auth.c 21 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664665666667668669670671672673674675676677678679680681682683684685686687688689690691692693694695696697698699700701702703704705706707708709710711712713714715716717718719720721722723724725726727728729730731732733734735736737738739740741742743744745746747748749750751752753754755756757758759760761762763764765766767768769770771772773774775776777778779780781782783784785786787788789790791792793794795796797798799800801802803804805806807808809810811812813814815816817818819820821822823824825826827828829830831832833834835836837838839840841842843844845846847848849850851852853854855856857858859860861862863864865866867868869870871872873874875876877878879880881882883884885886887888889890891892893894895896897
  1. /*
  2. * linux/net/sunrpc/auth.c
  3. *
  4. * Generic RPC client authentication API.
  5. *
  6. * Copyright (C) 1996, Olaf Kirch <okir@monad.swb.de>
  7. */
  8. #include <linux/types.h>
  9. #include <linux/sched.h>
  10. #include <linux/cred.h>
  11. #include <linux/module.h>
  12. #include <linux/slab.h>
  13. #include <linux/errno.h>
  14. #include <linux/hash.h>
  15. #include <linux/sunrpc/clnt.h>
  16. #include <linux/sunrpc/gss_api.h>
  17. #include <linux/spinlock.h>
  18. #if IS_ENABLED(CONFIG_SUNRPC_DEBUG)
  19. # define RPCDBG_FACILITY RPCDBG_AUTH
  20. #endif
  21. #define RPC_CREDCACHE_DEFAULT_HASHBITS (4)
  22. struct rpc_cred_cache {
  23. struct hlist_head *hashtable;
  24. unsigned int hashbits;
  25. spinlock_t lock;
  26. };
  27. static unsigned int auth_hashbits = RPC_CREDCACHE_DEFAULT_HASHBITS;
  28. static DEFINE_SPINLOCK(rpc_authflavor_lock);
  29. static const struct rpc_authops *auth_flavors[RPC_AUTH_MAXFLAVOR] = {
  30. &authnull_ops, /* AUTH_NULL */
  31. &authunix_ops, /* AUTH_UNIX */
  32. NULL, /* others can be loadable modules */
  33. };
  34. static LIST_HEAD(cred_unused);
  35. static unsigned long number_cred_unused;
  36. #define MAX_HASHTABLE_BITS (14)
  37. static int param_set_hashtbl_sz(const char *val, const struct kernel_param *kp)
  38. {
  39. unsigned long num;
  40. unsigned int nbits;
  41. int ret;
  42. if (!val)
  43. goto out_inval;
  44. ret = kstrtoul(val, 0, &num);
  45. if (ret)
  46. goto out_inval;
  47. nbits = fls(num - 1);
  48. if (nbits > MAX_HASHTABLE_BITS || nbits < 2)
  49. goto out_inval;
  50. *(unsigned int *)kp->arg = nbits;
  51. return 0;
  52. out_inval:
  53. return -EINVAL;
  54. }
  55. static int param_get_hashtbl_sz(char *buffer, const struct kernel_param *kp)
  56. {
  57. unsigned int nbits;
  58. nbits = *(unsigned int *)kp->arg;
  59. return sprintf(buffer, "%u", 1U << nbits);
  60. }
  61. #define param_check_hashtbl_sz(name, p) __param_check(name, p, unsigned int);
  62. static const struct kernel_param_ops param_ops_hashtbl_sz = {
  63. .set = param_set_hashtbl_sz,
  64. .get = param_get_hashtbl_sz,
  65. };
  66. module_param_named(auth_hashtable_size, auth_hashbits, hashtbl_sz, 0644);
  67. MODULE_PARM_DESC(auth_hashtable_size, "RPC credential cache hashtable size");
  68. static unsigned long auth_max_cred_cachesize = ULONG_MAX;
  69. module_param(auth_max_cred_cachesize, ulong, 0644);
  70. MODULE_PARM_DESC(auth_max_cred_cachesize, "RPC credential maximum total cache size");
  71. static u32
  72. pseudoflavor_to_flavor(u32 flavor) {
  73. if (flavor > RPC_AUTH_MAXFLAVOR)
  74. return RPC_AUTH_GSS;
  75. return flavor;
  76. }
  77. int
  78. rpcauth_register(const struct rpc_authops *ops)
