xref: /openbmc/linux/fs/attr.c (revision ec5c05e5ac8bcb4a6bcd92970e15494a85400d34)
1  // SPDX-License-Identifier: GPL-2.0
2  /*
3   *  linux/fs/attr.c
4   *
5   *  Copyright (C) 1991, 1992  Linus Torvalds
6   *  changes by Thomas Schoebel-Theuer
7   */
8  
9  #include <linux/export.h>
10  #include <linux/time.h>
11  #include <linux/mm.h>
12  #include <linux/string.h>
13  #include <linux/sched/signal.h>
14  #include <linux/capability.h>
15  #include <linux/fsnotify.h>
16  #include <linux/fcntl.h>
17  #include <linux/security.h>
18  #include <linux/evm.h>
19  #include <linux/ima.h>
20  
21  #include "internal.h"
22  
23  /**
24   * setattr_should_drop_sgid - determine whether the setgid bit needs to be
25   *                            removed
26   * @mnt_userns:	user namespace of the mount @inode was found from
27   * @inode:	inode to check
28   *
29   * This function determines whether the setgid bit needs to be removed.
30   * We retain backwards compatibility and require setgid bit to be removed
31   * unconditionally if S_IXGRP is set. Otherwise we have the exact same
32   * requirements as setattr_prepare() and setattr_copy().
33   *
34   * Return: ATTR_KILL_SGID if setgid bit needs to be removed, 0 otherwise.
35   */
36  int setattr_should_drop_sgid(struct user_namespace *mnt_userns,
37  			     const struct inode *inode)
38  {
39  	umode_t mode = inode->i_mode;
40  
41  	if (!(mode & S_ISGID))
42  		return 0;
43  	if (mode & S_IXGRP)
44  		return ATTR_KILL_SGID;
45  	if (!in_group_or_capable(mnt_userns, inode,
46  				 i_gid_into_vfsgid(mnt_userns, inode)))
47  		return ATTR_KILL_SGID;
48  	return 0;
49  }
50  
51  /**
52   * setattr_should_drop_suidgid - determine whether the set{g,u}id bit needs to
53   *                               be dropped
54   * @mnt_userns:	user namespace of the mount @inode was found from
55   * @inode:	inode to check
56   *
57   * This function determines whether the set{g,u}id bits need to be removed.
58   * If the setuid bit needs to be removed ATTR_KILL_SUID is returned. If the
59   * setgid bit needs to be removed ATTR_KILL_SGID is returned. If both
60   * set{g,u}id bits need to be removed the corresponding mask of both flags is
61   * returned.
62   *
63   * Return: A mask of ATTR_KILL_S{G,U}ID indicating which - if any - setid bits
64   * to remove, 0 otherwise.
65   */
66  int setattr_should_drop_suidgid(struct user_namespace *mnt_userns,
67  				struct inode *inode)
68  {
69  	umode_t mode = inode->i_mode;
70  	int kill = 0;
71  
72  	/* suid always must be killed */
73  	if (unlikely(mode & S_ISUID))
74  		kill = ATTR_KILL_SUID;
75  
76  	kill |= setattr_should_drop_sgid(mnt_userns, inode);
77  
78  	if (unlikely(kill && !capable(CAP_FSETID) && S_ISREG(mode)))
79  		return kill;
80  
81  	return 0;
82  }
83  EXPORT_SYMBOL(setattr_should_drop_suidgid);
84  
85  /**
86   * chown_ok - verify permissions to chown inode
87   * @mnt_userns:	user namespace of the mount @inode was found from
88   * @inode:	inode to check permissions on
89   * @ia_vfsuid:	uid to chown @inode to
90   *
91   * If the inode has been found through an idmapped mount the user namespace of
92   * the vfsmount must be passed through @mnt_userns. This function will then
93   * take care to map the inode according to @mnt_userns before checking
94   * permissions. On non-idmapped mounts or if permission checking is to be
95   * performed on the raw inode simply passs init_user_ns.
