1 // SPDX-License-Identifier: GPL-2.0-only 2 /* 3 * Copyright (C) 2002,2003 by Andreas Gruenbacher <a.gruenbacher@computer.org> 4 * 5 * Fixes from William Schumacher incorporated on 15 March 2001. 6 * (Reported by Charles Bertsch, <CBertsch@microtest.com>). 7 */ 8 9 /* 10 * This file contains generic functions for manipulating 11 * POSIX 1003.1e draft standard 17 ACLs. 12 */ 13 14 #include <linux/kernel.h> 15 #include <linux/slab.h> 16 #include <linux/atomic.h> 17 #include <linux/fs.h> 18 #include <linux/sched.h> 19 #include <linux/cred.h> 20 #include <linux/posix_acl.h> 21 #include <linux/posix_acl_xattr.h> 22 #include <linux/xattr.h> 23 #include <linux/export.h> 24 #include <linux/user_namespace.h> 25 #include <linux/namei.h> 26 #include <linux/mnt_idmapping.h> 27 #include <linux/iversion.h> 28 #include <linux/security.h> 29 #include <linux/evm.h> 30 #include <linux/fsnotify.h> 31 #include <linux/filelock.h> 32 33 #include "internal.h" 34 35 static struct posix_acl **acl_by_type(struct inode *inode, int type) 36 { 37 switch (type) { 38 case ACL_TYPE_ACCESS: 39 return &inode->i_acl; 40 case ACL_TYPE_DEFAULT: 41 return &inode->i_default_acl; 42 default: 43 BUG(); 44 } 45 } 46 47 struct posix_acl *get_cached_acl(struct inode *inode, int type) 48 { 49 struct posix_acl **p = acl_by_type(inode, type); 50 struct posix_acl *acl; 51 52 for (;;) { 53 rcu_read_lock(); 54 acl = rcu_dereference(*p); 55 if (!acl || is_uncached_acl(acl) || 56 refcount_inc_not_zero(&acl->a_refcount)) 57 break; 58 rcu_read_unlock(); 59 cpu_relax(); 60 } 61 rcu_read_unlock(); 62 return acl; 63 } 64 EXPORT_SYMBOL(get_cached_acl); 65 66 struct posix_acl *get_cached_acl_rcu(struct inode *inode, int type) 67 { 68 struct posix_acl *acl = rcu_dereference(*acl_by_type(inode, type)); 69 70 if (acl == ACL_DONT_CACHE) { 71 struct posix_acl *ret; 72 73 ret = inode->i_op->get_inode_acl(inode, type, LOOKUP_RCU); 74 if (!IS_ERR(ret)) 75 acl = ret; 76 } 77 78 return acl; 79 } 80 EXPORT_SYMBOL(get_cached_acl_rcu); 81 82 void set_cached_acl(struct inode *inode, int type, struct posix_acl *acl) 83 { 84 struct posix_acl **p = acl_by_type(inode, type); 85 struct posix_acl *old; 86 87 old = xchg(p, posix_acl_dup(acl)); 88 if (!is_uncached_acl(old)) 89 posix_acl_release(old); 90 } 91 EXPORT_SYMBOL(set_cached_acl); 92 93 static void __forget_cached_acl(struct posix_acl **p) 94 { 95 struct posix_acl *old; 96 97 old = xchg(p, ACL_NOT_CACHED); 98 if (!is_uncached_acl(old)) 99 posix_acl_release(old); 100 } 101 102 void forget_cached_acl(struct inode *inode, int type) 103 { 104 __forget_cached_acl(acl_by_type(inode, type)); 105 } 106 EXPORT_SYMBOL(forget_cached_acl); 107 108 void forget_all_cached_acls(struct inode *inode) 109 { 110 __forget_cached_acl(&inode->i_acl); 111 __forget_cached_acl(&inode->i_default_acl); 112 } 113 EXPORT_SYMBOL(forget_all_cached_acls); 114 115 static struct posix_acl *__get_acl(struct mnt_idmap *idmap, 116 struct dentry *dentry, struct inode *inode, 117 int type) 118 { 119 struct posix_acl *sentinel; 120 struct posix_acl **p; 121 struct posix_acl *acl; 122 123 /* 124 * The sentinel is used to detect when another operation like 125 * set_cached_acl() or forget_cached_acl() races with get_inode_acl(). 126 * It is guaranteed that is_uncached_acl(sentinel) is true. 127 */ 128 129 acl = get_cached_acl(inode, type); 130 if (!is_uncached_acl(acl)) 131 return acl; 132 133 if (!IS_POSIXACL(inode)) 134 return NULL; 135 136 sentinel = uncached_acl_sentinel(current); 137 p = acl_by_type(inode, type); 138 139 /* 140 * If the ACL isn't being read yet, set our sentinel. Otherwise, the 141 * current value of the ACL will not be ACL_NOT_CACHED and so our own 142 * sentinel will not be set; another task will update the cache. We 143 * could wait for that other task to complete its job, but it's easier 144 * to just call ->get_inode_acl to fetch the ACL ourself. (This is 145 * going to be an unlikely race.) 146 */ 147 cmpxchg(p, ACL_NOT_CACHED, sentinel); 148 149 /* 150 * Normally, the ACL returned by ->get{_inode}_acl will be cached. 151 * A filesystem can prevent that by calling 152 * forget_cached_acl(inode, type) in ->get{_inode}_acl. 153 * 154 * If the filesystem doesn't have a get{_inode}_ acl() function at all, 155 * we'll just create the negative cache entry. 