1 // SPDX-License-Identifier: GPL-2.0-only
28  * are always nobody (-2).  i.e. we do the same IP address checks for
46 	kfree(dom->name);  in svcauth_unix_domain_release_rcu()
52 	call_rcu(&dom->rcu_head, svcauth_unix_domain_release_rcu);  in svcauth_unix_domain_release()
63 			if (new && rv != &new->h)  in unix_domain_find()
64 				svcauth_unix_domain_release(&new->h);  in unix_domain_find()
66 			if (rv->flavour != &svcauth_unix) {  in unix_domain_find()
76 		kref_init(&new->h.ref);  in unix_domain_find()
77 		new->h.name = kstrdup(name, GFP_KERNEL);  in unix_domain_find()
78 		if (new->h.name == NULL) {  in unix_domain_find()
82 		new->h.flavour = &svcauth_unix;  in unix_domain_find()
83 		rv = auth_domain_lookup(name, &new->h);  in unix_domain_find()
107 	struct ip_map *im = container_of(item, struct ip_map,h);  in ip_map_put()  local
109 	if (test_bit(CACHE_VALID, &item->flags) &&  in ip_map_put()
110 	    !test_bit(CACHE_NEGATIVE, &item->flags))  in ip_map_put()
111 		auth_domain_put(&im->m_client->h);  in ip_map_put()
112 	kfree_rcu(im, m_rcu);  in ip_map_put()
123 	return strcmp(orig->m_class, new->m_class) == 0 &&  in ip_map_match()
124 	       ipv6_addr_equal(&orig->m_addr, &new->m_addr);  in ip_map_match()
131 	strcpy(new->m_class, item->m_class);  in ip_map_init()
132 	new->m_addr = item->m_addr;  in ip_map_init()
139 	kref_get(&item->m_client->h.ref);  in update()
140 	new->m_client = item->m_client;  in update()
146 		return &i->h;  in ip_map_alloc()
161 	struct ip_map *im = container_of(h, struct ip_map, h);  in ip_map_request()  local
163 	if (ipv6_addr_v4mapped(&(im->m_addr))) {  in ip_map_request()
164 		snprintf(text_addr, 20, "%pI4", &im->m_addr.s6_addr32[3]);  in ip_map_request()
166 		snprintf(text_addr, 40, "%pI6", &im->m_addr);  in ip_map_request()
168 	qword_add(bpp, blen, im->m_class);  in ip_map_request()
170 	(*bpp)[-1] = '\n';  in ip_map_request()
197 	if (mesg[mlen-1] != '\n')  in ip_map_parse()
198 		return -EINVAL;  in ip_map_parse()
199 	mesg[mlen-1] = 0;  in ip_map_parse()
203 	if (len <= 0) return -EINVAL;  in ip_map_parse()
207 	if (len <= 0) return -EINVAL;  in ip_map_parse()
209 	if (rpc_pton(cd->net, buf, len, &address.sa, sizeof(address)) == 0)  in ip_map_parse()
210 		return -EINVAL;  in ip_map_parse()
224 		return -EINVAL;  in ip_map_parse()
229 		return -EINVAL;  in ip_map_parse()
233 	if (len < 0) return -EINVAL;  in ip_map_parse()
238 			return -ENOENT;  in ip_map_parse()
249 		err = -ENOMEM;  in ip_map_parse()
262 	struct ip_map *im;  in ip_map_show()  local
264 	char *dom = "-no-domain-";  in ip_map_show()
270 	im = container_of(h, struct ip_map, h);  in ip_map_show()
272 	addr = im->m_addr;  in ip_map_show()
274 	if (test_bit(CACHE_VALID, &h->flags) &&  in ip_map_show()
275 	    !test_bit(CACHE_NEGATIVE, &h->flags))  in ip_map_show()
276 		dom = im->m_client->h.name;  in ip_map_show()
280 			im->m_class, &addr.s6_addr32[3], dom);  in ip_map_show()
282 		seq_printf(m, "%s %pI6 %s\n", im->m_class, &addr, dom);  in ip_map_show()
