Commit | Line | Data |
---|---|---|
457c8996 | 1 | // SPDX-License-Identifier: GPL-2.0-only |
1da177e4 LT |
2 | #include <linux/types.h> |
3 | #include <linux/sched.h> | |
4 | #include <linux/module.h> | |
5 | #include <linux/sunrpc/types.h> | |
6 | #include <linux/sunrpc/xdr.h> | |
7 | #include <linux/sunrpc/svcsock.h> | |
8 | #include <linux/sunrpc/svcauth.h> | |
c4170583 | 9 | #include <linux/sunrpc/gss_api.h> |
5976687a | 10 | #include <linux/sunrpc/addr.h> |
1da177e4 LT |
11 | #include <linux/err.h> |
12 | #include <linux/seq_file.h> | |
13 | #include <linux/hash.h> | |
543537bd | 14 | #include <linux/string.h> |
5a0e3ad6 | 15 | #include <linux/slab.h> |
7b2b1fee | 16 | #include <net/sock.h> |
f15364bd AC |
17 | #include <net/ipv6.h> |
18 | #include <linux/kernel.h> | |
ae2975bc | 19 | #include <linux/user_namespace.h> |
1da177e4 LT |
20 | #define RPCDBG_FACILITY RPCDBG_AUTH |
21 | ||
22 | ||
90d51b02 PE |
23 | #include "netns.h" |
24 | ||
1da177e4 LT |
25 | /* |
26 | * AUTHUNIX and AUTHNULL credentials are both handled here. | |
27 | * AUTHNULL is treated just like AUTHUNIX except that the uid/gid | |
28 | * are always nobody (-2). i.e. we do the same IP address checks for | |
29 | * AUTHNULL as for AUTHUNIX, and that is done here. | |
30 | */ | |
31 | ||
32 | ||
1da177e4 LT |
33 | struct unix_domain { |
34 | struct auth_domain h; | |
1da177e4 LT |
35 | /* other stuff later */ |
36 | }; | |
37 | ||
13e0e958 | 38 | extern struct auth_ops svcauth_null; |
efc36aa5 | 39 | extern struct auth_ops svcauth_unix; |
74aaf96f | 40 | extern struct auth_ops svcauth_tls; |
efc36aa5 | 41 | |
608a0ab2 | 42 | static void svcauth_unix_domain_release_rcu(struct rcu_head *head) |
8b3e07ac | 43 | { |
608a0ab2 | 44 | struct auth_domain *dom = container_of(head, struct auth_domain, rcu_head); |
8b3e07ac BF |
45 | struct unix_domain *ud = container_of(dom, struct unix_domain, h); |
46 | ||
47 | kfree(dom->name); | |
48 | kfree(ud); | |
49 | } | |
50 | ||
608a0ab2 TM |
51 | static void svcauth_unix_domain_release(struct auth_domain *dom) |
52 | { | |
53 | call_rcu(&dom->rcu_head, svcauth_unix_domain_release_rcu); | |
54 | } | |
55 | ||
1da177e4 LT |
56 | struct auth_domain *unix_domain_find(char *name) |
57 | { | |
efc36aa5 N |
58 | struct auth_domain *rv; |
59 | struct unix_domain *new = NULL; | |
60 | ||
608a0ab2 | 61 | rv = auth_domain_find(name); |
efc36aa5 | 62 | while(1) { |
ad1b5229 N |
63 | if (rv) { |
64 | if (new && rv != &new->h) | |
352b5d13 | 65 | svcauth_unix_domain_release(&new->h); |
ad1b5229 N |
66 | |
67 | if (rv->flavour != &svcauth_unix) { | |
68 | auth_domain_put(rv); | |
69 | return NULL; | |
70 | } | |
efc36aa5 N |
71 | return rv; |
72 | } | |
efc36aa5 N |
73 | |
74 | new = kmalloc(sizeof(*new), GFP_KERNEL); | |
75 | if (new == NULL) | |
76 | return NULL; | |
77 | kref_init(&new->h.ref); | |
78 | new->h.name = kstrdup(name, GFP_KERNEL); | |
dd08d6ea N |
79 | if (new->h.name == NULL) { |
80 | kfree(new); | |
81 | return NULL; | |
82 | } | |
efc36aa5 | 83 | new->h.flavour = &svcauth_unix; |
efc36aa5 | 84 | rv = auth_domain_lookup(name, &new->h); |
1da177e4 | 85 | } |
1da177e4 | 86 | } |
24c3767e | 87 | EXPORT_SYMBOL_GPL(unix_domain_find); |
1da177e4 | 88 | |
1da177e4 LT |
89 | |
90 | /************************************************** | |
91 | * cache for IP address to unix_domain | |
92 | * as needed by AUTH_UNIX | |
93 | */ | |
94 | #define IP_HASHBITS 8 | |
95 | #define IP_HASHMAX (1<<IP_HASHBITS) | |
1da177e4 LT |
96 | |
97 | struct ip_map { | |
98 | struct cache_head h; | |
99 | char m_class[8]; /* e.g. "nfsd" */ | |
f15364bd | 100 | struct in6_addr m_addr; |
1da177e4 | 101 | struct unix_domain *m_client; |
fd5d2f78 | 102 | struct rcu_head m_rcu; |
1da177e4 | 103 | }; |
1da177e4 | 104 | |
baab935f | 105 | static void ip_map_put(struct kref *kref) |
1da177e4 | 106 | { |
baab935f | 107 | struct cache_head *item = container_of(kref, struct cache_head, ref); |
1da177e4 | 108 | struct ip_map *im = container_of(item, struct ip_map,h); |
baab935f N |
109 | |
110 | if (test_bit(CACHE_VALID, &item->flags) && | |
111 | !test_bit(CACHE_NEGATIVE, &item->flags)) | |
112 | auth_domain_put(&im->m_client->h); | |
fd5d2f78 | 113 | kfree_rcu(im, m_rcu); |
1da177e4 LT |
114 | } |
115 | ||
ddbe5032 | 116 | static inline int hash_ip6(const struct in6_addr *ip) |
f15364bd | 117 | { |
ddbe5032 | 118 | return hash_32(ipv6_addr_hash(ip), IP_HASHBITS); |
f15364bd | 119 | } |
