net/sunrpc/auth.c

   1 /*
   2  * linux/net/sunrpc/auth.c
   3  *
   4  * Generic RPC client authentication API.
   5  *
   6  * Copyright (C) 1996, Olaf Kirch <okir@monad.swb.de>
   7  */
   8
   9 #include <linux/types.h>
  10 #include <linux/sched.h>
  11 #include <linux/module.h>
  12 #include <linux/slab.h>
  13 #include <linux/errno.h>
  14 #include <linux/socket.h>
  15 #include <linux/sunrpc/clnt.h>
  16 #include <linux/spinlock.h>
  17 #include <linux/vserver/xid.h>
  18
  19 #ifdef RPC_DEBUG
  20 # define RPCDBG_FACILITY        RPCDBG_AUTH
  21 #endif
  22
  23 static struct rpc_authops *     auth_flavors[RPC_AUTH_MAXFLAVOR] = {
  24         &authnull_ops,          /* AUTH_NULL */
  25         &authunix_ops,          /* AUTH_UNIX */
  26         NULL,                   /* others can be loadable modules */
  27 };
  28
  29 static u32
  30 pseudoflavor_to_flavor(u32 flavor) {
  31         if (flavor >= RPC_AUTH_MAXFLAVOR)
  32                 return RPC_AUTH_GSS;
  33         return flavor;
  34 }
  35
  36 int
  37 rpcauth_register(struct rpc_authops *ops)
  38 {
  39         rpc_authflavor_t flavor;
  40
  41         if ((flavor = ops->au_flavor) >= RPC_AUTH_MAXFLAVOR)
  42                 return -EINVAL;
  43         if (auth_flavors[flavor] != NULL)
  44                 return -EPERM;          /* what else? */
  45         auth_flavors[flavor] = ops;
  46         return 0;
  47 }
  48
  49 int
  50 rpcauth_unregister(struct rpc_authops *ops)
  51 {
  52         rpc_authflavor_t flavor;
  53
  54         if ((flavor = ops->au_flavor) >= RPC_AUTH_MAXFLAVOR)
  55                 return -EINVAL;
  56         if (auth_flavors[flavor] != ops)
  57                 return -EPERM;          /* what else? */
  58         auth_flavors[flavor] = NULL;
  59         return 0;
  60 }
  61
  62 struct rpc_auth *
  63 rpcauth_create(rpc_authflavor_t pseudoflavor, struct rpc_clnt *clnt)
  64 {
  65         struct rpc_auth         *auth;
  66         struct rpc_authops      *ops;
  67         u32                     flavor = pseudoflavor_to_flavor(pseudoflavor);
  68
  69         if (flavor >= RPC_AUTH_MAXFLAVOR || !(ops = auth_flavors[flavor]))
  70                 return NULL;
  71         auth = ops->create(clnt, pseudoflavor);
  72         if (!auth)
  73                 return NULL;
  74         if (clnt->cl_auth)
  75                 rpcauth_destroy(clnt->cl_auth);
  76         clnt->cl_auth = auth;
  77         return auth;
  78 }
  79
  80 void
  81 rpcauth_destroy(struct rpc_auth *auth)
  82 {
  83         if (!atomic_dec_and_test(&auth->au_count))
  84                 return;
  85         auth->au_ops->destroy(auth);
  86 }
  87
  88 static DEFINE_SPINLOCK(rpc_credcache_lock);
  89
  90 /*
  91  * Initialize RPC credential cache
  92  */
  93 int
  94 rpcauth_init_credcache(struct rpc_auth *auth, unsigned long expire)
  95 {
  96         struct rpc_cred_cache *new;
  97         int i;
  98
  99         new = (struct rpc_cred_cache *)kmalloc(sizeof(*new), GFP_KERNEL);
 100         if (!new)
 101                 return -ENOMEM;
 102         for (i = 0; i < RPC_CREDCACHE_NR; i++)
 103                 INIT_HLIST_HEAD(&new->hashtable[i]);
 104         new->expire = expire;
 105         new->nextgc = jiffies + (expire >> 1);
 106         auth->au_credcache = new;
 107         return 0;
 108 }
 109
 110 /*
 111  * Destroy a list of credentials
 112  */
 113 static inline
 114 void rpcauth_destroy_credlist(struct hlist_head *head)
 115 {
 116         struct rpc_cred *cred;
 117
 118         while (!hlist_empty(head)) {
 119                 cred = hlist_entry(head->first, struct rpc_cred, cr_hash);
 120                 hlist_del_init(&cred->cr_hash);
 121                 put_rpccred(cred);
 122         }
 123 }
 124
 125 /*
 126  * Clear the RPC credential cache, and delete those credentials
 127  * that are not referenced.
