1 // SPDX-License-Identifier: GPL-2.0 2 /* 3 * NFS exporting and validation. 4 * 5 * We maintain a list of clients, each of which has a list of 6 * exports. To export an fs to a given client, you first have 7 * to create the client entry with NFSCTL_ADDCLIENT, which 8 * creates a client control block and adds it to the hash 9 * table. Then, you call NFSCTL_EXPORT for each fs. 10 * 11 * 12 * Copyright (C) 1995, 1996 Olaf Kirch, <okir@monad.swb.de> 13 */ 14 15 #include <linux/slab.h> 16 #include <linux/namei.h> 17 #include <linux/module.h> 18 #include <linux/exportfs.h> 19 #include <linux/sunrpc/svc_xprt.h> 20 21 #include "nfsd.h" 22 #include "nfsfh.h" 23 #include "netns.h" 24 #include "pnfs.h" 25 #include "filecache.h" 26 #include "trace.h" 27 28 #define NFSDDBG_FACILITY NFSDDBG_EXPORT 29 30 /* 31 * We have two caches. 32 * One maps client+vfsmnt+dentry to export options - the export map 33 * The other maps client+filehandle-fragment to export options. - the expkey map 34 * 35 * The export options are actually stored in the first map, and the 36 * second map contains a reference to the entry in the first map. 37 */ 38 39 #define EXPKEY_HASHBITS 8 40 #define EXPKEY_HASHMAX (1 << EXPKEY_HASHBITS) 41 #define EXPKEY_HASHMASK (EXPKEY_HASHMAX -1) 42 43 static void expkey_put(struct kref *ref) 44 { 45 struct svc_expkey *key = container_of(ref, struct svc_expkey, h.ref); 46 47 if (test_bit(CACHE_VALID, &key->h.flags) && 48 !test_bit(CACHE_NEGATIVE, &key->h.flags)) 49 path_put(&key->ek_path); 50 auth_domain_put(key->ek_client); 51 kfree_rcu(key, ek_rcu); 52 } 53 54 static int expkey_upcall(struct cache_detail *cd, struct cache_head *h) 55 { 56 return sunrpc_cache_pipe_upcall(cd, h); 57 } 58 59 static void expkey_request(struct cache_detail *cd, 60 struct cache_head *h, 61 char **bpp, int *blen) 62 { 63 /* client fsidtype \xfsid */ 64 struct svc_expkey *ek = container_of(h, struct svc_expkey, h); 65 char type[5]; 66 67 qword_add(bpp, blen, ek->ek_client->name); 68 snprintf(type, 5, "%d", ek->ek_fsidtype); 69 qword_add(bpp, blen, type); 70 qword_addhex(bpp, blen, (char*)ek->ek_fsid, key_len(ek->ek_fsidtype)); 71 (*bpp)[-1] = '\n'; 72 } 73 74 static struct svc_expkey *svc_expkey_update(struct cache_detail *cd, struct svc_expkey *new, 75 struct svc_expkey *old); 76 static struct svc_expkey *svc_expkey_lookup(struct cache_detail *cd, struct svc_expkey *); 77 78 static int expkey_parse(struct cache_detail *cd, char *mesg, int mlen) 79 { 80 /* client fsidtype fsid expiry [path] */ 81 char *buf; 82 int len; 83 struct auth_domain *dom = NULL; 84 int err; 85 u8 fsidtype; 86 struct svc_expkey key; 87 struct svc_expkey *ek = NULL; 88 89 if (mesg[mlen - 1] != '\n') 90 return -EINVAL; 91 mesg[mlen-1] = 0; 92 93 buf = kmalloc(PAGE_SIZE, GFP_KERNEL); 94 err = -ENOMEM; 95 if (!buf) 96 goto out; 97 98 err = -EINVAL; 99 if (qword_get(&mesg, buf, PAGE_SIZE) <= 0) 100 goto out; 101 102 err = -ENOENT; 103 dom = auth_domain_find(buf); 104 if (!dom) 105 goto out; 106 dprintk("found domain %s\n", buf); 107 108 err = -EINVAL; 109 if (qword_get(&mesg, buf, PAGE_SIZE) <= 0) 110 goto out; 111 if (kstrtou8(buf, 10, &fsidtype)) 112 goto out; 113 dprintk("found fsidtype %u\n", fsidtype); 114 if (key_len(fsidtype)==0) /* invalid type */ 115 goto out; 116 if ((len=qword_get(&mesg, buf, PAGE_SIZE)) <= 0) 117 goto out; 118 dprintk("found fsid length %d\n", len); 119 if (len != key_len(fsidtype)) 120 goto out; 121 122 /* OK, we seem to have a valid key */ 123 key.h.flags = 0; 124 err = get_expiry(&mesg, &key.h.expiry_time); 125 if (err) 126 goto out; 127 128 key.ek_client = dom; 129 key.ek_fsidtype = fsidtype; 130 memcpy(key.ek_fsid, buf, len); 131 132 ek = svc_expkey_lookup(cd, &key); 133 err = -ENOMEM; 134 if (!ek) 135 goto out; 136 137 /* now we want a pathname, or empty meaning NEGATIVE */ 138 err = -EINVAL; 139 len = qword_get(&mesg, buf, PAGE_SIZE); 140 if (len < 0) 141 goto out; 142 dprintk("Path seems to be <%s>\n", buf); 143 err = 0; 144 if (len == 0) { 145 set_bit(CACHE_NEGATIVE, &key.h.flags); 146 ek = svc_expkey_update(cd, &key, ek); 147 if (ek) 148 trace_nfsd_expkey_update(ek, NULL); 149 else 150 err = -ENOMEM; 151 } else { 152 err = kern_path(buf, 0, &key.ek_path); 153 if (err) 154 goto out; 155 156 dprintk("Found the path %s\n", buf); 157 158 ek = svc_expkey_update(cd, &key, ek); 159 if (ek) 160 trace_nfsd_expkey_update(ek, buf); 161 else 162 err = -ENOMEM; 163 path_put(&key.ek_path); 164 } 165 cache_flush(); 166 out: 167 if (ek) 168 cache_put(&ek->h, cd); 169 if (dom) 170 auth_domain_put(dom); 171 kfree(buf); 172 return err; 173 } 174 175 static int expkey_show(struct seq_file *m, 176 struct cache_detail *cd, 177 struct cache_head *h) 178 { 179 struct svc_expkey *ek ; 180 int i; 181 182 if (h ==NULL) { 183 seq_puts(m, "#domain fsidtype fsid [path]\n"); 184 return 0; 185 } 186 ek = container_of(h, struct svc_expkey, h); 187 seq_printf(m, "%s %d 0x", ek->ek_client->name, 188 ek->ek_fsidtype); 189 for (i=0; i < key_len(ek->ek_fsidtype)/4; i++) 190 seq_printf(m, "%08x", ek->ek_fsid[i]); 191 if (test_bit(CACHE_VALID, &h->flags) && 192 !test_bit(CACHE_NEGATIVE, &h->flags)) { 193 seq_printf(m, " "); 194 seq_path(m, &ek->ek_path, "\\ \t\n"); 195 } 196 seq_printf(m, "\n"); 197 return 0; 198 } 199 200 static inline int expkey_match (struct cache_head *a, struct cache_head *b) 201 { 202 struct svc_expkey *orig = container_of(a, struct svc_expkey, h); 203 struct svc_expkey *new = container_of(b, struct svc_expkey, h); 204 205 if (orig->ek_fsidtype != new->ek_fsidtype || 206 orig->ek_client != new->ek_client || 207 memcmp(orig->ek_fsid, new->ek_fsid, key_len(orig->ek_fsidtype)) != 