Root/
1 | #include <linux/types.h> |
2 | #include <linux/sched.h> |
3 | #include <linux/module.h> |
4 | #include <linux/sunrpc/types.h> |
5 | #include <linux/sunrpc/xdr.h> |
6 | #include <linux/sunrpc/svcsock.h> |
7 | #include <linux/sunrpc/svcauth.h> |
8 | #include <linux/sunrpc/gss_api.h> |
9 | #include <linux/err.h> |
10 | #include <linux/seq_file.h> |
11 | #include <linux/hash.h> |
12 | #include <linux/string.h> |
13 | #include <linux/slab.h> |
14 | #include <net/sock.h> |
15 | #include <net/ipv6.h> |
16 | #include <linux/kernel.h> |
17 | #define RPCDBG_FACILITY RPCDBG_AUTH |
18 | |
19 | #include <linux/sunrpc/clnt.h> |
20 | |
21 | /* |
22 | * AUTHUNIX and AUTHNULL credentials are both handled here. |
23 | * AUTHNULL is treated just like AUTHUNIX except that the uid/gid |
24 | * are always nobody (-2). i.e. we do the same IP address checks for |
25 | * AUTHNULL as for AUTHUNIX, and that is done here. |
26 | */ |
27 | |
28 | |
29 | struct unix_domain { |
30 | struct auth_domain h; |
31 | int addr_changes; |
32 | /* other stuff later */ |
33 | }; |
34 | |
35 | extern struct auth_ops svcauth_unix; |
36 | |
37 | struct auth_domain *unix_domain_find(char *name) |
38 | { |
39 | struct auth_domain *rv; |
40 | struct unix_domain *new = NULL; |
41 | |
42 | rv = auth_domain_lookup(name, NULL); |
43 | while(1) { |
44 | if (rv) { |
45 | if (new && rv != &new->h) |
46 | auth_domain_put(&new->h); |
47 | |
48 | if (rv->flavour != &svcauth_unix) { |
49 | auth_domain_put(rv); |
50 | return NULL; |
51 | } |
52 | return rv; |
53 | } |
54 | |
55 | new = kmalloc(sizeof(*new), GFP_KERNEL); |
56 | if (new == NULL) |
57 | return NULL; |
58 | kref_init(&new->h.ref); |
59 | new->h.name = kstrdup(name, GFP_KERNEL); |
60 | if (new->h.name == NULL) { |
61 | kfree(new); |
62 | return NULL; |
63 | } |
64 | new->h.flavour = &svcauth_unix; |
65 | new->addr_changes = 0; |
66 | rv = auth_domain_lookup(name, &new->h); |
67 | } |
68 | } |
69 | EXPORT_SYMBOL_GPL(unix_domain_find); |
70 | |
71 | static void svcauth_unix_domain_release(struct auth_domain *dom) |
72 | { |
73 | struct unix_domain *ud = container_of(dom, struct unix_domain, h); |
74 | |
75 | kfree(dom->name); |
76 | kfree(ud); |
77 | } |
78 | |
79 | |
80 | /************************************************** |
81 | * cache for IP address to unix_domain |
82 | * as needed by AUTH_UNIX |
83 | */ |
84 | #define IP_HASHBITS 8 |
85 | #define IP_HASHMAX (1<<IP_HASHBITS) |
86 | #define IP_HASHMASK (IP_HASHMAX-1) |
87 | |
88 | struct ip_map { |
89 | struct cache_head h; |
90 | char m_class[8]; /* e.g. "nfsd" */ |
91 | struct in6_addr m_addr; |
92 | struct unix_domain *m_client; |
93 | int m_add_change; |
94 | }; |
95 | static struct cache_head *ip_table[IP_HASHMAX]; |
96 | |
97 | static void ip_map_put(struct kref *kref) |
98 | { |
99 | struct cache_head *item = container_of(kref, struct cache_head, ref); |
100 | struct ip_map *im = container_of(item, struct ip_map,h); |
101 | |
102 | if (test_bit(CACHE_VALID, &item->flags) && |
103 | !test_bit(CACHE_NEGATIVE, &item->flags)) |
104 | auth_domain_put(&im->m_client->h); |
105 | kfree(im); |
106 | } |
107 | |
108 | #if IP_HASHBITS == 8 |
109 | /* hash_long on a 64 bit machine is currently REALLY BAD for |
110 | * IP addresses in reverse-endian (i.e. on a little-endian machine). |
111 | * So use a trivial but reliable hash instead |
112 | */ |
