1 files changed, 110 insertions, 3 deletions
diff --git a/fs/nfs/namespace.c b/fs/nfs/namespace.c
index b02720864ded..ad92bf731ff5 100644
--- a/fs/nfs/namespace.c
+++ b/fs/nfs/namespace.c
@@ -15,6 +15,7 @@
 #include <linux/string.h>
 #include <linux/sunrpc/clnt.h>
 #include <linux/vfs.h>
+#include <linux/sunrpc/gss_api.h>
 #include "internal.h"
 #define NFSDBG_FACILITY         NFSDBG_VFS
@@ -27,7 +28,8 @@ int nfs_mountpoint_expiry_timeout = 500 * HZ;
 static struct vfsmount *nfs_do_submount(struct dentry *dentry,
                                        struct nfs_fh *fh,
-                                        struct nfs_fattr *fattr);
+                                        struct nfs_fattr *fattr,
+                                        rpc_authflavor_t authflavor);
 /*
 * nfs_path - reconstruct the path given an arbitrary dentry
@@ -116,6 +118,100 @@ Elong:
        return ERR_PTR(-ENAMETOOLONG);
 }
+#ifdef CONFIG_NFS_V4
+static rpc_authflavor_t nfs_find_best_sec(struct nfs4_secinfo_flavors *flavors, struct inode *inode)
+{
+        struct gss_api_mech *mech;
+        struct xdr_netobj oid;
+        int i;
+        rpc_authflavor_t pseudoflavor = RPC_AUTH_UNIX;
+        for (i = 0; i < flavors->num_flavors; i++) {
+                struct nfs4_secinfo_flavor *flavor;
+                flavor = &flavors->flavors[i];
+                if (flavor->flavor == RPC_AUTH_NULL || flavor->flavor == RPC_AUTH_UNIX) {
+                        pseudoflavor = flavor->flavor;
+                        break;
+                } else if (flavor->flavor == RPC_AUTH_GSS) {
+                        oid.len  = flavor->gss.sec_oid4.len;
+                        oid.data = flavor->gss.sec_oid4.data;
+                        mech = gss_mech_get_by_OID(&oid);
+                        if (!mech)
+                                continue;
+                        pseudoflavor = gss_svc_to_pseudoflavor(mech, flavor->gss.service);
+                        gss_mech_put(mech);
+                        break;
+                }
+        }
+        return pseudoflavor;
+}
+static rpc_authflavor_t nfs_negotiate_security(const struct dentry *parent, const struct dentry *dentry)
+{
+        int status = 0;
+        struct page *page;
+        struct nfs4_secinfo_flavors *flavors;
+        int (*secinfo)(struct inode *, const struct qstr *, struct nfs4_secinfo_flavors *);
+        rpc_authflavor_t flavor = RPC_AUTH_UNIX;
+        secinfo = NFS_PROTO(parent->d_inode)->secinfo;
+        if (secinfo != NULL) {
+                page = alloc_page(GFP_KERNEL);
+                if (!page) {
+                        status = -ENOMEM;
+                        goto out;
+                }
+                flavors = page_address(page);
+                status = secinfo(parent->d_inode, &dentry->d_name, flavors);
+                flavor = nfs_find_best_sec(flavors, dentry->d_inode);
+                put_page(page);
+        }
+        return flavor;
+out:
+        status = -ENOMEM;
+        return status;
+}
+static rpc_authflavor_t nfs_lookup_with_sec(struct nfs_server *server, struct dentry *parent,
+                                     struct dentry *dentry, struct path *path,
+                                     struct nfs_fh *fh, struct nfs_fattr *fattr)
+{
+        rpc_authflavor_t flavor;
+        struct rpc_clnt *clone;
+        struct rpc_auth *auth;