0) 208 return 0; 209 return 1; 210 } 211 212 static inline void expkey_init(struct cache_head *cnew, 213 struct cache_head *citem) 214 { 215 struct svc_expkey *new = container_of(cnew, struct svc_expkey, h); 216 struct svc_expkey *item = container_of(citem, struct svc_expkey, h); 217 218 kref_get(&item->ek_client->ref); 219 new->ek_client = item->ek_client; 220 new->ek_fsidtype = item->ek_fsidtype; 221 222 memcpy(new->ek_fsid, item->ek_fsid, sizeof(new->ek_fsid)); 223 } 224 225 static inline void expkey_update(struct cache_head *cnew, 226 struct cache_head *citem) 227 { 228 struct svc_expkey *new = container_of(cnew, struct svc_expkey, h); 229 struct svc_expkey *item = container_of(citem, struct svc_expkey, h); 230 231 new->ek_path = item->ek_path; 232 path_get(&item->ek_path); 233 } 234 235 static struct cache_head *expkey_alloc(void) 236 { 237 struct svc_expkey *i = kmalloc_obj(*i, GFP_KERNEL); 238 if (i) 239 return &i->h; 240 else 241 return NULL; 242 } 243 244 static void expkey_flush(void) 245 { 246 /* 247 * Take the nfsd_mutex here to ensure that the file cache is not 248 * destroyed while we're in the middle of flushing. 249 */ 250 mutex_lock(&nfsd_mutex); 251 nfsd_file_cache_purge(current->nsproxy->net_ns); 252 mutex_unlock(&nfsd_mutex); 253 } 254 255 static const struct cache_detail svc_expkey_cache_template = { 256 .owner = THIS_MODULE, 257 .hash_size = EXPKEY_HASHMAX, 258 .name = "nfsd.fh", 259 .cache_put = expkey_put, 260 .cache_upcall = expkey_upcall, 261 .cache_request = expkey_request, 262 .cache_parse = expkey_parse, 263 .cache_show = expkey_show, 264 .match = expkey_match, 265 .init = expkey_init, 266 .update = expkey_update, 267 .alloc = expkey_alloc, 268 .flush = expkey_flush, 269 }; 270 271 static int 272 svc_expkey_hash(struct svc_expkey *item) 273 { 274 int hash = item->ek_fsidtype; 275 char * cp = (char*)item->ek_fsid; 276 int len = key_len(item->ek_fsidtype); 277 278 hash ^= hash_mem(cp, len, EXPKEY_HASHBITS); 279 hash ^= hash_ptr(item->ek_client, EXPKEY_HASHBITS); 280 hash &= EXPKEY_HASHMASK; 281 return hash; 282 } 283 284 static struct svc_expkey * 285 svc_expkey_lookup(struct cache_detail *cd, struct svc_expkey *item) 286 { 287 struct cache_head *ch; 288 int hash = svc_expkey_hash(item); 289 290 ch = sunrpc_cache_lookup_rcu(cd, &item->h, hash); 291 if (ch) 292 return container_of(ch, struct svc_expkey, h); 293 else 294 return NULL; 295 } 296 297 static struct svc_expkey * 298 svc_expkey_update(struct cache_detail *cd, struct svc_expkey *new, 299 struct svc_expkey *old) 300 { 301 struct cache_head *ch; 302 int hash = svc_expkey_hash(new); 303 304 ch = sunrpc_cache_update(cd, &new->h, &old->h, hash); 305 if (ch) 306 return container_of(ch, struct svc_expkey, h); 307 else 308 return NULL; 309 } 310 311 312 #define EXPORT_HASHBITS 8 313 #define EXPORT_HASHMAX (1<< EXPORT_HASHBITS) 314 315 static void nfsd4_fslocs_free(struct nfsd4_fs_locations *fsloc) 316 { 317 struct nfsd4_fs_location *locations = fsloc->locations; 318 int i; 319 320 if (!locations) 321 return; 322 323 for (i = 0; i < fsloc->locations_count; i++) { 324 kfree(locations[i].path); 325 kfree(locations[i].hosts); 326 } 327 328 kfree(locations); 329 fsloc->locations = NULL; 330 } 331 332 static int export_stats_init(struct export_stats *stats) 333 { 334 stats->start_time = ktime_get_seconds(); 335 return percpu_counter_init_many(stats->counter, 0, GFP_KERNEL, 336 EXP_STATS_COUNTERS_NUM); 337 } 338 339 static void export_stats_reset(struct export_stats *stats) 340 { 341 if (stats) { 342 int i; 343 344 for (i = 0; i < EXP_STATS_COUNTERS_NUM; i++) 345 percpu_counter_set(&stats->counter[i], 0); 346 } 347 } 348 349 static void export_stats_destroy(struct export_stats *stats) 350 { 351 if (stats) 352 percpu_counter_destroy_many(stats->counter, 353 EXP_STATS_COUNTERS_NUM); 354 } 355 356 static void svc_export_release(struct rcu_head *rcu_head) 357 { 358 struct svc_export *exp = container_of(rcu_head, struct svc_export, 359 ex_rcu); 360 361 nfsd4_fslocs_free(&exp->ex_fslocs); 362 export_stats_destroy(exp->ex_stats); 363 kfree(exp->ex_stats); 364 kfree(exp->ex_uuid); 365 kfree(exp); 366 } 367 368 static void svc_export_put(struct kref *ref) 369 { 370 struct svc_export *exp = container_of(ref, struct svc_export, h.ref); 371 372 path_put(&exp->ex_path); 373 auth_domain_put(exp->ex_client); 374 call_rcu(&exp->ex_rcu, svc_export_release); 375 } 376 377 static int svc_export_upcall(struct cache_detail *cd, struct cache_head *h) 378 { 379 return sunrpc_cache_pipe_upcall(cd, h); 380 } 381 382 static void svc_export_request(struct cache_detail *cd, 383 struct cache_head *h, 384 char **bpp, int *blen) 385 { 386 /* client path */ 387 struct svc_export *exp = container_of(h, struct svc_export, h); 388 char *pth; 389 390 qword_add(bpp, blen, exp->ex_client->name); 391 pth = d_path(&exp->ex_path, *bpp, *blen); 392 if (IS_ERR(pth)) { 393 /* is this correct? */ 394 (*bpp)[0] = '\n'; 395 return; 396 } 397 qword_add(bpp, blen, pth); 398 (*bpp)[-1] = '\n'; 399 } 400 401 static struct svc_export *svc_export_update(struct svc_export *new, 402 struct svc_export *old); 403 static struct svc_export *svc_export_lookup(struct svc_export *); 404 405 static int check_export(const struct path *path, int *flags, unsigned char *uuid) 406 { 407 struct inode *inode = d_inode(path->dentry); 408 409 /* 410 * We currently export only dirs, regular files, and (for v4 411 * pseudoroot) symlinks. 