1 // SPDX-License-Identifier: GPL-2.0-only 2 /* 3 File: fs/xattr.c 4 5 Extended attribute handling. 6 7 Copyright (C) 2001 by Andreas Gruenbacher <a.gruenbacher@computer.org> 8 Copyright (C) 2001 SGI - Silicon Graphics, Inc <linux-xfs@oss.sgi.com> 9 Copyright (c) 2004 Red Hat, Inc., James Morris <jmorris@redhat.com> 10 */ 11 #include <linux/fs.h> 12 #include <linux/filelock.h> 13 #include <linux/slab.h> 14 #include <linux/file.h> 15 #include <linux/xattr.h> 16 #include <linux/mount.h> 17 #include <linux/namei.h> 18 #include <linux/security.h> 19 #include <linux/evm.h> 20 #include <linux/syscalls.h> 21 #include <linux/export.h> 22 #include <linux/fsnotify.h> 23 #include <linux/audit.h> 24 #include <linux/vmalloc.h> 25 #include <linux/posix_acl_xattr.h> 26 27 #include <linux/uaccess.h> 28 29 #include "internal.h" 30 31 static const char * 32 strcmp_prefix(const char *a, const char *a_prefix) 33 { 34 while (*a_prefix && *a == *a_prefix) { 35 a++; 36 a_prefix++; 37 } 38 return *a_prefix ? NULL : a; 39 } 40 41 /* 42 * In order to implement different sets of xattr operations for each xattr 43 * prefix, a filesystem should create a null-terminated array of struct 44 * xattr_handler (one for each prefix) and hang a pointer to it off of the 45 * s_xattr field of the superblock. 46 */ 47 #define for_each_xattr_handler(handlers, handler) \ 48 if (handlers) \ 49 for ((handler) = *(handlers)++; \ 50 (handler) != NULL; \ 51 (handler) = *(handlers)++) 52 53 /* 54 * Find the xattr_handler with the matching prefix. 55 */ 56 static const struct xattr_handler * 57 xattr_resolve_name(struct inode *inode, const char **name) 58 { 59 const struct xattr_handler * const *handlers = inode->i_sb->s_xattr; 60 const struct xattr_handler *handler; 61 62 if (!(inode->i_opflags & IOP_XATTR)) { 63 if (unlikely(is_bad_inode(inode))) 64 return ERR_PTR(-EIO); 65 return ERR_PTR(-EOPNOTSUPP); 66 } 67 for_each_xattr_handler(handlers, handler) { 68 const char *n; 69 70 n = strcmp_prefix(*name, xattr_prefix(handler)); 71 if (n) { 72 if (!handler->prefix ^ !*n) { 73 if (*n) 74 continue; 75 return ERR_PTR(-EINVAL); 76 } 77 *name = n; 78 return handler; 79 } 80 } 81 return ERR_PTR(-EOPNOTSUPP); 82 } 83 84 /** 85 * may_write_xattr - check whether inode allows writing xattr 86 * @idmap: idmap of the mount the inode was found from 87 * @inode: the inode on which to set an xattr 88 * 89 * Check whether the inode allows writing xattrs. Specifically, we can never 90 * set or remove an extended attribute on a read-only filesystem or on an 91 * immutable / append-only inode. 92 * 93 * We also need to ensure that the inode has a mapping in the mount to 94 * not risk writing back invalid i_{g,u}id values. 95 * 96 * Return: On success zero is returned. On error a negative errno is returned. 97 */ 98 int may_write_xattr(struct mnt_idmap *idmap, struct inode *inode) 99 { 100 if (IS_IMMUTABLE(inode)) 101 return -EPERM; 102 if (IS_APPEND(inode)) 103 return -EPERM; 104 if (HAS_UNMAPPED_ID(idmap, inode)) 105 return -EPERM; 106 return 0; 107 } 108 109 /* 110 * Check permissions for extended attribute access. This is a bit complicated 111 * because different namespaces have very different rules. 112 */ 113 static int 114 xattr_permission(struct mnt_idmap *idmap, struct inode *inode, 115 const char *name, int mask) 116 { 117 if (mask & MAY_WRITE) { 118 int ret; 119 120 ret = may_write_xattr(idmap, inode); 121 if (ret) 122 return ret; 123 } 124 125 /* 126 * No restriction for security.* and system.* from the VFS. Decision 127 * on these is left to the underlying filesystem / security module. 128 */ 129 if (!strncmp(name, XATTR_SECURITY_PREFIX, XATTR_SECURITY_PREFIX_LEN) || 130 !strncmp(name, XATTR_SYSTEM_PREFIX, XATTR_SYSTEM_PREFIX_LEN)) 131 return 0; 132 133 /* 134 * The trusted.* namespace can only be accessed by privileged users. 135 */ 136 if (!strncmp(name, XATTR_TRUSTED_PREFIX, XATTR_TRUSTED_PREFIX_LEN)) { 137 if (!capable(CAP_SYS_ADMIN)) 138 return (mask & MAY_WRITE) ? -EPERM : -ENODATA; 139 return 0; 140 } 141 142 /* 143 * In the user.* namespace, only regular files and directories can have 144 * extended attributes. For sticky directories, only the owner and 145 * privileged users can write attributes. 146 */ 147 if (!strncmp(name, XATTR_USER_PREFIX, XATTR_USER_PREFIX_LEN)) { 148 if (!S_ISREG(inode->i_mode) && !S_ISDIR(inode->i_mode)) 149 return (mask & MAY_WRITE) ? -EPERM : -ENODATA; 150 if (S_ISDIR(inode->i_mode) && (inode->i_mode & S_ISVTX) && 151 (mask & MAY_WRITE) && 152 !inode_owner_or_capable(idmap, inode)) 153 return -EPERM; 154 } 155 156 return inode_permission(idmap, inode, mask); 157 } 158 159 /* 160 * Look for any handler that deals with the specified namespace. 161 */ 162 int 163 xattr_supports_user_prefix(struct inode *inode) 164 { 165 const struct xattr_handler * const *handlers = inode->i_sb->s_xattr; 166 const struct xattr_handler *handler; 167 168 if (!