1 // SPDX-License-Identifier: GPL-2.0 2 /* 3 * linux/fs/attr.c 4 * 5 * Copyright (C) 1991, 1992 Linus Torvalds 6 * changes by Thomas Schoebel-Theuer 7 */ 8 9 #include <linux/export.h> 10 #include <linux/time.h> 11 #include <linux/mm.h> 12 #include <linux/string.h> 13 #include <linux/sched/signal.h> 14 #include <linux/capability.h> 15 #include <linux/fsnotify.h> 16 #include <linux/fcntl.h> 17 #include <linux/filelock.h> 18 #include <linux/security.h> 19 #include <linux/evm.h> 20 #include <linux/ima.h> 21 22 #include "internal.h" 23 24 /** 25 * setattr_should_drop_sgid - determine whether the setgid bit needs to be 26 * removed 27 * @idmap: idmap of the mount @inode was found from 28 * @inode: inode to check 29 * 30 * This function determines whether the setgid bit needs to be removed. 31 * We retain backwards compatibility and require setgid bit to be removed 32 * unconditionally if S_IXGRP is set. Otherwise we have the exact same 33 * requirements as setattr_prepare() and setattr_copy(). 34 * 35 * Return: ATTR_KILL_SGID if setgid bit needs to be removed, 0 otherwise. 36 */ 37 int setattr_should_drop_sgid(struct mnt_idmap *idmap, 38 const struct inode *inode) 39 { 40 umode_t mode = inode->i_mode; 41 42 if (!(mode & S_ISGID)) 43 return 0; 44 if (mode & S_IXGRP) 45 return ATTR_KILL_SGID; 46 if (!in_group_or_capable(idmap, inode, i_gid_into_vfsgid(idmap, inode))) 47 return ATTR_KILL_SGID; 48 return 0; 49 } 50 EXPORT_SYMBOL(setattr_should_drop_sgid); 51 52 /** 53 * setattr_should_drop_suidgid - determine whether the set{g,u}id bit needs to 54 * be dropped 55 * @idmap: idmap of the mount @inode was found from 56 * @inode: inode to check 57 * 58 * This function determines whether the set{g,u}id bits need to be removed. 59 * If the setuid bit needs to be removed ATTR_KILL_SUID is returned. If the 60 * setgid bit needs to be removed ATTR_KILL_SGID is returned. If both 61 * set{g,u}id bits need to be removed the corresponding mask of both flags is 62 * returned. 63 * 64 * Return: A mask of ATTR_KILL_S{G,U}ID indicating which - if any - setid bits 65 * to remove, 0 otherwise. 66 */ 67 int setattr_should_drop_suidgid(struct mnt_idmap *idmap, 68 struct inode *inode) 69 { 70 umode_t mode = inode->i_mode; 71 int kill = 0; 72 73 /* suid always must be killed */ 74 if (unlikely(mode & S_ISUID)) 75 kill = ATTR_KILL_SUID; 76 77 kill |= setattr_should_drop_sgid(idmap, inode); 78 79 if (unlikely(kill && !capable(CAP_FSETID) && S_ISREG(mode))) 80 return kill; 81 82 return 0; 83 } 84 EXPORT_SYMBOL(setattr_should_drop_suidgid); 85 86 /** 87 * chown_ok - verify permissions to chown inode 88 * @idmap: idmap of the mount @inode was found from 89 * @inode: inode to check permissions on 90 * @ia_vfsuid: uid to chown @inode to 91 * 92 * If the inode has been found through an idmapped mount the idmap of 93 * the vfsmount must be passed through @idmap. This function will then 94 * take care to map the inode according to @idmap before checking 95 * permissions. On non-idmapped mounts or if permission checking is to be 96 * performed on the raw inode simply pass @nop_mnt_idmap. 