|
1 /* |
|
2 * CDDL HEADER START |
|
3 * |
|
4 * The contents of this file are subject to the terms of the |
|
5 * Common Development and Distribution License (the "License"). |
|
6 * You may not use this file except in compliance with the License. |
|
7 * |
|
8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE |
|
9 * or http://www.opensolaris.org/os/licensing. |
|
10 * See the License for the specific language governing permissions |
|
11 * and limitations under the License. |
|
12 * |
|
13 * When distributing Covered Code, include this CDDL HEADER in each |
|
14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE. |
|
15 * If applicable, add the following below this CDDL HEADER, with the |
|
16 * fields enclosed by brackets "[]" replaced with your own identifying |
|
17 * information: Portions Copyright [yyyy] [name of copyright owner] |
|
18 * |
|
19 * CDDL HEADER END |
|
20 */ |
|
21 |
|
22 /* |
|
23 * Copyright 2009 Sun Microsystems, Inc. All rights reserved. |
|
24 * Use is subject to license terms. |
|
25 */ |
|
26 |
|
27 #include <sys/types.h> |
|
28 #include <sys/socket.h> |
|
29 #include <stdio.h> |
|
30 #include <string.h> |
|
31 #include <stdlib.h> |
|
32 #include <errno.h> |
|
33 #include <unistd.h> |
|
34 #include <pthread.h> |
|
35 #include <ucred.h> |
|
36 #include <zone.h> |
|
37 |
|
38 #include "rad_object.h" |
|
39 #include "rad_modapi.h" |
|
40 #include "rad_modapi_xport.h" |
|
41 #include "rad_connection.h" |
|
42 #include "rad_util.h" |
|
43 #include "rad_xport.h" |
|
44 #include "rad_log.h" |
|
45 |
|
46 #include "api_uds.h" |
|
47 |
|
/*
 * Fill in *addr as an AF_UNIX address for the filesystem path 'name'.
 *
 * Returns B_TRUE on success.  Returns B_FALSE, leaving sun_path zeroed,
 * when 'name' plus its terminating NUL does not fit in sun_path.  The
 * path is rejected rather than truncated, so a caller never ends up
 * bound to a different name than the one it asked for.
 */
static boolean_t
sockaddr_init(struct sockaddr_un *addr, const char *name)
{
	const size_t capacity = sizeof (addr->sun_path);

	(void) memset(addr, 0, sizeof (*addr));
	addr->sun_family = AF_UNIX;

	/* strlen() excludes the NUL, hence the strict comparison. */
	if (strlen(name) < capacity) {
		(void) strlcpy(addr->sun_path, name, capacity);
		return (B_TRUE);
	}

	return (B_FALSE);
}
|
66 |
|
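/*
 * Create a listening AF_UNIX stream socket bound to the path 'name'.
 *
 * Any existing filesystem entry at 'name' is unlinked first (a missing
 * entry is not an error) so that a socket left behind by an earlier
 * instance does not make bind() fail.
 *
 * Returns the listening descriptor, or -1 after logging the cause.  The
 * descriptor is closed on every failure path, so the caller owns one
 * only when the return value is >= 0.
 *
 * NOTE(review): unlink() does not check that the entry it removes is a
 * socket, and nothing in this function sets the mode of the socket file
 * that bind() creates.  'name' should come from trusted configuration
 * and sit in a directory only the daemon's user can modify -- confirm
 * against how the "path" setting is supplied.
 */
static int
listen_on_name(const char *name)
{
	int fd;
	struct sockaddr_un addr;

	if (unlink(name) == -1 && errno != ENOENT) {
		rad_log(RL_ERROR, "unlink of '%s' failed: %s", name,
		    strerror(errno));
		return (-1);
	}

	if (!sockaddr_init(&addr, name)) {
		rad_log(RL_ERROR, "socket name '%s' too long", name);
		return (-1);
	}

	if ((fd = socket(AF_UNIX, SOCK_STREAM, 0)) == -1) {
		rad_log(RL_ERROR, "socket failed: %s", strerror(errno));
		return (-1);
	}

	if (bind(fd, (struct sockaddr *)&addr, sizeof (addr)) == -1) {
		rad_log(RL_ERROR, "bind to '%s' failed: %s", name,
		    strerror(errno));
		(void) close(fd);
		return (-1);
	}

	if (listen(fd, 15) == -1) {
		rad_log(RL_ERROR, "listen on '%s' failed: %s", name,
		    strerror(errno));
		/* Release the bound socket; this path used to leak it. */
		(void) close(fd);
		return (-1);
	}

	return (fd);
}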
|
104 |
|
/*
 * Transport operations installed as rm_conn_xport_ops on every
 * connection accepted by uds_listen(): the descriptor-based read,
 * write, close and free routines.  They presumably operate on the
 * rm_xport_fd_t stored as the connection's rm_conn_xport_data --
 * confirm against rad_modapi_xport.h.
 */
static radmod_transport_t transport = {
	rm_fd_read,
	rm_fd_write,
	rm_fd_close,
	rm_fd_free
};
|
111 |
|
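/*
 * Determines if the ucred represents someone who is effectively us.
 *
 * A peer is accepted only when all of the following hold:
 *   - its effective uid equals our uid as returned by getuid(),
 *   - it runs in our zone,
 *   - our permitted privilege set is a subset of its effective set.
 * A missing credential, or a failure to obtain any of these values, is
 * treated as a mismatch, so the check fails closed.
 *
 * NOTE(review): the peer's *effective* uid is compared with our *real*
 * uid (getuid(), not geteuid()).  The two differ if the daemon ever
 * runs set-uid -- confirm this is the intended comparison.
 */
static boolean_t
sent_by_joe(ucred_t *uc)
{
	const priv_set_t *theirprivs;
	priv_set_t *myprivs;

	/*
	 * Reject a missing credential up front.  The rejection message
	 * further down calls ucred_geteuid(uc), which must not be handed
	 * a NULL ucred.
	 */
	if (uc == NULL) {
		rad_log(RL_WARN, "client without credentials "
		    "attempted connection to control port");
		return (B_FALSE);
	}

	myprivs = priv_allocset();
	if (myprivs == NULL) {
		rad_log(RL_ERROR, "failed to allocate privilege set");
		return (B_FALSE);
	}
	if (getppriv(PRIV_PERMITTED, myprivs) == -1) {
		rad_log(RL_FATAL, "getppriv(PRIV_PERMITTED) failed: %s",
		    strerror(errno));
		/*
		 * Only reached if an RL_FATAL log does not end the
		 * process.  myprivs was never filled in, so refuse the
		 * peer instead of comparing against an unset value.
		 */
		priv_freeset(myprivs);
		return (B_FALSE);
	}

	if (ucred_geteuid(uc) != getuid() ||
	    ucred_getzoneid(uc) != getzoneid() ||
	    (theirprivs = ucred_getprivset(uc, PRIV_EFFECTIVE)) == NULL ||
	    !priv_issubset(myprivs, theirprivs)) {
		priv_freeset(myprivs);
		rad_log(RL_WARN, "unprivileged client (uid=%d) "
		    "attempted connection to control port", ucred_geteuid(uc));
		return (B_FALSE);
	}

	priv_freeset(myprivs);
	return (B_TRUE);
}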
|
142 |
|
/*
 * Thread entry point for one accepted connection.  'arg' is the
 * radmod_connection_t that uds_listen() passed to
 * rad_thread_create_async(); it is handed to rad_proto_handle() and the
 * connection structure is freed once that call returns.
 */
static void
uds_run(void *arg)
{
	radmod_connection_t *connection = (radmod_connection_t *)arg;

	rad_proto_handle(connection);
	free(connection);
}
|
150 |
|
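/*
 * Listener thread for one configured unix domain socket.
 *
 * Reads "path", "proto" (default "rad") and "control" (default B_FALSE)
 * from the thread's configuration data, opens the listening socket,
 * acknowledges startup with rm_ok, and then accepts connections
 * forever, handing each one to its own uds_run() thread.
 *
 * Returns rm_config if the protocol is unknown and rm_system if the
 * socket cannot be set up.  There is no return once the accept loop has
 * been entered.
 *
 * On a control port every peer must pass sent_by_joe() before its
 * subject is marked rs_control; a peer that fails is dropped without
 * any protocol handling.
 */
static rad_moderr_t
uds_listen(rad_thread_t *arg)
{
	data_t *data = rad_thread_arg(arg);
	int fd;
	/* starter() refuses a configuration that has no "path" entry. */
	data_t *d, *path = struct_get(data, "path");
	d = struct_get(data, "proto");
	const char *protostr = d != NULL ? d->d_data.string : "rad";
	d = struct_get(data, "control");
	boolean_t control = d != NULL ? d->d_data.boolean : B_FALSE;

	rad_protocol_t *proto = rad_proto_find(protostr);
	if (proto == NULL) {
		rad_log(RL_ERROR, "Unable to find protocol \"%s\".", protostr);
		return (rm_config);
	}

	if ((fd = listen_on_name(path->d_data.string)) < 0) {
		rad_log(RL_ERROR, "Error starting uds server: %s",
		    strerror(errno));
		return (rm_system);
	}

	rad_thread_ack(arg, rm_ok);
	for (;;) {
		int afd;

		rad_log(RL_DEBUG, "Waiting for connection.\n");
		if ((afd = accept(fd, 0, 0)) == -1) {
			rad_log(RL_WARN, "Error in accept(): %s\n",
			    strerror(errno));
			continue;
		}
		rad_log(RL_DEBUG, "Connection accepted.\n");

		rad_subject_t *subject = rad_subject_create_fd(afd, B_TRUE);
		if (subject == NULL) {
			rad_log(RL_ERROR, "unable to allocate subject");
			(void) close(afd);
			continue;
		}

		if (control) {
			/* Authorize the peer before granting control status. */
			if (!sent_by_joe(subject->rs_ucred)) {
				rad_subject_unref(subject);
				(void) close(afd);
				continue;
			}
			rad_log(RL_DEBUG,
			    "accepting connection on control port");
			subject->rs_control = B_TRUE;
		}

		/*
		 * A failed allocation drops this one connection, with the
		 * same cleanup as the rejection path above, instead of
		 * dereferencing NULL in the listener thread.
		 */
		rm_xport_fd_t *fddata = zalloc(sizeof (rm_xport_fd_t));
		if (fddata == NULL) {
			rad_log(RL_ERROR, "unable to allocate transport data");
			rad_subject_unref(subject);
			(void) close(afd);
			continue;
		}
		fddata->infd = afd;
		fddata->outfd = afd;

		radmod_connection_t *conn = rad_conn_create();
		if (conn == NULL) {
			rad_log(RL_ERROR, "unable to allocate connection");
			/* assumes zalloc() memory is released with free() */
			free(fddata);
			rad_subject_unref(subject);
			(void) close(afd);
			continue;
		}
		conn->rm_conn_xport_ops = &transport;
		conn->rm_conn_xport_data = fddata;
		conn->rm_conn_proto_ops = proto;
		conn->rm_conn_subject = subject;

		if (rad_thread_create_async(uds_run, conn) != rm_ok) {
			rad_conn_close(conn);
			free(conn);
		}
	}
}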
|
219 |
|
/*
 * NOTE(review): not referenced by any code visible in this file; the
 * listener thread is started through rad_thread_create() in starter().
 */
static pthread_t server_thread;
|
221 |
|
/*
 * Start function registered for the "uds" transport in _rad_init().
 *
 * Checks that the configuration carries a "path" entry and, if so,
 * launches uds_listen() through rad_thread_create(), returning that
 * call's result.  Returns rm_config when "path" is missing.
 */
static rad_moderr_t
starter(data_t *data)
{
	if (struct_get(data, "path") != NULL)
		return (rad_thread_create(uds_listen, data));

	rad_log(RL_ERROR, "Unix domain socket requires path\n");
	return (rm_config);
}
|
234 |
|
/* Module name and description passed to rad_module_register(). */
static rad_modinfo_t modinfo = {
	"xport_uds", "unix domain socket transport module",
};
|
238 |
|
/*
 * Module entry point.  Registers the module description and, when that
 * succeeds, registers the "uds" transport with starter() as its start
 * function.
 *
 * Returns 0 on success, or -1 if module registration fails, in which
 * case the transport is not registered.
 */
int
_rad_init(void *handle)
{
	if (rad_module_register(handle, RAD_MODVERSION, &modinfo) != -1) {
		rad_xport_register("uds", &t__uds, starter);
		return (0);
	}

	return (-1);
}