1 // SPDX-License-Identifier: GPL-2.0 2 #include <linux/syscalls.h> 3 #include <linux/slab.h> 4 #include <linux/fs.h> 5 #include <linux/file.h> 6 #include <linux/mount.h> 7 #include <linux/namei.h> 8 #include <linux/exportfs.h> 9 #include <linux/fs_struct.h> 10 #include <linux/fsnotify.h> 11 #include <linux/personality.h> 12 #include <linux/uaccess.h> 13 #include <linux/compat.h> 14 #include "internal.h" 15 #include "mount.h" 16 17 static long do_sys_name_to_handle(const struct path *path, 18 struct file_handle __user *ufh, 19 void __user *mnt_id, bool unique_mntid, 20 int fh_flags) 21 { 22 long retval; 23 struct file_handle f_handle; 24 int handle_dwords, handle_bytes; 25 struct file_handle *handle = NULL; 26 27 /* 28 * We need to make sure whether the file system support decoding of 29 * the file handle if decodeable file handle was requested. 30 */ 31 if (!exportfs_can_encode_fh(path->dentry->d_sb->s_export_op, fh_flags)) 32 return -EOPNOTSUPP; 33 34 if (copy_from_user(&f_handle, ufh, sizeof(struct file_handle))) 35 return -EFAULT; 36 37 if (f_handle.handle_bytes > MAX_HANDLE_SZ) 38 return -EINVAL; 39 40 handle = kzalloc(struct_size(handle, f_handle, f_handle.handle_bytes), 41 GFP_KERNEL); 42 if (!handle) 43 return -ENOMEM; 44 45 /* convert handle size to multiple of sizeof(u32) */ 46 handle_dwords = f_handle.handle_bytes >> 2; 47 48 /* we ask for a non connectable maybe decodeable file handle */ 49 retval = exportfs_encode_fh(path->dentry, 50 (struct fid *)handle->f_handle, 51 &handle_dwords, fh_flags); 52 handle->handle_type = retval; 53 /* convert handle size to bytes */ 54 handle_bytes = handle_dwords * sizeof(u32); 55 handle->handle_bytes = handle_bytes; 56 if ((handle->handle_bytes > f_handle.handle_bytes) || 57 (retval == FILEID_INVALID) || (retval < 0)) { 58 /* As per old exportfs_encode_fh documentation 59 * we could return ENOSPC to indicate overflow 60 * But file system returned 255 always. So handle 61 * both the values 62 */ 63 if (retval == FILEID_INVALID || retval == -ENOSPC) 64 retval = -EOVERFLOW; 65 /* 66 * set the handle size to zero so we copy only 67 * non variable part of the file_handle 68 */ 69 handle_bytes = 0; 70 } else 71 retval = 0; 72 /* copy the mount id */ 73 if (unique_mntid) { 74 if (put_user(real_mount(path->mnt)->mnt_id_unique, 75 (u64 __user *) mnt_id)) 76 retval = -EFAULT; 77 } else { 78 if (put_user(real_mount(path->mnt)->mnt_id, 79 (int __user *) mnt_id)) 80 retval = -EFAULT; 81 } 82 /* copy the handle */ 83 if (retval != -EFAULT && 84 copy_to_user(ufh, handle, 85 struct_size(handle, f_handle, handle_bytes))) 86 retval = -EFAULT; 87 kfree(handle); 88 return retval; 89 } 90 91 /** 92 * sys_name_to_handle_at: convert name to handle 93 * @dfd: directory relative to which name is interpreted if not absolute 94 * @name: name that should be converted to handle. 95 * @handle: resulting file handle 96 * @mnt_id: mount id of the file system containing the file 97 * (u64 if AT_HANDLE_MNT_ID_UNIQUE, otherwise int) 98 * @flag: flag value to indicate whether to follow symlink or not 99 * and whether a decodable file handle is required. 100 * 101 * @handle->handle_size indicate the space available to store the 102 * variable part of the file handle in bytes. If there is not 103 * enough space, the field is updated to return the minimum 104 * value required. 