net/sunrpc/auth_unix.c

   1 // SPDX-License-Identifier: GPL-2.0
   2 /*
   3  * linux/net/sunrpc/auth_unix.c
   4  *
   5  * UNIX-style authentication; no AUTH_SHORT support
   6  *
   7  * Copyright (C) 1996, Olaf Kirch <okir@monad.swb.de>
   8  */
   9
  10 #include <linux/slab.h>
  11 #include <linux/types.h>
  12 #include <linux/sched.h>
  13 #include <linux/module.h>
  14 #include <linux/sunrpc/clnt.h>
  15 #include <linux/sunrpc/auth.h>
  16 #include <linux/user_namespace.h>
  17
  18 struct unx_cred {
  19         struct rpc_cred         uc_base;
  20         kgid_t                  uc_gid;
  21         kgid_t                  uc_gids[UNX_NGROUPS];
  22 };
  23 #define uc_uid                  uc_base.cr_uid
  24
  25 #if IS_ENABLED(CONFIG_SUNRPC_DEBUG)
  26 # define RPCDBG_FACILITY        RPCDBG_AUTH
  27 #endif
  28
  29 static struct rpc_auth          unix_auth;
  30 static const struct rpc_credops unix_credops;
  31
  32 static struct rpc_auth *
  33 unx_create(struct rpc_auth_create_args *args, struct rpc_clnt *clnt)
  34 {
  35         dprintk("RPC:       creating UNIX authenticator for client %p\n",
  36                         clnt);
  37         atomic_inc(&unix_auth.au_count);
  38         return &unix_auth;
  39 }
  40
  41 static void
  42 unx_destroy(struct rpc_auth *auth)
  43 {
  44         dprintk("RPC:       destroying UNIX authenticator %p\n", auth);
  45         rpcauth_clear_credcache(auth->au_credcache);
  46 }
  47
  48 static int
  49 unx_hash_cred(struct auth_cred *acred, unsigned int hashbits)
  50 {
  51         return hash_64(from_kgid(&init_user_ns, acred->gid) |
  52                 ((u64)from_kuid(&init_user_ns, acred->uid) <<
  53                         (sizeof(gid_t) * 8)), hashbits);
  54 }
  55
  56 /*
  57  * Lookup AUTH_UNIX creds for current process
  58  */
  59 static struct rpc_cred *
  60 unx_lookup_cred(struct rpc_auth *auth, struct auth_cred *acred, int flags)
  61 {
  62         return rpcauth_lookup_credcache(auth, acred, flags, GFP_NOFS);
  63 }
  64
  65 static struct rpc_cred *
  66 unx_create_cred(struct rpc_auth *auth, struct auth_cred *acred, int flags, gfp_t gfp)
  67 {
  68         struct unx_cred *cred;
  69         unsigned int groups = 0;
  70         unsigned int i;
  71
  72         dprintk("RPC:       allocating UNIX cred for uid %d gid %d\n",
  73                         from_kuid(&init_user_ns, acred->uid),
  74                         from_kgid(&init_user_ns, acred->gid));
  75
  76         if (!(cred = kmalloc(sizeof(*cred), gfp)))
  77                 return ERR_PTR(-ENOMEM);
  78
  79         rpcauth_init_cred(&cred->uc_base, acred, auth, &unix_credops);
  80         cred->uc_base.cr_flags = 1UL << RPCAUTH_CRED_UPTODATE;
  81
  82         if (acred->group_info != NULL)
  83                 groups = acred->group_info->ngroups;
  84         if (groups > UNX_NGROUPS)
  85                 groups = UNX_NGROUPS;
  86
  87         cred->uc_gid = acred->gid;
  88         for (i = 0; i < groups; i++)
  89                 cred->uc_gids[i] = acred->group_info->gid[i];
  90         if (i < UNX_NGROUPS)
  91                 cred->uc_gids[i] = INVALID_GID;
  92
  93         return &cred->uc_base;
  94 }
  95
  96 static void
  97 unx_free_cred(struct unx_cred *unx_cred)
  98 {
  99         dprintk("RPC:       unx_free_cred %p\n", unx_cred);
 100         kfree(unx_cred);
 101 }
 102
 103 static void
 104 unx_free_cred_callback(struct rcu_head *head)
 105 {
 106         struct unx_cred *unx_cred = container_of(head, struct unx_cred, uc_base.cr_rcu);
 107         unx_free_cred(unx_cred);
 108 }
 109
 110 static void
 111 unx_destroy_cred(struct rpc_cred *cred)
 112 {
 113         call_rcu(&cred->cr_rcu, unx_free_cred_callback);
 114 }
 115
 116 /*
 117  * Match credentials against current process creds.
 118  * The root_override argument takes care of cases where the caller may
 119  * request root creds (e.g. for NFS swapping).
