1 // SPDX-License-Identifier: GPL-2.0 2 /* 3 * NFS exporting and validation. 4 * 5 * We maintain a list of clients, each of which has a list of 6 * exports. To export an fs to a given client, you first have 7 * to create the client entry with NFSCTL_ADDCLIENT, which 8 * creates a client control block and adds it to the hash 9 * table. Then, you call NFSCTL_EXPORT for each fs. 10 * 11 * 12 * Copyright (C) 1995, 1996 Olaf Kirch, <okir@monad.swb.de> 13 */ 14 15 #include <linux/slab.h> 16 #include <linux/namei.h> 17 #include <linux/module.h> 18 #include <linux/exportfs.h> 19 #include <linux/sunrpc/svc_xprt.h> 20 21 #include "nfsd.h" 22 #include "nfsfh.h" 23 #include "netns.h" 24 #include "pnfs.h" 25 #include "filecache.h" 26 #include "trace.h" 27 28 #define NFSDDBG_FACILITY NFSDDBG_EXPORT 29 30 /* 31 * We have two caches. 32 * One maps client+vfsmnt+dentry to export options - the export map 33 * The other maps client+filehandle-fragment to export options. - the expkey map 34 * 35 * The export options are actually stored in the first map, and the 36 * second map contains a reference to the entry in the first map. 37 */ 38 39 #define EXPKEY_HASHBITS 8 40 #define EXPKEY_HASHMAX (1 << EXPKEY_HASHBITS) 41 #define EXPKEY_HASHMASK (EXPKEY_HASHMAX -1) 42 43 static void expkey_put(struct kref *ref) 44 { 45 struct svc_expkey *key = container_of(ref, struct svc_expkey, h.ref); 46 47 if (test_bit(CACHE_VALID, &key->h.flags) && 48 !test_bit(CACHE_NEGATIVE, &key->h.flags)) 49 path_put(&key->ek_path); 50 auth_domain_put(key->ek_client); 51 kfree_rcu(key, ek_rcu); 52 } 53 54 static int expkey_upcall(struct cache_detail *cd, struct cache_head *h) 55 { 56 return sunrpc_cache_pipe_upcall(cd, h); 57 } 58 59 static void expkey_request(struct cache_detail *cd, 60 struct cache_head *h, 61 char **bpp, int *blen) 62 { 63 /* client fsidtype \xfsid */ 64 struct svc_expkey *ek = container_of(h, struct svc_expkey, h); 65 char type[5]; 66 67 qword_add(bpp, blen, ek->ek_client->name); 68 snprintf(type, 5, "%d", ek->ek_fsidtype); 69 qword_add(bpp, blen, type); 70 qword_addhex(bpp, blen, (char*)ek->ek_fsid, key_len(ek->ek_fsidtype)); 71 (*bpp)[-1] = '\n'; 72 } 73 74 static struct svc_expkey *svc_expkey_update(struct cache_detail *cd, struct svc_expkey *new, 75 struct svc_expkey *old); 76 static struct svc_expkey *svc_expkey_lookup(struct cache_detail *cd, struct svc_expkey *); 77 78 static int expkey_parse(struct cache_detail *cd, char *mesg, int mlen) 79 { 80 /* client fsidtype fsid expiry [path] */ 81 char *buf; 82 int len; 83 struct auth_domain *dom = NULL; 84 int err; 85 u8 fsidtype; 86 struct svc_expkey key; 87 struct svc_expkey *ek = NULL; 88 89 if (mesg[mlen - 1] != '\n') 90 return -EINVAL; 91 mesg[mlen-1] = 0; 92 93 buf = kmalloc(PAGE_SIZE, GFP_KERNEL); 94 err = -ENOMEM; 95 if (!buf) 96 goto out; 97 98 err = -EINVAL; 99 if (qword_get(&mesg, buf, PAGE_SIZE) <= 0) 100 goto out; 101 102 err = -ENOENT; 103 dom = auth_domain_find(buf); 104 if (!dom) 105 goto out; 106 dprintk("found domain %s\n", buf); 107 108 err = -EINVAL; 109 if (qword_get(&mesg, buf, PAGE_SIZE) <= 0) 110 goto out; 111 if (kstrtou8(buf, 10, &fsidtype)) 112 goto out; 113 dprintk("found fsidtype %u\n", fsidtype); 114 if (key_len(fsidtype)==0) /* invalid type */ 115 goto out; 116 if ((len=qword_get(&mesg, buf, PAGE_SIZE)) <= 0) 117 goto out; 118 dprintk("found fsid length %d\n", len); 119 if (len != key_len(fsidtype)) 120 goto out; 121 122 /* OK, we seem to have a valid key */ 123 key.h.flags = 0; 124 err = get_expiry(&mesg, &key.h.expiry_time); 125 if (err) 126 goto out; 127 128 key.ek_client = dom; 129 key.ek_fsidtype = fsidtype; 130 memcpy(key.ek_fsid, buf, len); 131 132 ek = svc_expkey_lookup(cd, &key); 133 err = -ENOMEM; 134 if (!ek) 135 goto out; 136 137 /* now we want a pathname, or empty meaning NEGATIVE */ 138 err = -EINVAL; 139 len = qword_get(&mesg, buf, PAGE_SIZE); 140 if (len < 0) 141 goto out; 142 dprintk("Path seems to be <%s>\n", buf); 143 err = 0; 144 if (len == 0) { 145 set_bit(CACHE_NEGATIVE, &key.h.flags); 146 ek = svc_expkey_update(cd, &key, ek); 147 if (ek) 148 trace_nfsd_expkey_update(ek, NULL); 149 else 150 err = -ENOMEM; 151 } else { 152 err = kern_path(buf, 0, &key.ek_path); 153 if (err) 154 goto out; 155 156 dprintk("Found the path %s\n", buf); 157 158 ek = svc_expkey_update(cd, &key, ek); 159 if (ek) 160 trace_nfsd_expkey_update(ek, buf); 161 else 162 err = -ENOMEM; 163 path_put(&key.ek_path); 164 } 165 cache_flush(); 166 out: 167 if (ek) 168 cache_put(&ek->h, cd); 169 if (dom) 170 auth_domain_put(dom); 171 kfree(buf); 172 return err; 173 } 174 175 static int expkey_show(struct seq_file *m, 176 struct cache_detail *cd, 177 struct cache_head *h) 178 { 179 struct svc_expkey *ek ; 180 int i; 181 182 if (h ==NULL) { 183 seq_puts(m, "#domain fsidtype fsid [path]\n"); 184 return 0; 185 } 186 ek = container_of(h, struct svc_expkey, h); 187 seq_printf(m, "%s %d 0x", ek->ek_client->name, 188 ek->ek_fsidtype); 189 for (i=0; i < key_len(ek->ek_fsidtype)/4; i++) 190 seq_printf(m, "%08x", ek->ek_fsid[i]); 191 if (test_bit(CACHE_VALID, &h->flags) && 192 !test_bit(CACHE_NEGATIVE, &h->flags)) { 193 seq_printf(m, " "); 194 seq_path(m, &ek->ek_path, "\\ \t\n"); 195 } 196 seq_printf(m, "\n"); 197 return 0; 198 } 199 200 static inline int expkey_match (struct cache_head *a, struct cache_head *b) 201 { 202 struct svc_expkey *orig = container_of(a, struct svc_expkey, h); 203 struct svc_expkey *new = container_of(b, struct svc_expkey, h); 204 205 if (orig->ek_fsidtype != new->ek_fsidtype || 206 orig->ek_client != new->ek_client || 207 memcmp(orig->ek_fsid, new->ek_fsid, key_len(orig->ek_fsidtype)) != 