[PATCH 0/4] Add support for new upcall mechanism for nfsd

[PATCH 0/4] Add support for new upcall mechanism for nfsd

[Simo Sorce]

NOTE: Rebased on top of Bruce Field's for-3.5 tree.

This patchset implements a new upcall mechanism that uses the sunrpc
client to talk to gssproxy[1], a new userspace daemon to handle gssapi
operations on behalf of other processes on the system.

The main driver for this new mechanism is to overcome limitations with
the current daemon and upcall. The current code cannot handle tickets
larger than approximatively 2k and cannot handle sending back large user
credential sets to the kernel.

These patches have been tested against the development version of gssproxy
tagged as kernel_v0.1 in the master repo[2].

I have tested walking into mountpoints using tickets artificially pumped
up to 64k and the user is properly authorized, after the accept_se_context
call is performed through the new upcall mechanism and gssproxy.

The gssproxy has the potential of handling also init_sec_context calls,
but at the moment the only targeted system is nfsd.

Simo.


[1] https://fedorahosted.org/gss-proxy/
[2] http://git.fedorahosted.org/git/?p=gss-proxy.git;a=shortlog;h=refs/tags/kernel_v0.1

Simo Sorce (4):
  SUNRPC: conditionally return endtime from import_sec_context
  SUNRPC: Document a bit RPCGSS handling in the NFS Server
  SUNRPC: Add RPC based upcall mechanism for RPCGSS auth
  SUNRPC: Use gssproxy upcall for nfsd's RPCGSS authentication.

 Documentation/filesystems/nfs/00-INDEX         |    2 +
 Documentation/filesystems/nfs/knfsd-rpcgss.txt |   65 ++
 include/linux/sunrpc/auth_gss.h                |    3 +
 include/linux/sunrpc/gss_api.h                 |    2 +
 include/linux/sunrpc/svcauth_gss.h             |    2 +-
 net/sunrpc/auth_gss/Makefile                   |    4 +-
 net/sunrpc/auth_gss/auth_gss.c                 |   11 +-
 net/sunrpc/auth_gss/gss_krb5_mech.c            |    3 +
 net/sunrpc/auth_gss/gss_mech_switch.c          |    5 +-
 net/sunrpc/auth_gss/gss_rpc_upcall.c           |  341 +++++++++
 net/sunrpc/auth_gss/gss_rpc_upcall.h           |   43 ++
 net/sunrpc/auth_gss/gss_rpc_xdr.c              |  904 ++++++++++++++++++++++++
 net/sunrpc/auth_gss/gss_rpc_xdr.h              |  269 +++++++
 net/sunrpc/auth_gss/svcauth_gss.c              |  252 +++++++-
 14 files changed, 1886 insertions(+), 20 deletions(-)
 create mode 100644 Documentation/filesystems/nfs/knfsd-rpcgss.txt
 create mode 100644 net/sunrpc/auth_gss/gss_rpc_upcall.c
 create mode 100644 net/sunrpc/auth_gss/gss_rpc_upcall.h
 create mode 100644 net/sunrpc/auth_gss/gss_rpc_xdr.c
 create mode 100644 net/sunrpc/auth_gss/gss_rpc_xdr.h

-- 
1.7.7.6

[PATCH 1/4] SUNRPC: conditionally return endtime from import_sec_context

[Simo Sorce]

We expose this parameter for a future caller.
It will be used to extract the endtime from the gss-proxy upcall mechanism,
in order to set the rsc cache expiration time.

Signed-off-by: Simo Sorce <simo@redhat.com>
---
 include/linux/sunrpc/gss_api.h        |    2 ++
 net/sunrpc/auth_gss/auth_gss.c        |    2 +-
 net/sunrpc/auth_gss/gss_krb5_mech.c   |    3 +++
 net/sunrpc/auth_gss/gss_mech_switch.c |    5 +++--
 net/sunrpc/auth_gss/svcauth_gss.c     |    3 ++-
 5 files changed, 11 insertions(+), 4 deletions(-)

diff --git a/include/linux/sunrpc/gss_api.h b/include/linux/sunrpc/gss_api.h
index 332da61cf8b71fc73d802b2609210f46641a9ea1..7bd486d50f0861b45c98e695751c2f92f1b3bdfa 100644
--- a/include/linux/sunrpc/gss_api.h
+++ b/include/linux/sunrpc/gss_api.h
@@ -36,6 +36,7 @@ int gss_import_sec_context(
 		size_t			bufsize,
 		struct gss_api_mech	*mech,
 		struct gss_ctx		**ctx_id,
+		time_t			*endtime,
 		gfp_t			gfp_mask);
 u32 gss_get_mic(
 		struct gss_ctx		*ctx_id,
@@ -91,6 +92,7 @@ struct gss_api_ops {
 			const void		*input_token,
 			size_t			bufsize,
 			struct gss_ctx		*ctx_id,
+			time_t			*endtime,
 			gfp_t			gfp_mask);
 	u32 (*gss_get_mic)(
 			struct gss_ctx		*ctx_id,
diff --git a/net/sunrpc/auth_gss/auth_gss.c b/net/sunrpc/auth_gss/auth_gss.c
index d3ad81f8da5b79551c36b17a7d53007406946699..836cbecb1947235d38c62eadf79ae96ad73906e6 100644
--- a/net/sunrpc/auth_gss/auth_gss.c
+++ b/net/sunrpc/auth_gss/auth_gss.c
@@ -232,7 +232,7 @@ gss_fill_context(const void *p, const void *end, struct gss_cl_ctx *ctx, struct
 		p = ERR_PTR(-EFAULT);
 		goto err;
 	}
-	ret = gss_import_sec_context(p, seclen, gm, &ctx->gc_gss_ctx, GFP_NOFS);
+	ret = gss_import_sec_context(p, seclen, gm, &ctx->gc_gss_ctx, NULL, GFP_NOFS);
 	if (ret < 0) {
 		p = ERR_PTR(ret);
 		goto err;
diff --git a/net/sunrpc/auth_gss/gss_krb5_mech.c b/net/sunrpc/auth_gss/gss_krb5_mech.c
index 8eff8c32d1b9b403c2365326c16e44df7c0923e6..329c36b9aa269a414932df86d89650c7a39528fd 100644
--- a/net/sunrpc/auth_gss/gss_krb5_mech.c
+++ b/net/sunrpc/auth_gss/gss_krb5_mech.c
@@ -679,6 +679,7 @@ out_err:
 static int
 gss_import_sec_context_kerberos(const void *p, size_t len,
 				struct gss_ctx *ctx_id,
+				time_t *endtime,
 				gfp_t gfp_mask)
 {
 	const void *end = (const void *)((const char *)p + len);
@@ -696,6 +697,8 @@ gss_import_sec_context_kerberos(const void *p, size_t len,
 
 	if (ret == 0)
 		ctx_id->internal_ctx_id = ctx;
+		if (endtime)
+			*endtime = ctx->endtime;
 	else
 		kfree(ctx);
 
diff --git a/net/sunrpc/auth_gss/gss_mech_switch.c b/net/sunrpc/auth_gss/gss_mech_switch.c
index ca8cad8251c7ff1c13c9bff6757e098c4f1cd9b2..b22cc24fac482351876c8f4a6c10d8b203a95045 100644
--- a/net/sunrpc/auth_gss/gss_mech_switch.c
+++ b/net/sunrpc/auth_gss/gss_mech_switch.c
@@ -312,14 +312,15 @@ int
 gss_import_sec_context(const void *input_token, size_t bufsize,
 		       struct gss_api_mech	*mech,
 		       struct gss_ctx		**ctx_id,
+		       time_t			*endtime,
 		       gfp_t gfp_mask)
 {
 	if (!(*ctx_id = kzalloc(sizeof(**ctx_id), gfp_mask)))
 		return -ENOMEM;
 	(*ctx_id)->mech_type = gss_mech_get(mech);
 
-	return mech->gm_ops
-		->gss_import_sec_context(input_token, bufsize, *ctx_id, gfp_mask);
+	return mech->gm_ops->gss_import_sec_context(input_token, bufsize,
+						*ctx_id, endtime, gfp_mask);
 }
 
 /* gss_get_mic: compute a mic over message and return mic_token. */
diff --git a/net/sunrpc/auth_gss/svcauth_gss.c b/net/sunrpc/auth_gss/svcauth_gss.c
index f0a0cd4470b7a23ab46a08a68b4ef78c7400db4c..aa1b649749741c82e60f0f528ac645197fd7ab35 100644
--- a/net/sunrpc/auth_gss/svcauth_gss.c
+++ b/net/sunrpc/auth_gss/svcauth_gss.c
@@ -489,7 +489,8 @@ static int rsc_parse(struct cache_detail *cd,
 		len = qword_get(&mesg, buf, mlen);
 		if (len < 0)
 			goto out;
-		status = gss_import_sec_context(buf, len, gm, &rsci.mechctx, GFP_KERNEL);
+		status = gss_import_sec_context(buf, len, gm, &rsci.mechctx,
+						NULL, GFP_KERNEL);
 		if (status)
 			goto out;
 
-- 
1.7.7.6

[PATCH 2/4] SUNRPC: Document a bit RPCGSS handling in the NFS Server

[Simo Sorce]

Includes changes intorduced by GSS-Proxy.

Signed-off-by: Simo Sorce <simo@redhat.com>
---
 Documentation/filesystems/nfs/00-INDEX         |    2 +
 Documentation/filesystems/nfs/knfsd-rpcgss.txt |   65 ++++++++++++++++++++++++
 2 files changed, 67 insertions(+), 0 deletions(-)
 create mode 100644 Documentation/filesystems/nfs/knfsd-rpcgss.txt

diff --git a/Documentation/filesystems/nfs/00-INDEX b/Documentation/filesystems/nfs/00-INDEX
index 1716874a651e1c574e7ca9719dfb4e3521b0a5e9..66eb6c8c5334518ddbc10115c7b34b4dfb1b3c0e 100644
--- a/Documentation/filesystems/nfs/00-INDEX
+++ b/Documentation/filesystems/nfs/00-INDEX
@@ -20,3 +20,5 @@ rpc-cache.txt
 	- introduction to the caching mechanisms in the sunrpc layer.
 idmapper.txt
 	- information for configuring request-keys to be used by idmapper
+knfsd-rpcgss.txt
+	- Information on GSS authentication support in the NFS Server
diff --git a/Documentation/filesystems/nfs/knfsd-rpcgss.txt b/Documentation/filesystems/nfs/knfsd-rpcgss.txt
new file mode 100644
index 0000000000000000000000000000000000000000..914aa536273b986539d7859092e2c0f139ce5535
--- /dev/null
+++ b/Documentation/filesystems/nfs/knfsd-rpcgss.txt
@@ -0,0 +1,65 @@
+
+Kernel NFS Server RPCGSS Support
+================================
+
+This document gives references to the standards and protocols used to
+implement RPCGSS authentication in the NFS Server.
+
+RPCGSS is specified in a few IETF documents:
+ - RFC2203 v1: http://tools.ietf.org/rfc/rfc2203.txt
+ - RFC5403 v2: http://tools.ietf.org/rfc/rfc5403.txt
+and there is a 3rd version  being proposed:
+ - http://tools.ietf.org/id/draft-williams-rpcsecgssv3.txt
+   (At draft n. 02 at the time of writing)
+
+Background
+----------
+
+The RPCGSS Authentication method describes a way to perform GSSAPI
+Authentication for NFS.
+Although GSSAPI is itself completely mechanism agnostic, in many cases only
+the KRB5 mechanism is supported by NFS implementations.
+
+The Linux kernel, at the moment, supports only the KRB5 mechanism, and depends
+on GSSAPI extensions that are KRB5 specific.
+
+GSSAPI is a complex library, and implementing it completely in kernel is
+unwarranted. However GSSAPI operations are fundementally separable in 2 parts:
+- context establishment
+- integrity/privacy protection (read: signing and encrypting)
+
+The first part is the complex one, while the actual integrity and privacy
+protecion is simple enough.
+Because of the complexity of context establishment, the NFS Server defers the
+operation to the userspace througuh the use of upcalls.
+
+NFS Server Legacy Upcall mechanism
+----------------------------------
+
+The classic upcall mechanism uses a custom text based upcall mechanism to talk
+to a custom daemon called rpc.svcgssd that is provide by the nfs-utils package.
+
+This upcall mechanism has 2 limitations:
+A) Can handle tokens that are no bigger than 2KiB
+
+In some Kerberos deployment GSSAPI tokens can be quite big, up and beyond 64KiB
+in size due to various authorization extensions attacked to the Kerberos
+tickets, that needs to be sent through the GSS layer in order to perform
+context establishment.
+
+B) Does not properly handle creds where the user is member of more than a few
+housand groups (the current hard limit in the kernel is 65K groups) due to
+limitation on the size of the buffer that can be send back to the kernel (4KiB).
+
+NFS Server New RPC Upcall mechanism
+-----------------------------------
+
+A new upcall mechanism that uses RPC over a Unix socket is added. This
+mechanism uses a protocol called gss-proxy, and user space program that
+implements it called Gssproxy. The gss_proxy RPC protocol is currently document
+here: https://fedorahosted.org/gss-proxy/wiki/ProtocolDocumentation
+
+This upcall mechanism uses the kernel rpc client and connects to the gssproxy
+userspace program over a regular unix socket. The gssproxy protocol does not
+suffer from the size limitations of the legacy protocol.
+
-- 
1.7.7.6

[PATCH 3/4] SUNRPC: Add RPC based upcall mechanism for RPCGSS auth

[Simo Sorce]

This patch implements a sunrpc client to use the services of the gssproxy
userspace daemon.

In particular it allows to perform calls in user space using an RPC
call instead of custom hand-coded upcall/downcall messages.

Currently only accept_sec_context is implemented as that is all is needed for
the server case.

File server modules like NFS and CIFS can use full gssapi services this way,
once init_sec_context is also implemented.

For the NFS server case this code allow to lift the limit of max 2k krb5
tickets. This limit is prevents legitimate kerberos deployments from using krb5
authentication with the Linux NFS server as they have normally ticket that are
many kilobytes large.

It will also allow to lift the limitation on the size of the credential set
(uid,gid,gids) passed down from user space for users that have very many groups
associated. Currently the downcall mechanism used by rpc.svcgssd is limited
to around 2k secondary groups of the 65k allowed by kernel structures.

Signed-off-by: Simo Sorce <simo@redhat.com>
---
 net/sunrpc/auth_gss/Makefile         |    4 +-
 net/sunrpc/auth_gss/gss_rpc_upcall.c |  341 +++++++++++++
 net/sunrpc/auth_gss/gss_rpc_upcall.h |   43 ++
 net/sunrpc/auth_gss/gss_rpc_xdr.c    |  904 ++++++++++++++++++++++++++++++++++
 net/sunrpc/auth_gss/gss_rpc_xdr.h    |  269 ++++++++++
 5 files changed, 1560 insertions(+), 1 deletions(-)
 create mode 100644 net/sunrpc/auth_gss/gss_rpc_upcall.c
 create mode 100644 net/sunrpc/auth_gss/gss_rpc_upcall.h
 create mode 100644 net/sunrpc/auth_gss/gss_rpc_xdr.c
 create mode 100644 net/sunrpc/auth_gss/gss_rpc_xdr.h

diff --git a/net/sunrpc/auth_gss/Makefile b/net/sunrpc/auth_gss/Makefile
index 9e4cb59ef9f0207bc8edc4629dee18c545599de6..bf9f334529416f496ad32a3d0087964df93ff4ac 100644
--- a/net/sunrpc/auth_gss/Makefile
+++ b/net/sunrpc/auth_gss/Makefile
@@ -5,9 +5,11 @@
 obj-$(CONFIG_SUNRPC_GSS) += auth_rpcgss.o
 
 auth_rpcgss-y := auth_gss.o gss_generic_token.o \
-	gss_mech_switch.o svcauth_gss.o
+	gss_mech_switch.o svcauth_gss.o \
+	gss_rpc_upcall.o gss_rpc_xdr.o
 
 obj-$(CONFIG_RPCSEC_GSS_KRB5) += rpcsec_gss_krb5.o
 
 rpcsec_gss_krb5-y := gss_krb5_mech.o gss_krb5_seal.o gss_krb5_unseal.o \
 	gss_krb5_seqnum.o gss_krb5_wrap.o gss_krb5_crypto.o gss_krb5_keys.o
+
diff --git a/net/sunrpc/auth_gss/gss_rpc_upcall.c b/net/sunrpc/auth_gss/gss_rpc_upcall.c
new file mode 100644
index 0000000000000000000000000000000000000000..75e88519bd1be87aab4a1b195a7d86aedb7ed03a
--- /dev/null
+++ b/net/sunrpc/auth_gss/gss_rpc_upcall.c
@@ -0,0 +1,341 @@
+/*
+ *  linux/net/sunrpc/gss_rpc_upcall.c
+ *
+ *  Copyright (C) 2012 Simo Sorce <simo@redhat.com>
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+ */
+
+#include <linux/types.h>
+#include <linux/un.h>
+
+#include <linux/sunrpc/svcauth.h>
+#include "gss_rpc_upcall.h"
+
+#define GSSPROXY_SOCK_PATHNAME	"/var/run/gssproxy.sock"
+
+#define GSSPROXY_PROGRAM	(400112u)
+#define GSSPROXY_VERS_1		(1u)
+
+DEFINE_MUTEX(gssp_clnt_mutex);
+struct rpc_clnt *gssp_clnt;
+
+/*
+ * Encoding/Decoding functions
+ */
+
+enum {
+	GSSX_NULL = 0,	/* Unused */
+        GSSX_INDICATE_MECHS = 1,
+        GSSX_GET_CALL_CONTEXT = 2,
+        GSSX_IMPORT_AND_CANON_NAME = 3,
+        GSSX_EXPORT_CRED = 4,
+        GSSX_IMPORT_CRED = 5,
+        GSSX_ACQUIRE_CRED = 6,
+        GSSX_STORE_CRED = 7,
+        GSSX_INIT_SEC_CONTEXT = 8,
+        GSSX_ACCEPT_SEC_CONTEXT = 9,
+        GSSX_RELEASE_HANDLE = 10,
+        GSSX_GET_MIC = 11,
+        GSSX_VERIFY = 12,
+        GSSX_WRAP = 13,
+        GSSX_UNWRAP = 14,
+        GSSX_WRAP_SIZE_LIMIT = 15,
+};
+
+#define PROC(proc, name)				\
+[GSSX_##proc] = {					\
+	.p_proc   = GSSX_##proc,			\
+	.p_encode = (kxdreproc_t)gssx_enc_##name,	\
+	.p_decode = (kxdrdproc_t)gssx_dec_##name,	\
+	.p_arglen = GSSX_ARG_##name##_sz,		\
+	.p_replen = GSSX_RES_##name##_sz, 		\
+	.p_statidx = GSSX_##proc,			\
+	.p_name   = #proc,				\
+}
+
+struct rpc_procinfo gssp_procedures[] = {
+	PROC(INDICATE_MECHS, indicate_mechs),
+        PROC(GET_CALL_CONTEXT, get_call_context),
+        PROC(IMPORT_AND_CANON_NAME, import_and_canon_name),
+        PROC(EXPORT_CRED, export_cred),
+        PROC(IMPORT_CRED, import_cred),
+        PROC(ACQUIRE_CRED, acquire_cred),
+        PROC(STORE_CRED, store_cred),
+        PROC(INIT_SEC_CONTEXT, init_sec_context),
+        PROC(ACCEPT_SEC_CONTEXT, accept_sec_context),
+        PROC(RELEASE_HANDLE, release_handle),
+        PROC(GET_MIC, get_mic),
+        PROC(VERIFY, verify),
+        PROC(WRAP, wrap),
+        PROC(UNWRAP, unwrap),
+        PROC(WRAP_SIZE_LIMIT, wrap_size_limit),
+};
+
+
+
+/*
+ * Common transport functions
+ */
+
+static const struct rpc_program gssp_program;
+
+static int gssp_rpc_create(struct rpc_clnt **_clnt)
+{
+	static const struct sockaddr_un gssp_localaddr = {
+		.sun_family		= AF_LOCAL,
+		.sun_path		= GSSPROXY_SOCK_PATHNAME,
+	};
+	struct rpc_create_args args = {
+		.net		= &init_net,
+		.protocol	= XPRT_TRANSPORT_LOCAL,
+		.address	= (struct sockaddr *)&gssp_localaddr,
+		.addrsize	= sizeof(gssp_localaddr),
+		.servername	= "localhost",
+		.program	= &gssp_program,
+		.version	= GSSPROXY_VERS_1,
+		.authflavor	= RPC_AUTH_NULL,
+		.flags		= RPC_CLNT_CREATE_NOPING,
+	};
+	struct rpc_clnt *clnt;
+	int result = 0;
+
+	clnt = rpc_create(&args);
+	if (IS_ERR(clnt)) {
+		dprintk("RPC:       failed to create AF_LOCAL gssproxy "
+				"client (errno %ld).\n", PTR_ERR(clnt));
+		result = -PTR_ERR(clnt);
+		*_clnt = NULL;
+		goto out;
+	}
+
+	dprintk("RPC:       created new gssp local client (gssp_local_clnt: "
+			"%p)\n", clnt);
+	*_clnt = clnt;
+
+out:
+	return result;
+}
+
+static struct rpc_clnt *get_clnt(bool global_clnt)
+{
+	struct rpc_clnt *clnt;
+	int err;
+
+	mutex_lock(&gssp_clnt_mutex);
+
+	if (global_clnt && gssp_clnt)
+		return gssp_clnt;
+
+	err = gssp_rpc_create(&clnt);
+	if (err) {
+		mutex_unlock(&gssp_clnt_mutex);
+		return NULL;
+	}
+	if (global_clnt)
+		gssp_clnt = clnt;
+
+	mutex_unlock(&gssp_clnt_mutex);
+	return clnt;
+}
+
+static void kill_clnt(struct rpc_clnt *clnt)
+{
+	BUG_ON(clnt == NULL);
+
+	mutex_lock(&gssp_clnt_mutex);
+
+	rpc_shutdown_client(clnt);
+	if (clnt == gssp_clnt)
+		gssp_clnt = NULL;
+
+	mutex_unlock(&gssp_clnt_mutex);
+}
+
+static int gssp_call(struct rpc_message *msg)
+{
+	struct rpc_clnt *clnt;
+	int status;
+
+	/* for now always create new one */
+	clnt = get_clnt(false);
+
+	status = rpc_call_sync(clnt, msg, 0);
+	if (status < 0) {
+		dprintk("gssp: rpc_call returned error %d\n", -status);
+		switch (status) {
+		case -EPROTONOSUPPORT:
+			status = -EINVAL;
+			break;
+		case -ECONNREFUSED:
+		case -ETIMEDOUT:
+		case -ENOTCONN:
+			status = -EAGAIN;
+			break;
+		case -ERESTARTSYS:
+			if (signalled ())
+				status = -EINTR;
+			break;
+		default:
+			break;
+		}
+	}
+
+	/* always kill connection for now */
+	kill_clnt(clnt);
+
+	return status;
+}
+
+
+/*
+ * Public functions
+ */
+
+/* numbers somewhat arbitrary but large enough for current needs */
+#define GSSX_MAX_OUT_HANDLE	128
+#define GSSX_MAX_MECH_OID	16
+#define GSSX_MAX_SRC_PRINC	256
+#define GSSX_KMEMBUF (GSSX_max_output_handle_sz + \
+			GSSX_max_oid_sz + \
+			GSSX_max_princ_sz + \
+			sizeof(struct svc_cred))
+
+int gssp_accept_sec_context_upcall(struct gssp_upcall_data *data)
+{
+	struct gssx_arg_accept_sec_context arg;
+	struct gssx_res_accept_sec_context res;
+	struct gssx_ctx ctxh;
+	struct gssx_ctx rctxh;
+	struct gssx_cred delegcred;
+	struct rpc_message msg = {
+		.rpc_proc = &gssp_procedures[GSSX_ACCEPT_SEC_CONTEXT],
+		.rpc_argp = &arg,
+		.rpc_resp = &res,
+		.rpc_cred = NULL, /* FIXME ? */
+	};
+	int ret;
+
+	/* fill in arg */
+	memset(&arg, 0, sizeof(arg));
+	if (data->in_handle.len != 0) {
+		memset(&ctxh, 0, sizeof(ctxh));
+		arg.context_handle = &ctxh;
+		ctxh.state = data->in_handle;
+	}
+	arg.input_token = data->in_token;
+
+	/* use nfs/ for targ_name ? */
+
+	/* prepare res */
+	data->kmembuf = kmalloc(GSSX_KMEMBUF, GFP_KERNEL);
+	if (!data->kmembuf) {
+		return -ENOMEM;
+	}
+
+	memset(&res, 0, sizeof(res));
+	memset(&rctxh, 0, sizeof(rctxh));
+	rctxh.exported_context_token.len = GSSX_max_output_handle_sz;
+	rctxh.exported_context_token.data = data->kmembuf;
+	rctxh.mech.len = GSSX_max_oid_sz;
+	rctxh.mech.data = data->kmembuf + GSSX_max_output_handle_sz;
+	rctxh.src_name.display_name.len = GSSX_max_princ_sz;
+	rctxh.src_name.display_name.data = data->kmembuf +
+						GSSX_max_output_handle_sz +
+						GSSX_max_oid_sz;
+	res.context_handle = &rctxh;
+
+	data->creds = data->kmembuf +
+				GSSX_max_output_handle_sz +
+				GSSX_max_oid_sz +
+				GSSX_max_princ_sz;
+	memset(data->creds, 0, sizeof(struct svc_cred));
+
+	res.output_token = &data->out_token;
+	/* tell decoder to allocate the out_token if necessary */
+	res.output_token->len = GSSX_max_output_token_sz;
+
+	/* we are never interested in delegate credentials */
+	memset(&delegcred, 0, sizeof(delegcred));
+	res.delegated_cred_handle = &delegcred;
+
+	/* make upcall */
+	ret = gssp_call(&msg);
+
+	/* we need to fetch all data even in case of error so
+	 * that we can free special strctures is they have been allocated */
+	data->major_status = res.status.major_status;
+	data->minor_status = res.status.minor_status;
+	if (res.context_handle) {
+		data->out_handle = rctxh.exported_context_token;
+		data->mech_oid = rctxh.mech;
+		data->client_name = rctxh.src_name.display_name;
+	}
+
+	if (res.options.count == 1) {
+		gssx_buffer *value = &res.options.data[0].value;
+		/* Currently we only decode CREDS_VALUE, if we add
+		 * anything else we'll have to loop and match on the
+		 * option name */
+		if (value->len)
+			/* copy struct svc_cred and steal groups */
+			*data->creds = *(struct svc_cred *)value->data;
+		else
+			/* not even nobody apparently */
+			data->creds = NULL;
+	} else
+		data->creds = NULL;
+
+	if (res.options.count != 0) {
+		kfree(res.options.data);
+	}
+
+	return ret;
+}
+
+void gssp_free_upcall_data(struct gssp_upcall_data *data)
+{
+	kfree(data->in_handle.data);
+	kfree(data->out_token.data);
+	if (data->creds && data->creds->cr_group_info != NULL)
+		groups_free(data->creds->cr_group_info);
+	kfree(data->kmembuf);
+}
+
+
+/*
+ * Initialization stuff
+ */
+
+static const struct rpc_version gssp_version1 = {
+	.number		= GSSPROXY_VERS_1,
+	.nrprocs	= ARRAY_SIZE(gssp_procedures),
+	.procs		= gssp_procedures,
+};
+
+static const struct rpc_version *gssp_version[] = {
+	NULL,
+	&gssp_version1,
+};
+
+static struct rpc_stat gssp_stats;
+
+static const struct rpc_program gssp_program = {
+	.name		= "gssproxy",
+	.number		= GSSPROXY_PROGRAM,
+	.nrvers		= ARRAY_SIZE(gssp_version),
+	.version	= gssp_version,
+	.stats		= &gssp_stats,
+};
diff --git a/net/sunrpc/auth_gss/gss_rpc_upcall.h b/net/sunrpc/auth_gss/gss_rpc_upcall.h
new file mode 100644
index 0000000000000000000000000000000000000000..b09217740493e83979f8dc690b812d396db6e54c
--- /dev/null
+++ b/net/sunrpc/auth_gss/gss_rpc_upcall.h
@@ -0,0 +1,43 @@
+/*
+ *  linux/net/sunrpc/gss_rpc_upcall.h
+ *
+ *  Copyright (C) 2012 Simo Sorce <simo@redhat.com>
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+ */
+
+#ifndef _GSS_RPC_UPCALL_H
+#define _GSS_RPC_UPCALL_H
+
+#include <linux/sunrpc/auth_gss.h>
+#include "gss_rpc_xdr.h"
+
+struct gssp_upcall_data {
+	void *kmembuf;
+	struct xdr_netobj in_handle;
+	struct gssp_in_token in_token;
+	struct xdr_netobj out_handle;
+	struct xdr_netobj out_token;
+	struct xdr_netobj mech_oid;
+	struct xdr_netobj client_name;
+	struct svc_cred *creds;
+	int major_status;
+	int minor_status;
+};
+
+int gssp_accept_sec_context_upcall(struct gssp_upcall_data *data);
+void gssp_free_upcall_data(struct gssp_upcall_data *data);
+
+#endif /* _GSS_RPC_UPCALL_H */
diff --git a/net/sunrpc/auth_gss/gss_rpc_xdr.c b/net/sunrpc/auth_gss/gss_rpc_xdr.c
new file mode 100644
index 0000000000000000000000000000000000000000..25600d5a2113cfb0dce64ab89a1b166ee1a089ef
--- /dev/null
+++ b/net/sunrpc/auth_gss/gss_rpc_xdr.c
@@ -0,0 +1,904 @@
+/*
+ * GSS Proxy upcall module
+ *
+ *  Copyright (C) 2012 Simo Sorce <simo@redhat.com>
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+ */
+
+#include <linux/sunrpc/svcauth.h>
+#include "gss_rpc_xdr.h"
+
+static bool gssx_check_pointer(struct xdr_stream *xdr)
+{
+	__be32 *p;
+
+	p = xdr_reserve_space(xdr, 4);
+	if (unlikely(p == NULL))
+		return -ENOSPC;
+	return *p?true:false;
+}
+
+static int gssx_enc_bool(struct xdr_stream *xdr, int v)
+{
+	__be32 *p;
+
+	p = xdr_reserve_space(xdr, 4);
+	if (unlikely(p == NULL))
+		return -ENOSPC;
+	*p = v ? xdr_one : xdr_zero;
+	return 0;
+}
+
+static int gssx_dec_bool(struct xdr_stream *xdr, u32 *v)
+{
+	__be32 *p;
+
+	p = xdr_inline_decode(xdr, 4);
+	if (unlikely(p == NULL))
+		return -ENOSPC;
+	*v = be32_to_cpu(*p);
+	return 0;
+}
+
+static int gssx_enc_buffer(struct xdr_stream *xdr,
+			   gssx_buffer *buf)
+{
+	__be32 *p;
+
+	p = xdr_reserve_space(xdr, sizeof(u32) + buf->len);
+	if (!p)
+		return -ENOSPC;
+	xdr_encode_opaque(p, buf->data, buf->len);
+	return 0;
+}
+
+static int gssx_enc_in_token(struct xdr_stream *xdr,
+			     struct gssp_in_token *in)
+{
+	__be32 *p;
+
+	p = xdr_reserve_space(xdr, 4);
+	if (!p)
+		return -ENOSPC;
+	*p = cpu_to_be32(in->page_len);
+
+	/* all we need to do is to write pages */
+	xdr_write_pages(xdr, in->pages, in->page_base, in->page_len);
+
+	return 0;
+}
+
+
+static int gssx_dec_buffer(struct xdr_stream *xdr,
+			   gssx_buffer *buf)
+{
+	u32 length;
+	__be32 *p;
+
+	p = xdr_inline_decode(xdr, 4);
+	if (unlikely(p == NULL))
+		return -ENOSPC;
+
+	length = be32_to_cpup(p);
+	p = xdr_inline_decode(xdr, length);
+	if (unlikely(p == NULL))
+		return -ENOSPC;
+
+	if (buf->len == 0) {
+		/* we intentionally are not interested in this buffer */
+		return 0;
+	}
+	if (length > buf->len)
+		return -ENOSPC;
+
+	if (!buf->data) {
+		buf->data = kmemdup(p, length, GFP_KERNEL);
+		if (!buf->data)
+			return -ENOMEM;
+	} else {
+		memcpy(buf->data, p, length);
+	}
+	buf->len = length;
+	return 0;
+}
+
+static int gssx_enc_option(struct xdr_stream *xdr,
+			   struct gssx_option *opt)
+{
+	int err;
+
+	err = gssx_enc_buffer(xdr, &opt->option);
+	if (err)
+		return err;
+	err = gssx_enc_buffer(xdr, &opt->value);
+	return err;
+}
+
+static int gssx_dec_option(struct xdr_stream *xdr,
+			   struct gssx_option *opt)
+{
+	int err;
+
+	err = gssx_dec_buffer(xdr, &opt->option);
+	if (err)
+		return err;
+	err = gssx_dec_buffer(xdr, &opt->value);
+	return err;
+}
+
+static int dummy_enc_opt_array(struct xdr_stream *xdr,
+				struct gssx_option_array *oa)
+{
+	__be32 *p;
+
+	if (oa->count != 0)
+		return -EINVAL;
+
+	p = xdr_reserve_space(xdr, 4);
+	if (!p)
+		return -ENOSPC;
+	*p = 0;
+
+	return 0;
+}
+
+static int dummy_dec_opt_array(struct xdr_stream *xdr,
+				struct gssx_option_array *oa)
+{
+	struct gssx_option dummy;
+	u32 count, i;
+	__be32 *p;
+
+	p = xdr_inline_decode(xdr, 4);
+	if (unlikely(p == NULL))
+		return -ENOSPC;
+	count = be32_to_cpup(p++);
+	memset(&dummy, 0, sizeof(dummy));
+	for (i = 0; i < count; i++) {
+		gssx_dec_option(xdr, &dummy);
+	}
+
+	oa->count = 0;
+	oa->data = NULL;
+	return 0;
+}
+
+static int get_s32(void **p, void *max, s32 *res)
+{
+	void *base = *p;
+	void *next = (void *)((char *)base + sizeof(s32));
+	if (unlikely(next > max || next < base))
+		return -EINVAL;
+	memcpy(res, base, sizeof(s32));
+	*p = next;
+	return 0;
+}
+
+static int gssx_dec_linux_creds(struct xdr_stream *xdr,
+				struct svc_cred *creds)
+{
+	u32 length;
+	__be32 *p;
+	void *q, *end;
+	s32 tmp;
+	int N, i, err;
+
+	p = xdr_inline_decode(xdr, 4);
+	if (unlikely(p == NULL))
+		return -ENOSPC;
+
+	length = be32_to_cpup(p);
+
+	/* FIXME: we do not want to use the scratch buffer for this one
+	 * may need to use functions that allows us to access an io vector
+	 * directly */
+	p = xdr_inline_decode(xdr, length);
+	if (unlikely(p == NULL))
+		return -ENOSPC;
+
+	q = p;
+	end = q + length;
+
+	/* uid */
+	err = get_s32(&q, end, &tmp);
+	if (err)
+		return err;
+	creds->cr_uid = tmp;
+
+	/* gid */
+	err = get_s32(&q, end, &tmp);
+	if (err)
+		return err;
+	creds->cr_gid = tmp;
+
+	/* number of additional gid's */
+	err = get_s32(&q, end, &tmp);
+	if (err)
+		return err;
+	N = tmp;
+	creds->cr_group_info = groups_alloc(N);
+	if (creds->cr_group_info == NULL)
+		return -ENOMEM;
+
+	/* gid's */
+	for (i = 0; i < N; i++) {
+		err = get_s32(&q, end, &tmp);
+		if (err) {
+			groups_free(creds->cr_group_info);
+			return err;
+		}
+		GROUP_AT(creds->cr_group_info, i) = tmp;
+	}
+
+	return 0;
+}
+
+static int gssx_dec_option_array(struct xdr_stream *xdr,
+				 struct gssx_option_array *oa)
+{
+	struct svc_cred *creds;
+	u32 count, i;
+	__be32 *p;
+	int err;
+
+	p = xdr_inline_decode(xdr, 4);
+	if (unlikely(p == NULL))
+		return -ENOSPC;
+	count = be32_to_cpup(p++);
+	if (count != 0) {
+		/* we recognize only 1 currently: CREDS_VALUE */
+		oa->count = 1;
+
+		oa->data = kmalloc(sizeof(struct gssx_option) +
+					sizeof(struct svc_cred), GFP_KERNEL);
+		if (!oa->data)
+			return -ENOMEM;
+
+		creds = (void *)oa->data + sizeof(struct gssx_option);
+
+		oa->data[0].option.data = CREDS_VALUE;
+		oa->data[0].option.len = sizeof(CREDS_VALUE);
+		oa->data[0].value.data = (void *)creds;
+		oa->data[0].value.len = 0;
+	}
+	for (i = 0; i < count; i++) {
+		gssx_buffer dummy = { 0, NULL };
+		u32 length;
+
+		/* option buffer */
+		p = xdr_inline_decode(xdr, 4);
+		if (unlikely(p == NULL))
+			return -ENOSPC;
+
+		length = be32_to_cpup(p);
+		p = xdr_inline_decode(xdr, length);
+		if (unlikely(p == NULL))
+			return -ENOSPC;
+
+		if (length == sizeof(CREDS_VALUE) &&
+		    memcmp(p, CREDS_VALUE, sizeof(CREDS_VALUE)) == 0) {
+			/* We have creds here. parse them */
+			err = gssx_dec_linux_creds(xdr, creds);
+			if (err)
+				return err;
+			oa->data[0].value.len = 1; /* presence */
+		} else {
+			/* consume uninteresting buffer */
+			err = gssx_dec_buffer(xdr, &dummy);
+			if (err)
+				return err;
+		}
+	}
+	return 0;
+}
+
+static int gssx_dec_status(struct xdr_stream *xdr,
+			   struct gssx_status *status)
+{
+	__be32 *p;
+	int err;
+
+	/* status->major_status */
+	p = xdr_inline_decode(xdr, 8);
+	if (unlikely(p == NULL))
+		return -ENOSPC;
+	p = xdr_decode_hyper(p, &status->major_status);
+
+	/* status->mech */
+	err = gssx_dec_buffer(xdr, &status->mech);
+	if (err)
+		return err;
+
+	/* status->minor_status */
+	p = xdr_inline_decode(xdr, 8);
+	if (unlikely(p == NULL))
+		return -ENOSPC;
+	p = xdr_decode_hyper(p, &status->minor_status);
+
+	/* status->major_status_string */
+	err = gssx_dec_buffer(xdr, &status->major_status_string);
+	if (err)
+		return err;
+
+	/* status->minor_status_string */
+	err = gssx_dec_buffer(xdr, &status->minor_status_string);
+	if (err)
+		return err;
+
+	/* status->server_ctx */
+	err = gssx_dec_buffer(xdr, &status->server_ctx);
+	if (err)
+		return err;
+
+	/* we assume we have no options for now, so simply consume them */
+	/* status->options */
+	err = dummy_dec_opt_array(xdr, &status->options);
+
+	return err;
+}
+
+static int gssx_enc_call_ctx(struct xdr_stream *xdr,
+			     struct gssx_call_ctx *ctx)
+{
+	struct gssx_option opt;
+	__be32 *p;
+	int err;
+
+	/* ctx->locale */
+	err = gssx_enc_buffer(xdr, &ctx->locale);
+	if (err)
+		return err;
+
+	/* ctx->server_ctx */
+	err = gssx_enc_buffer(xdr, &ctx->server_ctx);
+	if (err)
+		return err;
+
+	/* we always want to ask for lucid contexts */
+	/* ctx->options */
+	p = xdr_reserve_space(xdr, 4);
+	*p = cpu_to_be32(2);
+
+	/* we want a lucid_v1 context */
+	opt.option.data = LUCID_OPTION;
+	opt.option.len = sizeof(LUCID_OPTION);
+	opt.value.data = LUCID_VALUE;
+	opt.value.len = sizeof(LUCID_VALUE);
+	err = gssx_enc_option(xdr, &opt);
+
+	/* ..and user creds */
+	opt.option.data = CREDS_OPTION;
+	opt.option.len = sizeof(CREDS_OPTION);
+	opt.value.data = CREDS_VALUE;
+	opt.value.len = sizeof(CREDS_VALUE);
+	err = gssx_enc_option(xdr, &opt);
+
+	return err;
+}
+
+static int gssx_dec_name_attr(struct xdr_stream *xdr,
+			     struct gssx_name_attr *attr)
+{
+	int err;
+
+	/* attr->attr */
+	err = gssx_dec_buffer(xdr, &attr->attr);
+	if (err)
+		return err;
+
+	/* attr->value */
+	err = gssx_dec_buffer(xdr, &attr->value);
+	if (err)
+		return err;
+
+	/* attr->extensions */
+	err = dummy_dec_opt_array(xdr, &attr->extensions);
+
+	return err;
+}
+
+static int dummy_enc_nameattr_array(struct xdr_stream *xdr,
+				    struct gssx_name_attr_array *naa)
+{
+	__be32 *p;
+
+	if (naa->count != 0)
+		return -EINVAL;
+
+	p = xdr_reserve_space(xdr, 4);
+	if (!p)
+		return -ENOSPC;
+	*p = 0;
+
+	return 0;
+}
+
+static int dummy_dec_nameattr_array(struct xdr_stream *xdr,
+				    struct gssx_name_attr_array *naa)
+{
+	struct gssx_name_attr dummy;
+	u32 count, i;
+	__be32 *p;
+
+	p = xdr_inline_decode(xdr, 4);
+	if (unlikely(p == NULL))
+		return -ENOSPC;
+	count = be32_to_cpup(p++);
+	for (i = 0; i < count; i++) {
+		gssx_dec_name_attr(xdr, &dummy);
+	}
+
+	naa->count = 0;
+	naa->data = NULL;
+	return 0;
+}
+
+static int gssx_enc_name(struct xdr_stream *xdr,
+			 struct gssx_name *name)
+{
+	int err;
+
+	/* name->display_name */
+	err = gssx_enc_buffer(xdr, &name->display_name);
+	if (err)
+		return err;
+
+	/* name->name_type */
+	err = gssx_enc_buffer(xdr, &name->name_type);
+	if (err)
+		return err;
+
+	/* name->exported_name */
+	err = gssx_enc_buffer(xdr, &name->exported_name);
+	if (err)
+		return err;
+
+	/* name->exported_composite_name */
+	err = gssx_enc_buffer(xdr, &name->exported_composite_name);
+	if (err)
+		return err;
+
+	/* leave name_attributes empty for now, will add once we have any
+	 * to pass up at all */
+	/* name->name_attributes */
+	err = dummy_enc_nameattr_array(xdr, &name->name_attributes);
+	if (err)
+		return err;
+
+	/* leave options empty for now, will add once we have any options
+	 * to pass up at all */
+	/* name->extensions */
+	err = dummy_enc_opt_array(xdr, &name->extensions);
+
+	return err;
+}
+
+static int gssx_dec_name(struct xdr_stream *xdr,
+			 struct gssx_name *name)
+{
+	int err;
+
+	/* name->display_name */
+	err = gssx_dec_buffer(xdr, &name->display_name);
+	if (err)
+		return err;
+
+	/* name->name_type */
+	err = gssx_dec_buffer(xdr, &name->name_type);
+	if (err)
+		return err;
+
+	/* name->exported_name */
+	err = gssx_dec_buffer(xdr, &name->exported_name);
+	if (err)
+		return err;
+
+	/* name->exported_composite_name */
+	err = gssx_dec_buffer(xdr, &name->exported_composite_name);
+	if (err)
+		return err;
+
+	/* we assume we have no attributes for now, so simply consume them */
+	/* name->name_attributes */
+	err = dummy_dec_nameattr_array(xdr, &name->name_attributes);
+	if (err)
+		return err;
+
+	/* we assume we have no options for now, so simply consume them */
+	/* name->extensions */
+	err = dummy_dec_opt_array(xdr, &name->extensions);
+
+	return err;
+}
+
+static int gssx_dec_cred_element(struct xdr_stream *xdr,
+				 struct gssx_cred_element *el)
+{
+	__be32 *p;
+	int err;
+
+	/* el->MN */
+	err = gssx_dec_name(xdr, &el->MN);
+	if (err)
+		return err;
+
+	/* el->mech */
+	err = gssx_dec_buffer(xdr, &el->mech);
+	if (err)
+		return err;
+
+	/* el->cred_usage */
+	p = xdr_inline_decode(xdr, 4+8+8);
+	if (!p)
+		return -ENOSPC;
+	el->cred_usage = be32_to_cpup(p++);
+
+	/* el->initiator_time_rec */
+	p = xdr_decode_hyper(p, &el->initiator_time_rec);
+
+	/* el->acceptor_time_rec */
+	p = xdr_decode_hyper(p, &el->initiator_time_rec);
+
+	/* we assume we have no options for now, so simply consume them */
+	/* el->options */
+	err = dummy_dec_opt_array(xdr, &el->options);
+
+	return err;
+}
+
+static int dummy_enc_credel_array(struct xdr_stream *xdr,
+				  struct gssx_cred_element_array *cea)
+{
+	__be32 *p;
+
+	if (cea->count != 0)
+		return -EINVAL;
+
+	p = xdr_reserve_space(xdr, 4);
+	if (!p)
+		return -ENOSPC;
+	*p = 0;
+
+	return 0;
+}
+
+static int dummy_dec_credel_array(struct xdr_stream *xdr,
+				  struct gssx_cred_element_array *cea)
+{
+	struct gssx_cred_element dummy;
+	u32 count, i;
+	__be32 *p;
+
+	p = xdr_inline_decode(xdr, 4);
+	if (unlikely(p == NULL))
+		return -ENOSPC;
+	count = be32_to_cpup(p++);
+	for (i = 0; i < count; i++) {
+		gssx_dec_cred_element(xdr, &dummy);
+	}
+
+	cea->count = 0;
+	cea->data = NULL;
+	return 0;
+}
+
+static int gssx_enc_cred(struct xdr_stream *xdr,
+			 struct gssx_cred *cred)
+{
+	int err;
+
+	/* cred->desired_name */
+	err = gssx_enc_name(xdr, &cred->desired_name);
+	if (err)
+		return err;
+
+	/* cred->elements */
+	err = dummy_enc_credel_array(xdr, &cred->elements);
+
+	/* cred->cred_handle_reference */
+	err = gssx_enc_buffer(xdr, &cred->cred_handle_reference);
+	if (err)
+		return err;
+
+	/* cred->needs_release */
+	err = gssx_enc_bool(xdr, cred->needs_release);
+
+	return err;
+}
+
+static int gssx_dec_cred(struct xdr_stream *xdr,
+			 struct gssx_cred *cred)
+{
+	int err;
+
+	/* cred->desired_name */
+	err = gssx_dec_name(xdr, &cred->desired_name);
+	if (err)
+		return err;
+
+	/* cred->elements */
+	err = dummy_dec_credel_array(xdr, &cred->elements);
+
+	/* cred->cred_handle_reference */
+	err = gssx_dec_buffer(xdr, &cred->cred_handle_reference);
+	if (err)
+		return err;
+
+	/* cred->needs_release */
+	err = gssx_dec_bool(xdr, &cred->needs_release);
+
+	return err;
+}
+
+static int gssx_enc_ctx(struct xdr_stream *xdr,
+			struct gssx_ctx *ctx)
+{
+	__be32 *p;
+	int err;
+
+	/* ctx->exported_context_token */
+	err = gssx_enc_buffer(xdr, &ctx->exported_context_token);
+	if (err)
+		return err;
+
+	/* ctx->state */
+	err = gssx_enc_buffer(xdr, &ctx->state);
+	if (err)
+		return err;
+
+	/* ctx->need_release */
+	err = gssx_enc_bool(xdr, ctx->need_release);
+	if (err)
+		return err;
+
+	/* ctx->mech */
+	err = gssx_enc_buffer(xdr, &ctx->mech);
+	if (err)
+		return err;
+
+	/* ctx->src_name */
+	err = gssx_enc_name(xdr, &ctx->src_name);
+	if (err)
+		return err;
+
+	/* ctx->targ_name */
+	err = gssx_enc_name(xdr, &ctx->targ_name);
+	if (err)
+		return err;
+
+	/* ctx->lifetime */
+	p = xdr_reserve_space(xdr, 8+8);
+	if (!p)
+		return -ENOSPC;
+	p = xdr_encode_hyper(p, ctx->lifetime);
+
+	/* ctx->ctx_flags */
+	p = xdr_encode_hyper(p, ctx->ctx_flags);
+
+	/* ctx->locally_initiated */
+	err = gssx_enc_bool(xdr, ctx->locally_initiated);
+	if (err)
+		return err;
+
+	/* ctx->open */
+	err = gssx_enc_bool(xdr, ctx->open);
+	if (err)
+		return err;
+
+	/* leave options empty for now, will add once we have any options
+	 * to pass up at all */
+	/* ctx->options */
+	err = dummy_enc_opt_array(xdr, &ctx->options);
+
+	return err;
+}
+
+static int gssx_dec_ctx(struct xdr_stream *xdr,
+			struct gssx_ctx *ctx)
+{
+	__be32 *p;
+	int err;
+
+	/* ctx->exported_context_token */
+	err = gssx_dec_buffer(xdr, &ctx->exported_context_token);
+	if (err)
+		return err;
+
+	/* ctx->state */
+	err = gssx_dec_buffer(xdr, &ctx->state);
+	if (err)
+		return err;
+
+	/* ctx->need_release */
+	err = gssx_dec_bool(xdr, &ctx->need_release);
+	if (err)
+		return err;
+
+	/* ctx->mech */
+	err = gssx_dec_buffer(xdr, &ctx->mech);
+	if (err)
+		return err;
+
+	/* ctx->src_name */
+	err = gssx_dec_name(xdr, &ctx->src_name);
+	if (err)
+		return err;
+
+	/* ctx->targ_name */
+	err = gssx_dec_name(xdr, &ctx->targ_name);
+	if (err)
+		return err;
+
+	/* ctx->lifetime */
+	p = xdr_inline_decode(xdr, 8+8);
+	if (unlikely(p == NULL))
+		return -ENOSPC;
+	p = xdr_decode_hyper(p, &ctx->lifetime);
+
+	/* ctx->ctx_flags */
+	p = xdr_decode_hyper(p, &ctx->ctx_flags);
+
+	/* ctx->locally_initiated */
+	err = gssx_dec_bool(xdr, &ctx->locally_initiated);
+	if (err)
+		return err;
+
+	/* ctx->open */
+	err = gssx_dec_bool(xdr, &ctx->open);
+	if (err)
+		return err;
+
+	/* we assume we have no options for now, so simply consume them */
+	/* ctx->options */
+	err = dummy_dec_opt_array(xdr, &ctx->options);
+
+	return err;
+}
+
+static int gssx_enc_cb(struct xdr_stream *xdr, struct gssx_cb *cb)
+{
+	__be32 *p;
+	int err;
+
+	/* cb->initiator_addrtype */
+	p = xdr_reserve_space(xdr, 8);
+	if (!p)
+		return -ENOSPC;
+	p = xdr_encode_hyper(p, cb->initiator_addrtype);
+
+	/* cb->initiator_address */
+	err = gssx_enc_buffer(xdr, &cb->initiator_address);
+	if (err)
+		return err;
+
+	/* cb->acceptor_addrtype */
+	p = xdr_reserve_space(xdr, 8);
+	if (!p)
+		return -ENOSPC;
+	p = xdr_encode_hyper(p, cb->acceptor_addrtype);
+
+	/* cb->acceptor_address */
+	err = gssx_enc_buffer(xdr, &cb->acceptor_address);
+	if (err)
+		return err;
+
+	/* cb->application_data */
+	err = gssx_enc_buffer(xdr, &cb->application_data);
+
+	return err;
+}
+
+void gssx_enc_accept_sec_context(struct rpc_rqst *req,
+				 struct xdr_stream *xdr,
+				 struct gssx_arg_accept_sec_context *arg)
+{
+	int err;
+
+	err = gssx_enc_call_ctx(xdr, &arg->call_ctx);
+	if (err)
+		goto done;
+
+	/* arg->context_handle */
+	if (arg->context_handle) {
+		err = gssx_enc_ctx(xdr, arg->context_handle);
+		if (err)
+			goto done;
+	} else {
+		err = gssx_enc_bool(xdr, 0);
+	}
+
+	/* arg->cred_handle */
+	if (arg->cred_handle) {
+		err = gssx_enc_cred(xdr, arg->cred_handle);
+		if (err)
+			goto done;
+	} else {
+		err = gssx_enc_bool(xdr, 0);
+	}
+
+	/* arg->input_token */
+	err = gssx_enc_in_token(xdr, &arg->input_token);
+	if (err)
+		goto done;
+
+	/* arg->input_cb */
+	if (arg->input_cb) {
+		err = gssx_enc_cb(xdr, arg->input_cb);
+		if (err)
+			goto done;
+	} else {
+		err = gssx_enc_bool(xdr, 0);
+	}
+
+	err = gssx_enc_bool(xdr, arg->ret_deleg_cred);
+	if (err)
+		goto done;
+
+	/* leave options empty for now, will add once we have any options
+	 * to pass up at all */
+	/* arg->options */
+	err = dummy_enc_opt_array(xdr, &arg->options);
+
+done:
+	if (err)
+		dprintk("RPC:       gssx_enc_accept_sec_context: %d\n", err);
+}
+
+int gssx_dec_accept_sec_context(struct rpc_rqst *rqstp,
+				struct xdr_stream *xdr,
+				struct gssx_res_accept_sec_context *res)
+{
+	int err;
+
+	/* res->status */
+	err = gssx_dec_status(xdr, &res->status);
+	if (err)
+		return err;
+
+	/* res->context_handle */
+	if (gssx_check_pointer(xdr)) {
+		err = gssx_dec_ctx(xdr, res->context_handle);
+		if (err)
+			return err;
+	} else {
+		res->context_handle = NULL;
+	}
+
+	/* res->output_token */
+	if (gssx_check_pointer(xdr)) {
+		err = gssx_dec_buffer(xdr, res->output_token);
+		if (err)
+			return err;
+	} else {
+		res->output_token = NULL;
+	}
+
+	/* res->delegated_cred_handle */
+	if (gssx_check_pointer(xdr)) {
+		err = gssx_dec_cred(xdr, res->delegated_cred_handle);
+		if (err)
+			return err;
+	} else {
+		res->delegated_cred_handle = NULL;
+	}
+
+	/* we assume we have no options for now, so simply consume them */
+	/* res->options */
+	err = gssx_dec_option_array(xdr, &res->options);
+
+	return err;
+}
+
diff --git a/net/sunrpc/auth_gss/gss_rpc_xdr.h b/net/sunrpc/auth_gss/gss_rpc_xdr.h
new file mode 100644
index 0000000000000000000000000000000000000000..9256a5836474fef952ab12d3b27e03bb4d0f20ea
--- /dev/null
+++ b/net/sunrpc/auth_gss/gss_rpc_xdr.h
@@ -0,0 +1,269 @@
+/*
+ * GSS Proxy upcall module
+ *
+ *  Copyright (C) 2012 Simo Sorce <simo@redhat.com>
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+ */
+
+#ifndef _LINUX_GSS_RPC_XDR_H
+#define _LINUX_GSS_RPC_XDR_H
+
+#include <linux/sunrpc/xdr.h>
+#include <linux/sunrpc/clnt.h>
+#include <linux/sunrpc/xprtsock.h>
+
+#ifdef RPC_DEBUG
+# define RPCDBG_FACILITY	RPCDBG_AUTH
+#endif
+
+#define LUCID_OPTION "exported_context_type"
+#define LUCID_VALUE  "linux_lucid_v1"
+#define CREDS_OPTION "exported_creds_type"
+#define CREDS_VALUE  "linux_creds_v1"
+
+typedef struct xdr_netobj gssx_buffer;
+typedef struct xdr_netobj utf8string;
+typedef struct xdr_netobj gssx_OID;
+
+enum gssx_cred_usage {
+	GSSX_C_INITIATE = 1,
+	GSSX_C_ACCEPT = 2,
+	GSSX_C_BOTH = 3,
+};
+
+struct gssx_option {
+	gssx_buffer option;
+	gssx_buffer value;
+};
+
+struct gssx_option_array {
+	u32 count;
+	struct gssx_option *data;
+};
+
+struct gssx_status {
+	u64 major_status;
+	gssx_OID mech;
+	u64 minor_status;
+	utf8string major_status_string;
+	utf8string minor_status_string;
+	gssx_buffer server_ctx;
+	struct gssx_option_array options;
+};
+
+struct gssx_call_ctx {
+	utf8string locale;
+	gssx_buffer server_ctx;
+	struct gssx_option_array options;
+};
+
+struct gssx_name_attr {
+	gssx_buffer attr;
+	gssx_buffer value;
+	struct gssx_option_array extensions;
+};
+
+struct gssx_name_attr_array {
+	u32 count;
+	struct gssx_name_attr *data;
+};
+
+struct gssx_name {
+	gssx_buffer display_name;
+	gssx_OID name_type;
+	gssx_buffer exported_name;
+	gssx_buffer exported_composite_name;
+	struct gssx_name_attr_array name_attributes;
+	struct gssx_option_array extensions;
+};
+typedef struct gssx_name gssx_name;
+
+struct gssx_cred_element {
+	gssx_name MN;
+	gssx_OID mech;
+	u32 cred_usage;
+	u64 initiator_time_rec;
+	u64 acceptor_time_rec;
+	struct gssx_option_array options;
+};
+
+struct gssx_cred_element_array {
+	u32 count;
+	struct gssx_cred_element *data;
+};
+
+struct gssx_cred {
+	gssx_name desired_name;
+	struct gssx_cred_element_array elements;
+	gssx_buffer cred_handle_reference;
+	u32 needs_release;
+};
+
+struct gssx_ctx {
+	gssx_buffer exported_context_token;
+	gssx_buffer state;
+	u32 need_release;
+	gssx_OID mech;
+	gssx_name src_name;
+	gssx_name targ_name;
+	u64 lifetime;
+	u64 ctx_flags;
+	u32 locally_initiated;
+	u32 open;
+	struct gssx_option_array options;
+};
+
+struct gssx_cb {
+	u64 initiator_addrtype;
+	gssx_buffer initiator_address;
+	u64 acceptor_addrtype;
+	gssx_buffer acceptor_address;
+	gssx_buffer application_data;
+};
+
+
+/* This structure is not defined in the protocol.
+ * It is used in the kernel to carry around a big buffer
+ * as a set of pages */
+struct gssp_in_token {
+	struct page **pages;	/* Array of contiguous pages */
+	unsigned int page_base;	/* Start of page data */
+	unsigned int page_len;	/* Length of page data */
+};
+
+struct gssx_arg_accept_sec_context {
+	struct gssx_call_ctx call_ctx;
+	struct gssx_ctx *context_handle;
+	struct gssx_cred *cred_handle;
+	struct gssp_in_token input_token;
+	struct gssx_cb *input_cb;
+	u32 ret_deleg_cred;
+	struct gssx_option_array options;
+};
+
+struct gssx_res_accept_sec_context {
+	struct gssx_status status;
+	struct gssx_ctx *context_handle;
+	gssx_buffer *output_token;
+	struct gssx_cred *delegated_cred_handle;
+	struct gssx_option_array options;
+};
+
+
+
+#define gssx_enc_indicate_mechs NULL
+#define gssx_dec_indicate_mechs NULL
+#define gssx_enc_get_call_context NULL
+#define gssx_dec_get_call_context NULL
+#define gssx_enc_import_and_canon_name NULL
+#define gssx_dec_import_and_canon_name NULL
+#define gssx_enc_export_cred NULL
+#define gssx_dec_export_cred NULL
+#define gssx_enc_import_cred NULL
+#define gssx_dec_import_cred NULL
+#define gssx_enc_acquire_cred NULL
+#define gssx_dec_acquire_cred NULL
+#define gssx_enc_store_cred NULL
+#define gssx_dec_store_cred NULL
+#define gssx_enc_init_sec_context NULL
+#define gssx_dec_init_sec_context NULL
+void gssx_enc_accept_sec_context(struct rpc_rqst *req,
+				 struct xdr_stream *xdr,
+				 struct gssx_arg_accept_sec_context *args);
+int gssx_dec_accept_sec_context(struct rpc_rqst *rqstp,
+				struct xdr_stream *xdr,
+				struct gssx_res_accept_sec_context *res);
+#define gssx_enc_release_handle NULL
+#define gssx_dec_release_handle NULL
+#define gssx_enc_get_mic NULL
+#define gssx_dec_get_mic NULL
+#define gssx_enc_verify NULL
+#define gssx_dec_verify NULL
+#define gssx_enc_wrap NULL
+#define gssx_dec_wrap NULL
+#define gssx_enc_unwrap NULL
+#define gssx_dec_unwrap NULL
+#define gssx_enc_wrap_size_limit NULL
+#define gssx_dec_wrap_size_limit NULL
+
+/* non implemented calls are set to 0 size */
+#define GSSX_ARG_indicate_mechs_sz 0
+#define GSSX_RES_indicate_mechs_sz 0
+#define GSSX_ARG_get_call_context_sz 0
+#define GSSX_RES_get_call_context_sz 0
+#define GSSX_ARG_import_and_canon_name_sz 0
+#define GSSX_RES_import_and_canon_name_sz 0
+#define GSSX_ARG_export_cred_sz 0
+#define GSSX_RES_export_cred_sz 0
+#define GSSX_ARG_import_cred_sz 0
+#define GSSX_RES_import_cred_sz 0
+#define GSSX_ARG_acquire_cred_sz 0
+#define GSSX_RES_acquire_cred_sz 0
+#define GSSX_ARG_store_cred_sz 0
+#define GSSX_RES_store_cred_sz 0
+#define GSSX_ARG_init_sec_context_sz 0
+#define GSSX_RES_init_sec_context_sz 0
+
+#define GSSX_default_in_call_ctx_sz (4 + 4 + 4 + \
+			8 + sizeof(LUCID_OPTION) + sizeof(LUCID_VALUE) + \
+			8 + sizeof(CREDS_OPTION) + sizeof(CREDS_VALUE))
+#define GSSX_default_in_ctx_hndl_sz (4 + 4+8 + 4 + 4 + 6*4 + 6*4 + 8 + 8 + \
+					4 + 4 + 4)
+#define GSSX_default_in_cred_sz 4 /* we send in no cred_handle */
+#define GSSX_default_in_token_sz 4 /* does *not* include token data */
+#define GSSX_default_in_cb_sz 4 /* we do not use channel bindings */
+#define GSSX_ARG_accept_sec_context_sz (GSSX_default_in_call_ctx_sz + \
+					GSSX_default_in_ctx_hndl_sz + \
+					GSSX_default_in_cred_sz + \
+					GSSX_default_in_token_sz + \
+					GSSX_default_in_cb_sz + \
+					4 /* no deleg creds boolean */ + \
+					4) /* empty options */
+
+/* somewhat arbitrary numbers but large enough (we ignore some of the data
+ * sent down, but it is part of the protocol so we need enough space to take
+ * it in) */
+#define GSSX_default_status_sz 8 + 24 + 8 + 256 + 256 + 16 + 4
+#define GSSX_max_output_handle_sz 128
+#define GSSX_max_oid_sz 16
+#define GSSX_max_princ_sz 256
+#define GSSX_default_ctx_sz (GSSX_max_output_handle_sz + \
+			     16 + 4 + GSSX_max_oid_sz + \
+			     2 * GSSX_max_princ_sz + \
+			     8 + 8 + 4 + 4 + 4)
+#define GSSX_max_output_token_sz 1024
+#define GSSX_max_creds_sz (4 + 4 + 4 + NGROUPS_MAX * 4)
+#define GSSX_RES_accept_sec_context_sz (GSSX_default_status_sz + \
+					GSSX_default_ctx_sz + \
+					GSSX_max_output_token_sz + \
+					4 + GSSX_max_creds_sz)
+
+#define GSSX_ARG_release_handle_sz 0
+#define GSSX_RES_release_handle_sz 0
+#define GSSX_ARG_get_mic_sz 0
+#define GSSX_RES_get_mic_sz 0
+#define GSSX_ARG_verify_sz 0
+#define GSSX_RES_verify_sz 0
+#define GSSX_ARG_wrap_sz 0
+#define GSSX_RES_wrap_sz 0
+#define GSSX_ARG_unwrap_sz 0
+#define GSSX_RES_unwrap_sz 0
+#define GSSX_ARG_wrap_size_limit_sz 0
+#define GSSX_RES_wrap_size_limit_sz 0
+
+
+
+#endif /* _LINUX_GSS_RPC_XDR_H */
-- 
1.7.7.6

