summaryrefslogtreecommitdiffstats
path: root/localuser.c
diff options
context:
space:
mode:
authorJose Bollo <jose.bollo@iot.bzh>2019-11-27 18:31:42 +0100
committerJosé Bollo <jose.bollo@iot.bzh>2019-11-28 15:36:43 +0100
commit66803c6fdb609ed83a78b9194ecb23e9c1b773e7 (patch)
treef0c9def22d22126d3db686584ab0235969cf86f0 /localuser.c
parentba89d6ff99e42a69a347ee2fdbe8fb85ae96fb1c (diff)
Add applications the the localuser familyicefish_8.99.2icefish/8.99.28.99.2
This proposal allows to use separate names for separate applications and separate users running on the loopback interface. Bug-AGL: SPEC-2968 Change-Id: I7c25e89da9f51c10c59a72670339f2ea55b31997 Signed-off-by: Jose Bollo <jose.bollo@iot.bzh>
Diffstat (limited to 'localuser.c')
-rw-r--r--localuser.c460
1 files changed, 322 insertions, 138 deletions
diff --git a/localuser.c b/localuser.c
index f8265e9..ddba031 100644
--- a/localuser.c
+++ b/localuser.c
@@ -24,28 +24,65 @@
* -----------
* This source file provides NSS (Name Service Switch -see [1]-) facilities
* for defining a virtual host of name localuser that resolves to an address
- * of the localhost that integrate user ID.
- *
- * The name "localuser" is resolved to the IPv4 address 127.x.y.z
- * where x.y.z resolves to the current user UID = 65536*(x - 128) + 256*y + z
- *
- * The name "localuser-UID" is resolved to the address 127.x.y.z
- * where UID = 65536*(x - 128) + 256*y + z
- *
- * Allowed UID are from 0 to 4194303 included.
+ * of the localhost that integrate user ID and/or application ID.
*
+ * It defines the family *"localuser"* of virtual hostnames as one of the
+ * below names:
+ *
+ * - localuser
+ * - localuser-UID
+ * - localuser--APPID
+ * - localuser-UID-APPID
+ * - localuser---APPID
+ *
+ * This can be summarized by the following matrix:
+ *
+ * |------------------|------------------|---------------------|-------------------|
+ * | | **current user** | **user of UID** | **no user** |
+ * |------------------|------------------|---------------------|-------------------|
+ * | **no APP** | localuser | localuser-UID | |
+ * | **app of APPID** | localuser--APPID | localuser-UID-APPID | localuser---APPID |
+ * |------------------|------------------|---------------------|-------------------|
+ *
+ * The delivered NSS service defines one virtual host of name `localuser`
+ * that resolves to an IP address of the localhost loopback that integrates
+ * user ID.
+ *
+ * It is intended to enable distinct IP for distinct users, distinct application.
+ *
+ * The name *localuser* family is resolved to the IPv4 address range 127.128.0.0/9
+ *
+ * The delivered IPv4 address is structured as follow:
+ *
+ * ```text
+ * +--------+--------+--------+--------+
+ * :01111111:1abbcccc:dddddeee:ffffffff:
+ * +--------+--------+--------+--------+
+ * ```
+ *
+ * When `a` is `1`, the value 11 bits value `bbccccddddd` encodes the APPID
+ * and the 11 bits value `eeedddddddd` encodes the UID.
+ * This is represented by the following hostnames: `localuser--APPID`
+ * and `localuser-UID-APPID`.
+ *
+ * When `abb` is `011`, the 20 bits value `ccccdddddeeeffffffff` encodes the APPID.
+ * This is represented by the following hostnames: `localuser---APPID`.
+ *
+ * When `abb` is `010`, the 20 bits value `ccccdddddeeeffffffff` encodes the UID.
+ * This is represented by the following hostnames: `localuser`
+ * and `localuser-UID`.
+ *
+ * The values `000` and `001` of `abb` are reserved for futur use.
+ *
* Examples:
- * localuser => 127.128.0.0 (when UID = 0)
- * localuser => 127.128.3.233 (when UID = 1001)
- * localuser-1024 => 127.128.4.0 (always)
- *
- * This module provides the reverse resolution.
- *
- * This module provides a value for IPv6: it translate to a IPv4-mapped IPv6 address
- * because IPv6 lakes of loopback range.
