mirror of
https://github.com/torvalds/linux.git
synced 2024-11-29 23:51:37 +00:00
ba73d98745
The may_follow_link(), may_linkat(), may_lookup(), may_open(), may_o_create(), may_create_in_sticky(), may_delete(), and may_create() helpers determine whether the caller is privileged enough to perform the associated operations. Let them handle idmapped mounts by mapping the inode or fsids according to the mount's user namespace. Afterwards the checks are identical to non-idmapped inodes. The patch takes care to retrieve the mount's user namespace right before performing permission checks and passing it down into the fileystem so the user namespace can't change in between by someone idmapping a mount that is currently not idmapped. If the initial user namespace is passed nothing changes so non-idmapped mounts will see identical behavior as before. Link: https://lore.kernel.org/r/20210121131959.646623-13-christian.brauner@ubuntu.com Cc: Christoph Hellwig <hch@lst.de> Cc: David Howells <dhowells@redhat.com> Cc: Al Viro <viro@zeniv.linux.org.uk> Cc: linux-fsdevel@vger.kernel.org Reviewed-by: Christoph Hellwig <hch@lst.de> Reviewed-by: James Morris <jamorris@linux.microsoft.com> Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
1131 lines
27 KiB
C
1131 lines
27 KiB
C
// SPDX-License-Identifier: GPL-2.0-only
|
|
/*
|
|
File: fs/xattr.c
|
|
|
|
Extended attribute handling.
|
|
|
|
Copyright (C) 2001 by Andreas Gruenbacher <a.gruenbacher@computer.org>
|
|
Copyright (C) 2001 SGI - Silicon Graphics, Inc <linux-xfs@oss.sgi.com>
|
|
Copyright (c) 2004 Red Hat, Inc., James Morris <jmorris@redhat.com>
|
|
*/
|
|
#include <linux/fs.h>
|
|
#include <linux/slab.h>
|
|
#include <linux/file.h>
|
|
#include <linux/xattr.h>
|
|
#include <linux/mount.h>
|
|
#include <linux/namei.h>
|
|
#include <linux/security.h>
|
|
#include <linux/evm.h>
|
|
#include <linux/syscalls.h>
|
|
#include <linux/export.h>
|
|
#include <linux/fsnotify.h>
|
|
#include <linux/audit.h>
|
|
#include <linux/vmalloc.h>
|
|
#include <linux/posix_acl_xattr.h>
|
|
|
|
#include <linux/uaccess.h>
|
|
|
|
static const char *
|
|
strcmp_prefix(const char *a, const char *a_prefix)
|
|
{
|
|
while (*a_prefix && *a == *a_prefix) {
|
|
a++;
|
|
a_prefix++;
|
|
}
|
|
return *a_prefix ? NULL : a;
|
|
}
|
|
|
|
/*
|
|
* In order to implement different sets of xattr operations for each xattr
|
|
* prefix, a filesystem should create a null-terminated array of struct
|
|
* xattr_handler (one for each prefix) and hang a pointer to it off of the
|
|
* s_xattr field of the superblock.
|
|
*/
|
|
#define for_each_xattr_handler(handlers, handler) \
|
|
if (handlers) \
|
|
for ((handler) = *(handlers)++; \
|
|
(handler) != NULL; \
|
|
(handler) = *(handlers)++)
|
|
|
|
/*
|
|
* Find the xattr_handler with the matching prefix.
|
|
*/
|
|
static const struct xattr_handler *
|
|
xattr_resolve_name(struct inode *inode, const char **name)
|
|
{
|
|
const struct xattr_handler **handlers = inode->i_sb->s_xattr;
|
|
const struct xattr_handler *handler;
|
|
|
|
if (!(inode->i_opflags & IOP_XATTR)) {
|
|
if (unlikely(is_bad_inode(inode)))
|
|
return ERR_PTR(-EIO);
|
|
return ERR_PTR(-EOPNOTSUPP);
|
|
}
|
|
for_each_xattr_handler(handlers, handler) {
|
|
const char *n;
|
|
|
|
n = strcmp_prefix(*name, xattr_prefix(handler));
|
|
if (n) {
|
|
if (!handler->prefix ^ !*n) {
|
|
if (*n)
|
|
continue;
|
|
return ERR_PTR(-EINVAL);
|
|
}
|
|
*name = n;
|
|
return handler;
|
|
}
|
|
}
|
|
return ERR_PTR(-EOPNOTSUPP);
|
|
}
|
|
|
|
/*
|
|
* Check permissions for extended attribute access. This is a bit complicated
|
|
* because different namespaces have very different rules.
|
|
*/
|
|
static int
|
|
xattr_permission(struct user_namespace *mnt_userns, struct inode *inode,
|
|
const char *name, int mask)
|
|
{
|
|
/*
|
|
* We can never set or remove an extended attribute on a read-only
|
|
* filesystem or on an immutable / append-only inode.
|
|
*/
|
|
if (mask & MAY_WRITE) {
|
|
if (IS_IMMUTABLE(inode) || IS_APPEND(inode))
|
|
return -EPERM;
|
|
/*
|
|
* Updating an xattr will likely cause i_uid and i_gid
|
|
* to be writen back improperly if their true value is
|
|
* unknown to the vfs.
|
|
*/
|
|
if (HAS_UNMAPPED_ID(mnt_userns, inode))
|
|
return -EPERM;
|
|
}
|
|
|
|
/*
|
|
* No restriction for security.* and system.* from the VFS. Decision
|
|
* on these is left to the underlying filesystem / security module.
