Linux Audio

Check our new training course

Loading...
v6.2
  1// SPDX-License-Identifier: GPL-2.0
  2/*
  3 *  linux/fs/attr.c
  4 *
  5 *  Copyright (C) 1991, 1992  Linus Torvalds
  6 *  changes by Thomas Schoebel-Theuer
  7 */
  8
  9#include <linux/export.h>
 10#include <linux/time.h>
 11#include <linux/mm.h>
 12#include <linux/string.h>
 13#include <linux/sched/signal.h>
 14#include <linux/capability.h>
 15#include <linux/fsnotify.h>
 16#include <linux/fcntl.h>
 
 17#include <linux/security.h>
 18#include <linux/evm.h>
 19#include <linux/ima.h>
 20
 21#include "internal.h"
 22
 23/**
 24 * setattr_should_drop_sgid - determine whether the setgid bit needs to be
 25 *                            removed
 26 * @mnt_userns:	user namespace of the mount @inode was found from
 27 * @inode:	inode to check
 28 *
 29 * This function determines whether the setgid bit needs to be removed.
 30 * We retain backwards compatibility and require setgid bit to be removed
 31 * unconditionally if S_IXGRP is set. Otherwise we have the exact same
 32 * requirements as setattr_prepare() and setattr_copy().
 33 *
 34 * Return: ATTR_KILL_SGID if setgid bit needs to be removed, 0 otherwise.
 35 */
 36int setattr_should_drop_sgid(struct user_namespace *mnt_userns,
 37			     const struct inode *inode)
 38{
 39	umode_t mode = inode->i_mode;
 40
 41	if (!(mode & S_ISGID))
 42		return 0;
 43	if (mode & S_IXGRP)
 44		return ATTR_KILL_SGID;
 45	if (!in_group_or_capable(mnt_userns, inode,
 46				 i_gid_into_vfsgid(mnt_userns, inode)))
 47		return ATTR_KILL_SGID;
 48	return 0;
 49}
 
 50
 51/**
 52 * setattr_should_drop_suidgid - determine whether the set{g,u}id bit needs to
 53 *                               be dropped
 54 * @mnt_userns:	user namespace of the mount @inode was found from
 55 * @inode:	inode to check
 56 *
 57 * This function determines whether the set{g,u}id bits need to be removed.
 58 * If the setuid bit needs to be removed ATTR_KILL_SUID is returned. If the
 59 * setgid bit needs to be removed ATTR_KILL_SGID is returned. If both
 60 * set{g,u}id bits need to be removed the corresponding mask of both flags is
 61 * returned.
 62 *
 63 * Return: A mask of ATTR_KILL_S{G,U}ID indicating which - if any - setid bits
 64 * to remove, 0 otherwise.
 65 */
 66int setattr_should_drop_suidgid(struct user_namespace *mnt_userns,
 67				struct inode *inode)
 68{
 69	umode_t mode = inode->i_mode;
 70	int kill = 0;
 71
 72	/* suid always must be killed */
 73	if (unlikely(mode & S_ISUID))
 74		kill = ATTR_KILL_SUID;
 75
 76	kill |= setattr_should_drop_sgid(mnt_userns, inode);
 77
 78	if (unlikely(kill && !capable(CAP_FSETID) && S_ISREG(mode)))
 79		return kill;
 80
 81	return 0;
 82}
 83EXPORT_SYMBOL(setattr_should_drop_suidgid);
 84
 85/**
 86 * chown_ok - verify permissions to chown inode
 87 * @mnt_userns:	user namespace of the mount @inode was found from
 88 * @inode:	inode to check permissions on
 89 * @ia_vfsuid:	uid to chown @inode to
 90 *
 91 * If the inode has been found through an idmapped mount the user namespace of
 92 * the vfsmount must be passed through @mnt_userns. This function will then
 93 * take care to map the inode according to @mnt_userns before checking
 94 * permissions. On non-idmapped mounts or if permission checking is to be
 95 * performed on the raw inode simply passs init_user_ns.
 96 */
 97static bool chown_ok(struct user_namespace *mnt_userns,
 98		     const struct inode *inode, vfsuid_t ia_vfsuid)
 99{
100	vfsuid_t vfsuid = i_uid_into_vfsuid(mnt_userns, inode);
101	if (vfsuid_eq_kuid(vfsuid, current_fsuid()) &&
102	    vfsuid_eq(ia_vfsuid, vfsuid))
103		return true;
104	if (capable_wrt_inode_uidgid(mnt_userns, inode, CAP_CHOWN))
105		return true;
106	if (!vfsuid_valid(vfsuid) &&
107	    ns_capable(inode->i_sb->s_user_ns, CAP_CHOWN))
108		return true;
109	return false;
110}
111
112/**
113 * chgrp_ok - verify permissions to chgrp inode
114 * @mnt_userns:	user namespace of the mount @inode was found from
115 * @inode:	inode to check permissions on
116 * @ia_vfsgid:	gid to chown @inode to
117 *
118 * If the inode has been found through an idmapped mount the user namespace of
119 * the vfsmount must be passed through @mnt_userns. This function will then
120 * take care to map the inode according to @mnt_userns before checking
121 * permissions. On non-idmapped mounts or if permission checking is to be
122 * performed on the raw inode simply passs init_user_ns.
