static int mdt_getxattr_all(struct mdt_thread_info *info,
struct mdt_body *reqbody, struct mdt_body *repbody,
struct lu_buf *buf, struct md_object *next)
{
const struct lu_env *env = info->mti_env;
struct ptlrpc_request *req = mdt_info_req(info);
struct mdt_export_data *med = mdt_req2med(req);
struct lu_ucred *uc = mdt_ucred(info);
char *v, *b, *eadatahead, *eadatatail;
__u32 *sizes;
int eadatasize, eavallen = 0, eavallens = 0, rc;
ENTRY;
/*
* The format of the pill is the following:
* EADATA: attr1\0attr2\0...attrn\0
* EAVALS: val1val2...valn
* EAVALS_LENS: 4,4,...4
*/
eadatahead = buf->lb_buf;
/* Fill out EADATA first */
eadatasize = mo_xattr_list(env, next, buf);
if (eadatasize < 0)
GOTO(out, rc = eadatasize);
eadatatail = eadatahead + eadatasize;
v = req_capsule_server_get(info->mti_pill, &RMF_EAVALS);
sizes = req_capsule_server_get(info->mti_pill, &RMF_EAVALS_LENS);
/* Fill out EAVALS and EAVALS_LENS */
for (b = eadatahead; b < eadatatail; b += strlen(b) + 1, v += rc) {
buf->lb_buf = v;
buf->lb_len = reqbody->eadatasize - eavallen;
rc = mdt_getxattr_one(info, b, next, buf, med, uc);
if (rc < 0)
GOTO(out, rc);
sizes[eavallens] = rc;
eavallens++;
eavallen += rc;
}
repbody->aclsize = eavallen;
repbody->max_mdsize = eavallens;
req_capsule_shrink(info->mti_pill, &RMF_EAVALS, eavallen, RCL_SERVER);
req_capsule_shrink(info->mti_pill, &RMF_EAVALS_LENS,
eavallens * sizeof(__u32), RCL_SERVER);
req_capsule_shrink(info->mti_pill, &RMF_EADATA, eadatasize, RCL_SERVER);
GOTO(out, rc = eadatasize);
out:
return rc;
}
int ptlrpc_user_desc_do_idmap(struct ptlrpc_request *req,
struct ptlrpc_user_desc *pud)
{
struct mdt_export_data *med = mdt_req2med(req);
struct lustre_idmap_table *idmap = med->med_idmap;
uid_t uid, fsuid;
gid_t gid, fsgid;
/* Only remote client need desc_to_idmap. */
if (!exp_connect_rmtclient(req->rq_export))
return 0;
uid = lustre_idmap_lookup_uid(NULL, idmap, 0, pud->pud_uid);
if (uid == CFS_IDMAP_NOTFOUND) {
CDEBUG(D_SEC, "no mapping for uid %u\n", pud->pud_uid);
return -EACCES;
}
if (pud->pud_uid == pud->pud_fsuid) {
fsuid = uid;
} else {
fsuid = lustre_idmap_lookup_uid(NULL, idmap, 0, pud->pud_fsuid);
if (fsuid == CFS_IDMAP_NOTFOUND) {
CDEBUG(D_SEC, "no mapping for fsuid %u\n",
pud->pud_fsuid);
return -EACCES;
}
}
gid = lustre_idmap_lookup_gid(NULL, idmap, 0, pud->pud_gid);
if (gid == CFS_IDMAP_NOTFOUND) {
CDEBUG(D_SEC, "no mapping for gid %u\n", pud->pud_gid);
return -EACCES;
}
if (pud->pud_gid == pud->pud_fsgid) {
fsgid = gid;
} else {
fsgid = lustre_idmap_lookup_gid(NULL, idmap, 0, pud->pud_fsgid);
if (fsgid == CFS_IDMAP_NOTFOUND) {
CDEBUG(D_SEC, "no mapping for fsgid %u\n",
pud->pud_fsgid);
return -EACCES;
}
}
pud->pud_uid = uid;
pud->pud_gid = gid;
pud->pud_fsuid = fsuid;
pud->pud_fsgid = fsgid;
return 0;
}
/* Do not ignore root_squash for non-setattr case. */
int mdt_fix_attr_ucred(struct mdt_thread_info *info, __u32 op)
{
struct ptlrpc_request *req = mdt_info_req(info);