156 */ 157 if (dentry && inode->i_op->get_acl) { 158 acl = inode->i_op->get_acl(idmap, dentry, type); 159 } else if (inode->i_op->get_inode_acl) { 160 acl = inode->i_op->get_inode_acl(inode, type, false); 161 } else { 162 set_cached_acl(inode, type, NULL); 163 return NULL; 164 } 165 if (IS_ERR(acl)) { 166 /* 167 * Remove our sentinel so that we don't block future attempts 168 * to cache the ACL. 169 */ 170 cmpxchg(p, sentinel, ACL_NOT_CACHED); 171 return acl; 172 } 173 174 /* 175 * Cache the result, but only if our sentinel is still in place. 176 */ 177 posix_acl_dup(acl); 178 if (unlikely(!try_cmpxchg(p, &sentinel, acl))) 179 posix_acl_release(acl); 180 return acl; 181 } 182 183 struct posix_acl *get_inode_acl(struct inode *inode, int type) 184 { 185 return __get_acl(&nop_mnt_idmap, NULL, inode, type); 186 } 187 EXPORT_SYMBOL(get_inode_acl); 188 189 /* 190 * Init a fresh posix_acl 191 */ 192 void 193 posix_acl_init(struct posix_acl *acl, int count) 194 { 195 refcount_set(&acl->a_refcount, 1); 196 acl->a_count = count; 197 } 198 EXPORT_SYMBOL(posix_acl_init); 199 200 /* 201 * Allocate a new ACL with the specified number of entries. 202 */ 203 struct posix_acl * 204 posix_acl_alloc(int count, gfp_t flags) 205 { 206 const size_t size = sizeof(struct posix_acl) + 207 count * sizeof(struct posix_acl_entry); 208 struct posix_acl *acl = kmalloc(size, flags); 209 if (acl) 210 posix_acl_init(acl, count); 211 return acl; 212 } 213 EXPORT_SYMBOL(posix_acl_alloc); 214 215 /* 216 * Clone an ACL. 217 */ 218 struct posix_acl * 219 posix_acl_clone(const struct posix_acl *acl, gfp_t flags) 220 { 221 struct posix_acl *clone = NULL; 222 223 if (acl) { 224 int size = sizeof(struct posix_acl) + acl->a_count * 225 sizeof(struct posix_acl_entry); 226 clone = kmemdup(acl, size, flags); 227 if (clone) 228 refcount_set(&clone->a_refcount, 1); 229 } 230 return clone; 231 } 232 EXPORT_SYMBOL_GPL(posix_acl_clone); 233 234 /* 235 * Check if an acl is valid. Returns 0 if it is, or -E... otherwise. 236 */ 237 int 238 posix_acl_valid(struct user_namespace *user_ns, const struct posix_acl *acl) 239 { 240 const struct posix_acl_entry *pa, *pe; 241 int state = ACL_USER_OBJ; 242 int needs_mask = 0; 243 244 FOREACH_ACL_ENTRY(pa, acl, pe) { 245 if (pa->e_perm & ~(ACL_READ|ACL_WRITE|ACL_EXECUTE)) 246 return -EINVAL; 247 switch (pa->e_tag) { 248 case ACL_USER_OBJ: 249 if (state == ACL_USER_OBJ) { 250 state = ACL_USER; 251 break; 252 } 253 return -EINVAL; 254 255 case ACL_USER: 256 if (state != ACL_USER) 257 return -EINVAL; 258 if (!kuid_has_mapping(user_ns, pa->e_uid)) 259 return -EINVAL; 260 needs_mask = 1; 261 break; 262 263 case ACL_GROUP_OBJ: 264 if (state == ACL_USER) { 265 state = ACL_GROUP; 266 break; 267 } 268 return -EINVAL; 269 270 case ACL_GROUP: 271 if (state != ACL_GROUP) 272 return -EINVAL; 273 if (!kgid_has_mapping(user_ns, pa->e_gid)) 274 return -EINVAL; 275 needs_mask = 1; 276 break; 277 278 case ACL_MASK: 279 if (state != ACL_GROUP) 280 return -EINVAL; 281 state = ACL_OTHER; 282 break; 283 284 case ACL_OTHER: 285 if (state == ACL_OTHER || 286 (state == ACL_GROUP && !needs_mask)) { 287 state = 0; 288 break; 289 } 290 return -EINVAL; 291 292 default: 293 return -EINVAL; 294 } 295 } 296 if (state == 0) 297 return 0; 298 return -EINVAL; 299 } 300 EXPORT_SYMBOL(posix_acl_valid); 301 302 /* 303 * Returns 0 if the acl can be exactly represented in the traditional 304 * file mode permission bits, or else 1. Returns -E... on error. 305 */ 306 int 307 posix_acl_equiv_mode(const struct posix_acl *acl, umode_t *mode_p) 308 { 309 const struct posix_acl_entry *pa, *pe; 310 umode_t mode = 0; 311 int not_equiv = 0; 312 313 /* 314 * A null ACL can always be presented as mode bits. 315 */ 316 if (!acl) 317 return 0; 318 319 FOREACH_ACL_ENTRY(pa, acl, pe) { 320 switch (pa->e_tag) { 321 case ACL_USER_OBJ: 322 mode |= (pa->e_perm & S_IRWXO) << 6; 323 break; 324 case ACL_GROUP_OBJ: 325 mode |= (pa->e_perm & S_IRWXO) << 3; 326 break; 327 case ACL_OTHER: 328 mode |= pa->e_perm & S_IRWXO; 329 break; 330 case ACL_MASK: 331 mode = (mode & ~S_IRWXG) | 332 ((pa->e_perm & S_IRWXO) << 3); 333 not_equiv = 1; 334 break; 335 case ACL_USER: 336 case ACL_GROUP: 337 not_equiv = 1; 338 break; 339 default: 340 return -EINVAL; 341 } 342 } 343 if (mode_p) 344 *mode_p = (*mode_p & ~S_IRWXUGO) | mode; 345 return not_equiv; 346 } 347 EXPORT_SYMBOL(posix_acl_equiv_mode); 348 349 /* 350 * Create an ACL representing the file mode permission bits of an inode. 