Linux Audio

Check our new training course

Loading...
v4.6
 
  1/*
  2 *  linux/fs/attr.c
  3 *
  4 *  Copyright (C) 1991, 1992  Linus Torvalds
  5 *  changes by Thomas Schoebel-Theuer
  6 */
  7
  8#include <linux/export.h>
  9#include <linux/time.h>
 10#include <linux/mm.h>
 11#include <linux/string.h>
 
 12#include <linux/capability.h>
 13#include <linux/fsnotify.h>
 14#include <linux/fcntl.h>
 15#include <linux/security.h>
 16#include <linux/evm.h>
 17#include <linux/ima.h>
 18
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 19/**
 20 * inode_change_ok - check if attribute changes to an inode are allowed
 21 * @inode:	inode to check
 22 * @attr:	attributes to change
 23 *
 24 * Check if we are allowed to change the attributes contained in @attr
 25 * in the given inode.  This includes the normal unix access permission
 26 * checks, as well as checks for rlimits and others.
 
 
 27 *
 28 * Should be called as the first thing in ->setattr implementations,
 29 * possibly after taking additional locks.
 30 */
 31int inode_change_ok(const struct inode *inode, struct iattr *attr)
 32{
 
 33	unsigned int ia_valid = attr->ia_valid;
 34
 35	/*
 36	 * First check size constraints.  These can't be overriden using
 37	 * ATTR_FORCE.
 38	 */
 39	if (ia_valid & ATTR_SIZE) {
 40		int error = inode_newsize_ok(inode, attr->ia_size);
 41		if (error)
 42			return error;
 43	}
 44
 45	/* If force is set do it anyway. */
 46	if (ia_valid & ATTR_FORCE)
 47		return 0;
 48
 49	/* Make sure a caller can chown. */
 50	if ((ia_valid & ATTR_UID) &&
 51	    (!uid_eq(current_fsuid(), inode->i_uid) ||
 52	     !uid_eq(attr->ia_uid, inode->i_uid)) &&
 53	    !capable_wrt_inode_uidgid(inode, CAP_CHOWN))
 54		return -EPERM;
 55
 56	/* Make sure caller can chgrp. */
 57	if ((ia_valid & ATTR_GID) &&
 58	    (!uid_eq(current_fsuid(), inode->i_uid) ||
 59	    (!in_group_p(attr->ia_gid) && !gid_eq(attr->ia_gid, inode->i_gid))) &&
 60	    !capable_wrt_inode_uidgid(inode, CAP_CHOWN))
 61		return -EPERM;
 62
 63	/* Make sure a caller can chmod. */
 64	if (ia_valid & ATTR_MODE) {
 65		if (!inode_owner_or_capable(inode))
 66			return -EPERM;
 67		/* Also check the setgid bit! */
 68		if (!in_group_p((ia_valid & ATTR_GID) ? attr->ia_gid :
 69				inode->i_gid) &&
 70		    !capable_wrt_inode_uidgid(inode, CAP_FSETID))
 71			attr->ia_mode &= ~S_ISGID;
 72	}
 73
 74	/* Check for setting the inode time. */
 75	if (ia_valid & (ATTR_MTIME_SET | ATTR_ATIME_SET | ATTR_TIMES_SET)) {
 76		if (!inode_owner_or_capable(inode))
 77			return -EPERM;
 78	}
 79
 
 
 
 
 
 
 
 
 
 
 80	return 0;
 81}
 82EXPORT_SYMBOL(inode_change_ok);
 83
 84/**
 85 * inode_newsize_ok - may this inode be truncated to a given size
 86 * @inode:	the inode to be truncated
 87 * @offset:	the new size to assign to the inode
 88 * @Returns:	0 on success, -ve errno on failure
 89 *
 90 * inode_newsize_ok must be called with i_mutex held.
 91 *
 92 * inode_newsize_ok will check filesystem limits and ulimits to check that the
 93 * new inode size is within limits. inode_newsize_ok will also send SIGXFSZ
 94 * when necessary. Caller must not proceed with inode size change if failure is
 95 * returned. @inode must be a file (not directory), with appropriate
 96 * permissions to allow truncate (inode_newsize_ok does NOT check these
 97 * conditions).
 
