1 /* -*- mode: c; c-basic-offset: 8; indent-tabs-mode: nil; -*-
2 * vim:expandtab:shiftwidth=8:tabstop=8:
6 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
8 * This program is free software; you can redistribute it and/or modify
9 * it under the terms of the GNU General Public License version 2 only,
10 * as published by the Free Software Foundation.
12 * This program is distributed in the hope that it will be useful, but
13 * WITHOUT ANY WARRANTY; without even the implied warranty of
14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
15 * General Public License version 2 for more details (a copy is included
16 * in the LICENSE file that accompanied this code).
18 * You should have received a copy of the GNU General Public License
19 * version 2 along with this program; If not, see
20 * http://www.sun.com/software/products/lustre/docs/GPLv2.pdf
22 * Please contact Sun Microsystems, Inc., 4150 Network Circle, Santa Clara,
23 * CA 95054 USA or visit www.sun.com if you need additional information or
29 * Copyright 2008 Sun Microsystems, Inc. All rights reserved
30 * Use is subject to license terms.
33 * This file is part of Lustre, http://www.lustre.org/
34 * Lustre is a trademark of Sun Microsystems, Inc.
36 * lustre/ptlrpc/gss/gss_keyring.c
38 * Author: Eric Mei <ericm@clusterfs.com>
42 # define EXPORT_SYMTAB
44 #define DEBUG_SUBSYSTEM S_SEC
46 #include <linux/init.h>
47 #include <linux/module.h>
48 #include <linux/slab.h>
49 #include <linux/dcache.h>
51 #include <linux/random.h>
52 #include <linux/crypto.h>
53 #include <linux/key.h>
54 #include <linux/keyctl.h>
55 #include <linux/mutex.h>
56 #include <asm/atomic.h>
58 #include <liblustre.h>
62 #include <obd_class.h>
63 #include <obd_support.h>
64 #include <lustre/lustre_idl.h>
65 #include <lustre_sec.h>
66 #include <lustre_net.h>
67 #include <lustre_import.h>
70 #include "gss_internal.h"
73 static struct ptlrpc_sec_policy gss_policy_keyring;
74 static struct ptlrpc_ctx_ops gss_keyring_ctxops;
75 static struct key_type gss_key_type;
77 static int sec_install_rctx_kr(struct ptlrpc_sec *sec,
78 struct ptlrpc_svc_ctx *svc_ctx);
81 #define task_aux(tsk) (tsk)
85 * the timeout is only for the case that upcall child process die abnormally.
86 * in any other cases it should finally update kernel key.
88 * FIXME we'd better to incorporate the client & server side upcall timeouts
89 * into the framework of Adaptive Timeouts, but we need to figure out how to
90 * make sure that kernel knows the upcall processes is in-progress or died
93 #define KEYRING_UPCALL_TIMEOUT (obd_timeout + obd_timeout)
95 /****************************************
97 ****************************************/
99 #define DUMP_PROCESS_KEYRINGS(tsk) \
101 CWARN("DUMP PK: %s[%u,%u/%u](<-%s[%u,%u/%u]): " \
102 "a %d, t %d, p %d, s %d, u %d, us %d, df %d\n", \
103 tsk->comm, tsk->pid, tsk->uid, tsk->fsuid, \
104 tsk->parent->comm, tsk->parent->pid, \
105 tsk->parent->uid, tsk->parent->fsuid, \
106 task_aux(tsk)->request_key_auth ? \
107 task_aux(tsk)->request_key_auth->serial : 0, \
108 task_aux(tsk)->thread_keyring ? \
109 task_aux(tsk)->thread_keyring->serial : 0, \
110 tsk->signal->process_keyring ? \
111 tsk->signal->process_keyring->serial : 0, \
112 tsk->signal->session_keyring ? \
113 tsk->signal->session_keyring->serial : 0, \
114 tsk->user->uid_keyring ? \
115 tsk->user->uid_keyring->serial : 0, \
116 tsk->user->session_keyring ? \
117 tsk->user->session_keyring->serial : 0, \
118 task_aux(tsk)->jit_keyring \
122 #define DUMP_KEY(key) \
124 CWARN("DUMP KEY: %p(%d) ref %d u%u/g%u desc %s\n", \
125 key, key->serial, atomic_read(&key->usage), \
126 key->uid, key->gid, \
127 key->description ? key->description : "n/a" \
132 static inline void keyring_upcall_lock(struct gss_sec_keyring *gsec_kr)
134 #ifdef HAVE_KEYRING_UPCALL_SERIALIZED
135 mutex_lock(&gsec_kr->gsk_uc_lock);
139 static inline void keyring_upcall_unlock(struct gss_sec_keyring *gsec_kr)
141 #ifdef HAVE_KEYRING_UPCALL_SERIALIZED
142 mutex_unlock(&gsec_kr->gsk_uc_lock);
146 static inline void key_revoke_locked(struct key *key)
148 set_bit(KEY_FLAG_REVOKED, &key->flags);
151 static void ctx_upcall_timeout_kr(unsigned long data)
153 struct ptlrpc_cli_ctx *ctx = (struct ptlrpc_cli_ctx *) data;
154 struct key *key = ctx2gctx_keyring(ctx)->gck_key;
156 CWARN("ctx %p, key %p\n", ctx, key);
161 key_revoke_locked(key);
162 sptlrpc_cli_ctx_wakeup(ctx);
166 void ctx_start_timer_kr(struct ptlrpc_cli_ctx *ctx, long timeout)
168 struct gss_cli_ctx_keyring *gctx_kr = ctx2gctx_keyring(ctx);
