the-tree/security/inode.c

0001 // SPDX-License-Identifier: GPL-2.0-only
0002 /*
0003  *  inode.c - securityfs
0004  *
0005  *  Copyright (C) 2005 Greg Kroah-Hartman <gregkh@suse.de>
0006  *
0007  *  Based on fs/debugfs/inode.c which had the following copyright notice:
0008  *    Copyright (C) 2004 Greg Kroah-Hartman <greg@kroah.com>
0009  *    Copyright (C) 2004 IBM Inc.
0010  */
0011
0012 /* #define DEBUG */
0013 #include <linux/sysfs.h>
0014 #include <linux/kobject.h>
0015 #include <linux/fs.h>
0016 #include <linux/fs_context.h>
0017 #include <linux/mount.h>
0018 #include <linux/pagemap.h>
0019 #include <linux/init.h>
0020 #include <linux/namei.h>
0021 #include <linux/security.h>
0022 #include <linux/lsm_hooks.h>
0023 #include <linux/magic.h>
0024
0025 static struct vfsmount *mount;
0026 static int mount_count;
0027
0028 static void securityfs_free_inode(struct inode *inode)
0029 {
0030     if (S_ISLNK(inode->i_mode))
0031         kfree(inode->i_link);
0032     free_inode_nonrcu(inode);
0033 }
0034
0035 static const struct super_operations securityfs_super_operations = {
0036     .statfs     = simple_statfs,
0037     .free_inode = securityfs_free_inode,
0038 };
0039
0040 static int securityfs_fill_super(struct super_block *sb, struct fs_context *fc)
0041 {
0042     static const struct tree_descr files[] = {{""}};
0043     int error;
0044
0045     error = simple_fill_super(sb, SECURITYFS_MAGIC, files);
0046     if (error)
0047         return error;
0048
0049     sb->s_op = &securityfs_super_operations;
0050
0051     return 0;
0052 }
0053
0054 static int securityfs_get_tree(struct fs_context *fc)
0055 {
0056     return get_tree_single(fc, securityfs_fill_super);
0057 }
0058
0059 static const struct fs_context_operations securityfs_context_ops = {
0060     .get_tree   = securityfs_get_tree,
0061 };
0062
0063 static int securityfs_init_fs_context(struct fs_context *fc)
0064 {
0065     fc->ops = &securityfs_context_ops;
0066     return 0;
0067 }
0068
0069 static struct file_system_type fs_type = {
0070     .owner =    THIS_MODULE,
0071     .name =     "securityfs",
0072     .init_fs_context = securityfs_init_fs_context,
0073     .kill_sb =  kill_litter_super,
0074 };
0075
0076 /**
0077  * securityfs_create_dentry - create a dentry in the securityfs filesystem
0078  *
0079  * @name: a pointer to a string containing the name of the file to create.
0080  * @mode: the permission that the file should have
0081  * @parent: a pointer to the parent dentry for this file.  This should be a
0082  *          directory dentry if set.  If this parameter is %NULL, then the
0083  *          file will be created in the root of the securityfs filesystem.
0084  * @data: a pointer to something that the caller will want to get to later
0085  *        on.  The inode.i_private pointer will point to this value on
0086  *        the open() call.
0087  * @fops: a pointer to a struct file_operations that should be used for
0088  *        this file.
0089  * @iops: a point to a struct of inode_operations that should be used for
0090  *        this file/dir
0091  *
0092  * This is the basic "create a file/dir/symlink" function for
0093  * securityfs.  It allows for a wide range of flexibility in creating
0094  * a file, or a directory (if you want to create a directory, the
0095  * securityfs_create_dir() function is recommended to be used
0096  * instead).
0097  *
0098  * This function returns a pointer to a dentry if it succeeds.  This
0099  * pointer must be passed to the securityfs_remove() function when the
0100  * file is to be removed (no automatic cleanup happens if your module
0101  * is unloaded, you are responsible here).  If an error occurs, the
0102  * function will return the error value (via ERR_PTR).
0103  *
0104  * If securityfs is not enabled in the kernel, the value %-ENODEV is
0105  * returned.
