1 // SPDX-License-Identifier: GPL-2.0-only 2 /* 3 File: fs/xattr.c 4 5 Extended attribute handling. 6 7 Copyright (C) 2001 by Andreas Gruenbacher <a.gruenbacher@computer.org> 8 Copyright (C) 2001 SGI - Silicon Graphics, Inc <linux-xfs@oss.sgi.com> 9 Copyright (c) 2004 Red Hat, Inc., James Morris <jmorris@redhat.com> 10 */ 11 #include <linux/fs.h> 12 #include <linux/filelock.h> 13 #include <linux/slab.h> 14 #include <linux/file.h> 15 #include <linux/xattr.h> 16 #include <linux/mount.h> 17 #include <linux/namei.h> 18 #include <linux/security.h> 19 #include <linux/evm.h> 20 #include <linux/syscalls.h> 21 #include <linux/export.h> 22 #include <linux/fsnotify.h> 23 #include <linux/audit.h> 24 #include <linux/vmalloc.h> 25 #include <linux/posix_acl_xattr.h> 26 27 #include <linux/uaccess.h> 28 29 #include "internal.h" 30 31 static const char * 32 strcmp_prefix(const char *a, const char *a_prefix) 33 { 34 while (*a_prefix && *a == *a_prefix) { 35 a++; 36 a_prefix++; 37 } 38 return *a_prefix ? NULL : a; 39 } 40 41 /* 42 * In order to implement different sets of xattr operations for each xattr 43 * prefix, a filesystem should create a null-terminated array of struct 44 * xattr_handler (one for each prefix) and hang a pointer to it off of the 45 * s_xattr field of the superblock. 46 */ 47 #define for_each_xattr_handler(handlers, handler) \ 48 if (handlers) \ 49 for ((handler) = *(handlers)++; \ 50 (handler) != NULL; \ 51 (handler) = *(handlers)++) 52 53 /* 54 * Find the xattr_handler with the matching prefix. 55 */ 56 static const struct xattr_handler * 57 xattr_resolve_name(struct inode *inode, const char **name) 58 { 59 const struct xattr_handler **handlers = inode->i_sb->s_xattr; 60 const struct xattr_handler *handler; 61 62 if (!(inode->i_opflags & IOP_XATTR)) { 63 if (unlikely(is_bad_inode(inode))) 64 return ERR_PTR(-EIO); 65 return ERR_PTR(-EOPNOTSUPP); 66 } 67 for_each_xattr_handler(handlers, handler) { 68 const char *n; 69 70 n = strcmp_prefix(*name, xattr_prefix(handler)); 71 if (n) { 72 if (!handler->prefix ^ !*n) { 73 if (*n) 74 continue; 75 return ERR_PTR(-EINVAL); 76 } 77 *name = n; 78 return handler; 79 } 80 } 81 return ERR_PTR(-EOPNOTSUPP); 82 } 83 84 /** 85 * may_write_xattr - check whether inode allows writing xattr 86 * @idmap: idmap of the mount the inode was found from 87 * @inode: the inode on which to set an xattr 88 * 89 * Check whether the inode allows writing xattrs. Specifically, we can never 90 * set or remove an extended attribute on a read-only filesystem or on an 91 * immutable / append-only inode. 92 * 93 * We also need to ensure that the inode has a mapping in the mount to 94 * not risk writing back invalid i_{g,u}id values. 95 * 96 * Return: On success zero is returned. On error a negative errno is returned. 97 */ 98 int may_write_xattr(struct mnt_idmap *idmap, struct inode *inode) 99 { 100 if (IS_IMMUTABLE(inode)) 101 return -EPERM; 102 if (IS_APPEND(inode)) 103 return -EPERM; 104 if (HAS_UNMAPPED_ID(idmap, inode)) 105 return -EPERM; 106 return 0; 107 } 108 109 /* 110 * Check permissions for extended attribute access. This is a bit complicated 111 * because different namespaces have very different rules. 112 */ 113 static int 114 xattr_permission(struct mnt_idmap *idmap, struct inode *inode, 115 const char *name, int mask) 116 { 117 if (mask & MAY_WRITE) { 118 int ret; 119 120 ret = may_write_xattr(idmap, inode); 121 if (ret) 122 return ret; 123 } 124 125 /* 126 * No restriction for security.* and system.* from the VFS. Decision 127 * on these is left to the underlying filesystem / security module. 128 */ 129 if (!strncmp(name, XATTR_SECURITY_PREFIX, XATTR_SECURITY_PREFIX_LEN) || 130 !strncmp(name, XATTR_SYSTEM_PREFIX, XATTR_SYSTEM_PREFIX_LEN)) 131 return 0; 132 133 /* 134 * The trusted.* namespace can only be accessed by privileged users. 135 */ 136 if (!strncmp(name, XATTR_TRUSTED_PREFIX, XATTR_TRUSTED_PREFIX_LEN)) { 137 if (!capable(CAP_SYS_ADMIN)) 138 return (mask & MAY_WRITE) ? -EPERM : -ENODATA; 139 return 0; 140 } 141 142 /* 143 * In the user.* namespace, only regular files and directories can have 144 * extended attributes. For sticky directories, only the owner and 145 * privileged users can write attributes. 146 */ 147 if (!strncmp(name, XATTR_USER_PREFIX, XATTR_USER_PREFIX_LEN)) { 148 if (!S_ISREG(inode->i_mode) && !S_ISDIR(inode->i_mode)) 149 return (mask & MAY_WRITE) ? -EPERM : -ENODATA; 150 if (S_ISDIR(inode->i_mode) && (inode->i_mode & S_ISVTX) && 151 (mask & MAY_WRITE) && 152 !inode_owner_or_capable(idmap, inode)) 153 return -EPERM; 154 } 155 156 return inode_permission(idmap, inode, mask); 157 } 158 159 /* 160 * Look for any handler that deals with the specified namespace. 161 */ 162 int 163 xattr_supports_user_prefix(struct inode *inode) 164 { 165 const struct xattr_handler **handlers = inode->i_sb->s_xattr; 166 const struct xattr_handler *handler; 167 168 if (!