351 */ 352 struct posix_acl * 353 posix_acl_from_mode(umode_t mode, gfp_t flags) 354 { 355 struct posix_acl *acl = posix_acl_alloc(3, flags); 356 if (!acl) 357 return ERR_PTR(-ENOMEM); 358 359 acl->a_entries[0].e_tag = ACL_USER_OBJ; 360 acl->a_entries[0].e_perm = (mode & S_IRWXU) >> 6; 361 362 acl->a_entries[1].e_tag = ACL_GROUP_OBJ; 363 acl->a_entries[1].e_perm = (mode & S_IRWXG) >> 3; 364 365 acl->a_entries[2].e_tag = ACL_OTHER; 366 acl->a_entries[2].e_perm = (mode & S_IRWXO); 367 return acl; 368 } 369 EXPORT_SYMBOL(posix_acl_from_mode); 370 371 /* 372 * Return 0 if current is granted want access to the inode 373 * by the acl. Returns -E... otherwise. 374 */ 375 int 376 posix_acl_permission(struct mnt_idmap *idmap, struct inode *inode, 377 const struct posix_acl *acl, int want) 378 { 379 const struct posix_acl_entry *pa, *pe, *mask_obj; 380 struct user_namespace *fs_userns = i_user_ns(inode); 381 int found = 0; 382 vfsuid_t vfsuid; 383 vfsgid_t vfsgid; 384 385 want &= MAY_READ | MAY_WRITE | MAY_EXEC; 386 387 FOREACH_ACL_ENTRY(pa, acl, pe) { 388 switch(pa->e_tag) { 389 case ACL_USER_OBJ: 390 /* (May have been checked already) */ 391 vfsuid = i_uid_into_vfsuid(idmap, inode); 392 if (vfsuid_eq_kuid(vfsuid, current_fsuid())) 393 goto check_perm; 394 break; 395 case ACL_USER: 396 vfsuid = make_vfsuid(idmap, fs_userns, 397 pa->e_uid); 398 if (vfsuid_eq_kuid(vfsuid, current_fsuid())) 399 goto mask; 400 break; 401 case ACL_GROUP_OBJ: 402 vfsgid = i_gid_into_vfsgid(idmap, inode); 403 if (vfsgid_in_group_p(vfsgid)) { 404 found = 1; 405 if ((pa->e_perm & want) == want) 406 goto mask; 407 } 408 break; 409 case ACL_GROUP: 410 vfsgid = make_vfsgid(idmap, fs_userns, 411 pa->e_gid); 412 if (vfsgid_in_group_p(vfsgid)) { 413 found = 1; 414 if ((pa->e_perm & want) == want) 415 goto mask; 416 } 417 break; 418 case ACL_MASK: 419 break; 420 case ACL_OTHER: 421 if (found) 422 return -EACCES; 423 else 424 goto check_perm; 425 default: 426 return -EIO; 427 } 428 } 429 return -EIO; 430 431 mask: 432 for (mask_obj = pa+1; mask_obj != pe; mask_obj++) { 433 if (mask_obj->e_tag == ACL_MASK) { 434 if ((pa->e_perm & mask_obj->e_perm & want) == want) 435 return 0; 436 return -EACCES; 437 } 438 } 439 440 check_perm: 441 if ((pa->e_perm & want) == want) 442 return 0; 443 return -EACCES; 444 } 445 446 /* 447 * Modify acl when creating a new inode. The caller must ensure the acl is 448 * only referenced once. 449 * 450 * mode_p initially must contain the mode parameter to the open() / creat() 451 * system calls. All permissions that are not granted by the acl are removed. 452 * The permissions in the acl are changed to reflect the mode_p parameter. 453 */ 454 static int posix_acl_create_masq(struct posix_acl *acl, umode_t *mode_p) 455 { 456 struct posix_acl_entry *pa, *pe; 457 struct posix_acl_entry *group_obj = NULL, *mask_obj = NULL; 458 umode_t mode = *mode_p; 459 int not_equiv = 0; 460 461 /* assert(atomic_read(acl->a_refcount) == 1); */ 462 463 FOREACH_ACL_ENTRY(pa, acl, pe) { 464 switch(pa->e_tag) { 465 case ACL_USER_OBJ: 466 pa->e_perm &= (mode >> 6) | ~S_IRWXO; 467 mode &= (pa->e_perm << 6) | ~S_IRWXU; 468 break; 469 470 case ACL_USER: 471 case ACL_GROUP: 472 not_equiv = 1; 473 break; 474 475 case ACL_GROUP_OBJ: 476 group_obj = pa; 477 break; 478 479 case ACL_OTHER: 480 pa->e_perm &= mode | ~S_IRWXO; 481 mode &= pa->e_perm | ~S_IRWXO; 482 break; 483 484 case ACL_MASK: 485 mask_obj = pa; 486 not_equiv = 1; 487 break; 488 489 default: 490 return -EIO; 491 } 492 } 493 494 if (mask_obj) { 495 mask_obj->e_perm &= (mode >> 3) | ~S_IRWXO; 496 mode &= (mask_obj->e_perm << 3) | ~S_IRWXG; 497 } else { 498 if (!group_obj) 499 return -EIO; 500 group_obj->e_perm &= (mode >> 3) | ~S_IRWXO; 501 mode &= (group_obj->e_perm << 3) | ~S_IRWXG; 502 } 503 504 *mode_p = (*mode_p & ~S_IRWXUGO) | mode; 505 return not_equiv; 506 } 507 508 /* 509 * Modify the ACL for the chmod syscall. 