mirror of
https://github.com/torvalds/linux.git
synced 2024-10-30 16:51:45 +00:00
d84f4f992c
Inaugurate copy-on-write credentials management. This uses RCU to manage the credentials pointer in the task_struct with respect to accesses by other tasks. A process may only modify its own credentials, and so does not need locking to access or modify its own credentials. A mutex (cred_replace_mutex) is added to the task_struct to control the effect of PTRACE_ATTACHED on credential calculations, particularly with respect to execve(). With this patch, the contents of an active credentials struct may not be changed directly; rather a new set of credentials must be prepared, modified and committed using something like the following sequence of events: struct cred *new = prepare_creds(); int ret = blah(new); if (ret < 0) { abort_creds(new); return ret; } return commit_creds(new); There are some exceptions to this rule: the keyrings pointed to by the active credentials may be instantiated - keyrings violate the COW rule as managing COW keyrings is tricky, given that it is possible for a task to directly alter the keys in a keyring in use by another task. To help enforce this, various pointers to sets of credentials, such as those in the task_struct, are declared const. The purpose of this is compile-time discouragement of altering credentials through those pointers. Once a set of credentials has been made public through one of these pointers, it may not be modified, except under special circumstances: (1) Its reference count may incremented and decremented. (2) The keyrings to which it points may be modified, but not replaced. The only safe way to modify anything else is to create a replacement and commit using the functions described in Documentation/credentials.txt (which will be added by a later patch). This patch and the preceding patches have been tested with the LTP SELinux testsuite. This patch makes several logical sets of alteration: (1) execve(). This now prepares and commits credentials in various places in the security code rather than altering the current creds directly. (2) Temporary credential overrides. do_coredump() and sys_faccessat() now prepare their own credentials and temporarily override the ones currently on the acting thread, whilst preventing interference from other threads by holding cred_replace_mutex on the thread being dumped. This will be replaced in a future patch by something that hands down the credentials directly to the functions being called, rather than altering the task's objective credentials. (3) LSM interface. A number of functions have been changed, added or removed: (*) security_capset_check(), ->capset_check() (*) security_capset_set(), ->capset_set() Removed in favour of security_capset(). (*) security_capset(), ->capset() New. This is passed a pointer to the new creds, a pointer to the old creds and the proposed capability sets. It should fill in the new creds or return an error. All pointers, barring the pointer to the new creds, are now const. (*) security_bprm_apply_creds(), ->bprm_apply_creds() Changed; now returns a value, which will cause the process to be killed if it's an error. (*) security_task_alloc(), ->task_alloc_security() Removed in favour of security_prepare_creds(). (*) security_cred_free(), ->cred_free() New. Free security data attached to cred->security. (*) security_prepare_creds(), ->cred_prepare() New. Duplicate any security data attached to cred->security. (*) security_commit_creds(), ->cred_commit() New. Apply any security effects for the upcoming installation of new security by commit_creds(). (*) security_task_post_setuid(), ->task_post_setuid() Removed in favour of security_task_fix_setuid(). (*) security_task_fix_setuid(), ->task_fix_setuid() Fix up the proposed new credentials for setuid(). This is used by cap_set_fix_setuid() to implicitly adjust capabilities in line with setuid() changes. Changes are made to the new credentials, rather than the task itself as in security_task_post_setuid(). (*) security_task_reparent_to_init(), ->task_reparent_to_init() Removed. Instead the task being reparented to init is referred directly to init's credentials. NOTE! This results in the loss of some state: SELinux's osid no longer records the sid of the thread that forked it. (*) security_key_alloc(), ->key_alloc() (*) security_key_permission(), ->key_permission() Changed. These now take cred pointers rather than task pointers to refer to the security context. (4) sys_capset(). This has been simplified and uses less locking. The LSM functions it calls have been merged. (5) reparent_to_kthreadd(). This gives the current thread the same credentials as init by simply using commit_thread() to point that way. (6) __sigqueue_alloc() and switch_uid() __sigqueue_alloc() can't stop the target task from changing its creds beneath it, so this function gets a reference to the currently applicable user_struct which it then passes into the sigqueue struct it returns if successful. switch_uid() is now called from commit_creds(), and possibly should be folded into that. commit_creds() should take care of protecting __sigqueue_alloc(). (7) [sg]et[ug]id() and