SOURCES/Add-an-option-for-minimum-lifetime.patch

@@ -0,0 +1,140 @@
+From c6847f012b326a7e27dbe79d8df0faafdeb2dbef Mon Sep 17 00:00:00 2001
+From: Scott Mayhew <smayhew@redhat.com>
+Date: Thu, 2 Sep 2021 12:44:27 -0400
+Subject: [PATCH] Add an option for minimum lifetime
+
+It's possible for gssproxy to return a cached credential with a very
+small remaining lifetime.  This can be problematic for NFS clients since
+it requires a round trip to the NFS server to establish a GSS context.
+Add a min_lifetime option that represents the lowest value that the
+lifetime of the cached credential can be.  Any lower than that, and
+gp_check_cred() returns GSS_S_CREDENTIALS_EXPIRED, so that
+gp_add_krb5_creds() is forced to try to obtain a new credential.
+
+Signed-off-by: Scott Mayhew <smayhew@redhat.com>
+[antorres@redhat.com: adjusted lines number for man diff]
+---
+ examples/99-nfs-client.conf.in |  1 +
+ man/gssproxy.conf.5.xml        | 15 +++++++++++++++
+ src/gp_config.c                | 12 ++++++++++++
+ src/gp_creds.c                 | 12 ++++++++++--
+ src/gp_proxy.h                 |  1 +
+ 5 files changed, 39 insertions(+), 2 deletions(-)
+
+diff --git a/examples/99-nfs-client.conf.in b/examples/99-nfs-client.conf.in
+index c0985d9..9dd1891 100644
+--- a/examples/99-nfs-client.conf.in
++++ b/examples/99-nfs-client.conf.in
+@@ -7,3 +7,4 @@
+   allow_any_uid = yes
+   trusted = yes
+   euid = 0
++  min_lifetime = 60
+diff --git a/man/gssproxy.conf.5.xml b/man/gssproxy.conf.5.xml
+index de846b4..af6ca18 100644
+--- a/man/gssproxy.conf.5.xml
++++ b/man/gssproxy.conf.5.xml
+@@ -348,6 +348,21 @@
+                     </listitem>
+                     </varlistentry>
+ 
++                <varlistentry>
++                    <term>min_lifetime (integer)</term>
++                    <listitem>
++                        <para>Minimum lifetime of a cached credential, in seconds.</para>
++                        <para>If non-zero, when gssproxy is deciding whether to use
++                            a cached credential, it will compare the lifetime of the
++                            cached credential to this value.  If the lifetime of the
++                            cached credential is lower, gssproxy will treat the cached
++                            credential as expired and will attempt to obtain a new
++                            credential.
++                        </para>
++                        <para>Default: min_lifetime = 15</para>
++                    </listitem>
++                </varlistentry>
++
+                 <varlistentry>
+                     <term>program (string)</term>
+                     <listitem>
+diff --git a/src/gp_config.c b/src/gp_config.c
+index 4cda579..a0afa73 100644
+--- a/src/gp_config.c
++++ b/src/gp_config.c
+@@ -32,6 +32,7 @@ struct gp_flag_def flag_names[] = {
+ 
+ #define DEFAULT_FILTERED_FLAGS GSS_C_DELEG_FLAG
+ #define DEFAULT_ENFORCED_FLAGS 0
++#define DEFAULT_MIN_LIFETIME 15
+ 
+ static void free_str_array(const char ***a, int *count)
+ {
+@@ -538,6 +539,17 @@ static int load_services(struct gp_config *cfg, struct gp_ini_context *ctx)
+                     goto done;
+                 }
+             }
++
++            cfg->svcs[n]->min_lifetime = DEFAULT_MIN_LIFETIME;
++            ret = gp_config_get_int(ctx, secname, "min_lifetime", &valnum);
++            if (ret == 0) {
++                if (valnum >= 0) {
++                    cfg->svcs[n]->min_lifetime = valnum;
++                } else {
++                    GPDEBUG("Invalid value '%d' for min_lifetime in [%s], ignoring.\n",
++                            valnum, secname);
++                }
++            }
+         }
+         safefree(secname);
+     }
+diff --git a/src/gp_creds.c b/src/gp_creds.c
+index 92a6f13..843d1a3 100644
+--- a/src/gp_creds.c
++++ b/src/gp_creds.c
+@@ -492,6 +492,7 @@ done:
+ }
+ 
+ static uint32_t gp_check_cred(uint32_t *min,
++                              struct gp_service *svc,
+                               gss_cred_id_t in_cred,
+                               gssx_name *desired_name,
+                               gss_cred_usage_t cred_usage)
+@@ -563,7 +564,14 @@ static uint32_t gp_check_cred(uint32_t *min,
+     if (lifetime == 0) {
+         ret_maj = GSS_S_CREDENTIALS_EXPIRED;
+     } else {
+-        ret_maj = GSS_S_COMPLETE;
++        if (svc->min_lifetime && lifetime < svc->min_lifetime) {
++            GPDEBUG("%s: lifetime (%u) less than min_lifetime (%u) "
++                    "for service \"%s\" - returning\n",
++                    __func__, lifetime, svc->min_lifetime, svc->name);
++            ret_maj = GSS_S_CREDENTIALS_EXPIRED;
++        } else {
++            ret_maj = GSS_S_COMPLETE;
++        }
+     }
+ 
+ done:
+@@ -622,7 +630,7 @@ uint32_t gp_add_krb5_creds(uint32_t *min,
+          * function completely */
+ 
+         /* just check if it is a valid krb5 cred */
+-        ret_maj = gp_check_cred(&ret_min, in_cred, desired_name, cred_usage);
++        ret_maj = gp_check_cred(&ret_min, gpcall->service, in_cred, desired_name, cred_usage);
+         if (ret_maj == GSS_S_COMPLETE) {
+             return GSS_S_COMPLETE;
+         } else if (ret_maj == GSS_S_CREDENTIALS_EXPIRED ||
+diff --git a/src/gp_proxy.h b/src/gp_proxy.h
+index 3f58a43..f56d640 100644
+--- a/src/gp_proxy.h
++++ b/src/gp_proxy.h
+@@ -45,6 +45,7 @@ struct gp_service {
+     gss_cred_usage_t cred_usage;
+     uint32_t filter_flags;
+     uint32_t enforce_flags;
++    uint32_t min_lifetime;
+     char *program;
+ 
+     uint32_t mechs;
+-- 
+2.31.1
+

