1 // SPDX-License-Identifier: GPL-2.0-or-later
2 /* AFS security handling
4 * Copyright (C) 2007, 2017 Red Hat, Inc. All Rights Reserved.
5 * Written by David Howells (dhowells@redhat.com)
8 #include <linux/init.h>
9 #include <linux/slab.h>
11 #include <linux/ctype.h>
12 #include <linux/sched.h>
13 #include <linux/hashtable.h>
14 #include <keys/rxrpc-type.h>
17 static DEFINE_HASHTABLE(afs_permits_cache
, 10);
18 static DEFINE_SPINLOCK(afs_permits_lock
);
23 struct key
*afs_request_key(struct afs_cell
*cell
)
27 _enter("{%x}", key_serial(cell
->anonymous_key
));
29 _debug("key %s", cell
->anonymous_key
->description
);
30 key
= request_key(&key_type_rxrpc
, cell
->anonymous_key
->description
,
33 if (PTR_ERR(key
) != -ENOKEY
) {
34 _leave(" = %ld", PTR_ERR(key
));
38 /* act as anonymous user */
39 _leave(" = {%x} [anon]", key_serial(cell
->anonymous_key
));
40 return key_get(cell
->anonymous_key
);
42 /* act as authorised user */
43 _leave(" = {%x} [auth]", key_serial(key
));
49 * Dispose of a list of permits.
51 static void afs_permits_rcu(struct rcu_head
*rcu
)
53 struct afs_permits
*permits
=
54 container_of(rcu
, struct afs_permits
, rcu
);
57 for (i
= 0; i
< permits
->nr_permits
; i
++)
58 key_put(permits
->permits
[i
].key
);
63 * Discard a permission cache.
65 void afs_put_permits(struct afs_permits
*permits
)
67 if (permits
&& refcount_dec_and_test(&permits
->usage
)) {
68 spin_lock(&afs_permits_lock
);
69 hash_del_rcu(&permits
->hash_node
);
70 spin_unlock(&afs_permits_lock
);
71 call_rcu(&permits
->rcu
, afs_permits_rcu
);
76 * Clear a permit cache on callback break.
78 void afs_clear_permits(struct afs_vnode
*vnode
)
80 struct afs_permits
*permits
;
82 spin_lock(&vnode
->lock
);
83 permits
= rcu_dereference_protected(vnode
->permit_cache
,
84 lockdep_is_held(&vnode
->lock
));
85 RCU_INIT_POINTER(vnode
->permit_cache
, NULL
);
86 spin_unlock(&vnode
->lock
);
88 afs_put_permits(permits
);
92 * Hash a list of permits. Use simple addition to make it easy to add an extra
93 * one at an as-yet indeterminate position in the list.
95 static void afs_hash_permits(struct afs_permits
*permits
)
97 unsigned long h
= permits
->nr_permits
;
100 for (i
= 0; i
< permits
->nr_permits
; i
++) {
101 h
+= (unsigned long)permits
->permits
[i
].key
/ sizeof(void *);
102 h
+= permits
->permits
[i
].access
;
109 * Cache the CallerAccess result obtained from doing a fileserver operation
110 * that returned a vnode status for a particular key. If a callback break
111 * occurs whilst the operation was in progress then we have to ditch the cache
112 * as the ACL *may* have changed.
114 void afs_cache_permit(struct afs_vnode
*vnode
, struct key
*key
,
115 unsigned int cb_break
, struct afs_status_cb
*scb
)
117 struct afs_permits
*permits
, *xpermits
, *replacement
, *zap
, *new = NULL
;
118 afs_access_t caller_access
= scb
->status
.caller_access
;
120 bool changed
= false;
123 _enter("{%llx:%llu},%x,%x",
124 vnode
->fid
.vid
, vnode
->fid
.vnode
, key_serial(key
), caller_access
);
128 /* Check for the common case first: We got back the same access as last
129 * time we tried and already have it recorded.
