Commit | Line | Data |
---|---|---|
b2441318 | 1 | // SPDX-License-Identifier: GPL-2.0 |
1da177e4 LT |
2 | /* |
3 | * linux/net/sunrpc/auth_unix.c | |
4 | * | |
5 | * UNIX-style authentication; no AUTH_SHORT support | |
6 | * | |
7 | * Copyright (C) 1996, Olaf Kirch <okir@monad.swb.de> | |
8 | */ | |
9 | ||
5a0e3ad6 | 10 | #include <linux/slab.h> |
1da177e4 LT |
11 | #include <linux/types.h> |
12 | #include <linux/sched.h> | |
13 | #include <linux/module.h> | |
2edd8d74 | 14 | #include <linux/mempool.h> |
1da177e4 LT |
15 | #include <linux/sunrpc/clnt.h> |
16 | #include <linux/sunrpc/auth.h> | |
ae2975bc | 17 | #include <linux/user_namespace.h> |
1da177e4 | 18 | |
1da177e4 | 19 | |
f895b252 | 20 | #if IS_ENABLED(CONFIG_SUNRPC_DEBUG) |
1da177e4 LT |
21 | # define RPCDBG_FACILITY RPCDBG_AUTH |
22 | #endif | |
23 | ||
24 | static struct rpc_auth unix_auth; | |
f1c0a861 | 25 | static const struct rpc_credops unix_credops; |
2edd8d74 | 26 | static mempool_t *unix_pool; |
1da177e4 LT |
27 | |
28 | static struct rpc_auth * | |
82b98ca5 | 29 | unx_create(const struct rpc_auth_create_args *args, struct rpc_clnt *clnt) |
1da177e4 | 30 | { |
331bc71c | 31 | refcount_inc(&unix_auth.au_count); |
1da177e4 LT |
32 | return &unix_auth; |
33 | } | |
34 | ||
35 | static void | |
36 | unx_destroy(struct rpc_auth *auth) | |
37 | { | |
1e035d06 FS |
38 | } |
39 | ||
1da177e4 LT |
40 | /* |
41 | * Lookup AUTH_UNIX creds for current process | |
42 | */ | |
43 | static struct rpc_cred * | |
44 | unx_lookup_cred(struct rpc_auth *auth, struct auth_cred *acred, int flags) | |
45 | { | |
2edd8d74 | 46 | struct rpc_cred *ret = mempool_alloc(unix_pool, GFP_NOFS); |
1da177e4 | 47 | |
2edd8d74 N |
48 | rpcauth_init_cred(ret, acred, auth, &unix_credops); |
49 | ret->cr_flags = 1UL << RPCAUTH_CRED_UPTODATE; | |
50 | return ret; | |
31be5bf1 | 51 | } |
696e38df | 52 | |
31be5bf1 TM |
53 | static void |
54 | unx_free_cred_callback(struct rcu_head *head) | |
55 | { | |
2edd8d74 | 56 | struct rpc_cred *rpc_cred = container_of(head, struct rpc_cred, cr_rcu); |
80125d4a | 57 | |
2edd8d74 N |
58 | put_cred(rpc_cred->cr_cred); |
59 | mempool_free(rpc_cred, unix_pool); | |
31be5bf1 TM |
60 | } |
61 | ||
62 | static void | |
63 | unx_destroy_cred(struct rpc_cred *cred) | |
64 | { | |
65 | call_rcu(&cred->cr_rcu, unx_free_cred_callback); | |
1da177e4 LT |
66 | } |
67 | ||
68 | /* | |
2edd8d74 | 69 | * Match credentials against current the auth_cred. |
1da177e4 LT |
70 | */ |
71 | static int | |
2edd8d74 | 72 | unx_match(struct auth_cred *acred, struct rpc_cred *cred, int flags) |
1da177e4 | 73 | { |
af093835 TM |
74 | unsigned int groups = 0; |
75 | unsigned int i; | |
1da177e4 | 76 | |
2edd8d74 N |
77 | if (cred->cr_cred == acred->cred) |
78 | return 1; | |
1da177e4 | 79 | |
2edd8d74 | 80 | if (!uid_eq(cred->cr_cred->fsuid, acred->cred->fsuid) || !gid_eq(cred->cr_cred->fsgid, acred->cred->fsgid)) |
