* [PATCH 1/4] NFSv4.1 Use the mount point rpc_clnt for layoutreturn @ 2013-07-22 16:42 andros 2013-07-22 16:42 ` [PATCH 2/4] NFSv4.1 Use clientid management rpc_clnt for fs_locations andros ` (3 more replies) 0 siblings, 4 replies; 18+ messages in thread From: andros @ 2013-07-22 16:42 UTC (permalink / raw) To: trond.myklebust; +Cc: linux-nfs, Andy Adamson From: Andy Adamson <andros@netapp.com> Should not use the clientid maintenance rpc_clnt. Signed-off-by: Andy Adamson <andros@netapp.com> --- fs/nfs/nfs4proc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/fs/nfs/nfs4proc.c b/fs/nfs/nfs4proc.c index cf11799..7a846b6 100644 --- a/fs/nfs/nfs4proc.c +++ b/fs/nfs/nfs4proc.c @@ -6876,7 +6876,7 @@ int nfs4_proc_layoutreturn(struct nfs4_layoutreturn *lrp) .rpc_cred = lrp->cred, }; struct rpc_task_setup task_setup_data = { - .rpc_client = lrp->clp->cl_rpcclient, + .rpc_client = NFS_SERVER(lrp->args.inode)->client, .rpc_message = &msg, .callback_ops = &nfs4_layoutreturn_call_ops, .callback_data = lrp, -- 1.8.3.1 ^ permalink raw reply related [flat|nested] 18+ messages in thread
* [PATCH 2/4] NFSv4.1 Use clientid management rpc_clnt for fs_locations 2013-07-22 16:42 [PATCH 1/4] NFSv4.1 Use the mount point rpc_clnt for layoutreturn andros @ 2013-07-22 16:42 ` andros 2013-08-07 16:54 ` Myklebust, Trond 2013-07-22 16:42 ` [PATCH 3/4] NFSv4.1 Use clientid management rpc_clnt for secinfo andros ` (2 subsequent siblings) 3 siblings, 1 reply; 18+ messages in thread From: andros @ 2013-07-22 16:42 UTC (permalink / raw) To: trond.myklebust; +Cc: linux-nfs, Andy Adamson From: Andy Adamson <andros@netapp.com> As per RFC 3530 and RFC 5661 Security Considerations. Commit 4edaa308 "NFS: Use "krb5i" to establish NFSv4 state whenever possible" uses the nfs_client cl_rpcclient for all clientid management operations. Remove un-needed rpc_clnt parameter from nfs4_proc_fs_locations and friends. Signed-off-by: Andy Adamson <andros@netapp.com> --- fs/nfs/nfs4_fs.h | 2 +- fs/nfs/nfs4namespace.c | 2 +- fs/nfs/nfs4proc.c | 13 +++++++------ 3 files changed, 9 insertions(+), 8 deletions(-) diff --git a/fs/nfs/nfs4_fs.h b/fs/nfs/nfs4_fs.h index ee81e35..97feff2 100644 --- a/fs/nfs/nfs4_fs.h +++ b/fs/nfs/nfs4_fs.h @@ -231,7 +231,7 @@ extern int nfs4_init_clientid(struct nfs_client *, struct rpc_cred *); extern int nfs41_init_clientid(struct nfs_client *, struct rpc_cred *); extern int nfs4_do_close(struct nfs4_state *state, gfp_t gfp_mask, int wait); extern int nfs4_server_capabilities(struct nfs_server *server, struct nfs_fh *fhandle); -extern int nfs4_proc_fs_locations(struct rpc_clnt *, struct inode *, const struct qstr *, +extern int nfs4_proc_fs_locations(struct inode *, const struct qstr *, struct nfs4_fs_locations *, struct page *); extern struct rpc_clnt *nfs4_proc_lookup_mountpoint(struct inode *, struct qstr *, struct nfs_fh *, struct nfs_fattr *); diff --git a/fs/nfs/nfs4namespace.c b/fs/nfs/nfs4namespace.c index cdb0b41..dca2f3a 100644 --- a/fs/nfs/nfs4namespace.c +++ b/fs/nfs/nfs4namespace.c @@ -350,7 +350,7 @@ static struct vfsmount *nfs_do_refmount(struct rpc_clnt *client, struct dentry * dprintk("%s: getting locations for %s/%s\n", __func__, parent->d_name.name, dentry->d_name.name); - err = nfs4_proc_fs_locations(client, parent->d_inode, &dentry->d_name, fs_locations, page); + err = nfs4_proc_fs_locations(parent->d_inode, &dentry->d_name, fs_locations, page); dput(parent); if (err != 0 || fs_locations->nlocations <= 0 || diff --git a/fs/nfs/nfs4proc.c b/fs/nfs/nfs4proc.c index 7a846b6..7761802 100644 --- a/fs/nfs/nfs4proc.c +++ b/fs/nfs/nfs4proc.c @@ -2831,7 +2831,7 @@ err_free_label: * Note that we'll actually follow the referral later when * we detect fsid mismatch in inode revalidation */ -static int nfs4_get_referral(struct rpc_clnt *client, struct inode *dir, +static int nfs4_get_referral(struct inode *dir, const struct qstr *name, struct nfs_fattr *fattr, struct nfs_fh *fhandle) { @@ -2846,7 +2846,7 @@ static int nfs4_get_referral(struct rpc_clnt *client, struct inode *dir, if (locations == NULL) goto out; - status = nfs4_proc_fs_locations(client, dir, name, locations, page); + status = nfs4_proc_fs_locations(dir, name, locations, page); if (status != 0) goto out; /* Make sure server returned a different fsid for the referral */ @@ -3025,7 +3025,7 @@ static int nfs4_proc_lookup_common(struct rpc_clnt **clnt, struct inode *dir, err = -ENOENT; goto out; case -NFS4ERR_MOVED: - err = nfs4_get_referral(client, dir, name, fattr, fhandle); + err = nfs4_get_referral(dir, name, fattr, fhandle); goto out; case -NFS4ERR_WRONGSEC: err = -EPERM; @@ -5733,7 +5733,7 @@ static void nfs_fixup_referral_attributes(struct nfs_fattr *fattr) fattr->nlink = 2; } -static int _nfs4_proc_fs_locations(struct rpc_clnt *client, struct inode *dir, +static int _nfs4_proc_fs_locations(struct inode *dir, const struct qstr *name, struct nfs4_fs_locations *fs_locations, struct page *page) @@ -5756,6 +5756,7 @@ static int _nfs4_proc_fs_locations(struct rpc_clnt *client, struct inode *dir, .rpc_argp = &args, .rpc_resp = &res, }; + struct rpc_clnt *client = NFS_SERVER(dir)->nfs_client->cl_rpcclient; int status; dprintk("%s: start\n", __func__); @@ -5775,7 +5776,7 @@ static int _nfs4_proc_fs_locations(struct rpc_clnt *client, struct inode *dir, return status; } -int nfs4_proc_fs_locations(struct rpc_clnt *client, struct inode *dir, +int nfs4_proc_fs_locations(struct inode *dir, const struct qstr *name, struct nfs4_fs_locations *fs_locations, struct page *page) @@ -5784,7 +5785,7 @@ int nfs4_proc_fs_locations(struct rpc_clnt *client, struct inode *dir, int err; do { err = nfs4_handle_exception(NFS_SERVER(dir), - _nfs4_proc_fs_locations(client, dir, name, fs_locations, page), + _nfs4_proc_fs_locations(dir, name, fs_locations, page), &exception); } while (exception.retry); return err; -- 1.8.3.1 ^ permalink raw reply related [flat|nested] 18+ messages in thread
* Re: [PATCH 2/4] NFSv4.1 Use clientid management rpc_clnt for fs_locations 2013-07-22 16:42 ` [PATCH 2/4] NFSv4.1 Use clientid management rpc_clnt for fs_locations andros @ 2013-08-07 16:54 ` Myklebust, Trond [not found] ` <479EB531-9CD2-42E2-AB98-A3CD9B13603D@netapp.com> 0 siblings, 1 reply; 18+ messages in thread From: Myklebust, Trond @ 2013-08-07 16:54 UTC (permalink / raw) To: Adamson, Andy; +Cc: linux-nfs T24gTW9uLCAyMDEzLTA3LTIyIGF0IDEyOjQyIC0wNDAwLCBhbmRyb3NAbmV0YXBwLmNvbSB3cm90 ZToNCj4gRnJvbTogQW5keSBBZGFtc29uIDxhbmRyb3NAbmV0YXBwLmNvbT4NCj4gDQo+IEFzIHBl ciBSRkMgMzUzMCBhbmQgUkZDIDU2NjEgU2VjdXJpdHkgQ29uc2lkZXJhdGlvbnMuDQo+IA0KPiBD b21taXQgNGVkYWEzMDggIk5GUzogVXNlICJrcmI1aSIgdG8gZXN0YWJsaXNoIE5GU3Y0IHN0YXRl IHdoZW5ldmVyIHBvc3NpYmxlIg0KPiB1c2VzIHRoZSBuZnNfY2xpZW50IGNsX3JwY2NsaWVudCBm b3IgYWxsIGNsaWVudGlkIG1hbmFnZW1lbnQgb3BlcmF0aW9ucy4NCg0KV2h5PyBGcm9tIGEgc2Vj dXJpdHkgcGVyc3BlY3RpdmUsIGhvdyBpcyB0aGlzIGFueSBkaWZmZXJlbnQgZnJvbSBkb2luZyBh DQpSRUFETElOSywgZm9yIGluc3RhbmNlPw0KDQotLSANClRyb25kIE15a2xlYnVzdA0KTGludXgg TkZTIGNsaWVudCBtYWludGFpbmVyDQoNCk5ldEFwcA0KVHJvbmQuTXlrbGVidXN0QG5ldGFwcC5j b20NCnd3dy5uZXRhcHAuY29tDQo= ^ permalink raw reply [flat|nested] 18+ messages in thread
[parent not found: <479EB531-9CD2-42E2-AB98-A3CD9B13603D@netapp.com>]
* Re: [PATCH 2/4] NFSv4.1 Use clientid management rpc_clnt for fs_locations [not found] ` <479EB531-9CD2-42E2-AB98-A3CD9B13603D@netapp.com> @ 2013-08-07 18:04 ` Myklebust, Trond 2013-08-07 18:19 ` Myklebust, Trond 0 siblings, 1 reply; 18+ messages in thread From: Myklebust, Trond @ 2013-08-07 18:04 UTC (permalink / raw) To: Adamson, Andy; +Cc: linux-nfs T24gV2VkLCAyMDEzLTA4LTA3IGF0IDE4OjAxICswMDAwLCBBZGFtc29uLCBBbmR5IHdyb3RlOg0K PiANCj4gT24gQXVnIDcsIDIwMTMsIGF0IDEyOjU0IFBNLCAiTXlrbGVidXN0LCBUcm9uZCINCj4g PFRyb25kLk15a2xlYnVzdEBuZXRhcHAuY29tPg0KPiAgd3JvdGU6DQo+IA0KPiA+IE9uIE1vbiwg MjAxMy0wNy0yMiBhdCAxMjo0MiAtMDQwMCwgYW5kcm9zQG5ldGFwcC5jb20gd3JvdGU6DQo+ID4g PiBGcm9tOiBBbmR5IEFkYW1zb24gPGFuZHJvc0BuZXRhcHAuY29tPg0KPiA+ID4gDQo+ID4gPiBB cyBwZXIgUkZDIDM1MzAgYW5kIFJGQyA1NjYxIFNlY3VyaXR5IENvbnNpZGVyYXRpb25zLg0KPiA+ ID4gDQo+ID4gPiBDb21taXQgNGVkYWEzMDggIk5GUzogVXNlICJrcmI1aSIgdG8gZXN0YWJsaXNo IE5GU3Y0IHN0YXRlDQo+ID4gPiB3aGVuZXZlciBwb3NzaWJsZSINCj4gPiA+IHVzZXMgdGhlIG5m c19jbGllbnQgY2xfcnBjY2xpZW50IGZvciBhbGwgY2xpZW50aWQgbWFuYWdlbWVudA0KPiA+ID4g b3BlcmF0aW9ucy4NCj4gPiANCj4gPiBXaHk/IA0KPiANCj4gDQo+IFRvIHByb3RlY3QgdGhlIGlu dGVncml0eSBvZiB0aGUgZnNfbG9jYXRpb25zIHNlcnZlciBsaXN0Lg0KPiANCj4gPiBGcm9tIGEg c2VjdXJpdHkgcGVyc3BlY3RpdmUsIGhvdyBpcyB0aGlzIGFueSBkaWZmZXJlbnQgZnJvbSBkb2lu ZyBhDQo+ID4gUkVBRExJTkssIGZvciBpbnN0YW5jZT8NCj4gDQo+IA0KPiBmc19sb2NhdGlvbnMg ZGlmZmVycyBmcm9tIFJFQURMSU5LIGluIHRoYXQgY29tcHJvbWlzaW5nIHRoZQ0KPiBmc19sb2Nh dGlvbnMgYXR0cmlidXRlIHNlcnZlciBsaXN0IGNhbiByZXN1bHQgaW4gYWxsIG9mIHRoZSBjbGll bnQNCj4gdHJhZmZpYyB1bmRlciBhIGp1bmN0aW9uIHJlZGlyZWN0ZWQgYnkgYW4gYXR0YWNrZXIu DQoNCkkgcmVwZWF0OiBob3cgaXMgdGhpcyBpbiBhbnkgd2F5LCBzaGFwZSBvciBmb3JtIGRpZmZl cmVudCBmcm9tIFJFQURMSU5LPw0KDQo+IA0KPiBIZXJlIGlzIHRoZSBhdHRhY2sgYXMgZGVzY3Jp YmVkIGluIDM1MzBiaXMgU2VjdXJpdHkgQ29uc2lkZXJhdGlvbnMNCj4gc2VjdGlvbjoNCj4gDQo+ IA0KPiAgICBUaGUgc2Vjb25kIG9wZXJhdGlvbiB0aGF0IHNob3VsZCBkZWZpbml0ZWx5IHVzZSBp bnRlZ3JpdHkgcHJvdGVjdGlvbg0KPiAgICBpcyBhbnkgR0VUQVRUUiBmb3IgdGhlIGZzX2xvY2F0 aW9ucyBhdHRyaWJ1dGUuICBUaGUgYXR0YWNrIGhhcyB0d28NCj4gICAgc3RlcHMuICBGaXJzdCB0 aGUgYXR0YWNrZXIgbW9kaWZpZXMgdGhlIHVucHJvdGVjdGVkIHJlc3VsdHMgb2Ygc29tZQ0KPiAg ICBvcGVyYXRpb24gdG8gcmV0dXJuIE5GUzRFUlJfTU9WRUQuICBTZWNvbmQsIHdoZW4gdGhlIGNs aWVudCBmb2xsb3dzDQo+ICAgIHVwIHdpdGggYSBHRVRBVFRSIGZvciB0aGUgZnNfbG9jYXRpb25z IGF0dHJpYnV0ZSwgdGhlIGF0dGFja2VyDQo+ICAgIG1vZGlmaWVzIHRoZSByZXN1bHRzIHRvIGNh dXNlIHRoZSBjbGllbnQgbWlncmF0ZSBpdHMgdHJhZmZpYyB0byBhDQo+ICAgIHNlcnZlciBjb250 cm9sbGVkIGJ5IHRoZSBhdHRhY2tlci4NCg0KWW91IGNhbiB0aGUgZXhhY3Qgc2FtZSB0aGluZyBi eSBjaGFuZ2luZyB0aGUgUkVBRExJTksgcmVzdWx0cy4NCg0KDQotLSANClRyb25kIE15a2xlYnVz dA0KTGludXggTkZTIGNsaWVudCBtYWludGFpbmVyDQoNCk5ldEFwcA0KVHJvbmQuTXlrbGVidXN0 QG5ldGFwcC5jb20NCnd3dy5uZXRhcHAuY29tDQo= ^ permalink raw reply [flat|nested] 18+ messages in thread
