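/* AFS security handling
 *
 * Copyright (C) 2007, 2017 Red Hat, Inc. All Rights Reserved.
 * Written by David Howells (dhowells@redhat.com)
 *
 * This program is free software; you can redistribute it and/or
 * modify it under the terms of the GNU General Public License
 * as published by the Free Software Foundation; either version
 * 2 of the License, or (at your option) any later version.
 */

#include <linux/init.h>
#include <linux/slab.h>
#include <linux/fs.h>
#include <linux/ctype.h>
#include <linux/sched.h>
#include <linux/hashtable.h>
#include <linux/overflow.h>
#include <keys/rxrpc-type.h>
#include "internal.h"

/*
 * Table of permit lists, bucketed by afs_permits::h so that identical lists
 * can be shared.  Insertions and removals in this file are made with
 * afs_permits_lock held.
 */
static DEFINE_HASHTABLE(afs_permits_cache, 10);
static DEFINE_SPINLOCK(afs_permits_lock);

/*
 * Get the key to use for operations on a cell.
 *
 * An rxrpc key is requested using the description of the cell's anonymous
 * key.  If none is available (-ENOKEY) the caller acts as the anonymous user
 * and is handed an extra reference on cell->anonymous_key instead.  Any other
 * request_key() failure is passed back unchanged as an error pointer, so the
 * caller must test the result with IS_ERR() and must key_put() it on success.
 */
struct key *afs_request_key(struct afs_cell *cell)
{
	struct key *key;

	_enter("{%x}", key_serial(cell->anonymous_key));

	_debug("key %s", cell->anonymous_key->description);
	key = request_key(&key_type_rxrpc, cell->anonymous_key->description,
			  NULL);
	if (IS_ERR(key)) {
		if (PTR_ERR(key) != -ENOKEY) {
			_leave(" = %ld", PTR_ERR(key));
			return key;
		}

		/* act as anonymous user */
		_leave(" = {%x} [anon]", key_serial(cell->anonymous_key));
		return key_get(cell->anonymous_key);
	} else {
		/* act as authorised user */
		_leave(" = {%x} [auth]", key_serial(key));
		return key;
	}
}

/*
 * Dispose of a list of permits.
 *
 * RCU callback queued by afs_put_permits(): drops the key reference held by
 * each entry and then frees the list itself.
 */
static void afs_permits_rcu(struct rcu_head *rcu)
{
	struct afs_permits *permits =
		container_of(rcu, struct afs_permits, rcu);
	int i;

	for (i = 0; i < permits->nr_permits; i++)
		key_put(permits->permits[i].key);
	kfree(permits);
}

/*
 * Discard a permission cache.
 *
 * Drops one reference; @permits may be NULL.  When the last reference goes,
 * the list is unhashed under afs_permits_lock and its destruction is deferred
 * through call_rcu() so that readers still walking it under rcu_read_lock()
 * are not left with a freed object.
 */
void afs_put_permits(struct afs_permits *permits)
{
	if (permits && refcount_dec_and_test(&permits->usage)) {
		spin_lock(&afs_permits_lock);
		hash_del_rcu(&permits->hash_node);
		spin_unlock(&afs_permits_lock);
		call_rcu(&permits->rcu, afs_permits_rcu);
	}
}

/*
 * Clear a permit cache on callback break.
 *
 * The vnode's pointer is detached under vnode->lock and the reference it
 * held is dropped only after the lock has been released.
 */
void afs_clear_permits(struct afs_vnode *vnode)
{
	struct afs_permits *permits;

	spin_lock(&vnode->lock);
	permits = rcu_dereference_protected(vnode->permit_cache,
					    lockdep_is_held(&vnode->lock));
	RCU_INIT_POINTER(vnode->permit_cache, NULL);
	spin_unlock(&vnode->lock);

	afs_put_permits(permits);
}

/*
 * Hash a list of permits.  Use simple addition to make it easy to add an extra
 * one at an as-yet indeterminate position in the list.
 *
 * The result is stored in permits->h.  It is only a bucket selector: the
 * lookup in afs_cache_permit() still compares the entries themselves.
 */
static void afs_hash_permits(struct afs_permits *permits)
{
	unsigned long h = permits->nr_permits;
	int i;

	for (i = 0; i < permits->nr_permits; i++) {
		h += (unsigned long)permits->permits[i].key / sizeof(void *);
		h += permits->permits[i].access;
	}

	permits->h = h;
}

/*
 * Cache the CallerAccess result obtained from doing a fileserver operation
 * that returned a vnode status for a particular key.  If a callback break
 * occurs whilst the operation was in progress then we have to ditch the cache
 * as the ACL *may* have changed.
 *
 * @vnode:    vnode whose permit cache is to be updated
 * @key:      key the operation was performed with
 * @cb_break: callback-break counter sampled by the caller, passed on to
 *            afs_cb_is_broken()
 * @scb:      status record; only scb->status.caller_access is read here
 *
 * Entries in a permit list are kept sorted by key pointer value, which is
 * what lets the scans here and in afs_check_permit() stop early.
 */
void afs_cache_permit(struct afs_vnode *vnode, struct key *key,
		      unsigned int cb_break, struct afs_status_cb *scb)
{
	struct afs_permits *permits, *xpermits, *replacement, *zap, *new = NULL;
	afs_access_t caller_access = scb->status.caller_access;
	size_t size = 0;
	bool changed = false;
	int i, j;

	_enter("{%llx:%llu},%x,%x",
	       vnode->fid.vid, vnode->fid.vnode, key_serial(key), caller_access);

	rcu_read_lock();

	/* Check for the common case first: We got back the same access as last
	 * time we tried and already have it recorded.
	 */
	permits = rcu_dereference(vnode->permit_cache);
	if (permits) {
		if (!permits->invalidated) {
			for (i = 0; i < permits->nr_permits; i++) {
				if (permits->permits[i].key < key)
					continue;
				if (permits->permits[i].key > key)
					break;
				if (permits->permits[i].access != caller_access) {
					changed = true;
					break;
				}

				if (afs_cb_is_broken(cb_break, vnode,
						     rcu_dereference(vnode->cb_interest))) {
					changed = true;
					break;
				}

				/* The cache is still good. */
				rcu_read_unlock();
				return;
			}
		}

		changed |= permits->invalidated;
		size = permits->nr_permits;

		/* If this set of permits is now wrong, clear the permits
		 * pointer so that no one tries to use the stale information.
		 */
		if (changed) {
			spin_lock(&vnode->lock);
			if (permits != rcu_access_pointer(vnode->permit_cache))
				goto someone_else_changed_it_unlock;
			RCU_INIT_POINTER(vnode->permit_cache, NULL);
			spin_unlock(&vnode->lock);

			afs_put_permits(permits);
			permits = NULL;
			size = 0;
		}
	}

	if (afs_cb_is_broken(cb_break, vnode, rcu_dereference(vnode->cb_interest)))
		goto someone_else_changed_it;

	/* We need a ref on any permits list we want to copy as we'll have to
	 * drop the lock to do memory allocation.
	 */
	if (permits && !refcount_inc_not_zero(&permits->usage))
		goto someone_else_changed_it;

	rcu_read_unlock();

	/* Speculatively create a new list with the revised permission set.  We
	 * discard this if we find an extant match already in the hash, but
	 * it's easier to compare with memcmp this way.
	 *
	 * We fill in the key pointers at this time, but we don't get the refs
	 * yet.
	 *
	 * struct_size() is used for the length so that an overflowing
	 * header-plus-array computation saturates and fails the allocation
	 * instead of wrapping to an undersized buffer.
	 */
	size++;
	new = kzalloc(struct_size(new, permits, size), GFP_NOFS);
	if (!new)
		goto out_put;

	refcount_set(&new->usage, 1);
	/* NOTE(review): nr_permits is declared in internal.h, which is not
	 * visible here - confirm its type can hold @size without truncation,
	 * since the loops below and afs_permits_rcu() trust it as the array
	 * length.
	 */
	new->nr_permits = size;
	i = j = 0;
	if (permits) {
		/* Copy the old entries, slotting the new key in at the point
		 * that keeps the list sorted; j runs one ahead of i once the
		 * new entry has been placed.
		 */
		for (i = 0; i < permits->nr_permits; i++) {
			if (j == i && permits->permits[i].key > key) {
				new->permits[j].key = key;
				new->permits[j].access = caller_access;
				j++;
			}
			new->permits[j].key = permits->permits[i].key;
			new->permits[j].access = permits->permits[i].access;
			j++;
		}
	}

	/* Not placed during the copy, so the new key sorts last. */
	if (j == i) {
		new->permits[j].key = key;
		new->permits[j].access = caller_access;
	}

	afs_hash_permits(new);

	/* Now see if the permit list we want is actually already available */
	spin_lock(&afs_permits_lock);

	hash_for_each_possible(afs_permits_cache, xpermits, hash_node, new->h) {
		if (xpermits->h != new->h ||
		    xpermits->invalidated ||
		    xpermits->nr_permits != new->nr_permits ||
		    memcmp(xpermits->permits, new->permits,
			   new->nr_permits * sizeof(struct afs_permit)) != 0)
			continue;

		if (refcount_inc_not_zero(&xpermits->usage)) {
			replacement = xpermits;
			goto found;
		}

		/* The matching list is on its way out; publish ours instead. */
		break;
	}

	/* No usable match: the new list is about to become visible, so it
	 * must now own a reference on every key it names.
	 */
	for (i = 0; i < new->nr_permits; i++)
		key_get(new->permits[i].key);
	hash_add_rcu(afs_permits_cache, &new->hash_node, new->h);
	replacement = new;
	new = NULL;

found:
	spin_unlock(&afs_permits_lock);

	/* Non-NULL only if an existing list was reused; the speculative copy
	 * never took key refs, so a plain kfree() is sufficient.
	 */
	kfree(new);

	rcu_read_lock();
	spin_lock(&vnode->lock);
	zap = rcu_access_pointer(vnode->permit_cache);
	/* Install the replacement only if no callback break happened and the
	 * vnode still points at the list we started from; otherwise the
	 * replacement itself is the one to drop.
	 */
	if (!afs_cb_is_broken(cb_break, vnode, rcu_dereference(vnode->cb_interest)) &&
	    zap == permits)
		rcu_assign_pointer(vnode->permit_cache, replacement);
	else
		zap = replacement;
	spin_unlock(&vnode->lock);
	rcu_read_unlock();
	afs_put_permits(zap);
out_put:
	afs_put_permits(permits);
	return;

someone_else_changed_it_unlock:
	spin_unlock(&vnode->lock);
someone_else_changed_it:
	/* Someone else changed the cache under us - don't recheck at this
	 * time.
	 */
	rcu_read_unlock();
	return;
}

/*
 * check with the fileserver to see if the directory or parent directory is
 * permitted to be accessed with this authorisation, and if so, what access it
 * is granted
 *
 * The cell's anonymous key is answered from vnode->status.anon_access.  Any
 * other key is looked up in the vnode's permit cache under rcu_read_lock();
 * a missing or invalidated entry falls through to afs_fetch_status().
 *
 * Returns 0 with the access mask in *_access, or a negative error code with
 * *_access forced to 0 so that a caller which ignores the error sees no
 * rights granted.
 */
int afs_check_permit(struct afs_vnode *vnode, struct key *key,
		     afs_access_t *_access)
{
	struct afs_permits *permits;
	bool valid = false;
	int i, ret;

	_enter("{%llx:%llu},%x",
	       vnode->fid.vid, vnode->fid.vnode, key_serial(key));

	/* check the permits to see if we've got one yet */
	if (key == vnode->volume->cell->anonymous_key) {
		_debug("anon");
		*_access = vnode->status.anon_access;
		valid = true;
	} else {
		rcu_read_lock();
		permits = rcu_dereference(vnode->permit_cache);
		if (permits) {
			for (i = 0; i < permits->nr_permits; i++) {
				if (permits->permits[i].key < key)
					continue;
				if (permits->permits[i].key > key)
					break;

				/* An entry from an invalidated list is copied
				 * out but not trusted: valid stays false and
				 * the status is refetched below.
				 */
				*_access = permits->permits[i].access;
				valid = !permits->invalidated;
				break;
			}
		}
		rcu_read_unlock();
	}

	if (!valid) {
		/* Check the status on the file we're actually interested in
		 * (the post-processing will cache the result).
		 */
		_debug("no valid permit");

		ret = afs_fetch_status(vnode, key, false, _access);
		if (ret < 0) {
			*_access = 0;
			_leave(" = %d", ret);
			return ret;
		}
	}

	_leave(" = 0 [access %x]", *_access);
	return 0;
}

/*
 * check the permissions on an AFS file
 * - AFS ACLs are attached to directories only, and a file is controlled by its
 *   parent directory's ACL
 *
 * Returns 0 if the request in @mask is permitted, -EACCES if it is denied,
 * -ECHILD if the caller set MAY_NOT_BLOCK, or the error from obtaining the
 * key, validating the vnode or fetching the permit.
 */
int afs_permission(struct inode *inode, int mask)
{
	struct afs_vnode *vnode = AFS_FS_I(inode);
	/* Start from "no rights" so that a path which reported success
	 * without storing a mask would deny rather than test an
	 * indeterminate value.
	 */
	afs_access_t access = 0;
	struct key *key;
	int ret;

	/* Refuse non-blocking callers up front, before the key request and
	 * vnode validation below.
	 */
	if (mask & MAY_NOT_BLOCK)
		return -ECHILD;

	_enter("{{%llx:%llu},%lx},%x,",
	       vnode->fid.vid, vnode->fid.vnode, vnode->flags, mask);

	key = afs_request_key(vnode->volume->cell);
	if (IS_ERR(key)) {
		_leave(" = %ld [key]", PTR_ERR(key));
		return PTR_ERR(key);
	}

	ret = afs_validate(vnode, key);
	if (ret < 0)
		goto error;

	/* check the permits to see if we've got one yet */
	ret = afs_check_permit(vnode, key, &access);
	if (ret < 0)
		goto error;

	/* interpret the access mask */
	_debug("REQ %x ACC %x on %s",
	       mask, access, S_ISDIR(inode->i_mode) ? "dir" : "file");

	if (S_ISDIR(inode->i_mode)) {
		if (mask & (MAY_EXEC | MAY_READ | MAY_CHDIR)) {
			if (!(access & AFS_ACE_LOOKUP))
				goto permission_denied;
		}
		if (mask & MAY_WRITE) {
			if (!(access & (AFS_ACE_DELETE | /* rmdir, unlink, rename from */
					AFS_ACE_INSERT))) /* create, mkdir, symlink, rename to */
				goto permission_denied;
		}
	} else {
		if (!(access & AFS_ACE_LOOKUP))
			goto permission_denied;
		if ((mask & MAY_EXEC) && !(inode->i_mode & S_IXUSR))
			goto permission_denied;
		/* NOTE(review): the write test below hangs off an "else if",
		 * so a mask carrying MAY_WRITE together with MAY_READ or
		 * MAY_EXEC is checked against AFS_ACE_READ and S_IRUSR only;
		 * AFS_ACE_WRITE and S_IWUSR are not consulted for it.
		 * Presumably the fileserver enforces the ACL on the store
		 * itself - confirm that this is intended before relying on
		 * this hook alone to refuse read-write access.
		 */
		if (mask & (MAY_EXEC | MAY_READ)) {
			if (!(access & AFS_ACE_READ))
				goto permission_denied;
			if (!(inode->i_mode & S_IRUSR))
				goto permission_denied;
		} else if (mask & MAY_WRITE) {
			if (!(access & AFS_ACE_WRITE))
				goto permission_denied;
			if (!(inode->i_mode & S_IWUSR))
				goto permission_denied;
		}
	}

	key_put(key);
	_leave(" = %d", ret);
	return ret;

permission_denied:
	ret = -EACCES;
error:
	key_put(key);
	_leave(" = %d", ret);
	return ret;
}

/*
 * Check at module exit that the permit cache has been emptied: warn once if
 * any hash bucket still holds a permit list.
 */
void __exit afs_clean_up_permit_cache(void)
{
	int i;

	for (i = 0; i < HASH_SIZE(afs_permits_cache); i++)
		WARN_ON_ONCE(!hlist_empty(&afs_permits_cache[i]));
}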