| /* |
| File: fs/xattr.c |
| |
| Extended attribute handling. |
| |
| Copyright (C) 2001 by Andreas Gruenbacher <a.gruenbacher@computer.org> |
| Copyright (C) 2001 SGI - Silicon Graphics, Inc <linux-xfs@oss.sgi.com> |
| Copyright (c) 2004 Red Hat, Inc., James Morris <jmorris@redhat.com> |
| */ |
| #include <linux/fs.h> |
| #include <linux/slab.h> |
| #include <linux/file.h> |
| #include <linux/xattr.h> |
| #include <linux/mount.h> |
| #include <linux/namei.h> |
| #include <linux/security.h> |
| #include <linux/evm.h> |
| #include <linux/syscalls.h> |
| #include <linux/export.h> |
| #include <linux/fsnotify.h> |
| #include <linux/audit.h> |
| #include <linux/vmalloc.h> |
| |
| #include <asm/uaccess.h> |
| |
| /* |
| * Check permissions for extended attribute access. This is a bit complicated |
| * because different namespaces have very different rules. |
| */ |
| static int |
| xattr_permission(struct inode *inode, const char *name, int mask) |
| { |
| /* |
| * We can never set or remove an extended attribute on a read-only |
| * filesystem or on an immutable / append-only inode. |
| */ |
| if (mask & MAY_WRITE) { |
| if (IS_IMMUTABLE(inode) || IS_APPEND(inode)) |
| return -EPERM; |
| } |
| |
| /* |
| * No restriction for security.* and system.* from the VFS. Decision |
| * on these is left to the underlying filesystem / security module. |
| */ |
| if (!strncmp(name, XATTR_SECURITY_PREFIX, XATTR_SECURITY_PREFIX_LEN) || |
| !strncmp(name, XATTR_SYSTEM_PREFIX, XATTR_SYSTEM_PREFIX_LEN)) |
| return 0; |
| |
| /* |
| * The trusted.* namespace can only be accessed by privileged users. |
| */ |
| if (!strncmp(name, XATTR_TRUSTED_PREFIX, XATTR_TRUSTED_PREFIX_LEN)) { |
| if (!capable(CAP_SYS_ADMIN)) |
| return (mask & MAY_WRITE) ? -EPERM : -ENODATA; |
| return 0; |
| } |
| |
| /* |
| * In the user.* namespace, only regular files and directories can have |
| * extended attributes. For sticky directories, only the owner and |
| * privileged users can write attributes. |
| */ |
| if (!strncmp(name, XATTR_USER_PREFIX, XATTR_USER_PREFIX_LEN)) { |
| if (!S_ISREG(inode->i_mode) && !S_ISDIR(inode->i_mode)) |
| return (mask & MAY_WRITE) ? -EPERM : -ENODATA; |
| if (S_ISDIR(inode->i_mode) && (inode->i_mode & S_ISVTX) && |
| (mask & MAY_WRITE) && !inode_owner_or_capable(inode)) |
| return -EPERM; |
| } |
| |
| return inode_permission(inode, mask); |
| } |
| |
| /** |
| * __vfs_setxattr_noperm - perform setxattr operation without performing |
| * permission checks. |
| * |
| * @dentry - object to perform setxattr on |
| * @name - xattr name to set |
| * @value - value to set @name to |
| * @size - size of @value |
| * @flags - flags to pass into filesystem operations |
| * |
| * returns the result of the internal setxattr or setsecurity operations. |
| * |
| * This function requires the caller to lock the inode's i_mutex before it |
| * is executed. It also assumes that the caller will make the appropriate |
| * permission checks. |
| */ |
| int __vfs_setxattr_noperm(struct dentry *dentry, const char *name, |
| const void *value, size_t size, int flags) |
| { |
| struct inode *inode = dentry->d_inode; |
| int error = -EOPNOTSUPP; |
| int issec = !strncmp(name, XATTR_SECURITY_PREFIX, |
| XATTR_SECURITY_PREFIX_LEN); |
| |
| if (issec) |
| inode->i_flags &= ~S_NOSEC; |
| if (inode->i_op->setxattr) { |
| error = inode->i_op->setxattr(dentry, name, value, size, flags); |
| if (!error) { |