97 */ 98 static bool chown_ok(struct mnt_idmap *idmap, 99 const struct inode *inode, vfsuid_t ia_vfsuid) 100 { 101 vfsuid_t vfsuid = i_uid_into_vfsuid(idmap, inode); 102 if (vfsuid_eq_kuid(vfsuid, current_fsuid()) && 103 vfsuid_eq(ia_vfsuid, vfsuid)) 104 return true; 105 if (capable_wrt_inode_uidgid(idmap, inode, CAP_CHOWN)) 106 return true; 107 if (!vfsuid_valid(vfsuid) && 108 ns_capable(inode->i_sb->s_user_ns, CAP_CHOWN)) 109 return true; 110 return false; 111 } 112 113 /** 114 * chgrp_ok - verify permissions to chgrp inode 115 * @idmap: idmap of the mount @inode was found from 116 * @inode: inode to check permissions on 117 * @ia_vfsgid: gid to chown @inode to 118 * 119 * If the inode has been found through an idmapped mount the idmap of 120 * the vfsmount must be passed through @idmap. This function will then 121 * take care to map the inode according to @idmap before checking 122 * permissions. On non-idmapped mounts or if permission checking is to be 123 * performed on the raw inode simply pass @nop_mnt_idmap. 124 */ 125 static bool chgrp_ok(struct mnt_idmap *idmap, 126 const struct inode *inode, vfsgid_t ia_vfsgid) 127 { 128 vfsgid_t vfsgid = i_gid_into_vfsgid(idmap, inode); 129 vfsuid_t vfsuid = i_uid_into_vfsuid(idmap, inode); 130 if (vfsuid_eq_kuid(vfsuid, current_fsuid())) { 131 if (vfsgid_eq(ia_vfsgid, vfsgid)) 132 return true; 133 if (vfsgid_in_group_p(ia_vfsgid)) 134 return true; 135 } 136 if (capable_wrt_inode_uidgid(idmap, inode, CAP_CHOWN)) 137 return true; 138 if (!vfsgid_valid(vfsgid) && 139 ns_capable(inode->i_sb->s_user_ns, CAP_CHOWN)) 140 return true; 141 return false; 142 } 143 144 /** 145 * setattr_prepare - check if attribute changes to a dentry are allowed 146 * @idmap: idmap of the mount the inode was found from 147 * @dentry: dentry to check 148 * @attr: attributes to change 149 * 150 * Check if we are allowed to change the attributes contained in @attr 151 * in the given dentry. This includes the normal unix access permission 152 * checks, as well as checks for rlimits and others. The function also clears 153 * SGID bit from mode if user is not allowed to set it. Also file capabilities 154 * and IMA extended attributes are cleared if ATTR_KILL_PRIV is set. 155 * 156 * If the inode has been found through an idmapped mount the idmap of 157 * the vfsmount must be passed through @idmap. This function will then 158 * take care to map the inode according to @idmap before checking 159 * permissions. On non-idmapped mounts or if permission checking is to be 160 * performed on the raw inode simply pass @nop_mnt_idmap. 161 * 162 * Should be called as the first thing in ->setattr implementations, 163 * possibly after taking additional locks. 164 */ 165 int setattr_prepare(struct mnt_idmap *idmap, struct dentry *dentry, 166 struct iattr *attr) 167 { 168 struct inode *inode = d_inode(dentry); 169 unsigned int ia_valid = attr->ia_valid; 170 171 /* 172 * First check size constraints. These can't be overriden using 173 * ATTR_FORCE. 174 */ 175 if (ia_valid & ATTR_SIZE) { 176 int error = inode_newsize_ok(inode, attr->ia_size); 177 if (error) 178 return error; 179 } 180 181 /* If force is set do it anyway. */ 182 if (ia_valid & ATTR_FORCE) 183 goto kill_priv; 184 185 /* Make sure a caller can chown. */ 186 if ((ia_valid & ATTR_UID) && 187 !chown_ok(idmap, inode, attr->ia_vfsuid)) 188 return -EPERM; 189 190 /* Make sure caller can chgrp. */ 191 if ((ia_valid & ATTR_GID) && 192 !chgrp_ok(idmap, inode, attr->ia_vfsgid)) 193 return -EPERM; 194 195 /* Make sure a caller can chmod. */ 196 if (ia_valid & ATTR_MODE) { 197 vfsgid_t vfsgid; 198 199 if (!inode_owner_or_capable(idmap, inode)) 200 return -EPERM; 201 202 if (ia_valid & ATTR_GID) 203 vfsgid = attr->ia_vfsgid; 204 else 205 vfsgid = i_gid_into_vfsgid(idmap, inode); 206 207 /* Also check the setgid bit! */ 208 if (!in_group_or_capable(idmap, inode, vfsgid)) 209 attr->ia_mode &= ~S_ISGID; 210 } 211 212 /* Check for setting the inode time. */ 213 if (ia_valid & (ATTR_MTIME_SET | ATTR_ATIME_SET | ATTR_TIMES_SET)) { 214 if (!inode_owner_or_capable(idmap, inode)) 215 return -EPERM; 216 } 217 218 kill_priv: 219 /* User has permission for the change */ 220 if (ia_valid & ATTR_KILL_PRIV) { 221 int error; 222 223 error = security_inode_killpriv(idmap, dentry); 224 if (error) 225 return error; 226 } 227 228 return 0; 229 } 230 EXPORT_SYMBOL(setattr_prepare); 231 232 /** 233 * inode_newsize_ok - may this inode be truncated to a given size 234 * @inode: the inode to be truncated 235 * @offset: the new size to assign to the inode 236 * 237 * inode_newsize_ok must be called with i_mutex held. 238 * 239 * inode_newsize_ok will check filesystem limits and ulimits to check that the 240 * new inode size is within limits. inode_newsize_ok will also send SIGXFSZ 241 * when necessary. Caller must not proceed with inode size change if failure is 242 * returned. @inode must be a file (not directory), with appropriate 243 * permissions to allow truncate (inode_newsize_ok does NOT check these 244 * conditions). 245 * 246 * Return: 0 on success, -ve errno on failure 247 */ 248 int inode_newsize_ok(const struct inode *inode, loff_t offset) 249 { 250 if (offset < 0) 251 return -EINVAL; 252 if (inode->i_size < offset) { 253 unsigned long limit; 254 255 limit = rlimit(RLIMIT_FSIZE); 256 if (limit != RLIM_INFINITY && offset > limit) 257 goto out_sig; 258 if (offset > inode->i_sb->s_maxbytes) 259 goto out_big; 260 } else { 261 /* 262 * truncation of in-use swapfiles is disallowed - it would 263 * cause subsequent swapout to scribble on the now-freed 264 * blocks. 265 */ 266 if (IS_SWAPFILE(inode)) 267 return -ETXTBSY; 268 } 269 270 return 0; 271 out_sig: 272 send_sig(SIGXFSZ, current, 0); 273 out_big: 274 return -EFBIG; 275 } 276 EXPORT_SYMBOL(inode_newsize_ok); 277 278 /** 279 * setattr_copy - copy simple metadata updates into the generic inode 280 * @idmap: idmap of the mount the inode was found from 281 * @inode: the inode to be updated 282 * @attr: the new attributes 283 * 284 * setattr_copy must be called with i_mutex held. 285 * 286 * setattr_copy updates the inode's metadata with that specified 287 * in attr on idmapped mounts. Necessary permission checks to determine 288 * whether or not the S_ISGID property needs to be removed are performed with 289 * the correct idmapped mount permission helpers. 290 * Noticeably missing is inode size update, which is more complex 291 * as it requires pagecache updates. 292 * 293 * If the inode has been found through an idmapped mount the idmap of 294 * the vfsmount must be passed through @idmap. This function will then 295 * take care to map the inode according to @idmap before checking 296 * permissions. On non-idmapped mounts or if permission checking is to be 297 * performed on the raw inode simply pass @nop_mnt_idmap. 298 * 299 * The inode is not marked as dirty after this operation. The rationale is 300 * that for "simple" filesystems, the struct inode is the inode storage. 301 * The caller is free to mark the inode dirty afterwards if needed. 