4 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
6 * This program is free software; you can redistribute it and/or modify
7 * it under the terms of the GNU General Public License version 2 only,
8 * as published by the Free Software Foundation.
10 * This program is distributed in the hope that it will be useful, but
11 * WITHOUT ANY WARRANTY; without even the implied warranty of
12 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
13 * General Public License version 2 for more details (a copy is included
14 * in the LICENSE file that accompanied this code).
16 * You should have received a copy of the GNU General Public License
17 * version 2 along with this program; If not, see
18 * http://www.sun.com/software/products/lustre/docs/GPLv2.pdf
20 * Please contact Sun Microsystems, Inc., 4150 Network Circle, Santa Clara,
21 * CA 95054 USA or visit www.sun.com if you need additional information or
27 * Copyright (c) 2007, 2010, Oracle and/or its affiliates. All rights reserved.
28 * Use is subject to license terms.
30 * Copyright (c) 2012, Intel Corporation.
33 * This file is part of Lustre, http://www.lustre.org/
34 * Lustre is a trademark of Sun Microsystems, Inc.
36 * lustre/ptlrpc/gss/gss_keyring.c
38 * Author: Eric Mei <ericm@clusterfs.com>
41 #define DEBUG_SUBSYSTEM S_SEC
42 #include <linux/init.h>
43 #include <linux/module.h>
44 #include <linux/slab.h>
45 #include <linux/dcache.h>
47 #include <linux/crypto.h>
48 #include <linux/key.h>
49 #include <linux/keyctl.h>
50 #include <linux/key-type.h>
51 #include <linux/mutex.h>
52 #include <asm/atomic.h>
55 #include <obd_class.h>
56 #include <obd_support.h>
57 #include <lustre/lustre_idl.h>
58 #include <lustre_sec.h>
59 #include <lustre_net.h>
60 #include <lustre_import.h>
63 #include "gss_internal.h"
66 static struct ptlrpc_sec_policy gss_policy_keyring
;
67 static struct ptlrpc_ctx_ops gss_keyring_ctxops
;
68 static struct key_type gss_key_type
;
70 static int sec_install_rctx_kr(struct ptlrpc_sec
*sec
,
71 struct ptlrpc_svc_ctx
*svc_ctx
);
74 * the timeout is only for the case that upcall child process die abnormally.
75 * in any other cases it should finally update kernel key.
77 * FIXME we'd better to incorporate the client & server side upcall timeouts
78 * into the framework of Adaptive Timeouts, but we need to figure out how to
79 * make sure that kernel knows the upcall processes is in-progress or died
82 #define KEYRING_UPCALL_TIMEOUT (obd_timeout + obd_timeout)
84 /****************************************
86 ****************************************/
88 #define DUMP_PROCESS_KEYRINGS(tsk) \
90 CWARN("DUMP PK: %s[%u,%u/%u](<-%s[%u,%u/%u]): " \
91 "a %d, t %d, p %d, s %d, u %d, us %d, df %d\n", \
92 tsk->comm, tsk->pid, tsk->uid, tsk->fsuid, \
93 tsk->parent->comm, tsk->parent->pid, \
94 tsk->parent->uid, tsk->parent->fsuid, \
95 tsk->request_key_auth ? \
96 tsk->request_key_auth->serial : 0, \
97 key_cred(tsk)->thread_keyring ? \
98 key_cred(tsk)->thread_keyring->serial : 0, \
99 key_tgcred(tsk)->process_keyring ? \
100 key_tgcred(tsk)->process_keyring->serial : 0, \
101 key_tgcred(tsk)->session_keyring ? \
102 key_tgcred(tsk)->session_keyring->serial : 0, \
103 key_cred(tsk)->user->uid_keyring ? \
104 key_cred(tsk)->user->uid_keyring->serial : 0, \
105 key_cred(tsk)->user->session_keyring ? \
106 key_cred(tsk)->user->session_keyring->serial : 0, \
107 key_cred(tsk)->jit_keyring \
111 #define DUMP_KEY(key) \
113 CWARN("DUMP KEY: %p(%d) ref %d u%u/g%u desc %s\n", \
114 key, key->serial, atomic_read(&key->usage), \
115 key->uid, key->gid, \
116 key->description ? key->description : "n/a" \
120 #define key_cred(tsk) ((tsk)->cred)
121 #define key_tgcred(tsk) ((tsk)->cred->tgcred)
123 static inline void keyring_upcall_lock(struct gss_sec_keyring
*gsec_kr
)
125 #ifdef HAVE_KEYRING_UPCALL_SERIALIZED
126 mutex_lock(&gsec_kr
->gsk_uc_lock
);
130 static inline void keyring_upcall_unlock(struct gss_sec_keyring
*gsec_kr
)
132 #ifdef HAVE_KEYRING_UPCALL_SERIALIZED
133 mutex_unlock(&gsec_kr
->gsk_uc_lock
);
137 static inline void key_revoke_locked(struct key
*key
)
139 set_bit(KEY_FLAG_REVOKED
, &key
->flags
);
142 static void ctx_upcall_timeout_kr(unsigned long data
)
144 struct ptlrpc_cli_ctx
*ctx
= (struct ptlrpc_cli_ctx
*) data
;
145 struct key