0) 208 return 0; 209 return 1; 210 } 211 212 static inline void expkey_init(struct cache_head *cnew, 213 struct cache_head *citem) 214 { 215 struct svc_expkey *new = container_of(cnew, struct svc_expkey, h); 216 struct svc_expkey *item = container_of(citem, struct svc_expkey, h); 217 218 kref_get(&item->ek_client->ref); 219 new->ek_client = item->ek_client; 220 new->ek_fsidtype = item->ek_fsidtype; 221 222 memcpy(new->ek_fsid, item->ek_fsid, sizeof(new->ek_fsid)); 223 } 224 225 static inline void expkey_update(struct cache_head *cnew, 226 struct cache_head *citem) 227 { 228 struct svc_expkey *new = container_of(cnew, struct svc_expkey, h); 229 struct svc_expkey *item = container_of(citem, struct svc_expkey, h); 230 231 new->ek_path = item->ek_path; 232 path_get(&item->ek_path); 233 } 234 235 static struct cache_head *expkey_alloc(void) 236 { 237 struct svc_expkey *i = kmalloc(sizeof(*i), GFP_KERNEL); 238 if (i) 239 return &i->h; 240 else 241 return NULL; 242 } 243 244 static void expkey_flush(void) 245 { 246 /* 247 * Take the nfsd_mutex here to ensure that the file cache is not 248 * destroyed while we're in the middle of flushing. 249 */ 250 mutex_lock(&nfsd_mutex); 251 nfsd_file_cache_purge(current->nsproxy->net_ns); 252 mutex_unlock(&nfsd_mutex); 253 } 254 255 static const struct cache_detail svc_expkey_cache_template = { 256 .owner = THIS_MODULE, 257 .hash_size = EXPKEY_HASHMAX, 258 .name = "nfsd.fh", 259 .cache_put = expkey_put, 260 .cache_upcall = expkey_upcall, 261 .cache_request = expkey_request, 262 .cache_parse = expkey_parse, 263 .cache_show = expkey_show, 264 .match = expkey_match, 265 .init = expkey_init, 266 .update = expkey_update, 267 .alloc = expkey_alloc, 268 .flush = expkey_flush, 269 }; 270 271 static int 272 svc_expkey_hash(struct svc_expkey *item) 273 { 274 int hash = item->ek_fsidtype; 275 char * cp = (char*)item->ek_fsid; 276 int len = key_len(item->ek_fsidtype); 277 278 hash ^= hash_mem(cp, len, EXPKEY_HASHBITS); 279 hash ^= hash_ptr(item->ek_client, EXPKEY_HASHBITS); 280 hash &= EXPKEY_HASHMASK; 281 return hash; 282 } 283 284 static struct svc_expkey * 285 svc_expkey_lookup(struct cache_detail *cd, struct svc_expkey *item) 286 { 287 struct cache_head *ch; 288 int hash = svc_expkey_hash(item); 289 290 ch = sunrpc_cache_lookup_rcu(cd, &item->h, hash); 291 if (ch) 292 return container_of(ch, struct svc_expkey, h); 293 else 294 return NULL; 295 } 296 297 static struct svc_expkey * 298 svc_expkey_update(struct cache_detail *cd, struct svc_expkey *new, 299 struct svc_expkey *old) 300 { 301 struct cache_head *ch; 302 int hash = svc_expkey_hash(new); 303 304 ch = sunrpc_cache_update(cd, &new->h, &old->h, hash); 305 if (ch) 306 return container_of(ch, struct svc_expkey, h); 307 else 308 return NULL; 309 } 310 311 312 #define EXPORT_HASHBITS 8 313 #define EXPORT_HASHMAX (1<< EXPORT_HASHBITS) 314 315 static void nfsd4_fslocs_free(struct nfsd4_fs_locations *fsloc) 316 { 317 struct nfsd4_fs_location *locations = fsloc->locations; 318 int i; 319 320 if (!locations) 321 return; 322 323 for (i = 0; i < fsloc->locations_count; i++) { 324 kfree(locations[i].path); 325 kfree(locations[i].hosts); 326 } 327 328 kfree(locations); 329 fsloc->locations = NULL; 330 } 331 332 static int export_stats_init(struct export_stats *stats) 333 { 334 stats->start_time = ktime_get_seconds(); 335 return percpu_counter_init_many(stats->counter, 0, GFP_KERNEL, 336 EXP_STATS_COUNTERS_NUM); 337 } 338 339 static void export_stats_reset(struct export_stats *stats) 340 { 341 if (stats) { 342 int i; 343 344 for (i = 0; i < EXP_STATS_COUNTERS_NUM; i++) 345 percpu_counter_set(&stats->counter[i], 0); 346 } 347 } 348 349 static void export_stats_destroy(struct export_stats *stats) 350 { 351 if (stats) 352 percpu_counter_destroy_many(stats->counter, 353 EXP_STATS_COUNTERS_NUM); 354 } 355 356 static void svc_export_release(struct rcu_head *rcu_head) 357 { 358 struct svc_export *exp = container_of(rcu_head, struct svc_export, 359 ex_rcu); 360 361 nfsd4_fslocs_free(&exp->ex_fslocs); 362 export_stats_destroy(exp->ex_stats); 363 kfree(exp->ex_stats); 364 kfree(exp->ex_uuid); 365 kfree(exp); 366 } 367 368 static void svc_export_put(struct kref *ref) 369 { 370 struct svc_export *exp = container_of(ref, struct svc_export, h.ref); 371 372 path_put(&exp->ex_path); 373 auth_domain_put(exp->ex_client); 374 call_rcu(&exp->ex_rcu, svc_export_release); 375 } 376 377 static int svc_export_upcall(struct cache_detail *cd, struct cache_head *h) 378 { 379 return sunrpc_cache_pipe_upcall(cd, h); 380 } 381 382 static void svc_export_request(struct cache_detail *cd, 383 struct cache_head *h, 384 char **bpp, int *blen) 385 { 386 /* client path */ 387 struct svc_export *exp = container_of(h, struct svc_export, h); 388 char *pth; 389 390 qword_add(bpp, blen, exp->ex_client->name); 391 pth = d_path(&exp->ex_path, *bpp, *blen); 392 if (IS_ERR(pth)) { 393 /* is this correct? */ 394 (*bpp)[0] = '\n'; 395 return; 396 } 397 qword_add(bpp, blen, pth); 398 (*bpp)[-1] = '\n'; 399 } 400 401 static struct svc_export *svc_export_update(struct svc_export *new, 402 struct svc_export *old); 403 static struct svc_export *svc_export_lookup(struct svc_export *); 404 405 static int check_export(const struct path *path, int *flags, unsigned char *uuid) 406 { 407 struct inode *inode = d_inode(path->dentry); 408 409 /* 410 * We currently export only dirs, regular files, and (for v4 411 * pseudoroot) symlinks. 