fs/afs/security.c at v5.2-rc2

tjh.dev / kernel
fork atom
Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel os linux
fork atom
kernel / fs / afs / security.c
at v5.2-rc2 421 lines 10 kB view raw
wrap content
  1/* AFS security handling
  2 *
  3 * Copyright (C) 2007, 2017 Red Hat, Inc. All Rights Reserved.
  4 * Written by David Howells (dhowells@redhat.com)
  5 *
  6 * This program is free software; you can redistribute it and/or
  7 * modify it under the terms of the GNU General Public License
  8 * as published by the Free Software Foundation; either version
  9 * 2 of the License, or (at your option) any later version.
 10 */
 11
 12#include <linux/init.h>
 13#include <linux/slab.h>
 14#include <linux/fs.h>
 15#include <linux/ctype.h>
 16#include <linux/sched.h>
 17#include <linux/hashtable.h>
 18#include <keys/rxrpc-type.h>
 19#include "internal.h"
 20
 21static DEFINE_HASHTABLE(afs_permits_cache, 10);
 22static DEFINE_SPINLOCK(afs_permits_lock);
 23
 24/*
 25 * get a key
 26 */
 27struct key *afs_request_key(struct afs_cell *cell)
 28{
 29	struct key *key;
 30
 31	_enter("{%x}", key_serial(cell->anonymous_key));
 32
 33	_debug("key %s", cell->anonymous_key->description);
 34	key = request_key(&key_type_rxrpc, cell->anonymous_key->description,
 35			  NULL);
 36	if (IS_ERR(key)) {
 37		if (PTR_ERR(key) != -ENOKEY) {
 38			_leave(" = %ld", PTR_ERR(key));
 39			return key;
 40		}
 41
 42		/* act as anonymous user */
 43		_leave(" = {%x} [anon]", key_serial(cell->anonymous_key));
 44		return key_get(cell->anonymous_key);
 45	} else {
 46		/* act as authorised user */
 47		_leave(" = {%x} [auth]", key_serial(key));
 48		return key;
 49	}
 50}
 51
 52/*
 53 * Dispose of a list of permits.
 54 */
 55static void afs_permits_rcu(struct rcu_head *rcu)
 56{
 57	struct afs_permits *permits =
 58		container_of(rcu, struct afs_permits, rcu);
 59	int i;
 60
 61	for (i = 0; i < permits->nr_permits; i++)
 62		key_put(permits->permits[i].key);
 63	kfree(permits);
 64}
 65
 66/*
 67 * Discard a permission cache.
 68 */
 69void afs_put_permits(struct afs_permits *permits)
 70{
 71	if (permits && refcount_dec_and_test(&permits->usage)) {
 72		spin_lock(&afs_permits_lock);
 73		hash_del_rcu(&permits->hash_node);
 74		spin_unlock(&afs_permits_lock);
 75		call_rcu(&permits->rcu, afs_permits_rcu);
 76	}
 77}
 78
 79/*
 80 * Clear a permit cache on callback break.
 81 */
 82void afs_clear_permits(struct afs_vnode *vnode)
 83{
 84	struct afs_permits *permits;
 85
 86	spin_lock(&vnode->lock);
 87	permits = rcu_dereference_protected(vnode->permit_cache,
 88					    lockdep_is_held(&vnode->lock));
 89	RCU_INIT_POINTER(vnode->permit_cache, NULL);
 90	spin_unlock(&vnode->lock);
 91
 92	afs_put_permits(permits);
 93}
 94
 95/*
 96 * Hash a list of permits.  Use simple addition to make it easy to add an extra
 97 * one at an as-yet indeterminate position in the list.
 98 */
 99static void afs_hash_permits(struct afs_permits *permits)
100{
101	unsigned long h = permits->nr_permits;
102	int i;
103
104	for (i = 0; i < permits->nr_permits; i++) {
105		h += (unsigned long)permits->permits[i].key / sizeof(void *);
106		h += permits->permits[i].access;
107	}
108
109	permits->h = h;
110}
111
112/*
113 * Cache the CallerAccess result obtained from doing a fileserver operation
114 * that returned a vnode status for a particular key.  If a callback break
115 * occurs whilst the operation was in progress then we have to ditch the cache
116 * as the ACL *may* have changed.
117 */
118void afs_cache_permit(struct afs_vnode *vnode, struct key *key,
119		      unsigned int cb_break, struct afs_status_cb *scb)
120{
121	struct afs_permits *permits, *xpermits, *replacement, *zap, *new = NULL;
122	afs_access_t caller_access = scb->status.caller_access;
123	size_t size = 0;
124	bool changed = false;
125	int i, j;
126
127	_enter("{%llx:%llu},%x,%x",
128	       vnode->fid.vid, vnode->fid.vnode, key_serial(key), caller_access);
129
130	rcu_read_lock();
131
132	/* Check for the common case first: We got back the same access as last
133	 * time we tried and already have it recorded.