*key
= ctx2gctx_keyring(ctx
)->gck_key
;
147 CWARN("ctx %p, key %p\n", ctx
, key
);
152 key_revoke_locked(key
);
156 void ctx_start_timer_kr(struct ptlrpc_cli_ctx
*ctx
, long timeout
)
158 struct gss_cli_ctx_keyring
*gctx_kr
= ctx2gctx_keyring(ctx
);
159 struct timer_list
*timer
= gctx_kr
->gck_timer
;
163 CDEBUG(D_SEC
, "ctx %p: start timer %lds\n", ctx
, timeout
);
164 timeout
= timeout
* HZ
+ cfs_time_current();
167 timer
->expires
= timeout
;
168 timer
->data
= (unsigned long ) ctx
;
169 timer
->function
= ctx_upcall_timeout_kr
;
175 * caller should make sure no race with other threads
178 void ctx_clear_timer_kr(struct ptlrpc_cli_ctx
*ctx
)
180 struct gss_cli_ctx_keyring
*gctx_kr
= ctx2gctx_keyring(ctx
);
181 struct timer_list
*timer
= gctx_kr
->gck_timer
;
186 CDEBUG(D_SEC
, "ctx %p, key %p\n", ctx
, gctx_kr
->gck_key
);
188 gctx_kr
->gck_timer
= NULL
;
190 del_singleshot_timer_sync(timer
);
196 struct ptlrpc_cli_ctx
*ctx_create_kr(struct ptlrpc_sec
*sec
,
197 struct vfs_cred
*vcred
)
199 struct ptlrpc_cli_ctx
*ctx
;
200 struct gss_cli_ctx_keyring
*gctx_kr
;
202 OBD_ALLOC_PTR(gctx_kr
);
206 OBD_ALLOC_PTR(gctx_kr
->gck_timer
);
207 if (gctx_kr
->gck_timer
== NULL
) {
208 OBD_FREE_PTR(gctx_kr
);
211 init_timer(gctx_kr
->gck_timer
);
213 ctx
= &gctx_kr
->gck_base
.gc_base
;
215 if (gss_cli_ctx_init_common(sec
, ctx
, &gss_keyring_ctxops
, vcred
)) {
216 OBD_FREE_PTR(gctx_kr
->gck_timer
);
217 OBD_FREE_PTR(gctx_kr
);
221 ctx
->cc_expire
= cfs_time_current_sec() + KEYRING_UPCALL_TIMEOUT
;
222 clear_bit(PTLRPC_CTX_NEW_BIT
, &ctx
->cc_flags
);
223 atomic_inc(&ctx
->cc_refcount
); /* for the caller */
228 static void ctx_destroy_kr(struct ptlrpc_cli_ctx
*ctx
)
230 struct ptlrpc_sec
*sec
= ctx
->cc_sec
;
231 struct gss_cli_ctx_keyring
*gctx_kr
= ctx2gctx_keyring(ctx
);
233 CDEBUG(D_SEC
, "destroying ctx %p\n", ctx
);
235 /* at this time the association with key has been broken. */
237 LASSERT(atomic_read(&sec
->ps_refcount
) > 0);
238 LASSERT(atomic_read(&sec
->ps_nctx
) > 0);
239 LASSERT(test_bit(PTLRPC_CTX_CACHED_BIT
, &ctx
->cc_flags
) == 0);
240 LASSERT(gctx_kr
->gck_key
== NULL
);
242 ctx_clear_timer_kr(ctx
);
243 LASSERT(gctx_kr
->gck_timer
== NULL
);
245 if (gss_cli_ctx_fini_common(sec
, ctx
))
248 OBD_FREE_PTR(gctx_kr
);
250 atomic_dec(&sec
->ps_nctx
);
251 sptlrpc_sec_put(sec
);
254 static void ctx_release_kr(struct ptlrpc_cli_ctx
*ctx
, int sync
)
259 atomic_inc(&ctx
->cc_refcount
);
260 sptlrpc_gc_add_ctx(ctx
);
264 static void ctx_put_kr(struct ptlrpc_cli_ctx
*ctx
, int sync
)
266 LASSERT(atomic_read(&ctx
->cc_refcount
) > 0);
268 if (atomic_dec_and_test(&ctx
->cc_refcount
))
269 ctx_release_kr(ctx
, sync
);
273 * key <-> ctx association and rules:
274 * - ctx might not bind with any key
275 * - key/ctx binding is protected by key semaphore (if the key present)
276 * - key and ctx each take a reference of the other
277 * - ctx enlist/unlist is protected by ctx spinlock
278 * - never enlist a ctx after it's been unlisted
279 * - whoever do enlist should also do bind, lock key before enlist:
280 * - lock key -> lock ctx -> enlist -> unlock ctx -> bind -> unlock key
281 * - whoever do unlist should also do unbind:
282 * - lock key -> lock ctx -> unlist -> unlock ctx -> unbind -> unlock key
283 * - lock ctx -> unlist -> unlock ctx -> lock key -> unbind -> unlock key
286 static inline void spin_lock_if(spinlock_t
*lock
, int condition
)
292 static inline void spin_unlock_if(spinlock_t
*lock
, int condition
)
298 static void ctx_enlist_kr(struct ptlrpc_cli_ctx
*ctx
, int is_root
, int locked
)
300 struct ptlrpc_sec
*sec
= ctx
->cc_sec
;
301 struct gss_sec_keyring
*gsec_kr
= sec2gsec_keyring(sec
);
303 LASSERT(!test_bit(PTLRPC_CTX_CACHED_BIT
, &ctx
->cc_flags
));
304 LASSERT(atomic_read(&ctx
->cc_refcount
) > 0);
306 spin_lock_if(&sec
->ps_lock
, !locked
);
308 atomic_inc(&ctx
->cc_refcount
);
309 set_bit(PTLRPC_CTX_CACHED_BIT
, &ctx
->cc_flags
);
310 hlist_add_head(&ctx
->cc_cache
, &gsec_kr
->gsk_clist
);
312 gsec_kr
->gsk_root_ctx
= ctx
;
314 spin_unlock_if(&sec
->ps_lock
, !locked
);
318 * Note after this get called, caller should not access ctx again because
319 * it might have been freed, unless caller hold at least one refcount of
322 * return non-zero if we indeed unlist this ctx.
