From patchwork Mon Aug 7 21:23:54 2017
X-Patchwork-Submitter: Olga Kornievskaia
X-Patchwork-Id: 9886223
From: Olga Kornievskaia
To: , ,
Subject: [RFC v3 2/3] SUNRPC mark user credentials destroyed
Date: Mon, 7 Aug 2017 17:23:54 -0400
Message-ID: <20170807212355.29127-4-kolga@netapp.com>
In-Reply-To: <20170807212355.29127-1-kolga@netapp.com>
References: <20170807212355.29127-1-kolga@netapp.com>
X-Mailing-List: linux-fsdevel@vger.kernel.org

Provide an API -- rpcauth_key_set_destroy() -- to mark a specific gss user's creds destroyed. Afterwards, these credentials come up as expired and require new credentials to be established. If previously the user did a kdestroy, then the user has no access to the nfs mount.

Signed-off-by: Olga Kornievskaia
--- include/linux/sunrpc/auth.h | 5 +++++ net/sunrpc/auth.c | 9 +++++++++ net/sunrpc/auth_generic.c | 15 +++++++++++++++ net/sunrpc/auth_gss/auth_gss.c | 3 +++ 4 files changed, 32 insertions(+) diff --git a/include/linux/sunrpc/auth.h b/include/linux/sunrpc/auth.h index 8fd3504..2ab0bc9 100644 --- a/include/linux/sunrpc/auth.h +++ b/include/linux/sunrpc/auth.h @@ -76,6 +76,7 @@ struct rpc_cred { #define RPCAUTH_CRED_UPTODATE 1 #define RPCAUTH_CRED_HASHED 2 #define RPCAUTH_CRED_NEGATIVE 3 +#define RPCAUTH_CRED_DESTROYED 4 /* rpc_auth au_flags */ #define RPCAUTH_AUTH_NO_CRKEY_TIMEOUT 0x0001 /* underlying cred has no key timeout */ @@ -136,6 +137,8 @@ struct rpc_authops { struct rpcsec_gss_info *); int (*key_timeout)(struct rpc_auth *, struct rpc_cred *); + int (*key_destroy)(struct rpc_auth *, + struct rpc_cred *); }; struct rpc_credops { 
@@ -198,6 +201,8 @@ int rpcauth_get_gssinfo(rpc_authflavor_t, void rpcauth_clear_credcache(struct rpc_cred_cache *); int rpcauth_key_timeout_notify(struct rpc_auth *, struct rpc_cred *); +int rpcauth_key_set_destroy(struct rpc_auth *, + struct rpc_cred *); bool rpcauth_cred_key_to_expire(struct rpc_auth *, struct rpc_cred *); char * rpcauth_stringify_acceptor(struct rpc_cred *); diff --git a/net/sunrpc/auth.c b/net/sunrpc/auth.c index d2623b9..408452c 100644 --- a/net/sunrpc/auth.c +++ b/net/sunrpc/auth.c @@ -357,6 +357,15 @@ struct rpc_auth * } EXPORT_SYMBOL_GPL(rpcauth_key_timeout_notify); +int +rpcauth_key_set_destroy(struct rpc_auth *auth, struct rpc_cred *cred) +{ + if (!cred->cr_auth->au_ops->key_destroy) + return 0; + return cred->cr_auth->au_ops->key_destroy(auth, cred); +} +EXPORT_SYMBOL_GPL(rpcauth_key_set_destroy); + bool rpcauth_cred_key_to_expire(struct rpc_auth *auth, struct rpc_cred *cred) { diff --git a/net/sunrpc/auth_generic.c b/net/sunrpc/auth_generic.c index f1df983..f1b1088 100644 --- a/net/sunrpc/auth_generic.c +++ b/net/sunrpc/auth_generic.c @@ -263,6 +263,20 @@ void rpc_destroy_generic_auth(void) return ret; } +static int +generic_key_destroy(struct rpc_auth *auth, struct rpc_cred *cred) +{ + struct auth_cred *acred = &container_of(cred, struct generic_cred, + gc_base)->acred; + struct rpc_cred *tcred; + + tcred = auth->au_ops->lookup_cred(auth, acred, 0); + if (IS_ERR(tcred)) + return -ENOENT; + set_bit(RPCAUTH_CRED_DESTROYED, &tcred->cr_flags); + return 0; +} + static const struct rpc_authops generic_auth_ops = { .owner = THIS_MODULE, .au_name = "Generic", @@ -270,6 +284,7 @@ void rpc_destroy_generic_auth(void) .lookup_cred = generic_lookup_cred, .crcreate = generic_create_cred, .key_timeout = generic_key_timeout, + .key_destroy = generic_key_destroy, }; static struct rpc_auth generic_auth = { diff --git a/net/sunrpc/auth_gss/auth_gss.c b/net/sunrpc/auth_gss/auth_gss.c index 9463af4..2c1370a 100644 --- a/net/sunrpc/auth_gss/auth_gss.c 
+++ b/net/sunrpc/auth_gss/auth_gss.c @@ -1473,6 +1473,9 @@ static void gss_pipe_free(struct gss_pipe *p) if (ret == 0) return ret; + if (test_bit(RPCAUTH_CRED_DESTROYED, &rc->cr_flags)) + return 0; + /* Notify acred users of GSS context expiration timeout */ if (test_bit(RPC_CRED_NOTIFY_TIMEOUT, &acred->ac_flags) && (gss_key_timeout(rc) != 0)) {
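Review bot: the new exported rpcauth_key_set_destroy() in net/sunrpc/auth.c looks the op up through cred->cr_auth->au_ops but invokes it with the separate auth argument, and nothing explains why the two differ; this mirrors rpcauth_key_timeout_notify() directly above it, but a new exported symbol should carry a kernel-doc comment stating that cred is the generic credential whose flavor supplies key_destroy while auth is the RPCSEC_GSS auth in which the matching credential is searched. Returning 0 when au_ops->key_destroy is NULL also makes "not supported" indistinguishable from "marked destroyed"; either return -EOPNOTSUPP or document that callers treat the call as best-effort.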
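Review bot: generic_key_destroy() in net/sunrpc/auth_generic.c leaks a credential reference: auth->au_ops->lookup_cred() hands back a cred with its reference count raised, and the function sets the bit and returns without ever releasing it. It also collapses every IS_ERR(tcred) into -ENOENT, hiding the real cause (an allocation failure, for instance); return PTR_ERR(tcred) instead. Suggested tail of the function:
	set_bit(RPCAUTH_CRED_DESTROYED, &tcred->cr_flags);
	put_rpccred(tcred);
	return 0;
Since lookup_cred() is called with flags 0, please also confirm and comment whether a kdestroy for a user with no cached GSS credential is meant to instantiate one purely to flag it destroyed.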
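Review bot: the RPCAUTH_CRED_DESTROYED test in net/sunrpc/auth_gss/auth_gss.c sits after the uid comparison has already succeeded (the ret tested in the context line), so a destroyed credential is only refused once it has been fully matched; moving the test ahead of that comparison refuses it earlier and keeps it with the other reasons the function declines a match. A one-line comment is also needed here, because a reader cannot tell from the hunk that the intent is to make the cache lookup miss so that a fresh credential (and a new context upcall) is created, while the destroyed credential stays hashed until it is garbage collected; nothing in the series clears the bit, and that should be stated explicitly.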