co and [sg]et_current_groups. The set functions now all use prepare_creds(), commit_creds() and abort_creds() to build and check a new set of credentials before applying it. security_task_set[ug]id() is called inside the prepared section. This guarantees that nothing else will affect the creds until we've finished. The calling of set_dumpable() has been moved into commit_creds(). Much of the functionality of set_user() has been moved into commit_creds(). The get functions all simply access the data directly. (8) security_task_prctl() and cap_task_prctl(). security_task_prctl() has been modified to return -ENOSYS if it doesn't want to handle a function, or otherwise return the return value directly rather than through an argument. Additionally, cap_task_prctl() now prepares a new set of credentials, even if it doesn't end up using it. (9) Keyrings. A number of changes have been made to the keyrings code: (a) switch_uid_keyring(), copy_keys(), exit_keys() and suid_keys() have all been dropped and built in to the credentials functions directly. They may want separating out again later. (b) key_alloc() and search_process_keyrings() now take a cred pointer rather than a task pointer to specify the security context. (c) copy_creds() gives a new thread within the same thread group a new thread keyring if its parent had one, otherwise it discards the thread keyring. (d) The authorisation key now points directly to the credentials to extend the search into rather pointing to the task that carries them. (e) Installing thread, process or session keyrings causes a new set of credentials to be created, even though it's not strictly necessary for process or session keyrings (they're shared). (10) Usermode helper. The usermode helper code now carries a cred struct pointer in its subprocess_info struct instead of a new session keyring pointer. This set of credentials is derived from init_cred and installed on the new process after it has been cloned. call_usermodehelper_setup() allocates the new credentials and call_usermodehelper_freeinfo() discards them if they haven't been used. A special cred function (prepare_usermodeinfo_creds()) is provided specifically for call_usermodehelper_setup() to call. call_usermodehelper_setkeys() adjusts the credentials to sport the supplied keyring as the new session keyring. (11) SELinux. SELinux has a number of changes, in addition to those to support the LSM interface changes mentioned above: (a) selinux_setprocattr() no longer does its check for whether the current ptracer can access processes with the new SID inside the lock that covers getting the ptracer's SID. Whilst this lock ensures that the check is done with the ptracer pinned, the result is only valid until the lock is released, so there's no point doing it inside the lock. (12) is_single_threaded(). This function has been extracted from selinux_setprocattr() and put into a file of its own in the lib/ directory as join_session_keyring() now wants to use it too. The code in SELinux just checked to see whether a task shared mm_structs with other tasks (CLONE_VM), but that isn't good enough. We really want to know if they're part of the same thread group (CLONE_THREAD). (13) nfsd. The NFS server daemon now has to use the COW credentials to set the credentials it is going to use. It really needs to pass the credentials down to the functions it calls, but it can't do that until other patches in this series have been applied. Signed-off-by: David Howells <dhowells@redhat.com> Acked-by: James Morris <jmorris@namei.org> Signed-off-by: James Morris <jmorris@namei.org>
1171 lines
26 KiB
C
1171 lines
26 KiB
C
/*
|
|
* linux/fs/open.c
|
|
*
|
|
* Copyright (C) 1991, 1992 Linus Torvalds
|
|
*/
|
|
|
|
#include <linux/string.h>
|
|
#include <linux/mm.h>
|
|
#include <linux/file.h>
|
|
#include <linux/fdtable.h>
|
|
#include <linux/quotaops.h>
|
|
#include <linux/fsnotify.h>
|
|
#include <linux/module.h>
|
|
#include <linux/slab.h>
|
|
#include <linux/tty.h>
|
|
#include <linux/namei.h>
|
|
#include <linux/backing-dev.h>
|
|
#include <linux/capability.h>
|
|
#include <linux/securebits.h>
|
|
#include <linux/security.h>
|
|
#include <linux/mount.h>
|
|
#include <linux/vfs.h>
|
|
#include <linux/fcntl.h>
|
|
#include <asm/uaccess.h>
|
|
#include <linux/fs.h>
|
|
#include <linux/personality.h>
|
|
#include <linux/pagemap.h>
|
|
#include <linux/syscalls.h>
|
|
#include <linux/rcupdate.h>
|
|
#include <linux/audit.h>
|
|
#include <linux/falloc.h>
|
|
|
|
int vfs_statfs(struct dentry *dentry, struct kstatfs *buf)
|
|
{
|
|
int retval = -ENODEV;
|
|
|
|
if (dentry) {
|
|
retval = -ENOSYS;
|
|
if (dentry->d_sb->s_op->statfs) {
|
|
memset(buf, 0, sizeof(*buf));
|
|
retval = security_sb_statfs(dentry);
|
|
if (retval)
|
|
return retval;
|
|
retval = dentry->d_sb->s_op->statfs(dentry, buf);
|
|
if (retval == 0 && buf->f_frsize == 0)
|
|
buf->f_frsize = buf->f_bsize;
|
|
}
|
|
}
|
|
return retval;
|
|
}
|
|
|
|
EXPORT_SYMBOL(vfs_statfs);
|
|
|
|
static int vfs_statfs_native(struct dentry *dentry, struct statfs *buf)
|
|
{
|
|
struct kstatfs st;
|
|
int retval;
|
|
|
|
retval = vfs_statfs(dentry, &st);
|
|
