4 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
6 * This program is free software; you can redistribute it and/or modify
7 * it under the terms of the GNU General Public License version 2 only,
8 * as published by the Free Software Foundation.
10 * This program is distributed in the hope that it will be useful, but
11 * WITHOUT ANY WARRANTY; without even the implied warranty of
12 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
13 * General Public License version 2 for more details (a copy is included
14 * in the LICENSE file that accompanied this code).
16 * You should have received a copy of the GNU General Public License
17 * version 2 along with this program; If not, see
18 * http://www.gnu.org/licenses/gpl-2.0.html
23 * Copyright (c) 2007, 2010, Oracle and/or its affiliates. All rights reserved.
24 * Use is subject to license terms.
26 * Copyright (c) 2011, 2017, Intel Corporation.
29 * This file is part of Lustre, http://www.lustre.org/
33 * Author: Eric Mei <ericm@clusterfs.com>
36 #define DEBUG_SUBSYSTEM S_SEC
38 #include <linux/user_namespace.h>
39 #include <linux/uidgid.h>
40 #include <linux/crypto.h>
41 #include <linux/key.h>
43 #include <libcfs/libcfs.h>
45 #include <obd_class.h>
46 #include <obd_support.h>
47 #include <lustre_net.h>
48 #include <lustre_import.h>
49 #include <lustre_dlm.h>
50 #include <lustre_sec.h>
52 #include "ptlrpc_internal.h"
54 static int send_sepol;
55 module_param(send_sepol, int, 0644);
56 MODULE_PARM_DESC(send_sepol, "Client sends SELinux policy status");
62 static rwlock_t policy_lock;
63 static struct ptlrpc_sec_policy *policies[SPTLRPC_POLICY_MAX] = {
67 int sptlrpc_register_policy(struct ptlrpc_sec_policy *policy)
69 __u16 number = policy->sp_policy;
71 LASSERT(policy->sp_name);
72 LASSERT(policy->sp_cops);
73 LASSERT(policy->sp_sops);
75 if (number >= SPTLRPC_POLICY_MAX)
78 write_lock(&policy_lock);
79 if (unlikely(policies[number])) {
80 write_unlock(&policy_lock);
83 policies[number] = policy;
84 write_unlock(&policy_lock);
86 CDEBUG(D_SEC, "%s: registered\n", policy->sp_name);
89 EXPORT_SYMBOL(sptlrpc_register_policy);
91 int sptlrpc_unregister_policy(struct ptlrpc_sec_policy *policy)
93 __u16 number = policy->sp_policy;
95 LASSERT(number < SPTLRPC_POLICY_MAX);
97 write_lock(&policy_lock);
98 if (unlikely(policies[number] == NULL)) {
99 write_unlock(&policy_lock);
100 CERROR("%s: already unregistered\n", policy->sp_name);
104 LASSERT(policies[number] == policy);
105 policies[number] = NULL;
106 write_unlock(&policy_lock);
108 CDEBUG(D_SEC, "%s: unregistered\n", policy->sp_name);
111 EXPORT_SYMBOL(sptlrpc_unregister_policy);
114 struct ptlrpc_sec_policy *sptlrpc_wireflavor2policy(__u32 flavor)
116 static DEFINE_MUTEX(load_mutex);
117 struct ptlrpc_sec_policy *policy;
118 __u16 number = SPTLRPC_FLVR_POLICY(flavor);
121 if (number >= SPTLRPC_POLICY_MAX)
125 read_lock(&policy_lock);
126 policy = policies[number];
127 if (policy && !try_module_get(policy->sp_owner))
129 read_unlock(&policy_lock);
131 if (policy != NULL || number != SPTLRPC_POLICY_GSS)
134 /* try to load gss module, happens only if policy at index
135 * SPTLRPC_POLICY_GSS is not already referenced in
136 * global array policies[]
138 mutex_lock(&load_mutex);
139 /* The fact that request_module() returns 0 does not guarantee
140 * the module has done its job. So we must check that the
141 * requested policy is now available. This is done by checking
142 * again for policies[number] in the loop.
144 rc = request_module("ptlrpc_gss");
146 CDEBUG(D_SEC, "module ptlrpc_gss loaded on demand\n");
148 CERROR("Unable to load module ptlrpc_gss: rc %d\n", rc);
149 mutex_unlock(&load_mutex);
155 __u32 sptlrpc_name2flavor_base(const char *name)
157 if (!strcmp(name, "null"))
158 return SPTLRPC_FLVR_NULL;
159 if (!strcmp(name, "plain"))
160 return SPTLRPC_FLVR_PLAIN;
161 if (!strcmp(name, "gssnull"))
162 return SPTLRPC_FLVR_GSSNULL;
163 if (!strcmp(name, "krb5n"))
164 return SPTLRPC_FLVR_KRB5N;
165 if (!strcmp(name, "krb5a"))
166 return SPTLRPC_FLVR_KRB5A;
167 if (!strcmp(name, "krb5i"))
168 return SPTLRPC_FLVR_KRB5I;
169 if (!strcmp(name, "krb5p"))
170 return SPTLRPC_FLVR_KRB5P;
171 if (!strcmp(name, "skn"))
172 return SPTLRPC_FLVR_SKN;
173 if (!strcmp(name, "ska"))
174 return SPTLRPC_FLVR_SKA;
175 if (!strcmp(name, "ski"))
176 return SPTLRPC_FLVR_SKI;
177 if (!strcmp(name, "skpi"))
178 return SPTLRPC_FLVR_SKPI;
180 return SPTLRPC_FLVR_INVALID;
182 EXPORT_SYMBOL(sptlrpc_name2flavor_base);
184 const char *sptlrpc_flavor2name_base(__u32 flvr)
186 __u32 base = SPTLRPC_FLVR_BASE(flvr);
188 if (base == SPTLRPC_FLVR_BASE(SPTLRPC_FLVR_NULL))
190 else if (base == SPTLRPC_FLVR_BASE(SPTLRPC_FLVR_PLAIN))
192 else if (base == SPTLRPC_FLVR_BASE(SPTLRPC_FLVR_GSSNULL))
194 else if (base == SPTLRPC_FLVR_BASE(SPTLRPC_FLVR_KRB5N))
196 else if (base == SPTLRPC_FLVR_BASE(SPTLRPC_FLVR_KRB5A))
198 else if (base == SPTLRPC_FLVR_BASE(SPTLRPC_FLVR_KRB5I))
200 else if (base == SPTLRPC_FLVR_BASE(SPTLRPC_FLVR_KRB5P))
202 else if (base == SPTLRPC_FLVR_BASE(SPTLRPC_FLVR_SKN))
204 else if (base == SPTLRPC_FLVR_BASE(SPTLRPC_FLVR_SKA))
206 else if (base == SPTLRPC_FLVR_BASE(SPTLRPC_FLVR_SKI))
208 else if (base == SPTLRPC_FLVR_BASE(SPTLRPC_FLVR_SKPI))
211 CERROR("invalid wire flavor 0x%x\n", flvr);
214 EXPORT_SYMBOL(sptlrpc_flavor2name_base);
216 char *sptlrpc_flavor2name_bulk(struct sptlrpc_flavor *sf,
217 char *buf, int bufsize)
219 if (SPTLRPC_FLVR_POLICY(sf->sf_rpc) == SPTLRPC_POLICY_PLAIN)
220 snprintf(buf, bufsize, "hash:%s",
221 sptlrpc_get_hash_name(sf->u_bulk.hash.hash_alg));
223 snprintf(buf, bufsize, "%s",
224 sptlrpc_flavor2name_base(sf->sf_rpc));
226 buf[bufsize - 1] = '\0';
229 EXPORT_SYMBOL(sptlrpc_flavor2name_bulk);
231 char *sptlrpc_flavor2name(struct sptlrpc_flavor *sf, char *buf, int bufsize)
235 ln = snprintf(buf, bufsize, "%s", sptlrpc_flavor2name_base(sf->sf_rpc));
238 * currently we don't support customized bulk specification for
239 * flavors other than plain
241 if (SPTLRPC_FLVR_POLICY(sf->sf_rpc) == SPTLRPC_POLICY_PLAIN) {
245 sptlrpc_flavor2name_bulk(sf, bspec + 1, sizeof(bspec) - 1);
246 strncat(buf, bspec, bufsize - ln);
249 buf[bufsize - 1] = '\0';
252 EXPORT_SYMBOL(sptlrpc_flavor2name);
254 char *sptlrpc_secflags2str(__u32 flags, char *buf, int bufsize)
258 if (flags & PTLRPC_SEC_FL_REVERSE)
259 strlcat(buf, "reverse,", bufsize);
260 if (flags & PTLRPC_SEC_FL_ROOTONLY)
261 strlcat(buf, "rootonly,", bufsize);
262 if (flags & PTLRPC_SEC_FL_UDESC)
263 strlcat(buf, "udesc,", bufsize);
264 if (flags & PTLRPC_SEC_FL_BULK)
265 strlcat(buf, "bulk,", bufsize);
267 strlcat(buf, "-,", bufsize);
271 EXPORT_SYMBOL(sptlrpc_secflags2str);
274 * client context APIs
278 struct ptlrpc_cli_ctx *get_my_ctx(struct ptlrpc_sec *sec)
280 struct vfs_cred vcred;
281 int create = 1, remove_dead = 1;
284 LASSERT(sec->ps_policy->sp_cops->lookup_ctx);
286 if (sec->ps_flvr.sf_flags & (PTLRPC_SEC_FL_REVERSE |
287 PTLRPC_SEC_FL_ROOTONLY)) {
290 if (sec->ps_flvr.sf_flags & PTLRPC_SEC_FL_REVERSE) {
295 vcred.vc_uid = from_kuid(&init_user_ns, current_uid());
296 vcred.vc_gid = from_kgid(&init_user_ns, current_gid());
299 return sec->ps_policy->sp_cops->lookup_ctx(sec, &vcred, create,
303 struct ptlrpc_cli_ctx *sptlrpc_cli_ctx_get(struct ptlrpc_cli_ctx *ctx)
305 atomic_inc(&ctx->cc_refcount);
308 EXPORT_SYMBOL(sptlrpc_cli_ctx_get);
310 void sptlrpc_cli_ctx_put(struct ptlrpc_cli_ctx *ctx, int sync)
312 struct ptlrpc_sec *sec = ctx->cc_sec;
315 LASSERT(atomic_read(&(ctx)->cc_refcount) > 0);
317 if (!atomic_dec_and_test(&ctx->cc_refcount))
320 sec->ps_policy->sp_cops->release_ctx(sec, ctx, sync);
322 EXPORT_SYMBOL(sptlrpc_cli_ctx_put);
325 * Expire the client context immediately.
327 * \pre Caller must hold at least 1 reference on the \a ctx.
329 void sptlrpc_cli_ctx_expire(struct ptlrpc_cli_ctx *ctx)
331 LASSERT(ctx->cc_ops->die);
332 ctx->cc_ops->die(ctx, 0);
334 EXPORT_SYMBOL(sptlrpc_cli_ctx_expire);
337 * To wake up the threads who are waiting for this client context. Called
338 * after some status change happened on \a ctx.
