Blame - src/kernel/linux/v4.19/net/sunrpc/auth_unix.c - T800

blob: 185e56d4f9aee4da149dc73556ae0e35abed4424 [file] [log] [blame]

xj	b04a402	2021-11-25 15:01:52 +0800	[diff] [blame]	1	// SPDX-License-Identifier: GPL-2.0
				2	/*
				3	* linux/net/sunrpc/auth_unix.c
				4	*
				5	* UNIX-style authentication; no AUTH_SHORT support
				6	*
				7	* Copyright (C) 1996, Olaf Kirch <okir@monad.swb.de>
				8	*/
				9
				10	#include <linux/slab.h>
				11	#include <linux/types.h>
				12	#include <linux/sched.h>
				13	#include <linux/module.h>
				14	#include <linux/sunrpc/clnt.h>
				15	#include <linux/sunrpc/auth.h>
				16	#include <linux/user_namespace.h>
				17
				18	struct unx_cred {
				19	struct rpc_cred uc_base;
				20	kgid_t uc_gid;
				21	kgid_t uc_gids[UNX_NGROUPS];
				22	};
				23	#define uc_uid uc_base.cr_uid
				24
				25	#if IS_ENABLED(CONFIG_SUNRPC_DEBUG)
				26	# define RPCDBG_FACILITY RPCDBG_AUTH
				27	#endif
				28
				29	static struct rpc_auth unix_auth;
				30	static const struct rpc_credops unix_credops;
				31
				32	static struct rpc_auth *
				33	unx_create(const struct rpc_auth_create_args args, struct rpc_clnt clnt)
				34	{
				35	dprintk("RPC: creating UNIX authenticator for client %p\n",
				36	clnt);
				37	atomic_inc(&unix_auth.au_count);
				38	return &unix_auth;
				39	}
				40
				41	static void
				42	unx_destroy(struct rpc_auth *auth)
				43	{
				44	dprintk("RPC: destroying UNIX authenticator %p\n", auth);
				45	rpcauth_clear_credcache(auth->au_credcache);
				46	}
				47
				48	static int
				49	unx_hash_cred(struct auth_cred *acred, unsigned int hashbits)
				50	{
				51	return hash_64(from_kgid(&init_user_ns, acred->gid) \|
				52	((u64)from_kuid(&init_user_ns, acred->uid) <<
				53	(sizeof(gid_t) * 8)), hashbits);
				54	}
				55
				56	/*
				57	* Lookup AUTH_UNIX creds for current process
				58	*/
				59	static struct rpc_cred *
				60	unx_lookup_cred(struct rpc_auth auth, struct auth_cred acred, int flags)
				61	{
				62	return rpcauth_lookup_credcache(auth, acred, flags, GFP_NOFS);
				63	}
				64
				65	static struct rpc_cred *
				66	unx_create_cred(struct rpc_auth auth, struct auth_cred acred, int flags, gfp_t gfp)
				67	{
				68	struct unx_cred *cred;
				69	unsigned int groups = 0;
				70	unsigned int i;
				71
				72	dprintk("RPC: allocating UNIX cred for uid %d gid %d\n",
				73	from_kuid(&init_user_ns, acred->uid),
				74	from_kgid(&init_user_ns, acred->gid));
				75
				76	if (!(cred = kmalloc(sizeof(*cred), gfp)))
				77	return ERR_PTR(-ENOMEM);
				78
				79	rpcauth_init_cred(&cred->uc_base, acred, auth, &unix_credops);
				80	cred->uc_base.cr_flags = 1UL << RPCAUTH_CRED_UPTODATE;
				81
				82	if (acred->group_info != NULL)
				83	groups = acred->group_info->ngroups;
				84	if (groups > UNX_NGROUPS)
				85	groups = UNX_NGROUPS;
				86
				87	cred->uc_gid = acred->gid;
				88	for (i = 0; i < groups; i++)
				89	cred->uc_gids[i] = acred->group_info->gid[i];
				90	if (i < UNX_NGROUPS)
				91	cred->uc_gids[i] = INVALID_GID;
				92
				93	return &cred->uc_base;
				94	}
				95
				96	static void
				97	unx_free_cred(struct unx_cred *unx_cred)
				98	{
				99	dprintk("RPC: unx_free_cred %p\n", unx_cred);
				100	kfree(unx_cred);
				101	}
				102
				103	static void
				104	unx_free_cred_callback(struct rcu_head *head)
				105	{
				106	struct unx_cred *unx_cred = container_of(head, struct unx_cred, uc_base.cr_rcu);
				107	unx_free_cred(unx_cred);
				108	}
				109
				110	static void
				111	unx_destroy_cred(struct rpc_cred *cred)
				112	{
				113	call_rcu(&cred->cr_rcu, unx_free_cred_callback);
				114	}
				115
				116	/*
				117	* Match credentials against current process creds.
				118	* The root_override argument takes care of cases where the caller may
				119	* request root creds (e.g. for NFS swapping).