[PATCH 4/4] SUNRPC: Use gssproxy upcall for nfsd's RPCGSS authentication.

[Simo Sorce]

The main advantge of this new upcall mechanism is that it can handle
big tickets as seen in Kerberos implementations where tickets carry
authorization data like the MS-PAC buffer with AD or the Posix Authorization
Data being discussed in IETF on the krbwg working group.

The Gssproxy program is used to perform the accept_sec_context call on the
kernel's behalf. The code is changed to also pass the input buffer straight
to upcall mechanism to avoid allocating and copying many pages as tokens can
be as big (potentially more in future) as 64KiB.

Signed-off-by: Simo Sorce <simo@redhat.com>
---
 include/linux/sunrpc/auth_gss.h    |    3 +
 include/linux/sunrpc/svcauth_gss.h |    2 +-
 net/sunrpc/auth_gss/auth_gss.c     |    9 +-
 net/sunrpc/auth_gss/svcauth_gss.c  |  249 ++++++++++++++++++++++++++++++++++--
 4 files changed, 248 insertions(+), 15 deletions(-)

diff --git a/include/linux/sunrpc/auth_gss.h b/include/linux/sunrpc/auth_gss.h
index f1cfd4c85cd047c4b2fadd367eeb819aabc57d29..eb2670f6cf9113f1b4c161b9deda05ee4757fa85 100644
--- a/include/linux/sunrpc/auth_gss.h
+++ b/include/linux/sunrpc/auth_gss.h
@@ -19,6 +19,9 @@
 
 #define RPC_GSS_VERSION		1
 
+#define GSS_UPCALL_LEGACY	0
+#define GSS_UPCALL_GSSPROXY	1
+
 #define MAXSEQ 0x80000000 /* maximum legal sequence number, from rfc 2203 */
 
 enum rpc_gss_proc {
diff --git a/include/linux/sunrpc/svcauth_gss.h b/include/linux/sunrpc/svcauth_gss.h
index 7c32daa025eb07b644d8185a27c8ea10d8b7c55f..678c6fc8f1593bc53bc3d875175ed7098cd4db40 100644
--- a/include/linux/sunrpc/svcauth_gss.h
+++ b/include/linux/sunrpc/svcauth_gss.h
@@ -16,7 +16,7 @@
 #include <linux/sunrpc/svcsock.h>
 #include <linux/sunrpc/auth_gss.h>
 
-int gss_svc_init(void);
+int gss_svc_init(unsigned int upcall_type);
 void gss_svc_shutdown(void);
 int gss_svc_init_net(struct net *net);
 void gss_svc_shutdown_net(struct net *net);
diff --git a/net/sunrpc/auth_gss/auth_gss.c b/net/sunrpc/auth_gss/auth_gss.c
index 836cbecb1947235d38c62eadf79ae96ad73906e6..97fe72609387cb8b948bc3aa4d14db4956138d3c 100644
--- a/net/sunrpc/auth_gss/auth_gss.c
+++ b/net/sunrpc/auth_gss/auth_gss.c
@@ -60,6 +60,8 @@ static const struct rpc_credops gss_nullops;
 #define GSS_RETRY_EXPIRED 5
 static unsigned int gss_expired_cred_retry_delay = GSS_RETRY_EXPIRED;
 
+static unsigned int gss_upcall_daemon_type = GSS_UPCALL_LEGACY;
+
 #ifdef RPC_DEBUG
 # define RPCDBG_FACILITY	RPCDBG_AUTH
 #endif
@@ -1687,7 +1689,7 @@ static int __init init_rpcsec_gss(void)
 	err = rpcauth_register(&authgss_ops);
 	if (err)
 		goto out;
-	err = gss_svc_init();
+	err = gss_svc_init(gss_upcall_daemon_type);
 	if (err)
 		goto out_unregister;
 	err = register_pernet_subsys(&rpcsec_gss_net_ops);
@@ -1717,6 +1719,11 @@ module_param_named(expired_cred_retry_delay,
 		   uint, 0644);
 MODULE_PARM_DESC(expired_cred_retry_delay, "Timeout (in seconds) until "
 		"the RPC engine retries an expired credential");
+module_param_named(upcall_daemon_type,
+		   gss_upcall_daemon_type,
+		   uint, 0644);
+MODULE_PARM_DESC(upcall_daemon_type, "Type of svcgss upcall daemon used "
+		"(legacy=0 or gssproxy=1)");
 
 module_init(init_rpcsec_gss)
 module_exit(exit_rpcsec_gss)
diff --git a/net/sunrpc/auth_gss/svcauth_gss.c b/net/sunrpc/auth_gss/svcauth_gss.c
index aa1b649749741c82e60f0f528ac645197fd7ab35..87dcc837fa10e8ee7176379b1cc27235800bd612 100644
--- a/net/sunrpc/auth_gss/svcauth_gss.c
+++ b/net/sunrpc/auth_gss/svcauth_gss.c
@@ -47,6 +47,7 @@
 #include <linux/sunrpc/svcauth.h>
 #include <linux/sunrpc/svcauth_gss.h>
 #include <linux/sunrpc/cache.h>
+#include "gss_rpc_upcall.h"
 
 #include "../netns.h"
 
@@ -54,6 +55,8 @@
 # define RPCDBG_FACILITY	RPCDBG_AUTH
 #endif
 
+static bool use_gssp = false;
+
 /* The rpcsec_init cache is used for mapping RPCSEC_GSS_{,CONT_}INIT requests
  * into replies.
  *
@@ -554,6 +557,7 @@ static struct rsc *rsc_update(struct cache_detail *cd, struct rsc *new, struct r
 }
 
 
+
 static struct rsc *
 gss_svc_searchbyctx(struct cache_detail *cd, struct xdr_netobj *handle)
 {
@@ -984,13 +988,10 @@ gss_write_init_verf(struct cache_detail *cd, struct svc_rqst *rqstp,
 }
 
 static inline int
-gss_read_verf(struct rpc_gss_wire_cred *gc,
-	      struct kvec *argv, __be32 *authp,
-	      struct xdr_netobj *in_handle,
-	      struct xdr_netobj *in_token)
+gss_read_common_verf(struct rpc_gss_wire_cred *gc,
+		     struct kvec *argv, __be32 *authp,
+		     struct xdr_netobj *in_handle)
 {
-	struct xdr_netobj tmpobj;
-
 	/* Read the verifier; should be NULL: */
 	*authp = rpc_autherr_badverf;
 	if (argv->iov_len < 2 * 4)
@@ -1006,6 +1007,23 @@ gss_read_verf(struct rpc_gss_wire_cred *gc,
 	if (dup_netobj(in_handle, &gc->gc_ctx))
 		return SVC_CLOSE;
 	*authp = rpc_autherr_badverf;
+
+	return 0;
+}
+
+static inline int
+gss_read_verf(struct rpc_gss_wire_cred *gc,
+	      struct kvec *argv, __be32 *authp,
+	      struct xdr_netobj *in_handle,
+	      struct xdr_netobj *in_token)
+{
+	struct xdr_netobj tmpobj;
+	int res;
+
+	res = gss_read_common_verf(gc, argv, authp, in_handle);
+	if (res)
+		return res;
+
 	if (svc_safe_getnetobj(argv, &tmpobj)) {
 		kfree(in_handle->data);
 		return SVC_DENIED;
@@ -1018,6 +1036,42 @@ gss_read_verf(struct rpc_gss_wire_cred *gc,
 	return 0;
 }
 
+/* Ok this is really heavily depending on a set of semantics in
+ * how rqstp is set up by svc_recv and pages laid down by the
+ * server when reading a request. We are basically guaranteed that
+ * the token lays all down linearly across a set of pages, starting
+ * at iov_base in rq_arg.head[0] which happens to be the first of a
+ * set of pages stored in rq_pages[].
+ * rq_arg.head[0].iov_base will provide us the page_base to pass
+ * to the upcall.
+ */
+static inline int
+gss_read_proxy_verf(struct svc_rqst *rqstp,
+		    struct rpc_gss_wire_cred *gc, __be32 *authp,
+		    struct xdr_netobj *in_handle,
+		    struct gssp_in_token *in_token)
+{
+	struct kvec *argv = &rqstp->rq_arg.head[0];
+	u32 inlen;
+	int res;
+
+	res = gss_read_common_verf(gc, argv, authp, in_handle);
+	if (res)
+		return res;
+
+	inlen = svc_getnl(argv);
+	if (inlen > (argv->iov_len + rqstp->rq_arg.page_len))
+		return SVC_DENIED;
+
+	in_token->pages = rqstp->rq_pages;
+	in_token->page_base = (ulong)argv->iov_base & ~PAGE_MASK;
+	in_token->page_len = inlen;
+
+	/* FIXME: change argv to point to the end of in_token ? */
+
+	return 0;
+}
+
 static inline int
 gss_write_resv(struct kvec *resv, size_t size_limit,
 	       struct xdr_netobj *out_handle, struct xdr_netobj *out_token,
@@ -1045,7 +1099,7 @@ gss_write_resv(struct kvec *resv, size_t size_limit,
  * the upcall results are available, write the verifier and result.
  * Otherwise, drop the request pending an answer to the upcall.
  */
-static int svcauth_gss_handle_init(struct svc_rqst *rqstp,
+static int svcauth_gss_legacy_init(struct svc_rqst *rqstp,
 			struct rpc_gss_wire_cred *gc, __be32 *authp)
 {
 	struct kvec *argv = &rqstp->rq_arg.head[0];
@@ -1085,6 +1139,158 @@ out:
 	return ret;
 }
 
+static int gss_proxy_save_rsc(struct cache_detail *cd,
+				struct gssp_upcall_data *ud,
+				struct xdr_netobj *handle)
+{
+	struct rsc rsci, *rscp = NULL;
+	static atomic64_t ctxhctr;
+	long long ctxh;
+	struct gss_api_mech *gm = NULL;
+	time_t expiry;
+	char *c;
+	int status = -EINVAL;
+
+	memset(&rsci, 0, sizeof(rsci));
+	/* context handle */
+	status = -ENOMEM;
+	/* the handle needs to be just a unique id,
+	 * use a static counter */
+	ctxh = atomic64_inc_return(&ctxhctr);
+	handle->data = kmemdup(&ctxh, sizeof(ctxh), GFP_KERNEL);
+	if (handle->data == NULL)
+		goto out;
+	handle->len = sizeof(ctxh);
+	if (dup_to_netobj(&rsci.handle, handle->data, handle->len))
+		goto out;
+
+	rscp = rsc_lookup(cd, &rsci);
+	if (!rscp)
+		goto out;
+
+	/* creds */
+	if (!ud->creds) {
+		dprintk("RPC:       No creds found, marking Negative!\n");
+		set_bit(CACHE_NEGATIVE, &rsci.h.flags);
+	} else {
+
+		/* steal creds */
+		rsci.cred = *ud->creds;
+		ud->creds->cr_group_info = NULL;
+
+		status = -EOPNOTSUPP;
+		/* get mech handle from OID */
+		gm = gss_mech_get_by_OID(&ud->mech_oid);
+		if (!gm)
+			goto out;
+
+		status = -EINVAL;
+		/* mech-specific data: */
+		status = gss_import_sec_context(ud->out_handle.data,
+						ud->out_handle.len,
+						gm, &rsci.mechctx,
+						&expiry, GFP_KERNEL);
+		if (status)
+			goto out;
+
+		/* get client name */
+		if (ud->client_name.len != 0) {
+			status = -ENOMEM;
+			/* convert to GSS_NT_HOSTBASED_SERVICE form */
+			rsci.client_name = kstrndup(ud->client_name.data,
+							ud->client_name.len,
+							GFP_KERNEL);
+			if (!rsci.client_name)
+				goto out;
+			/* terminate and remove realm part */
+			c = strchr(rsci.client_name, '@');
+			if (c) {
+				*c = '\0';
+
+				/* change service-hostname delimiter */
+				c = strchr(rsci.client_name, '/');
+				if (c) *c = '@';
+			}
+			if (!c) {
+				/* not a service principal */
+				kfree(rsci.client_name);
+				rsci.client_name = NULL;
+			}
+		}
+	}
+
+	rsci.h.expiry_time = expiry;
+	rscp = rsc_update(cd, &rsci, rscp);
+	status = 0;
+out:
+	gss_mech_put(gm);
+	rsc_free(&rsci);
+	if (rscp)
+		cache_put(&rscp->h, cd);
+	else
+		status = -ENOMEM;
+	return status;
+}
+
+static int svcauth_gss_proxy_init(struct svc_rqst *rqstp,
+			struct rpc_gss_wire_cred *gc, __be32 *authp)
+{
+	struct kvec *resv = &rqstp->rq_res.head[0];
+	struct xdr_netobj cli_handle;
+	struct gssp_upcall_data ud;
+	int status;
+	int ret;
+	struct sunrpc_net *sn = net_generic(rqstp->rq_xprt->xpt_net, sunrpc_net_id);
+
+	memset(&cli_handle, 0, sizeof(cli_handle));
+	memset(&ud, 0, sizeof(ud));
+	ret = gss_read_proxy_verf(rqstp, gc, authp,
+				  &ud.in_handle, &ud.in_token);
+	if (ret)
+		return ret;
+
+	ret = SVC_CLOSE;
+
+	/* Perform synchronous upcall to gss-proxy */
+	status = gssp_accept_sec_context_upcall(&ud);
+	if (status) {
+		goto out;
+	}
+
+	dprintk("RPC:       svcauth_gss: gss major status = %d\n",
+			ud.major_status);
+
+	switch (ud.major_status) {
+	case GSS_S_CONTINUE_NEEDED:
+		cli_handle = ud.out_handle;
+		ud.out_handle.data = NULL;
+		break;
+	case GSS_S_COMPLETE:
+		status = gss_proxy_save_rsc(sn->rsc_cache, &ud, &cli_handle);
+		if (status)
+			goto out;
+		break;
+	default:
+		ret = SVC_CLOSE;
+		goto out;
+	}
+
+	/* Got an answer to the upcall; use it: */
+	if (gss_write_init_verf(sn->rsc_cache, rqstp,
+				&cli_handle, &ud.major_status))
+		goto out;
+	if (gss_write_resv(resv, PAGE_SIZE,
+			   &cli_handle, &ud.out_token,
+			   ud.major_status, ud.minor_status))
+		goto out;
+
+	ret = SVC_COMPLETE;
+out:
+	gssp_free_upcall_data(&ud);
+	kfree(cli_handle.data);
+	return ret;
+}
+
 /*
  * Accept an rpcsec packet.
  * If context establishment, punt to user space
@@ -1151,7 +1357,10 @@ svcauth_gss_accept(struct svc_rqst *rqstp, __be32 *authp)
 	switch (gc->gc_proc) {
 	case RPC_GSS_PROC_INIT:
 	case RPC_GSS_PROC_CONTINUE_INIT:
-		return svcauth_gss_handle_init(rqstp, gc, authp);
+		if (use_gssp)
+			return svcauth_gss_proxy_init(rqstp, gc, authp);
+		else
+			return svcauth_gss_legacy_init(rqstp, gc, authp);
 	case RPC_GSS_PROC_DATA:
 	case RPC_GSS_PROC_DESTROY:
 		/* Look up the context, and check the verifier: */
@@ -1523,9 +1732,12 @@ gss_svc_init_net(struct net *net)
 	rv = rsc_cache_create_net(net);
 	if (rv)
 		return rv;
-	rv = rsi_cache_create_net(net);
-	if (rv)
-		goto out1;
+	if (!use_gssp) {
+		rv = rsi_cache_create_net(net);
+		if (rv)
+			goto out1;
+	}
+
 	return 0;
 out1:
 	rsc_cache_destroy_net(net);
@@ -1535,13 +1747,24 @@ out1:
 void
 gss_svc_shutdown_net(struct net *net)
 {
-	rsi_cache_destroy_net(net);
+	if (!use_gssp)
+		rsi_cache_destroy_net(net);
 	rsc_cache_destroy_net(net);
 }
 
 int
-gss_svc_init(void)
+gss_svc_init(unsigned int upcall_type)
 {
+	switch (upcall_type) {
+	case GSS_UPCALL_LEGACY:
+		break;
+	case GSS_UPCALL_GSSPROXY:
+		dprintk("RPC:       svcauth_gss: Initializing for use with gss-proxy\n");
+		use_gssp = true;
+		break;
+	default:
+		return -EINVAL;
+	}
 	return svc_auth_register(RPC_AUTH_GSS, &svcauthops_gss);
 }
 
-- 
1.7.7.6

Re: [PATCH 1/4] SUNRPC: conditionally return endtime from import_sec_context

[J. Bruce Fields]

On Tue, May 15, 2012 at 09:12:27AM -0400, Simo Sorce wrote:
> We expose this parameter for a future caller.
> It will be used to extract the endtime from the gss-proxy upcall mechanism,
> in order to set the rsc cache expiration time.

