1cc553493b17fa6a6770261bbfeb258f354ebf48rmesta/*
1cc553493b17fa6a6770261bbfeb258f354ebf48rmesta * CDDL HEADER START
1cc553493b17fa6a6770261bbfeb258f354ebf48rmesta *
1cc553493b17fa6a6770261bbfeb258f354ebf48rmesta * The contents of this file are subject to the terms of the
1cc553493b17fa6a6770261bbfeb258f354ebf48rmesta * Common Development and Distribution License (the "License").
1cc553493b17fa6a6770261bbfeb258f354ebf48rmesta * You may not use this file except in compliance with the License.
1cc553493b17fa6a6770261bbfeb258f354ebf48rmesta *
1cc553493b17fa6a6770261bbfeb258f354ebf48rmesta * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
1cc553493b17fa6a6770261bbfeb258f354ebf48rmesta * or http://www.opensolaris.org/os/licensing.
1cc553493b17fa6a6770261bbfeb258f354ebf48rmesta * See the License for the specific language governing permissions
1cc553493b17fa6a6770261bbfeb258f354ebf48rmesta * and limitations under the License.
1cc553493b17fa6a6770261bbfeb258f354ebf48rmesta *
1cc553493b17fa6a6770261bbfeb258f354ebf48rmesta * When distributing Covered Code, include this CDDL HEADER in each
1cc553493b17fa6a6770261bbfeb258f354ebf48rmesta * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
1cc553493b17fa6a6770261bbfeb258f354ebf48rmesta * If applicable, add the following below this CDDL HEADER, with the
1cc553493b17fa6a6770261bbfeb258f354ebf48rmesta * fields enclosed by brackets "[]" replaced with your own identifying
1cc553493b17fa6a6770261bbfeb258f354ebf48rmesta * information: Portions Copyright [yyyy] [name of copyright owner]
1cc553493b17fa6a6770261bbfeb258f354ebf48rmesta *
1cc553493b17fa6a6770261bbfeb258f354ebf48rmesta * CDDL HEADER END
1cc553493b17fa6a6770261bbfeb258f354ebf48rmesta */
89621fe174cf95ae903df6ceab605bf24d696ac3Marcel Telka
1cc553493b17fa6a6770261bbfeb258f354ebf48rmesta/*
89621fe174cf95ae903df6ceab605bf24d696ac3Marcel Telka * Copyright 2014 Nexenta Systems, Inc. All rights reserved.
1cc553493b17fa6a6770261bbfeb258f354ebf48rmesta */
89621fe174cf95ae903df6ceab605bf24d696ac3Marcel Telka
5cb0d67909d9970a3e7adbea9422ca3fc88000bfMarcel Telka/*
89621fe174cf95ae903df6ceab605bf24d696ac3Marcel Telka * Copyright 2006 Sun Microsystems, Inc. All rights reserved.
89621fe174cf95ae903df6ceab605bf24d696ac3Marcel Telka * Use is subject to license terms.
5cb0d67909d9970a3e7adbea9422ca3fc88000bfMarcel Telka */
1cc553493b17fa6a6770261bbfeb258f354ebf48rmesta
1cc553493b17fa6a6770261bbfeb258f354ebf48rmesta#ifndef _AUTH_H
1cc553493b17fa6a6770261bbfeb258f354ebf48rmesta#define _AUTH_H
1cc553493b17fa6a6770261bbfeb258f354ebf48rmesta
1cc553493b17fa6a6770261bbfeb258f354ebf48rmesta/*
1cc553493b17fa6a6770261bbfeb258f354ebf48rmesta * nfsauth_prot.x (The NFSAUTH Protocol)
1cc553493b17fa6a6770261bbfeb258f354ebf48rmesta *
 * This protocol is used by the kernel to authorize NFS clients. The service
 * lives in the mount daemon and checks the client's access to an export
 * with a given authentication flavor.
1cc553493b17fa6a6770261bbfeb258f354ebf48rmesta *
1cc553493b17fa6a6770261bbfeb258f354ebf48rmesta * The status result determines what kind of access the client is permitted.
