1 /*- 2 * SPDX-License-Identifier: BSD-3-Clause 3 * 4 * Copyright (c) 1989, 1993 5 * The Regents of the University of California. All rights reserved. 6 * 7 * This code is derived from software contributed to Berkeley by 8 * Rick Macklem at The University of Guelph. 9 * 10 * Redistribution and use in source and binary forms, with or without 11 * modification, are permitted provided that the following conditions 12 * are met: 13 * 1. Redistributions of source code must retain the above copyright 14 * notice, this list of conditions and the following disclaimer. 15 * 2. Redistributions in binary form must reproduce the above copyright 16 * notice, this list of conditions and the following disclaimer in the 17 * documentation and/or other materials provided with the distribution. 18 * 3. Neither the name of the University nor the names of its contributors 19 * may be used to endorse or promote products derived from this software 20 * without specific prior written permission. 21 * 22 * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND 23 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 24 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 25 * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE 26 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 27 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 28 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 29 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 30 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 31 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 32 * SUCH DAMAGE. 33 * 34 */ 35 36 #include <sys/cdefs.h> 37 #include "opt_inet6.h" 38 #include "opt_kgssapi.h" 39 #include "opt_kern_tls.h" 40 41 #include <fs/nfs/nfsport.h> 42 43 #include <rpc/rpc.h> 44 #include <rpc/rpcsec_gss.h> 45 #include <rpc/rpcsec_tls.h> 46 47 #include <fs/nfsserver/nfs_fha_new.h> 48 49 #include <security/mac/mac_framework.h> 50 51 NFSDLOCKMUTEX; 52 NFSV4ROOTLOCKMUTEX; 53 char *nfsrv_zeropnfsdat = NULL; 54 55 /* 56 * Mapping of old NFS Version 2 RPC numbers to generic numbers. 57 */ 58 int newnfs_nfsv3_procid[NFS_V3NPROCS] = { 59 NFSPROC_NULL, 60 NFSPROC_GETATTR, 61 NFSPROC_SETATTR, 62 NFSPROC_NOOP, 63 NFSPROC_LOOKUP, 64 NFSPROC_READLINK, 65 NFSPROC_READ, 66 NFSPROC_NOOP, 67 NFSPROC_WRITE, 68 NFSPROC_CREATE, 69 NFSPROC_REMOVE, 70 NFSPROC_RENAME, 71 NFSPROC_LINK, 72 NFSPROC_SYMLINK, 73 NFSPROC_MKDIR, 74 NFSPROC_RMDIR, 75 NFSPROC_READDIR, 76 NFSPROC_FSSTAT, 77 NFSPROC_NOOP, 78 NFSPROC_NOOP, 79 NFSPROC_NOOP, 80 NFSPROC_NOOP, 81 }; 82 83 SYSCTL_DECL(_vfs_nfsd); 84 85 NFSD_VNET_DEFINE_STATIC(int, nfs_privport) = 1; 86 SYSCTL_INT(_vfs_nfsd, OID_AUTO, nfs_privport, CTLFLAG_NFSD_VNET | CTLFLAG_RWTUN, 87 &NFSD_VNET_NAME(nfs_privport), 0, 88 "Only allow clients using a privileged port for NFSv2, 3 and 4"); 89 90 NFSD_VNET_DEFINE_STATIC(int, nfs_minvers) = NFS_VER2; 91 