412 */ 413 if (!S_ISDIR(inode->i_mode) && 414 !S_ISLNK(inode->i_mode) && 415 !S_ISREG(inode->i_mode)) 416 return -ENOTDIR; 417 418 /* 419 * Mountd should never pass down a writeable V4ROOT export, but, 420 * just to make sure: 421 */ 422 if (*flags & NFSEXP_V4ROOT) 423 *flags |= NFSEXP_READONLY; 424 425 /* There are two requirements on a filesystem to be exportable. 426 * 1: We must be able to identify the filesystem from a number. 427 * either a device number (so FS_REQUIRES_DEV needed) 428 * or an FSID number (so NFSEXP_FSID or ->uuid is needed). 429 * 2: We must be able to find an inode from a filehandle. 430 * This means that s_export_op must be set and comply with 431 * the requirements for remote filesystem export. 432 * 3: We must not currently be on an idmapped mount. 433 */ 434 if (!(inode->i_sb->s_type->fs_flags & FS_REQUIRES_DEV) && 435 !(*flags & NFSEXP_FSID) && 436 uuid == NULL) { 437 dprintk("exp_export: export of non-dev fs without fsid\n"); 438 return -EINVAL; 439 } 440 441 if (!exportfs_may_export(inode->i_sb->s_export_op)) { 442 dprintk("exp_export: export of invalid fs type (%s).\n", 443 inode->i_sb->s_type->name); 444 return -EINVAL; 445 } 446 447 if (is_idmapped_mnt(path->mnt)) { 448 dprintk("exp_export: export of idmapped mounts not yet supported.\n"); 449 return -EINVAL; 450 } 451 452 if (inode->i_sb->s_export_op->flags & EXPORT_OP_NOSUBTREECHK && 453 !(*flags & NFSEXP_NOSUBTREECHECK)) { 454 dprintk("%s: %s does not support subtree checking!\n", 455 __func__, inode->i_sb->s_type->name); 456 return -EINVAL; 457 } 458 return 0; 459 } 460 461 #ifdef CONFIG_NFSD_V4 462 463 static int 464 fsloc_parse(char **mesg, char *buf, struct nfsd4_fs_locations *fsloc) 465 { 466 int len; 467 int migrated, i, err; 468 469 /* more than one fsloc */ 470 if (fsloc->locations) 471 return -EINVAL; 472 473 /* listsize */ 474 err = get_uint(mesg, &fsloc->locations_count); 475 if (err) 476 return err; 477 if (fsloc->locations_count > MAX_FS_LOCATIONS) 478 return -EINVAL; 479 if (fsloc->locations_count == 0) 480 return 0; 481 482 fsloc->locations = kzalloc_objs(struct nfsd4_fs_location, 483 fsloc->locations_count, GFP_KERNEL); 484 if (!fsloc->locations) 485 return -ENOMEM; 486 for (i=0; i < fsloc->locations_count; i++) { 487 /* colon separated host list */ 488 err = -EINVAL; 489 len = qword_get(mesg, buf, PAGE_SIZE); 490 if (len <= 0) 491 goto out_free_all; 492 err = -ENOMEM; 493 fsloc->locations[i].hosts = kstrdup(buf, GFP_KERNEL); 494 if (!fsloc->locations[i].hosts) 495 goto out_free_all; 496 err = -EINVAL; 497 /* slash separated path component list */ 498 len = qword_get(mesg, buf, PAGE_SIZE); 499 if (len <= 0) 500 goto out_free_all; 501 err = -ENOMEM; 502 fsloc->locations[i].path = kstrdup(buf, GFP_KERNEL); 503 if (!fsloc->locations[i].path) 504 goto out_free_all; 505 } 506 /* migrated */ 507 err = get_int(mesg, &migrated); 508 if (err) 509 goto out_free_all; 510 err = -EINVAL; 511 if (migrated < 0 || migrated > 1) 512 goto out_free_all; 513 fsloc->migrated = migrated; 514 return 0; 515 out_free_all: 516 nfsd4_fslocs_free(fsloc); 517 return err; 518 } 519 520 static int secinfo_parse(char **mesg, char *buf, struct svc_export *exp) 521 { 522 struct exp_flavor_info *f; 523 u32 listsize; 524 int err; 525 526 /* more than one secinfo */ 527 if (exp->ex_nflavors) 528 return -EINVAL; 529 530 err = get_uint(mesg, &listsize); 531 if (err) 532 return err; 533 if (listsize > MAX_SECINFO_LIST) 534 return -EINVAL; 535 536 for (f = exp->ex_flavors; f < exp->ex_flavors + listsize; f++) { 537 err = get_uint(mesg, &f->pseudoflavor); 538 if (err) 539 return err; 540 /* 541 * XXX: It would be nice to also check whether this 542 * pseudoflavor is supported, so we can discover the 543 * problem at export time instead of when a client fails 544 * to authenticate. 545 */ 546 err = get_uint(mesg, &f->flags); 547 if (err) 548 return err; 549 /* Only some flags are allowed to differ between flavors: */ 550 if (~NFSEXP_SECINFO_FLAGS & (f->flags ^ exp->ex_flags)) 551 return -EINVAL; 552 } 553 exp->ex_nflavors = listsize; 554 return 0; 555 } 556 557 #else /* CONFIG_NFSD_V4 */ 558 static inline int 559 fsloc_parse(char **mesg, char *buf, struct nfsd4_fs_locations *fsloc){return 0;} 560 static inline int 561 secinfo_parse(char **mesg, char *buf, struct svc_export *exp) { return 0; } 562 #endif 563 564 static int xprtsec_parse(char **mesg, char *buf, struct svc_export *exp) 565 { 566 unsigned int i, mode, listsize; 567 int err; 568 569 err = get_uint(mesg, &listsize); 570 if (err) 571 return err; 572 if (listsize > NFSEXP_XPRTSEC_NUM) 573 return -EINVAL; 574 575 exp->ex_xprtsec_modes = 0; 576 for (i = 0; i < listsize; i++) { 577 err = get_uint(mesg, &mode); 578 if (err) 579 return err; 580 if (mode > NFSEXP_XPRTSEC_MTLS) 581 return -EINVAL; 582 exp->ex_xprtsec_modes |= mode; 583 } 584 return 0; 585 } 586 587 static inline int 588 nfsd_uuid_parse(char **mesg, char *buf, unsigned char **puuid) 589 { 590 int len; 591 592 /* more than one uuid */ 593 if (*puuid) 594 return -EINVAL; 595 596 /* expect a 16 byte uuid encoded as \xXXXX... */ 597 len = qword_get(mesg, buf, PAGE_SIZE); 598 if (len != EX_UUID_LEN) 599 return -EINVAL; 600 601 *puuid = kmemdup(buf, EX_UUID_LEN, GFP_KERNEL); 602 if (*puuid == NULL) 603 return -ENOMEM; 604 605 return 0; 606 } 607 608 static int svc_export_parse(struct cache_detail *cd, char *mesg, int mlen) 609 { 610 /* client path expiry [flags anonuid anongid fsid] */ 611 char *buf; 612 int err; 613 struct auth_domain *dom = NULL; 614 struct svc_export exp = {}, *expp; 615 int an_int; 616 617 if (mesg[mlen-1] != '\n') 618 return -EINVAL; 619 mesg[mlen-1] = 0; 620 621 buf = kmalloc(PAGE_SIZE, GFP_KERNEL); 622 if (!buf) 623 return -ENOMEM; 624 625 /* client */ 626 err = -EINVAL; 627 if (qword_get(&mesg, buf, PAGE_SIZE) <= 0) 628 goto out; 629 630 err = -ENOENT; 631 dom = auth_domain_find(buf); 632 if (!dom) 633 goto out; 634 635 /* path */ 636 err = -EINVAL; 637 if (qword_get(&mesg, buf, PAGE_SIZE) <= 0) 638 goto out1; 639 640 err = kern_path(buf, 0, &exp.ex_path); 641 if (err) 642 goto out1; 643 644 exp.ex_client = dom; 645 exp.cd = cd; 646 exp.ex_devid_map = NULL; 647 exp.ex_xprtsec_modes = NFSEXP_XPRTSEC_ALL; 648 649 /* expiry */ 650 err = get_expiry(&mesg, &exp.h.expiry_time); 651 if (err) 652 goto out3; 653 654 /* flags */ 655 err = get_int(&mesg, &an_int); 656 if (err == -ENOENT) { 657 err = 0; 658 set_bit(CACHE_NEGATIVE, &exp.h.flags); 659 } else { 660 if (err || an_int < 0) 661 goto out3; 662 exp.ex_flags= an_int; 663 664 /* anon uid */ 665 err = get_int(&mesg, &an_int); 666 if (err) 667 goto out3; 668 exp.ex_anon_uid= make_kuid(current_user_ns(), an_int); 669 670 /* anon gid */ 671 err = get_int(&mesg, &an_int); 672 if (err) 673 goto out3; 674 exp.ex_anon_gid= make_kgid(current_user_ns(), an_int); 675 676 /* fsid */ 677 err = get_int(&mesg, &an_int); 678 if (err) 679 goto out3; 680 exp.ex_fsid = an_int; 681 682 while (qword_get(&mesg, buf, PAGE_SIZE) > 0) { 683 if (strcmp(buf, "fsloc") == 0) 684 err = fsloc_parse(&mesg, buf, &exp.ex_fslocs); 685 else if (strcmp(buf, "uuid") == 0) 686 err = nfsd_uuid_parse(&mesg, buf, &exp.ex_uuid); 687 else if (strcmp(buf, "secinfo") == 0) 688 err = secinfo_parse(&mesg, buf, &exp); 689 else if (strcmp(buf, "xprtsec") == 0) 690 err = xprtsec_parse(&mesg, buf, &exp); 691 else 692 /* quietly ignore unknown words and anything 693 * following. Newer user-space can try to set 694 * new values, then see what the result was. 695 */ 696 break; 697 if (err) 698 goto out4; 699 } 700 701 err = check_export(&exp.ex_path, &exp.ex_flags, exp.ex_uuid); 702 if (err) 703 goto out4; 704 705 /* 706 * No point caching this if it would immediately expire. 707 * Also, this protects exportfs's dummy export from the 708 * anon_uid/anon_gid checks: 709 */ 710 if (exp.h.expiry_time < seconds_since_boot()) 711 goto out4; 712 /* 713 * For some reason exportfs has been passing down an 714 * invalid (-1) uid & gid on the "dummy" export which it 715 * uses to test export support. To make sure exportfs 716 * sees errors from check_export we therefore need to 717 * delay these checks till after check_export: 718 */ 719 err = -EINVAL; 720 if (!uid_valid(exp.ex_anon_uid)) 721 goto out4; 722 if (!gid_valid(exp.ex_anon_gid)) 723 goto out4; 724 err = 0; 725 726 nfsd4_setup_layout_type(&exp); 727 } 728 729 expp = svc_export_lookup(&exp); 730 if (!expp) { 731 err = -ENOMEM; 732 goto out4; 733 } 734 expp = svc_export_update(&exp, expp); 735 if (expp) { 736 trace_nfsd_export_update(expp); 737 cache_flush(); 738 exp_put(expp); 739 } else 740 err = -ENOMEM; 741 out4: 742 nfsd4_fslocs_free(&exp.ex_fslocs); 743 kfree(exp.ex_uuid); 744 out3: 745 path_put(&exp.ex_path); 746 out1: 747 auth_domain_put(dom); 748 out: 749 kfree(buf); 750 return err; 751 } 752 753 static void exp_flags(struct seq_file *m, int flag, int fsid, 754 kuid_t anonu, kgid_t anong, struct nfsd4_fs_locations *fslocs); 755 static void show_secinfo(struct seq_file *m, struct svc_export *exp); 756 757 static int is_export_stats_file(struct seq_file *m) 758 { 759 /* 760 * The export_stats file uses the same ops as the exports file. 761 * We use the file's name to determine the reported info per export. 762 * There is no rename in nsfdfs, so d_name.name is stable. 763 */ 764 return !strcmp(m->file->f_path.dentry->d_name.name, "export_stats"); 765 } 766 767 static int svc_export_show(struct seq_file *m, 768 struct cache_detail *cd, 769 struct cache_head *h) 770 { 771 struct svc_export *exp; 772 bool export_stats = is_export_stats_file(m); 773 774 if (h == NULL) { 775 if (export_stats) 776 seq_puts(m, "#path domain start-time\n#\tstats\n"); 777 else 778 seq_puts(m, "#path domain(flags)\n"); 779 return 0; 780 } 781 exp = container_of(h, struct svc_export, h); 782 seq_path(m, &exp->ex_path, " \t\n\\"); 783 seq_putc(m, '\t'); 784 seq_escape(m, exp->ex_client->name, " \t\n\\"); 785 if (export_stats) { 786 struct percpu_counter *counter = exp->ex_stats->counter; 787 788 seq_printf(m, "\t%lld\n", exp->ex_stats->start_time); 789 seq_printf(m, "\tfh_stale: %lld\n", 790 percpu_counter_sum_positive(&counter[EXP_STATS_FH_STALE])); 791 seq_printf(m, "\tio_read: %lld\n", 792 percpu_counter_sum_positive(&counter[EXP_STATS_IO_READ])); 793 seq_printf(m, "\tio_write: %lld\n", 794 percpu_counter_sum_positive(&counter[EXP_STATS_IO_WRITE])); 795 seq_putc(m, '\n'); 796 return 0; 797 } 798 seq_putc(m, '('); 799 if (test_bit(CACHE_VALID, &h->flags) && 800 !test_bit(CACHE_NEGATIVE, &h->flags)) { 801 exp_flags(m, exp->ex_flags, exp->ex_fsid, 802 exp->ex_anon_uid, exp->ex_anon_gid, &exp->ex_fslocs); 803 if (exp->ex_uuid) { 804 int i; 805 seq_puts(m, ",uuid="); 806 for (i = 0; i < EX_UUID_LEN; i++) { 807 if ((i&3) == 0 && i) 808 seq_putc(m, ':'); 809 seq_printf(m, "%02x", exp->ex_uuid[i]); 810 } 811 } 812 show_secinfo(m, exp); 813 } 814 seq_puts(m, ")\n"); 815 return 0; 816 } 817 static int svc_export_match(struct cache_head *a, struct cache_head *b) 818 { 819 struct svc_export *orig = container_of(a, struct svc_export, h); 820 struct svc_export *new = container_of(b, struct svc_export, h); 821 return orig->ex_client == new->ex_client && 822 path_equal(&orig->ex_path, &new->ex_path); 823 } 824 825 static void svc_export_init(struct cache_head *cnew, struct cache_head *citem) 826 { 827 struct svc_export *new = container_of(cnew, struct