| fsnotify_xattr(dentry); |
| security_inode_post_setxattr(dentry, name, value, |
| size, flags); |
| } |
| } else if (issec) { |
| const char *suffix = name + XATTR_SECURITY_PREFIX_LEN; |
| error = security_inode_setsecurity(inode, suffix, value, |
| size, flags); |
| if (!error) |
| fsnotify_xattr(dentry); |
| } |
| |
| return error; |
| } |
| |
| |
| int |
| vfs_setxattr(struct dentry *dentry, const char *name, const void *value, |
| size_t size, int flags) |
| { |
| struct inode *inode = dentry->d_inode; |
| int error; |
| |
| error = xattr_permission(inode, name, MAY_WRITE); |
| if (error) |
| return error; |
| |
| mutex_lock(&inode->i_mutex); |
| error = security_inode_setxattr(dentry, name, value, size, flags); |
| if (error) |
| goto out; |
| |
| error = __vfs_setxattr_noperm(dentry, name, value, size, flags); |
| |
| out: |
| mutex_unlock(&inode->i_mutex); |
| return error; |
| } |
| EXPORT_SYMBOL_GPL(vfs_setxattr); |
| |
| ssize_t |
| xattr_getsecurity(struct inode *inode, const char *name, void *value, |
| size_t size) |
| { |
| void *buffer = NULL; |
| ssize_t len; |
| |
| if (!value || !size) { |
| len = security_inode_getsecurity(inode, name, &buffer, false); |
| goto out_noalloc; |
| } |
| |
| len = security_inode_getsecurity(inode, name, &buffer, true); |
| if (len < 0) |
| return len; |
| if (size < len) { |
| len = -ERANGE; |
| goto out; |
| } |
| memcpy(value, buffer, len); |
| out: |
| security_release_secctx(buffer, len); |
| out_noalloc: |
| return len; |
| } |
| EXPORT_SYMBOL_GPL(xattr_getsecurity); |
| |
| /* |
| * vfs_getxattr_alloc - allocate memory, if necessary, before calling getxattr |
| * |
| * Allocate memory, if not already allocated, or re-allocate correct size, |
| * before retrieving the extended attribute. |
| * |
| * Returns the result of alloc, if failed, or the getxattr operation. |
| */ |
| ssize_t |
| vfs_getxattr_alloc(struct dentry *dentry, const char *name, char **xattr_value, |
| size_t xattr_size, gfp_t flags) |
| { |
| struct inode *inode = dentry->d_inode; |
| char *value = *xattr_value; |
| int error; |
| |
| error = xattr_permission(inode, name, MAY_READ); |
| if (error) |
| return error; |
| |
| if (!inode->i_op->getxattr) |
| return -EOPNOTSUPP; |
| |
| error = inode->i_op->getxattr(dentry, name, NULL, 0); |
| if (error < 0) |
| return error; |
| |
| if (!value || (error > xattr_size)) { |
| value = krealloc(*xattr_value, error + 1, flags); |
| if (!value) |
| return -ENOMEM; |
| memset(value, 0, error + 1); |
| } |
| |
| error = inode->i_op->getxattr(dentry, name, value, error); |
| *xattr_value = value; |
| return error; |
| } |
| |
| /* Compare an extended attribute value with the given value */ |
| int vfs_xattr_cmp(struct dentry *dentry, const char *xattr_name, |
| const char *value, size_t size, gfp_t flags) |
| { |
| char *xattr_value = NULL; |
| int rc; |
| |
| rc = vfs_getxattr_alloc(dentry, xattr_name, &xattr_value, 0, flags); |
| if (rc < 0) |
| return rc; |
| |
| if ((rc != size) || (memcmp(xattr_value, value, rc) != 0)) |
| rc = -EINVAL; |
| else |
| rc = 0; |
| kfree(xattr_value); |
| return rc; |
| } |
| |
| ssize_t |
| vfs_getxattr(struct dentry *dentry, const char *name, void *value, size_t size) |
| { |
| struct inode *inode = dentry->d_inode; |
| int error; |
| |
| error = xattr_permission(inode, name, MAY_READ); |
| if (error) |
| return error; |
| |
| error = security_inode_getxattr(dentry, name); |
