1 // SPDX-License-Identifier: GPL-2.0-only 2 /* 3 File: fs/xattr.c 4 5 Extended attribute handling. 6 7 Copyright (C) 2001 by Andreas Gruenbacher <a.gruenbacher@computer.org> 8 Copyright (C) 2001 SGI - Silicon Graphics, Inc <linux-xfs@oss.sgi.com> 9 Copyright (c) 2004 Red Hat, Inc., James Morris <jmorris@redhat.com> 10 */ 11 #include <linux/fs.h> 12 #include <linux/filelock.h> 13 #include <linux/slab.h> 14 #include <linux/file.h> 15 #include <linux/xattr.h> 16 #include <linux/mount.h> 17 #include <linux/namei.h> 18 #include <linux/security.h> 19 #include <linux/evm.h> 20 #include <linux/syscalls.h> 21 #include <linux/export.h> 22 #include <linux/fsnotify.h> 23 #include <linux/audit.h> 24 #include <linux/vmalloc.h> 25 #include <linux/posix_acl_xattr.h> 26 27 #include <linux/uaccess.h> 28 29 #include "internal.h" 30 31 static const char * 32 strcmp_prefix(const char *a, const char *a_prefix) 33 { 34 while (*a_prefix && *a == *a_prefix) { 35 a++; 36 a_prefix++; 37 } 38 return *a_prefix ? NULL : a; 39 } 40 41 /* 42 * In order to implement different sets of xattr operations for each xattr 43 * prefix, a filesystem should create a null-terminated array of struct 44 * xattr_handler (one for each prefix) and hang a pointer to it off of the 45 * s_xattr field of the superblock. 46 */ 47 #define for_each_xattr_handler(handlers, handler) \ 48 if (handlers) \ 49 for ((handler) = *(handlers)++; \ 50 (handler) != NULL; \ 51 (handler) = *(handlers)++) 52 53 /* 54 * Find the xattr_handler with the matching prefix. 55 */ 56 static const struct xattr_handler * 57 xattr_resolve_name(struct inode *inode, const char **name) 58 { 59 const struct xattr_handler **handlers = inode->i_sb->s_xattr; 60 const struct xattr_handler *handler; 61 62 if (!(inode->i_opflags & IOP_XATTR)) { 63 if (unlikely(is_bad_inode(inode))) 64 return ERR_PTR(-EIO); 65 return ERR_PTR(-EOPNOTSUPP); 66 } 67 for_each_xattr_handler(handlers, handler) { 68 const char *n; 69 70 n = strcmp_prefix(*name, xattr_prefix(handler)); 71 if (n) { 72 if (!handler->prefix ^ !*n) { 73 if (*n) 74 continue; 75 return ERR_PTR(-EINVAL); 76 } 77 *name = n; 78 return handler; 79 } 80 } 81 return ERR_PTR(-EOPNOTSUPP); 82 } 83 84 /** 85 * may_write_xattr - check whether inode allows writing xattr 86 * @idmap: idmap of the mount the inode was found from 87 * @inode: the inode on which to set an xattr 88 * 89 * Check whether the inode allows writing xattrs. Specifically, we can never 90 * set or remove an extended attribute on a read-only filesystem or on an 91 * immutable / append-only inode. 92 * 93 * We also need to ensure that the inode has a mapping in the mount to 94 * not risk writing back invalid i_{g,u}id values. 95 * 96 * Return: On success zero is returned. On error a negative errno is returned. 97 */ 98 int may_write_xattr(struct mnt_idmap *idmap, struct inode *inode) 99 { 100 if (IS_IMMUTABLE(inode)) 101 return -EPERM; 102 if (IS_APPEND(inode)) 103 return -EPERM; 104 if (HAS_UNMAPPED_ID(idmap, inode)) 105 return -EPERM; 106 return 0; 107 } 108 109 /* 110 * Check permissions for extended attribute access. This is a bit complicated 111 * because different namespaces have very different rules. 112 */ 113 static int 114 xattr_permission(struct mnt_idmap *idmap, struct inode *inode, 115 const char *name, int mask) 116 { 117 if (mask & MAY_WRITE) { 118 int ret; 119 120 ret = may_write_xattr(idmap, inode); 121 if (ret) 122 return ret; 123 } 124 125 /* 126 * No restriction for security.* and system.* from the VFS. Decision 127 * on these is left to the underlying filesystem / security module. 128 */ 129 if (!strncmp(name, XATTR_SECURITY_PREFIX, XATTR_SECURITY_PREFIX_LEN) || 130 !strncmp(name, XATTR_SYSTEM_PREFIX, XATTR_SYSTEM_PREFIX_LEN)) 131 return 0; 132 133 /* 134 * The trusted.* namespace can only be accessed by privileged users. 135 */ 136 if (!strncmp(name, XATTR_TRUSTED_PREFIX, XATTR_TRUSTED_PREFIX_LEN)) { 137 if (!capable(CAP_SYS_ADMIN)) 138 return (mask & MAY_WRITE) ? -EPERM : -ENODATA; 139 return 0; 140 } 141 142 /* 143 * In the user.* namespace, only regular files and directories can have 144 * extended attributes. For sticky directories, only the owner and 145 * privileged users can write attributes. 146 */ 147 if (!strncmp(name, XATTR_USER_PREFIX, XATTR_USER_PREFIX_LEN)) { 148 if (!S_ISREG(inode->i_mode) && !S_ISDIR(inode->i_mode)) 149 return (mask & MAY_WRITE) ? -EPERM : -ENODATA; 150 if (S_ISDIR(inode->i_mode) && (inode->i_mode & S_ISVTX) && 151 (mask & MAY_WRITE) && 152 !inode_owner_or_capable(idmap, inode)) 153 return -EPERM; 154 } 155 156 return inode_permission(idmap, inode, mask); 157 } 158 159 /* 160 * Look for any handler that deals with the specified namespace. 161 */ 162 int 163 xattr_supports_user_prefix(struct inode *inode) 164 { 165 const struct xattr_handler **handlers = inode->i_sb->s_xattr; 166 const struct xattr_handler *handler; 167 168 if (!