123 */
124static bool chgrp_ok(struct user_namespace *mnt_userns,
125		     const struct inode *inode, vfsgid_t ia_vfsgid)
126{
127	vfsgid_t vfsgid = i_gid_into_vfsgid(mnt_userns, inode);
128	vfsuid_t vfsuid = i_uid_into_vfsuid(mnt_userns, inode);
129	if (vfsuid_eq_kuid(vfsuid, current_fsuid())) {
130		if (vfsgid_eq(ia_vfsgid, vfsgid))
131			return true;
132		if (vfsgid_in_group_p(ia_vfsgid))
133			return true;
134	}
135	if (capable_wrt_inode_uidgid(mnt_userns, inode, CAP_CHOWN))
136		return true;
137	if (!vfsgid_valid(vfsgid) &&
138	    ns_capable(inode->i_sb->s_user_ns, CAP_CHOWN))
139		return true;
140	return false;
141}
142
143/**
144 * setattr_prepare - check if attribute changes to a dentry are allowed
145 * @mnt_userns:	user namespace of the mount the inode was found from
146 * @dentry:	dentry to check
147 * @attr:	attributes to change
148 *
149 * Check if we are allowed to change the attributes contained in @attr
150 * in the given dentry.  This includes the normal unix access permission
151 * checks, as well as checks for rlimits and others. The function also clears
152 * SGID bit from mode if user is not allowed to set it. Also file capabilities
153 * and IMA extended attributes are cleared if ATTR_KILL_PRIV is set.
154 *
155 * If the inode has been found through an idmapped mount the user namespace of
156 * the vfsmount must be passed through @mnt_userns. This function will then
157 * take care to map the inode according to @mnt_userns before checking
158 * permissions. On non-idmapped mounts or if permission checking is to be
159 * performed on the raw inode simply passs init_user_ns.
160 *
161 * Should be called as the first thing in ->setattr implementations,
162 * possibly after taking additional locks.
163 */
164int setattr_prepare(struct user_namespace *mnt_userns, struct dentry *dentry,
165		    struct iattr *attr)
166{
167	struct inode *inode = d_inode(dentry);
168	unsigned int ia_valid = attr->ia_valid;
169
170	/*
171	 * First check size constraints.  These can't be overriden using
172	 * ATTR_FORCE.
173	 */
174	if (ia_valid & ATTR_SIZE) {
175		int error = inode_newsize_ok(inode, attr->ia_size);
176		if (error)
177			return error;
178	}
179
180	/* If force is set do it anyway. */
181	if (ia_valid & ATTR_FORCE)
182		goto kill_priv;
183
184	/* Make sure a caller can chown. */
185	if ((ia_valid & ATTR_UID) &&
186	    !chown_ok(mnt_userns, inode, attr->ia_vfsuid))
187		return -EPERM;
188
189	/* Make sure caller can chgrp. */
190	if ((ia_valid & ATTR_GID) &&
191	    !chgrp_ok(mnt_userns, inode, attr->ia_vfsgid))
192		return -EPERM;
193
194	/* Make sure a caller can chmod. */
195	if (ia_valid & ATTR_MODE) {
196		vfsgid_t vfsgid;
197
198		if (!inode_owner_or_capable(mnt_userns, inode))
199			return -EPERM;
200
201		if (ia_valid & ATTR_GID)
202			vfsgid = attr->ia_vfsgid;
203		else
204			vfsgid = i_gid_into_vfsgid(mnt_userns, inode);
205
206		/* Also check the setgid bit! */
207		if (!in_group_or_capable(mnt_userns, inode, vfsgid))
208			attr->ia_mode &= ~S_ISGID;
209	}
210
211	/* Check for setting the inode time. */
212	if (ia_valid & (ATTR_MTIME_SET | ATTR_ATIME_SET | ATTR_TIMES_SET)) {
213		if (!inode_owner_or_capable(mnt_userns, inode))
214			return -EPERM;
215	}
216
217kill_priv:
218	/* User has permission for the change */
219	if (ia_valid & ATTR_KILL_PRIV) {
220		int error;
221
222		error = security_inode_killpriv(mnt_userns, dentry);
223		if (error)
224			return error;
225	}
226
227	return 0;
228}
229EXPORT_SYMBOL(setattr_prepare);
230
231/**
232 * inode_newsize_ok - may this inode be truncated to a given size
233 * @inode:	the inode to be truncated
234 * @offset:	the new size to assign to the inode
235 *
236 * inode_newsize_ok must be called with i_mutex held.
237 *
238 * inode_newsize_ok will check filesystem limits and ulimits to check that the
239 * new inode size is within limits. inode_newsize_ok will also send SIGXFSZ
240 * when necessary. Caller must not proceed with inode size change if failure is
241 * returned. @inode must be a file (not directory), with appropriate
242 * permissions to allow truncate (inode_newsize_ok does NOT check these
243 * conditions).