1a9917c2 | 120 | static int ip_map_match(struct cache_head *corig, struct cache_head *cnew) |
1da177e4 | 121 | { |
1a9917c2 N |
122 | struct ip_map *orig = container_of(corig, struct ip_map, h); |
123 | struct ip_map *new = container_of(cnew, struct ip_map, h); | |
f64f9e71 JP |
124 | return strcmp(orig->m_class, new->m_class) == 0 && |
125 | ipv6_addr_equal(&orig->m_addr, &new->m_addr); | |
1da177e4 | 126 | } |
1a9917c2 | 127 | static void ip_map_init(struct cache_head *cnew, struct cache_head *citem) |
1da177e4 | 128 | { |
1a9917c2 N |
129 | struct ip_map *new = container_of(cnew, struct ip_map, h); |
130 | struct ip_map *item = container_of(citem, struct ip_map, h); | |
131 | ||
1da177e4 | 132 | strcpy(new->m_class, item->m_class); |
4e3fd7a0 | 133 | new->m_addr = item->m_addr; |
1da177e4 | 134 | } |
1a9917c2 | 135 | static void update(struct cache_head *cnew, struct cache_head *citem) |
1da177e4 | 136 | { |
1a9917c2 N |
137 | struct ip_map *new = container_of(cnew, struct ip_map, h); |
138 | struct ip_map *item = container_of(citem, struct ip_map, h); | |
139 | ||
efc36aa5 | 140 | kref_get(&item->m_client->h.ref); |
1da177e4 | 141 | new->m_client = item->m_client; |
1da177e4 | 142 | } |
1a9917c2 N |
143 | static struct cache_head *ip_map_alloc(void) |
144 | { | |
145 | struct ip_map *i = kmalloc(sizeof(*i), GFP_KERNEL); | |
146 | if (i) | |
147 | return &i->h; | |
148 | else | |
149 | return NULL; | |
150 | } | |
1da177e4 | 151 | |
65286b88 TM |
152 | static int ip_map_upcall(struct cache_detail *cd, struct cache_head *h) |
153 | { | |
154 | return sunrpc_cache_pipe_upcall(cd, h); | |
155 | } | |
156 | ||
1da177e4 LT |
157 | static void ip_map_request(struct cache_detail *cd, |
158 | struct cache_head *h, | |
159 | char **bpp, int *blen) | |
160 | { | |
f15364bd | 161 | char text_addr[40]; |
1da177e4 | 162 | struct ip_map *im = container_of(h, struct ip_map, h); |
1da177e4 | 163 | |
f15364bd | 164 | if (ipv6_addr_v4mapped(&(im->m_addr))) { |
21454aaa | 165 | snprintf(text_addr, 20, "%pI4", &im->m_addr.s6_addr32[3]); |
f15364bd | 166 | } else { |
5b095d98 | 167 | snprintf(text_addr, 40, "%pI6", &im->m_addr); |
f15364bd | 168 | } |
1da177e4 LT |
169 | qword_add(bpp, blen, im->m_class); |
170 | qword_add(bpp, blen, text_addr); | |
171 | (*bpp)[-1] = '\n'; | |
172 | } | |
173 | ||
bf18ab32 | 174 | static struct ip_map *__ip_map_lookup(struct cache_detail *cd, char *class, struct in6_addr *addr); |
f559935e | 175 | static int __ip_map_update(struct cache_detail *cd, struct ip_map *ipm, struct unix_domain *udom, time64_t expiry); |
1da177e4 LT |
176 | |
177 | static int ip_map_parse(struct cache_detail *cd, | |
178 | char *mesg, int mlen) | |
179 | { | |
180 | /* class ipaddress [domainname] */ | |
181 | /* should be safe just to use the start of the input buffer | |
182 | * for scratch: */ | |
183 | char *buf = mesg; | |
184 | int len; | |
1a9917c2 | 185 | char class[8]; |
07396051 CL |
186 | union { |
187 | struct sockaddr sa; | |
188 | struct sockaddr_in s4; | |
189 | struct sockaddr_in6 s6; | |
190 | } address; | |
191 | struct sockaddr_in6 sin6; | |
1a9917c2 N |
192 | int err; |
193 | ||
194 | struct ip_map *ipmp; | |
1da177e4 | 195 | struct auth_domain *dom; |
f559935e | 196 | time64_t expiry; |
1da177e4 LT |
197 | |
198 | if (mesg[mlen-1] != '\n') | |
199 | return -EINVAL; | |
200 | mesg[mlen-1] = 0; | |
201 | ||
202 | /* class */ | |
1a9917c2 | 203 | len = qword_get(&mesg, class, sizeof(class)); |
1da177e4 LT |
204 | if (len <= 0) return -EINVAL; |
205 | ||
206 | /* ip address */ | |
207 | len = qword_get(&mesg, buf, mlen); | |
208 | if (len <= 0) return -EINVAL; | |
209 | ||
d05cc104 | 210 | if (rpc_pton(cd->net, buf, len, &address.sa, sizeof(address)) == 0) |
1da177e4 | 211 | return -EINVAL; |
07396051 CL |
212 | switch (address.sa.sa_family) { |
213 | case AF_INET: | |
214 | /* Form a mapped IPv4 address in sin6 */ | |
07396051 | 215 | sin6.sin6_family = AF_INET6; |
70dc78da PE |
216 | ipv6_addr_set_v4mapped(address.s4.sin_addr.s_addr, |
217 | &sin6.sin6_addr); | |
07396051 | 218 | break; |
dfd56b8b | 219 | #if IS_ENABLED(CONFIG_IPV6) |
07396051 CL |
220 | case AF_INET6: |
221 | memcpy(&sin6, &address.s6, sizeof(sin6)); | |
222 | break; | |
223 | #endif | |
224 | default: | |
225 | return -EINVAL; | |
226 | } | |
cca5172a | 227 | |
1da177e4 LT |
228 | expiry = get_expiry(&mesg); |
229 | if (expiry ==0) | |
230 | return -EINVAL; | |
231 | ||