Looks fine, thanks.--b.

> 
> Signed-off-by: Simo Sorce <simo@redhat.com>
> ---
>  include/linux/sunrpc/gss_api.h        |    2 ++
>  net/sunrpc/auth_gss/auth_gss.c        |    2 +-
>  net/sunrpc/auth_gss/gss_krb5_mech.c   |    3 +++
>  net/sunrpc/auth_gss/gss_mech_switch.c |    5 +++--
>  net/sunrpc/auth_gss/svcauth_gss.c     |    3 ++-
>  5 files changed, 11 insertions(+), 4 deletions(-)
> 
> diff --git a/include/linux/sunrpc/gss_api.h b/include/linux/sunrpc/gss_api.h
> index 332da61cf8b71fc73d802b2609210f46641a9ea1..7bd486d50f0861b45c98e695751c2f92f1b3bdfa 100644
> --- a/include/linux/sunrpc/gss_api.h
> +++ b/include/linux/sunrpc/gss_api.h
> @@ -36,6 +36,7 @@ int gss_import_sec_context(
>  		size_t			bufsize,
>  		struct gss_api_mech	*mech,
>  		struct gss_ctx		**ctx_id,
> +		time_t			*endtime,
>  		gfp_t			gfp_mask);
>  u32 gss_get_mic(
>  		struct gss_ctx		*ctx_id,
> @@ -91,6 +92,7 @@ struct gss_api_ops {
>  			const void		*input_token,
>  			size_t			bufsize,
>  			struct gss_ctx		*ctx_id,
> +			time_t			*endtime,
>  			gfp_t			gfp_mask);
>  	u32 (*gss_get_mic)(
>  			struct gss_ctx		*ctx_id,
> diff --git a/net/sunrpc/auth_gss/auth_gss.c b/net/sunrpc/auth_gss/auth_gss.c
> index d3ad81f8da5b79551c36b17a7d53007406946699..836cbecb1947235d38c62eadf79ae96ad73906e6 100644
> --- a/net/sunrpc/auth_gss/auth_gss.c
> +++ b/net/sunrpc/auth_gss/auth_gss.c
> @@ -232,7 +232,7 @@ gss_fill_context(const void *p, const void *end, struct gss_cl_ctx *ctx, struct
>  		p = ERR_PTR(-EFAULT);
>  		goto err;
>  	}
> -	ret = gss_import_sec_context(p, seclen, gm, &ctx->gc_gss_ctx, GFP_NOFS);
> +	ret = gss_import_sec_context(p, seclen, gm, &ctx->gc_gss_ctx, NULL, GFP_NOFS);
>  	if (ret < 0) {
>  		p = ERR_PTR(ret);
>  		goto err;
> diff --git a/net/sunrpc/auth_gss/gss_krb5_mech.c b/net/sunrpc/auth_gss/gss_krb5_mech.c
> index 8eff8c32d1b9b403c2365326c16e44df7c0923e6..329c36b9aa269a414932df86d89650c7a39528fd 100644
> --- a/net/sunrpc/auth_gss/gss_krb5_mech.c
> +++ b/net/sunrpc/auth_gss/gss_krb5_mech.c
> @@ -679,6 +679,7 @@ out_err:
>  static int
>  gss_import_sec_context_kerberos(const void *p, size_t len,
>  				struct gss_ctx *ctx_id,
> +				time_t *endtime,
>  				gfp_t gfp_mask)
>  {
>  	const void *end = (const void *)((const char *)p + len);
> @@ -696,6 +697,8 @@ gss_import_sec_context_kerberos(const void *p, size_t len,
>  
>  	if (ret == 0)
>  		ctx_id->internal_ctx_id = ctx;
> +		if (endtime)
> +			*endtime = ctx->endtime;
>  	else
>  		kfree(ctx);
>  
> diff --git a/net/sunrpc/auth_gss/gss_mech_switch.c b/net/sunrpc/auth_gss/gss_mech_switch.c
> index ca8cad8251c7ff1c13c9bff6757e098c4f1cd9b2..b22cc24fac482351876c8f4a6c10d8b203a95045 100644
> --- a/net/sunrpc/auth_gss/gss_mech_switch.c
> +++ b/net/sunrpc/auth_gss/gss_mech_switch.c
> @@ -312,14 +312,15 @@ int
>  gss_import_sec_context(const void *input_token, size_t bufsize,
>  		       struct gss_api_mech	*mech,
>  		       struct gss_ctx		**ctx_id,
> +		       time_t			*endtime,
>  		       gfp_t gfp_mask)
>  {
>  	if (!(*ctx_id = kzalloc(sizeof(**ctx_id), gfp_mask)))
>  		return -ENOMEM;
>  	(*ctx_id)->mech_type = gss_mech_get(mech);
>  
> -	return mech->gm_ops
> -		->gss_import_sec_context(input_token, bufsize, *ctx_id, gfp_mask);
> +	return mech->gm_ops->gss_import_sec_context(input_token, bufsize,
> +						*ctx_id, endtime, gfp_mask);
>  }
>  
>  /* gss_get_mic: compute a mic over message and return mic_token. */
> diff --git a/net/sunrpc/auth_gss/svcauth_gss.c b/net/sunrpc/auth_gss/svcauth_gss.c
> index f0a0cd4470b7a23ab46a08a68b4ef78c7400db4c..aa1b649749741c82e60f0f528ac645197fd7ab35 100644
> --- a/net/sunrpc/auth_gss/svcauth_gss.c
> +++ b/net/sunrpc/auth_gss/svcauth_gss.c
> @@ -489,7 +489,8 @@ static int rsc_parse(struct cache_detail *cd,
>  		len = qword_get(&mesg, buf, mlen);
>  		if (len < 0)
>  			goto out;
> -		status = gss_import_sec_context(buf, len, gm, &rsci.mechctx, GFP_KERNEL);
> +		status = gss_import_sec_context(buf, len, gm, &rsci.mechctx,
> +						NULL, GFP_KERNEL);
>  		if (status)
>  			goto out;
>  
> -- 
> 1.7.7.6
> 
> --
> To unsubscribe from this list: send the line "unsubscribe linux-nfs" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: [PATCH 2/4] SUNRPC: Document a bit RPCGSS handling in the NFS Server

[J. Bruce Fields]

On Tue, May 15, 2012 at 09:12:28AM -0400, Simo Sorce wrote:
> Includes changes intorduced by GSS-Proxy.
> 
> Signed-off-by: Simo Sorce <simo@redhat.com>
> ---
>  Documentation/filesystems/nfs/00-INDEX         |    2 +
>  Documentation/filesystems/nfs/knfsd-rpcgss.txt |   65 ++++++++++++++++++++++++
>  2 files changed, 67 insertions(+), 0 deletions(-)
>  create mode 100644 Documentation/filesystems/nfs/knfsd-rpcgss.txt
> 
> diff --git a/Documentation/filesystems/nfs/00-INDEX b/Documentation/filesystems/nfs/00-INDEX
> index 1716874a651e1c574e7ca9719dfb4e3521b0a5e9..66eb6c8c5334518ddbc10115c7b34b4dfb1b3c0e 100644
> --- a/Documentation/filesystems/nfs/00-INDEX
> +++ b/Documentation/filesystems/nfs/00-INDEX
> @@ -20,3 +20,5 @@ rpc-cache.txt
>  	- introduction to the caching mechanisms in the sunrpc layer.
>  idmapper.txt
>  	- information for configuring request-keys to be used by idmapper
> +knfsd-rpcgss.txt
> +	- Information on GSS authentication support in the NFS Server
> diff --git a/Documentation/filesystems/nfs/knfsd-rpcgss.txt b/Documentation/filesystems/nfs/knfsd-rpcgss.txt
> new file mode 100644
> index 0000000000000000000000000000000000000000..914aa536273b986539d7859092e2c0f139ce5535
> --- /dev/null
> +++ b/Documentation/filesystems/nfs/knfsd-rpcgss.txt
> @@ -0,0 +1,65 @@
> +
> +Kernel NFS Server RPCGSS Support
> +================================
> +
> +This document gives references to the standards and protocols used to
> +implement RPCGSS authentication in the NFS Server.
> +
> +RPCGSS is specified in a few IETF documents:
> + - RFC2203 v1: http://tools.ietf.org/rfc/rfc2203.txt
> + - RFC5403 v2: http://tools.ietf.org/rfc/rfc5403.txt
> +and there is a 3rd version  being proposed:
> + - http://tools.ietf.org/id/draft-williams-rpcsecgssv3.txt
> +   (At draft n. 02 at the time of writing)
> +
> +Background
> +----------
> +
> +The RPCGSS Authentication method describes a way to perform GSSAPI
> +Authentication for NFS.
> +Although GSSAPI is itself completely mechanism agnostic, in many cases only
> +the KRB5 mechanism is supported by NFS implementations.
> +
> +The Linux kernel, at the moment, supports only the KRB5 mechanism, and depends
> +on GSSAPI extensions that are KRB5 specific.
> +
> +GSSAPI is a complex library, and implementing it completely in kernel is
> +unwarranted. However GSSAPI operations are fundementally separable in 2 parts:
> +- context establishment
> +- integrity/privacy protection (read: signing and encrypting)
> +
> +The first part is the complex one, while the actual integrity and privacy
> +protecion is simple enough.
> +Because of the complexity of context establishment, the NFS Server defers the
> +operation to the userspace througuh the use of upcalls.
> +
> +NFS Server Legacy Upcall mechanism
> +----------------------------------
> +
> +The classic upcall mechanism uses a custom text based upcall mechanism to talk
> +to a custom daemon called rpc.svcgssd that is provide by the nfs-utils package.
> +
> +This upcall mechanism has 2 limitations:
> +A) Can handle tokens that are no bigger than 2KiB
> +
> +In some Kerberos deployment GSSAPI tokens can be quite big, up and beyond 64KiB
> +in size due to various authorization extensions attacked to the Kerberos
> +tickets, that needs to be sent through the GSS layer in order to perform
> +context establishment.
> +
> +B) Does not properly handle creds where the user is member of more than a few
> +housand groups (the current hard limit in the kernel is 65K groups) due to
> +limitation on the size of the buffer that can be send back to the kernel (4KiB).
> +
> +NFS Server New RPC Upcall mechanism
> +-----------------------------------
> +
> +A new upcall mechanism that uses RPC over a Unix socket is added. This
> +mechanism uses a protocol called gss-proxy, and user space program that
> +implements it called Gssproxy. The gss_proxy RPC protocol is currently document
> +here: https://fedorahosted.org/gss-proxy/wiki/ProtocolDocumentation

That's helpful, thanks.

I thought there were a couple other ways in which the gss-proxy<->kernel
protocol would differ slightly from the full protocol.  (Some fields
which we "know" will always be left empty?)  Do I remember right, and if
so are those documented someplace too?

--b.

> +
> +This upcall mechanism uses the kernel rpc client and connects to the gssproxy
> +userspace program over a regular unix socket. The gssproxy protocol does not
> +suffer from the size limitations of the legacy protocol.
> +
> -- 
> 1.7.7.6
> 
> --
> To unsubscribe from this list: send the line "unsubscribe linux-nfs" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: [PATCH 2/4] SUNRPC: Document a bit RPCGSS handling in the NFS Server

[Simo Sorce]

On Mon, 2012-05-21 at 17:55 -0400, J. Bruce Fields wrote:
> On Tue, May 15, 2012 at 09:12:28AM -0400, Simo Sorce wrote:
> > Includes changes intorduced by GSS-Proxy.
> > 
> > Signed-off-by: Simo Sorce <simo@redhat.com>
> > ---
> >  Documentation/filesystems/nfs/00-INDEX         |    2 +
> >  Documentation/filesystems/nfs/knfsd-rpcgss.txt |   65 ++++++++++++++++++++++++
> >  2 files changed, 67 insertions(+), 0 deletions(-)
> >  create mode 100644 Documentation/filesystems/nfs/knfsd-rpcgss.txt
> > 
> > diff --git a/Documentation/filesystems/nfs/00-INDEX b/Documentation/filesystems/nfs/00-INDEX
> > index 1716874a651e1c574e7ca9719dfb4e3521b0a5e9..66eb6c8c5334518ddbc10115c7b34b4dfb1b3c0e 100644
> > --- a/Documentation/filesystems/nfs/00-INDEX
> > +++ b/Documentation/filesystems/nfs/00-INDEX
> > @@ -20,3 +20,5 @@ rpc-cache.txt
> >  	- introduction to the caching mechanisms in the sunrpc layer.
> >  idmapper.txt
> >  	- information for configuring request-keys to be used by idmapper
> > +knfsd-rpcgss.txt
> > +	- Information on GSS authentication support in the NFS Server
> > diff --git a/Documentation/filesystems/nfs/knfsd-rpcgss.txt b/Documentation/filesystems/nfs/knfsd-rpcgss.txt
> > new file mode 100644
> > index 0000000000000000000000000000000000000000..914aa536273b986539d7859092e2c0f139ce5535
> > --- /dev/null
> > +++ b/Documentation/filesystems/nfs/knfsd-rpcgss.txt
> > @@ -0,0 +1,65 @@
> > +
> > +Kernel NFS Server RPCGSS Support
> > +================================
> > +
> > +This document gives references to the standards and protocols used to
> > +implement RPCGSS authentication in the NFS Server.
> > +
> > +RPCGSS is specified in a few IETF documents:
> > + - RFC2203 v1: http://tools.ietf.org/rfc/rfc2203.txt
> > + - RFC5403 v2: http://tools.ietf.org/rfc/rfc5403.txt
> > +and there is a 3rd version  being proposed:
> > + - http://tools.ietf.org/id/draft-williams-rpcsecgssv3.txt
> > +   (At draft n. 02 at the time of writing)
> > +
> > +Background
> > +----------
> > +
> > +The RPCGSS Authentication method describes a way to perform GSSAPI
> > +Authentication for NFS.
> > +Although GSSAPI is itself completely mechanism agnostic, in many cases only
> > +the KRB5 mechanism is supported by NFS implementations.
> > +
> > +The Linux kernel, at the moment, supports only the KRB5 mechanism, and depends
> > +on GSSAPI extensions that are KRB5 specific.
> > +
> > +GSSAPI is a complex library, and implementing it completely in kernel is
> > +unwarranted. However GSSAPI operations are fundementally separable in 2 parts:
> > +- context establishment
> > +- integrity/privacy protection (read: signing and encrypting)
> > +
> > +The first part is the complex one, while the actual integrity and privacy
> > +protecion is simple enough.
> > +Because of the complexity of context establishment, the NFS Server defers the
> > +operation to the userspace througuh the use of upcalls.
> > +
> > +NFS Server Legacy Upcall mechanism
> > +----------------------------------
> > +
> > +The classic upcall mechanism uses a custom text based upcall mechanism to talk
> > +to a custom daemon called rpc.svcgssd that is provide by the nfs-utils package.
> > +
> > +This upcall mechanism has 2 limitations:
> > +A) Can handle tokens that are no bigger than 2KiB
> > +
> > +In some Kerberos deployment GSSAPI tokens can be quite big, up and beyond 64KiB
> > +in size due to various authorization extensions attacked to the Kerberos
> > +tickets, that needs to be sent through the GSS layer in order to perform
> > +context establishment.
> > +
> > +B) Does not properly handle creds where the user is member of more than a few
> > +housand groups (the current hard limit in the kernel is 65K groups) due to
> > +limitation on the size of the buffer that can be send back to the kernel (4KiB).
> > +
> > +NFS Server New RPC Upcall mechanism
> > +-----------------------------------
> > +
> > +A new upcall mechanism that uses RPC over a Unix socket is added. This
> > +mechanism uses a protocol called gss-proxy, and user space program that
> > +implements it called Gssproxy. The gss_proxy RPC protocol is currently document
> > +here: https://fedorahosted.org/gss-proxy/wiki/ProtocolDocumentation
> 
> That's helpful, thanks.
> 
> I thought there were a couple other ways in which the gss-proxy<->kernel
> protocol would differ slightly from the full protocol.  (Some fields
> which we "know" will always be left empty?)  Do I remember right, and if
> so are those documented someplace too?

Nope, nothing special, we simply ignore fields we are not interested to
in the reply. The special handling for that is all in kernel and does
not affect the actual protocol.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

Re: [PATCH 3/4] SUNRPC: Add RPC based upcall mechanism for RPCGSS auth

[J. Bruce Fields]

Have you and Stanislav talked about fitting this with the ongoing
container work?

--b.

