xref: /openbmc/linux/fs/afs/security.c (revision 260ea95c)
1 /* AFS security handling
2  *
3  * Copyright (C) 2007 Red Hat, Inc. All Rights Reserved.
4  * Written by David Howells (dhowells@redhat.com)
5  *
6  * This program is free software; you can redistribute it and/or
7  * modify it under the terms of the GNU General Public License
8  * as published by the Free Software Foundation; either version
9  * 2 of the License, or (at your option) any later version.
10  */
11 
12 #include <linux/init.h>
13 #include <linux/slab.h>
14 #include <linux/fs.h>
15 #include <linux/ctype.h>
16 #include <linux/sched.h>
17 #include <keys/rxrpc-type.h>
18 #include "internal.h"
19 
20 /*
21  * get a key
22  */
23 struct key *afs_request_key(struct afs_cell *cell)
24 {
25 	struct key *key;
26 
27 	_enter("{%x}", key_serial(cell->anonymous_key));
28 
29 	_debug("key %s", cell->anonymous_key->description);
30 	key = request_key(&key_type_rxrpc, cell->anonymous_key->description,
31 			  NULL);
32 	if (IS_ERR(key)) {
33 		if (PTR_ERR(key) != -ENOKEY) {
34 			_leave(" = %ld", PTR_ERR(key));
35 			return key;
36 		}
37 
38 		/* act as anonymous user */
39 		_leave(" = {%x} [anon]", key_serial(cell->anonymous_key));
40 		return key_get(cell->anonymous_key);
41 	} else {
42 		/* act as authorised user */
43 		_leave(" = {%x} [auth]", key_serial(key));
44 		return key;
45 	}
46 }
47 
48 /*
49  * dispose of a permits list
50  */
51 void afs_zap_permits(struct rcu_head *rcu)
52 {
53 	struct afs_permits *permits =
54 		container_of(rcu, struct afs_permits, rcu);
55 	int loop;
56 
57 	_enter("{%d}", permits->count);
58 
59 	for (loop = permits->count - 1; loop >= 0; loop--)
60 		key_put(permits->permits[loop].key);
61 	kfree(permits);
62 }
63 
64 /*
65  * dispose of a permits list in which all the key pointers have been copied
66  */
67 static void afs_dispose_of_permits(struct rcu_head *rcu)
68 {
69 	struct afs_permits *permits =
70 		container_of(rcu, struct afs_permits, rcu);
71 
72 	_enter("{%d}", permits->count);
73 
74 	kfree(permits);
75 }
76 
77 /*
78  * get the authorising vnode - this is the specified inode itself if it's a
79  * directory or it's the parent directory if the specified inode is a file or
80  * symlink
81  * - the caller must release the ref on the inode
82  */
83 static struct afs_vnode *afs_get_auth_inode(struct afs_vnode *vnode,
84 					    struct key *key)
85 {
86 	struct afs_vnode *auth_vnode;
87 	struct inode *auth_inode;
88 
89 	_enter("");
90 
91 	if (S_ISDIR(vnode->vfs_inode.i_mode)) {
92 		auth_inode = igrab(&vnode->vfs_inode);
93 		ASSERT(auth_inode != NULL);
94 	} else {
95 		auth_inode = afs_iget(vnode->vfs_inode.i_sb, key,
96 				      &vnode->status.parent, NULL, NULL);
97 		if (IS_ERR(auth_inode))
98 			return ERR_CAST(auth_inode);
99 	}
100 
101 	auth_vnode = AFS_FS_I(auth_inode);
102 	_leave(" = {%x}", auth_vnode->fid.vnode);
103 	return auth_vnode;
104 }
105 
106 /*
107  * clear the permit cache on a directory vnode
108  */
109 void afs_clear_permits(struct afs_vnode *vnode)
110 {
111 	struct afs_permits *permits;
112 
113 	_enter("{%x:%u}", vnode->fid.vid, vnode->fid.vnode);
114 
115 	mutex_lock(&vnode->permits_lock);
116 	permits = vnode->permits;
117 	RCU_INIT_POINTER(vnode->permits, NULL);
118 	mutex_unlock(&vnode->permits_lock);
119 
120 	if (permits)
121 		call_rcu(&permits->rcu, afs_zap_permits);
122 	_leave("");
123 }
124 
125 /*
126  * add the result obtained for a vnode to its or its parent directory's cache
127  * for the key used to access it
128  */
