2019-05-19 06:08:55 -06:00
|
|
|
// SPDX-License-Identifier: GPL-2.0-only
|
2005-04-16 16:20:36 -06:00
|
|
|
/*
|
|
|
|
|
File: fs/xattr.c
|
|
|
|
|
|
|
|
|
|
Extended attribute handling.
|
|
|
|
|
|
|
|
|
|
Copyright (C) 2001 by Andreas Gruenbacher <a.gruenbacher@computer.org>
|
|
|
|
|
Copyright (C) 2001 SGI - Silicon Graphics, Inc <linux-xfs@oss.sgi.com>
|
|
|
|
|
Copyright (c) 2004 Red Hat, Inc., James Morris <jmorris@redhat.com>
|
|
|
|
|
*/
|
|
|
|
|
#include <linux/fs.h>
|
|
|
|
|
#include <linux/slab.h>
|
|
|
|
|
#include <linux/file.h>
|
|
|
|
|
#include <linux/xattr.h>
|
2008-02-15 15:37:38 -07:00
|
|
|
#include <linux/mount.h>
|
2005-04-16 16:20:36 -06:00
|
|
|
#include <linux/namei.h>
|
|
|
|
|
#include <linux/security.h>
|
2011-03-09 12:39:18 -07:00
|
|
|
#include <linux/evm.h>
|
2005-04-16 16:20:36 -06:00
|
|
|
#include <linux/syscalls.h>
|
2011-11-16 21:57:37 -07:00
|
|
|
#include <linux/export.h>
|
[PATCH] inotify
inotify is intended to correct the deficiencies of dnotify, particularly
its inability to scale and its terrible user interface:
* dnotify requires the opening of one fd per each directory
that you intend to watch. This quickly results in too many
open files and pins removable media, preventing unmount.
* dnotify is directory-based. You only learn about changes to
directories. Sure, a change to a file in a directory affects
the directory, but you are then forced to keep a cache of
stat structures.
* dnotify's interface to user-space is awful. Signals?
inotify provides a more usable, simple, powerful solution to file change
notification:
* inotify's interface is a system call that returns a fd, not SIGIO.
You get a single fd, which is select()-able.
* inotify has an event that says "the filesystem that the item
you were watching is on was unmounted."
* inotify can watch directories or files.
Inotify is currently used by Beagle (a desktop search infrastructure),
Gamin (a FAM replacement), and other projects.
See Documentation/filesystems/inotify.txt.
Signed-off-by: Robert Love <rml@novell.com>
Cc: John McCutchan <ttb@tentacle.dhs.org>
Cc: Christoph Hellwig <hch@lst.de>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
2005-07-12 15:06:03 -06:00
|
|
|
#include <linux/fsnotify.h>
|
2005-11-03 09:00:25 -07:00
|
|
|
#include <linux/audit.h>
|
2012-04-05 15:25:07 -06:00
|
|
|
#include <linux/vmalloc.h>
|
2012-02-07 19:52:57 -07:00
|
|
|
#include <linux/posix_acl_xattr.h>
|
2005-04-16 16:20:36 -06:00
|
|
|
|
2016-12-24 12:46:01 -07:00
|
|
|
#include <linux/uaccess.h>
|
2006-01-09 21:51:55 -07:00
|
|
|
|
2016-09-29 09:48:38 -06:00
|
|
|
static const char *
|
|
|
|
|
strcmp_prefix(const char *a, const char *a_prefix)
|
|
|
|
|
{
|
|
|
|
|
while (*a_prefix && *a == *a_prefix) {
|
|
|
|
|
a++;
|
|
|
|
|
a_prefix++;
|
|
|
|
|
}
|
|
|
|
|
return *a_prefix ? NULL : a;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* In order to implement different sets of xattr operations for each xattr
|
xattr: Stop calling {get,set,remove}xattr inode operations
All filesystems that support xattrs by now do so via xattr handlers.
They all define sb->s_xattr, and their getxattr, setxattr, and
removexattr inode operations use the generic inode operations. On
filesystems that don't support xattrs, the xattr inode operations are
all NULL, and sb->s_xattr is also NULL.
This means that we can remove the getxattr, setxattr, and removexattr
inode operations and directly call the generic handlers, or better,
inline expand those handlers into fs/xattr.c.
Filesystems that do not support xattrs on some inodes should clear the
IOP_XATTR i_opflags flag in those inodes. (Right now, some filesystems
have checks to disable xattrs on some inodes in the ->list, ->get, and
->set xattr handler operations instead.) The IOP_XATTR flag is
automatically cleared in inodes of filesystems that don't have xattr
support.
In orangefs, symlinks do have a setxattr iop but no getxattr iop. Add a
check for symlinks to orangefs_inode_getxattr to preserve the current,
weird behavior; that check may not be necessary though.
Signed-off-by: Andreas Gruenbacher <agruenba@redhat.com>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
2016-09-29 09:48:44 -06:00
|
|
|
* prefix, a filesystem should create a null-terminated array of struct
|
|
|
|
|
* xattr_handler (one for each prefix) and hang a pointer to it off of the
|
|
|
|
|
* s_xattr field of the superblock.
|
2016-09-29 09:48:38 -06:00
|
|
|
*/
|
|
|
|
|
#define for_each_xattr_handler(handlers, handler) \
|
|
|
|
|
if (handlers) \
|
|
|
|
|
for ((handler) = *(handlers)++; \
|
|
|
|
|
(handler) != NULL; \
|
|
|
|
|
(handler) = *(handlers)++)
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Find the xattr_handler with the matching prefix.
|
|
|
|
|
*/
|
|
|
|
|
static const struct xattr_handler *
|
2016-09-29 09:48:39 -06:00
|
|
|
xattr_resolve_name(struct inode *inode, const char **name)
|
2016-09-29 09:48:38 -06:00
|
|
|
{
|
2016-09-29 09:48:39 -06:00
|
|
|
const struct xattr_handler **handlers = inode->i_sb->s_xattr;
|
2016-09-29 09:48:38 -06:00
|
|
|
const struct xattr_handler *handler;
|
|
|
|
|
|
2016-09-29 09:48:40 -06:00
|
|
|
if (!(inode->i_opflags & IOP_XATTR)) {
|
|
|
|
|
if (unlikely(is_bad_inode(inode)))
|
|
|
|
|
return ERR_PTR(-EIO);
|
2016-09-29 09:48:39 -06:00
|
|
|
return ERR_PTR(-EOPNOTSUPP);
|
2016-09-29 09:48:40 -06:00
|
|
|
}
|
2016-09-29 09:48:38 -06:00
|
|
|
for_each_xattr_handler(handlers, handler) {
|
|
|
|
|
const char *n;
|
|
|
|
|
|
|
|
|
|
n = strcmp_prefix(*name, xattr_prefix(handler));
|
|
|
|
|
if (n) {
|
|
|
|
|
if (!handler->prefix ^ !*n) {
|
|
|
|
|
if (*n)
|
|
|
|
|
continue;
|
|
|
|
|
return ERR_PTR(-EINVAL);
|
|
|
|
|
}
|
|
|
|
|
*name = n;
|
|
|
|
|
return handler;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
return ERR_PTR(-EOPNOTSUPP);
|
|
|
|
|
}
|
|
|
|
|
|
2006-01-09 21:51:56 -07:00
|
|
|
/*
|
|
|
|
|
* Check permissions for extended attribute access. This is a bit complicated
|
|
|
|
|
* because different namespaces have very different rules.
|
|
|
|
|
*/
|
|
|
|
|
static int
|
|
|
|
|
xattr_permission(struct inode *inode, const char *name, int mask)
|
|
|
|
|
{
|
|
|
|
|
/*
|
|
|
|
|
* We can never set or remove an extended attribute on a read-only
|
|
|
|
|
* filesystem or on an immutable / append-only inode.
|
|
|
|
|
*/
|
|
|
|
|
if (mask & MAY_WRITE) {
|
|
|
|
|
if (IS_IMMUTABLE(inode) || IS_APPEND(inode))
|
|
|
|
|
return -EPERM;
|
2016-06-29 13:54:46 -06:00
|
|
|
/*
|
|
|
|
|
* Updating an xattr will likely cause i_uid and i_gid
|
|
|
|
|
* to be writen back improperly if their true value is
|
|
|
|
|
* unknown to the vfs.
|
|
|
|
|
*/
|
|
|
|
|
if (HAS_UNMAPPED_ID(inode))
|
|
|
|
|
return -EPERM;
|
2006-01-09 21:51:56 -07:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* No restriction for security.* and system.* from the VFS. Decision
|
|
|
|
|
* on these is left to the underlying filesystem / security module.
|
|
|
|
|
*/
|
|
|
|
|
if (!strncmp(name, XATTR_SECURITY_PREFIX, XATTR_SECURITY_PREFIX_LEN) ||
|
|
|
|
|
!strncmp(name, XATTR_SYSTEM_PREFIX, XATTR_SYSTEM_PREFIX_LEN))
|
|
|
|
|
return 0;
|
|
|
|
|
|
|
|
|
|
/*
|
2011-05-27 06:50:36 -06:00
|
|
|
* The trusted.* namespace can only be accessed by privileged users.
|
2006-01-09 21:51:56 -07:00
|
|
|
*/
|
2011-05-27 06:50:36 -06:00
|
|
|
if (!strncmp(name, XATTR_TRUSTED_PREFIX, XATTR_TRUSTED_PREFIX_LEN)) {
|
|
|
|
|
if (!capable(CAP_SYS_ADMIN))
|
|
|
|
|
return (mask & MAY_WRITE) ? -EPERM : -ENODATA;
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
2006-01-09 21:51:56 -07:00
|
|
|
|
2011-05-27 06:50:36 -06:00
|
|
|
/*
|
|
|
|
|
* In the user.* namespace, only regular files and directories can have
|
2006-11-02 23:07:29 -07:00
|
|
|
* extended attributes. For sticky directories, only the owner and
|
2011-05-27 06:50:36 -06:00
|
|
|
* privileged users can write attributes.
|
2006-11-02 23:07:29 -07:00
|
|
|
*/
|
2006-01-09 21:51:56 -07:00
|
|
|
if (!strncmp(name, XATTR_USER_PREFIX, XATTR_USER_PREFIX_LEN)) {
|
2006-11-02 23:07:29 -07:00
|
|
|
if (!S_ISREG(inode->i_mode) && !S_ISDIR(inode->i_mode))
|
2011-05-27 06:50:36 -06:00
|
|
|
return (mask & MAY_WRITE) ? -EPERM : -ENODATA;
|
2006-11-02 23:07:29 -07:00
|
|
|
if (S_ISDIR(inode->i_mode) && (inode->i_mode & S_ISVTX) &&
|
2011-03-23 17:43:26 -06:00
|
|
|
(mask & MAY_WRITE) && !inode_owner_or_capable(inode))
|
2006-01-09 21:51:56 -07:00
|
|
|
return -EPERM;
|
|
|
|
|
}
|
|
|
|
|
|
2008-07-21 22:07:17 -06:00
|
|
|
return inode_permission(inode, mask);
|
2006-01-09 21:51:56 -07:00
|
|
|
}
|
|
|
|
|
|
2016-09-29 09:48:42 -06:00
|
|
|
int
|
|
|
|
|
__vfs_setxattr(struct dentry *dentry, struct inode *inode, const char *name,
|
|
|
|
|
const void *value, size_t size, int flags)
|
|
|
|
|
{
|
xattr: Stop calling {get,set,remove}xattr inode operations
All filesystems that support xattrs by now do so via xattr handlers.
