xref: /illumos-gate/usr/src/uts/common/nfs/auth.h (revision 52244c0958bdf281ca42932b449f644b4decfdc2)
1 /*
2  * CDDL HEADER START
3  *
4  * The contents of this file are subject to the terms of the
5  * Common Development and Distribution License (the "License").
6  * You may not use this file except in compliance with the License.
7  *
8  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9  * or http://www.opensolaris.org/os/licensing.
10  * See the License for the specific language governing permissions
11  * and limitations under the License.
12  *
13  * When distributing Covered Code, include this CDDL HEADER in each
14  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15  * If applicable, add the following below this CDDL HEADER, with the
16  * fields enclosed by brackets "[]" replaced with your own identifying
17  * information: Portions Copyright [yyyy] [name of copyright owner]
18  *
19  * CDDL HEADER END
20  */
21 
22 /*
23  * Copyright 2014 Nexenta Systems, Inc.  All rights reserved.
24  */
25 
26 /*
27  * Copyright 2006 Sun Microsystems, Inc.  All rights reserved.
28  * Use is subject to license terms.
29  */
30 
31 #ifndef _AUTH_H
32 #define	_AUTH_H
33 
34 /*
35  * nfsauth_prot.x (The NFSAUTH Protocol)
36  *
37  * This protocol is used by the kernel to authorize NFS clients. This svc
38  * lives in the mount daemon and checks the client's access for an export
39  * with a given authentication flavor.
40  *
41  * The status result determines what kind of access the client is permitted.
42  *
43  * The result is cached in the kernel, so the authorization call will be
44  * made only the first time the client mounts the filesystem.
45  *
46  * const A_MAXPATH	= 1024;
47  *
48  * struct auth_req {
49  * 	netobj 	req_client;		# client's address
50  * 	string	req_netid<>;		# Netid of address
51  * 	string	req_path<A_MAXPATH>;	# export path
52  * 	int	req_flavor;		# auth flavor
53  *	uid_t	req_clnt_uid;		# client's uid
54  *	gid_t	req_clnt_gid;		# client's gid
55  *	gid_t	req_clnt_gids<>;	# client's supplemental groups
56  * };
57  *
58  * const NFSAUTH_DENIED	  = 0x01;	# Access denied
59  * const NFSAUTH_RO	  = 0x02;	# Read-only
60  * const NFSAUTH_RW	  = 0x04;	# Read-write
61  * const NFSAUTH_ROOT	  = 0x08;	# Root access
62  * const NFSAUTH_WRONGSEC = 0x10;	# Advise NFS v4 clients to
63  * 					# try a different flavor
64  * const NFSAUTH_UIDMAP   = 0x100;	# uid mapped
65  * const NFSAUTH_GIDMAP   = 0x200;	# gid mapped
66  * const NFSAUTH_GROUPS   = 0x400;	# translated supplemental groups
67  * #
68  * # The following are not part of the protocol.
