forked from Qortal/Brooklyn
You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
235 lines
5.3 KiB
235 lines
5.3 KiB
// SPDX-License-Identifier: GPL-2.0 |
|
/* |
|
* linux/net/sunrpc/auth_unix.c |
|
* |
|
* UNIX-style authentication; no AUTH_SHORT support |
|
* |
|
* Copyright (C) 1996, Olaf Kirch <[email protected]> |
|
*/ |
|
|
|
#include <linux/slab.h> |
|
#include <linux/types.h> |
|
#include <linux/sched.h> |
|
#include <linux/module.h> |
|
#include <linux/mempool.h> |
|
#include <linux/sunrpc/clnt.h> |
|
#include <linux/sunrpc/auth.h> |
|
#include <linux/user_namespace.h> |
|
|
|
|
|
#if IS_ENABLED(CONFIG_SUNRPC_DEBUG) |
|
# define RPCDBG_FACILITY RPCDBG_AUTH |
|
#endif |
|
|
|
static struct rpc_auth unix_auth; |
|
static const struct rpc_credops unix_credops; |
|
static mempool_t *unix_pool; |
|
|
|
static struct rpc_auth * |
|
unx_create(const struct rpc_auth_create_args *args, struct rpc_clnt *clnt) |
|
{ |
|
refcount_inc(&unix_auth.au_count); |
|
return &unix_auth; |
|
} |
|
|
|
static void |
|
unx_destroy(struct rpc_auth *auth) |
|
{ |
|
} |
|
|
|
/* |
|
* Lookup AUTH_UNIX creds for current process |
|
*/ |
|
static struct rpc_cred * |
|
unx_lookup_cred(struct rpc_auth *auth, struct auth_cred *acred, int flags) |
|
{ |
|
struct rpc_cred *ret = mempool_alloc(unix_pool, GFP_NOFS); |
|
|
|
rpcauth_init_cred(ret, acred, auth, &unix_credops); |
|
ret->cr_flags = 1UL << RPCAUTH_CRED_UPTODATE; |
|
return ret; |
|
} |
|
|
|
static void |
|
unx_free_cred_callback(struct rcu_head *head) |
|
{ |
|
struct rpc_cred *rpc_cred = container_of(head, struct rpc_cred, cr_rcu); |
|
|
|
put_cred(rpc_cred->cr_cred); |
|
mempool_free(rpc_cred, unix_pool); |
|
} |
|
|
|
static void |
|
unx_destroy_cred(struct rpc_cred *cred) |
|
{ |
|
call_rcu(&cred->cr_rcu, unx_free_cred_callback); |
|
} |
|
|
|
/* |
|
* Match credentials against current the auth_cred. |
|
*/ |
|
static int |
|
unx_match(struct auth_cred *acred, struct rpc_cred *cred, int flags) |
|
{ |
|
unsigned int groups = 0; |
|
unsigned int i; |
|
|
|
if (cred->cr_cred == acred->cred) |
|
return 1; |
|
|
|
if (!uid_eq(cred->cr_cred->fsuid, acred->cred->fsuid) || !gid_eq(cred->cr_cred->fsgid, acred->cred->fsgid)) |
|
return 0; |
|
|
|
if (acred->cred->group_info != NULL) |
|
groups = acred->cred->group_info->ngroups; |
|
if (groups > UNX_NGROUPS) |
|
groups = UNX_NGROUPS; |
|
if (cred->cr_cred->group_info == NULL) |
|
return groups == 0; |
|
if (groups != cred->cr_cred->group_info->ngroups) |
|
return 0; |
|
|
|
for (i = 0; i < groups ; i++) |
|
if (!gid_eq(cred->cr_cred->group_info->gid[i], acred->cred->group_info->gid[i])) |
|
return 0; |
|
return 1; |
|
} |
|
|
|
/* |
|
* Marshal credentials. |
|
* Maybe we should keep a cached credential for performance reasons. |
|
*/ |
|
static int |
|
unx_marshal(struct rpc_task *task, struct xdr_stream *xdr) |
|
{ |
|
struct rpc_clnt *clnt = task->tk_client; |
|
struct rpc_cred *cred = task->tk_rqstp->rq_cred; |
|
__be32 *p, *cred_len, *gidarr_len; |
|
int i; |
|
struct group_info *gi = cred->cr_cred->group_info; |
|
struct user_namespace *userns = clnt->cl_cred ? |
|
clnt->cl_cred->user_ns : &init_user_ns; |
