1 // SPDX-License-Identifier: GPL-2.0 2 /* 3 * linux/net/sunrpc/auth_unix.c 4 * 5 * UNIX-style authentication; no AUTH_SHORT support 6 * 7 * Copyright (C) 1996, Olaf Kirch <okir@monad.swb.de> 8 */ 9 10 #include <linux/slab.h> 11 #include <linux/types.h> 12 #include <linux/sched.h> 13 #include <linux/module.h> 14 #include <linux/mempool.h> 15 #include <linux/sunrpc/clnt.h> 16 #include <linux/sunrpc/auth.h> 17 #include <linux/user_namespace.h> 18 19 20 #if IS_ENABLED(CONFIG_SUNRPC_DEBUG) 21 # define RPCDBG_FACILITY RPCDBG_AUTH 22 #endif 23 24 static struct rpc_auth unix_auth; 25 static const struct rpc_credops unix_credops; 26 static mempool_t *unix_pool; 27 28 static struct rpc_auth * 29 unx_create(const struct rpc_auth_create_args *args, struct rpc_clnt *clnt) 30 { 31 refcount_inc(&unix_auth.au_count); 32 return &unix_auth; 33 } 34 35 static void 36 unx_destroy(struct rpc_auth *auth) 37 { 38 } 39 40 /* 41 * Lookup AUTH_UNIX creds for current process 42 */ 43 static struct rpc_cred * 44 unx_lookup_cred(struct rpc_auth *auth, struct auth_cred *acred, int flags) 45 { 46 struct rpc_cred *ret = mempool_alloc(unix_pool, GFP_NOFS); 47 48 rpcauth_init_cred(ret, acred, auth, &unix_credops); 49 ret->cr_flags = 1UL << RPCAUTH_CRED_UPTODATE; 50 return ret; 51 } 52 53 static void 54 unx_free_cred_callback(struct rcu_head *head) 55 { 56 struct rpc_cred *rpc_cred = container_of(head, struct rpc_cred, cr_rcu); 57 58 put_cred(rpc_cred->cr_cred); 59 mempool_free(rpc_cred, unix_pool); 60 } 61 62 static void 63 unx_destroy_cred(struct rpc_cred *cred) 64 { 65 call_rcu(&cred->cr_rcu, unx_free_cred_callback); 66 } 67 68 /* 69 * Match credentials against current the auth_cred. 70 */ 71 static int 72 unx_match(struct auth_cred *acred, struct rpc_cred *cred, int flags) 73 { 74 unsigned int groups = 0; 75 unsigned int i; 76 77 if (cred->cr_cred == acred->cred) 78 return 1; 79 80 if (!uid_eq(cred->cr_cred->fsuid, acred->cred->fsuid) || !gid_eq(cred->cr_cred->fsgid, acred->cred->fsgid)) 81 return 0; 82 83 if (acred->cred && acred->cred->group_info != NULL) 84 groups = acred->cred->group_info->ngroups; 85 if (groups > UNX_NGROUPS) 86 groups = UNX_NGROUPS; 87 if (cred->cr_cred->group_info == NULL) 88 return groups == 0; 89 if (groups != cred->cr_cred->group_info->ngroups) 90 return 0; 91 92 for (i = 0; i < groups ; i++) 93 if (!gid_eq(cred->cr_cred->group_info->gid[i], acred->cred->group_info->gid[i])) 94 return 0; 95 return 1; 96 } 97 98 /* 99 * Marshal credentials. 100 * Maybe we should keep a cached credential for performance reasons. 