svcauth_unix.c 23 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664665666667668669670671672673674675676677678679680681682683684685686687688689690691692693694695696697698699700701702703704705706707708709710711712713714715716717718719720721722723724725726727728729730731732733734735736737738739740741742743744745746747748749750751752753754755756757758759760761762763764765766767768769770771772773774775776777778779780781782783784785786787788789790791792793794795796797798799800801802803804805806807808809810811812813814815816817818819820821822823824825826827828829830831832833834835836837838839840841842843844845846847848849850851852853854855856857858859860861862863864865866867868869870871872873874875876877878879880881882883884885886887888889890891892893894895896897898899900901902903904905906907908909910911912913914915916917918919920921922923924925926927928929930931932933934935936937938939940941942943944945946947948949950951952953954955956957958959960961962963964965966967968969970971972973974975976977978979980981982983984985986987
  1. // SPDX-License-Identifier: GPL-2.0-only
  2. #include <linux/types.h>
  3. #include <linux/sched.h>
  4. #include <linux/module.h>
  5. #include <linux/sunrpc/types.h>
  6. #include <linux/sunrpc/xdr.h>
  7. #include <linux/sunrpc/svcsock.h>
  8. #include <linux/sunrpc/svcauth.h>
  9. #include <linux/sunrpc/gss_api.h>
  10. #include <linux/sunrpc/addr.h>
  11. #include <linux/err.h>
  12. #include <linux/seq_file.h>
  13. #include <linux/hash.h>
  14. #include <linux/string.h>
  15. #include <linux/slab.h>
  16. #include <net/sock.h>
  17. #include <net/ipv6.h>
  18. #include <linux/kernel.h>
  19. #include <linux/user_namespace.h>
  20. #define RPCDBG_FACILITY RPCDBG_AUTH
  21. #include "netns.h"
  22. /*
  23. * AUTHUNIX and AUTHNULL credentials are both handled here.
  24. * AUTHNULL is treated just like AUTHUNIX except that the uid/gid
  25. * are always nobody (-2). i.e. we do the same IP address checks for
  26. * AUTHNULL as for AUTHUNIX, and that is done here.
  27. */
  28. struct unix_domain {
  29. struct auth_domain h;
  30. /* other stuff later */
  31. };
  32. extern struct auth_ops svcauth_null;
  33. extern struct auth_ops svcauth_unix;
  34. extern struct auth_ops svcauth_tls;
  35. static void svcauth_unix_domain_release_rcu(struct rcu_head *head)
  36. {
  37. struct auth_domain *dom = container_of(head, struct auth_domain, rcu_head);
  38. struct unix_domain *ud = container_of(dom, struct unix_domain, h);
  39. kfree(dom->name);
  40. kfree(ud);
  41. }
  42. static void svcauth_unix_domain_release(struct auth_domain *dom)
  43. {
  44. call_rcu(&dom->rcu_head, svcauth_unix_domain_release_rcu);
  45. }
  46. struct auth_domain *unix_domain_find(char *name)
  47. {
  48. struct auth_domain *rv;
  49. struct unix_domain *new = NULL;
  50. rv = auth_domain_find(name);
  51. while(1) {
  52. if (rv) {
  53. if (new && rv != &new->h)
  54. svcauth_unix_domain_release(&new->h);
  55. if (rv->flavour != &svcauth_unix) {
  56. auth_domain_put(rv);
  57. return NULL;
  58. }
  59. return rv;
  60. }
  61. new = kmalloc(sizeof(*new), GFP_KERNEL);
  62. if (new == NULL)
  63. return NULL;
  64. kref_init(&new->h.ref);
  65. new->h.name = kstrdup(name, GFP_KERNEL);
  66. if (new->h.name == NULL) {
  67. kfree(new);
  68. return NULL;
  69. }
  70. new->h.flavour = &svcauth_unix;
  71. rv = auth_domain_lookup(name, &new->h);
  72. }
  73. }
  74. EXPORT_SYMBOL_GPL(unix_domain_find);
  75. /**************************************************
  76. * cache for IP address to unix_domain
  77. * as needed by AUTH_UNIX
  78. */
  79. #define IP_HASHBITS 8
  80. #define IP_HASHMAX (1<<IP_HASHBITS)
