xref: /openbmc/linux/fs/afs/security.c (revision 4a3fad70)
1 /* AFS security handling
2  *
3  * Copyright (C) 2007, 2017 Red Hat, Inc. All Rights Reserved.
4  * Written by David Howells (dhowells@redhat.com)
5  *
6  * This program is free software; you can redistribute it and/or
7  * modify it under the terms of the GNU General Public License
8  * as published by the Free Software Foundation; either version
9  * 2 of the License, or (at your option) any later version.
10  */
11 
12 #include <linux/init.h>
13 #include <linux/slab.h>
14 #include <linux/fs.h>
15 #include <linux/ctype.h>
16 #include <linux/sched.h>
17 #include <linux/hashtable.h>
18 #include <keys/rxrpc-type.h>
19 #include "internal.h"
20 
21 static DEFINE_HASHTABLE(afs_permits_cache, 10);
22 static DEFINE_SPINLOCK(afs_permits_lock);
23 
24 /*
25  * get a key
26  */
27 struct key *afs_request_key(struct afs_cell *cell)
28 {
29 	struct key *key;
30 
31 	_enter("{%x}", key_serial(cell->anonymous_key));
32 
33 	_debug("key %s", cell->anonymous_key->description);
34 	key = request_key(&key_type_rxrpc, cell->anonymous_key->description,
35 			  NULL);
36 	if (IS_ERR(key)) {
37 		if (PTR_ERR(key) != -ENOKEY) {
38 			_leave(" = %ld", PTR_ERR(key));
39 			return key;
40 		}
41 
42 		/* act as anonymous user */
43 		_leave(" = {%x} [anon]", key_serial(cell->anonymous_key));
44 		return key_get(cell->anonymous_key);
45 	} else {
46 		/* act as authorised user */
47 		_leave(" = {%x} [auth]", key_serial(key));
48 		return key;
49 	}
50 }
51 
52 /*
53  * Dispose of a list of permits.
54  */
55 static void afs_permits_rcu(struct rcu_head *rcu)
56 {
57 	struct afs_permits *permits =
58 		container_of(rcu, struct afs_permits, rcu);
59 	int i;
60 
61 	for (i = 0; i < permits->nr_permits; i++)
62 		key_put(permits->permits[i].key);
63 	kfree(permits);
64 }
65 
66 /*
67  * Discard a permission cache.
68  */
69 void afs_put_permits(struct afs_permits *permits)
70 {
71 	if (permits && refcount_dec_and_test(&permits->usage)) {
72 		spin_lock(&afs_permits_lock);
73 		hash_del_rcu(&permits->hash_node);
74 		spin_unlock(&afs_permits_lock);
75 		call_rcu(&permits->rcu, afs_permits_rcu);
76 	}
77 }
78 
79 /*
80  * Clear a permit cache on callback break.
81  */
82 void afs_clear_permits(struct afs_vnode *vnode)
83 {
84 	struct afs_permits *permits;
85 
86 	spin_lock(&vnode->lock);
87 	permits = rcu_dereference_protected(vnode->permit_cache,
88 					    lockdep_is_held(&vnode->lock));
89 	RCU_INIT_POINTER(vnode->permit_cache, NULL);
90 	vnode->cb_break++;
91 	spin_unlock(&vnode->lock);
92 
93 	if (permits)
94 		afs_put_permits(permits);
95 }
96 
97 /*
98  * Hash a list of permits.  Use simple addition to make it easy to add an extra
99  * one at an as-yet indeterminate position in the list.
100  */
101 static void afs_hash_permits(struct afs_permits *permits)
102 {
103 	unsigned long h = permits->nr_permits;
104 	int i;
105 
106 	for (i = 0; i < permits->nr_permits; i++) {
107 		h += (unsigned long)permits->permits[i].key / sizeof(void *);
108 		h += permits->permits[i].access;
109 	}
110 
111 	permits->h = h;
112 }
113 
114 /*
115  * Cache the CallerAccess result obtained from doing a fileserver operation
116  * that returned a vnode status for a particular key.  If a callback break
117  * occurs whilst the operation was in progress then we have to ditch the cache
118  * as the ACL *may* have changed.
119  */
120 void afs_cache_permit(struct afs_vnode *vnode, struct key *key,
121 		      unsigned int cb_break)
122 {
123 	struct afs_permits *permits, *xpermits, *replacement, *zap, *new = NULL;
124 	afs_access_t caller_access = READ_ONCE(vnode->status.caller_access);
125 	size_t size = 0;
126 	bool changed = false;
127 	int i, j;
128 
129 	_enter("{%x:%u},%x,%x",
130 	       vnode->fid.vid, vnode->fid.vnode, key_serial(key), caller_access);
131 
132 	rcu_read_lock();
133 
134 	/* Check for the common case first: We got back the same access as last
135 	 * time we tried and already have it recorded.