340 void sptlrpc_cli_ctx_wakeup(struct ptlrpc_cli_ctx *ctx)
342 struct ptlrpc_request *req, *next;
344 spin_lock(&ctx->cc_lock);
345 list_for_each_entry_safe(req, next, &ctx->cc_req_list,
347 list_del_init(&req->rq_ctx_chain);
348 ptlrpc_client_wake_req(req);
350 spin_unlock(&ctx->cc_lock);
352 EXPORT_SYMBOL(sptlrpc_cli_ctx_wakeup);
354 int sptlrpc_cli_ctx_display(struct ptlrpc_cli_ctx *ctx, char *buf, int bufsize)
356 LASSERT(ctx->cc_ops);
358 if (ctx->cc_ops->display == NULL)
361 return ctx->cc_ops->display(ctx, buf, bufsize);
364 static int import_sec_check_expire(struct obd_import *imp)
368 write_lock(&imp->imp_sec_lock);
369 if (imp->imp_sec_expire &&
370 imp->imp_sec_expire < ktime_get_real_seconds()) {
372 imp->imp_sec_expire = 0;
374 write_unlock(&imp->imp_sec_lock);
379 CDEBUG(D_SEC, "found delayed sec adapt expired, do it now\n");
380 return sptlrpc_import_sec_adapt(imp, NULL, NULL);
384 * Get and validate the client side ptlrpc security facilities from
385 * \a imp. There is a race condition on client reconnect when the import is
386 * being destroyed while there are outstanding client bound requests. In
387 * this case do not output any error messages if import secuity is not
390 * \param[in] imp obd import associated with client
391 * \param[out] sec client side ptlrpc security
393 * \retval 0 if security retrieved successfully
394 * \retval -ve errno if there was a problem
396 static int import_sec_validate_get(struct obd_import *imp,
397 struct ptlrpc_sec **sec)
401 if (unlikely(imp->imp_sec_expire)) {
402 rc = import_sec_check_expire(imp);
407 *sec = sptlrpc_import_sec_ref(imp);
409 /* Only output an error when the import is still active */
410 if (!test_bit(WORK_STRUCT_PENDING_BIT,
411 work_data_bits(&imp->imp_zombie_work)))
412 CERROR("import %p (%s) with no sec\n",
413 imp, ptlrpc_import_state_name(imp->imp_state));
417 if (unlikely((*sec)->ps_dying)) {
418 CERROR("attempt to use dying sec %p\n", sec);
419 sptlrpc_sec_put(*sec);
427 * Given a \a req, find or allocate an appropriate context for it.
428 * \pre req->rq_cli_ctx == NULL.
430 * \retval 0 succeed, and req->rq_cli_ctx is set.
431 * \retval -ev error number, and req->rq_cli_ctx == NULL.
433 int sptlrpc_req_get_ctx(struct ptlrpc_request *req)
435 struct obd_import *imp = req->rq_import;
436 struct ptlrpc_sec *sec;
441 LASSERT(!req->rq_cli_ctx);
444 rc = import_sec_validate_get(imp, &sec);
448 req->rq_cli_ctx = get_my_ctx(sec);
450 sptlrpc_sec_put(sec);
452 if (!req->rq_cli_ctx) {
454 } else if (IS_ERR(req->rq_cli_ctx)) {
455 rc = PTR_ERR(req->rq_cli_ctx);
456 req->rq_cli_ctx = NULL;
460 CERROR("%s: fail to get context for req %p: rc = %d\n",
461 imp->imp_obd->obd_name, req, rc);
467 * Drop the context for \a req.
468 * \pre req->rq_cli_ctx != NULL.
469 * \post req->rq_cli_ctx == NULL.
471 * If \a sync == 0, this function should return quickly without sleep;
472 * otherwise it might trigger and wait for the whole process of sending
473 * an context-destroying rpc to server.
475 void sptlrpc_req_put_ctx(struct ptlrpc_request *req, int sync)
480 LASSERT(req->rq_cli_ctx);
483 * request might be asked to release earlier while still
484 * in the context waiting list.
486 if (!list_empty(&req->rq_ctx_chain)) {
487 spin_lock(&req->rq_cli_ctx->cc_lock);
488 list_del_init(&req->rq_ctx_chain);
489 spin_unlock(&req->rq_cli_ctx->cc_lock);
492 sptlrpc_cli_ctx_put(req->rq_cli_ctx, sync);
493 req->rq_cli_ctx = NULL;
498 int sptlrpc_req_ctx_switch(struct ptlrpc_request *req,
499 struct ptlrpc_cli_ctx *oldctx,
500 struct ptlrpc_cli_ctx *newctx)
502 struct sptlrpc_flavor old_flvr;
503 char *reqmsg = NULL; /* to workaround old gcc */
508 "req %p: switch ctx %p(%u->%s) -> %p(%u->%s), switch sec %p(%s) -> %p(%s)\n",
509 req, oldctx, oldctx->cc_vcred.vc_uid,
510 sec2target_str(oldctx->cc_sec), newctx, newctx->cc_vcred.vc_uid,
511 sec2target_str(newctx->cc_sec), oldctx->cc_sec,
512 oldctx->cc_sec->ps_policy->sp_name, newctx->cc_sec,
513 newctx->cc_sec->ps_policy->sp_name);
516 old_flvr = req->rq_flvr;
518 /* save request message */
519 reqmsg_size = req->rq_reqlen;
520 if (reqmsg_size != 0) {
521 LASSERT(req->rq_reqmsg);
522 OBD_ALLOC_LARGE(reqmsg, reqmsg_size);
525 memcpy(reqmsg, req->rq_reqmsg, reqmsg_size);
528 /* release old req/rep buf */
529 req->rq_cli_ctx = oldctx;
530 sptlrpc_cli_free_reqbuf(req);
531 sptlrpc_cli_free_repbuf(req);
532 req->rq_cli_ctx = newctx;
534 /* recalculate the flavor */
535 sptlrpc_req_set_flavor(req, 0);
538 * alloc new request buffer
539 * we don't need to alloc reply buffer here, leave it to the
540 * rest procedure of ptlrpc
542 if (reqmsg_size != 0) {
543 rc = sptlrpc_cli_alloc_reqbuf(req, reqmsg_size);
545 LASSERT(req->rq_reqmsg);
546 memcpy(req->rq_reqmsg, reqmsg, reqmsg_size);
548 CWARN("failed to alloc reqbuf: %d\n", rc);
549 req->rq_flvr = old_flvr;
552 OBD_FREE_LARGE(reqmsg, reqmsg_size);
558 * If current context of \a req is dead somehow, e.g. we just switched flavor
559 * thus marked original contexts dead, we'll find a new context for it. if
560 * no switch is needed, \a req will end up with the same context.
562 * \note a request must have a context, to keep other parts of code happy.
563 * In any case of failure during the switching, we must restore the old one.
565 int sptlrpc_req_replace_dead_ctx(struct ptlrpc_request *req)
567 struct ptlrpc_cli_ctx *oldctx = req->rq_cli_ctx;
568 struct ptlrpc_cli_ctx *newctx;
575 sptlrpc_cli_ctx_get(oldctx);
576 sptlrpc_req_put_ctx(req, 0);
578 rc = sptlrpc_req_get_ctx(req);
580 LASSERT(!req->rq_cli_ctx);
582 /* restore old ctx */
583 req->rq_cli_ctx = oldctx;
587 newctx = req->rq_cli_ctx;
590 if (unlikely(newctx == oldctx &&
591 test_bit(PTLRPC_CTX_DEAD_BIT, &oldctx->cc_flags))) {
593 * still get the old dead ctx, usually means system too busy
596 "ctx (%p, fl %lx) doesn't switch, relax a little bit\n",
597 newctx, newctx->cc_flags);
599 schedule_timeout_interruptible(cfs_time_seconds(1));
600 } else if (unlikely(test_bit(PTLRPC_CTX_UPTODATE_BIT, &newctx->cc_flags)
603 * new ctx not up to date yet
606 "ctx (%p, fl %lx) doesn't switch, not up to date yet\n",
607 newctx, newctx->cc_flags);
610 * it's possible newctx == oldctx if we're switching
611 * subflavor with the same sec.
613 rc = sptlrpc_req_ctx_switch(req, oldctx, newctx);
615 /* restore old ctx */
616 sptlrpc_req_put_ctx(req, 0);
617 req->rq_cli_ctx = oldctx;
621 LASSERT(req->rq_cli_ctx == newctx);
624 sptlrpc_cli_ctx_put(oldctx, 1);
627 EXPORT_SYMBOL(sptlrpc_req_replace_dead_ctx);
630 int ctx_check_refresh(struct ptlrpc_cli_ctx *ctx)
632 if (cli_ctx_is_refreshed(ctx))
638 void ctx_refresh_interrupt(struct ptlrpc_request *req)
641 spin_lock(&req->rq_lock);
643 spin_unlock(&req->rq_lock);
647 void req_off_ctx_list(struct ptlrpc_request *req, struct ptlrpc_cli_ctx *ctx)
649 spin_lock(&ctx->cc_lock);
650 if (!list_empty(&req->rq_ctx_chain))
651 list_del_init(&req->rq_ctx_chain);
652 spin_unlock(&ctx->cc_lock);
656 * To refresh the context of \req, if it's not up-to-date.
658 * - == 0: do not wait
659 * - == MAX_SCHEDULE_TIMEOUT: wait indefinitely
660 * - > 0: not supported
662 * The status of the context could be subject to be changed by other threads
663 * at any time. We allow this race, but once we return with 0, the caller will
664 * suppose it's uptodated and keep using it until the owning rpc is done.
666 * \retval 0 only if the context is uptodated.
667 * \retval -ev error number.
669 int sptlrpc_req_refresh_ctx(struct ptlrpc_request *req, long timeout)
671 struct ptlrpc_cli_ctx *ctx = req->rq_cli_ctx;
672 struct ptlrpc_sec *sec;
679 if (req->rq_ctx_init || req->rq_ctx_fini)
682 if (timeout != 0 && timeout != MAX_SCHEDULE_TIMEOUT) {
683 CERROR("req %p: invalid timeout %lu\n", req, timeout);
688 * during the process a request's context might change type even
689 * (e.g. from gss ctx to null ctx), so each loop we need to re-check
693 rc = import_sec_validate_get(req->rq_import, &sec);
697 if (sec->ps_flvr.sf_rpc != req->rq_flvr.sf_rpc) {
698 CDEBUG(D_SEC, "req %p: flavor has changed %x -> %x\n",
699 req, req->rq_flvr.sf_rpc, sec->ps_flvr.sf_rpc);
700 req_off_ctx_list(req, ctx);
701 sptlrpc_req_replace_dead_ctx(req);
702 ctx = req->rq_cli_ctx;
704 sptlrpc_sec_put(sec);
706 if (cli_ctx_is_eternal(ctx))
709 if (unlikely(test_bit(PTLRPC_CTX_NEW_BIT, &ctx->cc_flags))) {
710 if (ctx->cc_ops->refresh)
711 ctx->cc_ops->refresh(ctx);
713 LASSERT(test_bit(PTLRPC_CTX_NEW_BIT, &ctx->cc_flags) == 0);
715 LASSERT(ctx->cc_ops->validate);
716 if (ctx->cc_ops->validate(ctx) == 0) {
717 req_off_ctx_list(req, ctx);
721 if (unlikely(test_bit(PTLRPC_CTX_ERROR_BIT, &ctx->cc_flags))) {
722 spin_lock(&req->rq_lock);
724 spin_unlock(&req->rq_lock);
725 req_off_ctx_list(req, ctx);
730 * There's a subtle issue for resending RPCs, suppose following
732 * 1. the request was sent to server.
733 * 2. recovery was kicked start, after finished the request was
735 * 3. resend the request.
736 * 4. old reply from server received, we accept and verify the reply.
737 * this has to be success, otherwise the error will be aware
739 * 5. new reply from server received, dropped by LNet.
741 * Note the xid of old & new request is the same. We can't simply
742 * change xid for the resent request because the server replies on
743 * it for reply reconstruction.