They all define sb->s_xattr, and their getxattr, setxattr, and
removexattr inode operations use the generic inode operations. On
filesystems that don't support xattrs, the xattr inode operations are
all NULL, and sb->s_xattr is also NULL.
This means that we can remove the getxattr, setxattr, and removexattr
inode operations and directly call the generic handlers, or better,
inline expand those handlers into fs/xattr.c.
Filesystems that do not support xattrs on some inodes should clear the
IOP_XATTR i_opflags flag in those inodes. (Right now, some filesystems
have checks to disable xattrs on some inodes in the ->list, ->get, and
->set xattr handler operations instead.) The IOP_XATTR flag is
automatically cleared in inodes of filesystems that don't have xattr
support.
In orangefs, symlinks do have a setxattr iop but no getxattr iop. Add a
check for symlinks to orangefs_inode_getxattr to preserve the current,
weird behavior; that check may not be necessary though.
Signed-off-by: Andreas Gruenbacher <agruenba@redhat.com>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
2016-09-29 09:48:44 -06:00
|
|
|
const struct xattr_handler *handler;
|
|
|
|
|
|
|
|
|
|
handler = xattr_resolve_name(inode, &name);
|
|
|
|
|
if (IS_ERR(handler))
|
|
|
|
|
return PTR_ERR(handler);
|
|
|
|
|
if (!handler->set)
|
2016-09-29 09:48:42 -06:00
|
|
|
return -EOPNOTSUPP;
|
xattr: Stop calling {get,set,remove}xattr inode operations
All filesystems that support xattrs by now do so via xattr handlers.
They all define sb->s_xattr, and their getxattr, setxattr, and
removexattr inode operations use the generic inode operations. On
filesystems that don't support xattrs, the xattr inode operations are
all NULL, and sb->s_xattr is also NULL.
This means that we can remove the getxattr, setxattr, and removexattr
inode operations and directly call the generic handlers, or better,
inline expand those handlers into fs/xattr.c.
Filesystems that do not support xattrs on some inodes should clear the
IOP_XATTR i_opflags flag in those inodes. (Right now, some filesystems
have checks to disable xattrs on some inodes in the ->list, ->get, and
->set xattr handler operations instead.) The IOP_XATTR flag is
automatically cleared in inodes of filesystems that don't have xattr
support.
In orangefs, symlinks do have a setxattr iop but no getxattr iop. Add a
check for symlinks to orangefs_inode_getxattr to preserve the current,
weird behavior; that check may not be necessary though.
Signed-off-by: Andreas Gruenbacher <agruenba@redhat.com>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
2016-09-29 09:48:44 -06:00
|
|
|
if (size == 0)
|
|
|
|
|
value = ""; /* empty EA, do not remove */
|
|
|
|
|
return handler->set(handler, dentry, inode, name, value, size, flags);
|
2016-09-29 09:48:42 -06:00
|
|
|
}
|
|
|
|
|
EXPORT_SYMBOL(__vfs_setxattr);
|
|
|
|
|
|
2009-09-03 12:25:56 -06:00
|
|
|
/**
|
|
|
|
|
* __vfs_setxattr_noperm - perform setxattr operation without performing
|
|
|
|
|
* permission checks.
|
|
|
|
|
*
|
|
|
|
|
* @dentry - object to perform setxattr on
|
|
|
|
|
* @name - xattr name to set
|
|
|
|
|
* @value - value to set @name to
|
|
|
|
|
* @size - size of @value
|
|
|
|
|
* @flags - flags to pass into filesystem operations
|
|
|
|
|
*
|
|
|
|
|
* returns the result of the internal setxattr or setsecurity operations.
|
|
|
|
|
*
|
|
|
|
|
* This function requires the caller to lock the inode's i_mutex before it
|
|
|
|
|
* is executed. It also assumes that the caller will make the appropriate
|
|
|
|
|
* permission checks.
|
|
|
|
|
*/
|
|
|
|
|
int __vfs_setxattr_noperm(struct dentry *dentry, const char *name,
|
|
|
|
|
const void *value, size_t size, int flags)
|
2006-01-09 21:51:55 -07:00
|
|
|
{
|
|
|
|
|
struct inode *inode = dentry->d_inode;
|
2016-11-13 13:23:34 -07:00
|
|
|
int error = -EAGAIN;
|
2011-05-28 09:25:51 -06:00
|
|
|
int issec = !strncmp(name, XATTR_SECURITY_PREFIX,
|
|
|
|
|
XATTR_SECURITY_PREFIX_LEN);
|
2006-01-09 21:51:56 -07:00
|
|
|
|
2011-05-28 09:25:51 -06:00
|
|
|
if (issec)
|
|
|
|
|
inode->i_flags &= ~S_NOSEC;
|
xattr: Stop calling {get,set,remove}xattr inode operations
All filesystems that support xattrs by now do so via xattr handlers.
They all define sb->s_xattr, and their getxattr, setxattr, and
removexattr inode operations use the generic inode operations. On
filesystems that don't support xattrs, the xattr inode operations are
all NULL, and sb->s_xattr is also NULL.
This means that we can remove the getxattr, setxattr, and removexattr
inode operations and directly call the generic handlers, or better,
inline expand those handlers into fs/xattr.c.
Filesystems that do not support xattrs on some inodes should clear the
IOP_XATTR i_opflags flag in those inodes. (Right now, some filesystems
have checks to disable xattrs on some inodes in the ->list, ->get, and
->set xattr handler operations instead.) The IOP_XATTR flag is
automatically cleared in inodes of filesystems that don't have xattr
support.
In orangefs, symlinks do have a setxattr iop but no getxattr iop. Add a
check for symlinks to orangefs_inode_getxattr to preserve the current,
weird behavior; that check may not be necessary though.
Signed-off-by: Andreas Gruenbacher <agruenba@redhat.com>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
2016-09-29 09:48:44 -06:00
|
|
|
if (inode->i_opflags & IOP_XATTR) {
|
2016-09-29 09:48:42 -06:00
|
|
|
error = __vfs_setxattr(dentry, inode, name, value, size, flags);
|
2006-01-09 21:51:55 -07:00
|
|
|
if (!error) {
|
|
|
|
|
fsnotify_xattr(dentry);
|
|
|
|
|
security_inode_post_setxattr(dentry, name, value,
|
|
|
|
|
size, flags);
|
|
|
|
|
}
|
2016-11-13 13:23:34 -07:00
|
|
|
} else {
|
2016-09-29 09:48:40 -06:00
|
|
|
if (unlikely(is_bad_inode(inode)))
|
|
|
|
|
return -EIO;
|
2016-11-13 13:23:34 -07:00
|
|
|
}
|
|
|
|
|
if (error == -EAGAIN) {
|
|
|
|
|
error = -EOPNOTSUPP;
|
|
|
|
|
|
|
|
|
|
if (issec) {
|
|
|
|
|
const char *suffix = name + XATTR_SECURITY_PREFIX_LEN;
|
|
|
|
|
|
|
|
|
|
error = security_inode_setsecurity(inode, suffix, value,
|
|
|
|
|
size, flags);
|
|
|
|
|
if (!error)
|
|
|
|
|
fsnotify_xattr(dentry);
|
|
|
|
|
}
|
2006-01-09 21:51:55 -07:00
|
|
|
}
|
2009-09-03 12:25:56 -06:00
|
|
|
|
|
|
|
|
return error;
|
|
|
|
|
}
|
|
|
|
|
|
2020-06-23 16:39:18 -06:00
|
|
|
/**
|
|
|
|
|
* __vfs_setxattr_locked: set an extended attribute while holding the inode
|
|
|
|
|
* lock
|
|
|
|
|
*
|
|
|
|
|
* @dentry - object to perform setxattr on
|
|
|
|
|
* @name - xattr name to set
|
|
|
|
|
* @value - value to set @name to
|
|
|
|
|
* @size - size of @value
|
|
|
|
|
* @flags - flags to pass into filesystem operations
|
|
|
|
|
* @delegated_inode - on return, will contain an inode pointer that
|
|
|
|
|
* a delegation was broken on, NULL if none.
|
|
|
|
|
*/
|
2009-09-03 12:25:56 -06:00
|
|
|
int
|
2020-06-23 16:39:18 -06:00
|
|
|
__vfs_setxattr_locked(struct dentry *dentry, const char *name,
|
|
|
|
|
const void *value, size_t size, int flags,
|
|
|
|
|
struct inode **delegated_inode)
|
2009-09-03 12:25:56 -06:00
|
|
|
{
|
|
|
|
|
struct inode *inode = dentry->d_inode;
|
|
|
|
|
int error;
|
|
|
|
|
|
|
|
|
|
error = xattr_permission(inode, name, MAY_WRITE);
|
|
|
|
|
if (error)
|
|
|
|
|
return error;
|
|
|
|
|
|
|
|
|
|
error = security_inode_setxattr(dentry, name, value, size, flags);
|
|
|
|
|
if (error)
|
|
|
|
|
goto out;
|
|
|
|
|
|
2020-06-23 16:39:18 -06:00
|
|
|
error = try_break_deleg(inode, delegated_inode);
|
|
|
|
|
if (error)
|
|
|
|
|
goto out;
|
|
|
|
|
|
2009-09-03 12:25:56 -06:00
|
|
|
error = __vfs_setxattr_noperm(dentry, name, value, size, flags);
|
|
|
|
|
|
2006-01-09 21:51:55 -07:00
|
|
|
out:
|
2020-06-23 16:39:18 -06:00
|
|
|
return error;
|
|
|
|
|
}
|
|
|
|
|
EXPORT_SYMBOL_GPL(__vfs_setxattr_locked);
|
|
|
|
|
|
|
|
|
|
int
|
|
|
|
|
vfs_setxattr(struct dentry *dentry, const char *name, const void *value,
|
|
|
|
|
size_t size, int flags)
|
|
|
|
|
{
|
|
|
|
|
struct inode *inode = dentry->d_inode;
|
|
|
|
|
struct inode *delegated_inode = NULL;
|
|
|
|
|
int error;
|
|
|
|
|
|
|
|
|
|
retry_deleg:
|
|
|
|
|
inode_lock(inode);
|
|
|
|
|
error = __vfs_setxattr_locked(dentry, name, value, size, flags,
|
|
|
|
|
&delegated_inode);
|
2016-01-22 13:40:57 -07:00
|
|
|
inode_unlock(inode);
|
2020-06-23 16:39:18 -06:00
|
|
|
|
|
|
|
|
if (delegated_inode) {
|
|
|
|
|
error = break_deleg_wait(&delegated_inode);
|
|
|
|
|
if (!error)
|
|
|
|
|
goto retry_deleg;
|
|
|
|
|
}
|
2006-01-09 21:51:55 -07:00
|
|
|
return error;
|
|
|
|
|
}
|
|
|
|
|
EXPORT_SYMBOL_GPL(vfs_setxattr);
|
|
|
|
|
|
2018-04-24 19:22:04 -06:00
|
|
|
static ssize_t
|
2008-02-04 23:29:39 -07:00
|
|
|
xattr_getsecurity(struct inode *inode, const char *name, void *value,
|
|
|
|
|
size_t size)
|
|
|
|
|
{
|
|
|
|
|
void *buffer = NULL;
|
|
|
|
|
ssize_t len;
|
|
|
|
|
|
|
|
|
|
if (!value || !size) {
|
|
|
|
|
len = security_inode_getsecurity(inode, name, &buffer, false);
|
|
|
|
|
goto out_noalloc;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
len = security_inode_getsecurity(inode, name, &buffer, true);
|
|
|
|
|
if (len < 0)
|
|
|
|
|
return len;
|
|
|
|
|
if (size < len) {
|
|
|
|
|
len = -ERANGE;
|
|
|
|
|
goto out;
|
|
|
|
|
}
|
|
|
|
|
memcpy(value, buffer, len);
|
|
|
|
|
out:
|
2017-09-19 10:39:08 -06:00
|
|
|
kfree(buffer);
|
2008-02-04 23:29:39 -07:00
|
|
|
out_noalloc:
|
|
|
|
|
return len;
|
|
|
|
|
}
|
|
|
|
|
|
2011-03-09 12:23:34 -07:00
|
|
|
/*
|
|
|
|
|
* vfs_getxattr_alloc - allocate memory, if necessary, before calling getxattr
|
|
|
|
|
*
|
|
|
|
|
* Allocate memory, if not already allocated, or re-allocate correct size,
|
|
|
|
|
* before retrieving the extended attribute.