232 | /* domainname, or empty for NEGATIVE */ | |
233 | len = qword_get(&mesg, buf, mlen); | |
234 | if (len < 0) return -EINVAL; | |
235 | ||
236 | if (len) { | |
237 | dom = unix_domain_find(buf); | |
238 | if (dom == NULL) | |
239 | return -ENOENT; | |
240 | } else | |
241 | dom = NULL; | |
242 | ||
07396051 | 243 | /* IPv6 scope IDs are ignored for now */ |
bf18ab32 | 244 | ipmp = __ip_map_lookup(cd, class, &sin6.sin6_addr); |
1a9917c2 | 245 | if (ipmp) { |
bf18ab32 | 246 | err = __ip_map_update(cd, ipmp, |
1a9917c2 N |
247 | container_of(dom, struct unix_domain, h), |
248 | expiry); | |
1da177e4 | 249 | } else |
1a9917c2 | 250 | err = -ENOMEM; |
1da177e4 | 251 | |
1da177e4 LT |
252 | if (dom) |
253 | auth_domain_put(dom); | |
1a9917c2 | 254 | |
1da177e4 | 255 | cache_flush(); |
1a9917c2 | 256 | return err; |
1da177e4 LT |
257 | } |
258 | ||
259 | static int ip_map_show(struct seq_file *m, | |
260 | struct cache_detail *cd, | |
261 | struct cache_head *h) | |
262 | { | |
263 | struct ip_map *im; | |
f15364bd | 264 | struct in6_addr addr; |
1da177e4 LT |
265 | char *dom = "-no-domain-"; |
266 | ||
267 | if (h == NULL) { | |
268 | seq_puts(m, "#class IP domain\n"); | |
269 | return 0; | |
270 | } | |
271 | im = container_of(h, struct ip_map, h); | |
272 | /* class addr domain */ | |
4e3fd7a0 | 273 | addr = im->m_addr; |
1da177e4 | 274 | |
cca5172a | 275 | if (test_bit(CACHE_VALID, &h->flags) && |
1da177e4 LT |
276 | !test_bit(CACHE_NEGATIVE, &h->flags)) |
277 | dom = im->m_client->h.name; | |
278 | ||
f15364bd | 279 | if (ipv6_addr_v4mapped(&addr)) { |
21454aaa HH |
280 | seq_printf(m, "%s %pI4 %s\n", |
281 | im->m_class, &addr.s6_addr32[3], dom); | |
f15364bd | 282 | } else { |
5b095d98 | 283 | seq_printf(m, "%s %pI6 %s\n", im->m_class, &addr, dom); |
f15364bd | 284 | } |
1da177e4 LT |
285 | return 0; |
286 | } | |
cca5172a | 287 | |
1da177e4 | 288 | |
bf18ab32 PE |
289 | static struct ip_map *__ip_map_lookup(struct cache_detail *cd, char *class, |
290 | struct in6_addr *addr) | |
1a9917c2 N |
291 | { |
292 | struct ip_map ip; | |
293 | struct cache_head *ch; | |
294 | ||
295 | strcpy(ip.m_class, class); | |
4e3fd7a0 | 296 | ip.m_addr = *addr; |
fd5d2f78 TM |
297 | ch = sunrpc_cache_lookup_rcu(cd, &ip.h, |
298 | hash_str(class, IP_HASHBITS) ^ | |
299 | hash_ip6(addr)); | |
1a9917c2 N |
300 | |
301 | if (ch) | |
302 | return container_of(ch, struct ip_map, h); | |
303 | else | |
304 | return NULL; | |
305 | } | |
1da177e4 | 306 | |
bf18ab32 | 307 | static int __ip_map_update(struct cache_detail *cd, struct ip_map *ipm, |
f559935e | 308 | struct unix_domain *udom, time64_t expiry) |
1a9917c2 N |
309 | { |
310 | struct ip_map ip; | |
311 | struct cache_head *ch; | |
312 | ||
313 | ip.m_client = udom; | |
314 | ip.h.flags = 0; | |
315 | if (!udom) | |
316 | set_bit(CACHE_NEGATIVE, &ip.h.flags); | |
1a9917c2 | 317 | ip.h.expiry_time = expiry; |
bf18ab32 | 318 | ch = sunrpc_cache_update(cd, &ip.h, &ipm->h, |
1a9917c2 | 319 | hash_str(ipm->m_class, IP_HASHBITS) ^ |
ddbe5032 | 320 | hash_ip6(&ipm->m_addr)); |
1a9917c2 N |
321 | if (!ch) |
322 | return -ENOMEM; | |
bf18ab32 | 323 | cache_put(ch, cd); |
1a9917c2 N |
324 | return 0; |
325 | } | |
1da177e4 | 326 | |
e5f06f72 | 327 | void svcauth_unix_purge(struct net *net) |
1da177e4 | 328 | { |
e5f06f72 | 329 | struct sunrpc_net *sn; |
90d51b02 | 330 | |
e5f06f72 SK |
331 | sn = net_generic(net, sunrpc_net_id); |
332 | cache_purge(sn->ip_map_cache); | |
1da177e4 | 333 | } |
24c3767e | 334 | EXPORT_SYMBOL_GPL(svcauth_unix_purge); |
1da177e4 | 335 | |
7b2b1fee | 336 | static inline struct ip_map * |
3be4479f | 337 | ip_map_cached_get(struct svc_xprt *xprt) |
7b2b1fee | 338 | { |
def13d74 | 339 | struct ip_map *ipm = NULL; |
90d51b02 | 340 | struct sunrpc_net *sn; |
def13d74 TT |
341 | |
342 | if (test_bit(XPT_CACHE_AUTH, &xprt->xpt_flags)) { | |
343 | spin_lock(&xprt->xpt_lock); | |
344 | ipm = xprt->xpt_auth_cache; | |
345 | if (ipm != NULL) { | |
7715cde8 N |
346 | sn = net_generic(xprt->xpt_net, sunrpc_net_id); |
347 | if (cache_is_expired(sn->ip_map_cache, &ipm->h)) { | |
def13d74 TT |
348 | /* |
349 | * The entry has been invalidated since it was | |
350 | * remembered, e.g. by a second mount from the | |
351 | * same IP address. | |
352 | */ | |
353 | xprt->xpt_auth_cache = NULL; | |
354 | spin_unlock(&xprt->xpt_lock); | |
90d51b02 | 355 | cache_put(&ipm->h, sn->ip_map_cache); |
def13d74 TT |
356 | return NULL; |
357 | } | |