  81. struct ip_map {
  82. struct cache_head h;
  83. char m_class[8]; /* e.g. "nfsd" */
  84. struct in6_addr m_addr;
  85. struct unix_domain *m_client;
  86. struct rcu_head m_rcu;
  87. };
  88. static void ip_map_put(struct kref *kref)
  89. {
  90. struct cache_head *item = container_of(kref, struct cache_head, ref);
  91. struct ip_map *im = container_of(item, struct ip_map,h);
  92. if (test_bit(CACHE_VALID, &item->flags) &&
  93. !test_bit(CACHE_NEGATIVE, &item->flags))
  94. auth_domain_put(&im->m_client->h);
  95. kfree_rcu(im, m_rcu);
  96. }
  97. static inline int hash_ip6(const struct in6_addr *ip)
  98. {
  99. return hash_32(ipv6_addr_hash(ip), IP_HASHBITS);
  100. }
  101. static int ip_map_match(struct cache_head *corig, struct cache_head *cnew)
  102. {
  103. struct ip_map *orig = container_of(corig, struct ip_map, h);
  104. struct ip_map *new = container_of(cnew, struct ip_map, h);
  105. return strcmp(orig->m_class, new->m_class) == 0 &&
  106. ipv6_addr_equal(&orig->m_addr, &new->m_addr);
  107. }
  108. static void ip_map_init(struct cache_head *cnew, struct cache_head *citem)
  109. {
  110. struct ip_map *new = container_of(cnew, struct ip_map, h);
  111. struct ip_map *item = container_of(citem, struct ip_map, h);
  112. strcpy(new->m_class, item->m_class);
  113. new->m_addr = item->m_addr;
  114. }
  115. static void update(struct cache_head *cnew, struct cache_head *citem)
  116. {
  117. struct ip_map *new = container_of(cnew, struct ip_map, h);
  118. struct ip_map *item = container_of(citem, struct ip_map, h);
  119. kref_get(&item->m_client->h.ref);
  120. new->m_client = item->m_client;
  121. }
  122. static struct cache_head *ip_map_alloc(void)
  123. {
  124. struct ip_map *i = kmalloc(sizeof(*i), GFP_KERNEL);
  125. if (i)
  126. return &i->h;
  127. else
  128. return NULL;
  129. }
  130. static int ip_map_upcall(struct cache_detail *cd, struct cache_head *h)
  131. {
  132. return sunrpc_cache_pipe_upcall(cd, h);
  133. }
  134. static void ip_map_request(struct cache_detail *cd,
  135. struct cache_head *h,
  136. char **bpp, int *blen)
  137. {
  138. char text_addr[40];
  139. struct ip_map *im = container_of(h, struct ip_map, h);
  140. if (ipv6_addr_v4mapped(&(im->m_addr))) {
  141. snprintf(text_addr, 20, "%pI4", &im->m_addr.s6_addr32[3]);
  142. } else {
  143. snprintf(text_addr, 40, "%pI6", &im->m_addr);
  144. }
  145. qword_add(bpp, blen, im->m_class);
  146. qword_add(bpp, blen, text_addr);
  147. (*bpp)[-1] = '\n';
  148. }
  149. static struct ip_map *__ip_map_lookup(struct cache_detail *cd, char *class, struct in6_addr *addr);
  150. static int __ip_map_update(struct cache_detail *cd, struct ip_map *ipm, struct unix_domain *udom, time64_t expiry);
  151. static int ip_map_parse(struct cache_detail *cd,
  152. char *mesg, int mlen)
  153. {
  154. /* class ipaddress [domainname] */
  155. /* should be safe just to use the start of the input buffer
  156. * for scratch: */
  157. char *buf = mesg;
  158. int len;
  159. char class[8];
  160. union {
  161. struct sockaddr sa;
  162. struct sockaddr_in s4;
  163. struct sockaddr_in6 s6;
  164. } address;
  165. struct sockaddr_in6 sin6;
  166. int err;
  167. struct ip_map *ipmp;
  168. struct auth_domain *dom;
  169. time64_t expiry;
  170. if (mesg[mlen-1] != '\n')
  171. return -EINVAL;
  172. mesg[mlen-1] = 0;
  173. /* class */
  174. len = qword_get(&mesg, class, sizeof(class));
  175. if (len <= 0) return -EINVAL;
  176. /* ip address */
  177. len = qword_get(&mesg, buf, mlen);
  178. if (len <= 0) return -EINVAL;
  179. if (rpc_pton(cd->net, buf, len, &address.sa, sizeof(address)) == 0)
  180. return -EINVAL;
