1 /* 2 File: fs/xattr.c 3 4 Extended attribute handling. 5 6 Copyright (C) 2001 by Andreas Gruenbacher <a.gruenbacher@computer.org> 7 Copyright (C) 2001 SGI - Silicon Graphics, Inc <linux-xfs@oss.sgi.com> 8 Copyright (c) 2004 Red Hat, Inc., James Morris <jmorris@redhat.com> 9 */ 10 #include <linux/fs.h> 11 #include <linux/slab.h> 12 #include <linux/file.h> 13 #include <linux/xattr.h> 14 #include <linux/mount.h> 15 #include <linux/namei.h> 16 #include <linux/security.h> 17 #include <linux/evm.h> 18 #include <linux/syscalls.h> 19 #include <linux/export.h> 20 #include <linux/fsnotify.h> 21 #include <linux/audit.h> 22 #include <linux/vmalloc.h> 23 24 #include <asm/uaccess.h> 25 26 /* 27 * Check permissions for extended attribute access. This is a bit complicated 28 * because different namespaces have very different rules. 29 */ 30 static int 31 xattr_permission(struct inode *inode, const char *name, int mask) 32 { 33 /* 34 * We can never set or remove an extended attribute on a read-only 35 * filesystem or on an immutable / append-only inode. 36 */ 37 if (mask & MAY_WRITE) { 38 if (IS_IMMUTABLE(inode) || IS_APPEND(inode)) 39 return -EPERM; 40 } 41 42 /* 43 * No restriction for security.* and system.* from the VFS. Decision 44 * on these is left to the underlying filesystem / security module. 45 */ 46 if (!strncmp(name, XATTR_SECURITY_PREFIX, XATTR_SECURITY_PREFIX_LEN) || 47 !strncmp(name, XATTR_SYSTEM_PREFIX, XATTR_SYSTEM_PREFIX_LEN)) 48 return 0; 49 50 /* 51 * The trusted.* namespace can only be accessed by privileged users. 52 */ 53 if (!strncmp(name, XATTR_TRUSTED_PREFIX, XATTR_TRUSTED_PREFIX_LEN)) { 54 if (!capable(CAP_SYS_ADMIN)) 55 return (mask & MAY_WRITE) ? -EPERM : -ENODATA; 56 return 0; 57 } 58 59 /* 60 * In the user.* namespace, only regular files and directories can have 61 * extended attributes. For sticky directories, only the owner and 62 * privileged users can write attributes. 63 */ 64 if (!strncmp(name, XATTR_USER_PREFIX, XATTR_USER_PREFIX_LEN)) { 65 if (!S_ISREG(inode->i_mode) && !S_ISDIR(inode->i_mode)) 66 return (mask & MAY_WRITE) ? -EPERM : -ENODATA; 67 if (S_ISDIR(inode->i_mode) && (inode->i_mode & S_ISVTX) && 68 (mask & MAY_WRITE) && !inode_owner_or_capable(inode)) 69 return -EPERM; 70 } 71 72 return inode_permission(inode, mask); 73 } 74 75 /** 76 * __vfs_setxattr_noperm - perform setxattr operation without performing 77 * permission checks. 78 * 79 * @dentry - object to perform setxattr on 80 * @name - xattr name to set 81 * @value - value to set @name to 82 * @size - size of @value 83 * @flags - flags to pass into filesystem operations 84 * 85 * returns the result of the internal setxattr or setsecurity operations. 86 * 87 * This function requires the caller to lock the inode's i_mutex before it 88 * is executed. It also assumes that the caller will make the appropriate 89 * permission checks. 90 */ 91 int __vfs_setxattr_noperm(struct dentry *dentry, const char *name, 92 const void *value, size_t size, int flags) 93 { 94 struct inode *inode = dentry->d_inode; 95 int error = -EOPNOTSUPP; 96 int issec = !strncmp(name, XATTR_SECURITY_PREFIX, 97 XATTR_SECURITY_PREFIX_LEN); 98 99 if (issec) 100 inode->i_flags &= ~S_NOSEC; 101 if (inode->i_op->setxattr) { 102 error = inode->i_op->setxattr(dentry, name, value, size, flags); 103 if (!error) { 104 fsnotify_xattr(dentry); 105 security_inode_post_setxattr(dentry, name, value, 106 size, flags); 107 } 108 } else if (issec) { 109 const char *suffix = name + XATTR_SECURITY_PREFIX_LEN; 110 error = security_inode_setsecurity(inode, suffix, value, 111 size, flags); 112 if (!error) 113 fsnotify_xattr(dentry); 114 } 115 116 return error; 117 } 118 119 120 int 121 vfs_setxattr(struct dentry *dentry, const char *name, const void *value, 122 size_t size, int flags) 123 { 124 struct inode *inode = dentry->d_inode; 125 int error; 126 127 error = xattr_permission(inode, name, MAY_WRITE); 128 if (error) 129 return error; 130 131 mutex_lock(&inode->i_mutex); 132 error = security_inode_setxattr(dentry, name, value, size, flags); 133 if (error) 134 goto out; 135 136 error = __vfs_setxattr_noperm(dentry, name, value, size, flags); 137 138 out: 139 mutex_unlock(&inode->i_mutex); 140 return error; 141 } 142 EXPORT_SYMBOL_GPL(vfs_setxattr); 143 144 ssize_t 145 xattr_getsecurity(struct inode *inode, const char *name, void *value, 146 size_t size) 147 { 148 void *buffer = NULL; 149 ssize_t len; 150 151 if (!value || !size) { 152 len = security_inode_getsecurity(inode, name, &buffer, false); 153 goto out_noalloc; 154 } 155 156 len = security_inode_getsecurity(inode, name, &buffer, true); 157 if (len < 0) 158 return len; 159 if (size < len) { 160 len = -ERANGE; 161 goto out; 162 } 163 memcpy(value, buffer, len); 164 out: 165 security_release_secctx(buffer, len); 166 out_noalloc: 167 return len; 168 } 169 EXPORT_SYMBOL_GPL(xattr_getsecurity); 170 171 /* 172 * vfs_getxattr_alloc - allocate memory, if necessary, before calling getxattr 173 * 174 * Allocate memory, if not already allocated, or re-allocate correct size, 175 * before retrieving the extended attribute. 176 * 177 * Returns the result of alloc, if failed, or the getxattr operation. 178 */ 179 ssize_t 180 vfs_getxattr_alloc(struct dentry *dentry, const char *name, char **xattr_value, 181 size_t xattr_size, gfp_t flags) 182 { 183 struct inode *inode = dentry->d_inode; 184 char *value = *xattr_value; 185 int error; 186 187 error = xattr_permission(inode, name, MAY_READ); 188 if (error) 189 return error; 190 191 if (!inode->i_op->getxattr) 192 return -EOPNOTSUPP; 193 194 error = inode->i_op->getxattr(dentry, name, NULL, 0); 195 if (error < 0) 196 return error; 197 198 if (!value || (error > xattr_size)) { 199 value = krealloc(*xattr_value, error + 1, flags); 200 if (!value) 201 return -ENOMEM; 202 memset(value, 0, error + 1); 203 } 204 205 error = inode->i_op->getxattr(dentry, name, value, error); 206 *xattr_value = value; 207 return error; 208 } 209 210 /* Compare an extended attribute value with the given value */ 211 int vfs_xattr_cmp(struct dentry *dentry, const char *xattr_name, 212 const char *value, size_t size, gfp_t flags) 213 { 214 char *xattr_value = NULL; 215 int rc; 216 217 rc = vfs_getxattr_alloc(dentry, xattr_name, &xattr_value, 0, flags); 218 if (rc < 0) 219 return rc; 220 221 if ((rc != size) || (memcmp(xattr_value, value, rc) != 0)) 222 rc = -EINVAL; 223 else 224 rc = 0; 225 kfree(xattr_value); 226 return rc; 227 } 228 229 ssize_t 230 vfs_getxattr(struct dentry *dentry, const char *name, void *value, size_t size) 231 { 232 struct inode *inode = dentry->d_inode; 233 int error; 234 235 error = xattr_permission(inode, name, MAY_READ); 236 if (error) 237 return error; 238 239 error = security_inode_getxattr(dentry, name); 240 if (error) 241 return error; 242 243 if (!strncmp(name, XATTR_SECURITY_PREFIX, 244 XATTR_SECURITY_PREFIX_LEN)) { 245 const char *suffix = name + XATTR_SECURITY_PREFIX_LEN; 246 int ret = xattr_getsecurity(inode, suffix, value, size); 247 /* 248 * Only overwrite the return value if a security module 249 * is actually active. 