forked from Minki/linux
7d6beb71da
-----BEGIN PGP SIGNATURE-----
iHUEABYKAB0WIQRAhzRXHqcMeLMyaSiRxhvAZXjcogUCYCegywAKCRCRxhvAZXjc
ouJ6AQDlf+7jCQlQdeKKoN9QDFfMzG1ooemat36EpRRTONaGuAD8D9A4sUsG4+5f
4IU5Lj9oY4DEmF8HenbWK2ZHsesL2Qg=
=yPaw
-----END PGP SIGNATURE-----
Merge tag 'idmapped-mounts-v5.12' of git://git.kernel.org/pub/scm/linux/kernel/git/brauner/linux
Pull idmapped mounts from Christian Brauner:
"This introduces idmapped mounts which has been in the making for some
time. Simply put, different mounts can expose the same file or
directory with different ownership. This initial implementation comes
with ports for fat, ext4 and with Christoph's port for xfs with more
filesystems being actively worked on by independent people and
maintainers.
Idmapping mounts handle a wide range of long standing use-cases. Here
are just a few:
- Idmapped mounts make it possible to easily share files between
multiple users or multiple machines especially in complex
scenarios. For example, idmapped mounts will be used in the
implementation of portable home directories in
systemd-homed.service(8) where they allow users to move their home
directory to an external storage device and use it on multiple
computers where they are assigned different uids and gids. This
effectively makes it possible to assign random uids and gids at
login time.
- It is possible to share files from the host with unprivileged
containers without having to change ownership permanently through
chown(2).
- It is possible to idmap a container's rootfs and without having to
mangle every file. For example, Chromebooks use it to share the
user's Download folder with their unprivileged containers in their
Linux subsystem.
- It is possible to share files between containers with
non-overlapping idmappings.
- Filesystem that lack a proper concept of ownership such as fat can
use idmapped mounts to implement discretionary access (DAC)
permission checking.
- They allow users to efficiently changing ownership on a per-mount
basis without having to (recursively) chown(2) all files. In
contrast to chown (2) changing ownership of large sets of files is
instantenous with idmapped mounts. This is especially useful when
ownership of a whole root filesystem of a virtual machine or
container is changed. With idmapped mounts a single syscall
mount_setattr syscall will be sufficient to change the ownership of
all files.
- Idmapped mounts always take the current ownership into account as
idmappings specify what a given uid or gid is supposed to be mapped
to. This contrasts with the chown(2) syscall which cannot by itself
take the current ownership of the files it changes into account. It
simply changes the ownership to the specified uid and gid. This is
especially problematic when recursively chown(2)ing a large set of
files which is commong with the aforementioned portable home
directory and container and vm scenario.
- Idmapped mounts allow to change ownership locally, restricting it
to specific mounts, and temporarily as the ownership changes only
apply as long as the mount exists.
Several userspace projects have either already put up patches and
pull-requests for this feature or will do so should you decide to pull
this:
- systemd: In a wide variety of scenarios but especially right away
in their implementation of portable home directories.
https://systemd.io/HOME_DIRECTORY/
- container runtimes: containerd, runC, LXD:To share data between
host and unprivileged containers, unprivileged and privileged
containers, etc. The pull request for idmapped mounts support in
containerd, the default Kubernetes runtime is already up for quite
a while now: https://github.com/containerd/containerd/pull/4734
- The virtio-fs developers and several users have expressed interest
in using this feature with virtual machines once virtio-fs is
ported.
- ChromeOS: Sharing host-directories with unprivileged containers.
I've tightly synced with all those projects and all of those listed
here have also expressed their need/desire for this feature on the
mailing list. For more info on how people use this there's a bunch of
talks about this too. Here's just two recent ones:
https://www.cncf.io/wp-content/uploads/2020/12/Rootless-Containers-in-Gitpod.pdf
https://fosdem.org/2021/schedule/event/containers_idmap/
This comes with an extensive xfstests suite covering both ext4 and
xfs:
https://git.kernel.org/brauner/xfstests-dev/h/idmapped_mounts
It covers truncation, creation, opening, xattrs, vfscaps, setid
execution, setgid inheritance and more both with idmapped and
non-idmapped mounts. It already helped to discover an unrelated xfs
setgid inheritance bug which has since been fixed in mainline. It will
be sent for inclusion with the xfstests project should you decide to
merge this.
In order to support per-mount idmappings vfsmounts are marked with
user namespaces. The idmapping of the user namespace will be used to
map the ids of vfs objects when they are accessed through that mount.
By default all vfsmounts are marked with the initial user namespace.
The initial user namespace is used to indicate that a mount is not
idmapped. All operations behave as before and this is verified in the
testsuite.
Based on prior discussions we want to attach the whole user namespace
and not just a dedicated idmapping struct. This allows us to reuse all
the helpers that already exist for dealing with idmappings instead of
introducing a whole new range of helpers. In addition, if we decide in
the future that we are confident enough to enable unprivileged users
to setup idmapped mounts the permission checking can take into account
whether the caller is privileged in the user namespace the mount is
currently marked with.
The user namespace the mount will be marked with can be specified by
passing a file descriptor refering to the user namespace as an
argument to the new mount_setattr() syscall together with the new
MOUNT_ATTR_IDMAP flag. The system call follows the openat2() pattern
of extensibility.