(inode->i_opflags & IOP_XATTR)) { 169 if (unlikely(is_bad_inode(inode))) 170 return -EIO; 171 return -EOPNOTSUPP; 172 } 173 174 for_each_xattr_handler(handlers, handler) { 175 if (!strncmp(xattr_prefix(handler), XATTR_USER_PREFIX, 176 XATTR_USER_PREFIX_LEN)) 177 return 0; 178 } 179 180 return -EOPNOTSUPP; 181 } 182 EXPORT_SYMBOL(xattr_supports_user_prefix); 183 184 int 185 __vfs_setxattr(struct mnt_idmap *idmap, struct dentry *dentry, 186 struct inode *inode, const char *name, const void *value, 187 size_t size, int flags) 188 { 189 const struct xattr_handler *handler; 190 191 if (is_posix_acl_xattr(name)) 192 return -EOPNOTSUPP; 193 194 handler = xattr_resolve_name(inode, &name); 195 if (IS_ERR(handler)) 196 return PTR_ERR(handler); 197 if (!handler->set) 198 return -EOPNOTSUPP; 199 if (size == 0) 200 value = ""; /* empty EA, do not remove */ 201 return handler->set(handler, idmap, dentry, inode, name, value, 202 size, flags); 203 } 204 EXPORT_SYMBOL(__vfs_setxattr); 205 206 /** 207 * __vfs_setxattr_noperm - perform setxattr operation without performing 208 * permission checks. 209 * 210 * @idmap: idmap of the mount the inode was found from 211 * @dentry: object to perform setxattr on 212 * @name: xattr name to set 213 * @value: value to set @name to 214 * @size: size of @value 215 * @flags: flags to pass into filesystem operations 216 * 217 * returns the result of the internal setxattr or setsecurity operations. 218 * 219 * This function requires the caller to lock the inode's i_mutex before it 220 * is executed. It also assumes that the caller will make the appropriate 221 * permission checks. 222 */ 223 int __vfs_setxattr_noperm(struct mnt_idmap *idmap, 224 struct dentry *dentry, const char *name, 225 const void *value, size_t size, int flags) 226 { 227 struct inode *inode = dentry->d_inode; 228 int error = -EAGAIN; 229 int issec = !strncmp(name, XATTR_SECURITY_PREFIX, 230 XATTR_SECURITY_PREFIX_LEN); 231 232 if (issec) 233 inode->i_flags &= ~S_NOSEC; 234 if (inode->i_opflags & IOP_XATTR) { 235 error = __vfs_setxattr(idmap, dentry, inode, name, value, 236 size, flags); 237 if (!error) { 238 fsnotify_xattr(dentry); 239 security_inode_post_setxattr(dentry, name, value, 240 size, flags); 241 } 242 } else { 243 if (unlikely(is_bad_inode(inode))) 244 return -EIO; 245 } 246 if (error == -EAGAIN) { 247 error = -EOPNOTSUPP; 248 249 if (issec) { 250 const char *suffix = name + XATTR_SECURITY_PREFIX_LEN; 251 252 error = security_inode_setsecurity(inode, suffix, value, 253 size, flags); 254 if (!error) 255 fsnotify_xattr(dentry); 256 } 257 } 258 259 return error; 260 } 261 262 /** 263 * __vfs_setxattr_locked - set an extended attribute while holding the inode 264 * lock 265 * 266 * @idmap: idmap of the mount of the target inode 267 * @dentry: object to perform setxattr on 268 * @name: xattr name to set 269 * @value: value to set @name to 270 * @size: size of @value 271 * @flags: flags to pass into filesystem operations 272 * @delegated_inode: on return, will contain an inode pointer that 273 * a delegation was broken on, NULL if none. 274 */ 275 int 276 __vfs_setxattr_locked(struct mnt_idmap *idmap, struct dentry *dentry, 277 const char *name, const void *value, size_t size, 278 int flags, struct inode **delegated_inode) 279 { 280 struct inode *inode = dentry->d_inode; 281 int error; 282 283 error = xattr_permission(idmap, inode, name, MAY_WRITE); 284 if (error) 285 return error; 286 287 error = security_inode_setxattr(idmap, dentry, name, value, size, 288 flags); 289 if (error) 290 goto out; 291 292 error = try_break_deleg(inode, delegated_inode); 293 if (error) 294 goto out; 295 296 error = __vfs_setxattr_noperm(idmap, dentry, name, value, 297 size, flags); 298 299 out: 300 return error; 301 } 302 EXPORT_SYMBOL_GPL(__vfs_setxattr_locked); 303 304 int 305 vfs_setxattr(struct mnt_idmap *idmap, struct dentry *dentry, 306 const char *name, const void *value, size_t size, int flags) 307 { 308 struct inode *inode = dentry->d_inode; 309 struct inode *delegated_inode = NULL; 310 const void *orig_value = value; 311 int error; 312 313 if (size && strcmp(name, XATTR_NAME_CAPS) == 0) { 314 error = cap_convert_nscap(idmap, dentry, &value, size); 315 if (error < 0) 316 return error; 317 size = error; 318 } 319 320 retry_deleg: 321 inode_lock(inode); 322 error = __vfs_setxattr_locked(idmap, dentry, name, value, size, 323 flags, &delegated_inode); 324 inode_unlock(inode); 325 326 if (delegated_inode) { 327 error = break_deleg_wait(&delegated_inode); 328 if (!error) 329 goto retry_deleg; 330 } 331 if (value != orig_value) 332 kfree(value); 333 334 return error; 335 } 336 EXPORT_SYMBOL_GPL(vfs_setxattr); 337 338 static ssize_t 339 xattr_getsecurity(struct mnt_idmap *idmap, struct inode *inode, 340 const char *name, void *value, size_t size) 341 { 342 void *buffer = NULL; 343 ssize_t len; 344 345 if (!value || !size) { 346 len = security_inode_getsecurity(idmap, inode, name, 347 &buffer, false); 348 goto out_noalloc; 349 } 350 351 len = security_inode_getsecurity(idmap, inode, name, &buffer, 352 true); 353 if (len < 0) 354 return len; 355 if (size < len) { 356 len = -ERANGE; 357 goto out; 358 } 359 memcpy(value, buffer, len); 360 out: 361 kfree(buffer); 362 out_noalloc: 363 return len; 364 } 365 366 /* 367 * vfs_getxattr_alloc - allocate memory, if necessary, before calling getxattr 368 * 369 * Allocate memory, if not already allocated, or re-allocate correct size, 370 * before retrieving the extended attribute. The xattr value buffer should 371 * always be freed by the caller, even on error. 