svcauth_unix.c 21 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664665666667668669670671672673674675676677678679680681682683684685686687688689690691692693694695696697698699700701702703704705706707708709710711712713714715716717718719720721722723724725726727728729730731732733734735736737738739740741742743744745746747748749750751752753754755756757758759760761762763764765766767768769770771772773774775776777778779780781782783784785786787788789790791792793794795796797798799800801802803804805806807808809810811812813814815816817818819820821822823824825826827828829830831832833834835836837838839840841842843844845846847848849850851852853854855856857858859860861862863864865866867868869870871872873874875876877878879880881882883884885886887888889890891892893894895896897898899900901902903904905906907908909
  1. #include <linux/types.h>
  2. #include <linux/sched.h>
  3. #include <linux/module.h>
  4. #include <linux/sunrpc/types.h>
  5. #include <linux/sunrpc/xdr.h>
  6. #include <linux/sunrpc/svcsock.h>
  7. #include <linux/sunrpc/svcauth.h>
  8. #include <linux/sunrpc/gss_api.h>
  9. #include <linux/sunrpc/addr.h>
  10. #include <linux/err.h>
  11. #include <linux/seq_file.h>
  12. #include <linux/hash.h>
  13. #include <linux/string.h>
  14. #include <linux/slab.h>
  15. #include <net/sock.h>
  16. #include <net/ipv6.h>
  17. #include <linux/kernel.h>
  18. #include <linux/user_namespace.h>
  19. #define RPCDBG_FACILITY RPCDBG_AUTH
  20. #include "netns.h"
  21. /*
  22. * AUTHUNIX and AUTHNULL credentials are both handled here.
  23. * AUTHNULL is treated just like AUTHUNIX except that the uid/gid
  24. * are always nobody (-2). i.e. we do the same IP address checks for
  25. * AUTHNULL as for AUTHUNIX, and that is done here.
  26. */
  27. struct unix_domain {
  28. struct auth_domain h;
  29. /* other stuff later */
  30. };
  31. extern struct auth_ops svcauth_null;
  32. extern struct auth_ops svcauth_unix;
  33. static void svcauth_unix_domain_release(struct auth_domain *dom)
  34. {
  35. struct unix_domain *ud = container_of(dom, struct unix_domain, h);
  36. kfree(dom->name);
  37. kfree(ud);
  38. }
  39. struct auth_domain *unix_domain_find(char *name)
  40. {
  41. struct auth_domain *rv;
  42. struct unix_domain *new = NULL;
  43. rv = auth_domain_lookup(name, NULL);
  44. while(1) {
  45. if (rv) {
  46. if (new && rv != &new->h)
  47. svcauth_unix_domain_release(&new->h);
  48. if (rv->flavour != &svcauth_unix) {
  49. auth_domain_put(rv);
  50. return NULL;
  51. }
  52. return rv;
  53. }
  54. new = kmalloc(sizeof(*new), GFP_KERNEL);
  55. if (new == NULL)
  56. return NULL;
  57. kref_init(&new->h.ref);
  58. new->h.name = kstrdup(name, GFP_KERNEL);
  59. if (new->h.name == NULL) {
  60. kfree(new);
  61. return NULL;
  62. }
  63. new->h.flavour = &svcauth_unix;
  64. rv = auth_domain_lookup(name, &new->h);
  65. }
  66. }
  67. EXPORT_SYMBOL_GPL(unix_domain_find);
  68. /**************************************************
  69. * cache for IP address to unix_domain
  70. * as needed by AUTH_UNIX
  71. */
  72. #define IP_HASHBITS 8
  73. #define IP_HASHMAX (1<<IP_HASHBITS)
  74. struct ip_map {
  75. struct cache_head h;
  76. char m_class[8]; /* e.g. "nfsd" */
  77. struct in6_addr m_addr;
  78. struct unix_domain *m_client;
  79. };
  80. static void ip_map_put(struct kref *kref)
  81. {
  82. struct cache_head *item = container_of(kref, struct cache_head, ref);
  83. struct ip_map *im = container_of(item, struct ip_map,h);
  84. if (test_bit(CACHE_VALID, &item->flags) &&
  85. !test_bit(CACHE_NEGATIVE, &item->flags))
  86. auth_domain_put(&im->m_client->h);
