xref: /openbmc/linux/fs/attr.c (revision 86e281fc)
1 // SPDX-License-Identifier: GPL-2.0
2 /*
3  *  linux/fs/attr.c
4  *
5  *  Copyright (C) 1991, 1992  Linus Torvalds
6  *  changes by Thomas Schoebel-Theuer
7  */
8 
9 #include <linux/export.h>
10 #include <linux/time.h>
11 #include <linux/mm.h>
12 #include <linux/string.h>
13 #include <linux/sched/signal.h>
14 #include <linux/capability.h>
15 #include <linux/fsnotify.h>
16 #include <linux/fcntl.h>
17 #include <linux/filelock.h>
18 #include <linux/security.h>
19 #include <linux/evm.h>
20 #include <linux/ima.h>
21 
22 #include "internal.h"
23 
24 /**
25  * setattr_should_drop_sgid - determine whether the setgid bit needs to be
26  *                            removed
27  * @idmap:	idmap of the mount @inode was found from
28  * @inode:	inode to check
29  *
30  * This function determines whether the setgid bit needs to be removed.
31  * We retain backwards compatibility and require setgid bit to be removed
32  * unconditionally if S_IXGRP is set. Otherwise we have the exact same
33  * requirements as setattr_prepare() and setattr_copy().
34  *
35  * Return: ATTR_KILL_SGID if setgid bit needs to be removed, 0 otherwise.
36  */
37 int setattr_should_drop_sgid(struct mnt_idmap *idmap,
38 			     const struct inode *inode)
39 {
40 	umode_t mode = inode->i_mode;
41 
42 	if (!(mode & S_ISGID))
43 		return 0;
44 	if (mode & S_IXGRP)
45 		return ATTR_KILL_SGID;
46 	if (!in_group_or_capable(idmap, inode, i_gid_into_vfsgid(idmap, inode)))
47 		return ATTR_KILL_SGID;
48 	return 0;
49 }
50 EXPORT_SYMBOL(setattr_should_drop_sgid);
51 
52 /**
53  * setattr_should_drop_suidgid - determine whether the set{g,u}id bit needs to
54  *                               be dropped
55  * @idmap:	idmap of the mount @inode was found from
56  * @inode:	inode to check
57  *
58  * This function determines whether the set{g,u}id bits need to be removed.
59  * If the setuid bit needs to be removed ATTR_KILL_SUID is returned. If the
60  * setgid bit needs to be removed ATTR_KILL_SGID is returned. If both
61  * set{g,u}id bits need to be removed the corresponding mask of both flags is
62  * returned.
63  *
64  * Return: A mask of ATTR_KILL_S{G,U}ID indicating which - if any - setid bits
65  * to remove, 0 otherwise.
66  */
67 int setattr_should_drop_suidgid(struct mnt_idmap *idmap,
68 				struct inode *inode)
69 {
70 	umode_t mode = inode->i_mode;
71 	int kill = 0;
72 
73 	/* suid always must be killed */
74 	if (unlikely(mode & S_ISUID))
75 		kill = ATTR_KILL_SUID;
76 
77 	kill |= setattr_should_drop_sgid(idmap, inode);
78 
79 	if (unlikely(kill && !capable(CAP_FSETID) && S_ISREG(mode)))
80 		return kill;
81 
82 	return 0;
83 }
84 EXPORT_SYMBOL(setattr_should_drop_suidgid);
85 
86 /**
87  * chown_ok - verify permissions to chown inode
88  * @idmap:	idmap of the mount @inode was found from
89  * @inode:	inode to check permissions on
90  * @ia_vfsuid:	uid to chown @inode to
91  *
92  * If the inode has been found through an idmapped mount the idmap of
93  * the vfsmount must be passed through @idmap. This function will then
94  * take care to map the inode according to @idmap before checking
95  * permissions. On non-idmapped mounts or if permission checking is to be
96  * performed on the raw inode simply pass @nop_mnt_idmap.