(inode->i_opflags & IOP_XATTR)) { 169 if (unlikely(is_bad_inode(inode))) 170 return -EIO; 171 return -EOPNOTSUPP; 172 } 173 174 for_each_xattr_handler(handlers, handler) { 175 if (!strncmp(xattr_prefix(handler), XATTR_USER_PREFIX, 176 XATTR_USER_PREFIX_LEN)) 177 return 0; 178 } 179 180 return -EOPNOTSUPP; 181 } 182 EXPORT_SYMBOL(xattr_supports_user_prefix); 183 184 int 185 __vfs_setxattr(struct mnt_idmap *idmap, struct dentry *dentry, 186 struct inode *inode, const char *name, const void *value, 187 size_t size, int flags) 188 { 189 const struct xattr_handler *handler; 190 191 if (is_posix_acl_xattr(name)) 192 return -EOPNOTSUPP; 193 194 handler = xattr_resolve_name(inode, &name); 195 if (IS_ERR(handler)) 196 return PTR_ERR(handler); 197 if (!handler->set) 198 return -EOPNOTSUPP; 199 if (size == 0) 200 value = ""; /* empty EA, do not remove */ 201 return handler->set(handler, idmap, dentry, inode, name, value, 202 size, flags); 203 } 204 EXPORT_SYMBOL(__vfs_setxattr); 205 206 /** 207 * __vfs_setxattr_noperm - perform setxattr operation without performing 208 * permission checks. 209 * 210 * @idmap: idmap of the mount the inode was found from 211 * @dentry: object to perform setxattr on 212 * @name: xattr name to set 213 * @value: value to set @name to 214 * @size: size of @value 215 * @flags: flags to pass into filesystem operations 216 * 217 * returns the result of the internal setxattr or setsecurity operations. 218 * 219 * This function requires the caller to lock the inode's i_mutex before it 220 * is executed. It also assumes that the caller will make the appropriate 221 * permission checks. 222 */ 223 int __vfs_setxattr_noperm(struct mnt_idmap *idmap, 224 struct dentry *dentry, const char *name, 225 const void *value, size_t size, int flags) 226 { 227 struct inode *inode = dentry->d_inode; 228 int error = -EAGAIN; 229 int issec = !strncmp(name, XATTR_SECURITY_PREFIX, 230 XATTR_SECURITY_PREFIX_LEN); 231 232 if (issec) 233 inode->i_flags &= ~S_NOSEC; 234 if (inode->i_opflags & IOP_XATTR) { 235 error = __vfs_setxattr(idmap, dentry, inode, name, value, 236 size, flags); 237 if (!error) { 238 fsnotify_xattr(dentry); 239 security_inode_post_setxattr(dentry, name, value, 240 size, flags); 241 } 242 } else { 243 if (unlikely(is_bad_inode(inode))) 244 return -EIO; 245 } 246 if (error == -EAGAIN) { 247 error = -EOPNOTSUPP; 248 249 if (issec) { 250 const char *suffix = name + XATTR_SECURITY_PREFIX_LEN; 251 252 error = security_inode_setsecurity(inode, suffix, value, 253 size, flags); 254 if (!error) 255 fsnotify_xattr(dentry); 256 } 257 } 258 259 return error; 260 } 261 262 /** 263 * __vfs_setxattr_locked - set an extended attribute while holding the inode 264 * lock 265 * 266 * @idmap: idmap of the mount of the target inode 267 * @dentry: object to perform setxattr on 268 * @name: xattr name to set 269 * @value: value to set @name to 270 * @size: size of @value 271 * @flags: flags to pass into filesystem operations 272 * @delegated_inode: on return, will contain an inode pointer that 273 * a delegation was broken on, NULL if none. 274 */ 275 int 276 __vfs_setxattr_locked(struct mnt_idmap *idmap, struct dentry *dentry, 277 const char *name, const void *value, size_t size, 278 int flags, struct inode **delegated_inode) 279 { 280 struct inode *inode = dentry->d_inode; 281 int error; 282 283 error = xattr_permission(idmap, inode, name, MAY_WRITE); 284 if (error) 285 return error; 286 287 error = security_inode_setxattr(idmap, dentry, name, value, size, 288 flags); 289 if (error) 290 goto out; 291 292 error = try_break_deleg(inode, delegated_inode); 293 if (error) 294 goto out; 295 296 error = __vfs_setxattr_noperm(idmap, dentry, name, value, 297 size, flags); 298 299 out: 300 return error; 301 } 302 EXPORT_SYMBOL_GPL(__vfs_setxattr_locked); 303 304 int 305 vfs_setxattr(struct mnt_idmap *idmap, struct dentry *dentry, 306 const char *name, const void *value, size_t size, int flags) 307 { 308 struct inode *inode = dentry->d_inode; 309 struct inode *delegated_inode = NULL; 310 const void *orig_value = value; 311 int error; 312 313 if (size && strcmp(name, XATTR_NAME_CAPS) == 0) { 314 error = cap_convert_nscap(idmap, dentry, &value, size); 315 if (error < 0) 316 return error; 317 size = error; 318 } 319 320 retry_deleg: 321 inode_lock(inode); 322 error = __vfs_setxattr_locked(idmap, dentry, name, value, size, 323 flags, &delegated_inode); 324 inode_unlock(inode); 325 326 if (delegated_inode) { 327 error = break_deleg_wait(&delegated_inode); 328 if (!error) 329 goto retry_deleg; 330 } 331 if (value != orig_value) 332 kfree(value); 333 334 return error; 335 } 336 EXPORT_SYMBOL_GPL(vfs_setxattr); 337 338 static ssize_t 339 xattr_getsecurity(struct mnt_idmap *idmap, struct inode *inode, 340 const char *name, void *value, size_t size) 341 { 342 void *buffer = NULL; 343 ssize_t len; 344 345 if (!value || !size) { 346 len = security_inode_getsecurity(idmap, inode, name, 347 &buffer, false); 348 goto out_noalloc; 349 } 350 351 len = security_inode_getsecurity(idmap, inode, name, &buffer, 352 true); 353 if (len < 0) 354 return len; 355 if (size < len) { 356 len = -ERANGE; 357 goto out; 358 } 359 memcpy(value, buffer, len); 360 out: 361 kfree(buffer); 362 out_noalloc: 363 return len; 364 } 365 366 /* 367 * vfs_getxattr_alloc - allocate memory, if necessary, before calling getxattr 368 * 369 * Allocate memory, if not already allocated, or re-allocate correct size, 370 * before retrieving the extended attribute. The xattr value buffer should 371 * always be freed by the caller, even on error. 