| Message ID | 20240829010424.83693-5-snitzer@kernel.org (mailing list archive) |
|---|---|
| State | New |
| Headers | show |
| Series | nfs/nfsd: add support for LOCALIO | expand |
On Wed, 2024-08-28 at 21:03 -0400, Mike Snitzer wrote: > From: NeilBrown <neilb@suse.de> > > LOCALIO-initiated open operations are not running in an nfsd thread > and thus do not have an associated svc_rqst context. > > Signed-off-by: NeilBrown <neilb@suse.de> > Co-developed-by: Mike Snitzer <snitzer@kernel.org> > Signed-off-by: Mike Snitzer <snitzer@kernel.org> > Signed-off-by: Chuck Lever <chuck.lever@oracle.com> > --- > fs/nfsd/export.c | 30 +++++++++++++++++++++++++----- > 1 file changed, 25 insertions(+), 5 deletions(-) > > diff --git a/fs/nfsd/export.c b/fs/nfsd/export.c > index 7bb4f2075ac5..c82d8e3e0d4f 100644 > --- a/fs/nfsd/export.c > +++ b/fs/nfsd/export.c > @@ -1074,10 +1074,30 @@ static struct svc_export *exp_find(struct cache_detail *cd, > return exp; > } > > +/** > + * check_nfsd_access - check if access to export is allowed. > + * @exp: svc_export that is being accessed. > + * @rqstp: svc_rqst attempting to access @exp (will be NULL for LOCALIO). > + * > + * Return values: > + * %nfs_ok if access is granted, or > + * %nfserr_wrongsec if access is denied > + */ > __be32 check_nfsd_access(struct svc_export *exp, struct svc_rqst *rqstp) > { > struct exp_flavor_info *f, *end = exp->ex_flavors + exp->ex_nflavors; > - struct svc_xprt *xprt = rqstp->rq_xprt; > + struct svc_xprt *xprt; > + > + /* > + * If rqstp is NULL, this is a LOCALIO request which will only > + * ever use a filehandle/credential pair for which access has > + * been affirmed (by ACCESS or OPEN NFS requests) over the > + * wire. So there is no need for further checks here. > + */ > + if (!rqstp) > + return nfs_ok; > + > + xprt = rqstp->rq_xprt; > > if (exp->ex_xprtsec_modes & NFSEXP_XPRTSEC_NONE) { > if (!test_bit(XPT_TLS_SESSION, &xprt->xpt_flags)) > @@ -1098,17 +1118,17 @@ __be32 check_nfsd_access(struct svc_export *exp, struct svc_rqst *rqstp) > ok: > /* legacy gss-only clients are always OK: */ > if (exp->ex_client == rqstp->rq_gssclient) > - return 0; > + return nfs_ok; > /* ip-address based client; check sec= export option: */ > for (f = exp->ex_flavors; f < end; f++) { > if (f->pseudoflavor == rqstp->rq_cred.cr_flavor) > - return 0; > + return nfs_ok; > } > /* defaults in absence of sec= options: */ > if (exp->ex_nflavors == 0) { > if (rqstp->rq_cred.cr_flavor == RPC_AUTH_NULL || > rqstp->rq_cred.cr_flavor == RPC_AUTH_UNIX) > - return 0; > + return nfs_ok; > } > > /* If the compound op contains a spo_must_allowed op, > @@ -1118,7 +1138,7 @@ __be32 check_nfsd_access(struct svc_export *exp, struct svc_rqst *rqstp) > */ > > if (nfsd4_spo_must_allow(rqstp)) > - return 0; > + return nfs_ok; > > denied: > return nfserr_wrongsec; Reviewed-by: Jeff Layton <jlayton@kernel.org>
diff --git a/fs/nfsd/export.c b/fs/nfsd/export.c index 7bb4f2075ac5..c82d8e3e0d4f 100644 --- a/fs/nfsd/export.c +++ b/fs/nfsd/export.c @@ -1074,10 +1074,30 @@ static struct svc_export *exp_find(struct cache_detail *cd, return exp; } +/** + * check_nfsd_access - check if access to export is allowed. + * @exp: svc_export that is being accessed. + * @rqstp: svc_rqst attempting to access @exp (will be NULL for LOCALIO). + * + * Return values: + * %nfs_ok if access is granted, or + * %nfserr_wrongsec if access is denied + */ __be32 check_nfsd_access(struct svc_export *exp, struct svc_rqst *rqstp) { struct exp_flavor_info *f, *end = exp->ex_flavors + exp->ex_nflavors; - struct svc_xprt *xprt = rqstp->rq_xprt; + struct svc_xprt *xprt; + + /* + * If rqstp is NULL, this is a LOCALIO request which will only + * ever use a filehandle/credential pair for which access has + * been affirmed (by ACCESS or OPEN NFS requests) over the + * wire. So there is no need for further checks here. + */ + if (!rqstp) + return nfs_ok; + + xprt = rqstp->rq_xprt; if (exp->ex_xprtsec_modes & NFSEXP_XPRTSEC_NONE) { if (!test_bit(XPT_TLS_SESSION, &xprt->xpt_flags)) @@ -1098,17 +1118,17 @@ __be32 check_nfsd_access(struct svc_export *exp, struct svc_rqst *rqstp) ok: /* legacy gss-only clients are always OK: */ if (exp->ex_client == rqstp->rq_gssclient) - return 0; + return nfs_ok; /* ip-address based client; check sec= export option: */ for (f = exp->ex_flavors; f < end; f++) { if (f->pseudoflavor == rqstp->rq_cred.cr_flavor) - return 0; + return nfs_ok; } /* defaults in absence of sec= options: */ if (exp->ex_nflavors == 0) { if (rqstp->rq_cred.cr_flavor == RPC_AUTH_NULL || rqstp->rq_cred.cr_flavor == RPC_AUTH_UNIX) - return 0; + return nfs_ok; } /* If the compound op contains a spo_must_allowed op, @@ -1118,7 +1138,7 @@ __be32 check_nfsd_access(struct svc_export *exp, struct svc_rqst *rqstp) */ if (nfsd4_spo_must_allow(rqstp)) - return 0; + return nfs_ok; denied: return nfserr_wrongsec;