1. 29 6月, 2013 1 次提交
  2. 31 5月, 2013 1 次提交
    • C
      NFS: Fix security flavor negotiation with legacy binary mounts · eb54d437
      Chuck Lever 提交于
      Darrick J. Wong <darrick.wong@oracle.com> reports:
      > I have a kvm-based testing setup that netboots VMs over NFS, the
      > client end of which seems to have broken somehow in 3.10-rc1.  The
      > server's exports file looks like this:
      >
      > /storage/mtr/x64	192.168.122.0/24(ro,sync,no_root_squash,no_subtree_check)
      >
      > On the client end (inside the VM), the initrd runs the following
      > command to try to mount the rootfs over NFS:
      >
      > # mount -o nolock -o ro -o retrans=10 192.168.122.1:/storage/mtr/x64/ /root
      >
      > (Note: This is the busybox mount command.)
      >
      > The mount fails with -EINVAL.
      
      Commit 4580a92d "NFS: Use server-recommended security flavor by
      default (NFSv3)" introduced a behavior regression for NFS mounts
      done via a legacy binary mount(2) call.
      
      Ensure that a default security flavor is specified for legacy binary
      mount requests, since they do not invoke nfs_select_flavor() in the
      kernel.
      
      Busybox uses klibc's nfsmount command, which performs NFS mounts
      using the legacy binary mount data format.  /sbin/mount.nfs is not
      affected by this regression.
      Reported-by: NDarrick J. Wong <darrick.wong@oracle.com>
      Signed-off-by: NChuck Lever <chuck.lever@oracle.com>
      Tested-by: NDarrick J. Wong <darrick.wong@oracle.com>
      Acked-by: NWeston Andros Adamson <dros@netapp.com>
      Signed-off-by: NTrond Myklebust <Trond.Myklebust@netapp.com>
      eb54d437
  3. 07 5月, 2013 1 次提交
    • W
      NFSv3: match sec= flavor against server list · d497ab97
      Weston Andros Adamson 提交于
      Older linux clients match the 'sec=' mount option flavor against the server's
      flavor list (if available) and return EPERM if the specified flavor or AUTH_NULL
      (which "matches" any flavor) is not found.
      
      Recent changes skip this step and allow the vfs mount even though no operations
      will succeed, creating a 'dud' mount.
      
      This patch reverts back to the old behavior of matching specified flavors
      against the server list and also returns EPERM when no sec= is specified and
      none of the flavors returned by the server are supported by the client.
      
      Example of behavior change:
      
      the server's /etc/exports:
      
      /export/krb5      *(sec=krb5,rw,no_root_squash)
      
      old client behavior:
      
      $ uname -a
      Linux one.apikia.fake 3.8.8-202.fc18.x86_64 #1 SMP Wed Apr 17 23:25:17 UTC 2013 x86_64 x86_64 x86_64 GNU/Linux
      $ sudo mount -v -o sec=sys,vers=3 zero:/export/krb5 /mnt
      mount.nfs: timeout set for Sun May  5 17:32:04 2013
      mount.nfs: trying text-based options 'sec=sys,vers=3,addr=192.168.100.10'
      mount.nfs: prog 100003, trying vers=3, prot=6
      mount.nfs: trying 192.168.100.10 prog 100003 vers 3 prot TCP port 2049
      mount.nfs: prog 100005, trying vers=3, prot=17
      mount.nfs: trying 192.168.100.10 prog 100005 vers 3 prot UDP port 20048
      mount.nfs: mount(2): Permission denied
      mount.nfs: access denied by server while mounting zero:/export/krb5
      
      recently changed behavior:
      
      $ uname -a
      Linux one.apikia.fake 3.9.0-testing+ #2 SMP Fri May 3 20:29:32 EDT 2013 x86_64 x86_64 x86_64 GNU/Linux
      $ sudo mount -v -o sec=sys,vers=3 zero:/export/krb5 /mnt
      mount.nfs: timeout set for Sun May  5 17:37:17 2013
      mount.nfs: trying text-based options 'sec=sys,vers=3,addr=192.168.100.10'
      mount.nfs: prog 100003, trying vers=3, prot=6
      mount.nfs: trying 192.168.100.10 prog 100003 vers 3 prot TCP port 2049
      mount.nfs: prog 100005, trying vers=3, prot=17
      mount.nfs: trying 192.168.100.10 prog 100005 vers 3 prot UDP port 20048
      $ ls /mnt
      ls: cannot open directory /mnt: Permission denied
      $ sudo ls /mnt
      ls: cannot open directory /mnt: Permission denied
      $ sudo df /mnt
      df: ‘/mnt’: Permission denied
      df: no file systems processed
      $ sudo umount /mnt
      $
      Signed-off-by: NWeston Andros Adamson <dros@netapp.com>
      Signed-off-by: NTrond Myklebust <Trond.Myklebust@netapp.com>
      d497ab97
  4. 05 4月, 2013 1 次提交
    • C
      NFS: Use server-recommended security flavor by default (NFSv3) · 4580a92d
      Chuck Lever 提交于
      Since commit ec88f28d in 2009, checking if the user-specified flavor
      is in the server's flavor list has been the source of a few
      noticeable regressions (now fixed), but there is one that is still
      vexing.
      
