*
* You should have received a copy of the GNU General Public License
* version 2 along with this program; If not, see
- * http://www.sun.com/software/products/lustre/docs/GPLv2.pdf
- *
- * Please contact Sun Microsystems, Inc., 4150 Network Circle, Santa Clara,
- * CA 95054 USA or visit www.sun.com if you need additional information or
- * have any questions.
+ * http://www.gnu.org/licenses/gpl-2.0.html
*
* GPL HEADER END
*/
#include <linux/mutex.h>
#include <asm/atomic.h>
+#include <libcfs/linux/linux-list.h>
#include <obd.h>
#include <obd_class.h>
#include <obd_support.h>
-#include <lustre/lustre_idl.h>
+#include <uapi/linux/lustre/lustre_idl.h>
#include <lustre_sec.h>
#include <lustre_net.h>
#include <lustre_import.h>
#include "gss_internal.h"
#include "gss_api.h"
+#ifdef HAVE_GET_REQUEST_KEY_AUTH
+#include <keys/request_key_auth-type.h>
+#endif
+
static struct ptlrpc_sec_policy gss_policy_keyring;
static struct ptlrpc_ctx_ops gss_keyring_ctxops;
static struct key_type gss_key_type;
/*
* the timeout is only for the case that upcall child process die abnormally.
* in any other cases it should finally update kernel key.
- *
+ *
* FIXME we'd better to incorporate the client & server side upcall timeouts
* into the framework of Adaptive Timeouts, but we need to figure out how to
* make sure that kernel knows the upcall processes is in-progress or died
* internal helpers *
****************************************/
-#define DUMP_PROCESS_KEYRINGS(tsk) \
-{ \
- CWARN("DUMP PK: %s[%u,%u/%u](<-%s[%u,%u/%u]): " \
- "a %d, t %d, p %d, s %d, u %d, us %d, df %d\n", \
- tsk->comm, tsk->pid, tsk->uid, tsk->fsuid, \
- tsk->parent->comm, tsk->parent->pid, \
- tsk->parent->uid, tsk->parent->fsuid, \
- tsk->request_key_auth ? \
- tsk->request_key_auth->serial : 0, \
- key_cred(tsk)->thread_keyring ? \
- key_cred(tsk)->thread_keyring->serial : 0, \
- key_tgcred(tsk)->process_keyring ? \
- key_tgcred(tsk)->process_keyring->serial : 0, \
- key_tgcred(tsk)->session_keyring ? \
- key_tgcred(tsk)->session_keyring->serial : 0, \
- key_cred(tsk)->user->uid_keyring ? \
- key_cred(tsk)->user->uid_keyring->serial : 0, \
- key_cred(tsk)->user->session_keyring ? \
- key_cred(tsk)->user->session_keyring->serial : 0, \
- key_cred(tsk)->jit_keyring \
- ); \
-}
-
-#define DUMP_KEY(key) \
-{ \
- CWARN("DUMP KEY: %p(%d) ref %d u%u/g%u desc %s\n", \
- key, key->serial, atomic_read(&key->usage), \
- key->uid, key->gid, \
- key->description ? key->description : "n/a" \
- ); \
-}
-
-#define key_cred(tsk) ((tsk)->cred)
-#define key_tgcred(tsk) ((tsk)->cred->tgcred)
-
static inline void keyring_upcall_lock(struct gss_sec_keyring *gsec_kr)
{
#ifdef HAVE_KEYRING_UPCALL_SERIALIZED
set_bit(KEY_FLAG_REVOKED, &key->flags);
}
-static void ctx_upcall_timeout_kr(unsigned long data)
+static void ctx_upcall_timeout_kr(cfs_timer_cb_arg_t data)
{
- struct ptlrpc_cli_ctx *ctx = (struct ptlrpc_cli_ctx *) data;
- struct key *key = ctx2gctx_keyring(ctx)->gck_key;
+ struct gss_cli_ctx_keyring *gctx_kr = cfs_from_timer(gctx_kr,
+ data, gck_timer);