* Re: [PATCH 2/4] NFSv4.1 Use clientid management rpc_clnt for fs_locations 2013-08-07 18:04 ` Myklebust, Trond @ 2013-08-07 18:19 ` Myklebust, Trond 2013-08-07 18:24 ` Adamson, Andy 2013-08-07 18:32 ` Adamson, Andy 0 siblings, 2 replies; 18+ messages in thread From: Myklebust, Trond @ 2013-08-07 18:19 UTC (permalink / raw) To: Adamson, Andy; +Cc: linux-nfs T24gV2VkLCAyMDEzLTA4LTA3IGF0IDE0OjA0IC0wNDAwLCBUcm9uZCBNeWtsZWJ1c3Qgd3JvdGU6 DQo+IE9uIFdlZCwgMjAxMy0wOC0wNyBhdCAxODowMSArMDAwMCwgQWRhbXNvbiwgQW5keSB3cm90 ZToNCj4gPiANCj4gPiBIZXJlIGlzIHRoZSBhdHRhY2sgYXMgZGVzY3JpYmVkIGluIDM1MzBiaXMg U2VjdXJpdHkgQ29uc2lkZXJhdGlvbnMNCj4gPiBzZWN0aW9uOg0KPiA+IA0KPiA+IA0KPiA+ICAg IFRoZSBzZWNvbmQgb3BlcmF0aW9uIHRoYXQgc2hvdWxkIGRlZmluaXRlbHkgdXNlIGludGVncml0 eSBwcm90ZWN0aW9uDQo+ID4gICAgaXMgYW55IEdFVEFUVFIgZm9yIHRoZSBmc19sb2NhdGlvbnMg YXR0cmlidXRlLiAgVGhlIGF0dGFjayBoYXMgdHdvDQo+ID4gICAgc3RlcHMuICBGaXJzdCB0aGUg YXR0YWNrZXIgbW9kaWZpZXMgdGhlIHVucHJvdGVjdGVkIHJlc3VsdHMgb2Ygc29tZQ0KPiA+ICAg IG9wZXJhdGlvbiB0byByZXR1cm4gTkZTNEVSUl9NT1ZFRC4gIFNlY29uZCwgd2hlbiB0aGUgY2xp ZW50IGZvbGxvd3MNCj4gPiAgICB1cCB3aXRoIGEgR0VUQVRUUiBmb3IgdGhlIGZzX2xvY2F0aW9u cyBhdHRyaWJ1dGUsIHRoZSBhdHRhY2tlcg0KPiA+ICAgIG1vZGlmaWVzIHRoZSByZXN1bHRzIHRv IGNhdXNlIHRoZSBjbGllbnQgbWlncmF0ZSBpdHMgdHJhZmZpYyB0byBhDQo+ID4gICAgc2VydmVy IGNvbnRyb2xsZWQgYnkgdGhlIGF0dGFja2VyLg0KPiANCj4gWW91IGNhbiB0aGUgZXhhY3Qgc2Ft ZSB0aGluZyBieSBjaGFuZ2luZyB0aGUgUkVBRExJTksgcmVzdWx0cy4NCg0KVGhlIGF0dGFjayBp czogY2hhbmdlIHRoZSB1bnByb3RlY3RlZCBMT09LVVAgcmVzdWx0cyB0byBwb2ludCB0byBhDQpz eW1saW5rLCB0aGVuIGZlZWQgJy9uZXQvPGV2aWwtaXAtYWRkcmVzcz4vbXkvZXZpbC9wYXRobmFt ZScgaW50bw0KUkVBRExJTksuDQoNCk15IHBvaW50IGlzIHRoYXQgaWYgeW91J3JlIG9uIGEgbmV0 d29yayB3aGVyZSB0aGUgYWJvdmUgaXMgYSBwb3RlbnRpYWwNCnRocmVhdCwgdGhlbiB5b3Ugc2hv dWxkIGJlIHVzaW5nIGtyYjVpIG9yLCBiZXR0ZXIgeWV0LCBrcmI1cCBmb3IgX2FsbF8NCm9wZXJh dGlvbnMuIEl0J3Mgbm90IHN1ZmZpY2llbnQgdG8gc2luZ2xlIG91dCBmc19sb2NhdGlvbnMgZm9y IHNwZWNpYWwNCnRyZWF0bWVudC4NCg0KLS0gDQpUcm9uZCBNeWtsZWJ1c3QNCkxpbnV4IE5GUyBj bGllbnQgbWFpbnRhaW5lcg0KDQpOZXRBcHANClRyb25kLk15a2xlYnVzdEBuZXRhcHAuY29tDQp3 d3cubmV0YXBwLmNvbQ0K ^ permalink raw reply [flat|nested] 18+ messages in thread
* Re: [PATCH 2/4] NFSv4.1 Use clientid management rpc_clnt for fs_locations 2013-08-07 18:19 ` Myklebust, Trond @ 2013-08-07 18:24 ` Adamson, Andy 2013-08-07 18:28 ` Fwd: " Adamson, Andy 2013-08-07 18:32 ` Myklebust, Trond 2013-08-07 18:32 ` Adamson, Andy 1 sibling, 2 replies; 18+ messages in thread From: Adamson, Andy @ 2013-08-07 18:24 UTC (permalink / raw) To: Myklebust, Trond; +Cc: Adamson, Andy, linux-nfs On Aug 7, 2013, at 2:19 PM, "Myklebust, Trond" <Trond.Myklebust@netapp.com> wrote: > On Wed, 2013-08-07 at 14:04 -0400, Trond Myklebust wrote: >> On Wed, 2013-08-07 at 18:01 +0000, Adamson, Andy wrote: >>> >>> Here is the attack as described in 3530bis Security Considerations >>> section: >>> >>> >>> The second operation that should definitely use integrity protection >>> is any GETATTR for the fs_locations attribute. The attack has two >>> steps. First the attacker modifies the unprotected results of some >>> operation to return NFS4ERR_MOVED. Second, when the client follows >>> up with a GETATTR for the fs_locations attribute, the attacker >>> modifies the results to cause the client migrate its traffic to a >>> server controlled by the attacker. >> >> You can the exact same thing by changing the READLINK results. > > The attack is: change the unprotected LOOKUP results to point to a > symlink, then feed '/net/<evil-ip-address>/my/evil/pathname' into > READLINK. > > My point is that if you're on a network where the above is a potential > threat, then you should be using krb5i or, better yet, krb5p for _all_ > operations. It's not sufficient to single out fs_locations for special > treatment. In that case, why did you accept commit 4edaa308 "NFS: Use "krb5i" to establish NFSv4 state whenever possible" ? -->Andy > > -- > Trond Myklebust > Linux NFS client maintainer > > NetApp > Trond.Myklebust@netapp.com > www.netapp.com ^ permalink raw reply [flat|nested] 18+ messages in thread
* Fwd: [PATCH 2/4] NFSv4.1 Use clientid management rpc_clnt for fs_locations 2013-08-07 18:24 ` Adamson, Andy @ 2013-08-07 18:28 ` Adamson, Andy 2013-08-07 18:32 ` Myklebust, Trond 1 sibling, 0 replies; 18+ messages in thread From: Adamson, Andy @ 2013-08-07 18:28 UTC (permalink / raw) To: linux-nfs@vger.kernel.org list Re-send due to my mailer adding html to the message, and thus being rejected by linux-nfs@vger.kernel.org -->Andy Begin forwarded message: > From: "Adamson, Andy" <William.Adamson@netapp.com> > Subject: Re: [PATCH 2/4] NFSv4.1 Use clientid management rpc_clnt for fs_locations > Date: August 7, 2013 2:24:31 PM EDT > To: "Myklebust, Trond" <Trond.Myklebust@netapp.com> > Cc: "Adamson, Andy" <William.Adamson@netapp.com>, "linux-nfs@vger.kernel.org" <linux-nfs@vger.kernel.org> > > > On Aug 7, 2013, at 2:19 PM, "Myklebust, Trond" <Trond.Myklebust@netapp.com> > wrote: > >> On Wed, 2013-08-07 at 14:04 -0400, Trond Myklebust wrote: >>> On Wed, 2013-08-07 at 18:01 +0000, Adamson, Andy wrote: >>>> >>>> Here is the attack as described in 3530bis Security Considerations >>>> section: >>>> >>>> >>>> The second operation that should definitely use integrity protection >>>> is any GETATTR for the fs_locations attribute. The attack has two >>>> steps. First