svc_export, h); 828 struct svc_export *item = container_of(citem, struct svc_export, h); 829 830 kref_get(&item->ex_client->ref); 831 new->ex_client = item->ex_client; 832 new->ex_path = item->ex_path; 833 path_get(&item->ex_path); 834 new->ex_fslocs.locations = NULL; 835 new->ex_fslocs.locations_count = 0; 836 new->ex_fslocs.migrated = 0; 837 new->ex_layout_types = 0; 838 new->ex_uuid = NULL; 839 new->cd = item->cd; 840 export_stats_reset(new->ex_stats); 841 } 842 843 static void export_update(struct cache_head *cnew, struct cache_head *citem) 844 { 845 struct svc_export *new = container_of(cnew, struct svc_export, h); 846 struct svc_export *item = container_of(citem, struct svc_export, h); 847 int i; 848 849 new->ex_flags = item->ex_flags; 850 new->ex_anon_uid = item->ex_anon_uid; 851 new->ex_anon_gid = item->ex_anon_gid; 852 new->ex_fsid = item->ex_fsid; 853 new->ex_devid_map = item->ex_devid_map; 854 item->ex_devid_map = NULL; 855 new->ex_uuid = item->ex_uuid; 856 item->ex_uuid = NULL; 857 new->ex_fslocs.locations = item->ex_fslocs.locations; 858 item->ex_fslocs.locations = NULL; 859 new->ex_fslocs.locations_count = item->ex_fslocs.locations_count; 860 item->ex_fslocs.locations_count = 0; 861 new->ex_fslocs.migrated = item->ex_fslocs.migrated; 862 item->ex_fslocs.migrated = 0; 863 new->ex_layout_types = item->ex_layout_types; 864 new->ex_nflavors = item->ex_nflavors; 865 for (i = 0; i < MAX_SECINFO_LIST; i++) { 866 new->ex_flavors[i] = item->ex_flavors[i]; 867 } 868 new->ex_xprtsec_modes = item->ex_xprtsec_modes; 869 } 870 871 static struct cache_head *svc_export_alloc(void) 872 { 873 struct svc_export *i = kmalloc_obj(*i, GFP_KERNEL); 874 if (!i) 875 return NULL; 876 877 i->ex_stats = kmalloc_obj(*(i->ex_stats), GFP_KERNEL); 878 if (!i->ex_stats) { 879 kfree(i); 880 return NULL; 881 } 882 883 if (export_stats_init(i->ex_stats)) { 884 kfree(i->ex_stats); 885 kfree(i); 886 return NULL; 887 } 888 889 return &i->h; 890 } 891 892 static const struct cache_detail svc_export_cache_template = { 893 .owner = THIS_MODULE, 894 .hash_size = EXPORT_HASHMAX, 895 .name = "nfsd.export", 896 .cache_put = svc_export_put, 897 .cache_upcall = svc_export_upcall, 898 .cache_request = svc_export_request, 899 .cache_parse = svc_export_parse, 900 .cache_show = svc_export_show, 901 .match = svc_export_match, 902 .init = svc_export_init, 903 .update = export_update, 904 .alloc = svc_export_alloc, 905 }; 906 907 static int 908 svc_export_hash(struct svc_export *exp) 909 { 910 int hash; 911 912 hash = hash_ptr(exp->ex_client, EXPORT_HASHBITS); 913 hash ^= hash_ptr(exp->ex_path.dentry, EXPORT_HASHBITS); 914 hash ^= hash_ptr(exp->ex_path.mnt, EXPORT_HASHBITS); 915 return hash; 916 } 917 918 static struct svc_export * 919 svc_export_lookup(struct svc_export *exp) 920 { 921 struct cache_head *ch; 922 int hash = svc_export_hash(exp); 923 924 ch = sunrpc_cache_lookup_rcu(exp->cd, &exp->h, hash); 925 if (ch) 926 return container_of(ch, struct svc_export, h); 927 else 928 return NULL; 929 } 930 931 static struct svc_export * 932 svc_export_update(struct svc_export *new, struct svc_export *old) 933 { 934 struct cache_head *ch; 935 int hash = svc_export_hash(old); 936 937 ch = sunrpc_cache_update(old->cd, &new->h, &old->h, hash); 938 if (ch) 939 return container_of(ch, struct svc_export, h); 940 else 941 return NULL; 942 } 943 944 945 static struct svc_expkey * 946 exp_find_key(struct cache_detail *cd, struct auth_domain *clp, int fsid_type, 947 u32 *fsidv, struct cache_req *reqp) 948 { 949 struct svc_expkey key, *ek; 950 int err; 951 952 if (!clp) 953 return ERR_PTR(-ENOENT); 954 955 key.ek_client = clp; 956 key.ek_fsidtype = fsid_type; 957 memcpy(key.ek_fsid, fsidv, key_len(fsid_type)); 958 959 ek = svc_expkey_lookup(cd, &key); 960 if (ek == NULL) 961 return ERR_PTR(-ENOMEM); 962 err = cache_check(cd, &ek->h, reqp); 963 if (err) { 964 trace_nfsd_exp_find_key(&key, err); 965 return ERR_PTR(err); 966 } 967 return ek; 968 } 969 970 static struct svc_export * 971 exp_get_by_name(struct cache_detail *cd, struct auth_domain *clp, 972 const struct path *path, struct cache_req *reqp) 973 { 974 struct svc_export *exp, key; 975 int err; 976 977 if (!clp) 978 return ERR_PTR(-ENOENT); 979 980 key.ex_client = clp; 981 key.ex_path = *path; 982 key.cd = cd; 983 984 exp = svc_export_lookup(&key); 985 if (exp == NULL) 986 return ERR_PTR(-ENOMEM); 987 err = cache_check(cd, &exp->h, reqp); 988 if (err) { 989 trace_nfsd_exp_get_by_name(&key, err); 990 return ERR_PTR(err); 991 } 992 return exp; 993 } 994 995 /* 996 * Find the export entry for a given dentry. 997 */ 998 static struct svc_export * 999 exp_parent(struct cache_detail *cd, struct auth_domain *clp, struct path *path) 1000 { 1001 struct dentry *saved = dget(path->dentry); 1002 struct svc_export *exp = exp_get_by_name(cd, clp, path, NULL); 1003 1004 while (PTR_ERR(exp) == -ENOENT && !IS_ROOT(path->dentry)) { 1005 struct dentry *parent = dget_parent(path->dentry); 1006 dput(path->dentry); 1007 path->dentry = parent; 1008 exp = exp_get_by_name(cd, clp, path, NULL); 1009 } 1010 dput(path->dentry); 1011 path->dentry = saved; 1012 return exp; 1013 } 1014 1015 1016 1017 /* 1018 * Obtain the root fh on behalf of a client. 1019 * This could be done in user space, but I feel that it adds some safety 1020 * since its harder to fool a kernel module than a user space program. 