105 */ 106 SYSCALL_DEFINE5(name_to_handle_at, int, dfd, const char __user *, name, 107 struct file_handle __user *, handle, void __user *, mnt_id, 108 int, flag) 109 { 110 struct path path; 111 int lookup_flags; 112 int fh_flags; 113 int err; 114 115 if (flag & ~(AT_SYMLINK_FOLLOW | AT_EMPTY_PATH | AT_HANDLE_FID | 116 AT_HANDLE_MNT_ID_UNIQUE)) 117 return -EINVAL; 118 119 lookup_flags = (flag & AT_SYMLINK_FOLLOW) ? LOOKUP_FOLLOW : 0; 120 fh_flags = (flag & AT_HANDLE_FID) ? EXPORT_FH_FID : 0; 121 if (flag & AT_EMPTY_PATH) 122 lookup_flags |= LOOKUP_EMPTY; 123 err = user_path_at(dfd, name, lookup_flags, &path); 124 if (!err) { 125 err = do_sys_name_to_handle(&path, handle, mnt_id, 126 flag & AT_HANDLE_MNT_ID_UNIQUE, 127 fh_flags); 128 path_put(&path); 129 } 130 return err; 131 } 132 133 static int get_path_from_fd(int fd, struct path *root) 134 { 135 if (fd == AT_FDCWD) { 136 struct fs_struct *fs = current->fs; 137 spin_lock(&fs->lock); 138 *root = fs->pwd; 139 path_get(root); 140 spin_unlock(&fs->lock); 141 } else { 142 CLASS(fd, f)(fd); 143 if (fd_empty(f)) 144 return -EBADF; 145 *root = fd_file(f)->f_path; 146 path_get(root); 147 } 148 149 return 0; 150 } 151 152 enum handle_to_path_flags { 153 HANDLE_CHECK_PERMS = (1 << 0), 154 HANDLE_CHECK_SUBTREE = (1 << 1), 155 }; 156 157 struct handle_to_path_ctx { 158 struct path root; 159 enum handle_to_path_flags flags; 160 unsigned int fh_flags; 161 }; 162 163 static int vfs_dentry_acceptable(void *context, struct dentry *dentry) 164 { 165 struct handle_to_path_ctx *ctx = context; 166 struct user_namespace *user_ns = current_user_ns(); 167 struct dentry *d, *root = ctx->root.dentry; 168 struct mnt_idmap *idmap = mnt_idmap(ctx->root.mnt); 169 int retval = 0; 170 171 if (!root) 172 return 1; 173 174 /* Old permission model with global CAP_DAC_READ_SEARCH. */ 175 if (!ctx->flags) 176 return 1; 177 178 /* 179 * It's racy as we're not taking rename_lock but we're able to ignore 180 * permissions and we just need an approximation whether we were able 181 * to follow a path to the file. 182 * 183 * It's also potentially expensive on some filesystems especially if 184 * there is a deep path. 185 */ 186 d = dget(dentry); 187 while (d != root && !IS_ROOT(d)) { 188 struct dentry *parent = dget_parent(d); 189 190 /* 191 * We know that we have the ability to override DAC permissions 192 * as we've verified this earlier via CAP_DAC_READ_SEARCH. But 193 * we also need to make sure that there aren't any unmapped 194 * inodes in the path that would prevent us from reaching the 195 * file. 196 */ 197 if (!privileged_wrt_inode_uidgid(user_ns, idmap, 198 d_inode(parent))) { 199 dput(d); 200 dput(parent); 201 return retval; 202 } 203 204 dput(d); 205 d = parent; 206 } 207 208 if (!(ctx->flags & HANDLE_CHECK_SUBTREE) || d == root) 209 retval = 1; 210 WARN_ON_ONCE(d != root && d != root->d_sb->s_root); 211 dput(d); 212 return retval; 213 } 214 215 static int do_handle_to_path(struct file_handle *handle, struct path *path, 216 struct handle_to_path_ctx *ctx) 217 { 218 int handle_dwords; 219 struct vfsmount *mnt = ctx->root.mnt; 220 221 /* change the handle size to multiple of sizeof(u32) */ 222 handle_dwords = handle->handle_bytes >> 2; 223 path->dentry = exportfs_decode_fh_raw(mnt, 224 (struct fid *)handle->f_handle, 225 handle_dwords, handle->handle_type, 226 ctx->fh_flags, 227 vfs_dentry_acceptable, ctx); 228 if (IS_ERR_OR_NULL(path->dentry)) { 229 if (path->dentry == ERR_PTR(-ENOMEM)) 230 return -ENOMEM; 231 return -ESTALE; 232 } 233 path->mnt = mntget(mnt); 234 return 0; 235 } 236 237 /* 238 * Allow relaxed permissions of file handles if the caller has the 239 * ability to mount the filesystem or create a bind-mount of the 240 * provided @mountdirfd. 241 * 242 * In both cases the caller may be able to get an unobstructed way to 243 * the encoded file handle. If the caller is only able to create a 244 * bind-mount we need to verify that there are no locked mounts on top 245 * of it that could prevent us from getting to the encoded file. 246 * 247 * In principle, locked mounts can prevent the caller from mounting the 248 * filesystem but that only applies to procfs and sysfs neither of which 249 * support decoding file handles. 