1/*
  2 * Generic RPC credential
  3 *
  4 * Copyright (C) 2008, Trond Myklebust <Trond.Myklebust@netapp.com>
  5 */
  6
  7#include <linux/err.h>
  8#include <linux/slab.h>
  9#include <linux/types.h>
 10#include <linux/module.h>
 11#include <linux/sched.h>
 12#include <linux/sunrpc/auth.h>
 13#include <linux/sunrpc/clnt.h>
 14#include <linux/sunrpc/debug.h>
 15#include <linux/sunrpc/sched.h>
 16
 17#ifdef RPC_DEBUG
 18# define RPCDBG_FACILITY	RPCDBG_AUTH
 19#endif
 20
 21#define RPC_MACHINE_CRED_USERID		GLOBAL_ROOT_UID
 22#define RPC_MACHINE_CRED_GROUPID	GLOBAL_ROOT_GID
 23
 24struct generic_cred {
 25	struct rpc_cred gc_base;
 26	struct auth_cred acred;
 27};
 28
 29static struct rpc_auth generic_auth;
 30static const struct rpc_credops generic_credops;
 31
 32/*
 33 * Public call interface
 34 */
 35struct rpc_cred *rpc_lookup_cred(void)
 36{
 37	return rpcauth_lookupcred(&generic_auth, 0);
 38}
 39EXPORT_SYMBOL_GPL(rpc_lookup_cred);
 40
 41/*
 42 * Public call interface for looking up machine creds.
 43 */
 44struct rpc_cred *rpc_lookup_machine_cred(const char *service_name)
 45{
 46	struct auth_cred acred = {
 47		.uid = RPC_MACHINE_CRED_USERID,
 48		.gid = RPC_MACHINE_CRED_GROUPID,
 49		.principal = service_name,
 50		.machine_cred = 1,
 51	};
 52
 53	dprintk("RPC:       looking up machine cred for service %s\n",
 54			service_name);
 55	return generic_auth.au_ops->lookup_cred(&generic_auth, &acred, 0);
 56}
 57EXPORT_SYMBOL_GPL(rpc_lookup_machine_cred);
 58
 59static struct rpc_cred *generic_bind_cred(struct rpc_task *task,
 60		struct rpc_cred *cred, int lookupflags)
 61{
 62	struct rpc_auth *auth = task->tk_client->cl_auth;
 63	struct auth_cred *acred = &container_of(cred, struct generic_cred, gc_base)->acred;
 64
 65	return auth->au_ops->lookup_cred(auth, acred, lookupflags);
 66}
 67
 68/*
 69 * Lookup generic creds for current process
 70 */
 71static struct rpc_cred *
 72generic_lookup_cred(struct rpc_auth *auth, struct auth_cred *acred, int flags)
 73{
 74	return rpcauth_lookup_credcache(&generic_auth, acred, flags);
 75}
 76
 77static struct rpc_cred *
 78generic_create_cred(struct rpc_auth *auth, struct auth_cred *acred, int flags)
 79{
 80	struct generic_cred *gcred;
 81
 82	gcred = kmalloc(sizeof(*gcred), GFP_KERNEL);
 83	if (gcred == NULL)
 84		return ERR_PTR(-ENOMEM);
 85
 86	rpcauth_init_cred(&gcred->gc_base, acred, &generic_auth, &generic_credops);
 87	gcred->gc_base.cr_flags = 1UL << RPCAUTH_CRED_UPTODATE;
 88
 89	gcred->acred.uid = acred->uid;
 90	gcred->acred.gid = acred->gid;
 91	gcred->acred.group_info = acred->group_info;
 92	gcred->acred.ac_flags = 0;
 93	if (gcred->acred.group_info != NULL)
 94		get_group_info(gcred->acred.group_info);
 95	gcred->acred.machine_cred = acred->machine_cred;
 96	gcred->acred.principal = acred->principal;
 97
 98	dprintk("RPC:       allocated %s cred %p for uid %d gid %d\n",
 99			gcred->acred.machine_cred ? "machine" : "generic",
100			gcred,
101			from_kuid(&init_user_ns, acred->uid),
102			from_kgid(&init_user_ns, acred->gid));
103	return &gcred->gc_base;
104}
105
106static void
107generic_free_cred(struct rpc_cred *cred)
108{
109	struct generic_cred *gcred = container_of(cred, struct generic_cred, gc_base);
110
111	dprintk("RPC:       generic_free_cred %p\n", gcred);
112	if (gcred->acred.group_info != NULL)
113		put_group_info(gcred->acred.group_info);
114	kfree(gcred);
115}
116
117static void
118generic_free_cred_callback(struct rcu_head *head)
119{
120	struct rpc_cred *cred = container_of(head, struct rpc_cred, cr_rcu);
121	generic_free_cred(cred);
122}
123
124static void
125generic_destroy_cred(struct rpc_cred *cred)
126{
127	call_rcu(&cred->cr_rcu, generic_free_cred_callback);
128}
129
130static int
131machine_cred_match(struct auth_cred *acred, struct generic_cred *gcred, int flags)
132{
133	if (!gcred->acred.machine_cred ||
134	    gcred->acred.principal != acred->principal ||
135	    !uid_eq(gcred->acred.uid, acred->uid) ||
136	    !gid_eq(gcred->acred.gid, acred->gid))
137		return 0;
138	return 1;
139}
140
141/*
142 * Match credentials against current process creds.
