1/* 2 * Generic RPC credential 3 * 4 * Copyright (C) 2008, Trond Myklebust <Trond.Myklebust@netapp.com> 5 */ 6 7#include <linux/err.h> 8#include <linux/slab.h> 9#include <linux/types.h> 10#include <linux/module.h> 11#include <linux/sched.h> 12#include <linux/sunrpc/auth.h> 13#include <linux/sunrpc/clnt.h> 14#include <linux/sunrpc/debug.h> 15#include <linux/sunrpc/sched.h> 16 17#if IS_ENABLED(CONFIG_SUNRPC_DEBUG) 18# define RPCDBG_FACILITY RPCDBG_AUTH 19#endif 20 21#define RPC_MACHINE_CRED_USERID GLOBAL_ROOT_UID 22#define RPC_MACHINE_CRED_GROUPID GLOBAL_ROOT_GID 23 24struct generic_cred { 25 struct rpc_cred gc_base; 26 struct auth_cred acred; 27}; 28 29static struct rpc_auth generic_auth; 30static const struct rpc_credops generic_credops; 31 32/* 33 * Public call interface 34 */ 35struct rpc_cred *rpc_lookup_cred(void) 36{ 37 return rpcauth_lookupcred(&generic_auth, 0); 38} 39EXPORT_SYMBOL_GPL(rpc_lookup_cred); 40 41struct rpc_cred *rpc_lookup_cred_nonblock(void) 42{ 43 return rpcauth_lookupcred(&generic_auth, RPCAUTH_LOOKUP_RCU); 44} 45EXPORT_SYMBOL_GPL(rpc_lookup_cred_nonblock); 46 47/* 48 * Public call interface for looking up machine creds. 49 */ 50struct rpc_cred *rpc_lookup_machine_cred(const char *service_name) 51{ 52 struct auth_cred acred = { 53 .uid = RPC_MACHINE_CRED_USERID, 54 .gid = RPC_MACHINE_CRED_GROUPID, 55 .principal = service_name, 56 .machine_cred = 1, 57 }; 58 59 dprintk("RPC: looking up machine cred for service %s\n", 60 service_name); 61 return generic_auth.au_ops->lookup_cred(&generic_auth, &acred, 0); 62} 63EXPORT_SYMBOL_GPL(rpc_lookup_machine_cred); 64 65static struct rpc_cred *generic_bind_cred(struct rpc_task *task, 66 struct rpc_cred *cred, int lookupflags) 67{ 68 struct rpc_auth *auth = task->tk_client->cl_auth; 69 struct auth_cred *acred = &container_of(cred, struct generic_cred, gc_base)->acred; 70 71 return auth->au_ops->lookup_cred(auth, acred, lookupflags); 72} 73 74/* 75 * Lookup generic creds for current process 76 */ 77static struct rpc_cred * 78generic_lookup_cred(struct rpc_auth *auth, struct auth_cred *acred, int flags) 79{ 80 return rpcauth_lookup_credcache(&generic_auth, acred, flags); 81} 82 83static struct rpc_cred * 84generic_create_cred(struct rpc_auth *auth, struct auth_cred *acred, int flags) 85{ 86 struct generic_cred *gcred; 87 88 gcred = kmalloc(sizeof(*gcred), GFP_KERNEL); 89 if (gcred == NULL) 90 return ERR_PTR(-ENOMEM); 91 92 rpcauth_init_cred(&gcred->gc_base, acred, &generic_auth, &generic_credops); 93 gcred->gc_base.cr_flags = 1UL << RPCAUTH_CRED_UPTODATE; 94 95 gcred->acred.uid = acred->uid; 96 gcred->acred.gid = acred->gid; 97 gcred->acred.group_info = acred->group_info; 98 gcred->acred.ac_flags = 0; 99 if (gcred->acred.group_info != NULL) 100 get_group_info(gcred->acred.group_info); 101 gcred->acred.machine_cred = acred->machine_cred; 102 gcred->acred.principal = acred->principal; 103 104 dprintk("RPC: allocated %s cred %p for uid %d gid %d\n", 105 gcred->acred.machine_cred ? "machine" : "generic", 106 gcred, 107 from_kuid(&init_user_ns, acred->uid), 108 from_kgid(&init_user_ns, acred->gid)); 109 return &gcred->gc_base; 110} 111 112static void 113generic_free_cred(struct rpc_cred *cred) 114{ 115 struct generic_cred *gcred = container_of(cred, struct generic_cred, gc_base); 116 117 dprintk("RPC: generic_free_cred %p\n", gcred); 118 if (gcred->acred.group_info != NULL) 119 put_group_info(gcred->acred.group_info); 120 kfree(gcred); 121} 122 123static void 124generic_free_cred_callback(struct rcu_head *head) 125{ 126 struct rpc_cred *cred = container_of(head, struct rpc_cred, cr_rcu); 127 generic_free_cred(cred); 128} 129 130static void 131generic_destroy_cred(struct rpc_cred *cred) 132{ 133 call_rcu(&cred->cr_rcu, generic_free_cred_callback); 134} 135 136static int 137machine_cred_match(struct auth_cred *acred, struct generic_cred *gcred, int flags) 138{ 139 if (!gcred->acred.machine_cred || 140 gcred->acred.principal != acred->principal || 141 !uid_eq(gcred->acred.uid, acred->uid) || 142 !gid_eq(gcred->acred.gid, acred->gid)) 143 return 0; 144 return 1; 145} 146 147/* 148 * Match credentials against current process creds. 