134	 */
135	permits = rcu_dereference(vnode->permit_cache);
136	if (permits) {
137		if (!permits->invalidated) {
138			for (i = 0; i < permits->nr_permits; i++) {
139				if (permits->permits[i].key < key)
140					continue;
141				if (permits->permits[i].key > key)
142					break;
143				if (permits->permits[i].access != caller_access) {
144					changed = true;
145					break;
146				}
147
148				if (afs_cb_is_broken(cb_break, vnode,
149						     rcu_dereference(vnode->cb_interest))) {
150					changed = true;
151					break;
152				}
153
154				/* The cache is still good. */
155				rcu_read_unlock();
156				return;
157			}
158		}
159
160		changed |= permits->invalidated;
161		size = permits->nr_permits;
162
163		/* If this set of permits is now wrong, clear the permits
164		 * pointer so that no one tries to use the stale information.
165		 */
166		if (changed) {
167			spin_lock(&vnode->lock);
168			if (permits != rcu_access_pointer(vnode->permit_cache))
169				goto someone_else_changed_it_unlock;
170			RCU_INIT_POINTER(vnode->permit_cache, NULL);
171			spin_unlock(&vnode->lock);
172
173			afs_put_permits(permits);
174			permits = NULL;
175			size = 0;
176		}
177	}
178
179	if (afs_cb_is_broken(cb_break, vnode, rcu_dereference(vnode->cb_interest)))
180		goto someone_else_changed_it;
181
182	/* We need a ref on any permits list we want to copy as we'll have to
183	 * drop the lock to do memory allocation.
184	 */
185	if (permits && !refcount_inc_not_zero(&permits->usage))
186		goto someone_else_changed_it;
187
188	rcu_read_unlock();
189
190	/* Speculatively create a new list with the revised permission set.  We
191	 * discard this if we find an extant match already in the hash, but
192	 * it's easier to compare with memcmp this way.
193	 *
194	 * We fill in the key pointers at this time, but we don't get the refs
195	 * yet.
196	 */
197	size++;
198	new = kzalloc(sizeof(struct afs_permits) +
199		      sizeof(struct afs_permit) * size, GFP_NOFS);
200	if (!new)
201		goto out_put;
202
203	refcount_set(&new->usage, 1);
204	new->nr_permits = size;
205	i = j = 0;
206	if (permits) {
207		for (i = 0; i < permits->nr_permits; i++) {
208			if (j == i && permits->permits[i].key > key) {
209				new->permits[j].key = key;
210				new->permits[j].access = caller_access;
211				j++;
212			}
213			new->permits[j].key = permits->permits[i].key;
214			new->permits[j].access = permits->permits[i].access;
215			j++;
216		}
217	}
218
219	if (j == i) {
220		new->permits[j].key = key;
221		new->permits[j].access = caller_access;
222	}
223
224	afs_hash_permits(new);
225
226	/* Now see if the permit list we want is actually already available */
227	spin_lock(&afs_permits_lock);
228
229	hash_for_each_possible(afs_permits_cache, xpermits, hash_node, new->h) {
230		if (xpermits->h != new->h ||
231		    xpermits->invalidated ||
232		    xpermits->nr_permits != new->nr_permits ||
233		    memcmp(xpermits->permits, new->permits,
234			   new->nr_permits * sizeof(struct afs_permit)) != 0)
235			continue;
236
237		if (refcount_inc_not_zero(&xpermits->usage)) {
238			replacement = xpermits;
239			goto found;
240		}
241
242		break;
243	}
244
245	for (i = 0; i < new->nr_permits; i++)
246		key_get(new->permits[i].key);
247	hash_add_rcu(afs_permits_cache, &new->hash_node, new->h);
248	replacement = new;
249	new = NULL;
250
251found:
252	spin_unlock(&afs_permits_lock);
253
254	kfree(new);
255
256	rcu_read_lock();
257	spin_lock(&vnode->lock);
258	zap = rcu_access_pointer(vnode->permit_cache);
259	if (!afs_cb_is_broken(cb_break, vnode, rcu_dereference(vnode->cb_interest)) &&
260	    zap == permits)
261		rcu_assign_pointer(vnode->permit_cache, replacement);
262	else
263		zap = replacement;
264	spin_unlock(&vnode->lock);
265	rcu_read_unlock();
266	afs_put_permits(zap);
267out_put:
268	afs_put_permits(permits);
269	return;
270
271someone_else_changed_it_unlock:
272	spin_unlock(&vnode->lock);
273someone_else_changed_it:
274	/* Someone else changed the cache under us - don't recheck at this
275	 * time.
