diff options
author | Wang Lei <wang840925@gmail.com> | 2010-08-04 10:16:33 -0400 |
---|---|---|
committer | Steve French <sfrench@us.ibm.com> | 2010-08-05 13:17:51 -0400 |
commit | 1a4240f4764ac78adbf4b0ebb49b3bd8c72ffa11 (patch) | |
tree | 7d9de5b071e7ab8a8355bdf7902db4c0a0e812b1 /fs | |
parent | ba5dadbf4e7b531bd7ccecffb4d3935c80a3372e (diff) |
DNS: Separate out CIFS DNS Resolver code
Separate out the DNS resolver key type from the CIFS filesystem into its own
module so that it can be made available for general use, including the AFS
filesystem module.
This facility makes it possible for the kernel to upcall to userspace to have
it issue DNS requests, package up the replies and present them to the kernel
in a useful form. The kernel is then able to cache the DNS replies as keys
can be retained in keyrings.
Resolver keys are of type "dns_resolver" and have a case-insensitive
description that is of the form "[<type>:]<domain_name>". The optional <type>
indicates the particular DNS lookup and packaging that's required. The
<domain_name> is the query to be made.
If <type> isn't given, a basic hostname to IP address lookup is made, and the
result is stored in the key in the form of a printable string consisting of a
comma-separated list of IPv4 and IPv6 addresses.
This key type is supported by userspace helpers driven from /sbin/request-key
and configured through /etc/request-key.conf. The cifs.upcall utility is
invoked for UNC path server name to IP address resolution.
The CIFS functionality is encapsulated by the dns_resolve_unc_to_ip() function,
which is used to resolve a UNC path to an IP address for CIFS filesystem. This
part remains in the CIFS module for now.
See the added Documentation/networking/dns_resolver.txt for more information.
Signed-off-by: Wang Lei <wang840925@gmail.com>
Signed-off-by: David Howells <dhowells@redhat.com>
Acked-by: Jeff Layton <jlayton@redhat.com>
Signed-off-by: Steve French <sfrench@us.ibm.com>
Diffstat (limited to 'fs')
-rw-r--r-- | fs/cifs/Kconfig | 17 | ||||
-rw-r--r-- | fs/cifs/cifsfs.c | 13 | ||||
-rw-r--r-- | fs/cifs/dns_resolve.c | 229 | ||||
-rw-r--r-- | fs/cifs/dns_resolve.h | 2 |
4 files changed, 56 insertions, 205 deletions
diff --git a/fs/cifs/Kconfig b/fs/cifs/Kconfig index 5739fd7f88b4..57f0aa9f141f 100644 --- a/fs/cifs/Kconfig +++ b/fs/cifs/Kconfig | |||
@@ -71,14 +71,14 @@ config CIFS_WEAK_PW_HASH | |||
71 | If unsure, say N. | 71 | If unsure, say N. |
72 | 72 | ||
73 | config CIFS_UPCALL | 73 | config CIFS_UPCALL |
74 | bool "Kerberos/SPNEGO advanced session setup" | 74 | bool "Kerberos/SPNEGO advanced session setup" |
75 | depends on CIFS && KEYS | 75 | depends on CIFS && KEYS |
76 | help | 76 | select DNS_RESOLVER |
77 | Enables an upcall mechanism for CIFS which accesses | 77 | help |
78 | userspace helper utilities to provide SPNEGO packaged (RFC 4178) | 78 | Enables an upcall mechanism for CIFS which accesses userspace helper |
79 | Kerberos tickets which are needed to mount to certain secure servers | 79 | utilities to provide SPNEGO packaged (RFC 4178) Kerberos tickets |
80 | (for which more secure Kerberos authentication is required). If | 80 | which are needed to mount to certain secure servers (for which more |