      An NFS server can list AUTH_NULL in its flavor list, which suggests
      a client should try to mount the server with the flavor of the
      client's choice, but the server will squash all accesses.  In some
      cases, our client fails to mount a server because of this check,
      when the mount could have proceeded successfully.
      
      Skip this check if the user has specified "sec=" on the mount
      command line.  But do consult the server-provided flavor list to
      choose a security flavor if no sec= option is specified on the mount
      command.
      
      If a server lists Kerberos pseudoflavors before "sys" in its export
      options, our client now chooses Kerberos over AUTH_UNIX for mount
      points, when no security flavor is specified by the mount command.
      This could be surprising to some administrators or users, who would
      then need to have Kerberos credentials to access the export.
      
      Or, a client administrator may not have enabled rpc.gssd.  In this
      case, auth_rpcgss.ko might still be loadable, which is enough for
      the new logic to choose Kerberos over AUTH_UNIX.  But the mount
      would fail since no GSS context can be created without rpc.gssd
      running.
      
      To retain the use of AUTH_UNIX by default:
      
        o  The server administrator can ensure that "sys" is listed before
           Kerberos flavors in its export security options (see
           exports(5)),
      
        o  The client administrator can explicitly specify "sec=sys" on
           its mount command line (see nfs(5)),
      
        o  The client administrator can use "Sec=sys" in an appropriate
           section of /etc/nfsmount.conf (see nfsmount.conf(5)), or
      
        o  The client administrator can blacklist auth_rpcgss.ko.
      Signed-off-by: NChuck Lever <chuck.lever@oracle.com>
      Signed-off-by: NTrond Myklebust <Trond.Myklebust@netapp.com>
      4580a92d
  5. 02 4月, 2013 1 次提交
    • J
      selinux: make security_sb_clone_mnt_opts return an error on context mismatch · 094f7b69
      Jeff Layton 提交于
      I had the following problem reported a while back. If you mount the
      same filesystem twice using NFSv4 with different contexts, then the
      second context= option is ignored. For instance:
      
          # mount server:/export /mnt/test1
          # mount server:/export /mnt/test2 -o context=system_u:object_r:tmp_t:s0
          # ls -dZ /mnt/test1
          drwxrwxrwt. root root system_u:object_r:nfs_t:s0       /mnt/test1
          # ls -dZ /mnt/test2
          drwxrwxrwt. root root system_u:object_r:nfs_t:s0       /mnt/test2
      
      When we call into SELinux to set the context of a "cloned" superblock,
      it will currently just bail out when it notices that we're reusing an
      existing superblock. Since the existing superblock is already set up and
      presumably in use, we can't go overwriting its context with the one from
      the "original" sb. Because of this, the second context= option in this
      case cannot take effect.
      
      This patch fixes this by turning security_sb_clone_mnt_opts into an int
      return operation. When it finds that the "new" superblock that it has
      been handed is already set up, it checks to see whether the contexts on
      the old superblock match it. If it does, then it will just return
      success, otherwise it'll return -EBUSY and emit a printk to tell the
      admin why the second mount failed.
      
      Note that this patch may cause casualties. The NFSv4 code relies on
      being able to walk down to an export from the pseudoroot. If you mount
      filesystems that are nested within one another with different contexts,
      then this patch will make those mounts fail in new and "exciting" ways.
      
      For instance, suppose that /export is a separate filesystem on the
      server:
      
          # mount server:/ /mnt/test1
          # mount salusa:/export /mnt/test2 -o context=system_u:object_r:tmp_t:s0
          mount.nfs: an incorrect mount option was specified
      
      ...with the printk in the ring buffer. Because we *might* eventually
      walk down to /mnt/test1/export, the mount is denied due to this patch.
      The second mount needs the pseudoroot superblock, but that's already
      present with the wrong context.
      
