1/* 2 * Mapping of UID/GIDs to name and vice versa. 3 * 4 * Copyright (c) 2002, 2003 The Regents of the University of 5 * Michigan. All rights reserved. 6 * 7 * Marius Aamodt Eriksen <marius@umich.edu> 8 * 9 * Redistribution and use in source and binary forms, with or without 10 * modification, are permitted provided that the following conditions 11 * are met: 12 * 13 * 1. Redistributions of source code must retain the above copyright 14 * notice, this list of conditions and the following disclaimer. 15 * 2. Redistributions in binary form must reproduce the above copyright 16 * notice, this list of conditions and the following disclaimer in the 17 * documentation and/or other materials provided with the distribution. 18 * 3. Neither the name of the University nor the names of its 19 * contributors may be used to endorse or promote products derived 20 * from this software without specific prior written permission. 21 * 22 * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED 23 * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF 24 * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 25 * DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE 26 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 27 * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF 28 * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR 29 * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF 30 * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING 31 * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS 32 * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 33 */ 34 35#include <linux/module.h> 36#include <linux/seq_file.h> 37#include <linux/sched.h> 38#include <linux/slab.h> 39#include <linux/sunrpc/svc_xprt.h> 40#include <net/net_namespace.h> 41#include "idmap.h" 42#include "nfsd.h" 43#include "netns.h" 44#include "vfs.h" 45 46/* 47 * Turn off idmapping when using AUTH_SYS. 48 */ 49static bool nfs4_disable_idmapping = true; 50module_param(nfs4_disable_idmapping, bool, 0644); 51MODULE_PARM_DESC(nfs4_disable_idmapping, 52 "Turn off server's NFSv4 idmapping when using 'sec=sys'"); 53 54/* 55 * Cache entry 56 */ 57 58/* 59 * XXX we know that IDMAP_NAMESZ < PAGE_SIZE, but it's ugly to rely on 60 * that. 61 */ 62 63struct ent { 64 struct cache_head h; 65 int type; /* User / Group */ 66 u32 id; 67 char name[IDMAP_NAMESZ]; 68 char authname[IDMAP_NAMESZ]; 69 struct rcu_head rcu_head; 70}; 71 72/* Common entry handling */ 73 74#define ENT_HASHBITS 8 75#define ENT_HASHMAX (1 << ENT_HASHBITS) 76 77static void 78ent_init(struct cache_head *cnew, struct cache_head *citm) 79{ 80 struct ent *new = container_of(cnew, struct ent, h); 81 struct ent *itm = container_of(citm, struct ent, h); 82 83 new->id = itm->id; 84 new->type = itm->type; 85 86 strscpy(new->name, itm->name, sizeof(new->name)); 87 strscpy(new->authname, itm->authname, sizeof(new->authname)); 88} 89 90static void 91ent_put(struct kref *ref) 92{ 93 struct ent *map = container_of(ref, struct ent, h.ref); 94 kfree_rcu(map, rcu_head); 95} 96 97static struct cache_head * 98ent_alloc(void) 