diff options
| -rw-r--r-- | config/spl-build.m4 | 33 | ||||
| -rwxr-xr-x | configure | 214 | ||||
| -rw-r--r-- | include/splat-ctl.h | 1 | ||||
| -rw-r--r-- | include/sys/cred.h | 76 | ||||
| -rw-r--r-- | include/sys/debug.h | 1 | ||||
| -rw-r--r-- | module/spl/Makefile.in | 1 | ||||
| -rw-r--r-- | module/spl/spl-cred.c | 308 | ||||
| -rw-r--r-- | module/spl/spl-debug.c | 2 | ||||
| -rw-r--r-- | module/splat/Makefile.in | 1 | ||||
| -rw-r--r-- | module/splat/splat-cred.c | 247 | ||||
| -rw-r--r-- | module/splat/splat-ctl.c | 2 | ||||
| -rw-r--r-- | module/splat/splat-internal.h | 3 | ||||
| -rw-r--r-- | spl_config.h.in | 6 |
13 files changed, 839 insertions, 56 deletions
diff --git a/config/spl-build.m4 b/config/spl-build.m4 index 35cc8e401..79fcd2548 100644 --- a/config/spl-build.m4 +++ b/config/spl-build.m4 @@ -64,6 +64,8 @@ AC_DEFUN([SPL_AC_CONFIG_KERNEL], [ SPL_AC_ZONE_STAT_ITEM_FIA SPL_AC_2ARGS_VFS_UNLINK SPL_AC_4ARGS_VFS_RENAME + SPL_AC_CRED_STRUCT + SPL_AC_GROUPS_SEARCH ]) AC_DEFUN([SPL_AC_MODULE_SYMVERS], [ @@ -1099,3 +1101,34 @@ AC_DEFUN([SPL_AC_4ARGS_VFS_RENAME], AC_MSG_RESULT(no) ]) ]) + +dnl # +dnl # 2.6.29 API change, +dnl # check whether 'struct cred' exists +dnl # +AC_DEFUN([SPL_AC_CRED_STRUCT], [ + AC_MSG_CHECKING([whether struct cred exists]) + SPL_LINUX_TRY_COMPILE([ + #include <linux/cred.h> + ],[ + struct cred *cr; + cr = NULL; + ],[ + AC_MSG_RESULT(yes) + AC_DEFINE(HAVE_CRED_STRUCT, 1, [struct cred exists]) + ],[ + AC_MSG_RESULT(no) + ]) +]) + +dnl # +dnl # Custom SPL patch may export this symbol +dnl # +AC_DEFUN([SPL_AC_GROUPS_SEARCH], [ + SPL_CHECK_SYMBOL_EXPORT( + [groups_search], + [], + [AC_DEFINE(HAVE_GROUPS_SEARCH, 1, + [groups_search() is available])], + []) +]) @@ -21342,6 +21342,113 @@ fi + + echo "$as_me:$LINENO: checking whether struct cred exists" >&5 +echo $ECHO_N "checking whether struct cred exists... $ECHO_C" >&6 + + +cat >conftest.c <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF +/* end confdefs.h. */ + + + #include <linux/cred.h> + +int +main (void) +{ + + struct cred *cr; + cr = NULL; + + ; + return 0; +} + +_ACEOF + + + rm -Rf build && mkdir -p build + echo "obj-m := conftest.o" >build/Makefile + if { ac_try='cp conftest.c build && make modules -C $LINUX_OBJ EXTRA_CFLAGS="-Werror-implicit-function-declaration $EXTRA_KCFLAGS" $ARCH_UM M=$PWD/build' + { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5 + (eval $ac_try) 2>&5 + ac_status=$? + echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); }; } >/dev/null && { ac_try='test -s build/conftest.o' + { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5 + (eval $ac_try) 2>&5 + ac_status=$? + echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); }; }; then + + echo "$as_me:$LINENO: result: yes" >&5 +echo "${ECHO_T}yes" >&6 + +cat >>confdefs.h <<\_ACEOF +#define HAVE_CRED_STRUCT 1 +_ACEOF + + +else + echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + + echo "$as_me:$LINENO: result: no" >&5 +echo "${ECHO_T}no" >&6 + + + +fi + + rm -Rf build + + + + + echo "$as_me:$LINENO: checking whether symbol groups_search is exported" >&5 +echo $ECHO_N "checking whether symbol groups_search is exported... $ECHO_C" >&6 + grep -q -E '[[:space:]]groups_search[[:space:]]' \ + $LINUX_OBJ/Module*.symvers 2>/dev/null + rc=$? + if test $rc -ne 0; then + export=0 + for file in ; do + grep -q -E "EXPORT_SYMBOL.