745 * Commonly the original context should be uptodate because we
746 * have an expiry nice time; server will keep its context because
747 * we at least hold a ref of old context which prevent context
748 * from destroying RPC being sent. So server still can accept the
749 * request and finish the RPC. But if that's not the case:
750 * 1. If server side context has been trimmed, a NO_CONTEXT will
751 * be returned, gss_cli_ctx_verify/unseal will switch to new
753 * 2. Current context never be refreshed, then we are fine: we
754 * never really send request with old context before.
756 if (test_bit(PTLRPC_CTX_UPTODATE_BIT, &ctx->cc_flags) &&
757 unlikely(req->rq_reqmsg) &&
758 lustre_msg_get_flags(req->rq_reqmsg) & MSG_RESENT) {
759 req_off_ctx_list(req, ctx);
763 if (unlikely(test_bit(PTLRPC_CTX_DEAD_BIT, &ctx->cc_flags))) {
764 req_off_ctx_list(req, ctx);
766 * don't switch ctx if import was deactivated
768 if (req->rq_import->imp_deactive) {
769 spin_lock(&req->rq_lock);
771 spin_unlock(&req->rq_lock);
775 rc = sptlrpc_req_replace_dead_ctx(req);
777 LASSERT(ctx == req->rq_cli_ctx);
778 CERROR("req %p: failed to replace dead ctx %p: %d\n",
780 spin_lock(&req->rq_lock);
782 spin_unlock(&req->rq_lock);
786 ctx = req->rq_cli_ctx;
791 * Now we're sure this context is during upcall, add myself into
794 spin_lock(&ctx->cc_lock);
795 if (list_empty(&req->rq_ctx_chain))
796 list_add(&req->rq_ctx_chain, &ctx->cc_req_list);
797 spin_unlock(&ctx->cc_lock);
802 /* Clear any flags that may be present from previous sends */
803 LASSERT(req->rq_receiving_reply == 0);
804 spin_lock(&req->rq_lock);
806 req->rq_timedout = 0;
809 spin_unlock(&req->rq_lock);
811 /* by now we know that timeout value is MAX_SCHEDULE_TIMEOUT,
812 * so wait indefinitely with non-fatal signals blocked
814 if (l_wait_event_abortable(req->rq_reply_waitq,
815 ctx_check_refresh(ctx)) == -ERESTARTSYS) {
817 ctx_refresh_interrupt(req);
821 * following cases could lead us here:
822 * - successfully refreshed;
824 * - timedout, and we don't want recover from the failure;
825 * - timedout, and waked up upon recovery finished;
826 * - someone else mark this ctx dead by force;
827 * - someone invalidate the req and call ptlrpc_client_wake_req(),
828 * e.g. ptlrpc_abort_inflight();
830 if (!cli_ctx_is_refreshed(ctx)) {
831 /* timed out or interruptted */
832 req_off_ctx_list(req, ctx);
841 /* Bring ptlrpc_sec context up-to-date */
842 int sptlrpc_export_update_ctx(struct obd_export *exp)
844 struct obd_import *imp = exp ? exp->exp_imp_reverse : NULL;
845 struct ptlrpc_sec *sec = NULL;
846 struct ptlrpc_cli_ctx *ctx = NULL;
850 sec = sptlrpc_import_sec_ref(imp);
852 ctx = get_my_ctx(sec);
855 sptlrpc_sec_put(sec);
859 if (ctx->cc_ops->refresh)
860 rc = ctx->cc_ops->refresh(ctx);
861 sptlrpc_cli_ctx_put(ctx, 1);
867 * Initialize flavor settings for \a req, according to \a opcode.
869 * \note this could be called in two situations:
870 * - new request from ptlrpc_pre_req(), with proper @opcode
871 * - old request which changed ctx in the middle, with @opcode == 0
873 void sptlrpc_req_set_flavor(struct ptlrpc_request *req, int opcode)
875 struct ptlrpc_sec *sec;
877 LASSERT(req->rq_import);
878 LASSERT(req->rq_cli_ctx);
879 LASSERT(req->rq_cli_ctx->cc_sec);
880 LASSERT(req->rq_bulk_read == 0 || req->rq_bulk_write == 0);
882 /* special security flags according to opcode */
886 case MGS_CONFIG_READ:
888 req->rq_bulk_read = 1;
892 req->rq_bulk_write = 1;
895 req->rq_ctx_init = 1;
898 req->rq_ctx_fini = 1;
901 /* init/fini rpc won't be resend, so can't be here */
902 LASSERT(req->rq_ctx_init == 0);
903 LASSERT(req->rq_ctx_fini == 0);
905 /* cleanup flags, which should be recalculated */
906 req->rq_pack_udesc = 0;
907 req->rq_pack_bulk = 0;
911 sec = req->rq_cli_ctx->cc_sec;
913 spin_lock(&sec->ps_lock);
914 req->rq_flvr = sec->ps_flvr;
915 spin_unlock(&sec->ps_lock);
918 * force SVC_NULL for context initiation rpc, SVC_INTG for context
921 if (unlikely(req->rq_ctx_init))
922 flvr_set_svc(&req->rq_flvr.sf_rpc, SPTLRPC_SVC_NULL);
923 else if (unlikely(req->rq_ctx_fini))
924 flvr_set_svc(&req->rq_flvr.sf_rpc, SPTLRPC_SVC_INTG);
926 /* user descriptor flag, null security can't do it anyway */
927 if ((sec->ps_flvr.sf_flags & PTLRPC_SEC_FL_UDESC) &&
928 (req->rq_flvr.sf_rpc != SPTLRPC_FLVR_NULL))
929 req->rq_pack_udesc = 1;
931 /* bulk security flag */
932 if ((req->rq_bulk_read || req->rq_bulk_write) &&
933 sptlrpc_flavor_has_bulk(&req->rq_flvr))
934 req->rq_pack_bulk = 1;
937 void sptlrpc_request_out_callback(struct ptlrpc_request *req)
939 if (SPTLRPC_FLVR_SVC(req->rq_flvr.sf_rpc) != SPTLRPC_SVC_PRIV)
942 LASSERT(req->rq_clrbuf);
943 if (req->rq_pool || !req->rq_reqbuf)
946 OBD_FREE(req->rq_reqbuf, req->rq_reqbuf_len);
947 req->rq_reqbuf = NULL;
948 req->rq_reqbuf_len = 0;
952 * Given an import \a imp, check whether current user has a valid context
953 * or not. We may create a new context and try to refresh it, and try
954 * repeatedly try in case of non-fatal errors. Return 0 means success.
956 int sptlrpc_import_check_ctx(struct obd_import *imp)
958 struct ptlrpc_sec *sec;
959 struct ptlrpc_cli_ctx *ctx;
960 struct ptlrpc_request *req = NULL;
967 sec = sptlrpc_import_sec_ref(imp);
968 ctx = get_my_ctx(sec);
969 sptlrpc_sec_put(sec);
972 RETURN(PTR_ERR(ctx));
976 if (cli_ctx_is_eternal(ctx) ||
977 ctx->cc_ops->validate(ctx) == 0) {
978 sptlrpc_cli_ctx_put(ctx, 1);
982 if (cli_ctx_is_error(ctx)) {
983 sptlrpc_cli_ctx_put(ctx, 1);
987 req = ptlrpc_request_cache_alloc(GFP_NOFS);
991 ptlrpc_cli_req_init(req);
992 atomic_set(&req->rq_refcount, 10000);
994 req->rq_import = imp;
995 req->rq_flvr = sec->ps_flvr;
996 req->rq_cli_ctx = ctx;
998 rc = sptlrpc_req_refresh_ctx(req, MAX_SCHEDULE_TIMEOUT);
999 LASSERT(list_empty(&req->rq_ctx_chain));
1000 sptlrpc_cli_ctx_put(req->rq_cli_ctx, 1);
1001 ptlrpc_request_cache_free(req);
1007 * Used by ptlrpc client, to perform the pre-defined security transformation
1008 * upon the request message of \a req. After this function called,
1009 * req->rq_reqmsg is still accessible as clear text.
1011 int sptlrpc_cli_wrap_request(struct ptlrpc_request *req)
1013 struct ptlrpc_cli_ctx *ctx = req->rq_cli_ctx;
1019 LASSERT(ctx->cc_sec);
1020 LASSERT(req->rq_reqbuf || req->rq_clrbuf);
1023 * we wrap bulk request here because now we can be sure
1024 * the context is uptodate.
1027 rc = sptlrpc_cli_wrap_bulk(req, req->rq_bulk);
1032 switch (SPTLRPC_FLVR_SVC(req->rq_flvr.sf_rpc)) {
1033 case SPTLRPC_SVC_NULL:
1034 case SPTLRPC_SVC_AUTH:
1035 case SPTLRPC_SVC_INTG:
1036 LASSERT(ctx->cc_ops->sign);
1037 rc = ctx->cc_ops->sign(ctx, req);
1039 case SPTLRPC_SVC_PRIV:
1040 LASSERT(ctx->cc_ops->seal);
1041 rc = ctx->cc_ops->seal(ctx, req);
1048 LASSERT(req->rq_reqdata_len);
1049 LASSERT(req->rq_reqdata_len % 8 == 0);
1050 LASSERT(req->rq_reqdata_len <= req->rq_reqbuf_len);
1056 static int do_cli_unwrap_reply(struct ptlrpc_request *req)
1058 struct ptlrpc_cli_ctx *ctx = req->rq_cli_ctx;
1064 LASSERT(ctx->cc_sec);
1065 LASSERT(req->rq_repbuf);
1066 LASSERT(req->rq_repdata);
1067 LASSERT(req->rq_repmsg == NULL);
1069 req->rq_rep_swab_mask = 0;
1071 rc = __lustre_unpack_msg(req->rq_repdata, req->rq_repdata_len);
1074 req_capsule_set_rep_swabbed(&req->rq_pill,
1075 MSG_PTLRPC_HEADER_OFF);
1079 CERROR("failed unpack reply: x%llu\n", req->rq_xid);
1083 if (req->rq_repdata_len < sizeof(struct lustre_msg)) {
1084 CERROR("replied data length %d too small\n",
1085 req->rq_repdata_len);
1089 if (SPTLRPC_FLVR_POLICY(req->rq_repdata->lm_secflvr) !=
1090 SPTLRPC_FLVR_POLICY(req->rq_flvr.sf_rpc)) {
1091 CERROR("reply policy %u doesn't match request policy %u\n",
1092 SPTLRPC_FLVR_POLICY(req->rq_repdata->lm_secflvr),
1093 SPTLRPC_FLVR_POLICY(req->rq_flvr.sf_rpc));
1097 switch (SPTLRPC_FLVR_SVC(req->rq_flvr.sf_rpc)) {
1098 case SPTLRPC_SVC_NULL:
1099 case SPTLRPC_SVC_AUTH:
1100 case SPTLRPC_SVC_INTG:
1101 LASSERT(ctx->cc_ops->verify);
1102 rc = ctx->cc_ops->verify(ctx, req);
1104 case SPTLRPC_SVC_PRIV:
1105 LASSERT(ctx->cc_ops->unseal);
1106 rc = ctx->cc_ops->unseal(ctx, req);
1111 LASSERT(rc || req->rq_repmsg || req->rq_resend);
1113 if (SPTLRPC_FLVR_POLICY(req->rq_flvr.sf_rpc) != SPTLRPC_POLICY_NULL &&
1115 req->rq_rep_swab_mask = 0;
1120 * Used by ptlrpc client, to perform security transformation upon the reply
1121 * message of \a req. After return successfully, req->rq_repmsg points to
1122 * the reply message in clear text.