|
|
*/
|
|
if (!strncmp(name, XATTR_SECURITY_PREFIX, XATTR_SECURITY_PREFIX_LEN) ||
|
|
!strncmp(name, XATTR_SYSTEM_PREFIX, XATTR_SYSTEM_PREFIX_LEN))
|
|
return 0;
|
|
|
|
/*
|
|
* The trusted.* namespace can only be accessed by privileged users.
|
|
*/
|
|
if (!strncmp(name, XATTR_TRUSTED_PREFIX, XATTR_TRUSTED_PREFIX_LEN)) {
|
|
if (!capable(CAP_SYS_ADMIN))
|
|
return (mask & MAY_WRITE) ? -EPERM : -ENODATA;
|
|
return 0;
|
|
}
|
|
|
|
/*
|
|
* In the user.* namespace, only regular files and directories can have
|
|
* extended attributes. For sticky directories, only the owner and
|
|
* privileged users can write attributes.
|
|
*/
|
|
if (!strncmp(name, XATTR_USER_PREFIX, XATTR_USER_PREFIX_LEN)) {
|
|
if (!S_ISREG(inode->i_mode) && !S_ISDIR(inode->i_mode))
|
|
return (mask & MAY_WRITE) ? -EPERM : -ENODATA;
|
|
if (S_ISDIR(inode->i_mode) && (inode->i_mode & S_ISVTX) &&
|
|
(mask & MAY_WRITE) &&
|
|
!inode_owner_or_capable(mnt_userns, inode))
|
|
return -EPERM;
|
|
}
|
|
|
|
return inode_permission(mnt_userns, inode, mask);
|
|
}
|
|
|
|
/*
|
|
* Look for any handler that deals with the specified namespace.
|
|
*/
|
|
int
|
|
xattr_supported_namespace(struct inode *inode, const char *prefix)
|
|
{
|
|
const struct xattr_handler **handlers = inode->i_sb->s_xattr;
|
|
const struct xattr_handler *handler;
|
|
size_t preflen;
|
|
|
|
if (!(inode->i_opflags & IOP_XATTR)) {
|
|
if (unlikely(is_bad_inode(inode)))
|
|
return -EIO;
|
|
return -EOPNOTSUPP;
|
|
}
|
|
|
|
preflen = strlen(prefix);
|
|
|
|
for_each_xattr_handler(handlers, handler) {
|
|
if (!strncmp(xattr_prefix(handler), prefix, preflen))
|
|
return 0;
|
|
}
|
|
|
|
return -EOPNOTSUPP;
|
|
}
|
|
EXPORT_SYMBOL(xattr_supported_namespace);
|
|
|
|
int
|
|
__vfs_setxattr(struct user_namespace *mnt_userns, struct dentry *dentry,
|
|
struct inode *inode, const char *name, const void *value,
|
|
size_t size, int flags)
|
|
{
|
|
const struct xattr_handler *handler;
|
|
|
|
handler = xattr_resolve_name(inode, &name);
|
|
if (IS_ERR(handler))
|
|
return PTR_ERR(handler);
|
|
if (!handler->set)
|
|
return -EOPNOTSUPP;
|
|
if (size == 0)
|
|
value = ""; /* empty EA, do not remove */
|
|
return handler->set(handler, mnt_userns, dentry, inode, name, value,
|
|
size, flags);
|
|
}
|
|
EXPORT_SYMBOL(__vfs_setxattr);
|
|
|
|
/**
|
|
* __vfs_setxattr_noperm - perform setxattr operation without performing
|
|
* permission checks.
|
|
*
|
|
* @mnt_userns - user namespace of the mount the inode was found from
|
|
* @dentry - object to perform setxattr on
|
|
* @name - xattr name to set
|
|
* @value - value to set @name to
|
|
* @size - size of @value
|
|
* @flags - flags to pass into filesystem operations
|
|
*
|
|
* returns the result of the internal setxattr or setsecurity operations.
|
|
*
|
|
* This function requires the caller to lock the inode's i_mutex before it
|
|
* is executed. It also assumes that the caller will make the appropriate
|
|
* permission checks.
|
|
*/
|
|
int __vfs_setxattr_noperm(struct user_namespace *mnt_userns,
|
|
struct dentry *dentry, const char *name,
|
|
const void *value, size_t size, int flags)
|
|
{
|
|
struct inode *inode = dentry->d_inode;
|
|
int error = -EAGAIN;
|
|
int issec = !strncmp(name, XATTR_SECURITY_PREFIX,
|
|
XATTR_SECURITY_PREFIX_LEN);
|
|
|
|
if (issec)
|
|
inode->i_flags &= ~S_NOSEC;
|
|
if (inode->i_opflags & IOP_XATTR) {
|
|
error = __vfs_setxattr(mnt_userns, dentry, inode, name, value,
|
|
size, flags);
|
|
if (!error) {
|
|
fsnotify_xattr(dentry);
|
|
security_inode_post_setxattr(dentry, name, value,
|
|
size, flags);
|
|
}
|
|
} else {
|
|
if (unlikely(is_bad_inode(inode)))
|
|
return -EIO;
|
|
}
|
|
if (error == -EAGAIN) {
|
|
error = -EOPNOTSUPP;
|
|
|
|
if (issec) {
|
|
const char *suffix = name + XATTR_SECURITY_PREFIX_LEN;
|
|
|
|
error = security_inode_setsecurity(inode, suffix, value,
|
|
size, flags);
|
|
if (!error)
|
|
fsnotify_xattr(dentry);
|
|
}
|
|
}
|
|
|
|
return error;
|
|
}
|
|
|
|
/**
|
|
* __vfs_setxattr_locked - set an extended attribute while holding the inode
|
|
* lock
|
|
*
|
|
* @dentry: object to perform setxattr on
|
|
* @name: xattr name to set
|
|
* @value: value to set @name to
|
|
* @size: size of @value
|
|
* @flags: flags to pass into filesystem operations
|
|
* @delegated_inode: on return, will contain an inode pointer that
|
|
* a delegation was broken on, NULL if none.