  87. kfree(im);
  88. }
  89. static inline int hash_ip6(const struct in6_addr *ip)
  90. {
  91. return hash_32(ipv6_addr_hash(ip), IP_HASHBITS);
  92. }
  93. static int ip_map_match(struct cache_head *corig, struct cache_head *cnew)
  94. {
  95. struct ip_map *orig = container_of(corig, struct ip_map, h);
  96. struct ip_map *new = container_of(cnew, struct ip_map, h);
  97. return strcmp(orig->m_class, new->m_class) == 0 &&
  98. ipv6_addr_equal(&orig->m_addr, &new->m_addr);
  99. }
  100. static void ip_map_init(struct cache_head *cnew, struct cache_head *citem)
  101. {
  102. struct ip_map *new = container_of(cnew, struct ip_map, h);
  103. struct ip_map *item = container_of(citem, struct ip_map, h);
  104. strcpy(new->m_class, item->m_class);
  105. new->m_addr = item->m_addr;
  106. }
  107. static void update(struct cache_head *cnew, struct cache_head *citem)
  108. {
  109. struct ip_map *new = container_of(cnew, struct ip_map, h);
  110. struct ip_map *item = container_of(citem, struct ip_map, h);
  111. kref_get(&item->m_client->h.ref);
  112. new->m_client = item->m_client;
  113. }
  114. static struct cache_head *ip_map_alloc(void)
  115. {
  116. struct ip_map *i = kmalloc(sizeof(*i), GFP_KERNEL);
  117. if (i)
  118. return &i->h;
  119. else
  120. return NULL;
  121. }
  122. static void ip_map_request(struct cache_detail *cd,
  123. struct cache_head *h,
  124. char **bpp, int *blen)
  125. {
  126. char text_addr[40];
  127. struct ip_map *im = container_of(h, struct ip_map, h);
  128. if (ipv6_addr_v4mapped(&(im->m_addr))) {
  129. snprintf(text_addr, 20, "%pI4", &im->m_addr.s6_addr32[3]);
  130. } else {
  131. snprintf(text_addr, 40, "%pI6", &im->m_addr);
  132. }
  133. qword_add(bpp, blen, im->m_class);
  134. qword_add(bpp, blen, text_addr);
  135. (*bpp)[-1] = '\n';
  136. }
  137. static struct ip_map *__ip_map_lookup(struct cache_detail *cd, char *class, struct in6_addr *addr);
  138. static int __ip_map_update(struct cache_detail *cd, struct ip_map *ipm, struct unix_domain *udom, time_t expiry);
  139. static int ip_map_parse(struct cache_detail *cd,
  140. char *mesg, int mlen)
  141. {
  142. /* class ipaddress [domainname] */
  143. /* should be safe just to use the start of the input buffer
  144. * for scratch: */
  145. char *buf = mesg;
  146. int len;
  147. char class[8];
  148. union {
  149. struct sockaddr sa;
  150. struct sockaddr_in s4;
  151. struct sockaddr_in6 s6;
  152. } address;
  153. struct sockaddr_in6 sin6;
  154. int err;
  155. struct ip_map *ipmp;
  156. struct auth_domain *dom;
  157. time_t expiry;
  158. if (mesg[mlen-1] != '\n')
  159. return -EINVAL;
  160. mesg[mlen-1] = 0;
  161. /* class */
  162. len = qword_get(&mesg, class, sizeof(class));
  163. if (len <= 0) return -EINVAL;
  164. /* ip address */
  165. len = qword_get(&mesg, buf, mlen);
  166. if (len <= 0) return -EINVAL;
  167. if (rpc_pton(cd->net, buf, len, &address.sa, sizeof(address)) == 0)
  168. return -EINVAL;
  169. switch (address.sa.sa_family) {
  170. case AF_INET:
  171. /* Form a mapped IPv4 address in sin6 */
  172. sin6.sin6_family = AF_INET6;
  173. ipv6_addr_set_v4mapped(address.s4.sin_addr.s_addr,
  174. &sin6.sin6_addr);
  175. break;
  176. #if IS_ENABLED(CONFIG_IPV6)
  177. case AF_INET6:
  178. memcpy(&sin6, &address.s6, sizeof(sin6));
  179. break;
  180. #endif
  181. default:
  182. return -EINVAL;
  183. }
  184. expiry = get_expiry(&mesg);
  185. if (expiry ==0)
  186. return -EINVAL;
  187. /* domainname, or empty for NEGATIVE */
  188. len = qword_get(&mesg, buf, mlen);
  189. if (len < 0) return -EINVAL;
