]>
Commit | Line | Data |
---|---|---|
1da177e4 LT |
1 | #include <linux/types.h> |
2 | #include <linux/sched.h> | |
3 | #include <linux/module.h> | |
4 | #include <linux/sunrpc/types.h> | |
5 | #include <linux/sunrpc/xdr.h> | |
6 | #include <linux/sunrpc/svcsock.h> | |
7 | #include <linux/sunrpc/svcauth.h> | |
c4170583 | 8 | #include <linux/sunrpc/gss_api.h> |
1da177e4 LT |
9 | #include <linux/err.h> |
10 | #include <linux/seq_file.h> | |
11 | #include <linux/hash.h> | |
543537bd | 12 | #include <linux/string.h> |
7b2b1fee | 13 | #include <net/sock.h> |
f15364bd AC |
14 | #include <net/ipv6.h> |
15 | #include <linux/kernel.h> | |
1da177e4 LT |
16 | #define RPCDBG_FACILITY RPCDBG_AUTH |
17 | ||
07396051 | 18 | #include <linux/sunrpc/clnt.h> |
1da177e4 LT |
19 | |
20 | /* | |
21 | * AUTHUNIX and AUTHNULL credentials are both handled here. | |
22 | * AUTHNULL is treated just like AUTHUNIX except that the uid/gid | |
23 | * are always nobody (-2). i.e. we do the same IP address checks for | |
24 | * AUTHNULL as for AUTHUNIX, and that is done here. | |
25 | */ | |
26 | ||
27 | ||
1da177e4 LT |
28 | struct unix_domain { |
29 | struct auth_domain h; | |
30 | int addr_changes; | |
31 | /* other stuff later */ | |
32 | }; | |
33 | ||
efc36aa5 N |
34 | extern struct auth_ops svcauth_unix; |
35 | ||
1da177e4 LT |
36 | struct auth_domain *unix_domain_find(char *name) |
37 | { | |
efc36aa5 N |
38 | struct auth_domain *rv; |
39 | struct unix_domain *new = NULL; | |
40 | ||
41 | rv = auth_domain_lookup(name, NULL); | |
42 | while(1) { | |
ad1b5229 N |
43 | if (rv) { |
44 | if (new && rv != &new->h) | |
45 | auth_domain_put(&new->h); | |
46 | ||
47 | if (rv->flavour != &svcauth_unix) { | |
48 | auth_domain_put(rv); | |
49 | return NULL; | |
50 | } | |
efc36aa5 N |
51 | return rv; |
52 | } | |
efc36aa5 N |
53 | |
54 | new = kmalloc(sizeof(*new), GFP_KERNEL); | |
55 | if (new == NULL) | |
56 | return NULL; | |
57 | kref_init(&new->h.ref); | |
58 | new->h.name = kstrdup(name, GFP_KERNEL); | |
dd08d6ea N |
59 | if (new->h.name == NULL) { |
60 | kfree(new); | |
61 | return NULL; | |
62 | } | |
efc36aa5 N |
63 | new->h.flavour = &svcauth_unix; |
64 | new->addr_changes = 0; | |
65 | rv = auth_domain_lookup(name, &new->h); | |
1da177e4 | 66 | } |
1da177e4 | 67 | } |
24c3767e | 68 | EXPORT_SYMBOL_GPL(unix_domain_find); |
1da177e4 LT |
69 | |
70 | static void svcauth_unix_domain_release(struct auth_domain *dom) | |
71 | { | |
72 | struct unix_domain *ud = container_of(dom, struct unix_domain, h); | |
73 | ||
74 | kfree(dom->name); | |
75 | kfree(ud); | |
76 | } | |
77 | ||
78 | ||
79 | /************************************************** | |
80 | * cache for IP address to unix_domain | |
81 | * as needed by AUTH_UNIX | |
82 | */ | |
83 | #define IP_HASHBITS 8 | |
84 | #define IP_HASHMAX (1<<IP_HASHBITS) | |
85 | #define IP_HASHMASK (IP_HASHMAX-1) | |
86 | ||
87 | struct ip_map { | |
88 | struct cache_head h; | |
89 | char m_class[8]; /* e.g. "nfsd" */ | |
f15364bd | 90 | struct in6_addr m_addr; |
1da177e4 LT |
91 | struct unix_domain *m_client; |
92 | int m_add_change; | |
93 | }; | |
94 | static struct cache_head *ip_table[IP_HASHMAX]; | |
95 | ||
baab935f | 96 | static void ip_map_put(struct kref *kref) |
1da177e4 | 97 | { |
baab935f | 98 | struct cache_head *item = container_of(kref, struct cache_head, ref); |
1da177e4 | 99 | struct ip_map *im = container_of(item, struct ip_map,h); |
baab935f N |
100 | |
101 | if (test_bit(CACHE_VALID, &item->flags) && | |
102 | !test_bit(CACHE_NEGATIVE, &item->flags)) | |
103 | auth_domain_put(&im->m_client->h); | |
104 | kfree(im); | |
1da177e4 LT |
105 | } |
106 | ||
1f1e030b N |
107 | #if IP_HASHBITS == 8 |
108 | /* hash_long on a 64 bit machine is currently REALLY BAD for | |
109 | * IP addresses in reverse-endian (i.e. on a little-endian machine). | |