99{ 100 struct ent *e = kmalloc(sizeof(*e), GFP_KERNEL); 101 if (e) 102 return &e->h; 103 else 104 return NULL; 105} 106 107/* 108 * ID -> Name cache 109 */ 110 111static uint32_t 112idtoname_hash(struct ent *ent) 113{ 114 uint32_t hash; 115 116 hash = hash_str(ent->authname, ENT_HASHBITS); 117 hash = hash_long(hash ^ ent->id, ENT_HASHBITS); 118 119 /* Flip LSB for user/group */ 120 if (ent->type == IDMAP_TYPE_GROUP) 121 hash ^= 1; 122 123 return hash; 124} 125 126static int 127idtoname_upcall(struct cache_detail *cd, struct cache_head *h) 128{ 129 return sunrpc_cache_pipe_upcall_timeout(cd, h); 130} 131 132static void 133idtoname_request(struct cache_detail *cd, struct cache_head *ch, char **bpp, 134 int *blen) 135{ 136 struct ent *ent = container_of(ch, struct ent, h); 137 char idstr[11]; 138 139 qword_add(bpp, blen, ent->authname); 140 snprintf(idstr, sizeof(idstr), "%u", ent->id); 141 qword_add(bpp, blen, ent->type == IDMAP_TYPE_GROUP ? "group" : "user"); 142 qword_add(bpp, blen, idstr); 143 144 (*bpp)[-1] = '\n'; 145} 146 147static int 148idtoname_match(struct cache_head *ca, struct cache_head *cb) 149{ 150 struct ent *a = container_of(ca, struct ent, h); 151 struct ent *b = container_of(cb, struct ent, h); 152 153 return (a->id == b->id && a->type == b->type && 154 strcmp(a->authname, b->authname) == 0); 155} 156 157static int 158idtoname_show(struct seq_file *m, struct cache_detail *cd, struct cache_head *h) 159{ 160 struct ent *ent; 161 162 if (h == NULL) { 163 seq_puts(m, "#domain type id [name]\n"); 164 return 0; 165 } 166 ent = container_of(h, struct ent, h); 167 seq_printf(m, "%s %s %u", ent->authname, 168 ent->type == IDMAP_TYPE_GROUP ? "group" : "user", 169 ent->id); 170 if (test_bit(CACHE_VALID, &h->flags)) 171 seq_printf(m, " %s", ent->name); 172 seq_putc(m, '\n'); 173 return 0; 174} 175 176static void 177warn_no_idmapd(struct cache_detail *detail, int has_died) 178{ 179 printk("nfsd: nfsv4 idmapping failing: has idmapd %s?\n", 180 has_died ? "died" : "not been started"); 181} 182 183 184static int idtoname_parse(struct cache_detail *, char *, int); 185static struct ent *idtoname_lookup(struct cache_detail *, struct ent *); 186static struct ent *idtoname_update(struct cache_detail *, struct ent *, 187 struct ent *); 188 189static const struct cache_detail idtoname_cache_template = { 190 .owner = THIS_MODULE, 191 .hash_size = ENT_HASHMAX, 192 .name = "nfs4.idtoname", 193 .cache_put = ent_put, 194 .cache_upcall = idtoname_upcall, 195 .cache_request = idtoname_request, 196 .cache_parse = idtoname_parse, 197 .cache_show = idtoname_show, 198 .warn_no_listener = warn_no_idmapd, 199 .match = idtoname_match, 200 .init = ent_init, 201 .update = ent_init, 202 .alloc = ent_alloc, 203}; 204 205static int 206idtoname_parse(struct cache_detail *cd, char *buf, int buflen) 207{ 208 struct ent ent, *res; 209 char *buf1, *bp; 210 int len; 211 int error = -EINVAL; 212 213 if (buf[buflen - 1] != '\n') 214 return (-EINVAL); 215 buf[buflen - 1]= '\0'; 216 217 buf1 = kmalloc(PAGE_SIZE, GFP_KERNEL); 218 if (buf1 == NULL) 219 return (-ENOMEM); 220 221 memset(&ent, 0, sizeof(ent)); 222 223 /* Authentication name */ 224 len = qword_get(&buf, buf1, PAGE_SIZE); 225 if (len <= 0 || len >= IDMAP_NAMESZ) 226 goto out; 227 memcpy(ent.authname, buf1, sizeof(ent.authname)); 228 229 /* Type */ 230 if (qword_get(&buf, buf1, PAGE_SIZE) <= 0) 231 goto out; 232 ent.type = strcmp(buf1, "user") == 0 ? 