Commit | Line | Data |
---|---|---|
2874c5fd | 1 | // SPDX-License-Identifier: GPL-2.0-or-later |
00d3b7a4 DH |
2 | /* AFS security handling |
3 | * | |
be080a6f | 4 | * Copyright (C) 2007, 2017 Red Hat, Inc. All Rights Reserved. |
00d3b7a4 | 5 | * Written by David Howells (dhowells@redhat.com) |
00d3b7a4 DH |
6 | */ |
7 | ||
8 | #include <linux/init.h> | |
9 | #include <linux/slab.h> | |
10 | #include <linux/fs.h> | |
11 | #include <linux/ctype.h> | |
e8edc6e0 | 12 | #include <linux/sched.h> |
be080a6f | 13 | #include <linux/hashtable.h> |
00d3b7a4 DH |
14 | #include <keys/rxrpc-type.h> |
15 | #include "internal.h" | |
16 | ||
be080a6f DH |
17 | static DEFINE_HASHTABLE(afs_permits_cache, 10); |
18 | static DEFINE_SPINLOCK(afs_permits_lock); | |
19 | ||
00d3b7a4 DH |
20 | /* |
21 | * get a key | |
22 | */ | |
23 | struct key *afs_request_key(struct afs_cell *cell) | |
24 | { | |
25 | struct key *key; | |
26 | ||
27 | _enter("{%x}", key_serial(cell->anonymous_key)); | |
28 | ||
29 | _debug("key %s", cell->anonymous_key->description); | |
30 | key = request_key(&key_type_rxrpc, cell->anonymous_key->description, | |
31 | NULL); | |
32 | if (IS_ERR(key)) { | |
33 | if (PTR_ERR(key) != -ENOKEY) { | |
34 | _leave(" = %ld", PTR_ERR(key)); | |
35 | return key; | |
36 | } | |
37 | ||
38 | /* act as anonymous user */ | |
39 | _leave(" = {%x} [anon]", key_serial(cell->anonymous_key)); | |
40 | return key_get(cell->anonymous_key); | |
41 | } else { | |
42 | /* act as authorised user */ | |
43 | _leave(" = {%x} [auth]", key_serial(key)); | |
44 | return key; | |
45 | } | |
46 | } | |
47 | ||
48 | /* | |
be080a6f | 49 | * Dispose of a list of permits. |
00d3b7a4 | 50 | */ |
be080a6f | 51 | static void afs_permits_rcu(struct rcu_head *rcu) |
00d3b7a4 DH |
52 | { |
53 | struct afs_permits *permits = | |
54 | container_of(rcu, struct afs_permits, rcu); | |
be080a6f | 55 | int i; |
00d3b7a4 | 56 | |
be080a6f DH |
57 | for (i = 0; i < permits->nr_permits; i++) |
58 | key_put(permits->permits[i].key); | |
00d3b7a4 DH |
59 | kfree(permits); |
60 | } | |
61 | ||
62 | /* | |
be080a6f | 63 | * Discard a permission cache. |
00d3b7a4 | 64 | */ |
be080a6f | 65 | void afs_put_permits(struct afs_permits *permits) |
00d3b7a4 | 66 | { |
be080a6f DH |
67 | if (permits && refcount_dec_and_test(&permits->usage)) { |
68 | spin_lock(&afs_permits_lock); | |
69 | hash_del_rcu(&permits->hash_node); | |
70 | spin_unlock(&afs_permits_lock); | |
71 | call_rcu(&permits->rcu, afs_permits_rcu); | |
72 | } | |
00d3b7a4 DH |
73 | } |
74 | ||
75 | /* | |
be080a6f | 76 | * Clear a permit cache on callback break. |
00d3b7a4 | 77 | */ |
be080a6f | 78 | void afs_clear_permits(struct afs_vnode *vnode) |
00d3b7a4 | 79 | { |
be080a6f | 80 | struct afs_permits *permits; |
00d3b7a4 | 81 | |
be080a6f DH |
82 | spin_lock(&vnode->lock); |
83 | permits = rcu_dereference_protected(vnode->permit_cache, | |
84 | lockdep_is_held(&vnode->lock)); | |
85 | RCU_INIT_POINTER(vnode->permit_cache, NULL); | |
be080a6f | 86 | spin_unlock(&vnode->lock); |