1021 */ 1022 int 1023 exp_rootfh(struct net *net, struct auth_domain *clp, char *name, 1024 struct knfsd_fh *f, int maxsize) 1025 { 1026 struct svc_export *exp; 1027 struct path path; 1028 struct inode *inode __maybe_unused; 1029 struct svc_fh fh; 1030 int err; 1031 struct nfsd_net *nn = net_generic(net, nfsd_net_id); 1032 struct cache_detail *cd = nn->svc_export_cache; 1033 1034 err = -EPERM; 1035 /* NB: we probably ought to check that it's NUL-terminated */ 1036 if (kern_path(name, 0, &path)) { 1037 printk("nfsd: exp_rootfh path not found %s", name); 1038 return err; 1039 } 1040 inode = d_inode(path.dentry); 1041 1042 dprintk("nfsd: exp_rootfh(%s [%p] %s:%s/%ld)\n", 1043 name, path.dentry, clp->name, 1044 inode->i_sb->s_id, inode->i_ino); 1045 exp = exp_parent(cd, clp, &path); 1046 if (IS_ERR(exp)) { 1047 err = PTR_ERR(exp); 1048 goto out; 1049 } 1050 1051 /* 1052 * fh must be initialized before calling fh_compose 1053 */ 1054 fh_init(&fh, maxsize); 1055 if (fh_compose(&fh, exp, path.dentry, NULL)) 1056 err = -EINVAL; 1057 else 1058 err = 0; 1059 memcpy(f, &fh.fh_handle, sizeof(struct knfsd_fh)); 1060 fh_put(&fh); 1061 exp_put(exp); 1062 out: 1063 path_put(&path); 1064 return err; 1065 } 1066 1067 static struct svc_export *exp_find(struct cache_detail *cd, 1068 struct auth_domain *clp, int fsid_type, 1069 u32 *fsidv, struct cache_req *reqp) 1070 { 1071 struct svc_export *exp; 1072 struct nfsd_net *nn = net_generic(cd->net, nfsd_net_id); 1073 struct svc_expkey *ek = exp_find_key(nn->svc_expkey_cache, clp, fsid_type, fsidv, reqp); 1074 if (IS_ERR(ek)) 1075 return ERR_CAST(ek); 1076 1077 exp = exp_get_by_name(cd, clp, &ek->ek_path, reqp); 1078 cache_put(&ek->h, nn->svc_expkey_cache); 1079 1080 if (IS_ERR(exp)) 1081 return ERR_CAST(exp); 1082 return exp; 1083 } 1084 1085 /** 1086 * check_xprtsec_policy - check if access to export is allowed by the 1087 * xprtsec policy 1088 * @exp: svc_export that is being accessed. 1089 * @rqstp: svc_rqst attempting to access @exp. 1090 * 1091 * Helper function for check_nfsd_access(). Note that callers should be 1092 * using check_nfsd_access() instead of calling this function directly. The 1093 * one exception is __fh_verify() since it has logic that may result in one 1094 * or both of the helpers being skipped. 1095 * 1096 * Return values: 1097 * %nfs_ok if access is granted, or 1098 * %nfserr_wrongsec if access is denied 1099 */ 1100 __be32 check_xprtsec_policy(struct svc_export *exp, struct svc_rqst *rqstp) 1101 { 1102 struct svc_xprt *xprt = rqstp->rq_xprt; 1103 1104 if (exp->ex_xprtsec_modes & NFSEXP_XPRTSEC_NONE) { 1105 if (!test_bit(XPT_TLS_SESSION, &xprt->xpt_flags)) 1106 return nfs_ok; 1107 } 1108 if (exp->ex_xprtsec_modes & NFSEXP_XPRTSEC_TLS) { 1109 if (test_bit(XPT_TLS_SESSION, &xprt->xpt_flags) && 1110 !test_bit(XPT_PEER_AUTH, &xprt->xpt_flags)) 1111 return nfs_ok; 1112 } 1113 if (exp->ex_xprtsec_modes & NFSEXP_XPRTSEC_MTLS) { 1114 if (test_bit(XPT_TLS_SESSION, &xprt->xpt_flags) && 1115 test_bit(XPT_PEER_AUTH, &xprt->xpt_flags)) 1116 return nfs_ok; 1117 } 1118 return nfserr_wrongsec; 1119 } 1120 1121 /** 1122 * check_security_flavor - check if access to export is allowed by the 1123 * security flavor 1124 * @exp: svc_export that is being accessed. 1125 * @rqstp: svc_rqst attempting to access @exp. 1126 * @may_bypass_gss: reduce strictness of authorization check 1127 * 1128 * Helper function for check_nfsd_access(). Note that callers should be 1129 * using check_nfsd_access() instead of calling this function directly. The 1130 * one exception is __fh_verify() since it has logic that may result in one 1131 * or both of the helpers being skipped. 1132 * 1133 * Return values: 1134 * %nfs_ok if access is granted, or 1135 * %nfserr_wrongsec if access is denied 1136 */ 1137 __be32 check_security_flavor(struct svc_export *exp, struct svc_rqst *rqstp, 1138 bool may_bypass_gss) 1139 { 1140 struct exp_flavor_info *f, *end = exp->ex_flavors + exp->ex_nflavors; 1141 1142 /* legacy gss-only clients are always OK: */ 1143 if (exp->ex_client == rqstp->rq_gssclient) 1144 return nfs_ok; 1145 /* ip-address based client; check sec= export option: */ 1146 for (f = exp->ex_flavors; f < end; f++) { 1147 if (f->pseudoflavor == rqstp->rq_cred.cr_flavor) 1148 return nfs_ok; 1149 } 1150 /* defaults in absence of sec= options: */ 1151 if (exp->ex_nflavors == 0) { 1152 if (rqstp->rq_cred.cr_flavor == RPC_AUTH_NULL || 1153 rqstp->rq_cred.cr_flavor == RPC_AUTH_UNIX) 1154 return nfs_ok; 1155 } 1156 1157 /* If the compound op contains a spo_must_allowed op, 1158 * it will be sent with integrity/protection which 1159 * will have to be expressly allowed on mounts that 1160 * don't support it 1161 */ 1162 1163 if (nfsd4_spo_must_allow(rqstp)) 1164 return nfs_ok; 1165 1166 /* Some calls may be processed without authentication 1167 * on GSS exports. For example NFS2/3 calls on root 1168 * directory, see section 2.3.2 of rfc 2623. 1169 * For "may_bypass_gss" check that export has really 1170 * enabled some flavor with authentication (GSS or any 1171 * other) and also check that the used auth flavor is 1172 * without authentication (none or sys). 1173 */ 1174 if (may_bypass_gss && ( 1175 rqstp->rq_cred.cr_flavor == RPC_AUTH_NULL || 1176 rqstp->rq_cred.cr_flavor == RPC_AUTH_UNIX)) { 1177 for (f = exp->ex_flavors; f < end; f++) { 1178 if (f->pseudoflavor >= RPC_AUTH_DES) 1179 return 0; 1180 } 1181 } 1182 1183 return nfserr_wrongsec; 1184 } 1185 1186 /** 1187 * check_nfsd_access - check if access to export is allowed. 1188 * @exp: svc_export that is being accessed. 