1 // SPDX-License-Identifier: GPL-2.0-only 2 /* 3 * Copyright (C) 2002,2003 by Andreas Gruenbacher <a.gruenbacher@computer.org> 4 * 5 * Fixes from William Schumacher incorporated on 15 March 2001. 6 * (Reported by Charles Bertsch, <CBertsch@microtest.com>). 7 */ 8 9 /* 10 * This file contains generic functions for manipulating 11 * POSIX 1003.1e draft standard 17 ACLs. 12 */ 13 14 #include <linux/kernel.h> 15 #include <linux/slab.h> 16 #include <linux/atomic.h> 17 #include <linux/fs.h> 18 #include <linux/sched.h> 19 #include <linux/cred.h> 20 #include <linux/posix_acl.h> 21 #include <linux/posix_acl_xattr.h> 22 #include <linux/xattr.h> 23 #include <linux/export.h> 24 #include <linux/user_namespace.h> 25 #include <linux/namei.h> 26 #include <linux/mnt_idmapping.h> 27 #include <linux/iversion.h> 28 #include <linux/security.h> 29 #include <linux/evm.h> 30 #include <linux/fsnotify.h> 31 #include <linux/filelock.h> 32 33 #include "internal.h" 34 35 static struct posix_acl **acl_by_type(struct inode *inode, int type) 36 { 37 switch (type) { 38 case ACL_TYPE_ACCESS: 39 return &inode->i_acl; 40 case ACL_TYPE_DEFAULT: 41 return &inode->i_default_acl; 42 default: 43 BUG(); 44 } 45 } 46 47 struct posix_acl *get_cached_acl(struct inode *inode, int type) 48 { 49 struct posix_acl **p = acl_by_type(inode, type); 50 struct posix_acl *acl; 51 52 for (;;) { 53 rcu_read_lock(); 54 acl = rcu_dereference(*p); 55 if (!acl || is_uncached_acl(acl) || 56 refcount_inc_not_zero(&acl->a_refcount)) 57 break; 58 rcu_read_unlock(); 59 cpu_relax(); 60 } 61 rcu_read_unlock(); 62 return acl; 63 } 64 EXPORT_SYMBOL(get_cached_acl); 65 66 struct posix_acl *get_cached_acl_rcu(struct inode *inode, int type) 67 { 68 struct posix_acl *acl = rcu_dereference(*acl_by_type(inode, type)); 69 70 if (acl == ACL_DONT_CACHE) { 71 struct posix_acl *ret; 72 73 ret = inode->i_op->get_inode_acl(inode, type, LOOKUP_RCU); 74 if (!IS_ERR(ret)) 75 acl = ret; 76 } 77 78 return acl; 79 } 80 EXPORT_SYMBOL(get_cached_acl_rcu); 81 82 void set_cached_acl(struct inode *inode, int type, struct posix_acl *acl) 83 { 84 struct posix_acl **p = acl_by_type(inode, type); 85 struct posix_acl *old; 86 87 old = xchg(p, posix_acl_dup(acl)); 88 if (!is_uncached_acl(old)) 89 posix_acl_release(old); 90 } 91 EXPORT_SYMBOL(set_cached_acl); 92 93 static void __forget_cached_acl(struct posix_acl **p) 94 { 95 struct posix_acl *old; 96 97 old = xchg(p, ACL_NOT_CACHED); 98 if (!is_uncached_acl(old)) 99 posix_acl_release(old); 100 } 101 102 void forget_cached_acl(struct inode *inode, int type) 103 { 104 __forget_cached_acl(acl_by_type(inode, type)); 105 } 106 EXPORT_SYMBOL(forget_cached_acl); 107 108 void forget_all_cached_acls(struct inode *inode) 109 { 110 __forget_cached_acl(&inode->i_acl); 111 __forget_cached_acl(&inode->i_default_acl); 112 } 113 EXPORT_SYMBOL(forget_all_cached_acls); 114 115 static struct posix_acl *__get_acl(struct mnt_idmap *idmap, 116 struct dentry *dentry, struct inode *inode, 117 int type) 118 { 119 struct posix_acl *sentinel; 120 struct posix_acl **p; 121 struct posix_acl *acl; 122 123 /* 124 * The sentinel is used to detect when another operation like 125 * set_cached_acl() or forget_cached_acl() races with get_inode_acl(). 126 * It is guaranteed that is_uncached_acl(sentinel) is true. 127 */ 128 129 acl = get_cached_acl(inode, type); 130 if (!is_uncached_acl(acl)) 131 return acl; 132 133 if (!IS_POSIXACL(inode)) 134 return NULL; 135 136 sentinel = uncached_acl_sentinel(current); 137 p = acl_by_type(inode, type); 138 139 /* 140 * If the ACL isn't being read yet, set our sentinel. Otherwise, the 141 * current value of the ACL will not be ACL_NOT_CACHED and so our own 142 * sentinel will not be set; another task will update the cache. We 143 * could wait for that other task to complete its job, but it's easier 144 * to just call ->get_inode_acl to fetch the ACL ourself. (This is 145 * going to be an unlikely race.) 146 */ 147 cmpxchg(p, ACL_NOT_CACHED, sentinel); 148 149 /* 150 * Normally, the ACL returned by ->get{_inode}_acl will be cached. 151 * A filesystem can prevent that by calling 152 * forget_cached_acl(inode, type) in ->get{_inode}_acl. 153 * 154 * If the filesystem doesn't have a get{_inode}_ acl() function at all, 155 * we'll just create the negative cache entry. 