1 // SPDX-License-Identifier: GPL-2.0-only 2 /* 3 File: fs/xattr.c 4 5 Extended attribute handling. 6 7 Copyright (C) 2001 by Andreas Gruenbacher <a.gruenbacher@computer.org> 8 Copyright (C) 2001 SGI - Silicon Graphics, Inc <linux-xfs@oss.sgi.com> 9 Copyright (c) 2004 Red Hat, Inc., James Morris <jmorris@redhat.com> 10 */ 11 #include <linux/fs.h> 12 #include <linux/filelock.h> 13 #include <linux/slab.h> 14 #include <linux/file.h> 15 #include <linux/xattr.h> 16 #include <linux/mount.h> 17 #include <linux/namei.h> 18 #include <linux/security.h> 19 #include <linux/evm.h> 20 #include <linux/syscalls.h> 21 #include <linux/export.h> 22 #include <linux/fsnotify.h> 23 #include <linux/audit.h> 24 #include <linux/vmalloc.h> 25 #include <linux/posix_acl_xattr.h> 26 27 #include <linux/uaccess.h> 28 29 #include "internal.h" 30 31 static const char * 32 strcmp_prefix(const char *a, const char *a_prefix) 33 { 34 while (*a_prefix && *a == *a_prefix) { 35 a++; 36 a_prefix++; 37 } 38 return *a_prefix ? NULL : a; 39 } 40 41 /* 42 * In order to implement different sets of xattr operations for each xattr 43 * prefix, a filesystem should create a null-terminated array of struct 44 * xattr_handler (one for each prefix) and hang a pointer to it off of the 45 * s_xattr field of the superblock. 46 */ 47 #define for_each_xattr_handler(handlers, handler) \ 48 if (handlers) \ 49 for ((handler) = *(handlers)++; \ 50 (handler) != NULL; \ 51 (handler) = *(handlers)++) 52 53 /* 54 * Find the xattr_handler with the matching prefix. 55 */ 56 static const struct xattr_handler * 57 xattr_resolve_name(struct inode *inode, const char **name) 58 { 59 const struct xattr_handler * const *handlers = inode->i_sb->s_xattr; 60 const struct xattr_handler *handler; 61 62 if (!(inode->i_opflags & IOP_XATTR)) { 63 if (unlikely(is_bad_inode(inode))) 64 return ERR_PTR(-EIO); 65 return ERR_PTR(-EOPNOTSUPP); 66 } 67 for_each_xattr_handler(handlers, handler) { 68 const char *n; 69 70 n = strcmp_prefix(*name, xattr_prefix(handler)); 71 if (n) { 72 if (!handler->prefix ^ !*n) { 73 if (*n) 74 continue; 75 return ERR_PTR(-EINVAL); 76 } 77 *name = n; 78 return handler; 79 } 80 } 81 return ERR_PTR(-EOPNOTSUPP); 82 } 83 84 /** 85 * may_write_xattr - check whether inode allows writing xattr 86 * @idmap: idmap of the mount the inode was found from 87 * @inode: the inode on which to set an xattr 88 * 89 * Check whether the inode allows writing xattrs. Specifically, we can never 90 * set or remove an extended attribute on a read-only filesystem or on an 91 * immutable / append-only inode. 92 * 93 * We also need to ensure that the inode has a mapping in the mount to 94 * not risk writing back invalid i_{g,u}id values. 95 * 96 * Return: On success zero is returned. On error a negative errno is returned. 97 */ 98 int may_write_xattr(struct mnt_idmap *idmap, struct inode *inode) 99 { 100 if (IS_IMMUTABLE(inode)) 101 return -EPERM; 102 if (IS_APPEND(inode)) 103 return -EPERM; 104 if (HAS_UNMAPPED_ID(idmap, inode)) 105 return -EPERM; 106 return 0; 107 } 108 109 /* 110 * Check permissions for extended attribute access. This is a bit complicated 111 * because different namespaces have very different rules. 112 */ 113 static int 114 xattr_permission(struct mnt_idmap *idmap, struct inode *inode, 115 const char *name, int mask) 116 { 117 if (mask & MAY_WRITE) { 118 int ret; 119 120 ret = may_write_xattr(idmap, inode); 121 if (ret) 122 return ret; 123 } 124 125 /* 126 * No restriction for security.* and system.* from the VFS. Decision 127 * on these is left to the underlying filesystem / security module. 128 */ 129 if (!strncmp(name, XATTR_SECURITY_PREFIX, XATTR_SECURITY_PREFIX_LEN) || 130 !strncmp(name, XATTR_SYSTEM_PREFIX, XATTR_SYSTEM_PREFIX_LEN)) 131 return 0; 132 133 /* 134 * The trusted.* namespace can only be accessed by privileged users. 135 */ 136 if (!strncmp(name, XATTR_TRUSTED_PREFIX, XATTR_TRUSTED_PREFIX_LEN)) { 137 if (!capable(CAP_SYS_ADMIN)) 138 return (mask & MAY_WRITE) ? -EPERM : -ENODATA; 139 return 0; 140 } 141 142 /* 143 * In the user.* namespace, only regular files and directories can have 144 * extended attributes. For sticky directories, only the owner and 145 * privileged users can write attributes. 146 */ 147 if (!strncmp(name, XATTR_USER_PREFIX, XATTR_USER_PREFIX_LEN)) { 148 if (!S_ISREG(inode->i_mode) && !S_ISDIR(inode->i_mode)) 149 return (mask & MAY_WRITE) ? -EPERM : -ENODATA; 150 if (S_ISDIR(inode->i_mode) && (inode->i_mode & S_ISVTX) && 151 (mask & MAY_WRITE) && 152 !inode_owner_or_capable(idmap, inode)) 153 return -EPERM; 154 } 155 156 return inode_permission(idmap, inode, mask); 157 } 158 159 /* 160 * Look for any handler that deals with the specified namespace. 161 */ 162 int 163 xattr_supports_user_prefix(struct inode *inode) 164 { 165 const struct xattr_handler * const *handlers = inode->i_sb->s_xattr; 166 const struct xattr_handler *handler; 167 168 if (!