[linux.git] / fs / afs / security.c

/* AFS security handling
 *
 * Copyright (C) 2007 Red Hat, Inc. All Rights Reserved.
 * Written by David Howells ([email protected])
 *
 * This program is free software; you can redistribute it and/or
 * modify it under the terms of the GNU General Public License
 * as published by the Free Software Foundation; either version
 * 2 of the License, or (at your option) any later version.
 */

#include <linux/init.h>
#include <linux/slab.h>
#include <linux/fs.h>
#include <linux/ctype.h>
#include <linux/sched.h>
#include <keys/rxrpc-type.h>
#include "internal.h"

/*
 * get a key
 */
struct key *afs_request_key(struct afs_cell *cell)
{
	struct key *key;

	_enter("{%x}", key_serial(cell->anonymous_key));

	_debug("key %s", cell->anonymous_key->description);
	key = request_key(&key_type_rxrpc, cell->anonymous_key->description,
			  NULL);
	if (IS_ERR(key)) {
		if (PTR_ERR(key) != -ENOKEY) {
			_leave(" = %ld", PTR_ERR(key));
			return key;
		}

		/* act as anonymous user */
		_leave(" = {%x} [anon]", key_serial(cell->anonymous_key));
		return key_get(cell->anonymous_key);
	} else {
		/* act as authorised user */
		_leave(" = {%x} [auth]", key_serial(key));
		return key;
	}
}

/*
 * dispose of a permits list
 */
void afs_zap_permits(struct rcu_head *rcu)
{
	struct afs_permits *permits =
		container_of(rcu, struct afs_permits, rcu);
	int loop;

	_enter("{%d}", permits->count);

	for (loop = permits->count - 1; loop >= 0; loop--)
		key_put(permits->permits[loop].key);
	kfree(permits);
}

/*
 * dispose of a permits list in which all the key pointers have been copied
 */
static void afs_dispose_of_permits(struct rcu_head *rcu)
{
	struct afs_permits *permits =
		container_of(rcu, struct afs_permits, rcu);

	_enter("{%d}", permits->count);

	kfree(permits);
}

/*
 * get the authorising vnode - this is the specified inode itself if it's a
 * directory or it's the parent directory if the specified inode is a file or
 * symlink
 * - the caller must release the ref on the inode
 */
static struct afs_vnode *afs_get_auth_inode(struct afs_vnode *vnode,
					    struct key *key)
{
	struct afs_vnode *auth_vnode;
	struct inode *auth_inode;

	_enter("");

	if (S_ISDIR(vnode->vfs_inode.i_mode)) {
		auth_inode = igrab(&vnode->vfs_inode);
		ASSERT(auth_inode != NULL);
	} else {
		auth_inode = afs_iget(vnode->vfs_inode.i_sb, key,
				      &vnode->status.parent, NULL, NULL);
		if (IS_ERR(auth_inode))
			return ERR_CAST(auth_inode);
	}

	auth_vnode = AFS_FS_I(auth_inode);
	_leave(" = {%x}", auth_vnode->fid.vnode);
	return auth_vnode;
}

/*
 * clear the permit cache on a directory vnode
 */
void afs_clear_permits(struct afs_vnode *vnode)
{
	struct afs_permits *permits;

	_enter("{%x:%u}", vnode->fid.vid, vnode->fid.vnode);

	mutex_lock(&vnode->permits_lock);
	permits = vnode->permits;
	rcu_assign_pointer(vnode->permits, NULL);
	mutex_unlock(&vnode->permits_lock);

	if (permits)
		call_rcu(&permits->rcu, afs_zap_permits);
	_leave("");
}

/*
 * add the result obtained for a vnode to its or its parent directory's cache
 * for the key used to access it
 */
void afs_cache_permit(struct afs_vnode *vnode, struct key *key, long acl_order)
{
	struct afs_permits *permits, *xpermits;
	struct afs_permit *permit;
	struct afs_vnode *auth_vnode;
	int count, loop;

	_enter("{%x:%u},%x,%lx",
	       vnode->fid.vid, vnode->fid.vnode, key_serial(key), acl_order);

	auth_vnode = afs_get_auth_inode(vnode, key);
	if (IS_ERR(auth_vnode)) {
		_leave(" [get error %ld]", PTR_ERR(auth_vnode));
		return;
	}

	mutex_lock(&auth_vnode->permits_lock);