|
|
*/
|
|
int
|
|
__vfs_setxattr_locked(struct user_namespace *mnt_userns, struct dentry *dentry,
|
|
const char *name, const void *value, size_t size,
|
|
int flags, struct inode **delegated_inode)
|
|
{
|
|
struct inode *inode = dentry->d_inode;
|
|
int error;
|
|
|
|
error = xattr_permission(mnt_userns, inode, name, MAY_WRITE);
|
|
if (error)
|
|
return error;
|
|
|
|
error = security_inode_setxattr(mnt_userns, dentry, name, value, size,
|
|
flags);
|
|
if (error)
|
|
goto out;
|
|
|
|
error = try_break_deleg(inode, delegated_inode);
|
|
if (error)
|
|
goto out;
|
|
|
|
error = __vfs_setxattr_noperm(mnt_userns, dentry, name, value,
|
|
size, flags);
|
|
|
|
out:
|
|
return error;
|
|
}
|
|
EXPORT_SYMBOL_GPL(__vfs_setxattr_locked);
|
|
|
|
int
|
|
vfs_setxattr(struct user_namespace *mnt_userns, struct dentry *dentry,
|
|
const char *name, const void *value, size_t size, int flags)
|
|
{
|
|
struct inode *inode = dentry->d_inode;
|
|
struct inode *delegated_inode = NULL;
|
|
const void *orig_value = value;
|
|
int error;
|
|
|
|
if (size && strcmp(name, XATTR_NAME_CAPS) == 0) {
|
|
error = cap_convert_nscap(mnt_userns, dentry, &value, size);
|
|
if (error < 0)
|
|
return error;
|
|
size = error;
|
|
}
|
|
|
|
retry_deleg:
|
|
inode_lock(inode);
|
|
error = __vfs_setxattr_locked(mnt_userns, dentry, name, value, size,
|
|
flags, &delegated_inode);
|
|
inode_unlock(inode);
|
|
|
|
if (delegated_inode) {
|
|
error = break_deleg_wait(&delegated_inode);
|
|
if (!error)
|
|
goto retry_deleg;
|
|
}
|
|
if (value != orig_value)
|
|
kfree(value);
|
|
|
|
return error;
|
|
}
|
|
EXPORT_SYMBOL_GPL(vfs_setxattr);
|
|
|
|
static ssize_t
|
|
xattr_getsecurity(struct user_namespace *mnt_userns, struct inode *inode,
|
|
const char *name, void *value, size_t size)
|
|
{
|
|
void *buffer = NULL;
|
|
ssize_t len;
|
|
|
|
if (!value || !size) {
|
|
len = security_inode_getsecurity(mnt_userns, inode, name,
|
|
&buffer, false);
|
|
goto out_noalloc;
|
|
}
|
|
|
|
len = security_inode_getsecurity(mnt_userns, inode, name, &buffer,
|
|
true);
|
|
if (len < 0)
|
|
return len;
|
|
if (size < len) {
|
|
len = -ERANGE;
|
|
goto out;
|
|
}
|
|
memcpy(value, buffer, len);
|
|
out:
|
|
kfree(buffer);
|
|
out_noalloc:
|
|
return len;
|
|
}
|
|
|
|
/*
|
|
* vfs_getxattr_alloc - allocate memory, if necessary, before calling getxattr
|
|
*
|
|
* Allocate memory, if not already allocated, or re-allocate correct size,
|
|
* before retrieving the extended attribute.
|
|
*
|
|
* Returns the result of alloc, if failed, or the getxattr operation.
|
|
*/
|
|
ssize_t
|
|
vfs_getxattr_alloc(struct user_namespace *mnt_userns, struct dentry *dentry,
|
|
const char *name, char **xattr_value, size_t xattr_size,
|
|
gfp_t flags)
|
|
{
|
|
const struct xattr_handler *handler;
|
|
struct inode *inode = dentry->d_inode;
|
|
char *value = *xattr_value;
|
|
int error;
|
|
|
|
error = xattr_permission(mnt_userns, inode, name, MAY_READ);
|
|
if (error)
|
|
return error;
|
|
|
|
handler = xattr_resolve_name(inode, &name);
|
|
if (IS_ERR(handler))
|
|
return PTR_ERR(handler);
|
|
if (!handler->get)
|
|
return -EOPNOTSUPP;
|
|
error = handler->get(handler, dentry, inode, name, NULL, 0);
|
|
if (error < 0)
|
|
return error;
|
|
|
|
if (!value || (error > xattr_size)) {
|
|
value = krealloc(*xattr_value, error + 1, flags);
|
|
if (!value)
|
|
return -ENOMEM;
|
|
memset(value, 0, error + 1);
|
|
}
|
|
|
|
error = handler->get(handler, dentry, inode, name, value, error);
|
|
*xattr_value = value;
|
|
return error;
|
|
}
|
|
|
|
ssize_t
|
|
__vfs_getxattr(struct dentry *dentry, struct inode *inode, const char *name,
|
|
void *value, size_t size)
|
|
{
|
|
const struct xattr_handler *handler;
|
|
|
|
handler = xattr_resolve_name(inode, &name);
|
|
if (IS_ERR(handler))
|
|
return PTR_ERR(handler);
|
|
if (!handler->get)
|
|
return -EOPNOTSUPP;
|
|
return handler->get(handler, dentry, inode, name, value, size);
|
|
}
|
|
EXPORT_SYMBOL(__vfs_getxattr);
|
|
|
|
ssize_t
|
|
vfs_getxattr(struct user_namespace *mnt_userns, struct dentry *dentry,
|
|
const char *name, void *value, size_t size)
|
|
{
|
|
struct inode *inode = dentry->d_inode;
|
|
int error;
|
|
|
|
error = xattr_permission(mnt_userns, inode, name, MAY_READ);
|
|
if (error)
|
|
return error;
|
|
|
|
error = security_inode_getxattr(dentry, name);
|
|
if (error)
|
|
return error;
|
|
|
|
if (!strncmp(name, XATTR_SECURITY_PREFIX,
|
|
XATTR_SECURITY_PREFIX_LEN)) {
|
|
const char *suffix = name + XATTR_SECURITY_PREFIX_LEN;
|
|
int ret = xattr_getsecurity(mnt_userns, inode, suffix, value,
|
|
size);
|
|
/*
|
|
* Only overwrite the return value if a security module
|
|
* is actually active.