250 */ 251 if (ret == -EOPNOTSUPP) 252 goto nolsm; 253 return ret; 254 } 255 nolsm: 256 if (inode->i_op->getxattr) 257 error = inode->i_op->getxattr(dentry, name, value, size); 258 else 259 error = -EOPNOTSUPP; 260 261 return error; 262 } 263 EXPORT_SYMBOL_GPL(vfs_getxattr); 264 265 ssize_t 266 vfs_listxattr(struct dentry *d, char *list, size_t size) 267 { 268 ssize_t error; 269 270 error = security_inode_listxattr(d); 271 if (error) 272 return error; 273 error = -EOPNOTSUPP; 274 if (d->d_inode->i_op->listxattr) { 275 error = d->d_inode->i_op->listxattr(d, list, size); 276 } else { 277 error = security_inode_listsecurity(d->d_inode, list, size); 278 if (size && error > size) 279 error = -ERANGE; 280 } 281 return error; 282 } 283 EXPORT_SYMBOL_GPL(vfs_listxattr); 284 285 int 286 vfs_removexattr(struct dentry *dentry, const char *name) 287 { 288 struct inode *inode = dentry->d_inode; 289 int error; 290 291 if (!inode->i_op->removexattr) 292 return -EOPNOTSUPP; 293 294 error = xattr_permission(inode, name, MAY_WRITE); 295 if (error) 296 return error; 297 298 error = security_inode_removexattr(dentry, name); 299 if (error) 300 return error; 301 302 mutex_lock(&inode->i_mutex); 303 error = inode->i_op->removexattr(dentry, name); 304 mutex_unlock(&inode->i_mutex); 305 306 if (!error) { 307 fsnotify_xattr(dentry); 308 evm_inode_post_removexattr(dentry, name); 309 } 310 return error; 311 } 312 EXPORT_SYMBOL_GPL(vfs_removexattr); 313 314 315 /* 316 * Extended attribute SET operations 317 */ 318 static long 319 setxattr(struct dentry *d, const char __user *name, const void __user *value, 320 size_t size, int flags) 321 { 322 int error; 323 void *kvalue = NULL; 324 void *vvalue = NULL; /* If non-NULL, we used vmalloc() */ 325 char kname[XATTR_NAME_MAX + 1]; 326 327 if (flags & ~(XATTR_CREATE|XATTR_REPLACE)) 328 return -EINVAL; 329 330 error = strncpy_from_user(kname, name, sizeof(kname)); 331 if (error == 0 || error == sizeof(kname)) 332 error = -ERANGE; 333 if (error < 0) 334 return error; 335 336 if (size) { 337 if (size > XATTR_SIZE_MAX) 338 return -E2BIG; 339 kvalue = kmalloc(size, GFP_KERNEL | __GFP_NOWARN); 340 if (!kvalue) { 341 vvalue = vmalloc(size); 342 if (!vvalue) 343 return -ENOMEM; 344 kvalue = vvalue; 345 } 346 if (copy_from_user(kvalue, value, size)) { 347 error = -EFAULT; 348 goto out; 349 } 350 } 351 352 error = vfs_setxattr(d, kname, kvalue, size, flags); 353 out: 354 if (vvalue) 355 vfree(vvalue); 356 else 357 kfree(kvalue); 358 return error; 359 } 360 361 SYSCALL_DEFINE5(setxattr, const char __user *, pathname, 362 const char __user *, name, const void __user *, value, 363 size_t, size, int, flags) 364 { 365 struct path path; 366 int error; 367 368 error = user_path(pathname, &path); 369 if (error) 370 return error; 371 error = mnt_want_write(path.mnt); 372 if (!error) { 373 error = setxattr(path.dentry, name, value, size, flags); 374 mnt_drop_write(path.mnt); 375 } 376 path_put(&path); 377 return error; 378 } 379 380 SYSCALL_DEFINE5(lsetxattr, const char __user *, pathname, 381 const char __user *, name, const void __user *, value, 382 size_t, size, int, flags) 383 { 384 struct path path; 385 int error; 386 387 error = user_lpath(pathname, &path); 388 if (error) 389 return error; 390 error = mnt_want_write(path.mnt); 391 if (!error) { 392 error = setxattr(path.dentry, name, value, size, flags); 393 mnt_drop_write(path.mnt); 394 } 395 path_put(&path); 396 return error; 397 } 398 399 SYSCALL_DEFINE5(fsetxattr, int, fd, const char __user *, name, 400 const void __user *,value, size_t, size, int, flags) 401 { 402 int fput_needed; 403 struct file *f; 404 struct dentry *dentry; 405 int error = -EBADF; 406 407 f = fget_light(fd, &fput_needed); 408 if (!f) 409 return error; 410 dentry = f->f_path.dentry; 411 audit_inode(NULL, dentry); 412 error = mnt_want_write_file(f); 413 if (!error) { 414 error = setxattr(dentry, name, value, size, flags); 415 mnt_drop_write_file(f); 416 } 417 fput_light(f, fput_needed); 418 return error; 419 } 420 421 /* 422 * Extended attribute GET operations 423 */ 424 static ssize_t 425 getxattr(struct dentry *d, const char __user *name, void __user *value, 426 size_t size) 427 { 428 ssize_t error; 429 void *kvalue = NULL; 430 void *vvalue = NULL; 431 char kname[XATTR_NAME_MAX + 1]; 432 433 error = strncpy_from_user(kname, name, sizeof(kname)); 434 if (error == 0 || error == sizeof(kname)) 435 error = -ERANGE; 436 if (error < 0) 437 return error; 438 439 if (size) { 440 if (size > XATTR_SIZE_MAX) 441 size = XATTR_SIZE_MAX; 442 kvalue = kzalloc(size, GFP_KERNEL | __GFP_NOWARN); 443 if (!kvalue) { 444 vvalue = vmalloc(size); 445 if (!vvalue) 446 return -ENOMEM; 447 kvalue = vvalue; 448 } 449 } 450 451 error = vfs_getxattr(d, kname, kvalue, size); 452 if (error > 0) { 453 if (size && copy_to_user(value, kvalue, error)) 454 error = -EFAULT; 455 } else if (error == -ERANGE && size >= XATTR_SIZE_MAX) { 456 /* The file system tried to returned a value bigger 457 than XATTR_SIZE_MAX bytes. Not possible. */ 458 error = -E2BIG; 459 } 460 if (vvalue) 461 vfree(vvalue); 462 else 463 kfree(kvalue); 464 return error; 465 } 466 467 SYSCALL_DEFINE4(getxattr, const char __user *, pathname, 468 const char __user *, name, void __user *, value, size_t, size) 469 { 470 struct path path; 471 ssize_t error; 472 473 error = user_path(pathname, &path); 474 if (error) 475 return error; 476 error = getxattr(path.dentry, name, value, size); 477 path_put(&path); 478 return error; 479 } 480 481 SYSCALL_DEFINE4(lgetxattr, const char __user *, pathname, 482 const char __user *, name, void __user *, value, size_t, size) 483 { 484 struct path path; 485 ssize_t error; 486 487 error = user_lpath(pathname, &path); 488 if (error) 489 return error; 490 error = getxattr(path.dentry, name, value, size); 491 path_put(&path); 492 return error; 493 } 494 495 SYSCALL_DEFINE4(fgetxattr, int, fd, const char __user *, name, 496 void __user *, value, size_t, size) 497 { 498 int fput_needed; 499 struct file *f; 500 ssize_t error = -EBADF; 501 502 f = fget_light(fd, &fput_needed); 503 if (!f) 504 return error; 505 audit_inode(NULL, f->f_path.dentry); 506 error = getxattr(f->f_path.dentry, name, value, size); 507 fput_light(f, fput_needed); 508 return error; 509 } 510 511 /* 512 * Extended attribute LIST operations 513 */ 514 static ssize_t 515 listxattr(struct dentry *d, char __user *list, size_t size) 516 { 517 ssize_t error; 518 char *klist = NULL; 519 char *vlist = NULL; /* If non-NULL, we used vmalloc() */ 520 521 if (size) { 522 if (size > XATTR_LIST_MAX) 523 size = XATTR_LIST_MAX; 524 klist = kmalloc(size, __GFP_NOWARN | GFP_KERNEL); 525 if (!klist) { 526 vlist = vmalloc(size); 527 if (!vlist) 528 return -ENOMEM; 529 klist = vlist; 530 } 531 } 532 533 error = vfs_listxattr(d, klist, size); 534 if (error > 0) { 535 if (size && copy_to_user(list, klist, error)) 536 error = -EFAULT; 537 } else if (error == -ERANGE && size >= XATTR_LIST_MAX) { 538 /* The file system tried to returned a list bigger 539 than XATTR_LIST_MAX bytes. Not possible. */ 540 error = -E2BIG; 541 } 542 if (vlist) 543 vfree(vlist); 544 else 545 kfree(klist); 546 return error; 547 } 548 549 SYSCALL_DEFINE3(listxattr, const char __user *, pathname, char __user *, list, 550 size_t, size) 551 { 552 struct path path; 553 ssize_t error; 554 555 error = user_path(pathname, &path); 556 if (error) 557 return error; 558 error = listxattr(path.dentry, list, size); 559 path_put(&path); 560 return error; 561 } 562 563 SYSCALL_DEFINE3(llistxattr, const char __user *, pathname, char __user *, list, 564 size_t, size) 565 { 566 struct path path; 567 ssize_t error; 568 569 error = user_lpath(pathname, &path); 570 if (error) 571 return error; 572 error = listxattr(path.dentry, list, size); 573 path_put(&path); 574 return error; 575 } 576 577 SYSCALL_DEFINE3(flistxattr, int, fd, char __user *, list, size_t, size) 578 { 579 int fput_needed; 580 struct file *f; 581 ssize_t error = -EBADF; 582 583 f = fget_light(fd, &fput_needed); 584 if (!f) 585 return error; 586 audit_inode(NULL, f->f_path.dentry); 587 error = listxattr(f->f_path.dentry, list, size); 588 fput_light(f, fput_needed); 589 return error; 590 } 591 592 /* 593 * Extended attribute REMOVE operations 594 */ 595 static long 596 removexattr(struct dentry *d, const char __user *name) 597 { 598 int error; 599 char kname[XATTR_NAME_MAX + 1]; 600 601 error = strncpy_from_user(kname, name, sizeof(kname)); 602 if (error == 0 || error == sizeof(kname)) 603 error = -ERANGE; 604 if (error < 0) 605 return error; 606 607 return vfs_removexattr(d, kname); 608 } 609 610 SYSCALL_DEFINE2(removexattr, const char __user *, pathname, 611 const char __user *, name) 612 { 613 struct path path; 614 int error; 615 616 error = user_path(pathname, &path); 617 if (error) 618 return error; 619 error = mnt_want_write(path.mnt); 620 if (!error) { 621 error = removexattr(path.dentry, name); 622 mnt_drop_write(path.mnt); 623 } 624 path_put(&path); 625 return error; 626 } 627 628 SYSCALL_DEFINE2(lremovexattr, const char __user *, pathname, 629 const char __user *, name) 630 { 631 struct path path; 632 int error; 633 634 error = user_lpath(pathname, &path); 635 if (error) 636 return error; 637 error = mnt_want_write(path.mnt); 638 if (!error) { 639 error = removexattr(path.dentry, name); 640 mnt_drop_write(path.mnt); 641 } 642 path_put(&path); 643 return error; 644 } 645 646 SYSCALL_DEFINE2(fremovexattr, int, fd, const char __user *, name) 647 { 648 int fput_needed; 649 struct file *f; 650 struct dentry *dentry; 651 int error = -EBADF; 652 653 f = fget_light(fd, &fput_needed); 654 if (!f) 655 return error; 656 dentry = f->f_path.dentry; 657 audit_inode(NULL, dentry); 658 error = mnt_want_write_file(f); 659 if (!error) { 660 error = removexattr(dentry, name); 661 mnt_drop_write_file(f); 662 } 663 fput_light(f, fput_needed); 664 return error; 665 } 666 667 668 static const char * 669 strcmp_prefix(const char *a, const char *a_prefix) 670 { 671 while (*a_prefix && *a == *a_prefix) { 672 a++; 673 a_prefix++; 674 } 675 return *a_prefix ? NULL : a; 676 } 677 678 /* 679 * In order to implement different sets of xattr operations for each xattr 680 * prefix with the generic xattr API, a filesystem should create a 681 * null-terminated array of struct xattr_handler (one for each prefix) and 682 * hang a pointer to it off of the s_xattr field of the superblock. 