358 | cache_get(&ipm->h); | |
7b2b1fee | 359 | } |
def13d74 | 360 | spin_unlock(&xprt->xpt_lock); |
7b2b1fee GB |
361 | } |
362 | return ipm; | |
363 | } | |
364 | ||
365 | static inline void | |
3be4479f | 366 | ip_map_cached_put(struct svc_xprt *xprt, struct ip_map *ipm) |
7b2b1fee | 367 | { |
def13d74 TT |
368 | if (test_bit(XPT_CACHE_AUTH, &xprt->xpt_flags)) { |
369 | spin_lock(&xprt->xpt_lock); | |
370 | if (xprt->xpt_auth_cache == NULL) { | |
371 | /* newly cached, keep the reference */ | |
372 | xprt->xpt_auth_cache = ipm; | |
373 | ipm = NULL; | |
374 | } | |
375 | spin_unlock(&xprt->xpt_lock); | |
30f3deee | 376 | } |
90d51b02 PE |
377 | if (ipm) { |
378 | struct sunrpc_net *sn; | |
379 | ||
380 | sn = net_generic(xprt->xpt_net, sunrpc_net_id); | |
381 | cache_put(&ipm->h, sn->ip_map_cache); | |
382 | } | |
7b2b1fee GB |
383 | } |
384 | ||
385 | void | |
e3bfca01 | 386 | svcauth_unix_info_release(struct svc_xprt *xpt) |
7b2b1fee | 387 | { |
e3bfca01 PE |
388 | struct ip_map *ipm; |
389 | ||
390 | ipm = xpt->xpt_auth_cache; | |
90d51b02 PE |
391 | if (ipm != NULL) { |
392 | struct sunrpc_net *sn; | |
393 | ||
394 | sn = net_generic(xpt->xpt_net, sunrpc_net_id); | |
395 | cache_put(&ipm->h, sn->ip_map_cache); | |
396 | } | |
7b2b1fee GB |
397 | } |
398 | ||
3fc605a2 N |
399 | /**************************************************************************** |
400 | * auth.unix.gid cache | |
401 | * simple cache to map a UID to a list of GIDs | |
5786461b | 402 | * because AUTH_UNIX aka AUTH_SYS has a max of UNX_NGROUPS |
3fc605a2 N |
403 | */ |
404 | #define GID_HASHBITS 8 | |
405 | #define GID_HASHMAX (1<<GID_HASHBITS) | |
3fc605a2 N |
406 | |
407 | struct unix_gid { | |
408 | struct cache_head h; | |
7eaf040b | 409 | kuid_t uid; |
3fc605a2 | 410 | struct group_info *gi; |
fd5d2f78 | 411 | struct rcu_head rcu; |
3fc605a2 | 412 | }; |
3fc605a2 | 413 | |
9e469e30 EB |
414 | static int unix_gid_hash(kuid_t uid) |
415 | { | |
416 | return hash_long(from_kuid(&init_user_ns, uid), GID_HASHBITS); | |
417 | } | |
418 | ||
3fc605a2 N |
419 | static void unix_gid_put(struct kref *kref) |
420 | { | |
421 | struct cache_head *item = container_of(kref, struct cache_head, ref); | |
422 | struct unix_gid *ug = container_of(item, struct unix_gid, h); | |
423 | if (test_bit(CACHE_VALID, &item->flags) && | |
424 | !test_bit(CACHE_NEGATIVE, &item->flags)) | |
425 | put_group_info(ug->gi); | |
fd5d2f78 | 426 | kfree_rcu(ug, rcu); |
3fc605a2 N |
427 | } |
428 | ||
429 | static int unix_gid_match(struct cache_head *corig, struct cache_head *cnew) | |
430 | { | |
431 | struct unix_gid *orig = container_of(corig, struct unix_gid, h); | |
432 | struct unix_gid *new = container_of(cnew, struct unix_gid, h); | |
0b4d51b0 | 433 | return uid_eq(orig->uid, new->uid); |
3fc605a2 N |
434 | } |
435 | static void unix_gid_init(struct cache_head *cnew, struct cache_head *citem) | |
436 | { | |
437 | struct unix_gid *new = container_of(cnew, struct unix_gid, h); | |
438 | struct unix_gid *item = container_of(citem, struct unix_gid, h); | |
439 | new->uid = item->uid; | |
440 | } | |
441 | static void unix_gid_update(struct cache_head *cnew, struct cache_head *citem) | |
442 | { | |
443 | struct unix_gid *new = container_of(cnew, struct unix_gid, h); | |
444 | struct unix_gid *item = container_of(citem, struct unix_gid, h); | |
445 | ||
446 | get_group_info(item->gi); | |
447 | new->gi = item->gi; | |
448 | } | |
449 | static struct cache_head *unix_gid_alloc(void) | |
450 | { | |
451 | struct unix_gid *g = kmalloc(sizeof(*g), GFP_KERNEL); | |
452 | if (g) | |
453 | return &g->h; | |
454 | else | |
455 | return NULL; | |
456 | } | |
457 | ||
65286b88 TM |
458 | static int unix_gid_upcall(struct cache_detail *cd, struct cache_head *h) |
459 | { | |
460 | return sunrpc_cache_pipe_upcall_timeout(cd, h); | |
461 | } | |
462 | ||
3fc605a2 N |
463 | static void unix_gid_request(struct cache_detail *cd, |
464 | struct cache_head *h, | |
465 | char **bpp, int *blen) | |
466 | { | |
467 | char tuid[20]; | |
468 | struct unix_gid *ug = container_of(h, struct unix_gid, h); | |
469 | ||
25da9263 | 470 | snprintf(tuid, 20, "%u", from_kuid(&init_user_ns, ug->uid)); |
3fc605a2 N |
471 | qword_add(bpp, blen, tuid); |
472 | (*bpp)[-1] = '\n'; | |
473 | } | |
474 | ||
7eaf040b | 475 | static struct unix_gid *unix_gid_lookup(struct cache_detail *cd, kuid_t uid); |
3fc605a2 N |
476 | |
477 | static int unix_gid_parse(struct cache_detail *cd, | |