	/* guard against a rename being detected whilst we waited for the
	 * lock */
	if (memcmp(&auth_vnode->fid, &vnode->status.parent,
		   sizeof(struct afs_fid)) != 0) {
		_debug("renamed");
		goto out_unlock;
	}

	/* have to be careful as the directory's callback may be broken between
	 * us receiving the status we're trying to cache and us getting the
	 * lock to update the cache for the status */
	if (auth_vnode->acl_order - acl_order > 0) {
		_debug("ACL changed?");
		goto out_unlock;
	}

	/* always update the anonymous mask */
	_debug("anon access %x", vnode->status.anon_access);
	auth_vnode->status.anon_access = vnode->status.anon_access;
	if (key == vnode->volume->cell->anonymous_key)
		goto out_unlock;

	xpermits = auth_vnode->permits;
	count = 0;
	if (xpermits) {
		/* see if the permit is already in the list
		 * - if it is then we just amend the list
		 */
		count = xpermits->count;
		permit = xpermits->permits;
		for (loop = count; loop > 0; loop--) {
			if (permit->key == key) {
				permit->access_mask =
					vnode->status.caller_access;
				goto out_unlock;
			}
			permit++;
		}
	}

	permits = kmalloc(sizeof(*permits) + sizeof(*permit) * (count + 1),
			  GFP_NOFS);
	if (!permits)
		goto out_unlock;

	if (xpermits)
		memcpy(permits->permits, xpermits->permits,
			count * sizeof(struct afs_permit));

	_debug("key %x access %x",
	       key_serial(key), vnode->status.caller_access);
	permits->permits[count].access_mask = vnode->status.caller_access;
	permits->permits[count].key = key_get(key);
	permits->count = count + 1;

	rcu_assign_pointer(auth_vnode->permits, permits);
	if (xpermits)
		call_rcu(&xpermits->rcu, afs_dispose_of_permits);

out_unlock:
	mutex_unlock(&auth_vnode->permits_lock);
	iput(&auth_vnode->vfs_inode);
	_leave("");
}

/*
 * check with the fileserver to see if the directory or parent directory is
 * permitted to be accessed with this authorisation, and if so, what access it
 * is granted
 */
static int afs_check_permit(struct afs_vnode *vnode, struct key *key,
			    afs_access_t *_access)
{
	struct afs_permits *permits;
	struct afs_permit *permit;
	struct afs_vnode *auth_vnode;
	bool valid;
	int loop, ret;

	_enter("{%x:%u},%x",
	       vnode->fid.vid, vnode->fid.vnode, key_serial(key));

	auth_vnode = afs_get_auth_inode(vnode, key);
	if (IS_ERR(auth_vnode)) {
		*_access = 0;
		_leave(" = %ld", PTR_ERR(auth_vnode));
		return PTR_ERR(auth_vnode);
	}

	ASSERT(S_ISDIR(auth_vnode->vfs_inode.i_mode));

	/* check the permits to see if we've got one yet */
	if (key == auth_vnode->volume->cell->anonymous_key) {
		_debug("anon");
		*_access = auth_vnode->status.anon_access;
		valid = true;
	} else {
		valid = false;
		rcu_read_lock();
		permits = rcu_dereference(auth_vnode->permits);
		if (permits) {
			permit = permits->permits;
			for (loop = permits->count; loop > 0; loop--) {
				if (permit->key == key) {
					_debug("found in cache");
					*_access = permit->access_mask;
					valid = true;
					break;
				}
				permit++;
			}
		}
		rcu_read_unlock();
	}

	if (!valid) {
		/* check the status on the file we're actually interested in
		 * (the post-processing will cache the result on auth_vnode) */
		_debug("no valid permit");

		set_bit(AFS_VNODE_CB_BROKEN, &vnode->flags);
		ret = afs_vnode_fetch_status(vnode, auth_vnode, key);
		if (ret < 0) {
			iput(&auth_vnode->vfs_inode);
			*_access = 0;
			_leave(" = %d", ret);
			return ret;
		}
		*_access = vnode->status.caller_access;
	}

	iput(&auth_vnode->vfs_inode);
	_leave(" = 0 [access %x]", *_access);
	return 0;
}

