1 /* AFS security handling 2 * 3 * Copyright (C) 2007 Red Hat, Inc. All Rights Reserved. 4 * Written by David Howells (dhowells@redhat.com) 5 * 6 * This program is free software; you can redistribute it and/or 7 * modify it under the terms of the GNU General Public License 8 * as published by the Free Software Foundation; either version 9 * 2 of the License, or (at your option) any later version. 10 */ 11 12 #include <linux/init.h> 13 #include <linux/slab.h> 14 #include <linux/fs.h> 15 #include <linux/ctype.h> 16 #include <linux/sched.h> 17 #include <keys/rxrpc-type.h> 18 #include "internal.h" 19 20 /* 21 * get a key 22 */ 23 struct key *afs_request_key(struct afs_cell *cell) 24 { 25 struct key *key; 26 27 _enter("{%x}", key_serial(cell->anonymous_key)); 28 29 _debug("key %s", cell->anonymous_key->description); 30 key = request_key(&key_type_rxrpc, cell->anonymous_key->description, 31 NULL); 32 if (IS_ERR(key)) { 33 if (PTR_ERR(key) != -ENOKEY) { 34 _leave(" = %ld", PTR_ERR(key)); 35 return key; 36 } 37 38 /* act as anonymous user */ 39 _leave(" = {%x} [anon]", key_serial(cell->anonymous_key)); 40 return key_get(cell->anonymous_key); 41 } else { 42 /* act as authorised user */ 43 _leave(" = {%x} [auth]", key_serial(key)); 44 return key; 45 } 46 } 47 48 /* 49 * dispose of a permits list 50 */ 51 void afs_zap_permits(struct rcu_head *rcu) 52 { 53 struct afs_permits *permits = 54 container_of(rcu, struct afs_permits, rcu); 55 int loop; 56 57 _enter("{%d}", permits->count); 58 59 for (loop = permits->count - 1; loop >= 0; loop--) 60 key_put(permits->permits[loop].key); 61 kfree(permits); 62 } 63 64 /* 65 * dispose of a permits list in which all the key pointers have been copied 66 */ 67 static void afs_dispose_of_permits(struct rcu_head *rcu) 68 { 69 struct afs_permits *permits = 70 container_of(rcu, struct afs_permits, rcu); 71 72 _enter("{%d}", permits->count); 73 74 kfree(permits); 75 } 76 77 /* 78 * get the authorising vnode - this is the specified inode itself if it's a 79 * directory or it's the parent directory if the specified inode is a file or 80 * symlink 81 * - the caller must release the ref on the inode 82 */ 83 static struct afs_vnode *afs_get_auth_inode(struct afs_vnode *vnode, 84 struct key *key) 85 { 86 struct afs_vnode *auth_vnode; 87 struct inode *auth_inode; 88 89 _enter(""); 90 91 if (S_ISDIR(vnode->vfs_inode.i_mode)) { 92 auth_inode = igrab(&vnode->vfs_inode); 93 ASSERT(auth_inode != NULL); 94 } else { 95 auth_inode = afs_iget(vnode->vfs_inode.i_sb, key, 96 &vnode->status.parent, NULL, NULL); 97 if (IS_ERR(auth_inode)) 98 return ERR_CAST(auth_inode); 99 } 100 101 auth_vnode = AFS_FS_I(auth_inode); 102 _leave(" = {%x}", auth_vnode->fid.vnode); 103 return auth_vnode; 104 } 105 106 /* 107 * clear the permit cache on a directory vnode 108 */ 109 void afs_clear_permits(struct afs_vnode *vnode) 110 { 111 struct afs_permits *permits; 112 113 _enter("{%x:%u}", vnode->fid.vid, vnode->fid.vnode); 114 115 mutex_lock(&vnode->permits_lock); 116 permits = vnode->permits; 117 RCU_INIT_POINTER(vnode->permits, NULL); 118 mutex_unlock(&vnode->permits_lock); 119 120 if (permits) 121 call_rcu(&permits->rcu, afs_zap_permits); 122 _leave(""); 123 } 124 125 /* 126 * add the result obtained for a vnode to its or its parent directory's cache 127 * for the key used to access it 128 */ 129 void