1 // SPDX-License-Identifier: GPL-2.0-only
28  * are always nobody (-2).  i.e. we do the same IP address checks for
47 	kfree(dom->name);  in svcauth_unix_domain_release_rcu()
53 	call_rcu(&dom->rcu_head, svcauth_unix_domain_release_rcu);  in svcauth_unix_domain_release()
64 			if (new && rv != &new->h)  in unix_domain_find()
65 				svcauth_unix_domain_release(&new->h);  in unix_domain_find()
67 			if (rv->flavour != &svcauth_unix) {  in unix_domain_find()
77 		kref_init(&new->h.ref);  in unix_domain_find()
78 		new->h.name = kstrdup(name, GFP_KERNEL);  in unix_domain_find()
79 		if (new->h.name == NULL) {  in unix_domain_find()
83 		new->h.flavour = &svcauth_unix;  in unix_domain_find()
84 		rv = auth_domain_lookup(name, &new->h);  in unix_domain_find()
108 	struct ip_map *im = container_of(item, struct ip_map,h);  in ip_map_put()  local
110 	if (test_bit(CACHE_VALID, &item->flags) &&  in ip_map_put()
111 	    !test_bit(CACHE_NEGATIVE, &item->flags))  in ip_map_put()
112 		auth_domain_put(&im->m_client->h);  in ip_map_put()
113 	kfree_rcu(im, m_rcu);  in ip_map_put()
124 	return strcmp(orig->m_class, new->m_class) == 0 &&  in ip_map_match()
125 	       ipv6_addr_equal(&orig->m_addr, &new->m_addr);  in ip_map_match()
132 	strcpy(new->m_class, item->m_class);  in ip_map_init()
133 	new->m_addr = item->m_addr;  in ip_map_init()
140 	kref_get(&item->m_client->h.ref);  in update()
141 	new->m_client = item->m_client;  in update()
147 		return &i->h;  in ip_map_alloc()
162 	struct ip_map *im = container_of(h, struct ip_map, h);  in ip_map_request()  local
164 	if (ipv6_addr_v4mapped(&(im->m_addr))) {  in ip_map_request()
165 		snprintf(text_addr, 20, "%pI4", &im->m_addr.s6_addr32[3]);  in ip_map_request()
167 		snprintf(text_addr, 40, "%pI6", &im->m_addr);  in ip_map_request()
169 	qword_add(bpp, blen, im->m_class);  in ip_map_request()
171 	(*bpp)[-1] = '\n';  in ip_map_request()
198 	if (mesg[mlen-1] != '\n')  in ip_map_parse()
199 		return -EINVAL;  in ip_map_parse()
200 	mesg[mlen-1] = 0;  in ip_map_parse()
204 	if (len <= 0) return -EINVAL;  in ip_map_parse()
208 	if (len <= 0) return -EINVAL;  in ip_map_parse()
210 	if (rpc_pton(cd->net, buf, len, &address.sa, sizeof(address)) == 0)  in ip_map_parse()
211 		return -EINVAL;  in ip_map_parse()
225 		return -EINVAL;  in ip_map_parse()
230 		return -EINVAL;  in ip_map_parse()
234 	if (len < 0) return -EINVAL;  in ip_map_parse()
239 			return -ENOENT;  in ip_map_parse()
250 		err = -ENOMEM;  in ip_map_parse()
263 	struct ip_map *im;  in ip_map_show()  local
265 	char *dom = "-no-domain-";  in ip_map_show()
271 	im = container_of(h, struct ip_map, h);  in ip_map_show()
273 	addr = im->m_addr;  in ip_map_show()
275 	if (test_bit(CACHE_VALID, &h->flags) &&  in ip_map_show()
276 	    !test_bit(CACHE_NEGATIVE, &h->flags))  in ip_map_show()
277 		dom = im->m_client->h.name;  in ip_map_show()
281 			im->m_class, &addr.s6_addr32[3], dom);  in ip_map_show()
283 		seq_printf(m, "%s %pI6 %s\n", im->m_class, &addr, dom);  in ip_map_show()
318 	ch = sunrpc_cache_update(cd, &ip.h, &ipm->h,  in __ip_map_update()
319 				 hash_str(ipm->m_class, IP_HASHBITS) ^  in __ip_map_update()
320 				 hash_ip6(&ipm->m_addr));  in __ip_map_update()
322 		return -ENOMEM;  in __ip_map_update()
332 	cache_purge(sn->ip_map_cache);  in svcauth_unix_purge()
342 	if (test_bit(XPT_CACHE_AUTH, &xprt->xpt_flags)) {  in ip_map_cached_get()
