static int mdt_getxattr_all(struct mdt_thread_info *info, struct mdt_body *reqbody, struct mdt_body *repbody, struct lu_buf *buf, struct md_object *next) { const struct lu_env *env = info->mti_env; struct ptlrpc_request *req = mdt_info_req(info); struct mdt_export_data *med = mdt_req2med(req); struct lu_ucred *uc = mdt_ucred(info); char *v, *b, *eadatahead, *eadatatail; __u32 *sizes; int eadatasize, eavallen = 0, eavallens = 0, rc; ENTRY; /* * The format of the pill is the following: * EADATA: attr1\0attr2\0...attrn\0 * EAVALS: val1val2...valn * EAVALS_LENS: 4,4,...4 */ eadatahead = buf->lb_buf; /* Fill out EADATA first */ eadatasize = mo_xattr_list(env, next, buf); if (eadatasize < 0) GOTO(out, rc = eadatasize); eadatatail = eadatahead + eadatasize; v = req_capsule_server_get(info->mti_pill, &RMF_EAVALS); sizes = req_capsule_server_get(info->mti_pill, &RMF_EAVALS_LENS); /* Fill out EAVALS and EAVALS_LENS */ for (b = eadatahead; b < eadatatail; b += strlen(b) + 1, v += rc) { buf->lb_buf = v; buf->lb_len = reqbody->eadatasize - eavallen; rc = mdt_getxattr_one(info, b, next, buf, med, uc); if (rc < 0) GOTO(out, rc); sizes[eavallens] = rc; eavallens++; eavallen += rc; } repbody->aclsize = eavallen; repbody->max_mdsize = eavallens; req_capsule_shrink(info->mti_pill, &RMF_EAVALS, eavallen, RCL_SERVER); req_capsule_shrink(info->mti_pill, &RMF_EAVALS_LENS, eavallens * sizeof(__u32), RCL_SERVER); req_capsule_shrink(info->mti_pill, &RMF_EADATA, eadatasize, RCL_SERVER); GOTO(out, rc = eadatasize); out: return rc; }
int ptlrpc_user_desc_do_idmap(struct ptlrpc_request *req, struct ptlrpc_user_desc *pud) { struct mdt_export_data *med = mdt_req2med(req); struct lustre_idmap_table *idmap = med->med_idmap; uid_t uid, fsuid; gid_t gid, fsgid; /* Only remote client need desc_to_idmap. */ if (!exp_connect_rmtclient(req->rq_export)) return 0; uid = lustre_idmap_lookup_uid(NULL, idmap, 0, pud->pud_uid); if (uid == CFS_IDMAP_NOTFOUND) { CDEBUG(D_SEC, "no mapping for uid %u\n", pud->pud_uid); return -EACCES; } if (pud->pud_uid == pud->pud_fsuid) { fsuid = uid; } else { fsuid = lustre_idmap_lookup_uid(NULL, idmap, 0, pud->pud_fsuid); if (fsuid == CFS_IDMAP_NOTFOUND) { CDEBUG(D_SEC, "no mapping for fsuid %u\n", pud->pud_fsuid); return -EACCES; } } gid = lustre_idmap_lookup_gid(NULL, idmap, 0, pud->pud_gid); if (gid == CFS_IDMAP_NOTFOUND) { CDEBUG(D_SEC, "no mapping for gid %u\n", pud->pud_gid); return -EACCES; } if (pud->pud_gid == pud->pud_fsgid) { fsgid = gid; } else { fsgid = lustre_idmap_lookup_gid(NULL, idmap, 0, pud->pud_fsgid); if (fsgid == CFS_IDMAP_NOTFOUND) { CDEBUG(D_SEC, "no mapping for fsgid %u\n", pud->pud_fsgid); return -EACCES; } } pud->pud_uid = uid; pud->pud_gid = gid; pud->pud_fsuid = fsuid; pud->pud_fsgid = fsgid; return 0; }