SYSCTL_INT(_vfs_nfsd, OID_AUTO, server_min_nfsvers, 92 CTLFLAG_NFSD_VNET | CTLFLAG_RWTUN, &NFSD_VNET_NAME(nfs_minvers), 0, 93 "The lowest version of NFS handled by the server"); 94 95 NFSD_VNET_DEFINE_STATIC(int, nfs_maxvers) = NFS_VER4; 96 SYSCTL_INT(_vfs_nfsd, OID_AUTO, server_max_nfsvers, 97 CTLFLAG_NFSD_VNET | CTLFLAG_RWTUN, &NFSD_VNET_NAME(nfs_maxvers), 0, 98 "The highest version of NFS handled by the server"); 99 100 static int nfs_proc(struct nfsrv_descript *, u_int32_t, SVCXPRT *xprt, 101 struct nfsrvcache **); 102 103 extern u_long sb_max_adj; 104 extern int newnfs_numnfsd; 105 extern time_t nfsdev_time; 106 extern int nfsrv_writerpc[NFS_NPROCS]; 107 extern volatile int nfsrv_devidcnt; 108 extern struct nfsv4_opflag nfsv4_opflag[NFSV42_NOPS]; 109 extern int nfsd_debuglevel; 110 111 NFSD_VNET_DECLARE(struct proc *, nfsd_master_proc); 112 113 NFSD_VNET_DEFINE(SVCPOOL *, nfsrvd_pool); 114 NFSD_VNET_DEFINE(int, nfsrv_numnfsd) = 0; 115 NFSD_VNET_DEFINE(struct nfsv4lock, nfsd_suspend_lock); 116 117 NFSD_VNET_DEFINE_STATIC(bool, nfsrvd_inited) = false; 118 119 /* 120 * NFS server system calls 121 */ 122 123 static void 124 nfssvc_program(struct svc_req *rqst, SVCXPRT *xprt) 125 { 126 struct nfsrv_descript nd; 127 struct nfsrvcache *rp = NULL; 128 rpc_gss_rawcred_t *rcredp; 129 int cacherep, credflavor, i, j; 130 u_char *p; 131 #ifdef KERN_TLS 132 u_int maxlen; 133 #endif 134 135 NFSD_CURVNET_SET_QUIET(NFSD_TD_TO_VNET(curthread)); 136 memset(&nd, 0, sizeof(nd)); 137 if (rqst->rq_vers == NFS_VER2) { 138 if (rqst->rq_proc > NFSV2PROC_STATFS || 139 newnfs_nfsv3_procid[rqst->rq_proc] == NFSPROC_NOOP) { 140 svcerr_noproc(rqst); 141 svc_freereq(rqst); 142 goto out; 143 } 144 nd.nd_procnum = newnfs_nfsv3_procid[rqst->rq_proc]; 145 nd.nd_flag = ND_NFSV2; 146 } else if (rqst->rq_vers == NFS_VER3) { 147 if (rqst->rq_proc >= NFS_V3NPROCS) { 148 svcerr_noproc(rqst); 149 svc_freereq(rqst); 150 goto out; 151 } 152 nd.nd_procnum = rqst->rq_proc; 153 nd.nd_flag = ND_NFSV3; 154 } else { 155 if (rqst->rq_proc != NFSPROC_NULL && 156 rqst->rq_proc != NFSV4PROC_COMPOUND) { 157 svcerr_noproc(rqst); 158 svc_freereq(rqst); 159 goto out; 160 } 161 nd.nd_procnum = rqst->rq_proc; 162 nd.nd_flag = ND_NFSV4; 163 } 164 165 /* 166 * Note: we want rq_addr, not svc_getrpccaller for nd_nam2 - 167 * NFS_SRVMAXDATA uses a NULL value for nd_nam2 to detect TCP 168 * mounts. 169 */ 170 nd.nd_mrep = rqst->rq_args; 171 rqst->rq_args = NULL; 172 newnfs_realign(&nd.nd_mrep, M_WAITOK); 173 nd.nd_md = nd.nd_mrep; 174 nd.nd_dpos = mtod(nd.nd_md, caddr_t); 175 nd.nd_nam = svc_getrpccaller(rqst); 176 nd.nd_nam2 = rqst->rq_addr; 177 nd.nd_mreq = NULL; 178 nd.nd_cred = NULL; 179 180 if (NFSD_VNET(nfs_privport) != 0) { 181 /* Check if source port is privileged */ 182 u_short port; 183 struct sockaddr *nam = nd.nd_nam; 184 struct sockaddr_in *sin; 185 186 sin = (struct