Commit 2ea2209f authored by J. Bruce Fields's avatar J. Bruce Fields Committed by Linus Torvalds
Browse files

knfsd: nfsd: use ip-address-based domain in secinfo case 



With this patch, we fall back on using the gss/pseudoflavor only if we fail to
find a matching auth_unix export that has a secinfo list.

As long as sec= options aren't used, there's still no change in behavior here
(except possibly for some additional auth_unix cache lookups, whose results
will be ignored).

The sec= option, however, is not actually enforced yet; later patches will add
the necessary checks.

Signed-off-by: default avatar"J. Bruce Fields" <bfields@citi.umich.edu>
Signed-off-by: default avatarNeil Brown <neilb@suse.de>
Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
parent 3ab4d8b1

fs/nfsd/export.c

+67 −9
Original line number Diff line number Diff line
@@ -1229,6 +1229,10 @@ exp_find(struct auth_domain *clp, int fsid_type, u32 *fsidv, 
}



/*

 * Uses rq_client and rq_gssclient to find an export; uses rq_client (an

 * auth_unix client) if it's available and has secinfo information;

 * otherwise, will try to use rq_gssclient.

 *

 * Called from functions that handle requests; functions that do work on

 * behalf of mountd are passed a single client name to use, and should

 * use exp_get_by_name() or exp_find().
@@ -1237,29 +1241,83 @@ struct svc_export * 
rqst_exp_get_by_name(struct svc_rqst *rqstp, struct vfsmount *mnt,

		struct dentry *dentry)

{

	struct auth_domain *clp;

	struct svc_export *gssexp, *exp = NULL;



	if (rqstp->rq_client == NULL)

		goto gss;



	clp = rqstp->rq_gssclient ? rqstp->rq_gssclient : rqstp->rq_client;

	return exp_get_by_name(clp, mnt, dentry, &rqstp->rq_chandle);

	/* First try the auth_unix client: */

	exp = exp_get_by_name(rqstp->rq_client, mnt, dentry,

						&rqstp->rq_chandle);

	if (PTR_ERR(exp) == -ENOENT)

		goto gss;

	if (IS_ERR(exp))

		return exp;

	/* If it has secinfo, assume there are no gss/... clients */

	if (exp->ex_nflavors > 0)

		return exp;

gss:

	/* Otherwise, try falling back on gss client */

	if (rqstp->rq_gssclient == NULL)

		return exp;

	gssexp = exp_get_by_name(rqstp->rq_gssclient, mnt, dentry,

						&rqstp->rq_chandle);

	if (PTR_ERR(gssexp) == -ENOENT)

		return exp;

	if (exp && !IS_ERR(exp))

		exp_put(exp);

	return gssexp;

}



struct svc_export *

rqst_exp_find(struct svc_rqst *rqstp, int fsid_type, u32 *fsidv)

{

	struct auth_domain *clp;

	struct svc_export *gssexp, *exp = NULL;



	if (rqstp->rq_client == NULL)

		goto gss;



	clp = rqstp->rq_gssclient ? rqstp->rq_gssclient : rqstp->rq_client;

	return exp_find(clp, fsid_type, fsidv, &rqstp->rq_chandle);

	/* First try the auth_unix client: */

	exp = exp_find(rqstp->rq_client, fsid_type, fsidv, &rqstp->rq_chandle);

	if (PTR_ERR(exp) == -ENOENT)

		goto gss;

	if (IS_ERR(exp))

		return exp;

	/* If it has secinfo, assume there are no gss/... clients */

	if (exp->ex_nflavors > 0)

		return exp;

gss:

	/* Otherwise, try falling back on gss client */

	if (rqstp->rq_gssclient == NULL)

		return exp;

	gssexp = exp_find(rqstp->rq_gssclient, fsid_type, fsidv,

						&rqstp->rq_chandle);

	if (PTR_ERR(gssexp) == -ENOENT)

		return exp;

	if (exp && !IS_ERR(exp))

		exp_put(exp);

	return gssexp;

}



struct svc_export *

rqst_exp_parent(struct svc_rqst *rqstp, struct vfsmount *mnt,

		struct dentry *dentry)

{

	struct auth_domain *clp;

	struct svc_export *exp;



	dget(dentry);

	exp = rqst_exp_get_by_name(rqstp, mnt, dentry);



	while (PTR_ERR(exp) == -ENOENT && !IS_ROOT(dentry)) {

		struct dentry *parent;



	clp = rqstp->rq_gssclient ? rqstp->rq_gssclient : rqstp->rq_client;

	return exp_parent(rqstp->rq_client, mnt, dentry, &rqstp->rq_chandle);

		parent = dget_parent(dentry);

		dput(dentry);

		dentry = parent;

		exp = rqst_exp_get_by_name(rqstp, mnt, dentry);

	}

	dput(dentry);

	return exp;

}



/*

CRA Git | Maintained and supported by SUSTech CRA and CCSE