cifs: Add idmap key and related data structures and functions (try #17 repost)

Define (global) data structures to store ids, uids and gids, to which a SID maps. There are two separate trees, one for SID/uid and another one for SID/gid. A new type of key, cifs_idmap_key_type, is used. Keys are instantiated and searched using credential of the root by overriding and restoring the credentials of the caller requesting the key. Id mapping functions are invoked under config option of cifs acl. Signed-off-by: Shirish Pargaonkar <shirishpargaonkar@gmail.com> Signed-off-by: Steve French <sfrench@us.ibm.com>
author: Shirish Pargaonkar <shirishpargaonkar@gmail.com> 2011-04-28 00:34:35 -0400
committer: Steve French <sfrench@us.ibm.com> 2011-05-19 10:10:51 -0400
commit: 4d79dba0e00749fa40de8ef13a9b85ce57a1603b (patch)
tree: 55e377f53c761e70d5b90a1f901f70609ffcbcc7 /fs/cifs/cifsacl.c
parent: 9ad1506b42c828dff0b9d8f3914e1f837734e91c (diff)
1 files changed, 138 insertions, 0 deletions
diff --git a/fs/cifs/cifsacl.c b/fs/cifs/cifsacl.c
index a0d11eab14e5..061fc3afd841 100644
--- a/fs/cifs/cifsacl.c
+++ b/fs/cifs/cifsacl.c
@@ -23,6 +23,10 @@
 #include <linux/fs.h>
 #include <linux/slab.h>
+#include <linux/string.h>
+#include <linux/keyctl.h>
+#include <linux/key-type.h>
+#include <keys/user-type.h>
 #include "cifspdu.h"
 #include "cifsglob.h"
 #include "cifsacl.h"
@@ -50,6 +54,140 @@ static const struct cifs_sid sid_authusers = {
 /* group users */
 static const struct cifs_sid sid_user = {1, 2 , {0, 0, 0, 0, 0, 5}, {} };
+static const struct cred *root_cred;
+/*
+ * Run idmap cache shrinker.
+ */
+static int
+cifs_idmap_shrinker(struct shrinker *shrink, int nr_to_scan, gfp_t gfp_mask)
+{
+        /* Use a pruning scheme in a subsequent patch instead */
+        cifs_destroy_idmaptrees();
+        return 0;
+}
+static struct shrinker cifs_shrinker = {
+        .shrink = cifs_idmap_shrinker,
+        .seeks = DEFAULT_SEEKS,
+};
+static int
+cifs_idmap_key_instantiate(struct key *key, const void *data, size_t datalen)
+{
+        char *payload;
+        payload = kmalloc(datalen, GFP_KERNEL);
+        if (!payload)
+                return -ENOMEM;
+        memcpy(payload, data, datalen);
+        key->payload.data = payload;
+        return 0;
+}
+static inline void
+cifs_idmap_key_destroy(struct key *key)
+{
+        kfree(key->payload.data);
+}
+static
+struct key_type cifs_idmap_key_type = {
+        .name        = "cifs.cifs_idmap",
+        .instantiate = cifs_idmap_key_instantiate,
+        .destroy     = cifs_idmap_key_destroy,
+        .describe    = user_describe,
+        .match       = user_match,
+};
+int
+init_cifs_idmap(void)
+{
+        struct cred *cred;
+        struct key *keyring;
+        int ret;
+        cFYI(1, "Registering the %s key type\n", cifs_idmap_key_type.name);
+        /* create an override credential set with a special thread keyring in
+         * which requests are cached
+         *
+         * this is used to prevent malicious redirections from being installed
+         * with add_key().
