SUNRPC: Add a helper rpcauth_lookup_generic_cred()
[linux-2.6.git] / net / sunrpc / auth.c
1 /*
2  * linux/net/sunrpc/auth.c
3  *
4  * Generic RPC client authentication API.
5  *
6  * Copyright (C) 1996, Olaf Kirch <okir@monad.swb.de>
7  */
8
9 #include <linux/types.h>
10 #include <linux/sched.h>
11 #include <linux/module.h>
12 #include <linux/slab.h>
13 #include <linux/errno.h>
14 #include <linux/hash.h>
15 #include <linux/sunrpc/clnt.h>
16 #include <linux/spinlock.h>
17
18 #ifdef RPC_DEBUG
19 # define RPCDBG_FACILITY        RPCDBG_AUTH
20 #endif
21
22 static DEFINE_SPINLOCK(rpc_authflavor_lock);
23 static const struct rpc_authops *auth_flavors[RPC_AUTH_MAXFLAVOR] = {
24         &authnull_ops,          /* AUTH_NULL */
25         &authunix_ops,          /* AUTH_UNIX */
26         NULL,                   /* others can be loadable modules */
27 };
28
29 static LIST_HEAD(cred_unused);
30 static unsigned long number_cred_unused;
31
32 static u32
33 pseudoflavor_to_flavor(u32 flavor) {
34         if (flavor >= RPC_AUTH_MAXFLAVOR)
35                 return RPC_AUTH_GSS;
36         return flavor;
37 }
38
39 int
40 rpcauth_register(const struct rpc_authops *ops)
41 {
42         rpc_authflavor_t flavor;
43         int ret = -EPERM;
44
45         if ((flavor = ops->au_flavor) >= RPC_AUTH_MAXFLAVOR)
46                 return -EINVAL;
47         spin_lock(&rpc_authflavor_lock);
48         if (auth_flavors[flavor] == NULL) {
49                 auth_flavors[flavor] = ops;
50                 ret = 0;
51         }
52         spin_unlock(&rpc_authflavor_lock);
53         return ret;
54 }
55 EXPORT_SYMBOL_GPL(rpcauth_register);
56
57 int
58 rpcauth_unregister(const struct rpc_authops *ops)
59 {
60         rpc_authflavor_t flavor;
61         int ret = -EPERM;
62
63         if ((flavor = ops->au_flavor) >= RPC_AUTH_MAXFLAVOR)
64                 return -EINVAL;
65         spin_lock(&rpc_authflavor_lock);
66         if (auth_flavors[flavor] == ops) {
67                 auth_flavors[flavor] = NULL;
68                 ret = 0;
69         }
70         spin_unlock(&rpc_authflavor_lock);
71         return ret;
72 }
73 EXPORT_SYMBOL_GPL(rpcauth_unregister);
74
75 struct rpc_auth *
76 rpcauth_create(rpc_authflavor_t pseudoflavor, struct rpc_clnt *clnt)
77 {
78         struct rpc_auth         *auth;
79         const struct rpc_authops *ops;
80         u32                     flavor = pseudoflavor_to_flavor(pseudoflavor);
81
82         auth = ERR_PTR(-EINVAL);
83         if (flavor >= RPC_AUTH_MAXFLAVOR)
84                 goto out;
85
86 #ifdef CONFIG_KMOD
87         if ((ops = auth_flavors[flavor]) == NULL)
88                 request_module("rpc-auth-%u", flavor);
89 #endif
90         spin_lock(&rpc_authflavor_lock);
91         ops = auth_flavors[flavor];
92         if (ops == NULL || !try_module_get(ops->owner)) {
93                 spin_unlock(&rpc_authflavor_lock);
94                 goto out;
95         }
96         spin_unlock(&rpc_authflavor_lock);
97         auth = ops->create(clnt, pseudoflavor);
98         module_put(ops->owner);
99         if (IS_ERR(auth))
100                 return auth;
101         if (clnt->cl_auth)
102                 rpcauth_release(clnt->cl_auth);
103         clnt->cl_auth = auth;
104
105 out:
106         return auth;
107 }
108 EXPORT_SYMBOL_GPL(rpcauth_create);
109
110 void
111 rpcauth_release(struct rpc_auth *auth)
112 {
113         if (!atomic_dec_and_test(&auth->au_count))
114                 return;
115         auth->au_ops->destroy(auth);
116 }
117
118 static DEFINE_SPINLOCK(rpc_credcache_lock);
119
120 static void
121 rpcauth_unhash_cred_locked(struct rpc_cred *cred)
122 {
123         hlist_del_rcu(&cred->cr_hash);
124         smp_mb__before_clear_bit();
125         clear_bit(RPCAUTH_CRED_HASHED, &cred->cr_flags);
126 }
127
128 static void
129 rpcauth_unhash_cred(struct rpc_cred *cred)
130 {
131         spinlock_t *cache_lock;
132
133         cache_lock = &cred->cr_auth->au_credcache->lock;