|
|
*/
|
|
if (ret == -EOPNOTSUPP)
|
|
goto nolsm;
|
|
return ret;
|
|
}
|
|
nolsm:
|
|
return __vfs_getxattr(dentry, inode, name, value, size);
|
|
}
|
|
EXPORT_SYMBOL_GPL(vfs_getxattr);
|
|
|
|
ssize_t
|
|
vfs_listxattr(struct dentry *dentry, char *list, size_t size)
|
|
{
|
|
struct inode *inode = d_inode(dentry);
|
|
ssize_t error;
|
|
|
|
error = security_inode_listxattr(dentry);
|
|
if (error)
|
|
return error;
|
|
if (inode->i_op->listxattr && (inode->i_opflags & IOP_XATTR)) {
|
|
error = inode->i_op->listxattr(dentry, list, size);
|
|
} else {
|
|
error = security_inode_listsecurity(inode, list, size);
|
|
if (size && error > size)
|
|
error = -ERANGE;
|
|
}
|
|
return error;
|
|
}
|
|
EXPORT_SYMBOL_GPL(vfs_listxattr);
|
|
|
|
int
|
|
__vfs_removexattr(struct user_namespace *mnt_userns, struct dentry *dentry,
|
|
const char *name)
|
|
{
|
|
struct inode *inode = d_inode(dentry);
|
|
const struct xattr_handler *handler;
|
|
|
|
handler = xattr_resolve_name(inode, &name);
|
|
if (IS_ERR(handler))
|
|
return PTR_ERR(handler);
|
|
if (!handler->set)
|
|
return -EOPNOTSUPP;
|
|
return handler->set(handler, mnt_userns, dentry, inode, name, NULL, 0,
|
|
XATTR_REPLACE);
|
|
}
|
|
EXPORT_SYMBOL(__vfs_removexattr);
|
|
|
|
/**
|
|
* __vfs_removexattr_locked - set an extended attribute while holding the inode
|
|
* lock
|
|
*
|
|
* @dentry: object to perform setxattr on
|
|
* @name: name of xattr to remove
|
|
* @delegated_inode: on return, will contain an inode pointer that
|
|
* a delegation was broken on, NULL if none.
|
|
*/
|
|
int
|
|
__vfs_removexattr_locked(struct user_namespace *mnt_userns,
|
|
struct dentry *dentry, const char *name,
|
|
struct inode **delegated_inode)
|
|
{
|
|
struct inode *inode = dentry->d_inode;
|
|
int error;
|
|
|
|
error = xattr_permission(mnt_userns, inode, name, MAY_WRITE);
|
|
if (error)
|
|
return error;
|
|
|
|
error = security_inode_removexattr(mnt_userns, dentry, name);
|
|
if (error)
|
|
goto out;
|
|
|
|
error = try_break_deleg(inode, delegated_inode);
|
|
if (error)
|
|
goto out;
|
|
|
|
error = __vfs_removexattr(mnt_userns, dentry, name);
|
|
|
|
if (!error) {
|
|
fsnotify_xattr(dentry);
|
|
evm_inode_post_removexattr(dentry, name);
|
|
}
|
|
|
|
out:
|
|
return error;
|
|
}
|
|
EXPORT_SYMBOL_GPL(__vfs_removexattr_locked);
|
|
|
|
int
|
|
vfs_removexattr(struct user_namespace *mnt_userns, struct dentry *dentry,
|
|
const char *name)
|
|
{
|
|
struct inode *inode = dentry->d_inode;
|
|
struct inode *delegated_inode = NULL;
|
|
int error;
|
|
|
|
retry_deleg:
|
|
inode_lock(inode);
|
|
error = __vfs_removexattr_locked(mnt_userns, dentry,
|
|
name, &delegated_inode);
|
|
inode_unlock(inode);
|
|
|
|
if (delegated_inode) {
|
|
error = break_deleg_wait(&delegated_inode);
|
|
if (!error)
|
|
goto retry_deleg;
|
|
}
|
|
|
|
return error;
|
|
}
|
|
EXPORT_SYMBOL_GPL(vfs_removexattr);
|
|
|
|
/*
|
|
* Extended attribute SET operations
|
|
*/
|
|
static long
|
|
setxattr(struct user_namespace *mnt_userns, struct dentry *d,
|
|
const char __user *name, const void __user *value, size_t size,
|
|
int flags)
|
|
{
|
|
int error;
|
|
void *kvalue = NULL;
|
|
char kname[XATTR_NAME_MAX + 1];
|
|
|
|
if (flags & ~(XATTR_CREATE|XATTR_REPLACE))
|
|
return -EINVAL;
|
|
|
|
error = strncpy_from_user(kname, name, sizeof(kname));
|
|
if (error == 0 || error == sizeof(kname))
|
|
error = -ERANGE;
|
|
if (error < 0)
|
|
return error;
|
|
|
|
if (size) {
|
|
if (size > XATTR_SIZE_MAX)
|
|
return -E2BIG;
|
|
kvalue = kvmalloc(size, GFP_KERNEL);
|
|
if (!kvalue)
|
|
return -ENOMEM;
|
|
if (copy_from_user(kvalue, value, size)) {
|
|
error = -EFAULT;
|
|
goto out;
|
|
}
|
|
if ((strcmp(kname, XATTR_NAME_POSIX_ACL_ACCESS) == 0) ||
|
|
(strcmp(kname, XATTR_NAME_POSIX_ACL_DEFAULT) == 0))
|
|
posix_acl_fix_xattr_from_user(mnt_userns, kvalue, size);
|
|
}
|
|
|
|
error = vfs_setxattr(mnt_userns, d, kname, kvalue, size, flags);
|
|
out:
|
|
kvfree(kvalue);
|
|
|
|
return error;
