• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1  /*
2   *  linux/fs/attr.c
3   *
4   *  Copyright (C) 1991, 1992  Linus Torvalds
5   *  changes by Thomas Schoebel-Theuer
6   */
7  
8  #include <linux/export.h>
9  #include <linux/time.h>
10  #include <linux/mm.h>
11  #include <linux/string.h>
12  #include <linux/capability.h>
13  #include <linux/fsnotify.h>
14  #include <linux/fcntl.h>
15  #include <linux/security.h>
16  #include <linux/evm.h>
17  #include <linux/ima.h>
18  
19  /**
20   * setattr_prepare - check if attribute changes to a dentry are allowed
21   * @dentry:	dentry to check
22   * @attr:	attributes to change
23   *
24   * Check if we are allowed to change the attributes contained in @attr
25   * in the given dentry.  This includes the normal unix access permission
26   * checks, as well as checks for rlimits and others. The function also clears
27   * SGID bit from mode if user is not allowed to set it. Also file capabilities
28   * and IMA extended attributes are cleared if ATTR_KILL_PRIV is set.
29   *
30   * Should be called as the first thing in ->setattr implementations,
31   * possibly after taking additional locks.
32   */
setattr_prepare(struct dentry * dentry,struct iattr * attr)33  int setattr_prepare(struct dentry *dentry, struct iattr *attr)
34  {
35  	struct inode *inode = d_inode(dentry);
36  	unsigned int ia_valid = attr->ia_valid;
37  
38  	/*
39  	 * First check size constraints.  These can't be overriden using
40  	 * ATTR_FORCE.
41  	 */
42  	if (ia_valid & ATTR_SIZE) {
43  		int error = inode_newsize_ok(inode, attr->ia_size);
44  		if (error)
45  			return error;
46  	}
47  
48  	/* If force is set do it anyway. */
49  	if (ia_valid & ATTR_FORCE)
50  		goto kill_priv;
51  
52  	/* Make sure a caller can chown. */
53  	if ((ia_valid & ATTR_UID) &&
54  	    (!uid_eq(current_fsuid(), inode->i_uid) ||
55  	     !uid_eq(attr->ia_uid, inode->i_uid)) &&
56  	    !capable_wrt_inode_uidgid(inode, CAP_CHOWN))
57  		return -EPERM;
58  
59  	/* Make sure caller can chgrp. */
60  	if ((ia_valid & ATTR_GID) &&
61  	    (!uid_eq(current_fsuid(), inode->i_uid) ||
62  	    (!in_group_p(attr->ia_gid) && !gid_eq(attr->ia_gid, inode->i_gid))) &&
63  	    !capable_wrt_inode_uidgid(inode, CAP_CHOWN))
64  		return -EPERM;
65  
66  	/* Make sure a caller can chmod. */
67  	if (ia_valid & ATTR_MODE) {
68  		if (!inode_owner_or_capable(inode))
69  			return -EPERM;
70  		/* Also check the setgid bit! */
71  		if (!in_group_p((ia_valid & ATTR_GID) ? attr->ia_gid :
72  				inode->i_gid) &&
73  		    !capable_wrt_inode_uidgid(inode, CAP_FSETID))
74  			attr->ia_mode &= ~S_ISGID;
75  	}
76  
77  	/* Check for setting the inode time. */
78  	if (ia_valid & (ATTR_MTIME_SET | ATTR_ATIME_SET | ATTR_TIMES_SET)) {
79  		if (!inode_owner_or_capable(inode))
80  			return -EPERM;
81  	}
82  
83  kill_priv:
84  	/* User has permission for the change */
85  	if (ia_valid & ATTR_KILL_PRIV) {
86  		int error;
87  
88  		error = security_inode_killpriv(dentry);
89  		if (error)
90  			return error;
91  	}
92  
93  	return 0;
94  }
95  EXPORT_SYMBOL(setattr_prepare);
96  
97  /**
98   * inode_newsize_ok - may this inode be truncated to a given size
99   * @inode:	the inode to be truncated
100   * @offset:	the new size to assign to the inode
101   * @Returns:	0 on success, -ve errno on failure
102   *
103   * inode_newsize_ok must be called with i_mutex held.
104   *
105   * inode_newsize_ok will check filesystem limits and ulimits to check that the
106   * new inode size is within limits. inode_newsize_ok will also send SIGXFSZ
107   * when necessary. Caller must not proceed with inode size change if failure is
108   * returned. @inode must be a file (not directory), with appropriate
109   * permissions to allow truncate (inode_newsize_ok does NOT check these
110   * conditions).