+ struct ptlrpc_cli_ctx *ctx = &(gctx_kr->gck_base.gc_base);
+ struct key *key = gctx_kr->gck_key;
CWARN("ctx %p, key %p\n", ctx, key);
key_revoke_locked(key);
}
-static void ctx_start_timer_kr(struct ptlrpc_cli_ctx *ctx, long timeout)
+static void ctx_start_timer_kr(struct ptlrpc_cli_ctx *ctx, time64_t timeout)
{
struct gss_cli_ctx_keyring *gctx_kr = ctx2gctx_keyring(ctx);
- struct timer_list *timer = gctx_kr->gck_timer;
+ struct timer_list *timer = &gctx_kr->gck_timer;
LASSERT(timer);
- CDEBUG(D_SEC, "ctx %p: start timer %lds\n", ctx, timeout);
- timeout = msecs_to_jiffies(timeout * MSEC_PER_SEC) +
- cfs_time_current();
-
- init_timer(timer);
- timer->expires = timeout;
- timer->data = (unsigned long ) ctx;
- timer->function = ctx_upcall_timeout_kr;
+ CDEBUG(D_SEC, "ctx %p: start timer %llds\n", ctx, timeout);
+ cfs_timer_setup(timer, ctx_upcall_timeout_kr,
+ (unsigned long)gctx_kr, 0);
+ timer->expires = cfs_time_seconds(timeout) + jiffies;
add_timer(timer);
}
void ctx_clear_timer_kr(struct ptlrpc_cli_ctx *ctx)
{
struct gss_cli_ctx_keyring *gctx_kr = ctx2gctx_keyring(ctx);
- struct timer_list *timer = gctx_kr->gck_timer;
-
- if (timer == NULL)
- return;
+ struct timer_list *timer = &gctx_kr->gck_timer;
CDEBUG(D_SEC, "ctx %p, key %p\n", ctx, gctx_kr->gck_key);
- gctx_kr->gck_timer = NULL;
-
del_singleshot_timer_sync(timer);
-
- OBD_FREE_PTR(timer);
}
static
struct ptlrpc_cli_ctx *ctx_create_kr(struct ptlrpc_sec *sec,
struct vfs_cred *vcred)
{
- struct ptlrpc_cli_ctx *ctx;
- struct gss_cli_ctx_keyring *gctx_kr;
+ struct ptlrpc_cli_ctx *ctx;
+ struct gss_cli_ctx_keyring *gctx_kr;
- OBD_ALLOC_PTR(gctx_kr);
- if (gctx_kr == NULL)
- return NULL;
+ OBD_ALLOC_PTR(gctx_kr);
+ if (gctx_kr == NULL)
+ return NULL;
- OBD_ALLOC_PTR(gctx_kr->gck_timer);
- if (gctx_kr->gck_timer == NULL) {
- OBD_FREE_PTR(gctx_kr);
- return NULL;
- }
- init_timer(gctx_kr->gck_timer);
+ cfs_timer_setup(&gctx_kr->gck_timer, NULL, 0, 0);
- ctx = &gctx_kr->gck_base.gc_base;
+ ctx = &gctx_kr->gck_base.gc_base;
- if (gss_cli_ctx_init_common(sec, ctx, &gss_keyring_ctxops, vcred)) {
- OBD_FREE_PTR(gctx_kr->gck_timer);
- OBD_FREE_PTR(gctx_kr);
- return NULL;
- }
+ if (gss_cli_ctx_init_common(sec, ctx, &gss_keyring_ctxops, vcred)) {
+ OBD_FREE_PTR(gctx_kr);
+ return NULL;
+ }
- ctx->cc_expire = cfs_time_current_sec() + KEYRING_UPCALL_TIMEOUT;
+ ctx->cc_expire = ktime_get_real_seconds() + KEYRING_UPCALL_TIMEOUT;
clear_bit(PTLRPC_CTX_NEW_BIT, &ctx->cc_flags);
atomic_inc(&ctx->cc_refcount); /* for the caller */
LASSERT(gctx_kr->gck_key == NULL);
ctx_clear_timer_kr(ctx);
- LASSERT(gctx_kr->gck_timer == NULL);
if (gss_cli_ctx_fini_common(sec, ctx))
return;
}
/*
+ * Get specific payload. Newer kernels support 4 slots.
+ */
+static void *
+key_get_payload(struct key *key, unsigned int index)
+{
+ void *key_ptr = NULL;
+
+#ifdef HAVE_KEY_PAYLOAD_DATA_ARRAY
+ key_ptr = key->payload.data[index];
+#else
+ if (!index)
+ key_ptr = key->payload.data;
+#endif
+ return key_ptr;
+}
+
+/*
+ * Set specific payload. Newer kernels support 4 slots.