324 static int ctx_unlist_kr(struct ptlrpc_cli_ctx
*ctx
, int locked
)
326 struct ptlrpc_sec
*sec
= ctx
->cc_sec
;
327 struct gss_sec_keyring
*gsec_kr
= sec2gsec_keyring(sec
);
329 /* if hashed bit has gone, leave the job to somebody who is doing it */
330 if (test_and_clear_bit(PTLRPC_CTX_CACHED_BIT
, &ctx
->cc_flags
) == 0)
333 /* drop ref inside spin lock to prevent race with other operations */
334 spin_lock_if(&sec
->ps_lock
, !locked
);
336 if (gsec_kr
->gsk_root_ctx
== ctx
)
337 gsec_kr
->gsk_root_ctx
= NULL
;
338 hlist_del_init(&ctx
->cc_cache
);
339 atomic_dec(&ctx
->cc_refcount
);
341 spin_unlock_if(&sec
->ps_lock
, !locked
);
347 * bind a key with a ctx together.
348 * caller must hold write lock of the key, as well as ref on key & ctx.
350 static void bind_key_ctx(struct key
*key
, struct ptlrpc_cli_ctx
*ctx
)
352 LASSERT(atomic_read(&ctx
->cc_refcount
) > 0);
353 LASSERT(atomic_read(&key
->usage
) > 0);
354 LASSERT(ctx2gctx_keyring(ctx
)->gck_key
== NULL
);
355 LASSERT(key
->payload
.data
== NULL
);
357 /* at this time context may or may not in list. */
359 atomic_inc(&ctx
->cc_refcount
);
360 ctx2gctx_keyring(ctx
)->gck_key
= key
;
361 key
->payload
.data
= ctx
;
365 * unbind a key and a ctx.
366 * caller must hold write lock, as well as a ref of the key.
368 static void unbind_key_ctx(struct key
*key
, struct ptlrpc_cli_ctx
*ctx
)
370 LASSERT(key
->payload
.data
== ctx
);
371 LASSERT(test_bit(PTLRPC_CTX_CACHED_BIT
, &ctx
->cc_flags
) == 0);
373 /* must revoke the key, or others may treat it as newly created */
374 key_revoke_locked(key
);
376 key
->payload
.data
= NULL
;
377 ctx2gctx_keyring(ctx
)->gck_key
= NULL
;
379 /* once ctx get split from key, the timer is meaningless */
380 ctx_clear_timer_kr(ctx
);
387 * given a ctx, unbind with its coupled key, if any.
388 * unbind could only be called once, so we don't worry the key be released
391 static void unbind_ctx_kr(struct ptlrpc_cli_ctx
*ctx
)
393 struct key
*key
= ctx2gctx_keyring(ctx
)->gck_key
;
396 LASSERT(key
->payload
.data
== ctx
);
399 down_write(&key
->sem
);
400 unbind_key_ctx(key
, ctx
);
407 * given a key, unbind with its coupled ctx, if any.
408 * caller must hold write lock, as well as a ref of the key.
410 static void unbind_key_locked(struct key
*key
)
412 struct ptlrpc_cli_ctx
*ctx
= key
->payload
.data
;
415 unbind_key_ctx(key
, ctx
);
419 * unlist a ctx, and unbind from coupled key
421 static void kill_ctx_kr(struct ptlrpc_cli_ctx
*ctx
)
423 if (ctx_unlist_kr(ctx
, 0))
428 * given a key, unlist and unbind with the coupled ctx (if any).
429 * caller must hold write lock, as well as a ref of the key.
431 static void kill_key_locked(struct key
*key
)
433 struct ptlrpc_cli_ctx
*ctx
= key
->payload
.data
;
435 if (ctx
&& ctx_unlist_kr(ctx
, 0))
436 unbind_key_locked(key
);
440 * caller should hold one ref on contexts in freelist.
442 static void dispose_ctx_list_kr(struct hlist_head
*freelist
)
444 struct hlist_node
*next
;
445 struct ptlrpc_cli_ctx
*ctx
;
446 struct gss_cli_ctx
*gctx
;
448 hlist_for_each_entry_safe(ctx
, next
, freelist
, cc_cache
) {
449 hlist_del_init(&ctx
->cc_cache
);
451 /* reverse ctx: update current seq to buddy svcctx if exist.
452 * ideally this should be done at gss_cli_ctx_finalize(), but
453 * the ctx destroy could be delayed by:
454 * 1) ctx still has reference;
455 * 2) ctx destroy is asynchronous;
456 * and reverse import call inval_all_ctx() require this be done
457 *_immediately_ otherwise newly created reverse ctx might copy
458 * the very old sequence number from svcctx. */
459 gctx
= ctx2gctx(ctx
);
460 if (!rawobj_empty(&gctx
->gc_svc_handle
) &&
461 sec_is_reverse(gctx
->gc_base
.cc_sec
)) {
462 gss_svc_upcall_update_sequence(&gctx
->gc_svc_handle
,
463 (__u32
) atomic_read(&gctx
->gc_seq
));
466 /* we need to wakeup waiting reqs here. the context might
467 * be forced released before upcall finished, then the
468 * late-arrived downcall can't find the ctx even. */
469 sptlrpc_cli_ctx_wakeup(ctx
);
477 * lookup a root context directly in a sec, return root ctx with a
478 * reference taken or NULL.