On Tue, May 15, 2012 at 09:12:29AM -0400, Simo Sorce wrote:
> This patch implements a sunrpc client to use the services of the gssproxy
> userspace daemon.
> 
> In particular it allows to perform calls in user space using an RPC
> call instead of custom hand-coded upcall/downcall messages.
> 
> Currently only accept_sec_context is implemented as that is all is needed for
> the server case.
> 
> File server modules like NFS and CIFS can use full gssapi services this way,
> once init_sec_context is also implemented.
> 
> For the NFS server case this code allow to lift the limit of max 2k krb5
> tickets. This limit is prevents legitimate kerberos deployments from using krb5
> authentication with the Linux NFS server as they have normally ticket that are
> many kilobytes large.
> 
> It will also allow to lift the limitation on the size of the credential set
> (uid,gid,gids) passed down from user space for users that have very many groups
> associated. Currently the downcall mechanism used by rpc.svcgssd is limited
> to around 2k secondary groups of the 65k allowed by kernel structures.
> 
> Signed-off-by: Simo Sorce <simo@redhat.com>
> ---
>  net/sunrpc/auth_gss/Makefile         |    4 +-
>  net/sunrpc/auth_gss/gss_rpc_upcall.c |  341 +++++++++++++
>  net/sunrpc/auth_gss/gss_rpc_upcall.h |   43 ++
>  net/sunrpc/auth_gss/gss_rpc_xdr.c    |  904 ++++++++++++++++++++++++++++++++++
>  net/sunrpc/auth_gss/gss_rpc_xdr.h    |  269 ++++++++++
>  5 files changed, 1560 insertions(+), 1 deletions(-)
>  create mode 100644 net/sunrpc/auth_gss/gss_rpc_upcall.c
>  create mode 100644 net/sunrpc/auth_gss/gss_rpc_upcall.h
>  create mode 100644 net/sunrpc/auth_gss/gss_rpc_xdr.c
>  create mode 100644 net/sunrpc/auth_gss/gss_rpc_xdr.h
> 
> diff --git a/net/sunrpc/auth_gss/Makefile b/net/sunrpc/auth_gss/Makefile
> index 9e4cb59ef9f0207bc8edc4629dee18c545599de6..bf9f334529416f496ad32a3d0087964df93ff4ac 100644
> --- a/net/sunrpc/auth_gss/Makefile
> +++ b/net/sunrpc/auth_gss/Makefile
> @@ -5,9 +5,11 @@
>  obj-$(CONFIG_SUNRPC_GSS) += auth_rpcgss.o
>  
>  auth_rpcgss-y := auth_gss.o gss_generic_token.o \
> -	gss_mech_switch.o svcauth_gss.o
> +	gss_mech_switch.o svcauth_gss.o \
> +	gss_rpc_upcall.o gss_rpc_xdr.o
>  
>  obj-$(CONFIG_RPCSEC_GSS_KRB5) += rpcsec_gss_krb5.o
>  
>  rpcsec_gss_krb5-y := gss_krb5_mech.o gss_krb5_seal.o gss_krb5_unseal.o \
>  	gss_krb5_seqnum.o gss_krb5_wrap.o gss_krb5_crypto.o gss_krb5_keys.o
> +
> diff --git a/net/sunrpc/auth_gss/gss_rpc_upcall.c b/net/sunrpc/auth_gss/gss_rpc_upcall.c
> new file mode 100644
> index 0000000000000000000000000000000000000000..75e88519bd1be87aab4a1b195a7d86aedb7ed03a
> --- /dev/null
> +++ b/net/sunrpc/auth_gss/gss_rpc_upcall.c
> @@ -0,0 +1,341 @@
> +/*
> + *  linux/net/sunrpc/gss_rpc_upcall.c
> + *
> + *  Copyright (C) 2012 Simo Sorce <simo@redhat.com>
> + *
> + * This program is free software; you can redistribute it and/or modify
> + * it under the terms of the GNU General Public License as published by
> + * the Free Software Foundation; either version 2 of the License, or
> + * (at your option) any later version.
> + *
> + * This program is distributed in the hope that it will be useful,
> + * but WITHOUT ANY WARRANTY; without even the implied warranty of
> + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
> + * GNU General Public License for more details.
> + *
> + * You should have received a copy of the GNU General Public License
> + * along with this program; if not, write to the Free Software
> + * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
> + */
> +
> +#include <linux/types.h>
> +#include <linux/un.h>
> +
> +#include <linux/sunrpc/svcauth.h>
> +#include "gss_rpc_upcall.h"
> +
> +#define GSSPROXY_SOCK_PATHNAME	"/var/run/gssproxy.sock"
> +
> +#define GSSPROXY_PROGRAM	(400112u)
> +#define GSSPROXY_VERS_1		(1u)
> +
> +DEFINE_MUTEX(gssp_clnt_mutex);
> +struct rpc_clnt *gssp_clnt;
> +
> +/*
> + * Encoding/Decoding functions
> + */
> +
> +enum {
> +	GSSX_NULL = 0,	/* Unused */
> +        GSSX_INDICATE_MECHS = 1,
> +        GSSX_GET_CALL_CONTEXT = 2,
> +        GSSX_IMPORT_AND_CANON_NAME = 3,
> +        GSSX_EXPORT_CRED = 4,
> +        GSSX_IMPORT_CRED = 5,
> +        GSSX_ACQUIRE_CRED = 6,
> +        GSSX_STORE_CRED = 7,
> +        GSSX_INIT_SEC_CONTEXT = 8,
> +        GSSX_ACCEPT_SEC_CONTEXT = 9,
> +        GSSX_RELEASE_HANDLE = 10,
> +        GSSX_GET_MIC = 11,
> +        GSSX_VERIFY = 12,
> +        GSSX_WRAP = 13,
> +        GSSX_UNWRAP = 14,
> +        GSSX_WRAP_SIZE_LIMIT = 15,
> +};
> +
> +#define PROC(proc, name)				\
> +[GSSX_##proc] = {					\
> +	.p_proc   = GSSX_##proc,			\
> +	.p_encode = (kxdreproc_t)gssx_enc_##name,	\
> +	.p_decode = (kxdrdproc_t)gssx_dec_##name,	\
> +	.p_arglen = GSSX_ARG_##name##_sz,		\
> +	.p_replen = GSSX_RES_##name##_sz, 		\
> +	.p_statidx = GSSX_##proc,			\
> +	.p_name   = #proc,				\
> +}
> +
> +struct rpc_procinfo gssp_procedures[] = {
> +	PROC(INDICATE_MECHS, indicate_mechs),
> +        PROC(GET_CALL_CONTEXT, get_call_context),
> +        PROC(IMPORT_AND_CANON_NAME, import_and_canon_name),
> +        PROC(EXPORT_CRED, export_cred),
> +        PROC(IMPORT_CRED, import_cred),
> +        PROC(ACQUIRE_CRED, acquire_cred),
> +        PROC(STORE_CRED, store_cred),
> +        PROC(INIT_SEC_CONTEXT, init_sec_context),
> +        PROC(ACCEPT_SEC_CONTEXT, accept_sec_context),
> +        PROC(RELEASE_HANDLE, release_handle),
> +        PROC(GET_MIC, get_mic),
> +        PROC(VERIFY, verify),
> +        PROC(WRAP, wrap),
> +        PROC(UNWRAP, unwrap),
> +        PROC(WRAP_SIZE_LIMIT, wrap_size_limit),
> +};
> +
> +
> +
> +/*
> + * Common transport functions
> + */
> +
> +static const struct rpc_program gssp_program;
> +
> +static int gssp_rpc_create(struct rpc_clnt **_clnt)
> +{
> +	static const struct sockaddr_un gssp_localaddr = {
> +		.sun_family		= AF_LOCAL,
> +		.sun_path		= GSSPROXY_SOCK_PATHNAME,
> +	};
> +	struct rpc_create_args args = {
> +		.net		= &init_net,
> +		.protocol	= XPRT_TRANSPORT_LOCAL,
> +		.address	= (struct sockaddr *)&gssp_localaddr,
> +		.addrsize	= sizeof(gssp_localaddr),
> +		.servername	= "localhost",
> +		.program	= &gssp_program,
> +		.version	= GSSPROXY_VERS_1,
> +		.authflavor	= RPC_AUTH_NULL,
> +		.flags		= RPC_CLNT_CREATE_NOPING,
> +	};
> +	struct rpc_clnt *clnt;
> +	int result = 0;
> +
> +	clnt = rpc_create(&args);
> +	if (IS_ERR(clnt)) {
> +		dprintk("RPC:       failed to create AF_LOCAL gssproxy "
> +				"client (errno %ld).\n", PTR_ERR(clnt));
> +		result = -PTR_ERR(clnt);
> +		*_clnt = NULL;
> +		goto out;
> +	}
> +
> +	dprintk("RPC:       created new gssp local client (gssp_local_clnt: "
> +			"%p)\n", clnt);
> +	*_clnt = clnt;
> +
> +out:
> +	return result;
> +}
> +
> +static struct rpc_clnt *get_clnt(bool global_clnt)
> +{
> +	struct rpc_clnt *clnt;
> +	int err;
> +
> +	mutex_lock(&gssp_clnt_mutex);
> +
> +	if (global_clnt && gssp_clnt)
> +		return gssp_clnt;
> +
> +	err = gssp_rpc_create(&clnt);
> +	if (err) {
> +		mutex_unlock(&gssp_clnt_mutex);
> +		return NULL;
> +	}
> +	if (global_clnt)
> +		gssp_clnt = clnt;
> +
> +	mutex_unlock(&gssp_clnt_mutex);
> +	return clnt;
> +}
> +
> +static void kill_clnt(struct rpc_clnt *clnt)
> +{
> +	BUG_ON(clnt == NULL);
> +
> +	mutex_lock(&gssp_clnt_mutex);
> +
> +	rpc_shutdown_client(clnt);
> +	if (clnt == gssp_clnt)
> +		gssp_clnt = NULL;
> +
> +	mutex_unlock(&gssp_clnt_mutex);
> +}
> +
> +static int gssp_call(struct rpc_message *msg)
> +{
> +	struct rpc_clnt *clnt;
> +	int status;
> +
> +	/* for now always create new one */
> +	clnt = get_clnt(false);
> +
> +	status = rpc_call_sync(clnt, msg, 0);
> +	if (status < 0) {
> +		dprintk("gssp: rpc_call returned error %d\n", -status);
> +		switch (status) {
> +		case -EPROTONOSUPPORT:
> +			status = -EINVAL;
> +			break;
> +		case -ECONNREFUSED:
> +		case -ETIMEDOUT:
> +		case -ENOTCONN:
> +			status = -EAGAIN;
> +			break;
> +		case -ERESTARTSYS:
> +			if (signalled ())
> +				status = -EINTR;
> +			break;
> +		default:
> +			break;
> +		}
> +	}
> +
> +	/* always kill connection for now */
> +	kill_clnt(clnt);
> +
> +	return status;
> +}
> +
> +
> +/*
> + * Public functions
> + */
> +
> +/* numbers somewhat arbitrary but large enough for current needs */
> +#define GSSX_MAX_OUT_HANDLE	128
> +#define GSSX_MAX_MECH_OID	16
> +#define GSSX_MAX_SRC_PRINC	256
> +#define GSSX_KMEMBUF (GSSX_max_output_handle_sz + \
> +			GSSX_max_oid_sz + \
> +			GSSX_max_princ_sz + \
> +			sizeof(struct svc_cred))
> +
> +int gssp_accept_sec_context_upcall(struct gssp_upcall_data *data)
> +{
> +	struct gssx_arg_accept_sec_context arg;
> +	struct gssx_res_accept_sec_context res;
> +	struct gssx_ctx ctxh;
> +	struct gssx_ctx rctxh;
> +	struct gssx_cred delegcred;
> +	struct rpc_message msg = {
> +		.rpc_proc = &gssp_procedures[GSSX_ACCEPT_SEC_CONTEXT],
> +		.rpc_argp = &arg,
> +		.rpc_resp = &res,
> +		.rpc_cred = NULL, /* FIXME ? */
> +	};
> +	int ret;
> +
> +	/* fill in arg */
> +	memset(&arg, 0, sizeof(arg));
> +	if (data->in_handle.len != 0) {
> +		memset(&ctxh, 0, sizeof(ctxh));
> +		arg.context_handle = &ctxh;
> +		ctxh.state = data->in_handle;
> +	}
> +	arg.input_token = data->in_token;
> +
> +	/* use nfs/ for targ_name ? */
> +
> +	/* prepare res */
> +	data->kmembuf = kmalloc(GSSX_KMEMBUF, GFP_KERNEL);
> +	if (!data->kmembuf) {
> +		return -ENOMEM;
> +	}
> +
> +	memset(&res, 0, sizeof(res));
> +	memset(&rctxh, 0, sizeof(rctxh));
> +	rctxh.exported_context_token.len = GSSX_max_output_handle_sz;
> +	rctxh.exported_context_token.data = data->kmembuf;
> +	rctxh.mech.len = GSSX_max_oid_sz;
> +	rctxh.mech.data = data->kmembuf + GSSX_max_output_handle_sz;
> +	rctxh.src_name.display_name.len = GSSX_max_princ_sz;
> +	rctxh.src_name.display_name.data = data->kmembuf +
> +						GSSX_max_output_handle_sz +
> +						GSSX_max_oid_sz;
> +	res.context_handle = &rctxh;
> +
> +	data->creds = data->kmembuf +
> +				GSSX_max_output_handle_sz +
> +				GSSX_max_oid_sz +
> +				GSSX_max_princ_sz;
> +	memset(data->creds, 0, sizeof(struct svc_cred));
> +
> +	res.output_token = &data->out_token;
> +	/* tell decoder to allocate the out_token if necessary */
> +	res.output_token->len = GSSX_max_output_token_sz;
> +
> +	/* we are never interested in delegate credentials */
> +	memset(&delegcred, 0, sizeof(delegcred));
> +	res.delegated_cred_handle = &delegcred;
> +
> +	/* make upcall */
> +	ret = gssp_call(&msg);
> +
> +	/* we need to fetch all data even in case of error so
> +	 * that we can free special strctures is they have been allocated */
> +	data->major_status = res.status.major_status;
> +	data->minor_status = res.status.minor_status;
> +	if (res.context_handle) {
> +		data->out_handle = rctxh.exported_context_token;
> +		data->mech_oid = rctxh.mech;
> +		data->client_name = rctxh.src_name.display_name;
> +	}
> +
> +	if (res.options.count == 1) {
> +		gssx_buffer *value = &res.options.data[0].value;
> +		/* Currently we only decode CREDS_VALUE, if we add
> +		 * anything else we'll have to loop and match on the
> +		 * option name */
> +		if (value->len)
> +			/* copy struct svc_cred and steal groups */
> +			*data->creds = *(struct svc_cred *)value->data;
> +		else
> +			/* not even nobody apparently */
> +			data->creds = NULL;
> +	} else
> +		data->creds = NULL;
> +
> +	if (res.options.count != 0) {
> +		kfree(res.options.data);
> +	}
> +
> +	return ret;
> +}
> +
> +void gssp_free_upcall_data(struct gssp_upcall_data *data)
> +{
> +	kfree(data->in_handle.data);
> +	kfree(data->out_token.data);
> +	if (data->creds && data->creds->cr_group_info != NULL)
> +		groups_free(data->creds->cr_group_info);
> +	kfree(data->kmembuf);
> +}
> +
> +
> +/*
> + * Initialization stuff
> + */
> +
> +static const struct rpc_version gssp_version1 = {
> +	.number		= GSSPROXY_VERS_1,
> +	.nrprocs	= ARRAY_SIZE(gssp_procedures),
> +	.procs		= gssp_procedures,
> +};
> +
> +static const struct rpc_version *gssp_version[] = {
> +	NULL,
> +	&gssp_version1,
> +};
> +
> +static struct rpc_stat gssp_stats;
> +
> +static const struct rpc_program gssp_program = {
> +	.name		= "gssproxy",
> +	.number		= GSSPROXY_PROGRAM,
> +	.nrvers		= ARRAY_SIZE(gssp_version),
> +	.version	= gssp_version,
> +	.stats		= &gssp_stats,
> +};
> diff --git a/net/sunrpc/auth_gss/gss_rpc_upcall.h b/net/sunrpc/auth_gss/gss_rpc_upcall.h
> new file mode 100644
> index 0000000000000000000000000000000000000000..b09217740493e83979f8dc690b812d396db6e54c
> --- /dev/null
> +++ b/net/sunrpc/auth_gss/gss_rpc_upcall.h
> @@ -0,0 +1,43 @@
> +/*
> + *  linux/net/sunrpc/gss_rpc_upcall.h
> + *
> + *  Copyright (C) 2012 Simo Sorce <simo@redhat.com>
> + *
> + * This program is free software; you can redistribute it and/or modify
> + * it under the terms of the GNU General Public License as published by
> + * the Free Software Foundation; either version 2 of the License, or
> + * (at your option) any later version.
> + *
> + * This program is distributed in the hope that it will be useful,
> + * but WITHOUT ANY WARRANTY; without even the implied warranty of
> + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
> + * GNU General Public License for more details.
> + *
> + * You should have received a copy of the GNU General Public License
> + * along with this program; if not, write to the Free Software
> + * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
> + */
> +
> +#ifndef _GSS_RPC_UPCALL_H
> +#define _GSS_RPC_UPCALL_H
> +
> +#include <linux/sunrpc/auth_gss.h>
> +#include "gss_rpc_xdr.h"
> +
> +struct gssp_upcall_data {
> +	void *kmembuf;
> +	struct xdr_netobj in_handle;
> +	struct gssp_in_token in_token;
> +	struct xdr_netobj out_handle;
> +	struct xdr_netobj out_token;
> +	struct xdr_netobj mech_oid;
> +	struct xdr_netobj client_name;
> +	struct svc_cred *creds;
> +	int major_status;
> +	int minor_status;
> +};
> +
> +int gssp_accept_sec_context_upcall(struct gssp_upcall_data *data);
> +void gssp_free_upcall_data(struct gssp_upcall_data *data);
> +
> +#endif /* _GSS_RPC_UPCALL_H */
> diff --git a/net/sunrpc/auth_gss/gss_rpc_xdr.c b/net/sunrpc/auth_gss/gss_rpc_xdr.c
> new file mode 100644
> index 0000000000000000000000000000000000000000..25600d5a2113cfb0dce64ab89a1b166ee1a089ef
> --- /dev/null
> +++ b/net/sunrpc/auth_gss/gss_rpc_xdr.c
> @@ -0,0 +1,904 @@
> +/*
> + * GSS Proxy upcall module
> + *
> + *  Copyright (C) 2012 Simo Sorce <simo@redhat.com>
> + *
> + * This program is free software; you can redistribute it and/or modify
> + * it under the terms of the GNU General Public License as published by
> + * the Free Software Foundation; either version 2 of the License, or
> + * (at your option) any later version.
> + *
> + * This program is distributed in the hope that it will be useful,
> + * but WITHOUT ANY WARRANTY; without even the implied warranty of
> + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
> + * GNU General Public License for more details.
> + *
> + * You should have received a copy of the GNU General Public License
> + * along with this program; if not, write to the Free Software
> + * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
> + */
> +
> +#include <linux/sunrpc/svcauth.h>
> +#include "gss_rpc_xdr.h"
> +
> +static bool gssx_check_pointer(struct xdr_stream *xdr)
> +{
> +	__be32 *p;
> +
> +	p = xdr_reserve_space(xdr, 4);
> +	if (unlikely(p == NULL))
> +		return -ENOSPC;
> +	return *p?true:false;
> +}
> +
> +static int gssx_enc_bool(struct xdr_stream *xdr, int v)
> +{
> +	__be32 *p;
> +
> +	p = xdr_reserve_space(xdr, 4);
> +	if (unlikely(p == NULL))
> +		return -ENOSPC;
> +	*p = v ? xdr_one : xdr_zero;
> +	return 0;
> +}
> +
> +static int gssx_dec_bool(struct xdr_stream *xdr, u32 *v)
> +{
> +	__be32 *p;
> +
> +	p = xdr_inline_decode(xdr, 4);
> +	if (unlikely(p == NULL))
> +		return -ENOSPC;
> +	*v = be32_to_cpu(*p);
> +	return 0;
> +}
> +
> +static int gssx_enc_buffer(struct xdr_stream *xdr,
> +			   gssx_buffer *buf)
> +{
> +	__be32 *p;
> +
> +	p = xdr_reserve_space(xdr, sizeof(u32) + buf->len);
> +	if (!p)
> +		return -ENOSPC;
> +	xdr_encode_opaque(p, buf->data, buf->len);
> +	return 0;
> +}
> +
> +static int gssx_enc_in_token(struct xdr_stream *xdr,
> +			     struct gssp_in_token *in)
> +{
> +	__be32 *p;
> +
> +	p = xdr_reserve_space(xdr, 4);
> +	if (!p)
> +		return -ENOSPC;
> +	*p = cpu_to_be32(in->page_len);
> +
> +	/* all we need to do is to write pages */
> +	xdr_write_pages(xdr, in->pages, in->page_base, in->page_len);
> +
> +	return 0;
> +}
> +
> +
> +static int gssx_dec_buffer(struct xdr_stream *xdr,
> +			   gssx_buffer *buf)
> +{
> +	u32 length;
> +	__be32 *p;
> +
> +	p = xdr_inline_decode(xdr, 4);
> +	if (unlikely(p == NULL))
> +		return -ENOSPC;
> +
> +	length = be32_to_cpup(p);
> +	p = xdr_inline_decode(xdr, length);
> +	if (unlikely(p == NULL))
> +		return -ENOSPC;
> +
> +	if (buf->len == 0) {
> +		/* we intentionally are not interested in this buffer */
> +		return 0;
> +	}
> +	if (length > buf->len)
> +		return -ENOSPC;
> +
> +	if (!buf->data) {
> +		buf->data = kmemdup(p, length, GFP_KERNEL);
> +		if (!buf->data)
> +			return -ENOMEM;
> +	} else {
> +		memcpy(buf->data, p, length);
> +	}
> +	buf->len = length;
> +	return 0;
> +}
> +
> +static int gssx_enc_option(struct xdr_stream *xdr,
> +			   struct gssx_option *opt)
> +{
> +	int err;
> +
> +	err = gssx_enc_buffer(xdr, &opt->option);
> +	if (err)
> +		return err;
> +	err = gssx_enc_buffer(xdr, &opt->value);
> +	return err;
> +}
> +
> +static int gssx_dec_option(struct xdr_stream *xdr,
> +			   struct gssx_option *opt)
> +{
> +	int err;
> +
> +	err = gssx_dec_buffer(xdr, &opt->option);
> +	if (err)
> +		return err;
> +	err = gssx_dec_buffer(xdr, &opt->value);
> +	return err;
> +}
> +
> +static int dummy_enc_opt_array(struct xdr_stream *xdr,
> +				struct gssx_option_array *oa)
> +{
> +	__be32 *p;
> +
> +	if (oa->count != 0)
> +		return -EINVAL;
> +
> +	p = xdr_reserve_space(xdr, 4);
> +	if (!p)
> +		return -ENOSPC;
> +	*p = 0;
> +
> +	return 0;
> +}
> +
> +static int dummy_dec_opt_array(struct xdr_stream *xdr,
> +				struct gssx_option_array *oa)
> +{
> +	struct gssx_option dummy;
> +	u32 count, i;
> +	__be32 *p;
> +
> +	p = xdr_inline_decode(xdr, 4);
> +	if (unlikely(p == NULL))
> +		return -ENOSPC;
> +	count = be32_to_cpup(p++);
> +	memset(&dummy, 0, sizeof(dummy));
> +	for (i = 0; i < count; i++) {
> +		gssx_dec_option(xdr, &dummy);
> +	}
> +
> +	oa->count = 0;
> +	oa->data = NULL;
> +	return 0;
> +}
> +
> +static int get_s32(void **p, void *max, s32 *res)
> +{
> +	void *base = *p;
> +	void *next = (void *)((char *)base + sizeof(s32));
> +	if (unlikely(next > max || next < base))
> +		return -EINVAL;
> +	memcpy(res, base, sizeof(s32));
> +	*p = next;
> +	return 0;
> +}
> +
> +static int gssx_dec_linux_creds(struct xdr_stream *xdr,
> +				struct svc_cred *creds)
> +{
> +	u32 length;
> +	__be32 *p;
> +	void *q, *end;
> +	s32 tmp;
> +	int N, i, err;
> +
> +	p = xdr_inline_decode(xdr, 4);
> +	if (unlikely(p == NULL))
> +		return -ENOSPC;
> +
> +	length = be32_to_cpup(p);
> +
> +	/* FIXME: we do not want to use the scratch buffer for this one
> +	 * may need to use functions that allows us to access an io vector
> +	 * directly */
> +	p = xdr_inline_decode(xdr, length);
> +	if (unlikely(p == NULL))
> +		return -ENOSPC;
> +
> +	q = p;
> +	end = q + length;
> +
> +	/* uid */
> +	err = get_s32(&q, end, &tmp);
> +	if (err)
> +		return err;
> +	creds->cr_uid = tmp;
> +
> +	/* gid */
> +	err = get_s32(&q, end, &tmp);
> +	if (err)
> +		return err;
> +	creds->cr_gid = tmp;
> +
> +	/* number of additional gid's */
> +	err = get_s32(&q, end, &tmp);
> +	if (err)
> +		return err;
> +	N = tmp;
> +	creds->cr_group_info = groups_alloc(N);
> +	if (creds->cr_group_info == NULL)
> +		return -ENOMEM;
> +
> +	/* gid's */
> +	for (i = 0; i < N; i++) {
> +		err = get_s32(&q, end, &tmp);
> +		if (err) {
> +			groups_free(creds->cr_group_info);
> +			return err;
> +		}
> +		GROUP_AT(creds->cr_group_info, i) = tmp;
> +	}
> +
> +	return 0;
> +}
> +
> +static int gssx_dec_option_array(struct xdr_stream *xdr,
> +				 struct gssx_option_array *oa)
> +{
> +	struct svc_cred *creds;
> +	u32 count, i;
> +	__be32 *p;
> +	int err;
> +
> +	p = xdr_inline_decode(xdr, 4);
> +	if (unlikely(p == NULL))
> +		return -ENOSPC;
> +	count = be32_to_cpup(p++);
> +	if (count != 0) {
> +		/* we recognize only 1 currently: CREDS_VALUE */
> +		oa->count = 1;
> +
> +		oa->data = kmalloc(sizeof(struct gssx_option) +
> +					sizeof(struct svc_cred), GFP_KERNEL);
> +		if (!oa->data)
> +			return -ENOMEM;
> +
> +		creds = (void *)oa->data + sizeof(struct gssx_option);
> +
> +		oa->data[0].option.data = CREDS_VALUE;
> +		oa->data[0].option.len = sizeof(CREDS_VALUE);
> +		oa->data[0].value.data = (void *)creds;
> +		oa->data[0].value.len = 0;
> +	}
> +	for (i = 0; i < count; i++) {
> +		gssx_buffer dummy = { 0, NULL };
> +		u32 length;
> +
> +		/* option buffer */
> +		p = xdr_inline_decode(xdr, 4);
> +		if (unlikely(p == NULL))
> +			return -ENOSPC;
> +
> +		length = be32_to_cpup(p);
> +		p = xdr_inline_decode(xdr, length);
> +		if (unlikely(p == NULL))
> +			return -ENOSPC;
> +
> +		if (length == sizeof(CREDS_VALUE) &&
> +		    memcmp(p, CREDS_VALUE, sizeof(CREDS_VALUE)) == 0) {
> +			/* We have creds here. parse them */
> +			err = gssx_dec_linux_creds(xdr, creds);
> +			if (err)
> +				return err;
> +			oa->data[0].value.len = 1; /* presence */
> +		} else {
> +			/* consume uninteresting buffer */
> +			err = gssx_dec_buffer(xdr, &dummy);
> +			if (err)
> +				return err;
> +		}
> +	}
> +	return 0;
> +}
> +
> +static int gssx_dec_status(struct xdr_stream *xdr,
> +			   struct gssx_status *status)
> +{
> +	__be32 *p;
> +	int err;
> +
> +	/* status->major_status */
> +	p = xdr_inline_decode(xdr, 8);
> +	if (unlikely(p == NULL))
> +		return -ENOSPC;
> +	p = xdr_decode_hyper(p, &status->major_status);
> +
> +	/* status->mech */
> +	err = gssx_dec_buffer(xdr, &status->mech);
> +	if (err)
> +		return err;
> +
> +	/* status->minor_status */
> +	p = xdr_inline_decode(xdr, 8);
> +	if (unlikely(p == NULL))
> +		return -ENOSPC;
> +	p = xdr_decode_hyper(p, &status->minor_status);
> +
> +	/* status->major_status_string */
> +	err = gssx_dec_buffer(xdr, &status->major_status_string);
> +	if (err)
> +		return err;
> +
> +	/* status->minor_status_string */
> +	err = gssx_dec_buffer(xdr, &status->minor_status_string);
> +	if (err)
> +		return err;
> +
> +	/* status->server_ctx */
> +	err = gssx_dec_buffer(xdr, &status->server_ctx);
> +	if (err)
> +		return err;
> +
> +	/* we assume we have no options for now, so simply consume them */
> +	/* status->options */
> +	err = dummy_dec_opt_array(xdr, &status->options);
> +
> +	return err;
> +}
> +
> +static int gssx_enc_call_ctx(struct xdr_stream *xdr,
> +			     struct gssx_call_ctx *ctx)
> +{
> +	struct gssx_option opt;
> +	__be32 *p;
> +	int err;
> +
> +	/* ctx->locale */
> +	err = gssx_enc_buffer(xdr, &ctx->locale);
> +	if (err)
> +		return err;
> +
> +	/* ctx->server_ctx */
> +	err = gssx_enc_buffer(xdr, &ctx->server_ctx);
> +	if (err)
> +		return err;
> +
> +	/* we always want to ask for lucid contexts */
> +	/* ctx->options */
> +	p = xdr_reserve_space(xdr, 4);
> +	*p = cpu_to_be32(2);
> +
> +	/* we want a lucid_v1 context */
> +	opt.option.data = LUCID_OPTION;
> +	opt.option.len = sizeof(LUCID_OPTION);
> +	opt.value.data = LUCID_VALUE;
> +	opt.value.len = sizeof(LUCID_VALUE);
> +	err = gssx_enc_option(xdr, &opt);
> +
> +	/* ..and user creds */
> +	opt.option.data = CREDS_OPTION;
> +	opt.option.len = sizeof(CREDS_OPTION);
> +	opt.value.data = CREDS_VALUE;
> +	opt.value.len = sizeof(CREDS_VALUE);
> +	err = gssx_enc_option(xdr, &opt);
> +
> +	return err;
> +}
> +
> +static int gssx_dec_name_attr(struct xdr_stream *xdr,
> +			     struct gssx_name_attr *attr)
> +{
> +	int err;
> +
> +	/* attr->attr */
> +	err = gssx_dec_buffer(xdr, &attr->attr);
> +	if (err)
> +		return err;
> +
> +	/* attr->value */
> +	err = gssx_dec_buffer(xdr, &attr->value);
> +	if (err)
> +		return err;
> +
> +	/* attr->extensions */
> +	err = dummy_dec_opt_array(xdr, &attr->extensions);
> +
> +	return err;
> +}
> +
> +static int dummy_enc_nameattr_array(struct xdr_stream *xdr,
> +				    struct gssx_name_attr_array *naa)
> +{
> +	__be32 *p;
> +
> +	if (naa->count != 0)
> +		return -EINVAL;
> +
> +	p = xdr_reserve_space(xdr, 4);
> +	if (!p)
> +		return -ENOSPC;
> +	*p = 0;
> +
> +	return 0;
> +}
> +
> +static int dummy_dec_nameattr_array(struct xdr_stream *xdr,
> +				    struct gssx_name_attr_array *naa)
> +{
> +	struct gssx_name_attr dummy;
> +	u32 count, i;
> +	__be32 *p;
> +
> +	p = xdr_inline_decode(xdr, 4);
> +	if (unlikely(p == NULL))
> +		return -ENOSPC;
> +	count = be32_to_cpup(p++);
> +	for (i = 0; i < count; i++) {
> +		gssx_dec_name_attr(xdr, &dummy);
> +	}
> +
> +	naa->count = 0;
> +	naa->data = NULL;
> +	return 0;
> +}
> +
> +static int gssx_enc_name(struct xdr_stream *xdr,
> +			 struct gssx_name *name)
> +{
> +	int err;
> +
> +	/* name->display_name */
> +	err = gssx_enc_buffer(xdr, &name->display_name);
> +	if (err)
> +		return err;
> +
> +	/* name->name_type */
> +	err = gssx_enc_buffer(xdr, &name->name_type);
> +	if (err)
> +		return err;
> +
> +	/* name->exported_name */
> +	err = gssx_enc_buffer(xdr, &name->exported_name);
> +	if (err)
> +		return err;
> +
> +	/* name->exported_composite_name */
> +	err = gssx_enc_buffer(xdr, &name->exported_composite_name);
> +	if (err)
> +		return err;
> +
> +	/* leave name_attributes empty for now, will add once we have any
> +	 * to pass up at all */
> +	/* name->name_attributes */
> +	err = dummy_enc_nameattr_array(xdr, &name->name_attributes);
> +	if (err)
> +		return err;
> +
> +	/* leave options empty for now, will add once we have any options
> +	 * to pass up at all */
> +	/* name->extensions */
> +	err = dummy_enc_opt_array(xdr, &name->extensions);
> +
> +	return err;
> +}
> +
> +static int gssx_dec_name(struct xdr_stream *xdr,
> +			 struct gssx_name *name)
> +{
> +	int err;
> +
> +	/* name->display_name */
> +	err = gssx_dec_buffer(xdr, &name->display_name);
> +	if (err)
> +		return err;
> +
> +	/* name->name_type */
> +	err = gssx_dec_buffer(xdr, &name->name_type);
> +	if (err)
> +		return err;
> +
> +	/* name->exported_name */
> +	err = gssx_dec_buffer(xdr, &name->exported_name);
> +	if (err)
> +		return err;
> +
> +	/* name->exported_composite_name */
> +	err = gssx_dec_buffer(xdr, &name->exported_composite_name);
> +	if (err)
> +		return err;
> +
> +	/* we assume we have no attributes for now, so simply consume them */
> +	/* name->name_attributes */
> +	err = dummy_dec_nameattr_array(xdr, &name->name_attributes);
> +	if (err)
> +		return err;
> +
> +	/* we assume we have no options for now, so simply consume them */
> +	/* name->extensions */
> +	err = dummy_dec_opt_array(xdr, &name->extensions);
> +
> +	return err;
> +}
> +
> +static int gssx_dec_cred_element(struct xdr_stream *xdr,
> +				 struct gssx_cred_element *el)
> +{
> +	__be32 *p;
> +	int err;
> +
> +	/* el->MN */
> +	err = gssx_dec_name(xdr, &el->MN);
> +	if (err)
> +		return err;
> +
> +	/* el->mech */
> +	err = gssx_dec_buffer(xdr, &el->mech);
> +	if (err)
> +		return err;
> +
> +	/* el->cred_usage */
> +	p = xdr_inline_decode(xdr, 4+8+8);
> +	if (!p)
> +		return -ENOSPC;
> +	el->cred_usage = be32_to_cpup(p++);
> +
> +	/* el->initiator_time_rec */
> +	p = xdr_decode_hyper(p, &el->initiator_time_rec);
> +
> +	/* el->acceptor_time_rec */
> +	p = xdr_decode_hyper(p, &el->initiator_time_rec);
> +
> +	/* we assume we have no options for now, so simply consume them */
> +	/* el->options */
> +	err = dummy_dec_opt_array(xdr, &el->options);
> +
> +	return err;
> +}
> +
> +static int dummy_enc_credel_array(struct xdr_stream *xdr,
> +				  struct gssx_cred_element_array *cea)
> +{
> +	__be32 *p;
> +
> +	if (cea->count != 0)
> +		return -EINVAL;
> +
> +	p = xdr_reserve_space(xdr, 4);
> +	if (!p)
> +		return -ENOSPC;
> +	*p = 0;
> +
> +	return 0;
> +}
> +
> +static int dummy_dec_credel_array(struct xdr_stream *xdr,
> +				  struct gssx_cred_element_array *cea)
> +{
> +	struct gssx_cred_element dummy;
> +	u32 count, i;
> +	__be32 *p;
> +
> +	p = xdr_inline_decode(xdr, 4);
> +	if (unlikely(p == NULL))
> +		return -ENOSPC;
> +	count = be32_to_cpup(p++);
> +	for (i = 0; i < count; i++) {
> +		gssx_dec_cred_element(xdr, &dummy);
> +	}
> +
> +	cea->count = 0;
> +	cea->data = NULL;
> +	return 0;
> +}
> +
> +static int gssx_enc_cred(struct xdr_stream *xdr,
> +			 struct gssx_cred *cred)
> +{
> +	int err;
> +
> +	/* cred->desired_name */
> +	err = gssx_enc_name(xdr, &cred->desired_name);
> +	if (err)
> +		return err;
> +
> +	/* cred->elements */
> +	err = dummy_enc_credel_array(xdr, &cred->elements);
> +
> +	/* cred->cred_handle_reference */
> +	err = gssx_enc_buffer(xdr, &cred->cred_handle_reference);
> +	if (err)
> +		return err;
> +
> +	/* cred->needs_release */
> +	err = gssx_enc_bool(xdr, cred->needs_release);
> +
> +	return err;
> +}
> +
> +static int gssx_dec_cred(struct xdr_stream *xdr,
> +			 struct gssx_cred *cred)
> +{
> +	int err;
> +
> +	/* cred->desired_name */
> +	err = gssx_dec_name(xdr, &cred->desired_name);
> +	if (err)
> +		return err;
> +
> +	/* cred->elements */
> +	err = dummy_dec_credel_array(xdr, &cred->elements);
> +
> +	/* cred->cred_handle_reference */
> +	err = gssx_dec_buffer(xdr, &cred->cred_handle_reference);
> +	if (err)
> +		return err;
> +
> +	/* cred->needs_release */
> +	err = gssx_dec_bool(xdr, &cred->needs_release);
> +
> +	return err;
> +}
> +
> +static int gssx_enc_ctx(struct xdr_stream *xdr,
> +			struct gssx_ctx *ctx)
> +{
> +	__be32 *p;
> +	int err;
> +
> +	/* ctx->exported_context_token */
> +	err = gssx_enc_buffer(xdr, &ctx->exported_context_token);
> +	if (err)
> +		return err;
> +
> +	/* ctx->state */
> +	err = gssx_enc_buffer(xdr, &ctx->state);
> +	if (err)
> +		return err;
> +
> +	/* ctx->need_release */
> +	err = gssx_enc_bool(xdr, ctx->need_release);
> +	if (err)
> +		return err;
> +
> +	/* ctx->mech */
> +	err = gssx_enc_buffer(xdr, &ctx->mech);
> +	if (err)
> +		return err;
> +
> +	/* ctx->src_name */
> +	err = gssx_enc_name(xdr, &ctx->src_name);
> +	if (err)
> +		return err;
> +
> +	/* ctx->targ_name */
> +	err = gssx_enc_name(xdr, &ctx->targ_name);
> +	if (err)
> +		return err;
> +
> +	/* ctx->lifetime */
> +	p = xdr_reserve_space(xdr, 8+8);
> +	if (!p)
> +		return -ENOSPC;
> +	p = xdr_encode_hyper(p, ctx->lifetime);
> +
> +	/* ctx->ctx_flags */
> +	p = xdr_encode_hyper(p, ctx->ctx_flags);
> +
> +	/* ctx->locally_initiated */
> +	err = gssx_enc_bool(xdr, ctx->locally_initiated);
> +	if (err)
> +		return err;
> +
> +	/* ctx->open */
> +	err = gssx_enc_bool(xdr, ctx->open);
> +	if (err)
> +		return err;
> +
> +	/* leave options empty for now, will add once we have any options
> +	 * to pass up at all */
> +	/* ctx->options */
> +	err = dummy_enc_opt_array(xdr, &ctx->options);
> +
> +	return err;
> +}
> +
> +static int gssx_dec_ctx(struct xdr_stream *xdr,
> +			struct gssx_ctx *ctx)
> +{
> +	__be32 *p;
> +	int err;
> +
> +	/* ctx->exported_context_token */
> +	err = gssx_dec_buffer(xdr, &ctx->exported_context_token);
> +	if (err)
> +		return err;
> +
> +	/* ctx->state */
> +	err = gssx_dec_buffer(xdr, &ctx->state);
> +	if (err)
> +		return err;
> +
> +	/* ctx->need_release */
> +	err = gssx_dec_bool(xdr, &ctx->need_release);
> +	if (err)
> +		return err;
> +
> +	/* ctx->mech */
> +	err = gssx_dec_buffer(xdr, &ctx->mech);
> +	if (err)
> +		return err;
> +
> +	/* ctx->src_name */
> +	err = gssx_dec_name(xdr, &ctx->src_name);
> +	if (err)
> +		return err;
> +
> +	/* ctx->targ_name */
> +	err = gssx_dec_name(xdr, &ctx->targ_name);
> +	if (err)
> +		return err;
> +
> +	/* ctx->lifetime */
> +	p = xdr_inline_decode(xdr, 8+8);
> +	if (unlikely(p == NULL))
> +		return -ENOSPC;
> +	p = xdr_decode_hyper(p, &ctx->lifetime);
> +
> +	/* ctx->ctx_flags */
> +	p = xdr_decode_hyper(p, &ctx->ctx_flags);
> +
> +	/* ctx->locally_initiated */
> +	err = gssx_dec_bool(xdr, &ctx->locally_initiated);
> +	if (err)
> +		return err;
> +
> +	/* ctx->open */
> +	err = gssx_dec_bool(xdr, &ctx->open);
> +	if (err)
> +		return err;
> +
> +	/* we assume we have no options for now, so simply consume them */
> +	/* ctx->options */
> +	err = dummy_dec_opt_array(xdr, &ctx->options);
> +
> +	return err;
> +}
> +
> +static int gssx_enc_cb(struct xdr_stream *xdr, struct gssx_cb *cb)
> +{
> +	__be32 *p;
> +	int err;
> +
> +	/* cb->initiator_addrtype */
> +	p = xdr_reserve_space(xdr, 8);
> +	if (!p)
> +		return -ENOSPC;
> +	p = xdr_encode_hyper(p, cb->initiator_addrtype);
> +
> +	/* cb->initiator_address */
> +	err = gssx_enc_buffer(xdr, &cb->initiator_address);
> +	if (err)
> +		return err;
> +
> +	/* cb->acceptor_addrtype */
> +	p = xdr_reserve_space(xdr, 8);
> +	if (!p)
> +		return -ENOSPC;
> +	p = xdr_encode_hyper(p, cb->acceptor_addrtype);
> +
> +	/* cb->acceptor_address */
> +	err = gssx_enc_buffer(xdr, &cb->acceptor_address);
> +	if (err)
> +		return err;
> +
> +	/* cb->application_data */
> +	err = gssx_enc_buffer(xdr, &cb->application_data);
> +
> +	return err;
> +}
> +
> +void gssx_enc_accept_sec_context(struct rpc_rqst *req,
> +				 struct xdr_stream *xdr,
> +				 struct gssx_arg_accept_sec_context *arg)
> +{
> +	int err;
> +
> +	err = gssx_enc_call_ctx(xdr, &arg->call_ctx);
> +	if (err)
> +		goto done;
> +
> +	/* arg->context_handle */
> +	if (arg->context_handle) {
> +		err = gssx_enc_ctx(xdr, arg->context_handle);
> +		if (err)
> +			goto done;
> +	} else {
> +		err = gssx_enc_bool(xdr, 0);
> +	}
> +
> +	/* arg->cred_handle */
> +	if (arg->cred_handle) {
> +		err = gssx_enc_cred(xdr, arg->cred_handle);
> +		if (err)
> +			goto done;
> +	} else {
> +		err = gssx_enc_bool(xdr, 0);
> +	}
> +
> +	/* arg->input_token */
> +	err = gssx_enc_in_token(xdr, &arg->input_token);
> +	if (err)
> +		goto done;
> +
> +	/* arg->input_cb */
> +	if (arg->input_cb) {
> +		err = gssx_enc_cb(xdr, arg->input_cb);
> +		if (err)
> +			goto done;
> +	} else {
> +		err = gssx_enc_bool(xdr, 0);
> +	}
> +
> +	err = gssx_enc_bool(xdr, arg->ret_deleg_cred);
> +	if (err)
> +		goto done;
> +
> +	/* leave options empty for now, will add once we have any options
> +	 * to pass up at all */
> +	/* arg->options */
> +	err = dummy_enc_opt_array(xdr, &arg->options);
> +
> +done:
> +	if (err)
> +		dprintk("RPC:       gssx_enc_accept_sec_context: %d\n", err);
> +}
> +
> +int gssx_dec_accept_sec_context(struct rpc_rqst *rqstp,
> +				struct xdr_stream *xdr,
> +				struct gssx_res_accept_sec_context *res)
> +{
> +	int err;
> +
> +	/* res->status */
> +	err = gssx_dec_status(xdr, &res->status);
> +	if (err)
> +		return err;
> +
> +	/* res->context_handle */
> +	if (gssx_check_pointer(xdr)) {
> +		err = gssx_dec_ctx(xdr, res->context_handle);
> +		if (err)
> +			return err;
> +	} else {
> +		res->context_handle = NULL;
> +	}
> +
> +	/* res->output_token */
> +	if (gssx_check_pointer(xdr)) {
> +		err = gssx_dec_buffer(xdr, res->output_token);
> +		if (err)
> +			return err;
> +	} else {
> +		res->output_token = NULL;
> +	}
> +
> +	/* res->delegated_cred_handle */
> +	if (gssx_check_pointer(xdr)) {
> +		err = gssx_dec_cred(xdr, res->delegated_cred_handle);
> +		if (err)
> +			return err;
> +	} else {
> +		res->delegated_cred_handle = NULL;
> +	}
> +
> +	/* we assume we have no options for now, so simply consume them */
> +	/* res->options */
> +	err = gssx_dec_option_array(xdr, &res->options);
> +
> +	return err;
> +}
> +
> diff --git a/net/sunrpc/auth_gss/gss_rpc_xdr.h b/net/sunrpc/auth_gss/gss_rpc_xdr.h
> new file mode 100644
> index 0000000000000000000000000000000000000000..9256a5836474fef952ab12d3b27e03bb4d0f20ea
> --- /dev/null
> +++ b/net/sunrpc/auth_gss/gss_rpc_xdr.h
> @@ -0,0 +1,269 @@
> +/*
> + * GSS Proxy upcall module
> + *
> + *  Copyright (C) 2012 Simo Sorce <simo@redhat.com>
> + *
> + * This program is free software; you can redistribute it and/or modify
> + * it under the terms of the GNU General Public License as published by
> + * the Free Software Foundation; either version 2 of the License, or
> + * (at your option) any later version.
> + *
> + * This program is distributed in the hope that it will be useful,
> + * but WITHOUT ANY WARRANTY; without even the implied warranty of
> + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
> + * GNU General Public License for more details.
> + *
> + * You should have received a copy of the GNU General Public License
> + * along with this program; if not, write to the Free Software
> + * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
> + */
> +
> +#ifndef _LINUX_GSS_RPC_XDR_H
> +#define _LINUX_GSS_RPC_XDR_H
> +
> +#include <linux/sunrpc/xdr.h>
> +#include <linux/sunrpc/clnt.h>
> +#include <linux/sunrpc/xprtsock.h>
> +
> +#ifdef RPC_DEBUG
> +# define RPCDBG_FACILITY	RPCDBG_AUTH
> +#endif
> +
> +#define LUCID_OPTION "exported_context_type"
> +#define LUCID_VALUE  "linux_lucid_v1"
> +#define CREDS_OPTION "exported_creds_type"
> +#define CREDS_VALUE  "linux_creds_v1"
> +
> +typedef struct xdr_netobj gssx_buffer;
> +typedef struct xdr_netobj utf8string;
> +typedef struct xdr_netobj gssx_OID;
> +
> +enum gssx_cred_usage {
> +	GSSX_C_INITIATE = 1,
> +	GSSX_C_ACCEPT = 2,
> +	GSSX_C_BOTH = 3,
> +};
> +
> +struct gssx_option {
> +	gssx_buffer option;
> +	gssx_buffer value;
> +};
> +
> +struct gssx_option_array {
> +	u32 count;
> +	struct gssx_option *data;
> +};
> +
> +struct gssx_status {
> +	u64 major_status;
> +	gssx_OID mech;
> +	u64 minor_status;
> +	utf8string major_status_string;
> +	utf8string minor_status_string;
> +	gssx_buffer server_ctx;
> +	struct gssx_option_array options;
> +};
> +
> +struct gssx_call_ctx {
> +	utf8string locale;
> +	gssx_buffer server_ctx;
> +	struct gssx_option_array options;
> +};
> +
> +struct gssx_name_attr {
> +	gssx_buffer attr;
> +	gssx_buffer value;
> +	struct gssx_option_array extensions;
> +};
> +
> +struct gssx_name_attr_array {
> +	u32 count;
> +	struct gssx_name_attr *data;
> +};
> +
> +struct gssx_name {
> +	gssx_buffer display_name;
> +	gssx_OID name_type;
> +	gssx_buffer exported_name;
> +	gssx_buffer exported_composite_name;
> +	struct gssx_name_attr_array name_attributes;
> +	struct gssx_option_array extensions;
> +};
> +typedef struct gssx_name gssx_name;
> +
> +struct gssx_cred_element {
> +	gssx_name MN;
> +	gssx_OID mech;
> +	u32 cred_usage;
> +	u64 initiator_time_rec;
> +	u64 acceptor_time_rec;
> +	struct gssx_option_array options;
> +};
> +
> +struct gssx_cred_element_array {
> +	u32 count;
> +	struct gssx_cred_element *data;
> +};
> +
> +struct gssx_cred {
> +	gssx_name desired_name;
> +	struct gssx_cred_element_array elements;
> +	gssx_buffer cred_handle_reference;
> +	u32 needs_release;
> +};
> +
> +struct gssx_ctx {
> +	gssx_buffer exported_context_token;
> +	gssx_buffer state;
> +	u32 need_release;
> +	gssx_OID mech;
> +	gssx_name src_name;
> +	gssx_name targ_name;
> +	u64 lifetime;
> +	u64 ctx_flags;
> +	u32 locally_initiated;
> +	u32 open;
> +	struct gssx_option_array options;
> +};
> +
> +struct gssx_cb {
> +	u64 initiator_addrtype;
> +	gssx_buffer initiator_address;
> +	u64 acceptor_addrtype;
> +	gssx_buffer acceptor_address;
> +	gssx_buffer application_data;
> +};
> +
> +
> +/* This structure is not defined in the protocol.
> + * It is used in the kernel to carry around a big buffer
> + * as a set of pages */
> +struct gssp_in_token {
> +	struct page **pages;	/* Array of contiguous pages */
> +	unsigned int page_base;	/* Start of page data */
> +	unsigned int page_len;	/* Length of page data */
> +};
> +
> +struct gssx_arg_accept_sec_context {
> +	struct gssx_call_ctx call_ctx;
> +	struct gssx_ctx *context_handle;
> +	struct gssx_cred *cred_handle;
> +	struct gssp_in_token input_token;
> +	struct gssx_cb *input_cb;
> +	u32 ret_deleg_cred;
> +	struct gssx_option_array options;
> +};
> +
> +struct gssx_res_accept_sec_context {
> +	struct gssx_status status;
> +	struct gssx_ctx *context_handle;
> +	gssx_buffer *output_token;
> +	struct gssx_cred *delegated_cred_handle;
> +	struct gssx_option_array options;
> +};
> +
> +
> +
> +#define gssx_enc_indicate_mechs NULL
> +#define gssx_dec_indicate_mechs NULL
> +#define gssx_enc_get_call_context NULL
> +#define gssx_dec_get_call_context NULL
> +#define gssx_enc_import_and_canon_name NULL
> +#define gssx_dec_import_and_canon_name NULL
> +#define gssx_enc_export_cred NULL
> +#define gssx_dec_export_cred NULL
> +#define gssx_enc_import_cred NULL
> +#define gssx_dec_import_cred NULL
> +#define gssx_enc_acquire_cred NULL
> +#define gssx_dec_acquire_cred NULL
> +#define gssx_enc_store_cred NULL
> +#define gssx_dec_store_cred NULL
> +#define gssx_enc_init_sec_context NULL
> +#define gssx_dec_init_sec_context NULL
> +void gssx_enc_accept_sec_context(struct rpc_rqst *req,
> +				 struct xdr_stream *xdr,
> +				 struct gssx_arg_accept_sec_context *args);
> +int gssx_dec_accept_sec_context(struct rpc_rqst *rqstp,
> +				struct xdr_stream *xdr,
> +				struct gssx_res_accept_sec_context *res);
> +#define gssx_enc_release_handle NULL
> +#define gssx_dec_release_handle NULL
> +#define gssx_enc_get_mic NULL
> +#define gssx_dec_get_mic NULL
> +#define gssx_enc_verify NULL
> +#define gssx_dec_verify NULL
> +#define gssx_enc_wrap NULL
> +#define gssx_dec_wrap NULL
> +#define gssx_enc_unwrap NULL
> +#define gssx_dec_unwrap NULL
> +#define gssx_enc_wrap_size_limit NULL
> +#define gssx_dec_wrap_size_limit NULL
> +
> +/* non implemented calls are set to 0 size */
> +#define GSSX_ARG_indicate_mechs_sz 0
> +#define GSSX_RES_indicate_mechs_sz 0
> +#define GSSX_ARG_get_call_context_sz 0
> +#define GSSX_RES_get_call_context_sz 0
> +#define GSSX_ARG_import_and_canon_name_sz 0
> +#define GSSX_RES_import_and_canon_name_sz 0
> +#define GSSX_ARG_export_cred_sz 0
> +#define GSSX_RES_export_cred_sz 0
> +#define GSSX_ARG_import_cred_sz 0
> +#define GSSX_RES_import_cred_sz 0
> +#define GSSX_ARG_acquire_cred_sz 0
> +#define GSSX_RES_acquire_cred_sz 0
> +#define GSSX_ARG_store_cred_sz 0
> +#define GSSX_RES_store_cred_sz 0
> +#define GSSX_ARG_init_sec_context_sz 0
> +#define GSSX_RES_init_sec_context_sz 0
> +
> +#define GSSX_default_in_call_ctx_sz (4 + 4 + 4 + \
> +			8 + sizeof(LUCID_OPTION) + sizeof(LUCID_VALUE) + \
> +			8 + sizeof(CREDS_OPTION) + sizeof(CREDS_VALUE))
> +#define GSSX_default_in_ctx_hndl_sz (4 + 4+8 + 4 + 4 + 6*4 + 6*4 + 8 + 8 + \
> +					4 + 4 + 4)
> +#define GSSX_default_in_cred_sz 4 /* we send in no cred_handle */
> +#define GSSX_default_in_token_sz 4 /* does *not* include token data */
> +#define GSSX_default_in_cb_sz 4 /* we do not use channel bindings */
> +#define GSSX_ARG_accept_sec_context_sz (GSSX_default_in_call_ctx_sz + \
> +					GSSX_default_in_ctx_hndl_sz + \
> +					GSSX_default_in_cred_sz + \
> +					GSSX_default_in_token_sz + \
> +					GSSX_default_in_cb_sz + \
> +					4 /* no deleg creds boolean */ + \
> +					4) /* empty options */
> +
> +/* somewhat arbitrary numbers but large enough (we ignore some of the data
> + * sent down, but it is part of the protocol so we need enough space to take
> + * it in) */
> +#define GSSX_default_status_sz 8 + 24 + 8 + 256 + 256 + 16 + 4
> +#define GSSX_max_output_handle_sz 128
> +#define GSSX_max_oid_sz 16
> +#define GSSX_max_princ_sz 256
> +#define GSSX_default_ctx_sz (GSSX_max_output_handle_sz + \
> +			     16 + 4 + GSSX_max_oid_sz + \
> +			     2 * GSSX_max_princ_sz + \
> +			     8 + 8 + 4 + 4 + 4)
> +#define GSSX_max_output_token_sz 1024
> +#define GSSX_max_creds_sz (4 + 4 + 4 + NGROUPS_MAX * 4)
> +#define GSSX_RES_accept_sec_context_sz (GSSX_default_status_sz + \
> +					GSSX_default_ctx_sz + \
> +					GSSX_max_output_token_sz + \
> +					4 + GSSX_max_creds_sz)
> +
> +#define GSSX_ARG_release_handle_sz 0
> +#define GSSX_RES_release_handle_sz 0
> +#define GSSX_ARG_get_mic_sz 0
> +#define GSSX_RES_get_mic_sz 0
> +#define GSSX_ARG_verify_sz 0
> +#define GSSX_RES_verify_sz 0
> +#define GSSX_ARG_wrap_sz 0
> +#define GSSX_RES_wrap_sz 0
> +#define GSSX_ARG_unwrap_sz 0
> +#define GSSX_RES_unwrap_sz 0
> +#define GSSX_ARG_wrap_size_limit_sz 0
> +#define GSSX_RES_wrap_size_limit_sz 0
> +
> +
> +
> +#endif /* _LINUX_GSS_RPC_XDR_H */
> -- 
> 1.7.7.6
> 
> --
> To unsubscribe from this list: send the line "unsubscribe linux-nfs" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: [PATCH 3/4] SUNRPC: Add RPC based upcall mechanism for RPCGSS auth

[Simo Sorce]

On Tue, 2012-05-22 at 08:47 -0400, J. Bruce Fields wrote:
> Have you and Stanislav talked about fitting this with the ongoing
> container work?

No, I wanted to make it work for the normal case first, I assume it will
be simple enough to change the code to work with containers later.
Main reason is that I have no way to test containerized stuff.

If I understand it correctly, all is needed is to allow attaching to
different sockets for different containers ?

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

Re: [PATCH 3/4] SUNRPC: Add RPC based upcall mechanism for RPCGSS auth

[Stanislav Kinsbursky]

On 22.05.2012 16:47, J. Bruce Fields wrote:
> Have you and Stanislav talked about fitting this with the ongoing
> container work?
>

Unix socket again...
Nope, we haven't talked yet.
Unix sockets is a pain in neck for sure.
And it looks to me, that this problem with unix sockets have to be solved and 
generic way.
Hoping, I'll have time for this task this summer...