1189 * @rqstp: svc_rqst attempting to access @exp. 1190 * @may_bypass_gss: reduce strictness of authorization check 1191 * 1192 * Return values: 1193 * %nfs_ok if access is granted, or 1194 * %nfserr_wrongsec if access is denied 1195 */ 1196 __be32 check_nfsd_access(struct svc_export *exp, struct svc_rqst *rqstp, 1197 bool may_bypass_gss) 1198 { 1199 __be32 status; 1200 1201 status = check_xprtsec_policy(exp, rqstp); 1202 if (status != nfs_ok) 1203 return status; 1204 return check_security_flavor(exp, rqstp, may_bypass_gss); 1205 } 1206 1207 /* 1208 * Uses rq_client and rq_gssclient to find an export; uses rq_client (an 1209 * auth_unix client) if it's available and has secinfo information; 1210 * otherwise, will try to use rq_gssclient. 1211 * 1212 * Called from functions that handle requests; functions that do work on 1213 * behalf of mountd are passed a single client name to use, and should 1214 * use exp_get_by_name() or exp_find(). 1215 */ 1216 struct svc_export * 1217 rqst_exp_get_by_name(struct svc_rqst *rqstp, const struct path *path) 1218 { 1219 struct svc_export *gssexp, *exp = ERR_PTR(-ENOENT); 1220 struct nfsd_net *nn = net_generic(SVC_NET(rqstp), nfsd_net_id); 1221 struct cache_detail *cd = nn->svc_export_cache; 1222 1223 if (rqstp->rq_client == NULL) 1224 goto gss; 1225 1226 /* First try the auth_unix client: */ 1227 exp = exp_get_by_name(cd, rqstp->rq_client, path, &rqstp->rq_chandle); 1228 if (PTR_ERR(exp) == -ENOENT) 1229 goto gss; 1230 if (IS_ERR(exp)) 1231 return exp; 1232 /* If it has secinfo, assume there are no gss/... clients */ 1233 if (exp->ex_nflavors > 0) 1234 return exp; 1235 gss: 1236 /* Otherwise, try falling back on gss client */ 1237 if (rqstp->rq_gssclient == NULL) 1238 return exp; 1239 gssexp = exp_get_by_name(cd, rqstp->rq_gssclient, path, &rqstp->rq_chandle); 1240 if (PTR_ERR(gssexp) == -ENOENT) 1241 return exp; 1242 if (!IS_ERR(exp)) 1243 exp_put(exp); 1244 return gssexp; 1245 } 1246 1247 /** 1248 * rqst_exp_find - Find an svc_export in the context of a rqst or similar 1249 * @reqp: The handle to be used to suspend the request if a cache-upcall is needed 1250 * If NULL, missing in-cache information will result in failure. 1251 * @net: The network namespace in which the request exists 1252 * @cl: default auth_domain to use for looking up the export 1253 * @gsscl: an alternate auth_domain defined using deprecated gss/krb5 format. 1254 * @fsid_type: The type of fsid to look for 1255 * @fsidv: The actual fsid to look up in the context of either client. 1256 * 1257 * Perform a lookup for @cl/@fsidv in the given @net for an export. If 1258 * none found and @gsscl specified, repeat the lookup. 1259 * 1260 * Returns an export, or an error pointer. 1261 */ 1262 struct svc_export * 1263 rqst_exp_find(struct cache_req *reqp, struct net *net, 1264 struct auth_domain *cl, struct auth_domain *gsscl, 1265 int fsid_type, u32 *fsidv) 1266 { 1267 struct nfsd_net *nn = net_generic(net, nfsd_net_id); 1268 struct svc_export *gssexp, *exp = ERR_PTR(-ENOENT); 1269 struct cache_detail *cd = nn->svc_export_cache; 1270 1271 if (!cl) 1272 goto gss; 1273 1274 /* First try the auth_unix client: */ 1275 exp = exp_find(cd, cl, fsid_type, fsidv, reqp); 1276 if (PTR_ERR(exp) == -ENOENT) 1277 goto gss; 1278 if (IS_ERR(exp)) 1279 return exp; 1280 /* If it has secinfo, assume there are no gss/... clients */ 1281 if (exp->ex_nflavors > 0) 1282 return exp; 1283 gss: 1284 /* Otherwise, try falling back on gss client */ 1285 if (!gsscl) 1286 return exp; 1287 gssexp = exp_find(cd, gsscl, fsid_type, fsidv, reqp); 1288 if (PTR_ERR(gssexp) == -ENOENT) 1289 return exp; 1290 if (!IS_ERR(exp)) 1291 exp_put(exp); 1292 return gssexp; 1293 } 1294 1295 struct svc_export * 1296 rqst_exp_parent(struct svc_rqst *rqstp, struct path *path) 1297 { 1298 struct dentry *saved = dget(path->dentry); 1299 struct svc_export *exp = rqst_exp_get_by_name(rqstp, path); 1300 1301 while (PTR_ERR(exp) == -ENOENT && !IS_ROOT(path->dentry)) { 1302 struct dentry *parent = dget_parent(path->dentry); 1303 dput(path->dentry); 1304 path->dentry = parent; 1305 exp = rqst_exp_get_by_name(rqstp, path); 1306 } 1307 dput(path->dentry); 1308 path->dentry = saved; 1309 return exp; 1310 } 1311 1312 struct svc_export *rqst_find_fsidzero_export(struct svc_rqst *rqstp) 1313 { 1314 u32 fsidv[2]; 1315 1316 mk_fsid(FSID_NUM, fsidv, 0, 0, 0, NULL); 1317 1318 return rqst_exp_find(&rqstp->rq_chandle, SVC_NET(rqstp), 1319 rqstp->rq_client, rqstp->rq_gssclient, 1320 FSID_NUM, fsidv); 1321 } 1322 1323 /* 1324 * Called when we need the filehandle for the root of the pseudofs, 1325 * for a given NFSv4 client. The root is defined to be the 1326 * export point with fsid==0 1327 */ 1328 __be32 1329 exp_pseudoroot(struct svc_rqst *rqstp, struct svc_fh *fhp) 1330 { 1331 struct svc_export *exp; 1332 __be32 rv; 1333 1334 exp = rqst_find_fsidzero_export(rqstp); 1335 if (IS_ERR(exp)) 1336 return nfserrno(PTR_ERR(exp)); 1337 rv = fh_compose(fhp, exp, exp->ex_path.dentry, NULL); 1338 exp_put(exp); 1339 return rv; 1340 } 1341 1342 static struct flags { 1343 int flag; 1344 char *name[2]; 1345 } expflags[] = { 1346 { NFSEXP_READONLY, {"ro", "rw"}}, 1347 { NFSEXP_INSECURE_PORT, {"insecure", ""}}, 1348 { NFSEXP_ROOTSQUASH, {"root_squash", "no_root_squash"}}, 1349 { NFSEXP_ALLSQUASH, {"all_squash", ""}}, 1350 { NFSEXP_ASYNC, {"async", "sync"}}, 1351 { NFSEXP_GATHERED_WRITES, {"wdelay", "no_wdelay"}}, 1352 { NFSEXP_NOREADDIRPLUS, {"nordirplus", ""}}, 1353 { NFSEXP_NOHIDE, {"nohide", ""}}, 1354 { NFSEXP_CROSSMOUNT, {"crossmnt", ""}}, 1355 { NFSEXP_NOSUBTREECHECK, {"no_subtree_check", ""}}, 1356 { NFSEXP_NOAUTHNLM, {"insecure_locks", ""}}, 1357 { NFSEXP_V4ROOT, {"v4root", ""}}, 1358 { NFSEXP_PNFS, {"pnfs", ""}}, 1359 { NFSEXP_SECURITY_LABEL, {"security_label", ""}}, 1360 { 0, {"", ""}} 1361 }; 1362 1363 static void show_expflags(struct seq_file *m, int flags, int mask) 1364 { 1365 struct flags *flg; 1366 int state, first = 0; 1367 1368 for (flg = expflags; flg->flag; flg++) { 1369 if (flg->flag & ~mask) 1370 continue; 1371 state = (flg->flag & flags) ? 