244 *
245 * Return: 0 on success, -ve errno on failure
246 */
247int inode_newsize_ok(const struct inode *inode, loff_t offset)
248{
249	if (offset < 0)
250		return -EINVAL;
251	if (inode->i_size < offset) {
252		unsigned long limit;
253
254		limit = rlimit(RLIMIT_FSIZE);
255		if (limit != RLIM_INFINITY && offset > limit)
256			goto out_sig;
257		if (offset > inode->i_sb->s_maxbytes)
258			goto out_big;
259	} else {
260		/*
261		 * truncation of in-use swapfiles is disallowed - it would
262		 * cause subsequent swapout to scribble on the now-freed
263		 * blocks.
264		 */
265		if (IS_SWAPFILE(inode))
266			return -ETXTBSY;
267	}
268
269	return 0;
270out_sig:
271	send_sig(SIGXFSZ, current, 0);
272out_big:
273	return -EFBIG;
274}
275EXPORT_SYMBOL(inode_newsize_ok);
276
277/**
278 * setattr_copy - copy simple metadata updates into the generic inode
279 * @mnt_userns:	user namespace of the mount the inode was found from
280 * @inode:	the inode to be updated
281 * @attr:	the new attributes
282 *
283 * setattr_copy must be called with i_mutex held.
284 *
285 * setattr_copy updates the inode's metadata with that specified
286 * in attr on idmapped mounts. Necessary permission checks to determine
287 * whether or not the S_ISGID property needs to be removed are performed with
288 * the correct idmapped mount permission helpers.
289 * Noticeably missing is inode size update, which is more complex
290 * as it requires pagecache updates.
291 *
292 * If the inode has been found through an idmapped mount the user namespace of
293 * the vfsmount must be passed through @mnt_userns. This function will then
294 * take care to map the inode according to @mnt_userns before checking
295 * permissions. On non-idmapped mounts or if permission checking is to be
296 * performed on the raw inode simply passs init_user_ns.
297 *
298 * The inode is not marked as dirty after this operation. The rationale is
299 * that for "simple" filesystems, the struct inode is the inode storage.
300 * The caller is free to mark the inode dirty afterwards if needed.
301 */
302void setattr_copy(struct user_namespace *mnt_userns, struct inode *inode,
303		  const struct iattr *attr)
304{
305	unsigned int ia_valid = attr->ia_valid;
306
307	i_uid_update(mnt_userns, attr, inode);
308	i_gid_update(mnt_userns, attr, inode);
309	if (ia_valid & ATTR_ATIME)
310		inode->i_atime = attr->ia_atime;
311	if (ia_valid & ATTR_MTIME)
312		inode->i_mtime = attr->ia_mtime;
313	if (ia_valid & ATTR_CTIME)
314		inode->i_ctime = attr->ia_ctime;
315	if (ia_valid & ATTR_MODE) {
316		umode_t mode = attr->ia_mode;
317		if (!in_group_or_capable(mnt_userns, inode,
318					 i_gid_into_vfsgid(mnt_userns, inode)))
319			mode &= ~S_ISGID;
320		inode->i_mode = mode;
321	}
322}
323EXPORT_SYMBOL(setattr_copy);
324
325int may_setattr(struct user_namespace *mnt_userns, struct inode *inode,
326		unsigned int ia_valid)
327{
328	int error;
329
330	if (ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID | ATTR_TIMES_SET)) {
331		if (IS_IMMUTABLE(inode) || IS_APPEND(inode))
332			return -EPERM;
333	}
334
335	/*
336	 * If utimes(2) and friends are called with times == NULL (or both
337	 * times are UTIME_NOW), then we need to check for write permission
338	 */
339	if (ia_valid & ATTR_TOUCH) {
340		if (IS_IMMUTABLE(inode))
341			return -EPERM;
342
343		if (!inode_owner_or_capable(mnt_userns, inode)) {
344			error = inode_permission(mnt_userns, inode, MAY_WRITE);
345			if (error)
346				return error;
347		}
348	}
349	return 0;
350}
351EXPORT_SYMBOL(may_setattr);
352
353/**
354 * notify_change - modify attributes of a filesytem object
355 * @mnt_userns:	user namespace of the mount the inode was found from
356 * @dentry:	object affected
357 * @attr:	new attributes
358 * @delegated_inode: returns inode, if the inode is delegated
359 *
360 * The caller must hold the i_mutex on the affected object.
361 *
362 * If notify_change discovers a delegation in need of breaking,
363 * it will return -EWOULDBLOCK and return a reference to the inode in
364 * delegated_inode.  The caller should then break the delegation and
365 * retry.  Because breaking a delegation may take a long time, the
366 * caller should drop the i_mutex before doing so.
367 *
368 * Alternatively, a caller may pass NULL for delegated_inode.  This may
369 * be appropriate for callers that expect the underlying filesystem not
370 * to be NFS exported.  Also, passing NULL is fine for callers holding
371 * the file open for write, as there can be no conflicting delegation in
372 * that case.