> --b.
>
> On Tue, May 15, 2012 at 09:12:29AM -0400, Simo Sorce wrote:
>> This patch implements a sunrpc client to use the services of the gssproxy
>> userspace daemon.
>>
>> In particular it allows to perform calls in user space using an RPC
>> call instead of custom hand-coded upcall/downcall messages.
>>
>> Currently only accept_sec_context is implemented as that is all is needed for
>> the server case.
>>
>> File server modules like NFS and CIFS can use full gssapi services this way,
>> once init_sec_context is also implemented.
>>
>> For the NFS server case this code allow to lift the limit of max 2k krb5
>> tickets. This limit is prevents legitimate kerberos deployments from using krb5
>> authentication with the Linux NFS server as they have normally ticket that are
>> many kilobytes large.
>>
>> It will also allow to lift the limitation on the size of the credential set
>> (uid,gid,gids) passed down from user space for users that have very many groups
>> associated. Currently the downcall mechanism used by rpc.svcgssd is limited
>> to around 2k secondary groups of the 65k allowed by kernel structures.
>>
>> Signed-off-by: Simo Sorce<simo@redhat.com>
>> ---
>>   net/sunrpc/auth_gss/Makefile         |    4 +-
>>   net/sunrpc/auth_gss/gss_rpc_upcall.c |  341 +++++++++++++
>>   net/sunrpc/auth_gss/gss_rpc_upcall.h |   43 ++
>>   net/sunrpc/auth_gss/gss_rpc_xdr.c    |  904 ++++++++++++++++++++++++++++++++++
>>   net/sunrpc/auth_gss/gss_rpc_xdr.h    |  269 ++++++++++
>>   5 files changed, 1560 insertions(+), 1 deletions(-)
>>   create mode 100644 net/sunrpc/auth_gss/gss_rpc_upcall.c
>>   create mode 100644 net/sunrpc/auth_gss/gss_rpc_upcall.h
>>   create mode 100644 net/sunrpc/auth_gss/gss_rpc_xdr.c
>>   create mode 100644 net/sunrpc/auth_gss/gss_rpc_xdr.h
>>
>> diff --git a/net/sunrpc/auth_gss/Makefile b/net/sunrpc/auth_gss/Makefile
>> index 9e4cb59ef9f0207bc8edc4629dee18c545599de6..bf9f334529416f496ad32a3d0087964df93ff4ac 100644
>> --- a/net/sunrpc/auth_gss/Makefile
>> +++ b/net/sunrpc/auth_gss/Makefile
>> @@ -5,9 +5,11 @@
>>   obj-$(CONFIG_SUNRPC_GSS) += auth_rpcgss.o
>>
>>   auth_rpcgss-y := auth_gss.o gss_generic_token.o \
>> -     gss_mech_switch.o svcauth_gss.o
>> +     gss_mech_switch.o svcauth_gss.o \
>> +     gss_rpc_upcall.o gss_rpc_xdr.o
>>
>>   obj-$(CONFIG_RPCSEC_GSS_KRB5) += rpcsec_gss_krb5.o
>>
>>   rpcsec_gss_krb5-y := gss_krb5_mech.o gss_krb5_seal.o gss_krb5_unseal.o \
>>        gss_krb5_seqnum.o gss_krb5_wrap.o gss_krb5_crypto.o gss_krb5_keys.o
>> +
>> diff --git a/net/sunrpc/auth_gss/gss_rpc_upcall.c b/net/sunrpc/auth_gss/gss_rpc_upcall.c
>> new file mode 100644
>> index 0000000000000000000000000000000000000000..75e88519bd1be87aab4a1b195a7d86aedb7ed03a
>> --- /dev/null
>> +++ b/net/sunrpc/auth_gss/gss_rpc_upcall.c
>> @@ -0,0 +1,341 @@
>> +/*
>> + *  linux/net/sunrpc/gss_rpc_upcall.c
>> + *
>> + *  Copyright (C) 2012 Simo Sorce<simo@redhat.com>
>> + *
>> + * This program is free software; you can redistribute it and/or modify
>> + * it under the terms of the GNU General Public License as published by
>> + * the Free Software Foundation; either version 2 of the License, or
>> + * (at your option) any later version.
>> + *
>> + * This program is distributed in the hope that it will be useful,
>> + * but WITHOUT ANY WARRANTY; without even the implied warranty of
>> + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
>> + * GNU General Public License for more details.
>> + *
>> + * You should have received a copy of the GNU General Public License
>> + * along with this program; if not, write to the Free Software
>> + * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
>> + */
>> +
>> +#include<linux/types.h>
>> +#include<linux/un.h>
>> +
>> +#include<linux/sunrpc/svcauth.h>
>> +#include "gss_rpc_upcall.h"
>> +
>> +#define GSSPROXY_SOCK_PATHNAME       "/var/run/gssproxy.sock"
>> +
>> +#define GSSPROXY_PROGRAM     (400112u)
>> +#define GSSPROXY_VERS_1              (1u)
>> +
>> +DEFINE_MUTEX(gssp_clnt_mutex);
>> +struct rpc_clnt *gssp_clnt;
>> +
>> +/*
>> + * Encoding/Decoding functions
>> + */
>> +
>> +enum {
>> +     GSSX_NULL = 0,  /* Unused */
>> +        GSSX_INDICATE_MECHS = 1,
>> +        GSSX_GET_CALL_CONTEXT = 2,
>> +        GSSX_IMPORT_AND_CANON_NAME = 3,
>> +        GSSX_EXPORT_CRED = 4,
>> +        GSSX_IMPORT_CRED = 5,
>> +        GSSX_ACQUIRE_CRED = 6,
>> +        GSSX_STORE_CRED = 7,
>> +        GSSX_INIT_SEC_CONTEXT = 8,
>> +        GSSX_ACCEPT_SEC_CONTEXT = 9,
>> +        GSSX_RELEASE_HANDLE = 10,
>> +        GSSX_GET_MIC = 11,
>> +        GSSX_VERIFY = 12,
>> +        GSSX_WRAP = 13,
>> +        GSSX_UNWRAP = 14,
>> +        GSSX_WRAP_SIZE_LIMIT = 15,
>> +};
>> +
>> +#define PROC(proc, name)                             \
>> +[GSSX_##proc] = {                                    \
>> +     .p_proc   = GSSX_##proc,                        \
>> +     .p_encode = (kxdreproc_t)gssx_enc_##name,       \
>> +     .p_decode = (kxdrdproc_t)gssx_dec_##name,       \
>> +     .p_arglen = GSSX_ARG_##name##_sz,               \
>> +     .p_replen = GSSX_RES_##name##_sz,               \
>> +     .p_statidx = GSSX_##proc,                       \
>> +     .p_name   = #proc,                              \
>> +}
>> +
>> +struct rpc_procinfo gssp_procedures[] = {
>> +     PROC(INDICATE_MECHS, indicate_mechs),
>> +        PROC(GET_CALL_CONTEXT, get_call_context),
>> +        PROC(IMPORT_AND_CANON_NAME, import_and_canon_name),
>> +        PROC(EXPORT_CRED, export_cred),
>> +        PROC(IMPORT_CRED, import_cred),
>> +        PROC(ACQUIRE_CRED, acquire_cred),
>> +        PROC(STORE_CRED, store_cred),
>> +        PROC(INIT_SEC_CONTEXT, init_sec_context),
>> +        PROC(ACCEPT_SEC_CONTEXT, accept_sec_context),
>> +        PROC(RELEASE_HANDLE, release_handle),
>> +        PROC(GET_MIC, get_mic),
>> +        PROC(VERIFY, verify),
>> +        PROC(WRAP, wrap),
>> +        PROC(UNWRAP, unwrap),
>> +        PROC(WRAP_SIZE_LIMIT, wrap_size_limit),
>> +};
>> +
>> +
>> +
>> +/*
>> + * Common transport functions
>> + */
>> +
>> +static const struct rpc_program gssp_program;
>> +
>> +static int gssp_rpc_create(struct rpc_clnt **_clnt)
>> +{
>> +     static const struct sockaddr_un gssp_localaddr = {
>> +             .sun_family             = AF_LOCAL,
>> +             .sun_path               = GSSPROXY_SOCK_PATHNAME,
>> +     };
>> +     struct rpc_create_args args = {
>> +             .net            =&init_net,
>> +             .protocol       = XPRT_TRANSPORT_LOCAL,
>> +             .address        = (struct sockaddr *)&gssp_localaddr,
>> +             .addrsize       = sizeof(gssp_localaddr),
>> +             .servername     = "localhost",
>> +             .program        =&gssp_program,
>> +             .version        = GSSPROXY_VERS_1,
>> +             .authflavor     = RPC_AUTH_NULL,
>> +             .flags          = RPC_CLNT_CREATE_NOPING,
>> +     };
>> +     struct rpc_clnt *clnt;
>> +     int result = 0;
>> +
>> +     clnt = rpc_create(&args);
>> +     if (IS_ERR(clnt)) {
>> +             dprintk("RPC:       failed to create AF_LOCAL gssproxy "
>> +                             "client (errno %ld).\n", PTR_ERR(clnt));
>> +             result = -PTR_ERR(clnt);
>> +             *_clnt = NULL;
>> +             goto out;
>> +     }
>> +
>> +     dprintk("RPC:       created new gssp local client (gssp_local_clnt: "
>> +                     "%p)\n", clnt);
>> +     *_clnt = clnt;
>> +
>> +out:
>> +     return result;
>> +}
>> +
>> +static struct rpc_clnt *get_clnt(bool global_clnt)
>> +{
>> +     struct rpc_clnt *clnt;
>> +     int err;
>> +
>> +     mutex_lock(&gssp_clnt_mutex);
>> +
>> +     if (global_clnt&&  gssp_clnt)
>> +             return gssp_clnt;
>> +
>> +     err = gssp_rpc_create(&clnt);
>> +     if (err) {
>> +             mutex_unlock(&gssp_clnt_mutex);
>> +             return NULL;
>> +     }
>> +     if (global_clnt)
>> +             gssp_clnt = clnt;
>> +
>> +     mutex_unlock(&gssp_clnt_mutex);
>> +     return clnt;
>> +}
>> +
>> +static void kill_clnt(struct rpc_clnt *clnt)
>> +{
>> +     BUG_ON(clnt == NULL);
>> +
>> +     mutex_lock(&gssp_clnt_mutex);
>> +
>> +     rpc_shutdown_client(clnt);
>> +     if (clnt == gssp_clnt)
>> +             gssp_clnt = NULL;
>> +
>> +     mutex_unlock(&gssp_clnt_mutex);
>> +}
>> +
>> +static int gssp_call(struct rpc_message *msg)
>> +{
>> +     struct rpc_clnt *clnt;
>> +     int status;
>> +
>> +     /* for now always create new one */
>> +     clnt = get_clnt(false);
>> +
>> +     status = rpc_call_sync(clnt, msg, 0);
>> +     if (status<  0) {
>> +             dprintk("gssp: rpc_call returned error %d\n", -status);
>> +             switch (status) {
>> +             case -EPROTONOSUPPORT:
>> +                     status = -EINVAL;
>> +                     break;
>> +             case -ECONNREFUSED:
>> +             case -ETIMEDOUT:
>> +             case -ENOTCONN:
>> +                     status = -EAGAIN;
>> +                     break;
>> +             case -ERESTARTSYS:
>> +                     if (signalled ())
>> +                             status = -EINTR;
>> +                     break;
>> +             default:
>> +                     break;
>> +             }
>> +     }
>> +
>> +     /* always kill connection for now */
>> +     kill_clnt(clnt);
>> +
>> +     return status;
>> +}
>> +
>> +
>> +/*
>> + * Public functions
>> + */
>> +
>> +/* numbers somewhat arbitrary but large enough for current needs */
>> +#define GSSX_MAX_OUT_HANDLE  128
>> +#define GSSX_MAX_MECH_OID    16
>> +#define GSSX_MAX_SRC_PRINC   256
>> +#define GSSX_KMEMBUF (GSSX_max_output_handle_sz + \
>> +                     GSSX_max_oid_sz + \
>> +                     GSSX_max_princ_sz + \
>> +                     sizeof(struct svc_cred))
>> +
>> +int gssp_accept_sec_context_upcall(struct gssp_upcall_data *data)
>> +{
>> +     struct gssx_arg_accept_sec_context arg;
>> +     struct gssx_res_accept_sec_context res;
>> +     struct gssx_ctx ctxh;
>> +     struct gssx_ctx rctxh;
>> +     struct gssx_cred delegcred;
>> +     struct rpc_message msg = {
>> +             .rpc_proc =&gssp_procedures[GSSX_ACCEPT_SEC_CONTEXT],
>> +             .rpc_argp =&arg,
>> +             .rpc_resp =&res,
>> +             .rpc_cred = NULL, /* FIXME ? */
>> +     };
>> +     int ret;
>> +
>> +     /* fill in arg */
>> +     memset(&arg, 0, sizeof(arg));
>> +     if (data->in_handle.len != 0) {
>> +             memset(&ctxh, 0, sizeof(ctxh));
>> +             arg.context_handle =&ctxh;
>> +             ctxh.state = data->in_handle;
>> +     }
>> +     arg.input_token = data->in_token;
>> +
>> +     /* use nfs/ for targ_name ? */
>> +
>> +     /* prepare res */
>> +     data->kmembuf = kmalloc(GSSX_KMEMBUF, GFP_KERNEL);
>> +     if (!data->kmembuf) {
>> +             return -ENOMEM;
>> +     }
>> +
>> +     memset(&res, 0, sizeof(res));
>> +     memset(&rctxh, 0, sizeof(rctxh));
>> +     rctxh.exported_context_token.len = GSSX_max_output_handle_sz;
>> +     rctxh.exported_context_token.data = data->kmembuf;
>> +     rctxh.mech.len = GSSX_max_oid_sz;
>> +     rctxh.mech.data = data->kmembuf + GSSX_max_output_handle_sz;
>> +     rctxh.src_name.display_name.len = GSSX_max_princ_sz;
>> +     rctxh.src_name.display_name.data = data->kmembuf +
>> +                                             GSSX_max_output_handle_sz +
>> +                                             GSSX_max_oid_sz;
>> +     res.context_handle =&rctxh;
>> +
>> +     data->creds = data->kmembuf +
>> +                             GSSX_max_output_handle_sz +
>> +                             GSSX_max_oid_sz +
>> +                             GSSX_max_princ_sz;
>> +     memset(data->creds, 0, sizeof(struct svc_cred));
>> +
>> +     res.output_token =&data->out_token;
>> +     /* tell decoder to allocate the out_token if necessary */
>> +     res.output_token->len = GSSX_max_output_token_sz;
>> +
>> +     /* we are never interested in delegate credentials */
>> +     memset(&delegcred, 0, sizeof(delegcred));
>> +     res.delegated_cred_handle =&delegcred;
>> +
>> +     /* make upcall */
>> +     ret = gssp_call(&msg);
>> +
>> +     /* we need to fetch all data even in case of error so
>> +      * that we can free special strctures is they have been allocated */
>> +     data->major_status = res.status.major_status;
>> +     data->minor_status = res.status.minor_status;
>> +     if (res.context_handle) {
>> +             data->out_handle = rctxh.exported_context_token;
>> +             data->mech_oid = rctxh.mech;
>> +             data->client_name = rctxh.src_name.display_name;
>> +     }
>> +
>> +     if (res.options.count == 1) {
>> +             gssx_buffer *value =&res.options.data[0].value;
>> +             /* Currently we only decode CREDS_VALUE, if we add
>> +              * anything else we'll have to loop and match on the
>> +              * option name */
>> +             if (value->len)
>> +                     /* copy struct svc_cred and steal groups */
>> +                     *data->creds = *(struct svc_cred *)value->data;
>> +             else
>> +                     /* not even nobody apparently */
>> +                     data->creds = NULL;
>> +     } else
>> +             data->creds = NULL;
>> +
>> +     if (res.options.count != 0) {
>> +             kfree(res.options.data);
>> +     }
>> +
>> +     return ret;
>> +}
>> +
>> +void gssp_free_upcall_data(struct gssp_upcall_data *data)
>> +{
>> +     kfree(data->in_handle.data);
>> +     kfree(data->out_token.data);
>> +     if (data->creds&&  data->creds->cr_group_info != NULL)
>> +             groups_free(data->creds->cr_group_info);
>> +     kfree(data->kmembuf);
>> +}
>> +
>> +
>> +/*
>> + * Initialization stuff
>> + */
>> +
>> +static const struct rpc_version gssp_version1 = {
>> +     .number         = GSSPROXY_VERS_1,
>> +     .nrprocs        = ARRAY_SIZE(gssp_procedures),
>> +     .procs          = gssp_procedures,
>> +};
>> +
>> +static const struct rpc_version *gssp_version[] = {
>> +     NULL,
>> +&gssp_version1,
>> +};
>> +
>> +static struct rpc_stat gssp_stats;
>> +
>> +static const struct rpc_program gssp_program = {
>> +     .name           = "gssproxy",
>> +     .number         = GSSPROXY_PROGRAM,
>> +     .nrvers         = ARRAY_SIZE(gssp_version),
>> +     .version        = gssp_version,
>> +     .stats          =&gssp_stats,
>> +};
>> diff --git a/net/sunrpc/auth_gss/gss_rpc_upcall.h b/net/sunrpc/auth_gss/gss_rpc_upcall.h
>> new file mode 100644
>> index 0000000000000000000000000000000000000000..b09217740493e83979f8dc690b812d396db6e54c
>> --- /dev/null
>> +++ b/net/sunrpc/auth_gss/gss_rpc_upcall.h
>> @@ -0,0 +1,43 @@
>> +/*
>> + *  linux/net/sunrpc/gss_rpc_upcall.h
>> + *
>> + *  Copyright (C) 2012 Simo Sorce<simo@redhat.com>
>> + *
>> + * This program is free software; you can redistribute it and/or modify
>> + * it under the terms of the GNU General Public License as published by
>> + * the Free Software Foundation; either version 2 of the License, or
>> + * (at your option) any later version.
>> + *
>> + * This program is distributed in the hope that it will be useful,
>> + * but WITHOUT ANY WARRANTY; without even the implied warranty of
>> + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
>> + * GNU General Public License for more details.
>> + *
>> + * You should have received a copy of the GNU General Public License
>> + * along with this program; if not, write to the Free Software
>> + * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
>> + */
>> +
>> +#ifndef _GSS_RPC_UPCALL_H
>> +#define _GSS_RPC_UPCALL_H
>> +
>> +#include<linux/sunrpc/auth_gss.h>
>> +#include "gss_rpc_xdr.h"
>> +
>> +struct gssp_upcall_data {
>> +     void *kmembuf;
>> +     struct xdr_netobj in_handle;
>> +     struct gssp_in_token in_token;
>> +     struct xdr_netobj out_handle;
>> +     struct xdr_netobj out_token;
>> +     struct xdr_netobj mech_oid;
>> +     struct xdr_netobj client_name;
>> +     struct svc_cred *creds;
>> +     int major_status;
>> +     int minor_status;
>> +};
>> +
>> +int gssp_accept_sec_context_upcall(struct gssp_upcall_data *data);
>> +void gssp_free_upcall_data(struct gssp_upcall_data *data);
>> +
>> +#endif /* _GSS_RPC_UPCALL_H */
>> diff --git a/net/sunrpc/auth_gss/gss_rpc_xdr.c b/net/sunrpc/auth_gss/gss_rpc_xdr.c
>> new file mode 100644
>> index 0000000000000000000000000000000000000000..25600d5a2113cfb0dce64ab89a1b166ee1a089ef
>> --- /dev/null
>> +++ b/net/sunrpc/auth_gss/gss_rpc_xdr.c
>> @@ -0,0 +1,904 @@
>> +/*
>> + * GSS Proxy upcall module
>> + *
>> + *  Copyright (C) 2012 Simo Sorce<simo@redhat.com>
>> + *
>> + * This program is free software; you can redistribute it and/or modify
>> + * it under the terms of the GNU General Public License as published by
>> + * the Free Software Foundation; either version 2 of the License, or
>> + * (at your option) any later version.
>> + *
>> + * This program is distributed in the hope that it will be useful,
>> + * but WITHOUT ANY WARRANTY; without even the implied warranty of
>> + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
>> + * GNU General Public License for more details.
>> + *
>> + * You should have received a copy of the GNU General Public License
>> + * along with this program; if not, write to the Free Software
>> + * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
>> + */
>> +
>> +#include<linux/sunrpc/svcauth.h>
>> +#include "gss_rpc_xdr.h"
>> +
>> +static bool gssx_check_pointer(struct xdr_stream *xdr)
>> +{
>> +     __be32 *p;
>> +
>> +     p = xdr_reserve_space(xdr, 4);
>> +     if (unlikely(p == NULL))
>> +             return -ENOSPC;
>> +     return *p?true:false;
>> +}
>> +
>> +static int gssx_enc_bool(struct xdr_stream *xdr, int v)
>> +{
>> +     __be32 *p;
>> +
>> +     p = xdr_reserve_space(xdr, 4);
>> +     if (unlikely(p == NULL))
>> +             return -ENOSPC;
>> +     *p = v ? xdr_one : xdr_zero;
>> +     return 0;
>> +}
>> +
>> +static int gssx_dec_bool(struct xdr_stream *xdr, u32 *v)
>> +{
>> +     __be32 *p;
>> +
>> +     p = xdr_inline_decode(xdr, 4);
>> +     if (unlikely(p == NULL))
>> +             return -ENOSPC;
>> +     *v = be32_to_cpu(*p);
>> +     return 0;
>> +}
>> +
>> +static int gssx_enc_buffer(struct xdr_stream *xdr,
>> +                        gssx_buffer *buf)
>> +{
>> +     __be32 *p;
>> +
>> +     p = xdr_reserve_space(xdr, sizeof(u32) + buf->len);
>> +     if (!p)
>> +             return -ENOSPC;
>> +     xdr_encode_opaque(p, buf->data, buf->len);
>> +     return 0;
>> +}
>> +
>> +static int gssx_enc_in_token(struct xdr_stream *xdr,
>> +                          struct gssp_in_token *in)
>> +{
>> +     __be32 *p;
>> +
>> +     p = xdr_reserve_space(xdr, 4);
>> +     if (!p)
>> +             return -ENOSPC;
>> +     *p = cpu_to_be32(in->page_len);
>> +
>> +     /* all we need to do is to write pages */
>> +     xdr_write_pages(xdr, in->pages, in->page_base, in->page_len);
>> +
>> +     return 0;
>> +}
>> +
>> +
>> +static int gssx_dec_buffer(struct xdr_stream *xdr,
>> +                        gssx_buffer *buf)
>> +{
>> +     u32 length;
>> +     __be32 *p;
>> +
>> +     p = xdr_inline_decode(xdr, 4);
>> +     if (unlikely(p == NULL))
>> +             return -ENOSPC;
>> +
>> +     length = be32_to_cpup(p);
>> +     p = xdr_inline_decode(xdr, length);
>> +     if (unlikely(p == NULL))
>> +             return -ENOSPC;
>> +
>> +     if (buf->len == 0) {
>> +             /* we intentionally are not interested in this buffer */
>> +             return 0;
>> +     }
>> +     if (length>  buf->len)
>> +             return -ENOSPC;
>> +
>> +     if (!buf->data) {
>> +             buf->data = kmemdup(p, length, GFP_KERNEL);
>> +             if (!buf->data)
>> +                     return -ENOMEM;
>> +     } else {
>> +             memcpy(buf->data, p, length);
>> +     }
>> +     buf->len = length;
>> +     return 0;
>> +}
>> +
>> +static int gssx_enc_option(struct xdr_stream *xdr,
>> +                        struct gssx_option *opt)
>> +{
>> +     int err;
>> +
>> +     err = gssx_enc_buffer(xdr,&opt->option);
>> +     if (err)
>> +             return err;
>> +     err = gssx_enc_buffer(xdr,&opt->value);
>> +     return err;
>> +}
>> +
>> +static int gssx_dec_option(struct xdr_stream *xdr,
>> +                        struct gssx_option *opt)
>> +{
>> +     int err;
>> +
>> +     err = gssx_dec_buffer(xdr,&opt->option);
>> +     if (err)
>> +             return err;
>> +     err = gssx_dec_buffer(xdr,&opt->value);
>> +     return err;
>> +}
>> +
>> +static int dummy_enc_opt_array(struct xdr_stream *xdr,
>> +                             struct gssx_option_array *oa)
>> +{
>> +     __be32 *p;
>> +
>> +     if (oa->count != 0)
>> +             return -EINVAL;
>> +
>> +     p = xdr_reserve_space(xdr, 4);
>> +     if (!p)
>> +             return -ENOSPC;
>> +     *p = 0;
>> +
>> +     return 0;
>> +}
>> +
>> +static int dummy_dec_opt_array(struct xdr_stream *xdr,
>> +                             struct gssx_option_array *oa)
>> +{
>> +     struct gssx_option dummy;
>> +     u32 count, i;
>> +     __be32 *p;
>> +
>> +     p = xdr_inline_decode(xdr, 4);
>> +     if (unlikely(p == NULL))
>> +             return -ENOSPC;
>> +     count = be32_to_cpup(p++);
>> +     memset(&dummy, 0, sizeof(dummy));
>> +     for (i = 0; i<  count; i++) {
>> +             gssx_dec_option(xdr,&dummy);
>> +     }
>> +
>> +     oa->count = 0;
>> +     oa->data = NULL;
>> +     return 0;
>> +}
>> +
>> +static int get_s32(void **p, void *max, s32 *res)
>> +{
>> +     void *base = *p;
>> +     void *next = (void *)((char *)base + sizeof(s32));
>> +     if (unlikely(next>  max || next<  base))
>> +             return -EINVAL;
>> +     memcpy(res, base, sizeof(s32));
>> +     *p = next;
>> +     return 0;
>> +}
>> +
>> +static int gssx_dec_linux_creds(struct xdr_stream *xdr,
>> +                             struct svc_cred *creds)
>> +{
>> +     u32 length;
>> +     __be32 *p;
>> +     void *q, *end;
>> +     s32 tmp;
>> +     int N, i, err;
>> +
>> +     p = xdr_inline_decode(xdr, 4);
>> +     if (unlikely(p == NULL))
>> +             return -ENOSPC;
>> +
>> +     length = be32_to_cpup(p);
>> +
>> +     /* FIXME: we do not want to use the scratch buffer for this one
>> +      * may need to use functions that allows us to access an io vector
>> +      * directly */
>> +     p = xdr_inline_decode(xdr, length);
>> +     if (unlikely(p == NULL))
>> +             return -ENOSPC;
>> +
>> +     q = p;
>> +     end = q + length;
>> +
>> +     /* uid */
>> +     err = get_s32(&q, end,&tmp);
>> +     if (err)
>> +             return err;
>> +     creds->cr_uid = tmp;
>> +
>> +     /* gid */
>> +     err = get_s32(&q, end,&tmp);
>> +     if (err)
>> +             return err;
>> +     creds->cr_gid = tmp;
>> +
>> +     /* number of additional gid's */
>> +     err = get_s32(&q, end,&tmp);
>> +     if (err)
>> +             return err;
>> +     N = tmp;
>> +     creds->cr_group_info = groups_alloc(N);
>> +     if (creds->cr_group_info == NULL)
>> +             return -ENOMEM;
>> +
>> +     /* gid's */
>> +     for (i = 0; i<  N; i++) {
>> +             err = get_s32(&q, end,&tmp);
>> +             if (err) {
>> +                     groups_free(creds->cr_group_info);
>> +                     return err;
>> +             }
>> +             GROUP_AT(creds->cr_group_info, i) = tmp;
>> +     }
>> +
>> +     return 0;
>> +}
>> +
>> +static int gssx_dec_option_array(struct xdr_stream *xdr,
>> +                              struct gssx_option_array *oa)
>> +{
>> +     struct svc_cred *creds;
>> +     u32 count, i;
>> +     __be32 *p;
>> +     int err;
>> +
>> +     p = xdr_inline_decode(xdr, 4);
>> +     if (unlikely(p == NULL))
>> +             return -ENOSPC;
>> +     count = be32_to_cpup(p++);
>> +     if (count != 0) {
>> +             /* we recognize only 1 currently: CREDS_VALUE */
>> +             oa->count = 1;
>> +
>> +             oa->data = kmalloc(sizeof(struct gssx_option) +
>> +                                     sizeof(struct svc_cred), GFP_KERNEL);
>> +             if (!oa->data)
>> +                     return -ENOMEM;
>> +
>> +             creds = (void *)oa->data + sizeof(struct gssx_option);
>> +
>> +             oa->data[0].option.data = CREDS_VALUE;
>> +             oa->data[0].option.len = sizeof(CREDS_VALUE);
>> +             oa->data[0].value.data = (void *)creds;
>> +             oa->data[0].value.len = 0;
>> +     }
>> +     for (i = 0; i<  count; i++) {
>> +             gssx_buffer dummy = { 0, NULL };
>> +             u32 length;
>> +
>> +             /* option buffer */
>> +             p = xdr_inline_decode(xdr, 4);
>> +             if (unlikely(p == NULL))
>> +                     return -ENOSPC;
>> +
>> +             length = be32_to_cpup(p);
>> +             p = xdr_inline_decode(xdr, length);
>> +             if (unlikely(p == NULL))
>> +                     return -ENOSPC;
>> +
>> +             if (length == sizeof(CREDS_VALUE)&&
>> +                 memcmp(p, CREDS_VALUE, sizeof(CREDS_VALUE)) == 0) {
>> +                     /* We have creds here. parse them */
>> +                     err = gssx_dec_linux_creds(xdr, creds);
>> +                     if (err)
>> +                             return err;
>> +                     oa->data[0].value.len = 1; /* presence */
>> +             } else {
>> +                     /* consume uninteresting buffer */
>> +                     err = gssx_dec_buffer(xdr,&dummy);
>> +                     if (err)
>> +                             return err;
>> +             }
>> +     }
>> +     return 0;
>> +}
>> +
>> +static int gssx_dec_status(struct xdr_stream *xdr,
>> +                        struct gssx_status *status)
>> +{
>> +     __be32 *p;
>> +     int err;
>> +
>> +     /* status->major_status */
>> +     p = xdr_inline_decode(xdr, 8);
>> +     if (unlikely(p == NULL))
>> +             return -ENOSPC;
>> +     p = xdr_decode_hyper(p,&status->major_status);
>> +
>> +     /* status->mech */
>> +     err = gssx_dec_buffer(xdr,&status->mech);
>> +     if (err)
>> +             return err;
>> +
>> +     /* status->minor_status */
>> +     p = xdr_inline_decode(xdr, 8);
>> +     if (unlikely(p == NULL))
>> +             return -ENOSPC;
>> +     p = xdr_decode_hyper(p,&status->minor_status);
>> +
>> +     /* status->major_status_string */
>> +     err = gssx_dec_buffer(xdr,&status->major_status_string);
>> +     if (err)
>> +             return err;
>> +
>> +     /* status->minor_status_string */
>> +     err = gssx_dec_buffer(xdr,&status->minor_status_string);
>> +     if (err)
>> +             return err;
>> +
>> +     /* status->server_ctx */
>> +     err = gssx_dec_buffer(xdr,&status->server_ctx);
>> +     if (err)
>> +             return err;
>> +
>> +     /* we assume we have no options for now, so simply consume them */
>> +     /* status->options */
>> +     err = dummy_dec_opt_array(xdr,&status->options);
>> +
>> +     return err;
>> +}
>> +
>> +static int gssx_enc_call_ctx(struct xdr_stream *xdr,
>> +                          struct gssx_call_ctx *ctx)
>> +{
>> +     struct gssx_option opt;
>> +     __be32 *p;
>> +     int err;
>> +
>> +     /* ctx->locale */
>> +     err = gssx_enc_buffer(xdr,&ctx->locale);
>> +     if (err)
>> +             return err;
>> +
>> +     /* ctx->server_ctx */
>> +     err = gssx_enc_buffer(xdr,&ctx->server_ctx);
>> +     if (err)
>> +             return err;
>> +
>> +     /* we always want to ask for lucid contexts */
>> +     /* ctx->options */
>> +     p = xdr_reserve_space(xdr, 4);
>> +     *p = cpu_to_be32(2);
>> +
>> +     /* we want a lucid_v1 context */
>> +     opt.option.data = LUCID_OPTION;
>> +     opt.option.len = sizeof(LUCID_OPTION);
>> +     opt.value.data = LUCID_VALUE;
>> +     opt.value.len = sizeof(LUCID_VALUE);
>> +     err = gssx_enc_option(xdr,&opt);
>> +
>> +     /* ..and user creds */
>> +     opt.option.data = CREDS_OPTION;
>> +     opt.option.len = sizeof(CREDS_OPTION);
>> +     opt.value.data = CREDS_VALUE;
>> +     opt.value.len = sizeof(CREDS_VALUE);
>> +     err = gssx_enc_option(xdr,&opt);
>> +
>> +     return err;
>> +}
>> +
>> +static int gssx_dec_name_attr(struct xdr_stream *xdr,
>> +                          struct gssx_name_attr *attr)
>> +{
>> +     int err;
>> +
>> +     /* attr->attr */
>> +     err = gssx_dec_buffer(xdr,&attr->attr);
>> +     if (err)
>> +             return err;
>> +
>> +     /* attr->value */
>> +     err = gssx_dec_buffer(xdr,&attr->value);
>> +     if (err)
>> +             return err;
>> +
>> +     /* attr->extensions */
>> +     err = dummy_dec_opt_array(xdr,&attr->extensions);
>> +
>> +     return err;
>> +}
>> +
>> +static int dummy_enc_nameattr_array(struct xdr_stream *xdr,
>> +                                 struct gssx_name_attr_array *naa)
>> +{
>> +     __be32 *p;
>> +
>> +     if (naa->count != 0)
>> +             return -EINVAL;
>> +
>> +     p = xdr_reserve_space(xdr, 4);
>> +     if (!p)
>> +             return -ENOSPC;
>> +     *p = 0;
>> +
>> +     return 0;
>> +}
>> +
>> +static int dummy_dec_nameattr_array(struct xdr_stream *xdr,
>> +                                 struct gssx_name_attr_array *naa)
>> +{
>> +     struct gssx_name_attr dummy;
>> +     u32 count, i;
>> +     __be32 *p;
>> +
>> +     p = xdr_inline_decode(xdr, 4);
>> +     if (unlikely(p == NULL))
>> +             return -ENOSPC;
>> +     count = be32_to_cpup(p++);
>> +     for (i = 0; i<  count; i++) {
>> +             gssx_dec_name_attr(xdr,&dummy);
>> +     }
>> +
>> +     naa->count = 0;
>> +     naa->data = NULL;
>> +     return 0;
>> +}
>> +
>> +static int gssx_enc_name(struct xdr_stream *xdr,
>> +                      struct gssx_name *name)
>> +{
>> +     int err;
>> +
>> +     /* name->display_name */
>> +     err = gssx_enc_buffer(xdr,&name->display_name);
>> +     if (err)
>> +             return err;
>> +
>> +     /* name->name_type */
>> +     err = gssx_enc_buffer(xdr,&name->name_type);
>> +     if (err)
>> +             return err;
>> +
>> +     /* name->exported_name */
>> +     err = gssx_enc_buffer(xdr,&name->exported_name);
>> +     if (err)
>> +             return err;
>> +
>> +     /* name->exported_composite_name */
>> +     err = gssx_enc_buffer(xdr,&name->exported_composite_name);
>> +     if (err)
>> +             return err;
>> +
>> +     /* leave name_attributes empty for now, will add once we have any
>> +      * to pass up at all */
>> +     /* name->name_attributes */
>> +     err = dummy_enc_nameattr_array(xdr,&name->name_attributes);
>> +     if (err)
>> +             return err;
>> +
>> +     /* leave options empty for now, will add once we have any options
>> +      * to pass up at all */
>> +     /* name->extensions */
>> +     err = dummy_enc_opt_array(xdr,&name->extensions);
>> +
>> +     return err;
>> +}
>> +
>> +static int gssx_dec_name(struct xdr_stream *xdr,
>> +                      struct gssx_name *name)
>> +{
>> +     int err;
>> +
>> +     /* name->display_name */
>> +     err = gssx_dec_buffer(xdr,&name->display_name);
>> +     if (err)
>> +             return err;
>> +
>> +     /* name->name_type */
>> +     err = gssx_dec_buffer(xdr,&name->name_type);
>> +     if (err)
>> +             return err;
>> +
>> +     /* name->exported_name */
>> +     err = gssx_dec_buffer(xdr,&name->exported_name);
>> +     if (err)
>> +             return err;
>> +
>> +     /* name->exported_composite_name */
>> +     err = gssx_dec_buffer(xdr,&name->exported_composite_name);
>> +     if (err)
>> +             return err;
>> +
>> +     /* we assume we have no attributes for now, so simply consume them */
>> +     /* name->name_attributes */
>> +     err = dummy_dec_nameattr_array(xdr,&name->name_attributes);
>> +     if (err)
>> +             return err;
>> +
>> +     /* we assume we have no options for now, so simply consume them */
>> +     /* name->extensions */
>> +     err = dummy_dec_opt_array(xdr,&name->extensions);
>> +
>> +     return err;
>> +}
>> +
>> +static int gssx_dec_cred_element(struct xdr_stream *xdr,
>> +                              struct gssx_cred_element *el)
>> +{
>> +     __be32 *p;
>> +     int err;
>> +
>> +     /* el->MN */
>> +     err = gssx_dec_name(xdr,&el->MN);
>> +     if (err)
>> +             return err;
>> +
>> +     /* el->mech */
>> +     err = gssx_dec_buffer(xdr,&el->mech);
>> +     if (err)
>> +             return err;
>> +
>> +     /* el->cred_usage */
>> +     p = xdr_inline_decode(xdr, 4+8+8);
>> +     if (!p)
>> +             return -ENOSPC;
>> +     el->cred_usage = be32_to_cpup(p++);
>> +
>> +     /* el->initiator_time_rec */
>> +     p = xdr_decode_hyper(p,&el->initiator_time_rec);
>> +
>> +     /* el->acceptor_time_rec */
>> +     p = xdr_decode_hyper(p,&el->initiator_time_rec);
>> +
>> +     /* we assume we have no options for now, so simply consume them */
>> +     /* el->options */
>> +     err = dummy_dec_opt_array(xdr,&el->options);
>> +
>> +     return err;
>> +}
>> +
>> +static int dummy_enc_credel_array(struct xdr_stream *xdr,
>> +                               struct gssx_cred_element_array *cea)
>> +{
>> +     __be32 *p;
>> +
>> +     if (cea->count != 0)
>> +             return -EINVAL;
>> +
>> +     p = xdr_reserve_space(xdr, 4);
>> +     if (!p)
>> +             return -ENOSPC;
>> +     *p = 0;
>> +
>> +     return 0;
>> +}
>> +
>> +static int dummy_dec_credel_array(struct xdr_stream *xdr,
>> +                               struct gssx_cred_element_array *cea)
>> +{
>> +     struct gssx_cred_element dummy;
>> +     u32 count, i;
>> +     __be32 *p;
>> +
>> +     p = xdr_inline_decode(xdr, 4);
>> +     if (unlikely(p == NULL))
>> +             return -ENOSPC;
>> +     count = be32_to_cpup(p++);
>> +     for (i = 0; i<  count; i++) {
>> +             gssx_dec_cred_element(xdr,&dummy);
>> +     }
>> +
>> +     cea->count = 0;
>> +     cea->data = NULL;
>> +     return 0;
>> +}
>> +
>> +static int gssx_enc_cred(struct xdr_stream *xdr,
>> +                      struct gssx_cred *cred)
>> +{
>> +     int err;
>> +
>> +     /* cred->desired_name */
>> +     err = gssx_enc_name(xdr,&cred->desired_name);
>> +     if (err)
>> +             return err;
>> +
>> +     /* cred->elements */
>> +     err = dummy_enc_credel_array(xdr,&cred->elements);
>> +
>> +     /* cred->cred_handle_reference */
>> +     err = gssx_enc_buffer(xdr,&cred->cred_handle_reference);
>> +     if (err)
>> +             return err;
>> +
>> +     /* cred->needs_release */
>> +     err = gssx_enc_bool(xdr, cred->needs_release);
>> +
>> +     return err;
>> +}
>> +
>> +static int gssx_dec_cred(struct xdr_stream *xdr,
>> +                      struct gssx_cred *cred)
>> +{
>> +     int err;
>> +
>> +     /* cred->desired_name */
>> +     err = gssx_dec_name(xdr,&cred->desired_name);
>> +     if (err)
>> +             return err;
>> +
>> +     /* cred->elements */
>> +     err = dummy_dec_credel_array(xdr,&cred->elements);
>> +
>> +     /* cred->cred_handle_reference */
>> +     err = gssx_dec_buffer(xdr,&cred->cred_handle_reference);
>> +     if (err)
>> +             return err;
>> +
>> +     /* cred->needs_release */
>> +     err = gssx_dec_bool(xdr,&cred->needs_release);
>> +
>> +     return err;
>> +}
>> +
>> +static int gssx_enc_ctx(struct xdr_stream *xdr,
>> +                     struct gssx_ctx *ctx)
>> +{
>> +     __be32 *p;
>> +     int err;
>> +
>> +     /* ctx->exported_context_token */
>> +     err = gssx_enc_buffer(xdr,&ctx->exported_context_token);
>> +     if (err)
>> +             return err;
>> +
>> +     /* ctx->state */
>> +     err = gssx_enc_buffer(xdr,&ctx->state);
>> +     if (err)
>> +             return err;
>> +
>> +     /* ctx->need_release */
>> +     err = gssx_enc_bool(xdr, ctx->need_release);
>> +     if (err)
>> +             return err;
>> +
>> +     /* ctx->mech */
>> +     err = gssx_enc_buffer(xdr,&ctx->mech);
>> +     if (err)
>> +             return err;
>> +
>> +     /* ctx->src_name */
>> +     err = gssx_enc_name(xdr,&ctx->src_name);
>> +     if (err)
>> +             return err;
>> +
>> +     /* ctx->targ_name */
>> +     err = gssx_enc_name(xdr,&ctx->targ_name);
>> +     if (err)
>> +             return err;
>> +
>> +     /* ctx->lifetime */
>> +     p = xdr_reserve_space(xdr, 8+8);
>> +     if (!p)
>> +             return -ENOSPC;
>> +     p = xdr_encode_hyper(p, ctx->lifetime);
>> +
>> +     /* ctx->ctx_flags */
>> +     p = xdr_encode_hyper(p, ctx->ctx_flags);
>> +
>> +     /* ctx->locally_initiated */
>> +     err = gssx_enc_bool(xdr, ctx->locally_initiated);
>> +     if (err)
>> +             return err;
>> +
>> +     /* ctx->open */
>> +     err = gssx_enc_bool(xdr, ctx->open);
>> +     if (err)
>> +             return err;
>> +
>> +     /* leave options empty for now, will add once we have any options
>> +      * to pass up at all */
>> +     /* ctx->options */
>> +     err = dummy_enc_opt_array(xdr,&ctx->options);
>> +
>> +     return err;
>> +}
>> +
>> +static int gssx_dec_ctx(struct xdr_stream *xdr,
>> +                     struct gssx_ctx *ctx)
>> +{
>> +     __be32 *p;
>> +     int err;
>> +
>> +     /* ctx->exported_context_token */
>> +     err = gssx_dec_buffer(xdr,&ctx->exported_context_token);
>> +     if (err)
>> +             return err;
>> +
>> +     /* ctx->state */
>> +     err = gssx_dec_buffer(xdr,&ctx->state);
>> +     if (err)
>> +             return err;
>> +
>> +     /* ctx->need_release */
>> +     err = gssx_dec_bool(xdr,&ctx->need_release);
>> +     if (err)
>> +             return err;
>> +
>> +     /* ctx->mech */
>> +     err = gssx_dec_buffer(xdr,&ctx->mech);
>> +     if (err)
>> +             return err;
>> +
>> +     /* ctx->src_name */
>> +     err = gssx_dec_name(xdr,&ctx->src_name);
>> +     if (err)
>> +             return err;
>> +
>> +     /* ctx->targ_name */
>> +     err = gssx_dec_name(xdr,&ctx->targ_name);
>> +     if (err)
>> +             return err;
>> +
>> +     /* ctx->lifetime */
>> +     p = xdr_inline_decode(xdr, 8+8);
>> +     if (unlikely(p == NULL))
>> +             return -ENOSPC;
>> +     p = xdr_decode_hyper(p,&ctx->lifetime);
>> +
>> +     /* ctx->ctx_flags */
>> +     p = xdr_decode_hyper(p,&ctx->ctx_flags);
>> +
>> +     /* ctx->locally_initiated */
>> +     err = gssx_dec_bool(xdr,&ctx->locally_initiated);
>> +     if (err)
>> +             return err;
>> +
>> +     /* ctx->open */
>> +     err = gssx_dec_bool(xdr,&ctx->open);
>> +     if (err)
>> +             return err;
>> +
>> +     /* we assume we have no options for now, so simply consume them */
>> +     /* ctx->options */
>> +     err = dummy_dec_opt_array(xdr,&ctx->options);
>> +
>> +     return err;
>> +}
>> +
>> +static int gssx_enc_cb(struct xdr_stream *xdr, struct gssx_cb *cb)
>> +{
>> +     __be32 *p;
>> +     int err;
>> +
>> +     /* cb->initiator_addrtype */
>> +     p = xdr_reserve_space(xdr, 8);
>> +     if (!p)
>> +             return -ENOSPC;
>> +     p = xdr_encode_hyper(p, cb->initiator_addrtype);
>> +
>> +     /* cb->initiator_address */
>> +     err = gssx_enc_buffer(xdr,&cb->initiator_address);
>> +     if (err)
>> +             return err;
>> +
>> +     /* cb->acceptor_addrtype */
>> +     p = xdr_reserve_space(xdr, 8);
>> +     if (!p)
>> +             return -ENOSPC;
>> +     p = xdr_encode_hyper(p, cb->acceptor_addrtype);
>> +
>> +     /* cb->acceptor_address */
>> +     err = gssx_enc_buffer(xdr,&cb->acceptor_address);
>> +     if (err)
>> +             return err;
>> +
>> +     /* cb->application_data */
>> +     err = gssx_enc_buffer(xdr,&cb->application_data);
>> +
>> +     return err;
>> +}
>> +
>> +void gssx_enc_accept_sec_context(struct rpc_rqst *req,
>> +                              struct xdr_stream *xdr,
>> +                              struct gssx_arg_accept_sec_context *arg)
>> +{
>> +     int err;
>> +
>> +     err = gssx_enc_call_ctx(xdr,&arg->call_ctx);
>> +     if (err)
>> +             goto done;
>> +
>> +     /* arg->context_handle */
>> +     if (arg->context_handle) {
>> +             err = gssx_enc_ctx(xdr, arg->context_handle);
>> +             if (err)
>> +                     goto done;
>> +     } else {
>> +             err = gssx_enc_bool(xdr, 0);
>> +     }
>> +
>> +     /* arg->cred_handle */
>> +     if (arg->cred_handle) {
>> +             err = gssx_enc_cred(xdr, arg->cred_handle);
>> +             if (err)
>> +                     goto done;
>> +     } else {
>> +             err = gssx_enc_bool(xdr, 0);
>> +     }
>> +
>> +     /* arg->input_token */
>> +     err = gssx_enc_in_token(xdr,&arg->input_token);
>> +     if (err)
>> +             goto done;
>> +
>> +     /* arg->input_cb */
>> +     if (arg->input_cb) {
>> +             err = gssx_enc_cb(xdr, arg->input_cb);
>> +             if (err)
>> +                     goto done;
>> +     } else {
>> +             err = gssx_enc_bool(xdr, 0);
>> +     }
>> +
>> +     err = gssx_enc_bool(xdr, arg->ret_deleg_cred);
>> +     if (err)
>> +             goto done;
>> +
>> +     /* leave options empty for now, will add once we have any options
>> +      * to pass up at all */
>> +     /* arg->options */
>> +     err = dummy_enc_opt_array(xdr,&arg->options);
>> +
>> +done:
>> +     if (err)
>> +             dprintk("RPC:       gssx_enc_accept_sec_context: %d\n", err);
>> +}
>> +
>> +int gssx_dec_accept_sec_context(struct rpc_rqst *rqstp,
>> +                             struct xdr_stream *xdr,
>> +                             struct gssx_res_accept_sec_context *res)
>> +{
>> +     int err;
>> +
>> +     /* res->status */
>> +     err = gssx_dec_status(xdr,&res->status);
>> +     if (err)
>> +             return err;
>> +
>> +     /* res->context_handle */
>> +     if (gssx_check_pointer(xdr)) {
>> +             err = gssx_dec_ctx(xdr, res->context_handle);
>> +             if (err)
>> +                     return err;
>> +     } else {
>> +             res->context_handle = NULL;
>> +     }
>> +
>> +     /* res->output_token */
>> +     if (gssx_check_pointer(xdr)) {
>> +             err = gssx_dec_buffer(xdr, res->output_token);
>> +             if (err)
>> +                     return err;
>> +     } else {
>> +             res->output_token = NULL;
>> +     }
>> +
>> +     /* res->delegated_cred_handle */
>> +     if (gssx_check_pointer(xdr)) {
>> +             err = gssx_dec_cred(xdr, res->delegated_cred_handle);
>> +             if (err)
>> +                     return err;
>> +     } else {
>> +             res->delegated_cred_handle = NULL;
>> +     }
>> +
>> +     /* we assume we have no options for now, so simply consume them */
>> +     /* res->options */
>> +     err = gssx_dec_option_array(xdr,&res->options);
>> +
>> +     return err;
>> +}
>> +
>> diff --git a/net/sunrpc/auth_gss/gss_rpc_xdr.h b/net/sunrpc/auth_gss/gss_rpc_xdr.h
>> new file mode 100644
>> index 0000000000000000000000000000000000000000..9256a5836474fef952ab12d3b27e03bb4d0f20ea
>> --- /dev/null
>> +++ b/net/sunrpc/auth_gss/gss_rpc_xdr.h
>> @@ -0,0 +1,269 @@
>> +/*
>> + * GSS Proxy upcall module
>> + *
>> + *  Copyright (C) 2012 Simo Sorce<simo@redhat.com>
>> + *
>> + * This program is free software; you can redistribute it and/or modify
>> + * it under the terms of the GNU General Public License as published by
>> + * the Free Software Foundation; either version 2 of the License, or
>> + * (at your option) any later version.
>> + *
>> + * This program is distributed in the hope that it will be useful,
>> + * but WITHOUT ANY WARRANTY; without even the implied warranty of
>> + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
>> + * GNU General Public License for more details.
>> + *
>> + * You should have received a copy of the GNU General Public License
>> + * along with this program; if not, write to the Free Software
>> + * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
>> + */
>> +
>> +#ifndef _LINUX_GSS_RPC_XDR_H
>> +#define _LINUX_GSS_RPC_XDR_H
>> +
>> +#include<linux/sunrpc/xdr.h>
>> +#include<linux/sunrpc/clnt.h>
>> +#include<linux/sunrpc/xprtsock.h>
>> +
>> +#ifdef RPC_DEBUG
>> +# define RPCDBG_FACILITY     RPCDBG_AUTH
>> +#endif
>> +
>> +#define LUCID_OPTION "exported_context_type"
>> +#define LUCID_VALUE  "linux_lucid_v1"
>> +#define CREDS_OPTION "exported_creds_type"
>> +#define CREDS_VALUE  "linux_creds_v1"
>> +
>> +typedef struct xdr_netobj gssx_buffer;
>> +typedef struct xdr_netobj utf8string;
>> +typedef struct xdr_netobj gssx_OID;
>> +
>> +enum gssx_cred_usage {
>> +     GSSX_C_INITIATE = 1,
>> +     GSSX_C_ACCEPT = 2,
>> +     GSSX_C_BOTH = 3,
>> +};
>> +
>> +struct gssx_option {
>> +     gssx_buffer option;
>> +     gssx_buffer value;
>> +};
>> +
>> +struct gssx_option_array {
>> +     u32 count;
>> +     struct gssx_option *data;
>> +};
>> +
>> +struct gssx_status {
>> +     u64 major_status;
>> +     gssx_OID mech;
>> +     u64 minor_status;
>> +     utf8string major_status_string;
>> +     utf8string minor_status_string;
>> +     gssx_buffer server_ctx;
>> +     struct gssx_option_array options;
>> +};
>> +
>> +struct gssx_call_ctx {
>> +     utf8string locale;
>> +     gssx_buffer server_ctx;
>> +     struct gssx_option_array options;
>> +};
>> +
>> +struct gssx_name_attr {
>> +     gssx_buffer attr;
>> +     gssx_buffer value;
>> +     struct gssx_option_array extensions;
>> +};
>> +
>> +struct gssx_name_attr_array {
>> +     u32 count;
>> +     struct gssx_name_attr *data;
>> +};
>> +
>> +struct gssx_name {
>> +     gssx_buffer display_name;
>> +     gssx_OID name_type;
>> +     gssx_buffer exported_name;
>> +     gssx_buffer exported_composite_name;
>> +     struct gssx_name_attr_array name_attributes;
>> +     struct gssx_option_array extensions;
>> +};
>> +typedef struct gssx_name gssx_name;
>> +
>> +struct gssx_cred_element {
>> +     gssx_name MN;
>> +     gssx_OID mech;
>> +     u32 cred_usage;
>> +     u64 initiator_time_rec;
>> +     u64 acceptor_time_rec;
>> +     struct gssx_option_array options;
>> +};
>> +
>> +struct gssx_cred_element_array {
>> +     u32 count;
>> +     struct gssx_cred_element *data;
>> +};
>> +
>> +struct gssx_cred {
>> +     gssx_name desired_name;
>> +     struct gssx_cred_element_array elements;
>> +     gssx_buffer cred_handle_reference;
>> +     u32 needs_release;
>> +};
>> +
>> +struct gssx_ctx {
>> +     gssx_buffer exported_context_token;
>> +     gssx_buffer state;
>> +     u32 need_release;
>> +     gssx_OID mech;
>> +     gssx_name src_name;
>> +     gssx_name targ_name;
>> +     u64 lifetime;
>> +     u64 ctx_flags;
>> +     u32 locally_initiated;
>> +     u32 open;
>> +     struct gssx_option_array options;
>> +};
>> +
>> +struct gssx_cb {
>> +     u64 initiator_addrtype;
>> +     gssx_buffer initiator_address;
>> +     u64 acceptor_addrtype;
>> +     gssx_buffer acceptor_address;
>> +     gssx_buffer application_data;
>> +};
>> +
>> +
>> +/* This structure is not defined in the protocol.
>> + * It is used in the kernel to carry around a big buffer
>> + * as a set of pages */
>> +struct gssp_in_token {
>> +     struct page **pages;    /* Array of contiguous pages */
>> +     unsigned int page_base; /* Start of page data */
>> +     unsigned int page_len;  /* Length of page data */
>> +};
>> +
>> +struct gssx_arg_accept_sec_context {
>> +     struct gssx_call_ctx call_ctx;
>> +     struct gssx_ctx *context_handle;
>> +     struct gssx_cred *cred_handle;
>> +     struct gssp_in_token input_token;
>> +     struct gssx_cb *input_cb;
>> +     u32 ret_deleg_cred;
>> +     struct gssx_option_array options;
>> +};
>> +
>> +struct gssx_res_accept_sec_context {
>> +     struct gssx_status status;
>> +     struct gssx_ctx *context_handle;
>> +     gssx_buffer *output_token;
>> +     struct gssx_cred *delegated_cred_handle;
>> +     struct gssx_option_array options;
>> +};
>> +
>> +
>> +
>> +#define gssx_enc_indicate_mechs NULL
>> +#define gssx_dec_indicate_mechs NULL
>> +#define gssx_enc_get_call_context NULL
>> +#define gssx_dec_get_call_context NULL
>> +#define gssx_enc_import_and_canon_name NULL
>> +#define gssx_dec_import_and_canon_name NULL
>> +#define gssx_enc_export_cred NULL
>> +#define gssx_dec_export_cred NULL
>> +#define gssx_enc_import_cred NULL
>> +#define gssx_dec_import_cred NULL
>> +#define gssx_enc_acquire_cred NULL
>> +#define gssx_dec_acquire_cred NULL
>> +#define gssx_enc_store_cred NULL
>> +#define gssx_dec_store_cred NULL
>> +#define gssx_enc_init_sec_context NULL
>> +#define gssx_dec_init_sec_context NULL
>> +void gssx_enc_accept_sec_context(struct rpc_rqst *req,
>> +                              struct xdr_stream *xdr,
>> +                              struct gssx_arg_accept_sec_context *args);
>> +int gssx_dec_accept_sec_context(struct rpc_rqst *rqstp,
>> +                             struct xdr_stream *xdr,
>> +                             struct gssx_res_accept_sec_context *res);
>> +#define gssx_enc_release_handle NULL
>> +#define gssx_dec_release_handle NULL
>> +#define gssx_enc_get_mic NULL
>> +#define gssx_dec_get_mic NULL
>> +#define gssx_enc_verify NULL
>> +#define gssx_dec_verify NULL
>> +#define gssx_enc_wrap NULL
>> +#define gssx_dec_wrap NULL
>> +#define gssx_enc_unwrap NULL
>> +#define gssx_dec_unwrap NULL
>> +#define gssx_enc_wrap_size_limit NULL
>> +#define gssx_dec_wrap_size_limit NULL
>> +
>> +/* non implemented calls are set to 0 size */
>> +#define GSSX_ARG_indicate_mechs_sz 0
>> +#define GSSX_RES_indicate_mechs_sz 0
>> +#define GSSX_ARG_get_call_context_sz 0
>> +#define GSSX_RES_get_call_context_sz 0
>> +#define GSSX_ARG_import_and_canon_name_sz 0
>> +#define GSSX_RES_import_and_canon_name_sz 0
>> +#define GSSX_ARG_export_cred_sz 0
>> +#define GSSX_RES_export_cred_sz 0
>> +#define GSSX_ARG_import_cred_sz 0
>> +#define GSSX_RES_import_cred_sz 0
>> +#define GSSX_ARG_acquire_cred_sz 0
>> +#define GSSX_RES_acquire_cred_sz 0
>> +#define GSSX_ARG_store_cred_sz 0
>> +#define GSSX_RES_store_cred_sz 0
>> +#define GSSX_ARG_init_sec_context_sz 0
>> +#define GSSX_RES_init_sec_context_sz 0
>> +
>> +#define GSSX_default_in_call_ctx_sz (4 + 4 + 4 + \
>> +                     8 + sizeof(LUCID_OPTION) + sizeof(LUCID_VALUE) + \
>> +                     8 + sizeof(CREDS_OPTION) + sizeof(CREDS_VALUE))
>> +#define GSSX_default_in_ctx_hndl_sz (4 + 4+8 + 4 + 4 + 6*4 + 6*4 + 8 + 8 + \
>> +                                     4 + 4 + 4)
>> +#define GSSX_default_in_cred_sz 4 /* we send in no cred_handle */
>> +#define GSSX_default_in_token_sz 4 /* does *not* include token data */
>> +#define GSSX_default_in_cb_sz 4 /* we do not use channel bindings */
>> +#define GSSX_ARG_accept_sec_context_sz (GSSX_default_in_call_ctx_sz + \
>> +                                     GSSX_default_in_ctx_hndl_sz + \
>> +                                     GSSX_default_in_cred_sz + \
>> +                                     GSSX_default_in_token_sz + \
>> +                                     GSSX_default_in_cb_sz + \
>> +                                     4 /* no deleg creds boolean */ + \
>> +                                     4) /* empty options */
>> +
>> +/* somewhat arbitrary numbers but large enough (we ignore some of the data
>> + * sent down, but it is part of the protocol so we need enough space to take
>> + * it in) */
>> +#define GSSX_default_status_sz 8 + 24 + 8 + 256 + 256 + 16 + 4
>> +#define GSSX_max_output_handle_sz 128
>> +#define GSSX_max_oid_sz 16
>> +#define GSSX_max_princ_sz 256
>> +#define GSSX_default_ctx_sz (GSSX_max_output_handle_sz + \
>> +                          16 + 4 + GSSX_max_oid_sz + \
>> +                          2 * GSSX_max_princ_sz + \
>> +                          8 + 8 + 4 + 4 + 4)
>> +#define GSSX_max_output_token_sz 1024
>> +#define GSSX_max_creds_sz (4 + 4 + 4 + NGROUPS_MAX * 4)
>> +#define GSSX_RES_accept_sec_context_sz (GSSX_default_status_sz + \
>> +                                     GSSX_default_ctx_sz + \
>> +                                     GSSX_max_output_token_sz + \
>> +                                     4 + GSSX_max_creds_sz)
>> +
>> +#define GSSX_ARG_release_handle_sz 0
>> +#define GSSX_RES_release_handle_sz 0
>> +#define GSSX_ARG_get_mic_sz 0
>> +#define GSSX_RES_get_mic_sz 0
>> +#define GSSX_ARG_verify_sz 0
>> +#define GSSX_RES_verify_sz 0
>> +#define GSSX_ARG_wrap_sz 0
>> +#define GSSX_RES_wrap_sz 0
>> +#define GSSX_ARG_unwrap_sz 0
>> +#define GSSX_RES_unwrap_sz 0
>> +#define GSSX_ARG_wrap_size_limit_sz 0
>> +#define GSSX_RES_wrap_size_limit_sz 0
>> +
>> +
>> +
>> +#endif /* _LINUX_GSS_RPC_XDR_H */
>> --
>> 1.7.7.6
>>
>> --
>> To unsubscribe from this list: send the line "unsubscribe linux-nfs" in
>> the body of a message to majordomo@vger.kernel.org
>> More majordomo info at  http://vger.kernel.org/majordomo-info.html