The following conditions must be met in order to create an idmapped
mount:
- The caller must currently have the CAP_SYS_ADMIN capability in the
user namespace the underlying filesystem has been mounted in.
- The underlying filesystem must support idmapped mounts.
- The mount must not already be idmapped. This also implies that the
idmapping of a mount cannot be altered once it has been idmapped.
- The mount must be a detached/anonymous mount, i.e. it must have
been created by calling open_tree() with the OPEN_TREE_CLONE flag
and it must not already have been visible in the filesystem.
The last two points guarantee easier semantics for userspace and the
kernel and make the implementation significantly simpler.
By default vfsmounts are marked with the initial user namespace and no
behavioral or performance changes are observed.
The manpage with a detailed description can be found here:
1d7b902e28
In order to support idmapped mounts, filesystems need to be changed
and mark themselves with the FS_ALLOW_IDMAP flag in fs_flags. The
patches to convert individual filesystem are not very large or
complicated overall as can be seen from the included fat, ext4, and
xfs ports. Patches for other filesystems are actively worked on and
will be sent out separately. The xfstestsuite can be used to verify
that port has been done correctly.
The mount_setattr() syscall is motivated independent of the idmapped
mounts patches and it's been around since July 2019. One of the most
valuable features of the new mount api is the ability to perform
mounts based on file descriptors only.
Together with the lookup restrictions available in the openat2()
RESOLVE_* flag namespace which we added in v5.6 this is the first time
we are close to hardened and race-free (e.g. symlinks) mounting and
path resolution.
While userspace has started porting to the new mount api to mount
proper filesystems and create new bind-mounts it is currently not
possible to change mount options of an already existing bind mount in
the new mount api since the mount_setattr() syscall is missing.
With the addition of the mount_setattr() syscall we remove this last
restriction and userspace can now fully port to the new mount api,
covering every use-case the old mount api could. We also add the
crucial ability to recursively change mount options for a whole mount
tree, both removing and adding mount options at the same time. This
syscall has been requested multiple times by various people and
projects.
There is a simple tool available at
https://github.com/brauner/mount-idmapped
that allows to create idmapped mounts so people can play with this
patch series. I'll add support for the regular mount binary should you
decide to pull this in the following weeks:
Here's an example to a simple idmapped mount of another user's home
directory:
u1001@f2-vm:/$ sudo ./mount --idmap both:1000:1001:1 /home/ubuntu/ /mnt
u1001@f2-vm:/$ ls -al /home/ubuntu/
total 28
drwxr-xr-x 2 ubuntu ubuntu 4096 Oct 28 22:07 .
drwxr-xr-x 4 root root 4096 Oct 28 04:00 ..
-rw------- 1 ubuntu ubuntu 3154 Oct 28 22:12 .bash_history
-rw-r--r-- 1 ubuntu ubuntu 220 Feb 25 2020 .bash_logout
-rw-r--r-- 1 ubuntu ubuntu 3771 Feb 25 2020 .bashrc
-rw-r--r-- 1 ubuntu ubuntu 807 Feb 25 2020 .profile
-rw-r--r-- 1 ubuntu ubuntu 0 Oct 16 16:11 .sudo_as_admin_successful
-rw------- 1 ubuntu ubuntu 1144 Oct 28 00:43 .viminfo
u1001@f2-vm:/$ ls -al /mnt/
total 28
drwxr-xr-x 2 u1001 u1001 4096 Oct 28 22:07 .
drwxr-xr-x 29 root root 4096 Oct 28 22:01 ..
-rw------- 1 u1001 u1001 3154 Oct 28 22:12 .bash_history
-rw-r--r-- 1 u1001 u1001 220 Feb 25 2020 .bash_logout
-rw-r--r-- 1 u1001 u1001 3771 Feb 25 2020 .bashrc
-rw-r--r-- 1 u1001 u1001 807 Feb 25 2020 .profile
-rw-r--r-- 1 u1001 u1001 0 Oct 16 16:11 .sudo_as_admin_successful
-rw------- 1 u1001 u1001 1144 Oct 28 00:43 .viminfo
u1001@f2-vm:/$ touch /mnt/my-file
u1001@f2-vm:/$ setfacl -m u:1001:rwx /mnt/my-file
u1001@f2-vm:/$ sudo setcap -n 1001 cap_net_raw+ep /mnt/my-file
u1001@f2-vm:/$ ls -al /mnt/my-file
-rw-rwxr--+ 1 u1001 u1001 0 Oct 28 22:14 /mnt/my-file
u1001@f2-vm:/$ ls -al /home/ubuntu/my-file
-rw-rwxr--+ 1 ubuntu ubuntu 0 Oct 28 22:14 /home/ubuntu/my-file
u1001@f2-vm:/$ getfacl /mnt/my-file
getfacl: Removing leading '/' from absolute path names
# file: mnt/my-file
# owner: u1001
# group: u1001
user::rw-
user:u1001:rwx
group::rw-
mask::rwx
other::r--
u1001@f2-vm:/$ getfacl /home/ubuntu/my-file
getfacl: Removing leading '/' from absolute path names
# file: home/ubuntu/my-file
# owner: ubuntu
# group: ubuntu
user::rw-
user:ubuntu:rwx
group::rw-
mask::rwx
other::r--"
* tag 'idmapped-mounts-v5.12' of git://git.kernel.org/pub/scm/linux/kernel/git/brauner/linux: (41 commits)
xfs: remove the possibly unused mp variable in xfs_file_compat_ioctl
xfs: support idmapped mounts
ext4: support idmapped mounts
fat: handle idmapped mounts
tests: add mount_setattr() selftests
fs: introduce MOUNT_ATTR_IDMAP
fs: add mount_setattr()
fs: add attr_flags_to_mnt_flags helper
fs: split out functions to hold writers
namespace: only take read lock in do_reconfigure_mnt()
mount: make {lock,unlock}_mount_hash() static
namespace: take lock_mount_hash() directly when changing flags
nfs: do not export idmapped mounts
overlayfs: do not mount on top of idmapped mounts
ecryptfs: do not mount on top of idmapped mounts
ima: handle idmapped mounts
apparmor: handle idmapped mounts
fs: make helpers idmap mount aware
exec: handle idmapped mounts
would_dump: handle idmapped mounts
...
