1 /* 2 File: fs/xattr.c 3 4 Extended attribute handling. 5 6 Copyright (C) 2001 by Andreas Gruenbacher <a.gruenbacher@computer.org> 7 Copyright (C) 2001 SGI - Silicon Graphics, Inc <linux-xfs@oss.sgi.com> 8 Copyright (c) 2004 Red Hat, Inc., James Morris <jmorris@redhat.com> 9 */ 10 #include <linux/fs.h> 11 #include <linux/slab.h> 12 #include <linux/file.h> 13 #include <linux/xattr.h> 14 #include <linux/mount.h> 15 #include <linux/namei.h> 16 #include <linux/security.h> 17 #include <linux/evm.h> 18 #include <linux/syscalls.h> 19 #include <linux/export.h> 20 #include <linux/fsnotify.h> 21 #include <linux/audit.h> 22 #include <linux/vmalloc.h> 23 24 #include <asm/uaccess.h> 25 26 /* 27 * Check permissions for extended attribute access. This is a bit complicated 28 * because different namespaces have very different rules. 29 */ 30 static int 31 xattr_permission(struct inode *inode, const char *name, int mask) 32 { 33 /* 34 * We can never set or remove an extended attribute on a read-only 35 * filesystem or on an immutable / append-only inode. 36 */ 37 if (mask & MAY_WRITE) { 38 if (IS_IMMUTABLE(inode) || IS_APPEND(inode)) 39 return -EPERM; 40 } 41 42 /* 43 * No restriction for security.* and system.* from the VFS. Decision 44 * on these is left to the underlying filesystem / security module. 45 */ 46 if (!strncmp(name, XATTR_SECURITY_PREFIX, XATTR_SECURITY_PREFIX_LEN) || 47 !strncmp(name, XATTR_SYSTEM_PREFIX, XATTR_SYSTEM_PREFIX_LEN)) 48 return 0; 49 50 /* 51 * The trusted.* namespace can only be accessed by privileged users. 52 */ 53 if (!strncmp(name, XATTR_TRUSTED_PREFIX, XATTR_TRUSTED_PREFIX_LEN)) { 54 if (!capable(CAP_SYS_ADMIN)) 55 return (mask & MAY_WRITE) ? -EPERM : -ENODATA; 56 return 0; 57 } 58 59 /* 60 * In the user.* namespace, only regular files and directories can have 61 * extended attributes. For sticky directories, only the owner and 62 * privileged users can write attributes. 63 */ 64 if (!strncmp(name, XATTR_USER_PREFIX, XATTR_USER_PREFIX_LEN)) { 65 if (!S_ISREG(inode->i_mode) && !S_ISDIR(inode->i_mode)) 66 return (mask & MAY_WRITE) ? -EPERM : -ENODATA; 67 if (S_ISDIR(inode->i_mode) && (inode->i_mode & S_ISVTX) && 68 (mask & MAY_WRITE) && !inode_owner_or_capable(inode)) 69 return -EPERM; 70 } 71 72 return inode_permission(inode, mask); 73 } 74 75 /** 76 * __vfs_setxattr_noperm - perform setxattr operation without performing 77 * permission checks. 78 * 79 * @dentry - object to perform setxattr on 80 * @name - xattr name to set 81 * @value - value to set @name to 82 * @size - size of @value 83 * @flags - flags to pass into filesystem operations 84 * 85 * returns the result of the internal setxattr or setsecurity operations. 86 * 87 * This function requires the caller to lock the inode's i_mutex before it 88 * is executed. It also assumes that the caller will make the appropriate 89 * permission checks. 