if (retval)
|
|
return retval;
|
|
|
|
if (sizeof(*buf) == sizeof(st))
|
|
memcpy(buf, &st, sizeof(st));
|
|
else {
|
|
if (sizeof buf->f_blocks == 4) {
|
|
if ((st.f_blocks | st.f_bfree | st.f_bavail |
|
|
st.f_bsize | st.f_frsize) &
|
|
0xffffffff00000000ULL)
|
|
return -EOVERFLOW;
|
|
/*
|
|
* f_files and f_ffree may be -1; it's okay to stuff
|
|
* that into 32 bits
|
|
*/
|
|
if (st.f_files != -1 &&
|
|
(st.f_files & 0xffffffff00000000ULL))
|
|
return -EOVERFLOW;
|
|
if (st.f_ffree != -1 &&
|
|
(st.f_ffree & 0xffffffff00000000ULL))
|
|
return -EOVERFLOW;
|
|
}
|
|
|
|
buf->f_type = st.f_type;
|
|
buf->f_bsize = st.f_bsize;
|
|
buf->f_blocks = st.f_blocks;
|
|
buf->f_bfree = st.f_bfree;
|
|
buf->f_bavail = st.f_bavail;
|
|
buf->f_files = st.f_files;
|
|
buf->f_ffree = st.f_ffree;
|
|
buf->f_fsid = st.f_fsid;
|
|
buf->f_namelen = st.f_namelen;
|
|
buf->f_frsize = st.f_frsize;
|
|
memset(buf->f_spare, 0, sizeof(buf->f_spare));
|
|
}
|
|
return 0;
|
|
}
|
|
|
|
static int vfs_statfs64(struct dentry *dentry, struct statfs64 *buf)
|
|
{
|
|
struct kstatfs st;
|
|
int retval;
|
|
|
|
retval = vfs_statfs(dentry, &st);
|
|
if (retval)
|
|
return retval;
|
|
|
|
if (sizeof(*buf) == sizeof(st))
|
|
memcpy(buf, &st, sizeof(st));
|
|
else {
|
|
buf->f_type = st.f_type;
|
|
buf->f_bsize = st.f_bsize;
|
|
buf->f_blocks = st.f_blocks;
|
|
buf->f_bfree = st.f_bfree;
|
|
buf->f_bavail = st.f_bavail;
|
|
buf->f_files = st.f_files;
|
|
buf->f_ffree = st.f_ffree;
|
|
buf->f_fsid = st.f_fsid;
|
|
buf->f_namelen = st.f_namelen;
|
|
buf->f_frsize = st.f_frsize;
|
|
memset(buf->f_spare, 0, sizeof(buf->f_spare));
|
|
}
|
|
return 0;
|
|
}
|
|
|
|
asmlinkage long sys_statfs(const char __user *pathname, struct statfs __user * buf)
|
|
{
|
|
struct path path;
|
|
int error;
|
|
|
|
error = user_path(pathname, &path);
|
|
if (!error) {
|
|
struct statfs tmp;
|
|
error = vfs_statfs_native(path.dentry, &tmp);
|
|
if (!error && copy_to_user(buf, &tmp, sizeof(tmp)))
|
|
error = -EFAULT;
|
|
path_put(&path);
|
|
}
|
|
return error;
|
|
}
|
|
|
|
|
|
asmlinkage long sys_statfs64(const char __user *pathname, size_t sz, struct statfs64 __user *buf)
|
|
{
|
|
struct path path;
|
|
long error;
|
|
|
|
if (sz != sizeof(*buf))
|
|
return -EINVAL;
|
|
error = user_path(pathname, &path);
|
|
if (!error) {
|
|
struct statfs64 tmp;
|
|
error = vfs_statfs64(path.dentry, &tmp);
|
|
if (!error && copy_to_user(buf, &tmp, sizeof(tmp)))
|
|
error = -EFAULT;
|
|
path_put(&path);
|
|
}
|
|
return error;
|
|
}
|
|
|
|
|
|
asmlinkage long sys_fstatfs(unsigned int fd, struct statfs __user * buf)
|
|
{
|
|
struct file * file;
|
|
struct statfs tmp;
|
|
int error;
|
|
|
|
error = -EBADF;
|
|
file = fget(fd);
|
|
if (!file)
|
|
goto out;
|
|
error = vfs_statfs_native(file->f_path.dentry, &tmp);
|
|
if (!error && copy_to_user(buf, &tmp, sizeof(tmp)))
|
|
error = -EFAULT;
|
|
fput(file);
|
|
out:
|
|
return error;
|
|
}
|
|
|
|
asmlinkage long sys_fstatfs64(unsigned int fd, size_t sz, struct statfs64 __user *buf)
|
|
{
|
|
struct file * file;
|
|
struct statfs64 tmp;
|
|
int error;
|
|
|
|
if (sz != sizeof(*buf))
|
|
return -EINVAL;
|
|
|
|
error = -EBADF;
|
|
file = fget(fd);
|
|
if (!file)
|
|
goto out;
|
|
error = vfs_statfs64(file->f_path.dentry, &tmp);
|
|
if (!error && copy_to_user(buf, &tmp, sizeof(tmp)))
|
|
error = -EFAULT;
|
|
fput(file);
|
|
out:
|
|
return error;
|
|
}
|
|
|
|
int do_truncate(struct dentry *dentry, loff_t length, unsigned int time_attrs,
|
|
struct file *filp)
|
|
{
|
|
int err;
|
|
struct iattr newattrs;
|
|
|
|
/* Not pretty: "inode->i_size" shouldn't really be signed. But it is. */
|
|
if (length < 0)
|
|
return -EINVAL;
|
|
|
|
newattrs.ia_size = length;
|
|
newattrs.ia_valid = ATTR_SIZE | time_attrs;
|
|
if (filp) {
|
|
newattrs.ia_file = filp;
|
|
newattrs.ia_valid |= ATTR_FILE;
|
|
}
|
|
|
|
/* Remove suid/sgid on truncate too */
|
|
newattrs.ia_valid |= should_remove_suid(dentry);
|
|
|
|
mutex_lock(&dentry->d_inode->i_mutex);
|
|
err = notify_change(dentry, &newattrs);
|
|
mutex_unlock(&dentry->d_inode->i_mutex);
|
|
return err;
|
|
}
|
|
|
|
static long do_sys_truncate(const char __user *pathname, loff_t length)
|
|
{
|
|
struct path path;
|
|
struct inode *inode;
|
|
int error;
|
|
|
|
error = -EINVAL;
|
|
if (length < 0) /* sorry, but loff_t says... */
|
|
goto out;
|
|
|
|
error = user_path(pathname, &path);
|
|
if (error)
|
|
goto out;
|
|
inode = path.dentry->d_inode;
|
|
|
|
/* For directories it's -EISDIR, for other non-regulars - -EINVAL */
|
|
error = -EISDIR;
|
|
if (S_ISDIR(inode->i_mode))
|
|
goto dput_and_out;
|
|
|
|
error = -EINVAL;
|
|
if (!S_ISREG(inode->i_mode))
|
|
goto dput_and_out;
|
|
|
|
error = mnt_want_write(path.mnt);
|
|
if (error)
|
|
goto dput_and_out;
|
|
|
|
error = inode_permission(inode, MAY_WRITE);
|
|
if (error)
|
|
goto mnt_drop_write_and_out;
|
|
|
|
error = -EPERM;
|
|
if (IS_APPEND(inode))
|
|
goto mnt_drop_write_and_out;
|
|
|
|
error = get_write_access(inode);
|
|
if (error)
|
|
goto mnt_drop_write_and_out;
|
|
|
|
/*
|
|
* Make sure that there are no leases. get_write_access() protects
|
|
* against the truncate racing with a lease-granting setlease().