96   */
97  static bool chown_ok(struct user_namespace *mnt_userns,
98  		     const struct inode *inode, vfsuid_t ia_vfsuid)
99  {
100  	vfsuid_t vfsuid = i_uid_into_vfsuid(mnt_userns, inode);
101  	if (vfsuid_eq_kuid(vfsuid, current_fsuid()) &&
102  	    vfsuid_eq(ia_vfsuid, vfsuid))
103  		return true;
104  	if (capable_wrt_inode_uidgid(mnt_userns, inode, CAP_CHOWN))
105  		return true;
106  	if (!vfsuid_valid(vfsuid) &&
107  	    ns_capable(inode->i_sb->s_user_ns, CAP_CHOWN))
108  		return true;
109  	return false;
110  }
111  
112  /**
113   * chgrp_ok - verify permissions to chgrp inode
114   * @mnt_userns:	user namespace of the mount @inode was found from
115   * @inode:	inode to check permissions on
116   * @ia_vfsgid:	gid to chown @inode to
117   *
118   * If the inode has been found through an idmapped mount the user namespace of
119   * the vfsmount must be passed through @mnt_userns. This function will then
120   * take care to map the inode according to @mnt_userns before checking
121   * permissions. On non-idmapped mounts or if permission checking is to be
122   * performed on the raw inode simply passs init_user_ns.
123   */
124  static bool chgrp_ok(struct user_namespace *mnt_userns,
125  		     const struct inode *inode, vfsgid_t ia_vfsgid)
126  {
127  	vfsgid_t vfsgid = i_gid_into_vfsgid(mnt_userns, inode);
128  	vfsuid_t vfsuid = i_uid_into_vfsuid(mnt_userns, inode);
129  	if (vfsuid_eq_kuid(vfsuid, current_fsuid())) {
130  		if (vfsgid_eq(ia_vfsgid, vfsgid))
131  			return true;
132  		if (vfsgid_in_group_p(ia_vfsgid))
133  			return true;
134  	}
135  	if (capable_wrt_inode_uidgid(mnt_userns, inode, CAP_CHOWN))
136  		return true;
137  	if (!vfsgid_valid(vfsgid) &&
138  	    ns_capable(inode->i_sb->s_user_ns, CAP_CHOWN))
139  		return true;
140  	return false;
141  }
142  
143  /**
144   * setattr_prepare - check if attribute changes to a dentry are allowed
145   * @mnt_userns:	user namespace of the mount the inode was found from
146   * @dentry:	dentry to check
147   * @attr:	attributes to change
148   *
149   * Check if we are allowed to change the attributes contained in @attr
150   * in the given dentry.  This includes the normal unix access permission
151   * checks, as well as checks for rlimits and others. The function also clears
152   * SGID bit from mode if user is not allowed to set it. Also file capabilities
153   * and IMA extended attributes are cleared if ATTR_KILL_PRIV is set.
154   *
155   * If the inode has been found through an idmapped mount the user namespace of
156   * the vfsmount must be passed through @mnt_userns. This function will then
157   * take care to map the inode according to @mnt_userns before checking
158   * permissions. On non-idmapped mounts or if permission checking is to be
159   * performed on the raw inode simply passs init_user_ns.
160   *
161   * Should be called as the first thing in ->setattr implementations,
162   * possibly after taking additional locks.
163   */
164  int setattr_prepare(struct user_namespace *mnt_userns, struct dentry *dentry,
165  		    struct iattr *attr)
166  {
167  	struct inode *inode = d_inode(dentry);
168  	unsigned int ia_valid = attr->ia_valid;
169  
170  	/*
171  	 * First check size constraints.  These can't be overriden using
172  	 * ATTR_FORCE.