+ */
+static int key_set_payload(struct key *key, unsigned int index,
+ struct ptlrpc_cli_ctx *ctx)
+{
+ int rc = -EINVAL;
+
+#ifdef HAVE_KEY_PAYLOAD_DATA_ARRAY
+ if (index < 4) {
+ key->payload.data[index] = ctx;
+#else
+ if (!index) {
+ key->payload.data = ctx;
+#endif
+ rc = 0;
+ }
+ return rc;
+}
+
+/*
* bind a key with a ctx together.
* caller must hold write lock of the key, as well as ref on key & ctx.
*/
static void bind_key_ctx(struct key *key, struct ptlrpc_cli_ctx *ctx)
{
LASSERT(atomic_read(&ctx->cc_refcount) > 0);
- LASSERT(atomic_read(&key->usage) > 0);
+ LASSERT(ll_read_key_usage(key) > 0);
LASSERT(ctx2gctx_keyring(ctx)->gck_key == NULL);
- LASSERT(key->payload.data == NULL);
+ LASSERT(!key_get_payload(key, 0));
/* at this time context may or may not in list. */
key_get(key);
atomic_inc(&ctx->cc_refcount);
ctx2gctx_keyring(ctx)->gck_key = key;
- key->payload.data = ctx;
+ LASSERT(!key_set_payload(key, 0, ctx));
}
/*
*/
static void unbind_key_ctx(struct key *key, struct ptlrpc_cli_ctx *ctx)
{
- LASSERT(key->payload.data == ctx);
+ LASSERT(key_get_payload(key, 0) == ctx);
LASSERT(test_bit(PTLRPC_CTX_CACHED_BIT, &ctx->cc_flags) == 0);
/* must revoke the key, or others may treat it as newly created */
key_revoke_locked(key);
- key->payload.data = NULL;
+ key_set_payload(key, 0, NULL);
ctx2gctx_keyring(ctx)->gck_key = NULL;
/* once ctx get split from key, the timer is meaningless */
struct key *key = ctx2gctx_keyring(ctx)->gck_key;
if (key) {
- LASSERT(key->payload.data == ctx);
+ LASSERT(key_get_payload(key, 0) == ctx);
key_get(key);
down_write(&key->sem);
*/
static void unbind_key_locked(struct key *key)
{
- struct ptlrpc_cli_ctx *ctx = key->payload.data;
+ struct ptlrpc_cli_ctx *ctx = key_get_payload(key, 0);
if (ctx)
unbind_key_ctx(key, ctx);
*/
static void kill_key_locked(struct key *key)
{
- struct ptlrpc_cli_ctx *ctx = key->payload.data;
+ struct ptlrpc_cli_ctx *ctx = key_get_payload(key, 0);
if (ctx && ctx_unlist_kr(ctx, 0))
unbind_key_locked(key);
struct ptlrpc_cli_ctx *new_ctx,
struct key *key)
{
- struct gss_sec_keyring *gsec_kr = sec2gsec_keyring(sec);
- struct hlist_node __maybe_unused *hnode;
- struct ptlrpc_cli_ctx *ctx;
- cfs_time_t now;
- ENTRY;
+ struct gss_sec_keyring *gsec_kr = sec2gsec_keyring(sec);
+ struct hlist_node __maybe_unused *hnode;
+ struct ptlrpc_cli_ctx *ctx;
+ time64_t now;
- LASSERT(sec_is_reverse(sec));
+ ENTRY;
+ LASSERT(sec_is_reverse(sec));
spin_lock(&sec->ps_lock);
- now = cfs_time_current_sec();
+ now = ktime_get_real_seconds();
/* set all existing ctxs short expiry */
cfs_hlist_for_each_entry(ctx, hnode, &gsec_kr->gsk_clist, cc_cache) {
}
/*
+ * kernel 5.3: commit 0f44e4d976f96c6439da0d6717238efa4b91196e
+ * keys: Move the user and user-session keyrings to the user_namespace
+ *
+ * When lookup_user_key is available use the kernel API rather than directly
+ * accessing the uid_keyring and session_keyring via the current process
+ * credentials.