(inode->i_opflags & IOP_XATTR)) { 169 if (unlikely(is_bad_inode(inode))) 170 return -EIO; 171 return -EOPNOTSUPP; 172 } 173 174 for_each_xattr_handler(handlers, handler) { 175 if (!strncmp(xattr_prefix(handler), XATTR_USER_PREFIX, 176 XATTR_USER_PREFIX_LEN)) 177 return 0; 178 } 179 180 return -EOPNOTSUPP; 181 } 182 EXPORT_SYMBOL(xattr_supports_user_prefix); 183 184 int 185 __vfs_setxattr(struct mnt_idmap *idmap, struct dentry *dentry, 186 struct inode *inode, const char *name, const void *value, 187 size_t size, int flags) 188 { 189 const struct xattr_handler *handler; 190 191 if (is_posix_acl_xattr(name)) 192 return -EOPNOTSUPP; 193 194 handler = xattr_resolve_name(inode, &name); 195 if (IS_ERR(handler)) 196 return PTR_ERR(handler); 197 if (!handler->set) 198 return -EOPNOTSUPP; 199 if (size == 0) 200 value = ""; /* empty EA, do not remove */ 201 return handler->set(handler, idmap, dentry, inode, name, value, 202 size, flags); 203 } 204 EXPORT_SYMBOL(__vfs_setxattr); 205 206 /** 207 * __vfs_setxattr_noperm - perform setxattr operation without performing 208 * permission checks. 209 * 210 * @idmap: idmap of the mount the inode was found from 211 * @dentry: object to perform setxattr on 212 * @name: xattr name to set 213 * @value: value to set @name to 214 * @size: size of @value 215 * @flags: flags to pass into filesystem operations 216 * 217 * returns the result of the internal setxattr or setsecurity operations. 218 * 219 * This function requires the caller to lock the inode's i_mutex before it 220 * is executed. It also assumes that the caller will make the appropriate 221 * permission checks. 222 */ 223 int __vfs_setxattr_noperm(struct mnt_idmap *idmap, 224 struct dentry *dentry, const char *name, 225 const void *value, size_t size, int flags) 226 { 227 struct inode *inode = dentry->d_inode; 228 int error = -EAGAIN; 229 int issec = !strncmp(name, XATTR_SECURITY_PREFIX, 230 XATTR_SECURITY_PREFIX_LEN); 231 232 if (issec) 233 inode->i_flags &= ~S_NOSEC; 234 if (inode->i_opflags & IOP_XATTR) { 235 error = __vfs_setxattr(idmap, dentry, inode, name, value, 236 size, flags); 237 if (!error) { 238 fsnotify_xattr(dentry); 239 security_inode_post_setxattr(dentry, name, value, 240 size, flags); 241 } 242 } else { 243 if (unlikely(is_bad_inode(inode))) 244 return -EIO; 245 } 246 if (error == -EAGAIN) { 247 error = -EOPNOTSUPP; 248 249 if (issec) { 250 const char *suffix = name + XATTR_SECURITY_PREFIX_LEN; 251 252 error = security_inode_setsecurity(inode, suffix, value, 253 size, flags); 254 if (!error) 255 fsnotify_xattr(dentry); 256 } 257 } 258 259 return error; 260 } 261 262 /** 263 * __vfs_setxattr_locked - set an extended attribute while holding the inode 264 * lock 265 * 266 * @idmap: idmap of the mount of the target inode 267 * @dentry: object to perform setxattr on 268 * @name: xattr name to set 269 * @value: value to set @name to 270 * @size: size of @value 271 * @flags: flags to pass into filesystem operations 272 * @delegated_inode: on return, will contain an inode pointer that 273 * a delegation was broken on, NULL if none. 274 */ 275 int 276 __vfs_setxattr_locked(struct mnt_idmap *idmap, struct dentry *dentry, 277 const char *name, const void *value, size_t size, 278 int flags, struct inode **delegated_inode) 279 { 280 struct inode *inode = dentry->d_inode; 281 int error; 282 283 error = xattr_permission(idmap, inode, name, MAY_WRITE); 284 if (error) 285 return error; 286 287 error = security_inode_setxattr(idmap, dentry, name, value, size, 288 flags); 289 if (error) 290 goto out; 291 292 error = try_break_deleg(inode, delegated_inode); 293 if (error) 294 goto out; 295 296 error = __vfs_setxattr_noperm(idmap, dentry, name, value, 297 size, flags); 298 299 out: 300 return error; 301 } 302 EXPORT_SYMBOL_GPL(__vfs_setxattr_locked); 303 304 int 305 vfs_setxattr(struct mnt_idmap *idmap, struct dentry *dentry, 306 const char *name, const void *value, size_t size, int flags) 307 { 308 struct inode *inode = dentry->d_inode; 309 struct inode *delegated_inode = NULL; 310 const void *orig_value = value; 311 int error; 312 313 if (size && strcmp(name, XATTR_NAME_CAPS) == 0) { 314 error = cap_convert_nscap(idmap, dentry, &value, size); 315 if (error < 0) 316 return error; 317 size = error; 318 } 319 320 retry_deleg: 321 inode_lock(inode); 322 error = __vfs_setxattr_locked(idmap, dentry, name, value, size, 323 flags, &delegated_inode); 324 inode_unlock(inode); 325 326 if (delegated_inode) { 327 error = break_deleg_wait(&delegated_inode); 328 if (!error) 329 goto retry_deleg; 330 } 331 if (value != orig_value) 332 kfree(value); 333 334 return error; 335 } 336 EXPORT_SYMBOL_GPL(vfs_setxattr); 337 338 static ssize_t 339 xattr_getsecurity(struct mnt_idmap *idmap, struct inode *inode, 340 const char *name, void *value, size_t size) 341 { 342 void *buffer = NULL; 343 ssize_t len; 344 345 if (!value || !size) { 346 len = security_inode_getsecurity(idmap, inode, name, 347 &buffer, false); 348 goto out_noalloc; 349 } 350 351 len = security_inode_getsecurity(idmap, inode, name, &buffer, 352 true); 353 if (len < 0) 354 return len; 355 if (size < len) { 356 len = -ERANGE; 357 goto out; 358 } 359 memcpy(value, buffer, len); 360 out: 361 kfree(buffer); 362 out_noalloc: 363 return len; 364 } 365 366 /* 367 * vfs_getxattr_alloc - allocate memory, if necessary, before calling getxattr 368 * 369 * Allocate memory, if not already allocated, or re-allocate correct size, 370 * before retrieving the extended attribute. The xattr value buffer should 371 * always be freed by the caller, even on error. 