1 /* 2 * Mapping of UID/GIDs to name and vice versa. 3 * 4 * Copyright (c) 2002, 2003 The Regents of the University of 5 * Michigan. All rights reserved. 6 * 7 * Marius Aamodt Eriksen <marius@umich.edu> 8 * 9 * Redistribution and use in source and binary forms, with or without 10 * modification, are permitted provided that the following conditions 11 * are met: 12 * 13 * 1. Redistributions of source code must retain the above copyright 14 * notice, this list of conditions and the following disclaimer. 15 * 2. Redistributions in binary form must reproduce the above copyright 16 * notice, this list of conditions and the following disclaimer in the 17 * documentation and/or other materials provided with the distribution. 18 * 3. Neither the name of the University nor the names of its 19 * contributors may be used to endorse or promote products derived 20 * from this software without specific prior written permission. 21 * 22 * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED 23 * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF 24 * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 25 * DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE 26 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 27 * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF 28 * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR 29 * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF 30 * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING 31 * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS 32 * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 33 */ 34 35 #include <linux/module.h> 36 #include <linux/seq_file.h> 37 #include <linux/sched.h> 38 #include <linux/slab.h> 39 #include <linux/sunrpc/svc_xprt.h> 40 #include <net/net_namespace.h> 41 #include "idmap.h" 42 #include "nfsd.h" 43 #include "netns.h" 44 45 /* 46 * Turn off idmapping when using AUTH_SYS. 47 */ 48 static bool nfs4_disable_idmapping = true; 49 module_param(nfs4_disable_idmapping, bool, 0644); 50 MODULE_PARM_DESC(nfs4_disable_idmapping, 51 "Turn off server's NFSv4 idmapping when using 'sec=sys'"); 52 53 /* 54 * Cache entry 55 */ 56 57 /* 58 * XXX we know that IDMAP_NAMESZ < PAGE_SIZE, but it's ugly to rely on 59 * that. 60 */ 61 62 #define IDMAP_TYPE_USER 0 63 #define IDMAP_TYPE_GROUP 1 64 65 struct ent { 66 struct cache_head h; 67 int type; /* User / Group */ 68 u32 id; 69 char name[IDMAP_NAMESZ]; 70 char authname[IDMAP_NAMESZ]; 71 }; 72 73 /* Common entry handling */ 74 75 #define ENT_HASHBITS 8 76 #define ENT_HASHMAX (1 << ENT_HASHBITS) 77 78 static void 79 ent_init(struct cache_head *cnew, struct cache_head *citm) 80 { 81 struct ent *new = container_of(cnew, struct ent, h); 82 struct ent *itm = container_of(citm, struct ent, h); 83 84 new->id = itm->id; 85 new->type = itm->type; 86 87 strlcpy(new->name, itm->name, sizeof(new->name)); 88 strlcpy(new->authname, itm->authname, sizeof(new->name)); 89 } 90 91 static void 92 ent_put(struct kref *ref) 93 { 94 struct ent *map = container_of(ref, struct