302 */ 303 void setattr_copy(struct mnt_idmap *idmap, struct inode *inode, 304 const struct iattr *attr) 305 { 306 unsigned int ia_valid = attr->ia_valid; 307 308 i_uid_update(idmap, attr, inode); 309 i_gid_update(idmap, attr, inode); 310 if (ia_valid & ATTR_ATIME) 311 inode_set_atime_to_ts(inode, attr->ia_atime); 312 if (ia_valid & ATTR_MTIME) 313 inode_set_mtime_to_ts(inode, attr->ia_mtime); 314 if (ia_valid & ATTR_CTIME) 315 inode_set_ctime_to_ts(inode, attr->ia_ctime); 316 if (ia_valid & ATTR_MODE) { 317 umode_t mode = attr->ia_mode; 318 if (!in_group_or_capable(idmap, inode, 319 i_gid_into_vfsgid(idmap, inode))) 320 mode &= ~S_ISGID; 321 inode->i_mode = mode; 322 } 323 } 324 EXPORT_SYMBOL(setattr_copy); 325 326 int may_setattr(struct mnt_idmap *idmap, struct inode *inode, 327 unsigned int ia_valid) 328 { 329 int error; 330 331 if (ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID | ATTR_TIMES_SET)) { 332 if (IS_IMMUTABLE(inode) || IS_APPEND(inode)) 333 return -EPERM; 334 } 335 336 /* 337 * If utimes(2) and friends are called with times == NULL (or both 338 * times are UTIME_NOW), then we need to check for write permission 339 */ 340 if (ia_valid & ATTR_TOUCH) { 341 if (IS_IMMUTABLE(inode)) 342 return -EPERM; 343 344 if (!inode_owner_or_capable(idmap, inode)) { 345 error = inode_permission(idmap, inode, MAY_WRITE); 346 if (error) 347 return error; 348 } 349 } 350 return 0; 351 } 352 EXPORT_SYMBOL(may_setattr); 353 354 /** 355 * notify_change - modify attributes of a filesytem object 356 * @idmap: idmap of the mount the inode was found from 357 * @dentry: object affected 358 * @attr: new attributes 359 * @delegated_inode: returns inode, if the inode is delegated 360 * 361 * The caller must hold the i_mutex on the affected object. 362 * 363 * If notify_change discovers a delegation in need of breaking, 364 * it will return -EWOULDBLOCK and return a reference to the inode in 365 * delegated_inode. The caller should then break the delegation and 366 * retry. Because breaking a delegation may take a long time, the 367 * caller should drop the i_mutex before doing so. 368 * 369 * Alternatively, a caller may pass NULL for delegated_inode. This may 370 * be appropriate for callers that expect the underlying filesystem not 371 * to be NFS exported. Also, passing NULL is fine for callers holding 372 * the file open for write, as there can be no conflicting delegation in 373 * that case. 374 * 375 * If the inode has been found through an idmapped mount the idmap of 376 * the vfsmount must be passed through @idmap. This function will then 377 * take care to map the inode according to @idmap before checking 378 * permissions. On non-idmapped mounts or if permission checking is to be 379 * performed on the raw inode simply pass @nop_mnt_idmap. 380 */ 381 int notify_change(struct mnt_idmap *idmap, struct dentry *dentry, 382 struct iattr *attr, struct inode **delegated_inode) 383 { 384 struct inode *inode = dentry->d_inode; 385 umode_t mode = inode->i_mode; 386 int error; 387 struct timespec64 now; 388 unsigned int ia_valid = attr->ia_valid; 389 390 WARN_ON_ONCE(!inode_is_locked(inode)); 391 392 error = may_setattr(idmap, inode, ia_valid); 393 if (error) 394 return error; 395 396 if ((ia_valid & ATTR_MODE)) { 397 /* 398 * Don't allow changing the mode of symlinks: 399 * 400 * (1) The vfs doesn't take the mode of symlinks into account 401 * during permission checking. 