97  */
98 static bool chown_ok(struct mnt_idmap *idmap,
99 		     const struct inode *inode, vfsuid_t ia_vfsuid)
100 {
101 	vfsuid_t vfsuid = i_uid_into_vfsuid(idmap, inode);
102 	if (vfsuid_eq_kuid(vfsuid, current_fsuid()) &&
103 	    vfsuid_eq(ia_vfsuid, vfsuid))
104 		return true;
105 	if (capable_wrt_inode_uidgid(idmap, inode, CAP_CHOWN))
106 		return true;
107 	if (!vfsuid_valid(vfsuid) &&
108 	    ns_capable(inode->i_sb->s_user_ns, CAP_CHOWN))
109 		return true;
110 	return false;
111 }
112 
113 /**
114  * chgrp_ok - verify permissions to chgrp inode
115  * @idmap:	idmap of the mount @inode was found from
116  * @inode:	inode to check permissions on
117  * @ia_vfsgid:	gid to chown @inode to
118  *
119  * If the inode has been found through an idmapped mount the idmap of
120  * the vfsmount must be passed through @idmap. This function will then
121  * take care to map the inode according to @idmap before checking
122  * permissions. On non-idmapped mounts or if permission checking is to be
123  * performed on the raw inode simply pass @nop_mnt_idmap.
124  */
125 static bool chgrp_ok(struct mnt_idmap *idmap,
126 		     const struct inode *inode, vfsgid_t ia_vfsgid)
127 {
128 	vfsgid_t vfsgid = i_gid_into_vfsgid(idmap, inode);
129 	vfsuid_t vfsuid = i_uid_into_vfsuid(idmap, inode);
130 	if (vfsuid_eq_kuid(vfsuid, current_fsuid())) {
131 		if (vfsgid_eq(ia_vfsgid, vfsgid))
132 			return true;
133 		if (vfsgid_in_group_p(ia_vfsgid))
134 			return true;
135 	}
136 	if (capable_wrt_inode_uidgid(idmap, inode, CAP_CHOWN))
137 		return true;
138 	if (!vfsgid_valid(vfsgid) &&
139 	    ns_capable(inode->i_sb->s_user_ns, CAP_CHOWN))
140 		return true;
141 	return false;
142 }
143 
144 /**
145  * setattr_prepare - check if attribute changes to a dentry are allowed
146  * @idmap:	idmap of the mount the inode was found from
147  * @dentry:	dentry to check
148  * @attr:	attributes to change
149  *
150  * Check if we are allowed to change the attributes contained in @attr
151  * in the given dentry.  This includes the normal unix access permission
152  * checks, as well as checks for rlimits and others. The function also clears
153  * SGID bit from mode if user is not allowed to set it. Also file capabilities
154  * and IMA extended attributes are cleared if ATTR_KILL_PRIV is set.
155  *
156  * If the inode has been found through an idmapped mount the idmap of
157  * the vfsmount must be passed through @idmap. This function will then
158  * take care to map the inode according to @idmap before checking
159  * permissions. On non-idmapped mounts or if permission checking is to be
160  * performed on the raw inode simply passs @nop_mnt_idmap.
161  *
162  * Should be called as the first thing in ->setattr implementations,
163  * possibly after taking additional locks.
164  */
165 int setattr_prepare(struct mnt_idmap *idmap, struct dentry *dentry,
166 		    struct iattr *attr)
167 {
168 	struct inode *inode = d_inode(dentry);
169 	unsigned int ia_valid = attr->ia_valid;
170 
171 	/*
172 	 * First check size constraints.  These can't be overriden using
173 	 * ATTR_FORCE.
