the-tree/fs/attr.c

0001 // SPDX-License-Identifier: GPL-2.0
0002 /*
0003  *  linux/fs/attr.c
0004  *
0005  *  Copyright (C) 1991, 1992  Linus Torvalds
0006  *  changes by Thomas Schoebel-Theuer
0007  */
0008
0009 #include <linux/export.h>
0010 #include <linux/time.h>
0011 #include <linux/mm.h>
0012 #include <linux/string.h>
0013 #include <linux/sched/signal.h>
0014 #include <linux/capability.h>
0015 #include <linux/fsnotify.h>
0016 #include <linux/fcntl.h>
0017 #include <linux/security.h>
0018 #include <linux/evm.h>
0019 #include <linux/ima.h>
0020
0021 /**
0022  * chown_ok - verify permissions to chown inode
0023  * @mnt_userns: user namespace of the mount @inode was found from
0024  * @inode:  inode to check permissions on
0025  * @ia_vfsuid:  uid to chown @inode to
0026  *
0027  * If the inode has been found through an idmapped mount the user namespace of
0028  * the vfsmount must be passed through @mnt_userns. This function will then
0029  * take care to map the inode according to @mnt_userns before checking
0030  * permissions. On non-idmapped mounts or if permission checking is to be
0031  * performed on the raw inode simply passs init_user_ns.
0032  */
0033 static bool chown_ok(struct user_namespace *mnt_userns,
0034              const struct inode *inode, vfsuid_t ia_vfsuid)
0035 {
0036     vfsuid_t vfsuid = i_uid_into_vfsuid(mnt_userns, inode);
0037     if (vfsuid_eq_kuid(vfsuid, current_fsuid()) &&
0038         vfsuid_eq(ia_vfsuid, vfsuid))
0039         return true;
0040     if (capable_wrt_inode_uidgid(mnt_userns, inode, CAP_CHOWN))
0041         return true;
0042     if (!vfsuid_valid(vfsuid) &&
0043         ns_capable(inode->i_sb->s_user_ns, CAP_CHOWN))
0044         return true;
0045     return false;
0046 }
0047
0048 /**
0049  * chgrp_ok - verify permissions to chgrp inode
0050  * @mnt_userns: user namespace of the mount @inode was found from
0051  * @inode:  inode to check permissions on
0052  * @ia_vfsgid:  gid to chown @inode to
0053  *
0054  * If the inode has been found through an idmapped mount the user namespace of
0055  * the vfsmount must be passed through @mnt_userns. This function will then
0056  * take care to map the inode according to @mnt_userns before checking
0057  * permissions. On non-idmapped mounts or if permission checking is to be
0058  * performed on the raw inode simply passs init_user_ns.
0059  */
0060 static bool chgrp_ok(struct user_namespace *mnt_userns,
0061              const struct inode *inode, vfsgid_t ia_vfsgid)
0062 {
0063     vfsgid_t vfsgid = i_gid_into_vfsgid(mnt_userns, inode);
0064     vfsuid_t vfsuid = i_uid_into_vfsuid(mnt_userns, inode);
0065     if (vfsuid_eq_kuid(vfsuid, current_fsuid())) {
0066         if (vfsgid_eq(ia_vfsgid, vfsgid))
0067             return true;
0068         if (vfsgid_in_group_p(ia_vfsgid))
0069             return true;
0070     }
0071     if (capable_wrt_inode_uidgid(mnt_userns, inode, CAP_CHOWN))
0072         return true;
0073     if (!vfsgid_valid(vfsgid) &&
0074         ns_capable(inode->i_sb->s_user_ns, CAP_CHOWN))
0075         return true;
0076     return false;
0077 }
0078
0079 /**
0080  * setattr_prepare - check if attribute changes to a dentry are allowed
0081  * @mnt_userns: user namespace of the mount the inode was found from
0082  * @dentry: dentry to check
0083  * @attr:   attributes to change
0084  *
0085  * Check if we are allowed to change the attributes contained in @attr
0086  * in the given dentry.  This includes the normal unix access permission
0087  * checks, as well as checks for rlimits and others. The function also clears
0088  * SGID bit from mode if user is not allowed to set it. Also file capabilities
0089  * and IMA extended attributes are cleared if ATTR_KILL_PRIV is set.
0090  *
0091  * If the inode has been found through an idmapped mount the user namespace of
0092  * the vfsmount must be passed through @mnt_userns. This function will then
0093  * take care to map the inode according to @mnt_userns before checking
0094  * permissions. On non-idmapped mounts or if permission checking is to be
0095  * performed on the raw inode simply passs init_user_ns.
0096  *
0097  * Should be called as the first thing in ->setattr implementations,
0098  * possibly after taking additional locks.