sockaddr_in *)nam; 187 /* 188 * INET/INET6 - same code: 189 * sin_port and sin6_port are at same offset 190 */ 191 port = ntohs(sin->sin_port); 192 if (port >= IPPORT_RESERVED && 193 nd.nd_procnum != NFSPROC_NULL) { 194 static struct timeval privport_ratecheck = { 195 .tv_sec = 0, .tv_usec = 0 196 }; 197 static const struct timeval privport_ratecheck_int = { 198 .tv_sec = 1, .tv_usec = 0 199 }; 200 #ifdef INET6 201 char buf[INET6_ADDRSTRLEN]; 202 #else 203 char buf[INET_ADDRSTRLEN]; 204 #endif 205 #ifdef INET6 206 #if defined(KLD_MODULE) 207 /* Do not use ip6_sprintf: the nfs module should work without INET6. */ 208 #define ip6_sprintf(buf, a) \ 209 (sprintf((buf), "%x:%x:%x:%x:%x:%x:%x:%x", \ 210 (a)->s6_addr16[0], (a)->s6_addr16[1], \ 211 (a)->s6_addr16[2], (a)->s6_addr16[3], \ 212 (a)->s6_addr16[4], (a)->s6_addr16[5], \ 213 (a)->s6_addr16[6], (a)->s6_addr16[7]), \ 214 (buf)) 215 #endif 216 #endif 217 if (ratecheck(&privport_ratecheck, 218 &privport_ratecheck_int)) { 219 printf( 220 "NFS request from unprivileged port (%s:%d)\n", 221 #ifdef INET6 222 sin->sin_family == AF_INET6 ? 223 ip6_sprintf(buf, &satosin6(sin)->sin6_addr) : 224 #if defined(KLD_MODULE) 225 #undef ip6_sprintf 226 #endif 227 #endif 228 inet_ntoa_r(sin->sin_addr, buf), port); 229 } 230 svcerr_weakauth(rqst); 231 svc_freereq(rqst); 232 m_freem(nd.nd_mrep); 233 goto out; 234 } 235 } 236 237 if (nd.nd_procnum != NFSPROC_NULL) { 238 if (!svc_getcred(rqst, &nd.nd_cred, &credflavor)) { 239 svcerr_weakauth(rqst); 240 svc_freereq(rqst); 241 m_freem(nd.nd_mrep); 242 goto out; 243 } 244 245 /* Set the flag based on credflavor */ 246 if (credflavor == RPCSEC_GSS_KRB5) { 247 nd.nd_flag |= ND_GSS; 248 } else if (credflavor == RPCSEC_GSS_KRB5I) { 249 nd.nd_flag |= (ND_GSS | ND_GSSINTEGRITY); 250 } else if (credflavor == RPCSEC_GSS_KRB5P) { 251 nd.nd_flag |= (ND_GSS | ND_GSSPRIVACY); 252 } else if (credflavor != AUTH_SYS) { 253 svcerr_weakauth(rqst); 254 svc_freereq(rqst); 255 m_freem(nd.nd_mrep); 256 goto out; 257 } 258 259 /* Acquire the principal name for the RPCSEC_GSS cases. */ 260 if ((nd.nd_flag & (ND_NFSV4 | ND_GSS)) == (ND_NFSV4 | ND_GSS)) { 261 rcredp = NULL; 262 rpc_gss_getcred_call(rqst, &rcredp, NULL, NULL); 263 /* 264 * The exported principal name consists of: 265 * - TOK_ID bytes with value of 4 and 1. 266 * - 2 byte mech length 267 * - mech 268 * - 4 byte principal name length 269 * - principal name 270 * A call to gss_import_name() would be an 271 * upcall to the gssd, so parse it here. 272 * See lib/libgssapi/gss_import_name.c for the 273 * above format. 274 */ 275 if (rcredp != NULL && 276 rcredp->client_principal->len > 4 && 277 rcredp->client_principal->name[0] == 4 && 278 rcredp->client_principal->name[1] == 1) { 279 /* Skip over the mech. */ 280 p = &rcredp->client_principal->name[2]; 281 i = (p[0] << 8) | p[1]; 282 p += i + 2; 283 i += 4; 284 /* 285 * Set "j" to a bogus length so that the 286 * "i + j" check will fail unless the below 287 * code sets "j" correctly. 