276	 */
277	rcu_read_unlock();
278	return;
279}
280
281/*
282 * check with the fileserver to see if the directory or parent directory is
283 * permitted to be accessed with this authorisation, and if so, what access it
284 * is granted
285 */
286int afs_check_permit(struct afs_vnode *vnode, struct key *key,
287		     afs_access_t *_access)
288{
289	struct afs_permits *permits;
290	bool valid = false;
291	int i, ret;
292
293	_enter("{%llx:%llu},%x",
294	       vnode->fid.vid, vnode->fid.vnode, key_serial(key));
295
296	/* check the permits to see if we've got one yet */
297	if (key == vnode->volume->cell->anonymous_key) {
298		_debug("anon");
299		*_access = vnode->status.anon_access;
300		valid = true;
301	} else {
302		rcu_read_lock();
303		permits = rcu_dereference(vnode->permit_cache);
304		if (permits) {
305			for (i = 0; i < permits->nr_permits; i++) {
306				if (permits->permits[i].key < key)
307					continue;
308				if (permits->permits[i].key > key)
309					break;
310
311				*_access = permits->permits[i].access;
312				valid = !permits->invalidated;
313				break;
314			}
315		}
316		rcu_read_unlock();
317	}
318
319	if (!valid) {
320		/* Check the status on the file we're actually interested in
321		 * (the post-processing will cache the result).
322		 */
323		_debug("no valid permit");
324
325		ret = afs_fetch_status(vnode, key, false, _access);
326		if (ret < 0) {
327			*_access = 0;
328			_leave(" = %d", ret);
329			return ret;
330		}
331	}
332
333	_leave(" = 0 [access %x]", *_access);
334	return 0;
335}
336
337/*
338 * check the permissions on an AFS file
339 * - AFS ACLs are attached to directories only, and a file is controlled by its
340 *   parent directory's ACL
341 */
342int afs_permission(struct inode *inode, int mask)
343{
344	struct afs_vnode *vnode = AFS_FS_I(inode);
345	afs_access_t uninitialized_var(access);
346	struct key *key;
347	int ret;
348
349	if (mask & MAY_NOT_BLOCK)
350		return -ECHILD;
351
352	_enter("{{%llx:%llu},%lx},%x,",
353	       vnode->fid.vid, vnode->fid.vnode, vnode->flags, mask);
354
355	key = afs_request_key(vnode->volume->cell);
356	if (IS_ERR(key)) {
357		_leave(" = %ld [key]", PTR_ERR(key));
358		return PTR_ERR(key);
359	}
360
361	ret = afs_validate(vnode, key);
362	if (ret < 0)
363		goto error;
364
365	/* check the permits to see if we've got one yet */
366	ret = afs_check_permit(vnode, key, &access);
367	if (ret < 0)
368		goto error;
369
370	/* interpret the access mask */
371	_debug("REQ %x ACC %x on %s",
372	       mask, access, S_ISDIR(inode->i_mode) ? "dir" : "file");
373
374	if (S_ISDIR(inode->i_mode)) {
375		if (mask & (MAY_EXEC | MAY_READ | MAY_CHDIR)) {
376			if (!(access & AFS_ACE_LOOKUP))
377				goto permission_denied;
378		}
379		if (mask & MAY_WRITE) {
380			if (!(access & (AFS_ACE_DELETE | /* rmdir, unlink, rename from */
381					AFS_ACE_INSERT))) /* create, mkdir, symlink, rename to */
382				goto permission_denied;
383		}
384	} else {
385		if (!(access & AFS_ACE_LOOKUP))
386			goto permission_denied;
387		if ((mask & MAY_EXEC) && !(inode->i_mode & S_IXUSR))
388			goto permission_denied;
389		if (mask & (MAY_EXEC | MAY_READ)) {
390			if (!(access & AFS_ACE_READ))
391				goto permission_denied;
392			if (!(inode->i_mode & S_IRUSR))
393				goto permission_denied;
394		} else if (mask & MAY_WRITE) {
395			if (!(access & AFS_ACE_WRITE))
396				goto permission_denied;
397			if (!(inode->i_mode & S_IWUSR))
398				goto permission_denied;
399		}
400	}
401
402	key_put(key);
403	_leave(" = %d", ret);
404	return ret;
405
406permission_denied:
407	ret = -EACCES;
408error:
409	key_put(key);
410	_leave(" = %d", ret);
411	return ret;
412}
413
414void __exit afs_clean_up_permit_cache(void)
415{
416	int i;
417
418	for (i = 0; i < HASH_SIZE(afs_permits_cache); i++)
419		WARN_ON_ONCE(!hlist_empty(&afs_permits_cache[i]));
420
421}