git.ipfire.org Git - thirdparty/linux.git/commit

author	Benjamin Coddington <bcodding@hammerspace.com>
	Wed, 25 Feb 2026 12:51:38 +0000 (07:51 -0500)
committer	Chuck Lever <chuck.lever@oracle.com>
	Mon, 30 Mar 2026 01:25:09 +0000 (21:25 -0400)
commit	2a83ffc5575013784ea41739daf9e10200e44e7c
tree	94704830afce5aa105bff261e207313b39ca3316	tree \| snapshot
parent	a002ad8a9bc89c084bc40933065c88336700837e	commit \| diff

NFSD: Sign filehandles

NFS clients may bypass restrictive directory permissions by using
open_by_handle() (or other available OS system call) to guess the
filehandles for files below that directory.

In order to harden knfsd servers against this attack, create a method to
sign and verify filehandles using SipHash-2-4 as a MAC (Message
Authentication Code).  According to
https://cr.yp.to/siphash/siphash-20120918.pdf, SipHash can be used as a
MAC, and our use of SipHash-2-4 provides a low 1 in 2^64 chance of forgery.

Filehandles that have been signed cannot be tampered with, nor can
clients reasonably guess correct filehandles and hashes that may exist in
parts of the filesystem they cannot access due to directory permissions.

Append the 8 byte SipHash to encoded filehandles for exports that have set
the "sign_fh" export option.  Filehandles received from clients are
verified by comparing the appended hash to the expected hash.  If the MAC
does not match the server responds with NFS error _STALE.  If unsigned
filehandles are received for an export with "sign_fh" they are rejected
with NFS error _STALE.

Signed-off-by: Benjamin Coddington <bcodding@hammerspace.com>
Reviewed-by: Jeff Layton <jlayton@kernel.org>
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>

Documentation/filesystems/nfs/exporting.rst		diff \| blob \| blame \| history
fs/nfsd/Kconfig		diff \| blob \| blame \| history
fs/nfsd/nfsfh.c		diff \| blob \| blame \| history
fs/nfsd/trace.h		diff \| blob \| blame \| history