1 /*- 2 * SPDX-License-Identifier: BSD-3-Clause 3 * 4 * Copyright (c) 1989, 1993 5 * The Regents of the University of California. All rights reserved. 6 * 7 * This code is derived from software contributed to Berkeley by 8 * Rick Macklem at The University of Guelph. 9 * 10 * Redistribution and use in source and binary forms, with or without 11 * modification, are permitted provided that the following conditions 12 * are met: 13 * 1. Redistributions of source code must retain the above copyright 14 * notice, this list of conditions and the following disclaimer. 15 * 2. Redistributions in binary form must reproduce the above copyright 16 * notice, this list of conditions and the following disclaimer in the 17 * documentation and/or other materials provided with the distribution. 18 * 3. Neither the name of the University nor the names of its contributors 19 * may be used to endorse or promote products derived from this software 20 * without specific prior written permission. 21 * 22 * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND 23 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 24 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 25 * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE 26 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 27 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 28 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 29 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 30 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 31 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 32 * SUCH DAMAGE. 33 * 34 */ 35 36 #include <sys/cdefs.h> 37 __FBSDID("$FreeBSD$"); 38 39 #include "opt_inet6.h" 40 #include "opt_kgssapi.h" 41 42 #include <fs/nfs/nfsport.h> 43 44 #include <rpc/rpc.h> 45 #include <rpc/rpcsec_gss.h> 46 47 #include <nfs/nfs_fha.h> 48 #include <fs/nfsserver/nfs_fha_new.h> 49 50 #include <security/mac/mac_framework.h> 51 52 NFSDLOCKMUTEX; 53 NFSV4ROOTLOCKMUTEX; 54 struct nfsv4lock nfsd_suspend_lock; 55 56 /* 57 * Mapping of old NFS Version 2 RPC numbers to generic numbers. 58 */ 59 int newnfs_nfsv3_procid[NFS_V3NPROCS] = { 60 NFSPROC_NULL, 61 NFSPROC_GETATTR, 62 NFSPROC_SETATTR, 63 NFSPROC_NOOP, 64 NFSPROC_LOOKUP, 65 NFSPROC_READLINK, 66 NFSPROC_READ, 67 NFSPROC_NOOP, 68 NFSPROC_WRITE, 69 NFSPROC_CREATE, 70 NFSPROC_REMOVE, 71 NFSPROC_RENAME, 72 NFSPROC_LINK, 73 NFSPROC_SYMLINK, 74 NFSPROC_MKDIR, 75 NFSPROC_RMDIR, 76 NFSPROC_READDIR, 77 NFSPROC_FSSTAT, 78 NFSPROC_NOOP, 79 NFSPROC_NOOP, 80 NFSPROC_NOOP, 81 NFSPROC_NOOP, 82 }; 83 84 85 SYSCTL_DECL(_vfs_nfsd); 86 87 SVCPOOL *nfsrvd_pool; 88 89 static int nfs_privport = 0; 90 SYSCTL_INT(_vfs_nfsd, OID_AUTO, nfs_privport, CTLFLAG_RWTUN, 91 &nfs_privport, 0, 92 "Only allow clients using a privileged port for NFSv2 and 3"); 93 94 static int nfs_minvers = NFS_VER2; 95 SYSCTL_INT(_vfs_nfsd, OID_AUTO, server_min_nfsvers, CTLFLAG_RWTUN, 96 &nfs_minvers, 0, "The lowest version of NFS handled by the server"); 97 98 static int nfs_maxvers = NFS_VER4; 99 SYSCTL_INT(_vfs_nfsd, OID_AUTO, server_max_nfsvers, CTLFLAG_RWTUN, 100 &nfs_maxvers, 0, "The highest version of NFS handled by the server"); 101 