upstream/illumos/illumos-gate: comparison usr/src/uts/common/fs/nfs/nfs4

equal deleted inserted replaced

-:5791e75682d0
+:37f4a3e2bd99
 /*
 * CDDL HEADER START
 *
 * The contents of this file are subject to the terms of the
-* Common Development and Distribution License, Version 1.0 only
+* Common Development and Distribution License (the "License").
-* (the "License").  You may not use this file except in compliance
+* You may not use this file except in compliance with the License.
-* with the License.
 *
 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
 * or http://www.opensolaris.org/os/licensing.
 * See the License for the specific language governing permissions
 * and limitations under the License.
 * information: Portions Copyright [yyyy] [name of copyright owner]
 *
 * CDDL HEADER END
 */
 /*
-* Copyright 2005 Sun Microsystems, Inc.  All rights reserved.
+* Copyright 2006 Sun Microsystems, Inc.  All rights reserved.
 * Use is subject to license terms.
 */
 /*
 *	Copyright (c) 1983,1984,1985,1986,1987,1988,1989  AT&T.
 #include <sys/nbmlock.h>
 #include <sys/share.h>
 #include <sys/atomic.h>
 #include <sys/policy.h>
 #include <sys/fem.h>
+#include <sys/sdt.h>
 #include <rpc/types.h>
 #include <rpc/auth.h>
 #include <rpc/rpcsec_gss.h>
 #include <rpc/svc.h>
 #include <sys/strsun.h>
 #include <inet/common.h>
 #include <inet/ip.h>
 #include <inet/ip6.h>
+#include <sys/tsol/label.h>
+#include <sys/tsol/tndb.h>
 #define	RFS4_MAXLOCK_TRIES 4	/* Try to get the lock this many times */
 static int rfs4_maxlock_tries = RFS4_MAXLOCK_TRIES;
 #define	RFS4_LOCK_DELAY 10	/* Milliseconds */
 static clock_t rfs4_lock_delay = RFS4_LOCK_DELAY;
 * cookie: uint64_t   +  utf8namelen: uint_t  +   utf8name padded to 8 bytes
 *
 */
 #define	DIRENT64_TO_DIRCOUNT(dp) \
 	(3 * BYTES_PER_XDR_UNIT + DIRENT64_NAMELEN((dp)->d_reclen))
+/*
+* types of label comparison
+*/
+#define	EQUALITY_CHECK	0
+#define	DOMINANCE_CHECK	1
 time_t rfs4_start_time;			/* Initialized in rfs4_srvrinit */
 static sysid_t lockt_sysid;		/* dummy sysid for all LOCKT calls */
 	kmem_free(resok_val, count * sizeof (secinfo4));
 	resp->SECINFO4resok_len = 0;
 	resp->SECINFO4resok_val = NULL;
 }
+/*
+* do label check on client label and server's file lable.
+*/
+static boolean_t
+do_rfs4_label_check(bslabel_t *clabel, vnode_t *vp, int flag)
+{
+	bslabel_t *slabel;
+	ts_label_t *tslabel;
+	boolean_t result;
+	if ((tslabel = nfs4_getflabel(vp)) == NULL) {
+		return (B_FALSE);
+	}
+	slabel = label2bslabel(tslabel);
+	DTRACE_PROBE4(tx__rfs4__log__info__labelcheck, char *,
+	    "comparing server's file label(1) with client label(2) (vp(3))",
+	    bslabel_t *, slabel, bslabel_t *, clabel, vnode_t *, vp);
+	if (flag == EQUALITY_CHECK)
+		result = blequal(clabel, slabel);
+	else
+		result = bldominates(clabel, slabel);
+	label_rele(tslabel);
+	return (result);
+}
 /* ARGSUSED */
 static void
 rfs4_op_access(nfs_argop4 *argop, nfs_resop4 *resop, struct svc_req *req,
 	struct compound_state *cs)
 {
 	int error;
 	vnode_t *vp;
 	struct vattr va;
 	int checkwriteperm;
 	cred_t *cr = cs->cr;
+	bslabel_t *clabel, *slabel;
+	ts_label_t *tslabel;
+	boolean_t admin_low_client;
 #if 0	/* XXX allow access even if !cs->access. Eventually only pseudo fs */