110 | * So use a trivial but reliable hash instead | |
111 | */ | |
4806126d | 112 | static inline int hash_ip(__be32 ip) |
1f1e030b | 113 | { |
4806126d | 114 | int hash = (__force u32)ip ^ ((__force u32)ip>>16); |
1f1e030b N |
115 | return (hash ^ (hash>>8)) & 0xff; |
116 | } | |
117 | #endif | |
f15364bd AC |
118 | static inline int hash_ip6(struct in6_addr ip) |
119 | { | |
120 | return (hash_ip(ip.s6_addr32[0]) ^ | |
121 | hash_ip(ip.s6_addr32[1]) ^ | |
122 | hash_ip(ip.s6_addr32[2]) ^ | |
123 | hash_ip(ip.s6_addr32[3])); | |
124 | } | |
1a9917c2 | 125 | static int ip_map_match(struct cache_head *corig, struct cache_head *cnew) |
1da177e4 | 126 | { |
1a9917c2 N |
127 | struct ip_map *orig = container_of(corig, struct ip_map, h); |
128 | struct ip_map *new = container_of(cnew, struct ip_map, h); | |
f64f9e71 JP |
129 | return strcmp(orig->m_class, new->m_class) == 0 && |
130 | ipv6_addr_equal(&orig->m_addr, &new->m_addr); | |
1da177e4 | 131 | } |
1a9917c2 | 132 | static void ip_map_init(struct cache_head *cnew, struct cache_head *citem) |
1da177e4 | 133 | { |
1a9917c2 N |
134 | struct ip_map *new = container_of(cnew, struct ip_map, h); |
135 | struct ip_map *item = container_of(citem, struct ip_map, h); | |
136 | ||
1da177e4 | 137 | strcpy(new->m_class, item->m_class); |
f15364bd | 138 | ipv6_addr_copy(&new->m_addr, &item->m_addr); |
1da177e4 | 139 | } |
1a9917c2 | 140 | static void update(struct cache_head *cnew, struct cache_head *citem) |
1da177e4 | 141 | { |
1a9917c2 N |
142 | struct ip_map *new = container_of(cnew, struct ip_map, h); |
143 | struct ip_map *item = container_of(citem, struct ip_map, h); | |
144 | ||
efc36aa5 | 145 | kref_get(&item->m_client->h.ref); |
1da177e4 LT |
146 | new->m_client = item->m_client; |
147 | new->m_add_change = item->m_add_change; | |
148 | } | |
1a9917c2 N |
149 | static struct cache_head *ip_map_alloc(void) |
150 | { | |
151 | struct ip_map *i = kmalloc(sizeof(*i), GFP_KERNEL); | |
152 | if (i) | |
153 | return &i->h; | |
154 | else | |
155 | return NULL; | |
156 | } | |
1da177e4 LT |
157 | |
158 | static void ip_map_request(struct cache_detail *cd, | |
159 | struct cache_head *h, | |
160 | char **bpp, int *blen) | |
161 | { | |
f15364bd | 162 | char text_addr[40]; |
1da177e4 | 163 | struct ip_map *im = container_of(h, struct ip_map, h); |
1da177e4 | 164 | |
f15364bd | 165 | if (ipv6_addr_v4mapped(&(im->m_addr))) { |
21454aaa | 166 | snprintf(text_addr, 20, "%pI4", &im->m_addr.s6_addr32[3]); |
f15364bd | 167 | } else { |
5b095d98 | 168 | snprintf(text_addr, 40, "%pI6", &im->m_addr); |
f15364bd | 169 | } |
1da177e4 LT |
170 | qword_add(bpp, blen, im->m_class); |
171 | qword_add(bpp, blen, text_addr); | |
172 | (*bpp)[-1] = '\n'; | |
173 | } | |
174 | ||
bc74b4f5 TM |
175 | static int ip_map_upcall(struct cache_detail *cd, struct cache_head *h) |
176 | { | |
177 | return sunrpc_cache_pipe_upcall(cd, h, ip_map_request); | |
178 | } | |
179 | ||
f15364bd | 180 | static struct ip_map *ip_map_lookup(char *class, struct in6_addr *addr); |
1a9917c2 | 181 | static int ip_map_update(struct ip_map *ipm, struct unix_domain *udom, time_t expiry); |
1da177e4 LT |
182 | |
183 | static int ip_map_parse(struct cache_detail *cd, | |
184 | char *mesg, int mlen) | |
185 | { | |
186 | /* class ipaddress [domainname] */ | |
187 | /* should be safe just to use the start of the input buffer | |
188 | * for scratch: */ | |
189 | char *buf = mesg; | |
190 | int len; | |
1a9917c2 | 191 | char class[8]; |
07396051 CL |
192 | union { |
193 | struct sockaddr sa; | |
194 | struct sockaddr_in s4; | |
195 | struct sockaddr_in6 s6; | |
196 | } address; | |
197 | struct sockaddr_in6 sin6; | |
1a9917c2 N |
198 | int err; |
199 | ||
200 | struct ip_map *ipmp; | |
1da177e4 LT |
201 | struct auth_domain *dom; |
202 | time_t expiry; | |
203 | ||