288 */ 289 j = rcredp->client_principal->len; 290 if (rcredp->client_principal->len > i + 4) { 291 j = (p[0] << 24) | (p[1] << 16) | 292 (p[2] << 8) | p[3]; 293 i += 4; 294 p += 4; 295 } 296 if (i + j == rcredp->client_principal->len) { 297 nd.nd_principal = malloc(j + 1, M_TEMP, 298 M_WAITOK); 299 nd.nd_princlen = j; 300 memcpy(nd.nd_principal, p, j); 301 nd.nd_principal[j] = '\0'; 302 NFSD_DEBUG(1, "nfssvc_program: " 303 "principal=%s\n", nd.nd_principal); 304 } 305 } 306 if (nd.nd_princlen == 0) 307 printf("nfssvc_program: cannot get RPCSEC_GSS " 308 "principal name\n"); 309 } 310 311 if ((xprt->xp_tls & RPCTLS_FLAGS_HANDSHAKE) != 0) { 312 nd.nd_flag |= ND_TLS; 313 if ((xprt->xp_tls & RPCTLS_FLAGS_VERIFIED) != 0) 314 nd.nd_flag |= ND_TLSCERT; 315 if ((xprt->xp_tls & RPCTLS_FLAGS_CERTUSER) != 0) 316 nd.nd_flag |= ND_TLSCERTUSER; 317 } 318 nd.nd_maxextsiz = 16384; 319 #ifdef MAC 320 mac_cred_associate_nfsd(nd.nd_cred); 321 #endif 322 /* 323 * Get a refcnt (shared lock) on nfsd_suspend_lock. 324 * NFSSVC_SUSPENDNFSD will take an exclusive lock on 325 * nfsd_suspend_lock to suspend these threads. 326 * The call to nfsv4_lock() that precedes nfsv4_getref() 327 * ensures that the acquisition of the exclusive lock 328 * takes priority over acquisition of the shared lock by 329 * waiting for any exclusive lock request to complete. 330 * This must be done here, before the check of 331 * nfsv4root exports by nfsvno_v4rootexport(). 332 */ 333 NFSLOCKV4ROOTMUTEX(); 334 nfsv4_lock(&NFSD_VNET(nfsd_suspend_lock), 0, NULL, 335 NFSV4ROOTLOCKMUTEXPTR, NULL); 336 nfsv4_getref(&NFSD_VNET(nfsd_suspend_lock), NULL, 337 NFSV4ROOTLOCKMUTEXPTR, NULL); 338 NFSUNLOCKV4ROOTMUTEX(); 339 340 if ((nd.nd_flag & ND_NFSV4) != 0) { 341 nd.nd_repstat = nfsvno_v4rootexport(&nd); 342 if (nd.nd_repstat != 0) { 343 NFSLOCKV4ROOTMUTEX(); 344 nfsv4_relref(&NFSD_VNET(nfsd_suspend_lock)); 345 NFSUNLOCKV4ROOTMUTEX(); 346 svcerr_weakauth(rqst); 347 svc_freereq(rqst); 348 m_freem(nd.nd_mrep); 349 goto out; 350 } 351 } 352 353 #ifdef KERN_TLS 354 if ((xprt->xp_tls & RPCTLS_FLAGS_HANDSHAKE) != 0 && 355 rpctls_getinfo(&maxlen, false, false)) 356 nd.nd_maxextsiz = maxlen; 357 #endif 358 cacherep = nfs_proc(&nd, rqst->rq_xid, xprt, &rp); 359 NFSLOCKV4ROOTMUTEX(); 360 nfsv4_relref(&NFSD_VNET(nfsd_suspend_lock)); 361 NFSUNLOCKV4ROOTMUTEX(); 362 } else { 363 NFSMGET(nd.nd_mreq); 364 nd.nd_mreq->m_len = 0; 365 cacherep = RC_REPLY; 366 } 367 if (nd.nd_mrep != NULL) 368 m_freem(nd.nd_mrep); 369 370 if (nd.nd_cred != NULL) 371 crfree(nd.nd_cred); 372 373 if (cacherep == RC_DROPIT) { 374 if (nd.nd_mreq != NULL) 375 m_freem(nd.nd_mreq); 376 svc_freereq(rqst); 377 goto out; 378 } 379 380 if (nd.nd_mreq == NULL) { 381 svcerr_decode(rqst); 382 svc_freereq(rqst); 