113 | static inline int hash_ip(__be32 ip) |
114 | { |
115 | int hash = (__force u32)ip ^ ((__force u32)ip>>16); |
116 | return (hash ^ (hash>>8)) & 0xff; |
117 | } |
118 | #endif |
119 | static inline int hash_ip6(struct in6_addr ip) |
120 | { |
121 | return (hash_ip(ip.s6_addr32[0]) ^ |
122 | hash_ip(ip.s6_addr32[1]) ^ |
123 | hash_ip(ip.s6_addr32[2]) ^ |
124 | hash_ip(ip.s6_addr32[3])); |
125 | } |
126 | static int ip_map_match(struct cache_head *corig, struct cache_head *cnew) |
127 | { |
128 | struct ip_map *orig = container_of(corig, struct ip_map, h); |
129 | struct ip_map *new = container_of(cnew, struct ip_map, h); |
130 | return strcmp(orig->m_class, new->m_class) == 0 && |
131 | ipv6_addr_equal(&orig->m_addr, &new->m_addr); |
132 | } |
133 | static void ip_map_init(struct cache_head *cnew, struct cache_head *citem) |
134 | { |
135 | struct ip_map *new = container_of(cnew, struct ip_map, h); |
136 | struct ip_map *item = container_of(citem, struct ip_map, h); |
137 | |
138 | strcpy(new->m_class, item->m_class); |
139 | ipv6_addr_copy(&new->m_addr, &item->m_addr); |
140 | } |
141 | static void update(struct cache_head *cnew, struct cache_head *citem) |
142 | { |
143 | struct ip_map *new = container_of(cnew, struct ip_map, h); |
144 | struct ip_map *item = container_of(citem, struct ip_map, h); |
145 | |
146 | kref_get(&item->m_client->h.ref); |
147 | new->m_client = item->m_client; |
148 | new->m_add_change = item->m_add_change; |
149 | } |
150 | static struct cache_head *ip_map_alloc(void) |
151 | { |
152 | struct ip_map *i = kmalloc(sizeof(*i), GFP_KERNEL); |
153 | if (i) |
154 | return &i->h; |
155 | else |
156 | return NULL; |
157 | } |
158 | |
159 | static void ip_map_request(struct cache_detail *cd, |
160 | struct cache_head *h, |
161 | char **bpp, int *blen) |
162 | { |
163 | char text_addr[40]; |
164 | struct ip_map *im = container_of(h, struct ip_map, h); |
165 | |
166 | if (ipv6_addr_v4mapped(&(im->m_addr))) { |
167 | snprintf(text_addr, 20, "%pI4", &im->m_addr.s6_addr32[3]); |
168 | } else { |
169 | snprintf(text_addr, 40, "%pI6", &im->m_addr); |
170 | } |
171 | qword_add(bpp, blen, im->m_class); |
172 | qword_add(bpp, blen, text_addr); |
173 | (*bpp)[-1] = '\n'; |
174 | } |
175 | |
176 | static int ip_map_upcall(struct cache_detail *cd, struct cache_head *h) |
177 | { |
178 | return sunrpc_cache_pipe_upcall(cd, h, ip_map_request); |
179 | } |
180 | |
181 | static struct ip_map *ip_map_lookup(char *class, struct in6_addr *addr); |
182 | static int ip_map_update(struct ip_map *ipm, struct unix_domain *udom, time_t expiry); |
183 | |
184 | static int ip_map_parse(struct cache_detail *cd, |
185 | char *mesg, int mlen) |
186 | { |
187 | /* class ipaddress [domainname] */ |
188 | /* should be safe just to use the start of the input buffer |
189 | * for scratch: */ |
190 | char *buf = mesg; |
191 | int len; |
192 | char class[8]; |
193 | union { |
194 | struct sockaddr sa; |
195 | struct sockaddr_in s4; |
196 | struct sockaddr_in6 s6; |
197 | } address; |
198 | struct sockaddr_in6 sin6; |
199 | int err; |
200 | |
201 | struct ip_map *ipmp; |
202 | struct auth_domain *dom; |
203 | time_t expiry; |
204 | |
205 | if (mesg[mlen-1] != '\n') |
206 | return -EINVAL; |
207 | mesg[mlen-1] = 0; |
208 | |
209 | /* class */ |
210 | len = qword_get(&mesg, class, sizeof(class)); |
211 | if (len <= 0) return -EINVAL; |
212 | |