343 		spin_lock(&xprt->xpt_lock);  in ip_map_cached_get()
344 		ipm = xprt->xpt_auth_cache;  in ip_map_cached_get()
346 			sn = net_generic(xprt->xpt_net, sunrpc_net_id);  in ip_map_cached_get()
347 			if (cache_is_expired(sn->ip_map_cache, &ipm->h)) {  in ip_map_cached_get()
353 				xprt->xpt_auth_cache = NULL;  in ip_map_cached_get()
354 				spin_unlock(&xprt->xpt_lock);  in ip_map_cached_get()
355 				cache_put(&ipm->h, sn->ip_map_cache);  in ip_map_cached_get()
358 			cache_get(&ipm->h);  in ip_map_cached_get()
360 		spin_unlock(&xprt->xpt_lock);  in ip_map_cached_get()
368 	if (test_bit(XPT_CACHE_AUTH, &xprt->xpt_flags)) {  in ip_map_cached_put()
369 		spin_lock(&xprt->xpt_lock);  in ip_map_cached_put()
370 		if (xprt->xpt_auth_cache == NULL) {  in ip_map_cached_put()
372 			xprt->xpt_auth_cache = ipm;  in ip_map_cached_put()
375 		spin_unlock(&xprt->xpt_lock);  in ip_map_cached_put()
380 		sn = net_generic(xprt->xpt_net, sunrpc_net_id);  in ip_map_cached_put()
381 		cache_put(&ipm->h, sn->ip_map_cache);  in ip_map_cached_put()
390 	ipm = xpt->xpt_auth_cache;  in svcauth_unix_info_release()
394 		sn = net_generic(xpt->xpt_net, sunrpc_net_id);  in svcauth_unix_info_release()
395 		cache_put(&ipm->h, sn->ip_map_cache);  in svcauth_unix_info_release()
423 	if (test_bit(CACHE_VALID, &item->flags) &&  in unix_gid_put()
424 	    !test_bit(CACHE_NEGATIVE, &item->flags))  in unix_gid_put()
425 		put_group_info(ug->gi);  in unix_gid_put()
433 	return uid_eq(orig->uid, new->uid);  in unix_gid_match()
439 	new->uid = item->uid;  in unix_gid_init()
446 	get_group_info(item->gi);  in unix_gid_update()
447 	new->gi = item->gi;  in unix_gid_update()
453 		return &g->h;  in unix_gid_alloc()
470 	snprintf(tuid, 20, "%u", from_kuid(&init_user_ns, ug->uid));  in unix_gid_request()
472 	(*bpp)[-1] = '\n';  in unix_gid_request()
480 	/* uid expiry Ngid gid0 gid1 ... gidN-1 */  in unix_gid_parse()
490 	if (mesg[mlen - 1] != '\n')  in unix_gid_parse()
491 		return -EINVAL;  in unix_gid_parse()
492 	mesg[mlen-1] = 0;  in unix_gid_parse()
496 		return -EINVAL;  in unix_gid_parse()
502 		return -EINVAL;  in unix_gid_parse()
506 		return -EINVAL;  in unix_gid_parse()
510 		return -ENOMEM;  in unix_gid_parse()
516 		err = -EINVAL;  in unix_gid_parse()
522 		ug.gi->gid[i] = kgid;  in unix_gid_parse()
532 					 &ug.h, &ugp->h,  in unix_gid_parse()
535 			err = -ENOMEM;  in unix_gid_parse()
541 		err = -ENOMEM;  in unix_gid_parse()
552 	struct user_namespace *user_ns = m->file->f_cred->user_ns;  in unix_gid_show()
562 	if (test_bit(CACHE_VALID, &h->flags) &&  in unix_gid_show()
563 	    !test_bit(CACHE_NEGATIVE, &h->flags))  in unix_gid_show()
564 		glen = ug->gi->ngroups;  in unix_gid_show()
568 	seq_printf(m, "%u %d:", from_kuid_munged(user_ns, ug->uid), glen);  in unix_gid_show()
570 		seq_printf(m, " %d", from_kgid_munged(user_ns, ug->gi->gid[i]));  in unix_gid_show()
604 	sn->unix_gid_cache = cd;  in unix_gid_cache_create()
611 	struct cache_detail *cd = sn->unix_gid_cache;  in unix_gid_cache_destroy()
613 	sn->unix_gid_cache = NULL;  in unix_gid_cache_destroy()
637 	struct sunrpc_net *sn = net_generic(rqstp->rq_xprt->xpt_net,  in unix_gid_find()
640 	ug = unix_gid_lookup(sn->unix_gid_cache, uid);  in unix_gid_find()
642 		return ERR_PTR(-EAGAIN);  in unix_gid_find()
643 	ret = cache_check(sn->unix_gid_cache, &ug->h, &rqstp->rq_chandle);  in unix_gid_find()