129 void afs_cache_permit(struct afs_vnode *vnode, struct key *key, long acl_order)
130 {
131 	struct afs_permits *permits, *xpermits;
132 	struct afs_permit *permit;
133 	struct afs_vnode *auth_vnode;
134 	int count, loop;
135 
136 	_enter("{%x:%u},%x,%lx",
137 	       vnode->fid.vid, vnode->fid.vnode, key_serial(key), acl_order);
138 
139 	auth_vnode = afs_get_auth_inode(vnode, key);
140 	if (IS_ERR(auth_vnode)) {
141 		_leave(" [get error %ld]", PTR_ERR(auth_vnode));
142 		return;
143 	}
144 
145 	mutex_lock(&auth_vnode->permits_lock);
146 
147 	/* guard against a rename being detected whilst we waited for the
148 	 * lock */
149 	if (memcmp(&auth_vnode->fid, &vnode->status.parent,
150 		   sizeof(struct afs_fid)) != 0) {
151 		_debug("renamed");
152 		goto out_unlock;
153 	}
154 
155 	/* have to be careful as the directory's callback may be broken between
156 	 * us receiving the status we're trying to cache and us getting the
157 	 * lock to update the cache for the status */
158 	if (auth_vnode->acl_order - acl_order > 0) {
159 		_debug("ACL changed?");
160 		goto out_unlock;
161 	}
162 
163 	/* always update the anonymous mask */
164 	_debug("anon access %x", vnode->status.anon_access);
165 	auth_vnode->status.anon_access = vnode->status.anon_access;
166 	if (key == vnode->volume->cell->anonymous_key)
167 		goto out_unlock;
168 
169 	xpermits = auth_vnode->permits;
170 	count = 0;
171 	if (xpermits) {
172 		/* see if the permit is already in the list
173 		 * - if it is then we just amend the list
174 		 */
175 		count = xpermits->count;
176 		permit = xpermits->permits;
177 		for (loop = count; loop > 0; loop--) {
178 			if (permit->key == key) {
179 				permit->access_mask =
180 					vnode->status.caller_access;
181 				goto out_unlock;
182 			}
183 			permit++;
184 		}
185 	}
186 
187 	permits = kmalloc(sizeof(*permits) + sizeof(*permit) * (count + 1),
188 			  GFP_NOFS);
189 	if (!permits)
190 		goto out_unlock;
191 
192 	if (xpermits)
193 		memcpy(permits->permits, xpermits->permits,
194 			count * sizeof(struct afs_permit));
195 
196 	_debug("key %x access %x",
197 	       key_serial(key), vnode->status.caller_access);
198 	permits->permits[count].access_mask = vnode->status.caller_access;
199 	permits->permits[count].key = key_get(key);
200 	permits->count = count + 1;
201 
202 	rcu_assign_pointer(auth_vnode->permits, permits);
203 	if (xpermits)
204 		call_rcu(&xpermits->rcu, afs_dispose_of_permits);
205 
206 out_unlock:
207 	mutex_unlock(&auth_vnode->permits_lock);
208 	iput(&auth_vnode->vfs_inode);
209 	_leave("");
210 }
211 
212 /*
213  * check with the fileserver to see if the directory or parent directory is
214  * permitted to be accessed with this authorisation, and if so, what access it
215  * is granted
216  */
217 static int afs_check_permit(struct afs_vnode *vnode, struct key *key,
218 			    afs_access_t *_access)
219 {
220 	struct afs_permits *permits;
221 	struct afs_permit *permit;
222 	struct afs_vnode *auth_vnode;
223 	bool valid;
224 	int loop, ret;
225 
226 	_enter("{%x:%u},%x",
227 	       vnode->fid.vid, vnode->fid.vnode, key_serial(key));
228 
229 	auth_vnode = afs_get_auth_inode(vnode, key);
230 	if (IS_ERR(auth_vnode)) {
231 		*_access = 0;
232 		_leave(" = %ld", PTR_ERR(auth_vnode));
233 		return PTR_ERR(auth_vnode);
234 	}
235 
236 	ASSERT(S_ISDIR(auth_vnode->vfs_inode.i_mode));
237 
238 	/* check the permits to see if we've got one yet */
239 	if (key == auth_vnode->volume->cell->anonymous_key) {
240 		_debug("anon");
241 		*_access = auth_vnode->status.anon_access;
242 		valid = true;