 
 98 */
 99int inode_newsize_ok(const struct inode *inode, loff_t offset)
100{
101	if (inode->i_size < offset) {
102		unsigned long limit;
103
104		limit = rlimit(RLIMIT_FSIZE);
105		if (limit != RLIM_INFINITY && offset > limit)
106			goto out_sig;
107		if (offset > inode->i_sb->s_maxbytes)
108			goto out_big;
109	} else {
110		/*
111		 * truncation of in-use swapfiles is disallowed - it would
112		 * cause subsequent swapout to scribble on the now-freed
113		 * blocks.
114		 */
115		if (IS_SWAPFILE(inode))
116			return -ETXTBSY;
117	}
118
119	return 0;
120out_sig:
121	send_sig(SIGXFSZ, current, 0);
122out_big:
123	return -EFBIG;
124}
125EXPORT_SYMBOL(inode_newsize_ok);
126
127/**
128 * setattr_copy - copy simple metadata updates into the generic inode
129 * @inode:	the inode to be updated
130 * @attr:	the new attributes
131 *
132 * setattr_copy must be called with i_mutex held.
133 *
134 * setattr_copy updates the inode's metadata with that specified
135 * in attr. Noticeably missing is inode size update, which is more complex
136 * as it requires pagecache updates.
137 *
138 * The inode is not marked as dirty after this operation. The rationale is
139 * that for "simple" filesystems, the struct inode is the inode storage.
140 * The caller is free to mark the inode dirty afterwards if needed.
141 */
142void setattr_copy(struct inode *inode, const struct iattr *attr)
143{
144	unsigned int ia_valid = attr->ia_valid;
145
146	if (ia_valid & ATTR_UID)
147		inode->i_uid = attr->ia_uid;
148	if (ia_valid & ATTR_GID)
149		inode->i_gid = attr->ia_gid;
150	if (ia_valid & ATTR_ATIME)
151		inode->i_atime = timespec_trunc(attr->ia_atime,
152						inode->i_sb->s_time_gran);
153	if (ia_valid & ATTR_MTIME)
154		inode->i_mtime = timespec_trunc(attr->ia_mtime,
155						inode->i_sb->s_time_gran);
156	if (ia_valid & ATTR_CTIME)
157		inode->i_ctime = timespec_trunc(attr->ia_ctime,
158						inode->i_sb->s_time_gran);
159	if (ia_valid & ATTR_MODE) {
160		umode_t mode = attr->ia_mode;
161
162		if (!in_group_p(inode->i_gid) &&
163		    !capable_wrt_inode_uidgid(inode, CAP_FSETID))
164			mode &= ~S_ISGID;
165		inode->i_mode = mode;
166	}
167}
168EXPORT_SYMBOL(setattr_copy);
169
170/**
171 * notify_change - modify attributes of a filesytem object
172 * @dentry:	object affected
173 * @iattr:	new attributes
174 * @delegated_inode: returns inode, if the inode is delegated
175 *
176 * The caller must hold the i_mutex on the affected object.
177 *
178 * If notify_change discovers a delegation in need of breaking,
179 * it will return -EWOULDBLOCK and return a reference to the inode in
180 * delegated_inode.  The caller should then break the delegation and
181 * retry.  Because breaking a delegation may take a long time, the
182 * caller should drop the i_mutex before doing so.
183 *
184 * Alternatively, a caller may pass NULL for delegated_inode.  This may
185 * be appropriate for callers that expect the underlying filesystem not
186 * to be NFS exported.  Also, passing NULL is fine for callers holding
187 * the file open for write, as there can be no conflicting delegation in
188 * that case.
189 */
190int notify_change(struct dentry * dentry, struct iattr * attr, struct inode **delegated_inode)
191{
192	struct inode *inode = dentry->d_inode;
193	umode_t mode = inode->i_mode;
194	int error;
195	struct timespec now;
196	unsigned int ia_valid = attr->ia_valid;
197
198	WARN_ON_ONCE(!inode_is_locked(inode));
199
200	if (ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID | ATTR_TIMES_SET)) {
201		if (IS_IMMUTABLE(inode) || IS_APPEND(inode))
202			return -EPERM;
203	}
204
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
205	if ((ia_valid & ATTR_MODE)) {
206		umode_t amode = attr->ia_mode;
207		/* Flag setting protected by i_mutex */
208		if (is_sxid(amode))
209			inode->i_flags &= ~S_NOSEC;
210	}
211
212	now = current_fs_time(inode->i_sb);
213
214	attr->ia_ctime = now;
215	if (!(ia_valid & ATTR_ATIME_SET))
216		attr->ia_atime = now;
 