+         */
+        cred = prepare_kernel_cred(NULL);
+        if (!cred)
+                return -ENOMEM;
+        keyring = key_alloc(&key_type_keyring, ".cifs_idmap", 0, 0, cred,
+                            (KEY_POS_ALL & ~KEY_POS_SETATTR) |
+                            KEY_USR_VIEW | KEY_USR_READ,
+                            KEY_ALLOC_NOT_IN_QUOTA);
+        if (IS_ERR(keyring)) {
+                ret = PTR_ERR(keyring);
+                goto failed_put_cred;
+        }
+        ret = key_instantiate_and_link(keyring, NULL, 0, NULL, NULL);
+        if (ret < 0)
+                goto failed_put_key;
+        ret = register_key_type(&cifs_idmap_key_type);
+        if (ret < 0)
+                goto failed_put_key;
+        /* instruct request_key() to use this special keyring as a cache for
+         * the results it looks up */
+        cred->thread_keyring = keyring;
+        cred->jit_keyring = KEY_REQKEY_DEFL_THREAD_KEYRING;
+        root_cred = cred;
+        spin_lock_init(&siduidlock);
+        uidtree = RB_ROOT;
+        spin_lock_init(&sidgidlock);
+        gidtree = RB_ROOT;
+        register_shrinker(&cifs_shrinker);
+        cFYI(1, "cifs idmap keyring: %d\n", key_serial(keyring));
+        return 0;
+failed_put_key:
+        key_put(keyring);
+failed_put_cred:
+        put_cred(cred);
+        return ret;
+}
+void
+exit_cifs_idmap(void)
+{
+        key_revoke(root_cred->thread_keyring);
+        unregister_key_type(&cifs_idmap_key_type);
+        put_cred(root_cred);
+        unregister_shrinker(&cifs_shrinker);
+        cFYI(1, "Unregistered %s key type\n", cifs_idmap_key_type.name);
+}
+void
+cifs_destroy_idmaptrees(void)
+{
+        struct rb_root *root;
+        struct rb_node *node;
+        root = &uidtree;
+        spin_lock(&siduidlock);
+        while ((node = rb_first(root)))
+                rb_erase(node, root);
+        spin_unlock(&siduidlock);
+        root = &gidtree;
+        spin_lock(&sidgidlock);
+        while ((node = rb_first(root)))
+                rb_erase(node, root);
+        spin_unlock(&sidgidlock);
+}
 int match_sid(struct cifs_sid *ctsid)
 {
author	Shirish Pargaonkar <shirishpargaonkar@gmail.com>	2011-04-28 00:34:35 -0400
committer	Steve French <sfrench@us.ibm.com>	2011-05-19 10:10:51 -0400
commit	4d79dba0e00749fa40de8ef13a9b85ce57a1603b (patch)
tree	55e377f53c761e70d5b90a1f901f70609ffcbcc7 /fs/cifs/cifsacl.c
parent	9ad1506b42c828dff0b9d8f3914e1f837734e91c (diff)

diff --git a/fs/cifs/cifsacl.c b/fs/cifs/cifsacl.c index a0d11eab14e5..061fc3afd841 100644 --- a/fs/cifs/cifsacl.c +++ b/fs/cifs/cifsacl.c
@@ -23,6 +23,10 @@
23		23
24	#include <linux/fs.h>	24	#include <linux/fs.h>
25	#include <linux/slab.h>	25	#include <linux/slab.h>
		26	#include <linux/string.h>
		27	#include <linux/keyctl.h>
		28	#include <linux/key-type.h>
		29	#include <keys/user-type.h>
26	#include "cifspdu.h"	30	#include "cifspdu.h"
27	#include "cifsglob.h"	31	#include "cifsglob.h"
28	#include "cifsacl.h"	32	#include "cifsacl.h"
@@ -50,6 +54,140 @@ static const struct cifs_sid sid_authusers = {
50	/* group users */	54	/* group users */
51	static const struct cifs_sid sid_user = {1, 2 , {0, 0, 0, 0, 0, 5}, {} };	55	static const struct cifs_sid sid_user = {1, 2 , {0, 0, 0, 0, 0, 5}, {} };
52		56
		57	static const struct cred *root_cred;
		58
		59	/*
		60	* Run idmap cache shrinker.