1124 * \pre the reply buffer should have been un-posted from LNet, so nothing is
1127 int sptlrpc_cli_unwrap_reply(struct ptlrpc_request *req)
1129 LASSERT(req->rq_repbuf);
1130 LASSERT(req->rq_repdata == NULL);
1131 LASSERT(req->rq_repmsg == NULL);
1132 LASSERT(req->rq_reply_off + req->rq_nob_received <= req->rq_repbuf_len);
1134 if (req->rq_reply_off == 0 &&
1135 (lustre_msghdr_get_flags(req->rq_reqmsg) & MSGHDR_AT_SUPPORT)) {
1136 CERROR("real reply with offset 0\n");
1140 if (req->rq_reply_off % 8 != 0) {
1141 CERROR("reply at odd offset %u\n", req->rq_reply_off);
1145 req->rq_repdata = (struct lustre_msg *)
1146 (req->rq_repbuf + req->rq_reply_off);
1147 req->rq_repdata_len = req->rq_nob_received;
1149 return do_cli_unwrap_reply(req);
1153 * Used by ptlrpc client, to perform security transformation upon the early
1154 * reply message of \a req. We expect the rq_reply_off is 0, and
1155 * rq_nob_received is the early reply size.
1157 * Because the receive buffer might be still posted, the reply data might be
1158 * changed at any time, no matter we're holding rq_lock or not. For this reason
1159 * we allocate a separate ptlrpc_request and reply buffer for early reply
1162 * \retval 0 success, \a req_ret is filled with a duplicated ptlrpc_request.
1163 * Later the caller must call sptlrpc_cli_finish_early_reply() on the returned
1164 * \a *req_ret to release it.
1165 * \retval -ev error number, and \a req_ret will not be set.
1167 int sptlrpc_cli_unwrap_early_reply(struct ptlrpc_request *req,
1168 struct ptlrpc_request **req_ret)
1170 struct ptlrpc_request *early_req;
1172 int early_bufsz, early_size;
1177 early_req = ptlrpc_request_cache_alloc(GFP_NOFS);
1178 if (early_req == NULL)
1181 ptlrpc_cli_req_init(early_req);
1183 early_size = req->rq_nob_received;
1184 early_bufsz = size_roundup_power2(early_size);
1185 OBD_ALLOC_LARGE(early_buf, early_bufsz);
1186 if (early_buf == NULL)
1187 GOTO(err_req, rc = -ENOMEM);
1189 /* sanity checkings and copy data out, do it inside spinlock */
1190 spin_lock(&req->rq_lock);
1192 if (req->rq_replied) {
1193 spin_unlock(&req->rq_lock);
1194 GOTO(err_buf, rc = -EALREADY);
1197 LASSERT(req->rq_repbuf);
1198 LASSERT(req->rq_repdata == NULL);
1199 LASSERT(req->rq_repmsg == NULL);
1201 if (req->rq_reply_off != 0) {
1202 CERROR("early reply with offset %u\n", req->rq_reply_off);
1203 spin_unlock(&req->rq_lock);
1204 GOTO(err_buf, rc = -EPROTO);
1207 if (req->rq_nob_received != early_size) {
1208 /* even another early arrived the size should be the same */
1209 CERROR("data size has changed from %u to %u\n",
1210 early_size, req->rq_nob_received);
1211 spin_unlock(&req->rq_lock);
1212 GOTO(err_buf, rc = -EINVAL);
1215 if (req->rq_nob_received < sizeof(struct lustre_msg)) {
1216 CERROR("early reply length %d too small\n",
1217 req->rq_nob_received);
1218 spin_unlock(&req->rq_lock);
1219 GOTO(err_buf, rc = -EALREADY);
1222 memcpy(early_buf, req->rq_repbuf, early_size);
1223 spin_unlock(&req->rq_lock);
1225 early_req->rq_cli_ctx = sptlrpc_cli_ctx_get(req->rq_cli_ctx);
1226 early_req->rq_flvr = req->rq_flvr;
1227 early_req->rq_repbuf = early_buf;
1228 early_req->rq_repbuf_len = early_bufsz;
1229 early_req->rq_repdata = (struct lustre_msg *) early_buf;
1230 early_req->rq_repdata_len = early_size;
1231 early_req->rq_early = 1;
1232 early_req->rq_reqmsg = req->rq_reqmsg;
1234 rc = do_cli_unwrap_reply(early_req);
1236 DEBUG_REQ(D_ADAPTTO, early_req,
1237 "unwrap early reply: rc = %d", rc);
1241 LASSERT(early_req->rq_repmsg);
1242 *req_ret = early_req;
1246 sptlrpc_cli_ctx_put(early_req->rq_cli_ctx, 1);
1248 OBD_FREE_LARGE(early_buf, early_bufsz);
1250 ptlrpc_request_cache_free(early_req);
1255 * Used by ptlrpc client, to release a processed early reply \a early_req.
1257 * \pre \a early_req was obtained from calling sptlrpc_cli_unwrap_early_reply().
1259 void sptlrpc_cli_finish_early_reply(struct ptlrpc_request *early_req)
1261 LASSERT(early_req->rq_repbuf);
1262 LASSERT(early_req->rq_repdata);
1263 LASSERT(early_req->rq_repmsg);
1265 sptlrpc_cli_ctx_put(early_req->rq_cli_ctx, 1);
1266 OBD_FREE_LARGE(early_req->rq_repbuf, early_req->rq_repbuf_len);
1267 ptlrpc_request_cache_free(early_req);
1270 /**************************************************
1272 **************************************************/
1275 * "fixed" sec (e.g. null) use sec_id < 0
1277 static atomic_t sptlrpc_sec_id = ATOMIC_INIT(1);
1279 int sptlrpc_get_next_secid(void)
1281 return atomic_inc_return(&sptlrpc_sec_id);
1283 EXPORT_SYMBOL(sptlrpc_get_next_secid);
1286 * client side high-level security APIs
1289 static int sec_cop_flush_ctx_cache(struct ptlrpc_sec *sec, uid_t uid,
1290 int grace, int force)
1292 struct ptlrpc_sec_policy *policy = sec->ps_policy;
1294 LASSERT(policy->sp_cops);
1295 LASSERT(policy->sp_cops->flush_ctx_cache);
1297 return policy->sp_cops->flush_ctx_cache(sec, uid, grace, force);
1300 static void sec_cop_destroy_sec(struct ptlrpc_sec *sec)
1302 struct ptlrpc_sec_policy *policy = sec->ps_policy;
1303 struct sptlrpc_sepol *sepol;
1305 LASSERT(atomic_read(&sec->ps_refcount) == 0);
1306 LASSERT(policy->sp_cops->destroy_sec);
1308 CDEBUG(D_SEC, "%s@%p: being destroyed\n", sec->ps_policy->sp_name, sec);
1310 spin_lock(&sec->ps_lock);
1311 sec->ps_sepol_checknext = ktime_set(0, 0);
1312 sepol = rcu_dereference_protected(sec->ps_sepol, 1);
1313 rcu_assign_pointer(sec->ps_sepol, NULL);
1314 spin_unlock(&sec->ps_lock);
1316 sptlrpc_sepol_put(sepol);
1318 policy->sp_cops->destroy_sec(sec);
1319 sptlrpc_policy_put(policy);
1322 void sptlrpc_sec_destroy(struct ptlrpc_sec *sec)
1324 sec_cop_destroy_sec(sec);
1326 EXPORT_SYMBOL(sptlrpc_sec_destroy);
1328 static void sptlrpc_sec_kill(struct ptlrpc_sec *sec)
1330 LASSERT(atomic_read(&(sec)->ps_refcount) > 0);
1332 if (sec->ps_policy->sp_cops->kill_sec) {
1333 sec->ps_policy->sp_cops->kill_sec(sec);
1335 sec_cop_flush_ctx_cache(sec, -1, 1, 1);
1339 struct ptlrpc_sec *sptlrpc_sec_get(struct ptlrpc_sec *sec)
1342 atomic_inc(&sec->ps_refcount);
1346 EXPORT_SYMBOL(sptlrpc_sec_get);
1348 void sptlrpc_sec_put(struct ptlrpc_sec *sec)
1351 LASSERT(atomic_read(&(sec)->ps_refcount) > 0);
1353 if (atomic_dec_and_test(&sec->ps_refcount)) {
1354 sptlrpc_gc_del_sec(sec);
1355 sec_cop_destroy_sec(sec);
1359 EXPORT_SYMBOL(sptlrpc_sec_put);
1362 * policy module is responsible for taking refrence of import
1365 struct ptlrpc_sec * sptlrpc_sec_create(struct obd_import *imp,
1366 struct ptlrpc_svc_ctx *svc_ctx,
1367 struct sptlrpc_flavor *sf,
1368 enum lustre_sec_part sp)
1370 struct ptlrpc_sec_policy *policy;
1371 struct ptlrpc_sec *sec;
1377 LASSERT(imp->imp_dlm_fake == 1);
1379 CDEBUG(D_SEC, "%s %s: reverse sec using flavor %s\n",
1380 imp->imp_obd->obd_type->typ_name,
1381 imp->imp_obd->obd_name,
1382 sptlrpc_flavor2name(sf, str, sizeof(str)));
1384 policy = sptlrpc_policy_get(svc_ctx->sc_policy);
1385 sf->sf_flags |= PTLRPC_SEC_FL_REVERSE | PTLRPC_SEC_FL_ROOTONLY;
1387 LASSERT(imp->imp_dlm_fake == 0);
1389 CDEBUG(D_SEC, "%s %s: select security flavor %s\n",
1390 imp->imp_obd->obd_type->typ_name,
1391 imp->imp_obd->obd_name,
1392 sptlrpc_flavor2name(sf, str, sizeof(str)));
1394 policy = sptlrpc_wireflavor2policy(sf->sf_rpc);
1396 CERROR("invalid flavor 0x%x\n", sf->sf_rpc);
1401 sec = policy->sp_cops->create_sec(imp, svc_ctx, sf);
1403 atomic_inc(&sec->ps_refcount);
1407 if (sec->ps_gc_interval && policy->sp_cops->gc_ctx)
1408 sptlrpc_gc_add_sec(sec);
1410 sptlrpc_policy_put(policy);
1416 static int print_srpc_serverctx_seq(struct obd_export *exp, void *cb_data)
1418 struct seq_file *m = cb_data;
1419 struct obd_import *imp = exp->exp_imp_reverse;
1420 struct ptlrpc_sec *sec = NULL;
1423 sec = sptlrpc_import_sec_ref(imp);
1427 if (sec->ps_policy->sp_cops->display)
1428 sec->ps_policy->sp_cops->display(sec, m);
1430 sptlrpc_sec_put(sec);
1435 int lprocfs_srpc_serverctx_seq_show(struct seq_file *m, void *data)
1437 struct obd_device *obd = m->private;
1438 struct obd_export *exp, *n;
1440 spin_lock(&obd->obd_dev_lock);
1441 list_for_each_entry_safe(exp, n, &obd->obd_exports, exp_obd_chain) {
1442 print_srpc_serverctx_seq(exp, m);
1444 spin_unlock(&obd->obd_dev_lock);
1448 EXPORT_SYMBOL(lprocfs_srpc_serverctx_seq_show);
1450 struct ptlrpc_sec *sptlrpc_import_sec_ref(struct obd_import *imp)
1452 struct ptlrpc_sec *sec;
1454 read_lock(&imp->imp_sec_lock);
1455 sec = sptlrpc_sec_get(imp->imp_sec);
1456 read_unlock(&imp->imp_sec_lock);
1460 EXPORT_SYMBOL(sptlrpc_import_sec_ref);
1462 static void sptlrpc_import_sec_install(struct obd_import *imp,
1463 struct ptlrpc_sec *sec)
1465 struct ptlrpc_sec *old_sec;
1467 LASSERT(atomic_read(&(sec)->ps_refcount) > 0);
1469 write_lock(&imp->imp_sec_lock);
1470 old_sec = imp->imp_sec;
1472 write_unlock(&imp->imp_sec_lock);
1475 sptlrpc_sec_kill(old_sec);
1477 /* balance the ref taken by this import */
1478 sptlrpc_sec_put(old_sec);
1483 int flavor_equal(struct sptlrpc_flavor *sf1, struct sptlrpc_flavor *sf2)
1485 return (memcmp(sf1, sf2, sizeof(*sf1)) == 0);
1489 void flavor_copy(struct sptlrpc_flavor *dst, struct sptlrpc_flavor *src)
1495 * To get an appropriate ptlrpc_sec for the \a imp, according to the current
1496 * configuration. Upon called, imp->imp_sec may or may not be NULL.