412 */ 413 if (!S_ISDIR(inode->i_mode) && 414 !S_ISLNK(inode->i_mode) && 415 !S_ISREG(inode->i_mode)) 416 return -ENOTDIR; 417 418 /* 419 * Mountd should never pass down a writeable V4ROOT export, but, 420 * just to make sure: 421 */ 422 if (*flags & NFSEXP_V4ROOT) 423 *flags |= NFSEXP_READONLY; 424 425 /* There are two requirements on a filesystem to be exportable. 426 * 1: We must be able to identify the filesystem from a number. 427 * either a device number (so FS_REQUIRES_DEV needed) 428 * or an FSID number (so NFSEXP_FSID or ->uuid is needed). 429 * 2: We must be able to find an inode from a filehandle. 430 * This means that s_export_op must be set and comply with 431 * the requirements for remote filesystem export. 432 * 3: We must not currently be on an idmapped mount. 433 */ 434 if (!(inode->i_sb->s_type->fs_flags & FS_REQUIRES_DEV) && 435 !(*flags & NFSEXP_FSID) && 436 uuid == NULL) { 437 dprintk("exp_export: export of non-dev fs without fsid\n"); 438 return -EINVAL; 439 } 440 441 if (!exportfs_may_export(inode->i_sb->s_export_op)) { 442 dprintk("exp_export: export of invalid fs type (%s).\n", 443 inode->i_sb->s_type->name); 444 return -EINVAL; 445 } 446 447 if (is_idmapped_mnt(path->mnt)) { 448 dprintk("exp_export: export of idmapped mounts not yet supported.\n"); 449 return -EINVAL; 450 } 451 452 if (inode->i_sb->s_export_op->flags & EXPORT_OP_NOSUBTREECHK && 453 !(*flags & NFSEXP_NOSUBTREECHECK)) { 454 dprintk("%s: %s does not support subtree checking!\n", 455 __func__, inode->i_sb->s_type->name); 456 return -EINVAL; 457 } 458 return 0; 459 } 460 461 #ifdef CONFIG_NFSD_V4 462 463 static int 464 fsloc_parse(char **mesg, char *buf, struct nfsd4_fs_locations *fsloc) 465 { 466 int len; 467 int migrated, i, err; 468 469 /* more than one fsloc */ 470 if (fsloc->locations) 471 return -EINVAL; 472 473 /* listsize */ 474 err = get_uint(mesg, &fsloc->locations_count); 475 if (err) 476 return err; 477 if (fsloc->locations_count > MAX_FS_LOCATIONS) 478 return -EINVAL; 479 if (fsloc->locations_count == 0) 480 return 0; 481 482 fsloc->locations = kcalloc(fsloc->locations_count, 483 sizeof(struct nfsd4_fs_location), 484 GFP_KERNEL); 485 if (!fsloc->locations) 486 return -ENOMEM; 487 for (i=0; i < fsloc->locations_count; i++) { 488 /* colon separated host list */ 489 err = -EINVAL; 490 len = qword_get(mesg, buf, PAGE_SIZE); 491 if (len <= 0) 492 goto out_free_all; 493 err = -ENOMEM; 494 fsloc->locations[i].hosts = kstrdup(buf, GFP_KERNEL); 495 if (!fsloc->locations[i].hosts) 496 goto out_free_all; 497 err = -EINVAL; 498 /* slash separated path component list */ 499 len = qword_get(mesg, buf, PAGE_SIZE); 500 if (len <= 0) 501 goto out_free_all; 502 err = -ENOMEM; 503 fsloc->locations[i].path = kstrdup(buf, GFP_KERNEL); 504 if (!fsloc->locations[i].path) 505 goto out_free_all; 506 } 507 /* migrated */ 508 err = get_int(mesg, &migrated); 509 if (err) 510 goto out_free_all; 511 err = -EINVAL; 512 if (migrated < 0 || migrated > 1) 513 goto out_free_all; 514 fsloc->migrated = migrated; 515 return 0; 516 out_free_all: 517 nfsd4_fslocs_free(fsloc); 518 return err; 519 } 520 521 static int secinfo_parse(char **mesg, char *buf, struct svc_export *exp) 522 { 523 struct exp_flavor_info *f; 524 u32 listsize; 525 int err; 526 527 /* more than one secinfo */ 528 if (exp->ex_nflavors) 529 return -EINVAL; 530 531 err = get_uint(mesg, &listsize); 532 if (err) 533 return err; 534 if (listsize > MAX_SECINFO_LIST) 535 return -EINVAL; 536 537 for (f = exp->ex_flavors; f < exp->ex_flavors + listsize; f++) { 538 err = get_uint(mesg, &f->pseudoflavor); 539 if (err) 540 return err; 541 /* 542 * XXX: It would be nice to also check whether this 543 * pseudoflavor is supported, so we can discover the 544 * problem at export time instead of when a client fails 545 * to authenticate. 546 */ 547 err = get_uint(mesg, &f->flags); 548 if (err) 549 return err; 550 /* Only some flags are allowed to differ between flavors: */ 551 if (~NFSEXP_SECINFO_FLAGS & (f->flags ^ exp->ex_flags)) 552 return -EINVAL; 553 } 554 exp->ex_nflavors = listsize; 555 return 0; 556 } 557 558 #else /* CONFIG_NFSD_V4 */ 559 static inline int 560 fsloc_parse(char **mesg, char *buf, struct nfsd4_fs_locations *fsloc){return 0;} 561 static inline int 562 secinfo_parse(char **mesg, char *buf, struct svc_export *exp) { return 0; } 563 #endif 564 565 static int xprtsec_parse(char **mesg, char *buf, struct svc_export *exp) 566 { 567 unsigned int i, mode, listsize; 568 int err; 569 570 err = get_uint(mesg, &listsize); 571 if (err) 572 return err; 573 if (listsize > NFSEXP_XPRTSEC_NUM) 574 return -EINVAL; 575 576 exp->ex_xprtsec_modes = 0; 577 for (i = 0; i < listsize; i++) { 578 err = get_uint(mesg, &mode); 579 if (err) 580 return err; 581 if (mode > NFSEXP_XPRTSEC_MTLS) 582 return -EINVAL; 583 exp->ex_xprtsec_modes |= mode; 584 } 585 return 0; 586 } 587 588 static inline int 589 nfsd_uuid_parse(char **mesg, char *buf, unsigned char **puuid) 590 { 591 int len; 592 593 /* more than one uuid */ 594 if (*puuid) 595 return -EINVAL; 596 597 /* expect a 16 byte uuid encoded as \xXXXX... */ 598 len = qword_get(mesg, buf, PAGE_SIZE); 599 if (len != EX_UUID_LEN) 600 return -EINVAL; 601 602 *puuid = kmemdup(buf, EX_UUID_LEN, GFP_KERNEL); 603 if (*puuid == NULL) 604 return -ENOMEM; 605 606 return 0; 607 } 608 609 static int svc_export_parse(struct cache_detail *cd, char *mesg, int mlen) 610 { 611 /* client path expiry [flags anonuid anongid fsid] */ 612 char *buf; 613 int err; 614 struct auth_domain *dom = NULL; 615 struct svc_export exp = {}, *expp; 616 int an_int; 617 618 if (mesg[mlen-1] != '\n') 619 return -EINVAL; 620 mesg[mlen-1] = 0; 621 622 buf = kmalloc(PAGE_SIZE, GFP_KERNEL); 623 if (!buf) 624 return -ENOMEM; 625 626 /* client */ 627 err = -EINVAL; 628 if (qword_get(&mesg, buf, PAGE_SIZE) <= 0) 629 goto out; 630 631 err = -ENOENT; 632 dom = auth_domain_find(buf); 633 if (!dom) 634 goto out; 635 636 /* path */ 637 err = -EINVAL; 638 if (qword_get(&mesg, buf, PAGE_SIZE) <= 0) 639 goto out1; 640 641 err = kern_path(buf, 0, &exp.ex_path); 642 if (err) 643 goto out1; 644 645 exp.ex_client = dom; 646 exp.cd = cd; 647 exp.ex_devid_map = NULL; 648 exp.ex_xprtsec_modes = NFSEXP_XPRTSEC_ALL; 649 650 /* expiry */ 651 err = get_expiry(&mesg, &exp.h.expiry_time); 652 if (err) 653 goto out3; 654 655 /* flags */ 656 err = get_int(&mesg, &an_int); 657 if (err == -ENOENT) { 658 err = 0; 659 set_bit(CACHE_NEGATIVE, &exp.h.flags); 660 } else { 661 if (err || an_int < 0) 662 goto out3; 663 exp.ex_flags= an_int; 664 665 /* anon uid */ 666 err = get_int(&mesg, &an_int); 667 if (err) 668 goto out3; 669 exp.ex_anon_uid= make_kuid(current_user_ns(), an_int); 670 671 /* anon gid */ 672 err = get_int(&mesg, &an_int); 673 if (err) 674 goto out3; 675 exp.ex_anon_gid= make_kgid(current_user_ns(), an_int); 676 677 /* fsid */ 678 err = get_int(&mesg, &an_int); 679 if (err) 680 goto out3; 681 exp.ex_fsid = an_int; 682 683 while (qword_get(&mesg, buf, PAGE_SIZE) > 0) { 684 if (strcmp(buf, "fsloc") == 0) 685 err = fsloc_parse(&mesg, buf, &exp.ex_fslocs); 686 else if (strcmp(buf, "uuid") == 0) 687 err = nfsd_uuid_parse(&mesg, buf, &exp.ex_uuid); 688 else if (strcmp(buf, "secinfo") == 0) 689 err = secinfo_parse(&mesg, buf, &exp); 690 else if (strcmp(buf, "xprtsec") == 0) 691 err = xprtsec_parse(&mesg, buf, &exp); 692 else 693 /* quietly ignore unknown words and anything 694 * following. Newer user-space can try to set 695 * new values, then see what the result was. 696 */ 697 break; 698 if (err) 699 goto out4; 700 } 701 702 err = check_export(&exp.ex_path, &exp.ex_flags, exp.ex_uuid); 703 if (err) 704 goto out4; 705 706 /* 707 * No point caching this if it would immediately expire. 708 * Also, this protects exportfs's dummy export from the 709 * anon_uid/anon_gid checks: 710 */ 711 if (exp.h.expiry_time < seconds_since_boot()) 712 goto out4; 713 /* 714 * For some reason exportfs has been passing down an 715 * invalid (-1) uid & gid on the "dummy" export which it 716 * uses to test export support. To make sure exportfs 717 * sees errors from check_export we therefore need to 718 * delay these checks till after check_export: 719 */ 720 err = -EINVAL; 721 if (!uid_valid(exp.ex_anon_uid)) 722 goto out4; 723 if (!gid_valid(exp.ex_anon_gid)) 724 goto out4; 725 err = 0; 726 727 nfsd4_setup_layout_type(&exp); 728 } 729 730 expp = svc_export_lookup(&exp); 731 if (!expp) { 732 err = -ENOMEM; 733 goto out4; 734 } 735 expp = svc_export_update(&exp, expp); 736 if (expp) { 737 trace_nfsd_export_update(expp); 738 cache_flush(); 739 exp_put(expp); 740 } else 741 err = -ENOMEM; 742 out4: 743 nfsd4_fslocs_free(&exp.ex_fslocs); 744 kfree(exp.ex_uuid); 745 out3: 746 path_put(&exp.ex_path); 747 out1: 748 auth_domain_put(dom); 749 out: 750 kfree(buf); 751 return err; 752 } 753 754 static void exp_flags(struct seq_file *m, int flag, int fsid, 755 kuid_t anonu, kgid_t anong, struct nfsd4_fs_locations *fslocs); 756 static void show_secinfo(struct seq_file *m, struct svc_export *exp); 757 758 static int is_export_stats_file(struct seq_file *m) 759 { 760 /* 761 * The export_stats file uses the same ops as the exports file. 762 * We use the file's name to determine the reported info per export. 763 * There is no rename in nsfdfs, so d_name.name is stable. 764 */ 765 return !strcmp(m->file->f_path.dentry->d_name.name, "export_stats"); 766 } 767 768 static int svc_export_show(struct seq_file *m, 769 struct cache_detail *cd, 770 struct cache_head *h) 771 { 772 struct svc_export *exp; 773 bool export_stats = is_export_stats_file(m); 774 775 if (h == NULL) { 776 if (export_stats) 777 seq_puts(m, "#path domain start-time\n#\tstats\n"); 778 else 779 seq_puts(m, "#path domain(flags)\n"); 780 return 0; 781 } 782 exp = container_of(h, struct svc_export, h); 783 seq_path(m, &exp->ex_path, " \t\n\\"); 784 seq_putc(m, '\t'); 785 seq_escape(m, exp->ex_client->name, " \t\n\\"); 786 if (export_stats) { 787 struct percpu_counter *counter = exp->ex_stats->counter; 788 789 seq_printf(m, "\t%lld\n", exp->ex_stats->start_time); 790 seq_printf(m, "\tfh_stale: %lld\n", 791 percpu_counter_sum_positive(&counter[EXP_STATS_FH_STALE])); 792 seq_printf(m, "\tio_read: %lld\n", 793 percpu_counter_sum_positive(&counter[EXP_STATS_IO_READ])); 794 seq_printf(m, "\tio_write: %lld\n", 795 percpu_counter_sum_positive(&counter[EXP_STATS_IO_WRITE])); 796 seq_putc(m, '\n'); 797 return 0; 798 } 799 seq_putc(m, '('); 800 if (test_bit(CACHE_VALID, &h->flags) && 801 !test_bit(CACHE_NEGATIVE, &h->flags)) { 802 exp_flags(m, exp->ex_flags, exp->ex_fsid, 803 exp->ex_anon_uid, exp->ex_anon_gid, &exp->ex_fslocs); 804 if (exp->ex_uuid) { 805 int i; 806 seq_puts(m, ",uuid="); 807 for (i = 0; i < EX_UUID_LEN; i++) { 808 if ((i&3) == 0 && i) 809 seq_putc(m, ':'); 810 seq_printf(m, "%02x", exp->ex_uuid[i]); 811 } 812 } 813 show_secinfo(m, exp); 814 } 815 seq_puts(m, ")\n"); 816 return 0; 817 } 818 static int svc_export_match(struct cache_head *a, struct cache_head *b) 819 { 820 struct svc_export *orig = container_of(a, struct svc_export, h); 821 struct svc_export *new = container_of(b, struct svc_export, h); 822 return orig->ex_client == new->ex_client && 823 path_equal(&orig->ex_path, &new->ex_path); 824 } 825 826 static void svc_export_init(struct cache_head *cnew, struct cache_head *citem) 827 { 828 struct svc_export *new = container_of(cnew, struct