From patchwork Thu Aug 3 18:35:08 2017
X-Patchwork-Submitter: Olga Kornievskaia
X-Patchwork-Id: 9879719
From: Olga Kornievskaia
To: ,
Subject: [RFC 3/3] SUNRPC mark user credentials destroyed
Date: Thu, 3 Aug 2017 14:35:08 -0400
Message-ID: <20170803183508.24565-4-kolga@netapp.com>
X-Mailer: git-send-email 2.10.1 (Apple Git-78)
In-Reply-To: <20170803183508.24565-1-kolga@netapp.com>
References: <20170803183508.24565-1-kolga@netapp.com>
X-Mailing-List: linux-fsdevel@vger.kernel.org

Provide an API -- rpcauth_key_set_destroy() -- to mark a specific gss user's creds destroyed. Afterwards, these credentials come up as expired and require new credentials to be established. If previously the user did a kdestroy, then the user has no access to the nfs mount.

Signed-off-by: Olga Kornievskaia
---
 include/linux/sunrpc/auth.h | 5 +++++
 net/sunrpc/auth.c | 9 +++++++++
 net/sunrpc/auth_generic.c | 15 +++++++++++++++
 net/sunrpc/auth_gss/auth_gss.c | 3 +++
 4 files changed, 32 insertions(+)

diff --git a/include/linux/sunrpc/auth.h b/include/linux/sunrpc/auth.h index 8fd3504..2ab0bc9 100644 --- a/include/linux/sunrpc/auth.h +++ b/include/linux/sunrpc/auth.h @@ -76,6 +76,7 @@ struct rpc_cred { #define RPCAUTH_CRED_UPTODATE 1 #define RPCAUTH_CRED_HASHED 2 #define RPCAUTH_CRED_NEGATIVE 3 +#define RPCAUTH_CRED_DESTROYED 4 /* rpc_auth au_flags */ #define RPCAUTH_AUTH_NO_CRKEY_TIMEOUT 0x0001 /* underlying cred has no key timeout */ @@ -136,6 +137,8 @@ struct rpc_authops { struct rpcsec_gss_info *); int (*key_timeout)(struct rpc_auth *, struct rpc_cred *); + int (*key_destroy)(struct rpc_auth *, + struct rpc_cred *); }; struct rpc_credops {
@@ -198,6 +201,8 @@ int rpcauth_get_gssinfo(rpc_authflavor_t, void rpcauth_clear_credcache(struct rpc_cred_cache *); int rpcauth_key_timeout_notify(struct rpc_auth *, struct rpc_cred *); +int rpcauth_key_set_destroy(struct rpc_auth *, + struct rpc_cred *); bool rpcauth_cred_key_to_expire(struct rpc_auth *, struct rpc_cred *); char * rpcauth_stringify_acceptor(struct rpc_cred *); diff --git a/net/sunrpc/auth.c b/net/sunrpc/auth.c index d2623b9..408452c 100644 --- a/net/sunrpc/auth.c +++ b/net/sunrpc/auth.c @@ -357,6 +357,15 @@ struct rpc_auth * } EXPORT_SYMBOL_GPL(rpcauth_key_timeout_notify); +int +rpcauth_key_set_destroy(struct rpc_auth *auth, struct rpc_cred *cred) +{ + if (!cred->cr_auth->au_ops->key_destroy) + return 0; + return cred->cr_auth->au_ops->key_destroy(auth, cred); +} +EXPORT_SYMBOL_GPL(rpcauth_key_set_destroy); + bool rpcauth_cred_key_to_expire(struct rpc_auth *auth, struct rpc_cred *cred) { diff --git a/net/sunrpc/auth_generic.c b/net/sunrpc/auth_generic.c index f1df983..f434a03 100644 --- a/net/sunrpc/auth_generic.c +++ b/net/sunrpc/auth_generic.c @@ -223,6 +223,20 @@ void rpc_destroy_generic_auth(void) * on the acred ac_flags and return 0. */ static int +generic_key_destroy(struct rpc_auth *auth, struct rpc_cred *cred) +{ + struct auth_cred *acred = &container_of(cred, struct generic_cred, + gc_base)->acred; + struct rpc_cred *tcred; + + tcred = auth->au_ops->lookup_cred(auth, acred, 0); + if (IS_ERR(tcred)) + return -EACCES; + set_bit(RPCAUTH_CRED_DESTROYED, &tcred->cr_flags); + return 1; +} + +static int generic_key_timeout(struct rpc_auth *auth, struct rpc_cred *cred) { struct auth_cred *acred = &container_of(cred, struct generic_cred, @@ -270,6 +284,7 @@ void rpc_destroy_generic_auth(void) .lookup_cred = generic_lookup_cred, .crcreate = generic_create_cred, .key_timeout = generic_key_timeout, + .key_destroy = generic_key_destroy, }; static struct rpc_auth generic_auth = { 
diff --git a/net/sunrpc/auth_gss/auth_gss.c b/net/sunrpc/auth_gss/auth_gss.c index 4f16953..75f062c 100644 --- a/net/sunrpc/auth_gss/auth_gss.c +++ b/net/sunrpc/auth_gss/auth_gss.c @@ -1473,6 +1473,9 @@ static void gss_pipe_free(struct gss_pipe *p) if (ret == 0) return ret; + if (test_bit(RPCAUTH_CRED_DESTROYED, &rc->cr_flags)) + return 0; + /* Notify acred users of GSS context expiration timeout */ if (test_bit(RPC_CRED_NOTIFY_TIMEOUT, &acred->ac_flags) && (gss_key_timeout(rc) != 0)) {
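Review bot: In the include/linux/sunrpc/auth.h hunk that adds `int (*key_destroy)(struct rpc_auth *, struct rpc_cred *);` to `struct rpc_authops`, the return contract of the new op is undocumented, and the two sides of it in this patch disagree: `rpcauth_key_set_destroy()` returns 0 when the flavor has no `key_destroy`, while `generic_key_destroy()` returns 1 on success and -EACCES on failure, so a caller cannot tell "nothing to do" from "done" without knowing which flavor it hit. Settle on one convention (0 on success, negative errno on failure is the usual style for these ops) and state it in a comment next to the op and next to the exported function.

Review bot: In the net/sunrpc/auth.c hunk, `rpcauth_key_set_destroy()` tests `cred->cr_auth->au_ops->key_destroy` for NULL but then invokes it with the `auth` argument, so the NULL check guards one ops table while the call may be dispatched on behalf of another if `auth` and `cred->cr_auth` ever differ. It mirrors the `rpcauth_key_timeout_notify()` just above it, so at minimum add a comment saying the two are expected to be the same object; also consider returning -EOPNOTSUPP rather than 0 when the flavor cannot honor a destroy request, since this is a security-relevant "revoke" path and a silent 0 hides that nothing was marked.

Review bot: In the net/sunrpc/auth_generic.c hunk adding `generic_key_destroy()`, the cred returned by `tcred = auth->au_ops->lookup_cred(auth, acred, 0);` is a referenced `rpc_cred` (that is the `lookup_cred` contract in SUNRPC) and the function never drops it, so every successful call leaks one reference and pins the destroyed cred in the cache; add `put_rpccred(tcred);` after the `set_bit(RPCAUTH_CRED_DESTROYED, &tcred->cr_flags);`. Two smaller points in the same hunk: `return 1;` on success is unusual for an op that otherwise uses errno-style returns, and because the lookup is done with flags 0, a user who has no cached cred yet will get a fresh one created only to be flagged destroyed, which is probably fine but deserves a comment.

Review bot: In the net/sunrpc/auth_gss/auth_gss.c hunk, `if (test_bit(RPCAUTH_CRED_DESTROYED, &rc->cr_flags)) return 0;` only stops the flagged cred from being handed out on later lookups; nothing in this patch touches the cred's existing GSS context, clears the flag, or unhashes the cred, so a task that already holds the cred keeps using its context until it drops it, and the flagged entry lingers in the cache being skipped on every match. If the intent stated in the commit message (a kdestroy'd user loses access to the mount) is to hold for in-flight users too, mark the context stale as well so holders are forced to refresh, and either unhash the cred or document that the flag is deliberately one-way.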