|
|
|
|
|
*
|
|
|
|
|
* Returns the result of alloc, if failed, or the getxattr operation.
|
|
|
|
|
*/
|
|
|
|
|
ssize_t
|
|
|
|
|
vfs_getxattr_alloc(struct dentry *dentry, const char *name, char **xattr_value,
|
|
|
|
|
size_t xattr_size, gfp_t flags)
|
|
|
|
|
{
|
xattr: Stop calling {get,set,remove}xattr inode operations
All filesystems that support xattrs by now do so via xattr handlers.
They all define sb->s_xattr, and their getxattr, setxattr, and
removexattr inode operations use the generic inode operations. On
filesystems that don't support xattrs, the xattr inode operations are
all NULL, and sb->s_xattr is also NULL.
This means that we can remove the getxattr, setxattr, and removexattr
inode operations and directly call the generic handlers, or better,
inline expand those handlers into fs/xattr.c.
Filesystems that do not support xattrs on some inodes should clear the
IOP_XATTR i_opflags flag in those inodes. (Right now, some filesystems
have checks to disable xattrs on some inodes in the ->list, ->get, and
->set xattr handler operations instead.) The IOP_XATTR flag is
automatically cleared in inodes of filesystems that don't have xattr
support.
In orangefs, symlinks do have a setxattr iop but no getxattr iop. Add a
check for symlinks to orangefs_inode_getxattr to preserve the current,
weird behavior; that check may not be necessary though.
Signed-off-by: Andreas Gruenbacher <agruenba@redhat.com>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
2016-09-29 09:48:44 -06:00
|
|
|
const struct xattr_handler *handler;
|
2011-03-09 12:23:34 -07:00
|
|
|
struct inode *inode = dentry->d_inode;
|
|
|
|
|
char *value = *xattr_value;
|
|
|
|
|
int error;
|
|
|
|
|
|
|
|
|
|
error = xattr_permission(inode, name, MAY_READ);
|
|
|
|
|
if (error)
|
|
|
|
|
return error;
|
|
|
|
|
|
xattr: Stop calling {get,set,remove}xattr inode operations
All filesystems that support xattrs by now do so via xattr handlers.
They all define sb->s_xattr, and their getxattr, setxattr, and
removexattr inode operations use the generic inode operations. On
filesystems that don't support xattrs, the xattr inode operations are
all NULL, and sb->s_xattr is also NULL.
This means that we can remove the getxattr, setxattr, and removexattr
inode operations and directly call the generic handlers, or better,
inline expand those handlers into fs/xattr.c.
Filesystems that do not support xattrs on some inodes should clear the
IOP_XATTR i_opflags flag in those inodes. (Right now, some filesystems
have checks to disable xattrs on some inodes in the ->list, ->get, and
->set xattr handler operations instead.) The IOP_XATTR flag is
automatically cleared in inodes of filesystems that don't have xattr
support.
In orangefs, symlinks do have a setxattr iop but no getxattr iop. Add a
check for symlinks to orangefs_inode_getxattr to preserve the current,
weird behavior; that check may not be necessary though.
Signed-off-by: Andreas Gruenbacher <agruenba@redhat.com>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
2016-09-29 09:48:44 -06:00
|
|
|
handler = xattr_resolve_name(inode, &name);
|
|
|
|
|
if (IS_ERR(handler))
|
|
|
|
|
return PTR_ERR(handler);
|
|
|
|
|
if (!handler->get)
|
2011-03-09 12:23:34 -07:00
|
|
|
return -EOPNOTSUPP;
|
xattr: Stop calling {get,set,remove}xattr inode operations
All filesystems that support xattrs by now do so via xattr handlers.
They all define sb->s_xattr, and their getxattr, setxattr, and
removexattr inode operations use the generic inode operations. On
filesystems that don't support xattrs, the xattr inode operations are
all NULL, and sb->s_xattr is also NULL.
This means that we can remove the getxattr, setxattr, and removexattr
inode operations and directly call the generic handlers, or better,
inline expand those handlers into fs/xattr.c.
Filesystems that do not support xattrs on some inodes should clear the
IOP_XATTR i_opflags flag in those inodes. (Right now, some filesystems
have checks to disable xattrs on some inodes in the ->list, ->get, and
->set xattr handler operations instead.) The IOP_XATTR flag is
automatically cleared in inodes of filesystems that don't have xattr
support.
In orangefs, symlinks do have a setxattr iop but no getxattr iop. Add a
check for symlinks to orangefs_inode_getxattr to preserve the current,
weird behavior; that check may not be necessary though.
Signed-off-by: Andreas Gruenbacher <agruenba@redhat.com>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
2016-09-29 09:48:44 -06:00
|
|
|
error = handler->get(handler, dentry, inode, name, NULL, 0);
|
2011-03-09 12:23:34 -07:00
|
|
|
if (error < 0)
|
|
|
|
|
return error;
|
|
|
|
|
|
|
|
|
|
if (!value || (error > xattr_size)) {
|
|
|
|
|
value = krealloc(*xattr_value, error + 1, flags);
|
|
|
|
|
if (!value)
|
|
|
|
|
return -ENOMEM;
|
|
|
|
|
memset(value, 0, error + 1);
|
|
|
|
|
}
|
|
|
|
|
|
xattr: Stop calling {get,set,remove}xattr inode operations
All filesystems that support xattrs by now do so via xattr handlers.
They all define sb->s_xattr, and their getxattr, setxattr, and
removexattr inode operations use the generic inode operations. On
filesystems that don't support xattrs, the xattr inode operations are
all NULL, and sb->s_xattr is also NULL.
This means that we can remove the getxattr, setxattr, and removexattr
inode operations and directly call the generic handlers, or better,
inline expand those handlers into fs/xattr.c.
Filesystems that do not support xattrs on some inodes should clear the
IOP_XATTR i_opflags flag in those inodes. (Right now, some filesystems
have checks to disable xattrs on some inodes in the ->list, ->get, and
->set xattr handler operations instead.) The IOP_XATTR flag is
automatically cleared in inodes of filesystems that don't have xattr
support.
In orangefs, symlinks do have a setxattr iop but no getxattr iop. Add a
check for symlinks to orangefs_inode_getxattr to preserve the current,
weird behavior; that check may not be necessary though.
Signed-off-by: Andreas Gruenbacher <agruenba@redhat.com>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
2016-09-29 09:48:44 -06:00
|
|
|
error = handler->get(handler, dentry, inode, name, value, error);
|
2011-03-09 12:23:34 -07:00
|
|
|
*xattr_value = value;
|
|
|
|
|
return error;
|
|
|
|
|
}
|
|
|
|
|
|
2016-09-29 09:48:42 -06:00
|
|
|
ssize_t
|
|
|
|
|
__vfs_getxattr(struct dentry *dentry, struct inode *inode, const char *name,
|
|
|
|
|
void *value, size_t size)
|
|
|
|
|
{
|
xattr: Stop calling {get,set,remove}xattr inode operations
All filesystems that support xattrs by now do so via xattr handlers.
They all define sb->s_xattr, and their getxattr, setxattr, and
removexattr inode operations use the generic inode operations. On
filesystems that don't support xattrs, the xattr inode operations are
all NULL, and sb->s_xattr is also NULL.
This means that we can remove the getxattr, setxattr, and removexattr
inode operations and directly call the generic handlers, or better,
inline expand those handlers into fs/xattr.c.
Filesystems that do not support xattrs on some inodes should clear the
IOP_XATTR i_opflags flag in those inodes. (Right now, some filesystems
have checks to disable xattrs on some inodes in the ->list, ->get, and
->set xattr handler operations instead.) The IOP_XATTR flag is
automatically cleared in inodes of filesystems that don't have xattr
support.
In orangefs, symlinks do have a setxattr iop but no getxattr iop. Add a
check for symlinks to orangefs_inode_getxattr to preserve the current,
weird behavior; that check may not be necessary though.
Signed-off-by: Andreas Gruenbacher <agruenba@redhat.com>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
2016-09-29 09:48:44 -06:00
|
|
|
const struct xattr_handler *handler;
|
|
|
|
|
|
|
|
|
|
handler = xattr_resolve_name(inode, &name);
|
|
|
|
|
if (IS_ERR(handler))
|
|
|
|
|
return PTR_ERR(handler);
|
|
|
|
|
if (!handler->get)
|
2016-09-29 09:48:42 -06:00
|
|
|
return -EOPNOTSUPP;
|
xattr: Stop calling {get,set,remove}xattr inode operations
All filesystems that support xattrs by now do so via xattr handlers.
They all define sb->s_xattr, and their getxattr, setxattr, and
removexattr inode operations use the generic inode operations. On
filesystems that don't support xattrs, the xattr inode operations are
all NULL, and sb->s_xattr is also NULL.
This means that we can remove the getxattr, setxattr, and removexattr
inode operations and directly call the generic handlers, or better,
inline expand those handlers into fs/xattr.c.
Filesystems that do not support xattrs on some inodes should clear the
IOP_XATTR i_opflags flag in those inodes. (Right now, some filesystems
have checks to disable xattrs on some inodes in the ->list, ->get, and
->set xattr handler operations instead.) The IOP_XATTR flag is
automatically cleared in inodes of filesystems that don't have xattr
support.
In orangefs, symlinks do have a setxattr iop but no getxattr iop. Add a
check for symlinks to orangefs_inode_getxattr to preserve the current,
weird behavior; that check may not be necessary though.