372 * 373 * Returns the result of alloc, if failed, or the getxattr operation. 374 */ 375 int 376 vfs_getxattr_alloc(struct mnt_idmap *idmap, struct dentry *dentry, 377 const char *name, char **xattr_value, size_t xattr_size, 378 gfp_t flags) 379 { 380 const struct xattr_handler *handler; 381 struct inode *inode = dentry->d_inode; 382 char *value = *xattr_value; 383 int error; 384 385 error = xattr_permission(idmap, inode, name, MAY_READ); 386 if (error) 387 return error; 388 389 handler = xattr_resolve_name(inode, &name); 390 if (IS_ERR(handler)) 391 return PTR_ERR(handler); 392 if (!handler->get) 393 return -EOPNOTSUPP; 394 error = handler->get(handler, dentry, inode, name, NULL, 0); 395 if (error < 0) 396 return error; 397 398 if (!value || (error > xattr_size)) { 399 value = krealloc(*xattr_value, error + 1, flags); 400 if (!value) 401 return -ENOMEM; 402 memset(value, 0, error + 1); 403 } 404 405 error = handler->get(handler, dentry, inode, name, value, error); 406 *xattr_value = value; 407 return error; 408 } 409 410 ssize_t 411 __vfs_getxattr(struct dentry *dentry, struct inode *inode, const char *name, 412 void *value, size_t size) 413 { 414 const struct xattr_handler *handler; 415 416 if (is_posix_acl_xattr(name)) 417 return -EOPNOTSUPP; 418 419 handler = xattr_resolve_name(inode, &name); 420 if (IS_ERR(handler)) 421 return PTR_ERR(handler); 422 if (!handler->get) 423 return -EOPNOTSUPP; 424 return handler->get(handler, dentry, inode, name, value, size); 425 } 426 EXPORT_SYMBOL(__vfs_getxattr); 427 428 ssize_t 429 vfs_getxattr(struct mnt_idmap *idmap, struct dentry *dentry, 430 const char *name, void *value, size_t size) 431 { 432 struct inode *inode = dentry->d_inode; 433 int error; 434 435 error = xattr_permission(idmap, inode, name, MAY_READ); 436 if (error) 437 return error; 438 439 error = security_inode_getxattr(dentry, name); 440 if (error) 441 return error; 442 443 if (!strncmp(name, XATTR_SECURITY_PREFIX, 444 XATTR_SECURITY_PREFIX_LEN)) { 445 const char *suffix = name + XATTR_SECURITY_PREFIX_LEN; 446 int ret = xattr_getsecurity(idmap, inode, suffix, value, 447 size); 448 /* 449 * Only overwrite the return value if a security module 450 * is actually active. 451 */ 452 if (ret == -EOPNOTSUPP) 453 goto nolsm; 454 return ret; 455 } 456 nolsm: 457 return __vfs_getxattr(dentry, inode, name, value, size); 458 } 459 EXPORT_SYMBOL_GPL(vfs_getxattr); 460 461 /** 462 * vfs_listxattr - retrieve \0 separated list of xattr names 463 * @dentry: the dentry from whose inode the xattr names are retrieved 464 * @list: buffer to store xattr names into 465 * @size: size of the buffer 466 * 467 * This function returns the names of all xattrs associated with the 468 * inode of @dentry. 469 * 470 * Note, for legacy reasons the vfs_listxattr() function lists POSIX 471 * ACLs as well. Since POSIX ACLs are decoupled from IOP_XATTR the 472 * vfs_listxattr() function doesn't check for this flag since a 473 * filesystem could implement POSIX ACLs without implementing any other 474 * xattrs. 475 * 476 * However, since all codepaths that remove IOP_XATTR also assign of 477 * inode operations that either don't implement or implement a stub 478 * ->listxattr() operation. 479 * 480 * Return: On success, the size of the buffer that was used. On error a 481 * negative error code. 482 */ 483 ssize_t 484 vfs_listxattr(struct dentry *dentry, char *list, size_t size) 485 { 486 struct inode *inode = d_inode(dentry); 487 ssize_t error; 488 489 error = security_inode_listxattr(dentry); 490 if (error) 491 return error; 492 493 if (inode->i_op->listxattr) { 494 error = inode->i_op->listxattr(dentry, list, size); 495 } else { 496 error = security_inode_listsecurity(inode, list, size); 497 if (size && error > size) 498 error = -ERANGE; 499 } 500 return error; 501 } 502 EXPORT_SYMBOL_GPL(vfs_listxattr); 503 504 int 505 __vfs_removexattr(struct mnt_idmap *idmap, struct dentry *dentry, 506 const char *name) 507 { 508 struct inode *inode = d_inode(dentry); 509 const struct xattr_handler *handler; 510 511 if (is_posix_acl_xattr(name)) 512 return -EOPNOTSUPP; 513 514 handler = xattr_resolve_name(inode, &name); 515 if (IS_ERR(handler)) 516 return PTR_ERR(handler); 517 if (!handler->set) 518 return -EOPNOTSUPP; 519 return handler->set(handler, idmap, dentry, inode, name, NULL, 0, 520 XATTR_REPLACE); 521 } 522 EXPORT_SYMBOL(__vfs_removexattr); 523 524 /** 525 * __vfs_removexattr_locked - set an extended attribute while holding the inode 526 * lock 527 * 528 * @idmap: idmap of the mount of the target inode 529 * @dentry: object to perform setxattr on 530 * @name: name of xattr to remove 531 * @delegated_inode: on return, will contain an inode pointer that 532 * a delegation was broken on, NULL if none. 533 */ 534 int 535 __vfs_removexattr_locked(struct mnt_idmap *idmap, 536 struct dentry *dentry, const char *name, 537 