1 // SPDX-License-Identifier: GPL-2.0 1 // SPDX-License-Identifier: GPL-2.0 2 /* 2 /* 3 * linux/net/sunrpc/auth_unix.c 3 * linux/net/sunrpc/auth_unix.c 4 * 4 * 5 * UNIX-style authentication; no AUTH_SHORT su 5 * UNIX-style authentication; no AUTH_SHORT support 6 * 6 * 7 * Copyright (C) 1996, Olaf Kirch <okir@monad. 7 * Copyright (C) 1996, Olaf Kirch <okir@monad.swb.de> 8 */ 8 */ 9 9 10 #include <linux/slab.h> 10 #include <linux/slab.h> 11 #include <linux/types.h> 11 #include <linux/types.h> 12 #include <linux/sched.h> 12 #include <linux/sched.h> 13 #include <linux/module.h> 13 #include <linux/module.h> 14 #include <linux/mempool.h> 14 #include <linux/mempool.h> 15 #include <linux/sunrpc/clnt.h> 15 #include <linux/sunrpc/clnt.h> 16 #include <linux/sunrpc/auth.h> 16 #include <linux/sunrpc/auth.h> 17 #include <linux/user_namespace.h> 17 #include <linux/user_namespace.h> 18 18 19 19 20 #if IS_ENABLED(CONFIG_SUNRPC_DEBUG) 20 #if IS_ENABLED(CONFIG_SUNRPC_DEBUG) 21 # define RPCDBG_FACILITY RPCDBG_AUTH 21 # define RPCDBG_FACILITY RPCDBG_AUTH 22 #endif 22 #endif 23 23 24 static struct rpc_auth unix_auth; 24 static struct rpc_auth unix_auth; 25 static const struct rpc_credops unix_credops; 25 static const struct rpc_credops unix_credops; 26 static mempool_t *unix_pool; 26 static mempool_t *unix_pool; 27 27 28 static struct rpc_auth * 28 static struct rpc_auth * 29 unx_create(const struct rpc_auth_create_args * 29 unx_create(const struct rpc_auth_create_args *args, struct rpc_clnt *clnt) 30 { 30 { 31 refcount_inc(&unix_auth.au_count); 31 refcount_inc(&unix_auth.au_count); 32 return &unix_auth; 32 return &unix_auth; 33 } 33 } 34 34 35 static void 35 static void 36 unx_destroy(struct rpc_auth *auth) 36 unx_destroy(struct rpc_auth *auth) 37 { 37 { 38 } 38 } 39 39 40 /* 40 /* 41 * Lookup AUTH_UNIX creds for current process 41 * Lookup AUTH_UNIX creds for current process 42 */ 42 */ 43 static struct rpc_cred *unx_lookup_cred(struct !! 43 static struct rpc_cred * 44 struct !! 44 unx_lookup_cred(struct rpc_auth *auth, struct auth_cred *acred, int flags) 45 { 45 { 46 struct rpc_cred *ret; !! 46 struct rpc_cred *ret = mempool_alloc(unix_pool, GFP_NOFS); 47 47 48 ret = kmalloc(sizeof(*ret), rpc_task_g << 49 if (!ret) { << 50 if (!(flags & RPCAUTH_LOOKUP_A << 51 return ERR_PTR(-ENOMEM << 52 ret = mempool_alloc(unix_pool, << 53 if (!ret) << 54 return ERR_PTR(-ENOMEM << 55 } << 56 rpcauth_init_cred(ret, acred, auth, &u 48 rpcauth_init_cred(ret, acred, auth, &unix_credops); 57 ret->cr_flags = 1UL << RPCAUTH_CRED_UP 49 ret->cr_flags = 1UL << RPCAUTH_CRED_UPTODATE; 58 return ret; 50 return ret; 59 } 51 } 60 52 61 static void 53 static void 62 unx_free_cred_callback(struct rcu_head *head) 54 unx_free_cred_callback(struct rcu_head *head) 63 { 55 { 64 struct rpc_cred *rpc_cred = container_ 56 struct rpc_cred *rpc_cred = container_of(head, struct rpc_cred, cr_rcu); 65 57 66 put_cred(rpc_cred->cr_cred); 58 