102 static int nfs_proc(struct nfsrv_descript *, u_int32_t, SVCXPRT *xprt, 103 struct nfsrvcache **); 104 105 extern u_long sb_max_adj; 106 extern int newnfs_numnfsd; 107 extern struct proc *nfsd_master_proc; 108 109 /* 110 * NFS server system calls 111 */ 112 113 static void 114 nfssvc_program(struct svc_req *rqst, SVCXPRT *xprt) 115 { 116 struct nfsrv_descript nd; 117 struct nfsrvcache *rp = NULL; 118 int cacherep, credflavor; 119 120 memset(&nd, 0, sizeof(nd)); 121 if (rqst->rq_vers == NFS_VER2) { 122 if (rqst->rq_proc > NFSV2PROC_STATFS || 123 newnfs_nfsv3_procid[rqst->rq_proc] == NFSPROC_NOOP) { 124 svcerr_noproc(rqst); 125 svc_freereq(rqst); 126 goto out; 127 } 128 nd.nd_procnum = newnfs_nfsv3_procid[rqst->rq_proc]; 129 nd.nd_flag = ND_NFSV2; 130 } else if (rqst->rq_vers == NFS_VER3) { 131 if (rqst->rq_proc >= NFS_V3NPROCS) { 132 svcerr_noproc(rqst); 133 svc_freereq(rqst); 134 goto out; 135 } 136 nd.nd_procnum = rqst->rq_proc; 137 nd.nd_flag = ND_NFSV3; 138 } else { 139 if (rqst->rq_proc != NFSPROC_NULL && 140 rqst->rq_proc != NFSV4PROC_COMPOUND) { 141 svcerr_noproc(rqst); 142 svc_freereq(rqst); 143 goto out; 144 } 145 nd.nd_procnum = rqst->rq_proc; 146 nd.nd_flag = ND_NFSV4; 147 } 148 149 /* 150 * Note: we want rq_addr, not svc_getrpccaller for nd_nam2 - 151 * NFS_SRVMAXDATA uses a NULL value for nd_nam2 to detect TCP 152 * mounts. 153 */ 154 nd.nd_mrep = rqst->rq_args; 155 rqst->rq_args = NULL; 156 newnfs_realign(&nd.nd_mrep, M_WAITOK); 157 nd.nd_md = nd.nd_mrep; 158 nd.nd_dpos = mtod(nd.nd_md, caddr_t); 159 nd.nd_nam = svc_getrpccaller(rqst); 160 nd.nd_nam2 = rqst->rq_addr; 161 nd.nd_mreq = NULL; 162 nd.nd_cred = NULL; 163 164 if (nfs_privport && (nd.nd_flag & ND_NFSV4) == 0) { 165 /* Check if source port is privileged */ 166 u_short port; 167 struct sockaddr *nam = nd.nd_nam; 168 struct sockaddr_in *sin; 169 170 sin = (struct sockaddr_in *)nam; 171 /* 172 * INET/INET6 - same code: 173 * sin_port and sin6_port are at same offset 174 */ 175 port = ntohs(sin->sin_port); 176 if (port >= IPPORT_RESERVED && 177 nd.nd_procnum != NFSPROC_NULL) { 178 #ifdef INET6 179 char buf[INET6_ADDRSTRLEN]; 180 #else 181 char buf[INET_ADDRSTRLEN]; 182 #endif 183 #ifdef INET6 184 #if defined(KLD_MODULE) 185 /* Do not use ip6_sprintf: the nfs module should work without INET6. */ 186 #define ip6_sprintf(buf, a) \ 187 (sprintf((buf), "%x:%x:%x:%x:%x:%x:%x:%x", \ 188 (a)->s6_addr16[0], (a)->s6_addr16[1], \ 189 (a)->s6_addr16[2], (a)->s6_addr16[3], \ 190 (a)->s6_addr16[4], (a)->s6_addr16[5], \ 191 (a)->s6_addr16[6], (a)->s6_addr16[7]), \ 192 (buf)) 193 #endif 194 #endif 195 printf("NFS request from unprivileged port (%s:%d)\n", 196 #ifdef INET6 197 sin->sin_family == AF_INET6 ? 