]> git.proxmox.com Git - mirror_ubuntu-focal-kernel.git/blob - net/sunrpc/auth.c
projects / mirror_ubuntu-focal-kernel.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Merge tag 'sh-pfc-for-v5.1-tag2' of git://git.kernel.org/pub/scm/linux/kernel/git...
[mirror_ubuntu-focal-kernel.git] / net / sunrpc / auth.c
1 /*
2 * linux/net/sunrpc/auth.c
3 *
4 * Generic RPC client authentication API.
5 *
6 * Copyright (C) 1996, Olaf Kirch <okir@monad.swb.de>
7 */
8
9 #include <linux/types.h>
10 #include <linux/sched.h>
11 #include <linux/cred.h>
12 #include <linux/module.h>
13 #include <linux/slab.h>
14 #include <linux/errno.h>
15 #include <linux/hash.h>
16 #include <linux/sunrpc/clnt.h>
17 #include <linux/sunrpc/gss_api.h>
18 #include <linux/spinlock.h>
19
20 #if IS_ENABLED(CONFIG_SUNRPC_DEBUG)
21 # define RPCDBG_FACILITY RPCDBG_AUTH
22 #endif
23
24 #define RPC_CREDCACHE_DEFAULT_HASHBITS (4)
25 struct rpc_cred_cache {
26 struct hlist_head *hashtable;
27 unsigned int hashbits;
28 spinlock_t lock;
29 };
30
31 static unsigned int auth_hashbits = RPC_CREDCACHE_DEFAULT_HASHBITS;
32
33 static const struct rpc_authops __rcu *auth_flavors[RPC_AUTH_MAXFLAVOR] = {
34 [RPC_AUTH_NULL] = (const struct rpc_authops __force __rcu *)&authnull_ops,
35 [RPC_AUTH_UNIX] = (const struct rpc_authops __force __rcu *)&authunix_ops,
36 NULL, /* others can be loadable modules */
37 };
38
39 static LIST_HEAD(cred_unused);
40 static unsigned long number_cred_unused;
41
42 static struct cred machine_cred = {
43 .usage = ATOMIC_INIT(1),
44 #ifdef CONFIG_DEBUG_CREDENTIALS
45 .magic = CRED_MAGIC,
46 #endif
47 };
48
49 /*
50 * Return the machine_cred pointer to be used whenever
51 * the a generic machine credential is needed.
52 */
53 const struct cred *rpc_machine_cred(void)
54 {
55 return &machine_cred;
56 }
57 EXPORT_SYMBOL_GPL(rpc_machine_cred);
58
59 #define MAX_HASHTABLE_BITS (14)
60 static int param_set_hashtbl_sz(const char *val, const struct kernel_param *kp)
61 {
62 unsigned long num;
63 unsigned int nbits;
64 int ret;
65
66 if (!val)
67 goto out_inval;
68 ret = kstrtoul(val, 0, &num);
69 if (ret)
70 goto out_inval;
71 nbits = fls(num - 1);
72 if (nbits > MAX_HASHTABLE_BITS || nbits < 2)
73 goto out_inval;
74 *(unsigned int *)kp->arg = nbits;
75 return 0;
76 out_inval:
77 return -EINVAL;
78 }
79
80 static int param_get_hashtbl_sz(char *buffer, const struct kernel_param *kp)
81 {
82 unsigned int nbits;
83
84 nbits = *(unsigned int *)kp->arg;
85 return sprintf(buffer, "%u", 1U << nbits);
86 }
87
88 #define param_check_hashtbl_sz(name, p) __param_check(name, p, unsigned int);
89
90 static const struct kernel_param_ops param_ops_hashtbl_sz = {
91 .set = param_set_hashtbl_sz,
92 .get = param_get_hashtbl_sz,
93 };
94
95 module_param_named(auth_hashtable_size, auth_hashbits, hashtbl_sz, 0644);
96 MODULE_PARM_DESC(auth_hashtable_size, "RPC credential cache hashtable size");
97
98 static unsigned long auth_max_cred_cachesize = ULONG_MAX;