ent, h.ref); 95 kfree(map); 96 } 97 98 static struct cache_head * 99 ent_alloc(void) 100 { 101 struct ent *e = kmalloc(sizeof(*e), GFP_KERNEL); 102 if (e) 103 return &e->h; 104 else 105 return NULL; 106 } 107 108 /* 109 * ID -> Name cache 110 */ 111 112 static uint32_t 113 idtoname_hash(struct ent *ent) 114 { 115 uint32_t hash; 116 117 hash = hash_str(ent->authname, ENT_HASHBITS); 118 hash = hash_long(hash ^ ent->id, ENT_HASHBITS); 119 120 /* Flip LSB for user/group */ 121 if (ent->type == IDMAP_TYPE_GROUP) 122 hash ^= 1; 123 124 return hash; 125 } 126 127 static void 128 idtoname_request(struct cache_detail *cd, struct cache_head *ch, char **bpp, 129 int *blen) 130 { 131 struct ent *ent = container_of(ch, struct ent, h); 132 char idstr[11]; 133 134 qword_add(bpp, blen, ent->authname); 135 snprintf(idstr, sizeof(idstr), "%u", ent->id); 136 qword_add(bpp, blen, ent->type == IDMAP_TYPE_GROUP ? "group" : "user"); 137 qword_add(bpp, blen, idstr); 138 139 (*bpp)[-1] = '\n'; 140 } 141 142 static int 143 idtoname_match(struct cache_head *ca, struct cache_head *cb) 144 { 145 struct ent *a = container_of(ca, struct ent, h); 146 struct ent *b = container_of(cb, struct ent, h); 147 148 return (a->id == b->id && a->type == b->type && 149 strcmp(a->authname, b->authname) == 0); 150 } 151 152 static int 153 idtoname_show(struct seq_file *m, struct cache_detail *cd, struct cache_head *h) 154 { 155 struct ent *ent; 156 157 if (h == NULL) { 158 seq_puts(m, "#domain type id [name]\n"); 159 return 0; 160 } 161 ent = container_of(h, struct ent, h); 162 seq_printf(m, "%s %s %u", ent->authname, 163 ent->type == IDMAP_TYPE_GROUP ? "group" : "user", 164 ent->id); 165 if (test_bit(CACHE_VALID, &h->flags)) 166 seq_printf(m, " %s", ent->name); 167 seq_printf(m, "\n"); 168 return 0; 169 } 170 171 static void 172 warn_no_idmapd(struct cache_detail *detail, int has_died) 173 { 174 printk("nfsd: nfsv4 idmapping failing: has idmapd %s?\n", 175 has_died ? "died" : "not been started"); 176 } 177 178 179 static int idtoname_parse(struct cache_detail *, char *, int); 180 static struct ent *idtoname_lookup(struct cache_detail *, struct ent *); 181 static struct ent *idtoname_update(struct cache_detail *, struct ent *, 182 struct ent *); 183 184 static struct cache_detail idtoname_cache_template = { 185 .owner = THIS_MODULE, 186 .hash_size = ENT_HASHMAX, 187 .name = "nfs4.idtoname", 188 .cache_put = ent_put, 189 .cache_request = idtoname_request, 190 .cache_parse = idtoname_parse, 191 .cache_show = idtoname_show, 192 .warn_no_listener = warn_no_idmapd, 193 .match = idtoname_match, 194 .init = ent_init, 195 .update = ent_init, 196 .alloc = ent_alloc, 197 }; 198 199 static int 200 idtoname_parse(struct cache_detail *cd, char *buf, int buflen) 201 { 202 struct ent ent, *res; 203 char *buf1, *bp; 204 int len; 205 int error = -EINVAL; 206 207 if (buf[buflen - 1] != '\n') 208 return (-EINVAL); 209 buf[buflen - 1]= '\0'; 210 211 buf1 = kmalloc(PAGE_SIZE, GFP_KERNEL); 212 if (buf1 == NULL) 213 return (-ENOMEM); 214 215 memset(&ent, 0, sizeof(ent)); 216 217 /* Authentication name */ 218 if (qword_get(&buf, buf1, PAGE_SIZE) <= 0) 219 goto out; 220 memcpy(ent.authname, buf1, sizeof(ent.authname)); 221 222 /* Type */ 223 if (qword_get(&buf, buf1, PAGE_SIZE) <= 0) 224 goto out; 225 ent.type = strcmp(buf1, "user") == 0 ? 