lustre/obdfilter/filter_capa.c

   1 /* -*- mode: c; c-basic-offset: 8; indent-tabs-mode: nil; -*-
   2  * vim:expandtab:shiftwidth=8:tabstop=8:
   3  *
   4  * Copyright (C) 2004, 2005 Cluster File Systems, Inc.
   5  *
   6  * Author: Lai Siyao <lsy@clusterfs.com>
   7  *
   8  *   This file is part of Lustre, http://www.lustre.org.
   9  *
  10  *   Lustre is free software; you can redistribute it and/or
  11  *   modify it under the terms of version 2 of the GNU General Public
  12  *   License as published by the Free Software Foundation.
  13  *
  14  *   Lustre is distributed in the hope that it will be useful,
  15  *   but WITHOUT ANY WARRANTY; without even the implied warranty of
  16  *   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  17  *   GNU General Public License for more details.
  18  *
  19  *   You should have received a copy of the GNU General Public License
  20  *   along with Lustre; if not, write to the Free Software
  21  *   Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
  22  */
  23
  24 #define DEBUG_SUBSYSTEM S_FILTER
  25
  26 #include <linux/fs.h>
  27 #include <linux/version.h>
  28 #include <asm/uaccess.h>
  29 #include <linux/file.h>
  30 #include <linux/kmod.h>
  31
  32 #include <linux/lustre_fsfilt.h>
  33 #include <linux/lustre_sec.h>
  34
  35 #include "filter_internal.h"
  36
  37 void filter_free_capa_keys(struct filter_obd *filter)
  38 {
  39         struct filter_capa_key *key, *n;
  40
  41         spin_lock(&filter->fo_capa_lock);
  42         list_for_each_entry_safe(key, n, &filter->fo_capa_keys, k_list) {
  43                 list_del_init(&key->k_list);
  44                 OBD_FREE(key, sizeof(*key));
  45         }
  46         spin_unlock(&filter->fo_capa_lock);
  47 }
  48
  49 int filter_update_capa_key(struct obd_device *obd, struct lustre_capa_key *key)
  50 {
  51         struct filter_obd *filter = &obd->u.filter;
  52         struct filter_capa_key *tmp = NULL, *rkey = NULL, *bkey = NULL;
  53         int rc = 0;
  54         ENTRY;
  55
  56         spin_lock(&filter->fo_capa_lock);
  57         list_for_each_entry(tmp, &filter->fo_capa_keys, k_list) {
  58                 if (tmp->k_key.lk_mdsid != le32_to_cpu(key->lk_mdsid))
  59                         continue;
  60
  61                 if (rkey == NULL)
  62                         rkey = tmp;
  63                 else
  64                         bkey = tmp;
  65         }
  66         spin_unlock(&filter->fo_capa_lock);
  67
  68         if (rkey && bkey && capa_key_cmp(&rkey->k_key, &bkey->k_key) < 0) {
  69                 tmp = rkey;
  70                 rkey = bkey;
  71                 bkey = tmp;
  72         }
  73
  74         if (bkey) {
  75                 tmp = bkey;
  76         } else {
  77                 OBD_ALLOC(tmp, sizeof(*tmp));
  78                 if (!tmp)
  79                         GOTO(out, rc = -ENOMEM);
  80         }
  81
  82         /* fields in lustre_capa_key are in cpu order */
  83         spin_lock(&filter->fo_capa_lock);
  84         tmp->k_key.lk_mdsid = le32_to_cpu(key->lk_mdsid);
  85         tmp->k_key.lk_keyid = le32_to_cpu(key->lk_keyid);
  86         tmp->k_key.lk_expiry = le64_to_cpu(key->lk_expiry);
  87         memcpy(&tmp->k_key.lk_key, key->lk_key, sizeof(key->lk_key));
  88
  89         if (!bkey)
  90                 list_add_tail(&tmp->k_list, &filter->fo_capa_keys);
  91         spin_unlock(&filter->fo_capa_lock);
  92
  93         DEBUG_CAPA_KEY(D_INFO, &tmp->k_key, "filter_update_capa_key");
  94 out:
  95         RETURN(rc);
  96 }
  97
  98 int filter_verify_capa(int cmd, struct obd_export *exp, struct inode *inode,
  99                        struct lustre_capa *capa)
 100 {
 101         struct obd_device *obd = exp->exp_obd;
 102         struct filter_obd *filter = &obd->u.filter;
 103         struct obd_capa *ocapa;
 104         struct lustre_capa tcapa;
 105         struct lustre_id fid;
 106         struct filter_capa_key *rkey = NULL, *bkey = NULL, *tmp;
 107         __u8 hmac_key[CAPA_KEY_LEN];
 108         int rc = 0;
 109         ENTRY;
 110
 111         /* capability is disabled */
 112         if (filter->fo_capa_stat == 0)
 113                 RETURN(0);
 114