      OTOH, if we mount these in the reverse order, then both mounts work,
      because the pseudoroot superblock created when mounting /export is
      discarded once that mount is done. If we then however try to walk into
      that directory, the automount fails for the similar reasons:
      
          # cd /mnt/test1/scratch/
          -bash: cd: /mnt/test1/scratch: Device or resource busy
      
      The story I've gotten from the SELinux folks that I've talked to is that
      this is desirable behavior. In SELinux-land, mounting the same data
      under different contexts is wrong -- there can be only one.
      
      Cc: Steve Dickson <steved@redhat.com>
      Cc: Stephen Smalley <sds@tycho.nsa.gov>
      Signed-off-by: NJeff Layton <jlayton@redhat.com>
      Acked-by: NEric Paris <eparis@redhat.com>
      Signed-off-by: NJames Morris <james.l.morris@oracle.com>
      094f7b69
  6. 13 3月, 2013 1 次提交
    • E
      fs: Readd the fs module aliases. · fa7614dd
      Eric W. Biederman 提交于
      I had assumed that the only use of module aliases for filesystems
      prior to "fs: Limit sys_mount to only request filesystem modules."
      was in request_module.  It turns out I was wrong.  At least mkinitcpio
      in Arch linux uses these aliases.
      
      So readd the preexising aliases, to keep from breaking userspace.
      
      Userspace eventually will have to follow and use the same aliases the
      kernel does.  So at some point we may be delete these aliases without
      problems.  However that day is not today.
      Signed-off-by: N"Eric W. Biederman" <ebiederm@xmission.com>
      fa7614dd
  7. 04 3月, 2013 1 次提交
    • E
      fs: Limit sys_mount to only request filesystem modules. · 7f78e035
      Eric W. Biederman 提交于
      Modify the request_module to prefix the file system type with "fs-"
      and add aliases to all of the filesystems that can be built as modules
      to match.
      
      A common practice is to build all of the kernel code and leave code
      that is not commonly needed as modules, with the result that many
      users are exposed to any bug anywhere in the kernel.
      
      Looking for filesystems with a fs- prefix limits the pool of possible
      modules that can be loaded by mount to just filesystems trivially
      making things safer with no real cost.
      
      Using aliases means user space can control the policy of which
      filesystem modules are auto-loaded by editing /etc/modprobe.d/*.conf
      with blacklist and alias directives.  Allowing simple, safe,
      well understood work-arounds to known problematic software.
      
      This also addresses a rare but unfortunate problem where the filesystem
      name is not the same as it's module name and module auto-loading
      would not work.  While writing this patch I saw a handful of such
      cases.  The most significant being autofs that lives in the module
      autofs4.
      
      This is relevant to user namespaces because we can reach the request
      module in get_fs_type() without having any special permissions, and
      people get uncomfortable when a user specified string (in this case
      the filesystem type) goes all of the way to request_module.
      
      After having looked at this issue I don't think there is any
      particular reason to perform any filtering or permission checks beyond
      making it clear in the module request that we want a filesystem
      module.  The common pattern in the kernel is to call request_module()
      without regards to the users permissions.  In general all a filesystem
      module does once loaded is call register_filesystem() and go to sleep.
      Which means there is not much attack surface exposed by loading a
      filesytem module unless the filesystem is mounted.  In a user
      namespace filesystems are not mounted unless .fs_flags = FS_USERNS_MOUNT,
      which most filesystems do not set today.
      Acked-by: NSerge Hallyn <serge.hallyn@canonical.com>
      Acked-by: NKees Cook <keescook@chromium.org>
      Reported-by: NKees Cook <keescook@google.com>
      Signed-off-by: N"Eric W. Biederman" <ebiederm@xmission.com>
      7f78e035
  8. 26 2月, 2013 1 次提交
    • J
      vfs: kill FS_REVAL_DOT by adding a d_weak_revalidate dentry op · ecf3d1f1
      Jeff Layton 提交于
      The following set of operations on a NFS client and server will cause
      
          server# mkdir a
          client# cd a
          server# mv a a.bak
          client# sleep 30  # (or whatever the dir attrcache timeout is)
          client# stat .
          stat: cannot stat `.': Stale NFS file handle
      
      Obviously, we should not be getting an ESTALE error back there since the
      inode still exists on the server. The problem is that the lookup code
      will call d_revalidate on the dentry that "." refers to, because NFS has
      FS_REVAL_DOT set.
      
      nfs_lookup_revalidate will see that the parent directory has changed and
      will try to reverify the dentry by redoing a LOOKUP. That of course
      fails, so the lookup code returns ESTALE.
      
      The problem here is that d_revalidate is really a bad fit for this case.
      What we really want to know at this point is whether the inode is still
      good or not, but we don't really care what name it goes by or whether
      the dcache is still valid.
      
