4 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
6 * This program is free software; you can redistribute it and/or modify
7 * it under the terms of the GNU General Public License version 2 only,
8 * as published by the Free Software Foundation.
10 * This program is distributed in the hope that it will be useful, but
11 * WITHOUT ANY WARRANTY; without even the implied warranty of
12 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
13 * General Public License version 2 for more details (a copy is included
14 * in the LICENSE file that accompanied this code).
16 * You should have received a copy of the GNU General Public License
17 * version 2 along with this program; If not, see
18 * http://www.gnu.org/licenses/gpl-2.0.html
23 * Copyright (c) 2007, 2010, Oracle and/or its affiliates. All rights reserved.
24 * Use is subject to license terms.
26 * Copyright (c) 2011, 2017, Intel Corporation.
29 * This file is part of Lustre, http://www.lustre.org/
33 * Author: Eric Mei <ericm@clusterfs.com>
36 #define DEBUG_SUBSYSTEM S_SEC
38 #include <linux/user_namespace.h>
39 #include <linux/uidgid.h>
40 #include <linux/crypto.h>
41 #include <linux/key.h>
43 #include <libcfs/libcfs.h>
45 #include <obd_class.h>
46 #include <obd_support.h>
47 #include <lustre_net.h>
48 #include <lustre_import.h>
49 #include <lustre_dlm.h>
50 #include <lustre_sec.h>
52 #include "ptlrpc_internal.h"
54 static int send_sepol;
55 module_param(send_sepol, int, 0644);
56 MODULE_PARM_DESC(send_sepol, "Client sends SELinux policy status");
62 static rwlock_t policy_lock;
63 static struct ptlrpc_sec_policy *policies[SPTLRPC_POLICY_MAX] = {
67 int sptlrpc_register_policy(struct ptlrpc_sec_policy *policy)
69 __u16 number = policy->sp_policy;
71 LASSERT(policy->sp_name);
72 LASSERT(policy->sp_cops);
73 LASSERT(policy->sp_sops);
75 if (number >= SPTLRPC_POLICY_MAX)
78 write_lock(&policy_lock);
79 if (unlikely(policies[number])) {
80 write_unlock(&policy_lock);
83 policies[number] = policy;
84 write_unlock(&policy_lock);
86 CDEBUG(D_SEC, "%s: registered\n", policy->sp_name);
89 EXPORT_SYMBOL(sptlrpc_register_policy);
91 int sptlrpc_unregister_policy(struct ptlrpc_sec_policy *policy)
93 __u16 number = policy->sp_policy;
95 LASSERT(number < SPTLRPC_POLICY_MAX);
97 write_lock(&policy_lock);
98 if (unlikely(policies[number] == NULL)) {
99 write_unlock(&policy_lock);
100 CERROR("%s: already unregistered\n", policy->sp_name);
104 LASSERT(policies[number] == policy);
105 policies[number] = NULL;
106 write_unlock(&policy_lock);
108 CDEBUG(D_SEC, "%s: unregistered\n", policy->sp_name);
111 EXPORT_SYMBOL(sptlrpc_unregister_policy);
114 struct ptlrpc_sec_policy *sptlrpc_wireflavor2policy(__u32 flavor)
116 static DEFINE_MUTEX(load_mutex);
117 static atomic_t loaded = ATOMIC_INIT(0);
118 struct ptlrpc_sec_policy *policy;
119 __u16 number = SPTLRPC_FLVR_POLICY(flavor);
122 if (number >= SPTLRPC_POLICY_MAX)
126 read_lock(&policy_lock);
127 policy = policies[number];
128 if (policy && !try_module_get(policy->sp_owner))
131 flag = atomic_read(&loaded);
132 read_unlock(&policy_lock);
134 if (policy != NULL || flag != 0 ||
135 number != SPTLRPC_POLICY_GSS)
138 /* try to load gss module, once */
139 mutex_lock(&load_mutex);
140 if (atomic_read(&loaded) == 0) {
141 if (request_module("ptlrpc_gss") == 0)
143 "module ptlrpc_gss loaded on demand\n");
145 CERROR("Unable to load module ptlrpc_gss\n");
147 atomic_set(&loaded, 1);
149 mutex_unlock(&load_mutex);
155 __u32 sptlrpc_name2flavor_base(const char *name)
157 if (!strcmp(name, "null"))
158 return SPTLRPC_FLVR_NULL;
159 if (!strcmp(name, "plain"))
160 return SPTLRPC_FLVR_PLAIN;
161 if (!strcmp(name, "gssnull"))
162 return SPTLRPC_FLVR_GSSNULL;
163 if (!strcmp(name, "krb5n"))
164 return SPTLRPC_FLVR_KRB5N;
165 if (!strcmp(name, "krb5a"))
166 return SPTLRPC_FLVR_KRB5A;
167 if (!strcmp(name, "krb5i"))
168 return SPTLRPC_FLVR_KRB5I;
169 if (!strcmp(name, "krb5p"))
170 return SPTLRPC_FLVR_KRB5P;
171 if (!strcmp(name, "skn"))
172 return SPTLRPC_FLVR_SKN;
173 if (!strcmp(name, "ska"))
174 return SPTLRPC_FLVR_SKA;
175 if (!strcmp(name, "ski"))
176 return SPTLRPC_FLVR_SKI;
177 if (!strcmp(name, "skpi"))
178 return SPTLRPC_FLVR_SKPI;
180 return SPTLRPC_FLVR_INVALID;
182 EXPORT_SYMBOL(sptlrpc_name2flavor_base);
184 const char *sptlrpc_flavor2name_base(__u32 flvr)
186 __u32 base = SPTLRPC_FLVR_BASE(flvr);
188 if (base == SPTLRPC_FLVR_BASE(SPTLRPC_FLVR_NULL))
190 else if (base == SPTLRPC_FLVR_BASE(SPTLRPC_FLVR_PLAIN))
192 else if (base == SPTLRPC_FLVR_BASE(SPTLRPC_FLVR_GSSNULL))
194 else if (base == SPTLRPC_FLVR_BASE(SPTLRPC_FLVR_KRB5N))
196 else if (base == SPTLRPC_FLVR_BASE(SPTLRPC_FLVR_KRB5A))
198 else if (base == SPTLRPC_FLVR_BASE(SPTLRPC_FLVR_KRB5I))
200 else if (base == SPTLRPC_FLVR_BASE(SPTLRPC_FLVR_KRB5P))
202 else if (base == SPTLRPC_FLVR_BASE(SPTLRPC_FLVR_SKN))
204 else if (base == SPTLRPC_FLVR_BASE(SPTLRPC_FLVR_SKA))
206 else if (base == SPTLRPC_FLVR_BASE(SPTLRPC_FLVR_SKI))
208 else if (base == SPTLRPC_FLVR_BASE(SPTLRPC_FLVR_SKPI))
211 CERROR("invalid wire flavor 0x%x\n", flvr);
214 EXPORT_SYMBOL(sptlrpc_flavor2name_base);
216 char *sptlrpc_flavor2name_bulk(struct sptlrpc_flavor *sf,
217 char *buf, int bufsize)
219 if (SPTLRPC_FLVR_POLICY(sf->sf_rpc) == SPTLRPC_POLICY_PLAIN)
220 snprintf(buf, bufsize, "hash:%s",
221 sptlrpc_get_hash_name(sf->u_bulk.hash.hash_alg));
223 snprintf(buf, bufsize, "%s",
224 sptlrpc_flavor2name_base(sf->sf_rpc));
226 buf[bufsize - 1] = '\0';
229 EXPORT_SYMBOL(sptlrpc_flavor2name_bulk);
231 char *sptlrpc_flavor2name(struct sptlrpc_flavor *sf, char *buf, int bufsize)
233 snprintf(buf, bufsize, "%s", sptlrpc_flavor2name_base(sf->sf_rpc));
236 * currently we don't support customized bulk specification for
237 * flavors other than plain
239 if (SPTLRPC_FLVR_POLICY(sf->sf_rpc) == SPTLRPC_POLICY_PLAIN) {
243 sptlrpc_flavor2name_bulk(sf, &bspec[1], sizeof(bspec) - 1);
244 strncat(buf, bspec, bufsize);
247 buf[bufsize - 1] = '\0';
250 EXPORT_SYMBOL(sptlrpc_flavor2name);
252 char *sptlrpc_secflags2str(__u32 flags, char *buf, int bufsize)
256 if (flags & PTLRPC_SEC_FL_REVERSE)
257 strlcat(buf, "reverse,", bufsize);
258 if (flags & PTLRPC_SEC_FL_ROOTONLY)
259 strlcat(buf, "rootonly,", bufsize);
260 if (flags & PTLRPC_SEC_FL_UDESC)
261 strlcat(buf, "udesc,", bufsize);
262 if (flags & PTLRPC_SEC_FL_BULK)
263 strlcat(buf, "bulk,", bufsize);
265 strlcat(buf, "-,", bufsize);
269 EXPORT_SYMBOL(sptlrpc_secflags2str);
272 * client context APIs
276 struct ptlrpc_cli_ctx *get_my_ctx(struct ptlrpc_sec *sec)
278 struct vfs_cred vcred;
279 int create = 1, remove_dead = 1;
282 LASSERT(sec->ps_policy->sp_cops->lookup_ctx);
284 if (sec->ps_flvr.sf_flags & (PTLRPC_SEC_FL_REVERSE |
285 PTLRPC_SEC_FL_ROOTONLY)) {
288 if (sec->ps_flvr.sf_flags & PTLRPC_SEC_FL_REVERSE) {
293 vcred.vc_uid = from_kuid(&init_user_ns, current_uid());
294 vcred.vc_gid = from_kgid(&init_user_ns, current_gid());
297 return sec->ps_policy->sp_cops->lookup_ctx(sec, &vcred, create,
301 struct ptlrpc_cli_ctx *sptlrpc_cli_ctx_get(struct ptlrpc_cli_ctx *ctx)
303 atomic_inc(&ctx->cc_refcount);
306 EXPORT_SYMBOL(sptlrpc_cli_ctx_get);
308 void sptlrpc_cli_ctx_put(struct ptlrpc_cli_ctx *ctx, int sync)
310 struct ptlrpc_sec *sec = ctx->cc_sec;
313 LASSERT_ATOMIC_POS(&ctx->cc_refcount);
315 if (!atomic_dec_and_test(&ctx->cc_refcount))
318 sec->ps_policy->sp_cops->release_ctx(sec, ctx, sync);
320 EXPORT_SYMBOL(sptlrpc_cli_ctx_put);
323 * Expire the client context immediately.
325 * \pre Caller must hold at least 1 reference on the \a ctx.
327 void sptlrpc_cli_ctx_expire(struct ptlrpc_cli_ctx *ctx)
329 LASSERT(ctx->cc_ops->die);
330 ctx->cc_ops->die(ctx, 0);
332 EXPORT_SYMBOL(sptlrpc_cli_ctx_expire);
335 * To wake up the threads who are waiting for this client context. Called
336 * after some status change happened on \a ctx.
