2 * nfsdcltrack.c -- NFSv4 client name tracking program
4 * Copyright (C) 2012 Jeff Layton <jlayton@redhat.com>
6 * This program is free software; you can redistribute it and/or
7 * modify it under the terms of the GNU General Public License
8 * as published by the Free Software Foundation; either version 2
9 * of the License, or (at your option) any later version.
11 * This program is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 * GNU General Public License for more details.
16 * You should have received a copy of the GNU General Public License
17 * along with this program; if not, write to the Free Software
18 * Foundation, Inc., 51 Franklin Street, Fifth Floor,
19 * Boston, MA 02110-1301, USA.
24 #endif /* HAVE_CONFIG_H */
34 #include <sys/types.h>
38 #include <sys/inotify.h>
39 #ifdef HAVE_SYS_CAPABILITY_H
40 #include <sys/prctl.h>
41 #include <sys/capability.h>
47 #ifndef CLD_DEFAULT_STORAGEDIR
48 #define CLD_DEFAULT_STORAGEDIR NFS_STATEDIR "/nfsdcltrack"
51 /* defined by RFC 3530 */
52 #define NFS4_OPAQUE_LIMIT 1024
54 /* private data structures */
58 int (*func)(const char *arg);
61 /* forward declarations */
62 static int cltrack_init(const char *unused);
63 static int cltrack_create(const char *id);
64 static int cltrack_remove(const char *id);
65 static int cltrack_check(const char *id);
66 static int cltrack_gracedone(const char *gracetime);
68 /* global variables */
69 static struct option longopts[] =
71 { "help", 0, NULL, 'h' },
72 { "debug", 0, NULL, 'd' },
73 { "foreground", 0, NULL, 'f' },
74 { "storagedir", 1, NULL, 's' },
78 static struct cltrack_cmd commands[] =
80 { "init", false, cltrack_init },
81 { "create", true, cltrack_create },
82 { "remove", true, cltrack_remove },
83 { "check", true, cltrack_check },
84 { "gracedone", true, cltrack_gracedone },
85 { NULL, false, NULL },
88 static char *storagedir = CLD_DEFAULT_STORAGEDIR;
90 /* common buffer for holding id4 blobs */
91 static unsigned char blob[NFS4_OPAQUE_LIMIT];
96 printf("%s [ -hfd ] [ -s dir ] < cmd > < arg >\n", progname);
97 printf("Where < cmd > is one of the following and takes the following < arg >:\n");
99 printf(" create <nfs_client_id4>\n");
100 printf(" remove <nfs_client_id4>\n");
101 printf(" check <nfs_client_id4>\n");
102 printf(" gracedone <epoch time>\n");
107 * hex_to_bin - convert a hex digit to its real value
108 * @ch: ascii character represents hex digit
110 * hex_to_bin() converts one hex digit to its actual value or -1 in case of bad
113 * Note: borrowed from lib/hexdump.c in the Linux kernel sources.
118 if ((ch >= '0') && (ch <= '9'))
121 if ((ch >= 'a') && (ch <= 'f'))
122 return ch - 'a' + 10;
127 * hex_str_to_bin - convert a hexidecimal string into a binary blob
129 * @src: string of hex digit pairs
130 * @dst: destination buffer to hold binary data
131 * @dstsize: size of the destination buffer
133 * Walk a string of hex digit pairs and convert them into binary data. Returns
134 * the resulting length of the binary data or a negative error code. If the
135 * data will not fit in the buffer, it returns -ENOBUFS (but will likely have
136 * clobbered the dst buffer in the process of determining that). If there are
137 * non-hexidecimal characters in the src, or an odd number of them then it
141 hex_str_to_bin(const char *src, unsigned char *dst, ssize_t dstsize)
143 unsigned char *tmpdst = dst;
148 /* make sure we don't overrun the dst buffer */
149 if ((tmpdst - dst) >= dstsize)
152 hi = hex_to_bin(*src++);
154 /* did we get an odd number of characters? */
157 lo = hex_to_bin(*src++);
159 /* one of the characters isn't a hex digit */
160 if (hi < 0 || lo < 0)
163 /* now place it in the dst buffer */
164 *tmpdst++ = (hi << 4) | lo;
167 return (ssize_t)(tmpdst - dst);
171 * This program will almost always be run with root privileges since the
172 * kernel will call out to run it. Drop all capabilities prior to doing
173 * anything important to limit the exposure to potential compromise.
175 * FIXME: should we setuid to a different user early on instead?