169 struct timer_list *timer = gctx_kr->gck_timer;
173 CDEBUG(D_SEC, "ctx %p: start timer %lds\n", ctx, timeout);
174 timeout = timeout * HZ + cfs_time_current();
177 timer->expires = timeout;
178 timer->data = (unsigned long ) ctx;
179 timer->function = ctx_upcall_timeout_kr;
185 * caller should make sure no race with other threads
188 void ctx_clear_timer_kr(struct ptlrpc_cli_ctx *ctx)
190 struct gss_cli_ctx_keyring *gctx_kr = ctx2gctx_keyring(ctx);
191 struct timer_list *timer = gctx_kr->gck_timer;
196 CDEBUG(D_SEC, "ctx %p, key %p\n", ctx, gctx_kr->gck_key);
198 gctx_kr->gck_timer = NULL;
200 del_singleshot_timer_sync(timer);
206 struct ptlrpc_cli_ctx *ctx_create_kr(struct ptlrpc_sec *sec,
207 struct vfs_cred *vcred)
209 struct ptlrpc_cli_ctx *ctx;
210 struct gss_cli_ctx_keyring *gctx_kr;
212 OBD_ALLOC_PTR(gctx_kr);
216 OBD_ALLOC_PTR(gctx_kr->gck_timer);
217 if (gctx_kr->gck_timer == NULL) {
218 OBD_FREE_PTR(gctx_kr);
221 init_timer(gctx_kr->gck_timer);
223 ctx = &gctx_kr->gck_base.gc_base;
225 if (gss_cli_ctx_init_common(sec, ctx, &gss_keyring_ctxops, vcred)) {
226 OBD_FREE_PTR(gctx_kr->gck_timer);
227 OBD_FREE_PTR(gctx_kr);
231 ctx->cc_expire = cfs_time_current_sec() + KEYRING_UPCALL_TIMEOUT;
232 clear_bit(PTLRPC_CTX_NEW_BIT, &ctx->cc_flags);
233 atomic_inc(&ctx->cc_refcount); /* for the caller */
238 static void ctx_destroy_kr(struct ptlrpc_cli_ctx *ctx)
240 struct ptlrpc_sec *sec = ctx->cc_sec;
241 struct gss_cli_ctx_keyring *gctx_kr = ctx2gctx_keyring(ctx);
243 CDEBUG(D_SEC, "destroying ctx %p\n", ctx);
245 /* at this time the association with key has been broken. */
247 LASSERT(atomic_read(&sec->ps_refcount) > 0);
248 LASSERT(atomic_read(&sec->ps_nctx) > 0);
249 LASSERT(test_bit(PTLRPC_CTX_CACHED_BIT, &ctx->cc_flags) == 0);
250 LASSERT(gctx_kr->gck_key == NULL);
252 ctx_clear_timer_kr(ctx);
253 LASSERT(gctx_kr->gck_timer == NULL);
255 if (gss_cli_ctx_fini_common(sec, ctx))
258 OBD_FREE_PTR(gctx_kr);
260 atomic_dec(&sec->ps_nctx);
261 sptlrpc_sec_put(sec);
264 static void ctx_release_kr(struct ptlrpc_cli_ctx *ctx, int sync)
269 atomic_inc(&ctx->cc_refcount);
270 sptlrpc_gc_add_ctx(ctx);
274 static void ctx_put_kr(struct ptlrpc_cli_ctx *ctx, int sync)
276 LASSERT(atomic_read(&ctx->cc_refcount) > 0);
278 if (atomic_dec_and_test(&ctx->cc_refcount))
279 ctx_release_kr(ctx, sync);
283 * key <-> ctx association and rules:
284 * - ctx might not bind with any key
285 * - key/ctx binding is protected by key semaphore (if the key present)
286 * - key and ctx each take a reference of the other
287 * - ctx enlist/unlist is protected by ctx spinlock
288 * - never enlist a ctx after it's been unlisted
289 * - whoever do enlist should also do bind, lock key before enlist:
290 * - lock key -> lock ctx -> enlist -> unlock ctx -> bind -> unlock key
291 * - whoever do unlist should also do unbind:
292 * - lock key -> lock ctx -> unlist -> unlock ctx -> unbind -> unlock key
293 * - lock ctx -> unlist -> unlock ctx -> lock key -> unbind -> unlock key
296 static inline void spin_lock_if(spinlock_t *lock, int condition)
302 static inline void spin_unlock_if(spinlock_t *lock, int condition)
308 static void ctx_enlist_kr(struct ptlrpc_cli_ctx *ctx, int is_root, int locked)
310 struct ptlrpc_sec *sec = ctx->cc_sec;
311 struct gss_sec_keyring *gsec_kr = sec2gsec_keyring(sec);
313 LASSERT(!test_bit(PTLRPC_CTX_CACHED_BIT, &ctx->cc_flags));
314 LASSERT(atomic_read(&ctx->cc_refcount) > 0);
316 spin_lock_if(&sec->ps_lock, !locked);
318 atomic_inc(&ctx->cc_refcount);
319 set_bit(PTLRPC_CTX_CACHED_BIT, &ctx->cc_flags);
320 hlist_add_head(&ctx->cc_cache, &gsec_kr->gsk_clist);
322 gsec_kr->gsk_root_ctx = ctx;
324 spin_unlock_if(&sec->ps_lock, !locked);
328 * Note after this get called, caller should not access ctx again because
329 * it might have been freed, unless caller hold at least one refcount of
332 * return non-zero if we indeed unlist this ctx.
334 static int ctx_unlist_kr(struct ptlrpc_cli_ctx *ctx, int locked)
336 struct ptlrpc_sec *sec = ctx->cc_sec;
337 struct gss_sec_keyring *gsec_kr = sec2gsec_keyring(sec);
339 /* if hashed bit has gone, leave the job to somebody who is doing it */
340 if (test_and_clear_bit(PTLRPC_CTX_CACHED_BIT, &ctx->cc_flags) == 0)
343 /* drop ref inside spin lock to prevent race with other operations */
344 spin_lock_if(&sec->ps_lock, !locked);
346 if (gsec_kr->gsk_root_ctx == ctx)
347 gsec_kr->gsk_root_ctx = NULL;
348 hlist_del_init(&ctx->cc_cache);
349 atomic_dec(&ctx->cc_refcount);
351 spin_unlock_if(&sec->ps_lock, !locked);
357 * bind a key with a ctx together.