  79. {
  80. rpc_authflavor_t flavor;
  81. int ret = -EPERM;
  82. if ((flavor = ops->au_flavor) >= RPC_AUTH_MAXFLAVOR)
  83. return -EINVAL;
  84. spin_lock(&rpc_authflavor_lock);
  85. if (auth_flavors[flavor] == NULL) {
  86. auth_flavors[flavor] = ops;
  87. ret = 0;
  88. }
  89. spin_unlock(&rpc_authflavor_lock);
  90. return ret;
  91. }
  92. EXPORT_SYMBOL_GPL(rpcauth_register);
  93. int
  94. rpcauth_unregister(const struct rpc_authops *ops)
  95. {
  96. rpc_authflavor_t flavor;
  97. int ret = -EPERM;
  98. if ((flavor = ops->au_flavor) >= RPC_AUTH_MAXFLAVOR)
  99. return -EINVAL;
  100. spin_lock(&rpc_authflavor_lock);
  101. if (auth_flavors[flavor] == ops) {
  102. auth_flavors[flavor] = NULL;
  103. ret = 0;
  104. }
  105. spin_unlock(&rpc_authflavor_lock);
  106. return ret;
  107. }
  108. EXPORT_SYMBOL_GPL(rpcauth_unregister);
  109. /**
  110. * rpcauth_get_pseudoflavor - check if security flavor is supported
  111. * @flavor: a security flavor
  112. * @info: a GSS mech OID, quality of protection, and service value
  113. *
  114. * Verifies that an appropriate kernel module is available or already loaded.
  115. * Returns an equivalent pseudoflavor, or RPC_AUTH_MAXFLAVOR if "flavor" is
  116. * not supported locally.
  117. */
  118. rpc_authflavor_t
  119. rpcauth_get_pseudoflavor(rpc_authflavor_t flavor, struct rpcsec_gss_info *info)
  120. {
  121. const struct rpc_authops *ops;
  122. rpc_authflavor_t pseudoflavor;
  123. ops = auth_flavors[flavor];
  124. if (ops == NULL)
  125. request_module("rpc-auth-%u", flavor);
  126. spin_lock(&rpc_authflavor_lock);
  127. ops = auth_flavors[flavor];
  128. if (ops == NULL || !try_module_get(ops->owner)) {
  129. spin_unlock(&rpc_authflavor_lock);
  130. return RPC_AUTH_MAXFLAVOR;
  131. }
  132. spin_unlock(&rpc_authflavor_lock);
  133. pseudoflavor = flavor;
  134. if (ops->info2flavor != NULL)
  135. pseudoflavor = ops->info2flavor(info);
  136. module_put(ops->owner);
  137. return pseudoflavor;
  138. }
  139. EXPORT_SYMBOL_GPL(rpcauth_get_pseudoflavor);
  140. /**
  141. * rpcauth_get_gssinfo - find GSS tuple matching a GSS pseudoflavor
  142. * @pseudoflavor: GSS pseudoflavor to match
  143. * @info: rpcsec_gss_info structure to fill in
  144. *
  145. * Returns zero and fills in "info" if pseudoflavor matches a
  146. * supported mechanism.
  147. */
  148. int
  149. rpcauth_get_gssinfo(rpc_authflavor_t pseudoflavor, struct rpcsec_gss_info *info)
  150. {
  151. rpc_authflavor_t flavor = pseudoflavor_to_flavor(pseudoflavor);
  152. const struct rpc_authops *ops;
  153. int result;
  154. if (flavor >= RPC_AUTH_MAXFLAVOR)
  155. return -EINVAL;
  156. ops = auth_flavors[flavor];
  157. if (ops == NULL)
  158. request_module("rpc-auth-%u", flavor);
  159. spin_lock(&rpc_authflavor_lock);
  160. ops = auth_flavors[flavor];
  161. if (ops == NULL || !try_module_get(ops->owner)) {
  162. spin_unlock(&rpc_authflavor_lock);
  163. return -ENOENT;
  164. }
  165. spin_unlock(&rpc_authflavor_lock);
  166. result = -ENOENT;
  167. if (ops->flavor2info != NULL)
  168. result = ops->flavor2info(pseudoflavor, info);
  169. module_put(ops->owner);
  170. return result;
  171. }
  172. EXPORT_SYMBOL_GPL(rpcauth_get_gssinfo);
  173. /**
  174. * rpcauth_list_flavors - discover registered flavors and pseudoflavors
  175. * @array: array to fill in
  176. * @size: size of "array"
  177. *
  178. * Returns the number of array items filled in, or a negative errno.