|
|
*/
|
|
error = break_lease(inode, FMODE_WRITE);
|
|
if (error)
|
|
goto put_write_and_out;
|
|
|
|
error = locks_verify_truncate(inode, NULL, length);
|
|
if (!error) {
|
|
DQUOT_INIT(inode);
|
|
error = do_truncate(path.dentry, length, 0, NULL);
|
|
}
|
|
|
|
put_write_and_out:
|
|
put_write_access(inode);
|
|
mnt_drop_write_and_out:
|
|
mnt_drop_write(path.mnt);
|
|
dput_and_out:
|
|
path_put(&path);
|
|
out:
|
|
return error;
|
|
}
|
|
|
|
asmlinkage long sys_truncate(const char __user * path, unsigned long length)
|
|
{
|
|
/* on 32-bit boxen it will cut the range 2^31--2^32-1 off */
|
|
return do_sys_truncate(path, (long)length);
|
|
}
|
|
|
|
static long do_sys_ftruncate(unsigned int fd, loff_t length, int small)
|
|
{
|
|
struct inode * inode;
|
|
struct dentry *dentry;
|
|
struct file * file;
|
|
int error;
|
|
|
|
error = -EINVAL;
|
|
if (length < 0)
|
|
goto out;
|
|
error = -EBADF;
|
|
file = fget(fd);
|
|
if (!file)
|
|
goto out;
|
|
|
|
/* explicitly opened as large or we are on 64-bit box */
|
|
if (file->f_flags & O_LARGEFILE)
|
|
small = 0;
|
|
|
|
dentry = file->f_path.dentry;
|
|
inode = dentry->d_inode;
|
|
error = -EINVAL;
|
|
if (!S_ISREG(inode->i_mode) || !(file->f_mode & FMODE_WRITE))
|
|
goto out_putf;
|
|
|
|
error = -EINVAL;
|
|
/* Cannot ftruncate over 2^31 bytes without large file support */
|
|
if (small && length > MAX_NON_LFS)
|
|
goto out_putf;
|
|
|
|
error = -EPERM;
|
|
if (IS_APPEND(inode))
|
|
goto out_putf;
|
|
|
|
error = locks_verify_truncate(inode, file, length);
|
|
if (!error)
|
|
error = do_truncate(dentry, length, ATTR_MTIME|ATTR_CTIME, file);
|
|
out_putf:
|
|
fput(file);
|
|
out:
|
|
return error;
|
|
}
|
|
|
|
asmlinkage long sys_ftruncate(unsigned int fd, unsigned long length)
|
|
{
|
|
long ret = do_sys_ftruncate(fd, length, 1);
|
|
/* avoid REGPARM breakage on x86: */
|
|
asmlinkage_protect(2, ret, fd, length);
|
|
return ret;
|
|
}
|
|
|
|
/* LFS versions of truncate are only needed on 32 bit machines */
|
|
#if BITS_PER_LONG == 32
|
|
asmlinkage long sys_truncate64(const char __user * path, loff_t length)
|
|
{
|
|
return do_sys_truncate(path, length);
|
|
}
|
|
|
|
asmlinkage long sys_ftruncate64(unsigned int fd, loff_t length)
|
|
{
|
|
long ret = do_sys_ftruncate(fd, length, 0);
|
|
/* avoid REGPARM breakage on x86: */
|
|
asmlinkage_protect(2, ret, fd, length);
|
|
return ret;
|
|
}
|
|
#endif
|
|
|
|
asmlinkage long sys_fallocate(int fd, int mode, loff_t offset, loff_t len)
|
|
{
|
|
struct file *file;
|
|
struct inode *inode;
|
|
long ret = -EINVAL;
|
|
|
|
if (offset < 0 || len <= 0)
|
|
goto out;
|
|
|
|
/* Return error if mode is not supported */
|
|
ret = -EOPNOTSUPP;
|
|
if (mode && !(mode & FALLOC_FL_KEEP_SIZE))
|
|
goto out;
|
|
|
|
ret = -EBADF;
|
|
file = fget(fd);
|
|
if (!file)
|
|
goto out;
|
|
if (!(file->f_mode & FMODE_WRITE))
|
|
goto out_fput;
|
|
/*
|
|
* Revalidate the write permissions, in case security policy has
|
|
* changed since the files were opened.
|
|
*/
|
|
ret = security_file_permission(file, MAY_WRITE);
|
|
if (ret)
|
|
goto out_fput;
|
|
|
|
inode = file->f_path.dentry->d_inode;
|
|
|
|
ret = -ESPIPE;
|
|
if (S_ISFIFO(inode->i_mode))
|
|
goto out_fput;
|
|
|
|
ret = -ENODEV;
|
|
/*
|
|
* Let individual file system decide if it supports preallocation
|
|
* for directories or not.
|
|
*/
|
|
if (!S_ISREG(inode->i_mode) && !S_ISDIR(inode->i_mode))
|
|
goto out_fput;
|
|
|
|
ret = -EFBIG;
|
|
/* Check for wrap through zero too */
|
|
if (((offset + len) > inode->i_sb->s_maxbytes) || ((offset + len) < 0))
|
|
goto out_fput;
|
|
|
|
if (inode->i_op && inode->i_op->fallocate)
|
|
ret = inode->i_op->fallocate(inode, mode, offset, len);
|
|
else
|
|
ret = -EOPNOTSUPP;
|
|
|
|
out_fput:
|
|
fput(file);
|
|
out:
|
|
return ret;
|
|
}
|
|
|
|
/*
|
|
* access() needs to use the real uid/gid, not the effective uid/gid.
|
|
* We do this by temporarily clearing all FS-related capabilities and
|
|
* switching the fsuid/fsgid around to the real ones.
|
|
*/
|
|
asmlinkage long sys_faccessat(int dfd, const char __user *filename, int mode)
|
|
{
|
|
const struct cred *old_cred;
|
|
struct cred *override_cred;
|
|
struct path path;
|
|
struct inode *inode;
|
|
int res;
|
|
|
|
if (mode & ~S_IRWXO) /* where's F_OK, X_OK, W_OK, R_OK? */
|
|
return -EINVAL;
|
|
|
|
override_cred = prepare_creds();
|
|
if (!override_cred)
|
|
return -ENOMEM;
|
|
|
|
override_cred->fsuid = override_cred->uid;
|
|
override_cred->fsgid = override_cred->gid;
|
|
|
|
if (!issecure(SECURE_NO_SETUID_FIXUP)) {
|
|
/* Clear the capabilities if we switch to a non-root user */
|
|
if (override_cred->uid)
|
|
cap_clear(override_cred->cap_effective);
|
|
else
|
|
override_cred->cap_effective =
|
|
override_cred->cap_permitted;
|
|
}
|
|
|
|
old_cred = override_creds(override_cred);
|
|
|
|
res = user_path_at(dfd, filename, LOOKUP_FOLLOW, &path);
|
|
if (res)
|
|
goto out;
|
|
|
|
inode = path.dentry->d_inode;
|
|
|
|
if ((mode & MAY_EXEC) && S_ISREG(inode->i_mode)) {
|
|
/*
|
|
* MAY_EXEC on regular files is denied if the fs is mounted
|
|
* with the "noexec" flag.
|
|
*/
|
|
res = -EACCES;
|
|
if (path.mnt->mnt_flags & MNT_NOEXEC)
|
|
goto out_path_release;
|
|
}
|
|
|
|
res = inode_permission(inode, mode | MAY_ACCESS);
|
|
/* SuS v2 requires we report a read only fs too */
|
|
if (res || !(mode & S_IWOTH) || special_file(inode->i_mode))
|
|
goto out_path_release;
|
|
/*
|
|
* This is a rare case where using __mnt_is_readonly()
|
|
* is OK without a mnt_want/drop_write() pair. Since
|
|
* no actual write to the fs is performed here, we do
|
|
* not need to telegraph to that to anyone.