213 | /* ip address */ |
214 | len = qword_get(&mesg, buf, mlen); |
215 | if (len <= 0) return -EINVAL; |
216 | |
217 | if (rpc_pton(buf, len, &address.sa, sizeof(address)) == 0) |
218 | return -EINVAL; |
219 | switch (address.sa.sa_family) { |
220 | case AF_INET: |
221 | /* Form a mapped IPv4 address in sin6 */ |
222 | memset(&sin6, 0, sizeof(sin6)); |
223 | sin6.sin6_family = AF_INET6; |
224 | sin6.sin6_addr.s6_addr32[2] = htonl(0xffff); |
225 | sin6.sin6_addr.s6_addr32[3] = address.s4.sin_addr.s_addr; |
226 | break; |
227 | #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE) |
228 | case AF_INET6: |
229 | memcpy(&sin6, &address.s6, sizeof(sin6)); |
230 | break; |
231 | #endif |
232 | default: |
233 | return -EINVAL; |
234 | } |
235 | |
236 | expiry = get_expiry(&mesg); |
237 | if (expiry ==0) |
238 | return -EINVAL; |
239 | |
240 | /* domainname, or empty for NEGATIVE */ |
241 | len = qword_get(&mesg, buf, mlen); |
242 | if (len < 0) return -EINVAL; |
243 | |
244 | if (len) { |
245 | dom = unix_domain_find(buf); |
246 | if (dom == NULL) |
247 | return -ENOENT; |
248 | } else |
249 | dom = NULL; |
250 | |
251 | /* IPv6 scope IDs are ignored for now */ |
252 | ipmp = ip_map_lookup(class, &sin6.sin6_addr); |
253 | if (ipmp) { |
254 | err = ip_map_update(ipmp, |
255 | container_of(dom, struct unix_domain, h), |
256 | expiry); |
257 | } else |
258 | err = -ENOMEM; |
259 | |
260 | if (dom) |
261 | auth_domain_put(dom); |
262 | |
263 | cache_flush(); |
264 | return err; |
265 | } |
266 | |
267 | static int ip_map_show(struct seq_file *m, |
268 | struct cache_detail *cd, |
269 | struct cache_head *h) |
270 | { |
271 | struct ip_map *im; |
272 | struct in6_addr addr; |
273 | char *dom = "-no-domain-"; |
274 | |
275 | if (h == NULL) { |
276 | seq_puts(m, "#class IP domain\n"); |
277 | return 0; |
278 | } |
279 | im = container_of(h, struct ip_map, h); |
280 | /* class addr domain */ |
281 | ipv6_addr_copy(&addr, &im->m_addr); |
282 | |
283 | if (test_bit(CACHE_VALID, &h->flags) && |
284 | !test_bit(CACHE_NEGATIVE, &h->flags)) |
285 | dom = im->m_client->h.name; |
286 | |
287 | if (ipv6_addr_v4mapped(&addr)) { |
288 | seq_printf(m, "%s %pI4 %s\n", |
289 | im->m_class, &addr.s6_addr32[3], dom); |
290 | } else { |
291 | seq_printf(m, "%s %pI6 %s\n", im->m_class, &addr, dom); |
292 | } |
293 | return 0; |
294 | } |
295 | |
296 | |
297 | struct cache_detail ip_map_cache = { |
298 | .owner = THIS_MODULE, |
299 | .hash_size = IP_HASHMAX, |
300 | .hash_table = ip_table, |
301 | .name = "auth.unix.ip", |
302 | .cache_put = ip_map_put, |
303 | .cache_upcall = ip_map_upcall, |
304 | .cache_parse = ip_map_parse, |
305 | .cache_show = ip_map_show, |
306 | .match = ip_map_match, |
307 | .init = ip_map_init, |
308 | .update = update, |
309 | .alloc = ip_map_alloc, |
310 | }; |
311 | |
312 | static struct ip_map *ip_map_lookup(char *class, struct in6_addr *addr) |
313 | { |
314 | struct ip_map ip; |
315 | struct cache_head *ch; |
316 | |
317 | strcpy(ip.m_class, class); |
318 | ipv6_addr_copy(&ip.m_addr, addr); |
319 | ch = sunrpc_cache_lookup(&ip_map_cache, &ip.h, |
320 | hash_str(class, IP_HASHBITS) ^ |
321 | hash_ip6(*addr)); |
322 | |
323 | if (ch) |
324 | return container_of(ch, struct ip_map, h); |
325 | else |
326 | return NULL; |
327 | } |
328 | |
329 | static int ip_map_update(struct ip_map *ipm, struct unix_domain *udom, time_t expiry) |