338 void sptlrpc_cli_ctx_wakeup(struct ptlrpc_cli_ctx *ctx)
340 struct ptlrpc_request *req, *next;
342 spin_lock(&ctx->cc_lock);
343 list_for_each_entry_safe(req, next, &ctx->cc_req_list,
345 list_del_init(&req->rq_ctx_chain);
346 ptlrpc_client_wake_req(req);
348 spin_unlock(&ctx->cc_lock);
350 EXPORT_SYMBOL(sptlrpc_cli_ctx_wakeup);
352 int sptlrpc_cli_ctx_display(struct ptlrpc_cli_ctx *ctx, char *buf, int bufsize)
354 LASSERT(ctx->cc_ops);
356 if (ctx->cc_ops->display == NULL)
359 return ctx->cc_ops->display(ctx, buf, bufsize);
362 static int import_sec_check_expire(struct obd_import *imp)
366 write_lock(&imp->imp_sec_lock);
367 if (imp->imp_sec_expire &&
368 imp->imp_sec_expire < ktime_get_real_seconds()) {
370 imp->imp_sec_expire = 0;
372 write_unlock(&imp->imp_sec_lock);
377 CDEBUG(D_SEC, "found delayed sec adapt expired, do it now\n");
378 return sptlrpc_import_sec_adapt(imp, NULL, NULL);
382 * Get and validate the client side ptlrpc security facilities from
383 * \a imp. There is a race condition on client reconnect when the import is
384 * being destroyed while there are outstanding client bound requests. In
385 * this case do not output any error messages if import secuity is not
388 * \param[in] imp obd import associated with client
389 * \param[out] sec client side ptlrpc security
391 * \retval 0 if security retrieved successfully
392 * \retval -ve errno if there was a problem
394 static int import_sec_validate_get(struct obd_import *imp,
395 struct ptlrpc_sec **sec)
399 if (unlikely(imp->imp_sec_expire)) {
400 rc = import_sec_check_expire(imp);
405 *sec = sptlrpc_import_sec_ref(imp);
407 /* Only output an error when the import is still active */
408 if (!test_bit(WORK_STRUCT_PENDING_BIT,
409 work_data_bits(&imp->imp_zombie_work)))
410 CERROR("import %p (%s) with no sec\n",
411 imp, ptlrpc_import_state_name(imp->imp_state));
415 if (unlikely((*sec)->ps_dying)) {
416 CERROR("attempt to use dying sec %p\n", sec);
417 sptlrpc_sec_put(*sec);
425 * Given a \a req, find or allocate an appropriate context for it.
426 * \pre req->rq_cli_ctx == NULL.
428 * \retval 0 succeed, and req->rq_cli_ctx is set.
429 * \retval -ev error number, and req->rq_cli_ctx == NULL.
431 int sptlrpc_req_get_ctx(struct ptlrpc_request *req)
433 struct obd_import *imp = req->rq_import;
434 struct ptlrpc_sec *sec;
439 LASSERT(!req->rq_cli_ctx);
442 rc = import_sec_validate_get(imp, &sec);
446 req->rq_cli_ctx = get_my_ctx(sec);
448 sptlrpc_sec_put(sec);
450 if (!req->rq_cli_ctx) {
451 CERROR("req %p: fail to get context\n", req);
452 RETURN(-ECONNREFUSED);
459 * Drop the context for \a req.
460 * \pre req->rq_cli_ctx != NULL.
461 * \post req->rq_cli_ctx == NULL.
463 * If \a sync == 0, this function should return quickly without sleep;
464 * otherwise it might trigger and wait for the whole process of sending
465 * an context-destroying rpc to server.
467 void sptlrpc_req_put_ctx(struct ptlrpc_request *req, int sync)
472 LASSERT(req->rq_cli_ctx);
475 * request might be asked to release earlier while still
476 * in the context waiting list.
478 if (!list_empty(&req->rq_ctx_chain)) {
479 spin_lock(&req->rq_cli_ctx->cc_lock);
480 list_del_init(&req->rq_ctx_chain);
481 spin_unlock(&req->rq_cli_ctx->cc_lock);
484 sptlrpc_cli_ctx_put(req->rq_cli_ctx, sync);
485 req->rq_cli_ctx = NULL;
490 int sptlrpc_req_ctx_switch(struct ptlrpc_request *req,
491 struct ptlrpc_cli_ctx *oldctx,
492 struct ptlrpc_cli_ctx *newctx)
494 struct sptlrpc_flavor old_flvr;
495 char *reqmsg = NULL; /* to workaround old gcc */
500 "req %p: switch ctx %p(%u->%s) -> %p(%u->%s), switch sec %p(%s) -> %p(%s)\n",
501 req, oldctx, oldctx->cc_vcred.vc_uid,
502 sec2target_str(oldctx->cc_sec), newctx, newctx->cc_vcred.vc_uid,
503 sec2target_str(newctx->cc_sec), oldctx->cc_sec,
504 oldctx->cc_sec->ps_policy->sp_name, newctx->cc_sec,
505 newctx->cc_sec->ps_policy->sp_name);
508 old_flvr = req->rq_flvr;
510 /* save request message */
511 reqmsg_size = req->rq_reqlen;
512 if (reqmsg_size != 0) {
513 LASSERT(req->rq_reqmsg);
514 OBD_ALLOC_LARGE(reqmsg, reqmsg_size);
517 memcpy(reqmsg, req->rq_reqmsg, reqmsg_size);
520 /* release old req/rep buf */
521 req->rq_cli_ctx = oldctx;
522 sptlrpc_cli_free_reqbuf(req);
523 sptlrpc_cli_free_repbuf(req);
524 req->rq_cli_ctx = newctx;
526 /* recalculate the flavor */
527 sptlrpc_req_set_flavor(req, 0);
530 * alloc new request buffer
531 * we don't need to alloc reply buffer here, leave it to the
532 * rest procedure of ptlrpc
534 if (reqmsg_size != 0) {
535 rc = sptlrpc_cli_alloc_reqbuf(req, reqmsg_size);
537 LASSERT(req->rq_reqmsg);
538 memcpy(req->rq_reqmsg, reqmsg, reqmsg_size);
540 CWARN("failed to alloc reqbuf: %d\n", rc);
541 req->rq_flvr = old_flvr;
544 OBD_FREE_LARGE(reqmsg, reqmsg_size);
550 * If current context of \a req is dead somehow, e.g. we just switched flavor
551 * thus marked original contexts dead, we'll find a new context for it. if
552 * no switch is needed, \a req will end up with the same context.
554 * \note a request must have a context, to keep other parts of code happy.
555 * In any case of failure during the switching, we must restore the old one.
557 int sptlrpc_req_replace_dead_ctx(struct ptlrpc_request *req)
559 struct ptlrpc_cli_ctx *oldctx = req->rq_cli_ctx;
560 struct ptlrpc_cli_ctx *newctx;
567 sptlrpc_cli_ctx_get(oldctx);
568 sptlrpc_req_put_ctx(req, 0);
570 rc = sptlrpc_req_get_ctx(req);
572 LASSERT(!req->rq_cli_ctx);
574 /* restore old ctx */
575 req->rq_cli_ctx = oldctx;
579 newctx = req->rq_cli_ctx;
582 if (unlikely(newctx == oldctx &&
583 test_bit(PTLRPC_CTX_DEAD_BIT, &oldctx->cc_flags))) {
585 * still get the old dead ctx, usually means system too busy
588 "ctx (%p, fl %lx) doesn't switch, relax a little bit\n",
589 newctx, newctx->cc_flags);
591 schedule_timeout_interruptible(cfs_time_seconds(1));
592 } else if (unlikely(test_bit(PTLRPC_CTX_UPTODATE_BIT, &newctx->cc_flags)
595 * new ctx not up to date yet
598 "ctx (%p, fl %lx) doesn't switch, not up to date yet\n",
599 newctx, newctx->cc_flags);
602 * it's possible newctx == oldctx if we're switching
603 * subflavor with the same sec.
605 rc = sptlrpc_req_ctx_switch(req, oldctx, newctx);
607 /* restore old ctx */
608 sptlrpc_req_put_ctx(req, 0);
609 req->rq_cli_ctx = oldctx;
613 LASSERT(req->rq_cli_ctx == newctx);
616 sptlrpc_cli_ctx_put(oldctx, 1);
619 EXPORT_SYMBOL(sptlrpc_req_replace_dead_ctx);
622 int ctx_check_refresh(struct ptlrpc_cli_ctx *ctx)
624 if (cli_ctx_is_refreshed(ctx))
630 void ctx_refresh_interrupt(struct ptlrpc_request *req)
633 spin_lock(&req->rq_lock);
635 spin_unlock(&req->rq_lock);
639 void req_off_ctx_list(struct ptlrpc_request *req, struct ptlrpc_cli_ctx *ctx)
641 spin_lock(&ctx->cc_lock);
642 if (!list_empty(&req->rq_ctx_chain))
643 list_del_init(&req->rq_ctx_chain);
644 spin_unlock(&ctx->cc_lock);
648 * To refresh the context of \req, if it's not up-to-date.
650 * - == 0: do not wait
651 * - == MAX_SCHEDULE_TIMEOUT: wait indefinitely
652 * - > 0: not supported
654 * The status of the context could be subject to be changed by other threads
655 * at any time. We allow this race, but once we return with 0, the caller will
656 * suppose it's uptodated and keep using it until the owning rpc is done.
658 * \retval 0 only if the context is uptodated.
659 * \retval -ev error number.
661 int sptlrpc_req_refresh_ctx(struct ptlrpc_request *req, long timeout)
663 struct ptlrpc_cli_ctx *ctx = req->rq_cli_ctx;
664 struct ptlrpc_sec *sec;
671 if (req->rq_ctx_init || req->rq_ctx_fini)
674 if (timeout != 0 && timeout != MAX_SCHEDULE_TIMEOUT) {
675 CERROR("req %p: invalid timeout %lu\n", req, timeout);
680 * during the process a request's context might change type even
681 * (e.g. from gss ctx to null ctx), so each loop we need to re-check
685 rc = import_sec_validate_get(req->rq_import, &sec);
689 if (sec->ps_flvr.sf_rpc != req->rq_flvr.sf_rpc) {
690 CDEBUG(D_SEC, "req %p: flavor has changed %x -> %x\n",
691 req, req->rq_flvr.sf_rpc, sec->ps_flvr.sf_rpc);
692 req_off_ctx_list(req, ctx);
693 sptlrpc_req_replace_dead_ctx(req);
694 ctx = req->rq_cli_ctx;
696 sptlrpc_sec_put(sec);
698 if (cli_ctx_is_eternal(ctx))
701 if (unlikely(test_bit(PTLRPC_CTX_NEW_BIT, &ctx->cc_flags))) {
702 if (ctx->cc_ops->refresh)
703 ctx->cc_ops->refresh(ctx);
705 LASSERT(test_bit(PTLRPC_CTX_NEW_BIT, &ctx->cc_flags) == 0);
707 LASSERT(ctx->cc_ops->validate);
708 if (ctx->cc_ops->validate(ctx) == 0) {
709 req_off_ctx_list(req, ctx);
713 if (unlikely(test_bit(PTLRPC_CTX_ERROR_BIT, &ctx->cc_flags))) {
714 spin_lock(&req->rq_lock);
716 spin_unlock(&req->rq_lock);
717 req_off_ctx_list(req, ctx);
722 * There's a subtle issue for resending RPCs, suppose following
724 * 1. the request was sent to server.