372 * 373 * Returns the result of alloc, if failed, or the getxattr operation. 374 */ 375 int 376 vfs_getxattr_alloc(struct mnt_idmap *idmap, struct dentry *dentry, 377 const char *name, char **xattr_value, size_t xattr_size, 378 gfp_t flags) 379 { 380 const struct xattr_handler *handler; 381 struct inode *inode = dentry->d_inode; 382 char *value = *xattr_value; 383 int error; 384 385 error = xattr_permission(idmap, inode, name, MAY_READ); 386 if (error) 387 return error; 388 389 handler = xattr_resolve_name(inode, &name); 390 if (IS_ERR(handler)) 391 return PTR_ERR(handler); 392 if (!handler->get) 393 return -EOPNOTSUPP; 394 error = handler->get(handler, dentry, inode, name, NULL, 0); 395 if (error < 0) 396 return error; 397 398 if (!value || (error > xattr_size)) { 399 value = krealloc(*xattr_value, error + 1, flags); 400 if (!value) 401 return -ENOMEM; 402 memset(value, 0, error + 1); 403 } 404 405 error = handler->get(handler, dentry, inode, name, value, error); 406 *xattr_value = value; 407 return error; 408 } 409 410 ssize_t 411 __vfs_getxattr(struct dentry *dentry, struct inode *inode, const char *name, 412 void *value, size_t size) 413 { 414 const struct xattr_handler *handler; 415 416 if (is_posix_acl_xattr(name)) 417 return -EOPNOTSUPP; 418 419 handler = xattr_resolve_name(inode, &name); 420 if (IS_ERR(handler)) 421 return PTR_ERR(handler); 422 if (!handler->get) 423 return -EOPNOTSUPP; 424 return handler->get(handler, dentry, inode, name, value, size); 425 } 426 EXPORT_SYMBOL(__vfs_getxattr); 427 428 ssize_t 429 vfs_getxattr(struct mnt_idmap *idmap, struct dentry *dentry, 430 const char *name, void *value, size_t size) 431 { 432 struct inode *inode = dentry->d_inode; 433 int error; 434 435 error = xattr_permission(idmap, inode, name, MAY_READ); 436 if (error) 437 return error; 438 439 error = security_inode_getxattr(dentry, name); 440 if (error) 441 return error; 442 443 if (!strncmp(name, XATTR_SECURITY_PREFIX, 444 XATTR_SECURITY_PREFIX_LEN)) { 445 const char *suffix = name + XATTR_SECURITY_PREFIX_LEN; 446 int ret = xattr_getsecurity(idmap, inode, suffix, value, 447 size); 448 /* 449 * Only overwrite the return value if a security module 450 * is actually active. 451 */ 452 if (ret == -EOPNOTSUPP) 453 goto nolsm; 454 return ret; 455 } 456 nolsm: 457 return __vfs_getxattr(dentry, inode, name, value, size); 458 } 459 EXPORT_SYMBOL_GPL(vfs_getxattr); 460 461 /** 462 * vfs_listxattr - retrieve \0 separated list of xattr names 463 * @dentry: the dentry from whose inode the xattr names are retrieved 464 * @list: buffer to store xattr names into 465 * @size: size of the buffer 466 * 467 * This function returns the names of all xattrs associated with the 468 * inode of @dentry. 469 * 470 * Note, for legacy reasons the vfs_listxattr() function lists POSIX 471 * ACLs as well. Since POSIX ACLs are decoupled from IOP_XATTR the 472 * vfs_listxattr() function doesn't check for this flag since a 473 * filesystem could implement POSIX ACLs without implementing any other 474 * xattrs. 475 * 476 * However, since all codepaths that remove IOP_XATTR also assign of 477 * inode operations that either don't implement or implement a stub 478 * ->listxattr() operation. 479 * 480 * Return: On success, the size of the buffer that was used. On error a 481 * negative error code. 482 */ 483 ssize_t 484 vfs_listxattr(struct dentry *dentry, char *list, size_t size) 485 { 486 struct inode *inode = d_inode(dentry); 487 ssize_t error; 488 489 error = security_inode_listxattr(dentry); 490 if (error) 491 return error; 492 493 if (inode->i_op->listxattr) { 494 error = inode->i_op->listxattr(dentry, list, size); 495 } else { 496 error = security_inode_listsecurity(inode, list, size); 497 if (size && error > size) 498 error = -ERANGE; 499 } 500 return error; 501 } 502 EXPORT_SYMBOL_GPL(vfs_listxattr); 503 504 int 505 __vfs_removexattr(struct mnt_idmap *idmap, struct dentry *dentry, 506 const char *name) 507 { 508 struct inode *inode = d_inode(dentry); 509 const struct xattr_handler *handler; 510 511 if (is_posix_acl_xattr(name)) 512 return -EOPNOTSUPP; 513 514 handler = xattr_resolve_name(inode, &name); 515 if (IS_ERR(handler)) 516 return PTR_ERR(handler); 517 if (!handler->set) 518 return -EOPNOTSUPP; 519 return handler->set(handler, idmap, dentry, inode, name, NULL, 0, 520 XATTR_REPLACE); 521 } 522 EXPORT_SYMBOL(__vfs_removexattr); 523 524 /** 525 * __vfs_removexattr_locked - set an extended attribute while holding the inode 526 * lock 527 * 528 * @idmap: idmap of the mount of the target inode 529 * @dentry: object to perform setxattr on 530 * @name: name of xattr to remove 531 * @delegated_inode: on return, will contain an inode pointer that 532 * a delegation was broken on, NULL if none. 533 */ 534 int 535 __vfs_removexattr_locked(struct mnt_idmap *idmap, 536 struct dentry *dentry, const char *name, 537 struct inode **delegated_inode) 