[linux-2.6-block.git] / net / sunrpc / svcauth_unix.c

#include <linux/types.h>
#include <linux/sched.h>
#include <linux/module.h>
#include <linux/sunrpc/types.h>
#include <linux/sunrpc/xdr.h>
#include <linux/sunrpc/svcsock.h>
#include <linux/sunrpc/svcauth.h>
#include <linux/err.h>
#include <linux/seq_file.h>
#include <linux/hash.h>
#include <linux/string.h>
#include <net/sock.h>

#define RPCDBG_FACILITY	RPCDBG_AUTH


/*
 * AUTHUNIX and AUTHNULL credentials are both handled here.
 * AUTHNULL is treated just like AUTHUNIX except that the uid/gid
 * are always nobody (-2).  i.e. we do the same IP address checks for
 * AUTHNULL as for AUTHUNIX, and that is done here.
 */


struct unix_domain {
	struct auth_domain	h;
	int	addr_changes;
	/* other stuff later */
};

extern struct auth_ops svcauth_unix;

struct auth_domain *unix_domain_find(char *name)
{
	struct auth_domain *rv;
	struct unix_domain *new = NULL;

	rv = auth_domain_lookup(name, NULL);
	while(1) {
		if (rv) {
			if (new && rv != &new->h)
				auth_domain_put(&new->h);

			if (rv->flavour != &svcauth_unix) {
				auth_domain_put(rv);
				return NULL;
			}
			return rv;
		}

		new = kmalloc(sizeof(*new), GFP_KERNEL);
		if (new == NULL)
			return NULL;
		kref_init(&new->h.ref);
		new->h.name = kstrdup(name, GFP_KERNEL);
		if (new->h.name == NULL) {
			kfree(new);
			return NULL;
		}
		new->h.flavour = &svcauth_unix;
		new->addr_changes = 0;
		rv = auth_domain_lookup(name, &new->h);
	}
}

static void svcauth_unix_domain_release(struct auth_domain *dom)
{
	struct unix_domain *ud = container_of(dom, struct unix_domain, h);

	kfree(dom->name);
	kfree(ud);
}


/**************************************************
 * cache for IP address to unix_domain
 * as needed by AUTH_UNIX
 */
#define	IP_HASHBITS	8
#define	IP_HASHMAX	(1<<IP_HASHBITS)
#define	IP_HASHMASK	(IP_HASHMAX-1)

struct ip_map {
	struct cache_head	h;
	char			m_class[8]; /* e.g. "nfsd" */
	struct in_addr		m_addr;
	struct unix_domain	*m_client;
	int			m_add_change;
};
static struct cache_head	*ip_table[IP_HASHMAX];

static void ip_map_put(struct kref *kref)
{
	struct cache_head *item = container_of(kref, struct cache_head, ref);
	struct ip_map *im = container_of(item, struct ip_map,h);

	if (test_bit(CACHE_VALID, &item->flags) &&
	    !test_bit(CACHE_NEGATIVE, &item->flags))
		auth_domain_put(&im->m_client->h);
	kfree(im);
}

#if IP_HASHBITS == 8
/* hash_long on a 64 bit machine is currently REALLY BAD for
 * IP addresses in reverse-endian (i.e. on a little-endian machine).
 * So use a trivial but reliable hash instead
 */
static inline int hash_ip(__be32 ip)
{
	int hash = (__force u32)ip ^ ((__force u32)ip>>16);
	return (hash ^ (hash>>8)) & 0xff;
}
#endif
static int ip_map_match(struct cache_head *corig, struct cache_head *cnew)
{
	struct ip_map *orig = container_of(corig, struct ip_map, h);
	struct ip_map *new = container_of(cnew, struct ip_map, h);
	return strcmp(orig->m_class, new->m_class) == 0
		&& orig->m_addr.s_addr == new->m_addr.s_addr;
}
static void ip_map_init(struct cache_head *cnew, struct cache_head *citem)
{
	struct ip_map *new = container_of(cnew, struct ip_map, h);
	struct ip_map *item = container_of(citem, struct ip_map, h);

	strcpy(new->m_class, item->m_class);
	new->m_addr.s_addr = item->m_addr.s_addr;
}
static void update(struct cache_head *cnew, struct cache_head *citem)
{
	struct ip_map *new = container_of(cnew, struct ip_map, h);
	struct ip_map *item = container_of(citem, struct ip_map, h);

	kref_get(&item->m_client->h.ref);
	new->m_client = item->m_client;
	new->m_add_change = item->m_add_change;
}
static struct cache_head *ip_map_alloc(void)
{
	struct ip_map *i = kmalloc(sizeof(*i), GFP_KERNEL);
	if (i)
		return &i->h;
	else
		return NULL;
}

static void ip_map_request(struct cache_detail *cd,
				  struct cache_head *h,
				  char **bpp, int *blen)
{
	char text_addr[20];
	struct ip_map *im = container_of(h, struct ip_map, h);
	__be32 addr = im->m_addr.s_addr;

	snprintf(text_addr, 20, "%u.%u.%u.%u",
		 ntohl(addr) >> 24 & 0xff,
		 ntohl(addr) >> 16 & 0xff,
		 ntohl(addr) >>  8 & 0xff,
		 ntohl(addr) >>  0 & 0xff);

	qword_add(bpp, blen, im->m_class);
	qword_add(bpp, blen, text_addr);
	(*bpp)[-1] = '\n';
}

static struct ip_map *ip_map_lookup(char *class, struct in_addr addr);
static int ip_map_update(struct ip_map *ipm, struct unix_domain *udom, time_t expiry);

static int ip_map_parse(struct cache_detail *cd,
			  char *mesg, int mlen)
{
	/* class ipaddress [domainname] */
	/* should be safe just to use the start of the input buffer
	 * for scratch: */
	char *buf = mesg;
	int len;
	int b1,b2,b3,b4;
	char c;
	char class[8];
	struct in_addr addr;
	int err;

	struct ip_map *ipmp;
	struct auth_domain *dom;
	time_t expiry;

	if (mesg[mlen-1] != '\n')
		return -EINVAL;
	mesg[mlen-1] = 0;