373 *
374 * If the inode has been found through an idmapped mount the user namespace of
375 * the vfsmount must be passed through @mnt_userns. This function will then
376 * take care to map the inode according to @mnt_userns before checking
377 * permissions. On non-idmapped mounts or if permission checking is to be
378 * performed on the raw inode simply passs init_user_ns.
379 */
380int notify_change(struct user_namespace *mnt_userns, struct dentry *dentry,
381		  struct iattr *attr, struct inode **delegated_inode)
382{
383	struct inode *inode = dentry->d_inode;
384	umode_t mode = inode->i_mode;
385	int error;
386	struct timespec64 now;
387	unsigned int ia_valid = attr->ia_valid;
388
389	WARN_ON_ONCE(!inode_is_locked(inode));
390
391	error = may_setattr(mnt_userns, inode, ia_valid);
392	if (error)
393		return error;
394
395	if ((ia_valid & ATTR_MODE)) {
396		umode_t amode = attr->ia_mode;
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
397		/* Flag setting protected by i_mutex */
398		if (is_sxid(amode))
399			inode->i_flags &= ~S_NOSEC;
400	}
401
402	now = current_time(inode);
403
404	attr->ia_ctime = now;
405	if (!(ia_valid & ATTR_ATIME_SET))
406		attr->ia_atime = now;
407	else
408		attr->ia_atime = timestamp_truncate(attr->ia_atime, inode);
409	if (!(ia_valid & ATTR_MTIME_SET))
410		attr->ia_mtime = now;
411	else
412		attr->ia_mtime = timestamp_truncate(attr->ia_mtime, inode);
413
414	if (ia_valid & ATTR_KILL_PRIV) {
415		error = security_inode_need_killpriv(dentry);
416		if (error < 0)
417			return error;
418		if (error == 0)
419			ia_valid = attr->ia_valid &= ~ATTR_KILL_PRIV;
420	}
421
422	/*
423	 * We now pass ATTR_KILL_S*ID to the lower level setattr function so
424	 * that the function has the ability to reinterpret a mode change
425	 * that's due to these bits. This adds an implicit restriction that
426	 * no function will ever call notify_change with both ATTR_MODE and
427	 * ATTR_KILL_S*ID set.
428	 */
429	if ((ia_valid & (ATTR_KILL_SUID|ATTR_KILL_SGID)) &&
430	    (ia_valid & ATTR_MODE))
431		BUG();
432
433	if (ia_valid & ATTR_KILL_SUID) {
434		if (mode & S_ISUID) {
435			ia_valid = attr->ia_valid |= ATTR_MODE;
436			attr->ia_mode = (inode->i_mode & ~S_ISUID);
437		}
438	}
439	if (ia_valid & ATTR_KILL_SGID) {
440		if (mode & S_ISGID) {
441			if (!(ia_valid & ATTR_MODE)) {
442				ia_valid = attr->ia_valid |= ATTR_MODE;
443				attr->ia_mode = inode->i_mode;
444			}
445			attr->ia_mode &= ~S_ISGID;
446		}
447	}
448	if (!(attr->ia_valid & ~(ATTR_KILL_SUID | ATTR_KILL_SGID)))
449		return 0;
450
451	/*
452	 * Verify that uid/gid changes are valid in the target
453	 * namespace of the superblock.
454	 */
455	if (ia_valid & ATTR_UID &&
456	    !vfsuid_has_fsmapping(mnt_userns, inode->i_sb->s_user_ns,
457				  attr->ia_vfsuid))
458		return -EOVERFLOW;
459	if (ia_valid & ATTR_GID &&
460	    !vfsgid_has_fsmapping(mnt_userns, inode->i_sb->s_user_ns,
461				  attr->ia_vfsgid))
462		return -EOVERFLOW;
463
464	/* Don't allow modifications of files with invalid uids or
465	 * gids unless those uids & gids are being made valid.
466	 */
467	if (!(ia_valid & ATTR_UID) &&
468	    !vfsuid_valid(i_uid_into_vfsuid(mnt_userns, inode)))
469		return -EOVERFLOW;
470	if (!(ia_valid & ATTR_GID) &&
471	    !vfsgid_valid(i_gid_into_vfsgid(mnt_userns, inode)))
472		return -EOVERFLOW;
473
474	error = security_inode_setattr(mnt_userns, dentry, attr);
475	if (error)
476		return error;
477	error = try_break_deleg(inode, delegated_inode);
478	if (error)
479		return error;
480
481	if (inode->i_op->setattr)
482		error = inode->i_op->setattr(mnt_userns, dentry, attr);
483	else
484		error = simple_setattr(mnt_userns, dentry, attr);
485
486	if (!error) {
487		fsnotify_change(dentry, ia_valid);
488		ima_inode_post_setattr(mnt_userns, dentry);
489		evm_inode_post_setattr(dentry, ia_valid);
490	}
491
492	return error;
493}
494EXPORT_SYMBOL(notify_change);
v6.8
  1// SPDX-License-Identifier: GPL-2.0
  2/*
  3 *  linux/fs/attr.c
  4 *
  5 *  Copyright (C) 1991, 1992  Linus Torvalds
  6 *  changes by Thomas Schoebel-Theuer
  7 */
  8
  9#include <linux/export.h>
 10#include <linux/time.h>
 11#include <linux/mm.h>
 12#include <linux/string.h>
 13#include <linux/sched/signal.h>
 14#include <linux/capability.h>
 15#include <linux/fsnotify.h>
 16#include <linux/fcntl.h>
 17#include <linux/filelock.h>
 18#include <linux/security.h>
 19#include <linux/evm.h>
 20#include <linux/ima.h>
 21
 22#include "internal.h"
 23
 24/**
 25 * setattr_should_drop_sgid - determine whether the setgid bit needs to be
 26 *                            removed
 27 * @idmap:	idmap of the mount @inode was found from
 28 * @inode:	inode to check
 29 *
 30 * This function determines whether the setgid bit needs to be removed.