538 { 539 struct inode *inode = dentry->d_inode; 540 int error; 541 542 error = xattr_permission(idmap, inode, name, MAY_WRITE); 543 if (error) 544 return error; 545 546 error = security_inode_removexattr(idmap, dentry, name); 547 if (error) 548 goto out; 549 550 error = try_break_deleg(inode, delegated_inode); 551 if (error) 552 goto out; 553 554 error = __vfs_removexattr(idmap, dentry, name); 555 556 if (!error) { 557 fsnotify_xattr(dentry); 558 evm_inode_post_removexattr(dentry, name); 559 } 560 561 out: 562 return error; 563 } 564 EXPORT_SYMBOL_GPL(__vfs_removexattr_locked); 565 566 int 567 vfs_removexattr(struct mnt_idmap *idmap, struct dentry *dentry, 568 const char *name) 569 { 570 struct inode *inode = dentry->d_inode; 571 struct inode *delegated_inode = NULL; 572 int error; 573 574 retry_deleg: 575 inode_lock(inode); 576 error = __vfs_removexattr_locked(idmap, dentry, 577 name, &delegated_inode); 578 inode_unlock(inode); 579 580 if (delegated_inode) { 581 error = break_deleg_wait(&delegated_inode); 582 if (!error) 583 goto retry_deleg; 584 } 585 586 return error; 587 } 588 EXPORT_SYMBOL_GPL(vfs_removexattr); 589 590 /* 591 * Extended attribute SET operations 592 */ 593 594 int setxattr_copy(const char __user *name, struct xattr_ctx *ctx) 595 { 596 int error; 597 598 if (ctx->flags & ~(XATTR_CREATE|XATTR_REPLACE)) 599 return -EINVAL; 600 601 error = strncpy_from_user(ctx->kname->name, name, 602 sizeof(ctx->kname->name)); 603 if (error == 0 || error == sizeof(ctx->kname->name)) 604 return -ERANGE; 605 if (error < 0) 606 return error; 607 608 error = 0; 609 if (ctx->size) { 610 if (ctx->size > XATTR_SIZE_MAX) 611 return -E2BIG; 612 613 ctx->kvalue = vmemdup_user(ctx->cvalue, ctx->size); 614 if (IS_ERR(ctx->kvalue)) { 615 error = PTR_ERR(ctx->kvalue); 616 ctx->kvalue = NULL; 617 } 618 } 619 620 return error; 621 } 622 623 int do_setxattr(struct mnt_idmap *idmap, struct dentry *dentry, 624 struct xattr_ctx *ctx) 625 { 626 if (is_posix_acl_xattr(ctx->kname->name)) 627 return do_set_acl(idmap, dentry, ctx->kname->name, 628 ctx->kvalue, ctx->size); 629 630 return vfs_setxattr(idmap, dentry, ctx->kname->name, 631 ctx->kvalue, ctx->size, ctx->flags); 632 } 633 634 static int path_setxattr(const char __user *pathname, 635 const char __user *name, const void __user *value, 636 size_t size, int flags, unsigned int lookup_flags) 637 { 638 struct xattr_name kname; 639 struct xattr_ctx ctx = { 640 .cvalue = value, 641 .kvalue = NULL, 642 .size = size, 643 .kname = &kname, 644 .flags = flags, 645 }; 646 struct path path; 647 int error; 648 649 error = setxattr_copy(name, &ctx); 650 if (error) 651 return error; 652 653 retry: 654 error = user_path_at(AT_FDCWD, pathname, lookup_flags, &path); 655 if (error) 656 goto out; 657 error = mnt_want_write(path.mnt); 658 if (!error) { 659 error = do_setxattr(mnt_idmap(path.mnt), path.dentry, &ctx); 660 mnt_drop_write(path.mnt); 661 } 662 path_put(&path); 663 if (retry_estale(error, lookup_flags)) { 664 lookup_flags |= LOOKUP_REVAL; 665 goto retry; 666 } 667 668 out: 669 kvfree(ctx.kvalue); 670 return error; 671 } 672 673 SYSCALL_DEFINE5(setxattr, const char __user *, pathname, 674 const char __user *, name, const void __user *, value, 675 size_t, size, int, flags) 676 { 677 return path_setxattr(pathname, name, value, size, flags, LOOKUP_FOLLOW); 678 } 679 680 SYSCALL_DEFINE5(lsetxattr, const char __user *, pathname, 681 const char __user *, name, const void __user *, value, 682 size_t, size, int, flags) 683 { 684 return path_setxattr(pathname, name, value, size, flags, 0); 685 } 686 687 SYSCALL_DEFINE5(fsetxattr, int, fd, const char __user *, name, 688 const void __user *,value, size_t, size, int, flags) 689 { 690 struct xattr_name kname; 691 struct xattr_ctx ctx = { 692 .cvalue = value, 693 .kvalue = NULL, 694 .size = size, 695 .kname = &kname, 696 .flags = flags, 697 }; 698 int error; 699 700 CLASS(fd, f)(fd); 701 if (!f.file) 702 return -EBADF; 703 704 audit_file(f.file); 705 error = setxattr_copy(name, &ctx); 706 if (error) 707 return error; 708 709 error = mnt_want_write_file(f.file); 710 if (!error) { 711 error = do_setxattr(file_mnt_idmap(f.file), 712 f.file->f_path.dentry, &ctx); 713 mnt_drop_write_file(f.file); 714 } 715 kvfree(ctx.kvalue); 716 return error; 717 } 718 719 /* 720 * Extended attribute GET operations 721 */ 722 ssize_t 723 do_getxattr(struct mnt_idmap *idmap, struct dentry *d, 724 struct xattr_ctx *ctx) 725 { 726 ssize_t error; 727 char *kname = ctx->kname->name; 728 729 if (ctx->size) { 730 if (ctx->size > XATTR_SIZE_MAX) 731 ctx->size = XATTR_SIZE_MAX; 732 ctx->kvalue = kvzalloc(ctx->size, GFP_KERNEL); 733 if (!ctx->kvalue) 734 return -ENOMEM; 735 } 736 737 if (is_posix_acl_xattr(ctx->kname->name)) 738 error = do_get_acl(idmap, d, kname, ctx->kvalue, ctx->size); 739 else 740 error = vfs_getxattr(idmap, d, kname, ctx->kvalue, ctx->size); 741 if (error > 0) { 742 if (ctx->size && copy_to_user(ctx->value, ctx->kvalue, error)) 743 error = -EFAULT; 744 } else if (error == -ERANGE && ctx->size >= XATTR_SIZE_MAX) { 745 /* The file system tried to returned a value bigger 746 than