 128  */
 129 void
 130 rpcauth_free_credcache(struct rpc_auth *auth)
 131 {
 132         struct rpc_cred_cache *cache = auth->au_credcache;
 133         HLIST_HEAD(free);
 134         struct hlist_node *pos, *next;
 135         struct rpc_cred *cred;
 136         int             i;
 137
 138         spin_lock(&rpc_credcache_lock);
 139         for (i = 0; i < RPC_CREDCACHE_NR; i++) {
 140                 hlist_for_each_safe(pos, next, &cache->hashtable[i]) {
 141                         cred = hlist_entry(pos, struct rpc_cred, cr_hash);
 142                         __hlist_del(&cred->cr_hash);
 143                         hlist_add_head(&cred->cr_hash, &free);
 144                 }
 145         }
 146         spin_unlock(&rpc_credcache_lock);
 147         rpcauth_destroy_credlist(&free);
 148 }
 149
 150 static void
 151 rpcauth_prune_expired(struct rpc_auth *auth, struct rpc_cred *cred, struct hlist_head *free)
 152 {
 153         if (atomic_read(&cred->cr_count) != 1)
 154                return;
 155         if (time_after(jiffies, cred->cr_expire + auth->au_credcache->expire))
 156                 cred->cr_flags &= ~RPCAUTH_CRED_UPTODATE;
 157         if (!(cred->cr_flags & RPCAUTH_CRED_UPTODATE)) {
 158                 __hlist_del(&cred->cr_hash);
 159                 hlist_add_head(&cred->cr_hash, free);
 160         }
 161 }
 162
 163 /*
 164  * Remove stale credentials. Avoid sleeping inside the loop.
 165  */
 166 static void
 167 rpcauth_gc_credcache(struct rpc_auth *auth, struct hlist_head *free)
 168 {
 169         struct rpc_cred_cache *cache = auth->au_credcache;
 170         struct hlist_node *pos, *next;
 171         struct rpc_cred *cred;
 172         int             i;
 173
 174         dprintk("RPC: gc'ing RPC credentials for auth %p\n", auth);
 175         for (i = 0; i < RPC_CREDCACHE_NR; i++) {
 176                 hlist_for_each_safe(pos, next, &cache->hashtable[i]) {
 177                         cred = hlist_entry(pos, struct rpc_cred, cr_hash);
 178                         rpcauth_prune_expired(auth, cred, free);
 179                 }
 180         }
 181         cache->nextgc = jiffies + cache->expire;
 182 }
 183
 184 /*
 185  * Look up a process' credentials in the authentication cache
 186  */
 187 struct rpc_cred *
 188 rpcauth_lookup_credcache(struct rpc_auth *auth, struct auth_cred * acred,
 189                 int taskflags)
 190 {
 191         struct rpc_cred_cache *cache = auth->au_credcache;
 192         HLIST_HEAD(free);
 193         struct hlist_node *pos, *next;
 194         struct rpc_cred *new = NULL,
 195                         *cred = NULL;
 196         int             nr = 0;
 197
 198         if (!(taskflags & RPC_TASK_ROOTCREDS))
 199                 nr = acred->uid & RPC_CREDCACHE_MASK;
 200 retry:
 201         spin_lock(&rpc_credcache_lock);
 202         if (time_before(cache->nextgc, jiffies))
 203                 rpcauth_gc_credcache(auth, &free);
 204         hlist_for_each_safe(pos, next, &cache->hashtable[nr]) {
 205                 struct rpc_cred *entry;
 206                 entry = hlist_entry(pos, struct rpc_cred, cr_hash);
 207                 if (entry->cr_ops->crmatch(acred, entry, taskflags)) {
 208                         hlist_del(&entry->cr_hash);
 209                         cred = entry;
