xref: /openbmc/linux/security/inode.c (revision 22246614)
1 /*
2  *  inode.c - securityfs
3  *
4  *  Copyright (C) 2005 Greg Kroah-Hartman <gregkh@suse.de>
5  *
6  *	This program is free software; you can redistribute it and/or
7  *	modify it under the terms of the GNU General Public License version
8  *	2 as published by the Free Software Foundation.
9  *
10  *  Based on fs/debugfs/inode.c which had the following copyright notice:
11  *    Copyright (C) 2004 Greg Kroah-Hartman <greg@kroah.com>
12  *    Copyright (C) 2004 IBM Inc.
13  */
14 
15 /* #define DEBUG */
16 #include <linux/module.h>
17 #include <linux/fs.h>
18 #include <linux/mount.h>
19 #include <linux/pagemap.h>
20 #include <linux/init.h>
21 #include <linux/namei.h>
22 #include <linux/security.h>
23 
24 #define SECURITYFS_MAGIC	0x73636673
25 
26 static struct vfsmount *mount;
27 static int mount_count;
28 
29 /*
30  * TODO:
31  *   I think I can get rid of these default_file_ops, but not quite sure...
32  */
33 static ssize_t default_read_file(struct file *file, char __user *buf,
34 				 size_t count, loff_t *ppos)
35 {
36 	return 0;
37 }
38 
39 static ssize_t default_write_file(struct file *file, const char __user *buf,
40 				   size_t count, loff_t *ppos)
41 {
42 	return count;
43 }
44 
45 static int default_open(struct inode *inode, struct file *file)
46 {
47 	if (inode->i_private)
48 		file->private_data = inode->i_private;
49 
50 	return 0;
51 }
52 
53 static const struct file_operations default_file_ops = {
54 	.read =		default_read_file,
55 	.write =	default_write_file,
56 	.open =		default_open,
57 };
58 
59 static struct inode *get_inode(struct super_block *sb, int mode, dev_t dev)
60 {
61 	struct inode *inode = new_inode(sb);
62 
63 	if (inode) {
64 		inode->i_mode = mode;
65 		inode->i_uid = 0;
66 		inode->i_gid = 0;
67 		inode->i_blocks = 0;
68 		inode->i_atime = inode->i_mtime = inode->i_ctime = CURRENT_TIME;
69 		switch (mode & S_IFMT) {
70 		default:
71 			init_special_inode(inode, mode, dev);
72 			break;
73 		case S_IFREG:
74 			inode->i_fop = &default_file_ops;
75 			break;
76 		case S_IFDIR:
77 			inode->i_op = &simple_dir_inode_operations;
78 			inode->i_fop = &simple_dir_operations;
79 
80 			/* directory inodes start off with i_nlink == 2 (for "." entry) */
81 			inc_nlink(inode);
82 			break;
83 		}
84 	}
85 	return inode;
86 }
87 
88 /* SMP-safe */
89 static int mknod(struct inode *dir, struct dentry *dentry,
90 			 int mode, dev_t dev)
91 {
92 	struct inode *inode;
93 	int error = -EPERM;
94 
95 	if (dentry->d_inode)
96 		return -EEXIST;
97 
98 	inode = get_inode(dir->i_sb, mode, dev);
99 	if (inode) {
100 		d_instantiate(dentry, inode);
101 		dget(dentry);
102 		error = 0;
103 	}
104 	return error;
105 }
106 
107 static int mkdir(struct inode *dir, struct dentry *dentry, int mode)
108 {
109 	int res;
110 
111 	mode = (mode & (S_IRWXUGO | S_ISVTX)) | S_IFDIR;
112 	res = mknod(dir, dentry, mode, 0);
113 	if (!res)
114 		inc_nlink(dir);
115 	return res;
116 }
117 
118 static int create(struct inode *dir, struct dentry *dentry, int mode)
119 {
120 	mode = (mode & S_IALLUGO) | S_IFREG;
121 	return mknod(dir, dentry, mode, 0);
122 }
123 
124 static inline int positive(struct dentry *dentry)
125 {
126 	return dentry->d_inode && !d_unhashed(dentry);