510 */ 511 static int __posix_acl_chmod_masq(struct posix_acl *acl, umode_t mode) 512 { 513 struct posix_acl_entry *group_obj = NULL, *mask_obj = NULL; 514 struct posix_acl_entry *pa, *pe; 515 516 /* assert(atomic_read(acl->a_refcount) == 1); */ 517 518 FOREACH_ACL_ENTRY(pa, acl, pe) { 519 switch(pa->e_tag) { 520 case ACL_USER_OBJ: 521 pa->e_perm = (mode & S_IRWXU) >> 6; 522 break; 523 524 case ACL_USER: 525 case ACL_GROUP: 526 break; 527 528 case ACL_GROUP_OBJ: 529 group_obj = pa; 530 break; 531 532 case ACL_MASK: 533 mask_obj = pa; 534 break; 535 536 case ACL_OTHER: 537 pa->e_perm = (mode & S_IRWXO); 538 break; 539 540 default: 541 return -EIO; 542 } 543 } 544 545 if (mask_obj) { 546 mask_obj->e_perm = (mode & S_IRWXG) >> 3; 547 } else { 548 if (!group_obj) 549 return -EIO; 550 group_obj->e_perm = (mode & S_IRWXG) >> 3; 551 } 552 553 return 0; 554 } 555 556 int 557 __posix_acl_create(struct posix_acl **acl, gfp_t gfp, umode_t *mode_p) 558 { 559 struct posix_acl *clone = posix_acl_clone(*acl, gfp); 560 int err = -ENOMEM; 561 if (clone) { 562 err = posix_acl_create_masq(clone, mode_p); 563 if (err < 0) { 564 posix_acl_release(clone); 565 clone = NULL; 566 } 567 } 568 posix_acl_release(*acl); 569 *acl = clone; 570 return err; 571 } 572 EXPORT_SYMBOL(__posix_acl_create); 573 574 int 575 __posix_acl_chmod(struct posix_acl **acl, gfp_t gfp, umode_t mode) 576 { 577 struct posix_acl *clone = posix_acl_clone(*acl, gfp); 578 int err = -ENOMEM; 579 if (clone) { 580 err = __posix_acl_chmod_masq(clone, mode); 581 if (err) { 582 posix_acl_release(clone); 583 clone = NULL; 584 } 585 } 586 posix_acl_release(*acl); 587 *acl = clone; 588 return err; 589 } 590 EXPORT_SYMBOL(__posix_acl_chmod); 591 592 /** 593 * posix_acl_chmod - chmod a posix acl 594 * 595 * @idmap: idmap of the mount @inode was found from 596 * @dentry: dentry to check permissions on 597 * @mode: the new mode of @inode 598 * 599 * If the dentry has been found through an idmapped mount the idmap of 600 * the vfsmount must be passed through @idmap. This function will then 601 * take care to map the inode according to @idmap before checking 602 * permissions. On non-idmapped mounts or if permission checking is to be 603 * performed on the raw inode simply passs @nop_mnt_idmap. 604 */ 605 int 606 posix_acl_chmod(struct mnt_idmap *idmap, struct dentry *dentry, 607 umode_t mode) 608 { 609 struct inode *inode = d_inode(dentry); 610 struct posix_acl *acl; 611 int ret = 0; 612 613 if (!IS_POSIXACL(inode)) 614 return 0; 615 if (!inode->i_op->set_acl) 616 return -EOPNOTSUPP; 617 618 acl = get_inode_acl(inode, ACL_TYPE_ACCESS); 619 if (IS_ERR_OR_NULL(acl)) { 620 if (acl == ERR_PTR(-EOPNOTSUPP)) 621 return 0; 622 return PTR_ERR(acl); 623 } 624 625 ret = __posix_acl_chmod(&acl, GFP_KERNEL, mode); 626 if (ret) 627 return ret; 628 ret = inode->i_op->set_acl(idmap, dentry, acl, ACL_TYPE_ACCESS); 629 posix_acl_release(acl); 630 return ret; 631 } 632 EXPORT_SYMBOL(posix_acl_chmod); 633 634 int 635 posix_acl_create(struct inode *dir, umode_t *mode, 636 struct posix_acl **default_acl, struct posix_acl **acl) 637 { 638 struct posix_acl *p; 639 struct posix_acl *clone; 640 int ret; 641 642 *acl = NULL; 643 *default_acl = NULL; 644 645 if (S_ISLNK(*mode) || !IS_POSIXACL(dir)) 646 return 0; 647 648 p = get_inode_acl(dir, ACL_TYPE_DEFAULT); 649 if (!p || p == ERR_PTR(-EOPNOTSUPP)) { 650 *mode &= ~current_umask(); 651 return 0; 652 } 653 if (IS_ERR(p)) 654 return PTR_ERR(p); 655 656 ret = -ENOMEM; 657 clone = posix_acl_clone(p, GFP_NOFS); 658 if (!clone) 659 goto err_release; 660 661 ret = posix_acl_create_masq(clone, mode); 662 if (ret < 0) 663 goto err_release_clone; 664 665 if (ret == 0) 666 posix_acl_release(clone); 667 else 668 *acl = clone; 669 670 if (!S_ISDIR(*mode)) 671 posix_acl_release(p); 672 else 673 *default_acl = p; 674 675 return 0; 676 677 err_release_clone: 678 posix_acl_release(clone); 679 err_release: 680 posix_acl_release(p); 681 return ret; 682 } 683 EXPORT_SYMBOL_GPL(posix_acl_create); 684 685 /** 686 * posix_acl_update_mode - update mode in set_acl 687 * @idmap: idmap of the mount @inode was found from 688 * @inode: target inode 689 * @mode_p: mode (pointer) for update 690 * @acl: acl pointer 691 * 692 * Update the file mode when setting an ACL: compute the new file permission 693 * bits based on the ACL. In addition, if the ACL is equivalent to the new 694 * file mode, set *@acl to NULL to indicate that no ACL should be set. 695 * 696 * As with chmod, clear the setgid bit if the caller is not in the owning group 697 * or capable of CAP_FSETID (see inode_change_ok). 