725 * 2. recovery was kicked start, after finished the request was
727 * 3. resend the request.
728 * 4. old reply from server received, we accept and verify the reply.
729 * this has to be success, otherwise the error will be aware
731 * 5. new reply from server received, dropped by LNet.
733 * Note the xid of old & new request is the same. We can't simply
734 * change xid for the resent request because the server replies on
735 * it for reply reconstruction.
737 * Commonly the original context should be uptodate because we
738 * have an expiry nice time; server will keep its context because
739 * we at least hold a ref of old context which prevent context
740 * from destroying RPC being sent. So server still can accept the
741 * request and finish the RPC. But if that's not the case:
742 * 1. If server side context has been trimmed, a NO_CONTEXT will
743 * be returned, gss_cli_ctx_verify/unseal will switch to new
745 * 2. Current context never be refreshed, then we are fine: we
746 * never really send request with old context before.
748 if (test_bit(PTLRPC_CTX_UPTODATE_BIT, &ctx->cc_flags) &&
749 unlikely(req->rq_reqmsg) &&
750 lustre_msg_get_flags(req->rq_reqmsg) & MSG_RESENT) {
751 req_off_ctx_list(req, ctx);
755 if (unlikely(test_bit(PTLRPC_CTX_DEAD_BIT, &ctx->cc_flags))) {
756 req_off_ctx_list(req, ctx);
758 * don't switch ctx if import was deactivated
760 if (req->rq_import->imp_deactive) {
761 spin_lock(&req->rq_lock);
763 spin_unlock(&req->rq_lock);
767 rc = sptlrpc_req_replace_dead_ctx(req);
769 LASSERT(ctx == req->rq_cli_ctx);
770 CERROR("req %p: failed to replace dead ctx %p: %d\n",
772 spin_lock(&req->rq_lock);
774 spin_unlock(&req->rq_lock);
778 ctx = req->rq_cli_ctx;
783 * Now we're sure this context is during upcall, add myself into
786 spin_lock(&ctx->cc_lock);
787 if (list_empty(&req->rq_ctx_chain))
788 list_add(&req->rq_ctx_chain, &ctx->cc_req_list);
789 spin_unlock(&ctx->cc_lock);
794 /* Clear any flags that may be present from previous sends */
795 LASSERT(req->rq_receiving_reply == 0);
796 spin_lock(&req->rq_lock);
798 req->rq_timedout = 0;
801 spin_unlock(&req->rq_lock);
803 /* by now we know that timeout value is MAX_SCHEDULE_TIMEOUT,
804 * so wait indefinitely with non-fatal signals blocked
806 if (l_wait_event_abortable(req->rq_reply_waitq,
807 ctx_check_refresh(ctx)) == -ERESTARTSYS) {
809 ctx_refresh_interrupt(req);
813 * following cases could lead us here:
814 * - successfully refreshed;
816 * - timedout, and we don't want recover from the failure;
817 * - timedout, and waked up upon recovery finished;
818 * - someone else mark this ctx dead by force;
819 * - someone invalidate the req and call ptlrpc_client_wake_req(),
820 * e.g. ptlrpc_abort_inflight();
822 if (!cli_ctx_is_refreshed(ctx)) {
823 /* timed out or interruptted */
824 req_off_ctx_list(req, ctx);
833 /* Bring ptlrpc_sec context up-to-date */
834 int sptlrpc_export_update_ctx(struct obd_export *exp)
836 struct obd_import *imp = exp ? exp->exp_imp_reverse : NULL;
837 struct ptlrpc_sec *sec = NULL;
838 struct ptlrpc_cli_ctx *ctx = NULL;
842 sec = sptlrpc_import_sec_ref(imp);
844 ctx = get_my_ctx(sec);
845 sptlrpc_sec_put(sec);
849 if (ctx->cc_ops->refresh)
850 rc = ctx->cc_ops->refresh(ctx);
851 sptlrpc_cli_ctx_put(ctx, 1);
857 * Initialize flavor settings for \a req, according to \a opcode.
859 * \note this could be called in two situations:
860 * - new request from ptlrpc_pre_req(), with proper @opcode
861 * - old request which changed ctx in the middle, with @opcode == 0
863 void sptlrpc_req_set_flavor(struct ptlrpc_request *req, int opcode)
865 struct ptlrpc_sec *sec;
867 LASSERT(req->rq_import);
868 LASSERT(req->rq_cli_ctx);
869 LASSERT(req->rq_cli_ctx->cc_sec);
870 LASSERT(req->rq_bulk_read == 0 || req->rq_bulk_write == 0);
872 /* special security flags according to opcode */
876 case MGS_CONFIG_READ:
878 req->rq_bulk_read = 1;
882 req->rq_bulk_write = 1;
885 req->rq_ctx_init = 1;
888 req->rq_ctx_fini = 1;
891 /* init/fini rpc won't be resend, so can't be here */
892 LASSERT(req->rq_ctx_init == 0);
893 LASSERT(req->rq_ctx_fini == 0);
895 /* cleanup flags, which should be recalculated */
896 req->rq_pack_udesc = 0;
897 req->rq_pack_bulk = 0;
901 sec = req->rq_cli_ctx->cc_sec;
903 spin_lock(&sec->ps_lock);
904 req->rq_flvr = sec->ps_flvr;
905 spin_unlock(&sec->ps_lock);
908 * force SVC_NULL for context initiation rpc, SVC_INTG for context
911 if (unlikely(req->rq_ctx_init))
912 flvr_set_svc(&req->rq_flvr.sf_rpc, SPTLRPC_SVC_NULL);
913 else if (unlikely(req->rq_ctx_fini))
914 flvr_set_svc(&req->rq_flvr.sf_rpc, SPTLRPC_SVC_INTG);
916 /* user descriptor flag, null security can't do it anyway */
917 if ((sec->ps_flvr.sf_flags & PTLRPC_SEC_FL_UDESC) &&
918 (req->rq_flvr.sf_rpc != SPTLRPC_FLVR_NULL))
919 req->rq_pack_udesc = 1;
921 /* bulk security flag */
922 if ((req->rq_bulk_read || req->rq_bulk_write) &&
923 sptlrpc_flavor_has_bulk(&req->rq_flvr))
924 req->rq_pack_bulk = 1;
927 void sptlrpc_request_out_callback(struct ptlrpc_request *req)
929 if (SPTLRPC_FLVR_SVC(req->rq_flvr.sf_rpc) != SPTLRPC_SVC_PRIV)
932 LASSERT(req->rq_clrbuf);
933 if (req->rq_pool || !req->rq_reqbuf)
936 OBD_FREE(req->rq_reqbuf, req->rq_reqbuf_len);
937 req->rq_reqbuf = NULL;
938 req->rq_reqbuf_len = 0;
942 * Given an import \a imp, check whether current user has a valid context
943 * or not. We may create a new context and try to refresh it, and try
944 * repeatedly try in case of non-fatal errors. Return 0 means success.
946 int sptlrpc_import_check_ctx(struct obd_import *imp)
948 struct ptlrpc_sec *sec;
949 struct ptlrpc_cli_ctx *ctx;
950 struct ptlrpc_request *req = NULL;
957 sec = sptlrpc_import_sec_ref(imp);
958 ctx = get_my_ctx(sec);
959 sptlrpc_sec_put(sec);
964 if (cli_ctx_is_eternal(ctx) ||
965 ctx->cc_ops->validate(ctx) == 0) {
966 sptlrpc_cli_ctx_put(ctx, 1);
970 if (cli_ctx_is_error(ctx)) {
971 sptlrpc_cli_ctx_put(ctx, 1);
975 req = ptlrpc_request_cache_alloc(GFP_NOFS);
979 ptlrpc_cli_req_init(req);
980 atomic_set(&req->rq_refcount, 10000);
982 req->rq_import = imp;
983 req->rq_flvr = sec->ps_flvr;
984 req->rq_cli_ctx = ctx;
986 rc = sptlrpc_req_refresh_ctx(req, MAX_SCHEDULE_TIMEOUT);
987 LASSERT(list_empty(&req->rq_ctx_chain));
988 sptlrpc_cli_ctx_put(req->rq_cli_ctx, 1);
989 ptlrpc_request_cache_free(req);
995 * Used by ptlrpc client, to perform the pre-defined security transformation
996 * upon the request message of \a req. After this function called,
997 * req->rq_reqmsg is still accessible as clear text.
999 int sptlrpc_cli_wrap_request(struct ptlrpc_request *req)
1001 struct ptlrpc_cli_ctx *ctx = req->rq_cli_ctx;
1007 LASSERT(ctx->cc_sec);
1008 LASSERT(req->rq_reqbuf || req->rq_clrbuf);
1011 * we wrap bulk request here because now we can be sure
1012 * the context is uptodate.
1015 rc = sptlrpc_cli_wrap_bulk(req, req->rq_bulk);
1020 switch (SPTLRPC_FLVR_SVC(req->rq_flvr.sf_rpc)) {
1021 case SPTLRPC_SVC_NULL:
1022 case SPTLRPC_SVC_AUTH:
1023 case SPTLRPC_SVC_INTG:
1024 LASSERT(ctx->cc_ops->sign);
1025 rc = ctx->cc_ops->sign(ctx, req);
1027 case SPTLRPC_SVC_PRIV:
1028 LASSERT(ctx->cc_ops->seal);
1029 rc = ctx->cc_ops->seal(ctx, req);
1036 LASSERT(req->rq_reqdata_len);
1037 LASSERT(req->rq_reqdata_len % 8 == 0);
1038 LASSERT(req->rq_reqdata_len <= req->rq_reqbuf_len);
1044 static int do_cli_unwrap_reply(struct ptlrpc_request *req)
1046 struct ptlrpc_cli_ctx *ctx = req->rq_cli_ctx;
1052 LASSERT(ctx->cc_sec);
1053 LASSERT(req->rq_repbuf);
1054 LASSERT(req->rq_repdata);
1055 LASSERT(req->rq_repmsg == NULL);
1057 req->rq_rep_swab_mask = 0;
1059 rc = __lustre_unpack_msg(req->rq_repdata, req->rq_repdata_len);
1062 lustre_set_rep_swabbed(req, MSG_PTLRPC_HEADER_OFF);
1066 CERROR("failed unpack reply: x%llu\n", req->rq_xid);
1070 if (req->rq_repdata_len < sizeof(struct lustre_msg)) {
1071 CERROR("replied data length %d too small\n",
1072 req->rq_repdata_len);
1076 if (SPTLRPC_FLVR_POLICY(req->rq_repdata->lm_secflvr) !=
1077 SPTLRPC_FLVR_POLICY(req->rq_flvr.sf_rpc)) {
1078 CERROR("reply policy %u doesn't match request policy %u\n",
1079 SPTLRPC_FLVR_POLICY(req->rq_repdata->lm_secflvr),
1080 SPTLRPC_FLVR_POLICY(req->rq_flvr.sf_rpc));
1084 switch (SPTLRPC_FLVR_SVC(req->rq_flvr.sf_rpc)) {
1085 case SPTLRPC_SVC_NULL:
1086 case SPTLRPC_SVC_AUTH:
1087 case SPTLRPC_SVC_INTG:
1088 LASSERT(ctx->cc_ops->verify);
1089 rc = ctx->cc_ops->verify(ctx, req);
1091 case SPTLRPC_SVC_PRIV:
1092 LASSERT(ctx->cc_ops->unseal);
1093 rc = ctx->cc_ops->unseal(ctx, req);
1098 LASSERT(rc || req->rq_repmsg || req->rq_resend);
1100 if (SPTLRPC_FLVR_POLICY(req->rq_flvr.sf_rpc) != SPTLRPC_POLICY_NULL &&
1102 req->rq_rep_swab_mask = 0;
1107 * Used by ptlrpc client, to perform security transformation upon the reply
1108 * message of \a req. After return successfully, req->rq_repmsg points to
1109 * the reply message in clear text.