|
|
*
|
|
* By doing this, we accept that this access is
|
|
* inherently racy and know that the fs may change
|
|
* state before we even see this result.
|
|
*/
|
|
if (__mnt_is_readonly(path.mnt))
|
|
res = -EROFS;
|
|
|
|
out_path_release:
|
|
path_put(&path);
|
|
out:
|
|
revert_creds(old_cred);
|
|
put_cred(override_cred);
|
|
return res;
|
|
}
|
|
|
|
asmlinkage long sys_access(const char __user *filename, int mode)
|
|
{
|
|
return sys_faccessat(AT_FDCWD, filename, mode);
|
|
}
|
|
|
|
asmlinkage long sys_chdir(const char __user * filename)
|
|
{
|
|
struct path path;
|
|
int error;
|
|
|
|
error = user_path_dir(filename, &path);
|
|
if (error)
|
|
goto out;
|
|
|
|
error = inode_permission(path.dentry->d_inode, MAY_EXEC | MAY_ACCESS);
|
|
if (error)
|
|
goto dput_and_out;
|
|
|
|
set_fs_pwd(current->fs, &path);
|
|
|
|
dput_and_out:
|
|
path_put(&path);
|
|
out:
|
|
return error;
|
|
}
|
|
|
|
asmlinkage long sys_fchdir(unsigned int fd)
|
|
{
|
|
struct file *file;
|
|
struct inode *inode;
|
|
int error;
|
|
|
|
error = -EBADF;
|
|
file = fget(fd);
|
|
if (!file)
|
|
goto out;
|
|
|
|
inode = file->f_path.dentry->d_inode;
|
|
|
|
error = -ENOTDIR;
|
|
if (!S_ISDIR(inode->i_mode))
|
|
goto out_putf;
|
|
|
|
error = inode_permission(inode, MAY_EXEC | MAY_ACCESS);
|
|
if (!error)
|
|
set_fs_pwd(current->fs, &file->f_path);
|
|
out_putf:
|
|
fput(file);
|
|
out:
|
|
return error;
|
|
}
|
|
|
|
asmlinkage long sys_chroot(const char __user * filename)
|
|
{
|
|
struct path path;
|
|
int error;
|
|
|
|
error = user_path_dir(filename, &path);
|
|
if (error)
|
|
goto out;
|
|
|
|
error = inode_permission(path.dentry->d_inode, MAY_EXEC | MAY_ACCESS);
|
|
if (error)
|
|
goto dput_and_out;
|
|
|
|
error = -EPERM;
|
|
if (!capable(CAP_SYS_CHROOT))
|
|
goto dput_and_out;
|
|
|
|
set_fs_root(current->fs, &path);
|
|
error = 0;
|
|
dput_and_out:
|
|
path_put(&path);
|
|
out:
|
|
return error;
|
|
}
|
|
|
|
asmlinkage long sys_fchmod(unsigned int fd, mode_t mode)
|
|
{
|
|
struct inode * inode;
|
|
struct dentry * dentry;
|
|
struct file * file;
|
|
int err = -EBADF;
|
|
struct iattr newattrs;
|
|
|
|
file = fget(fd);
|
|
if (!file)
|
|
goto out;
|
|
|
|
dentry = file->f_path.dentry;
|
|
inode = dentry->d_inode;
|
|
|
|
audit_inode(NULL, dentry);
|
|
|
|
err = mnt_want_write(file->f_path.mnt);
|
|
if (err)
|
|
goto out_putf;
|
|
mutex_lock(&inode->i_mutex);
|
|
if (mode == (mode_t) -1)
|
|
mode = inode->i_mode;
|
|
newattrs.ia_mode = (mode & S_IALLUGO) | (inode->i_mode & ~S_IALLUGO);
|
|
newattrs.ia_valid = ATTR_MODE | ATTR_CTIME;
|
|
err = notify_change(dentry, &newattrs);
|
|
mutex_unlock(&inode->i_mutex);
|
|
mnt_drop_write(file->f_path.mnt);
|
|
out_putf:
|
|
fput(file);
|
|
out:
|
|
return err;
|
|
}
|
|
|
|
asmlinkage long sys_fchmodat(int dfd, const char __user *filename,
|
|
mode_t mode)
|
|
{
|
|
struct path path;
|
|
struct inode *inode;
|
|
int error;
|
|
struct iattr newattrs;
|
|
|
|
error = user_path_at(dfd, filename, LOOKUP_FOLLOW, &path);
|
|
if (error)
|
|
goto out;
|
|
inode = path.dentry->d_inode;
|
|
|
|
error = mnt_want_write(path.mnt);
|
|
if (error)
|
|
goto dput_and_out;
|
|
mutex_lock(&inode->i_mutex);
|
|
if (mode == (mode_t) -1)
|
|
mode = inode->i_mode;
|
|
newattrs.ia_mode = (mode & S_IALLUGO) | (inode->i_mode & ~S_IALLUGO);
|
|
newattrs.ia_valid = ATTR_MODE | ATTR_CTIME;
|
|
error = notify_change(path.dentry, &newattrs);
|
|
mutex_unlock(&inode->i_mutex);
|
|
mnt_drop_write(path.mnt);
|
|
dput_and_out:
|
|
path_put(&path);
|
|
out:
|
|
return error;
|
|
}
|
|
|
|
asmlinkage long sys_chmod(const char __user *filename, mode_t mode)
|
|
{
|
|
return sys_fchmodat(AT_FDCWD, filename, mode);
|
|
}
|
|
|
|
static int chown_common(struct dentry * dentry, uid_t user, gid_t group)
|
|
{
|
|
struct inode *inode = dentry->d_inode;
|
|
int error;
|
|
struct iattr newattrs;
|
|
|
|
newattrs.ia_valid = ATTR_CTIME;
|
|
if (user != (uid_t) -1) {
|
|
newattrs.ia_valid |= ATTR_UID;
|
|
newattrs.ia_uid = user;
|
|
}
|
|
if (group != (gid_t) -1) {
|
|
newattrs.ia_valid |= ATTR_GID;
|
|
newattrs.ia_gid = group;
|
|
}
|
|
if (!S_ISDIR(inode->i_mode))
|
|
newattrs.ia_valid |=
|
|
ATTR_KILL_SUID | ATTR_KILL_SGID | ATTR_KILL_PRIV;
|
|
mutex_lock(&inode->i_mutex);
|
|
error = notify_change(dentry, &newattrs);
|
|
mutex_unlock(&inode->i_mutex);
|
|
|
|
return error;
|
|
}
|
|
|
|
asmlinkage long sys_chown(const char __user * filename, uid_t user, gid_t group)