1cc553493b17fa6a6770261bbfeb258f354ebf48rmesta *
1cc553493b17fa6a6770261bbfeb258f354ebf48rmesta * The result is cached in the kernel, so the authorization call will be
5cb0d67909d9970a3e7adbea9422ca3fc88000bfMarcel Telka * made only the first time the client mounts the filesystem.
1cc553493b17fa6a6770261bbfeb258f354ebf48rmesta *
1cc553493b17fa6a6770261bbfeb258f354ebf48rmesta * const A_MAXPATH = 1024;
1cc553493b17fa6a6770261bbfeb258f354ebf48rmesta *
1cc553493b17fa6a6770261bbfeb258f354ebf48rmesta * struct auth_req {
1cc553493b17fa6a6770261bbfeb258f354ebf48rmesta * netobj req_client; # client's address
1cc553493b17fa6a6770261bbfeb258f354ebf48rmesta * string req_netid<>; # Netid of address
1cc553493b17fa6a6770261bbfeb258f354ebf48rmesta * string req_path<A_MAXPATH>; # export path
1cc553493b17fa6a6770261bbfeb258f354ebf48rmesta * int req_flavor; # auth flavor
5cb0d67909d9970a3e7adbea9422ca3fc88000bfMarcel Telka * uid_t req_clnt_uid; # client's uid
5cb0d67909d9970a3e7adbea9422ca3fc88000bfMarcel Telka * gid_t req_clnt_gid; # client's gid
89621fe174cf95ae903df6ceab605bf24d696ac3Marcel Telka * gid_t req_clnt_gids<>; # client's supplemental groups
1cc553493b17fa6a6770261bbfeb258f354ebf48rmesta * };
1cc553493b17fa6a6770261bbfeb258f354ebf48rmesta *
1cc553493b17fa6a6770261bbfeb258f354ebf48rmesta * const NFSAUTH_DENIED = 0x01; # Access denied
1cc553493b17fa6a6770261bbfeb258f354ebf48rmesta * const NFSAUTH_RO = 0x02; # Read-only
1cc553493b17fa6a6770261bbfeb258f354ebf48rmesta * const NFSAUTH_RW = 0x04; # Read-write
1cc553493b17fa6a6770261bbfeb258f354ebf48rmesta * const NFSAUTH_ROOT = 0x08; # Root access
1cc553493b17fa6a6770261bbfeb258f354ebf48rmesta * const NFSAUTH_WRONGSEC = 0x10; # Advise NFS v4 clients to
1cc553493b17fa6a6770261bbfeb258f354ebf48rmesta * # try a different flavor
5cb0d67909d9970a3e7adbea9422ca3fc88000bfMarcel Telka * const NFSAUTH_UIDMAP = 0x100; # uid mapped
5cb0d67909d9970a3e7adbea9422ca3fc88000bfMarcel Telka * const NFSAUTH_GIDMAP = 0x200; # gid mapped
89621fe174cf95ae903df6ceab605bf24d696ac3Marcel Telka * const NFSAUTH_GROUPS = 0x400; # translated supplemental groups
1cc553493b17fa6a6770261bbfeb258f354ebf48rmesta * #
1cc553493b17fa6a6770261bbfeb258f354ebf48rmesta * # The following are not part of the protocol.