1111 * \pre the reply buffer should have been un-posted from LNet, so nothing is
1114 int sptlrpc_cli_unwrap_reply(struct ptlrpc_request *req)
1116 LASSERT(req->rq_repbuf);
1117 LASSERT(req->rq_repdata == NULL);
1118 LASSERT(req->rq_repmsg == NULL);
1119 LASSERT(req->rq_reply_off + req->rq_nob_received <= req->rq_repbuf_len);
1121 if (req->rq_reply_off == 0 &&
1122 (lustre_msghdr_get_flags(req->rq_reqmsg) & MSGHDR_AT_SUPPORT)) {
1123 CERROR("real reply with offset 0\n");
1127 if (req->rq_reply_off % 8 != 0) {
1128 CERROR("reply at odd offset %u\n", req->rq_reply_off);
1132 req->rq_repdata = (struct lustre_msg *)
1133 (req->rq_repbuf + req->rq_reply_off);
1134 req->rq_repdata_len = req->rq_nob_received;
1136 return do_cli_unwrap_reply(req);
1140 * Used by ptlrpc client, to perform security transformation upon the early
1141 * reply message of \a req. We expect the rq_reply_off is 0, and
1142 * rq_nob_received is the early reply size.
1144 * Because the receive buffer might be still posted, the reply data might be
1145 * changed at any time, no matter we're holding rq_lock or not. For this reason
1146 * we allocate a separate ptlrpc_request and reply buffer for early reply
1149 * \retval 0 success, \a req_ret is filled with a duplicated ptlrpc_request.
1150 * Later the caller must call sptlrpc_cli_finish_early_reply() on the returned
1151 * \a *req_ret to release it.
1152 * \retval -ev error number, and \a req_ret will not be set.
1154 int sptlrpc_cli_unwrap_early_reply(struct ptlrpc_request *req,
1155 struct ptlrpc_request **req_ret)
1157 struct ptlrpc_request *early_req;
1159 int early_bufsz, early_size;
1164 early_req = ptlrpc_request_cache_alloc(GFP_NOFS);
1165 if (early_req == NULL)
1168 ptlrpc_cli_req_init(early_req);
1170 early_size = req->rq_nob_received;
1171 early_bufsz = size_roundup_power2(early_size);
1172 OBD_ALLOC_LARGE(early_buf, early_bufsz);
1173 if (early_buf == NULL)
1174 GOTO(err_req, rc = -ENOMEM);
1176 /* sanity checkings and copy data out, do it inside spinlock */
1177 spin_lock(&req->rq_lock);
1179 if (req->rq_replied) {
1180 spin_unlock(&req->rq_lock);
1181 GOTO(err_buf, rc = -EALREADY);
1184 LASSERT(req->rq_repbuf);
1185 LASSERT(req->rq_repdata == NULL);
1186 LASSERT(req->rq_repmsg == NULL);
1188 if (req->rq_reply_off != 0) {
1189 CERROR("early reply with offset %u\n", req->rq_reply_off);
1190 spin_unlock(&req->rq_lock);
1191 GOTO(err_buf, rc = -EPROTO);
1194 if (req->rq_nob_received != early_size) {
1195 /* even another early arrived the size should be the same */
1196 CERROR("data size has changed from %u to %u\n",
1197 early_size, req->rq_nob_received);
1198 spin_unlock(&req->rq_lock);
1199 GOTO(err_buf, rc = -EINVAL);
1202 if (req->rq_nob_received < sizeof(struct lustre_msg)) {
1203 CERROR("early reply length %d too small\n",
1204 req->rq_nob_received);
1205 spin_unlock(&req->rq_lock);
1206 GOTO(err_buf, rc = -EALREADY);
1209 memcpy(early_buf, req->rq_repbuf, early_size);
1210 spin_unlock(&req->rq_lock);
1212 early_req->rq_cli_ctx = sptlrpc_cli_ctx_get(req->rq_cli_ctx);
1213 early_req->rq_flvr = req->rq_flvr;
1214 early_req->rq_repbuf = early_buf;
1215 early_req->rq_repbuf_len = early_bufsz;
1216 early_req->rq_repdata = (struct lustre_msg *) early_buf;
1217 early_req->rq_repdata_len = early_size;
1218 early_req->rq_early = 1;
1219 early_req->rq_reqmsg = req->rq_reqmsg;
1221 rc = do_cli_unwrap_reply(early_req);
1223 DEBUG_REQ(D_ADAPTTO, early_req,
1224 "unwrap early reply: rc = %d", rc);
1228 LASSERT(early_req->rq_repmsg);
1229 *req_ret = early_req;
1233 sptlrpc_cli_ctx_put(early_req->rq_cli_ctx, 1);
1235 OBD_FREE_LARGE(early_buf, early_bufsz);
1237 ptlrpc_request_cache_free(early_req);
1242 * Used by ptlrpc client, to release a processed early reply \a early_req.
1244 * \pre \a early_req was obtained from calling sptlrpc_cli_unwrap_early_reply().
1246 void sptlrpc_cli_finish_early_reply(struct ptlrpc_request *early_req)
1248 LASSERT(early_req->rq_repbuf);
1249 LASSERT(early_req->rq_repdata);
1250 LASSERT(early_req->rq_repmsg);
1252 sptlrpc_cli_ctx_put(early_req->rq_cli_ctx, 1);
1253 OBD_FREE_LARGE(early_req->rq_repbuf, early_req->rq_repbuf_len);
1254 ptlrpc_request_cache_free(early_req);
1257 /**************************************************
1259 **************************************************/
1262 * "fixed" sec (e.g. null) use sec_id < 0
1264 static atomic_t sptlrpc_sec_id = ATOMIC_INIT(1);
1266 int sptlrpc_get_next_secid(void)
1268 return atomic_inc_return(&sptlrpc_sec_id);
1270 EXPORT_SYMBOL(sptlrpc_get_next_secid);
1273 * client side high-level security APIs
1276 static int sec_cop_flush_ctx_cache(struct ptlrpc_sec *sec, uid_t uid,
1277 int grace, int force)
1279 struct ptlrpc_sec_policy *policy = sec->ps_policy;
1281 LASSERT(policy->sp_cops);
1282 LASSERT(policy->sp_cops->flush_ctx_cache);
1284 return policy->sp_cops->flush_ctx_cache(sec, uid, grace, force);
1287 static void sec_cop_destroy_sec(struct ptlrpc_sec *sec)
1289 struct ptlrpc_sec_policy *policy = sec->ps_policy;
1291 LASSERT_ATOMIC_ZERO(&sec->ps_refcount);
1292 LASSERT_ATOMIC_ZERO(&sec->ps_nctx);
1293 LASSERT(policy->sp_cops->destroy_sec);
1295 CDEBUG(D_SEC, "%s@%p: being destroied\n", sec->ps_policy->sp_name, sec);
1297 policy->sp_cops->destroy_sec(sec);
1298 sptlrpc_policy_put(policy);
1301 void sptlrpc_sec_destroy(struct ptlrpc_sec *sec)
1303 sec_cop_destroy_sec(sec);
1305 EXPORT_SYMBOL(sptlrpc_sec_destroy);
1307 static void sptlrpc_sec_kill(struct ptlrpc_sec *sec)
1309 LASSERT_ATOMIC_POS(&sec->ps_refcount);
1311 if (sec->ps_policy->sp_cops->kill_sec) {
1312 sec->ps_policy->sp_cops->kill_sec(sec);
1314 sec_cop_flush_ctx_cache(sec, -1, 1, 1);
1318 struct ptlrpc_sec *sptlrpc_sec_get(struct ptlrpc_sec *sec)
1321 atomic_inc(&sec->ps_refcount);
1325 EXPORT_SYMBOL(sptlrpc_sec_get);
1327 void sptlrpc_sec_put(struct ptlrpc_sec *sec)
1330 LASSERT_ATOMIC_POS(&sec->ps_refcount);
1332 if (atomic_dec_and_test(&sec->ps_refcount)) {
1333 sptlrpc_gc_del_sec(sec);
1334 sec_cop_destroy_sec(sec);
1338 EXPORT_SYMBOL(sptlrpc_sec_put);
1341 * policy module is responsible for taking refrence of import
1344 struct ptlrpc_sec * sptlrpc_sec_create(struct obd_import *imp,
1345 struct ptlrpc_svc_ctx *svc_ctx,
1346 struct sptlrpc_flavor *sf,
1347 enum lustre_sec_part sp)
1349 struct ptlrpc_sec_policy *policy;
1350 struct ptlrpc_sec *sec;
1356 LASSERT(imp->imp_dlm_fake == 1);
1358 CDEBUG(D_SEC, "%s %s: reverse sec using flavor %s\n",
1359 imp->imp_obd->obd_type->typ_name,
1360 imp->imp_obd->obd_name,
1361 sptlrpc_flavor2name(sf, str, sizeof(str)));
1363 policy = sptlrpc_policy_get(svc_ctx->sc_policy);
1364 sf->sf_flags |= PTLRPC_SEC_FL_REVERSE | PTLRPC_SEC_FL_ROOTONLY;
1366 LASSERT(imp->imp_dlm_fake == 0);
1368 CDEBUG(D_SEC, "%s %s: select security flavor %s\n",
1369 imp->imp_obd->obd_type->typ_name,
1370 imp->imp_obd->obd_name,
1371 sptlrpc_flavor2name(sf, str, sizeof(str)));
1373 policy = sptlrpc_wireflavor2policy(sf->sf_rpc);
1375 CERROR("invalid flavor 0x%x\n", sf->sf_rpc);
1380 sec = policy->sp_cops->create_sec(imp, svc_ctx, sf);
1382 atomic_inc(&sec->ps_refcount);
1386 if (sec->ps_gc_interval && policy->sp_cops->gc_ctx)
1387 sptlrpc_gc_add_sec(sec);
1389 sptlrpc_policy_put(policy);
1395 struct ptlrpc_sec *sptlrpc_import_sec_ref(struct obd_import *imp)
1397 struct ptlrpc_sec *sec;
1399 read_lock(&imp->imp_sec_lock);
1400 sec = sptlrpc_sec_get(imp->imp_sec);
1401 read_unlock(&imp->imp_sec_lock);
1405 EXPORT_SYMBOL(sptlrpc_import_sec_ref);
1407 static void sptlrpc_import_sec_install(struct obd_import *imp,
1408 struct ptlrpc_sec *sec)
1410 struct ptlrpc_sec *old_sec;
1412 LASSERT_ATOMIC_POS(&sec->ps_refcount);
1414 write_lock(&imp->imp_sec_lock);
1415 old_sec = imp->imp_sec;
1417 write_unlock(&imp->imp_sec_lock);
1420 sptlrpc_sec_kill(old_sec);
1422 /* balance the ref taken by this import */
1423 sptlrpc_sec_put(old_sec);
1428 int flavor_equal(struct sptlrpc_flavor *sf1, struct sptlrpc_flavor *sf2)
1430 return (memcmp(sf1, sf2, sizeof(*sf1)) == 0);
1434 void flavor_copy(struct sptlrpc_flavor *dst, struct sptlrpc_flavor *src)
1440 * To get an appropriate ptlrpc_sec for the \a imp, according to the current
1441 * configuration. Upon called, imp->imp_sec may or may not be NULL.