SOURCES/Fix-handling-of-selinux-context-when-NULL.patch

@@ -0,0 +1,41 @@
+From 255188b5e3cfc3be5aebd037389bcf7da686a622 Mon Sep 17 00:00:00 2001
+From: Simo Sorce <simo@redhat.com>
+Date: Tue, 7 Apr 2020 08:56:53 -0400
+Subject: [PATCH] Fix handling of selinux context when NULL
+
+Fixes: #256
+Signed-off-by: Simo Sorce <simo@redhat.com>
+Merges: #257
+Reviewed-by: Robbie Harwood <rharwood@redhat.com>
+---
+ src/gp_socket.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/src/gp_socket.c b/src/gp_socket.c
+index 7a19ee5..9070928 100644
+--- a/src/gp_socket.c
++++ b/src/gp_socket.c
+@@ -122,7 +122,9 @@ void gp_conn_free(struct gp_conn *conn)
+         close(conn->us.sd);
+     }
+     free(conn->program);
+-    SELINUX_context_free(conn->selinux_ctx);
++    if (conn->selinux_ctx) {
++        SELINUX_context_free(conn->selinux_ctx);
++    }
+     free(conn);
+ }
+ 
+@@ -635,7 +637,8 @@ void accept_sock_conn(verto_ctx *vctx, verto_ev *ev)
+                 conn->creds.ucred.uid,
+                 conn->creds.ucred.gid);
+     }
+-    if (conn->creds.type & CRED_TYPE_SELINUX) {
++    if ((conn->creds.type & CRED_TYPE_SELINUX) &&
++        (conn->selinux_ctx != NULL)) {
+         GPDEBUG(" (context = %s)",
+                 SELINUX_context_str(conn->selinux_ctx));
+     }
+-- 
+2.35.3
+

SPECS/gssproxy.spec

@@ -1,7 +1,7 @@
 Name:		gssproxy
 
 Version:	0.8.0
-Release:	19%{?dist}
+Release:	21%{?dist}
 Summary:	GSSAPI Proxy
 
 Group:		System Environment/Libraries
@@ -42,6 +42,8 @@ Patch25: Always-free-ciphertext-data-in-gp_encrypt_buffer.patch
 Patch26: Return-static-oids-for-naming-functions.patch
 Patch27: Avoid-unnecessary-allocation-in-gpm_inquire_mechs_fo.patch
 Patch28: Use-static-OIDs-in-gss_inquire_context.patch
+Patch29: Add-an-option-for-minimum-lifetime.patch
+Patch30: Fix-handling-of-selinux-context-when-NULL.patch
 
 ### Dependencies ###
 Requires: krb5-libs >= 1.12.0
@@ -136,6 +138,14 @@ mkdir -p %{buildroot}%{gpstatedir}/rcache
 %systemd_postun_with_restart gssproxy.service
 
 %changelog
+* Mon Jul 04 2022 Julien Rische <jrische@redhat.com> - 0.8.0-21
+- Fix handling of selinux context when NULL
+- Resolves: rhbz#2061061
+
+* Wed Nov 17 2021 Antonio Torres <antorres@redhat.com> - 0.8.0-20
+- Add an option for minimum lifetime
+- Resolves: #1721331
+
 * Thu Oct 29 2020 Robbie Harwood <rharwood@redhat.com> - 0.8.0-19
 - More leak fixes
 - Resolves: #1813200