lustre/obdfilter/filter_capa.c

   1 /*
   2  * GPL HEADER START
   3  *
   4  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
   5  *
   6  * This program is free software; you can redistribute it and/or modify
   7  * it under the terms of the GNU General Public License version 2 only,
   8  * as published by the Free Software Foundation.
   9  *
  10  * This program is distributed in the hope that it will be useful, but
  11  * WITHOUT ANY WARRANTY; without even the implied warranty of
  12  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
  13  * General Public License version 2 for more details (a copy is included
  14  * in the LICENSE file that accompanied this code).
  15  *
  16  * You should have received a copy of the GNU General Public License
  17  * version 2 along with this program; If not, see
  18  * http://www.sun.com/software/products/lustre/docs/GPLv2.pdf
  19  *
  20  * Please contact Sun Microsystems, Inc., 4150 Network Circle, Santa Clara,
  21  * CA 95054 USA or visit www.sun.com if you need additional information or
  22  * have any questions.
  23  *
  24  * GPL HEADER END
  25  */
  26 /*
  27  * Copyright (c) 2005, 2010, Oracle and/or its affiliates. All rights reserved.
  28  * Use is subject to license terms.
  29  */
  30 /*
  31  * This file is part of Lustre, http://www.lustre.org/
  32  * Lustre is a trademark of Sun Microsystems, Inc.
  33  *
  34  * lustre/obdfilter/filter_capa.c
  35  *
  36  * Author: Lai Siyao <lsy@clusterfs.com>
  37  */
  38
  39 #define DEBUG_SUBSYSTEM S_FILTER
  40
  41 #include <linux/fs.h>
  42 #include <linux/version.h>
  43 #include <asm/uaccess.h>
  44 #include <linux/file.h>
  45 #include <linux/kmod.h>
  46
  47 #include <lustre_fsfilt.h>
  48 #include <lustre_capa.h>
  49
  50 #include "filter_internal.h"
  51
  52 static inline __u32 filter_ck_keyid(struct filter_capa_key *key)
  53 {
  54         return key->k_key.lk_keyid;
  55 }
  56
  57 int filter_update_capa_key(struct obd_device *obd, struct lustre_capa_key *new)
  58 {
  59         struct filter_obd *filter = &obd->u.filter;
  60         struct filter_capa_key *k, *keys[2] = { NULL, NULL };
  61         int i;
  62
  63         cfs_spin_lock(&capa_lock);
  64         cfs_list_for_each_entry(k, &filter->fo_capa_keys, k_list) {
  65                 if (k->k_key.lk_seq != new->lk_seq)
  66                         continue;
  67
  68                 if (keys[0]) {
  69                         keys[1] = k;
  70                         if (filter_ck_keyid(keys[1]) > filter_ck_keyid(keys[0]))
  71                                 keys[1] = keys[0], keys[0] = k;
  72                 } else {
  73                         keys[0] = k;
  74                 }
  75         }
  76         cfs_spin_unlock(&capa_lock);
  77
  78         for (i = 0; i < 2; i++) {
  79                 if (!keys[i])
  80                         continue;
  81                 if (filter_ck_keyid(keys[i]) != new->lk_keyid)
  82                         continue;
  83                 /* maybe because of recovery or other reasons, MDS sent the
  84                  * the old capability key again.