174 	 */
175 	if (ia_valid & ATTR_SIZE) {
176 		int error = inode_newsize_ok(inode, attr->ia_size);
177 		if (error)
178 			return error;
179 	}
180 
181 	/* If force is set do it anyway. */
182 	if (ia_valid & ATTR_FORCE)
183 		goto kill_priv;
184 
185 	/* Make sure a caller can chown. */
186 	if ((ia_valid & ATTR_UID) &&
187 	    !chown_ok(idmap, inode, attr->ia_vfsuid))
188 		return -EPERM;
189 
190 	/* Make sure caller can chgrp. */
191 	if ((ia_valid & ATTR_GID) &&
192 	    !chgrp_ok(idmap, inode, attr->ia_vfsgid))
193 		return -EPERM;
194 
195 	/* Make sure a caller can chmod. */
196 	if (ia_valid & ATTR_MODE) {
197 		vfsgid_t vfsgid;
198 
199 		if (!inode_owner_or_capable(idmap, inode))
200 			return -EPERM;
201 
202 		if (ia_valid & ATTR_GID)
203 			vfsgid = attr->ia_vfsgid;
204 		else
205 			vfsgid = i_gid_into_vfsgid(idmap, inode);
206 
207 		/* Also check the setgid bit! */
208 		if (!in_group_or_capable(idmap, inode, vfsgid))
209 			attr->ia_mode &= ~S_ISGID;
210 	}
211 
212 	/* Check for setting the inode time. */
213 	if (ia_valid & (ATTR_MTIME_SET | ATTR_ATIME_SET | ATTR_TIMES_SET)) {
214 		if (!inode_owner_or_capable(idmap, inode))
215 			return -EPERM;
216 	}
217 
218 kill_priv:
219 	/* User has permission for the change */
220 	if (ia_valid & ATTR_KILL_PRIV) {
221 		int error;
222 
223 		error = security_inode_killpriv(idmap, dentry);
224 		if (error)
225 			return error;
226 	}
227 
228 	return 0;
229 }
230 EXPORT_SYMBOL(setattr_prepare);
231 
232 /**
233  * inode_newsize_ok - may this inode be truncated to a given size
234  * @inode:	the inode to be truncated
235  * @offset:	the new size to assign to the inode
236  *
237  * inode_newsize_ok must be called with i_mutex held.
238  *
239  * inode_newsize_ok will check filesystem limits and ulimits to check that the
240  * new inode size is within limits. inode_newsize_ok will also send SIGXFSZ
241  * when necessary. Caller must not proceed with inode size change if failure is
242  * returned. @inode must be a file (not directory), with appropriate
243  * permissions to allow truncate (inode_newsize_ok does NOT check these
244  * conditions).
245  *
246  * Return: 0 on success, -ve errno on failure
247  */
248 int inode_newsize_ok(const struct inode *inode, loff_t offset)
249 {
250 	if (offset < 0)
251 		return -EINVAL;
252 	if (inode->i_size < offset) {
253 		unsigned long limit;
254 
255 		limit = rlimit(RLIMIT_FSIZE);
256 		if (limit != RLIM_INFINITY && offset > limit)
257 			goto out_sig;
258 		if (offset > inode->i_sb->s_maxbytes)
259 			goto out_big;
260 	} else {
261 		/*
262 		 * truncation of in-use swapfiles is disallowed - it would
263 		 * cause subsequent swapout to scribble on the now-freed
264 		 * blocks.
265 		 */
266 		if (IS_SWAPFILE(inode))
267 			return -ETXTBSY;
268 	}
269 
270 	return 0;
271 out_sig:
272 	send_sig(SIGXFSZ, current, 0);
273 out_big:
274 	return -EFBIG;
275 }
276 EXPORT_SYMBOL(inode_newsize_ok);
277 
278 /**
279  * setattr_copy - copy simple metadata updates into the generic inode
280  * @idmap:	idmap of the mount the inode was found from
281  * @inode:	the inode to be updated
282  * @attr:	the new attributes
283  *
284  * setattr_copy must be called with i_mutex held.
285  *
286  * setattr_copy updates the inode's metadata with that specified
287  * in attr on idmapped mounts. Necessary permission checks to determine
288  * whether or not the S_ISGID property needs to be removed are performed with
289  * the correct idmapped mount permission helpers.
290  * Noticeably missing is inode size update, which is more complex
291  * as it requires pagecache updates.
292  *
293  * If the inode has been found through an idmapped mount the idmap of
294  * the vfsmount must be passed through @idmap. This function will then
295  * take care to map the inode according to @idmap before checking
296  * permissions. On non-idmapped mounts or if permission checking is to be
297  * performed on the raw inode simply pass @nop_mnt_idmap.
298  *
299  * The inode is not marked as dirty after this operation. The rationale is
300  * that for "simple" filesystems, the struct inode is the inode storage.
301  * The caller is free to mark the inode dirty afterwards if needed.
