]>
Commit | Line | Data |
---|---|---|
00d3b7a4 DH |
1 | /* AFS security handling |
2 | * | |
be080a6f | 3 | * Copyright (C) 2007, 2017 Red Hat, Inc. All Rights Reserved. |
00d3b7a4 DH |
4 | * Written by David Howells (dhowells@redhat.com) |
5 | * | |
6 | * This program is free software; you can redistribute it and/or | |
7 | * modify it under the terms of the GNU General Public License | |
8 | * as published by the Free Software Foundation; either version | |
9 | * 2 of the License, or (at your option) any later version. | |
10 | */ | |
11 | ||
12 | #include <linux/init.h> | |
13 | #include <linux/slab.h> | |
14 | #include <linux/fs.h> | |
15 | #include <linux/ctype.h> | |
e8edc6e0 | 16 | #include <linux/sched.h> |
be080a6f | 17 | #include <linux/hashtable.h> |
00d3b7a4 DH |
18 | #include <keys/rxrpc-type.h> |
19 | #include "internal.h" | |
20 | ||
be080a6f DH |
21 | static DEFINE_HASHTABLE(afs_permits_cache, 10); |
22 | static DEFINE_SPINLOCK(afs_permits_lock); | |
23 | ||
00d3b7a4 DH |
24 | /* |
25 | * get a key | |
26 | */ | |
27 | struct key *afs_request_key(struct afs_cell *cell) | |
28 | { | |
29 | struct key *key; | |
30 | ||
31 | _enter("{%x}", key_serial(cell->anonymous_key)); | |
32 | ||
33 | _debug("key %s", cell->anonymous_key->description); | |
34 | key = request_key(&key_type_rxrpc, cell->anonymous_key->description, | |
35 | NULL); | |
36 | if (IS_ERR(key)) { | |
37 | if (PTR_ERR(key) != -ENOKEY) { | |
38 | _leave(" = %ld", PTR_ERR(key)); | |
39 | return key; | |
40 | } | |
41 | ||
42 | /* act as anonymous user */ | |
43 | _leave(" = {%x} [anon]", key_serial(cell->anonymous_key)); | |
44 | return key_get(cell->anonymous_key); | |
45 | } else { | |
46 | /* act as authorised user */ | |
47 | _leave(" = {%x} [auth]", key_serial(key)); | |
48 | return key; | |
49 | } | |
50 | } | |
51 | ||
52 | /* | |
be080a6f | 53 | * Dispose of a list of permits. |
00d3b7a4 | 54 | */ |
be080a6f | 55 | static void afs_permits_rcu(struct rcu_head *rcu) |
00d3b7a4 DH |
56 | { |
57 | struct afs_permits *permits = | |
58 | container_of(rcu, struct afs_permits, rcu); | |
be080a6f | 59 | int i; |
00d3b7a4 | 60 | |
be080a6f DH |
61 | for (i = 0; i < permits->nr_permits; i++) |
62 | key_put(permits->permits[i].key); | |
00d3b7a4 DH |
63 | kfree(permits); |
64 | } | |
65 | ||
66 | /* | |
be080a6f | 67 | * Discard a permission cache. |
00d3b7a4 | 68 | */ |
be080a6f | 69 | void afs_put_permits(struct afs_permits *permits) |
00d3b7a4 | 70 | { |
be080a6f DH |
71 | if (permits && refcount_dec_and_test(&permits->usage)) { |
72 | spin_lock(&afs_permits_lock); | |
73 | hash_del_rcu(&permits->hash_node); | |
74 | spin_unlock(&afs_permits_lock); | |
75 | call_rcu(&permits->rcu, afs_permits_rcu); | |
76 | } | |
00d3b7a4 DH |
77 | } |
78 | ||
79 | /* | |
be080a6f | 80 | * Clear a permit cache on callback break. |
00d3b7a4 | 81 | */ |
be080a6f | 82 | void afs_clear_permits(struct afs_vnode *vnode) |
00d3b7a4 | 83 | { |
be080a6f | 84 | struct afs_permits *permits; |
00d3b7a4 | 85 | |
be080a6f DH |
86 | spin_lock(&vnode->lock); |
87 | permits = rcu_dereference_protected(vnode->permit_cache, | |
