1 /* Key type used to cache DNS lookups made by the kernel
3 * See Documentation/networking/dns_resolver.txt
5 * Copyright (c) 2007 Igor Mammedov
6 * Author(s): Igor Mammedov (niallain@gmail.com)
7 * Steve French (sfrench@us.ibm.com)
8 * Wang Lei (wang840925@gmail.com)
9 * David Howells (dhowells@redhat.com)
11 * This library is free software; you can redistribute it and/or modify
12 * it under the terms of the GNU Lesser General Public License as published
13 * by the Free Software Foundation; either version 2.1 of the License, or
14 * (at your option) any later version.
16 * This library is distributed in the hope that it will be useful,
17 * but WITHOUT ANY WARRANTY; without even the implied warranty of
18 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See
19 * the GNU Lesser General Public License for more details.
21 * You should have received a copy of the GNU Lesser General Public License
22 * along with this library; if not, write to the Free Software
23 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
25 #include <linux/module.h>
26 #include <linux/moduleparam.h>
27 #include <linux/slab.h>
28 #include <linux/string.h>
29 #include <linux/kernel.h>
30 #include <linux/keyctl.h>
31 #include <linux/err.h>
32 #include <linux/seq_file.h>
33 #include <keys/dns_resolver-type.h>
34 #include <keys/user-type.h>
37 MODULE_DESCRIPTION("DNS Resolver");
38 MODULE_AUTHOR("Wang Lei");
39 MODULE_LICENSE("GPL");
41 unsigned int dns_resolver_debug
;
42 module_param_named(debug
, dns_resolver_debug
, uint
, S_IWUSR
| S_IRUGO
);
43 MODULE_PARM_DESC(debug
, "DNS Resolver debugging mask");
45 const struct cred
*dns_resolver_cache
;
47 #define DNS_ERRORNO_OPTION "dnserror"
50 * Instantiate a user defined key for dns_resolver.
52 * The data must be a NUL-terminated string, with the NUL char accounted in
55 * If the data contains a '#' characters, then we take the clause after each
56 * one to be an option of the form 'key=value'. The actual data of interest is
57 * the string leading up to the first '#'. For instance:
59 * "ip1,ip2,...#foo=bar"
62 dns_resolver_instantiate(struct key
*key
, struct key_preparsed_payload
*prep
)
64 struct user_key_payload
*upayload
;
67 size_t datalen
= prep
->datalen
, result_len
= 0;
68 const char *data
= prep
->data
, *end
, *opt
;
70 kenter("%%%d,%s,'%*.*s',%zu",
71 key
->serial
, key
->description
,
72 (int)datalen
, (int)datalen
, data
, datalen
);
74 if (datalen
<= 1 || !data
|| data
[datalen
- 1] != '\0')
78 /* deal with any options embedded in the data */
80 opt
= memchr(data
, '#', datalen
);
82 /* no options: the entire data is the result */
88 result_len
= opt
- data
;
90 kdebug("options: '%s'", opt
);
93 int opt_len
, opt_nlen
, opt_vlen
, tmp
;
95 next_opt
= memchr(opt
, '#', end
- opt
) ?: end
;
96 opt_len
= next_opt
- opt
;
99 "Empty option to dns_resolver key %d\n",
104 eq
= memchr(opt
, '=', opt_len
) ?: end
;
107 opt_vlen
= next_opt
- eq
; /* will be -1 if no value */
109 tmp
= opt_vlen
>= 0 ? opt_vlen
: 0;
110 kdebug("option '%*.*s' val '%*.*s'",
111 opt_nlen
, opt_nlen
, opt
, tmp
, tmp
, eq
);
113 /* see if it's an error number representing a DNS error
114 * that's to be recorded as the result in this key */
115 if (opt_nlen
== sizeof(DNS_ERRORNO_OPTION
) - 1 &&
116 memcmp(opt
, DNS_ERRORNO_OPTION
, opt_nlen
) == 0) {
117 kdebug("dns error number option");
119 goto bad_option_value
;
121 ret
= kstrtoul(eq
, 10, &derrno
);
123 goto bad_option_value
;
125 if (derrno
< 1 || derrno
> 511)
126 goto bad_option_value
;
128 kdebug("dns error no. = %lu", derrno
);
129 key
->type_data
.x
[0] = -derrno
;
135 "Option '%*.*s' to dns_resolver key %d:"
136 " bad/missing value\n",
137 opt_nlen
, opt_nlen
, opt
, key
->serial
);
139 } while (opt
= next_opt
+ 1, opt
< end
);
142 /* don't cache the result if we're caching an error saying there's no
144 if (key
->type_data
.x
[0]) {
145 kleave(" = 0 [h_error %ld]", key
->type_data
.x
[0]);
149 kdebug("store result");
150 ret
= key_payload_reserve(key
, result_len
);
154 upayload
= kmalloc(sizeof(*upayload
) + result_len
+ 1, GFP_KERNEL
);
156 kleave(" = -ENOMEM");
160 upayload
->datalen
= result_len
;
161 memcpy(upayload
->data
, data
, result_len
);
162 upayload
->data
[result_len
] = '\0';
163 rcu_assign_pointer(key
->payload
.data
, upayload
);
170 * The description is of the form "[<type>:]<domain_name>"
172 * The domain name may be a simple name or an absolute domain name (which
173 * should end with a period). The domain name is case-independent.
