Re: [PATCH] nfsd: decouple the xprtsec policy check from check_nfsd_access()

On Fri, 01 Aug 2025, Scott Mayhew wrote:
> A while back I had reported that an NFSv3 client could successfully
> mount using '-o xprtsec=none' an export that had been exported with
> 'xprtsec=tls:mtls'.  By "successfully" I mean that the mount command
> would succeed and the mount would show up in /proc/mounts.  Attempting
> to do anything further with the mount would be met with NFS3ERR_ACCES.
> 
> This was fixed (albeit accidentally) by bb4f07f2409c ("nfsd: Fix
> NFSD_MAY_BYPASS_GSS and NFSD_MAY_BYPASS_GSS_ON_ROOT") and was
> subsequently re-broken by 0813c5f01249 ("nfsd: fix access checking for
> NLM under XPRTSEC policies").
> 
> Transport Layer Security isn't an RPC security flavor or pseudo-flavor,
> so they shouldn't be conflated when determining whether the access
> checks can be bypassed.

Clearly delineating the two makes a lot of sense - thanks for doing this.

> 
> Signed-off-by: Scott Mayhew <smayhew@xxxxxxxxxx>
> ---
>  fs/nfsd/export.c   | 60 ++++++++++++++++++++++++++++++++++++----------
>  fs/nfsd/export.h   |  1 +
>  fs/nfsd/nfs4proc.c |  6 ++++-
>  fs/nfsd/nfs4xdr.c  |  3 +++
>  fs/nfsd/nfsfh.c    |  8 +++++++
>  fs/nfsd/vfs.c      |  3 +++
>  6 files changed, 67 insertions(+), 14 deletions(-)
> 
> diff --git a/fs/nfsd/export.c b/fs/nfsd/export.c
> index cadfc2bae60e..bc54b01bb516 100644
> --- a/fs/nfsd/export.c
> +++ b/fs/nfsd/export.c
> @@ -1082,19 +1082,27 @@ static struct svc_export *exp_find(struct cache_detail *cd,
>  }
>  
>  /**
> - * check_nfsd_access - check if access to export is allowed.
> + * check_xprtsec_policy - check if access to export is permitted by the
> + * 			  xprtsec policy
>   * @exp: svc_export that is being accessed.
>   * @rqstp: svc_rqst attempting to access @exp (will be NULL for LOCALIO).
> - * @may_bypass_gss: reduce strictness of authorization check
> + *
> + * This logic should not be combined with check_nfsd_access, as the rules
> + * for bypassing GSS are not the same as for bypassing the xprtsec policy
> + * check:
> + * 	- NFSv3 FSINFO and GETATTR can bypass the GSS for the root dentry,
> + * 	  but that doesn't mean they can bypass the xprtsec poolicy check
> + * 	- NLM can bypass the GSS check on exports exported with the
> + * 	  NFSEXP_NOAUTHNLM flag
> + * 	- NLM can always bypass the xprtsec policy check since TLS isn't
> + * 	  implemented for the sidecar protocols
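
Review bot: The new kernel-doc for check_xprtsec_policy() notes that @rqstp "will be NULL for LOCALIO" but the bullet list only covers NFSv3 FSINFO/GETATTR and NLM, so it never says how the xprtsec policy treats the NULL (LOCALIO) case; a bullet stating that explicitly would complete the list of bypass rules. Two of the three bullets describe GSS bypass rather than this function's own behaviour, so it may read more clearly to keep only the xprtsec rules here and leave the GSS rules in the check_nfsd_access() comment. There is also a typo in the first bullet: "xprtsec poolicy check" should be "xprtsec policy check".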

Despite this detailed difference, of the 4 times that
check_xprtsec_policy() and check_nfsd_access() are called, three times
they are simply called one after the other and the other time you got
the logic wrong :-) (as you subsequently noted).

So I wonder if, having pulled them apart, they could be recombined to
maintain the simplicity but add clarity.
It would be good if the code made it abundantly clear how and why that
fourth case (in __fh_verify) is different from the other three.

Looking forward to v2
Thanks,
NeilBrown