131 permits
= rcu_dereference(vnode
->permit_cache
);
133 if (!permits
->invalidated
) {
134 for (i
= 0; i
< permits
->nr_permits
; i
++) {
135 if (permits
->permits
[i
].key
< key
)
137 if (permits
->permits
[i
].key
> key
)
139 if (permits
->permits
[i
].access
!= caller_access
) {
144 if (afs_cb_is_broken(cb_break
, vnode
,
145 rcu_dereference(vnode
->cb_interest
))) {
150 /* The cache is still good. */
156 changed
|= permits
->invalidated
;
157 size
= permits
->nr_permits
;
159 /* If this set of permits is now wrong, clear the permits
160 * pointer so that no one tries to use the stale information.
163 spin_lock(&vnode
->lock
);
164 if (permits
!= rcu_access_pointer(vnode
->permit_cache
))
165 goto someone_else_changed_it_unlock
;
166 RCU_INIT_POINTER(vnode
->permit_cache
, NULL
);
167 spin_unlock(&vnode
->lock
);
169 afs_put_permits(permits
);
175 if (afs_cb_is_broken(cb_break
, vnode
, rcu_dereference(vnode
->cb_interest
)))
176 goto someone_else_changed_it
;
178 /* We need a ref on any permits list we want to copy as we'll have to
179 * drop the lock to do memory allocation.
181 if (permits
&& !refcount_inc_not_zero(&permits
->usage
))
182 goto someone_else_changed_it
;
186 /* Speculatively create a new list with the revised permission set. We
187 * discard this if we find an extant match already in the hash, but
188 * it's easier to compare with memcmp this way.
190 * We fill in the key pointers at this time, but we don't get the refs
194 new = kzalloc(sizeof(struct afs_permits
) +
195 sizeof(struct afs_permit
) * size
, GFP_NOFS
);
199 refcount_set(&new->usage
, 1);
200 new->nr_permits
= size
;
203 for (i
= 0; i
< permits
->nr_permits
; i
++) {
204 if (j
== i
&& permits
->permits
[i
].key
> key
) {
205 new->permits
[j
].key
= key
;
206 new->permits
[j
].access
= caller_access
;
209 new->permits
[j
].key
= permits
->permits
[i
].key
;
210 new->permits
[j
].access
= permits
->permits
[i
].access
;
216 new->permits
[j
].key
= key
;
217 new->permits
[j
].access
= caller_access
;
220 afs_hash_permits(new);
222 /* Now see if the permit list we want is actually already available */
223 spin_lock(&afs_permits_lock
);
225 hash_for_each_possible(afs_permits_cache
, xpermits
, hash_node
, new->h
) {
226 if (xpermits
->h
!= new->h
||
227 xpermits
->invalidated
||
228 xpermits
->nr_permits
!= new->nr_permits
||
229 memcmp(xpermits
->permits
, new->permits
,
230 new->nr_permits
* sizeof(struct afs_permit
)) != 0)
233 if (refcount_inc_not_zero(&xpermits
->usage
)) {
234 replacement
= xpermits
;
241 for (i
= 0; i
< new->nr_permits
; i
++)
242 key_get(new->permits
[i
].key
);
243 hash_add_rcu(afs_permits_cache
, &new->hash_node
, new->h
);
248 spin_unlock(&afs_permits_lock
);
253 spin_lock(&vnode
->lock
);
254 zap
= rcu_access_pointer(vnode
->permit_cache
);
255 if (!afs_cb_is_broken(cb_break
, vnode
, rcu_dereference(vnode
->cb_interest
)) &&
257 rcu_assign_pointer(vnode
->permit_cache
, replacement
);
260 spin_unlock(&vnode
->lock
);
262 afs_put_permits(zap
);
264 afs_put_permits(permits
);
267 someone_else_changed_it_unlock
:
268 spin_unlock(&vnode
->lock
);
269 someone_else_changed_it
:
270 /* Someone else changed the cache under us - don't recheck at this
278 * check with the fileserver to see if the directory or parent directory is
279 * permitted to be accessed with this authorisation, and if so, what access it
282 int afs_check_permit(struct afs_vnode
*vnode
, struct key
*key
,
283 afs_access_t
*_access
)
285 struct afs_permits
*permits
;
289 _enter("{%llx:%llu},%x",
290 vnode
->fid
.vid
, vnode
->fid
.vnode
, key_serial(key
));
292 /* check the permits to see if we've got one yet */
293 if (key
== vnode
->volume
->cell
->anonymous_key
) {
295 *_access
= vnode
->status
.anon_access
;
299 permits
= rcu_dereference(vnode
->permit_cache
);
301 for (i
= 0; i
< permits
->nr_permits
; i
++) {
302 if (permits
->permits
[i
].key
< key
)
304 if (permits
->permits
[i
].key
> key
)
307 *_access
= permits
->permits
[i
].access
;
308 valid
= !permits
->invalidated
;
316 /* Check the status on the file we're actually interested in
317 * (the post-processing will cache the result).