156 */ 157 if (dentry && inode->i_op->get_acl) { 158 acl = inode->i_op->get_acl(idmap, dentry, type); 159 } else if (inode->i_op->get_inode_acl) { 160 acl = inode->i_op->get_inode_acl(inode, type, false); 161 } else { 162 set_cached_acl(inode, type, NULL); 163 return NULL; 164 } 165 if (IS_ERR(acl)) { 166 /* 167 * Remove our sentinel so that we don't block future attempts 168 * to cache the ACL. 169 */ 170 cmpxchg(p, sentinel, ACL_NOT_CACHED); 171 return acl; 172 } 173 174 /* 175 * Cache the result, but only if our sentinel is still in place. 176 */ 177 posix_acl_dup(acl); 178 if (unlikely(!try_cmpxchg(p, &sentinel, acl))) 179 posix_acl_release(acl); 180 return acl; 181 } 182 183 struct posix_acl *get_inode_acl(struct inode *inode, int type) 184 { 185 return __get_acl(&nop_mnt_idmap, NULL, inode, type); 186 } 187 EXPORT_SYMBOL(get_inode_acl); 188 189 /* 190 * Init a fresh posix_acl 191 */ 192 void 193 posix_acl_init(struct posix_acl *acl, int count) 194 { 195 refcount_set(&acl->a_refcount, 1); 196 acl->a_count = count; 197 } 198 EXPORT_SYMBOL(posix_acl_init); 199 200 /* 201 * Allocate a new ACL with the specified number of entries. 202 */ 203 struct posix_acl * 204 posix_acl_alloc(int count, gfp_t flags) 205 { 206 const size_t size = sizeof(struct posix_acl) + 207 count * sizeof(struct posix_acl_entry); 208 struct posix_acl *acl = kmalloc(size, flags); 209 if (acl) 210 posix_acl_init(acl, count); 211 return acl; 212 } 213 EXPORT_SYMBOL(posix_acl_alloc); 214 215 /* 216 * Clone an ACL. 217 */ 218 struct posix_acl * 219 posix_acl_clone(const struct posix_acl *acl, gfp_t flags) 220 { 221 struct posix_acl *clone = NULL; 222 223 if (acl) { 224 int size = sizeof(struct posix_acl) + acl->a_count * 225 sizeof(struct posix_acl_entry); 226 clone = kmemdup(acl, size, flags); 227 if (clone) 228 refcount_set(&clone->a_refcount, 1); 229 } 230 return clone; 231 } 232 EXPORT_SYMBOL_GPL(posix_acl_clone); 233 234 /* 235 * Check if an acl is valid. Returns 0 if it is, or -E... otherwise. 236 */ 237 int 238 posix_acl_valid(struct user_namespace *user_ns, const struct posix_acl *acl) 239 { 240 const struct posix_acl_entry *pa, *pe; 241 int state = ACL_USER_OBJ; 242 int needs_mask = 0; 243 244 FOREACH_ACL_ENTRY(pa, acl, pe) { 245 if (pa->e_perm & ~(ACL_READ|ACL_WRITE|ACL_EXECUTE)) 246 return -EINVAL; 247 switch (pa->e_tag) { 248 case ACL_USER_OBJ: 249 if (state == ACL_USER_OBJ) { 250 state = ACL_USER; 251 break; 252 } 253 return -EINVAL; 254 255 case ACL_USER: 256 if (state != ACL_USER) 257 return -EINVAL; 258 if (!kuid_has_mapping(user_ns, pa->e_uid)) 259 return -EINVAL; 260 needs_mask = 1; 261 break; 262 263 case ACL_GROUP_OBJ: 264 if (state == ACL_USER) { 265 state = ACL_GROUP; 266 break; 267 } 268 return -EINVAL; 269 270 case ACL_GROUP: 271 if (state != ACL_GROUP) 272 return -EINVAL; 273 if (!kgid_has_mapping(user_ns, pa->e_gid)) 274 return -EINVAL; 275 needs_mask = 1; 276 break; 277 278 case ACL_MASK: 279 if (state != ACL_GROUP) 280 return -EINVAL; 281 state = ACL_OTHER; 282 break; 283 284 case ACL_OTHER: 285 if (state == ACL_OTHER || 286 (state == ACL_GROUP && !needs_mask)) { 287 state = 0; 288 break; 289 } 290 return -EINVAL; 291 292 default: 293 return -EINVAL; 294 } 295 } 296 if (state == 0) 297 return 0; 298 return -EINVAL; 299 } 300 EXPORT_SYMBOL(posix_acl_valid); 301 302 /* 303 * Returns 0 if the acl can be exactly represented in the traditional 304 * file mode permission bits, or else 1. Returns -E... on error. 305 */ 306 int 307 posix_acl_equiv_mode(const struct posix_acl *acl, umode_t *mode_p) 308 { 309 const struct posix_acl_entry *pa, *pe; 310 umode_t mode = 0; 311 int not_equiv = 0; 312 313 /* 314 * A null ACL can always be presented as mode bits. 315 */ 316 if (!acl) 317 return 0; 318 319 FOREACH_ACL_ENTRY(pa, acl, pe) { 320 switch (pa->e_tag) { 321 case ACL_USER_OBJ: 322 mode |= (pa->e_perm & S_IRWXO) << 6; 323 break; 324 case ACL_GROUP_OBJ: 325 mode |= (pa->e_perm & S_IRWXO) << 3; 326 break; 327 case ACL_OTHER: 328 mode |= pa->e_perm & S_IRWXO; 329 break; 330 case ACL_MASK: 331 mode = (mode & ~S_IRWXG) | 332 ((pa->e_perm & S_IRWXO) << 3); 333 not_equiv = 1; 334 break; 335 case ACL_USER: 336 case ACL_GROUP: 337 not_equiv = 1; 338 break; 339 default: 340 return -EINVAL; 341 } 342 } 343 if (mode_p) 344 *mode_p = (*mode_p & ~S_IRWXUGO) | mode; 345 return not_equiv; 346 } 347 EXPORT_SYMBOL(posix_acl_equiv_mode); 348 349 /* 350 * Create an ACL representing the file mode permission bits of an inode. 