		61	*/
		62	static int
		63	cifs_idmap_shrinker(struct shrinker *shrink, int nr_to_scan, gfp_t gfp_mask)
		64	{
		65	/* Use a pruning scheme in a subsequent patch instead */
		66	cifs_destroy_idmaptrees();
		67	return 0;
		68	}
		69
		70	static struct shrinker cifs_shrinker = {
		71	.shrink = cifs_idmap_shrinker,
		72	.seeks = DEFAULT_SEEKS,
		73	};
		74
		75	static int
		76	cifs_idmap_key_instantiate(struct key key, const void data, size_t datalen)
		77	{
		78	char *payload;
		79
		80	payload = kmalloc(datalen, GFP_KERNEL);
		81	if (!payload)
		82	return -ENOMEM;
		83
		84	memcpy(payload, data, datalen);
		85	key->payload.data = payload;
		86	return 0;
		87	}
		88
		89	static inline void
		90	cifs_idmap_key_destroy(struct key *key)
		91	{
		92	kfree(key->payload.data);
		93	}
		94
		95	static
		96	struct key_type cifs_idmap_key_type = {
		97	.name = "cifs.cifs_idmap",
		98	.instantiate = cifs_idmap_key_instantiate,
		99	.destroy = cifs_idmap_key_destroy,
		100	.describe = user_describe,
		101	.match = user_match,
		102	};
		103
		104	int
		105	init_cifs_idmap(void)
		106	{
		107	struct cred *cred;
		108	struct key *keyring;
		109	int ret;
		110
		111	cFYI(1, "Registering the %s key type\n", cifs_idmap_key_type.name);
		112
		113	/* create an override credential set with a special thread keyring in
		114	* which requests are cached
		115	*
		116	* this is used to prevent malicious redirections from being installed
		117	* with add_key().
		118	*/
		119	cred = prepare_kernel_cred(NULL);
		120	if (!cred)
		121	return -ENOMEM;
		122
		123	keyring = key_alloc(&key_type_keyring, ".cifs_idmap", 0, 0, cred,
		124	(KEY_POS_ALL & ~KEY_POS_SETATTR) \|
		125	KEY_USR_VIEW \| KEY_USR_READ,
		126	KEY_ALLOC_NOT_IN_QUOTA);
		127	if (IS_ERR(keyring)) {
		128	ret = PTR_ERR(keyring);
		129	goto failed_put_cred;
		130	}
		131
		132	ret = key_instantiate_and_link(keyring, NULL, 0, NULL, NULL);
		133	if (ret < 0)
		134	goto failed_put_key;
		135
		136	ret = register_key_type(&cifs_idmap_key_type);
		137	if (ret < 0)
		138	goto failed_put_key;
		139
		140	/* instruct request_key() to use this special keyring as a cache for
		141	* the results it looks up */
		142	cred->thread_keyring = keyring;
		143	cred->jit_keyring = KEY_REQKEY_DEFL_THREAD_KEYRING;
		144	root_cred = cred;
		145
		146	spin_lock_init(&siduidlock);
		147	uidtree = RB_ROOT;
		148	spin_lock_init(&sidgidlock);
		149	gidtree = RB_ROOT;
		150
		151	register_shrinker(&cifs_shrinker);
		152
		153	cFYI(1, "cifs idmap keyring: %d\n", key_serial(keyring));
		154	return 0;
		155
		156	failed_put_key:
		157	key_put(keyring);
		158	failed_put_cred:
		159	put_cred(cred);
		160	return ret;
		161	}
		162
		163	void
		164	exit_cifs_idmap(void)
		165	{
		166	key_revoke(root_cred->thread_keyring);
		167	unregister_key_type(&cifs_idmap_key_type);
		168	put_cred(root_cred);
		169	unregister_shrinker(&cifs_shrinker);
		170	cFYI(1, "Unregistered %s key type\n", cifs_idmap_key_type.name);
		171	}
		172
		173	void
		174	cifs_destroy_idmaptrees(void)
		175	{
		176	struct rb_root *root;
		177	struct rb_node *node;
		178
		179	root = &uidtree;
		180	spin_lock(&siduidlock);
		181	while ((node = rb_first(root)))
		182	rb_erase(node, root);
		183	spin_unlock(&siduidlock);
		184
		185	root = &gidtree;
		186	spin_lock(&sidgidlock);
		187	while ((node = rb_first(root)))
		188	rb_erase(node, root);
		189	spin_unlock(&sidgidlock);
		190	}
53		191
54	int match_sid(struct cifs_sid *ctsid)	192	int match_sid(struct cifs_sid *ctsid)
55	{	193	{