90 */ 91 int __vfs_setxattr_noperm(struct dentry *dentry, const char *name, 92 const void *value, size_t size, int flags) 93 { 94 struct inode *inode = dentry->d_inode; 95 int error = -EOPNOTSUPP; 96 int issec = !strncmp(name, XATTR_SECURITY_PREFIX, 97 XATTR_SECURITY_PREFIX_LEN); 98 99 if (issec) 100 inode->i_flags &= ~S_NOSEC; 101 if (inode->i_op->setxattr) { 102 error = inode->i_op->setxattr(dentry, name, value, size, flags); 103 if (!error) { 104 fsnotify_xattr(dentry); 105 security_inode_post_setxattr(dentry, name, value, 106 size, flags); 107 } 108 } else if (issec) { 109 const char *suffix = name + XATTR_SECURITY_PREFIX_LEN; 110 error = security_inode_setsecurity(inode, suffix, value, 111 size, flags); 112 if (!error) 113 fsnotify_xattr(dentry); 114 } 115 116 return error; 117 } 118 119 120 int 121 vfs_setxattr(struct dentry *dentry, const char *name, const void *value, 122 size_t size, int flags) 123 { 124 struct inode *inode = dentry->d_inode; 125 int error; 126 127 error = xattr_permission(inode, name, MAY_WRITE); 128 if (error) 129 return error; 130 131 mutex_lock(&inode->i_mutex); 132 error = security_inode_setxattr(dentry, name, value, size, flags); 133 if (error) 134 goto out; 135 136 error = __vfs_setxattr_noperm(dentry, name, value, size, flags); 137 138 out: 139 mutex_unlock(&inode->i_mutex); 140 return error; 141 } 142 EXPORT_SYMBOL_GPL(vfs_setxattr); 143 144 ssize_t 145 xattr_getsecurity(struct inode *inode, const char *name, void *value, 146 size_t size) 147 { 148 void *buffer = NULL; 149 ssize_t len; 150 151 if (!value || !size) { 152 len = security_inode_getsecurity(inode, name, &buffer, false); 153 goto out_noalloc; 154 } 155 156 len = security_inode_getsecurity(inode, name, &buffer, true); 157 if (len < 0) 158 return len; 159 if (size < len) { 160 len = -ERANGE; 161 goto out; 162 } 163 memcpy(value, buffer, len); 164 out: 165 security_release_secctx(buffer, len); 166 out_noalloc: 167 return len; 168 } 169 EXPORT_SYMBOL_GPL(xattr_getsecurity); 170 171 /* 172 * vfs_getxattr_alloc - allocate memory, if necessary, before calling getxattr 173 * 174 * Allocate memory, if not already allocated, or re-allocate correct size, 175 * before retrieving the extended attribute. 176 * 177 * Returns the result of alloc, if failed, or the getxattr operation. 178 */ 179 ssize_t 180 vfs_getxattr_alloc(struct dentry *dentry, const char *name, char **xattr_value, 181 size_t xattr_size, gfp_t flags) 182 { 183 struct inode *inode = dentry->d_inode; 184 char *value = *xattr_value; 185 int error; 186 187 error = xattr_permission(inode, name, MAY_READ); 188 if (error) 189 return error; 190 191 if (!inode->i_op->getxattr) 192 return -EOPNOTSUPP; 193 194 error = inode->i_op->getxattr(dentry, name, NULL, 0); 195 if (error < 0) 196 return error; 197 198 if (!value || (error > xattr_size)) { 199 value = krealloc(*xattr_value, error + 1, flags); 200 if (!value) 201 return -ENOMEM; 202 memset(value, 0, error + 1); 203 } 204 205 error = inode->i_op->getxattr(dentry, name, value, error); 206 *xattr_value = value; 207 return error; 208 } 209 210 /* Compare an extended attribute value with the given value */ 211 int vfs_xattr_cmp(struct dentry *dentry, const char *xattr_name, 212 const char *value, size_t size, gfp_t flags) 213 { 214 char *xattr_value = NULL; 215 int rc; 216 217 rc = vfs_getxattr_alloc(dentry, xattr_name, &xattr_value, 0, flags); 218 if (rc < 0) 219 return rc; 220 221 if ((rc != size) || (memcmp(xattr_value, value, rc) != 0)) 222 rc = -EINVAL; 223 else 224 rc = 0; 225 kfree(xattr_value); 226 return rc; 227 } 228 229 ssize_t 230 vfs_getxattr(struct dentry *dentry, const char *name, void *value, size_t size) 231 { 232 struct inode *inode = dentry->d_inode; 233 int error; 234 235 error = xattr_permission(inode, name, MAY_READ); 236 if (error) 237 return error; 238 239 error = security_inode_getxattr(dentry, name); 240 if (error) 241 return error; 242 243 if (!strncmp(name, XATTR_SECURITY_PREFIX, 244 XATTR_SECURITY_PREFIX_LEN)) { 245 const char *suffix = name + XATTR_SECURITY_PREFIX_LEN; 246 int ret = xattr_getsecurity(inode, suffix, value, size); 247 /* 248 * Only overwrite the return value if a security module 249 * is actually active. 