111   */
inode_newsize_ok(const struct inode * inode,loff_t offset)112  int inode_newsize_ok(const struct inode *inode, loff_t offset)
113  {
114  	if (inode->i_size < offset) {
115  		unsigned long limit;
116  
117  		limit = rlimit(RLIMIT_FSIZE);
118  		if (limit != RLIM_INFINITY && offset > limit)
119  			goto out_sig;
120  		if (offset > inode->i_sb->s_maxbytes)
121  			goto out_big;
122  	} else {
123  		/*
124  		 * truncation of in-use swapfiles is disallowed - it would
125  		 * cause subsequent swapout to scribble on the now-freed
126  		 * blocks.
127  		 */
128  		if (IS_SWAPFILE(inode))
129  			return -ETXTBSY;
130  	}
131  
132  	return 0;
133  out_sig:
134  	send_sig(SIGXFSZ, current, 0);
135  out_big:
136  	return -EFBIG;
137  }
138  EXPORT_SYMBOL(inode_newsize_ok);
139  
140  /**
141   * setattr_copy - copy simple metadata updates into the generic inode
142   * @inode:	the inode to be updated
143   * @attr:	the new attributes
144   *
145   * setattr_copy must be called with i_mutex held.
146   *
147   * setattr_copy updates the inode's metadata with that specified
148   * in attr. Noticeably missing is inode size update, which is more complex
149   * as it requires pagecache updates.
150   *
151   * The inode is not marked as dirty after this operation. The rationale is
152   * that for "simple" filesystems, the struct inode is the inode storage.
153   * The caller is free to mark the inode dirty afterwards if needed.
154   */
setattr_copy(struct inode * inode,const struct iattr * attr)155  void setattr_copy(struct inode *inode, const struct iattr *attr)
156  {
157  	unsigned int ia_valid = attr->ia_valid;
158  
159  	if (ia_valid & ATTR_UID)
160  		inode->i_uid = attr->ia_uid;
161  	if (ia_valid & ATTR_GID)
162  		inode->i_gid = attr->ia_gid;
163  	if (ia_valid & ATTR_ATIME)
164  		inode->i_atime = timespec_trunc(attr->ia_atime,
165  						inode->i_sb->s_time_gran);
166  	if (ia_valid & ATTR_MTIME)
167  		inode->i_mtime = timespec_trunc(attr->ia_mtime,
168  						inode->i_sb->s_time_gran);
169  	if (ia_valid & ATTR_CTIME)
170  		inode->i_ctime = timespec_trunc(attr->ia_ctime,
171  						inode->i_sb->s_time_gran);
172  	if (ia_valid & ATTR_MODE) {
173  		umode_t mode = attr->ia_mode;
174  
175  		if (!in_group_p(inode->i_gid) &&
176  		    !capable_wrt_inode_uidgid(inode, CAP_FSETID))
177  			mode &= ~S_ISGID;
178  		inode->i_mode = mode;
179  	}
180  }
181  EXPORT_SYMBOL(setattr_copy);
182  
183  /**
184   * notify_change - modify attributes of a filesytem object
185   * @dentry:	object affected
186   * @iattr:	new attributes
187   * @delegated_inode: returns inode, if the inode is delegated
188   *
189   * The caller must hold the i_mutex on the affected object.
190   *
191   * If notify_change discovers a delegation in need of breaking,
192   * it will return -EWOULDBLOCK and return a reference to the inode in
193   * delegated_inode.  The caller should then break the delegation and
194   * retry.  Because breaking a delegation may take a long time, the
195   * caller should drop the i_mutex before doing so.
196   *
197   * Alternatively, a caller may pass NULL for delegated_inode.  This may
198   * be appropriate for callers that expect the underlying filesystem not
199   * to be NFS exported.  Also, passing NULL is fine for callers holding
200   * the file open for write, as there can be no conflicting delegation in
201   * that case.