 	if (cs->access == CS_ACCESS_DENIED) {
 		*cs->statusp = resp->status = NFS4ERR_ACCESS;
 		return;
 	error = VOP_GETATTR(vp, &va, 0, cr);
 	if (error) {
 		*cs->statusp = resp->status = puterrno4(error);
 		return;
 	}
 	resp->access = 0;
 	resp->supported = 0;
+	if (is_system_labeled()) {
+		ASSERT(req->rq_label != NULL);
+		clabel = req->rq_label;
+		DTRACE_PROBE2(tx__rfs4__log__info__opaccess__clabel, char *,
+		    "got client label from request(1)",
+		    struct svc_req *, req);
+		if (!blequal(&l_admin_low->tsl_label, clabel)) {
+			if ((tslabel = nfs4_getflabel(vp)) == NULL) {
+				*cs->statusp = resp->status = puterrno4(EACCES);
+				return;
+			}
+			slabel = label2bslabel(tslabel);
+			DTRACE_PROBE3(tx__rfs4__log__info__opaccess__slabel,
+			    char *, "got server label(1) for vp(2)",
+			    bslabel_t *, slabel, vnode_t *, vp);
+			admin_low_client = B_FALSE;
+		} else
+			admin_low_client = B_TRUE;
+	}
 	if (args->access & ACCESS4_READ) {
 		error = VOP_ACCESS(vp, VREAD, 0, cr);
-		if (!error && !MANDLOCK(vp, va.va_mode))
+		if (!error && !MANDLOCK(vp, va.va_mode) &&
+		    (!is_system_labeled() || admin_low_client ||
+		    bldominates(clabel, slabel)))
 			resp->access |= ACCESS4_READ;
 		resp->supported |= ACCESS4_READ;
 	}
 	if ((args->access & ACCESS4_LOOKUP) && vp->v_type == VDIR) {
 		error = VOP_ACCESS(vp, VEXEC, 0, cr);
-		if (!error)
+		if (!error && (!is_system_labeled() || admin_low_client ||
+		    bldominates(clabel, slabel)))
 			resp->access |= ACCESS4_LOOKUP;
 		resp->supported |= ACCESS4_LOOKUP;
 	}
 	if (checkwriteperm &&
 	    (args->access & (ACCESS4_MODIFY|ACCESS4_EXTEND))) {
 		error = VOP_ACCESS(vp, VWRITE, 0, cr);
-		if (!error && !MANDLOCK(vp, va.va_mode))
+		if (!error && !MANDLOCK(vp, va.va_mode) &&
+		    (!is_system_labeled() || admin_low_client ||
+		    blequal(clabel, slabel)))
 			resp->access |=
 			    (args->access & (ACCESS4_MODIFY|ACCESS4_EXTEND));
 		resp->supported |= (ACCESS4_MODIFY|ACCESS4_EXTEND);
 	}
 	if (checkwriteperm &&
 	    (args->access & ACCESS4_DELETE) && vp->v_type == VDIR) {
 		error = VOP_ACCESS(vp, VWRITE, 0, cr);
-		if (!error)
+		if (!error && (!is_system_labeled() || admin_low_client ||
+		    blequal(clabel, slabel)))
 			resp->access |= ACCESS4_DELETE;
 		resp->supported |= ACCESS4_DELETE;
 	}
 	if (args->access & ACCESS4_EXECUTE && vp->v_type != VDIR) {
 		error = VOP_ACCESS(vp, VEXEC, 0, cr);
-		if (!error && !MANDLOCK(vp, va.va_mode))
+		if (!error && !MANDLOCK(vp, va.va_mode) &&
+		    (!is_system_labeled() || admin_low_client ||
+		    bldominates(clabel, slabel)))
 			resp->access |= ACCESS4_EXECUTE;
 		resp->supported |= ACCESS4_EXECUTE;
 	}
+	if (is_system_labeled() && !admin_low_client)
+		label_rele(tslabel);
 	*cs->statusp = resp->status = NFS4_OK;
 }
 /* ARGSUSED */
 			cs->vp = oldvp;
 			return (stat);
 		}
 	}
+	/*
+	 * After various NFS checks, do a label check on the path
+	 * component. The label on this path should either be the
+	 * global zone's label or a zone's label. We are only
+	 * interested in the zone's label because exported files
+	 * in global zone is accessible (though read-only) to
+	 * clients. The exportability/visibility check is already
+	 * done before reaching this code.