1cc553493b17fa6a6770261bbfeb258f354ebf48rmesta * #
1cc553493b17fa6a6770261bbfeb258f354ebf48rmesta * const NFSAUTH_DROP = 0x20; # Drop request
1cc553493b17fa6a6770261bbfeb258f354ebf48rmesta * const NFSAUTH_MAPNONE = 0x40; # Mapped flavor to AUTH_NONE
1cc553493b17fa6a6770261bbfeb258f354ebf48rmesta * const NFSAUTH_LIMITED = 0x80; # Access limited to visible nodes
1cc553493b17fa6a6770261bbfeb258f354ebf48rmesta *
1cc553493b17fa6a6770261bbfeb258f354ebf48rmesta * struct auth_res {
89621fe174cf95ae903df6ceab605bf24d696ac3Marcel Telka * int auth_perm;
89621fe174cf95ae903df6ceab605bf24d696ac3Marcel Telka * uid_t auth_srv_uid; # translated uid
89621fe174cf95ae903df6ceab605bf24d696ac3Marcel Telka * gid_t auth_srv_gid; # translated gid
89621fe174cf95ae903df6ceab605bf24d696ac3Marcel Telka * gid_t auth_srv_gids<>; # translated supplemental groups
1cc553493b17fa6a6770261bbfeb258f354ebf48rmesta * };
1cc553493b17fa6a6770261bbfeb258f354ebf48rmesta *
1cc553493b17fa6a6770261bbfeb258f354ebf48rmesta * program NFSAUTH_PROG {
1cc553493b17fa6a6770261bbfeb258f354ebf48rmesta * version NFSAUTH_VERS {
1cc553493b17fa6a6770261bbfeb258f354ebf48rmesta * #
1cc553493b17fa6a6770261bbfeb258f354ebf48rmesta * # Authorization Request
1cc553493b17fa6a6770261bbfeb258f354ebf48rmesta * #
1cc553493b17fa6a6770261bbfeb258f354ebf48rmesta * auth_res
1cc553493b17fa6a6770261bbfeb258f354ebf48rmesta * NFSAUTH_ACCESS(auth_req) = 1;
1cc553493b17fa6a6770261bbfeb258f354ebf48rmesta *
1cc553493b17fa6a6770261bbfeb258f354ebf48rmesta * } = 1;
1cc553493b17fa6a6770261bbfeb258f354ebf48rmesta * } = 100231;
1cc553493b17fa6a6770261bbfeb258f354ebf48rmesta */
1cc553493b17fa6a6770261bbfeb258f354ebf48rmesta
1cc553493b17fa6a6770261bbfeb258f354ebf48rmesta#ifndef _KERNEL
1cc553493b17fa6a6770261bbfeb258f354ebf48rmesta#include <stddef.h>
1cc553493b17fa6a6770261bbfeb258f354ebf48rmesta#endif
1cc553493b17fa6a6770261bbfeb258f354ebf48rmesta#include <sys/sysmacros.h>
1cc553493b17fa6a6770261bbfeb258f354ebf48rmesta#include <sys/types.h>
1cc553493b17fa6a6770261bbfeb258f354ebf48rmesta#include <rpc/xdr.h>
1cc553493b17fa6a6770261bbfeb258f354ebf48rmesta
1cc553493b17fa6a6770261bbfeb258f354ebf48rmesta#ifdef __cplusplus
1cc553493b17fa6a6770261bbfeb258f354ebf48rmestaextern "C" {
1cc553493b17fa6a6770261bbfeb258f354ebf48rmesta#endif
1cc553493b17fa6a6770261bbfeb258f354ebf48rmesta
1cc553493b17fa6a6770261bbfeb258f354ebf48rmesta
1cc553493b17fa6a6770261bbfeb258f354ebf48rmesta/* --8<-- Start: nfsauth_prot.x definitions --8<-- */
1cc553493b17fa6a6770261bbfeb258f354ebf48rmesta
/*
 * Maximum length of auth_req.req_path as declared in the protocol
 * (string req_path<A_MAXPATH>).  The C struct below carries only a
 * char * for the path, so this bound is not expressed by the type;
 * it is assumed to be enforced by the XDR filter -- TODO confirm.
 */
#define A_MAXPATH 1024

/* Procedure number of NFSAUTH_ACCESS within NFSAUTH_PROG / NFSAUTH_VERS. */
#define NFSAUTH_ACCESS 1

/*
 * Values carried in auth_res.auth_perm.  Each is a distinct bit, so a
 * single auth_perm can hold more than one of them (e.g. an RO/RW grant
 * plus a *MAP bit describing how the identity was translated).