478 | char *mesg, int mlen) | |
479 | { | |
480 | /* uid expiry Ngid gid0 gid1 ... gidN-1 */ | |
25da9263 EB |
481 | int id; |
482 | kuid_t uid; | |
3fc605a2 N |
483 | int gids; |
484 | int rv; | |
485 | int i; | |
486 | int err; | |
f559935e | 487 | time64_t expiry; |
3fc605a2 N |
488 | struct unix_gid ug, *ugp; |
489 | ||
3476964d | 490 | if (mesg[mlen - 1] != '\n') |
3fc605a2 N |
491 | return -EINVAL; |
492 | mesg[mlen-1] = 0; | |
493 | ||
25da9263 | 494 | rv = get_int(&mesg, &id); |
3fc605a2 N |
495 | if (rv) |
496 | return -EINVAL; | |
ccfe51a5 | 497 | uid = make_kuid(current_user_ns(), id); |
3fc605a2 N |
498 | ug.uid = uid; |
499 | ||
500 | expiry = get_expiry(&mesg); | |
501 | if (expiry == 0) | |
502 | return -EINVAL; | |
503 | ||
504 | rv = get_int(&mesg, &gids); | |
505 | if (rv || gids < 0 || gids > 8192) | |
506 | return -EINVAL; | |
507 | ||
508 | ug.gi = groups_alloc(gids); | |
509 | if (!ug.gi) | |
510 | return -ENOMEM; | |
511 | ||
512 | for (i = 0 ; i < gids ; i++) { | |
513 | int gid; | |
ae2975bc | 514 | kgid_t kgid; |
3fc605a2 N |
515 | rv = get_int(&mesg, &gid); |
516 | err = -EINVAL; | |
517 | if (rv) | |
518 | goto out; | |
ccfe51a5 | 519 | kgid = make_kgid(current_user_ns(), gid); |
ae2975bc EB |
520 | if (!gid_valid(kgid)) |
521 | goto out; | |
81243eac | 522 | ug.gi->gid[i] = kgid; |
3fc605a2 N |
523 | } |
524 | ||
bdcf0a42 | 525 | groups_sort(ug.gi); |
73393232 | 526 | ugp = unix_gid_lookup(cd, uid); |
3fc605a2 N |
527 | if (ugp) { |
528 | struct cache_head *ch; | |
529 | ug.h.flags = 0; | |
530 | ug.h.expiry_time = expiry; | |
73393232 | 531 | ch = sunrpc_cache_update(cd, |
3fc605a2 | 532 | &ug.h, &ugp->h, |
9e469e30 | 533 | unix_gid_hash(uid)); |
3fc605a2 N |
534 | if (!ch) |
535 | err = -ENOMEM; | |
536 | else { | |
537 | err = 0; | |
73393232 | 538 | cache_put(ch, cd); |
3fc605a2 N |
539 | } |
540 | } else | |
541 | err = -ENOMEM; | |
542 | out: | |
543 | if (ug.gi) | |
544 | put_group_info(ug.gi); | |
545 | return err; | |
546 | } | |
547 | ||
548 | static int unix_gid_show(struct seq_file *m, | |
549 | struct cache_detail *cd, | |
550 | struct cache_head *h) | |
551 | { | |
ccfe51a5 | 552 | struct user_namespace *user_ns = m->file->f_cred->user_ns; |
3fc605a2 N |
553 | struct unix_gid *ug; |
554 | int i; | |
555 | int glen; | |
556 | ||
557 | if (h == NULL) { | |
558 | seq_puts(m, "#uid cnt: gids...\n"); | |
559 | return 0; | |
560 | } | |
561 | ug = container_of(h, struct unix_gid, h); | |
562 | if (test_bit(CACHE_VALID, &h->flags) && | |
563 | !test_bit(CACHE_NEGATIVE, &h->flags)) | |
564 | glen = ug->gi->ngroups; | |
565 | else | |
566 | glen = 0; | |
567 | ||
25da9263 | 568 | seq_printf(m, "%u %d:", from_kuid_munged(user_ns, ug->uid), glen); |
3fc605a2 | 569 | for (i = 0; i < glen; i++) |
81243eac | 570 | seq_printf(m, " %d", from_kgid_munged(user_ns, ug->gi->gid[i])); |
3fc605a2 N |
571 | seq_printf(m, "\n"); |
572 | return 0; | |
573 | } | |
574 | ||
ee24eac3 | 575 | static const struct cache_detail unix_gid_cache_template = { |
3fc605a2 N |
576 | .owner = THIS_MODULE, |
577 | .hash_size = GID_HASHMAX, | |
3fc605a2 N |
578 | .name = "auth.unix.gid", |
579 | .cache_put = unix_gid_put, | |
65286b88 | 580 | .cache_upcall = unix_gid_upcall, |
73fb847a | 581 | .cache_request = unix_gid_request, |
3fc605a2 N |
582 | .cache_parse = unix_gid_parse, |
583 | .cache_show = unix_gid_show, | |
584 | .match = unix_gid_match, | |
585 | .init = unix_gid_init, | |
586 | .update = unix_gid_update, | |
587 | .alloc = unix_gid_alloc, | |
588 | }; | |
589 | ||
73393232 SK |
590 | int unix_gid_cache_create(struct net *net) |
591 | { | |
592 | struct sunrpc_net *sn = net_generic(net, sunrpc_net_id); | |
593 | struct cache_detail *cd; | |
594 | int err; | |
595 | ||
596 | cd = cache_create_net(&unix_gid_cache_template, net); | |
597 | if (IS_ERR(cd)) | |
598 | return PTR_ERR(cd); | |
599 | err = cache_register_net(cd, net); | |
600 | if (err) { | |
601 | cache_destroy_net(cd, net); | |
602 | return err; | |
603 | } | |
604 | sn->unix_gid_cache = cd; | |
605 | return 0; | |
606 | } | |
607 | ||
608 | void unix_gid_cache_destroy(struct net *net) | |
609 | { | |
610 | struct sunrpc_net *sn = net_generic(net, sunrpc_net_id); | |
611 | struct cache_detail *cd = sn->unix_gid_cache; | |
612 | ||
613 | sn->unix_gid_cache = NULL; | |
614 | cache_purge(cd); | |
615 | cache_unregister_net(cd, net); | |
616 | cache_destroy_net(cd, net); | |