81 | unsure, say N. | 81 | secure Kerberos authentication is required). If unsure, say N. |
82 | 82 | ||
83 | config CIFS_XATTR | 83 | config CIFS_XATTR |
84 | bool "CIFS extended attributes" | 84 | bool "CIFS extended attributes" |
@@ -122,6 +122,7 @@ config CIFS_DEBUG2 | |||
122 | config CIFS_DFS_UPCALL | 122 | config CIFS_DFS_UPCALL |
123 | bool "DFS feature support" | 123 | bool "DFS feature support" |
124 | depends on CIFS && KEYS | 124 | depends on CIFS && KEYS |
125 | select DNS_RESOLVER | ||
125 | help | 126 | help |
126 | Distributed File System (DFS) support is used to access shares | 127 | Distributed File System (DFS) support is used to access shares |
127 | transparently in an enterprise name space, even if the share | 128 | transparently in an enterprise name space, even if the share |
diff --git a/fs/cifs/cifsfs.c b/fs/cifs/cifsfs.c index 8a2cf129e535..2a0c892959f4 100644 --- a/fs/cifs/cifsfs.c +++ b/fs/cifs/cifsfs.c | |||
@@ -45,7 +45,6 @@ | |||
45 | #include "cifs_fs_sb.h" | 45 | #include "cifs_fs_sb.h" |
46 | #include <linux/mm.h> | 46 | #include <linux/mm.h> |
47 | #include <linux/key-type.h> | 47 | #include <linux/key-type.h> |
48 | #include "dns_resolve.h" | ||
49 | #include "cifs_spnego.h" | 48 | #include "cifs_spnego.h" |
50 | #include "fscache.h" | 49 | #include "fscache.h" |
51 | #define CIFS_MAGIC_NUMBER 0xFF534D42 /* the first four bytes of SMB PDUs */ | 50 | #define CIFS_MAGIC_NUMBER 0xFF534D42 /* the first four bytes of SMB PDUs */ |
@@ -934,22 +933,13 @@ init_cifs(void) | |||
934 | if (rc) | 933 | if (rc) |
935 | goto out_unregister_filesystem; | 934 | goto out_unregister_filesystem; |
936 | #endif | 935 | #endif |
937 | #ifdef CONFIG_CIFS_DFS_UPCALL | ||
938 | rc = cifs_init_dns_resolver(); | ||
939 | if (rc) | ||
940 | goto out_unregister_key_type; | ||
941 | #endif | ||
942 | rc = slow_work_register_user(THIS_MODULE); | 936 | rc = slow_work_register_user(THIS_MODULE); |
943 | if (rc) | 937 | if (rc) |
944 | goto out_unregister_resolver_key; | 938 | goto out_unregister_key_type; |
945 | 939 | ||
946 | return 0; | 940 | return 0; |
947 | 941 | ||
948 | out_unregister_resolver_key: | ||
949 | #ifdef CONFIG_CIFS_DFS_UPCALL | ||
950 | cifs_exit_dns_resolver(); | ||
951 | out_unregister_key_type: | 942 | out_unregister_key_type: |
952 | #endif | ||
953 | #ifdef CONFIG_CIFS_UPCALL | 943 | #ifdef CONFIG_CIFS_UPCALL |
954 | unregister_key_type(&cifs_spnego_key_type); | 944 | unregister_key_type(&cifs_spnego_key_type); |
955 | out_unregister_filesystem: | 945 | out_unregister_filesystem: |
@@ -976,7 +966,6 @@ exit_cifs(void) | |||
976 | cifs_fscache_unregister(); | 966 | cifs_fscache_unregister(); |
977 | #ifdef CONFIG_CIFS_DFS_UPCALL | 967 | #ifdef CONFIG_CIFS_DFS_UPCALL |
978 | cifs_dfs_release_automount_timer(); | 968 | cifs_dfs_release_automount_timer(); |
979 | cifs_exit_dns_resolver(); | ||
980 | #endif | 969 | #endif |
981 | #ifdef CONFIG_CIFS_UPCALL | 970 | #ifdef CONFIG_CIFS_UPCALL |
982 | unregister_key_type(&cifs_spnego_key_type); | 971 | unregister_key_type(&cifs_spnego_key_type); |
diff --git a/fs/cifs/dns_resolve.c b/fs/cifs/dns_resolve.c index aa967e7917f8..0eb87026cad3 100644 --- a/fs/cifs/dns_resolve.c +++ b/fs/cifs/dns_resolve.c | |||
@@ -4,6 +4,8 @@ | |||