|
|
{
|
|
struct path path;
|
|
int error;
|
|
|
|
error = user_path(filename, &path);
|
|
if (error)
|
|
goto out;
|
|
error = mnt_want_write(path.mnt);
|
|
if (error)
|
|
goto out_release;
|
|
error = chown_common(path.dentry, user, group);
|
|
mnt_drop_write(path.mnt);
|
|
out_release:
|
|
path_put(&path);
|
|
out:
|
|
return error;
|
|
}
|
|
|
|
asmlinkage long sys_fchownat(int dfd, const char __user *filename, uid_t user,
|
|
gid_t group, int flag)
|
|
{
|
|
struct path path;
|
|
int error = -EINVAL;
|
|
int follow;
|
|
|
|
if ((flag & ~AT_SYMLINK_NOFOLLOW) != 0)
|
|
goto out;
|
|
|
|
follow = (flag & AT_SYMLINK_NOFOLLOW) ? 0 : LOOKUP_FOLLOW;
|
|
error = user_path_at(dfd, filename, follow, &path);
|
|
if (error)
|
|
goto out;
|
|
error = mnt_want_write(path.mnt);
|
|
if (error)
|
|
goto out_release;
|
|
error = chown_common(path.dentry, user, group);
|
|
mnt_drop_write(path.mnt);
|
|
out_release:
|
|
path_put(&path);
|
|
out:
|
|
return error;
|
|
}
|
|
|
|
asmlinkage long sys_lchown(const char __user * filename, uid_t user, gid_t group)
|
|
{
|
|
struct path path;
|
|
int error;
|
|
|
|
error = user_lpath(filename, &path);
|
|
if (error)
|
|
goto out;
|
|
error = mnt_want_write(path.mnt);
|
|
if (error)
|
|
goto out_release;
|
|
error = chown_common(path.dentry, user, group);
|
|
mnt_drop_write(path.mnt);
|
|
out_release:
|
|
path_put(&path);
|
|
out:
|
|
return error;
|
|
}
|
|
|
|
|
|
asmlinkage long sys_fchown(unsigned int fd, uid_t user, gid_t group)
|
|
{
|
|
struct file * file;
|
|
int error = -EBADF;
|
|
struct dentry * dentry;
|
|
|
|
file = fget(fd);
|
|
if (!file)
|
|
goto out;
|
|
|
|
error = mnt_want_write(file->f_path.mnt);
|
|
if (error)
|
|
goto out_fput;
|
|
dentry = file->f_path.dentry;
|
|
audit_inode(NULL, dentry);
|
|
error = chown_common(dentry, user, group);
|
|
mnt_drop_write(file->f_path.mnt);
|
|
out_fput:
|
|
fput(file);
|
|
out:
|
|
return error;
|
|
}
|
|
|
|
/*
|
|
* You have to be very careful that these write
|
|
* counts get cleaned up in error cases and
|
|
* upon __fput(). This should probably never
|
|
* be called outside of __dentry_open().
|
|
*/
|
|
static inline int __get_file_write_access(struct inode *inode,
|
|
struct vfsmount *mnt)
|
|
{
|
|
int error;
|
|
error = get_write_access(inode);
|
|
if (error)
|
|
return error;
|
|
/*
|
|
* Do not take mount writer counts on
|
|
* special files since no writes to
|
|
* the mount itself will occur.
|
|
*/
|
|
if (!special_file(inode->i_mode)) {
|
|
/*
|
|
* Balanced in __fput()
|
|
*/
|
|
error = mnt_want_write(mnt);
|
|
if (error)
|
|
put_write_access(inode);
|
|
}
|
|
return error;
|
|
}
|
|
|
|
static struct file *__dentry_open(struct dentry *dentry, struct vfsmount *mnt,
|
|
int flags, struct file *f,
|
|
int (*open)(struct inode *, struct file *),
|
|
const struct cred *cred)
|
|
{
|
|
struct inode *inode;
|
|
int error;
|
|
|
|
f->f_flags = flags;
|
|
f->f_mode = (__force fmode_t)((flags+1) & O_ACCMODE) | FMODE_LSEEK |
|
|
FMODE_PREAD | FMODE_PWRITE;
|
|
inode = dentry->d_inode;
|
|
if (f->f_mode & FMODE_WRITE) {
|
|
error = __get_file_write_access(inode, mnt);
|
|
if (error)
|
|
goto cleanup_file;
|
|
if (!special_file(inode->i_mode))
|
|
file_take_write(f);
|
|
}
|
|
|
|
f->f_mapping = inode->i_mapping;
|
|
f->f_path.dentry = dentry;
|
|
f->f_path.mnt = mnt;
|
|
f->f_pos = 0;
|
|
f->f_op = fops_get(inode->i_fop);
|
|
file_move(f, &inode->i_sb->s_files);
|
|
|
|
error = security_dentry_open(f, cred);
|
|
if (error)
|
|
goto cleanup_all;
|
|
|
|
if (!open && f->f_op)
|
|
open = f->f_op->open;
|
|
if (open) {
|
|
error = open(inode, f);
|
|
if (error)
|
|
goto cleanup_all;
|
|
}
|
|
|
|
f->f_flags &= ~(O_CREAT | O_EXCL | O_NOCTTY | O_TRUNC);
|
|
|
|
file_ra_state_init(&f->f_ra, f->f_mapping->host->i_mapping);
|
|
|
|
/* NB: we're sure to have correct a_ops only after f_op->open */
|
|
if (f->f_flags & O_DIRECT) {
|
|
if (!f->f_mapping->a_ops ||
|
|
((!f->f_mapping->a_ops->direct_IO) &&
|
|
(!f->f_mapping->a_ops->get_xip_mem))) {
|
|
fput(f);
|
|
f = ERR_PTR(-EINVAL);
|
|
}
|
|
}
|
|
|
|
return f;
|
|
|
|
cleanup_all:
|
|
fops_put(f->f_op);
|
|
if (f->f_mode & FMODE_WRITE) {
|
|
put_write_access(inode);
|
|
if (!special_file(inode->i_mode)) {
|
|
/*
|
|
* We don't consider this a real
|
|
* mnt_want/drop_write() pair
|
|
* because it all happenend right
|
|
* here, so just reset the state.