- *
- * Example: localuser-1024 => ::ffff:127.128.4.0
- *
+ *
+ * ```text
+ * localuser => 127.128.0.0 (when user has UID = 0)
+ * localuser => 127.128.3.233 (when user has UID = 1001)
+ * localuser-1024 => 127.128.4.0 (for any user)
+ * ```
+ *
+ * The service also provides the reverse resolution.
* links
* -----
* [1] https://www.gnu.org/software/libc/manual/html_node/Name-Service-Switch.html
@@ -60,98 +97,289 @@
/* string for "localuser" */
static const char localuser[] = "localuser";
static const char separator = '-';
+#define MAXNAMELEN 40
/* defines the length of adresses */
static const int lenip4 = 4;
static const int lenip6 = 16;
/* masks for IPv4 adresses */
-static const uint32_t prefix_mask = 0xffc00000u; /* 255.192.0.0 */
+static const uint32_t prefix_mask = 0xff800000u; /* 255.128.0.0 */
static const uint32_t prefix_value = 0x7f800000u; /* 127.128.0.0 */
-static const uint32_t locusr_mask = 0x003fffffu; /* 0.63.255.255 */
-/* return the IPv4 localuser address for 'uid' */
-static uint32_t get_localuser(uint32_t uid)
-{
- uint32_t adr = (uint32_t)(prefix_value | (locusr_mask & uid));
- return htonl(adr);
-}
+static const uint32_t locusr_both_ids_mask = 0x7fc00000u;
+static const uint32_t locusr_both_ids_prefix = 0x7fc00000u;
+static const uint32_t locusr_both_ids_uid_max = 0x000007ffu;
+static const uint32_t locusr_both_ids_uid_mask = 0x000007ffu;
+static const uint32_t locusr_both_ids_appid_max = 0x000007ffu;
+static const uint32_t locusr_both_ids_appid_mask = 0x000007ffu;
+static const uint8_t locusr_both_ids_appid_shift = 11;
-/* is 'ip' a localuser IPv4 address ? */
-static int is_localuser(uint32_t ip)
-{
- return prefix_value == (ntohl(ip) & prefix_mask);
-}
+static const uint32_t locusr_appid_only_mask = 0x7ff00000u;
+static const uint32_t locusr_appid_only_prefix = 0x7fb00000u;
+static const uint32_t locusr_appid_only_appid_max = 0x000fffffu;
+static const uint32_t locusr_appid_only_appid_mask = 0x000fffffu;
-/* return the user of the localuser IPv4 'ip' */
-static uint32_t uid_of_localuser(uint32_t ip)
-{
- return (ntohl(ip) & locusr_mask);
-}
+static const uint32_t locusr_uid_only_mask = 0x7ff00000u;
+static const uint32_t locusr_uid_only_prefix = 0x7fa00000u;
+static const uint32_t locusr_uid_only_uid_max = 0x000fffffu;
+static const uint32_t locusr_uid_only_uid_mask = 0x000fffffu;
-/* put in 'buffer' the IPv4 localuser address for 'uid' */
-static void getIPv4(uint32_t *buffer, uint32_t uid)
+/* structure for coding/decoding */
+struct lud
{
- buffer[0] = get_localuser(uid);
-}
+ unsigned has_uid: 1; /* has a uid */
+ unsigned has_appid: 1; /* has a appid */
+ uint32_t uid; /* uid if any */
+ uint32_t appid; /* appid if any */
+ uint32_t ipv4; /* IPv4 representation */
+ uint32_t len; /* name length */
+ char name[MAXNAMELEN]; /* name value */
+};
-/* is 'buffer' pointing a localuser IPv4 address ? */
-static int isIPv4(const uint32_t *buffer)
+/* read a 32 bits integer. returns its length in character or -1 on overflow */
+static int read_u32(const char *str, uint32_t *val)
{
- return is_localuser(buffer[0]);
+ char c;
+ int p;
+ uint32_t a, b;
+
+ a = 0;
+ c = str[p = 0];
+ while ('0' <= c && c <= '9') {
+ b = (a << 3) + (a << 1) + (uint32_t)(c - '0');
+ if (b < a)
+ return -1; /* overflow */
