author | David Howells <dhowells@redhat.com> | 2007-04-26 18:57:07 -0400 |
---|---|---|
committer | David S. Miller <davem@davemloft.net> | 2007-04-26 18:57:07 -0400 |
commit | 00d3b7a4533e367b0dc2812a706db8f9f071c27f (patch) | |
tree | f0b1ae0266267cb2c54cb11aa61ad0758ce9c0f5 /fs/afs/internal.h | |
parent | 436058a49e0fb91c74454dbee9cfee6fb53b4336 (diff) |
[AFS]: Add security support.
Add security support to the AFS filesystem. Kerberos IV tickets are added as
RxRPC keys to the session keyring with the klog program. open() and
other VFS operations then find this ticket with request_key() and either use
it immediately (eg: mkdir, unlink) or attach it to a file descriptor (open).
Signed-off-by: David Howells <dhowells@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'fs/afs/internal.h')
-rw-r--r-- | fs/afs/internal.h | 106 |
1 files changed, 80 insertions, 26 deletions
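--- a/fs/afs/internal.h
+++ b/fs/afs/internal.h
@@ -15,6 +15,7 @@
 #include <linux/pagemap.h>
 #include <linux/skbuff.h>
 #include <linux/rxrpc.h>
+#include <linux/key.h>
 #include "afs.h"
 #include "afs_vl.h"
 
@@ -32,6 +33,17 @@ typedef enum {
 AFS_VL_UNCERTAIN, /* uncertain state (update failed) */
 } __attribute__((packed)) afs_vlocation_state_t;
 
+struct afs_mount_params {
+bool rwpath; /* T if the parent should be considered R/W */
+bool force; /* T to force cell type */
+afs_voltype_t type; /* type of volume requested */
+int volnamesz; /* size of volume name */
+const char *volname; /* name of volume to mount */
+struct afs_cell *cell; /* cell in which to find volume */
+struct afs_volume *volume; /* volume record */
+struct key *key; /* key to use for secure mounting */
+};
+
 /*
 * definition of how to wait for the completion of an operation
 */
@@ -95,6 +107,8 @@ struct afs_call {
 };
 
 struct afs_call_type {
+const char *name;
+
 /* deliver request or reply data to an call
 * - returning an error will cause the call to be aborted
 */
@@ -128,8 +142,8 @@ extern struct file_system_type afs_fs_type;
 * entry in the cached cell catalogue
 */
 struct afs_cache_cell {
-char name[64]; /* cell name (padded with NULs) */
-struct in_addr vl_servers[15]; /* cached cell VL servers */
+char name[AFS_MAXCELLNAME]; /* cell name (padded with NULs) */
+struct in_addr vl_servers[15]; /* cached cell VL servers */
 };
 
 /*
@@ -138,6 +152,7 @@ struct afs_cache_cell {
 struct afs_cell {
 atomic_t usage;
 struct list_head link; /* main cell list link */
+struct key *anonymous_key; /* anonymous user key for this cell */
 struct list_head proc_link; /* /proc cell list link */
 struct proc_dir_entry *proc_dir; /* /proc dir for this cell */
 #ifdef AFS_CACHING_SUPPORT
@@ -163,7 +178,9 @@ struct afs_cell {
 * entry in the cached volume location catalogue
 */
 struct afs_cache_vlocation {
-uint8_t name[64 + 1]; /* volume name (lowercase, padded with NULs) */
+/* volume name (lowercase, padded with NULs) */
+uint8_t name[AFS_MAXVOLNAME + 1];
+
 uint8_t nservers; /* number of entries used in servers[] */
 uint8_t vidmask; /* voltype mask for vid[] */
 uint8_t srvtmask[8]; /* voltype masks for servers[] */
@@ -281,7 +298,8 @@ struct afs_vnode {
 #ifdef AFS_CACHING_SUPPORT
 struct cachefs_cookie *cache; /* caching cookie */
 #endif
-
+struct afs_permits *permits; /* cache of permits so far obtained */
+struct mutex permits_lock; /* lock for altering permits list */
 wait_queue_head_t update_waitq; /* status fetch waitqueue */
 unsigned update_cnt; /* number of outstanding ops that will update the
 * status */
@@ -296,12 +314,13 @@ struct afs_vnode {
 #define AFS_VNODE_DIR_CHANGED 6 /* set if vnode's parent dir metadata changed */
 #define AFS_VNODE_DIR_MODIFIED 7 /* set if vnode's parent dir data modified */
 
+long acl_order; /* ACL check count (callback break count) */
+
 /* outstanding callback notification on this file */
 struct rb_node server_rb; /* link in server->fs_vnodes */
 struct rb_node cb_promise; /* link in server->cb_promises */
 struct work_struct cb_broken_work; /* work to be done on callback break */
 struct mutex cb_broken_lock; /* lock against multiple attempts to fix break */
-// struct list_head cb_hash_link; /* link in master callback hash */
 time_t cb_expires; /* time at which callback expires */
 time_t cb_expires_at; /* time used to order cb_promise */
 unsigned cb_version; /* callback version */
@@ -310,6 +329,23 @@ struct afs_vnode {
 bool cb_promised; /* true if promise still holds */
 };
 
+/*
+* cached security record for one user's attempt to access a vnode
+*/
+struct afs_permit {
+struct key *key; /* RxRPC ticket holding a security context */
+afs_access_t access_mask; /* access mask for this key */
+};
+
+/*
+* cache of security records from attempts to access a vnode
+*/
+struct afs_permits {
+struct rcu_head rcu; /* disposal procedure */
+int count; /* number of records */
+struct afs_permit permits[0]; /* the permits so far examined */
+};
+
 /*****************************************************************************/
 /*
 * callback.c
@@ -352,11 +388,17 @@ extern bool afs_cm_incoming_call(struct afs_call *);
 extern const struct inode_operations afs_dir_inode_operations;
 extern const struct file_operations afs_dir_file_operations;
 
+extern int afs_permission(struct inode *, int, struct nameidata *);
+
 /*
 * file.c
 */
 extern const struct address_space_operations afs_fs_aops;
 extern const struct inode_operations afs_file_inode_operations;
+extern const struct file_operations afs_file_operations;
+
+extern int afs_open(struct inode *, struct file *);
+extern int afs_release(struct inode *, struct file *);
 
 #ifdef AFS_CACHING_SUPPORT
 extern int afs_cache_get_page_cookie(struct page *, struct cachefs_page **);
@@ -365,22 +407,24 @@ extern int afs_cache_get_page_cookie(struct page *, struct cachefs_page **);
 /*
 * fsclient.c
 */
-extern int afs_fs_fetch_file_status(struct afs_server *,
-struct afs_vnode *,
-struct afs_volsync *,
+extern int afs_fs_fetch_file_status(struct afs_server *, struct key *,
+struct afs_vnode *, struct afs_volsync *,
 const struct afs_wait_mode *);
 extern int afs_fs_give_up_callbacks(struct afs_server *,
 const struct afs_wait_mode *);
-extern int afs_fs_fetch_data(struct afs_server *, struct afs_vnode *, off_t,
-size_t, struct page *, struct afs_volsync *,
+extern int afs_fs_fetch_data(struct afs_server *, struct key *,
+struct afs_vnode *, off_t, size_t, struct page *,
+struct afs_volsync *,
 const struct afs_wait_mode *);
 
 /*
 * inode.c
 */
-extern struct inode *afs_iget(struct super_block *, struct afs_fid *);
+extern struct inode *afs_iget(struct super_block *, struct key *,
+struct afs_fid *);
 extern int afs_inode_getattr(struct vfsmount *, struct dentry *,
 struct kstat *);
+extern void afs_zap_permits(struct rcu_head *);
 extern void afs_clear_inode(struct inode *);
 
 /*
@@ -402,17 +446,11 @@ extern const struct inode_operations afs_mntpt_inode_operations;
 extern const struct file_operations afs_mntpt_file_operations;
 extern unsigned long afs_mntpt_expiry_timeout;
 
-extern int afs_mntpt_check_symlink(struct afs_vnode *);
+extern int afs_mntpt_check_symlink(struct afs_vnode *, struct key *);
 extern void afs_mntpt_kill_timer(void);
 extern void afs_umount_begin(struct vfsmount *, int);
 
 /*
-* super.c
-*/
-extern int afs_fs_init(void);
-extern void afs_fs_exit(void);
-
-/*
 * proc.c
 */
 extern int afs_proc_init(void);
@@ -436,6 +474,14 @@ extern int afs_extract_data(struct afs_call *, struct sk_buff *, bool, void *,
 size_t);
 
 /*
+* security.c
+*/
+extern void afs_clear_permits(struct afs_vnode *);
+extern void afs_cache_permit(struct afs_vnode *, struct key *, long);
+extern struct key *afs_request_key(struct afs_cell *);
+extern int afs_permission(struct inode *, int, struct nameidata *);
+
+/*
 * server.c
 */
 extern spinlock_t afs_server_peer_lock;
@@ -449,16 +495,23 @@ extern void afs_put_server(struct afs_server *);
 extern void __exit afs_purge_servers(void);
 
 /*
+* super.c
+*/
+extern int afs_fs_init(void);
+extern void afs_fs_exit(void);
+
+/*
 * vlclient.c
 */
 #ifdef AFS_CACHING_SUPPORT
 extern struct cachefs_index_def afs_vlocation_cache_index_def;
 #endif
 
-extern int afs_vl_get_entry_by_name(struct in_addr *, const char *,
-struct afs_cache_vlocation *,
+extern int afs_vl_get_entry_by_name(struct in_addr *, struct key *,
+const char *, struct afs_cache_vlocation *,
 const struct afs_wait_mode *);
-extern int afs_vl_get_entry_by_id(struct in_addr *, afs_volid_t, afs_voltype_t,
+extern int afs_vl_get_entry_by_id(struct in_addr *, struct key *,
+afs_volid_t, afs_voltype_t,
 struct afs_cache_vlocation *,
 const struct afs_wait_mode *);
 
@@ -469,6 +522,7 @@ extern int afs_vl_get_entry_by_id(struct in_addr *, afs_volid_t, afs_voltype_t,
 
 extern int __init afs_vlocation_update_init(void);
 extern struct afs_vlocation *afs_vlocation_lookup(struct afs_cell *,
+struct key *,
 const char *, size_t);
 extern void afs_put_vlocation(struct afs_vlocation *);
 extern void __exit afs_vlocation_purge(void);
@@ -492,9 +546,10 @@ static inline struct inode *AFS_VNODE_TO_I(struct afs_vnode *vnode)
 return &vnode->vfs_inode;
 }
 
-extern int afs_vnode_fetch_status(struct afs_vnode *);
-extern int afs_vnode_fetch_data(struct afs_vnode *vnode, off_t, size_t,
-struct page *);
+extern int afs_vnode_fetch_status(struct afs_vnode *, struct afs_vnode *,
+struct key *);
+extern int afs_vnode_fetch_data(struct afs_vnode *, struct key *,
+off_t, size_t, struct page *);
 
 /*
 * volume.c
@@ -506,8 +561,7 @@ extern struct cachefs_index_def afs_volume_cache_index_def;
 #define afs_get_volume(V) do { atomic_inc(&(V)->usage); } while(0)
 
 extern void afs_put_volume(struct afs_volume *);
-extern struct afs_volume *afs_volume_lookup(const char *, struct afs_cell *,
-int);
+extern struct afs_volume *afs_volume_lookup(struct afs_mount_params *);
 extern struct afs_server *afs_volume_pick_fileserver(struct afs_vnode *);
 extern int afs_volume_release_fileserver(struct afs_vnode *,
 struct afs_server *, int);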
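Review bot: `int volnamesz` in the new `struct afs_mount_params` stores a length in a signed type, while `afs_vlocation_lookup()` in the same header takes the name length as `size_t` and the cached name buffer is fixed at `name[AFS_MAXVOLNAME + 1]`; `size_t volnamesz; /* size of volume name */` would rule out a negative value being converted to a very large length on that path. The bounds check itself lives outside this header, so this is hardening rather than a demonstrated overflow. `afs_permission()` is now declared twice, under the dir.c block and again under the new security.c block, and the dir.c copy can be dropped. `afs_vnode_fetch_status(struct afs_vnode *, struct afs_vnode *, struct key *)` takes two unnamed pointers of the same type, so the prototype should name both vnode parameters to let a reader tell which vnode is which.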