1 /* AFS security handling 2 * 3 * Copyright (C) 2007, 2017 Red Hat, Inc. All Rights Reserved. 4 * Written by David Howells (dhowells@redhat.com) 5 * 6 * This program is free software; you can redistribute it and/or 7 * modify it under the terms of the GNU General Public License 8 * as published by the Free Software Foundation; either version 9 * 2 of the License, or (at your option) any later version. 10 */ 11 12 #include <linux/init.h> 13 #include <linux/slab.h> 14 #include <linux/fs.h> 15 #include <linux/ctype.h> 16 #include <linux/sched.h> 17 #include <linux/hashtable.h> 18 #include <keys/rxrpc-type.h> 19 #include "internal.h" 20 21 static DEFINE_HASHTABLE(afs_permits_cache, 10); 22 static DEFINE_SPINLOCK(afs_permits_lock); 23 24 /* 25 * get a key 26 */ 27 struct key *afs_request_key(struct afs_cell *cell) 28 { 29 struct key *key; 30 31 _enter("{%x}", key_serial(cell->anonymous_key)); 32 33 _debug("key %s", cell->anonymous_key->description); 34 key = request_key(&key_type_rxrpc, cell->anonymous_key->description, 35 NULL); 36 if (IS_ERR(key)) { 37 if (PTR_ERR(key) != -ENOKEY) { 38 _leave(" = %ld", PTR_ERR(key)); 39 return key; 40 } 41 42 /* act as anonymous user */ 43 _leave(" = {%x} [anon]", key_serial(cell->anonymous_key)); 44 return key_get(cell->anonymous_key); 45 } else { 46 /* act as authorised user */ 47 _leave(" = {%x} [auth]", key_serial(key)); 48 return key; 49 } 50 } 51 52 /* 53 * Dispose of a list of permits. 54 */ 55 static void afs_permits_rcu(struct rcu_head *rcu) 56 { 57 struct afs_permits *permits = 58 container_of(rcu, struct afs_permits, rcu); 59 int i; 60 61 for (i = 0; i < permits->nr_permits; i++) 62 key_put(permits->permits[i].key); 63 kfree(permits); 64 } 65 66 /* 67 * Discard a permission cache. 68 */ 69 void afs_put_permits(struct afs_permits *permits) 70 { 71 if (permits && refcount_dec_and_test(&permits->usage)) { 72 spin_lock(&afs_permits_lock); 73 hash_del_rcu(&permits->hash_node); 74 spin_unlock(&afs_permits_lock); 75 call_rcu(&permits->rcu, afs_permits_rcu); 76 } 77 } 78 79 /* 80 * Clear a permit cache on callback break. 81 */ 82 void afs_clear_permits(struct afs_vnode *vnode) 83 { 84 struct afs_permits *permits; 85 86 spin_lock(&vnode->lock); 87 permits = rcu_dereference_protected(vnode->permit_cache, 88 lockdep_is_held(&vnode->lock)); 89 RCU_INIT_POINTER(vnode->permit_cache, NULL); 90 vnode->cb_break++; 91 spin_unlock(&vnode->lock); 92 93 if (permits) 94 afs_put_permits(permits); 95 } 96 97 /* 98 * Hash a list of permits. Use simple addition to make it easy to add an extra 99 * one at an as-yet indeterminate position in the list. 100 */ 101 static void afs_hash_permits(struct afs_permits *permits) 102 { 103 unsigned long h = permits->nr_permits; 104 int i; 105 106 for (i = 0; i < permits->nr_permits; i++) { 107 h += (unsigned long)permits->permits[i].key / sizeof(void *); 108 h += permits->permits[i].access; 109 } 110 111 permits->h = h; 112 } 113 114 /* 115 * Cache the CallerAccess result obtained from doing a fileserver operation 116 * that returned a vnode status for a particular key. If a callback break 117 * occurs whilst the operation was in progress then we have to ditch the cache 118 * as the ACL *may* have changed. 119 */ 120 void afs_cache_permit(struct afs_vnode *vnode, struct key *key, 121 unsigned int cb_break) 122 { 123 struct afs_permits *permits, *xpermits, *replacement, *zap, *new = NULL; 124 afs_access_t caller_access = READ_ONCE(vnode->status.caller_access); 125 size_t size = 0; 126 bool changed = false; 127 int i, j; 128 129 _enter("{%llx:%llu},%x,%x", 130 vnode->fid.vid, vnode->fid.vnode, key_serial(key), caller_access); 131 132 rcu_read_lock(); 133 134 /* Check for the common case first: We got back the same access as last 135 * time we tried and already have it recorded. 