+ a = b;
+ c = str[++p];
+ }
+ *val = a;
+ return p;
}
-/* return the user of the localuser IPv4 pointed by 'buffer' */
-static uint32_t uidIPv4(const uint32_t *buffer)
+/* write a 32 bits integer and return the count of char writen */
+static unsigned write_u32(char *str, uint32_t val)
{
- return uid_of_localuser(buffer[0]);
+ unsigned w, l, u;
+ char c;
+
+ l = w = 0;
+ while (val > 9) {
+ str[w++] = (char)('0' + val % 10);
+ val /= 10;
+ }
+ str[w++] = (char)('0' + val);
+ u = w;
+ while (--u > l) {
+ c = str[u];
+ str[u] = str[l];
+ str[l++] = c;
+ }
+ return w;
}
-/* put in 'buffer' the IPv6 localuser address for 'uid' */
-static void getIPv6(uint32_t *buffer, uint32_t uid)
+static void encode_name(struct lud *lud)
{
- buffer[0] = 0;
- buffer[1] = 0;
- buffer[2] = htonl(0xffff);
- buffer[3] = get_localuser(uid);
+ unsigned i;
+
+ /* encode "localuser-" */
+ i = (int)(sizeof localuser - 1);
+ memcpy(lud->name, localuser, i);
+
+ /* encode the UID if needed */
+ if (!lud->has_uid) {
+ lud->name[i++] = separator;
+ lud->name[i++] = separator;
+ } else if (lud->uid != (uint32_t)getuid()) {
+ lud->name[i++] = separator;
+ i += write_u32(&lud->name[i], lud->uid);
+ } else if (lud->has_appid)
+ lud->name[i++] = separator;
+
+ /* encode the APPID if needed */
+ if (lud->has_appid) {
+ lud->name[i++] = separator;
+ i += write_u32(&lud->name[i], lud->appid);
+ }
+
+ /* finish */
+ lud->len = i;
+ lud->name[i] = 0;
}
-/* is 'buffer' pointing a localuser IPv6 address ? */
-static int isIPv6(const uint32_t *buffer)
+/*
+ * Decode the name if valid and stores its ip in lud
+ * Returns:
+ * - 0: not a localuser name
+ * - 1: valid local user name
+ * - -1: invalid localuser name
+ * - -2: out of range localuser name
+ */
+static int decode_name(const char *name, struct lud *lud)
{
- return buffer[0] == 0 && buffer[1] == 0
- && buffer[2] == htonl(0xffff) && is_localuser(buffer[3]);
+ int i, r;
+ uint32_t adr;
+
+ /* test the prefix of the name */
+ i = (int)(sizeof localuser - 1);
+ if (strncmp(name, localuser, (size_t)i) != 0)
+ return 0;
+
+ /* prefix matches "localuser" */
+ if (!name[i]) {
+ /* terminated string: "localuser" */
+ lud->has_uid = 1;
+ lud->uid = (uint32_t)getuid(); /* use current UID */
+ lud->has_appid = 0;
+ } else {
+ /* should be "localuser-..." */
+ if (name[i] != separator)
+ return -1;
+ /* found "localuser-..." */
+ if (name[++i] == separator) {
+ /* found "localuser--..." */
+ if (name[++i] == separator) {
+ /* found "localuser---..." */
+ ++i;
+ lud->has_uid = 0;
+ } else {
+ /* found "localuser--x.." */
+ lud->uid = (uint32_t)getuid(); /* use current UID */
+ lud->has_uid = 1;
+ }
+ lud->has_appid = 1;
+ } else {
+ /* found "localuser-X..." with X not being a dash */
+ r = read_u32(&name[i], &lud->uid);
+ if (r <= 0)
+ return -1;
+ /* found "localuser-UID..." */
+ i += r;
+ lud->has_uid = 1;
+ if (name[i] != separator)
+ lud->has_appid = 0;
+ else {
+ /* found "localuser-UID-..." */
+ i++;
+ lud->has_appid = 1;
+ }
+ }
+ /* look if appid must be read */
+ if (lud->has_appid) {
+ /* found "localuser-[UID|-]-..." */
+ r = read_u32(&name[i], &lud->appid);
+ if (r <= 0)
+ return -1;
+ /* found "localuser-[UID|-]-APPID..." */
+ i += r;
+ }
+ /* the name should be finished now */
