Commit 68c97153fb7f2877f98aa6c29546381d9cad2fed
1 parent
805a6af8db
Exists in
master
and in
6 other branches
SUNRPC: Clean up the RPCSEC_GSS service ticket requests
Instead of hacking specific service names into gss_encode_v1_msg, we should just allow the caller to specify the service name explicitly. Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com> Acked-by: J. Bruce Fields <bfields@redhat.com>
Showing 6 changed files with 32 additions and 23 deletions Side-by-side Diff
fs/nfs/client.c
| ... | ... | @@ -185,7 +185,7 @@ |
| 185 | 185 | clp->cl_minorversion = cl_init->minorversion; |
| 186 | 186 | clp->cl_mvops = nfs_v4_minor_ops[cl_init->minorversion]; |
| 187 | 187 | #endif |
| 188 | - cred = rpc_lookup_machine_cred(); | |
| 188 | + cred = rpc_lookup_machine_cred("*"); | |
| 189 | 189 | if (!IS_ERR(cred)) |
| 190 | 190 | clp->cl_machine_cred = cred; |
| 191 | 191 | nfs_fscache_get_client_cookie(clp); |
fs/nfsd/nfs4callback.c
include/linux/sunrpc/auth.h
| ... | ... | @@ -26,6 +26,7 @@ |
| 26 | 26 | uid_t uid; |
| 27 | 27 | gid_t gid; |
| 28 | 28 | struct group_info *group_info; |
| 29 | + const char *principal; | |
| 29 | 30 | unsigned char machine_cred : 1; |
| 30 | 31 | }; |
| 31 | 32 | |
| ... | ... | @@ -127,7 +128,7 @@ |
| 127 | 128 | void rpc_destroy_authunix(void); |
| 128 | 129 | |
| 129 | 130 | struct rpc_cred * rpc_lookup_cred(void); |
| 130 | -struct rpc_cred * rpc_lookup_machine_cred(void); | |
| 131 | +struct rpc_cred * rpc_lookup_machine_cred(const char *service_name); | |
| 131 | 132 | int rpcauth_register(const struct rpc_authops *); |
| 132 | 133 | int rpcauth_unregister(const struct rpc_authops *); |
| 133 | 134 | struct rpc_auth * rpcauth_create(rpc_authflavor_t, struct rpc_clnt *); |
include/linux/sunrpc/auth_gss.h
net/sunrpc/auth_generic.c
| ... | ... | @@ -41,15 +41,17 @@ |
| 41 | 41 | /* |
| 42 | 42 | * Public call interface for looking up machine creds. |
| 43 | 43 | */ |
| 44 | -struct rpc_cred *rpc_lookup_machine_cred(void) | |
| 44 | +struct rpc_cred *rpc_lookup_machine_cred(const char *service_name) | |
| 45 | 45 | { |
| 46 | 46 | struct auth_cred acred = { |
| 47 | 47 | .uid = RPC_MACHINE_CRED_USERID, |
| 48 | 48 | .gid = RPC_MACHINE_CRED_GROUPID, |
| 49 | + .principal = service_name, | |
| 49 | 50 | .machine_cred = 1, |
| 50 | 51 | }; |
| 51 | 52 | |
| 52 | - dprintk("RPC: looking up machine cred\n"); | |
| 53 | + dprintk("RPC: looking up machine cred for service %s\n", | |
| 54 | + service_name); | |
| 53 | 55 | return generic_auth.au_ops->lookup_cred(&generic_auth, &acred, 0); |
| 54 | 56 | } |
| 55 | 57 | EXPORT_SYMBOL_GPL(rpc_lookup_machine_cred); |
net/sunrpc/auth_gss/auth_gss.c
| ... | ... | @@ -392,7 +392,8 @@ |
| 392 | 392 | } |
| 393 | 393 | |
| 394 | 394 | static void gss_encode_v1_msg(struct gss_upcall_msg *gss_msg, |
| 395 | - struct rpc_clnt *clnt, int machine_cred) | |
| 395 | + struct rpc_clnt *clnt, | |
| 396 | + const char *service_name) | |
| 396 | 397 | { |
| 397 | 398 | struct gss_api_mech *mech = gss_msg->auth->mech; |
| 398 | 399 | char *p = gss_msg->databuf; |
| 399 | 400 | |
| ... | ... | @@ -407,14 +408,10 @@ |
| 407 | 408 | p += len; |
| 408 | 409 | gss_msg->msg.len += len; |
| 409 | 410 | } |
| 410 | - if (machine_cred) { | |
| 411 | - len = sprintf(p, "service=* "); | |
| 411 | + if (service_name != NULL) { | |
| 412 | + len = sprintf(p, "service=%s ", service_name); | |
| 412 | 413 | p += len; |
| 413 | 414 | gss_msg->msg.len += len; |
| 414 | - } else if (!strcmp(clnt->cl_program->name, "nfs4_cb")) { | |
| 415 | - len = sprintf(p, "service=nfs "); | |