178 cltrack_set_caps(void)
181 #ifdef HAVE_SYS_CAPABILITY_H
185 /* prune the bounding set to nothing */
186 for (i = 0; prctl(PR_CAPBSET_READ, i, 0, 0, 0) >= 0 ; ++i) {
187 ret = prctl(PR_CAPBSET_DROP, i, 0, 0, 0);
189 xlog(L_ERROR, "Unable to prune capability %lu from "
190 "bounding set: %m", i);
195 /* get a blank capset */
198 xlog(L_ERROR, "Unable to get blank capability set: %m");
202 /* reset the process capabilities */
203 if (cap_set_proc(caps) != 0) {
204 xlog(L_ERROR, "Unable to set process capabilities: %m");
213 cltrack_init(const char __attribute__((unused)) *unused)
218 * see if the storagedir is writable by root w/o CAP_DAC_OVERRIDE.
219 * If it isn't then give the user a warning but proceed as if
220 * everything is OK. If the DB has already been created, then
221 * everything might still work. If it doesn't exist at all, then
222 * assume that the maindb init will be able to create it. Fail on
225 if (access(storagedir, W_OK) == -1) {
228 xlog(L_WARNING, "Storage directory %s is not writable. "
229 "Should be owned by root and writable "
230 "by owner!", storagedir);
233 /* ignore and assume that we can create dir as root */
236 xlog(L_ERROR, "Unexpected error when checking access "
237 "on %s: %m", storagedir);
242 /* set up storage db */
243 ret = sqlite_maindb_init(storagedir);
245 xlog(L_ERROR, "Failed to init database: %d", ret);
247 * Convert any error here into -EACCES. It's not truly
248 * accurate in all cases, but it should cause the kernel to
249 * stop upcalling until the problem is resolved.
257 cltrack_create(const char *id)
262 xlog(D_GENERAL, "%s: create client record.", __func__);
264 ret = sqlite_prepare_dbh(storagedir);
268 len = hex_str_to_bin(id, blob, sizeof(blob));
272 ret = sqlite_insert_client(blob, len);
274 return ret ? -EREMOTEIO : ret;
278 cltrack_remove(const char *id)
283 xlog(D_GENERAL, "%s: remove client record.", __func__);
285 ret = sqlite_prepare_dbh(storagedir);
289 len = hex_str_to_bin(id, blob, sizeof(blob));
293 ret = sqlite_remove_client(blob, len);
295 return ret ? -EREMOTEIO : ret;
299 cltrack_check(const char *id)
304 xlog(D_GENERAL, "%s: check client record", __func__);
306 ret = sqlite_prepare_dbh(storagedir);
310 len = hex_str_to_bin(id, blob, sizeof(blob));
314 ret = sqlite_check_client(blob, len);
316 return ret ? -EPERM : ret;
320 cltrack_gracedone(const char *timestr)
327 ret = sqlite_prepare_dbh(storagedir);
332 gracetime = strtol(timestr, &tail, 0);
334 /* did the resulting value overflow? (Probably -ERANGE here) */
338 /* string wasn't fully converted */
342 xlog(D_GENERAL, "%s: grace done. gracetime=%ld", __func__, gracetime);
344 ret = sqlite_remove_unreclaimed(gracetime);
346 return ret ? -EREMOTEIO : ret;
349 static struct cltrack_cmd *
350 find_cmd(char *cmdname)
352 struct cltrack_cmd *current = &commands[0];
354 while (current->name) {
355 if (!strcmp(cmdname, current->name))
360 xlog(L_ERROR, "%s: '%s' doesn't match any known command",
366 main(int argc, char **argv)
370 char *progname, *cmdarg = NULL;
371 struct cltrack_cmd *cmd;
373 progname = basename(argv[0]);
378 /* process command-line options */
379 while ((arg = getopt_long(argc, argv, "hdfs:", longopts,
383 xlog_config(D_ALL, 1);
399 /* we expect a command, at least */
400 if (optind >= argc) {
401 xlog(L_ERROR, "Missing command name\n");
406 /* drop all capabilities */
407 rc = cltrack_set_caps();
411 cmd = find_cmd(argv[optind]);
414 * In the event that we get a command that we don't understand
415 * then return a distinct error. The kernel can use this to
416 * determine a new kernel/old userspace situation and cope
423 /* populate arg var if command needs it */
424 if (cmd->needs_arg) {
425 if (optind + 1 >= argc) {
426 xlog(L_ERROR, "Command %s requires an argument\n",
431 cmdarg = argv[optind + 1];
433 rc = cmd->func(cmdarg);