afs_cache_permit(struct afs_vnode *vnode, struct key *key, long acl_order) 130 { 131 struct afs_permits *permits, *xpermits; 132 struct afs_permit *permit; 133 struct afs_vnode *auth_vnode; 134 int count, loop; 135 136 _enter("{%x:%u},%x,%lx", 137 vnode->fid.vid, vnode->fid.vnode, key_serial(key), acl_order); 138 139 auth_vnode = afs_get_auth_inode(vnode, key); 140 if (IS_ERR(auth_vnode)) { 141 _leave(" [get error %ld]", PTR_ERR(auth_vnode)); 142 return; 143 } 144 145 mutex_lock(&auth_vnode->permits_lock); 146 147 /* guard against a rename being detected whilst we waited for the 148 * lock */ 149 if (memcmp(&auth_vnode->fid, &vnode->status.parent, 150 sizeof(struct afs_fid)) != 0) { 151 _debug("renamed"); 152 goto out_unlock; 153 } 154 155 /* have to be careful as the directory's callback may be broken between 156 * us receiving the status we're trying to cache and us getting the 157 * lock to update the cache for the status */ 158 if (auth_vnode->acl_order - acl_order > 0) { 159 _debug("ACL changed?"); 160 goto out_unlock; 161 } 162 163 /* always update the anonymous mask */ 164 _debug("anon access %x", vnode->status.anon_access); 165 auth_vnode->status.anon_access = vnode->status.anon_access; 166 if (key == vnode->volume->cell->anonymous_key) 167 goto out_unlock; 168 169 xpermits = auth_vnode->permits; 170 count = 0; 171 if (xpermits) { 172 /* see if the permit is already in the list 173 * - if it is then we just amend the list 174 */ 175 count = xpermits->count; 176 permit = xpermits->permits; 177 for (loop = count; loop > 0; loop--) { 178 if (permit->key == key) { 179 permit->access_mask = 180 vnode->status.caller_access; 181 goto out_unlock; 182 } 183 permit++; 184 } 185 } 186 187 permits = kmalloc(sizeof(*permits) + sizeof(*permit) * (count + 1), 188 GFP_NOFS); 189 if (!permits) 190 goto out_unlock; 191 192 if (xpermits) 193 memcpy(permits->permits, xpermits->permits, 194 count * sizeof(struct afs_permit)); 195 196 _debug("key %x access %x", 197 key_serial(key), vnode->status.caller_access); 198 permits->permits[count].access_mask = vnode->status.caller_access; 199 permits->permits[count].key = key_get(key); 200 permits->count = count + 1; 201 202 rcu_assign_pointer(auth_vnode->permits, permits); 203 if (xpermits) 204 call_rcu(&xpermits->rcu, afs_dispose_of_permits); 205 206 out_unlock: 207 mutex_unlock(&auth_vnode->permits_lock); 208 iput(&auth_vnode->vfs_inode); 209 _leave(""); 210 } 211 212 /* 213 * check with the fileserver to see if the directory or parent directory is 214 * permitted to be accessed with this authorisation, and if so, what access it 215 * is granted 216 */ 217 static int afs_check_permit(struct afs_vnode *vnode, struct key *key, 218 afs_access_t *_access) 219 { 220 struct afs_permits *permits; 221 struct afs_permit *permit; 222 struct afs_vnode *auth_vnode; 223 bool valid; 224 int loop, ret; 225 226 _enter("{%x:%u},%x", 227 vnode->fid.vid, vnode->fid.vnode, key_serial(key)); 228 229 auth_vnode = afs_get_auth_inode(vnode, key); 230 if (IS_ERR(auth_vnode)) { 231 *_access = 0; 232 _leave(" = %ld", PTR_ERR(auth_vnode)); 233 return PTR_ERR(auth_vnode); 234 } 235 236 ASSERT(S_ISDIR(auth_vnode->vfs_inode.i_mode)); 237 238 /* check the permits to see if we've got one yet */ 239 if (key == auth_vnode->volume->cell->anonymous_key) { 240 _debug("anon"); 241 *_access = auth_vnode->status.anon_access; 242 valid = true; 243 } else { 244 valid = false; 245 rcu_read_lock(); 246 permits = rcu_dereference(auth_vnode->permits); 247 if (permits) { 248 permit = permits->permits; 249 for (loop = permits->count; loop > 0; loop--) { 250 if (permit->key == key) { 251 _debug("found in cache"); 252 *_access = permit->access_mask; 253 valid = true; 254 break; 255 } 256 permit++; 257 } 258 } 259 rcu_read_unlock(); 260 } 261 262 if (!valid) { 263 /* check the status on the file we're actually interested in 264 * (the post-processing will cache the result on auth_vnode) */ 265 _debug("no valid permit"); 266 267 set_bit(AFS_VNODE_CB_BROKEN, &vnode->flags); 268 ret = afs_vnode_fetch_status(vnode, auth_vnode, key); 269 if (ret < 0) { 270 iput(&auth_vnode->vfs_inode); 271 *_access = 0; 272 _leave(" = %d", ret); 273 return ret; 274 } 275 *_access = vnode->status.caller_access; 276 } 277 278 iput(&auth_vnode->vfs_inode); 279 _leave(" = 0 [access %x]", *_access); 280 return 0; 281 } 282 283 /* 284 * check the permissions on an AFS file 285 * - AFS ACLs are attached to directories only, and a file is controlled by its 286 * parent directory's ACL 287 */ 288 int afs_permission(struct inode *inode, int mask) 289 { 290 struct afs_vnode *vnode = AFS_FS_I(inode); 291 afs_access_t uninitialized_var(access); 292 struct key *key; 293 int ret; 294 295 if (mask & MAY_NOT_BLOCK) 296 return -ECHILD; 297 298 _enter("{{%x:%u},%lx},%x,", 299 vnode->fid.vid, vnode->fid.vnode, vnode->flags, mask); 300 301 key = afs_request_key(vnode->volume->cell); 302 if (IS_ERR(key)) { 303 _leave(" = %ld [key]", PTR_ERR(key)); 304 return PTR_ERR(key); 305 } 306 307 /* if the promise has expired, we need to check the server again */ 308 if (!vnode->cb_promised) { 309 _debug("not promised"); 310 ret = afs_vnode_fetch_status(vnode, NULL, key); 311 if (ret < 0) 312 goto error; 313 _debug("new promise [fl=%lx]", vnode->flags); 314 } 315 316 /* check the permits to see if we've got one yet */ 317 ret = afs_check_permit(vnode, key, &access); 318 if (ret < 0) 319 goto error; 320 321 /* interpret the access mask */ 322 _debug("REQ %x ACC %x on %s", 323 mask, access, S_ISDIR(inode->i_mode) ? "dir" : "file"); 324 325 if (S_ISDIR(inode->i_mode)) { 326 if (mask & MAY_EXEC) { 327 if (!(access & AFS_ACE_LOOKUP)) 328 goto permission_denied; 329 } else if (mask & MAY_READ) { 330 if (!(access & AFS_ACE_LOOKUP)) 331 goto permission_denied; 332 } else if (mask & MAY_WRITE) { 333 if (!(access & (AFS_ACE_DELETE | /* rmdir, unlink, rename from */ 334 AFS_ACE_INSERT))) /* create, mkdir, symlink, rename to */ 335 goto permission_denied; 336 } else { 337 BUG(); 338 } 339 } else { 340 if (!(access & AFS_ACE_LOOKUP)) 341 goto permission_denied; 342 if ((mask & MAY_EXEC) && !(inode->i_mode & S_IXUSR)) 343 goto permission_denied; 344 if (mask & (MAY_EXEC | MAY_READ)) { 345 if (!(access & AFS_ACE_READ)) 346 goto permission_denied; 347 if (!(inode->i_mode & S_IRUSR)) 348 goto permission_denied; 349 } else if (mask & MAY_WRITE) { 350 if (!(access & AFS_ACE_WRITE)) 351 goto permission_denied; 352 if (!(inode->i_mode & S_IWUSR)) 353 goto permission_denied; 354 } 355 } 356 357 key_put(key); 358 _leave(" = %d", ret); 359 return ret; 360 361 permission_denied: 362 ret = -EACCES; 363 error: 364 key_put(key); 365 _leave(" = %d", ret); 366 return ret; 367 } 368