698 * 699 * If the inode has been found through an idmapped mount the idmap of 700 * the vfsmount must be passed through @idmap. This function will then 701 * take care to map the inode according to @idmap before checking 702 * permissions. On non-idmapped mounts or if permission checking is to be 703 * performed on the raw inode simply passs @nop_mnt_idmap. 704 * 705 * Called from set_acl inode operations. 706 */ 707 int posix_acl_update_mode(struct mnt_idmap *idmap, 708 struct inode *inode, umode_t *mode_p, 709 struct posix_acl **acl) 710 { 711 umode_t mode = inode->i_mode; 712 int error; 713 714 error = posix_acl_equiv_mode(*acl, &mode); 715 if (error < 0) 716 return error; 717 if (error == 0) 718 *acl = NULL; 719 if (!vfsgid_in_group_p(i_gid_into_vfsgid(idmap, inode)) && 720 !capable_wrt_inode_uidgid(idmap, inode, CAP_FSETID)) 721 mode &= ~S_ISGID; 722 *mode_p = mode; 723 return 0; 724 } 725 EXPORT_SYMBOL(posix_acl_update_mode); 726 727 /* 728 * Fix up the uids and gids in posix acl extended attributes in place. 729 */ 730 static int posix_acl_fix_xattr_common(const void *value, size_t size) 731 { 732 const struct posix_acl_xattr_header *header = value; 733 int count; 734 735 if (!header) 736 return -EINVAL; 737 if (size < sizeof(struct posix_acl_xattr_header)) 738 return -EINVAL; 739 if (header->a_version != cpu_to_le32(POSIX_ACL_XATTR_VERSION)) 740 return -EOPNOTSUPP; 741 742 count = posix_acl_xattr_count(size); 743 if (count < 0) 744 return -EINVAL; 745 if (count == 0) 746 return 0; 747 748 return count; 749 } 750 751 /** 752 * posix_acl_from_xattr - convert POSIX ACLs from backing store to VFS format 753 * @userns: the filesystem's idmapping 754 * @value: the uapi representation of POSIX ACLs 755 * @size: the size of @void 756 * 757 * Filesystems that store POSIX ACLs in the unaltered uapi format should use 758 * posix_acl_from_xattr() when reading them from the backing store and 759 * converting them into the struct posix_acl VFS format. The helper is 760 * specifically intended to be called from the acl inode operation. 761 * 762 * The posix_acl_from_xattr() function will map the raw {g,u}id values stored 763 * in ACL_{GROUP,USER} entries into idmapping in @userns. 764 * 765 * Note that posix_acl_from_xattr() does not take idmapped mounts into account. 766 * If it did it calling it from the get acl inode operation would return POSIX 767 * ACLs mapped according to an idmapped mount which would mean that the value 768 * couldn't be cached for the filesystem. Idmapped mounts are taken into 769 * account on the fly during permission checking or right at the VFS - 770 * userspace boundary before reporting them to the user. 771 * 772 * Return: Allocated struct posix_acl on success, NULL for a valid header but 773 * without actual POSIX ACL entries, or ERR_PTR() encoded error code. 774 */ 775 struct posix_acl *posix_acl_from_xattr(struct user_namespace *userns, 776 const void *value, size_t size) 777 { 778 const struct posix_acl_xattr_header *header = value; 779 const struct posix_acl_xattr_entry *entry = (const void *)(header + 1), *end; 780 int count; 781 struct posix_acl *acl; 782 struct posix_acl_entry *acl_e; 783 784 count = posix_acl_fix_xattr_common(value, size); 785 if (count < 0) 786 return ERR_PTR(count); 787 if (count == 0) 788 return NULL; 789 790 acl = posix_acl_alloc(count, GFP_NOFS); 791 if (!acl) 792 return ERR_PTR(-ENOMEM); 793 acl_e = acl->a_entries; 794 795 for (end = entry + count; entry != end; acl_e++, entry++) { 796 acl_e->e_tag = le16_to_cpu(entry->e_tag); 797 acl_e->e_perm = le16_to_cpu(entry->e_perm); 798 799 switch(acl_e->e_tag) { 800 case ACL_USER_OBJ: 801 case ACL_GROUP_OBJ: 802 case ACL_MASK: 803 case ACL_OTHER: 804 break; 805 806 case ACL_USER: 807 acl_e->e_uid = make_kuid(userns, 808 le32_to_cpu(entry->e_id)); 809 if (!uid_valid(acl_e->e_uid)) 810 goto fail; 811 break; 812 case ACL_GROUP: 813 acl_e->e_gid = make_kgid(userns, 814 le32_to_cpu(entry->e_id)); 815 if (!gid_valid(acl_e->e_gid)) 816 goto fail; 817 break; 818 819 default: 820 goto fail; 821 } 822 } 823 return acl; 824 825 fail: 826 posix_acl_release(acl); 827 return ERR_PTR(-EINVAL); 828 } 829 EXPORT_SYMBOL (posix_acl_from_xattr); 830 831 /* 832 * Convert from in-memory to extended attribute representation. 