|
|
*/
|
|
file_reset_write(f);
|
|
mnt_drop_write(mnt);
|
|
}
|
|
}
|
|
file_kill(f);
|
|
f->f_path.dentry = NULL;
|
|
f->f_path.mnt = NULL;
|
|
cleanup_file:
|
|
put_filp(f);
|
|
dput(dentry);
|
|
mntput(mnt);
|
|
return ERR_PTR(error);
|
|
}
|
|
|
|
/**
|
|
* lookup_instantiate_filp - instantiates the open intent filp
|
|
* @nd: pointer to nameidata
|
|
* @dentry: pointer to dentry
|
|
* @open: open callback
|
|
*
|
|
* Helper for filesystems that want to use lookup open intents and pass back
|
|
* a fully instantiated struct file to the caller.
|
|
* This function is meant to be called from within a filesystem's
|
|
* lookup method.
|
|
* Beware of calling it for non-regular files! Those ->open methods might block
|
|
* (e.g. in fifo_open), leaving you with parent locked (and in case of fifo,
|
|
* leading to a deadlock, as nobody can open that fifo anymore, because
|
|
* another process to open fifo will block on locked parent when doing lookup).
|
|
* Note that in case of error, nd->intent.open.file is destroyed, but the
|
|
* path information remains valid.
|
|
* If the open callback is set to NULL, then the standard f_op->open()
|
|
* filesystem callback is substituted.
|
|
*/
|
|
struct file *lookup_instantiate_filp(struct nameidata *nd, struct dentry *dentry,
|
|
int (*open)(struct inode *, struct file *))
|
|
{
|
|
const struct cred *cred = current_cred();
|
|
|
|
if (IS_ERR(nd->intent.open.file))
|
|
goto out;
|
|
if (IS_ERR(dentry))
|
|
goto out_err;
|
|
nd->intent.open.file = __dentry_open(dget(dentry), mntget(nd->path.mnt),
|
|
nd->intent.open.flags - 1,
|
|
nd->intent.open.file,
|
|
open, cred);
|
|
out:
|
|
return nd->intent.open.file;
|
|
out_err:
|
|
release_open_intent(nd);
|
|
nd->intent.open.file = (struct file *)dentry;
|
|
goto out;
|
|
}
|
|
EXPORT_SYMBOL_GPL(lookup_instantiate_filp);
|
|
|
|
/**
|
|
* nameidata_to_filp - convert a nameidata to an open filp.
|
|
* @nd: pointer to nameidata
|
|
* @flags: open flags
|
|
*
|
|
* Note that this function destroys the original nameidata
|
|
*/
|
|
struct file *nameidata_to_filp(struct nameidata *nd, int flags)
|
|
{
|
|
const struct cred *cred = current_cred();
|
|
struct file *filp;
|
|
|
|
/* Pick up the filp from the open intent */
|
|
filp = nd->intent.open.file;
|
|
/* Has the filesystem initialised the file for us? */
|
|
if (filp->f_path.dentry == NULL)
|
|
filp = __dentry_open(nd->path.dentry, nd->path.mnt, flags, filp,
|
|
NULL, cred);
|
|
else
|
|
path_put(&nd->path);
|
|
return filp;
|
|
}
|
|
|
|
/*
|
|
* dentry_open() will have done dput(dentry) and mntput(mnt) if it returns an
|
|
* error.
|
|
*/
|
|
struct file *dentry_open(struct dentry *dentry, struct vfsmount *mnt, int flags,
|
|
const struct cred *cred)
|
|
{
|
|
int error;
|
|
struct file *f;
|
|
|
|
/*
|
|
* We must always pass in a valid mount pointer. Historically
|
|
* callers got away with not passing it, but we must enforce this at
|
|
* the earliest possible point now to avoid strange problems deep in the
|
|
* filesystem stack.
|
|
*/
|
|
if (!mnt) {
|
|
printk(KERN_WARNING "%s called with NULL vfsmount\n", __func__);
|
|
dump_stack();
|
|
return ERR_PTR(-EINVAL);
|
|
}
|
|
|
|
error = -ENFILE;
|
|
f = get_empty_filp();
|
|
if (f == NULL) {
|
|
dput(dentry);
|
|
mntput(mnt);
|
|
return ERR_PTR(error);
|
|
}
|
|
|
|
return __dentry_open(dentry, mnt, flags, f, NULL, cred);
|
|
}
|
|
EXPORT_SYMBOL(dentry_open);
|
|
|
|
static void __put_unused_fd(struct files_struct *files, unsigned int fd)
|
|
{
|
|
struct fdtable *fdt = files_fdtable(files);
|
|
__FD_CLR(fd, fdt->open_fds);
|
|
if (fd < files->next_fd)
|
|
files->next_fd = fd;
|
|
}
|
|
|
|
void put_unused_fd(unsigned int fd)
|
|
{
|
|
struct files_struct *files = current->files;
|
|
spin_lock(&files->file_lock);
|
|
__put_unused_fd(files, fd);
|
|
spin_unlock(&files->file_lock);
|
|
}
|
|
|
|
EXPORT_SYMBOL(put_unused_fd);
|
|
|
|
/*
|
|
* Install a file pointer in the fd array.
|
|
*
|
|
* The VFS is full of places where we drop the files lock between
|
|
* setting the open_fds bitmap and installing the file in the file
|
|
* array. At any such point, we are vulnerable to a dup2() race
|
|
* installing a file in the array before us. We need to detect this and
|
|
* fput() the struct file we are about to overwrite in this case.
|
|
*
|
|
* It should never happen - if we allow dup2() do it, _really_ bad things
|
|
* will follow.