-- 
Best regards,
Stanislav Kinsbursky

Re: [PATCH 3/4] SUNRPC: Add RPC based upcall mechanism for RPCGSS auth

[Stanislav Kinsbursky]

On 22.05.2012 17:00, Simo Sorce wrote:
> On Tue, 2012-05-22 at 08:47 -0400, J. Bruce Fields wrote:
>> Have you and Stanislav talked about fitting this with the ongoing
>> container work?
>
> No, I wanted to make it work for the normal case first, I assume it will
> be simple enough to change the code to work with containers later.
> Main reason is that I have no way to test containerized stuff.
>


It's not that hard to "containerize" this code.
All you need is to bypass rqstp->rq_xprt->xpt_net to gssp_rpc_create().
I.e. either add net as a parameter to 
gssp_accept_sec_context_upcall()->gssp_call()->get_clnt()->gssp_rpc_create() 
prototypes or pass it as a part of gssp_upcall_data structure and then pass as a 
parameter to gssp_call()->get_clnt()->gssp_rpc_create().

This will suits you. I.e. I'm sure that you'll not experience any changes 
comparing to current behavior.

> If I understand it correctly, all is needed is to allow attaching to
> different sockets for different containers ?
>

Sorry, but I don't understand the sentence.
Starting from kernel 3.3 SUNRPC layer if fully containerized. I.e. all network 
related resources now carefully allocated and destroyed per and with network 
namespace.
And it would be really great, if the layer will remain containerized in future.

> Simo.
>


-- 
Best regards,
Stanislav Kinsbursky

Re: [PATCH 3/4] SUNRPC: Add RPC based upcall mechanism for RPCGSS auth

[Simo Sorce]

On Tue, 2012-05-22 at 17:17 +0400, Stanislav Kinsbursky wrote:
> On 22.05.2012 17:00, Simo Sorce wrote:
> > On Tue, 2012-05-22 at 08:47 -0400, J. Bruce Fields wrote:
> >> Have you and Stanislav talked about fitting this with the ongoing
> >> container work?
> >
> > No, I wanted to make it work for the normal case first, I assume it will
> > be simple enough to change the code to work with containers later.
> > Main reason is that I have no way to test containerized stuff.
> >
> 
> 
> It's not that hard to "containerize" this code.
> All you need is to bypass rqstp->rq_xprt->xpt_net to gssp_rpc_create().
> I.e. either add net as a parameter to 
> gssp_accept_sec_context_upcall()->gssp_call()->get_clnt()->gssp_rpc_create() 
> prototypes or pass it as a part of gssp_upcall_data structure and then pass as a 
> parameter to gssp_call()->get_clnt()->gssp_rpc_create().
> 
> This will suits you. I.e. I'm sure that you'll not experience any changes 
> comparing to current behavior.

This should be easy enough.

> > If I understand it correctly, all is needed is to allow attaching to
> > different sockets for different containers ?
> >
> 
> Sorry, but I don't understand the sentence.
> Starting from kernel 3.3 SUNRPC layer if fully containerized. I.e. all network 
> related resources now carefully allocated and destroyed per and with network 
> namespace.
> And it would be really great, if the layer will remain containerized in future.

I need guidance here. I need to know what it means to 'remain
containerized', does it mean I need to do something special for the
socket handling ?

Keep in mind I started working on these patches before any
containerization code was added to SUNRPC, and I have no knowledge
whatsoever of containers and what are their constraints.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

Re: [PATCH 3/4] SUNRPC: Add RPC based upcall mechanism for RPCGSS auth

[Stanislav Kinsbursky]

On 22.05.2012 17:22, Simo Sorce wrote:
> On Tue, 2012-05-22 at 17:17 +0400, Stanislav Kinsbursky wrote:
>> On 22.05.2012 17:00, Simo Sorce wrote:
>>> On Tue, 2012-05-22 at 08:47 -0400, J. Bruce Fields wrote:
>>>> Have you and Stanislav talked about fitting this with the ongoing
>>>> container work?
>>>
>>> No, I wanted to make it work for the normal case first, I assume it will
>>> be simple enough to change the code to work with containers later.
>>> Main reason is that I have no way to test containerized stuff.
>>>
>>
>>
>> It's not that hard to "containerize" this code.
>> All you need is to bypass rqstp->rq_xprt->xpt_net to gssp_rpc_create().
>> I.e. either add net as a parameter to
>> gssp_accept_sec_context_upcall()->gssp_call()->get_clnt()->gssp_rpc_create()
>> prototypes or pass it as a part of gssp_upcall_data structure and then pass as a
>> parameter to gssp_call()->get_clnt()->gssp_rpc_create().
>>
>> This will suits you. I.e. I'm sure that you'll not experience any changes
>> comparing to current behavior.
>
> This should be easy enough.
>
>>> If I understand it correctly, all is needed is to allow attaching to
>>> different sockets for different containers ?
>>>
>>
>> Sorry, but I don't understand the sentence.
>> Starting from kernel 3.3 SUNRPC layer if fully containerized. I.e. all network
>> related resources now carefully allocated and destroyed per and with network
>> namespace.
>> And it would be really great, if the layer will remain containerized in future.
>
> I need guidance here. I need to know what it means to 'remain
> containerized', does it mean I need to do something special for the
> socket handling ?
>

It actually means, that no hard-coded init_net references should appear - and 
that's all. Required network context have to be taken from currently existent 
objects (like RPC client, RPC service, etc) and, if not available (it's very 
rare case - like NFS mount call), from current->nsproxy->net_ns.
You don't need to do anything special except this.
There will be a problem with your patches in container, because you are using 
unix socket. But this problem is not in your patches but in unix sockets 
themselves. So don't worry about it.

> Keep in mind I started working on these patches before any
> containerization code was added to SUNRPC, and I have no knowledge
> whatsoever of containers and what are their constraints.
>
> Simo.
>


-- 
Best regards,
Stanislav Kinsbursky

Re: [PATCH 3/4] SUNRPC: Add RPC based upcall mechanism for RPCGSS auth

[J. Bruce Fields]

On Tue, May 22, 2012 at 05:32:01PM +0400, Stanislav Kinsbursky wrote:
> On 22.05.2012 17:22, Simo Sorce wrote:
> >On Tue, 2012-05-22 at 17:17 +0400, Stanislav Kinsbursky wrote:
> >>On 22.05.2012 17:00, Simo Sorce wrote:
> >>>On Tue, 2012-05-22 at 08:47 -0400, J. Bruce Fields wrote:
> >>>>Have you and Stanislav talked about fitting this with the ongoing
> >>>>container work?
> >>>
> >>>No, I wanted to make it work for the normal case first, I assume it will
> >>>be simple enough to change the code to work with containers later.
> >>>Main reason is that I have no way to test containerized stuff.
> >>>
> >>
> >>
> >>It's not that hard to "containerize" this code.
> >>All you need is to bypass rqstp->rq_xprt->xpt_net to gssp_rpc_create().
> >>I.e. either add net as a parameter to
> >>gssp_accept_sec_context_upcall()->gssp_call()->get_clnt()->gssp_rpc_create()
> >>prototypes or pass it as a part of gssp_upcall_data structure and then pass as a
> >>parameter to gssp_call()->get_clnt()->gssp_rpc_create().
> >>
> >>This will suits you. I.e. I'm sure that you'll not experience any changes
> >>comparing to current behavior.
> >
> >This should be easy enough.
> >
> >>>If I understand it correctly, all is needed is to allow attaching to
> >>>different sockets for different containers ?
> >>>
> >>
> >>Sorry, but I don't understand the sentence.
> >>Starting from kernel 3.3 SUNRPC layer if fully containerized. I.e. all network
> >>related resources now carefully allocated and destroyed per and with network
> >>namespace.
> >>And it would be really great, if the layer will remain containerized in future.
> >
> >I need guidance here. I need to know what it means to 'remain
> >containerized', does it mean I need to do something special for the
> >socket handling ?
> >
> 
> It actually means, that no hard-coded init_net references should
> appear - and that's all. Required network context have to be taken
> from currently existent objects (like RPC client, RPC service, etc)
> and, if not available (it's very rare case - like NFS mount call),
> from current->nsproxy->net_ns.
> You don't need to do anything special except this.
> There will be a problem with your patches in container, because you
> are using unix socket. But this problem is not in your patches but
> in unix sockets themselves. So don't worry about it.

Could you remind me what the problem with unix sockets is?  (Or just
point me to old email....  I'm sure we've discussed it before.)

In particular: the current svcgssd communication method is using one of
the sunrpc caches.  If we convert now to this method (which uses a unix
socket) would there be a loss in functionality, until the unix sockets
problems are fixed?

--b.

Re: [PATCH 3/4] SUNRPC: Add RPC based upcall mechanism for RPCGSS auth

[Stanislav Kinsbursky]

On 22.05.2012 18:20, J. Bruce Fields wrote:
> On Tue, May 22, 2012 at 05:32:01PM +0400, Stanislav Kinsbursky wrote:
>> On 22.05.2012 17:22, Simo Sorce wrote:
>>> On Tue, 2012-05-22 at 17:17 +0400, Stanislav Kinsbursky wrote:
>>>> On 22.05.2012 17:00, Simo Sorce wrote:
>>>>> On Tue, 2012-05-22 at 08:47 -0400, J. Bruce Fields wrote:
>>>>>> Have you and Stanislav talked about fitting this with the ongoing
>>>>>> container work?
>>>>>
>>>>> No, I wanted to make it work for the normal case first, I assume it will
>>>>> be simple enough to change the code to work with containers later.
>>>>> Main reason is that I have no way to test containerized stuff.
>>>>>
>>>>
>>>>
>>>> It's not that hard to "containerize" this code.
>>>> All you need is to bypass rqstp->rq_xprt->xpt_net to gssp_rpc_create().
>>>> I.e. either add net as a parameter to
>>>> gssp_accept_sec_context_upcall()->gssp_call()->get_clnt()->gssp_rpc_create()
>>>> prototypes or pass it as a part of gssp_upcall_data structure and then pass as a
>>>> parameter to gssp_call()->get_clnt()->gssp_rpc_create().
>>>>
>>>> This will suits you. I.e. I'm sure that you'll not experience any changes
>>>> comparing to current behavior.
>>>
>>> This should be easy enough.
>>>
>>>>> If I understand it correctly, all is needed is to allow attaching to
>>>>> different sockets for different containers ?
>>>>>
>>>>
>>>> Sorry, but I don't understand the sentence.
>>>> Starting from kernel 3.3 SUNRPC layer if fully containerized. I.e. all network
>>>> related resources now carefully allocated and destroyed per and with network
>>>> namespace.
>>>> And it would be really great, if the layer will remain containerized in future.
>>>
>>> I need guidance here. I need to know what it means to 'remain
>>> containerized', does it mean I need to do something special for the
>>> socket handling ?
>>>
>>
>> It actually means, that no hard-coded init_net references should
>> appear - and that's all. Required network context have to be taken
>> from currently existent objects (like RPC client, RPC service, etc)
>> and, if not available (it's very rare case - like NFS mount call),
>> from current->nsproxy->net_ns.
>> You don't need to do anything special except this.
>> There will be a problem with your patches in container, because you
>> are using unix socket. But this problem is not in your patches but
>> in unix sockets themselves. So don't worry about it.
>
> Could you remind me what the problem with unix sockets is?  (Or just
> point me to old email....  I'm sure we've discussed it before.)
>

Yep, we discussed it already.
The problem is that connect call to unix sockets is done from rpciod workqueue 
because of selinux restrictions.
IOW UNIX socket path will be traversed staring from rpciod kernel thread root. 
Currently this problem is existent for portmapper registration calls - for 
example LockD, started in container with nested root, will be registered in 
global rpcbind instead of local (container's) one.

One of solutions was to export set_fs_root(), but Al Viro doesn't like it.

So currently I'm thinking about patching network layer - i.e. implementing an 
ability to pass desired path to unix sockets connect and bind calls.
IOW, I'm talking about introducing of "bindat" and "connectat" system calls...

> In particular: the current svcgssd communication method is using one of
> the sunrpc caches.  If we convert now to this method (which uses a unix
> socket) would there be a loss in functionality, until the unix sockets
> problems are fixed?
>

I'm afraid, that you are right...
This new client will connect to root daemon - not containerized one...
How soon this new unix-socket way will become common practice?
Maybe I'd be able to patch unix sockets before distro's will use this new version.
But I don't know, what would be best to do...

> --b.


-- 
Best regards,
Stanislav Kinsbursky

Re: [PATCH 3/4] SUNRPC: Add RPC based upcall mechanism for RPCGSS auth

[Simo Sorce]

[-- Attachment #1: Type: text/plain, Size: 826 bytes --]

On Tue, 2012-05-22 at 17:32 +0400, Stanislav Kinsbursky wrote:
> It actually means, that no hard-coded init_net references should appear - and 
> that's all. Required network context have to be taken from currently existent 
> objects (like RPC client, RPC service, etc) and, if not available (it's very 
> rare case - like NFS mount call), from current->nsproxy->net_ns.
> You don't need to do anything special except this.
> There will be a problem with your patches in container, because you are using 
> unix socket. But this problem is not in your patches but in unix sockets 
> themselves. So don't worry about it.

Can you tell me if the attached patches are all you think is needed ?
If they are, I'll squash them in with other fixes and will send out a
new patch set.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

[-- Attachment #2: 0001-make-upcall.c-container-safe.patch --]
[-- Type: text/x-patch, Size: 3433 bytes --]

>From 887918f5173b6b989fb8b8ff7738c842ed741f3d Mon Sep 17 00:00:00 2001
From: Simo Sorce <simo@redhat.com>
Date: Tue, 22 May 2012 10:27:16 -0400
Subject: [PATCH 1/2] make upcall.c container safe

---
 net/sunrpc/auth_gss/gss_rpc_upcall.c |   17 +++++++++--------
 net/sunrpc/auth_gss/gss_rpc_upcall.h |    3 ++-
 2 files changed, 11 insertions(+), 9 deletions(-)

diff --git a/net/sunrpc/auth_gss/gss_rpc_upcall.c b/net/sunrpc/auth_gss/gss_rpc_upcall.c
index 50a1a8c742e4b43a500e4a3b8d3ce9d51fca08ee..1ea8fd87204fcf248035b0e3056c261aaf63cd89 100644
--- a/net/sunrpc/auth_gss/gss_rpc_upcall.c
+++ b/net/sunrpc/auth_gss/gss_rpc_upcall.c
@@ -92,14 +92,14 @@ struct rpc_procinfo gssp_procedures[] = {
 
 static const struct rpc_program gssp_program;
 
-static int gssp_rpc_create(struct rpc_clnt **_clnt)
+static int gssp_rpc_create(struct net *xprt_net, struct rpc_clnt **_clnt)
 {
 	static const struct sockaddr_un gssp_localaddr = {
 		.sun_family		= AF_LOCAL,
 		.sun_path		= GSSPROXY_SOCK_PATHNAME,
 	};
 	struct rpc_create_args args = {
-		.net		= &init_net,
+		.net		= xprt_net,
 		.protocol	= XPRT_TRANSPORT_LOCAL,
 		.address	= (struct sockaddr *)&gssp_localaddr,
 		.addrsize	= sizeof(gssp_localaddr),
@@ -129,7 +129,7 @@ out:
 	return result;
 }
 
-static struct rpc_clnt *get_clnt(bool global_clnt)
+static struct rpc_clnt *get_clnt(struct net *xprt_net, bool global_clnt)
 {
 	struct rpc_clnt *clnt;
 	int err;
@@ -139,7 +139,7 @@ static struct rpc_clnt *get_clnt(bool global_clnt)
 	if (global_clnt && gssp_clnt)
 		return gssp_clnt;
 
-	err = gssp_rpc_create(&clnt);
+	err = gssp_rpc_create(xprt_net, &clnt);
 	if (err) {
 		mutex_unlock(&gssp_clnt_mutex);
 		return NULL;
@@ -164,13 +164,13 @@ static void kill_clnt(struct rpc_clnt *clnt)
 	mutex_unlock(&gssp_clnt_mutex);
 }
 
-static int gssp_call(struct rpc_message *msg)
+static int gssp_call(struct net *xprt_net, struct rpc_message *msg)
 {
 	struct rpc_clnt *clnt;
 	int status;
 
 	/* for now always create new one */
-	clnt = get_clnt(false);
+	clnt = get_clnt(xprt_net, false);
 
 	status = rpc_call_sync(clnt, msg, 0);
 	if (status < 0) {
@@ -213,7 +213,8 @@ static int gssp_call(struct rpc_message *msg)
 			GSSX_max_princ_sz + \
 			sizeof(struct svc_cred))
 
-int gssp_accept_sec_context_upcall(struct gssp_upcall_data *data)
+int gssp_accept_sec_context_upcall(struct net *xprt_net,
+				struct gssp_upcall_data *data)
 {
 	struct gssx_arg_accept_sec_context arg;
 	struct gssx_res_accept_sec_context res;
@@ -272,7 +273,7 @@ int gssp_accept_sec_context_upcall(struct gssp_upcall_data *data)
 	res.delegated_cred_handle = &delegcred;
 
 	/* make upcall */
-	ret = gssp_call(&msg);
+	ret = gssp_call(xprt_net, &msg);
 
 	/* we need to fetch all data even in case of error so
 	 * that we can free special strctures is they have been allocated */
diff --git a/net/sunrpc/auth_gss/gss_rpc_upcall.h b/net/sunrpc/auth_gss/gss_rpc_upcall.h
index b09217740493e83979f8dc690b812d396db6e54c..327a1952be688bcc445d7314ad6e4feb6a44deef 100644
--- a/net/sunrpc/auth_gss/gss_rpc_upcall.h
+++ b/net/sunrpc/auth_gss/gss_rpc_upcall.h
@@ -37,7 +37,8 @@ struct gssp_upcall_data {
 	int minor_status;
 };
 
-int gssp_accept_sec_context_upcall(struct gssp_upcall_data *data);
+int gssp_accept_sec_context_upcall(struct net *xprt_net,
+				struct gssp_upcall_data *data);
 void gssp_free_upcall_data(struct gssp_upcall_data *data);
 
 #endif /* _GSS_RPC_UPCALL_H */
-- 
1.7.7.6


[-- Attachment #3: 0002-make-svcauth_gss.c-container-safe.patch --]
[-- Type: text/x-patch, Size: 876 bytes --]

>From 6efe0d79d2e3bbece469c28074b1f09c89ad63a3 Mon Sep 17 00:00:00 2001
From: Simo Sorce <simo@redhat.com>
Date: Tue, 22 May 2012 10:27:26 -0400
Subject: [PATCH 2/2] make svcauth_gss.c container safe

---
 net/sunrpc/auth_gss/svcauth_gss.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/net/sunrpc/auth_gss/svcauth_gss.c b/net/sunrpc/auth_gss/svcauth_gss.c
index e06c6e01e6c4ad3cee8138069b2d75229f064233..5db8841690bc4e42f1c8954b0d28552b5ad7eff4 100644
--- a/net/sunrpc/auth_gss/svcauth_gss.c
+++ b/net/sunrpc/auth_gss/svcauth_gss.c
@@ -1213,7 +1213,7 @@ static int svcauth_gss_proxy_init(struct svc_rqst *rqstp,
 	ret = SVC_CLOSE;
 
 	/* Perform synchronous upcall to gss-proxy */
-	status = gssp_accept_sec_context_upcall(&ud);
+	status = gssp_accept_sec_context_upcall(rqstp->rq_xprt->xpt_net, &ud);
 	if (status) {
 		goto out;
 	}
-- 
1.7.7.6

Re: [PATCH 3/4] SUNRPC: Add RPC based upcall mechanism for RPCGSS auth

[J. Bruce Fields]

On Tue, May 15, 2012 at 09:12:29AM -0400, Simo Sorce wrote:
> +/* numbers somewhat arbitrary but large enough for current needs */
> +#define GSSX_MAX_OUT_HANDLE	128
> +#define GSSX_MAX_MECH_OID	16
> +#define GSSX_MAX_SRC_PRINC	256
> +#define GSSX_KMEMBUF (GSSX_max_output_handle_sz + \
> +			GSSX_max_oid_sz + \
> +			GSSX_max_princ_sz + \
> +			sizeof(struct svc_cred))
> +
...
> +	data->kmembuf = kmalloc(GSSX_KMEMBUF, GFP_KERNEL);
...
> +	rctxh.exported_context_token.data = data->kmembuf;
...
> +	rctxh.mech.data = data->kmembuf + GSSX_max_output_handle_sz;
...
> +	rctxh.src_name.display_name.data = data->kmembuf +
> +						GSSX_max_output_handle_sz +
> +						GSSX_max_oid_sz;
...
> +	data->creds = data->kmembuf +
> +				GSSX_max_output_handle_sz +
> +				GSSX_max_oid_sz +
> +				GSSX_max_princ_sz;

Sorry, is this did I complaining about too many kmalloc()'s?  This seems
likely to break in subtle ways if we ever change one of those constants
to not be a multiple of a large enough power of 2.  And makes the memory
handling a little more obscure.  I'd rather just allocate those
separately if that's the choice.

But why not just include this in gssp_upcall_data?:
 
 struct gssp_upcall_data {
-	void *kmembuf;
 	struct xdr_netobj in_handle;
 	struct gssp_in_token in_token;
 	struct xdr_netobj out_handle;
+	char out_handle_data[GSSX_MAX_OUT_HANDLE];
 	struct xdr_netobj out_token;
 	struct xdr_netobj mech_oid;
+	char mech_oid_data[GSSX_MAX_MECH_OID];
 	struct xdr_netobj client_name;
+	char client_name_data[GSSX_MAX_SRC_PRINC];
-	struct svc_cred *creds;
+	struct svc_cred creds;
 	int major_status;
 	int minor_status;
 };

As long as that still comes to under 4k that should be OK.

Oh, I see, and you'd have to alloc/free this in svcauth_gss_proxy_init
instead of here, to avoid putting it on the stack there.

Whatever, I don't really care how the various xdr_netobj->data's are
allocated, honestly there's no crusade to eliminate kmalloc()'s, I'll
only object in a case (like the struct svc_cred field above) where it
seems obviously unnecessary.

--b.

Re: [PATCH 3/4] SUNRPC: Add RPC based upcall mechanism for RPCGSS auth

[J. Bruce Fields]

Note also if you rebase to my latest for-3.5 you need something like
the following (untested).

--b.

commit 2cc8f0912880a177eee73e08c4305ac3692b8ff9
Author: J. Bruce Fields <bfields@redhat.com>
Date:   Tue May 22 08:44:08 2012 -0400

    client_name->cred.cr_principal

diff --git a/net/sunrpc/auth_gss/svcauth_gss.c b/net/sunrpc/auth_gss/svcauth_gss.c
index 0211265..95104ae 100644
--- a/net/sunrpc/auth_gss/svcauth_gss.c
+++ b/net/sunrpc/auth_gss/svcauth_gss.c
@@ -1182,26 +1182,27 @@ static int gss_proxy_save_rsc(struct cache_detail *cd,
 
 		/* get client name */
 		if (ud->client_name.len != 0) {
+			struct svc_cred *cred = &rsci.cred;
 			status = -ENOMEM;
 			/* convert to GSS_NT_HOSTBASED_SERVICE form */
-			rsci.client_name = kstrndup(ud->client_name.data,
+			cred->cr_principal = kstrndup(ud->client_name.data,
 							ud->client_name.len,
 							GFP_KERNEL);
-			if (!rsci.client_name)
+			if (!cred->cr_principal)
 				goto out;
 			/* terminate and remove realm part */
-			c = strchr(rsci.client_name, '@');
+			c = strchr(cred->cr_principal, '@');
 			if (c) {
 				*c = '\0';
 
 				/* change service-hostname delimiter */
-				c = strchr(rsci.client_name, '/');
+				c = strchr(cred->cr_principal, '/');
 				if (c) *c = '@';
 			}
 			if (!c) {
 				/* not a service principal */
-				kfree(rsci.client_name);
-				rsci.client_name = NULL;
+				kfree(cred->cr_principal);
+				cred->cr_principal = NULL;
 			}
 		}
 	}

Re: [PATCH 3/4] SUNRPC: Add RPC based upcall mechanism for RPCGSS auth

[J. Bruce Fields]

On Tue, May 22, 2012 at 06:44:55PM +0400, Stanislav Kinsbursky wrote:
> Yep, we discussed it already.
> The problem is that connect call to unix sockets is done from rpciod
> workqueue because of selinux restrictions.
> IOW UNIX socket path will be traversed staring from rpciod kernel
> thread root. Currently this problem is existent for portmapper
> registration calls - for example LockD, started in container with
> nested root, will be registered in global rpcbind instead of local
> (container's) one.

Thanks for the reminder!

> One of solutions was to export set_fs_root(), but Al Viro doesn't like it.
> 
> So currently I'm thinking about patching network layer - i.e.
> implementing an ability to pass desired path to unix sockets connect
> and bind calls.
> IOW, I'm talking about introducing of "bindat" and "connectat" system calls...

So then we'd resolve the path in the right context and pass down a
(vfsmount, dentry) that rpciod could use in bindat/connectat calls?

> >In particular: the current svcgssd communication method is using one of
> >the sunrpc caches.  If we convert now to this method (which uses a unix
> >socket) would there be a loss in functionality, until the unix sockets
> >problems are fixed?
> >
> 
> I'm afraid, that you are right...
> This new client will connect to root daemon - not containerized one...
> How soon this new unix-socket way will become common practice?
> Maybe I'd be able to patch unix sockets before distro's will use this new version.
> But I don't know, what would be best to do...

Ugh.

Simo, remind me of the reasons for using a unix socket?

--b.

