!41 Retry writing to /proc/net/rpc/use-gss-proxy

From: @yixiangzhike 
Reviewed-by: @dillon_chen 
Signed-off-by: @dillon_chen

backport-Do-not-close-fd-if-it-was-never-set.patch

@@ -0,0 +1,47 @@
+From 9d013b1bcc6277842824b25241e8652a865a2944 Mon Sep 17 00:00:00 2001
+From: Simo Sorce <simo@redhat.com>
+Date: Wed, 18 Oct 2023 15:55:13 -0400
+Subject: [PATCH] Do not close fd if it was never set
+
+Fixes Coverity 403648: Argument cannot be negative
+
+Signed-off-by: Simo Sorce <simo@redhat.com>
+---
+ src/gp_init.c | 10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+diff --git a/src/gp_init.c b/src/gp_init.c
+index 8d72c3e..5e7074f 100644
+--- a/src/gp_init.c
++++ b/src/gp_init.c
+@@ -379,12 +379,14 @@ int init_event_fini(struct gssproxy_ctx *gpctx)
+ static int try_init_proc_nfsd(void)
+ {
+     char buf[] = "1";
+-    int fd, ret;
+     static bool poked = false;
+     static bool warned_once = false;
++    int fd = 1;
++    int ret;
+ 
+-    if (poked)
++    if (poked) {
+         return 0;
++    }
+ 
+     fd = open(LINUX_PROC_USE_GSS_PROXY_FILE, O_RDWR);
+     if (fd == -1) {
+@@ -411,7 +413,9 @@ static int try_init_proc_nfsd(void)
+     ret = 0;
+ 
+ out:
+-    close(fd);
++    if (fd != -1) {
++        close(fd);
++    }
+     return ret;
+ }
+ 
+-- 
+2.43.0
+

backport-More-typo-fixes-to-silence-Debian-lintian-typo-in-ma.patch

@@ -0,0 +1,77 @@
+From 159794c918c2e2c0e3d7a1d1a4feadf3151ebc80 Mon Sep 17 00:00:00 2001
+From: Simon Josefsson <simon@josefsson.org>
+Date: Fri, 16 Sep 2022 16:22:25 +0200
+Subject: [PATCH] More typo fixes to silence Debian lintian
+ typo-in-manual-page.
+
+Signed-off-by: Simon Josefsson <simon@josefsson.org>
+---
+ man/gssproxy-mech.8.xml.in | 4 ++--
+ man/gssproxy.conf.5.xml    | 8 ++++----
+ 2 files changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/man/gssproxy-mech.8.xml.in b/man/gssproxy-mech.8.xml.in
+index 6be38f9..87e5d8e 100644
+--- a/man/gssproxy-mech.8.xml.in
++++ b/man/gssproxy-mech.8.xml.in
+@@ -36,7 +36,7 @@
+             <filename>/etc/gss/mech</filename> configuration file.
+         </para>
+         <para>
+-            The interposer plugin allows to intercept the entire GSSAPI
++            The interposer plugin allows one to intercept the entire GSSAPI
+             communication and detour to the <command>gssproxy</command>
+             daemon. When the interposer plugin is installed two other
+             conditions need to be met in order to activate it:
+@@ -112,7 +112,7 @@
+                 <term>REMOTE_ONLY</term>
+                 <listitem>
+                     <para>This setting is currently not fully implemented and
+-                        therefor not supported.
++                        therefore not supported.
+                     </para>
+                 </listitem>
+             </varlistentry>
+diff --git a/man/gssproxy.conf.5.xml b/man/gssproxy.conf.5.xml
+index 261c9f6..0e9b3b1 100644
+--- a/man/gssproxy.conf.5.xml
++++ b/man/gssproxy.conf.5.xml
+@@ -98,7 +98,7 @@
+                               option may cause a service definition to mask
+                               access to following services. To avoid issues
+                               change the order of services in your
+-                              configuation file so that services with
++                              configuration file so that services with
+                               allow_any_uid enabled are listed last, or define
+                               a custom socket for other services.</para>
+                         <para>Default: false</para>
+@@ -146,7 +146,7 @@
+                 <varlistentry>
+                     <term>cred_store (string)</term>
+                     <listitem>
+-                        <para>This parameter allows to control in which way gssproxy should use the cred_store interface provided by GSSAPI. The parameter can be defined multiple times per service.</para>
++                        <para>This parameter allows one to control in which way gssproxy should use the cred_store interface provided by GSSAPI. The parameter can be defined multiple times per service.</para>
+                         <para>The syntax of the cred_store parameter is as
+                             follows:
+                             <![CDATA[cred_store = <cred_store_option>:<cred_store_value>]]></para>
+@@ -272,7 +272,7 @@
+                             flag name or value.
+                         </para>
+                         <para>
+-                            NOTE: Because often gssproxy is used to withold
++                            NOTE: Because often gssproxy is used to withhold
+                             access to credentials the Delegate Flag is filtered
+                             by default. To allow a service to delegate
+                             credentials use the first example below.
+@@ -381,7 +381,7 @@
+                 <varlistentry>
+                     <term>socket (string)</term>
+                     <listitem>
+-                        <para>This parameter allows to create a per-service socket file over which gssproxy client and server components communicate.
++                        <para>This parameter allows one to create a per-service socket file over which gssproxy client and server components communicate.
+                         </para>
+                         <para>When this parameter is not set, gssproxy will
+                             use a compiled-in default.</para>
+-- 
+2.27.0
+