  179. *
  180. * The returned array is not sorted by any policy. Callers should not
  181. * rely on the order of the items in the returned array.
  182. */
  183. int
  184. rpcauth_list_flavors(rpc_authflavor_t *array, int size)
  185. {
  186. rpc_authflavor_t flavor;
  187. int result = 0;
  188. spin_lock(&rpc_authflavor_lock);
  189. for (flavor = 0; flavor < RPC_AUTH_MAXFLAVOR; flavor++) {
  190. const struct rpc_authops *ops = auth_flavors[flavor];
  191. rpc_authflavor_t pseudos[4];
  192. int i, len;
  193. if (result >= size) {
  194. result = -ENOMEM;
  195. break;
  196. }
  197. if (ops == NULL)
  198. continue;
  199. if (ops->list_pseudoflavors == NULL) {
  200. array[result++] = ops->au_flavor;
  201. continue;
  202. }
  203. len = ops->list_pseudoflavors(pseudos, ARRAY_SIZE(pseudos));
  204. if (len < 0) {
  205. result = len;
  206. break;
  207. }
  208. for (i = 0; i < len; i++) {
  209. if (result >= size) {
  210. result = -ENOMEM;
  211. break;
  212. }
  213. array[result++] = pseudos[i];
  214. }
  215. }
  216. spin_unlock(&rpc_authflavor_lock);
  217. dprintk("RPC: %s returns %d\n", __func__, result);
  218. return result;
  219. }
  220. EXPORT_SYMBOL_GPL(rpcauth_list_flavors);
  221. struct rpc_auth *
  222. rpcauth_create(const struct rpc_auth_create_args *args, struct rpc_clnt *clnt)
  223. {
  224. struct rpc_auth *auth;
  225. const struct rpc_authops *ops;
  226. u32 flavor = pseudoflavor_to_flavor(args->pseudoflavor);
  227. auth = ERR_PTR(-EINVAL);
  228. if (flavor >= RPC_AUTH_MAXFLAVOR)
  229. goto out;
  230. if ((ops = auth_flavors[flavor]) == NULL)
  231. request_module("rpc-auth-%u", flavor);
  232. spin_lock(&rpc_authflavor_lock);
  233. ops = auth_flavors[flavor];
  234. if (ops == NULL || !try_module_get(ops->owner)) {
  235. spin_unlock(&rpc_authflavor_lock);
  236. goto out;
  237. }
  238. spin_unlock(&rpc_authflavor_lock);
  239. auth = ops->create(args, clnt);
  240. module_put(ops->owner);
  241. if (IS_ERR(auth))
  242. return auth;
  243. if (clnt->cl_auth)
  244. rpcauth_release(clnt->cl_auth);
  245. clnt->cl_auth = auth;
  246. out:
  247. return auth;
  248. }
  249. EXPORT_SYMBOL_GPL(rpcauth_create);
  250. void
  251. rpcauth_release(struct rpc_auth *auth)
  252. {
  253. if (!atomic_dec_and_test(&auth->au_count))
  254. return;
  255. auth->au_ops->destroy(auth);
  256. }
  257. static DEFINE_SPINLOCK(rpc_credcache_lock);
  258. static void
  259. rpcauth_unhash_cred_locked(struct rpc_cred *cred)
  260. {
  261. hlist_del_rcu(&cred->cr_hash);
  262. smp_mb__before_atomic();
  263. clear_bit(RPCAUTH_CRED_HASHED, &cred->cr_flags);
  264. }
  265. static int
  266. rpcauth_unhash_cred(struct rpc_cred *cred)
  267. {
  268. spinlock_t *cache_lock;
  269. int ret;
  270. cache_lock = &cred->cr_auth->au_credcache->lock;
  271. spin_lock(cache_lock);
  272. ret = atomic_read(&cred->cr_count) == 0;
  273. if (ret)
  274. rpcauth_unhash_cred_locked(cred);
  275. spin_unlock(cache_lock);
  276. return ret;
  277. }
  278. /*
  279. * Initialize RPC credential cache
  280. */
  281. int
  282. rpcauth_init_credcache(struct rpc_auth *auth)
  283. {
  284. struct rpc_cred_cache *new;
  285. unsigned int hashsize;
  286. new = kmalloc(sizeof(*new), GFP_KERNEL);
  287. if (!new)
  288. goto out_nocache;