(inode->i_opflags & IOP_XATTR)) { 169 if (unlikely(is_bad_inode(inode))) 170 return -EIO; 171 return -EOPNOTSUPP; 172 } 173 174 for_each_xattr_handler(handlers, handler) { 175 if (!strncmp(xattr_prefix(handler), XATTR_USER_PREFIX, 176 XATTR_USER_PREFIX_LEN)) 177 return 0; 178 } 179 180 return -EOPNOTSUPP; 181 } 182 EXPORT_SYMBOL(xattr_supports_user_prefix); 183 184 int 185 __vfs_setxattr(struct mnt_idmap *idmap, struct dentry *dentry, 186 struct inode *inode, const char *name, const void *value, 187 size_t size, int flags) 188 { 189 const struct xattr_handler *handler; 190 191 if (is_posix_acl_xattr(name)) 192 return -EOPNOTSUPP; 193 194 handler = xattr_resolve_name(inode, &name); 195 if (IS_ERR(handler)) 196 return PTR_ERR(handler); 197 if (!handler->set) 198 return -EOPNOTSUPP; 199 if (size == 0) 200 value = ""; /* empty EA, do not remove */ 201 return handler->set(handler, idmap, dentry, inode, name, value, 202 size, flags); 203 } 204 EXPORT_SYMBOL(__vfs_setxattr); 205 206 /** 207 * __vfs_setxattr_noperm - perform setxattr operation without performing 208 * permission checks. 209 * 210 * @idmap: idmap of the mount the inode was found from 211 * @dentry: object to perform setxattr on 212 * @name: xattr name to set 213 * @value: value to set @name to 214 * @size: size of @value 215 * @flags: flags to pass into filesystem operations 216 * 217 * returns the result of the internal setxattr or setsecurity operations. 218 * 219 * This function requires the caller to lock the inode's i_mutex before it 220 * is executed. It also assumes that the caller will make the appropriate 221 * permission checks. 222 */ 223 int __vfs_setxattr_noperm(struct mnt_idmap *idmap, 224 struct dentry *dentry, const char *name, 225 const void *value, size_t size, int flags) 226 { 227 struct inode *inode = dentry->d_inode; 228 int error = -EAGAIN; 229 int issec = !strncmp(name, XATTR_SECURITY_PREFIX, 230 XATTR_SECURITY_PREFIX_LEN); 231 232 if (issec) 233 inode->i_flags &= ~S_NOSEC; 234 if (inode->i_opflags & IOP_XATTR) { 235 error = __vfs_setxattr(idmap, dentry, inode, name, value, 236 size, flags); 237 if (!error) { 238 fsnotify_xattr(dentry); 239 security_inode_post_setxattr(dentry, name, value, 240 size, flags); 241 } 242 } else { 243 if (unlikely(is_bad_inode(inode))) 244 return -EIO; 245 } 246 if (error == -EAGAIN) { 247 error = -EOPNOTSUPP; 248 249 if (issec) { 250 const char *suffix = name + XATTR_SECURITY_PREFIX_LEN; 251 252 error = security_inode_setsecurity(inode, suffix, value, 253 size, flags); 254 if (!error) 255 fsnotify_xattr(dentry); 256 } 257 } 258 259 return error; 260 } 261 262 /** 263 * __vfs_setxattr_locked - set an extended attribute while holding the inode 264 * lock 265 * 266 * @idmap: idmap of the mount of the target inode 267 * @dentry: object to perform setxattr on 268 * @name: xattr name to set 269 * @value: value to set @name to 270 * @size: size of @value 271 * @flags: flags to pass into filesystem operations 272 * @delegated_inode: on return, will contain an inode pointer that 273 * a delegation was broken on, NULL if none. 274 */ 275 int 276 __vfs_setxattr_locked(struct mnt_idmap *idmap, struct dentry *dentry, 277 const char *name, const void *value, size_t size, 278 int flags, struct inode **delegated_inode) 279 { 280 struct inode *inode = dentry->d_inode; 281 int error; 282 283 error = xattr_permission(idmap, inode, name, MAY_WRITE); 284 if (error) 285 return error; 286 287 error = security_inode_setxattr(idmap, dentry, name, value, size, 288 flags); 289 if (error) 290 goto out; 291 292 error = try_break_deleg(inode, delegated_inode); 293 if (error) 294 goto out; 295 296 error = __vfs_setxattr_noperm(idmap, dentry, name, value, 297 size, flags); 298 299 out: 300 return error; 301 } 302 EXPORT_SYMBOL_GPL(__vfs_setxattr_locked); 303 304 int 305 vfs_setxattr(struct mnt_idmap *idmap, struct dentry *dentry, 306 const char *name, const void *value, size_t size, int flags) 307 { 308 struct inode *inode = dentry->d_inode; 309 struct inode *delegated_inode = NULL; 310 const void *orig_value = value; 311 int error; 312 313 if (size && strcmp(name, XATTR_NAME_CAPS) == 0) { 314 error = cap_convert_nscap(idmap, dentry, &value, size); 315 if (error < 0) 316 return error; 317 size = error; 318 } 319 320 retry_deleg: 321 inode_lock(inode); 322 error = __vfs_setxattr_locked(idmap, dentry, name, value, size, 323 flags, &delegated_inode); 324 inode_unlock(inode); 325 326 if (delegated_inode) { 327 error = break_deleg_wait(&delegated_inode); 328 if (!error) 329 goto retry_deleg; 330 } 331 if (value != orig_value) 332 kfree(value); 333 334 return error; 335 } 336 EXPORT_SYMBOL_GPL(vfs_setxattr); 337 338 static ssize_t 339 xattr_getsecurity(struct mnt_idmap *idmap, struct inode *inode, 340 const char *name, void *value, size_t size) 341 { 342 void *buffer = NULL; 343 ssize_t len; 344 345 if (!value || !size) { 346 len = security_inode_getsecurity(idmap, inode, name, 347 &buffer, false); 348 goto out_noalloc; 349 } 350 351 len = security_inode_getsecurity(idmap, inode, name, &buffer, 352 true); 353 if (len < 0) 354 return len; 355 if (size < len) { 356 len = -ERANGE; 357 goto out; 358 } 359 memcpy(value, buffer, len); 360 out: 361 kfree(buffer); 362 out_noalloc: 363 return len; 364 } 365 366 /* 367 * vfs_getxattr_alloc - allocate memory, if necessary, before calling getxattr 368 * 369 * Allocate memory, if not already allocated, or re-allocate correct size, 370 * before retrieving the extended attribute. The xattr value buffer should 371 * always be freed by the caller, even on error. 