cifs-utils/allow-dns-resolver-key-to-expire.patch

269 lines
9.1 KiB
Diff
Raw Normal View History

From paulo@paulo.ac Wed Feb 13 18:09:41 2019
Return-path: <linux-cifs-owner@vger.kernel.org>
Received: from prv1-mx.provo.novell.com (novprvlin0515.provo.novell.com [130.57.1.105])
by prv-mh.provo.novell.com with ESMTP (NOT encrypted); Wed, 13 Feb 2019 11:09:56 -0700
Received: from vger.kernel.org (209.132.180.67) by prv1-mx.provo.novell.com (130.57.1.11) GWAVA SMTP; Wed, 13 Feb 2019 11:09:57 -0700
X-Spam_ID: str=0001.0A020211.5C645D75.005D,ss=1,re=0.000,recu=0.000,reip=0.000,cl=1,cld=1,fgs=0
X-GWAVADAT: <keymat><rkey>zFPcY7v2brlPt6Q2</rkey><gkey>e5327cab1501d80247f45f4235d8ab62d9cebc212966054348ffdffbdcecc4b3</gkey><objectid>17boib3.17boib3.v6</objectid></keymat>
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
id S1729522AbfBMSJ4 (ORCPT <rfc822;dmulder@suse.com> + 3 others);
Wed, 13 Feb 2019 13:09:56 -0500
Received: from mail.paulo.ac ([18.228.144.36]:36484 "EHLO mail.paulo.ac"
rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
id S1727937AbfBMSJz (ORCPT <rfc822;linux-cifs@vger.kernel.org>);
Wed, 13 Feb 2019 13:09:55 -0500
Received: from localhost (localhost [127.0.0.1])
by mail.paulo.ac (Postfix) with ESMTP id 908B04823B16;
Wed, 13 Feb 2019 18:09:52 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=paulo.ac; s=default;
t=1550081392; bh=NPHMWzhC+dOx1uqYM9k6+umJOPTfdQQb4DDuwxCPykY=;
h=From:To:Cc:Subject:Date;
b=T/4Gj7VIMqZKmdsNgp0GA1d/4g7rZD8wHngdPprFv5GJ3kwcM0HAiFs9IY7sqln2m
+zAQ9B5qbEoeJif9o/LeR7ED+kqAZyn+uGitgiE7DcMJ5wzvGIDZyl/KAGQn/35Auf
BNdDIwgVMyv0Iba6DiPlLSIXP9QBxBlXHGDD90fE=
Received: from mail.paulo.ac ([127.0.0.1])
by localhost (ip-172-31-5-70.sa-east-1.compute.internal [127.0.0.1]) (amavisd-new, port 10024)
with ESMTP id ztemnOMlOHdf; Wed, 13 Feb 2019 18:09:51 +0000 (UTC)
Received: from localhost.localdomain (unknown [186.215.53.127])
(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
(No client certificate requested)
by mail.paulo.ac (Postfix) with ESMTPSA id CAFF84822E3F;
Wed, 13 Feb 2019 18:09:50 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=paulo.ac; s=default;
t=1550081391; bh=NPHMWzhC+dOx1uqYM9k6+umJOPTfdQQb4DDuwxCPykY=;
h=From:To:Cc:Subject:Date;
b=iyVAaOItT0Qa5SuPc9LRAoN1qb8VHw5hZNzhOF6NOB178UgZYt2Tt9pzR9/0UbhUF
GeJP0gK64HWvGmbDz8zRhrVgnZpGgAXfaPa20AuGm3WlrtZpb3Z2s/krSAI2I1tQfx
82wY8IeZOD9F+709ZZlwlkGHMWiDLaiRH7xTJWIU=
From: Paulo Alcantara <paulo@paulo.ac>
To: linux-cifs@vger.kernel.org
Cc: smfrench@gmail.com, aaptel@suse.com, piastryyy@gmail.com,
Paulo Alcantara <paulo@paulo.ac>,
Paulo Alcantara <palcantara@suse.de>
Subject: [PATCH] cifs: Allow DNS resolver key to expire
Date: Wed, 13 Feb 2019 16:09:41 -0200
Message-Id: <20190213180941.2587-1-paulo@paulo.ac>
X-Mailer: git-send-email 2.20.1
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Sender: linux-cifs-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-cifs.vger.kernel.org>
X-Mailing-List: linux-cifs@vger.kernel.org
This patch introduces a new '--expire' option that allows the user to
set a timeout value for the dns resolver key -- which is typically
useful for hostnames that may get their ip addresses changed under
long running mounts.