svc_export, h); 829 struct svc_export *item = container_of(citem, struct svc_export, h); 830 831 kref_get(&item->ex_client->ref); 832 new->ex_client = item->ex_client; 833 new->ex_path = item->ex_path; 834 path_get(&item->ex_path); 835 new->ex_fslocs.locations = NULL; 836 new->ex_fslocs.locations_count = 0; 837 new->ex_fslocs.migrated = 0; 838 new->ex_layout_types = 0; 839 new->ex_uuid = NULL; 840 new->cd = item->cd; 841 export_stats_reset(new->ex_stats); 842 } 843 844 static void export_update(struct cache_head *cnew, struct cache_head *citem) 845 { 846 struct svc_export *new = container_of(cnew, struct svc_export, h); 847 struct svc_export *item = container_of(citem, struct svc_export, h); 848 int i; 849 850 new->ex_flags = item->ex_flags; 851 new->ex_anon_uid = item->ex_anon_uid; 852 new->ex_anon_gid = item->ex_anon_gid; 853 new->ex_fsid = item->ex_fsid; 854 new->ex_devid_map = item->ex_devid_map; 855 item->ex_devid_map = NULL; 856 new->ex_uuid = item->ex_uuid; 857 item->ex_uuid = NULL; 858 new->ex_fslocs.locations = item->ex_fslocs.locations; 859 item->ex_fslocs.locations = NULL; 860 new->ex_fslocs.locations_count = item->ex_fslocs.locations_count; 861 item->ex_fslocs.locations_count = 0; 862 new->ex_fslocs.migrated = item->ex_fslocs.migrated; 863 item->ex_fslocs.migrated = 0; 864 new->ex_layout_types = item->ex_layout_types; 865 new->ex_nflavors = item->ex_nflavors; 866 for (i = 0; i < MAX_SECINFO_LIST; i++) { 867 new->ex_flavors[i] = item->ex_flavors[i]; 868 } 869 new->ex_xprtsec_modes = item->ex_xprtsec_modes; 870 } 871 872 static struct cache_head *svc_export_alloc(void) 873 { 874 struct svc_export *i = kmalloc(sizeof(*i), GFP_KERNEL); 875 if (!i) 876 return NULL; 877 878 i->ex_stats = kmalloc(sizeof(*(i->ex_stats)), GFP_KERNEL); 879 if (!i->ex_stats) { 880 kfree(i); 881 return NULL; 882 } 883 884 if (export_stats_init(i->ex_stats)) { 885 kfree(i->ex_stats); 886 kfree(i); 887 return NULL; 888 } 889 890 return &i->h; 891 } 892 893 static const struct cache_detail svc_export_cache_template = { 894 .owner = THIS_MODULE, 895 .hash_size = EXPORT_HASHMAX, 896 .name = "nfsd.export", 897 .cache_put = svc_export_put, 898 .cache_upcall = svc_export_upcall, 899 .cache_request = svc_export_request, 900 .cache_parse = svc_export_parse, 901 .cache_show = svc_export_show, 902 .match = svc_export_match, 903 .init = svc_export_init, 904 .update = export_update, 905 .alloc = svc_export_alloc, 906 }; 907 908 static int 909 svc_export_hash(struct svc_export *exp) 910 { 911 int hash; 912 913 hash = hash_ptr(exp->ex_client, EXPORT_HASHBITS); 914 hash ^= hash_ptr(exp->ex_path.dentry, EXPORT_HASHBITS); 915 hash ^= hash_ptr(exp->ex_path.mnt, EXPORT_HASHBITS); 916 return hash; 917 } 918 919 static struct svc_export * 920 svc_export_lookup(struct svc_export *exp) 921 { 922 struct cache_head *ch; 923 int hash = svc_export_hash(exp); 924 925 ch = sunrpc_cache_lookup_rcu(exp->cd, &exp->h, hash); 926 if (ch) 927 return container_of(ch, struct svc_export, h); 928 else 929 return NULL; 930 } 931 932 static struct svc_export * 933 svc_export_update(struct svc_export *new, struct svc_export *old) 934 { 935 struct cache_head *ch; 936 int hash = svc_export_hash(old); 937 938 ch = sunrpc_cache_update(old->cd, &new->h, &old->h, hash); 939 if (ch) 940 return container_of(ch, struct svc_export, h); 941 else 942 return NULL; 943 } 944 945 946 static struct svc_expkey * 947 exp_find_key(struct cache_detail *cd, struct auth_domain *clp, int fsid_type, 948 u32 *fsidv, struct cache_req *reqp) 949 { 950 struct svc_expkey key, *ek; 951 int err; 952 953 if (!clp) 954 return ERR_PTR(-ENOENT); 955 956 key.ek_client = clp; 957 key.ek_fsidtype = fsid_type; 958 memcpy(key.ek_fsid, fsidv, key_len(fsid_type)); 959 960 ek = svc_expkey_lookup(cd, &key); 961 if (ek == NULL) 962 return ERR_PTR(-ENOMEM); 963 err = cache_check(cd, &ek->h, reqp); 964 if (err) { 965 trace_nfsd_exp_find_key(&key, err); 966 return ERR_PTR(err); 967 } 968 return ek; 969 } 970 971 static struct svc_export * 972 exp_get_by_name(struct cache_detail *cd, struct auth_domain *clp, 973 const struct path *path, struct cache_req *reqp) 974 { 975 struct svc_export *exp, key; 976 int err; 977 978 if (!clp) 979 return ERR_PTR(-ENOENT); 980 981 key.ex_client = clp; 982 key.ex_path = *path; 983 key.cd = cd; 984 985 exp = svc_export_lookup(&key); 986 if (exp == NULL) 987 return ERR_PTR(-ENOMEM); 988 err = cache_check(cd, &exp->h, reqp); 989 if (err) { 990 trace_nfsd_exp_get_by_name(&key, err); 991 return ERR_PTR(err); 992 } 993 return exp; 994 } 995 996 /* 997 * Find the export entry for a given dentry. 998 */ 999 static struct svc_export * 1000 exp_parent(struct cache_detail *cd, struct auth_domain *clp, struct path *path) 1001 { 1002 struct dentry *saved = dget(path->dentry); 1003 struct svc_export *exp = exp_get_by_name(cd, clp, path, NULL); 1004 1005 while (PTR_ERR(exp) == -ENOENT && !IS_ROOT(path->dentry)) { 1006 struct dentry *parent = dget_parent(path->dentry); 1007 dput(path->dentry); 1008 path->dentry = parent; 1009 exp = exp_get_by_name(cd, clp, path, NULL); 1010 } 1011 dput(path->dentry); 1012 path->dentry = saved; 1013 return exp; 1014 } 1015 1016 1017 1018 /* 1019 * Obtain the root fh on behalf of a client. 1020 * This could be done in user space, but I feel that it adds some safety 1021 * since its harder to fool a kernel module than a user space program. 