88 | lockdep_is_held(&vnode->lock)); | |
89 | RCU_INIT_POINTER(vnode->permit_cache, NULL); | |
90 | vnode->cb_break++; | |
91 | spin_unlock(&vnode->lock); | |
00d3b7a4 | 92 | |
be080a6f DH |
93 | if (permits) |
94 | afs_put_permits(permits); | |
00d3b7a4 DH |
95 | } |
96 | ||
97 | /* | |
be080a6f DH |
98 | * Hash a list of permits. Use simple addition to make it easy to add an extra |
99 | * one at an as-yet indeterminate position in the list. | |
00d3b7a4 | 100 | */ |
be080a6f | 101 | static void afs_hash_permits(struct afs_permits *permits) |
00d3b7a4 | 102 | { |
be080a6f DH |
103 | unsigned long h = permits->nr_permits; |
104 | int i; | |
00d3b7a4 | 105 | |
be080a6f DH |
106 | for (i = 0; i < permits->nr_permits; i++) { |
107 | h += (unsigned long)permits->permits[i].key / sizeof(void *); | |
108 | h += permits->permits[i].access; | |
109 | } | |
00d3b7a4 | 110 | |
be080a6f | 111 | permits->h = h; |
00d3b7a4 DH |
112 | } |
113 | ||
114 | /* | |
be080a6f DH |
115 | * Cache the CallerAccess result obtained from doing a fileserver operation |
116 | * that returned a vnode status for a particular key. If a callback break | |
117 | * occurs whilst the operation was in progress then we have to ditch the cache | |
118 | * as the ACL *may* have changed. | |
00d3b7a4 | 119 | */ |
be080a6f DH |
120 | void afs_cache_permit(struct afs_vnode *vnode, struct key *key, |
121 | unsigned int cb_break) | |
00d3b7a4 | 122 | { |
1bcab125 | 123 | struct afs_permits *permits, *xpermits, *replacement, *zap, *new = NULL; |
be080a6f DH |
124 | afs_access_t caller_access = READ_ONCE(vnode->status.caller_access); |
125 | size_t size = 0; | |
126 | bool changed = false; | |
127 | int i, j; | |
128 | ||
129 | _enter("{%x:%u},%x,%x", | |
130 | vnode->fid.vid, vnode->fid.vnode, key_serial(key), caller_access); | |
131 | ||
132 | rcu_read_lock(); | |
133 | ||
134 | /* Check for the common case first: We got back the same access as last | |
135 | * time we tried and already have it recorded. | |
136 | */ | |
137 | permits = rcu_dereference(vnode->permit_cache); | |
138 | if (permits) { | |
139 | if (!permits->invalidated) { | |
140 | for (i = 0; i < permits->nr_permits; i++) { | |
141 | if (permits->permits[i].key < key) | |
142 | continue; | |
143 | if (permits->permits[i].key > key) | |
144 | break; | |
145 | if (permits->permits[i].access != caller_access) { | |
146 | changed = true; | |
147 | break; | |
148 | } | |
00d3b7a4 | 149 | |
be080a6f DH |
150 | if (cb_break != (vnode->cb_break + |
151 | vnode->cb_interest->server->cb_s_break)) { | |
152 | changed = true; | |
153 | break; | |
154 | } | |
00d3b7a4 | 155 | |
be080a6f DH |
156 | /* The cache is still good. */ |
157 | rcu_read_unlock(); | |
158 | return; | |
159 | } | |
160 | } | |
00d3b7a4 | 161 | |
be080a6f DH |
162 | changed |= permits->invalidated; |
163 | size = permits->nr_permits; | |
00d3b7a4 | 164 | |
be080a6f DH |
165 | /* If this set of permits is now wrong, clear the permits |
166 | * pointer so that no one tries to use the stale information. | |
167 | */ | |
168 | if (changed) { | |
