nfs, rpc: Ensure kernel credentials have at least one group

This fixes several bugs where some 'struct ucred' in the kernel,
constructed from user input (via nmount(2)) or obtained from other
server

nfs, rpc: Ensure kernel credentials have at least one group

This fixes several bugs where some 'struct ucred' in the kernel,
constructed from user input (via nmount(2)) or obtained from other
servers (e.g., gssd(8)), could have an unfilled 'cr_groups' field and
whose 'cr_groups[0]' (or 'cr_gid', which is an alias) was later
accessed, causing an uninitialized access giving random access rights.

Use crsetgroups_fallback() to enforce a fallback group when possible.
For NFS, the chosen fallback group is that of the NFS server in the
current VNET (NFSD_VNET(nfsrv_defaultgid)).

There does not seem to be any sensible fallback available in rpc code
(sys/rpc/svc_auth.c, svc_getcred()) on AUTH_UNIX (TLS or not), so just
fail credential retrieval there. Stock NSS sources, rpc.tlsservd(8) or
rpc.tlsclntd(8) provide non-empty group lists, so will not be impacted.

Discussed with: rmacklem (by mail)
Approved by: markj (mentor)
MFC after: 3 days
Differential Revision: https://reviews.freebsd.org/D46918

show more ...

sys: Automated cleanup of cdefs and other formatting

Apply the following automated changes to try to eliminate
no-longer-needed sys/cdefs.h includes as well as now-empty
blank lines in a row.

Remov

sys: Automated cleanup of cdefs and other formatting

Apply the following automated changes to try to eliminate
no-longer-needed sys/cdefs.h includes as well as now-empty
blank lines in a row.

Remove /^#if.*\n#endif.*\n#include\s+<sys/cdefs.h>.*\n/
Remove /\n+#include\s+<sys/cdefs.h>.*\n+#if.*\n#endif.*\n+/
Remove /\n+#if.*\n#endif.*\n+/
Remove /^#if.*\n#endif.*\n/
Remove /\n+#include\s+<sys/cdefs.h>\n#include\s+<sys/types.h>/
Remove /\n+#include\s+<sys/cdefs.h>\n#include\s+<sys/param.h>/
Remove /\n+#include\s+<sys/cdefs.h>\n#include\s+<sys/capsicum.h>/

Sponsored by: Netflix

show more ...

krpc: Display stats of TLS usage

This patch adds some sysctls:
kern.rpc.unenc.tx_msgcnt
kern.rpc.unenc.tx_msgbytes
kern.rpc.unenc.rx_msgcnt
kern.rpc.unenc.rx_msgbytes
kern.rpc.tls.tx_msgcnt
kern.rpc

krpc: Display stats of TLS usage

This patch adds some sysctls:
kern.rpc.unenc.tx_msgcnt
kern.rpc.unenc.tx_msgbytes
kern.rpc.unenc.rx_msgcnt
kern.rpc.unenc.rx_msgbytes
kern.rpc.tls.tx_msgcnt
kern.rpc.tls.tx_msgbytes
kern.rpc.tls.rx_msgcnt
kern.rpc.tls.rx_msgbytes
kern.rpc.tls.handshake_success
kern.rpc.tls.handshake_failed
kern.rpc.tls.alerts
which allow a NFS server sysadmin to determine how much
NFS-over-TLS is being used. A large number of failed
handshakes might also indicate an NFS confirguration
problem.

This patch moves the definition of "kern.rpc" from the
kgssapi module to the krpc module. As such, both modules
need to be rebuilt from sources. Since __FreeBSD_version
was bumped yesterday, I will not bump it again.