302  */
303 void setattr_copy(struct mnt_idmap *idmap, struct inode *inode,
304 		  const struct iattr *attr)
305 {
306 	unsigned int ia_valid = attr->ia_valid;
307 
308 	i_uid_update(idmap, attr, inode);
309 	i_gid_update(idmap, attr, inode);
310 	if (ia_valid & ATTR_ATIME)
311 		inode->i_atime = attr->ia_atime;
312 	if (ia_valid & ATTR_MTIME)
313 		inode->i_mtime = attr->ia_mtime;
314 	if (ia_valid & ATTR_CTIME)
315 		inode_set_ctime_to_ts(inode, attr->ia_ctime);
316 	if (ia_valid & ATTR_MODE) {
317 		umode_t mode = attr->ia_mode;
318 		if (!in_group_or_capable(idmap, inode,
319 					 i_gid_into_vfsgid(idmap, inode)))
320 			mode &= ~S_ISGID;
321 		inode->i_mode = mode;
322 	}
323 }
324 EXPORT_SYMBOL(setattr_copy);
325 
326 int may_setattr(struct mnt_idmap *idmap, struct inode *inode,
327 		unsigned int ia_valid)
328 {
329 	int error;
330 
331 	if (ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID | ATTR_TIMES_SET)) {
332 		if (IS_IMMUTABLE(inode) || IS_APPEND(inode))
333 			return -EPERM;
334 	}
335 
336 	/*
337 	 * If utimes(2) and friends are called with times == NULL (or both
338 	 * times are UTIME_NOW), then we need to check for write permission
339 	 */
340 	if (ia_valid & ATTR_TOUCH) {
341 		if (IS_IMMUTABLE(inode))
342 			return -EPERM;
343 
344 		if (!inode_owner_or_capable(idmap, inode)) {
345 			error = inode_permission(idmap, inode, MAY_WRITE);
346 			if (error)
347 				return error;
348 		}
349 	}
350 	return 0;
351 }
352 EXPORT_SYMBOL(may_setattr);
353 
354 /**
355  * notify_change - modify attributes of a filesytem object
356  * @idmap:	idmap of the mount the inode was found from
357  * @dentry:	object affected
358  * @attr:	new attributes
359  * @delegated_inode: returns inode, if the inode is delegated
360  *
361  * The caller must hold the i_mutex on the affected object.
362  *
363  * If notify_change discovers a delegation in need of breaking,
364  * it will return -EWOULDBLOCK and return a reference to the inode in
365  * delegated_inode.  The caller should then break the delegation and
366  * retry.  Because breaking a delegation may take a long time, the
367  * caller should drop the i_mutex before doing so.
368  *
369  * Alternatively, a caller may pass NULL for delegated_inode.  This may
370  * be appropriate for callers that expect the underlying filesystem not
371  * to be NFS exported.  Also, passing NULL is fine for callers holding
372  * the file open for write, as there can be no conflicting delegation in
373  * that case.
374  *
375  * If the inode has been found through an idmapped mount the idmap of
376  * the vfsmount must be passed through @idmap. This function will then
377  * take care to map the inode according to @idmap before checking
378  * permissions. On non-idmapped mounts or if permission checking is to be
379  * performed on the raw inode simply pass @nop_mnt_idmap.
380  */
381 int notify_change(struct mnt_idmap *idmap, struct dentry *dentry,
382 		  struct iattr *attr, struct inode **delegated_inode)
383 {
384 	struct inode *inode = dentry->d_inode;
385 	umode_t mode = inode->i_mode;
386 	int error;
387 	struct timespec64 now;
388 	unsigned int ia_valid = attr->ia_valid;
389 
390 	WARN_ON_ONCE(!inode_is_locked(inode));
391 
392 	error = may_setattr(idmap, inode, ia_valid);
393 	if (error)
394 		return error;
395 
396 	if ((ia_valid & ATTR_MODE)) {
397 		/*
398 		 * Don't allow changing the mode of symlinks:
399 		 *
400 		 * (1) The vfs doesn't take the mode of symlinks into account
401 		 *     during permission checking.
402 		 * (2) This has never worked correctly. Most major filesystems
403 		 *     did return EOPNOTSUPP due to interactions with POSIX ACLs
404 		 *     but did still updated the mode of the symlink.
405 		 *     This inconsistency led system call wrapper providers such
406 		 *     as libc to block changing the mode of symlinks with
407 		 *     EOPNOTSUPP already.
408 		 * (3) To even do this in the first place one would have to use
409 		 *     specific file descriptors and quite some effort.