| 416 | - p += len; | |
| 417 | - gss_msg->msg.len += len; | |
| 418 | 415 | } |
| 419 | 416 | if (mech->gm_upcall_enctypes) { |
| 420 | 417 | len = sprintf(p, "enctypes=%s ", mech->gm_upcall_enctypes); |
| 421 | 418 | |
| 422 | 419 | |
| ... | ... | @@ -429,17 +426,18 @@ |
| 429 | 426 | } |
| 430 | 427 | |
| 431 | 428 | static void gss_encode_msg(struct gss_upcall_msg *gss_msg, |
| 432 | - struct rpc_clnt *clnt, int machine_cred) | |
| 429 | + struct rpc_clnt *clnt, | |
| 430 | + const char *service_name) | |
| 433 | 431 | { |
| 434 | 432 | if (pipe_version == 0) |
| 435 | 433 | gss_encode_v0_msg(gss_msg); |
| 436 | 434 | else /* pipe_version == 1 */ |
| 437 | - gss_encode_v1_msg(gss_msg, clnt, machine_cred); | |
| 435 | + gss_encode_v1_msg(gss_msg, clnt, service_name); | |
| 438 | 436 | } |
| 439 | 437 | |
| 440 | -static inline struct gss_upcall_msg * | |
| 441 | -gss_alloc_msg(struct gss_auth *gss_auth, uid_t uid, struct rpc_clnt *clnt, | |
| 442 | - int machine_cred) | |
| 438 | +static struct gss_upcall_msg * | |
| 439 | +gss_alloc_msg(struct gss_auth *gss_auth, struct rpc_clnt *clnt, | |
| 440 | + uid_t uid, const char *service_name) | |
| 443 | 441 | { |
| 444 | 442 | struct gss_upcall_msg *gss_msg; |
| 445 | 443 | int vers; |
| ... | ... | @@ -459,7 +457,7 @@ |
| 459 | 457 | atomic_set(&gss_msg->count, 1); |
| 460 | 458 | gss_msg->uid = uid; |
| 461 | 459 | gss_msg->auth = gss_auth; |
| 462 | - gss_encode_msg(gss_msg, clnt, machine_cred); | |
| 460 | + gss_encode_msg(gss_msg, clnt, service_name); | |
| 463 | 461 | return gss_msg; |
| 464 | 462 | } |
| 465 | 463 | |
| ... | ... | @@ -471,7 +469,7 @@ |
| 471 | 469 | struct gss_upcall_msg *gss_new, *gss_msg; |
| 472 | 470 | uid_t uid = cred->cr_uid; |
| 473 | 471 | |
| 474 | - gss_new = gss_alloc_msg(gss_auth, uid, clnt, gss_cred->gc_machine_cred); | |
| 472 | + gss_new = gss_alloc_msg(gss_auth, clnt, uid, gss_cred->gc_principal); | |
| 475 | 473 | if (IS_ERR(gss_new)) |
| 476 | 474 | return gss_new; |
| 477 | 475 | gss_msg = gss_add_msg(gss_new); |
| ... | ... | @@ -995,7 +993,9 @@ |
| 995 | 993 | */ |
| 996 | 994 | cred->gc_base.cr_flags = 1UL << RPCAUTH_CRED_NEW; |
| 997 | 995 | cred->gc_service = gss_auth->service; |
| 998 | - cred->gc_machine_cred = acred->machine_cred; | |
| 996 | + cred->gc_principal = NULL; | |
| 997 | + if (acred->machine_cred) | |
| 998 | + cred->gc_principal = acred->principal; | |
| 999 | 999 | kref_get(&gss_auth->kref); |
| 1000 | 1000 | return &cred->gc_base; |
| 1001 | 1001 | |
| ... | ... | @@ -1030,7 +1030,12 @@ |
| 1030 | 1030 | if (!test_bit(RPCAUTH_CRED_UPTODATE, &rc->cr_flags)) |
| 1031 | 1031 | return 0; |
| 1032 | 1032 | out: |
| 1033 | - if (acred->machine_cred != gss_cred->gc_machine_cred) | |
| 1033 | + if (acred->principal != NULL) { | |
| 1034 | + if (gss_cred->gc_principal == NULL) | |
| 1035 | + return 0; | |
| 1036 | + return strcmp(acred->principal, gss_cred->gc_principal) == 0; | |
| 1037 | + } | |
| 1038 | + if (gss_cred->gc_principal != NULL) | |
| 1034 | 1039 | return 0; |
| 1035 | 1040 | return rc->cr_uid == acred->uid; |
| 1036 | 1041 | } |
| ... | ... | @@ -1104,7 +1109,8 @@ |
| 1104 | 1109 | struct rpc_auth *auth = oldcred->cr_auth; |
| 1105 | 1110 | struct auth_cred acred = { |
| 1106 | 1111 | .uid = oldcred->cr_uid, |
| 1107 | - .machine_cred = gss_cred->gc_machine_cred, | |
| 1112 | + .principal = gss_cred->gc_principal, | |
| 1113 | + .machine_cred = (gss_cred->gc_principal != NULL ? 1 : 0), | |
| 1108 | 1114 | }; |
| 1109 | 1115 | struct rpc_cred *new; |
| 1110 | 1116 |