Suggested by: gwollman
Discussed on: freebsd-current
MFC after: 1 month

show more ...

nfscl/kgssapi: Fix Kerberized NFS mounts to pNFS servers

During recent testing related to the IETF NFSv4 Bakeathon, it was
discovered that Kerberized NFSv4.1/4.2 mounts to pNFS servers
(sec=krb5[ip]

nfscl/kgssapi: Fix Kerberized NFS mounts to pNFS servers

During recent testing related to the IETF NFSv4 Bakeathon, it was
discovered that Kerberized NFSv4.1/4.2 mounts to pNFS servers
(sec=krb5[ip],pnfs mount options) was broken.
The FreeBSD client was using the "service principal" for
the MDS to try and establish a rpcsec_gss credential for a DS,
which is incorrect. (A "service principal" looks like
"nfs@<fqdn-of-server>" and the <fqdn-of-server> for the DS is not
the same as the MDS for most pNFS servers.)

To fix this, the rpcsec_gss code needs to be able to do a
reverse DNS lookup of the DS's IP address. A new kgssapi upcall
to the gssd(8) daemon is added by this patch to do the reverse DNS
along with a new rpcsec_gss function to generate the "service
principal".

A separate patch to the gssd(8) will be committed, so that this
patch will fix the problem. Without the gssd(8) patch, the new
upcall fails and current/incorrect behaviour remains.

This bug only affects the rare case of a Kerberized (sec=krb5[ip],pnfs)
mount using pNFS.

This patch changes the internal KAPI between the kgssapi and
nfscl modules, but since I did a version bump a few days ago,
I will not do one this time.

MFC after: 1 month

show more ...

sys: Remove $FreeBSD$: one-line .c pattern

Remove /^[\s*]*__FBSDID\("\$FreeBSD\$"\);?\s*\n/

svc_rpcsec_gss.c: Separate out the non-vnet initialization

Without this patch, a single initialization function was
used to initialize both the vnet'd and non-vnet'd data.
This patch separates out t

svc_rpcsec_gss.c: Separate out the non-vnet initialization

Without this patch, a single initialization function was
used to initialize both the vnet'd and non-vnet'd data.
This patch separates out the non-vnet'd initializations
into a separate function invoked by SYSINIT().
This avoids use of IS_DEFAULT_VNET() in the initialization
functions and also configures the non-vnet'd initialization
function to be called first, although ordering is not
currently needed.

Reviewed by: glebius
MFC after: 3 months
Differential Revision: https://reviews.freebsd.org/D38749

show more ...

nfsd: Add VNET_SYSUNINIT() macros for vnet cleanup

Commit ed03776ca7f4 enabled the vnet front end macros.
As such, for kernels built with the VIMAGE option will malloc
data and initialize locks on a

nfsd: Add VNET_SYSUNINIT() macros for vnet cleanup

Commit ed03776ca7f4 enabled the vnet front end macros.
As such, for kernels built with the VIMAGE option will malloc
data and initialize locks on a per-vnet basis, typically
via a VNET_SYSINIT().

This patch adds VNET_SYSUNINIT() macros to do the frees
of the per-vnet malloc'd data and destroys of per-vnet
locks. It also removes the mtx_lock/mtx_unlock calls
from nfsrvd_cleancache(), since they are not needed.

Discussed with: bz, jamie
MFC after: 3 months

show more ...

nfsd: Enable the NFSD_VNET vnet front end macros

Several commits have added front end macros for the vnet
macros to the NFS server, krpc and kgssapi. These macros
are now null, but this patch chang

nfsd: Enable the NFSD_VNET vnet front end macros

Several commits have added front end macros for the vnet
macros to the NFS server, krpc and kgssapi. These macros
are now null, but this patch changes them to front end
the vnet macros.

With this commit, many global variables in the code become
vnet'd, so that nfsd(8), nfsuserd(8), rpc.tlsservd(8) and
gssd(8) can run in a vnet prison, once enabled.
To run the NFS server in a vnet prison still requires a
couple of patches (in D37741 and D38371) that allow mountd(8)
to export file systems from within a vnet prison. Once
these are committed to main, a small patch to kern_jail.c
allowing "allow.nfsd" without VNET_NFSD defined will allow
the NFS server to run in a vnet prison.