127 }
128 
129 static int fill_super(struct super_block *sb, void *data, int silent)
130 {
131 	static struct tree_descr files[] = {{""}};
132 
133 	return simple_fill_super(sb, SECURITYFS_MAGIC, files);
134 }
135 
136 static int get_sb(struct file_system_type *fs_type,
137 		  int flags, const char *dev_name,
138 		  void *data, struct vfsmount *mnt)
139 {
140 	return get_sb_single(fs_type, flags, data, fill_super, mnt);
141 }
142 
143 static struct file_system_type fs_type = {
144 	.owner =	THIS_MODULE,
145 	.name =		"securityfs",
146 	.get_sb =	get_sb,
147 	.kill_sb =	kill_litter_super,
148 };
149 
150 static int create_by_name(const char *name, mode_t mode,
151 			  struct dentry *parent,
152 			  struct dentry **dentry)
153 {
154 	int error = 0;
155 
156 	*dentry = NULL;
157 
158 	/* If the parent is not specified, we create it in the root.
159 	 * We need the root dentry to do this, which is in the super
160 	 * block. A pointer to that is in the struct vfsmount that we
161 	 * have around.
162 	 */
163 	if (!parent ) {
164 		if (mount && mount->mnt_sb) {
165 			parent = mount->mnt_sb->s_root;
166 		}
167 	}
168 	if (!parent) {
169 		pr_debug("securityfs: Ah! can not find a parent!\n");
170 		return -EFAULT;
171 	}
172 
173 	mutex_lock(&parent->d_inode->i_mutex);
174 	*dentry = lookup_one_len(name, parent, strlen(name));
175 	if (!IS_ERR(dentry)) {
176 		if ((mode & S_IFMT) == S_IFDIR)
177 			error = mkdir(parent->d_inode, *dentry, mode);
178 		else
179 			error = create(parent->d_inode, *dentry, mode);
180 	} else
181 		error = PTR_ERR(dentry);
182 	mutex_unlock(&parent->d_inode->i_mutex);
183 
184 	return error;
185 }
186 
187 /**
188  * securityfs_create_file - create a file in the securityfs filesystem
189  *
190  * @name: a pointer to a string containing the name of the file to create.
191  * @mode: the permission that the file should have
192  * @parent: a pointer to the parent dentry for this file.  This should be a
193  *          directory dentry if set.  If this paramater is NULL, then the
194  *          file will be created in the root of the securityfs filesystem.
195  * @data: a pointer to something that the caller will want to get to later
196  *        on.  The inode.i_private pointer will point to this value on
197  *        the open() call.
198  * @fops: a pointer to a struct file_operations that should be used for
199  *        this file.
200  *
201  * This is the basic "create a file" function for securityfs.  It allows for a
202  * wide range of flexibility in createing a file, or a directory (if you
203  * want to create a directory, the securityfs_create_dir() function is
204  * recommended to be used instead.)
205  *
206  * This function will return a pointer to a dentry if it succeeds.  This
207  * pointer must be passed to the securityfs_remove() function when the file is
208  * to be removed (no automatic cleanup happens if your module is unloaded,
209  * you are responsible here.)  If an error occurs, NULL will be returned.
210  *
211  * If securityfs is not enabled in the kernel, the value -ENODEV will be
212  * returned.  It is not wise to check for this value, but rather, check for
213  * NULL or !NULL instead as to eliminate the need for #ifdef in the calling
214  * code.