683 * 684 * The generic_fooxattr() functions will use this list to dispatch xattr 685 * operations to the correct xattr_handler. 686 */ 687 #define for_each_xattr_handler(handlers, handler) \ 688 for ((handler) = *(handlers)++; \ 689 (handler) != NULL; \ 690 (handler) = *(handlers)++) 691 692 /* 693 * Find the xattr_handler with the matching prefix. 694 */ 695 static const struct xattr_handler * 696 xattr_resolve_name(const struct xattr_handler **handlers, const char **name) 697 { 698 const struct xattr_handler *handler; 699 700 if (!*name) 701 return NULL; 702 703 for_each_xattr_handler(handlers, handler) { 704 const char *n = strcmp_prefix(*name, handler->prefix); 705 if (n) { 706 *name = n; 707 break; 708 } 709 } 710 return handler; 711 } 712 713 /* 714 * Find the handler for the prefix and dispatch its get() operation. 715 */ 716 ssize_t 717 generic_getxattr(struct dentry *dentry, const char *name, void *buffer, size_t size) 718 { 719 const struct xattr_handler *handler; 720 721 handler = xattr_resolve_name(dentry->d_sb->s_xattr, &name); 722 if (!handler) 723 return -EOPNOTSUPP; 724 return handler->get(dentry, name, buffer, size, handler->flags); 725 } 726 727 /* 728 * Combine the results of the list() operation from every xattr_handler in the 729 * list. 730 */ 731 ssize_t 732 generic_listxattr(struct dentry *dentry, char *buffer, size_t buffer_size) 733 { 734 const struct xattr_handler *handler, **handlers = dentry->d_sb->s_xattr; 735 unsigned int size = 0; 736 737 if (!buffer) { 738 for_each_xattr_handler(handlers, handler) { 739 size += handler->list(dentry, NULL, 0, NULL, 0, 740 handler->flags); 741 } 742 } else { 743 char *buf = buffer; 744 745 for_each_xattr_handler(handlers, handler) { 746 size = handler->list(dentry, buf, buffer_size, 747 NULL, 0, handler->flags); 748 if (size > buffer_size) 749 return -ERANGE; 750 buf += size; 751 buffer_size -= size; 752 } 753 size = buf - buffer; 754 } 755 return size; 756 } 757 758 /* 759 * Find the handler for the prefix and dispatch its set() operation. 760 */ 761 int 762 generic_setxattr(struct dentry *dentry, const char *name, const void *value, size_t size, int flags) 763 { 764 const struct xattr_handler *handler; 765 766 if (size == 0) 767 value = ""; /* empty EA, do not remove */ 768 handler = xattr_resolve_name(dentry->d_sb->s_xattr, &name); 769 if (!handler) 770 return -EOPNOTSUPP; 771 return handler->set(dentry, name, value, size, flags, handler->flags); 772 } 773 774 /* 775 * Find the handler for the prefix and dispatch its set() operation to remove 776 * any associated extended attribute. 777 */ 778 int 779 generic_removexattr(struct dentry *dentry, const char *name) 780 { 781 const struct xattr_handler *handler; 782 783 handler = xattr_resolve_name(dentry->d_sb->s_xattr, &name); 784 if (!handler) 785 return -EOPNOTSUPP; 786 return handler->set(dentry, name, NULL, 0, 787 XATTR_REPLACE, handler->flags); 788 } 789 790 EXPORT_SYMBOL(generic_getxattr); 791 EXPORT_SYMBOL(generic_listxattr); 792 EXPORT_SYMBOL(generic_setxattr); 793 EXPORT_SYMBOL(generic_removexattr); 794