136 */ 137 permits = rcu_dereference(vnode->permit_cache); 138 if (permits) { 139 if (!permits->invalidated) { 140 for (i = 0; i < permits->nr_permits; i++) { 141 if (permits->permits[i].key < key) 142 continue; 143 if (permits->permits[i].key > key) 144 break; 145 if (permits->permits[i].access != caller_access) { 146 changed = true; 147 break; 148 } 149 150 if (afs_cb_is_broken(cb_break, vnode, 151 vnode->cb_interest)) { 152 changed = true; 153 break; 154 } 155 156 /* The cache is still good. */ 157 rcu_read_unlock(); 158 return; 159 } 160 } 161 162 changed |= permits->invalidated; 163 size = permits->nr_permits; 164 165 /* If this set of permits is now wrong, clear the permits 166 * pointer so that no one tries to use the stale information. 167 */ 168 if (changed) { 169 spin_lock(&vnode->lock); 170 if (permits != rcu_access_pointer(vnode->permit_cache)) 171 goto someone_else_changed_it_unlock; 172 RCU_INIT_POINTER(vnode->permit_cache, NULL); 173 spin_unlock(&vnode->lock); 174 175 afs_put_permits(permits); 176 permits = NULL; 177 size = 0; 178 } 179 } 180 181 if (afs_cb_is_broken(cb_break, vnode, vnode->cb_interest)) 182 goto someone_else_changed_it; 183 184 /* We need a ref on any permits list we want to copy as we'll have to 185 * drop the lock to do memory allocation. 186 */ 187 if (permits && !refcount_inc_not_zero(&permits->usage)) 188 goto someone_else_changed_it; 189 190 rcu_read_unlock(); 191 192 /* Speculatively create a new list with the revised permission set. We 193 * discard this if we find an extant match already in the hash, but 194 * it's easier to compare with memcmp this way. 195 * 196 * We fill in the key pointers at this time, but we don't get the refs 197 * yet. 198 */ 199 size++; 200 new = kzalloc(sizeof(struct afs_permits) + 201 sizeof(struct afs_permit) * size, GFP_NOFS); 202 if (!new) 203 goto out_put; 204 205 refcount_set(&new->usage, 1); 206 new->nr_permits = size; 207 i = j = 0; 208 if (permits) { 209 for (i = 0; i < permits->nr_permits; i++) { 210 if (j == i && permits->permits[i].key > key) { 211 new->permits[j].key = key; 212 new->permits[j].access = caller_access; 213 j++; 214 } 215 new->permits[j].key = permits->permits[i].key; 216 new->permits[j].access = permits->permits[i].access; 217 j++; 218 } 219 } 220 221 if (j == i) { 222 new->permits[j].key = key; 223 new->permits[j].access = caller_access; 224 } 225 226 afs_hash_permits(new); 227 228 /* Now see if the permit list we want is actually already available */ 229 spin_lock(&afs_permits_lock); 230 231 hash_for_each_possible(afs_permits_cache, xpermits, hash_node, new->h) { 232 if (xpermits->h != new->h || 233 xpermits->invalidated || 234 xpermits->nr_permits != new->nr_permits || 235 memcmp(xpermits->permits, new->permits, 236 new->nr_permits * sizeof(struct afs_permit)) != 0) 237 continue; 238 239 if (refcount_inc_not_zero(&xpermits->usage)) { 240 replacement = xpermits; 241 goto found; 242 } 243 244 break; 245 } 246 247 for (i = 0; i < new->nr_permits; i++) 248 key_get(new->permits[i].key); 249 hash_add_rcu(afs_permits_cache, &new->hash_node, new->h); 250 replacement = new; 251 new = NULL; 252 253 found: 254 spin_unlock(&afs_permits_lock); 255 256 kfree(new); 257 258 spin_lock(&vnode->lock); 259 zap = rcu_access_pointer(vnode->permit_cache); 260 if (!afs_cb_is_broken(cb_break, vnode, vnode->cb_interest) && 261 zap == permits) 262 rcu_assign_pointer(vnode->permit_cache, replacement); 263 else 264 zap = replacement; 265 spin_unlock(&vnode->lock); 266 afs_put_permits(zap); 267 out_put: 268 afs_put_permits(permits); 269 return; 270 271 someone_else_changed_it_unlock: 272 spin_unlock(&vnode->lock); 273 someone_else_changed_it: 274 /* Someone else changed the cache under us - don't recheck at this 