[linux.git] / fs / afs / security.c

/* AFS security handling
 *
 * Copyright (C) 2007 Red Hat, Inc. All Rights Reserved.
 * Written by David Howells ([email protected])
 *
 * This program is free software; you can redistribute it and/or
 * modify it under the terms of the GNU General Public License
 * as published by the Free Software Foundation; either version
 * 2 of the License, or (at your option) any later version.
 */

#include <linux/init.h>
#include <linux/slab.h>
#include <linux/fs.h>
#include <linux/ctype.h>
#include <linux/sched.h>
#include <keys/rxrpc-type.h>
#include "internal.h"

/*
 * get a key
 */
struct key *afs_request_key(struct afs_cell *cell)
{
	struct key *key;

	_enter("{%x}", key_serial(cell->anonymous_key));

	_debug("key %s", cell->anonymous_key->description);
	key = request_key(&key_type_rxrpc, cell->anonymous_key->description,
			  NULL);
	if (IS_ERR(key)) {
		if (PTR_ERR(key) != -ENOKEY) {
			_leave(" = %ld", PTR_ERR(key));
			return key;
		}

		/* act as anonymous user */
		_leave(" = {%x} [anon]", key_serial(cell->anonymous_key));
		return key_get(cell->anonymous_key);
	} else {
		/* act as authorised user */
		_leave(" = {%x} [auth]", key_serial(key));
		return key;
	}
}

/*
 * dispose of a permits list
 */
void afs_zap_permits(struct rcu_head *rcu)
{
	struct afs_permits *permits =
		container_of(rcu, struct afs_permits, rcu);
	int loop;

	_enter("{%d}", permits->count);

	for (loop = permits->count - 1; loop >= 0; loop--)
		key_put(permits->permits[loop].key);
	kfree(permits);
}

/*
 * dispose of a permits list in which all the key pointers have been copied
 */
static void afs_dispose_of_permits(struct rcu_head *rcu)
{
	struct afs_permits *permits =
		container_of(rcu, struct afs_permits, rcu);

	_enter("{%d}", permits->count);

	kfree(permits);
}

/*
 * get the authorising vnode - this is the specified inode itself if it's a
 * directory or it's the parent directory if the specified inode is a file or
 * symlink
 * - the caller must release the ref on the inode
 */
static struct afs_vnode *afs_get_auth_inode(struct afs_vnode *vnode,
					    struct key *key)
{
	struct afs_vnode *auth_vnode;
	struct inode *auth_inode;

	_enter("");

	if (S_ISDIR(vnode->vfs_inode.i_mode)) {
		auth_inode = igrab(&vnode->vfs_inode);
		ASSERT(auth_inode != NULL);
	} else {
		auth_inode = afs_iget(vnode->vfs_inode.i_sb, key,
				      &vnode->status.parent, NULL, NULL);
		if (IS_ERR(auth_inode))
			return ERR_CAST(auth_inode);
	}

	auth_vnode = AFS_FS_I(auth_inode);
	_leave(" = {%x}", auth_vnode->fid.vnode);
	return auth_vnode;
}

/*
 * clear the permit cache on a directory vnode
 */
void afs_clear_permits(struct afs_vnode *vnode)
{
	struct afs_permits *permits;

	_enter("{%x:%u}", vnode->fid.vid, vnode->fid.vnode);

	mutex_lock(&vnode->permits_lock);
	permits = vnode->permits;
	rcu_assign_pointer(vnode->permits, NULL);
	mutex_unlock(&vnode->permits_lock);

	if (permits)
		call_rcu(&permits->rcu, afs_zap_permits);
	_leave("");
}

/*
 * add the result obtained for a vnode to its or its parent directory's cache
 * for the key used to access it
 */
void afs_cache_permit(struct afs_vnode *vnode, struct key *key, long acl_order)
{
	struct afs_permits *permits, *xpermits;
	struct afs_permit *permit;
	struct afs_vnode *auth_vnode;
	int count, loop;

