summaryrefslogtreecommitdiff
path: root/fs/nfsd/export.c
diff options
context:
space:
mode:
authorAndy Adamson <andros@citi.umich.edu>2007-07-17 04:04:48 -0700
committerLinus Torvalds <torvalds@woody.linux-foundation.org>2007-07-17 10:23:08 -0700
commit32c1eb0cd7ee00b5eb7b6f7059c635fbc1052966 (patch)
treec1a15e47d2dd93417b38d374346332809d461bda /fs/nfsd/export.c
parent6c0a654dceaa4342270306de77eadb0173dfb58a (diff)
downloadlwn-32c1eb0cd7ee00b5eb7b6f7059c635fbc1052966.tar.gz
lwn-32c1eb0cd7ee00b5eb7b6f7059c635fbc1052966.zip
knfsd: nfsd4: return nfserr_wrongsec
Make the first actual use of the secinfo information by using it to return nfserr_wrongsec when an export is found that doesn't allow the flavor used on this request. Signed-off-by: J. Bruce Fields <bfields@citi.umich.edu> Signed-off-by: Andy Adamson <andros@citi.umich.edu> Signed-off-by: Neil Brown <neilb@suse.de> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Diffstat (limited to 'fs/nfsd/export.c')
-rw-r--r--fs/nfsd/export.c26
1 files changed, 26 insertions, 0 deletions
diff --git a/fs/nfsd/export.c b/fs/nfsd/export.c
index 4537a8f5cb9a..323cbdcc9bfd 100644
--- a/fs/nfsd/export.c
+++ b/fs/nfsd/export.c
@@ -1228,6 +1228,28 @@ exp_find(struct auth_domain *clp, int fsid_type, u32 *fsidv,
return exp;
}
+__be32 check_nfsd_access(struct svc_export *exp, struct svc_rqst *rqstp)
+{
+ struct exp_flavor_info *f;
+ struct exp_flavor_info *end = exp->ex_flavors + exp->ex_nflavors;
+
+ /* legacy gss-only clients are always OK: */
+ if (exp->ex_client == rqstp->rq_gssclient)
+ return 0;
+ /* ip-address based client; check sec= export option: */
+ for (f = exp->ex_flavors; f < end; f++) {
+ if (f->pseudoflavor == rqstp->rq_flavor)
+ return 0;
+ }
+ /* defaults in absence of sec= options: */
+ if (exp->ex_nflavors == 0) {
+ if (rqstp->rq_flavor == RPC_AUTH_NULL ||
+ rqstp->rq_flavor == RPC_AUTH_UNIX)
+ return 0;
+ }
+ return nfserr_wrongsec;
+}
+
/*
* Uses rq_client and rq_gssclient to find an export; uses rq_client (an
* auth_unix client) if it's available and has secinfo information;
@@ -1340,6 +1362,10 @@ exp_pseudoroot(struct svc_rqst *rqstp, struct svc_fh *fhp)
if (IS_ERR(exp))
return nfserrno(PTR_ERR(exp));
rv = fh_compose(fhp, exp, exp->ex_dentry, NULL);
+ if (rv)
+ goto out;
+ rv = check_nfsd_access(exp, rqstp);
+out:
exp_put(exp);
return rv;
}