358 * caller must hold write lock of the key, as well as ref on key & ctx.
360 static void bind_key_ctx(struct key *key, struct ptlrpc_cli_ctx *ctx)
362 LASSERT(atomic_read(&ctx->cc_refcount) > 0);
363 LASSERT(atomic_read(&key->usage) > 0);
364 LASSERT(ctx2gctx_keyring(ctx)->gck_key == NULL);
365 LASSERT(key->payload.data == NULL);
367 /* at this time context may or may not in list. */
369 atomic_inc(&ctx->cc_refcount);
370 ctx2gctx_keyring(ctx)->gck_key = key;
371 key->payload.data = ctx;
375 * unbind a key and a ctx.
376 * caller must hold write lock, as well as a ref of the key.
378 static void unbind_key_ctx(struct key *key, struct ptlrpc_cli_ctx *ctx)
380 LASSERT(key->payload.data == ctx);
381 LASSERT(test_bit(PTLRPC_CTX_CACHED_BIT, &ctx->cc_flags) == 0);
383 /* must revoke the key, or others may treat it as newly created */
384 key_revoke_locked(key);
386 key->payload.data = NULL;
387 ctx2gctx_keyring(ctx)->gck_key = NULL;
389 /* once ctx get split from key, the timer is meaningless */
390 ctx_clear_timer_kr(ctx);
397 * given a ctx, unbind with its coupled key, if any.
398 * unbind could only be called once, so we don't worry the key be released
401 static void unbind_ctx_kr(struct ptlrpc_cli_ctx *ctx)
403 struct key *key = ctx2gctx_keyring(ctx)->gck_key;
406 LASSERT(key->payload.data == ctx);
409 down_write(&key->sem);
410 unbind_key_ctx(key, ctx);
417 * given a key, unbind with its coupled ctx, if any.
418 * caller must hold write lock, as well as a ref of the key.
420 static void unbind_key_locked(struct key *key)
422 struct ptlrpc_cli_ctx *ctx = key->payload.data;
425 unbind_key_ctx(key, ctx);
429 * unlist a ctx, and unbind from coupled key
431 static void kill_ctx_kr(struct ptlrpc_cli_ctx *ctx)
433 if (ctx_unlist_kr(ctx, 0))
438 * given a key, unlist and unbind with the coupled ctx (if any).
439 * caller must hold write lock, as well as a ref of the key.
441 static void kill_key_locked(struct key *key)
443 struct ptlrpc_cli_ctx *ctx = key->payload.data;
445 if (ctx && ctx_unlist_kr(ctx, 0))
446 unbind_key_locked(key);
450 * caller should hold one ref on contexts in freelist.
452 static void dispose_ctx_list_kr(struct hlist_head *freelist)
454 struct hlist_node *pos, *next;
455 struct ptlrpc_cli_ctx *ctx;
456 struct gss_cli_ctx *gctx;
458 hlist_for_each_entry_safe(ctx, pos, next, freelist, cc_cache) {
459 hlist_del_init(&ctx->cc_cache);
461 /* reverse ctx: update current seq to buddy svcctx if exist.
462 * ideally this should be done at gss_cli_ctx_finalize(), but
463 * the ctx destroy could be delayed by:
464 * 1) ctx still has reference;
465 * 2) ctx destroy is asynchronous;
466 * and reverse import call inval_all_ctx() require this be done
467 *_immediately_ otherwise newly created reverse ctx might copy
468 * the very old sequence number from svcctx. */
469 gctx = ctx2gctx(ctx);
470 if (!rawobj_empty(&gctx->gc_svc_handle) &&
471 sec_is_reverse(gctx->gc_base.cc_sec)) {
472 gss_svc_upcall_update_sequence(&gctx->gc_svc_handle,
473 (__u32) atomic_read(&gctx->gc_seq));
476 /* we need to wakeup waiting reqs here. the context might
477 * be forced released before upcall finished, then the
478 * late-arrived downcall can't find the ctx even. */
479 sptlrpc_cli_ctx_wakeup(ctx);
487 * lookup a root context directly in a sec, return root ctx with a
488 * reference taken or NULL.
491 struct ptlrpc_cli_ctx * sec_lookup_root_ctx_kr(struct ptlrpc_sec *sec)
493 struct gss_sec_keyring *gsec_kr = sec2gsec_keyring(sec);
494 struct ptlrpc_cli_ctx *ctx = NULL;
496 spin_lock(&sec->ps_lock);
498 ctx = gsec_kr->gsk_root_ctx;
500 if (ctx == NULL && unlikely(sec_is_reverse(sec))) {
501 struct hlist_node *node;
502 struct ptlrpc_cli_ctx *tmp;
504 /* reverse ctx, search root ctx in list, choose the one
505 * with shortest expire time, which is most possibly have
506 * an established peer ctx at client side. */
507 hlist_for_each_entry(tmp, node, &gsec_kr->gsk_clist, cc_cache) {
508 if (ctx == NULL || ctx->cc_expire == 0 ||
509 ctx->cc_expire > tmp->cc_expire) {
511 /* promote to be root_ctx */
512 gsec_kr->gsk_root_ctx = ctx;
518 LASSERT(atomic_read(&ctx->cc_refcount) > 0);
519 LASSERT(!hlist_empty(&gsec_kr->gsk_clist));
520 atomic_inc(&ctx->cc_refcount);
523 spin_unlock(&sec->ps_lock);
528 #define RVS_CTX_EXPIRE_NICE (10)
531 void rvs_sec_install_root_ctx_kr(struct ptlrpc_sec *sec,
532 struct ptlrpc_cli_ctx *new_ctx,
535 struct gss_sec_keyring *gsec_kr = sec2gsec_keyring(sec);
536 struct hlist_node *hnode;
537 struct ptlrpc_cli_ctx *ctx;
541 LASSERT(sec_is_reverse(sec));
543 spin_lock(&sec->ps_lock);
545 now = cfs_time_current_sec();
547 /* set all existing ctxs short expiry */
548 hlist_for_each_entry(ctx, hnode, &gsec_kr->gsk_clist, cc_cache) {
549 if (ctx->cc_expire > now + RVS_CTX_EXPIRE_NICE) {
550 ctx->cc_early_expire = 1;
551 ctx->cc_expire = now + RVS_CTX_EXPIRE_NICE;
555 /* if there's root_ctx there, instead obsolete the current
556 * immediately, we leave it continue operating for a little while.
