
  1. // SPDX-License-Identifier: GPL-2.0
  2. #include <linux/syscalls.h>
  3. #include <linux/slab.h>
  4. #include <linux/fs.h>
  5. #include <linux/file.h>
  6. #include <linux/mount.h>
  7. #include <linux/namei.h>
  8. #include <linux/exportfs.h>
  9. #include <linux/fs_struct.h>
  10. #include <linux/fsnotify.h>
  11. #include <linux/personality.h>
  12. #include <linux/uaccess.h>
  13. #include <linux/compat.h>
  14. #include <linux/nsfs.h>
  15. #include "internal.h"
  16. #include "mount.h"
/*
 * Encode the object at @path into a user-supplied struct file_handle.
 *
 * @path:         object to encode (already looked up by the caller)
 * @ufh:          user buffer holding a struct file_handle whose handle_bytes
 *                gives the space available for the variable part
 * @mnt_id:       user pointer receiving the mount id; written as a u64 if
 *                @unique_mntid is set, otherwise as an int
 * @unique_mntid: selects which mount id (and which width) goes to @mnt_id
 * @fh_flags:     EXPORT_FH_* flags forwarded to exportfs_encode_fh()
 *
 * Returns 0 on success, -EOPNOTSUPP if the filesystem cannot encode a handle
 * with these flags, -EOVERFLOW if @ufh->handle_bytes is too small (the
 * required size is still written back to @ufh), -EFAULT on a bad user
 * pointer, or whatever negative error the filesystem's encoder reported.
 */
static long do_sys_name_to_handle(const struct path *path,
				  struct file_handle __user *ufh,
				  void __user *mnt_id, bool unique_mntid,
				  int fh_flags)
{
	long retval;
	struct file_handle f_handle;
	int handle_dwords, handle_bytes;
	struct file_handle *handle = NULL;

	/*
	 * We need to make sure whether the file system support decoding of
	 * the file handle if decodeable file handle was requested.
	 */
	if (!exportfs_can_encode_fh(path->dentry->d_sb->s_export_op, fh_flags))
		return -EOPNOTSUPP;

	/*
	 * A request to encode a connectable handle for a disconnected dentry
	 * is unexpected since AT_EMPTY_PATH is not allowed.
	 */
	if (fh_flags & EXPORT_FH_CONNECTABLE &&
	    WARN_ON(path->dentry->d_flags & DCACHE_DISCONNECTED))
		return -EINVAL;

	/* Only the fixed header is read from userspace here. */
	if (copy_from_user(&f_handle, ufh, sizeof(struct file_handle)))
		return -EFAULT;

	/* handle_bytes is user controlled: bound the allocation it sizes. */
	if (f_handle.handle_bytes > MAX_HANDLE_SZ)
		return -EINVAL;

	/*
	 * Zeroed allocation on purpose: the encoder may not write every byte
	 * of the variable part, and the whole buffer is later copied back to
	 * userspace, so an unwritten tail must not carry stale kernel memory.
	 */
	handle = kzalloc_flex(*handle, f_handle, f_handle.handle_bytes);
	if (!handle)
		return -ENOMEM;

	/* convert handle size to multiple of sizeof(u32) */
	handle_dwords = f_handle.handle_bytes >> 2;

	/*
	 * Encode a possibly decodeable/connectable file handle.
	 * @handle_dwords is in/out: on return it holds the size actually
	 * used, or (when the buffer was too small) the size required.
	 */
	retval = exportfs_encode_fh(path->dentry,
				    (struct fid *)handle->f_handle,
				    &handle_dwords, fh_flags);
	handle->handle_type = retval;
	/* convert handle size to bytes */
	handle_bytes = handle_dwords * sizeof(u32);
	handle->handle_bytes = handle_bytes;
	if ((handle->handle_bytes > f_handle.handle_bytes) ||
	    (retval == FILEID_INVALID) || (retval < 0)) {
		/* As per old exportfs_encode_fh documentation
		 * we could return ENOSPC to indicate overflow
		 * But file system returned 255 always. So handle
		 * both the values
		 */
		if (retval == FILEID_INVALID || retval == -ENOSPC)
			retval = -EOVERFLOW;
		/*
		 * set the handle size to zero so we copy only
		 * non variable part of the file_handle.
		 * handle->handle_bytes keeps the required size, which is
		 * what the caller reads back in the -EOVERFLOW case.
		 */
		handle_bytes = 0;
	} else {
		/*
		 * When asked to encode a connectable file handle, encode this
		 * property in the file handle itself, so that we later know
		 * how to decode it.
		 * For sanity, also encode in the file handle if the encoded
		 * object is a directory and verify this during decode, because
		 * decoding directory file handles is quite different than
		 * decoding connectable non-directory file handles.
		 */
		if (fh_flags & EXPORT_FH_CONNECTABLE) {
			handle->handle_type |= FILEID_IS_CONNECTABLE;
			if (d_is_dir(path->dentry))
				handle->handle_type |= FILEID_IS_DIR;
		}
		retval = 0;
	}

	/*
	 * copy the mount id; the width written depends on @unique_mntid,
	 * so the caller's pointer must match the flag it passed
	 */
	if (unique_mntid) {
		if (put_user(real_mount(path->mnt)->mnt_id_unique,
			     (u64 __user *) mnt_id))
			retval = -EFAULT;
	} else {
		if (put_user(real_mount(path->mnt)->mnt_id,
			     (int __user *) mnt_id))
			retval = -EFAULT;
	}

	/*
	 * copy the handle; skipped once an -EFAULT has been recorded, but
	 * still done on -EOVERFLOW so the caller learns the required size
	 */
	if (retval != -EFAULT &&
	    copy_to_user(ufh, handle,
			 struct_size(handle, f_handle, handle_bytes)))
		retval = -EFAULT;
	kfree(handle);
	return retval;
}
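/**
 * sys_name_to_handle_at: convert name to handle
 * @dfd: directory relative to which name is interpreted if not absolute
 * @name: name that should be converted to handle.
 * @handle: resulting file handle
 * @mnt_id: mount id of the file system containing the file
 *          (u64 if AT_HANDLE_MNT_ID_UNIQUE, otherwise int)
 * @flag: AT_SYMLINK_FOLLOW to follow a trailing symlink, AT_EMPTY_PATH to
 *        encode @dfd itself, AT_HANDLE_FID for a handle that need not be
 *        decodable, AT_HANDLE_CONNECTABLE for a handle that decodes to a
 *        connected path, AT_HANDLE_MNT_ID_UNIQUE to select the 64-bit
 *        mount id.
 *
 * @handle->handle_bytes indicates the space available to store the
 * variable part of the file handle in bytes. If there is not
 * enough space, the field is updated to return the minimum
 * value required and -EOVERFLOW is returned.
 *
 * Any flag outside the accepted set, or AT_HANDLE_CONNECTABLE combined
 * with AT_HANDLE_FID or AT_EMPTY_PATH, is rejected with -EINVAL before
 * any lookup takes place.
 */
SYSCALL_DEFINE5(name_to_handle_at, int, dfd, const char __user *, name,
		struct file_handle __user *, handle, void __user *, mnt_id,
		int, flag)
{
	struct path path;
	int lookup_flags;
	int fh_flags = 0;
	int err;

	/* Reject unknown bits up front so future flags cannot be smuggled in. */
	if (flag & ~(AT_SYMLINK_FOLLOW | AT_EMPTY_PATH | AT_HANDLE_FID |
		     AT_HANDLE_MNT_ID_UNIQUE | AT_HANDLE_CONNECTABLE))
		return -EINVAL;

	/*
	 * AT_HANDLE_FID means there is no intention to decode file handle
	 * AT_HANDLE_CONNECTABLE means there is an intention to decode a
	 * connected fd (with known path), so these flags are conflicting.
	 * AT_EMPTY_PATH could be used along with a dfd that refers to a
	 * disconnected non-directory, which cannot be used to encode a
	 * connectable file handle, because its parent is unknown.
	 */
	if ((flag & AT_HANDLE_CONNECTABLE) &&
	    (flag & (AT_HANDLE_FID | AT_EMPTY_PATH)))
		return -EINVAL;
	if (flag & AT_HANDLE_FID)
		fh_flags |= EXPORT_FH_FID;
	else if (flag & AT_HANDLE_CONNECTABLE)
		fh_flags |= EXPORT_FH_CONNECTABLE;

	lookup_flags = (flag & AT_SYMLINK_FOLLOW) ? LOOKUP_FOLLOW : 0;

	CLASS(filename_uflags, filename)(name, flag);
	err = filename_lookup(dfd, filename, lookup_flags, &path, NULL);
	if (err)
		return err;

	err = do_sys_name_to_handle(&path, handle, mnt_id,
				    flag & AT_HANDLE_MNT_ID_UNIQUE, fh_flags);
	path_put(&path);
	return err;
}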
/*
 * Resolve the anchor a file handle is decoded relative to.
 *
 * @fd:   a real file descriptor, or one of the special values AT_FDCWD,
 *        FD_PIDFS_ROOT and FD_NSFS_ROOT
 * @root: receives the anchor path
 *
 * Returns 0 with a reference held on @root (the caller drops it with
 * path_put()), or -EBADF for an empty descriptor or an unknown negative
 * value.
 */
static int get_path_anchor(int fd, struct path *root)
{
	if (fd >= 0) {
		CLASS(fd, f)(fd);

		if (fd_empty(f))
			return -EBADF;
		*root = fd_file(f)->f_path;
		path_get(root);
		return 0;
	}

	/* Negative values are either one of the well-known anchors or junk. */
	switch (fd) {
	case AT_FDCWD:
		get_fs_pwd(current->fs, root);
		return 0;
	case FD_PIDFS_ROOT:
		pidfs_get_root(root);
		return 0;
	case FD_NSFS_ROOT:
		nsfs_get_root(root);
		return 0;
	default:
		return -EBADF;
	}
}
/*
 * exportfs "acceptable" callback consulted while decoding a file handle.
 *
 * @context: the struct handle_to_path_ctx prepared by handle_to_path()
 * @dentry:  candidate dentry produced by the filesystem's decoder
 *
 * Returns 1 if @dentry may be handed back to the caller, 0 otherwise.
 *
 * With no root in the context, or with ctx->flags clear (the legacy model:
 * may_decode_fh() accepted the caller on global CAP_DAC_READ_SEARCH without
 * setting any flags), every dentry is accepted.  Otherwise the decoded
 * inode and every ancestor up to the mount fd root must have a valid id
 * mapping for the caller's user namespace, and with HANDLE_CHECK_SUBTREE
 * the walk must actually end at the mount fd root.
 */
static int vfs_dentry_acceptable(void *context, struct dentry *dentry)
{
	struct handle_to_path_ctx *ctx = context;
	struct user_namespace *user_ns = current_user_ns();
	struct dentry *d, *root = ctx->root.dentry;
	struct mnt_idmap *idmap = mnt_idmap(ctx->root.mnt);
	int retval = 0;

	if (!root)
		return 1;

	/* Old permission model with global CAP_DAC_READ_SEARCH. */
	if (!ctx->flags)
		return 1;

	/*
	 * Verify that the decoded dentry itself has a valid id mapping.
	 * In case the decoded dentry is the mountfd root itself, this
	 * verifies that the mountfd inode itself has a valid id mapping.
	 */
	if (!privileged_wrt_inode_uidgid(user_ns, idmap, d_inode(dentry)))
		return 0;

	/*
	 * It's racy as we're not taking rename_lock but we're able to ignore
	 * permissions and we just need an approximation whether we were able
	 * to follow a path to the file.
	 *
	 * It's also potentially expensive on some filesystems especially if
	 * there is a deep path.
	 */
	d = dget(dentry);
	while (d != root && !IS_ROOT(d)) {
		struct dentry *parent = dget_parent(d);

		/*
		 * We know that we have the ability to override DAC permissions
		 * as we've verified this earlier via CAP_DAC_READ_SEARCH. But
		 * we also need to make sure that there aren't any unmapped
		 * inodes in the path that would prevent us from reaching the
		 * file.
		 */
		if (!privileged_wrt_inode_uidgid(user_ns, idmap,
						 d_inode(parent))) {
			/* retval is still 0 here: the dentry is rejected */
			dput(d);
			dput(parent);
			return retval;
		}
		dput(d);
		d = parent;
	}

	/*
	 * Without HANDLE_CHECK_SUBTREE stopping at any root (the mount fd
	 * root or a parentless dentry) is enough; with it the walk must have
	 * ended at the mount fd root itself.
	 */
	if (!(ctx->flags & HANDLE_CHECK_SUBTREE) || d == root)
		retval = 1;

	/*
	 * exportfs_decode_fh_raw() does not call acceptable() callback with
	 * a disconnected directory dentry, so we should have reached either
	 * mount fd directory or sb root.
	 */
	if (ctx->fh_flags & EXPORT_FH_DIR_ONLY)
		WARN_ON_ONCE(d != root && d != root->d_sb->s_root);

	dput(d);
	return retval;
}
/*
 * Hand an already validated file handle to the filesystem for decoding.
 *
 * @handle: kernel copy of the handle; the user flag bits have been stripped
 *          from handle_type by the caller
 * @path:   on success receives the decoded dentry and a reference on the
 *          anchor mount
 * @ctx:    decode context (anchor path, check flags, EXPORT_FH_* flags)
 *
 * Returns 0, -ENOMEM, or -ESTALE.  Every decode failure other than memory
 * exhaustion is reported as -ESTALE, so the caller learns only that the
 * handle could not be resolved.
 */
static int do_handle_to_path(struct file_handle *handle, struct path *path,
			     struct handle_to_path_ctx *ctx)
{
	struct vfsmount *mnt = ctx->root.mnt;
	struct dentry *dentry;

	/* The filesystem sees the payload as u32 words, hence the >> 2. */
	dentry = exportfs_decode_fh_raw(mnt, (struct fid *)handle->f_handle,
					handle->handle_bytes >> 2,
					handle->handle_type, ctx->fh_flags,
					vfs_dentry_acceptable, ctx);
	if (dentry == ERR_PTR(-ENOMEM))
		return -ENOMEM;
	if (IS_ERR_OR_NULL(dentry))
		return -ESTALE;

	path->dentry = dentry;
	path->mnt = mntget(mnt);
	return 0;
}
/*
 * Decide whether the caller may decode a file handle relative to ctx->root,
 * and record in @ctx how strictly the decoded dentry must be checked.
 *
 * @ctx:     decode context; ctx->root is the anchor (mount fd) path
 * @o_flags: the caller's open flags; only O_DIRECTORY is consulted
 *
 * Returns 0 if decoding may proceed, -EPERM otherwise.
 *
 * A caller with global (capable()) CAP_DAC_READ_SEARCH is accepted
 * unconditionally and ctx->flags stays clear, which makes
 * vfs_dentry_acceptable() accept any dentry.  Everyone else must have
 * opened the anchor with O_DIRECTORY, hold CAP_SYS_ADMIN over either the
 * superblock's user namespace or the mount namespace (the latter only if
 * nothing under the anchor is a locked mount), and hold CAP_DAC_READ_SEARCH
 * in their own user namespace.  Such callers get HANDLE_CHECK_PERMS, plus
 * HANDLE_CHECK_SUBTREE in the mount-namespace case, and are limited to
 * directory handles through EXPORT_FH_DIR_ONLY.
 */
static inline int may_decode_fh(struct handle_to_path_ctx *ctx,
				unsigned int o_flags)
{
	struct path *root = &ctx->root;

	/* Global privilege: no per-dentry checks, ctx->flags left at 0. */
	if (capable(CAP_DAC_READ_SEARCH))
		return 0;

	/*
	 * Allow relaxed permissions of file handles if the caller has
	 * the ability to mount the filesystem or create a bind-mount of
	 * the provided @mountdirfd.
	 *
	 * In both cases the caller may be able to get an unobstructed
	 * way to the encoded file handle. If the caller is only able to
	 * create a bind-mount we need to verify that there are no
	 * locked mounts on top of it that could prevent us from getting
	 * to the encoded file.
	 *
	 * In principle, locked mounts can prevent the caller from
	 * mounting the filesystem but that only applies to procfs and
	 * sysfs neither of which support decoding file handles.
	 *
	 * Restrict to O_DIRECTORY to provide a deterministic API that
	 * avoids a confusing api in the face of disconnected non-dir
	 * dentries.
	 *
	 * There's only one dentry for each directory inode (VFS rule)...
	 */
	if (!(o_flags & O_DIRECTORY))
		return -EPERM;

	if (ns_capable(root->mnt->mnt_sb->s_user_ns, CAP_SYS_ADMIN))
		ctx->flags = HANDLE_CHECK_PERMS;
	else if (is_mounted(root->mnt) &&
		 ns_capable(real_mount(root->mnt)->mnt_ns->user_ns,
			    CAP_SYS_ADMIN) &&
		 !has_locked_children(real_mount(root->mnt), root->dentry))
		/* Bind-mount privilege only: stay inside the anchor subtree. */
		ctx->flags = HANDLE_CHECK_PERMS | HANDLE_CHECK_SUBTREE;
	else
		return -EPERM;

	/* Are we able to override DAC permissions? */
	if (!ns_capable(current_user_ns(), CAP_DAC_READ_SEARCH))
		return -EPERM;

	/* Relaxed callers may only decode directory handles. */
	ctx->fh_flags = EXPORT_FH_DIR_ONLY;
	return 0;
}
/*
 * Copy a file handle in from userspace, validate it, check that the caller
 * may decode it relative to @mountdirfd, and resolve it to @path.
 *
 * @mountdirfd: anchor fd (see get_path_anchor() for the special values)
 * @ufh:        user pointer to the struct file_handle and its payload
 * @path:       on success receives a referenced path to the decoded object
 * @o_flags:    the caller's open flags, forwarded to the permission check
 *
 * Returns 0 on success or a negative errno.  The header is read from
 * userspace once; both the allocation and the payload copy are sized from
 * that kernel copy (f_handle.handle_bytes) rather than re-reading @ufh, so
 * a concurrent modification of the user struct cannot desynchronise them.
 */
static int handle_to_path(int mountdirfd, struct file_handle __user *ufh,
			  struct path *path, unsigned int o_flags)
{
	int retval = 0;
	struct file_handle f_handle;
	/* released automatically on every exit path */
	struct file_handle *handle __free(kfree) = NULL;
	struct handle_to_path_ctx ctx = {};
	const struct export_operations *eops;

	if (copy_from_user(&f_handle, ufh, sizeof(struct file_handle)))
		return -EFAULT;

	/* Bound the user-controlled size; an empty payload cannot be decoded. */
	if ((f_handle.handle_bytes > MAX_HANDLE_SZ) ||
	    (f_handle.handle_bytes == 0))
		return -EINVAL;

	/*
	 * handle_type is user controlled too: reject negative values and
	 * any user-flag bits we do not know how to interpret.
	 */
	if (f_handle.handle_type < 0 ||
	    FILEID_USER_FLAGS(f_handle.handle_type) & ~FILEID_VALID_USER_FLAGS)
		return -EINVAL;

	retval = get_path_anchor(mountdirfd, &ctx.root);
	if (retval)
		return retval;

	/*
	 * Permission is decided before the variable part is even copied in.
	 * A filesystem may supply its own policy via ->permission; otherwise
	 * the generic capability-based policy in may_decode_fh() applies.
	 */
	eops = ctx.root.mnt->mnt_sb->s_export_op;
	if (eops && eops->permission)
		retval = eops->permission(&ctx, o_flags);
	else
		retval = may_decode_fh(&ctx, o_flags);
	if (retval)
		goto out_path;

	/*
	 * No zeroing needed: every byte of the payload is overwritten by the
	 * copy_from_user() below, sized by the same f_handle.handle_bytes.
	 */
	handle = kmalloc_flex(*handle, f_handle, f_handle.handle_bytes);
	if (!handle) {
		retval = -ENOMEM;
		goto out_path;
	}

	/* copy the full handle */
	*handle = f_handle;
	if (copy_from_user(&handle->f_handle,
			   &ufh->f_handle,
			   f_handle.handle_bytes)) {
		retval = -EFAULT;
		goto out_path;
	}

	/*
	 * If handle was encoded with AT_HANDLE_CONNECTABLE, verify that we
	 * are decoding an fd with connected path, which is accessible from
	 * the mount fd path.
	 */
	if (f_handle.handle_type & FILEID_IS_CONNECTABLE) {
		ctx.fh_flags |= EXPORT_FH_CONNECTABLE;
		ctx.flags |= HANDLE_CHECK_SUBTREE;
	}
	/* Encoded as a directory: decode must yield a directory as well. */
	if (f_handle.handle_type & FILEID_IS_DIR)
		ctx.fh_flags |= EXPORT_FH_DIR_ONLY;

	/* Filesystem code should not be exposed to user flags */
	handle->handle_type &= ~FILEID_USER_FLAGS_MASK;

	retval = do_handle_to_path(handle, path, &ctx);

out_path:
	path_put(&ctx.root);
	return retval;
}
/*
 * Open a path obtained from a decoded file handle.
 *
 * @path:      decoded path (mount plus dentry)
 * @open_flag: open(2) style flags
 *
 * A filesystem that provides ->open in its export operations gets to open
 * the object itself; otherwise the path is opened directly with
 * file_open_root().  NOTE(review): unlike handle_to_path() there is no NULL
 * check on the export operations here; presumably decoding the handle
 * already required them to exist -- confirm against exportfs.
 */
static struct file *file_open_handle(struct path *path, int open_flag)
{
	const struct export_operations *eops = path->mnt->mnt_sb->s_export_op;

	return eops->open ? eops->open(path, open_flag)
			  : file_open_root(path, "", open_flag, 0);
}
/*
 * Decode @ufh relative to @mountdirfd and install the opened file as a new
 * descriptor.
 *
 * @mountdirfd: anchor fd, see get_path_anchor()
 * @ufh:        user pointer to the file handle
 * @open_flag:  open(2) style flags, also consulted by the permission check
 *
 * Returns the new fd or a negative errno.  The decoded path is dropped
 * automatically when this function returns.
 */
static long do_handle_open(int mountdirfd, struct file_handle __user *ufh,
			   int open_flag)
{
	struct path path __free(path_put) = {};
	long retval = handle_to_path(mountdirfd, ufh, &path, open_flag);

	if (retval)
		return retval;

	return FD_ADD(open_flag, file_open_handle(&path, open_flag));
}
/**
 * sys_open_by_handle_at: Open the file handle
 * @mountdirfd: directory file descriptor
 * @handle: file handle to be opened
 * @flags: open flags.
 *
 * @mountdirfd indicate the directory file descriptor
 * of the mount point. file handle is decoded relative
 * to the vfsmount pointed by the @mountdirfd; the special
 * values AT_FDCWD, FD_PIDFS_ROOT and FD_NSFS_ROOT are also
 * accepted as anchors. @flags value is same as the open(2)
 * flags; callers without global CAP_DAC_READ_SEARCH must
 * include O_DIRECTORY or the decode is refused with -EPERM.
 */
SYSCALL_DEFINE3(open_by_handle_at, int, mountdirfd,
		struct file_handle __user *, handle,
		int, flags)
{
	/* Native ABI: large-file capable open, unlike the compat entry point. */
	if (force_o_largefile())
		flags |= O_LARGEFILE;

	return do_handle_open(mountdirfd, handle, flags);
}
  400. #ifdef CONFIG_COMPAT
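/*
 * Exactly like sys_open_by_handle_at() above in this file, except that it
 * doesn't set the O_LARGEFILE flag.  All argument validation and permission
 * checking happens in do_handle_open(), so both entry points share it.
 */
COMPAT_SYSCALL_DEFINE3(open_by_handle_at, int, mountdirfd,
		       struct file_handle __user *, handle, int, flags)
{
	return do_handle_open(mountdirfd, handle, flags);
}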
  410. #endif