/*
 * check the permissions on an AFS file
 * - AFS ACLs are attached to directories only, and a file is controlled by its
 *   parent directory's ACL
 */
int afs_permission(struct inode *inode, int mask)
{
	struct afs_vnode *vnode = AFS_FS_I(inode);
	afs_access_t uninitialized_var(access);
	struct key *key;
	int ret;

	_enter("{{%x:%u},%lx},%x,",
	       vnode->fid.vid, vnode->fid.vnode, vnode->flags, mask);

	key = afs_request_key(vnode->volume->cell);
	if (IS_ERR(key)) {
		_leave(" = %ld [key]", PTR_ERR(key));
		return PTR_ERR(key);
	}

	/* if the promise has expired, we need to check the server again */
	if (!vnode->cb_promised) {
		_debug("not promised");
		ret = afs_vnode_fetch_status(vnode, NULL, key);
		if (ret < 0)
			goto error;
		_debug("new promise [fl=%lx]", vnode->flags);
	}

	/* check the permits to see if we've got one yet */
	ret = afs_check_permit(vnode, key, &access);
	if (ret < 0)
		goto error;

	/* interpret the access mask */
	_debug("REQ %x ACC %x on %s",
	       mask, access, S_ISDIR(inode->i_mode) ? "dir" : "file");

	if (S_ISDIR(inode->i_mode)) {
		if (mask & MAY_EXEC) {
			if (!(access & AFS_ACE_LOOKUP))
				goto permission_denied;
		} else if (mask & MAY_READ) {
			if (!(access & AFS_ACE_READ))
				goto permission_denied;
		} else if (mask & MAY_WRITE) {
			if (!(access & (AFS_ACE_DELETE | /* rmdir, unlink, rename from */
					AFS_ACE_INSERT | /* create, mkdir, symlink, rename to */
					AFS_ACE_WRITE))) /* chmod */
				goto permission_denied;
		} else {
			BUG();
		}
	} else {
		if (!(access & AFS_ACE_LOOKUP))
			goto permission_denied;
		if (mask & (MAY_EXEC | MAY_READ)) {
			if (!(access & AFS_ACE_READ))
				goto permission_denied;
		} else if (mask & MAY_WRITE) {
			if (!(access & AFS_ACE_WRITE))
				goto permission_denied;
		}
	}

	key_put(key);
	ret = generic_permission(inode, mask, NULL);
	_leave(" = %d", ret);
	return ret;