99 module_param(auth_max_cred_cachesize, ulong, 0644);
100 MODULE_PARM_DESC(auth_max_cred_cachesize, "RPC credential maximum total cache size");
101
102 static u32
103 pseudoflavor_to_flavor(u32 flavor) {
104 if (flavor > RPC_AUTH_MAXFLAVOR)
105 return RPC_AUTH_GSS;
106 return flavor;
107 }
108
109 int
110 rpcauth_register(const struct rpc_authops *ops)
111 {
112 const struct rpc_authops *old;
113 rpc_authflavor_t flavor;
114
115 if ((flavor = ops->au_flavor) >= RPC_AUTH_MAXFLAVOR)
116 return -EINVAL;
117 old = cmpxchg((const struct rpc_authops ** __force)&auth_flavors[flavor], NULL, ops);
118 if (old == NULL || old == ops)
119 return 0;
120 return -EPERM;
121 }
122 EXPORT_SYMBOL_GPL(rpcauth_register);
123
124 int
125 rpcauth_unregister(const struct rpc_authops *ops)
126 {
127 const struct rpc_authops *old;
128 rpc_authflavor_t flavor;
129
130 if ((flavor = ops->au_flavor) >= RPC_AUTH_MAXFLAVOR)
131 return -EINVAL;
132
133 old = cmpxchg((const struct rpc_authops ** __force)&auth_flavors[flavor], ops, NULL);
134 if (old == ops || old == NULL)
135 return 0;
136 return -EPERM;
137 }
138 EXPORT_SYMBOL_GPL(rpcauth_unregister);
139
140 static const struct rpc_authops *
141 rpcauth_get_authops(rpc_authflavor_t flavor)
142 {
143 const struct rpc_authops *ops;
144
145 if (flavor >= RPC_AUTH_MAXFLAVOR)
146 return NULL;
147
148 rcu_read_lock();
149 ops = rcu_dereference(auth_flavors[flavor]);
150 if (ops == NULL) {
151 rcu_read_unlock();
152 request_module("rpc-auth-%u", flavor);
153 rcu_read_lock();
154 ops = rcu_dereference(auth_flavors[flavor]);
155 if (ops == NULL)
156 goto out;
157 }
158 if (!try_module_get(ops->owner))
159 ops = NULL;
160 out:
161 rcu_read_unlock();
162 return ops;
163 }
164
165 static void
166 rpcauth_put_authops(const struct rpc_authops *ops)
167 {
168 module_put(ops->owner);
169 }
170
171 /**
172 * rpcauth_get_pseudoflavor - check if security flavor is supported
173 * @flavor: a security flavor
174 * @info: a GSS mech OID, quality of protection, and service value
175 *
176 * Verifies that an appropriate kernel module is available or already loaded.
177 * Returns an equivalent pseudoflavor, or RPC_AUTH_MAXFLAVOR if "flavor" is
178 * not supported locally.
179 */
180 rpc_authflavor_t
181 rpcauth_get_pseudoflavor(rpc_authflavor_t flavor, struct rpcsec_gss_info *info)
182 {
183 const struct rpc_authops *ops = rpcauth_get_authops(flavor);
184 rpc_authflavor_t pseudoflavor;
185
186 if (!ops)
187 return RPC_AUTH_MAXFLAVOR;
188 pseudoflavor = flavor;
189 if (ops->info2flavor != NULL)
190 pseudoflavor = ops->info2flavor(info);
191
192 rpcauth_put_authops(ops);
193 return pseudoflavor;
194 }
195 EXPORT_SYMBOL_GPL(rpcauth_get_pseudoflavor);
196
197 /**
198 * rpcauth_get_gssinfo - find GSS tuple matching a GSS pseudoflavor
199 * @pseudoflavor: GSS pseudoflavor to match
200 * @info: rpcsec_gss_info structure to fill in
201 *
202 * Returns zero and fills in "info" if pseudoflavor matches a
203 * supported mechanism.