00d3b7a4 | 87 | |
fd711586 | 88 | afs_put_permits(permits); |
00d3b7a4 DH |
89 | } |
90 | ||
91 | /* | |
be080a6f DH |
92 | * Hash a list of permits. Use simple addition to make it easy to add an extra |
93 | * one at an as-yet indeterminate position in the list. | |
00d3b7a4 | 94 | */ |
be080a6f | 95 | static void afs_hash_permits(struct afs_permits *permits) |
00d3b7a4 | 96 | { |
be080a6f DH |
97 | unsigned long h = permits->nr_permits; |
98 | int i; | |
00d3b7a4 | 99 | |
be080a6f DH |
100 | for (i = 0; i < permits->nr_permits; i++) { |
101 | h += (unsigned long)permits->permits[i].key / sizeof(void *); | |
102 | h += permits->permits[i].access; | |
103 | } | |
00d3b7a4 | 104 | |
be080a6f | 105 | permits->h = h; |
00d3b7a4 DH |
106 | } |
107 | ||
108 | /* | |
be080a6f DH |
109 | * Cache the CallerAccess result obtained from doing a fileserver operation |
110 | * that returned a vnode status for a particular key. If a callback break | |
111 | * occurs whilst the operation was in progress then we have to ditch the cache | |
112 | * as the ACL *may* have changed. | |
00d3b7a4 | 113 | */ |
be080a6f | 114 | void afs_cache_permit(struct afs_vnode *vnode, struct key *key, |
a58823ac | 115 | unsigned int cb_break, struct afs_status_cb *scb) |
00d3b7a4 | 116 | { |
1bcab125 | 117 | struct afs_permits *permits, *xpermits, *replacement, *zap, *new = NULL; |
a58823ac | 118 | afs_access_t caller_access = scb->status.caller_access; |
be080a6f DH |
119 | size_t size = 0; |
120 | bool changed = false; | |
121 | int i, j; | |
122 | ||
3b6492df | 123 | _enter("{%llx:%llu},%x,%x", |
be080a6f DH |
124 | vnode->fid.vid, vnode->fid.vnode, key_serial(key), caller_access); |
125 | ||
126 | rcu_read_lock(); | |
127 | ||
128 | /* Check for the common case first: We got back the same access as last | |
129 | * time we tried and already have it recorded. | |
130 | */ | |
131 | permits = rcu_dereference(vnode->permit_cache); | |
132 | if (permits) { | |
133 | if (!permits->invalidated) { | |
134 | for (i = 0; i < permits->nr_permits; i++) { | |
135 | if (permits->permits[i].key < key) | |
136 | continue; | |
137 | if (permits->permits[i].key > key) | |
138 | break; | |
139 | if (permits->permits[i].access != caller_access) { | |
140 | changed = true; | |
141 | break; | |
142 | } | |
00d3b7a4 | 143 | |
18ac6185 | 144 | if (afs_cb_is_broken(cb_break, vnode, |
f642404a | 145 | rcu_dereference(vnode->cb_interest))) { |
be080a6f DH |
146 | changed = true; |
147 | break; | |
148 | } | |
00d3b7a4 | 149 | |
be080a6f DH |
150 | /* The cache is still good. */ |
151 | rcu_read_unlock(); | |
152 | return; | |
153 | } | |
154 | } | |
00d3b7a4 | 155 | |
be080a6f DH |
156 | changed |= permits->invalidated; |
157 | size = permits->nr_permits; | |
00d3b7a4 | 158 | |
be080a6f DH |
159 | /* If this set of permits is now wrong, clear the permits |
160 | * pointer so that no one tries to use the stale information. | |
161 | */ | |
162 | if (changed) { | |
163 | spin_lock(&vnode->lock); | |
164 | if (permits != rcu_access_pointer(vnode->permit_cache)) | |
