1 // SPDX-License-Identifier: GPL-2.0 2 /* 3 * linux/fs/attr.c 4 * 5 * Copyright (C) 1991, 1992 Linus Torvalds 6 * changes by Thomas Schoebel-Theuer 7 */ 8 9 #include <linux/export.h> 10 #include <linux/time.h> 11 #include <linux/mm.h> 12 #include <linux/string.h> 13 #include <linux/sched/signal.h> 14 #include <linux/capability.h> 15 #include <linux/fsnotify.h> 16 #include <linux/fcntl.h> 17 #include <linux/security.h> 18 #include <linux/evm.h> 19 #include <linux/ima.h> 20 21 /** 22 * chown_ok - verify permissions to chown inode 23 * @mnt_userns: user namespace of the mount @inode was found from 24 * @inode: inode to check permissions on 25 * @uid: uid to chown @inode to 26 * 27 * If the inode has been found through an idmapped mount the user namespace of 28 * the vfsmount must be passed through @mnt_userns. This function will then 29 * take care to map the inode according to @mnt_userns before checking 30 * permissions. On non-idmapped mounts or if permission checking is to be 31 * performed on the raw inode simply passs init_user_ns. 32 */ 33 static bool chown_ok(struct user_namespace *mnt_userns, 34 const struct inode *inode, 35 kuid_t uid) 36 { 37 kuid_t kuid = i_uid_into_mnt(mnt_userns, inode); 38 if (uid_eq(current_fsuid(), kuid) && uid_eq(uid, inode->i_uid)) 39 return true; 40 if (capable_wrt_inode_uidgid(mnt_userns, inode, CAP_CHOWN)) 41 return true; 42 if (uid_eq(kuid, INVALID_UID) && 43 ns_capable(inode->i_sb->s_user_ns, CAP_CHOWN)) 44 return true; 45 return false; 46 } 47 48 /** 49 * chgrp_ok - verify permissions to chgrp inode 50 * @mnt_userns: user namespace of the mount @inode was found from 51 * @inode: inode to check permissions on 52 * @gid: gid to chown @inode to 53 * 54 * If the inode has been found through an idmapped mount the user namespace of 55 * the vfsmount must be passed through @mnt_userns. This function will then 56 * take care to map the inode according to @mnt_userns before checking 57 * permissions. On non-idmapped mounts or if permission checking is to be 58 * performed on the raw inode simply passs init_user_ns. 59 */ 60 static bool chgrp_ok(struct user_namespace *mnt_userns, 61 const struct inode *inode, kgid_t gid) 62 { 63 kgid_t kgid = i_gid_into_mnt(mnt_userns, inode); 64 if (uid_eq(current_fsuid(), i_uid_into_mnt(mnt_userns, inode))) { 65 kgid_t mapped_gid; 66 67 if (gid_eq(gid, inode->i_gid)) 68 return true; 69 mapped_gid = mapped_kgid_fs(mnt_userns, i_user_ns(inode), gid); 70 if (in_group_p(mapped_gid)) 71 return true; 72 } 73 if (capable_wrt_inode_uidgid(mnt_userns, inode, CAP_CHOWN)) 74 return true; 75 if (gid_eq(kgid, INVALID_GID) && 76 ns_capable(inode->i_sb->s_user_ns, CAP_CHOWN)) 77 return true; 78 return false; 79 } 80 81 /** 82 * setattr_prepare - check if attribute changes to a dentry are allowed 83 * @mnt_userns: user namespace of the mount the inode was found from 84 * @dentry: dentry to check 85 * @attr: attributes to change 86 * 87 * Check if we are allowed to change the attributes contained in @attr 88 * in the given dentry. This includes the normal unix access permission 89 * checks, as well as checks for rlimits and others. The function also clears 90 * SGID bit from mode if user is not allowed to set it. Also file capabilities 91 * and IMA extended attributes are cleared if ATTR_KILL_PRIV is set. 92 * 93 * If the inode has been found through an idmapped mount the user namespace of 94 * the vfsmount must be passed through @mnt_userns. This function will then 95 * take care to map the inode according to @mnt_userns before checking 96 * permissions. On non-idmapped mounts or if permission checking is to be 97 * performed on the raw inode simply passs init_user_ns. 98 * 99 * Should be called as the first thing in ->setattr implementations, 100 * possibly after taking additional locks. 