af093835 | 81 | return 0; |
1da177e4 | 82 | |
e3735c89 | 83 | if (acred->cred->group_info != NULL) |
fc0664fd | 84 | groups = acred->cred->group_info->ngroups; |
5786461b KM |
85 | if (groups > UNX_NGROUPS) |
86 | groups = UNX_NGROUPS; | |
2edd8d74 N |
87 | if (cred->cr_cred->group_info == NULL) |
88 | return groups == 0; | |
89 | if (groups != cred->cr_cred->group_info->ngroups) | |
90 | return 0; | |
91 | ||
9132adb0 | 92 | for (i = 0; i < groups ; i++) |
2edd8d74 | 93 | if (!gid_eq(cred->cr_cred->group_info->gid[i], acred->cred->group_info->gid[i])) |
af093835 TM |
94 | return 0; |
95 | return 1; | |
1da177e4 LT |
96 | } |
97 | ||
98 | /* | |
99 | * Marshal credentials. | |
100 | * Maybe we should keep a cached credential for performance reasons. | |
101 | */ | |
e8680a24 CL |
102 | static int |
103 | unx_marshal(struct rpc_task *task, struct xdr_stream *xdr) | |
1da177e4 LT |
104 | { |
105 | struct rpc_clnt *clnt = task->tk_client; | |
2edd8d74 | 106 | struct rpc_cred *cred = task->tk_rqstp->rq_cred; |
e8680a24 | 107 | __be32 *p, *cred_len, *gidarr_len; |
1da177e4 | 108 | int i; |
2edd8d74 | 109 | struct group_info *gi = cred->cr_cred->group_info; |
283ebe3e TM |
110 | struct user_namespace *userns = clnt->cl_cred ? |
111 | clnt->cl_cred->user_ns : &init_user_ns; | |
1da177e4 | 112 | |
e8680a24 CL |
113 | /* Credential */ |
114 | ||
115 | p = xdr_reserve_space(xdr, 3 * sizeof(*p)); | |
116 | if (!p) | |
117 | goto marshal_failed; | |
118 | *p++ = rpc_auth_unix; | |
119 | cred_len = p++; | |
120 | *p++ = xdr_zero; /* stamp */ | |
121 | if (xdr_stream_encode_opaque(xdr, clnt->cl_nodename, | |
122 | clnt->cl_nodelen) < 0) | |
123 | goto marshal_failed; | |
124 | p = xdr_reserve_space(xdr, 3 * sizeof(*p)); | |
125 | if (!p) | |
126 | goto marshal_failed; | |
283ebe3e TM |
127 | *p++ = cpu_to_be32(from_kuid_munged(userns, cred->cr_cred->fsuid)); |
128 | *p++ = cpu_to_be32(from_kgid_munged(userns, cred->cr_cred->fsgid)); | |
e8680a24 CL |
129 | |
130 | gidarr_len = p++; | |
2edd8d74 N |
131 | if (gi) |
132 | for (i = 0; i < UNX_NGROUPS && i < gi->ngroups; i++) | |
283ebe3e | 133 | *p++ = cpu_to_be32(from_kgid_munged(userns, gi->gid[i])); |
e8680a24 CL |
134 | *gidarr_len = cpu_to_be32(p - gidarr_len - 1); |
135 | *cred_len = cpu_to_be32((p - cred_len - 1) << 2); | |
136 | p = xdr_reserve_space(xdr, (p - gidarr_len - 1) << 2); | |
137 | if (!p) | |
138 | goto marshal_failed; | |
139 | ||
140 | /* Verifier */ | |
141 | ||
142 | p = xdr_reserve_space(xdr, 2 * sizeof(*p)); | |
143 | if (!p) | |
144 | goto marshal_failed; | |
145 | *p++ = rpc_auth_null; | |
146 | *p = xdr_zero; | |
1da177e4 | 147 | |
e8680a24 | 148 | return 0; |
1da177e4 | 149 | |
e8680a24 CL |
150 | marshal_failed: |
151 | return -EMSGSIZE; | |
1da177e4 LT |
152 | } |
153 | ||
154 | /* | |
