From patchwork Mon Mar 20 14:35:32 2023
X-Patchwork-Submitter: Chuck Lever
X-Patchwork-Id: 13181329
Subject: [PATCH v1 1/4] libexports: Fix whitespace damage
 in support/nfs/exports.c
From: Chuck Lever
To: SteveD@redhat.com
Cc: linux-nfs@vger.kernel.org
Date: Mon, 20 Mar 2023 10:35:32 -0400
Message-ID: <167932293228.3437.14241976367971874225.stgit@manet.1015granger.net>
In-Reply-To: <167932279970.3437.7130911928591001093.stgit@manet.1015granger.net>
References: <167932279970.3437.7130911928591001093.stgit@manet.1015granger.net>
X-Mailing-List: linux-nfs@vger.kernel.org

From: Chuck Lever

Clean up.

Signed-off-by: Chuck Lever
---
 support/nfs/exports.c | 15 +++++++--------
 1 file changed, 7 insertions(+), 8 deletions(-)

diff --git a/support/nfs/exports.c b/support/nfs/exports.c index 2c8f0752ad9d..7f12383981c3 100644 --- a/support/nfs/exports.c +++ b/support/nfs/exports.c @@ -122,7 +122,7 @@ getexportent(int fromkernel, int fromexports) if (first || (ok = getexport(exp, sizeof(exp))) == 0) { has_default_opts = 0; has_default_subtree_opts = 0; - + init_exportent(&def_ee, fromkernel); ok = getpath(def_ee.e_path, sizeof(def_ee.e_path)); @@ -146,7 +146,7 @@ getexportent(int fromkernel, int fromexports) if (exp[0] == '-' && !fromkernel) { if (parseopts(exp + 1, &def_ee, 0, &has_default_subtree_opts) < 0) return NULL; - + has_default_opts = 1; ok = getexport(exp, sizeof(exp)); @@ -239,7 +239,6 @@ void secinfo_show(FILE *fp, struct exportent *ep) if (ep->e_secinfo[0].flav == NULL) secinfo_addflavor(find_flavor("sys"), ep); for (p1=ep->e_secinfo; p1->flav; p1=p2) { - fprintf(fp, ",sec=%s", p1->flav->flavour); for (p2=p1+1; (p2->flav != NULL) && (p1->flags == p2->flags); p2++) { @@ -621,7 +620,7 @@ parseopts(char *cp, struct exportent *ep, int warn, int *had_subtree_opt_ptr) ep->e_anonuid = strtol(opt+8, &oe, 10); if (opt[8]=='\0' || *oe != '\0') { xlog(L_ERROR, "%s: %d: bad anonuid \"%s\"\n", - flname, flline, opt); + flname, flline, opt); bad_option: free(opt); return -1;
@@ -631,7 +630,7 @@ bad_option: ep->e_anongid = strtol(opt+8, &oe, 10); if (opt[8]=='\0' || *oe != '\0') { xlog(L_ERROR, "%s: %d: bad anongid \"%s\"\n", - flname, flline, opt); + flname, flline, opt); goto bad_option; } } else if (strncmp(opt, "squash_uids=", 12) == 0) { @@ -649,13 +648,13 @@ bad_option: setflags(NFSEXP_FSID, active, ep); } else { ep->e_fsid = strtoul(opt+5, &oe, 0); - if (opt[5]!='\0' && *oe == '\0') + if (opt[5]!='\0' && *oe == '\0') setflags(NFSEXP_FSID, active, ep); else if (valid_uuid(opt+5)) ep->e_uuid = strdup(opt+5); else { xlog(L_ERROR, "%s: %d: bad fsid \"%s\"\n", - flname, flline, opt); + flname, flline, opt); goto bad_option; } } 
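Review bot: confirm with `git show -w` that this patch is whitespace-only before the xprtsec patches build on top of it. The anonuid, anongid and fsid hunks change only the indentation of the xlog continuation lines and of `if (opt[5]!='\0' && *oe == '\0')`, and the secinfo_show hunk drops a blank line inside the loop, so a whitespace-ignoring diff of the whole patch should be empty; if it is not, something functional rode along with the re-indentation and the commit message "Clean up." undersells it.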
@@ -709,7 +708,7 @@ out: if (warn && !had_subtree_opt) xlog(L_WARNING, "%s [%d]: Neither 'subtree_check' or 'no_subtree_check' specified for export \"%s:%s\".\n" " Assuming default behaviour ('no_subtree_check').\n" - " NOTE: this default has changed since nfs-utils version 1.0.x\n", + " NOTE: this default has changed since nfs-utils version 1.0.x\n", flname, flline, ep->e_hostname, ep->e_path);

From patchwork Mon Mar 20 14:35:38 2023
X-Patchwork-Submitter: Chuck Lever
X-Patchwork-Id: 13181330
Subject: [PATCH v1 2/4] exports: Add an xprtsec= export option
From: Chuck Lever
To: SteveD@redhat.com
Cc: linux-nfs@vger.kernel.org
Date: Mon, 20 Mar 2023 10:35:38 -0400
Message-ID: <167932293857.3437.10836642078898996996.stgit@manet.1015granger.net>
In-Reply-To: <167932279970.3437.7130911928591001093.stgit@manet.1015granger.net>
References: <167932279970.3437.7130911928591001093.stgit@manet.1015granger.net>
X-Mailing-List: linux-nfs@vger.kernel.org

From: Chuck Lever

The overall goal is to enable administrators to require the use of transport layer security when clients access particular exports.

This patch adds support to exportfs to parse and display a new xprtsec= export option. The setting is not yet passed to the kernel.

Signed-off-by: Chuck Lever
---
 support/include/nfs/export.h | 6 +++
 support/include/nfslib.h | 14 +++++++
 support/nfs/exports.c | 85 ++++++++++++++++++++++++++++++++++++++++++
 utils/exportfs/exportfs.c | 1
 4 files changed, 106 insertions(+)

diff --git a/support/include/nfs/export.h b/support/include/nfs/export.h index 0eca828ee3ad..b29c6fa4f554 100644 --- a/support/include/nfs/export.h +++ b/support/include/nfs/export.h @@ -40,4 +40,10 @@ #define NFSEXP_OLD_SECINFO_FLAGS (NFSEXP_READONLY | NFSEXP_ROOTSQUASH \ | NFSEXP_ALLSQUASH) +enum { + NFSEXP_XPRTSEC_NONE = 1, + NFSEXP_XPRTSEC_TLS = 2, + NFSEXP_XPRTSEC_MTLS = 3, +}; + #endif /* _NSF_EXPORT_H */ diff --git a/support/include/nfslib.h b/support/include/nfslib.h index 6faba71bf0cd..9a188fb84790 100644 --- a/support/include/nfslib.h +++ b/support/include/nfslib.h
@@ -62,6 +62,18 @@ struct sec_entry { int flags; }; +#define XPRTSECMODE_COUNT 4 + +struct xprtsec_info { + const char *name; + int number; +}; + +struct xprtsec_entry { + const struct xprtsec_info *info; + int flags; +}; + /* * Data related to a single exports entry as returned by getexportent. * FIXME: export options should probably be parsed at a later time to @@ -83,6 +95,7 @@ struct exportent { char * e_fslocdata; char * e_uuid; struct sec_entry e_secinfo[SECFLAVOR_COUNT+1]; + struct xprtsec_entry e_xprtsec[XPRTSECMODE_COUNT + 1]; unsigned int e_ttl; char * e_realpath; }; @@ -99,6 +112,7 @@ struct rmtabent { void setexportent(char *fname, char *type); struct exportent * getexportent(int,int); void secinfo_show(FILE *fp, struct exportent *ep); +void xprtsecinfo_show(FILE *fp, struct exportent *ep); void putexportent(struct exportent *xep); void endexportent(void); struct exportent * mkexportent(char *hname, char *path, char *opts); diff --git a/support/nfs/exports.c b/support/nfs/exports.c index 7f12383981c3..da8ace3a65fd 100644 --- a/support/nfs/exports.c +++ b/support/nfs/exports.c @@ -99,6 +99,7 @@ static void init_exportent (struct exportent *ee, int fromkernel) ee->e_fslocmethod = FSLOC_NONE; ee->e_fslocdata = NULL; ee->e_secinfo[0].flav = NULL; + ee->e_xprtsec[0].info = NULL; ee->e_nsquids = 0; ee->e_nsqgids = 0; ee->e_uuid = NULL; @@ -248,6 +249,17 @@ void secinfo_show(FILE *fp, struct exportent *ep) } } +void xprtsecinfo_show(FILE *fp, struct exportent *ep) +{ + struct xprtsec_entry *p1, *p2; + + for (p1 = ep->e_xprtsec; p1->info; p1 = p2) { + fprintf(fp, ",xprtsec=%s", p1->info->name); + for (p2 = p1 + 1; p2->info && (p1->flags == p2->flags); p2++) + fprintf(fp, ":%s", p2->info->name); + } +} + static void fprintpath(FILE *fp, const char *path) { @@ -344,6 +356,7 @@ putexportent(struct exportent *ep) } fprintf(fp, "anonuid=%d,anongid=%d", ep->e_anonuid, ep->e_anongid); secinfo_show(fp, ep); + xprtsecinfo_show(fp, ep); fprintf(fp, ")\n"); } 
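Review bot: XPRTSECMODE_COUNT is defined as 4 in the nfslib.h hunk while the enum added to export.h names only three modes (NFSEXP_XPRTSEC_NONE, NFSEXP_XPRTSEC_TLS, NFSEXP_XPRTSEC_MTLS), so e_xprtsec carries a spare slot and the parser's "more than %d xprtsec modes" check can never fire once duplicates are folded; either define it as 3 so the array size and the overflow check match the real number of modes, or add a one-line comment saying why the headroom is wanted. In the same region, xprtsecinfo_show groups adjacent entries on `p1->flags == p2->flags` the way secinfo_show does, but nothing in this series attaches per-mode option flags to xprtsec entries, so either say the grouping is kept for symmetry with sec= or print the list as a single `xprtsec=` value.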
@@ -482,6 +495,75 @@ static unsigned int parse_flavors(char *str, struct exportent *ep) return out; } +static const struct xprtsec_info xprtsec_name2info[] = { + { "none", NFSEXP_XPRTSEC_NONE }, + { "tls", NFSEXP_XPRTSEC_TLS }, + { "mtls", NFSEXP_XPRTSEC_MTLS }, + { NULL, 0 } +}; + +static const struct xprtsec_info *find_xprtsec_info(const char *name) +{ + const struct xprtsec_info *info; + + for (info = xprtsec_name2info; info->name; info++) + if (strcmp(info->name, name) == 0) + return info; + return NULL; +} + +/* + * Append the given xprtsec mode to the exportent's e_xprtsec array, + * or do nothing if it's already there. Returns the index of flavor in + * the resulting array in any case. + */ +static int xprtsec_addmode(const struct xprtsec_info *info, struct exportent *ep) +{ + struct xprtsec_entry *p; + + for (p = ep->e_xprtsec; p->info; p++) + if (p->info == info || p->info->number == info->number) + return p - ep->e_xprtsec; + + if (p - ep->e_xprtsec >= XPRTSECMODE_COUNT) { + xlog(L_ERROR, "more than %d xprtsec modes on an export\n", + XPRTSECMODE_COUNT); + return -1; + } + p->info = info; + p->flags = ep->e_flags; + (p + 1)->info = NULL; + return p - ep->e_xprtsec; +} + +/* + * @str is a colon seperated list of transport layer security modes. + * Their order is recorded in @ep, and a bitmap corresponding to the + * list is returned. + * + * A zero return indicates an error. + */ +static unsigned int parse_xprtsec(char *str, struct exportent *ep) +{ + unsigned int out = 0; + char *name; + + while ((name = strsep(&str, ":"))) { + const struct xprtsec_info *info = find_xprtsec_info(name); + int bit; + + if (!info) { + xlog(L_ERROR, "unknown xprtsec mode %s\n", name); + return 0; + } + bit = xprtsec_addmode(info, ep); + if (bit < 0) + return 0; + out |= 1 << bit; + } + return out; +} + /* Sets the bits in @mask for the appropriate security flavor flags. */ static void setflags(int mask, unsigned int active, struct exportent *ep) { 
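Review bot: parse_xprtsec assembles a bitmap `out` from the returned indices that its caller in parseopts uses only as a success flag (`if (!parse_xprtsec(opt + 8, ep)) goto bad_option;`); either return 0/-1 like the other option handlers or say in the comment what the bitmap is reserved for, otherwise the next reader will wonder where it is consumed. Two smaller points in the same hunk: `xlog(L_ERROR, "unknown xprtsec mode %s\n", name)` omits the file and line that the neighbouring parseopts errors report (`"%s: %d: bad anonuid \"%s\"\n", flname, flline, opt`), so a typo in /etc/exports is logged without a location; and the comments still say "colon seperated" and "Returns the index of flavor", left over from the sec= code ("separated", "mode").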
@@ -687,6 +769,9 @@ bad_option: active = parse_flavors(opt+4, ep); if (!active) goto bad_option; + } else if (strncmp(opt, "xprtsec=", 8) == 0) { + if (!parse_xprtsec(opt + 8, ep)) + goto bad_option; } else { xlog(L_ERROR, "%s:%d: unknown keyword \"%s\"\n", flname, flline, opt); diff --git a/utils/exportfs/exportfs.c b/utils/exportfs/exportfs.c index 6d79a5b3480d..37b9e4b3612d 100644 --- a/utils/exportfs/exportfs.c +++ b/utils/exportfs/exportfs.c 
@@ -743,6 +743,7 @@ dump(int verbose, int export_format) #endif } secinfo_show(stdout, ep); + xprtsecinfo_show(stdout, ep); printf("%c\n", (c != '(')? ')' : ' '); } }

From patchwork Mon Mar 20 14:35:44 2023
X-Patchwork-Submitter: Chuck Lever
X-Patchwork-Id: 13181331
Subject: [PATCH v1 3/4] exportfs: Push xprtsec settings to the kernel
From: Chuck Lever
To: SteveD@redhat.com
Cc: linux-nfs@vger.kernel.org
Date: Mon, 20 Mar 2023 10:35:44 -0400
Message-ID: <167932294491.3437.5540093843072637245.stgit@manet.1015granger.net>
In-Reply-To: <167932279970.3437.7130911928591001093.stgit@manet.1015granger.net>
References: <167932279970.3437.7130911928591001093.stgit@manet.1015granger.net>
X-Mailing-List: linux-nfs@vger.kernel.org

From: Chuck Lever

Signed-off-by: Chuck Lever
---
 support/export/cache.c | 15 +++++++++++++++
 1 file changed, 15 insertions(+)

diff --git a/support/export/cache.c b/support/export/cache.c index 2497d4f48df3..9354f71db894 100644 --- a/support/export/cache.c +++ b/support/export/cache.c @@ -932,6 +932,7 @@ static void write_fsloc(char **bp, int *blen, struct exportent *ep) release_replicas(servers); } #endif + static void write_secinfo(char **bp, int *blen, struct exportent *ep, int flag_mask) { struct sec_entry *p; @@ -949,7 +950,20 @@ static void write_secinfo(char **bp, int *blen, struct exportent *ep, int flag_m qword_addint(bp, blen, p->flav->fnum); qword_addint(bp, blen, p->flags & flag_mask); } +} + +static void write_xprtsec(char **bp, int *blen, struct exportent *ep) +{ + struct xprtsec_entry *p; + + for (p = ep->e_xprtsec; p->info; p++); + if (p == ep->e_xprtsec) + return; + qword_add(bp, blen, "xprtsec"); + qword_addint(bp, blen, p - ep->e_xprtsec); + for (p = ep->e_xprtsec; p->info; p++) + qword_addint(bp, blen, p->info->number); } static int dump_to_cache(int f, char *buf, int blen, char *domain,
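Review bot: the commit message is empty apart from the Signed-off-by, yet the write_xprtsec hunk defines a record the kernel has to parse: the keyword `xprtsec`, a count, then one NFSEXP_XPRTSEC_* number per mode, appended to the export line only when at least one mode was parsed. That layout, and which kernel side reads it, belongs in the commit message and in a comment above write_xprtsec, since nothing else on the userspace side documents the format. Style point in the same function: `for (p = ep->e_xprtsec; p->info; p++);` with the empty body on the same line reads as if the following `if` were the loop body; put the `;` on its own line or count with an explicit `n++`. The @@ -932 hunk adds only a blank line after `#endif`, which belongs with the whitespace fixes in 1/4 rather than here.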
@@ -992,6 +1006,7 @@ static int dump_to_cache(int f, char *buf, int blen, char *domain, qword_add(&bp, &blen, "uuid"); qword_addhex(&bp, &blen, u, 16); } + write_xprtsec(&bp, &blen, exp); xlog(D_AUTH, "granted access to %s for %s", path, *domain == '$' ? domain+1 : domain); } else {

From patchwork Mon Mar 20 14:35:51 2023
X-Patchwork-Submitter: Chuck Lever
X-Patchwork-Id: 13181332
Subject: [PATCH v1 4/4] exports.man: Add description of xprtsec= to exports(5)
From: Chuck Lever
To: SteveD@redhat.com
Cc: linux-nfs@vger.kernel.org
Date: Mon, 20 Mar 2023 10:35:51 -0400
Message-ID: <167932295124.3437.894267501240103990.stgit@manet.1015granger.net>
In-Reply-To: <167932279970.3437.7130911928591001093.stgit@manet.1015granger.net>
References: <167932279970.3437.7130911928591001093.stgit@manet.1015granger.net>
X-Mailing-List: linux-nfs@vger.kernel.org

From: Chuck Lever

Signed-off-by: Chuck Lever
---
 utils/exportfs/exports.man | 45 +++++++++++++++++++++++++++++++++++++++++++-
 1 file changed, 44 insertions(+), 1 deletion(-)

diff --git a/utils/exportfs/exports.man b/utils/exportfs/exports.man index 54b3f8776ea6..cca9bb7b4aeb 100644 --- a/utils/exportfs/exports.man +++ b/utils/exportfs/exports.man
@@ -125,7 +125,49 @@ In that case you may include multiple sec= options, and following options will be enforced only for access using flavors listed in the immediately preceding sec= option. The only options that are permitted to vary in this way are ro, rw, no_root_squash, root_squash, and all_squash. +.SS Transport layer security +The Linux NFS server supports the use of transport layer security to +protect RPC traffic between itself and its clients. +This can be in the form of a VPN, an ssh tunnel, or via RPC-with-TLS, +which uses TLSv1.3. .PP +Administrators may choose to require the use of +RPC-with-TLS to protect access to individual exports. +This is particularly useful when using non-cryptographic security +flavors such as +.IR sec=sys . +The +.I xprtsec= +option, followed by a colon-delimited list of security policies, +can restrict access to the export to only clients that have negotiated +transport-layer security. +Currently supported transport layer security policies include: +.TP +.IR none +The server permits clients to access the export +without the use of transport layer security. +.TP +.IR tls +The server permits clients that have negotiated an RPC-with-TLS session +without peer authentication (confidentiality only) to access the export. +Clients are not required to offer an x.509 certificate +when establishing a transport layer security session. +.TP +.IR mtls +The server permits clients that have negotiated an RPC-with-TLS session +with peer authentication to access the export. +The server requires clients to offer an x.509 certificate +when establishing a transport layer security session. +.PP +The default setting is +.IR xprtsec=none:tls:mtls . +This is also known as "opportunistic mode". +The server permits clients to use any transport layer security mechanism +to access the export. +.PP +The server administrator must install and configure +.BR tlshd +to handle transport layer security handshake requests from the local kernel. 
.SS General Options .BR exportfs understands the following export options: @@ -581,7 +623,8 @@ a character class wildcard match. .BR netgroup (5), .BR mountd (8), .BR nfsd (8), -.BR showmount (8). +.BR showmount (8), +.BR tlshd (8). .\".SH DIAGNOSTICS .\"An error parsing the file is reported using syslogd(8) as level NOTICE from .\"a DAEMON whenever
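Review bot: "The default setting is xprtsec=none:tls:mtls" describes behaviour that nothing in this series implements on the userspace side: 2/4 leaves e_xprtsec empty when the option is absent, so xprtsecinfo_show prints nothing in the exportfs output, and 3/4's write_xprtsec returns without sending an `xprtsec` record to the kernel. The text should say that the default is applied by the server when no policy is given, and it is worth having exportfs display it, so an administrator who omits the option can see that sec=sys traffic on that export is still accepted in the clear. Smaller points in the same hunk: "x.509" should be "X.509"; the paragraph says the option "can restrict access" but not what a client that has not negotiated a listed policy observes (a mount failure or an access error), which is what will be debugged in practice; and the mtls entry says the server requires a client certificate without saying where the set of acceptable client certificates is configured, so a pointer to the tlshd configuration would help.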