	/* class */
	len = qword_get(&mesg, class, sizeof(class));
	if (len <= 0) return -EINVAL;

	/* ip address */
	len = qword_get(&mesg, buf, mlen);
	if (len <= 0) return -EINVAL;

	if (sscanf(buf, "%u.%u.%u.%u%c", &b1, &b2, &b3, &b4, &c) != 4)
		return -EINVAL;

	expiry = get_expiry(&mesg);
	if (expiry ==0)
		return -EINVAL;

	/* domainname, or empty for NEGATIVE */
	len = qword_get(&mesg, buf, mlen);
	if (len < 0) return -EINVAL;

	if (len) {
		dom = unix_domain_find(buf);
		if (dom == NULL)
			return -ENOENT;
	} else
		dom = NULL;

	addr.s_addr =
		htonl((((((b1<<8)|b2)<<8)|b3)<<8)|b4);

	ipmp = ip_map_lookup(class,addr);
	if (ipmp) {
		err = ip_map_update(ipmp,
			     container_of(dom, struct unix_domain, h),
			     expiry);
	} else
		err = -ENOMEM;

	if (dom)
		auth_domain_put(dom);

	cache_flush();
	return err;
}

static int ip_map_show(struct seq_file *m,
		       struct cache_detail *cd,
		       struct cache_head *h)
{
	struct ip_map *im;
	struct in_addr addr;
	char *dom = "-no-domain-";

	if (h == NULL) {
		seq_puts(m, "#class IP domain\n");
		return 0;
	}
	im = container_of(h, struct ip_map, h);
	/* class addr domain */
	addr = im->m_addr;

	if (test_bit(CACHE_VALID, &h->flags) &&
	    !test_bit(CACHE_NEGATIVE, &h->flags))
		dom = im->m_client->h.name;

	seq_printf(m, "%s %d.%d.%d.%d %s\n",
		   im->m_class,
		   ntohl(addr.s_addr) >> 24 & 0xff,
		   ntohl(addr.s_addr) >> 16 & 0xff,
		   ntohl(addr.s_addr) >>  8 & 0xff,
		   ntohl(addr.s_addr) >>  0 & 0xff,
		   dom
		   );
	return 0;
}


struct cache_detail ip_map_cache = {
	.owner		= THIS_MODULE,
	.hash_size	= IP_HASHMAX,
	.hash_table	= ip_table,
	.name		= "auth.unix.ip",
	.cache_put	= ip_map_put,
	.cache_request	= ip_map_request,
	.cache_parse	= ip_map_parse,
	.cache_show	= ip_map_show,
	.match		= ip_map_match,
	.init		= ip_map_init,
	.update		= update,
	.alloc		= ip_map_alloc,
};

static struct ip_map *ip_map_lookup(char *class, struct in_addr addr)
{
	struct ip_map ip;
	struct cache_head *ch;

	strcpy(ip.m_class, class);
	ip.m_addr = addr;
	ch = sunrpc_cache_lookup(&ip_map_cache, &ip.h,
				 hash_str(class, IP_HASHBITS) ^
				 hash_ip(addr.s_addr));

	if (ch)
		return container_of(ch, struct ip_map, h);
	else
		return NULL;
}

static int ip_map_update(struct ip_map *ipm, struct unix_domain *udom, time_t expiry)
{
	struct ip_map ip;
	struct cache_head *ch;

	ip.m_client = udom;
	ip.h.flags = 0;
	if (!udom)
		set_bit(CACHE_NEGATIVE, &ip.h.flags);
	else {
		ip.m_add_change = udom->addr_changes;
		/* if this is from the legacy set_client system call,
		 * we need m_add_change to be one higher
		 */
		if (expiry == NEVER)
			ip.m_add_change++;
	}
	ip.h.expiry_time = expiry;
	ch = sunrpc_cache_update(&ip_map_cache,
				 &ip.h, &ipm->h,
				 hash_str(ipm->m_class, IP_HASHBITS) ^
				 hash_ip(ipm->m_addr.s_addr));
	if (!ch)
		return -ENOMEM;
	cache_put(ch, &ip_map_cache);
	return 0;
}

int auth_unix_add_addr(struct in_addr addr, struct auth_domain *dom)
{
	struct unix_domain *udom;
	struct ip_map *ipmp;

	if (dom->flavour != &svcauth_unix)
		return -EINVAL;
	udom = container_of(dom, struct unix_domain, h);
	ipmp = ip_map_lookup("nfsd", addr);

	if (ipmp)
		return ip_map_update(ipmp, udom, NEVER);
	else
		return -ENOMEM;
}

int auth_unix_forget_old(struct auth_domain *dom)
{
	struct unix_domain *udom;