169 | spin_lock(&vnode->lock); | |
170 | if (permits != rcu_access_pointer(vnode->permit_cache)) | |
171 | goto someone_else_changed_it_unlock; | |
172 | RCU_INIT_POINTER(vnode->permit_cache, NULL); | |
173 | spin_unlock(&vnode->lock); | |
174 | ||
175 | afs_put_permits(permits); | |
176 | permits = NULL; | |
177 | size = 0; | |
178 | } | |
00d3b7a4 DH |
179 | } |
180 | ||
be080a6f DH |
181 | if (cb_break != (vnode->cb_break + vnode->cb_interest->server->cb_s_break)) { |
182 | rcu_read_unlock(); | |
183 | goto someone_else_changed_it; | |
00d3b7a4 DH |
184 | } |
185 | ||
be080a6f DH |
186 | /* We need a ref on any permits list we want to copy as we'll have to |
187 | * drop the lock to do memory allocation. | |
188 | */ | |
189 | if (permits && !refcount_inc_not_zero(&permits->usage)) { | |
190 | rcu_read_unlock(); | |
191 | goto someone_else_changed_it; | |
192 | } | |
193 | ||
194 | rcu_read_unlock(); | |
195 | ||
196 | /* Speculatively create a new list with the revised permission set. We | |
197 | * discard this if we find an extant match already in the hash, but | |
198 | * it's easier to compare with memcmp this way. | |
199 | * | |
200 | * We fill in the key pointers at this time, but we don't get the refs | |
201 | * yet. | |
202 | */ | |
203 | size++; | |
204 | new = kzalloc(sizeof(struct afs_permits) + | |
205 | sizeof(struct afs_permit) * size, GFP_NOFS); | |
206 | if (!new) | |
1bcab125 | 207 | goto out_put; |
be080a6f DH |
208 | |
209 | refcount_set(&new->usage, 1); | |
210 | new->nr_permits = size; | |
211 | i = j = 0; | |
212 | if (permits) { | |
213 | for (i = 0; i < permits->nr_permits; i++) { | |
214 | if (j == i && permits->permits[i].key > key) { | |
215 | new->permits[j].key = key; | |
216 | new->permits[j].access = caller_access; | |
217 | j++; | |
00d3b7a4 | 218 | } |
be080a6f DH |
219 | new->permits[j].key = permits->permits[i].key; |
220 | new->permits[j].access = permits->permits[i].access; | |
221 | j++; | |
00d3b7a4 DH |
222 | } |
223 | } | |
224 | ||
be080a6f DH |
225 | if (j == i) { |
226 | new->permits[j].key = key; | |
227 | new->permits[j].access = caller_access; | |
228 | } | |
229 | ||
230 | afs_hash_permits(new); | |
231 | ||
be080a6f DH |
232 | /* Now see if the permit list we want is actually already available */ |
233 | spin_lock(&afs_permits_lock); | |
234 | ||
235 | hash_for_each_possible(afs_permits_cache, xpermits, hash_node, new->h) { | |
236 | if (xpermits->h != new->h || | |
237 | xpermits->invalidated || | |
238 | xpermits->nr_permits != new->nr_permits || | |
239 | memcmp(xpermits->permits, new->permits, | |
240 | new->nr_permits * sizeof(struct afs_permit)) != 0) | |
241 | continue; | |
242 | ||
243 | if (refcount_inc_not_zero(&xpermits->usage)) { | |
244 | replacement = xpermits; | |
245 | goto found; | |
246 | } | |
247 | ||
248 | break; | |
249 | } | |
250 | ||
251 | for (i = 0; i < new->nr_permits; i++) | |
252 | key_get(new->permits[i].key); | |
253 | hash_add_rcu(afs_permits_cache, &new->hash_node, new->h); | |
254 | replacement = new; | |
255 | new = NULL; | |
256 | ||
257 | found: | |