0106  */
0107 static struct dentry *securityfs_create_dentry(const char *name, umode_t mode,
0108                     struct dentry *parent, void *data,
0109                     const struct file_operations *fops,
0110                     const struct inode_operations *iops)
0111 {
0112     struct dentry *dentry;
0113     struct inode *dir, *inode;
0114     int error;
0115
0116     if (!(mode & S_IFMT))
0117         mode = (mode & S_IALLUGO) | S_IFREG;
0118
0119     pr_debug("securityfs: creating file '%s'\n",name);
0120
0121     error = simple_pin_fs(&fs_type, &mount, &mount_count);
0122     if (error)
0123         return ERR_PTR(error);
0124
0125     if (!parent)
0126         parent = mount->mnt_root;
0127
0128     dir = d_inode(parent);
0129
0130     inode_lock(dir);
0131     dentry = lookup_one_len(name, parent, strlen(name));
0132     if (IS_ERR(dentry))
0133         goto out;
0134
0135     if (d_really_is_positive(dentry)) {
0136         error = -EEXIST;
0137         goto out1;
0138     }
0139
0140     inode = new_inode(dir->i_sb);
0141     if (!inode) {
0142         error = -ENOMEM;
0143         goto out1;
0144     }
0145
0146     inode->i_ino = get_next_ino();
0147     inode->i_mode = mode;
0148     inode->i_atime = inode->i_mtime = inode->i_ctime = current_time(inode);
0149     inode->i_private = data;
0150     if (S_ISDIR(mode)) {
0151         inode->i_op = &simple_dir_inode_operations;
0152         inode->i_fop = &simple_dir_operations;
0153         inc_nlink(inode);
0154         inc_nlink(dir);
0155     } else if (S_ISLNK(mode)) {
0156         inode->i_op = iops ? iops : &simple_symlink_inode_operations;
0157         inode->i_link = data;
0158     } else {
0159         inode->i_fop = fops;
0160     }
0161     d_instantiate(dentry, inode);
0162     dget(dentry);
0163     inode_unlock(dir);
0164     return dentry;
0165
0166 out1:
0167     dput(dentry);
0168     dentry = ERR_PTR(error);
0169 out:
0170     inode_unlock(dir);
0171     simple_release_fs(&mount, &mount_count);
0172     return dentry;
0173 }
0174
0175 /**
0176  * securityfs_create_file - create a file in the securityfs filesystem
0177  *
0178  * @name: a pointer to a string containing the name of the file to create.
0179  * @mode: the permission that the file should have
0180  * @parent: a pointer to the parent dentry for this file.  This should be a
0181  *          directory dentry if set.  If this parameter is %NULL, then the
0182  *          file will be created in the root of the securityfs filesystem.
0183  * @data: a pointer to something that the caller will want to get to later
0184  *        on.  The inode.i_private pointer will point to this value on
0185  *        the open() call.
0186  * @fops: a pointer to a struct file_operations that should be used for
0187  *        this file.
0188  *
0189  * This function creates a file in securityfs with the given @name.
0190  *
0191  * This function returns a pointer to a dentry if it succeeds.  This
0192  * pointer must be passed to the securityfs_remove() function when the file is
0193  * to be removed (no automatic cleanup happens if your module is unloaded,
0194  * you are responsible here).  If an error occurs, the function will return
0195  * the error value (via ERR_PTR).
0196  *
0197  * If securityfs is not enabled in the kernel, the value %-ENODEV is
0198  * returned.
0199  */
0200 struct dentry *securityfs_create_file(const char *name, umode_t mode,
0201                       struct dentry *parent, void *data,
0202                       const struct file_operations *fops)
0203 {
0204     return securityfs_create_dentry(name, mode, parent, data, fops, NULL);
0205 }
0206 EXPORT_SYMBOL_GPL(securityfs_create_file);
0207
0208 /**
0209  * securityfs_create_dir - create a directory in the securityfs filesystem
0210  *
0211  * @name: a pointer to a string containing the name of the directory to
0212  *        create.
0213  * @parent: a pointer to the parent dentry for this file.  This should be a
0214  *          directory dentry if set.  If this parameter is %NULL, then the
0215  *          directory will be created in the root of the securityfs filesystem.
0216  *
0217  * This function creates a directory in securityfs with the given @name.
0218  *
0219  * This function returns a pointer to a dentry if it succeeds.  This
0220  * pointer must be passed to the securityfs_remove() function when the file is
0221  * to be removed (no automatic cleanup happens if your module is unloaded,
0222  * you are responsible here).  If an error occurs, the function will return
0223  * the error value (via ERR_PTR).
0224  *
0225  * If securityfs is not enabled in the kernel, the value %-ENODEV is
0226  * returned.