  85                  */
  86                 cfs_spin_lock(&capa_lock);
  87                 keys[i]->k_key = *new;
  88                 cfs_spin_unlock(&capa_lock);
  89
  90                 RETURN(0);
  91         }
  92
  93         if (keys[1]) {
  94                 /* if OSS already have two keys, update the old one */
  95                 k = keys[1];
  96         } else {
  97                 OBD_ALLOC_PTR(k);
  98                 if (!k)
  99                         RETURN(-ENOMEM);
 100                 CFS_INIT_LIST_HEAD(&k->k_list);
 101         }
 102
 103         cfs_spin_lock(&capa_lock);
 104         k->k_key = *new;
 105         if (cfs_list_empty(&k->k_list))
 106                 cfs_list_add(&k->k_list, &filter->fo_capa_keys);
 107         cfs_spin_unlock(&capa_lock);
 108
 109         DEBUG_CAPA_KEY(D_SEC, new, "new");
 110         RETURN(0);
 111 }
 112
 113 int filter_auth_capa(struct obd_export *exp, struct lu_fid *fid, obd_seq seq,
 114                      struct lustre_capa *capa, __u64 opc)
 115 {
 116         struct obd_device *obd = exp->exp_obd;
 117         struct filter_obd *filter = &obd->u.filter;
 118         struct filter_capa_key *k;
 119         struct lustre_capa_key key;
 120         struct obd_capa *oc;
 121         __u8 *hmac;
 122         int keys_ready = 0, key_found = 0, rc = 0;
 123         ENTRY;
 124
 125         /* skip capa check for llog and obdecho */
 126         if (!fid_seq_is_mdt(seq))
 127                 RETURN(0);
 128
 129         /* capability is disabled */
 130         if (!filter->fo_fl_oss_capa)
 131                 RETURN(0);
 132
 133         if (!(exp->exp_connect_flags & OBD_CONNECT_OSS_CAPA))
 134                 RETURN(0);
 135
 136         if (capa == NULL) {
 137                 if (fid)
 138                         CERROR("seq/fid/opc "LPU64"/"DFID"/"LPX64
 139                                ": no capability has been passed\n",
 140                                seq, PFID(fid), opc);
 141                 else
 142                         CERROR("seq/opc "LPU64"/"LPX64
 143                                ": no capability has been passed\n",
 144                                seq, opc);
 145                 RETURN(-EACCES);
 146         }
 147
 148         if (opc == CAPA_OPC_OSS_READ) {
 149                 if (!(capa->lc_opc & CAPA_OPC_OSS_RW))
 150                         rc = -EACCES;
 151         } else if (!capa_opc_supported(capa, opc)) {
 152                 rc = -EACCES;
 153         }
 154         if (rc) {
 155                 DEBUG_CAPA(D_ERROR, capa, "opc "LPX64" not supported by", opc);
 156                 RETURN(rc);
 157         }
 158
 159         oc = capa_lookup(filter->fo_capa_hash, capa, 0);
 160         if (oc) {
 161                 cfs_spin_lock(&oc->c_lock);
 162                 if (capa_is_expired(oc)) {
 163                         DEBUG_CAPA(D_ERROR, capa, "expired");
 164                         rc = -ESTALE;
 165                 }
 166                 cfs_spin_unlock(&oc->c_lock);
 167
 168                 capa_put(oc);
 169                 RETURN(rc);
 170         }
 171
 172         if (capa_is_expired_sec(capa)) {
 173                 DEBUG_CAPA(D_ERROR, capa, "expired");
 174                 RETURN(-ESTALE);
 175         }
 176
 177         cfs_spin_lock(&capa_lock);
 178         cfs_list_for_each_entry(k, &filter->fo_capa_keys, k_list) {
 179                 if (k->k_key.lk_seq == seq) {
 180                         keys_ready = 1;
 181                         if (k->k_key.lk_keyid == capa_keyid(capa)) {
 182                                 key = k->k_key;
 183                                 key_found = 1;
 184                                 break;
 185                         }
 186                 }
 187         }
 188         cfs_spin_unlock(&capa_lock);
 189
 190         if (!keys_ready) {
 191                 CDEBUG(D_SEC, "MDS hasn't propagated capability keys yet, "
