1 // SPDX-License-Identifier: GPL-2.0-or-later 2 /* AFS security handling 3 * 4 * Copyright (C) 2007, 2017 Red Hat, Inc. All Rights Reserved. 5 * Written by David Howells (dhowells@redhat.com) 6 */ 7 8 #include <linux/init.h> 9 #include <linux/slab.h> 10 #include <linux/fs.h> 11 #include <linux/ctype.h> 12 #include <linux/sched.h> 13 #include <linux/hashtable.h> 14 #include <keys/rxrpc-type.h> 15 #include "internal.h" 16 17 static DEFINE_HASHTABLE(afs_permits_cache, 10); 18 static DEFINE_SPINLOCK(afs_permits_lock); 19 20 /* 21 * get a key 22 */ 23 struct key *afs_request_key(struct afs_cell *cell) 24 { 25 struct key *key; 26 27 _enter("{%x}", key_serial(cell->anonymous_key)); 28 29 _debug("key %s", cell->anonymous_key->description); 30 key = request_key_net(&key_type_rxrpc, cell->anonymous_key->description, 31 cell->net->net, NULL); 32 if (IS_ERR(key)) { 33 if (PTR_ERR(key) != -ENOKEY) { 34 _leave(" = %ld", PTR_ERR(key)); 35 return key; 36 } 37 38 /* act as anonymous user */ 39 _leave(" = {%x} [anon]", key_serial(cell->anonymous_key)); 40 return key_get(cell->anonymous_key); 41 } else { 42 /* act as authorised user */ 43 _leave(" = {%x} [auth]", key_serial(key)); 44 return key; 45 } 46 } 47 48 /* 49 * Get a key when pathwalk is in rcuwalk mode. 50 */ 51 struct key *afs_request_key_rcu(struct afs_cell *cell) 52 { 53 struct key *key; 54 55 _enter("{%x}", key_serial(cell->anonymous_key)); 56 57 _debug("key %s", cell->anonymous_key->description); 58 key = request_key_net_rcu(&key_type_rxrpc, 59 cell->anonymous_key->description, 60 cell->net->net); 61 if (IS_ERR(key)) { 62 if (PTR_ERR(key) != -ENOKEY) { 63 _leave(" = %ld", PTR_ERR(key)); 64 return key; 65 } 66 67 /* act as anonymous user */ 68 _leave(" = {%x} [anon]", key_serial(cell->anonymous_key)); 69 return key_get(cell->anonymous_key); 70 } else { 71 /* act as authorised user */ 72 _leave(" = {%x} [auth]", key_serial(key)); 73 return key; 74 } 75 } 76 77 /* 78 * Dispose of a list of permits. 79 */ 80 static void afs_permits_rcu(struct rcu_head *rcu) 81 { 82 struct afs_permits *permits = 83 container_of(rcu, struct afs_permits, rcu); 84 int i; 85 86 for (i = 0; i < permits->nr_permits; i++) 87 key_put(permits->permits[i].key); 88 kfree(permits); 89 } 90 91 /* 92 * Discard a permission cache. 93 */ 94 void afs_put_permits(struct afs_permits *permits) 95 { 96 if (permits && refcount_dec_and_test(&permits->usage)) { 97 spin_lock(&afs_permits_lock); 98 hash_del_rcu(&permits->hash_node); 99 spin_unlock(&afs_permits_lock); 100 call_rcu(&permits->rcu, afs_permits_rcu); 101 } 102 } 103 104 /* 105 * Clear a permit cache on callback break. 106 */ 107 void afs_clear_permits(struct afs_vnode *vnode) 108 { 109 struct afs_permits *permits; 110 111 spin_lock(&vnode->lock); 112 permits = rcu_dereference_protected(vnode->permit_cache, 113 lockdep_is_held(&vnode->lock)); 114 RCU_INIT_POINTER(vnode->permit_cache, NULL); 115 spin_unlock(&vnode->lock); 116 117 afs_put_permits(permits); 118 } 119 120 /* 121 * Hash a list of permits. Use simple addition to make it easy to add an extra 122 * one at an as-yet indeterminate position in the list. 123 */ 124 static void afs_hash_permits(struct afs_permits *permits) 125 { 126 unsigned long h = permits->nr_permits; 