aboutsummaryrefslogtreecommitdiffstats
path: root/include/uapi/linux
diff options
context:
space:
mode:
authorJ. Bruce Fields <bfields@redhat.com>2017-01-03 12:30:11 -0500
committerJ. Bruce Fields <bfields@redhat.com>2017-01-31 12:31:54 -0500
commit32ddd944a056c786f6acdd95ed29e994adc613a2 (patch)
treede1987f57f81d68f1ef68d89297d262abf43f37a /include/uapi/linux
parent5cf23dbb1d3122bbc378dbbd96880a086c1b63df (diff)
nfsd: opt in to labeled nfs per export
Currently turning on NFSv4.2 results in 4.2 clients suddenly seeing the individual file labels as they're set on the server. This is not what they've previously seen, and not appropriate in may cases. (In particular, if clients have heterogenous security policies then one client's labels may not even make sense to another.) Labeled NFS should be opted in only in those cases when the administrator knows it makes sense. It's helpful to be able to turn 4.2 on by default, and otherwise the protocol upgrade seems free of regressions. So, default labeled NFS to off and provide an export flag to reenable it. Users wanting labeled NFS support on an export will henceforth need to: - make sure 4.2 support is enabled on client and server (as before), and - upgrade the server nfs-utils to a version supporting the new "security_label" export flag. - set that "security_label" flag on the export. This is commit may be seen as a regression to anyone currently depending on security labels. We believe those cases are currently rare. Reported-by: tibbs@math.uh.edu Signed-off-by: J. Bruce Fields <bfields@redhat.com>
Diffstat (limited to 'include/uapi/linux')
-rw-r--r--include/uapi/linux/nfsd/export.h5
1 files changed, 3 insertions, 2 deletions
diff --git a/include/uapi/linux/nfsd/export.h b/include/uapi/linux/nfsd/export.h
index 0df7bd5d2fb1..c3be256107c6 100644
--- a/include/uapi/linux/nfsd/export.h
+++ b/include/uapi/linux/nfsd/export.h
@@ -32,7 +32,8 @@
32#define NFSEXP_ASYNC 0x0010 32#define NFSEXP_ASYNC 0x0010
33#define NFSEXP_GATHERED_WRITES 0x0020 33#define NFSEXP_GATHERED_WRITES 0x0020
34#define NFSEXP_NOREADDIRPLUS 0x0040 34#define NFSEXP_NOREADDIRPLUS 0x0040
35/* 80 100 currently unused */ 35#define NFSEXP_SECURITY_LABEL 0x0080
36/* 0x100 currently unused */
36#define NFSEXP_NOHIDE 0x0200 37#define NFSEXP_NOHIDE 0x0200
37#define NFSEXP_NOSUBTREECHECK 0x0400 38#define NFSEXP_NOSUBTREECHECK 0x0400
38#define NFSEXP_NOAUTHNLM 0x0800 /* Don't authenticate NLM requests - just trust */ 39#define NFSEXP_NOAUTHNLM 0x0800 /* Don't authenticate NLM requests - just trust */
@@ -53,7 +54,7 @@
53#define NFSEXP_PNFS 0x20000 54#define NFSEXP_PNFS 0x20000
54 55
55/* All flags that we claim to support. (Note we don't support NOACL.) */ 56/* All flags that we claim to support. (Note we don't support NOACL.) */
56#define NFSEXP_ALLFLAGS 0x3FE7F 57#define NFSEXP_ALLFLAGS 0x3FEFF
57 58
58/* The flags that may vary depending on security flavor: */ 59/* The flags that may vary depending on security flavor: */
59#define NFSEXP_SECINFO_FLAGS (NFSEXP_READONLY | NFSEXP_ROOTSQUASH \ 60#define NFSEXP_SECINFO_FLAGS (NFSEXP_READONLY | NFSEXP_ROOTSQUASH \