204 */
205 int
206 rpcauth_get_gssinfo(rpc_authflavor_t pseudoflavor, struct rpcsec_gss_info *info)
207 {
208 rpc_authflavor_t flavor = pseudoflavor_to_flavor(pseudoflavor);
209 const struct rpc_authops *ops;
210 int result;
211
212 ops = rpcauth_get_authops(flavor);
213 if (ops == NULL)
214 return -ENOENT;
215
216 result = -ENOENT;
217 if (ops->flavor2info != NULL)
218 result = ops->flavor2info(pseudoflavor, info);
219
220 rpcauth_put_authops(ops);
221 return result;
222 }
223 EXPORT_SYMBOL_GPL(rpcauth_get_gssinfo);
224
225 /**
226 * rpcauth_list_flavors - discover registered flavors and pseudoflavors
227 * @array: array to fill in
228 * @size: size of "array"
229 *
230 * Returns the number of array items filled in, or a negative errno.
231 *
232 * The returned array is not sorted by any policy. Callers should not
233 * rely on the order of the items in the returned array.
234 */
235 int
236 rpcauth_list_flavors(rpc_authflavor_t *array, int size)
237 {
238 const struct rpc_authops *ops;
239 rpc_authflavor_t flavor, pseudos[4];
240 int i, len, result = 0;
241
242 rcu_read_lock();
243 for (flavor = 0; flavor < RPC_AUTH_MAXFLAVOR; flavor++) {
244 ops = rcu_dereference(auth_flavors[flavor]);
245 if (result >= size) {
246 result = -ENOMEM;
247 break;
248 }
249
250 if (ops == NULL)
251 continue;
252 if (ops->list_pseudoflavors == NULL) {
253 array[result++] = ops->au_flavor;
254 continue;
255 }
256 len = ops->list_pseudoflavors(pseudos, ARRAY_SIZE(pseudos));
257 if (len < 0) {
258 result = len;
259 break;
260 }
261 for (i = 0; i < len; i++) {
262 if (result >= size) {
263 result = -ENOMEM;
264 break;
265 }
266 array[result++] = pseudos[i];
267 }
268 }
269 rcu_read_unlock();
270
271 dprintk("RPC: %s returns %d\n", __func__, result);
272 return result;
273 }
274 EXPORT_SYMBOL_GPL(rpcauth_list_flavors);
275
276 struct rpc_auth *
277 rpcauth_create(const struct rpc_auth_create_args *args, struct rpc_clnt *clnt)
278 {
279 struct rpc_auth *auth = ERR_PTR(-EINVAL);
280 const struct rpc_authops *ops;
281 u32 flavor = pseudoflavor_to_flavor(args->pseudoflavor);
282
283 ops = rpcauth_get_authops(flavor);
284 if (ops == NULL)
285 goto out;
286
287 auth = ops->create(args, clnt);
288
289 rpcauth_put_authops(ops);
290 if (IS_ERR(auth))
291 return auth;
292 if (clnt->cl_auth)
293 rpcauth_release(clnt->cl_auth);
294 clnt->cl_auth = auth;
295
296 out:
297 return auth;
298 }
299 EXPORT_SYMBOL_GPL(rpcauth_create);
300
301 void
302 rpcauth_release(struct rpc_auth *auth)
303 {
304 if (!refcount_dec_and_test(&auth->au_count))
305 return;
306 auth->au_ops->destroy(auth);
307 }
308
309 static DEFINE_SPINLOCK(rpc_credcache_lock);
310
311 /*
312 * On success, the caller is responsible for freeing the reference
313 * held by the hashtable
314 */
315 static bool
316 rpcauth_unhash_cred_locked(struct rpc_cred *cred)
317 {
318 if (!test_and_clear_bit(RPCAUTH_CRED_HASHED, &cred->cr_flags))
319 return false;
320 hlist_del_rcu(&cred->cr_hash);
321 return true;
322 }
323
324 static bool
325 rpcauth_unhash_cred(struct rpc_cred *cred)
326 {
327 spinlock_t *cache_lock;
328 bool ret;
329
330 if (!test_bit(RPCAUTH_CRED_HASHED, &cred->cr_flags))
331 return false;
332 cache_lock = &cred->cr_auth->au_credcache->lock;
333 spin_lock(cache_lock);
334 ret = rpcauth_unhash_cred_locked(cred);
335 spin_unlock(cache_lock);
336 return ret;
337 }
338
339 /*
340 * Initialize RPC credential cache
341 */