1022 */ 1023 int 1024 exp_rootfh(struct net *net, struct auth_domain *clp, char *name, 1025 struct knfsd_fh *f, int maxsize) 1026 { 1027 struct svc_export *exp; 1028 struct path path; 1029 struct inode *inode __maybe_unused; 1030 struct svc_fh fh; 1031 int err; 1032 struct nfsd_net *nn = net_generic(net, nfsd_net_id); 1033 struct cache_detail *cd = nn->svc_export_cache; 1034 1035 err = -EPERM; 1036 /* NB: we probably ought to check that it's NUL-terminated */ 1037 if (kern_path(name, 0, &path)) { 1038 printk("nfsd: exp_rootfh path not found %s", name); 1039 return err; 1040 } 1041 inode = d_inode(path.dentry); 1042 1043 dprintk("nfsd: exp_rootfh(%s [%p] %s:%s/%ld)\n", 1044 name, path.dentry, clp->name, 1045 inode->i_sb->s_id, inode->i_ino); 1046 exp = exp_parent(cd, clp, &path); 1047 if (IS_ERR(exp)) { 1048 err = PTR_ERR(exp); 1049 goto out; 1050 } 1051 1052 /* 1053 * fh must be initialized before calling fh_compose 1054 */ 1055 fh_init(&fh, maxsize); 1056 if (fh_compose(&fh, exp, path.dentry, NULL)) 1057 err = -EINVAL; 1058 else 1059 err = 0; 1060 memcpy(f, &fh.fh_handle, sizeof(struct knfsd_fh)); 1061 fh_put(&fh); 1062 exp_put(exp); 1063 out: 1064 path_put(&path); 1065 return err; 1066 } 1067 1068 static struct svc_export *exp_find(struct cache_detail *cd, 1069 struct auth_domain *clp, int fsid_type, 1070 u32 *fsidv, struct cache_req *reqp) 1071 { 1072 struct svc_export *exp; 1073 struct nfsd_net *nn = net_generic(cd->net, nfsd_net_id); 1074 struct svc_expkey *ek = exp_find_key(nn->svc_expkey_cache, clp, fsid_type, fsidv, reqp); 1075 if (IS_ERR(ek)) 1076 return ERR_CAST(ek); 1077 1078 exp = exp_get_by_name(cd, clp, &ek->ek_path, reqp); 1079 cache_put(&ek->h, nn->svc_expkey_cache); 1080 1081 if (IS_ERR(exp)) 1082 return ERR_CAST(exp); 1083 return exp; 1084 } 1085 1086 /** 1087 * check_xprtsec_policy - check if access to export is allowed by the 1088 * xprtsec policy 1089 * @exp: svc_export that is being accessed. 1090 * @rqstp: svc_rqst attempting to access @exp. 1091 * 1092 * Helper function for check_nfsd_access(). Note that callers should be 1093 * using check_nfsd_access() instead of calling this function directly. The 1094 * one exception is __fh_verify() since it has logic that may result in one 1095 * or both of the helpers being skipped. 1096 * 1097 * Return values: 1098 * %nfs_ok if access is granted, or 1099 * %nfserr_wrongsec if access is denied 1100 */ 1101 __be32 check_xprtsec_policy(struct svc_export *exp, struct svc_rqst *rqstp) 1102 { 1103 struct svc_xprt *xprt = rqstp->rq_xprt; 1104 1105 if (exp->ex_xprtsec_modes & NFSEXP_XPRTSEC_NONE) { 1106 if (!test_bit(XPT_TLS_SESSION, &xprt->xpt_flags)) 1107 return nfs_ok; 1108 } 1109 if (exp->ex_xprtsec_modes & NFSEXP_XPRTSEC_TLS) { 1110 if (test_bit(XPT_TLS_SESSION, &xprt->xpt_flags) && 1111 !test_bit(XPT_PEER_AUTH, &xprt->xpt_flags)) 1112 return nfs_ok; 1113 } 1114 if (exp->ex_xprtsec_modes & NFSEXP_XPRTSEC_MTLS) { 1115 if (test_bit(XPT_TLS_SESSION, &xprt->xpt_flags) && 1116 test_bit(XPT_PEER_AUTH, &xprt->xpt_flags)) 1117 return nfs_ok; 1118 } 1119 return nfserr_wrongsec; 1120 } 1121 1122 /** 1123 * check_security_flavor - check if access to export is allowed by the 1124 * security flavor 1125 * @exp: svc_export that is being accessed. 1126 * @rqstp: svc_rqst attempting to access @exp. 1127 * @may_bypass_gss: reduce strictness of authorization check 1128 * 1129 * Helper function for check_nfsd_access(). Note that callers should be 1130 * using check_nfsd_access() instead of calling this function directly. The 1131 * one exception is __fh_verify() since it has logic that may result in one 1132 * or both of the helpers being skipped. 1133 * 1134 * Return values: 1135 * %nfs_ok if access is granted, or 1136 * %nfserr_wrongsec if access is denied 1137 */ 1138 __be32 check_security_flavor(struct svc_export *exp, struct svc_rqst *rqstp, 1139 bool may_bypass_gss) 1140 { 1141 struct exp_flavor_info *f, *end = exp->ex_flavors + exp->ex_nflavors; 1142 1143 /* legacy gss-only clients are always OK: */ 1144 if (exp->ex_client == rqstp->rq_gssclient) 1145 return nfs_ok; 1146 /* ip-address based client; check sec= export option: */ 1147 for (f = exp->ex_flavors; f < end; f++) { 1148 if (f->pseudoflavor == rqstp->rq_cred.cr_flavor) 1149 return nfs_ok; 1150 } 1151 /* defaults in absence of sec= options: */ 1152 if (exp->ex_nflavors == 0) { 1153 if (rqstp->rq_cred.cr_flavor == RPC_AUTH_NULL || 1154 rqstp->rq_cred.cr_flavor == RPC_AUTH_UNIX) 1155 return nfs_ok; 1156 } 1157 1158 /* If the compound op contains a spo_must_allowed op, 1159 * it will be sent with integrity/protection which 1160 * will have to be expressly allowed on mounts that 1161 * don't support it 1162 */ 1163 1164 if (nfsd4_spo_must_allow(rqstp)) 1165 return nfs_ok; 1166 1167 /* Some calls may be processed without authentication 1168 * on GSS exports. For example NFS2/3 calls on root 1169 * directory, see section 2.3.2 of rfc 2623. 1170 * For "may_bypass_gss" check that export has really 1171 * enabled some flavor with authentication (GSS or any 1172 * other) and also check that the used auth flavor is 1173 * without authentication (none or sys). 1174 */ 1175 if (may_bypass_gss && ( 1176 rqstp->rq_cred.cr_flavor == RPC_AUTH_NULL || 1177 rqstp->rq_cred.cr_flavor == RPC_AUTH_UNIX)) { 1178 for (f = exp->ex_flavors; f < end; f++) { 1179 if (f->pseudoflavor >= RPC_AUTH_DES) 1180 return 0; 1181 } 1182 } 1183 1184 return nfserr_wrongsec; 1185 } 1186 1187 /** 1188 * check_nfsd_access - check if access to export is allowed. 1189 * @exp: svc_export that is being accessed. 