*(groups_search)" \ + "$LINUX_OBJ/$file" 2>/dev/null + rc=$? + if test $rc -eq 0; then + export=1 + break; + fi + done + if test $export -eq 0; then + echo "$as_me:$LINENO: result: no" >&5 +echo "${ECHO_T}no" >&6 + + else + echo "$as_me:$LINENO: result: yes" >&5 +echo "${ECHO_T}yes" >&6 + +cat >>confdefs.h <<\_ACEOF +#define HAVE_GROUPS_SEARCH 1 +_ACEOF + + fi + else + echo "$as_me:$LINENO: result: yes" >&5 +echo "${ECHO_T}yes" >&6 + +cat >>confdefs.h <<\_ACEOF +#define HAVE_GROUPS_SEARCH 1 +_ACEOF + + fi + + ;; user) ;; all) @@ -23736,6 +23843,113 @@ fi + echo "$as_me:$LINENO: checking whether struct cred exists" >&5 +echo $ECHO_N "checking whether struct cred exists... $ECHO_C" >&6 + + +cat >conftest.c <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF +/* end confdefs.h. */ + + + #include <linux/cred.h> + +int +main (void) +{ + + struct cred *cr; + cr = NULL; + + ; + return 0; +} + +_ACEOF + + + rm -Rf build && mkdir -p build + echo "obj-m := conftest.o" >build/Makefile + if { ac_try='cp conftest.c build && make modules -C $LINUX_OBJ EXTRA_CFLAGS="-Werror-implicit-function-declaration $EXTRA_KCFLAGS" $ARCH_UM M=$PWD/build' + { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5 + (eval $ac_try) 2>&5 + ac_status=$? + echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); }; } >/dev/null && { ac_try='test -s build/conftest.o' + { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5 + (eval $ac_try) 2>&5 + ac_status=$? + echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); }; }; then + + echo "$as_me:$LINENO: result: yes" >&5 +echo "${ECHO_T}yes" >&6 + +cat >>confdefs.h <<\_ACEOF +#define HAVE_CRED_STRUCT 1 +_ACEOF + + +else + echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + + echo "$as_me:$LINENO: result: no" >&5 +echo "${ECHO_T}no" >&6 + + + +fi + + rm -Rf build + + + + + echo "$as_me:$LINENO: checking whether symbol groups_search is exported" >&5 +echo $ECHO_N "checking whether symbol groups_search is exported... $ECHO_C" >&6 + grep -q -E '[[:space:]]groups_search[[:space:]]' \ + $LINUX_OBJ/Module*.symvers 2>/dev/null + rc=$? + if test $rc -ne 0; then + export=0 + for file in ; do + grep -q -E "EXPORT_SYMBOL.*(groups_search)" \ + "$LINUX_OBJ/$file" 2>/dev/null + rc=$? + if test $rc -eq 0; then + export=1 + break; + fi + done + if test $export -eq 0; then + echo "$as_me:$LINENO: result: no" >&5 +echo "${ECHO_T}no" >&6 + + else + echo "$as_me:$LINENO: result: yes" >&5 +echo "${ECHO_T}yes" >&6 + +cat >>confdefs.h <<\_ACEOF +#define HAVE_GROUPS_SEARCH 1 +_ACEOF + + fi + else + echo "$as_me:$LINENO: result: yes" >&5 +echo "${ECHO_T}yes" >&6 + +cat >>confdefs.h <<\_ACEOF +#define HAVE_GROUPS_SEARCH 1 +_ACEOF + + fi + + + ;; *) echo "$as_me:$LINENO: result: Error!" >&5 diff --git a/include/splat-ctl.h b/include/splat-ctl.h index 7f49b9fff..fc68395e8 100644 --- a/include/splat-ctl.h +++ b/include/splat-ctl.h @@ -105,6 +105,7 @@ typedef struct splat_cmd { #define SPLAT_SUBSYSTEM_ATOMIC 0x0b00 #define