0099  */
0100 int setattr_prepare(struct user_namespace *mnt_userns, struct dentry *dentry,
0101             struct iattr *attr)
0102 {
0103     struct inode *inode = d_inode(dentry);
0104     unsigned int ia_valid = attr->ia_valid;
0105
0106     /*
0107      * First check size constraints.  These can't be overriden using
0108      * ATTR_FORCE.
0109      */
0110     if (ia_valid & ATTR_SIZE) {
0111         int error = inode_newsize_ok(inode, attr->ia_size);
0112         if (error)
0113             return error;
0114     }
0115
0116     /* If force is set do it anyway. */
0117     if (ia_valid & ATTR_FORCE)
0118         goto kill_priv;
0119
0120     /* Make sure a caller can chown. */
0121     if ((ia_valid & ATTR_UID) &&
0122         !chown_ok(mnt_userns, inode, attr->ia_vfsuid))
0123         return -EPERM;
0124
0125     /* Make sure caller can chgrp. */
0126     if ((ia_valid & ATTR_GID) &&
0127         !chgrp_ok(mnt_userns, inode, attr->ia_vfsgid))
0128         return -EPERM;
0129
0130     /* Make sure a caller can chmod. */
0131     if (ia_valid & ATTR_MODE) {
0132         vfsgid_t vfsgid;
0133
0134         if (!inode_owner_or_capable(mnt_userns, inode))
0135             return -EPERM;
0136
0137         if (ia_valid & ATTR_GID)
0138             vfsgid = attr->ia_vfsgid;
0139         else
0140             vfsgid = i_gid_into_vfsgid(mnt_userns, inode);
0141
0142         /* Also check the setgid bit! */
0143         if (!vfsgid_in_group_p(vfsgid) &&
0144             !capable_wrt_inode_uidgid(mnt_userns, inode, CAP_FSETID))
0145             attr->ia_mode &= ~S_ISGID;
0146     }
0147
0148     /* Check for setting the inode time. */
0149     if (ia_valid & (ATTR_MTIME_SET | ATTR_ATIME_SET | ATTR_TIMES_SET)) {
0150         if (!inode_owner_or_capable(mnt_userns, inode))
0151             return -EPERM;
0152     }
0153
0154 kill_priv:
0155     /* User has permission for the change */
0156     if (ia_valid & ATTR_KILL_PRIV) {
0157         int error;
0158
0159         error = security_inode_killpriv(mnt_userns, dentry);
0160         if (error)
0161             return error;
0162     }
0163
0164     return 0;
0165 }
0166 EXPORT_SYMBOL(setattr_prepare);
0167
0168 /**
0169  * inode_newsize_ok - may this inode be truncated to a given size
0170  * @inode:  the inode to be truncated
0171  * @offset: the new size to assign to the inode
0172  *
0173  * inode_newsize_ok must be called with i_mutex held.
0174  *
0175  * inode_newsize_ok will check filesystem limits and ulimits to check that the
0176  * new inode size is within limits. inode_newsize_ok will also send SIGXFSZ
0177  * when necessary. Caller must not proceed with inode size change if failure is
0178  * returned. @inode must be a file (not directory), with appropriate
0179  * permissions to allow truncate (inode_newsize_ok does NOT check these
0180  * conditions).
0181  *
0182  * Return: 0 on success, -ve errno on failure
0183  */
0184 int inode_newsize_ok(const struct inode *inode, loff_t offset)
0185 {
0186     if (offset < 0)
0187         return -EINVAL;
0188     if (inode->i_size < offset) {
0189         unsigned long limit;
0190
0191         limit = rlimit(RLIMIT_FSIZE);
0192         if (limit != RLIM_INFINITY && offset > limit)
0193             goto out_sig;
0194         if (offset > inode->i_sb->s_maxbytes)
0195             goto out_big;
0196     } else {
0197         /*
0198          * truncation of in-use swapfiles is disallowed - it would
0199          * cause subsequent swapout to scribble on the now-freed
0200          * blocks.
0201          */
0202         if (IS_SWAPFILE(inode))
0203             return -ETXTBSY;
0204     }
0205
0206     return 0;
0207 out_sig:
0208     send_sig(SIGXFSZ, current, 0);
0209 out_big:
0210     return -EFBIG;
0211 }
0212 EXPORT_SYMBOL(inode_newsize_ok);
0213
0214 /**
0215  * setattr_copy - copy simple metadata updates into the generic inode
0216  * @mnt_userns: user namespace of the mount the inode was found from
0217  * @inode:  the inode to be updated
0218  * @attr:   the new attributes
0219  *
0220  * setattr_copy must be called with i_mutex held.
