nfsd: opt in to labeled nfs per export · tjh.dev/kernel@32ddd94

Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

kernel os linux

nfsd: opt in to labeled nfs per export

Currently turning on NFSv4.2 results in 4.2 clients suddenly seeing the
individual file labels as they're set on the server. This is not what
they've previously seen, and not appropriate in may cases. (In
particular, if clients have heterogenous security policies then one
client's labels may not even make sense to another.) Labeled NFS should
be opted in only in those cases when the administrator knows it makes
sense.

It's helpful to be able to turn 4.2 on by default, and otherwise the
protocol upgrade seems free of regressions. So, default labeled NFS to
off and provide an export flag to reenable it.

Users wanting labeled NFS support on an export will henceforth need to:

- make sure 4.2 support is enabled on client and server (as
before), and
- upgrade the server nfs-utils to a version supporting the new
"security_label" export flag.
- set that "security_label" flag on the export.

This is commit may be seen as a regression to anyone currently depending
on security labels. We believe those cases are currently rare.

Reported-by: tibbs@math.uh.edu
Signed-off-by: J. Bruce Fields <bfields@redhat.com>

J. Bruce Fields 9 years ago 32ddd944 5cf23dbb

+12 -3

4 changed files

expand all

nfsd

export.c

nfs4proc.c

nfs4xdr.c

include

uapi

linux

nfsd

export.h

fs/nfsd/export.c

··· 1102 1102 { NFSEXP_NOAUTHNLM, {"insecure_locks", ""}}, 1103 1103 { NFSEXP_V4ROOT, {"v4root", ""}}, 1104 1104 { NFSEXP_PNFS, {"pnfs", ""}}, 1105 + { NFSEXP_SECURITY_LABEL, {"security_label", ""}}, 1105 1106 { 0, {"", ""}} 1106 1107 }; 1107 1108

fs/nfsd/nfs4proc.c

··· 95 95 u32 *bmval, u32 *writable) 96 96 { 97 97 struct dentry *dentry = cstate->current_fh.fh_dentry; 98 + struct svc_export *exp = cstate->current_fh.fh_export; 98 99 99 100 if (!nfsd_attrs_supported(cstate->minorversion, bmval)) 100 101 return nfserr_attrnotsupp; 101 102 if ((bmval[0] & FATTR4_WORD0_ACL) && !IS_POSIXACL(d_inode(dentry))) 103 + return nfserr_attrnotsupp; 104 + if ((bmval[2] & FATTR4_WORD2_SECURITY_LABEL) && 105 + !(exp->ex_flags & NFSEXP_SECURITY_LABEL)) 102 106 return nfserr_attrnotsupp; 103 107 if (writable && !bmval_is_subset(bmval, writable)) 104 108 return nfserr_inval;

+4 -1

fs/nfsd/nfs4xdr.c

··· 2417 2417 #ifdef CONFIG_NFSD_V4_SECURITY_LABEL 2418 2418 if ((bmval2 & FATTR4_WORD2_SECURITY_LABEL) || 2419 2419 bmval0 & FATTR4_WORD0_SUPPORTED_ATTRS) { 2420 - err = security_inode_getsecctx(d_inode(dentry), 2420 + if (exp->ex_flags & NFSEXP_SECURITY_LABEL) 2421 + err = security_inode_getsecctx(d_inode(dentry), 2421 2422 &context, &contextlen); 2423 + else 2424 + err = -EOPNOTSUPP; 2422 2425 contextsupport = (err == 0); 2423 2426 if (bmval2 & FATTR4_WORD2_SECURITY_LABEL) { 2424 2427 if (err == -EOPNOTSUPP)

+3 -2

include/uapi/linux/nfsd/export.h

··· 32 32 #define NFSEXP_ASYNC 0x0010 33 33 #define NFSEXP_GATHERED_WRITES 0x0020 34 34 #define NFSEXP_NOREADDIRPLUS 0x0040 35 - /* 80 100 currently unused */ 35 + #define NFSEXP_SECURITY_LABEL 0x0080 36 + /* 0x100 currently unused */ 36 37 #define NFSEXP_NOHIDE 0x0200 37 38 #define NFSEXP_NOSUBTREECHECK 0x0400 38 39 #define NFSEXP_NOAUTHNLM 0x0800 /* Don't authenticate NLM requests - just trust */ ··· 54 53 #define NFSEXP_PNFS 0x20000 55 54 56 55 /* All flags that we claim to support. (Note we don't support NOACL.) */ 57 - #define NFSEXP_ALLFLAGS 0x3FE7F 56 + #define NFSEXP_ALLFLAGS 0x3FEFF 58 57 59 58 /* The flags that may vary depending on security flavor: */ 60 59 #define NFSEXP_SECINFO_FLAGS (NFSEXP_READONLY | NFSEXP_ROOTSQUASH \