
  1. // SPDX-License-Identifier: GPL-2.0-or-later
  2. /* AFS security handling
  3. *
  4. * Copyright (C) 2007, 2017 Red Hat, Inc. All Rights Reserved.
  5. * Written by David Howells (dhowells@redhat.com)
  6. */
  7. #include <linux/init.h>
  8. #include <linux/slab.h>
  9. #include <linux/fs.h>
  10. #include <linux/ctype.h>
  11. #include <linux/sched.h>
  12. #include <linux/hashtable.h>
  13. #include <keys/rxrpc-type.h>
  14. #include "internal.h"
/* Global cache of permit lists, keyed by the value computed in
 * afs_hash_permits(); a list with identical contents is shared between
 * vnodes rather than duplicated.  Insertions and removals are done under
 * afs_permits_lock; lookups from vnodes go through RCU.
 */
static DEFINE_HASHTABLE(afs_permits_cache, 10);
static DEFINE_SPINLOCK(afs_permits_lock);
/* Serialises the check-and-allocate of a cell's anonymous placeholder key. */
static DEFINE_MUTEX(afs_key_lock);
/*
 * Allocate a key to use as a placeholder for anonymous user security.
 *
 * There is exactly one placeholder per cell: afs_key_lock covers both the
 * check and the allocation so two racing callers can't each create one.
 * Returns 0 on success (including when the key already existed) or the
 * error from rxrpc_get_null_key().
 */
static int afs_alloc_anon_key(struct afs_cell *cell)
{
	struct key *anon;
	int ret = 0;

	mutex_lock(&afs_key_lock);
	anon = cell->anonymous_key;
	if (!anon) {
		anon = rxrpc_get_null_key(cell->key_desc);
		if (IS_ERR(anon))
			ret = PTR_ERR(anon);
		else
			cell->anonymous_key = anon;
	}
	mutex_unlock(&afs_key_lock);

	if (ret)
		return ret;

	_debug("anon key %p{%x}",
	       cell->anonymous_key, key_serial(cell->anonymous_key));
	return 0;
}
/*
 * Get the key the calling user holds for @cell, taking a reference on it.
 *
 * -ENOKEY from the key lookup is not treated as an error: a user with no
 * token for this cell proceeds as the anonymous user, holding only the rights
 * the ACL grants to "anonymous" (see afs_check_permit()).  Any other lookup
 * failure is returned to the caller as an ERR_PTR.
 */
struct key *afs_request_key(struct afs_cell *cell)
{
	struct key *key;
	int ret;

	_enter("{%s}", cell->key_desc);

	_debug("key %s", cell->key_desc);
	key = request_key_net(&key_type_rxrpc, cell->key_desc,
			      cell->net->net, NULL);
	if (!IS_ERR(key)) {
		/* act as authorised user */
		_leave(" = {%x} [auth]", key_serial(key));
		return key;
	}

	if (PTR_ERR(key) != -ENOKEY) {
		_leave(" = %ld", PTR_ERR(key));
		return key;
	}

	/* No token for this cell: act as anonymous user, allocating the
	 * placeholder key on first use.
	 */
	if (!cell->anonymous_key) {
		ret = afs_alloc_anon_key(cell);
		if (ret < 0)
			return ERR_PTR(ret);
	}

	_leave(" = {%x} [anon]", key_serial(cell->anonymous_key));
	return key_get(cell->anonymous_key);
}
/*
 * Get a key when pathwalk is in rcuwalk mode.
 *
 * Nothing here may sleep, so if the user has no token and the cell's anonymous
 * placeholder key hasn't been allocated yet we return NULL instead of
 * allocating it; the caller then reports -ECHILD.  Lookup failures other than
 * -ENOKEY come back as an ERR_PTR.
 */
struct key *afs_request_key_rcu(struct afs_cell *cell)
{
	struct key *key;

	_enter("{%s}", cell->key_desc);

	_debug("key %s", cell->key_desc);
	key = request_key_net_rcu(&key_type_rxrpc, cell->key_desc,
				  cell->net->net);
	if (!IS_ERR(key)) {
		/* act as authorised user */
		_leave(" = {%x} [auth]", key_serial(key));
		return key;
	}

	if (PTR_ERR(key) != -ENOKEY) {
		_leave(" = %ld", PTR_ERR(key));
		return key;
	}