617 | } | |
618 | ||
7eaf040b | 619 | static struct unix_gid *unix_gid_lookup(struct cache_detail *cd, kuid_t uid) |
3fc605a2 N |
620 | { |
621 | struct unix_gid ug; | |
622 | struct cache_head *ch; | |
623 | ||
624 | ug.uid = uid; | |
fd5d2f78 | 625 | ch = sunrpc_cache_lookup_rcu(cd, &ug.h, unix_gid_hash(uid)); |
3fc605a2 N |
626 | if (ch) |
627 | return container_of(ch, struct unix_gid, h); | |
628 | else | |
629 | return NULL; | |
630 | } | |
631 | ||
7eaf040b | 632 | static struct group_info *unix_gid_find(kuid_t uid, struct svc_rqst *rqstp) |
3fc605a2 | 633 | { |
dc83d6e2 BF |
634 | struct unix_gid *ug; |
635 | struct group_info *gi; | |
636 | int ret; | |
73393232 SK |
637 | struct sunrpc_net *sn = net_generic(rqstp->rq_xprt->xpt_net, |
638 | sunrpc_net_id); | |
dc83d6e2 | 639 | |
73393232 | 640 | ug = unix_gid_lookup(sn->unix_gid_cache, uid); |
3fc605a2 | 641 | if (!ug) |
dc83d6e2 | 642 | return ERR_PTR(-EAGAIN); |
73393232 | 643 | ret = cache_check(sn->unix_gid_cache, &ug->h, &rqstp->rq_chandle); |
dc83d6e2 | 644 | switch (ret) { |
3fc605a2 | 645 | case -ENOENT: |
dc83d6e2 | 646 | return ERR_PTR(-ENOENT); |
1ebede86 N |
647 | case -ETIMEDOUT: |
648 | return ERR_PTR(-ESHUTDOWN); | |
3fc605a2 | 649 | case 0: |
dc83d6e2 | 650 | gi = get_group_info(ug->gi); |
73393232 | 651 | cache_put(&ug->h, sn->unix_gid_cache); |
dc83d6e2 | 652 | return gi; |
3fc605a2 | 653 | default: |
dc83d6e2 | 654 | return ERR_PTR(-EAGAIN); |
3fc605a2 N |
655 | } |
656 | } | |
657 | ||
3ab4d8b1 | 658 | int |
1da177e4 LT |
659 | svcauth_unix_set_client(struct svc_rqst *rqstp) |
660 | { | |
f15364bd AC |
661 | struct sockaddr_in *sin; |
662 | struct sockaddr_in6 *sin6, sin6_storage; | |
1a9917c2 | 663 | struct ip_map *ipm; |
dc83d6e2 BF |
664 | struct group_info *gi; |
665 | struct svc_cred *cred = &rqstp->rq_cred; | |
3be4479f | 666 | struct svc_xprt *xprt = rqstp->rq_xprt; |
90d51b02 PE |
667 | struct net *net = xprt->xpt_net; |
668 | struct sunrpc_net *sn = net_generic(net, sunrpc_net_id); | |
1da177e4 | 669 | |
f15364bd AC |
670 | switch (rqstp->rq_addr.ss_family) { |
671 | case AF_INET: | |
672 | sin = svc_addr_in(rqstp); | |
673 | sin6 = &sin6_storage; | |
b301e82c | 674 | ipv6_addr_set_v4mapped(sin->sin_addr.s_addr, &sin6->sin6_addr); |
f15364bd AC |
675 | break; |
676 | case AF_INET6: | |
677 | sin6 = svc_addr_in6(rqstp); | |
678 | break; | |
679 | default: | |
680 | BUG(); | |
681 | } | |
682 | ||
1da177e4 LT |
683 | rqstp->rq_client = NULL; |
684 | if (rqstp->rq_proc == 0) | |
5c2465df | 685 | goto out; |
1da177e4 | 686 | |
5c2465df | 687 | rqstp->rq_auth_stat = rpc_autherr_badcred; |
3be4479f | 688 | ipm = ip_map_cached_get(xprt); |
7b2b1fee | 689 | if (ipm == NULL) |
90d51b02 | 690 | ipm = __ip_map_lookup(sn->ip_map_cache, rqstp->rq_server->sv_program->pg_class, |
f15364bd | 691 | &sin6->sin6_addr); |
1da177e4 LT |
692 | |
693 | if (ipm == NULL) | |
694 | return SVC_DENIED; | |
695 | ||
90d51b02 | 696 | switch (cache_check(sn->ip_map_cache, &ipm->h, &rqstp->rq_chandle)) { |
1da177e4 LT |
697 | default: |
698 | BUG(); | |
e0bb89ef | 699 | case -ETIMEDOUT: |
1ebede86 N |
700 | return SVC_CLOSE; |
701 | case -EAGAIN: | |
1da177e4 LT |
702 | return SVC_DROP; |
703 | case -ENOENT: | |
704 | return SVC_DENIED; | |
705 | case 0: | |
706 | rqstp->rq_client = &ipm->m_client->h; | |
efc36aa5 | 707 | kref_get(&rqstp->rq_client->ref); |
3be4479f | 708 | ip_map_cached_put(xprt, ipm); |
1da177e4 LT |
709 | break; |
710 | } | |
dc83d6e2 BF |
711 | |
712 | gi = unix_gid_find(cred->cr_uid, rqstp); | |
713 | switch (PTR_ERR(gi)) { | |
714 | case -EAGAIN: | |
715 | return SVC_DROP; | |
1ebede86 N |
716 | case -ESHUTDOWN: |
717 | return SVC_CLOSE; | |
dc83d6e2 BF |
718 | case -ENOENT: |
719 | break; | |
720 | default: | |
721 | put_group_info(cred->cr_group_info); | |
722 | cred->cr_group_info = gi; | |
723 | } | |
5c2465df CL |
724 | |
725 | out: | |
726 | rqstp->rq_auth_stat = rpc_auth_ok; | |
1da177e4 LT |
727 | return SVC_OK; |
728 | } | |
729 | ||
24c3767e | 730 | EXPORT_SYMBOL_GPL(svcauth_unix_set_client); |
3ab4d8b1 | 731 | |
1da177e4 | 732 | static int |
438623a0 | 733 | svcauth_null_accept(struct svc_rqst *rqstp) |
1da177e4 LT |
734 | { |
735 | struct kvec *argv = &rqstp->rq_arg.head[0]; | |
736 | struct kvec *resv = &rqstp->rq_res.head[0]; | |
737 | struct svc_cred *cred = &rqstp->rq_cred; | |
738 | ||
1da177e4 LT |
739 | if (argv->iov_len < 3*4) |
740 | return SVC_GARBAGE; | |