134         spin_lock(cache_lock);
135         if (atomic_read(&cred->cr_count) == 0)
136                 rpcauth_unhash_cred_locked(cred);
137         spin_unlock(cache_lock);
138 }
139
140 /*
141  * Initialize RPC credential cache
142  */
143 int
144 rpcauth_init_credcache(struct rpc_auth *auth)
145 {
146         struct rpc_cred_cache *new;
147         int i;
148
149         new = kmalloc(sizeof(*new), GFP_KERNEL);
150         if (!new)
151                 return -ENOMEM;
152         for (i = 0; i < RPC_CREDCACHE_NR; i++)
153                 INIT_HLIST_HEAD(&new->hashtable[i]);
154         spin_lock_init(&new->lock);
155         auth->au_credcache = new;
156         return 0;
157 }
158 EXPORT_SYMBOL_GPL(rpcauth_init_credcache);
159
160 /*
161  * Destroy a list of credentials
162  */
163 static inline
164 void rpcauth_destroy_credlist(struct list_head *head)
165 {
166         struct rpc_cred *cred;
167
168         while (!list_empty(head)) {
169                 cred = list_entry(head->next, struct rpc_cred, cr_lru);
170                 list_del_init(&cred->cr_lru);
171                 put_rpccred(cred);
172         }
173 }
174
175 /*
176  * Clear the RPC credential cache, and delete those credentials
177  * that are not referenced.
178  */
179 void
180 rpcauth_clear_credcache(struct rpc_cred_cache *cache)
181 {
182         LIST_HEAD(free);
183         struct hlist_head *head;
184         struct rpc_cred *cred;
185         int             i;
186
187         spin_lock(&rpc_credcache_lock);
188         spin_lock(&cache->lock);
189         for (i = 0; i < RPC_CREDCACHE_NR; i++) {
190                 head = &cache->hashtable[i];
191                 while (!hlist_empty(head)) {
192                         cred = hlist_entry(head->first, struct rpc_cred, cr_hash);
193                         get_rpccred(cred);
194                         if (!list_empty(&cred->cr_lru)) {
195                                 list_del(&cred->cr_lru);
196                                 number_cred_unused--;
197                         }
198                         list_add_tail(&cred->cr_lru, &free);
199                         rpcauth_unhash_cred_locked(cred);
200                 }
201         }
202         spin_unlock(&cache->lock);
203         spin_unlock(&rpc_credcache_lock);
204         rpcauth_destroy_credlist(&free);
205 }
206
207 /*
208  * Destroy the RPC credential cache
209  */
210 void
211 rpcauth_destroy_credcache(struct rpc_auth *auth)
212 {
213         struct rpc_cred_cache *cache = auth->au_credcache;
214
215         if (cache) {
216                 auth->au_credcache = NULL;
217                 rpcauth_clear_credcache(cache);
218                 kfree(cache);
219         }
220 }
221 EXPORT_SYMBOL_GPL(rpcauth_destroy_credcache);
222
223 /*
224  * Remove stale credentials. Avoid sleeping inside the loop.
225  */
226 static int
227 rpcauth_prune_expired(struct list_head *free, int nr_to_scan)
228 {
229         spinlock_t *cache_lock;
230         struct rpc_cred *cred;
231
232         while (!list_empty(&cred_unused)) {
233                 cred = list_entry(cred_unused.next, struct rpc_cred, cr_lru);
234                 list_del_init(&cred->cr_lru);
235                 number_cred_unused--;
236                 if (atomic_read(&cred->cr_count) != 0)
237                         continue;
238                 cache_lock = &cred->cr_auth->au_credcache->lock;
239                 spin_lock(cache_lock);
240                 if (atomic_read(&cred->cr_count) == 0) {
241                         get_rpccred(cred);
242                         list_add_tail(&cred->cr_lru, free);
243                         rpcauth_unhash_cred_locked(cred);
244                         nr_to_scan--;
245                 }
246                 spin_unlock(cache_lock);
247                 if (nr_to_scan == 0)
248                         break;
249         }
250         return nr_to_scan;
251 }
252
253 /*
254  * Run memory cache shrinker.