the attacker modifies the unprotected results of some >>>> operation to return NFS4ERR_MOVED. Second, when the client follows >>>> up with a GETATTR for the fs_locations attribute, the attacker >>>> modifies the results to cause the client migrate its traffic to a >>>> server controlled by the attacker. >>> >>> You can the exact same thing by changing the READLINK results. >> >> The attack is: change the unprotected LOOKUP results to point to a >> symlink, then feed '/net/<evil-ip-address>/my/evil/pathname' into >> READLINK. >> >> My point is that if you're on a network where the above is a potential >> threat, then you should be using krb5i or, better yet, krb5p for _all_ >> operations. It's not sufficient to single out fs_locations for special >> treatment. > > In that case, why did you accept commit 4edaa308 "NFS: Use "krb5i" to establish NFSv4 state whenever possible" ? > > -->Andy > >> >> -- >> Trond Myklebust >> Linux NFS client maintainer >> >> NetApp >> Trond.Myklebust@netapp.com >> www.netapp.com > ^ permalink raw reply [flat|nested] 18+ messages in thread
* Re: [PATCH 2/4] NFSv4.1 Use clientid management rpc_clnt for fs_locations 2013-08-07 18:24 ` Adamson, Andy 2013-08-07 18:28 ` Fwd: " Adamson, Andy @ 2013-08-07 18:32 ` Myklebust, Trond 1 sibling, 0 replies; 18+ messages in thread From: Myklebust, Trond @ 2013-08-07 18:32 UTC (permalink / raw) To: Adamson, Andy; +Cc: linux-nfs T24gV2VkLCAyMDEzLTA4LTA3IGF0IDE4OjI0ICswMDAwLCBBZGFtc29uLCBBbmR5IHdyb3RlOg0K PiBPbiBBdWcgNywgMjAxMywgYXQgMjoxOSBQTSwgIk15a2xlYnVzdCwgVHJvbmQiIDxUcm9uZC5N eWtsZWJ1c3RAbmV0YXBwLmNvbT4NCj4gIHdyb3RlOg0KPiANCj4gPiBPbiBXZWQsIDIwMTMtMDgt MDcgYXQgMTQ6MDQgLTA0MDAsIFRyb25kIE15a2xlYnVzdCB3cm90ZToNCj4gPj4gT24gV2VkLCAy MDEzLTA4LTA3IGF0IDE4OjAxICswMDAwLCBBZGFtc29uLCBBbmR5IHdyb3RlOg0KPiA+Pj4gDQo+ ID4+PiBIZXJlIGlzIHRoZSBhdHRhY2sgYXMgZGVzY3JpYmVkIGluIDM1MzBiaXMgU2VjdXJpdHkg Q29uc2lkZXJhdGlvbnMNCj4gPj4+IHNlY3Rpb246DQo+ID4+PiANCj4gPj4+IA0KPiA+Pj4gICBU aGUgc2Vjb25kIG9wZXJhdGlvbiB0aGF0IHNob3VsZCBkZWZpbml0ZWx5IHVzZSBpbnRlZ3JpdHkg cHJvdGVjdGlvbg0KPiA+Pj4gICBpcyBhbnkgR0VUQVRUUiBmb3IgdGhlIGZzX2xvY2F0aW9ucyBh dHRyaWJ1dGUuICBUaGUgYXR0YWNrIGhhcyB0d28NCj4gPj4+ICAgc3RlcHMuICBGaXJzdCB0aGUg YXR0YWNrZXIgbW9kaWZpZXMgdGhlIHVucHJvdGVjdGVkIHJlc3VsdHMgb2Ygc29tZQ0KPiA+Pj4g ICBvcGVyYXRpb24gdG8gcmV0dXJuIE5GUzRFUlJfTU9WRUQuICBTZWNvbmQsIHdoZW4gdGhlIGNs aWVudCBmb2xsb3dzDQo+ID4+PiAgIHVwIHdpdGggYSBHRVRBVFRSIGZvciB0aGUgZnNfbG9jYXRp b25zIGF0dHJpYnV0ZSwgdGhlIGF0dGFja2VyDQo+ID4+PiAgIG1vZGlmaWVzIHRoZSByZXN1bHRz IHRvIGNhdXNlIHRoZSBjbGllbnQgbWlncmF0ZSBpdHMgdHJhZmZpYyB0byBhDQo+ID4+PiAgIHNl cnZlciBjb250cm9sbGVkIGJ5IHRoZSBhdHRhY2tlci4NCj4gPj4gDQo+ID4+IFlvdSBjYW4gdGhl IGV4YWN0IHNhbWUgdGhpbmcgYnkgY2hhbmdpbmcgdGhlIFJFQURMSU5LIHJlc3VsdHMuDQo+ID4g DQo+ID4gVGhlIGF0dGFjayBpczogY2hhbmdlIHRoZSB1bnByb3RlY3RlZCBMT09LVVAgcmVzdWx0 cyB0byBwb2ludCB0byBhDQo+ID4gc3ltbGluaywgdGhlbiBmZWVkICcvbmV0LzxldmlsLWlwLWFk ZHJlc3M+L215L2V2aWwvcGF0aG5hbWUnIGludG8NCj4gPiBSRUFETElOSy4NCj4gPiANCj4gPiBN eSBwb2ludCBpcyB0aGF0IGlmIHlvdSdyZSBvbiBhIG5ldHdvcmsgd2hlcmUgdGhlIGFib3ZlIGlz IGEgcG90ZW50aWFsDQo+ID4gdGhyZWF0LCB0aGVuIHlvdSBzaG91bGQgYmUgdXNpbmcga3JiNWkg b3IsIGJldHRlciB5ZXQsIGtyYjVwIGZvciBfYWxsXw0KPiA+IG9wZXJhdGlvbnMuIEl0J3Mgbm90 IHN1ZmZpY2llbnQgdG8gc2luZ2xlIG91dCBmc19sb2NhdGlvbnMgZm9yIHNwZWNpYWwNCj4gPiB0 cmVhdG1lbnQuDQo+IA0KPiBJbiB0aGF0IGNhc2UsIHdoeSBkaWQgeW91IGFjY2VwdCBjb21taXQg NGVkYWEzMDggIk5GUzogVXNlICJrcmI1aSIgdG8gZXN0YWJsaXNoIE5GU3Y0IHN0YXRlIHdoZW5l dmVyIHBvc3NpYmxlIiA/DQoNCiAgICAgMS4gVG8gYXZvaWQgdGhlIE5GUzRFUlJfQ0xJRF9JTl9V U0UgcHJvYmxlbSB3aGVuIHlvdSBjaGFuZ2UgZnJvbQ0KICAgICAgICBvbmUgbW91bnQgYXV0aCBm bGF2b3VyIHRvIGFub3RoZXIuDQogICAgIDIuIEluIHNjZW5hcmlvcyB3aGVyZSBtaXhlZCBzZWN1 cml0eSBpcyBpbiB1c2UsIHRoZSBzdGF0ZSBtYW5hZ2VyDQogICAgICAgIHNob3VsZCBhbHdheXMg dXNlIHRoZSBzdHJvbmdlc3Qgc2VjdXJpdHkuIFByZXZpb3VzbHksIHdlIGp1c3QNCiAgICAgICAg Y2hvc2Ugd2hhdGV2ZXIgc2VjdXJpdHkgZmxhdm91ciB0aGF0IHdhcyB1c2VkIGZpcnN0Lg0KDQot LSANClRyb25kIE15a2xlYnVzdA0KTGludXggTkZTIGNsaWVudCBtYWludGFpbmVyDQoNCk5ldEFw cA0KVHJvbmQuTXlrbGVidXN0QG5ldGFwcC5jb20NCnd3dy5uZXRhcHAuY29tDQo= ^ permalink raw reply [flat|nested] 18+ messages in thread
* Re: [PATCH 2/4] NFSv4.1 Use clientid management rpc_clnt for fs_locations 2013-08-07 18:19 ` Myklebust, Trond 2013-08-07 18:24 ` Adamson, Andy @ 2013-08-07 18:32 ` Adamson, Andy 2013-08-07 18:36 ` Myklebust, Trond 1 sibling, 1 reply; 18+ messages in thread From: Adamson, Andy @ 2013-08-07 18:32 UTC (permalink / raw) To: Myklebust, Trond; +Cc: Adamson, Andy, linux-nfs On Aug 7, 2013, at 2:19 PM, "Myklebust, Trond" <Trond.Myklebust@netapp.com> wrote: > On Wed, 2013-08-07 at 14:04 -0400, Trond Myklebust wrote: >> On Wed, 2013-08-07 at 18:01 +0000, Adamson, Andy wrote: >>> >>> Here is the attack as described in 3530bis Security Considerations >>> section: >>> >>> >>> The second operation that should definitely use integrity protection >>> is any GETATTR for the fs_locations attribute. The attack has two >>> steps. First the attacker modifies the unprotected results of some >>> operation to return NFS4ERR_MOVED. Second, when the client follows >>> up with a GETATTR for the fs_locations attribute, the attacker >>> modifies the results to cause the client migrate its traffic to a >>> server controlled by the attacker. >> >> You can the exact same thing by changing the READLINK results. > > The attack is: change the unprotected LOOKUP results to point to a > symlink, then feed '/net/<evil-ip-address>/my/evil/pathname' into > READLINK. Does the linux client actually follow links with embedded IP addresses? -->Andy > > My point is that if you're on a network where the above is a potential > threat, then you should be using krb5i or, better yet, krb5p for _all_ > operations. It's not sufficient to single out fs_locations for special > treatment. > > -- > Trond Myklebust > Linux NFS client maintainer > > NetApp > Trond.Myklebust@netapp.com > www.netapp.com ^ permalink raw reply [flat|nested] 18+ messages in thread
* Re: [PATCH 2/4] NFSv4.1 Use clientid management rpc_clnt for fs_locations 2013-08-07 18:32 ` Adamson, Andy @ 2013-08-07 18:36 ` Myklebust, Trond 0 siblings, 0 replies; 18+ messages in thread From: Myklebust, Trond @ 2013-08-07 18:36 UTC (permalink / raw) To: Adamson, Andy; +Cc: linux-nfs T24gV2VkLCAyMDEzLTA4LTA3IGF0IDE4OjMyICswMDAwLCBBZGFtc29uLCBBbmR5IHdyb3RlOg0K PiBPbiBBdWcgNywgMjAxMywgYXQgMjoxOSBQTSwgIk15a2xlYnVzdCwgVHJvbmQiIDxUcm9uZC5N eWtsZWJ1c3RAbmV0YXBwLmNvbT4NCj4gIHdyb3RlOg0KPiANCj4gPiBPbiBXZWQsIDIwMTMtMDgt MDcgYXQgMTQ6MDQgLTA0MDAsIFRyb25kIE15a2xlYnVzdCB3cm90ZToNCj4gPj4gT24gV2VkLCAy MDEzLTA4LTA3IGF0IDE4OjAxICswMDAwLCBBZGFtc29uLCBBbmR5IHdyb3RlOg0KPiA+Pj4gDQo+ ID4+PiBIZXJlIGlzIHRoZSBhdHRhY2sgYXMgZGVzY3JpYmVkIGluIDM1MzBiaXMgU2VjdXJpdHkg Q29uc2lkZXJhdGlvbnMNCj4gPj4+IHNlY3Rpb246DQo+ID4+PiANCj4gPj4+IA0KPiA+Pj4gICBU aGUgc2Vjb25kIG9wZXJhdGlvbiB0aGF0IHNob3VsZCBkZWZpbml0ZWx5IHVzZSBpbnRlZ3JpdHkg cHJvdGVjdGlvbg0KPiA+Pj4gICBpcyBhbnkgR0VUQVRUUiBmb3IgdGhlIGZzX2xvY2F0aW9ucyBh dHRyaWJ1dGUuICBUaGUgYXR0YWNrIGhhcyB0d28NCj4gPj4+ICAgc3RlcHMuICBGaXJzdCB0aGUg YXR0YWNrZXIgbW9kaWZpZXMgdGhlIHVucHJvdGVjdGVkIHJlc3VsdHMgb2Ygc29tZQ0KPiA+Pj4g ICBvcGVyYXRpb24gdG8gcmV0dXJuIE5GUzRFUlJfTU9WRUQuICBTZWNvbmQsIHdoZW4gdGhlIGNs aWVudCBmb2xsb3dzDQo+ID4+PiAgIHVwIHdpdGggYSBHRVRBVFRSIGZvciB0aGUgZnNfbG9jYXRp b25zIGF0dHJpYnV0ZSwgdGhlIGF0dGFja2VyDQo+ID4+PiAgIG1vZGlmaWVzIHRoZSByZXN1bHRz IHRvIGNhdXNlIHRoZSBjbGllbnQgbWlncmF0ZSBpdHMgdHJhZmZpYyB0byBhDQo+ID4+PiAgIHNl cnZlciBjb250cm9sbGVkIGJ5IHRoZSBhdHRhY2tlci4NCj4gPj4gDQo+ID4+IFlvdSBjYW4gdGhl IGV4YWN0IHNhbWUgdGhpbmcgYnkgY2hhbmdpbmcgdGhlIFJFQURMSU5LIHJlc3VsdHMuDQo+ID4g DQo+ID4gVGhlIGF0dGFjayBpczogY2hhbmdlIHRoZSB1bnByb3RlY3RlZCBMT09LVVAgcmVzdWx0 cyB0byBwb2ludCB0byBhDQo+ID4gc3ltbGluaywgdGhlbiBmZWVkICcvbmV0LzxldmlsLWlwLWFk ZHJlc3M+L215L2V2aWwvcGF0aG5hbWUnIGludG8NCj4gPiBSRUFETElOSy4NCj4gDQo+IERvZXMg dGhlIGxpbnV4IGNsaWVudCBhY3R1YWxseSBmb2xsb3cgbGlua3Mgd2l0aCBlbWJlZGRlZCBJUCBh ZGRyZXNzZXM/DQoNCklmIHlvdSBoYXZlIGF1dG9mcyBvciBhbWQgcnVubmluZyBvbiB5b3VyIGNs aWVudCwgdGhlbiBzdXJlLi4uDQoNCi0tIA0KVHJvbmQgTXlrbGVidXN0DQpMaW51eCBORlMgY2xp ZW50IG1haW50YWluZXINCg0KTmV0QXBwDQpUcm9uZC5NeWtsZWJ1c3RAbmV0YXBwLmNvbQ0Kd3d3 Lm5ldGFwcC5jb20NCg== ^ permalink raw reply [flat|nested] 18+ messages in thread
* [PATCH 3/4] NFSv4.1 Use clientid management rpc_clnt for secinfo 2013-07-22 16:42 [PATCH 1/4] NFSv4.1 Use the mount point rpc_clnt for layoutreturn andros 2013-07-22 16:42 ` [PATCH 2/4] NFSv4.1 Use clientid management rpc_clnt for fs_locations andros @ 2013-07-22 16:42 ` andros 2013-07-22 16:58 ` Myklebust, Trond 2013-08-07 16:57 ` Myklebust, Trond 2013-07-22 16:42 ` [PATCH 4/4] NFSv4.1 Use clientid management rpc_clnt for secinfo_no_name andros 2013-07-22 16:44 ` [PATCH 1/4] NFSv4.1 Use the mount point rpc_clnt for layoutreturn Myklebust, Trond 3 siblings, 2 replies; 18+ messages in thread From: andros @ 2013-07-22 16:42 UTC (permalink / raw) To: trond.myklebust; +Cc: linux-nfs, Andy Adamson From: Andy Adamson <andros@netapp.com> As per RFC 3530 and RFC 5661 Security Considerations Commit 4edaa308 "NFS: Use "krb5i" to establish NFSv4 state whenever possible" uses the nfs_client cl_rpcclient for all clientid management operations. Signed-off-by: Andy Adamson <andros@netapp.com> --- fs/nfs/nfs4proc.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/fs/nfs/nfs4proc.c b/fs/nfs/nfs4proc.c index 7761802..6a30a72 100644 --- a/fs/nfs/nfs4proc.c +++ b/fs/nfs/nfs4proc.c @@ -5806,9 +5806,10 @@ static int _nfs4_proc_secinfo(struct inode *dir, const struct qstr *name, struct .rpc_argp = &args, .rpc_resp = &res, }; + struct rpc_clnt *clnt = NFS_SERVER(dir)->nfs_client->cl_rpcclient; dprintk("NFS call secinfo %s\n", name->name); - status = nfs4_call_sync(NFS_SERVER(dir)->client, NFS_SERVER(dir), &msg, &args.seq_args, &res.seq_res, 0); + status = nfs4_call_sync(clnt, NFS_SERVER(dir), &msg, &args.seq_args, &res.seq_res, 0); dprintk("NFS reply secinfo: %d\n", status); return status; } -- 1.8.3.1 ^ permalink raw reply related [flat|nested] 18+ messages in thread