410 		 */
411 		if (S_ISLNK(inode->i_mode))
412 			return -EOPNOTSUPP;
413 
414 		/* Flag setting protected by i_mutex */
415 		if (is_sxid(attr->ia_mode))
416 			inode->i_flags &= ~S_NOSEC;
417 	}
418 
419 	now = current_time(inode);
420 
421 	attr->ia_ctime = now;
422 	if (!(ia_valid & ATTR_ATIME_SET))
423 		attr->ia_atime = now;
424 	else
425 		attr->ia_atime = timestamp_truncate(attr->ia_atime, inode);
426 	if (!(ia_valid & ATTR_MTIME_SET))
427 		attr->ia_mtime = now;
428 	else
429 		attr->ia_mtime = timestamp_truncate(attr->ia_mtime, inode);
430 
431 	if (ia_valid & ATTR_KILL_PRIV) {
432 		error = security_inode_need_killpriv(dentry);
433 		if (error < 0)
434 			return error;
435 		if (error == 0)
436 			ia_valid = attr->ia_valid &= ~ATTR_KILL_PRIV;
437 	}
438 
439 	/*
440 	 * We now pass ATTR_KILL_S*ID to the lower level setattr function so
441 	 * that the function has the ability to reinterpret a mode change
442 	 * that's due to these bits. This adds an implicit restriction that
443 	 * no function will ever call notify_change with both ATTR_MODE and
444 	 * ATTR_KILL_S*ID set.
445 	 */
446 	if ((ia_valid & (ATTR_KILL_SUID|ATTR_KILL_SGID)) &&
447 	    (ia_valid & ATTR_MODE))
448 		BUG();
449 
450 	if (ia_valid & ATTR_KILL_SUID) {
451 		if (mode & S_ISUID) {
452 			ia_valid = attr->ia_valid |= ATTR_MODE;
453 			attr->ia_mode = (inode->i_mode & ~S_ISUID);
454 		}
455 	}
456 	if (ia_valid & ATTR_KILL_SGID) {
457 		if (mode & S_ISGID) {
458 			if (!(ia_valid & ATTR_MODE)) {
459 				ia_valid = attr->ia_valid |= ATTR_MODE;
460 				attr->ia_mode = inode->i_mode;
461 			}
462 			attr->ia_mode &= ~S_ISGID;
463 		}
464 	}
465 	if (!(attr->ia_valid & ~(ATTR_KILL_SUID | ATTR_KILL_SGID)))
466 		return 0;
467 
468 	/*
469 	 * Verify that uid/gid changes are valid in the target
470 	 * namespace of the superblock.
471 	 */
472 	if (ia_valid & ATTR_UID &&
473 	    !vfsuid_has_fsmapping(idmap, inode->i_sb->s_user_ns,
474 				  attr->ia_vfsuid))
475 		return -EOVERFLOW;
476 	if (ia_valid & ATTR_GID &&
477 	    !vfsgid_has_fsmapping(idmap, inode->i_sb->s_user_ns,
478 				  attr->ia_vfsgid))
479 		return -EOVERFLOW;
480 
481 	/* Don't allow modifications of files with invalid uids or
482 	 * gids unless those uids & gids are being made valid.
483 	 */
484 	if (!(ia_valid & ATTR_UID) &&
485 	    !vfsuid_valid(i_uid_into_vfsuid(idmap, inode)))
486 		return -EOVERFLOW;
487 	if (!(ia_valid & ATTR_GID) &&
488 	    !vfsgid_valid(i_gid_into_vfsgid(idmap, inode)))
489 		return -EOVERFLOW;
490 
491 	error = security_inode_setattr(idmap, dentry, attr);
492 	if (error)
493 		return error;
494 	error = try_break_deleg(inode, delegated_inode);
495 	if (error)
496 		return error;
497 
498 	if (inode->i_op->setattr)
499 		error = inode->i_op->setattr(idmap, dentry, attr);
500 	else
501 		error = simple_setattr(idmap, dentry, attr);
502 
503 	if (!error) {
504 		fsnotify_change(dentry, ia_valid);
505 		ima_inode_post_setattr(idmap, dentry);
506 		evm_inode_post_setattr(dentry, ia_valid);
507 	}
508 
509 	return error;
510 }
511 EXPORT_SYMBOL(notify_change);
512