  289. new->hashbits = auth_hashbits;
  290. hashsize = 1U << new->hashbits;
  291. new->hashtable = kcalloc(hashsize, sizeof(new->hashtable[0]), GFP_KERNEL);
  292. if (!new->hashtable)
  293. goto out_nohashtbl;
  294. spin_lock_init(&new->lock);
  295. auth->au_credcache = new;
  296. return 0;
  297. out_nohashtbl:
  298. kfree(new);
  299. out_nocache:
  300. return -ENOMEM;
  301. }
  302. EXPORT_SYMBOL_GPL(rpcauth_init_credcache);
  303. /*
  304. * Setup a credential key lifetime timeout notification
  305. */
  306. int
  307. rpcauth_key_timeout_notify(struct rpc_auth *auth, struct rpc_cred *cred)
  308. {
  309. if (!cred->cr_auth->au_ops->key_timeout)
  310. return 0;
  311. return cred->cr_auth->au_ops->key_timeout(auth, cred);
  312. }
  313. EXPORT_SYMBOL_GPL(rpcauth_key_timeout_notify);
  314. bool
  315. rpcauth_cred_key_to_expire(struct rpc_auth *auth, struct rpc_cred *cred)
  316. {
  317. if (auth->au_flags & RPCAUTH_AUTH_NO_CRKEY_TIMEOUT)
  318. return false;
  319. if (!cred->cr_ops->crkey_to_expire)
  320. return false;
  321. return cred->cr_ops->crkey_to_expire(cred);
  322. }
  323. EXPORT_SYMBOL_GPL(rpcauth_cred_key_to_expire);
  324. char *
  325. rpcauth_stringify_acceptor(struct rpc_cred *cred)
  326. {
  327. if (!cred->cr_ops->crstringify_acceptor)
  328. return NULL;
  329. return cred->cr_ops->crstringify_acceptor(cred);
  330. }
  331. EXPORT_SYMBOL_GPL(rpcauth_stringify_acceptor);
  332. /*
  333. * Destroy a list of credentials
  334. */
  335. static inline
  336. void rpcauth_destroy_credlist(struct list_head *head)
  337. {
  338. struct rpc_cred *cred;
  339. while (!list_empty(head)) {
  340. cred = list_entry(head->next, struct rpc_cred, cr_lru);
  341. list_del_init(&cred->cr_lru);
  342. put_rpccred(cred);
  343. }
  344. }
  345. /*
  346. * Clear the RPC credential cache, and delete those credentials
  347. * that are not referenced.
  348. */
  349. void
  350. rpcauth_clear_credcache(struct rpc_cred_cache *cache)
  351. {
  352. LIST_HEAD(free);
  353. struct hlist_head *head;
  354. struct rpc_cred *cred;
  355. unsigned int hashsize = 1U << cache->hashbits;
  356. int i;
  357. spin_lock(&rpc_credcache_lock);
  358. spin_lock(&cache->lock);
  359. for (i = 0; i < hashsize; i++) {
  360. head = &cache->hashtable[i];
  361. while (!hlist_empty(head)) {
  362. cred = hlist_entry(head->first, struct rpc_cred, cr_hash);
  363. get_rpccred(cred);
  364. if (!list_empty(&cred->cr_lru)) {
  365. list_del(&cred->cr_lru);
  366. number_cred_unused--;
  367. }
  368. list_add_tail(&cred->cr_lru, &free);
  369. rpcauth_unhash_cred_locked(cred);
  370. }
  371. }
  372. spin_unlock(&cache->lock);
  373. spin_unlock(&rpc_credcache_lock);
  374. rpcauth_destroy_credlist(&free);
  375. }
  376. /*
  377. * Destroy the RPC credential cache
  378. */
  379. void
  380. rpcauth_destroy_credcache(struct rpc_auth *auth)
  381. {
  382. struct rpc_cred_cache *cache = auth->au_credcache;
  383. if (cache) {
  384. auth->au_credcache = NULL;
  385. rpcauth_clear_credcache(cache);
  386. kfree(cache->hashtable);
  387. kfree(cache);
  388. }
  389. }
  390. EXPORT_SYMBOL_GPL(rpcauth_destroy_credcache);
  391. #define RPC_AUTH_EXPIRY_MORATORIUM (60 * HZ)
  392. /*
  393. * Remove stale credentials. Avoid sleeping inside the loop.