101 */ 102 static int 103 unx_marshal(struct rpc_task *task, struct xdr_stream *xdr) 104 { 105 struct rpc_clnt *clnt = task->tk_client; 106 struct rpc_cred *cred = task->tk_rqstp->rq_cred; 107 __be32 *p, *cred_len, *gidarr_len; 108 int i; 109 struct group_info *gi = cred->cr_cred->group_info; 110 111 /* Credential */ 112 113 p = xdr_reserve_space(xdr, 3 * sizeof(*p)); 114 if (!p) 115 goto marshal_failed; 116 *p++ = rpc_auth_unix; 117 cred_len = p++; 118 *p++ = xdr_zero; /* stamp */ 119 if (xdr_stream_encode_opaque(xdr, clnt->cl_nodename, 120 clnt->cl_nodelen) < 0) 121 goto marshal_failed; 122 p = xdr_reserve_space(xdr, 3 * sizeof(*p)); 123 if (!p) 124 goto marshal_failed; 125 *p++ = cpu_to_be32(from_kuid(&init_user_ns, cred->cr_cred->fsuid)); 126 *p++ = cpu_to_be32(from_kgid(&init_user_ns, cred->cr_cred->fsgid)); 127 128 gidarr_len = p++; 129 if (gi) 130 for (i = 0; i < UNX_NGROUPS && i < gi->ngroups; i++) 131 *p++ = cpu_to_be32(from_kgid(&init_user_ns, 132 gi->gid[i])); 133 *gidarr_len = cpu_to_be32(p - gidarr_len - 1); 134 *cred_len = cpu_to_be32((p - cred_len - 1) << 2); 135 p = xdr_reserve_space(xdr, (p - gidarr_len - 1) << 2); 136 if (!p) 137 goto marshal_failed; 138 139 /* Verifier */ 140 141 p = xdr_reserve_space(xdr, 2 * sizeof(*p)); 142 if (!p) 143 goto marshal_failed; 144 *p++ = rpc_auth_null; 145 *p = xdr_zero; 146 147 return 0; 148 149 marshal_failed: 150 return -EMSGSIZE; 151 } 152 153 /* 154 * Refresh credentials. This is a no-op for AUTH_UNIX 155 */ 156 static int 157 unx_refresh(struct rpc_task *task) 158 { 159 set_bit(RPCAUTH_CRED_UPTODATE, &task->tk_rqstp->rq_cred->cr_flags); 160 return 0; 161 } 162 163 static __be32 * 164 unx_validate(struct rpc_task *task, __be32 *p) 165 { 166 rpc_authflavor_t flavor; 167 u32 size; 168 169 flavor = ntohl(*p++); 170 if (flavor != RPC_AUTH_NULL && 171 flavor != RPC_AUTH_UNIX && 172 flavor != RPC_AUTH_SHORT) { 173 printk("RPC: bad verf flavor: %u\n", flavor); 174 return ERR_PTR(-EIO); 175 } 176 177 size = ntohl(*p++); 178 if (size > RPC_MAX_AUTH_SIZE) { 179 printk("RPC: giant verf size: %u\n", size); 180 return ERR_PTR(-EIO); 181 } 182 task->tk_rqstp->rq_cred->cr_auth->au_rslack = (size >> 2) + 2; 183 p += (size >> 2); 184 185 return p; 186 } 187 188 int __init rpc_init_authunix(void) 189 { 190 unix_pool = mempool_create_kmalloc_pool(16, sizeof(struct rpc_cred)); 191 return unix_pool ? 0 : -ENOMEM; 192 } 193 194 void rpc_destroy_authunix(void) 195 { 196 mempool_destroy(unix_pool); 197 } 198 199 const struct rpc_authops authunix_ops = { 200 .owner = THIS_MODULE, 201 .au_flavor = RPC_AUTH_UNIX, 202 .au_name = "UNIX", 203 .create = unx_create, 204 .destroy = unx_destroy, 205 .lookup_cred = unx_lookup_cred, 206 }; 207 208 static 209 struct rpc_auth unix_auth = { 210 .au_cslack = UNX_CALLSLACK, 211 .au_rslack = NUL_REPLYSLACK, 212 .au_ops = &authunix_ops, 213 .au_flavor = RPC_AUTH_UNIX, 214 .au_count = REFCOUNT_INIT(1), 215 }; 216 217 static 218 const struct rpc_credops unix_credops = { 219 .cr_name = "AUTH_UNIX", 220 .crdestroy = unx_destroy_cred, 221 .crmatch = unx_match, 222 .crmarshal = unx_marshal, 223 .crwrap_req = rpcauth_wrap_req_encode, 224 .crrefresh = unx_refresh, 225 .crvalidate = unx_validate, 226 }; 227