101 */ 102 int setattr_prepare(struct user_namespace *mnt_userns, struct dentry *dentry, 103 struct iattr *attr) 104 { 105 struct inode *inode = d_inode(dentry); 106 unsigned int ia_valid = attr->ia_valid; 107 108 /* 109 * First check size constraints. These can't be overriden using 110 * ATTR_FORCE. 111 */ 112 if (ia_valid & ATTR_SIZE) { 113 int error = inode_newsize_ok(inode, attr->ia_size); 114 if (error) 115 return error; 116 } 117 118 /* If force is set do it anyway. */ 119 if (ia_valid & ATTR_FORCE) 120 goto kill_priv; 121 122 /* Make sure a caller can chown. */ 123 if ((ia_valid & ATTR_UID) && !chown_ok(mnt_userns, inode, attr->ia_uid)) 124 return -EPERM; 125 126 /* Make sure caller can chgrp. */ 127 if ((ia_valid & ATTR_GID) && !chgrp_ok(mnt_userns, inode, attr->ia_gid)) 128 return -EPERM; 129 130 /* Make sure a caller can chmod. */ 131 if (ia_valid & ATTR_MODE) { 132 kgid_t mapped_gid; 133 134 if (!inode_owner_or_capable(mnt_userns, inode)) 135 return -EPERM; 136 137 if (ia_valid & ATTR_GID) 138 mapped_gid = mapped_kgid_fs(mnt_userns, 139 i_user_ns(inode), attr->ia_gid); 140 else 141 mapped_gid = i_gid_into_mnt(mnt_userns, inode); 142 143 /* Also check the setgid bit! */ 144 if (!in_group_p(mapped_gid) && 145 !capable_wrt_inode_uidgid(mnt_userns, inode, CAP_FSETID)) 146 attr->ia_mode &= ~S_ISGID; 147 } 148 149 /* Check for setting the inode time. */ 150 if (ia_valid & (ATTR_MTIME_SET | ATTR_ATIME_SET | ATTR_TIMES_SET)) { 151 if (!inode_owner_or_capable(mnt_userns, inode)) 152 return -EPERM; 153 } 154 155 kill_priv: 156 /* User has permission for the change */ 157 if (ia_valid & ATTR_KILL_PRIV) { 158 int error; 159 160 error = security_inode_killpriv(mnt_userns, dentry); 161 if (error) 162 return error; 163 } 164 165 return 0; 166 } 167 EXPORT_SYMBOL(setattr_prepare); 168 169 /** 170 * inode_newsize_ok - may this inode be truncated to a given size 171 * @inode: the inode to be truncated 172 * @offset: the new size to assign to the inode 173 * 174 * inode_newsize_ok must be called with i_mutex held. 175 * 176 * inode_newsize_ok will check filesystem limits and ulimits to check that the 177 * new inode size is within limits. inode_newsize_ok will also send SIGXFSZ 178 * when necessary. Caller must not proceed with inode size change if failure is 179 * returned. @inode must be a file (not directory), with appropriate 180 * permissions to allow truncate (inode_newsize_ok does NOT check these 181 * conditions). 182 * 183 * Return: 0 on success, -ve errno on failure 184 */ 185 int inode_newsize_ok(const struct inode *inode, loff_t offset) 186 { 187 if (inode->i_size < offset) { 188 unsigned long limit; 189 190 limit = rlimit(RLIMIT_FSIZE); 191 if (limit != RLIM_INFINITY && offset > limit) 192 goto out_sig; 193 if (offset > inode->i_sb->s_maxbytes) 194 goto out_big; 195 } else { 196 /* 197 * truncation of in-use swapfiles is disallowed - it would 198 * cause subsequent swapout to scribble on the now-freed 199 * blocks. 200 */ 201 if (IS_SWAPFILE(inode)) 202 return -ETXTBSY; 203 } 204 205 return 0; 206 out_sig: 207 send_sig(SIGXFSZ, current, 0); 208 out_big: 209 return -EFBIG; 210 } 211 EXPORT_SYMBOL(inode_newsize_ok); 212 213 /** 214 * setattr_copy - copy simple metadata updates into the generic inode 215 * @mnt_userns: user namespace of the mount the inode was found from 216 * @inode: the inode to be updated 217 * @attr: the new attributes 218 * 219 * setattr_copy must be called with i_mutex held. 220 * 221 * setattr_copy updates the inode's metadata with that specified 222 * in attr on idmapped mounts. If file ownership is changed setattr_copy 223 * doesn't map ia_uid and ia_gid. It will asssume the caller has already 224 * provided the intended values. Necessary permission checks to determine 225 * whether or not the S_ISGID property needs to be removed are performed with 226 * the correct idmapped mount permission helpers. 