645 	case -ENOENT:  in unix_gid_find()
646 		return ERR_PTR(-ENOENT);  in unix_gid_find()
647 	case -ETIMEDOUT:  in unix_gid_find()
648 		return ERR_PTR(-ESHUTDOWN);  in unix_gid_find()
650 		gi = get_group_info(ug->gi);  in unix_gid_find()
651 		cache_put(&ug->h, sn->unix_gid_cache);  in unix_gid_find()
654 		return ERR_PTR(-EAGAIN);  in unix_gid_find()
665 	struct svc_cred *cred = &rqstp->rq_cred;  in svcauth_unix_set_client()
666 	struct svc_xprt *xprt = rqstp->rq_xprt;  in svcauth_unix_set_client()
667 	struct net *net = xprt->xpt_net;  in svcauth_unix_set_client()
670 	switch (rqstp->rq_addr.ss_family) {  in svcauth_unix_set_client()
674 		ipv6_addr_set_v4mapped(sin->sin_addr.s_addr, &sin6->sin6_addr);  in svcauth_unix_set_client()
683 	rqstp->rq_client = NULL;  in svcauth_unix_set_client()
684 	if (rqstp->rq_proc == 0)  in svcauth_unix_set_client()
687 	rqstp->rq_auth_stat = rpc_autherr_badcred;  in svcauth_unix_set_client()
690 		ipm = __ip_map_lookup(sn->ip_map_cache, rqstp->rq_server->sv_program->pg_class,  in svcauth_unix_set_client()
691 				    &sin6->sin6_addr);  in svcauth_unix_set_client()
696 	switch (cache_check(sn->ip_map_cache, &ipm->h, &rqstp->rq_chandle)) {  in svcauth_unix_set_client()
699 		case -ETIMEDOUT:  in svcauth_unix_set_client()
701 		case -EAGAIN:  in svcauth_unix_set_client()
703 		case -ENOENT:  in svcauth_unix_set_client()
706 			rqstp->rq_client = &ipm->m_client->h;  in svcauth_unix_set_client()
707 			kref_get(&rqstp->rq_client->ref);  in svcauth_unix_set_client()
712 	gi = unix_gid_find(cred->cr_uid, rqstp);  in svcauth_unix_set_client()
714 	case -EAGAIN:  in svcauth_unix_set_client()
716 	case -ESHUTDOWN:  in svcauth_unix_set_client()
718 	case -ENOENT:  in svcauth_unix_set_client()
721 		put_group_info(cred->cr_group_info);  in svcauth_unix_set_client()
722 		cred->cr_group_info = gi;  in svcauth_unix_set_client()
726 	rqstp->rq_auth_stat = rpc_auth_ok;  in svcauth_unix_set_client()
735 	struct kvec	*argv = &rqstp->rq_arg.head[0];  in svcauth_null_accept()
736 	struct kvec	*resv = &rqstp->rq_res.head[0];  in svcauth_null_accept()
737 	struct svc_cred	*cred = &rqstp->rq_cred;  in svcauth_null_accept()
739 	if (argv->iov_len < 3*4)  in svcauth_null_accept()
744 		rqstp->rq_auth_stat = rpc_autherr_badcred;  in svcauth_null_accept()
749 		rqstp->rq_auth_stat = rpc_autherr_badverf;  in svcauth_null_accept()
754 	cred->cr_uid = INVALID_UID;  in svcauth_null_accept()
755 	cred->cr_gid = INVALID_GID;  in svcauth_null_accept()
756 	cred->cr_group_info = groups_alloc(0);  in svcauth_null_accept()
757 	if (cred->cr_group_info == NULL)  in svcauth_null_accept()
758 		return SVC_CLOSE; /* kmalloc failure - client must retry */  in svcauth_null_accept()
764 	rqstp->rq_cred.cr_flavor = RPC_AUTH_NULL;  in svcauth_null_accept()
771 	if (rqstp->rq_client)  in svcauth_null_release()
772 		auth_domain_put(rqstp->rq_client);  in svcauth_null_release()
773 	rqstp->rq_client = NULL;  in svcauth_null_release()
774 	if (rqstp->rq_cred.cr_group_info)  in svcauth_null_release()
775 		put_group_info(rqstp->rq_cred.cr_group_info);  in svcauth_null_release()
776 	rqstp->rq_cred.cr_group_info = NULL;  in svcauth_null_release()
795 	struct svc_cred	*cred = &rqstp->rq_cred;  in svcauth_tls_accept()
796 	struct kvec *argv = rqstp->rq_arg.head;  in svcauth_tls_accept()
797 	struct kvec *resv = rqstp->rq_res.head;  in svcauth_tls_accept()
