1 /* AFS security handling 2 * 3 * Copyright (C) 2007, 2017 Red Hat, Inc. All Rights Reserved. 4 * Written by David Howells (dhowells@redhat.com) 5 * 6 * This program is free software; you can redistribute it and/or 7 * modify it under the terms of the GNU General Public License 8 * as published by the Free Software Foundation; either version 9 * 2 of the License, or (at your option) any later version. 10 */ 11 12 #include <linux/init.h> 13 #include <linux/slab.h> 14 #include <linux/fs.h> 15 #include <linux/ctype.h> 16 #include <linux/sched.h> 17 #include <linux/hashtable.h> 18 #include <keys/rxrpc-type.h> 19 #include "internal.h" 20 21 static DEFINE_HASHTABLE(afs_permits_cache, 10); 22 static DEFINE_SPINLOCK(afs_permits_lock); 23 24 /* 25 * get a key 26 */ 27 struct key *afs_request_key(struct afs_cell *cell) 28 { 29 struct key *key; 30 31 _enter("{%x}", key_serial(cell->anonymous_key)); 32 33 _debug("key %s", cell->anonymous_key->description); 34 key = request_key(&key_type_rxrpc, cell->anonymous_key->description, 35 NULL); 36 if (IS_ERR(key)) { 37 if (PTR_ERR(key) != -ENOKEY) { 38 _leave(" = %ld", PTR_ERR(key)); 39 return key; 40 } 41 42 /* act as anonymous user */ 43 _leave(" = {%x} [anon]", key_serial(cell->anonymous_key)); 44 return key_get(cell->anonymous_key); 45 } else { 46 /* act as authorised user */ 47 _leave(" = {%x} [auth]", key_serial(key)); 48 return key; 49 } 50 } 51 52 /* 53 * Dispose of a list of permits. 54 */ 55 static void afs_permits_rcu(struct rcu_head *rcu) 56 { 57 struct afs_permits *permits = 58 container_of(rcu, struct afs_permits, rcu); 59 int i; 60 61 for (i = 0; i < permits->nr_permits; i++) 62 key_put(permits->permits[i].key); 63 kfree(permits); 64 } 65 66 /* 67 * Discard a permission cache. 68 */ 69 void afs_put_permits(struct afs_permits *permits) 70 { 71 if (permits && refcount_dec_and_test(&permits->usage)) { 72 spin_lock(&afs_permits_lock); 73 hash_del_rcu(&permits->hash_node); 74 spin_unlock(&afs_permits_lock); 75 call_rcu(&permits->rcu, afs_permits_rcu); 76 } 77 } 78 79 /* 80 * Clear a permit cache on callback break. 81 */ 82 void afs_clear_permits(struct afs_vnode *vnode) 83 { 84 struct afs_permits *permits; 85 86 spin_lock(&vnode->lock); 87 permits = rcu_dereference_protected(vnode->permit_cache, 88 lockdep_is_held(&vnode->lock)); 89 RCU_INIT_POINTER(vnode->permit_cache, NULL); 90 vnode->cb_break++; 91 spin_unlock(&vnode->lock); 92 93 if (permits) 94 afs_put_permits(permits); 95 } 96 97 /* 98 * Hash a list of permits. Use simple addition to make it easy to add an extra 99 * one at an as-yet indeterminate position in the list. 100 */ 101 static void afs_hash_permits(struct afs_permits *permits) 102 { 103 unsigned long h = permits->nr_permits; 104 int i; 105 106 for (i = 0; i < permits->nr_permits; i++) { 107 h += (unsigned long)permits->permits[i].key / sizeof(void *); 108 h += permits->permits[i].access; 109 } 110 111 permits->h = h; 112 } 113 114 /* 115 * Cache the CallerAccess result obtained from doing a fileserver operation 116 * that returned a vnode status for a particular key. If a callback break 117 * occurs whilst the operation was in progress then we have to ditch the cache 118 * as the ACL *may* have changed. 119 */ 120 void afs_cache_permit(struct afs_vnode *vnode, struct key *key, 121 unsigned int cb_break) 122 { 123 struct afs_permits *permits, *xpermits, *replacement, *zap, *new = NULL; 124 afs_access_t caller_access = READ_ONCE(vnode->status.caller_access); 125 size_t size = 0; 126 bool changed = false; 127 int i, j; 128 129 _enter("{%x:%u},%x,%x", 130 vnode->fid.vid, vnode->fid.vnode, key_serial(key), caller_access); 131 132 rcu_read_lock(); 133 134 /* Check for the common case first: We got back the same access as last 135 * time we tried and already have it recorded. 