+ if (name[i])
+ return -1;
+ }
+
+ /* encode the address */
+ if (lud->has_appid && lud->has_uid) {
+ /* case of UID and APPID */
+ if (lud->appid > locusr_both_ids_appid_max)
+ return -2;
+ if (lud->uid > locusr_both_ids_uid_max)
+ return -2;
+ adr = (uint32_t)(locusr_both_ids_prefix
+ | (lud->appid << locusr_both_ids_appid_shift)
+ | lud->uid);
+ } else if (lud->has_appid) {
+ /* case of only APPID */
+ if (lud->appid > locusr_appid_only_appid_max)
+ return -2;
+ adr = (uint32_t)(locusr_appid_only_prefix | lud->appid);
+ } else {
+ /* case of only UID */
+ if (lud->uid > locusr_uid_only_uid_max)
+ return -2;
+ adr = (uint32_t)(locusr_uid_only_prefix | lud->uid);
+ }
+ lud->ipv4 = htonl(adr);
+
+ encode_name(lud);
+ return 1;
}
-/* return the user of the localuser IPv6 pointed by 'buffer' */
-static uint32_t uidIPv6(const uint32_t *buffer)
+/*
+ * Decode the ipv4 if valid and stores its data in lud
+ * Returns:
+ * - 0: not a localuser ip
+ * - 1: valid local user ip
+ * - -1: invalid localuser ip
+ */
+static int decode_ipv4(uint32_t ipv4, struct lud *lud)
{
- return uid_of_localuser(buffer[3]);
+ uint32_t adr;
+
+ /* check the address range */
+ adr = ntohl(ipv4);
+ if ((adr & prefix_mask) != prefix_value)
+ return 0;
+
+ /* decode */
+ lud->ipv4 = ipv4;
+ if ((adr & locusr_both_ids_mask) == locusr_both_ids_prefix) {
+ lud->has_uid = 1;
+ lud->has_appid = 1;
+ lud->uid = adr & locusr_both_ids_uid_mask;
+ if (lud->uid > locusr_both_ids_uid_max)
+ return -1;
+ lud->appid = (adr >> locusr_both_ids_appid_shift) & locusr_both_ids_appid_mask;
+ if (lud->appid > locusr_both_ids_appid_max)
+ return -1;
+ } else if ((adr & locusr_appid_only_mask) == locusr_appid_only_prefix) {
+ lud->has_uid = 0;
+ lud->has_appid = 1;
+ lud->appid = adr & locusr_appid_only_appid_mask;
+ if (lud->appid > locusr_appid_only_appid_max)
+ return -1;
+ } else if ((adr & locusr_uid_only_mask) == locusr_uid_only_prefix) {
+ lud->has_uid = 1;
+ lud->has_appid = 0;
+ lud->uid = adr & locusr_uid_only_uid_mask;
+ if (lud->uid > locusr_uid_only_uid_max)
+ return -1;
+ } else {
+ /* reserved address */
+ return -1;
+ }
+
+ encode_name(lud);
+ return 1;
}
/* fill the output entry */
static enum nss_status fillent(
- const char *name,
+ struct lud *lud,
int af,
struct hostent *result,
char *buffer,
size_t buflen,
int *errnop,
- int *h_errnop,
- uint32_t uid)
+ int *h_errnop)
{
- int alen = 1 + (int)strlen(name);
- int len = af == AF_INET ? lenip4 : lenip6;
+ uint32_t *bufip;
+ int len, alen;
/* check the family */
- if (af != AF_INET && af != AF_INET6) {
+ if (af == AF_INET)
+ len = lenip4;
+ else if (af == AF_INET6)
+ len = lenip6;
+ else {
*errnop = EINVAL;
*h_errnop = NO_RECOVERY;
return NSS_STATUS_UNAVAIL;
}
/* fill aliases and addr_list */
- if (buflen < 2 * sizeof result->h_aliases[0] + alen + len) {
+ alen = 1 + lud->len;
+ if (buflen < (2 * sizeof result->h_aliases[0]) + alen + len) {
*errnop = ERANGE;
*h_errnop = NO_RECOVERY;
return NSS_STATUS_TRYAGAIN;
@@ -163,10 +391,16 @@ static enum nss_status fillent(
result->h_addr_list = (char**)buffer;
result->h_addr_list[0] = (char*)&result->h_addr_list[2];
result->h_name = &result->h_addr_list[0][len];
+ memcpy(result->h_name, lud->name, alen);
result->h_aliases = &result->h_addr_list[1];