330 | { |
331 | struct ip_map ip; |
332 | struct cache_head *ch; |
333 | |
334 | ip.m_client = udom; |
335 | ip.h.flags = 0; |
336 | if (!udom) |
337 | set_bit(CACHE_NEGATIVE, &ip.h.flags); |
338 | else { |
339 | ip.m_add_change = udom->addr_changes; |
340 | /* if this is from the legacy set_client system call, |
341 | * we need m_add_change to be one higher |
342 | */ |
343 | if (expiry == NEVER) |
344 | ip.m_add_change++; |
345 | } |
346 | ip.h.expiry_time = expiry; |
347 | ch = sunrpc_cache_update(&ip_map_cache, |
348 | &ip.h, &ipm->h, |
349 | hash_str(ipm->m_class, IP_HASHBITS) ^ |
350 | hash_ip6(ipm->m_addr)); |
351 | if (!ch) |
352 | return -ENOMEM; |
353 | cache_put(ch, &ip_map_cache); |
354 | return 0; |
355 | } |
356 | |
357 | int auth_unix_add_addr(struct in6_addr *addr, struct auth_domain *dom) |
358 | { |
359 | struct unix_domain *udom; |
360 | struct ip_map *ipmp; |
361 | |
362 | if (dom->flavour != &svcauth_unix) |
363 | return -EINVAL; |
364 | udom = container_of(dom, struct unix_domain, h); |
365 | ipmp = ip_map_lookup("nfsd", addr); |
366 | |
367 | if (ipmp) |
368 | return ip_map_update(ipmp, udom, NEVER); |
369 | else |
370 | return -ENOMEM; |
371 | } |
372 | EXPORT_SYMBOL_GPL(auth_unix_add_addr); |
373 | |
374 | int auth_unix_forget_old(struct auth_domain *dom) |
375 | { |
376 | struct unix_domain *udom; |
377 | |
378 | if (dom->flavour != &svcauth_unix) |
379 | return -EINVAL; |
380 | udom = container_of(dom, struct unix_domain, h); |
381 | udom->addr_changes++; |
382 | return 0; |
383 | } |
384 | EXPORT_SYMBOL_GPL(auth_unix_forget_old); |
385 | |
386 | struct auth_domain *auth_unix_lookup(struct in6_addr *addr) |
387 | { |
388 | struct ip_map *ipm; |
389 | struct auth_domain *rv; |
390 | |
391 | ipm = ip_map_lookup("nfsd", addr); |
392 | |
393 | if (!ipm) |
394 | return NULL; |
395 | if (cache_check(&ip_map_cache, &ipm->h, NULL)) |
396 | return NULL; |
397 | |
398 | if ((ipm->m_client->addr_changes - ipm->m_add_change) >0) { |
399 | if (test_and_set_bit(CACHE_NEGATIVE, &ipm->h.flags) == 0) |
400 | auth_domain_put(&ipm->m_client->h); |
401 | rv = NULL; |
402 | } else { |
403 | rv = &ipm->m_client->h; |
404 | kref_get(&rv->ref); |
405 | } |
406 | cache_put(&ipm->h, &ip_map_cache); |
407 | return rv; |
408 | } |
409 | EXPORT_SYMBOL_GPL(auth_unix_lookup); |
410 | |
411 | void svcauth_unix_purge(void) |
412 | { |
413 | cache_purge(&ip_map_cache); |
414 | } |
415 | EXPORT_SYMBOL_GPL(svcauth_unix_purge); |
416 | |
417 | static inline struct ip_map * |
418 | ip_map_cached_get(struct svc_rqst *rqstp) |
419 | { |
420 | struct ip_map *ipm = NULL; |
421 | struct svc_xprt *xprt = rqstp->rq_xprt; |
422 | |
423 | if (test_bit(XPT_CACHE_AUTH, &xprt->xpt_flags)) { |
424 | spin_lock(&xprt->xpt_lock); |
425 | ipm = xprt->xpt_auth_cache; |
426 | if (ipm != NULL) { |
427 | if (!cache_valid(&ipm->h)) { |
428 | /* |
429 | * The entry has been invalidated since it was |
430 | * remembered, e.g. by a second mount from the |
431 | * same IP address. |
432 | */ |
433 | xprt->xpt_auth_cache = NULL; |
434 | spin_unlock(&xprt->xpt_lock); |
435 | cache_put(&ipm->h, &ip_map_cache); |
436 | return NULL; |
437 | } |
438 | cache_get(&ipm->h); |
439 | } |
440 | spin_unlock(&xprt->xpt_lock); |
441 | } |
442 | return ipm; |
443 | } |
444 | |
445 | static inline void |
446 | ip_map_cached_put(struct svc_rqst *rqstp, struct ip_map *ipm) |
