xref: /illumos-gate/usr/src/uts/common/nfs/auth.h (revision 7d46dc6c) 
1 /*
2  * CDDL HEADER START
3  *
4  * The contents of this file are subject to the terms of the
5  * Common Development and Distribution License (the "License").
6  * You may not use this file except in compliance with the License.
7  *
8  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9  * or http://www.opensolaris.org/os/licensing.
10  * See the License for the specific language governing permissions
11  * and limitations under the License.
12  *
13  * When distributing Covered Code, include this CDDL HEADER in each
14  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15  * If applicable, add the following below this CDDL HEADER, with the
16  * fields enclosed by brackets "[]" replaced with your own identifying
17  * information: Portions Copyright [yyyy] [name of copyright owner]
18  *
19  * CDDL HEADER END
20  */
21 /*
22  * Copyright 2006 Sun Microsystems, Inc.  All rights reserved.
23  * Use is subject to license terms.
24  */
25 /*
26  * Copyright 2014 Nexenta Systems, Inc.  All rights reserved.
27  */
28 
29 #ifndef _AUTH_H
30 #define	_AUTH_H
31 
32 /*
33  * nfsauth_prot.x (The NFSAUTH Protocol)
34  *
35  * This protocol is used by the kernel to authorize NFS clients. This svc
36  * lives in the mount daemon and checks the client's access for an export
37  * with a given authentication flavor.
38  *
39  * The status result determines what kind of access the client is permitted.
40  *
41  * The result is cached in the kernel, so the authorization call will be
42  * made only the first time the client mounts the filesystem.
43  *
44  * const A_MAXPATH	= 1024;
45  *
46  * struct auth_req {
47  * 	netobj 	req_client;		# client's address
48  * 	string	req_netid<>;		# Netid of address
49  * 	string	req_path<A_MAXPATH>;	# export path
50  * 	int	req_flavor;		# auth flavor
51  *	uid_t	req_clnt_uid;		# client's uid
52  *	gid_t	req_clnt_gid;		# client's gid
53  * };
54  *
55  * const NFSAUTH_DENIED	  = 0x01;	# Access denied
56  * const NFSAUTH_RO	  = 0x02;	# Read-only
57  * const NFSAUTH_RW	  = 0x04;	# Read-write
58  * const NFSAUTH_ROOT	  = 0x08;	# Root access
59  * const NFSAUTH_WRONGSEC = 0x10;	# Advise NFS v4 clients to
60  * 					# try a different flavor
61  * const NFSAUTH_UIDMAP   = 0x100;	# uid mapped
62  * const NFSAUTH_GIDMAP   = 0x200;	# gid mapped
63  * #
64  * # The following are not part of the protocol.
65  * #
66  * const NFSAUTH_DROP	 = 0x20;	# Drop request
67  * const NFSAUTH_MAPNONE = 0x40;	# Mapped flavor to AUTH_NONE
68  * const NFSAUTH_LIMITED = 0x80;	# Access limited to visible nodes
69  *
70  * struct auth_res {
71  * 	int auth_perm;
72  *	uid_t	auth_srv_uid;
73  *	gid_t	auth_srv_gid;
74  * };
75  *
76  * program NFSAUTH_PROG {
77  * 	version NFSAUTH_VERS {
78  *		#
79  *		# Authorization Request
80  *		#
81  * 		auth_res
82  * 		NFSAUTH_ACCESS(auth_req) = 1;
83  *
84  * 	} = 1;
85  * } = 100231;
86  */
87 
88 #ifndef _KERNEL
89 #include <stddef.h>
90 #endif
91 #include <sys/sysmacros.h>
92 #include <sys/types.h>
93 #include <rpc/xdr.h>
94 
95 #ifdef	__cplusplus
96 extern "C" {
97 #endif
98 
99 
100 /* --8<-- Start: nfsauth_prot.x definitions --8<-- */
101 
102 #define	A_MAXPATH		1024
103 
104 #define	NFSAUTH_ACCESS		1
105 
106 #define	NFSAUTH_DENIED		0x01
107 #define	NFSAUTH_RO		0x02
108 #define	NFSAUTH_RW		0x04
109 #define	NFSAUTH_ROOT		0x08
110 #define	NFSAUTH_WRONGSEC	0x10
111 #define	NFSAUTH_DROP		0x20
112 #define	NFSAUTH_MAPNONE		0x40
113 #define	NFSAUTH_LIMITED		0x80
114 #define	NFSAUTH_UIDMAP		0x100
115 #define	NFSAUTH_GIDMAP		0x200
116 
117 struct auth_req {
118 	netobj	 req_client;
119 	char	*req_netid;
120 	char	*req_path;
121 	int	 req_flavor;
122 	uid_t	 req_clnt_uid;
123 	gid_t	 req_clnt_gid;
124 };
125 typedef struct auth_req auth_req;
126 
127 struct auth_res {
128 	int	auth_perm;
129 	uid_t	auth_srv_uid;
130 	gid_t	auth_srv_gid;
131 };
132 typedef struct auth_res auth_res;
133 
134 /* --8<-- End: nfsauth_prot.x definitions --8<-- */
135 
136 
137 #define	NFSAUTH_DR_OKAY		0x0	/* success */
138 #define	NFSAUTH_DR_BADCMD	0x100	/* NFSAUTH_ACCESS is only cmd allowed */
139 #define	NFSAUTH_DR_DECERR	0x200	/* mountd could not decode arguments */
140 #define	NFSAUTH_DR_EFAIL	0x400	/* mountd could not encode results */
141 #define	NFSAUTH_DR_TRYCNT	5	/* door handle acquisition retry cnt */
142 
143 #if defined(DEBUG) && !defined(_KERNEL)
144 #define	MOUNTD_DOOR		"/var/run/mountd_door"
145 #endif
146 
147 /*
148  * Only cmd is added to the args. We need to know "what" we want
149  * the daemon to do for us. Also, 'stat' returns the status from
150  * the daemon down to the kernel in addition to perms.
151  */
152 struct nfsauth_arg {
153 	uint_t		cmd;
154 	auth_req	areq;
155 };
156 typedef struct nfsauth_arg nfsauth_arg_t;
157 
158 struct nfsauth_res {
159 	uint_t		stat;
160 	auth_res	ares;
161 };
162 typedef struct nfsauth_res nfsauth_res_t;
163 
164 /*
165  * For future extensibility, we version the data structures so
166  * future incantations of mountd(1m) will know how to XDR decode
167  * the arguments.
168  */
169 enum vtypes {
170 	V_ERROR = 0,
171 	V_PROTO = 1
172 };
173 typedef enum vtypes vtypes;
174 
175 typedef struct varg {
176 	uint_t	vers;
177 	union {
178 		nfsauth_arg_t	arg;
179 		/* additional args versions go here */
180 	} arg_u;
181 } varg_t;
182 
183 extern bool_t	xdr_varg(XDR *, varg_t *);
184 extern bool_t	xdr_nfsauth_arg(XDR *, nfsauth_arg_t *);
185 extern bool_t	xdr_nfsauth_res(XDR *, nfsauth_res_t *);
186 
187 #ifdef	__cplusplus
188 }
189 #endif
190 
191 #endif /* _AUTH_H */
192