permission_denied:
	ret = -EACCES;
error:
	key_put(key);
	_leave(" = %d", ret);
	return ret;
}
Commit	Line	Data
00d3b7a4 DH	1	/* AFS security handling
	2	*
	3	* Copyright (C) 2007 Red Hat, Inc. All Rights Reserved.
	4	* Written by David Howells ([email protected])
	5	*
	6	* This program is free software; you can redistribute it and/or
	7	* modify it under the terms of the GNU General Public License
	8	* as published by the Free Software Foundation; either version
	9	* 2 of the License, or (at your option) any later version.
	10	*/
	11
	12	#include <linux/init.h>
	13	#include <linux/slab.h>
	14	#include <linux/fs.h>
	15	#include <linux/ctype.h>
e8edc6e0	16	#include <linux/sched.h>
00d3b7a4 DH	17	#include <keys/rxrpc-type.h>
	18	#include "internal.h"
	19
	20	/*
	21	* get a key
	22	*/
	23	struct key afs_request_key(struct afs_cell cell)
	24	{
	25	struct key *key;
	26
	27	_enter("{%x}", key_serial(cell->anonymous_key));
	28
	29	_debug("key %s", cell->anonymous_key->description);
	30	key = request_key(&key_type_rxrpc, cell->anonymous_key->description,
	31	NULL);
	32	if (IS_ERR(key)) {
	33	if (PTR_ERR(key) != -ENOKEY) {
	34	_leave(" = %ld", PTR_ERR(key));
	35	return key;
	36	}
	37
	38	/* act as anonymous user */
	39	_leave(" = {%x} [anon]", key_serial(cell->anonymous_key));
	40	return key_get(cell->anonymous_key);
	41	} else {
	42	/* act as authorised user */
	43	_leave(" = {%x} [auth]", key_serial(key));
	44	return key;
	45	}
	46	}
	47
	48	/*
	49	* dispose of a permits list
	50	*/
	51	void afs_zap_permits(struct rcu_head *rcu)
	52	{
	53	struct afs_permits *permits =
	54	container_of(rcu, struct afs_permits, rcu);
	55	int loop;
	56
	57	_enter("{%d}", permits->count);
	58
	59	for (loop = permits->count - 1; loop >= 0; loop--)
	60	key_put(permits->permits[loop].key);
	61	kfree(permits);
	62	}
	63
	64	/*
	65	* dispose of a permits list in which all the key pointers have been copied
	66	*/
	67	static void afs_dispose_of_permits(struct rcu_head *rcu)
	68	{
	69	struct afs_permits *permits =
	70	container_of(rcu, struct afs_permits, rcu);
	71
	72	_enter("{%d}", permits->count);
	73
	74	kfree(permits);
	75	}
	76
	77	/*
	78	* get the authorising vnode - this is the specified inode itself if it's a
	79	* directory or it's the parent directory if the specified inode is a file or
	80	* symlink
81	* - the caller must release the ref on the inode
82	*/
83	static struct afs_vnode afs_get_auth_inode(struct afs_vnode vnode,
84	struct key *key)
85	{
86	struct afs_vnode *auth_vnode;
87	struct inode *auth_inode;
88
89	_enter("");
90
91	if (S_ISDIR(vnode->vfs_inode.i_mode)) {
92	auth_inode = igrab(&vnode->vfs_inode);
93	ASSERT(auth_inode != NULL);
94	} else {
95	auth_inode = afs_iget(vnode->vfs_inode.i_sb, key,
260a9803	96	&vnode->status.parent, NULL, NULL);
00d3b7a4	97	if (IS_ERR(auth_inode))
e231c2ee	98	return ERR_CAST(auth_inode);
00d3b7a4 DH	99	}
	100
	101	auth_vnode = AFS_FS_I(auth_inode);
	102	_leave(" = {%x}", auth_vnode->fid.vnode);
	103	return auth_vnode;
	104	}
	105
	106	/*
	107	* clear the permit cache on a directory vnode
	108	*/
	109	void afs_clear_permits(struct afs_vnode *vnode)
	110	{
	111	struct afs_permits *permits;
	112
416351f2	113	_enter("{%x:%u}", vnode->fid.vid, vnode->fid.vnode);
00d3b7a4 DH	114
	115	mutex_lock(&vnode->permits_lock);
	116	permits = vnode->permits;
	117	rcu_assign_pointer(vnode->permits, NULL);
	118	mutex_unlock(&vnode->permits_lock);
	119
	120	if (permits)
	121	call_rcu(&permits->rcu, afs_zap_permits);
	122	_leave("");
	123	}
	124
	125	/*
	126	* add the result obtained for a vnode to its or its parent directory's cache
