1 /*
   2  * CDDL HEADER START
   3  *
   4  * The contents of this file are subject to the terms of the
   5  * Common Development and Distribution License (the "License").
   6  * You may not use this file except in compliance with the License.
   7  *
   8  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
   9  * or http://www.opensolaris.org/os/licensing.
  10  * See the License for the specific language governing permissions
  11  * and limitations under the License.
  12  *
  13  * When distributing Covered Code, include this CDDL HEADER in each
  14  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
  15  * If applicable, add the following below this CDDL HEADER, with the
  16  * fields enclosed by brackets "[]" replaced with your own identifying
  17  * information: Portions Copyright [yyyy] [name of copyright owner]
  18  *
  19  * CDDL HEADER END
  20  */
  21 
  22 /*
  23  * Copyright 2014 Nexenta Systems, Inc.  All rights reserved.
  24  */
  25 
  26 /*
  27  * Copyright 2006 Sun Microsystems, Inc.  All rights reserved.
  28  * Use is subject to license terms.
  29  */
  30 
  31 #ifndef _AUTH_H
  32 #define _AUTH_H
  33 
  34 /*
  35  * nfsauth_prot.x (The NFSAUTH Protocol)
  36  *
  37  * This protocol is used by the kernel to authorize NFS clients. This svc
  38  * lives in the mount daemon and checks the client's access for an export
  39  * with a given authentication flavor.
  40  *
  41  * The status result determines what kind of access the client is permitted.
  42  *
  43  * The result is cached in the kernel, so the authorization call will be
  44  * made only the first time the client mounts the filesystem.
  45  *
  46  * const A_MAXPATH      = 1024;
  47  *
  48  * struct auth_req {
  49  *      netobj  req_client;             # client's address
  50  *      string  req_netid<>;              # Netid of address
  51  *      string  req_path<A_MAXPATH>;      # export path
  52  *      int     req_flavor;             # auth flavor
  53  *      uid_t   req_clnt_uid;           # client's uid
  54  *      gid_t   req_clnt_gid;           # client's gid
  55  *      gid_t   req_clnt_gids<>;  # client's supplemental groups
  56  * };
  57  *
  58  * const NFSAUTH_DENIED   = 0x01;       # Access denied
  59  * const NFSAUTH_RO       = 0x02;       # Read-only
  60  * const NFSAUTH_RW       = 0x04;       # Read-write
  61  * const NFSAUTH_ROOT     = 0x08;       # Root access
  62  * const NFSAUTH_WRONGSEC = 0x10;       # Advise NFS v4 clients to
  63  *                                      # try a different flavor
  64  * const NFSAUTH_UIDMAP   = 0x100;      # uid mapped
  65  * const NFSAUTH_GIDMAP   = 0x200;      # gid mapped
  66  * const NFSAUTH_GROUPS   = 0x400;      # translated supplemental groups
  67  * #
  68  * # The following are not part of the protocol.
  69  * #
  70  * const NFSAUTH_DROP    = 0x20;        # Drop request
  71  * const NFSAUTH_MAPNONE = 0x40;        # Mapped flavor to AUTH_NONE
  72  * const NFSAUTH_LIMITED = 0x80;        # Access limited to visible nodes
  73  *
  74  * struct auth_res {
  75  *      int     auth_perm;
  76  *      uid_t   auth_srv_uid;           # translated uid
  77  *      gid_t   auth_srv_gid;           # translated gid
  78  *      gid_t   auth_srv_gids<>;  # translated supplemental groups
  79  * };
  80  *
  81  * program NFSAUTH_PROG {
  82  *      version NFSAUTH_VERS {
  83  *              #
  84  *              # Authorization Request
  85  *              #
  86  *              auth_res
  87  *              NFSAUTH_ACCESS(auth_req) = 1;
  88  *
  89  *      } = 1;
  90  * } = 100231;
  91  */
  92 
  93 #ifndef _KERNEL
  94 #include <stddef.h>
  95 #endif
  96 #include <sys/sysmacros.h>
  97 #include <sys/types.h>
  98 #include <rpc/xdr.h>
  99 
 100 #ifdef  __cplusplus
 101 extern "C" {
 102 #endif
 103 
 104 
 105 /* --8<-- Start: nfsauth_prot.x definitions --8<-- */
 106 
/* Upper bound on req_path; the spec declares it as string req_path<A_MAXPATH>. */
#define A_MAXPATH               1024

/* The only procedure of NFSAUTH_PROG/NFSAUTH_VERS (NFSAUTH_ACCESS(auth_req) = 1). */
#define NFSAUTH_ACCESS          1

/*
 * Bits OR-ed into auth_res.auth_perm.  NFSAUTH_DROP, NFSAUTH_MAPNONE and
 * NFSAUTH_LIMITED are private to the kernel/mountd exchange and are not
 * part of the wire protocol (see the nfsauth_prot.x comment above).
 */
#define NFSAUTH_DENIED          0x01    /* access denied */
#define NFSAUTH_RO              0x02    /* read-only */
#define NFSAUTH_RW              0x04    /* read-write */
#define NFSAUTH_ROOT            0x08    /* root access */
#define NFSAUTH_WRONGSEC        0x10    /* advise NFSv4 clients to try another flavor */
#define NFSAUTH_DROP            0x20    /* drop request (not in protocol) */
#define NFSAUTH_MAPNONE         0x40    /* flavor mapped to AUTH_NONE (not in protocol) */
#define NFSAUTH_LIMITED         0x80    /* access limited to visible nodes (not in protocol) */
#define NFSAUTH_UIDMAP          0x100   /* uid was mapped */
#define NFSAUTH_GIDMAP          0x200   /* gid was mapped */
#define NFSAUTH_GROUPS          0x400   /* supplemental groups were translated */
 122 
/*
 * C form of the auth_req XDR struct above: the kernel identifies the
 * client and the export it is asking mountd to authorize.