	/* act as anonymous user - but only if the placeholder already exists,
	 * as creating it would have to sleep.
	 */
	if (!cell->anonymous_key)
		return NULL; /* Need to allocate */

	_leave(" = {%x} [anon]", key_serial(cell->anonymous_key));
	return key_get(cell->anonymous_key);
}
/*
 * RCU callback: drop the key references held by a permit list, then free the
 * list itself.  Runs once all RCU readers that might have seen the list via
 * vnode->permit_cache are gone.
 */
static void afs_permits_rcu(struct rcu_head *rcu)
{
	struct afs_permits *permits = container_of(rcu, struct afs_permits, rcu);
	struct afs_permit *p = permits->permits;
	struct afs_permit *end = p + permits->nr_permits;

	while (p < end)
		key_put((p++)->key);

	kfree(permits);
}
/*
 * Drop a reference on a permission cache; NULL is accepted and ignored.
 *
 * On the last reference the list is unhooked from afs_permits_cache so no new
 * sharer can find it, and the free is deferred through call_rcu() so lockless
 * readers still walking it stay safe.
 */
void afs_put_permits(struct afs_permits *permits)
{
	if (!permits)
		return;
	if (!refcount_dec_and_test(&permits->usage))
		return;

	spin_lock(&afs_permits_lock);
	hash_del_rcu(&permits->hash_node);
	spin_unlock(&afs_permits_lock);
	call_rcu(&permits->rcu, afs_permits_rcu);
}
/*
 * Clear a vnode's permit cache on callback break.
 *
 * The list is detached under vnode->lock and the reference is dropped outside
 * it; afs_put_permits() defers any actual free through RCU.
 */
void afs_clear_permits(struct afs_vnode *vnode)
{
	struct afs_permits *old;

	spin_lock(&vnode->lock);
	old = rcu_dereference_protected(vnode->permit_cache,
					lockdep_is_held(&vnode->lock));
	RCU_INIT_POINTER(vnode->permit_cache, NULL);
	spin_unlock(&vnode->lock);

	afs_put_permits(old);
}
/*
 * Hash a list of permits into permits->h.  Plain addition is used so the hash
 * of a list doesn't depend on where an extra entry ends up being inserted.
 * The key pointer is scaled down by the pointer size before mixing.
 */
static void afs_hash_permits(struct afs_permits *permits)
{
	const struct afs_permit *p = permits->permits;
	const struct afs_permit *end = p + permits->nr_permits;
	unsigned long h = permits->nr_permits;

	for (; p < end; p++)
		h += (unsigned long)p->key / sizeof(void *) + p->access;

	permits->h = h;
}
/*
 * Cache the CallerAccess result obtained from doing a fileserver operation
 * that returned a vnode status for a particular key. If a callback break
 * occurs whilst the operation was in progress then we have to ditch the cache
 * as the ACL *may* have changed.
 *
 * @vnode:	the vnode whose permit cache is being updated
 * @key:	the key the operation was performed with
 * @cb_break:	callback-break count sampled before the operation; compared
 *		with the vnode by afs_cb_is_broken() to spot an ACL change that
 *		raced with the fetch
 * @scb:	the status the fileserver returned, supplying caller_access
 *
 * Permit lists are never edited in place: a change builds a fresh list (kept
 * sorted by key pointer) and swaps vnode->permit_cache to it under
 * vnode->lock.  Lists with identical contents are shared between vnodes via
 * afs_permits_cache.
 */
void afs_cache_permit(struct afs_vnode *vnode, struct key *key,
		      unsigned int cb_break, struct afs_status_cb *scb)
{
	struct afs_permits *permits, *xpermits, *replacement, *zap, *new = NULL;
	afs_access_t caller_access = scb->status.caller_access;
	size_t size = 0;
	bool changed = false;
	int i, j;

	_enter("{%llx:%llu},%x,%x",
	       vnode->fid.vid, vnode->fid.vnode, key_serial(key), caller_access);

	rcu_read_lock();