833 */ 834 int 835 posix_acl_to_xattr(struct user_namespace *user_ns, const struct posix_acl *acl, 836 void *buffer, size_t size) 837 { 838 struct posix_acl_xattr_header *ext_acl = buffer; 839 struct posix_acl_xattr_entry *ext_entry; 840 int real_size, n; 841 842 real_size = posix_acl_xattr_size(acl->a_count); 843 if (!buffer) 844 return real_size; 845 if (real_size > size) 846 return -ERANGE; 847 848 ext_entry = (void *)(ext_acl + 1); 849 ext_acl->a_version = cpu_to_le32(POSIX_ACL_XATTR_VERSION); 850 851 for (n=0; n < acl->a_count; n++, ext_entry++) { 852 const struct posix_acl_entry *acl_e = &acl->a_entries[n]; 853 ext_entry->e_tag = cpu_to_le16(acl_e->e_tag); 854 ext_entry->e_perm = cpu_to_le16(acl_e->e_perm); 855 switch(acl_e->e_tag) { 856 case ACL_USER: 857 ext_entry->e_id = 858 cpu_to_le32(from_kuid(user_ns, acl_e->e_uid)); 859 break; 860 case ACL_GROUP: 861 ext_entry->e_id = 862 cpu_to_le32(from_kgid(user_ns, acl_e->e_gid)); 863 break; 864 default: 865 ext_entry->e_id = cpu_to_le32(ACL_UNDEFINED_ID); 866 break; 867 } 868 } 869 return real_size; 870 } 871 EXPORT_SYMBOL (posix_acl_to_xattr); 872 873 /** 874 * vfs_posix_acl_to_xattr - convert from kernel to userspace representation 875 * @idmap: idmap of the mount 876 * @inode: inode the posix acls are set on 877 * @acl: the posix acls as represented by the vfs 878 * @buffer: the buffer into which to convert @acl 879 * @size: size of @buffer 880 * 881 * This converts @acl from the VFS representation in the filesystem idmapping 882 * to the uapi form reportable to userspace. And mount and caller idmappings 883 * are handled appropriately. 884 * 885 * Return: On success, the size of the stored uapi posix acls, on error a 886 * negative errno. 887 */ 888 static ssize_t vfs_posix_acl_to_xattr(struct mnt_idmap *idmap, 889 struct inode *inode, 890 const struct posix_acl *acl, void *buffer, 891 size_t size) 892 893 { 894 struct posix_acl_xattr_header *ext_acl = buffer; 895 struct posix_acl_xattr_entry *ext_entry; 896 struct user_namespace *fs_userns, *caller_userns; 897 ssize_t real_size, n; 898 vfsuid_t vfsuid; 899 vfsgid_t vfsgid; 900 901 real_size = posix_acl_xattr_size(acl->a_count); 902 if (!buffer) 903 return real_size; 904 if (real_size > size) 905 return -ERANGE; 906 907 ext_entry = (void *)(ext_acl + 1); 908 ext_acl->a_version = cpu_to_le32(POSIX_ACL_XATTR_VERSION); 909 910 fs_userns = i_user_ns(inode); 911 caller_userns = current_user_ns(); 912 for (n=0; n < acl->a_count; n++, ext_entry++) { 913 const struct posix_acl_entry *acl_e = &acl->a_entries[n]; 914 ext_entry->e_tag = cpu_to_le16(acl_e->e_tag); 915 ext_entry->e_perm = cpu_to_le16(acl_e->e_perm); 916 switch(acl_e->e_tag) { 917 case ACL_USER: 918 vfsuid = make_vfsuid(idmap, fs_userns, acl_e->e_uid); 919 ext_entry->e_id = cpu_to_le32(from_kuid( 920 caller_userns, vfsuid_into_kuid(vfsuid))); 921 break; 922 case ACL_GROUP: 923 vfsgid = make_vfsgid(idmap, fs_userns, acl_e->e_gid); 924 ext_entry->e_id = cpu_to_le32(from_kgid( 925 caller_userns, vfsgid_into_kgid(vfsgid))); 926 break; 927 default: 928 ext_entry->e_id = cpu_to_le32(ACL_UNDEFINED_ID); 929 break; 930 } 931 } 932 return real_size; 933 } 934 935 int 936 set_posix_acl(struct mnt_idmap *idmap, struct dentry *dentry, 937 int type, struct posix_acl *acl) 938 { 939 struct inode *inode = d_inode(dentry); 940 941 if (!IS_POSIXACL(inode)) 942 return -EOPNOTSUPP; 943 if (!inode->i_op->set_acl) 944 return -EOPNOTSUPP; 945 946 if (type == ACL_TYPE_DEFAULT && !S_ISDIR(inode->i_mode)) 947 return acl ? -EACCES : 0; 948 if (!inode_owner_or_capable(idmap, inode)) 949 return -EPERM; 950 951 if (acl) { 952 int ret = posix_acl_valid(inode->i_sb->s_user_ns, acl); 953 if (ret) 954 return ret; 955 } 956 return inode->i_op->set_acl(idmap, dentry, acl, type); 957 } 958 EXPORT_SYMBOL(set_posix_acl); 959 960 int posix_acl_listxattr(struct inode *inode, char **buffer, 961 ssize_t *remaining_size) 962 { 963 int err; 964 965 if (!IS_POSIXACL(inode)) 966 return 0; 967 968 if (inode->i_acl) { 969 err = xattr_list_one(buffer, remaining_size, 970 XATTR_NAME_POSIX_ACL_ACCESS); 971 if (err) 972 return err; 973 } 974 975 if (inode->i_default_acl) { 976 err = xattr_list_one(buffer, remaining_size, 977 XATTR_NAME_POSIX_ACL_DEFAULT); 978 if (err) 979 return err; 980 } 981 982 return 0; 983 } 984 985 static bool 986 posix_acl_xattr_list(struct dentry *dentry) 987 { 988 return IS_POSIXACL(d_backing_inode(dentry)); 989 } 990 991 /* 992 * nop_posix_acl_access - legacy xattr handler