372 * 373 * Returns the result of alloc, if failed, or the getxattr operation. 374 */ 375 int 376 vfs_getxattr_alloc(struct mnt_idmap *idmap, struct dentry *dentry, 377 const char *name, char **xattr_value, size_t xattr_size, 378 gfp_t flags) 379 { 380 const struct xattr_handler *handler; 381 struct inode *inode = dentry->d_inode; 382 char *value = *xattr_value; 383 int error; 384 385 error = xattr_permission(idmap, inode, name, MAY_READ); 386 if (error) 387 return error; 388 389 handler = xattr_resolve_name(inode, &name); 390 if (IS_ERR(handler)) 391 return PTR_ERR(handler); 392 if (!handler->get) 393 return -EOPNOTSUPP; 394 error = handler->get(handler, dentry, inode, name, NULL, 0); 395 if (error < 0) 396 return error; 397 398 if (!value || (error > xattr_size)) { 399 value = krealloc(*xattr_value, error + 1, flags); 400 if (!value) 401 return -ENOMEM; 402 memset(value, 0, error + 1); 403 } 404 405 error = handler->get(handler, dentry, inode, name, value, error); 406 *xattr_value = value; 407 return error; 408 } 409 410 ssize_t 411 __vfs_getxattr(struct dentry *dentry, struct inode *inode, const char *name, 412 void *value, size_t size) 413 { 414 const struct xattr_handler *handler; 415 416 if (is_posix_acl_xattr(name)) 417 return -EOPNOTSUPP; 418 419 handler = xattr_resolve_name(inode, &name); 420 if (IS_ERR(handler)) 421 return PTR_ERR(handler); 422 if (!handler->get) 423 return -EOPNOTSUPP; 424 return handler->get(handler, dentry, inode, name, value, size); 425 } 426 EXPORT_SYMBOL(__vfs_getxattr); 427 428 ssize_t 429 vfs_getxattr(struct mnt_idmap *idmap, struct dentry *dentry, 430 const char *name, void *value, size_t size) 431 { 432 struct inode *inode = dentry->d_inode; 433 int error; 434 435 error = xattr_permission(idmap, inode, name, MAY_READ); 436 if (error) 437 return error; 438 439 error = security_inode_getxattr(dentry, name); 440 if (error) 441 return error; 442 443 if (!strncmp(name, XATTR_SECURITY_PREFIX, 444 XATTR_SECURITY_PREFIX_LEN)) { 445 const char *suffix = name + XATTR_SECURITY_PREFIX_LEN; 446 int ret = xattr_getsecurity(idmap, inode, suffix, value, 447 size); 448 /* 449 * Only overwrite the return value if a security module 450 * is actually active. 451 */ 452 if (ret == -EOPNOTSUPP) 453 goto nolsm; 454 return ret; 455 } 456 nolsm: 457 return __vfs_getxattr(dentry, inode, name, value, size); 458 } 459 EXPORT_SYMBOL_GPL(vfs_getxattr); 460 461 /** 462 * vfs_listxattr - retrieve \0 separated list of xattr names 463 * @dentry: the dentry from whose inode the xattr names are retrieved 464 * @list: buffer to store xattr names into 465 * @size: size of the buffer 466 * 467 * This function returns the names of all xattrs associated with the 468 * inode of @dentry. 469 * 470 * Note, for legacy reasons the vfs_listxattr() function lists POSIX 471 * ACLs as well. Since POSIX ACLs are decoupled from IOP_XATTR the 472 * vfs_listxattr() function doesn't check for this flag since a 473 * filesystem could implement POSIX ACLs without implementing any other 474 * xattrs. 475 * 476 * However, since all codepaths that remove IOP_XATTR also assign of 477 * inode operations that either don't implement or implement a stub 478 * ->listxattr() operation. 479 * 480 * Return: On success, the size of the buffer that was used. On error a 481 * negative error code. 482 */ 483 ssize_t 484 vfs_listxattr(struct dentry *dentry, char *list, size_t size) 485 { 486 struct inode *inode = d_inode(dentry); 487 ssize_t error; 488 489 error = security_inode_listxattr(dentry); 490 if (error) 491 return error; 492 493 if (inode->i_op->listxattr) { 494 error = inode->i_op->listxattr(dentry, list, size); 495 } else { 496 error = security_inode_listsecurity(inode, list, size); 497 if (size && error > size) 498 error = -ERANGE; 499 } 500 return error; 501 } 502 EXPORT_SYMBOL_GPL(vfs_listxattr); 503 504 int 505 __vfs_removexattr(struct mnt_idmap *idmap, struct dentry *dentry, 506 const char *name) 507 { 508 struct inode *inode = d_inode(dentry); 509 const struct xattr_handler *handler; 510 511 if (is_posix_acl_xattr(name)) 512 return -EOPNOTSUPP; 513 514 handler = xattr_resolve_name(inode, &name); 515 if (IS_ERR(handler)) 516 return PTR_ERR(handler); 517 if (!handler->set) 518 return -EOPNOTSUPP; 519 return handler->set(handler, idmap, dentry, inode, name, NULL, 0, 520 XATTR_REPLACE); 521 } 522 EXPORT_SYMBOL(__vfs_removexattr); 523 524 /** 525 * __vfs_removexattr_locked - set an extended attribute while holding the inode 526 * lock 527 * 528 * @idmap: idmap of the mount of the target inode 529 * @dentry: object to perform setxattr on 530 * @name: name of xattr to remove 531 * @delegated_inode: on return, will contain an inode pointer that 532 * a delegation was broken on, NULL if none. 533 */ 534 int 535 __vfs_removexattr_locked(struct mnt_idmap *idmap, 536 struct dentry *dentry, const