136 */ 137 permits = rcu_dereference(vnode->permit_cache); 138 if (permits) { 139 if (!permits->invalidated) { 140 for (i = 0; i < permits->nr_permits; i++) { 141 if (permits->permits[i].key < key) 142 continue; 143 if (permits->permits[i].key > key) 144 break; 145 if (permits->permits[i].access != caller_access) { 146 changed = true; 147 break; 148 } 149 150 if (cb_break != (vnode->cb_break + 151 vnode->cb_interest->server->cb_s_break)) { 152 changed = true; 153 break; 154 } 155 156 /* The cache is still good. */ 157 rcu_read_unlock(); 158 return; 159 } 160 } 161 162 changed |= permits->invalidated; 163 size = permits->nr_permits; 164 165 /* If this set of permits is now wrong, clear the permits 166 * pointer so that no one tries to use the stale information. 167 */ 168 if (changed) { 169 spin_lock(&vnode->lock); 170 if (permits != rcu_access_pointer(vnode->permit_cache)) 171 goto someone_else_changed_it_unlock; 172 RCU_INIT_POINTER(vnode->permit_cache, NULL); 173 spin_unlock(&vnode->lock); 174 175 afs_put_permits(permits); 176 permits = NULL; 177 size = 0; 178 } 179 } 180 181 if (cb_break != (vnode->cb_break + vnode->cb_interest->server->cb_s_break)) { 182 rcu_read_unlock(); 183 goto someone_else_changed_it; 184 } 185 186 /* We need a ref on any permits list we want to copy as we'll have to 187 * drop the lock to do memory allocation. 188 */ 189 if (permits && !refcount_inc_not_zero(&permits->usage)) { 190 rcu_read_unlock(); 191 goto someone_else_changed_it; 192 } 193 194 rcu_read_unlock(); 195 196 /* Speculatively create a new list with the revised permission set. We 197 * discard this if we find an extant match already in the hash, but 198 * it's easier to compare with memcmp this way. 199 * 200 * We fill in the key pointers at this time, but we don't get the refs 201 * yet. 202 */ 203 size++; 204 new = kzalloc(sizeof(struct afs_permits) + 205 sizeof(struct afs_permit) * size, GFP_NOFS); 206 if (!new) 207 goto out_put; 208 209 refcount_set(&new->usage, 1); 210 new->nr_permits = size; 211 i = j = 0; 212 if (permits) { 213 for (i = 0; i < permits->nr_permits; i++) { 214 if (j == i && permits->permits[i].key > key) { 215 new->permits[j].key = key; 216 new->permits[j].access = caller_access; 217 j++; 218 } 219 new->permits[j].key = permits->permits[i].key; 220 new->permits[j].access = permits->permits[i].access; 221 j++; 222 } 223 } 224 225 if (j == i) { 226 new->permits[j].key = key; 227 new->permits[j].access = caller_access; 228 } 229 230 afs_hash_permits(new); 231 232 /* Now see if the permit list we want is actually already available */ 233 spin_lock(&afs_permits_lock); 234 235 hash_for_each_possible(afs_permits_cache, xpermits, hash_node, new->h) { 236 if (xpermits->h != new->h || 237 xpermits->invalidated || 238 xpermits->nr_permits != new->nr_permits || 239 memcmp(xpermits->permits, new->permits, 240 new->nr_permits * sizeof(struct afs_permit)) != 0) 241 continue; 242 243 if (refcount_inc_not_zero(&xpermits->usage)) { 244 replacement = xpermits; 245 goto found; 246 } 247 248 break; 249 } 250 251 for (i = 0; i < new->nr_permits; i++) 252 key_get(new->permits[i].key); 253 hash_add_rcu(afs_permits_cache, &new->hash_node, new->h); 254 replacement = new; 255 new = NULL; 256 257 found: 258 spin_unlock(&afs_permits_lock); 259 260 kfree(new); 261 262 spin_lock(&vnode->lock); 263 zap = rcu_access_pointer(vnode->permit_cache); 264 if (cb_break == (vnode->cb_break + vnode->cb_interest->server->cb_s_break) && 265 zap == permits) 266 rcu_assign_pointer(vnode->permit_cache, replacement); 267 else 268 zap = replacement; 269 spin_unlock(&vnode->lock); 270 afs_put_permits(zap); 271 out_put: 272 afs_put_permits(permits); 273 return; 274 275 someone_else_changed_it_unlock: 276 spin_unlock(&vnode->lock); 277 someone_else_changed_it: 278 /* Someone else changed the cache under us - don't recheck at this 279 * time. 280 */ 281 return; 