227 * Noticeably missing is inode size update, which is more complex 228 * as it requires pagecache updates. 229 * 230 * If the inode has been found through an idmapped mount the user namespace of 231 * the vfsmount must be passed through @mnt_userns. This function will then 232 * take care to map the inode according to @mnt_userns before checking 233 * permissions. On non-idmapped mounts or if permission checking is to be 234 * performed on the raw inode simply passs init_user_ns. 235 * 236 * The inode is not marked as dirty after this operation. The rationale is 237 * that for "simple" filesystems, the struct inode is the inode storage. 238 * The caller is free to mark the inode dirty afterwards if needed. 239 */ 240 void setattr_copy(struct user_namespace *mnt_userns, struct inode *inode, 241 const struct iattr *attr) 242 { 243 unsigned int ia_valid = attr->ia_valid; 244 245 if (ia_valid & ATTR_UID) 246 inode->i_uid = attr->ia_uid; 247 if (ia_valid & ATTR_GID) 248 inode->i_gid = attr->ia_gid; 249 if (ia_valid & ATTR_ATIME) 250 inode->i_atime = attr->ia_atime; 251 if (ia_valid & ATTR_MTIME) 252 inode->i_mtime = attr->ia_mtime; 253 if (ia_valid & ATTR_CTIME) 254 inode->i_ctime = attr->ia_ctime; 255 if (ia_valid & ATTR_MODE) { 256 umode_t mode = attr->ia_mode; 257 kgid_t kgid = i_gid_into_mnt(mnt_userns, inode); 258 if (!in_group_p(kgid) && 259 !capable_wrt_inode_uidgid(mnt_userns, inode, CAP_FSETID)) 260 mode &= ~S_ISGID; 261 inode->i_mode = mode; 262 } 263 } 264 EXPORT_SYMBOL(setattr_copy); 265 266 int may_setattr(struct user_namespace *mnt_userns, struct inode *inode, 267 unsigned int ia_valid) 268 { 269 int error; 270 271 if (ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID | ATTR_TIMES_SET)) { 272 if (IS_IMMUTABLE(inode) || IS_APPEND(inode)) 273 return -EPERM; 274 } 275 276 /* 277 * If utimes(2) and friends are called with times == NULL (or both 278 * times are UTIME_NOW), then we need to check for write permission 279 */ 280 if (ia_valid & ATTR_TOUCH) { 281 if (IS_IMMUTABLE(inode)) 282 return -EPERM; 283 284 if (!inode_owner_or_capable(mnt_userns, inode)) { 285 error = inode_permission(mnt_userns, inode, MAY_WRITE); 286 if (error) 287 return error; 288 } 289 } 290 return 0; 291 } 292 EXPORT_SYMBOL(may_setattr); 293 294 /** 295 * notify_change - modify attributes of a filesytem object 296 * @mnt_userns: user namespace of the mount the inode was found from 297 * @dentry: object affected 298 * @attr: new attributes 299 * @delegated_inode: returns inode, if the inode is delegated 300 * 301 * The caller must hold the i_mutex on the affected object. 302 * 303 * If notify_change discovers a delegation in need of breaking, 304 * it will return -EWOULDBLOCK and return a reference to the inode in 305 * delegated_inode. The caller should then break the delegation and 306 * retry. Because breaking a delegation may take a long time, the 307 * caller should drop the i_mutex before doing so. 308 * 309 * If file ownership is changed notify_change() doesn't map ia_uid and 310 * ia_gid. It will asssume the caller has already provided the intended values. 