put_cred(rpc_cred->cr_cred); 67 mempool_free(rpc_cred, unix_pool); 59 mempool_free(rpc_cred, unix_pool); 68 } 60 } 69 61 70 static void 62 static void 71 unx_destroy_cred(struct rpc_cred *cred) 63 unx_destroy_cred(struct rpc_cred *cred) 72 { 64 { 73 call_rcu(&cred->cr_rcu, unx_free_cred_ 65 call_rcu(&cred->cr_rcu, unx_free_cred_callback); 74 } 66 } 75 67 76 /* 68 /* 77 * Match credentials against current the auth_ 69 * Match credentials against current the auth_cred. 78 */ 70 */ 79 static int 71 static int 80 unx_match(struct auth_cred *acred, struct rpc_ 72 unx_match(struct auth_cred *acred, struct rpc_cred *cred, int flags) 81 { 73 { 82 unsigned int groups = 0; 74 unsigned int groups = 0; 83 unsigned int i; 75 unsigned int i; 84 76 85 if (cred->cr_cred == acred->cred) 77 if (cred->cr_cred == acred->cred) 86 return 1; 78 return 1; 87 79 88 if (!uid_eq(cred->cr_cred->fsuid, acre 80 if (!uid_eq(cred->cr_cred->fsuid, acred->cred->fsuid) || !gid_eq(cred->cr_cred->fsgid, acred->cred->fsgid)) 89 return 0; 81 return 0; 90 82 91 if (acred->cred->group_info != NULL) 83 if (acred->cred->group_info != NULL) 92 groups = acred->cred->group_in 84 groups = acred->cred->group_info->ngroups; 93 if (groups > UNX_NGROUPS) 85 if (groups > UNX_NGROUPS) 94 groups = UNX_NGROUPS; 86 groups = UNX_NGROUPS; 95 if (cred->cr_cred->group_info == NULL) 87 if (cred->cr_cred->group_info == NULL) 96 return groups == 0; 88 return groups == 0; 97 if (groups != cred->cr_cred->group_inf 89 if (groups != cred->cr_cred->group_info->ngroups) 98 return 0; 90 return 0; 99 91 100 for (i = 0; i < groups ; i++) 92 for (i = 0; i < groups ; i++) 101 if (!gid_eq(cred->cr_cred->gro 93 if (!gid_eq(cred->cr_cred->group_info->gid[i], acred->cred->group_info->gid[i])) 102 return 0; 94 return 0; 103 return 1; 95 return 1; 104 } 96 } 105 97 106 /* 98 /* 107 * Marshal credentials. 99 * Marshal credentials. 108 * Maybe we should keep a cached credential fo 100 * Maybe we should keep a cached credential for performance reasons. 109 */ 101 */ 110 static int 102 static int 111 unx_marshal(struct rpc_task *task, struct xdr_ 103 unx_marshal(struct rpc_task *task, struct xdr_stream *xdr) 112 { 104 { 113 struct rpc_clnt *clnt = task->tk_clien 105 struct rpc_clnt *clnt = task->tk_client; 114 struct rpc_cred *cred = task->tk_rqstp 106 struct rpc_cred *cred = task->tk_rqstp->rq_cred; 115 __be32 *p, *cred_len, *gidarr 107 __be32 *p, *cred_len, *gidarr_len; 116 int i; 108 int i; 117 struct group_info *gi = cred->cr_cred- 109 struct group_info *gi = cred->cr_cred->group_info; 118 struct user_namespace *userns = clnt-> 110 struct user_namespace *userns = clnt->cl_cred ? 