XATTR_SIZE_MAX bytes. Not possible. */ 747 error = -E2BIG; 748 } 749 750 return error; 751 } 752 753 static ssize_t 754 getxattr(struct mnt_idmap *idmap, struct dentry *d, 755 const char __user *name, void __user *value, size_t size) 756 { 757 ssize_t error; 758 struct xattr_name kname; 759 struct xattr_ctx ctx = { 760 .value = value, 761 .kvalue = NULL, 762 .size = size, 763 .kname = &kname, 764 .flags = 0, 765 }; 766 767 error = strncpy_from_user(kname.name, name, sizeof(kname.name)); 768 if (error == 0 || error == sizeof(kname.name)) 769 error = -ERANGE; 770 if (error < 0) 771 return error; 772 773 error = do_getxattr(idmap, d, &ctx); 774 775 kvfree(ctx.kvalue); 776 return error; 777 } 778 779 static ssize_t path_getxattr(const char __user *pathname, 780 const char __user *name, void __user *value, 781 size_t size, unsigned int lookup_flags) 782 { 783 struct path path; 784 ssize_t error; 785 retry: 786 error = user_path_at(AT_FDCWD, pathname, lookup_flags, &path); 787 if (error) 788 return error; 789 error = getxattr(mnt_idmap(path.mnt), path.dentry, name, value, size); 790 path_put(&path); 791 if (retry_estale(error, lookup_flags)) { 792 lookup_flags |= LOOKUP_REVAL; 793 goto retry; 794 } 795 return error; 796 } 797 798 SYSCALL_DEFINE4(getxattr, const char __user *, pathname, 799 const char __user *, name, void __user *, value, size_t, size) 800 { 801 return path_getxattr(pathname, name, value, size, LOOKUP_FOLLOW); 802 } 803 804 SYSCALL_DEFINE4(lgetxattr, const char __user *, pathname, 805 const char __user *, name, void __user *, value, size_t, size) 806 { 807 return path_getxattr(pathname, name, value, size, 0); 808 } 809 810 SYSCALL_DEFINE4(fgetxattr, int, fd, const char __user *, name, 811 void __user *, value, size_t, size) 812 { 813 struct fd f = fdget(fd); 814 ssize_t error = -EBADF; 815 816 if (!f.file) 817 return error; 818 audit_file(f.file); 819 error = getxattr(file_mnt_idmap(f.file), f.file->f_path.dentry, 820 name, value, size); 821 fdput(f); 822 return error; 823 } 824 825 /* 826 * Extended attribute LIST operations 827 */ 828 static ssize_t 829 listxattr(struct dentry *d, char __user *list, size_t size) 830 { 831 ssize_t error; 832 char *klist = NULL; 833 834 if (size) { 835 if (size > XATTR_LIST_MAX) 836 size = XATTR_LIST_MAX; 837 klist = kvmalloc(size, GFP_KERNEL); 838 if (!klist) 839 return -ENOMEM; 840 } 841 842 error = vfs_listxattr(d, klist, size); 843 if (error > 0) { 844 if (size && copy_to_user(list, klist, error)) 845 error = -EFAULT; 846 } else if (error == -ERANGE && size >= XATTR_LIST_MAX) { 847 /* The file system tried to returned a list bigger 848 than XATTR_LIST_MAX bytes. Not possible. */ 849 error = -E2BIG; 850 } 851 852 kvfree(klist); 853 854 return error; 855 } 856 857 static ssize_t path_listxattr(const char __user *pathname, char __user *list, 858 size_t size, unsigned int lookup_flags) 859 { 860 struct path path; 861 ssize_t error; 862 retry: 863 error = user_path_at(AT_FDCWD, pathname, lookup_flags, &path); 864 if (error) 865 return error; 866 error = listxattr(path.dentry, list, size); 867 path_put(&path); 868 if (retry_estale(error, lookup_flags)) { 869 lookup_flags |= LOOKUP_REVAL; 870 goto retry; 871 } 872 return error; 873 } 874 875 SYSCALL_DEFINE3(listxattr, const char __user *, pathname, char __user *, list, 876 size_t, size) 877 { 878 return path_listxattr(pathname, list, size, LOOKUP_FOLLOW); 879 } 880 881 SYSCALL_DEFINE3(llistxattr, const char __user *, pathname, char __user *, list, 882 size_t, size) 883 { 884 return path_listxattr(pathname, list, size, 0); 885 } 886 887 SYSCALL_DEFINE3(flistxattr, int, fd, char __user *, list, size_t, size) 888 { 889 struct fd f = fdget(fd); 890 ssize_t error = -EBADF; 891 892 if (!f.file) 893 return error; 894 audit_file(f.file); 895 error = listxattr(f.file->f_path.dentry, list, size); 896 fdput(f); 897 return error; 898 } 899 900 /* 901 * Extended attribute REMOVE operations 902 */ 903 static long 904 removexattr(struct mnt_idmap *idmap, struct dentry *d, const char *name) 905 { 906 if (is_posix_acl_xattr(name)) 907 return vfs_remove_acl(idmap, d, name); 908 return vfs_removexattr(idmap, d, name); 909 } 910 911 static int path_removexattr(const char __user *pathname, 912 const char __user *name, unsigned int lookup_flags) 913 { 914 struct path path; 915 int error; 916 char kname[XATTR_NAME_MAX + 1]; 917 918 error = strncpy_from_user(kname, name, sizeof(kname)); 919 if (error == 0 || error == sizeof(kname)) 920 error = -ERANGE; 921 if (error < 0) 922 return error; 923 retry: 924 error = user_path_at(AT_FDCWD, pathname, lookup_flags, &path); 925 if (error) 926 return error; 927 error = mnt_want_write(path.mnt); 928 if (!error) { 929 error = removexattr(mnt_idmap(path.mnt), path.dentry, kname); 930 mnt_drop_write(path.mnt); 931 } 932 path_put(&path); 933 if (retry_estale(error, lookup_flags)) { 934 lookup_flags |= LOOKUP_REVAL; 935 goto retry; 936 } 937 return error; 938 } 939 940 SYSCALL_DEFINE2(removexattr, const char __user *, pathname, 941 const char __user *, name) 942 { 943 return path_removexattr(pathname, name, LOOKUP_FOLLOW); 944 } 945 946 SYSCALL_DEFINE2(lremovexattr, const char __user *, pathname, 947 const char __user *, name) 948 { 949 return path_removexattr(pathname, name, 0); 950 } 951 952 SYSCALL_DEFINE2(fremovexattr, int, fd, const char __user *, name) 953 { 954 struct fd f = fdget(fd); 955 char kname[XATTR_NAME_MAX + 1]; 956 int error = -EBADF; 957 958 if (!f.file) 959 return error; 960 audit_file(f.file); 961 962 error = strncpy_from_user(kname, name, sizeof(kname)); 963 if (error == 0 || error == sizeof(kname)) 964 error = -ERANGE; 965 if (error < 0) 966 return error; 967 968 error = mnt_want_write_file(f.file); 969 if (!error) { 970 error = removexattr(file_mnt_idmap(f.file), 971 f.file->f_path.dentry, kname); 972 mnt_drop_write_file(f.file); 973 } 974 fdput(f); 975 return error; 976 } 977 978 int xattr_list_one(char **buffer, ssize_t *remaining_size, const char *name) 979 { 980 size_t len; 981 982 len = strlen(name) + 1; 983 if (*buffer) { 984 if (*remaining_size < len) 985 return -ERANGE; 986 memcpy(*buffer, name, len); 987 *buffer += len; 988 } 989 *remaining_size -= len; 990 return 0; 991 } 992 993 /** 994 * generic_listxattr - run through a dentry's xattr list() operations 995 * @dentry: dentry to list the xattrs 996 * @buffer: result buffer 997 * @buffer_size: size of @buffer 998 * 999 * Combine the results of the list() operation from every xattr_handler in the 1000 * xattr_handler stack. 1001 * 1002 * Note that this will not include the entries for POSIX ACLs. 1003 */ 1004 ssize_t 1005 generic_listxattr(struct dentry *dentry, char *buffer, size_t buffer_size) 1006 { 1007 const struct xattr_handler *handler, **handlers = dentry->d_sb->s_xattr; 1008 ssize_t remaining_size = buffer_size; 1009 int err = 0; 1010 1011 for_each_xattr_handler(handlers, handler) { 1012 if (!handler->name || (handler->list && !handler->list(dentry))) 1013 continue; 1014 err = xattr_list_one(&buffer, &remaining_size, handler->name); 1015 if (err) 1016 return err; 1017 } 1018 1019 return err ? err : buffer_size - remaining_size; 1020 } 1021 EXPORT_SYMBOL(generic_listxattr); 1022 1023 /** 1024 * xattr_full_name - Compute full attribute name from suffix 1025 * 1026 * @handler: handler of the xattr_handler operation 1027 * @name: name passed to the xattr_handler operation 1028 * 1029 * The get and set xattr handler operations are called with the remainder of 1030 * the attribute name after skipping the handler's prefix: for example, "foo" 1031 * is passed to the get operation of a handler with prefix "user." to get 1032 * attribute "user.foo". The full name is still "there" in the name though. 1033 * 1034 * Note: the list xattr handler operation when called from the vfs is passed a 1035 * NULL name; some file systems use this operation internally, with varying 1036 * semantics. 1037 */ 1038 const char *xattr_full_name(const struct xattr_handler *handler, 1039 const char *name) 1040 { 1041 size_t prefix_len = strlen(xattr_prefix(handler)); 1042 1043 return name - prefix_len; 1044 } 1045 EXPORT_SYMBOL(xattr_full_name); 1046 1047 /** 1048 * simple_xattr_space - estimate the memory used by a simple xattr 1049 * @name: the full name of the xattr 1050 * @size: the size of its value 1051 * 1052 * This takes no account of how much larger the two slab objects actually are: 1053 * that would depend on the slab implementation, when what is required is a 1054 * deterministic number, which grows with name length and size and quantity. 1055 * 1056 * Return: The approximate number of bytes of memory used by such an xattr. 1057 */ 1058 size_t simple_xattr_space(const char *name, size_t size) 1059 { 1060 /* 1061 * Use "40" instead of sizeof(struct simple_xattr), to return the 1062 * same result on 32-bit and 64-bit, and even if simple_xattr grows. 1063 */ 1064 return 40 + size + strlen(name); 1065 } 1066 1067 /** 1068 * simple_xattr_free - free an xattr object 1069 * @xattr: the xattr object 1070 * 1071 * Free the xattr object. Can handle @xattr being NULL. 1072 */ 1073 void simple_xattr_free(struct simple_xattr *xattr) 1074 { 1075 if (xattr) 1076 kfree(xattr->name); 1077 kvfree(xattr); 1078 } 1079 1080 /** 1081 * simple_xattr_alloc - allocate new xattr object 1082 * @value: value of the xattr object 1083 * @size: size of @value 1084 * 1085 * Allocate a new xattr object and initialize respective members. The caller is 1086 * responsible for handling the name of the xattr. 1087 * 1088 * Return: On success a new xattr object is returned. On failure NULL is 1089 * returned. 1090 */ 1091 struct simple_xattr *simple_xattr_alloc(const void *value, size_t size) 1092 { 1093 struct simple_xattr *new_xattr; 1094 size_t len; 1095 1096 /* wrap around? */ 1097 len = sizeof(*new_xattr) + size; 1098 if (len < sizeof(*new_xattr)) 1099 return NULL; 1100 1101 new_xattr = kvmalloc(len, GFP_KERNEL_ACCOUNT); 1102 if (!new_xattr) 1103 return NULL; 1104 1105 new_xattr->size = size; 1106 memcpy(new_xattr->value, value, size); 1107 return new_xattr; 1108 } 1109 1110 /** 1111 * rbtree_simple_xattr_cmp - compare xattr name with current rbtree xattr entry 1112 * @key: xattr name 1113 * @node: current node 1114 * 1115 * Compare the xattr name with the xattr name attached to @node in the rbtree. 