* Re: [PATCH 3/4] NFSv4.1 Use clientid management rpc_clnt for secinfo 2013-07-22 16:42 ` [PATCH 3/4] NFSv4.1 Use clientid management rpc_clnt for secinfo andros @ 2013-07-22 16:58 ` Myklebust, Trond 2013-07-22 17:14 ` Adamson, Andy 2013-08-07 16:57 ` Myklebust, Trond 1 sibling, 1 reply; 18+ messages in thread From: Myklebust, Trond @ 2013-07-22 16:58 UTC (permalink / raw) To: Adamson, Andy; +Cc: linux-nfs T24gTW9uLCAyMDEzLTA3LTIyIGF0IDEyOjQyIC0wNDAwLCBhbmRyb3NAbmV0YXBwLmNvbSB3cm90 ZToNCj4gRnJvbTogQW5keSBBZGFtc29uIDxhbmRyb3NAbmV0YXBwLmNvbT4NCj4gDQo+IEFzIHBl ciBSRkMgMzUzMCBhbmQgUkZDIDU2NjEgU2VjdXJpdHkgQ29uc2lkZXJhdGlvbnMNCg0KUkZDMzUz MC1iaXMsIG5vdCBSRkMzNTMwLi4uDQoNCj4gQ29tbWl0IDRlZGFhMzA4ICJORlM6IFVzZSAia3Ji NWkiIHRvIGVzdGFibGlzaCBORlN2NCBzdGF0ZSB3aGVuZXZlciBwb3NzaWJsZSINCj4gdXNlcyB0 aGUgbmZzX2NsaWVudCBjbF9ycGNjbGllbnQgZm9yIGFsbCBjbGllbnRpZCBtYW5hZ2VtZW50IG9w ZXJhdGlvbnMuDQo+IA0KPiBTaWduZWQtb2ZmLWJ5OiBBbmR5IEFkYW1zb24gPGFuZHJvc0BuZXRh cHAuY29tPg0KPiAtLS0NCj4gIGZzL25mcy9uZnM0cHJvYy5jIHwgMyArKy0NCj4gIDEgZmlsZSBj aGFuZ2VkLCAyIGluc2VydGlvbnMoKyksIDEgZGVsZXRpb24oLSkNCj4gDQo+IGRpZmYgLS1naXQg YS9mcy9uZnMvbmZzNHByb2MuYyBiL2ZzL25mcy9uZnM0cHJvYy5jDQo+IGluZGV4IDc3NjE4MDIu LjZhMzBhNzIgMTAwNjQ0DQo+IC0tLSBhL2ZzL25mcy9uZnM0cHJvYy5jDQo+ICsrKyBiL2ZzL25m cy9uZnM0cHJvYy5jDQo+IEBAIC01ODA2LDkgKzU4MDYsMTAgQEAgc3RhdGljIGludCBfbmZzNF9w cm9jX3NlY2luZm8oc3RydWN0IGlub2RlICpkaXIsIGNvbnN0IHN0cnVjdCBxc3RyICpuYW1lLCBz dHJ1Y3QNCj4gIAkJLnJwY19hcmdwID0gJmFyZ3MsDQo+ICAJCS5ycGNfcmVzcCA9ICZyZXMsDQo+ ICAJfTsNCj4gKwlzdHJ1Y3QgcnBjX2NsbnQgKmNsbnQgPSBORlNfU0VSVkVSKGRpciktPm5mc19j bGllbnQtPmNsX3JwY2NsaWVudDsNCj4gIA0KPiAgCWRwcmludGsoIk5GUyBjYWxsICBzZWNpbmZv ICVzXG4iLCBuYW1lLT5uYW1lKTsNCj4gLQlzdGF0dXMgPSBuZnM0X2NhbGxfc3luYyhORlNfU0VS VkVSKGRpciktPmNsaWVudCwgTkZTX1NFUlZFUihkaXIpLCAmbXNnLCAmYXJncy5zZXFfYXJncywg JnJlcy5zZXFfcmVzLCAwKTsNCj4gKwlzdGF0dXMgPSBuZnM0X2NhbGxfc3luYyhjbG50LCBORlNf U0VSVkVSKGRpciksICZtc2csICZhcmdzLnNlcV9hcmdzLCAmcmVzLnNlcV9yZXMsIDApOw0KPiAg CWRwcmludGsoIk5GUyByZXBseSAgc2VjaW5mbzogJWRcbiIsIHN0YXR1cyk7DQo+ICAJcmV0dXJu IHN0YXR1czsNCj4gIH0NCg0KSGFzIHRoaXMgYmVlbiB0ZXN0ZWQgYWdhaW5zdCBhIHZhcmlldHkg b2Ygc2VydmVyIGltcGxlbWVudGF0aW9ucz8gSSBrbm93DQp3aGF0IHRoZSBzcGVjIHNheXMsIGJ1 dCB0aGUgYmVoYXZpb3VyIHdlJ3JlIHJlbHlpbmcgb24gaGVyZSBpcyBzdWJ0bHkNCmNoYW5nZWQg ZnJvbSB3aGF0IHdhcyBvcmlnaW5hbGx5IGRvY3VtZW50ZWQgaW4gUkZDMzUzMC4NCg0KLS0gDQpU cm9uZCBNeWtsZWJ1c3QNCkxpbnV4IE5GUyBjbGllbnQgbWFpbnRhaW5lcg0KDQpOZXRBcHANClRy b25kLk15a2xlYnVzdEBuZXRhcHAuY29tDQp3d3cubmV0YXBwLmNvbQ0K ^ permalink raw reply [flat|nested] 18+ messages in thread
* Re: [PATCH 3/4] NFSv4.1 Use clientid management rpc_clnt for secinfo 2013-07-22 16:58 ` Myklebust, Trond @ 2013-07-22 17:14 ` Adamson, Andy 0 siblings, 0 replies; 18+ messages in thread From: Adamson, Andy @ 2013-07-22 17:14 UTC (permalink / raw) To: Myklebust, Trond; +Cc: Adamson, Andy, linux-nfs On Jul 22, 2013, at 12:58 PM, "Myklebust, Trond" <Trond.Myklebust@netapp.com> wrote: > On Mon, 2013-07-22 at 12:42 -0400, andros@netapp.com wrote: >> From: Andy Adamson <andros@netapp.com> >> >> As per RFC 3530 and RFC 5661 Security Considerations > > RFC3530-bis, not RFC3530... > >> Commit 4edaa308 "NFS: Use "krb5i" to establish NFSv4 state whenever possible" >> uses the nfs_client cl_rpcclient for all clientid management operations. >> >> Signed-off-by: Andy Adamson <andros@netapp.com> >> --- >> fs/nfs/nfs4proc.c | 3 ++- >> 1 file changed, 2 insertions(+), 1 deletion(-) >> >> diff --git a/fs/nfs/nfs4proc.c b/fs/nfs/nfs4proc.c >> index 7761802..6a30a72 100644 >> --- a/fs/nfs/nfs4proc.c >> +++ b/fs/nfs/nfs4proc.c >> @@ -5806,9 +5806,10 @@ static int _nfs4_proc_secinfo(struct inode *dir, const struct qstr *name, struct >> .rpc_argp = &args, >> .rpc_resp = &res, >> }; >> + struct rpc_clnt *clnt = NFS_SERVER(dir)->nfs_client->cl_rpcclient; >> >> dprintk("NFS call secinfo %s\n", name->name); >> - status = nfs4_call_sync(NFS_SERVER(dir)->client, NFS_SERVER(dir), &msg, &args.seq_args, &res.seq_res, 0); >> + status = nfs4_call_sync(clnt, NFS_SERVER(dir), &msg, &args.seq_args, &res.seq_res, 0); >> dprintk("NFS reply secinfo: %d\n", status); >> return status; >> } > > Has this been tested against a variety of server implementations? I know > what the spec says, but the behaviour we're relying on here is subtly > changed from what was originally documented in RFC3530. Not yet. I'll set up some tests. -->Andy > > -- > Trond Myklebust > Linux NFS client maintainer > > NetApp > Trond.Myklebust@netapp.com > www.netapp.com ^ permalink raw reply [flat|nested] 18+ messages in thread
* Re: [PATCH 3/4] NFSv4.1 Use clientid management rpc_clnt for secinfo 2013-07-22 16:42 ` [PATCH 3/4] NFSv4.1 Use clientid management rpc_clnt for secinfo andros 2013-07-22 16:58 ` Myklebust, Trond @ 2013-08-07 16:57 ` Myklebust, Trond 1 sibling, 0 replies; 18+ messages in thread From: Myklebust, Trond @ 2013-08-07 16:57 UTC (permalink / raw) To: Adamson, Andy; +Cc: linux-nfs T24gTW9uLCAyMDEzLTA3LTIyIGF0IDEyOjQyIC0wNDAwLCBhbmRyb3NAbmV0YXBwLmNvbSB3cm90 ZToNCj4gRnJvbTogQW5keSBBZGFtc29uIDxhbmRyb3NAbmV0YXBwLmNvbT4NCj4gDQo+IEFzIHBl ciBSRkMgMzUzMCBhbmQgUkZDIDU2NjEgU2VjdXJpdHkgQ29uc2lkZXJhdGlvbnMNCj4gDQo+IENv bW1pdCA0ZWRhYTMwOCAiTkZTOiBVc2UgImtyYjVpIiB0byBlc3RhYmxpc2ggTkZTdjQgc3RhdGUg d2hlbmV2ZXIgcG9zc2libGUiDQo+IHVzZXMgdGhlIG5mc19jbGllbnQgY2xfcnBjY2xpZW50IGZv ciBhbGwgY2xpZW50aWQgbWFuYWdlbWVudCBvcGVyYXRpb25zLg0KPiANCj4gU2lnbmVkLW9mZi1i