143 */
144static int
145generic_match(struct auth_cred *acred, struct rpc_cred *cred, int flags)
146{
147	struct generic_cred *gcred = container_of(cred, struct generic_cred, gc_base);
148	int i;
149
150	if (acred->machine_cred)
151		return machine_cred_match(acred, gcred, flags);
152
153	if (!uid_eq(gcred->acred.uid, acred->uid) ||
154	    !gid_eq(gcred->acred.gid, acred->gid) ||
155	    gcred->acred.machine_cred != 0)
156		goto out_nomatch;
157
158	/* Optimisation in the case where pointers are identical... */
159	if (gcred->acred.group_info == acred->group_info)
160		goto out_match;
161
162	/* Slow path... */
163	if (gcred->acred.group_info->ngroups != acred->group_info->ngroups)
164		goto out_nomatch;
165	for (i = 0; i < gcred->acred.group_info->ngroups; i++) {
166		if (!gid_eq(GROUP_AT(gcred->acred.group_info, i),
167				GROUP_AT(acred->group_info, i)))
168			goto out_nomatch;
169	}
170out_match:
171	return 1;
172out_nomatch:
173	return 0;
174}
175
176int __init rpc_init_generic_auth(void)
177{
178	return rpcauth_init_credcache(&generic_auth);
179}
180
181void rpc_destroy_generic_auth(void)
182{
183	rpcauth_destroy_credcache(&generic_auth);
184}
185
186/*
187 * Test the the current time (now) against the underlying credential key expiry
188 * minus a timeout and setup notification.
189 *
190 * The normal case:
191 * If 'now' is before the key expiry minus RPC_KEY_EXPIRE_TIMEO, set
192 * the RPC_CRED_NOTIFY_TIMEOUT flag to setup the underlying credential
193 * rpc_credops crmatch routine to notify this generic cred when it's key
194 * expiration is within RPC_KEY_EXPIRE_TIMEO, and return 0.
195 *
196 * The error case:
197 * If the underlying cred lookup fails, return -EACCES.
198 *
199 * The 'almost' error case:
200 * If 'now' is within key expiry minus RPC_KEY_EXPIRE_TIMEO, but not within
201 * key expiry minus RPC_KEY_EXPIRE_FAIL, set the RPC_CRED_EXPIRE_SOON bit
202 * on the acred ac_flags and return 0.
203 */
204static int
205generic_key_timeout(struct rpc_auth *auth, struct rpc_cred *cred)
206{
207	struct auth_cred *acred = &container_of(cred, struct generic_cred,
208						gc_base)->acred;
209	struct rpc_cred *tcred;
210	int ret = 0;
211
212
213	/* Fast track for non crkey_timeout (no key) underlying credentials */
214	if (test_bit(RPC_CRED_NO_CRKEY_TIMEOUT, &acred->ac_flags))
215		return 0;
216
217	/* Fast track for the normal case */
218	if (test_bit(RPC_CRED_NOTIFY_TIMEOUT, &acred->ac_flags))
219		return 0;
220
221	/* lookup_cred either returns a valid referenced rpc_cred, or PTR_ERR */
222	tcred = auth->au_ops->lookup_cred(auth, acred, 0);
223	if (IS_ERR(tcred))
224		return -EACCES;
225
226	if (!tcred->cr_ops->crkey_timeout) {
227		set_bit(RPC_CRED_NO_CRKEY_TIMEOUT, &acred->ac_flags);
228		ret = 0;
229		goto out_put;
230	}
231
232	/* Test for the almost error case */
233	ret = tcred->cr_ops->crkey_timeout(tcred);
234	if (ret != 0) {
235		set_bit(RPC_CRED_KEY_EXPIRE_SOON, &acred->ac_flags);
236		ret = 0;
237	} else {
238		/* In case underlying cred key has been reset */
239		if (test_and_clear_bit(RPC_CRED_KEY_EXPIRE_SOON,
240					&acred->ac_flags))
241			dprintk("RPC:        UID %d Credential key reset\n",
242				from_kuid(&init_user_ns, tcred->cr_uid));
243		/* set up fasttrack for the normal case */
244		set_bit(RPC_CRED_NOTIFY_TIMEOUT, &acred->ac_flags);
245	}
246
247out_put:
248	put_rpccred(tcred);
249	return ret;
250}
251
252static const struct rpc_authops generic_auth_ops = {
253	.owner = THIS_MODULE,
254	.au_name = "Generic",
255	.lookup_cred = generic_lookup_cred,
256	.crcreate = generic_create_cred,
257	.key_timeout = generic_key_timeout,
258};
259
260static struct rpc_auth generic_auth = {
261	.au_ops = &generic_auth_ops,
262	.au_count = ATOMIC_INIT(0),
263};
264
265static bool generic_key_to_expire(struct rpc_cred *cred)
266{
267	struct auth_cred *acred = &container_of(cred, struct generic_cred,
268						gc_base)->acred;
269	bool ret;
270
271	get_rpccred(cred);
272	ret = test_bit(RPC_CRED_KEY_EXPIRE_SOON, &acred->ac_flags);
273	put_rpccred(cred);
274
275	return ret;
276}
277
278static const struct rpc_credops generic_credops = {
279	.cr_name = "Generic cred",
280	.crdestroy = generic_destroy_cred,
281	.crbind = generic_bind_cred,
282	.crmatch = generic_match,
283	.crkey_to_expire = generic_key_to_expire,
284};