|
|
|
/* Credential */ |
|
|
|
p = xdr_reserve_space(xdr, 3 * sizeof(*p)); |
|
if (!p) |
|
goto marshal_failed; |
|
*p++ = rpc_auth_unix; |
|
cred_len = p++; |
|
*p++ = xdr_zero; /* stamp */ |
|
if (xdr_stream_encode_opaque(xdr, clnt->cl_nodename, |
|
clnt->cl_nodelen) < 0) |
|
goto marshal_failed; |
|
p = xdr_reserve_space(xdr, 3 * sizeof(*p)); |
|
if (!p) |
|
goto marshal_failed; |
|
*p++ = cpu_to_be32(from_kuid_munged(userns, cred->cr_cred->fsuid)); |
|
*p++ = cpu_to_be32(from_kgid_munged(userns, cred->cr_cred->fsgid)); |
|
|
|
gidarr_len = p++; |
|
if (gi) |
|
for (i = 0; i < UNX_NGROUPS && i < gi->ngroups; i++) |
|
*p++ = cpu_to_be32(from_kgid_munged(userns, gi->gid[i])); |
|
*gidarr_len = cpu_to_be32(p - gidarr_len - 1); |
|
*cred_len = cpu_to_be32((p - cred_len - 1) << 2); |
|
p = xdr_reserve_space(xdr, (p - gidarr_len - 1) << 2); |
|
if (!p) |
|
goto marshal_failed; |
|
|
|
/* Verifier */ |
|
|
|
p = xdr_reserve_space(xdr, 2 * sizeof(*p)); |
|
if (!p) |
|
goto marshal_failed; |
|
*p++ = rpc_auth_null; |
|
*p = xdr_zero; |
|
|
|
return 0; |
|
|
|
marshal_failed: |
|
return -EMSGSIZE; |
|
} |
|
|
|
/* |
|
* Refresh credentials. This is a no-op for AUTH_UNIX |
|
*/ |
|
static int |
|
unx_refresh(struct rpc_task *task) |
|
{ |
|
set_bit(RPCAUTH_CRED_UPTODATE, &task->tk_rqstp->rq_cred->cr_flags); |
|
return 0; |
|
} |
|
|
|
static int |
|
unx_validate(struct rpc_task *task, struct xdr_stream *xdr) |
|
{ |
|
struct rpc_auth *auth = task->tk_rqstp->rq_cred->cr_auth; |
|
__be32 *p; |
|
u32 size; |
|
|
|
p = xdr_inline_decode(xdr, 2 * sizeof(*p)); |
|
if (!p) |
|
return -EIO; |
|
switch (*p++) { |
|
case rpc_auth_null: |
|
case rpc_auth_unix: |
|
case rpc_auth_short: |
|
break; |
|
default: |
|
return -EIO; |
|
} |
|
size = be32_to_cpup(p); |
|
if (size > RPC_MAX_AUTH_SIZE) |
|
return -EIO; |
|
p = xdr_inline_decode(xdr, size); |
|
if (!p) |
|
return -EIO; |
|
|
|
auth->au_verfsize = XDR_QUADLEN(size) + 2; |
|
auth->au_rslack = XDR_QUADLEN(size) + 2; |
|
auth->au_ralign = XDR_QUADLEN(size) + 2; |
|
return 0; |
|
} |
|
|
|
int __init rpc_init_authunix(void) |
|
{ |
|
unix_pool = mempool_create_kmalloc_pool(16, sizeof(struct rpc_cred)); |
|
return unix_pool ? 0 : -ENOMEM; |
|
} |
|
|
|
void rpc_destroy_authunix(void) |
|
{ |
|
mempool_destroy(unix_pool); |
|
} |
|
|
|
const struct rpc_authops authunix_ops = { |
|
.owner = THIS_MODULE, |
|
.au_flavor = RPC_AUTH_UNIX, |
|
.au_name = "UNIX", |
|
.create = unx_create, |
|
.destroy = unx_destroy, |
|
.lookup_cred = unx_lookup_cred, |
|
}; |
|
|
|
static |
|
struct rpc_auth unix_auth = { |
|
.au_cslack = UNX_CALLSLACK, |
|
.au_rslack = NUL_REPLYSLACK, |
|
.au_verfsize = NUL_REPLYSLACK, |
|
.au_ops = &authunix_ops, |
|
.au_flavor = RPC_AUTH_UNIX, |
|
.au_count = REFCOUNT_INIT(1), |
|
}; |
|
|
|
static |
|
const struct rpc_credops unix_credops = { |
|
.cr_name = "AUTH_UNIX", |
|
.crdestroy = unx_destroy_cred, |
|
.crmatch = unx_match, |
|
.crmarshal = unx_marshal, |
|
.crwrap_req = rpcauth_wrap_req_encode, |
|
.crrefresh = unx_refresh, |
|
.crvalidate = unx_validate, |
|
.crunwrap_resp = rpcauth_unwrap_resp_decode, |
|
};
|
|
|