342 int
343 rpcauth_init_credcache(struct rpc_auth *auth)
344 {
345 struct rpc_cred_cache *new;
346 unsigned int hashsize;
347
348 new = kmalloc(sizeof(*new), GFP_KERNEL);
349 if (!new)
350 goto out_nocache;
351 new->hashbits = auth_hashbits;
352 hashsize = 1U << new->hashbits;
353 new->hashtable = kcalloc(hashsize, sizeof(new->hashtable[0]), GFP_KERNEL);
354 if (!new->hashtable)
355 goto out_nohashtbl;
356 spin_lock_init(&new->lock);
357 auth->au_credcache = new;
358 return 0;
359 out_nohashtbl:
360 kfree(new);
361 out_nocache:
362 return -ENOMEM;
363 }
364 EXPORT_SYMBOL_GPL(rpcauth_init_credcache);
365
366 char *
367 rpcauth_stringify_acceptor(struct rpc_cred *cred)
368 {
369 if (!cred->cr_ops->crstringify_acceptor)
370 return NULL;
371 return cred->cr_ops->crstringify_acceptor(cred);
372 }
373 EXPORT_SYMBOL_GPL(rpcauth_stringify_acceptor);
374
375 /*
376 * Destroy a list of credentials
377 */
378 static inline
379 void rpcauth_destroy_credlist(struct list_head *head)
380 {
381 struct rpc_cred *cred;
382
383 while (!list_empty(head)) {
384 cred = list_entry(head->next, struct rpc_cred, cr_lru);
385 list_del_init(&cred->cr_lru);
386 put_rpccred(cred);
387 }
388 }
389
390 static void
391 rpcauth_lru_add_locked(struct rpc_cred *cred)
392 {
393 if (!list_empty(&cred->cr_lru))
394 return;
395 number_cred_unused++;
396 list_add_tail(&cred->cr_lru, &cred_unused);
397 }
398
399 static void
400 rpcauth_lru_add(struct rpc_cred *cred)
401 {
402 if (!list_empty(&cred->cr_lru))
403 return;
404 spin_lock(&rpc_credcache_lock);
405 rpcauth_lru_add_locked(cred);
406 spin_unlock(&rpc_credcache_lock);
407 }
408
409 static void
410 rpcauth_lru_remove_locked(struct rpc_cred *cred)
411 {
412 if (list_empty(&cred->cr_lru))
413 return;
414 number_cred_unused--;
415 list_del_init(&cred->cr_lru);
416 }
417
418 static void
419 rpcauth_lru_remove(struct rpc_cred *cred)
420 {
421 if (list_empty(&cred->cr_lru))
422 return;
423 spin_lock(&rpc_credcache_lock);
424 rpcauth_lru_remove_locked(cred);
425 spin_unlock(&rpc_credcache_lock);
426 }
427
428 /*
429 * Clear the RPC credential cache, and delete those credentials
430 * that are not referenced.
431 */
432 void
433 rpcauth_clear_credcache(struct rpc_cred_cache *cache)
434 {
435 LIST_HEAD(free);
436 struct hlist_head *head;
437 struct rpc_cred *cred;
438 unsigned int hashsize = 1U << cache->hashbits;
439 int i;
440
441 spin_lock(&rpc_credcache_lock);
442 spin_lock(&cache->lock);
443 for (i = 0; i < hashsize; i++) {
444 head = &cache->hashtable[i];
445 while (!hlist_empty(head)) {
446 cred = hlist_entry(head->first, struct rpc_cred, cr_hash);
447 rpcauth_unhash_cred_locked(cred);
448 /* Note: We now hold a reference to cred */
449 rpcauth_lru_remove_locked(cred);
450 list_add_tail(&cred->cr_lru, &free);
451 }
452 }
453 spin_unlock(&cache->lock);
454 spin_unlock(&rpc_credcache_lock);
455 rpcauth_destroy_credlist(&free);
456 }
457
458 /*
459 * Destroy the RPC credential cache
460 */
461 void
462 rpcauth_destroy_credcache(struct rpc_auth *auth)
463 {
464 struct rpc_cred_cache *cache = auth->au_credcache;
465
466 if (cache) {
467 auth->au_credcache = NULL;
468 rpcauth_clear_credcache(cache);
469 kfree(cache->hashtable);
470 kfree(cache);
471 }
472 }
473 EXPORT_SYMBOL_GPL(rpcauth_destroy_credcache);
474
475
476 #define RPC_AUTH_EXPIRY_MORATORIUM (60 * HZ)
477
478 /*
479 * Remove stale credentials. Avoid sleeping inside the loop.
