1 /* AFS security handling 2 * 3 * Copyright (C) 2007, 2017 Red Hat, Inc. All Rights Reserved. 4 * Written by David Howells (dhowells@redhat.com) 5 * 6 * This program is free software; you can redistribute it and/or 7 * modify it under the terms of the GNU General Public License 8 * as published by the Free Software Foundation; either version 9 * 2 of the License, or (at your option) any later version. 10 */ 11 12 #include <linux/init.h> 13 #include <linux/slab.h> 14 #include <linux/fs.h> 15 #include <linux/ctype.h> 16 #include <linux/sched.h> 17 #include <linux/hashtable.h> 18 #include <keys/rxrpc-type.h> 19 #include "internal.h" 20 21 static DEFINE_HASHTABLE(afs_permits_cache, 10); 22 static DEFINE_SPINLOCK(afs_permits_lock); 23 24 /* 25 * get a key 26 */ 27 struct key *afs_request_key(struct afs_cell *cell) 28 { 29 struct key *key; 30 31 _enter("{%x}", key_serial(cell->anonymous_key)); 32 33 _debug("key %s", cell->anonymous_key->description); 34 key = request_key(&key_type_rxrpc, cell->anonymous_key->description, 35 NULL); 36 if (IS_ERR(key)) { 37 if (PTR_ERR(key) != -ENOKEY) { 38 _leave(" = %ld", PTR_ERR(key)); 39 return key; 40 } 41 42 /* act as anonymous user */ 43 _leave(" = {%x} [anon]", key_serial(cell->anonymous_key)); 44 return key_get(cell->anonymous_key); 45 } else { 46 /* act as authorised user */ 47 _leave(" = {%x} [auth]", key_serial(key)); 48 return key; 49 } 50 } 51 52 /* 53 * Dispose of a list of permits. 54 */ 55 static void afs_permits_rcu(struct rcu_head *rcu) 56 { 57 struct afs_permits *permits = 58 container_of(rcu, struct afs_permits, rcu); 59 int i; 60 61 for (i = 0; i < permits->nr_permits; i++) 62 key_put(permits->permits[i].key); 63 kfree(permits); 64 } 65 66 /* 67 * Discard a permission cache. 68 */ 69 void afs_put_permits(struct afs_permits *permits) 70 { 71 if (permits && refcount_dec_and_test(&permits->usage)) { 72 spin_lock(&afs_permits_lock); 73 hash_del_rcu(&permits->hash_node); 74 spin_unlock(&afs_permits_lock); 75 call_rcu(&permits->rcu, afs_permits_rcu); 76 } 77 } 78 79 /* 80 * Clear a permit cache on callback break. 81 */ 82 void afs_clear_permits(struct afs_vnode *vnode) 83 { 84 struct afs_permits *permits; 85 86 spin_lock(&vnode->lock); 87 permits = rcu_dereference_protected(vnode->permit_cache, 88 lockdep_is_held(&vnode->lock)); 89 RCU_INIT_POINTER(vnode->permit_cache, NULL); 90 vnode->cb_break++; 91 spin_unlock(&vnode->lock); 92 93 if (permits) 94 afs_put_permits(permits); 95 } 96 97 /* 98 * Hash a list of permits. Use simple addition to make it easy to add an extra 99 * one at an as-yet indeterminate position in the list. 100 */ 101 static void afs_hash_permits(struct afs_permits *permits) 102 { 103 unsigned long h = permits->nr_permits; 104 int i; 105 106 for (i = 0; i < permits->nr_permits; i++) { 107 h += (unsigned long)permits->permits[i].key / sizeof(void *); 108 h += permits->permits[i].access; 109 } 110 111 permits->h = h; 112 } 113 114 /* 115 * Cache the CallerAccess result obtained from doing a fileserver operation 116 * that returned a vnode status for a particular key. If a callback break 117 * occurs whilst the operation was in progress then we have to ditch the cache 118 * as the ACL *may* have changed. 119 */ 120 void afs_cache_permit(struct afs_vnode *vnode, struct key *key, 121 unsigned int cb_break) 122 { 123 struct afs_permits *permits, *xpermits, *replacement, *zap, *new = NULL; 124 afs_access_t caller_access = READ_ONCE(vnode->status.caller_access); 125 size_t size = 0; 126 bool changed = false; 127 int i, j; 128 129 _enter("{%x:%u},%x,%x", 130 vnode->fid.vid, vnode->fid.vnode, key_serial(key), caller_access); 131 132 rcu_read_lock(); 133 134 /* Check for the common case first: We got back the same access as last 135 * time we tried and already have it recorded. 