  190. if (len) {
  191. dom = unix_domain_find(buf);
  192. if (dom == NULL)
  193. return -ENOENT;
  194. } else
  195. dom = NULL;
  196. /* IPv6 scope IDs are ignored for now */
  197. ipmp = __ip_map_lookup(cd, class, &sin6.sin6_addr);
  198. if (ipmp) {
  199. err = __ip_map_update(cd, ipmp,
  200. container_of(dom, struct unix_domain, h),
  201. expiry);
  202. } else
  203. err = -ENOMEM;
  204. if (dom)
  205. auth_domain_put(dom);
  206. cache_flush();
  207. return err;
  208. }
  209. static int ip_map_show(struct seq_file *m,
  210. struct cache_detail *cd,
  211. struct cache_head *h)
  212. {
  213. struct ip_map *im;
  214. struct in6_addr addr;
  215. char *dom = "-no-domain-";
  216. if (h == NULL) {
  217. seq_puts(m, "#class IP domain\n");
  218. return 0;
  219. }
  220. im = container_of(h, struct ip_map, h);
  221. /* class addr domain */
  222. addr = im->m_addr;
  223. if (test_bit(CACHE_VALID, &h->flags) &&
  224. !test_bit(CACHE_NEGATIVE, &h->flags))
  225. dom = im->m_client->h.name;
  226. if (ipv6_addr_v4mapped(&addr)) {
  227. seq_printf(m, "%s %pI4 %s\n",
  228. im->m_class, &addr.s6_addr32[3], dom);
  229. } else {
  230. seq_printf(m, "%s %pI6 %s\n", im->m_class, &addr, dom);
  231. }
  232. return 0;
  233. }
  234. static struct ip_map *__ip_map_lookup(struct cache_detail *cd, char *class,
  235. struct in6_addr *addr)
  236. {
  237. struct ip_map ip;
  238. struct cache_head *ch;
  239. strcpy(ip.m_class, class);
  240. ip.m_addr = *addr;
  241. ch = sunrpc_cache_lookup(cd, &ip.h,
  242. hash_str(class, IP_HASHBITS) ^
  243. hash_ip6(addr));
  244. if (ch)
  245. return container_of(ch, struct ip_map, h);
  246. else
  247. return NULL;
  248. }
  249. static inline struct ip_map *ip_map_lookup(struct net *net, char *class,
  250. struct in6_addr *addr)
  251. {
  252. struct sunrpc_net *sn;
  253. sn = net_generic(net, sunrpc_net_id);
  254. return __ip_map_lookup(sn->ip_map_cache, class, addr);
  255. }
  256. static int __ip_map_update(struct cache_detail *cd, struct ip_map *ipm,
  257. struct unix_domain *udom, time_t expiry)
  258. {
  259. struct ip_map ip;
  260. struct cache_head *ch;
  261. ip.m_client = udom;
  262. ip.h.flags = 0;
  263. if (!udom)
  264. set_bit(CACHE_NEGATIVE, &ip.h.flags);
  265. ip.h.expiry_time = expiry;
  266. ch = sunrpc_cache_update(cd, &ip.h, &ipm->h,
  267. hash_str(ipm->m_class, IP_HASHBITS) ^
  268. hash_ip6(&ipm->m_addr));
  269. if (!ch)
  270. return -ENOMEM;
  271. cache_put(ch, cd);
  272. return 0;
  273. }
  274. static inline int ip_map_update(struct net *net, struct ip_map *ipm,
  275. struct unix_domain *udom, time_t expiry)
  276. {
  277. struct sunrpc_net *sn;
  278. sn = net_generic(net, sunrpc_net_id);
  279. return __ip_map_update(sn->ip_map_cache, ipm, udom, expiry);
  280. }
  281. void svcauth_unix_purge(struct net *net)
  282. {
  283. struct sunrpc_net *sn;
  284. sn = net_generic(net, sunrpc_net_id);
  285. cache_purge(sn->ip_map_cache);
  286. }
  287. EXPORT_SYMBOL_GPL(svcauth_unix_purge);
  288. static inline struct ip_map *
  289. ip_map_cached_get(struct svc_xprt *xprt)
  290. {
  291. struct ip_map *ipm = NULL;
  292. struct sunrpc_net *sn;
  293. if (test_bit(XPT_CACHE_AUTH, &xprt->xpt_flags)) {
  294. spin_lock(&xprt->xpt_lock);
  295. ipm = xprt->xpt_auth_cache;
  296. if (ipm != NULL) {
  297. sn = net_generic(xprt->xpt_net, sunrpc_net_id);
  298. if (cache_is_expired(sn->ip_map_cache, &ipm->h)) {
  299. /*
  300. * The entry has been invalidated since it was
  301. * remembered, e.g. by a second mount from the
  302. * same IP address.