383 goto out; 384 } 385 386 if (nd.nd_repstat & NFSERR_AUTHERR) { 387 svcerr_auth(rqst, nd.nd_repstat & ~NFSERR_AUTHERR); 388 if (nd.nd_mreq != NULL) 389 m_freem(nd.nd_mreq); 390 } else if (!svc_sendreply_mbuf(rqst, nd.nd_mreq)) { 391 svcerr_systemerr(rqst); 392 } 393 if (rp != NULL) { 394 nfsrvd_sentcache(rp, (rqst->rq_reply_seq != 0 || 395 SVC_ACK(xprt, NULL)), rqst->rq_reply_seq); 396 } 397 svc_freereq(rqst); 398 399 out: 400 free(nd.nd_principal, M_TEMP); 401 NFSD_CURVNET_RESTORE(); 402 ast_kclear(curthread); 403 NFSEXITCODE(0); 404 } 405 406 /* 407 * Check the cache and, optionally, do the RPC. 408 * Return the appropriate cache response. 409 */ 410 static int 411 nfs_proc(struct nfsrv_descript *nd, u_int32_t xid, SVCXPRT *xprt, 412 struct nfsrvcache **rpp) 413 { 414 int cacherep = RC_DOIT, isdgram, taglen = -1; 415 struct mbuf *m; 416 u_char tag[NFSV4_SMALLSTR + 1], *tagstr = NULL; 417 u_int32_t minorvers = 0; 418 uint32_t ack; 419 420 *rpp = NULL; 421 if (nd->nd_nam2 == NULL) { 422 nd->nd_flag |= ND_STREAMSOCK; 423 isdgram = 0; 424 } else { 425 isdgram = 1; 426 } 427 428 /* 429 * Two cases: 430 * 1 - For NFSv2 over UDP, if we are near our malloc/mget 431 * limit, just drop the request. There is no 432 * NFSERR_RESOURCE or NFSERR_DELAY for NFSv2 and the 433 * client will timeout/retry over UDP in a little while. 434 * 2 - nd_repstat == 0 && nd_mreq == NULL, which 435 * means a normal nfs rpc, so check the cache 436 */ 437 if ((nd->nd_flag & ND_NFSV2) && nd->nd_nam2 != NULL && 438 nfsrv_mallocmget_limit()) { 439 cacherep = RC_DROPIT; 440 } else { 441 /* 442 * For NFSv3, play it safe and assume that the client is 443 * doing retries on the same TCP connection. 444 */ 445 if ((nd->nd_flag & (ND_NFSV4 | ND_STREAMSOCK)) == 446 ND_STREAMSOCK) 447 nd->nd_flag |= ND_SAMETCPCONN; 448 nd->nd_retxid = xid; 449 nd->nd_tcpconntime = NFSD_MONOSEC; 450 nd->nd_sockref = xprt->xp_sockref; 451 if ((nd->nd_flag & ND_NFSV4) != 0) 452 nfsd_getminorvers(nd, tag, &tagstr, &taglen, 453 &minorvers); 454 if ((nd->nd_flag & ND_NFSV41) != 0) 455 /* NFSv4.1 caches replies in the session slots. */ 456 cacherep = RC_DOIT; 457 else { 458 cacherep = nfsrvd_getcache(nd); 459 ack = 0; 460 SVC_ACK(xprt, &ack); 461 nfsrc_trimcache(xprt->xp_sockref, ack, 0); 462 } 463 } 464 465 /* 466 * Handle the request. There are three cases. 467 * RC_DOIT - do the RPC 468 * RC_REPLY - return the reply already created 469 * RC_DROPIT - just throw the request away 470 */ 471 if (cacherep == RC_DOIT) { 472 if ((nd->nd_flag & ND_NFSV41) != 0) 473 nd->nd_xprt = xprt; 474 nfsrvd_dorpc(nd, isdgram, tagstr, taglen, minorvers); 475 if ((nd->nd_flag & ND_NFSV41) != 0) { 476 if (nd->nd_repstat != NFSERR_REPLYFROMCACHE && 477 (nd->nd_flag & ND_SAVEREPLY) != 0) { 478 /* Cache a copy of the reply. */ 479 m = m_copym(nd->nd_mreq, 0, M_COPYALL, 480 M_WAITOK); 481 } else 482 