| if (error) |
| return error; |
| |
| if (!strncmp(name, XATTR_SECURITY_PREFIX, |
| XATTR_SECURITY_PREFIX_LEN)) { |
| const char *suffix = name + XATTR_SECURITY_PREFIX_LEN; |
| int ret = xattr_getsecurity(inode, suffix, value, size); |
| /* |
| * Only overwrite the return value if a security module |
| * is actually active. |
| */ |
| if (ret == -EOPNOTSUPP) |
| goto nolsm; |
| return ret; |
| } |
| nolsm: |
| if (inode->i_op->getxattr) |
| error = inode->i_op->getxattr(dentry, name, value, size); |
| else |
| error = -EOPNOTSUPP; |
| |
| return error; |
| } |
| EXPORT_SYMBOL_GPL(vfs_getxattr); |
| |
| ssize_t |
| vfs_listxattr(struct dentry *d, char *list, size_t size) |
| { |
| ssize_t error; |
| |
| error = security_inode_listxattr(d); |
| if (error) |
| return error; |
| error = -EOPNOTSUPP; |
| if (d->d_inode->i_op->listxattr) { |
| error = d->d_inode->i_op->listxattr(d, list, size); |
| } else { |
| error = security_inode_listsecurity(d->d_inode, list, size); |
| if (size && error > size) |
| error = -ERANGE; |
| } |
| return error; |
| } |
| EXPORT_SYMBOL_GPL(vfs_listxattr); |
| |
| int |
| vfs_removexattr(struct dentry *dentry, const char *name) |
| { |
| struct inode *inode = dentry->d_inode; |
| int error; |
| |
| if (!inode->i_op->removexattr) |
| return -EOPNOTSUPP; |
| |
| error = xattr_permission(inode, name, MAY_WRITE); |
| if (error) |
| return error; |
| |
| error = security_inode_removexattr(dentry, name); |
| if (error) |
| return error; |
| |
| mutex_lock(&inode->i_mutex); |
| error = inode->i_op->removexattr(dentry, name); |
| mutex_unlock(&inode->i_mutex); |
| |
| if (!error) { |
| fsnotify_xattr(dentry); |
| evm_inode_post_removexattr(dentry, name); |
| } |
| return error; |
| } |
| EXPORT_SYMBOL_GPL(vfs_removexattr); |
| |
| |
| /* |
| * Extended attribute SET operations |
| */ |
| static long |
| setxattr(struct dentry *d, const char __user *name, const void __user *value, |
| size_t size, int flags) |
| { |
| int error; |
| void *kvalue = NULL; |
| void *vvalue = NULL; /* If non-NULL, we used vmalloc() */ |
| char kname[XATTR_NAME_MAX + 1]; |
| |
| if (flags & ~(XATTR_CREATE|XATTR_REPLACE)) |
| return -EINVAL; |
| |
| error = strncpy_from_user(kname, name, sizeof(kname)); |
| if (error == 0 || error == sizeof(kname)) |
| error = -ERANGE; |
| if (error < 0) |
| return error; |
| |
| if (size) { |
| if (size > XATTR_SIZE_MAX) |
| return -E2BIG; |
| kvalue = kmalloc(size, GFP_KERNEL | __GFP_NOWARN); |
| if (!kvalue) { |
| vvalue = vmalloc(size); |
| if (!vvalue) |
| return -ENOMEM; |
| kvalue = vvalue; |
| } |
| if (copy_from_user(kvalue, value, size)) { |
| error = -EFAULT; |
| goto out; |
| } |
| } |
| |
| error = vfs_setxattr(d, kname, kvalue, size, flags); |
| out: |
| if (vvalue) |
| vfree(vvalue); |
| else |
| kfree(kvalue); |
| return error; |
| } |
| |
| SYSCALL_DEFINE5(setxattr, const char __user *, pathname, |
| const char __user *, name, const void __user *, value, |
| size_t, size, int, flags) |
| { |
| struct path path; |
| int error; |
| |
| error = user_path(pathname, &path); |
| if (error) |
| return error; |
| error = mnt_want_write(path.mnt); |
| if (!error) { |
| error = setxattr(path.dentry, name, value, size, flags); |
| mnt_drop_write(path.mnt); |
| } |
| path_put(&path); |
| return error; |
| } |
| |
| SYSCALL_DEFINE5(lsetxattr, const char __user *, pathname, |
