Commit | Line | Data |
---|---|---|
9a559efd TM |
1 | /* |
2 | * Generic RPC credential | |
3 | * | |
4 | * Copyright (C) 2008, Trond Myklebust <Trond.Myklebust@netapp.com> | |
5 | */ | |
6 | ||
7 | #include <linux/err.h> | |
5a0e3ad6 | 8 | #include <linux/slab.h> |
9a559efd TM |
9 | #include <linux/types.h> |
10 | #include <linux/module.h> | |
11 | #include <linux/sched.h> | |
12 | #include <linux/sunrpc/auth.h> | |
13 | #include <linux/sunrpc/clnt.h> | |
14 | #include <linux/sunrpc/debug.h> | |
15 | #include <linux/sunrpc/sched.h> | |
16 | ||
f895b252 | 17 | #if IS_ENABLED(CONFIG_SUNRPC_DEBUG) |
9a559efd TM |
18 | # define RPCDBG_FACILITY RPCDBG_AUTH |
19 | #endif | |
20 | ||
bf37f794 EB |
21 | #define RPC_MACHINE_CRED_USERID GLOBAL_ROOT_UID |
22 | #define RPC_MACHINE_CRED_GROUPID GLOBAL_ROOT_GID | |
7c67db3a | 23 | |
9a559efd TM |
24 | struct generic_cred { |
25 | struct rpc_cred gc_base; | |
26 | struct auth_cred acred; | |
27 | }; | |
28 | ||
29 | static struct rpc_auth generic_auth; | |
9a559efd TM |
30 | static const struct rpc_credops generic_credops; |
31 | ||
32 | /* | |
33 | * Public call interface | |
34 | */ | |
35 | struct rpc_cred *rpc_lookup_cred(void) | |
36 | { | |
37 | return rpcauth_lookupcred(&generic_auth, 0); | |
38 | } | |
39 | EXPORT_SYMBOL_GPL(rpc_lookup_cred); | |
40 | ||
bd956080 N |
41 | struct rpc_cred *rpc_lookup_cred_nonblock(void) |
42 | { | |
43 | return rpcauth_lookupcred(&generic_auth, RPCAUTH_LOOKUP_RCU); | |
44 | } | |
45 | EXPORT_SYMBOL_GPL(rpc_lookup_cred_nonblock); | |
46 | ||
7c67db3a TM |
47 | /* |
48 | * Public call interface for looking up machine creds. | |
49 | */ | |
68c97153 | 50 | struct rpc_cred *rpc_lookup_machine_cred(const char *service_name) |
7c67db3a TM |
51 | { |
52 | struct auth_cred acred = { | |
b4528762 TM |
53 | .uid = RPC_MACHINE_CRED_USERID, |
54 | .gid = RPC_MACHINE_CRED_GROUPID, | |
68c97153 | 55 | .principal = service_name, |
7c67db3a TM |
56 | .machine_cred = 1, |
57 | }; | |
58 | ||
68c97153 TM |
59 | dprintk("RPC: looking up machine cred for service %s\n", |
60 | service_name); | |
7c67db3a TM |
61 | return generic_auth.au_ops->lookup_cred(&generic_auth, &acred, 0); |
62 | } | |
63 | EXPORT_SYMBOL_GPL(rpc_lookup_machine_cred); | |
64 | ||
8572b8e2 TM |
65 | static struct rpc_cred *generic_bind_cred(struct rpc_task *task, |
66 | struct rpc_cred *cred, int lookupflags) | |
5c691044 TM |
67 | { |
68 | struct rpc_auth *auth = task->tk_client->cl_auth; | |
69 | struct auth_cred *acred = &container_of(cred, struct generic_cred, gc_base)->acred; | |
5c691044 | 70 | |
8572b8e2 | 71 | return auth->au_ops->lookup_cred(auth, acred, lookupflags); |
5c691044 TM |
72 | } |
73 | ||
9a559efd TM |
74 | /* |
75 | * Lookup generic creds for current process | |
76 | */ | |
77 | static struct rpc_cred * | |
78 | generic_lookup_cred(struct rpc_auth *auth, struct auth_cred *acred, int flags) | |
79 | { | |
80 | return rpcauth_lookup_credcache(&generic_auth, acred, flags); | |
81 | } | |
82 | ||
83 | static struct rpc_cred * | |
84 | generic_create_cred(struct rpc_auth *auth, struct auth_cred *acred, int flags) | |
85 | { | |
86 | struct generic_cred *gcred; | |
87 | ||
88 | gcred = kmalloc(sizeof(*gcred), GFP_KERNEL); | |
89 | if (gcred == NULL) | |
90 | return ERR_PTR(-ENOMEM); | |
91 | ||
92 | rpcauth_init_cred(&gcred->gc_base, acred, &generic_auth, &generic_credops); | |
93 | gcred->gc_base.cr_flags = 1UL << RPCAUTH_CRED_UPTODATE; | |
94 | ||
95 | gcred->acred.uid = acred->uid; | |
96 | gcred->acred.gid = acred->gid; | |
97 | gcred->acred.group_info = acred->group_info; | |
4de6caa2 | 98 | gcred->acred.ac_flags = 0; |
9a559efd TM |