351 */ 352 struct posix_acl * 353 posix_acl_from_mode(umode_t mode, gfp_t flags) 354 { 355 struct posix_acl *acl = posix_acl_alloc(3, flags); 356 if (!acl) 357 return ERR_PTR(-ENOMEM); 358 359 acl->a_entries[0].e_tag = ACL_USER_OBJ; 360 acl->a_entries[0].e_perm = (mode & S_IRWXU) >> 6; 361 362 acl->a_entries[1].e_tag = ACL_GROUP_OBJ; 363 acl->a_entries[1].e_perm = (mode & S_IRWXG) >> 3; 364 365 acl->a_entries[2].e_tag = ACL_OTHER; 366 acl->a_entries[2].e_perm = (mode & S_IRWXO); 367 return acl; 368 } 369 EXPORT_SYMBOL(posix_acl_from_mode); 370 371 /* 372 * Return 0 if current is granted want access to the inode 373 * by the acl. Returns -E... otherwise. 374 */ 375 int 376 posix_acl_permission(struct mnt_idmap *idmap, struct inode *inode, 377 const struct posix_acl *acl, int want) 378 { 379 const struct posix_acl_entry *pa, *pe, *mask_obj; 380 struct user_namespace *fs_userns = i_user_ns(inode); 381 int found = 0; 382 vfsuid_t vfsuid; 383 vfsgid_t vfsgid; 384 385 want &= MAY_READ | MAY_WRITE | MAY_EXEC; 386 387 FOREACH_ACL_ENTRY(pa, acl, pe) { 388 switch(pa->e_tag) { 389 case ACL_USER_OBJ: 390 /* (May have been checked already) */ 391 vfsuid = i_uid_into_vfsuid(idmap, inode); 392 if (vfsuid_eq_kuid(vfsuid, current_fsuid())) 393 goto check_perm; 394 break; 395 case ACL_USER: 396 vfsuid = make_vfsuid(idmap, fs_userns, 397 pa->e_uid); 398 if (vfsuid_eq_kuid(vfsuid, current_fsuid())) 399 goto mask; 400 break; 401 case ACL_GROUP_OBJ: 402 vfsgid = i_gid_into_vfsgid(idmap, inode); 403 if (vfsgid_in_group_p(vfsgid)) { 404 found = 1; 405 if ((pa->e_perm & want) == want) 406 goto mask; 407 } 408 break; 409 case ACL_GROUP: 410 vfsgid = make_vfsgid(idmap, fs_userns, 411 pa->e_gid); 412 if (vfsgid_in_group_p(vfsgid)) { 413 found = 1; 414 if ((pa->e_perm & want) == want) 415 goto mask; 416 } 417 break; 418 case ACL_MASK: 419 break; 420 case ACL_OTHER: 421 if (found) 422 return -EACCES; 423 else 424 goto check_perm; 425 default: 426 return -EIO; 427 } 428 } 429 return -EIO; 430 431 mask: 432 for (mask_obj = pa+1; mask_obj != pe; mask_obj++) { 433 if (mask_obj->e_tag == ACL_MASK) { 434 if ((pa->e_perm & mask_obj->e_perm & want) == want) 435 return 0; 436 return -EACCES; 437 } 438 } 439 440 check_perm: 441 if ((pa->e_perm & want) == want) 442 return 0; 443 return -EACCES; 444 } 445 446 /* 447 * Modify acl when creating a new inode. The caller must ensure the acl is 448 * only referenced once. 449 * 450 * mode_p initially must contain the mode parameter to the open() / creat() 451 * system calls. All permissions that are not granted by the acl are removed. 452 * The permissions in the acl are changed to reflect the mode_p parameter. 453 */ 454 static int posix_acl_create_masq(struct posix_acl *acl, umode_t *mode_p) 455 { 456 struct posix_acl_entry *pa, *pe; 457 struct posix_acl_entry *group_obj = NULL, *mask_obj = NULL; 458 umode_t mode = *mode_p; 459 int not_equiv = 0; 460 461 /* assert(atomic_read(acl->a_refcount) == 1); */ 462 463 FOREACH_ACL_ENTRY(pa, acl, pe) { 464 switch(pa->e_tag) { 465 case ACL_USER_OBJ: 466 pa->e_perm &= (mode >> 6) | ~S_IRWXO; 467 mode &= (pa->e_perm << 6) | ~S_IRWXU; 468 break; 469 470 case ACL_USER: 471 case ACL_GROUP: 472 not_equiv = 1; 473 break; 474 475 case ACL_GROUP_OBJ: 476 group_obj = pa; 477 break; 478 479 case ACL_OTHER: 480 pa->e_perm &= mode | ~S_IRWXO; 481 mode &= pa->e_perm | ~S_IRWXO; 482 break; 483 484 case ACL_MASK: 485 mask_obj = pa; 486 not_equiv = 1; 487 break; 488 489 default: 490 return -EIO; 491 } 492 } 493 494 if (mask_obj) { 495 mask_obj->e_perm &= (mode >> 3) | ~S_IRWXO; 496 mode &= (mask_obj->e_perm << 3) | ~S_IRWXG; 497 } else { 498 if (!group_obj) 499 return -EIO; 500 group_obj->e_perm &= (mode >> 3) | ~S_IRWXO; 501 mode &= (group_obj->e_perm << 3) | ~S_IRWXG; 502 } 503 504 *mode_p = (*mode_p & ~S_IRWXUGO) | mode; 505 return not_equiv; 506 } 507 508 /* 509 * Modify the ACL for the chmod syscall. 