480 */
481 static long
482 rpcauth_prune_expired(struct list_head *free, int nr_to_scan)
483 {
484 struct rpc_cred *cred, *next;
485 unsigned long expired = jiffies - RPC_AUTH_EXPIRY_MORATORIUM;
486 long freed = 0;
487
488 list_for_each_entry_safe(cred, next, &cred_unused, cr_lru) {
489
490 if (nr_to_scan-- == 0)
491 break;
492 if (refcount_read(&cred->cr_count) > 1) {
493 rpcauth_lru_remove_locked(cred);
494 continue;
495 }
496 /*
497 * Enforce a 60 second garbage collection moratorium
498 * Note that the cred_unused list must be time-ordered.
499 */
500 if (!time_in_range(cred->cr_expire, expired, jiffies))
501 continue;
502 if (!rpcauth_unhash_cred(cred))
503 continue;
504
505 rpcauth_lru_remove_locked(cred);
506 freed++;
507 list_add_tail(&cred->cr_lru, free);
508 }
509 return freed ? freed : SHRINK_STOP;
510 }
511
512 static unsigned long
513 rpcauth_cache_do_shrink(int nr_to_scan)
514 {
515 LIST_HEAD(free);
516 unsigned long freed;
517
518 spin_lock(&rpc_credcache_lock);
519 freed = rpcauth_prune_expired(&free, nr_to_scan);
520 spin_unlock(&rpc_credcache_lock);
521 rpcauth_destroy_credlist(&free);
522
523 return freed;
524 }
525
526 /*
527 * Run memory cache shrinker.
528 */
529 static unsigned long
530 rpcauth_cache_shrink_scan(struct shrinker *shrink, struct shrink_control *sc)
531
532 {
533 if ((sc->gfp_mask & GFP_KERNEL) != GFP_KERNEL)
534 return SHRINK_STOP;
535
536 /* nothing left, don't come back */
537 if (list_empty(&cred_unused))
538 return SHRINK_STOP;
539
540 return rpcauth_cache_do_shrink(sc->nr_to_scan);
541 }
542
543 static unsigned long
544 rpcauth_cache_shrink_count(struct shrinker *shrink, struct shrink_control *sc)
545
546 {
547 return number_cred_unused * sysctl_vfs_cache_pressure / 100;
548 }
549
550 static void
551 rpcauth_cache_enforce_limit(void)
552 {
553 unsigned long diff;
554 unsigned int nr_to_scan;
555
556 if (number_cred_unused <= auth_max_cred_cachesize)
557 return;
558 diff = number_cred_unused - auth_max_cred_cachesize;
559 nr_to_scan = 100;
560 if (diff < nr_to_scan)
561 nr_to_scan = diff;
562 rpcauth_cache_do_shrink(nr_to_scan);
563 }
564
565 /*
566 * Look up a process' credentials in the authentication cache
567 */
568 struct rpc_cred *
569 rpcauth_lookup_credcache(struct rpc_auth *auth, struct auth_cred * acred,
570 int flags, gfp_t gfp)
571 {
572 LIST_HEAD(free);
573 struct rpc_cred_cache *cache = auth->au_credcache;
574 struct rpc_cred *cred = NULL,
575 *entry, *new;
576 unsigned int nr;
577
578 nr = auth->au_ops->hash_cred(acred, cache->hashbits);
579
580 rcu_read_lock();
581 hlist_for_each_entry_rcu(entry, &cache->hashtable[nr], cr_hash) {
582 if (!entry->cr_ops->crmatch(acred, entry, flags))
583 continue;
584 cred = get_rpccred(entry);
585 if (cred)
586 break;
587 }
588 rcu_read_unlock();
589
590 if (cred != NULL)
591 goto found;
592
593 new = auth->au_ops->crcreate(auth, acred, flags, gfp);
594 if (IS_ERR(new)) {
595 cred = new;
596 goto out;
597 }
598
599 spin_lock(&cache->lock);
600 hlist_for_each_entry(entry, &cache->hashtable[nr], cr_hash) {