      Add a new d_op->d_weak_revalidate operation and have complete_walk call
      that instead of d_revalidate. The intent there is to allow for a
      "weaker" d_revalidate that just checks to see whether the inode is still
      good. This is also gives us an opportunity to kill off the FS_REVAL_DOT
      special casing.
      
      [AV: changed method name, added note in porting, fixed confusion re
      having it possibly called from RCU mode (it won't be)]
      
      Cc: NeilBrown <neilb@suse.de>
      Signed-off-by: NJeff Layton <jlayton@redhat.com>
      Signed-off-by: NAl Viro <viro@zeniv.linux.org.uk>
      ecf3d1f1
  9. 05 2月, 2013 1 次提交
  10. 01 2月, 2013 1 次提交
  11. 28 1月, 2013 1 次提交
  12. 04 1月, 2013 1 次提交
  13. 22 12月, 2012 1 次提交
  14. 15 12月, 2012 1 次提交
  15. 06 12月, 2012 1 次提交
  16. 01 11月, 2012 2 次提交
  17. 02 10月, 2012 4 次提交
    • S
      nfs: declare nfs_xdev_mount as static · 3dd4f8ef
      Stanislav Kinsbursky 提交于
      Sparse warning:
      fs/nfs/super.c:2517:15: warning: symbol 'nfs_xdev_mount' was not declared.
      Should it be static?
      Signed-off-by: NStanislav Kinsbursky <skinsbursky@parallels.com>
      Signed-off-by: NTrond Myklebust <Trond.Myklebust@netapp.com>
      3dd4f8ef
    • D
      nfs: replace strict_strto* with kstrto* · 7297cb68
      Daniel Walter 提交于
      [nfs] replace strict_str* with kstr* variants
      
       * replace string conversions with newer kstr* functions
      Signed-off-by: NDaniel Walter <sahne@0x90.at>
      Signed-off-by: NTrond Myklebust <Trond.Myklebust@netapp.com>
      7297cb68
    • C
      NFS: Add nfs4_unique_id boot parameter · 6f2ea7f2
      Chuck Lever 提交于
      An optional boot parameter is introduced to allow client
      administrators to specify a string that the Linux NFS client can
      insert into its nfs_client_id4 id string, to make it both more
      globally unique, and to ensure that it doesn't change even if the
      client's nodename changes.
      
      If this boot parameter is not specified, the client's nodename is
      used, as before.
      
      Client installation procedures can create a unique string (typically,
      a UUID) which remains unchanged during the lifetime of that client
      instance.  This works just like creating a UUID for the label of the
      system's root and boot volumes.
      Signed-off-by: NChuck Lever <chuck.lever@oracle.com>
      Signed-off-by: NTrond Myklebust <Trond.Myklebust@netapp.com>
      6f2ea7f2
    • C
      NFS: Introduce "migration" mount option · 89652617
      Chuck Lever 提交于
      Currently, the Linux client uses a unique nfs_client_id4.id string
      when identifying itself to distinct NFS servers.
      
      To support transparent state migration, the Linux client will have to
      use the same nfs_client_id4 string for all servers it communicates
      with (also known as the "uniform client string" approach).  Otherwise
      NFS servers can not recognize that open and lock state need to be
      merged after a file system transition.
      
      Unfortunately, there are some NFSv4.0 servers currently in the field
      that do not tolerate the uniform client string approach.
      
      Thus, by default, our NFSv4.0 mounts will continue to use the current
      approach, and we introduce a mount option that switches them to use
      the uniform model.  Client administrators must identify which servers
      can be mounted with this option.  Eventually most NFSv4.0 servers will
      be able to handle the uniform approach, and we can change the default.
      
      The first mount of a server controls the behavior for all subsequent
      mounts for the lifetime of that set of mounts of that server.  After
      the last mount of that server is gone, the client erases the data
      structure that tracks the lease.  A subsequent lease may then honor
      a different "migration" setting.
      
      This patch adds only the infrastructure for parsing the new mount
      option.  Support for uniform client strings is added in a subsequent
      patch.
      Signed-off-by: NChuck Lever <chuck.lever@oracle.com>
      Signed-off-by: NTrond Myklebust <Trond.Myklebust@netapp.com>
      89652617
  18. 05 9月, 2012 1 次提交
  19. 02 9月, 2012 1 次提交
  20. 17 8月, 2012 2 次提交
  21. 31 7月, 2012 9 次提交
  22. 18 7月, 2012 2 次提交
  23. 14 7月, 2012 1 次提交
  24. 11 7月, 2012 1 次提交
  25. 29 6月, 2012 2 次提交