312 	return __ip_map_lookup(sn->ip_map_cache, class, addr);  in ip_map_lookup()
326 	ch = sunrpc_cache_update(cd, &ip.h, &ipm->h,  in __ip_map_update()
327 				 hash_str(ipm->m_class, IP_HASHBITS) ^  in __ip_map_update()
328 				 hash_ip6(&ipm->m_addr));  in __ip_map_update()
330 		return -ENOMEM;  in __ip_map_update()
340 	cache_purge(sn->ip_map_cache);  in svcauth_unix_purge()
350 	if (test_bit(XPT_CACHE_AUTH, &xprt->xpt_flags)) {  in ip_map_cached_get()
351 		spin_lock(&xprt->xpt_lock);  in ip_map_cached_get()
352 		ipm = xprt->xpt_auth_cache;  in ip_map_cached_get()
354 			sn = net_generic(xprt->xpt_net, sunrpc_net_id);  in ip_map_cached_get()
355 			if (cache_is_expired(sn->ip_map_cache, &ipm->h)) {  in ip_map_cached_get()
361 				xprt->xpt_auth_cache = NULL;  in ip_map_cached_get()
362 				spin_unlock(&xprt->xpt_lock);  in ip_map_cached_get()
363 				cache_put(&ipm->h, sn->ip_map_cache);  in ip_map_cached_get()
366 			cache_get(&ipm->h);  in ip_map_cached_get()
368 		spin_unlock(&xprt->xpt_lock);  in ip_map_cached_get()
376 	if (test_bit(XPT_CACHE_AUTH, &xprt->xpt_flags)) {  in ip_map_cached_put()
377 		spin_lock(&xprt->xpt_lock);  in ip_map_cached_put()
378 		if (xprt->xpt_auth_cache == NULL) {  in ip_map_cached_put()
380 			xprt->xpt_auth_cache = ipm;  in ip_map_cached_put()
383 		spin_unlock(&xprt->xpt_lock);  in ip_map_cached_put()
388 		sn = net_generic(xprt->xpt_net, sunrpc_net_id);  in ip_map_cached_put()
389 		cache_put(&ipm->h, sn->ip_map_cache);  in ip_map_cached_put()
398 	ipm = xpt->xpt_auth_cache;  in svcauth_unix_info_release()
402 		sn = net_generic(xpt->xpt_net, sunrpc_net_id);  in svcauth_unix_info_release()
403 		cache_put(&ipm->h, sn->ip_map_cache);  in svcauth_unix_info_release()
431 	if (test_bit(CACHE_VALID, &item->flags) &&  in unix_gid_put()
432 	    !test_bit(CACHE_NEGATIVE, &item->flags))  in unix_gid_put()
433 		put_group_info(ug->gi);  in unix_gid_put()
441 	return uid_eq(orig->uid, new->uid);  in unix_gid_match()
447 	new->uid = item->uid;  in unix_gid_init()
454 	get_group_info(item->gi);  in unix_gid_update()
455 	new->gi = item->gi;  in unix_gid_update()
461 		return &g->h;  in unix_gid_alloc()
478 	snprintf(tuid, 20, "%u", from_kuid(&init_user_ns, ug->uid));  in unix_gid_request()
480 	(*bpp)[-1] = '\n';  in unix_gid_request()
488 	/* uid expiry Ngid gid0 gid1 ... gidN-1 */  in unix_gid_parse()
498 	if (mesg[mlen - 1] != '\n')  in unix_gid_parse()
499 		return -EINVAL;  in unix_gid_parse()
500 	mesg[mlen-1] = 0;  in unix_gid_parse()
504 		return -EINVAL;  in unix_gid_parse()
510 		return -EINVAL;  in unix_gid_parse()
514 		return -EINVAL;  in unix_gid_parse()
518 		return -ENOMEM;  in unix_gid_parse()
524 		err = -EINVAL;  in unix_gid_parse()
530 		ug.gi->gid[i] = kgid;  in unix_gid_parse()
540 					 &ug.h, &ugp->h,  in unix_gid_parse()
543 			err = -ENOMEM;  in unix_gid_parse()
549 		err = -ENOMEM;  in unix_gid_parse()
560 	struct user_namespace *user_ns = m->file->f_cred->user_ns;  in unix_gid_show()