for access POSIX ACLs 993 * 994 * This is the legacy POSIX ACL access xattr handler. It is used by some 995 * filesystems to implement their ->listxattr() inode operation. New code 996 * should never use them. 997 */ 998 const struct xattr_handler nop_posix_acl_access = { 999 .name = XATTR_NAME_POSIX_ACL_ACCESS, 1000 .list = posix_acl_xattr_list, 1001 }; 1002 EXPORT_SYMBOL_GPL(nop_posix_acl_access); 1003 1004 /* 1005 * nop_posix_acl_default - legacy xattr handler for default POSIX ACLs 1006 * 1007 * This is the legacy POSIX ACL default xattr handler. It is used by some 1008 * filesystems to implement their ->listxattr() inode operation. New code 1009 * should never use them. 1010 */ 1011 const struct xattr_handler nop_posix_acl_default = { 1012 .name = XATTR_NAME_POSIX_ACL_DEFAULT, 1013 .list = posix_acl_xattr_list, 1014 }; 1015 EXPORT_SYMBOL_GPL(nop_posix_acl_default); 1016 1017 int simple_set_acl(struct mnt_idmap *idmap, struct dentry *dentry, 1018 struct posix_acl *acl, int type) 1019 { 1020 int error; 1021 struct inode *inode = d_inode(dentry); 1022 1023 if (type == ACL_TYPE_ACCESS) { 1024 error = posix_acl_update_mode(idmap, inode, 1025 &inode->i_mode, &acl); 1026 if (error) 1027 return error; 1028 } 1029 1030 inode->i_ctime = current_time(inode); 1031 if (IS_I_VERSION(inode)) 1032 inode_inc_iversion(inode); 1033 set_cached_acl(inode, type, acl); 1034 return 0; 1035 } 1036 1037 int simple_acl_create(struct inode *dir, struct inode *inode) 1038 { 1039 struct posix_acl *default_acl, *acl; 1040 int error; 1041 1042 error = posix_acl_create(dir, &inode->i_mode, &default_acl, &acl); 1043 if (error) 1044 return error; 1045 1046 set_cached_acl(inode, ACL_TYPE_DEFAULT, default_acl); 1047 set_cached_acl(inode, ACL_TYPE_ACCESS, acl); 1048 1049 if (default_acl) 1050 posix_acl_release(default_acl); 1051 if (acl) 1052 posix_acl_release(acl); 1053 return 0; 1054 } 1055 1056 static int vfs_set_acl_idmapped_mnt(struct mnt_idmap *idmap, 1057 struct user_namespace *fs_userns, 1058 struct posix_acl *acl) 1059 { 1060 for (int n = 0; n < acl->a_count; n++) { 1061 struct posix_acl_entry *acl_e = &acl->a_entries[n]; 1062 1063 switch (acl_e->e_tag) { 1064 case ACL_USER: 1065 acl_e->e_uid = from_vfsuid(idmap, fs_userns, 1066 VFSUIDT_INIT(acl_e->e_uid)); 1067 break; 1068 case ACL_GROUP: 1069 acl_e->e_gid = from_vfsgid(idmap, fs_userns, 1070 VFSGIDT_INIT(acl_e->e_gid)); 1071 break; 1072 } 1073 } 1074 1075 return 0; 1076 } 1077 1078 /** 1079 * vfs_set_acl - set posix acls 1080 * @idmap: idmap of the mount 1081 * @dentry: the dentry based on which to set the posix acls 1082 * @acl_name: the name of the posix acl 1083 * @kacl: the posix acls in the appropriate VFS format 1084 * 1085 * This function sets @kacl. The caller must all posix_acl_release() on @kacl 1086 * afterwards. 1087 * 1088 * Return: On success 0, on error negative errno. 1089 */ 1090 int vfs_set_acl(struct mnt_idmap *idmap, struct dentry *dentry, 1091 const char *acl_name, struct posix_acl *kacl) 1092 { 1093 int acl_type; 1094 int error; 1095 struct inode *inode = d_inode(dentry); 1096 struct inode *delegated_inode = NULL; 1097 1098 acl_type = posix_acl_type(acl_name); 1099 if (acl_type < 0) 1100 return -EINVAL; 1101 1102 if (kacl) { 1103 /* 1104 * If we're on an idmapped mount translate from mount specific 1105 * vfs{g,u}id_t into global filesystem k{g,u}id_t. 1106 * Afterwards we can cache the POSIX ACLs filesystem wide and - 1107 * if this is a filesystem with a backing store - ultimately 1108 * translate them to backing store values. 1109 */ 1110 error = vfs_set_acl_idmapped_mnt(idmap, i_user_ns(inode), kacl); 1111 if (error) 1112 return error; 1113 } 1114 1115 retry_deleg: 1116 inode_lock(inode); 1117 1118 /* 1119 * We only care about restrictions the inode struct itself places upon 1120 * us otherwise POSIX ACLs aren't subject to any VFS restrictions. 