136 */ 137 permits = rcu_dereference(vnode->permit_cache); 138 if (permits) { 139 if (!permits->invalidated) { 140 for (i = 0; i < permits->nr_permits; i++) { 141 if (permits->permits[i].key < key) 142 continue; 143 if (permits->permits[i].key > key) 144 break; 145 if (permits->permits[i].access != caller_access) { 146 changed = true; 147 break; 148 } 149 150 if (cb_break != afs_cb_break_sum(vnode, vnode->cb_interest)) { 151 changed = true; 152 break; 153 } 154 155 /* The cache is still good. */ 156 rcu_read_unlock(); 157 return; 158 } 159 } 160 161 changed |= permits->invalidated; 162 size = permits->nr_permits; 163 164 /* If this set of permits is now wrong, clear the permits 165 * pointer so that no one tries to use the stale information. 166 */ 167 if (changed) { 168 spin_lock(&vnode->lock); 169 if (permits != rcu_access_pointer(vnode->permit_cache)) 170 goto someone_else_changed_it_unlock; 171 RCU_INIT_POINTER(vnode->permit_cache, NULL); 172 spin_unlock(&vnode->lock); 173 174 afs_put_permits(permits); 175 permits = NULL; 176 size = 0; 177 } 178 } 179 180 if (cb_break != afs_cb_break_sum(vnode, vnode->cb_interest)) 181 goto someone_else_changed_it; 182 183 /* We need a ref on any permits list we want to copy as we'll have to 184 * drop the lock to do memory allocation. 185 */ 186 if (permits && !refcount_inc_not_zero(&permits->usage)) 187 goto someone_else_changed_it; 188 189 rcu_read_unlock(); 190 191 /* Speculatively create a new list with the revised permission set. We 192 * discard this if we find an extant match already in the hash, but 193 * it's easier to compare with memcmp this way. 194 * 195 * We fill in the key pointers at this time, but we don't get the refs 196 * yet. 197 */ 198 size++; 199 new = kzalloc(sizeof(struct afs_permits) + 200 sizeof(struct afs_permit) * size, GFP_NOFS); 201 if (!new) 202 goto out_put; 203 204 refcount_set(&new->usage, 1); 205 new->nr_permits = size; 206 i = j = 0; 207 if (permits) { 208 for (i = 0; i < permits->nr_permits; i++) { 209 if (j == i && permits->permits[i].key > key) { 210 new->permits[j].key = key; 211 new->permits[j].access = caller_access; 212 j++; 213 } 214 new->permits[j].key = permits->permits[i].key; 215 new->permits[j].access = permits->permits[i].access; 216 j++; 217 } 218 } 219 220 if (j == i) { 221 new->permits[j].key = key; 222 new->permits[j].access = caller_access; 223 } 224 225 afs_hash_permits(new); 226 227 /* Now see if the permit list we want is actually already available */ 228 spin_lock(&afs_permits_lock); 229 230 hash_for_each_possible(afs_permits_cache, xpermits, hash_node, new->h) { 231 if (xpermits->h != new->h || 232 xpermits->invalidated || 233 xpermits->nr_permits != new->nr_permits || 234 memcmp(xpermits->permits, new->permits, 235 new->nr_permits * sizeof(struct afs_permit)) != 0) 236 continue; 237 238 if (refcount_inc_not_zero(&xpermits->usage)) { 239 replacement = xpermits; 240 goto found; 241 } 242 243 break; 244 } 245 246 for (i = 0; i < new->nr_permits; i++) 247 key_get(new->permits[i].key); 248 hash_add_rcu(afs_permits_cache, &new->hash_node, new->h); 249 replacement = new; 250 new = NULL; 251 252 found: 253 spin_unlock(&afs_permits_lock); 254 255 kfree(new); 256 257 spin_lock(&vnode->lock); 258 zap = rcu_access_pointer(vnode->permit_cache); 259 if (cb_break == afs_cb_break_sum(vnode, vnode->cb_interest) && 260 zap == permits) 261 rcu_assign_pointer(vnode->permit_cache, replacement); 262 else 263 zap = replacement; 264 spin_unlock(&vnode->lock); 265 afs_put_permits(zap); 266 out_put: 267 afs_put_permits(permits); 268 return; 269 270 someone_else_changed_it_unlock: 271 spin_unlock(&vnode->lock); 272 someone_else_changed_it: 273 /* Someone else changed the cache under us - don't recheck at