557 * hopefully when the first backward rpc with newest ctx send out,
558 * the client side already have the peer ctx well established. */
559 ctx_enlist_kr(new_ctx, gsec_kr->gsk_root_ctx ? 0 : 1, 1);
562 bind_key_ctx(key, new_ctx);
564 spin_unlock(&sec->ps_lock);
567 static void construct_key_desc(void *buf, int bufsize,
568 struct ptlrpc_sec *sec, uid_t uid)
570 snprintf(buf, bufsize, "%d@%x", uid, sec->ps_id);
571 ((char *)buf)[bufsize - 1] = '\0';
574 /****************************************
576 ****************************************/
579 struct ptlrpc_sec * gss_sec_create_kr(struct obd_import *imp,
580 struct ptlrpc_svc_ctx *svcctx,
581 struct sptlrpc_flavor *sf)
583 struct gss_sec_keyring *gsec_kr;
586 OBD_ALLOC(gsec_kr, sizeof(*gsec_kr));
590 CFS_INIT_HLIST_HEAD(&gsec_kr->gsk_clist);
591 gsec_kr->gsk_root_ctx = NULL;
592 mutex_init(&gsec_kr->gsk_root_uc_lock);
593 #ifdef HAVE_KEYRING_UPCALL_SERIALIZED
594 mutex_init(&gsec_kr->gsk_uc_lock);
597 if (gss_sec_create_common(&gsec_kr->gsk_base, &gss_policy_keyring,
601 if (svcctx != NULL &&
602 sec_install_rctx_kr(&gsec_kr->gsk_base.gs_base, svcctx)) {
603 gss_sec_destroy_common(&gsec_kr->gsk_base);
607 RETURN(&gsec_kr->gsk_base.gs_base);
610 OBD_FREE(gsec_kr, sizeof(*gsec_kr));
615 void gss_sec_destroy_kr(struct ptlrpc_sec *sec)
617 struct gss_sec *gsec = sec2gsec(sec);
618 struct gss_sec_keyring *gsec_kr = sec2gsec_keyring(sec);
620 CDEBUG(D_SEC, "destroy %s@%p\n", sec->ps_policy->sp_name, sec);
622 LASSERT(hlist_empty(&gsec_kr->gsk_clist));
623 LASSERT(gsec_kr->gsk_root_ctx == NULL);
625 gss_sec_destroy_common(gsec);
627 OBD_FREE(gsec_kr, sizeof(*gsec_kr));
630 static inline int user_is_root(struct ptlrpc_sec *sec, struct vfs_cred *vcred)
632 /* except the ROOTONLY flag, treat it as root user only if real uid
633 * is 0, euid/fsuid being 0 are handled as setuid scenarios */
634 if (sec_is_rootonly(sec) || (vcred->vc_uid == 0))
641 * unlink request key from it's ring, which is linked during request_key().
642 * sadly, we have to 'guess' which keyring it's linked to.
644 * FIXME this code is fragile, depend on how request_key_link() is implemented.
646 static void request_key_unlink(struct key *key)
648 struct task_struct *tsk = current;
651 switch (task_aux(tsk)->jit_keyring) {
652 case KEY_REQKEY_DEFL_DEFAULT:
653 case KEY_REQKEY_DEFL_THREAD_KEYRING:
654 ring = key_get(task_aux(tsk)->thread_keyring);
657 case KEY_REQKEY_DEFL_PROCESS_KEYRING:
658 ring = key_get(tsk->signal->process_keyring);
661 case KEY_REQKEY_DEFL_SESSION_KEYRING:
663 ring = key_get(rcu_dereference(tsk->signal->session_keyring));
667 case KEY_REQKEY_DEFL_USER_SESSION_KEYRING:
668 ring = key_get(tsk->user->session_keyring);
670 case KEY_REQKEY_DEFL_USER_KEYRING:
671 ring = key_get(tsk->user->uid_keyring);
673 case KEY_REQKEY_DEFL_GROUP_KEYRING:
679 key_unlink(ring, key);
684 struct ptlrpc_cli_ctx * gss_sec_lookup_ctx_kr(struct ptlrpc_sec *sec,
685 struct vfs_cred *vcred,
686 int create, int remove_dead)
688 struct obd_import *imp = sec->ps_import;
689 struct gss_sec_keyring *gsec_kr = sec2gsec_keyring(sec);
690 struct ptlrpc_cli_ctx *ctx = NULL;
691 unsigned int is_root = 0, create_new = 0;
699 LASSERT(imp != NULL);
701 is_root = user_is_root(sec, vcred);
703 /* a little bit optimization for root context */
705 ctx = sec_lookup_root_ctx_kr(sec);
707 * Only lookup directly for REVERSE sec, which should
710 if (ctx || sec_is_reverse(sec))
714 LASSERT(create != 0);
716 /* for root context, obtain lock and check again, this time hold
717 * the root upcall lock, make sure nobody else populated new root
718 * context after last check. */
720 mutex_lock(&gsec_kr->gsk_root_uc_lock);
722 ctx = sec_lookup_root_ctx_kr(sec);
726 /* update reverse handle for root user */
727 sec2gsec(sec)->gs_rvs_hdl = gss_get_next_ctx_index();
732 /* in case of setuid, key will be constructed as owner of fsuid/fsgid,
733 * but we do authentication based on real uid/gid. the key permission
734 * bits will be exactly as POS_ALL, so only processes who subscribed
735 * this key could have the access, although the quota might be counted
736 * on others (fsuid/fsgid).