The default timeout value is set to 10 minutes.
Signed-off-by: Paulo Alcantara <palcantara@suse.de>
---
cifs.upcall.c | 88 +++++++++++++++++++++++++++++++++-------------
cifs.upcall.rst.in | 5 ++-
2 files changed, 67 insertions(+), 26 deletions(-)
diff --git a/cifs.upcall.c b/cifs.upcall.c
index 89563fd42adc..c92ee62f6764 100644
--- a/cifs.upcall.c
+++ b/cifs.upcall.c
@@ -63,6 +63,8 @@
static krb5_context context;
static const char *prog = "cifs.upcall";
+#define DNS_RESOLVER_DEFAULT_TIMEOUT 600 /* 10 minutes */
+
typedef enum _sectype {
NONE = 0,
KRB5,
@@ -749,19 +751,48 @@ decode_key_description(const char *desc, struct decoded_args *arg)
return retval;
}
-static int cifs_resolver(const key_serial_t key, const char *key_descr)
+static int setup_key(const key_serial_t key, const void *data, size_t datalen)
+{
+ int rc;
+
+ rc = keyctl_instantiate(key, data, datalen, 0);
+ if (rc) {
+ switch (errno) {
+ case ENOMEM:
+ case EDQUOT:
+ rc = keyctl_clear(key);
+ if (rc) {
+ syslog(LOG_ERR, "%s: keyctl_clear: %s",
+ __func__, strerror(errno));
+ return rc;
+ }
+ rc = keyctl_instantiate(key, data, datalen, 0);
+ break;
+ default:
+ ;
+ }
+ }
+ if (rc) {
+ syslog(LOG_ERR, "%s: keyctl_instantiate: %s",
+ __func__, strerror(errno));
+ }
+ return rc;
+}
+
+static int cifs_resolver(const key_serial_t key, const char *key_descr,
+ const char *key_buf, unsigned expire_time)
{
int c;
struct addrinfo *addr;
char ip[INET6_ADDRSTRLEN];
void *p;
- const char *keyend = key_descr;
+ const char *keyend = key_buf;
/* skip next 4 ';' delimiters to get to description */
for (c = 1; c <= 4; c++) {
keyend = index(keyend + 1, ';');
if (!keyend) {
syslog(LOG_ERR, "invalid key description: %s",
- key_descr);
+ key_buf);
return 1;
}
}
@@ -787,15 +818,21 @@ static int cifs_resolver(const key_serial_t key, const char *key_descr)
return 1;
}
- /* setup key */
- c = keyctl_instantiate(key, ip, strlen(ip) + 1, 0);
- if (c == -1) {
- syslog(LOG_ERR, "%s: keyctl_instantiate: %s", __func__,
- strerror(errno));
- freeaddrinfo(addr);
- return 1;
- }
+ /* needed for keyctl_set_timeout() */
+ request_key("keyring", key_descr, NULL, KEY_SPEC_THREAD_KEYRING);
+ c = setup_key(key, ip, strlen(ip) + 1);
+ if (c) {
+ freeaddrinfo(addr);
+ return 1;
+ }
+ c = keyctl_set_timeout(key, expire_time);
+ if (c) {
+ syslog(LOG_ERR, "%s: keyctl_set_timeout: %s", __func__,
+ strerror(errno));
+ freeaddrinfo(addr);
+ return 1;
+ }
freeaddrinfo(addr);
return 0;
}
@@ -864,7 +901,7 @@ lowercase_string(char *c)
static void usage(void)
{
- fprintf(stderr, "Usage: %s [ -K /path/to/keytab] [-k /path/to/krb5.conf] [-E] [-t] [-v] [-l] key_serial\n", prog);
+ fprintf(stderr, "Usage: %s [ -K /path/to/keytab] [-k /path/to/krb5.conf] [-E] [-t] [-v] [-l] [-e nsecs] key_serial\n", prog);
}
static const struct option long_options[] = {