741 | ||
cca5172a | 742 | if (svc_getu32(argv) != 0) { |
1da177e4 | 743 | dprintk("svc: bad null cred\n"); |
438623a0 | 744 | rqstp->rq_auth_stat = rpc_autherr_badcred; |
1da177e4 LT |
745 | return SVC_DENIED; |
746 | } | |
76994313 | 747 | if (svc_getu32(argv) != htonl(RPC_AUTH_NULL) || svc_getu32(argv) != 0) { |
1da177e4 | 748 | dprintk("svc: bad null verf\n"); |
438623a0 | 749 | rqstp->rq_auth_stat = rpc_autherr_badverf; |
1da177e4 LT |
750 | return SVC_DENIED; |
751 | } | |
752 | ||
753 | /* Signal that mapping to nobody uid/gid is required */ | |
bf37f794 EB |
754 | cred->cr_uid = INVALID_UID; |
755 | cred->cr_gid = INVALID_GID; | |
1da177e4 LT |
756 | cred->cr_group_info = groups_alloc(0); |
757 | if (cred->cr_group_info == NULL) | |
1ebede86 | 758 | return SVC_CLOSE; /* kmalloc failure - client must retry */ |
1da177e4 LT |
759 | |
760 | /* Put NULL verifier */ | |
76994313 AD |
761 | svc_putnl(resv, RPC_AUTH_NULL); |
762 | svc_putnl(resv, 0); | |
1da177e4 | 763 | |
d5497fc6 | 764 | rqstp->rq_cred.cr_flavor = RPC_AUTH_NULL; |
1da177e4 LT |
765 | return SVC_OK; |
766 | } | |
767 | ||
768 | static int | |
769 | svcauth_null_release(struct svc_rqst *rqstp) | |
770 | { | |
771 | if (rqstp->rq_client) | |
772 | auth_domain_put(rqstp->rq_client); | |
773 | rqstp->rq_client = NULL; | |
774 | if (rqstp->rq_cred.cr_group_info) | |
775 | put_group_info(rqstp->rq_cred.cr_group_info); | |
776 | rqstp->rq_cred.cr_group_info = NULL; | |
777 | ||
778 | return 0; /* don't drop */ | |
779 | } | |
780 | ||
781 | ||
782 | struct auth_ops svcauth_null = { | |
783 | .name = "null", | |
784 | .owner = THIS_MODULE, | |
785 | .flavour = RPC_AUTH_NULL, | |
786 | .accept = svcauth_null_accept, | |
787 | .release = svcauth_null_release, | |
788 | .set_client = svcauth_unix_set_client, | |
789 | }; | |
790 | ||
791 | ||
74aaf96f CL |
792 | static int |
793 | svcauth_tls_accept(struct svc_rqst *rqstp) | |
794 | { | |
795 | struct svc_cred *cred = &rqstp->rq_cred; | |
796 | struct kvec *argv = rqstp->rq_arg.head; | |
797 | struct kvec *resv = rqstp->rq_res.head; | |
798 | ||
799 | if (argv->iov_len < XDR_UNIT * 3) | |
800 | return SVC_GARBAGE; | |
801 | ||
802 | /* Call's cred length */ | |
803 | if (svc_getu32(argv) != xdr_zero) { | |
804 | rqstp->rq_auth_stat = rpc_autherr_badcred; | |
805 | return SVC_DENIED; | |
806 | } | |
807 | ||
808 | /* Call's verifier flavor and its length */ | |
809 | if (svc_getu32(argv) != rpc_auth_null || | |
810 | svc_getu32(argv) != xdr_zero) { | |
811 | rqstp->rq_auth_stat = rpc_autherr_badverf; | |
812 | return SVC_DENIED; | |
813 | } | |
814 | ||
815 | /* AUTH_TLS is not valid on non-NULL procedures */ | |
816 | if (rqstp->rq_proc != 0) { | |
817 | rqstp->rq_auth_stat = rpc_autherr_badcred; | |
818 | return SVC_DENIED; | |
819 | } | |
820 | ||
821 | /* Mapping to nobody uid/gid is required */ | |
822 | cred->cr_uid = INVALID_UID; | |
823 | cred->cr_gid = INVALID_GID; | |
824 | cred->cr_group_info = groups_alloc(0); | |
825 | if (cred->cr_group_info == NULL) | |
826 | return SVC_CLOSE; /* kmalloc failure - client must retry */ | |
827 | ||
828 | /* Reply's verifier */ | |
829 | svc_putnl(resv, RPC_AUTH_NULL); | |
830 | if (rqstp->rq_xprt->xpt_ops->xpo_start_tls) { | |
831 | svc_putnl(resv, 8); | |
832 | memcpy(resv->iov_base + resv->iov_len, "STARTTLS", 8); | |
833 | resv->iov_len += 8; | |
834 | } else | |
835 | svc_putnl(resv, 0); | |
836 | ||
837 | rqstp->rq_cred.cr_flavor = RPC_AUTH_TLS; | |
838 | return SVC_OK; | |
839 | } | |
840 | ||
841 | struct auth_ops svcauth_tls = { | |
842 | .name = "tls", | |
843 | .owner = THIS_MODULE, | |
844 | .flavour = RPC_AUTH_TLS, | |
845 | .accept = svcauth_tls_accept, | |
846 | .release = svcauth_null_release, | |
847 | .set_client = svcauth_unix_set_client, | |
848 | }; | |
849 | ||
850 | ||
1da177e4 | 851 | static int |
438623a0 | 852 | svcauth_unix_accept(struct svc_rqst *rqstp) |
1da177e4 LT |
853 | { |
854 | struct kvec *argv = &rqstp->rq_arg.head[0]; | |
855 | struct kvec *resv = &rqstp->rq_res.head[0]; | |
856 | struct svc_cred *cred = &rqstp->rq_cred; | |
ccfe51a5 | 857 | struct user_namespace *userns; |
1da177e4 LT |
858 | u32 slen, i; |
859 | int len = argv->iov_len; | |
860 | ||
1da177e4 LT |
861 | if ((len -= 3*4) < 0) |
862 | return SVC_GARBAGE; | |
863 | ||
864 | svc_getu32(argv); /* length */ | |
865 | svc_getu32(argv); /* time stamp */ | |
76994313 | 866 | slen = XDR_QUADLEN(svc_getnl(argv)); /* machname length */ |