 
217	if (!(ia_valid & ATTR_MTIME_SET))
218		attr->ia_mtime = now;
 
 
 
219	if (ia_valid & ATTR_KILL_PRIV) {
220		attr->ia_valid &= ~ATTR_KILL_PRIV;
221		ia_valid &= ~ATTR_KILL_PRIV;
222		error = security_inode_need_killpriv(dentry);
223		if (error > 0)
224			error = security_inode_killpriv(dentry);
225		if (error)
226			return error;
 
 
227	}
228
229	/*
230	 * We now pass ATTR_KILL_S*ID to the lower level setattr function so
231	 * that the function has the ability to reinterpret a mode change
232	 * that's due to these bits. This adds an implicit restriction that
233	 * no function will ever call notify_change with both ATTR_MODE and
234	 * ATTR_KILL_S*ID set.
235	 */
236	if ((ia_valid & (ATTR_KILL_SUID|ATTR_KILL_SGID)) &&
237	    (ia_valid & ATTR_MODE))
238		BUG();
239
240	if (ia_valid & ATTR_KILL_SUID) {
241		if (mode & S_ISUID) {
242			ia_valid = attr->ia_valid |= ATTR_MODE;
243			attr->ia_mode = (inode->i_mode & ~S_ISUID);
244		}
245	}
246	if (ia_valid & ATTR_KILL_SGID) {
247		if ((mode & (S_ISGID | S_IXGRP)) == (S_ISGID | S_IXGRP)) {
248			if (!(ia_valid & ATTR_MODE)) {
249				ia_valid = attr->ia_valid |= ATTR_MODE;
250				attr->ia_mode = inode->i_mode;
251			}
252			attr->ia_mode &= ~S_ISGID;
253		}
254	}
255	if (!(attr->ia_valid & ~(ATTR_KILL_SUID | ATTR_KILL_SGID)))
256		return 0;
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
257
258	error = security_inode_setattr(dentry, attr);
259	if (error)
260		return error;
261	error = try_break_deleg(inode, delegated_inode);
262	if (error)
263		return error;
264
265	if (inode->i_op->setattr)
266		error = inode->i_op->setattr(dentry, attr);
267	else
268		error = simple_setattr(dentry, attr);
269
270	if (!error) {
271		fsnotify_change(dentry, ia_valid);
272		ima_inode_post_setattr(dentry);
273		evm_inode_post_setattr(dentry, ia_valid);
274	}
275
276	return error;
277}
278EXPORT_SYMBOL(notify_change);
v5.9
  1// SPDX-License-Identifier: GPL-2.0
  2/*
  3 *  linux/fs/attr.c
  4 *
  5 *  Copyright (C) 1991, 1992  Linus Torvalds
  6 *  changes by Thomas Schoebel-Theuer
  7 */
  8
  9#include <linux/export.h>
 10#include <linux/time.h>
 11#include <linux/mm.h>
 12#include <linux/string.h>
 13#include <linux/sched/signal.h>
 14#include <linux/capability.h>
 15#include <linux/fsnotify.h>
 16#include <linux/fcntl.h>
 17#include <linux/security.h>
 18#include <linux/evm.h>
 19#include <linux/ima.h>
 20
 21static bool chown_ok(const struct inode *inode, kuid_t uid)
 22{
 23	if (uid_eq(current_fsuid(), inode->i_uid) &&
 24	    uid_eq(uid, inode->i_uid))
 25		return true;
 26	if (capable_wrt_inode_uidgid(inode, CAP_CHOWN))
 27		return true;
 28	if (uid_eq(inode->i_uid, INVALID_UID) &&
 29	    ns_capable(inode->i_sb->s_user_ns, CAP_CHOWN))
 30		return true;
 31	return false;
 32}
 33
 34static bool chgrp_ok(const struct inode *inode, kgid_t gid)
 35{
 36	if (uid_eq(current_fsuid(), inode->i_uid) &&
 37	    (in_group_p(gid) || gid_eq(gid, inode->i_gid)))
 38		return true;
 39	if (capable_wrt_inode_uidgid(inode, CAP_CHOWN))
 40		return true;
 41	if (gid_eq(inode->i_gid, INVALID_GID) &&
 42	    ns_capable(inode->i_sb->s_user_ns, CAP_CHOWN))
 43		return true;
 44	return false;
 45}
 46
 47/**
 48 * setattr_prepare - check if attribute changes to a dentry are allowed
 49 * @dentry:	dentry to check
 50 * @attr:	attributes to change
 51 *
 52 * Check if we are allowed to change the attributes contained in @attr
 53 * in the given dentry.  This includes the normal unix access permission
 54 * checks, as well as checks for rlimits and others. The function also clears
 55 * SGID bit from mode if user is not allowed to set it. Also file capabilities
 56 * and IMA extended attributes are cleared if ATTR_KILL_PRIV is set.
 57 *
 58 * Should be called as the first thing in ->setattr implementations,
 59 * possibly after taking additional locks.
 60 */
 61int setattr_prepare(struct dentry *dentry, struct iattr *attr)
 62{
 63	struct inode *inode = d_inode(dentry);
 64	unsigned int ia_valid = attr->ia_valid;
 65
 66	/*
 67	 * First check size constraints.  These can't be overriden using
 68	 * ATTR_FORCE.
 69	 */
 70	if (ia_valid & ATTR_SIZE) {
 71		int error = inode_newsize_ok(inode, attr->ia_size);
 72		if (error)
 73			return error;
 74	}
 75
 76	/* If force is set do it anyway. */
 77	if (ia_valid & ATTR_FORCE)
 78		goto kill_priv;
 79
 80	/* Make sure a caller can chown. */
 81	if ((ia_valid & ATTR_UID) && !chown_ok(inode, attr->ia_uid))
 