SPLAT_SUBSYSTEM_LIST 0x0c00 #define SPLAT_SUBSYSTEM_GENERIC 0x0d00 +#define SPLAT_SUBSYSTEM_CRED 0x0e00 #define SPLAT_SUBSYSTEM_UNKNOWN 0xff00 #endif /* _SPLAT_CTL_H */ diff --git a/include/sys/cred.h b/include/sys/cred.h index 47eeda2cb..9717b66bc 100644 --- a/include/sys/cred.h +++ b/include/sys/cred.h @@ -9,69 +9,33 @@ extern "C" { #include <sys/types.h> #include <sys/vfs.h> -/* XXX - Portions commented out because we really just want to have the type - * defined and the contents aren't nearly so important at the moment. */ -typedef struct cred { - uint_t cr_ref; /* reference count */ - uid_t cr_uid; /* effective user id */ - gid_t cr_gid; /* effective group id */ - uid_t cr_ruid; /* real user id */ - gid_t cr_rgid; /* real group id */ - uid_t cr_suid; /* "saved" user id (from exec) */ - gid_t cr_sgid; /* "saved" group id (from exec) */ - uint_t cr_ngroups; /* number of groups returned by */ - /* crgroups() */ -#if 0 - cred_priv_t cr_priv; /* privileges */ - projid_t cr_projid; /* project */ - struct zone *cr_zone; /* pointer to per-zone structure */ - struct ts_label_s *cr_label; /* pointer to the effective label */ - credsid_t *cr_ksid; /* pointer to SIDs */ -#endif - gid_t cr_groups[1]; /* cr_groups size not fixed */ - /* audit info is defined dynamically */ - /* and valid only when audit enabled */ - /* auditinfo_addr_t cr_auinfo; audit info */ -} cred_t; +#ifdef HAVE_CRED_STRUCT -#define kcred NULL -#define CRED() NULL +typedef struct cred cred_t; -static __inline__ uid_t -crgetuid(cred_t *cr) -{ - return 0; -} +#define kcred ((cred_t *)(init_task.cred)) +#define CRED() ((cred_t *)current_cred()) -static __inline__ gid_t -crgetgid(cred_t *cr) -{ - return 0; -} +#else -static __inline__ int -crgetngroups(cred_t *cr) -{ - return 0; -} +typedef struct task_struct cred_t; -static __inline__ gid_t * -crgetgroups(cred_t *cr) -{ - return NULL; -} - -static __inline__ int -groupmember(gid_t gid, const cred_t *cr) -{ - /* Primary group check */ - if ((cr) && (gid == cr->cr_gid)) - return 1; +#define kcred ((cred_t *)&init_task) +#define CRED() ((cred_t *)current) - /* Supplemental group check (unsupported) */ - return 0; -} +#endif /* HAVE_CRED_STRUCT */ +extern void crhold(cred_t *cr); +extern void crfree(cred_t *cr); +extern uid_t crgetuid(const cred_t *cr); +extern uid_t crgetruid(const cred_t *cr); +extern uid_t crgetsuid(const cred_t *cr); +extern gid_t crgetgid(const cred_t *cr); +extern gid_t crgetrgid(const cred_t *cr); +extern gid_t crgetsgid(const cred_t *cr); +extern int crgetngroups(const cred_t *cr); +extern gid_t * crgetgroups(const cred_t *cr); +extern int groupmember(gid_t gid, const cred_t *cr); #ifdef __cplusplus } diff --git a/include/sys/debug.h b/include/sys/debug.h index f19231b90..8da76863c 100644 --- a/include/sys/debug.h +++ b/include/sys/debug.h @@ -53,6 +53,7 @@ extern unsigned long spl_debug_subsys; #define S_GENERIC 0x00002000 #define S_PROC 0x00004000 #define S_MODULE 0x00008000 +#define S_CRED 0x00010000 #define D_TRACE 0x00000001 #define D_INFO 0x00000002 diff --git a/module/spl/Makefile.in b/module/spl/Makefile.in index e9c8d3470..ad29af406 100644 --- a/module/spl/Makefile.in +++ b/module/spl/Makefile.in @@ -23,3 +23,4 @@ spl-objs += spl-mutex.o spl-objs += spl-kstat.o spl-objs += spl-condvar.o spl-objs += spl-xdr.o +spl-objs += spl-cred.o diff --git a/module/spl/spl-cred.c b/module/spl/spl-cred.c new file mode 100644 index 000000000..c5994aa20 --- /dev/null +++ b/module/spl/spl-cred.c @@ -0,0 +1,308 @@ +/* + * This file is part of the SPL: Solaris Porting Layer. + * + * Copyright (c) 2009 Lawrence Livermore National Security, LLC. + * Produced at Lawrence Livermore National Laboratory + * Written by: + * Brian Behlendorf <[email protected]>, + * UCRL-CODE-235197 + * + * This is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * This is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or + * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + * + * You should have received a copy of the GNU General Public License along + * with this program; if not, write to the Free Software Foundation, Inc., + * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. + */ + +#include <sys/cred.h> + +#ifdef DEBUG_SUBSYSTEM +#undef DEBUG_SUBSYSTEM +#endif + +#define DEBUG_SUBSYSTEM S_CRED + +#ifdef HAVE_GROUPS_SEARCH +/* Symbol may be exported by custom kernel patch */ +#define cr_groups_search(gi, grp) groups_search(gi, grp) +#else +/* Implementation from 2.6.30 kernel */ +static int +cr_groups_search(const struct group_info *group_info, gid_t grp) +{ + unsigned int left, right; + + if (!group_info) + return 0; + + left = 0; + right = group_info->ngroups; + while (left < right) { + unsigned int mid = (left+right)/2; + int cmp = grp - GROUP_AT(group_info, mid); + if (cmp > 0) + left = mid + 1; + else if (cmp < 0) + right = mid; + else + return 1; + } + return 0; +} +#endif + +#ifdef HAVE_CRED_STRUCT + +/* + * As of 2.6.29 a clean credential API appears in the linux kernel. + * We attempt to layer the Solaris API on top of the linux API. + */ + +/* Hold a reference on the credential and group info */ +void +crhold(cred_t *cr) +{ + (void)get_cred((const cred_t *)cr); + (void)get_group_info(cr->group_info); +} + +/* Free a reference on the credential and group info */ +void +crfree(cred_t *cr) +{ + put_group_info(cr->group_info); + put_cred((const cred_t *)cr); +} + +/* Return the effective user id */ +uid_t +crgetuid(const cred_t *cr) +{ + return cr->euid; +} + +/* Return the real user id */ +uid_t +crgetruid(const cred_t *cr) +{ + return cr->uid; +} + +/* Return the saved user id */ +uid_t +crgetsuid(const cred_t *cr) +{ + return cr->suid; +} + +/* Return the effective group id */ +gid_t +crgetgid(const cred_t *cr) +{ + return cr->egid; +} + +/* Return the real group id */ +gid_t +crgetrgid(const cred_t *cr) +{ + return cr->gid; +} + +/* Return the saved group id */ +gid_t +crgetsgid(const cred_t *cr) +{ + return cr->sgid; +} + +/* Return the number of supplemental groups */ +int +crgetngroups(const cred_t *cr) +{ + struct group_info *gi; + int rc; + + gi = get_group_info(cr->group_info); + rc = gi->ngroups; + put_group_info(gi); + + return rc; +} + +/* + * Return an array of supplemental gids. The returned address is safe + * to use as long as the caller has taken a reference with crhold(). + * The caller is responsible