204 | if (mesg[mlen-1] != '\n') | |
205 | return -EINVAL; | |
206 | mesg[mlen-1] = 0; | |
207 | ||
208 | /* class */ | |
1a9917c2 | 209 | len = qword_get(&mesg, class, sizeof(class)); |
1da177e4 LT |
210 | if (len <= 0) return -EINVAL; |
211 | ||
212 | /* ip address */ | |
213 | len = qword_get(&mesg, buf, mlen); | |
214 | if (len <= 0) return -EINVAL; | |
215 | ||
07396051 | 216 | if (rpc_pton(buf, len, &address.sa, sizeof(address)) == 0) |
1da177e4 | 217 | return -EINVAL; |
07396051 CL |
218 | switch (address.sa.sa_family) { |
219 | case AF_INET: | |
220 | /* Form a mapped IPv4 address in sin6 */ | |
221 | memset(&sin6, 0, sizeof(sin6)); | |
222 | sin6.sin6_family = AF_INET6; | |
223 | sin6.sin6_addr.s6_addr32[2] = htonl(0xffff); | |
224 | sin6.sin6_addr.s6_addr32[3] = address.s4.sin_addr.s_addr; | |
225 | break; | |
226 | #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE) | |
227 | case AF_INET6: | |
228 | memcpy(&sin6, &address.s6, sizeof(sin6)); | |
229 | break; | |
230 | #endif | |
231 | default: | |
232 | return -EINVAL; | |
233 | } | |
cca5172a | 234 | |
1da177e4 LT |
235 | expiry = get_expiry(&mesg); |
236 | if (expiry ==0) | |
237 | return -EINVAL; | |
238 | ||
239 | /* domainname, or empty for NEGATIVE */ | |
240 | len = qword_get(&mesg, buf, mlen); | |
241 | if (len < 0) return -EINVAL; | |
242 | ||
243 | if (len) { | |
244 | dom = unix_domain_find(buf); | |
245 | if (dom == NULL) | |
246 | return -ENOENT; | |
247 | } else | |
248 | dom = NULL; | |
249 | ||
07396051 CL |
250 | /* IPv6 scope IDs are ignored for now */ |
251 | ipmp = ip_map_lookup(class, &sin6.sin6_addr); | |
1a9917c2 N |
252 | if (ipmp) { |
253 | err = ip_map_update(ipmp, | |
254 | container_of(dom, struct unix_domain, h), | |
255 | expiry); | |
1da177e4 | 256 | } else |
1a9917c2 | 257 | err = -ENOMEM; |
1da177e4 | 258 | |
1da177e4 LT |
259 | if (dom) |
260 | auth_domain_put(dom); | |
1a9917c2 | 261 | |
1da177e4 | 262 | cache_flush(); |
1a9917c2 | 263 | return err; |
1da177e4 LT |
264 | } |
265 | ||
266 | static int ip_map_show(struct seq_file *m, | |
267 | struct cache_detail *cd, | |
268 | struct cache_head *h) | |
269 | { | |
270 | struct ip_map *im; | |
f15364bd | 271 | struct in6_addr addr; |
1da177e4 LT |
272 | char *dom = "-no-domain-"; |
273 | ||
274 | if (h == NULL) { | |
275 | seq_puts(m, "#class IP domain\n"); | |
276 | return 0; | |
277 | } | |
278 | im = container_of(h, struct ip_map, h); | |
279 | /* class addr domain */ | |
f15364bd | 280 | ipv6_addr_copy(&addr, &im->m_addr); |
1da177e4 | 281 | |
cca5172a | 282 | if (test_bit(CACHE_VALID, &h->flags) && |
1da177e4 LT |
283 | !test_bit(CACHE_NEGATIVE, &h->flags)) |
284 | dom = im->m_client->h.name; | |
285 | ||
f15364bd | 286 | if (ipv6_addr_v4mapped(&addr)) { |
21454aaa HH |
287 | seq_printf(m, "%s %pI4 %s\n", |
288 | im->m_class, &addr.s6_addr32[3], dom); | |
f15364bd | 289 | } else { |
5b095d98 | 290 | seq_printf(m, "%s %pI6 %s\n", im->m_class, &addr, dom); |
f15364bd | 291 | } |
1da177e4 LT |
292 | return 0; |
293 | } | |
cca5172a | 294 | |
1da177e4 LT |
295 | |
296 | struct cache_detail ip_map_cache = { | |
f35279d3 | 297 | .owner = THIS_MODULE, |
1da177e4 LT |
298 | .hash_size = IP_HASHMAX, |
299 | .hash_table = ip_table, | |
300 | .name = "auth.unix.ip", | |
301 | .cache_put = ip_map_put, | |
bc74b4f5 | 302 | .cache_upcall = ip_map_upcall, |
1da177e4 LT |
303 | .cache_parse = ip_map_parse, |
304 | .cache_show = ip_map_show, | |
1a9917c2 N |
305 | .match = ip_map_match, |
306 | .init = ip_map_init, | |
307 | .update = update, | |
308 | .alloc = ip_map_alloc, | |
1da177e4 LT |
309 | }; |
310 | ||
f15364bd | 311 | static struct ip_map *ip_map_lookup(char *class, struct in6_addr *addr) |
1a9917c2 N |
312 | { |
313 | struct ip_map ip; | |
314 | struct cache_head *ch; | |
315 | ||
316 | strcpy(ip.m_class, class); | |