372 * 373 * Returns the result of alloc, if failed, or the getxattr operation. 374 */ 375 int 376 vfs_getxattr_alloc(struct mnt_idmap *idmap, struct dentry *dentry, 377 const char *name, char **xattr_value, size_t xattr_size, 378 gfp_t flags) 379 { 380 const struct xattr_handler *handler; 381 struct inode *inode = dentry->d_inode; 382 char *value = *xattr_value; 383 int error; 384 385 error = xattr_permission(idmap, inode, name, MAY_READ); 386 if (error) 387 return error; 388 389 handler = xattr_resolve_name(inode, &name); 390 if (IS_ERR(handler)) 391 return PTR_ERR(handler); 392 if (!handler->get) 393 return -EOPNOTSUPP; 394 error = handler->get(handler, dentry, inode, name, NULL, 0); 395 if (error < 0) 396 return error; 397 398 if (!value || (error > xattr_size)) { 399 value = krealloc(*xattr_value, error + 1, flags); 400 if (!value) 401 return -ENOMEM; 402 memset(value, 0, error + 1); 403 } 404 405 error = handler->get(handler, dentry, inode, name, value, error); 406 *xattr_value = value; 407 return error; 408 } 409 410 ssize_t 411 __vfs_getxattr(struct dentry *dentry, struct inode *inode, const char *name, 412 void *value, size_t size) 413 { 414 const struct xattr_handler *handler; 415 416 if (is_posix_acl_xattr(name)) 417 return -EOPNOTSUPP; 418 419 handler = xattr_resolve_name(inode, &name); 420 if (IS_ERR(handler)) 421 return PTR_ERR(handler); 422 if (!handler->get) 423 return -EOPNOTSUPP; 424 return handler->get(handler, dentry, inode, name, value, size); 425 } 426 EXPORT_SYMBOL(__vfs_getxattr); 427 428 ssize_t 429 vfs_getxattr(struct mnt_idmap *idmap, struct dentry *dentry, 430 const char *name, void *value, size_t size) 431 { 432 struct inode *inode = dentry->d_inode; 433 int error; 434 435 error = xattr_permission(idmap, inode, name, MAY_READ); 436 if (error) 437 return error; 438 439 error = security_inode_getxattr(dentry, name); 440 if (error) 441 return error; 442 443 if (!strncmp(name, XATTR_SECURITY_PREFIX, 444 XATTR_SECURITY_PREFIX_LEN)) { 445 const char *suffix = name + XATTR_SECURITY_PREFIX_LEN; 446 int ret = xattr_getsecurity(idmap, inode, suffix, value, 447 size); 448 /* 449 * Only overwrite the return value if a security module 450 * is actually active. 451 */ 452 if (ret == -EOPNOTSUPP) 453 goto nolsm; 454 return ret; 455 } 456 nolsm: 457 return __vfs_getxattr(dentry, inode, name, value, size); 458 } 459 EXPORT_SYMBOL_GPL(vfs_getxattr); 460 461 /** 462 * vfs_listxattr - retrieve \0 separated list of xattr names 463 * @dentry: the dentry from whose inode the xattr names are retrieved 464 * @list: buffer to store xattr names into 465 * @size: size of the buffer 466 * 467 * This function returns the names of all xattrs associated with the 468 * inode of @dentry. 469 * 470 * Note, for legacy reasons the vfs_listxattr() function lists POSIX 471 * ACLs as well. Since POSIX ACLs are decoupled from IOP_XATTR the 472 * vfs_listxattr() function doesn't check for this flag since a 473 * filesystem could implement POSIX ACLs without implementing any other 474 * xattrs. 475 * 476 * However, since all codepaths that remove IOP_XATTR also assign of 477 * inode operations that either don't implement or implement a stub 478 * ->listxattr() operation. 479 * 480 * Return: On success, the size of the buffer that was used. On error a 481 * negative error code. 482 */ 483 ssize_t 484 vfs_listxattr(struct dentry *dentry, char *list, size_t size) 485 { 486 struct inode *inode = d_inode(dentry); 487 ssize_t error; 488 489 error = security_inode_listxattr(dentry); 490 if (error) 491 return error; 492 493 if (inode->i_op->listxattr) { 494 error = inode->i_op->listxattr(dentry, list, size); 495 } else { 496 error = security_inode_listsecurity(inode, list, size); 497 if (size && error > size) 498 error = -ERANGE; 499 } 500 return error; 501 } 502 EXPORT_SYMBOL_GPL(vfs_listxattr); 503 504 int 505 __vfs_removexattr(struct mnt_idmap *idmap, struct dentry *dentry, 506 const char *name) 507 { 508 struct inode *inode = d_inode(dentry); 509 const struct xattr_handler *handler; 510 511 if (is_posix_acl_xattr(name)) 512 return -EOPNOTSUPP; 513 514 handler = xattr_resolve_name(inode, &name); 515 if (IS_ERR(handler)) 516 return PTR_ERR(handler); 517 if (!handler->set) 518 return -EOPNOTSUPP; 519 return handler->set(handler, idmap, dentry, inode, name, NULL, 0, 520 XATTR_REPLACE); 521 } 522 EXPORT_SYMBOL(__vfs_removexattr); 523 524 /** 525 * __vfs_removexattr_locked - set an extended attribute while holding the inode 526 * lock 527 * 528 * @idmap: idmap of the mount of the target inode 529 * @dentry: object to perform setxattr on 530 * @name: name of xattr to remove 531 * @delegated_inode: on return, will contain an inode pointer that 532 * a delegation was broken on, NULL if none. 533 */ 534 int 535 __vfs_removexattr_locked(struct mnt_idmap *idmap, 536 struct dentry *dentry, const char *name, 537 struct inode **delegated_inode) 538 { 539 struct inode *inode = dentry->d_inode; 540 int error; 541 542 error = xattr_permission(idmap, inode, name, MAY_WRITE); 543 if (error) 544 return error; 545 546 error = security_inode_removexattr(idmap, dentry, name); 547 if (error) 548 goto out; 549 550 error = try_break_deleg(inode, delegated_inode); 551 if (error) 552 goto out; 553 554 error = __vfs_removexattr(idmap, dentry, name); 555 556 if (!error) { 557 fsnotify_xattr(dentry); 558 evm_inode_post_removexattr(dentry, name); 559 } 560 561 out: 562 return error; 563 } 564 EXPORT_SYMBOL_GPL(__vfs_removexattr_locked); 565 566 int 567 vfs_removexattr(struct mnt_idmap *idmap, struct dentry *dentry, 568 const char *name) 569 { 570 struct inode *inode = dentry->d_inode; 571 struct inode *delegated_inode = NULL; 572 int error; 573 574 retry_deleg: 575 inode_lock(inode); 576 error = __vfs_removexattr_locked(idmap, dentry, 577 name, &delegated_inode); 578 inode_unlock(inode); 579 580 if (delegated_inode) { 581 error = break_deleg_wait(&delegated_inode); 582 if (!error) 583 goto retry_deleg; 584 } 585 586 return error; 587 } 588 EXPORT_SYMBOL_GPL(vfs_removexattr); 589 590 /* 591 * Extended attribute SET operations 592 */ 593 594 int setxattr_copy(const char __user *name, struct xattr_ctx *ctx) 595 { 596 int error; 597 598 if (ctx->flags & ~(XATTR_CREATE|XATTR_REPLACE)) 599 return -EINVAL; 600 601 error = strncpy_from_user(ctx->kname->name, name, 602 sizeof(ctx->kname->name)); 603 if (error == 0 || error == sizeof(ctx->kname->name)) 604 return -ERANGE; 605 if (error < 0) 606 return error; 607 608 error = 0; 609 if (ctx->size) { 610 if (ctx->size > XATTR_SIZE_MAX) 611 return -E2BIG; 612 613 ctx->kvalue = vmemdup_user(ctx->cvalue, ctx->size); 614 if (IS_ERR(ctx->kvalue)) { 615 error = PTR_ERR(ctx->kvalue); 616 ctx->kvalue = NULL; 617 } 618 } 619 620 return error; 621 } 622 623 int do_setxattr(struct mnt_idmap *idmap, struct dentry *dentry, 624 struct xattr_ctx *ctx) 625 { 626 if (is_posix_acl_xattr(ctx->kname->name)) 627 return do_set_acl(idmap, dentry, ctx->kname->name, 628 ctx->kvalue, ctx->size); 629 630 return vfs_setxattr(idmap, dentry, ctx->kname->name, 631 ctx->kvalue, ctx->size, ctx->flags); 632 } 633 634 static long 635 setxattr(struct mnt_idmap *idmap, struct dentry *d, 636 const char __user *name, const void __user *value, size_t size, 637 int flags) 638 { 639 struct xattr_name kname; 640 struct xattr_ctx ctx = { 641 .cvalue = value, 642 .kvalue = NULL, 643 .size = size, 644 .kname = &kname, 645 .flags = flags, 646 }; 647 int error; 648 649 error = setxattr_copy(name, &ctx); 650 if (error) 651 return error; 652 653 error = do_setxattr(idmap, d, &ctx); 654 655 kvfree(ctx.kvalue); 656 return error; 657 } 658 659 static int path_setxattr(const char __user *pathname, 660 const char __user *name, const void __user *value, 661 size_t size, int flags, unsigned int lookup_flags) 662 { 663 struct path path; 664 int error; 665 666 retry: 667 error = user_path_at(AT_FDCWD, pathname, lookup_flags, &path); 668 if (error) 669 return error; 670 error = mnt_want_write(path.mnt); 671 if (!error) { 672 error = setxattr(mnt_idmap(path.mnt), path.dentry, name, 673 value, size, flags); 674 mnt_drop_write(path.mnt); 675 } 676 path_put(&path); 677 if (retry_estale(error, lookup_flags)) { 678 lookup_flags |= LOOKUP_REVAL; 679 goto retry; 680 } 681 return error; 682 } 683 684 SYSCALL_DEFINE5(setxattr, const char __user *, pathname, 685 const char __user *, name, const void __user *, value, 686 size_t, size, int, flags) 687 { 688 return path_setxattr(pathname, name, value, size, flags, LOOKUP_FOLLOW); 689 } 690 691 SYSCALL_DEFINE5(lsetxattr, const char __user *, pathname, 692 const char __user *, name, const void __user *, value, 693 size_t, size, int, flags) 694 { 695 return path_setxattr(pathname, name, value, size, flags, 0); 696 } 697 698 SYSCALL_DEFINE5(fsetxattr, int, fd, const char __user *, name, 699 const void __user *,value, size_t, size, int, flags) 700 { 701 struct fd f = fdget(fd); 702 int error = -EBADF; 703 704 if (!f.file) 705 return error; 706 audit_file(f.file); 707 error = mnt_want_write_file(f.file); 708 if (!error) { 709 error = setxattr(file_mnt_idmap(f.file), 710 f.file->f_path.dentry, name, 711 value, size, flags); 712 mnt_drop_write_file(f.file); 713 } 714 fdput(f); 715 return error; 716 } 717 718 /* 719 * Extended attribute GET operations 720 */ 721 ssize_t 722 do_getxattr(struct mnt_idmap *idmap, struct dentry *d, 723 struct xattr_ctx *ctx) 724 { 