backport-Remove-from-the-correct-list.patch

@@ -0,0 +1,28 @@
+From a9f3b002da2405eb93876610608f968d8108a2b6 Mon Sep 17 00:00:00 2001
+From: Simo Sorce <simo@redhat.com>
+Date: Mon, 11 Mar 2024 17:17:00 -0400
+Subject: [PATCH] Remove from the correct list
+
+Fixes #92
+
+Signed-off-by: Simo Sorce <simo@redhat.com>
+---
+ src/gp_workers.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/gp_workers.c b/src/gp_workers.c
+index 78e8347..0519777 100644
+--- a/src/gp_workers.c
++++ b/src/gp_workers.c
+@@ -189,7 +189,7 @@ void gp_workers_free(struct gp_workers *w)
+     while (w->busy_list) {
+         /* pick threads one by one */
+         t = w->busy_list;
+-        LIST_DEL(w->free_list, t);
++        LIST_DEL(w->busy_list, t);
+ 
+         /* wake up threads, then join them */
+         /* ======> COND_MUTEX */
+-- 
+2.33.0
+

backport-Typo-doc-fix.patch

@@ -0,0 +1,28 @@
+From 090aa9442c141e967e6e86455d50bccd2142ab0a Mon Sep 17 00:00:00 2001
+From: Simon Josefsson <simon@josefsson.org>
+Date: Tue, 13 Sep 2022 17:12:51 +0200
+Subject: [PATCH] Typo doc fix.
+
+Silences Debian lintian typo-in-manual-page.
+
+Signed-off-by: Simon Josefsson <simon@josefsson.org>
+---
+ man/gssproxy.conf.5.xml | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/man/gssproxy.conf.5.xml b/man/gssproxy.conf.5.xml
+index e778583..261c9f6 100644
+--- a/man/gssproxy.conf.5.xml
++++ b/man/gssproxy.conf.5.xml
+@@ -186,7 +186,7 @@
+                 <varlistentry>
+                     <term>cred_usage (string)</term>
+                     <listitem>
+-                        <para>Allow to restrict the kind of operations permitted for this service.</para>
++                        <para>Allow one to restrict the kind of operations permitted for this service.</para>
+                         <para>The allowed options are: initiate, accept, both</para>
+                         <para>Default: cred_usage = both </para>
+                     </listitem>
+-- 
+2.27.0
+