447 | { |
448 | struct svc_xprt *xprt = rqstp->rq_xprt; |
449 | |
450 | if (test_bit(XPT_CACHE_AUTH, &xprt->xpt_flags)) { |
451 | spin_lock(&xprt->xpt_lock); |
452 | if (xprt->xpt_auth_cache == NULL) { |
453 | /* newly cached, keep the reference */ |
454 | xprt->xpt_auth_cache = ipm; |
455 | ipm = NULL; |
456 | } |
457 | spin_unlock(&xprt->xpt_lock); |
458 | } |
459 | if (ipm) |
460 | cache_put(&ipm->h, &ip_map_cache); |
461 | } |
462 | |
463 | void |
464 | svcauth_unix_info_release(void *info) |
465 | { |
466 | struct ip_map *ipm = info; |
467 | cache_put(&ipm->h, &ip_map_cache); |
468 | } |
469 | |
470 | /**************************************************************************** |
471 | * auth.unix.gid cache |
472 | * simple cache to map a UID to a list of GIDs |
473 | * because AUTH_UNIX aka AUTH_SYS has a max of 16 |
474 | */ |
475 | #define GID_HASHBITS 8 |
476 | #define GID_HASHMAX (1<<GID_HASHBITS) |
477 | #define GID_HASHMASK (GID_HASHMAX - 1) |
478 | |
479 | struct unix_gid { |
480 | struct cache_head h; |
481 | uid_t uid; |
482 | struct group_info *gi; |
483 | }; |
484 | static struct cache_head *gid_table[GID_HASHMAX]; |
485 | |
486 | static void unix_gid_put(struct kref *kref) |
487 | { |
488 | struct cache_head *item = container_of(kref, struct cache_head, ref); |
489 | struct unix_gid *ug = container_of(item, struct unix_gid, h); |
490 | if (test_bit(CACHE_VALID, &item->flags) && |
491 | !test_bit(CACHE_NEGATIVE, &item->flags)) |
492 | put_group_info(ug->gi); |
493 | kfree(ug); |
494 | } |
495 | |
496 | static int unix_gid_match(struct cache_head *corig, struct cache_head *cnew) |
497 | { |
498 | struct unix_gid *orig = container_of(corig, struct unix_gid, h); |
499 | struct unix_gid *new = container_of(cnew, struct unix_gid, h); |
500 | return orig->uid == new->uid; |
501 | } |
502 | static void unix_gid_init(struct cache_head *cnew, struct cache_head *citem) |
503 | { |
504 | struct unix_gid *new = container_of(cnew, struct unix_gid, h); |
505 | struct unix_gid *item = container_of(citem, struct unix_gid, h); |
506 | new->uid = item->uid; |
507 | } |
508 | static void unix_gid_update(struct cache_head *cnew, struct cache_head *citem) |
509 | { |
510 | struct unix_gid *new = container_of(cnew, struct unix_gid, h); |
511 | struct unix_gid *item = container_of(citem, struct unix_gid, h); |
512 | |
513 | get_group_info(item->gi); |
514 | new->gi = item->gi; |
515 | } |
516 | static struct cache_head *unix_gid_alloc(void) |
517 | { |
518 | struct unix_gid *g = kmalloc(sizeof(*g), GFP_KERNEL); |
519 | if (g) |
520 | return &g->h; |
521 | else |
522 | return NULL; |
523 | } |
524 | |
525 | static void unix_gid_request(struct cache_detail *cd, |
526 | struct cache_head *h, |
527 | char **bpp, int *blen) |
528 | { |
529 | char tuid[20]; |
530 | struct unix_gid *ug = container_of(h, struct unix_gid, h); |
531 | |
532 | snprintf(tuid, 20, "%u", ug->uid); |
533 | qword_add(bpp, blen, tuid); |
534 | (*bpp)[-1] = '\n'; |
535 | } |
536 | |
537 | static int unix_gid_upcall(struct cache_detail *cd, struct cache_head *h) |
538 | { |
539 | return sunrpc_cache_pipe_upcall(cd, h, unix_gid_request); |
540 | } |
541 | |
542 | static struct unix_gid *unix_gid_lookup(uid_t uid); |
543 | extern struct cache_detail unix_gid_cache; |
544 | |
545 | static int unix_gid_parse(struct cache_detail *cd, |