Signed-off-by: Andreas Gruenbacher <agruenba@redhat.com>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
2016-09-29 09:48:44 -06:00
|
|
|
return handler->get(handler, dentry, inode, name, value, size);
|
2016-09-29 09:48:42 -06:00
|
|
|
}
|
|
|
|
|
EXPORT_SYMBOL(__vfs_getxattr);
|
|
|
|
|
|
2006-01-09 21:51:55 -07:00
|
|
|
ssize_t
|
2008-04-29 01:59:41 -06:00
|
|
|
vfs_getxattr(struct dentry *dentry, const char *name, void *value, size_t size)
|
2006-01-09 21:51:55 -07:00
|
|
|
{
|
|
|
|
|
struct inode *inode = dentry->d_inode;
|
|
|
|
|
int error;
|
|
|
|
|
|
2006-01-09 21:51:56 -07:00
|
|
|
error = xattr_permission(inode, name, MAY_READ);
|
|
|
|
|
if (error)
|
|
|
|
|
return error;
|
|
|
|
|
|
2006-01-09 21:51:55 -07:00
|
|
|
error = security_inode_getxattr(dentry, name);
|
|
|
|
|
if (error)
|
|
|
|
|
return error;
|
|
|
|
|
|
|
|
|
|
if (!strncmp(name, XATTR_SECURITY_PREFIX,
|
2006-01-09 21:51:56 -07:00
|
|
|
XATTR_SECURITY_PREFIX_LEN)) {
|
|
|
|
|
const char *suffix = name + XATTR_SECURITY_PREFIX_LEN;
|
2008-02-04 23:29:39 -07:00
|
|
|
int ret = xattr_getsecurity(inode, suffix, value, size);
|
2006-01-09 21:51:55 -07:00
|
|
|
/*
|
|
|
|
|
* Only overwrite the return value if a security module
|
|
|
|
|
* is actually active.
|
|
|
|
|
*/
|
2008-02-04 23:29:40 -07:00
|
|
|
if (ret == -EOPNOTSUPP)
|
|
|
|
|
goto nolsm;
|
|
|
|
|
return ret;
|
2006-01-09 21:51:55 -07:00
|
|
|
}
|
2008-02-04 23:29:40 -07:00
|
|
|
nolsm:
|
2016-09-29 09:48:42 -06:00
|
|
|
return __vfs_getxattr(dentry, inode, name, value, size);
|
2006-01-09 21:51:55 -07:00
|
|
|
}
|
|
|
|
|
EXPORT_SYMBOL_GPL(vfs_getxattr);
|
|
|
|
|
|
2006-10-09 14:10:48 -06:00
|
|
|
ssize_t
|
2016-09-29 09:48:43 -06:00
|
|
|
vfs_listxattr(struct dentry *dentry, char *list, size_t size)
|
2006-10-09 14:10:48 -06:00
|
|
|
{
|
2016-09-29 09:48:43 -06:00
|
|
|
struct inode *inode = d_inode(dentry);
|
2006-10-09 14:10:48 -06:00
|
|
|
ssize_t error;
|
|
|
|
|
|
2016-09-29 09:48:43 -06:00
|
|
|
error = security_inode_listxattr(dentry);
|
2006-10-09 14:10:48 -06:00
|
|
|
if (error)
|
|
|
|
|
return error;
|
2016-09-29 09:48:43 -06:00
|
|
|
if (inode->i_op->listxattr && (inode->i_opflags & IOP_XATTR)) {
|
|
|
|
|
error = inode->i_op->listxattr(dentry, list, size);
|
2006-10-09 14:10:48 -06:00
|
|
|
} else {
|
2016-09-29 09:48:43 -06:00
|
|
|
error = security_inode_listsecurity(inode, list, size);
|
2006-10-09 14:10:48 -06:00
|
|
|
if (size && error > size)
|
|
|
|
|
error = -ERANGE;
|
|
|
|
|
}
|
|
|
|
|
return error;
|
|
|
|
|
}
|
|
|
|
|
EXPORT_SYMBOL_GPL(vfs_listxattr);
|
|
|
|
|
|
2006-01-09 21:51:55 -07:00
|
|
|
int
|
2016-09-29 09:48:42 -06:00
|
|
|
__vfs_removexattr(struct dentry *dentry, const char *name)
|
2006-01-09 21:51:55 -07:00
|
|
|
{
|
xattr: Stop calling {get,set,remove}xattr inode operations
All filesystems that support xattrs by now do so via xattr handlers.
They all define sb->s_xattr, and their getxattr, setxattr, and
removexattr inode operations use the generic inode operations. On
filesystems that don't support xattrs, the xattr inode operations are
all NULL, and sb->s_xattr is also NULL.
This means that we can remove the getxattr, setxattr, and removexattr
inode operations and directly call the generic handlers, or better,
inline expand those handlers into fs/xattr.c.
Filesystems that do not support xattrs on some inodes should clear the
IOP_XATTR i_opflags flag in those inodes. (Right now, some filesystems
have checks to disable xattrs on some inodes in the ->list, ->get, and
->set xattr handler operations instead.) The IOP_XATTR flag is
automatically cleared in inodes of filesystems that don't have xattr
support.
In orangefs, symlinks do have a setxattr iop but no getxattr iop. Add a
check for symlinks to orangefs_inode_getxattr to preserve the current,
weird behavior; that check may not be necessary though.
Signed-off-by: Andreas Gruenbacher <agruenba@redhat.com>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
2016-09-29 09:48:44 -06:00
|
|
|
struct inode *inode = d_inode(dentry);
|
|
|
|
|
const struct xattr_handler *handler;
|
2006-01-09 21:51:55 -07:00
|
|
|
|
xattr: Stop calling {get,set,remove}xattr inode operations
All filesystems that support xattrs by now do so via xattr handlers.
They all define sb->s_xattr, and their getxattr, setxattr, and
removexattr inode operations use the generic inode operations. On
filesystems that don't support xattrs, the xattr inode operations are
all NULL, and sb->s_xattr is also NULL.
This means that we can remove the getxattr, setxattr, and removexattr
inode operations and directly call the generic handlers, or better,
inline expand those handlers into fs/xattr.c.
Filesystems that do not support xattrs on some inodes should clear the
IOP_XATTR i_opflags flag in those inodes. (Right now, some filesystems
have checks to disable xattrs on some inodes in the ->list, ->get, and
->set xattr handler operations instead.) The IOP_XATTR flag is
automatically cleared in inodes of filesystems that don't have xattr
support.
In orangefs, symlinks do have a setxattr iop but no getxattr iop. Add a
check for symlinks to orangefs_inode_getxattr to preserve the current,
weird behavior; that check may not be necessary though.
Signed-off-by: Andreas Gruenbacher <agruenba@redhat.com>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
2016-09-29 09:48:44 -06:00
|
|
|
handler = xattr_resolve_name(inode, &name);
|
|
|
|
|
if (IS_ERR(handler))
|
|
|
|
|
return PTR_ERR(handler);
|
|
|
|
|
if (!handler->set)
|
2006-01-09 21:51:55 -07:00
|
|
|
return -EOPNOTSUPP;
|
xattr: Stop calling {get,set,remove}xattr inode operations
All filesystems that support xattrs by now do so via xattr handlers.
They all define sb->s_xattr, and their getxattr, setxattr, and
removexattr inode operations use the generic inode operations. On
filesystems that don't support xattrs, the xattr inode operations are
all NULL, and sb->s_xattr is also NULL.
This means that we can remove the getxattr, setxattr, and removexattr
inode operations and directly call the generic handlers, or better,
inline expand those handlers into fs/xattr.c.
Filesystems that do not support xattrs on some inodes should clear the
IOP_XATTR i_opflags flag in those inodes. (Right now, some filesystems
have checks to disable xattrs on some inodes in the ->list, ->get, and
->set xattr handler operations instead.) The IOP_XATTR flag is
automatically cleared in inodes of filesystems that don't have xattr
support.
In orangefs, symlinks do have a setxattr iop but no getxattr iop. Add a
check for symlinks to orangefs_inode_getxattr to preserve the current,
weird behavior; that check may not be necessary though.
Signed-off-by: Andreas Gruenbacher <agruenba@redhat.com>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
2016-09-29 09:48:44 -06:00
|
|
|
return handler->set(handler, dentry, inode, name, NULL, 0, XATTR_REPLACE);
|
2016-09-29 09:48:42 -06:00
|
|
|
}
|
|
|
|
|
EXPORT_SYMBOL(__vfs_removexattr);
|
|
|
|
|
|
2020-06-23 16:39:18 -06:00
|
|
|
/**
|
|
|
|
|
* __vfs_removexattr_locked: set an extended attribute while holding the inode
|
|
|
|
|
* lock
|
|
|
|
|
*
|
|
|
|
|
* @dentry - object to perform setxattr on
|
|
|
|
|
* @name - name of xattr to remove
|
|
|
|
|
* @delegated_inode - on return, will contain an inode pointer that
|
|
|
|
|
* a delegation was broken on, NULL if none.