+ */
+#ifdef HAVE_LOOKUP_USER_KEY
+
+/* from Linux security/keys/internal.h: */
+#ifndef KEY_LOOKUP_FOR_UNLINK
+#define KEY_LOOKUP_FOR_UNLINK 0x04
+#endif
+
+static struct key *_user_key(key_serial_t id)
+{
+ key_ref_t ref;
+
+ might_sleep();
+ ref = lookup_user_key(id, KEY_LOOKUP_FOR_UNLINK, 0);
+ if (IS_ERR(ref))
+ return NULL;
+ return key_ref_to_ptr(ref);
+}
+
+static inline struct key *get_user_session_keyring(const struct cred *cred)
+{
+ return _user_key(KEY_SPEC_USER_SESSION_KEYRING);
+}
+
+static inline struct key *get_user_keyring(const struct cred *cred)
+{
+ return _user_key(KEY_SPEC_USER_KEYRING);
+}
+#else
+static inline struct key *get_user_session_keyring(const struct cred *cred)
+{
+ return key_get(cred->user->session_keyring);
+}
+
+static inline struct key *get_user_keyring(const struct cred *cred)
+{
+ return key_get(cred->user->uid_keyring);
+}
+#endif
+
+/*
* unlink request key from it's ring, which is linked during request_key().
* sadly, we have to 'guess' which keyring it's linked to.
*
- * FIXME this code is fragile, depend on how request_key_link() is implemented.
+ * FIXME this code is fragile, it depends on how request_key() is implemented.
*/
static void request_key_unlink(struct key *key)
{
- struct task_struct *tsk = current;
- struct key *ring;
+ const struct cred *cred = current_cred();
+ struct key *ring = NULL;
- switch (key_cred(tsk)->jit_keyring) {
+ switch (cred->jit_keyring) {
case KEY_REQKEY_DEFL_DEFAULT:
+ case KEY_REQKEY_DEFL_REQUESTOR_KEYRING:
+#ifdef HAVE_GET_REQUEST_KEY_AUTH
+ if (cred->request_key_auth) {
+ struct request_key_auth *rka;
+ struct key *authkey = cred->request_key_auth;
+
+ down_read(&authkey->sem);
+ rka = get_request_key_auth(authkey);
+ if (!test_bit(KEY_FLAG_REVOKED, &authkey->flags))
+ ring = key_get(rka->dest_keyring);
+ up_read(&authkey->sem);
+ if (ring)
+ break;
+ }
+#endif
+ /* fall through */
case KEY_REQKEY_DEFL_THREAD_KEYRING:
- ring = key_get(key_cred(tsk)->thread_keyring);
+ ring = key_get(cred->thread_keyring);
if (ring)
break;
+ /* fallthrough */
case KEY_REQKEY_DEFL_PROCESS_KEYRING:
- ring = key_get(key_tgcred(tsk)->process_keyring);
+ ring = key_get(cred->process_keyring);
if (ring)
break;
+ /* fallthrough */
case KEY_REQKEY_DEFL_SESSION_KEYRING:
rcu_read_lock();
- ring = key_get(rcu_dereference(key_tgcred(tsk)
- ->session_keyring));
+ ring = key_get(rcu_dereference(cred->session_keyring));
rcu_read_unlock();
if (ring)
break;
+ /* fallthrough */
case KEY_REQKEY_DEFL_USER_SESSION_KEYRING:
- ring = key_get(key_cred(tsk)->user->session_keyring);
+ ring = get_user_session_keyring(cred);
break;
case KEY_REQKEY_DEFL_USER_KEYRING:
- ring = key_get(key_cred(tsk)->user->uid_keyring);
+ ring = get_user_keyring(cred);
break;
case KEY_REQKEY_DEFL_GROUP_KEYRING:
default:
char desc[24];
char *coinfo;
int coinfo_size;
- char *co_flags = "";
+ const char *sec_part_flags = "";
+ char svc_flag = '-';
ENTRY;
LASSERT(imp != NULL);
/* update reverse handle for root user */
sec2gsec(sec)->gs_rvs_hdl = gss_get_next_ctx_index();
- switch (sec->ps_part) {
- case LUSTRE_SP_MDT:
- co_flags = "m";
- break;
- case LUSTRE_SP_OST:
- co_flags = "o";
- break;
- case LUSTRE_SP_MGC:
- co_flags = "rmo";
- break;
- case LUSTRE_SP_CLI:
- co_flags = "r";
- break;
- case LUSTRE_SP_MGS:
- default:
- LBUG();
+ switch (sec->ps_part) {
+ case LUSTRE_SP_MDT:
+ sec_part_flags = "m";
+ break;
+ case LUSTRE_SP_OST:
+ sec_part_flags = "o";
+ break;
+ case LUSTRE_SP_MGC:
+ sec_part_flags = "rmo";
+ break;
+ case LUSTRE_SP_CLI:
+ sec_part_flags = "r";
+ break;
+ case LUSTRE_SP_MGS:
+ default:
+ LBUG();
}
- }
-
- /* in case of setuid, key will be constructed as owner of fsuid/fsgid,
- * but we do authentication based on real uid/gid. the key permission
- * bits will be exactly as POS_ALL, so only processes who subscribed
- * this key could have the access, although the quota might be counted
- * on others (fsuid/fsgid).