481 struct ptlrpc_cli_ctx
* sec_lookup_root_ctx_kr(struct ptlrpc_sec
*sec
)
483 struct gss_sec_keyring
*gsec_kr
= sec2gsec_keyring(sec
);
484 struct ptlrpc_cli_ctx
*ctx
= NULL
;
486 spin_lock(&sec
->ps_lock
);
488 ctx
= gsec_kr
->gsk_root_ctx
;
490 if (ctx
== NULL
&& unlikely(sec_is_reverse(sec
))) {
491 struct ptlrpc_cli_ctx
*tmp
;
493 /* reverse ctx, search root ctx in list, choose the one
494 * with shortest expire time, which is most possibly have
495 * an established peer ctx at client side. */
496 hlist_for_each_entry(tmp
, &gsec_kr
->gsk_clist
, cc_cache
) {
497 if (ctx
== NULL
|| ctx
->cc_expire
== 0 ||
498 ctx
->cc_expire
> tmp
->cc_expire
) {
500 /* promote to be root_ctx */
501 gsec_kr
->gsk_root_ctx
= ctx
;
507 LASSERT(atomic_read(&ctx
->cc_refcount
) > 0);
508 LASSERT(!hlist_empty(&gsec_kr
->gsk_clist
));
509 atomic_inc(&ctx
->cc_refcount
);
512 spin_unlock(&sec
->ps_lock
);
517 #define RVS_CTX_EXPIRE_NICE (10)
520 void rvs_sec_install_root_ctx_kr(struct ptlrpc_sec
*sec
,
521 struct ptlrpc_cli_ctx
*new_ctx
,
524 struct gss_sec_keyring
*gsec_kr
= sec2gsec_keyring(sec
);
525 struct ptlrpc_cli_ctx
*ctx
;
528 LASSERT(sec_is_reverse(sec
));
530 spin_lock(&sec
->ps_lock
);
532 now
= cfs_time_current_sec();
534 /* set all existing ctxs short expiry */
535 hlist_for_each_entry(ctx
, &gsec_kr
->gsk_clist
, cc_cache
) {
536 if (ctx
->cc_expire
> now
+ RVS_CTX_EXPIRE_NICE
) {
537 ctx
->cc_early_expire
= 1;
538 ctx
->cc_expire
= now
+ RVS_CTX_EXPIRE_NICE
;
542 /* if there's root_ctx there, instead obsolete the current
543 * immediately, we leave it continue operating for a little while.
544 * hopefully when the first backward rpc with newest ctx send out,
545 * the client side already have the peer ctx well established. */
546 ctx_enlist_kr(new_ctx
, gsec_kr
->gsk_root_ctx
? 0 : 1, 1);
549 bind_key_ctx(key
, new_ctx
);
551 spin_unlock(&sec
->ps_lock
);
554 static void construct_key_desc(void *buf
, int bufsize
,
555 struct ptlrpc_sec
*sec
, uid_t uid
)
557 snprintf(buf
, bufsize
, "%d@%x", uid
, sec
->ps_id
);
558 ((char *)buf
)[bufsize
- 1] = '\0';
561 /****************************************
563 ****************************************/
566 struct ptlrpc_sec
* gss_sec_create_kr(struct obd_import
*imp
,
567 struct ptlrpc_svc_ctx
*svcctx
,
568 struct sptlrpc_flavor
*sf
)
570 struct gss_sec_keyring
*gsec_kr
;
572 OBD_ALLOC(gsec_kr
, sizeof(*gsec_kr
));
576 INIT_HLIST_HEAD(&gsec_kr
->gsk_clist
);
577 gsec_kr
->gsk_root_ctx
= NULL
;
578 mutex_init(&gsec_kr
->gsk_root_uc_lock
);
579 #ifdef HAVE_KEYRING_UPCALL_SERIALIZED
580 mutex_init(&gsec_kr
->gsk_uc_lock
);
583 if (gss_sec_create_common(&gsec_kr
->gsk_base
, &gss_policy_keyring
,
587 if (svcctx
!= NULL
&&
588 sec_install_rctx_kr(&gsec_kr
->gsk_base
.gs_base
, svcctx
)) {
589 gss_sec_destroy_common(&gsec_kr
->gsk_base
);
593 return &gsec_kr
->gsk_base
.gs_base
;
596 OBD_FREE(gsec_kr
, sizeof(*gsec_kr
));
601 void gss_sec_destroy_kr(struct ptlrpc_sec
*sec
)
603 struct gss_sec
*gsec
= sec2gsec(sec
);
604 struct gss_sec_keyring
*gsec_kr
= sec2gsec_keyring(sec
);
606 CDEBUG(D_SEC
, "destroy %s@%p\n", sec
->ps_policy
->sp_name
, sec
);
608 LASSERT(hlist_empty(&gsec_kr
->gsk_clist
));
609 LASSERT(gsec_kr
->gsk_root_ctx
== NULL
);
611 gss_sec_destroy_common(gsec
);
613 OBD_FREE(gsec_kr
, sizeof(*gsec_kr
));
616 static inline int user_is_root(struct ptlrpc_sec
*sec
, struct vfs_cred
*vcred
)
618 /* except the ROOTONLY flag, treat it as root user only if real uid
619 * is 0, euid/fsuid being 0 are handled as setuid scenarios */
620 if (sec_is_rootonly(sec
) || (vcred
->vc_uid
== 0))
627 * unlink request key from it's ring, which is linked during request_key().
628 * sadly, we have to 'guess' which keyring it's linked to.
630 * FIXME this code is fragile, depend on how request_key_link() is implemented.