510 */ 511 static int __posix_acl_chmod_masq(struct posix_acl *acl, umode_t mode) 512 { 513 struct posix_acl_entry *group_obj = NULL, *mask_obj = NULL; 514 struct posix_acl_entry *pa, *pe; 515 516 /* assert(atomic_read(acl->a_refcount) == 1); */ 517 518 FOREACH_ACL_ENTRY(pa, acl, pe) { 519 switch(pa->e_tag) { 520 case ACL_USER_OBJ: 521 pa->e_perm = (mode & S_IRWXU) >> 6; 522 break; 523 524 case ACL_USER: 525 case ACL_GROUP: 526 break; 527 528 case ACL_GROUP_OBJ: 529 group_obj = pa; 530 break; 531 532 case ACL_MASK: 533 mask_obj = pa; 534 break; 535 536 case ACL_OTHER: 537 pa->e_perm = (mode & S_IRWXO); 538 break; 539 540 default: 541 return -EIO; 542 } 543 } 544 545 if (mask_obj) { 546 mask_obj->e_perm = (mode & S_IRWXG) >> 3; 547 } else { 548 if (!group_obj) 549 return -EIO; 550 group_obj->e_perm = (mode & S_IRWXG) >> 3; 551 } 552 553 return 0; 554 } 555 556 int 557 __posix_acl_create(struct posix_acl **acl, gfp_t gfp, umode_t *mode_p) 558 { 559 struct posix_acl *clone = posix_acl_clone(*acl, gfp); 560 int err = -ENOMEM; 561 if (clone) { 562 err = posix_acl_create_masq(clone, mode_p); 563 if (err < 0) { 564 posix_acl_release(clone); 565 clone = NULL; 566 } 567 } 568 posix_acl_release(*acl); 569 *acl = clone; 570 return err; 571 } 572 EXPORT_SYMBOL(__posix_acl_create); 573 574 int 575 __posix_acl_chmod(struct posix_acl **acl, gfp_t gfp, umode_t mode) 576 { 577 struct posix_acl *clone = posix_acl_clone(*acl, gfp); 578 int err = -ENOMEM; 579 if (clone) { 580 err = __posix_acl_chmod_masq(clone, mode); 581 if (err) { 582 posix_acl_release(clone); 583 clone = NULL; 584 } 585 } 586 posix_acl_release(*acl); 587 *acl = clone; 588 return err; 589 } 590 EXPORT_SYMBOL(__posix_acl_chmod); 591 592 /** 593 * posix_acl_chmod - chmod a posix acl 594 * 595 * @idmap: idmap of the mount @inode was found from 596 * @dentry: dentry to check permissions on 597 * @mode: the new mode of @inode 598 * 599 * If the dentry has been found through an idmapped mount the idmap of 600 * the vfsmount must be passed through @idmap. This function will then 601 * take care to map the inode according to @idmap before checking 602 * permissions. On non-idmapped mounts or if permission checking is to be 603 * performed on the raw inode simply passs @nop_mnt_idmap. 604 */ 605 int 606 posix_acl_chmod(struct mnt_idmap *idmap, struct dentry *dentry, 607 umode_t mode) 608 { 609 struct inode *inode = d_inode(dentry); 610 struct posix_acl *acl; 611 int ret = 0; 612 613 if (!IS_POSIXACL(inode)) 614 return 0; 615 if (!inode->i_op->set_acl) 616 return -EOPNOTSUPP; 617 618 acl = get_inode_acl(inode, ACL_TYPE_ACCESS); 619 if (IS_ERR_OR_NULL(acl)) { 620 if (acl == ERR_PTR(-EOPNOTSUPP)) 621 return 0; 622 return PTR_ERR(acl); 623 } 624 625 ret = __posix_acl_chmod(&acl, GFP_KERNEL, mode); 626 if (ret) 627 return ret; 628 ret = inode->i_op->set_acl(idmap, dentry, acl, ACL_TYPE_ACCESS); 629 posix_acl_release(acl); 630 return ret; 631 } 632 EXPORT_SYMBOL(posix_acl_chmod); 633 634 int 635 posix_acl_create(struct inode *dir, umode_t *mode, 636 struct posix_acl **default_acl, struct posix_acl **acl) 637 { 638 struct posix_acl *p; 639 struct posix_acl *clone; 640 int ret; 641 642 *acl = NULL; 643 *default_acl = NULL; 644 645 if (S_ISLNK(*mode) || !IS_POSIXACL(dir)) 646 return 0; 647 648 p = get_inode_acl(dir, ACL_TYPE_DEFAULT); 649 if (!p || p == ERR_PTR(-EOPNOTSUPP)) { 650 *mode &= ~current_umask(); 651 return 0; 652 } 653 if (IS_ERR(p)) 654 return PTR_ERR(p); 655 656 ret = -ENOMEM; 657 clone = posix_acl_clone(p, GFP_NOFS); 658 if (!clone) 659 goto err_release; 660 661 ret = posix_acl_create_masq(clone, mode); 662 if (ret < 0) 663 goto err_release_clone; 664 665 if (ret == 0) 666 posix_acl_release(clone); 667 else 668 *acl = clone; 669 670 if (!S_ISDIR(*mode)) 671 posix_acl_release(p); 672 else 673 *default_acl = p; 674 675 return 0; 676 677 err_release_clone: 678 posix_acl_release(clone); 679 err_release: 680 posix_acl_release(p); 681 return ret; 682 } 683 EXPORT_SYMBOL_GPL(posix_acl_create); 684 685 /** 686 * posix_acl_update_mode - update mode in set_acl 687 * @idmap: idmap of the mount @inode was found from 688 * @inode: target inode 689 * @mode_p: mode (pointer) for update 690 * @acl: acl pointer 691 * 692 * Update the file mode when setting an ACL: compute the new file permission 693 * bits based on the ACL. In addition, if the ACL is equivalent to the new 694 * file mode, set *@acl to NULL to indicate that no ACL should be set. 695 * 696 * As with chmod, clear the setgid bit if the caller is not in the owning group 697 * or capable of CAP_FSETID (see inode_change_ok). 