136 	 */
137 	permits = rcu_dereference(vnode->permit_cache);
138 	if (permits) {
139 		if (!permits->invalidated) {
140 			for (i = 0; i < permits->nr_permits; i++) {
141 				if (permits->permits[i].key < key)
142 					continue;
143 				if (permits->permits[i].key > key)
144 					break;
145 				if (permits->permits[i].access != caller_access) {
146 					changed = true;
147 					break;
148 				}
149 
150 				if (cb_break != (vnode->cb_break +
151 						 vnode->cb_interest->server->cb_s_break)) {
152 					changed = true;
153 					break;
154 				}
155 
156 				/* The cache is still good. */
157 				rcu_read_unlock();
158 				return;
159 			}
160 		}
161 
162 		changed |= permits->invalidated;
163 		size = permits->nr_permits;
164 
165 		/* If this set of permits is now wrong, clear the permits
166 		 * pointer so that no one tries to use the stale information.
167 		 */
168 		if (changed) {
169 			spin_lock(&vnode->lock);
170 			if (permits != rcu_access_pointer(vnode->permit_cache))
171 				goto someone_else_changed_it_unlock;
172 			RCU_INIT_POINTER(vnode->permit_cache, NULL);
173 			spin_unlock(&vnode->lock);
174 
175 			afs_put_permits(permits);
176 			permits = NULL;
177 			size = 0;
178 		}
179 	}
180 
181 	if (cb_break != (vnode->cb_break + vnode->cb_interest->server->cb_s_break)) {
182 		rcu_read_unlock();
183 		goto someone_else_changed_it;
184 	}
185 
186 	/* We need a ref on any permits list we want to copy as we'll have to
187 	 * drop the lock to do memory allocation.
188 	 */
189 	if (permits && !refcount_inc_not_zero(&permits->usage)) {
190 		rcu_read_unlock();
191 		goto someone_else_changed_it;
192 	}
193 
194 	rcu_read_unlock();
195 
196 	/* Speculatively create a new list with the revised permission set.  We
197 	 * discard this if we find an extant match already in the hash, but
198 	 * it's easier to compare with memcmp this way.
199 	 *
200 	 * We fill in the key pointers at this time, but we don't get the refs
201 	 * yet.
202 	 */
203 	size++;
204 	new = kzalloc(sizeof(struct afs_permits) +
205 		      sizeof(struct afs_permit) * size, GFP_NOFS);
206 	if (!new)
207 		goto out_put;
208 
209 	refcount_set(&new->usage, 1);
210 	new->nr_permits = size;
211 	i = j = 0;
212 	if (permits) {
213 		for (i = 0; i < permits->nr_permits; i++) {
214 			if (j == i && permits->permits[i].key > key) {
215 				new->permits[j].key = key;
216 				new->permits[j].access = caller_access;
217 				j++;
218 			}
219 			new->permits[j].key = permits->permits[i].key;
220 			new->permits[j].access = permits->permits[i].access;
221 			j++;
222 		}
223 	}
224 
225 	if (j == i) {
226 		new->permits[j].key = key;
227 		new->permits[j].access = caller_access;
228 	}
229 
230 	afs_hash_permits(new);
231 
232 	/* Now see if the permit list we want is actually already available */
233 	spin_lock(&afs_permits_lock);
234 
235 	hash_for_each_possible(afs_permits_cache, xpermits, hash_node, new->h) {
236 		if (xpermits->h != new->h ||
237 		    xpermits->invalidated ||
238 		    xpermits->nr_permits != new->nr_permits ||
239 		    memcmp(xpermits->permits, new->permits,
240 			   new->nr_permits * sizeof(struct afs_permit)) != 0)
241 			continue;
242 
243 		if (refcount_inc_not_zero(&xpermits->usage)) {
244 			replacement = xpermits;
245 			goto found;
246 		}
247 
248 		break;
249 	}
250 
251 	for (i = 0; i < new->nr_permits; i++)
252 		key_get(new->permits[i].key);
253 	hash_add_rcu(afs_permits_cache, &new->hash_node, new->h);
254 	replacement = new;
255 	new = NULL;
256 
257 found:
258 	spin_unlock(&afs_permits_lock);
259 
260 	kfree(new);
261 
262 	spin_lock(&vnode->lock);
263 	zap = rcu_access_pointer(vnode->permit_cache);
264 	if (cb_break == (vnode->cb_break + vnode->cb_interest->server->cb_s_break) &&
265 	    zap == permits)
266 		rcu_assign_pointer(vnode->permit_cache, replacement);
267 	else
268 		zap = replacement;
269 	spin_unlock(&vnode->lock);
270 	afs_put_permits(zap);
271 out_put:
272 	afs_put_permits(permits);
273 	return;
274 
275 someone_else_changed_it_unlock:
276 	spin_unlock(&vnode->lock);
277 someone_else_changed_it:
278 	/* Someone else changed the cache under us - don't recheck at this
279 	 * time.
