1 /* 2 * CDDL HEADER START 3 * 4 * The contents of this file are subject to the terms of the 5 * Common Development and Distribution License (the "License"). 6 * You may not use this file except in compliance with the License. 7 * 8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE 9 * or http://www.opensolaris.org/os/licensing. 10 * See the License for the specific language governing permissions 11 * and limitations under the License. 12 * 13 * When distributing Covered Code, include this CDDL HEADER in each 14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE. 15 * If applicable, add the following below this CDDL HEADER, with the 16 * fields enclosed by brackets "[]" replaced with your own identifying 17 * information: Portions Copyright [yyyy] [name of copyright owner] 18 * 19 * CDDL HEADER END 20 */ 21 22 /* 23 * Copyright 2014 Nexenta Systems, Inc. All rights reserved. 24 */ 25 26 /* 27 * Copyright 2006 Sun Microsystems, Inc. All rights reserved. 28 * Use is subject to license terms. 29 */ 30 31 #ifndef _AUTH_H 32 #define _AUTH_H 33 34 /* 35 * nfsauth_prot.x (The NFSAUTH Protocol) 36 * 37 * This protocol is used by the kernel to authorize NFS clients. This svc 38 * lives in the mount daemon and checks the client's access for an export 39 * with a given authentication flavor. 40 * 41 * The status result determines what kind of access the client is permitted. 42 * 43 * The result is cached in the kernel, so the authorization call will be 44 * made only the first time the client mounts the filesystem. 45 * 46 * const A_MAXPATH = 1024; 47 * 48 * struct auth_req { 49 * netobj req_client; # client's address 50 * string req_netid<>; # Netid of address 51 * string req_path<A_MAXPATH>; # export path 52 * int req_flavor; # auth flavor 53 * uid_t req_clnt_uid; # client's uid 54 * gid_t req_clnt_gid; # client's gid 55 * gid_t req_clnt_gids<>; # client's supplemental groups 56 * }; 57 * 58 * const NFSAUTH_DENIED = 0x01; # Access denied 59 * const NFSAUTH_RO = 0x02; # Read-only 60 * const NFSAUTH_RW = 0x04; # Read-write 61 * const NFSAUTH_ROOT = 0x08; # Root access 62 * const NFSAUTH_WRONGSEC = 0x10; # Advise NFS v4 clients to 63 * # try a different flavor 64 * const NFSAUTH_UIDMAP = 0x100; # uid mapped 65 * const NFSAUTH_GIDMAP = 0x200; # gid mapped 66 * const NFSAUTH_GROUPS = 0x400; # translated supplemental groups 67 * # 68 * # The following are not part of the protocol. 69 * # 70 * const NFSAUTH_DROP = 0x20; # Drop request 71 * const NFSAUTH_MAPNONE = 0x40; # Mapped flavor to AUTH_NONE 72 * const NFSAUTH_LIMITED = 0x80; # Access limited to visible nodes 73 * 74 * struct auth_res { 75 * int auth_perm; 76 * uid_t auth_srv_uid; # translated uid 77 * gid_t auth_srv_gid; # translated gid 78 * gid_t auth_srv_gids<>; # translated supplemental groups 79 * }; 80 * 81 * program NFSAUTH_PROG { 82 * version NFSAUTH_VERS { 83 * # 84 * # Authorization Request 85 * # 86 * auth_res 87 * NFSAUTH_ACCESS(auth_req) = 1; 88 * 89 * } = 1; 90 * } = 100231; 91 */ 92 93 #ifndef _KERNEL 94 #include <stddef.h> 95 #endif 96 #include <sys/sysmacros.h> 97 #include <sys/types.h> 98 #include <rpc/xdr.h> 99 100 #ifdef __cplusplus 101 extern "C" { 102 #endif 103 104 105 /* --8<-- Start: nfsauth_prot.x definitions --8<-- */ 106 107 #define A_MAXPATH 1024 108 109 #define NFSAUTH_ACCESS 1 110 111 #define NFSAUTH_DENIED 0x01 112 #define NFSAUTH_RO 0x02 113 #define NFSAUTH_RW 0x04 114 #define NFSAUTH_ROOT 0x08 115 #define NFSAUTH_WRONGSEC 0x10 116 #define NFSAUTH_DROP 0x20 117 #define NFSAUTH_MAPNONE 0x40 118 #define NFSAUTH_LIMITED 0x80 119 #define NFSAUTH_UIDMAP 0x100 120 #define NFSAUTH_GIDMAP 0x200 121 #define NFSAUTH_GROUPS 0x400 122 123 struct auth_req { 124 netobj req_client; 125 char *req_netid; 126 char *req_path; 127 int req_flavor; 128 uid_t req_clnt_uid; 129 gid_t req_clnt_gid; 130 struct { 131 uint_t len; 132 gid_t *val; 133 } req_clnt_gids; 134 }; 135 typedef struct auth_req auth_req; 136 137 struct auth_res { 138 int auth_perm; 139 uid_t auth_srv_uid; 140 gid_t auth_srv_gid; 141 struct { 142 uint_t len; 143 gid_t *val; 144 } auth_srv_gids; 145 }; 146 typedef struct auth_res auth_res; 147 148 /* --8<-- End: nfsauth_prot.x definitions --8<-- */ 149 150 151 #define NFSAUTH_DR_OKAY 0x0 /* success */ 152 #define NFSAUTH_DR_BADCMD 0x100 /* NFSAUTH_ACCESS is only cmd allowed */ 153 #define NFSAUTH_DR_DECERR 0x200 /* mountd could not decode arguments */ 154 #define NFSAUTH_DR_EFAIL 0x400 /* mountd could not encode results */ 155 #define NFSAUTH_DR_TRYCNT 5 /* door handle acquisition retry cnt */ 156 157 #if defined(DEBUG) && !defined(_KERNEL) 158 #define MOUNTD_DOOR "/var/run/mountd_door" 159 #endif 160 161 /* 162 * Only cmd is added to the args. We need to know "what" we want 163 * the daemon to do for us. Also, 'stat' returns the status from 164 * the daemon down to the kernel in addition to perms. 165 */ 166 struct nfsauth_arg { 167 uint_t cmd; 168 auth_req areq; 169 }; 170 typedef struct nfsauth_arg nfsauth_arg_t; 171 172 struct nfsauth_res { 173 uint_t stat; 174 auth_res ares; 175 }; 176 typedef struct nfsauth_res nfsauth_res_t; 177 178 /* 179 * For future extensibility, we version the data structures so 180 * future incantations of mountd(8) will know how to XDR decode 181 * the arguments. 182 */ 183 enum vtypes { 184 V_ERROR = 0, 185 V_PROTO = 1 186 }; 187 typedef enum vtypes vtypes; 188 189 typedef struct varg { 190 uint_t vers; 191 union { 192 nfsauth_arg_t arg; 193 /* additional args versions go here */ 194 } arg_u; 195 } varg_t; 196 197 extern bool_t xdr_varg(XDR *, varg_t *); 198 extern bool_t xdr_nfsauth_arg(XDR *, nfsauth_arg_t *); 199 extern bool_t xdr_nfsauth_res(XDR *, nfsauth_res_t *); 200 201 #ifdef __cplusplus 202 } 203 #endif 204 205 #endif /* _AUTH_H */ 206