  181. switch (address.sa.sa_family) {
  182. case AF_INET:
  183. /* Form a mapped IPv4 address in sin6 */
  184. sin6.sin6_family = AF_INET6;
  185. ipv6_addr_set_v4mapped(address.s4.sin_addr.s_addr,
  186. &sin6.sin6_addr);
  187. break;
  188. #if IS_ENABLED(CONFIG_IPV6)
  189. case AF_INET6:
  190. memcpy(&sin6, &address.s6, sizeof(sin6));
  191. break;
  192. #endif
  193. default:
  194. return -EINVAL;
  195. }
  196. expiry = get_expiry(&mesg);
  197. if (expiry ==0)
  198. return -EINVAL;
  199. /* domainname, or empty for NEGATIVE */
  200. len = qword_get(&mesg, buf, mlen);
  201. if (len < 0) return -EINVAL;
  202. if (len) {
  203. dom = unix_domain_find(buf);
  204. if (dom == NULL)
  205. return -ENOENT;
  206. } else
  207. dom = NULL;
  208. /* IPv6 scope IDs are ignored for now */
  209. ipmp = __ip_map_lookup(cd, class, &sin6.sin6_addr);
  210. if (ipmp) {
  211. err = __ip_map_update(cd, ipmp,
  212. container_of(dom, struct unix_domain, h),
  213. expiry);
  214. } else
  215. err = -ENOMEM;
  216. if (dom)
  217. auth_domain_put(dom);
  218. cache_flush();
  219. return err;
  220. }
  221. static int ip_map_show(struct seq_file *m,
  222. struct cache_detail *cd,
  223. struct cache_head *h)
  224. {
  225. struct ip_map *im;
  226. struct in6_addr addr;
  227. char *dom = "-no-domain-";
  228. if (h == NULL) {
  229. seq_puts(m, "#class IP domain\n");
  230. return 0;
  231. }
  232. im = container_of(h, struct ip_map, h);
  233. /* class addr domain */
  234. addr = im->m_addr;
  235. if (test_bit(CACHE_VALID, &h->flags) &&
  236. !test_bit(CACHE_NEGATIVE, &h->flags))
  237. dom = im->m_client->h.name;
  238. if (ipv6_addr_v4mapped(&addr)) {
  239. seq_printf(m, "%s %pI4 %s\n",
  240. im->m_class, &addr.s6_addr32[3], dom);
  241. } else {
  242. seq_printf(m, "%s %pI6 %s\n", im->m_class, &addr, dom);
  243. }
  244. return 0;
  245. }
  246. static struct ip_map *__ip_map_lookup(struct cache_detail *cd, char *class,
  247. struct in6_addr *addr)
  248. {
  249. struct ip_map ip;
  250. struct cache_head *ch;
  251. strcpy(ip.m_class, class);
  252. ip.m_addr = *addr;
  253. ch = sunrpc_cache_lookup_rcu(cd, &ip.h,
  254. hash_str(class, IP_HASHBITS) ^
  255. hash_ip6(addr));
  256. if (ch)
  257. return container_of(ch, struct ip_map, h);
  258. else
  259. return NULL;
  260. }
  261. static int __ip_map_update(struct cache_detail *cd, struct ip_map *ipm,
  262. struct unix_domain *udom, time64_t expiry)
  263. {
  264. struct ip_map ip;
  265. struct cache_head *ch;
  266. ip.m_client = udom;
  267. ip.h.flags = 0;
  268. if (!udom)
  269. set_bit(CACHE_NEGATIVE, &ip.h.flags);
  270. ip.h.expiry_time = expiry;
  271. ch = sunrpc_cache_update(cd, &ip.h, &ipm->h,
  272. hash_str(ipm->m_class, IP_HASHBITS) ^
  273. hash_ip6(&ipm->m_addr));
  274. if (!ch)
  275. return -ENOMEM;
  276. cache_put(ch, cd);
  277. return 0;
  278. }
  279. void svcauth_unix_purge(struct net *net)
  280. {
  281. struct sunrpc_net *sn;
  282. sn = net_generic(net, sunrpc_net_id);
  283. cache_purge(sn->ip_map_cache);
  284. }
  285. EXPORT_SYMBOL_GPL(svcauth_unix_purge);
  286. static inline struct ip_map *
  287. ip_map_cached_get(struct svc_xprt *xprt)
  288. {
  289. struct ip_map *ipm = NULL;
  290. struct sunrpc_net *sn;
  291. if (test_bit(XPT_CACHE_AUTH, &xprt->xpt_flags)) {
  292. spin_lock(&xprt->xpt_lock);
  293. ipm = xprt->xpt_auth_cache;
  294. if (ipm != NULL) {
  295. sn = net_generic(xprt->xpt_net, sunrpc_net_id);
  296. if (cache_is_expired(sn->ip_map_cache, &ipm->h)) {
  297. /*
  298. * The entry has been invalidated since it was
  299. * remembered, e.g. by a second mount from the
  300. * same IP address.