+        int err;
+        flavor = nfs_negotiate_security(parent, path->dentry);
+        if (flavor < 0)
+                goto out;
+        clone  = rpc_clone_client(server->client);
+        auth   = rpcauth_create(flavor, clone);
+        if (!auth) {
+                flavor = -EIO;
+                goto out;
+        }
+        err = server->nfs_client->rpc_ops->lookup(clone, parent->d_inode,
+                                                  &path->dentry->d_name,
+                                                  fh, fattr);
+        if (err < 0)
+                flavor = err;
+out:
+        return flavor;
+}
+#else /* CONFIG_NFS_V4 */
+static inline rpc_authflavor_t nfs_lookup_with_sec(struct nfs_server *server,
+                                     struct dentry *parent, struct dentry *dentry,
+                                     struct path *path, struct nfs_fh *fh,
+                                     struct nfs_fattr *fattr)
+{
+        return -EPERM;
+}
+#endif /* CONFIG_NFS_V4 */
 /*
 * nfs_d_automount - Handle crossing a mountpoint on the server
 * @path - The mountpoint
@@ -136,6 +232,7 @@ struct vfsmount *nfs_d_automount(struct path *path)
        struct nfs_fh *fh = NULL;
        struct nfs_fattr *fattr = NULL;
        int err;
+        rpc_authflavor_t flavor = 1;
        dprintk("--> nfs_d_automount()\n");
@@ -156,6 +253,13 @@ struct vfsmount *nfs_d_automount(struct path *path)
        err = server->nfs_client->rpc_ops->lookup(server->client, parent->d_inode,
                                                  &path->dentry->d_name,
                                                  fh, fattr);
+        if (err == -EPERM) {
+                flavor = nfs_lookup_with_sec(server, parent, path->dentry, path, fh, fattr);
+                if (flavor < 0)
+                        err = flavor;
+                else
+                        err = 0;
+        }
        dput(parent);
        if (err != 0) {
                mnt = ERR_PTR(err);
@@ -165,7 +269,7 @@ struct vfsmount *nfs_d_automount(struct path *path)
        if (fattr->valid & NFS_ATTR_FATTR_V4_REFERRAL)
                mnt = nfs_do_refmount(path->dentry);
        else
-                mnt = nfs_do_submount(path->dentry, fh, fattr);
+                mnt = nfs_do_submount(path->dentry, fh, fattr, flavor);
        if (IS_ERR(mnt))
                goto out;
@@ -232,17 +336,20 @@ static struct vfsmount *nfs_do_clone_mount(struct nfs_server *server,
 * @dentry - parent directory
 * @fh - filehandle for new root dentry
 * @fattr - attributes for new root inode
+ * @authflavor - security flavor to use when performing the mount
 *
 */
 static struct vfsmount *nfs_do_submount(struct dentry *dentry,
                                        struct nfs_fh *fh,
-                                        struct nfs_fattr *fattr)
+                                        struct nfs_fattr *fattr,
+                                        rpc_authflavor_t authflavor)
 {
        struct nfs_clone_mount mountdata = {
                .sb = dentry->d_sb,
                .dentry = dentry,
                .fh = fh,
                .fattr = fattr,
+                .authflavor = authflavor,
        };
        struct vfsmount *mnt = ERR_PTR(-ENOMEM);
        char *page = (char *) __get_free_page(GFP_USER);