 210                         break;
 211                 }
 212                 rpcauth_prune_expired(auth, entry, &free);
 213         }
 214         if (new) {
 215                 if (cred)
 216                         hlist_add_head(&new->cr_hash, &free);
 217                 else
 218                         cred = new;
 219         }
 220         if (cred) {
 221                 hlist_add_head(&cred->cr_hash, &cache->hashtable[nr]);
 222                 get_rpccred(cred);
 223         }
 224         spin_unlock(&rpc_credcache_lock);
 225
 226         rpcauth_destroy_credlist(&free);
 227
 228         if (!cred) {
 229                 new = auth->au_ops->crcreate(auth, acred, taskflags);
 230                 if (!IS_ERR(new)) {
 231 #ifdef RPC_DEBUG
 232                         new->cr_magic = RPCAUTH_CRED_MAGIC;
 233 #endif
 234                         goto retry;
 235                 } else
 236                         cred = new;
 237         }
 238
 239         return (struct rpc_cred *) cred;
 240 }
 241
 242 struct rpc_cred *
 243 rpcauth_lookupcred(struct rpc_auth *auth, int taskflags)
 244 {
 245         struct auth_cred acred = {
 246                 .uid = current->fsuid,
 247                 .gid = current->fsgid,
 248                 .xid = vx_current_xid(),
 249                 .group_info = current->group_info,
 250         };
 251         struct rpc_cred *ret;
 252
 253         dprintk("RPC:     looking up %s cred\n",
 254                 auth->au_ops->au_name);
 255         get_group_info(acred.group_info);
 256         ret = auth->au_ops->lookup_cred(auth, &acred, taskflags);
 257         put_group_info(acred.group_info);
 258         return ret;
 259 }
 260
 261 struct rpc_cred *
 262 rpcauth_bindcred(struct rpc_task *task)
 263 {
 264         struct rpc_auth *auth = task->tk_auth;
 265         struct auth_cred acred = {
 266                 .uid = current->fsuid,
 267                 .gid = current->fsgid,
 268                 .xid = vx_current_xid(),
 269                 .group_info = current->group_info,
 270         };
 271         struct rpc_cred *ret;
 272
 273         dprintk("RPC: %4d looking up %s cred\n",
 274                 task->tk_pid, task->tk_auth->au_ops->au_name);
 275         get_group_info(acred.group_info);
 276         ret = auth->au_ops->lookup_cred(auth, &acred, task->tk_flags);
 277         if (!IS_ERR(ret))
 278                 task->tk_msg.rpc_cred = ret;
 279         else
 280                 task->tk_status = PTR_ERR(ret);
 281         put_group_info(acred.group_info);
 282         return ret;
 283 }
 284
 285 void
 286 rpcauth_holdcred(struct rpc_task *task)
 287 {
 288         dprintk("RPC: %4d holding %s cred %p\n",
 289                 task->tk_pid, task->tk_auth->au_ops->au_name, task->tk_msg.rpc_cred);
 290         if (task->tk_msg.rpc_cred)
 291                 get_rpccred(task->tk_msg.rpc_cred);
 292 }
 293
 294 void
 295 put_rpccred(struct rpc_cred *cred)
 296 {
 297         cred->cr_expire = jiffies;
 298         if (!atomic_dec_and_test(&cred->cr_count))
 299                 return;
 300         cred->cr_ops->crdestroy(cred);
 301 }
 302
 303 void
 304 rpcauth_unbindcred(struct rpc_task *task)
 305 {
 306         struct rpc_auth *auth = task->tk_auth;
 307         struct rpc_cred *cred = task->tk_msg.rpc_cred;
 308