  301. */
  302. xprt->xpt_auth_cache = NULL;
  303. spin_unlock(&xprt->xpt_lock);
  304. cache_put(&ipm->h, sn->ip_map_cache);
  305. return NULL;
  306. }
  307. cache_get(&ipm->h);
  308. }
  309. spin_unlock(&xprt->xpt_lock);
  310. }
  311. return ipm;
  312. }
  313. static inline void
  314. ip_map_cached_put(struct svc_xprt *xprt, struct ip_map *ipm)
  315. {
  316. if (test_bit(XPT_CACHE_AUTH, &xprt->xpt_flags)) {
  317. spin_lock(&xprt->xpt_lock);
  318. if (xprt->xpt_auth_cache == NULL) {
  319. /* newly cached, keep the reference */
  320. xprt->xpt_auth_cache = ipm;
  321. ipm = NULL;
  322. }
  323. spin_unlock(&xprt->xpt_lock);
  324. }
  325. if (ipm) {
  326. struct sunrpc_net *sn;
  327. sn = net_generic(xprt->xpt_net, sunrpc_net_id);
  328. cache_put(&ipm->h, sn->ip_map_cache);
  329. }
  330. }
  331. void
  332. svcauth_unix_info_release(struct svc_xprt *xpt)
  333. {
  334. struct ip_map *ipm;
  335. ipm = xpt->xpt_auth_cache;
  336. if (ipm != NULL) {
  337. struct sunrpc_net *sn;
  338. sn = net_generic(xpt->xpt_net, sunrpc_net_id);
  339. cache_put(&ipm->h, sn->ip_map_cache);
  340. }
  341. }
  342. /****************************************************************************
  343. * auth.unix.gid cache
  344. * simple cache to map a UID to a list of GIDs
  345. * because AUTH_UNIX aka AUTH_SYS has a max of UNX_NGROUPS
  346. */
  347. #define GID_HASHBITS 8
  348. #define GID_HASHMAX (1<<GID_HASHBITS)
  349. struct unix_gid {
  350. struct cache_head h;
  351. kuid_t uid;
  352. struct group_info *gi;
  353. struct rcu_head rcu;
  354. };
  355. static int unix_gid_hash(kuid_t uid)
  356. {
  357. return hash_long(from_kuid(&init_user_ns, uid), GID_HASHBITS);
  358. }
  359. static void unix_gid_free(struct rcu_head *rcu)
  360. {
  361. struct unix_gid *ug = container_of(rcu, struct unix_gid, rcu);
  362. struct cache_head *item = &ug->h;
  363. if (test_bit(CACHE_VALID, &item->flags) &&
  364. !test_bit(CACHE_NEGATIVE, &item->flags))
  365. put_group_info(ug->gi);
  366. kfree(ug);
  367. }
  368. static void unix_gid_put(struct kref *kref)
  369. {
  370. struct cache_head *item = container_of(kref, struct cache_head, ref);
  371. struct unix_gid *ug = container_of(item, struct unix_gid, h);
  372. call_rcu(&ug->rcu, unix_gid_free);
  373. }
  374. static int unix_gid_match(struct cache_head *corig, struct cache_head *cnew)
  375. {
  376. struct unix_gid *orig = container_of(corig, struct unix_gid, h);
  377. struct unix_gid *new = container_of(cnew, struct unix_gid, h);
  378. return uid_eq(orig->uid, new->uid);
  379. }
  380. static void unix_gid_init(struct cache_head *cnew, struct cache_head *citem)
  381. {
  382. struct unix_gid *new = container_of(cnew, struct unix_gid, h);
  383. struct unix_gid *item = container_of(citem, struct unix_gid, h);
  384. new->uid = item->uid;
  385. }
  386. static void unix_gid_update(struct cache_head *cnew, struct cache_head *citem)
  387. {
  388. struct unix_gid *new = container_of(cnew, struct unix_gid, h);
  389. struct unix_gid *item = container_of(citem, struct unix_gid, h);
  390. get_group_info(item->gi);
  391. new->gi = item->gi;
  392. }
  393. static struct cache_head *unix_gid_alloc(void)
  394. {
  395. struct unix_gid *g = kmalloc(sizeof(*g), GFP_KERNEL);
  396. if (g)
  397. return &g->h;
  398. else
  399. return NULL;
  400. }
  401. static int unix_gid_upcall(struct cache_detail *cd, struct cache_head *h)
  402. {
  403. return sunrpc_cache_pipe_upcall_timeout(cd, h);
  404. }
  405. static void unix_gid_request(struct cache_detail *cd,
  406. struct cache_head *h,
  407. char **bpp, int *blen)
  408. {
  409. char tuid[20];
  410. struct unix_gid *ug = container_of(h, struct unix_gid, h);