struct inode **delegated_inode) 538 { 539 struct inode *inode = dentry->d_inode; 540 int error; 541 542 error = xattr_permission(idmap, inode, name, MAY_WRITE); 543 if (error) 544 return error; 545 546 error = security_inode_removexattr(idmap, dentry, name); 547 if (error) 548 goto out; 549 550 error = try_break_deleg(inode, delegated_inode); 551 if (error) 552 goto out; 553 554 error = __vfs_removexattr(idmap, dentry, name); 555 if (error) 556 return error; 557 558 fsnotify_xattr(dentry); 559 security_inode_post_removexattr(dentry, name); 560 evm_inode_post_removexattr(dentry, name); 561 562 out: 563 return error; 564 } 565 EXPORT_SYMBOL_GPL(__vfs_removexattr_locked); 566 567 int 568 vfs_removexattr(struct mnt_idmap *idmap, struct dentry *dentry, 569 const char *name) 570 { 571 struct inode *inode = dentry->d_inode; 572 struct inode *delegated_inode = NULL; 573 int error; 574 575 retry_deleg: 576 inode_lock(inode); 577 error = __vfs_removexattr_locked(idmap, dentry, 578 name, &delegated_inode); 579 inode_unlock(inode); 580 581 if (delegated_inode) { 582 error = break_deleg_wait(&delegated_inode); 583 if (!error) 584 goto retry_deleg; 585 } 586 587 return error; 588 } 589 EXPORT_SYMBOL_GPL(vfs_removexattr); 590 591 /* 592 * Extended attribute SET operations 593 */ 594 595 int setxattr_copy(const char __user *name, struct xattr_ctx *ctx) 596 { 597 int error; 598 599 if (ctx->flags & ~(XATTR_CREATE|XATTR_REPLACE)) 600 return -EINVAL; 601 602 error = strncpy_from_user(ctx->kname->name, name, 603 sizeof(ctx->kname->name)); 604 if (error == 0 || error == sizeof(ctx->kname->name)) 605 return -ERANGE; 606 if (error < 0) 607 return error; 608 609 error = 0; 610 if (ctx->size) { 611 if (ctx->size > XATTR_SIZE_MAX) 612 return -E2BIG; 613 614 ctx->kvalue = vmemdup_user(ctx->cvalue, ctx->size); 615 if (IS_ERR(ctx->kvalue)) { 616 error = PTR_ERR(ctx->kvalue); 617 ctx->kvalue = NULL; 618 } 619 } 620 621 return error; 622 } 623 624 int do_setxattr(struct mnt_idmap *idmap, struct dentry *dentry, 625 struct xattr_ctx *ctx) 626 { 627 if (is_posix_acl_xattr(ctx->kname->name)) 628 return do_set_acl(idmap, dentry, ctx->kname->name, 629 ctx->kvalue, ctx->size); 630 631 return vfs_setxattr(idmap, dentry, ctx->kname->name, 632 ctx->kvalue, ctx->size, ctx->flags); 633 } 634 635 static long 636 setxattr(struct mnt_idmap *idmap, struct dentry *d, 637 const char __user *name, const void __user *value, size_t size, 638 int flags) 639 { 640 struct xattr_name kname; 641 struct xattr_ctx ctx = { 642 .cvalue = value, 643 .kvalue = NULL, 644 .size = size, 645 .kname = &kname, 646 .flags = flags, 647 }; 648 int error; 649 650 error = setxattr_copy(name, &ctx); 651 if (error) 652 return error; 653 654 error = do_setxattr(idmap, d, &ctx); 655 656 kvfree(ctx.kvalue); 657 return error; 658 } 659 660 static int path_setxattr(const char __user *pathname, 661 const char __user *name, const void __user *value, 662 size_t size, int flags, unsigned int lookup_flags) 663 { 664 struct path path; 665 int error; 666 667 retry: 668 error = user_path_at(AT_FDCWD, pathname, lookup_flags, &path); 669 if (error) 670 return error; 671 error = mnt_want_write(path.mnt); 672 if (!error) { 673 error = setxattr(mnt_idmap(path.mnt), path.dentry, name, 674 value, size, flags); 675 mnt_drop_write(path.mnt); 676 } 677 path_put(&path); 678 if (retry_estale(error, lookup_flags)) { 679 lookup_flags |= LOOKUP_REVAL; 680 goto retry; 681 } 682 return error; 683 } 684 685 SYSCALL_DEFINE5(setxattr, const char __user *, pathname, 686 const char __user *, name, const void __user *, value, 687 size_t, size, int, flags) 688 { 689 return path_setxattr(pathname, name, value, size, flags, LOOKUP_FOLLOW); 690 } 691 692 SYSCALL_DEFINE5(lsetxattr, const char __user *, pathname, 693 const char __user *, name, const void __user *, value, 694 size_t, size, int, flags) 695 { 696 return path_setxattr(pathname, name, value, size, flags, 0); 697 } 698 699 SYSCALL_DEFINE5(fsetxattr, int, fd, const char __user *, name, 700 const void __user *,value, size_t, size, int, flags) 701 { 702 struct fd f = fdget(fd); 703 int error = -EBADF; 704 705 if (!f.file) 706 return error; 707 audit_file(f.file); 708 error = mnt_want_write_file(f.file); 709 if (!error) { 710 error = setxattr(file_mnt_idmap(f.file), 711 f.file->f_path.dentry, name, 712 value, size, flags); 713 mnt_drop_write_file(f.file); 714 } 715 fdput(f); 716 return error; 717 } 718 719 /* 720 * Extended attribute GET operations 721 */ 722 ssize_t 723 do_getxattr(struct mnt_idmap *idmap, struct dentry *d, 724 struct xattr_ctx *ctx) 725 { 726 ssize_t error; 727 char *kname = ctx->kname->name; 728 729 if (ctx->size) { 730 if (ctx->size > XATTR_SIZE_MAX) 731 ctx->size = XATTR_SIZE_MAX; 732 ctx->kvalue = kvzalloc(ctx->size, GFP_KERNEL); 733 if (!ctx->kvalue) 734 return -ENOMEM; 735 } 736 737 if (is_posix_acl_xattr(ctx->kname->name)) 738 error = do_get_acl(idmap, d, kname, ctx->kvalue, ctx->size); 739 else 740 error = vfs_getxattr(idmap, d, kname, ctx->kvalue, ctx->size); 741 if (error > 0) { 742 if (ctx->size && copy_to_user(ctx->value, ctx->kvalue, error)) 743 error = -EFAULT; 744 } else if (error == -ERANGE && ctx->size >= XATTR_SIZE_MAX) { 745 /* The file system tried to returned a value bigger 746 than XATTR_SIZE_MAX bytes. Not possible. */ 747 error = -E2BIG; 748 } 749 750 return error; 751 } 752 753 static ssize_t 754 getxattr(struct mnt_idmap *idmap, struct dentry *d, 755 const char __user *name, void __user *value, size_t size) 756 { 757 ssize_t error; 758 struct xattr_name kname; 759 struct xattr_ctx ctx = { 760 .value = value, 761 .kvalue = NULL, 762 .size = size, 763 .kname = &kname, 764 .flags = 0, 765 }; 766 767 error = strncpy_from_user(kname.name, name, sizeof(kname.name)); 768 if (error == 0 || error == sizeof(kname.name)) 769 error = -ERANGE; 770 if (error < 0) 771 return error; 772 773 error = do_getxattr(idmap, d, &ctx); 774 775 kvfree(ctx.kvalue); 776 return error; 777 } 778 779 static ssize_t path_getxattr(const char __user *pathname, 780 const char __user *name, void __user *value, 781 size_t size, unsigned int lookup_flags) 782 { 783 struct path path; 784 ssize_t error; 785 retry: 786 error = user_path_at(AT_FDCWD, pathname, lookup_flags, &path); 787 if (error) 788 return error; 789 error = getxattr(mnt_idmap(path.mnt), path.dentry, name, value, size); 790 path_put(&path); 791 if (retry_estale(error, lookup_flags)) { 792 lookup_flags |= LOOKUP_REVAL; 793 goto retry; 794 } 795 return error; 796 } 797 798 SYSCALL_DEFINE4(getxattr, const char __user *, pathname, 799 const char __user *, name, void __user *, value, size_t, size) 800 { 801 return path_getxattr(pathname, name, value, size, LOOKUP_FOLLOW); 802 } 803 804 SYSCALL_DEFINE4(lgetxattr, const char __user *, pathname, 805 const char __user *, name, void __user *, value, size_t, size) 806 { 807 return path_getxattr(pathname, name, value, size, 0); 808 } 809 810 SYSCALL_DEFINE4(fgetxattr, int, fd, const char __user *, name, 811 void __user *, value, size_t, size) 812 { 813 struct fd f = fdget(fd); 814 ssize_t error = -EBADF; 815 816 if (!f.file) 817 return error; 818 audit_file(f.file); 819 error = getxattr(file_mnt_idmap(f.file), f.file->f_path.dentry, 820 name, value, size); 821 fdput(f); 822 return error; 823 } 824 825 /* 826 * Extended attribute LIST operations 827 */ 828 static ssize_t 829 listxattr(struct dentry *d, char __user *list, size_t size) 830 { 831 ssize_t error; 832 char *klist = NULL; 833 834 if (size) { 835 if (size > XATTR_LIST_MAX) 836 size = XATTR_LIST_MAX; 837 klist = kvmalloc(size, GFP_KERNEL); 838 if (!klist) 839 return -ENOMEM; 840 } 841 842 error = vfs_listxattr(d, klist, size); 843 if (error > 0) { 844 if (size && copy_to_user(list, klist, error)) 845 error = -EFAULT; 846 } else if (error == -ERANGE && size >= XATTR_LIST_MAX) { 847 /* The file system tried to returned a list bigger 848 than XATTR_LIST_MAX bytes. Not possible. */ 849 error = -E2BIG; 850 } 851 852 kvfree(klist); 853 854 return error; 855 } 856 857 static ssize_t path_listxattr(const char __user *pathname, char __user *list, 858 size_t size, unsigned int lookup_flags) 859 { 860 struct path path; 861 ssize_t error; 862 retry: 863 error = user_path_at(AT_FDCWD, pathname, lookup_flags, &path); 864 if (error) 865 return error; 866 error = listxattr(path.dentry, list, size); 867 path_put(&path); 868 if (retry_estale(error, lookup_flags)) { 869 lookup_flags |= LOOKUP_REVAL; 870 goto retry; 871 } 872 return error; 873 } 874 875 SYSCALL_DEFINE3(listxattr, const char __user *, pathname, char __user *, list, 876 size_t, size) 877 { 878 return path_listxattr(pathname, list, size, LOOKUP_FOLLOW); 879 } 880 881 SYSCALL_DEFINE3(llistxattr, const char __user *, pathname, char __user *, list, 882 size_t, size) 883 { 884 return path_listxattr(pathname, list, size, 0); 885 } 886 887 SYSCALL_DEFINE3(flistxattr, int, fd, char __user *, list, size_t, size) 888 { 889 struct fd f = fdget(fd); 890 ssize_t error = -EBADF; 891 892 if (!f.file) 893 return error; 894 audit_file(f.file); 895 error = listxattr(f.file->f_path.dentry, list, size); 896 fdput(f); 897 return error; 898 } 899 900 /* 901 * Extended attribute REMOVE operations 902 */ 903 static long 904 removexattr(struct mnt_idmap *idmap, struct dentry *d, 905 const char __user *name) 906 { 907 int error; 908 char kname[XATTR_NAME_MAX + 1]; 909 910 error = strncpy_from_user(kname, name, sizeof(kname)); 911 if (error == 0 || error == sizeof(kname)) 912 error = -ERANGE; 913 if (error < 0) 914 return error; 915 916 if (is_posix_acl_xattr(kname)) 917 return vfs_remove_acl(idmap, d, kname); 918 919 return vfs_removexattr(idmap, d, kname); 920 } 921 922 static int path_removexattr(const char __user *pathname, 923 const char __user *name, unsigned int lookup_flags) 924 { 925 struct path path; 926 int error; 927 retry: 928 error = user_path_at(AT_FDCWD, pathname, lookup_flags, &path); 929 if (error) 930 return error; 931 error = mnt_want_write(path.mnt); 932 if (!error) { 933 error = removexattr(mnt_idmap(path.mnt), path.dentry, name); 934 mnt_drop_write(path.mnt); 935 } 936 path_put(&path); 937 if (retry_estale(error, lookup_flags)) { 938 lookup_flags |= LOOKUP_REVAL; 939 goto retry; 940 } 941 