	_enter("{%x:%u},%x,%lx",
	       vnode->fid.vid, vnode->fid.vnode, key_serial(key), acl_order);

	auth_vnode = afs_get_auth_inode(vnode, key);
	if (IS_ERR(auth_vnode)) {
		_leave(" [get error %ld]", PTR_ERR(auth_vnode));
		return;
	}

	mutex_lock(&auth_vnode->permits_lock);

	/* guard against a rename being detected whilst we waited for the
	 * lock */
	if (memcmp(&auth_vnode->fid, &vnode->status.parent,
		   sizeof(struct afs_fid)) != 0) {
		_debug("renamed");
		goto out_unlock;
	}

	/* have to be careful as the directory's callback may be broken between
	 * us receiving the status we're trying to cache and us getting the
	 * lock to update the cache for the status */
	if (auth_vnode->acl_order - acl_order > 0) {
		_debug("ACL changed?");
		goto out_unlock;
	}

	/* always update the anonymous mask */
	_debug("anon access %x", vnode->status.anon_access);
	auth_vnode->status.anon_access = vnode->status.anon_access;
	if (key == vnode->volume->cell->anonymous_key)
		goto out_unlock;

	xpermits = auth_vnode->permits;
	count = 0;
	if (xpermits) {
		/* see if the permit is already in the list
		 * - if it is then we just amend the list
		 */
		count = xpermits->count;
		permit = xpermits->permits;
		for (loop = count; loop > 0; loop--) {
			if (permit->key == key) {
				permit->access_mask =
					vnode->status.caller_access;
				goto out_unlock;
			}
			permit++;
		}
	}

	permits = kmalloc(sizeof(*permits) + sizeof(*permit) * (count + 1),
			  GFP_NOFS);
	if (!permits)
		goto out_unlock;

	memcpy(permits->permits, xpermits->permits,
	       count * sizeof(struct afs_permit));

	_debug("key %x access %x",
	       key_serial(key), vnode->status.caller_access);
	permits->permits[count].access_mask = vnode->status.caller_access;
	permits->permits[count].key = key_get(key);
	permits->count = count + 1;

	rcu_assign_pointer(auth_vnode->permits, permits);
	if (xpermits)
		call_rcu(&xpermits->rcu, afs_dispose_of_permits);

out_unlock:
	mutex_unlock(&auth_vnode->permits_lock);
	iput(&auth_vnode->vfs_inode);
	_leave("");
}

/*
 * check with the fileserver to see if the directory or parent directory is
 * permitted to be accessed with this authorisation, and if so, what access it
 * is granted
 */
static int afs_check_permit(struct afs_vnode *vnode, struct key *key,
			    afs_access_t *_access)
{
	struct afs_permits *permits;
	struct afs_permit *permit;
	struct afs_vnode *auth_vnode;
	bool valid;
	int loop, ret;

	_enter("{%x:%u},%x",
	       vnode->fid.vid, vnode->fid.vnode, key_serial(key));

	auth_vnode = afs_get_auth_inode(vnode, key);
	if (IS_ERR(auth_vnode)) {
		*_access = 0;
		_leave(" = %ld", PTR_ERR(auth_vnode));
		return PTR_ERR(auth_vnode);
	}

	ASSERT(S_ISDIR(auth_vnode->vfs_inode.i_mode));

	/* check the permits to see if we've got one yet */
	if (key == auth_vnode->volume->cell->anonymous_key) {
		_debug("anon");
		*_access = auth_vnode->status.anon_access;
		valid = true;
	} else {
		valid = false;
		rcu_read_lock();
		permits = rcu_dereference(auth_vnode->permits);
		if (permits) {
			permit = permits->permits;
			for (loop = permits->count; loop > 0; loop--) {
				if (permit->key == key) {
					_debug("found in cache");
					*_access = permit->access_mask;
					valid = true;
					break;
				}
				permit++;
			}
		}
		rcu_read_unlock();
	}

	if (!valid) {
		/* check the status on the file we're actually interested in
		 * (the post-processing will cache the result on auth_vnode) */
		_debug("no valid permit");

		set_bit(AFS_VNODE_CB_BROKEN, &vnode->flags);
		ret = afs_vnode_fetch_status(vnode, auth_vnode, key);
		if (ret < 0) {
			iput(&auth_vnode->vfs_inode);
			*_access = 0;
			_leave(" = %d", ret);
			return ret;
		}
		*_access = vnode->status.caller_access;
	}

	iput(&auth_vnode->vfs_inode);
	_leave(" = 0 [access %x]", *_access);
	return 0;
}