1498 * - regular import: \a svc_ctx should be NULL and \a flvr is ignored;
1499 * - reverse import: \a svc_ctx and \a flvr are obtained from incoming request.
1501 int sptlrpc_import_sec_adapt(struct obd_import *imp,
1502 struct ptlrpc_svc_ctx *svc_ctx,
1503 struct sptlrpc_flavor *flvr)
1505 struct ptlrpc_connection *conn;
1506 struct sptlrpc_flavor sf;
1507 struct ptlrpc_sec *sec, *newsec;
1508 enum lustre_sec_part sp;
1519 conn = imp->imp_connection;
1521 if (svc_ctx == NULL) {
1522 struct client_obd *cliobd = &imp->imp_obd->u.cli;
1524 * normal import, determine flavor from rule set, except
1525 * for mgc the flavor is predetermined.
1527 if (cliobd->cl_sp_me == LUSTRE_SP_MGC)
1528 sf = cliobd->cl_flvr_mgc;
1530 sptlrpc_conf_choose_flavor(cliobd->cl_sp_me,
1532 &cliobd->cl_target_uuid,
1533 &conn->c_self, &sf);
1535 sp = imp->imp_obd->u.cli.cl_sp_me;
1537 /* reverse import, determine flavor from incoming reqeust */
1540 if (sf.sf_rpc != SPTLRPC_FLVR_NULL)
1541 sf.sf_flags = PTLRPC_SEC_FL_REVERSE |
1542 PTLRPC_SEC_FL_ROOTONLY;
1544 sp = sptlrpc_target_sec_part(imp->imp_obd);
1547 sec = sptlrpc_import_sec_ref(imp);
1551 if (flavor_equal(&sf, &sec->ps_flvr))
1554 CDEBUG(D_SEC, "import %s->%s: changing flavor %s -> %s\n",
1555 imp->imp_obd->obd_name,
1556 obd_uuid2str(&conn->c_remote_uuid),
1557 sptlrpc_flavor2name(&sec->ps_flvr, str, sizeof(str)),
1558 sptlrpc_flavor2name(&sf, str2, sizeof(str2)));
1559 } else if (SPTLRPC_FLVR_BASE(sf.sf_rpc) !=
1560 SPTLRPC_FLVR_BASE(SPTLRPC_FLVR_NULL)) {
1561 CDEBUG(D_SEC, "import %s->%s netid %x: select flavor %s\n",
1562 imp->imp_obd->obd_name,
1563 obd_uuid2str(&conn->c_remote_uuid),
1564 LNET_NID_NET(&conn->c_self),
1565 sptlrpc_flavor2name(&sf, str, sizeof(str)));
1568 newsec = sptlrpc_sec_create(imp, svc_ctx, &sf, sp);
1570 sptlrpc_import_sec_install(imp, newsec);
1572 CERROR("import %s->%s: failed to create new sec\n",
1573 imp->imp_obd->obd_name,
1574 obd_uuid2str(&conn->c_remote_uuid));
1579 sptlrpc_sec_put(sec);
1583 void sptlrpc_import_sec_put(struct obd_import *imp)
1586 sptlrpc_sec_kill(imp->imp_sec);
1588 sptlrpc_sec_put(imp->imp_sec);
1589 imp->imp_sec = NULL;
1593 static void import_flush_ctx_common(struct obd_import *imp,
1594 uid_t uid, int grace, int force)
1596 struct ptlrpc_sec *sec;
1601 sec = sptlrpc_import_sec_ref(imp);
1605 sec_cop_flush_ctx_cache(sec, uid, grace, force);
1606 sptlrpc_sec_put(sec);
1609 void sptlrpc_import_flush_root_ctx(struct obd_import *imp)
1612 * it's important to use grace mode, see explain in
1613 * sptlrpc_req_refresh_ctx()
1615 import_flush_ctx_common(imp, 0, 1, 1);
1618 void sptlrpc_import_flush_my_ctx(struct obd_import *imp)
1620 import_flush_ctx_common(imp, from_kuid(&init_user_ns, current_uid()),
1623 EXPORT_SYMBOL(sptlrpc_import_flush_my_ctx);
1625 void sptlrpc_import_flush_all_ctx(struct obd_import *imp)
1627 import_flush_ctx_common(imp, -1, 1, 1);
1629 EXPORT_SYMBOL(sptlrpc_import_flush_all_ctx);
1632 * Used by ptlrpc client to allocate request buffer of \a req. Upon return
1633 * successfully, req->rq_reqmsg points to a buffer with size \a msgsize.
1635 int sptlrpc_cli_alloc_reqbuf(struct ptlrpc_request *req, int msgsize)
1637 struct ptlrpc_cli_ctx *ctx = req->rq_cli_ctx;
1638 struct ptlrpc_sec_policy *policy;
1642 LASSERT(ctx->cc_sec);
1643 LASSERT(ctx->cc_sec->ps_policy);
1644 LASSERT(req->rq_reqmsg == NULL);
1645 LASSERT(atomic_read(&(ctx)->cc_refcount) > 0);
1647 policy = ctx->cc_sec->ps_policy;
1648 rc = policy->sp_cops->alloc_reqbuf(ctx->cc_sec, req, msgsize);
1650 LASSERT(req->rq_reqmsg);
1651 LASSERT(req->rq_reqbuf || req->rq_clrbuf);
1653 /* zeroing preallocated buffer */
1655 memset(req->rq_reqmsg, 0, msgsize);
1662 * Used by ptlrpc client to free request buffer of \a req. After this
1663 * req->rq_reqmsg is set to NULL and should not be accessed anymore.
1665 void sptlrpc_cli_free_reqbuf(struct ptlrpc_request *req)
1667 struct ptlrpc_cli_ctx *ctx = req->rq_cli_ctx;
1668 struct ptlrpc_sec_policy *policy;
1671 LASSERT(ctx->cc_sec);
1672 LASSERT(ctx->cc_sec->ps_policy);
1673 LASSERT(atomic_read(&(ctx)->cc_refcount) > 0);
1675 if (req->rq_reqbuf == NULL && req->rq_clrbuf == NULL)
1678 policy = ctx->cc_sec->ps_policy;
1679 policy->sp_cops->free_reqbuf(ctx->cc_sec, req);
1680 req->rq_reqmsg = NULL;
1684 * NOTE caller must guarantee the buffer size is enough for the enlargement
1686 void _sptlrpc_enlarge_msg_inplace(struct lustre_msg *msg,
1687 int segment, int newsize)
1690 int oldsize, oldmsg_size, movesize;
1692 LASSERT(segment < msg->lm_bufcount);
1693 LASSERT(msg->lm_buflens[segment] <= newsize);
1695 if (msg->lm_buflens[segment] == newsize)
1698 /* nothing to do if we are enlarging the last segment */
1699 if (segment == msg->lm_bufcount - 1) {
1700 msg->lm_buflens[segment] = newsize;
1704 oldsize = msg->lm_buflens[segment];
1706 src = lustre_msg_buf(msg, segment + 1, 0);
1707 msg->lm_buflens[segment] = newsize;
1708 dst = lustre_msg_buf(msg, segment + 1, 0);
1709 msg->lm_buflens[segment] = oldsize;
1711 /* move from segment + 1 to end segment */
1712 LASSERT(msg->lm_magic == LUSTRE_MSG_MAGIC_V2);
1713 oldmsg_size = lustre_msg_size_v2(msg->lm_bufcount, msg->lm_buflens);
1714 movesize = oldmsg_size - ((unsigned long) src - (unsigned long) msg);
1715 LASSERT(movesize >= 0);
1718 memmove(dst, src, movesize);
1720 /* note we don't clear the ares where old data live, not secret */
1722 /* finally set new segment size */
1723 msg->lm_buflens[segment] = newsize;
1725 EXPORT_SYMBOL(_sptlrpc_enlarge_msg_inplace);
1728 * Used by ptlrpc client to enlarge the \a segment of request message pointed
1729 * by req->rq_reqmsg to size \a newsize, all previously filled-in data will be
1730 * preserved after the enlargement. this must be called after original request
1731 * buffer being allocated.
1733 * \note after this be called, rq_reqmsg and rq_reqlen might have been changed,
1734 * so caller should refresh its local pointers if needed.
1736 int sptlrpc_cli_enlarge_reqbuf(struct ptlrpc_request *req,
1737 const struct req_msg_field *field,
1740 struct req_capsule *pill = &req->rq_pill;
1741 struct ptlrpc_cli_ctx *ctx = req->rq_cli_ctx;
1742 struct ptlrpc_sec_cops *cops;
1743 struct lustre_msg *msg = req->rq_reqmsg;
1744 int segment = __req_capsule_offset(pill, field, RCL_CLIENT);
1748 LASSERT(msg->lm_bufcount > segment);
1749 LASSERT(msg->lm_buflens[segment] <= newsize);
1751 if (msg->lm_buflens[segment] == newsize)
1754 cops = ctx->cc_sec->ps_policy->sp_cops;
1755 LASSERT(cops->enlarge_reqbuf);
1756 return cops->enlarge_reqbuf(ctx->cc_sec, req, segment, newsize);
1758 EXPORT_SYMBOL(sptlrpc_cli_enlarge_reqbuf);
1761 * Used by ptlrpc client to allocate reply buffer of \a req.
1763 * \note After this, req->rq_repmsg is still not accessible.
1765 int sptlrpc_cli_alloc_repbuf(struct ptlrpc_request *req, int msgsize)
1767 struct ptlrpc_cli_ctx *ctx = req->rq_cli_ctx;
1768 struct ptlrpc_sec_policy *policy;
1773 LASSERT(ctx->cc_sec);
1774 LASSERT(ctx->cc_sec->ps_policy);
1779 policy = ctx->cc_sec->ps_policy;
1780 RETURN(policy->sp_cops->alloc_repbuf(ctx->cc_sec, req, msgsize));
1784 * Used by ptlrpc client to free reply buffer of \a req. After this
1785 * req->rq_repmsg is set to NULL and should not be accessed anymore.