eTogQW5keSBBZGFtc29uIDxhbmRyb3NAbmV0YXBwLmNvbT4NCj4gLS0tDQo+ICBmcy9uZnMvbmZz NHByb2MuYyB8IDMgKystDQo+ICAxIGZpbGUgY2hhbmdlZCwgMiBpbnNlcnRpb25zKCspLCAxIGRl bGV0aW9uKC0pDQo+IA0KPiBkaWZmIC0tZ2l0IGEvZnMvbmZzL25mczRwcm9jLmMgYi9mcy9uZnMv bmZzNHByb2MuYw0KPiBpbmRleCA3NzYxODAyLi42YTMwYTcyIDEwMDY0NA0KPiAtLS0gYS9mcy9u ZnMvbmZzNHByb2MuYw0KPiArKysgYi9mcy9uZnMvbmZzNHByb2MuYw0KPiBAQCAtNTgwNiw5ICs1 ODA2LDEwIEBAIHN0YXRpYyBpbnQgX25mczRfcHJvY19zZWNpbmZvKHN0cnVjdCBpbm9kZSAqZGly LCBjb25zdCBzdHJ1Y3QgcXN0ciAqbmFtZSwgc3RydWN0DQo+ICAJCS5ycGNfYXJncCA9ICZhcmdz LA0KPiAgCQkucnBjX3Jlc3AgPSAmcmVzLA0KPiAgCX07DQo+ICsJc3RydWN0IHJwY19jbG50ICpj bG50ID0gTkZTX1NFUlZFUihkaXIpLT5uZnNfY2xpZW50LT5jbF9ycGNjbGllbnQ7DQo+ICANCj4g IAlkcHJpbnRrKCJORlMgY2FsbCAgc2VjaW5mbyAlc1xuIiwgbmFtZS0+bmFtZSk7DQo+IC0Jc3Rh dHVzID0gbmZzNF9jYWxsX3N5bmMoTkZTX1NFUlZFUihkaXIpLT5jbGllbnQsIE5GU19TRVJWRVIo ZGlyKSwgJm1zZywgJmFyZ3Muc2VxX2FyZ3MsICZyZXMuc2VxX3JlcywgMCk7DQo+ICsJc3RhdHVz ID0gbmZzNF9jYWxsX3N5bmMoY2xudCwgTkZTX1NFUlZFUihkaXIpLCAmbXNnLCAmYXJncy5zZXFf YXJncywgJnJlcy5zZXFfcmVzLCAwKTsNCj4gIAlkcHJpbnRrKCJORlMgcmVwbHkgIHNlY2luZm86 ICVkXG4iLCBzdGF0dXMpOw0KPiAgCXJldHVybiBzdGF0dXM7DQo+ICB9DQoNClRoaXMgbmVlZHMg YSBjb21tZW50IGluIHRoZSBjb2RlLg0KDQotLSANClRyb25kIE15a2xlYnVzdA0KTGludXggTkZT IGNsaWVudCBtYWludGFpbmVyDQoNCk5ldEFwcA0KVHJvbmQuTXlrbGVidXN0QG5ldGFwcC5jb20N Cnd3dy5uZXRhcHAuY29tDQo= ^ permalink raw reply [flat|nested] 18+ messages in thread
* [PATCH 4/4] NFSv4.1 Use clientid management rpc_clnt for secinfo_no_name 2013-07-22 16:42 [PATCH 1/4] NFSv4.1 Use the mount point rpc_clnt for layoutreturn andros 2013-07-22 16:42 ` [PATCH 2/4] NFSv4.1 Use clientid management rpc_clnt for fs_locations andros 2013-07-22 16:42 ` [PATCH 3/4] NFSv4.1 Use clientid management rpc_clnt for secinfo andros @ 2013-07-22 16:42 ` andros 2013-08-07 16:58 ` Myklebust, Trond 2013-07-22 16:44 ` [PATCH 1/4] NFSv4.1 Use the mount point rpc_clnt for layoutreturn Myklebust, Trond 3 siblings, 1 reply; 18+ messages in thread From: andros @ 2013-07-22 16:42 UTC (permalink / raw) To: trond.myklebust; +Cc: linux-nfs, Andy Adamson From: Andy Adamson <andros@netapp.com> As per RFC 5661 Security Considerations Commit 4edaa308 "NFS: Use "krb5i" to establish NFSv4 state whenever possible" uses the nfs_client cl_rpcclient for all clientid management operations. Signed-off-by: Andy Adamson <andros@netapp.com> --- fs/nfs/nfs4proc.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/fs/nfs/nfs4proc.c b/fs/nfs/nfs4proc.c index 6a30a72..0452b61 100644 --- a/fs/nfs/nfs4proc.c +++ b/fs/nfs/nfs4proc.c @@ -7098,7 +7098,8 @@ _nfs41_proc_secinfo_no_name(struct nfs_server *server, struct nfs_fh *fhandle, .rpc_argp = &args, .rpc_resp = &res, }; - return nfs4_call_sync(server->client, server, &msg, &args.seq_args, &res.seq_res, 0); + return nfs4_call_sync(server->nfs_client->cl_rpcclient, server, &msg, + &args.seq_args, &res.seq_res, 0); } static int -- 1.8.3.1 ^ permalink raw reply related [flat|nested] 18+ messages in thread
* Re: [PATCH 4/4] NFSv4.1 Use clientid management rpc_clnt for secinfo_no_name 2013-07-22 16:42 ` [PATCH 4/4] NFSv4.1 Use clientid management rpc_clnt for secinfo_no_name andros @ 2013-08-07 16:58 ` Myklebust, Trond 0 siblings, 0 replies; 18+ messages in thread From: Myklebust, Trond @ 2013-08-07 16:58 UTC (permalink / raw) To: Adamson, Andy; +Cc: linux-nfs T24gTW9uLCAyMDEzLTA3LTIyIGF0IDEyOjQyIC0wNDAwLCBhbmRyb3NAbmV0YXBwLmNvbSB3cm90 ZToNCj4gRnJvbTogQW5keSBBZGFtc29uIDxhbmRyb3NAbmV0YXBwLmNvbT4NCj4gDQo+IEFzIHBl ciBSRkMgNTY2MSBTZWN1cml0eSBDb25zaWRlcmF0aW9ucw0KPiANCj4gQ29tbWl0IDRlZGFhMzA4 ICJORlM6IFVzZSAia3JiNWkiIHRvIGVzdGFibGlzaCBORlN2NCBzdGF0ZSB3aGVuZXZlciBwb3Nz aWJsZSINCj4gdXNlcyB0aGUgbmZzX2NsaWVudCBjbF9ycGNjbGllbnQgZm9yIGFsbCBjbGllbnRp ZCBtYW5hZ2VtZW50IG9wZXJhdGlvbnMuDQo+IA0KPiBTaWduZWQtb2ZmLWJ5OiBBbmR5IEFkYW1z b24gPGFuZHJvc0BuZXRhcHAuY29tPg0KPiAtLS0NCj4gIGZzL25mcy9uZnM0cHJvYy5jIHwgMyAr Ky0NCj4gIDEgZmlsZSBjaGFuZ2VkLCAyIGluc2VydGlvbnMoKyksIDEgZGVsZXRpb24oLSkNCj4g DQo+IGRpZmYgLS1naXQgYS9mcy9uZnMvbmZzNHByb2MuYyBiL2ZzL25mcy9uZnM0cHJvYy5jDQo+ IGluZGV4IDZhMzBhNzIuLjA0NTJiNjEgMTAwNjQ0DQo+IC0tLSBhL2ZzL25mcy9uZnM0cHJvYy5j DQo+ICsrKyBiL2ZzL25mcy9uZnM0cHJvYy5jDQo+IEBAIC03MDk4LDcgKzcwOTgsOCBAQCBfbmZz NDFfcHJvY19zZWNpbmZvX25vX25hbWUoc3RydWN0IG5mc19zZXJ2ZXIgKnNlcnZlciwgc3RydWN0 IG5mc19maCAqZmhhbmRsZSwNCj4gIAkJLnJwY19hcmdwID0gJmFyZ3MsDQo+ICAJCS5ycGNfcmVz cCA9ICZyZXMsDQo+ICAJfTsNCj4gLQlyZXR1cm4gbmZzNF9jYWxsX3N5bmMoc2VydmVyLT5jbGll bnQsIHNlcnZlciwgJm1zZywgJmFyZ3Muc2VxX2FyZ3MsICZyZXMuc2VxX3JlcywgMCk7DQo+ICsJ cmV0dXJuIG5mczRfY2FsbF9zeW5jKHNlcnZlci0+bmZzX2NsaWVudC0+Y2xfcnBjY2xpZW50LCBz ZXJ2ZXIsICZtc2csDQo+ICsJCQkJJmFyZ3Muc2VxX2FyZ3MsICZyZXMuc2VxX3JlcywgMCk7DQo+ ICB9DQo+ICANCj4gIHN0YXRpYyBpbnQNCg0KRGl0dG86IFRoaXMgbmVlZHMgYSBjb2RlIGNvbW1l bnQuDQoNCi0tIA0KVHJvbmQgTXlrbGVidXN0DQpMaW51eCBORlMgY2xpZW50IG1haW50YWluZXIN Cg0KTmV0QXBwDQpUcm9uZC5NeWtsZWJ1c3RAbmV0YXBwLmNvbQ0Kd3d3Lm5ldGFwcC5jb20NCg== ^ permalink raw reply [flat|nested] 18+ messages in thread