601 if (!entry->cr_ops->crmatch(acred, entry, flags))
602 continue;
603 cred = get_rpccred(entry);
604 if (cred)
605 break;
606 }
607 if (cred == NULL) {
608 cred = new;
609 set_bit(RPCAUTH_CRED_HASHED, &cred->cr_flags);
610 refcount_inc(&cred->cr_count);
611 hlist_add_head_rcu(&cred->cr_hash, &cache->hashtable[nr]);
612 } else
613 list_add_tail(&new->cr_lru, &free);
614 spin_unlock(&cache->lock);
615 rpcauth_cache_enforce_limit();
616 found:
617 if (test_bit(RPCAUTH_CRED_NEW, &cred->cr_flags) &&
618 cred->cr_ops->cr_init != NULL &&
619 !(flags & RPCAUTH_LOOKUP_NEW)) {
620 int res = cred->cr_ops->cr_init(auth, cred);
621 if (res < 0) {
622 put_rpccred(cred);
623 cred = ERR_PTR(res);
624 }
625 }
626 rpcauth_destroy_credlist(&free);
627 out:
628 return cred;
629 }
630 EXPORT_SYMBOL_GPL(rpcauth_lookup_credcache);
631
632 struct rpc_cred *
633 rpcauth_lookupcred(struct rpc_auth *auth, int flags)
634 {
635 struct auth_cred acred;
636 struct rpc_cred *ret;
637 const struct cred *cred = current_cred();
638
639 dprintk("RPC: looking up %s cred\n",
640 auth->au_ops->au_name);
641
642 memset(&acred, 0, sizeof(acred));
643 acred.cred = cred;
644 ret = auth->au_ops->lookup_cred(auth, &acred, flags);
645 return ret;
646 }
647 EXPORT_SYMBOL_GPL(rpcauth_lookupcred);
648
649 void
650 rpcauth_init_cred(struct rpc_cred *cred, const struct auth_cred *acred,
651 struct rpc_auth *auth, const struct rpc_credops *ops)
652 {
653 INIT_HLIST_NODE(&cred->cr_hash);
654 INIT_LIST_HEAD(&cred->cr_lru);
655 refcount_set(&cred->cr_count, 1);
656 cred->cr_auth = auth;
657 cred->cr_flags = 0;
658 cred->cr_ops = ops;
659 cred->cr_expire = jiffies;
660 cred->cr_cred = get_cred(acred->cred);
661 }
662 EXPORT_SYMBOL_GPL(rpcauth_init_cred);
663
664 static struct rpc_cred *
665 rpcauth_bind_root_cred(struct rpc_task *task, int lookupflags)
666 {
667 struct rpc_auth *auth = task->tk_client->cl_auth;
668 struct auth_cred acred = {
669 .cred = get_task_cred(&init_task),
670 };
671 struct rpc_cred *ret;
672
673 dprintk("RPC: %5u looking up %s cred\n",
674 task->tk_pid, task->tk_client->cl_auth->au_ops->au_name);
675 ret = auth->au_ops->lookup_cred(auth, &acred, lookupflags);
676 put_cred(acred.cred);
677 return ret;
678 }
679
680 static struct rpc_cred *
681 rpcauth_bind_machine_cred(struct rpc_task *task, int lookupflags)
682 {
683 struct rpc_auth *auth = task->tk_client->cl_auth;
684 struct auth_cred acred = {
685 .principal = task->tk_client->cl_principal,
686 .cred = init_task.cred,
687 };
688
689 if (!acred.principal)
690 return NULL;
691 dprintk("RPC: %5u looking up %s machine cred\n",
692 task->tk_pid, task->tk_client->cl_auth->au_ops->au_name);
693 return auth->au_ops->lookup_cred(auth, &acred, lookupflags);
694 }
695
696 static struct rpc_cred *
697 rpcauth_bind_new_cred(struct rpc_task *task, int lookupflags)
698 {
699 struct rpc_auth *auth = task->tk_client->cl_auth;
700
701 dprintk("RPC: %5u looking up %s cred\n",
702 task->tk_pid, auth->au_ops->au_name);
703 return rpcauth_lookupcred(auth, lookupflags);
704 }
705
706 static int