127 int i; 128 129 for (i = 0; i < permits->nr_permits; i++) { 130 h += (unsigned long)permits->permits[i].key / sizeof(void *); 131 h += permits->permits[i].access; 132 } 133 134 permits->h = h; 135 } 136 137 /* 138 * Cache the CallerAccess result obtained from doing a fileserver operation 139 * that returned a vnode status for a particular key. If a callback break 140 * occurs whilst the operation was in progress then we have to ditch the cache 141 * as the ACL *may* have changed. 142 */ 143 void afs_cache_permit(struct afs_vnode *vnode, struct key *key, 144 unsigned int cb_break, struct afs_status_cb *scb) 145 { 146 struct afs_permits *permits, *xpermits, *replacement, *zap, *new = NULL; 147 afs_access_t caller_access = scb->status.caller_access; 148 size_t size = 0; 149 bool changed = false; 150 int i, j; 151 152 _enter("{%llx:%llu},%x,%x", 153 vnode->fid.vid, vnode->fid.vnode, key_serial(key), caller_access); 154 155 rcu_read_lock(); 156 157 /* Check for the common case first: We got back the same access as last 158 * time we tried and already have it recorded. 159 */ 160 permits = rcu_dereference(vnode->permit_cache); 161 if (permits) { 162 if (!permits->invalidated) { 163 for (i = 0; i < permits->nr_permits; i++) { 164 if (permits->permits[i].key < key) 165 continue; 166 if (permits->permits[i].key > key) 167 break; 168 if (permits->permits[i].access != caller_access) { 169 changed = true; 170 break; 171 } 172 173 if (afs_cb_is_broken(cb_break, vnode)) { 174 changed = true; 175 break; 176 } 177 178 /* The cache is still good. */ 179 rcu_read_unlock(); 180 return; 181 } 182 } 183 184 changed |= permits->invalidated; 185 size = permits->nr_permits; 186 187 /* If this set of permits is now wrong, clear the permits 188 * pointer so that no one tries to use the stale information. 189 */ 190 if (changed) { 191 spin_lock(&vnode->lock); 192 if (permits != rcu_access_pointer(vnode->permit_cache)) 193 goto someone_else_changed_it_unlock; 194 RCU_INIT_POINTER(vnode->permit_cache, NULL); 195 spin_unlock(&vnode->lock); 196 197 afs_put_permits(permits); 198 permits = NULL; 199 size = 0; 200 } 201 } 202 203 if (afs_cb_is_broken(cb_break, vnode)) 204 goto someone_else_changed_it; 205 206 /* We need a ref on any permits list we want to copy as we'll have to 207 * drop the lock to do memory allocation. 208 */ 209 if (permits && !refcount_inc_not_zero(&permits->usage)) 210 goto someone_else_changed_it; 211 212 rcu_read_unlock(); 213 214 /* Speculatively create a new list with the revised permission set. We 215 * discard this if we find an extant match already in the hash, but 216 * it's easier to compare with memcmp this way. 217 * 218 * We fill in the key pointers at this time, but we don't get the refs 219 * yet. 220 */ 221 size++; 222 new = kzalloc(sizeof(struct afs_permits) + 223 sizeof(struct afs_permit) * size, GFP_NOFS); 224 if (!new) 225 goto out_put; 226 227 refcount_set(&new->usage, 1); 228 new->nr_permits = size; 229 i = j = 0; 230 if (permits) { 231 for (i = 0; i < permits->nr_permits; i++) { 232 if (j == i && permits->permits[i].key > key) { 233 new->permits[j].key = key; 234 new->permits[j].access = caller_access; 235 j++; 236 } 237 new->permits[j].key = permits->permits[i].key; 