One area that still needs to be settled is cleanup when a
prison is removed. Without this, everything should work
except there will be a leak of malloc'd data and mutex locks
when a vnet prison is removed.

MFC after: 3 months

show more ...

kgssapi: Add macros so that gssd(8) can run in vnet prison

Commit 7344856e3a6d added a lot of macros that will front end
vnet macros so that nfsd(8) can run in vnet prison.
This patch adds similar m

kgssapi: Add macros so that gssd(8) can run in vnet prison

Commit 7344856e3a6d added a lot of macros that will front end
vnet macros so that nfsd(8) can run in vnet prison.
This patch adds similar macros named KGSS_VNETxxx so that
the gssd(8) daemon can run in a vnet prison, once the
macros front end the vnet ones. For now, they are null macros.

This is the last commit that adds macros. The next step is
to change the macros to front end the vnet ones.

MFC after: 3 months

show more ...

krpc: Allow mountd/nfsd to optionally run in a jail

This patch modifies the kernel RPC so that it will allow
mountd/nfsd to run inside of a vnet jail. Running mountd/nfsd
inside a vnet jail will be

krpc: Allow mountd/nfsd to optionally run in a jail

This patch modifies the kernel RPC so that it will allow
mountd/nfsd to run inside of a vnet jail. Running mountd/nfsd
inside a vnet jail will be enabled via a new kernel build
option called VNET_NFSD, which will be implemented in future
commits.

Although I suspect cr_prison can be set from the credentials
of the current thread unconditionally, I #ifdef'd the code
VNET_NFSD and only did this for the jailed case mainly to
document that it is only needed for use in a jail.

The TLS support code has not yet been modified to work in
a jail. That is planned as future development after the
basic VNET_NFSD support is in the kernel.

This patch should not result in any semantics change until
VNET_NFSD is implemented and used in a kernel configuration.

MFC after: 4 months

show more ...

sys/rpc: Use C99 fixed-width integer types.

No functional change.

Reviewed by: imp, emaste
Differential Revision: https://reviews.freebsd.org/D33640

rpc: Make function tables const

No functional change intended.

MFC after: 1 week
Sponsored by: The FreeBSD Foundation

Merge ^/head r358269 through r358399.

Mark more nodes as CTLFLAG_MPSAFE or CTLFLAG_NEEDGIANT (17 of many)

r357614 added CTLFLAG_NEEDGIANT to make it easier to find nodes that are
still not MPSAFE (or already are but aren’t properly mark

Mark more nodes as CTLFLAG_MPSAFE or CTLFLAG_NEEDGIANT (17 of many)

r357614 added CTLFLAG_NEEDGIANT to make it easier to find nodes that are
still not MPSAFE (or already are but aren’t properly marked).
Use it in preparation for a general review of all nodes.

This is non-functional change that adds annotations to SYSCTL_NODE and
SYSCTL_PROC nodes using one of the soon-to-be-required flags.

Mark all obvious cases as MPSAFE. All entries that haven't been marked
as MPSAFE before are by default marked as NEEDGIANT

Approved by: kib (mentor, blanket)
Commented by: kib, gallatin, melifaro
Differential Revision: https://reviews.freebsd.org/D23718

show more ...

Change r355157 to make svc_rpc_gss_lifetime_max a static.

MFC after: 2 weeks

Add a cap on credential lifetime for Kerberized NFS.

The kernel RPCSEC_GSS code sets the credential (called a client) lifetime
to the lifetime of the Kerberos ticket, which is typically several hour

Add a cap on credential lifetime for Kerberized NFS.

The kernel RPCSEC_GSS code sets the credential (called a client) lifetime
to the lifetime of the Kerberos ticket, which is typically several hours.
As such, when a user's credentials change such as being added to a new group,
it can take several hours for this change to be recognized by the NFS server.
This patch adds a sysctl called kern.rpc.gss.lifetime_max which can be set
by a sysadmin to put a cap on the time to expire for the credentials, so that
a sysadmin can reduce the timeout.
It also fixes a bug, where time_uptime is added twice when GSS_C_INDEFINITE
is returned for a lifetime. This has no effect in practice, sine Kerberos
never does this.