/*
 * check the permissions on an AFS file
 * - AFS ACLs are attached to directories only, and a file is controlled by its
 *   parent directory's ACL
 */
int afs_permission(struct inode *inode, int mask, struct nameidata *nd)
{
	struct afs_vnode *vnode = AFS_FS_I(inode);
	afs_access_t uninitialized_var(access);
	struct key *key;
	int ret;

	_enter("{{%x:%u},%lx},%x,",
	       vnode->fid.vid, vnode->fid.vnode, vnode->flags, mask);

	key = afs_request_key(vnode->volume->cell);
	if (IS_ERR(key)) {
		_leave(" = %ld [key]", PTR_ERR(key));
		return PTR_ERR(key);
	}

	/* if the promise has expired, we need to check the server again */
	if (!vnode->cb_promised) {
		_debug("not promised");
		ret = afs_vnode_fetch_status(vnode, NULL, key);
		if (ret < 0)
			goto error;
		_debug("new promise [fl=%lx]", vnode->flags);
	}

	/* check the permits to see if we've got one yet */
	ret = afs_check_permit(vnode, key, &access);
	if (ret < 0)
		goto error;

	/* interpret the access mask */
	_debug("REQ %x ACC %x on %s",
	       mask, access, S_ISDIR(inode->i_mode) ? "dir" : "file");

	if (S_ISDIR(inode->i_mode)) {
		if (mask & MAY_EXEC) {
			if (!(access & AFS_ACE_LOOKUP))
				goto permission_denied;
		} else if (mask & MAY_READ) {
			if (!(access & AFS_ACE_READ))
				goto permission_denied;
		} else if (mask & MAY_WRITE) {
			if (!(access & (AFS_ACE_DELETE | /* rmdir, unlink, rename from */
					AFS_ACE_INSERT | /* create, mkdir, symlink, rename to */
					AFS_ACE_WRITE))) /* chmod */
				goto permission_denied;
		} else {
			BUG();
		}
	} else {
		if (!(access & AFS_ACE_LOOKUP))
			goto permission_denied;
		if (mask & (MAY_EXEC | MAY_READ)) {
			if (!(access & AFS_ACE_READ))
				goto permission_denied;
		} else if (mask & MAY_WRITE) {
			if (!(access & AFS_ACE_WRITE))
				goto permission_denied;
		}
	}

	key_put(key);
	ret = generic_permission(inode, mask, NULL);
	_leave(" = %d", ret);
	return ret;