  394. */
  395. static long
  396. rpcauth_prune_expired(struct list_head *free, int nr_to_scan)
  397. {
  398. spinlock_t *cache_lock;
  399. struct rpc_cred *cred, *next;
  400. unsigned long expired = jiffies - RPC_AUTH_EXPIRY_MORATORIUM;
  401. long freed = 0;
  402. list_for_each_entry_safe(cred, next, &cred_unused, cr_lru) {
  403. if (nr_to_scan-- == 0)
  404. break;
  405. /*
  406. * Enforce a 60 second garbage collection moratorium
  407. * Note that the cred_unused list must be time-ordered.
  408. */
  409. if (time_in_range(cred->cr_expire, expired, jiffies) &&
  410. test_bit(RPCAUTH_CRED_HASHED, &cred->cr_flags) != 0) {
  411. freed = SHRINK_STOP;
  412. break;
  413. }
  414. list_del_init(&cred->cr_lru);
  415. number_cred_unused--;
  416. freed++;
  417. if (atomic_read(&cred->cr_count) != 0)
  418. continue;
  419. cache_lock = &cred->cr_auth->au_credcache->lock;
  420. spin_lock(cache_lock);
  421. if (atomic_read(&cred->cr_count) == 0) {
  422. get_rpccred(cred);
  423. list_add_tail(&cred->cr_lru, free);
  424. rpcauth_unhash_cred_locked(cred);
  425. }
  426. spin_unlock(cache_lock);
  427. }
  428. return freed;
  429. }
  430. static unsigned long
  431. rpcauth_cache_do_shrink(int nr_to_scan)
  432. {
  433. LIST_HEAD(free);
  434. unsigned long freed;
  435. spin_lock(&rpc_credcache_lock);
  436. freed = rpcauth_prune_expired(&free, nr_to_scan);
  437. spin_unlock(&rpc_credcache_lock);
  438. rpcauth_destroy_credlist(&free);
  439. return freed;
  440. }
  441. /*
  442. * Run memory cache shrinker.
  443. */
  444. static unsigned long
  445. rpcauth_cache_shrink_scan(struct shrinker *shrink, struct shrink_control *sc)
  446. {
  447. if ((sc->gfp_mask & GFP_KERNEL) != GFP_KERNEL)
  448. return SHRINK_STOP;
  449. /* nothing left, don't come back */
  450. if (list_empty(&cred_unused))
  451. return SHRINK_STOP;
  452. return rpcauth_cache_do_shrink(sc->nr_to_scan);
  453. }
  454. static unsigned long
  455. rpcauth_cache_shrink_count(struct shrinker *shrink, struct shrink_control *sc)
  456. {
  457. return number_cred_unused * sysctl_vfs_cache_pressure / 100;
  458. }
  459. static void
  460. rpcauth_cache_enforce_limit(void)
  461. {
  462. unsigned long diff;
  463. unsigned int nr_to_scan;
  464. if (number_cred_unused <= auth_max_cred_cachesize)
  465. return;
  466. diff = number_cred_unused - auth_max_cred_cachesize;
  467. nr_to_scan = 100;
  468. if (diff < nr_to_scan)
  469. nr_to_scan = diff;
  470. rpcauth_cache_do_shrink(nr_to_scan);
  471. }
  472. /*
  473. * Look up a process' credentials in the authentication cache
  474. */
  475. struct rpc_cred *
  476. rpcauth_lookup_credcache(struct rpc_auth *auth, struct auth_cred * acred,
  477. int flags, gfp_t gfp)
  478. {
  479. LIST_HEAD(free);
  480. struct rpc_cred_cache *cache = auth->au_credcache;
  481. struct rpc_cred *cred = NULL,
  482. *entry, *new;
  483. unsigned int nr;
  484. nr = auth->au_ops->hash_cred(acred, cache->hashbits);
  485. rcu_read_lock();
  486. hlist_for_each_entry_rcu(entry, &cache->hashtable[nr], cr_hash) {
  487. if (!entry->cr_ops->crmatch(acred, entry, flags))
  488. continue;
  489. if (flags & RPCAUTH_LOOKUP_RCU) {
  490. if (test_bit(RPCAUTH_CRED_HASHED, &entry->cr_flags) &&