707 rpcauth_bindcred(struct rpc_task *task, const struct cred *cred, int flags)
708 {
709 struct rpc_rqst *req = task->tk_rqstp;
710 struct rpc_cred *new = NULL;
711 int lookupflags = 0;
712 struct rpc_auth *auth = task->tk_client->cl_auth;
713 struct auth_cred acred = {
714 .cred = cred,
715 };
716
717 if (flags & RPC_TASK_ASYNC)
718 lookupflags |= RPCAUTH_LOOKUP_NEW;
719 if (task->tk_op_cred)
720 /* Task must use exactly this rpc_cred */
721 new = get_rpccred(task->tk_op_cred);
722 else if (cred != NULL && cred != &machine_cred)
723 new = auth->au_ops->lookup_cred(auth, &acred, lookupflags);
724 else if (cred == &machine_cred)
725 new = rpcauth_bind_machine_cred(task, lookupflags);
726
727 /* If machine cred couldn't be bound, try a root cred */
728 if (new)
729 ;
730 else if (cred == &machine_cred || (flags & RPC_TASK_ROOTCREDS))
731 new = rpcauth_bind_root_cred(task, lookupflags);
732 else if (flags & RPC_TASK_NULLCREDS)
733 new = authnull_ops.lookup_cred(NULL, NULL, 0);
734 else
735 new = rpcauth_bind_new_cred(task, lookupflags);
736 if (IS_ERR(new))
737 return PTR_ERR(new);
738 put_rpccred(req->rq_cred);
739 req->rq_cred = new;
740 return 0;
741 }
742
743 void
744 put_rpccred(struct rpc_cred *cred)
745 {
746 if (cred == NULL)
747 return;
748 rcu_read_lock();
749 if (refcount_dec_and_test(&cred->cr_count))
750 goto destroy;
751 if (refcount_read(&cred->cr_count) != 1 ||
752 !test_bit(RPCAUTH_CRED_HASHED, &cred->cr_flags))
753 goto out;
754 if (test_bit(RPCAUTH_CRED_UPTODATE, &cred->cr_flags) != 0) {
755 cred->cr_expire = jiffies;
756 rpcauth_lru_add(cred);
757 /* Race breaker */
758 if (unlikely(!test_bit(RPCAUTH_CRED_HASHED, &cred->cr_flags)))
759 rpcauth_lru_remove(cred);
760 } else if (rpcauth_unhash_cred(cred)) {
761 rpcauth_lru_remove(cred);
762 if (refcount_dec_and_test(&cred->cr_count))
763 goto destroy;
764 }
765 out:
766 rcu_read_unlock();
767 return;
768 destroy:
769 rcu_read_unlock();
770 cred->cr_ops->crdestroy(cred);
771 }
772 EXPORT_SYMBOL_GPL(put_rpccred);
773
774 __be32 *
775 rpcauth_marshcred(struct rpc_task *task, __be32 *p)
776 {
777 struct rpc_cred *cred = task->tk_rqstp->rq_cred;
778
779 dprintk("RPC: %5u marshaling %s cred %p\n",
780 task->tk_pid, cred->cr_auth->au_ops->au_name, cred);
781
782 return cred->cr_ops->crmarshal(task, p);
783 }
784
785 __be32 *
786 rpcauth_checkverf(struct rpc_task *task, __be32 *p)
787 {
788 struct rpc_cred *cred = task->tk_rqstp->rq_cred;
789
790 dprintk("RPC: %5u validating %s cred %p\n",
791 task->tk_pid, cred->cr_auth->au_ops->au_name, cred);
792
793 return cred->cr_ops->crvalidate(task, p);
794 }
795
796 static void rpcauth_wrap_req_encode(kxdreproc_t encode, struct rpc_rqst *rqstp,
797 __be32 *data, void *obj)
798 {
799 struct xdr_stream xdr;
800
801 xdr_init_encode(&xdr, &rqstp->rq_snd_buf, data);
802 encode(rqstp, &xdr, obj);
803 }
804
805 int
806 rpcauth_wrap_req(struct rpc_task *task, kxdreproc_t encode, void *rqstp,
807 __be32 *data, void *obj)
808 {
809 struct rpc_cred *cred = task->tk_rqstp->rq_cred;
810