f15364bd | 317 | ipv6_addr_copy(&ip.m_addr, addr); |
1a9917c2 N |
318 | ch = sunrpc_cache_lookup(&ip_map_cache, &ip.h, |
319 | hash_str(class, IP_HASHBITS) ^ | |
f15364bd | 320 | hash_ip6(*addr)); |
1a9917c2 N |
321 | |
322 | if (ch) | |
323 | return container_of(ch, struct ip_map, h); | |
324 | else | |
325 | return NULL; | |
326 | } | |
1da177e4 | 327 | |
1a9917c2 N |
328 | static int ip_map_update(struct ip_map *ipm, struct unix_domain *udom, time_t expiry) |
329 | { | |
330 | struct ip_map ip; | |
331 | struct cache_head *ch; | |
332 | ||
333 | ip.m_client = udom; | |
334 | ip.h.flags = 0; | |
335 | if (!udom) | |
336 | set_bit(CACHE_NEGATIVE, &ip.h.flags); | |
337 | else { | |
338 | ip.m_add_change = udom->addr_changes; | |
339 | /* if this is from the legacy set_client system call, | |
340 | * we need m_add_change to be one higher | |
341 | */ | |
342 | if (expiry == NEVER) | |
343 | ip.m_add_change++; | |
344 | } | |
345 | ip.h.expiry_time = expiry; | |
346 | ch = sunrpc_cache_update(&ip_map_cache, | |
347 | &ip.h, &ipm->h, | |
348 | hash_str(ipm->m_class, IP_HASHBITS) ^ | |
f15364bd | 349 | hash_ip6(ipm->m_addr)); |
1a9917c2 N |
350 | if (!ch) |
351 | return -ENOMEM; | |
baab935f | 352 | cache_put(ch, &ip_map_cache); |
1a9917c2 N |
353 | return 0; |
354 | } | |
1da177e4 | 355 | |
f15364bd | 356 | int auth_unix_add_addr(struct in6_addr *addr, struct auth_domain *dom) |
1da177e4 LT |
357 | { |
358 | struct unix_domain *udom; | |
1a9917c2 | 359 | struct ip_map *ipmp; |
1da177e4 | 360 | |
efc36aa5 | 361 | if (dom->flavour != &svcauth_unix) |
1da177e4 LT |
362 | return -EINVAL; |
363 | udom = container_of(dom, struct unix_domain, h); | |
1a9917c2 | 364 | ipmp = ip_map_lookup("nfsd", addr); |
1da177e4 | 365 | |
1a9917c2 N |
366 | if (ipmp) |
367 | return ip_map_update(ipmp, udom, NEVER); | |
368 | else | |
1da177e4 LT |
369 | return -ENOMEM; |
370 | } | |
24c3767e | 371 | EXPORT_SYMBOL_GPL(auth_unix_add_addr); |
1da177e4 LT |
372 | |
373 | int auth_unix_forget_old(struct auth_domain *dom) | |
374 | { | |
375 | struct unix_domain *udom; | |
cca5172a | 376 | |
efc36aa5 | 377 | if (dom->flavour != &svcauth_unix) |
1da177e4 LT |
378 | return -EINVAL; |
379 | udom = container_of(dom, struct unix_domain, h); | |
380 | udom->addr_changes++; | |
381 | return 0; | |
382 | } | |
24c3767e | 383 | EXPORT_SYMBOL_GPL(auth_unix_forget_old); |
1da177e4 | 384 | |
f15364bd | 385 | struct auth_domain *auth_unix_lookup(struct in6_addr *addr) |
1da177e4 | 386 | { |
40f10522 | 387 | struct ip_map *ipm; |
1da177e4 LT |
388 | struct auth_domain *rv; |
389 | ||
1a9917c2 | 390 | ipm = ip_map_lookup("nfsd", addr); |
1da177e4 LT |
391 | |
392 | if (!ipm) | |
393 | return NULL; | |
394 | if (cache_check(&ip_map_cache, &ipm->h, NULL)) | |
395 | return NULL; | |
396 | ||
397 | if ((ipm->m_client->addr_changes - ipm->m_add_change) >0) { | |
398 | if (test_and_set_bit(CACHE_NEGATIVE, &ipm->h.flags) == 0) | |
399 | auth_domain_put(&ipm->m_client->h); | |
400 | rv = NULL; | |
401 | } else { | |
402 | rv = &ipm->m_client->h; | |
efc36aa5 | 403 | kref_get(&rv->ref); |
1da177e4 | 404 | } |
baab935f | 405 | cache_put(&ipm->h, &ip_map_cache); |
1da177e4 LT |
406 | return rv; |
407 | } | |
24c3767e | 408 | EXPORT_SYMBOL_GPL(auth_unix_lookup); |
1da177e4 LT |
409 | |
410 | void svcauth_unix_purge(void) | |
411 | { | |
412 | cache_purge(&ip_map_cache); | |
1da177e4 | 413 | } |
24c3767e | 414 | EXPORT_SYMBOL_GPL(svcauth_unix_purge); |
1da177e4 | 415 | |
7b2b1fee GB |
416 | static inline struct ip_map * |
417 | ip_map_cached_get(struct svc_rqst *rqstp) | |
418 | { | |
def13d74 TT |
419 | struct ip_map *ipm = NULL; |
420 | struct svc_xprt *xprt = rqstp->rq_xprt; | |
421 | ||
422 | if (test_bit(XPT_CACHE_AUTH, &xprt->xpt_flags)) { | |
423 | spin_lock(&xprt->xpt_lock); | |
424 | ipm = xprt->xpt_auth_cache; | |