	127	* for the key used to access it
	128	*/
	129	void afs_cache_permit(struct afs_vnode vnode, struct key key, long acl_order)
	130	{
	131	struct afs_permits permits, xpermits;
	132	struct afs_permit *permit;
	133	struct afs_vnode *auth_vnode;
	134	int count, loop;
	135
416351f2 DH	136	_enter("{%x:%u},%x,%lx",
416351f2 DH	137	vnode->fid.vid, vnode->fid.vnode, key_serial(key), acl_order);
00d3b7a4 DH	138
	139	auth_vnode = afs_get_auth_inode(vnode, key);
	140	if (IS_ERR(auth_vnode)) {
	141	_leave(" [get error %ld]", PTR_ERR(auth_vnode));
	142	return;
	143	}
	144
	145	mutex_lock(&auth_vnode->permits_lock);
	146
	147	/* guard against a rename being detected whilst we waited for the
	148	* lock */
	149	if (memcmp(&auth_vnode->fid, &vnode->status.parent,
	150	sizeof(struct afs_fid)) != 0) {
	151	_debug("renamed");
	152	goto out_unlock;
	153	}
	154
	155	/* have to be careful as the directory's callback may be broken between
	156	* us receiving the status we're trying to cache and us getting the
	157	* lock to update the cache for the status */
	158	if (auth_vnode->acl_order - acl_order > 0) {
	159	_debug("ACL changed?");
	160	goto out_unlock;
	161	}
	162
	163	/* always update the anonymous mask */
	164	_debug("anon access %x", vnode->status.anon_access);
	165	auth_vnode->status.anon_access = vnode->status.anon_access;
	166	if (key == vnode->volume->cell->anonymous_key)
	167	goto out_unlock;
	168
	169	xpermits = auth_vnode->permits;
	170	count = 0;
	171	if (xpermits) {
	172	/* see if the permit is already in the list
	173	* - if it is then we just amend the list
	174	*/
	175	count = xpermits->count;
	176	permit = xpermits->permits;
	177	for (loop = count; loop > 0; loop--) {
	178	if (permit->key == key) {
	179	permit->access_mask =
	180	vnode->status.caller_access;
	181	goto out_unlock;
	182	}
	183	permit++;
	184	}
	185	}
	186
	187	permits = kmalloc(sizeof(permits) + sizeof(permit) * (count + 1),
	188	GFP_NOFS);
	189	if (!permits)
	190	goto out_unlock;
	191
99b437a9 DC	192	if (xpermits)
	193	memcpy(permits->permits, xpermits->permits,
	194	count * sizeof(struct afs_permit));
00d3b7a4 DH	195
	196	_debug("key %x access %x",
	197	key_serial(key), vnode->status.caller_access);
	198	permits->permits[count].access_mask = vnode->status.caller_access;
	199	permits->permits[count].key = key_get(key);
	200	permits->count = count + 1;
	201
	202	rcu_assign_pointer(auth_vnode->permits, permits);
	203	if (xpermits)
	204	call_rcu(&xpermits->rcu, afs_dispose_of_permits);
	205
	206	out_unlock:
	207	mutex_unlock(&auth_vnode->permits_lock);
	208	iput(&auth_vnode->vfs_inode);
	209	_leave("");
	210	}
	211
	212	/*
	213	* check with the fileserver to see if the directory or parent directory is
	214	* permitted to be accessed with this authorisation, and if so, what access it
	215	* is granted
	216	*/
	217	static int afs_check_permit(struct afs_vnode vnode, struct key key,
	218	afs_access_t *_access)
	219	{
	220	struct afs_permits *permits;
	221	struct afs_permit *permit;
	222	struct afs_vnode *auth_vnode;
	223	bool valid;
	224	int loop, ret;
	225
416351f2 DH	226	_enter("{%x:%u},%x",
416351f2 DH	227	vnode->fid.vid, vnode->fid.vnode, key_serial(key));
00d3b7a4 DH	228
	229	auth_vnode = afs_get_auth_inode(vnode, key);
	230	if (IS_ERR(auth_vnode)) {
	231	*_access = 0;
	232	_leave(" = %ld", PTR_ERR(auth_vnode));
	233	return PTR_ERR(auth_vnode);
	234	}
	235
	236	ASSERT(S_ISDIR(auth_vnode->vfs_inode.i_mode));
	237
	238	/* check the permits to see if we've got one yet */
	239	if (key == auth_vnode->volume->cell->anonymous_key) {
	240	_debug("anon");