backport-gssproxy-retry-writing-to-proc-net-rpc-use-gss-proxy.patch

@@ -0,0 +1,194 @@
+From fb8737b2c48d67a63a66abfa090e92f21765a94f Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?David=20H=C3=A4rdeman?= <david@hardeman.nu>
+Date: Wed, 18 Oct 2023 16:25:06 +0200
+Subject: [PATCH] [gssproxy] retry writing to /proc/net/rpc/use-gss-proxy
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+This improves the handling of cases where the auth_rpcgss module has not yet
+been loaded when gssproxy is started.
+
+Signed-off-by: David Härdeman <david@hardeman.nu>
+---
+ src/gp_init.c  | 102 +++++++++++++++++++++++++++++++++++++------------
+ src/gp_proxy.h |   4 +-
+ src/gssproxy.c |   2 +-
+ 3 files changed, 82 insertions(+), 26 deletions(-)
+
+diff --git a/src/gp_init.c b/src/gp_init.c
+index 1cc7e28..8d72c3e 100644
+--- a/src/gp_init.c
++++ b/src/gp_init.c
+@@ -277,7 +277,7 @@ static void hup_handler(verto_ctx *vctx UNUSED, verto_ev *ev)
+     }
+ 
+     /* conditionally reload kernel interface */
+-    init_proc_nfsd(gpctx->config);
++    init_proc_nfsd(gpctx);
+ 
+     free_config(&old_config);
+ 
+@@ -376,31 +376,26 @@ int init_event_fini(struct gssproxy_ctx *gpctx)
+     return 0;
+ }
+ 
+-void init_proc_nfsd(struct gp_config *cfg)
++static int try_init_proc_nfsd(void)
+ {
+     char buf[] = "1";
+-    bool enabled = false;
+     int fd, ret;
+-    static int poked = 0;
++    static bool poked = false;
++    static bool warned_once = false;
+ 
+-    /* check first if any service enabled kernel support */
+-    for (int i = 0; i < cfg->num_svcs; i++) {
+-        if (cfg->svcs[i]->kernel_nfsd) {
+-            enabled = true;
+-            break;
+-        }
+-    }
+-
+-    if (!enabled || poked) {
+-        return;
+-    }
++    if (poked)
++        return 0;
+ 
+     fd = open(LINUX_PROC_USE_GSS_PROXY_FILE, O_RDWR);
+     if (fd == -1) {
+         ret = errno;
+-        GPDEBUG("Kernel doesn't support GSS-Proxy (can't open %s: %d (%s))\n",
+-                LINUX_PROC_USE_GSS_PROXY_FILE, ret, gp_strerror(ret));
+-        goto fail;
++        if (!warned_once) {
++            GPDEBUG("Kernel doesn't support GSS-Proxy "
++                    "(can't open %s: %d (%s))\n",
++                    LINUX_PROC_USE_GSS_PROXY_FILE, ret, gp_strerror(ret));
++            warned_once = true;
++        }
++        goto out;
+     }
+ 
+     ret = write(fd, buf, 1);
+@@ -408,15 +403,74 @@ void init_proc_nfsd(struct gp_config *cfg)
+         ret = errno;
+         GPDEBUG("Failed to write to %s: %d (%s)\n",
+                 LINUX_PROC_USE_GSS_PROXY_FILE, ret, gp_strerror(ret));
+-        close(fd);
+-        goto fail;
++        goto out;
+     }
+ 
+-    poked = 1;
++    GPDEBUG("Kernel GSS-Proxy support enabled\n");
++    poked = true;
++    ret = 0;
++
++out:
+     close(fd);
+-    return;
+-fail:
+-    GPDEBUG("Problem with kernel communication!  NFS server will not work\n");
++    return ret;