4 | * Copyright (c) 2007 Igor Mammedov | 4 | * Copyright (c) 2007 Igor Mammedov |
5 | * Author(s): Igor Mammedov (niallain@gmail.com) | 5 | * Author(s): Igor Mammedov (niallain@gmail.com) |
6 | * Steve French (sfrench@us.ibm.com) | 6 | * Steve French (sfrench@us.ibm.com) |
7 | * Wang Lei (wang840925@gmail.com) | ||
8 | * David Howells (dhowells@redhat.com) | ||
7 | * | 9 | * |
8 | * Contains the CIFS DFS upcall routines used for hostname to | 10 | * Contains the CIFS DFS upcall routines used for hostname to |
9 | * IP address translation. | 11 | * IP address translation. |
@@ -24,212 +26,73 @@ | |||
24 | */ | 26 | */ |
25 | 27 | ||
26 | #include <linux/slab.h> | 28 | #include <linux/slab.h> |
27 | #include <linux/keyctl.h> | 29 | #include <linux/dns_resolver.h> |
28 | #include <linux/key-type.h> | ||
29 | #include <keys/user-type.h> | ||
30 | #include "dns_resolve.h" | 30 | #include "dns_resolve.h" |
31 | #include "cifsglob.h" | 31 | #include "cifsglob.h" |
32 | #include "cifsproto.h" | 32 | #include "cifsproto.h" |
33 | #include "cifs_debug.h" | 33 | #include "cifs_debug.h" |
34 | 34 | ||
35 | static const struct cred *dns_resolver_cache; | 35 | /** |
36 | 36 | * dns_resolve_server_name_to_ip - Resolve UNC server name to ip address. | |
37 | /* Checks if supplied name is IP address | 37 | * @unc: UNC path specifying the server |
38 | * returns: | 38 | * @ip_addr: Where to return the IP address. |
39 | * 1 - name is IP | 39 | * |
40 | * 0 - name is not IP | 40 | * The IP address will be returned in string form, and the caller is |
41 | */ | 41 | * responsible for freeing it. |
42 | static int | 42 | * |
43 | is_ip(const char *name, int len) | 43 | * Returns length of result on success, -ve on error. |
44 | { | ||
45 | struct sockaddr_storage ss; | ||
46 | |||
47 | return cifs_convert_address((struct sockaddr *)&ss, name, len); | ||
48 | } | ||
49 | |||
50 | static int | ||
51 | dns_resolver_instantiate(struct key *key, const void *data, | ||
52 | size_t datalen) | ||
53 | { | ||
54 | int rc = 0; | ||
55 | char *ip; | ||
56 | |||
57 | /* make sure this looks like an address */ | ||
58 | if (!is_ip(data, datalen)) | ||
59 | return -EINVAL; | ||
60 | |||
61 | ip = kmalloc(datalen + 1, GFP_KERNEL); | ||
62 | if (!ip) | ||
63 | return -ENOMEM; | ||
64 | |||
65 | memcpy(ip, data, datalen); | ||
66 | ip[datalen] = '\0'; | ||
67 | |||
68 | key->type_data.x[0] = datalen; | ||
69 | key->payload.data = ip; | ||
70 | |||
71 | return rc; | ||
72 | } | ||
73 | |||
74 | static void | ||
75 | dns_resolver_destroy(struct key *key) | ||
76 | { | ||
77 | kfree(key->payload.data); | ||
78 | } | ||
79 | |||
80 | struct key_type key_type_dns_resolver = { | ||
81 | .name = "dns_resolver", | ||
82 | .def_datalen = sizeof(struct in_addr), | ||
83 | .describe = user_describe, | ||
84 | .instantiate = dns_resolver_instantiate, | ||
85 | .destroy = dns_resolver_destroy, | ||
86 | .match = user_match, | ||
87 | }; | ||
88 | |||
89 | /* Resolves server name to ip address. | ||
90 | * input: | ||
91 | * unc - server UNC | ||
92 | * output: | ||
93 | * *ip_addr - pointer to server ip, caller responcible for freeing it. | ||
94 | * return the length of the returned string on success | ||
95 | */ | 44 | */ |
96 | int | 45 | int |