	if (dom->flavour != &svcauth_unix)
		return -EINVAL;
	udom = container_of(dom, struct unix_domain, h);
	udom->addr_changes++;
	return 0;
}

struct auth_domain *auth_unix_lookup(struct in_addr addr)
{
	struct ip_map *ipm;
	struct auth_domain *rv;

	ipm = ip_map_lookup("nfsd", addr);

	if (!ipm)
		return NULL;
	if (cache_check(&ip_map_cache, &ipm->h, NULL))
		return NULL;

	if ((ipm->m_client->addr_changes - ipm->m_add_change) >0) {
		if (test_and_set_bit(CACHE_NEGATIVE, &ipm->h.flags) == 0)
			auth_domain_put(&ipm->m_client->h);
		rv = NULL;
	} else {
		rv = &ipm->m_client->h;
		kref_get(&rv->ref);
	}
	cache_put(&ipm->h, &ip_map_cache);
	return rv;
}

void svcauth_unix_purge(void)
{
	cache_purge(&ip_map_cache);
}

static inline struct ip_map *
ip_map_cached_get(struct svc_rqst *rqstp)
{
	struct ip_map *ipm = rqstp->rq_sock->sk_info_authunix;
	if (ipm != NULL) {
		if (!cache_valid(&ipm->h)) {
			/*
			 * The entry has been invalidated since it was
			 * remembered, e.g. by a second mount from the
			 * same IP address.
			 */
			rqstp->rq_sock->sk_info_authunix = NULL;
			cache_put(&ipm->h, &ip_map_cache);
			return NULL;
		}
		cache_get(&ipm->h);
	}
	return ipm;
}

static inline void
ip_map_cached_put(struct svc_rqst *rqstp, struct ip_map *ipm)
{
	struct svc_sock *svsk = rqstp->rq_sock;

	if (svsk->sk_sock->type == SOCK_STREAM && svsk->sk_info_authunix == NULL)
		svsk->sk_info_authunix = ipm;	/* newly cached, keep the reference */
	else
		cache_put(&ipm->h, &ip_map_cache);
}

void
svcauth_unix_info_release(void *info)
{
	struct ip_map *ipm = info;
	cache_put(&ipm->h, &ip_map_cache);
}

static int
svcauth_unix_set_client(struct svc_rqst *rqstp)
{
	struct sockaddr_in *sin = svc_addr_in(rqstp);
	struct ip_map *ipm;

	rqstp->rq_client = NULL;
	if (rqstp->rq_proc == 0)
		return SVC_OK;

	ipm = ip_map_cached_get(rqstp);
	if (ipm == NULL)
		ipm = ip_map_lookup(rqstp->rq_server->sv_program->pg_class,
				    sin->sin_addr);

	if (ipm == NULL)
		return SVC_DENIED;

	switch (cache_check(&ip_map_cache, &ipm->h, &rqstp->rq_chandle)) {
		default:
			BUG();
		case -EAGAIN:
		case -ETIMEDOUT:
			return SVC_DROP;
		case -ENOENT:
			return SVC_DENIED;
		case 0:
			rqstp->rq_client = &ipm->m_client->h;
			kref_get(&rqstp->rq_client->ref);
			ip_map_cached_put(rqstp, ipm);
			break;
	}
	return SVC_OK;
}

static int
svcauth_null_accept(struct svc_rqst *rqstp, __be32 *authp)
{
	struct kvec	*argv = &rqstp->rq_arg.head[0];
	struct kvec	*resv = &rqstp->rq_res.head[0];
	struct svc_cred	*cred = &rqstp->rq_cred;

	cred->cr_group_info = NULL;
	rqstp->rq_client = NULL;

	if (argv->iov_len < 3*4)
		return SVC_GARBAGE;

	if (svc_getu32(argv) != 0) {
		dprintk("svc: bad null cred\n");
		*authp = rpc_autherr_badcred;
		return SVC_DENIED;
	}
	if (svc_getu32(argv) != htonl(RPC_AUTH_NULL) || svc_getu32(argv) != 0) {
		dprintk("svc: bad null verf\n");
		*authp = rpc_autherr_badverf;
		return SVC_DENIED;
	}

	/* Signal that mapping to nobody uid/gid is required */
	cred->cr_uid = (uid_t) -1;
	cred->cr_gid = (gid_t) -1;
	cred->cr_group_info = groups_alloc(0);
	if (cred->cr_group_info == NULL)
		return SVC_DROP; /* kmalloc failure - client must retry */

	/* Put NULL verifier */
	svc_putnl(resv, RPC_AUTH_NULL);
	svc_putnl(resv, 0);

	return SVC_OK;
}

static int
svcauth_null_release(struct svc_rqst *rqstp)
{
	if (rqstp->rq_client)
		auth_domain_put(rqstp->rq_client);
	rqstp->rq_client = NULL;
	if (rqstp->rq_cred.cr_group_info)
		put_group_info(rqstp->rq_cred.cr_group_info);
	rqstp->rq_cred.cr_group_info = NULL;

	return 0; /* don't drop */
}


struct auth_ops svcauth_null = {
	.name		= "null",
	.owner		= THIS_MODULE,
	.flavour	= RPC_AUTH_NULL,
	.accept 	= svcauth_null_accept,
	.release	= svcauth_null_release,
	.set_client	= svcauth_unix_set_client,
};


static int
svcauth_unix_accept(struct svc_rqst *rqstp, __be32 *authp)
{
	struct kvec	*argv = &rqstp->rq_arg.head[0];
	struct kvec	*resv = &rqstp->rq_res.head[0];
	struct svc_cred	*cred = &rqstp->rq_cred;
	u32		slen, i;
	int		len   = argv->iov_len;

