1 /* 2 * Mapping of UID/GIDs to name and vice versa. 3 * 4 * Copyright (c) 2002, 2003 The Regents of the University of 5 * Michigan. All rights reserved. 6 * 7 * Marius Aamodt Eriksen <marius@umich.edu> 8 * 9 * Redistribution and use in source and binary forms, with or without 10 * modification, are permitted provided that the following conditions 11 * are met: 12 * 13 * 1. Redistributions of source code must retain the above copyright 14 * notice, this list of conditions and the following disclaimer. 15 * 2. Redistributions in binary form must reproduce the above copyright 16 * notice, this list of conditions and the following disclaimer in the 17 * documentation and/or other materials provided with the distribution. 18 * 3. Neither the name of the University nor the names of its 19 * contributors may be used to endorse or promote products derived 20 * from this software without specific prior written permission. 21 * 22 * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED 23 * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF 24 * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 25 * DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE 26 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 27 * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF 28 * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR 29 * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF 30 * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING 31 * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS 32 * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 33 */ 34 35 #include <linux/module.h> 36 #include <linux/seq_file.h> 37 #include <linux/sched.h> 38 #include <linux/slab.h> 39 #include <linux/sunrpc/svc_xprt.h> 40 #include <net/net_namespace.h> 41 #include "idmap.h" 42 #include "nfsd.h" 43 #include "netns.h" 44 #include "vfs.h" 45 46 /* 47 * Turn off idmapping when using AUTH_SYS. 48 */ 49 static bool nfs4_disable_idmapping = true; 50 module_param(nfs4_disable_idmapping, bool, 0644); 51 MODULE_PARM_DESC(nfs4_disable_idmapping, 52 "Turn off server's NFSv4 idmapping when using 'sec=sys'"); 53 54 /* 55 * Cache entry 56 */ 57 58 /* 59 * XXX we know that IDMAP_NAMESZ < PAGE_SIZE, but it's ugly to rely on 60 * that. 61 */ 62 63 struct ent { 64 struct cache_head h; 65 int type; /* User / Group */ 66 u32 id; 67 char name[IDMAP_NAMESZ]; 68 char authname[IDMAP_NAMESZ]; 69 struct rcu_head rcu_head; 70 }; 71 72 /* Common entry handling */ 73 74 #define ENT_HASHBITS 8 75 #define ENT_HASHMAX (1 << ENT_HASHBITS) 76 77 static void 78 ent_init(struct cache_head *cnew, struct cache_head *citm) 79 { 80 struct ent *new = container_of(cnew, struct ent, h); 81 struct ent *itm = container_of(citm, struct ent, h); 82 83 new->id = itm->id; 84 new->type = itm->type; 85 86 strscpy(new->name, itm->name, sizeof(new->name)); 87 strscpy(new->authname, itm->authname, sizeof(new->authname)); 88 } 89 90 static void 91 ent_put(struct kref *ref) 92 { 93 struct ent *map = container_of(ref, struct ent, h.ref); 94 kfree_rcu(map, rcu_head); 95 } 96 97 static struct cache_head * 98 