|
|
|
|
|
*/
|
2016-09-29 09:48:42 -06:00
|
|
|
int
|
2020-06-23 16:39:18 -06:00
|
|
|
__vfs_removexattr_locked(struct dentry *dentry, const char *name,
|
|
|
|
|
struct inode **delegated_inode)
|
2016-09-29 09:48:42 -06:00
|
|
|
{
|
|
|
|
|
struct inode *inode = dentry->d_inode;
|
|
|
|
|
int error;
|
2006-01-09 21:51:55 -07:00
|
|
|
|
2006-01-09 21:51:56 -07:00
|
|
|
error = xattr_permission(inode, name, MAY_WRITE);
|
|
|
|
|
if (error)
|
|
|
|
|
return error;
|
|
|
|
|
|
2006-01-09 21:51:55 -07:00
|
|
|
error = security_inode_removexattr(dentry, name);
|
2014-11-20 07:31:01 -07:00
|
|
|
if (error)
|
|
|
|
|
goto out;
|
2006-01-09 21:51:55 -07:00
|
|
|
|
2020-06-23 16:39:18 -06:00
|
|
|
error = try_break_deleg(inode, delegated_inode);
|
|
|
|
|
if (error)
|
|
|
|
|
goto out;
|
|
|
|
|
|
2016-09-29 09:48:42 -06:00
|
|
|
error = __vfs_removexattr(dentry, name);
|
2006-01-09 21:51:55 -07:00
|
|
|
|
2011-03-09 12:39:18 -07:00
|
|
|
if (!error) {
|
2006-01-09 21:51:55 -07:00
|
|
|
fsnotify_xattr(dentry);
|
2011-03-09 12:39:18 -07:00
|
|
|
evm_inode_post_removexattr(dentry, name);
|
|
|
|
|
}
|
2014-11-20 07:31:01 -07:00
|
|
|
|
|
|
|
|
out:
|
2020-06-23 16:39:18 -06:00
|
|
|
return error;
|
|
|
|
|
}
|
|
|
|
|
EXPORT_SYMBOL_GPL(__vfs_removexattr_locked);
|
|
|
|
|
|
|
|
|
|
int
|
|
|
|
|
vfs_removexattr(struct dentry *dentry, const char *name)
|
|
|
|
|
{
|
|
|
|
|
struct inode *inode = dentry->d_inode;
|
|
|
|
|
struct inode *delegated_inode = NULL;
|
|
|
|
|
int error;
|
|
|
|
|
|
|
|
|
|
retry_deleg:
|
|
|
|
|
inode_lock(inode);
|
|
|
|
|
error = __vfs_removexattr_locked(dentry, name, &delegated_inode);
|
2016-01-22 13:40:57 -07:00
|
|
|
inode_unlock(inode);
|
2020-06-23 16:39:18 -06:00
|
|
|
|
|
|
|
|
if (delegated_inode) {
|
|
|
|
|
error = break_deleg_wait(&delegated_inode);
|
|
|
|
|
if (!error)
|
|
|
|
|
goto retry_deleg;
|
|
|
|
|
}
|
|
|
|
|
|
2006-01-09 21:51:55 -07:00
|
|
|
return error;
|
|
|
|
|
}
|
|
|
|
|
EXPORT_SYMBOL_GPL(vfs_removexattr);
|
|
|
|
|
|
2005-04-16 16:20:36 -06:00
|
|
|
/*
|
|
|
|
|
* Extended attribute SET operations
|
|
|
|
|
*/
|
|
|
|
|
static long
|
2008-04-29 01:59:41 -06:00
|
|
|
setxattr(struct dentry *d, const char __user *name, const void __user *value,
|
2005-04-16 16:20:36 -06:00
|
|
|
size_t size, int flags)
|
|
|
|
|
{
|
|
|
|
|
int error;
|
|
|
|
|
void *kvalue = NULL;
|
|
|
|
|
char kname[XATTR_NAME_MAX + 1];
|
|
|
|
|
|
|
|
|
|
if (flags & ~(XATTR_CREATE|XATTR_REPLACE))
|
|
|
|
|
return -EINVAL;
|
|
|
|
|
|
|
|
|
|
error = strncpy_from_user(kname, name, sizeof(kname));
|
|
|
|
|
if (error == 0 || error == sizeof(kname))
|
|
|
|
|
error = -ERANGE;
|
|
|
|
|
if (error < 0)
|
|
|
|
|
return error;
|
|
|
|
|
|
|
|
|
|
if (size) {
|
|
|
|
|
if (size > XATTR_SIZE_MAX)
|
|
|
|
|
return -E2BIG;
|
2017-05-08 16:57:27 -06:00
|
|
|
kvalue = kvmalloc(size, GFP_KERNEL);
|
|
|
|
|
if (!kvalue)
|
|
|
|
|
return -ENOMEM;
|
2012-04-05 15:25:07 -06:00
|
|
|
if (copy_from_user(kvalue, value, size)) {
|
|
|
|
|
error = -EFAULT;
|
|
|
|
|
goto out;
|
|
|
|
|
}
|
2012-02-07 19:52:57 -07:00
|
|
|
if ((strcmp(kname, XATTR_NAME_POSIX_ACL_ACCESS) == 0) ||
|
|
|
|
|
(strcmp(kname, XATTR_NAME_POSIX_ACL_DEFAULT) == 0))
|
|
|
|
|
posix_acl_fix_xattr_from_user(kvalue, size);
|
Introduce v3 namespaced file capabilities
Root in a non-initial user ns cannot be trusted to write a traditional
security.capability xattr. If it were allowed to do so, then any
unprivileged user on the host could map his own uid to root in a private
namespace, write the xattr, and execute the file with privilege on the
host.
However supporting file capabilities in a user namespace is very
desirable. Not doing so means that any programs designed to run with
limited privilege must continue to support other methods of gaining and
dropping privilege. For instance a program installer must detect
whether file capabilities can be assigned, and assign them if so but set
setuid-root otherwise. The program in turn must know how to drop
partial capabilities, and do so only if setuid-root.
This patch introduces v3 of the security.capability xattr. It builds a
vfs_ns_cap_data struct by appending a uid_t rootid to struct
vfs_cap_data. This is the absolute uid_t (that is, the uid_t in user
namespace which mounted the filesystem, usually init_user_ns) of the
root id in whose namespaces the file capabilities may take effect.
When a task asks to write a v2 security.capability xattr, if it is
privileged with respect to the userns which mounted the filesystem, then
nothing should change. Otherwise, the kernel will transparently rewrite
the xattr as a v3 with the appropriate rootid. This is done during the
execution of setxattr() to catch user-space-initiated capability writes.
Subsequently, any task executing the file which has the noted kuid as
its root uid, or which is in a descendent user_ns of such a user_ns,
will run the file with capabilities.
Similarly when asking to read file capabilities, a v3 capability will
be presented as v2 if it applies to the caller's namespace.
If a task writes a v3 security.capability, then it can provide a uid for
the xattr so long as the uid is valid in its own user namespace, and it
is privileged with CAP_SETFCAP over its namespace. The kernel will
translate that rootid to an absolute uid, and write that to disk. After
this, a task in the writer's namespace will not be able to use those
capabilities (unless rootid was 0), but a task in a namespace where the
given uid is root will.
Only a single security.capability xattr may exist at a time for a given
file. A task may overwrite an existing xattr so long as it is
privileged over the inode. Note this is a departure from previous
semantics, which required privilege to remove a security.capability
xattr. This check can be re-added if deemed useful.
This allows a simple setxattr to work, allows tar/untar to work, and
allows us to tar in one namespace and untar in another while preserving
the capability, without risking leaking privilege into a parent
namespace.
Example using tar:
$ cp /bin/sleep sleepx
$ mkdir b1 b2
$ lxc-usernsexec -m b:0:100000:1 -m b:1:$(id -u):1 -- chown 0:0 b1
$ lxc-usernsexec -m b:0:100001:1 -m b:1:$(id -u):1 -- chown 0:0 b2
$ lxc-usernsexec -m b:0:100000:1000 -- tar --xattrs-include=security.capability --xattrs -cf b1/sleepx.tar sleepx
$ lxc-usernsexec -m b:0:100001:1000 -- tar --xattrs-include=security.capability --xattrs -C b2 -xf b1/sleepx.tar
$ lxc-usernsexec -m b:0:100001:1000 -- getcap b2/sleepx
b2/sleepx = cap_sys_admin+ep
# /opt/ltp/testcases/bin/getv3xattr b2/sleepx
v3 xattr, rootid is 100001
A patch to linux-test-project adding a new set of tests for this
functionality is in the nsfscaps branch at github.com/hallyn/ltp
Changelog:
Nov 02 2016: fix invalid check at refuse_fcap_overwrite()
Nov 07 2016: convert rootid from and to fs user_ns
(From ebiederm: mar 28 2017)
commoncap.c: fix typos - s/v4/v3
get_vfs_caps_from_disk: clarify the fs_ns root access check
nsfscaps: change the code split for cap_inode_setxattr()
Apr 09 2017:
don't return v3 cap for caps owned by current root.
return a v2 cap for a true v2 cap in non-init ns
Apr 18 2017:
. Change the flow of fscap writing to support s_user_ns writing.
. Remove refuse_fcap_overwrite(). The value of the previous
xattr doesn't matter.
Apr 24 2017:
. incorporate Eric's incremental diff
. move cap_convert_nscap to setxattr and simplify its usage
May 8, 2017:
. fix leaking dentry refcount in cap_inode_getsecurity
Signed-off-by: Serge Hallyn <serge@hallyn.com>
Signed-off-by: Eric W. Biederman <ebiederm@xmission.com>
2017-05-08 12:11:56 -06:00
|
|
|
else if (strcmp(kname, XATTR_NAME_CAPS) == 0) {
|
|
|
|
|
error = cap_convert_nscap(d, &kvalue, size);
|
|
|
|
|
if (error < 0)
|
|
|
|
|
goto out;
|
|
|
|
|
size = error;
|
|
|
|
|
}
|
2005-04-16 16:20:36 -06:00
|
|
|
}
|
|
|
|
|
|
2006-01-09 21:51:55 -07:00
|
|
|
error = vfs_setxattr(d, kname, kvalue, size, flags);
|
2012-04-05 15:25:07 -06:00
|
|
|
out:
|
2016-01-02 15:09:47 -07:00
|
|
|
kvfree(kvalue);
|
|
|
|
|
|
2005-04-16 16:20:36 -06:00
|
|
|
return error;
|
|
|
|
|
}
|
|
|
|
|
|
2014-10-12 10:59:58 -06:00
|
|
|
static int path_setxattr(const char __user *pathname,
|
|
|
|
|
const char __user *name, const void __user *value,
|
|
|
|
|
size_t size, int flags, unsigned int lookup_flags)
|
2005-04-16 16:20:36 -06:00
|
|
|
{
|
2008-07-22 07:59:21 -06:00
|
|
|
struct path path;
|
2005-04-16 16:20:36 -06:00
|
|
|
int error;
|
2012-12-11 10:10:15 -07:00
|
|
|
retry:
|
|
|
|
|
error = user_path_at(AT_FDCWD, pathname, lookup_flags, &path);
|
2005-04-16 16:20:36 -06:00
|
|
|
if (error)
|
|
|
|
|
return error;
|
2008-07-22 07:59:21 -06:00
|
|
|
error = mnt_want_write(path.mnt);
|
2008-02-15 15:37:38 -07:00
|
|
|
if (!error) {
|
2008-07-22 07:59:21 -06:00
|
|
|
error = setxattr(path.dentry, name, value, size, flags);
|
|
|
|
|
mnt_drop_write(path.mnt);
|
2008-02-15 15:37:38 -07:00
|
|
|
}
|
2008-07-22 07:59:21 -06:00
|
|
|
path_put(&path);
|
2012-12-11 10:10:15 -07:00
|
|
|
if (retry_estale(error, lookup_flags)) {
|
|
|
|
|
lookup_flags |= LOOKUP_REVAL;
|
|
|
|
|
goto retry;
|
|
|
|
|
}
|
2005-04-16 16:20:36 -06:00
|
|
|
return error;
|
|
|
|
|
}
|
|
|
|
|
|
2014-10-12 10:59:58 -06:00
|
|
|
SYSCALL_DEFINE5(setxattr, const char __user *, pathname,
|
|
|
|
|
const char __user *, name, const void __user *, value,
|
|
|
|
|
size_t, size, int, flags)
|
|
|
|
|
{
|
|
|
|
|
return path_setxattr(pathname, name, value, size, flags, LOOKUP_FOLLOW);
|
|
|
|
|
}
|
|
|
|
|
|
2009-01-14 06:14:14 -07:00
|
|
|
SYSCALL_DEFINE5(lsetxattr, const char __user *, pathname,
|
|
|
|
|
const char __user *, name, const void __user *, value,
|
|
|
|
|
size_t, size, int, flags)
|
2005-04-16 16:20:36 -06:00
|
|
|
{
|
2014-10-12 10:59:58 -06:00
|
|
|
return path_setxattr(pathname, name, value, size, flags, 0);
|
2005-04-16 16:20:36 -06:00
|
|
|
}
|
|
|
|
|
|
2009-01-14 06:14:14 -07:00
|
|
|
SYSCALL_DEFINE5(fsetxattr, int, fd, const char __user *, name,
|
|
|
|
|
const void __user *,value, size_t, size, int, flags)
|
2005-04-16 16:20:36 -06:00
|
|
|
{
|
2012-08-28 10:52:22 -06:00
|
|
|
struct fd f = fdget(fd);
|
2005-04-16 16:20:36 -06:00
|
|
|
int error = -EBADF;
|
|
|
|
|
|
2012-08-28 10:52:22 -06:00
|
|
|
if (!f.file)
|
2005-04-16 16:20:36 -06:00
|
|
|
return error;
|
2014-10-31 15:44:57 -06:00
|
|
|
audit_file(f.file);
|
2018-07-18 07:44:43 -06:00
|
|
|
error = mnt_want_write_file(f.file);
|
2008-02-15 15:37:38 -07:00
|
|
|
if (!error) {
|
2014-10-31 15:44:57 -06:00
|
|
|
error = setxattr(f.file->f_path.dentry, name, value, size, flags);
|
2018-07-18 07:44:43 -06:00
|
|
|
mnt_drop_write_file(f.file);
|
2008-02-15 15:37:38 -07:00
|
|
|
}
|
2012-08-28 10:52:22 -06:00
|
|
|
fdput(f);
|
2005-04-16 16:20:36 -06:00
|
|
|
return error;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Extended attribute GET operations
|
|
|
|
|
*/
|
|
|
|
|
static ssize_t
|
2008-04-29 01:59:41 -06:00
|
|
|
getxattr(struct dentry *d, const char __user *name, void __user *value,
|
|
|
|
|
size_t size)
|
2005-04-16 16:20:36 -06:00
|
|
|
{
|
|
|
|
|
ssize_t error;
|
|
|
|
|
void *kvalue = NULL;
|
|
|
|
|
char kname[XATTR_NAME_MAX + 1];
|
|
|
|
|
|
|
|
|
|
error = strncpy_from_user(kname, name, sizeof(kname));
|
|
|
|
|
if (error == 0 || error == sizeof(kname))
|
|
|
|
|
error = -ERANGE;
|
|
|
|
|
if (error < 0)
|
|
|
|
|
return error;
|
|
|
|
|
|
|
|
|
|
if (size) {
|
|
|
|
|
if (size > XATTR_SIZE_MAX)
|
|
|
|
|
size = XATTR_SIZE_MAX;
|
2017-05-08 16:57:27 -06:00
|
|
|
kvalue = kvzalloc(size, GFP_KERNEL);
|
|
|
|
|
if (!kvalue)
|
|
|
|
|
return -ENOMEM;
|
2005-04-16 16:20:36 -06:00
|
|
|
}
|
|
|
|
|
|
2006-01-09 21:51:55 -07:00
|
|
|
error = vfs_getxattr(d, kname, kvalue, size);
|
2005-09-03 16:55:18 -06:00
|
|
|
if (error > 0) {
|
2012-02-07 19:52:57 -07:00
|
|
|
if ((strcmp(kname, XATTR_NAME_POSIX_ACL_ACCESS) == 0) ||
|
|
|
|
|
(strcmp(kname, XATTR_NAME_POSIX_ACL_DEFAULT) == 0))
|
getxattr: use correct xattr length
When running in a container with a user namespace, if you call getxattr
with name = "system.posix_acl_access" and size % 8 != 4, then getxattr
silently skips the user namespace fixup that it normally does resulting in
un-fixed-up data being returned.