  411. snprintf(tuid, 20, "%u", from_kuid(&init_user_ns, ug->uid));
  412. qword_add(bpp, blen, tuid);
  413. (*bpp)[-1] = '\n';
  414. }
  415. static struct unix_gid *unix_gid_lookup(struct cache_detail *cd, kuid_t uid);
  416. static int unix_gid_parse(struct cache_detail *cd,
  417. char *mesg, int mlen)
  418. {
  419. /* uid expiry Ngid gid0 gid1 ... gidN-1 */
  420. int id;
  421. kuid_t uid;
  422. int gids;
  423. int rv;
  424. int i;
  425. int err;
  426. time64_t expiry;
  427. struct unix_gid ug, *ugp;
  428. if (mesg[mlen - 1] != '\n')
  429. return -EINVAL;
  430. mesg[mlen-1] = 0;
  431. rv = get_int(&mesg, &id);
  432. if (rv)
  433. return -EINVAL;
  434. uid = make_kuid(current_user_ns(), id);
  435. ug.uid = uid;
  436. expiry = get_expiry(&mesg);
  437. if (expiry == 0)
  438. return -EINVAL;
  439. rv = get_int(&mesg, &gids);
  440. if (rv || gids < 0 || gids > 8192)
  441. return -EINVAL;
  442. ug.gi = groups_alloc(gids);
  443. if (!ug.gi)
  444. return -ENOMEM;
  445. for (i = 0 ; i < gids ; i++) {
  446. int gid;
  447. kgid_t kgid;
  448. rv = get_int(&mesg, &gid);
  449. err = -EINVAL;
  450. if (rv)
  451. goto out;
  452. kgid = make_kgid(current_user_ns(), gid);
  453. if (!gid_valid(kgid))
  454. goto out;
  455. ug.gi->gid[i] = kgid;
  456. }
  457. groups_sort(ug.gi);
  458. ugp = unix_gid_lookup(cd, uid);
  459. if (ugp) {
  460. struct cache_head *ch;
  461. ug.h.flags = 0;
  462. ug.h.expiry_time = expiry;
  463. ch = sunrpc_cache_update(cd,
  464. &ug.h, &ugp->h,
  465. unix_gid_hash(uid));
  466. if (!ch)
  467. err = -ENOMEM;
  468. else {
  469. err = 0;
  470. cache_put(ch, cd);
  471. }
  472. } else
  473. err = -ENOMEM;
  474. out:
  475. if (ug.gi)
  476. put_group_info(ug.gi);
  477. return err;
  478. }
  479. static int unix_gid_show(struct seq_file *m,
  480. struct cache_detail *cd,
  481. struct cache_head *h)
  482. {
  483. struct user_namespace *user_ns = m->file->f_cred->user_ns;
  484. struct unix_gid *ug;
  485. int i;
  486. int glen;
  487. if (h == NULL) {
  488. seq_puts(m, "#uid cnt: gids...\n");
  489. return 0;
  490. }
  491. ug = container_of(h, struct unix_gid, h);
  492. if (test_bit(CACHE_VALID, &h->flags) &&
  493. !test_bit(CACHE_NEGATIVE, &h->flags))
  494. glen = ug->gi->ngroups;
  495. else
  496. glen = 0;
  497. seq_printf(m, "%u %d:", from_kuid_munged(user_ns, ug->uid), glen);
  498. for (i = 0; i < glen; i++)
  499. seq_printf(m, " %d", from_kgid_munged(user_ns, ug->gi->gid[i]));
  500. seq_printf(m, "\n");
  501. return 0;
  502. }
  503. static const struct cache_detail unix_gid_cache_template = {
  504. .owner = THIS_MODULE,
  505. .hash_size = GID_HASHMAX,
  506. .name = "auth.unix.gid",
  507. .cache_put = unix_gid_put,
  508. .cache_upcall = unix_gid_upcall,
  509. .cache_request = unix_gid_request,
  510. .cache_parse = unix_gid_parse,
  511. .cache_show = unix_gid_show,
  512. .match = unix_gid_match,
  513. .init = unix_gid_init,
  514. .update = unix_gid_update,
  515. .alloc = unix_gid_alloc,
  516. };
  517. int unix_gid_cache_create(struct net *net)
  518. {
  519. struct sunrpc_net *sn = net_generic(net, sunrpc_net_id);
  520. struct cache_detail *cd;
  521. int err;
  522. cd = cache_create_net(&unix_gid_cache_template, net);
  523. if (IS_ERR(cd))
  524. return PTR_ERR(cd);
  525. err = cache_register_net(cd, net);
  526. if (err) {
  527. cache_destroy_net(cd, net);
  528. return err;
  529. }
  530. sn->unix_gid_cache = cd;
  531. return 0;
  532. }
  533. void unix_gid_cache_destroy(struct net *net)
  534. {
  535. struct sunrpc_net *sn = net_generic(net, sunrpc_net_id);
  536. struct cache_detail *cd = sn->unix_gid_cache;
  537. sn->unix_gid_cache = NULL;
