knfsd: nfsd: use ip-address-based domain in secinfo case
With this patch, we fall back on using the gss/pseudoflavor only if we fail to
find a matching auth_unix export that has a secinfo list.
As long as sec= options aren't used, there's still no change in behavior here
(except possibly for some additional auth_unix cache lookups, whose results
will be ignored).
The sec= option, however, is not actually enforced yet; later patches will add
the necessary checks.
Signed-off-by: "J. Bruce Fields" <bfields@citi.umich.edu>
Signed-off-by: Neil Brown <neilb@suse.de>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
diff --git a/fs/nfsd/export.c b/fs/nfsd/export.c
index ac225a7..4537a8f 100644
--- a/fs/nfsd/export.c
+++ b/fs/nfsd/export.c
@@ -1229,6 +1229,10 @@
}
/*
+ * Uses rq_client and rq_gssclient to find an export; uses rq_client (an
+ * auth_unix client) if it's available and has secinfo information;
+ * otherwise, will try to use rq_gssclient.
+ *
* Called from functions that handle requests; functions that do work on
* behalf of mountd are passed a single client name to use, and should
* use exp_get_by_name() or exp_find().
@@ -1237,29 +1241,83 @@
rqst_exp_get_by_name(struct svc_rqst *rqstp, struct vfsmount *mnt,
struct dentry *dentry)
{
- struct auth_domain *clp;
+ struct svc_export *gssexp, *exp = NULL;
- clp = rqstp->rq_gssclient ? rqstp->rq_gssclient : rqstp->rq_client;
- return exp_get_by_name(clp, mnt, dentry, &rqstp->rq_chandle);
+ if (rqstp->rq_client == NULL)
+ goto gss;
+
+ /* First try the auth_unix client: */
+ exp = exp_get_by_name(rqstp->rq_client, mnt, dentry,
+ &rqstp->rq_chandle);
+ if (PTR_ERR(exp) == -ENOENT)
+ goto gss;
+ if (IS_ERR(exp))
+ return exp;
+ /* If it has secinfo, assume there are no gss/... clients */
+ if (exp->ex_nflavors > 0)
+ return exp;
+gss:
+ /* Otherwise, try falling back on gss client */
+ if (rqstp->rq_gssclient == NULL)
+ return exp;
+ gssexp = exp_get_by_name(rqstp->rq_gssclient, mnt, dentry,
+ &rqstp->rq_chandle);
+ if (PTR_ERR(gssexp) == -ENOENT)
+ return exp;
+ if (exp && !IS_ERR(exp))
+ exp_put(exp);
+ return gssexp;
}
struct svc_export *
rqst_exp_find(struct svc_rqst *rqstp, int fsid_type, u32 *fsidv)
{
- struct auth_domain *clp;
+ struct svc_export *gssexp, *exp = NULL;
- clp = rqstp->rq_gssclient ? rqstp->rq_gssclient : rqstp->rq_client;
- return exp_find(clp, fsid_type, fsidv, &rqstp->rq_chandle);
+ if (rqstp->rq_client == NULL)
+ goto gss;
+
+ /* First try the auth_unix client: */
+ exp = exp_find(rqstp->rq_client, fsid_type, fsidv, &rqstp->rq_chandle);
+ if (PTR_ERR(exp) == -ENOENT)
+ goto gss;
+ if (IS_ERR(exp))
+ return exp;
+ /* If it has secinfo, assume there are no gss/... clients */
+ if (exp->ex_nflavors > 0)
+ return exp;
+gss:
+ /* Otherwise, try falling back on gss client */
+ if (rqstp->rq_gssclient == NULL)
+ return exp;
+ gssexp = exp_find(rqstp->rq_gssclient, fsid_type, fsidv,
+ &rqstp->rq_chandle);
+ if (PTR_ERR(gssexp) == -ENOENT)
+ return exp;
+ if (exp && !IS_ERR(exp))
+ exp_put(exp);
+ return gssexp;
}
struct svc_export *
rqst_exp_parent(struct svc_rqst *rqstp, struct vfsmount *mnt,
struct dentry *dentry)
{
- struct auth_domain *clp;
+ struct svc_export *exp;
- clp = rqstp->rq_gssclient ? rqstp->rq_gssclient : rqstp->rq_client;
- return exp_parent(rqstp->rq_client, mnt, dentry, &rqstp->rq_chandle);
+ dget(dentry);
+ exp = rqst_exp_get_by_name(rqstp, mnt, dentry);
+
+ while (PTR_ERR(exp) == -ENOENT && !IS_ROOT(dentry)) {
+ struct dentry *parent;
+
+ parent = dget_parent(dentry);
+ dput(dentry);
+ dentry = parent;
+ exp = rqst_exp_get_by_name(rqstp, mnt, dentry);
+ }
+ dput(dentry);
+ return exp;
}
/*