char *name, 537 struct inode **delegated_inode) 538 { 539 struct inode *inode = dentry->d_inode; 540 int error; 541 542 error = xattr_permission(idmap, inode, name, MAY_WRITE); 543 if (error) 544 return error; 545 546 error = security_inode_removexattr(idmap, dentry, name); 547 if (error) 548 goto out; 549 550 error = try_break_deleg(inode, delegated_inode); 551 if (error) 552 goto out; 553 554 error = __vfs_removexattr(idmap, dentry, name); 555 556 if (!error) { 557 fsnotify_xattr(dentry); 558 evm_inode_post_removexattr(dentry, name); 559 } 560 561 out: 562 return error; 563 } 564 EXPORT_SYMBOL_GPL(__vfs_removexattr_locked); 565 566 int 567 vfs_removexattr(struct mnt_idmap *idmap, struct dentry *dentry, 568 const char *name) 569 { 570 struct inode *inode = dentry->d_inode; 571 struct inode *delegated_inode = NULL; 572 int error; 573 574 retry_deleg: 575 inode_lock(inode); 576 error = __vfs_removexattr_locked(idmap, dentry, 577 name, &delegated_inode); 578 inode_unlock(inode); 579 580 if (delegated_inode) { 581 error = break_deleg_wait(&delegated_inode); 582 if (!error) 583 goto retry_deleg; 584 } 585 586 return error; 587 } 588 EXPORT_SYMBOL_GPL(vfs_removexattr); 589 590 /* 591 * Extended attribute SET operations 592 */ 593 594 int setxattr_copy(const char __user *name, struct xattr_ctx *ctx) 595 { 596 int error; 597 598 if (ctx->flags & ~(XATTR_CREATE|XATTR_REPLACE)) 599 return -EINVAL; 600 601 error = strncpy_from_user(ctx->kname->name, name, 602 sizeof(ctx->kname->name)); 603 if (error == 0 || error == sizeof(ctx->kname->name)) 604 return -ERANGE; 605 if (error < 0) 606 return error; 607 608 error = 0; 609 if (ctx->size) { 610 if (ctx->size > XATTR_SIZE_MAX) 611 return -E2BIG; 612 613 ctx->kvalue = vmemdup_user(ctx->cvalue, ctx->size); 614 if (IS_ERR(ctx->kvalue)) { 615 error = PTR_ERR(ctx->kvalue); 616 ctx->kvalue = NULL; 617 } 618 } 619 620 return error; 621 } 622 623 int do_setxattr(struct mnt_idmap *idmap, struct dentry *dentry, 624 struct xattr_ctx *ctx) 625 { 626 if (is_posix_acl_xattr(ctx->kname->name)) 627 return do_set_acl(idmap, dentry, ctx->kname->name, 628 ctx->kvalue, ctx->size); 629 630 return vfs_setxattr(idmap, dentry, ctx->kname->name, 631 ctx->kvalue, ctx->size, ctx->flags); 632 } 633 634 static long 635 setxattr(struct mnt_idmap *idmap, struct dentry *d, 636 const char __user *name, const void __user *value, size_t size, 637 int flags) 638 { 639 struct xattr_name kname; 640 struct xattr_ctx ctx = { 641 .cvalue = value, 642 .kvalue = NULL, 643 .size = size, 644 .kname = &kname, 645 .flags = flags, 646 }; 647 int error; 648 649 error = setxattr_copy(name, &ctx); 650 if (error) 651 return error; 652 653 error = do_setxattr(idmap, d, &ctx); 654 655 kvfree(ctx.kvalue); 656 return error; 657 } 658 659 static int path_setxattr(const char __user *pathname, 660 const char __user *name, const void __user *value, 661 size_t size, int flags, unsigned int lookup_flags) 662 { 663 struct path path; 664 int error; 665 666 retry: 667 error = user_path_at(AT_FDCWD, pathname, lookup_flags, &path); 668 if (error) 669 return error; 670 error = mnt_want_write(path.mnt); 671 if (!error) { 672 error = setxattr(mnt_idmap(path.mnt), path.dentry, name, 673 value, size, flags); 674 mnt_drop_write(path.mnt); 675 } 676 path_put(&path); 677 if (retry_estale(error, lookup_flags)) { 678 lookup_flags |= LOOKUP_REVAL; 679 goto retry; 680 } 681 return error; 682 } 683 684 SYSCALL_DEFINE5(setxattr, const char __user *, pathname, 685 const char __user *, name, const void __user *, value, 686 size_t, size, int, flags) 687 { 688 return path_setxattr(pathname, name, value, size, flags, LOOKUP_FOLLOW); 689 } 690 691 SYSCALL_DEFINE5(lsetxattr, const char __user *, pathname, 692 const char __user *, name, const void __user *, value, 693 size_t, size, int, flags) 694 { 695 return path_setxattr(pathname, name, value, size, flags, 0); 696 } 697 698 SYSCALL_DEFINE5(fsetxattr, int, fd, const char __user *, name, 699 const void __user *,value, size_t, size, int, flags) 700 { 701 struct fd f = fdget(fd); 702 int error = -EBADF; 703 704 if (!f.file) 705 return error; 706 audit_file(f.file); 707 error = mnt_want_write_file(f.file); 708 if (!error) { 709 error = setxattr(file_mnt_idmap(f.file), 710 f.file->f_path.dentry, name, 711 value, size, flags); 712 mnt_drop_write_file(f.file); 713 } 714 fdput(f); 715 return error; 716 } 717 718 /* 719 * Extended attribute GET operations 720 */ 721 ssize_t 722 do_getxattr(struct mnt_idmap *idmap, struct dentry *d, 723 struct xattr_ctx *ctx) 724 { 725 ssize_t error; 726 char *kname = ctx->kname->name; 727 728 if (ctx->size) { 729 if (ctx->size > XATTR_SIZE_MAX) 730 ctx->size = XATTR_SIZE_MAX; 731 ctx->kvalue = kvzalloc(ctx->size, GFP_KERNEL); 732 if (!ctx->kvalue) 733 return -ENOMEM; 734 } 735 736 if (is_posix_acl_xattr(ctx->kname->name)) 737 error = do_get_acl(idmap, d, kname, ctx->kvalue, ctx->size); 738 else 739 error = vfs_getxattr(idmap, d, kname, ctx->kvalue, ctx->size); 740 if (error > 0) { 741 if (ctx->size && copy_to_user(ctx->value, ctx->kvalue, error)) 742 error = -EFAULT; 743 } else if (error == -ERANGE && ctx->size >= XATTR_SIZE_MAX) { 744 /* The file system tried to returned a value bigger 745 than XATTR_SIZE_MAX bytes. Not possible. */ 746 error = -E2BIG; 747 } 748 749 return error; 750 } 751 752 static ssize_t 753 getxattr(struct mnt_idmap *idmap, struct dentry *d, 754 const char __user *name, void __user *value, size_t size) 755 { 756 ssize_t error; 757 struct xattr_name kname; 758 struct xattr_ctx ctx = { 759 .value = value, 760 .kvalue = NULL, 761 .size = size, 762 .kname = &kname, 763 .flags = 0, 764 }; 765 766 error = strncpy_from_user(kname.name, name, sizeof(kname.name)); 767 if (error == 0 || error == sizeof(kname.name)) 768 error = -ERANGE; 769 if (error < 0) 770 return error; 771 772 error = do_getxattr(idmap, d, &ctx); 773 774 kvfree(ctx.kvalue); 775 return error; 776 } 777 778 static ssize_t path_getxattr(const char __user *pathname, 779 const char __user *name, void __user *value, 780 size_t size, unsigned int lookup_flags) 781 { 782 struct path path; 783 ssize_t error; 784 retry: 785 error = user_path_at(AT_FDCWD, pathname, lookup_flags, &path); 786 if (error) 787 return error; 788 error = getxattr(mnt_idmap(path.mnt), path.dentry, name, value, size); 789 path_put(&path); 790 if (retry_estale(error, lookup_flags)) { 791 lookup_flags |= LOOKUP_REVAL; 792 goto retry; 793 } 794 return error; 795 } 796 797 SYSCALL_DEFINE4(getxattr, const char __user *, pathname, 798 const char __user *, name, void __user *, value, size_t, size) 799 { 800 return path_getxattr(pathname, name, value, size, LOOKUP_FOLLOW); 801 } 802 803 SYSCALL_DEFINE4(lgetxattr, const char __user *, pathname, 804 const char __user *, name, void __user *, value, size_t, size) 805 { 806 return path_getxattr(pathname, name, value, size, 0); 807 } 808 809 SYSCALL_DEFINE4(fgetxattr, int, fd, const char __user *, name, 810 void __user *, value, size_t, size) 811 { 812 struct fd f = fdget(fd); 813 ssize_t error = -EBADF; 814 815 if (!f.file) 816 return error; 817 audit_file(f.file); 818 error = getxattr(file_mnt_idmap(f.file), f.file->f_path.dentry, 819 name, value, size); 820 fdput(f); 821 return error; 822 } 823 824 /* 825 * Extended attribute LIST operations 826 */ 827 static ssize_t 828 listxattr(struct dentry *d, char __user *list, size_t size) 829 { 830 ssize_t error; 831 char *klist = NULL; 832 833 if (size) { 834 if (size > XATTR_LIST_MAX) 835 size = XATTR_LIST_MAX; 836 klist = kvmalloc(size, GFP_KERNEL); 837 if (!klist) 838 return -ENOMEM; 839 } 840 841 error = vfs_listxattr(d, klist, size); 842 if (error > 0) { 843 if (size && copy_to_user(list, klist, error)) 844 error = -EFAULT; 845 } else if (error == -ERANGE && size >= XATTR_LIST_MAX) { 846 /* The file system tried to returned a list bigger 847 than XATTR_LIST_MAX bytes. Not possible. */ 848 error = -E2BIG; 849 } 850 851 kvfree(klist); 852 853 return error; 854 } 855 856 static ssize_t path_listxattr(const char __user *pathname, char __user *list, 857 size_t size, unsigned int lookup_flags) 858 { 859 struct path path; 860 ssize_t error; 861 retry: 862 error = user_path_at(AT_FDCWD, pathname, lookup_flags, &path); 863 if (error) 864 return error; 865 error = listxattr(path.dentry, list, size); 866 path_put(&path); 867 if (retry_estale(error, lookup_flags)) { 868 lookup_flags |= LOOKUP_REVAL; 869 goto retry; 870 } 871 return error; 872 } 873 874 SYSCALL_DEFINE3(listxattr, const char __user *, pathname, char __user *, list, 875 size_t, size) 876 { 877 return path_listxattr(pathname, list, size, LOOKUP_FOLLOW); 878 } 879 880 SYSCALL_DEFINE3(llistxattr, const char __user *, pathname, char __user *, list, 881 size_t, size) 882 { 883 return path_listxattr(pathname, list, size, 0); 884 } 885 886 SYSCALL_DEFINE3(flistxattr, int, fd, char __user *, list, size_t, size) 887 { 888 struct fd f = fdget(fd); 889 ssize_t error = -EBADF; 890 891 if (!f.file) 892 return error; 893 audit_file(f.file); 894 error = listxattr(f.file->f_path.dentry, list, size); 895 fdput(f); 896 return error; 897 } 898 899 /* 900 * Extended attribute REMOVE operations 901 */ 902 static long 903 removexattr(struct mnt_idmap *idmap, struct dentry *d, 904 const char __user *name) 905 { 906 int error; 907 char kname[XATTR_NAME_MAX + 1]; 908 909 error = strncpy_from_user(kname, name, sizeof(kname)); 910 if (error == 0 || error == sizeof(kname)) 911 error = -ERANGE; 912 if (error < 0) 913 return error; 914 915 if (is_posix_acl_xattr(kname)) 916 return vfs_remove_acl(idmap, d, kname); 917 918 return vfs_removexattr(idmap, d, kname); 919 } 920 921 static int path_removexattr(const char __user *pathname, 922 const char __user *name, unsigned int lookup_flags) 923 { 924 struct path path; 925 int error; 926 retry: 927 error = user_path_at(AT_FDCWD, pathname, lookup_flags, &path); 928 if (error) 929 return error; 930 error = mnt_want_write(path.mnt); 931 if (!error) { 932 error = removexattr(mnt_idmap(path.mnt), path.dentry, name); 933 mnt_drop_write(path.mnt); 934 } 935 path_put(&path); 936 if (retry_estale(error, lookup_flags)) { 937 lookup_flags |= LOOKUP_REVAL; 938 goto retry; 939 } 940 return error; 941 } 942 