738 * keyring will use fsuid/fsgid as upcall parameters, so we have to
739 * encode real uid/gid into callout info.
742 construct_key_desc(desc, sizeof(desc), sec, vcred->vc_uid);
744 /* callout info format:
745 * secid:mech:uid:gid:flags:svc_type:peer_nid:target_uuid
747 coinfo_size = sizeof(struct obd_uuid) + MAX_OBD_NAME + 64;
748 OBD_ALLOC(coinfo, coinfo_size);
752 snprintf(coinfo, coinfo_size, "%d:%s:%u:%u:%s:%d:"LPX64":%s",
753 sec->ps_id, sec2gsec(sec)->gs_mech->gm_name,
754 vcred->vc_uid, vcred->vc_gid,
755 co_flags, import_to_gss_svc(imp),
756 imp->imp_connection->c_peer.nid, imp->imp_obd->obd_name);
758 CDEBUG(D_SEC, "requesting key for %s\n", desc);
760 keyring_upcall_lock(gsec_kr);
761 key = request_key(&gss_key_type, desc, coinfo);
762 keyring_upcall_unlock(gsec_kr);
764 OBD_FREE(coinfo, coinfo_size);
767 CERROR("failed request key: %ld\n", PTR_ERR(key));
770 CDEBUG(D_SEC, "obtained key %08x for %s\n", key->serial, desc);
772 /* once payload.data was pointed to a ctx, it never changes until
773 * we de-associate them; but parallel request_key() may return
774 * a key with payload.data == NULL at the same time. so we still
775 * need wirtelock of key->sem to serialize them. */
776 down_write(&key->sem);
778 if (likely(key->payload.data != NULL)) {
779 ctx = key->payload.data;
781 LASSERT(atomic_read(&ctx->cc_refcount) >= 1);
782 LASSERT(ctx2gctx_keyring(ctx)->gck_key == key);
783 LASSERT(atomic_read(&key->usage) >= 2);
785 /* simply take a ref and return. it's upper layer's
786 * responsibility to detect & replace dead ctx. */
787 atomic_inc(&ctx->cc_refcount);
789 /* pre initialization with a cli_ctx. this can't be done in
790 * key_instantiate() because we'v no enough information
792 ctx = ctx_create_kr(sec, vcred);
794 ctx_enlist_kr(ctx, is_root, 0);
795 bind_key_ctx(key, ctx);
797 ctx_start_timer_kr(ctx, KEYRING_UPCALL_TIMEOUT);
799 CDEBUG(D_SEC, "installed key %p <-> ctx %p (sec %p)\n",
802 /* we'd prefer to call key_revoke(), but we more like
803 * to revoke it within this key->sem locked period. */
804 key_revoke_locked(key);
812 if (is_root && create_new)
813 request_key_unlink(key);
818 mutex_unlock(&gsec_kr->gsk_root_uc_lock);
823 void gss_sec_release_ctx_kr(struct ptlrpc_sec *sec,
824 struct ptlrpc_cli_ctx *ctx,
827 LASSERT(atomic_read(&sec->ps_refcount) > 0);
828 LASSERT(atomic_read(&ctx->cc_refcount) == 0);
829 ctx_release_kr(ctx, sync);
833 * flush context of normal user, we must resort to keyring itself to find out
834 * contexts which belong to me.
836 * Note here we suppose only to flush _my_ context, the "uid" will
837 * be ignored in the search.
840 void flush_user_ctx_cache_kr(struct ptlrpc_sec *sec,
842 int grace, int force)
847 /* nothing to do for reverse or rootonly sec */
848 if (sec_is_reverse(sec) || sec_is_rootonly(sec))
851 construct_key_desc(desc, sizeof(desc), sec, uid);
853 /* there should be only one valid key, but we put it in the
854 * loop in case of any weird cases */
856 key = request_key(&gss_key_type, desc, NULL);
858 CDEBUG(D_SEC, "No more key found for current user\n");
862 down_write(&key->sem);
864 kill_key_locked(key);
866 /* kill_key_locked() should usually revoke the key, but we
867 * revoke it again to make sure, e.g. some case the key may
868 * not well coupled with a context. */
869 key_revoke_locked(key);
878 * flush context of root or all, we iterate through the list.