	/* Check for the common case first: We got back the same access as last
	 * time we tried and already have it recorded.
	 */
	permits = rcu_dereference(vnode->permit_cache);
	if (permits) {
		if (!permits->invalidated) {
			/* The list is sorted by key pointer, so stop once we
			 * pass the slot this key would occupy.
			 */
			for (i = 0; i < permits->nr_permits; i++) {
				if (permits->permits[i].key < key)
					continue;
				if (permits->permits[i].key > key)
					break;
				/* Same key, different rights: the cached
				 * entry is stale.
				 */
				if (permits->permits[i].access != caller_access) {
					changed = true;
					break;
				}
				/* Same rights, but a callback break raced the
				 * fetch, so neither value can be trusted.
				 */
				if (afs_cb_is_broken(cb_break, vnode)) {
					changed = true;
					break;
				}
				/* The cache is still good. */
				rcu_read_unlock();
				return;
			}
		}

		changed |= permits->invalidated;
		size = permits->nr_permits;

		/* If this set of permits is now wrong, clear the permits
		 * pointer so that no one tries to use the stale information.
		 * Re-check under vnode->lock that it is still the list we
		 * examined; if not, someone else already dealt with it.
		 */
		if (changed) {
			spin_lock(&vnode->lock);
			if (permits != rcu_access_pointer(vnode->permit_cache))
				goto someone_else_changed_it_unlock;
			RCU_INIT_POINTER(vnode->permit_cache, NULL);
			spin_unlock(&vnode->lock);
			afs_put_permits(permits);
			permits = NULL;
			size = 0;
		}
	}

	/* An ACL change may have raced the fetch; don't record rights that
	 * may already be wrong.
	 */
	if (afs_cb_is_broken(cb_break, vnode))
		goto someone_else_changed_it;

	/* We need a ref on any permits list we want to copy as we'll have to
	 * drop the lock to do memory allocation.  A zero refcount means the
	 * list is already being torn down.
	 */
	if (permits && !refcount_inc_not_zero(&permits->usage))
		goto someone_else_changed_it;

	rcu_read_unlock();

	/* Speculatively create a new list with the revised permission set. We
	 * discard this if we find an extant match already in the hash, but
	 * it's easier to compare with memcmp this way.
	 *
	 * We fill in the key pointers at this time, but we don't get the refs
	 * yet.
	 *
	 * The allocation is zero-filled (kzalloc_flex), which is what keeps
	 * any padding inside struct afs_permit deterministic for the memcmp()
	 * below.
	 */
	size++;
	new = kzalloc_flex(*new, permits, size, GFP_NOFS);
	if (!new)
		goto out_put;

	refcount_set(&new->usage, 1);
	new->nr_permits = size;
	i = j = 0;

	/* Merge the old sorted list with the new key, keeping pointer order.
	 * @key is not in the old list at this point: an identical entry
	 * returned early above and a mismatching one cleared the whole list.
	 */
	if (permits) {
		for (i = 0; i < permits->nr_permits; i++) {
			if (j == i && permits->permits[i].key > key) {
				new->permits[j].key = key;
				new->permits[j].access = caller_access;
				j++;
			}
			new->permits[j].key = permits->permits[i].key;
			new->permits[j].access = permits->permits[i].access;
			j++;
		}
	}

	/* j == i means the key wasn't slotted in above, so it goes last. */
	if (j == i) {
		new->permits[j].key = key;
		new->permits[j].access = caller_access;
	}

	afs_hash_permits(new);

	/* Now see if the permit list we want is actually already available.
	 * A match whose refcount has already hit zero is being freed, so it
	 * can't be reused; we publish our own list in that case.
	 */
	spin_lock(&afs_permits_lock);

	hash_for_each_possible(afs_permits_cache, xpermits, hash_node, new->h) {
		if (xpermits->h != new->h ||
		    xpermits->invalidated ||
		    xpermits->nr_permits != new->nr_permits ||
		    memcmp(xpermits->permits, new->permits,
			   new->nr_permits * sizeof(struct afs_permit)) != 0)
			continue;

		if (refcount_inc_not_zero(&xpermits->usage)) {
			replacement = xpermits;
			goto found;
		}

		break;
	}

	/* Our list is the one being published: take the key refs now. */
	for (i = 0; i < new->nr_permits; i++)
		key_get(new->permits[i].key);
	hash_add_rcu(afs_permits_cache, &new->hash_node, new->h);
	replacement = new;
	new = NULL;

found:
	spin_unlock(&afs_permits_lock);

	kfree(new);