698 * 699 * If the inode has been found through an idmapped mount the idmap of 700 * the vfsmount must be passed through @idmap. This function will then 701 * take care to map the inode according to @idmap before checking 702 * permissions. On non-idmapped mounts or if permission checking is to be 703 * performed on the raw inode simply passs @nop_mnt_idmap. 704 * 705 * Called from set_acl inode operations. 706 */ 707 int posix_acl_update_mode(struct mnt_idmap *idmap, 708 struct inode *inode, umode_t *mode_p, 709 struct posix_acl **acl) 710 { 711 umode_t mode = inode->i_mode; 712 int error; 713 714 error = posix_acl_equiv_mode(*acl, &mode); 715 if (error < 0) 716 return error; 717 if (error == 0) 718 *acl = NULL; 719 if (!vfsgid_in_group_p(i_gid_into_vfsgid(idmap, inode)) && 720 !capable_wrt_inode_uidgid(idmap, inode, CAP_FSETID)) 721 mode &= ~S_ISGID; 722 *mode_p = mode; 723 return 0; 724 } 725 EXPORT_SYMBOL(posix_acl_update_mode); 726 727 /* 728 * Fix up the uids and gids in posix acl extended attributes in place. 729 */ 730 static int posix_acl_fix_xattr_common(const void *value, size_t size) 731 { 732 const struct posix_acl_xattr_header *header = value; 733 int count; 734 735 if (!header) 736 return -EINVAL; 737 if (size < sizeof(struct posix_acl_xattr_header)) 738 return -EINVAL; 739 if (header->a_version != cpu_to_le32(POSIX_ACL_XATTR_VERSION)) 740 return -EOPNOTSUPP; 741 742 count = posix_acl_xattr_count(size); 743 if (count < 0) 744 return -EINVAL; 745 if (count == 0) 746 return 0; 747 748 return count; 749 } 750 751 /** 752 * posix_acl_from_xattr - convert POSIX ACLs from backing store to VFS format 753 * @userns: the filesystem's idmapping 754 * @value: the uapi representation of POSIX ACLs 755 * @size: the size of @void 756 * 757 * Filesystems that store POSIX ACLs in the unaltered uapi format should use 758 * posix_acl_from_xattr() when reading them from the backing store and 759 * converting them into the struct posix_acl VFS format. The helper is 760 * specifically intended to be called from the acl inode operation. 761 * 762 * The posix_acl_from_xattr() function will map the raw {g,u}id values stored 763 * in ACL_{GROUP,USER} entries into idmapping in @userns. 764 * 765 * Note that posix_acl_from_xattr() does not take idmapped mounts into account. 766 * If it did it calling it from the get acl inode operation would return POSIX 767 * ACLs mapped according to an idmapped mount which would mean that the value 768 * couldn't be cached for the filesystem. Idmapped mounts are taken into 769 * account on the fly during permission checking or right at the VFS - 770 * userspace boundary before reporting them to the user. 771 * 772 * Return: Allocated struct posix_acl on success, NULL for a valid header but 773 * without actual POSIX ACL entries, or ERR_PTR() encoded error code. 774 */ 775 struct posix_acl *posix_acl_from_xattr(struct user_namespace *userns, 776 const void *value, size_t size) 777 { 778 const struct posix_acl_xattr_header *header = value; 779 const struct posix_acl_xattr_entry *entry = (const void *)(header + 1), *end; 780 int count; 781 struct posix_acl *acl; 782 struct posix_acl_entry *acl_e; 783 784 count = posix_acl_fix_xattr_common(value, size); 785 if (count < 0) 786 return ERR_PTR(count); 787 if (count == 0) 788 return NULL; 789 790 acl = posix_acl_alloc(count, GFP_NOFS); 791 if (!acl) 792 return ERR_PTR(-ENOMEM); 793 acl_e = acl->a_entries; 794 795 for (end = entry + count; entry != end; acl_e++, entry++) { 796 acl_e->e_tag = le16_to_cpu(entry->e_tag); 797 acl_e->e_perm = le16_to_cpu(entry->e_perm); 798 799 switch(acl_e->e_tag) { 800 case ACL_USER_OBJ: 801 case ACL_GROUP_OBJ: 802 case ACL_MASK: 803 case ACL_OTHER: 804 break; 805 806 case ACL_USER: 807 acl_e->e_uid = make_kuid(userns, 808 le32_to_cpu(entry->e_id)); 809 if (!uid_valid(acl_e->e_uid)) 810 goto fail; 811 break; 812 case ACL_GROUP: 813 acl_e->e_gid = make_kgid(userns, 814 le32_to_cpu(entry->e_id)); 815 if (!gid_valid(acl_e->e_gid)) 816 goto fail; 817 break; 818 819 default: 820 goto fail; 821 } 822 } 823 return acl; 824 825 fail: 826 posix_acl_release(acl); 827 return ERR_PTR(-EINVAL); 828 } 829 EXPORT_SYMBOL (posix_acl_from_xattr); 830 831 /* 832 * Convert from in-memory to extended attribute representation. 