255  */
256 static int
257 rpcauth_cache_shrinker(int nr_to_scan, gfp_t gfp_mask)
258 {
259         LIST_HEAD(free);
260         int res;
261
262         if (list_empty(&cred_unused))
263                 return 0;
264         spin_lock(&rpc_credcache_lock);
265         nr_to_scan = rpcauth_prune_expired(&free, nr_to_scan);
266         res = (number_cred_unused / 100) * sysctl_vfs_cache_pressure;
267         spin_unlock(&rpc_credcache_lock);
268         rpcauth_destroy_credlist(&free);
269         return res;
270 }
271
272 /*
273  * Look up a process' credentials in the authentication cache
274  */
275 struct rpc_cred *
276 rpcauth_lookup_credcache(struct rpc_auth *auth, struct auth_cred * acred,
277                 int flags)
278 {
279         LIST_HEAD(free);
280         struct rpc_cred_cache *cache = auth->au_credcache;
281         struct hlist_node *pos;
282         struct rpc_cred *cred = NULL,
283                         *entry, *new;
284         unsigned int nr;
285
286         nr = hash_long(acred->uid, RPC_CREDCACHE_HASHBITS);
287
288         rcu_read_lock();
289         hlist_for_each_entry_rcu(entry, pos, &cache->hashtable[nr], cr_hash) {
290                 if (!entry->cr_ops->crmatch(acred, entry, flags))
291                         continue;
292                 spin_lock(&cache->lock);
293                 if (test_bit(RPCAUTH_CRED_HASHED, &entry->cr_flags) == 0) {
294                         spin_unlock(&cache->lock);
295                         continue;
296                 }
297                 cred = get_rpccred(entry);
298                 spin_unlock(&cache->lock);
299                 break;
300         }
301         rcu_read_unlock();
302
303         if (cred != NULL)
304                 goto found;
305
306         new = auth->au_ops->crcreate(auth, acred, flags);
307         if (IS_ERR(new)) {
308                 cred = new;
309                 goto out;
310         }
311
312         spin_lock(&cache->lock);
313         hlist_for_each_entry(entry, pos, &cache->hashtable[nr], cr_hash) {
314                 if (!entry->cr_ops->crmatch(acred, entry, flags))
315                         continue;
316                 cred = get_rpccred(entry);
317                 break;
318         }
319         if (cred == NULL) {
320                 cred = new;
321                 set_bit(RPCAUTH_CRED_HASHED, &cred->cr_flags);
322                 hlist_add_head_rcu(&cred->cr_hash, &cache->hashtable[nr]);
323         } else
324                 list_add_tail(&new->cr_lru, &free);
325         spin_unlock(&cache->lock);
326 found:
327         if (test_bit(RPCAUTH_CRED_NEW, &cred->cr_flags)
328                         && cred->cr_ops->cr_init != NULL
329                         && !(flags & RPCAUTH_LOOKUP_NEW)) {
330                 int res = cred->cr_ops->cr_init(auth, cred);
331                 if (res < 0) {
332                         put_rpccred(cred);
333                         cred = ERR_PTR(res);
334                 }
335         }
336         rpcauth_destroy_credlist(&free);
337 out:
338         return cred;
339 }
340 EXPORT_SYMBOL_GPL(rpcauth_lookup_credcache);
341
342 struct rpc_cred *
343 rpcauth_lookupcred(struct rpc_auth *auth, int flags)
344 {
345         struct auth_cred acred = {
346                 .uid = current->fsuid,
347                 .gid = current->fsgid,
348                 .group_info = current->group_info,
349         };
350         struct rpc_cred *ret;
351
352         dprintk("RPC:       looking up %s cred\n",
353                 auth->au_ops->au_name);
354         get_group_info(acred.group_info);
355         ret = auth->au_ops->lookup_cred(auth, &acred, flags);
356         put_group_info(acred.group_info);