	cred->cr_group_info = NULL;
	rqstp->rq_client = NULL;

	if ((len -= 3*4) < 0)
		return SVC_GARBAGE;

	svc_getu32(argv);			/* length */
	svc_getu32(argv);			/* time stamp */
	slen = XDR_QUADLEN(svc_getnl(argv));	/* machname length */
	if (slen > 64 || (len -= (slen + 3)*4) < 0)
		goto badcred;
	argv->iov_base = (void*)((__be32*)argv->iov_base + slen);	/* skip machname */
	argv->iov_len -= slen*4;

	cred->cr_uid = svc_getnl(argv);		/* uid */
	cred->cr_gid = svc_getnl(argv);		/* gid */
	slen = svc_getnl(argv);			/* gids length */
	if (slen > 16 || (len -= (slen + 2)*4) < 0)
		goto badcred;
	cred->cr_group_info = groups_alloc(slen);
	if (cred->cr_group_info == NULL)
		return SVC_DROP;
	for (i = 0; i < slen; i++)
		GROUP_AT(cred->cr_group_info, i) = svc_getnl(argv);

	if (svc_getu32(argv) != htonl(RPC_AUTH_NULL) || svc_getu32(argv) != 0) {
		*authp = rpc_autherr_badverf;
		return SVC_DENIED;
	}

	/* Put NULL verifier */
	svc_putnl(resv, RPC_AUTH_NULL);
	svc_putnl(resv, 0);

	return SVC_OK;

badcred:
	*authp = rpc_autherr_badcred;
	return SVC_DENIED;
}

static int
svcauth_unix_release(struct svc_rqst *rqstp)
{
	/* Verifier (such as it is) is already in place.
	 */
	if (rqstp->rq_client)
		auth_domain_put(rqstp->rq_client);
	rqstp->rq_client = NULL;
	if (rqstp->rq_cred.cr_group_info)
		put_group_info(rqstp->rq_cred.cr_group_info);
	rqstp->rq_cred.cr_group_info = NULL;