799 	if (argv->iov_len < XDR_UNIT * 3)  in svcauth_tls_accept()
804 		rqstp->rq_auth_stat = rpc_autherr_badcred;  in svcauth_tls_accept()
811 		rqstp->rq_auth_stat = rpc_autherr_badverf;  in svcauth_tls_accept()
815 	/* AUTH_TLS is not valid on non-NULL procedures */  in svcauth_tls_accept()
816 	if (rqstp->rq_proc != 0) {  in svcauth_tls_accept()
817 		rqstp->rq_auth_stat = rpc_autherr_badcred;  in svcauth_tls_accept()
822 	cred->cr_uid = INVALID_UID;  in svcauth_tls_accept()
823 	cred->cr_gid = INVALID_GID;  in svcauth_tls_accept()
824 	cred->cr_group_info = groups_alloc(0);  in svcauth_tls_accept()
825 	if (cred->cr_group_info == NULL)  in svcauth_tls_accept()
826 		return SVC_CLOSE; /* kmalloc failure - client must retry */  in svcauth_tls_accept()
830 	if (rqstp->rq_xprt->xpt_ops->xpo_start_tls) {  in svcauth_tls_accept()
832 		memcpy(resv->iov_base + resv->iov_len, "STARTTLS", 8);  in svcauth_tls_accept()
833 		resv->iov_len += 8;  in svcauth_tls_accept()
837 	rqstp->rq_cred.cr_flavor = RPC_AUTH_TLS;  in svcauth_tls_accept()
854 	struct kvec	*argv = &rqstp->rq_arg.head[0];  in svcauth_unix_accept()
855 	struct kvec	*resv = &rqstp->rq_res.head[0];  in svcauth_unix_accept()
856 	struct svc_cred	*cred = &rqstp->rq_cred;  in svcauth_unix_accept()
859 	int		len   = argv->iov_len;  in svcauth_unix_accept()
861 	if ((len -= 3*4) < 0)  in svcauth_unix_accept()
867 	if (slen > 64 || (len -= (slen + 3)*4) < 0)  in svcauth_unix_accept()
869 	argv->iov_base = (void*)((__be32*)argv->iov_base + slen);	/* skip machname */  in svcauth_unix_accept()
870 	argv->iov_len -= slen*4;  in svcauth_unix_accept()
873 	 * backwards compatibility with clients that use -1 id's.  in svcauth_unix_accept()
874 	 * Instead, -1 uid or gid is later mapped to the  in svcauth_unix_accept()
875 	 * (export-specific) anonymous id by nfsd_setuser.  in svcauth_unix_accept()
878 	userns = (rqstp->rq_xprt && rqstp->rq_xprt->xpt_cred) ?  in svcauth_unix_accept()
879 		rqstp->rq_xprt->xpt_cred->user_ns : &init_user_ns;  in svcauth_unix_accept()
880 	cred->cr_uid = make_kuid(userns, svc_getnl(argv)); /* uid */  in svcauth_unix_accept()
881 	cred->cr_gid = make_kgid(userns, svc_getnl(argv)); /* gid */  in svcauth_unix_accept()
883 	if (slen > UNX_NGROUPS || (len -= (slen + 2)*4) < 0)  in svcauth_unix_accept()
885 	cred->cr_group_info = groups_alloc(slen);  in svcauth_unix_accept()
886 	if (cred->cr_group_info == NULL)  in svcauth_unix_accept()
890 		cred->cr_group_info->gid[i] = kgid;  in svcauth_unix_accept()
892 	groups_sort(cred->cr_group_info);  in svcauth_unix_accept()
894 		rqstp->rq_auth_stat = rpc_autherr_badverf;  in svcauth_unix_accept()
902 	rqstp->rq_cred.cr_flavor = RPC_AUTH_UNIX;  in svcauth_unix_accept()
906 	rqstp->rq_auth_stat = rpc_autherr_badcred;  in svcauth_unix_accept()
915 	if (rqstp->rq_client)  in svcauth_unix_release()
916 		auth_domain_put(rqstp->rq_client);  in svcauth_unix_release()
917 	rqstp->rq_client = NULL;  in svcauth_unix_release()
918 	if (rqstp->rq_cred.cr_group_info)  in svcauth_unix_release()
919 		put_group_info(rqstp->rq_cred.cr_group_info);  in svcauth_unix_release()
920 	rqstp->rq_cred.cr_group_info = NULL;  in svcauth_unix_release()
965 	sn->ip_map_cache = cd;  in ip_map_cache_create()
972 	struct cache_detail *cd = sn->ip_map_cache;  in ip_map_cache_destroy()
974 	sn->ip_map_cache = NULL;  in ip_map_cache_destroy()