	/* Install the replacement only if nothing changed while we were
	 * unlocked: no callback break, and the vnode still points at the list
	 * we copied from.  Otherwise the replacement is dropped instead.
	 */
	rcu_read_lock();
	spin_lock(&vnode->lock);
	zap = rcu_access_pointer(vnode->permit_cache);
	if (!afs_cb_is_broken(cb_break, vnode) && zap == permits)
		rcu_assign_pointer(vnode->permit_cache, replacement);
	else
		zap = replacement;
	spin_unlock(&vnode->lock);
	rcu_read_unlock();
	afs_put_permits(zap);

out_put:
	afs_put_permits(permits);
	return;

someone_else_changed_it_unlock:
	spin_unlock(&vnode->lock);
someone_else_changed_it:
	/* Someone else changed the cache under us - don't recheck at this
	 * time.
	 */
	rcu_read_unlock();
	return;
}
/*
 * Look up the cached access rights for @key on @vnode without blocking.
 *
 * The anonymous key's rights come straight from the vnode status; any other
 * key is looked up in the RCU-protected permit cache.  Returns true with
 * *_access filled in only when a usable answer exists; an invalidated cache
 * entry or a miss returns false so the caller can fall back to a blocking
 * check.
 */
static bool afs_check_permit_rcu(struct afs_vnode *vnode, struct key *key,
				 afs_access_t *_access)
{
	const struct afs_permits *permits;
	const struct afs_permit *p, *end;

	_enter("{%llx:%llu},%x",
	       vnode->fid.vid, vnode->fid.vnode, key_serial(key));

	if (key == vnode->volume->cell->anonymous_key) {
		*_access = vnode->status.anon_access;
		_leave(" = t [anon %x]", *_access);
		return true;
	}

	permits = rcu_dereference(vnode->permit_cache);
	if (!permits)
		goto miss;

	/* The list is sorted by key pointer; stop at the first entry past it. */
	for (p = permits->permits, end = p + permits->nr_permits; p < end; p++) {
		if (p->key < key)
			continue;
		if (p->key > key)
			break;
		*_access = p->access;
		_leave(" = %u [perm %x]", !permits->invalidated, *_access);
		return !permits->invalidated;
	}

miss:
	_leave(" = f");
	return false;
}
/*
 * Check with the fileserver to see if the directory or parent directory is
 * permitted to be accessed with this authorisation, and if so, what access it
 * is granted.
 *
 * A valid cached permit (or the anonymous key) answers without a server
 * round trip; otherwise the status is fetched and the post-processing caches
 * the result.  On a fetch failure *_access is cleared to 0 and the error is
 * returned, so a caller never sees stale rights alongside an error.
 */
int afs_check_permit(struct afs_vnode *vnode, struct key *key,
		     afs_access_t *_access)
{
	const struct afs_permits *permits;
	const struct afs_permit *p, *end;
	bool valid = false;
	int ret;

	_enter("{%llx:%llu},%x",
	       vnode->fid.vid, vnode->fid.vnode, key_serial(key));

	if (key == vnode->volume->cell->anonymous_key) {
		/* Anonymous rights live in the vnode status itself. */
		_debug("anon");
		*_access = vnode->status.anon_access;
		valid = true;
	} else {
		/* Look for a cached permit; the list is sorted by key pointer
		 * so the walk stops as soon as it passes this key.
		 */
		rcu_read_lock();
		permits = rcu_dereference(vnode->permit_cache);
		if (permits) {
			for (p = permits->permits, end = p + permits->nr_permits;
			     p < end; p++) {
				if (p->key < key)
					continue;
				if (p->key > key)
					break;
				*_access = p->access;
				valid = !permits->invalidated;
				break;
			}
		}
		rcu_read_unlock();
	}

	if (!valid) {
		/* Check the status on the file we're actually interested in
		 * (the post-processing will cache the result).
		 */
		_debug("no valid permit");
		ret = afs_fetch_status(vnode, key, false, _access);
		if (ret < 0) {
			*_access = 0;
			_leave(" = %d", ret);
			return ret;
		}
	}