728 lines
19 KiB
C
728 lines
19 KiB
C
// SPDX-License-Identifier: GPL-2.0-only
|
|
/*
|
|
* This file is part of UBIFS.
|
|
*
|
|
* Copyright (C) 2006-2008 Nokia Corporation.
|
|
*
|
|
* Authors: Artem Bityutskiy (Битюцкий Артём)
|
|
* Adrian Hunter
|
|
*/
|
|
|
|
/*
|
|
* This file implements UBIFS extended attributes support.
|
|
*
|
|
* Extended attributes are implemented as regular inodes with attached data,
|
|
* which limits extended attribute size to UBIFS block size (4KiB). Names of
|
|
* extended attributes are described by extended attribute entries (xentries),
|
|
* which are almost identical to directory entries, but have different key type.
|
|
*
|
|
* In other words, the situation with extended attributes is very similar to
|
|
* directories. Indeed, any inode (but of course not xattr inodes) may have a
|
|
* number of associated xentries, just like directory inodes have associated
|
|
* directory entries. Extended attribute entries store the name of the extended
|
|
* attribute, the host inode number, and the extended attribute inode number.
|
|
* Similarly, direntries store the name, the parent and the target inode
|
|
* numbers. Thus, most of the common UBIFS mechanisms may be re-used for
|
|
* extended attributes.
|
|
*
|
|
* The number of extended attributes is not limited, but there is Linux
|
|
* limitation on the maximum possible size of the list of all extended
|
|
* attributes associated with an inode (%XATTR_LIST_MAX), so UBIFS makes sure
|
|
* the sum of all extended attribute names of the inode does not exceed that
|
|
* limit.
|
|
*
|
|
* Extended attributes are synchronous, which means they are written to the
|
|
* flash media synchronously and there is no write-back for extended attribute
|
|
* inodes. The extended attribute values are not stored in compressed form on
|
|
* the media.
|
|
*
|
|
* Since extended attributes are represented by regular inodes, they are cached
|
|
* in the VFS inode cache. The xentries are cached in the LNC cache (see
|
|
* tnc.c).
|
|
*
|
|
* ACL support is not implemented.
|
|
*/
|
|
|
|
#include "ubifs.h"
|
|
#include <linux/fs.h>
|
|
#include <linux/slab.h>
|
|
#include <linux/xattr.h>
|
|
|
|
/*
|
|
* Extended attribute type constants.
|
|
*
|
|
* USER_XATTR: user extended attribute ("user.*")
|
|
* TRUSTED_XATTR: trusted extended attribute ("trusted.*)
|
|
* SECURITY_XATTR: security extended attribute ("security.*")
|
|
*/
|
|
enum {
|
|
USER_XATTR,
|
|
TRUSTED_XATTR,
|
|
SECURITY_XATTR,
|
|
};
|
|
|
|
static const struct inode_operations empty_iops;
|
|
static const struct file_operations empty_fops;
|
|
|
|
/**
|
|
* create_xattr - create an extended attribute.
|
|
* @c: UBIFS file-system description object
|
|
* @host: host inode
|
|
* @nm: extended attribute name
|
|
* @value: extended attribute value
|
|
* @size: size of extended attribute value
|
|
*
|
|
* This is a helper function which creates an extended attribute of name @nm
|
|
* and value @value for inode @host. The host inode is also updated on flash
|
|
* because the ctime and extended attribute accounting data changes. This
|
|
* function returns zero in case of success and a negative error code in case
|
|
* of failure.
|
|
*/
|
|
static int create_xattr(struct ubifs_info *c, struct inode *host,
|
|
const struct fscrypt_name *nm, const void *value, int size)
|
|
{
|
|
int err, names_len;
|
|
struct inode *inode;
|
|
struct ubifs_inode *ui, *host_ui = ubifs_inode(host);
|
|
struct ubifs_budget_req req = { .new_ino = 1, .new_dent = 1,
|
|
.new_ino_d = ALIGN(size, 8), .dirtied_ino = 1,
|
|
.dirtied_ino_d = ALIGN(host_ui->data_len, 8) };
|
|
|
|
if (host_ui->xattr_cnt >= ubifs_xattr_max_cnt(c)) {
|
|
ubifs_err(c, "inode %lu already has too many xattrs (%d), cannot create more",
|
|
host->i_ino, host_ui->xattr_cnt);
|
|
return -ENOSPC;
|
|
}
|
|
/*
|
|
* Linux limits the maximum size of the extended attribute names list
|
|
* to %XATTR_LIST_MAX. This means we should not allow creating more
|
|
* extended attributes if the name list becomes larger. This limitation
|
|
* is artificial for UBIFS, though.