diff --git a/fs/nfs/namespace.c b/fs/nfs/namespace.c index b02720864ded..ad92bf731ff5 100644 --- a/fs/nfs/namespace.c +++ b/fs/nfs/namespace.c
@@ -15,6 +15,7 @@
15	#include <linux/string.h>	15	#include <linux/string.h>
16	#include <linux/sunrpc/clnt.h>	16	#include <linux/sunrpc/clnt.h>
17	#include <linux/vfs.h>	17	#include <linux/vfs.h>
		18	#include <linux/sunrpc/gss_api.h>
18	#include "internal.h"	19	#include "internal.h"
19		20
20	#define NFSDBG_FACILITY NFSDBG_VFS	21	#define NFSDBG_FACILITY NFSDBG_VFS
@@ -27,7 +28,8 @@ int nfs_mountpoint_expiry_timeout = 500 * HZ;
27		28
28	static struct vfsmount nfs_do_submount(struct dentry dentry,	29	static struct vfsmount nfs_do_submount(struct dentry dentry,
29	struct nfs_fh *fh,	30	struct nfs_fh *fh,
30	struct nfs_fattr *fattr);	31	struct nfs_fattr *fattr,
		32	rpc_authflavor_t authflavor);
31		33
32	/*	34	/*
33	* nfs_path - reconstruct the path given an arbitrary dentry	35	* nfs_path - reconstruct the path given an arbitrary dentry
@@ -116,6 +118,100 @@ Elong:
116	return ERR_PTR(-ENAMETOOLONG);	118	return ERR_PTR(-ENAMETOOLONG);
117	}	119	}
118		120
		121	#ifdef CONFIG_NFS_V4
		122	static rpc_authflavor_t nfs_find_best_sec(struct nfs4_secinfo_flavors flavors, struct inode inode)
		123	{
		124	struct gss_api_mech *mech;
		125	struct xdr_netobj oid;
		126	int i;
		127	rpc_authflavor_t pseudoflavor = RPC_AUTH_UNIX;
		128
		129	for (i = 0; i < flavors->num_flavors; i++) {
		130	struct nfs4_secinfo_flavor *flavor;
		131	flavor = &flavors->flavors[i];
		132
		133	if (flavor->flavor == RPC_AUTH_NULL \|\| flavor->flavor == RPC_AUTH_UNIX) {
		134	pseudoflavor = flavor->flavor;
		135	break;
		136	} else if (flavor->flavor == RPC_AUTH_GSS) {
		137	oid.len = flavor->gss.sec_oid4.len;
		138	oid.data = flavor->gss.sec_oid4.data;
		139	mech = gss_mech_get_by_OID(&oid);
		140	if (!mech)
		141	continue;
		142	pseudoflavor = gss_svc_to_pseudoflavor(mech, flavor->gss.service);
		143	gss_mech_put(mech);
		144	break;
		145	}
		146	}
		147
		148	return pseudoflavor;
		149	}
		150
		151	static rpc_authflavor_t nfs_negotiate_security(const struct dentry parent, const struct dentry dentry)
		152	{
		153	int status = 0;
		154	struct page *page;
		155	struct nfs4_secinfo_flavors *flavors;
		156	int (secinfo)(struct inode , const struct qstr , struct nfs4_secinfo_flavors );
		157	rpc_authflavor_t flavor = RPC_AUTH_UNIX;
		158
		159	secinfo = NFS_PROTO(parent->d_inode)->secinfo;
		160	if (secinfo != NULL) {
		161	page = alloc_page(GFP_KERNEL);
		162	if (!page) {
		163	status = -ENOMEM;
		164	goto out;
		165	}
		166	flavors = page_address(page);
		167	status = secinfo(parent->d_inode, &dentry->d_name, flavors);
		168	flavor = nfs_find_best_sec(flavors, dentry->d_inode);
		169	put_page(page);
		170	}
		171
		172	return flavor;
		173
		174	out:
		175	status = -ENOMEM;
		176	return status;
		177	}
		178
		179	static rpc_authflavor_t nfs_lookup_with_sec(struct nfs_server server, struct dentry parent,
		180	struct dentry dentry, struct path path,
		181	struct nfs_fh fh, struct nfs_fattr fattr)
		182	{
		183	rpc_authflavor_t flavor;
		184	struct rpc_clnt *clone;
		185	struct rpc_auth *auth;
		186	int err;
		187
		188	flavor = nfs_negotiate_security(parent, path->dentry);
		189	if (flavor < 0)
		190	goto out;
		191	clone = rpc_clone_client(server->client);
		192	auth = rpcauth_create(flavor, clone);
		193	if (!auth) {
		194	flavor = -EIO;
		195	goto out;
