Commit a002ad8a authored by Benjamin Coddington's avatar Benjamin Coddington Committed by Chuck Lever
Browse files

NFSD/export: Add sign_fh export option 

In order to signal that filehandles on this export should be signed, add a
"sign_fh" export option.  Filehandle signing can help the server defend
against certain filehandle guessing attacks.

Setting the "sign_fh" export option sets NFSEXP_SIGN_FH.  In a future patch
NFSD uses this signal to append a MAC onto filehandles for that export.

While we're in here, tidy a few stray expflags to more closely align to the
export flag order.

Link: https://lore.kernel.org/linux-nfs/cover.1772022373.git.bcodding@hammerspace.com


Signed-off-by: default avatarBenjamin Coddington <bcodding@hammerspace.com>
Reviewed-by: default avatarJeff Layton <jlayton@kernel.org>
Signed-off-by: default avatarChuck Lever <chuck.lever@oracle.com>
parent 62346217

fs/nfsd/export.c

+3 −2
Original line number Diff line number Diff line
@@ -1362,13 +1362,14 @@ static struct flags { 
	{ NFSEXP_ASYNC, {"async", "sync"}},

	{ NFSEXP_GATHERED_WRITES, {"wdelay", "no_wdelay"}},

	{ NFSEXP_NOREADDIRPLUS, {"nordirplus", ""}},

	{ NFSEXP_SECURITY_LABEL, {"security_label", ""}},

	{ NFSEXP_SIGN_FH, {"sign_fh", ""}},

	{ NFSEXP_NOHIDE, {"nohide", ""}},

	{ NFSEXP_CROSSMOUNT, {"crossmnt", ""}},

	{ NFSEXP_NOSUBTREECHECK, {"no_subtree_check", ""}},

	{ NFSEXP_NOAUTHNLM, {"insecure_locks", ""}},

	{ NFSEXP_CROSSMOUNT, {"crossmnt", ""}},

	{ NFSEXP_V4ROOT, {"v4root", ""}},

	{ NFSEXP_PNFS, {"pnfs", ""}},

	{ NFSEXP_SECURITY_LABEL, {"security_label", ""}},

	{ 0, {"", ""}}

};

include/uapi/linux/nfsd/export.h

+2 −2
Original line number Diff line number Diff line
@@ -34,7 +34,7 @@ 
#define NFSEXP_GATHERED_WRITES	0x0020

#define NFSEXP_NOREADDIRPLUS    0x0040

#define NFSEXP_SECURITY_LABEL	0x0080

/* 0x100 currently unused */

#define NFSEXP_SIGN_FH		0x0100

#define NFSEXP_NOHIDE		0x0200

#define NFSEXP_NOSUBTREECHECK	0x0400

#define	NFSEXP_NOAUTHNLM	0x0800		/* Don't authenticate NLM requests - just trust */
@@ -55,7 +55,7 @@ 
#define NFSEXP_PNFS		0x20000



/* All flags that we claim to support.  (Note we don't support NOACL.) */

#define NFSEXP_ALLFLAGS		0x3FEFF

#define NFSEXP_ALLFLAGS		0x3FFFF



/* The flags that may vary depending on security flavor: */

#define NFSEXP_SECINFO_FLAGS	(NFSEXP_READONLY | NFSEXP_ROOTSQUASH \