1787 void sptlrpc_cli_free_repbuf(struct ptlrpc_request *req)
1789 struct ptlrpc_cli_ctx *ctx = req->rq_cli_ctx;
1790 struct ptlrpc_sec_policy *policy;
1795 LASSERT(ctx->cc_sec);
1796 LASSERT(ctx->cc_sec->ps_policy);
1797 LASSERT(atomic_read(&(ctx)->cc_refcount) > 0);
1799 if (req->rq_repbuf == NULL)
1801 LASSERT(req->rq_repbuf_len);
1803 policy = ctx->cc_sec->ps_policy;
1804 policy->sp_cops->free_repbuf(ctx->cc_sec, req);
1805 req->rq_repmsg = NULL;
1808 EXPORT_SYMBOL(sptlrpc_cli_free_repbuf);
1810 int sptlrpc_cli_install_rvs_ctx(struct obd_import *imp,
1811 struct ptlrpc_cli_ctx *ctx)
1813 struct ptlrpc_sec_policy *policy = ctx->cc_sec->ps_policy;
1815 if (!policy->sp_cops->install_rctx)
1817 return policy->sp_cops->install_rctx(imp, ctx->cc_sec, ctx);
1820 int sptlrpc_svc_install_rvs_ctx(struct obd_import *imp,
1821 struct ptlrpc_svc_ctx *ctx)
1823 struct ptlrpc_sec_policy *policy = ctx->sc_policy;
1825 if (!policy->sp_sops->install_rctx)
1827 return policy->sp_sops->install_rctx(imp, ctx);
1831 /* Get SELinux policy info from userspace */
1832 static int sepol_helper(struct obd_import *imp)
1834 char mtime_str[21] = { 0 }, mode_str[2] = { 0 };
1836 [0] = "/usr/sbin/l_getsepol",
1838 [2] = NULL, /* obd type */
1840 [4] = NULL, /* obd name */
1842 [6] = mtime_str, /* policy mtime */
1844 [8] = mode_str, /* enforcing mode */
1847 struct sptlrpc_sepol *sepol;
1850 [1] = "PATH=/sbin:/usr/sbin",
1856 if (imp == NULL || imp->imp_obd == NULL ||
1857 imp->imp_obd->obd_type == NULL)
1860 argv[2] = (char *)imp->imp_obd->obd_type->typ_name;
1861 argv[4] = imp->imp_obd->obd_name;
1864 sepol = rcu_dereference(imp->imp_sec->ps_sepol);
1866 /* ps_sepol has not been initialized */
1872 mtime_ms = ktime_to_ms(sepol->ssp_mtime);
1873 snprintf(mtime_str, sizeof(mtime_str), "%lld",
1874 mtime_ms / MSEC_PER_SEC);
1875 if (sepol->ssp_sepol_size > 1)
1876 mode_str[0] = sepol->ssp_sepol[0];
1880 ret = call_usermodehelper(argv[0], argv, envp, UMH_WAIT_PROC);
1886 static inline int sptlrpc_sepol_needs_check(struct ptlrpc_sec *imp_sec)
1890 if (send_sepol == 0)
1893 if (send_sepol == -1)
1894 /* send_sepol == -1 means fetch sepol status every time */
1897 spin_lock(&imp_sec->ps_lock);
1898 checknext = imp_sec->ps_sepol_checknext;
1899 spin_unlock(&imp_sec->ps_lock);
1901 /* next check is too far in time, please update */
1902 if (ktime_after(checknext,
1903 ktime_add(ktime_get(), ktime_set(send_sepol, 0))))
1906 if (ktime_before(ktime_get(), checknext))
1907 /* too early to fetch sepol status */
1911 /* define new sepol_checknext time */
1912 spin_lock(&imp_sec->ps_lock);
1913 imp_sec->ps_sepol_checknext = ktime_add(ktime_get(),
1914 ktime_set(send_sepol, 0));
1915 spin_unlock(&imp_sec->ps_lock);
1920 static void sptlrpc_sepol_release(struct kref *ref)
1922 struct sptlrpc_sepol *p = container_of(ref, struct sptlrpc_sepol,
1924 kfree_rcu(p, ssp_rcu);
1927 void sptlrpc_sepol_put(struct sptlrpc_sepol *pol)
1931 kref_put(&pol->ssp_ref, sptlrpc_sepol_release);
1933 EXPORT_SYMBOL(sptlrpc_sepol_put);
1935 struct sptlrpc_sepol *sptlrpc_sepol_get_cached(struct ptlrpc_sec *imp_sec)
1937 struct sptlrpc_sepol *p;
1941 p = rcu_dereference(imp_sec->ps_sepol);
1942 if (p && !kref_get_unless_zero(&p->ssp_ref)) {
1950 EXPORT_SYMBOL(sptlrpc_sepol_get_cached);
1952 struct sptlrpc_sepol *sptlrpc_sepol_get(struct ptlrpc_request *req)
1954 struct ptlrpc_sec *imp_sec = req->rq_import->imp_sec;
1955 struct sptlrpc_sepol *out;
1960 #ifndef HAVE_SELINUX
1961 if (unlikely(send_sepol != 0))
1963 "Client cannot report SELinux status, it was not built against libselinux.\n");
1967 if (send_sepol == 0)
1970 if (imp_sec == NULL)
1971 RETURN(ERR_PTR(-EINVAL));
1973 /* Retrieve SELinux status info */
1974 if (sptlrpc_sepol_needs_check(imp_sec))
1975 rc = sepol_helper(req->rq_import);
1977 if (unlikely(rc == -ENODEV)) {
1979 "Client cannot report SELinux status, SELinux is disabled.\n");
1983 RETURN(ERR_PTR(rc));
1985 out = sptlrpc_sepol_get_cached(imp_sec);
1987 RETURN(ERR_PTR(-ENODATA));
1991 EXPORT_SYMBOL(sptlrpc_sepol_get);
1994 * server side security
1997 static int flavor_allowed(struct sptlrpc_flavor *exp,
1998 struct ptlrpc_request *req)
2000 struct sptlrpc_flavor *flvr = &req->rq_flvr;
2002 if (exp->sf_rpc == SPTLRPC_FLVR_ANY || exp->sf_rpc == flvr->sf_rpc)
2005 if ((req->rq_ctx_init || req->rq_ctx_fini) &&
2006 SPTLRPC_FLVR_POLICY(exp->sf_rpc) ==
2007 SPTLRPC_FLVR_POLICY(flvr->sf_rpc) &&
2008 SPTLRPC_FLVR_MECH(exp->sf_rpc) == SPTLRPC_FLVR_MECH(flvr->sf_rpc))
2014 #define EXP_FLVR_UPDATE_EXPIRE (OBD_TIMEOUT_DEFAULT + 10)
2017 * Given an export \a exp, check whether the flavor of incoming \a req
2018 * is allowed by the export \a exp. Main logic is about taking care of
2019 * changing configurations. Return 0 means success.
2021 int sptlrpc_target_export_check(struct obd_export *exp,
2022 struct ptlrpc_request *req)
2024 struct sptlrpc_flavor flavor;
2030 * client side export has no imp_reverse, skip
2031 * FIXME maybe we should check flavor this as well???
2033 if (exp->exp_imp_reverse == NULL)
2036 /* don't care about ctx fini rpc */
2037 if (req->rq_ctx_fini)
2040 spin_lock(&exp->exp_lock);
2043 * if flavor just changed (exp->exp_flvr_changed != 0), we wait for
2044 * the first req with the new flavor, then treat it as current flavor,
2045 * adapt reverse sec according to it.
2046 * note the first rpc with new flavor might not be with root ctx, in
2047 * which case delay the sec_adapt by leaving exp_flvr_adapt == 1.
2049 if (unlikely(exp->exp_flvr_changed) &&
2050 flavor_allowed(&exp->exp_flvr_old[1], req)) {
2052 * make the new flavor as "current", and old ones as
2055 CDEBUG(D_SEC, "exp %p: just changed: %x->%x\n", exp,
2056 exp->exp_flvr.sf_rpc, exp->exp_flvr_old[1].sf_rpc);
2057 flavor = exp->exp_flvr_old[1];
2058 exp->exp_flvr_old[1] = exp->exp_flvr_old[0];
2059 exp->exp_flvr_expire[1] = exp->exp_flvr_expire[0];
2060 exp->exp_flvr_old[0] = exp->exp_flvr;
2061 exp->exp_flvr_expire[0] = ktime_get_real_seconds() +
2062 EXP_FLVR_UPDATE_EXPIRE;
2063 exp->exp_flvr = flavor;
2065 /* flavor change finished */
2066 exp->exp_flvr_changed = 0;
2067 LASSERT(exp->exp_flvr_adapt == 1);
2069 /* if it's gss, we only interested in root ctx init */
2070 if (req->rq_auth_gss &&
2071 !(req->rq_ctx_init &&
2072 (req->rq_auth_usr_root || req->rq_auth_usr_mdt ||
2073 req->rq_auth_usr_ost))) {
2074 spin_unlock(&exp->exp_lock);
2075 CDEBUG(D_SEC, "is good but not root(%d:%d:%d:%d:%d)\n",
2076 req->rq_auth_gss, req->rq_ctx_init,
2077 req->rq_auth_usr_root, req->rq_auth_usr_mdt,
2078 req->rq_auth_usr_ost);
2082 exp->exp_flvr_adapt = 0;
2083 spin_unlock(&exp->exp_lock);
2085 return sptlrpc_import_sec_adapt(exp->exp_imp_reverse,
2086 req->rq_svc_ctx, &flavor);
2090 * if it equals to the current flavor, we accept it, but need to
2091 * dealing with reverse sec/ctx
2093 if (likely(flavor_allowed(&exp->exp_flvr, req))) {
2095 * most cases should return here, we only interested in
2098 if (!req->rq_auth_gss || !req->rq_ctx_init ||
2099 (!req->rq_auth_usr_root && !req->rq_auth_usr_mdt &&
2100 !req->rq_auth_usr_ost)) {
2101 spin_unlock(&exp->exp_lock);
2106 * if flavor just changed, we should not proceed, just leave
2107 * it and current flavor will be discovered and replaced
2108 * shortly, and let _this_ rpc pass through
2110 if (exp->exp_flvr_changed) {
2111 LASSERT(exp->exp_flvr_adapt);
2112 spin_unlock(&exp->exp_lock);
2116 if (exp->exp_flvr_adapt) {
2117 exp->exp_flvr_adapt = 0;
2118 CDEBUG(D_SEC, "exp %p (%x|%x|%x): do delayed adapt\n",
2119 exp, exp->exp_flvr.sf_rpc,
2120 exp->exp_flvr_old[0].sf_rpc,
2121 exp->exp_flvr_old[1].sf_rpc);
2122 flavor = exp->exp_flvr;
2123 spin_unlock(&exp->exp_lock);
2125 return sptlrpc_import_sec_adapt(exp->exp_imp_reverse,
2130 "exp %p (%x|%x|%x): is current flavor, install rvs ctx\n",
2131 exp, exp->exp_flvr.sf_rpc,
2132 exp->exp_flvr_old[0].sf_rpc,
2133 exp->exp_flvr_old[1].sf_rpc);
2134 spin_unlock(&exp->exp_lock);
2136 return sptlrpc_svc_install_rvs_ctx(exp->exp_imp_reverse,
2141 if (exp->exp_flvr_expire[0]) {
2142 if (exp->exp_flvr_expire[0] >= ktime_get_real_seconds()) {
2143 if (flavor_allowed(&exp->exp_flvr_old[0], req)) {
2145 "exp %p (%x|%x|%x): match the middle one (%lld)\n",
2146 exp, exp->exp_flvr.sf_rpc,
2147 exp->exp_flvr_old[0].sf_rpc,
2148 exp->exp_flvr_old[1].sf_rpc,
2149 (s64)(exp->exp_flvr_expire[0] -
2150 ktime_get_real_seconds()));
2151 spin_unlock(&exp->exp_lock);
2155 CDEBUG(D_SEC, "mark middle expired\n");
2156 exp->exp_flvr_expire[0] = 0;
2158 CDEBUG(D_SEC, "exp %p (%x|%x|%x): %x not match middle\n", exp,
2159 exp->exp_flvr.sf_rpc,
2160 exp->exp_flvr_old[0].sf_rpc, exp->exp_flvr_old[1].sf_rpc,
2161 req->rq_flvr.sf_rpc);
2165 * now it doesn't match the current flavor, the only chance we can
2166 * accept it is match the old flavors which is not expired.