1121 */ 1122 error = may_write_xattr(idmap, inode); 1123 if (error) 1124 goto out_inode_unlock; 1125 1126 error = security_inode_set_acl(idmap, dentry, acl_name, kacl); 1127 if (error) 1128 goto out_inode_unlock; 1129 1130 error = try_break_deleg(inode, &delegated_inode); 1131 if (error) 1132 goto out_inode_unlock; 1133 1134 if (likely(!is_bad_inode(inode))) 1135 error = set_posix_acl(idmap, dentry, acl_type, kacl); 1136 else 1137 error = -EIO; 1138 if (!error) { 1139 fsnotify_xattr(dentry); 1140 evm_inode_post_set_acl(dentry, acl_name, kacl); 1141 } 1142 1143 out_inode_unlock: 1144 inode_unlock(inode); 1145 1146 if (delegated_inode) { 1147 error = break_deleg_wait(&delegated_inode); 1148 if (!error) 1149 goto retry_deleg; 1150 } 1151 1152 return error; 1153 } 1154 EXPORT_SYMBOL_GPL(vfs_set_acl); 1155 1156 /** 1157 * vfs_get_acl - get posix acls 1158 * @idmap: idmap of the mount 1159 * @dentry: the dentry based on which to retrieve the posix acls 1160 * @acl_name: the name of the posix acl 1161 * 1162 * This function retrieves @kacl from the filesystem. The caller must all 1163 * posix_acl_release() on @kacl. 1164 * 1165 * Return: On success POSIX ACLs in VFS format, on error negative errno. 1166 */ 1167 struct posix_acl *vfs_get_acl(struct mnt_idmap *idmap, 1168 struct dentry *dentry, const char *acl_name) 1169 { 1170 struct inode *inode = d_inode(dentry); 1171 struct posix_acl *acl; 1172 int acl_type, error; 1173 1174 acl_type = posix_acl_type(acl_name); 1175 if (acl_type < 0) 1176 return ERR_PTR(-EINVAL); 1177 1178 /* 1179 * The VFS has no restrictions on reading POSIX ACLs so calling 1180 * something like xattr_permission() isn't needed. Only LSMs get a say. 1181 */ 1182 error = security_inode_get_acl(idmap, dentry, acl_name); 1183 if (error) 1184 return ERR_PTR(error); 1185 1186 if (!IS_POSIXACL(inode)) 1187 return ERR_PTR(-EOPNOTSUPP); 1188 if (S_ISLNK(inode->i_mode)) 1189 return ERR_PTR(-EOPNOTSUPP); 1190 1191 acl = __get_acl(idmap, dentry, inode, acl_type); 1192 if (IS_ERR(acl)) 1193 return acl; 1194 if (!acl) 1195 return ERR_PTR(-ENODATA); 1196 1197 return acl; 1198 } 1199 EXPORT_SYMBOL_GPL(vfs_get_acl); 1200 1201 /** 1202 * vfs_remove_acl - remove posix acls 1203 * @idmap: idmap of the mount 1204 * @dentry: the dentry based on which to retrieve the posix acls 1205 * @acl_name: the name of the posix acl 1206 * 1207 * This function removes posix acls. 1208 * 1209 * Return: On success 0, on error negative errno. 1210 */ 1211 int vfs_remove_acl(struct mnt_idmap *idmap, struct dentry *dentry, 1212 const char *acl_name) 1213 { 1214 int acl_type; 1215 int error; 1216 struct inode *inode = d_inode(dentry); 1217 struct inode *delegated_inode = NULL; 1218 1219 acl_type = posix_acl_type(acl_name); 1220 if (acl_type < 0) 1221 return -EINVAL; 1222 1223 retry_deleg: 1224 inode_lock(inode); 1225 1226 /* 1227 * We only care about restrictions the inode struct itself places upon 1228 * us otherwise POSIX ACLs aren't subject to any VFS restrictions. 1229 */ 1230 error = may_write_xattr(idmap, inode); 1231 if (error) 1232 goto out_inode_unlock; 1233 1234 error = security_inode_remove_acl(idmap, dentry, acl_name); 1235 if (error) 1236 goto out_inode_unlock; 1237 1238 error = try_break_deleg(inode, &delegated_inode); 1239 if (error) 1240 goto out_inode_unlock; 1241 1242 if (likely(!is_bad_inode(inode))) 1243 error = set_posix_acl(idmap, dentry, acl_type, NULL); 1244 else 1245 error = -EIO; 1246 if (!error) { 1247 fsnotify_xattr(dentry); 1248 evm_inode_post_remove_acl(idmap, dentry, acl_name); 1249 } 1250 1251 out_inode_unlock: 1252 inode_unlock(inode); 1253 1254 if (delegated_inode) { 1255 error = break_deleg_wait(&delegated_inode); 1256 if (!error) 1257 goto retry_deleg; 1258 } 1259 1260 return error; 1261 } 1262 EXPORT_SYMBOL_GPL(vfs_remove_acl); 1263 1264 int do_set_acl(struct mnt_idmap *idmap, struct dentry *dentry, 1265 const char *acl_name, const void *kvalue, size_t size) 1266 { 1267 int error; 1268 struct posix_acl *acl = NULL; 1269 1270 if (size) { 1271 /* 1272 * Note that posix_acl_from_xattr() uses GFP_NOFS when it 1273 * probably doesn't need to here. 1274 */ 1275 acl = posix_acl_from_xattr(current_user_ns(), kvalue, size); 1276 if (IS_ERR(acl)) 1277 return PTR_ERR(acl); 1278 } 1279 1280 error = vfs_set_acl(idmap, dentry, acl_name, acl); 1281 posix_acl_release(acl); 1282 return error; 1283 } 1284 1285 ssize_t do_get_acl(struct mnt_idmap *idmap, struct dentry *dentry, 1286 const char *acl_name, void *kvalue, size_t size) 1287 { 1288 ssize_t error; 1289 struct posix_acl *acl; 1290 1291 acl = vfs_get_acl(idmap, dentry, acl_name); 1292 if (IS_ERR(acl)) 1293 return PTR_ERR(acl); 1294 1295 error = vfs_posix_acl_to_xattr(idmap, d_inode(dentry), 1296 acl, kvalue, size); 1297 posix_acl_release(acl); 1298 return error; 1299 } 1300