243 	} else {
244 		valid = false;
245 		rcu_read_lock();
246 		permits = rcu_dereference(auth_vnode->permits);
247 		if (permits) {
248 			permit = permits->permits;
249 			for (loop = permits->count; loop > 0; loop--) {
250 				if (permit->key == key) {
251 					_debug("found in cache");
252 					*_access = permit->access_mask;
253 					valid = true;
254 					break;
255 				}
256 				permit++;
257 			}
258 		}
259 		rcu_read_unlock();
260 	}
261 
262 	if (!valid) {
263 		/* check the status on the file we're actually interested in
264 		 * (the post-processing will cache the result on auth_vnode) */
265 		_debug("no valid permit");
266 
267 		set_bit(AFS_VNODE_CB_BROKEN, &vnode->flags);
268 		ret = afs_vnode_fetch_status(vnode, auth_vnode, key);
269 		if (ret < 0) {
270 			iput(&auth_vnode->vfs_inode);
271 			*_access = 0;
272 			_leave(" = %d", ret);
273 			return ret;
274 		}
275 		*_access = vnode->status.caller_access;
276 	}
277 
278 	iput(&auth_vnode->vfs_inode);
279 	_leave(" = 0 [access %x]", *_access);
280 	return 0;
281 }
282 
283 /*
284  * check the permissions on an AFS file
285  * - AFS ACLs are attached to directories only, and a file is controlled by its
286  *   parent directory's ACL
287  */
288 int afs_permission(struct inode *inode, int mask)
289 {
290 	struct afs_vnode *vnode = AFS_FS_I(inode);
291 	afs_access_t uninitialized_var(access);
292 	struct key *key;
293 	int ret;
294 
295 	if (mask & MAY_NOT_BLOCK)
296 		return -ECHILD;
297 
298 	_enter("{{%x:%u},%lx},%x,",
299 	       vnode->fid.vid, vnode->fid.vnode, vnode->flags, mask);
300 
301 	key = afs_request_key(vnode->volume->cell);
302 	if (IS_ERR(key)) {
303 		_leave(" = %ld [key]", PTR_ERR(key));
304 		return PTR_ERR(key);
305 	}
306 
307 	/* if the promise has expired, we need to check the server again */
308 	if (!vnode->cb_promised) {
309 		_debug("not promised");
310 		ret = afs_vnode_fetch_status(vnode, NULL, key);
311 		if (ret < 0)
312 			goto error;
313 		_debug("new promise [fl=%lx]", vnode->flags);
314 	}
315 
316 	/* check the permits to see if we've got one yet */
317 	ret = afs_check_permit(vnode, key, &access);
318 	if (ret < 0)
319 		goto error;
320 
321 	/* interpret the access mask */
322 	_debug("REQ %x ACC %x on %s",
323 	       mask, access, S_ISDIR(inode->i_mode) ? "dir" : "file");
324 
325 	if (S_ISDIR(inode->i_mode)) {
326 		if (mask & MAY_EXEC) {
327 			if (!(access & AFS_ACE_LOOKUP))
328 				goto permission_denied;
329 		} else if (mask & MAY_READ) {
330 			if (!(access & AFS_ACE_LOOKUP))
331 				goto permission_denied;
332 		} else if (mask & MAY_WRITE) {
333 			if (!(access & (AFS_ACE_DELETE | /* rmdir, unlink, rename from */
334 					AFS_ACE_INSERT))) /* create, mkdir, symlink, rename to */
335 				goto permission_denied;
336 		} else {
337 			BUG();
338 		}
339 	} else {
340 		if (!(access & AFS_ACE_LOOKUP))
341 			goto permission_denied;
342 		if ((mask & MAY_EXEC) && !(inode->i_mode & S_IXUSR))
343 			goto permission_denied;
344 		if (mask & (MAY_EXEC | MAY_READ)) {
345 			if (!(access & AFS_ACE_READ))
346 				goto permission_denied;
347 			if (!(inode->i_mode & S_IRUSR))
348 				goto permission_denied;
349 		} else if (mask & MAY_WRITE) {
350 			if (!(access & AFS_ACE_WRITE))
351 				goto permission_denied;
352 			if (!(inode->i_mode & S_IWUSR))
353 				goto permission_denied;
354 		}
355 	}
356 
357 	key_put(key);
358 	_leave(" = %d", ret);
359 	return ret;
360 
361 permission_denied:
362 	ret = -EACCES;
363 error:
364 	key_put(key);
365 	_leave(" = %d", ret);
366 	return ret;
367 }
368