ent_alloc(void) 99 { 100 struct ent *e = kmalloc(sizeof(*e), GFP_KERNEL); 101 if (e) 102 return &e->h; 103 else 104 return NULL; 105 } 106 107 /* 108 * ID -> Name cache 109 */ 110 111 static uint32_t 112 idtoname_hash(struct ent *ent) 113 { 114 uint32_t hash; 115 116 hash = hash_str(ent->authname, ENT_HASHBITS); 117 hash = hash_long(hash ^ ent->id, ENT_HASHBITS); 118 119 /* Flip LSB for user/group */ 120 if (ent->type == IDMAP_TYPE_GROUP) 121 hash ^= 1; 122 123 return hash; 124 } 125 126 static int 127 idtoname_upcall(struct cache_detail *cd, struct cache_head *h) 128 { 129 return sunrpc_cache_pipe_upcall_timeout(cd, h); 130 } 131 132 static void 133 idtoname_request(struct cache_detail *cd, struct cache_head *ch, char **bpp, 134 int *blen) 135 { 136 struct ent *ent = container_of(ch, struct ent, h); 137 char idstr[11]; 138 139 qword_add(bpp, blen, ent->authname); 140 snprintf(idstr, sizeof(idstr), "%u", ent->id); 141 qword_add(bpp, blen, ent->type == IDMAP_TYPE_GROUP ? "group" : "user"); 142 qword_add(bpp, blen, idstr); 143 144 (*bpp)[-1] = '\n'; 145 } 146 147 static int 148 idtoname_match(struct cache_head *ca, struct cache_head *cb) 149 { 150 struct ent *a = container_of(ca, struct ent, h); 151 struct ent *b = container_of(cb, struct ent, h); 152 153 return (a->id == b->id && a->type == b->type && 154 strcmp(a->authname, b->authname) == 0); 155 } 156 157 static int 158 idtoname_show(struct seq_file *m, struct cache_detail *cd, struct cache_head *h) 159 { 160 struct ent *ent; 161 162 if (h == NULL) { 163 seq_puts(m, "#domain type id [name]\n"); 164 return 0; 165 } 166 ent = container_of(h, struct ent, h); 167 seq_printf(m, "%s %s %u", ent->authname, 168 ent->type == IDMAP_TYPE_GROUP ? "group" : "user", 169 ent->id); 170 if (test_bit(CACHE_VALID, &h->flags)) 171 seq_printf(m, " %s", ent->name); 172 seq_putc(m, '\n'); 173 return 0; 174 } 175 176 static void 177 warn_no_idmapd(struct cache_detail *detail, int has_died) 178 { 179 printk("nfsd: nfsv4 idmapping failing: has idmapd %s?\n", 180 has_died ? "died" : "not been started"); 181 } 182 183 184 static int idtoname_parse(struct cache_detail *, char *, int); 185 static struct ent *idtoname_lookup(struct cache_detail *, struct ent *); 186 static struct ent *idtoname_update(struct cache_detail *, struct ent *, 187 struct ent *); 188 189 static const struct cache_detail idtoname_cache_template = { 190 .owner = THIS_MODULE, 191 .hash_size = ENT_HASHMAX, 192 .name = "nfs4.idtoname", 193 .cache_put = ent_put, 194 .cache_upcall = idtoname_upcall, 195 .cache_request = idtoname_request, 196 .cache_parse = idtoname_parse, 197 .cache_show = idtoname_show, 198 .warn_no_listener = warn_no_idmapd, 199 .match = idtoname_match, 200 .init = ent_init, 201 .update = ent_init, 202 .alloc = ent_alloc, 203 }; 204 205 static int 206 idtoname_parse(struct cache_detail *cd, char *buf, int buflen) 207 { 208 struct ent ent, *res; 209 char *buf1, *bp; 210 int len; 211 int error = -EINVAL; 212 213 if (buf[buflen - 1] != '\n') 214 return (-EINVAL); 215 buf[buflen - 1]= '\0'; 216 217 buf1 = kmalloc(PAGE_SIZE, GFP_KERNEL); 218 if (buf1 == NULL) 219 return (-ENOMEM); 220 221 memset(&ent, 0, sizeof(ent)); 222 223 /* Authentication name */ 224 len = qword_get(&buf, buf1, PAGE_SIZE); 225 if (len <= 0 || len >= IDMAP_NAMESZ) 226 goto out; 227 memcpy(ent.authname, buf1, sizeof(ent.authname)); 228 229 /* Type */ 230 if (qword_get(&buf, buf1, PAGE_SIZE) <= 0) 231 goto out; 232 ent.type = strcmp(buf1, "user") == 0 ? 