diff --git a/backport-Do-not-close-fd-if-it-was-never-set.patch b/backport-Do-not-close-fd-if-it-was-never-set.patch
new file mode 100644
index 0000000000000000000000000000000000000000..4005abfcaecbe4af21e2ebd93b4ed03436f8e611
--- /dev/null
+++ b/backport-Do-not-close-fd-if-it-was-never-set.patch
@@ -0,0 +1,47 @@
+From 9d013b1bcc6277842824b25241e8652a865a2944 Mon Sep 17 00:00:00 2001
+From: Simo Sorce
+Date: Wed, 18 Oct 2023 15:55:13 -0400
+Subject: [PATCH] Do not close fd if it was never set
+
+Fixes Coverity 403648: Argument cannot be negative
+
+Signed-off-by: Simo Sorce
+---
+ src/gp_init.c | 10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+diff --git a/src/gp_init.c b/src/gp_init.c
+index 8d72c3e..5e7074f 100644
+--- a/src/gp_init.c
++++ b/src/gp_init.c
+@@ -379,12 +379,14 @@ int init_event_fini(struct gssproxy_ctx *gpctx)
+ static int try_init_proc_nfsd(void)
+ {
+ char buf[] = "1";
+- int fd, ret;
+ static bool poked = false;
+ static bool warned_once = false;
++ int fd = 1;
++ int ret;
+ 
+- if (poked)
++ if (poked) {
+ return 0;
++ }
+ 
+ fd = open(LINUX_PROC_USE_GSS_PROXY_FILE, O_RDWR);
+ if (fd == -1) {
+@@ -411,7 +413,9 @@ static int try_init_proc_nfsd(void)
+ ret = 0;
+ 
+ out:
+- close(fd);
++ if (fd != -1) {
++ close(fd);
++ }
+ return ret;
+ }
+ 
+-- 
+2.43.0
+
diff --git a/backport-gssproxy-retry-writing-to-proc-net-rpc-use-gss-proxy.patch b/backport-gssproxy-retry-writing-to-proc-net-rpc-use-gss-proxy.patch
new file mode 100644
index 0000000000000000000000000000000000000000..5ddd04921d51a79a13972ed7e335b0f823ba249d
--- /dev/null
+++ b/backport-gssproxy-retry-writing-to-proc-net-rpc-use-gss-proxy.patch
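Review bot: The initializer added in the `@@ -379` hunk, `int fd = 1;`, picks a valid descriptor number as the "never set" value, so the new `if (fd != -1)` guard at `out:` only holds because no path reaches `out` before `open()` has assigned `fd`; any early exit later inserted above the open would close descriptor 1 (stdout). If the hunk is to be read literally, the sentinel should be the value the guard tests for, `int fd = -1;`, which is also what the `fd == -1` check after open() already assumes. The middle of try_init_proc_nfsd (the write() and its error path) lies between the two hunks and is not shown here.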
@@ -0,0 +1,194 @@
+From fb8737b2c48d67a63a66abfa090e92f21765a94f Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?David=20H=C3=A4rdeman?=
+Date: Wed, 18 Oct 2023 16:25:06 +0200
+Subject: [PATCH] [gssproxy] retry writing to /proc/net/rpc/use-gss-proxy
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+This improves the handling of cases where the auth_rpcgss module has not yet
+been loaded when gssproxy is started.
+
+Signed-off-by: David Härdeman
+---
+ src/gp_init.c | 102 +++++++++++++++++++++++++++++++++++++------------
+ src/gp_proxy.h | 4 +-
+ src/gssproxy.c | 2 +-
+ 3 files changed, 82 insertions(+), 26 deletions(-)
+
+diff --git a/src/gp_init.c b/src/gp_init.c
+index 1cc7e28..8d72c3e 100644
+--- a/src/gp_init.c
++++ b/src/gp_init.c
+@@ -277,7 +277,7 @@ static void hup_handler(verto_ctx *vctx UNUSED, verto_ev *ev)
+ }
+ 
+ /* conditionally reload kernel interface */
+- init_proc_nfsd(gpctx->config);
++ init_proc_nfsd(gpctx);
+ 
+ free_config(&old_config);
+ 
+@@ -376,31 +376,26 @@ int init_event_fini(struct gssproxy_ctx *gpctx)
+ return 0;
+ }
+ 
+-void init_proc_nfsd(struct gp_config *cfg)
++static int try_init_proc_nfsd(void)
+ {
+ char buf[] = "1";
+- bool enabled = false;
+ int fd, ret;
+- static int poked = 0;
++ static bool poked = false;
++ static bool warned_once = false;
+ 
+- /* check first if any service enabled kernel support */
+- for (int i = 0; i < cfg->num_svcs; i++) {
+- if (cfg->svcs[i]->kernel_nfsd) {
+- enabled = true;
+- break;
+- }
+- }
+-
+- if (!enabled || poked) {
+- return;
+- }
++ if (poked)
++ return 0;
+ 
+ fd = open(LINUX_PROC_USE_GSS_PROXY_FILE, O_RDWR);
+ if (fd == -1) {
+ ret = errno;
+- GPDEBUG("Kernel doesn't support GSS-Proxy (can't open %s: %d (%s))\n",
+- LINUX_PROC_USE_GSS_PROXY_FILE, ret, gp_strerror(ret));
+- goto fail;
++ if (!warned_once) {
++ GPDEBUG("Kernel doesn't support GSS-Proxy "
++ "(can't open %s: %d (%s))\n",
++ LINUX_PROC_USE_GSS_PROXY_FILE, ret, gp_strerror(ret));
++ warned_once = true;
++ }
++ goto out;
+ }
+ 
+ ret = write(fd, buf, 1);
+@@ -408,15 +403,74 @@ void init_proc_nfsd(struct gp_config *cfg)
+ ret = errno;
+ GPDEBUG("Failed to write to %s: %d (%s)\n",
+ LINUX_PROC_USE_GSS_PROXY_FILE, ret, gp_strerror(ret));
+- close(fd);
+- goto fail;
++ goto out;
+ }
+ 
+- poked = 1;
++ GPDEBUG("Kernel GSS-Proxy support enabled\n");
++ poked = true;
++ ret = 0;
++
++out:
+ close(fd);
+- return;
+-fail:
+- GPDEBUG("Problem with kernel communication! NFS server will not work\n");
++ return ret;
++}
++
++static void delayed_proc_nfsd(verto_ctx *vctx UNUSED, verto_ev *ev)
++{
++ struct gssproxy_ctx *gpctx;
++ int ret;
++
++ gpctx = verto_get_private(ev);
++
++ ret = try_init_proc_nfsd();
++ if (ret == 0) {
++ verto_del(gpctx->retry_proc_ev);
++ gpctx->retry_proc_ev = NULL;
++ }
++}
++
++int init_proc_nfsd(struct gssproxy_ctx *gpctx)
++{
++ bool enabled = false;
++ int ret;
++
++ /* check first if any service enabled kernel support */
++ for (int i = 0; i < gpctx->config->num_svcs; i++) {
++ if (gpctx->config->svcs[i]->kernel_nfsd) {
++ enabled = true;
++ break;
++ }
++ }
++
++ if (!enabled) {
++ goto out;
++ }
++
++ ret = try_init_proc_nfsd();
++ if (ret == 0) {
++ goto out;
++ }
++
++ /* failure, but the auth_rpcgss module might not be loaded yet */
++ if (!gpctx->retry_proc_ev) {
++ gpctx->retry_proc_ev = verto_add_timeout(gpctx->vctx,
++ VERTO_EV_FLAG_PERSIST,
++ delayed_proc_nfsd, 10 * 1000);
++ if (!gpctx->retry_proc_ev) {
++ fprintf(stderr, "Failed to register delayed_proc_nfsd event!\n");
++ } else {
++ verto_set_private(gpctx->retry_proc_ev, gpctx, NULL);
++ }
++ }
++
++ return 1;
++
++out:
++ if (gpctx->retry_proc_ev) {
++ verto_del(gpctx->retry_proc_ev);
++ gpctx->retry_proc_ev = NULL;
++ }
++ return 0;
+ }
+ 
+ void write_pid(void)
+diff --git a/src/gp_proxy.h b/src/gp_proxy.h
+index c8b55ef..4e0e9c3 100644
+--- a/src/gp_proxy.h
++++ b/src/gp_proxy.h
+@@ -84,6 +84,8 @@ struct gssproxy_ctx {
+ time_t term_timeout;
+ verto_ev *term_ev; /* termination ev in user mode */
+ 
++ verto_ev *retry_proc_ev; /* retry telling the kernel to use GSS-Proxy */
++
+ ssize_t readstats;
+ ssize_t writestats;
+ time_t last_activity;
+@@ -120,7 +122,7 @@ void fini_server(void);
+ int init_sockets(struct gssproxy_ctx *gpctx, struct gp_config *old_config);
+ int init_userproxy_socket(struct gssproxy_ctx *gpctx);
+ void init_event_loop(struct gssproxy_ctx *gpctx);
+-void init_proc_nfsd(struct gp_config *cfg);
++int init_proc_nfsd(struct gssproxy_ctx *gpctx);
+ int init_event_fini(struct gssproxy_ctx *gpctx);
+ void write_pid(void);
+ int drop_privs(struct gp_config *cfg);
+diff --git a/src/gssproxy.c b/src/gssproxy.c
+index e216ec5..3e5326c 100644
+--- a/src/gssproxy.c
++++ b/src/gssproxy.c
+@@ -168,7 +168,7 @@ int main(int argc, const char *argv[])
+ * as nfsd needs to know GSS-Proxy is in use before the first time it
+ * needs to call accept_sec_context. */
+ if (!gpctx->userproxymode) {
+- init_proc_nfsd(gpctx->config);
++ init_proc_nfsd(gpctx);
+ }
+ 
+ /* Now it is safe to tell the init system that we're done starting up,
+-- 
+2.43.0
+
diff --git a/gssproxy.spec b/gssproxy.spec
index 9d419b23ac21794184edc7d47bb603bfde044020..bf282ee10f5710f484bb636891183d88f8f35941 100644
--- a/gssproxy.spec
+++ b/gssproxy.spec
@@ -4,7 +4,7 @@
 Name: gssproxy
 Version: 0.9.1
-Release: 3
+Release: 4
 Summary: GSSAPI Proxy
 License: MIT
 URL: https://github.com/gssapi/gssproxy
 
@@ -13,6 +13,8 @@ Source0: https://github.com/gssapi/%{name}/releases/download/v%{version}/%{name}
 Patch1: backport-Typo-doc-fix.patch
 Patch2: backport-More-typo-fixes-to-silence-Debian-lintian-typo-in-ma.patch
 Patch3: backport-Remove-from-the-correct-list.patch
+Patch4: backport-gssproxy-retry-writing-to-proc-net-rpc-use-gss-proxy.patch
+Patch5: backport-Do-not-close-fd-if-it-was-never-set.patch
 
 Requires: krb5 keyutils libverto-module-base libini_config
 Requires(post): systemd
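Review bot: The gp_proxy.h hunk changes the prototype to `int init_proc_nfsd(struct gssproxy_ctx *gpctx);` without a comment on what the value means, while the gp_init.c hunk returns 1 when a retry timer has been armed and 0 when the kernel has been told or no service needs it, and both call sites shown (hup_handler and main) discard the result; a one-line comment above the prototype, `/* returns 0 when done or nothing to do, 1 while a 10s retry timer is pending */`, keeps a later caller from reading 1 as an error. In init_proc_nfsd the timer is registered with VERTO_EV_FLAG_PERSIST and no retry limit, and try_init_proc_nfsd logs the open() failure only once via `warned_once`, so on a kernel that never exposes the use-gss-proxy file the daemon polls every 10 seconds for its whole lifetime with no further diagnostic; a GPDEBUG line where the timer is armed (next to the existing `fprintf(stderr, ...)` branch, which is itself the only non-GPDEBUG log in this file's hunks) would make that state visible. The `#include`s and the rest of main() lie outside these hunks.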
@@ -92,6 +94,9 @@ mkdir -p %{buildroot}%{gpstatedir}/rcache
 %{_mandir}/man8/gssproxy-mech.8*
 
 %changelog
+* Tue May 13 2025 yixiangzhike - 0.9.1-4
+- backport upstream patch to retry writing to /proc/net/rpc/use-gss-proxy
+
 * Wed Mar 27 2024 yixiangzhike - 0.9.1-3
 - backport upstream patch to remove node from correct list