0227  */
0228 struct dentry *securityfs_create_dir(const char *name, struct dentry *parent)
0229 {
0230     return securityfs_create_file(name, S_IFDIR | 0755, parent, NULL, NULL);
0231 }
0232 EXPORT_SYMBOL_GPL(securityfs_create_dir);
0233
0234 /**
0235  * securityfs_create_symlink - create a symlink in the securityfs filesystem
0236  *
0237  * @name: a pointer to a string containing the name of the symlink to
0238  *        create.
0239  * @parent: a pointer to the parent dentry for the symlink.  This should be a
0240  *          directory dentry if set.  If this parameter is %NULL, then the
0241  *          directory will be created in the root of the securityfs filesystem.
0242  * @target: a pointer to a string containing the name of the symlink's target.
0243  *          If this parameter is %NULL, then the @iops parameter needs to be
0244  *          setup to handle .readlink and .get_link inode_operations.
0245  * @iops: a pointer to the struct inode_operations to use for the symlink. If
0246  *        this parameter is %NULL, then the default simple_symlink_inode
0247  *        operations will be used.
0248  *
0249  * This function creates a symlink in securityfs with the given @name.
0250  *
0251  * This function returns a pointer to a dentry if it succeeds.  This
0252  * pointer must be passed to the securityfs_remove() function when the file is
0253  * to be removed (no automatic cleanup happens if your module is unloaded,
0254  * you are responsible here).  If an error occurs, the function will return
0255  * the error value (via ERR_PTR).
0256  *
0257  * If securityfs is not enabled in the kernel, the value %-ENODEV is
0258  * returned.
0259  */
0260 struct dentry *securityfs_create_symlink(const char *name,
0261                      struct dentry *parent,
0262                      const char *target,
0263                      const struct inode_operations *iops)
0264 {
0265     struct dentry *dent;
0266     char *link = NULL;
0267
0268     if (target) {
0269         link = kstrdup(target, GFP_KERNEL);
0270         if (!link)
0271             return ERR_PTR(-ENOMEM);
0272     }
0273     dent = securityfs_create_dentry(name, S_IFLNK | 0444, parent,
0274                     link, NULL, iops);
0275     if (IS_ERR(dent))
0276         kfree(link);
0277
0278     return dent;
0279 }
0280 EXPORT_SYMBOL_GPL(securityfs_create_symlink);
0281
0282 /**
0283  * securityfs_remove - removes a file or directory from the securityfs filesystem
0284  *
0285  * @dentry: a pointer to a the dentry of the file or directory to be removed.
0286  *
0287  * This function removes a file or directory in securityfs that was previously
0288  * created with a call to another securityfs function (like
0289  * securityfs_create_file() or variants thereof.)
0290  *
0291  * This function is required to be called in order for the file to be
0292  * removed. No automatic cleanup of files will happen when a module is
0293  * removed; you are responsible here.
0294  */
0295 void securityfs_remove(struct dentry *dentry)
0296 {
0297     struct inode *dir;
0298
0299     if (!dentry || IS_ERR(dentry))
0300         return;
0301
0302     dir = d_inode(dentry->d_parent);
0303     inode_lock(dir);
0304     if (simple_positive(dentry)) {
0305         if (d_is_dir(dentry))
0306             simple_rmdir(dir, dentry);
0307         else
0308             simple_unlink(dir, dentry);
0309         dput(dentry);
0310     }
0311     inode_unlock(dir);
0312     simple_release_fs(&mount, &mount_count);
0313 }
0314 EXPORT_SYMBOL_GPL(securityfs_remove);
0315
0316 #ifdef CONFIG_SECURITY
0317 static struct dentry *lsm_dentry;
0318 static ssize_t lsm_read(struct file *filp, char __user *buf, size_t count,
0319             loff_t *ppos)
0320 {
0321     return simple_read_from_buffer(buf, count, ppos, lsm_names,
0322         strlen(lsm_names));
0323 }
0324
0325 static const struct file_operations lsm_ops = {
0326     .read = lsm_read,
0327     .llseek = generic_file_llseek,
0328 };
0329 #endif
0330
0331 static int __init securityfs_init(void)
0332 {
0333     int retval;
0334
0335     retval = sysfs_create_mount_point(kernel_kobj, "security");
0336     if (retval)
0337         return retval;
0338
0339     retval = register_filesystem(&fs_type);
0340     if (retval) {
0341         sysfs_remove_mount_point(kernel_kobj, "security");
0342         return retval;
0343     }
0344 #ifdef CONFIG_SECURITY
0345     lsm_dentry = securityfs_create_file("lsm", 0444, NULL, NULL,
0346                         &lsm_ops);
0347 #endif
0348     return 0;
0349 }
0350 core_initcall(securityfs_init);