250 */ 251 static inline bool may_decode_fh(struct handle_to_path_ctx *ctx, 252 unsigned int o_flags) 253 { 254 struct path *root = &ctx->root; 255 256 /* 257 * Restrict to O_DIRECTORY to provide a deterministic API that avoids a 258 * confusing api in the face of disconnected non-dir dentries. 259 * 260 * There's only one dentry for each directory inode (VFS rule)... 261 */ 262 if (!(o_flags & O_DIRECTORY)) 263 return false; 264 265 if (ns_capable(root->mnt->mnt_sb->s_user_ns, CAP_SYS_ADMIN)) 266 ctx->flags = HANDLE_CHECK_PERMS; 267 else if (is_mounted(root->mnt) && 268 ns_capable(real_mount(root->mnt)->mnt_ns->user_ns, 269 CAP_SYS_ADMIN) && 270 !has_locked_children(real_mount(root->mnt), root->dentry)) 271 ctx->flags = HANDLE_CHECK_PERMS | HANDLE_CHECK_SUBTREE; 272 else 273 return false; 274 275 /* Are we able to override DAC permissions? */ 276 if (!ns_capable(current_user_ns(), CAP_DAC_READ_SEARCH)) 277 return false; 278 279 ctx->fh_flags = EXPORT_FH_DIR_ONLY; 280 return true; 281 } 282 283 static int handle_to_path(int mountdirfd, struct file_handle __user *ufh, 284 struct path *path, unsigned int o_flags) 285 { 286 int retval = 0; 287 struct file_handle f_handle; 288 struct file_handle *handle = NULL; 289 struct handle_to_path_ctx ctx = {}; 290 291 retval = get_path_from_fd(mountdirfd, &ctx.root); 292 if (retval) 293 goto out_err; 294 295 if (!capable(CAP_DAC_READ_SEARCH) && !may_decode_fh(&ctx, o_flags)) { 296 retval = -EPERM; 297 goto out_path; 298 } 299 300 if (copy_from_user(&f_handle, ufh, sizeof(struct file_handle))) { 301 retval = -EFAULT; 302 goto out_path; 303 } 304 if ((f_handle.handle_bytes > MAX_HANDLE_SZ) || 305 (f_handle.handle_bytes == 0)) { 306 retval = -EINVAL; 307 goto out_path; 308 } 309 handle = kmalloc(struct_size(handle, f_handle, f_handle.handle_bytes), 310 GFP_KERNEL); 311 if (!handle) { 312 retval = -ENOMEM; 313 goto out_path; 314 } 315 /* copy the full handle */ 316 *handle = f_handle; 317 if (copy_from_user(&handle->f_handle, 318 &ufh->f_handle, 319 f_handle.handle_bytes)) { 320 retval = -EFAULT; 321 goto out_handle; 322 } 323 324 retval = do_handle_to_path(handle, path, &ctx); 325 326 out_handle: 327 kfree(handle); 328 out_path: 329 path_put(&ctx.root); 330 out_err: 331 return retval; 332 } 333 334 static long do_handle_open(int mountdirfd, struct file_handle __user *ufh, 335 int open_flag) 336 { 337 long retval = 0; 338 struct path path; 339 struct file *file; 340 int fd; 341 342 retval = handle_to_path(mountdirfd, ufh, &path, open_flag); 343 if (retval) 344 return retval; 345 346 fd = get_unused_fd_flags(open_flag); 347 if (fd < 0) { 348 path_put(&path); 349 return fd; 350 } 351 file = file_open_root(&path, "", open_flag, 0); 352 if (IS_ERR(file)) { 353 put_unused_fd(fd); 354 retval = PTR_ERR(file); 355 } else { 356 retval = fd; 357 fd_install(fd, file); 358 } 359 path_put(&path); 360 return retval; 361 } 362 363 /** 364 * sys_open_by_handle_at: Open the file handle 365 * @mountdirfd: directory file descriptor 366 * @handle: file handle to be opened 367 * @flags: open flags. 368 * 369 * @mountdirfd indicate the directory file descriptor 370 * of the mount point. file handle is decoded relative 371 * to the vfsmount pointed by the @mountdirfd. @flags 372 * value is same as the open(2) flags. 373 */ 374 SYSCALL_DEFINE3(open_by_handle_at, int, mountdirfd, 375 struct file_handle __user *, handle, 376 int, flags) 377 { 378 long ret; 379 380 if (force_o_largefile()) 381 flags |= O_LARGEFILE; 382 383 ret = do_handle_open(mountdirfd, handle, flags); 384 return ret; 385 } 386 387 #ifdef CONFIG_COMPAT 388 /* 389 * Exactly like fs/open.c:sys_open_by_handle_at(), except that it 390 * doesn't set the O_LARGEFILE flag. 391 */ 392 COMPAT_SYSCALL_DEFINE3(open_by_handle_at, int, mountdirfd, 393 struct file_handle __user *, handle, int, flags) 394 { 395 return do_handle_open(mountdirfd, handle, flags); 396 } 397 #endif 398