
[PATCH 0/9] Deliver TLS session tags to upper-layer consumers (NFSD)

From: Chuck Lever <cel@kernel.org>
Date: 2026-06-05 17:34:49
Also in: linux-nfs, linux-nvme

NFSD and similar upper-layer services want access-control decisions
based on TLS peer-certificate characteristics, but in-kernel x.509
parsing would duplicate work mature userspace libraries already do.
This series gives tlshd a way to evaluate certificates against
admin-defined policy and report matching policies back to the kernel
as opaque string tags. The handshake layer plumbs the tags through to
the upper-layer consumer's completion callback; intersection against
per-resource tag sets stays the consumer's problem.

Four architectural choices shape the series, only one of which is
visible in any single patch.

The tagging vocabulary is opaque to the kernel. tlshd decides what
each tag means; the handshake layer and its consumers only test
membership. This keeps x.509 out of the kernel and lets policy evolve
at userspace speed. Any future attribute the kernel wants to gate on
must be expressed as a tag rather than as a new netlink field per
attribute.

DONE gains a privilege check (patch 1) as a prerequisite, not as
cleanup. Without it, an unprivileged process guessing a sockfd could
submit a forged DONE and effectively grant or deny tag membership
for a real handshake. Once tags carry authorization weight, that
pre-existing gap becomes load-bearing. The fix predates tags in
principle and carries a Fixes: tag, but it sits at the head of this
series so the rest of the work has a trustworthy foundation.

HANDSHAKE_MAX_SESSIONTAGS is advertised on every ACCEPT reply as
HANDSHAKE_A_ACCEPT_MAX_TAGS (patch 6), so tlshd can size its
DONE-side tag list against the kernel's runtime limit rather than
guessing from header constants. If a daemon overruns anyway, the
DONE handler truncates and logs one pr_warn_once rather than
returning -E2BIG: tearing down a handshake the operator almost
certainly wants to keep is a worse outcome than dropping a few
tags. The truncation path is defense-in-depth for a buggy or
stale agent, not the primary signal.

The tagset helper (patch 3) is split out as a generic library so
NFSD export tagging (patches 8 and 9) can use it without further
churn in net/handshake/.

---
Chuck Lever (9):
      handshake: Require admin permission for DONE command
      handshake: Add tags to "done" downcall
      lib: Add a "tagset" data structure
      handshake: Pick up session tags passed during the DONE downcall
      handshake: Add a kunit test for the completion gate
      handshake: advertise the session-tag cap to user space
      SUNRPC: Copy the TLS session tags when they are available
      NFSD: Implement export tagging
      NFSD: Add allow_tags to the netlink export interface

 Documentation/core-api/index.rst           |   1 +
 Documentation/core-api/tagset.rst          | 225 +++++++++++++++++++++++++++++
 Documentation/netlink/specs/handshake.yaml |  16 ++
 Documentation/netlink/specs/nfsd.yaml      |  10 ++
 Documentation/networking/tls-handshake.rst |  63 +++++++-
 drivers/nvme/host/tcp.c                    |   3 +-
 drivers/nvme/target/tcp.c                  |   3 +-
 fs/nfsd/export.c                           | 141 +++++++++++++++++-
 fs/nfsd/export.h                           |  11 ++
 fs/nfsd/netlink.c                          |   4 +-
 fs/nfsd/netlink.h                          |   3 +-
 fs/nfsd/trace.h                            |  19 +++
 include/linux/sunrpc/svc_xprt.h            |   2 +
 include/linux/tagset.h                     | 187 ++++++++++++++++++++++++
 include/net/handshake.h                    |  30 +++-
 include/uapi/linux/handshake.h             |   4 +
 include/uapi/linux/nfsd_netlink.h          |   1 +
 lib/Makefile                               |   1 +
 lib/tagset.c                               | 174 ++++++++++++++++++++++
 net/handshake/genl.c                       |   7 +-
 net/handshake/handshake-test.c             |  72 +++++++++
 net/handshake/handshake.h                  |   6 +
 net/handshake/netlink.c                    | 109 +++++++++++++-
 net/handshake/request.c                    |  68 ++++++++-
 net/handshake/tlshd.c                      |  10 +-
 net/sunrpc/svc_xprt.c                      |  11 +-
 net/sunrpc/svcauth_unix.c                  |  12 ++
 net/sunrpc/svcsock.c                       |  38 ++++-
 net/sunrpc/xprtsock.c                      |   5 +-
 29 files changed, 1205 insertions(+), 31 deletions(-)
---
base-commit: 4d4d6605de5f91a40335729b6a7cc15e83b280f3
change-id: 20260512-tls-session-tags-9d0042583f44

Best regards,
--  
Chuck Lever
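As an added illustration, not code from this series, the following user-space C model shows the two behaviours the cover letter describes: the DONE-side handler truncating an over-long tag list at the cap with a warn-once instead of returning -E2BIG, and a consumer testing opaque tag membership against a per-export allow_tags set. The struct and function names, the cap of 4, and the rule that a non-empty intersection admits the session (with no allow_tags meaning no tag gate) are assumptions made for the example.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
/* Constructed cap and tag width; the series advertises the real cap at runtime. */
#define MAX_SESSION_TAGS 4
#define TAG_LEN 32
struct session_tags {		/* hypothetical stand-in for the series' tagset */
	unsigned int count;
	char tag[MAX_SESSION_TAGS][TAG_LEN];
};

/* DONE-side copy: truncate to the cap and warn once rather than failing the
 * handshake with -E2BIG. Returns the number of tags actually kept. */
static unsigned int session_tags_from_done(struct session_tags *st,
					   const char *const *tags, unsigned int n)
{
	static bool warned;
	if (n > MAX_SESSION_TAGS) {
		if (!warned)
			fprintf(stderr, "handshake: %u tags exceed cap; truncating\n", n);
		warned = true;
		n = MAX_SESSION_TAGS;
	}
	for (unsigned int i = 0; i < n; i++)
		snprintf(st->tag[i], TAG_LEN, "%s", tags[i]);
	st->count = n;
	return n;
}

/* Membership is the only operation the kernel performs on an opaque tag. */
static bool session_has_tag(const struct session_tags *st, const char *tag)
{
	for (unsigned int i = 0; i < st->count; i++)
		if (strcmp(st->tag[i], tag) == 0)
			return true;
	return false;
}

/* Consumer-side gate (assumed rule): an export with allow_tags admits the
 * session if the intersection is non-empty; no allow_tags means no tag gate. */
static bool export_admits_session(const char *const *allow, unsigned int n_allow,
				  const struct session_tags *st)
{
	if (n_allow == 0)
		return true;
	for (unsigned int i = 0; i < n_allow; i++)
		if (session_has_tag(st, allow[i]))
			return true;
	return false;
}
```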