  491. !test_bit(RPCAUTH_CRED_NEW, &entry->cr_flags))
  492. cred = entry;
  493. break;
  494. }
  495. spin_lock(&cache->lock);
  496. if (test_bit(RPCAUTH_CRED_HASHED, &entry->cr_flags) == 0) {
  497. spin_unlock(&cache->lock);
  498. continue;
  499. }
  500. cred = get_rpccred(entry);
  501. spin_unlock(&cache->lock);
  502. break;
  503. }
  504. rcu_read_unlock();
  505. if (cred != NULL)
  506. goto found;
  507. if (flags & RPCAUTH_LOOKUP_RCU)
  508. return ERR_PTR(-ECHILD);
  509. new = auth->au_ops->crcreate(auth, acred, flags, gfp);
  510. if (IS_ERR(new)) {
  511. cred = new;
  512. goto out;
  513. }
  514. spin_lock(&cache->lock);
  515. hlist_for_each_entry(entry, &cache->hashtable[nr], cr_hash) {
  516. if (!entry->cr_ops->crmatch(acred, entry, flags))
  517. continue;
  518. cred = get_rpccred(entry);
  519. break;
  520. }
  521. if (cred == NULL) {
  522. cred = new;
  523. set_bit(RPCAUTH_CRED_HASHED, &cred->cr_flags);
  524. hlist_add_head_rcu(&cred->cr_hash, &cache->hashtable[nr]);
  525. } else
  526. list_add_tail(&new->cr_lru, &free);
  527. spin_unlock(&cache->lock);
  528. rpcauth_cache_enforce_limit();
  529. found:
  530. if (test_bit(RPCAUTH_CRED_NEW, &cred->cr_flags) &&
  531. cred->cr_ops->cr_init != NULL &&
  532. !(flags & RPCAUTH_LOOKUP_NEW)) {
  533. int res = cred->cr_ops->cr_init(auth, cred);
  534. if (res < 0) {
  535. put_rpccred(cred);
  536. cred = ERR_PTR(res);
  537. }
  538. }
  539. rpcauth_destroy_credlist(&free);
  540. out:
  541. return cred;
  542. }
  543. EXPORT_SYMBOL_GPL(rpcauth_lookup_credcache);
  544. struct rpc_cred *
  545. rpcauth_lookupcred(struct rpc_auth *auth, int flags)
  546. {
  547. struct auth_cred acred;
  548. struct rpc_cred *ret;
  549. const struct cred *cred = current_cred();
  550. dprintk("RPC: looking up %s cred\n",
  551. auth->au_ops->au_name);
  552. memset(&acred, 0, sizeof(acred));
  553. acred.uid = cred->fsuid;
  554. acred.gid = cred->fsgid;
  555. acred.group_info = cred->group_info;
  556. ret = auth->au_ops->lookup_cred(auth, &acred, flags);
  557. return ret;
  558. }
  559. EXPORT_SYMBOL_GPL(rpcauth_lookupcred);
  560. void
  561. rpcauth_init_cred(struct rpc_cred *cred, const struct auth_cred *acred,
  562. struct rpc_auth *auth, const struct rpc_credops *ops)
  563. {
  564. INIT_HLIST_NODE(&cred->cr_hash);
  565. INIT_LIST_HEAD(&cred->cr_lru);
  566. atomic_set(&cred->cr_count, 1);
  567. cred->cr_auth = auth;
  568. cred->cr_ops = ops;
  569. cred->cr_expire = jiffies;
  570. cred->cr_uid = acred->uid;
  571. }
  572. EXPORT_SYMBOL_GPL(rpcauth_init_cred);
  573. struct rpc_cred *
  574. rpcauth_generic_bind_cred(struct rpc_task *task, struct rpc_cred *cred, int lookupflags)
  575. {
  576. dprintk("RPC: %5u holding %s cred %p\n", task->tk_pid,
  577. cred->cr_auth->au_ops->au_name, cred);
  578. return get_rpccred(cred);
  579. }
  580. EXPORT_SYMBOL_GPL(rpcauth_generic_bind_cred);
  581. static struct rpc_cred *
  582. rpcauth_bind_root_cred(struct rpc_task *task, int lookupflags)
  583. {
  584. struct rpc_auth *auth = task->tk_client->cl_auth;
  585. struct auth_cred acred = {
  586. .uid = GLOBAL_ROOT_UID,
  587. .gid = GLOBAL_ROOT_GID,
  588. };
  589. dprintk("RPC: %5u looking up %s cred\n",