233 IDMAP_TYPE_USER : IDMAP_TYPE_GROUP; 234 235 /* ID */ 236 if (qword_get(&buf, buf1, PAGE_SIZE) <= 0) 237 goto out; 238 ent.id = simple_strtoul(buf1, &bp, 10); 239 if (bp == buf1) 240 goto out; 241 242 /* expiry */ 243 error = get_expiry(&buf, &ent.h.expiry_time); 244 if (error) 245 goto out; 246 247 error = -ENOMEM; 248 res = idtoname_lookup(cd, &ent); 249 if (!res) 250 goto out; 251 252 /* Name */ 253 error = -EINVAL; 254 len = qword_get(&buf, buf1, PAGE_SIZE); 255 if (len < 0 || len >= IDMAP_NAMESZ) 256 goto out; 257 if (len == 0) 258 set_bit(CACHE_NEGATIVE, &ent.h.flags); 259 else 260 memcpy(ent.name, buf1, sizeof(ent.name)); 261 error = -ENOMEM; 262 res = idtoname_update(cd, &ent, res); 263 if (res == NULL) 264 goto out; 265 266 cache_put(&res->h, cd); 267 error = 0; 268out: 269 kfree(buf1); 270 return error; 271} 272 273static struct ent * 274idtoname_lookup(struct cache_detail *cd, struct ent *item) 275{ 276 struct cache_head *ch = sunrpc_cache_lookup_rcu(cd, &item->h, 277 idtoname_hash(item)); 278 if (ch) 279 return container_of(ch, struct ent, h); 280 else 281 return NULL; 282} 283 284static struct ent * 285idtoname_update(struct cache_detail *cd, struct ent *new, struct ent *old) 286{ 287 struct cache_head *ch = sunrpc_cache_update(cd, &new->h, &old->h, 288 idtoname_hash(new)); 289 if (ch) 290 return container_of(ch, struct ent, h); 291 else 292 return NULL; 293} 294 295 296/* 297 * Name -> ID cache 298 */ 299 300static inline int 301nametoid_hash(struct ent *ent) 302{ 303 return hash_str(ent->name, ENT_HASHBITS); 304} 305 306static int 307nametoid_upcall(struct cache_detail *cd, struct cache_head *h) 308{ 309 return sunrpc_cache_pipe_upcall_timeout(cd, h); 310} 311 312static void 313nametoid_request(struct cache_detail *cd, struct cache_head *ch, char **bpp, 314 int *blen) 315{ 316 struct ent *ent = container_of(ch, struct ent, h); 317 318 qword_add(bpp, blen, ent->authname); 319 qword_add(bpp, blen, ent->type == IDMAP_TYPE_GROUP ? "group" : "user"); 320 qword_add(bpp, blen, ent->name); 321 322 (*bpp)[-1] = '\n'; 323} 324 325static int 326nametoid_match(struct cache_head *ca, struct cache_head *cb) 327{ 328 struct ent *a = container_of(ca, struct ent, h); 329 struct ent *b = container_of(cb, struct ent, h); 330 331 return (a->type == b->type && strcmp(a->name, b->name) == 0 && 332 strcmp(a->authname, b->authname) == 0); 333} 334 335static int 336nametoid_show(struct seq_file *m, struct cache_detail *cd, struct cache_head *h) 337{ 338 struct ent *ent; 339 340 if (h == NULL) { 341 seq_puts(m, "#domain type name [id]\n"); 342 return 0; 343 } 344 ent = container_of(h, struct ent, h); 345 seq_printf(m, "%s %s %s", ent->authname, 346 ent->type == IDMAP_TYPE_GROUP ? "group" : "user", 347 ent->name); 348 if (test_bit(CACHE_VALID, &h->flags)) 349 seq_printf(m, " %u", ent->id); 350 seq_putc(m, '\n'); 351 return 0; 352} 353 354static struct ent *nametoid_lookup(struct cache_detail *, struct ent *); 355static struct ent *nametoid_update(struct cache_detail *, struct ent *, 356 struct ent *); 357static int nametoid_parse(struct cache_detail *, char *, int); 358 359static const struct cache_detail nametoid_cache_template = { 360 .owner = THIS_MODULE, 361 .hash_size = ENT_HASHMAX, 362 .name = "nfs4.nametoid", 363 .cache_put = ent_put, 364 .cache_upcall = nametoid_upcall, 365 .cache_request = nametoid_request, 366 .cache_parse = nametoid_parse, 367 .cache_show = nametoid_show, 368 .warn_no_listener = warn_no_idmapd, 369 .match = nametoid_match, 370 .init = ent_init, 371 .update = ent_init, 372 .alloc = ent_alloc, 373}; 374 375static int 376nametoid_parse(struct cache_detail *cd, char *buf, int buflen) 377{ 378 struct ent ent, *res; 379 char *buf1; 380 int len, error = -EINVAL; 381 382 if (buf[buflen - 1] != '\n') 383 return (-EINVAL); 384 buf[buflen - 1]= '\0'; 385 386 buf1 = kmalloc(PAGE_SIZE, GFP_KERNEL); 387 if (buf1 == NULL) 388 return (-ENOMEM); 389 390 memset(&ent, 0, sizeof(ent)); 391 392 /* Authentication name */ 393 len = qword_get(&buf, buf1, PAGE_SIZE); 394 if (len <= 0 || len >= IDMAP_NAMESZ) 395 goto out; 396 memcpy(ent.authname, buf1, sizeof(ent.authname)); 397 398 /* Type */ 399 if (qword_get(&buf, buf1, PAGE_SIZE) <= 0) 400 goto out; 401 ent.type = strcmp(buf1, "user") == 0 ? 402 IDMAP_TYPE_USER : IDMAP_TYPE_GROUP; 403 404 /* Name */ 405 len = qword_get(&buf, buf1, PAGE_SIZE); 406 if (len <= 0 || len >= IDMAP_NAMESZ) 407 goto out; 408 memcpy(ent.name, buf1, sizeof(ent.name)); 409 410 /* expiry */ 411 error = get_expiry(&buf, &ent.h.expiry_time); 412 if (error) 413 goto out; 414 415 /* ID */ 416 error = get_int(&buf, &ent.id); 417 if (error == -EINVAL) 418 goto out; 419 if (error == -ENOENT) 420 set_bit(CACHE_NEGATIVE, &ent.h.flags); 421 422 error = -ENOMEM; 423 res = nametoid_lookup(cd, &ent); 424 if (res == NULL) 425 goto out; 426 res = nametoid_update(cd, &ent, res); 427 if (res == NULL) 428 goto out; 429 430 cache_put(&res->h, cd); 431 error = 0; 432out: 433 kfree(buf1); 434 return (error); 435} 436 437 438static struct ent * 439nametoid_lookup(struct cache_detail *cd, struct ent *item) 440{ 441 struct cache_head *ch = sunrpc_cache_lookup_rcu(cd, &item->h, 442 nametoid_hash(item)); 443 if (ch) 444 return container_of(ch, struct ent, h); 445 else 446 return NULL; 447} 448 449static struct ent * 450nametoid_update(struct cache_detail *cd, struct ent *new, struct ent *old) 451{ 452 struct cache_head *ch = sunrpc_cache_update(cd, &new->h, &old->h, 453 nametoid_hash(new)); 454 if (ch) 455 return container_of(ch, struct ent, h); 456 else 457 return NULL; 458} 459 460/* 461 * Exported API 462 */ 463 464int 465nfsd_idmap_init(struct net *net) 466{ 467 int rv; 468 struct nfsd_net *nn = net_generic(net, nfsd_net_id); 469 470 nn->idtoname_cache = cache_create_net(&idtoname_cache_template, net); 