357         return ret;
358 }
359
360 void
361 rpcauth_init_cred(struct rpc_cred *cred, const struct auth_cred *acred,
362                   struct rpc_auth *auth, const struct rpc_credops *ops)
363 {
364         INIT_HLIST_NODE(&cred->cr_hash);
365         INIT_LIST_HEAD(&cred->cr_lru);
366         atomic_set(&cred->cr_count, 1);
367         cred->cr_auth = auth;
368         cred->cr_ops = ops;
369         cred->cr_expire = jiffies;
370 #ifdef RPC_DEBUG
371         cred->cr_magic = RPCAUTH_CRED_MAGIC;
372 #endif
373         cred->cr_uid = acred->uid;
374 }
375 EXPORT_SYMBOL_GPL(rpcauth_init_cred);
376
377 void
378 rpcauth_generic_bind_cred(struct rpc_task *task, struct rpc_cred *cred)
379 {
380         task->tk_msg.rpc_cred = get_rpccred(cred);
381         dprintk("RPC: %5u holding %s cred %p\n", task->tk_pid,
382                         cred->cr_auth->au_ops->au_name, cred);
383 }
384 EXPORT_SYMBOL_GPL(rpcauth_generic_bind_cred);
385
386 static void
387 rpcauth_bind_root_cred(struct rpc_task *task)
388 {
389         struct rpc_auth *auth = task->tk_client->cl_auth;
390         struct auth_cred acred = {
391                 .uid = 0,
392                 .gid = 0,
393         };
394         struct rpc_cred *ret;
395
396         dprintk("RPC: %5u looking up %s cred\n",
397                 task->tk_pid, task->tk_client->cl_auth->au_ops->au_name);
398         ret = auth->au_ops->lookup_cred(auth, &acred, 0);
399         if (!IS_ERR(ret))
400                 task->tk_msg.rpc_cred = ret;
401         else
402                 task->tk_status = PTR_ERR(ret);
403 }
404
405 static void
406 rpcauth_bind_new_cred(struct rpc_task *task)
407 {
408         struct rpc_auth *auth = task->tk_client->cl_auth;
409         struct rpc_cred *ret;
410
411         dprintk("RPC: %5u looking up %s cred\n",
412                 task->tk_pid, auth->au_ops->au_name);
413         ret = rpcauth_lookupcred(auth, 0);
414         if (!IS_ERR(ret))
415                 task->tk_msg.rpc_cred = ret;
416         else
417                 task->tk_status = PTR_ERR(ret);
418 }
419
420 void
421 rpcauth_bindcred(struct rpc_task *task, struct rpc_cred *cred, int flags)
422 {
423         if (cred != NULL)
424                 cred->cr_ops->crbind(task, cred);
425         else if (flags & RPC_TASK_ROOTCREDS)
426                 rpcauth_bind_root_cred(task);
427         else
428                 rpcauth_bind_new_cred(task);
429 }
430
431 void
432 put_rpccred(struct rpc_cred *cred)
433 {
434         /* Fast path for unhashed credentials */
435         if (test_bit(RPCAUTH_CRED_HASHED, &cred->cr_flags) != 0)
436                 goto need_lock;
437
438         if (!atomic_dec_and_test(&cred->cr_count))
439                 return;
440         goto out_destroy;
441 need_lock:
442         if (!atomic_dec_and_lock(&cred->cr_count, &rpc_credcache_lock))
443                 return;
444         if (!list_empty(&cred->cr_lru)) {
445                 number_cred_unused--;
446                 list_del_init(&cred->cr_lru);
447         }
448         if (test_bit(RPCAUTH_CRED_UPTODATE, &cred->cr_flags) == 0)
449                 rpcauth_unhash_cred(cred);
450         else if (test_bit(RPCAUTH_CRED_HASHED, &cred->cr_flags) != 0) {
451                 cred->cr_expire = jiffies;
452                 list_add_tail(&cred->cr_lru, &cred_unused);
453                 number_cred_unused++;
454                 spin_unlock(&rpc_credcache_lock);
455                 return;
456         }
457         spin_unlock(&rpc_credcache_lock);
458 out_destroy:
459         cred->cr_ops->crdestroy(cred);
460 }
461 EXPORT_SYMBOL_GPL(put_rpccred);
462
463 void
464 rpcauth_unbindcred(struct rpc_task *task)
