From patchwork Fri Dec 23 16:04:27 2016
X-Patchwork-Submitter: Andy Adamson
X-Patchwork-Id: 9487585
-0800 (PST) From: To: CC: , , Andy Adamson Subject: [PATCH Version 3 15/16] SUNRPC SVCAUTH_GSS set gss3 label on nfsd thread Date: Fri, 23 Dec 2016 11:04:27 -0500 Message-ID: <1482509068-24516-16-git-send-email-andros@netapp.com> X-Mailer: git-send-email 1.8.3.1 In-Reply-To: <1482509068-24516-1-git-send-email-andros@netapp.com> References: <1482509068-24516-1-git-send-email-andros@netapp.com> MIME-Version: 1.0 Sender: linux-nfs-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-nfs@vger.kernel.org X-Virus-Scanned: ClamAV using ClamSMTP From: Andy Adamson Signed-off-by: Andy Adamson --- fs/nfsd/auth.c | 11 ++++++++++- include/linux/sunrpc/svcauth.h | 1 + net/sunrpc/auth_gss/svcauth_gss.c | 41 +++++++++++++++++++++++++++++++++++++++ 3 files changed, 52 insertions(+), 1 deletion(-) diff --git a/fs/nfsd/auth.c b/fs/nfsd/auth.c index 62469c6..02756b2 100644 --- a/fs/nfsd/auth.c +++ b/fs/nfsd/auth.c @@ -1,6 +1,7 @@ /* Copyright (C) 1995, 1996 Olaf Kirch */ #include +#include #include "nfsd.h" #include "auth.h" @@ -22,7 +23,7 @@ int nfsd_setuser(struct svc_rqst *rqstp, struct svc_export *exp) struct group_info *rqgi; struct group_info *gi; struct cred *new; - int i; + int i, ret; int flags = nfsexp_flags(rqstp, exp); validate_process_creds(); @@ -77,6 +78,14 @@ int nfsd_setuser(struct svc_rqst *rqstp, struct svc_export *exp) else new->cap_effective = cap_raise_nfsd_set(new->cap_effective, new->cap_permitted); + + /* Need a test for FULL labeling.*/ + if (selinux_is_enabled() && rqstp->rq_authop->set_label) { + ret = rqstp->rq_authop->set_label(rqstp, new); + if (ret < 0) + /* Should nfsd fail this request? */ + pr_warn("%s set_label FAILED ret %d\n", __func__, ret); + } validate_process_creds(); put_cred(override_creds(new)); put_cred(new); diff --git a/include/linux/sunrpc/svcauth.h b/include/linux/sunrpc/svcauth.h index d039320..eed6880 100644 --- a/include/linux/sunrpc/svcauth.h +++ b/include/linux/sunrpc/svcauth.h 
@@ -128,6 +128,7 @@ struct auth_ops { int (*release)(struct svc_rqst *rq); void (*domain_release)(struct auth_domain *); int (*set_client)(struct svc_rqst *rq); + int (*set_label)(struct svc_rqst *rq, struct cred *new); }; #define SVC_GARBAGE 1 diff --git a/net/sunrpc/auth_gss/svcauth_gss.c b/net/sunrpc/auth_gss/svcauth_gss.c index 7e675c2..c89ecca 100644 --- a/net/sunrpc/auth_gss/svcauth_gss.c +++ b/net/sunrpc/auth_gss/svcauth_gss.c @@ -1065,6 +1065,46 @@ struct gss_svc_data { return SVC_OK; } +/** + * the svcdata->rsci pointer is the parent context. + * the svcdata->cl_cred->gc_ctx may hold the child context handle + * assume one GSS3_LABEL per child context. + */ +static int +svcauth_gss_set_label(struct svc_rqst *rqstp, struct cred *new) +{ + struct gss_svc_data *svcdata = rqstp->rq_auth_data; + struct rpc_gss_wire_cred *gc = &svcdata->clcred; + struct sunrpc_net *sn = net_generic(rqstp->rq_xprt->xpt_net, + sunrpc_net_id); + struct rsc *rsci; + struct gss3_svc_assert *g3a; + struct gss3_label *g3l; + int ret = -1; + + rsci = gss_svc_searchbyctx(sn->rsc_cache, &gc->gc_ctx); + if (!rsci) + goto out; + + if (rsci->parent_handle.len == 0 || !rsci->assertions) + goto out_put; + + g3a = rsci->assertions; + g3l = &g3a->sa_assert.u.au_label; + + if (g3a->sa_num != 1 || g3a->sa_assert.au_type != GSS3_LABEL || + g3l->la_label.len == 0) + goto out_put; + + /* Assume SeLinux - need to validate la_lfs and la_pi ? */ + ret = set_security_override_from_ctx(new, (char *)g3l->la_label.data); + +out_put: + cache_put(&rsci->h, sn->rsc_cache); +out: + return ret; +} + static inline int gss_write_init_verf(struct cache_detail *cd, struct svc_rqst *rqstp, struct rpc_gss_wire_cred *gc, @@ -2083,6 +2123,7 @@ static void gss3_free_svc_assert(struct gss3_svc_assert *g3a) .release = svcauth_gss_release, .domain_release = svcauth_gss_domain_release, .set_client = svcauth_gss_set_client, + .set_label = svcauth_gss_set_label, }; static int rsi_cache_create_net(struct net *net)
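Review bot: in the nfsd_setuser() hunk of fs/nfsd/auth.c, a failing set_label() is only logged and the request then runs under the credential's previous security context, which is the fail-open outcome the in-line comment ("Should nfsd fail this request?") leaves undecided. Because the label comes from the client's GSS3 assertion, a label the LSM rejects is exactly the case in which the request should not proceed under the unlabeled thread context; returning the error from nfsd_setuser() (or stating in the comment why fail-open is acceptable) would be safer. Two smaller points on the same lines: svcauth_gss_set_label() returns -1 both for the ordinary "no child context / no label present" case and for a rejected label, so this pr_warn() fires for every RPCSEC_GSS request that simply carries no label; and since the message is reachable per request from remote input, pr_warn_ratelimited() is preferable to an unconditional pr_warn() in the nfsd thread path. The selinux_is_enabled() test also ties a generic auth_ops hook to one LSM, which the "Need a test for FULL labeling" comment already flags as unfinished.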
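Review bot: the new set_label member of struct auth_ops in include/linux/sunrpc/svcauth.h has no comment describing its contract: when it is called, whether @new may already be modified on a failing return, and what the return value means (the nfsd caller treats any negative value as failure, while the GSS implementation returns -1 rather than an errno for the "no label present" case). A short comment above the member, for example `/* apply the security label carried by the RPC credential, if any, to @new: 0 on success or when no label is present, -errno on failure */`, would pin this down before other auth flavours implement the hook.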
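Review bot: in svcauth_gss_set_label(), g3l->la_label.data is passed to set_security_override_from_ctx() as a bare char *, dropping la_label.len; that helper expects a NUL-terminated context string, so the call is only safe if the XDR decoder that filled la_label guarantees a terminating NUL inside the allocation. Please confirm that on the decode side, or build a bounded string explicitly before the call (for example with kstrndup(g3l->la_label.data, g3l->la_label.len, GFP_KERNEL)) instead of relying on the cast. The open question in the comment ("need to validate la_lfs and la_pi ?") should be settled in the same function: la_lfs is the client-supplied label format, and nothing here checks that it matches the LSM that will interpret the label, so a label in another format is handed straight to the SELinux override. Also, ret starts at -1 rather than an errno, and the "not a child context" and "no assertions" exits share that value with a genuine LSM failure; returning 0 on the no-label exits and the error from set_security_override_from_ctx() otherwise would let the caller distinguish the two. Style: the block comment above the function opens with the kernel-doc `/**` marker without a kernel-doc function line, and it refers to svcdata->cl_cred while the code uses svcdata->clcred.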