  303. */
  304. xprt->xpt_auth_cache = NULL;
  305. spin_unlock(&xprt->xpt_lock);
  306. cache_put(&ipm->h, sn->ip_map_cache);
  307. return NULL;
  308. }
  309. cache_get(&ipm->h);
  310. }
  311. spin_unlock(&xprt->xpt_lock);
  312. }
  313. return ipm;
  314. }
  315. static inline void
  316. ip_map_cached_put(struct svc_xprt *xprt, struct ip_map *ipm)
  317. {
  318. if (test_bit(XPT_CACHE_AUTH, &xprt->xpt_flags)) {
  319. spin_lock(&xprt->xpt_lock);
  320. if (xprt->xpt_auth_cache == NULL) {
  321. /* newly cached, keep the reference */
  322. xprt->xpt_auth_cache = ipm;
  323. ipm = NULL;
  324. }
  325. spin_unlock(&xprt->xpt_lock);
  326. }
  327. if (ipm) {
  328. struct sunrpc_net *sn;
  329. sn = net_generic(xprt->xpt_net, sunrpc_net_id);
  330. cache_put(&ipm->h, sn->ip_map_cache);
  331. }
  332. }
  333. void
  334. svcauth_unix_info_release(struct svc_xprt *xpt)
  335. {
  336. struct ip_map *ipm;
  337. ipm = xpt->xpt_auth_cache;
  338. if (ipm != NULL) {
  339. struct sunrpc_net *sn;
  340. sn = net_generic(xpt->xpt_net, sunrpc_net_id);
  341. cache_put(&ipm->h, sn->ip_map_cache);
  342. }
  343. }
  344. /****************************************************************************
  345. * auth.unix.gid cache
  346. * simple cache to map a UID to a list of GIDs
  347. * because AUTH_UNIX aka AUTH_SYS has a max of UNX_NGROUPS
  348. */
  349. #define GID_HASHBITS 8
  350. #define GID_HASHMAX (1<<GID_HASHBITS)
  351. struct unix_gid {
  352. struct cache_head h;
  353. kuid_t uid;
  354. struct group_info *gi;
  355. };
  356. static int unix_gid_hash(kuid_t uid)
  357. {
  358. return hash_long(from_kuid(&init_user_ns, uid), GID_HASHBITS);
  359. }
  360. static void unix_gid_put(struct kref *kref)
  361. {
  362. struct cache_head *item = container_of(kref, struct cache_head, ref);
  363. struct unix_gid *ug = container_of(item, struct unix_gid, h);
  364. if (test_bit(CACHE_VALID, &item->flags) &&
  365. !test_bit(CACHE_NEGATIVE, &item->flags))
  366. put_group_info(ug->gi);
  367. kfree(ug);
  368. }
  369. static int unix_gid_match(struct cache_head *corig, struct cache_head *cnew)
  370. {
  371. struct unix_gid *orig = container_of(corig, struct unix_gid, h);
  372. struct unix_gid *new = container_of(cnew, struct unix_gid, h);
  373. return uid_eq(orig->uid, new->uid);
  374. }
  375. static void unix_gid_init(struct cache_head *cnew, struct cache_head *citem)
  376. {
  377. struct unix_gid *new = container_of(cnew, struct unix_gid, h);
  378. struct unix_gid *item = container_of(citem, struct unix_gid, h);
  379. new->uid = item->uid;
  380. }
  381. static void unix_gid_update(struct cache_head *cnew, struct cache_head *citem)
  382. {
  383. struct unix_gid *new = container_of(cnew, struct unix_gid, h);
  384. struct unix_gid *item = container_of(citem, struct unix_gid, h);
  385. get_group_info(item->gi);
  386. new->gi = item->gi;
  387. }
  388. static struct cache_head *unix_gid_alloc(void)
  389. {
  390. struct unix_gid *g = kmalloc(sizeof(*g), GFP_KERNEL);
  391. if (g)
  392. return &g->h;
  393. else
  394. return NULL;
  395. }