 31 * We retain backwards compatibility and require setgid bit to be removed
 32 * unconditionally if S_IXGRP is set. Otherwise we have the exact same
 33 * requirements as setattr_prepare() and setattr_copy().
 34 *
 35 * Return: ATTR_KILL_SGID if setgid bit needs to be removed, 0 otherwise.
 36 */
 37int setattr_should_drop_sgid(struct mnt_idmap *idmap,
 38			     const struct inode *inode)
 39{
 40	umode_t mode = inode->i_mode;
 41
 42	if (!(mode & S_ISGID))
 43		return 0;
 44	if (mode & S_IXGRP)
 45		return ATTR_KILL_SGID;
 46	if (!in_group_or_capable(idmap, inode, i_gid_into_vfsgid(idmap, inode)))
 
 47		return ATTR_KILL_SGID;
 48	return 0;
 49}
 50EXPORT_SYMBOL(setattr_should_drop_sgid);
 51
 52/**
 53 * setattr_should_drop_suidgid - determine whether the set{g,u}id bit needs to
 54 *                               be dropped
 55 * @idmap:	idmap of the mount @inode was found from
 56 * @inode:	inode to check
 57 *
 58 * This function determines whether the set{g,u}id bits need to be removed.
 59 * If the setuid bit needs to be removed ATTR_KILL_SUID is returned. If the
 60 * setgid bit needs to be removed ATTR_KILL_SGID is returned. If both
 61 * set{g,u}id bits need to be removed the corresponding mask of both flags is
 62 * returned.
 63 *
 64 * Return: A mask of ATTR_KILL_S{G,U}ID indicating which - if any - setid bits
 65 * to remove, 0 otherwise.
 66 */
 67int setattr_should_drop_suidgid(struct mnt_idmap *idmap,
 68				struct inode *inode)
 69{
 70	umode_t mode = inode->i_mode;
 71	int kill = 0;
 72
 73	/* suid always must be killed */
 74	if (unlikely(mode & S_ISUID))
 75		kill = ATTR_KILL_SUID;
 76
 77	kill |= setattr_should_drop_sgid(idmap, inode);
 78
 79	if (unlikely(kill && !capable(CAP_FSETID) && S_ISREG(mode)))
 80		return kill;
 81
 82	return 0;
 83}
 84EXPORT_SYMBOL(setattr_should_drop_suidgid);
 85
 86/**
 87 * chown_ok - verify permissions to chown inode
 88 * @idmap:	idmap of the mount @inode was found from
 89 * @inode:	inode to check permissions on
 90 * @ia_vfsuid:	uid to chown @inode to
 91 *
 92 * If the inode has been found through an idmapped mount the idmap of
 93 * the vfsmount must be passed through @idmap. This function will then
 94 * take care to map the inode according to @idmap before checking
 95 * permissions. On non-idmapped mounts or if permission checking is to be
 96 * performed on the raw inode simply pass @nop_mnt_idmap.
 97 */
 98static bool chown_ok(struct mnt_idmap *idmap,
 99		     const struct inode *inode, vfsuid_t ia_vfsuid)
100{
101	vfsuid_t vfsuid = i_uid_into_vfsuid(idmap, inode);
102	if (vfsuid_eq_kuid(vfsuid, current_fsuid()) &&
103	    vfsuid_eq(ia_vfsuid, vfsuid))
104		return true;
105	if (capable_wrt_inode_uidgid(idmap, inode, CAP_CHOWN))
106		return true;
107	if (!vfsuid_valid(vfsuid) &&
108	    ns_capable(inode->i_sb->s_user_ns, CAP_CHOWN))
109		return true;
110	return false;
111}
112
113/**
114 * chgrp_ok - verify permissions to chgrp inode
115 * @idmap:	idmap of the mount @inode was found from
116 * @inode:	inode to check permissions on
117 * @ia_vfsgid:	gid to chown @inode to
118 *
119 * If the inode has been found through an idmapped mount the idmap of
120 * the vfsmount must be passed through @idmap. This function will then
121 * take care to map the inode according to @idmap before checking
122 * permissions. On non-idmapped mounts or if permission checking is to be
123 * performed on the raw inode simply pass @nop_mnt_idmap.