- *
- * keyring will use fsuid/fsgid as upcall parameters, so we have to
- * encode real uid/gid into callout info.
- */
- construct_key_desc(desc, sizeof(desc), sec, vcred->vc_uid);
+ switch (SPTLRPC_FLVR_SVC(sec->ps_flvr.sf_rpc)) {
+ case SPTLRPC_SVC_NULL:
+ svc_flag = 'n';
+ break;
+ case SPTLRPC_SVC_AUTH:
+ svc_flag = 'a';
+ break;
+ case SPTLRPC_SVC_INTG:
+ svc_flag = 'i';
+ break;
+ case SPTLRPC_SVC_PRIV:
+ svc_flag = 'p';
+ break;
+ default:
+ LBUG();
+ }
+ }
- /* callout info format:
- * secid:mech:uid:gid:flags:svc_type:peer_nid:target_uuid
- */
- coinfo_size = sizeof(struct obd_uuid) + MAX_OBD_NAME + 64;
- OBD_ALLOC(coinfo, coinfo_size);
- if (coinfo == NULL)
- goto out;
+ /* in case of setuid, key will be constructed as owner of fsuid/fsgid,
+ * but we do authentication based on real uid/gid. the key permission
+ * bits will be exactly as POS_ALL, so only processes who subscribed
+ * this key could have the access, although the quota might be counted
+ * on others (fsuid/fsgid).
+ *
+ * keyring will use fsuid/fsgid as upcall parameters, so we have to
+ * encode real uid/gid into callout info.
+ */
+
+ /* But first we need to make sure the obd type is supported */
+ if (strcmp(imp->imp_obd->obd_type->typ_name, LUSTRE_MDC_NAME) &&
+ strcmp(imp->imp_obd->obd_type->typ_name, LUSTRE_OSC_NAME) &&
+ strcmp(imp->imp_obd->obd_type->typ_name, LUSTRE_MGC_NAME) &&
+ strcmp(imp->imp_obd->obd_type->typ_name, LUSTRE_LWP_NAME) &&
+ strcmp(imp->imp_obd->obd_type->typ_name, LUSTRE_OSP_NAME)) {
+ CERROR("obd %s is not a supported device\n",
+ imp->imp_obd->obd_name);
+ GOTO(out, ctx = NULL);
+ }
- snprintf(coinfo, coinfo_size, "%d:%s:%u:%u:%s:%d:"LPX64":%s",
- sec->ps_id, sec2gsec(sec)->gs_mech->gm_name,
- vcred->vc_uid, vcred->vc_gid,
- co_flags, import_to_gss_svc(imp),
- imp->imp_connection->c_peer.nid, imp->imp_obd->obd_name);
+ construct_key_desc(desc, sizeof(desc), sec, vcred->vc_uid);
+
+ /* callout info format:
+ * secid:mech:uid:gid:sec_flags:svc_flag:svc_type:peer_nid:target_uuid:
+ * self_nid:pid
+ */
+ coinfo_size = sizeof(struct obd_uuid) + MAX_OBD_NAME + 64;
+ OBD_ALLOC(coinfo, coinfo_size);
+ if (coinfo == NULL)
+ goto out;
+
+ /* Last callout parameter is pid of process whose namespace will be used
+ * for credentials' retrieval.
+ * For user's credentials (in which case sec_part_flags is empty), use
+ * current PID instead of import's reference PID to get reference
+ * namespace. */
+ snprintf(coinfo, coinfo_size, "%d:%s:%u:%u:%s:%c:%d:%#llx:%s:%#llx:%d",
+ sec->ps_id, sec2gsec(sec)->gs_mech->gm_name,
+ vcred->vc_uid, vcred->vc_gid,
+ sec_part_flags, svc_flag, import_to_gss_svc(imp),
+ imp->imp_connection->c_peer.nid, imp->imp_obd->obd_name,
+ imp->imp_connection->c_self,
+ sec_part_flags[0] == '\0' ?