 120  */
 121 static int
 122 unx_match(struct auth_cred *acred, struct rpc_cred *rcred, int flags)
 123 {
 124         struct unx_cred *cred = container_of(rcred, struct unx_cred, uc_base);
 125         unsigned int groups = 0;
 126         unsigned int i;
 127
 128
 129         if (!uid_eq(cred->uc_uid, acred->uid) || !gid_eq(cred->uc_gid, acred->gid))
 130                 return 0;
 131
 132         if (acred->group_info != NULL)
 133                 groups = acred->group_info->ngroups;
 134         if (groups > UNX_NGROUPS)
 135                 groups = UNX_NGROUPS;
 136         for (i = 0; i < groups ; i++)
 137                 if (!gid_eq(cred->uc_gids[i], acred->group_info->gid[i]))
 138                         return 0;
 139         if (groups < UNX_NGROUPS && gid_valid(cred->uc_gids[groups]))
 140                 return 0;
 141         return 1;
 142 }
 143
 144 /*
 145  * Marshal credentials.
 146  * Maybe we should keep a cached credential for performance reasons.
 147  */
 148 static __be32 *
 149 unx_marshal(struct rpc_task *task, __be32 *p)
 150 {
 151         struct rpc_clnt *clnt = task->tk_client;
 152         struct unx_cred *cred = container_of(task->tk_rqstp->rq_cred, struct unx_cred, uc_base);
 153         __be32          *base, *hold;
 154         int             i;
 155
 156         *p++ = htonl(RPC_AUTH_UNIX);
 157         base = p++;
 158         *p++ = htonl(jiffies/HZ);
 159
 160         /*
 161          * Copy the UTS nodename captured when the client was created.
 162          */
 163         p = xdr_encode_array(p, clnt->cl_nodename, clnt->cl_nodelen);
 164
 165         *p++ = htonl((u32) from_kuid(&init_user_ns, cred->uc_uid));
 166         *p++ = htonl((u32) from_kgid(&init_user_ns, cred->uc_gid));
 167         hold = p++;
 168         for (i = 0; i < UNX_NGROUPS && gid_valid(cred->uc_gids[i]); i++)
 169                 *p++ = htonl((u32) from_kgid(&init_user_ns, cred->uc_gids[i]));
 170         *hold = htonl(p - hold - 1);            /* gid array length */
 171         *base = htonl((p - base - 1) << 2);     /* cred length */
 172
 173         *p++ = htonl(RPC_AUTH_NULL);
 174         *p++ = htonl(0);
 175
 176         return p;
 177 }
 178
 179 /*
 180  * Refresh credentials. This is a no-op for AUTH_UNIX
 181  */
 182 static int
 183 unx_refresh(struct rpc_task *task)
 184 {
 185         set_bit(RPCAUTH_CRED_UPTODATE, &task->tk_rqstp->rq_cred->cr_flags);
 186         return 0;
 187 }
 188
 189 static __be32 *
 190 unx_validate(struct rpc_task *task, __be32 *p)
 191 {
 192         rpc_authflavor_t        flavor;
 193         u32                     size;
 194
 195         flavor = ntohl(*p++);
 196         if (flavor != RPC_AUTH_NULL &&
 197             flavor != RPC_AUTH_UNIX &&
 198             flavor != RPC_AUTH_SHORT) {
 199                 printk("RPC: bad verf flavor: %u\n", flavor);
 200                 return ERR_PTR(-EIO);
 201         }
 202
 203         size = ntohl(*p++);
 204         if (size > RPC_MAX_AUTH_SIZE) {
 205                 printk("RPC: giant verf size: %u\n", size);
 206                 return ERR_PTR(-EIO);
 207         }
 208         task->tk_rqstp->rq_cred->cr_auth->au_rslack = (size >> 2) + 2;
 209         p += (size >> 2);
 210
 211         return p;
 212 }
 213
 214 int __init rpc_init_authunix(void)
 215 {
 216         return rpcauth_init_credcache(&unix_auth);
 217 }
 218
 219 void rpc_destroy_authunix(void)
 220 {
 221         rpcauth_destroy_credcache(&unix_auth);
 222 }
 223
 224 const struct rpc_authops authunix_ops = {
 225         .owner          = THIS_MODULE,
 226         .au_flavor      = RPC_AUTH_UNIX,
 227         .au_name        = "UNIX",
 228         .create         = unx_create,
 229         .destroy        = unx_destroy,
 230         .hash_cred      = unx_hash_cred,
 231         .lookup_cred    = unx_lookup_cred,
 232         .crcreate       = unx_create_cred,
 233 };
 234
 235 static
 236 struct rpc_auth         unix_auth = {
 237         .au_cslack      = UNX_CALLSLACK,
 238         .au_rslack      = NUL_REPLYSLACK,
 239         .au_flags       = RPCAUTH_AUTH_NO_CRKEY_TIMEOUT,
 240         .au_ops         = &authunix_ops,
 241         .au_flavor      = RPC_AUTH_UNIX,
 242         .au_count       = ATOMIC_INIT(0),
 243 };
 244
 245 static
 246 const struct rpc_credops unix_credops = {
 247         .cr_name        = "AUTH_UNIX",
 248         .crdestroy      = unx_destroy_cred,
 249         .crbind         = rpcauth_generic_bind_cred,
 250         .crmatch        = unx_match,
 251         .crmarshal      = unx_marshal,
 252         .crrefresh      = unx_refresh,
 253         .crvalidate     = unx_validate,
 254 };