++}
++
++static void delayed_proc_nfsd(verto_ctx *vctx UNUSED, verto_ev *ev)
++{
++    struct gssproxy_ctx *gpctx;
++    int ret;
++
++    gpctx = verto_get_private(ev);
++
++    ret = try_init_proc_nfsd();
++    if (ret == 0) {
++        verto_del(gpctx->retry_proc_ev);
++        gpctx->retry_proc_ev = NULL;
++    }
++}
++
++int init_proc_nfsd(struct gssproxy_ctx *gpctx)
++{
++    bool enabled = false;
++    int ret;
++
++    /* check first if any service enabled kernel support */
++    for (int i = 0; i < gpctx->config->num_svcs; i++) {
++        if (gpctx->config->svcs[i]->kernel_nfsd) {
++            enabled = true;
++            break;
++        }
++    }
++
++    if (!enabled) {
++        goto out;
++    }
++
++    ret = try_init_proc_nfsd();
++    if (ret == 0) {
++        goto out;
++    }
++
++    /* failure, but the auth_rpcgss module might not be loaded yet */
++    if (!gpctx->retry_proc_ev) {
++        gpctx->retry_proc_ev = verto_add_timeout(gpctx->vctx,
++                                                 VERTO_EV_FLAG_PERSIST,
++                                                 delayed_proc_nfsd, 10 * 1000);
++        if (!gpctx->retry_proc_ev) {
++            fprintf(stderr, "Failed to register delayed_proc_nfsd event!\n");
++        } else {
++            verto_set_private(gpctx->retry_proc_ev, gpctx, NULL);
++        }
++    }
++
++    return 1;
++
++out:
++    if (gpctx->retry_proc_ev) {
++        verto_del(gpctx->retry_proc_ev);
++        gpctx->retry_proc_ev = NULL;
++    }
++    return 0;
+ }
+ 
+ void write_pid(void)
+diff --git a/src/gp_proxy.h b/src/gp_proxy.h
+index c8b55ef..4e0e9c3 100644
+--- a/src/gp_proxy.h
++++ b/src/gp_proxy.h
+@@ -84,6 +84,8 @@ struct gssproxy_ctx {
+     time_t term_timeout;
+     verto_ev *term_ev; /* termination ev in user mode */
+ 
++    verto_ev *retry_proc_ev; /* retry telling the kernel to use GSS-Proxy */
++
+     ssize_t readstats;
+     ssize_t writestats;
+     time_t last_activity;
+@@ -120,7 +122,7 @@ void fini_server(void);
+ int init_sockets(struct gssproxy_ctx *gpctx, struct gp_config *old_config);
+ int init_userproxy_socket(struct gssproxy_ctx *gpctx);
+ void init_event_loop(struct gssproxy_ctx *gpctx);
+-void init_proc_nfsd(struct gp_config *cfg);
++int init_proc_nfsd(struct gssproxy_ctx *gpctx);
+ int init_event_fini(struct gssproxy_ctx *gpctx);
+ void write_pid(void);
+ int drop_privs(struct gp_config *cfg);
+diff --git a/src/gssproxy.c b/src/gssproxy.c
+index e216ec5..3e5326c 100644
+--- a/src/gssproxy.c
++++ b/src/gssproxy.c
+@@ -168,7 +168,7 @@ int main(int argc, const char *argv[])
+      * as nfsd needs to know GSS-Proxy is in use before the first time it
+      * needs to call accept_sec_context. */
+     if (!gpctx->userproxymode) {
+-        init_proc_nfsd(gpctx->config);
++        init_proc_nfsd(gpctx);
+     }
+ 
+     /* Now it is safe to tell the init system that we're done starting up,
+-- 
+2.43.0
+