0221  *
0222  * setattr_copy updates the inode's metadata with that specified
0223  * in attr on idmapped mounts. Necessary permission checks to determine
0224  * whether or not the S_ISGID property needs to be removed are performed with
0225  * the correct idmapped mount permission helpers.
0226  * Noticeably missing is inode size update, which is more complex
0227  * as it requires pagecache updates.
0228  *
0229  * If the inode has been found through an idmapped mount the user namespace of
0230  * the vfsmount must be passed through @mnt_userns. This function will then
0231  * take care to map the inode according to @mnt_userns before checking
0232  * permissions. On non-idmapped mounts or if permission checking is to be
0233  * performed on the raw inode simply passs init_user_ns.
0234  *
0235  * The inode is not marked as dirty after this operation. The rationale is
0236  * that for "simple" filesystems, the struct inode is the inode storage.
0237  * The caller is free to mark the inode dirty afterwards if needed.
0238  */
0239 void setattr_copy(struct user_namespace *mnt_userns, struct inode *inode,
0240           const struct iattr *attr)
0241 {
0242     unsigned int ia_valid = attr->ia_valid;
0243
0244     i_uid_update(mnt_userns, attr, inode);
0245     i_gid_update(mnt_userns, attr, inode);
0246     if (ia_valid & ATTR_ATIME)
0247         inode->i_atime = attr->ia_atime;
0248     if (ia_valid & ATTR_MTIME)
0249         inode->i_mtime = attr->ia_mtime;
0250     if (ia_valid & ATTR_CTIME)
0251         inode->i_ctime = attr->ia_ctime;
0252     if (ia_valid & ATTR_MODE) {
0253         umode_t mode = attr->ia_mode;
0254         vfsgid_t vfsgid = i_gid_into_vfsgid(mnt_userns, inode);
0255         if (!vfsgid_in_group_p(vfsgid) &&
0256             !capable_wrt_inode_uidgid(mnt_userns, inode, CAP_FSETID))
0257             mode &= ~S_ISGID;
0258         inode->i_mode = mode;
0259     }
0260 }
0261 EXPORT_SYMBOL(setattr_copy);
0262
0263 int may_setattr(struct user_namespace *mnt_userns, struct inode *inode,
0264         unsigned int ia_valid)
0265 {
0266     int error;
0267
0268     if (ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID | ATTR_TIMES_SET)) {
0269         if (IS_IMMUTABLE(inode) || IS_APPEND(inode))
0270             return -EPERM;
0271     }
0272
0273     /*
0274      * If utimes(2) and friends are called with times == NULL (or both
0275      * times are UTIME_NOW), then we need to check for write permission
0276      */
0277     if (ia_valid & ATTR_TOUCH) {
0278         if (IS_IMMUTABLE(inode))
0279             return -EPERM;
0280
0281         if (!inode_owner_or_capable(mnt_userns, inode)) {
0282             error = inode_permission(mnt_userns, inode, MAY_WRITE);
0283             if (error)
0284                 return error;
0285         }
0286     }
0287     return 0;
0288 }
0289 EXPORT_SYMBOL(may_setattr);
0290
0291 /**
0292  * notify_change - modify attributes of a filesytem object
0293  * @mnt_userns: user namespace of the mount the inode was found from
0294  * @dentry: object affected
0295  * @attr:   new attributes
0296  * @delegated_inode: returns inode, if the inode is delegated
0297  *
0298  * The caller must hold the i_mutex on the affected object.
0299  *
0300  * If notify_change discovers a delegation in need of breaking,
0301  * it will return -EWOULDBLOCK and return a reference to the inode in
0302  * delegated_inode.  The caller should then break the delegation and
0303  * retry.  Because breaking a delegation may take a long time, the
0304  * caller should drop the i_mutex before doing so.
0305  *
0306  * Alternatively, a caller may pass NULL for delegated_inode.  This may
0307  * be appropriate for callers that expect the underlying filesystem not
0308  * to be NFS exported.  Also, passing NULL is fine for callers holding
0309  * the file open for write, as there can be no conflicting delegation in
0310  * that case.
0311  *
0312  * If the inode has been found through an idmapped mount the user namespace of
0313  * the vfsmount must be passed through @mnt_userns. This function will then
0314  * take care to map the inode according to @mnt_userns before checking
0315  * permissions. On non-idmapped mounts or if permission checking is to be
0316  * performed on the raw inode simply passs init_user_ns.