881 void flush_spec_ctx_cache_kr(struct ptlrpc_sec *sec,
883 int grace, int force)
885 struct gss_sec_keyring *gsec_kr;
886 struct hlist_head freelist = CFS_HLIST_HEAD_INIT;
887 struct hlist_node *pos, *next;
888 struct ptlrpc_cli_ctx *ctx;
891 gsec_kr = sec2gsec_keyring(sec);
893 spin_lock(&sec->ps_lock);
894 hlist_for_each_entry_safe(ctx, pos, next,
895 &gsec_kr->gsk_clist, cc_cache) {
896 LASSERT(atomic_read(&ctx->cc_refcount) > 0);
898 if (uid != -1 && uid != ctx->cc_vcred.vc_uid)
901 /* at this moment there's at least 2 base reference:
902 * key association and in-list. */
903 if (atomic_read(&ctx->cc_refcount) > 2) {
906 CWARN("flush busy ctx %p(%u->%s, extra ref %d)\n",
907 ctx, ctx->cc_vcred.vc_uid,
908 sec2target_str(ctx->cc_sec),
909 atomic_read(&ctx->cc_refcount) - 2);
912 set_bit(PTLRPC_CTX_DEAD_BIT, &ctx->cc_flags);
914 clear_bit(PTLRPC_CTX_UPTODATE_BIT, &ctx->cc_flags);
916 atomic_inc(&ctx->cc_refcount);
918 if (ctx_unlist_kr(ctx, 1)) {
919 hlist_add_head(&ctx->cc_cache, &freelist);
921 LASSERT(atomic_read(&ctx->cc_refcount) >= 2);
922 atomic_dec(&ctx->cc_refcount);
925 spin_unlock(&sec->ps_lock);
927 dispose_ctx_list_kr(&freelist);
932 int gss_sec_flush_ctx_cache_kr(struct ptlrpc_sec *sec,
934 int grace, int force)
938 CDEBUG(D_SEC, "sec %p(%d, nctx %d), uid %d, grace %d, force %d\n",
939 sec, atomic_read(&sec->ps_refcount), atomic_read(&sec->ps_nctx),
942 if (uid != -1 && uid != 0)
943 flush_user_ctx_cache_kr(sec, uid, grace, force);
945 flush_spec_ctx_cache_kr(sec, uid, grace, force);
951 void gss_sec_gc_ctx_kr(struct ptlrpc_sec *sec)
953 struct gss_sec_keyring *gsec_kr = sec2gsec_keyring(sec);
954 struct hlist_head freelist = CFS_HLIST_HEAD_INIT;
955 struct hlist_node *pos, *next;
956 struct ptlrpc_cli_ctx *ctx;
959 CWARN("running gc\n");
961 spin_lock(&sec->ps_lock);
962 hlist_for_each_entry_safe(ctx, pos, next,
963 &gsec_kr->gsk_clist, cc_cache) {
964 LASSERT(atomic_read(&ctx->cc_refcount) > 0);
966 atomic_inc(&ctx->cc_refcount);
968 if (cli_ctx_check_death(ctx) && ctx_unlist_kr(ctx, 1)) {
969 hlist_add_head(&ctx->cc_cache, &freelist);
970 CWARN("unhashed ctx %p\n", ctx);
972 LASSERT(atomic_read(&ctx->cc_refcount) >= 2);
973 atomic_dec(&ctx->cc_refcount);
976 spin_unlock(&sec->ps_lock);
978 dispose_ctx_list_kr(&freelist);
984 int gss_sec_display_kr(struct ptlrpc_sec *sec, struct seq_file *seq)
986 struct gss_sec_keyring *gsec_kr = sec2gsec_keyring(sec);
987 struct hlist_node *pos, *next;
988 struct ptlrpc_cli_ctx *ctx;
989 struct gss_cli_ctx *gctx;
990 time_t now = cfs_time_current_sec();
993 spin_lock(&sec->ps_lock);
994 hlist_for_each_entry_safe(ctx, pos, next,
995 &gsec_kr->gsk_clist, cc_cache) {
1000 gctx = ctx2gctx(ctx);
1001 key = ctx2gctx_keyring(ctx)->gck_key;
1003 gss_cli_ctx_flags2str(ctx->cc_flags,
1004 flags_str, sizeof(flags_str));
1006 if (gctx->gc_mechctx)
1007 lgss_display(gctx->gc_mechctx, mech, sizeof(mech));
1009 snprintf(mech, sizeof(mech), "N/A");
1010 mech[sizeof(mech) - 1] = '\0';
1012 seq_printf(seq, "%p: uid %u, ref %d, expire %ld(%+ld), fl %s, "
1013 "seq %d, win %u, key %08x(ref %d), "
1014 "hdl "LPX64":"LPX64", mech: %s\n",
1015 ctx, ctx->cc_vcred.vc_uid,
1016 atomic_read(&ctx->cc_refcount),
1018 ctx->cc_expire ? ctx->cc_expire - now : 0,
1020 atomic_read(&gctx->gc_seq),
1022 key ? key->serial : 0,
1023 key ? atomic_read(&key->usage) : 0,
1024 gss_handle_to_u64(&gctx->gc_handle),
1025 gss_handle_to_u64(&gctx->gc_svc_handle),
1028 spin_unlock(&sec->ps_lock);
1033 /****************************************
1035 ****************************************/
1038 int gss_cli_ctx_refresh_kr(struct ptlrpc_cli_ctx *ctx)
1040 /* upcall is already on the way */
1045 int gss_cli_ctx_validate_kr(struct ptlrpc_cli_ctx *ctx)
1047 LASSERT(atomic_read(&ctx->cc_refcount) > 0);
1048 LASSERT(ctx->cc_sec);
1050 if (cli_ctx_check_death(ctx)) {
1055 if (cli_ctx_is_ready(ctx))
1061 void gss_cli_ctx_die_kr(struct ptlrpc_cli_ctx *ctx, int grace)
1063 LASSERT(atomic_read(&ctx->cc_refcount) > 0);
1064 LASSERT(ctx->cc_sec);
1066 cli_ctx_expire(ctx);
1070 /****************************************
1071 * (reverse) service *
1072 ****************************************/
1075 * reverse context could have nothing to do with keyrings. here we still keep
1076 * the version which bind to a key, for future reference.