632 static void request_key_unlink(struct key
*key
)
634 struct task_struct
*tsk
= current
;
637 switch (key_cred(tsk
)->jit_keyring
) {
638 case KEY_REQKEY_DEFL_DEFAULT
:
639 case KEY_REQKEY_DEFL_THREAD_KEYRING
:
640 ring
= key_get(key_cred(tsk
)->thread_keyring
);
643 case KEY_REQKEY_DEFL_PROCESS_KEYRING
:
644 ring
= key_get(key_tgcred(tsk
)->process_keyring
);
647 case KEY_REQKEY_DEFL_SESSION_KEYRING
:
649 ring
= key_get(rcu_dereference(key_tgcred(tsk
)
654 case KEY_REQKEY_DEFL_USER_SESSION_KEYRING
:
655 ring
= key_get(key_cred(tsk
)->user
->session_keyring
);
657 case KEY_REQKEY_DEFL_USER_KEYRING
:
658 ring
= key_get(key_cred(tsk
)->user
->uid_keyring
);
660 case KEY_REQKEY_DEFL_GROUP_KEYRING
:
666 key_unlink(ring
, key
);
671 struct ptlrpc_cli_ctx
* gss_sec_lookup_ctx_kr(struct ptlrpc_sec
*sec
,
672 struct vfs_cred
*vcred
,
673 int create
, int remove_dead
)
675 struct obd_import
*imp
= sec
->ps_import
;
676 struct gss_sec_keyring
*gsec_kr
= sec2gsec_keyring(sec
);
677 struct ptlrpc_cli_ctx
*ctx
= NULL
;
678 unsigned int is_root
= 0, create_new
= 0;
685 LASSERT(imp
!= NULL
);
687 is_root
= user_is_root(sec
, vcred
);
689 /* a little bit optimization for root context */
691 ctx
= sec_lookup_root_ctx_kr(sec
);
693 * Only lookup directly for REVERSE sec, which should
696 if (ctx
|| sec_is_reverse(sec
))
700 LASSERT(create
!= 0);
702 /* for root context, obtain lock and check again, this time hold
703 * the root upcall lock, make sure nobody else populated new root
704 * context after last check. */
706 mutex_lock(&gsec_kr
->gsk_root_uc_lock
);
708 ctx
= sec_lookup_root_ctx_kr(sec
);
712 /* update reverse handle for root user */
713 sec2gsec(sec
)->gs_rvs_hdl
= gss_get_next_ctx_index();
715 switch (sec
->ps_part
) {
734 /* in case of setuid, key will be constructed as owner of fsuid/fsgid,
735 * but we do authentication based on real uid/gid. the key permission
736 * bits will be exactly as POS_ALL, so only processes who subscribed
737 * this key could have the access, although the quota might be counted
738 * on others (fsuid/fsgid).
740 * keyring will use fsuid/fsgid as upcall parameters, so we have to
741 * encode real uid/gid into callout info.
744 construct_key_desc(desc
, sizeof(desc
), sec
, vcred
->vc_uid
);
746 /* callout info format:
747 * secid:mech:uid:gid:flags:svc_type:peer_nid:target_uuid
749 coinfo_size
= sizeof(struct obd_uuid
) + MAX_OBD_NAME
+ 64;
750 OBD_ALLOC(coinfo
, coinfo_size
);
754 snprintf(coinfo
, coinfo_size
, "%d:%s:%u:%u:%s:%d:"LPX64
":%s",
755 sec
->ps_id
, sec2gsec(sec
)->gs_mech
->gm_name
,
756 vcred
->vc_uid
, vcred
->vc_gid
,
757 co_flags
, import_to_gss_svc(imp
),
758 imp
->imp_connection
->c_peer
.nid
, imp
->imp_obd
->obd_name
);
760 CDEBUG(D_SEC
, "requesting key for %s\n", desc
);
762 keyring_upcall_lock(gsec_kr
);
763 key
= request_key(&gss_key_type
, desc
, coinfo
);
764 keyring_upcall_unlock(gsec_kr
);
766 OBD_FREE(coinfo
, coinfo_size
);
769 CERROR("failed request key: %ld\n", PTR_ERR(key
));
772 CDEBUG(D_SEC
, "obtained key %08x for %s\n", key
->serial
, desc
);
774 /* once payload.data was pointed to a ctx, it never changes until
775 * we de-associate them; but parallel request_key() may return
776 * a key with payload.data == NULL at the same time. so we still
777 * need wirtelock of key->sem to serialize them. */
778 down_write(&key
->sem
);
780 if (likely(key
->payload
.data
!= NULL
)) {
781 ctx
= key
->payload
.data
;
783 LASSERT(atomic_read(&ctx
->cc_refcount
) >= 1);
784 LASSERT(ctx2gctx_keyring(ctx
)->gck_key
== key
);
785 LASSERT(atomic_read(&key
->usage
) >= 2);
787 /* simply take a ref and return. it's upper layer's
788 * responsibility to detect & replace dead ctx. */
789 atomic_inc(&ctx
->cc_refcount
);
791 /* pre initialization with a cli_ctx. this can't be done in
792 * key_instantiate() because we'v no enough information
794 ctx
= ctx_create_kr(sec
, vcred
);
796 ctx_enlist_kr(ctx
, is_root
, 0);
797 bind_key_ctx(key
, ctx
);
799 ctx_start_timer_kr(ctx
, KEYRING_UPCALL_TIMEOUT
);
801 CDEBUG(D_SEC
, "installed key %p <-> ctx %p (sec %p)\n",
804 /* we'd prefer to call key_revoke(), but we more like
805 * to revoke it within this key->sem locked period. */
806 key_revoke_locked(key
);
814 if (is_root
&& create_new
)
815 request_key_unlink(key
);
820 mutex_unlock(&gsec_kr
->gsk_root_uc_lock
);
825 void gss_sec_release_ctx_kr(struct ptlrpc_sec
*sec
,
826 struct ptlrpc_cli_ctx
*ctx
,
829 LASSERT(atomic_read(&sec
->ps_refcount
) > 0);
830 LASSERT(atomic_read(&ctx
->cc_refcount
) == 0);
831 ctx_release_kr(ctx
, sync
);
835 * flush context of normal user, we must resort to keyring itself to find out
836 * contexts which belong to me.
838 * Note here we suppose only to flush _my_ context, the "uid" will
839 * be ignored in the search.
842 void flush_user_ctx_cache_kr(struct ptlrpc_sec
*sec
,
844 int grace
, int force
)
849 /* nothing to do for reverse or rootonly sec */
850 if (sec_is_reverse(sec
) || sec_is_rootonly(sec
))
853 construct_key_desc(desc
, sizeof(desc
), sec
, uid
);
855 /* there should be only one valid key, but we put it in the
856 * loop in case of any weird cases */
858 key
= request_key(&gss_key_type
, desc
, NULL
);
860 CDEBUG(D_SEC
, "No more key found for current user\n");
864 down_write(&key
->sem
);
866 kill_key_locked(key
);
868 /* kill_key_locked() should usually revoke the key, but we
869 * revoke it again to make sure, e.g. some case the key may
870 * not well coupled with a context. */
871 key_revoke_locked(key
);
880 * flush context of root or all, we iterate through the list.