119 clnt->cl_cred->user_ns : &init 111 clnt->cl_cred->user_ns : &init_user_ns; 120 112 121 /* Credential */ 113 /* Credential */ 122 114 123 p = xdr_reserve_space(xdr, 3 * sizeof( 115 p = xdr_reserve_space(xdr, 3 * sizeof(*p)); 124 if (!p) 116 if (!p) 125 goto marshal_failed; 117 goto marshal_failed; 126 *p++ = rpc_auth_unix; 118 *p++ = rpc_auth_unix; 127 cred_len = p++; 119 cred_len = p++; 128 *p++ = xdr_zero; /* stamp */ 120 *p++ = xdr_zero; /* stamp */ 129 if (xdr_stream_encode_opaque(xdr, clnt 121 if (xdr_stream_encode_opaque(xdr, clnt->cl_nodename, 130 clnt->cl_ 122 clnt->cl_nodelen) < 0) 131 goto marshal_failed; 123 goto marshal_failed; 132 p = xdr_reserve_space(xdr, 3 * sizeof( 124 p = xdr_reserve_space(xdr, 3 * sizeof(*p)); 133 if (!p) 125 if (!p) 134 goto marshal_failed; 126 goto marshal_failed; 135 *p++ = cpu_to_be32(from_kuid_munged(us 127 *p++ = cpu_to_be32(from_kuid_munged(userns, cred->cr_cred->fsuid)); 136 *p++ = cpu_to_be32(from_kgid_munged(us 128 *p++ = cpu_to_be32(from_kgid_munged(userns, cred->cr_cred->fsgid)); 137 129 138 gidarr_len = p++; 130 gidarr_len = p++; 139 if (gi) 131 if (gi) 140 for (i = 0; i < UNX_NGROUPS && 132 for (i = 0; i < UNX_NGROUPS && i < gi->ngroups; i++) 141 *p++ = cpu_to_be32(fro 133 *p++ = cpu_to_be32(from_kgid_munged(userns, gi->gid[i])); 142 *gidarr_len = cpu_to_be32(p - gidarr_l 134 *gidarr_len = cpu_to_be32(p - gidarr_len - 1); 143 *cred_len = cpu_to_be32((p - cred_len 135 *cred_len = cpu_to_be32((p - cred_len - 1) << 2); 144 p = xdr_reserve_space(xdr, (p - gidarr 136 p = xdr_reserve_space(xdr, (p - gidarr_len - 1) << 2); 145 if (!p) 137 if (!p) 146 goto marshal_failed; 138 goto marshal_failed; 147 139 148 /* Verifier */ 140 /* Verifier */ 149 141 150 p = xdr_reserve_space(xdr, 2 * sizeof( 142 p = xdr_reserve_space(xdr, 2 * sizeof(*p)); 151 if (!p) 143 if (!p) 152 goto marshal_failed; 144 goto marshal_failed; 153 *p++ = rpc_auth_null; 145 *p++ = rpc_auth_null; 154 *p = xdr_zero; 146 *p = xdr_zero; 155 147 156 return 0; 148 return 0; 157 149 158 marshal_failed: 150 marshal_failed: 159 return -EMSGSIZE; 151 return -EMSGSIZE; 160 } 152 } 161 153 162 /* 154 /* 163 * Refresh credentials. This is a no-op for AU 155 * Refresh credentials. This is a no-op for AUTH_UNIX 164 */ 156 */ 165 static int 157 static int 166 unx_refresh(struct rpc_task *task) 158 unx_refresh(struct rpc_task *task) 167 { 159 { 168 set_bit(RPCAUTH_CRED_UPTODATE, &task-> 160 set_bit(RPCAUTH_CRED_UPTODATE, &task->tk_rqstp->rq_cred->cr_flags); 169 return 0; 161 return 0; 170 } 162 } 171 163 172 static int 164 static int 173 unx_validate(struct rpc_task *task, struct xdr 165 unx_validate(struct rpc_task *task, struct xdr_stream *xdr) 174 { 166 { 175 struct rpc_auth *auth = task->tk_rqstp 167 struct rpc_auth *auth = task->tk_rqstp->rq_cred->cr_auth; 176 __be32 *p; 168 __be32 *p; 177 u32 size; 169 u32 size; 178 170 179 p = xdr_inline_decode(xdr, 2 * sizeof( 171 p = xdr_inline_decode(xdr, 2 * sizeof(*p)); 180 if (!p) 172 if (!p) 181 return -EIO; 173 return -EIO; 182 switch (*p++) { 174 switch (*p++) { 183 case rpc_auth_null: 175 case rpc_auth_null: 184 case rpc_auth_unix: 176 case rpc_auth_unix: 185 case rpc_auth_short: 177 case rpc_auth_short: 186 break; 178 