permission_denied:
	ret = -EACCES;
error:
	key_put(key);
	_leave(" = %d", ret);
	return ret;
}
Commit	Line	Data
00d3b7a4 DH	1	/* AFS security handling
	2	*
	3	* Copyright (C) 2007 Red Hat, Inc. All Rights Reserved.
	4	* Written by David Howells ([email protected])
	5	*
	6	* This program is free software; you can redistribute it and/or
	7	* modify it under the terms of the GNU General Public License
	8	* as published by the Free Software Foundation; either version
	9	* 2 of the License, or (at your option) any later version.
	10	*/
	11
	12	#include <linux/init.h>
	13	#include <linux/slab.h>
	14	#include <linux/fs.h>
	15	#include <linux/ctype.h>
e8edc6e0	16	#include <linux/sched.h>
00d3b7a4 DH	17	#include <keys/rxrpc-type.h>
	18	#include "internal.h"
	19
	20	/*
	21	* get a key
	22	*/
	23	struct key afs_request_key(struct afs_cell cell)
	24	{
	25	struct key *key;
	26
	27	_enter("{%x}", key_serial(cell->anonymous_key));
	28
	29	_debug("key %s", cell->anonymous_key->description);
	30	key = request_key(&key_type_rxrpc, cell->anonymous_key->description,
	31	NULL);
	32	if (IS_ERR(key)) {
	33	if (PTR_ERR(key) != -ENOKEY) {
	34	_leave(" = %ld", PTR_ERR(key));
	35	return key;
	36	}
	37
	38	/* act as anonymous user */
	39	_leave(" = {%x} [anon]", key_serial(cell->anonymous_key));
	40	return key_get(cell->anonymous_key);
	41	} else {
	42	/* act as authorised user */
	43	_leave(" = {%x} [auth]", key_serial(key));
	44	return key;
	45	}
	46	}
	47
	48	/*
	49	* dispose of a permits list
	50	*/
	51	void afs_zap_permits(struct rcu_head *rcu)
	52	{
	53	struct afs_permits *permits =
	54	container_of(rcu, struct afs_permits, rcu);
	55	int loop;
	56
	57	_enter("{%d}", permits->count);
	58
	59	for (loop = permits->count - 1; loop >= 0; loop--)
	60	key_put(permits->permits[loop].key);
	61	kfree(permits);
	62	}
	63
	64	/*
	65	* dispose of a permits list in which all the key pointers have been copied
	66	*/
	67	static void afs_dispose_of_permits(struct rcu_head *rcu)
	68	{
	69	struct afs_permits *permits =
	70	container_of(rcu, struct afs_permits, rcu);
	71
	72	_enter("{%d}", permits->count);
	73
	74	kfree(permits);
	75	}
	76
	77	/*
	78	* get the authorising vnode - this is the specified inode itself if it's a
	79	* directory or it's the parent directory if the specified inode is a file or
	80	* symlink
81	* - the caller must release the ref on the inode
82	*/
83	static struct afs_vnode afs_get_auth_inode(struct afs_vnode vnode,
84	struct key *key)
85	{
86	struct afs_vnode *auth_vnode;
87	struct inode *auth_inode;
88
89	_enter("");
90
91	if (S_ISDIR(vnode->vfs_inode.i_mode)) {
92	auth_inode = igrab(&vnode->vfs_inode);
93	ASSERT(auth_inode != NULL);
94	} else {
95	auth_inode = afs_iget(vnode->vfs_inode.i_sb, key,
260a9803	96	&vnode->status.parent, NULL, NULL);
00d3b7a4	97	if (IS_ERR(auth_inode))
e231c2ee	98	return ERR_CAST(auth_inode);
00d3b7a4 DH	99	}
	100
	101	auth_vnode = AFS_FS_I(auth_inode);
	102	_leave(" = {%x}", auth_vnode->fid.vnode);
	103	return auth_vnode;
	104	}
	105
	106	/*
	107	* clear the permit cache on a directory vnode
	108	*/
	109	void afs_clear_permits(struct afs_vnode *vnode)
	110	{
	111	struct afs_permits *permits;
	112
416351f2	113	_enter("{%x:%u}", vnode->fid.vid, vnode->fid.vnode);
00d3b7a4 DH	114
	115	mutex_lock(&vnode->permits_lock);
	116	permits = vnode->permits;
	117	rcu_assign_pointer(vnode->permits, NULL);
	118	mutex_unlock(&vnode->permits_lock);
	119
	120	if (permits)
	121	call_rcu(&permits->rcu, afs_zap_permits);
	122	_leave("");
	123	}
	124
	125	/*
	126	* add the result obtained for a vnode to its or its parent directory's cache