1da177e4 LT |
867 | if (slen > 64 || (len -= (slen + 3)*4) < 0) |
868 | goto badcred; | |
d8ed029d | 869 | argv->iov_base = (void*)((__be32*)argv->iov_base + slen); /* skip machname */ |
1da177e4 | 870 | argv->iov_len -= slen*4; |
afe3c3fd BF |
871 | /* |
872 | * Note: we skip uid_valid()/gid_valid() checks here for | |
873 | * backwards compatibility with clients that use -1 id's. | |
874 | * Instead, -1 uid or gid is later mapped to the | |
875 | * (export-specific) anonymous id by nfsd_setuser. | |
876 | * Supplementary gid's will be left alone. | |
877 | */ | |
ccfe51a5 TM |
878 | userns = (rqstp->rq_xprt && rqstp->rq_xprt->xpt_cred) ? |
879 | rqstp->rq_xprt->xpt_cred->user_ns : &init_user_ns; | |
880 | cred->cr_uid = make_kuid(userns, svc_getnl(argv)); /* uid */ | |
881 | cred->cr_gid = make_kgid(userns, svc_getnl(argv)); /* gid */ | |
76994313 | 882 | slen = svc_getnl(argv); /* gids length */ |
5786461b | 883 | if (slen > UNX_NGROUPS || (len -= (slen + 2)*4) < 0) |
1da177e4 | 884 | goto badcred; |
dc83d6e2 BF |
885 | cred->cr_group_info = groups_alloc(slen); |
886 | if (cred->cr_group_info == NULL) | |
1ebede86 | 887 | return SVC_CLOSE; |
ae2975bc | 888 | for (i = 0; i < slen; i++) { |
ccfe51a5 | 889 | kgid_t kgid = make_kgid(userns, svc_getnl(argv)); |
81243eac | 890 | cred->cr_group_info->gid[i] = kgid; |
ae2975bc | 891 | } |
bdcf0a42 | 892 | groups_sort(cred->cr_group_info); |
76994313 | 893 | if (svc_getu32(argv) != htonl(RPC_AUTH_NULL) || svc_getu32(argv) != 0) { |
438623a0 | 894 | rqstp->rq_auth_stat = rpc_autherr_badverf; |
1da177e4 LT |
895 | return SVC_DENIED; |
896 | } | |
897 | ||
898 | /* Put NULL verifier */ | |
76994313 AD |
899 | svc_putnl(resv, RPC_AUTH_NULL); |
900 | svc_putnl(resv, 0); | |
1da177e4 | 901 | |
d5497fc6 | 902 | rqstp->rq_cred.cr_flavor = RPC_AUTH_UNIX; |
1da177e4 LT |
903 | return SVC_OK; |
904 | ||
905 | badcred: | |
438623a0 | 906 | rqstp->rq_auth_stat = rpc_autherr_badcred; |
1da177e4 LT |
907 | return SVC_DENIED; |
908 | } | |
909 | ||
910 | static int | |
911 | svcauth_unix_release(struct svc_rqst *rqstp) | |
912 | { | |
913 | /* Verifier (such as it is) is already in place. | |
914 | */ | |
915 | if (rqstp->rq_client) | |
916 | auth_domain_put(rqstp->rq_client); | |
917 | rqstp->rq_client = NULL; | |
918 | if (rqstp->rq_cred.cr_group_info) | |
919 | put_group_info(rqstp->rq_cred.cr_group_info); | |
920 | rqstp->rq_cred.cr_group_info = NULL; | |
921 | ||
922 | return 0; | |
923 | } | |
924 | ||
925 | ||
926 | struct auth_ops svcauth_unix = { | |
927 | .name = "unix", | |
928 | .owner = THIS_MODULE, | |
929 | .flavour = RPC_AUTH_UNIX, | |
930 | .accept = svcauth_unix_accept, | |
931 | .release = svcauth_unix_release, | |
932 | .domain_release = svcauth_unix_domain_release, | |
933 | .set_client = svcauth_unix_set_client, | |
934 | }; | |
935 | ||
ee24eac3 | 936 | static const struct cache_detail ip_map_cache_template = { |
d05cc104 SK |
937 | .owner = THIS_MODULE, |
938 | .hash_size = IP_HASHMAX, | |
939 | .name = "auth.unix.ip", | |
940 | .cache_put = ip_map_put, | |
65286b88 | 941 | .cache_upcall = ip_map_upcall, |
73fb847a | 942 | .cache_request = ip_map_request, |
d05cc104 SK |
943 | .cache_parse = ip_map_parse, |
944 | .cache_show = ip_map_show, | |
945 | .match = ip_map_match, | |
946 | .init = ip_map_init, | |
947 | .update = update, | |
948 | .alloc = ip_map_alloc, | |
949 | }; | |
950 | ||
90d51b02 PE |
951 | int ip_map_cache_create(struct net *net) |
952 | { | |
90d51b02 | 953 | struct sunrpc_net *sn = net_generic(net, sunrpc_net_id); |
d05cc104 SK |
954 | struct cache_detail *cd; |
955 | int err; | |
90d51b02 | 956 | |
d05cc104 SK |
957 | cd = cache_create_net(&ip_map_cache_template, net); |
958 | if (IS_ERR(cd)) | |
959 | return PTR_ERR(cd); | |
90d51b02 | 960 | err = cache_register_net(cd, net); |
d05cc104 SK |
961 | if (err) { |
962 | cache_destroy_net(cd, net); | |
963 | return err; | |
964 | } | |
90d51b02 PE |
965 | sn->ip_map_cache = cd; |
966 | return 0; | |
90d51b02 PE |
967 | } |
968 | ||
969 | void ip_map_cache_destroy(struct net *net) | |
970 | { | |
d05cc104 SK |
971 | struct sunrpc_net *sn = net_generic(net, sunrpc_net_id); |
972 | struct cache_detail *cd = sn->ip_map_cache; | |
90d51b02 | 973 | |
d05cc104 SK |
974 | sn->ip_map_cache = NULL; |
975 | cache_purge(cd); | |
976 | cache_unregister_net(cd, net); | |
977 | cache_destroy_net(cd, net); | |
90d51b02 | 978 | } |