 
 
 82		return -EPERM;
 83
 84	/* Make sure caller can chgrp. */
 85	if ((ia_valid & ATTR_GID) && !chgrp_ok(inode, attr->ia_gid))
 
 
 
 86		return -EPERM;
 87
 88	/* Make sure a caller can chmod. */
 89	if (ia_valid & ATTR_MODE) {
 90		if (!inode_owner_or_capable(inode))
 91			return -EPERM;
 92		/* Also check the setgid bit! */
 93		if (!in_group_p((ia_valid & ATTR_GID) ? attr->ia_gid :
 94				inode->i_gid) &&
 95		    !capable_wrt_inode_uidgid(inode, CAP_FSETID))
 96			attr->ia_mode &= ~S_ISGID;
 97	}
 98
 99	/* Check for setting the inode time. */
100	if (ia_valid & (ATTR_MTIME_SET | ATTR_ATIME_SET | ATTR_TIMES_SET)) {
101		if (!inode_owner_or_capable(inode))
102			return -EPERM;
103	}
104
105kill_priv:
106	/* User has permission for the change */
107	if (ia_valid & ATTR_KILL_PRIV) {
108		int error;
109
110		error = security_inode_killpriv(dentry);
111		if (error)
112			return error;
113	}
114
115	return 0;
116}
117EXPORT_SYMBOL(setattr_prepare);
118
119/**
120 * inode_newsize_ok - may this inode be truncated to a given size
121 * @inode:	the inode to be truncated
122 * @offset:	the new size to assign to the inode
 