425 | if (ipm != NULL) { | |
426 | if (!cache_valid(&ipm->h)) { | |
427 | /* | |
428 | * The entry has been invalidated since it was | |
429 | * remembered, e.g. by a second mount from the | |
430 | * same IP address. | |
431 | */ | |
432 | xprt->xpt_auth_cache = NULL; | |
433 | spin_unlock(&xprt->xpt_lock); | |
434 | cache_put(&ipm->h, &ip_map_cache); | |
435 | return NULL; | |
436 | } | |
437 | cache_get(&ipm->h); | |
7b2b1fee | 438 | } |
def13d74 | 439 | spin_unlock(&xprt->xpt_lock); |
7b2b1fee GB |
440 | } |
441 | return ipm; | |
442 | } | |
443 | ||
444 | static inline void | |
445 | ip_map_cached_put(struct svc_rqst *rqstp, struct ip_map *ipm) | |
446 | { | |
def13d74 TT |
447 | struct svc_xprt *xprt = rqstp->rq_xprt; |
448 | ||
449 | if (test_bit(XPT_CACHE_AUTH, &xprt->xpt_flags)) { | |
450 | spin_lock(&xprt->xpt_lock); | |
451 | if (xprt->xpt_auth_cache == NULL) { | |
452 | /* newly cached, keep the reference */ | |
453 | xprt->xpt_auth_cache = ipm; | |
454 | ipm = NULL; | |
455 | } | |
456 | spin_unlock(&xprt->xpt_lock); | |
30f3deee | 457 | } |
30f3deee | 458 | if (ipm) |
7b2b1fee GB |
459 | cache_put(&ipm->h, &ip_map_cache); |
460 | } | |
461 | ||
462 | void | |
463 | svcauth_unix_info_release(void *info) | |
464 | { | |
465 | struct ip_map *ipm = info; | |
466 | cache_put(&ipm->h, &ip_map_cache); | |
467 | } | |
468 | ||
3fc605a2 N |
469 | /**************************************************************************** |
470 | * auth.unix.gid cache | |
471 | * simple cache to map a UID to a list of GIDs | |
472 | * because AUTH_UNIX aka AUTH_SYS has a max of 16 | |
473 | */ | |
474 | #define GID_HASHBITS 8 | |
475 | #define GID_HASHMAX (1<<GID_HASHBITS) | |
476 | #define GID_HASHMASK (GID_HASHMAX - 1) | |
477 | ||
478 | struct unix_gid { | |
479 | struct cache_head h; | |
480 | uid_t uid; | |
481 | struct group_info *gi; | |
482 | }; | |
483 | static struct cache_head *gid_table[GID_HASHMAX]; | |
484 | ||
485 | static void unix_gid_put(struct kref *kref) | |
486 | { | |
487 | struct cache_head *item = container_of(kref, struct cache_head, ref); | |
488 | struct unix_gid *ug = container_of(item, struct unix_gid, h); | |
489 | if (test_bit(CACHE_VALID, &item->flags) && | |
490 | !test_bit(CACHE_NEGATIVE, &item->flags)) | |
491 | put_group_info(ug->gi); | |
492 | kfree(ug); | |
493 | } | |
494 | ||
495 | static int unix_gid_match(struct cache_head *corig, struct cache_head *cnew) | |
496 | { | |
497 | struct unix_gid *orig = container_of(corig, struct unix_gid, h); | |
498 | struct unix_gid *new = container_of(cnew, struct unix_gid, h); | |
499 | return orig->uid == new->uid; | |
500 | } | |
501 | static void unix_gid_init(struct cache_head *cnew, struct cache_head *citem) | |
502 | { | |
503 | struct unix_gid *new = container_of(cnew, struct unix_gid, h); | |
504 | struct unix_gid *item = container_of(citem, struct unix_gid, h); | |
505 | new->uid = item->uid; | |
506 | } | |
507 | static void unix_gid_update(struct cache_head *cnew, struct cache_head *citem) | |
508 | { | |
509 | struct unix_gid *new = container_of(cnew, struct unix_gid, h); | |
510 | struct unix_gid *item = container_of(citem, struct unix_gid, h); | |
511 | ||
512 | get_group_info(item->gi); | |
513 | new->gi = item->gi; | |
514 | } | |
515 | static struct cache_head *unix_gid_alloc(void) | |
516 | { | |
517 | struct unix_gid *g = kmalloc(sizeof(*g), GFP_KERNEL); | |
518 | if (g) | |
519 | return &g->h; | |
520 | else | |
521 | return NULL; | |
522 | } | |
523 | ||
524 | static void unix_gid_request(struct cache_detail *cd, | |
525 | struct cache_head *h, | |
526 | char **bpp, int *blen) | |
527 | { | |
528 | char tuid[20]; | |
529 | struct unix_gid *ug = container_of(h, struct unix_gid, h); | |
530 | ||
531 | snprintf(tuid, 20, "%u", ug->uid); | |
532 | qword_add(bpp, blen, tuid); | |
533 | (*bpp)[-1] = '\n'; | |