465 {
466         struct rpc_cred *cred = task->tk_msg.rpc_cred;
467
468         dprintk("RPC: %5u releasing %s cred %p\n",
469                 task->tk_pid, cred->cr_auth->au_ops->au_name, cred);
470
471         put_rpccred(cred);
472         task->tk_msg.rpc_cred = NULL;
473 }
474
475 __be32 *
476 rpcauth_marshcred(struct rpc_task *task, __be32 *p)
477 {
478         struct rpc_cred *cred = task->tk_msg.rpc_cred;
479
480         dprintk("RPC: %5u marshaling %s cred %p\n",
481                 task->tk_pid, cred->cr_auth->au_ops->au_name, cred);
482
483         return cred->cr_ops->crmarshal(task, p);
484 }
485
486 __be32 *
487 rpcauth_checkverf(struct rpc_task *task, __be32 *p)
488 {
489         struct rpc_cred *cred = task->tk_msg.rpc_cred;
490
491         dprintk("RPC: %5u validating %s cred %p\n",
492                 task->tk_pid, cred->cr_auth->au_ops->au_name, cred);
493
494         return cred->cr_ops->crvalidate(task, p);
495 }
496
497 int
498 rpcauth_wrap_req(struct rpc_task *task, kxdrproc_t encode, void *rqstp,
499                 __be32 *data, void *obj)
500 {
501         struct rpc_cred *cred = task->tk_msg.rpc_cred;
502
503         dprintk("RPC: %5u using %s cred %p to wrap rpc data\n",
504                         task->tk_pid, cred->cr_ops->cr_name, cred);
505         if (cred->cr_ops->crwrap_req)
506                 return cred->cr_ops->crwrap_req(task, encode, rqstp, data, obj);
507         /* By default, we encode the arguments normally. */
508         return rpc_call_xdrproc(encode, rqstp, data, obj);
509 }
510
511 int
512 rpcauth_unwrap_resp(struct rpc_task *task, kxdrproc_t decode, void *rqstp,
513                 __be32 *data, void *obj)
514 {
515         struct rpc_cred *cred = task->tk_msg.rpc_cred;
516
517         dprintk("RPC: %5u using %s cred %p to unwrap rpc data\n",
518                         task->tk_pid, cred->cr_ops->cr_name, cred);
519         if (cred->cr_ops->crunwrap_resp)
520                 return cred->cr_ops->crunwrap_resp(task, decode, rqstp,
521                                                    data, obj);
522         /* By default, we decode the arguments normally. */
523         return rpc_call_xdrproc(decode, rqstp, data, obj);
524 }
525
526 int
527 rpcauth_refreshcred(struct rpc_task *task)
528 {
529         struct rpc_cred *cred = task->tk_msg.rpc_cred;
530         int err;
531
532         dprintk("RPC: %5u refreshing %s cred %p\n",
533                 task->tk_pid, cred->cr_auth->au_ops->au_name, cred);
534
535         err = cred->cr_ops->crrefresh(task);
536         if (err < 0)
537                 task->tk_status = err;
538         return err;
539 }
540
541 void
542 rpcauth_invalcred(struct rpc_task *task)
543 {
544         struct rpc_cred *cred = task->tk_msg.rpc_cred;
545
546         dprintk("RPC: %5u invalidating %s cred %p\n",
547                 task->tk_pid, cred->cr_auth->au_ops->au_name, cred);
548         if (cred)
549                 clear_bit(RPCAUTH_CRED_UPTODATE, &cred->cr_flags);
550 }
551
552 int
553 rpcauth_uptodatecred(struct rpc_task *task)
554 {
555         struct rpc_cred *cred = task->tk_msg.rpc_cred;
556
557         return cred == NULL ||
558                 test_bit(RPCAUTH_CRED_UPTODATE, &cred->cr_flags) != 0;
559 }
560
561 static struct shrinker rpc_cred_shrinker = {
562         .shrink = rpcauth_cache_shrinker,
563         .seeks = DEFAULT_SEEKS,
564 };
565
566 void __init rpcauth_init_module(void)
567 {
568         rpc_init_authunix();
569         rpc_init_generic_auth();
570         register_shrinker(&rpc_cred_shrinker);
571 }
572
573 void __exit rpcauth_remove_module(void)
574 {
575         unregister_shrinker(&rpc_cred_shrinker);
576 }