  538. cache_purge(cd);
  539. cache_unregister_net(cd, net);
  540. cache_destroy_net(cd, net);
  541. }
  542. static struct unix_gid *unix_gid_lookup(struct cache_detail *cd, kuid_t uid)
  543. {
  544. struct unix_gid ug;
  545. struct cache_head *ch;
  546. ug.uid = uid;
  547. ch = sunrpc_cache_lookup_rcu(cd, &ug.h, unix_gid_hash(uid));
  548. if (ch)
  549. return container_of(ch, struct unix_gid, h);
  550. else
  551. return NULL;
  552. }
  553. static struct group_info *unix_gid_find(kuid_t uid, struct svc_rqst *rqstp)
  554. {
  555. struct unix_gid *ug;
  556. struct group_info *gi;
  557. int ret;
  558. struct sunrpc_net *sn = net_generic(rqstp->rq_xprt->xpt_net,
  559. sunrpc_net_id);
  560. ug = unix_gid_lookup(sn->unix_gid_cache, uid);
  561. if (!ug)
  562. return ERR_PTR(-EAGAIN);
  563. ret = cache_check(sn->unix_gid_cache, &ug->h, &rqstp->rq_chandle);
  564. switch (ret) {
  565. case -ENOENT:
  566. return ERR_PTR(-ENOENT);
  567. case -ETIMEDOUT:
  568. return ERR_PTR(-ESHUTDOWN);
  569. case 0:
  570. gi = get_group_info(ug->gi);
  571. cache_put(&ug->h, sn->unix_gid_cache);
  572. return gi;
  573. default:
  574. return ERR_PTR(-EAGAIN);
  575. }
  576. }
  577. int
  578. svcauth_unix_set_client(struct svc_rqst *rqstp)
  579. {
  580. struct sockaddr_in *sin;
  581. struct sockaddr_in6 *sin6, sin6_storage;
  582. struct ip_map *ipm;
  583. struct group_info *gi;
  584. struct svc_cred *cred = &rqstp->rq_cred;
  585. struct svc_xprt *xprt = rqstp->rq_xprt;
  586. struct net *net = xprt->xpt_net;
  587. struct sunrpc_net *sn = net_generic(net, sunrpc_net_id);
  588. switch (rqstp->rq_addr.ss_family) {
  589. case AF_INET:
  590. sin = svc_addr_in(rqstp);
  591. sin6 = &sin6_storage;
  592. ipv6_addr_set_v4mapped(sin->sin_addr.s_addr, &sin6->sin6_addr);
  593. break;
  594. case AF_INET6:
  595. sin6 = svc_addr_in6(rqstp);
  596. break;
  597. default:
  598. BUG();
  599. }
  600. rqstp->rq_client = NULL;
  601. if (rqstp->rq_proc == 0)
  602. goto out;
  603. rqstp->rq_auth_stat = rpc_autherr_badcred;
  604. ipm = ip_map_cached_get(xprt);
  605. if (ipm == NULL)
  606. ipm = __ip_map_lookup(sn->ip_map_cache, rqstp->rq_server->sv_program->pg_class,
  607. &sin6->sin6_addr);
  608. if (ipm == NULL)
  609. return SVC_DENIED;
  610. switch (cache_check(sn->ip_map_cache, &ipm->h, &rqstp->rq_chandle)) {
  611. default:
  612. BUG();
  613. case -ETIMEDOUT:
  614. return SVC_CLOSE;
  615. case -EAGAIN:
  616. return SVC_DROP;
  617. case -ENOENT:
  618. return SVC_DENIED;
  619. case 0:
  620. rqstp->rq_client = &ipm->m_client->h;
  621. kref_get(&rqstp->rq_client->ref);
  622. ip_map_cached_put(xprt, ipm);
  623. break;
  624. }
  625. gi = unix_gid_find(cred->cr_uid, rqstp);
  626. switch (PTR_ERR(gi)) {
  627. case -EAGAIN:
  628. return SVC_DROP;
  629. case -ESHUTDOWN:
  630. return SVC_CLOSE;
  631. case -ENOENT:
  632. break;
  633. default:
  634. put_group_info(cred->cr_group_info);
  635. cred->cr_group_info = gi;
  636. }
  637. out:
  638. rqstp->rq_auth_stat = rpc_auth_ok;
  639. return SVC_OK;
  640. }
  641. EXPORT_SYMBOL_GPL(svcauth_unix_set_client);
  642. static int
  643. svcauth_null_accept(struct svc_rqst *rqstp)
  644. {
  645. struct kvec *argv = &rqstp->rq_arg.head[0];
  646. struct kvec *resv = &rqstp->rq_res.head[0];
  647. struct svc_cred *cred = &rqstp->rq_cred;
  648. if (argv->iov_len < 3*4)
  649. return SVC_GARBAGE;
  650. if (svc_getu32(argv) != 0) {
  651. dprintk("svc: bad null cred\n");
  652. rqstp->rq_auth_stat = rpc_autherr_badcred;
  653. return SVC_DENIED;
  654. }
  655. if (svc_getu32(argv) != htonl(RPC_AUTH_NULL) || svc_getu32(argv) != 0) {
  656. dprintk("svc: bad null verf\n");