471 if (IS_ERR(nn->idtoname_cache)) 472 return PTR_ERR(nn->idtoname_cache); 473 rv = cache_register_net(nn->idtoname_cache, net); 474 if (rv) 475 goto destroy_idtoname_cache; 476 nn->nametoid_cache = cache_create_net(&nametoid_cache_template, net); 477 if (IS_ERR(nn->nametoid_cache)) { 478 rv = PTR_ERR(nn->nametoid_cache); 479 goto unregister_idtoname_cache; 480 } 481 rv = cache_register_net(nn->nametoid_cache, net); 482 if (rv) 483 goto destroy_nametoid_cache; 484 return 0; 485 486destroy_nametoid_cache: 487 cache_destroy_net(nn->nametoid_cache, net); 488unregister_idtoname_cache: 489 cache_unregister_net(nn->idtoname_cache, net); 490destroy_idtoname_cache: 491 cache_destroy_net(nn->idtoname_cache, net); 492 return rv; 493} 494 495void 496nfsd_idmap_shutdown(struct net *net) 497{ 498 struct nfsd_net *nn = net_generic(net, nfsd_net_id); 499 500 cache_unregister_net(nn->idtoname_cache, net); 501 cache_unregister_net(nn->nametoid_cache, net); 502 cache_destroy_net(nn->idtoname_cache, net); 503 cache_destroy_net(nn->nametoid_cache, net); 504} 505 506static int 507idmap_lookup(struct svc_rqst *rqstp, 508 struct ent *(*lookup_fn)(struct cache_detail *, struct ent *), 509 struct ent *key, struct cache_detail *detail, struct ent **item) 510{ 511 int ret; 512 513 *item = lookup_fn(detail, key); 514 if (!*item) 515 return -ENOMEM; 516 retry: 517 ret = cache_check(detail, &(*item)->h, &rqstp->rq_chandle); 518 519 if (ret == -ETIMEDOUT) { 520 struct ent *prev_item = *item; 521 *item = lookup_fn(detail, key); 522 if (*item != prev_item) 523 goto retry; 524 cache_put(&(*item)->h, detail); 525 } 526 return ret; 527} 528 529static char * 530rqst_authname(struct svc_rqst *rqstp) 531{ 532 struct auth_domain *clp; 533 534 clp = rqstp->rq_gssclient ? rqstp->rq_gssclient : rqstp->rq_client; 535 return clp->name; 536} 537 538static __be32 539idmap_name_to_id(struct svc_rqst *rqstp, int type, const char *name, u32 namelen, 540 u32 *id) 541{ 542 struct ent *item, key = { 543 .type = type, 544 }; 545 int ret; 546 struct nfsd_net *nn = net_generic(SVC_NET(rqstp), nfsd_net_id); 547 548 if (namelen + 1 > sizeof(key.name)) 549 return nfserr_badowner; 550 memcpy(key.name, name, namelen); 551 key.name[namelen] = '\0'; 552 strscpy(key.authname, rqst_authname(rqstp), sizeof(key.authname)); 553 ret = idmap_lookup(rqstp, nametoid_lookup, &key, nn->nametoid_cache, &item); 554 if (ret == -ENOENT) 555 return nfserr_badowner; 556 if (ret) 557 return nfserrno(ret); 558 *id = item->id; 559 cache_put(&item->h, nn->nametoid_cache); 560 return 0; 561} 562 563static __be32 encode_ascii_id(struct xdr_stream *xdr, u32 id) 564{ 565 char buf[11]; 566 int len; 567 __be32 *p; 568 569 len = sprintf(buf, "%u", id); 570 p = xdr_reserve_space(xdr, len + 4); 571 if (!p) 572 return nfserr_resource; 573 p = xdr_encode_opaque(p, buf, len); 574 return 0; 575} 576 577static __be32 idmap_id_to_name(struct xdr_stream *xdr, 578 struct svc_rqst *rqstp, int type, u32 id) 579{ 580 struct ent *item, key = { 581 .id = id, 582 .type = type, 583 }; 584 __be32 *p; 585 int ret; 586 