155 | * Refresh credentials. This is a no-op for AUTH_UNIX | |
156 | */ | |
157 | static int | |
158 | unx_refresh(struct rpc_task *task) | |
159 | { | |
a17c2153 | 160 | set_bit(RPCAUTH_CRED_UPTODATE, &task->tk_rqstp->rq_cred->cr_flags); |
1da177e4 LT |
161 | return 0; |
162 | } | |
163 | ||
a0584ee9 CL |
164 | static int |
165 | unx_validate(struct rpc_task *task, struct xdr_stream *xdr) | |
1da177e4 | 166 | { |
a00275ba | 167 | struct rpc_auth *auth = task->tk_rqstp->rq_cred->cr_auth; |
a0584ee9 CL |
168 | __be32 *p; |
169 | u32 size; | |
1da177e4 | 170 | |
a0584ee9 CL |
171 | p = xdr_inline_decode(xdr, 2 * sizeof(*p)); |
172 | if (!p) | |
173 | return -EIO; | |
174 | switch (*p++) { | |
175 | case rpc_auth_null: | |
176 | case rpc_auth_unix: | |
177 | case rpc_auth_short: | |
178 | break; | |
179 | default: | |
180 | return -EIO; | |
1da177e4 | 181 | } |
a0584ee9 CL |
182 | size = be32_to_cpup(p); |
183 | if (size > RPC_MAX_AUTH_SIZE) | |
184 | return -EIO; | |
185 | p = xdr_inline_decode(xdr, size); | |
186 | if (!p) | |
187 | return -EIO; | |
1da177e4 | 188 | |
a00275ba CL |
189 | auth->au_verfsize = XDR_QUADLEN(size) + 2; |
190 | auth->au_rslack = XDR_QUADLEN(size) + 2; | |
35e77d21 | 191 | auth->au_ralign = XDR_QUADLEN(size) + 2; |
a0584ee9 | 192 | return 0; |
1da177e4 LT |
193 | } |
194 | ||
5d8d9a4d | 195 | int __init rpc_init_authunix(void) |
9499b434 | 196 | { |
2edd8d74 N |
197 | unix_pool = mempool_create_kmalloc_pool(16, sizeof(struct rpc_cred)); |
198 | return unix_pool ? 0 : -ENOMEM; | |
5d8d9a4d TM |
199 | } |
200 | ||
201 | void rpc_destroy_authunix(void) | |
202 | { | |
2edd8d74 | 203 | mempool_destroy(unix_pool); |
9499b434 TM |
204 | } |
205 | ||
f1c0a861 | 206 | const struct rpc_authops authunix_ops = { |
1da177e4 LT |
207 | .owner = THIS_MODULE, |
208 | .au_flavor = RPC_AUTH_UNIX, | |
1da177e4 | 209 | .au_name = "UNIX", |
1da177e4 LT |
210 | .create = unx_create, |
211 | .destroy = unx_destroy, | |
212 | .lookup_cred = unx_lookup_cred, | |
1da177e4 LT |
213 | }; |
214 | ||
1da177e4 LT |
215 | static |
216 | struct rpc_auth unix_auth = { | |
4500632f CL |
217 | .au_cslack = UNX_CALLSLACK, |
218 | .au_rslack = NUL_REPLYSLACK, | |
a00275ba | 219 | .au_verfsize = NUL_REPLYSLACK, |
1da177e4 | 220 | .au_ops = &authunix_ops, |
81039f1f | 221 | .au_flavor = RPC_AUTH_UNIX, |
331bc71c | 222 | .au_count = REFCOUNT_INIT(1), |
1da177e4 LT |
223 | }; |
224 | ||
225 | static | |
f1c0a861 | 226 | const struct rpc_credops unix_credops = { |
1da177e4 LT |
227 | .cr_name = "AUTH_UNIX", |
228 | .crdestroy = unx_destroy_cred, | |
229 | .crmatch = unx_match, | |
230 | .crmarshal = unx_marshal, | |
e8680a24 | 231 | .crwrap_req = rpcauth_wrap_req_encode, |
1da177e4 LT |
232 | .crrefresh = unx_refresh, |
233 | .crvalidate = unx_validate, | |
a0584ee9 | 234 | .crunwrap_resp = rpcauth_unwrap_resp_decode, |
1da177e4 | 235 | }; |