173  	 */
174  	if (ia_valid & ATTR_SIZE) {
175  		int error = inode_newsize_ok(inode, attr->ia_size);
176  		if (error)
177  			return error;
178  	}
179  
180  	/* If force is set do it anyway. */
181  	if (ia_valid & ATTR_FORCE)
182  		goto kill_priv;
183  
184  	/* Make sure a caller can chown. */
185  	if ((ia_valid & ATTR_UID) &&
186  	    !chown_ok(mnt_userns, inode, attr->ia_vfsuid))
187  		return -EPERM;
188  
189  	/* Make sure caller can chgrp. */
190  	if ((ia_valid & ATTR_GID) &&
191  	    !chgrp_ok(mnt_userns, inode, attr->ia_vfsgid))
192  		return -EPERM;
193  
194  	/* Make sure a caller can chmod. */
195  	if (ia_valid & ATTR_MODE) {
196  		vfsgid_t vfsgid;
197  
198  		if (!inode_owner_or_capable(mnt_userns, inode))
199  			return -EPERM;
200  
201  		if (ia_valid & ATTR_GID)
202  			vfsgid = attr->ia_vfsgid;
203  		else
204  			vfsgid = i_gid_into_vfsgid(mnt_userns, inode);
205  
206  		/* Also check the setgid bit! */
207  		if (!in_group_or_capable(mnt_userns, inode, vfsgid))
208  			attr->ia_mode &= ~S_ISGID;
209  	}
210  
211  	/* Check for setting the inode time. */
212  	if (ia_valid & (ATTR_MTIME_SET | ATTR_ATIME_SET | ATTR_TIMES_SET)) {
213  		if (!inode_owner_or_capable(mnt_userns, inode))
214  			return -EPERM;
215  	}
216  
217  kill_priv:
218  	/* User has permission for the change */
219  	if (ia_valid & ATTR_KILL_PRIV) {
220  		int error;
221  
222  		error = security_inode_killpriv(mnt_userns, dentry);
223  		if (error)
224  			return error;
225  	}
226  
227  	return 0;
228  }
229  EXPORT_SYMBOL(setattr_prepare);
230  
231  /**
232   * inode_newsize_ok - may this inode be truncated to a given size
233   * @inode:	the inode to be truncated
234   * @offset:	the new size to assign to the inode
235   *
236   * inode_newsize_ok must be called with i_mutex held.
237   *
238   * inode_newsize_ok will check filesystem limits and ulimits to check that the
239   * new inode size is within limits. inode_newsize_ok will also send SIGXFSZ
240   * when necessary. Caller must not proceed with inode size change if failure is
241   * returned. @inode must be a file (not directory), with appropriate
242   * permissions to allow truncate (inode_newsize_ok does NOT check these
243   * conditions).
244   *
245   * Return: 0 on success, -ve errno on failure
246   */
247  int inode_newsize_ok(const struct inode *inode, loff_t offset)
248  {
249  	if (offset < 0)
250  		return -EINVAL;
251  	if (inode->i_size < offset) {
252  		unsigned long limit;
253  
254  		limit = rlimit(RLIMIT_FSIZE);
255  		if (limit != RLIM_INFINITY && offset > limit)
256  			goto out_sig;
257  		if (offset > inode->i_sb->s_maxbytes)
258  			goto out_big;
259  	} else {
260  		/*
261  		 * truncation of in-use swapfiles is disallowed - it would
262  		 * cause subsequent swapout to scribble on the now-freed
263  		 * blocks.
264  		 */
265  		if (IS_SWAPFILE(inode))
266  			return -ETXTBSY;
267  	}
268  
269  	return 0;
270  out_sig:
271  	send_sig(SIGXFSZ, current, 0);
272  out_big:
273  	return -EFBIG;
274  }
275  EXPORT_SYMBOL(inode_newsize_ok);
276  
277  /**
278   * setattr_copy - copy simple metadata updates into the generic inode
279   * @mnt_userns:	user namespace of the mount the inode was found from
280   * @inode:	the inode to be updated
281   * @attr:	the new attributes
282   *
283   * setattr_copy must be called with i_mutex held.
284   *
285   * setattr_copy updates the inode's metadata with that specified
286   * in attr on idmapped mounts. Necessary permission checks to determine
287   * whether or not the S_ISGID property needs to be removed are performed with
288   * the correct idmapped mount permission helpers.
289   * Noticeably missing is inode size update, which is more complex
290   * as it requires pagecache updates.
291   *
292   * If the inode has been found through an idmapped mount the user namespace of
293   * the vfsmount must be passed through @mnt_userns. This function will then
294   * take care to map the inode according to @mnt_userns before checking
295   * permissions. On non-idmapped mounts or if permission checking is to be
296   * performed on the raw inode simply passs init_user_ns.
297   *
298   * The inode is not marked as dirty after this operation. The rationale is
299   * that for "simple" filesystems, the struct inode is the inode storage.