97 | dns_resolve_server_name_to_ip(const char *unc, char **ip_addr) | 46 | dns_resolve_server_name_to_ip(const char *unc, char **ip_addr) |
98 | { | 47 | { |
99 | const struct cred *saved_cred; | 48 | struct sockaddr_storage ss; |
100 | int rc = -EAGAIN; | 49 | const char *hostname, *sep; |
101 | struct key *rkey = ERR_PTR(-EAGAIN); | ||
102 | char *name; | 50 | char *name; |
103 | char *data = NULL; | 51 | int len, rc; |
104 | int len; | ||
105 | 52 | ||
106 | if (!ip_addr || !unc) | 53 | if (!ip_addr || !unc) |
107 | return -EINVAL; | 54 | return -EINVAL; |
108 | 55 | ||
109 | /* search for server name delimiter */ | ||
110 | len = strlen(unc); | 56 | len = strlen(unc); |
111 | if (len < 3) { | 57 | if (len < 3) { |
112 | cFYI(1, "%s: unc is too short: %s", __func__, unc); | 58 | cFYI(1, "%s: unc is too short: %s", __func__, unc); |
113 | return -EINVAL; | 59 | return -EINVAL; |
114 | } | 60 | } |
115 | len -= 2; | ||
116 | name = memchr(unc+2, '\\', len); | ||
117 | if (!name) { | ||
118 | cFYI(1, "%s: probably server name is whole unc: %s", | ||
119 | __func__, unc); | ||
120 | } else { | ||
121 | len = (name - unc) - 2/* leading // */; | ||
122 | } | ||
123 | |||
124 | name = kmalloc(len+1, GFP_KERNEL); | ||
125 | if (!name) { | ||
126 | rc = -ENOMEM; | ||
127 | return rc; | ||
128 | } | ||
129 | memcpy(name, unc+2, len); | ||
130 | name[len] = 0; | ||
131 | |||
132 | if (is_ip(name, len)) { | ||
133 | cFYI(1, "%s: it is IP, skipping dns upcall: %s", | ||
134 | __func__, name); | ||
135 | data = name; | ||
136 | goto skip_upcall; | ||
137 | } | ||
138 | 61 | ||
139 | saved_cred = override_creds(dns_resolver_cache); | 62 | /* Discount leading slashes for cifs */ |
140 | rkey = request_key(&key_type_dns_resolver, name, ""); | 63 | len -= 2; |
141 | revert_creds(saved_cred); | 64 | hostname = unc + 2; |
142 | if (!IS_ERR(rkey)) { | ||
143 | if (!(rkey->perm & KEY_USR_VIEW)) { | ||
144 | down_read(&rkey->sem); | ||
145 | rkey->perm |= KEY_USR_VIEW; | ||
146 | up_read(&rkey->sem); | ||
147 | } | ||
148 | len = rkey->type_data.x[0]; | ||
149 | data = rkey->payload.data; | ||
150 | } else { | ||
151 | cERROR(1, "%s: unable to resolve: %s", __func__, name); | ||
152 | goto out; | ||
153 | } | ||
154 | |||
155 | skip_upcall: | ||
156 | if (data) { | ||
157 | *ip_addr = kmalloc(len + 1, GFP_KERNEL); | ||
158 | if (*ip_addr) { | ||
159 | memcpy(*ip_addr, data, len + 1); | ||
160 | if (!IS_ERR(rkey)) | ||
161 | cFYI(1, "%s: resolved: %s to %s", __func__, | ||
162 | name, | ||
163 | *ip_addr | ||
164 | ); | ||
165 | rc = len; | ||
166 | } else { | ||
167 | rc = -ENOMEM; | ||
168 | } | ||
169 | if (!IS_ERR(rkey)) | ||
170 | key_put(rkey); | ||
171 | } | ||
172 | 65 | ||
173 | out: | 66 | /* Search for server name delimiter */ |
174 | kfree(name); | 67 | sep = memchr(hostname, '\\', len); |
68 | if (sep) | ||
69 | len = sep - unc; | ||
70 | else | ||
71 | cFYI(1, "%s: probably server name is whole unc: %s", | ||
72 | __func__, unc); | ||
73 | |||
74 | /* Try to interpret hostname as an IPv4 or IPv6 address */ | ||
75 | rc = cifs_convert_address((struct sockaddr *)&ss, hostname, len); | ||
76 | if (rc > 0) | ||
77 | goto name_is_IP_address; | ||
78 | |||
79 | /* Perform the upcall */ | ||