124 */
125static bool chgrp_ok(struct mnt_idmap *idmap,
126		     const struct inode *inode, vfsgid_t ia_vfsgid)
127{
128	vfsgid_t vfsgid = i_gid_into_vfsgid(idmap, inode);
129	vfsuid_t vfsuid = i_uid_into_vfsuid(idmap, inode);
130	if (vfsuid_eq_kuid(vfsuid, current_fsuid())) {
131		if (vfsgid_eq(ia_vfsgid, vfsgid))
132			return true;
133		if (vfsgid_in_group_p(ia_vfsgid))
134			return true;
135	}
136	if (capable_wrt_inode_uidgid(idmap, inode, CAP_CHOWN))
137		return true;
138	if (!vfsgid_valid(vfsgid) &&
139	    ns_capable(inode->i_sb->s_user_ns, CAP_CHOWN))
140		return true;
141	return false;
142}
143
144/**
145 * setattr_prepare - check if attribute changes to a dentry are allowed
146 * @idmap:	idmap of the mount the inode was found from
147 * @dentry:	dentry to check
148 * @attr:	attributes to change
149 *
150 * Check if we are allowed to change the attributes contained in @attr
151 * in the given dentry.  This includes the normal unix access permission
152 * checks, as well as checks for rlimits and others. The function also clears
153 * SGID bit from mode if user is not allowed to set it. Also file capabilities
154 * and IMA extended attributes are cleared if ATTR_KILL_PRIV is set.
155 *
156 * If the inode has been found through an idmapped mount the idmap of
157 * the vfsmount must be passed through @idmap. This function will then
158 * take care to map the inode according to @idmap before checking
159 * permissions. On non-idmapped mounts or if permission checking is to be
160 * performed on the raw inode simply pass @nop_mnt_idmap.
161 *
162 * Should be called as the first thing in ->setattr implementations,
163 * possibly after taking additional locks.
164 */
165int setattr_prepare(struct mnt_idmap *idmap, struct dentry *dentry,
166		    struct iattr *attr)
167{
168	struct inode *inode = d_inode(dentry);
169	unsigned int ia_valid = attr->ia_valid;
170
171	/*
172	 * First check size constraints.  These can't be overriden using
173	 * ATTR_FORCE.
174	 */
175	if (ia_valid & ATTR_SIZE) {
176		int error = inode_newsize_ok(inode, attr->ia_size);
177		if (error)
178			return error;
179	}
180
181	/* If force is set do it anyway. */
182	if (ia_valid & ATTR_FORCE)
183		goto kill_priv;
184
185	/* Make sure a caller can chown. */
186	if ((ia_valid & ATTR_UID) &&
187	    !chown_ok(idmap, inode, attr->ia_vfsuid))
188		return -EPERM;
189
190	/* Make sure caller can chgrp. */
191	if ((ia_valid & ATTR_GID) &&
192	    !chgrp_ok(idmap, inode, attr->ia_vfsgid))
193		return -EPERM;
194
195	/* Make sure a caller can chmod. */
196	if (ia_valid & ATTR_MODE) {
197		vfsgid_t vfsgid;
198
199		if (!inode_owner_or_capable(idmap, inode))
200			return -EPERM;
201
202		if (ia_valid & ATTR_GID)
203			vfsgid = attr->ia_vfsgid;
204		else
205			vfsgid = i_gid_into_vfsgid(idmap, inode);
206
207		/* Also check the setgid bit! */
208		if (!in_group_or_capable(idmap, inode, vfsgid))
209			attr->ia_mode &= ~S_ISGID;
210	}
211
212	/* Check for setting the inode time. */
213	if (ia_valid & (ATTR_MTIME_SET | ATTR_ATIME_SET | ATTR_TIMES_SET)) {
214		if (!inode_owner_or_capable(idmap, inode))
215			return -EPERM;
216	}
217
218kill_priv:
219	/* User has permission for the change */
220	if (ia_valid & ATTR_KILL_PRIV) {
221		int error;
222
223		error = security_inode_killpriv(idmap, dentry);
224		if (error)
225			return error;
226	}
227
228	return 0;
229}
230EXPORT_SYMBOL(setattr_prepare);
231
232/**
233 * inode_newsize_ok - may this inode be truncated to a given size
234 * @inode:	the inode to be truncated
235 * @offset:	the new size to assign to the inode
236 *
237 * inode_newsize_ok must be called with i_mutex held.
238 *
239 * inode_newsize_ok will check filesystem limits and ulimits to check that the
240 * new inode size is within limits. inode_newsize_ok will also send SIGXFSZ
241 * when necessary. Caller must not proceed with inode size change if failure is
242 * returned. @inode must be a file (not directory), with appropriate
243 * permissions to allow truncate (inode_newsize_ok does NOT check these
244 * conditions).
245 *
246 * Return: 0 on success, -ve errno on failure
247 */
248int inode_newsize_ok(const struct inode *inode, loff_t offset)
249{
250	if (offset < 0)
251		return -EINVAL;
252	if (inode->i_size < offset) {
253		unsigned long limit;
254
255		limit = rlimit(RLIMIT_FSIZE);
256		if (limit != RLIM_INFINITY && offset > limit)
257			goto out_sig;
258		if (offset > inode->i_sb->s_maxbytes)
259			goto out_big;
260	} else {
261		/*
262		 * truncation of in-use swapfiles is disallowed - it would
263		 * cause subsequent swapout to scribble on the now-freed
264		 * blocks.