	_leave(" = 0 [access %x]", *_access);
	return 0;
}
/*
 * Decide whether a VFS access mask is satisfied by the AFS rights @access on
 * @inode.  AFS ACLs are attached to directories only, and a file is controlled
 * by its parent directory's ACL; for a regular file the owner mode bits are
 * additionally required on top of the ACL rights.
 */
static bool afs_access_permitted(const struct inode *inode, int mask,
				 afs_access_t access)
{
	if (S_ISDIR(inode->i_mode)) {
		if ((mask & (MAY_EXEC | MAY_READ | MAY_CHDIR)) &&
		    !(access & AFS_ACE_LOOKUP))
			return false;
		/* DELETE: rmdir, unlink, rename from;
		 * INSERT: create, mkdir, symlink, rename to.
		 */
		if ((mask & MAY_WRITE) &&
		    !(access & (AFS_ACE_DELETE | AFS_ACE_INSERT)))
			return false;
		return true;
	}

	if (!(access & AFS_ACE_LOOKUP))
		return false;
	if ((mask & MAY_EXEC) && !(inode->i_mode & S_IXUSR))
		return false;
	if (mask & (MAY_EXEC | MAY_READ))
		return (access & AFS_ACE_READ) && (inode->i_mode & S_IRUSR);
	if (mask & MAY_WRITE)
		return (access & AFS_ACE_WRITE) && (inode->i_mode & S_IWUSR);
	return true;
}

/*
 * Check the permissions on an AFS file.
 *
 * In MAY_NOT_BLOCK mode nothing may sleep: a key that would have to be
 * allocated, or a missing/invalid cached permit, is reported as -ECHILD.
 * Otherwise the key is obtained (falling back to anonymous), the vnode is
 * validated and the rights are fetched from the cache or the fileserver.
 * Returns 0 if access is granted, -EACCES if the rights deny it, or a
 * negative error from key lookup, validation or the status fetch.
 */
int afs_permission(struct mnt_idmap *idmap, struct inode *inode,
		   int mask)
{
	struct afs_vnode *vnode = AFS_FS_I(inode);
	afs_access_t access;
	struct key *key;
	int ret = 0;

	_enter("{{%llx:%llu},%lx},%x,",
	       vnode->fid.vid, vnode->fid.vnode, vnode->flags, mask);

	if (mask & MAY_NOT_BLOCK) {
		key = afs_request_key_rcu(vnode->volume->cell);
		if (IS_ERR_OR_NULL(key))
			return -ECHILD;

		ret = -ECHILD;
		if (!afs_check_validity(vnode) ||
		    !afs_check_permit_rcu(vnode, key, &access))
			goto out;
	} else {
		key = afs_request_key(vnode->volume->cell);
		if (IS_ERR(key)) {
			_leave(" = %ld [key]", PTR_ERR(key));
			return PTR_ERR(key);
		}

		ret = afs_validate(vnode, key);
		if (ret < 0)
			goto out;

		/* check the permits to see if we've got one yet */
		ret = afs_check_permit(vnode, key, &access);
		if (ret < 0)
			goto out;
	}

	/* interpret the access mask */
	_debug("REQ %x ACC %x on %s",
	       mask, access, S_ISDIR(inode->i_mode) ? "dir" : "file");

	ret = afs_access_permitted(inode, mask, access) ? 0 : -EACCES;

out:
	key_put(key);
	_leave(" = %d", ret);
	return ret;
}
/*
 * Module-exit sanity check: every permit list should have been released by
 * now, so warn (once) about any hash bucket that still holds one.
 */
void __exit afs_clean_up_permit_cache(void)
{
	size_t bucket;

	for (bucket = 0; bucket < HASH_SIZE(afs_permits_cache); bucket++)
		WARN_ON_ONCE(!hlist_empty(&afs_permits_cache[bucket]));
}