258 | spin_unlock(&afs_permits_lock); | |
259 | ||
260 | kfree(new); | |
261 | ||
262 | spin_lock(&vnode->lock); | |
1bcab125 DH |
263 | zap = rcu_access_pointer(vnode->permit_cache); |
264 | if (cb_break == (vnode->cb_break + vnode->cb_interest->server->cb_s_break) && | |
265 | zap == permits) | |
266 | rcu_assign_pointer(vnode->permit_cache, replacement); | |
267 | else | |
268 | zap = replacement; | |
be080a6f | 269 | spin_unlock(&vnode->lock); |
1bcab125 DH |
270 | afs_put_permits(zap); |
271 | out_put: | |
be080a6f DH |
272 | afs_put_permits(permits); |
273 | return; | |
274 | ||
275 | someone_else_changed_it_unlock: | |
276 | spin_unlock(&vnode->lock); | |
277 | someone_else_changed_it: | |
278 | /* Someone else changed the cache under us - don't recheck at this | |
279 | * time. | |
280 | */ | |
281 | return; | |
00d3b7a4 DH |
282 | } |
283 | ||
284 | /* | |
285 | * check with the fileserver to see if the directory or parent directory is | |
286 | * permitted to be accessed with this authorisation, and if so, what access it | |
287 | * is granted | |
288 | */ | |
0fafdc9f DH |
289 | int afs_check_permit(struct afs_vnode *vnode, struct key *key, |
290 | afs_access_t *_access) | |
00d3b7a4 DH |
291 | { |
292 | struct afs_permits *permits; | |
be080a6f DH |
293 | bool valid = false; |
294 | int i, ret; | |
00d3b7a4 | 295 | |
416351f2 DH |
296 | _enter("{%x:%u},%x", |
297 | vnode->fid.vid, vnode->fid.vnode, key_serial(key)); | |
00d3b7a4 | 298 | |
be080a6f | 299 | permits = vnode->permit_cache; |
00d3b7a4 DH |
300 | |
301 | /* check the permits to see if we've got one yet */ | |
be080a6f | 302 | if (key == vnode->volume->cell->anonymous_key) { |
00d3b7a4 | 303 | _debug("anon"); |
be080a6f | 304 | *_access = vnode->status.anon_access; |
00d3b7a4 DH |
305 | valid = true; |
306 | } else { | |
00d3b7a4 | 307 | rcu_read_lock(); |
be080a6f | 308 | permits = rcu_dereference(vnode->permit_cache); |
00d3b7a4 | 309 | if (permits) { |
be080a6f DH |
310 | for (i = 0; i < permits->nr_permits; i++) { |
311 | if (permits->permits[i].key < key) | |
312 | continue; | |
313 | if (permits->permits[i].key > key) | |
00d3b7a4 | 314 | break; |
be080a6f DH |
315 | |
316 | *_access = permits->permits[i].access; | |
317 | valid = !permits->invalidated; | |
318 | break; | |
00d3b7a4 DH |
319 | } |
320 | } | |
321 | rcu_read_unlock(); | |
322 | } | |
323 | ||
324 | if (!valid) { | |
be080a6f DH |
325 | /* Check the status on the file we're actually interested in |
326 | * (the post-processing will cache the result). | |
327 | */ | |
00d3b7a4 DH |
328 | _debug("no valid permit"); |
329 | ||
d2ddc776 | 330 | ret = afs_fetch_status(vnode, key); |
00d3b7a4 | 331 | if (ret < 0) { |
00d3b7a4 DH |
332 | *_access = 0; |
333 | _leave(" = %d", ret); | |
334 | return ret; | |
335 | } | |
416351f2 | 336 | *_access = vnode->status.caller_access; |
00d3b7a4 DH |
337 | } |
338 | ||
00d3b7a4 DH |
339 | _leave(" = 0 [access %x]", *_access); |
340 | return 0; | |
341 | } | |
342 | ||
343 | /* | |
344 | * check the permissions on an AFS file | |
