Branch data     Line data    Source code

       1                 :            : /* SPDX-License-Identifier: GPL-2.0 */
       2                 :            : /*
       3                 :            :  * linux/include/linux/sunrpc/svcauth.h
       4                 :            :  *
       5                 :            :  * RPC server-side authentication stuff.
       6                 :            :  *
       7                 :            :  * Copyright (C) 1995, 1996 Olaf Kirch <okir@monad.swb.de>
       8                 :            :  */
       9                 :            : 
      10                 :            : #ifndef _LINUX_SUNRPC_SVCAUTH_H_
      11                 :            : #define _LINUX_SUNRPC_SVCAUTH_H_
      12                 :            : 
      13                 :            : #ifdef __KERNEL__
      14                 :            : 
      15                 :            : #include <linux/string.h>
      16                 :            : #include <linux/sunrpc/msg_prot.h>
      17                 :            : #include <linux/sunrpc/cache.h>
      18                 :            : #include <linux/sunrpc/gss_api.h>
      19                 :            : #include <linux/hash.h>
      20                 :            : #include <linux/stringhash.h>
      21                 :            : #include <linux/cred.h>
      22                 :            : 
      23                 :            : struct svc_cred {
      24                 :            :         kuid_t                  cr_uid;
      25                 :            :         kgid_t                  cr_gid;
      26                 :            :         struct group_info       *cr_group_info;
      27                 :            :         u32                     cr_flavor; /* pseudoflavor */
      28                 :            :         /* name of form servicetype/hostname@REALM, passed down by
      29                 :            :          * gss-proxy: */
      30                 :            :         char                    *cr_raw_principal;
      31                 :            :         /* name of form servicetype@hostname, passed down by
      32                 :            :          * rpc.svcgssd, or computed from the above: */
      33                 :            :         char                    *cr_principal;
      34                 :            :         char                    *cr_targ_princ;
      35                 :            :         struct gss_api_mech     *cr_gss_mech;
      36                 :            : };
      37                 :            : 
      38                 :            : static inline void init_svc_cred(struct svc_cred *cred)
      39                 :            : {
      40                 :          0 :         cred->cr_group_info = NULL;
      41                 :          0 :         cred->cr_raw_principal = NULL;
      42                 :          0 :         cred->cr_principal = NULL;
      43                 :          0 :         cred->cr_targ_princ = NULL;
      44                 :          0 :         cred->cr_gss_mech = NULL;
      45                 :            : }
      46                 :            : 
      47                 :          0 : static inline void free_svc_cred(struct svc_cred *cred)
      48                 :            : {
      49                 :          0 :         if (cred->cr_group_info)
      50                 :          0 :                 put_group_info(cred->cr_group_info);
      51                 :          0 :         kfree(cred->cr_raw_principal);
      52                 :          0 :         kfree(cred->cr_principal);
      53                 :          0 :         kfree(cred->cr_targ_princ);
      54                 :          0 :         gss_mech_put(cred->cr_gss_mech);
      55                 :            :         init_svc_cred(cred);
      56                 :          0 : }
      57                 :            : 
      58                 :            : struct svc_rqst;                /* forward decl */
      59                 :            : struct in6_addr;
      60                 :            : 
      61                 :            : /* Authentication is done in the context of a domain.
      62                 :            :  *
      63                 :            :  * Currently, the nfs server uses the auth_domain to stand
      64                 :            :  * for the "client" listed in /etc/exports.
      65                 :            :  *
      66                 :            :  * More generally, a domain might represent a group of clients using
      67                 :            :  * a common mechanism for authentication and having a common mapping
      68                 :            :  * between local identity (uid) and network identity.  All clients
      69                 :            :  * in a domain have similar general access rights.  Each domain can
      70                 :            :  * contain multiple principals which will have different specific right
      71                 :            :  * based on normal Discretionary Access Control.
      72                 :            :  *
      73                 :            :  * A domain is created by an authentication flavour module based on name
      74                 :            :  * only.  Userspace then fills in detail on demand.
      75                 :            :  *
      76                 :            :  * In the case of auth_unix and auth_null, the auth_domain is also
      77                 :            :  * associated with entries in another cache representing the mapping
      78                 :            :  * of ip addresses to the given client.
      79                 :            :  */
      80                 :            : struct auth_domain {
      81                 :            :         struct kref             ref;
      82                 :            :         struct hlist_node       hash;
      83                 :            :         char                    *name;
      84                 :            :         struct auth_ops         *flavour;
      85                 :            :         struct rcu_head         rcu_head;
      86                 :            : };
      87                 :            : 
      88                 :            : /*
      89                 :            :  * Each authentication flavour registers an auth_ops
      90                 :            :  * structure.
      91                 :            :  * name is simply the name.
      92                 :            :  * flavour gives the auth flavour. It determines where the flavour is registered
      93                 :            :  * accept() is given a request and should verify it.
      94                 :            :  *   It should inspect the authenticator and verifier, and possibly the data.
      95                 :            :  *    If there is a problem with the authentication *authp should be set.
      96                 :            :  *    The return value of accept() can indicate:
      97                 :            :  *      OK - authorised. client and credential are set in rqstp.
      98                 :            :  *           reqbuf points to arguments
      99                 :            :  *           resbuf points to good place for results.  verfier
     100                 :            :  *             is (probably) already in place.  Certainly space is
     101                 :            :  *             reserved for it.