|
|
*/
|
|
names_len = host_ui->xattr_names + host_ui->xattr_cnt + fname_len(nm) + 1;
|
|
if (names_len > XATTR_LIST_MAX) {
|
|
ubifs_err(c, "cannot add one more xattr name to inode %lu, total names length would become %d, max. is %d",
|
|
host->i_ino, names_len, XATTR_LIST_MAX);
|
|
return -ENOSPC;
|
|
}
|
|
|
|
err = ubifs_budget_space(c, &req);
|
|
if (err)
|
|
return err;
|
|
|
|
inode = ubifs_new_inode(c, host, S_IFREG | S_IRWXUGO);
|
|
if (IS_ERR(inode)) {
|
|
err = PTR_ERR(inode);
|
|
goto out_budg;
|
|
}
|
|
|
|
/* Re-define all operations to be "nothing" */
|
|
inode->i_mapping->a_ops = &empty_aops;
|
|
inode->i_op = &empty_iops;
|
|
inode->i_fop = &empty_fops;
|
|
|
|
inode->i_flags |= S_SYNC | S_NOATIME | S_NOCMTIME;
|
|
ui = ubifs_inode(inode);
|
|
ui->xattr = 1;
|
|
ui->flags |= UBIFS_XATTR_FL;
|
|
ui->data = kmemdup(value, size, GFP_NOFS);
|
|
if (!ui->data) {
|
|
err = -ENOMEM;
|
|
goto out_free;
|
|
}
|
|
inode->i_size = ui->ui_size = size;
|
|
ui->data_len = size;
|
|
|
|
mutex_lock(&host_ui->ui_mutex);
|
|
host->i_ctime = current_time(host);
|
|
host_ui->xattr_cnt += 1;
|
|
host_ui->xattr_size += CALC_DENT_SIZE(fname_len(nm));
|
|
host_ui->xattr_size += CALC_XATTR_BYTES(size);
|
|
host_ui->xattr_names += fname_len(nm);
|
|
|
|
/*
|
|
* We handle UBIFS_XATTR_NAME_ENCRYPTION_CONTEXT here because we
|
|
* have to set the UBIFS_CRYPT_FL flag on the host inode.
|
|
* To avoid multiple updates of the same inode in the same operation,
|
|
* let's do it here.
|
|
*/
|
|
if (strcmp(fname_name(nm), UBIFS_XATTR_NAME_ENCRYPTION_CONTEXT) == 0)
|
|
host_ui->flags |= UBIFS_CRYPT_FL;
|
|
|
|
err = ubifs_jnl_update(c, host, nm, inode, 0, 1);
|
|
if (err)
|
|
goto out_cancel;
|
|
ubifs_set_inode_flags(host);
|
|
mutex_unlock(&host_ui->ui_mutex);
|
|
|
|
ubifs_release_budget(c, &req);
|
|
insert_inode_hash(inode);
|
|
iput(inode);
|
|
return 0;
|
|
|
|
out_cancel:
|
|
host_ui->xattr_cnt -= 1;
|
|
host_ui->xattr_size -= CALC_DENT_SIZE(fname_len(nm));
|
|
host_ui->xattr_size -= CALC_XATTR_BYTES(size);
|
|
host_ui->xattr_names -= fname_len(nm);
|
|
host_ui->flags &= ~UBIFS_CRYPT_FL;
|
|
mutex_unlock(&host_ui->ui_mutex);
|
|
out_free:
|
|
make_bad_inode(inode);
|
|
iput(inode);
|
|
out_budg:
|
|
ubifs_release_budget(c, &req);
|
|
return err;
|
|
}
|
|
|
|
/**
|
|
* change_xattr - change an extended attribute.
|
|
* @c: UBIFS file-system description object
|
|
* @host: host inode
|
|
* @inode: extended attribute inode
|
|
* @value: extended attribute value
|
|
* @size: size of extended attribute value
|
|
*
|
|
* This helper function changes the value of extended attribute @inode with new
|
|
* data from @value. Returns zero in case of success and a negative error code
|
|
* in case of failure.
