1 /* 2 * Mapping of UID/GIDs to name and vice versa. 3 * 4 * Copyright (c) 2002, 2003 The Regents of the University of 5 * Michigan. All rights reserved. 6 * 7 * Marius Aamodt Eriksen <marius@umich.edu> 8 * 9 * Redistribution and use in source and binary forms, with or without 10 * modification, are permitted provided that the following conditions 11 * are met: 12 * 13 * 1. Redistributions of source code must retain the above copyright 14 * notice, this list of conditions and the following disclaimer. 15 * 2. Redistributions in binary form must reproduce the above copyright 16 * notice, this list of conditions and the following disclaimer in the 17 * documentation and/or other materials provided with the distribution. 18 * 3. Neither the name of the University nor the names of its 19 * contributors may be used to endorse or promote products derived 20 * from this software without specific prior written permission. 21 * 22 * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED 23 * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF 24 * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 25 * DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE 26 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 27 * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF 28 * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR 29 * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF 30 * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING 31 * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS 32 * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 33 */ 34 35 #include <linux/module.h> 36 #include <linux/seq_file.h> 37 #include <linux/sched.h> 38 #include <linux/slab.h> 39 #include <net/net_namespace.h> 40 #include "idmap.h" 41 #include "nfsd.h" 42 43 /* 44 * Turn off idmapping when using AUTH_SYS. 45 */ 46 static bool nfs4_disable_idmapping = true; 47 module_param(nfs4_disable_idmapping, bool, 0644); 48 MODULE_PARM_DESC(nfs4_disable_idmapping, 49 "Turn off server's NFSv4 idmapping when using 'sec=sys'"); 50 51 /* 52 * Cache entry 53 */ 54 55 /* 56 * XXX we know that IDMAP_NAMESZ < PAGE_SIZE, but it's ugly to rely on 57 * that. 58 */ 59 60 #define IDMAP_TYPE_USER 0 61 #define IDMAP_TYPE_GROUP 1 62 63 struct ent { 64 struct cache_head h; 65 int type; /* User / Group */ 66 uid_t id; 67 char name[IDMAP_NAMESZ]; 68 char authname[IDMAP_NAMESZ]; 69 }; 70 71 /* Common entry handling */ 72 73 #define ENT_HASHBITS 8 74 #define ENT_HASHMAX (1 << ENT_HASHBITS) 75 76 static void 77 ent_init(struct cache_head *cnew, struct cache_head *citm) 78 { 79 struct ent *new = container_of(cnew, struct ent, h); 80 struct ent *itm = container_of(citm, struct ent, h); 81 82 new->id = itm->id; 83 new->type = itm->type; 84 85 strlcpy(new->name, itm->name, sizeof(new->name)); 86 strlcpy(new->authname, itm->authname, sizeof(new->name)); 87 } 88 89 static void 90 ent_put(struct kref *ref) 91 { 92 struct ent *map = container_of(ref, struct ent, h.ref); 93 kfree(map); 94 } 95 96 static struct cache_head * 97 ent_alloc(void) 98 { 99 struct ent *e = kmalloc(sizeof(*e), GFP_KERNEL); 100 if (e) 101 return &e->h; 102 else 103 return NULL; 104 } 105 106 /* 107 * ID -> Name cache 108 */ 109 110 static struct cache_head *idtoname_table[ENT_HASHMAX]; 111 112 