1078 #define HAVE_REVERSE_CTX_NOKEY
1080 #ifdef HAVE_REVERSE_CTX_NOKEY
1083 int sec_install_rctx_kr(struct ptlrpc_sec *sec,
1084 struct ptlrpc_svc_ctx *svc_ctx)
1086 struct ptlrpc_cli_ctx *cli_ctx;
1087 struct vfs_cred vcred = { 0, 0 };
1093 cli_ctx = ctx_create_kr(sec, &vcred);
1094 if (cli_ctx == NULL)
1097 rc = gss_copy_rvc_cli_ctx(cli_ctx, svc_ctx);
1099 CERROR("failed copy reverse cli ctx: %d\n", rc);
1101 ctx_put_kr(cli_ctx, 1);
1105 rvs_sec_install_root_ctx_kr(sec, cli_ctx, NULL);
1107 ctx_put_kr(cli_ctx, 1);
1112 #else /* ! HAVE_REVERSE_CTX_NOKEY */
1115 int sec_install_rctx_kr(struct ptlrpc_sec *sec,
1116 struct ptlrpc_svc_ctx *svc_ctx)
1118 struct ptlrpc_cli_ctx *cli_ctx = NULL;
1120 struct vfs_cred vcred = { 0, 0 };
1128 construct_key_desc(desc, sizeof(desc), sec, 0);
1130 key = key_alloc(&gss_key_type, desc, 0, 0,
1131 KEY_POS_ALL | KEY_USR_ALL, 1);
1133 CERROR("failed to alloc key: %ld\n", PTR_ERR(key));
1134 return PTR_ERR(key);
1137 rc = key_instantiate_and_link(key, NULL, 0, NULL, NULL);
1139 CERROR("failed to instantiate key: %d\n", rc);
1143 down_write(&key->sem);
1145 LASSERT(key->payload.data == NULL);
1147 cli_ctx = ctx_create_kr(sec, &vcred);
1148 if (cli_ctx == NULL) {
1153 rc = gss_copy_rvc_cli_ctx(cli_ctx, svc_ctx);
1155 CERROR("failed copy reverse cli ctx: %d\n", rc);
1159 rvs_sec_install_root_ctx_kr(sec, cli_ctx, key);
1161 ctx_put_kr(cli_ctx, 1);
1162 up_write(&key->sem);
1171 ctx_put_kr(cli_ctx, 1);
1173 up_write(&key->sem);
1179 #endif /* HAVE_REVERSE_CTX_NOKEY */
1181 /****************************************
1183 ****************************************/
1186 int gss_svc_accept_kr(struct ptlrpc_request *req)
1188 return gss_svc_accept(&gss_policy_keyring, req);
1192 int gss_svc_install_rctx_kr(struct obd_import *imp,
1193 struct ptlrpc_svc_ctx *svc_ctx)
1195 struct ptlrpc_sec *sec;
1198 sec = sptlrpc_import_sec_ref(imp);
1201 rc = sec_install_rctx_kr(sec, svc_ctx);
1202 sptlrpc_sec_put(sec);
1207 /****************************************
1209 ****************************************/
1212 int gss_kt_instantiate(struct key *key, const void *data, size_t datalen)
1217 if (data != NULL || datalen != 0) {
1218 CERROR("invalid: data %p, len "LPSZ"\n", data, datalen);
1222 if (key->payload.data != 0) {
1223 CERROR("key already have payload\n");
1227 /* link the key to session keyring, so following context negotiation
1228 * rpc fired from user space could find this key. This will be unlinked
1229 * automatically when upcall processes die.
1231 * we can't do this through keyctl from userspace, because the upcall
1232 * might be neither possessor nor owner of the key (setuid).
1234 * the session keyring is created upon upcall, and don't change all
1235 * the way until upcall finished, so rcu lock is not needed here.
1237 LASSERT(cfs_current()->signal->session_keyring);
1239 rc = key_link(cfs_current()->signal->session_keyring, key);
1241 CERROR("failed to link key %08x to keyring %08x: %d\n",
1243 cfs_current()->signal->session_keyring->serial, rc);
1247 CDEBUG(D_SEC, "key %p instantiated, ctx %p\n", key, key->payload.data);
1252 * called with key semaphore write locked. it means we can operate
1253 * on the context without fear of loosing refcount.
1256 int gss_kt_update(struct key *key, const void *data, size_t datalen)
1258 struct ptlrpc_cli_ctx *ctx = key->payload.data;
1259 struct gss_cli_ctx *gctx;
1260 rawobj_t tmpobj = RAWOBJ_EMPTY;
1261 __u32 datalen32 = (__u32) datalen;
1265 if (data == NULL || datalen == 0) {
1266 CWARN("invalid: data %p, len "LPSZ"\n", data, datalen);
1270 /* there's a race between userspace parent - child processes. if
1271 * child finish negotiation too fast and call kt_update(), the ctx
1272 * might be still NULL. but the key will finally be associate
1273 * with a context, or be revoked. if key status is fine, return
1274 * -EAGAIN to allow userspace sleep a while and call again. */
1276 CWARN("race in userspace. key %p(%x) flags %lx\n",
1277 key, key->serial, key->flags);
1279 rc = key_validate(key);
1286 LASSERT(atomic_read(&ctx->cc_refcount) > 0);
1287 LASSERT(ctx->cc_sec);
1289 ctx_clear_timer_kr(ctx);
1291 /* don't proceed if already refreshed */
1292 if (cli_ctx_is_refreshed(ctx)) {
1293 CWARN("ctx already done refresh\n");
1294 sptlrpc_cli_ctx_wakeup(ctx);
1298 sptlrpc_cli_ctx_get(ctx);
1299 gctx = ctx2gctx(ctx);