/* Do not ignore root_squash for non-setattr case. */ int mdt_fix_attr_ucred(struct mdt_thread_info *info, __u32 op) { struct ptlrpc_request *req = mdt_info_req(info); struct md_ucred *uc = mdt_ucred(info); struct lu_attr *attr = &info->mti_attr.ma_attr; struct mdt_export_data *med = mdt_req2med(req); struct lustre_idmap_table *idmap = med->med_idmap; if ((uc->mu_valid != UCRED_OLD) && (uc->mu_valid != UCRED_NEW)) return -EINVAL; if (op != REINT_SETATTR) { if ((attr->la_valid & LA_UID) && (attr->la_uid != -1)) attr->la_uid = uc->mu_fsuid; /* for S_ISGID, inherit gid from his parent, such work will be * done in cmm/mdd layer, here set all cases as uc->mu_fsgid. */ if ((attr->la_valid & LA_GID) && (attr->la_gid != -1)) attr->la_gid = uc->mu_fsgid; } else if (exp_connect_rmtclient(info->mti_exp)) { /* NB: -1 case will be handled by mdt_fix_attr() later. */ if ((attr->la_valid & LA_UID) && (attr->la_uid != -1)) { uid_t uid = lustre_idmap_lookup_uid(uc, idmap, 0, attr->la_uid); if (uid == CFS_IDMAP_NOTFOUND) { CDEBUG(D_SEC, "Deny chown to uid %u\n", attr->la_uid); return -EPERM; } attr->la_uid = uid; } if ((attr->la_valid & LA_GID) && (attr->la_gid != -1)) { gid_t gid = lustre_idmap_lookup_gid(uc, idmap, 0, attr->la_gid); if (gid == CFS_IDMAP_NOTFOUND) { CDEBUG(D_SEC, "Deny chown to gid %u\n", attr->la_gid); return -EPERM; } attr->la_gid = gid; } } return 0; }
static int mdt_rmtlsetfacl(struct mdt_thread_info *info, struct md_object *next, const char *xattr_name, ext_acl_xattr_header *header, posix_acl_xattr_header **out) { struct ptlrpc_request *req = mdt_info_req(info); struct mdt_export_data *med = mdt_req2med(req); struct md_ucred *uc = mdt_ucred(info); struct lu_buf *buf = &info->mti_buf; int rc; ENTRY; rc = lustre_ext_acl_xattr_id2server(uc, med->med_idmap, header); if (rc) RETURN(rc); rc = mo_xattr_get(info->mti_env, next, &LU_BUF_NULL, xattr_name); if (rc == -ENODATA) rc = 0; else if (rc < 0) RETURN(rc); buf->lb_len = rc; if (buf->lb_len > 0) { OBD_ALLOC_LARGE(buf->lb_buf, buf->lb_len); if (unlikely(buf->lb_buf == NULL)) RETURN(-ENOMEM); rc = mo_xattr_get(info->mti_env, next, buf, xattr_name); if (rc < 0) { CERROR("getxattr failed: %d\n", rc); GOTO(_out, rc); } } else buf->lb_buf = NULL; rc = lustre_acl_xattr_merge2posix((posix_acl_xattr_header *)(buf->lb_buf), buf->lb_len, header, out); EXIT; _out: if (rc <= 0 && buf->lb_buf != NULL) OBD_FREE_LARGE(buf->lb_buf, buf->lb_len); return rc; }
int mdt_init_idmap(struct tgt_session_info *tsi) { struct ptlrpc_request *req = tgt_ses_req(tsi); struct mdt_export_data *med = mdt_req2med(req); struct obd_export *exp = req->rq_export; char *client = libcfs_nid2str(req->rq_peer.nid); int rc = 0; ENTRY; if (exp_connect_rmtclient(exp)) { mutex_lock(&med->med_idmap_mutex); if (!med->med_idmap) med->med_idmap = lustre_idmap_init(); mutex_unlock(&med->med_idmap_mutex); if (IS_ERR(med->med_idmap)) { long err = PTR_ERR(med->med_idmap); med->med_idmap = NULL; CERROR("%s: client %s -> target %s " "failed to init idmap [%ld]!\n", tgt_name(tsi->tsi_tgt), client, tgt_name(tsi->tsi_tgt), err); RETURN(err); } else if (!med->med_idmap) { CERROR("%s: client %s -> target %s " "failed to init(2) idmap!\n", tgt_name(tsi->tsi_tgt), client, tgt_name(tsi->tsi_tgt)); RETURN(-ENOMEM); } CDEBUG(D_SEC, "%s: client %s -> target %s is remote.\n", tgt_name(tsi->tsi_tgt), client, tgt_name(tsi->tsi_tgt)); /* NB, MDS_CONNECT establish root idmap too! */ rc = mdt_handle_idmap(tsi); } RETURN(rc); }