943 SYSCALL_DEFINE2(removexattr, const char __user *, pathname, 944 const char __user *, name) 945 { 946 return path_removexattr(pathname, name, LOOKUP_FOLLOW); 947 } 948 949 SYSCALL_DEFINE2(lremovexattr, const char __user *, pathname, 950 const char __user *, name) 951 { 952 return path_removexattr(pathname, name, 0); 953 } 954 955 SYSCALL_DEFINE2(fremovexattr, int, fd, const char __user *, name) 956 { 957 struct fd f = fdget(fd); 958 int error = -EBADF; 959 960 if (!f.file) 961 return error; 962 audit_file(f.file); 963 error = mnt_want_write_file(f.file); 964 if (!error) { 965 error = removexattr(file_mnt_idmap(f.file), 966 f.file->f_path.dentry, name); 967 mnt_drop_write_file(f.file); 968 } 969 fdput(f); 970 return error; 971 } 972 973 int xattr_list_one(char **buffer, ssize_t *remaining_size, const char *name) 974 { 975 size_t len; 976 977 len = strlen(name) + 1; 978 if (*buffer) { 979 if (*remaining_size < len) 980 return -ERANGE; 981 memcpy(*buffer, name, len); 982 *buffer += len; 983 } 984 *remaining_size -= len; 985 return 0; 986 } 987 988 /** 989 * generic_listxattr - run through a dentry's xattr list() operations 990 * @dentry: dentry to list the xattrs 991 * @buffer: result buffer 992 * @buffer_size: size of @buffer 993 * 994 * Combine the results of the list() operation from every xattr_handler in the 995 * xattr_handler stack. 996 * 997 * Note that this will not include the entries for POSIX ACLs. 998 */ 999 ssize_t 1000 generic_listxattr(struct dentry *dentry, char *buffer, size_t buffer_size) 1001 { 1002 const struct xattr_handler *handler, * const *handlers = dentry->d_sb->s_xattr; 1003 ssize_t remaining_size = buffer_size; 1004 int err = 0; 1005 1006 for_each_xattr_handler(handlers, handler) { 1007 if (!handler->name || (handler->list && !handler->list(dentry))) 1008 continue; 1009 err = xattr_list_one(&buffer, &remaining_size, handler->name); 1010 if (err) 1011 return err; 1012 } 1013 1014 return err ? err : buffer_size - remaining_size; 1015 } 1016 EXPORT_SYMBOL(generic_listxattr); 1017 1018 /** 1019 * xattr_full_name - Compute full attribute name from suffix 1020 * 1021 * @handler: handler of the xattr_handler operation 1022 * @name: name passed to the xattr_handler operation 1023 * 1024 * The get and set xattr handler operations are called with the remainder of 1025 * the attribute name after skipping the handler's prefix: for example, "foo" 1026 * is passed to the get operation of a handler with prefix "user." to get 1027 * attribute "user.foo". The full name is still "there" in the name though. 1028 * 1029 * Note: the list xattr handler operation when called from the vfs is passed a 1030 * NULL name; some file systems use this operation internally, with varying 1031 * semantics. 1032 */ 1033 const char *xattr_full_name(const struct xattr_handler *handler, 1034 const char *name) 1035 { 1036 size_t prefix_len = strlen(xattr_prefix(handler)); 1037 1038 return name - prefix_len; 1039 } 1040 EXPORT_SYMBOL(xattr_full_name); 1041 1042 /** 1043 * simple_xattr_space - estimate the memory used by a simple xattr 1044 * @name: the full name of the xattr 1045 * @size: the size of its value 1046 * 1047 * This takes no account of how much larger the two slab objects actually are: 1048 * that would depend on the slab implementation, when what is required is a 1049 * deterministic number, which grows with name length and size and quantity. 1050 * 1051 * Return: The approximate number of bytes of memory used by such an xattr. 1052 */ 1053 size_t simple_xattr_space(const char *name, size_t size) 1054 { 1055 /* 1056 * Use "40" instead of sizeof(struct simple_xattr), to return the 1057 * same result on 32-bit and 64-bit, and even if simple_xattr grows. 1058 */ 1059 return 40 + size + strlen(name); 1060 } 1061 1062 /** 1063 * simple_xattr_free - free an xattr object 1064 * @xattr: the xattr object 1065 * 1066 * Free the xattr object. Can handle @xattr being NULL. 1067 */ 1068 void simple_xattr_free(struct simple_xattr *xattr) 1069 { 1070 if (xattr) 1071 kfree(xattr->name); 1072 kvfree(xattr); 1073 } 1074 1075 /** 1076 * simple_xattr_alloc - allocate new xattr object 1077 * @value: value of the xattr object 1078 * @size: size of @value 1079 * 1080 * Allocate a new xattr object and initialize respective members. The caller is 1081 * responsible for handling the name of the xattr. 1082 * 1083 * Return: On success a new xattr object is returned. On failure NULL is 1084 * returned. 1085 */ 1086 struct simple_xattr *simple_xattr_alloc(const void *value, size_t size) 1087 { 1088 struct simple_xattr *new_xattr; 1089 size_t len; 1090 1091 /* wrap around? */ 1092 len = sizeof(*new_xattr) + size; 1093 if (len < sizeof(*new_xattr)) 1094 return NULL; 1095 1096 new_xattr = kvmalloc(len, GFP_KERNEL_ACCOUNT); 1097 if (!new_xattr) 1098 return NULL; 1099 1100 new_xattr->size = size; 1101 memcpy(new_xattr->value, value, size); 1102 return new_xattr; 1103 } 1104 1105 /** 1106 * rbtree_simple_xattr_cmp - compare xattr name with current rbtree xattr entry 1107 * @key: xattr name 1108 * @node: current node 1109 * 1110 * Compare the xattr name with the xattr name attached to @node in the rbtree. 