for releasing the reference with crfree(). + */ +gid_t * +crgetgroups(const cred_t *cr) +{ + struct group_info *gi; + gid_t *gids; + + gi = get_group_info(cr->group_info); + gids = gi->blocks[0]; + put_group_info(gi); + + return gids; +} + +/* Check if the passed gid is available is in supplied credential. */ +int +groupmember(gid_t gid, const cred_t *cr) +{ + struct group_info *gi; + int rc; + + gi = get_group_info(cr->group_info); + rc = cr_groups_search(cr->group_info, gid); + put_group_info(gi); + + return rc; +} + +#else /* HAVE_CRED_STRUCT */ + +/* + * Until very recently all credential information was embedded in + * the linux task struct. For this reason to simulate a Solaris + * cred_t we need to pass the entire task structure around. + */ + +/* Hold a reference on the credential and group info */ +void +crhold(cred_t *cr) +{ + get_task_struct(cr); +} + +/* Free a reference on the credential and group info */ +void +crfree(cred_t *cr) +{ + put_task_struct(cr); +} + +/* Return the effective user id */ +uid_t +crgetuid(const cred_t *cr) { + return cr->euid; +} + +/* Return the effective real id */ +uid_t +crgetruid(const cred_t *cr) { + return cr->uid; +} + +/* Return the effective saved id */ +uid_t +crgetsuid(const cred_t *cr) { + return cr->suid; +} + +/* Return the effective group id */ +gid_t +crgetgid(const cred_t *cr) { + return cr->egid; +} + +/* Return the real group id */ +gid_t +crgetrgid(const cred_t *cr) { + return cr->gid; +} + +/* Return the saved group id */ +gid_t +crgetsgid(const cred_t *cr) { + return cr->sgid; +} + +/* Return the number of supplemental groups */ +int +crgetngroups(const cred_t *cr) +{ + int lock, rc; + + lock = (cr != current); + if (lock) + task_lock((struct task_struct *)cr); + + get_group_info(cr->group_info); + rc = cr->group_info->ngroups; + put_group_info(cr->group_info); + + if (lock) + task_unlock((struct task_struct *)cr); + + return rc; +} + +/* + * Return an array of supplemental gids. The returned address is safe + * to use as long as the caller has taken a reference with crhold(). + * The caller is responsible for releasing the reference with crfree(). + */ +gid_t * +crgetgroups(const cred_t *cr) +{ + gid_t *gids; + int lock; + + lock = (cr != current); + if (lock) + task_lock((struct task_struct *)cr); + + get_group_info(cr->group_info); + gids = cr->group_info->blocks[0]; + put_group_info(cr->group_info); + + if (lock) + task_unlock((struct task_struct *)cr); + + return gids; +} + +/* Check if the passed gid is available is in supplied credential. */ +int +groupmember(gid_t gid, const cred_t *cr) +{ + int lock, rc; + + lock = (cr != current); + if (lock) + task_lock((struct task_struct *)cr); + + get_group_info(cr->group_info); + rc = cr_groups_search(cr->group_info, gid); + put_group_info(cr->group_info); + + if (lock) + task_unlock((struct task_struct *)cr); + + return rc; +} + +#endif /* HAVE_CRED_STRUCT */ + +EXPORT_SYMBOL(crhold); +EXPORT_SYMBOL(crfree); +EXPORT_SYMBOL(crgetuid); +EXPORT_SYMBOL(crgetruid); +EXPORT_SYMBOL(crgetsuid); +EXPORT_SYMBOL(crgetgid); +EXPORT_SYMBOL(crgetrgid); +EXPORT_SYMBOL(crgetsgid); +EXPORT_SYMBOL(crgetngroups); +EXPORT_SYMBOL(crgetgroups); +EXPORT_SYMBOL(groupmember); diff --git a/module/spl/spl-debug.c b/module/spl/spl-debug.c index a60740519..6d71f4b82 100644 --- a/module/spl/spl-debug.c +++ b/module/spl/spl-debug.c @@ -157,6 +157,8 @@ spl_debug_subsys2str(int subsys) return "proc"; case S_MODULE: return "module"; + case S_CRED: + return "cred"; } } diff --git a/module/splat/Makefile.in b/module/splat/Makefile.in index c2d4c3f22..2f63b458a 100644 --- a/module/splat/Makefile.in +++ b/module/splat/Makefile.in @@ -20,3 +20,4 @@ splat-objs += splat-kobj.o splat-objs += splat-atomic.o splat-objs += splat-list.o splat-objs += splat-generic.o +splat-objs += splat-cred.o diff --git a/module/splat/splat-cred.c b/module/splat/splat-cred.c new file mode 100644 index 000000000..f808625e8 --- /dev/null +++ b/module/splat/splat-cred.c @@ -0,0 +1,247 @@ +/* + * This file is part of the SPL: Solaris Porting Layer. + * + * Copyright (c) 2009 Lawrence Livermore National Security, LLC. + * Produced at Lawrence Livermore National Laboratory + * Written by: + * Brian Behlendorf <[email protected]>, + * UCRL-CODE-235197 + * + * This is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * This is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or + * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + * + * You should have received a copy of the GNU General Public License along + * with this program; if not, write to the Free Software Foundation, Inc., + * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. + */ + +#include "splat-internal.h" + +#define SPLAT_CRED_NAME "cred" +#define SPLAT_CRED_DESC "Kernel Cred Tests" + +#define SPLAT_CRED_TEST1_ID 0x0e01 +#define SPLAT_CRED_TEST1_NAME "cred" +#define SPLAT_CRED_TEST1_DESC "Task Credential Test" + +#define SPLAT_CRED_TEST2_ID 0x0e02 +#define SPLAT_CRED_TEST2_NAME "kcred" +#define SPLAT_CRED_TEST2_DESC "Kernel Credential Test" + +#define SPLAT_CRED_TEST3_ID 0x0e03 +#define SPLAT_CRED_TEST3_NAME "groupmember" +#define SPLAT_CRED_TEST3_DESC "Group Member Test" + +#define GROUP_STR_SIZE 128 +#define GROUP_STR_REDZONE 16 + +static int +splat_cred_test1(struct file *file, void *arg) +{ + char str[GROUP_STR_SIZE]; + uid_t uid, ruid, suid; + gid_t gid, rgid, sgid, *groups; + int ngroups, i, count = 0; + + uid = crgetuid(CRED()); + ruid = crgetruid(CRED()); + suid = crgetsuid(CRED()); + + gid = crgetgid(CRED()); + rgid = crgetrgid(CRED()); + sgid = crgetsgid(CRED()); + + crhold(CRED()); + ngroups = crgetngroups(CRED()); + groups = crgetgroups(CRED()); + + memset(str, 0, GROUP_STR_SIZE); + for (i = 0; i < ngroups; i++) { + count += sprintf(str + count, "%d ", groups[i]); + + if (count > (GROUP_STR_SIZE - GROUP_STR_REDZONE)) { + splat_vprint(file, SPLAT_CRED_TEST1_NAME, + "Failed too many group entries for temp " + "buffer: %d, %s\n", ngroups, str); + return -ENOSPC; + } + } + + crfree(CRED()); + + splat_vprint(file, SPLAT_CRED_TEST1_NAME, + "uid: %d ruid: %d suid: %d " + "gid: %d rgid: %d sgid: %d\n", + uid, ruid, suid, gid, rgid, sgid); + splat_vprint(file, SPLAT_CRED_TEST1_NAME, + "ngroups: %d groups: %s\n", ngroups, str); + + if (uid || ruid || suid || gid || rgid || sgid) { + splat_vprint(file, SPLAT_CRED_TEST1_NAME, + "Failed