/* * Reverse mapping */ void mdt_body_reverse_idmap(struct mdt_thread_info *info, struct mdt_body *body) { struct ptlrpc_request *req = mdt_info_req(info); struct lu_ucred *uc = mdt_ucred(info); struct mdt_export_data *med = mdt_req2med(req); struct lustre_idmap_table *idmap = med->med_idmap; if (!exp_connect_rmtclient(info->mti_exp)) return; if (body->mbo_valid & OBD_MD_FLUID) { uid_t uid; uid = lustre_idmap_lookup_uid(uc, idmap, 1, body->mbo_uid); if (uid == CFS_IDMAP_NOTFOUND) { uid = NOBODY_UID; if (body->mbo_valid & OBD_MD_FLMODE) body->mbo_mode = (body->mbo_mode & ~S_IRWXU) | ((body->mbo_mode & S_IRWXO) << 6); } body->mbo_uid = uid; } if (body->mbo_valid & OBD_MD_FLGID) { gid_t gid; gid = lustre_idmap_lookup_gid(uc, idmap, 1, body->mbo_gid); if (gid == CFS_IDMAP_NOTFOUND) { gid = NOBODY_GID; if (body->mbo_valid & OBD_MD_FLMODE) body->mbo_mode = (body->mbo_mode & ~S_IRWXG) | ((body->mbo_mode & S_IRWXO) << 3); } body->mbo_gid = gid; } }
int mdt_init_idmap(struct mdt_thread_info *info) { struct ptlrpc_request *req = mdt_info_req(info); struct mdt_export_data *med = mdt_req2med(req); struct obd_export *exp = req->rq_export; char *client = libcfs_nid2str(req->rq_peer.nid); struct obd_device *obd = exp->exp_obd; int rc = 0; ENTRY; if (exp_connect_rmtclient(exp)) { cfs_down(&med->med_idmap_sem); if (!med->med_idmap) med->med_idmap = lustre_idmap_init(); cfs_up(&med->med_idmap_sem); if (IS_ERR(med->med_idmap)) { long err = PTR_ERR(med->med_idmap); med->med_idmap = NULL; CERROR("client %s -> target %s " "failed to init idmap [%ld]!\n", client, obd->obd_name, err); RETURN(err); } else if (!med->med_idmap) { CERROR("client %s -> target %s " "failed to init(2) idmap!\n", client, obd->obd_name); RETURN(-ENOMEM); } CDEBUG(D_SEC, "client %s -> target %s is remote.\n", client, obd->obd_name); /* NB, MDS_CONNECT establish root idmap too! */ rc = mdt_handle_idmap(info); } RETURN(rc); }
int mdt_getxattr(struct mdt_thread_info *info) { struct ptlrpc_request *req = mdt_info_req(info); struct mdt_export_data *med = mdt_req2med(req); struct md_ucred *uc = mdt_ucred(info); struct mdt_body *reqbody; struct mdt_body *repbody = NULL; struct md_object *next; struct lu_buf *buf; __u32 remote = exp_connect_rmtclient(info->mti_exp); __u32 perm; int easize, rc; ENTRY; LASSERT(info->mti_object != NULL); LASSERT(lu_object_assert_exists(&info->mti_object->mot_obj.mo_lu)); CDEBUG(D_INODE, "getxattr "DFID"\n", PFID(&info->mti_body->fid1)); reqbody = req_capsule_client_get(info->mti_pill, &RMF_MDT_BODY); if (reqbody == NULL) RETURN(err_serious(-EFAULT)); rc = mdt_init_ucred(info, reqbody); if (rc) RETURN(err_serious(rc)); next = mdt_object_child(info->mti_object); if (info->mti_body->valid & OBD_MD_FLRMTRGETFACL) { if (unlikely(!remote)) GOTO(out, rc = err_serious(-EINVAL)); perm = mdt_identity_get_perm(uc->mu_identity, remote, req->rq_peer.nid); if (!