833 */ 834 int 835 posix_acl_to_xattr(struct user_namespace *user_ns, const struct posix_acl *acl, 836 void *buffer, size_t size) 837 { 838 struct posix_acl_xattr_header *ext_acl = buffer; 839 struct posix_acl_xattr_entry *ext_entry; 840 int real_size, n; 841 842 real_size = posix_acl_xattr_size(acl->a_count); 843 if (!buffer) 844 return real_size; 845 if (real_size > size) 846 return -ERANGE; 847 848 ext_entry = (void *)(ext_acl + 1); 849 ext_acl->a_version = cpu_to_le32(POSIX_ACL_XATTR_VERSION); 850 851 for (n=0; n < acl->a_count; n++, ext_entry++) { 852 const struct posix_acl_entry *acl_e = &acl->a_entries[n]; 853 ext_entry->e_tag = cpu_to_le16(acl_e->e_tag); 854 ext_entry->e_perm = cpu_to_le16(acl_e->e_perm); 855 switch(acl_e->e_tag) { 856 case ACL_USER: 857 ext_entry->e_id = 858 cpu_to_le32(from_kuid(user_ns, acl_e->e_uid)); 859 break; 860 case ACL_GROUP: 861 ext_entry->e_id = 862 cpu_to_le32(from_kgid(user_ns, acl_e->e_gid)); 863 break; 864 default: 865 ext_entry->e_id = cpu_to_le32(ACL_UNDEFINED_ID); 866 break; 867 } 868 } 869 return real_size; 870 } 871 EXPORT_SYMBOL (posix_acl_to_xattr); 872 873 /** 874 * vfs_posix_acl_to_xattr - convert from kernel to userspace representation 875 * @idmap: idmap of the mount 876 * @inode: inode the posix acls are set on 877 * @acl: the posix acls as represented by the vfs 878 * @buffer: the buffer into which to convert @acl 879 * @size: size of @buffer 880 * 881 * This converts @acl from the VFS representation in the filesystem idmapping 882 * to the uapi form reportable to userspace. And mount and caller idmappings 883 * are handled appropriately. 884 * 885 * Return: On success, the size of the stored uapi posix acls, on error a 886 * negative errno. 887 */ 888 static ssize_t vfs_posix_acl_to_xattr(struct mnt_idmap *idmap, 889 struct inode *inode, 890 const struct posix_acl *acl, void *buffer, 891 size_t size) 892 893 { 894 struct posix_acl_xattr_header *ext_acl = buffer; 895 struct posix_acl_xattr_entry *ext_entry; 896 struct user_namespace *fs_userns, *caller_userns; 897 ssize_t real_size, n; 898 vfsuid_t vfsuid; 899 vfsgid_t vfsgid; 900 901 real_size = posix_acl_xattr_size(acl->a_count); 902 if (!buffer) 903 return real_size; 904 if (real_size > size) 905 return -ERANGE; 906 907 ext_entry = (void *)(ext_acl + 1); 908 ext_acl->a_version = cpu_to_le32(POSIX_ACL_XATTR_VERSION); 909 910 fs_userns = i_user_ns(inode); 911 caller_userns = current_user_ns(); 912 for (n=0; n < acl->a_count; n++, ext_entry++) { 913 const struct posix_acl_entry *acl_e = &acl->a_entries[n]; 914 ext_entry->e_tag = cpu_to_le16(acl_e->e_tag); 915 ext_entry->e_perm = cpu_to_le16(acl_e->e_perm); 916 switch(acl_e->e_tag) { 917 case ACL_USER: 918 vfsuid = make_vfsuid(idmap, fs_userns, acl_e->e_uid); 919 ext_entry->e_id = cpu_to_le32(from_kuid( 920 caller_userns, vfsuid_into_kuid(vfsuid))); 921 break; 922 case ACL_GROUP: 923 vfsgid = make_vfsgid(idmap, fs_userns, acl_e->e_gid); 924 ext_entry->e_id = cpu_to_le32(from_kgid( 925 caller_userns, vfsgid_into_kgid(vfsgid))); 926 break; 927 default: 928 ext_entry->e_id = cpu_to_le32(ACL_UNDEFINED_ID); 929 break; 930 } 931 } 932 return real_size; 933 } 934 935 int 936 set_posix_acl(struct mnt_idmap *idmap, struct dentry *dentry, 937 int type, struct posix_acl *acl) 938 { 939 struct inode *inode = d_inode(dentry); 940 941 if (!IS_POSIXACL(inode)) 942 return -EOPNOTSUPP; 943 if (!inode->i_op->set_acl) 944 return -EOPNOTSUPP; 945 946 if (type == ACL_TYPE_DEFAULT && !S_ISDIR(inode->i_mode)) 947 return acl ? -EACCES : 0; 948 if (!inode_owner_or_capable(idmap, inode)) 949 return -EPERM; 950 951 if (acl) { 952 int ret = posix_acl_valid(inode->i_sb->s_user_ns, acl); 953 if (ret) 954 return ret; 955 } 956 return inode->i_op->set_acl(idmap, dentry, acl, type); 957 } 958 EXPORT_SYMBOL(set_posix_acl); 959 960 static bool 961 posix_acl_xattr_list(struct