202   */
notify_change2(struct vfsmount * mnt,struct dentry * dentry,struct iattr * attr,struct inode ** delegated_inode)203  int notify_change2(struct vfsmount *mnt, struct dentry * dentry, struct iattr * attr, struct inode **delegated_inode)
204  {
205  	struct inode *inode = dentry->d_inode;
206  	umode_t mode = inode->i_mode;
207  	int error;
208  	struct timespec now;
209  	unsigned int ia_valid = attr->ia_valid;
210  
211  	WARN_ON_ONCE(!inode_is_locked(inode));
212  
213  	if (ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID | ATTR_TIMES_SET)) {
214  		if (IS_IMMUTABLE(inode) || IS_APPEND(inode))
215  			return -EPERM;
216  	}
217  
218  	/*
219  	 * If utimes(2) and friends are called with times == NULL (or both
220  	 * times are UTIME_NOW), then we need to check for write permission
221  	 */
222  	if (ia_valid & ATTR_TOUCH) {
223  		if (IS_IMMUTABLE(inode))
224  			return -EPERM;
225  
226  		if (!inode_owner_or_capable(inode)) {
227  			error = inode_permission2(mnt, inode, MAY_WRITE);
228  			if (error)
229  				return error;
230  		}
231  	}
232  
233  	if ((ia_valid & ATTR_MODE)) {
234  		umode_t amode = attr->ia_mode;
235  		/* Flag setting protected by i_mutex */
236  		if (is_sxid(amode))
237  			inode->i_flags &= ~S_NOSEC;
238  	}
239  
240  	now = current_time(inode);
241  
242  	attr->ia_ctime = now;
243  	if (!(ia_valid & ATTR_ATIME_SET))
244  		attr->ia_atime = now;
245  	if (!(ia_valid & ATTR_MTIME_SET))
246  		attr->ia_mtime = now;
247  	if (ia_valid & ATTR_KILL_PRIV) {
248  		error = security_inode_need_killpriv(dentry);
249  		if (error < 0)
250  			return error;
251  		if (error == 0)
252  			ia_valid = attr->ia_valid &= ~ATTR_KILL_PRIV;
253  	}
254  
255  	/*
256  	 * We now pass ATTR_KILL_S*ID to the lower level setattr function so
257  	 * that the function has the ability to reinterpret a mode change
258  	 * that's due to these bits. This adds an implicit restriction that
259  	 * no function will ever call notify_change with both ATTR_MODE and
260  	 * ATTR_KILL_S*ID set.
261  	 */
262  	if ((ia_valid & (ATTR_KILL_SUID|ATTR_KILL_SGID)) &&
263  	    (ia_valid & ATTR_MODE))
264  		BUG();
265  
266  	if (ia_valid & ATTR_KILL_SUID) {
267  		if (mode & S_ISUID) {
268  			ia_valid = attr->ia_valid |= ATTR_MODE;
269  			attr->ia_mode = (inode->i_mode & ~S_ISUID);
270  		}
271  	}
272  	if (ia_valid & ATTR_KILL_SGID) {
273  		if ((mode & (S_ISGID | S_IXGRP)) == (S_ISGID | S_IXGRP)) {
274  			if (!(ia_valid & ATTR_MODE)) {
275  				ia_valid = attr->ia_valid |= ATTR_MODE;
276  				attr->ia_mode = inode->i_mode;
277  			}
278  			attr->ia_mode &= ~S_ISGID;
279  		}
280  	}
281  	if (!(attr->ia_valid & ~(ATTR_KILL_SUID | ATTR_KILL_SGID)))
282  		return 0;
283  
284  	/*
285  	 * Verify that uid/gid changes are valid in the target
286  	 * namespace of the superblock.
287  	 */
288  	if (ia_valid & ATTR_UID &&
289  	    !kuid_has_mapping(inode->i_sb->s_user_ns, attr->ia_uid))
290  		return -EOVERFLOW;
291  	if (ia_valid & ATTR_GID &&
292  	    !kgid_has_mapping(inode->i_sb->s_user_ns, attr->ia_gid))
293  		return -EOVERFLOW;
294  
295  	/* Don't allow modifications of files with invalid uids or
296  	 * gids unless those uids & gids are being made valid.
297  	 */
298  	if (!(ia_valid & ATTR_UID) && !uid_valid(inode->i_uid))
299  		return -EOVERFLOW;
300  	if (!(ia_valid & ATTR_GID) && !gid_valid(inode->i_gid))
301  		return -EOVERFLOW;
302  
303  	error = security_inode_setattr(dentry, attr);
304  	if (error)
305  		return error;
306  	error = try_break_deleg(inode, delegated_inode);
307  	if (error)
308  		return error;
309  
310  	if (mnt && inode->i_op->setattr2)
311  		error = inode->i_op->setattr2(mnt, dentry, attr);
312  	else if (inode->i_op->setattr)
313  		error = inode->i_op->setattr(dentry, attr);
314  	else
315  		error = simple_setattr(dentry, attr);
316  
317  	if (!error) {
318  		fsnotify_change(dentry, ia_valid);
319  		ima_inode_post_setattr(dentry);
320  		evm_inode_post_setattr(dentry, ia_valid);
321  	}
322  
323  	return error;
324  }
325  EXPORT_SYMBOL(notify_change2);
326  
notify_change(struct dentry * dentry,struct iattr * attr,struct inode ** delegated_inode)327  int notify_change(struct dentry * dentry, struct iattr * attr, struct inode **delegated_inode)
328  {
329  	return notify_change2(NULL, dentry, attr, delegated_inode);
330  }
331  EXPORT_SYMBOL(notify_change);
332