570 	if (test_bit(CACHE_VALID, &h->flags) &&  in unix_gid_show()
571 	    !test_bit(CACHE_NEGATIVE, &h->flags))  in unix_gid_show()
572 		glen = ug->gi->ngroups;  in unix_gid_show()
576 	seq_printf(m, "%u %d:", from_kuid_munged(user_ns, ug->uid), glen);  in unix_gid_show()
578 		seq_printf(m, " %d", from_kgid_munged(user_ns, ug->gi->gid[i]));  in unix_gid_show()
612 	sn->unix_gid_cache = cd;  in unix_gid_cache_create()
619 	struct cache_detail *cd = sn->unix_gid_cache;  in unix_gid_cache_destroy()
621 	sn->unix_gid_cache = NULL;  in unix_gid_cache_destroy()
645 	struct sunrpc_net *sn = net_generic(rqstp->rq_xprt->xpt_net,  in unix_gid_find()
648 	ug = unix_gid_lookup(sn->unix_gid_cache, uid);  in unix_gid_find()
650 		return ERR_PTR(-EAGAIN);  in unix_gid_find()
651 	ret = cache_check(sn->unix_gid_cache, &ug->h, &rqstp->rq_chandle);  in unix_gid_find()
653 	case -ENOENT:  in unix_gid_find()
654 		return ERR_PTR(-ENOENT);  in unix_gid_find()
655 	case -ETIMEDOUT:  in unix_gid_find()
656 		return ERR_PTR(-ESHUTDOWN);  in unix_gid_find()
658 		gi = get_group_info(ug->gi);  in unix_gid_find()
659 		cache_put(&ug->h, sn->unix_gid_cache);  in unix_gid_find()
662 		return ERR_PTR(-EAGAIN);  in unix_gid_find()
673 	struct svc_cred *cred = &rqstp->rq_cred;  in svcauth_unix_set_client()
674 	struct svc_xprt *xprt = rqstp->rq_xprt;  in svcauth_unix_set_client()
675 	struct net *net = xprt->xpt_net;  in svcauth_unix_set_client()
678 	switch (rqstp->rq_addr.ss_family) {  in svcauth_unix_set_client()
682 		ipv6_addr_set_v4mapped(sin->sin_addr.s_addr, &sin6->sin6_addr);  in svcauth_unix_set_client()
691 	rqstp->rq_client = NULL;  in svcauth_unix_set_client()
692 	if (rqstp->rq_proc == 0)  in svcauth_unix_set_client()
697 		ipm = __ip_map_lookup(sn->ip_map_cache, rqstp->rq_server->sv_program->pg_class,  in svcauth_unix_set_client()
698 				    &sin6->sin6_addr);  in svcauth_unix_set_client()
703 	switch (cache_check(sn->ip_map_cache, &ipm->h, &rqstp->rq_chandle)) {  in svcauth_unix_set_client()
706 		case -ETIMEDOUT:  in svcauth_unix_set_client()
708 		case -EAGAIN:  in svcauth_unix_set_client()
710 		case -ENOENT:  in svcauth_unix_set_client()
713 			rqstp->rq_client = &ipm->m_client->h;  in svcauth_unix_set_client()
714 			kref_get(&rqstp->rq_client->ref);  in svcauth_unix_set_client()
719 	gi = unix_gid_find(cred->cr_uid, rqstp);  in svcauth_unix_set_client()
721 	case -EAGAIN:  in svcauth_unix_set_client()
723 	case -ESHUTDOWN:  in svcauth_unix_set_client()
725 	case -ENOENT:  in svcauth_unix_set_client()
728 		put_group_info(cred->cr_group_info);  in svcauth_unix_set_client()
729 		cred->cr_group_info = gi;  in svcauth_unix_set_client()
739 	struct kvec	*argv = &rqstp->rq_arg.head[0];  in svcauth_null_accept()
740 	struct kvec	*resv = &rqstp->rq_res.head[0];  in svcauth_null_accept()
741 	struct svc_cred	*cred = &rqstp->rq_cred;  in svcauth_null_accept()
743 	if (argv->iov_len < 3*4)  in svcauth_null_accept()