198 ip6_sprintf(buf, &satosin6(sin)->sin6_addr) : 199 #if defined(KLD_MODULE) 200 #undef ip6_sprintf 201 #endif 202 #endif 203 inet_ntoa_r(sin->sin_addr, buf), port); 204 svcerr_weakauth(rqst); 205 svc_freereq(rqst); 206 m_freem(nd.nd_mrep); 207 goto out; 208 } 209 } 210 211 if (nd.nd_procnum != NFSPROC_NULL) { 212 if (!svc_getcred(rqst, &nd.nd_cred, &credflavor)) { 213 svcerr_weakauth(rqst); 214 svc_freereq(rqst); 215 m_freem(nd.nd_mrep); 216 goto out; 217 } 218 219 /* Set the flag based on credflavor */ 220 if (credflavor == RPCSEC_GSS_KRB5) { 221 nd.nd_flag |= ND_GSS; 222 } else if (credflavor == RPCSEC_GSS_KRB5I) { 223 nd.nd_flag |= (ND_GSS | ND_GSSINTEGRITY); 224 } else if (credflavor == RPCSEC_GSS_KRB5P) { 225 nd.nd_flag |= (ND_GSS | ND_GSSPRIVACY); 226 } else if (credflavor != AUTH_SYS) { 227 svcerr_weakauth(rqst); 228 svc_freereq(rqst); 229 m_freem(nd.nd_mrep); 230 goto out; 231 } 232 233 #ifdef MAC 234 mac_cred_associate_nfsd(nd.nd_cred); 235 #endif 236 /* 237 * Get a refcnt (shared lock) on nfsd_suspend_lock. 238 * NFSSVC_SUSPENDNFSD will take an exclusive lock on 239 * nfsd_suspend_lock to suspend these threads. 240 * The call to nfsv4_lock() that precedes nfsv4_getref() 241 * ensures that the acquisition of the exclusive lock 242 * takes priority over acquisition of the shared lock by 243 * waiting for any exclusive lock request to complete. 244 * This must be done here, before the check of 245 * nfsv4root exports by nfsvno_v4rootexport(). 246 */ 247 NFSLOCKV4ROOTMUTEX(); 248 nfsv4_lock(&nfsd_suspend_lock, 0, NULL, NFSV4ROOTLOCKMUTEXPTR, 249 NULL); 250 nfsv4_getref(&nfsd_suspend_lock, NULL, NFSV4ROOTLOCKMUTEXPTR, 251 NULL); 252 NFSUNLOCKV4ROOTMUTEX(); 253 254 if ((nd.nd_flag & ND_NFSV4) != 0) { 255 nd.nd_repstat = nfsvno_v4rootexport(&nd); 256 if (nd.nd_repstat != 0) { 257 NFSLOCKV4ROOTMUTEX(); 258 nfsv4_relref(&nfsd_suspend_lock); 259 NFSUNLOCKV4ROOTMUTEX(); 260 svcerr_weakauth(rqst); 261 svc_freereq(rqst); 262 m_freem(nd.nd_mrep); 263 goto out; 264 } 265 } 266 267 cacherep = nfs_proc(&nd, rqst->rq_xid, xprt, &rp); 268 NFSLOCKV4ROOTMUTEX(); 269 nfsv4_relref(&nfsd_suspend_lock); 270 NFSUNLOCKV4ROOTMUTEX(); 271 } else { 272 NFSMGET(nd.nd_mreq); 273 nd.nd_mreq->m_len = 0; 274 cacherep = RC_REPLY; 275 } 276 if (nd.nd_mrep != NULL) 277 m_freem(nd.nd_mrep); 278 279 if (nd.nd_cred != NULL) 280 crfree(nd.nd_cred); 281 282 if (cacherep == RC_DROPIT) { 283 if (nd.nd_mreq != NULL) 284 m_freem(nd.nd_mreq); 285 svc_freereq(rqst); 286 goto out; 287 } 288 289 if (nd.nd_mreq == NULL) { 290 svcerr_decode(rqst); 291 svc_freereq(rqst); 292 goto out; 293 } 294 295 if (nd.nd_repstat & NFSERR_AUTHERR) { 296 svcerr_auth(rqst, nd.nd_repstat & ~NFSERR_AUTHERR); 297 if (nd.nd_mreq != NULL) 298 m_freem(nd.nd_mreq); 299 } else if (!svc_sendreply_mbuf(rqst, nd.nd_mreq)) { 300 svcerr_systemerr(rqst); 301 } 302 if (rp != NULL) { 303 nfsrvd_sentcache(rp, (rqst->rq_reply_seq != 0 || 304 SVC_ACK(xprt, NULL)), rqst->rq_reply_seq); 305 } 306 svc_freereq(rqst); 307 308 out: 309 td_softdep_cleanup(curthread); 310 NFSEXITCODE(0); 311 } 312 313 /* 314 * Check the cache and, optionally, do the RPC. 315 * Return the appropriate cache response. 316 */ 317 static int 318 nfs_proc(struct nfsrv_descript *nd, u_int32_t xid, SVCXPRT *xprt, 319 struct nfsrvcache **rpp) 320 { 321 struct thread *td = curthread; 322 int cacherep = RC_DOIT, isdgram, taglen = -1; 323 struct mbuf *m; 324 u_char tag[NFSV4_SMALLSTR + 1], *tagstr = NULL; 325 u_int32_t minorvers = 0; 326 uint32_t ack; 327 328 *rpp = NULL; 329 if (nd->nd_nam2 == NULL) { 330 nd->nd_flag |= ND_STREAMSOCK; 331 isdgram = 0; 332 } else { 333 isdgram = 1; 334 } 335 336 /* 337 * Two cases: 338 * 1 - For NFSv2 over UDP, if we are near our malloc/mget 339 * limit, just drop the request. There is no 340 * NFSERR_RESOURCE or NFSERR_DELAY for NFSv2 and the 341 * client will timeout/retry over UDP in a little while. 