|
|
}
|
|
|
|
static int path_setxattr(const char __user *pathname,
|
|
const char __user *name, const void __user *value,
|
|
size_t size, int flags, unsigned int lookup_flags)
|
|
{
|
|
struct path path;
|
|
int error;
|
|
|
|
retry:
|
|
error = user_path_at(AT_FDCWD, pathname, lookup_flags, &path);
|
|
if (error)
|
|
return error;
|
|
error = mnt_want_write(path.mnt);
|
|
if (!error) {
|
|
error = setxattr(mnt_user_ns(path.mnt), path.dentry, name,
|
|
value, size, flags);
|
|
mnt_drop_write(path.mnt);
|
|
}
|
|
path_put(&path);
|
|
if (retry_estale(error, lookup_flags)) {
|
|
lookup_flags |= LOOKUP_REVAL;
|
|
goto retry;
|
|
}
|
|
return error;
|
|
}
|
|
|
|
SYSCALL_DEFINE5(setxattr, const char __user *, pathname,
|
|
const char __user *, name, const void __user *, value,
|
|
size_t, size, int, flags)
|
|
{
|
|
return path_setxattr(pathname, name, value, size, flags, LOOKUP_FOLLOW);
|
|
}
|
|
|
|
SYSCALL_DEFINE5(lsetxattr, const char __user *, pathname,
|
|
const char __user *, name, const void __user *, value,
|
|
size_t, size, int, flags)
|
|
{
|
|
return path_setxattr(pathname, name, value, size, flags, 0);
|
|
}
|
|
|
|
SYSCALL_DEFINE5(fsetxattr, int, fd, const char __user *, name,
|
|
const void __user *,value, size_t, size, int, flags)
|
|
{
|
|
struct fd f = fdget(fd);
|
|
int error = -EBADF;
|
|
|
|
if (!f.file)
|
|
return error;
|
|
audit_file(f.file);
|
|
error = mnt_want_write_file(f.file);
|
|
if (!error) {
|
|
error = setxattr(file_mnt_user_ns(f.file),
|
|
f.file->f_path.dentry, name,
|
|
value, size, flags);
|
|
mnt_drop_write_file(f.file);
|
|
}
|
|
fdput(f);
|
|
return error;
|
|
}
|
|
|
|
/*
|
|
* Extended attribute GET operations
|
|
*/
|
|
static ssize_t
|
|
getxattr(struct user_namespace *mnt_userns, struct dentry *d,
|
|
const char __user *name, void __user *value, size_t size)
|
|
{
|
|
ssize_t error;
|
|
void *kvalue = NULL;
|
|
char kname[XATTR_NAME_MAX + 1];
|
|
|
|
error = strncpy_from_user(kname, name, sizeof(kname));
|
|
if (error == 0 || error == sizeof(kname))
|
|
error = -ERANGE;
|
|
if (error < 0)
|
|
return error;
|
|
|
|
if (size) {
|
|
if (size > XATTR_SIZE_MAX)
|
|
size = XATTR_SIZE_MAX;
|
|
kvalue = kvzalloc(size, GFP_KERNEL);
|
|
if (!kvalue)
|
|
return -ENOMEM;
|
|
}
|
|
|
|
error = vfs_getxattr(mnt_userns, d, kname, kvalue, size);
|
|
if (error > 0) {
|
|
if ((strcmp(kname, XATTR_NAME_POSIX_ACL_ACCESS) == 0) ||
|
|
(strcmp(kname, XATTR_NAME_POSIX_ACL_DEFAULT) == 0))
|
|
posix_acl_fix_xattr_to_user(mnt_userns, kvalue, error);
|
|
if (size && copy_to_user(value, kvalue, error))
|
|
error = -EFAULT;
|
|
} else if (error == -ERANGE && size >= XATTR_SIZE_MAX) {
|
|
/* The file system tried to returned a value bigger
|
|
than XATTR_SIZE_MAX bytes. Not possible. */
|
|
error = -E2BIG;
|
|
}
|
|
|
|
kvfree(kvalue);
|
|
|
|
return error;
|
|
}
|
|
|
|
static ssize_t path_getxattr(const char __user *pathname,
|
|
const char __user *name, void __user *value,
|
|
size_t size, unsigned int lookup_flags)
|
|
{
|
|
struct path path;
|
|
ssize_t error;
|
|
retry:
|
|
error = user_path_at(AT_FDCWD, pathname, lookup_flags, &path);
|
|
if (error)
|
|
return error;
|
|
error = getxattr(mnt_user_ns(path.mnt), path.dentry, name, value, size);
|
|
path_put(&path);
|
|
if (retry_estale(error, lookup_flags)) {
|
|
lookup_flags |= LOOKUP_REVAL;
|
|
goto retry;
|
|
}
|
|
return error;
|
|
}
|
|
|
|
SYSCALL_DEFINE4(getxattr, const char __user *, pathname,
|
|
const char __user *, name, void __user *, value, size_t, size)
|
|
{
|
|
return path_getxattr(pathname, name, value, size, LOOKUP_FOLLOW);
|
|
}
|
|
|
|
SYSCALL_DEFINE4(lgetxattr, const char __user *, pathname,
|
|
const char __user *, name, void __user *, value, size_t, size)
|
|
{
|
|
return path_getxattr(pathname, name, value, size, 0);
|
|
}
|
|
|
|
SYSCALL_DEFINE4(fgetxattr, int, fd, const char __user *, name,
|
|
void __user *, value, size_t, size)
|
|
{
|
|
struct fd f = fdget(fd);
|
|
ssize_t error = -EBADF;