return error; 942 } 943 944 SYSCALL_DEFINE2(removexattr, const char __user *, pathname, 945 const char __user *, name) 946 { 947 return path_removexattr(pathname, name, LOOKUP_FOLLOW); 948 } 949 950 SYSCALL_DEFINE2(lremovexattr, const char __user *, pathname, 951 const char __user *, name) 952 { 953 return path_removexattr(pathname, name, 0); 954 } 955 956 SYSCALL_DEFINE2(fremovexattr, int, fd, const char __user *, name) 957 { 958 struct fd f = fdget(fd); 959 int error = -EBADF; 960 961 if (!f.file) 962 return error; 963 audit_file(f.file); 964 error = mnt_want_write_file(f.file); 965 if (!error) { 966 error = removexattr(file_mnt_idmap(f.file), 967 f.file->f_path.dentry, name); 968 mnt_drop_write_file(f.file); 969 } 970 fdput(f); 971 return error; 972 } 973 974 int xattr_list_one(char **buffer, ssize_t *remaining_size, const char *name) 975 { 976 size_t len; 977 978 len = strlen(name) + 1; 979 if (*buffer) { 980 if (*remaining_size < len) 981 return -ERANGE; 982 memcpy(*buffer, name, len); 983 *buffer += len; 984 } 985 *remaining_size -= len; 986 return 0; 987 } 988 989 /** 990 * generic_listxattr - run through a dentry's xattr list() operations 991 * @dentry: dentry to list the xattrs 992 * @buffer: result buffer 993 * @buffer_size: size of @buffer 994 * 995 * Combine the results of the list() operation from every xattr_handler in the 996 * xattr_handler stack. 997 * 998 * Note that this will not include the entries for POSIX ACLs. 999 */ 1000 ssize_t 1001 generic_listxattr(struct dentry *dentry, char *buffer, size_t buffer_size) 1002 { 1003 const struct xattr_handler *handler, * const *handlers = dentry->d_sb->s_xattr; 1004 ssize_t remaining_size = buffer_size; 1005 int err = 0; 1006 1007 for_each_xattr_handler(handlers, handler) { 1008 if (!handler->name || (handler->list && !handler->list(dentry))) 1009 continue; 1010 err = xattr_list_one(&buffer, &remaining_size, handler->name); 1011 if (err) 1012 return err; 1013 } 1014 1015 return err ? err : buffer_size - remaining_size; 1016 } 1017 EXPORT_SYMBOL(generic_listxattr); 1018 1019 /** 1020 * xattr_full_name - Compute full attribute name from suffix 1021 * 1022 * @handler: handler of the xattr_handler operation 1023 * @name: name passed to the xattr_handler operation 1024 * 1025 * The get and set xattr handler operations are called with the remainder of 1026 * the attribute name after skipping the handler's prefix: for example, "foo" 1027 * is passed to the get operation of a handler with prefix "user." to get 1028 * attribute "user.foo". The full name is still "there" in the name though. 1029 * 1030 * Note: the list xattr handler operation when called from the vfs is passed a 1031 * NULL name; some file systems use this operation internally, with varying 1032 * semantics. 1033 */ 1034 const char *xattr_full_name(const struct xattr_handler *handler, 1035 const char *name) 1036 { 1037 size_t prefix_len = strlen(xattr_prefix(handler)); 1038 1039 return name - prefix_len; 1040 } 1041 EXPORT_SYMBOL(xattr_full_name); 1042 1043 /** 1044 * simple_xattr_space - estimate the memory used by a simple xattr 1045 * @name: the full name of the xattr 1046 * @size: the size of its value 1047 * 1048 * This takes no account of how much larger the two slab objects actually are: 1049 * that would depend on the slab implementation, when what is required is a 1050 * deterministic number, which grows with name length and size and quantity. 1051 * 1052 * Return: The approximate number of bytes of memory used by such an xattr. 1053 */ 1054 size_t simple_xattr_space(const char *name, size_t size) 1055 { 1056 /* 1057 * Use "40" instead of sizeof(struct simple_xattr), to return the 1058 * same result on 32-bit and 64-bit, and even if simple_xattr grows. 1059 */ 1060 return 40 + size + strlen(name); 1061 } 1062 1063 /** 1064 * simple_xattr_free - free an xattr object 1065 * @xattr: the xattr object 1066 * 1067 * Free the xattr object. Can handle @xattr being NULL. 1068 */ 1069 void simple_xattr_free(struct simple_xattr *xattr) 1070 { 1071 if (xattr) 1072 kfree(xattr->name); 1073 kvfree(xattr); 1074 } 1075 1076 /** 1077 * simple_xattr_alloc - allocate new xattr object 1078 * @value: value of the xattr object 1079 * @size: size of @value 1080 * 1081 * Allocate a new xattr object and initialize respective members. The caller is 1082 * responsible for handling the name of the xattr. 1083 * 1084 * Return: On success a new xattr object is returned. On failure NULL is 1085 * returned. 1086 */ 1087 struct simple_xattr *simple_xattr_alloc(const void *value, size_t size) 1088 { 1089 struct simple_xattr *new_xattr; 1090 size_t len; 1091 1092 /* wrap around? */ 1093 len = sizeof(*new_xattr) + size; 1094 if (len < sizeof(*new_xattr)) 1095 return NULL; 1096 1097 new_xattr = kvmalloc(len, GFP_KERNEL_ACCOUNT); 1098 if (!new_xattr) 1099 return NULL; 1100 1101 new_xattr->size = size; 1102 memcpy(new_xattr->value, value, size); 1103 return new_xattr; 1104 } 1105 1106 /** 1107 * rbtree_simple_xattr_cmp - compare xattr name with current rbtree xattr entry 1108 * @key: xattr name 1109 * @node: current node 1110 * 1111 * Compare the xattr name with the xattr name attached to @node in the rbtree. 