250 */ 251 if (ret == -EOPNOTSUPP) 252 goto nolsm; 253 return ret; 254 } 255 nolsm: 256 if (inode->i_op->getxattr) 257 error = inode->i_op->getxattr(dentry, name, value, size); 258 else 259 error = -EOPNOTSUPP; 260 261 return error; 262 } 263 EXPORT_SYMBOL_GPL(vfs_getxattr); 264 265 ssize_t 266 vfs_listxattr(struct dentry *d, char *list, size_t size) 267 { 268 ssize_t error; 269 270 error = security_inode_listxattr(d); 271 if (error) 272 return error; 273 error = -EOPNOTSUPP; 274 if (d->d_inode->i_op->listxattr) { 275 error = d->d_inode->i_op->listxattr(d, list, size); 276 } else { 277 error = security_inode_listsecurity(d->d_inode, list, size); 278 if (size && error > size) 279 error = -ERANGE; 280 } 281 return error; 282 } 283 EXPORT_SYMBOL_GPL(vfs_listxattr); 284 285 int 286 vfs_removexattr(struct dentry *dentry, const char *name) 287 { 288 struct inode *inode = dentry->d_inode; 289 int error; 290 291 if (!inode->i_op->removexattr) 292 return -EOPNOTSUPP; 293 294 error = xattr_permission(inode, name, MAY_WRITE); 295 if (error) 296 return error; 297 298 error = security_inode_removexattr(dentry, name); 299 if (error) 300 return error; 301 302 mutex_lock(&inode->i_mutex); 303 error = inode->i_op->removexattr(dentry, name); 304 mutex_unlock(&inode->i_mutex); 305 306 if (!error) { 307 fsnotify_xattr(dentry); 308 evm_inode_post_removexattr(dentry, name); 309 } 310 return error; 311 } 312 EXPORT_SYMBOL_GPL(vfs_removexattr); 313 314 315 /* 316 * Extended attribute SET operations 317 */ 318 static long 319 setxattr(struct dentry *d, const char __user *name, const void __user *value, 320 size_t size, int flags) 321 { 322 int error; 323 void *kvalue = NULL; 324 void *vvalue = NULL; /* If non-NULL, we used vmalloc() */ 325 char kname[XATTR_NAME_MAX + 1]; 326 327 if (flags & ~(XATTR_CREATE|XATTR_REPLACE)) 328 return -EINVAL; 329 330 error = strncpy_from_user(kname, name, sizeof(kname)); 331 if (error == 0 || error == sizeof(kname)) 332 error = -ERANGE; 333 if (error < 0) 334 return error; 335 336 if (size) { 337 if (size > XATTR_SIZE_MAX) 338 return -E2BIG; 339 kvalue = kmalloc(size, GFP_KERNEL | __GFP_NOWARN); 340 if (!kvalue) { 341 vvalue = vmalloc(size); 342 if (!vvalue) 343 return -ENOMEM; 344 kvalue = vvalue; 345 } 346 if (copy_from_user(kvalue, value, size)) { 347 error = -EFAULT; 348 goto out; 349 } 350 } 351 352 error = vfs_setxattr(d, kname, kvalue, size, flags); 353 out: 354 if (vvalue) 355 vfree(vvalue); 356 else 357 kfree(kvalue); 358 return error; 359 } 360 361 SYSCALL_DEFINE5(setxattr, const char __user *, pathname, 362 const char __user *, name, const void __user *, value, 363 size_t, size, int, flags) 364 { 365 struct path path; 366 int error; 367 368 error = user_path(pathname, &path); 369 if (error) 370 return error; 371 error = mnt_want_write(path.mnt); 372 if (!error) { 373 error = setxattr(path.dentry, name, value, size, flags); 374 mnt_drop_write(path.mnt); 375 } 376 path_put(&path); 377 return error; 378 } 379 380 SYSCALL_DEFINE5(lsetxattr, const