struct md_ucred *uc = mdt_ucred(info);
struct lu_attr *attr = &info->mti_attr.ma_attr;
struct mdt_export_data *med = mdt_req2med(req);
struct lustre_idmap_table *idmap = med->med_idmap;
if ((uc->mu_valid != UCRED_OLD) && (uc->mu_valid != UCRED_NEW))
return -EINVAL;
if (op != REINT_SETATTR) {
if ((attr->la_valid & LA_UID) && (attr->la_uid != -1))
attr->la_uid = uc->mu_fsuid;
/* for S_ISGID, inherit gid from his parent, such work will be
* done in cmm/mdd layer, here set all cases as uc->mu_fsgid. */
if ((attr->la_valid & LA_GID) && (attr->la_gid != -1))
attr->la_gid = uc->mu_fsgid;
} else if (exp_connect_rmtclient(info->mti_exp)) {
/* NB: -1 case will be handled by mdt_fix_attr() later. */
if ((attr->la_valid & LA_UID) && (attr->la_uid != -1)) {
uid_t uid = lustre_idmap_lookup_uid(uc, idmap, 0,
attr->la_uid);
if (uid == CFS_IDMAP_NOTFOUND) {
CDEBUG(D_SEC, "Deny chown to uid %u\n",
attr->la_uid);
return -EPERM;
}
attr->la_uid = uid;
}
if ((attr->la_valid & LA_GID) && (attr->la_gid != -1)) {
gid_t gid = lustre_idmap_lookup_gid(uc, idmap, 0,
attr->la_gid);
if (gid == CFS_IDMAP_NOTFOUND) {
CDEBUG(D_SEC, "Deny chown to gid %u\n",
attr->la_gid);
return -EPERM;
}
attr->la_gid = gid;
}
}
return 0;
}
static int mdt_rmtlsetfacl(struct mdt_thread_info *info,
struct md_object *next,
const char *xattr_name,
ext_acl_xattr_header *header,
posix_acl_xattr_header **out)
{
struct ptlrpc_request *req = mdt_info_req(info);
struct mdt_export_data *med = mdt_req2med(req);
struct md_ucred *uc = mdt_ucred(info);
struct lu_buf *buf = &info->mti_buf;
int rc;
ENTRY;
rc = lustre_ext_acl_xattr_id2server(uc, med->med_idmap, header);
if (rc)
RETURN(rc);
rc = mo_xattr_get(info->mti_env, next, &LU_BUF_NULL, xattr_name);
if (rc == -ENODATA)
rc = 0;
else if (rc < 0)
RETURN(rc);
buf->lb_len = rc;
if (buf->lb_len > 0) {
OBD_ALLOC_LARGE(buf->lb_buf, buf->lb_len);
if (unlikely(buf->lb_buf == NULL))
RETURN(-ENOMEM);
rc = mo_xattr_get(info->mti_env, next, buf, xattr_name);
if (rc < 0) {
CERROR("getxattr failed: %d\n", rc);
GOTO(_out, rc);
}
} else
buf->lb_buf = NULL;
rc = lustre_acl_xattr_merge2posix((posix_acl_xattr_header *)(buf->lb_buf),
buf->lb_len, header, out);
EXIT;
_out:
if (rc <= 0 && buf->lb_buf != NULL)
OBD_FREE_LARGE(buf->lb_buf, buf->lb_len);
return rc;
}
int mdt_init_idmap(struct tgt_session_info *tsi)
{
struct ptlrpc_request *req = tgt_ses_req(tsi);
struct mdt_export_data *med = mdt_req2med(req);
struct obd_export *exp = req->rq_export;
char *client = libcfs_nid2str(req->rq_peer.nid);
int rc = 0;
ENTRY;
if (exp_connect_rmtclient(exp)) {
mutex_lock(&med->med_idmap_mutex);
if (!med->med_idmap)
med->med_idmap = lustre_idmap_init();
mutex_unlock(&med->med_idmap_mutex);
if (IS_ERR(med->med_idmap)) {
long err = PTR_ERR(med->med_idmap);
med->med_idmap = NULL;
CERROR("%s: client %s -> target %s "
"failed to init idmap [%ld]!\n",
tgt_name(tsi->tsi_tgt), client,
tgt_name(tsi->tsi_tgt), err);
RETURN(err);
} else if (!med->med_idmap) {