226 IDMAP_TYPE_USER : IDMAP_TYPE_GROUP; 227 228 /* ID */ 229 if (qword_get(&buf, buf1, PAGE_SIZE) <= 0) 230 goto out; 231 ent.id = simple_strtoul(buf1, &bp, 10); 232 if (bp == buf1) 233 goto out; 234 235 /* expiry */ 236 ent.h.expiry_time = get_expiry(&buf); 237 if (ent.h.expiry_time == 0) 238 goto out; 239 240 error = -ENOMEM; 241 res = idtoname_lookup(cd, &ent); 242 if (!res) 243 goto out; 244 245 /* Name */ 246 error = -EINVAL; 247 len = qword_get(&buf, buf1, PAGE_SIZE); 248 if (len < 0) 249 goto out; 250 if (len == 0) 251 set_bit(CACHE_NEGATIVE, &ent.h.flags); 252 else if (len >= IDMAP_NAMESZ) 253 goto out; 254 else 255 memcpy(ent.name, buf1, sizeof(ent.name)); 256 error = -ENOMEM; 257 res = idtoname_update(cd, &ent, res); 258 if (res == NULL) 259 goto out; 260 261 cache_put(&res->h, cd); 262 263 error = 0; 264 out: 265 kfree(buf1); 266 267 return error; 268 } 269 270 271 static struct ent * 272 idtoname_lookup(struct cache_detail *cd, struct ent *item) 273 { 274 struct cache_head *ch = sunrpc_cache_lookup(cd, &item->h, 275 idtoname_hash(item)); 276 if (ch) 277 return container_of(ch, struct ent, h); 278 else 279 return NULL; 280 } 281 282 static struct ent * 283 idtoname_update(struct cache_detail *cd, struct ent *new, struct ent *old) 284 { 285 struct cache_head *ch = sunrpc_cache_update(cd, &new->h, &old->h, 286 idtoname_hash(new)); 287 if (ch) 288 return container_of(ch, struct ent, h); 289 else 290 return NULL; 291 } 292 293 294 /* 295 * Name -> ID cache 296 */ 297 298 static inline int 299 nametoid_hash(struct ent *ent) 300 { 301 return hash_str(ent->name, ENT_HASHBITS); 302 } 303 304 static void 305 nametoid_request(struct cache_detail *cd, struct cache_head *ch, char **bpp, 306 int *blen) 307 { 308 struct ent *ent = container_of(ch, struct ent, h); 309 310 qword_add(bpp, blen, ent->authname); 311 qword_add(bpp, blen, ent->type == IDMAP_TYPE_GROUP ? "group" : "user"); 312 qword_add(bpp, blen, ent->name); 313 314 (*bpp)[-1] = '\n'; 315 } 316 317 static int 318 nametoid_match(struct cache_head *ca, struct cache_head *cb) 319 { 320 struct ent *a = container_of(ca, struct ent, h); 321 struct ent *b = container_of(cb, struct ent, h); 322 323 return (a->type == b->type && strcmp(a->name, b->name) == 0 && 324 strcmp(a->authname, b->authname) == 0); 325 } 326 327 static int 328 nametoid_show(struct seq_file *m, struct cache_detail *cd, struct cache_head *h) 329 { 330 struct ent *ent; 331 332 if (h == NULL) { 333 seq_puts(m, "#domain type name [id]\n"); 334 return 0; 335 } 336 ent = container_of(h, struct ent, h); 337 seq_printf(m, "%s %s %s", ent->authname, 338 ent->type == IDMAP_TYPE_GROUP ? "group" : "user", 339 ent->name); 340 if (test_bit(CACHE_VALID, &h->flags)) 