  396. static void unix_gid_request(struct cache_detail *cd,
  397. struct cache_head *h,
  398. char **bpp, int *blen)
  399. {
  400. char tuid[20];
  401. struct unix_gid *ug = container_of(h, struct unix_gid, h);
  402. snprintf(tuid, 20, "%u", from_kuid(&init_user_ns, ug->uid));
  403. qword_add(bpp, blen, tuid);
  404. (*bpp)[-1] = '\n';
  405. }
  406. static struct unix_gid *unix_gid_lookup(struct cache_detail *cd, kuid_t uid);
  407. static int unix_gid_parse(struct cache_detail *cd,
  408. char *mesg, int mlen)
  409. {
  410. /* uid expiry Ngid gid0 gid1 ... gidN-1 */
  411. int id;
  412. kuid_t uid;
  413. int gids;
  414. int rv;
  415. int i;
  416. int err;
  417. time_t expiry;
  418. struct unix_gid ug, *ugp;
  419. if (mesg[mlen - 1] != '\n')
  420. return -EINVAL;
  421. mesg[mlen-1] = 0;
  422. rv = get_int(&mesg, &id);
  423. if (rv)
  424. return -EINVAL;
  425. uid = make_kuid(&init_user_ns, id);
  426. ug.uid = uid;
  427. expiry = get_expiry(&mesg);
  428. if (expiry == 0)
  429. return -EINVAL;
  430. rv = get_int(&mesg, &gids);
  431. if (rv || gids < 0 || gids > 8192)
  432. return -EINVAL;
  433. ug.gi = groups_alloc(gids);
  434. if (!ug.gi)
  435. return -ENOMEM;
  436. for (i = 0 ; i < gids ; i++) {
  437. int gid;
  438. kgid_t kgid;
  439. rv = get_int(&mesg, &gid);
  440. err = -EINVAL;
  441. if (rv)
  442. goto out;
  443. kgid = make_kgid(&init_user_ns, gid);
  444. if (!gid_valid(kgid))
  445. goto out;
  446. ug.gi->gid[i] = kgid;
  447. }
  448. groups_sort(ug.gi);
  449. ugp = unix_gid_lookup(cd, uid);
  450. if (ugp) {
  451. struct cache_head *ch;
  452. ug.h.flags = 0;
  453. ug.h.expiry_time = expiry;
  454. ch = sunrpc_cache_update(cd,
  455. &ug.h, &ugp->h,
  456. unix_gid_hash(uid));
  457. if (!ch)
  458. err = -ENOMEM;
  459. else {
  460. err = 0;
  461. cache_put(ch, cd);
  462. }
  463. } else
  464. err = -ENOMEM;
  465. out:
  466. if (ug.gi)
  467. put_group_info(ug.gi);
  468. return err;
  469. }
  470. static int unix_gid_show(struct seq_file *m,
  471. struct cache_detail *cd,
  472. struct cache_head *h)
  473. {
  474. struct user_namespace *user_ns = &init_user_ns;
  475. struct unix_gid *ug;
  476. int i;
  477. int glen;
  478. if (h == NULL) {
  479. seq_puts(m, "#uid cnt: gids...\n");
  480. return 0;
  481. }
  482. ug = container_of(h, struct unix_gid, h);
  483. if (test_bit(CACHE_VALID, &h->flags) &&
  484. !test_bit(CACHE_NEGATIVE, &h->flags))
  485. glen = ug->gi->ngroups;
  486. else
  487. glen = 0;
  488. seq_printf(m, "%u %d:", from_kuid_munged(user_ns, ug->uid), glen);
  489. for (i = 0; i < glen; i++)
  490. seq_printf(m, " %d", from_kgid_munged(user_ns, ug->gi->gid[i]));
  491. seq_printf(m, "\n");
  492. return 0;
  493. }
  494. static struct cache_detail unix_gid_cache_template = {
  495. .owner = THIS_MODULE,
  496. .hash_size = GID_HASHMAX,
  497. .name = "auth.unix.gid",
  498. .cache_put = unix_gid_put,
  499. .cache_request = unix_gid_request,
  500. .cache_parse = unix_gid_parse,
  501. .cache_show = unix_gid_show,
  502. .match = unix_gid_match,
  503. .init = unix_gid_init,
  504. .update = unix_gid_update,