 */
#define NFSAUTH_DENIED 0x01	/* access denied */
#define NFSAUTH_RO 0x02		/* read-only */
#define NFSAUTH_RW 0x04		/* read-write */
#define NFSAUTH_ROOT 0x08	/* root access */
#define NFSAUTH_WRONGSEC 0x10	/* advise NFSv4 clients to try another flavor */
/*
 * The next three are not part of the wire protocol; they are local
 * kernel/mountd conventions (see the nfsauth_prot.x description above).
 */
#define NFSAUTH_DROP 0x20	/* drop the request */
#define NFSAUTH_MAPNONE 0x40	/* flavor was mapped to AUTH_NONE */
#define NFSAUTH_LIMITED 0x80	/* access limited to visible nodes */
#define NFSAUTH_UIDMAP 0x100	/* uid was mapped; see auth_res.auth_srv_uid */
#define NFSAUTH_GIDMAP 0x200	/* gid was mapped; see auth_res.auth_srv_gid */
#define NFSAUTH_GROUPS 0x400	/* supplemental groups translated; see auth_srv_gids */
1cc553493b17fa6a6770261bbfeb258f354ebf48rmesta
/*
 * Arguments of NFSAUTH_ACCESS: the identity and export the kernel asks
 * mountd to authorize.  Mirrors struct auth_req in the nfsauth_prot.x
 * description above; req_clnt_gids uses the rpcgen <len, val> layout
 * of a variable-length XDR array (gid_t req_clnt_gids<>).
 *
 * The uid/gid/gids members are the values asserted by the client in
 * its request, not the translated server-side identity (that comes
 * back in auth_res).  They should be treated as untrusted input on
 * the mountd side.
 */
struct auth_req {
	netobj req_client;	/* client's transport address */
	char *req_netid;	/* netid describing req_client's address */
	char *req_path;		/* export path; A_MAXPATH-bounded on the wire, unbounded here */
	int req_flavor;		/* authentication flavor being checked */
	uid_t req_clnt_uid;	/* uid asserted by the client */
	gid_t req_clnt_gid;	/* gid asserted by the client */
	struct {
		uint_t len;	/* number of entries in val */
		gid_t *val;	/* client's supplemental groups */
	} req_clnt_gids;
};
typedef struct auth_req auth_req;
1cc553493b17fa6a6770261bbfeb258f354ebf48rmesta
/*
 * Result of NFSAUTH_ACCESS.  Mirrors struct auth_res in the
 * nfsauth_prot.x description above.  auth_perm carries the NFSAUTH_*
 * bits; the auth_srv_* members hold the identity mountd translated
 * the client's uid/gid/groups to, and are presumably only meaningful
 * when the corresponding NFSAUTH_UIDMAP / NFSAUTH_GIDMAP /
 * NFSAUTH_GROUPS bit is set in auth_perm -- confirm against the
 * consumer in the kernel.
 */
struct auth_res {
	int auth_perm;		/* NFSAUTH_* access bits */
	uid_t auth_srv_uid;	/* translated uid */
	gid_t auth_srv_gid;	/* translated gid */
	struct {
		uint_t len;	/* number of entries in val */
		gid_t *val;	/* translated supplemental groups */
	} auth_srv_gids;
};
typedef struct auth_res auth_res;
1cc553493b17fa6a6770261bbfeb258f354ebf48rmesta
1cc553493b17fa6a6770261bbfeb258f354ebf48rmesta/* --8<-- End: nfsauth_prot.x definitions --8<-- */
1cc553493b17fa6a6770261bbfeb258f354ebf48rmesta
1cc553493b17fa6a6770261bbfeb258f354ebf48rmesta
/*
 * Door-level status codes returned in nfsauth_res.stat.  These describe
 * whether mountd could service the door call at all, independently of
 * the access decision in auth_res.auth_perm.  Note that NFSAUTH_DR_BADCMD
 * (0x100) and NFSAUTH_UIDMAP (0x100) share a value: that is harmless only
 * because they live in different fields (stat vs. auth_perm) and must
 * never be merged into one word.