	241	*_access = auth_vnode->status.anon_access;
	242	valid = true;
	243	} else {
	244	valid = false;
	245	rcu_read_lock();
	246	permits = rcu_dereference(auth_vnode->permits);
	247	if (permits) {
	248	permit = permits->permits;
	249	for (loop = permits->count; loop > 0; loop--) {
	250	if (permit->key == key) {
	251	_debug("found in cache");
	252	*_access = permit->access_mask;
	253	valid = true;
	254	break;
	255	}
	256	permit++;
	257	}
	258	}
	259	rcu_read_unlock();
	260	}
	261
	262	if (!valid) {
	263	/* check the status on the file we're actually interested in
	264	* (the post-processing will cache the result on auth_vnode) */
	265	_debug("no valid permit");
	266
	267	set_bit(AFS_VNODE_CB_BROKEN, &vnode->flags);
	268	ret = afs_vnode_fetch_status(vnode, auth_vnode, key);
	269	if (ret < 0) {
	270	iput(&auth_vnode->vfs_inode);
	271	*_access = 0;
	272	_leave(" = %d", ret);
	273	return ret;
	274	}
416351f2	275	*_access = vnode->status.caller_access;
00d3b7a4 DH	276	}
00d3b7a4 DH	277
00d3b7a4 DH	278	iput(&auth_vnode->vfs_inode);
	279	_leave(" = 0 [access %x]", *_access);
	280	return 0;
	281	}
	282
	283	/*
	284	* check the permissions on an AFS file
	285	* - AFS ACLs are attached to directories only, and a file is controlled by its
	286	* parent directory's ACL
	287	*/
e6305c43	288	int afs_permission(struct inode *inode, int mask)
00d3b7a4 DH	289	{
00d3b7a4 DH	290	struct afs_vnode *vnode = AFS_FS_I(inode);
69759454	291	afs_access_t uninitialized_var(access);
00d3b7a4 DH	292	struct key *key;
	293	int ret;
	294
416351f2	295	_enter("{{%x:%u},%lx},%x,",
260a9803	296	vnode->fid.vid, vnode->fid.vnode, vnode->flags, mask);
00d3b7a4 DH	297
	298	key = afs_request_key(vnode->volume->cell);
	299	if (IS_ERR(key)) {
	300	_leave(" = %ld [key]", PTR_ERR(key));
	301	return PTR_ERR(key);
	302	}
	303
260a9803 DH	304	/* if the promise has expired, we need to check the server again */
	305	if (!vnode->cb_promised) {
	306	_debug("not promised");
	307	ret = afs_vnode_fetch_status(vnode, NULL, key);
	308	if (ret < 0)
	309	goto error;
	310	_debug("new promise [fl=%lx]", vnode->flags);
	311	}
	312
00d3b7a4 DH	313	/* check the permits to see if we've got one yet */
00d3b7a4 DH	314	ret = afs_check_permit(vnode, key, &access);
260a9803 DH	315	if (ret < 0)
260a9803 DH	316	goto error;
00d3b7a4 DH	317
	318	/* interpret the access mask */
	319	_debug("REQ %x ACC %x on %s",
	320	mask, access, S_ISDIR(inode->i_mode) ? "dir" : "file");
	321
	322	if (S_ISDIR(inode->i_mode)) {
	323	if (mask & MAY_EXEC) {
	324	if (!(access & AFS_ACE_LOOKUP))
	325	goto permission_denied;
	326	} else if (mask & MAY_READ) {
	327	if (!(access & AFS_ACE_READ))
	328	goto permission_denied;
	329	} else if (mask & MAY_WRITE) {
	330	if (!(access & (AFS_ACE_DELETE \| /* rmdir, unlink, rename from */
	331	AFS_ACE_INSERT \| /* create, mkdir, symlink, rename to */
	332	AFS_ACE_WRITE))) /* chmod */
	333	goto permission_denied;
	334	} else {
	335	BUG();
	336	}
	337	} else {
	338	if (!(access & AFS_ACE_LOOKUP))
	339	goto permission_denied;
	340	if (mask & (MAY_EXEC \| MAY_READ)) {
	341	if (!(access & AFS_ACE_READ))
	342	goto permission_denied;
	343	} else if (mask & MAY_WRITE) {
	344	if (!(access & AFS_ACE_WRITE))
	345	goto permission_denied;
	346	}
	347	}
	348
	349	key_put(key);
260a9803 DH	350	ret = generic_permission(inode, mask, NULL);
	351	_leave(" = %d", ret);
	352	return ret;
00d3b7a4 DH	353
00d3b7a4 DH	354	permission_denied:
260a9803 DH	355	ret = -EACCES;
260a9803 DH	356	error:
00d3b7a4	357	key_put(key);
260a9803 DH	358	_leave(" = %d", ret);
260a9803 DH	359	return ret;
00d3b7a4	360	}