This is caused by posix_acl_fix_xattr_to_user() being passed the total
buffer size and not the actual size of the xattr as returned by
vfs_getxattr().
This commit passes the actual length of the xattr as returned by
vfs_getxattr() down.
A reproducer for the issue is:
touch acl_posix
setfacl -m user:0:rwx acl_posix
and the compile:
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>
#include <attr/xattr.h>
/* Run in user namespace with nsuid 0 mapped to uid != 0 on the host. */
int main(int argc, void **argv)
{
ssize_t ret1, ret2;
char buf1[128], buf2[132];
int fret = EXIT_SUCCESS;
char *file;
if (argc < 2) {
fprintf(stderr,
"Please specify a file with "
"\"system.posix_acl_access\" permissions set\n");
_exit(EXIT_FAILURE);
}
file = argv[1];
ret1 = getxattr(file, "system.posix_acl_access",
buf1, sizeof(buf1));
if (ret1 < 0) {
fprintf(stderr, "%s - Failed to retrieve "
"\"system.posix_acl_access\" "
"from \"%s\"\n", strerror(errno), file);
_exit(EXIT_FAILURE);
}
ret2 = getxattr(file, "system.posix_acl_access",
buf2, sizeof(buf2));
if (ret2 < 0) {
fprintf(stderr, "%s - Failed to retrieve "
"\"system.posix_acl_access\" "
"from \"%s\"\n", strerror(errno), file);
_exit(EXIT_FAILURE);
}
if (ret1 != ret2) {
fprintf(stderr, "The value of \"system.posix_acl_"
"access\" for file \"%s\" changed "
"between two successive calls\n", file);
_exit(EXIT_FAILURE);
}
for (ssize_t i = 0; i < ret2; i++) {
if (buf1[i] == buf2[i])
continue;
fprintf(stderr,
"Unexpected different in byte %zd: "
"%02x != %02x\n", i, buf1[i], buf2[i]);
fret = EXIT_FAILURE;
}
if (fret == EXIT_SUCCESS)
fprintf(stderr, "Test passed\n");
else
fprintf(stderr, "Test failed\n");
_exit(fret);
}
and run:
./tester acl_posix
On a non-fixed up kernel this should return something like:
root@c1:/# ./t
Unexpected different in byte 16: ffffffa0 != 00
Unexpected different in byte 17: ffffff86 != 00
Unexpected different in byte 18: 01 != 00
and on a fixed kernel:
root@c1:~# ./t
Test passed
Cc: stable@vger.kernel.org
Fixes: 2f6f0654ab61 ("userns: Convert vfs posix_acl support to use kuids and kgids")
Link: https://bugzilla.kernel.org/show_bug.cgi?id=199945
Reported-by: Colin Watson <cjwatson@ubuntu.com>
Signed-off-by: Christian Brauner <christian@brauner.io>
Acked-by: Serge Hallyn <serge@hallyn.com>
Signed-off-by: Eric W. Biederman <ebiederm@xmission.com>
2018-06-07 05:43:48 -06:00
|
|
|
posix_acl_fix_xattr_to_user(kvalue, error);
|
2005-09-03 16:55:18 -06:00
|
|
|
if (size && copy_to_user(value, kvalue, error))
|
|
|
|
|
error = -EFAULT;
|
|
|
|
|
} else if (error == -ERANGE && size >= XATTR_SIZE_MAX) {
|
|
|
|
|
/* The file system tried to returned a value bigger
|
|
|
|
|
than XATTR_SIZE_MAX bytes. Not possible. */
|
|
|
|
|
error = -E2BIG;
|
2005-04-16 16:20:36 -06:00
|
|
|
}
|
2016-01-02 15:09:47 -07:00
|
|
|
|
|
|
|
|
kvfree(kvalue);
|
|
|
|
|
|
2005-04-16 16:20:36 -06:00
|
|
|
return error;
|
|
|
|
|
}
|
|
|
|
|
|
2014-10-12 10:59:58 -06:00
|
|
|
static ssize_t path_getxattr(const char __user *pathname,
|
|
|
|
|
const char __user *name, void __user *value,
|
|
|
|
|
size_t size, unsigned int lookup_flags)
|
2005-04-16 16:20:36 -06:00
|
|
|
{
|
2008-07-22 07:59:21 -06:00
|
|
|
struct path path;
|
2005-04-16 16:20:36 -06:00
|
|
|
ssize_t error;
|
2012-12-11 10:10:16 -07:00
|
|
|
retry:
|
|
|
|
|
error = user_path_at(AT_FDCWD, pathname, lookup_flags, &path);
|
2005-04-16 16:20:36 -06:00
|
|
|
if (error)
|
|
|
|
|
return error;
|
2008-07-22 07:59:21 -06:00
|
|
|
error = getxattr(path.dentry, name, value, size);
|
|
|
|
|
path_put(&path);
|
2012-12-11 10:10:16 -07:00
|
|
|
if (retry_estale(error, lookup_flags)) {
|
|
|
|
|
lookup_flags |= LOOKUP_REVAL;
|
|
|
|
|
goto retry;
|
|
|
|
|
}
|
2005-04-16 16:20:36 -06:00
|
|
|
return error;
|
|
|
|
|
}
|
|
|
|
|
|
2014-10-12 10:59:58 -06:00
|
|
|
SYSCALL_DEFINE4(getxattr, const char __user *, pathname,
|
|
|
|
|
const char __user *, name, void __user *, value, size_t, size)
|
|
|
|
|
{
|
|
|
|
|
return path_getxattr(pathname, name, value, size, LOOKUP_FOLLOW);
|
|
|
|
|
}
|
|
|
|
|
|
2009-01-14 06:14:14 -07:00
|
|
|
SYSCALL_DEFINE4(lgetxattr, const char __user *, pathname,
|
|
|
|
|
const char __user *, name, void __user *, value, size_t, size)
|
2005-04-16 16:20:36 -06:00
|
|
|
{
|
2014-10-12 10:59:58 -06:00
|
|
|
return path_getxattr(pathname, name, value, size, 0);
|
2005-04-16 16:20:36 -06:00
|
|
|
}
|
|
|
|
|
|
2009-01-14 06:14:14 -07:00
|
|
|
SYSCALL_DEFINE4(fgetxattr, int, fd, const char __user *, name,
|
|
|
|
|
void __user *, value, size_t, size)
|
2005-04-16 16:20:36 -06:00
|
|
|
{
|
2012-08-28 10:52:22 -06:00
|
|
|
struct fd f = fdget(fd);
|
2005-04-16 16:20:36 -06:00
|
|
|
ssize_t error = -EBADF;
|
|
|
|
|
|
2012-08-28 10:52:22 -06:00
|
|
|
if (!f.file)
|
2005-04-16 16:20:36 -06:00
|
|
|
return error;
|
2014-10-31 15:44:57 -06:00
|
|
|
audit_file(f.file);
|
2012-08-28 10:52:22 -06:00
|
|
|
error = getxattr(f.file->f_path.dentry, name, value, size);
|
|
|
|
|
fdput(f);
|
2005-04-16 16:20:36 -06:00
|
|
|
return error;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Extended attribute LIST operations
|
|
|
|
|
*/
|
|
|
|
|
static ssize_t
|
|
|
|
|
listxattr(struct dentry *d, char __user *list, size_t size)
|
|
|
|
|
{
|
|
|
|
|
ssize_t error;
|
|
|
|
|
char *klist = NULL;
|
|
|
|
|
|
|
|
|
|
if (size) {
|
|
|
|
|
if (size > XATTR_LIST_MAX)
|
|
|
|
|
size = XATTR_LIST_MAX;
|
2017-05-08 16:57:27 -06:00
|
|
|
klist = kvmalloc(size, GFP_KERNEL);
|
|
|
|
|
if (!klist)
|
|
|
|
|
return -ENOMEM;
|
2005-04-16 16:20:36 -06:00
|
|
|
}
|
|
|
|
|
|
2006-10-09 14:10:48 -06:00
|
|
|
error = vfs_listxattr(d, klist, size);
|
2005-09-03 16:55:18 -06:00
|
|
|
if (error > 0) {
|
|
|
|
|
if (size && copy_to_user(list, klist, error))
|
|
|
|
|
error = -EFAULT;
|
|
|
|
|
} else if (error == -ERANGE && size >= XATTR_LIST_MAX) {
|
|
|
|
|
/* The file system tried to returned a list bigger
|
|
|
|
|
than XATTR_LIST_MAX bytes. Not possible. */
|
|
|
|
|
error = -E2BIG;
|
2005-04-16 16:20:36 -06:00
|
|
|
}
|
2016-01-02 15:09:47 -07:00
|
|
|
|
|
|
|
|
kvfree(klist);
|
|
|
|
|
|
2005-04-16 16:20:36 -06:00
|
|
|
return error;
|
|
|
|
|
}
|
|
|
|
|
|
2014-10-12 10:59:58 -06:00
|
|
|
static ssize_t path_listxattr(const char __user *pathname, char __user *list,
|
|
|
|
|
size_t size, unsigned int lookup_flags)
|
2005-04-16 16:20:36 -06:00
|
|
|
{
|
2008-07-22 07:59:21 -06:00
|
|
|
struct path path;
|
2005-04-16 16:20:36 -06:00
|
|
|
ssize_t error;
|
2012-12-11 10:10:16 -07:00
|
|
|
retry:
|
|
|
|
|
error = user_path_at(AT_FDCWD, pathname, lookup_flags, &path);
|
2005-04-16 16:20:36 -06:00
|
|
|
if (error)
|
|
|
|
|
return error;
|
2008-07-22 07:59:21 -06:00
|
|
|