Re: [PATCH 3/4] SUNRPC: Add RPC based upcall mechanism for RPCGSS auth

[Stanislav Kinsbursky]

On 22.05.2012 18:58, Simo Sorce wrote:
> On Tue, 2012-05-22 at 17:32 +0400, Stanislav Kinsbursky wrote:
>> It actually means, that no hard-coded init_net references should appear - and
>> that's all. Required network context have to be taken from currently existent
>> objects (like RPC client, RPC service, etc) and, if not available (it's very
>> rare case - like NFS mount call), from current->nsproxy->net_ns.
>> You don't need to do anything special except this.
>> There will be a problem with your patches in container, because you are using
>> unix socket. But this problem is not in your patches but in unix sockets
>> themselves. So don't worry about it.
>
> Can you tell me if the attached patches are all you think is needed ?
> If they are, I'll squash them in with other fixes and will send out a
> new patch set.
>

Yep, looks good.
Would be great, if you'll fix a couple of minor issues:
1) rename "xprt_net" to "net" in prototypes (just to make things look in one 
style with other places in SUNRPC layer)
2) define net variable on stack in svcauth_gss_proxy_init() (looks simpler):

+static int svcauth_gss_proxy_init(struct svc_rqst *rqstp,
+                       struct rpc_gss_wire_cred *gc, __be32 *authp)
....
+       struct net *net = rqstp->rq_xprt->xpt_net;
+       struct sunrpc_net *sn = net_generic(net, sunrpc_net_id);
....
+       status = gssp_accept_sec_context_upcall(net, &ud);

> Simo.
>


-- 
Best regards,
Stanislav Kinsbursky

Re: [PATCH 3/4] SUNRPC: Add RPC based upcall mechanism for RPCGSS auth

[Simo Sorce]

On Tue, 2012-05-22 at 11:03 -0400, J. Bruce Fields wrote:
> Note also if you rebase to my latest for-3.5 you need something like
> the following (untested).
> 
> --b.
> 
> commit 2cc8f0912880a177eee73e08c4305ac3692b8ff9
> Author: J. Bruce Fields <bfields@redhat.com>
> Date:   Tue May 22 08:44:08 2012 -0400
> 
>     client_name->cred.cr_principal
> 
> diff --git a/net/sunrpc/auth_gss/svcauth_gss.c b/net/sunrpc/auth_gss/svcauth_gss.c
> index 0211265..95104ae 100644
> --- a/net/sunrpc/auth_gss/svcauth_gss.c
> +++ b/net/sunrpc/auth_gss/svcauth_gss.c
> @@ -1182,26 +1182,27 @@ static int gss_proxy_save_rsc(struct cache_detail *cd,
>  
>  		/* get client name */
>  		if (ud->client_name.len != 0) {
> +			struct svc_cred *cred = &rsci.cred;
>  			status = -ENOMEM;
>  			/* convert to GSS_NT_HOSTBASED_SERVICE form */
> -			rsci.client_name = kstrndup(ud->client_name.data,
> +			cred->cr_principal = kstrndup(ud->client_name.data,
>  							ud->client_name.len,
>  							GFP_KERNEL);
> -			if (!rsci.client_name)
> +			if (!cred->cr_principal)
>  				goto out;
>  			/* terminate and remove realm part */
> -			c = strchr(rsci.client_name, '@');
> +			c = strchr(cred->cr_principal, '@');
>  			if (c) {
>  				*c = '\0';
>  
>  				/* change service-hostname delimiter */
> -				c = strchr(rsci.client_name, '/');
> +				c = strchr(cred->cr_principal, '/');
>  				if (c) *c = '@';
>  			}
>  			if (!c) {
>  				/* not a service principal */
> -				kfree(rsci.client_name);
> -				rsci.client_name = NULL;
> +				kfree(cred->cr_principal);
> +				cred->cr_principal = NULL;
>  			}
>  		}
>  	}

I have a patch to move this in gss_rpc_upcall.c instead, it's cleaner, I
think.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

Re: [PATCH 3/4] SUNRPC: Add RPC based upcall mechanism for RPCGSS auth

[Simo Sorce]

On Tue, 2012-05-22 at 11:02 -0400, J. Bruce Fields wrote:
> On Tue, May 15, 2012 at 09:12:29AM -0400, Simo Sorce wrote:
> > +/* numbers somewhat arbitrary but large enough for current needs */
> > +#define GSSX_MAX_OUT_HANDLE	128
> > +#define GSSX_MAX_MECH_OID	16
> > +#define GSSX_MAX_SRC_PRINC	256
> > +#define GSSX_KMEMBUF (GSSX_max_output_handle_sz + \
> > +			GSSX_max_oid_sz + \
> > +			GSSX_max_princ_sz + \
> > +			sizeof(struct svc_cred))
> > +
> ...
> > +	data->kmembuf = kmalloc(GSSX_KMEMBUF, GFP_KERNEL);
> ...
> > +	rctxh.exported_context_token.data = data->kmembuf;
> ...
> > +	rctxh.mech.data = data->kmembuf + GSSX_max_output_handle_sz;
> ...
> > +	rctxh.src_name.display_name.data = data->kmembuf +
> > +						GSSX_max_output_handle_sz +
> > +						GSSX_max_oid_sz;
> ...
> > +	data->creds = data->kmembuf +
> > +				GSSX_max_output_handle_sz +
> > +				GSSX_max_oid_sz +
> > +				GSSX_max_princ_sz;
> 
> Sorry, is this did I complaining about too many kmalloc()'s? 

Yes, you complained about kmallocs, so I did this instead :)

>  This seems
> likely to break in subtle ways if we ever change one of those constants
> to not be a multiple of a large enough power of 2.  And makes the memory
> handling a little more obscure.  I'd rather just allocate those
> separately if that's the choice.

I do not see why it would break, the only limit we have is the total
size of the kmembuf.

> But why not just include this in gssp_upcall_data?:
>  
>  struct gssp_upcall_data {
> -	void *kmembuf;
>  	struct xdr_netobj in_handle;
>  	struct gssp_in_token in_token;
>  	struct xdr_netobj out_handle;
> +	char out_handle_data[GSSX_MAX_OUT_HANDLE];
>  	struct xdr_netobj out_token;
>  	struct xdr_netobj mech_oid;
> +	char mech_oid_data[GSSX_MAX_MECH_OID];
>  	struct xdr_netobj client_name;
> +	char client_name_data[GSSX_MAX_SRC_PRINC];
> -	struct svc_cred *creds;
> +	struct svc_cred creds;
>  	int major_status;
>  	int minor_status;
>  };
> 
> As long as that still comes to under 4k that should be OK.

I did not want to do this to avoid users of the struct starting to rely
on those sizes, exactly to avoid having subtle issues later on if we
need to change them (unlikely).

> Oh, I see, and you'd have to alloc/free this in svcauth_gss_proxy_init
> instead of here, to avoid putting it on the stack there.

Right, plus it increases the stack size, and I really did not want to do
that.

> Whatever, I don't really care how the various xdr_netobj->data's are
> allocated, honestly there's no crusade to eliminate kmalloc()'s, I'll
> only object in a case (like the struct svc_cred field above) where it
> seems obviously unnecessary.

Ok, so what should I do ?
I can remove the static allocation and let the code allocate the data
with kmalloc, in the xdr unmarshalling code.
Whatever you like best.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

Re: [PATCH 3/4] SUNRPC: Add RPC based upcall mechanism for RPCGSS auth

[Simo Sorce]

On Tue, 2012-05-22 at 11:07 -0400, J. Bruce Fields wrote:
> On Tue, May 22, 2012 at 06:44:55PM +0400, Stanislav Kinsbursky wrote:
> > Yep, we discussed it already.
> > The problem is that connect call to unix sockets is done from rpciod
> > workqueue because of selinux restrictions.
> > IOW UNIX socket path will be traversed staring from rpciod kernel
> > thread root. Currently this problem is existent for portmapper
> > registration calls - for example LockD, started in container with
> > nested root, will be registered in global rpcbind instead of local
> > (container's) one.
> 
> Thanks for the reminder!
> 
> > One of solutions was to export set_fs_root(), but Al Viro doesn't like it.
> > 
> > So currently I'm thinking about patching network layer - i.e.
> > implementing an ability to pass desired path to unix sockets connect
> > and bind calls.
> > IOW, I'm talking about introducing of "bindat" and "connectat" system calls...
> 
> So then we'd resolve the path in the right context and pass down a
> (vfsmount, dentry) that rpciod could use in bindat/connectat calls?
> 
> > >In particular: the current svcgssd communication method is using one of
> > >the sunrpc caches.  If we convert now to this method (which uses a unix
> > >socket) would there be a loss in functionality, until the unix sockets
> > >problems are fixed?
> > >
> > 
> > I'm afraid, that you are right...
> > This new client will connect to root daemon - not containerized one...
> > How soon this new unix-socket way will become common practice?
> > Maybe I'd be able to patch unix sockets before distro's will use this new version.
> > But I don't know, what would be best to do...
> 
> Ugh.
> 
> Simo, remind me of the reasons for using a unix socket?

It's an RPC protocol, and we do not want the size limitations of other
upcall mechanisms, we really want a stream.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

Re: [PATCH 3/4] SUNRPC: Add RPC based upcall mechanism for RPCGSS auth

[Simo Sorce]

On Tue, 2012-05-22 at 19:10 +0400, Stanislav Kinsbursky wrote:
> On 22.05.2012 18:58, Simo Sorce wrote:
> > On Tue, 2012-05-22 at 17:32 +0400, Stanislav Kinsbursky wrote:
> >> It actually means, that no hard-coded init_net references should appear - and
> >> that's all. Required network context have to be taken from currently existent
> >> objects (like RPC client, RPC service, etc) and, if not available (it's very
> >> rare case - like NFS mount call), from current->nsproxy->net_ns.
> >> You don't need to do anything special except this.
> >> There will be a problem with your patches in container, because you are using
> >> unix socket. But this problem is not in your patches but in unix sockets
> >> themselves. So don't worry about it.
> >
> > Can you tell me if the attached patches are all you think is needed ?
> > If they are, I'll squash them in with other fixes and will send out a
> > new patch set.
> >
> 
> Yep, looks good.
> Would be great, if you'll fix a couple of minor issues:
> 1) rename "xprt_net" to "net" in prototypes (just to make things look in one 
> style with other places in SUNRPC layer)

TBH, I thikn using 'net' is the worst name you guys could come up with,
try to 'git grep net' to see what I mean, but whatever, the damage is
already done, I'll change it.

> 2) define net variable on stack in svcauth_gss_proxy_init() (looks simpler):
> 
> +static int svcauth_gss_proxy_init(struct svc_rqst *rqstp,
> +                       struct rpc_gss_wire_cred *gc, __be32 *authp)
> ....
> +       struct net *net = rqstp->rq_xprt->xpt_net;
> +       struct sunrpc_net *sn = net_generic(net, sunrpc_net_id);
> ....
> +       status = gssp_accept_sec_context_upcall(net, &ud);

Heh, that is what I did at first, then changed. Works for me, I'll
include these changes in the new patchset.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

Re: [PATCH 3/4] SUNRPC: Add RPC based upcall mechanism for RPCGSS auth

[Stanislav Kinsbursky]

On 22.05.2012 19:07, J. Bruce Fields wrote:
> On Tue, May 22, 2012 at 06:44:55PM +0400, Stanislav Kinsbursky wrote:
>> Yep, we discussed it already.
>> The problem is that connect call to unix sockets is done from rpciod
>> workqueue because of selinux restrictions.
>> IOW UNIX socket path will be traversed staring from rpciod kernel
>> thread root. Currently this problem is existent for portmapper
>> registration calls - for example LockD, started in container with
>> nested root, will be registered in global rpcbind instead of local
>> (container's) one.
>
> Thanks for the reminder!
>
>> One of solutions was to export set_fs_root(), but Al Viro doesn't like it.
>>
>> So currently I'm thinking about patching network layer - i.e.
>> implementing an ability to pass desired path to unix sockets connect
>> and bind calls.
>> IOW, I'm talking about introducing of "bindat" and "connectat" system calls...
>
> So then we'd resolve the path in the right context and pass down a
> (vfsmount, dentry) that rpciod could use in bindat/connectat calls?
>

A kind of this, yes. Of course, if community will accept the idea.
Actually, bindat/connectat will be user space interfaces (they will be useful 
for out CRIU project and also will allow to remove UNIX socket path length 
limitation to 108 bytes).
On kernel level I'm going to add some way to pass "struct path" to connect/bind 
calls.

>>> In particular: the current svcgssd communication method is using one of
>>> the sunrpc caches.  If we convert now to this method (which uses a unix
>>> socket) would there be a loss in functionality, until the unix sockets
>>> problems are fixed?
>>>
>>
>> I'm afraid, that you are right...
>> This new client will connect to root daemon - not containerized one...
>> How soon this new unix-socket way will become common practice?
>> Maybe I'd be able to patch unix sockets before distro's will use this new version.
>> But I don't know, what would be best to do...
>
> Ugh.
>
> Simo, remind me of the reasons for using a unix socket?
>

Just a reminder: abstract (is it the right name?) UNIX sockets (with '\0' as a 
first character in name) are containerized already.
If UNIX socket is the only way. then maybe this "abstract" socket can be used?

> --b.


-- 
Best regards,
Stanislav Kinsbursky

Re: [PATCH 3/4] SUNRPC: Add RPC based upcall mechanism for RPCGSS auth

[Stanislav Kinsbursky]

On 22.05.2012 19:18, Simo Sorce wrote:
> On Tue, 2012-05-22 at 19:10 +0400, Stanislav Kinsbursky wrote:
>> On 22.05.2012 18:58, Simo Sorce wrote:
>>> On Tue, 2012-05-22 at 17:32 +0400, Stanislav Kinsbursky wrote:
>>>> It actually means, that no hard-coded init_net references should appear - and
>>>> that's all. Required network context have to be taken from currently existent
>>>> objects (like RPC client, RPC service, etc) and, if not available (it's very
>>>> rare case - like NFS mount call), from current->nsproxy->net_ns.
>>>> You don't need to do anything special except this.
>>>> There will be a problem with your patches in container, because you are using
>>>> unix socket. But this problem is not in your patches but in unix sockets
>>>> themselves. So don't worry about it.
>>>
>>> Can you tell me if the attached patches are all you think is needed ?
>>> If they are, I'll squash them in with other fixes and will send out a
>>> new patch set.
>>>
>>
>> Yep, looks good.
>> Would be great, if you'll fix a couple of minor issues:
>> 1) rename "xprt_net" to "net" in prototypes (just to make things look in one
>> style with other places in SUNRPC layer)
>
> TBH, I thikn using 'net' is the worst name you guys could come up with,
> try to 'git grep net' to see what I mean, but whatever, the damage is
> already done, I'll change it.
>

The reason for the simple name was that we don't care, where we gained this net: 
was it transport or whatever.
IOW, "xprt_net" doesn't carrying any required information comparing to "net" in 
this case.

>> 2) define net variable on stack in svcauth_gss_proxy_init() (looks simpler):
>>
>> +static int svcauth_gss_proxy_init(struct svc_rqst *rqstp,
>> +                       struct rpc_gss_wire_cred *gc, __be32 *authp)
>> ....
>> +       struct net *net = rqstp->rq_xprt->xpt_net;
>> +       struct sunrpc_net *sn = net_generic(net, sunrpc_net_id);
>> ....
>> +       status = gssp_accept_sec_context_upcall(net,&ud);
>
> Heh, that is what I did at first, then changed. Works for me, I'll
> include these changes in the new patchset.
>

Thanks, Simo.

> Simo.
>


-- 
Best regards,
Stanislav Kinsbursky

Re: [PATCH 3/4] SUNRPC: Add RPC based upcall mechanism for RPCGSS auth

[J. Bruce Fields]

On Tue, May 22, 2012 at 11:12:11AM -0400, Simo Sorce wrote:
> On Tue, 2012-05-22 at 11:03 -0400, J. Bruce Fields wrote:
> > Note also if you rebase to my latest for-3.5 you need something like
> > the following (untested).
> > 
> > --b.
> > 
> > commit 2cc8f0912880a177eee73e08c4305ac3692b8ff9
> > Author: J. Bruce Fields <bfields@redhat.com>
> > Date:   Tue May 22 08:44:08 2012 -0400
> > 
> >     client_name->cred.cr_principal
> > 
> > diff --git a/net/sunrpc/auth_gss/svcauth_gss.c b/net/sunrpc/auth_gss/svcauth_gss.c
> > index 0211265..95104ae 100644
> > --- a/net/sunrpc/auth_gss/svcauth_gss.c
> > +++ b/net/sunrpc/auth_gss/svcauth_gss.c
> > @@ -1182,26 +1182,27 @@ static int gss_proxy_save_rsc(struct cache_detail *cd,
> >  
> >  		/* get client name */
> >  		if (ud->client_name.len != 0) {
> > +			struct svc_cred *cred = &rsci.cred;
> >  			status = -ENOMEM;
> >  			/* convert to GSS_NT_HOSTBASED_SERVICE form */
> > -			rsci.client_name = kstrndup(ud->client_name.data,
> > +			cred->cr_principal = kstrndup(ud->client_name.data,
> >  							ud->client_name.len,
> >  							GFP_KERNEL);
> > -			if (!rsci.client_name)
> > +			if (!cred->cr_principal)
> >  				goto out;
> >  			/* terminate and remove realm part */
> > -			c = strchr(rsci.client_name, '@');
> > +			c = strchr(cred->cr_principal, '@');
> >  			if (c) {
> >  				*c = '\0';
> >  
> >  				/* change service-hostname delimiter */
> > -				c = strchr(rsci.client_name, '/');
> > +				c = strchr(cred->cr_principal, '/');
> >  				if (c) *c = '@';
> >  			}
> >  			if (!c) {
> >  				/* not a service principal */
> > -				kfree(rsci.client_name);
> > -				rsci.client_name = NULL;
> > +				kfree(cred->cr_principal);
> > +				cred->cr_principal = NULL;
> >  			}
> >  		}
> >  	}
> 
> I have a patch to move this in gss_rpc_upcall.c instead, it's cleaner, I
> think.

OK.  Also, could we just ditch the "not a service principal" case?  I
know svcgssd doesn't currently pass those down, but that's not really
right--I'd actually prefer to have those principals as well.

And, dumb question (have I asked this before?): is it a problem to throw
away the realm there?  If there exist both nfs/example.com@FOO and
nfs/example.com@BAR that shouldn't be treated identically, then does
that just mean our configuration is screwed up?

--b.

> 
> Simo.
> 
> -- 
> Simo Sorce * Red Hat, Inc * New York
> 

Re: [PATCH 3/4] SUNRPC: Add RPC based upcall mechanism for RPCGSS auth

[J. Bruce Fields]

On Tue, May 22, 2012 at 11:15:22AM -0400, Simo Sorce wrote:
> On Tue, 2012-05-22 at 11:02 -0400, J. Bruce Fields wrote:
> >  This seems
> > likely to break in subtle ways if we ever change one of those constants
> > to not be a multiple of a large enough power of 2.  And makes the memory
> > handling a little more obscure.  I'd rather just allocate those
> > separately if that's the choice.
> 
> I do not see why it would break, the only limit we have is the total
> size of the kmembuf.

Oh, just because the svc_cred at the end wouldn't be aligned nicely any
more.  Doesn't that bother some architectures?

> > Whatever, I don't really care how the various xdr_netobj->data's are
> > allocated, honestly there's no crusade to eliminate kmalloc()'s, I'll
> > only object in a case (like the struct svc_cred field above) where it
> > seems obviously unnecessary.
> 
> Ok, so what should I do ?
> I can remove the static allocation and let the code allocate the data
> with kmalloc, in the xdr unmarshalling code.
> Whatever you like best.

Just embed the svc_cred:

> > -	struct svc_cred *creds;
> > +	struct svc_cred creds;

and handle the rest whichever way seems cleanest to you.

--b.

Re: [PATCH 3/4] SUNRPC: Add RPC based upcall mechanism for RPCGSS auth

[J. Bruce Fields]

On Tue, May 22, 2012 at 11:16:21AM -0400, Simo Sorce wrote:
> On Tue, 2012-05-22 at 11:07 -0400, J. Bruce Fields wrote:
> > On Tue, May 22, 2012 at 06:44:55PM +0400, Stanislav Kinsbursky wrote:
> > > Yep, we discussed it already.
> > > The problem is that connect call to unix sockets is done from rpciod
> > > workqueue because of selinux restrictions.
> > > IOW UNIX socket path will be traversed staring from rpciod kernel
> > > thread root. Currently this problem is existent for portmapper
> > > registration calls - for example LockD, started in container with
> > > nested root, will be registered in global rpcbind instead of local
> > > (container's) one.
> > 
> > Thanks for the reminder!
> > 
> > > One of solutions was to export set_fs_root(), but Al Viro doesn't like it.
> > > 
> > > So currently I'm thinking about patching network layer - i.e.
> > > implementing an ability to pass desired path to unix sockets connect
> > > and bind calls.
> > > IOW, I'm talking about introducing of "bindat" and "connectat" system calls...
> > 
> > So then we'd resolve the path in the right context and pass down a
> > (vfsmount, dentry) that rpciod could use in bindat/connectat calls?
> > 
> > > >In particular: the current svcgssd communication method is using one of
> > > >the sunrpc caches.  If we convert now to this method (which uses a unix
> > > >socket) would there be a loss in functionality, until the unix sockets
> > > >problems are fixed?
> > > >
> > > 
> > > I'm afraid, that you are right...
> > > This new client will connect to root daemon - not containerized one...
> > > How soon this new unix-socket way will become common practice?
> > > Maybe I'd be able to patch unix sockets before distro's will use this new version.
> > > But I don't know, what would be best to do...
> > 
> > Ugh.
> > 
> > Simo, remind me of the reasons for using a unix socket?
> 
> It's an RPC protocol, and we do not want the size limitations of other
> upcall mechanisms, we really want a stream.

So what ruled out TCP over lo?

--b.

Re: [PATCH 3/4] SUNRPC: Add RPC based upcall mechanism for RPCGSS auth

[Simo Sorce]

On Tue, 2012-05-22 at 11:24 -0400, J. Bruce Fields wrote:
> On Tue, May 22, 2012 at 11:12:11AM -0400, Simo Sorce wrote:
> > On Tue, 2012-05-22 at 11:03 -0400, J. Bruce Fields wrote:
> > > Note also if you rebase to my latest for-3.5 you need something like
> > > the following (untested).
> > > 
> > > --b.
> > > 
> > > commit 2cc8f0912880a177eee73e08c4305ac3692b8ff9
> > > Author: J. Bruce Fields <bfields@redhat.com>
> > > Date:   Tue May 22 08:44:08 2012 -0400
> > > 
> > >     client_name->cred.cr_principal
> > > 
> > > diff --git a/net/sunrpc/auth_gss/svcauth_gss.c b/net/sunrpc/auth_gss/svcauth_gss.c
> > > index 0211265..95104ae 100644
> > > --- a/net/sunrpc/auth_gss/svcauth_gss.c
> > > +++ b/net/sunrpc/auth_gss/svcauth_gss.c
> > > @@ -1182,26 +1182,27 @@ static int gss_proxy_save_rsc(struct cache_detail *cd,
> > >  
> > >  		/* get client name */
> > >  		if (ud->client_name.len != 0) {
> > > +			struct svc_cred *cred = &rsci.cred;
> > >  			status = -ENOMEM;
> > >  			/* convert to GSS_NT_HOSTBASED_SERVICE form */
> > > -			rsci.client_name = kstrndup(ud->client_name.data,
> > > +			cred->cr_principal = kstrndup(ud->client_name.data,
> > >  							ud->client_name.len,
> > >  							GFP_KERNEL);
> > > -			if (!rsci.client_name)
> > > +			if (!cred->cr_principal)
> > >  				goto out;
> > >  			/* terminate and remove realm part */
> > > -			c = strchr(rsci.client_name, '@');
> > > +			c = strchr(cred->cr_principal, '@');
> > >  			if (c) {
> > >  				*c = '\0';
> > >  
> > >  				/* change service-hostname delimiter */
> > > -				c = strchr(rsci.client_name, '/');
> > > +				c = strchr(cred->cr_principal, '/');
> > >  				if (c) *c = '@';
> > >  			}
> > >  			if (!c) {
> > >  				/* not a service principal */
> > > -				kfree(rsci.client_name);
> > > -				rsci.client_name = NULL;
> > > +				kfree(cred->cr_principal);
> > > +				cred->cr_principal = NULL;
> > >  			}
> > >  		}
> > >  	}
> > 
> > I have a patch to move this in gss_rpc_upcall.c instead, it's cleaner, I
> > think.
> 
> OK.  Also, could we just ditch the "not a service principal" case?  I
> know svcgssd doesn't currently pass those down, but that's not really
> right--I'd actually prefer to have those principals as well.

I can include the user principal, but I will not have time to test if it
breaks anything.

> And, dumb question (have I asked this before?): is it a problem to throw
> away the realm there?  If there exist both nfs/example.com@FOO and
> nfs/example.com@BAR that shouldn't be treated identically, then does
> that just mean our configuration is screwed up?

Well, I was surprised to see the realm was removed, but the reason
probably is that you are basically just relying on the fact that a
specific client is a member of only a specific REALM, and the fqdn is
used to resolve which realm it is part of. It is technically incorrect
to rely on such assumption, but it is correct in all reasonable actual
deployments because normally applications have no way to obtain a ticket
unless they can map fqdn -> REALM.

This does not hold true for users though, so if you want me to leave the
user principal in there I will not strip the realm from it.

Is it ok to keep the code as is and remove the principal 'exclusion' to
a later patch ? That will make it also easier to spot with a bisect if
this semantic change were to cause issues anywhere.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

Re: [PATCH 3/4] SUNRPC: Add RPC based upcall mechanism for RPCGSS auth

[Simo Sorce]

On Tue, 2012-05-22 at 11:29 -0400, J. Bruce Fields wrote:
> On Tue, May 22, 2012 at 11:15:22AM -0400, Simo Sorce wrote:
> > On Tue, 2012-05-22 at 11:02 -0400, J. Bruce Fields wrote:
> > >  This seems
> > > likely to break in subtle ways if we ever change one of those constants
> > > to not be a multiple of a large enough power of 2.  And makes the memory
> > > handling a little more obscure.  I'd rather just allocate those
> > > separately if that's the choice.
> > 
> > I do not see why it would break, the only limit we have is the total
> > size of the kmembuf.
> 
> Oh, just because the svc_cred at the end wouldn't be aligned nicely any
> more.  Doesn't that bother some architectures?

Ah yeah I see, indeed some architecture require memory to be aligned.
I will change that code back to kmallocs, which is what I always
preferred anyway.

> > > Whatever, I don't really care how the various xdr_netobj->data's are
> > > allocated, honestly there's no crusade to eliminate kmalloc()'s, I'll
> > > only object in a case (like the struct svc_cred field above) where it
> > > seems obviously unnecessary.
> > 
> > Ok, so what should I do ?
> > I can remove the static allocation and let the code allocate the data
> > with kmalloc, in the xdr unmarshalling code.
> > Whatever you like best.
> 
> Just embed the svc_cred:
> 
> > > -	struct svc_cred *creds;
> > > +	struct svc_cred creds;

Can't do, it needs to be allocated, because we steal it in scvauth_gss.c

> and handle the rest whichever way seems cleanest to you.

Ok.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

Re: [PATCH 3/4] SUNRPC: Add RPC based upcall mechanism for RPCGSS auth

[Simo Sorce]

On Tue, 2012-05-22 at 11:31 -0400, J. Bruce Fields wrote:
> On Tue, May 22, 2012 at 11:16:21AM -0400, Simo Sorce wrote:
> > On Tue, 2012-05-22 at 11:07 -0400, J. Bruce Fields wrote:
> > > On Tue, May 22, 2012 at 06:44:55PM +0400, Stanislav Kinsbursky wrote:
> > > > Yep, we discussed it already.
> > > > The problem is that connect call to unix sockets is done from rpciod
> > > > workqueue because of selinux restrictions.
> > > > IOW UNIX socket path will be traversed staring from rpciod kernel
> > > > thread root. Currently this problem is existent for portmapper
> > > > registration calls - for example LockD, started in container with
> > > > nested root, will be registered in global rpcbind instead of local
> > > > (container's) one.
> > > 
> > > Thanks for the reminder!
> > > 
> > > > One of solutions was to export set_fs_root(), but Al Viro doesn't like it.
> > > > 
> > > > So currently I'm thinking about patching network layer - i.e.
> > > > implementing an ability to pass desired path to unix sockets connect
> > > > and bind calls.
> > > > IOW, I'm talking about introducing of "bindat" and "connectat" system calls...
> > > 
> > > So then we'd resolve the path in the right context and pass down a
> > > (vfsmount, dentry) that rpciod could use in bindat/connectat calls?
> > > 
> > > > >In particular: the current svcgssd communication method is using one of
> > > > >the sunrpc caches.  If we convert now to this method (which uses a unix
> > > > >socket) would there be a loss in functionality, until the unix sockets
> > > > >problems are fixed?
> > > > >
> > > > 
> > > > I'm afraid, that you are right...
> > > > This new client will connect to root daemon - not containerized one...
> > > > How soon this new unix-socket way will become common practice?
> > > > Maybe I'd be able to patch unix sockets before distro's will use this new version.
> > > > But I don't know, what would be best to do...
> > > 
> > > Ugh.
> > > 
> > > Simo, remind me of the reasons for using a unix socket?
> > 
> > It's an RPC protocol, and we do not want the size limitations of other
> > upcall mechanisms, we really want a stream.
> 
> So what ruled out TCP over lo?

Well it's a local-only protocol, it is not supposed to be available over
a network, listning on a tcp port would require filtering at some level.
Also, in user space,  I depend on get_sockopts to get the peer creds and
selinux context when user space client connect, I am not sure this info
would be available over TCP, but in general it seem it would needlessly
complicate things for the user space daemon, as you would need to use
rpcbind to register the port and all that useless dance.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

Re: [PATCH 3/4] SUNRPC: Add RPC based upcall mechanism for RPCGSS auth

[J. Bruce Fields]

On Tue, May 22, 2012 at 07:19:29PM +0400, Stanislav Kinsbursky wrote:
> Just a reminder: abstract (is it the right name?) UNIX sockets (with
> '\0' as a first character in name) are containerized already.
> If UNIX socket is the only way. then maybe this "abstract" socket can be used?

Huh.  Reading the section on abstract addresses in unix(7)....  Maybe
that would work.  I don't quite understand the namespace.  If we fix a
name for gss-proxy to use, what's to prevent somebody else from binding
to the same name and preventing us from using it?

--b.

Re: [PATCH 3/4] SUNRPC: Add RPC based upcall mechanism for RPCGSS auth

[Stanislav Kinsbursky]

22.05.2012 22:11, J. Bruce Fields написал:
> On Tue, May 22, 2012 at 07:19:29PM +0400, Stanislav Kinsbursky wrote:
>> Just a reminder: abstract (is it the right name?) UNIX sockets (with
>> '\0' as a first character in name) are containerized already.
>> If UNIX socket is the only way. then maybe this "abstract" socket can be used?
> Huh.  Reading the section on abstract addresses in unix(7)....  Maybe
> that would work.  I don't quite understand the namespace.  If we fix a
> name for gss-proxy to use, what's to prevent somebody else from binding
> to the same name and preventing us from using it?

Alien network namespace.
Abstract sockets address consist of two parts: name istelf and network 
namespace.
Have a look at unix_bind () - you'll see, that sockets with the same 
name but different network namespace are skipped.

>
> --b.

Re: [PATCH 4/4] SUNRPC: Use gssproxy upcall for nfsd's RPCGSS authentication.

[J. Bruce Fields]

On Tue, May 15, 2012 at 09:12:30AM -0400, Simo Sorce wrote:
> The main advantge of this new upcall mechanism is that it can handle
> big tickets as seen in Kerberos implementations where tickets carry
> authorization data like the MS-PAC buffer with AD or the Posix Authorization
> Data being discussed in IETF on the krbwg working group.
> 
> The Gssproxy program is used to perform the accept_sec_context call on the
> kernel's behalf. The code is changed to also pass the input buffer straight
> to upcall mechanism to avoid allocating and copying many pages as tokens can
> be as big (potentially more in future) as 64KiB.
> 
> Signed-off-by: Simo Sorce <simo@redhat.com>
> ---
>  include/linux/sunrpc/auth_gss.h    |    3 +
>  include/linux/sunrpc/svcauth_gss.h |    2 +-
>  net/sunrpc/auth_gss/auth_gss.c     |    9 +-
>  net/sunrpc/auth_gss/svcauth_gss.c  |  249 ++++++++++++++++++++++++++++++++++--
>  4 files changed, 248 insertions(+), 15 deletions(-)
> 
> diff --git a/include/linux/sunrpc/auth_gss.h b/include/linux/sunrpc/auth_gss.h
> index f1cfd4c85cd047c4b2fadd367eeb819aabc57d29..eb2670f6cf9113f1b4c161b9deda05ee4757fa85 100644
> --- a/include/linux/sunrpc/auth_gss.h
> +++ b/include/linux/sunrpc/auth_gss.h
> @@ -19,6 +19,9 @@
>  
>  #define RPC_GSS_VERSION		1
>  
> +#define GSS_UPCALL_LEGACY	0
> +#define GSS_UPCALL_GSSPROXY	1
> +
>  #define MAXSEQ 0x80000000 /* maximum legal sequence number, from rfc 2203 */
>  
>  enum rpc_gss_proc {
> diff --git a/include/linux/sunrpc/svcauth_gss.h b/include/linux/sunrpc/svcauth_gss.h
> index 7c32daa025eb07b644d8185a27c8ea10d8b7c55f..678c6fc8f1593bc53bc3d875175ed7098cd4db40 100644
> --- a/include/linux/sunrpc/svcauth_gss.h
> +++ b/include/linux/sunrpc/svcauth_gss.h
> @@ -16,7 +16,7 @@
>  #include <linux/sunrpc/svcsock.h>
>  #include <linux/sunrpc/auth_gss.h>
>  
> -int gss_svc_init(void);
> +int gss_svc_init(unsigned int upcall_type);
>  void gss_svc_shutdown(void);
>  int gss_svc_init_net(struct net *net);
>  void gss_svc_shutdown_net(struct net *net);
> diff --git a/net/sunrpc/auth_gss/auth_gss.c b/net/sunrpc/auth_gss/auth_gss.c
> index 836cbecb1947235d38c62eadf79ae96ad73906e6..97fe72609387cb8b948bc3aa4d14db4956138d3c 100644
> --- a/net/sunrpc/auth_gss/auth_gss.c
> +++ b/net/sunrpc/auth_gss/auth_gss.c
> @@ -60,6 +60,8 @@ static const struct rpc_credops gss_nullops;
>  #define GSS_RETRY_EXPIRED 5
>  static unsigned int gss_expired_cred_retry_delay = GSS_RETRY_EXPIRED;
>  
> +static unsigned int gss_upcall_daemon_type = GSS_UPCALL_LEGACY;
> +
>  #ifdef RPC_DEBUG
>  # define RPCDBG_FACILITY	RPCDBG_AUTH
>  #endif
> @@ -1687,7 +1689,7 @@ static int __init init_rpcsec_gss(void)
>  	err = rpcauth_register(&authgss_ops);
>  	if (err)
>  		goto out;
> -	err = gss_svc_init();
> +	err = gss_svc_init(gss_upcall_daemon_type);
>  	if (err)
>  		goto out_unregister;
>  	err = register_pernet_subsys(&rpcsec_gss_net_ops);
> @@ -1717,6 +1719,11 @@ module_param_named(expired_cred_retry_delay,
>  		   uint, 0644);
>  MODULE_PARM_DESC(expired_cred_retry_delay, "Timeout (in seconds) until "
>  		"the RPC engine retries an expired credential");
> +module_param_named(upcall_daemon_type,
> +		   gss_upcall_daemon_type,
> +		   uint, 0644);
> +MODULE_PARM_DESC(upcall_daemon_type, "Type of svcgss upcall daemon used "
> +		"(legacy=0 or gssproxy=1)");
>  
>  module_init(init_rpcsec_gss)
>  module_exit(exit_rpcsec_gss)
> diff --git a/net/sunrpc/auth_gss/svcauth_gss.c b/net/sunrpc/auth_gss/svcauth_gss.c
> index aa1b649749741c82e60f0f528ac645197fd7ab35..87dcc837fa10e8ee7176379b1cc27235800bd612 100644
> --- a/net/sunrpc/auth_gss/svcauth_gss.c
> +++ b/net/sunrpc/auth_gss/svcauth_gss.c
> @@ -47,6 +47,7 @@
>  #include <linux/sunrpc/svcauth.h>
>  #include <linux/sunrpc/svcauth_gss.h>
>  #include <linux/sunrpc/cache.h>
> +#include "gss_rpc_upcall.h"
>  
>  #include "../netns.h"
>  
> @@ -54,6 +55,8 @@
>  # define RPCDBG_FACILITY	RPCDBG_AUTH
>  #endif
>  
> +static bool use_gssp = false;
> +
>  /* The rpcsec_init cache is used for mapping RPCSEC_GSS_{,CONT_}INIT requests
>   * into replies.
>   *
> @@ -554,6 +557,7 @@ static struct rsc *rsc_update(struct cache_detail *cd, struct rsc *new, struct r
>  }
>  
>  
> +
>  static struct rsc *
>  gss_svc_searchbyctx(struct cache_detail *cd, struct xdr_netobj *handle)
>  {
> @@ -984,13 +988,10 @@ gss_write_init_verf(struct cache_detail *cd, struct svc_rqst *rqstp,
>  }
>  
>  static inline int
> -gss_read_verf(struct rpc_gss_wire_cred *gc,
> -	      struct kvec *argv, __be32 *authp,
> -	      struct xdr_netobj *in_handle,
> -	      struct xdr_netobj *in_token)
> +gss_read_common_verf(struct rpc_gss_wire_cred *gc,
> +		     struct kvec *argv, __be32 *authp,
> +		     struct xdr_netobj *in_handle)
>  {
> -	struct xdr_netobj tmpobj;
> -
>  	/* Read the verifier; should be NULL: */
>  	*authp = rpc_autherr_badverf;
>  	if (argv->iov_len < 2 * 4)
> @@ -1006,6 +1007,23 @@ gss_read_verf(struct rpc_gss_wire_cred *gc,
>  	if (dup_netobj(in_handle, &gc->gc_ctx))
>  		return SVC_CLOSE;
>  	*authp = rpc_autherr_badverf;
> +
> +	return 0;
> +}
> +
> +static inline int
> +gss_read_verf(struct rpc_gss_wire_cred *gc,
> +	      struct kvec *argv, __be32 *authp,
> +	      struct xdr_netobj *in_handle,
> +	      struct xdr_netobj *in_token)
> +{
> +	struct xdr_netobj tmpobj;
> +	int res;
> +
> +	res = gss_read_common_verf(gc, argv, authp, in_handle);
> +	if (res)
> +		return res;
> +
>  	if (svc_safe_getnetobj(argv, &tmpobj)) {
>  		kfree(in_handle->data);
>  		return SVC_DENIED;
> @@ -1018,6 +1036,42 @@ gss_read_verf(struct rpc_gss_wire_cred *gc,
>  	return 0;
>  }
>  
> +/* Ok this is really heavily depending on a set of semantics in
> + * how rqstp is set up by svc_recv and pages laid down by the
> + * server when reading a request. We are basically guaranteed that
> + * the token lays all down linearly across a set of pages, starting
> + * at iov_base in rq_arg.head[0] which happens to be the first of a
> + * set of pages stored in rq_pages[].
> + * rq_arg.head[0].iov_base will provide us the page_base to pass
> + * to the upcall.
> + */
> +static inline int
> +gss_read_proxy_verf(struct svc_rqst *rqstp,
> +		    struct rpc_gss_wire_cred *gc, __be32 *authp,
> +		    struct xdr_netobj *in_handle,
> +		    struct gssp_in_token *in_token)
> +{
> +	struct kvec *argv = &rqstp->rq_arg.head[0];
> +	u32 inlen;
> +	int res;
> +
> +	res = gss_read_common_verf(gc, argv, authp, in_handle);
> +	if (res)
> +		return res;
> +
> +	inlen = svc_getnl(argv);
> +	if (inlen > (argv->iov_len + rqstp->rq_arg.page_len))
> +		return SVC_DENIED;
> +
> +	in_token->pages = rqstp->rq_pages;
> +	in_token->page_base = (ulong)argv->iov_base & ~PAGE_MASK;
> +	in_token->page_len = inlen;
> +
> +	/* FIXME: change argv to point to the end of in_token ? */

There's nothing left to read, so it looks like there's no problem here;
drop the comment?