 */
struct auth_req {
        netobj   req_client;    /* client's address (opaque netobj) */
        char    *req_netid;     /* netid of req_client; XDR string<> with no bound */
        char    *req_path;      /* export path; XDR bounds it at A_MAXPATH */
        int      req_flavor;    /* authentication flavor */
        uid_t    req_clnt_uid;  /* client's uid */
        gid_t    req_clnt_gid;  /* client's gid */
        struct {
                uint_t  len;    /* number of entries in val (XDR gid_t<>) */
                gid_t   *val;   /* client's supplemental groups */
        } req_clnt_gids;        /* NOTE(review): only req_path carries a length bound in the spec */
};
typedef struct auth_req auth_req;
 136 
/*
 * C form of the auth_res XDR struct above: mountd's verdict for one
 * auth_req.
 */
struct auth_res {
        int     auth_perm;      /* OR of NFSAUTH_* bits (NFSAUTH_DENIED, NFSAUTH_RO, ...) */
        uid_t   auth_srv_uid;   /* translated uid */
        gid_t   auth_srv_gid;   /* translated gid */
        struct {
                uint_t  len;    /* number of entries in val (XDR gid_t<>) */
                gid_t   *val;   /* translated supplemental groups */
        } auth_srv_gids;
};
typedef struct auth_res auth_res;
 147 
 148 /* --8<-- End: nfsauth_prot.x definitions --8<-- */
 149 
 150 
/*
 * Door-level status carried in nfsauth_res.stat.  These describe whether
 * the daemon could service the request at all and are distinct from the
 * NFSAUTH_* permission bits in ares.auth_perm.
 */
#define NFSAUTH_DR_OKAY         0x0     /* success */
#define NFSAUTH_DR_BADCMD       0x100   /* NFSAUTH_ACCESS is only cmd allowed */
#define NFSAUTH_DR_DECERR       0x200   /* mountd could not decode arguments */
#define NFSAUTH_DR_EFAIL        0x400   /* mountd could not encode results */
#define NFSAUTH_DR_TRYCNT       5       /* door handle acquisition retry cnt */
 156 
/* Path of mountd's door; only defined for DEBUG, non-kernel builds. */
#if defined(DEBUG) && !defined(_KERNEL)
#define MOUNTD_DOOR             "/var/run/mountd_door"
#endif
 160 
/*
 * Door argument: the protocol's auth_req plus a command word.  'cmd' is
 * the only addition and tells the daemon what we want it to do for us;
 * NFSAUTH_ACCESS is the only command allowed (see NFSAUTH_DR_BADCMD).
 * Likewise, nfsauth_res adds 'stat', which returns the daemon's status
 * down to the kernel in addition to the perms.
 */
struct nfsauth_arg {
        uint_t          cmd;    /* NFSAUTH_ACCESS */
        auth_req        areq;   /* the request as defined by nfsauth_prot.x */
};
typedef struct nfsauth_arg nfsauth_arg_t;
 171 
/*
 * Door result: 'stat' carries the daemon's NFSAUTH_DR_* status down to
 * the kernel in addition to the perms in ares.auth_perm.  On
 * NFSAUTH_DR_DECERR / NFSAUTH_DR_EFAIL the daemon could not decode the
 * arguments or encode the result, so ares is presumably not meaningful
 * and callers should check stat first — confirm against mountd.
 */
struct nfsauth_res {
        uint_t          stat;   /* NFSAUTH_DR_* */
        auth_res        ares;   /* the result as defined by nfsauth_prot.x */
};
typedef struct nfsauth_res nfsauth_res_t;
 177 
/*
 * For future extensibility, we version the data structures so
 * future incantations of mountd(1m) will know how to XDR decode
 * the arguments.
 */
enum vtypes {
        V_ERROR = 0,    /* invalid/unset; a zero-filled varg_t reads as this, not as V_PROTO */
        V_PROTO = 1     /* current layout: varg_t.arg_u.arg is an nfsauth_arg_t */
};
typedef enum vtypes vtypes;
 188 
/*
 * Versioned door argument.  'vers' says which arm of arg_u is valid;
 * only V_PROTO (arg_u.arg) exists today, and the decoder is expected to
 * check vers before interpreting the union.
 */
typedef struct varg {
        uint_t  vers;   /* a vtypes value */
        union {
                nfsauth_arg_t   arg;    /* valid when vers == V_PROTO */
                /* additional args versions go here */
        } arg_u;
} varg_t;
 196 
/*
 * XDR routines for the door payload.  Per the rpc/xdr.h convention each
 * routine both encodes and decodes, as selected by the XDR handle, and
 * returns TRUE on success and FALSE on failure.  xdr_varg presumably
 * dispatches on varg_t.vers.  When mountd cannot decode the arguments it
 * reports NFSAUTH_DR_DECERR; when it cannot encode the result,
 * NFSAUTH_DR_EFAIL.
 */
extern bool_t   xdr_varg(XDR *, varg_t *);
extern bool_t   xdr_nfsauth_arg(XDR *, nfsauth_arg_t *);
extern bool_t   xdr_nfsauth_res(XDR *, nfsauth_res_t *);
 200 
 201 #ifdef  __cplusplus
 202 }
 203 #endif
 204 
 205 #endif /* _AUTH_H */