402 * (2) This has never worked correctly. Most major filesystems 403 * did return EOPNOTSUPP due to interactions with POSIX ACLs 404 * but did still updated the mode of the symlink. 405 * This inconsistency led system call wrapper providers such 406 * as libc to block changing the mode of symlinks with 407 * EOPNOTSUPP already. 408 * (3) To even do this in the first place one would have to use 409 * specific file descriptors and quite some effort. 410 */ 411 if (S_ISLNK(inode->i_mode)) 412 return -EOPNOTSUPP; 413 414 /* Flag setting protected by i_mutex */ 415 if (is_sxid(attr->ia_mode)) 416 inode->i_flags &= ~S_NOSEC; 417 } 418 419 now = current_time(inode); 420 421 attr->ia_ctime = now; 422 if (!(ia_valid & ATTR_ATIME_SET)) 423 attr->ia_atime = now; 424 else 425 attr->ia_atime = timestamp_truncate(attr->ia_atime, inode); 426 if (!(ia_valid & ATTR_MTIME_SET)) 427 attr->ia_mtime = now; 428 else 429 attr->ia_mtime = timestamp_truncate(attr->ia_mtime, inode); 430 431 if (ia_valid & ATTR_KILL_PRIV) { 432 error = security_inode_need_killpriv(dentry); 433 if (error < 0) 434 return error; 435 if (error == 0) 436 ia_valid = attr->ia_valid &= ~ATTR_KILL_PRIV; 437 } 438 439 /* 440 * We now pass ATTR_KILL_S*ID to the lower level setattr function so 441 * that the function has the ability to reinterpret a mode change 442 * that's due to these bits. This adds an implicit restriction that 443 * no function will ever call notify_change with both ATTR_MODE and 444 * ATTR_KILL_S*ID set. 445 */ 446 if ((ia_valid & (ATTR_KILL_SUID|ATTR_KILL_SGID)) && 447 (ia_valid & ATTR_MODE)) 448 BUG(); 449 450 if (ia_valid & ATTR_KILL_SUID) { 451 if (mode & S_ISUID) { 452 ia_valid = attr->ia_valid |= ATTR_MODE; 453 attr->ia_mode = (inode->i_mode & ~S_ISUID); 454 } 455 } 456 if (ia_valid & ATTR_KILL_SGID) { 457 if (mode & S_ISGID) { 458 if (!(ia_valid & ATTR_MODE)) { 459 ia_valid = attr->ia_valid |= ATTR_MODE; 460 attr->ia_mode = inode->i_mode; 461 } 462 attr->ia_mode &= ~S_ISGID; 463 } 464 } 465 if (!(attr->ia_valid & ~(ATTR_KILL_SUID | ATTR_KILL_SGID))) 466 return 0; 467 468 /* 469 * Verify that uid/gid changes are valid in the target 470 * namespace of the superblock. 471 */ 472 if (ia_valid & ATTR_UID && 473 !vfsuid_has_fsmapping(idmap, inode->i_sb->s_user_ns, 474 attr->ia_vfsuid)) 475 return -EOVERFLOW; 476 if (ia_valid & ATTR_GID && 477 !vfsgid_has_fsmapping(idmap, inode->i_sb->s_user_ns, 478 attr->ia_vfsgid)) 479 return -EOVERFLOW; 480 481 /* Don't allow modifications of files with invalid uids or 482 * gids unless those uids & gids are being made valid. 483 */ 484 if (!(ia_valid & ATTR_UID) && 485 !vfsuid_valid(i_uid_into_vfsuid(idmap, inode))) 486 return -EOVERFLOW; 487 if (!(ia_valid & ATTR_GID) && 488 !vfsgid_valid(i_gid_into_vfsgid(idmap, inode))) 489 return -EOVERFLOW; 490 491 error = security_inode_setattr(idmap, dentry, attr); 492 if (error) 493 return error; 494 error = try_break_deleg(inode, delegated_inode); 495 if (error) 496 return error; 497 498 if (inode->i_op->setattr) 499 error = inode->i_op->setattr(idmap, dentry, attr); 500 else 501 error = simple_setattr(idmap, dentry, attr); 502 503 if (!error) { 504 fsnotify_change(dentry, ia_valid); 505 ima_inode_post_setattr(idmap, dentry); 506 evm_inode_post_setattr(dentry, ia_valid); 507 } 508 509 return error; 510 } 511 EXPORT_SYMBOL(notify_change); 512