165 | goto someone_else_changed_it_unlock; | |
166 | RCU_INIT_POINTER(vnode->permit_cache, NULL); | |
167 | spin_unlock(&vnode->lock); | |
168 | ||
169 | afs_put_permits(permits); | |
170 | permits = NULL; | |
171 | size = 0; | |
172 | } | |
00d3b7a4 DH |
173 | } |
174 | ||
f642404a | 175 | if (afs_cb_is_broken(cb_break, vnode, rcu_dereference(vnode->cb_interest))) |
be080a6f | 176 | goto someone_else_changed_it; |
00d3b7a4 | 177 | |
be080a6f DH |
178 | /* We need a ref on any permits list we want to copy as we'll have to |
179 | * drop the lock to do memory allocation. | |
180 | */ | |
fe342cf7 | 181 | if (permits && !refcount_inc_not_zero(&permits->usage)) |
be080a6f | 182 | goto someone_else_changed_it; |
be080a6f DH |
183 | |
184 | rcu_read_unlock(); | |
185 | ||
186 | /* Speculatively create a new list with the revised permission set. We | |
187 | * discard this if we find an extant match already in the hash, but | |
188 | * it's easier to compare with memcmp this way. | |
189 | * | |
190 | * We fill in the key pointers at this time, but we don't get the refs | |
191 | * yet. | |
192 | */ | |
193 | size++; | |
194 | new = kzalloc(sizeof(struct afs_permits) + | |
195 | sizeof(struct afs_permit) * size, GFP_NOFS); | |
196 | if (!new) | |
1bcab125 | 197 | goto out_put; |
be080a6f DH |
198 | |
199 | refcount_set(&new->usage, 1); | |
200 | new->nr_permits = size; | |
201 | i = j = 0; | |
202 | if (permits) { | |
203 | for (i = 0; i < permits->nr_permits; i++) { | |
204 | if (j == i && permits->permits[i].key > key) { | |
205 | new->permits[j].key = key; | |
206 | new->permits[j].access = caller_access; | |
207 | j++; | |
00d3b7a4 | 208 | } |
be080a6f DH |
209 | new->permits[j].key = permits->permits[i].key; |
210 | new->permits[j].access = permits->permits[i].access; | |
211 | j++; | |
00d3b7a4 DH |
212 | } |
213 | } | |
214 | ||
be080a6f DH |
215 | if (j == i) { |
216 | new->permits[j].key = key; | |
217 | new->permits[j].access = caller_access; | |
218 | } | |
219 | ||
220 | afs_hash_permits(new); | |
221 | ||
be080a6f DH |
222 | /* Now see if the permit list we want is actually already available */ |
223 | spin_lock(&afs_permits_lock); | |
224 | ||
225 | hash_for_each_possible(afs_permits_cache, xpermits, hash_node, new->h) { | |
226 | if (xpermits->h != new->h || | |
227 | xpermits->invalidated || | |
228 | xpermits->nr_permits != new->nr_permits || | |
229 | memcmp(xpermits->permits, new->permits, | |
230 | new->nr_permits * sizeof(struct afs_permit)) != 0) | |
231 | continue; | |
232 | ||
233 | if (refcount_inc_not_zero(&xpermits->usage)) { | |
234 | replacement = xpermits; | |
235 | goto found; | |
236 | } | |
237 | ||
238 | break; | |
239 | } | |
240 | ||
241 | for (i = 0; i < new->nr_permits; i++) | |
242 | key_get(new->permits[i].key); | |
243 | hash_add_rcu(afs_permits_cache, &new->hash_node, new->h); | |
244 | replacement = new; | |
245 | new = NULL; | |
246 | ||
247 | found: | |
248 | spin_unlock(&afs_permits_lock); | |
249 | ||
250 | kfree(new); | |
