~ [ source navigation ] ~ [ diff markup ] ~ [ identifier search ] ~

TOMOYO Linux Cross Reference
Linux/include/linux/sunrpc/svcauth.h

Version: ~ [ linux-5.18-rc6 ] ~ [ linux-5.17.6 ] ~ [ linux-5.16.20 ] ~ [ linux-5.15.38 ] ~ [ linux-5.14.21 ] ~ [ linux-5.13.19 ] ~ [ linux-5.12.19 ] ~ [ linux-5.11.22 ] ~ [ linux-5.10.114 ] ~ [ linux-5.9.16 ] ~ [ linux-5.8.18 ] ~ [ linux-5.7.19 ] ~ [ linux-5.6.19 ] ~ [ linux-5.5.19 ] ~ [ linux-5.4.192 ] ~ [ linux-5.3.18 ] ~ [ linux-5.2.21 ] ~ [ linux-5.1.21 ] ~ [ linux-5.0.21 ] ~ [ linux-4.20.17 ] ~ [ linux-4.19.241 ] ~ [ linux-4.18.20 ] ~ [ linux-4.17.19 ] ~ [ linux-4.16.18 ] ~ [ linux-4.15.18 ] ~ [ linux-4.14.277 ] ~ [ linux-4.13.16 ] ~ [ linux-4.12.14 ] ~ [ linux-4.11.12 ] ~ [ linux-4.10.17 ] ~ [ linux-4.9.312 ] ~ [ linux-4.8.17 ] ~ [ linux-4.7.10 ] ~ [ linux-4.6.7 ] ~ [ linux-4.5.7 ] ~ [ linux-4.4.302 ] ~ [ linux-4.3.6 ] ~ [ linux-4.2.8 ] ~ [ linux-4.1.52 ] ~ [ linux-4.0.9 ] ~ [ linux-3.10.108 ] ~ [ linux-2.6.32.71 ] ~ [ linux-2.6.0 ] ~ [ linux-2.4.37.11 ] ~ [ unix-v6-master ] ~ [ ccs-tools-1.8.9 ] ~ [ policy-sample ] ~
Architecture: ~ [ i386 ] ~ [ alpha ] ~ [ m68k ] ~ [ mips ] ~ [ ppc ] ~ [ sparc ] ~ [ sparc64 ] ~