  657. rqstp->rq_auth_stat = rpc_autherr_badverf;
  658. return SVC_DENIED;
  659. }
  660. /* Signal that mapping to nobody uid/gid is required */
  661. cred->cr_uid = INVALID_UID;
  662. cred->cr_gid = INVALID_GID;
  663. cred->cr_group_info = groups_alloc(0);
  664. if (cred->cr_group_info == NULL)
  665. return SVC_CLOSE; /* kmalloc failure - client must retry */
  666. /* Put NULL verifier */
  667. svc_putnl(resv, RPC_AUTH_NULL);
  668. svc_putnl(resv, 0);
  669. rqstp->rq_cred.cr_flavor = RPC_AUTH_NULL;
  670. return SVC_OK;
  671. }
  672. static int
  673. svcauth_null_release(struct svc_rqst *rqstp)
  674. {
  675. if (rqstp->rq_client)
  676. auth_domain_put(rqstp->rq_client);
  677. rqstp->rq_client = NULL;
  678. if (rqstp->rq_cred.cr_group_info)
  679. put_group_info(rqstp->rq_cred.cr_group_info);
  680. rqstp->rq_cred.cr_group_info = NULL;
  681. return 0; /* don't drop */
  682. }
  683. struct auth_ops svcauth_null = {
  684. .name = "null",
  685. .owner = THIS_MODULE,
  686. .flavour = RPC_AUTH_NULL,
  687. .accept = svcauth_null_accept,
  688. .release = svcauth_null_release,
  689. .set_client = svcauth_unix_set_client,
  690. };
  691. static int
  692. svcauth_tls_accept(struct svc_rqst *rqstp)
  693. {
  694. struct svc_cred *cred = &rqstp->rq_cred;
  695. struct kvec *argv = rqstp->rq_arg.head;
  696. struct kvec *resv = rqstp->rq_res.head;
  697. if (argv->iov_len < XDR_UNIT * 3)
  698. return SVC_GARBAGE;
  699. /* Call's cred length */
  700. if (svc_getu32(argv) != xdr_zero) {
  701. rqstp->rq_auth_stat = rpc_autherr_badcred;
  702. return SVC_DENIED;
  703. }
  704. /* Call's verifier flavor and its length */
  705. if (svc_getu32(argv) != rpc_auth_null ||
  706. svc_getu32(argv) != xdr_zero) {
  707. rqstp->rq_auth_stat = rpc_autherr_badverf;
  708. return SVC_DENIED;
  709. }
  710. /* AUTH_TLS is not valid on non-NULL procedures */
  711. if (rqstp->rq_proc != 0) {
  712. rqstp->rq_auth_stat = rpc_autherr_badcred;
  713. return SVC_DENIED;
  714. }
  715. /* Mapping to nobody uid/gid is required */
  716. cred->cr_uid = INVALID_UID;
  717. cred->cr_gid = INVALID_GID;
  718. cred->cr_group_info = groups_alloc(0);
  719. if (cred->cr_group_info == NULL)
  720. return SVC_CLOSE; /* kmalloc failure - client must retry */
  721. /* Reply's verifier */
  722. svc_putnl(resv, RPC_AUTH_NULL);
  723. if (rqstp->rq_xprt->xpt_ops->xpo_start_tls) {
  724. svc_putnl(resv, 8);
  725. memcpy(resv->iov_base + resv->iov_len, "STARTTLS", 8);
  726. resv->iov_len += 8;
  727. } else
  728. svc_putnl(resv, 0);
  729. rqstp->rq_cred.cr_flavor = RPC_AUTH_TLS;
  730. return SVC_OK;
  731. }
  732. struct auth_ops svcauth_tls = {
  733. .name = "tls",
  734. .owner = THIS_MODULE,
  735. .flavour = RPC_AUTH_TLS,
  736. .accept = svcauth_tls_accept,
  737. .release = svcauth_null_release,
  738. .set_client = svcauth_unix_set_client,
  739. };
  740. static int
  741. svcauth_unix_accept(struct svc_rqst *rqstp)
  742. {
  743. struct kvec *argv = &rqstp->rq_arg.head[0];
  744. struct kvec *resv = &rqstp->rq_res.head[0];
  745. struct svc_cred *cred = &rqstp->rq_cred;
  746. struct user_namespace *userns;
  747. u32 slen, i;
  748. int len = argv->iov_len;
  749. if ((len -= 3*4) < 0)
  750. return SVC_GARBAGE;
  751. svc_getu32(argv); /* length */
  752. svc_getu32(argv); /* time stamp */
  753. slen = XDR_QUADLEN(svc_getnl(argv)); /* machname length */
  754. if (slen > 64 || (len -= (slen + 3)*4) < 0)
  755. goto badcred;
  756. argv->iov_base = (void*)((__be32*)argv->iov_base + slen); /* skip machname */
  757. argv->iov_len -= slen*4;
  758. /*
  759. * Note: we skip uid_valid()/gid_valid() checks here for
  760. * backwards compatibility with clients that use -1 id's.