1301 rc = buffer_extract_bytes(&data, &datalen32, &gctx->gc_win,
1302 sizeof(gctx->gc_win));
1304 CERROR("failed extract seq_win\n");
1308 if (gctx->gc_win == 0) {
1309 __u32 nego_rpc_err, nego_gss_err;
1311 rc = buffer_extract_bytes(&data, &datalen32, &nego_rpc_err,
1312 sizeof(nego_rpc_err));
1314 CERROR("failed to extrace rpc rc\n");
1318 rc = buffer_extract_bytes(&data, &datalen32, &nego_gss_err,
1319 sizeof(nego_gss_err));
1321 CERROR("failed to extrace gss rc\n");
1325 CERROR("negotiation: rpc err %d, gss err %x\n",
1326 nego_rpc_err, nego_gss_err);
1328 rc = nego_rpc_err ? nego_rpc_err : -EACCES;
1330 rc = rawobj_extract_local_alloc(&gctx->gc_handle,
1331 (__u32 **) &data, &datalen32);
1333 CERROR("failed extract handle\n");
1337 rc = rawobj_extract_local(&tmpobj, (__u32 **) &data,&datalen32);
1339 CERROR("failed extract mech\n");
1343 rc = lgss_import_sec_context(&tmpobj,
1344 sec2gsec(ctx->cc_sec)->gs_mech,
1346 if (rc != GSS_S_COMPLETE)
1347 CERROR("failed import context\n");
1352 /* we don't care what current status of this ctx, even someone else
1353 * is operating on the ctx at the same time. we just add up our own
1356 gss_cli_ctx_uptodate(gctx);
1358 /* this will also revoke the key. has to be done before
1359 * wakeup waiters otherwise they can find the stale key */
1360 kill_key_locked(key);
1362 cli_ctx_expire(ctx);
1364 if (rc != -ERESTART)
1365 set_bit(PTLRPC_CTX_ERROR_BIT, &ctx->cc_flags);
1368 sptlrpc_cli_ctx_wakeup(ctx);
1370 /* let user space think it's a success */
1371 sptlrpc_cli_ctx_put(ctx, 1);
1376 int gss_kt_match(const struct key *key, const void *desc)
1378 return (strcmp(key->description, (const char *) desc) == 0);
1382 void gss_kt_destroy(struct key *key)
1385 LASSERT(key->payload.data == NULL);
1386 CDEBUG(D_SEC, "destroy key %p\n", key);
1391 void gss_kt_describe(const struct key *key, struct seq_file *s)
1393 if (key->description == NULL)
1394 seq_puts(s, "[null]");
1396 seq_puts(s, key->description);
1399 static struct key_type gss_key_type =
1403 .instantiate = gss_kt_instantiate,
1404 .update = gss_kt_update,
1405 .match = gss_kt_match,
1406 .destroy = gss_kt_destroy,
1407 .describe = gss_kt_describe,
1410 /****************************************
1411 * lustre gss keyring policy *
1412 ****************************************/
1414 static struct ptlrpc_ctx_ops gss_keyring_ctxops = {
1415 .match = gss_cli_ctx_match,
1416 .refresh = gss_cli_ctx_refresh_kr,
1417 .validate = gss_cli_ctx_validate_kr,
1418 .die = gss_cli_ctx_die_kr,
1419 .sign = gss_cli_ctx_sign,
1420 .verify = gss_cli_ctx_verify,
1421 .seal = gss_cli_ctx_seal,
1422 .unseal = gss_cli_ctx_unseal,
1423 .wrap_bulk = gss_cli_ctx_wrap_bulk,
1424 .unwrap_bulk = gss_cli_ctx_unwrap_bulk,
1427 static struct ptlrpc_sec_cops gss_sec_keyring_cops = {
1428 .create_sec = gss_sec_create_kr,
1429 .destroy_sec = gss_sec_destroy_kr,
1430 .kill_sec = gss_sec_kill,
1431 .lookup_ctx = gss_sec_lookup_ctx_kr,
1432 .release_ctx = gss_sec_release_ctx_kr,
1433 .flush_ctx_cache = gss_sec_flush_ctx_cache_kr,
1434 .gc_ctx = gss_sec_gc_ctx_kr,
1435 .install_rctx = gss_sec_install_rctx,
1436 .alloc_reqbuf = gss_alloc_reqbuf,
1437 .free_reqbuf = gss_free_reqbuf,
1438 .alloc_repbuf = gss_alloc_repbuf,
1439 .free_repbuf = gss_free_repbuf,
1440 .enlarge_reqbuf = gss_enlarge_reqbuf,
1441 .display = gss_sec_display_kr,
1444 static struct ptlrpc_sec_sops gss_sec_keyring_sops = {
1445 .accept = gss_svc_accept_kr,
1446 .invalidate_ctx = gss_svc_invalidate_ctx,
1447 .alloc_rs = gss_svc_alloc_rs,
1448 .authorize = gss_svc_authorize,
1449 .free_rs = gss_svc_free_rs,
1450 .free_ctx = gss_svc_free_ctx,
1451 .unwrap_bulk = gss_svc_unwrap_bulk,
1452 .wrap_bulk = gss_svc_wrap_bulk,
1453 .install_rctx = gss_svc_install_rctx_kr,
1456 static struct ptlrpc_sec_policy gss_policy_keyring = {
1457 .sp_owner = THIS_MODULE,
1458 .sp_name = "gss.keyring",
1459 .sp_policy = SPTLRPC_POLICY_GSS,
1460 .sp_cops = &gss_sec_keyring_cops,
1461 .sp_sops = &gss_sec_keyring_sops,
1465 int __init gss_init_keyring(void)
1469 rc = register_key_type(&gss_key_type);
1471 CERROR("failed to register keyring type: %d\n", rc);
1475 rc = sptlrpc_register_policy(&gss_policy_keyring);
1477 unregister_key_type(&gss_key_type);
1484 void __exit gss_exit_keyring(void)
1486 unregister_key_type(&gss_key_type);
1487 sptlrpc_unregister_policy(&gss_policy_keyring);