m = NULL; 483 if ((nd->nd_flag & ND_HASSEQUENCE) != 0) 484 nfsrv_cache_session(nd, &m); 485 if (nd->nd_repstat == NFSERR_REPLYFROMCACHE) { 486 nd->nd_repstat = 0; 487 if (m != NULL) { 488 m_freem(nd->nd_mreq); 489 nd->nd_mreq = m; 490 } 491 } 492 cacherep = RC_REPLY; 493 } else { 494 if (nd->nd_repstat == NFSERR_DONTREPLY) 495 cacherep = RC_DROPIT; 496 else 497 cacherep = RC_REPLY; 498 *rpp = nfsrvd_updatecache(nd); 499 } 500 } 501 if (tagstr != NULL && taglen > NFSV4_SMALLSTR) 502 free(tagstr, M_TEMP); 503 504 NFSEXITCODE2(0, nd); 505 return (cacherep); 506 } 507 508 static void 509 nfssvc_loss(SVCXPRT *xprt) 510 { 511 uint32_t ack; 512 513 ack = 0; 514 SVC_ACK(xprt, &ack); 515 NFSD_CURVNET_SET(NFSD_TD_TO_VNET(curthread)); 516 nfsrc_trimcache(xprt->xp_sockref, ack, 1); 517 NFSD_CURVNET_RESTORE(); 518 } 519 520 /* 521 * Adds a socket to the list for servicing by nfsds. 522 */ 523 int 524 nfsrvd_addsock(struct file *fp) 525 { 526 int siz; 527 struct socket *so; 528 int error = 0; 529 SVCXPRT *xprt; 530 static u_int64_t sockref = 0; 531 532 so = fp->f_data; 533 534 siz = sb_max_adj; 535 error = soreserve(so, siz, siz); 536 if (error) 537 goto out; 538 539 /* 540 * Steal the socket from userland so that it doesn't close 541 * unexpectedly. 542 */ 543 if (so->so_type == SOCK_DGRAM) 544 xprt = svc_dg_create(NFSD_VNET(nfsrvd_pool), so, 0, 0); 545 else 546 xprt = svc_vc_create(NFSD_VNET(nfsrvd_pool), so, 0, 0); 547 if (xprt) { 548 fp->f_ops = &badfileops; 549 fp->f_data = NULL; 550 xprt->xp_sockref = ++sockref; 551 if (NFSD_VNET(nfs_minvers) == NFS_VER2) 552 svc_reg(xprt, NFS_PROG, NFS_VER2, nfssvc_program, 553 NULL); 554 if (NFSD_VNET(nfs_minvers) <= NFS_VER3 && 555 NFSD_VNET(nfs_maxvers) >= NFS_VER3) 556 svc_reg(xprt, NFS_PROG, NFS_VER3, nfssvc_program, 557 NULL); 558 if (NFSD_VNET(nfs_maxvers) >= NFS_VER4) 559 svc_reg(xprt, NFS_PROG, NFS_VER4, nfssvc_program, 560 NULL); 561 if (so->so_type == SOCK_STREAM) 562 svc_loss_reg(xprt, nfssvc_loss); 563 SVC_RELEASE(xprt); 564 } else 565 error = EPERM; 566 567 out: 568 NFSEXITCODE(error); 569 return (error); 570 } 571 572 /* 573 * Called by nfssvc() for nfsds. Just loops around servicing rpc requests 574 * until it is killed by a signal. 575 */ 576 int 577 nfsrvd_nfsd(struct thread *td, struct nfsd_nfsd_args *args) 578 { 579 char principal[MAXHOSTNAMELEN + 5]; 580 struct proc *p; 581 int error = 0; 582 bool_t ret2, ret3, ret4; 583 584 error = copyinstr(args->principal, principal, sizeof (principal), 585 NULL); 586 if (error) 587 goto out; 588 589 /* 590 * Only the first nfsd actually does any work. The RPC code 591 * adds threads to it as needed. Any extra processes offered 592 * by nfsd just exit. If nfsd is new enough, it will call us 593 * once with a structure that specifies how many threads to 594 * use. 595 */ 596 NFSD_LOCK(); 597 if (NFSD_VNET(nfsrv_numnfsd) == 0) { 598 