  505. .alloc = unix_gid_alloc,
  506. };
  507. int unix_gid_cache_create(struct net *net)
  508. {
  509. struct sunrpc_net *sn = net_generic(net, sunrpc_net_id);
  510. struct cache_detail *cd;
  511. int err;
  512. cd = cache_create_net(&unix_gid_cache_template, net);
  513. if (IS_ERR(cd))
  514. return PTR_ERR(cd);
  515. err = cache_register_net(cd, net);
  516. if (err) {
  517. cache_destroy_net(cd, net);
  518. return err;
  519. }
  520. sn->unix_gid_cache = cd;
  521. return 0;
  522. }
  523. void unix_gid_cache_destroy(struct net *net)
  524. {
  525. struct sunrpc_net *sn = net_generic(net, sunrpc_net_id);
  526. struct cache_detail *cd = sn->unix_gid_cache;
  527. sn->unix_gid_cache = NULL;
  528. cache_purge(cd);
  529. cache_unregister_net(cd, net);
  530. cache_destroy_net(cd, net);
  531. }
  532. static struct unix_gid *unix_gid_lookup(struct cache_detail *cd, kuid_t uid)
  533. {
  534. struct unix_gid ug;
  535. struct cache_head *ch;
  536. ug.uid = uid;
  537. ch = sunrpc_cache_lookup(cd, &ug.h, unix_gid_hash(uid));
  538. if (ch)
  539. return container_of(ch, struct unix_gid, h);
  540. else
  541. return NULL;
  542. }
  543. static struct group_info *unix_gid_find(kuid_t uid, struct svc_rqst *rqstp)
  544. {
  545. struct unix_gid *ug;
  546. struct group_info *gi;
  547. int ret;
  548. struct sunrpc_net *sn = net_generic(rqstp->rq_xprt->xpt_net,
  549. sunrpc_net_id);
  550. ug = unix_gid_lookup(sn->unix_gid_cache, uid);
  551. if (!ug)
  552. return ERR_PTR(-EAGAIN);
  553. ret = cache_check(sn->unix_gid_cache, &ug->h, &rqstp->rq_chandle);
  554. switch (ret) {
  555. case -ENOENT:
  556. return ERR_PTR(-ENOENT);
  557. case -ETIMEDOUT:
  558. return ERR_PTR(-ESHUTDOWN);
  559. case 0:
  560. gi = get_group_info(ug->gi);
  561. cache_put(&ug->h, sn->unix_gid_cache);
  562. return gi;
  563. default:
  564. return ERR_PTR(-EAGAIN);
  565. }
  566. }
  567. int
  568. svcauth_unix_set_client(struct svc_rqst *rqstp)
  569. {
  570. struct sockaddr_in *sin;
  571. struct sockaddr_in6 *sin6, sin6_storage;
  572. struct ip_map *ipm;
  573. struct group_info *gi;
  574. struct svc_cred *cred = &rqstp->rq_cred;
  575. struct svc_xprt *xprt = rqstp->rq_xprt;
  576. struct net *net = xprt->xpt_net;
  577. struct sunrpc_net *sn = net_generic(net, sunrpc_net_id);
  578. switch (rqstp->rq_addr.ss_family) {
  579. case AF_INET:
  580. sin = svc_addr_in(rqstp);
  581. sin6 = &sin6_storage;
  582. ipv6_addr_set_v4mapped(sin->sin_addr.s_addr, &sin6->sin6_addr);
  583. break;
  584. case AF_INET6:
  585. sin6 = svc_addr_in6(rqstp);
  586. break;
  587. default:
  588. BUG();
  589. }
  590. rqstp->rq_client = NULL;
  591. if (rqstp->rq_proc == 0)
  592. return SVC_OK;
  593. ipm = ip_map_cached_get(xprt);
  594. if (ipm == NULL)
  595. ipm = __ip_map_lookup(sn->ip_map_cache, rqstp->rq_server->sv_program->pg_class,
  596. &sin6->sin6_addr);
  597. if (ipm == NULL)
  598. return SVC_DENIED;
  599. switch (cache_check(sn->ip_map_cache, &ipm->h, &rqstp->rq_chandle)) {
  600. default:
  601. BUG();
  602. case -ETIMEDOUT:
  603. return SVC_CLOSE;
  604. case -EAGAIN:
  605. return SVC_DROP;