(perm & CFS_RMTACL_PERM)) GOTO(out, rc = err_serious(-EPERM)); rc = mo_permission(info->mti_env, NULL, next, NULL, MAY_RGETFACL); if (rc) GOTO(out, rc = err_serious(rc)); } easize = mdt_getxattr_pack_reply(info); if (easize < 0) GOTO(out, rc = err_serious(easize)); repbody = req_capsule_server_get(info->mti_pill, &RMF_MDT_BODY); LASSERT(repbody != NULL); /* No need further getxattr. */ if (easize == 0 || reqbody->eadatasize == 0) GOTO(out, rc = easize); buf = &info->mti_buf; buf->lb_buf = req_capsule_server_get(info->mti_pill, &RMF_EADATA); buf->lb_len = easize; if (info->mti_body->valid & OBD_MD_FLXATTR) { int flags = CFS_IC_NOTHING; char *xattr_name = req_capsule_client_get(info->mti_pill, &RMF_NAME); CDEBUG(D_INODE, "getxattr %s\n", xattr_name); rc = mo_xattr_get(info->mti_env, next, buf, xattr_name); if (rc < 0) { CERROR("getxattr failed: %d\n", rc); GOTO(out, rc); } if (info->mti_body->valid & (OBD_MD_FLRMTLSETFACL | OBD_MD_FLRMTLGETFACL)) flags = CFS_IC_ALL; else if (info->mti_body->valid & OBD_MD_FLRMTRGETFACL) flags = CFS_IC_MAPPED; if (rc > 0 && flags != CFS_IC_NOTHING) { int rc1; if (unlikely(!remote)) GOTO(out, rc = -EINVAL); rc1 = lustre_posix_acl_xattr_id2client(uc, med->med_idmap, (posix_acl_xattr_header *)(buf->lb_buf), rc, flags); if (unlikely(rc1 < 0)) rc = rc1; } } else if (info->mti_body->valid & OBD_MD_FLXATTRLS) { CDEBUG(D_INODE, "listxattr\n"); rc = mo_xattr_list(info->mti_env, next, buf); if (rc < 0) CDEBUG(D_INFO, "listxattr failed: %d\n", rc); } else LBUG(); EXIT; out: if (rc >= 0) { mdt_counter_incr(req->rq_export, LPROC_MDT_GETXATTR); repbody->eadatasize = rc; rc = 0; } mdt_exit_ucred(info); return rc; }
int mdt_getxattr(struct mdt_thread_info *info) { struct ptlrpc_request *req = mdt_info_req(info); struct mdt_export_data *med = mdt_req2med(req); struct lu_ucred *uc = lu_ucred(info->mti_env); struct mdt_body *reqbody; struct mdt_body *repbody = NULL; struct md_object *next; struct lu_buf *buf; __u32 remote = exp_connect_rmtclient(info->mti_exp); __u32 perm; int easize, rc; obd_valid valid; ENTRY; LASSERT(info->mti_object != NULL); LASSERT(lu_object_assert_exists(&info->mti_object->mot_obj)); CDEBUG(D_INODE, "getxattr "DFID"\n", PFID(&info->mti_body->fid1)); reqbody = req_capsule_client_get(info->mti_pill, &RMF_MDT_BODY); if (reqbody == NULL) RETURN(err_serious(-EFAULT)); rc = mdt_init_ucred(info, reqbody); if (rc) RETURN(err_serious(rc)); next = mdt_object_child(info->mti_object); if (info->mti_body->valid & OBD_MD_FLRMTRGETFACL) { if (unlikely(!remote)) GOTO(out, rc = err_serious(-EINVAL)); perm = mdt_identity_get_perm(uc->uc_identity, remote, req->rq_peer.nid); if (!