| const char __user *, name, const void __user *, value, |
| size_t, size, int, flags) |
| { |
| struct path path; |
| int error; |
| |
| error = user_lpath(pathname, &path); |
| if (error) |
| return error; |
| error = mnt_want_write(path.mnt); |
| if (!error) { |
| error = setxattr(path.dentry, name, value, size, flags); |
| mnt_drop_write(path.mnt); |
| } |
| path_put(&path); |
| return error; |
| } |
| |
| SYSCALL_DEFINE5(fsetxattr, int, fd, const char __user *, name, |
| const void __user *,value, size_t, size, int, flags) |
| { |
| int fput_needed; |
| struct file *f; |
| struct dentry *dentry; |
| int error = -EBADF; |
| |
| f = fget_light(fd, &fput_needed); |
| if (!f) |
| return error; |
| dentry = f->f_path.dentry; |
| audit_inode(NULL, dentry); |
| error = mnt_want_write_file(f); |
| if (!error) { |
| error = setxattr(dentry, name, value, size, flags); |
| mnt_drop_write_file(f); |
| } |
| fput_light(f, fput_needed); |
| return error; |
| } |
| |
| /* |
| * Extended attribute GET operations |
| */ |
| static ssize_t |
| getxattr(struct dentry *d, const char __user *name, void __user *value, |
| size_t size) |
| { |
| ssize_t error; |
| void *kvalue = NULL; |
| char kname[XATTR_NAME_MAX + 1]; |
| |
| error = strncpy_from_user(kname, name, sizeof(kname)); |
| if (error == 0 || error == sizeof(kname)) |
| error = -ERANGE; |
| if (error < 0) |
| return error; |
| |
| if (size) { |
| if (size > XATTR_SIZE_MAX) |
| size = XATTR_SIZE_MAX; |
| kvalue = kzalloc(size, GFP_KERNEL); |
| if (!kvalue) |
| return -ENOMEM; |
| } |
| |
| error = vfs_getxattr(d, kname, kvalue, size); |
| if (error > 0) { |
| if (size && copy_to_user(value, kvalue, error)) |
| error = -EFAULT; |
| } else if (error == -ERANGE && size >= XATTR_SIZE_MAX) { |
| /* The file system tried to returned a value bigger |
| than XATTR_SIZE_MAX bytes. Not possible. */ |
| error = -E2BIG; |
| } |
| kfree(kvalue); |
| return error; |
| } |
| |
| SYSCALL_DEFINE4(getxattr, const char __user *, pathname, |
| const char __user *, name, void __user *, value, size_t, size) |
| { |
| struct path path; |
| ssize_t error; |
| |
| error = user_path(pathname, &path); |
| if (error) |
| return error; |
| error = getxattr(path.dentry, name, value, size); |
| path_put(&path); |
| return error; |
| } |
| |
| SYSCALL_DEFINE4(lgetxattr, const char __user *, pathname, |
| const char __user *, name, void __user *, value, size_t, size) |
| { |
| struct path path; |
| ssize_t error; |
| |
| error = user_lpath(pathname, &path); |
| if (error) |
| return error; |
| error = getxattr(path.dentry, name, value, size); |
| path_put(&path); |
| return error; |
| } |
| |
| SYSCALL_DEFINE4(fgetxattr, int, fd, const char __user *, name, |
| void __user *, value, size_t, size) |
| { |
| int fput_needed; |
| struct file *f; |
| ssize_t error = -EBADF; |
| |
| f = fget_light(fd, &fput_needed); |
| if (!f) |
| return error; |
| audit_inode(NULL, f->f_path.dentry); |
| error = getxattr(f->f_path.dentry, name, value, size); |
| fput_light(f, fput_needed); |
| return error; |
| } |
| |
| /* |
| * Extended attribute LIST operations |
| */ |
| static ssize_t |
| listxattr(struct dentry *d, char __user *list, size_t size) |
| { |
| ssize_t error; |
| char *klist = NULL; |
| char *vlist = NULL; /* If non-NULL, we used vmalloc() */ |
| |
| if (size) { |
| if (size > XATTR_LIST_MAX) |
| size = XATTR_LIST_MAX; |
| klist = kmalloc(size, __GFP_NOWARN | GFP_KERNEL); |