  606. case -ENOENT:
  607. return SVC_DENIED;
  608. case 0:
  609. rqstp->rq_client = &ipm->m_client->h;
  610. kref_get(&rqstp->rq_client->ref);
  611. ip_map_cached_put(xprt, ipm);
  612. break;
  613. }
  614. gi = unix_gid_find(cred->cr_uid, rqstp);
  615. switch (PTR_ERR(gi)) {
  616. case -EAGAIN:
  617. return SVC_DROP;
  618. case -ESHUTDOWN:
  619. return SVC_CLOSE;
  620. case -ENOENT:
  621. break;
  622. default:
  623. put_group_info(cred->cr_group_info);
  624. cred->cr_group_info = gi;
  625. }
  626. return SVC_OK;
  627. }
  628. EXPORT_SYMBOL_GPL(svcauth_unix_set_client);
  629. static int
  630. svcauth_null_accept(struct svc_rqst *rqstp, __be32 *authp)
  631. {
  632. struct kvec *argv = &rqstp->rq_arg.head[0];
  633. struct kvec *resv = &rqstp->rq_res.head[0];
  634. struct svc_cred *cred = &rqstp->rq_cred;
  635. if (argv->iov_len < 3*4)
  636. return SVC_GARBAGE;
  637. if (svc_getu32(argv) != 0) {
  638. dprintk("svc: bad null cred\n");
  639. *authp = rpc_autherr_badcred;
  640. return SVC_DENIED;
  641. }
  642. if (svc_getu32(argv) != htonl(RPC_AUTH_NULL) || svc_getu32(argv) != 0) {
  643. dprintk("svc: bad null verf\n");
  644. *authp = rpc_autherr_badverf;
  645. return SVC_DENIED;
  646. }
  647. /* Signal that mapping to nobody uid/gid is required */
  648. cred->cr_uid = INVALID_UID;
  649. cred->cr_gid = INVALID_GID;
  650. cred->cr_group_info = groups_alloc(0);
  651. if (cred->cr_group_info == NULL)
  652. return SVC_CLOSE; /* kmalloc failure - client must retry */
  653. /* Put NULL verifier */
  654. svc_putnl(resv, RPC_AUTH_NULL);
  655. svc_putnl(resv, 0);
  656. rqstp->rq_cred.cr_flavor = RPC_AUTH_NULL;
  657. return SVC_OK;
  658. }
  659. static int
  660. svcauth_null_release(struct svc_rqst *rqstp)
  661. {
  662. if (rqstp->rq_client)
  663. auth_domain_put(rqstp->rq_client);
  664. rqstp->rq_client = NULL;
  665. if (rqstp->rq_cred.cr_group_info)
  666. put_group_info(rqstp->rq_cred.cr_group_info);
  667. rqstp->rq_cred.cr_group_info = NULL;
  668. return 0; /* don't drop */
  669. }
  670. struct auth_ops svcauth_null = {
  671. .name = "null",
  672. .owner = THIS_MODULE,
  673. .flavour = RPC_AUTH_NULL,
  674. .accept = svcauth_null_accept,
  675. .release = svcauth_null_release,
  676. .set_client = svcauth_unix_set_client,
  677. };
  678. static int
  679. svcauth_unix_accept(struct svc_rqst *rqstp, __be32 *authp)
  680. {
  681. struct kvec *argv = &rqstp->rq_arg.head[0];
  682. struct kvec *resv = &rqstp->rq_res.head[0];
  683. struct svc_cred *cred = &rqstp->rq_cred;
  684. u32 slen, i;
  685. int len = argv->iov_len;
  686. if ((len -= 3*4) < 0)
  687. return SVC_GARBAGE;
  688. svc_getu32(argv); /* length */
  689. svc_getu32(argv); /* time stamp */
  690. slen = XDR_QUADLEN(svc_getnl(argv)); /* machname length */
  691. if (slen > 64 || (len -= (slen + 3)*4) < 0)
  692. goto badcred;
  693. argv->iov_base = (void*)((__be32*)argv->iov_base + slen); /* skip machname */
  694. argv->iov_len -= slen*4;
  695. /*
  696. * Note: we skip uid_valid()/gid_valid() checks here for
  697. * backwards compatibility with clients that use -1 id's.