282 } 283 284 /* 285 * check with the fileserver to see if the directory or parent directory is 286 * permitted to be accessed with this authorisation, and if so, what access it 287 * is granted 288 */ 289 int afs_check_permit(struct afs_vnode *vnode, struct key *key, 290 afs_access_t *_access) 291 { 292 struct afs_permits *permits; 293 bool valid = false; 294 int i, ret; 295 296 _enter("{%x:%u},%x", 297 vnode->fid.vid, vnode->fid.vnode, key_serial(key)); 298 299 permits = vnode->permit_cache; 300 301 /* check the permits to see if we've got one yet */ 302 if (key == vnode->volume->cell->anonymous_key) { 303 _debug("anon"); 304 *_access = vnode->status.anon_access; 305 valid = true; 306 } else { 307 rcu_read_lock(); 308 permits = rcu_dereference(vnode->permit_cache); 309 if (permits) { 310 for (i = 0; i < permits->nr_permits; i++) { 311 if (permits->permits[i].key < key) 312 continue; 313 if (permits->permits[i].key > key) 314 break; 315 316 *_access = permits->permits[i].access; 317 valid = !permits->invalidated; 318 break; 319 } 320 } 321 rcu_read_unlock(); 322 } 323 324 if (!valid) { 325 /* Check the status on the file we're actually interested in 326 * (the post-processing will cache the result). 327 */ 328 _debug("no valid permit"); 329 330 ret = afs_fetch_status(vnode, key); 331 if (ret < 0) { 332 *_access = 0; 333 _leave(" = %d", ret); 334 return ret; 335 } 336 *_access = vnode->status.caller_access; 337 } 338 339 _leave(" = 0 [access %x]", *_access); 340 return 0; 341 } 342 343 /* 344 * check the permissions on an AFS file 345 * - AFS ACLs are attached to directories only, and a file is controlled by its 346 * parent directory's ACL 347 */ 348 int afs_permission(struct inode *inode, int mask) 349 { 350 struct afs_vnode *vnode = AFS_FS_I(inode); 351 afs_access_t uninitialized_var(access); 352 struct key *key; 353 int ret; 354 355 if (mask & MAY_NOT_BLOCK) 356 return -ECHILD; 357 358 _enter("{{%x:%u},%lx},%x,", 359 vnode->fid.vid, vnode->fid.vnode, vnode->flags, mask); 360 361 key = afs_request_key(vnode->volume->cell); 362 if (IS_ERR(key)) { 363 _leave(" = %ld [key]", PTR_ERR(key)); 364 return PTR_ERR(key); 365 } 366 367 ret = afs_validate(vnode, key); 368 if (ret < 0) 369 goto error; 370 371 /* check the permits to see if we've got one yet */ 372 ret = afs_check_permit(vnode, key, &access); 373 if (ret < 0) 374 goto error; 375 376 /* interpret the access mask */ 377 _debug("REQ %x ACC %x on %s", 378 mask, access, S_ISDIR(inode->i_mode) ? "dir" : "file"); 379 380 if (S_ISDIR(inode->i_mode)) { 381 if (mask & MAY_EXEC) { 382 if (!(access & AFS_ACE_LOOKUP)) 383 goto permission_denied; 384 } else if (mask & MAY_READ) { 385 if (!(access & AFS_ACE_LOOKUP)) 386 goto permission_denied; 387 } else if (mask & MAY_WRITE) { 388 if (!(access & (AFS_ACE_DELETE | /* rmdir, unlink, rename from */ 389 AFS_ACE_INSERT))) /* create, mkdir, symlink, rename to */ 390 goto permission_denied; 391 } else { 392 BUG(); 393 } 394 } else { 395 if (!(access & AFS_ACE_LOOKUP)) 396 goto permission_denied; 397 if ((mask & MAY_EXEC) && !(inode->i_mode & S_IXUSR)) 398 goto permission_denied; 399 if (mask & (MAY_EXEC | MAY_READ)) { 400 if (!(access & AFS_ACE_READ)) 401 goto permission_denied; 402 if (!(inode->i_mode & S_IRUSR)) 403 goto permission_denied; 404 } else if (mask & MAY_WRITE) { 405 if (!(access & AFS_ACE_WRITE)) 406 goto permission_denied; 407 if (!(inode->i_mode & S_IWUSR)) 408 goto permission_denied; 409 } 410 } 411 412 key_put(key); 413 _leave(" = %d", ret); 414 return ret; 415 416 permission_denied: 417 ret = -EACCES; 418 error: 419 key_put(key); 420 _leave(" = %d", ret); 421 return ret; 422 } 423 424 void __exit afs_clean_up_permit_cache(void) 425 { 426 int i; 427 428 for (i = 0; i < HASH_SIZE(afs_permits_cache); i++) 429 WARN_ON_ONCE(!hlist_empty(&afs_permits_cache[i])); 430 431 } 432