| if (!klist) { |
| vlist = vmalloc(size); |
| if (!vlist) |
| return -ENOMEM; |
| klist = vlist; |
| } |
| } |
| |
| error = vfs_listxattr(d, klist, size); |
| if (error > 0) { |
| if (size && copy_to_user(list, klist, error)) |
| error = -EFAULT; |
| } else if (error == -ERANGE && size >= XATTR_LIST_MAX) { |
| /* The file system tried to returned a list bigger |
| than XATTR_LIST_MAX bytes. Not possible. */ |
| error = -E2BIG; |
| } |
| if (vlist) |
| vfree(vlist); |
| else |
| kfree(klist); |
| return error; |
| } |
| |
| SYSCALL_DEFINE3(listxattr, const char __user *, pathname, char __user *, list, |
| size_t, size) |
| { |
| struct path path; |
| ssize_t error; |
| |
| error = user_path(pathname, &path); |
| if (error) |
| return error; |
| error = listxattr(path.dentry, list, size); |
| path_put(&path); |
| return error; |
| } |
| |
| SYSCALL_DEFINE3(llistxattr, const char __user *, pathname, char __user *, list, |
| size_t, size) |
| { |
| struct path path; |
| ssize_t error; |
| |
| error = user_lpath(pathname, &path); |
| if (error) |
| return error; |
| error = listxattr(path.dentry, list, size); |
| path_put(&path); |
| return error; |
| } |
| |
| SYSCALL_DEFINE3(flistxattr, int, fd, char __user *, list, size_t, size) |
| { |
| int fput_needed; |
| struct file *f; |
| ssize_t error = -EBADF; |
| |
| f = fget_light(fd, &fput_needed); |
| if (!f) |
| return error; |
| audit_inode(NULL, f->f_path.dentry); |
| error = listxattr(f->f_path.dentry, list, size); |
| fput_light(f, fput_needed); |
| return error; |
| } |
| |
| /* |
| * Extended attribute REMOVE operations |
| */ |
| static long |
| removexattr(struct dentry *d, const char __user *name) |
| { |
| int error; |
| char kname[XATTR_NAME_MAX + 1]; |
| |
| error = strncpy_from_user(kname, name, sizeof(kname)); |
| if (error == 0 || error == sizeof(kname)) |
| error = -ERANGE; |
| if (error < 0) |
| return error; |
| |
| return vfs_removexattr(d, kname); |
| } |
| |
| SYSCALL_DEFINE2(removexattr, const char __user *, pathname, |
| const char __user *, name) |
| { |
| struct path path; |
| int error; |
| |
| error = user_path(pathname, &path); |
| if (error) |
| return error; |
| error = mnt_want_write(path.mnt); |
| if (!error) { |
| error = removexattr(path.dentry, name); |
| mnt_drop_write(path.mnt); |
| } |
| path_put(&path); |
| return error; |
| } |
| |
| SYSCALL_DEFINE2(lremovexattr, const char __user *, pathname, |
| const char __user *, name) |
| { |
| struct path path; |
| int error; |
| |
| error = user_lpath(pathname, &path); |
| if (error) |
| return error; |
| error = mnt_want_write(path.mnt); |
| if (!error) { |
| error = removexattr(path.dentry, name); |
| mnt_drop_write(path.mnt); |
| } |
| path_put(&path); |
| return error; |
| } |
| |
| SYSCALL_DEFINE2(fremovexattr, int, fd, const char __user *, name) |
| { |
| int fput_needed; |
| struct file *f; |
| struct dentry *dentry; |
| int error = -EBADF; |
| |
| f = fget_light(fd, &fput_needed); |
| if (!f) |
| return error; |
| dentry = f->f_path.dentry; |
| audit_inode(NULL, dentry); |
| error = mnt_want_write_file(f); |
| if (!error) { |
| error = removexattr(dentry, name); |
| mnt_drop_write_file(f); |
| } |
| fput_light(f, fput_needed); |
| return error; |
| } |
| |
| |
| static const char * |
| strcmp_prefix(const char *a, const char *a_prefix) |
| { |
| while (*a_prefix && *a == *a_prefix) { |
| a++; |
| a_prefix++; |
| } |