(perm & CFS_RMTACL_PERM)) GOTO(out, rc = err_serious(-EPERM)); rc = mo_permission(info->mti_env, NULL, next, NULL, MAY_RGETFACL); if (rc) GOTO(out, rc = err_serious(rc)); } easize = mdt_getxattr_pack_reply(info); if (easize < 0) GOTO(out, rc = err_serious(easize)); repbody = req_capsule_server_get(info->mti_pill, &RMF_MDT_BODY); LASSERT(repbody != NULL); /* No need further getxattr. */ if (easize == 0 || reqbody->eadatasize == 0) GOTO(out, rc = easize); buf = &info->mti_buf; buf->lb_buf = req_capsule_server_get(info->mti_pill, &RMF_EADATA); buf->lb_len = easize; valid = info->mti_body->valid & (OBD_MD_FLXATTR | OBD_MD_FLXATTRLS); if (valid == OBD_MD_FLXATTR) { char *xattr_name = req_capsule_client_get(info->mti_pill, &RMF_NAME); rc = mdt_getxattr_one(info, xattr_name, next, buf, med, uc); } else if (valid == OBD_MD_FLXATTRLS) { CDEBUG(D_INODE, "listxattr\n"); rc = mo_xattr_list(info->mti_env, next, buf); if (rc < 0) CDEBUG(D_INFO, "listxattr failed: %d\n", rc); } else if (valid == OBD_MD_FLXATTRALL) { rc = mdt_getxattr_all(info, reqbody, repbody, buf, next); } else LBUG(); EXIT; out: if (rc >= 0) { mdt_counter_incr(req, LPROC_MDT_GETXATTR); repbody->eadatasize = rc; rc = 0; } mdt_exit_ucred(info); return rc; }
int mdt_handle_idmap(struct mdt_thread_info *info) { struct ptlrpc_request *req = mdt_info_req(info); struct mdt_device *mdt = info->mti_mdt; struct mdt_export_data *med; struct ptlrpc_user_desc *pud = req->rq_user_desc; struct md_identity *identity; __u32 opc; int rc = 0; ENTRY; if (!req->rq_export) RETURN(0); med = mdt_req2med(req); if (!exp_connect_rmtclient(info->mti_exp)) RETURN(0); opc = lustre_msg_get_opc(req->rq_reqmsg); /* Bypass other opc */ if ((opc != SEC_CTX_INIT) && (opc != SEC_CTX_INIT_CONT) && (opc != SEC_CTX_FINI) && (opc != MDS_CONNECT)) RETURN(0); LASSERT(med->med_idmap); if (unlikely(!pud)) { CDEBUG(D_SEC, "remote client must run with rq_user_desc " "present\n"); RETURN(-EACCES); } if (req->rq_auth_mapped_uid == INVALID_UID) { CDEBUG(D_SEC, "invalid authorized mapped uid, please check " "/etc/lustre/idmap.conf!\n"); RETURN(-EACCES); } if (is_identity_get_disabled(mdt->mdt_identity_cache)) { CDEBUG(D_SEC, "remote client must run with identity_get " "enabled!\n"); RETURN(-EACCES); } identity = mdt_identity_get(mdt->mdt_identity_cache, req->rq_auth_mapped_uid); if (IS_ERR(identity)) { CDEBUG(D_SEC, "can't get mdt identity(%u), no mapping added\n", req->rq_auth_mapped_uid); RETURN(-EACCES); } switch (opc) { case SEC_CTX_INIT: case SEC_CTX_INIT_CONT: case MDS_CONNECT: rc = lustre_idmap_add(med->med_idmap, pud->pud_uid, identity->mi_uid, pud->pud_gid, identity->mi_gid); break; case SEC_CTX_FINI: rc = lustre_idmap_del(med->med_idmap, pud->pud_uid, identity->mi_uid, pud->pud_gid, identity->mi_gid); break; } mdt_identity_put(mdt->mdt_identity_cache, identity); if (rc) RETURN(rc); switch (opc) { case SEC_CTX_INIT: case SEC_CTX_INIT_CONT: case SEC_CTX_FINI: mdt_revoke_export_locks(req->rq_export); break; } RETURN(0); }