CERROR("%s: client %s -> target %s "
"failed to init(2) idmap!\n",
tgt_name(tsi->tsi_tgt), client,
tgt_name(tsi->tsi_tgt));
RETURN(-ENOMEM);
}
CDEBUG(D_SEC, "%s: client %s -> target %s is remote.\n",
tgt_name(tsi->tsi_tgt), client,
tgt_name(tsi->tsi_tgt));
/* NB, MDS_CONNECT establish root idmap too! */
rc = mdt_handle_idmap(tsi);
}
RETURN(rc);
}
/*
* Reverse mapping
*/
void mdt_body_reverse_idmap(struct mdt_thread_info *info, struct mdt_body *body)
{
struct ptlrpc_request *req = mdt_info_req(info);
struct lu_ucred *uc = mdt_ucred(info);
struct mdt_export_data *med = mdt_req2med(req);
struct lustre_idmap_table *idmap = med->med_idmap;
if (!exp_connect_rmtclient(info->mti_exp))
return;
if (body->mbo_valid & OBD_MD_FLUID) {
uid_t uid;
uid = lustre_idmap_lookup_uid(uc, idmap, 1, body->mbo_uid);
if (uid == CFS_IDMAP_NOTFOUND) {
uid = NOBODY_UID;
if (body->mbo_valid & OBD_MD_FLMODE)
body->mbo_mode = (body->mbo_mode & ~S_IRWXU) |
((body->mbo_mode & S_IRWXO) << 6);
}
body->mbo_uid = uid;
}
if (body->mbo_valid & OBD_MD_FLGID) {
gid_t gid;
gid = lustre_idmap_lookup_gid(uc, idmap, 1, body->mbo_gid);
if (gid == CFS_IDMAP_NOTFOUND) {
gid = NOBODY_GID;
if (body->mbo_valid & OBD_MD_FLMODE)
body->mbo_mode = (body->mbo_mode & ~S_IRWXG) |
((body->mbo_mode & S_IRWXO) << 3);
}
body->mbo_gid = gid;
}
}
int mdt_init_idmap(struct mdt_thread_info *info)
{
struct ptlrpc_request *req = mdt_info_req(info);
struct mdt_export_data *med = mdt_req2med(req);
struct obd_export *exp = req->rq_export;
char *client = libcfs_nid2str(req->rq_peer.nid);
struct obd_device *obd = exp->exp_obd;
int rc = 0;
ENTRY;
if (exp_connect_rmtclient(exp)) {
cfs_down(&med->med_idmap_sem);
if (!med->med_idmap)
med->med_idmap = lustre_idmap_init();
cfs_up(&med->med_idmap_sem);
if (IS_ERR(med->med_idmap)) {
long err = PTR_ERR(med->med_idmap);
med->med_idmap = NULL;
CERROR("client %s -> target %s "
"failed to init idmap [%ld]!\n",
client, obd->obd_name, err);
RETURN(err);
} else if (!med->med_idmap) {
CERROR("client %s -> target %s "
"failed to init(2) idmap!\n",
client, obd->obd_name);
RETURN(-ENOMEM);
}
CDEBUG(D_SEC, "client %s -> target %s is remote.\n",
client, obd->obd_name);
/* NB, MDS_CONNECT establish root idmap too! */
rc = mdt_handle_idmap(info);
}
RETURN(rc);
}
int mdt_getxattr(struct mdt_thread_info *info)
{
struct ptlrpc_request *req = mdt_info_req(info);
struct mdt_export_data *med = mdt_req2med(req);
struct md_ucred *uc = mdt_ucred(info);
struct mdt_body *reqbody;
struct mdt_body *repbody = NULL;
struct md_object *next;
struct lu_buf *buf;
__u32 remote = exp_connect_rmtclient(info->mti_exp);
__u32 perm;
int easize, rc;
ENTRY;
LASSERT(info->mti_object != NULL);
LASSERT(lu_object_assert_exists(&info->mti_object->mot_obj.mo_lu));
CDEBUG(D_INODE, "getxattr "DFID"\n", PFID(&info->mti_body->fid1));
reqbody = req_capsule_client_get(info->mti_pill, &RMF_MDT_BODY);
if (reqbody == NULL)
RETURN(err_serious(-EFAULT));
rc = mdt_init_ucred(info, reqbody);