| return *a_prefix ? NULL : a; |
| } |
| |
| /* |
| * In order to implement different sets of xattr operations for each xattr |
| * prefix with the generic xattr API, a filesystem should create a |
| * null-terminated array of struct xattr_handler (one for each prefix) and |
| * hang a pointer to it off of the s_xattr field of the superblock. |
| * |
| * The generic_fooxattr() functions will use this list to dispatch xattr |
| * operations to the correct xattr_handler. |
| */ |
| #define for_each_xattr_handler(handlers, handler) \ |
| for ((handler) = *(handlers)++; \ |
| (handler) != NULL; \ |
| (handler) = *(handlers)++) |
| |
| /* |
| * Find the xattr_handler with the matching prefix. |
| */ |
| static const struct xattr_handler * |
| xattr_resolve_name(const struct xattr_handler **handlers, const char **name) |
| { |
| const struct xattr_handler *handler; |
| |
| if (!*name) |
| return NULL; |
| |
| for_each_xattr_handler(handlers, handler) { |
| const char *n = strcmp_prefix(*name, handler->prefix); |
| if (n) { |
| *name = n; |
| break; |
| } |
| } |
| return handler; |
| } |
| |
| /* |
| * Find the handler for the prefix and dispatch its get() operation. |
| */ |
| ssize_t |
| generic_getxattr(struct dentry *dentry, const char *name, void *buffer, size_t size) |
| { |
| const struct xattr_handler *handler; |
| |
| handler = xattr_resolve_name(dentry->d_sb->s_xattr, &name); |
| if (!handler) |
| return -EOPNOTSUPP; |
| return handler->get(dentry, name, buffer, size, handler->flags); |
| } |
| |
| /* |
| * Combine the results of the list() operation from every xattr_handler in the |
| * list. |
| */ |
| ssize_t |
| generic_listxattr(struct dentry *dentry, char *buffer, size_t buffer_size) |
| { |
| const struct xattr_handler *handler, **handlers = dentry->d_sb->s_xattr; |
| unsigned int size = 0; |
| |
| if (!buffer) { |
| for_each_xattr_handler(handlers, handler) { |
| size += handler->list(dentry, NULL, 0, NULL, 0, |
| handler->flags); |
| } |
| } else { |
| char *buf = buffer; |
| |
| for_each_xattr_handler(handlers, handler) { |
| size = handler->list(dentry, buf, buffer_size, |
| NULL, 0, handler->flags); |
| if (size > buffer_size) |
| return -ERANGE; |
| buf += size; |
| buffer_size -= size; |
| } |
| size = buf - buffer; |
| } |
| return size; |
| } |
| |
| /* |
| * Find the handler for the prefix and dispatch its set() operation. |
| */ |
| int |
| generic_setxattr(struct dentry *dentry, const char *name, const void *value, size_t size, int flags) |
| { |
| const struct xattr_handler *handler; |
| |
| if (size == 0) |
| value = ""; /* empty EA, do not remove */ |
| handler = xattr_resolve_name(dentry->d_sb->s_xattr, &name); |
| if (!handler) |
| return -EOPNOTSUPP; |
| return handler->set(dentry, name, value, size, flags, handler->flags); |
| } |
| |
| /* |
| * Find the handler for the prefix and dispatch its set() operation to remove |
| * any associated extended attribute. |
| */ |
| int |
| generic_removexattr(struct dentry *dentry, const char *name) |
| { |
| const struct xattr_handler *handler; |
| |
| handler = xattr_resolve_name(dentry->d_sb->s_xattr, &name); |
| if (!handler) |
| return -EOPNOTSUPP; |
| return handler->set(dentry, name, NULL, 0, |
| XATTR_REPLACE, handler->flags); |
| } |
| |
| EXPORT_SYMBOL(generic_getxattr); |
| EXPORT_SYMBOL(generic_listxattr); |
| EXPORT_SYMBOL(generic_setxattr); |
| EXPORT_SYMBOL(generic_removexattr); |