+	 */
+	if (is_system_labeled()) {
+		bslabel_t *clabel;
+		ASSERT(req->rq_label != NULL);
+		clabel = req->rq_label;
+		DTRACE_PROBE2(tx__rfs4__log__info__oplookup__clabel, char *,
+		    "got client label from request(1)", struct svc_req *, req);
+		if (!blequal(&l_admin_low->tsl_label, clabel)) {
+			if (!do_rfs4_label_check(clabel, vp, DOMINANCE_CHECK)) {
+				error = EACCES;
+				goto err_out;
+			}
+		} else {
+			/*
+			 * We grant access to admin_low label clients
+			 * only if the client is trusted, i.e. also
+			 * running Solaris Trusted Extension.
+			 */
+			struct sockaddr	*ca;
+			int		addr_type;
+			void		*ipaddr;
+			tsol_tpc_t	*tp;
+			ca = (struct sockaddr *)svc_getrpccaller(
+			    req->rq_xprt)->buf;
+			if (ca->sa_family == AF_INET) {
+				addr_type = IPV4_VERSION;
+				ipaddr = &((struct sockaddr_in *)ca)->sin_addr;
+			} else if (ca->sa_family == AF_INET6) {
+				addr_type = IPV6_VERSION;
+				ipaddr = &((struct sockaddr_in6 *)
+				    ca)->sin6_addr;
+			}
+			tp = find_tpc(ipaddr, addr_type, B_FALSE);
+			if (tp == NULL || tp->tpc_tp.tp_doi !=
+			    l_admin_low->tsl_doi || tp->tpc_tp.host_type !=
+			    SUN_CIPSO) {
+				error = EACCES;
+				goto err_out;
+			}
+		}
+	}
 	error = makefh4(&cs->fh, vp, cs->exi);
+err_out:
 	if (error) {
 		if (is_newvp) {
 			VN_RELE(cs->vp);
 			cs->vp = oldvp;
 		} else
 	struct vattr bdva, idva, adva;
 	char *nm;
 	uint_t len;
 	rfs4_file_t *fp;
 	int in_crit = 0;
+	bslabel_t *clabel;
 	/* CURRENT_FH: directory */
 	dvp = cs->vp;
 	if (dvp == NULL) {
 		*cs->statusp = resp->status = NFS4ERR_NOFILEHANDLE;
 			if (fp) {
 				rfs4_clear_dont_grant(fp);
 				rfs4_file_rele(fp);
 			}
 			return;
+		}
+	}
+	/* check label before allowing removal */
+	if (is_system_labeled()) {
+		ASSERT(req->rq_label != NULL);
+		clabel = req->rq_label;
+		DTRACE_PROBE2(tx__rfs4__log__info__opremove__clabel, char *,
+		    "got client label from request(1)",
+		    struct svc_req *, req);
+		if (!blequal(&l_admin_low->tsl_label, clabel)) {
+			if (!do_rfs4_label_check(clabel, vp, EQUALITY_CHECK)) {
+				*cs->statusp = resp->status = NFS4ERR_ACCESS;
+				kmem_free(nm, len);
+				if (in_crit)
+					nbl_end_crit(vp);
+				VN_RELE(vp);
+				if (fp) {
+					rfs4_clear_dont_grant(fp);
+					rfs4_file_rele(fp);
+				}
+				return;
+			}
 		}
 	}
 	/* Get dir "before" change value */
 	bdva.va_mask = AT_CTIME|AT_SEQ;
 	char *onm, *nnm;
 	uint_t olen, nlen;
 	rfs4_file_t *fp, *sfp;
 	int in_crit_src, in_crit_targ;
 	int fp_rele_grant_hold, sfp_rele_grant_hold;
+	bslabel_t *clabel;
 	fp = sfp = NULL;
 	srcvp = targvp = NULL;
 	in_crit_src = in_crit_targ = 0;
 	fp_rele_grant_hold = sfp_rele_grant_hold = 0;
 	if (rdonly4(cs->exi, cs->vp, req)) {
 		*cs->statusp = resp->status = NFS4ERR_ROFS;
 		kmem_free(onm, olen);
 		kmem_free(nnm, nlen);
 		return;
+	}
+	/* check label of the target dir */
+	if (is_system_labeled()) {
+		ASSERT(req->rq_label != NULL);
+		clabel = req->rq_label;
+		DTRACE_PROBE2(tx__rfs4__log__info__oprename__clabel, char *,
+		    "got client label from request(1)",
+		    struct svc_req *, req);
+		if (!blequal(&l_admin_low->tsl_label, clabel)) {
+			if (!do_rfs4_label_check(clabel, ndvp,
+			    EQUALITY_CHECK)) {
+				*cs->statusp = resp->status = NFS4ERR_ACCESS;
+				return;
+			}
+		}
 	}
 	/*
 	 * Is the source a file and have a delegation?