0 : 1; 1372 if (*flg->name[state]) 1373 seq_printf(m, "%s%s", first++?",":"", flg->name[state]); 1374 } 1375 } 1376 1377 static void show_secinfo_flags(struct seq_file *m, int flags) 1378 { 1379 seq_printf(m, ","); 1380 show_expflags(m, flags, NFSEXP_SECINFO_FLAGS); 1381 } 1382 1383 static bool secinfo_flags_equal(int f, int g) 1384 { 1385 f &= NFSEXP_SECINFO_FLAGS; 1386 g &= NFSEXP_SECINFO_FLAGS; 1387 return f == g; 1388 } 1389 1390 static int show_secinfo_run(struct seq_file *m, struct exp_flavor_info **fp, struct exp_flavor_info *end) 1391 { 1392 int flags; 1393 1394 flags = (*fp)->flags; 1395 seq_printf(m, ",sec=%d", (*fp)->pseudoflavor); 1396 (*fp)++; 1397 while (*fp != end && secinfo_flags_equal(flags, (*fp)->flags)) { 1398 seq_printf(m, ":%d", (*fp)->pseudoflavor); 1399 (*fp)++; 1400 } 1401 return flags; 1402 } 1403 1404 static void show_secinfo(struct seq_file *m, struct svc_export *exp) 1405 { 1406 struct exp_flavor_info *f; 1407 struct exp_flavor_info *end = exp->ex_flavors + exp->ex_nflavors; 1408 int flags; 1409 1410 if (exp->ex_nflavors == 0) 1411 return; 1412 f = exp->ex_flavors; 1413 flags = show_secinfo_run(m, &f, end); 1414 if (!secinfo_flags_equal(flags, exp->ex_flags)) 1415 show_secinfo_flags(m, flags); 1416 while (f != end) { 1417 flags = show_secinfo_run(m, &f, end); 1418 show_secinfo_flags(m, flags); 1419 } 1420 } 1421 1422 static void exp_flags(struct seq_file *m, int flag, int fsid, 1423 kuid_t anonu, kgid_t anong, struct nfsd4_fs_locations *fsloc) 1424 { 1425 struct user_namespace *userns = m->file->f_cred->user_ns; 1426 1427 show_expflags(m, flag, NFSEXP_ALLFLAGS); 1428 if (flag & NFSEXP_FSID) 1429 seq_printf(m, ",fsid=%d", fsid); 1430 if (!uid_eq(anonu, make_kuid(userns, (uid_t)-2)) && 1431 !uid_eq(anonu, make_kuid(userns, 0x10000-2))) 1432 seq_printf(m, ",anonuid=%u", from_kuid_munged(userns, anonu)); 1433 if (!gid_eq(anong, make_kgid(userns, (gid_t)-2)) && 1434 !gid_eq(anong, make_kgid(userns, 0x10000-2))) 1435 seq_printf(m, ",anongid=%u", from_kgid_munged(userns, anong)); 1436 if (fsloc && fsloc->locations_count > 0) { 1437 char *loctype = (fsloc->migrated) ? "refer" : "replicas"; 1438 int i; 1439 1440 seq_printf(m, ",%s=", loctype); 1441 seq_escape(m, fsloc->locations[0].path, ",;@ \t\n\\"); 1442 seq_putc(m, '@'); 1443 seq_escape(m, fsloc->locations[0].hosts, ",;@ \t\n\\"); 1444 for (i = 1; i < fsloc->locations_count; i++) { 1445 seq_putc(m, ';'); 1446 seq_escape(m, fsloc->locations[i].path, ",;@ \t\n\\"); 1447 seq_putc(m, '@'); 1448 seq_escape(m, fsloc->locations[i].hosts, ",;@ \t\n\\"); 1449 } 1450 } 1451 } 1452 1453 static int e_show(struct seq_file *m, void *p) 1454 { 1455 struct cache_head *cp = p; 1456 struct svc_export *exp = container_of(cp, struct svc_export, h); 1457 struct cache_detail *cd = m->private; 1458 bool export_stats = is_export_stats_file(m); 1459 1460 if (p == SEQ_START_TOKEN) { 1461 seq_puts(m, "# Version 1.1\n"); 1462 if (export_stats) 1463 seq_puts(m, "# Path Client Start-time\n#\tStats\n"); 1464 else 1465 seq_puts(m, "# Path Client(Flags) # IPs\n"); 1466 return 0; 1467 } 1468 1469 if (cache_check_rcu(cd, &exp->h, NULL)) 1470 return 0; 1471 1472 return svc_export_show(m, cd, cp); 1473 } 1474 1475 const struct seq_operations nfs_exports_op = { 1476 .start = cache_seq_start_rcu, 1477 .next = cache_seq_next_rcu, 1478 .stop = cache_seq_stop_rcu, 1479 .show = e_show, 1480 }; 1481 1482 /* 1483 * Initialize the exports module. 1484 */ 1485 int 1486 nfsd_export_init(struct net *net) 1487 { 1488 int rv; 1489 struct nfsd_net *nn = net_generic(net, nfsd_net_id); 1490 1491 dprintk("nfsd: initializing export module (net: %x).\n", net->ns.inum); 1492 1493 nn->svc_export_cache = cache_create_net(&svc_export_cache_template, net); 1494 if (IS_ERR(nn->svc_export_cache)) 1495 return PTR_ERR(nn->svc_export_cache); 1496 rv = cache_register_net(nn->svc_export_cache, net); 1497 if (rv) 1498 goto destroy_export_cache; 1499 1500 nn->svc_expkey_cache = cache_create_net(&svc_expkey_cache_template, net); 1501 if (IS_ERR(nn->svc_expkey_cache)) { 1502 rv = PTR_ERR(nn->svc_expkey_cache); 1503 goto unregister_export_cache; 1504 } 1505 rv = cache_register_net(nn->svc_expkey_cache, net); 1506 if (rv) 1507 goto destroy_expkey_cache; 1508 return 0; 1509 1510 destroy_expkey_cache: 1511 cache_destroy_net(nn->svc_expkey_cache, net); 1512 unregister_export_cache: 1513 cache_unregister_net(nn->svc_export_cache, net); 1514 destroy_export_cache: 1515 cache_destroy_net(nn->svc_export_cache, net); 1516 return rv; 1517 } 1518 1519 /* 1520 * Flush exports table - called when last nfsd thread is killed 1521 */ 1522 void 1523 nfsd_export_flush(struct net *net) 1524 { 1525 struct nfsd_net *nn = net_generic(net, nfsd_net_id); 1526 1527 cache_purge(nn->svc_expkey_cache); 1528 cache_purge(nn->svc_export_cache); 1529 } 1530 1531 /* 1532 * Shutdown the exports module. 1533 */ 1534 void 1535 nfsd_export_shutdown(struct net *net) 1536 { 1537 struct nfsd_net *nn = net_generic(net, nfsd_net_id); 1538 1539 dprintk("nfsd: shutting down export module (net: %x).\n", net->ns.inum); 1540 1541 cache_unregister_net(nn->svc_expkey_cache, net); 1542 cache_unregister_net(nn->svc_export_cache, net); 1543 cache_destroy_net(nn->svc_expkey_cache, net); 1544 cache_destroy_net(nn->svc_export_cache, net); 1545 svcauth_unix_purge(net); 1546 1547 dprintk("nfsd: export shutdown complete (net: %x).\n", net->ns.inum); 1548 } 1549