	return 0;
}


struct auth_ops svcauth_unix = {
	.name		= "unix",
	.owner		= THIS_MODULE,
	.flavour	= RPC_AUTH_UNIX,
	.accept 	= svcauth_unix_accept,
	.release	= svcauth_unix_release,
	.domain_release	= svcauth_unix_domain_release,
	.set_client	= svcauth_unix_set_client,
};
Commit	Line	Data
1da177e4 LT	1	#include <linux/types.h>
	2	#include <linux/sched.h>
	3	#include <linux/module.h>
	4	#include <linux/sunrpc/types.h>
	5	#include <linux/sunrpc/xdr.h>
	6	#include <linux/sunrpc/svcsock.h>
	7	#include <linux/sunrpc/svcauth.h>
	8	#include <linux/err.h>
	9	#include <linux/seq_file.h>
	10	#include <linux/hash.h>
543537bd	11	#include <linux/string.h>
7b2b1fee	12	#include <net/sock.h>
1da177e4 LT	13
	14	#define RPCDBG_FACILITY RPCDBG_AUTH
	15
	16
	17	/*
	18	* AUTHUNIX and AUTHNULL credentials are both handled here.
	19	* AUTHNULL is treated just like AUTHUNIX except that the uid/gid
	20	* are always nobody (-2). i.e. we do the same IP address checks for
	21	* AUTHNULL as for AUTHUNIX, and that is done here.
	22	*/
	23
	24
1da177e4 LT	25	struct unix_domain {
	26	struct auth_domain h;
	27	int addr_changes;
	28	/* other stuff later */
	29	};
	30
efc36aa5 N	31	extern struct auth_ops svcauth_unix;
efc36aa5 N	32
1da177e4 LT	33	struct auth_domain unix_domain_find(char name)
1da177e4 LT	34	{
efc36aa5 N	35	struct auth_domain *rv;
	36	struct unix_domain *new = NULL;
	37
	38	rv = auth_domain_lookup(name, NULL);
	39	while(1) {
ad1b5229 N	40	if (rv) {
	41	if (new && rv != &new->h)
	42	auth_domain_put(&new->h);
	43
	44	if (rv->flavour != &svcauth_unix) {
	45	auth_domain_put(rv);
	46	return NULL;
	47	}
efc36aa5 N	48	return rv;
efc36aa5 N	49	}
efc36aa5 N	50
	51	new = kmalloc(sizeof(*new), GFP_KERNEL);
	52	if (new == NULL)
	53	return NULL;
	54	kref_init(&new->h.ref);
	55	new->h.name = kstrdup(name, GFP_KERNEL);
dd08d6ea N	56	if (new->h.name == NULL) {
	57	kfree(new);
	58	return NULL;
	59	}
efc36aa5 N	60	new->h.flavour = &svcauth_unix;
	61	new->addr_changes = 0;
	62	rv = auth_domain_lookup(name, &new->h);
1da177e4	63	}
1da177e4 LT	64	}
	65
	66	static void svcauth_unix_domain_release(struct auth_domain *dom)
	67	{
	68	struct unix_domain *ud = container_of(dom, struct unix_domain, h);
	69
	70	kfree(dom->name);
	71	kfree(ud);
	72	}
	73
	74
	75	/**************************************************
	76	* cache for IP address to unix_domain
	77	* as needed by AUTH_UNIX
	78	*/
	79	#define IP_HASHBITS 8
	80	#define IP_HASHMAX (1<<IP_HASHBITS)
	81	#define IP_HASHMASK (IP_HASHMAX-1)
	82
	83	struct ip_map {
	84	struct cache_head h;
	85	char m_class[8]; /* e.g. "nfsd" */
	86	struct in_addr m_addr;
	87	struct unix_domain *m_client;
	88	int m_add_change;
	89	};
	90	static struct cache_head *ip_table[IP_HASHMAX];
	91
baab935f	92	static void ip_map_put(struct kref *kref)
1da177e4	93	{
baab935f	94	struct cache_head *item = container_of(kref, struct cache_head, ref);
1da177e4	95	struct ip_map *im = container_of(item, struct ip_map,h);
baab935f N	96
	97	if (test_bit(CACHE_VALID, &item->flags) &&
	98	!test_bit(CACHE_NEGATIVE, &item->flags))
	99	auth_domain_put(&im->m_client->h);
	100	kfree(im);
1da177e4 LT	101	}
1da177e4 LT	102
1f1e030b N	103	#if IP_HASHBITS == 8
	104	/* hash_long on a 64 bit machine is currently REALLY BAD for
	105	* IP addresses in reverse-endian (i.e. on a little-endian machine).
	106	* So use a trivial but reliable hash instead
	107	*/
4806126d	108	static inline int hash_ip(__be32 ip)
1f1e030b	109	{
4806126d	110	int hash = (__force u32)ip ^ ((__force u32)ip>>16);
1f1e030b N	111	return (hash ^ (hash>>8)) & 0xff;
	112	}
	113	#endif
1a9917c2	114	static int ip_map_match(struct cache_head corig, struct cache_head cnew)
1da177e4	115	{
1a9917c2 N	116	struct ip_map *orig = container_of(corig, struct ip_map, h);
	117	struct ip_map *new = container_of(cnew, struct ip_map, h);
	118	return strcmp(orig->m_class, new->m_class) == 0
	119	&& orig->m_addr.s_addr == new->m_addr.s_addr;
1da177e4	120	}
1a9917c2	121	static void ip_map_init(struct cache_head cnew, struct cache_head citem)
1da177e4	122	{
1a9917c2 N	123	struct ip_map *new = container_of(cnew, struct ip_map, h);
	124	struct ip_map *item = container_of(citem, struct ip_map, h);
	125
1da177e4 LT	126	strcpy(new->m_class, item->m_class);
	127	new->m_addr.s_addr = item->m_addr.s_addr;
	128	}
1a9917c2	129	static void update(struct cache_head cnew, struct cache_head citem)
1da177e4	130	{
