User and group names are mapped to IDs using the kernel keyring infrastructure.
When a name does not exist, it is mapped to the nobody user or group; there is
no way to tell the difference from the mapping result.

In ACLs, we need to make that distinction.  For that, use the new "xuid" and
"xgid" maps: they behave like the old "uid" and "gid" maps except that the IDs
of existing users and groups are prefixed by a "+" sign.

When the "xuid" or "xgid" maps are not supported, nfs falls back to the "uid"
and "gid" maps.

Signed-off-by: Andreas Gruenbacher <agrue...@redhat.com>
---
 fs/nfs/nfs4idmap.c        | 57 ++++++++++++++++++++++++++++++++++++++---------
 fs/nfs/nfs4xdr.c          |  6 +++--
 include/linux/nfs_fs_sb.h |  1 +
 3 files changed, 52 insertions(+), 12 deletions(-)

diff --git a/fs/nfs/nfs4idmap.c b/fs/nfs/nfs4idmap.c
index 2e49022..34dd404 100644
--- a/fs/nfs/nfs4idmap.c
+++ b/fs/nfs/nfs4idmap.c
@@ -100,10 +100,12 @@ static bool nfs_fattr_map_owner_name(struct nfs_server 
*server, struct nfs_fattr
 {
        struct nfs4_string *owner = fattr->owner_name;
        kuid_t uid;
+       int ret;
 
        if (!(fattr->valid & NFS_ATTR_FATTR_OWNER_NAME))
                return false;
-       if (nfs_map_name_to_uid(server, owner->data, owner->len, &uid) == 0) {
+       ret = nfs_map_name_to_uid(server, owner->data, owner->len, &uid);
+       if (ret == 0 || ret == -ENOENT) {
                fattr->uid = uid;
                fattr->valid |= NFS_ATTR_FATTR_OWNER;
        }
@@ -114,10 +116,12 @@ static bool nfs_fattr_map_group_name(struct nfs_server 
*server, struct nfs_fattr
 {
        struct nfs4_string *group = fattr->group_name;
        kgid_t gid;
+       int ret;
 
        if (!(fattr->valid & NFS_ATTR_FATTR_GROUP_NAME))
                return false;
-       if (nfs_map_group_to_gid(server, group->data, group->len, &gid) == 0) {
+       ret = nfs_map_group_to_gid(server, group->data, group->len, &gid);
+       if (ret == 0 || ret == -ENOENT) {
                fattr->gid = gid;
                fattr->valid |= NFS_ATTR_FATTR_GROUP;
        }
@@ -351,20 +355,23 @@ static ssize_t nfs_idmap_lookup_name(__u32 id, const char 
*type, char *buf,
 }
 
 /* Name -> ID */
+/* Returns -ENOENT for unknown names (with @id set to the nobody id). */
 static int nfs_idmap_lookup_id(const char *name, size_t namelen, const char 
*type,
                               __u32 *id, struct idmap *idmap)
 {
-       char id_str[NFS_UINT_MAXLEN];
+       char id_str[NFS_UINT_MAXLEN + 1];
        long id_long;
        ssize_t data_size;
        int ret = 0;
 
-       data_size = nfs_idmap_get_key(name, namelen, type, id_str, 
NFS_UINT_MAXLEN, idmap);
+       data_size = nfs_idmap_get_key(name, namelen, type, id_str, 
sizeof(id_str), idmap);
        if (data_size <= 0) {
                ret = -EINVAL;
        } else {
                ret = kstrtol(id_str, 10, &id_long);
                *id = (__u32)id_long;
+               if (!ret && *id_str != '+')
+                       ret = -ENOENT;
        }
        return ret;
 }
@@ -719,9 +726,24 @@ int nfs_map_name_to_uid(const struct nfs_server *server, 
const char *name, size_
        __u32 id = -1;
        int ret = 0;
 