883 void flush_spec_ctx_cache_kr(struct ptlrpc_sec
*sec
,
885 int grace
, int force
)
887 struct gss_sec_keyring
*gsec_kr
;
888 struct hlist_head freelist
= HLIST_HEAD_INIT
;
889 struct hlist_node
*next
;
890 struct ptlrpc_cli_ctx
*ctx
;
892 gsec_kr
= sec2gsec_keyring(sec
);
894 spin_lock(&sec
->ps_lock
);
895 hlist_for_each_entry_safe(ctx
, next
,
896 &gsec_kr
->gsk_clist
, cc_cache
) {
897 LASSERT(atomic_read(&ctx
->cc_refcount
) > 0);
899 if (uid
!= -1 && uid
!= ctx
->cc_vcred
.vc_uid
)
902 /* at this moment there's at least 2 base reference:
903 * key association and in-list. */
904 if (atomic_read(&ctx
->cc_refcount
) > 2) {
907 CWARN("flush busy ctx %p(%u->%s, extra ref %d)\n",
908 ctx
, ctx
->cc_vcred
.vc_uid
,
909 sec2target_str(ctx
->cc_sec
),
910 atomic_read(&ctx
->cc_refcount
) - 2);
913 set_bit(PTLRPC_CTX_DEAD_BIT
, &ctx
->cc_flags
);
915 clear_bit(PTLRPC_CTX_UPTODATE_BIT
, &ctx
->cc_flags
);
917 atomic_inc(&ctx
->cc_refcount
);
919 if (ctx_unlist_kr(ctx
, 1)) {
920 hlist_add_head(&ctx
->cc_cache
, &freelist
);
922 LASSERT(atomic_read(&ctx
->cc_refcount
) >= 2);
923 atomic_dec(&ctx
->cc_refcount
);
926 spin_unlock(&sec
->ps_lock
);
928 dispose_ctx_list_kr(&freelist
);
932 int gss_sec_flush_ctx_cache_kr(struct ptlrpc_sec
*sec
,
933 uid_t uid
, int grace
, int force
)
935 CDEBUG(D_SEC
, "sec %p(%d, nctx %d), uid %d, grace %d, force %d\n",
936 sec
, atomic_read(&sec
->ps_refcount
),
937 atomic_read(&sec
->ps_nctx
),
940 if (uid
!= -1 && uid
!= 0)
941 flush_user_ctx_cache_kr(sec
, uid
, grace
, force
);
943 flush_spec_ctx_cache_kr(sec
, uid
, grace
, force
);
949 void gss_sec_gc_ctx_kr(struct ptlrpc_sec
*sec
)
951 struct gss_sec_keyring
*gsec_kr
= sec2gsec_keyring(sec
);
952 struct hlist_head freelist
= HLIST_HEAD_INIT
;
953 struct hlist_node
*next
;
954 struct ptlrpc_cli_ctx
*ctx
;
956 CWARN("running gc\n");
958 spin_lock(&sec
->ps_lock
);
959 hlist_for_each_entry_safe(ctx
, next
,
960 &gsec_kr
->gsk_clist
, cc_cache
) {
961 LASSERT(atomic_read(&ctx
->cc_refcount
) > 0);
963 atomic_inc(&ctx
->cc_refcount
);
965 if (cli_ctx_check_death(ctx
) && ctx_unlist_kr(ctx
, 1)) {
966 hlist_add_head(&ctx
->cc_cache
, &freelist
);
967 CWARN("unhashed ctx %p\n", ctx
);
969 LASSERT(atomic_read(&ctx
->cc_refcount
) >= 2);
970 atomic_dec(&ctx
->cc_refcount
);
973 spin_unlock(&sec
->ps_lock
);
975 dispose_ctx_list_kr(&freelist
);
979 int gss_sec_display_kr(struct ptlrpc_sec
*sec
, struct seq_file
*seq
)
981 struct gss_sec_keyring
*gsec_kr
= sec2gsec_keyring(sec
);
982 struct hlist_node
*next
;
983 struct ptlrpc_cli_ctx
*ctx
;
984 struct gss_cli_ctx
*gctx
;
985 time_t now
= cfs_time_current_sec();
987 spin_lock(&sec
->ps_lock
);
988 hlist_for_each_entry_safe(ctx
, next
,
989 &gsec_kr
->gsk_clist
, cc_cache
) {
994 gctx
= ctx2gctx(ctx
);
995 key
= ctx2gctx_keyring(ctx
)->gck_key
;
997 gss_cli_ctx_flags2str(ctx
->cc_flags
,
998 flags_str
, sizeof(flags_str
));
1000 if (gctx
->gc_mechctx
)
1001 lgss_display(gctx
->gc_mechctx
, mech
, sizeof(mech
));
1003 snprintf(mech
, sizeof(mech
), "N/A");
1004 mech
[sizeof(mech
) - 1] = '\0';
1006 seq_printf(seq
, "%p: uid %u, ref %d, expire %ld(%+ld), fl %s, "
1007 "seq %d, win %u, key %08x(ref %d), "
1008 "hdl "LPX64
":"LPX64
", mech: %s\n",
1009 ctx
, ctx
->cc_vcred
.vc_uid
,
1010 atomic_read(&ctx
->cc_refcount
),
1012 ctx
->cc_expire
? ctx
->cc_expire
- now
: 0,
1014 atomic_read(&gctx
->gc_seq
),
1016 key
? key
->serial
: 0,
1017 key
? atomic_read(&key
->usage
) : 0,
1018 gss_handle_to_u64(&gctx
->gc_handle
),
1019 gss_handle_to_u64(&gctx
->gc_svc_handle
),
1022 spin_unlock(&sec
->ps_lock
);
1027 /****************************************
1029 ****************************************/
1032 int gss_cli_ctx_refresh_kr(struct ptlrpc_cli_ctx
*ctx
)
1034 /* upcall is already on the way */
1039 int gss_cli_ctx_validate_kr(struct ptlrpc_cli_ctx
*ctx
)
1041 LASSERT(atomic_read(&ctx
->cc_refcount
) > 0);
1042 LASSERT(ctx
->cc_sec
);
1044 if (cli_ctx_check_death(ctx
)) {
1049 if (cli_ctx_is_ready(ctx
))
1055 void gss_cli_ctx_die_kr(struct ptlrpc_cli_ctx
*ctx
, int grace
)
1057 LASSERT(atomic_read(&ctx
->cc_refcount
) > 0);
1058 LASSERT(ctx
->cc_sec
);
1060 cli_ctx_expire(ctx
);
1064 /****************************************
1065 * (reverse) service *
1066 ****************************************/
1069 * reverse context could have nothing to do with keyrings. here we still keep
1070 * the version which bind to a key, for future reference.