1190 * @rqstp: svc_rqst attempting to access @exp. 1191 * @may_bypass_gss: reduce strictness of authorization check 1192 * 1193 * Return values: 1194 * %nfs_ok if access is granted, or 1195 * %nfserr_wrongsec if access is denied 1196 */ 1197 __be32 check_nfsd_access(struct svc_export *exp, struct svc_rqst *rqstp, 1198 bool may_bypass_gss) 1199 { 1200 __be32 status; 1201 1202 status = check_xprtsec_policy(exp, rqstp); 1203 if (status != nfs_ok) 1204 return status; 1205 return check_security_flavor(exp, rqstp, may_bypass_gss); 1206 } 1207 1208 /* 1209 * Uses rq_client and rq_gssclient to find an export; uses rq_client (an 1210 * auth_unix client) if it's available and has secinfo information; 1211 * otherwise, will try to use rq_gssclient. 1212 * 1213 * Called from functions that handle requests; functions that do work on 1214 * behalf of mountd are passed a single client name to use, and should 1215 * use exp_get_by_name() or exp_find(). 1216 */ 1217 struct svc_export * 1218 rqst_exp_get_by_name(struct svc_rqst *rqstp, const struct path *path) 1219 { 1220 struct svc_export *gssexp, *exp = ERR_PTR(-ENOENT); 1221 struct nfsd_net *nn = net_generic(SVC_NET(rqstp), nfsd_net_id); 1222 struct cache_detail *cd = nn->svc_export_cache; 1223 1224 if (rqstp->rq_client == NULL) 1225 goto gss; 1226 1227 /* First try the auth_unix client: */ 1228 exp = exp_get_by_name(cd, rqstp->rq_client, path, &rqstp->rq_chandle); 1229 if (PTR_ERR(exp) == -ENOENT) 1230 goto gss; 1231 if (IS_ERR(exp)) 1232 return exp; 1233 /* If it has secinfo, assume there are no gss/... clients */ 1234 if (exp->ex_nflavors > 0) 1235 return exp; 1236 gss: 1237 /* Otherwise, try falling back on gss client */ 1238 if (rqstp->rq_gssclient == NULL) 1239 return exp; 1240 gssexp = exp_get_by_name(cd, rqstp->rq_gssclient, path, &rqstp->rq_chandle); 1241 if (PTR_ERR(gssexp) == -ENOENT) 1242 return exp; 1243 if (!IS_ERR(exp)) 1244 exp_put(exp); 1245 return gssexp; 1246 } 1247 1248 /** 1249 * rqst_exp_find - Find an svc_export in the context of a rqst or similar 1250 * @reqp: The handle to be used to suspend the request if a cache-upcall is needed 1251 * If NULL, missing in-cache information will result in failure. 1252 * @net: The network namespace in which the request exists 1253 * @cl: default auth_domain to use for looking up the export 1254 * @gsscl: an alternate auth_domain defined using deprecated gss/krb5 format. 1255 * @fsid_type: The type of fsid to look for 1256 * @fsidv: The actual fsid to look up in the context of either client. 1257 * 1258 * Perform a lookup for @cl/@fsidv in the given @net for an export. If 1259 * none found and @gsscl specified, repeat the lookup. 1260 * 1261 * Returns an export, or an error pointer. 1262 */ 1263 struct svc_export * 1264 rqst_exp_find(struct cache_req *reqp, struct net *net, 1265 struct auth_domain *cl, struct auth_domain *gsscl, 1266 int fsid_type, u32 *fsidv) 1267 { 1268 struct nfsd_net *nn = net_generic(net, nfsd_net_id); 1269 struct svc_export *gssexp, *exp = ERR_PTR(-ENOENT); 1270 struct cache_detail *cd = nn->svc_export_cache; 1271 1272 if (!cl) 1273 goto gss; 1274 1275 /* First try the auth_unix client: */ 1276 exp = exp_find(cd, cl, fsid_type, fsidv, reqp); 1277 if (PTR_ERR(exp) == -ENOENT) 1278 goto gss; 1279 if (IS_ERR(exp)) 1280 return exp; 1281 /* If it has secinfo, assume there are no gss/... clients */ 1282 if (exp->ex_nflavors > 0) 1283 return exp; 1284 gss: 1285 /* Otherwise, try falling back on gss client */ 1286 if (!gsscl) 1287 return exp; 1288 gssexp = exp_find(cd, gsscl, fsid_type, fsidv, reqp); 1289 if (PTR_ERR(gssexp) == -ENOENT) 1290 return exp; 1291 if (!IS_ERR(exp)) 1292 exp_put(exp); 1293 return gssexp; 1294 } 1295 1296 struct svc_export * 1297 rqst_exp_parent(struct svc_rqst *rqstp, struct path *path) 1298 { 1299 struct dentry *saved = dget(path->dentry); 1300 struct svc_export *exp = rqst_exp_get_by_name(rqstp, path); 1301 1302 while (PTR_ERR(exp) == -ENOENT && !IS_ROOT(path->dentry)) { 1303 struct dentry *parent = dget_parent(path->dentry); 1304 dput(path->dentry); 1305 path->dentry = parent; 1306 exp = rqst_exp_get_by_name(rqstp, path); 1307 } 1308 dput(path->dentry); 1309 path->dentry = saved; 1310 return exp; 1311 } 1312 1313 struct svc_export *rqst_find_fsidzero_export(struct svc_rqst *rqstp) 1314 { 1315 u32 fsidv[2]; 1316 1317 mk_fsid(FSID_NUM, fsidv, 0, 0, 0, NULL); 1318 1319 return rqst_exp_find(&rqstp->rq_chandle, SVC_NET(rqstp), 1320 rqstp->rq_client, rqstp->rq_gssclient, 1321 FSID_NUM, fsidv); 1322 } 1323 1324 /* 1325 * Called when we need the filehandle for the root of the pseudofs, 1326 * for a given NFSv4 client. The root is defined to be the 1327 * export point with fsid==0 1328 */ 1329 __be32 1330 exp_pseudoroot(struct svc_rqst *rqstp, struct svc_fh *fhp) 1331 { 1332 struct svc_export *exp; 1333 __be32 rv; 1334 1335 exp = rqst_find_fsidzero_export(rqstp); 1336 if (IS_ERR(exp)) 1337 return nfserrno(PTR_ERR(exp)); 1338 rv = fh_compose(fhp, exp, exp->ex_path.dentry, NULL); 1339 exp_put(exp); 1340 return rv; 1341 } 1342 1343 static struct flags { 1344 int flag; 1345 char *name[2]; 1346 } expflags[] = { 1347 { NFSEXP_READONLY, {"ro", "rw"}}, 1348 { NFSEXP_INSECURE_PORT, {"insecure", ""}}, 1349 { NFSEXP_ROOTSQUASH, {"root_squash", "no_root_squash"}}, 1350 { NFSEXP_ALLSQUASH, {"all_squash", ""}}, 1351 { NFSEXP_ASYNC, {"async", "sync"}}, 1352 { NFSEXP_GATHERED_WRITES, {"wdelay", "no_wdelay"}}, 1353 { NFSEXP_NOREADDIRPLUS, {"nordirplus", ""}}, 1354 { NFSEXP_NOHIDE, {"nohide", ""}}, 1355 { NFSEXP_CROSSMOUNT, {"crossmnt", ""}}, 1356 { NFSEXP_NOSUBTREECHECK, {"no_subtree_check", ""}}, 1357 { NFSEXP_NOAUTHNLM, {"insecure_locks", ""}}, 1358 { NFSEXP_V4ROOT, {"v4root", ""}}, 1359 { NFSEXP_PNFS, {"pnfs", ""}}, 1360 { NFSEXP_SECURITY_LABEL, {"security_label", ""}}, 1361 { 0, {"", ""}} 1362 }; 1363 1364 static void show_expflags(struct seq_file *m, int flags, int mask) 1365 { 1366 struct flags *flg; 1367 int state, first = 0; 1368 1369 for (flg = expflags; flg->flag; flg++) { 1370 if (flg->flag & ~mask) 1371 continue; 1372 state = (flg->flag & flags) ? 