+ current_pid() : imp->imp_sec_refpid);
CDEBUG(D_SEC, "requesting key for %s\n", desc);
* need wirtelock of key->sem to serialize them. */
down_write(&key->sem);
- if (likely(key->payload.data != NULL)) {
- ctx = key->payload.data;
-
+ ctx = key_get_payload(key, 0);
+ if (likely(ctx)) {
LASSERT(atomic_read(&ctx->cc_refcount) >= 1);
LASSERT(ctx2gctx_keyring(ctx)->gck_key == key);
- LASSERT(atomic_read(&key->usage) >= 2);
+ LASSERT(ll_read_key_usage(key) >= 2);
/* simply take a ref and return. it's upper layer's
* responsibility to detect & replace dead ctx. */
construct_key_desc(desc, sizeof(desc), sec, uid);
- /* there should be only one valid key, but we put it in the
- * loop in case of any weird cases */
- for (;;) {
- key = request_key(&gss_key_type, desc, NULL);
- if (IS_ERR(key)) {
- CDEBUG(D_SEC, "No more key found for current user\n");
- break;
- }
+ /* there should be only one valid key, but we put it in the
+ * loop in case of any weird cases */
+ for (;;) {
+ key = request_key(&gss_key_type, desc, NULL);
+ if (IS_ERR(key)) {
+ CDEBUG(D_SEC, "No more key found for current user\n");
+ break;
+ }
- down_write(&key->sem);
+ down_write(&key->sem);
- kill_key_locked(key);
+ kill_key_locked(key);
- /* kill_key_locked() should usually revoke the key, but we
- * revoke it again to make sure, e.g. some case the key may
- * not well coupled with a context. */
- key_revoke_locked(key);
+ /* kill_key_locked() should usually revoke the key, but we
+ * revoke it again to make sure, e.g. some case the key may
+ * not well coupled with a context. */
+ key_revoke_locked(key);
- up_write(&key->sem);
+ up_write(&key->sem);
- key_put(key);
- }
+ request_key_unlink(key);
+
+ key_put(key);
+ }
}
/*
dispose_ctx_list_kr(&freelist);
EXIT;
- return;
}
static
int gss_sec_display_kr(struct ptlrpc_sec *sec, struct seq_file *seq)
{
- struct gss_sec_keyring *gsec_kr = sec2gsec_keyring(sec);
- struct hlist_node __maybe_unused *pos, *next;
- struct ptlrpc_cli_ctx *ctx;
- struct gss_cli_ctx *gctx;
- time_t now = cfs_time_current_sec();
- ENTRY;
+ struct gss_sec_keyring *gsec_kr = sec2gsec_keyring(sec);
+ struct hlist_node __maybe_unused *pos, *next;
+ struct ptlrpc_cli_ctx *ctx;
+ struct gss_cli_ctx *gctx;
+ time64_t now = ktime_get_real_seconds();
+ ENTRY;
spin_lock(&sec->ps_lock);
cfs_hlist_for_each_entry_safe(ctx, pos, next,
&gsec_kr->gsk_clist, cc_cache) {
snprintf(mech, sizeof(mech), "N/A");
mech[sizeof(mech) - 1] = '\0';
- seq_printf(seq, "%p: uid %u, ref %d, expire %ld(%+ld), fl %s, "
- "seq %d, win %u, key %08x(ref %d), "
- "hdl "LPX64":"LPX64", mech: %s\n",
+ seq_printf(seq,
+ "%p: uid %u, ref %d, expire %lld(%+lld), fl %s, seq %d, win %u, key %08x(ref %d), hdl %#llx:%#llx, mech: %s\n",
ctx, ctx->cc_vcred.vc_uid,
atomic_read(&ctx->cc_refcount),
ctx->cc_expire,
atomic_read(&gctx->gc_seq),
gctx->gc_win,
key ? key->serial : 0,
- key ? atomic_read(&key->usage) : 0,
+ key ? ll_read_key_usage(key) : 0,
gss_handle_to_u64(&gctx->gc_handle),
gss_handle_to_u64(&gctx->gc_svc_handle),
mech);
static
int sec_install_rctx_kr(struct ptlrpc_sec *sec,
- struct ptlrpc_svc_ctx *svc_ctx)
+ struct ptlrpc_svc_ctx *svc_ctx)
{
- struct ptlrpc_cli_ctx *cli_ctx;
- struct vfs_cred vcred = { 0, 0 };
- int rc;
+ struct ptlrpc_cli_ctx *cli_ctx;
+ struct vfs_cred vcred = { .vc_uid = 0 };