  698. * Instead, -1 uid or gid is later mapped to the
  699. * (export-specific) anonymous id by nfsd_setuser.
  700. * Supplementary gid's will be left alone.
  701. */
  702. cred->cr_uid = make_kuid(&init_user_ns, svc_getnl(argv)); /* uid */
  703. cred->cr_gid = make_kgid(&init_user_ns, svc_getnl(argv)); /* gid */
  704. slen = svc_getnl(argv); /* gids length */
  705. if (slen > UNX_NGROUPS || (len -= (slen + 2)*4) < 0)
  706. goto badcred;
  707. cred->cr_group_info = groups_alloc(slen);
  708. if (cred->cr_group_info == NULL)
  709. return SVC_CLOSE;
  710. for (i = 0; i < slen; i++) {
  711. kgid_t kgid = make_kgid(&init_user_ns, svc_getnl(argv));
  712. cred->cr_group_info->gid[i] = kgid;
  713. }
  714. groups_sort(cred->cr_group_info);
  715. if (svc_getu32(argv) != htonl(RPC_AUTH_NULL) || svc_getu32(argv) != 0) {
  716. *authp = rpc_autherr_badverf;
  717. return SVC_DENIED;
  718. }
  719. /* Put NULL verifier */
  720. svc_putnl(resv, RPC_AUTH_NULL);
  721. svc_putnl(resv, 0);
  722. rqstp->rq_cred.cr_flavor = RPC_AUTH_UNIX;
  723. return SVC_OK;
  724. badcred:
  725. *authp = rpc_autherr_badcred;
  726. return SVC_DENIED;
  727. }
  728. static int
  729. svcauth_unix_release(struct svc_rqst *rqstp)
  730. {
  731. /* Verifier (such as it is) is already in place.
  732. */
  733. if (rqstp->rq_client)
  734. auth_domain_put(rqstp->rq_client);
  735. rqstp->rq_client = NULL;
  736. if (rqstp->rq_cred.cr_group_info)
  737. put_group_info(rqstp->rq_cred.cr_group_info);
  738. rqstp->rq_cred.cr_group_info = NULL;
  739. return 0;
  740. }
  741. struct auth_ops svcauth_unix = {
  742. .name = "unix",
  743. .owner = THIS_MODULE,
  744. .flavour = RPC_AUTH_UNIX,
  745. .accept = svcauth_unix_accept,
  746. .release = svcauth_unix_release,
  747. .domain_release = svcauth_unix_domain_release,
  748. .set_client = svcauth_unix_set_client,
  749. };
  750. static struct cache_detail ip_map_cache_template = {
  751. .owner = THIS_MODULE,
  752. .hash_size = IP_HASHMAX,
  753. .name = "auth.unix.ip",
  754. .cache_put = ip_map_put,
  755. .cache_request = ip_map_request,
  756. .cache_parse = ip_map_parse,
  757. .cache_show = ip_map_show,
  758. .match = ip_map_match,
  759. .init = ip_map_init,
  760. .update = update,
  761. .alloc = ip_map_alloc,
  762. };
  763. int ip_map_cache_create(struct net *net)
  764. {
  765. struct sunrpc_net *sn = net_generic(net, sunrpc_net_id);
  766. struct cache_detail *cd;
  767. int err;
  768. cd = cache_create_net(&ip_map_cache_template, net);
  769. if (IS_ERR(cd))
  770. return PTR_ERR(cd);
  771. err = cache_register_net(cd, net);
  772. if (err) {
  773. cache_destroy_net(cd, net);
  774. return err;
  775. }
  776. sn->ip_map_cache = cd;
  777. return 0;
  778. }
  779. void ip_map_cache_destroy(struct net *net)
  780. {
  781. struct sunrpc_net *sn = net_generic(net, sunrpc_net_id);
  782. struct cache_detail *cd = sn->ip_map_cache;
  783. sn->ip_map_cache = NULL;
  784. cache_purge(cd);
  785. cache_unregister_net(cd, net);
  786. cache_destroy_net(cd, net);
  787. }