233 IDMAP_TYPE_USER : IDMAP_TYPE_GROUP; 234 235 /* ID */ 236 if (qword_get(&buf, buf1, PAGE_SIZE) <= 0) 237 goto out; 238 ent.id = simple_strtoul(buf1, &bp, 10); 239 if (bp == buf1) 240 goto out; 241 242 /* expiry */ 243 error = get_expiry(&buf, &ent.h.expiry_time); 244 if (error) 245 goto out; 246 247 error = -ENOMEM; 248 res = idtoname_lookup(cd, &ent); 249 if (!res) 250 goto out; 251 252 /* Name */ 253 error = -EINVAL; 254 len = qword_get(&buf, buf1, PAGE_SIZE); 255 if (len < 0 || len >= IDMAP_NAMESZ) 256 goto out; 257 if (len == 0) 258 set_bit(CACHE_NEGATIVE, &ent.h.flags); 259 else 260 memcpy(ent.name, buf1, sizeof(ent.name)); 261 error = -ENOMEM; 262 res = idtoname_update(cd, &ent, res); 263 if (res == NULL) 264 goto out; 265 266 cache_put(&res->h, cd); 267 error = 0; 268 out: 269 kfree(buf1); 270 return error; 271 } 272 273 static struct ent * 274 idtoname_lookup(struct cache_detail *cd, struct ent *item) 275 { 276 struct cache_head *ch = sunrpc_cache_lookup_rcu(cd, &item->h, 277 idtoname_hash(item)); 278 if (ch) 279 return container_of(ch, struct ent, h); 280 else 281 return NULL; 282 } 283 284 static struct ent * 285 idtoname_update(struct cache_detail *cd, struct ent *new, struct ent *old) 286 { 287 struct cache_head *ch = sunrpc_cache_update(cd, &new->h, &old->h, 288 idtoname_hash(new)); 289 if (ch) 290 return container_of(ch, struct ent, h); 291 else 292 return NULL; 293 } 294 295 296 /* 297 * Name -> ID cache 298 */ 299 300 static inline int 301 nametoid_hash(struct ent *ent) 302 { 303 return hash_str(ent->name, ENT_HASHBITS); 304 } 305 306 static int 307 nametoid_upcall(struct cache_detail *cd, struct cache_head *h) 308 { 309 return sunrpc_cache_pipe_upcall_timeout(cd, h); 310 } 311 312 static void 313 nametoid_request(struct cache_detail *cd, struct cache_head *ch, char **bpp, 314 int *blen) 315 { 316 struct ent *ent = container_of(ch, struct ent, h); 317 318 qword_add(bpp, blen, ent->authname); 319 qword_add(bpp, blen, ent->type == IDMAP_TYPE_GROUP ? "group" : "user"); 320 qword_add(bpp, blen, ent->name); 321 322 (*bpp)[-1] = '\n'; 323 } 324 325 static int 326 nametoid_match(struct cache_head *ca, struct cache_head *cb) 327 { 328 struct ent *a = container_of(ca, struct ent, h); 329 struct ent *b = container_of(cb, struct ent, h); 330 331 return (a->type == b->type && strcmp(a->name, b->name) == 0 && 332 strcmp(a->authname, b->authname) == 0); 333 } 334 335 static int 336 nametoid_show(struct seq_file *m, struct cache_detail *cd, struct cache_head *h) 337 { 338 struct ent *ent; 339 340 if (h == NULL) { 341 seq_puts(m, "#domain type name [id]\n"); 342 return 0; 343 } 344 ent = container_of(h, struct ent, h); 345 seq_printf(m, "%s %s %s", ent->authname, 346 ent->type == IDMAP_TYPE_GROUP ? "group" : "user", 347 ent->name); 348 if (test_bit(CACHE_VALID, &h->flags)) 349 seq_printf(m, " %u", ent->id); 350 seq_putc(m, '\n'); 351 return 0; 352 } 353 354 static struct ent *nametoid_lookup(struct cache_detail *, struct ent *); 355 static struct ent *nametoid_update(struct cache_detail *, struct ent *, 356 struct ent *); 357 static int nametoid_parse(struct cache_detail *, char *, int); 358 359 static const struct cache_detail nametoid_cache_template = { 360 .owner = THIS_MODULE, 361 .hash_size = ENT_HASHMAX, 362 .name = "nfs4.nametoid", 363 .cache_put = ent_put, 364 .cache_upcall = nametoid_upcall, 365 .cache_request = nametoid_request, 366 .cache_parse = nametoid_parse, 367 .cache_show = nametoid_show, 368 .warn_no_listener = warn_no_idmapd, 369 .match = nametoid_match, 370 .init = ent_init, 371 .update = ent_init, 372 .alloc = ent_alloc, 373 }; 374 375 static int 376 nametoid_parse(struct cache_detail *cd, char *buf, int buflen) 377 { 378 struct ent ent, *res; 379 char *buf1; 380 int len, error = -EINVAL; 381 382 if (buf[buflen - 1] != '\n') 383 return (-EINVAL); 384 buf[buflen - 1]= '\0'; 385 386 buf1 = kmalloc(PAGE_SIZE, GFP_KERNEL); 387 if (buf1 == NULL) 388 return (-ENOMEM); 389 390 memset(&ent, 0, sizeof(ent)); 391 392 /* Authentication name */ 393 len = qword_get(&buf, buf1, PAGE_SIZE); 394 if (len <= 0 || len >= IDMAP_NAMESZ) 395 goto out; 396 memcpy(ent.authname, buf1, sizeof(ent.authname)); 397 398 /* Type */ 399 if (qword_get(&buf, buf1, PAGE_SIZE) <= 0) 400 goto out; 401 ent.type = strcmp(buf1, "user") == 0 ? 402 IDMAP_TYPE_USER : IDMAP_TYPE_GROUP; 403 404 /* Name */ 405 len = qword_get(&buf, buf1, PAGE_SIZE); 406 if (len <= 0 || len >= IDMAP_NAMESZ) 407 goto out; 408 memcpy(ent.name, buf1, sizeof(ent.name)); 409 410 /* expiry */ 411 error = get_expiry(&buf, &ent.h.expiry_time); 412 if (error) 413 goto out; 414 415 /* ID */ 416 error = get_int(&buf, &ent.id); 417 if (error == -EINVAL) 418 goto out; 419 if (error == -ENOENT) 420 set_bit(CACHE_NEGATIVE, &ent.h.flags); 421 422 error = -ENOMEM; 423 res = nametoid_lookup(cd, &ent); 424 if (res == NULL) 425 goto out; 426 res = nametoid_update(cd, &ent, res); 427 if (res == NULL) 428 goto out; 429 430 cache_put(&res->h, cd); 431 error = 0; 432 out: 433 kfree(buf1); 434 return (error); 435 } 436 437 438 static struct ent * 439 nametoid_lookup(struct cache_detail *cd, struct ent *item) 440 { 441 struct cache_head *ch = sunrpc_cache_lookup_rcu(cd, &item->h, 442 nametoid_hash(item)); 443 if (ch) 444 return container_of(ch, struct ent, h); 445 else 446 return NULL; 447 } 448 449 static struct ent * 450 nametoid_update(struct cache_detail *cd, struct ent *new, struct ent *old) 451 { 452 struct cache_head *ch = sunrpc_cache_update(cd, &new->h, &old->h, 453 nametoid_hash(new)); 454 if (ch) 455 return container_of(ch, struct ent, h); 456 else 457 return NULL; 458 } 459 460 /* 461 * Exported API 462 */ 463 464 int 465 nfsd_idmap_init(struct net *net) 466 { 467 int rv; 468 struct nfsd_net *nn = net_generic(net, nfsd_net_id); 469 470 nn->idtoname_cache = cache_create_net(&idtoname_cache_template, net); 