1116 * 1117 * Return: Negative value if continuing left, positive if continuing right, 0 1118 * if the xattr attached to @node matches @key. 1119 */ 1120 static int rbtree_simple_xattr_cmp(const void *key, const struct rb_node *node) 1121 { 1122 const char *xattr_name = key; 1123 const struct simple_xattr *xattr; 1124 1125 xattr = rb_entry(node, struct simple_xattr, rb_node); 1126 return strcmp(xattr->name, xattr_name); 1127 } 1128 1129 /** 1130 * rbtree_simple_xattr_node_cmp - compare two xattr rbtree nodes 1131 * @new_node: new node 1132 * @node: current node 1133 * 1134 * Compare the xattr attached to @new_node with the xattr attached to @node. 1135 * 1136 * Return: Negative value if continuing left, positive if continuing right, 0 1137 * if the xattr attached to @new_node matches the xattr attached to @node. 1138 */ 1139 static int rbtree_simple_xattr_node_cmp(struct rb_node *new_node, 1140 const struct rb_node *node) 1141 { 1142 struct simple_xattr *xattr; 1143 xattr = rb_entry(new_node, struct simple_xattr, rb_node); 1144 return rbtree_simple_xattr_cmp(xattr->name, node); 1145 } 1146 1147 /** 1148 * simple_xattr_get - get an xattr object 1149 * @xattrs: the header of the xattr object 1150 * @name: the name of the xattr to retrieve 1151 * @buffer: the buffer to store the value into 1152 * @size: the size of @buffer 1153 * 1154 * Try to find and retrieve the xattr object associated with @name. 1155 * If @buffer is provided store the value of @xattr in @buffer 1156 * otherwise just return the length. The size of @buffer is limited 1157 * to XATTR_SIZE_MAX which currently is 65536. 1158 * 1159 * Return: On success the length of the xattr value is returned. On error a 1160 * negative error code is returned. 1161 */ 1162 int simple_xattr_get(struct simple_xattrs *xattrs, const char *name, 1163 void *buffer, size_t size) 1164 { 1165 struct simple_xattr *xattr = NULL; 1166 struct rb_node *rbp; 1167 int ret = -ENODATA; 1168 1169 read_lock(&xattrs->lock); 1170 rbp = rb_find(name, &xattrs->rb_root, rbtree_simple_xattr_cmp); 1171 if (rbp) { 1172 xattr = rb_entry(rbp, struct simple_xattr, rb_node); 1173 ret = xattr->size; 1174 if (buffer) { 1175 if (size < xattr->size) 1176 ret = -ERANGE; 1177 else 1178 memcpy(buffer, xattr->value, xattr->size); 1179 } 1180 } 1181 read_unlock(&xattrs->lock); 1182 return ret; 1183 } 1184 1185 /** 1186 * simple_xattr_set - set an xattr object 1187 * @xattrs: the header of the xattr object 1188 * @name: the name of the xattr to retrieve 1189 * @value: the value to store along the xattr 1190 * @size: the size of @value 1191 * @flags: the flags determining how to set the xattr 1192 * 1193 * Set a new xattr object. 1194 * If @value is passed a new xattr object will be allocated. If XATTR_REPLACE 1195 * is specified in @flags a matching xattr object for @name must already exist. 1196 * If it does it will be replaced with the new xattr object. If it doesn't we 1197 * fail. If XATTR_CREATE is specified and a matching xattr does already exist 1198 * we fail. If it doesn't we create a new xattr. If @flags is zero we simply 1199 * insert the new xattr replacing any existing one. 1200 * 1201 * If @value is empty and a matching xattr object is found we delete it if 1202 * XATTR_REPLACE is specified in @flags or @flags is zero. 1203 * 1204 * If @value is empty and no matching xattr object for @name is found we do 1205 * nothing if XATTR_CREATE is specified in @flags or @flags is zero. For 1206 * XATTR_REPLACE we fail as mentioned above. 1207 * 1208 * Return: On success, the removed or replaced xattr is returned, to be freed 1209 * by the caller; or NULL if none. On failure a negative error code is returned. 1210 */ 1211 struct simple_xattr *simple_xattr_set(struct simple_xattrs *xattrs, 1212 const char *name, const void *value, 1213 size_t size, int flags) 1214 { 1215 struct simple_xattr *old_xattr = NULL, *new_xattr = NULL; 1216 struct rb_node *parent = NULL, **rbp; 1217 int err = 0, ret; 1218 1219 /* value == NULL means remove */ 1220 if (value) { 1221 new_xattr = simple_xattr_alloc(value, size); 1222 if (!new_xattr) 1223 return ERR_PTR(-ENOMEM); 1224 1225 new_xattr->name = kstrdup(name, GFP_KERNEL_ACCOUNT); 1226 if (!new_xattr->name) { 1227 simple_xattr_free(new_xattr); 1228 return ERR_PTR(-ENOMEM); 1229 } 1230 } 1231 1232 write_lock(&xattrs->lock); 1233 rbp = &xattrs->rb_root.rb_node; 1234 while (*rbp) { 1235 parent = *rbp; 1236 ret = rbtree_simple_xattr_cmp(name, *rbp); 1237 if (ret < 0) 1238 rbp = &(*rbp)->rb_left; 1239 else if (ret > 0) 1240 rbp = &(*rbp)->rb_right; 1241 else 1242 old_xattr = rb_entry(*rbp, struct simple_xattr, rb_node); 1243 if (old_xattr) 1244 break; 1245 } 1246 1247 if (old_xattr) { 1248 /* Fail if XATTR_CREATE is requested and the xattr exists. */ 1249 if (flags & XATTR_CREATE) { 1250 err = -EEXIST; 1251 goto out_unlock; 1252 } 1253 1254 if (new_xattr) 1255 rb_replace_node(&old_xattr->rb_node, 1256 &new_xattr->rb_node, &xattrs->rb_root); 1257 else 1258 rb_erase(&old_xattr->rb_node, &xattrs->rb_root); 1259 } else { 1260 /* Fail if XATTR_REPLACE is requested but no xattr is found. */ 1261 if (flags & XATTR_REPLACE) { 1262 err = -ENODATA; 1263 goto out_unlock; 1264 } 1265 1266 /* 1267 * If XATTR_CREATE or no flags are specified together with a 1268 * new value simply insert it. 1269 */ 1270 if (new_xattr) { 1271 rb_link_node(&new_xattr->rb_node, parent, rbp); 1272 rb_insert_color(&new_xattr->rb_node, &xattrs->rb_root); 1273 } 1274 1275 /* 1276 * If XATTR_CREATE or no flags are specified and neither an 1277 * old or new xattr exist then we don't need to do anything. 