|
|
*/
|
|
static int change_xattr(struct ubifs_info *c, struct inode *host,
|
|
struct inode *inode, const void *value, int size)
|
|
{
|
|
int err;
|
|
struct ubifs_inode *host_ui = ubifs_inode(host);
|
|
struct ubifs_inode *ui = ubifs_inode(inode);
|
|
void *buf = NULL;
|
|
int old_size;
|
|
struct ubifs_budget_req req = { .dirtied_ino = 2,
|
|
.dirtied_ino_d = ALIGN(size, 8) + ALIGN(host_ui->data_len, 8) };
|
|
|
|
ubifs_assert(c, ui->data_len == inode->i_size);
|
|
err = ubifs_budget_space(c, &req);
|
|
if (err)
|
|
return err;
|
|
|
|
buf = kmemdup(value, size, GFP_NOFS);
|
|
if (!buf) {
|
|
err = -ENOMEM;
|
|
goto out_free;
|
|
}
|
|
mutex_lock(&ui->ui_mutex);
|
|
kfree(ui->data);
|
|
ui->data = buf;
|
|
inode->i_size = ui->ui_size = size;
|
|
old_size = ui->data_len;
|
|
ui->data_len = size;
|
|
mutex_unlock(&ui->ui_mutex);
|
|
|
|
mutex_lock(&host_ui->ui_mutex);
|
|
host->i_ctime = current_time(host);
|
|
host_ui->xattr_size -= CALC_XATTR_BYTES(old_size);
|
|
host_ui->xattr_size += CALC_XATTR_BYTES(size);
|
|
|
|
/*
|
|
* It is important to write the host inode after the xattr inode
|
|
* because if the host inode gets synchronized (via 'fsync()'), then
|
|
* the extended attribute inode gets synchronized, because it goes
|
|
* before the host inode in the write-buffer.
|
|
*/
|
|
err = ubifs_jnl_change_xattr(c, inode, host);
|
|
if (err)
|
|
goto out_cancel;
|
|
mutex_unlock(&host_ui->ui_mutex);
|
|
|
|
ubifs_release_budget(c, &req);
|
|
return 0;
|
|
|
|
out_cancel:
|
|
host_ui->xattr_size -= CALC_XATTR_BYTES(size);
|
|
host_ui->xattr_size += CALC_XATTR_BYTES(old_size);
|
|
mutex_unlock(&host_ui->ui_mutex);
|
|
make_bad_inode(inode);
|
|
out_free:
|
|
ubifs_release_budget(c, &req);
|
|
return err;
|
|
}
|
|
|
|
static struct inode *iget_xattr(struct ubifs_info *c, ino_t inum)
|
|
{
|
|
struct inode *inode;
|
|
|
|
inode = ubifs_iget(c->vfs_sb, inum);
|
|
if (IS_ERR(inode)) {
|
|
ubifs_err(c, "dead extended attribute entry, error %d",
|
|
(int)PTR_ERR(inode));
|
|
return inode;
|
|
}
|
|
if (ubifs_inode(inode)->xattr)
|
|
return inode;
|
|
ubifs_err(c, "corrupt extended attribute entry");
|
|
iput(inode);
|
|
return ERR_PTR(-EINVAL);
|
|
}
|
|
|
|
int ubifs_xattr_set(struct inode *host, const char *name, const void *value,
|
|
size_t size, int flags, bool check_lock)
|
|
{
|
|
struct inode *inode;
|
|
struct ubifs_info *c = host->i_sb->s_fs_info;
|
|
struct fscrypt_name nm = { .disk_name = FSTR_INIT((char *)name, strlen(name))};
|
|
struct ubifs_dent_node *xent;
|
|
union ubifs_key key;
|
|
int err;
|
|
|
|
if (check_lock)
|
|
ubifs_assert(c, inode_is_locked(host));
|
|
|
|
if (size > UBIFS_MAX_INO_DATA)
|
|
return -ERANGE;
|
|
|
|
if (fname_len(&nm) > UBIFS_MAX_NLEN)
|
|
return -ENAMETOOLONG;
|
|
|
|
xent = kmalloc(UBIFS_MAX_XENT_NODE_SZ, GFP_NOFS);
|
|
if (!xent)
|
|
return -ENOMEM;
|
|
|
|
/*
|
|
* The extended attribute entries are stored in LNC, so multiple
|
|
* look-ups do not involve reading the flash.
|
|
*/
|
|
xent_key_init(c, &key, host->i_ino, &nm);
|
|
err = ubifs_tnc_lookup_nm(c, &key, xent, &nm);
|
|
if (err) {
|
|
if (err != -ENOENT)
|
|
goto out_free;
|
|
|
|
if (flags & XATTR_REPLACE)
|
|
/* We are asked not to create the xattr */
|
|
err = -ENODATA;
|
|
else
|
|
err = create_xattr(c, host, &nm, value, size);
|
|
goto out_free;
|
|
}
|
|
|
|
if (flags & XATTR_CREATE) {
|
|
/* We are asked not to replace the xattr */