471 if (IS_ERR(nn->idtoname_cache)) 472 return PTR_ERR(nn->idtoname_cache); 473 rv = cache_register_net(nn->idtoname_cache, net); 474 if (rv) 475 goto destroy_idtoname_cache; 476 nn->nametoid_cache = cache_create_net(&nametoid_cache_template, net); 477 if (IS_ERR(nn->nametoid_cache)) { 478 rv = PTR_ERR(nn->nametoid_cache); 479 goto unregister_idtoname_cache; 480 } 481 rv = cache_register_net(nn->nametoid_cache, net); 482 if (rv) 483 goto destroy_nametoid_cache; 484 return 0; 485 486 destroy_nametoid_cache: 487 cache_destroy_net(nn->nametoid_cache, net); 488 unregister_idtoname_cache: 489 cache_unregister_net(nn->idtoname_cache, net); 490 destroy_idtoname_cache: 491 cache_destroy_net(nn->idtoname_cache, net); 492 return rv; 493 } 494 495 void 496 nfsd_idmap_shutdown(struct net *net) 497 { 498 struct nfsd_net *nn = net_generic(net, nfsd_net_id); 499 500 cache_unregister_net(nn->idtoname_cache, net); 501 cache_unregister_net(nn->nametoid_cache, net); 502 cache_destroy_net(nn->idtoname_cache, net); 503 cache_destroy_net(nn->nametoid_cache, net); 504 } 505 506 static int 507 idmap_lookup(struct svc_rqst *rqstp, 508 struct ent *(*lookup_fn)(struct cache_detail *, struct ent *), 509 struct ent *key, struct cache_detail *detail, struct ent **item) 510 { 511 int ret; 512 513 *item = lookup_fn(detail, key); 514 if (!*item) 515 return -ENOMEM; 516 retry: 517 ret = cache_check(detail, &(*item)->h, &rqstp->rq_chandle); 518 519 if (ret == -ETIMEDOUT) { 520 struct ent *prev_item = *item; 521 *item = lookup_fn(detail, key); 522 if (*item != prev_item) 523 goto retry; 524 cache_put(&(*item)->h, detail); 525 } 526 return ret; 527 } 528 529 static char * 530 rqst_authname(struct svc_rqst *rqstp) 531 { 532 struct auth_domain *clp; 533 534 clp = rqstp->rq_gssclient ? rqstp->rq_gssclient : rqstp->rq_client; 535 return clp->name; 536 } 537 538 static __be32 539 idmap_name_to_id(struct svc_rqst *rqstp, int type, const char *name, u32 namelen, 540 u32 *id) 541 { 542 struct ent *item, key = { 543 .type = type, 544 }; 545 int ret; 546 struct nfsd_net *nn = net_generic(SVC_NET(rqstp), nfsd_net_id); 547 548 if (namelen + 1 > sizeof(key.name)) 549 return nfserr_badowner; 550 memcpy(key.name, name, namelen); 551 key.name[namelen] = '\0'; 552 strscpy(key.authname, rqst_authname(rqstp), sizeof(key.authname)); 553 ret = idmap_lookup(rqstp, nametoid_lookup, &key, nn->nametoid_cache, &item); 554 if (ret == -ENOENT) 555 return nfserr_badowner; 556 if (ret) 557 return nfserrno(ret); 558 *id = item->id; 559 cache_put(&item->h, nn->nametoid_cache); 560 return 0; 561 } 562 563 static __be32 encode_ascii_id(struct xdr_stream *xdr, u32 id) 564 { 565 char buf[11]; 566 int len; 567 __be32 *p; 568 569 len = sprintf(buf, "%u", id); 570 p = xdr_reserve_space(xdr, len + 4); 571 if (!p) 572 return nfserr_resource; 573 p = xdr_encode_opaque(p, buf, len); 574 return 0; 575 } 576 577 static __be32 idmap_id_to_name(struct xdr_stream *xdr, 578 struct svc_rqst *rqstp, int type, u32 id) 579 { 580 struct ent *item, key = { 581 .id = id, 582 .type = type, 583 }; 584 __be32 *p; 585 int ret; 