251 | ||
f642404a | 252 | rcu_read_lock(); |
be080a6f | 253 | spin_lock(&vnode->lock); |
1bcab125 | 254 | zap = rcu_access_pointer(vnode->permit_cache); |
f642404a | 255 | if (!afs_cb_is_broken(cb_break, vnode, rcu_dereference(vnode->cb_interest)) && |
1bcab125 DH |
256 | zap == permits) |
257 | rcu_assign_pointer(vnode->permit_cache, replacement); | |
258 | else | |
259 | zap = replacement; | |
be080a6f | 260 | spin_unlock(&vnode->lock); |
f642404a | 261 | rcu_read_unlock(); |
1bcab125 DH |
262 | afs_put_permits(zap); |
263 | out_put: | |
be080a6f DH |
264 | afs_put_permits(permits); |
265 | return; | |
266 | ||
267 | someone_else_changed_it_unlock: | |
268 | spin_unlock(&vnode->lock); | |
269 | someone_else_changed_it: | |
270 | /* Someone else changed the cache under us - don't recheck at this | |
271 | * time. | |
272 | */ | |
fe342cf7 | 273 | rcu_read_unlock(); |
be080a6f | 274 | return; |
00d3b7a4 DH |
275 | } |
276 | ||
277 | /* | |
278 | * check with the fileserver to see if the directory or parent directory is | |
279 | * permitted to be accessed with this authorisation, and if so, what access it | |
280 | * is granted | |
281 | */ | |
0fafdc9f DH |
282 | int afs_check_permit(struct afs_vnode *vnode, struct key *key, |
283 | afs_access_t *_access) | |
00d3b7a4 DH |
284 | { |
285 | struct afs_permits *permits; | |
be080a6f DH |
286 | bool valid = false; |
287 | int i, ret; | |
00d3b7a4 | 288 | |
3b6492df | 289 | _enter("{%llx:%llu},%x", |
416351f2 | 290 | vnode->fid.vid, vnode->fid.vnode, key_serial(key)); |
00d3b7a4 | 291 | |
00d3b7a4 | 292 | /* check the permits to see if we've got one yet */ |
be080a6f | 293 | if (key == vnode->volume->cell->anonymous_key) { |
00d3b7a4 | 294 | _debug("anon"); |
be080a6f | 295 | *_access = vnode->status.anon_access; |
00d3b7a4 DH |
296 | valid = true; |
297 | } else { | |
00d3b7a4 | 298 | rcu_read_lock(); |
be080a6f | 299 | permits = rcu_dereference(vnode->permit_cache); |
00d3b7a4 | 300 | if (permits) { |
be080a6f DH |
301 | for (i = 0; i < permits->nr_permits; i++) { |
302 | if (permits->permits[i].key < key) | |
303 | continue; | |
304 | if (permits->permits[i].key > key) | |
00d3b7a4 | 305 | break; |
be080a6f DH |
306 | |
307 | *_access = permits->permits[i].access; | |
308 | valid = !permits->invalidated; | |
309 | break; | |
00d3b7a4 DH |
310 | } |
311 | } | |
312 | rcu_read_unlock(); | |
313 | } | |
314 | ||
315 | if (!valid) { | |
be080a6f DH |
316 | /* Check the status on the file we're actually interested in |
317 | * (the post-processing will cache the result). | |
318 | */ | |
00d3b7a4 DH |
319 | _debug("no valid permit"); |
320 | ||
a58823ac | 321 | ret = afs_fetch_status(vnode, key, false, _access); |
00d3b7a4 | 322 | if (ret < 0) { |
00d3b7a4 DH |
323 | *_access = 0; |
324 | _leave(" = %d", ret); | |
325 | return ret; | |
326 | } | |
327 | } | |
328 | ||
00d3b7a4 DH |
329 | _leave(" = 0 [access %x]", *_access); |
330 | return 0; | |
331 | } | |
332 | ||
333 | /* | |
334 | * check the permissions on an AFS file | |