319 _debug("no valid permit");
321 ret
= afs_fetch_status(vnode
, key
, false, _access
);
324 _leave(" = %d", ret
);
329 _leave(" = 0 [access %x]", *_access
);
334 * check the permissions on an AFS file
335 * - AFS ACLs are attached to directories only, and a file is controlled by its
336 * parent directory's ACL
338 int afs_permission(struct inode
*inode
, int mask
)
340 struct afs_vnode
*vnode
= AFS_FS_I(inode
);
341 afs_access_t
uninitialized_var(access
);
345 if (mask
& MAY_NOT_BLOCK
)
348 _enter("{{%llx:%llu},%lx},%x,",
349 vnode
->fid
.vid
, vnode
->fid
.vnode
, vnode
->flags
, mask
);
351 key
= afs_request_key(vnode
->volume
->cell
);
353 _leave(" = %ld [key]", PTR_ERR(key
));
357 ret
= afs_validate(vnode
, key
);
361 /* check the permits to see if we've got one yet */
362 ret
= afs_check_permit(vnode
, key
, &access
);
366 /* interpret the access mask */
367 _debug("REQ %x ACC %x on %s",
368 mask
, access
, S_ISDIR(inode
->i_mode
) ? "dir" : "file");
370 if (S_ISDIR(inode
->i_mode
)) {
371 if (mask
& (MAY_EXEC
| MAY_READ
| MAY_CHDIR
)) {
372 if (!(access
& AFS_ACE_LOOKUP
))
373 goto permission_denied
;
375 if (mask
& MAY_WRITE
) {
376 if (!(access
& (AFS_ACE_DELETE
| /* rmdir, unlink, rename from */
377 AFS_ACE_INSERT
))) /* create, mkdir, symlink, rename to */
378 goto permission_denied
;
381 if (!(access
& AFS_ACE_LOOKUP
))
382 goto permission_denied
;
383 if ((mask
& MAY_EXEC
) && !(inode
->i_mode
& S_IXUSR
))
384 goto permission_denied
;
385 if (mask
& (MAY_EXEC
| MAY_READ
)) {
386 if (!(access
& AFS_ACE_READ
))
387 goto permission_denied
;
388 if (!(inode
->i_mode
& S_IRUSR
))
389 goto permission_denied
;
390 } else if (mask
& MAY_WRITE
) {
391 if (!(access
& AFS_ACE_WRITE
))
392 goto permission_denied
;
393 if (!(inode
->i_mode
& S_IWUSR
))
394 goto permission_denied
;
399 _leave(" = %d", ret
);
406 _leave(" = %d", ret
);
410 void __exit
afs_clean_up_permit_cache(void)
414 for (i
= 0; i
< HASH_SIZE(afs_permits_cache
); i
++)
415 WARN_ON_ONCE(!hlist_empty(&afs_permits_cache
[i
]));