280 	 */
281 	return;
282 }
283 
284 /*
285  * check with the fileserver to see if the directory or parent directory is
286  * permitted to be accessed with this authorisation, and if so, what access it
287  * is granted
288  */
289 int afs_check_permit(struct afs_vnode *vnode, struct key *key,
290 		     afs_access_t *_access)
291 {
292 	struct afs_permits *permits;
293 	bool valid = false;
294 	int i, ret;
295 
296 	_enter("{%x:%u},%x",
297 	       vnode->fid.vid, vnode->fid.vnode, key_serial(key));
298 
299 	permits = vnode->permit_cache;
300 
301 	/* check the permits to see if we've got one yet */
302 	if (key == vnode->volume->cell->anonymous_key) {
303 		_debug("anon");
304 		*_access = vnode->status.anon_access;
305 		valid = true;
306 	} else {
307 		rcu_read_lock();
308 		permits = rcu_dereference(vnode->permit_cache);
309 		if (permits) {
310 			for (i = 0; i < permits->nr_permits; i++) {
311 				if (permits->permits[i].key < key)
312 					continue;
313 				if (permits->permits[i].key > key)
314 					break;
315 
316 				*_access = permits->permits[i].access;
317 				valid = !permits->invalidated;
318 				break;
319 			}
320 		}
321 		rcu_read_unlock();
322 	}
323 
324 	if (!valid) {
325 		/* Check the status on the file we're actually interested in
326 		 * (the post-processing will cache the result).
327 		 */
328 		_debug("no valid permit");
329 
330 		ret = afs_fetch_status(vnode, key);
331 		if (ret < 0) {
332 			*_access = 0;
333 			_leave(" = %d", ret);
334 			return ret;
335 		}
336 		*_access = vnode->status.caller_access;
337 	}
338 
339 	_leave(" = 0 [access %x]", *_access);
340 	return 0;
341 }
342 
343 /*
344  * check the permissions on an AFS file
345  * - AFS ACLs are attached to directories only, and a file is controlled by its
346  *   parent directory's ACL
347  */
348 int afs_permission(struct inode *inode, int mask)
349 {
350 	struct afs_vnode *vnode = AFS_FS_I(inode);
351 	afs_access_t uninitialized_var(access);
352 	struct key *key;
353 	int ret;
354 
355 	if (mask & MAY_NOT_BLOCK)
356 		return -ECHILD;
357 
358 	_enter("{{%x:%u},%lx},%x,",
359 	       vnode->fid.vid, vnode->fid.vnode, vnode->flags, mask);
360 
361 	key = afs_request_key(vnode->volume->cell);
362 	if (IS_ERR(key)) {
363 		_leave(" = %ld [key]", PTR_ERR(key));
364 		return PTR_ERR(key);
365 	}
366 
367 	ret = afs_validate(vnode, key);
368 	if (ret < 0)
369 		goto error;
370 
371 	/* check the permits to see if we've got one yet */
372 	ret = afs_check_permit(vnode, key, &access);
373 	if (ret < 0)
374 		goto error;
375 
376 	/* interpret the access mask */
377 	_debug("REQ %x ACC %x on %s",
378 	       mask, access, S_ISDIR(inode->i_mode) ? "dir" : "file");
379 
380 	if (S_ISDIR(inode->i_mode)) {
381 		if (mask & MAY_EXEC) {
382 			if (!(access & AFS_ACE_LOOKUP))
383 				goto permission_denied;
384 		} else if (mask & MAY_READ) {
385 			if (!(access & AFS_ACE_LOOKUP))
386 				goto permission_denied;
387 		} else if (mask & MAY_WRITE) {
388 			if (!(access & (AFS_ACE_DELETE | /* rmdir, unlink, rename from */
389 					AFS_ACE_INSERT))) /* create, mkdir, symlink, rename to */
390 				goto permission_denied;
391 		} else {
392 			BUG();
393 		}
394 	} else {
395 		if (!(access & AFS_ACE_LOOKUP))
396 			goto permission_denied;
397 		if ((mask & MAY_EXEC) && !(inode->i_mode & S_IXUSR))
398 			goto permission_denied;
399 		if (mask & (MAY_EXEC | MAY_READ)) {
400 			if (!(access & AFS_ACE_READ))
401 				goto permission_denied;
402 			if (!(inode->i_mode & S_IRUSR))
403 				goto permission_denied;
404 		} else if (mask & MAY_WRITE) {
405 			if (!(access & AFS_ACE_WRITE))
406 				goto permission_denied;
407 			if (!(inode->i_mode & S_IWUSR))
408 				goto permission_denied;
409 		}
410 	}
411 
412 	key_put(key);
413 	_leave(" = %d", ret);
414 	return ret;
415 
416 permission_denied:
417 	ret = -EACCES;
418 error:
419 	key_put(key);
420 	_leave(" = %d", ret);
421 	return ret;
422 }
423 
424 void __exit afs_clean_up_permit_cache(void)
425 {
426 	int i;
427 
428 	for (i = 0; i < HASH_SIZE(afs_permits_cache); i++)
429 		WARN_ON_ONCE(!hlist_empty(&afs_permits_cache[i]));
430 
431 }
432