335 | * - AFS ACLs are attached to directories only, and a file is controlled by its | |
336 | * parent directory's ACL | |
337 | */ | |
10556cb2 | 338 | int afs_permission(struct inode *inode, int mask) |
00d3b7a4 DH |
339 | { |
340 | struct afs_vnode *vnode = AFS_FS_I(inode); | |
69759454 | 341 | afs_access_t uninitialized_var(access); |
00d3b7a4 DH |
342 | struct key *key; |
343 | int ret; | |
344 | ||
10556cb2 | 345 | if (mask & MAY_NOT_BLOCK) |
b74c79e9 NP |
346 | return -ECHILD; |
347 | ||
3b6492df | 348 | _enter("{{%llx:%llu},%lx},%x,", |
260a9803 | 349 | vnode->fid.vid, vnode->fid.vnode, vnode->flags, mask); |
00d3b7a4 DH |
350 | |
351 | key = afs_request_key(vnode->volume->cell); | |
352 | if (IS_ERR(key)) { | |
353 | _leave(" = %ld [key]", PTR_ERR(key)); | |
354 | return PTR_ERR(key); | |
355 | } | |
356 | ||
c435ee34 DH |
357 | ret = afs_validate(vnode, key); |
358 | if (ret < 0) | |
359 | goto error; | |
260a9803 | 360 | |
00d3b7a4 DH |
361 | /* check the permits to see if we've got one yet */ |
362 | ret = afs_check_permit(vnode, key, &access); | |
260a9803 DH |
363 | if (ret < 0) |
364 | goto error; | |
00d3b7a4 DH |
365 | |
366 | /* interpret the access mask */ | |
367 | _debug("REQ %x ACC %x on %s", | |
368 | mask, access, S_ISDIR(inode->i_mode) ? "dir" : "file"); | |
369 | ||
370 | if (S_ISDIR(inode->i_mode)) { | |
378831e4 | 371 | if (mask & (MAY_EXEC | MAY_READ | MAY_CHDIR)) { |
00d3b7a4 DH |
372 | if (!(access & AFS_ACE_LOOKUP)) |
373 | goto permission_denied; | |
378831e4 DH |
374 | } |
375 | if (mask & MAY_WRITE) { | |
00d3b7a4 | 376 | if (!(access & (AFS_ACE_DELETE | /* rmdir, unlink, rename from */ |
fd249821 | 377 | AFS_ACE_INSERT))) /* create, mkdir, symlink, rename to */ |
00d3b7a4 | 378 | goto permission_denied; |
00d3b7a4 DH |
379 | } |
380 | } else { | |
381 | if (!(access & AFS_ACE_LOOKUP)) | |
382 | goto permission_denied; | |
627f4694 MD |
383 | if ((mask & MAY_EXEC) && !(inode->i_mode & S_IXUSR)) |
384 | goto permission_denied; | |
00d3b7a4 DH |
385 | if (mask & (MAY_EXEC | MAY_READ)) { |
386 | if (!(access & AFS_ACE_READ)) | |
387 | goto permission_denied; | |
627f4694 MD |
388 | if (!(inode->i_mode & S_IRUSR)) |
389 | goto permission_denied; | |
00d3b7a4 DH |
390 | } else if (mask & MAY_WRITE) { |
391 | if (!(access & AFS_ACE_WRITE)) | |
392 | goto permission_denied; | |
627f4694 MD |
393 | if (!(inode->i_mode & S_IWUSR)) |
394 | goto permission_denied; | |
00d3b7a4 DH |
395 | } |
396 | } | |
397 | ||
398 | key_put(key); | |
260a9803 DH |
399 | _leave(" = %d", ret); |
400 | return ret; | |
00d3b7a4 DH |
401 | |
402 | permission_denied: | |
260a9803 DH |
403 | ret = -EACCES; |
404 | error: | |
00d3b7a4 | 405 | key_put(key); |
260a9803 DH |
406 | _leave(" = %d", ret); |
407 | return ret; | |
00d3b7a4 | 408 | } |
be080a6f DH |
409 | |
410 | void __exit afs_clean_up_permit_cache(void) | |
411 | { | |
412 | int i; | |
413 | ||
414 | for (i = 0; i < HASH_SIZE(afs_permits_cache); i++) | |
415 | WARN_ON_ONCE(!hlist_empty(&afs_permits_cache[i])); | |
416 | ||
417 | } |