static uint32_t 113 idtoname_hash(struct ent *ent) 114 { 115 uint32_t hash; 116 117 hash = hash_str(ent->authname, ENT_HASHBITS); 118 hash = hash_long(hash ^ ent->id, ENT_HASHBITS); 119 120 /* Flip LSB for user/group */ 121 if (ent->type == IDMAP_TYPE_GROUP) 122 hash ^= 1; 123 124 return hash; 125 } 126 127 static void 128 idtoname_request(struct cache_detail *cd, struct cache_head *ch, char **bpp, 129 int *blen) 130 { 131 struct ent *ent = container_of(ch, struct ent, h); 132 char idstr[11]; 133 134 qword_add(bpp, blen, ent->authname); 135 snprintf(idstr, sizeof(idstr), "%u", ent->id); 136 qword_add(bpp, blen, ent->type == IDMAP_TYPE_GROUP ? "group" : "user"); 137 qword_add(bpp, blen, idstr); 138 139 (*bpp)[-1] = '\n'; 140 } 141 142 static int 143 idtoname_upcall(struct cache_detail *cd, struct cache_head *ch) 144 { 145 return sunrpc_cache_pipe_upcall(cd, ch, idtoname_request); 146 } 147 148 static int 149 idtoname_match(struct cache_head *ca, struct cache_head *cb) 150 { 151 struct ent *a = container_of(ca, struct ent, h); 152 struct ent *b = container_of(cb, struct ent, h); 153 154 return (a->id == b->id && a->type == b->type && 155 strcmp(a->authname, b->authname) == 0); 156 } 157 158 static int 159 idtoname_show(struct seq_file *m, struct cache_detail *cd, struct cache_head *h) 160 { 161 struct ent *ent; 162 163 if (h == NULL) { 164 seq_puts(m, "#domain type id [name]\n"); 165 return 0; 166 } 167 ent = container_of(h, struct ent, h); 168 seq_printf(m, "%s %s %u", ent->authname, 169 ent->type == IDMAP_TYPE_GROUP ? "group" : "user", 170 ent->id); 171 if (test_bit(CACHE_VALID, &h->flags)) 172 seq_printf(m, " %s", ent->name); 173 seq_printf(m, "\n"); 174 return 0; 175 } 176 177 static void 178 warn_no_idmapd(struct cache_detail *detail, int has_died) 179 { 180 printk("nfsd: nfsv4 idmapping failing: has idmapd %s?\n", 181 has_died ? "died" : "not been started"); 182 } 183 184 185 static int idtoname_parse(struct cache_detail *, char *, int); 186 static struct ent *idtoname_lookup(struct ent *); 187 static struct ent *idtoname_update(struct ent *, struct ent *); 188 189 static struct cache_detail idtoname_cache = { 190 .owner = THIS_MODULE, 191 .hash_size = ENT_HASHMAX, 192 .hash_table = idtoname_table, 193 .name = "nfs4.idtoname", 194 .cache_put = ent_put, 195 .cache_upcall = idtoname_upcall, 196 .cache_parse = idtoname_parse, 197 .cache_show = idtoname_show, 198 .warn_no_listener = warn_no_idmapd, 199 .match = idtoname_match, 200 .init = ent_init, 201 .update = ent_init, 202 .alloc = ent_alloc, 203 }; 204 205 static int 206 idtoname_parse(struct cache_detail *cd, char *buf, int buflen) 207 { 208 struct ent ent, *res; 209 char *buf1, *bp; 210 int len; 211 int error = -EINVAL; 212 213 if (buf[buflen - 1] != '\n') 214 return (-EINVAL); 215 buf[buflen - 1]= '\0'; 216 217 buf1 = kmalloc(PAGE_SIZE, GFP_KERNEL); 218 if (buf1 == NULL) 219 return (-ENOMEM); 220 221 memset(&ent, 0, sizeof(ent)); 222 223 /* Authentication name */ 224 if (qword_get(&buf, buf1, PAGE_SIZE) <= 0) 225 goto out; 226 memcpy(ent.authname, buf1, sizeof(ent.authname)); 227 228 /* Type */ 229 if (qword_get(&buf, buf1, PAGE_SIZE) <= 0) 230 goto out; 231 ent.type = strcmp(buf1, "user") == 0 ? 