1111 * 1112 * Return: Negative value if continuing left, positive if continuing right, 0 1113 * if the xattr attached to @node matches @key. 1114 */ 1115 static int rbtree_simple_xattr_cmp(const void *key, const struct rb_node *node) 1116 { 1117 const char *xattr_name = key; 1118 const struct simple_xattr *xattr; 1119 1120 xattr = rb_entry(node, struct simple_xattr, rb_node); 1121 return strcmp(xattr->name, xattr_name); 1122 } 1123 1124 /** 1125 * rbtree_simple_xattr_node_cmp - compare two xattr rbtree nodes 1126 * @new_node: new node 1127 * @node: current node 1128 * 1129 * Compare the xattr attached to @new_node with the xattr attached to @node. 1130 * 1131 * Return: Negative value if continuing left, positive if continuing right, 0 1132 * if the xattr attached to @new_node matches the xattr attached to @node. 1133 */ 1134 static int rbtree_simple_xattr_node_cmp(struct rb_node *new_node, 1135 const struct rb_node *node) 1136 { 1137 struct simple_xattr *xattr; 1138 xattr = rb_entry(new_node, struct simple_xattr, rb_node); 1139 return rbtree_simple_xattr_cmp(xattr->name, node); 1140 } 1141 1142 /** 1143 * simple_xattr_get - get an xattr object 1144 * @xattrs: the header of the xattr object 1145 * @name: the name of the xattr to retrieve 1146 * @buffer: the buffer to store the value into 1147 * @size: the size of @buffer 1148 * 1149 * Try to find and retrieve the xattr object associated with @name. 1150 * If @buffer is provided store the value of @xattr in @buffer 1151 * otherwise just return the length. The size of @buffer is limited 1152 * to XATTR_SIZE_MAX which currently is 65536. 1153 * 1154 * Return: On success the length of the xattr value is returned. On error a 1155 * negative error code is returned. 1156 */ 1157 int simple_xattr_get(struct simple_xattrs *xattrs, const char *name, 1158 void *buffer, size_t size) 1159 { 1160 struct simple_xattr *xattr = NULL; 1161 struct rb_node *rbp; 1162 int ret = -ENODATA; 1163 1164 read_lock(&xattrs->lock); 1165 rbp = rb_find(name, &xattrs->rb_root, rbtree_simple_xattr_cmp); 1166 if (rbp) { 1167 xattr = rb_entry(rbp, struct simple_xattr, rb_node); 1168 ret = xattr->size; 1169 if (buffer) { 1170 if (size < xattr->size) 1171 ret = -ERANGE; 1172 else 1173 memcpy(buffer, xattr->value, xattr->size); 1174 } 1175 } 1176 read_unlock(&xattrs->lock); 1177 return ret; 1178 } 1179 1180 /** 1181 * simple_xattr_set - set an xattr object 1182 * @xattrs: the header of the xattr object 1183 * @name: the name of the xattr to retrieve 1184 * @value: the value to store along the xattr 1185 * @size: the size of @value 1186 * @flags: the flags determining how to set the xattr 1187 * 1188 * Set a new xattr object. 1189 * If @value is passed a new xattr object will be allocated. If XATTR_REPLACE 1190 * is specified in @flags a matching xattr object for @name must already exist. 1191 * If it does it will be replaced with the new xattr object. If it doesn't we 1192 * fail. If XATTR_CREATE is specified and a matching xattr does already exist 1193 * we fail. If it doesn't we create a new xattr. If @flags is zero we simply 1194 * insert the new xattr replacing any existing one. 1195 * 1196 * If @value is empty and a matching xattr object is found we delete it if 1197 * XATTR_REPLACE is specified in @flags or @flags is zero. 1198 * 1199 * If @value is empty and no matching xattr object for @name is found we do 1200 * nothing if XATTR_CREATE is specified in @flags or @flags is zero. For 1201 * XATTR_REPLACE we fail as mentioned above. 1202 * 1203 * Return: On success, the removed or replaced xattr is returned, to be freed 1204 * by the caller; or NULL if none. On failure a negative error code is returned. 1205 */ 1206 struct simple_xattr *simple_xattr_set(struct simple_xattrs *xattrs, 1207 const char *name, const void *value, 1208 size_t size, int flags) 1209 { 1210 struct simple_xattr *old_xattr = NULL, *new_xattr = NULL; 1211 struct rb_node *parent = NULL, **rbp; 1212 int err = 0, ret; 1213 1214 /* value == NULL means remove */ 1215 if (value) { 1216 new_xattr = simple_xattr_alloc(value, size); 1217 if (!new_xattr) 1218 return ERR_PTR(-ENOMEM); 1219 1220 new_xattr->name = kstrdup(name, GFP_KERNEL_ACCOUNT); 1221 if (!new_xattr->name) { 1222 simple_xattr_free(new_xattr); 1223 return ERR_PTR(-ENOMEM); 1224 } 1225 } 1226 1227 write_lock(&xattrs->lock); 1228 rbp = &xattrs->rb_root.rb_node; 1229 while (*rbp) { 1230 parent = *rbp; 1231 ret = rbtree_simple_xattr_cmp(name, *rbp); 1232 if (ret < 0) 1233 rbp = &(*rbp)->rb_left; 1234 else if (ret > 0) 1235 rbp = &(*rbp)->rb_right; 1236 else 1237 old_xattr = rb_entry(*rbp, struct simple_xattr, rb_node); 1238 if (old_xattr) 1239 break; 1240 } 1241 1242 if (old_xattr) { 1243 /* Fail if XATTR_CREATE is requested and the xattr exists. */ 1244 if (flags & XATTR_CREATE) { 1245 err = -EEXIST; 1246 goto out_unlock; 1247 } 1248 1249 if (new_xattr) 1250 rb_replace_node(&old_xattr->rb_node, 1251 &new_xattr->rb_node, &xattrs->rb_root); 1252 else 1253 rb_erase(&old_xattr->rb_node, &xattrs->rb_root); 1254 } else { 1255 /* Fail if XATTR_REPLACE is requested but no xattr is found. */ 1256 if (flags & XATTR_REPLACE) { 1257 err = -ENODATA; 1258 goto out_unlock; 1259 } 1260 1261 /* 1262 * If XATTR_CREATE or no flags are specified together with a 1263 * new value simply insert it. 1264 */ 1265 if (new_xattr) { 1266 rb_link_node(&new_xattr->rb_node, parent, rbp); 1267 rb_insert_color(&new_xattr->rb_node, &xattrs->rb_root); 1268 } 1269 1270 /* 1271 * If XATTR_CREATE or no flags are specified and neither an 1272 * old or new xattr exist then we don't need to do anything. 