	127	* for the key used to access it
	128	*/
	129	void afs_cache_permit(struct afs_vnode vnode, struct key key, long acl_order)
	130	{
	131	struct afs_permits permits, xpermits;
	132	struct afs_permit *permit;
	133	struct afs_vnode *auth_vnode;
	134	int count, loop;
	135
416351f2 DH	136	_enter("{%x:%u},%x,%lx",
416351f2 DH	137	vnode->fid.vid, vnode->fid.vnode, key_serial(key), acl_order);
00d3b7a4 DH	138
	139	auth_vnode = afs_get_auth_inode(vnode, key);
	140	if (IS_ERR(auth_vnode)) {
	141	_leave(" [get error %ld]", PTR_ERR(auth_vnode));
	142	return;
	143	}
	144
	145	mutex_lock(&auth_vnode->permits_lock);
	146
	147	/* guard against a rename being detected whilst we waited for the
	148	* lock */
	149	if (memcmp(&auth_vnode->fid, &vnode->status.parent,
	150	sizeof(struct afs_fid)) != 0) {
	151	_debug("renamed");
	152	goto out_unlock;
	153	}
	154
	155	/* have to be careful as the directory's callback may be broken between
	156	* us receiving the status we're trying to cache and us getting the
	157	* lock to update the cache for the status */
	158	if (auth_vnode->acl_order - acl_order > 0) {
	159	_debug("ACL changed?");
	160	goto out_unlock;
	161	}
	162
	163	/* always update the anonymous mask */
	164	_debug("anon access %x", vnode->status.anon_access);
	165	auth_vnode->status.anon_access = vnode->status.anon_access;
	166	if (key == vnode->volume->cell->anonymous_key)
	167	goto out_unlock;
	168
	169	xpermits = auth_vnode->permits;
	170	count = 0;
	171	if (xpermits) {
	172	/* see if the permit is already in the list
	173	* - if it is then we just amend the list
	174	*/
	175	count = xpermits->count;
	176	permit = xpermits->permits;
	177	for (loop = count; loop > 0; loop--) {
	178	if (permit->key == key) {
	179	permit->access_mask =
	180	vnode->status.caller_access;
	181	goto out_unlock;
	182	}
	183	permit++;
	184	}
	185	}
	186
	187	permits = kmalloc(sizeof(permits) + sizeof(permit) * (count + 1),
	188	GFP_NOFS);
	189	if (!permits)
	190	goto out_unlock;
	191
	192	memcpy(permits->permits, xpermits->permits,
	193	count * sizeof(struct afs_permit));
	194
	195	_debug("key %x access %x",
	196	key_serial(key), vnode->status.caller_access);
	197	permits->permits[count].access_mask = vnode->status.caller_access;
	198	permits->permits[count].key = key_get(key);
	199	permits->count = count + 1;
	200
	201	rcu_assign_pointer(auth_vnode->permits, permits);
202	if (xpermits)
203	call_rcu(&xpermits->rcu, afs_dispose_of_permits);
204
205	out_unlock:
206	mutex_unlock(&auth_vnode->permits_lock);
207	iput(&auth_vnode->vfs_inode);
208	_leave("");
209	}
210
211	/*
212	* check with the fileserver to see if the directory or parent directory is
213	* permitted to be accessed with this authorisation, and if so, what access it
214	* is granted
215	*/
216	static int afs_check_permit(struct afs_vnode vnode, struct key key,
217	afs_access_t *_access)
218	{
219	struct afs_permits *permits;
220	struct afs_permit *permit;
221	struct afs_vnode *auth_vnode;
222	bool valid;
223	int loop, ret;
224
416351f2 DH	225	_enter("{%x:%u},%x",
416351f2 DH	226	vnode->fid.vid, vnode->fid.vnode, key_serial(key));
00d3b7a4 DH	227
	228	auth_vnode = afs_get_auth_inode(vnode, key);
	229	if (IS_ERR(auth_vnode)) {
	230	*_access = 0;
	231	_leave(" = %ld", PTR_ERR(auth_vnode));
	232	return PTR_ERR(auth_vnode);
	233	}
	234
	235	ASSERT(S_ISDIR(auth_vnode->vfs_inode.i_mode));
	236
	237	/* check the permits to see if we've got one yet */
	238	if (key == auth_vnode->volume->cell->anonymous_key) {
	239	_debug("anon");