dentry *dentry) 962 { 963 return IS_POSIXACL(d_backing_inode(dentry)); 964 } 965 966 const struct xattr_handler posix_acl_access_xattr_handler = { 967 .name = XATTR_NAME_POSIX_ACL_ACCESS, 968 .flags = ACL_TYPE_ACCESS, 969 .list = posix_acl_xattr_list, 970 }; 971 EXPORT_SYMBOL_GPL(posix_acl_access_xattr_handler); 972 973 const struct xattr_handler posix_acl_default_xattr_handler = { 974 .name = XATTR_NAME_POSIX_ACL_DEFAULT, 975 .flags = ACL_TYPE_DEFAULT, 976 .list = posix_acl_xattr_list, 977 }; 978 EXPORT_SYMBOL_GPL(posix_acl_default_xattr_handler); 979 980 int simple_set_acl(struct mnt_idmap *idmap, struct dentry *dentry, 981 struct posix_acl *acl, int type) 982 { 983 int error; 984 struct inode *inode = d_inode(dentry); 985 986 if (type == ACL_TYPE_ACCESS) { 987 error = posix_acl_update_mode(idmap, inode, 988 &inode->i_mode, &acl); 989 if (error) 990 return error; 991 } 992 993 inode->i_ctime = current_time(inode); 994 if (IS_I_VERSION(inode)) 995 inode_inc_iversion(inode); 996 set_cached_acl(inode, type, acl); 997 return 0; 998 } 999 1000 int simple_acl_create(struct inode *dir, struct inode *inode) 1001 { 1002 struct posix_acl *default_acl, *acl; 1003 int error; 1004 1005 error = posix_acl_create(dir, &inode->i_mode, &default_acl, &acl); 1006 if (error) 1007 return error; 1008 1009 set_cached_acl(inode, ACL_TYPE_DEFAULT, default_acl); 1010 set_cached_acl(inode, ACL_TYPE_ACCESS, acl); 1011 1012 if (default_acl) 1013 posix_acl_release(default_acl); 1014 if (acl) 1015 posix_acl_release(acl); 1016 return 0; 1017 } 1018 1019 static int vfs_set_acl_idmapped_mnt(struct mnt_idmap *idmap, 1020 struct user_namespace *fs_userns, 1021 struct posix_acl *acl) 1022 { 1023 for (int n = 0; n < acl->a_count; n++) { 1024 struct posix_acl_entry *acl_e = &acl->a_entries[n]; 1025 1026 switch (acl_e->e_tag) { 1027 case ACL_USER: 1028 acl_e->e_uid = from_vfsuid(idmap, fs_userns, 1029 VFSUIDT_INIT(acl_e->e_uid)); 1030 break; 1031 case ACL_GROUP: 1032 acl_e->e_gid = from_vfsgid(idmap, fs_userns, 1033 VFSGIDT_INIT(acl_e->e_gid)); 1034 break; 1035 } 1036 } 1037 1038 return 0; 1039 } 1040 1041 /** 1042 * vfs_set_acl - set posix acls 1043 * @idmap: idmap of the mount 1044 * @dentry: the dentry based on which to set the posix acls 1045 * @acl_name: the name of the posix acl 1046 * @kacl: the posix acls in the appropriate VFS format 1047 * 1048 * This function sets @kacl. The caller must all posix_acl_release() on @kacl 1049 * afterwards. 1050 * 1051 * Return: On success 0, on error negative errno. 1052 */ 1053 int vfs_set_acl(struct mnt_idmap *idmap, struct dentry *dentry, 1054 const char *acl_name, struct posix_acl *kacl) 1055 { 1056 int acl_type; 1057 int error; 1058 struct inode *inode = d_inode(dentry); 1059 struct inode *delegated_inode = NULL; 1060 1061 acl_type = posix_acl_type(acl_name); 1062 if (acl_type < 0) 1063 return -EINVAL; 1064 1065 if (kacl) { 1066 /* 1067 * If we're on an idmapped mount translate from mount specific 1068 * vfs{g,u}id_t into global filesystem k{g,u}id_t. 1069 * Afterwards we can cache the POSIX ACLs filesystem wide and - 1070 * if this is a filesystem with a backing store - ultimately 1071 * translate them to backing store values. 1072 */ 1073 error = vfs_set_acl_idmapped_mnt(idmap, i_user_ns(inode), kacl); 1074 if (error) 1075 return error; 1076 } 1077 1078 retry_deleg: 1079 inode_lock(inode); 1080 1081 /* 1082 * We only care about restrictions the inode struct itself places upon 1083 * us otherwise POSIX ACLs aren't subject to any VFS restrictions. 1084 */ 1085 error = may_write_xattr(idmap, inode); 1086 if (error) 1087 goto out_inode_unlock; 1088 1089 error = security_inode_set_acl(idmap, dentry, acl_name, kacl); 1090 if (error) 1091 goto out_inode_unlock; 1092 1093 error = try_break_deleg(inode, &delegated_inode); 1094 if (error) 1095 goto out_inode_unlock; 1096 1097 if (inode->i_opflags & IOP_XATTR) 1098 error = set_posix_acl(idmap, dentry, acl_type, kacl); 1099 else if (unlikely(is_bad_inode(inode))) 1100 error = -EIO; 1101 else 1102 error = -EOPNOTSUPP; 1103 if (!error) { 1104 fsnotify_xattr(dentry); 1105 evm_inode_post_set_acl(dentry, acl_name, kacl); 1106 } 1107 1108 out_inode_unlock: 1109 inode_unlock(inode); 1110 1111 if (delegated_inode) { 1112 error = break_deleg_wait(&delegated_inode); 1113 if (!error) 1114 goto retry_deleg; 1115 } 1116 1117 return error; 1118 } 1119 EXPORT_SYMBOL_GPL(vfs_set_acl); 1120 1121 /** 1122 * vfs_get_acl - get posix acls 1123 * @idmap: idmap of the mount 1124 * @dentry: the dentry based on which to retrieve the posix acls 1125 * @acl_name: the name of the posix acl 1126 * 1127 * This function retrieves @kacl from the filesystem. The caller must all 1128 * posix_acl_release() on @kacl. 1129 * 1130 * Return: On success POSIX ACLs in VFS format, on error negative errno. 