99 | if (gcred->acred.group_info != NULL) |
100 | get_group_info(gcred->acred.group_info); | |
7c67db3a | 101 | gcred->acred.machine_cred = acred->machine_cred; |
875ad3f8 | 102 | gcred->acred.principal = acred->principal; |
9a559efd | 103 | |
7c67db3a TM |
104 | dprintk("RPC: allocated %s cred %p for uid %d gid %d\n", |
105 | gcred->acred.machine_cred ? "machine" : "generic", | |
cdba321e EB |
106 | gcred, |
107 | from_kuid(&init_user_ns, acred->uid), | |
108 | from_kgid(&init_user_ns, acred->gid)); | |
9a559efd TM |
109 | return &gcred->gc_base; |
110 | } | |
111 | ||
112 | static void | |
113 | generic_free_cred(struct rpc_cred *cred) | |
114 | { | |
115 | struct generic_cred *gcred = container_of(cred, struct generic_cred, gc_base); | |
116 | ||
117 | dprintk("RPC: generic_free_cred %p\n", gcred); | |
118 | if (gcred->acred.group_info != NULL) | |
119 | put_group_info(gcred->acred.group_info); | |
120 | kfree(gcred); | |
121 | } | |
122 | ||
123 | static void | |
124 | generic_free_cred_callback(struct rcu_head *head) | |
125 | { | |
126 | struct rpc_cred *cred = container_of(head, struct rpc_cred, cr_rcu); | |
127 | generic_free_cred(cred); | |
128 | } | |
129 | ||
130 | static void | |
131 | generic_destroy_cred(struct rpc_cred *cred) | |
132 | { | |
133 | call_rcu(&cred->cr_rcu, generic_free_cred_callback); | |
134 | } | |
135 | ||
875ad3f8 TM |
136 | static int |
137 | machine_cred_match(struct auth_cred *acred, struct generic_cred *gcred, int flags) | |
138 | { | |
139 | if (!gcred->acred.machine_cred || | |
140 | gcred->acred.principal != acred->principal || | |
0b4d51b0 EB |
141 | !uid_eq(gcred->acred.uid, acred->uid) || |
142 | !gid_eq(gcred->acred.gid, acred->gid)) | |
875ad3f8 TM |
143 | return 0; |
144 | return 1; | |
145 | } | |
146 | ||
9a559efd TM |
147 | /* |
148 | * Match credentials against current process creds. | |
149 | */ | |
150 | static int | |
151 | generic_match(struct auth_cred *acred, struct rpc_cred *cred, int flags) | |
152 | { | |
153 | struct generic_cred *gcred = container_of(cred, struct generic_cred, gc_base); | |
23918b03 | 154 | int i; |
9a559efd | 155 | |
875ad3f8 TM |
156 | if (acred->machine_cred) |
157 | return machine_cred_match(acred, gcred, flags); | |
158 | ||
0b4d51b0 EB |
159 | if (!uid_eq(gcred->acred.uid, acred->uid) || |
160 | !gid_eq(gcred->acred.gid, acred->gid) || | |
875ad3f8 | 161 | gcred->acred.machine_cred != 0) |
23918b03 TM |
162 | goto out_nomatch; |
163 | ||
164 | /* Optimisation in the case where pointers are identical... */ | |
165 | if (gcred->acred.group_info == acred->group_info) | |
166 | goto out_match; | |
167 | ||
168 | /* Slow path... */ | |
169 | if (gcred->acred.group_info->ngroups != acred->group_info->ngroups) | |
170 | goto out_nomatch; | |
171 | for (i = 0; i < gcred->acred.group_info->ngroups; i++) { | |
ae2975bc EB |
172 | if (!gid_eq(GROUP_AT(gcred->acred.group_info, i), |
173 | GROUP_AT(acred->group_info, i))) | |
23918b03 TM |
174 | goto out_nomatch; |
175 | } | |
176 | out_match: | |
9a559efd | 177 | return 1; |
23918b03 TM |
178 | out_nomatch: |
179 | return 0; | |
9a559efd TM |
180 | } |
181 | ||
5d8d9a4d | 182 | int __init rpc_init_generic_auth(void) |
9a559efd | 183 | { |
5d8d9a4d | 184 | return rpcauth_init_credcache(&generic_auth); |
9a559efd TM |
185 | } |
186 | ||
c135e84a | 187 | void rpc_destroy_generic_auth(void) |
9a559efd | 188 | { |
5d8d9a4d | 189 | rpcauth_destroy_credcache(&generic_auth); |
9a559efd TM |
190 | } |
191 | ||
4de6caa2 AA |
192 | /* |
193 | * Test the the current time (now) against the underlying credential key expiry | |
194 | * minus a timeout and setup notification. | |
195 | * | |
196 | * The normal case: | |