if (rc)
RETURN(err_serious(rc));
next = mdt_object_child(info->mti_object);
if (info->mti_body->valid & OBD_MD_FLRMTRGETFACL) {
if (unlikely(!remote))
GOTO(out, rc = err_serious(-EINVAL));
perm = mdt_identity_get_perm(uc->mu_identity, remote,
req->rq_peer.nid);
if (!(perm & CFS_RMTACL_PERM))
GOTO(out, rc = err_serious(-EPERM));
rc = mo_permission(info->mti_env, NULL, next, NULL,
MAY_RGETFACL);
if (rc)
GOTO(out, rc = err_serious(rc));
}
easize = mdt_getxattr_pack_reply(info);
if (easize < 0)
GOTO(out, rc = err_serious(easize));
repbody = req_capsule_server_get(info->mti_pill, &RMF_MDT_BODY);
LASSERT(repbody != NULL);
/* No need further getxattr. */
if (easize == 0 || reqbody->eadatasize == 0)
GOTO(out, rc = easize);
buf = &info->mti_buf;
buf->lb_buf = req_capsule_server_get(info->mti_pill, &RMF_EADATA);
buf->lb_len = easize;
if (info->mti_body->valid & OBD_MD_FLXATTR) {
int flags = CFS_IC_NOTHING;
char *xattr_name = req_capsule_client_get(info->mti_pill,
&RMF_NAME);
CDEBUG(D_INODE, "getxattr %s\n", xattr_name);
rc = mo_xattr_get(info->mti_env, next, buf, xattr_name);
if (rc < 0) {
CERROR("getxattr failed: %d\n", rc);
GOTO(out, rc);
}
if (info->mti_body->valid &
(OBD_MD_FLRMTLSETFACL | OBD_MD_FLRMTLGETFACL))
flags = CFS_IC_ALL;
else if (info->mti_body->valid & OBD_MD_FLRMTRGETFACL)
flags = CFS_IC_MAPPED;
if (rc > 0 && flags != CFS_IC_NOTHING) {
int rc1;
if (unlikely(!remote))
GOTO(out, rc = -EINVAL);
rc1 = lustre_posix_acl_xattr_id2client(uc,
med->med_idmap,
(posix_acl_xattr_header *)(buf->lb_buf),
rc, flags);
if (unlikely(rc1 < 0))
rc = rc1;
}
} else if (info->mti_body->valid & OBD_MD_FLXATTRLS) {
CDEBUG(D_INODE, "listxattr\n");
rc = mo_xattr_list(info->mti_env, next, buf);
if (rc < 0)
CDEBUG(D_INFO, "listxattr failed: %d\n", rc);
} else
LBUG();
EXIT;
out:
if (rc >= 0) {
mdt_counter_incr(req->rq_export, LPROC_MDT_GETXATTR);
repbody->eadatasize = rc;
rc = 0;
}
mdt_exit_ucred(info);
return rc;
}
int mdt_getxattr(struct mdt_thread_info *info)
{
struct ptlrpc_request *req = mdt_info_req(info);
struct mdt_export_data *med = mdt_req2med(req);
struct lu_ucred *uc = lu_ucred(info->mti_env);
struct mdt_body *reqbody;
struct mdt_body *repbody = NULL;
struct md_object *next;
struct lu_buf *buf;
__u32 remote = exp_connect_rmtclient(info->mti_exp);
__u32 perm;
int easize, rc;
obd_valid valid;
ENTRY;
LASSERT(info->mti_object != NULL);
LASSERT(lu_object_assert_exists(&info->mti_object->mot_obj));
CDEBUG(D_INODE, "getxattr "DFID"\n", PFID(&info->mti_body->fid1));
reqbody = req_capsule_client_get(info->mti_pill, &RMF_MDT_BODY);
if (reqbody == NULL)
RETURN(err_serious(-EFAULT));
rc = mdt_init_ucred(info, reqbody);
if (rc)
RETURN(err_serious(rc));
next = mdt_object_child(info->mti_object);
if (info->mti_body->valid & OBD_MD_FLRMTRGETFACL) {
if (unlikely(!remote))
GOTO(out, rc = err_serious(-EINVAL));
perm = mdt_identity_get_perm(uc->uc_identity, remote,
req->rq_peer.nid);
if (!(perm & CFS_RMTACL_PERM))