  590. task->tk_pid, task->tk_client->cl_auth->au_ops->au_name);
  591. return auth->au_ops->lookup_cred(auth, &acred, lookupflags);
  592. }
  593. static struct rpc_cred *
  594. rpcauth_bind_new_cred(struct rpc_task *task, int lookupflags)
  595. {
  596. struct rpc_auth *auth = task->tk_client->cl_auth;
  597. dprintk("RPC: %5u looking up %s cred\n",
  598. task->tk_pid, auth->au_ops->au_name);
  599. return rpcauth_lookupcred(auth, lookupflags);
  600. }
  601. static int
  602. rpcauth_bindcred(struct rpc_task *task, struct rpc_cred *cred, int flags)
  603. {
  604. struct rpc_rqst *req = task->tk_rqstp;
  605. struct rpc_cred *new;
  606. int lookupflags = 0;
  607. if (flags & RPC_TASK_ASYNC)
  608. lookupflags |= RPCAUTH_LOOKUP_NEW;
  609. if (cred != NULL)
  610. new = cred->cr_ops->crbind(task, cred, lookupflags);
  611. else if (flags & RPC_TASK_ROOTCREDS)
  612. new = rpcauth_bind_root_cred(task, lookupflags);
  613. else
  614. new = rpcauth_bind_new_cred(task, lookupflags);
  615. if (IS_ERR(new))
  616. return PTR_ERR(new);
  617. put_rpccred(req->rq_cred);
  618. req->rq_cred = new;
  619. return 0;
  620. }
  621. void
  622. put_rpccred(struct rpc_cred *cred)
  623. {
  624. if (cred == NULL)
  625. return;
  626. /* Fast path for unhashed credentials */
  627. if (test_bit(RPCAUTH_CRED_HASHED, &cred->cr_flags) == 0) {
  628. if (atomic_dec_and_test(&cred->cr_count))
  629. cred->cr_ops->crdestroy(cred);
  630. return;
  631. }
  632. if (!atomic_dec_and_lock(&cred->cr_count, &rpc_credcache_lock))
  633. return;
  634. if (!list_empty(&cred->cr_lru)) {
  635. number_cred_unused--;
  636. list_del_init(&cred->cr_lru);
  637. }
  638. if (test_bit(RPCAUTH_CRED_HASHED, &cred->cr_flags) != 0) {
  639. if (test_bit(RPCAUTH_CRED_UPTODATE, &cred->cr_flags) != 0) {
  640. cred->cr_expire = jiffies;
  641. list_add_tail(&cred->cr_lru, &cred_unused);
  642. number_cred_unused++;
  643. goto out_nodestroy;
  644. }
  645. if (!rpcauth_unhash_cred(cred)) {
  646. /* We were hashed and someone looked us up... */
  647. goto out_nodestroy;
  648. }
  649. }
  650. spin_unlock(&rpc_credcache_lock);
  651. cred->cr_ops->crdestroy(cred);
  652. return;
  653. out_nodestroy:
  654. spin_unlock(&rpc_credcache_lock);
  655. }
  656. EXPORT_SYMBOL_GPL(put_rpccred);
  657. __be32 *
  658. rpcauth_marshcred(struct rpc_task *task, __be32 *p)
  659. {
  660. struct rpc_cred *cred = task->tk_rqstp->rq_cred;
  661. dprintk("RPC: %5u marshaling %s cred %p\n",
  662. task->tk_pid, cred->cr_auth->au_ops->au_name, cred);
  663. return cred->cr_ops->crmarshal(task, p);
  664. }
  665. __be32 *
  666. rpcauth_checkverf(struct rpc_task *task, __be32 *p)
  667. {
  668. struct rpc_cred *cred = task->tk_rqstp->rq_cred;
  669. dprintk("RPC: %5u validating %s cred %p\n",
  670. task->tk_pid, cred->cr_auth->au_ops->au_name, cred);
  671. return cred->cr_ops->crvalidate(task, p);
  672. }
  673. static void rpcauth_wrap_req_encode(kxdreproc_t encode, struct rpc_rqst *rqstp,
  674. __be32 *data, void *obj)
  675. {
  676. struct xdr_stream xdr;
  677. xdr_init_encode(&xdr, &rqstp->rq_snd_buf, data);
  678. encode(rqstp, &xdr, obj);
  679. }
  680. int
  681. rpcauth_wrap_req(struct rpc_task *task, kxdreproc_t encode, void *rqstp,