345 | * - AFS ACLs are attached to directories only, and a file is controlled by its | |
346 | * parent directory's ACL | |
347 | */ | |
10556cb2 | 348 | int afs_permission(struct inode *inode, int mask) |
00d3b7a4 DH |
349 | { |
350 | struct afs_vnode *vnode = AFS_FS_I(inode); | |
69759454 | 351 | afs_access_t uninitialized_var(access); |
00d3b7a4 DH |
352 | struct key *key; |
353 | int ret; | |
354 | ||
10556cb2 | 355 | if (mask & MAY_NOT_BLOCK) |
b74c79e9 NP |
356 | return -ECHILD; |
357 | ||
416351f2 | 358 | _enter("{{%x:%u},%lx},%x,", |
260a9803 | 359 | vnode->fid.vid, vnode->fid.vnode, vnode->flags, mask); |
00d3b7a4 DH |
360 | |
361 | key = afs_request_key(vnode->volume->cell); | |
362 | if (IS_ERR(key)) { | |
363 | _leave(" = %ld [key]", PTR_ERR(key)); | |
364 | return PTR_ERR(key); | |
365 | } | |
366 | ||
c435ee34 DH |
367 | ret = afs_validate(vnode, key); |
368 | if (ret < 0) | |
369 | goto error; | |
260a9803 | 370 | |
00d3b7a4 DH |
371 | /* check the permits to see if we've got one yet */ |
372 | ret = afs_check_permit(vnode, key, &access); | |
260a9803 DH |
373 | if (ret < 0) |
374 | goto error; | |
00d3b7a4 DH |
375 | |
376 | /* interpret the access mask */ | |
377 | _debug("REQ %x ACC %x on %s", | |
378 | mask, access, S_ISDIR(inode->i_mode) ? "dir" : "file"); | |
379 | ||
380 | if (S_ISDIR(inode->i_mode)) { | |
381 | if (mask & MAY_EXEC) { | |
382 | if (!(access & AFS_ACE_LOOKUP)) | |
383 | goto permission_denied; | |
384 | } else if (mask & MAY_READ) { | |
fd249821 | 385 | if (!(access & AFS_ACE_LOOKUP)) |
00d3b7a4 DH |
386 | goto permission_denied; |
387 | } else if (mask & MAY_WRITE) { | |
388 | if (!(access & (AFS_ACE_DELETE | /* rmdir, unlink, rename from */ | |
fd249821 | 389 | AFS_ACE_INSERT))) /* create, mkdir, symlink, rename to */ |
00d3b7a4 DH |
390 | goto permission_denied; |
391 | } else { | |
392 | BUG(); | |
393 | } | |
394 | } else { | |
395 | if (!(access & AFS_ACE_LOOKUP)) | |
396 | goto permission_denied; | |
627f4694 MD |
397 | if ((mask & MAY_EXEC) && !(inode->i_mode & S_IXUSR)) |
398 | goto permission_denied; | |
00d3b7a4 DH |
399 | if (mask & (MAY_EXEC | MAY_READ)) { |
400 | if (!(access & AFS_ACE_READ)) | |
401 | goto permission_denied; | |
627f4694 MD |
402 | if (!(inode->i_mode & S_IRUSR)) |
403 | goto permission_denied; | |
00d3b7a4 DH |
404 | } else if (mask & MAY_WRITE) { |
405 | if (!(access & AFS_ACE_WRITE)) | |
406 | goto permission_denied; | |
627f4694 MD |
407 | if (!(inode->i_mode & S_IWUSR)) |
408 | goto permission_denied; | |
00d3b7a4 DH |
409 | } |
410 | } | |
411 | ||
412 | key_put(key); | |
260a9803 DH |
413 | _leave(" = %d", ret); |
414 | return ret; | |
00d3b7a4 DH |
415 | |
416 | permission_denied: | |
260a9803 DH |
417 | ret = -EACCES; |
418 | error: | |
00d3b7a4 | 419 | key_put(key); |
260a9803 DH |
420 | _leave(" = %d", ret); |
421 | return ret; | |
00d3b7a4 | 422 | } |
be080a6f DH |
423 | |
424 | void __exit afs_clean_up_permit_cache(void) | |
425 | { | |
426 | int i; | |
427 | ||
428 | for (i = 0; i < HASH_SIZE(afs_permits_cache); i++) | |
429 | WARN_ON_ONCE(!hlist_empty(&afs_permits_cache[i])); | |
430 | ||
431 | } |