struct nfsd_net *nn = net_generic(SVC_NET(rqstp), nfsd_net_id); 587 588 strscpy(key.authname, rqst_authname(rqstp), sizeof(key.authname)); 589 ret = idmap_lookup(rqstp, idtoname_lookup, &key, nn->idtoname_cache, &item); 590 if (ret == -ENOENT) 591 return encode_ascii_id(xdr, id); 592 if (ret) 593 return nfserrno(ret); 594 ret = strlen(item->name); 595 WARN_ON_ONCE(ret > IDMAP_NAMESZ); 596 p = xdr_reserve_space(xdr, ret + 4); 597 if (!p) 598 return nfserr_resource; 599 p = xdr_encode_opaque(p, item->name, ret); 600 cache_put(&item->h, nn->idtoname_cache); 601 return 0; 602} 603 604static bool 605numeric_name_to_id(struct svc_rqst *rqstp, int type, const char *name, u32 namelen, u32 *id) 606{ 607 int ret; 608 char buf[11]; 609 610 if (namelen + 1 > sizeof(buf)) 611 /* too long to represent a 32-bit id: */ 612 return false; 613 /* Just to make sure it's null-terminated: */ 614 memcpy(buf, name, namelen); 615 buf[namelen] = '\0'; 616 ret = kstrtouint(buf, 10, id); 617 return ret == 0; 618} 619 620static __be32 621do_name_to_id(struct svc_rqst *rqstp, int type, const char *name, u32 namelen, u32 *id) 622{ 623 if (nfs4_disable_idmapping && rqstp->rq_cred.cr_flavor < RPC_AUTH_GSS) 624 if (numeric_name_to_id(rqstp, type, name, namelen, id)) 625 return 0; 626 /* 627 * otherwise, fall through and try idmapping, for 628 * backwards compatibility with clients sending names: 629 */ 630 return idmap_name_to_id(rqstp, type, name, namelen, id); 631} 632 633static __be32 encode_name_from_id(struct xdr_stream *xdr, 634 struct svc_rqst *rqstp, int type, u32 id) 635{ 636 if (nfs4_disable_idmapping && rqstp->rq_cred.cr_flavor < RPC_AUTH_GSS) 637 return encode_ascii_id(xdr, id); 638 return idmap_id_to_name(xdr, rqstp, type, id); 639} 640 641__be32 642nfsd_map_name_to_uid(struct svc_rqst *rqstp, const char *name, size_t namelen, 643 kuid_t *uid) 644{ 645 __be32 status; 646 u32 id = -1; 647 648 if (name == NULL || namelen == 0) 649 return nfserr_inval; 650 651 status = do_name_to_id(rqstp, IDMAP_TYPE_USER, name, namelen, &id); 652 *uid = make_kuid(nfsd_user_namespace(rqstp), id); 653 if (!uid_valid(*uid)) 654 status = nfserr_badowner; 655 return status; 656} 657 658__be32 659nfsd_map_name_to_gid(struct svc_rqst *rqstp, const char *name, size_t namelen, 660 kgid_t *gid) 661{ 662 __be32 status; 663 u32 id = -1; 664 665 if (name == NULL || namelen == 0) 666 return nfserr_inval; 667 668 status = do_name_to_id(rqstp, IDMAP_TYPE_GROUP, name, namelen, &id); 669 *gid = make_kgid(nfsd_user_namespace(rqstp), id); 670 if (!gid_valid(*gid)) 671 status = nfserr_badowner; 672 return status; 673} 674 675__be32 nfsd4_encode_user(struct xdr_stream *xdr, struct svc_rqst *rqstp, 676 kuid_t uid) 677{ 678 u32 id = from_kuid_munged(nfsd_user_namespace(rqstp), uid); 679 return encode_name_from_id(xdr, rqstp, IDMAP_TYPE_USER, id); 680} 681 682__be32 nfsd4_encode_group(struct xdr_stream *xdr, struct svc_rqst *rqstp, 683 kgid_t gid) 684{ 685 u32 id = from_kgid_munged(nfsd_user_namespace(rqstp), gid); 686 return encode_name_from_id(xdr, rqstp, IDMAP_TYPE_GROUP, id); 687} 688