176 dns_resolver_match(const struct key
*key
, const void *description
)
178 int slen
, dlen
, ret
= 0;
179 const char *src
= key
->description
, *dsp
= description
;
181 kenter("%s,%s", src
, dsp
);
186 if (strcasecmp(src
, dsp
) == 0)
191 if (slen
<= 0 || dlen
<= 0)
193 if (src
[slen
- 1] == '.')
195 if (dsp
[dlen
- 1] == '.')
197 if (slen
!= dlen
|| strncasecmp(src
, dsp
, slen
) != 0)
203 kleave(" = %d", ret
);
210 static void dns_resolver_describe(const struct key
*key
, struct seq_file
*m
)
212 int err
= key
->type_data
.x
[0];
214 seq_puts(m
, key
->description
);
215 if (key_is_instantiated(key
)) {
217 seq_printf(m
, ": %d", err
);
219 seq_printf(m
, ": %u", key
->datalen
);
225 * - the key's semaphore is read-locked
227 static long dns_resolver_read(const struct key
*key
,
228 char __user
*buffer
, size_t buflen
)
230 if (key
->type_data
.x
[0])
231 return key
->type_data
.x
[0];
233 return user_read(key
, buffer
, buflen
);
236 struct key_type key_type_dns_resolver
= {
237 .name
= "dns_resolver",
238 .instantiate
= dns_resolver_instantiate
,
239 .match
= dns_resolver_match
,
240 .revoke
= user_revoke
,
241 .destroy
= user_destroy
,
242 .describe
= dns_resolver_describe
,
243 .read
= dns_resolver_read
,
246 static int __init
init_dns_resolver(void)
252 /* create an override credential set with a special thread keyring in
253 * which DNS requests are cached
255 * this is used to prevent malicious redirections from being installed
258 cred
= prepare_kernel_cred(NULL
);
262 keyring
= keyring_alloc(".dns_resolver",
263 GLOBAL_ROOT_UID
, GLOBAL_ROOT_GID
, cred
,
264 (KEY_POS_ALL
& ~KEY_POS_SETATTR
) |
265 KEY_USR_VIEW
| KEY_USR_READ
,
266 KEY_ALLOC_NOT_IN_QUOTA
, NULL
);
267 if (IS_ERR(keyring
)) {
268 ret
= PTR_ERR(keyring
);
269 goto failed_put_cred
;
272 ret
= register_key_type(&key_type_dns_resolver
);
276 /* instruct request_key() to use this special keyring as a cache for
277 * the results it looks up */
278 set_bit(KEY_FLAG_ROOT_CAN_CLEAR
, &keyring
->flags
);
279 cred
->thread_keyring
= keyring
;
280 cred
->jit_keyring
= KEY_REQKEY_DEFL_THREAD_KEYRING
;
281 dns_resolver_cache
= cred
;
283 kdebug("DNS resolver keyring: %d\n", key_serial(keyring
));
293 static void __exit
exit_dns_resolver(void)
295 key_revoke(dns_resolver_cache
->thread_keyring
);
296 unregister_key_type(&key_type_dns_resolver
);
297 put_cred(dns_resolver_cache
);
300 module_init(init_dns_resolver
)
301 module_exit(exit_dns_resolver
)
302 MODULE_LICENSE("GPL");