149 */ 150static int 151generic_match(struct auth_cred *acred, struct rpc_cred *cred, int flags) 152{ 153 struct generic_cred *gcred = container_of(cred, struct generic_cred, gc_base); 154 int i; 155 156 if (acred->machine_cred) 157 return machine_cred_match(acred, gcred, flags); 158 159 if (!uid_eq(gcred->acred.uid, acred->uid) || 160 !gid_eq(gcred->acred.gid, acred->gid) || 161 gcred->acred.machine_cred != 0) 162 goto out_nomatch; 163 164 /* Optimisation in the case where pointers are identical... */ 165 if (gcred->acred.group_info == acred->group_info) 166 goto out_match; 167 168 /* Slow path... */ 169 if (gcred->acred.group_info->ngroups != acred->group_info->ngroups) 170 goto out_nomatch; 171 for (i = 0; i < gcred->acred.group_info->ngroups; i++) { 172 if (!gid_eq(GROUP_AT(gcred->acred.group_info, i), 173 GROUP_AT(acred->group_info, i))) 174 goto out_nomatch; 175 } 176out_match: 177 return 1; 178out_nomatch: 179 return 0; 180} 181 182int __init rpc_init_generic_auth(void) 183{ 184 return rpcauth_init_credcache(&generic_auth); 185} 186 187void rpc_destroy_generic_auth(void) 188{ 189 rpcauth_destroy_credcache(&generic_auth); 190} 191 192/* 193 * Test the the current time (now) against the underlying credential key expiry 194 * minus a timeout and setup notification. 195 * 196 * The normal case: 197 * If 'now' is before the key expiry minus RPC_KEY_EXPIRE_TIMEO, set 198 * the RPC_CRED_NOTIFY_TIMEOUT flag to setup the underlying credential 199 * rpc_credops crmatch routine to notify this generic cred when it's key 200 * expiration is within RPC_KEY_EXPIRE_TIMEO, and return 0. 201 * 202 * The error case: 203 * If the underlying cred lookup fails, return -EACCES. 204 * 205 * The 'almost' error case: 206 * If 'now' is within key expiry minus RPC_KEY_EXPIRE_TIMEO, but not within 207 * key expiry minus RPC_KEY_EXPIRE_FAIL, set the RPC_CRED_EXPIRE_SOON bit 208 * on the acred ac_flags and return 0. 209 */ 210static int 211generic_key_timeout(struct rpc_auth *auth, struct rpc_cred *cred) 212{ 213 struct auth_cred *acred = &container_of(cred, struct generic_cred, 214 gc_base)->acred; 215 struct rpc_cred *tcred; 216 int ret = 0; 217 218 219 /* Fast track for non crkey_timeout (no key) underlying credentials */ 220 if (test_bit(RPC_CRED_NO_CRKEY_TIMEOUT, &acred->ac_flags)) 221 return 0; 222 223 /* Fast track for the normal case */ 224 if (test_bit(RPC_CRED_NOTIFY_TIMEOUT, &acred->ac_flags)) 225 return 0; 226 227 /* lookup_cred either returns a valid referenced rpc_cred, or PTR_ERR */ 228 tcred = auth->au_ops->lookup_cred(auth, acred, 0); 229 if (IS_ERR(tcred)) 230 return -EACCES; 231 232 if (!tcred->cr_ops->crkey_timeout) { 233 set_bit(RPC_CRED_NO_CRKEY_TIMEOUT, &acred->ac_flags); 234 ret = 0; 235 goto out_put; 236 } 237 238 /* Test for the almost error case */ 239 ret = tcred->cr_ops->crkey_timeout(tcred); 240 if (ret != 0) { 241 set_bit(RPC_CRED_KEY_EXPIRE_SOON, &acred->ac_flags); 242 ret = 0; 243 } else { 244 /* In case underlying cred key has been reset */ 245 if (test_and_clear_bit(RPC_CRED_KEY_EXPIRE_SOON, 246 &acred->ac_flags)) 247 dprintk("RPC: UID %d Credential key reset\n", 248 from_kuid(&init_user_ns, tcred->cr_uid)); 249 /* set up fasttrack for the normal case */ 250 set_bit(RPC_CRED_NOTIFY_TIMEOUT, &acred->ac_flags); 251 } 252 253out_put: 254 put_rpccred(tcred); 255 return ret; 256} 257 258static const struct rpc_authops generic_auth_ops = { 259 .owner = THIS_MODULE, 260 .au_name = "Generic", 261 .lookup_cred = generic_lookup_cred, 262 .crcreate = generic_create_cred, 263 .key_timeout = generic_key_timeout, 264}; 265 266static struct rpc_auth generic_auth = { 267 .au_ops = &generic_auth_ops, 268 .au_count = ATOMIC_INIT(0), 269}; 270 271static bool generic_key_to_expire(struct rpc_cred *cred) 272{ 273 struct auth_cred *acred = &container_of(cred, struct generic_cred, 274 gc_base)->acred; 275 bool ret; 276 277 get_rpccred(cred); 278 ret = test_bit(RPC_CRED_KEY_EXPIRE_SOON, &acred->ac_flags); 279 put_rpccred(cred); 280 281 return ret; 282} 283 284static const struct rpc_credops generic_credops = { 285 .cr_name = "Generic cred", 286 .crdestroy = generic_destroy_cred, 287 .crbind = generic_bind_cred, 288 .crmatch = generic_match, 289 .crkey_to_expire = generic_key_to_expire, 290}; 291