1072 #define HAVE_REVERSE_CTX_NOKEY
1076 int sec_install_rctx_kr(struct ptlrpc_sec
*sec
,
1077 struct ptlrpc_svc_ctx
*svc_ctx
)
1079 struct ptlrpc_cli_ctx
*cli_ctx
;
1080 struct vfs_cred vcred
= { 0, 0 };
1086 cli_ctx
= ctx_create_kr(sec
, &vcred
);
1087 if (cli_ctx
== NULL
)
1090 rc
= gss_copy_rvc_cli_ctx(cli_ctx
, svc_ctx
);
1092 CERROR("failed copy reverse cli ctx: %d\n", rc
);
1094 ctx_put_kr(cli_ctx
, 1);
1098 rvs_sec_install_root_ctx_kr(sec
, cli_ctx
, NULL
);
1100 ctx_put_kr(cli_ctx
, 1);
1106 /****************************************
1108 ****************************************/
1111 int gss_svc_accept_kr(struct ptlrpc_request
*req
)
1113 return gss_svc_accept(&gss_policy_keyring
, req
);
1117 int gss_svc_install_rctx_kr(struct obd_import
*imp
,
1118 struct ptlrpc_svc_ctx
*svc_ctx
)
1120 struct ptlrpc_sec
*sec
;
1123 sec
= sptlrpc_import_sec_ref(imp
);
1126 rc
= sec_install_rctx_kr(sec
, svc_ctx
);
1127 sptlrpc_sec_put(sec
);
1132 /****************************************
1134 ****************************************/
1137 int gss_kt_instantiate(struct key
*key
, const void *data
, size_t datalen
)
1141 if (data
!= NULL
|| datalen
!= 0) {
1142 CERROR("invalid: data %p, len %lu\n", data
, (long)datalen
);
1146 if (key
->payload
.data
!= 0) {
1147 CERROR("key already have payload\n");
1151 /* link the key to session keyring, so following context negotiation
1152 * rpc fired from user space could find this key. This will be unlinked
1153 * automatically when upcall processes die.
1155 * we can't do this through keyctl from userspace, because the upcall
1156 * might be neither possessor nor owner of the key (setuid).
1158 * the session keyring is created upon upcall, and don't change all
1159 * the way until upcall finished, so rcu lock is not needed here.
1161 LASSERT(key_tgcred(current
)->session_keyring
);
1164 rc
= key_link(key_tgcred(current
)->session_keyring
, key
);
1167 CERROR("failed to link key %08x to keyring %08x: %d\n",
1169 key_tgcred(current
)->session_keyring
->serial
, rc
);
1173 CDEBUG(D_SEC
, "key %p instantiated, ctx %p\n", key
, key
->payload
.data
);
1178 * called with key semaphore write locked. it means we can operate
1179 * on the context without fear of loosing refcount.
1182 int gss_kt_update(struct key
*key
, const void *data
, size_t datalen
)
1184 struct ptlrpc_cli_ctx
*ctx
= key
->payload
.data
;
1185 struct gss_cli_ctx
*gctx
;
1186 rawobj_t tmpobj
= RAWOBJ_EMPTY
;
1187 __u32 datalen32
= (__u32
) datalen
;
1190 if (data
== NULL
|| datalen
== 0) {
1191 CWARN("invalid: data %p, len %lu\n", data
, (long)datalen
);
1195 /* if upcall finished negotiation too fast (mostly likely because
1196 * of local error happened) and call kt_update(), the ctx
1197 * might be still NULL. but the key will finally be associate
1198 * with a context, or be revoked. if key status is fine, return
1199 * -EAGAIN to allow userspace sleep a while and call again. */
1201 CDEBUG(D_SEC
, "update too soon: key %p(%x) flags %lx\n",
1202 key
, key
->serial
, key
->flags
);
1204 rc
= key_validate(key
);
1211 LASSERT(atomic_read(&ctx
->cc_refcount
) > 0);
1212 LASSERT(ctx
->cc_sec
);
1214 ctx_clear_timer_kr(ctx
);
1216 /* don't proceed if already refreshed */
1217 if (cli_ctx_is_refreshed(ctx
)) {
1218 CWARN("ctx already done refresh\n");
1222 sptlrpc_cli_ctx_get(ctx
);
1223 gctx
= ctx2gctx(ctx
);
1225 rc
= buffer_extract_bytes(&data
, &datalen32
, &gctx
->gc_win
,
1226 sizeof(gctx
->gc_win
));
1228 CERROR("failed extract seq_win\n");
1232 if (gctx
->gc_win
== 0) {
1233 __u32 nego_rpc_err
, nego_gss_err
;
1235 rc
= buffer_extract_bytes(&data
, &datalen32
, &nego_rpc_err
,
1236 sizeof(nego_rpc_err
));
1238 CERROR("failed to extrace rpc rc\n");
1242 rc
= buffer_extract_bytes(&data
, &datalen32
, &nego_gss_err
,
1243 sizeof(nego_gss_err
));
1245 CERROR("failed to extrace gss rc\n");
1249 CERROR("negotiation: rpc err %d, gss err %x\n",
1250 nego_rpc_err