123 *
124 * inode_newsize_ok must be called with i_mutex held.
125 *
126 * inode_newsize_ok will check filesystem limits and ulimits to check that the
127 * new inode size is within limits. inode_newsize_ok will also send SIGXFSZ
128 * when necessary. Caller must not proceed with inode size change if failure is
129 * returned. @inode must be a file (not directory), with appropriate
130 * permissions to allow truncate (inode_newsize_ok does NOT check these
131 * conditions).
132 *
133 * Return: 0 on success, -ve errno on failure
134 */
135int inode_newsize_ok(const struct inode *inode, loff_t offset)
136{
137	if (inode->i_size < offset) {
138		unsigned long limit;
139
140		limit = rlimit(RLIMIT_FSIZE);
141		if (limit != RLIM_INFINITY && offset > limit)
142			goto out_sig;
143		if (offset > inode->i_sb->s_maxbytes)
144			goto out_big;
145	} else {
146		/*
147		 * truncation of in-use swapfiles is disallowed - it would
148		 * cause subsequent swapout to scribble on the now-freed
149		 * blocks.
150		 */
151		if (IS_SWAPFILE(inode))
152			return -ETXTBSY;
153	}
154
155	return 0;
156out_sig:
157	send_sig(SIGXFSZ, current, 0);
158out_big:
159	return -EFBIG;
160}
161EXPORT_SYMBOL(inode_newsize_ok);
162
163/**
164 * setattr_copy - copy simple metadata updates into the generic inode
165 * @inode:	the inode to be updated
166 * @attr:	the new attributes
167 *
168 * setattr_copy must be called with i_mutex held.
169 *
170 * setattr_copy updates the inode's metadata with that specified
171 * in attr. Noticeably missing is inode size update, which is more complex
172 * as it requires pagecache updates.
173 *
174 * The inode is not marked as dirty after this operation. The rationale is
175 * that for "simple" filesystems, the struct inode is the inode storage.
176 * The caller is free to mark the inode dirty afterwards if needed.
177 */
178void setattr_copy(struct inode *inode, const struct iattr *attr)
179{
180	unsigned int ia_valid = attr->ia_valid;
181
182	if (ia_valid & ATTR_UID)
183		inode->i_uid = attr->ia_uid;
184	if (ia_valid & ATTR_GID)
185		inode->i_gid = attr->ia_gid;
186	if (ia_valid & ATTR_ATIME)
187		inode->i_atime = attr->ia_atime;
 
188	if (ia_valid & ATTR_MTIME)
189		inode->i_mtime = attr->ia_mtime;
 
190	if (ia_valid & ATTR_CTIME)
191		inode->i_ctime = attr->ia_ctime;
 
192	if (ia_valid & ATTR_MODE) {
193		umode_t mode = attr->ia_mode;
194
195		if (!in_group_p(inode->i_gid) &&
196		    !capable_wrt_inode_uidgid(inode, CAP_FSETID))
197			mode &= ~S_ISGID;
198		inode->i_mode = mode;
199	}
200}
201EXPORT_SYMBOL(setattr_copy);
202
203/**
204 * notify_change - modify attributes of a filesytem object
205 * @dentry:	object affected
206 * @attr:	new attributes
207 * @delegated_inode: returns inode, if the inode is delegated
208 *
209 * The caller must hold the i_mutex on the affected object.
210 *
211 * If notify_change discovers a delegation in need of breaking,
212 * it will return -EWOULDBLOCK and return a reference to the inode in
213 * delegated_inode.  The caller should then break the delegation and
214 * retry.  Because breaking a delegation may take a long time, the
215 * caller should drop the i_mutex before doing so.
216 *
217 * Alternatively, a caller may pass NULL for delegated_inode.  This may
218 * be appropriate for callers that expect the underlying filesystem not
219 * to be NFS exported.  Also, passing NULL is fine for callers holding
220 * the file open for write, as there can be no conflicting delegation in
221 * that case.
222 */
223int notify_change(struct dentry * dentry, struct iattr * attr, struct inode **delegated_inode)
224{
225	struct inode *inode = dentry->d_inode;
226	umode_t mode = inode->i_mode;
227	int error;
228	struct timespec64 now;
229	unsigned int ia_valid = attr->ia_valid;
230
231	WARN_ON_ONCE(!inode_is_locked(inode));
232
233	if (ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID | ATTR_TIMES_SET)) {
234		if (IS_IMMUTABLE(inode) || IS_APPEND(inode))
235			return -EPERM;
236	}
237
238	/*
239	 * If utimes(2) and friends are called with times == NULL (or both
240	 * times are UTIME_NOW), then we need to check for write permission
241	 */
242	if (ia_valid & ATTR_TOUCH) {
243		if (IS_IMMUTABLE(inode))
244			return -EPERM;
245
246		if (!inode_owner_or_capable(inode)) {
247			error = inode_permission(inode, MAY_WRITE);
248			if (error)
249				return error;
250		}
251	}
252
253	if ((ia_valid & ATTR_MODE)) {
254		umode_t amode = attr->ia_mode;
255		/* Flag setting protected by i_mutex */
256		if (is_sxid(amode))
257			inode->i_flags &= ~S_NOSEC;
258	}
259
260	now = current_time(inode);
261
262	attr->ia_ctime = now;
263	if (!(ia_valid & ATTR_ATIME_SET))
264		attr->ia_atime = now;
265	else
266		attr->ia_atime = timestamp_truncate(attr->ia_atime, inode);
267	if (!(ia_valid & ATTR_MTIME_SET))
268		attr->ia_mtime = now;
269	else
270		attr->ia_mtime = timestamp_truncate(attr->ia_mtime, inode);
271
272	if (ia_valid & ATTR_KILL_PRIV) {
 