265		 */
266		if (IS_SWAPFILE(inode))
267			return -ETXTBSY;
268	}
269
270	return 0;
271out_sig:
272	send_sig(SIGXFSZ, current, 0);
273out_big:
274	return -EFBIG;
275}
276EXPORT_SYMBOL(inode_newsize_ok);
277
278/**
279 * setattr_copy - copy simple metadata updates into the generic inode
280 * @idmap:	idmap of the mount the inode was found from
281 * @inode:	the inode to be updated
282 * @attr:	the new attributes
283 *
284 * setattr_copy must be called with i_mutex held.
285 *
286 * setattr_copy updates the inode's metadata with that specified
287 * in attr on idmapped mounts. Necessary permission checks to determine
288 * whether or not the S_ISGID property needs to be removed are performed with
289 * the correct idmapped mount permission helpers.
290 * Noticeably missing is inode size update, which is more complex
291 * as it requires pagecache updates.
292 *
293 * If the inode has been found through an idmapped mount the idmap of
294 * the vfsmount must be passed through @idmap. This function will then
295 * take care to map the inode according to @idmap before checking
296 * permissions. On non-idmapped mounts or if permission checking is to be
297 * performed on the raw inode simply pass @nop_mnt_idmap.
298 *
299 * The inode is not marked as dirty after this operation. The rationale is
300 * that for "simple" filesystems, the struct inode is the inode storage.
301 * The caller is free to mark the inode dirty afterwards if needed.
302 */
303void setattr_copy(struct mnt_idmap *idmap, struct inode *inode,
304		  const struct iattr *attr)
305{
306	unsigned int ia_valid = attr->ia_valid;
307
308	i_uid_update(idmap, attr, inode);
309	i_gid_update(idmap, attr, inode);
310	if (ia_valid & ATTR_ATIME)
311		inode_set_atime_to_ts(inode, attr->ia_atime);
312	if (ia_valid & ATTR_MTIME)
313		inode_set_mtime_to_ts(inode, attr->ia_mtime);
314	if (ia_valid & ATTR_CTIME)
315		inode_set_ctime_to_ts(inode, attr->ia_ctime);
316	if (ia_valid & ATTR_MODE) {
317		umode_t mode = attr->ia_mode;
318		if (!in_group_or_capable(idmap, inode,
319					 i_gid_into_vfsgid(idmap, inode)))
320			mode &= ~S_ISGID;
321		inode->i_mode = mode;
322	}
323}
324EXPORT_SYMBOL(setattr_copy);
325
326int may_setattr(struct mnt_idmap *idmap, struct inode *inode,
327		unsigned int ia_valid)
328{
329	int error;
330
331	if (ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID | ATTR_TIMES_SET)) {
332		if (IS_IMMUTABLE(inode) || IS_APPEND(inode))
333			return -EPERM;
334	}
335
336	/*
337	 * If utimes(2) and friends are called with times == NULL (or both
338	 * times are UTIME_NOW), then we need to check for write permission
339	 */
340	if (ia_valid & ATTR_TOUCH) {
341		if (IS_IMMUTABLE(inode))
342			return -EPERM;
343
344		if (!inode_owner_or_capable(idmap, inode)) {
345			error = inode_permission(idmap, inode, MAY_WRITE);
346			if (error)
347				return error;
348		}
349	}
350	return 0;
351}
352EXPORT_SYMBOL(may_setattr);
353
354/**
355 * notify_change - modify attributes of a filesytem object
356 * @idmap:	idmap of the mount the inode was found from
357 * @dentry:	object affected
358 * @attr:	new attributes
359 * @delegated_inode: returns inode, if the inode is delegated
360 *
361 * The caller must hold the i_mutex on the affected object.
362 *
363 * If notify_change discovers a delegation in need of breaking,
364 * it will return -EWOULDBLOCK and return a reference to the inode in
365 * delegated_inode.  The caller should then break the delegation and
366 * retry.  Because breaking a delegation may take a long time, the
367 * caller should drop the i_mutex before doing so.
368 *
369 * Alternatively, a caller may pass NULL for delegated_inode.  This may
370 * be appropriate for callers that expect the underlying filesystem not
371 * to be NFS exported.  Also, passing NULL is fine for callers holding
372 * the file open for write, as there can be no conflicting delegation in
373 * that case.
374 *
375 * If the inode has been found through an idmapped mount the idmap of
376 * the vfsmount must be passed through @idmap. This function will then
377 * take care to map the inode according to @idmap before checking
378 * permissions. On non-idmapped mounts or if permission checking is to be
379 * performed on the raw inode simply pass @nop_mnt_idmap.