1a9917c2 N	131	struct ip_map *new = container_of(cnew, struct ip_map, h);
	132	struct ip_map *item = container_of(citem, struct ip_map, h);
	133
efc36aa5	134	kref_get(&item->m_client->h.ref);
1da177e4 LT	135	new->m_client = item->m_client;
	136	new->m_add_change = item->m_add_change;
	137	}
1a9917c2 N	138	static struct cache_head *ip_map_alloc(void)
	139	{
	140	struct ip_map i = kmalloc(sizeof(i), GFP_KERNEL);
	141	if (i)
	142	return &i->h;
	143	else
	144	return NULL;
	145	}
1da177e4 LT	146
	147	static void ip_map_request(struct cache_detail *cd,
	148	struct cache_head *h,
	149	char *bpp, int blen)
	150	{
	151	char text_addr[20];
	152	struct ip_map *im = container_of(h, struct ip_map, h);
d8ed029d	153	__be32 addr = im->m_addr.s_addr;
cca5172a	154
1da177e4 LT	155	snprintf(text_addr, 20, "%u.%u.%u.%u",
	156	ntohl(addr) >> 24 & 0xff,
	157	ntohl(addr) >> 16 & 0xff,
	158	ntohl(addr) >> 8 & 0xff,
	159	ntohl(addr) >> 0 & 0xff);
	160
	161	qword_add(bpp, blen, im->m_class);
	162	qword_add(bpp, blen, text_addr);
	163	(*bpp)[-1] = '\n';
	164	}
	165
1a9917c2 N	166	static struct ip_map ip_map_lookup(char class, struct in_addr addr);
1a9917c2 N	167	static int ip_map_update(struct ip_map ipm, struct unix_domain udom, time_t expiry);
1da177e4 LT	168
	169	static int ip_map_parse(struct cache_detail *cd,
	170	char *mesg, int mlen)
	171	{
	172	/* class ipaddress [domainname] */
	173	/* should be safe just to use the start of the input buffer
	174	* for scratch: */
	175	char *buf = mesg;
	176	int len;
	177	int b1,b2,b3,b4;
	178	char c;
1a9917c2 N	179	char class[8];
	180	struct in_addr addr;
	181	int err;
	182
	183	struct ip_map *ipmp;
1da177e4 LT	184	struct auth_domain *dom;
	185	time_t expiry;
	186
	187	if (mesg[mlen-1] != '\n')
	188	return -EINVAL;
	189	mesg[mlen-1] = 0;
	190
	191	/* class */
1a9917c2	192	len = qword_get(&mesg, class, sizeof(class));
1da177e4 LT	193	if (len <= 0) return -EINVAL;
	194
	195	/* ip address */
	196	len = qword_get(&mesg, buf, mlen);
	197	if (len <= 0) return -EINVAL;
	198
	199	if (sscanf(buf, "%u.%u.%u.%u%c", &b1, &b2, &b3, &b4, &c) != 4)
	200	return -EINVAL;
cca5172a	201
1da177e4 LT	202	expiry = get_expiry(&mesg);
	203	if (expiry ==0)
	204	return -EINVAL;
	205
	206	/* domainname, or empty for NEGATIVE */
	207	len = qword_get(&mesg, buf, mlen);
	208	if (len < 0) return -EINVAL;
	209
	210	if (len) {
	211	dom = unix_domain_find(buf);
	212	if (dom == NULL)
	213	return -ENOENT;
	214	} else
	215	dom = NULL;
	216
1a9917c2	217	addr.s_addr =
1da177e4	218	htonl((((((b1<<8)\|b2)<<8)\|b3)<<8)\|b4);
1a9917c2 N	219
	220	ipmp = ip_map_lookup(class,addr);
	221	if (ipmp) {
	222	err = ip_map_update(ipmp,
	223	container_of(dom, struct unix_domain, h),
	224	expiry);
1da177e4	225	} else
1a9917c2	226	err = -ENOMEM;
1da177e4	227
1da177e4 LT	228	if (dom)
1da177e4 LT	229	auth_domain_put(dom);
1a9917c2	230
1da177e4	231	cache_flush();
1a9917c2	232	return err;
1da177e4 LT	233	}
	234
	235	static int ip_map_show(struct seq_file *m,
	236	struct cache_detail *cd,
	237	struct cache_head *h)
	238	{
	239	struct ip_map *im;
	240	struct in_addr addr;
	241	char *dom = "-no-domain-";
	242
	243	if (h == NULL) {
	244	seq_puts(m, "#class IP domain\n");
	245	return 0;
	246	}
	247	im = container_of(h, struct ip_map, h);
	248	/* class addr domain */
	249	addr = im->m_addr;
	250
cca5172a	251	if (test_bit(CACHE_VALID, &h->flags) &&
1da177e4 LT	252	!test_bit(CACHE_NEGATIVE, &h->flags))
	253	dom = im->m_client->h.name;
	254
	255	seq_printf(m, "%s %d.%d.%d.%d %s\n",
	256	im->m_class,
753ed90d AV	257	ntohl(addr.s_addr) >> 24 & 0xff,
	258	ntohl(addr.s_addr) >> 16 & 0xff,
	259	ntohl(addr.s_addr) >> 8 & 0xff,
	260	ntohl(addr.s_addr) >> 0 & 0xff,
1da177e4 LT	261	dom
	262	);
	263	return 0;
	264	}
cca5172a	265
1da177e4 LT	266
1da177e4 LT	267	struct cache_detail ip_map_cache = {
f35279d3	268	.owner = THIS_MODULE,
1da177e4 LT	269	.hash_size = IP_HASHMAX,
	270	.hash_table = ip_table,
	271	.name = "auth.unix.ip",
	272	.cache_put = ip_map_put,
	273	.cache_request = ip_map_request,
	274	.cache_parse = ip_map_parse,
	275	.cache_show = ip_map_show,
1a9917c2 N	276	.match = ip_map_match,
	277	.init = ip_map_init,
	278	.update = update,
	279	.alloc = ip_map_alloc,
1da177e4 LT	280	};
1da177e4 LT	281
1a9917c2 N	282	static struct ip_map ip_map_lookup(char class, struct in_addr addr)
	283	{
	284	struct ip_map ip;
	285	struct cache_head *ch;
	286
	287	strcpy(ip.m_class, class);
	288	ip.m_addr = addr;