> +
> +	return 0;
> +}
> +
>  static inline int
>  gss_write_resv(struct kvec *resv, size_t size_limit,
>  	       struct xdr_netobj *out_handle, struct xdr_netobj *out_token,
> @@ -1045,7 +1099,7 @@ gss_write_resv(struct kvec *resv, size_t size_limit,
>   * the upcall results are available, write the verifier and result.
>   * Otherwise, drop the request pending an answer to the upcall.
>   */
> -static int svcauth_gss_handle_init(struct svc_rqst *rqstp,
> +static int svcauth_gss_legacy_init(struct svc_rqst *rqstp,
>  			struct rpc_gss_wire_cred *gc, __be32 *authp)
>  {
>  	struct kvec *argv = &rqstp->rq_arg.head[0];
> @@ -1085,6 +1139,158 @@ out:
>  	return ret;
>  }
>  
> +static int gss_proxy_save_rsc(struct cache_detail *cd,
> +				struct gssp_upcall_data *ud,
> +				struct xdr_netobj *handle)
> +{
> +	struct rsc rsci, *rscp = NULL;
> +	static atomic64_t ctxhctr;
> +	long long ctxh;
> +	struct gss_api_mech *gm = NULL;
> +	time_t expiry;
> +	char *c;
> +	int status = -EINVAL;
> +
> +	memset(&rsci, 0, sizeof(rsci));
> +	/* context handle */
> +	status = -ENOMEM;
> +	/* the handle needs to be just a unique id,
> +	 * use a static counter */
> +	ctxh = atomic64_inc_return(&ctxhctr);
> +	handle->data = kmemdup(&ctxh, sizeof(ctxh), GFP_KERNEL);

Looks like you use this only to dup again immediately below in
dup_to_netobj, so you should just be able to make that:

	handle->data = &ctxh;

That's simpler and looks like it avoids a leak on exit.

> +	if (handle->data == NULL)
> +		goto out;
> +	handle->len = sizeof(ctxh);
> +	if (dup_to_netobj(&rsci.handle, handle->data, handle->len))
> +		goto out;
> +
> +	rscp = rsc_lookup(cd, &rsci);
> +	if (!rscp)
> +		goto out;
> +
> +	/* creds */
> +	if (!ud->creds) {
> +		dprintk("RPC:       No creds found, marking Negative!\n");
> +		set_bit(CACHE_NEGATIVE, &rsci.h.flags);

When does this happen, out of curiosity?

> +	} else {
> +
> +		/* steal creds */
> +		rsci.cred = *ud->creds;
> +		ud->creds->cr_group_info = NULL;
> +
> +		status = -EOPNOTSUPP;
> +		/* get mech handle from OID */
> +		gm = gss_mech_get_by_OID(&ud->mech_oid);
> +		if (!gm)
> +			goto out;
> +
> +		status = -EINVAL;
> +		/* mech-specific data: */
> +		status = gss_import_sec_context(ud->out_handle.data,
> +						ud->out_handle.len,
> +						gm, &rsci.mechctx,
> +						&expiry, GFP_KERNEL);
> +		if (status)
> +			goto out;
> +
> +		/* get client name */
> +		if (ud->client_name.len != 0) {
> +			status = -ENOMEM;
> +			/* convert to GSS_NT_HOSTBASED_SERVICE form */
> +			rsci.client_name = kstrndup(ud->client_name.data,
> +							ud->client_name.len,
> +							GFP_KERNEL);
> +			if (!rsci.client_name)
> +				goto out;
> +			/* terminate and remove realm part */
> +			c = strchr(rsci.client_name, '@');
> +			if (c) {
> +				*c = '\0';
> +
> +				/* change service-hostname delimiter */
> +				c = strchr(rsci.client_name, '/');
> +				if (c) *c = '@';
> +			}
> +			if (!c) {
> +				/* not a service principal */
> +				kfree(rsci.client_name);
> +				rsci.client_name = NULL;
> +			}
> +		}
> +	}
> +
> +	rsci.h.expiry_time = expiry;
> +	rscp = rsc_update(cd, &rsci, rscp);
> +	status = 0;
> +out:
> +	gss_mech_put(gm);
> +	rsc_free(&rsci);
> +	if (rscp)
> +		cache_put(&rscp->h, cd);
> +	else
> +		status = -ENOMEM;
> +	return status;
> +}
> +
> +static int svcauth_gss_proxy_init(struct svc_rqst *rqstp,
> +			struct rpc_gss_wire_cred *gc, __be32 *authp)
> +{
> +	struct kvec *resv = &rqstp->rq_res.head[0];
> +	struct xdr_netobj cli_handle;
> +	struct gssp_upcall_data ud;
> +	int status;
> +	int ret;
> +	struct sunrpc_net *sn = net_generic(rqstp->rq_xprt->xpt_net, sunrpc_net_id);
> +
> +	memset(&cli_handle, 0, sizeof(cli_handle));
> +	memset(&ud, 0, sizeof(ud));
> +	ret = gss_read_proxy_verf(rqstp, gc, authp,
> +				  &ud.in_handle, &ud.in_token);
> +	if (ret)
> +		return ret;
> +
> +	ret = SVC_CLOSE;
> +
> +	/* Perform synchronous upcall to gss-proxy */
> +	status = gssp_accept_sec_context_upcall(&ud);
> +	if (status) {
> +		goto out;
> +	}

Ditch the {}'s.

> +
> +	dprintk("RPC:       svcauth_gss: gss major status = %d\n",
> +			ud.major_status);
> +
> +	switch (ud.major_status) {
> +	case GSS_S_CONTINUE_NEEDED:
> +		cli_handle = ud.out_handle;
> +		ud.out_handle.data = NULL;
> +		break;
> +	case GSS_S_COMPLETE:
> +		status = gss_proxy_save_rsc(sn->rsc_cache, &ud, &cli_handle);
> +		if (status)
> +			goto out;
> +		break;
> +	default:
> +		ret = SVC_CLOSE;
> +		goto out;
> +	}
> +
> +	/* Got an answer to the upcall; use it: */
> +	if (gss_write_init_verf(sn->rsc_cache, rqstp,
> +				&cli_handle, &ud.major_status))
> +		goto out;
> +	if (gss_write_resv(resv, PAGE_SIZE,
> +			   &cli_handle, &ud.out_token,
> +			   ud.major_status, ud.minor_status))
> +		goto out;
> +
> +	ret = SVC_COMPLETE;
> +out:
> +	gssp_free_upcall_data(&ud);
> +	kfree(cli_handle.data);
> +	return ret;
> +}
> +
>  /*
>   * Accept an rpcsec packet.
>   * If context establishment, punt to user space
> @@ -1151,7 +1357,10 @@ svcauth_gss_accept(struct svc_rqst *rqstp, __be32 *authp)
>  	switch (gc->gc_proc) {
>  	case RPC_GSS_PROC_INIT:
>  	case RPC_GSS_PROC_CONTINUE_INIT:
> -		return svcauth_gss_handle_init(rqstp, gc, authp);
> +		if (use_gssp)
> +			return svcauth_gss_proxy_init(rqstp, gc, authp);
> +		else
> +			return svcauth_gss_legacy_init(rqstp, gc, authp);
>  	case RPC_GSS_PROC_DATA:
>  	case RPC_GSS_PROC_DESTROY:
>  		/* Look up the context, and check the verifier: */
> @@ -1523,9 +1732,12 @@ gss_svc_init_net(struct net *net)
>  	rv = rsc_cache_create_net(net);
>  	if (rv)
>  		return rv;
> -	rv = rsi_cache_create_net(net);
> -	if (rv)
> -		goto out1;
> +	if (!use_gssp) {
> +		rv = rsi_cache_create_net(net);
> +		if (rv)
> +			goto out1;
> +	}
> +
>  	return 0;
>  out1:
>  	rsc_cache_destroy_net(net);
> @@ -1535,13 +1747,24 @@ out1:
>  void
>  gss_svc_shutdown_net(struct net *net)
>  {
> -	rsi_cache_destroy_net(net);
> +	if (!use_gssp)
> +		rsi_cache_destroy_net(net);
>  	rsc_cache_destroy_net(net);
>  }
>  
>  int
> -gss_svc_init(void)
> +gss_svc_init(unsigned int upcall_type)
>  {
> +	switch (upcall_type) {
> +	case GSS_UPCALL_LEGACY:
> +		break;
> +	case GSS_UPCALL_GSSPROXY:
> +		dprintk("RPC:       svcauth_gss: Initializing for use with gss-proxy\n");
> +		use_gssp = true;
> +		break;
> +	default:
> +		return -EINVAL;
> +	}
>  	return svc_auth_register(RPC_AUTH_GSS, &svcauthops_gss);
>  }
>  
> -- 
> 1.7.7.6
> 
> --
> To unsubscribe from this list: send the line "unsubscribe linux-nfs" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: [PATCH 3/4] SUNRPC: Add RPC based upcall mechanism for RPCGSS auth

[J. Bruce Fields]

On Tue, May 22, 2012 at 11:40:51AM -0400, Simo Sorce wrote:
> On Tue, 2012-05-22 at 11:29 -0400, J. Bruce Fields wrote:
> > On Tue, May 22, 2012 at 11:15:22AM -0400, Simo Sorce wrote:
> > > On Tue, 2012-05-22 at 11:02 -0400, J. Bruce Fields wrote:
> > > >  This seems
> > > > likely to break in subtle ways if we ever change one of those constants
> > > > to not be a multiple of a large enough power of 2.  And makes the memory
> > > > handling a little more obscure.  I'd rather just allocate those
> > > > separately if that's the choice.
> > > 
> > > I do not see why it would break, the only limit we have is the total
> > > size of the kmembuf.
> > 
> > Oh, just because the svc_cred at the end wouldn't be aligned nicely any
> > more.  Doesn't that bother some architectures?
> 
> Ah yeah I see, indeed some architecture require memory to be aligned.
> I will change that code back to kmallocs, which is what I always
> preferred anyway.
> 
> > > > Whatever, I don't really care how the various xdr_netobj->data's are
> > > > allocated, honestly there's no crusade to eliminate kmalloc()'s, I'll
> > > > only object in a case (like the struct svc_cred field above) where it
> > > > seems obviously unnecessary.
> > > 
> > > Ok, so what should I do ?
> > > I can remove the static allocation and let the code allocate the data
> > > with kmalloc, in the xdr unmarshalling code.
> > > Whatever you like best.
> > 
> > Just embed the svc_cred:
> > 
> > > > -	struct svc_cred *creds;
> > > > +	struct svc_cred creds;
> 
> Can't do, it needs to be allocated, because we steal it in scvauth_gss.c

Are you sure?  Looks to me like it's only the group list that's "stolen"
there, the rest is copied.

--b.

> 
> > and handle the rest whichever way seems cleanest to you.
> 
> Ok.
> 
> Simo.
> 
> -- 
> Simo Sorce * Red Hat, Inc * New York
> 

Re: [PATCH 3/4] SUNRPC: Add RPC based upcall mechanism for RPCGSS auth

[Simo Sorce]

On Tue, 2012-05-22 at 18:49 -0400, J. Bruce Fields wrote:
> On Tue, May 22, 2012 at 11:40:51AM -0400, Simo Sorce wrote:
> > On Tue, 2012-05-22 at 11:29 -0400, J. Bruce Fields wrote:
> > > On Tue, May 22, 2012 at 11:15:22AM -0400, Simo Sorce wrote:
> > > > On Tue, 2012-05-22 at 11:02 -0400, J. Bruce Fields wrote:
> > > > >  This seems
> > > > > likely to break in subtle ways if we ever change one of those constants
> > > > > to not be a multiple of a large enough power of 2.  And makes the memory
> > > > > handling a little more obscure.  I'd rather just allocate those
> > > > > separately if that's the choice.
> > > > 
> > > > I do not see why it would break, the only limit we have is the total
> > > > size of the kmembuf.
> > > 
> > > Oh, just because the svc_cred at the end wouldn't be aligned nicely any
> > > more.  Doesn't that bother some architectures?
> > 
> > Ah yeah I see, indeed some architecture require memory to be aligned.
> > I will change that code back to kmallocs, which is what I always
> > preferred anyway.
> > 
> > > > > Whatever, I don't really care how the various xdr_netobj->data's are
> > > > > allocated, honestly there's no crusade to eliminate kmalloc()'s, I'll
> > > > > only object in a case (like the struct svc_cred field above) where it
> > > > > seems obviously unnecessary.
> > > > 
> > > > Ok, so what should I do ?
> > > > I can remove the static allocation and let the code allocate the data
> > > > with kmalloc, in the xdr unmarshalling code.
> > > > Whatever you like best.
> > > 
> > > Just embed the svc_cred:
> > > 
> > > > > -	struct svc_cred *creds;
> > > > > +	struct svc_cred creds;
> > 
> > Can't do, it needs to be allocated, because we steal it in scvauth_gss.c
> 
> Are you sure?  Looks to me like it's only the group list that's "stolen"
> there, the rest is copied.

Yeah, I ended up doing what you asked, I was mis-remembering one detail.

I have a patchset here:
http://fedorapeople.org/gitweb?p=simo/public_git/kernel.git;a=shortlog;h=refs/heads/for-3.5

But it does not include the last changes you just requested, and has not
been tested yet.

However it shows the kmalloc changes and the principal handling changes.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

Re: [PATCH 4/4] SUNRPC: Use gssproxy upcall for nfsd's RPCGSS authentication.

[Simo Sorce]

On Tue, 2012-05-22 at 18:48 -0400, J. Bruce Fields wrote:
> On Tue, May 15, 2012 at 09:12:30AM -0400, Simo Sorce wrote:

> > +static inline int
> > +gss_read_proxy_verf(struct svc_rqst *rqstp,
> > +		    struct rpc_gss_wire_cred *gc, __be32 *authp,
> > +		    struct xdr_netobj *in_handle,
> > +		    struct gssp_in_token *in_token)
> > +{
[..]
> > +	/* FIXME: change argv to point to the end of in_token ? */
> 
> There's nothing left to read, so it looks like there's no problem here;
> drop the comment?

Dropping, was a reminder while I was working and it is not necessary
anymore indeed.
  
> > +static int gss_proxy_save_rsc(struct cache_detail *cd,
> > +				struct gssp_upcall_data *ud,
> > +				struct xdr_netobj *handle)
> > +{
> > +	struct rsc rsci, *rscp = NULL;
> > +	static atomic64_t ctxhctr;
> > +	long long ctxh;
> > +	struct gss_api_mech *gm = NULL;
> > +	time_t expiry;
> > +	char *c;
> > +	int status = -EINVAL;
> > +
> > +	memset(&rsci, 0, sizeof(rsci));
> > +	/* context handle */
> > +	status = -ENOMEM;
> > +	/* the handle needs to be just a unique id,
> > +	 * use a static counter */
> > +	ctxh = atomic64_inc_return(&ctxhctr);
> > +	handle->data = kmemdup(&ctxh, sizeof(ctxh), GFP_KERNEL);
> 
> Looks like you use this only to dup again immediately below in
> dup_to_netobj, so you should just be able to make that:

No this is duplicated on handle->data, where handle is a pointer passed
to us by the caller.

It is later passed to gss_write_init_verf() and finally freed when
svcauth_gss_proxy_init exits, so no leak.

> 	handle->data = &ctxh;
> 
> That's simpler and looks like it avoids a leak on exit.
> 
> > +	if (handle->data == NULL)
> > +		goto out;
> > +	handle->len = sizeof(ctxh);
> > +	if (dup_to_netobj(&rsci.handle, handle->data, handle->len))
> > +		goto out;
> > +
> > +	rscp = rsc_lookup(cd, &rsci);
> > +	if (!rscp)
> > +		goto out;
> > +
> > +	/* creds */
> > +	if (!ud->creds) {
> > +		dprintk("RPC:       No creds found, marking Negative!\n");
> > +		set_bit(CACHE_NEGATIVE, &rsci.h.flags);
> 
> When does this happen, out of curiosity?

Actually it shouldn't happen, but I maintained the same code structure
that was previously in place.
I think that with the latest changes now I always return (uid = -1, gid
= -1, no additional groups if a mapping can't be found).
However on the off chance that user space does not return a credential
struct we catch it here.

> > +	/* Perform synchronous upcall to gss-proxy */
> > +	status = gssp_accept_sec_context_upcall(&ud);
> > +	if (status) {
> > +		goto out;
> > +	}
> 
> Ditch the {}'s.

ok

Will include these changes in the next patchset, as soon as I can test
that I made no regressions with the latest kmalloc rearrangements.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

Re: [PATCH 4/4] SUNRPC: Use gssproxy upcall for nfsd's RPCGSS authentication.

[J. Bruce Fields]

On Thu, May 24, 2012 at 12:31:51AM -0400, Simo Sorce wrote:
> On Tue, 2012-05-22 at 18:48 -0400, J. Bruce Fields wrote:
> > On Tue, May 15, 2012 at 09:12:30AM -0400, Simo Sorce wrote:
> 
> > > +static inline int
> > > +gss_read_proxy_verf(struct svc_rqst *rqstp,
> > > +		    struct rpc_gss_wire_cred *gc, __be32 *authp,
> > > +		    struct xdr_netobj *in_handle,
> > > +		    struct gssp_in_token *in_token)
> > > +{
> [..]
> > > +	/* FIXME: change argv to point to the end of in_token ? */
> > 
> > There's nothing left to read, so it looks like there's no problem here;
> > drop the comment?
> 
> Dropping, was a reminder while I was working and it is not necessary
> anymore indeed.
>   
> > > +static int gss_proxy_save_rsc(struct cache_detail *cd,
> > > +				struct gssp_upcall_data *ud,
> > > +				struct xdr_netobj *handle)
> > > +{
> > > +	struct rsc rsci, *rscp = NULL;
> > > +	static atomic64_t ctxhctr;
> > > +	long long ctxh;
> > > +	struct gss_api_mech *gm = NULL;
> > > +	time_t expiry;
> > > +	char *c;
> > > +	int status = -EINVAL;
> > > +
> > > +	memset(&rsci, 0, sizeof(rsci));
> > > +	/* context handle */
> > > +	status = -ENOMEM;
> > > +	/* the handle needs to be just a unique id,
> > > +	 * use a static counter */
> > > +	ctxh = atomic64_inc_return(&ctxhctr);
> > > +	handle->data = kmemdup(&ctxh, sizeof(ctxh), GFP_KERNEL);
> > 
> > Looks like you use this only to dup again immediately below in
> > dup_to_netobj, so you should just be able to make that:
> 
> No this is duplicated on handle->data, where handle is a pointer passed
> to us by the caller.

Obviously I can't read.

> 
> It is later passed to gss_write_init_verf() and finally freed when
> svcauth_gss_proxy_init exits, so no leak.
> 
> > 	handle->data = &ctxh;
> > 
> > That's simpler and looks like it avoids a leak on exit.
> > 
> > > +	if (handle->data == NULL)
> > > +		goto out;
> > > +	handle->len = sizeof(ctxh);
> > > +	if (dup_to_netobj(&rsci.handle, handle->data, handle->len))

But why do we need two copies of the thing?

Would it be simpler to pass the new rsc back to the caller?

> > > +		goto out;
> > > +
> > > +	rscp = rsc_lookup(cd, &rsci);
> > > +	if (!rscp)
> > > +		goto out;
> > > +
> > > +	/* creds */
> > > +	if (!ud->creds) {
> > > +		dprintk("RPC:       No creds found, marking Negative!\n");
> > > +		set_bit(CACHE_NEGATIVE, &rsci.h.flags);
> > 
> > When does this happen, out of curiosity?
> 
> Actually it shouldn't happen, but I maintained the same code structure
> that was previously in place.
> I think that with the latest changes now I always return (uid = -1, gid
> = -1, no additional groups if a mapping can't be found).
> However on the off chance that user space does not return a credential
> struct we catch it here.

So the result will be to return success to the client on the
init_sec_context call but then to fail their future attempts to use that
handle?

If so, seems like it would be better to return an error and not bother
adding a negative entry to the cache.

--b.

> 
> > > +	/* Perform synchronous upcall to gss-proxy */
> > > +	status = gssp_accept_sec_context_upcall(&ud);
> > > +	if (status) {
> > > +		goto out;
> > > +	}
> > 
> > Ditch the {}'s.
> 
> ok
> 
> Will include these changes in the next patchset, as soon as I can test
> that I made no regressions with the latest kmalloc rearrangements.
> 
> Simo.
> 
> -- 
> Simo Sorce * Red Hat, Inc * New York
> 

Re: [PATCH 4/4] SUNRPC: Use gssproxy upcall for nfsd's RPCGSS authentication.

[Simo Sorce]

On Thu, 2012-05-24 at 07:08 -0400, J. Bruce Fields wrote:
> On Thu, May 24, 2012 at 12:31:51AM -0400, Simo Sorce wrote:
> > On Tue, 2012-05-22 at 18:48 -0400, J. Bruce Fields wrote:
> > > On Tue, May 15, 2012 at 09:12:30AM -0400, Simo Sorce wrote:
> > 
> > > > +static inline int
> > > > +gss_read_proxy_verf(struct svc_rqst *rqstp,
> > > > +		    struct rpc_gss_wire_cred *gc, __be32 *authp,
> > > > +		    struct xdr_netobj *in_handle,
> > > > +		    struct gssp_in_token *in_token)
> > > > +{
> > [..]
> > > > +	/* FIXME: change argv to point to the end of in_token ? */
> > > 
> > > There's nothing left to read, so it looks like there's no problem here;
> > > drop the comment?
> > 
> > Dropping, was a reminder while I was working and it is not necessary
> > anymore indeed.
> >   
> > > > +static int gss_proxy_save_rsc(struct cache_detail *cd,
> > > > +				struct gssp_upcall_data *ud,
> > > > +				struct xdr_netobj *handle)
> > > > +{
> > > > +	struct rsc rsci, *rscp = NULL;
> > > > +	static atomic64_t ctxhctr;
> > > > +	long long ctxh;
> > > > +	struct gss_api_mech *gm = NULL;
> > > > +	time_t expiry;
> > > > +	char *c;
> > > > +	int status = -EINVAL;
> > > > +
> > > > +	memset(&rsci, 0, sizeof(rsci));
> > > > +	/* context handle */
> > > > +	status = -ENOMEM;
> > > > +	/* the handle needs to be just a unique id,
> > > > +	 * use a static counter */
> > > > +	ctxh = atomic64_inc_return(&ctxhctr);
> > > > +	handle->data = kmemdup(&ctxh, sizeof(ctxh), GFP_KERNEL);
> > > 
> > > Looks like you use this only to dup again immediately below in
> > > dup_to_netobj, so you should just be able to make that:
> > 
> > No this is duplicated on handle->data, where handle is a pointer passed
> > to us by the caller.
> 
> Obviously I can't read.
> 
> > 
> > It is later passed to gss_write_init_verf() and finally freed when
> > svcauth_gss_proxy_init exits, so no leak.
> > 
> > > 	handle->data = &ctxh;
> > > 
> > > That's simpler and looks like it avoids a leak on exit.
> > > 
> > > > +	if (handle->data == NULL)
> > > > +		goto out;
> > > > +	handle->len = sizeof(ctxh);
> > > > +	if (dup_to_netobj(&rsci.handle, handle->data, handle->len))
> 
> But why do we need two copies of the thing?

Yeah no great reason to, seemed the most expedient way at the time I
modified the function to get a unique handle, given the existing
prototype I had.

> Would it be simpler to pass the new rsc back to the caller?

I guess we could do that, I didn't because I am not sure if there is any
chance the rsc cache can be removed by another thread while we hold a
pointer to this data.
In the gss_write_init_verf() funciotn we use that handle to find again
the same rsc cache we just created, but I can't change that as it is the
same code used in the legacy upcall which needs to search it in there.
So the current approach seemed the least invasive and simpler.

However what I can do, perhaps is to pass in a static netobj allocated
on the callers stack, so we do not need the kmalloc, after all it is a
very small buffer so it wouldn't cause issues to put it on the stack,
what do you think ?

> > > > +		goto out;
> > > > +
> > > > +	rscp = rsc_lookup(cd, &rsci);
> > > > +	if (!rscp)
> > > > +		goto out;
> > > > +
> > > > +	/* creds */
> > > > +	if (!ud->creds) {
> > > > +		dprintk("RPC:       No creds found, marking Negative!\n");
> > > > +		set_bit(CACHE_NEGATIVE, &rsci.h.flags);
> > > 
> > > When does this happen, out of curiosity?
> > 
> > Actually it shouldn't happen, but I maintained the same code structure
> > that was previously in place.
> > I think that with the latest changes now I always return (uid = -1, gid
> > = -1, no additional groups if a mapping can't be found).
> > However on the off chance that user space does not return a credential
> > struct we catch it here.
> 
> So the result will be to return success to the client on the
> init_sec_context call but then to fail their future attempts to use that
> handle?

> If so, seems like it would be better to return an error and not bother
> adding a negative entry to the cache.

Well if we do not add the negative cache we end up looping to user space
each time the client attempts to call in. If the result was just a fluke
in user space, then it will not be a problem, but if user space is
somehow misbehaving I would rather have the kernel 'blacklist' this
client for a while, no ?

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

Re: [PATCH 4/4] SUNRPC: Use gssproxy upcall for nfsd's RPCGSS authentication.

[J. Bruce Fields]

On Thu, May 24, 2012 at 09:19:26AM -0400, Simo Sorce wrote:
> On Thu, 2012-05-24 at 07:08 -0400, J. Bruce Fields wrote:
> > On Thu, May 24, 2012 at 12:31:51AM -0400, Simo Sorce wrote:
> > > On Tue, 2012-05-22 at 18:48 -0400, J. Bruce Fields wrote:
> > > > On Tue, May 15, 2012 at 09:12:30AM -0400, Simo Sorce wrote:
> > > 
> > > > > +static inline int
> > > > > +gss_read_proxy_verf(struct svc_rqst *rqstp,
> > > > > +		    struct rpc_gss_wire_cred *gc, __be32 *authp,
> > > > > +		    struct xdr_netobj *in_handle,
> > > > > +		    struct gssp_in_token *in_token)
> > > > > +{
> > > [..]
> > > > > +	/* FIXME: change argv to point to the end of in_token ? */
> > > > 
> > > > There's nothing left to read, so it looks like there's no problem here;
> > > > drop the comment?
> > > 
> > > Dropping, was a reminder while I was working and it is not necessary
> > > anymore indeed.
> > >   
> > > > > +static int gss_proxy_save_rsc(struct cache_detail *cd,
> > > > > +				struct gssp_upcall_data *ud,
> > > > > +				struct xdr_netobj *handle)
> > > > > +{
> > > > > +	struct rsc rsci, *rscp = NULL;
> > > > > +	static atomic64_t ctxhctr;
> > > > > +	long long ctxh;
> > > > > +	struct gss_api_mech *gm = NULL;
> > > > > +	time_t expiry;
> > > > > +	char *c;
> > > > > +	int status = -EINVAL;
> > > > > +
> > > > > +	memset(&rsci, 0, sizeof(rsci));
> > > > > +	/* context handle */
> > > > > +	status = -ENOMEM;
> > > > > +	/* the handle needs to be just a unique id,
> > > > > +	 * use a static counter */
> > > > > +	ctxh = atomic64_inc_return(&ctxhctr);
> > > > > +	handle->data = kmemdup(&ctxh, sizeof(ctxh), GFP_KERNEL);
> > > > 
> > > > Looks like you use this only to dup again immediately below in
> > > > dup_to_netobj, so you should just be able to make that:
> > > 
> > > No this is duplicated on handle->data, where handle is a pointer passed
> > > to us by the caller.
> > 
> > Obviously I can't read.
> > 
> > > 
> > > It is later passed to gss_write_init_verf() and finally freed when
> > > svcauth_gss_proxy_init exits, so no leak.
> > > 
> > > > 	handle->data = &ctxh;
> > > > 
> > > > That's simpler and looks like it avoids a leak on exit.
> > > > 
> > > > > +	if (handle->data == NULL)
> > > > > +		goto out;
> > > > > +	handle->len = sizeof(ctxh);
> > > > > +	if (dup_to_netobj(&rsci.handle, handle->data, handle->len))
> > 
> > But why do we need two copies of the thing?
> 
> Yeah no great reason to, seemed the most expedient way at the time I
> modified the function to get a unique handle, given the existing
> prototype I had.
> 
> > Would it be simpler to pass the new rsc back to the caller?
> 
> I guess we could do that, I didn't because I am not sure if there is any
> chance the rsc cache can be removed by another thread while we hold a
> pointer to this data.
> In the gss_write_init_verf() funciotn we use that handle to find again
> the same rsc cache we just created, but I can't change that as it is the
> same code used in the legacy upcall which needs to search it in there.
> So the current approach seemed the least invasive and simpler.
> 
> However what I can do, perhaps is to pass in a static netobj allocated
> on the callers stack, so we do not need the kmalloc, after all it is a
> very small buffer so it wouldn't cause issues to put it on the stack,
> what do you think ?

Whatever results in the easier-to-understand code at the end.

> > > > > +		goto out;
> > > > > +
> > > > > +	rscp = rsc_lookup(cd, &rsci);
> > > > > +	if (!rscp)
> > > > > +		goto out;
> > > > > +
> > > > > +	/* creds */
> > > > > +	if (!ud->creds) {
> > > > > +		dprintk("RPC:       No creds found, marking Negative!\n");
> > > > > +		set_bit(CACHE_NEGATIVE, &rsci.h.flags);
> > > > 
> > > > When does this happen, out of curiosity?
> > > 
> > > Actually it shouldn't happen, but I maintained the same code structure
> > > that was previously in place.
> > > I think that with the latest changes now I always return (uid = -1, gid
> > > = -1, no additional groups if a mapping can't be found).
> > > However on the off chance that user space does not return a credential
> > > struct we catch it here.
> > 
> > So the result will be to return success to the client on the
> > init_sec_context call but then to fail their future attempts to use that
> > handle?
> 
> > If so, seems like it would be better to return an error and not bother
> > adding a negative entry to the cache.
> 
> Well if we do not add the negative cache we end up looping to user space
> each time the client attempts to call in. If the result was just a fluke
> in user space, then it will not be a problem, but if user space is
> somehow misbehaving I would rather have the kernel 'blacklist' this
> client for a while, no ?

Since this would be a bug in our code (kernel or userspace), let's do
whatever makes it most obvious it's a bug.  At a minimum, a /* userspace
is buggy */ comment there.

--b.

Re: [PATCH 4/4] SUNRPC: Use gssproxy upcall for nfsd's RPCGSS authentication.

[Simo Sorce]

On Fri, 2012-05-25 at 10:05 -0400, J. Bruce Fields wrote:
> On Thu, May 24, 2012 at 09:19:26AM -0400, Simo Sorce wrote:
> > On Thu, 2012-05-24 at 07:08 -0400, J. Bruce Fields wrote:
> > > On Thu, May 24, 2012 at 12:31:51AM -0400, Simo Sorce wrote:
> > > > On Tue, 2012-05-22 at 18:48 -0400, J. Bruce Fields wrote:
> > > > > On Tue, May 15, 2012 at 09:12:30AM -0400, Simo Sorce wrote:
> > > > 
> > > > > > +static inline int
> > > > > > +gss_read_proxy_verf(struct svc_rqst *rqstp,
> > > > > > +		    struct rpc_gss_wire_cred *gc, __be32 *authp,
> > > > > > +		    struct xdr_netobj *in_handle,
> > > > > > +		    struct gssp_in_token *in_token)
> > > > > > +{
> > > > [..]
> > > > > > +	/* FIXME: change argv to point to the end of in_token ? */
> > > > > 
> > > > > There's nothing left to read, so it looks like there's no problem here;
> > > > > drop the comment?
> > > > 
> > > > Dropping, was a reminder while I was working and it is not necessary
> > > > anymore indeed.
> > > >   
> > > > > > +static int gss_proxy_save_rsc(struct cache_detail *cd,
> > > > > > +				struct gssp_upcall_data *ud,
> > > > > > +				struct xdr_netobj *handle)
> > > > > > +{
> > > > > > +	struct rsc rsci, *rscp = NULL;
> > > > > > +	static atomic64_t ctxhctr;
> > > > > > +	long long ctxh;
> > > > > > +	struct gss_api_mech *gm = NULL;
> > > > > > +	time_t expiry;
> > > > > > +	char *c;
> > > > > > +	int status = -EINVAL;
> > > > > > +
> > > > > > +	memset(&rsci, 0, sizeof(rsci));
> > > > > > +	/* context handle */
> > > > > > +	status = -ENOMEM;
> > > > > > +	/* the handle needs to be just a unique id,
> > > > > > +	 * use a static counter */
> > > > > > +	ctxh = atomic64_inc_return(&ctxhctr);
> > > > > > +	handle->data = kmemdup(&ctxh, sizeof(ctxh), GFP_KERNEL);
> > > > > 
> > > > > Looks like you use this only to dup again immediately below in
> > > > > dup_to_netobj, so you should just be able to make that:
> > > > 
> > > > No this is duplicated on handle->data, where handle is a pointer passed
> > > > to us by the caller.
> > > 
> > > Obviously I can't read.
> > > 
> > > > 
> > > > It is later passed to gss_write_init_verf() and finally freed when
> > > > svcauth_gss_proxy_init exits, so no leak.
> > > > 
> > > > > 	handle->data = &ctxh;
> > > > > 
> > > > > That's simpler and looks like it avoids a leak on exit.
> > > > > 
> > > > > > +	if (handle->data == NULL)
> > > > > > +		goto out;
> > > > > > +	handle->len = sizeof(ctxh);
> > > > > > +	if (dup_to_netobj(&rsci.handle, handle->data, handle->len))
> > > 
> > > But why do we need two copies of the thing?
> > 
> > Yeah no great reason to, seemed the most expedient way at the time I
> > modified the function to get a unique handle, given the existing
> > prototype I had.
> > 
> > > Would it be simpler to pass the new rsc back to the caller?
> > 
> > I guess we could do that, I didn't because I am not sure if there is any
> > chance the rsc cache can be removed by another thread while we hold a
> > pointer to this data.
> > In the gss_write_init_verf() funciotn we use that handle to find again
> > the same rsc cache we just created, but I can't change that as it is the
> > same code used in the legacy upcall which needs to search it in there.
> > So the current approach seemed the least invasive and simpler.
> > 
> > However what I can do, perhaps is to pass in a static netobj allocated
> > on the callers stack, so we do not need the kmalloc, after all it is a
> > very small buffer so it wouldn't cause issues to put it on the stack,
> > what do you think ?
> 
> Whatever results in the easier-to-understand code at the end.

Ok, I think the easiest way is to pass in a pointer to a uin64_t to be
filled with ctxh, and use it to fill cli_handle in the caller.
This makes it all more understandable to me, and avoids the kmalloc.

> > > > > > +		goto out;
> > > > > > +
> > > > > > +	rscp = rsc_lookup(cd, &rsci);
> > > > > > +	if (!rscp)
> > > > > > +		goto out;
> > > > > > +
> > > > > > +	/* creds */
> > > > > > +	if (!ud->creds) {
> > > > > > +		dprintk("RPC:       No creds found, marking Negative!\n");
> > > > > > +		set_bit(CACHE_NEGATIVE, &rsci.h.flags);
> > > > > 
> > > > > When does this happen, out of curiosity?
> > > > 
> > > > Actually it shouldn't happen, but I maintained the same code structure
> > > > that was previously in place.
> > > > I think that with the latest changes now I always return (uid = -1, gid
> > > > = -1, no additional groups if a mapping can't be found).
> > > > However on the off chance that user space does not return a credential
> > > > struct we catch it here.
> > > 
> > > So the result will be to return success to the client on the
> > > init_sec_context call but then to fail their future attempts to use that
> > > handle?
> > 
> > > If so, seems like it would be better to return an error and not bother
> > > adding a negative entry to the cache.
> > 
> > Well if we do not add the negative cache we end up looping to user space
> > each time the client attempts to call in. If the result was just a fluke
> > in user space, then it will not be a problem, but if user space is
> > somehow misbehaving I would rather have the kernel 'blacklist' this
> > client for a while, no ?
> 
> Since this would be a bug in our code (kernel or userspace), let's do
> whatever makes it most obvious it's a bug.  At a minimum, a /* userspace
> is buggy */ comment there.

Will do.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

[PATCH 2/4] SUNRPC: Document a bit RPCGSS handling in the NFS Server

[Simo Sorce]

Includes changes intorduced by GSS-Proxy.

Signed-off-by: Simo Sorce <simo@redhat.com>
---
 Documentation/filesystems/nfs/00-INDEX         |    2 +
 Documentation/filesystems/nfs/knfsd-rpcgss.txt |   65 ++++++++++++++++++++++++
 2 files changed, 67 insertions(+), 0 deletions(-)
 create mode 100644 Documentation/filesystems/nfs/knfsd-rpcgss.txt

diff --git a/Documentation/filesystems/nfs/00-INDEX b/Documentation/filesystems/nfs/00-INDEX
index 1716874a651e1c574e7ca9719dfb4e3521b0a5e9..66eb6c8c5334518ddbc10115c7b34b4dfb1b3c0e 100644
--- a/Documentation/filesystems/nfs/00-INDEX
+++ b/Documentation/filesystems/nfs/00-INDEX
@@ -20,3 +20,5 @@ rpc-cache.txt
 	- introduction to the caching mechanisms in the sunrpc layer.
 idmapper.txt
 	- information for configuring request-keys to be used by idmapper
+knfsd-rpcgss.txt
+	- Information on GSS authentication support in the NFS Server
diff --git a/Documentation/filesystems/nfs/knfsd-rpcgss.txt b/Documentation/filesystems/nfs/knfsd-rpcgss.txt
new file mode 100644
index 0000000000000000000000000000000000000000..914aa536273b986539d7859092e2c0f139ce5535
--- /dev/null
+++ b/Documentation/filesystems/nfs/knfsd-rpcgss.txt
@@ -0,0 +1,65 @@
+
+Kernel NFS Server RPCGSS Support
+================================
+
+This document gives references to the standards and protocols used to
+implement RPCGSS authentication in the NFS Server.
+
+RPCGSS is specified in a few IETF documents:
+ - RFC2203 v1: http://tools.ietf.org/rfc/rfc2203.txt
+ - RFC5403 v2: http://tools.ietf.org/rfc/rfc5403.txt
+and there is a 3rd version  being proposed:
+ - http://tools.ietf.org/id/draft-williams-rpcsecgssv3.txt
+   (At draft n. 02 at the time of writing)
+
+Background
+----------
+
+The RPCGSS Authentication method describes a way to perform GSSAPI
+Authentication for NFS.
+Although GSSAPI is itself completely mechanism agnostic, in many cases only
+the KRB5 mechanism is supported by NFS implementations.
+
+The Linux kernel, at the moment, supports only the KRB5 mechanism, and depends
+on GSSAPI extensions that are KRB5 specific.
+
+GSSAPI is a complex library, and implementing it completely in kernel is
+unwarranted. However GSSAPI operations are fundementally separable in 2 parts:
+- context establishment
+- integrity/privacy protection (read: signing and encrypting)
+
+The first part is the complex one, while the actual integrity and privacy
+protecion is simple enough.
+Because of the complexity of context establishment, the NFS Server defers the
+operation to the userspace througuh the use of upcalls.
+
+NFS Server Legacy Upcall mechanism
+----------------------------------
+
+The classic upcall mechanism uses a custom text based upcall mechanism to talk
+to a custom daemon called rpc.svcgssd that is provide by the nfs-utils package.
+
+This upcall mechanism has 2 limitations:
+A) Can handle tokens that are no bigger than 2KiB
+
+In some Kerberos deployment GSSAPI tokens can be quite big, up and beyond 64KiB
+in size due to various authorization extensions attacked to the Kerberos
+tickets, that needs to be sent through the GSS layer in order to perform
+context establishment.
+
+B) Does not properly handle creds where the user is member of more than a few
+housand groups (the current hard limit in the kernel is 65K groups) due to
+limitation on the size of the buffer that can be send back to the kernel (4KiB).
+
+NFS Server New RPC Upcall mechanism
+-----------------------------------
+
+A new upcall mechanism that uses RPC over a Unix socket is added. This
+mechanism uses a protocol called gss-proxy, and user space program that
+implements it called Gssproxy. The gss_proxy RPC protocol is currently document
+here: https://fedorahosted.org/gss-proxy/wiki/ProtocolDocumentation
+
+This upcall mechanism uses the kernel rpc client and connects to the gssproxy
+userspace program over a regular unix socket. The gssproxy protocol does not
+suffer from the size limitations of the legacy protocol.
+
-- 
1.7.7.6