311 * 312 * Alternatively, a caller may pass NULL for delegated_inode. This may 313 * be appropriate for callers that expect the underlying filesystem not 314 * to be NFS exported. Also, passing NULL is fine for callers holding 315 * the file open for write, as there can be no conflicting delegation in 316 * that case. 317 * 318 * If the inode has been found through an idmapped mount the user namespace of 319 * the vfsmount must be passed through @mnt_userns. This function will then 320 * take care to map the inode according to @mnt_userns before checking 321 * permissions. On non-idmapped mounts or if permission checking is to be 322 * performed on the raw inode simply passs init_user_ns. 323 */ 324 int notify_change(struct user_namespace *mnt_userns, struct dentry *dentry, 325 struct iattr *attr, struct inode **delegated_inode) 326 { 327 struct inode *inode = dentry->d_inode; 328 umode_t mode = inode->i_mode; 329 int error; 330 struct timespec64 now; 331 unsigned int ia_valid = attr->ia_valid; 332 333 WARN_ON_ONCE(!inode_is_locked(inode)); 334 335 error = may_setattr(mnt_userns, inode, ia_valid); 336 if (error) 337 return error; 338 339 if ((ia_valid & ATTR_MODE)) { 340 umode_t amode = attr->ia_mode; 341 /* Flag setting protected by i_mutex */ 342 if (is_sxid(amode)) 343 inode->i_flags &= ~S_NOSEC; 344 } 345 346 now = current_time(inode); 347 348 attr->ia_ctime = now; 349 if (!(ia_valid & ATTR_ATIME_SET)) 350 attr->ia_atime = now; 351 else 352 attr->ia_atime = timestamp_truncate(attr->ia_atime, inode); 353 if (!(ia_valid & ATTR_MTIME_SET)) 354 attr->ia_mtime = now; 355 else 356 attr->ia_mtime = timestamp_truncate(attr->ia_mtime, inode); 357 358 if (ia_valid & ATTR_KILL_PRIV) { 359 error = security_inode_need_killpriv(dentry); 360 if (error < 0) 361 return error; 362 if (error == 0) 363 ia_valid = attr->ia_valid &= ~ATTR_KILL_PRIV; 364 } 365 366 /* 367 * We now pass ATTR_KILL_S*ID to the lower level setattr function so 368 * that the function has the ability to reinterpret a mode change 369 * that's due to these bits. This adds an implicit restriction that 370 * no function will ever call notify_change with both ATTR_MODE and 371 * ATTR_KILL_S*ID set. 372 */ 373 if ((ia_valid & (ATTR_KILL_SUID|ATTR_KILL_SGID)) && 374 (ia_valid & ATTR_MODE)) 375 BUG(); 376 377 if (ia_valid & ATTR_KILL_SUID) { 378 if (mode & S_ISUID) { 379 ia_valid = attr->ia_valid |= ATTR_MODE; 380 attr->ia_mode = (inode->i_mode & ~S_ISUID); 381 } 382 } 383 if (ia_valid & ATTR_KILL_SGID) { 384 if ((mode & (S_ISGID | S_IXGRP)) == (S_ISGID | S_IXGRP)) { 385 if (!(ia_valid & ATTR_MODE)) { 386 ia_valid = attr->ia_valid |= ATTR_MODE; 387 attr->ia_mode = inode->i_mode; 388 } 389 attr->ia_mode &= ~S_ISGID; 390 } 391 } 392 if (!(attr->ia_valid & ~(ATTR_KILL_SUID | ATTR_KILL_SGID))) 393 return 0; 394 395 /* 396 * Verify that uid/gid changes are valid in the target 397 * namespace of the superblock. 398 */ 399 if (ia_valid & ATTR_UID && 400 !kuid_has_mapping(inode->i_sb->s_user_ns, attr->ia_uid)) 401 return -EOVERFLOW; 402 if (ia_valid & ATTR_GID && 403 !kgid_has_mapping(inode->i_sb->s_user_ns, attr->ia_gid)) 404 return -EOVERFLOW; 405 406 /* Don't allow modifications of files with invalid uids or 407 * gids unless those uids & gids are being made valid. 408 */ 409 if (!(ia_valid & ATTR_UID) && 410 !uid_valid(i_uid_into_mnt(mnt_userns, inode))) 411 return -EOVERFLOW; 412 if (!(ia_valid & ATTR_GID) && 413 !gid_valid(i_gid_into_mnt(mnt_userns, inode))) 414 return -EOVERFLOW; 415 416 error = security_inode_setattr(dentry, attr); 417 if (error) 418 return error; 419 error = try_break_deleg(inode, delegated_inode); 420 if (error) 421 return error; 422 423 if (inode->i_op->setattr) 424 error = inode->i_op->setattr(mnt_userns, dentry, attr); 425 else 426 error = simple_setattr(mnt_userns, dentry, attr); 427 428 if (!error) { 429 fsnotify_change(dentry, ia_valid); 430 ima_inode_post_setattr(mnt_userns, dentry); 431 evm_inode_post_setattr(dentry, ia_valid); 432 } 433 434 return error; 435 } 436 EXPORT_SYMBOL(notify_change); 437