  1 /* SPDX-License-Identifier: GPL-2.0 */
  2 /*
  3  * linux/include/linux/sunrpc/svcauth.h
  4  *
  5  * RPC server-side authentication stuff.
  6  *
  7  * Copyright (C) 1995, 1996 Olaf Kirch <okir@monad.swb.de>
  8  */
  9 
 10 #ifndef _LINUX_SUNRPC_SVCAUTH_H_
 11 #define _LINUX_SUNRPC_SVCAUTH_H_
 12 
 13 #ifdef __KERNEL__
 14 
 15 #include <linux/string.h>
 16 #include <linux/sunrpc/msg_prot.h>
 17 #include <linux/sunrpc/cache.h>
 18 #include <linux/sunrpc/gss_api.h>
 19 #include <linux/hash.h>
 20 #include <linux/stringhash.h>
 21 #include <linux/cred.h>
 22 
 23 struct svc_cred {
 24         kuid_t                  cr_uid;
 25         kgid_t                  cr_gid;
 26         struct group_info       *cr_group_info;
 27         u32                     cr_flavor; /* pseudoflavor */
 28         /* name of form servicetype/hostname@REALM, passed down by
 29          * gss-proxy: */
 30         char                    *cr_raw_principal;
 31         /* name of form servicetype@hostname, passed down by
 32          * rpc.svcgssd, or computed from the above: */
 33         char                    *cr_principal;
 34         char                    *cr_targ_princ;
 35         struct gss_api_mech     *cr_gss_mech;
 36 };
 37 
 38 static inline void init_svc_cred(struct svc_cred *cred)
 39 {
 40         cred->cr_group_info = NULL;
 41         cred->cr_raw_principal = NULL;
 42         cred->cr_principal = NULL;
 43         cred->cr_targ_princ = NULL;
 44         cred->cr_gss_mech = NULL;
 45 }
 46 
 47 static inline void free_svc_cred(struct svc_cred *cred)
 48 {
 49         if (cred->cr_group_info)
 50                 put_group_info(cred->cr_group_info);
 51         kfree(cred->cr_raw_principal);
 52         kfree(cred->cr_principal);
 53         kfree(cred->cr_targ_princ);
 54         gss_mech_put(cred->cr_gss_mech);
 55         init_svc_cred(cred);
 56 }
 57 
 58 struct svc_rqst;                /* forward decl */
 59 struct in6_addr;
 60 
 61 /* Authentication is done in the context of a domain.
 62  *
 63  * Currently, the nfs server uses the auth_domain to stand
 64  * for the "client" listed in /etc/exports.
 65  *
 66  * More generally, a domain might represent a group of clients using
 67  * a common mechanism for authentication and having a common mapping
 68  * between local identity (uid) and network identity.  All clients
 69  * in a domain have similar general access rights.  Each domain can
 70  * contain multiple principals which will have different specific right
 71  * based on normal Discretionary Access Control.
 72  *
 73  * A domain is created by an authentication flavour module based on name
 74  * only.  Userspace then fills in detail on demand.
 75  *
 76  * In the case of auth_unix and auth_null, the auth_domain is also
 77  * associated with entries in another cache representing the mapping
 78  * of ip addresses to the given client.
 79  */
 80 struct auth_domain {
 81         struct kref             ref;
 82         struct hlist_node       hash;
 83         char                    *name;
 84         struct auth_ops         *flavour;
 85         struct rcu_head         rcu_head;
 86 };
 87 
 88 /*
 89  * Each authentication flavour registers an auth_ops
 90  * structure.
 91  * name is simply the name.
 92  * flavour gives the auth flavour. It determines where the flavour is registered
 93  * accept() is given a request and should verify it.
 94  *   It should inspect the authenticator and verifier, and possibly the data.
 95  *    If there is a problem with the authentication *authp should be set.
 96  *    The return value of accept() can indicate:
 97  *      OK - authorised. client and credential are set in rqstp.
 98  *           reqbuf points to arguments
 99  *           resbuf points to good place for results.  verfier
100  *             is (probably) already in place.  Certainly space is
101  *             reserved for it.
102  *      DROP - simply drop the request. It may have been deferred
103  *      GARBAGE - rpc garbage_args error
104  *      SYSERR - rpc system_err error
105  *      DENIED - authp holds reason for denial.
106  *      COMPLETE - the reply is encoded already and ready to be sent; no
107  *              further processing is necessary.  (This is used for processing
108  *              null procedure calls which are used to set up encryption
109  *              contexts.)
110  *
111  *   accept is passed the proc number so that it can accept NULL rpc requests
112  *   even if it cannot authenticate the client (as is sometimes appropriate).
113  *
114  * release() is given a request after the procedure has been run.
115  *  It should sign/encrypt the results if needed
116  * It should return:
117  *    OK - the resbuf is ready to be sent
118  *    DROP - the reply should be quitely dropped
119  *    DENIED - authp holds a reason for MSG_DENIED
120  *    SYSERR - rpc system_err
121  *
122  * domain_release()
123  *   This call releases a domain.
124  * set_client()
125  *   Givens a pending request (struct svc_rqst), finds and assigns
126  *   an appropriate 'auth_domain' as the client.
127  */
128 struct auth_ops {
129         char *  name;
130         struct module *owner;
131         int     flavour;
132         int     (*accept)(struct svc_rqst *rq, __be32 *authp);
133         int     (*release)(struct svc_rqst *rq);
134         void    (*domain_release)(struct auth_domain *);
135         int     (*set_client)(struct svc_rqst *rq);
136 };
137 
138 #define SVC_GARBAGE     1
139 #define SVC_SYSERR      2
140 #define SVC_VALID       3
141 #define SVC_NEGATIVE    4
142 #define SVC_OK          5
143 #define SVC_DROP        6
144 #define SVC_CLOSE       7       /* Like SVC_DROP, but request is definitely
145                                  * lost so if there is a tcp connection, it
146                                  * should be closed
147                                  */
148 #define SVC_DENIED      8
149 #define SVC_PENDING     9
150 #define SVC_COMPLETE    10
151 
152 struct svc_xprt;
153 
154 extern int      svc_authenticate(struct svc_rqst *rqstp, __be32 *authp);
155 extern int      svc_authorise(struct svc_rqst *rqstp);
156 extern int      svc_set_client(struct svc_rqst *rqstp);
157 extern int      svc_auth_register(rpc_authflavor_t flavor, struct auth_ops *aops);
158 extern void     svc_auth_unregister(rpc_authflavor_t flavor);
159 
160 extern struct auth_domain *unix_domain_find(char *name);
161 extern void auth_domain_put(struct auth_domain *item);
162 extern int auth_unix_add_addr(struct net *net, struct in6_addr *addr, struct auth_domain *dom);
163 extern struct auth_domain *auth_domain_lookup(char *name, struct auth_domain *new);
164 extern struct auth_domain *auth_domain_find(char *name);
165 extern struct auth_domain *auth_unix_lookup(struct net *net, struct in6_addr *addr);
166 extern int auth_unix_forget_old(struct auth_domain *dom);
167 extern void svcauth_unix_purge(struct net *net);
168 extern void svcauth_unix_info_release(struct svc_xprt *xpt);
169 extern int svcauth_unix_set_client(struct svc_rqst *rqstp);
170 
171 extern int unix_gid_cache_create(struct net *net);
172 extern void unix_gid_cache_destroy(struct net *net);
173 
174 /*
175  * The <stringhash.h> functions are good enough that we don't need to
176  * use hash_32() on them; just extracting the high bits is enough.
177  */
178 static inline unsigned long hash_str(char const *name, int bits)
179 {
180         return hashlen_hash(hashlen_string(NULL, name)) >> (32 - bits);
181 }
182 
183 static inline unsigned long hash_mem(char const *buf, int length, int bits)
184 {
185         return full_name_hash(NULL, buf, length) >> (32 - bits);
186 }
187 
188 #endif /* __KERNEL__ */
189 
190 #endif /* _LINUX_SUNRPC_SVCAUTH_H_ */
191 

~ [ source navigation ] ~ [ diff markup ] ~ [ identifier search ] ~

kernel.org | git.kernel.org | LWN.net | Project Home | Wiki (Japanese) | Wiki (English) | SVN repository | Mail admin

Linux® is a registered trademark of Linus Torvalds in the United States and other countries.
TOMOYO® is a registered trademark of NTT DATA CORPORATION.

osdn.jp