0317  */
0318 int notify_change(struct user_namespace *mnt_userns, struct dentry *dentry,
0319           struct iattr *attr, struct inode **delegated_inode)
0320 {
0321     struct inode *inode = dentry->d_inode;
0322     umode_t mode = inode->i_mode;
0323     int error;
0324     struct timespec64 now;
0325     unsigned int ia_valid = attr->ia_valid;
0326
0327     WARN_ON_ONCE(!inode_is_locked(inode));
0328
0329     error = may_setattr(mnt_userns, inode, ia_valid);
0330     if (error)
0331         return error;
0332
0333     if ((ia_valid & ATTR_MODE)) {
0334         umode_t amode = attr->ia_mode;
0335         /* Flag setting protected by i_mutex */
0336         if (is_sxid(amode))
0337             inode->i_flags &= ~S_NOSEC;
0338     }
0339
0340     now = current_time(inode);
0341
0342     attr->ia_ctime = now;
0343     if (!(ia_valid & ATTR_ATIME_SET))
0344         attr->ia_atime = now;
0345     else
0346         attr->ia_atime = timestamp_truncate(attr->ia_atime, inode);
0347     if (!(ia_valid & ATTR_MTIME_SET))
0348         attr->ia_mtime = now;
0349     else
0350         attr->ia_mtime = timestamp_truncate(attr->ia_mtime, inode);
0351
0352     if (ia_valid & ATTR_KILL_PRIV) {
0353         error = security_inode_need_killpriv(dentry);
0354         if (error < 0)
0355             return error;
0356         if (error == 0)
0357             ia_valid = attr->ia_valid &= ~ATTR_KILL_PRIV;
0358     }
0359
0360     /*
0361      * We now pass ATTR_KILL_S*ID to the lower level setattr function so
0362      * that the function has the ability to reinterpret a mode change
0363      * that's due to these bits. This adds an implicit restriction that
0364      * no function will ever call notify_change with both ATTR_MODE and
0365      * ATTR_KILL_S*ID set.
0366      */
0367     if ((ia_valid & (ATTR_KILL_SUID|ATTR_KILL_SGID)) &&
0368         (ia_valid & ATTR_MODE))
0369         BUG();
0370
0371     if (ia_valid & ATTR_KILL_SUID) {
0372         if (mode & S_ISUID) {
0373             ia_valid = attr->ia_valid |= ATTR_MODE;
0374             attr->ia_mode = (inode->i_mode & ~S_ISUID);
0375         }
0376     }
0377     if (ia_valid & ATTR_KILL_SGID) {
0378         if ((mode & (S_ISGID | S_IXGRP)) == (S_ISGID | S_IXGRP)) {
0379             if (!(ia_valid & ATTR_MODE)) {
0380                 ia_valid = attr->ia_valid |= ATTR_MODE;
0381                 attr->ia_mode = inode->i_mode;
0382             }
0383             attr->ia_mode &= ~S_ISGID;
0384         }
0385     }
0386     if (!(attr->ia_valid & ~(ATTR_KILL_SUID | ATTR_KILL_SGID)))
0387         return 0;
0388
0389     /*
0390      * Verify that uid/gid changes are valid in the target
0391      * namespace of the superblock.
0392      */
0393     if (ia_valid & ATTR_UID &&
0394         !vfsuid_has_fsmapping(mnt_userns, inode->i_sb->s_user_ns,
0395                   attr->ia_vfsuid))
0396         return -EOVERFLOW;
0397     if (ia_valid & ATTR_GID &&
0398         !vfsgid_has_fsmapping(mnt_userns, inode->i_sb->s_user_ns,
0399                   attr->ia_vfsgid))
0400         return -EOVERFLOW;
0401
0402     /* Don't allow modifications of files with invalid uids or
0403      * gids unless those uids & gids are being made valid.
0404      */
0405     if (!(ia_valid & ATTR_UID) &&
0406         !vfsuid_valid(i_uid_into_vfsuid(mnt_userns, inode)))
0407         return -EOVERFLOW;
0408     if (!(ia_valid & ATTR_GID) &&
0409         !vfsgid_valid(i_gid_into_vfsgid(mnt_userns, inode)))
0410         return -EOVERFLOW;
0411
0412     error = security_inode_setattr(mnt_userns, dentry, attr);
0413     if (error)
0414         return error;
0415     error = try_break_deleg(inode, delegated_inode);
0416     if (error)
0417         return error;
0418
0419     if (inode->i_op->setattr)
0420         error = inode->i_op->setattr(mnt_userns, dentry, attr);
0421     else
0422         error = simple_setattr(mnt_userns, dentry, attr);
0423
0424     if (!error) {
0425         fsnotify_change(dentry, ia_valid);
0426         ima_inode_post_setattr(mnt_userns, dentry);
0427         evm_inode_post_setattr(dentry, ia_valid);
0428     }
0429
0430     return error;
0431 }
0432 EXPORT_SYMBOL(notify_change);