+ int rc;
LASSERT(sec);
LASSERT(svc_ctx);
static
int sec_install_rctx_kr(struct ptlrpc_sec *sec,
- struct ptlrpc_svc_ctx *svc_ctx)
+ struct ptlrpc_svc_ctx *svc_ctx)
{
- struct ptlrpc_cli_ctx *cli_ctx = NULL;
- struct key *key;
- struct vfs_cred vcred = { 0, 0 };
- char desc[64];
- int rc;
+ struct ptlrpc_cli_ctx *cli_ctx = NULL;
+ struct key *key;
+ struct vfs_cred vcred = { .vc_uid = 0 };
+ char desc[64];
+ int rc;
LASSERT(sec);
LASSERT(svc_ctx);
down_write(&key->sem);
- LASSERT(key->payload.data == NULL);
+ LASSERT(!key_get_payload(key, 0));
cli_ctx = ctx_create_kr(sec, &vcred);
if (cli_ctx == NULL) {
****************************************/
static
+#ifdef HAVE_KEY_TYPE_INSTANTIATE_2ARGS
+int gss_kt_instantiate(struct key *key, struct key_preparsed_payload *prep)
+{
+ const void *data = prep->data;
+ size_t datalen = prep->datalen;
+#else
int gss_kt_instantiate(struct key *key, const void *data, size_t datalen)
{
+#endif
int rc;
ENTRY;
RETURN(-EINVAL);
}
- if (key->payload.data != NULL) {
+ if (key_get_payload(key, 0)) {
CERROR("key already have payload\n");
RETURN(-EINVAL);
}
* the session keyring is created upon upcall, and don't change all
* the way until upcall finished, so rcu lock is not needed here.
*/
- LASSERT(key_tgcred(current)->session_keyring);
+ LASSERT(current_cred()->session_keyring);
lockdep_off();
- rc = key_link(key_tgcred(current)->session_keyring, key);
+ rc = key_link(current_cred()->session_keyring, key);
lockdep_on();
if (unlikely(rc)) {
CERROR("failed to link key %08x to keyring %08x: %d\n",
key->serial,
- key_tgcred(current)->session_keyring->serial, rc);
+ current_cred()->session_keyring->serial, rc);
RETURN(rc);
}
- CDEBUG(D_SEC, "key %p instantiated, ctx %p\n", key, key->payload.data);
+ CDEBUG(D_SEC, "key %p instantiated, ctx %p\n", key,
+ key_get_payload(key, 0));
RETURN(0);
}
* on the context without fear of loosing refcount.
*/
static
+#ifdef HAVE_KEY_TYPE_INSTANTIATE_2ARGS
+int gss_kt_update(struct key *key, struct key_preparsed_payload *prep)
+{
+ const void *data = prep->data;
+ __u32 datalen32 = (__u32) prep->datalen;
+#else
int gss_kt_update(struct key *key, const void *data, size_t datalen)
{
- struct ptlrpc_cli_ctx *ctx = key->payload.data;
+ __u32 datalen32 = (__u32) datalen;
+#endif
+ struct ptlrpc_cli_ctx *ctx = key_get_payload(key, 0);
struct gss_cli_ctx *gctx;
rawobj_t tmpobj = RAWOBJ_EMPTY;
- __u32 datalen32 = (__u32) datalen;
int rc;
ENTRY;
- if (data == NULL || datalen == 0) {
- CWARN("invalid: data %p, len %lu\n", data, (long)datalen);
- RETURN(-EINVAL);
- }
+ if (data == NULL || datalen32 == 0) {
+ CWARN("invalid: data %p, len %lu\n", data, (long)datalen32);
+ RETURN(-EINVAL);
+ }
/* if upcall finished negotiation too fast (mostly likely because
* of local error happened) and call kt_update(), the ctx
goto out;
}
- if (gctx->gc_win == 0) {
- __u32 nego_rpc_err, nego_gss_err;
+ if (gctx->gc_win == 0) {
+ __u32 nego_rpc_err, nego_gss_err;
- rc = buffer_extract_bytes(&data, &datalen32, &nego_rpc_err,
- sizeof(nego_rpc_err));
- if (rc) {
- CERROR("failed to extrace rpc rc\n");
- goto out;
- }
+ rc = buffer_extract_bytes(&data, &datalen32, &nego_rpc_err,
+ sizeof(nego_rpc_err));
+ if (rc) {
+ CERROR("cannot extract RPC: rc = %d\n", rc);
+ goto out;
+ }