break; 187 default: 179 default: 188 return -EIO; 180 return -EIO; 189 } 181 } 190 size = be32_to_cpup(p); 182 size = be32_to_cpup(p); 191 if (size > RPC_MAX_AUTH_SIZE) 183 if (size > RPC_MAX_AUTH_SIZE) 192 return -EIO; 184 return -EIO; 193 p = xdr_inline_decode(xdr, size); 185 p = xdr_inline_decode(xdr, size); 194 if (!p) 186 if (!p) 195 return -EIO; 187 return -EIO; 196 188 197 auth->au_verfsize = XDR_QUADLEN(size) 189 auth->au_verfsize = XDR_QUADLEN(size) + 2; 198 auth->au_rslack = XDR_QUADLEN(size) + 190 auth->au_rslack = XDR_QUADLEN(size) + 2; 199 auth->au_ralign = XDR_QUADLEN(size) + 191 auth->au_ralign = XDR_QUADLEN(size) + 2; 200 return 0; 192 return 0; 201 } 193 } 202 194 203 int __init rpc_init_authunix(void) 195 int __init rpc_init_authunix(void) 204 { 196 { 205 unix_pool = mempool_create_kmalloc_poo 197 unix_pool = mempool_create_kmalloc_pool(16, sizeof(struct rpc_cred)); 206 return unix_pool ? 0 : -ENOMEM; 198 return unix_pool ? 0 : -ENOMEM; 207 } 199 } 208 200 209 void rpc_destroy_authunix(void) 201 void rpc_destroy_authunix(void) 210 { 202 { 211 mempool_destroy(unix_pool); 203 mempool_destroy(unix_pool); 212 } 204 } 213 205 214 const struct rpc_authops authunix_ops = { 206 const struct rpc_authops authunix_ops = { 215 .owner = THIS_MODULE, 207 .owner = THIS_MODULE, 216 .au_flavor = RPC_AUTH_UNIX, 208 .au_flavor = RPC_AUTH_UNIX, 217 .au_name = "UNIX", 209 .au_name = "UNIX", 218 .create = unx_create, 210 .create = unx_create, 219 .destroy = unx_destroy, 211 .destroy = unx_destroy, 220 .lookup_cred = unx_lookup_cred, 212 .lookup_cred = unx_lookup_cred, 221 }; 213 }; 222 214 223 static 215 static 224 struct rpc_auth unix_auth = { 216 struct rpc_auth unix_auth = { 225 .au_cslack = UNX_CALLSLACK, 217 .au_cslack = UNX_CALLSLACK, 226 .au_rslack = NUL_REPLYSLACK, 218 .au_rslack = NUL_REPLYSLACK, 227 .au_verfsize = NUL_REPLYSLACK, 219 .au_verfsize = NUL_REPLYSLACK, 228 .au_ops = &authunix_ops, 220 .au_ops = &authunix_ops, 229 .au_flavor = RPC_AUTH_UNIX, 221 .au_flavor = RPC_AUTH_UNIX, 230 .au_count = REFCOUNT_INIT(1), 222 .au_count = REFCOUNT_INIT(1), 231 }; 223 }; 232 224 233 static 225 static 234 const struct rpc_credops unix_credops = { 226 const struct rpc_credops unix_credops = { 235 .cr_name = "AUTH_UNIX", 227 .cr_name = "AUTH_UNIX", 236 .crdestroy = unx_destroy_cred, 228 .crdestroy = unx_destroy_cred, 237 .crmatch = unx_match, 229 .crmatch = unx_match, 238 .crmarshal = unx_marshal, 230 .crmarshal = unx_marshal, 239 .crwrap_req = rpcauth_wrap_req_enc 231 .crwrap_req = rpcauth_wrap_req_encode, 240 .crrefresh = unx_refresh, 232 .crrefresh = unx_refresh, 241 .crvalidate = unx_validate, 233 .crvalidate = unx_validate, 242 .crunwrap_resp = rpcauth_unwrap_resp_ 234 .crunwrap_resp = rpcauth_unwrap_resp_decode, 243 }; 235 }; 244 236
Linux® is a registered trademark of Linus Torvalds in the United States and other countries.
TOMOYO® is a registered trademark of NTT DATA CORPORATION.