1443 * - regular import: \a svc_ctx should be NULL and \a flvr is ignored;
1444 * - reverse import: \a svc_ctx and \a flvr are obtained from incoming request.
1446 int sptlrpc_import_sec_adapt(struct obd_import *imp,
1447 struct ptlrpc_svc_ctx *svc_ctx,
1448 struct sptlrpc_flavor *flvr)
1450 struct ptlrpc_connection *conn;
1451 struct sptlrpc_flavor sf;
1452 struct ptlrpc_sec *sec, *newsec;
1453 enum lustre_sec_part sp;
1464 conn = imp->imp_connection;
1466 if (svc_ctx == NULL) {
1467 struct client_obd *cliobd = &imp->imp_obd->u.cli;
1469 * normal import, determine flavor from rule set, except
1470 * for mgc the flavor is predetermined.
1472 if (cliobd->cl_sp_me == LUSTRE_SP_MGC)
1473 sf = cliobd->cl_flvr_mgc;
1475 sptlrpc_conf_choose_flavor(cliobd->cl_sp_me,
1477 &cliobd->cl_target_uuid,
1480 sp = imp->imp_obd->u.cli.cl_sp_me;
1482 /* reverse import, determine flavor from incoming reqeust */
1485 if (sf.sf_rpc != SPTLRPC_FLVR_NULL)
1486 sf.sf_flags = PTLRPC_SEC_FL_REVERSE |
1487 PTLRPC_SEC_FL_ROOTONLY;
1489 sp = sptlrpc_target_sec_part(imp->imp_obd);
1492 sec = sptlrpc_import_sec_ref(imp);
1496 if (flavor_equal(&sf, &sec->ps_flvr))
1499 CDEBUG(D_SEC, "import %s->%s: changing flavor %s -> %s\n",
1500 imp->imp_obd->obd_name,
1501 obd_uuid2str(&conn->c_remote_uuid),
1502 sptlrpc_flavor2name(&sec->ps_flvr, str, sizeof(str)),
1503 sptlrpc_flavor2name(&sf, str2, sizeof(str2)));
1504 } else if (SPTLRPC_FLVR_BASE(sf.sf_rpc) !=
1505 SPTLRPC_FLVR_BASE(SPTLRPC_FLVR_NULL)) {
1506 CDEBUG(D_SEC, "import %s->%s netid %x: select flavor %s\n",
1507 imp->imp_obd->obd_name,
1508 obd_uuid2str(&conn->c_remote_uuid),
1509 LNET_NIDNET(conn->c_self),
1510 sptlrpc_flavor2name(&sf, str, sizeof(str)));
1513 newsec = sptlrpc_sec_create(imp, svc_ctx, &sf, sp);
1515 sptlrpc_import_sec_install(imp, newsec);
1517 CERROR("import %s->%s: failed to create new sec\n",
1518 imp->imp_obd->obd_name,
1519 obd_uuid2str(&conn->c_remote_uuid));
1524 sptlrpc_sec_put(sec);
1528 void sptlrpc_import_sec_put(struct obd_import *imp)
1531 sptlrpc_sec_kill(imp->imp_sec);
1533 sptlrpc_sec_put(imp->imp_sec);
1534 imp->imp_sec = NULL;
1538 static void import_flush_ctx_common(struct obd_import *imp,
1539 uid_t uid, int grace, int force)
1541 struct ptlrpc_sec *sec;
1546 sec = sptlrpc_import_sec_ref(imp);
1550 sec_cop_flush_ctx_cache(sec, uid, grace, force);
1551 sptlrpc_sec_put(sec);
1554 void sptlrpc_import_flush_root_ctx(struct obd_import *imp)
1557 * it's important to use grace mode, see explain in
1558 * sptlrpc_req_refresh_ctx()
1560 import_flush_ctx_common(imp, 0, 1, 1);
1563 void sptlrpc_import_flush_my_ctx(struct obd_import *imp)
1565 import_flush_ctx_common(imp, from_kuid(&init_user_ns, current_uid()),
1568 EXPORT_SYMBOL(sptlrpc_import_flush_my_ctx);
1570 void sptlrpc_import_flush_all_ctx(struct obd_import *imp)
1572 import_flush_ctx_common(imp, -1, 1, 1);
1574 EXPORT_SYMBOL(sptlrpc_import_flush_all_ctx);
1577 * Used by ptlrpc client to allocate request buffer of \a req. Upon return
1578 * successfully, req->rq_reqmsg points to a buffer with size \a msgsize.
1580 int sptlrpc_cli_alloc_reqbuf(struct ptlrpc_request *req, int msgsize)
1582 struct ptlrpc_cli_ctx *ctx = req->rq_cli_ctx;
1583 struct ptlrpc_sec_policy *policy;
1587 LASSERT(ctx->cc_sec);
1588 LASSERT(ctx->cc_sec->ps_policy);
1589 LASSERT(req->rq_reqmsg == NULL);
1590 LASSERT_ATOMIC_POS(&ctx->cc_refcount);
1592 policy = ctx->cc_sec->ps_policy;
1593 rc = policy->sp_cops->alloc_reqbuf(ctx->cc_sec, req, msgsize);
1595 LASSERT(req->rq_reqmsg);
1596 LASSERT(req->rq_reqbuf || req->rq_clrbuf);
1598 /* zeroing preallocated buffer */
1600 memset(req->rq_reqmsg, 0, msgsize);
1607 * Used by ptlrpc client to free request buffer of \a req. After this
1608 * req->rq_reqmsg is set to NULL and should not be accessed anymore.
1610 void sptlrpc_cli_free_reqbuf(struct ptlrpc_request *req)
1612 struct ptlrpc_cli_ctx *ctx = req->rq_cli_ctx;
1613 struct ptlrpc_sec_policy *policy;
1616 LASSERT(ctx->cc_sec);
1617 LASSERT(ctx->cc_sec->ps_policy);
1618 LASSERT_ATOMIC_POS(&ctx->cc_refcount);
1620 if (req->rq_reqbuf == NULL && req->rq_clrbuf == NULL)
1623 policy = ctx->cc_sec->ps_policy;
1624 policy->sp_cops->free_reqbuf(ctx->cc_sec, req);
1625 req->rq_reqmsg = NULL;
1629 * NOTE caller must guarantee the buffer size is enough for the enlargement
1631 void _sptlrpc_enlarge_msg_inplace(struct lustre_msg *msg,
1632 int segment, int newsize)
1635 int oldsize, oldmsg_size, movesize;
1637 LASSERT(segment < msg->lm_bufcount);
1638 LASSERT(msg->lm_buflens[segment] <= newsize);
1640 if (msg->lm_buflens[segment] == newsize)
1643 /* nothing to do if we are enlarging the last segment */
1644 if (segment == msg->lm_bufcount - 1) {
1645 msg->lm_buflens[segment] = newsize;
1649 oldsize = msg->lm_buflens[segment];
1651 src = lustre_msg_buf(msg, segment + 1, 0);
1652 msg->lm_buflens[segment] = newsize;
1653 dst = lustre_msg_buf(msg, segment + 1, 0);
1654 msg->lm_buflens[segment] = oldsize;
1656 /* move from segment + 1 to end segment */
1657 LASSERT(msg->lm_magic == LUSTRE_MSG_MAGIC_V2);
1658 oldmsg_size = lustre_msg_size_v2(msg->lm_bufcount, msg->lm_buflens);
1659 movesize = oldmsg_size - ((unsigned long) src - (unsigned long) msg);
1660 LASSERT(movesize >= 0);
1663 memmove(dst, src, movesize);
1665 /* note we don't clear the ares where old data live, not secret */
1667 /* finally set new segment size */
1668 msg->lm_buflens[segment] = newsize;
1670 EXPORT_SYMBOL(_sptlrpc_enlarge_msg_inplace);
1673 * Used by ptlrpc client to enlarge the \a segment of request message pointed
1674 * by req->rq_reqmsg to size \a newsize, all previously filled-in data will be
1675 * preserved after the enlargement. this must be called after original request
1676 * buffer being allocated.
1678 * \note after this be called, rq_reqmsg and rq_reqlen might have been changed,
1679 * so caller should refresh its local pointers if needed.
1681 int sptlrpc_cli_enlarge_reqbuf(struct ptlrpc_request *req,
1682 const struct req_msg_field *field,
1685 struct req_capsule *pill = &req->rq_pill;
1686 struct ptlrpc_cli_ctx *ctx = req->rq_cli_ctx;
1687 struct ptlrpc_sec_cops *cops;
1688 struct lustre_msg *msg = req->rq_reqmsg;
1689 int segment = __req_capsule_offset(pill, field, RCL_CLIENT);
1693 LASSERT(msg->lm_bufcount > segment);
1694 LASSERT(msg->lm_buflens[segment] <= newsize);
1696 if (msg->lm_buflens[segment] == newsize)
1699 cops = ctx->cc_sec->ps_policy->sp_cops;
1700 LASSERT(cops->enlarge_reqbuf);
1701 return cops->enlarge_reqbuf(ctx->cc_sec, req, segment, newsize);
1703 EXPORT_SYMBOL(sptlrpc_cli_enlarge_reqbuf);
1706 * Used by ptlrpc client to allocate reply buffer of \a req.
1708 * \note After this, req->rq_repmsg is still not accessible.
1710 int sptlrpc_cli_alloc_repbuf(struct ptlrpc_request *req, int msgsize)
1712 struct ptlrpc_cli_ctx *ctx = req->rq_cli_ctx;
1713 struct ptlrpc_sec_policy *policy;
1718 LASSERT(ctx->cc_sec);
1719 LASSERT(ctx->cc_sec->ps_policy);
1724 policy = ctx->cc_sec->ps_policy;
1725 RETURN(policy->sp_cops->alloc_repbuf(ctx->cc_sec, req, msgsize));
1729 * Used by ptlrpc client to free reply buffer of \a req. After this
1730 * req->rq_repmsg is set to NULL and should not be accessed anymore.