				120	*/
				121	static int
				122	unx_match(struct auth_cred acred, struct rpc_cred rcred, int flags)
				123	{
				124	struct unx_cred *cred = container_of(rcred, struct unx_cred, uc_base);
				125	unsigned int groups = 0;
				126	unsigned int i;
				127
				128
				129	if (!uid_eq(cred->uc_uid, acred->uid) \|\| !gid_eq(cred->uc_gid, acred->gid))
				130	return 0;
				131
				132	if (acred->group_info != NULL)
				133	groups = acred->group_info->ngroups;
				134	if (groups > UNX_NGROUPS)
				135	groups = UNX_NGROUPS;
				136	for (i = 0; i < groups ; i++)
				137	if (!gid_eq(cred->uc_gids[i], acred->group_info->gid[i]))
				138	return 0;
				139	if (groups < UNX_NGROUPS && gid_valid(cred->uc_gids[groups]))
				140	return 0;
				141	return 1;
				142	}
				143
				144	/*
				145	* Marshal credentials.
				146	* Maybe we should keep a cached credential for performance reasons.
				147	*/
				148	static __be32 *
				149	unx_marshal(struct rpc_task task, __be32 p)
				150	{
				151	struct rpc_clnt *clnt = task->tk_client;
				152	struct unx_cred *cred = container_of(task->tk_rqstp->rq_cred, struct unx_cred, uc_base);
				153	__be32 base, hold;
				154	int i;
				155
				156	*p++ = htonl(RPC_AUTH_UNIX);
				157	base = p++;
				158	*p++ = htonl(jiffies/HZ);
				159
				160	/*
				161	* Copy the UTS nodename captured when the client was created.
				162	*/
				163	p = xdr_encode_array(p, clnt->cl_nodename, clnt->cl_nodelen);
				164
				165	*p++ = htonl((u32) from_kuid(&init_user_ns, cred->uc_uid));
				166	*p++ = htonl((u32) from_kgid(&init_user_ns, cred->uc_gid));
				167	hold = p++;
				168	for (i = 0; i < UNX_NGROUPS && gid_valid(cred->uc_gids[i]); i++)
				169	*p++ = htonl((u32) from_kgid(&init_user_ns, cred->uc_gids[i]));
				170	hold = htonl(p - hold - 1); / gid array length */
				171	base = htonl((p - base - 1) << 2); / cred length */
				172
				173	*p++ = htonl(RPC_AUTH_NULL);
				174	*p++ = htonl(0);
				175
				176	return p;
				177	}
				178
				179	/*
				180	* Refresh credentials. This is a no-op for AUTH_UNIX
				181	*/
				182	static int
				183	unx_refresh(struct rpc_task *task)
				184	{
				185	set_bit(RPCAUTH_CRED_UPTODATE, &task->tk_rqstp->rq_cred->cr_flags);
				186	return 0;
				187	}
				188
				189	static __be32 *
				190	unx_validate(struct rpc_task task, __be32 p)
				191	{
				192	rpc_authflavor_t flavor;
				193	u32 size;
				194
				195	flavor = ntohl(*p++);
				196	if (flavor != RPC_AUTH_NULL &&
				197	flavor != RPC_AUTH_UNIX &&
				198	flavor != RPC_AUTH_SHORT) {
				199	printk("RPC: bad verf flavor: %u\n", flavor);
				200	return ERR_PTR(-EIO);
				201	}
				202
				203	size = ntohl(*p++);
				204	if (size > RPC_MAX_AUTH_SIZE) {
				205	printk("RPC: giant verf size: %u\n", size);
				206	return ERR_PTR(-EIO);
				207	}
				208	task->tk_rqstp->rq_cred->cr_auth->au_rslack = (size >> 2) + 2;
				209	p += (size >> 2);
				210
				211	return p;
				212	}
				213
				214	int __init rpc_init_authunix(void)
				215	{
				216	return rpcauth_init_credcache(&unix_auth);
				217	}
				218
				219	void rpc_destroy_authunix(void)
				220	{
				221	rpcauth_destroy_credcache(&unix_auth);
				222	}
				223
				224	const struct rpc_authops authunix_ops = {
				225	.owner = THIS_MODULE,
				226	.au_flavor = RPC_AUTH_UNIX,
				227	.au_name = "UNIX",
				228	.create = unx_create,
				229	.destroy = unx_destroy,
				230	.hash_cred = unx_hash_cred,
				231	.lookup_cred = unx_lookup_cred,
				232	.crcreate = unx_create_cred,
				233	};
				234
				235	static
				236	struct rpc_auth unix_auth = {
				237	.au_cslack = UNX_CALLSLACK,
				238	.au_rslack = NUL_REPLYSLACK,
				239	.au_flags = RPCAUTH_AUTH_NO_CRKEY_TIMEOUT,
				240	.au_ops = &authunix_ops,
				241	.au_flavor = RPC_AUTH_UNIX,
				242	.au_count = ATOMIC_INIT(0),
				243	};
				244
				245	static
				246	const struct rpc_credops unix_credops = {
				247	.cr_name = "AUTH_UNIX",
				248	.crdestroy = unx_destroy_cred,
				249	.crbind = rpcauth_generic_bind_cred,
				250	.crmatch = unx_match,
				251	.crmarshal = unx_marshal,
				252	.crrefresh = unx_refresh,
				253	.crvalidate = unx_validate,
				254	};