2168 if (exp->exp_flvr_changed == 0 && exp->exp_flvr_expire[1]) {
2169 if (exp->exp_flvr_expire[1] >= ktime_get_real_seconds()) {
2170 if (flavor_allowed(&exp->exp_flvr_old[1], req)) {
2171 CDEBUG(D_SEC, "exp %p (%x|%x|%x): match the oldest one (%lld)\n",
2173 exp->exp_flvr.sf_rpc,
2174 exp->exp_flvr_old[0].sf_rpc,
2175 exp->exp_flvr_old[1].sf_rpc,
2176 (s64)(exp->exp_flvr_expire[1] -
2177 ktime_get_real_seconds()));
2178 spin_unlock(&exp->exp_lock);
2182 CDEBUG(D_SEC, "mark oldest expired\n");
2183 exp->exp_flvr_expire[1] = 0;
2185 CDEBUG(D_SEC, "exp %p (%x|%x|%x): %x not match found\n",
2186 exp, exp->exp_flvr.sf_rpc,
2187 exp->exp_flvr_old[0].sf_rpc, exp->exp_flvr_old[1].sf_rpc,
2188 req->rq_flvr.sf_rpc);
2190 CDEBUG(D_SEC, "exp %p (%x|%x|%x): skip the last one\n",
2191 exp, exp->exp_flvr.sf_rpc, exp->exp_flvr_old[0].sf_rpc,
2192 exp->exp_flvr_old[1].sf_rpc);
2195 spin_unlock(&exp->exp_lock);
2197 CWARN("exp %p(%s): req %p (%u|%u|%u|%u|%u|%u) with unauthorized flavor %x, expect %x|%x(%+lld)|%x(%+lld)\n",
2198 exp, exp->exp_obd->obd_name,
2199 req, req->rq_auth_gss, req->rq_ctx_init, req->rq_ctx_fini,
2200 req->rq_auth_usr_root, req->rq_auth_usr_mdt, req->rq_auth_usr_ost,
2201 req->rq_flvr.sf_rpc,
2202 exp->exp_flvr.sf_rpc,
2203 exp->exp_flvr_old[0].sf_rpc,
2204 exp->exp_flvr_expire[0] ?
2205 (s64)(exp->exp_flvr_expire[0] - ktime_get_real_seconds()) : 0,
2206 exp->exp_flvr_old[1].sf_rpc,
2207 exp->exp_flvr_expire[1] ?
2208 (s64)(exp->exp_flvr_expire[1] - ktime_get_real_seconds()) : 0);
2211 EXPORT_SYMBOL(sptlrpc_target_export_check);
2213 void sptlrpc_target_update_exp_flavor(struct obd_device *obd,
2214 struct sptlrpc_rule_set *rset)
2216 struct obd_export *exp;
2217 struct sptlrpc_flavor new_flvr;
2221 spin_lock(&obd->obd_dev_lock);
2223 list_for_each_entry(exp, &obd->obd_exports, exp_obd_chain) {
2224 if (exp->exp_connection == NULL)
2228 * note if this export had just been updated flavor
2229 * (exp_flvr_changed == 1), this will override the
2232 spin_lock(&exp->exp_lock);
2233 sptlrpc_target_choose_flavor(rset, exp->exp_sp_peer,
2234 &exp->exp_connection->c_peer.nid,
2236 if (exp->exp_flvr_changed ||
2237 !flavor_equal(&new_flvr, &exp->exp_flvr)) {
2238 exp->exp_flvr_old[1] = new_flvr;
2239 exp->exp_flvr_expire[1] = 0;
2240 exp->exp_flvr_changed = 1;
2241 exp->exp_flvr_adapt = 1;
2243 CDEBUG(D_SEC, "exp %p (%s): updated flavor %x->%x\n",
2244 exp, sptlrpc_part2name(exp->exp_sp_peer),
2245 exp->exp_flvr.sf_rpc,
2246 exp->exp_flvr_old[1].sf_rpc);
2248 spin_unlock(&exp->exp_lock);
2251 spin_unlock(&obd->obd_dev_lock);
2253 EXPORT_SYMBOL(sptlrpc_target_update_exp_flavor);
2255 static int sptlrpc_svc_check_from(struct ptlrpc_request *req, int svc_rc)
2257 /* peer's claim is unreliable unless gss is being used */
2258 if (!req->rq_auth_gss || svc_rc == SECSVC_DROP)
2261 switch (req->rq_sp_from) {
2263 if (req->rq_auth_usr_mdt || req->rq_auth_usr_ost) {
2264 /* The below message is checked in sanity-sec test_33 */
2265 DEBUG_REQ(D_ERROR, req, "faked source CLI");
2266 svc_rc = SECSVC_DROP;
2270 if (!req->rq_auth_usr_mdt) {
2271 /* The below message is checked in sanity-sec test_33 */
2272 DEBUG_REQ(D_ERROR, req, "faked source MDT");
2273 svc_rc = SECSVC_DROP;
2277 if (!req->rq_auth_usr_ost) {
2278 /* The below message is checked in sanity-sec test_33 */
2279 DEBUG_REQ(D_ERROR, req, "faked source OST");
2280 svc_rc = SECSVC_DROP;
2285 if (!req->rq_auth_usr_root && !req->rq_auth_usr_mdt &&
2286 !req->rq_auth_usr_ost) {
2287 /* The below message is checked in sanity-sec test_33 */
2288 DEBUG_REQ(D_ERROR, req, "faked source MGC/MGS");
2289 svc_rc = SECSVC_DROP;
2294 DEBUG_REQ(D_ERROR, req, "invalid source %u", req->rq_sp_from);
2295 svc_rc = SECSVC_DROP;
2302 * Used by ptlrpc server, to perform transformation upon request message of
2303 * incoming \a req. This must be the first thing to do with an incoming
2304 * request in ptlrpc layer.
2306 * \retval SECSVC_OK success, and req->rq_reqmsg point to request message in
2307 * clear text, size is req->rq_reqlen; also req->rq_svc_ctx is set.
2308 * \retval SECSVC_COMPLETE success, the request has been fully processed, and
2309 * reply message has been prepared.
2310 * \retval SECSVC_DROP failed, this request should be dropped.
2312 int sptlrpc_svc_unwrap_request(struct ptlrpc_request *req)
2314 struct ptlrpc_sec_policy *policy;
2315 struct lustre_msg *msg = req->rq_reqbuf;
2321 LASSERT(req->rq_reqmsg == NULL);
2322 LASSERT(req->rq_repmsg == NULL);
2323 LASSERT(req->rq_svc_ctx == NULL);
2325 req->rq_req_swab_mask = 0;
2327 rc = __lustre_unpack_msg(msg, req->rq_reqdata_len);
2330 req_capsule_set_req_swabbed(&req->rq_pill,
2331 MSG_PTLRPC_HEADER_OFF);
2335 CERROR("error unpacking request from %s x%llu\n",
2336 libcfs_idstr(&req->rq_peer), req->rq_xid);
2337 RETURN(SECSVC_DROP);
2340 req->rq_flvr.sf_rpc = WIRE_FLVR(msg->lm_secflvr);
2341 req->rq_sp_from = LUSTRE_SP_ANY;
2342 req->rq_auth_uid = -1; /* set to INVALID_UID */
2343 req->rq_auth_mapped_uid = -1;
2345 policy = sptlrpc_wireflavor2policy(req->rq_flvr.sf_rpc);
2347 CERROR("unsupported rpc flavor %x\n", req->rq_flvr.sf_rpc);
2348 RETURN(SECSVC_DROP);
2351 LASSERT(policy->sp_sops->accept);
2352 rc = policy->sp_sops->accept(req);
2353 sptlrpc_policy_put(policy);
2354 LASSERT(req->rq_reqmsg || rc != SECSVC_OK);
2355 LASSERT(req->rq_svc_ctx || rc == SECSVC_DROP);
2358 * if it's not null flavor (which means embedded packing msg),
2359 * reset the swab mask for the comming inner msg unpacking.
2361 if (SPTLRPC_FLVR_POLICY(req->rq_flvr.sf_rpc) != SPTLRPC_POLICY_NULL)
2362 req->rq_req_swab_mask = 0;
2364 /* sanity check for the request source */
2365 rc = sptlrpc_svc_check_from(req, rc);
2370 * Used by ptlrpc server, to allocate reply buffer for \a req. If succeed,
2371 * req->rq_reply_state is set, and req->rq_reply_state->rs_msg point to
2372 * a buffer of \a msglen size.
2374 int sptlrpc_svc_alloc_rs(struct ptlrpc_request *req, int msglen)
2376 struct ptlrpc_sec_policy *policy;
2377 struct ptlrpc_reply_state *rs;
2382 LASSERT(req->rq_svc_ctx);
2383 LASSERT(req->rq_svc_ctx->sc_policy);
2385 policy = req->rq_svc_ctx->sc_policy;
2386 LASSERT(policy->sp_sops->alloc_rs);
2388 rc = policy->sp_sops->alloc_rs(req, msglen);
2389 if (unlikely(rc == -ENOMEM)) {
2390 struct ptlrpc_service_part *svcpt = req->rq_rqbd->rqbd_svcpt;
2392 if (svcpt->scp_service->srv_max_reply_size <
2393 msglen + sizeof(struct ptlrpc_reply_state)) {
2394 /* Just return failure if the size is too big */
2395 CERROR("size of message is too big (%zd), %d allowed\n",
2396 msglen + sizeof(struct ptlrpc_reply_state),
2397 svcpt->scp_service->srv_max_reply_size);
2401 /* failed alloc, try emergency pool */
2402 rs = lustre_get_emerg_rs(svcpt);
2406 req->rq_reply_state = rs;
2407 rc = policy->sp_sops->alloc_rs(req, msglen);
2409 lustre_put_emerg_rs(rs);
2410 req->rq_reply_state = NULL;
2415 (req->rq_reply_state && req->rq_reply_state->rs_msg));
2421 * Used by ptlrpc server, to perform transformation upon reply message.
2423 * \post req->rq_reply_off is set to approriate server-controlled reply offset.
2424 * \post req->rq_repmsg and req->rq_reply_state->rs_msg becomes inaccessible.
2426 int sptlrpc_svc_wrap_reply(struct ptlrpc_request *req)
2428 struct ptlrpc_sec_policy *policy;
2433 LASSERT(req->rq_svc_ctx);
2434 LASSERT(req->rq_svc_ctx->sc_policy);
2436 policy = req->rq_svc_ctx->sc_policy;
2437 LASSERT(policy->sp_sops->authorize);
2439 rc = policy->sp_sops->authorize(req);
2440 LASSERT(rc || req->rq_reply_state->rs_repdata_len);
2446 * Used by ptlrpc server, to free reply_state.