586 struct nfsd_net *nn = net_generic(SVC_NET(rqstp), nfsd_net_id); 587 588 strscpy(key.authname, rqst_authname(rqstp), sizeof(key.authname)); 589 ret = idmap_lookup(rqstp, idtoname_lookup, &key, nn->idtoname_cache, &item); 590 if (ret == -ENOENT) 591 return encode_ascii_id(xdr, id); 592 if (ret) 593 return nfserrno(ret); 594 ret = strlen(item->name); 595 WARN_ON_ONCE(ret > IDMAP_NAMESZ); 596 p = xdr_reserve_space(xdr, ret + 4); 597 if (!p) 598 return nfserr_resource; 599 p = xdr_encode_opaque(p, item->name, ret); 600 cache_put(&item->h, nn->idtoname_cache); 601 return 0; 602 } 603 604 static bool 605 numeric_name_to_id(struct svc_rqst *rqstp, int type, const char *name, u32 namelen, u32 *id) 606 { 607 int ret; 608 char buf[11]; 609 610 if (namelen + 1 > sizeof(buf)) 611 /* too long to represent a 32-bit id: */ 612 return false; 613 /* Just to make sure it's null-terminated: */ 614 memcpy(buf, name, namelen); 615 buf[namelen] = '\0'; 616 ret = kstrtouint(buf, 10, id); 617 return ret == 0; 618 } 619 620 static __be32 621 do_name_to_id(struct svc_rqst *rqstp, int type, const char *name, u32 namelen, u32 *id) 622 { 623 if (nfs4_disable_idmapping && rqstp->rq_cred.cr_flavor < RPC_AUTH_GSS) 624 if (numeric_name_to_id(rqstp, type, name, namelen, id)) 625 return 0; 626 /* 627 * otherwise, fall through and try idmapping, for 628 * backwards compatibility with clients sending names: 629 */ 630 return idmap_name_to_id(rqstp, type, name, namelen, id); 631 } 632 633 static __be32 encode_name_from_id(struct xdr_stream *xdr, 634 struct svc_rqst *rqstp, int type, u32 id) 635 { 636 if (nfs4_disable_idmapping && rqstp->rq_cred.cr_flavor < RPC_AUTH_GSS) 637 return encode_ascii_id(xdr, id); 638 return idmap_id_to_name(xdr, rqstp, type, id); 639 } 640 641 __be32 642 nfsd_map_name_to_uid(struct svc_rqst *rqstp, const char *name, size_t namelen, 643 kuid_t *uid) 644 { 645 __be32 status; 646 u32 id = -1; 647 648 if (name == NULL || namelen == 0) 649 return nfserr_inval; 650 651 status = do_name_to_id(rqstp, IDMAP_TYPE_USER, name, namelen, &id); 652 *uid = make_kuid(nfsd_user_namespace(rqstp), id); 653 if (!uid_valid(*uid)) 654 status = nfserr_badowner; 655 return status; 656 } 657 658 __be32 659 nfsd_map_name_to_gid(struct svc_rqst *rqstp, const char *name, size_t namelen, 660 kgid_t *gid) 661 { 662 __be32 status; 663 u32 id = -1; 664 665 if (name == NULL || namelen == 0) 666 return nfserr_inval; 667 668 status = do_name_to_id(rqstp, IDMAP_TYPE_GROUP, name, namelen, &id); 669 *gid = make_kgid(nfsd_user_namespace(rqstp), id); 670 if (!gid_valid(*gid)) 671 status = nfserr_badowner; 672 return status; 673 } 674 675 __be32 nfsd4_encode_user(struct xdr_stream *xdr, struct svc_rqst *rqstp, 676 kuid_t uid) 677 { 678 u32 id = from_kuid_munged(nfsd_user_namespace(rqstp), uid); 679 return encode_name_from_id(xdr, rqstp, IDMAP_TYPE_USER, id); 680 } 681 682 __be32 nfsd4_encode_group(struct xdr_stream *xdr, struct svc_rqst *rqstp, 683 kgid_t gid) 684 { 685 u32 id = from_kgid_munged(nfsd_user_namespace(rqstp), gid); 686 return encode_name_from_id(xdr, rqstp, IDMAP_TYPE_GROUP, id); 687 } 688