1131 */ 1132 struct posix_acl *vfs_get_acl(struct mnt_idmap *idmap, 1133 struct dentry *dentry, const char *acl_name) 1134 { 1135 struct inode *inode = d_inode(dentry); 1136 struct posix_acl *acl; 1137 int acl_type, error; 1138 1139 acl_type = posix_acl_type(acl_name); 1140 if (acl_type < 0) 1141 return ERR_PTR(-EINVAL); 1142 1143 /* 1144 * The VFS has no restrictions on reading POSIX ACLs so calling 1145 * something like xattr_permission() isn't needed. Only LSMs get a say. 1146 */ 1147 error = security_inode_get_acl(idmap, dentry, acl_name); 1148 if (error) 1149 return ERR_PTR(error); 1150 1151 if (!IS_POSIXACL(inode)) 1152 return ERR_PTR(-EOPNOTSUPP); 1153 if (S_ISLNK(inode->i_mode)) 1154 return ERR_PTR(-EOPNOTSUPP); 1155 1156 acl = __get_acl(idmap, dentry, inode, acl_type); 1157 if (IS_ERR(acl)) 1158 return acl; 1159 if (!acl) 1160 return ERR_PTR(-ENODATA); 1161 1162 return acl; 1163 } 1164 EXPORT_SYMBOL_GPL(vfs_get_acl); 1165 1166 /** 1167 * vfs_remove_acl - remove posix acls 1168 * @idmap: idmap of the mount 1169 * @dentry: the dentry based on which to retrieve the posix acls 1170 * @acl_name: the name of the posix acl 1171 * 1172 * This function removes posix acls. 1173 * 1174 * Return: On success 0, on error negative errno. 1175 */ 1176 int vfs_remove_acl(struct mnt_idmap *idmap, struct dentry *dentry, 1177 const char *acl_name) 1178 { 1179 int acl_type; 1180 int error; 1181 struct inode *inode = d_inode(dentry); 1182 struct inode *delegated_inode = NULL; 1183 1184 acl_type = posix_acl_type(acl_name); 1185 if (acl_type < 0) 1186 return -EINVAL; 1187 1188 retry_deleg: 1189 inode_lock(inode); 1190 1191 /* 1192 * We only care about restrictions the inode struct itself places upon 1193 * us otherwise POSIX ACLs aren't subject to any VFS restrictions. 1194 */ 1195 error = may_write_xattr(idmap, inode); 1196 if (error) 1197 goto out_inode_unlock; 1198 1199 error = security_inode_remove_acl(idmap, dentry, acl_name); 1200 if (error) 1201 goto out_inode_unlock; 1202 1203 error = try_break_deleg(inode, &delegated_inode); 1204 if (error) 1205 goto out_inode_unlock; 1206 1207 if (inode->i_opflags & IOP_XATTR) 1208 error = set_posix_acl(idmap, dentry, acl_type, NULL); 1209 else if (unlikely(is_bad_inode(inode))) 1210 error = -EIO; 1211 else 1212 error = -EOPNOTSUPP; 1213 if (!error) { 1214 fsnotify_xattr(dentry); 1215 evm_inode_post_remove_acl(idmap, dentry, acl_name); 1216 } 1217 1218 out_inode_unlock: 1219 inode_unlock(inode); 1220 1221 if (delegated_inode) { 1222 error = break_deleg_wait(&delegated_inode); 1223 if (!error) 1224 goto retry_deleg; 1225 } 1226 1227 return error; 1228 } 1229 EXPORT_SYMBOL_GPL(vfs_remove_acl); 1230 1231 int do_set_acl(struct mnt_idmap *idmap, struct dentry *dentry, 1232 const char *acl_name, const void *kvalue, size_t size) 1233 { 1234 int error; 1235 struct posix_acl *acl = NULL; 1236 1237 if (size) { 1238 /* 1239 * Note that posix_acl_from_xattr() uses GFP_NOFS when it 1240 * probably doesn't need to here. 1241 */ 1242 acl = posix_acl_from_xattr(current_user_ns(), kvalue, size); 1243 if (IS_ERR(acl)) 1244 return PTR_ERR(acl); 1245 } 1246 1247 error = vfs_set_acl(idmap, dentry, acl_name, acl); 1248 posix_acl_release(acl); 1249 return error; 1250 } 1251 1252 ssize_t do_get_acl(struct mnt_idmap *idmap, struct dentry *dentry, 1253 const char *acl_name, void *kvalue, size_t size) 1254 { 1255 ssize_t error; 1256 struct posix_acl *acl; 1257 1258 acl = vfs_get_acl(idmap, dentry, acl_name); 1259 if (IS_ERR(acl)) 1260 return PTR_ERR(acl); 1261 1262 error = vfs_posix_acl_to_xattr(idmap, d_inode(dentry), 1263 acl, kvalue, size); 1264 posix_acl_release(acl); 1265 return error; 1266 } 1267