 
273		error = security_inode_need_killpriv(dentry);
274		if (error < 0)
 
 
275			return error;
276		if (error == 0)
277			ia_valid = attr->ia_valid &= ~ATTR_KILL_PRIV;
278	}
279
280	/*
281	 * We now pass ATTR_KILL_S*ID to the lower level setattr function so
282	 * that the function has the ability to reinterpret a mode change
283	 * that's due to these bits. This adds an implicit restriction that
284	 * no function will ever call notify_change with both ATTR_MODE and
285	 * ATTR_KILL_S*ID set.
286	 */
287	if ((ia_valid & (ATTR_KILL_SUID|ATTR_KILL_SGID)) &&
288	    (ia_valid & ATTR_MODE))
289		BUG();
290
291	if (ia_valid & ATTR_KILL_SUID) {
292		if (mode & S_ISUID) {
293			ia_valid = attr->ia_valid |= ATTR_MODE;
294			attr->ia_mode = (inode->i_mode & ~S_ISUID);
295		}
296	}
297	if (ia_valid & ATTR_KILL_SGID) {
298		if ((mode & (S_ISGID | S_IXGRP)) == (S_ISGID | S_IXGRP)) {
299			if (!(ia_valid & ATTR_MODE)) {
300				ia_valid = attr->ia_valid |= ATTR_MODE;
301				attr->ia_mode = inode->i_mode;
302			}
303			attr->ia_mode &= ~S_ISGID;
304		}
305	}
306	if (!(attr->ia_valid & ~(ATTR_KILL_SUID | ATTR_KILL_SGID)))
307		return 0;
308
309	/*
310	 * Verify that uid/gid changes are valid in the target
311	 * namespace of the superblock.
312	 */
313	if (ia_valid & ATTR_UID &&
314	    !kuid_has_mapping(inode->i_sb->s_user_ns, attr->ia_uid))
315		return -EOVERFLOW;
316	if (ia_valid & ATTR_GID &&
317	    !kgid_has_mapping(inode->i_sb->s_user_ns, attr->ia_gid))
318		return -EOVERFLOW;
319
320	/* Don't allow modifications of files with invalid uids or
321	 * gids unless those uids & gids are being made valid.
322	 */
323	if (!(ia_valid & ATTR_UID) && !uid_valid(inode->i_uid))
324		return -EOVERFLOW;
325	if (!(ia_valid & ATTR_GID) && !gid_valid(inode->i_gid))
326		return -EOVERFLOW;
327
328	error = security_inode_setattr(dentry, attr);
329	if (error)
330		return error;
331	error = try_break_deleg(inode, delegated_inode);
332	if (error)
333		return error;
334
335	if (inode->i_op->setattr)
336		error = inode->i_op->setattr(dentry, attr);
337	else
338		error = simple_setattr(dentry, attr);
339
340	if (!error) {
341		fsnotify_change(dentry, ia_valid);
342		ima_inode_post_setattr(dentry);
343		evm_inode_post_setattr(dentry, ia_valid);
344	}
345
346	return error;
347}
348EXPORT_SYMBOL(notify_change);