1273 */ 1274 } 1275 1276 out_unlock: 1277 write_unlock(&xattrs->lock); 1278 if (!err) 1279 return old_xattr; 1280 simple_xattr_free(new_xattr); 1281 return ERR_PTR(err); 1282 } 1283 1284 static bool xattr_is_trusted(const char *name) 1285 { 1286 return !strncmp(name, XATTR_TRUSTED_PREFIX, XATTR_TRUSTED_PREFIX_LEN); 1287 } 1288 1289 /** 1290 * simple_xattr_list - list all xattr objects 1291 * @inode: inode from which to get the xattrs 1292 * @xattrs: the header of the xattr object 1293 * @buffer: the buffer to store all xattrs into 1294 * @size: the size of @buffer 1295 * 1296 * List all xattrs associated with @inode. If @buffer is NULL we returned 1297 * the required size of the buffer. If @buffer is provided we store the 1298 * xattrs value into it provided it is big enough. 1299 * 1300 * Note, the number of xattr names that can be listed with listxattr(2) is 1301 * limited to XATTR_LIST_MAX aka 65536 bytes. If a larger buffer is passed 1302 * then vfs_listxattr() caps it to XATTR_LIST_MAX and if more xattr names 1303 * are found it will return -E2BIG. 1304 * 1305 * Return: On success the required size or the size of the copied xattrs is 1306 * returned. On error a negative error code is returned. 1307 */ 1308 ssize_t simple_xattr_list(struct inode *inode, struct simple_xattrs *xattrs, 1309 char *buffer, size_t size) 1310 { 1311 bool trusted = ns_capable_noaudit(&init_user_ns, CAP_SYS_ADMIN); 1312 struct simple_xattr *xattr; 1313 struct rb_node *rbp; 1314 ssize_t remaining_size = size; 1315 int err = 0; 1316 1317 err = posix_acl_listxattr(inode, &buffer, &remaining_size); 1318 if (err) 1319 return err; 1320 1321 read_lock(&xattrs->lock); 1322 for (rbp = rb_first(&xattrs->rb_root); rbp; rbp = rb_next(rbp)) { 1323 xattr = rb_entry(rbp, struct simple_xattr, rb_node); 1324 1325 /* skip "trusted." attributes for unprivileged callers */ 1326 if (!trusted && xattr_is_trusted(xattr->name)) 1327 continue; 1328 1329 err = xattr_list_one(&buffer, &remaining_size, xattr->name); 1330 if (err) 1331 break; 1332 } 1333 read_unlock(&xattrs->lock); 1334 1335 return err ? err : size - remaining_size; 1336 } 1337 1338 /** 1339 * rbtree_simple_xattr_less - compare two xattr rbtree nodes 1340 * @new_node: new node 1341 * @node: current node 1342 * 1343 * Compare the xattr attached to @new_node with the xattr attached to @node. 1344 * Note that this function technically tolerates duplicate entries. 1345 * 1346 * Return: True if insertion point in the rbtree is found. 1347 */ 1348 static bool rbtree_simple_xattr_less(struct rb_node *new_node, 1349 const struct rb_node *node) 1350 { 1351 return rbtree_simple_xattr_node_cmp(new_node, node) < 0; 1352 } 1353 1354 /** 1355 * simple_xattr_add - add xattr objects 1356 * @xattrs: the header of the xattr object 1357 * @new_xattr: the xattr object to add 1358 * 1359 * Add an xattr object to @xattrs. This assumes no replacement or removal 1360 * of matching xattrs is wanted. Should only be called during inode 1361 * initialization when a few distinct initial xattrs are supposed to be set. 1362 */ 1363 void simple_xattr_add(struct simple_xattrs *xattrs, 1364 struct simple_xattr *new_xattr) 1365 { 1366 write_lock(&xattrs->lock); 1367 rb_add(&new_xattr->rb_node, &xattrs->rb_root, rbtree_simple_xattr_less); 1368 write_unlock(&xattrs->lock); 1369 } 1370 1371 /** 1372 * simple_xattrs_init - initialize new xattr header 1373 * @xattrs: header to initialize 1374 * 1375 * Initialize relevant fields of a an xattr header. 1376 */ 1377 void simple_xattrs_init(struct simple_xattrs *xattrs) 1378 { 1379 xattrs->rb_root = RB_ROOT; 1380 rwlock_init(&xattrs->lock); 1381 } 1382 1383 /** 1384 * simple_xattrs_free - free xattrs 1385 * @xattrs: xattr header whose xattrs to destroy 1386 * @freed_space: approximate number of bytes of memory freed from @xattrs 1387 * 1388 * Destroy all xattrs in @xattr. When this is called no one can hold a 1389 * reference to any of the xattrs anymore. 1390 */ 1391 void simple_xattrs_free(struct simple_xattrs *xattrs, size_t *freed_space) 1392 { 1393 struct rb_node *rbp; 1394 1395 if (freed_space) 1396 *freed_space = 0; 1397 rbp = rb_first(&xattrs->rb_root); 1398 while (rbp) { 1399 struct simple_xattr *xattr; 1400 struct rb_node *rbp_next; 1401 1402 rbp_next = rb_next(rbp); 1403 xattr = rb_entry(rbp, struct simple_xattr, rb_node); 1404 rb_erase(&xattr->rb_node, &xattrs->rb_root); 1405 if (freed_space) 1406 *freed_space += simple_xattr_space(xattr->name, 1407 xattr->size); 1408 simple_xattr_free(xattr); 1409 rbp = rbp_next; 1410 } 1411 } 1412