-       if (!nfs_map_string_to_numeric(name, namelen, &id))
-               ret = nfs_idmap_lookup_id(name, namelen, "uid", &id, idmap);
-       if (ret == 0) {
+       if (!nfs_map_string_to_numeric(name, namelen, &id)) {
+               struct nfs_client *client = server->nfs_client;
+               const char *type;
+
+               for(;;) {
+                       type = "xuid";
+                       if (test_bit(NFS_CS_NOXUID, &client->cl_flags))
+                               type = "uid";
+
+                       ret = nfs_idmap_lookup_id(name, namelen, type, &id, 
idmap);
+                       if (ret != -EINVAL || test_bit(NFS_CS_NOXUID, 
&client->cl_flags))
+                               break;
+                       printk(KERN_NOTICE "NFS: Falling back from nfsidmap "
+                              "xuid/xgid to uid/gid\n");
+                       set_bit(NFS_CS_NOXUID, &client->cl_flags);
+               }
+       }
+       if (ret == 0 || ret == -ENOENT) {
                *uid = make_kuid(&init_user_ns, id);
                if (!uid_valid(*uid))
                        ret = -ERANGE;
@@ -736,9 +758,24 @@ int nfs_map_group_to_gid(const struct nfs_server *server, 
const char *name, size
        __u32 id = -1;
        int ret = 0;
 
-       if (!nfs_map_string_to_numeric(name, namelen, &id))
-               ret = nfs_idmap_lookup_id(name, namelen, "gid", &id, idmap);
-       if (ret == 0) {
+       if (!nfs_map_string_to_numeric(name, namelen, &id)) {
+               struct nfs_client *client = server->nfs_client;
+               const char *type;
+
+               for(;;) {
+                       type = "xgid";
+                       if (test_bit(NFS_CS_NOXUID, &client->cl_flags))
+                               type = "gid";
+
+                       ret = nfs_idmap_lookup_id(name, namelen, type, &id, 
idmap);
+                       if (ret != -EINVAL || test_bit(NFS_CS_NOXUID, 
&client->cl_flags))
+                               break;
+                       printk(KERN_NOTICE "NFS: Falling back from nfsidmap "
+                              "xuid/xgid to uid/gid\n");
+                       set_bit(NFS_CS_NOXUID, &client->cl_flags);
+               }
+       }
+       if (ret == 0 || ret == -ENOENT) {
                *gid = make_kgid(&init_user_ns, id);
                if (!gid_valid(*gid))
                        ret = -ERANGE;
diff --git a/fs/nfs/nfs4xdr.c b/fs/nfs/nfs4xdr.c
index eefed15..adeb894 100644
--- a/fs/nfs/nfs4xdr.c
+++ b/fs/nfs/nfs4xdr.c
@@ -3875,7 +3875,8 @@ static int decode_attr_owner(struct xdr_stream *xdr, 
uint32_t *bitmap,
                                ret = NFS_ATTR_FATTR_OWNER_NAME;
                        }
                } else if (len < XDR_MAX_NETOBJ) {
-                       if (nfs_map_name_to_uid(server, (char *)p, len, uid) == 
0)
+                       ret = nfs_map_name_to_uid(server, (char *)p, len, uid);
+                       if (ret == 0 || ret == -ENOENT)
                                ret = NFS_ATTR_FATTR_OWNER;
                        else
                                dprintk("%s: nfs_map_name_to_uid failed!\n",
@@ -3918,7 +3919,8 @@ static int decode_attr_group(struct xdr_stream *xdr, 
uint32_t *bitmap,
                                ret = NFS_ATTR_FATTR_GROUP_NAME;
                        }
                } else if (len < XDR_MAX_NETOBJ) {
-                       if (nfs_map_group_to_gid(server, (char *)p, len, gid) 
== 0)
+                       ret = nfs_map_group_to_gid(server, (char *)p, len, gid);
+                       if (ret == 0 || ret == -ENOENT)
                                ret = NFS_ATTR_FATTR_GROUP;
                        else
                                dprintk("%s: nfs_map_group_to_gid failed!\n",
diff --git a/include/linux/nfs_fs_sb.h b/include/linux/nfs_fs_sb.h
index 570a7df..c7d42b7 100644
--- a/include/linux/nfs_fs_sb.h
+++ b/include/linux/nfs_fs_sb.h
@@ -36,6 +36,7 @@ struct nfs_client {
 #define NFS_CS_RENEWD          3               /* - renewd started */
 #define NFS_CS_STOP_RENEW      4               /* no more state to renew */
 #define NFS_CS_CHECK_LEASE_TIME        5               /* need to check lease 
time */
+#define NFS_CS_NOXUID          6               /* don't use idmap xuid / xgid 
*/
        unsigned long           cl_flags;       /* behavior switches */
 #define NFS_CS_NORESVPORT      0               /* - use ephemeral src port */
 #define NFS_CS_DISCRTRY                1               /* - disconnect on RPC 
retry */
-- 
2.5.0

--
To unsubscribe from this list: send the line "unsubscribe linux-api" in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Reply via email to