	240	*_access = auth_vnode->status.anon_access;
	241	valid = true;
	242	} else {
	243	valid = false;
	244	rcu_read_lock();
	245	permits = rcu_dereference(auth_vnode->permits);
	246	if (permits) {
	247	permit = permits->permits;
	248	for (loop = permits->count; loop > 0; loop--) {
	249	if (permit->key == key) {
	250	_debug("found in cache");
	251	*_access = permit->access_mask;
	252	valid = true;
	253	break;
	254	}
	255	permit++;
	256	}
	257	}
	258	rcu_read_unlock();
	259	}
	260
	261	if (!valid) {
	262	/* check the status on the file we're actually interested in
	263	* (the post-processing will cache the result on auth_vnode) */
	264	_debug("no valid permit");
	265
	266	set_bit(AFS_VNODE_CB_BROKEN, &vnode->flags);
	267	ret = afs_vnode_fetch_status(vnode, auth_vnode, key);
	268	if (ret < 0) {
	269	iput(&auth_vnode->vfs_inode);
	270	*_access = 0;
	271	_leave(" = %d", ret);
	272	return ret;
	273	}
416351f2	274	*_access = vnode->status.caller_access;
00d3b7a4 DH	275	}
00d3b7a4 DH	276
00d3b7a4 DH	277	iput(&auth_vnode->vfs_inode);
	278	_leave(" = 0 [access %x]", *_access);
	279	return 0;
	280	}
	281
	282	/*
	283	* check the permissions on an AFS file
	284	* - AFS ACLs are attached to directories only, and a file is controlled by its
	285	* parent directory's ACL
	286	*/
	287	int afs_permission(struct inode inode, int mask, struct nameidata nd)
	288	{
	289	struct afs_vnode *vnode = AFS_FS_I(inode);
69759454	290	afs_access_t uninitialized_var(access);
00d3b7a4 DH	291	struct key *key;
	292	int ret;
	293
416351f2	294	_enter("{{%x:%u},%lx},%x,",
260a9803	295	vnode->fid.vid, vnode->fid.vnode, vnode->flags, mask);
00d3b7a4 DH	296
	297	key = afs_request_key(vnode->volume->cell);
	298	if (IS_ERR(key)) {
	299	_leave(" = %ld [key]", PTR_ERR(key));
	300	return PTR_ERR(key);
	301	}
	302
260a9803 DH	303	/* if the promise has expired, we need to check the server again */
	304	if (!vnode->cb_promised) {
	305	_debug("not promised");
	306	ret = afs_vnode_fetch_status(vnode, NULL, key);
	307	if (ret < 0)
	308	goto error;
	309	_debug("new promise [fl=%lx]", vnode->flags);
	310	}
	311
00d3b7a4 DH	312	/* check the permits to see if we've got one yet */
00d3b7a4 DH	313	ret = afs_check_permit(vnode, key, &access);
260a9803 DH	314	if (ret < 0)
260a9803 DH	315	goto error;
00d3b7a4 DH	316
	317	/* interpret the access mask */
	318	_debug("REQ %x ACC %x on %s",
	319	mask, access, S_ISDIR(inode->i_mode) ? "dir" : "file");
	320
	321	if (S_ISDIR(inode->i_mode)) {
	322	if (mask & MAY_EXEC) {
	323	if (!(access & AFS_ACE_LOOKUP))
	324	goto permission_denied;
	325	} else if (mask & MAY_READ) {
	326	if (!(access & AFS_ACE_READ))
	327	goto permission_denied;
	328	} else if (mask & MAY_WRITE) {
	329	if (!(access & (AFS_ACE_DELETE \| /* rmdir, unlink, rename from */
	330	AFS_ACE_INSERT \| /* create, mkdir, symlink, rename to */
	331	AFS_ACE_WRITE))) /* chmod */
	332	goto permission_denied;
	333	} else {
	334	BUG();
	335	}
	336	} else {
	337	if (!(access & AFS_ACE_LOOKUP))
	338	goto permission_denied;
	339	if (mask & (MAY_EXEC \| MAY_READ)) {
	340	if (!(access & AFS_ACE_READ))
	341	goto permission_denied;
	342	} else if (mask & MAY_WRITE) {
	343	if (!(access & AFS_ACE_WRITE))
	344	goto permission_denied;
	345	}
	346	}
	347
	348	key_put(key);
260a9803 DH	349	ret = generic_permission(inode, mask, NULL);
	350	_leave(" = %d", ret);
	351	return ret;
00d3b7a4 DH	352
00d3b7a4 DH	353	permission_denied:
260a9803 DH	354	ret = -EACCES;
260a9803 DH	355	error:
00d3b7a4	356	key_put(key);
260a9803 DH	357	_leave(" = %d", ret);
260a9803 DH	358	return ret;
00d3b7a4	359	}