nfsdev_time = time_second; 599 p = td->td_proc; 600 PROC_LOCK(p); 601 p->p_flag2 |= P2_AST_SU; 602 PROC_UNLOCK(p); 603 newnfs_numnfsd++; /* Total num for all vnets. */ 604 NFSD_VNET(nfsrv_numnfsd)++; /* Num for this vnet. */ 605 606 NFSD_UNLOCK(); 607 error = nfsrv_createdevids(args, td); 608 if (error == 0) { 609 /* An empty string implies AUTH_SYS only. */ 610 if (principal[0] != '\0') { 611 ret2 = rpc_gss_set_svc_name_call(principal, 612 "kerberosv5", GSS_C_INDEFINITE, NFS_PROG, 613 NFS_VER2); 614 ret3 = rpc_gss_set_svc_name_call(principal, 615 "kerberosv5", GSS_C_INDEFINITE, NFS_PROG, 616 NFS_VER3); 617 ret4 = rpc_gss_set_svc_name_call(principal, 618 "kerberosv5", GSS_C_INDEFINITE, NFS_PROG, 619 NFS_VER4); 620 621 if (!ret2 || !ret3 || !ret4) 622 printf("nfsd: can't register svc " 623 "name %s jid:%d\n", principal, 624 td->td_ucred->cr_prison->pr_id); 625 } 626 627 NFSD_VNET(nfsrvd_pool)->sp_minthreads = 628 args->minthreads; 629 NFSD_VNET(nfsrvd_pool)->sp_maxthreads = 630 args->maxthreads; 631 632 /* 633 * If this is a pNFS service, make Getattr do a 634 * vn_start_write(), so it can do a vn_set_extattr(). 635 */ 636 if (nfsrv_devidcnt > 0) { 637 nfsrv_writerpc[NFSPROC_GETATTR] = 1; 638 nfsv4_opflag[NFSV4OP_GETATTR].modifyfs = 1; 639 } 640 641 svc_run(NFSD_VNET(nfsrvd_pool)); 642 643 /* Reset Getattr to not do a vn_start_write(). */ 644 nfsrv_writerpc[NFSPROC_GETATTR] = 0; 645 nfsv4_opflag[NFSV4OP_GETATTR].modifyfs = 0; 646 647 if (principal[0] != '\0') { 648 rpc_gss_clear_svc_name_call(NFS_PROG, NFS_VER2); 649 rpc_gss_clear_svc_name_call(NFS_PROG, NFS_VER3); 650 rpc_gss_clear_svc_name_call(NFS_PROG, NFS_VER4); 651 } 652 } 653 NFSD_LOCK(); 654 newnfs_numnfsd--; 655 NFSD_VNET(nfsrv_numnfsd)--; 656 nfsrvd_init(1); 657 PROC_LOCK(p); 658 p->p_flag2 &= ~P2_AST_SU; 659 PROC_UNLOCK(p); 660 } 661 NFSD_UNLOCK(); 662 663 out: 664 NFSEXITCODE(error); 665 return (error); 666 } 667 668 /* 669 * Initialize the data structures for the server. 670 * Handshake with any new nfsds starting up to avoid any chance of 671 * corruption. 672 */ 673 void 674 nfsrvd_init(int terminating) 675 { 676 677 NFSD_LOCK_ASSERT(); 678 679 if (terminating) { 680 NFSD_VNET(nfsd_master_proc) = NULL; 681 NFSD_UNLOCK(); 682 nfsrv_freealllayoutsanddevids(); 683 nfsrv_freeallbackchannel_xprts(); 684 svcpool_close(NFSD_VNET(nfsrvd_pool)); 685 free(nfsrv_zeropnfsdat, M_TEMP); 686 nfsrv_zeropnfsdat = NULL; 687 NFSD_LOCK(); 688 } else { 689 /* Initialize per-vnet globals once per vnet. */ 690 if (NFSD_VNET(nfsrvd_inited)) 691 return; 692 NFSD_VNET(nfsrvd_inited) = true; 693 NFSD_UNLOCK(); 694 NFSD_VNET(nfsrvd_pool) = svcpool_create("nfsd", 695 SYSCTL_STATIC_CHILDREN(_vfs_nfsd)); 696 NFSD_VNET(nfsrvd_pool)->sp_rcache = NULL; 697 NFSD_VNET(nfsrvd_pool)->sp_assign = fhanew_assign; 698 NFSD_VNET(nfsrvd_pool)->sp_done = fhanew_nd_complete; 699 NFSD_LOCK(); 700 } 701 } 702