215  */
216 struct dentry *securityfs_create_file(const char *name, mode_t mode,
217 				   struct dentry *parent, void *data,
218 				   const struct file_operations *fops)
219 {
220 	struct dentry *dentry = NULL;
221 	int error;
222 
223 	pr_debug("securityfs: creating file '%s'\n",name);
224 
225 	error = simple_pin_fs(&fs_type, &mount, &mount_count);
226 	if (error) {
227 		dentry = ERR_PTR(error);
228 		goto exit;
229 	}
230 
231 	error = create_by_name(name, mode, parent, &dentry);
232 	if (error) {
233 		dentry = ERR_PTR(error);
234 		simple_release_fs(&mount, &mount_count);
235 		goto exit;
236 	}
237 
238 	if (dentry->d_inode) {
239 		if (fops)
240 			dentry->d_inode->i_fop = fops;
241 		if (data)
242 			dentry->d_inode->i_private = data;
243 	}
244 exit:
245 	return dentry;
246 }
247 EXPORT_SYMBOL_GPL(securityfs_create_file);
248 
249 /**
250  * securityfs_create_dir - create a directory in the securityfs filesystem
251  *
252  * @name: a pointer to a string containing the name of the directory to
253  *        create.
254  * @parent: a pointer to the parent dentry for this file.  This should be a
255  *          directory dentry if set.  If this paramater is NULL, then the
256  *          directory will be created in the root of the securityfs filesystem.
257  *
258  * This function creates a directory in securityfs with the given name.
259  *
260  * This function will return a pointer to a dentry if it succeeds.  This
261  * pointer must be passed to the securityfs_remove() function when the file is
262  * to be removed (no automatic cleanup happens if your module is unloaded,
263  * you are responsible here.)  If an error occurs, NULL will be returned.
264  *
265  * If securityfs is not enabled in the kernel, the value -ENODEV will be
266  * returned.  It is not wise to check for this value, but rather, check for
267  * NULL or !NULL instead as to eliminate the need for #ifdef in the calling
268  * code.
269  */
270 struct dentry *securityfs_create_dir(const char *name, struct dentry *parent)
271 {
272 	return securityfs_create_file(name,
273 				      S_IFDIR | S_IRWXU | S_IRUGO | S_IXUGO,
274 				      parent, NULL, NULL);
275 }
276 EXPORT_SYMBOL_GPL(securityfs_create_dir);
277 
278 /**
279  * securityfs_remove - removes a file or directory from the securityfs filesystem
280  *
281  * @dentry: a pointer to a the dentry of the file or directory to be
282  *          removed.
283  *
284  * This function removes a file or directory in securityfs that was previously
285  * created with a call to another securityfs function (like
286  * securityfs_create_file() or variants thereof.)
287  *
288  * This function is required to be called in order for the file to be
289  * removed, no automatic cleanup of files will happen when a module is
290  * removed, you are responsible here.
291  */
292 void securityfs_remove(struct dentry *dentry)
293 {
294 	struct dentry *parent;
295 
296 	if (!dentry)
297 		return;
298 
299 	parent = dentry->d_parent;
300 	if (!parent || !parent->d_inode)
301 		return;
302 
303 	mutex_lock(&parent->d_inode->i_mutex);
304 	if (positive(dentry)) {
305 		if (dentry->d_inode) {
306 			if (S_ISDIR(dentry->d_inode->i_mode))
307 				simple_rmdir(parent->d_inode, dentry);
308 			else
309 				simple_unlink(parent->d_inode, dentry);
310 			dput(dentry);
311 		}
312 	}
313 	mutex_unlock(&parent->d_inode->i_mutex);
314 	simple_release_fs(&mount, &mount_count);
315 }
316 EXPORT_SYMBOL_GPL(securityfs_remove);
317 
318 static struct kobject *security_kobj;
319 
320 static int __init securityfs_init(void)
321 {
322 	int retval;
323 
324 	security_kobj = kobject_create_and_add("security", kernel_kobj);
325 	if (!security_kobj)
326 		return -EINVAL;
327 
328 	retval = register_filesystem(&fs_type);
329 	if (retval)
330 		kobject_put(security_kobj);
331 	return retval;
332 }
333 
334 core_initcall(securityfs_init);
335 MODULE_LICENSE("GPL");
336 
337