- rc = buffer_extract_bytes(&data, &datalen32, &nego_gss_err,
- sizeof(nego_gss_err));
- if (rc) {
- CERROR("failed to extrace gss rc\n");
- goto out;
- }
+ rc = buffer_extract_bytes(&data, &datalen32, &nego_gss_err,
+ sizeof(nego_gss_err));
+ if (rc) {
+ CERROR("failed to extract gss rc = %d\n", rc);
+ goto out;
+ }
- CERROR("negotiation: rpc err %d, gss err %x\n",
- nego_rpc_err, nego_gss_err);
+ CERROR("negotiation: rpc err %d, gss err %x\n",
+ nego_rpc_err, nego_gss_err);
- rc = nego_rpc_err ? nego_rpc_err : -EACCES;
- } else {
- rc = rawobj_extract_local_alloc(&gctx->gc_handle,
- (__u32 **) &data, &datalen32);
- if (rc) {
- CERROR("failed extract handle\n");
- goto out;
- }
+ rc = nego_rpc_err ? nego_rpc_err : -EACCES;
+ } else {
+ rc = rawobj_extract_local_alloc(&gctx->gc_handle,
+ (__u32 **) &data, &datalen32);
+ if (rc) {
+ CERROR("failed extract handle\n");
+ goto out;
+ }
- rc = rawobj_extract_local(&tmpobj, (__u32 **) &data,&datalen32);
- if (rc) {
- CERROR("failed extract mech\n");
- goto out;
- }
+ rc = rawobj_extract_local(&tmpobj,
+ (__u32 **) &data, &datalen32);
+ if (rc) {
+ CERROR("failed extract mech\n");
+ goto out;
+ }
- rc = lgss_import_sec_context(&tmpobj,
- sec2gsec(ctx->cc_sec)->gs_mech,
- &gctx->gc_mechctx);
- if (rc != GSS_S_COMPLETE)
- CERROR("failed import context\n");
- else
- rc = 0;
- }
+ rc = lgss_import_sec_context(&tmpobj,
+ sec2gsec(ctx->cc_sec)->gs_mech,
+ &gctx->gc_mechctx);
+ if (rc != GSS_S_COMPLETE)
+ CERROR("failed import context\n");
+ else
+ rc = 0;
+ }
out:
/* we don't care what current status of this ctx, even someone else
* is operating on the ctx at the same time. we just add up our own
RETURN(0);
}
-static
-int gss_kt_match(const struct key *key, const void *desc)
+#ifndef HAVE_KEY_MATCH_DATA
+static int
+gss_kt_match(const struct key *key, const void *desc)
+{
+ return strcmp(key->description, (const char *) desc) == 0 &&
+ !test_bit(KEY_FLAG_REVOKED, &key->flags);
+}
+#else /* ! HAVE_KEY_MATCH_DATA */
+static bool
+gss_kt_match(const struct key *key, const struct key_match_data *match_data)
+{
+ const char *desc = match_data->raw_data;
+
+ return strcmp(key->description, desc) == 0 &&
+ !test_bit(KEY_FLAG_REVOKED, &key->flags);
+}
+
+/*
+ * Preparse the match criterion.
+ */
+static int gss_kt_match_preparse(struct key_match_data *match_data)
{
- return (strcmp(key->description, (const char *) desc) == 0);
+ match_data->lookup_type = KEYRING_SEARCH_LOOKUP_DIRECT;
+ match_data->cmp = gss_kt_match;
+ return 0;
}
+#endif /* HAVE_KEY_MATCH_DATA */
static
void gss_kt_destroy(struct key *key)
{
ENTRY;
- LASSERT(key->payload.data == NULL);
+ LASSERT(!key_get_payload(key, 0));
CDEBUG(D_SEC, "destroy key %p\n", key);
EXIT;
}
static struct key_type gss_key_type =
{
- .name = "lgssc",
- .def_datalen = 0,
- .instantiate = gss_kt_instantiate,
- .update = gss_kt_update,
- .match = gss_kt_match,
- .destroy = gss_kt_destroy,
- .describe = gss_kt_describe,
+ .name = "lgssc",
+ .def_datalen = 0,
+ .instantiate = gss_kt_instantiate,
+ .update = gss_kt_update,
+#ifdef HAVE_KEY_MATCH_DATA
+ .match_preparse = gss_kt_match_preparse,
+#else
+ .match = gss_kt_match,
+#endif
+ .destroy = gss_kt_destroy,
+ .describe = gss_kt_describe,
};
/****************************************
git://git.whamcloud.com / fs / lustre-release.git / blobdiff