1732 void sptlrpc_cli_free_repbuf(struct ptlrpc_request *req)
1734 struct ptlrpc_cli_ctx *ctx = req->rq_cli_ctx;
1735 struct ptlrpc_sec_policy *policy;
1740 LASSERT(ctx->cc_sec);
1741 LASSERT(ctx->cc_sec->ps_policy);
1742 LASSERT_ATOMIC_POS(&ctx->cc_refcount);
1744 if (req->rq_repbuf == NULL)
1746 LASSERT(req->rq_repbuf_len);
1748 policy = ctx->cc_sec->ps_policy;
1749 policy->sp_cops->free_repbuf(ctx->cc_sec, req);
1750 req->rq_repmsg = NULL;
1753 EXPORT_SYMBOL(sptlrpc_cli_free_repbuf);
1755 int sptlrpc_cli_install_rvs_ctx(struct obd_import *imp,
1756 struct ptlrpc_cli_ctx *ctx)
1758 struct ptlrpc_sec_policy *policy = ctx->cc_sec->ps_policy;
1760 if (!policy->sp_cops->install_rctx)
1762 return policy->sp_cops->install_rctx(imp, ctx->cc_sec, ctx);
1765 int sptlrpc_svc_install_rvs_ctx(struct obd_import *imp,
1766 struct ptlrpc_svc_ctx *ctx)
1768 struct ptlrpc_sec_policy *policy = ctx->sc_policy;
1770 if (!policy->sp_sops->install_rctx)
1772 return policy->sp_sops->install_rctx(imp, ctx);
1775 /* Get SELinux policy info from userspace */
1776 static int sepol_helper(struct obd_import *imp)
1778 char mtime_str[21] = { 0 }, mode_str[2] = { 0 };
1780 [0] = "/usr/sbin/l_getsepol",
1782 [2] = NULL, /* obd type */
1784 [4] = NULL, /* obd name */
1786 [6] = mtime_str, /* policy mtime */
1788 [8] = mode_str, /* enforcing mode */
1793 [1] = "PATH=/sbin:/usr/sbin",
1799 if (imp == NULL || imp->imp_obd == NULL ||
1800 imp->imp_obd->obd_type == NULL) {
1803 argv[2] = (char *)imp->imp_obd->obd_type->typ_name;
1804 argv[4] = imp->imp_obd->obd_name;
1805 spin_lock(&imp->imp_sec->ps_lock);
1806 if (ktime_to_ns(imp->imp_sec->ps_sepol_mtime) == 0 &&
1807 imp->imp_sec->ps_sepol[0] == '\0') {
1808 /* ps_sepol has not been initialized */
1814 mtime_ms = ktime_to_ms(imp->imp_sec->ps_sepol_mtime);
1815 snprintf(mtime_str, sizeof(mtime_str), "%lld",
1816 mtime_ms / MSEC_PER_SEC);
1817 mode_str[0] = imp->imp_sec->ps_sepol[0];
1819 spin_unlock(&imp->imp_sec->ps_lock);
1820 ret = call_usermodehelper(argv[0], argv, envp, UMH_WAIT_PROC);
1827 static inline int sptlrpc_sepol_needs_check(struct ptlrpc_sec *imp_sec)
1831 if (send_sepol == 0 || !selinux_is_enabled())
1834 if (send_sepol == -1)
1835 /* send_sepol == -1 means fetch sepol status every time */
1838 spin_lock(&imp_sec->ps_lock);
1839 checknext = imp_sec->ps_sepol_checknext;
1840 spin_unlock(&imp_sec->ps_lock);
1842 /* next check is too far in time, please update */
1843 if (ktime_after(checknext,
1844 ktime_add(ktime_get(), ktime_set(send_sepol, 0))))
1847 if (ktime_before(ktime_get(), checknext))
1848 /* too early to fetch sepol status */
1852 /* define new sepol_checknext time */
1853 spin_lock(&imp_sec->ps_lock);
1854 imp_sec->ps_sepol_checknext = ktime_add(ktime_get(),
1855 ktime_set(send_sepol, 0));
1856 spin_unlock(&imp_sec->ps_lock);
1861 int sptlrpc_get_sepol(struct ptlrpc_request *req)
1863 struct ptlrpc_sec *imp_sec = req->rq_import->imp_sec;
1868 (req->rq_sepol)[0] = '\0';
1870 #ifndef HAVE_SELINUX
1871 if (unlikely(send_sepol != 0))
1873 "Client cannot report SELinux status, it was not built against libselinux.\n");
1877 if (send_sepol == 0 || !selinux_is_enabled())
1880 if (imp_sec == NULL)
1883 /* Retrieve SELinux status info */
1884 if (sptlrpc_sepol_needs_check(imp_sec))
1885 rc = sepol_helper(req->rq_import);
1886 if (likely(rc == 0)) {
1887 spin_lock(&imp_sec->ps_lock);
1888 memcpy(req->rq_sepol, imp_sec->ps_sepol,
1889 sizeof(req->rq_sepol));
1890 spin_unlock(&imp_sec->ps_lock);
1895 EXPORT_SYMBOL(sptlrpc_get_sepol);
1898 * server side security
1901 static int flavor_allowed(struct sptlrpc_flavor *exp,
1902 struct ptlrpc_request *req)
1904 struct sptlrpc_flavor *flvr = &req->rq_flvr;
1906 if (exp->sf_rpc == SPTLRPC_FLVR_ANY || exp->sf_rpc == flvr->sf_rpc)
1909 if ((req->rq_ctx_init || req->rq_ctx_fini) &&
1910 SPTLRPC_FLVR_POLICY(exp->sf_rpc) ==
1911 SPTLRPC_FLVR_POLICY(flvr->sf_rpc) &&
1912 SPTLRPC_FLVR_MECH(exp->sf_rpc) == SPTLRPC_FLVR_MECH(flvr->sf_rpc))
1918 #define EXP_FLVR_UPDATE_EXPIRE (OBD_TIMEOUT_DEFAULT + 10)
1921 * Given an export \a exp, check whether the flavor of incoming \a req
1922 * is allowed by the export \a exp. Main logic is about taking care of
1923 * changing configurations. Return 0 means success.
1925 int sptlrpc_target_export_check(struct obd_export *exp,
1926 struct ptlrpc_request *req)
1928 struct sptlrpc_flavor flavor;
1934 * client side export has no imp_reverse, skip
1935 * FIXME maybe we should check flavor this as well???
1937 if (exp->exp_imp_reverse == NULL)
1940 /* don't care about ctx fini rpc */
1941 if (req->rq_ctx_fini)
1944 spin_lock(&exp->exp_lock);
1947 * if flavor just changed (exp->exp_flvr_changed != 0), we wait for
1948 * the first req with the new flavor, then treat it as current flavor,
1949 * adapt reverse sec according to it.
1950 * note the first rpc with new flavor might not be with root ctx, in
1951 * which case delay the sec_adapt by leaving exp_flvr_adapt == 1.
1953 if (unlikely(exp->exp_flvr_changed) &&
1954 flavor_allowed(&exp->exp_flvr_old[1], req)) {
1956 * make the new flavor as "current", and old ones as
1959 CDEBUG(D_SEC, "exp %p: just changed: %x->%x\n", exp,
1960 exp->exp_flvr.sf_rpc, exp->exp_flvr_old[1].sf_rpc);
1961 flavor = exp->exp_flvr_old[1];
1962 exp->exp_flvr_old[1] = exp->exp_flvr_old[0];
1963 exp->exp_flvr_expire[1] = exp->exp_flvr_expire[0];
1964 exp->exp_flvr_old[0] = exp->exp_flvr;
1965 exp->exp_flvr_expire[0] = ktime_get_real_seconds() +
1966 EXP_FLVR_UPDATE_EXPIRE;
1967 exp->exp_flvr = flavor;
1969 /* flavor change finished */
1970 exp->exp_flvr_changed = 0;
1971 LASSERT(exp->exp_flvr_adapt == 1);
1973 /* if it's gss, we only interested in root ctx init */
1974 if (req->rq_auth_gss &&
1975 !(req->rq_ctx_init &&
1976 (req->rq_auth_usr_root || req->rq_auth_usr_mdt ||
1977 req->rq_auth_usr_ost))) {
1978 spin_unlock(&exp->exp_lock);
1979 CDEBUG(D_SEC, "is good but not root(%d:%d:%d:%d:%d)\n",
1980 req->rq_auth_gss, req->rq_ctx_init,
1981 req->rq_auth_usr_root, req->rq_auth_usr_mdt,
1982 req->rq_auth_usr_ost);
1986 exp->exp_flvr_adapt = 0;
1987 spin_unlock(&exp->exp_lock);
1989 return sptlrpc_import_sec_adapt(exp->exp_imp_reverse,
1990 req->rq_svc_ctx, &flavor);
1994 * if it equals to the current flavor, we accept it, but need to
1995 * dealing with reverse sec/ctx
1997 if (likely(flavor_allowed(&exp->exp_flvr, req))) {
1999 * most cases should return here, we only interested in
2002 if (!req->rq_auth_gss || !req->rq_ctx_init ||
2003 (!req->rq_auth_usr_root && !req->rq_auth_usr_mdt &&
2004 !req->rq_auth_usr_ost)) {
2005 spin_unlock(&exp->exp_lock);
2010 * if flavor just changed, we should not proceed, just leave
2011 * it and current flavor will be discovered and replaced
2012 * shortly, and let _this_ rpc pass through
2014 if (exp->exp_flvr_changed) {
2015 LASSERT(exp->exp_flvr_adapt);
2016 spin_unlock(&exp->exp_lock);
2020 if (exp->exp_flvr_adapt) {
2021 exp->exp_flvr_adapt = 0;
2022 CDEBUG(D_SEC, "exp %p (%x|%x|%x): do delayed adapt\n",
2023 exp, exp->exp_flvr.sf_rpc,
2024 exp->exp_flvr_old[0].sf_rpc,
2025 exp->exp_flvr_old[1].sf_rpc);
2026 flavor = exp->exp_flvr;
2027 spin_unlock(&exp->exp_lock);
2029 return sptlrpc_import_sec_adapt(exp->exp_imp_reverse,
2034 "exp %p (%x|%x|%x): is current flavor, install rvs ctx\n",
2035 exp, exp->exp_flvr.sf_rpc,
2036 exp->exp_flvr_old[0].sf_rpc,
2037 exp->exp_flvr_old[1].sf_rpc);
2038 spin_unlock(&exp->exp_lock);
2040 return sptlrpc_svc_install_rvs_ctx(exp->exp_imp_reverse,
2045 if (exp->exp_flvr_expire[0]) {
2046 if (exp->exp_flvr_expire[0] >= ktime_get_real_seconds()) {
2047 if (flavor_allowed(&exp->exp_flvr_old[0], req)) {
2049 "exp %p (%x|%x|%x): match the middle one (%lld)\n",
2050 exp, exp->exp_flvr.sf_rpc,
2051 exp->exp_flvr_old[0].sf_rpc,
2052 exp->exp_flvr_old[1].sf_rpc,
2053 (s64)(exp->exp_flvr_expire[0] -
2054 ktime_get_real_seconds()));
2055 spin_unlock(&exp->exp_lock);
2059 CDEBUG(D_SEC, "mark middle expired\n");
2060 exp->exp_flvr_expire[0] = 0;
2062 CDEBUG(D_SEC, "exp %p (%x|%x|%x): %x not match middle\n", exp,
2063 exp->exp_flvr.sf_rpc,
2064 exp->exp_flvr_old[0].sf_rpc, exp->exp_flvr_old[1].sf_rpc,
2065 req->rq_flvr.sf_rpc);
2069 * now it doesn't match the current flavor, the only chance we can
2070 * accept it is match the old flavors which is not expired.