534 | } | |
535 | ||
bc74b4f5 TM |
536 | static int unix_gid_upcall(struct cache_detail *cd, struct cache_head *h) |
537 | { | |
538 | return sunrpc_cache_pipe_upcall(cd, h, unix_gid_request); | |
539 | } | |
540 | ||
3fc605a2 N |
541 | static struct unix_gid *unix_gid_lookup(uid_t uid); |
542 | extern struct cache_detail unix_gid_cache; | |
543 | ||
544 | static int unix_gid_parse(struct cache_detail *cd, | |
545 | char *mesg, int mlen) | |
546 | { | |
547 | /* uid expiry Ngid gid0 gid1 ... gidN-1 */ | |
548 | int uid; | |
549 | int gids; | |
550 | int rv; | |
551 | int i; | |
552 | int err; | |
553 | time_t expiry; | |
554 | struct unix_gid ug, *ugp; | |
555 | ||
556 | if (mlen <= 0 || mesg[mlen-1] != '\n') | |
557 | return -EINVAL; | |
558 | mesg[mlen-1] = 0; | |
559 | ||
560 | rv = get_int(&mesg, &uid); | |
561 | if (rv) | |
562 | return -EINVAL; | |
563 | ug.uid = uid; | |
564 | ||
565 | expiry = get_expiry(&mesg); | |
566 | if (expiry == 0) | |
567 | return -EINVAL; | |
568 | ||
569 | rv = get_int(&mesg, &gids); | |
570 | if (rv || gids < 0 || gids > 8192) | |
571 | return -EINVAL; | |
572 | ||
573 | ug.gi = groups_alloc(gids); | |
574 | if (!ug.gi) | |
575 | return -ENOMEM; | |
576 | ||
577 | for (i = 0 ; i < gids ; i++) { | |
578 | int gid; | |
579 | rv = get_int(&mesg, &gid); | |
580 | err = -EINVAL; | |
581 | if (rv) | |
582 | goto out; | |
583 | GROUP_AT(ug.gi, i) = gid; | |
584 | } | |
585 | ||
586 | ugp = unix_gid_lookup(uid); | |
587 | if (ugp) { | |
588 | struct cache_head *ch; | |
589 | ug.h.flags = 0; | |
590 | ug.h.expiry_time = expiry; | |
591 | ch = sunrpc_cache_update(&unix_gid_cache, | |
592 | &ug.h, &ugp->h, | |
593 | hash_long(uid, GID_HASHBITS)); | |
594 | if (!ch) | |
595 | err = -ENOMEM; | |
596 | else { | |
597 | err = 0; | |
598 | cache_put(ch, &unix_gid_cache); | |
599 | } | |
600 | } else | |
601 | err = -ENOMEM; | |
602 | out: | |
603 | if (ug.gi) | |
604 | put_group_info(ug.gi); | |
605 | return err; | |
606 | } | |
607 | ||
608 | static int unix_gid_show(struct seq_file *m, | |
609 | struct cache_detail *cd, | |
610 | struct cache_head *h) | |
611 | { | |
612 | struct unix_gid *ug; | |
613 | int i; | |
614 | int glen; | |
615 | ||
616 | if (h == NULL) { | |
617 | seq_puts(m, "#uid cnt: gids...\n"); | |
618 | return 0; | |
619 | } | |
620 | ug = container_of(h, struct unix_gid, h); | |
621 | if (test_bit(CACHE_VALID, &h->flags) && | |
622 | !test_bit(CACHE_NEGATIVE, &h->flags)) | |
623 | glen = ug->gi->ngroups; | |
624 | else | |
625 | glen = 0; | |
626 | ||
ccdb357c | 627 | seq_printf(m, "%u %d:", ug->uid, glen); |
3fc605a2 N |
628 | for (i = 0; i < glen; i++) |
629 | seq_printf(m, " %d", GROUP_AT(ug->gi, i)); | |
630 | seq_printf(m, "\n"); | |
631 | return 0; | |
632 | } | |
633 | ||
634 | struct cache_detail unix_gid_cache = { | |
635 | .owner = THIS_MODULE, | |
636 | .hash_size = GID_HASHMAX, | |
637 | .hash_table = gid_table, | |
638 | .name = "auth.unix.gid", | |
639 | .cache_put = unix_gid_put, | |
bc74b4f5 | 640 | .cache_upcall = unix_gid_upcall, |
3fc605a2 N |
641 | .cache_parse = unix_gid_parse, |
642 | .cache_show = unix_gid_show, | |
643 | .match = unix_gid_match, | |
644 | .init = unix_gid_init, | |
645 | .update = unix_gid_update, | |
646 | .alloc = unix_gid_alloc, | |
647 | }; | |
648 | ||
649 | static struct unix_gid *unix_gid_lookup(uid_t uid) | |
650 | { | |
651 | struct unix_gid ug; | |
652 | struct cache_head *ch; | |
653 | ||
654 | ug.uid = uid; | |
655 | ch = sunrpc_cache_lookup(&unix_gid_cache, &ug.h, | |
656 | hash_long(uid, GID_HASHBITS)); | |
657 | if (ch) | |
658 | return container_of(ch, struct unix_gid, h); | |
659 | else | |
660 | return NULL; | |
661 | } | |
662 | ||
dc83d6e2 | 663 | static struct group_info *unix_gid_find(uid_t uid, struct svc_rqst *rqstp) |
3fc605a2 | 664 | { |
dc83d6e2 BF |
