On 07/05/2025 11:09, Christoph Hellwig wrote:
Create a kernel .nfs keyring similar to the nvme .nvme one. Unlike for
a userspace-created keyring, tlshd is a possessor of the keys with this
and thus the keys don't need user read permissions.
Signed-off-by: Christoph Hellwig <hch@xxxxxx>
---
fs/nfs/inode.c | 15 +++++++++++++++
1 file changed, 15 insertions(+)
diff --git a/fs/nfs/inode.c b/fs/nfs/inode.c
index 119e447758b9..fb1fe1bdfe92 100644
--- a/fs/nfs/inode.c
+++ b/fs/nfs/inode.c
@@ -2571,6 +2571,8 @@ static struct pernet_operations nfs_net_ops = {
.size = sizeof(struct nfs_net),
};
+static struct key *nfs_keyring;
+
/*
* Initialize NFS
*/
@@ -2578,6 +2580,17 @@ static int __init init_nfs_fs(void)
{
int err;
+ if (IS_ENABLED(CONFIG_NFS_V4)) {
xprtsec is sunrpc, meaning it is also supported with nfsv3.
+ nfs_keyring = keyring_alloc(".nfs",
+ GLOBAL_ROOT_UID, GLOBAL_ROOT_GID,
+ current_cred(),
+ (KEY_POS_ALL & ~KEY_POS_SETATTR) |
+ (KEY_USR_ALL & ~KEY_USR_SETATTR),
+ KEY_ALLOC_NOT_IN_QUOTA, NULL, NULL);
+ if (IS_ERR(nfs_keyring))
+ return PTR_ERR(nfs_keyring);
+ }
+
err = nfs_sysfs_init();
if (err < 0)
goto out10;
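Review bot: The keyring allocated at the top of init_nfs_fs() does not appear to be released when a later init step fails. The visible `goto out10` after nfs_sysfs_init() leads to unwind labels outside this hunk, and nothing here adds a matching put, so a failed module init would probably leave the `.nfs` keyring allocated. Either add `key_put(nfs_keyring);` at the last unwind label or move the allocation after the steps that can fail. The permission mask would also benefit from a short comment, for example `/* possessor and root get everything except setattr; keys are reached by possession, not user read */`, so the access policy is reviewable without reading the commit log.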
@@ -2653,6 +2666,8 @@ static void __exit exit_nfs_fs(void)
nfs_fs_proc_exit();
nfsiod_stop();
nfs_sysfs_exit();
+ if (IS_ENABLED(CONFIG_NFS_V4))
+ key_put(nfs_keyring);
Same comment
}
/* Not quite true; I just maintain it */
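Review bot: In exit_nfs_fs(), `key_put(nfs_keyring)` only drops the module's own reference, so the keyring stays usable if anything else still holds a link to it. The mask passed to keyring_alloc() leaves the link bits set for both possessor and user, which makes such a link possible. Consider revoking before the put, `key_revoke(nfs_keyring);` followed by `key_put(nfs_keyring);`, which I believe is how the .nvme keyring is torn down; worth confirming against that code. exit_nfs_fs() begins outside this hunk.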