  761. * Instead, -1 uid or gid is later mapped to the
  762. * (export-specific) anonymous id by nfsd_setuser.
  763. * Supplementary gid's will be left alone.
  764. */
  765. userns = (rqstp->rq_xprt && rqstp->rq_xprt->xpt_cred) ?
  766. rqstp->rq_xprt->xpt_cred->user_ns : &init_user_ns;
  767. cred->cr_uid = make_kuid(userns, svc_getnl(argv)); /* uid */
  768. cred->cr_gid = make_kgid(userns, svc_getnl(argv)); /* gid */
  769. slen = svc_getnl(argv); /* gids length */
  770. if (slen > UNX_NGROUPS || (len -= (slen + 2)*4) < 0)
  771. goto badcred;
  772. cred->cr_group_info = groups_alloc(slen);
  773. if (cred->cr_group_info == NULL)
  774. return SVC_CLOSE;
  775. for (i = 0; i < slen; i++) {
  776. kgid_t kgid = make_kgid(userns, svc_getnl(argv));
  777. cred->cr_group_info->gid[i] = kgid;
  778. }
  779. groups_sort(cred->cr_group_info);
  780. if (svc_getu32(argv) != htonl(RPC_AUTH_NULL) || svc_getu32(argv) != 0) {
  781. rqstp->rq_auth_stat = rpc_autherr_badverf;
  782. return SVC_DENIED;
  783. }
  784. /* Put NULL verifier */
  785. svc_putnl(resv, RPC_AUTH_NULL);
  786. svc_putnl(resv, 0);
  787. rqstp->rq_cred.cr_flavor = RPC_AUTH_UNIX;
  788. return SVC_OK;
  789. badcred:
  790. rqstp->rq_auth_stat = rpc_autherr_badcred;
  791. return SVC_DENIED;
  792. }
  793. static int
  794. svcauth_unix_release(struct svc_rqst *rqstp)
  795. {
  796. /* Verifier (such as it is) is already in place.
  797. */
  798. if (rqstp->rq_client)
  799. auth_domain_put(rqstp->rq_client);
  800. rqstp->rq_client = NULL;
  801. if (rqstp->rq_cred.cr_group_info)
  802. put_group_info(rqstp->rq_cred.cr_group_info);
  803. rqstp->rq_cred.cr_group_info = NULL;
  804. return 0;
  805. }
  806. struct auth_ops svcauth_unix = {
  807. .name = "unix",
  808. .owner = THIS_MODULE,
  809. .flavour = RPC_AUTH_UNIX,
  810. .accept = svcauth_unix_accept,
  811. .release = svcauth_unix_release,
  812. .domain_release = svcauth_unix_domain_release,
  813. .set_client = svcauth_unix_set_client,
  814. };
  815. static const struct cache_detail ip_map_cache_template = {
  816. .owner = THIS_MODULE,
  817. .hash_size = IP_HASHMAX,
  818. .name = "auth.unix.ip",
  819. .cache_put = ip_map_put,
  820. .cache_upcall = ip_map_upcall,
  821. .cache_request = ip_map_request,
  822. .cache_parse = ip_map_parse,
  823. .cache_show = ip_map_show,
  824. .match = ip_map_match,
  825. .init = ip_map_init,
  826. .update = update,
  827. .alloc = ip_map_alloc,
  828. };
  829. int ip_map_cache_create(struct net *net)
  830. {
  831. struct sunrpc_net *sn = net_generic(net, sunrpc_net_id);
  832. struct cache_detail *cd;
  833. int err;
  834. cd = cache_create_net(&ip_map_cache_template, net);
  835. if (IS_ERR(cd))
  836. return PTR_ERR(cd);
  837. err = cache_register_net(cd, net);
  838. if (err) {
  839. cache_destroy_net(cd, net);
  840. return err;
  841. }
  842. sn->ip_map_cache = cd;
  843. return 0;
  844. }
  845. void ip_map_cache_destroy(struct net *net)
  846. {
  847. struct sunrpc_net *sn = net_generic(net, sunrpc_net_id);
  848. struct cache_detail *cd = sn->ip_map_cache;
  849. sn->ip_map_cache = NULL;
  850. cache_purge(cd);
  851. cache_unregister_net(cd, net);
  852. cache_destroy_net(cd, net);
  853. }