0 : 1; 1373 if (*flg->name[state]) 1374 seq_printf(m, "%s%s", first++?",":"", flg->name[state]); 1375 } 1376 } 1377 1378 static void show_secinfo_flags(struct seq_file *m, int flags) 1379 { 1380 seq_printf(m, ","); 1381 show_expflags(m, flags, NFSEXP_SECINFO_FLAGS); 1382 } 1383 1384 static bool secinfo_flags_equal(int f, int g) 1385 { 1386 f &= NFSEXP_SECINFO_FLAGS; 1387 g &= NFSEXP_SECINFO_FLAGS; 1388 return f == g; 1389 } 1390 1391 static int show_secinfo_run(struct seq_file *m, struct exp_flavor_info **fp, struct exp_flavor_info *end) 1392 { 1393 int flags; 1394 1395 flags = (*fp)->flags; 1396 seq_printf(m, ",sec=%d", (*fp)->pseudoflavor); 1397 (*fp)++; 1398 while (*fp != end && secinfo_flags_equal(flags, (*fp)->flags)) { 1399 seq_printf(m, ":%d", (*fp)->pseudoflavor); 1400 (*fp)++; 1401 } 1402 return flags; 1403 } 1404 1405 static void show_secinfo(struct seq_file *m, struct svc_export *exp) 1406 { 1407 struct exp_flavor_info *f; 1408 struct exp_flavor_info *end = exp->ex_flavors + exp->ex_nflavors; 1409 int flags; 1410 1411 if (exp->ex_nflavors == 0) 1412 return; 1413 f = exp->ex_flavors; 1414 flags = show_secinfo_run(m, &f, end); 1415 if (!secinfo_flags_equal(flags, exp->ex_flags)) 1416 show_secinfo_flags(m, flags); 1417 while (f != end) { 1418 flags = show_secinfo_run(m, &f, end); 1419 show_secinfo_flags(m, flags); 1420 } 1421 } 1422 1423 static void exp_flags(struct seq_file *m, int flag, int fsid, 1424 kuid_t anonu, kgid_t anong, struct nfsd4_fs_locations *fsloc) 1425 { 1426 struct user_namespace *userns = m->file->f_cred->user_ns; 1427 1428 show_expflags(m, flag, NFSEXP_ALLFLAGS); 1429 if (flag & NFSEXP_FSID) 1430 seq_printf(m, ",fsid=%d", fsid); 1431 if (!uid_eq(anonu, make_kuid(userns, (uid_t)-2)) && 1432 !uid_eq(anonu, make_kuid(userns, 0x10000-2))) 1433 seq_printf(m, ",anonuid=%u", from_kuid_munged(userns, anonu)); 1434 if (!gid_eq(anong, make_kgid(userns, (gid_t)-2)) && 1435 !gid_eq(anong, make_kgid(userns, 0x10000-2))) 1436 seq_printf(m, ",anongid=%u", from_kgid_munged(userns, anong)); 1437 if (fsloc && fsloc->locations_count > 0) { 1438 char *loctype = (fsloc->migrated) ? "refer" : "replicas"; 1439 int i; 1440 1441 seq_printf(m, ",%s=", loctype); 1442 seq_escape(m, fsloc->locations[0].path, ",;@ \t\n\\"); 1443 seq_putc(m, '@'); 1444 seq_escape(m, fsloc->locations[0].hosts, ",;@ \t\n\\"); 1445 for (i = 1; i < fsloc->locations_count; i++) { 1446 seq_putc(m, ';'); 1447 seq_escape(m, fsloc->locations[i].path, ",;@ \t\n\\"); 1448 seq_putc(m, '@'); 1449 seq_escape(m, fsloc->locations[i].hosts, ",;@ \t\n\\"); 1450 } 1451 } 1452 } 1453 1454 static int e_show(struct seq_file *m, void *p) 1455 { 1456 struct cache_head *cp = p; 1457 struct svc_export *exp = container_of(cp, struct svc_export, h); 1458 struct cache_detail *cd = m->private; 1459 bool export_stats = is_export_stats_file(m); 1460 1461 if (p == SEQ_START_TOKEN) { 1462 seq_puts(m, "# Version 1.1\n"); 1463 if (export_stats) 1464 seq_puts(m, "# Path Client Start-time\n#\tStats\n"); 1465 else 1466 seq_puts(m, "# Path Client(Flags) # IPs\n"); 1467 return 0; 1468 } 1469 1470 if (cache_check_rcu(cd, &exp->h, NULL)) 1471 return 0; 1472 1473 return svc_export_show(m, cd, cp); 1474 } 1475 1476 const struct seq_operations nfs_exports_op = { 1477 .start = cache_seq_start_rcu, 1478 .next = cache_seq_next_rcu, 1479 .stop = cache_seq_stop_rcu, 1480 .show = e_show, 1481 }; 1482 1483 /* 1484 * Initialize the exports module. 1485 */ 1486 int 1487 nfsd_export_init(struct net *net) 1488 { 1489 int rv; 1490 struct nfsd_net *nn = net_generic(net, nfsd_net_id); 1491 1492 dprintk("nfsd: initializing export module (net: %x).\n", net->ns.inum); 1493 1494 nn->svc_export_cache = cache_create_net(&svc_export_cache_template, net); 1495 if (IS_ERR(nn->svc_export_cache)) 1496 return PTR_ERR(nn->svc_export_cache); 1497 rv = cache_register_net(nn->svc_export_cache, net); 1498 if (rv) 1499 goto destroy_export_cache; 1500 1501 nn->svc_expkey_cache = cache_create_net(&svc_expkey_cache_template, net); 1502 if (IS_ERR(nn->svc_expkey_cache)) { 1503 rv = PTR_ERR(nn->svc_expkey_cache); 1504 goto unregister_export_cache; 1505 } 1506 rv = cache_register_net(nn->svc_expkey_cache, net); 1507 if (rv) 1508 goto destroy_expkey_cache; 1509 return 0; 1510 1511 destroy_expkey_cache: 1512 cache_destroy_net(nn->svc_expkey_cache, net); 1513 unregister_export_cache: 1514 cache_unregister_net(nn->svc_export_cache, net); 1515 destroy_export_cache: 1516 cache_destroy_net(nn->svc_export_cache, net); 1517 return rv; 1518 } 1519 1520 /* 1521 * Flush exports table - called when last nfsd thread is killed 1522 */ 1523 void 1524 nfsd_export_flush(struct net *net) 1525 { 1526 struct nfsd_net *nn = net_generic(net, nfsd_net_id); 1527 1528 cache_purge(nn->svc_expkey_cache); 1529 cache_purge(nn->svc_export_cache); 1530 } 1531 1532 /* 1533 * Shutdown the exports module. 1534 */ 1535 void 1536 nfsd_export_shutdown(struct net *net) 1537 { 1538 struct nfsd_net *nn = net_generic(net, nfsd_net_id); 1539 1540 dprintk("nfsd: shutting down export module (net: %x).\n", net->ns.inum); 1541 1542 cache_unregister_net(nn->svc_expkey_cache, net); 1543 cache_unregister_net(nn->svc_export_cache, net); 1544 cache_destroy_net(nn->svc_expkey_cache, net); 1545 cache_destroy_net(nn->svc_export_cache, net); 1546 svcauth_unix_purge(net); 1547 1548 dprintk("nfsd: export shutdown complete (net: %x).\n", net->ns.inum); 1549 } 1550