 	 * We don't need to acquire va_seq before these lookups, if
 rfs4_op_setattr(nfs_argop4 *argop, nfs_resop4 *resop, struct svc_req *req,
 	struct compound_state *cs)
 {
 	SETATTR4args *args = &argop->nfs_argop4_u.opsetattr;
 	SETATTR4res *resp = &resop->nfs_resop4_u.opsetattr;
+	bslabel_t *clabel;
 	if (cs->vp == NULL) {
 		*cs->statusp = resp->status = NFS4ERR_NOFILEHANDLE;
 		return;
 	}
 	resp->attrsset = 0;
 	if (rdonly4(cs->exi, cs->vp, req)) {
 		*cs->statusp = resp->status = NFS4ERR_ROFS;
 		return;
+	}
+	/* check label before setting attributes */
+	if (is_system_labeled()) {
+		ASSERT(req->rq_label != NULL);
+		clabel = req->rq_label;
+		DTRACE_PROBE2(tx__rfs4__log__info__opsetattr__clabel, char *,
+		    "got client label from request(1)",
+		    struct svc_req *, req);
+		if (!blequal(&l_admin_low->tsl_label, clabel)) {
+			if (!do_rfs4_label_check(clabel, cs->vp,
+			    EQUALITY_CHECK)) {
+				*cs->statusp = resp->status = NFS4ERR_ACCESS;
+				return;
+			}
+		}
 	}
 	*cs->statusp = resp->status =
 		do_rfs4_op_setattr(&resp->attrsset, &args->obj_attributes, cs,
 			&args->stateid);
 	if (cs.basecr)
 		crfree(cs.basecr);
 	if (cs.cr)
 		crfree(cs.cr);
+	/*
+	 * done with this compound request, free the label
+	 */
+	if (req->rq_label != NULL) {
+		kmem_free(req->rq_label, sizeof (bslabel_t));
+		req->rq_label = NULL;
+	}
 }
 /*
 * XXX because of what appears to be duplicate calls to rfs4_compound_free
 * XXX zero out the tag and array values. Need to investigate why the
 	len_t reqsize;
 	int error;
 	bool_t trunc;
 	caller_context_t ct;
 	component4 *component;
+	bslabel_t *clabel;
 	sarg.sbp = &sb;
 	dvp = cs->vp;
 	/* Check if the file system is read only */
 	if (rdonly4(cs->exi, dvp, req))
 		return (NFS4ERR_ROFS);
+	/* check the label of including directory */
+	if (is_system_labeled()) {
+		ASSERT(req->rq_label != NULL);
+		clabel = req->rq_label;
+		DTRACE_PROBE2(tx__rfs4__log__info__opremove__clabel, char *,
+		    "got client label from request(1)",
+		    struct svc_req *, req);
+		if (!blequal(&l_admin_low->tsl_label, clabel)) {
+			if (!do_rfs4_label_check(clabel, dvp, EQUALITY_CHECK)) {
+				return (NFS4ERR_ACCESS);
+			}
+		}
+	}
 	/*
 	 * Get the last component of path name in nm. cs will reference
 	 * the including directory on success.
 	 */

changeset 1676	37f4a3e2bd99
parent 1146	c3555cdf52c2
child 2035	a29bc457bcb9