725 ssize_t error; 726 char *kname = ctx->kname->name; 727 728 if (ctx->size) { 729 if (ctx->size > XATTR_SIZE_MAX) 730 ctx->size = XATTR_SIZE_MAX; 731 ctx->kvalue = kvzalloc(ctx->size, GFP_KERNEL); 732 if (!ctx->kvalue) 733 return -ENOMEM; 734 } 735 736 if (is_posix_acl_xattr(ctx->kname->name)) 737 error = do_get_acl(idmap, d, kname, ctx->kvalue, ctx->size); 738 else 739 error = vfs_getxattr(idmap, d, kname, ctx->kvalue, ctx->size); 740 if (error > 0) { 741 if (ctx->size && copy_to_user(ctx->value, ctx->kvalue, error)) 742 error = -EFAULT; 743 } else if (error == -ERANGE && ctx->size >= XATTR_SIZE_MAX) { 744 /* The file system tried to returned a value bigger 745 than XATTR_SIZE_MAX bytes. Not possible. */ 746 error = -E2BIG; 747 } 748 749 return error; 750 } 751 752 static ssize_t 753 getxattr(struct mnt_idmap *idmap, struct dentry *d, 754 const char __user *name, void __user *value, size_t size) 755 { 756 ssize_t error; 757 struct xattr_name kname; 758 struct xattr_ctx ctx = { 759 .value = value, 760 .kvalue = NULL, 761 .size = size, 762 .kname = &kname, 763 .flags = 0, 764 }; 765 766 error = strncpy_from_user(kname.name, name, sizeof(kname.name)); 767 if (error == 0 || error == sizeof(kname.name)) 768 error = -ERANGE; 769 if (error < 0) 770 return error; 771 772 error = do_getxattr(idmap, d, &ctx); 773 774 kvfree(ctx.kvalue); 775 return error; 776 } 777 778 static ssize_t path_getxattr(const char __user *pathname, 779 const char __user *name, void __user *value, 780 size_t size, unsigned int lookup_flags) 781 { 782 struct path path; 783 ssize_t error; 784 retry: 785 error = user_path_at(AT_FDCWD, pathname, lookup_flags, &path); 786 if (error) 787 return error; 788 error = getxattr(mnt_idmap(path.mnt), path.dentry, name, value, size); 789 path_put(&path); 790 if (retry_estale(error, lookup_flags)) { 791 lookup_flags |= LOOKUP_REVAL; 792 goto retry; 793 } 794 return error; 795 } 796 797 SYSCALL_DEFINE4(getxattr, const char __user *, pathname, 798 const char __user *, name, void __user *, value, size_t, size) 799 { 800 return path_getxattr(pathname, name, value, size, LOOKUP_FOLLOW); 801 } 802 803 SYSCALL_DEFINE4(lgetxattr, const char __user *, pathname, 804 const char __user *, name, void __user *, value, size_t, size) 805 { 806 return path_getxattr(pathname, name, value, size, 0); 807 } 808 809 SYSCALL_DEFINE4(fgetxattr, int, fd, const char __user *, name, 810 void __user *, value, size_t, size) 811 { 812 struct fd f = fdget(fd); 813 ssize_t error = -EBADF; 814 815 if (!f.file) 816 return error; 817 audit_file(f.file); 818 error = getxattr(file_mnt_idmap(f.file), f.file->f_path.dentry, 819 name, value, size); 820 fdput(f); 821 return error; 822 } 823 824 /* 825 * Extended attribute LIST operations 826 */ 827 static ssize_t 828 listxattr(struct dentry *d, char __user *list, size_t size) 829 { 830 ssize_t error; 831 char *klist = NULL; 832 833 if (size) { 834 if (size > XATTR_LIST_MAX) 835 size = XATTR_LIST_MAX; 836 klist = kvmalloc(size, GFP_KERNEL); 837 if (!klist) 838 return -ENOMEM; 839 } 840 841 error = vfs_listxattr(d, klist, size); 842 if (error > 0) { 843 if (size && copy_to_user(list, klist, error)) 844 error = -EFAULT; 845 } else if (error == -ERANGE && size >= XATTR_LIST_MAX) { 846 /* The file system tried to returned a list bigger 847 than XATTR_LIST_MAX bytes. Not possible. */ 848 error = -E2BIG; 849 } 850 851 kvfree(klist); 852 853 return error; 854 } 855 856 static ssize_t path_listxattr(const char __user *pathname, char __user *list, 857 size_t size, unsigned int lookup_flags) 858 { 859 struct path path; 860 ssize_t error; 861 retry: 862 error = user_path_at(AT_FDCWD, pathname, lookup_flags, &path); 863 if (error) 864 return error; 865 error = listxattr(path.dentry, list, size); 866 path_put(&path); 867 if (retry_estale(error, lookup_flags)) { 868 lookup_flags |= LOOKUP_REVAL; 869 goto retry; 870 } 871 return error; 872 } 873 874 SYSCALL_DEFINE3(listxattr, const char __user *, pathname, char __user *, list, 875 size_t, size) 876 { 877 return path_listxattr(pathname, list, size, LOOKUP_FOLLOW); 878 } 879 880 SYSCALL_DEFINE3(llistxattr, const char __user *, pathname, char __user *, list, 881 size_t, size) 882 { 883 return path_listxattr(pathname, list, size, 0); 884 } 885 886 SYSCALL_DEFINE3(flistxattr, int, fd, char __user *, list, size_t, size) 887 { 888 struct fd f = fdget(fd); 889 ssize_t error = -EBADF; 890 891 if (!f.file) 892 return error; 893 audit_file(f.file); 894 error = listxattr(f.file->f_path.dentry, list, size); 895 fdput(f); 896 return error; 897 } 898 899 /* 900 * Extended attribute REMOVE operations 901 */ 902 static long 903 removexattr(struct mnt_idmap *idmap, struct dentry *d, 904 const char __user *name) 905 { 906 int error; 907 char kname[XATTR_NAME_MAX + 1]; 908 909 error = strncpy_from_user(kname, name, sizeof(kname)); 910 if (error == 0 || error == sizeof(kname)) 911 error = -ERANGE; 912 if (error < 0) 913 return error; 914 915 if (is_posix_acl_xattr(kname)) 916 return vfs_remove_acl(idmap, d, kname); 917 918 return vfs_removexattr(idmap, d, kname); 919 } 920 921 static int path_removexattr(const char __user *pathname, 922 const char __user *name, unsigned int lookup_flags) 923 { 924 struct path path; 925 int error; 926 retry: 927 error = user_path_at(AT_FDCWD, pathname, lookup_flags, &path); 928 if (error) 929 return error; 930 error = mnt_want_write(path.mnt); 931 if (!error) { 932 error = removexattr(mnt_idmap(path.mnt), path.dentry, name); 933 mnt_drop_write(path.mnt); 934 } 935 path_put(&path); 936 if (retry_estale(error, lookup_flags)) { 937 lookup_flags |= LOOKUP_REVAL; 938 goto retry; 939 } 940 return error; 941 } 942 943 SYSCALL_DEFINE2(removexattr, const char __user *, pathname, 944 const char __user *, name) 945 { 946 return path_removexattr(pathname, name, LOOKUP_FOLLOW); 947 } 948 949 SYSCALL_DEFINE2(lremovexattr, const char __user *, pathname, 950 const char __user *, name) 951 { 952 return path_removexattr(pathname, name, 0); 953 } 954 955 SYSCALL_DEFINE2(fremovexattr, int, fd, const char __user *, name) 956 { 957 struct fd f = fdget(fd); 958 int error = -EBADF; 959 960 if (!f.file) 961 return error; 962 audit_file(f.file); 963 error = mnt_want_write_file(f.file); 964 if (!error) { 965 error = removexattr(file_mnt_idmap(f.file), 966 f.file->f_path.dentry, name); 967 mnt_drop_write_file(f.file); 968 } 969 fdput(f); 970 return error; 971 } 972 973 int xattr_list_one(char **buffer, ssize_t *remaining_size, const char *name) 974 { 975 size_t len; 976 977 len = strlen(name) + 1; 978 if (*buffer) { 979 if (*remaining_size < len) 980 return -ERANGE; 981 memcpy(*buffer, name, len); 982 *buffer += len; 983 } 984 *remaining_size -= len; 985 return 0; 986 } 987 988 /* 989 * Combine the results of the list() operation from every xattr_handler in the 990 * list. 991 */ 992 ssize_t 993 generic_listxattr(struct dentry *dentry, char *buffer, size_t buffer_size) 994 { 995 const struct xattr_handler *handler, **handlers = dentry->d_sb->s_xattr; 996 ssize_t remaining_size = buffer_size; 997 int err = 0; 998 999 err = posix_acl_listxattr(d_inode(dentry), &buffer, &remaining_size); 1000 if (err) 1001 return err; 1002 1003 for_each_xattr_handler(handlers, handler) { 1004 if (!handler->name || (handler->list && !handler->list(dentry))) 1005 continue; 1006 err = xattr_list_one(&buffer, &remaining_size, handler->name); 1007 if (err) 1008 return err; 1009 } 1010 1011 return err ? err : buffer_size - remaining_size; 1012 } 1013 EXPORT_SYMBOL(generic_listxattr); 1014 1015 /** 1016 * xattr_full_name - Compute full attribute name from suffix 1017 * 1018 * @handler: handler of the xattr_handler operation 1019 * @name: name passed to the xattr_handler operation 1020 * 1021 * The get and set xattr handler operations are called with the remainder of 1022 * the attribute name after skipping the handler's prefix: for example, "foo" 1023 * is passed to the get operation of a handler with prefix "user." to get 1024 * attribute "user.foo". The full name is still "there" in the name though. 1025 * 1026 * Note: the list xattr handler operation when called from the vfs is passed a 1027 * NULL name; some file systems use this operation internally, with varying 1028 * semantics. 1029 */ 1030 const char *xattr_full_name(const struct xattr_handler *handler, 1031 const char *name) 1032 { 1033 size_t prefix_len = strlen(xattr_prefix(handler)); 1034 1035 return name - prefix_len; 1036 } 1037 EXPORT_SYMBOL(xattr_full_name); 1038 1039 /** 1040 * free_simple_xattr - free an xattr object 1041 * @xattr: the xattr object 1042 * 1043 * Free the xattr object. Can handle @xattr being NULL. 1044 */ 1045 static inline void free_simple_xattr(struct simple_xattr *xattr) 1046 { 1047 if (xattr) 1048 kfree(xattr->name); 1049 kvfree(xattr); 1050 } 1051 1052 /** 1053 * simple_xattr_alloc - allocate new xattr object 1054 * @value: value of the xattr object 1055 * @size: size of @value 1056 * 1057 * Allocate a new xattr object and initialize respective members. The caller is 1058 * responsible for handling the name of the xattr. 1059 * 1060 * Return: On success a new xattr object is returned. On failure NULL is 1061 * returned. 1062 */ 1063 struct simple_xattr *simple_xattr_alloc(const void *value, size_t size) 1064 { 1065 struct simple_xattr *new_xattr; 1066 size_t len; 1067 1068 /* wrap around? */ 1069 len = sizeof(*new_xattr) + size; 1070 if (len < sizeof(*new_xattr)) 1071 return NULL; 1072 1073 new_xattr = kvmalloc(len, GFP_KERNEL); 1074 if (!new_xattr) 1075 return NULL; 1076 1077 new_xattr->size = size; 1078 memcpy(new_xattr->value, value, size); 1079 return new_xattr; 1080 } 1081 1082 /** 1083 * rbtree_simple_xattr_cmp - compare xattr name with current rbtree xattr entry 1084 * @key: xattr name 1085 * @node: current node 1086 * 1087 * Compare the xattr name with the xattr name attached to @node in the rbtree. 