 309         dprintk("RPC: %4d releasing %s cred %p\n",
 310                 task->tk_pid, auth->au_ops->au_name, cred);
 311
 312         put_rpccred(cred);
 313         task->tk_msg.rpc_cred = NULL;
 314 }
 315
 316 u32 *
 317 rpcauth_marshcred(struct rpc_task *task, u32 *p)
 318 {
 319         struct rpc_auth *auth = task->tk_auth;
 320         struct rpc_cred *cred = task->tk_msg.rpc_cred;
 321
 322         dprintk("RPC: %4d marshaling %s cred %p\n",
 323                 task->tk_pid, auth->au_ops->au_name, cred);
 324         return cred->cr_ops->crmarshal(task, p);
 325 }
 326
 327 u32 *
 328 rpcauth_checkverf(struct rpc_task *task, u32 *p)
 329 {
 330         struct rpc_auth *auth = task->tk_auth;
 331         struct rpc_cred *cred = task->tk_msg.rpc_cred;
 332
 333         dprintk("RPC: %4d validating %s cred %p\n",
 334                 task->tk_pid, auth->au_ops->au_name, cred);
 335         return cred->cr_ops->crvalidate(task, p);
 336 }
 337
 338 int
 339 rpcauth_wrap_req(struct rpc_task *task, kxdrproc_t encode, void *rqstp,
 340                 u32 *data, void *obj)
 341 {
 342         struct rpc_cred *cred = task->tk_msg.rpc_cred;
 343
 344         dprintk("RPC: %4d using %s cred %p to wrap rpc data\n",
 345                         task->tk_pid, cred->cr_ops->cr_name, cred);
 346         if (cred->cr_ops->crwrap_req)
 347                 return cred->cr_ops->crwrap_req(task, encode, rqstp, data, obj);
 348         /* By default, we encode the arguments normally. */
 349         return encode(rqstp, data, obj);
 350 }
 351
 352 int
 353 rpcauth_unwrap_resp(struct rpc_task *task, kxdrproc_t decode, void *rqstp,
 354                 u32 *data, void *obj)
 355 {
 356         struct rpc_cred *cred = task->tk_msg.rpc_cred;
 357
 358         dprintk("RPC: %4d using %s cred %p to unwrap rpc data\n",
 359                         task->tk_pid, cred->cr_ops->cr_name, cred);
 360         if (cred->cr_ops->crunwrap_resp)
 361                 return cred->cr_ops->crunwrap_resp(task, decode, rqstp,
 362                                                    data, obj);
 363         /* By default, we decode the arguments normally. */
 364         return decode(rqstp, data, obj);
 365 }
 366
 367 int
 368 rpcauth_refreshcred(struct rpc_task *task)
 369 {
 370         struct rpc_auth *auth = task->tk_auth;
 371         struct rpc_cred *cred = task->tk_msg.rpc_cred;
 372         int err;
 373
 374         dprintk("RPC: %4d refreshing %s cred %p\n",
 375                 task->tk_pid, auth->au_ops->au_name, cred);
 376         err = cred->cr_ops->crrefresh(task);
 377         if (err < 0)
 378                 task->tk_status = err;
 379         return err;
 380 }
 381
 382 void
 383 rpcauth_invalcred(struct rpc_task *task)
 384 {
 385         dprintk("RPC: %4d invalidating %s cred %p\n",
 386                 task->tk_pid, task->tk_auth->au_ops->au_name, task->tk_msg.rpc_cred);
 387         spin_lock(&rpc_credcache_lock);
 388         if (task->tk_msg.rpc_cred)
 389                 task->tk_msg.rpc_cred->cr_flags &= ~RPCAUTH_CRED_UPTODATE;
 390         spin_unlock(&rpc_credcache_lock);
 391 }
 392
 393 int
 394 rpcauth_uptodatecred(struct rpc_task *task)
 395 {
 396         return !(task->tk_msg.rpc_cred) ||
 397                 (task->tk_msg.rpc_cred->cr_flags & RPCAUTH_CRED_UPTODATE);
 398 }