275 * time. 276 */ 277 rcu_read_unlock(); 278 return; 279 } 280 281 /* 282 * check with the fileserver to see if the directory or parent directory is 283 * permitted to be accessed with this authorisation, and if so, what access it 284 * is granted 285 */ 286 int afs_check_permit(struct afs_vnode *vnode, struct key *key, 287 afs_access_t *_access) 288 { 289 struct afs_permits *permits; 290 bool valid = false; 291 int i, ret; 292 293 _enter("{%llx:%llu},%x", 294 vnode->fid.vid, vnode->fid.vnode, key_serial(key)); 295 296 /* check the permits to see if we've got one yet */ 297 if (key == vnode->volume->cell->anonymous_key) { 298 _debug("anon"); 299 *_access = vnode->status.anon_access; 300 valid = true; 301 } else { 302 rcu_read_lock(); 303 permits = rcu_dereference(vnode->permit_cache); 304 if (permits) { 305 for (i = 0; i < permits->nr_permits; i++) { 306 if (permits->permits[i].key < key) 307 continue; 308 if (permits->permits[i].key > key) 309 break; 310 311 *_access = permits->permits[i].access; 312 valid = !permits->invalidated; 313 break; 314 } 315 } 316 rcu_read_unlock(); 317 } 318 319 if (!valid) { 320 /* Check the status on the file we're actually interested in 321 * (the post-processing will cache the result). 322 */ 323 _debug("no valid permit"); 324 325 ret = afs_fetch_status(vnode, key, false); 326 if (ret < 0) { 327 *_access = 0; 328 _leave(" = %d", ret); 329 return ret; 330 } 331 *_access = vnode->status.caller_access; 332 } 333 334 _leave(" = 0 [access %x]", *_access); 335 return 0; 336 } 337 338 /* 339 * check the permissions on an AFS file 340 * - AFS ACLs are attached to directories only, and a file is controlled by its 341 * parent directory's ACL 342 */ 343 int afs_permission(struct inode *inode, int mask) 344 { 345 struct afs_vnode *vnode = AFS_FS_I(inode); 346 afs_access_t uninitialized_var(access); 347 struct key *key; 348 int ret; 349 350 if (mask & MAY_NOT_BLOCK) 351 return -ECHILD; 352 353 _enter("{{%llx:%llu},%lx},%x,", 354 vnode->fid.vid, vnode->fid.vnode, vnode->flags, mask); 355 356 key = afs_request_key(vnode->volume->cell); 357 if (IS_ERR(key)) { 358 _leave(" = %ld [key]", PTR_ERR(key)); 359 return PTR_ERR(key); 360 } 361 362 ret = afs_validate(vnode, key); 363 if (ret < 0) 364 goto error; 365 366 /* check the permits to see if we've got one yet */ 367 ret = afs_check_permit(vnode, key, &access); 368 if (ret < 0) 369 goto error; 370 371 /* interpret the access mask */ 372 _debug("REQ %x ACC %x on %s", 373 mask, access, S_ISDIR(inode->i_mode) ? "dir" : "file"); 374 375 if (S_ISDIR(inode->i_mode)) { 376 if (mask & (MAY_EXEC | MAY_READ | MAY_CHDIR)) { 377 if (!(access & AFS_ACE_LOOKUP)) 378 goto permission_denied; 379 } 380 if (mask & MAY_WRITE) { 381 if (!(access & (AFS_ACE_DELETE | /* rmdir, unlink, rename from */ 382 AFS_ACE_INSERT))) /* create, mkdir, symlink, rename to */ 383 goto permission_denied; 384 } 385 } else { 386 if (!(access & AFS_ACE_LOOKUP)) 387 goto permission_denied; 388 if ((mask & MAY_EXEC) && !(inode->i_mode & S_IXUSR)) 389 goto permission_denied; 390 if (mask & (MAY_EXEC | MAY_READ)) { 391 if (!(access & AFS_ACE_READ)) 392 goto permission_denied; 393 if (!(inode->i_mode & S_IRUSR)) 394 goto permission_denied; 395 } else if (mask & MAY_WRITE) { 396 if (!(access & AFS_ACE_WRITE)) 397 goto permission_denied; 398 if (!(inode->i_mode & S_IWUSR)) 399 goto permission_denied; 400 } 401 } 402 403 key_put(key); 404 _leave(" = %d", ret); 405 return ret; 406 407 permission_denied: 408 ret = -EACCES; 409 error: 410 key_put(key); 411 _leave(" = %d", ret); 412 return ret; 413 } 414 415 void __exit afs_clean_up_permit_cache(void) 416 { 417 int i; 418 419 for (i = 0; i < HASH_SIZE(afs_permits_cache); i++) 420 WARN_ON_ONCE(!hlist_empty(&afs_permits_cache[i])); 421 422 } 423