238 new->permits[j].access = permits->permits[i].access; 239 j++; 240 } 241 } 242 243 if (j == i) { 244 new->permits[j].key = key; 245 new->permits[j].access = caller_access; 246 } 247 248 afs_hash_permits(new); 249 250 /* Now see if the permit list we want is actually already available */ 251 spin_lock(&afs_permits_lock); 252 253 hash_for_each_possible(afs_permits_cache, xpermits, hash_node, new->h) { 254 if (xpermits->h != new->h || 255 xpermits->invalidated || 256 xpermits->nr_permits != new->nr_permits || 257 memcmp(xpermits->permits, new->permits, 258 new->nr_permits * sizeof(struct afs_permit)) != 0) 259 continue; 260 261 if (refcount_inc_not_zero(&xpermits->usage)) { 262 replacement = xpermits; 263 goto found; 264 } 265 266 break; 267 } 268 269 for (i = 0; i < new->nr_permits; i++) 270 key_get(new->permits[i].key); 271 hash_add_rcu(afs_permits_cache, &new->hash_node, new->h); 272 replacement = new; 273 new = NULL; 274 275 found: 276 spin_unlock(&afs_permits_lock); 277 278 kfree(new); 279 280 rcu_read_lock(); 281 spin_lock(&vnode->lock); 282 zap = rcu_access_pointer(vnode->permit_cache); 283 if (!afs_cb_is_broken(cb_break, vnode) && zap == permits) 284 rcu_assign_pointer(vnode->permit_cache, replacement); 285 else 286 zap = replacement; 287 spin_unlock(&vnode->lock); 288 rcu_read_unlock(); 289 afs_put_permits(zap); 290 out_put: 291 afs_put_permits(permits); 292 return; 293 294 someone_else_changed_it_unlock: 295 spin_unlock(&vnode->lock); 296 someone_else_changed_it: 297 /* Someone else changed the cache under us - don't recheck at this 298 * time. 299 */ 300 rcu_read_unlock(); 301 return; 302 } 303 304 static bool afs_check_permit_rcu(struct afs_vnode *vnode, struct key *key, 305 afs_access_t *_access) 306 { 307 const struct afs_permits *permits; 308 int i; 309 310 _enter("{%llx:%llu},%x", 311 vnode->fid.vid, vnode->fid.vnode, key_serial(key)); 312 313 /* check the permits to see if we've got one yet */ 314 if (key == vnode->volume->cell->anonymous_key) { 315 *_access = vnode->status.anon_access; 316 _leave(" = t [anon %x]", *_access); 317 return true; 318 } 319 320 permits = rcu_dereference(vnode->permit_cache); 321 if (permits) { 322 for (i = 0; i < permits->nr_permits; i++) { 323 if (permits->permits[i].key < key) 324 continue; 325 if (permits->permits[i].key > key) 326 break; 327 328 *_access = permits->permits[i].access; 329 _leave(" = %u [perm %x]", !permits->invalidated, *_access); 330 return !permits->invalidated; 331 } 332 } 333 334 _leave(" = f"); 335 return false; 336 } 337 338 /* 339 * check with the fileserver to see if the directory or parent directory is 340 * permitted to be accessed with this authorisation, and if so, what access it 341 * is granted 342 */ 343 int afs_check_permit(struct afs_vnode *vnode, struct key *key, 344 afs_access_t *_access) 345 { 346 struct afs_permits *permits; 347 bool valid = false; 348 int i, ret; 349 350 _enter("{%llx:%llu},%x", 351 vnode->fid.vid, vnode->fid.vnode, key_serial(key)); 352 353 /* check the permits to see if we've got one yet */ 354 if (key == vnode->volume->cell->anonymous_key) { 355 _debug("anon"); 356 *_access = vnode->status.anon_access; 357 valid = true; 358 } else { 359 rcu_read_lock(); 360 permits = rcu_dereference(vnode->permit_cache); 361 if (permits) { 362 for (i = 0; i < permits->nr_permits; i++) { 363 if (permits->permits[i].key < key) 364 continue; 365 if (permits->permits[i].key > key) 366 break; 367 368 *_access = permits->permits[i].access; 369 valid = !permits->invalidated; 370 break; 371 } 372 } 373 rcu_read_unlock(); 374 } 375 376 if (!valid) { 377 /* Check the status on the file we're actually interested in 378 * (the post-processing will cache the result). 