|
|
|
|
if (!f.file)
|
|
return error;
|
|
audit_file(f.file);
|
|
error = getxattr(file_mnt_user_ns(f.file), f.file->f_path.dentry,
|
|
name, value, size);
|
|
fdput(f);
|
|
return error;
|
|
}
|
|
|
|
/*
|
|
* Extended attribute LIST operations
|
|
*/
|
|
static ssize_t
|
|
listxattr(struct dentry *d, char __user *list, size_t size)
|
|
{
|
|
ssize_t error;
|
|
char *klist = NULL;
|
|
|
|
if (size) {
|
|
if (size > XATTR_LIST_MAX)
|
|
size = XATTR_LIST_MAX;
|
|
klist = kvmalloc(size, GFP_KERNEL);
|
|
if (!klist)
|
|
return -ENOMEM;
|
|
}
|
|
|
|
error = vfs_listxattr(d, klist, size);
|
|
if (error > 0) {
|
|
if (size && copy_to_user(list, klist, error))
|
|
error = -EFAULT;
|
|
} else if (error == -ERANGE && size >= XATTR_LIST_MAX) {
|
|
/* The file system tried to returned a list bigger
|
|
than XATTR_LIST_MAX bytes. Not possible. */
|
|
error = -E2BIG;
|
|
}
|
|
|
|
kvfree(klist);
|
|
|
|
return error;
|
|
}
|
|
|
|
static ssize_t path_listxattr(const char __user *pathname, char __user *list,
|
|
size_t size, unsigned int lookup_flags)
|
|
{
|
|
struct path path;
|
|
ssize_t error;
|
|
retry:
|
|
error = user_path_at(AT_FDCWD, pathname, lookup_flags, &path);
|
|
if (error)
|
|
return error;
|
|
error = listxattr(path.dentry, list, size);
|
|
path_put(&path);
|
|
if (retry_estale(error, lookup_flags)) {
|
|
lookup_flags |= LOOKUP_REVAL;
|
|
goto retry;
|
|
}
|
|
return error;
|
|
}
|
|
|
|
SYSCALL_DEFINE3(listxattr, const char __user *, pathname, char __user *, list,
|
|
size_t, size)
|
|
{
|
|
return path_listxattr(pathname, list, size, LOOKUP_FOLLOW);
|
|
}
|
|
|
|
SYSCALL_DEFINE3(llistxattr, const char __user *, pathname, char __user *, list,
|
|
size_t, size)
|
|
{
|
|
return path_listxattr(pathname, list, size, 0);
|
|
}
|
|
|
|
SYSCALL_DEFINE3(flistxattr, int, fd, char __user *, list, size_t, size)
|
|
{
|
|
struct fd f = fdget(fd);
|
|
ssize_t error = -EBADF;
|
|
|
|
if (!f.file)
|
|
return error;
|
|
audit_file(f.file);
|
|
error = listxattr(f.file->f_path.dentry, list, size);
|
|
fdput(f);
|
|
return error;
|
|
}
|
|
|
|
/*
|
|
* Extended attribute REMOVE operations
|
|
*/
|
|
static long
|
|
removexattr(struct user_namespace *mnt_userns, struct dentry *d,
|
|
const char __user *name)
|
|
{
|
|
int error;
|
|
char kname[XATTR_NAME_MAX + 1];
|
|
|
|
error = strncpy_from_user(kname, name, sizeof(kname));
|
|
if (error == 0 || error == sizeof(kname))
|
|
error = -ERANGE;
|
|
if (error < 0)
|
|
return error;
|
|
|
|
return vfs_removexattr(mnt_userns, d, kname);
|
|
}
|
|
|
|
static int path_removexattr(const char __user *pathname,
|
|
const char __user *name, unsigned int lookup_flags)
|
|
{
|
|
struct path path;
|
|
int error;
|
|
retry:
|
|
error = user_path_at(AT_FDCWD, pathname, lookup_flags, &path);
|
|
if (error)
|
|
return error;
|
|
error = mnt_want_write(path.mnt);
|
|
if (!error) {
|
|
error = removexattr(mnt_user_ns(path.mnt), path.dentry, name);
|
|
mnt_drop_write(path.mnt);
|
|
}
|
|
path_put(&path);
|
|
if (retry_estale(error, lookup_flags)) {
|
|
lookup_flags |= LOOKUP_REVAL;
|
|
goto retry;
|
|
}
|
|
return error;
|
|
}
|
|
|
|
SYSCALL_DEFINE2(removexattr, const char __user *, pathname,
|
|
const char __user *, name)
|
|
{
|
|
return path_removexattr(pathname, name, LOOKUP_FOLLOW);
|
|
}
|
|
|
|
SYSCALL_DEFINE2(lremovexattr, const char __user *, pathname,
|
|
const char __user *, name)
|
|
{
|
|
return path_removexattr(pathname, name, 0);
|
|
}
|
|
|
|
SYSCALL_DEFINE2(fremovexattr, int, fd, const char __user *, name)
|
|
{
|
|
struct fd f = fdget(fd);
|
|
int error = -EBADF;
|
|
|
|
if (!f.file)
|
|
return error;
|
|
audit_file(f.file);
|
|
error = mnt_want_write_file(f.file);
|
|
if (!error) {
|
|
error = removexattr(file_mnt_user_ns(f.file),
|
|
f.file->f_path.dentry, name);
|
|
mnt_drop_write_file(f.file);
|
|
}
|
|
fdput(f);
|
|
return error;
|
|
}
|
|
|
|
/*
|
|
* Combine the results of the list() operation from every xattr_handler in the
|
|
* list.