546 | char *mesg, int mlen) |
547 | { |
548 | /* uid expiry Ngid gid0 gid1 ... gidN-1 */ |
549 | int uid; |
550 | int gids; |
551 | int rv; |
552 | int i; |
553 | int err; |
554 | time_t expiry; |
555 | struct unix_gid ug, *ugp; |
556 | |
557 | if (mlen <= 0 || mesg[mlen-1] != '\n') |
558 | return -EINVAL; |
559 | mesg[mlen-1] = 0; |
560 | |
561 | rv = get_int(&mesg, &uid); |
562 | if (rv) |
563 | return -EINVAL; |
564 | ug.uid = uid; |
565 | |
566 | expiry = get_expiry(&mesg); |
567 | if (expiry == 0) |
568 | return -EINVAL; |
569 | |
570 | rv = get_int(&mesg, &gids); |
571 | if (rv || gids < 0 || gids > 8192) |
572 | return -EINVAL; |
573 | |
574 | ug.gi = groups_alloc(gids); |
575 | if (!ug.gi) |
576 | return -ENOMEM; |
577 | |
578 | for (i = 0 ; i < gids ; i++) { |
579 | int gid; |
580 | rv = get_int(&mesg, &gid); |
581 | err = -EINVAL; |
582 | if (rv) |
583 | goto out; |
584 | GROUP_AT(ug.gi, i) = gid; |
585 | } |
586 | |
587 | ugp = unix_gid_lookup(uid); |
588 | if (ugp) { |
589 | struct cache_head *ch; |
590 | ug.h.flags = 0; |
591 | ug.h.expiry_time = expiry; |
592 | ch = sunrpc_cache_update(&unix_gid_cache, |
593 | &ug.h, &ugp->h, |
594 | hash_long(uid, GID_HASHBITS)); |
595 | if (!ch) |
596 | err = -ENOMEM; |
597 | else { |
598 | err = 0; |
599 | cache_put(ch, &unix_gid_cache); |
600 | } |
601 | } else |
602 | err = -ENOMEM; |
603 | out: |
604 | if (ug.gi) |
605 | put_group_info(ug.gi); |
606 | return err; |
607 | } |
608 | |
609 | static int unix_gid_show(struct seq_file *m, |
610 | struct cache_detail *cd, |
611 | struct cache_head *h) |
612 | { |
613 | struct unix_gid *ug; |
614 | int i; |
615 | int glen; |
616 | |
617 | if (h == NULL) { |
618 | seq_puts(m, "#uid cnt: gids...\n"); |
619 | return 0; |
620 | } |
621 | ug = container_of(h, struct unix_gid, h); |
622 | if (test_bit(CACHE_VALID, &h->flags) && |
623 | !test_bit(CACHE_NEGATIVE, &h->flags)) |
624 | glen = ug->gi->ngroups; |
625 | else |
626 | glen = 0; |
627 | |
628 | seq_printf(m, "%u %d:", ug->uid, glen); |
629 | for (i = 0; i < glen; i++) |
630 | seq_printf(m, " %d", GROUP_AT(ug->gi, i)); |
631 | seq_printf(m, "\n"); |
632 | return 0; |
633 | } |
634 | |
635 | struct cache_detail unix_gid_cache = { |
636 | .owner = THIS_MODULE, |
637 | .hash_size = GID_HASHMAX, |
638 | .hash_table = gid_table, |
639 | .name = "auth.unix.gid", |
640 | .cache_put = unix_gid_put, |
641 | .cache_upcall = unix_gid_upcall, |
642 | .cache_parse = unix_gid_parse, |
643 | .cache_show = unix_gid_show, |
644 | .match = unix_gid_match, |
645 | .init = unix_gid_init, |
646 | .update = unix_gid_update, |
647 | .alloc = unix_gid_alloc, |
648 | }; |
649 | |
650 | static struct unix_gid *unix_gid_lookup(uid_t uid) |
651 | { |
652 | struct unix_gid ug; |
653 | struct cache_head *ch; |
654 | |
655 | ug.uid = uid; |
656 | ch = sunrpc_cache_lookup(&unix_gid_cache, &ug.h, |
657 | hash_long(uid, GID_HASHBITS)); |
658 | if (ch) |
659 | return container_of(ch, struct unix_gid, h); |
660 | else |
661 | return NULL; |
662 | } |
663 | |
664 | static struct group_info *unix_gid_find(uid_t uid, struct svc_rqst *rqstp) |
665 | { |
666 | struct unix_gid *ug; |
667 | struct group_info *gi; |
668 | int ret; |
669 | |
670 | ug = unix_gid_lookup(uid); |
671 | if (!ug) |
672 | return ERR_PTR(-EAGAIN); |
673 | ret = cache_check(&unix_gid_cache, &ug->h, &rqstp->rq_chandle); |
674 | switch (ret) { |