|
|
*/
|
|
|
|
void fd_install(unsigned int fd, struct file *file)
|
|
{
|
|
struct files_struct *files = current->files;
|
|
struct fdtable *fdt;
|
|
spin_lock(&files->file_lock);
|
|
fdt = files_fdtable(files);
|
|
BUG_ON(fdt->fd[fd] != NULL);
|
|
rcu_assign_pointer(fdt->fd[fd], file);
|
|
spin_unlock(&files->file_lock);
|
|
}
|
|
|
|
EXPORT_SYMBOL(fd_install);
|
|
|
|
long do_sys_open(int dfd, const char __user *filename, int flags, int mode)
|
|
{
|
|
char *tmp = getname(filename);
|
|
int fd = PTR_ERR(tmp);
|
|
|
|
if (!IS_ERR(tmp)) {
|
|
fd = get_unused_fd_flags(flags);
|
|
if (fd >= 0) {
|
|
struct file *f = do_filp_open(dfd, tmp, flags, mode);
|
|
if (IS_ERR(f)) {
|
|
put_unused_fd(fd);
|
|
fd = PTR_ERR(f);
|
|
} else {
|
|
fsnotify_open(f->f_path.dentry);
|
|
fd_install(fd, f);
|
|
}
|
|
}
|
|
putname(tmp);
|
|
}
|
|
return fd;
|
|
}
|
|
|
|
asmlinkage long sys_open(const char __user *filename, int flags, int mode)
|
|
{
|
|
long ret;
|
|
|
|
if (force_o_largefile())
|
|
flags |= O_LARGEFILE;
|
|
|
|
ret = do_sys_open(AT_FDCWD, filename, flags, mode);
|
|
/* avoid REGPARM breakage on x86: */
|
|
asmlinkage_protect(3, ret, filename, flags, mode);
|
|
return ret;
|
|
}
|
|
|
|
asmlinkage long sys_openat(int dfd, const char __user *filename, int flags,
|
|
int mode)
|
|
{
|
|
long ret;
|
|
|
|
if (force_o_largefile())
|
|
flags |= O_LARGEFILE;
|
|
|
|
ret = do_sys_open(dfd, filename, flags, mode);
|
|
/* avoid REGPARM breakage on x86: */
|
|
asmlinkage_protect(4, ret, dfd, filename, flags, mode);
|
|
return ret;
|
|
}
|
|
|
|
#ifndef __alpha__
|
|
|
|
/*
|
|
* For backward compatibility? Maybe this should be moved
|
|
* into arch/i386 instead?
|
|
*/
|
|
asmlinkage long sys_creat(const char __user * pathname, int mode)
|
|
{
|
|
return sys_open(pathname, O_CREAT | O_WRONLY | O_TRUNC, mode);
|
|
}
|
|
|
|
#endif
|
|
|
|
/*
|
|
* "id" is the POSIX thread ID. We use the
|
|
* files pointer for this..
|
|
*/
|
|
int filp_close(struct file *filp, fl_owner_t id)
|
|
{
|
|
int retval = 0;
|
|
|
|
if (!file_count(filp)) {
|
|
printk(KERN_ERR "VFS: Close: file count is 0\n");
|
|
return 0;
|
|
}
|
|
|
|
if (filp->f_op && filp->f_op->flush)
|
|
retval = filp->f_op->flush(filp, id);
|
|
|
|
dnotify_flush(filp, id);
|
|
locks_remove_posix(filp, id);
|
|
fput(filp);
|
|
return retval;
|
|
}
|
|
|
|
EXPORT_SYMBOL(filp_close);
|
|
|
|
/*
|
|
* Careful here! We test whether the file pointer is NULL before
|
|
* releasing the fd. This ensures that one clone task can't release
|
|
* an fd while another clone is opening it.
|
|
*/
|
|
asmlinkage long sys_close(unsigned int fd)
|
|
{
|
|
struct file * filp;
|
|
struct files_struct *files = current->files;
|
|
struct fdtable *fdt;
|
|
int retval;
|
|
|
|
spin_lock(&files->file_lock);
|
|
fdt = files_fdtable(files);
|
|
if (fd >= fdt->max_fds)
|
|
goto out_unlock;
|
|
filp = fdt->fd[fd];
|
|
if (!filp)
|
|
goto out_unlock;
|
|
rcu_assign_pointer(fdt->fd[fd], NULL);
|
|
FD_CLR(fd, fdt->close_on_exec);
|
|
__put_unused_fd(files, fd);
|
|
spin_unlock(&files->file_lock);
|
|
retval = filp_close(filp, files);
|
|
|
|
/* can't restart close syscall because file table entry was cleared */
|
|
if (unlikely(retval == -ERESTARTSYS ||
|
|
retval == -ERESTARTNOINTR ||
|
|
retval == -ERESTARTNOHAND ||
|
|
retval == -ERESTART_RESTARTBLOCK))
|
|
retval = -EINTR;
|
|
|
|
return retval;
|
|
|
|
out_unlock:
|
|
spin_unlock(&files->file_lock);
|
|
return -EBADF;
|
|
}
|
|
|
|
EXPORT_SYMBOL(sys_close);
|
|
|
|
/*
|
|
* This routine simulates a hangup on the tty, to arrange that users
|
|
* are given clean terminals at login time.
|
|
*/
|
|
asmlinkage long sys_vhangup(void)
|
|
{
|
|
if (capable(CAP_SYS_TTY_CONFIG)) {
|
|
tty_vhangup_self();
|
|
return 0;
|
|
}
|
|
return -EPERM;
|
|
}
|
|
|
|
/*
|
|
* Called when an inode is about to be open.
|
|
* We use this to disallow opening large files on 32bit systems if
|
|
* the caller didn't specify O_LARGEFILE. On 64bit systems we force
|
|
* on this flag in sys_open.
|
|
*/
|
|
int generic_file_open(struct inode * inode, struct file * filp)
|
|
{
|
|
if (!(filp->f_flags & O_LARGEFILE) && i_size_read(inode) > MAX_NON_LFS)
|
|
return -EOVERFLOW;
|
|
return 0;
|
|
}
|
|
|
|
EXPORT_SYMBOL(generic_file_open);
|
|
|
|
/*
|
|
* This is used by subsystems that don't want seekable
|
|
* file descriptors
|
|
*/
|
|
int nonseekable_open(struct inode *inode, struct file *filp)
|
|
{
|
|
filp->f_mode &= ~(FMODE_LSEEK | FMODE_PREAD | FMODE_PWRITE);
|
|
return 0;
|
|
}
|
|
|
|
EXPORT_SYMBOL(nonseekable_open);
|