result->h_addr_list[1] = NULL;
- (af == AF_INET ? getIPv4 : getIPv6)((uint32_t*)result->h_addr_list[0], uid);
- memcpy(result->h_name, name, alen);
+ bufip = (uint32_t*)result->h_addr_list[0];
+ if (af == AF_INET6) {
+ *bufip++ = 0;
+ *bufip++ = 0;
+ *bufip++ = htonl(0xffff);
+ }
+ *bufip = lud->ipv4;
return NSS_STATUS_SUCCESS;
}
@@ -181,36 +415,10 @@ enum nss_status _nss_localuser_gethostbyname2_r(
int *errnop,
int *h_errnop)
{
- int valid;
- uint32_t uid;
- const char *i;
- char c;
+ struct lud lud;
- /* test the name */
- valid = !strncmp(name, localuser, sizeof localuser - 1);
- if (valid) {
- c = name[sizeof localuser - 1];
- if (!c) {
- /* terminated string: use current UID */
- uid = (uint32_t)getuid();
- } else if (c != separator) {
- valid = 0;
- } else {
- /* has a uid specification */
- i = &name[sizeof localuser];
- c = *i;
- valid = '0' <= c && c <= '9';
- if (valid) {
- uid = (uint32_t)(c - '0');
- while ((c = *++i) && (valid = '0' <= c && c <= '9')) {
- uid = (uid << 3) + (uid << 1) + (uint32_t)(c - '0');
- }
- if (valid)
- valid = uid == (uid & locusr_mask);
- }
- }
- }
- if (!valid) {
+ /* decode the name */
+ if (decode_name(name, &lud) <= 0) {
*h_errnop = HOST_NOT_FOUND;
return NSS_STATUS_NOTFOUND;
}
@@ -220,7 +428,7 @@ enum nss_status _nss_localuser_gethostbyname2_r(
af = AF_INET;
/* fill the result */
- return fillent(name, af, result, buffer, buflen, errnop, h_errnop, uid);
+ return fillent(&lud, af, result, buffer, buflen, errnop, h_errnop);
}
/* use gethostbyname2 implementation */
@@ -250,9 +458,9 @@ enum nss_status _nss_localuser_gethostbyaddr_r(
int *errnop,
int *h_errnop)
{
- char c, name[40 + sizeof localuser];
- uint32_t uid, x;
- int l, u;
+ struct lud lud;
+ const uint32_t *bufip = (const uint32_t*)addr;
+ int check;
/* set default family */
if (af == AF_UNSPEC) {
@@ -262,40 +470,16 @@ enum nss_status _nss_localuser_gethostbyaddr_r(
af = AF_INET6;
}
- /* check whether the IP comforms to localuser */
- if (af == AF_INET && len == lenip4 && isIPv4((const uint32_t*)addr)) {
- /* yes, it's a IPv4, get the uid */
- uid = uidIPv4((const uint32_t*)addr);
- } else if (af == AF_INET6 && len == lenip6 && isIPv6((const uint32_t*)addr)) {
- /* yes, it's a IPv6, get the uid */
- uid = uidIPv6((const uint32_t*)addr);
- } else {
- /* no */
- /* fail */
- *errnop = EINVAL;
- *h_errnop = NO_RECOVERY;
- return NSS_STATUS_NOTFOUND;
- }
+ /* pre process of ipv6 */
+ if (af == AF_INET6 && len == lenip6)
+ check = (*bufip++ == 0 && *bufip++ == 0 && *bufip++ == htonl(0xffff));
+ else
+ check = (af == AF_INET && len == lenip4);
- /* build the name */
- memcpy(name, localuser, sizeof localuser - 1);
- if (uid == (uint32_t)getuid())
- name[sizeof localuser - 1] = 0;
- else {
- x = uid;
- name[sizeof localuser - 1] = separator;
- l = u = (int)sizeof localuser;
- do {
- name[u++] = (char)('0' + x % 10);
- x /= 10;
- } while(x);
- name[u--] = 0;
- while (u > l) {
- c = name[u];
- name[u--] = name[l];
- name[l++] = c;
- }
- }
- /* fill the result */
- return fillent(name, af, result, buffer, buflen, errnop, h_errnop, uid);
+ if (check && decode_ipv4(*bufip, &lud) == 1)
+ return fillent(&lud, af, result, buffer, buflen, errnop, h_errnop);
+
+ *errnop = EINVAL;
+ *h_errnop = NO_RECOVERY;
+ return NSS_STATUS_NOTFOUND;
}