341 seq_printf(m, " %u", ent->id); 342 seq_printf(m, "\n"); 343 return 0; 344 } 345 346 static struct ent *nametoid_lookup(struct cache_detail *, struct ent *); 347 static struct ent *nametoid_update(struct cache_detail *, struct ent *, 348 struct ent *); 349 static int nametoid_parse(struct cache_detail *, char *, int); 350 351 static struct cache_detail nametoid_cache_template = { 352 .owner = THIS_MODULE, 353 .hash_size = ENT_HASHMAX, 354 .name = "nfs4.nametoid", 355 .cache_put = ent_put, 356 .cache_request = nametoid_request, 357 .cache_parse = nametoid_parse, 358 .cache_show = nametoid_show, 359 .warn_no_listener = warn_no_idmapd, 360 .match = nametoid_match, 361 .init = ent_init, 362 .update = ent_init, 363 .alloc = ent_alloc, 364 }; 365 366 static int 367 nametoid_parse(struct cache_detail *cd, char *buf, int buflen) 368 { 369 struct ent ent, *res; 370 char *buf1; 371 int error = -EINVAL; 372 373 if (buf[buflen - 1] != '\n') 374 return (-EINVAL); 375 buf[buflen - 1]= '\0'; 376 377 buf1 = kmalloc(PAGE_SIZE, GFP_KERNEL); 378 if (buf1 == NULL) 379 return (-ENOMEM); 380 381 memset(&ent, 0, sizeof(ent)); 382 383 /* Authentication name */ 384 if (qword_get(&buf, buf1, PAGE_SIZE) <= 0) 385 goto out; 386 memcpy(ent.authname, buf1, sizeof(ent.authname)); 387 388 /* Type */ 389 if (qword_get(&buf, buf1, PAGE_SIZE) <= 0) 390 goto out; 391 ent.type = strcmp(buf1, "user") == 0 ? 392 IDMAP_TYPE_USER : IDMAP_TYPE_GROUP; 393 394 /* Name */ 395 error = qword_get(&buf, buf1, PAGE_SIZE); 396 if (error <= 0 || error >= IDMAP_NAMESZ) 397 goto out; 398 memcpy(ent.name, buf1, sizeof(ent.name)); 399 400 /* expiry */ 401 ent.h.expiry_time = get_expiry(&buf); 402 if (ent.h.expiry_time == 0) 403 goto out; 404 405 /* ID */ 406 error = get_int(&buf, &ent.id); 407 if (error == -EINVAL) 408 goto out; 409 if (error == -ENOENT) 410 set_bit(CACHE_NEGATIVE, &ent.h.flags); 411 412 error = -ENOMEM; 413 res = nametoid_lookup(cd, &ent); 414 if (res == NULL) 415 goto out; 416 res = nametoid_update(cd, &ent, res); 417 if (res == NULL) 418 goto out; 419 420 cache_put(&res->h, cd); 421 error = 0; 422 out: 423 kfree(buf1); 424 425 return (error); 426 } 427 428 429 static struct ent * 430 nametoid_lookup(struct cache_detail *cd, struct ent *item) 431 { 432 struct cache_head *ch = sunrpc_cache_lookup(cd, &item->h, 433 nametoid_hash(item)); 434 if (ch) 435 return container_of(ch, struct ent, h); 436 else 437 return NULL; 438 } 439 440 static struct ent * 441 nametoid_update(struct cache_detail *cd, struct ent *new, struct ent *old) 442 { 443 struct cache_head *ch = sunrpc_cache_update(cd, &new->h, &old->h, 444 nametoid_hash(new)); 445 if (ch) 446 return container_of(ch, struct ent, h); 447 else 448 return NULL; 449 } 450 451 /* 452 * Exported API 453 */ 454 455 int 456 nfsd_idmap_init(struct net *net) 457 { 458 int rv; 459 struct nfsd_net *nn = net_generic(net, nfsd_net_id); 460 461 nn->idtoname_cache = cache_create_net(&idtoname_cache_template, net); 462 if (IS_ERR(nn->idtoname_cache)) 463 