expected all uids+gids to be %d\n", 0); + return -EIDRM; + } + + if (ngroups > NGROUPS_MAX) { + splat_vprint(file, SPLAT_CRED_TEST1_NAME, + "Failed ngroups must not exceed NGROUPS_MAX: " + "%d > %d\n", ngroups, NGROUPS_MAX); + return -EIDRM; + } + + splat_vprint(file, SPLAT_CRED_TEST1_NAME, + "Success sane CRED(): %d\n", 0); + + return 0; +} /* splat_cred_test1() */ + +static int +splat_cred_test2(struct file *file, void *arg) +{ + char str[GROUP_STR_SIZE]; + uid_t uid, ruid, suid; + gid_t gid, rgid, sgid, *groups; + int ngroups, i, count = 0; + + uid = crgetuid(kcred); + ruid = crgetruid(kcred); + suid = crgetsuid(kcred); + + gid = crgetgid(kcred); + rgid = crgetrgid(kcred); + sgid = crgetsgid(kcred); + + crhold(kcred); + ngroups = crgetngroups(kcred); + groups = crgetgroups(kcred); + + memset(str, 0, GROUP_STR_SIZE); + for (i = 0; i < ngroups; i++) { + count += sprintf(str + count, "%d ", groups[i]); + + if (count > (GROUP_STR_SIZE - GROUP_STR_REDZONE)) { + splat_vprint(file, SPLAT_CRED_TEST2_NAME, + "Failed too many group entries for temp " + "buffer: %d, %s\n", ngroups, str); + return -ENOSPC; + } + } + + crfree(kcred); + + splat_vprint(file, SPLAT_CRED_TEST2_NAME, + "uid: %d ruid: %d suid: %d " + "gid: %d rgid: %d sgid: %d\n", + uid, ruid, suid, gid, rgid, sgid); + splat_vprint(file, SPLAT_CRED_TEST2_NAME, + "ngroups: %d groups: %s\n", ngroups, str); + + if (uid || ruid || suid || gid || rgid || sgid) { + splat_vprint(file, SPLAT_CRED_TEST2_NAME, + "Failed expected all uids+gids to be %d\n", 0); + return -EIDRM; + } + + if (ngroups > NGROUPS_MAX) { + splat_vprint(file, SPLAT_CRED_TEST2_NAME, + "Failed ngroups must not exceed NGROUPS_MAX: " + "%d > %d\n", ngroups, NGROUPS_MAX); + return -EIDRM; + } + + splat_vprint(file, SPLAT_CRED_TEST2_NAME, + "Success sane kcred: %d\n", 0); + + return 0; +} /* splat_cred_test2() */ + +/* + * On most/all systems it can be expected that a task with root + * permissions also is a member of the root group, Since the + * test suite is always run as root we check first that CRED() is + * a member of the root group, and secondly that it is not a member + * of our fake group. This test will break is someone happens to + * create group number NGROUPS_MAX-1 and then added root to it. + */ +static int +splat_cred_test3(struct file *file, void *arg) +{ + gid_t root_gid, fake_gid; + int rc; + + root_gid = 0; + fake_gid = NGROUPS_MAX-1; + + rc = groupmember(root_gid, CRED()); + if (!rc) { + splat_vprint(file, SPLAT_CRED_TEST3_NAME, + "Failed root git %d expected to be member " + "of CRED() groups: %d\n", root_gid, rc); + return -EIDRM; + } + + rc = groupmember(fake_gid, CRED()); + if (rc) { + splat_vprint(file, SPLAT_CRED_TEST3_NAME, + "Failed fake git %d expected not to be member " + "of CRED() groups: %d\n", fake_gid, rc); + return -EIDRM; + } + + splat_vprint(file, SPLAT_CRED_TEST3_NAME, "Success root gid " + "is a member of the expected groups: %d\n", rc); + + return rc; +} /* splat_cred_test3() */ + +splat_subsystem_t * +splat_cred_init(void) +{ + splat_subsystem_t *sub; + + sub = kmalloc(sizeof(*sub), GFP_KERNEL); + if (sub == NULL) + return NULL; + + memset(sub, 