     102                 :            :  *      DROP - simply drop the request. It may have been deferred
     103                 :            :  *      GARBAGE - rpc garbage_args error
     104                 :            :  *      SYSERR - rpc system_err error
     105                 :            :  *      DENIED - authp holds reason for denial.
     106                 :            :  *      COMPLETE - the reply is encoded already and ready to be sent; no
     107                 :            :  *              further processing is necessary.  (This is used for processing
     108                 :            :  *              null procedure calls which are used to set up encryption
     109                 :            :  *              contexts.)
     110                 :            :  *
     111                 :            :  *   accept is passed the proc number so that it can accept NULL rpc requests
     112                 :            :  *   even if it cannot authenticate the client (as is sometimes appropriate).
     113                 :            :  *
     114                 :            :  * release() is given a request after the procedure has been run.
     115                 :            :  *  It should sign/encrypt the results if needed
     116                 :            :  * It should return:
     117                 :            :  *    OK - the resbuf is ready to be sent
     118                 :            :  *    DROP - the reply should be quitely dropped
     119                 :            :  *    DENIED - authp holds a reason for MSG_DENIED
     120                 :            :  *    SYSERR - rpc system_err
     121                 :            :  *
     122                 :            :  * domain_release()
     123                 :            :  *   This call releases a domain.
     124                 :            :  * set_client()
     125                 :            :  *   Givens a pending request (struct svc_rqst), finds and assigns
     126                 :            :  *   an appropriate 'auth_domain' as the client.
     127                 :            :  */
     128                 :            : struct auth_ops {
     129                 :            :         char *  name;
     130                 :            :         struct module *owner;
     131                 :            :         int     flavour;
     132                 :            :         int     (*accept)(struct svc_rqst *rq, __be32 *authp);
     133                 :            :         int     (*release)(struct svc_rqst *rq);
     134                 :            :         void    (*domain_release)(struct auth_domain *);
     135                 :            :         int     (*set_client)(struct svc_rqst *rq);
     136                 :            : };
     137                 :            : 
     138                 :            : #define SVC_GARBAGE     1
     139                 :            : #define SVC_SYSERR      2
     140                 :            : #define SVC_VALID       3
     141                 :            : #define SVC_NEGATIVE    4
     142                 :            : #define SVC_OK          5
     143                 :            : #define SVC_DROP        6
     144                 :            : #define SVC_CLOSE       7       /* Like SVC_DROP, but request is definitely
     145                 :            :                                  * lost so if there is a tcp connection, it
     146                 :            :                                  * should be closed
     147                 :            :                                  */
     148                 :            : #define SVC_DENIED      8
     149                 :            : #define SVC_PENDING     9
     150                 :            : #define SVC_COMPLETE    10
     151                 :            : 
     152                 :            : struct svc_xprt;
     153                 :            : 
     154                 :            : extern int      svc_authenticate(struct svc_rqst *rqstp, __be32 *authp);
     155                 :            : extern int      svc_authorise(struct svc_rqst *rqstp);
     156                 :            : extern int      svc_set_client(struct svc_rqst *rqstp);
     157                 :            : extern int      svc_auth_register(rpc_authflavor_t flavor, struct auth_ops *aops);
     158                 :            : extern void     svc_auth_unregister(rpc_authflavor_t flavor);
     159                 :            : 
     160                 :            : extern struct auth_domain *unix_domain_find(char *name);
     161                 :            : extern void auth_domain_put(struct auth_domain *item);
     162                 :            : extern int auth_unix_add_addr(struct net *net, struct in6_addr *addr, struct auth_domain *dom);
     163                 :            : extern struct auth_domain *auth_domain_lookup(char *name, struct auth_domain *new);
     164                 :            : extern struct auth_domain *auth_domain_find(char *name);
     165                 :            : extern struct auth_domain *auth_unix_lookup(struct net *net, struct in6_addr *addr);
     166                 :            : extern int auth_unix_forget_old(struct auth_domain *dom);
     167                 :            : extern void svcauth_unix_purge(struct net *net);
     168                 :            : extern void svcauth_unix_info_release(struct svc_xprt *xpt);
     169                 :            : extern int svcauth_unix_set_client(struct svc_rqst *rqstp);
     170                 :            : 
     171                 :            : extern int unix_gid_cache_create(struct net *net);
     172                 :            : extern void unix_gid_cache_destroy(struct net *net);
     173                 :            : 
     174                 :            : /*
     175                 :            :  * The <stringhash.h> functions are good enough that we don't need to
     176                 :            :  * use hash_32() on them; just extracting the high bits is enough.
     177                 :            :  */
     178                 :            : static inline unsigned long hash_str(char const *name, int bits)
     179                 :            : {
     180                 :          0 :         return hashlen_hash(hashlen_string(NULL, name)) >> (32 - bits);
     181                 :            : }
     182                 :            : 
     183                 :            : static inline unsigned long hash_mem(char const *buf, int length, int bits)
     184                 :            : {
     185                 :          0 :         return full_name_hash(NULL, buf, length) >> (32 - bits);
     186                 :            : }
     187                 :            : 
     188                 :            : #endif /* __KERNEL__ */
     189                 :            : 
     190                 :            : #endif /* _LINUX_SUNRPC_SVCAUTH_H_ */