758 	cred->cr_uid = INVALID_UID;  in svcauth_null_accept()
759 	cred->cr_gid = INVALID_GID;  in svcauth_null_accept()
760 	cred->cr_group_info = groups_alloc(0);  in svcauth_null_accept()
761 	if (cred->cr_group_info == NULL)  in svcauth_null_accept()
762 		return SVC_CLOSE; /* kmalloc failure - client must retry */  in svcauth_null_accept()
768 	rqstp->rq_cred.cr_flavor = RPC_AUTH_NULL;  in svcauth_null_accept()
775 	if (rqstp->rq_client)  in svcauth_null_release()
776 		auth_domain_put(rqstp->rq_client);  in svcauth_null_release()
777 	rqstp->rq_client = NULL;  in svcauth_null_release()
778 	if (rqstp->rq_cred.cr_group_info)  in svcauth_null_release()
779 		put_group_info(rqstp->rq_cred.cr_group_info);  in svcauth_null_release()
780 	rqstp->rq_cred.cr_group_info = NULL;  in svcauth_null_release()
799 	struct kvec	*argv = &rqstp->rq_arg.head[0];  in svcauth_unix_accept()
800 	struct kvec	*resv = &rqstp->rq_res.head[0];  in svcauth_unix_accept()
801 	struct svc_cred	*cred = &rqstp->rq_cred;  in svcauth_unix_accept()
804 	int		len   = argv->iov_len;  in svcauth_unix_accept()
806 	if ((len -= 3*4) < 0)  in svcauth_unix_accept()
812 	if (slen > 64 || (len -= (slen + 3)*4) < 0)  in svcauth_unix_accept()
814 	argv->iov_base = (void*)((__be32*)argv->iov_base + slen);	/* skip machname */  in svcauth_unix_accept()
815 	argv->iov_len -= slen*4;  in svcauth_unix_accept()
818 	 * backwards compatibility with clients that use -1 id's.  in svcauth_unix_accept()
819 	 * Instead, -1 uid or gid is later mapped to the  in svcauth_unix_accept()
820 	 * (export-specific) anonymous id by nfsd_setuser.  in svcauth_unix_accept()
823 	userns = (rqstp->rq_xprt && rqstp->rq_xprt->xpt_cred) ?  in svcauth_unix_accept()
824 		rqstp->rq_xprt->xpt_cred->user_ns : &init_user_ns;  in svcauth_unix_accept()
825 	cred->cr_uid = make_kuid(userns, svc_getnl(argv)); /* uid */  in svcauth_unix_accept()
826 	cred->cr_gid = make_kgid(userns, svc_getnl(argv)); /* gid */  in svcauth_unix_accept()
828 	if (slen > UNX_NGROUPS || (len -= (slen + 2)*4) < 0)  in svcauth_unix_accept()
830 	cred->cr_group_info = groups_alloc(slen);  in svcauth_unix_accept()
831 	if (cred->cr_group_info == NULL)  in svcauth_unix_accept()
835 		cred->cr_group_info->gid[i] = kgid;  in svcauth_unix_accept()
837 	groups_sort(cred->cr_group_info);  in svcauth_unix_accept()
847 	rqstp->rq_cred.cr_flavor = RPC_AUTH_UNIX;  in svcauth_unix_accept()
860 	if (rqstp->rq_client)  in svcauth_unix_release()
861 		auth_domain_put(rqstp->rq_client);  in svcauth_unix_release()
862 	rqstp->rq_client = NULL;  in svcauth_unix_release()
863 	if (rqstp->rq_cred.cr_group_info)  in svcauth_unix_release()
864 		put_group_info(rqstp->rq_cred.cr_group_info);  in svcauth_unix_release()
865 	rqstp->rq_cred.cr_group_info = NULL;  in svcauth_unix_release()
910 	sn->ip_map_cache = cd;  in ip_map_cache_create()
917 	struct cache_detail *cd = sn->ip_map_cache;  in ip_map_cache_destroy()
919 	sn->ip_map_cache = NULL;  in ip_map_cache_destroy()