2448 void sptlrpc_svc_free_rs(struct ptlrpc_reply_state *rs)
2450 struct ptlrpc_sec_policy *policy;
2451 unsigned int prealloc;
2455 LASSERT(rs->rs_svc_ctx);
2456 LASSERT(rs->rs_svc_ctx->sc_policy);
2458 policy = rs->rs_svc_ctx->sc_policy;
2459 LASSERT(policy->sp_sops->free_rs);
2461 prealloc = rs->rs_prealloc;
2462 policy->sp_sops->free_rs(rs);
2465 lustre_put_emerg_rs(rs);
2469 void sptlrpc_svc_ctx_addref(struct ptlrpc_request *req)
2471 struct ptlrpc_svc_ctx *ctx = req->rq_svc_ctx;
2474 atomic_inc(&ctx->sc_refcount);
2477 void sptlrpc_svc_ctx_decref(struct ptlrpc_request *req)
2479 struct ptlrpc_svc_ctx *ctx = req->rq_svc_ctx;
2484 LASSERT(atomic_read(&(ctx)->sc_refcount) > 0);
2485 if (atomic_dec_and_test(&ctx->sc_refcount)) {
2486 if (ctx->sc_policy->sp_sops->free_ctx)
2487 ctx->sc_policy->sp_sops->free_ctx(ctx);
2489 req->rq_svc_ctx = NULL;
2492 void sptlrpc_svc_ctx_invalidate(struct ptlrpc_request *req)
2494 struct ptlrpc_svc_ctx *ctx = req->rq_svc_ctx;
2499 LASSERT(atomic_read(&(ctx)->sc_refcount) > 0);
2500 if (ctx->sc_policy->sp_sops->invalidate_ctx)
2501 ctx->sc_policy->sp_sops->invalidate_ctx(ctx);
2503 EXPORT_SYMBOL(sptlrpc_svc_ctx_invalidate);
2510 * Perform transformation upon bulk data pointed by \a desc. This is called
2511 * before transforming the request message.
2513 int sptlrpc_cli_wrap_bulk(struct ptlrpc_request *req,
2514 struct ptlrpc_bulk_desc *desc)
2516 struct ptlrpc_cli_ctx *ctx;
2518 LASSERT(req->rq_bulk_read || req->rq_bulk_write);
2520 if (!req->rq_pack_bulk)
2523 ctx = req->rq_cli_ctx;
2524 if (ctx->cc_ops->wrap_bulk)
2525 return ctx->cc_ops->wrap_bulk(ctx, req, desc);
2528 EXPORT_SYMBOL(sptlrpc_cli_wrap_bulk);
2531 * This is called after unwrap the reply message.
2532 * return nob of actual plain text size received, or error code.
2534 int sptlrpc_cli_unwrap_bulk_read(struct ptlrpc_request *req,
2535 struct ptlrpc_bulk_desc *desc,
2538 struct ptlrpc_cli_ctx *ctx;
2541 LASSERT(req->rq_bulk_read && !req->rq_bulk_write);
2543 if (!req->rq_pack_bulk)
2544 return desc->bd_nob_transferred;
2546 ctx = req->rq_cli_ctx;
2547 if (ctx->cc_ops->unwrap_bulk) {
2548 rc = ctx->cc_ops->unwrap_bulk(ctx, req, desc);
2552 return desc->bd_nob_transferred;
2554 EXPORT_SYMBOL(sptlrpc_cli_unwrap_bulk_read);
2557 * This is called after unwrap the reply message.
2558 * return 0 for success or error code.
2560 int sptlrpc_cli_unwrap_bulk_write(struct ptlrpc_request *req,
2561 struct ptlrpc_bulk_desc *desc)
2563 struct ptlrpc_cli_ctx *ctx;
2566 LASSERT(!req->rq_bulk_read && req->rq_bulk_write);
2568 if (!req->rq_pack_bulk)
2571 ctx = req->rq_cli_ctx;
2572 if (ctx->cc_ops->unwrap_bulk) {
2573 rc = ctx->cc_ops->unwrap_bulk(ctx, req, desc);
2579 * if everything is going right, nob should equals to nob_transferred.
2580 * in case of privacy mode, nob_transferred needs to be adjusted.
2582 if (desc->bd_nob != desc->bd_nob_transferred) {
2583 CERROR("nob %d doesn't match transferred nob %d\n",
2584 desc->bd_nob, desc->bd_nob_transferred);
2590 EXPORT_SYMBOL(sptlrpc_cli_unwrap_bulk_write);
2592 #ifdef HAVE_SERVER_SUPPORT
2594 * Performe transformation upon outgoing bulk read.
2596 int sptlrpc_svc_wrap_bulk(struct ptlrpc_request *req,
2597 struct ptlrpc_bulk_desc *desc)
2599 struct ptlrpc_svc_ctx *ctx;
2601 LASSERT(req->rq_bulk_read);
2603 if (!req->rq_pack_bulk)
2606 ctx = req->rq_svc_ctx;
2607 if (ctx->sc_policy->sp_sops->wrap_bulk)
2608 return ctx->sc_policy->sp_sops->wrap_bulk(req, desc);
2612 EXPORT_SYMBOL(sptlrpc_svc_wrap_bulk);
2615 * Performe transformation upon incoming bulk write.
2617 int sptlrpc_svc_unwrap_bulk(struct ptlrpc_request *req,
2618 struct ptlrpc_bulk_desc *desc)
2620 struct ptlrpc_svc_ctx *ctx;
2623 LASSERT(req->rq_bulk_write);
2626 * if it's in privacy mode, transferred should >= expected; otherwise
2627 * transferred should == expected.
2629 if (desc->bd_nob_transferred < desc->bd_nob ||
2630 (desc->bd_nob_transferred > desc->bd_nob &&
2631 SPTLRPC_FLVR_BULK_SVC(req->rq_flvr.sf_rpc) !=
2632 SPTLRPC_BULK_SVC_PRIV)) {
2633 DEBUG_REQ(D_ERROR, req, "truncated bulk GET %d(%d)",
2634 desc->bd_nob_transferred, desc->bd_nob);
2638 if (!req->rq_pack_bulk)
2641 ctx = req->rq_svc_ctx;
2642 if (ctx->sc_policy->sp_sops->unwrap_bulk) {
2643 rc = ctx->sc_policy->sp_sops->unwrap_bulk(req, desc);
2645 CERROR("error unwrap bulk: %d\n", rc);
2648 /* return 0 to allow reply be sent */
2651 EXPORT_SYMBOL(sptlrpc_svc_unwrap_bulk);
2654 * Prepare buffers for incoming bulk write.
2656 int sptlrpc_svc_prep_bulk(struct ptlrpc_request *req,
2657 struct ptlrpc_bulk_desc *desc)
2659 struct ptlrpc_svc_ctx *ctx;
2661 LASSERT(req->rq_bulk_write);
2663 if (!req->rq_pack_bulk)
2666 ctx = req->rq_svc_ctx;
2667 if (ctx->sc_policy->sp_sops->prep_bulk)
2668 return ctx->sc_policy->sp_sops->prep_bulk(req, desc);
2672 EXPORT_SYMBOL(sptlrpc_svc_prep_bulk);
2674 #endif /* HAVE_SERVER_SUPPORT */
2677 * user descriptor helpers
2680 int sptlrpc_current_user_desc_size(void)
2684 ngroups = current_cred()->group_info->ngroups;
2686 if (ngroups > LUSTRE_MAX_GROUPS)
2687 ngroups = LUSTRE_MAX_GROUPS;
2688 return sptlrpc_user_desc_size(ngroups);
2690 EXPORT_SYMBOL(sptlrpc_current_user_desc_size);
2692 int sptlrpc_pack_user_desc(struct lustre_msg *msg, int offset)
2694 struct ptlrpc_user_desc *pud;
2697 pud = lustre_msg_buf(msg, offset, 0);
2699 pud->pud_uid = from_kuid(&init_user_ns, current_uid());
2700 pud->pud_gid = from_kgid(&init_user_ns, current_gid());
2701 pud->pud_fsuid = from_kuid(&init_user_ns, current_fsuid());
2702 pud->pud_fsgid = from_kgid(&init_user_ns, current_fsgid());
2703 pud->pud_cap = ll_capability_u32(current_cap());
2704 pud->pud_ngroups = (msg->lm_buflens[offset] - sizeof(*pud)) / 4;
2707 ngroups = current_cred()->group_info->ngroups;
2708 if (pud->pud_ngroups > ngroups)
2709 pud->pud_ngroups = ngroups;
2710 #ifdef HAVE_GROUP_INFO_GID
2711 memcpy(pud->pud_groups, current_cred()->group_info->gid,
2712 pud->pud_ngroups * sizeof(__u32));
2713 #else /* !HAVE_GROUP_INFO_GID */
2714 memcpy(pud->pud_groups, current_cred()->group_info->blocks[0],
2715 pud->pud_ngroups * sizeof(__u32));
2716 #endif /* HAVE_GROUP_INFO_GID */
2717 task_unlock(current);
2721 EXPORT_SYMBOL(sptlrpc_pack_user_desc);
2723 int sptlrpc_unpack_user_desc(struct lustre_msg *msg, int offset, int swabbed)
2725 struct ptlrpc_user_desc *pud;
2728 pud = lustre_msg_buf(msg, offset, sizeof(*pud));
2733 __swab32s(&pud->pud_uid);
2734 __swab32s(&pud->pud_gid);
2735 __swab32s(&pud->pud_fsuid);
2736 __swab32s(&pud->pud_fsgid);
2737 __swab32s(&pud->pud_cap);
2738 __swab32s(&pud->pud_ngroups);
2741 if (pud->pud_ngroups > LUSTRE_MAX_GROUPS) {
2742 CERROR("%u groups is too large\n", pud->pud_ngroups);
2746 if (sizeof(*pud) + pud->pud_ngroups * sizeof(__u32) >
2747 msg->lm_buflens[offset]) {
2748 CERROR("%u groups are claimed but bufsize only %u\n",
2749 pud->pud_ngroups, msg->lm_buflens[offset]);
2754 for (i = 0; i < pud->pud_ngroups; i++)
2755 __swab32s(&pud->pud_groups[i]);
2760 EXPORT_SYMBOL(sptlrpc_unpack_user_desc);
2766 const char *sec2target_str(struct ptlrpc_sec *sec)
2768 if (!sec || !sec->ps_import || !sec->ps_import->imp_obd)
2770 if (sec_is_reverse(sec))
2772 return obd_uuid2str(&sec->ps_import->imp_obd->u.cli.cl_target_uuid);
2774 EXPORT_SYMBOL(sec2target_str);
2777 * return true if the bulk data is protected
2779 int sptlrpc_flavor_has_bulk(struct sptlrpc_flavor *flvr)
2781 switch (SPTLRPC_FLVR_BULK_SVC(flvr->sf_rpc)) {
2782 case SPTLRPC_BULK_SVC_INTG:
2783 case SPTLRPC_BULK_SVC_PRIV:
2789 EXPORT_SYMBOL(sptlrpc_flavor_has_bulk);
2792 * crypto API helper/alloc blkciper
2796 * initialize/finalize
2799 int sptlrpc_init(void)
2803 rwlock_init(&policy_lock);
2805 rc = sptlrpc_gc_init();
2809 rc = sptlrpc_conf_init();
2813 rc = sptlrpc_enc_pool_init();
2817 rc = sptlrpc_null_init();
2821 rc = sptlrpc_plain_init();
2825 rc = sptlrpc_lproc_init();
2832 sptlrpc_plain_fini();
2834 sptlrpc_null_fini();
2836 sptlrpc_enc_pool_fini();
2838 sptlrpc_conf_fini();
2845 void sptlrpc_fini(void)
2847 sptlrpc_lproc_fini();
2848 sptlrpc_plain_fini();
2849 sptlrpc_null_fini();
2850 sptlrpc_enc_pool_fini();
2851 sptlrpc_conf_fini();
git://git.whamcloud.com / fs / lustre-release.git / blob