300   * The caller is free to mark the inode dirty afterwards if needed.
301   */
302  void setattr_copy(struct user_namespace *mnt_userns, struct inode *inode,
303  		  const struct iattr *attr)
304  {
305  	unsigned int ia_valid = attr->ia_valid;
306  
307  	i_uid_update(mnt_userns, attr, inode);
308  	i_gid_update(mnt_userns, attr, inode);
309  	if (ia_valid & ATTR_ATIME)
310  		inode->i_atime = attr->ia_atime;
311  	if (ia_valid & ATTR_MTIME)
312  		inode->i_mtime = attr->ia_mtime;
313  	if (ia_valid & ATTR_CTIME)
314  		inode->i_ctime = attr->ia_ctime;
315  	if (ia_valid & ATTR_MODE) {
316  		umode_t mode = attr->ia_mode;
317  		if (!in_group_or_capable(mnt_userns, inode,
318  					 i_gid_into_vfsgid(mnt_userns, inode)))
319  			mode &= ~S_ISGID;
320  		inode->i_mode = mode;
321  	}
322  }
323  EXPORT_SYMBOL(setattr_copy);
324  
325  int may_setattr(struct user_namespace *mnt_userns, struct inode *inode,
326  		unsigned int ia_valid)
327  {
328  	int error;
329  
330  	if (ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID | ATTR_TIMES_SET)) {
331  		if (IS_IMMUTABLE(inode) || IS_APPEND(inode))
332  			return -EPERM;
333  	}
334  
335  	/*
336  	 * If utimes(2) and friends are called with times == NULL (or both
337  	 * times are UTIME_NOW), then we need to check for write permission
338  	 */
339  	if (ia_valid & ATTR_TOUCH) {
340  		if (IS_IMMUTABLE(inode))
341  			return -EPERM;
342  
343  		if (!inode_owner_or_capable(mnt_userns, inode)) {
344  			error = inode_permission(mnt_userns, inode, MAY_WRITE);
345  			if (error)
346  				return error;
347  		}
348  	}
349  	return 0;
350  }
351  EXPORT_SYMBOL(may_setattr);
352  
353  /**
354   * notify_change - modify attributes of a filesytem object
355   * @mnt_userns:	user namespace of the mount the inode was found from
356   * @dentry:	object affected
357   * @attr:	new attributes
358   * @delegated_inode: returns inode, if the inode is delegated
359   *
360   * The caller must hold the i_mutex on the affected object.
361   *
362   * If notify_change discovers a delegation in need of breaking,
363   * it will return -EWOULDBLOCK and return a reference to the inode in
364   * delegated_inode.  The caller should then break the delegation and
365   * retry.  Because breaking a delegation may take a long time, the
366   * caller should drop the i_mutex before doing so.
367   *
368   * Alternatively, a caller may pass NULL for delegated_inode.  This may
369   * be appropriate for callers that expect the underlying filesystem not
370   * to be NFS exported.  Also, passing NULL is fine for callers holding
371   * the file open for write, as there can be no conflicting delegation in
372   * that case.
373   *
374   * If the inode has been found through an idmapped mount the user namespace of
375   * the vfsmount must be passed through @mnt_userns. This function will then
376   * take care to map the inode according to @mnt_userns before checking
377   * permissions. On non-idmapped mounts or if permission checking is to be
378   * performed on the raw inode simply passs init_user_ns.