, nego_gss_err
);
1252 rc
= nego_rpc_err
? nego_rpc_err
: -EACCES
;
1254 rc
= rawobj_extract_local_alloc(&gctx
->gc_handle
,
1255 (__u32
**) &data
, &datalen32
);
1257 CERROR("failed extract handle\n");
1261 rc
= rawobj_extract_local(&tmpobj
, (__u32
**) &data
,&datalen32
);
1263 CERROR("failed extract mech\n");
1267 rc
= lgss_import_sec_context(&tmpobj
,
1268 sec2gsec(ctx
->cc_sec
)->gs_mech
,
1270 if (rc
!= GSS_S_COMPLETE
)
1271 CERROR("failed import context\n");
1276 /* we don't care what current status of this ctx, even someone else
1277 * is operating on the ctx at the same time. we just add up our own
1280 gss_cli_ctx_uptodate(gctx
);
1282 /* this will also revoke the key. has to be done before
1283 * wakeup waiters otherwise they can find the stale key */
1284 kill_key_locked(key
);
1286 cli_ctx_expire(ctx
);
1288 if (rc
!= -ERESTART
)
1289 set_bit(PTLRPC_CTX_ERROR_BIT
, &ctx
->cc_flags
);
1292 /* let user space think it's a success */
1293 sptlrpc_cli_ctx_put(ctx
, 1);
1298 int gss_kt_match(const struct key
*key
, const void *desc
)
1300 return (strcmp(key
->description
, (const char *) desc
) == 0);
1304 void gss_kt_destroy(struct key
*key
)
1306 LASSERT(key
->payload
.data
== NULL
);
1307 CDEBUG(D_SEC
, "destroy key %p\n", key
);
1311 void gss_kt_describe(const struct key
*key
, struct seq_file
*s
)
1313 if (key
->description
== NULL
)
1314 seq_puts(s
, "[null]");
1316 seq_puts(s
, key
->description
);
1319 static struct key_type gss_key_type
=
1323 .instantiate
= gss_kt_instantiate
,
1324 .update
= gss_kt_update
,
1325 .match
= gss_kt_match
,
1326 .destroy
= gss_kt_destroy
,
1327 .describe
= gss_kt_describe
,
1330 /****************************************
1331 * lustre gss keyring policy *
1332 ****************************************/
1334 static struct ptlrpc_ctx_ops gss_keyring_ctxops
= {
1335 .match
= gss_cli_ctx_match
,
1336 .refresh
= gss_cli_ctx_refresh_kr
,
1337 .validate
= gss_cli_ctx_validate_kr
,
1338 .die
= gss_cli_ctx_die_kr
,
1339 .sign
= gss_cli_ctx_sign
,
1340 .verify
= gss_cli_ctx_verify
,
1341 .seal
= gss_cli_ctx_seal
,
1342 .unseal
= gss_cli_ctx_unseal
,
1343 .wrap_bulk
= gss_cli_ctx_wrap_bulk
,
1344 .unwrap_bulk
= gss_cli_ctx_unwrap_bulk
,
1347 static struct ptlrpc_sec_cops gss_sec_keyring_cops
= {
1348 .create_sec
= gss_sec_create_kr
,
1349 .destroy_sec
= gss_sec_destroy_kr
,
1350 .kill_sec
= gss_sec_kill
,
1351 .lookup_ctx
= gss_sec_lookup_ctx_kr
,
1352 .release_ctx
= gss_sec_release_ctx_kr
,
1353 .flush_ctx_cache
= gss_sec_flush_ctx_cache_kr
,
1354 .gc_ctx
= gss_sec_gc_ctx_kr
,
1355 .install_rctx
= gss_sec_install_rctx
,
1356 .alloc_reqbuf
= gss_alloc_reqbuf
,
1357 .free_reqbuf
= gss_free_reqbuf
,
1358 .alloc_repbuf
= gss_alloc_repbuf
,
1359 .free_repbuf
= gss_free_repbuf
,
1360 .enlarge_reqbuf
= gss_enlarge_reqbuf
,
1361 .display
= gss_sec_display_kr
,
1364 static struct ptlrpc_sec_sops gss_sec_keyring_sops
= {
1365 .accept
= gss_svc_accept_kr
,
1366 .invalidate_ctx
= gss_svc_invalidate_ctx
,
1367 .alloc_rs
= gss_svc_alloc_rs
,
1368 .authorize
= gss_svc_authorize
,
1369 .free_rs
= gss_svc_free_rs
,
1370 .free_ctx
= gss_svc_free_ctx
,
1371 .prep_bulk
= gss_svc_prep_bulk
,
1372 .unwrap_bulk
= gss_svc_unwrap_bulk
,
1373 .wrap_bulk
= gss_svc_wrap_bulk
,
1374 .install_rctx
= gss_svc_install_rctx_kr
,
1377 static struct ptlrpc_sec_policy gss_policy_keyring
= {
1378 .sp_owner
= THIS_MODULE
,
1379 .sp_name
= "gss.keyring",
1380 .sp_policy
= SPTLRPC_POLICY_GSS
,
1381 .sp_cops
= &gss_sec_keyring_cops
,
1382 .sp_sops
= &gss_sec_keyring_sops
,
1386 int __init
gss_init_keyring(void)
1390 rc
= register_key_type(&gss_key_type
);
1392 CERROR("failed to register keyring type: %d\n", rc
);
1396 rc
= sptlrpc_register_policy(&gss_policy_keyring
);
1398 unregister_key_type(&gss_key_type
);
1405 void __exit
gss_exit_keyring(void)
1407 unregister_key_type(&gss_key_type
);
1408 sptlrpc_unregister_policy(&gss_policy_keyring
);