this 274 * time. 275 */ 276 rcu_read_unlock(); 277 return; 278 } 279 280 /* 281 * check with the fileserver to see if the directory or parent directory is 282 * permitted to be accessed with this authorisation, and if so, what access it 283 * is granted 284 */ 285 int afs_check_permit(struct afs_vnode *vnode, struct key *key, 286 afs_access_t *_access) 287 { 288 struct afs_permits *permits; 289 bool valid = false; 290 int i, ret; 291 292 _enter("{%x:%u},%x", 293 vnode->fid.vid, vnode->fid.vnode, key_serial(key)); 294 295 /* check the permits to see if we've got one yet */ 296 if (key == vnode->volume->cell->anonymous_key) { 297 _debug("anon"); 298 *_access = vnode->status.anon_access; 299 valid = true; 300 } else { 301 rcu_read_lock(); 302 permits = rcu_dereference(vnode->permit_cache); 303 if (permits) { 304 for (i = 0; i < permits->nr_permits; i++) { 305 if (permits->permits[i].key < key) 306 continue; 307 if (permits->permits[i].key > key) 308 break; 309 310 *_access = permits->permits[i].access; 311 valid = !permits->invalidated; 312 break; 313 } 314 } 315 rcu_read_unlock(); 316 } 317 318 if (!valid) { 319 /* Check the status on the file we're actually interested in 320 * (the post-processing will cache the result). 321 */ 322 _debug("no valid permit"); 323 324 ret = afs_fetch_status(vnode, key, false); 325 if (ret < 0) { 326 *_access = 0; 327 _leave(" = %d", ret); 328 return ret; 329 } 330 *_access = vnode->status.caller_access; 331 } 332 333 _leave(" = 0 [access %x]", *_access); 334 return 0; 335 } 336 337 /* 338 * check the permissions on an AFS file 339 * - AFS ACLs are attached to directories only, and a file is controlled by its 340 * parent directory's ACL 341 */ 342 int afs_permission(struct inode *inode, int mask) 343 { 344 struct afs_vnode *vnode = AFS_FS_I(inode); 345 afs_access_t uninitialized_var(access); 346 struct key *key; 347 int ret; 348 349 if (mask & MAY_NOT_BLOCK) 350 return -ECHILD; 351 352 _enter("{{%x:%u},%lx},%x,", 353 vnode->fid.vid, vnode->fid.vnode, vnode->flags, mask); 354 355 key = afs_request_key(vnode->volume->cell); 356 if (IS_ERR(key)) { 357 _leave(" = %ld [key]", PTR_ERR(key)); 358 return PTR_ERR(key); 359 } 360 361 ret = afs_validate(vnode, key); 362 if (ret < 0) 363 goto error; 364 365 /* check the permits to see if we've got one yet */ 366 ret = afs_check_permit(vnode, key, &access); 367 if (ret < 0) 368 goto error; 369 370 /* interpret the access mask */ 371 _debug("REQ %x ACC %x on %s", 372 mask, access, S_ISDIR(inode->i_mode) ? "dir" : "file"); 373 374 if (S_ISDIR(inode->i_mode)) { 375 if (mask & (MAY_EXEC | MAY_READ | MAY_CHDIR)) { 376 if (!(access & AFS_ACE_LOOKUP)) 377 goto permission_denied; 378 } 379 if (mask & MAY_WRITE) { 380 if (!(access & (AFS_ACE_DELETE | /* rmdir, unlink, rename from */ 381 AFS_ACE_INSERT))) /* create, mkdir, symlink, rename to */ 382 goto permission_denied; 383 } 384 } else { 385 if (!(access & AFS_ACE_LOOKUP)) 386 goto permission_denied; 387 if ((mask & MAY_EXEC) && !(inode->i_mode & S_IXUSR)) 388 goto permission_denied; 389 if (mask & (MAY_EXEC | MAY_READ)) { 390 if (!(access & AFS_ACE_READ)) 391 goto permission_denied; 392 if (!(inode->i_mode & S_IRUSR)) 393 goto permission_denied; 394 } else if (mask & MAY_WRITE) { 395 if (!(access & AFS_ACE_WRITE)) 396 goto permission_denied; 397 if (!(inode->i_mode & S_IWUSR)) 398 goto permission_denied; 399 } 400 } 401 402 key_put(key); 403 _leave(" = %d", ret); 404 return ret; 405 406 permission_denied: 407 ret = -EACCES; 408 error: 409 key_put(key); 410 _leave(" = %d", ret); 411 return ret; 412 } 413 414 void __exit afs_clean_up_permit_cache(void) 415 { 416 int i; 417 418 for (i = 0; i < HASH_SIZE(afs_permits_cache); i++) 419 WARN_ON_ONCE(!hlist_empty(&afs_permits_cache[i])); 420 421 } 422