|
|
err = -EEXIST;
|
|
goto out_free;
|
|
}
|
|
|
|
inode = iget_xattr(c, le64_to_cpu(xent->inum));
|
|
if (IS_ERR(inode)) {
|
|
err = PTR_ERR(inode);
|
|
goto out_free;
|
|
}
|
|
|
|
err = change_xattr(c, host, inode, value, size);
|
|
iput(inode);
|
|
|
|
out_free:
|
|
kfree(xent);
|
|
return err;
|
|
}
|
|
|
|
ssize_t ubifs_xattr_get(struct inode *host, const char *name, void *buf,
|
|
size_t size)
|
|
{
|
|
struct inode *inode;
|
|
struct ubifs_info *c = host->i_sb->s_fs_info;
|
|
struct fscrypt_name nm = { .disk_name = FSTR_INIT((char *)name, strlen(name))};
|
|
struct ubifs_inode *ui;
|
|
struct ubifs_dent_node *xent;
|
|
union ubifs_key key;
|
|
int err;
|
|
|
|
if (fname_len(&nm) > UBIFS_MAX_NLEN)
|
|
return -ENAMETOOLONG;
|
|
|
|
xent = kmalloc(UBIFS_MAX_XENT_NODE_SZ, GFP_NOFS);
|
|
if (!xent)
|
|
return -ENOMEM;
|
|
|
|
xent_key_init(c, &key, host->i_ino, &nm);
|
|
err = ubifs_tnc_lookup_nm(c, &key, xent, &nm);
|
|
if (err) {
|
|
if (err == -ENOENT)
|
|
err = -ENODATA;
|
|
goto out_unlock;
|
|
}
|
|
|
|
inode = iget_xattr(c, le64_to_cpu(xent->inum));
|
|
if (IS_ERR(inode)) {
|
|
err = PTR_ERR(inode);
|
|
goto out_unlock;
|
|
}
|
|
|
|
ui = ubifs_inode(inode);
|
|
ubifs_assert(c, inode->i_size == ui->data_len);
|
|
ubifs_assert(c, ubifs_inode(host)->xattr_size > ui->data_len);
|
|
|
|
mutex_lock(&ui->ui_mutex);
|
|
if (buf) {
|
|
/* If @buf is %NULL we are supposed to return the length */
|
|
if (ui->data_len > size) {
|
|
err = -ERANGE;
|
|
goto out_iput;
|
|
}
|
|
|
|
memcpy(buf, ui->data, ui->data_len);
|
|
}
|
|
err = ui->data_len;
|
|
|
|
out_iput:
|
|
mutex_unlock(&ui->ui_mutex);
|
|
iput(inode);
|
|
out_unlock:
|
|
kfree(xent);
|
|
return err;
|
|
}
|
|
|
|
static bool xattr_visible(const char *name)
|
|
{
|
|
/* File encryption related xattrs are for internal use only */
|
|
if (strcmp(name, UBIFS_XATTR_NAME_ENCRYPTION_CONTEXT) == 0)
|
|
return false;
|
|
|
|
/* Show trusted namespace only for "power" users */
|
|
if (strncmp(name, XATTR_TRUSTED_PREFIX,
|
|
XATTR_TRUSTED_PREFIX_LEN) == 0 && !capable(CAP_SYS_ADMIN))
|
|
return false;
|
|
|
|
return true;
|
|
}
|
|
|
|
ssize_t ubifs_listxattr(struct dentry *dentry, char *buffer, size_t size)
|
|
{
|
|
union ubifs_key key;
|
|
struct inode *host = d_inode(dentry);
|
|
struct ubifs_info *c = host->i_sb->s_fs_info;
|
|
struct ubifs_inode *host_ui = ubifs_inode(host);
|
|
struct ubifs_dent_node *xent, *pxent = NULL;
|
|
int err, len, written = 0;
|
|
struct fscrypt_name nm = {0};
|
|
|
|
dbg_gen("ino %lu ('%pd'), buffer size %zd", host->i_ino,
|
|
dentry, size);
|
|
|
|
len = host_ui->xattr_names + host_ui->xattr_cnt;
|
|
if (!buffer)
|
|
/*
|
|
* We should return the minimum buffer size which will fit a
|
|
* null-terminated list of all the extended attribute names.
|
|
*/
|
|
return len;
|
|
|
|
if (len > size)
|
|
return -ERANGE;
|
|
|
|
lowest_xent_key(c, &key, host->i_ino);
|
|
while (1) {
|
|
xent = ubifs_tnc_next_ent(c, &key, &nm);
|
|
if (IS_ERR(xent)) {
|
|
err = PTR_ERR(xent);
|
|
break;
|
|
}
|
|
|
|
fname_name(&nm) = xent->name;
|
|
fname_len(&nm) = le16_to_cpu(xent->nlen);
|
|
|
|
if (xattr_visible(xent->name)) {
|
|
memcpy(buffer + written, fname_name(&nm), fname_len(&nm) + 1);
|
|
written += fname_len(&nm) + 1;
|
|
}
|
|
|
|
kfree(pxent);
|
|
pxent = xent;
|
|
key_read(c, &xent->key, &key);
|
|
}
|
|
|
|
kfree(pxent);
|
|
if (err != -ENOENT) {
|
|