char __user *, pathname, 381 const char __user *, name, const void __user *, value, 382 size_t, size, int, flags) 383 { 384 struct path path; 385 int error; 386 387 error = user_lpath(pathname, &path); 388 if (error) 389 return error; 390 error = mnt_want_write(path.mnt); 391 if (!error) { 392 error = setxattr(path.dentry, name, value, size, flags); 393 mnt_drop_write(path.mnt); 394 } 395 path_put(&path); 396 return error; 397 } 398 399 SYSCALL_DEFINE5(fsetxattr, int, fd, const char __user *, name, 400 const void __user *,value, size_t, size, int, flags) 401 { 402 struct file *f; 403 struct dentry *dentry; 404 int error = -EBADF; 405 406 f = fget(fd); 407 if (!f) 408 return error; 409 dentry = f->f_path.dentry; 410 audit_inode(NULL, dentry); 411 error = mnt_want_write_file(f); 412 if (!error) { 413 error = setxattr(dentry, name, value, size, flags); 414 mnt_drop_write_file(f); 415 } 416 fput(f); 417 return error; 418 } 419 420 /* 421 * Extended attribute GET operations 422 */ 423 static ssize_t 424 getxattr(struct dentry *d, const char __user *name, void __user *value, 425 size_t size) 426 { 427 ssize_t error; 428 void *kvalue = NULL; 429 char kname[XATTR_NAME_MAX + 1]; 430 431 error = strncpy_from_user(kname, name, sizeof(kname)); 432 if (error == 0 || error == sizeof(kname)) 433 error = -ERANGE; 434 if (error < 0) 435 return error; 436 437 if (size) { 438 if (size > XATTR_SIZE_MAX) 439 size = XATTR_SIZE_MAX; 440 kvalue = kzalloc(size, GFP_KERNEL); 441 if (!kvalue) 442 return -ENOMEM; 443 } 444 445 error = vfs_getxattr(d, kname, kvalue, size); 446 if (error > 0) { 447 if (size && copy_to_user(value, kvalue, error)) 448 error = -EFAULT; 449 } else if (error == -ERANGE && size >= XATTR_SIZE_MAX) { 450 /* The file system tried to returned a value bigger 451 than XATTR_SIZE_MAX bytes. Not possible. */ 452 error = -E2BIG; 453 } 454 kfree(kvalue); 455 return error; 456 } 457 458 SYSCALL_DEFINE4(getxattr, const char __user *, pathname, 459 const char __user *, name, void __user *, value, size_t, size) 460 { 461 struct path path; 462 ssize_t error; 463 464 error = user_path(pathname, &path); 465 if (error) 466 return error; 467 error = getxattr(path.dentry, name, value, size); 468 path_put(&path); 469 return error; 470 } 471 472 SYSCALL_DEFINE4(lgetxattr, const char __user *, pathname, 473 const char __user *, name, void __user *, value, size_t, size) 474 { 475 struct path path; 476 ssize_t error; 477 478 error = user_lpath(pathname, &path); 479 if (error) 480 return error; 481 error = getxattr(path.dentry, name, value, size); 482 path_put(&path); 483 return error; 484 } 485 486 SYSCALL_DEFINE4(fgetxattr, int, fd, const char __user *, name, 487 void __user *, value, size_t, size) 488 { 489 struct file *f; 490 ssize_t error = -EBADF; 491 492 f = fget(fd); 493 if (!f) 494 return error; 495 audit_inode(NULL, f->f_path.dentry); 496 error = getxattr(f->f_path.dentry, name, value, size); 497 fput(f); 498 return error; 499 } 500 501 /* 502 * Extended attribute LIST operations 503 */ 504 static ssize_t 505 listxattr(struct dentry *d, char __user *list, size_t size) 506 { 507 ssize_t error; 508 char *klist = NULL; 509 char *vlist = NULL; /* If non-NULL, we used vmalloc() */ 510 511 if (size) { 512 if (size > XATTR_LIST_MAX) 513 size = XATTR_LIST_MAX; 514 klist = kmalloc(size, __GFP_NOWARN | GFP_KERNEL); 