|
|
*/
|
|
ssize_t
|
|
generic_listxattr(struct dentry *dentry, char *buffer, size_t buffer_size)
|
|
{
|
|
const struct xattr_handler *handler, **handlers = dentry->d_sb->s_xattr;
|
|
unsigned int size = 0;
|
|
|
|
if (!buffer) {
|
|
for_each_xattr_handler(handlers, handler) {
|
|
if (!handler->name ||
|
|
(handler->list && !handler->list(dentry)))
|
|
continue;
|
|
size += strlen(handler->name) + 1;
|
|
}
|
|
} else {
|
|
char *buf = buffer;
|
|
size_t len;
|
|
|
|
for_each_xattr_handler(handlers, handler) {
|
|
if (!handler->name ||
|
|
(handler->list && !handler->list(dentry)))
|
|
continue;
|
|
len = strlen(handler->name);
|
|
if (len + 1 > buffer_size)
|
|
return -ERANGE;
|
|
memcpy(buf, handler->name, len + 1);
|
|
buf += len + 1;
|
|
buffer_size -= len + 1;
|
|
}
|
|
size = buf - buffer;
|
|
}
|
|
return size;
|
|
}
|
|
EXPORT_SYMBOL(generic_listxattr);
|
|
|
|
/**
|
|
* xattr_full_name - Compute full attribute name from suffix
|
|
*
|
|
* @handler: handler of the xattr_handler operation
|
|
* @name: name passed to the xattr_handler operation
|
|
*
|
|
* The get and set xattr handler operations are called with the remainder of
|
|
* the attribute name after skipping the handler's prefix: for example, "foo"
|
|
* is passed to the get operation of a handler with prefix "user." to get
|
|
* attribute "user.foo". The full name is still "there" in the name though.
|
|
*
|
|
* Note: the list xattr handler operation when called from the vfs is passed a
|
|
* NULL name; some file systems use this operation internally, with varying
|
|
* semantics.
|
|
*/
|
|
const char *xattr_full_name(const struct xattr_handler *handler,
|
|
const char *name)
|
|
{
|
|
size_t prefix_len = strlen(xattr_prefix(handler));
|
|
|
|
return name - prefix_len;
|
|
}
|
|
EXPORT_SYMBOL(xattr_full_name);
|
|
|
|
/*
|
|
* Allocate new xattr and copy in the value; but leave the name to callers.
|
|
*/
|
|
struct simple_xattr *simple_xattr_alloc(const void *value, size_t size)
|
|
{
|
|
struct simple_xattr *new_xattr;
|
|
size_t len;
|
|
|
|
/* wrap around? */
|
|
len = sizeof(*new_xattr) + size;
|
|
if (len < sizeof(*new_xattr))
|
|
return NULL;
|
|
|
|
new_xattr = kvmalloc(len, GFP_KERNEL);
|
|
if (!new_xattr)
|
|
return NULL;
|
|
|
|
new_xattr->size = size;
|
|
memcpy(new_xattr->value, value, size);
|
|
return new_xattr;
|
|
}
|
|
|
|
/*
|
|
* xattr GET operation for in-memory/pseudo filesystems
|
|
*/
|
|
int simple_xattr_get(struct simple_xattrs *xattrs, const char *name,
|
|
void *buffer, size_t size)
|
|
{
|
|
struct simple_xattr *xattr;
|
|
int ret = -ENODATA;
|
|
|
|
spin_lock(&xattrs->lock);
|
|
list_for_each_entry(xattr, &xattrs->head, list) {
|
|
if (strcmp(name, xattr->name))
|
|
continue;
|
|
|
|
ret = xattr->size;
|
|
if (buffer) {
|
|
if (size < xattr->size)
|
|
ret = -ERANGE;
|
|
else
|
|
memcpy(buffer, xattr->value, xattr->size);
|
|
}
|
|
break;
|
|
}
|
|
spin_unlock(&xattrs->lock);
|
|
return ret;
|
|
}
|
|
|
|
/**
|
|
* simple_xattr_set - xattr SET operation for in-memory/pseudo filesystems
|
|
* @xattrs: target simple_xattr list
|
|
* @name: name of the extended attribute
|
|
* @value: value of the xattr. If %NULL, will remove the attribute.