675 | case -ENOENT: |
676 | return ERR_PTR(-ENOENT); |
677 | case 0: |
678 | gi = get_group_info(ug->gi); |
679 | cache_put(&ug->h, &unix_gid_cache); |
680 | return gi; |
681 | default: |
682 | return ERR_PTR(-EAGAIN); |
683 | } |
684 | } |
685 | |
686 | int |
687 | svcauth_unix_set_client(struct svc_rqst *rqstp) |
688 | { |
689 | struct sockaddr_in *sin; |
690 | struct sockaddr_in6 *sin6, sin6_storage; |
691 | struct ip_map *ipm; |
692 | struct group_info *gi; |
693 | struct svc_cred *cred = &rqstp->rq_cred; |
694 | |
695 | switch (rqstp->rq_addr.ss_family) { |
696 | case AF_INET: |
697 | sin = svc_addr_in(rqstp); |
698 | sin6 = &sin6_storage; |
699 | ipv6_addr_set_v4mapped(sin->sin_addr.s_addr, &sin6->sin6_addr); |
700 | break; |
701 | case AF_INET6: |
702 | sin6 = svc_addr_in6(rqstp); |
703 | break; |
704 | default: |
705 | BUG(); |
706 | } |
707 | |
708 | rqstp->rq_client = NULL; |
709 | if (rqstp->rq_proc == 0) |
710 | return SVC_OK; |
711 | |
712 | ipm = ip_map_cached_get(rqstp); |
713 | if (ipm == NULL) |
714 | ipm = ip_map_lookup(rqstp->rq_server->sv_program->pg_class, |
715 | &sin6->sin6_addr); |
716 | |
717 | if (ipm == NULL) |
718 | return SVC_DENIED; |
719 | |
720 | switch (cache_check(&ip_map_cache, &ipm->h, &rqstp->rq_chandle)) { |
721 | default: |
722 | BUG(); |
723 | case -EAGAIN: |
724 | case -ETIMEDOUT: |
725 | return SVC_DROP; |
726 | case -ENOENT: |
727 | return SVC_DENIED; |
728 | case 0: |
729 | rqstp->rq_client = &ipm->m_client->h; |
730 | kref_get(&rqstp->rq_client->ref); |
731 | ip_map_cached_put(rqstp, ipm); |
732 | break; |
733 | } |
734 | |
735 | gi = unix_gid_find(cred->cr_uid, rqstp); |
736 | switch (PTR_ERR(gi)) { |
737 | case -EAGAIN: |
738 | return SVC_DROP; |
739 | case -ENOENT: |
740 | break; |
741 | default: |
742 | put_group_info(cred->cr_group_info); |
743 | cred->cr_group_info = gi; |
744 | } |
745 | return SVC_OK; |
746 | } |
747 | |
748 | EXPORT_SYMBOL_GPL(svcauth_unix_set_client); |
749 | |
750 | static int |
751 | svcauth_null_accept(struct svc_rqst *rqstp, __be32 *authp) |
752 | { |
753 | struct kvec *argv = &rqstp->rq_arg.head[0]; |
754 | struct kvec *resv = &rqstp->rq_res.head[0]; |
755 | struct svc_cred *cred = &rqstp->rq_cred; |
756 | |
757 | cred->cr_group_info = NULL; |
758 | rqstp->rq_client = NULL; |
759 | |
760 | if (argv->iov_len < 3*4) |
761 | return SVC_GARBAGE; |
762 | |
763 | if (svc_getu32(argv) != 0) { |
764 | dprintk("svc: bad null cred\n"); |
765 | *authp = rpc_autherr_badcred; |
766 | return SVC_DENIED; |
767 | } |
768 | if (svc_getu32(argv) != htonl(RPC_AUTH_NULL) || svc_getu32(argv) != 0) { |
769 | dprintk("svc: bad null verf\n"); |
770 | *authp = rpc_autherr_badverf; |
771 | return SVC_DENIED; |
772 | } |
773 | |
774 | /* Signal that mapping to nobody uid/gid is required */ |
775 | cred->cr_uid = (uid_t) -1; |
776 | cred->cr_gid = (gid_t) -1; |
777 | cred->cr_group_info = groups_alloc(0); |
778 | if (cred->cr_group_info == NULL) |
779 | return SVC_DROP; /* kmalloc failure - client must retry */ |
780 | |
781 | /* Put NULL verifier */ |
782 | svc_putnl(resv, RPC_AUTH_NULL); |
783 | svc_putnl(resv, 0); |
784 | |
785 | rqstp->rq_flavor = RPC_AUTH_NULL; |
786 | return SVC_OK; |
787 | } |
788 | |
789 | static int |
790 | svcauth_null_release(struct svc_rqst *rqstp) |
791 | { |
792 | if (rqstp->rq_client) |
793 | auth_domain_put(rqstp->rq_client); |
