nfsd: restrict filehandles accepted in V4ROOT case

On V4ROOT exports, only accept filehandles that are the *root* of some export. This allows mountd to allow or deny access to individual directories and symlinks on the pseudofilesystem. Note that the checks in readdir and lookup are not enough, since a malicious host with access to the network could guess filehandles that they weren't able to obtain through lookup or readdir. Signed-off-by: Steve Dickson <steved@redhat.com> Signed-off-by: J. Bruce Fields <bfields@citi.umich.edu>
author: Steve Dickson <SteveD@redhat.com> 2009-09-09 15:06:05 -0400
committer: J. Bruce Fields <bfields@citi.umich.edu> 2009-12-15 14:07:24 -0500
commit: 03a816b46d7eba78da11e4025f0af195b32fa464 (patch)
tree: 5069e9183dd5535c61bc7eff8a8a03202a19568d /fs/nfsd/nfsfh.c
parent: f2ca7153ca49a407ea1c7232c9fa7e9849f03f9c (diff)
1 files changed, 34 insertions, 0 deletions
diff --git a/fs/nfsd/nfsfh.c b/fs/nfsd/nfsfh.c
index 951938d6c495..44812c32e51e 100644
--- a/fs/nfsd/nfsfh.c
+++ b/fs/nfsd/nfsfh.c
@@ -103,6 +103,36 @@ static __be32 nfsd_setuser_and_check_port(struct svc_rqst *rqstp,
        return nfserrno(nfsd_setuser(rqstp, exp));
 }
+static inline __be32 check_pseudo_root(struct svc_rqst *rqstp,
+        struct dentry *dentry, struct svc_export *exp)
+{
+        if (!(exp->ex_flags & NFSEXP_V4ROOT))
+                return nfs_ok;
+        /*
+         * v2/v3 clients have no need for the V4ROOT export--they use
+         * the mount protocl instead; also, further V4ROOT checks may be
+         * in v4-specific code, in which case v2/v3 clients could bypass
+         * them.
+         */
+        if (!nfsd_v4client(rqstp))
+                return nfserr_stale;
+        /*
+         * We're exposing only the directories and symlinks that have to be
+         * traversed on the way to real exports:
+         */
+        if (unlikely(!S_ISDIR(dentry->d_inode->i_mode) &&
+                     !S_ISLNK(dentry->d_inode->i_mode)))
+                return nfserr_stale;
+        /*
+         * A pseudoroot export gives permission to access only one
+         * single directory; the kernel has to make another upcall
+         * before granting access to anything else under it:
+         */
+        if (unlikely(dentry != exp->ex_path.dentry))
+                return nfserr_stale;
+        return nfs_ok;
+}
 /*
 * Use the given filehandle to look up the corresponding export and
 * dentry.  On success, the results are used to set fh_export and
@@ -299,6 +329,10 @@ fh_verify(struct svc_rqst *rqstp, struct svc_fh *fhp, int type, int access)
         *        (for example, if different id-squashing options are in
         *        effect on the new filesystem).
         */
+        error = check_pseudo_root(rqstp, dentry, exp);
+        if (error)
+                goto out;
        error = nfsd_setuser_and_check_port(rqstp, exp);
        if (error)
                goto out;
author	Steve Dickson <SteveD@redhat.com>	2009-09-09 15:06:05 -0400
committer	J. Bruce Fields <bfields@citi.umich.edu>	2009-12-15 14:07:24 -0500
commit	03a816b46d7eba78da11e4025f0af195b32fa464 (patch)
tree	5069e9183dd5535c61bc7eff8a8a03202a19568d /fs/nfsd/nfsfh.c
parent	f2ca7153ca49a407ea1c7232c9fa7e9849f03f9c (diff)

diff --git a/fs/nfsd/nfsfh.c b/fs/nfsd/nfsfh.c index 951938d6c495..44812c32e51e 100644 --- a/fs/nfsd/nfsfh.c +++ b/fs/nfsd/nfsfh.c
@@ -103,6 +103,36 @@ static __be32 nfsd_setuser_and_check_port(struct svc_rqst *rqstp,
103	return nfserrno(nfsd_setuser(rqstp, exp));	103	return nfserrno(nfsd_setuser(rqstp, exp));
104	}	104	}
105		105
		106	static inline __be32 check_pseudo_root(struct svc_rqst *rqstp,
		107	struct dentry dentry, struct svc_export exp)
		108	{
		109	if (!(exp->ex_flags & NFSEXP_V4ROOT))
		110	return nfs_ok;
		111	/*
		112	* v2/v3 clients have no need for the V4ROOT export--they use
		113	* the mount protocl instead; also, further V4ROOT checks may be
		114	* in v4-specific code, in which case v2/v3 clients could bypass
		115	* them.
		116	*/
		117	if (!nfsd_v4client(rqstp))
		118	return nfserr_stale;
		119	/*
		120	* We're exposing only the directories and symlinks that have to be
		121	* traversed on the way to real exports:
		122	*/
		123	if (unlikely(!S_ISDIR(dentry->d_inode->i_mode) &&
		124	!S_ISLNK(dentry->d_inode->i_mode)))
		125	return nfserr_stale;
		126	/*
		127	* A pseudoroot export gives permission to access only one
		128	* single directory; the kernel has to make another upcall
		129	* before granting access to anything else under it:
		130	*/
		131	if (unlikely(dentry != exp->ex_path.dentry))
		132	return nfserr_stale;
		133	return nfs_ok;
		134	}
		135
106	/*	136	/*
107	* Use the given filehandle to look up the corresponding export and	137	* Use the given filehandle to look up the corresponding export and
108	* dentry. On success, the results are used to set fh_export and	138	* dentry. On success, the results are used to set fh_export and
@@ -299,6 +329,10 @@ fh_verify(struct svc_rqst rqstp, struct svc_fh fhp, int type, int access)
299	* (for example, if different id-squashing options are in	329	* (for example, if different id-squashing options are in
300	* effect on the new filesystem).	330	* effect on the new filesystem).
301	*/	331	*/
		332	error = check_pseudo_root(rqstp, dentry, exp);
		333	if (error)
		334	goto out;
		335
302	error = nfsd_setuser_and_check_port(rqstp, exp);	336	error = nfsd_setuser_and_check_port(rqstp, exp);
303	if (error)	337	if (error)
304	goto out;	338	goto out;