|
|
* @size: size of the new xattr
|
|
* @flags: %XATTR_{CREATE|REPLACE}
|
|
* @removed_size: returns size of the removed xattr, -1 if none removed
|
|
*
|
|
* %XATTR_CREATE is set, the xattr shouldn't exist already; otherwise fails
|
|
* with -EEXIST. If %XATTR_REPLACE is set, the xattr should exist;
|
|
* otherwise, fails with -ENODATA.
|
|
*
|
|
* Returns 0 on success, -errno on failure.
|
|
*/
|
|
int simple_xattr_set(struct simple_xattrs *xattrs, const char *name,
|
|
const void *value, size_t size, int flags,
|
|
ssize_t *removed_size)
|
|
{
|
|
struct simple_xattr *xattr;
|
|
struct simple_xattr *new_xattr = NULL;
|
|
int err = 0;
|
|
|
|
if (removed_size)
|
|
*removed_size = -1;
|
|
|
|
/* value == NULL means remove */
|
|
if (value) {
|
|
new_xattr = simple_xattr_alloc(value, size);
|
|
if (!new_xattr)
|
|
return -ENOMEM;
|
|
|
|
new_xattr->name = kstrdup(name, GFP_KERNEL);
|
|
if (!new_xattr->name) {
|
|
kvfree(new_xattr);
|
|
return -ENOMEM;
|
|
}
|
|
}
|
|
|
|
spin_lock(&xattrs->lock);
|
|
list_for_each_entry(xattr, &xattrs->head, list) {
|
|
if (!strcmp(name, xattr->name)) {
|
|
if (flags & XATTR_CREATE) {
|
|
xattr = new_xattr;
|
|
err = -EEXIST;
|
|
} else if (new_xattr) {
|
|
list_replace(&xattr->list, &new_xattr->list);
|
|
if (removed_size)
|
|
*removed_size = xattr->size;
|
|
} else {
|
|
list_del(&xattr->list);
|
|
if (removed_size)
|
|
*removed_size = xattr->size;
|
|
}
|
|
goto out;
|
|
}
|
|
}
|
|
if (flags & XATTR_REPLACE) {
|
|
xattr = new_xattr;
|
|
err = -ENODATA;
|
|
} else {
|
|
list_add(&new_xattr->list, &xattrs->head);
|
|
xattr = NULL;
|
|
}
|
|
out:
|
|
spin_unlock(&xattrs->lock);
|
|
if (xattr) {
|
|
kfree(xattr->name);
|
|
kvfree(xattr);
|
|
}
|
|
return err;
|
|
|
|
}
|
|
|
|
static bool xattr_is_trusted(const char *name)
|
|
{
|
|
return !strncmp(name, XATTR_TRUSTED_PREFIX, XATTR_TRUSTED_PREFIX_LEN);
|
|
}
|
|
|
|
static int xattr_list_one(char **buffer, ssize_t *remaining_size,
|
|
const char *name)
|
|
{
|
|
size_t len = strlen(name) + 1;
|
|
if (*buffer) {
|
|
if (*remaining_size < len)
|
|
return -ERANGE;
|
|
memcpy(*buffer, name, len);
|
|
*buffer += len;
|
|
}
|
|
*remaining_size -= len;
|
|
return 0;
|
|
}
|
|
|
|
/*
|
|
* xattr LIST operation for in-memory/pseudo filesystems
|
|
*/
|
|
ssize_t simple_xattr_list(struct inode *inode, struct simple_xattrs *xattrs,
|
|
char *buffer, size_t size)
|
|
{
|
|
bool trusted = capable(CAP_SYS_ADMIN);
|
|
struct simple_xattr *xattr;
|
|
ssize_t remaining_size = size;
|
|
int err = 0;
|
|
|
|
#ifdef CONFIG_FS_POSIX_ACL
|
|
if (IS_POSIXACL(inode)) {
|
|
if (inode->i_acl) {
|
|
err = xattr_list_one(&buffer, &remaining_size,
|
|
XATTR_NAME_POSIX_ACL_ACCESS);
|
|
if (err)
|
|
return err;
|
|
}
|
|
if (inode->i_default_acl) {
|
|
err = xattr_list_one(&buffer, &remaining_size,
|
|
XATTR_NAME_POSIX_ACL_DEFAULT);
|
|
if (err)
|
|
return err;
|
|
}
|
|
}
|
|
#endif
|
|
|
|
spin_lock(&xattrs->lock);
|
|
list_for_each_entry(xattr, &xattrs->head, list) {
|
|
/* skip "trusted." attributes for unprivileged callers */
|
|
if (!trusted && xattr_is_trusted(xattr->name))
|
|
continue;
|
|
|
|
err = xattr_list_one(&buffer, &remaining_size, xattr->name);
|
|
if (err)
|
|
break;
|
|
}
|
|
spin_unlock(&xattrs->lock);
|
|
|
|
return err ? err : size - remaining_size;
|
|
}
|
|
|
|
/*
|
|
* Adds an extended attribute to the list
|
|
*/
|
|
void simple_xattr_list_add(struct simple_xattrs *xattrs,
|
|
struct simple_xattr *new_xattr)
|
|
{
|
|
spin_lock(&xattrs->lock);
|
|
list_add(&new_xattr->list, &xattrs->head);
|
|
spin_unlock(&xattrs->lock);
|
|
}
|