1088 * 1089 * Return: Negative value if continuing left, positive if continuing right, 0 1090 * if the xattr attached to @node matches @key. 1091 */ 1092 static int rbtree_simple_xattr_cmp(const void *key, const struct rb_node *node) 1093 { 1094 const char *xattr_name = key; 1095 const struct simple_xattr *xattr; 1096 1097 xattr = rb_entry(node, struct simple_xattr, rb_node); 1098 return strcmp(xattr->name, xattr_name); 1099 } 1100 1101 /** 1102 * rbtree_simple_xattr_node_cmp - compare two xattr rbtree nodes 1103 * @new_node: new node 1104 * @node: current node 1105 * 1106 * Compare the xattr attached to @new_node with the xattr attached to @node. 1107 * 1108 * Return: Negative value if continuing left, positive if continuing right, 0 1109 * if the xattr attached to @new_node matches the xattr attached to @node. 1110 */ 1111 static int rbtree_simple_xattr_node_cmp(struct rb_node *new_node, 1112 const struct rb_node *node) 1113 { 1114 struct simple_xattr *xattr; 1115 xattr = rb_entry(new_node, struct simple_xattr, rb_node); 1116 return rbtree_simple_xattr_cmp(xattr->name, node); 1117 } 1118 1119 /** 1120 * simple_xattr_get - get an xattr object 1121 * @xattrs: the header of the xattr object 1122 * @name: the name of the xattr to retrieve 1123 * @buffer: the buffer to store the value into 1124 * @size: the size of @buffer 1125 * 1126 * Try to find and retrieve the xattr object associated with @name. 1127 * If @buffer is provided store the value of @xattr in @buffer 1128 * otherwise just return the length. The size of @buffer is limited 1129 * to XATTR_SIZE_MAX which currently is 65536. 1130 * 1131 * Return: On success the length of the xattr value is returned. On error a 1132 * negative error code is returned. 1133 */ 1134 int simple_xattr_get(struct simple_xattrs *xattrs, const char *name, 1135 void *buffer, size_t size) 1136 { 1137 struct simple_xattr *xattr = NULL; 1138 struct rb_node *rbp; 1139 int ret = -ENODATA; 1140 1141 read_lock(&xattrs->lock); 1142 rbp = rb_find(name, &xattrs->rb_root, rbtree_simple_xattr_cmp); 1143 if (rbp) { 1144 xattr = rb_entry(rbp, struct simple_xattr, rb_node); 1145 ret = xattr->size; 1146 if (buffer) { 1147 if (size < xattr->size) 1148 ret = -ERANGE; 1149 else 1150 memcpy(buffer, xattr->value, xattr->size); 1151 } 1152 } 1153 read_unlock(&xattrs->lock); 1154 return ret; 1155 } 1156 1157 /** 1158 * simple_xattr_set - set an xattr object 1159 * @xattrs: the header of the xattr object 1160 * @name: the name of the xattr to retrieve 1161 * @value: the value to store along the xattr 1162 * @size: the size of @value 1163 * @flags: the flags determining how to set the xattr 1164 * @removed_size: the size of the removed xattr 1165 * 1166 * Set a new xattr object. 1167 * If @value is passed a new xattr object will be allocated. If XATTR_REPLACE 1168 * is specified in @flags a matching xattr object for @name must already exist. 1169 * If it does it will be replaced with the new xattr object. If it doesn't we 1170 * fail. If XATTR_CREATE is specified and a matching xattr does already exist 1171 * we fail. If it doesn't we create a new xattr. If @flags is zero we simply 1172 * insert the new xattr replacing any existing one. 1173 * 1174 * If @value is empty and a matching xattr object is found we delete it if 1175 * XATTR_REPLACE is specified in @flags or @flags is zero. 1176 * 1177 * If @value is empty and no matching xattr object for @name is found we do 1178 * nothing if XATTR_CREATE is specified in @flags or @flags is zero. For 1179 * XATTR_REPLACE we fail as mentioned above. 1180 * 1181 * Return: On success zero and on error a negative error code is returned. 1182 */ 1183 int simple_xattr_set(struct simple_xattrs *xattrs, const char *name, 1184 const void *value, size_t size, int flags, 1185 ssize_t *removed_size) 1186 { 1187 struct simple_xattr *xattr = NULL, *new_xattr = NULL; 1188 struct rb_node *parent = NULL, **rbp; 1189 int err = 0, ret; 1190 1191 if (removed_size) 1192 *removed_size = -1; 1193 1194 /* value == NULL means remove */ 1195 if (value) { 1196 new_xattr = simple_xattr_alloc(value, size); 1197 if (!new_xattr) 1198 return -ENOMEM; 1199 1200 new_xattr->name = kstrdup(name, GFP_KERNEL); 1201 if (!new_xattr->name) { 1202 free_simple_xattr(new_xattr); 1203 return -ENOMEM; 1204 } 1205 } 1206 1207 write_lock(&xattrs->lock); 1208 rbp = &xattrs->rb_root.rb_node; 1209 while (*rbp) { 1210 parent = *rbp; 1211 ret = rbtree_simple_xattr_cmp(name, *rbp); 1212 if (ret < 0) 1213 rbp = &(*rbp)->rb_left; 1214 else if (ret > 0) 1215 rbp = &(*rbp)->rb_right; 1216 else 1217 xattr = rb_entry(*rbp, struct simple_xattr, rb_node); 1218 if (xattr) 1219 break; 1220 } 1221 1222 if (xattr) { 1223 /* Fail if XATTR_CREATE is requested and the xattr exists. */ 1224 if (flags & XATTR_CREATE) { 1225 err = -EEXIST; 1226 goto out_unlock; 1227 } 1228 1229 if (new_xattr) 1230 rb_replace_node(&xattr->rb_node, &new_xattr->rb_node, 1231 &xattrs->rb_root); 1232 else 1233 rb_erase(&xattr->rb_node, &xattrs->rb_root); 1234 if (!err && removed_size) 1235 *removed_size = xattr->size; 1236 } else { 1237 /* Fail if XATTR_REPLACE is requested but no xattr is found. */ 1238 if (flags & XATTR_REPLACE) { 1239 err = -ENODATA; 1240 goto out_unlock; 1241 } 1242 1243 /* 1244 * If XATTR_CREATE or no flags are specified together with a 1245 * new value simply insert it. 1246 */ 1247 if (new_xattr) { 1248 rb_link_node(&new_xattr->rb_node, parent, rbp); 1249 rb_insert_color(&new_xattr->rb_node, &xattrs->rb_root); 1250 } 1251 1252 /* 1253 * If XATTR_CREATE or no flags are specified and neither an 1254 * old or new xattr exist then we don't need to do anything. 