232 IDMAP_TYPE_USER : IDMAP_TYPE_GROUP; 233 234 /* ID */ 235 if (qword_get(&buf, buf1, PAGE_SIZE) <= 0) 236 goto out; 237 ent.id = simple_strtoul(buf1, &bp, 10); 238 if (bp == buf1) 239 goto out; 240 241 /* expiry */ 242 ent.h.expiry_time = get_expiry(&buf); 243 if (ent.h.expiry_time == 0) 244 goto out; 245 246 error = -ENOMEM; 247 res = idtoname_lookup(&ent); 248 if (!res) 249 goto out; 250 251 /* Name */ 252 error = -EINVAL; 253 len = qword_get(&buf, buf1, PAGE_SIZE); 254 if (len < 0) 255 goto out; 256 if (len == 0) 257 set_bit(CACHE_NEGATIVE, &ent.h.flags); 258 else if (len >= IDMAP_NAMESZ) 259 goto out; 260 else 261 memcpy(ent.name, buf1, sizeof(ent.name)); 262 error = -ENOMEM; 263 res = idtoname_update(&ent, res); 264 if (res == NULL) 265 goto out; 266 267 cache_put(&res->h, &idtoname_cache); 268 269 error = 0; 270 out: 271 kfree(buf1); 272 273 return error; 274 } 275 276 277 static struct ent * 278 idtoname_lookup(struct ent *item) 279 { 280 struct cache_head *ch = sunrpc_cache_lookup(&idtoname_cache, 281 &item->h, 282 idtoname_hash(item)); 283 if (ch) 284 return container_of(ch, struct ent, h); 285 else 286 return NULL; 287 } 288 289 static struct ent * 290 idtoname_update(struct ent *new, struct ent *old) 291 { 292 struct cache_head *ch = sunrpc_cache_update(&idtoname_cache, 293 &new->h, &old->h, 294 idtoname_hash(new)); 295 if (ch) 296 return container_of(ch, struct ent, h); 297 else 298 return NULL; 299 } 300 301 302 /* 303 * Name -> ID cache 304 */ 305 306 static struct cache_head *nametoid_table[ENT_HASHMAX]; 307 308 static inline int 309 nametoid_hash(struct ent *ent) 310 { 311 return hash_str(ent->name, ENT_HASHBITS); 312 } 313 314 static void 315 nametoid_request(struct cache_detail *cd, struct cache_head *ch, char **bpp, 316 int *blen) 317 { 318 struct ent *ent = container_of(ch, struct ent, h); 319 320 qword_add(bpp, blen, ent->authname); 321 qword_add(bpp, blen, ent->type == IDMAP_TYPE_GROUP ? "group" : "user"); 322 qword_add(bpp, blen, ent->name); 323 324 (*bpp)[-1] = '\n'; 325 } 326 327 static int 328 nametoid_upcall(struct cache_detail *cd, struct cache_head *ch) 329 { 330 return sunrpc_cache_pipe_upcall(cd, ch, nametoid_request); 331 } 332 333 static int 334 nametoid_match(struct cache_head *ca, struct cache_head *cb) 335 { 336 struct ent *a = container_of(ca, struct ent, h); 337 struct ent *b = container_of(cb, struct ent, h); 338 339 return (a->type == b->type && strcmp(a->name, b->name) == 0 && 340 strcmp(a->authname, b->authname) == 0); 341 } 342 343 static int 344 nametoid_show(struct seq_file *m, struct cache_detail *cd, struct cache_head *h) 345 { 346 struct ent *ent; 347 348 if (h == NULL) { 349 seq_puts(m, "#domain type name [id]\n"); 350 return 0; 351 } 352 ent = container_of(h, struct ent, h); 353 seq_printf(m, "%s %s %s", ent->authname, 354 ent->type == IDMAP_TYPE_GROUP ? "group" : "user", 355 ent->name); 356 if (test_bit(CACHE_VALID, &h->flags)) 357 seq_printf(m, " %u", ent->id); 358 seq_printf(m, "\n"); 359 return 0; 360 } 361 362 static struct ent *nametoid_lookup(struct ent *); 363 static struct ent *nametoid_update(struct ent *, struct ent *); 364 static int nametoid_parse(struct cache_detail *, char *, int); 365 366 static struct cache_detail nametoid_cache = { 367 .owner = THIS_MODULE, 368 .hash_size = ENT_HASHMAX, 369 .hash_table = nametoid_table, 370 .name = "nfs4.nametoid", 371 .cache_put = ent_put, 372 .cache_upcall = nametoid_upcall, 373 .cache_parse = nametoid_parse, 374 .cache_show = nametoid_show, 375 .warn_no_listener = warn_no_idmapd, 376 .match = nametoid_match, 377 .init = ent_init, 378 .update = ent_init, 379 .alloc = ent_alloc, 380 }; 381 382 static int 383 nametoid_parse(struct cache_detail *cd, char *buf, int buflen) 384 { 385 struct ent ent, *res; 386 char *buf1; 387 int error = -EINVAL; 388 389 if (buf[buflen - 1] != '\n') 390 return (-EINVAL); 391 buf[buflen - 1]= '\0'; 392 393 buf1 = kmalloc(PAGE_SIZE, GFP_KERNEL); 394 if (buf1 == NULL) 395 return (-ENOMEM); 396 397 memset(&ent, 0, sizeof(ent)); 398 399 /* Authentication name */ 400 if (qword_get(&buf, buf1, PAGE_SIZE) <= 0) 401 goto out; 402 memcpy(ent.authname, buf1, sizeof(ent.authname)); 403 404 /* Type */ 405 if (qword_get(&buf, buf1, PAGE_SIZE) <= 0) 406 goto out; 407 ent.type = strcmp(buf1, "user") == 0 ? 408 IDMAP_TYPE_USER : IDMAP_TYPE_GROUP; 409 410 /* Name */ 411 error = qword_get(&buf, buf1, PAGE_SIZE); 412 if (error <= 0 || error >= IDMAP_NAMESZ) 413 goto out; 414 memcpy(ent.name, buf1, sizeof(ent.name)); 415 416 /* expiry */ 417 ent.h.expiry_time = get_expiry(&buf); 418 if (ent.h.expiry_time == 0) 419 goto out; 420 421 /* ID */ 422 error = get_int(&buf, &ent.id); 423 if (error == -EINVAL) 424 goto out; 425 if (error == -ENOENT) 426 set_bit(CACHE_NEGATIVE, &ent.h.flags); 427 428 error = -ENOMEM; 429 res = nametoid_lookup(&ent); 430 if (res == NULL) 431 goto out; 432 res = nametoid_update(&ent, res); 433 if (res == NULL) 434 goto out; 435 436 cache_put(&res->h, &nametoid_cache); 437 error = 0; 438 out: 439 kfree(buf1); 440 441 return (error); 442 } 443 444 445 static struct ent * 446 nametoid_lookup(struct ent *item) 447 { 448 struct cache_head *ch = sunrpc_cache_lookup(&nametoid_cache, 449 &item->h, 450 nametoid_hash(item)); 451 if (ch) 452 return container_of(ch, struct ent, h); 453 else 454 return NULL; 455 } 456 457 static struct ent * 458 nametoid_update(struct ent *new, struct ent *old) 459 { 460 struct cache_head *ch = sunrpc_cache_update(&nametoid_cache, 461 &new->h, &old->h, 462 nametoid_hash(new)); 463 if (ch) 464 return container_of(ch, struct ent, h); 465 else 466 return NULL; 467 } 468 469 /* 470 * Exported API 471 */ 472 473 int 474 nfsd_idmap_init(void) 475 { 476 int rv; 477 478 rv = cache_register_net(&idtoname_cache, &init_net); 479 if (rv) 480 return rv; 481 rv = cache_register_net(&nametoid_cache, &init_net); 482 if (rv) 483 cache_unregister_net(&idtoname_cache, &init_net); 484 return rv; 485 } 486 487 void 488 nfsd_idmap_shutdown(void) 489 { 490 cache_unregister_net(&idtoname_cache, &init_net); 491 cache_unregister_net(&nametoid_cache, &init_net); 492 } 493 494 static int 495 idmap_lookup(struct svc_rqst *rqstp, 496 struct ent *(*lookup_fn)(struct ent *), struct ent *key, 497 struct cache_detail *detail, struct ent **item) 498 { 499 int ret; 500 501 *item = lookup_fn(key); 502 if (!