1112 * 1113 * Return: Negative value if continuing left, positive if continuing right, 0 1114 * if the xattr attached to @node matches @key. 1115 */ 1116 static int rbtree_simple_xattr_cmp(const void *key, const struct rb_node *node) 1117 { 1118 const char *xattr_name = key; 1119 const struct simple_xattr *xattr; 1120 1121 xattr = rb_entry(node, struct simple_xattr, rb_node); 1122 return strcmp(xattr->name, xattr_name); 1123 } 1124 1125 /** 1126 * rbtree_simple_xattr_node_cmp - compare two xattr rbtree nodes 1127 * @new_node: new node 1128 * @node: current node 1129 * 1130 * Compare the xattr attached to @new_node with the xattr attached to @node. 1131 * 1132 * Return: Negative value if continuing left, positive if continuing right, 0 1133 * if the xattr attached to @new_node matches the xattr attached to @node. 1134 */ 1135 static int rbtree_simple_xattr_node_cmp(struct rb_node *new_node, 1136 const struct rb_node *node) 1137 { 1138 struct simple_xattr *xattr; 1139 xattr = rb_entry(new_node, struct simple_xattr, rb_node); 1140 return rbtree_simple_xattr_cmp(xattr->name, node); 1141 } 1142 1143 /** 1144 * simple_xattr_get - get an xattr object 1145 * @xattrs: the header of the xattr object 1146 * @name: the name of the xattr to retrieve 1147 * @buffer: the buffer to store the value into 1148 * @size: the size of @buffer 1149 * 1150 * Try to find and retrieve the xattr object associated with @name. 1151 * If @buffer is provided store the value of @xattr in @buffer 1152 * otherwise just return the length. The size of @buffer is limited 1153 * to XATTR_SIZE_MAX which currently is 65536. 1154 * 1155 * Return: On success the length of the xattr value is returned. On error a 1156 * negative error code is returned. 1157 */ 1158 int simple_xattr_get(struct simple_xattrs *xattrs, const char *name, 1159 void *buffer, size_t size) 1160 { 1161 struct simple_xattr *xattr = NULL; 1162 struct rb_node *rbp; 1163 int ret = -ENODATA; 1164 1165 read_lock(&xattrs->lock); 1166 rbp = rb_find(name, &xattrs->rb_root, rbtree_simple_xattr_cmp); 1167 if (rbp) { 1168 xattr = rb_entry(rbp, struct simple_xattr, rb_node); 1169 ret = xattr->size; 1170 if (buffer) { 1171 if (size < xattr->size) 1172 ret = -ERANGE; 1173 else 1174 memcpy(buffer, xattr->value, xattr->size); 1175 } 1176 } 1177 read_unlock(&xattrs->lock); 1178 return ret; 1179 } 1180 1181 /** 1182 * simple_xattr_set - set an xattr object 1183 * @xattrs: the header of the xattr object 1184 * @name: the name of the xattr to retrieve 1185 * @value: the value to store along the xattr 1186 * @size: the size of @value 1187 * @flags: the flags determining how to set the xattr 1188 * 1189 * Set a new xattr object. 1190 * If @value is passed a new xattr object will be allocated. If XATTR_REPLACE 1191 * is specified in @flags a matching xattr object for @name must already exist. 1192 * If it does it will be replaced with the new xattr object. If it doesn't we 1193 * fail. If XATTR_CREATE is specified and a matching xattr does already exist 1194 * we fail. If it doesn't we create a new xattr. If @flags is zero we simply 1195 * insert the new xattr replacing any existing one. 1196 * 1197 * If @value is empty and a matching xattr object is found we delete it if 1198 * XATTR_REPLACE is specified in @flags or @flags is zero. 1199 * 1200 * If @value is empty and no matching xattr object for @name is found we do 1201 * nothing if XATTR_CREATE is specified in @flags or @flags is zero. For 1202 * XATTR_REPLACE we fail as mentioned above. 1203 * 1204 * Return: On success, the removed or replaced xattr is returned, to be freed 1205 * by the caller; or NULL if none. On failure a negative error code is returned. 1206 */ 1207 struct simple_xattr *simple_xattr_set(struct simple_xattrs *xattrs, 1208 const char *name, const void *value, 1209 size_t size, int flags) 1210 { 1211 struct simple_xattr *old_xattr = NULL, *new_xattr = NULL; 1212 struct rb_node *parent = NULL, **rbp; 1213 int err = 0, ret; 1214 1215 /* value == NULL means remove */ 1216 if (value) { 1217 new_xattr = simple_xattr_alloc(value, size); 1218 if (!new_xattr) 1219 return ERR_PTR(-ENOMEM); 1220 1221 new_xattr->name = kstrdup(name, GFP_KERNEL_ACCOUNT); 1222 if (!new_xattr->name) { 1223 simple_xattr_free(new_xattr); 1224 return ERR_PTR(-ENOMEM); 1225 } 1226 } 1227 1228 write_lock(&xattrs->lock); 1229 rbp = &xattrs->rb_root.rb_node; 1230 while (*rbp) { 1231 parent = *rbp; 1232 ret = rbtree_simple_xattr_cmp(name, *rbp); 1233 if (ret < 0) 1234 rbp = &(*rbp)->rb_left; 1235 else if (ret > 0) 1236 rbp = &(*rbp)->rb_right; 1237 else 1238 old_xattr = rb_entry(*rbp, struct simple_xattr, rb_node); 1239 if (old_xattr) 1240 break; 1241 } 1242 1243 if (old_xattr) { 1244 /* Fail if XATTR_CREATE is requested and the xattr exists. */ 1245 if (flags & XATTR_CREATE) { 1246 err = -EEXIST; 1247 goto out_unlock; 1248 } 1249 1250 if (new_xattr) 1251 rb_replace_node(&old_xattr->rb_node, 1252 &new_xattr->rb_node, &xattrs->rb_root); 1253 else 1254 rb_erase(&old_xattr->rb_node, &xattrs->rb_root); 1255 } else { 1256 /* Fail if XATTR_REPLACE is requested but no xattr is found. */ 1257 if (flags & XATTR_REPLACE) { 1258 err = -ENODATA; 1259 goto out_unlock; 1260 } 1261 1262 /* 1263 * If XATTR_CREATE or no flags are specified together with a 1264 * new value simply insert it. 1265 */ 1266 if (new_xattr) { 1267 rb_link_node(&new_xattr->rb_node, parent, rbp); 1268 rb_insert_color(&new_xattr->rb_node, &xattrs->rb_root); 1269 } 1270 1271 /* 1272 * If XATTR_CREATE or no flags are specified and neither an 1273 * old or new xattr exist then we don't need to do anything. 