gssproxy.spec

@@ -3,13 +3,18 @@
 %global gpstatedir %{_localstatedir}/lib/gssproxy
 
 Name:		gssproxy
-Version:	0.8.4
-Release:	1
+Version:	0.9.1
+Release:	4
 Summary:	GSSAPI Proxy
 License:	MIT
 URL:		https://github.com/gssapi/gssproxy
 Source0:	https://github.com/gssapi/%{name}/releases/download/v%{version}/%{name}-%{version}.tar.gz
 
+Patch1:    backport-Typo-doc-fix.patch
+Patch2:    backport-More-typo-fixes-to-silence-Debian-lintian-typo-in-ma.patch
+Patch3:    backport-Remove-from-the-correct-list.patch
+Patch4:    backport-gssproxy-retry-writing-to-proc-net-rpc-use-gss-proxy.patch
+Patch5:    backport-Do-not-close-fd-if-it-was-never-set.patch
 
 Requires: krb5 keyutils libverto-module-base libini_config
 Requires(post): systemd
@@ -20,6 +25,8 @@ Conflicts: selinux-policy < 3.13.1-283.5
 
 BuildRequires: autoconf automake libtool m4 libxslt libxml2 docbook-style-xsl doxygen findutils systemd-units git popt-devel
 BuildRequires: gettext-devel pkgconfig krb5-devel >= 1.12.0 libselinux-devel keyutils-libs-devel libini_config-devel >= 1.2.0 libverto-devel
+# for gssuserproxy.service --idle-timeout
+BuildRequires: systemd-devel
 
 %description
 This is a proxy for GSSAPI which deals with credential handling
@@ -50,8 +57,8 @@ rm -rf %{buildroot}
 rm -f %{buildroot}%{_libdir}/gssproxy/proxymech.la
 install -d -m755 %{buildroot}%{_sysconfdir}/gssproxy
 install -m644 examples/gssproxy.conf %{buildroot}%{_sysconfdir}/gssproxy/gssproxy.conf
-install -m644 examples/99-nfs-client.conf %{buildroot}%{_sysconfdir}/gssproxy/99-nfs-client.conf
-install -D -m644 examples/mech %{buildroot}%{_sysconfdir}/gss/mech.d/gssproxy.conf
+install -m644 examples/99-network-fs-clients.conf %{buildroot}%{_sysconfdir}/gssproxy/99-network-fs-clients.conf
+install -D -m644 examples/proxymech.conf %{buildroot}%{_sysconfdir}/gss/mech.d/proxymech.conf
 install -m644 examples/24-nfs-server.conf %{buildroot}%{_sysconfdir}/gssproxy/24-nfs-server.conf
 mkdir -p %{buildroot}%{gpstatedir}/rcache
 
@@ -67,14 +74,16 @@ mkdir -p %{buildroot}%{gpstatedir}/rcache
 %files
 %license COPYING
 %{_unitdir}/gssproxy.service
+%{_userunitdir}/gssuserproxy.service
+%{_userunitdir}/gssuserproxy.socket
 %{_sbindir}/gssproxy
 %attr(755,root,root) %dir %{pubconfpath}
 %attr(755,root,root) %dir %{gpstatedir}
 %attr(700,root,root) %dir %{gpstatedir}/clients
 %attr(700,root,root) %dir %{gpstatedir}/rcache
 %attr(0600,root,root) %config(noreplace) /%{_sysconfdir}/gssproxy/gssproxy.conf
-%attr(0600,root,root) %config(noreplace) /%{_sysconfdir}/gssproxy/99-nfs-client.conf
-%attr(0644,root,root) %config(noreplace) /%{_sysconfdir}/gss/mech.d/gssproxy.conf
+%attr(0600,root,root) %config(noreplace) /%{_sysconfdir}/gssproxy/99-network-fs-clients.conf
+%attr(0644,root,root) %config(noreplace) /%{_sysconfdir}/gss/mech.d/proxymech.conf
 %attr(0600,root,root) %config(noreplace) /%{_sysconfdir}/gssproxy/24-nfs-server.conf
 %dir %{_libdir}/gssproxy
 %{_libdir}/gssproxy/proxymech.so
@@ -85,6 +94,21 @@ mkdir -p %{buildroot}%{gpstatedir}/rcache
 %{_mandir}/man8/gssproxy-mech.8*
 
 %changelog
+* Tue May 13 2025 yixiangzhike <yixiangzhike007@163.com> - 0.9.1-4
+- backport upstream patch to retry writing to /proc/net/rpc/use-gss-proxy
+
+* Wed Mar 27 2024 yixiangzhike <yixiangzhike007@163.com> - 0.9.1-3
+- backport upstream patch to remove node from correct list
+
+* Mon Apr 10 2023 yixiangzhike <yixiangzhike007@163.com> - 0.9.1-2
+- add BuildRequires:systemd-devel for option idle-timeout
+
+* Mon Oct 24 2022 yixiangzhike <yixiangzhike007@163.com> - 0.9.1-1
+- update to 0.9.1
+
+* Tue Oct 18 2022 yixiangzhike <yixiangzhike007@163.com> - 0.8.4-2
+- typo doc fix
+
 * Tue Nov 30 2021 yixiangzhike <yixiangzhike007@163.com> - 0.8.4-1
 - update to 0.8.4