 192                        "ignore check!\n");
 193                 RETURN(0);
 194         }
 195
 196        if (!key_found) {
 197                 DEBUG_CAPA(D_ERROR, capa, "no matched capability key for");
 198                 RETURN(-ESTALE);
 199         }
 200
 201         OBD_ALLOC(hmac, CAPA_HMAC_MAX_LEN);
 202         if (hmac == NULL)
 203                 RETURN(-ENOMEM);
 204
 205         rc = capa_hmac(hmac, capa, key.lk_key);
 206         if (rc) {
 207                 DEBUG_CAPA(D_ERROR, capa, "HMAC failed: rc %d", rc);
 208                 OBD_FREE(hmac, CAPA_HMAC_MAX_LEN);
 209                 RETURN(rc);
 210         }
 211
 212         rc = memcmp(hmac, capa->lc_hmac, CAPA_HMAC_MAX_LEN);
 213         OBD_FREE(hmac, CAPA_HMAC_MAX_LEN);
 214         if (rc) {
 215                 DEBUG_CAPA_KEY(D_ERROR, &key, "calculate HMAC with ");
 216                 DEBUG_CAPA(D_ERROR, capa, "HMAC mismatch");
 217                 RETURN(-EACCES);
 218         }
 219
 220         /* store in capa hash */
 221         oc = capa_add(filter->fo_capa_hash, capa);
 222         capa_put(oc);
 223         RETURN(0);
 224 }
 225
 226 int filter_capa_fixoa(struct obd_export *exp, struct obdo *oa, obd_seq seq,
 227                       struct lustre_capa *capa)
 228 {
 229         int rc = 0;
 230         ENTRY;
 231
 232         /* skip capa check for llog and obdecho */
 233         if (!fid_seq_is_mdt(seq))
 234                 RETURN(0);
 235
 236         if (!(exp->exp_connect_flags & OBD_CONNECT_OSS_CAPA))
 237                 RETURN(0);
 238
 239         if (unlikely(!capa))
 240                 RETURN(-EACCES);
 241
 242         if (capa_flags(capa) == LC_ID_CONVERT) {
 243                 struct obd_device *obd = exp->exp_obd;
 244                 struct filter_obd *filter = &obd->u.filter;
 245                 struct filter_capa_key *k;
 246                 int found = 0;
 247
 248                 cfs_spin_lock(&capa_lock);
 249                 cfs_list_for_each_entry(k, &filter->fo_capa_keys, k_list) {
 250                         if (k->k_key.lk_seq == seq &&
 251                             k->k_key.lk_keyid == capa_keyid(capa)) {
 252                                 found = 1;
 253                                 break;
 254                         }
 255                 }
 256                 cfs_spin_unlock(&capa_lock);
 257
 258                 if (found) {
 259                         union {
 260                                 __u64 id64;
 261                                 __u32 id32[2];
 262                         } uid, gid;
 263                         __u32 d[4], s[4];
 264
 265                         uid.id64 = capa_uid(capa);
 266                         gid.id64 = capa_gid(capa);
 267                         s[0] = uid.id32[0];
 268                         s[1] = uid.id32[1];
 269                         s[2] = gid.id32[0];
 270                         s[3] = gid.id32[1];
 271
 272                         rc = capa_decrypt_id(d, s, k->k_key.lk_key,
 273                                              CAPA_HMAC_KEY_MAX_LEN);
 274                         if (unlikely(rc))
 275                                 RETURN(rc);
 276
 277                         oa->o_uid = d[0];
 278                         oa->o_gid = d[2];
 279                 } else {
 280                         DEBUG_CAPA(D_ERROR, capa, "no matched capability key for");
 281                         rc = -ESTALE;
 282                 }
 283         }
 284
 285         RETURN(rc);
 286 }
 287
 288 void filter_free_capa_keys(struct filter_obd *filter)
 289 {
 290         struct filter_capa_key *key, *n;
 291
 292         cfs_spin_lock(&capa_lock);
 293         cfs_list_for_each_entry_safe(key, n, &filter->fo_capa_keys, k_list) {
 294                 cfs_list_del_init(&key->k_list);
 295                 OBD_FREE(key, sizeof(*key));
 296         }
 297         cfs_spin_unlock(&capa_lock);
 298 }