  682. __be32 *data, void *obj)
  683. {
  684. struct rpc_cred *cred = task->tk_rqstp->rq_cred;
  685. dprintk("RPC: %5u using %s cred %p to wrap rpc data\n",
  686. task->tk_pid, cred->cr_ops->cr_name, cred);
  687. if (cred->cr_ops->crwrap_req)
  688. return cred->cr_ops->crwrap_req(task, encode, rqstp, data, obj);
  689. /* By default, we encode the arguments normally. */
  690. rpcauth_wrap_req_encode(encode, rqstp, data, obj);
  691. return 0;
  692. }
  693. static int
  694. rpcauth_unwrap_req_decode(kxdrdproc_t decode, struct rpc_rqst *rqstp,
  695. __be32 *data, void *obj)
  696. {
  697. struct xdr_stream xdr;
  698. xdr_init_decode(&xdr, &rqstp->rq_rcv_buf, data);
  699. return decode(rqstp, &xdr, obj);
  700. }
  701. int
  702. rpcauth_unwrap_resp(struct rpc_task *task, kxdrdproc_t decode, void *rqstp,
  703. __be32 *data, void *obj)
  704. {
  705. struct rpc_cred *cred = task->tk_rqstp->rq_cred;
  706. dprintk("RPC: %5u using %s cred %p to unwrap rpc data\n",
  707. task->tk_pid, cred->cr_ops->cr_name, cred);
  708. if (cred->cr_ops->crunwrap_resp)
  709. return cred->cr_ops->crunwrap_resp(task, decode, rqstp,
  710. data, obj);
  711. /* By default, we decode the arguments normally. */
  712. return rpcauth_unwrap_req_decode(decode, rqstp, data, obj);
  713. }
  714. int
  715. rpcauth_refreshcred(struct rpc_task *task)
  716. {
  717. struct rpc_cred *cred;
  718. int err;
  719. cred = task->tk_rqstp->rq_cred;
  720. if (cred == NULL) {
  721. err = rpcauth_bindcred(task, task->tk_msg.rpc_cred, task->tk_flags);
  722. if (err < 0)
  723. goto out;
  724. cred = task->tk_rqstp->rq_cred;
  725. }
  726. dprintk("RPC: %5u refreshing %s cred %p\n",
  727. task->tk_pid, cred->cr_auth->au_ops->au_name, cred);
  728. err = cred->cr_ops->crrefresh(task);
  729. out:
  730. if (err < 0)
  731. task->tk_status = err;
  732. return err;
  733. }
  734. void
  735. rpcauth_invalcred(struct rpc_task *task)
  736. {
  737. struct rpc_cred *cred = task->tk_rqstp->rq_cred;
  738. dprintk("RPC: %5u invalidating %s cred %p\n",
  739. task->tk_pid, cred->cr_auth->au_ops->au_name, cred);
  740. if (cred)
  741. clear_bit(RPCAUTH_CRED_UPTODATE, &cred->cr_flags);
  742. }
  743. int
  744. rpcauth_uptodatecred(struct rpc_task *task)
  745. {
  746. struct rpc_cred *cred = task->tk_rqstp->rq_cred;
  747. return cred == NULL ||
  748. test_bit(RPCAUTH_CRED_UPTODATE, &cred->cr_flags) != 0;
  749. }
  750. static struct shrinker rpc_cred_shrinker = {
  751. .count_objects = rpcauth_cache_shrink_count,
  752. .scan_objects = rpcauth_cache_shrink_scan,
  753. .seeks = DEFAULT_SEEKS,
  754. };
  755. int __init rpcauth_init_module(void)
  756. {
  757. int err;
  758. err = rpc_init_authunix();
  759. if (err < 0)
  760. goto out1;
  761. err = rpc_init_generic_auth();
  762. if (err < 0)
  763. goto out2;
  764. err = register_shrinker(&rpc_cred_shrinker);
  765. if (err < 0)
  766. goto out3;
  767. return 0;
  768. out3:
  769. rpc_destroy_generic_auth();
  770. out2:
  771. rpc_destroy_authunix();
  772. out1:
  773. return err;
  774. }
  775. void rpcauth_remove_module(void)
  776. {
  777. rpc_destroy_authunix();
  778. rpc_destroy_generic_auth();
  779. unregister_shrinker(&rpc_cred_shrinker);
  780. }