2072 if (exp->exp_flvr_changed == 0 && exp->exp_flvr_expire[1]) {
2073 if (exp->exp_flvr_expire[1] >= ktime_get_real_seconds()) {
2074 if (flavor_allowed(&exp->exp_flvr_old[1], req)) {
2075 CDEBUG(D_SEC, "exp %p (%x|%x|%x): match the oldest one (%lld)\n",
2077 exp->exp_flvr.sf_rpc,
2078 exp->exp_flvr_old[0].sf_rpc,
2079 exp->exp_flvr_old[1].sf_rpc,
2080 (s64)(exp->exp_flvr_expire[1] -
2081 ktime_get_real_seconds()));
2082 spin_unlock(&exp->exp_lock);
2086 CDEBUG(D_SEC, "mark oldest expired\n");
2087 exp->exp_flvr_expire[1] = 0;
2089 CDEBUG(D_SEC, "exp %p (%x|%x|%x): %x not match found\n",
2090 exp, exp->exp_flvr.sf_rpc,
2091 exp->exp_flvr_old[0].sf_rpc, exp->exp_flvr_old[1].sf_rpc,
2092 req->rq_flvr.sf_rpc);
2094 CDEBUG(D_SEC, "exp %p (%x|%x|%x): skip the last one\n",
2095 exp, exp->exp_flvr.sf_rpc, exp->exp_flvr_old[0].sf_rpc,
2096 exp->exp_flvr_old[1].sf_rpc);
2099 spin_unlock(&exp->exp_lock);
2101 CWARN("exp %p(%s): req %p (%u|%u|%u|%u|%u|%u) with unauthorized flavor %x, expect %x|%x(%+lld)|%x(%+lld)\n",
2102 exp, exp->exp_obd->obd_name,
2103 req, req->rq_auth_gss, req->rq_ctx_init, req->rq_ctx_fini,
2104 req->rq_auth_usr_root, req->rq_auth_usr_mdt, req->rq_auth_usr_ost,
2105 req->rq_flvr.sf_rpc,
2106 exp->exp_flvr.sf_rpc,
2107 exp->exp_flvr_old[0].sf_rpc,
2108 exp->exp_flvr_expire[0] ?
2109 (s64)(exp->exp_flvr_expire[0] - ktime_get_real_seconds()) : 0,
2110 exp->exp_flvr_old[1].sf_rpc,
2111 exp->exp_flvr_expire[1] ?
2112 (s64)(exp->exp_flvr_expire[1] - ktime_get_real_seconds()) : 0);
2115 EXPORT_SYMBOL(sptlrpc_target_export_check);
2117 void sptlrpc_target_update_exp_flavor(struct obd_device *obd,
2118 struct sptlrpc_rule_set *rset)
2120 struct obd_export *exp;
2121 struct sptlrpc_flavor new_flvr;
2125 spin_lock(&obd->obd_dev_lock);
2127 list_for_each_entry(exp, &obd->obd_exports, exp_obd_chain) {
2128 if (exp->exp_connection == NULL)
2132 * note if this export had just been updated flavor
2133 * (exp_flvr_changed == 1), this will override the
2136 spin_lock(&exp->exp_lock);
2137 sptlrpc_target_choose_flavor(rset, exp->exp_sp_peer,
2138 exp->exp_connection->c_peer.nid,
2140 if (exp->exp_flvr_changed ||
2141 !flavor_equal(&new_flvr, &exp->exp_flvr)) {
2142 exp->exp_flvr_old[1] = new_flvr;
2143 exp->exp_flvr_expire[1] = 0;
2144 exp->exp_flvr_changed = 1;
2145 exp->exp_flvr_adapt = 1;
2147 CDEBUG(D_SEC, "exp %p (%s): updated flavor %x->%x\n",
2148 exp, sptlrpc_part2name(exp->exp_sp_peer),
2149 exp->exp_flvr.sf_rpc,
2150 exp->exp_flvr_old[1].sf_rpc);
2152 spin_unlock(&exp->exp_lock);
2155 spin_unlock(&obd->obd_dev_lock);
2157 EXPORT_SYMBOL(sptlrpc_target_update_exp_flavor);
2159 static int sptlrpc_svc_check_from(struct ptlrpc_request *req, int svc_rc)
2161 /* peer's claim is unreliable unless gss is being used */
2162 if (!req->rq_auth_gss || svc_rc == SECSVC_DROP)
2165 switch (req->rq_sp_from) {
2167 if (req->rq_auth_usr_mdt || req->rq_auth_usr_ost) {
2168 /* The below message is checked in sanity-sec test_33 */
2169 DEBUG_REQ(D_ERROR, req, "faked source CLI");
2170 svc_rc = SECSVC_DROP;
2174 if (!req->rq_auth_usr_mdt) {
2175 /* The below message is checked in sanity-sec test_33 */
2176 DEBUG_REQ(D_ERROR, req, "faked source MDT");
2177 svc_rc = SECSVC_DROP;
2181 if (!req->rq_auth_usr_ost) {
2182 /* The below message is checked in sanity-sec test_33 */
2183 DEBUG_REQ(D_ERROR, req, "faked source OST");
2184 svc_rc = SECSVC_DROP;
2189 if (!req->rq_auth_usr_root && !req->rq_auth_usr_mdt &&
2190 !req->rq_auth_usr_ost) {
2191 /* The below message is checked in sanity-sec test_33 */
2192 DEBUG_REQ(D_ERROR, req, "faked source MGC/MGS");
2193 svc_rc = SECSVC_DROP;
2198 DEBUG_REQ(D_ERROR, req, "invalid source %u", req->rq_sp_from);
2199 svc_rc = SECSVC_DROP;
2206 * Used by ptlrpc server, to perform transformation upon request message of
2207 * incoming \a req. This must be the first thing to do with an incoming
2208 * request in ptlrpc layer.
2210 * \retval SECSVC_OK success, and req->rq_reqmsg point to request message in
2211 * clear text, size is req->rq_reqlen; also req->rq_svc_ctx is set.
2212 * \retval SECSVC_COMPLETE success, the request has been fully processed, and
2213 * reply message has been prepared.
2214 * \retval SECSVC_DROP failed, this request should be dropped.
2216 int sptlrpc_svc_unwrap_request(struct ptlrpc_request *req)
2218 struct ptlrpc_sec_policy *policy;
2219 struct lustre_msg *msg = req->rq_reqbuf;
2225 LASSERT(req->rq_reqmsg == NULL);
2226 LASSERT(req->rq_repmsg == NULL);
2227 LASSERT(req->rq_svc_ctx == NULL);
2229 req->rq_req_swab_mask = 0;
2231 rc = __lustre_unpack_msg(msg, req->rq_reqdata_len);
2234 lustre_set_req_swabbed(req, MSG_PTLRPC_HEADER_OFF);
2238 CERROR("error unpacking request from %s x%llu\n",
2239 libcfs_id2str(req->rq_peer), req->rq_xid);
2240 RETURN(SECSVC_DROP);
2243 req->rq_flvr.sf_rpc = WIRE_FLVR(msg->lm_secflvr);
2244 req->rq_sp_from = LUSTRE_SP_ANY;
2245 req->rq_auth_uid = -1; /* set to INVALID_UID */
2246 req->rq_auth_mapped_uid = -1;
2248 policy = sptlrpc_wireflavor2policy(req->rq_flvr.sf_rpc);
2250 CERROR("unsupported rpc flavor %x\n", req->rq_flvr.sf_rpc);
2251 RETURN(SECSVC_DROP);
2254 LASSERT(policy->sp_sops->accept);
2255 rc = policy->sp_sops->accept(req);
2256 sptlrpc_policy_put(policy);
2257 LASSERT(req->rq_reqmsg || rc != SECSVC_OK);
2258 LASSERT(req->rq_svc_ctx || rc == SECSVC_DROP);
2261 * if it's not null flavor (which means embedded packing msg),
2262 * reset the swab mask for the comming inner msg unpacking.
2264 if (SPTLRPC_FLVR_POLICY(req->rq_flvr.sf_rpc) != SPTLRPC_POLICY_NULL)
2265 req->rq_req_swab_mask = 0;
2267 /* sanity check for the request source */
2268 rc = sptlrpc_svc_check_from(req, rc);
2273 * Used by ptlrpc server, to allocate reply buffer for \a req. If succeed,
2274 * req->rq_reply_state is set, and req->rq_reply_state->rs_msg point to
2275 * a buffer of \a msglen size.
2277 int sptlrpc_svc_alloc_rs(struct ptlrpc_request *req, int msglen)
2279 struct ptlrpc_sec_policy *policy;
2280 struct ptlrpc_reply_state *rs;
2285 LASSERT(req->rq_svc_ctx);
2286 LASSERT(req->rq_svc_ctx->sc_policy);
2288 policy = req->rq_svc_ctx->sc_policy;
2289 LASSERT(policy->sp_sops->alloc_rs);
2291 rc = policy->sp_sops->alloc_rs(req, msglen);
2292 if (unlikely(rc == -ENOMEM)) {
2293 struct ptlrpc_service_part *svcpt = req->rq_rqbd->rqbd_svcpt;
2295 if (svcpt->scp_service->srv_max_reply_size <
2296 msglen + sizeof(struct ptlrpc_reply_state)) {
2297 /* Just return failure if the size is too big */
2298 CERROR("size of message is too big (%zd), %d allowed\n",
2299 msglen + sizeof(struct ptlrpc_reply_state),
2300 svcpt->scp_service->srv_max_reply_size);
2304 /* failed alloc, try emergency pool */
2305 rs = lustre_get_emerg_rs(svcpt);
2309 req->rq_reply_state = rs;
2310 rc = policy->sp_sops->alloc_rs(req, msglen);
2312 lustre_put_emerg_rs(rs);
2313 req->rq_reply_state = NULL;
2318 (req->rq_reply_state && req->rq_reply_state->rs_msg));
2324 * Used by ptlrpc server, to perform transformation upon reply message.
2326 * \post req->rq_reply_off is set to approriate server-controlled reply offset.
2327 * \post req->rq_repmsg and req->rq_reply_state->rs_msg becomes inaccessible.
2329 int sptlrpc_svc_wrap_reply(struct ptlrpc_request *req)
2331 struct ptlrpc_sec_policy *policy;
2336 LASSERT(req->rq_svc_ctx);
2337 LASSERT(req->rq_svc_ctx->sc_policy);
2339 policy = req->rq_svc_ctx->sc_policy;
2340 LASSERT(policy->sp_sops->authorize);
2342 rc = policy->sp_sops->authorize(req);
2343 LASSERT(rc || req->rq_reply_state->rs_repdata_len);
2349 * Used by ptlrpc server, to free reply_state.