342 * 2 - nd_repstat == 0 && nd_mreq == NULL, which 343 * means a normal nfs rpc, so check the cache 344 */ 345 if ((nd->nd_flag & ND_NFSV2) && nd->nd_nam2 != NULL && 346 nfsrv_mallocmget_limit()) { 347 cacherep = RC_DROPIT; 348 } else { 349 /* 350 * For NFSv3, play it safe and assume that the client is 351 * doing retries on the same TCP connection. 352 */ 353 if ((nd->nd_flag & (ND_NFSV4 | ND_STREAMSOCK)) == 354 ND_STREAMSOCK) 355 nd->nd_flag |= ND_SAMETCPCONN; 356 nd->nd_retxid = xid; 357 nd->nd_tcpconntime = NFSD_MONOSEC; 358 nd->nd_sockref = xprt->xp_sockref; 359 if ((nd->nd_flag & ND_NFSV4) != 0) 360 nfsd_getminorvers(nd, tag, &tagstr, &taglen, 361 &minorvers); 362 if ((nd->nd_flag & ND_NFSV41) != 0) 363 /* NFSv4.1 caches replies in the session slots. */ 364 cacherep = RC_DOIT; 365 else { 366 cacherep = nfsrvd_getcache(nd); 367 ack = 0; 368 SVC_ACK(xprt, &ack); 369 nfsrc_trimcache(xprt->xp_sockref, ack, 0); 370 } 371 } 372 373 /* 374 * Handle the request. There are three cases. 375 * RC_DOIT - do the RPC 376 * RC_REPLY - return the reply already created 377 * RC_DROPIT - just throw the request away 378 */ 379 if (cacherep == RC_DOIT) { 380 if ((nd->nd_flag & ND_NFSV41) != 0) 381 nd->nd_xprt = xprt; 382 nfsrvd_dorpc(nd, isdgram, tagstr, taglen, minorvers, td); 383 if ((nd->nd_flag & ND_NFSV41) != 0) { 384 if (nd->nd_repstat != NFSERR_REPLYFROMCACHE && 385 (nd->nd_flag & ND_SAVEREPLY) != 0) { 386 /* Cache a copy of the reply. */ 387 m = m_copym(nd->nd_mreq, 0, M_COPYALL, 388 M_WAITOK); 389 } else 390 m = NULL; 391 if ((nd->nd_flag & ND_HASSEQUENCE) != 0) 392 nfsrv_cache_session(nd->nd_sessionid, 393 nd->nd_slotid, nd->nd_repstat, &m); 394 if (nd->nd_repstat == NFSERR_REPLYFROMCACHE) 395 nd->nd_repstat = 0; 396 cacherep = RC_REPLY; 397 } else { 398 if (nd->nd_repstat == NFSERR_DONTREPLY) 399 cacherep = RC_DROPIT; 400 else 401 cacherep = RC_REPLY; 402 *rpp = nfsrvd_updatecache(nd); 403 } 404 } 405 if (tagstr != NULL && taglen > NFSV4_SMALLSTR) 406 free(tagstr, M_TEMP); 407 408 NFSEXITCODE2(0, nd); 409 return (cacherep); 410 } 411 412 static void 413 nfssvc_loss(SVCXPRT *xprt) 414 { 415 uint32_t ack; 416 417 ack = 0; 418 SVC_ACK(xprt, &ack); 419 nfsrc_trimcache(xprt->xp_sockref, ack, 1); 420 } 421 422 /* 423 * Adds a socket to the list for servicing by nfsds. 424 */ 425 int 426 nfsrvd_addsock(struct file *fp) 427 { 428 int siz; 429 struct socket *so; 430 int error = 0; 431 SVCXPRT *xprt; 432 static u_int64_t sockref = 0; 433 434 so = fp->f_data; 435 436 siz = sb_max_adj; 437 error = soreserve(so, siz, siz); 438 if (error) 439 goto out; 440 441 /* 442 * Steal the socket from userland so that it doesn't close 443 * unexpectedly. 