return PTR_ERR(nn->idtoname_cache); 464 rv = cache_register_net(nn->idtoname_cache, net); 465 if (rv) 466 goto destroy_idtoname_cache; 467 nn->nametoid_cache = cache_create_net(&nametoid_cache_template, net); 468 if (IS_ERR(nn->nametoid_cache)) { 469 rv = PTR_ERR(nn->nametoid_cache); 470 goto unregister_idtoname_cache; 471 } 472 rv = cache_register_net(nn->nametoid_cache, net); 473 if (rv) 474 goto destroy_nametoid_cache; 475 return 0; 476 477 destroy_nametoid_cache: 478 cache_destroy_net(nn->nametoid_cache, net); 479 unregister_idtoname_cache: 480 cache_unregister_net(nn->idtoname_cache, net); 481 destroy_idtoname_cache: 482 cache_destroy_net(nn->idtoname_cache, net); 483 return rv; 484 } 485 486 void 487 nfsd_idmap_shutdown(struct net *net) 488 { 489 struct nfsd_net *nn = net_generic(net, nfsd_net_id); 490 491 cache_unregister_net(nn->idtoname_cache, net); 492 cache_unregister_net(nn->nametoid_cache, net); 493 cache_destroy_net(nn->idtoname_cache, net); 494 cache_destroy_net(nn->nametoid_cache, net); 495 } 496 497 static int 498 idmap_lookup(struct svc_rqst *rqstp, 499 struct ent *(*lookup_fn)(struct cache_detail *, struct ent *), 500 struct ent *key, struct cache_detail *detail, struct ent **item) 501 { 502 int ret; 503 504 *item = lookup_fn(detail, key); 505 if (!*item) 506 return -ENOMEM; 507 retry: 508 ret = cache_check(detail, &(*item)->h, &rqstp->rq_chandle); 509 510 if (ret == -ETIMEDOUT) { 511 struct ent *prev_item = *item; 512 *item = lookup_fn(detail, key); 513 if (*item != prev_item) 514 goto retry; 515 cache_put(&(*item)->h, detail); 516 } 517 return ret; 518 } 519 520 static char * 521 rqst_authname(struct svc_rqst *rqstp) 522 { 523 struct auth_domain *clp; 524 525 clp = rqstp->rq_gssclient ? rqstp->rq_gssclient : rqstp->rq_client; 526 return clp->name; 527 } 528 529 static __be32 530 idmap_name_to_id(struct svc_rqst *rqstp, int type, const char *name, u32 namelen, 531 u32 *id) 532 { 533 struct ent *item, key = { 534 .type = type, 535 }; 536 int ret; 537 struct nfsd_net *nn = net_generic(SVC_NET(rqstp), nfsd_net_id); 538 539 if (namelen + 1 > sizeof(key.name)) 540 return nfserr_badowner; 541 memcpy(key.name, name, namelen); 542 key.name[namelen] = '\0'; 543 strlcpy(key.authname, rqst_authname(rqstp), sizeof(key.authname)); 544 ret = idmap_lookup(rqstp, nametoid_lookup, &key, nn->nametoid_cache, &item); 545 if (ret == -ENOENT) 546 return nfserr_badowner; 547 if (ret) 548 return nfserrno(ret); 549 *id = item->id; 550 cache_put(&item->h, nn->nametoid_cache); 551 return 0; 552 } 553 554 static __be32 encode_ascii_id(u32 id, __be32 **p, int *buflen) 555 { 556 char buf[11]; 557 int len; 558 int bytes; 559 560 len = sprintf(buf, "%u", id); 561 bytes = 4 + (XDR_QUADLEN(len) << 2); 562 if (bytes > *buflen) 563 return nfserr_resource; 564 *p = xdr_encode_opaque(*p, buf, len); 565 *buflen -= bytes; 566 return 0; 567 } 568 569 static __be32 idmap_id_to_name(struct svc_rqst *rqstp, int type, u32 id, __be32 **p, int *buflen) 570 { 571 struct ent *item, key = { 572 .id = id, 573 .type = type, 574 }; 575 int ret; 576 int bytes; 577 struct nfsd_net *nn = net_generic(SVC_NET(rqstp), nfsd_net_id); 578 579 strlcpy(key.authname, rqst_authname(rqstp), sizeof(key.authname)); 580 ret = idmap_lookup(rqstp, idtoname_lookup, &key, nn->idtoname_cache, &item); 581 if (ret == -ENOENT) 582 return encode_ascii_id(id, p, buflen); 583 if (ret) 584 return nfserrno(ret); 585 ret = strlen(item->name); 586 WARN_ON_ONCE(ret > IDMAP_NAMESZ); 587 bytes = 4 + (XDR_QUADLEN(ret) << 2); 588 if (bytes > *buflen) 589 return nfserr_resource; 590 *p = xdr_encode_opaque(*p, item->name, ret); 591 *buflen -= bytes; 592 cache_put(&item->h, nn->idtoname_cache); 593 return 0; 594 } 595 596 static bool 597 numeric_name_to_id(struct svc_rqst *rqstp, int type, const char *name, u32 namelen, u32 *id) 598 { 599 int ret; 600 char buf[11]; 601 602 if (namelen + 1 > sizeof(buf)) 603 /* too long to represent a 32-bit id: */ 604 return false; 605 /* Just to make sure it's null-terminated: */ 606 memcpy(buf, name, namelen); 607 buf[namelen] = '\0'; 608 ret = kstrtouint(buf, 10, id); 609 return ret == 0; 610 } 611 612 static __be32 613 do_name_to_id(struct svc_rqst *rqstp, int type, const char *name, u32 namelen, u32 *id) 614 { 615 if (nfs4_disable_idmapping && rqstp->rq_cred.cr_flavor < RPC_AUTH_GSS) 616 if (numeric_name_to_id(rqstp, type, name, namelen, id)) 617 return 0; 618 /* 619 * otherwise, fall through and try idmapping, for 620 * backwards compatibility with clients sending names: 621 */ 622 return idmap_name_to_id(rqstp, type, name, namelen, id); 623 } 624 625 static __be32 encode_name_from_id(struct svc_rqst *rqstp, int type, u32 id, __be32 **p, int *buflen) 626 { 627 if (nfs4_disable_idmapping && rqstp->rq_cred.cr_flavor < RPC_AUTH_GSS) 628 return encode_ascii_id(id, p, buflen); 629 return idmap_id_to_name(rqstp, type, id, p, buflen); 630 } 631 632 __be32 633 nfsd_map_name_to_uid(struct svc_rqst *rqstp, const char *name, size_t namelen, 634 kuid_t *uid) 635 { 636 __be32 status; 637 u32 id = -1; 638 status = do_name_to_id(rqstp, IDMAP_TYPE_USER, name, namelen, &id); 639 *uid = make_kuid(&init_user_ns, id); 640 if (!uid_valid(*uid)) 641 status = nfserr_badowner; 642 return status; 643 } 644 645 __be32 646 nfsd_map_name_to_gid(struct svc_rqst *rqstp, const char *name, size_t namelen, 647 kgid_t *gid) 648 { 649 __be32 status; 650 u32 id = -1; 651 status = do_name_to_id(rqstp, IDMAP_TYPE_GROUP, name, namelen, &id); 652 *gid = make_kgid(&init_user_ns, id); 653 if (!gid_valid(*gid)) 654 status = nfserr_badowner; 655 return status; 656 } 657 658 __be32 nfsd4_encode_user(struct svc_rqst *rqstp, kuid_t uid, __be32 **p, int *buflen) 659 { 660 u32 id = from_kuid(&init_user_ns, uid); 661 return encode_name_from_id(rqstp, IDMAP_TYPE_USER, id, p, buflen); 662 } 663 664 __be32 nfsd4_encode_group(struct svc_rqst *rqstp, kgid_t gid, __be32 **p, int *buflen) 665 { 666 u32 id = from_kgid(&init_user_ns, gid); 667 return encode_name_from_id(rqstp, IDMAP_TYPE_GROUP, id, p, buflen); 668 } 669