	289	ch = sunrpc_cache_lookup(&ip_map_cache, &ip.h,
	290	hash_str(class, IP_HASHBITS) ^
4806126d	291	hash_ip(addr.s_addr));
1a9917c2 N	292
	293	if (ch)
	294	return container_of(ch, struct ip_map, h);
	295	else
	296	return NULL;
	297	}
1da177e4	298
1a9917c2 N	299	static int ip_map_update(struct ip_map ipm, struct unix_domain udom, time_t expiry)
	300	{
	301	struct ip_map ip;
	302	struct cache_head *ch;
	303
	304	ip.m_client = udom;
	305	ip.h.flags = 0;
	306	if (!udom)
	307	set_bit(CACHE_NEGATIVE, &ip.h.flags);
	308	else {
	309	ip.m_add_change = udom->addr_changes;
	310	/* if this is from the legacy set_client system call,
	311	* we need m_add_change to be one higher
	312	*/
	313	if (expiry == NEVER)
	314	ip.m_add_change++;
	315	}
	316	ip.h.expiry_time = expiry;
	317	ch = sunrpc_cache_update(&ip_map_cache,
	318	&ip.h, &ipm->h,
	319	hash_str(ipm->m_class, IP_HASHBITS) ^
4806126d	320	hash_ip(ipm->m_addr.s_addr));
1a9917c2 N	321	if (!ch)
1a9917c2 N	322	return -ENOMEM;
baab935f	323	cache_put(ch, &ip_map_cache);
1a9917c2 N	324	return 0;
1a9917c2 N	325	}
1da177e4 LT	326
	327	int auth_unix_add_addr(struct in_addr addr, struct auth_domain *dom)
	328	{
	329	struct unix_domain *udom;
1a9917c2	330	struct ip_map *ipmp;
1da177e4	331
efc36aa5	332	if (dom->flavour != &svcauth_unix)
1da177e4 LT	333	return -EINVAL;
1da177e4 LT	334	udom = container_of(dom, struct unix_domain, h);
1a9917c2	335	ipmp = ip_map_lookup("nfsd", addr);
1da177e4	336
1a9917c2 N	337	if (ipmp)
	338	return ip_map_update(ipmp, udom, NEVER);
	339	else
1da177e4 LT	340	return -ENOMEM;
	341	}
	342
	343	int auth_unix_forget_old(struct auth_domain *dom)
	344	{
	345	struct unix_domain *udom;
cca5172a	346
efc36aa5	347	if (dom->flavour != &svcauth_unix)
1da177e4 LT	348	return -EINVAL;
	349	udom = container_of(dom, struct unix_domain, h);
	350	udom->addr_changes++;
	351	return 0;
	352	}
	353
	354	struct auth_domain *auth_unix_lookup(struct in_addr addr)
	355	{
40f10522	356	struct ip_map *ipm;
1da177e4 LT	357	struct auth_domain *rv;
1da177e4 LT	358
1a9917c2	359	ipm = ip_map_lookup("nfsd", addr);
1da177e4 LT	360
	361	if (!ipm)
	362	return NULL;
	363	if (cache_check(&ip_map_cache, &ipm->h, NULL))
	364	return NULL;
	365
	366	if ((ipm->m_client->addr_changes - ipm->m_add_change) >0) {
	367	if (test_and_set_bit(CACHE_NEGATIVE, &ipm->h.flags) == 0)
	368	auth_domain_put(&ipm->m_client->h);
	369	rv = NULL;
	370	} else {
	371	rv = &ipm->m_client->h;
efc36aa5	372	kref_get(&rv->ref);
1da177e4	373	}
baab935f	374	cache_put(&ipm->h, &ip_map_cache);
1da177e4 LT	375	return rv;
	376	}
	377
	378	void svcauth_unix_purge(void)
	379	{
	380	cache_purge(&ip_map_cache);
1da177e4 LT	381	}
1da177e4 LT	382
7b2b1fee GB	383	static inline struct ip_map *
	384	ip_map_cached_get(struct svc_rqst *rqstp)
	385	{
	386	struct ip_map *ipm = rqstp->rq_sock->sk_info_authunix;
	387	if (ipm != NULL) {
	388	if (!cache_valid(&ipm->h)) {
	389	/*
	390	* The entry has been invalidated since it was
	391	* remembered, e.g. by a second mount from the
	392	* same IP address.
	393	*/
	394	rqstp->rq_sock->sk_info_authunix = NULL;
	395	cache_put(&ipm->h, &ip_map_cache);
	396	return NULL;
	397	}
	398	cache_get(&ipm->h);
	399	}
	400	return ipm;
	401	}
	402
	403	static inline void
	404	ip_map_cached_put(struct svc_rqst rqstp, struct ip_map ipm)
	405	{
	406	struct svc_sock *svsk = rqstp->rq_sock;
	407
	408	if (svsk->sk_sock->type == SOCK_STREAM && svsk->sk_info_authunix == NULL)
	409	svsk->sk_info_authunix = ipm; /* newly cached, keep the reference */
	410	else
	411	cache_put(&ipm->h, &ip_map_cache);
	412	}
	413
	414	void
	415	svcauth_unix_info_release(void *info)
	416	{
	417	struct ip_map *ipm = info;
	418	cache_put(&ipm->h, &ip_map_cache);
	419	}
	420
1da177e4 LT	421	static int
	422	svcauth_unix_set_client(struct svc_rqst *rqstp)
	423	{
27459f09	424	struct sockaddr_in *sin = svc_addr_in(rqstp);
1a9917c2	425	struct ip_map *ipm;
1da177e4 LT	426
	427	rqstp->rq_client = NULL;
	428	if (rqstp->rq_proc == 0)
	429	return SVC_OK;
	430
7b2b1fee GB	431	ipm = ip_map_cached_get(rqstp);
	432	if (ipm == NULL)
	433	ipm = ip_map_lookup(rqstp->rq_server->sv_program->pg_class,
27459f09	434	sin->sin_addr);
1da177e4 LT	435
	436	if (ipm == NULL)
	437	return SVC_DENIED;
	438
	439	switch (cache_check(&ip_map_cache, &ipm->h, &rqstp->rq_chandle)) {
	440	default:
	441	BUG();
	442	case -EAGAIN:
e0bb89ef	443	case -ETIMEDOUT:
1da177e4 LT	444	return SVC_DROP;
	445	case -ENOENT:
	446	return SVC_DENIED;
	447	case 0:
	448	rqstp->rq_client = &ipm->m_client->h;
efc36aa5	449	kref_get(&rqstp->rq_client->ref);
7b2b1fee	450	ip_map_cached_put(rqstp, ipm);
1da177e4 LT	451	break;
	452	}
	453	return SVC_OK;
	454	}
	455
	456	static int
d8ed029d	457	svcauth_null_accept(struct svc_rqst rqstp, __be32 authp)
1da177e4 LT	458	{
	459	struct kvec *argv = &rqstp->rq_arg.head[0];
	460	struct kvec *resv = &rqstp->rq_res.head[0];
	461	struct svc_cred *cred = &rqstp->rq_cred;
	462
	463	cred->cr_group_info = NULL;
	464	rqstp->rq_client = NULL;
	465
	466	if (argv->iov_len < 3*4)
	467	return SVC_GARBAGE;
	468
cca5172a	469	if (svc_getu32(argv) != 0) {
1da177e4 LT	470	dprintk("svc: bad null cred\n");
	471	*authp = rpc_autherr_badcred;
	472	return SVC_DENIED;
	473	}
76994313	474	if (svc_getu32(argv) != htonl(RPC_AUTH_NULL) \|\| svc_getu32(argv) != 0) {
1da177e4 LT	475	dprintk("svc: bad null verf\n");
	476	*authp = rpc_autherr_badverf;
	477	return SVC_DENIED;
	478	}
	479
	480	/* Signal that mapping to nobody uid/gid is required */
	481	cred->cr_uid = (uid_t) -1;
	482	cred->cr_gid = (gid_t) -1;
	483	cred->cr_group_info = groups_alloc(0);
	484	if (cred->cr_group_info == NULL)
	485	return SVC_DROP; /* kmalloc failure - client must retry */
	486
	487	/* Put NULL verifier */
76994313 AD	488	svc_putnl(resv, RPC_AUTH_NULL);
76994313 AD	489	svc_putnl(resv, 0);
1da177e4 LT	490
	491	return SVC_OK;
	492	}
	493
	494	static int
	495	svcauth_null_release(struct svc_rqst *rqstp)
	496	{
	497	if (rqstp->rq_client)
	498	auth_domain_put(rqstp->rq_client);
	499	rqstp->rq_client = NULL;
	500	if (rqstp->rq_cred.cr_group_info)
	501	put_group_info(rqstp->rq_cred.cr_group_info);
	502	rqstp->rq_cred.cr_group_info = NULL;
	503
	504	return 0; /* don't drop */
	505	}
	506
	507
	508	struct auth_ops svcauth_null = {
	509	.name = "null",
	510	.owner = THIS_MODULE,
	511	.flavour = RPC_AUTH_NULL,
	512	.accept = svcauth_null_accept,
	513	.release = svcauth_null_release,
	514	.set_client = svcauth_unix_set_client,
	515	};
	516
	517
	518	static int
d8ed029d	519	svcauth_unix_accept(struct svc_rqst rqstp, __be32 authp)
1da177e4 LT	520	{
	521	struct kvec *argv = &rqstp->rq_arg.head[0];
	522	struct kvec *resv = &rqstp->rq_res.head[0];
	523	struct svc_cred *cred = &rqstp->rq_cred;
	524	u32 slen, i;
	525	int len = argv->iov_len;
	526
	527	cred->cr_group_info = NULL;
	528	rqstp->rq_client = NULL;
	529
	530	if ((len -= 3*4) < 0)
	531	return SVC_GARBAGE;
	532
	533	svc_getu32(argv); /* length */
	534	svc_getu32(argv); /* time stamp */
76994313	535	slen = XDR_QUADLEN(svc_getnl(argv)); /* machname length */
1da177e4 LT	536	if (slen > 64 \|\| (len -= (slen + 3)*4) < 0)
1da177e4 LT	537	goto badcred;
d8ed029d	538	argv->iov_base = (void)((__be32)argv->iov_base + slen); /* skip machname */
1da177e4 LT	539	argv->iov_len -= slen*4;
1da177e4 LT	540
76994313 AD	541	cred->cr_uid = svc_getnl(argv); /* uid */
	542	cred->cr_gid = svc_getnl(argv); /* gid */
	543	slen = svc_getnl(argv); /* gids length */
1da177e4 LT	544	if (slen > 16 \|\| (len -= (slen + 2)*4) < 0)
	545	goto badcred;
	546	cred->cr_group_info = groups_alloc(slen);
	547	if (cred->cr_group_info == NULL)
	548	return SVC_DROP;
	549	for (i = 0; i < slen; i++)
76994313	550	GROUP_AT(cred->cr_group_info, i) = svc_getnl(argv);
1da177e4	551
76994313	552	if (svc_getu32(argv) != htonl(RPC_AUTH_NULL) \|\| svc_getu32(argv) != 0) {
1da177e4 LT	553	*authp = rpc_autherr_badverf;
	554	return SVC_DENIED;
	555	}
	556
	557	/* Put NULL verifier */
76994313 AD	558	svc_putnl(resv, RPC_AUTH_NULL);
76994313 AD	559	svc_putnl(resv, 0);
1da177e4 LT	560
	561	return SVC_OK;
	562
	563	badcred:
	564	*authp = rpc_autherr_badcred;
	565	return SVC_DENIED;
	566	}
	567
	568	static int
	569	svcauth_unix_release(struct svc_rqst *rqstp)
	570	{
	571	/* Verifier (such as it is) is already in place.
	572	*/
	573	if (rqstp->rq_client)
	574	auth_domain_put(rqstp->rq_client);
	575	rqstp->rq_client = NULL;
	576	if (rqstp->rq_cred.cr_group_info)
	577	put_group_info(rqstp->rq_cred.cr_group_info);
	578	rqstp->rq_cred.cr_group_info = NULL;
	579
	580	return 0;
	581	}
	582
	583
	584	struct auth_ops svcauth_unix = {
	585	.name = "unix",
	586	.owner = THIS_MODULE,
	587	.flavour = RPC_AUTH_UNIX,
	588	.accept = svcauth_unix_accept,
	589	.release = svcauth_unix_release,
	590	.domain_release = svcauth_unix_domain_release,
	591	.set_client = svcauth_unix_set_client,
	592	};
	593