error = listxattr(path.dentry, list, size);
|
|
|
|
|
path_put(&path);
|
2012-12-11 10:10:16 -07:00
|
|
|
if (retry_estale(error, lookup_flags)) {
|
|
|
|
|
lookup_flags |= LOOKUP_REVAL;
|
|
|
|
|
goto retry;
|
|
|
|
|
}
|
2005-04-16 16:20:36 -06:00
|
|
|
return error;
|
|
|
|
|
}
|
|
|
|
|
|
2014-10-12 10:59:58 -06:00
|
|
|
SYSCALL_DEFINE3(listxattr, const char __user *, pathname, char __user *, list,
|
|
|
|
|
size_t, size)
|
|
|
|
|
{
|
|
|
|
|
return path_listxattr(pathname, list, size, LOOKUP_FOLLOW);
|
|
|
|
|
}
|
|
|
|
|
|
2009-01-14 06:14:14 -07:00
|
|
|
SYSCALL_DEFINE3(llistxattr, const char __user *, pathname, char __user *, list,
|
|
|
|
|
size_t, size)
|
2005-04-16 16:20:36 -06:00
|
|
|
{
|
2014-10-12 10:59:58 -06:00
|
|
|
return path_listxattr(pathname, list, size, 0);
|
2005-04-16 16:20:36 -06:00
|
|
|
}
|
|
|
|
|
|
2009-01-14 06:14:14 -07:00
|
|
|
SYSCALL_DEFINE3(flistxattr, int, fd, char __user *, list, size_t, size)
|
2005-04-16 16:20:36 -06:00
|
|
|
{
|
2012-08-28 10:52:22 -06:00
|
|
|
struct fd f = fdget(fd);
|
2005-04-16 16:20:36 -06:00
|
|
|
ssize_t error = -EBADF;
|
|
|
|
|
|
2012-08-28 10:52:22 -06:00
|
|
|
if (!f.file)
|
2005-04-16 16:20:36 -06:00
|
|
|
return error;
|
2014-10-31 15:44:57 -06:00
|
|
|
audit_file(f.file);
|
2012-08-28 10:52:22 -06:00
|
|
|
error = listxattr(f.file->f_path.dentry, list, size);
|
|
|
|
|
fdput(f);
|
2005-04-16 16:20:36 -06:00
|
|
|
return error;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Extended attribute REMOVE operations
|
|
|
|
|
*/
|
|
|
|
|
static long
|
2008-04-29 01:59:41 -06:00
|
|
|
removexattr(struct dentry *d, const char __user *name)
|
2005-04-16 16:20:36 -06:00
|
|
|
{
|
|
|
|
|
int error;
|
|
|
|
|
char kname[XATTR_NAME_MAX + 1];
|
|
|
|
|
|
|
|
|
|
error = strncpy_from_user(kname, name, sizeof(kname));
|
|
|
|
|
if (error == 0 || error == sizeof(kname))
|
|
|
|
|
error = -ERANGE;
|
|
|
|
|
if (error < 0)
|
|
|
|
|
return error;
|
|
|
|
|
|
2006-01-09 21:51:55 -07:00
|
|
|
return vfs_removexattr(d, kname);
|
2005-04-16 16:20:36 -06:00
|
|
|
}
|
|
|
|
|
|
2014-10-12 10:59:58 -06:00
|
|
|
static int path_removexattr(const char __user *pathname,
|
|
|
|
|
const char __user *name, unsigned int lookup_flags)
|
2005-04-16 16:20:36 -06:00
|
|
|
{
|
2008-07-22 07:59:21 -06:00
|
|
|
struct path path;
|
2005-04-16 16:20:36 -06:00
|
|
|
int error;
|
2012-12-11 10:10:17 -07:00
|
|
|
retry:
|
|
|
|
|
error = user_path_at(AT_FDCWD, pathname, lookup_flags, &path);
|
2005-04-16 16:20:36 -06:00
|
|
|
if (error)
|
|
|
|
|
return error;
|
2008-07-22 07:59:21 -06:00
|
|
|
error = mnt_want_write(path.mnt);
|
2008-02-15 15:37:38 -07:00
|
|
|
if (!error) {
|
2008-07-22 07:59:21 -06:00
|
|
|
error = removexattr(path.dentry, name);
|
|
|
|
|
mnt_drop_write(path.mnt);
|
2008-02-15 15:37:38 -07:00
|
|
|
}
|
2008-07-22 07:59:21 -06:00
|
|
|
path_put(&path);
|
2012-12-11 10:10:17 -07:00
|
|
|
if (retry_estale(error, lookup_flags)) {
|
|
|
|
|
lookup_flags |= LOOKUP_REVAL;
|
|
|
|
|
goto retry;
|
|
|
|
|
}
|
2005-04-16 16:20:36 -06:00
|
|
|
return error;
|
|
|
|
|
}
|
|
|
|
|
|
2014-10-12 10:59:58 -06:00
|
|
|
SYSCALL_DEFINE2(removexattr, const char __user *, pathname,
|
|
|
|
|
const char __user *, name)
|
|
|
|
|
{
|
|
|
|
|
return path_removexattr(pathname, name, LOOKUP_FOLLOW);
|
|
|
|
|
}
|
|
|
|
|
|
2009-01-14 06:14:15 -07:00
|
|
|
SYSCALL_DEFINE2(lremovexattr, const char __user *, pathname,
|
|
|
|
|
const char __user *, name)
|
2005-04-16 16:20:36 -06:00
|
|
|
{
|
2014-10-12 10:59:58 -06:00
|
|
|
return path_removexattr(pathname, name, 0);
|
2005-04-16 16:20:36 -06:00
|
|
|
}
|
|
|
|
|
|
2009-01-14 06:14:15 -07:00
|
|
|
SYSCALL_DEFINE2(fremovexattr, int, fd, const char __user *, name)
|
2005-04-16 16:20:36 -06:00
|
|
|
{
|
2012-08-28 10:52:22 -06:00
|
|
|
struct fd f = fdget(fd);
|
2005-04-16 16:20:36 -06:00
|
|
|
int error = -EBADF;
|
|
|
|
|
|
2012-08-28 10:52:22 -06:00
|
|
|
if (!f.file)
|
2005-04-16 16:20:36 -06:00
|
|
|
return error;
|
2014-10-31 15:44:57 -06:00
|
|
|
audit_file(f.file);
|
2018-07-18 07:44:43 -06:00
|
|
|
error = mnt_want_write_file(f.file);
|
2008-02-15 15:37:38 -07:00
|
|
|
if (!error) {
|
2014-10-31 15:44:57 -06:00
|
|
|
error = removexattr(f.file->f_path.dentry, name);
|
2018-07-18 07:44:43 -06:00
|
|
|
mnt_drop_write_file(f.file);
|
2008-02-15 15:37:38 -07:00
|
|
|
}
|
2012-08-28 10:52:22 -06:00
|
|
|
fdput(f);
|
2005-04-16 16:20:36 -06:00
|
|
|
return error;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Combine the results of the list() operation from every xattr_handler in the
|
|
|
|
|
* list.
|
|
|
|
|
*/
|
|
|
|
|
ssize_t
|
|
|
|
|
generic_listxattr(struct dentry *dentry, char *buffer, size_t buffer_size)
|
|
|
|
|
{
|
2010-05-13 18:53:14 -06:00
|
|
|
const struct xattr_handler *handler, **handlers = dentry->d_sb->s_xattr;
|
2005-04-16 16:20:36 -06:00
|
|
|
unsigned int size = 0;
|
|
|
|
|
|
|
|
|
|
if (!buffer) {
|
2009-11-13 02:52:56 -07:00
|
|
|
for_each_xattr_handler(handlers, handler) {
|
2015-12-02 06:44:43 -07:00
|
|
|
if (!handler->name ||
|
|
|
|
|
(handler->list && !handler->list(dentry)))
|
2015-12-02 06:44:41 -07:00
|
|
|
continue;
|
2015-12-02 06:44:43 -07:00
|
|
|
size += strlen(handler->name) + 1;
|
2009-11-13 02:52:56 -07:00
|
|
|
}
|
2005-04-16 16:20:36 -06:00
|
|
|
} else {
|
|
|
|
|
char *buf = buffer;
|
2015-12-02 06:44:43 -07:00
|
|
|
size_t len;
|
2005-04-16 16:20:36 -06:00
|
|
|
|
|
|
|
|
for_each_xattr_handler(handlers, handler) {
|
2015-12-02 06:44:43 -07:00
|
|
|
if (!handler->name ||
|
|
|
|
|
(handler->list && !handler->list(dentry)))
|
2015-12-02 06:44:41 -07:00
|
|
|
continue;
|
2015-12-02 06:44:43 -07:00
|
|
|
len = strlen(handler->name);
|
|
|
|
|
if (len + 1 > buffer_size)
|
2005-04-16 16:20:36 -06:00
|
|
|
return -ERANGE;
|
2015-12-02 06:44:43 -07:00
|
|
|
memcpy(buf, handler->name, len + 1);
|
|
|
|
|
buf += len + 1;
|
|
|
|
|
buffer_size -= len + 1;
|
2005-04-16 16:20:36 -06:00
|
|
|
}
|
|
|
|
|
size = buf - buffer;
|
|
|
|
|
}
|
|
|
|
|
return size;
|
|
|
|
|
}
|
|
|
|
|
EXPORT_SYMBOL(generic_listxattr);
|
2012-08-23 14:53:28 -06:00
|
|
|
|
2015-10-04 11:18:52 -06:00
|
|
|
/**
|
|
|
|
|
* xattr_full_name - Compute full attribute name from suffix
|
|
|
|
|
*
|
|
|
|
|
* @handler: handler of the xattr_handler operation
|
|
|
|
|
* @name: name passed to the xattr_handler operation
|
|
|
|
|
*
|
|
|
|
|
* The get and set xattr handler operations are called with the remainder of
|
|
|
|
|
* the attribute name after skipping the handler's prefix: for example, "foo"
|
|
|
|
|
* is passed to the get operation of a handler with prefix "user." to get
|
|
|
|
|
* attribute "user.foo". The full name is still "there" in the name though.