 */
#define NFSAUTH_DR_OKAY 0x0	/* success */
#define NFSAUTH_DR_BADCMD 0x100	/* NFSAUTH_ACCESS is only cmd allowed */
#define NFSAUTH_DR_DECERR 0x200	/* mountd could not decode arguments */
#define NFSAUTH_DR_EFAIL 0x400	/* mountd could not encode results */
#define NFSAUTH_DR_TRYCNT 5	/* door handle acquisition retry cnt */

/*
 * Userland debug builds only: filesystem path of the mountd door.
 * Not defined for the kernel or for non-DEBUG userland code.
 */
#if defined(DEBUG) && !defined(_KERNEL)
#define MOUNTD_DOOR "/var/run/mountd_door"
#endif
1cc553493b17fa6a6770261bbfeb258f354ebf48rmesta
/*
 * Door argument: the protocol's auth_req wrapped with a command word.
 * Only cmd is added to the args; it tells the daemon "what" we want it
 * to do for us.  NFSAUTH_ACCESS is the only command defined (see
 * NFSAUTH_DR_BADCMD).
 */
struct nfsauth_arg {
	uint_t cmd;		/* command for mountd; NFSAUTH_ACCESS */
	auth_req areq;		/* the authorization request proper */
};
typedef struct nfsauth_arg nfsauth_arg_t;
1cc553493b17fa6a6770261bbfeb258f354ebf48rmesta
/*
 * Door result: the protocol's auth_res wrapped with a status word.
 * stat returns the NFSAUTH_DR_* status from the daemon down to the
 * kernel in addition to the perms in ares; ares should only be relied
 * on when stat is NFSAUTH_DR_OKAY.
 */
struct nfsauth_res {
	uint_t stat;		/* NFSAUTH_DR_* door status */
	auth_res ares;		/* the authorization result proper */
};
typedef struct nfsauth_res nfsauth_res_t;
1cc553493b17fa6a6770261bbfeb258f354ebf48rmesta
/*
 * For future extensibility, we version the data structures so
 * future versions of mountd(1m) will know how to XDR decode
 * the arguments.  The version is carried in varg_t.vers below.
 */
enum vtypes {
	V_ERROR = 0,		/* invalid / unrecognized version */
	V_PROTO = 1		/* current arg layout: nfsauth_arg_t */
};
typedef enum vtypes vtypes;
1cc553493b17fa6a6770261bbfeb258f354ebf48rmesta
/*
 * Versioned door argument.  vers selects which member of arg_u is
 * valid; at present only V_PROTO / arg_u.arg exists.  A decoder must
 * check vers before interpreting arg_u.
 */
typedef struct varg {
	uint_t vers;		/* one of enum vtypes */
	union {
		nfsauth_arg_t arg;	/* valid when vers == V_PROTO */
		/* additional args versions go here */
	} arg_u;
} varg_t;
1cc553493b17fa6a6770261bbfeb258f354ebf48rmesta
/*
 * XDR filters for the door types above.  Standard XDR signature: the
 * XDR handle's op selects encode/decode/free, and the return is TRUE on
 * success, FALSE on failure.  xdr_varg is expected to dispatch on
 * varg_t.vers to the matching arg filter -- see the implementation.
 */
extern bool_t xdr_varg(XDR *, varg_t *);
extern bool_t xdr_nfsauth_arg(XDR *, nfsauth_arg_t *);
extern bool_t xdr_nfsauth_res(XDR *, nfsauth_res_t *);
1cc553493b17fa6a6770261bbfeb258f354ebf48rmesta
1cc553493b17fa6a6770261bbfeb258f354ebf48rmesta#ifdef __cplusplus
1cc553493b17fa6a6770261bbfeb258f354ebf48rmesta}
1cc553493b17fa6a6770261bbfeb258f354ebf48rmesta#endif
1cc553493b17fa6a6770261bbfeb258f354ebf48rmesta
1cc553493b17fa6a6770261bbfeb258f354ebf48rmesta#endif /* _AUTH_H */