ubifs_err(c, "cannot find next direntry, error %d", err);
|
|
return err;
|
|
}
|
|
|
|
ubifs_assert(c, written <= size);
|
|
return written;
|
|
}
|
|
|
|
static int remove_xattr(struct ubifs_info *c, struct inode *host,
|
|
struct inode *inode, const struct fscrypt_name *nm)
|
|
{
|
|
int err;
|
|
struct ubifs_inode *host_ui = ubifs_inode(host);
|
|
struct ubifs_inode *ui = ubifs_inode(inode);
|
|
struct ubifs_budget_req req = { .dirtied_ino = 2, .mod_dent = 1,
|
|
.dirtied_ino_d = ALIGN(host_ui->data_len, 8) };
|
|
|
|
ubifs_assert(c, ui->data_len == inode->i_size);
|
|
|
|
err = ubifs_budget_space(c, &req);
|
|
if (err)
|
|
return err;
|
|
|
|
mutex_lock(&host_ui->ui_mutex);
|
|
host->i_ctime = current_time(host);
|
|
host_ui->xattr_cnt -= 1;
|
|
host_ui->xattr_size -= CALC_DENT_SIZE(fname_len(nm));
|
|
host_ui->xattr_size -= CALC_XATTR_BYTES(ui->data_len);
|
|
host_ui->xattr_names -= fname_len(nm);
|
|
|
|
err = ubifs_jnl_delete_xattr(c, host, inode, nm);
|
|
if (err)
|
|
goto out_cancel;
|
|
mutex_unlock(&host_ui->ui_mutex);
|
|
|
|
ubifs_release_budget(c, &req);
|
|
return 0;
|
|
|
|
out_cancel:
|
|
host_ui->xattr_cnt += 1;
|
|
host_ui->xattr_size += CALC_DENT_SIZE(fname_len(nm));
|
|
host_ui->xattr_size += CALC_XATTR_BYTES(ui->data_len);
|
|
host_ui->xattr_names += fname_len(nm);
|
|
mutex_unlock(&host_ui->ui_mutex);
|
|
ubifs_release_budget(c, &req);
|
|
make_bad_inode(inode);
|
|
return err;
|
|
}
|
|
|
|
int ubifs_purge_xattrs(struct inode *host)
|
|
{
|
|
union ubifs_key key;
|
|
struct ubifs_info *c = host->i_sb->s_fs_info;
|
|
struct ubifs_dent_node *xent, *pxent = NULL;
|
|
struct inode *xino;
|
|
struct fscrypt_name nm = {0};
|
|
int err;
|
|
|
|
if (ubifs_inode(host)->xattr_cnt <= ubifs_xattr_max_cnt(c))
|
|
return 0;
|
|
|
|
ubifs_warn(c, "inode %lu has too many xattrs, doing a non-atomic deletion",
|
|
host->i_ino);
|
|
|
|
lowest_xent_key(c, &key, host->i_ino);
|
|
while (1) {
|
|
xent = ubifs_tnc_next_ent(c, &key, &nm);
|
|
if (IS_ERR(xent)) {
|
|
err = PTR_ERR(xent);
|
|
break;
|
|
}
|
|
|
|
fname_name(&nm) = xent->name;
|
|
fname_len(&nm) = le16_to_cpu(xent->nlen);
|
|
|
|
xino = ubifs_iget(c->vfs_sb, le64_to_cpu(xent->inum));
|
|
if (IS_ERR(xino)) {
|
|
err = PTR_ERR(xino);
|
|
ubifs_err(c, "dead directory entry '%s', error %d",
|
|
xent->name, err);
|
|
ubifs_ro_mode(c, err);
|
|
kfree(pxent);
|
|
kfree(xent);
|
|
return err;
|
|
}
|
|
|
|
ubifs_assert(c, ubifs_inode(xino)->xattr);
|
|
|
|
clear_nlink(xino);
|
|
err = remove_xattr(c, host, xino, &nm);
|
|
if (err) {
|
|
kfree(pxent);
|
|
kfree(xent);
|
|
iput(xino);
|
|
ubifs_err(c, "cannot remove xattr, error %d", err);
|
|
return err;
|
|
}
|
|
|
|
iput(xino);
|
|
|
|
kfree(pxent);
|
|
pxent = xent;
|
|
key_read(c, &xent->key, &key);
|
|
}
|
|
|
|
kfree(pxent);
|
|
if (err != -ENOENT) {
|
|
ubifs_err(c, "cannot find next direntry, error %d", err);
|
|
return err;
|
|
}
|
|
|
|
return 0;
|
|
}
|
|
|
|
/**
|
|
* ubifs_evict_xattr_inode - Evict an xattr inode.
|
|
* @c: UBIFS file-system description object
|
|
* @xattr_inum: xattr inode number
|
|
*
|
|
* When an inode that hosts xattrs is being removed we have to make sure
|
|
* that cached inodes of the xattrs also get removed from the inode cache
|
|
* otherwise we'd waste memory. This function looks up an inode from the
|
|
* inode cache and clears the link counter such that iput() will evict
|
|
* the inode.