|
|
|
|
|
*
|
|
|
|
|
* Note: the list xattr handler operation when called from the vfs is passed a
|
|
|
|
|
* NULL name; some file systems use this operation internally, with varying
|
|
|
|
|
* semantics.
|
|
|
|
|
*/
|
|
|
|
|
const char *xattr_full_name(const struct xattr_handler *handler,
|
|
|
|
|
const char *name)
|
|
|
|
|
{
|
2015-12-02 06:44:36 -07:00
|
|
|
size_t prefix_len = strlen(xattr_prefix(handler));
|
2015-10-04 11:18:52 -06:00
|
|
|
|
|
|
|
|
return name - prefix_len;
|
|
|
|
|
}
|
|
|
|
|
EXPORT_SYMBOL(xattr_full_name);
|
|
|
|
|
|
2012-08-23 14:53:28 -06:00
|
|
|
/*
|
|
|
|
|
* Allocate new xattr and copy in the value; but leave the name to callers.
|
|
|
|
|
*/
|
|
|
|
|
struct simple_xattr *simple_xattr_alloc(const void *value, size_t size)
|
|
|
|
|
{
|
|
|
|
|
struct simple_xattr *new_xattr;
|
|
|
|
|
size_t len;
|
|
|
|
|
|
|
|
|
|
/* wrap around? */
|
|
|
|
|
len = sizeof(*new_xattr) + size;
|
2014-07-23 15:00:17 -06:00
|
|
|
if (len < sizeof(*new_xattr))
|
2012-08-23 14:53:28 -06:00
|
|
|
return NULL;
|
|
|
|
|
|
|
|
|
|
new_xattr = kmalloc(len, GFP_KERNEL);
|
|
|
|
|
if (!new_xattr)
|
|
|
|
|
return NULL;
|
|
|
|
|
|
|
|
|
|
new_xattr->size = size;
|
|
|
|
|
memcpy(new_xattr->value, value, size);
|
|
|
|
|
return new_xattr;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* xattr GET operation for in-memory/pseudo filesystems
|
|
|
|
|
*/
|
|
|
|
|
int simple_xattr_get(struct simple_xattrs *xattrs, const char *name,
|
|
|
|
|
void *buffer, size_t size)
|
|
|
|
|
{
|
|
|
|
|
struct simple_xattr *xattr;
|
|
|
|
|
int ret = -ENODATA;
|
|
|
|
|
|
|
|
|
|
spin_lock(&xattrs->lock);
|
|
|
|
|
list_for_each_entry(xattr, &xattrs->head, list) {
|
|
|
|
|
if (strcmp(name, xattr->name))
|
|
|
|
|
continue;
|
|
|
|
|
|
|
|
|
|
ret = xattr->size;
|
|
|
|
|
if (buffer) {
|
|
|
|
|
if (size < xattr->size)
|
|
|
|
|
ret = -ERANGE;
|
|
|
|
|
else
|
|
|
|
|
memcpy(buffer, xattr->value, xattr->size);
|
|
|
|
|
}
|
|
|
|
|
break;
|
|
|
|
|
}
|
|
|
|
|
spin_unlock(&xattrs->lock);
|
|
|
|
|
return ret;
|
|
|
|
|
}
|
|
|
|
|
|
2015-12-02 06:44:38 -07:00
|
|
|
/**
|
|
|
|
|
* simple_xattr_set - xattr SET operation for in-memory/pseudo filesystems
|
|
|
|
|
* @xattrs: target simple_xattr list
|
|
|
|
|
* @name: name of the extended attribute
|
|
|
|
|
* @value: value of the xattr. If %NULL, will remove the attribute.
|
|
|
|
|
* @size: size of the new xattr
|
|
|
|
|
* @flags: %XATTR_{CREATE|REPLACE}
|
|
|
|
|
*
|
|
|
|
|
* %XATTR_CREATE is set, the xattr shouldn't exist already; otherwise fails
|
|
|
|
|
* with -EEXIST. If %XATTR_REPLACE is set, the xattr should exist;
|
|
|
|
|
* otherwise, fails with -ENODATA.
|
|
|
|
|
*
|
|
|
|
|
* Returns 0 on success, -errno on failure.
|
|
|
|
|
*/
|
|
|
|
|
int simple_xattr_set(struct simple_xattrs *xattrs, const char *name,
|
|
|
|
|
const void *value, size_t size, int flags)
|
2012-08-23 14:53:28 -06:00
|
|
|
{
|
|
|
|
|
struct simple_xattr *xattr;
|
2012-10-17 21:41:15 -06:00
|
|
|
struct simple_xattr *new_xattr = NULL;
|
2012-08-23 14:53:28 -06:00
|
|
|
int err = 0;
|
|
|
|
|
|
|
|
|
|
/* value == NULL means remove */
|
|
|
|
|
if (value) {
|
|
|
|
|
new_xattr = simple_xattr_alloc(value, size);
|
|
|
|
|
if (!new_xattr)
|
|
|
|
|
return -ENOMEM;
|
|
|
|
|
|
|
|
|
|
new_xattr->name = kstrdup(name, GFP_KERNEL);
|
|
|
|
|
if (!new_xattr->name) {
|
|
|
|
|
kfree(new_xattr);
|
|
|
|
|
return -ENOMEM;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
spin_lock(&xattrs->lock);
|
|
|
|
|
list_for_each_entry(xattr, &xattrs->head, list) {
|
|
|
|
|
if (!strcmp(name, xattr->name)) {
|
|
|
|
|
if (flags & XATTR_CREATE) {
|
|
|
|
|
xattr = new_xattr;
|
|
|
|
|
err = -EEXIST;
|
|
|
|
|
} else if (new_xattr) {
|
|
|
|
|
list_replace(&xattr->list, &new_xattr->list);
|
|
|
|
|
} else {
|
|
|
|
|
list_del(&xattr->list);
|
|
|
|
|
}
|
|
|
|
|
goto out;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
if (flags & XATTR_REPLACE) {
|
|
|
|
|
xattr = new_xattr;
|
|
|
|
|
err = -ENODATA;
|
|
|
|
|
} else {
|
|
|
|
|
list_add(&new_xattr->list, &xattrs->head);
|
|
|
|
|
xattr = NULL;
|
|
|
|
|
}
|
|
|
|
|
out:
|
|
|
|
|
spin_unlock(&xattrs->lock);
|
|
|
|
|
if (xattr) {
|
|
|
|
|
kfree(xattr->name);
|
|
|
|
|
kfree(xattr);
|
|
|
|
|
}
|
|
|
|
|
return err;
|
|
|
|
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static bool xattr_is_trusted(const char *name)
|
|
|
|
|
{
|
|
|
|
|
return !strncmp(name, XATTR_TRUSTED_PREFIX, XATTR_TRUSTED_PREFIX_LEN);
|
|
|
|
|
}
|
|
|
|
|
|
2015-12-02 06:44:39 -07:00
|
|
|
static int xattr_list_one(char **buffer, ssize_t *remaining_size,
|
|
|
|
|
const char *name)
|
|
|
|
|
{
|
|
|
|
|
size_t len = strlen(name) + 1;
|
|
|
|
|
if (*buffer) {
|
|
|
|
|
if (*remaining_size < len)
|
|
|
|
|
return -ERANGE;
|
|
|
|
|
memcpy(*buffer, name, len);
|
|
|
|
|
*buffer += len;
|
|
|
|
|
}
|
|
|
|
|
*remaining_size -= len;
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
|
2012-08-23 14:53:28 -06:00
|
|
|
/*
|
|
|
|
|
* xattr LIST operation for in-memory/pseudo filesystems
|
|
|
|
|
*/
|
2015-12-02 06:44:39 -07:00
|
|
|
ssize_t simple_xattr_list(struct inode *inode, struct simple_xattrs *xattrs,
|
|
|
|
|
char *buffer, size_t size)
|
2012-08-23 14:53:28 -06:00
|
|
|
{
|
|
|
|
|
bool trusted = capable(CAP_SYS_ADMIN);
|
|
|
|
|
struct simple_xattr *xattr;
|
2015-12-02 06:44:39 -07:00
|
|
|
ssize_t remaining_size = size;
|
2016-02-03 18:56:30 -07:00
|
|
|
int err = 0;
|
2015-12-02 06:44:39 -07:00
|
|
|
|
|
|
|
|
#ifdef CONFIG_FS_POSIX_ACL
|
2018-09-17 22:36:36 -06:00
|
|
|
if (IS_POSIXACL(inode)) {
|
|
|
|
|
if (inode->i_acl) {
|
|
|
|
|
err = xattr_list_one(&buffer, &remaining_size,
|
|
|
|
|
XATTR_NAME_POSIX_ACL_ACCESS);
|
|
|
|
|
if (err)
|
|
|
|
|
return err;
|
|
|
|
|
}
|
|
|
|
|
if (inode->i_default_acl) {
|
|
|
|
|
err = xattr_list_one(&buffer, &remaining_size,
|
|
|
|
|
XATTR_NAME_POSIX_ACL_DEFAULT);
|
|
|
|
|
if (err)
|
|
|
|
|
return err;
|
|
|
|
|
}
|
2015-12-02 06:44:39 -07:00
|
|
|
}
|
|
|
|
|
#endif
|
2012-08-23 14:53:28 -06:00
|
|
|
|
|
|
|
|
spin_lock(&xattrs->lock);
|
|
|
|
|
list_for_each_entry(xattr, &xattrs->head, list) {
|
|
|
|
|
/* skip "trusted." attributes for unprivileged callers */
|
|
|
|
|
if (!trusted && xattr_is_trusted(xattr->name))
|
|
|
|
|
continue;
|
|
|
|
|
|
2015-12-02 06:44:39 -07:00
|
|
|
err = xattr_list_one(&buffer, &remaining_size, xattr->name);
|
|
|
|
|
if (err)
|
2016-02-03 18:56:30 -07:00
|
|
|
break;
|
2012-08-23 14:53:28 -06:00
|
|
|
}
|
|
|
|
|
spin_unlock(&xattrs->lock);
|
|
|
|
|
|
2016-02-03 18:56:30 -07:00
|
|
|
return err ? err : size - remaining_size;
|
2012-08-23 14:53:28 -06:00
|
|
|
}
|
|
|
|
|
|
2012-09-11 14:28:11 -06:00
|
|
|
/*
|
|
|
|
|
* Adds an extended attribute to the list
|
|
|
|
|
*/
|
2012-08-23 14:53:28 -06:00
|
|
|
void simple_xattr_list_add(struct simple_xattrs *xattrs,
|
|
|
|
|
struct simple_xattr *new_xattr)
|
|
|
|
|
{
|
|
|
|
|
spin_lock(&xattrs->lock);
|
|
|
|
|
list_add(&new_xattr->list, &xattrs->head);
|
|
|
|
|
spin_unlock(&xattrs->lock);
|
|
|
|
|
}
|