gNFS: mnt3_find_export() by pass AUTH check

NFS subdir mount does not respect nfs.rpc-auth-reject option in the volume. If the volume is being mounted, then it would validate the AUTH by mnt3_check_client_net() but if the client is mounting a subdir, the control takes a different code path i.e. mnt3_find_export() which does not bother about the AUTH. FIX: Enforce the AUTH check in mnt3_parse_dir_exports() which is invoked by mnt3_find_export() for subdir mount. Change-Id: I6fdd3e6bd6cbd32b0d9ca620cc4c30fdaff9ca30 BUG: 1049225 Signed-off-by: Santosh Kumar Pradhan <spradhan@redhat.com> Reviewed-on: http://review.gluster.org/6655 Reviewed-by: Niels de Vos <ndevos@redhat.com> Tested-by: Gluster Build System <jenkins@build.gluster.com> Reviewed-by: Vijay Bellur <vbellur@redhat.com>
2014-01-07 14:22:03 +05:30 · 2014-01-07 14:22:03 +05:30 · a1e26be05c
commit a1e26be05c
parent 1e4f2d08f1
2 changed files with 43 additions and 16 deletions
--- a/tests/bugs/bug-921072.t
+++ b/tests/bugs/bug-921072.t
@ -89,12 +89,13 @@ TEST $CLI volume set $V0 nfs.rpc-auth-allow 127.0.0.1
 EXPECT_WITHIN 20 1 is_nfs_export_available

 TEST mount -t nfs -o vers=3,nolock,soft,intr localhost:/$V0 $N0
+TEST mkdir -p $N0/subdir
 TEST umount $N0

 # case 10: allow a non-localhost ip
 TEST $CLI volume set $V0 nfs.rpc-auth-allow 192.168.1.1
 EXPECT_WITHIN 20 1 is_nfs_export_available
-#40
+#41
 TEST ! mount -t nfs -o vers=3,nolock,soft,intr localhost:/$V0 $N0

 # case 11: reject only localhost ip
@ -104,6 +105,7 @@ TEST $CLI volume set $V0 nfs.rpc-auth-reject 127.0.0.1
 EXPECT_WITHIN 20 1 is_nfs_export_available

 TEST ! mount -t nfs -o vers=3,nolock,soft,intr localhost:/$V0 $N0
+TEST ! mount -t nfs -o vers=3,nolock,soft,intr localhost:/$V0/subdir $N0

 # case 12: reject only non-localhost ip
 TEST $CLI volume set $V0 nfs.rpc-auth-reject 192.168.1.1
@ -112,7 +114,10 @@ EXPECT_WITHIN 20 1 is_nfs_export_available
 TEST mount -t nfs -o vers=3,nolock,soft,intr localhost:/$V0 $N0
 TEST umount $N0

+TEST mount -t nfs -o vers=3,nolock,soft,intr localhost:/$V0/subdir $N0
+TEST umount $N0
+
 TEST $CLI volume stop --mode=script $V0
-#49
+#52
 TEST $CLI volume delete --mode=script $V0
 cleanup
--- a/xlators/nfs/server/src/mount3.c
+++ b/xlators/nfs/server/src/mount3.c
@ -1318,7 +1318,8 @@ mnt3_parse_dir_exports (rpcsvc_request_t *req, struct mount3_state *ms,
        char                    volname[1024];
        struct mnt3_export      *exp = NULL;
        char                    *volname_ptr = NULL;
-        int                     ret = -1;
+        int                     ret = -ENOENT;
+        struct nfs_state        *nfs = NULL;

        if ((!ms) || (!subdir))
                return -1;
@ -1332,10 +1333,26 @@ mnt3_parse_dir_exports (rpcsvc_request_t *req, struct mount3_state *ms,
        if (!exp)
                goto err;

+        nfs = (struct nfs_state *)ms->nfsx->private;
+        if (!nfs)
+                goto err;
+
+        if (!nfs_subvolume_started (nfs, exp->vol)) {
+                gf_log (GF_MNT, GF_LOG_DEBUG,
+                        "Volume %s not started", exp->vol->name);
+                goto err;
+        }
+
+        if (mnt3_check_client_net (ms, req, exp->vol) == RPCSVC_AUTH_REJECT) {
+                gf_log (GF_MNT, GF_LOG_DEBUG, "Client mount not allowed");
+                ret = -EACCES;
+                goto err;
+        }
+
        ret = mnt3_resolve_subdir (req, ms, exp, subdir);
        if (ret < 0) {
-                gf_log (GF_MNT, GF_LOG_ERROR, "Failed to resolve export dir: %s"
-                        , subdir);
+                gf_log (GF_MNT, GF_LOG_ERROR,
+                        "Failed to resolve export dir: %s", subdir);
                goto err;
        }

@ -1375,10 +1392,6 @@ mnt3_find_export (rpcsvc_request_t *req, char *path, struct mnt3_export **e)
        }

        ret = mnt3_parse_dir_exports (req, ms, path);
-        if (ret == 0) {
-                ret = -2;
-                goto err;
-        }

 err:
        return ret;
@ -1416,17 +1429,26 @@ mnt3svc_mnt (rpcsvc_request_t *req)
                goto rpcerr;
        }

-        ret = 0;
        nfs = (struct nfs_state *)ms->nfsx->private;
        gf_log (GF_MNT, GF_LOG_DEBUG, "dirpath: %s", path);
        ret = mnt3_find_export (req, path, &exp);
-        if (ret == -2) {
-                ret = 0;
-                goto rpcerr;
-        } else if (ret < 0) {
-                ret = -1;
-                mntstat = MNT3ERR_NOENT;
+        if (ret < 0) {
+                mntstat = mnt3svc_errno_to_mnterr (-ret);
                goto mnterr;
+        } else if (!exp) {
+                /*
+                 * SPECIAL CASE: exp is NULL if "path" is subdir in
+                 * call to mnt3_find_export().
+                 *
+                 * This is subdir mount, we are already DONE!
+                 * nfs_subvolume_started() and mnt3_check_client_net()
+                 * validation are done in mnt3_parse_dir_exports()
+                 * which is invoked through mnt3_find_export().
+                 *
+                 * TODO: All mount should happen thorugh mnt3svc_mount()
+                 *       It needs more clean up.
+                 */
+                return (0);
        }

        if (!nfs_subvolume_started (nfs, exp->vol)) {