		196	}
		197	err = server->nfs_client->rpc_ops->lookup(clone, parent->d_inode,
		198	&path->dentry->d_name,
		199	fh, fattr);
		200	if (err < 0)
		201	flavor = err;
		202	out:
		203	return flavor;
		204	}
		205	#else /* CONFIG_NFS_V4 */
		206	static inline rpc_authflavor_t nfs_lookup_with_sec(struct nfs_server *server,
		207	struct dentry parent, struct dentry dentry,
		208	struct path path, struct nfs_fh fh,
		209	struct nfs_fattr *fattr)
		210	{
		211	return -EPERM;
		212	}
		213	#endif /* CONFIG_NFS_V4 */
		214
119	/*	215	/*
120	* nfs_d_automount - Handle crossing a mountpoint on the server	216	* nfs_d_automount - Handle crossing a mountpoint on the server
121	* @path - The mountpoint	217	* @path - The mountpoint
@@ -136,6 +232,7 @@ struct vfsmount nfs_d_automount(struct path path)
136	struct nfs_fh *fh = NULL;	232	struct nfs_fh *fh = NULL;
137	struct nfs_fattr *fattr = NULL;	233	struct nfs_fattr *fattr = NULL;
138	int err;	234	int err;
		235	rpc_authflavor_t flavor = 1;
139		236
140	dprintk("--> nfs_d_automount()\n");	237	dprintk("--> nfs_d_automount()\n");
141		238
@@ -156,6 +253,13 @@ struct vfsmount nfs_d_automount(struct path path)
156	err = server->nfs_client->rpc_ops->lookup(server->client, parent->d_inode,	253	err = server->nfs_client->rpc_ops->lookup(server->client, parent->d_inode,
157	&path->dentry->d_name,	254	&path->dentry->d_name,
158	fh, fattr);	255	fh, fattr);
		256	if (err == -EPERM) {
		257	flavor = nfs_lookup_with_sec(server, parent, path->dentry, path, fh, fattr);
		258	if (flavor < 0)
		259	err = flavor;
		260	else
		261	err = 0;
		262	}
159	dput(parent);	263	dput(parent);
160	if (err != 0) {	264	if (err != 0) {
161	mnt = ERR_PTR(err);	265	mnt = ERR_PTR(err);
@@ -165,7 +269,7 @@ struct vfsmount nfs_d_automount(struct path path)
165	if (fattr->valid & NFS_ATTR_FATTR_V4_REFERRAL)	269	if (fattr->valid & NFS_ATTR_FATTR_V4_REFERRAL)
166	mnt = nfs_do_refmount(path->dentry);	270	mnt = nfs_do_refmount(path->dentry);
167	else	271	else
168	mnt = nfs_do_submount(path->dentry, fh, fattr);	272	mnt = nfs_do_submount(path->dentry, fh, fattr, flavor);
169	if (IS_ERR(mnt))	273	if (IS_ERR(mnt))
170	goto out;	274	goto out;
171		275
@@ -232,17 +336,20 @@ static struct vfsmount nfs_do_clone_mount(struct nfs_server server,
232	* @dentry - parent directory	336	* @dentry - parent directory
233	* @fh - filehandle for new root dentry	337	* @fh - filehandle for new root dentry
234	* @fattr - attributes for new root inode	338	* @fattr - attributes for new root inode
		339	* @authflavor - security flavor to use when performing the mount
235	*	340	*
236	*/	341	*/
237	static struct vfsmount nfs_do_submount(struct dentry dentry,	342	static struct vfsmount nfs_do_submount(struct dentry dentry,
238	struct nfs_fh *fh,	343	struct nfs_fh *fh,
239	struct nfs_fattr *fattr)	344	struct nfs_fattr *fattr,
		345	rpc_authflavor_t authflavor)
240	{	346	{
241	struct nfs_clone_mount mountdata = {	347	struct nfs_clone_mount mountdata = {
242	.sb = dentry->d_sb,	348	.sb = dentry->d_sb,
243	.dentry = dentry,	349	.dentry = dentry,
244	.fh = fh,	350	.fh = fh,
245	.fattr = fattr,	351	.fattr = fattr,
		352	.authflavor = authflavor,
246	};	353	};
247	struct vfsmount *mnt = ERR_PTR(-ENOMEM);	354	struct vfsmount *mnt = ERR_PTR(-ENOMEM);
248	char page = (char ) __get_free_page(GFP_USER);	355	char page = (char ) __get_free_page(GFP_USER);