379   */
380  int notify_change(struct user_namespace *mnt_userns, struct dentry *dentry,
381  		  struct iattr *attr, struct inode **delegated_inode)
382  {
383  	struct inode *inode = dentry->d_inode;
384  	umode_t mode = inode->i_mode;
385  	int error;
386  	struct timespec64 now;
387  	unsigned int ia_valid = attr->ia_valid;
388  
389  	WARN_ON_ONCE(!inode_is_locked(inode));
390  
391  	error = may_setattr(mnt_userns, inode, ia_valid);
392  	if (error)
393  		return error;
394  
395  	if ((ia_valid & ATTR_MODE)) {
396  		umode_t amode = attr->ia_mode;
397  		/* Flag setting protected by i_mutex */
398  		if (is_sxid(amode))
399  			inode->i_flags &= ~S_NOSEC;
400  	}
401  
402  	now = current_time(inode);
403  
404  	attr->ia_ctime = now;
405  	if (!(ia_valid & ATTR_ATIME_SET))
406  		attr->ia_atime = now;
407  	else
408  		attr->ia_atime = timestamp_truncate(attr->ia_atime, inode);
409  	if (!(ia_valid & ATTR_MTIME_SET))
410  		attr->ia_mtime = now;
411  	else
412  		attr->ia_mtime = timestamp_truncate(attr->ia_mtime, inode);
413  
414  	if (ia_valid & ATTR_KILL_PRIV) {
415  		error = security_inode_need_killpriv(dentry);
416  		if (error < 0)
417  			return error;
418  		if (error == 0)
419  			ia_valid = attr->ia_valid &= ~ATTR_KILL_PRIV;
420  	}
421  
422  	/*
423  	 * We now pass ATTR_KILL_S*ID to the lower level setattr function so
424  	 * that the function has the ability to reinterpret a mode change
425  	 * that's due to these bits. This adds an implicit restriction that
426  	 * no function will ever call notify_change with both ATTR_MODE and
427  	 * ATTR_KILL_S*ID set.
428  	 */
429  	if ((ia_valid & (ATTR_KILL_SUID|ATTR_KILL_SGID)) &&
430  	    (ia_valid & ATTR_MODE))
431  		BUG();
432  
433  	if (ia_valid & ATTR_KILL_SUID) {
434  		if (mode & S_ISUID) {
435  			ia_valid = attr->ia_valid |= ATTR_MODE;
436  			attr->ia_mode = (inode->i_mode & ~S_ISUID);
437  		}
438  	}
439  	if (ia_valid & ATTR_KILL_SGID) {
440  		if (mode & S_ISGID) {
441  			if (!(ia_valid & ATTR_MODE)) {
442  				ia_valid = attr->ia_valid |= ATTR_MODE;
443  				attr->ia_mode = inode->i_mode;
444  			}
445  			attr->ia_mode &= ~S_ISGID;
446  		}
447  	}
448  	if (!(attr->ia_valid & ~(ATTR_KILL_SUID | ATTR_KILL_SGID)))
449  		return 0;
450  
451  	/*
452  	 * Verify that uid/gid changes are valid in the target
453  	 * namespace of the superblock.
454  	 */
455  	if (ia_valid & ATTR_UID &&
456  	    !vfsuid_has_fsmapping(mnt_userns, inode->i_sb->s_user_ns,
457  				  attr->ia_vfsuid))
458  		return -EOVERFLOW;
459  	if (ia_valid & ATTR_GID &&
460  	    !vfsgid_has_fsmapping(mnt_userns, inode->i_sb->s_user_ns,
461  				  attr->ia_vfsgid))
462  		return -EOVERFLOW;
463  
464  	/* Don't allow modifications of files with invalid uids or
465  	 * gids unless those uids & gids are being made valid.
466  	 */
467  	if (!(ia_valid & ATTR_UID) &&
468  	    !vfsuid_valid(i_uid_into_vfsuid(mnt_userns, inode)))
469  		return -EOVERFLOW;
470  	if (!(ia_valid & ATTR_GID) &&
471  	    !vfsgid_valid(i_gid_into_vfsgid(mnt_userns, inode)))
472  		return -EOVERFLOW;
473  
474  	error = security_inode_setattr(mnt_userns, dentry, attr);
475  	if (error)
476  		return error;
477  	error = try_break_deleg(inode, delegated_inode);
478  	if (error)
479  		return error;
480  
481  	if (inode->i_op->setattr)
482  		error = inode->i_op->setattr(mnt_userns, dentry, attr);
483  	else
484  		error = simple_setattr(mnt_userns, dentry, attr);
485  
486  	if (!error) {
487  		fsnotify_change(dentry, ia_valid);
488  		ima_inode_post_setattr(mnt_userns, dentry);
489  		evm_inode_post_setattr(dentry, ia_valid);
490  	}
491  
492  	return error;
493  }
494  EXPORT_SYMBOL(notify_change);
495