@@ -874,6 +911,7 @@ static const struct option long_options[] = {
{"trust-dns", 0, NULL, 't'},
{"keytab", 1, NULL, 'K'},
{"version", 0, NULL, 'v'},
+ {"expire", 1, NULL, 'e'},
{NULL, 0, NULL, 0}
};
@@ -897,13 +935,15 @@ int main(const int argc, char *const argv[])
char *env_cachename = NULL;
krb5_ccache ccache = NULL;
struct passwd *pw;
+ unsigned expire_time = DNS_RESOLVER_DEFAULT_TIMEOUT;
+ const char *key_descr = NULL;
hostbuf[0] = '\0';
memset(&arg, 0, sizeof(arg));
openlog(prog, 0, LOG_DAEMON);
- while ((c = getopt_long(argc, argv, "cEk:K:ltv", long_options, NULL)) != -1) {
+ while ((c = getopt_long(argc, argv, "cEk:K:ltve:", long_options, NULL)) != -1) {
switch (c) {
case 'c':
/* legacy option -- skip it */
@@ -931,6 +971,9 @@ int main(const int argc, char *const argv[])
rc = 0;
printf("version: %s\n", VERSION);
goto out;
+ case 'e':
+ expire_time = strtoul(optarg, NULL, 10);
+ break;
default:
syslog(LOG_ERR, "unknown option: %c", c);
goto out;
@@ -965,9 +1008,12 @@ int main(const int argc, char *const argv[])
syslog(LOG_DEBUG, "key description: %s", buf);
- if ((strncmp(buf, "cifs.resolver", sizeof("cifs.resolver") - 1) == 0) ||
- (strncmp(buf, "dns_resolver", sizeof("dns_resolver") - 1) == 0)) {
- rc = cifs_resolver(key, buf);
+ if (strncmp(buf, "cifs.resolver", sizeof("cifs.resolver") - 1) == 0)
+ key_descr = ".cifs.resolver";
+ else if (strncmp(buf, "dns_resolver", sizeof("dns_resolver") - 1) == 0)
+ key_descr = ".dns_resolver";
+ if (key_descr) {
+ rc = cifs_resolver(key, key_descr, buf, expire_time);
goto out;
}
@@ -1193,16 +1239,8 @@ retry_new_hostname:
memcpy(&(keydata->data) + keydata->sesskey_len,
secblob.data, secblob.length);
- /* setup key */
- rc = keyctl_instantiate(key, keydata, datalen, 0);
- if (rc == -1) {
- syslog(LOG_ERR, "keyctl_instantiate: %s", strerror(errno));
- goto out;
- }
+ rc = setup_key(key, keydata, datalen);
- /* BB: maybe we need use timeout for key: for example no more then
- * ticket lifietime? */
- /* keyctl_set_timeout( key, 60); */
out:
/*
* on error, negatively instantiate the key ourselves so that we can
diff --git a/cifs.upcall.rst.in b/cifs.upcall.rst.in
index 1b8df3f31d94..08ce324fc5f6 100644
--- a/cifs.upcall.rst.in
+++ b/cifs.upcall.rst.in
@@ -13,7 +13,7 @@ SYNOPSIS
cifs.upcall [--trust-dns|-t] [--version|-v] [--legacy-uid|-l]
[--krb5conf=/path/to/krb5.conf|-k /path/to/krb5.conf]
- [--keytab=/path/to/keytab|-K /path/to/keytab] {keyid}
+ [--keytab=/path/to/keytab|-K /path/to/keytab] [--expire|-e nsecs] {keyid}
***********
DESCRIPTION
@@ -85,6 +85,9 @@ OPTIONS
user. Set this option if you want cifs.upcall to use the older uid=
parameter instead of the creduid= parameter.
+--expire|-e
+ Override default timeout value (600 seconds) for ``dns_resolver`` key.
+
--version|-v
Print version number and exit.
--
2.20.1