0, sizeof(*sub)); + strncpy(sub->desc.name, SPLAT_CRED_NAME, SPLAT_NAME_SIZE); + strncpy(sub->desc.desc, SPLAT_CRED_DESC, SPLAT_DESC_SIZE); + INIT_LIST_HEAD(&sub->subsystem_list); + INIT_LIST_HEAD(&sub->test_list); + spin_lock_init(&sub->test_lock); + sub->desc.id = SPLAT_SUBSYSTEM_CRED; + + SPLAT_TEST_INIT(sub, SPLAT_CRED_TEST1_NAME, SPLAT_CRED_TEST1_DESC, + SPLAT_CRED_TEST1_ID, splat_cred_test1); + SPLAT_TEST_INIT(sub, SPLAT_CRED_TEST2_NAME, SPLAT_CRED_TEST2_DESC, + SPLAT_CRED_TEST2_ID, splat_cred_test2); + SPLAT_TEST_INIT(sub, SPLAT_CRED_TEST3_NAME, SPLAT_CRED_TEST3_DESC, + SPLAT_CRED_TEST3_ID, splat_cred_test3); + + return sub; +} /* splat_cred_init() */ + +void +splat_cred_fini(splat_subsystem_t *sub) +{ + ASSERT(sub); + + SPLAT_TEST_FINI(sub, SPLAT_CRED_TEST3_ID); + SPLAT_TEST_FINI(sub, SPLAT_CRED_TEST2_ID); + SPLAT_TEST_FINI(sub, SPLAT_CRED_TEST1_ID); + + kfree(sub); +} /* splat_cred_fini() */ + +int +splat_cred_id(void) +{ + return SPLAT_SUBSYSTEM_CRED; +} /* splat_cred_id() */ diff --git a/module/splat/splat-ctl.c b/module/splat/splat-ctl.c index c8925636a..159103980 100644 --- a/module/splat/splat-ctl.c +++ b/module/splat/splat-ctl.c @@ -630,6 +630,7 @@ splat_init(void) SPLAT_SUBSYSTEM_INIT(atomic); SPLAT_SUBSYSTEM_INIT(list); SPLAT_SUBSYSTEM_INIT(generic); + SPLAT_SUBSYSTEM_INIT(cred); dev = MKDEV(SPLAT_MAJOR, 0); if ((rc = register_chrdev_region(dev, SPLAT_MINORS, SPLAT_NAME))) @@ -676,6 +677,7 @@ splat_fini(void) cdev_del(&splat_cdev); unregister_chrdev_region(dev, SPLAT_MINORS); + SPLAT_SUBSYSTEM_FINI(cred); SPLAT_SUBSYSTEM_FINI(generic); SPLAT_SUBSYSTEM_FINI(list); SPLAT_SUBSYSTEM_FINI(atomic); diff --git a/module/splat/splat-internal.h b/module/splat/splat-internal.h index 0fa177c02..c1c84d8d1 100644 --- a/module/splat/splat-internal.h +++ b/module/splat/splat-internal.h @@ -208,6 +208,7 @@ splat_subsystem_t *splat_kobj_init(void); splat_subsystem_t *splat_atomic_init(void); splat_subsystem_t *splat_list_init(void); splat_subsystem_t *splat_generic_init(void); +splat_subsystem_t *splat_cred_init(void); void splat_condvar_fini(splat_subsystem_t *); void splat_kmem_fini(splat_subsystem_t *); @@ -222,6 +223,7 @@ void splat_kobj_fini(splat_subsystem_t *); void splat_atomic_fini(splat_subsystem_t *); void splat_list_fini(splat_subsystem_t *); void splat_generic_fini(splat_subsystem_t *); +void splat_cred_fini(splat_subsystem_t *); int splat_condvar_id(void); int splat_kmem_id(void); @@ -236,5 +238,6 @@ int splat_kobj_id(void); int splat_atomic_id(void); int splat_list_id(void); int splat_generic_id(void); +int splat_cred_id(void); #endif /* _SPLAT_INTERNAL_H */ diff --git a/spl_config.h.in b/spl_config.h.in index 3b07d993c..582a47603 100644 --- a/spl_config.h.in +++ b/spl_config.h.in @@ -36,6 +36,9 @@ /* class_device_create() is available */ #undef HAVE_CLASS_DEVICE_CREATE +/* struct cred exists */ +#undef HAVE_CRED_STRUCT + /* unnumbered sysctl support exists */ #undef HAVE_CTL_UNNUMBERED @@ -72,6 +75,9 @@ /* global_page_state() is available */ #undef HAVE_GLOBAL_PAGE_STATE +/* groups_search() is available */ +#undef HAVE_GROUPS_SEARCH + /* init_utsname() is available */ #undef HAVE_INIT_UTSNAME |