summaryrefslogtreecommitdiffstats
path: root/include/linux/lockd/lockd.h
diff options
context:
space:
mode:
authorChuck Lever <chuck.lever@oracle.com>2008-10-03 12:50:44 -0400
committerJ. Bruce Fields <bfields@citi.umich.edu>2008-10-03 17:02:35 -0400
commitb85e4676344fc4d7ec5e0f62c3d3712e48bbe223 (patch)
treea2a6c0226ea0f72536477dff2e123245a3621d9d /include/linux/lockd/lockd.h
parentdcff09f124f71d1d4fe61eb63c79e52f488ac22e (diff)
downloadkernel-crypto-b85e4676344fc4d7ec5e0f62c3d3712e48bbe223.tar.gz
kernel-crypto-b85e4676344fc4d7ec5e0f62c3d3712e48bbe223.tar.xz
kernel-crypto-b85e4676344fc4d7ec5e0f62c3d3712e48bbe223.zip
lockd: Add helper to sanity check incoming NOTIFY requests
lockd accepts SM_NOTIFY calls only from a privileged process on the local system. If lockd uses an AF_INET6 listener, the sender's address (ie the local rpc.statd) will be the IPv6 loopback address, not the IPv4 loopback address. Make sure the privilege test in nlmsvc_proc_sm_notify() and nlm4svc_proc_sm_notify() works for both AF_INET and AF_INET6 family addresses by refactoring the test into a helper and adding support for IPv6 addresses. Signed-off-by: Chuck Lever <chuck.lever@oracle.com> Signed-off-by: J. Bruce Fields <bfields@citi.umich.edu>
Diffstat (limited to 'include/linux/lockd/lockd.h')
-rw-r--r--include/linux/lockd/lockd.h41
1 files changed, 41 insertions, 0 deletions
diff --git a/include/linux/lockd/lockd.h b/include/linux/lockd/lockd.h
index e6b07097928..b56d5aa9b19 100644
--- a/include/linux/lockd/lockd.h
+++ b/include/linux/lockd/lockd.h
@@ -277,6 +277,47 @@ static inline struct inode *nlmsvc_file_inode(struct nlm_file *file)
return file->f_file->f_path.dentry->d_inode;
}
+static inline int __nlm_privileged_request4(const struct sockaddr *sap)
+{
+ const struct sockaddr_in *sin = (struct sockaddr_in *)sap;
+ return (sin->sin_addr.s_addr == htonl(INADDR_LOOPBACK)) &&
+ (ntohs(sin->sin_port) < 1024);
+}
+
+#if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
+static inline int __nlm_privileged_request6(const struct sockaddr *sap)
+{
+ const struct sockaddr_in6 *sin6 = (struct sockaddr_in6 *)sap;
+ return (ipv6_addr_type(&sin6->sin6_addr) & IPV6_ADDR_LOOPBACK) &&
+ (ntohs(sin6->sin6_port) < 1024);
+}
+#else /* defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE) */
+static inline int __nlm_privileged_request6(const struct sockaddr *sap)
+{
+ return 0;
+}
+#endif /* defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE) */
+
+/*
+ * Ensure incoming requests are from local privileged callers.
+ *
+ * Return TRUE if sender is local and is connecting via a privileged port;
+ * otherwise return FALSE.
+ */
+static inline int nlm_privileged_requester(const struct svc_rqst *rqstp)
+{
+ const struct sockaddr *sap = svc_addr(rqstp);
+
+ switch (sap->sa_family) {
+ case AF_INET:
+ return __nlm_privileged_request4(sap);
+ case AF_INET6:
+ return __nlm_privileged_request6(sap);
+ default:
+ return 0;
+ }
+}
+
static inline int __nlm_cmp_addr4(const struct sockaddr *sap1,
const struct sockaddr *sap2)
{