GOTO(out, rc = err_serious(-EPERM));
rc = mo_permission(info->mti_env, NULL, next, NULL,
MAY_RGETFACL);
if (rc)
GOTO(out, rc = err_serious(rc));
}
easize = mdt_getxattr_pack_reply(info);
if (easize < 0)
GOTO(out, rc = err_serious(easize));
repbody = req_capsule_server_get(info->mti_pill, &RMF_MDT_BODY);
LASSERT(repbody != NULL);
/* No need further getxattr. */
if (easize == 0 || reqbody->eadatasize == 0)
GOTO(out, rc = easize);
buf = &info->mti_buf;
buf->lb_buf = req_capsule_server_get(info->mti_pill, &RMF_EADATA);
buf->lb_len = easize;
valid = info->mti_body->valid & (OBD_MD_FLXATTR | OBD_MD_FLXATTRLS);
if (valid == OBD_MD_FLXATTR) {
char *xattr_name = req_capsule_client_get(info->mti_pill,
&RMF_NAME);
rc = mdt_getxattr_one(info, xattr_name, next, buf, med, uc);
} else if (valid == OBD_MD_FLXATTRLS) {
CDEBUG(D_INODE, "listxattr\n");
rc = mo_xattr_list(info->mti_env, next, buf);
if (rc < 0)
CDEBUG(D_INFO, "listxattr failed: %d\n", rc);
} else if (valid == OBD_MD_FLXATTRALL) {
rc = mdt_getxattr_all(info, reqbody, repbody,
buf, next);
} else
LBUG();
EXIT;
out:
if (rc >= 0) {
mdt_counter_incr(req, LPROC_MDT_GETXATTR);
repbody->eadatasize = rc;
rc = 0;
}
mdt_exit_ucred(info);
return rc;
}
int mdt_handle_idmap(struct mdt_thread_info *info)
{
struct ptlrpc_request *req = mdt_info_req(info);
struct mdt_device *mdt = info->mti_mdt;
struct mdt_export_data *med;
struct ptlrpc_user_desc *pud = req->rq_user_desc;
struct md_identity *identity;
__u32 opc;
int rc = 0;
ENTRY;
if (!req->rq_export)
RETURN(0);
med = mdt_req2med(req);
if (!exp_connect_rmtclient(info->mti_exp))
RETURN(0);
opc = lustre_msg_get_opc(req->rq_reqmsg);
/* Bypass other opc */
if ((opc != SEC_CTX_INIT) && (opc != SEC_CTX_INIT_CONT) &&
(opc != SEC_CTX_FINI) && (opc != MDS_CONNECT))
RETURN(0);
LASSERT(med->med_idmap);
if (unlikely(!pud)) {
CDEBUG(D_SEC, "remote client must run with rq_user_desc "
"present\n");
RETURN(-EACCES);
}
if (req->rq_auth_mapped_uid == INVALID_UID) {
CDEBUG(D_SEC, "invalid authorized mapped uid, please check "
"/etc/lustre/idmap.conf!\n");
RETURN(-EACCES);
}
if (is_identity_get_disabled(mdt->mdt_identity_cache)) {
CDEBUG(D_SEC, "remote client must run with identity_get "
"enabled!\n");
RETURN(-EACCES);
}
identity = mdt_identity_get(mdt->mdt_identity_cache,
req->rq_auth_mapped_uid);
if (IS_ERR(identity)) {
CDEBUG(D_SEC, "can't get mdt identity(%u), no mapping added\n",
req->rq_auth_mapped_uid);
RETURN(-EACCES);
}
switch (opc) {
case SEC_CTX_INIT:
case SEC_CTX_INIT_CONT:
case MDS_CONNECT:
rc = lustre_idmap_add(med->med_idmap,
pud->pud_uid, identity->mi_uid,
pud->pud_gid, identity->mi_gid);
break;
case SEC_CTX_FINI:
rc = lustre_idmap_del(med->med_idmap,
pud->pud_uid, identity->mi_uid,
pud->pud_gid, identity->mi_gid);
break;
}
mdt_identity_put(mdt->mdt_identity_cache, identity);
if (rc)
RETURN(rc);
switch (opc) {
case SEC_CTX_INIT:
case SEC_CTX_INIT_CONT:
case SEC_CTX_FINI:
mdt_revoke_export_locks(req->rq_export);
break;
}
RETURN(0);
}