794 | rqstp->rq_client = NULL; |
795 | if (rqstp->rq_cred.cr_group_info) |
796 | put_group_info(rqstp->rq_cred.cr_group_info); |
797 | rqstp->rq_cred.cr_group_info = NULL; |
798 | |
799 | return 0; /* don't drop */ |
800 | } |
801 | |
802 | |
803 | struct auth_ops svcauth_null = { |
804 | .name = "null", |
805 | .owner = THIS_MODULE, |
806 | .flavour = RPC_AUTH_NULL, |
807 | .accept = svcauth_null_accept, |
808 | .release = svcauth_null_release, |
809 | .set_client = svcauth_unix_set_client, |
810 | }; |
811 | |
812 | |
813 | static int |
814 | svcauth_unix_accept(struct svc_rqst *rqstp, __be32 *authp) |
815 | { |
816 | struct kvec *argv = &rqstp->rq_arg.head[0]; |
817 | struct kvec *resv = &rqstp->rq_res.head[0]; |
818 | struct svc_cred *cred = &rqstp->rq_cred; |
819 | u32 slen, i; |
820 | int len = argv->iov_len; |
821 | |
822 | cred->cr_group_info = NULL; |
823 | rqstp->rq_client = NULL; |
824 | |
825 | if ((len -= 3*4) < 0) |
826 | return SVC_GARBAGE; |
827 | |
828 | svc_getu32(argv); /* length */ |
829 | svc_getu32(argv); /* time stamp */ |
830 | slen = XDR_QUADLEN(svc_getnl(argv)); /* machname length */ |
831 | if (slen > 64 || (len -= (slen + 3)*4) < 0) |
832 | goto badcred; |
833 | argv->iov_base = (void*)((__be32*)argv->iov_base + slen); /* skip machname */ |
834 | argv->iov_len -= slen*4; |
835 | |
836 | cred->cr_uid = svc_getnl(argv); /* uid */ |
837 | cred->cr_gid = svc_getnl(argv); /* gid */ |
838 | slen = svc_getnl(argv); /* gids length */ |
839 | if (slen > 16 || (len -= (slen + 2)*4) < 0) |
840 | goto badcred; |
841 | cred->cr_group_info = groups_alloc(slen); |
842 | if (cred->cr_group_info == NULL) |
843 | return SVC_DROP; |
844 | for (i = 0; i < slen; i++) |
845 | GROUP_AT(cred->cr_group_info, i) = svc_getnl(argv); |
846 | if (svc_getu32(argv) != htonl(RPC_AUTH_NULL) || svc_getu32(argv) != 0) { |
847 | *authp = rpc_autherr_badverf; |
848 | return SVC_DENIED; |
849 | } |
850 | |
851 | /* Put NULL verifier */ |
852 | svc_putnl(resv, RPC_AUTH_NULL); |
853 | svc_putnl(resv, 0); |
854 | |
855 | rqstp->rq_flavor = RPC_AUTH_UNIX; |
856 | return SVC_OK; |
857 | |
858 | badcred: |
859 | *authp = rpc_autherr_badcred; |
860 | return SVC_DENIED; |
861 | } |
862 | |
863 | static int |
864 | svcauth_unix_release(struct svc_rqst *rqstp) |
865 | { |
866 | /* Verifier (such as it is) is already in place. |
867 | */ |
868 | if (rqstp->rq_client) |
869 | auth_domain_put(rqstp->rq_client); |
870 | rqstp->rq_client = NULL; |
871 | if (rqstp->rq_cred.cr_group_info) |
872 | put_group_info(rqstp->rq_cred.cr_group_info); |
873 | rqstp->rq_cred.cr_group_info = NULL; |
874 | |
875 | return 0; |
876 | } |
877 | |
878 | |
879 | struct auth_ops svcauth_unix = { |
880 | .name = "unix", |
881 | .owner = THIS_MODULE, |
882 | .flavour = RPC_AUTH_UNIX, |
883 | .accept = svcauth_unix_accept, |
884 | .release = svcauth_unix_release, |
885 | .domain_release = svcauth_unix_domain_release, |
886 | .set_client = svcauth_unix_set_client, |
887 | }; |
888 | |
889 |
Branches:
ben-wpan
ben-wpan-stefan
javiroman/ks7010
jz-2.6.34
jz-2.6.34-rc5
jz-2.6.34-rc6
jz-2.6.34-rc7
jz-2.6.35
jz-2.6.36
jz-2.6.37
jz-2.6.38
jz-2.6.39
jz-3.0
jz-3.1
jz-3.11
jz-3.12
jz-3.13
jz-3.15
jz-3.16
jz-3.18-dt
jz-3.2
jz-3.3
jz-3.4
jz-3.5
jz-3.6
jz-3.6-rc2-pwm
jz-3.9
jz-3.9-clk
jz-3.9-rc8
jz47xx
jz47xx-2.6.38
master
Tags:
od-2011-09-04
od-2011-09-18
v2.6.34-rc5
v2.6.34-rc6
v2.6.34-rc7
v3.9