665 | struct unix_gid *ug; |
666 | struct group_info *gi; | |
667 | int ret; | |
668 | ||
669 | ug = unix_gid_lookup(uid); | |
3fc605a2 | 670 | if (!ug) |
dc83d6e2 BF |
671 | return ERR_PTR(-EAGAIN); |
672 | ret = cache_check(&unix_gid_cache, &ug->h, &rqstp->rq_chandle); | |
673 | switch (ret) { | |
3fc605a2 | 674 | case -ENOENT: |
dc83d6e2 | 675 | return ERR_PTR(-ENOENT); |
3fc605a2 | 676 | case 0: |
dc83d6e2 | 677 | gi = get_group_info(ug->gi); |
560ab42e | 678 | cache_put(&ug->h, &unix_gid_cache); |
dc83d6e2 | 679 | return gi; |
3fc605a2 | 680 | default: |
dc83d6e2 | 681 | return ERR_PTR(-EAGAIN); |
3fc605a2 N |
682 | } |
683 | } | |
684 | ||
3ab4d8b1 | 685 | int |
1da177e4 LT |
686 | svcauth_unix_set_client(struct svc_rqst *rqstp) |
687 | { | |
f15364bd AC |
688 | struct sockaddr_in *sin; |
689 | struct sockaddr_in6 *sin6, sin6_storage; | |
1a9917c2 | 690 | struct ip_map *ipm; |
dc83d6e2 BF |
691 | struct group_info *gi; |
692 | struct svc_cred *cred = &rqstp->rq_cred; | |
1da177e4 | 693 | |
f15364bd AC |
694 | switch (rqstp->rq_addr.ss_family) { |
695 | case AF_INET: | |
696 | sin = svc_addr_in(rqstp); | |
697 | sin6 = &sin6_storage; | |
b301e82c | 698 | ipv6_addr_set_v4mapped(sin->sin_addr.s_addr, &sin6->sin6_addr); |
f15364bd AC |
699 | break; |
700 | case AF_INET6: | |
701 | sin6 = svc_addr_in6(rqstp); | |
702 | break; | |
703 | default: | |
704 | BUG(); | |
705 | } | |
706 | ||
1da177e4 LT |
707 | rqstp->rq_client = NULL; |
708 | if (rqstp->rq_proc == 0) | |
709 | return SVC_OK; | |
710 | ||
7b2b1fee GB |
711 | ipm = ip_map_cached_get(rqstp); |
712 | if (ipm == NULL) | |
713 | ipm = ip_map_lookup(rqstp->rq_server->sv_program->pg_class, | |
f15364bd | 714 | &sin6->sin6_addr); |
1da177e4 LT |
715 | |
716 | if (ipm == NULL) | |
717 | return SVC_DENIED; | |
718 | ||
719 | switch (cache_check(&ip_map_cache, &ipm->h, &rqstp->rq_chandle)) { | |
720 | default: | |
721 | BUG(); | |
722 | case -EAGAIN: | |
e0bb89ef | 723 | case -ETIMEDOUT: |
1da177e4 LT |
724 | return SVC_DROP; |
725 | case -ENOENT: | |
726 | return SVC_DENIED; | |
727 | case 0: | |
728 | rqstp->rq_client = &ipm->m_client->h; | |
efc36aa5 | 729 | kref_get(&rqstp->rq_client->ref); |
7b2b1fee | 730 | ip_map_cached_put(rqstp, ipm); |
1da177e4 LT |
731 | break; |
732 | } | |
dc83d6e2 BF |
733 | |
734 | gi = unix_gid_find(cred->cr_uid, rqstp); | |
735 | switch (PTR_ERR(gi)) { | |
736 | case -EAGAIN: | |
737 | return SVC_DROP; | |
738 | case -ENOENT: | |
739 | break; | |
740 | default: | |
741 | put_group_info(cred->cr_group_info); | |
742 | cred->cr_group_info = gi; | |
743 | } | |
1da177e4 LT |
744 | return SVC_OK; |
745 | } | |
746 | ||
24c3767e | 747 | EXPORT_SYMBOL_GPL(svcauth_unix_set_client); |
3ab4d8b1 | 748 | |
1da177e4 | 749 | static int |
d8ed029d | 750 | svcauth_null_accept(struct svc_rqst *rqstp, __be32 *authp) |
1da177e4 LT |
751 | { |
752 | struct kvec *argv = &rqstp->rq_arg.head[0]; | |
753 | struct kvec *resv = &rqstp->rq_res.head[0]; | |
754 | struct svc_cred *cred = &rqstp->rq_cred; | |
755 | ||
756 | cred->cr_group_info = NULL; | |
757 | rqstp->rq_client = NULL; | |
758 | ||
759 | if (argv->iov_len < 3*4) | |
760 | return SVC_GARBAGE; | |
761 | ||
cca5172a | 762 | if (svc_getu32(argv) != 0) { |
1da177e4 LT |
763 | dprintk("svc: bad null cred\n"); |
764 | *authp = rpc_autherr_badcred; | |
765 | return SVC_DENIED; | |
766 | } | |
76994313 | 767 | if (svc_getu32(argv) != htonl(RPC_AUTH_NULL) || svc_getu32(argv) != 0) { |
1da177e4 LT |
768 | dprintk("svc: bad null verf\n"); |
769 | *authp = rpc_autherr_badverf; | |
770 | return SVC_DENIED; | |
771 | } | |
772 | ||
773 | /* Signal that mapping to nobody uid/gid is required */ | |
774 | cred->cr_uid = (uid_t) -1; | |
775 | cred->cr_gid = (gid_t) -1; | |
776 | cred->cr_group_info = groups_alloc(0); | |
777 | if (cred->cr_group_info == NULL) | |