444 */ 445 if (so->so_type == SOCK_DGRAM) 446 xprt = svc_dg_create(nfsrvd_pool, so, 0, 0); 447 else 448 xprt = svc_vc_create(nfsrvd_pool, so, 0, 0); 449 if (xprt) { 450 fp->f_ops = &badfileops; 451 fp->f_data = NULL; 452 xprt->xp_sockref = ++sockref; 453 if (nfs_minvers == NFS_VER2) 454 svc_reg(xprt, NFS_PROG, NFS_VER2, nfssvc_program, 455 NULL); 456 if (nfs_minvers <= NFS_VER3 && nfs_maxvers >= NFS_VER3) 457 svc_reg(xprt, NFS_PROG, NFS_VER3, nfssvc_program, 458 NULL); 459 if (nfs_maxvers >= NFS_VER4) 460 svc_reg(xprt, NFS_PROG, NFS_VER4, nfssvc_program, 461 NULL); 462 if (so->so_type == SOCK_STREAM) 463 svc_loss_reg(xprt, nfssvc_loss); 464 SVC_RELEASE(xprt); 465 } 466 467 out: 468 NFSEXITCODE(error); 469 return (error); 470 } 471 472 /* 473 * Called by nfssvc() for nfsds. Just loops around servicing rpc requests 474 * until it is killed by a signal. 475 */ 476 int 477 nfsrvd_nfsd(struct thread *td, struct nfsd_nfsd_args *args) 478 { 479 char principal[MAXHOSTNAMELEN + 5]; 480 struct proc *p; 481 int error = 0; 482 bool_t ret2, ret3, ret4; 483 484 error = copyinstr(args->principal, principal, sizeof (principal), 485 NULL); 486 if (error) 487 goto out; 488 489 /* 490 * Only the first nfsd actually does any work. The RPC code 491 * adds threads to it as needed. Any extra processes offered 492 * by nfsd just exit. If nfsd is new enough, it will call us 493 * once with a structure that specifies how many threads to 494 * use. 495 */ 496 NFSD_LOCK(); 497 if (newnfs_numnfsd == 0) { 498 p = td->td_proc; 499 PROC_LOCK(p); 500 p->p_flag2 |= P2_AST_SU; 501 PROC_UNLOCK(p); 502 newnfs_numnfsd++; 503 504 NFSD_UNLOCK(); 505 506 /* An empty string implies AUTH_SYS only. */ 507 if (principal[0] != '\0') { 508 ret2 = rpc_gss_set_svc_name_call(principal, 509 "kerberosv5", GSS_C_INDEFINITE, NFS_PROG, NFS_VER2); 510 ret3 = rpc_gss_set_svc_name_call(principal, 511 "kerberosv5", GSS_C_INDEFINITE, NFS_PROG, NFS_VER3); 512 ret4 = rpc_gss_set_svc_name_call(principal, 513 "kerberosv5", GSS_C_INDEFINITE, NFS_PROG, NFS_VER4); 514 515 if (!ret2 || !ret3 || !ret4) 516 printf("nfsd: can't register svc name\n"); 517 } 518 519 nfsrvd_pool->sp_minthreads = args->minthreads; 520 nfsrvd_pool->sp_maxthreads = args->maxthreads; 521 522 svc_run(nfsrvd_pool); 523 524 if (principal[0] != '\0') { 525 rpc_gss_clear_svc_name_call(NFS_PROG, NFS_VER2); 526 rpc_gss_clear_svc_name_call(NFS_PROG, NFS_VER3); 527 rpc_gss_clear_svc_name_call(NFS_PROG, NFS_VER4); 528 } 529 530 NFSD_LOCK(); 531 newnfs_numnfsd--; 532 nfsrvd_init(1); 533 PROC_LOCK(p); 534 p->p_flag2 &= ~P2_AST_SU; 535 PROC_UNLOCK(p); 536 } 537 NFSD_UNLOCK(); 538 539 out: 540 NFSEXITCODE(error); 541 return (error); 542 } 543 544 /* 545 * Initialize the data structures for the server. 546 * Handshake with any new nfsds starting up to avoid any chance of 547 * corruption. 548 */ 549 void 550 nfsrvd_init(int terminating) 551 { 552 553 NFSD_LOCK_ASSERT(); 554 555 if (terminating) { 556 nfsd_master_proc = NULL; 557 NFSD_UNLOCK(); 558 nfsrv_freeallbackchannel_xprts(); 559 svcpool_close(nfsrvd_pool); 560 NFSD_LOCK(); 561 } else { 562 NFSD_UNLOCK(); 563 nfsrvd_pool = svcpool_create("nfsd", 564 SYSCTL_STATIC_CHILDREN(_vfs_nfsd)); 565 nfsrvd_pool->sp_rcache = NULL; 566 nfsrvd_pool->sp_assign = fhanew_assign; 567 nfsrvd_pool->sp_done = fha_nd_complete; 568 NFSD_LOCK(); 569 } 570 } 571 572