515 if (!klist) { 516 vlist = vmalloc(size); 517 if (!vlist) 518 return -ENOMEM; 519 klist = vlist; 520 } 521 } 522 523 error = vfs_listxattr(d, klist, size); 524 if (error > 0) { 525 if (size && copy_to_user(list, klist, error)) 526 error = -EFAULT; 527 } else if (error == -ERANGE && size >= XATTR_LIST_MAX) { 528 /* The file system tried to returned a list bigger 529 than XATTR_LIST_MAX bytes. Not possible. */ 530 error = -E2BIG; 531 } 532 if (vlist) 533 vfree(vlist); 534 else 535 kfree(klist); 536 return error; 537 } 538 539 SYSCALL_DEFINE3(listxattr, const char __user *, pathname, char __user *, list, 540 size_t, size) 541 { 542 struct path path; 543 ssize_t error; 544 545 error = user_path(pathname, &path); 546 if (error) 547 return error; 548 error = listxattr(path.dentry, list, size); 549 path_put(&path); 550 return error; 551 } 552 553 SYSCALL_DEFINE3(llistxattr, const char __user *, pathname, char __user *, list, 554 size_t, size) 555 { 556 struct path path; 557 ssize_t error; 558 559 error = user_lpath(pathname, &path); 560 if (error) 561 return error; 562 error = listxattr(path.dentry, list, size); 563 path_put(&path); 564 return error; 565 } 566 567 SYSCALL_DEFINE3(flistxattr, int, fd, char __user *, list, size_t, size) 568 { 569 struct file *f; 570 ssize_t error = -EBADF; 571 572 f = fget(fd); 573 if (!f) 574 return error; 575 audit_inode(NULL, f->f_path.dentry); 576 error = listxattr(f->f_path.dentry, list, size); 577 fput(f); 578 return error; 579 } 580 581 /* 582 * Extended attribute REMOVE operations 583 */ 584 static long 585 removexattr(struct dentry *d, const char __user *name) 586 { 587 int error; 588 char kname[XATTR_NAME_MAX + 1]; 589 590 error = strncpy_from_user(kname, name, sizeof(kname)); 591 if (error == 0 || error == sizeof(kname)) 592 error = -ERANGE; 593 if (error < 0) 594 return error; 595 596 return vfs_removexattr(d, kname); 597 } 598 599 SYSCALL_DEFINE2(removexattr, const char __user *, pathname, 600 const char __user *, name) 601 { 602 struct path path; 603 int error; 604 605 error = user_path(pathname, &path); 606 if (error) 607 return error; 608 error = mnt_want_write(path.mnt); 609 if (!error) { 610 error = removexattr(path.dentry, name); 611 mnt_drop_write(path.mnt); 612 } 613 path_put(&path); 614 return error; 615 } 616 617 SYSCALL_DEFINE2(lremovexattr, const char __user *, pathname, 618 const char __user *, name) 619 { 620 struct path path; 621 int error; 622 623 error = user_lpath(pathname, &path); 624 if (error) 625 return error; 626 error = mnt_want_write(path.mnt); 627 if (!error) { 628 error = removexattr(path.dentry, name); 629 mnt_drop_write(path.mnt); 630 } 631 path_put(&path); 632 return error; 633 } 634 635 SYSCALL_DEFINE2(fremovexattr, int, fd, const char __user *, name) 636 { 637 struct file *f; 638 struct dentry *dentry; 639 int error = -EBADF; 640 641 f = fget(fd); 642 if (!f) 643 return error; 644 dentry = f->f_path.dentry; 645 audit_inode(NULL, dentry); 646 error = mnt_want_write_file(f); 647 if (!error) { 648 error = removexattr(dentry, name); 649 mnt_drop_write_file(f); 650 } 651 fput(f); 652 return error; 653 } 654 655 656 static const char * 657 strcmp_prefix(const char *a, const char *a_prefix) 658 { 659 while (*a_prefix && *a == *a_prefix) { 660 a++; 661 a_prefix++; 662 } 663 return *a_prefix ? NULL : a; 664 } 665 666 /* 667 * In order to implement different sets of xattr operations for each xattr 668 * prefix with the generic xattr API, a filesystem should create a 669 * null-terminated array of struct xattr_handler (one for each prefix) and 670 * hang a pointer to it off of the s_xattr field of the superblock. 