1278 */ 1279 } 1280 1281 out_unlock: 1282 write_unlock(&xattrs->lock); 1283 if (!err) 1284 return old_xattr; 1285 simple_xattr_free(new_xattr); 1286 return ERR_PTR(err); 1287 } 1288 1289 static bool xattr_is_trusted(const char *name) 1290 { 1291 return !strncmp(name, XATTR_TRUSTED_PREFIX, XATTR_TRUSTED_PREFIX_LEN); 1292 } 1293 1294 /** 1295 * simple_xattr_list - list all xattr objects 1296 * @inode: inode from which to get the xattrs 1297 * @xattrs: the header of the xattr object 1298 * @buffer: the buffer to store all xattrs into 1299 * @size: the size of @buffer 1300 * 1301 * List all xattrs associated with @inode. If @buffer is NULL we returned 1302 * the required size of the buffer. If @buffer is provided we store the 1303 * xattrs value into it provided it is big enough. 1304 * 1305 * Note, the number of xattr names that can be listed with listxattr(2) is 1306 * limited to XATTR_LIST_MAX aka 65536 bytes. If a larger buffer is passed 1307 * then vfs_listxattr() caps it to XATTR_LIST_MAX and if more xattr names 1308 * are found it will return -E2BIG. 1309 * 1310 * Return: On success the required size or the size of the copied xattrs is 1311 * returned. On error a negative error code is returned. 1312 */ 1313 ssize_t simple_xattr_list(struct inode *inode, struct simple_xattrs *xattrs, 1314 char *buffer, size_t size) 1315 { 1316 bool trusted = ns_capable_noaudit(&init_user_ns, CAP_SYS_ADMIN); 1317 struct simple_xattr *xattr; 1318 struct rb_node *rbp; 1319 ssize_t remaining_size = size; 1320 int err = 0; 1321 1322 err = posix_acl_listxattr(inode, &buffer, &remaining_size); 1323 if (err) 1324 return err; 1325 1326 read_lock(&xattrs->lock); 1327 for (rbp = rb_first(&xattrs->rb_root); rbp; rbp = rb_next(rbp)) { 1328 xattr = rb_entry(rbp, struct simple_xattr, rb_node); 1329 1330 /* skip "trusted." attributes for unprivileged callers */ 1331 if (!trusted && xattr_is_trusted(xattr->name)) 1332 continue; 1333 1334 err = xattr_list_one(&buffer, &remaining_size, xattr->name); 1335 if (err) 1336 break; 1337 } 1338 read_unlock(&xattrs->lock); 1339 1340 return err ? err : size - remaining_size; 1341 } 1342 1343 /** 1344 * rbtree_simple_xattr_less - compare two xattr rbtree nodes 1345 * @new_node: new node 1346 * @node: current node 1347 * 1348 * Compare the xattr attached to @new_node with the xattr attached to @node. 1349 * Note that this function technically tolerates duplicate entries. 1350 * 1351 * Return: True if insertion point in the rbtree is found. 1352 */ 1353 static bool rbtree_simple_xattr_less(struct rb_node *new_node, 1354 const struct rb_node *node) 1355 { 1356 return rbtree_simple_xattr_node_cmp(new_node, node) < 0; 1357 } 1358 1359 /** 1360 * simple_xattr_add - add xattr objects 1361 * @xattrs: the header of the xattr object 1362 * @new_xattr: the xattr object to add 1363 * 1364 * Add an xattr object to @xattrs. This assumes no replacement or removal 1365 * of matching xattrs is wanted. Should only be called during inode 1366 * initialization when a few distinct initial xattrs are supposed to be set. 1367 */ 1368 void simple_xattr_add(struct simple_xattrs *xattrs, 1369 struct simple_xattr *new_xattr) 1370 { 1371 write_lock(&xattrs->lock); 1372 rb_add(&new_xattr->rb_node, &xattrs->rb_root, rbtree_simple_xattr_less); 1373 write_unlock(&xattrs->lock); 1374 } 1375 1376 /** 1377 * simple_xattrs_init - initialize new xattr header 1378 * @xattrs: header to initialize 1379 * 1380 * Initialize relevant fields of a an xattr header. 1381 */ 1382 void simple_xattrs_init(struct simple_xattrs *xattrs) 1383 { 1384 xattrs->rb_root = RB_ROOT; 1385 rwlock_init(&xattrs->lock); 1386 } 1387 1388 /** 1389 * simple_xattrs_free - free xattrs 1390 * @xattrs: xattr header whose xattrs to destroy 1391 * @freed_space: approximate number of bytes of memory freed from @xattrs 1392 * 1393 * Destroy all xattrs in @xattr. When this is called no one can hold a 1394 * reference to any of the xattrs anymore. 1395 */ 1396 void simple_xattrs_free(struct simple_xattrs *xattrs, size_t *freed_space) 1397 { 1398 struct rb_node *rbp; 1399 1400 if (freed_space) 1401 *freed_space = 0; 1402 rbp = rb_first(&xattrs->rb_root); 1403 while (rbp) { 1404 struct simple_xattr *xattr; 1405 struct rb_node *rbp_next; 1406 1407 rbp_next = rb_next(rbp); 1408 xattr = rb_entry(rbp, struct simple_xattr, rb_node); 1409 rb_erase(&xattr->rb_node, &xattrs->rb_root); 1410 if (freed_space) 1411 *freed_space += simple_xattr_space(xattr->name, 1412 xattr->size); 1413 simple_xattr_free(xattr); 1414 rbp = rbp_next; 1415 } 1416 } 1417