2351 void sptlrpc_svc_free_rs(struct ptlrpc_reply_state *rs)
2353 struct ptlrpc_sec_policy *policy;
2354 unsigned int prealloc;
2358 LASSERT(rs->rs_svc_ctx);
2359 LASSERT(rs->rs_svc_ctx->sc_policy);
2361 policy = rs->rs_svc_ctx->sc_policy;
2362 LASSERT(policy->sp_sops->free_rs);
2364 prealloc = rs->rs_prealloc;
2365 policy->sp_sops->free_rs(rs);
2368 lustre_put_emerg_rs(rs);
2372 void sptlrpc_svc_ctx_addref(struct ptlrpc_request *req)
2374 struct ptlrpc_svc_ctx *ctx = req->rq_svc_ctx;
2377 atomic_inc(&ctx->sc_refcount);
2380 void sptlrpc_svc_ctx_decref(struct ptlrpc_request *req)
2382 struct ptlrpc_svc_ctx *ctx = req->rq_svc_ctx;
2387 LASSERT_ATOMIC_POS(&ctx->sc_refcount);
2388 if (atomic_dec_and_test(&ctx->sc_refcount)) {
2389 if (ctx->sc_policy->sp_sops->free_ctx)
2390 ctx->sc_policy->sp_sops->free_ctx(ctx);
2392 req->rq_svc_ctx = NULL;
2395 void sptlrpc_svc_ctx_invalidate(struct ptlrpc_request *req)
2397 struct ptlrpc_svc_ctx *ctx = req->rq_svc_ctx;
2402 LASSERT_ATOMIC_POS(&ctx->sc_refcount);
2403 if (ctx->sc_policy->sp_sops->invalidate_ctx)
2404 ctx->sc_policy->sp_sops->invalidate_ctx(ctx);
2406 EXPORT_SYMBOL(sptlrpc_svc_ctx_invalidate);
2413 * Perform transformation upon bulk data pointed by \a desc. This is called
2414 * before transforming the request message.
2416 int sptlrpc_cli_wrap_bulk(struct ptlrpc_request *req,
2417 struct ptlrpc_bulk_desc *desc)
2419 struct ptlrpc_cli_ctx *ctx;
2421 LASSERT(req->rq_bulk_read || req->rq_bulk_write);
2423 if (!req->rq_pack_bulk)
2426 ctx = req->rq_cli_ctx;
2427 if (ctx->cc_ops->wrap_bulk)
2428 return ctx->cc_ops->wrap_bulk(ctx, req, desc);
2431 EXPORT_SYMBOL(sptlrpc_cli_wrap_bulk);
2434 * This is called after unwrap the reply message.
2435 * return nob of actual plain text size received, or error code.
2437 int sptlrpc_cli_unwrap_bulk_read(struct ptlrpc_request *req,
2438 struct ptlrpc_bulk_desc *desc,
2441 struct ptlrpc_cli_ctx *ctx;
2444 LASSERT(req->rq_bulk_read && !req->rq_bulk_write);
2446 if (!req->rq_pack_bulk)
2447 return desc->bd_nob_transferred;
2449 ctx = req->rq_cli_ctx;
2450 if (ctx->cc_ops->unwrap_bulk) {
2451 rc = ctx->cc_ops->unwrap_bulk(ctx, req, desc);
2455 return desc->bd_nob_transferred;
2457 EXPORT_SYMBOL(sptlrpc_cli_unwrap_bulk_read);
2460 * This is called after unwrap the reply message.
2461 * return 0 for success or error code.
2463 int sptlrpc_cli_unwrap_bulk_write(struct ptlrpc_request *req,
2464 struct ptlrpc_bulk_desc *desc)
2466 struct ptlrpc_cli_ctx *ctx;
2469 LASSERT(!req->rq_bulk_read && req->rq_bulk_write);
2471 if (!req->rq_pack_bulk)
2474 ctx = req->rq_cli_ctx;
2475 if (ctx->cc_ops->unwrap_bulk) {
2476 rc = ctx->cc_ops->unwrap_bulk(ctx, req, desc);
2482 * if everything is going right, nob should equals to nob_transferred.
2483 * in case of privacy mode, nob_transferred needs to be adjusted.
2485 if (desc->bd_nob != desc->bd_nob_transferred) {
2486 CERROR("nob %d doesn't match transferred nob %d\n",
2487 desc->bd_nob, desc->bd_nob_transferred);
2493 EXPORT_SYMBOL(sptlrpc_cli_unwrap_bulk_write);
2495 #ifdef HAVE_SERVER_SUPPORT
2497 * Performe transformation upon outgoing bulk read.
2499 int sptlrpc_svc_wrap_bulk(struct ptlrpc_request *req,
2500 struct ptlrpc_bulk_desc *desc)
2502 struct ptlrpc_svc_ctx *ctx;
2504 LASSERT(req->rq_bulk_read);
2506 if (!req->rq_pack_bulk)
2509 ctx = req->rq_svc_ctx;
2510 if (ctx->sc_policy->sp_sops->wrap_bulk)
2511 return ctx->sc_policy->sp_sops->wrap_bulk(req, desc);
2515 EXPORT_SYMBOL(sptlrpc_svc_wrap_bulk);
2518 * Performe transformation upon incoming bulk write.
2520 int sptlrpc_svc_unwrap_bulk(struct ptlrpc_request *req,
2521 struct ptlrpc_bulk_desc *desc)
2523 struct ptlrpc_svc_ctx *ctx;
2526 LASSERT(req->rq_bulk_write);
2529 * if it's in privacy mode, transferred should >= expected; otherwise
2530 * transferred should == expected.
2532 if (desc->bd_nob_transferred < desc->bd_nob ||
2533 (desc->bd_nob_transferred > desc->bd_nob &&
2534 SPTLRPC_FLVR_BULK_SVC(req->rq_flvr.sf_rpc) !=
2535 SPTLRPC_BULK_SVC_PRIV)) {
2536 DEBUG_REQ(D_ERROR, req, "truncated bulk GET %d(%d)",
2537 desc->bd_nob_transferred, desc->bd_nob);
2541 if (!req->rq_pack_bulk)
2544 ctx = req->rq_svc_ctx;
2545 if (ctx->sc_policy->sp_sops->unwrap_bulk) {
2546 rc = ctx->sc_policy->sp_sops->unwrap_bulk(req, desc);
2548 CERROR("error unwrap bulk: %d\n", rc);
2551 /* return 0 to allow reply be sent */
2554 EXPORT_SYMBOL(sptlrpc_svc_unwrap_bulk);
2557 * Prepare buffers for incoming bulk write.
2559 int sptlrpc_svc_prep_bulk(struct ptlrpc_request *req,
2560 struct ptlrpc_bulk_desc *desc)
2562 struct ptlrpc_svc_ctx *ctx;
2564 LASSERT(req->rq_bulk_write);
2566 if (!req->rq_pack_bulk)
2569 ctx = req->rq_svc_ctx;
2570 if (ctx->sc_policy->sp_sops->prep_bulk)
2571 return ctx->sc_policy->sp_sops->prep_bulk(req, desc);
2575 EXPORT_SYMBOL(sptlrpc_svc_prep_bulk);
2577 #endif /* HAVE_SERVER_SUPPORT */
2580 * user descriptor helpers
2583 int sptlrpc_current_user_desc_size(void)
2587 ngroups = current_cred()->group_info->ngroups;
2589 if (ngroups > LUSTRE_MAX_GROUPS)
2590 ngroups = LUSTRE_MAX_GROUPS;
2591 return sptlrpc_user_desc_size(ngroups);
2593 EXPORT_SYMBOL(sptlrpc_current_user_desc_size);
2595 int sptlrpc_pack_user_desc(struct lustre_msg *msg, int offset)
2597 struct ptlrpc_user_desc *pud;
2600 pud = lustre_msg_buf(msg, offset, 0);
2602 pud->pud_uid = from_kuid(&init_user_ns, current_uid());
2603 pud->pud_gid = from_kgid(&init_user_ns, current_gid());
2604 pud->pud_fsuid = from_kuid(&init_user_ns, current_fsuid());
2605 pud->pud_fsgid = from_kgid(&init_user_ns, current_fsgid());
2606 pud->pud_cap = cfs_curproc_cap_pack();
2607 pud->pud_ngroups = (msg->lm_buflens[offset] - sizeof(*pud)) / 4;
2610 ngroups = current_cred()->group_info->ngroups;
2611 if (pud->pud_ngroups > ngroups)
2612 pud->pud_ngroups = ngroups;
2613 #ifdef HAVE_GROUP_INFO_GID
2614 memcpy(pud->pud_groups, current_cred()->group_info->gid,
2615 pud->pud_ngroups * sizeof(__u32));
2616 #else /* !HAVE_GROUP_INFO_GID */
2617 memcpy(pud->pud_groups, current_cred()->group_info->blocks[0],
2618 pud->pud_ngroups * sizeof(__u32));
2619 #endif /* HAVE_GROUP_INFO_GID */
2620 task_unlock(current);
2624 EXPORT_SYMBOL(sptlrpc_pack_user_desc);
2626 int sptlrpc_unpack_user_desc(struct lustre_msg *msg, int offset, int swabbed)
2628 struct ptlrpc_user_desc *pud;
2631 pud = lustre_msg_buf(msg, offset, sizeof(*pud));
2636 __swab32s(&pud->pud_uid);
2637 __swab32s(&pud->pud_gid);
2638 __swab32s(&pud->pud_fsuid);
2639 __swab32s(&pud->pud_fsgid);
2640 __swab32s(&pud->pud_cap);
2641 __swab32s(&pud->pud_ngroups);
2644 if (pud->pud_ngroups > LUSTRE_MAX_GROUPS) {
2645 CERROR("%u groups is too large\n", pud->pud_ngroups);
2649 if (sizeof(*pud) + pud->pud_ngroups * sizeof(__u32) >
2650 msg->lm_buflens[offset]) {
2651 CERROR("%u groups are claimed but bufsize only %u\n",
2652 pud->pud_ngroups, msg->lm_buflens[offset]);
2657 for (i = 0; i < pud->pud_ngroups; i++)
2658 __swab32s(&pud->pud_groups[i]);
2663 EXPORT_SYMBOL(sptlrpc_unpack_user_desc);
2669 const char *sec2target_str(struct ptlrpc_sec *sec)
2671 if (!sec || !sec->ps_import || !sec->ps_import->imp_obd)
2673 if (sec_is_reverse(sec))
2675 return obd_uuid2str(&sec->ps_import->imp_obd->u.cli.cl_target_uuid);
2677 EXPORT_SYMBOL(sec2target_str);
2680 * return true if the bulk data is protected
2682 int sptlrpc_flavor_has_bulk(struct sptlrpc_flavor *flvr)
2684 switch (SPTLRPC_FLVR_BULK_SVC(flvr->sf_rpc)) {
2685 case SPTLRPC_BULK_SVC_INTG:
2686 case SPTLRPC_BULK_SVC_PRIV:
2692 EXPORT_SYMBOL(sptlrpc_flavor_has_bulk);
2695 * crypto API helper/alloc blkciper
2699 * initialize/finalize
2702 int sptlrpc_init(void)
2706 rwlock_init(&policy_lock);
2708 rc = sptlrpc_gc_init();
2712 rc = sptlrpc_conf_init();
2716 rc = sptlrpc_enc_pool_init();
2720 rc = sptlrpc_null_init();
2724 rc = sptlrpc_plain_init();
2728 rc = sptlrpc_lproc_init();
2735 sptlrpc_plain_fini();
2737 sptlrpc_null_fini();
2739 sptlrpc_enc_pool_fini();
2741 sptlrpc_conf_fini();
2748 void sptlrpc_fini(void)
2750 sptlrpc_lproc_fini();
2751 sptlrpc_plain_fini();
2752 sptlrpc_null_fini();
2753 sptlrpc_enc_pool_fini();
2754 sptlrpc_conf_fini();
git://git.whamcloud.com / fs / lustre-release.git / blob