* Re: [PATCH 1/4] NFSv4.1 Use the mount point rpc_clnt for layoutreturn 2013-07-22 16:42 [PATCH 1/4] NFSv4.1 Use the mount point rpc_clnt for layoutreturn andros ` (2 preceding siblings ...) 2013-07-22 16:42 ` [PATCH 4/4] NFSv4.1 Use clientid management rpc_clnt for secinfo_no_name andros @ 2013-07-22 16:44 ` Myklebust, Trond 2013-07-22 16:46 ` Myklebust, Trond 3 siblings, 1 reply; 18+ messages in thread From: Myklebust, Trond @ 2013-07-22 16:44 UTC (permalink / raw) To: Adamson, Andy; +Cc: linux-nfs T24gTW9uLCAyMDEzLTA3LTIyIGF0IDEyOjQyIC0wNDAwLCBhbmRyb3NAbmV0YXBwLmNvbSB3cm90 ZToNCj4gRnJvbTogQW5keSBBZGFtc29uIDxhbmRyb3NAbmV0YXBwLmNvbT4NCj4gDQo+IFNob3Vs ZCBub3QgdXNlIHRoZSBjbGllbnRpZCBtYWludGVuYW5jZSBycGNfY2xudC4NCj4gDQo+IFNpZ25l ZC1vZmYtYnk6IEFuZHkgQWRhbXNvbiA8YW5kcm9zQG5ldGFwcC5jb20+DQo+IC0tLQ0KPiAgZnMv bmZzL25mczRwcm9jLmMgfCAyICstDQo+ICAxIGZpbGUgY2hhbmdlZCwgMSBpbnNlcnRpb24oKyks IDEgZGVsZXRpb24oLSkNCj4gDQo+IGRpZmYgLS1naXQgYS9mcy9uZnMvbmZzNHByb2MuYyBiL2Zz L25mcy9uZnM0cHJvYy5jDQo+IGluZGV4IGNmMTE3OTkuLjdhODQ2YjYgMTAwNjQ0DQo+IC0tLSBh L2ZzL25mcy9uZnM0cHJvYy5jDQo+ICsrKyBiL2ZzL25mcy9uZnM0cHJvYy5jDQo+IEBAIC02ODc2 LDcgKzY4NzYsNyBAQCBpbnQgbmZzNF9wcm9jX2xheW91dHJldHVybihzdHJ1Y3QgbmZzNF9sYXlv dXRyZXR1cm4gKmxycCkNCj4gIAkJLnJwY19jcmVkID0gbHJwLT5jcmVkLA0KPiAgCX07DQo+ICAJ c3RydWN0IHJwY190YXNrX3NldHVwIHRhc2tfc2V0dXBfZGF0YSA9IHsNCj4gLQkJLnJwY19jbGll bnQgPSBscnAtPmNscC0+Y2xfcnBjY2xpZW50LA0KPiArCQkucnBjX2NsaWVudCA9IE5GU19TRVJW RVIobHJwLT5hcmdzLmlub2RlKS0+Y2xpZW50LA0KPiAgCQkucnBjX21lc3NhZ2UgPSAmbXNnLA0K PiAgCQkuY2FsbGJhY2tfb3BzID0gJm5mczRfbGF5b3V0cmV0dXJuX2NhbGxfb3BzLA0KPiAgCQku Y2FsbGJhY2tfZGF0YSA9IGxycCwNCg0KTkFDSy4gTEFZT1VUUkVUVVJOIG5lZWRzIHRvIHVzZSB0 aGUgc2FtZSBjcmVkZW50aWFsIGFzIExBWU9VVEdFVC4NCg0KLS0gDQpUcm9uZCBNeWtsZWJ1c3QN CkxpbnV4IE5GUyBjbGllbnQgbWFpbnRhaW5lcg0KDQpOZXRBcHANClRyb25kLk15a2xlYnVzdEBu ZXRhcHAuY29tDQp3d3cubmV0YXBwLmNvbQ0K ^ permalink raw reply [flat|nested] 18+ messages in thread
* Re: [PATCH 1/4] NFSv4.1 Use the mount point rpc_clnt for layoutreturn 2013-07-22 16:44 ` [PATCH 1/4] NFSv4.1 Use the mount point rpc_clnt for layoutreturn Myklebust, Trond @ 2013-07-22 16:46 ` Myklebust, Trond 0 siblings, 0 replies; 18+ messages in thread From: Myklebust, Trond @ 2013-07-22 16:46 UTC (permalink / raw) To: Adamson, Andy; +Cc: linux-nfs T24gTW9uLCAyMDEzLTA3LTIyIGF0IDEyOjQ0IC0wNDAwLCBUcm9uZCBNeWtsZWJ1c3Qgd3JvdGU6 DQo+IE9uIE1vbiwgMjAxMy0wNy0yMiBhdCAxMjo0MiAtMDQwMCwgYW5kcm9zQG5ldGFwcC5jb20g d3JvdGU6DQo+ID4gRnJvbTogQW5keSBBZGFtc29uIDxhbmRyb3NAbmV0YXBwLmNvbT4NCj4gPiAN Cj4gPiBTaG91bGQgbm90IHVzZSB0aGUgY2xpZW50aWQgbWFpbnRlbmFuY2UgcnBjX2NsbnQuDQo+ ID4gDQo+ID4gU2lnbmVkLW9mZi1ieTogQW5keSBBZGFtc29uIDxhbmRyb3NAbmV0YXBwLmNvbT4N Cj4gPiAtLS0NCj4gPiAgZnMvbmZzL25mczRwcm9jLmMgfCAyICstDQo+ID4gIDEgZmlsZSBjaGFu Z2VkLCAxIGluc2VydGlvbigrKSwgMSBkZWxldGlvbigtKQ0KPiA+IA0KPiA+IGRpZmYgLS1naXQg YS9mcy9uZnMvbmZzNHByb2MuYyBiL2ZzL25mcy9uZnM0cHJvYy5jDQo+ID4gaW5kZXggY2YxMTc5 OS4uN2E4NDZiNiAxMDA2NDQNCj4gPiAtLS0gYS9mcy9uZnMvbmZzNHByb2MuYw0KPiA+ICsrKyBi L2ZzL25mcy9uZnM0cHJvYy5jDQo+ID4gQEAgLTY4NzYsNyArNjg3Niw3IEBAIGludCBuZnM0X3By b2NfbGF5b3V0cmV0dXJuKHN0cnVjdCBuZnM0X2xheW91dHJldHVybiAqbHJwKQ0KPiA+ICAJCS5y cGNfY3JlZCA9IGxycC0+Y3JlZCwNCj4gPiAgCX07DQo+ID4gIAlzdHJ1Y3QgcnBjX3Rhc2tfc2V0 dXAgdGFza19zZXR1cF9kYXRhID0gew0KPiA+IC0JCS5ycGNfY2xpZW50ID0gbHJwLT5jbHAtPmNs X3JwY2NsaWVudCwNCj4gPiArCQkucnBjX2NsaWVudCA9IE5GU19TRVJWRVIobHJwLT5hcmdzLmlu b2RlKS0+Y2xpZW50LA0KPiA+ICAJCS5ycGNfbWVzc2FnZSA9ICZtc2csDQo+ID4gIAkJLmNhbGxi YWNrX29wcyA9ICZuZnM0X2xheW91dHJldHVybl9jYWxsX29wcywNCj4gPiAgCQkuY2FsbGJhY2tf ZGF0YSA9IGxycCwNCj4gDQo+IE5BQ0suIExBWU9VVFJFVFVSTiBuZWVkcyB0byB1c2UgdGhlIHNh bWUgY3JlZGVudGlhbCBhcyBMQVlPVVRHRVQuDQo+IA0KDQpOZXZlciBtaW5kLiBJIGNvbXBsZXRl bHkgbWlzcmVhZCB0aGUgcGF0Y2guDQoNCkFncmVlZCB0aGF0IHRoaXMgaXMgdGhlIHJpZ2h0IHRo aW5nIHRvIGRvLg0KLS0gDQpUcm9uZCBNeWtsZWJ1c3QNCkxpbnV4IE5GUyBjbGllbnQgbWFpbnRh aW5lcg0KDQpOZXRBcHANClRyb25kLk15a2xlYnVzdEBuZXRhcHAuY29tDQp3d3cubmV0YXBwLmNv bQ0K ^ permalink raw reply [flat|nested] 18+ messages in thread
end of thread, other threads:[~2013-08-07 18:36 UTC | newest] Thread overview: 18+ messages (download: mbox.gz / follow: Atom feed) -- links below jump to the message on this page -- 2013-07-22 16:42 [PATCH 1/4] NFSv4.1 Use the mount point rpc_clnt for layoutreturn andros 2013-07-22 16:42 ` [PATCH 2/4] NFSv4.1 Use clientid management rpc_clnt for fs_locations andros 2013-08-07 16:54 ` Myklebust, Trond [not found] ` <479EB531-9CD2-42E2-AB98-A3CD9B13603D@netapp.com> 2013-08-07 18:04 ` Myklebust, Trond 2013-08-07 18:19 ` Myklebust, Trond 2013-08-07 18:24 ` Adamson, Andy 2013-08-07 18:28 ` Fwd: " Adamson, Andy 2013-08-07 18:32 ` Myklebust, Trond 2013-08-07 18:32 ` Adamson, Andy 2013-08-07 18:36 ` Myklebust, Trond 2013-07-22 16:42 ` [PATCH 3/4] NFSv4.1 Use clientid management rpc_clnt for secinfo andros 2013-07-22 16:58 ` Myklebust, Trond 2013-07-22 17:14 ` Adamson, Andy 2013-08-07 16:57 ` Myklebust, Trond 2013-07-22 16:42 ` [PATCH 4/4] NFSv4.1 Use clientid management rpc_clnt for secinfo_no_name andros 2013-08-07 16:58 ` Myklebust, Trond 2013-07-22 16:44 ` [PATCH 1/4] NFSv4.1 Use the mount point rpc_clnt for layoutreturn Myklebust, Trond 2013-07-22 16:46 ` Myklebust, Trond
This is an external index of several public inboxes, see mirroring instructions on how to clone and mirror all data and code used by this external index.