811 dprintk("RPC: %5u using %s cred %p to wrap rpc data\n",
812 task->tk_pid, cred->cr_ops->cr_name, cred);
813 if (cred->cr_ops->crwrap_req)
814 return cred->cr_ops->crwrap_req(task, encode, rqstp, data, obj);
815 /* By default, we encode the arguments normally. */
816 rpcauth_wrap_req_encode(encode, rqstp, data, obj);
817 return 0;
818 }
819
820 static int
821 rpcauth_unwrap_req_decode(kxdrdproc_t decode, struct rpc_rqst *rqstp,
822 __be32 *data, void *obj)
823 {
824 struct xdr_stream xdr;
825
826 xdr_init_decode(&xdr, &rqstp->rq_rcv_buf, data);
827 return decode(rqstp, &xdr, obj);
828 }
829
830 int
831 rpcauth_unwrap_resp(struct rpc_task *task, kxdrdproc_t decode, void *rqstp,
832 __be32 *data, void *obj)
833 {
834 struct rpc_cred *cred = task->tk_rqstp->rq_cred;
835
836 dprintk("RPC: %5u using %s cred %p to unwrap rpc data\n",
837 task->tk_pid, cred->cr_ops->cr_name, cred);
838 if (cred->cr_ops->crunwrap_resp)
839 return cred->cr_ops->crunwrap_resp(task, decode, rqstp,
840 data, obj);
841 /* By default, we decode the arguments normally. */
842 return rpcauth_unwrap_req_decode(decode, rqstp, data, obj);
843 }
844
845 bool
846 rpcauth_xmit_need_reencode(struct rpc_task *task)
847 {
848 struct rpc_cred *cred = task->tk_rqstp->rq_cred;
849
850 if (!cred || !cred->cr_ops->crneed_reencode)
851 return false;
852 return cred->cr_ops->crneed_reencode(task);
853 }
854
855 int
856 rpcauth_refreshcred(struct rpc_task *task)
857 {
858 struct rpc_cred *cred;
859 int err;
860
861 cred = task->tk_rqstp->rq_cred;
862 if (cred == NULL) {
863 err = rpcauth_bindcred(task, task->tk_msg.rpc_cred, task->tk_flags);
864 if (err < 0)
865 goto out;
866 cred = task->tk_rqstp->rq_cred;
867 }
868 dprintk("RPC: %5u refreshing %s cred %p\n",
869 task->tk_pid, cred->cr_auth->au_ops->au_name, cred);
870
871 err = cred->cr_ops->crrefresh(task);
872 out:
873 if (err < 0)
874 task->tk_status = err;
875 return err;
876 }
877
878 void
879 rpcauth_invalcred(struct rpc_task *task)
880 {
881 struct rpc_cred *cred = task->tk_rqstp->rq_cred;
882
883 dprintk("RPC: %5u invalidating %s cred %p\n",
884 task->tk_pid, cred->cr_auth->au_ops->au_name, cred);
885 if (cred)
886 clear_bit(RPCAUTH_CRED_UPTODATE, &cred->cr_flags);
887 }
888
889 int
890 rpcauth_uptodatecred(struct rpc_task *task)
891 {
892 struct rpc_cred *cred = task->tk_rqstp->rq_cred;
893
894 return cred == NULL ||
895 test_bit(RPCAUTH_CRED_UPTODATE, &cred->cr_flags) != 0;
896 }
897
898 static struct shrinker rpc_cred_shrinker = {
899 .count_objects = rpcauth_cache_shrink_count,
900 .scan_objects = rpcauth_cache_shrink_scan,
901 .seeks = DEFAULT_SEEKS,
902 };
903
904 int __init rpcauth_init_module(void)
905 {
906 int err;
907
908 err = rpc_init_authunix();
909 if (err < 0)
910 goto out1;
911 err = register_shrinker(&rpc_cred_shrinker);
912 if (err < 0)
913 goto out2;
914 return 0;
915 out2:
916 rpc_destroy_authunix();
917 out1:
918 return err;
919 }
920
921 void rpcauth_remove_module(void)
922 {
923 rpc_destroy_authunix();
924 unregister_shrinker(&rpc_cred_shrinker);
925 }
Ubuntu Focal Linux kernel mirror