197 | * If 'now' is before the key expiry minus RPC_KEY_EXPIRE_TIMEO, set | |
198 | * the RPC_CRED_NOTIFY_TIMEOUT flag to setup the underlying credential | |
199 | * rpc_credops crmatch routine to notify this generic cred when it's key | |
200 | * expiration is within RPC_KEY_EXPIRE_TIMEO, and return 0. | |
201 | * | |
202 | * The error case: | |
203 | * If the underlying cred lookup fails, return -EACCES. | |
204 | * | |
205 | * The 'almost' error case: | |
206 | * If 'now' is within key expiry minus RPC_KEY_EXPIRE_TIMEO, but not within | |
207 | * key expiry minus RPC_KEY_EXPIRE_FAIL, set the RPC_CRED_EXPIRE_SOON bit | |
208 | * on the acred ac_flags and return 0. | |
209 | */ | |
210 | static int | |
211 | generic_key_timeout(struct rpc_auth *auth, struct rpc_cred *cred) | |
212 | { | |
213 | struct auth_cred *acred = &container_of(cred, struct generic_cred, | |
214 | gc_base)->acred; | |
215 | struct rpc_cred *tcred; | |
216 | int ret = 0; | |
217 | ||
218 | ||
219 | /* Fast track for non crkey_timeout (no key) underlying credentials */ | |
220 | if (test_bit(RPC_CRED_NO_CRKEY_TIMEOUT, &acred->ac_flags)) | |
221 | return 0; | |
222 | ||
223 | /* Fast track for the normal case */ | |
224 | if (test_bit(RPC_CRED_NOTIFY_TIMEOUT, &acred->ac_flags)) | |
225 | return 0; | |
226 | ||
227 | /* lookup_cred either returns a valid referenced rpc_cred, or PTR_ERR */ | |
228 | tcred = auth->au_ops->lookup_cred(auth, acred, 0); | |
229 | if (IS_ERR(tcred)) | |
230 | return -EACCES; | |
231 | ||
232 | if (!tcred->cr_ops->crkey_timeout) { | |
233 | set_bit(RPC_CRED_NO_CRKEY_TIMEOUT, &acred->ac_flags); | |
234 | ret = 0; | |
235 | goto out_put; | |
236 | } | |
237 | ||
238 | /* Test for the almost error case */ | |
239 | ret = tcred->cr_ops->crkey_timeout(tcred); | |
240 | if (ret != 0) { | |
241 | set_bit(RPC_CRED_KEY_EXPIRE_SOON, &acred->ac_flags); | |
242 | ret = 0; | |
243 | } else { | |
244 | /* In case underlying cred key has been reset */ | |
245 | if (test_and_clear_bit(RPC_CRED_KEY_EXPIRE_SOON, | |
246 | &acred->ac_flags)) | |
247 | dprintk("RPC: UID %d Credential key reset\n", | |
13429305 | 248 | from_kuid(&init_user_ns, tcred->cr_uid)); |
4de6caa2 AA |
249 | /* set up fasttrack for the normal case */ |
250 | set_bit(RPC_CRED_NOTIFY_TIMEOUT, &acred->ac_flags); | |
251 | } | |
252 | ||
253 | out_put: | |
254 | put_rpccred(tcred); | |
255 | return ret; | |
256 | } | |
257 | ||
9a559efd TM |
258 | static const struct rpc_authops generic_auth_ops = { |
259 | .owner = THIS_MODULE, | |
9a559efd | 260 | .au_name = "Generic", |
9a559efd TM |
261 | .lookup_cred = generic_lookup_cred, |
262 | .crcreate = generic_create_cred, | |
4de6caa2 | 263 | .key_timeout = generic_key_timeout, |
9a559efd TM |
264 | }; |
265 | ||
266 | static struct rpc_auth generic_auth = { | |
267 | .au_ops = &generic_auth_ops, | |
268 | .au_count = ATOMIC_INIT(0), | |
9a559efd TM |
269 | }; |
270 | ||
4de6caa2 AA |
271 | static bool generic_key_to_expire(struct rpc_cred *cred) |
272 | { | |
273 | struct auth_cred *acred = &container_of(cred, struct generic_cred, | |
274 | gc_base)->acred; | |
275 | bool ret; | |
276 | ||
277 | get_rpccred(cred); | |
278 | ret = test_bit(RPC_CRED_KEY_EXPIRE_SOON, &acred->ac_flags); | |
279 | put_rpccred(cred); | |
280 | ||
281 | return ret; | |
282 | } | |
283 | ||
9a559efd TM |
284 | static const struct rpc_credops generic_credops = { |
285 | .cr_name = "Generic cred", | |
286 | .crdestroy = generic_destroy_cred, | |
5c691044 | 287 | .crbind = generic_bind_cred, |
9a559efd | 288 | .crmatch = generic_match, |
4de6caa2 | 289 | .crkey_to_expire = generic_key_to_expire, |
9a559efd | 290 | }; |