380 */
381int notify_change(struct mnt_idmap *idmap, struct dentry *dentry,
382		  struct iattr *attr, struct inode **delegated_inode)
383{
384	struct inode *inode = dentry->d_inode;
385	umode_t mode = inode->i_mode;
386	int error;
387	struct timespec64 now;
388	unsigned int ia_valid = attr->ia_valid;
389
390	WARN_ON_ONCE(!inode_is_locked(inode));
391
392	error = may_setattr(idmap, inode, ia_valid);
393	if (error)
394		return error;
395
396	if ((ia_valid & ATTR_MODE)) {
397		/*
398		 * Don't allow changing the mode of symlinks:
399		 *
400		 * (1) The vfs doesn't take the mode of symlinks into account
401		 *     during permission checking.
402		 * (2) This has never worked correctly. Most major filesystems
403		 *     did return EOPNOTSUPP due to interactions with POSIX ACLs
404		 *     but did still updated the mode of the symlink.
405		 *     This inconsistency led system call wrapper providers such
406		 *     as libc to block changing the mode of symlinks with
407		 *     EOPNOTSUPP already.
408		 * (3) To even do this in the first place one would have to use
409		 *     specific file descriptors and quite some effort.
410		 */
411		if (S_ISLNK(inode->i_mode))
412			return -EOPNOTSUPP;
413
414		/* Flag setting protected by i_mutex */
415		if (is_sxid(attr->ia_mode))
416			inode->i_flags &= ~S_NOSEC;
417	}
418
419	now = current_time(inode);
420
421	attr->ia_ctime = now;
422	if (!(ia_valid & ATTR_ATIME_SET))
423		attr->ia_atime = now;
424	else
425		attr->ia_atime = timestamp_truncate(attr->ia_atime, inode);
426	if (!(ia_valid & ATTR_MTIME_SET))
427		attr->ia_mtime = now;
428	else
429		attr->ia_mtime = timestamp_truncate(attr->ia_mtime, inode);
430
431	if (ia_valid & ATTR_KILL_PRIV) {
432		error = security_inode_need_killpriv(dentry);
433		if (error < 0)
434			return error;
435		if (error == 0)
436			ia_valid = attr->ia_valid &= ~ATTR_KILL_PRIV;
437	}
438
439	/*
440	 * We now pass ATTR_KILL_S*ID to the lower level setattr function so
441	 * that the function has the ability to reinterpret a mode change
442	 * that's due to these bits. This adds an implicit restriction that
443	 * no function will ever call notify_change with both ATTR_MODE and
444	 * ATTR_KILL_S*ID set.
445	 */
446	if ((ia_valid & (ATTR_KILL_SUID|ATTR_KILL_SGID)) &&
447	    (ia_valid & ATTR_MODE))
448		BUG();
449
450	if (ia_valid & ATTR_KILL_SUID) {
451		if (mode & S_ISUID) {
452			ia_valid = attr->ia_valid |= ATTR_MODE;
453			attr->ia_mode = (inode->i_mode & ~S_ISUID);
454		}
455	}
456	if (ia_valid & ATTR_KILL_SGID) {
457		if (mode & S_ISGID) {
458			if (!(ia_valid & ATTR_MODE)) {
459				ia_valid = attr->ia_valid |= ATTR_MODE;
460				attr->ia_mode = inode->i_mode;
461			}
462			attr->ia_mode &= ~S_ISGID;
463		}
464	}
465	if (!(attr->ia_valid & ~(ATTR_KILL_SUID | ATTR_KILL_SGID)))
466		return 0;
467
468	/*
469	 * Verify that uid/gid changes are valid in the target
470	 * namespace of the superblock.
471	 */
472	if (ia_valid & ATTR_UID &&
473	    !vfsuid_has_fsmapping(idmap, inode->i_sb->s_user_ns,
474				  attr->ia_vfsuid))
475		return -EOVERFLOW;
476	if (ia_valid & ATTR_GID &&
477	    !vfsgid_has_fsmapping(idmap, inode->i_sb->s_user_ns,
478				  attr->ia_vfsgid))
479		return -EOVERFLOW;
480
481	/* Don't allow modifications of files with invalid uids or
482	 * gids unless those uids & gids are being made valid.
483	 */
484	if (!(ia_valid & ATTR_UID) &&
485	    !vfsuid_valid(i_uid_into_vfsuid(idmap, inode)))
486		return -EOVERFLOW;
487	if (!(ia_valid & ATTR_GID) &&
488	    !vfsgid_valid(i_gid_into_vfsgid(idmap, inode)))
489		return -EOVERFLOW;
490
491	error = security_inode_setattr(idmap, dentry, attr);
492	if (error)
493		return error;
494	error = try_break_deleg(inode, delegated_inode);
495	if (error)
496		return error;
497
498	if (inode->i_op->setattr)
499		error = inode->i_op->setattr(idmap, dentry, attr);
500	else
501		error = simple_setattr(idmap, dentry, attr);
502
503	if (!error) {
504		fsnotify_change(dentry, ia_valid);
505		ima_inode_post_setattr(idmap, dentry);
506		evm_inode_post_setattr(dentry, ia_valid);
507	}
508
509	return error;
510}
511EXPORT_SYMBOL(notify_change);