778 | return SVC_DROP; /* kmalloc failure - client must retry */ | |
779 | ||
780 | /* Put NULL verifier */ | |
76994313 AD |
781 | svc_putnl(resv, RPC_AUTH_NULL); |
782 | svc_putnl(resv, 0); | |
1da177e4 | 783 | |
c4170583 | 784 | rqstp->rq_flavor = RPC_AUTH_NULL; |
1da177e4 LT |
785 | return SVC_OK; |
786 | } | |
787 | ||
788 | static int | |
789 | svcauth_null_release(struct svc_rqst *rqstp) | |
790 | { | |
791 | if (rqstp->rq_client) | |
792 | auth_domain_put(rqstp->rq_client); | |
793 | rqstp->rq_client = NULL; | |
794 | if (rqstp->rq_cred.cr_group_info) | |
795 | put_group_info(rqstp->rq_cred.cr_group_info); | |
796 | rqstp->rq_cred.cr_group_info = NULL; | |
797 | ||
798 | return 0; /* don't drop */ | |
799 | } | |
800 | ||
801 | ||
802 | struct auth_ops svcauth_null = { | |
803 | .name = "null", | |
804 | .owner = THIS_MODULE, | |
805 | .flavour = RPC_AUTH_NULL, | |
806 | .accept = svcauth_null_accept, | |
807 | .release = svcauth_null_release, | |
808 | .set_client = svcauth_unix_set_client, | |
809 | }; | |
810 | ||
811 | ||
812 | static int | |
d8ed029d | 813 | svcauth_unix_accept(struct svc_rqst *rqstp, __be32 *authp) |
1da177e4 LT |
814 | { |
815 | struct kvec *argv = &rqstp->rq_arg.head[0]; | |
816 | struct kvec *resv = &rqstp->rq_res.head[0]; | |
817 | struct svc_cred *cred = &rqstp->rq_cred; | |
818 | u32 slen, i; | |
819 | int len = argv->iov_len; | |
820 | ||
821 | cred->cr_group_info = NULL; | |
822 | rqstp->rq_client = NULL; | |
823 | ||
824 | if ((len -= 3*4) < 0) | |
825 | return SVC_GARBAGE; | |
826 | ||
827 | svc_getu32(argv); /* length */ | |
828 | svc_getu32(argv); /* time stamp */ | |
76994313 | 829 | slen = XDR_QUADLEN(svc_getnl(argv)); /* machname length */ |
1da177e4 LT |
830 | if (slen > 64 || (len -= (slen + 3)*4) < 0) |
831 | goto badcred; | |
d8ed029d | 832 | argv->iov_base = (void*)((__be32*)argv->iov_base + slen); /* skip machname */ |
1da177e4 LT |
833 | argv->iov_len -= slen*4; |
834 | ||
76994313 AD |
835 | cred->cr_uid = svc_getnl(argv); /* uid */ |
836 | cred->cr_gid = svc_getnl(argv); /* gid */ | |
837 | slen = svc_getnl(argv); /* gids length */ | |
1da177e4 LT |
838 | if (slen > 16 || (len -= (slen + 2)*4) < 0) |
839 | goto badcred; | |
dc83d6e2 BF |
840 | cred->cr_group_info = groups_alloc(slen); |
841 | if (cred->cr_group_info == NULL) | |
1da177e4 | 842 | return SVC_DROP; |
dc83d6e2 BF |
843 | for (i = 0; i < slen; i++) |
844 | GROUP_AT(cred->cr_group_info, i) = svc_getnl(argv); | |
76994313 | 845 | if (svc_getu32(argv) != htonl(RPC_AUTH_NULL) || svc_getu32(argv) != 0) { |
1da177e4 LT |
846 | *authp = rpc_autherr_badverf; |
847 | return SVC_DENIED; | |
848 | } | |
849 | ||
850 | /* Put NULL verifier */ | |
76994313 AD |
851 | svc_putnl(resv, RPC_AUTH_NULL); |
852 | svc_putnl(resv, 0); | |
1da177e4 | 853 | |
c4170583 | 854 | rqstp->rq_flavor = RPC_AUTH_UNIX; |
1da177e4 LT |
855 | return SVC_OK; |
856 | ||
857 | badcred: | |
858 | *authp = rpc_autherr_badcred; | |
859 | return SVC_DENIED; | |
860 | } | |
861 | ||
862 | static int | |
863 | svcauth_unix_release(struct svc_rqst *rqstp) | |
864 | { | |
865 | /* Verifier (such as it is) is already in place. | |
866 | */ | |
867 | if (rqstp->rq_client) | |
868 | auth_domain_put(rqstp->rq_client); | |
869 | rqstp->rq_client = NULL; | |
870 | if (rqstp->rq_cred.cr_group_info) | |
871 | put_group_info(rqstp->rq_cred.cr_group_info); | |
872 | rqstp->rq_cred.cr_group_info = NULL; | |
873 | ||
874 | return 0; | |
875 | } | |
876 | ||
877 | ||
878 | struct auth_ops svcauth_unix = { | |
879 | .name = "unix", | |
880 | .owner = THIS_MODULE, | |
881 | .flavour = RPC_AUTH_UNIX, | |
882 | .accept = svcauth_unix_accept, | |
883 | .release = svcauth_unix_release, | |
884 | .domain_release = svcauth_unix_domain_release, | |
885 | .set_client = svcauth_unix_set_client, | |
886 | }; | |
887 |