80 | rc = dns_query(NULL, hostname, len, NULL, ip_addr, NULL); | ||
81 | if (rc < 0) | ||
82 | cERROR(1, "%s: unable to resolve: %*.*s", | ||
83 | __func__, len, len, hostname); | ||
84 | else | ||
85 | cFYI(1, "%s: resolved: %*.*s to %s", | ||
86 | __func__, len, len, hostname, *ip_addr); | ||
175 | return rc; | 87 | return rc; |
176 | } | ||
177 | 88 | ||
178 | int __init cifs_init_dns_resolver(void) | 89 | name_is_IP_address: |
179 | { | 90 | name = kmalloc(len + 1, GFP_KERNEL); |
180 | struct cred *cred; | 91 | if (!name) |
181 | struct key *keyring; | ||
182 | int ret; | ||
183 | |||
184 | printk(KERN_NOTICE "Registering the %s key type\n", | ||
185 | key_type_dns_resolver.name); | ||
186 | |||
187 | /* create an override credential set with a special thread keyring in | ||
188 | * which DNS requests are cached | ||
189 | * | ||
190 | * this is used to prevent malicious redirections from being installed | ||
191 | * with add_key(). | ||
192 | */ | ||
193 | cred = prepare_kernel_cred(NULL); | ||
194 | if (!cred) | ||
195 | return -ENOMEM; | 92 | return -ENOMEM; |
196 | 93 | memcpy(name, hostname, len); | |
197 | keyring = key_alloc(&key_type_keyring, ".dns_resolver", 0, 0, cred, | 94 | name[len] = 0; |
198 | (KEY_POS_ALL & ~KEY_POS_SETATTR) | | 95 | cFYI(1, "%s: unc is IP, skipping dns upcall: %s", __func__, name); |
199 | KEY_USR_VIEW | KEY_USR_READ, | 96 | *ip_addr = name; |
200 | KEY_ALLOC_NOT_IN_QUOTA); | ||
201 | if (IS_ERR(keyring)) { | ||
202 | ret = PTR_ERR(keyring); | ||
203 | goto failed_put_cred; | ||
204 | } | ||
205 | |||
206 | ret = key_instantiate_and_link(keyring, NULL, 0, NULL, NULL); | ||
207 | if (ret < 0) | ||
208 | goto failed_put_key; | ||
209 | |||
210 | ret = register_key_type(&key_type_dns_resolver); | ||
211 | if (ret < 0) | ||
212 | goto failed_put_key; | ||
213 | |||
214 | /* instruct request_key() to use this special keyring as a cache for | ||
215 | * the results it looks up */ | ||
216 | cred->thread_keyring = keyring; | ||
217 | cred->jit_keyring = KEY_REQKEY_DEFL_THREAD_KEYRING; | ||
218 | dns_resolver_cache = cred; | ||
219 | return 0; | 97 | return 0; |
220 | |||
221 | failed_put_key: | ||
222 | key_put(keyring); | ||
223 | failed_put_cred: | ||
224 | put_cred(cred); | ||
225 | return ret; | ||
226 | } | ||
227 | |||
228 | void cifs_exit_dns_resolver(void) | ||
229 | { | ||
230 | key_revoke(dns_resolver_cache->thread_keyring); | ||
231 | unregister_key_type(&key_type_dns_resolver); | ||
232 | put_cred(dns_resolver_cache); | ||
233 | printk(KERN_NOTICE "Unregistered %s key type\n", | ||
234 | key_type_dns_resolver.name); | ||
235 | } | 98 | } |
diff --git a/fs/cifs/dns_resolve.h b/fs/cifs/dns_resolve.h index 5d7f291df162..d3f5d27f4d06 100644 --- a/fs/cifs/dns_resolve.h +++ b/fs/cifs/dns_resolve.h | |||
@@ -24,8 +24,6 @@ | |||
24 | #define _DNS_RESOLVE_H | 24 | #define _DNS_RESOLVE_H |
25 | 25 | ||
26 | #ifdef __KERNEL__ | 26 | #ifdef __KERNEL__ |
27 | extern int __init cifs_init_dns_resolver(void); | ||
28 | extern void cifs_exit_dns_resolver(void); | ||
29 | extern int dns_resolve_server_name_to_ip(const char *unc, char **ip_addr); | 27 | extern int dns_resolve_server_name_to_ip(const char *unc, char **ip_addr); |
30 | #endif /* KERNEL */ | 28 | #endif /* KERNEL */ |
31 | 29 | ||