1274 */ 1275 } 1276 1277 out_unlock: 1278 write_unlock(&xattrs->lock); 1279 if (!err) 1280 return old_xattr; 1281 simple_xattr_free(new_xattr); 1282 return ERR_PTR(err); 1283 } 1284 1285 static bool xattr_is_trusted(const char *name) 1286 { 1287 return !strncmp(name, XATTR_TRUSTED_PREFIX, XATTR_TRUSTED_PREFIX_LEN); 1288 } 1289 1290 /** 1291 * simple_xattr_list - list all xattr objects 1292 * @inode: inode from which to get the xattrs 1293 * @xattrs: the header of the xattr object 1294 * @buffer: the buffer to store all xattrs into 1295 * @size: the size of @buffer 1296 * 1297 * List all xattrs associated with @inode. If @buffer is NULL we returned 1298 * the required size of the buffer. If @buffer is provided we store the 1299 * xattrs value into it provided it is big enough. 1300 * 1301 * Note, the number of xattr names that can be listed with listxattr(2) is 1302 * limited to XATTR_LIST_MAX aka 65536 bytes. If a larger buffer is passed 1303 * then vfs_listxattr() caps it to XATTR_LIST_MAX and if more xattr names 1304 * are found it will return -E2BIG. 1305 * 1306 * Return: On success the required size or the size of the copied xattrs is 1307 * returned. On error a negative error code is returned. 1308 */ 1309 ssize_t simple_xattr_list(struct inode *inode, struct simple_xattrs *xattrs, 1310 char *buffer, size_t size) 1311 { 1312 bool trusted = ns_capable_noaudit(&init_user_ns, CAP_SYS_ADMIN); 1313 struct simple_xattr *xattr; 1314 struct rb_node *rbp; 1315 ssize_t remaining_size = size; 1316 int err = 0; 1317 1318 err = posix_acl_listxattr(inode, &buffer, &remaining_size); 1319 if (err) 1320 return err; 1321 1322 read_lock(&xattrs->lock); 1323 for (rbp = rb_first(&xattrs->rb_root); rbp; rbp = rb_next(rbp)) { 1324 xattr = rb_entry(rbp, struct simple_xattr, rb_node); 1325 1326 /* skip "trusted." attributes for unprivileged callers */ 1327 if (!trusted && xattr_is_trusted(xattr->name)) 1328 continue; 1329 1330 err = xattr_list_one(&buffer, &remaining_size, xattr->name); 1331 if (err) 1332 break; 1333 } 1334 read_unlock(&xattrs->lock); 1335 1336 return err ? err : size - remaining_size; 1337 } 1338 1339 /** 1340 * rbtree_simple_xattr_less - compare two xattr rbtree nodes 1341 * @new_node: new node 1342 * @node: current node 1343 * 1344 * Compare the xattr attached to @new_node with the xattr attached to @node. 1345 * Note that this function technically tolerates duplicate entries. 1346 * 1347 * Return: True if insertion point in the rbtree is found. 1348 */ 1349 static bool rbtree_simple_xattr_less(struct rb_node *new_node, 1350 const struct rb_node *node) 1351 { 1352 return rbtree_simple_xattr_node_cmp(new_node, node) < 0; 1353 } 1354 1355 /** 1356 * simple_xattr_add - add xattr objects 1357 * @xattrs: the header of the xattr object 1358 * @new_xattr: the xattr object to add 1359 * 1360 * Add an xattr object to @xattrs. This assumes no replacement or removal 1361 * of matching xattrs is wanted. Should only be called during inode 1362 * initialization when a few distinct initial xattrs are supposed to be set. 1363 */ 1364 void simple_xattr_add(struct simple_xattrs *xattrs, 1365 struct simple_xattr *new_xattr) 1366 { 1367 write_lock(&xattrs->lock); 1368 rb_add(&new_xattr->rb_node, &xattrs->rb_root, rbtree_simple_xattr_less); 1369 write_unlock(&xattrs->lock); 1370 } 1371 1372 /** 1373 * simple_xattrs_init - initialize new xattr header 1374 * @xattrs: header to initialize 1375 * 1376 * Initialize relevant fields of a an xattr header. 1377 */ 1378 void simple_xattrs_init(struct simple_xattrs *xattrs) 1379 { 1380 xattrs->rb_root = RB_ROOT; 1381 rwlock_init(&xattrs->lock); 1382 } 1383 1384 /** 1385 * simple_xattrs_free - free xattrs 1386 * @xattrs: xattr header whose xattrs to destroy 1387 * @freed_space: approximate number of bytes of memory freed from @xattrs 1388 * 1389 * Destroy all xattrs in @xattr. When this is called no one can hold a 1390 * reference to any of the xattrs anymore. 1391 */ 1392 void simple_xattrs_free(struct simple_xattrs *xattrs, size_t *freed_space) 1393 { 1394 struct rb_node *rbp; 1395 1396 if (freed_space) 1397 *freed_space = 0; 1398 rbp = rb_first(&xattrs->rb_root); 1399 while (rbp) { 1400 struct simple_xattr *xattr; 1401 struct rb_node *rbp_next; 1402 1403 rbp_next = rb_next(rbp); 1404 xattr = rb_entry(rbp, struct simple_xattr, rb_node); 1405 rb_erase(&xattr->rb_node, &xattrs->rb_root); 1406 if (freed_space) 1407 *freed_space += simple_xattr_space(xattr->name, 1408 xattr->size); 1409 simple_xattr_free(xattr); 1410 rbp = rbp_next; 1411 } 1412 } 1413