671 * 672 * The generic_fooxattr() functions will use this list to dispatch xattr 673 * operations to the correct xattr_handler. 674 */ 675 #define for_each_xattr_handler(handlers, handler) \ 676 for ((handler) = *(handlers)++; \ 677 (handler) != NULL; \ 678 (handler) = *(handlers)++) 679 680 /* 681 * Find the xattr_handler with the matching prefix. 682 */ 683 static const struct xattr_handler * 684 xattr_resolve_name(const struct xattr_handler **handlers, const char **name) 685 { 686 const struct xattr_handler *handler; 687 688 if (!*name) 689 return NULL; 690 691 for_each_xattr_handler(handlers, handler) { 692 const char *n = strcmp_prefix(*name, handler->prefix); 693 if (n) { 694 *name = n; 695 break; 696 } 697 } 698 return handler; 699 } 700 701 /* 702 * Find the handler for the prefix and dispatch its get() operation. 703 */ 704 ssize_t 705 generic_getxattr(struct dentry *dentry, const char *name, void *buffer, size_t size) 706 { 707 const struct xattr_handler *handler; 708 709 handler = xattr_resolve_name(dentry->d_sb->s_xattr, &name); 710 if (!handler) 711 return -EOPNOTSUPP; 712 return handler->get(dentry, name, buffer, size, handler->flags); 713 } 714 715 /* 716 * Combine the results of the list() operation from every xattr_handler in the 717 * list. 718 */ 719 ssize_t 720 generic_listxattr(struct dentry *dentry, char *buffer, size_t buffer_size) 721 { 722 const struct xattr_handler *handler, **handlers = dentry->d_sb->s_xattr; 723 unsigned int size = 0; 724 725 if (!buffer) { 726 for_each_xattr_handler(handlers, handler) { 727 size += handler->list(dentry, NULL, 0, NULL, 0, 728 handler->flags); 729 } 730 } else { 731 char *buf = buffer; 732 733 for_each_xattr_handler(handlers, handler) { 734 size = handler->list(dentry, buf, buffer_size, 735 NULL, 0, handler->flags); 736 if (size > buffer_size) 737 return -ERANGE; 738 buf += size; 739 buffer_size -= size; 740 } 741 size = buf - buffer; 742 } 743 return size; 744 } 745 746 /* 747 * Find the handler for the prefix and dispatch its set() operation. 748 */ 749 int 750 generic_setxattr(struct dentry *dentry, const char *name, const void *value, size_t size, int flags) 751 { 752 const struct xattr_handler *handler; 753 754 if (size == 0) 755 value = ""; /* empty EA, do not remove */ 756 handler = xattr_resolve_name(dentry->d_sb->s_xattr, &name); 757 if (!handler) 758 return -EOPNOTSUPP; 759 return handler->set(dentry, name, value, size, flags, handler->flags); 760 } 761 762 /* 763 * Find the handler for the prefix and dispatch its set() operation to remove 764 * any associated extended attribute. 765 */ 766 int 767 generic_removexattr(struct dentry *dentry, const char *name) 768 { 769 const struct xattr_handler *handler; 770 771 handler = xattr_resolve_name(dentry->d_sb->s_xattr, &name); 772 if (!handler) 773 return -EOPNOTSUPP; 774 return handler->set(dentry, name, NULL, 0, 775 XATTR_REPLACE, handler->flags); 776 } 777 778 EXPORT_SYMBOL(generic_getxattr); 779 EXPORT_SYMBOL(generic_listxattr); 780 EXPORT_SYMBOL(generic_setxattr); 781 EXPORT_SYMBOL(generic_removexattr); 782