 115         if (capa == NULL)
 116                 RETURN(-EACCES);
 117
 118         if (cmd == OBD_BRW_WRITE && capa->lc_op != MAY_WRITE)
 119                 RETURN(-EACCES);
 120         if (cmd == OBD_BRW_READ && !(capa->lc_op & (MAY_WRITE | MAY_READ)))
 121                 RETURN(-EACCES);
 122
 123         if (OBD_FAIL_CHECK(OBD_FAIL_FILTER_VERIFY_CAPA))
 124                 RETURN(-EACCES);
 125
 126         rc = fsfilt_get_md(obd, inode, &fid, sizeof(fid), EA_SID);
 127         if (rc < 0) {
 128                 CERROR("get fid from object failed! rc:%d\n", rc);
 129                 RETURN(rc);
 130         } else if (rc > 0) {
 131                 if (capa->lc_mdsid != id_group(&fid) ||
 132                     capa->lc_ino != id_ino(&fid))
 133                         RETURN(-EINVAL);
 134         }
 135
 136         if (capa_expired(capa))
 137                 RETURN(-ESTALE);
 138
 139         ocapa = capa_get(capa->lc_uid, capa->lc_op, capa->lc_mdsid,
 140                          capa->lc_ino, FILTER_CAPA, NULL, NULL, NULL);
 141 verify:
 142         if (ocapa) {
 143                 /* fo_capa_lock protects capa too */
 144                 spin_lock(&filter->fo_capa_lock);
 145                 if (capa->lc_keyid == ocapa->c_capa.lc_keyid) {
 146                         rc = memcmp(capa, &ocapa->c_capa, sizeof(*capa));
 147                 } else if (ocapa->c_bvalid &&
 148                            capa->lc_keyid == ocapa->c_bkeyid) {
 149                         rc = memcmp(capa->lc_hmac, ocapa->c_bhmac,
 150                                     sizeof(capa->lc_hmac));
 151                 } else {
 152                         /* ocapa is obsolete */
 153                         capa_put(ocapa, FILTER_CAPA);
 154                         spin_unlock(&filter->fo_capa_lock);
 155                         goto new_capa;
 156                 }
 157                 spin_unlock(&filter->fo_capa_lock);
 158
 159                 capa_put(ocapa, FILTER_CAPA);
 160                 RETURN(rc ? -EACCES : 0);
 161         }
 162
 163 new_capa:
 164         spin_lock(&filter->fo_capa_lock);
 165         list_for_each_entry(tmp, &filter->fo_capa_keys, k_list) {
 166                 if (tmp->k_key.lk_mdsid == capa->lc_mdsid) {
 167                         if (rkey == NULL)
 168                                 rkey = tmp;
 169                         else
 170                                 bkey = tmp;
 171                 }
 172         }
 173
 174         if (rkey && bkey && capa_key_cmp(&rkey->k_key, &bkey->k_key) < 0) {
 175                 tmp = rkey;
 176                 rkey = bkey;
 177                 bkey = tmp;
 178         }
 179
 180         if ((!rkey || rkey->k_key.lk_keyid != capa->lc_keyid) &&
 181             (!bkey || bkey->k_key.lk_keyid != capa->lc_keyid)) {
 182                 spin_unlock(&filter->fo_capa_lock);
 183                 GOTO(out, rc = -ESTALE);
 184         }
 185
 186         LASSERT(rkey);
 187
 188         memcpy(&tcapa, capa, sizeof(tcapa));
 189         tcapa.lc_keyid = rkey->k_key.lk_keyid;
 190         memcpy(hmac_key, rkey->k_key.lk_key, sizeof(hmac_key));
 191         spin_unlock(&filter->fo_capa_lock);
 192
 193         capa_hmac(filter->fo_capa_hmac, hmac_key, &tcapa);
 194
 195         /* store in capa cache */
 196         ocapa = capa_get(capa->lc_uid, capa->lc_op, capa->lc_mdsid,
 197                          capa->lc_ino, FILTER_CAPA, capa, NULL, NULL);
 198         if (!ocapa)
 199                 GOTO(out, rc = -ENOMEM);
 200
 201         if (bkey) {
 202                 spin_lock(&filter->fo_capa_lock);
 203                 tcapa.lc_keyid = bkey->k_key.lk_keyid;
 204                 memcpy(hmac_key, bkey->k_key.lk_key, sizeof(hmac_key));
 205                 ocapa->c_bkeyid = bkey->k_key.lk_keyid;
 206                 spin_unlock(&filter->fo_capa_lock);
 207
 208                 capa_hmac(filter->fo_capa_hmac, bkey->k_key.lk_key, &tcapa);
 209
 210                 spin_lock(&filter->fo_capa_lock);
 211                 memcpy(ocapa->c_bhmac, tcapa.lc_hmac, sizeof(ocapa->c_bhmac));
 212                 spin_unlock(&filter->fo_capa_lock);
 213         }
 214         goto verify;
 215 out:
 216         RETURN(rc);
 217 }