nfs_auth.c revision 7c478bd95313f5f23a4c958a745db2134aa03244
/*
* CDDL HEADER START
*
* The contents of this file are subject to the terms of the
* Common Development and Distribution License, Version 1.0 only
* (the "License"). You may not use this file except in compliance
* with the License.
*
* You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
* See the License for the specific language governing permissions
* and limitations under the License.
*
* When distributing Covered Code, include this CDDL HEADER in each
* file and include the License file at usr/src/OPENSOLARIS.LICENSE.
* If applicable, add the following below this CDDL HEADER, with the
* fields enclosed by brackets "[]" replaced with your own identifying
* information: Portions Copyright [yyyy] [name of copyright owner]
*
* CDDL HEADER END
*/
/*
* Copyright 2004 Sun Microsystems, Inc. All rights reserved.
* Use is subject to license terms.
*/
#pragma ident "%Z%%M% %I% %E% SMI"
#include <sys/pathname.h>
#include <nfs/nfs_clnt.h>
#include <rpcsvc/nfsauth_prot.h>
static struct knetconfig auth_knconf;
static servinfo_t svp;
static struct kmem_cache *exi_cache_handle;
static void exi_cache_reclaim(void *);
int nfsauth_cache_hit;
int nfsauth_cache_miss;
/*
* Number of seconds to wait for an NFSAUTH upcall.
*/
static int nfsauth_timeout = 20;
void
nfsauth_init(void)
{
int error;
/*
* Setup netconfig.
* Assume a connectionless loopback transport.
*/
return;
}
ci.cl_readsize = 0;
/*
* Allocate nfsauth cache handle
*/
}
/*
* Finalization routine for nfsauth. It is important to call this routine
* before destroying the exported_lock.
*/
void
nfsauth_fini(void)
{
/*
* Deallocate nfsauth cache handle
*/
}
static int
{
}
/*
* Convert the address in a netbuf to
* a hash index for the auth_cache table.
*/
static int
{
int i, h = 0;
for (i = 0; i < a->len; i++)
h ^= a->buf[i];
return (h & (AUTH_TABLESIZE - 1));
}
/*
* Mask out the components of an
* address that do not identify
* a host. For socket addresses the
* masking gets rid of the port number.
*/
static void
{
int i;
}
/*
* nfsauth4_access is used for NFS V4 auth checking. Besides doing
* the common nfsauth_access(), it will check if the client can
* have a limited access to this vnode even if the security flavor
* used does not meet the policy.
*/
int
{
int access;
/*
* There are cases that the server needs to allow the client
* to have a limited view.
*
* e.g.
* /export is shared as "sec=sys,rw=dfs-test-4,sec=krb5,rw"
*
* When the client mounts /export with sec=sys, the client
* would get a limited view with RO access on /export to see
* "home" only because the client is allowed to access
*/
/*
* Allow ro permission with LIMITED view if there is a
* sub-dir exported under vp.
*/
return (NFSAUTH_LIMITED);
}
}
return (access);
}
/*
* Get the access information from the cache or callup to the mountd
* to get and cache the access information in the kernel.
*/
int
{
int access;
/*
* Now check whether this client already
* has an entry for this flavor in the cache
* for this export.
* Get the caller's address, mask off the
* parts of the address that do not identify
* the host (port number, etc), and then hash
* it to find the chain of cache entries.
*/
break;
}
if (ap) { /* cache hit */
}
if (ap) {
return (access);
}
/*
* so we need to call the nfsauth service in the
* mount daemon.
*/
return (NFSAUTH_DROP);
}
timout);
switch (rpcstat) {
case RPC_SUCCESS:
break;
case RPC_INTR:
break;
case RPC_TIMEDOUT:
/*
* Show messages no more than once per minute
*/
now = gethrestime_sec();
}
break;
default:
/*
* Show messages no more than once per minute
*/
now = gethrestime_sec();
char *errmsg;
}
break;
}
if (rpcstat != RPC_SUCCESS) {
return (NFSAUTH_DROP);
}
/*
* Now cache the result on the cache chain
* for this export (if there's enough memory)
*/
if (ap) {
} else {
}
return (access);
}
/*
* Check if the requesting client has access to the filesystem with
* a given nfs flavor number which is an explicitly shared flavor.
*/
int
{
int access;
if (! (perm & M_4SEC_EXPORTED)) {
return (NFSAUTH_DENIED);
}
/*
* Optimize if there are no lists
*/
perm &= ~M_4SEC_EXPORTED;
return (NFSAUTH_RO);
return (NFSAUTH_RW);
}
return (access);
}
int
{
int authnone_entry = -1;
/*
* Get the nfs flavor number from xprt.
*/
/*
* First check the access restrictions on the filesystem. If
* there are no lists associated with this flavor then there's no
* need to make an expensive call to the nfsauth service or to
* cache anything.
*/
authnone_entry = i;
continue;
}
break;
}
mapaccess = 0;
/*
* Flavor not found, but use AUTH_NONE if it exists
*/
if (authnone_entry == -1)
return (NFSAUTH_DENIED);
i = authnone_entry;
}
/*
* If the flavor is in the ex_secinfo list, but not an explicitly
* shared flavor by the user, it is a result of the nfsv4 server
* namespace setup. We will grant an RO permission similar for
* a pseudo node except that this node is a shared one.
*
* e.g. flavor in (flavor) indicates that it is not explictly
* shared by the user:
*
* / (sys, krb5)
* |
* export #share -o sec=sys (krb5)
* |
* secure #share -o sec=krb5
*
* In this case, when a krb5 request coming in to access
* /export, RO permission is granted.
*/
return (mapaccess | NFSAUTH_RO);
/*
* Optimize if there are no lists
*/
perm &= ~M_4SEC_EXPORTED;
return (mapaccess | NFSAUTH_RO);
return (mapaccess | NFSAUTH_RW);
}
}
/*
* Free the nfsauth cache for a given export
*/
void
{
int i;
struct auth_cache *p, *next;
for (i = 0; i < AUTH_TABLESIZE; i++) {
kmem_cache_free(exi_cache_handle, (void *)p);
}
}
}
/*
* Called by the kernel memory allocator when
* memory is low. Free unused cache entries.
* If that's not enough, the VM system will
* call again for some more.
*/
/*ARGSUSED*/
void
exi_cache_reclaim(void *cdrarg)
{
int i;
struct exportinfo *exi;
for (i = 0; i < EXPTABLESIZE; i++) {
}
}
}
/*
* Don't reclaim entries until they've been
* in the cache for at least exi_cache_time
* seconds.
*/
void
{
struct auth_cache *p;
int i;
for (i = 0; i < AUTH_TABLESIZE; i++) {
/*
* Free entries that have not been
* used for exi_cache_time seconds.
*/
if (p->auth_time > stale_time) {
prev = p;
continue;
}
kmem_cache_free(exi_cache_handle, (void *)p);
else
}
}
}