|
|
*/
|
|
void ubifs_evict_xattr_inode(struct ubifs_info *c, ino_t xattr_inum)
|
|
{
|
|
struct inode *inode;
|
|
|
|
inode = ilookup(c->vfs_sb, xattr_inum);
|
|
if (inode) {
|
|
clear_nlink(inode);
|
|
iput(inode);
|
|
}
|
|
}
|
|
|
|
static int ubifs_xattr_remove(struct inode *host, const char *name)
|
|
{
|
|
struct inode *inode;
|
|
struct ubifs_info *c = host->i_sb->s_fs_info;
|
|
struct fscrypt_name nm = { .disk_name = FSTR_INIT((char *)name, strlen(name))};
|
|
struct ubifs_dent_node *xent;
|
|
union ubifs_key key;
|
|
int err;
|
|
|
|
ubifs_assert(c, inode_is_locked(host));
|
|
|
|
if (fname_len(&nm) > UBIFS_MAX_NLEN)
|
|
return -ENAMETOOLONG;
|
|
|
|
xent = kmalloc(UBIFS_MAX_XENT_NODE_SZ, GFP_NOFS);
|
|
if (!xent)
|
|
return -ENOMEM;
|
|
|
|
xent_key_init(c, &key, host->i_ino, &nm);
|
|
err = ubifs_tnc_lookup_nm(c, &key, xent, &nm);
|
|
if (err) {
|
|
if (err == -ENOENT)
|
|
err = -ENODATA;
|
|
goto out_free;
|
|
}
|
|
|
|
inode = iget_xattr(c, le64_to_cpu(xent->inum));
|
|
if (IS_ERR(inode)) {
|
|
err = PTR_ERR(inode);
|
|
goto out_free;
|
|
}
|
|
|
|
ubifs_assert(c, inode->i_nlink == 1);
|
|
clear_nlink(inode);
|
|
err = remove_xattr(c, host, inode, &nm);
|
|
if (err)
|
|
set_nlink(inode, 1);
|
|
|
|
/* If @i_nlink is 0, 'iput()' will delete the inode */
|
|
iput(inode);
|
|
|
|
out_free:
|
|
kfree(xent);
|
|
return err;
|
|
}
|
|
|
|
#ifdef CONFIG_UBIFS_FS_SECURITY
|
|
static int init_xattrs(struct inode *inode, const struct xattr *xattr_array,
|
|
void *fs_info)
|
|
{
|
|
const struct xattr *xattr;
|
|
char *name;
|
|
int err = 0;
|
|
|
|
for (xattr = xattr_array; xattr->name != NULL; xattr++) {
|
|
name = kmalloc(XATTR_SECURITY_PREFIX_LEN +
|
|
strlen(xattr->name) + 1, GFP_NOFS);
|
|
if (!name) {
|
|
err = -ENOMEM;
|
|
break;
|
|
}
|
|
strcpy(name, XATTR_SECURITY_PREFIX);
|
|
strcpy(name + XATTR_SECURITY_PREFIX_LEN, xattr->name);
|
|
/*
|
|
* creating a new inode without holding the inode rwsem,
|
|
* no need to check whether inode is locked.
|
|
*/
|
|
err = ubifs_xattr_set(inode, name, xattr->value,
|
|
xattr->value_len, 0, false);
|
|
kfree(name);
|
|
if (err < 0)
|
|
break;
|
|
}
|
|
|
|
return err;
|
|
}
|
|
|
|
int ubifs_init_security(struct inode *dentry, struct inode *inode,
|
|
const struct qstr *qstr)
|
|
{
|
|
int err;
|
|
|
|
err = security_inode_init_security(inode, dentry, qstr,
|
|
&init_xattrs, 0);
|
|
if (err) {
|
|
struct ubifs_info *c = dentry->i_sb->s_fs_info;
|
|
ubifs_err(c, "cannot initialize security for inode %lu, error %d",
|
|
inode->i_ino, err);
|
|
}
|
|
return err;
|
|
}
|
|
#endif
|
|
|
|
static int xattr_get(const struct xattr_handler *handler,
|
|
struct dentry *dentry, struct inode *inode,
|
|
const char *name, void *buffer, size_t size)
|
|
{
|
|
dbg_gen("xattr '%s', ino %lu ('%pd'), buf size %zd", name,
|
|
inode->i_ino, dentry, size);
|
|
|
|
name = xattr_full_name(handler, name);
|
|
return ubifs_xattr_get(inode, name, buffer, size);
|
|
}
|
|
|
|
static int xattr_set(const struct xattr_handler *handler,
|
|
struct user_namespace *mnt_userns,
|
|
struct dentry *dentry, struct inode *inode,
|
|
const char *name, const void *value,
|
|
size_t size, int flags)
|
|
{
|
|
dbg_gen("xattr '%s', host ino %lu ('%pd'), size %zd",
|
|
name, inode->i_ino, dentry, size);
|
|
|
|
name = xattr_full_name(handler, name);
|
|
|
|
if (value)
|
|
return ubifs_xattr_set(inode, name, value, size, flags, true);
|
|
else
|
|
return ubifs_xattr_remove(inode, name);
|
|
}
|
|
|
|
static const struct xattr_handler ubifs_user_xattr_handler = {
|
|
.prefix = XATTR_USER_PREFIX,
|
|
.get = xattr_get,
|
|
.set = xattr_set,
|
|
};
|
|
|
|
static const struct xattr_handler ubifs_trusted_xattr_handler = {
|
|
.prefix = XATTR_TRUSTED_PREFIX,
|
|
.get = xattr_get,
|
|
.set = xattr_set,
|
|
};
|
|
|
|
#ifdef CONFIG_UBIFS_FS_SECURITY
|
|
static const struct xattr_handler ubifs_security_xattr_handler = {
|
|
.prefix = XATTR_SECURITY_PREFIX,
|
|
.get = xattr_get,
|
|
.set = xattr_set,
|
|
};
|
|
#endif
|
|
|
|
const struct xattr_handler *ubifs_xattr_handlers[] = {
|
|
&ubifs_user_xattr_handler,
|
|
&ubifs_trusted_xattr_handler,
|
|
#ifdef CONFIG_UBIFS_FS_SECURITY
|
|
&ubifs_security_xattr_handler,
|
|
#endif
|
|
NULL
|
|
};
|