379 */ 380 _debug("no valid permit"); 381 382 ret = afs_fetch_status(vnode, key, false, _access); 383 if (ret < 0) { 384 *_access = 0; 385 _leave(" = %d", ret); 386 return ret; 387 } 388 } 389 390 _leave(" = 0 [access %x]", *_access); 391 return 0; 392 } 393 394 /* 395 * check the permissions on an AFS file 396 * - AFS ACLs are attached to directories only, and a file is controlled by its 397 * parent directory's ACL 398 */ 399 int afs_permission(struct user_namespace *mnt_userns, struct inode *inode, 400 int mask) 401 { 402 struct afs_vnode *vnode = AFS_FS_I(inode); 403 afs_access_t access; 404 struct key *key; 405 int ret = 0; 406 407 _enter("{{%llx:%llu},%lx},%x,", 408 vnode->fid.vid, vnode->fid.vnode, vnode->flags, mask); 409 410 if (mask & MAY_NOT_BLOCK) { 411 key = afs_request_key_rcu(vnode->volume->cell); 412 if (IS_ERR(key)) 413 return -ECHILD; 414 415 ret = -ECHILD; 416 if (!afs_check_validity(vnode) || 417 !afs_check_permit_rcu(vnode, key, &access)) 418 goto error; 419 } else { 420 key = afs_request_key(vnode->volume->cell); 421 if (IS_ERR(key)) { 422 _leave(" = %ld [key]", PTR_ERR(key)); 423 return PTR_ERR(key); 424 } 425 426 ret = afs_validate(vnode, key); 427 if (ret < 0) 428 goto error; 429 430 /* check the permits to see if we've got one yet */ 431 ret = afs_check_permit(vnode, key, &access); 432 if (ret < 0) 433 goto error; 434 } 435 436 /* interpret the access mask */ 437 _debug("REQ %x ACC %x on %s", 438 mask, access, S_ISDIR(inode->i_mode) ? "dir" : "file"); 439 440 ret = 0; 441 if (S_ISDIR(inode->i_mode)) { 442 if (mask & (MAY_EXEC | MAY_READ | MAY_CHDIR)) { 443 if (!(access & AFS_ACE_LOOKUP)) 444 goto permission_denied; 445 } 446 if (mask & MAY_WRITE) { 447 if (!(access & (AFS_ACE_DELETE | /* rmdir, unlink, rename from */ 448 AFS_ACE_INSERT))) /* create, mkdir, symlink, rename to */ 449 goto permission_denied; 450 } 451 } else { 452 if (!(access & AFS_ACE_LOOKUP)) 453 goto permission_denied; 454 if ((mask & MAY_EXEC) && !(inode->i_mode & S_IXUSR)) 455 goto permission_denied; 456 if (mask & (MAY_EXEC | MAY_READ)) { 457 if (!(access & AFS_ACE_READ)) 458 goto permission_denied; 459 if (!(inode->i_mode & S_IRUSR)) 460 goto permission_denied; 461 } else if (mask & MAY_WRITE) { 462 if (!(access & AFS_ACE_WRITE)) 463 goto permission_denied; 464 if (!(inode->i_mode & S_IWUSR)) 465 goto permission_denied; 466 } 467 } 468 469 key_put(key); 470 _leave(" = %d", ret); 471 return ret; 472 473 permission_denied: 474 ret = -EACCES; 475 error: 476 key_put(key); 477 _leave(" = %d", ret); 478 return ret; 479 } 480 481 void __exit afs_clean_up_permit_cache(void) 482 { 483 int i; 484 485 for (i = 0; i < HASH_SIZE(afs_permits_cache); i++) 486 WARN_ON_ONCE(!hlist_empty(&afs_permits_cache[i])); 487 488 } 489