*item) 503 return -ENOMEM; 504 retry: 505 ret = cache_check(detail, &(*item)->h, &rqstp->rq_chandle); 506 507 if (ret == -ETIMEDOUT) { 508 struct ent *prev_item = *item; 509 *item = lookup_fn(key); 510 if (*item != prev_item) 511 goto retry; 512 cache_put(&(*item)->h, detail); 513 } 514 return ret; 515 } 516 517 static char * 518 rqst_authname(struct svc_rqst *rqstp) 519 { 520 struct auth_domain *clp; 521 522 clp = rqstp->rq_gssclient ? rqstp->rq_gssclient : rqstp->rq_client; 523 return clp->name; 524 } 525 526 static __be32 527 idmap_name_to_id(struct svc_rqst *rqstp, int type, const char *name, u32 namelen, 528 uid_t *id) 529 { 530 struct ent *item, key = { 531 .type = type, 532 }; 533 int ret; 534 535 if (namelen + 1 > sizeof(key.name)) 536 return nfserr_badowner; 537 memcpy(key.name, name, namelen); 538 key.name[namelen] = '\0'; 539 strlcpy(key.authname, rqst_authname(rqstp), sizeof(key.authname)); 540 ret = idmap_lookup(rqstp, nametoid_lookup, &key, &nametoid_cache, &item); 541 if (ret == -ENOENT) 542 return nfserr_badowner; 543 if (ret) 544 return nfserrno(ret); 545 *id = item->id; 546 cache_put(&item->h, &nametoid_cache); 547 return 0; 548 } 549 550 static int 551 idmap_id_to_name(struct svc_rqst *rqstp, int type, uid_t id, char *name) 552 { 553 struct ent *item, key = { 554 .id = id, 555 .type = type, 556 }; 557 int ret; 558 559 strlcpy(key.authname, rqst_authname(rqstp), sizeof(key.authname)); 560 ret = idmap_lookup(rqstp, idtoname_lookup, &key, &idtoname_cache, &item); 561 if (ret == -ENOENT) 562 return sprintf(name, "%u", id); 563 if (ret) 564 return ret; 565 ret = strlen(item->name); 566 BUG_ON(ret > IDMAP_NAMESZ); 567 memcpy(name, item->name, ret); 568 cache_put(&item->h, &idtoname_cache); 569 return ret; 570 } 571 572 static bool 573 numeric_name_to_id(struct svc_rqst *rqstp, int type, const char *name, u32 namelen, uid_t *id) 574 { 575 int ret; 576 char buf[11]; 577 578 if (namelen + 1 > sizeof(buf)) 579 /* too long to represent a 32-bit id: */ 580 return false; 581 /* Just to make sure it's null-terminated: */ 582 memcpy(buf, name, namelen); 583 buf[namelen] = '\0'; 584 ret = kstrtouint(name, 10, id); 585 return ret == 0; 586 } 587 588 static __be32 589 do_name_to_id(struct svc_rqst *rqstp, int type, const char *name, u32 namelen, uid_t *id) 590 { 591 if (nfs4_disable_idmapping && rqstp->rq_flavor < RPC_AUTH_GSS) 592 if (numeric_name_to_id(rqstp, type, name, namelen, id)) 593 return 0; 594 /* 595 * otherwise, fall through and try idmapping, for 596 * backwards compatibility with clients sending names: 597 */ 598 return idmap_name_to_id(rqstp, type, name, namelen, id); 599 } 600 601 static int 602 do_id_to_name(struct svc_rqst *rqstp, int type, uid_t id, char *name) 603 { 604 if (nfs4_disable_idmapping && rqstp->rq_flavor < RPC_AUTH_GSS) 605 return sprintf(name, "%u", id); 606 return idmap_id_to_name(rqstp, type, id, name); 607 } 608 609 __be32 610 nfsd_map_name_to_uid(struct svc_rqst *rqstp, const char *name, size_t namelen, 611 __u32 *id) 612 { 613 return do_name_to_id(rqstp, IDMAP_TYPE_USER, name, namelen, id); 614 } 615 616 __be32 617 nfsd_map_name_to_gid(struct svc_rqst *rqstp, const char *name, size_t namelen, 618 __u32 *id) 619 { 620 return do_name_to_id(rqstp, IDMAP_TYPE_GROUP, name, namelen, id); 621 } 622 623 int 624 nfsd_map_uid_to_name(struct svc_rqst *rqstp, __u32 id, char *name) 625 { 626 return do_id_to_name(rqstp, IDMAP_TYPE_USER, id, name); 627 } 628 629 int 630 nfsd_map_gid_to_name(struct svc_rqst *rqstp, __u32 id, char *name) 631 { 632 return do_id_to_name(rqstp, IDMAP_TYPE_GROUP, id, name); 633 } 634