69  * #
70  * const NFSAUTH_DROP	 = 0x20;	# Drop request
71  * const NFSAUTH_MAPNONE = 0x40;	# Mapped flavor to AUTH_NONE
72  * const NFSAUTH_LIMITED = 0x80;	# Access limited to visible nodes
73  *
74  * struct auth_res {
75  * 	int	auth_perm;
76  *	uid_t	auth_srv_uid;		# translated uid
77  *	gid_t	auth_srv_gid;		# translated gid
78  *	gid_t	auth_srv_gids<>;	# translated supplemental groups
79  * };
80  *
81  * program NFSAUTH_PROG {
82  * 	version NFSAUTH_VERS {
83  *		#
84  *		# Authorization Request
85  *		#
86  * 		auth_res
87  * 		NFSAUTH_ACCESS(auth_req) = 1;
88  *
89  * 	} = 1;
90  * } = 100231;
91  */
92 
93 #ifndef _KERNEL
94 #include <stddef.h>
95 #endif
96 #include <sys/sysmacros.h>
97 #include <sys/types.h>
98 #include <rpc/xdr.h>
99 
100 #ifdef	__cplusplus
101 extern "C" {
102 #endif
103 
104 
105 /* --8<-- Start: nfsauth_prot.x definitions --8<-- */
106 
107 #define	A_MAXPATH		1024
108 
109 #define	NFSAUTH_ACCESS		1
110 
111 #define	NFSAUTH_DENIED		0x01
112 #define	NFSAUTH_RO		0x02
113 #define	NFSAUTH_RW		0x04
114 #define	NFSAUTH_ROOT		0x08
115 #define	NFSAUTH_WRONGSEC	0x10
116 #define	NFSAUTH_DROP		0x20
117 #define	NFSAUTH_MAPNONE		0x40
118 #define	NFSAUTH_LIMITED		0x80
119 #define	NFSAUTH_UIDMAP		0x100
120 #define	NFSAUTH_GIDMAP		0x200
121 #define	NFSAUTH_GROUPS		0x400
122 
123 struct auth_req {
124 	netobj	 req_client;
125 	char	*req_netid;
126 	char	*req_path;
127 	int	 req_flavor;
128 	uid_t	 req_clnt_uid;
129 	gid_t	 req_clnt_gid;
130 	struct {
131 		uint_t	len;
132 		gid_t	*val;
133 	} req_clnt_gids;
134 };
135 typedef struct auth_req auth_req;
136 
137 struct auth_res {
138 	int	auth_perm;
139 	uid_t	auth_srv_uid;
140 	gid_t	auth_srv_gid;
141 	struct {
142 		uint_t	len;
143 		gid_t	*val;
144 	} auth_srv_gids;
145 };
146 typedef struct auth_res auth_res;
147 
148 /* --8<-- End: nfsauth_prot.x definitions --8<-- */
149 
150 
151 #define	NFSAUTH_DR_OKAY		0x0	/* success */
152 #define	NFSAUTH_DR_BADCMD	0x100	/* NFSAUTH_ACCESS is only cmd allowed */
153 #define	NFSAUTH_DR_DECERR	0x200	/* mountd could not decode arguments */
154 #define	NFSAUTH_DR_EFAIL	0x400	/* mountd could not encode results */
155 #define	NFSAUTH_DR_TRYCNT	5	/* door handle acquisition retry cnt */
156 
157 #if defined(DEBUG) && !defined(_KERNEL)
158 #define	MOUNTD_DOOR		"/var/run/mountd_door"
159 #endif
160 
161 /*
162  * Only cmd is added to the args. We need to know "what" we want
163  * the daemon to do for us. Also, 'stat' returns the status from
164  * the daemon down to the kernel in addition to perms.
165  */
166 struct nfsauth_arg {
167 	uint_t		cmd;
168 	auth_req	areq;
169 };
170 typedef struct nfsauth_arg nfsauth_arg_t;
171 
172 struct nfsauth_res {
173 	uint_t		stat;
174 	auth_res	ares;
175 };
176 typedef struct nfsauth_res nfsauth_res_t;
177 
178 /*
179  * For future extensibility, we version the data structures so
180  * future incantations of mountd(1m) will know how to XDR decode
181  * the arguments.
182  */
183 enum vtypes {
184 	V_ERROR = 0,
185 	V_PROTO = 1
186 };
187 typedef enum vtypes vtypes;
188 
189 typedef struct varg {
190 	uint_t	vers;
191 	union {
192 		nfsauth_arg_t	arg;
193 		/* additional args versions go here */
194 	} arg_u;
195 } varg_t;
196 
197 extern bool_t	xdr_varg(XDR *, varg_t *);
198 extern bool_t	xdr_nfsauth_arg(XDR *, nfsauth_arg_t *);
199 extern bool_t	xdr_nfsauth_res(XDR *, nfsauth_res_t *);
200 
201 #ifdef	__cplusplus
202 }
203 #endif
204 
205 #endif /* _AUTH_H */
206