1255 */ 1256 } 1257 1258 out_unlock: 1259 write_unlock(&xattrs->lock); 1260 if (err) 1261 free_simple_xattr(new_xattr); 1262 else 1263 free_simple_xattr(xattr); 1264 return err; 1265 1266 } 1267 1268 static bool xattr_is_trusted(const char *name) 1269 { 1270 return !strncmp(name, XATTR_TRUSTED_PREFIX, XATTR_TRUSTED_PREFIX_LEN); 1271 } 1272 1273 /** 1274 * simple_xattr_list - list all xattr objects 1275 * @inode: inode from which to get the xattrs 1276 * @xattrs: the header of the xattr object 1277 * @buffer: the buffer to store all xattrs into 1278 * @size: the size of @buffer 1279 * 1280 * List all xattrs associated with @inode. If @buffer is NULL we returned 1281 * the required size of the buffer. If @buffer is provided we store the 1282 * xattrs value into it provided it is big enough. 1283 * 1284 * Note, the number of xattr names that can be listed with listxattr(2) is 1285 * limited to XATTR_LIST_MAX aka 65536 bytes. If a larger buffer is passed 1286 * then vfs_listxattr() caps it to XATTR_LIST_MAX and if more xattr names 1287 * are found it will return -E2BIG. 1288 * 1289 * Return: On success the required size or the size of the copied xattrs is 1290 * returned. On error a negative error code is returned. 1291 */ 1292 ssize_t simple_xattr_list(struct inode *inode, struct simple_xattrs *xattrs, 1293 char *buffer, size_t size) 1294 { 1295 bool trusted = ns_capable_noaudit(&init_user_ns, CAP_SYS_ADMIN); 1296 struct simple_xattr *xattr; 1297 struct rb_node *rbp; 1298 ssize_t remaining_size = size; 1299 int err = 0; 1300 1301 err = posix_acl_listxattr(inode, &buffer, &remaining_size); 1302 if (err) 1303 return err; 1304 1305 read_lock(&xattrs->lock); 1306 for (rbp = rb_first(&xattrs->rb_root); rbp; rbp = rb_next(rbp)) { 1307 xattr = rb_entry(rbp, struct simple_xattr, rb_node); 1308 1309 /* skip "trusted." attributes for unprivileged callers */ 1310 if (!trusted && xattr_is_trusted(xattr->name)) 1311 continue; 1312 1313 err = xattr_list_one(&buffer, &remaining_size, xattr->name); 1314 if (err) 1315 break; 1316 } 1317 read_unlock(&xattrs->lock); 1318 1319 return err ? err : size - remaining_size; 1320 } 1321 1322 /** 1323 * rbtree_simple_xattr_less - compare two xattr rbtree nodes 1324 * @new_node: new node 1325 * @node: current node 1326 * 1327 * Compare the xattr attached to @new_node with the xattr attached to @node. 1328 * Note that this function technically tolerates duplicate entries. 1329 * 1330 * Return: True if insertion point in the rbtree is found. 1331 */ 1332 static bool rbtree_simple_xattr_less(struct rb_node *new_node, 1333 const struct rb_node *node) 1334 { 1335 return rbtree_simple_xattr_node_cmp(new_node, node) < 0; 1336 } 1337 1338 /** 1339 * simple_xattr_add - add xattr objects 1340 * @xattrs: the header of the xattr object 1341 * @new_xattr: the xattr object to add 1342 * 1343 * Add an xattr object to @xattrs. This assumes no replacement or removal 1344 * of matching xattrs is wanted. Should only be called during inode 1345 * initialization when a few distinct initial xattrs are supposed to be set. 1346 */ 1347 void simple_xattr_add(struct simple_xattrs *xattrs, 1348 struct simple_xattr *new_xattr) 1349 { 1350 write_lock(&xattrs->lock); 1351 rb_add(&new_xattr->rb_node, &xattrs->rb_root, rbtree_simple_xattr_less); 1352 write_unlock(&xattrs->lock); 1353 } 1354 1355 /** 1356 * simple_xattrs_init - initialize new xattr header 1357 * @xattrs: header to initialize 1358 * 1359 * Initialize relevant fields of a an xattr header. 1360 */ 1361 void simple_xattrs_init(struct simple_xattrs *xattrs) 1362 { 1363 xattrs->rb_root = RB_ROOT; 1364 rwlock_init(&xattrs->lock); 1365 } 1366 1367 /** 1368 * simple_xattrs_free - free xattrs 1369 * @xattrs: xattr header whose xattrs to destroy 1370 * 1371 * Destroy all xattrs in @xattr. When this is called no one can hold a 1372 * reference to any of the xattrs anymore. 1373 */ 1374 void simple_xattrs_free(struct simple_xattrs *xattrs) 1375 { 1376 struct rb_node *rbp; 1377 1378 rbp = rb_first(&xattrs->rb_root); 1379 while (rbp) { 1380 struct simple_xattr *xattr; 1381 struct rb_node *rbp_next; 1382 1383 rbp_next = rb_next(rbp); 1384 xattr = rb_entry(rbp, struct simple_xattr, rb_node); 1385 rb_erase(&xattr->rb_node, &xattrs->rb_root); 1386 free_simple_xattr(xattr); 1387 rbp = rbp_next; 1388 } 1389 } 1390