Tested by: pen@lysator.liu.se
PR: 242132
Submitted by: pen@lysator.liu.se
MFC after: 2 weeks

show more ...

MFHead@r345880

Fix malloc stats for the RPCSEC_GSS server code when DEBUG is enabled.

The code enabled when "DEBUG" is defined uses mem_alloc(), which is a
malloc(.., M_RPC, M_WAITOK | M_ZERO), but then calls gss_

Fix malloc stats for the RPCSEC_GSS server code when DEBUG is enabled.

The code enabled when "DEBUG" is defined uses mem_alloc(), which is a
malloc(.., M_RPC, M_WAITOK | M_ZERO), but then calls gss_release_buffer()
which does a free(.., M_GSSAPI) to free the memory.
This patch fixes the problem by replacing mem_alloc() with a
malloc(.., M_GSSAPI, M_WAITOK | M_ZERO).
This bug affects almost no one, since the sources are not normally built
with "DEBUG" defined.

Submitted by: peter@ifm.liu.se
MFC after: 2 weeks

show more ...

Add a comment to the r345818 patch to explain why cl_refs is initialized to 2.

PR: 235582
MFC after: 2 weeks

Fix a race in the RPCSEC_GSS server code that caused crashes.

When a new client structure was allocated, it was added to the list
so that it was visible to other threads before the expiry time was
i

Fix a race in the RPCSEC_GSS server code that caused crashes.

When a new client structure was allocated, it was added to the list
so that it was visible to other threads before the expiry time was
initialized, with only a single reference count.
The caller would increment the reference count, but it was possible
for another thread to decrement the reference count to zero and free
the structure before the caller incremented the reference count.
This could occur because the expiry time was still set to zero when
the new client structure was inserted in the list and the list was
unlocked.

This patch fixes the race by initializing the reference count to two
and initializing all fields, including the expiry time, before inserting
it in the list.

Tested by: peter@ifm.liu.se
PR: 235582
MFC after: 2 weeks

show more ...

MFhead@r344527

Merge ^/head r344178 through r344512.

Bump the default kern.rpc.gss.client_max from 128 to 1024.

The old value resulted in bad performance, with high kernel
and gssd(8) load, with more than ~64 clients; it also triggered
crashes, which

Bump the default kern.rpc.gss.client_max from 128 to 1024.

The old value resulted in bad performance, with high kernel
and gssd(8) load, with more than ~64 clients; it also triggered
crashes, which are to be fixed by a different patch.

PR: 235582
Discussed with: rmacklem@
MFC after: 2 weeks

show more ...

Add kern.rpc.gss.client_hash tunable, to make it possible to bump
it easily. This can lower the load on gssd(8) on large NFS servers.

Submitted by: Per Andersson <pa at chalmers dot se>
Reviewed by

Add kern.rpc.gss.client_hash tunable, to make it possible to bump
it easily. This can lower the load on gssd(8) on large NFS servers.

Submitted by: Per Andersson <pa at chalmers dot se>
Reviewed by: rmacklem@
MFC after: 2 weeks
Sponsored by: Chalmers University of Technology

show more ...

Add kern.rpc.gss.client_max, to make it possible to bump it easily.
This can drastically lower the load on gssd(8) on large NFS servers.

Submitted by: Per Andersson <pa at chalmers dot se>
Reviewed

Add kern.rpc.gss.client_max, to make it possible to bump it easily.
This can drastically lower the load on gssd(8) on large NFS servers.

Submitted by: Per Andersson <pa at chalmers dot se>
Reviewed by: rmacklem@
MFC after: 2 weeks
Sponsored by: Chalmers University of Technology
Differential Revision: https://reviews.freebsd.org/D18393

show more ...