[linux.git] / fs / fuse / acl.c

/*
 * FUSE: Filesystem in Userspace
 * Copyright (C) 2016 Canonical Ltd. <[email protected]>
 *
 * This program can be distributed under the terms of the GNU GPL.
 * See the file COPYING.
 */

#include "fuse_i.h"

#include <linux/posix_acl.h>
#include <linux/posix_acl_xattr.h>

static struct posix_acl *__fuse_get_acl(struct fuse_conn *fc,
					struct mnt_idmap *idmap,
					struct inode *inode, int type, bool rcu)
{
	int size;
	const char *name;
	void *value = NULL;
	struct posix_acl *acl;

	if (rcu)
		return ERR_PTR(-ECHILD);

	if (fuse_is_bad(inode))
		return ERR_PTR(-EIO);

	if (fc->no_getxattr)
		return NULL;

	if (type == ACL_TYPE_ACCESS)
		name = XATTR_NAME_POSIX_ACL_ACCESS;
	else if (type == ACL_TYPE_DEFAULT)
		name = XATTR_NAME_POSIX_ACL_DEFAULT;
	else
		return ERR_PTR(-EOPNOTSUPP);

	value = kmalloc(PAGE_SIZE, GFP_KERNEL);
	if (!value)
		return ERR_PTR(-ENOMEM);
	size = fuse_getxattr(inode, name, value, PAGE_SIZE);
	if (size > 0)
		acl = posix_acl_from_xattr(fc->user_ns, value, size);
	else if ((size == 0) || (size == -ENODATA) ||
		 (size == -EOPNOTSUPP && fc->no_getxattr))
		acl = NULL;
	else if (size == -ERANGE)
		acl = ERR_PTR(-E2BIG);
	else
		acl = ERR_PTR(size);

	kfree(value);
	return acl;
}

static inline bool fuse_no_acl(const struct fuse_conn *fc,
			       const struct inode *inode)
{
	/*
	 * Refuse interacting with POSIX ACLs for daemons that
	 * don't support FUSE_POSIX_ACL and are not mounted on
	 * the host to retain backwards compatibility.
	 */
	return !fc->posix_acl && (i_user_ns(inode) != &init_user_ns);
}

struct posix_acl *fuse_get_acl(struct mnt_idmap *idmap,
			       struct dentry *dentry, int type)
{
	struct inode *inode = d_inode(dentry);
	struct fuse_conn *fc = get_fuse_conn(inode);

	if (fuse_no_acl(fc, inode))
		return ERR_PTR(-EOPNOTSUPP);

	return __fuse_get_acl(fc, idmap, inode, type, false);
}

struct posix_acl *fuse_get_inode_acl(struct inode *inode, int type, bool rcu)
{
	struct fuse_conn *fc = get_fuse_conn(inode);

	/*
	 * FUSE daemons before FUSE_POSIX_ACL was introduced could get and set
	 * POSIX ACLs without them being used for permission checking by the
	 * vfs. Retain that behavior for backwards compatibility as there are
	 * filesystems that do all permission checking for acls in the daemon
	 * and not in the kernel.
	 */
	if (!fc->posix_acl)
		return NULL;

	return __fuse_get_acl(fc, &nop_mnt_idmap, inode, type, rcu);
}

int fuse_set_acl(struct mnt_idmap *idmap, struct dentry *dentry,
		 struct posix_acl *acl, int type)
{
	struct inode *inode = d_inode(dentry);
	struct fuse_conn *fc = get_fuse_conn(inode);
	const char *name;
	int ret;

	if (fuse_is_bad(inode))
		return -EIO;

	if (fc->no_setxattr || fuse_no_acl(fc, inode))
		return -EOPNOTSUPP;

	if (type == ACL_TYPE_ACCESS)
		name = XATTR_NAME_POSIX_ACL_ACCESS;
	else if (type == ACL_TYPE_DEFAULT)
		name = XATTR_NAME_POSIX_ACL_DEFAULT;
	else
		return -EINVAL;

	if (acl) {
		unsigned int extra_flags = 0;
		/*
		 * Fuse userspace is responsible for updating access
		 * permissions in the inode, if needed. fuse_setxattr
		 * invalidates the inode attributes, which will force
		 * them to be refreshed the next time they are used,
		 * and it also updates i_ctime.
		 */
		size_t size = posix_acl_xattr_size(acl->a_count);
		void *value;

		if (size > PAGE_SIZE)
			return -E2BIG;

		value = kmalloc(size, GFP_KERNEL);
		if (!value)
			return -ENOMEM;

		ret = posix_acl_to_xattr(fc->user_ns, acl, value, size);
		if (ret < 0) {
			kfree(value);
			return ret;
		}

		/*
		 * Fuse daemons without FUSE_POSIX_ACL never changed the passed
		 * through POSIX ACLs. Such daemons don't expect setgid bits to
		 * be stripped.
		 */
		if (fc->posix_acl &&
		    !vfsgid_in_group_p(i_gid_into_vfsgid(&nop_mnt_idmap, inode)) &&
		    !capable_wrt_inode_uidgid(&nop_mnt_idmap, inode, CAP_FSETID))
			extra_flags |= FUSE_SETXATTR_ACL_KILL_SGID;

		ret = fuse_setxattr(inode, name, value, size, 0, extra_flags);
		kfree(value);
	} else {
		ret = fuse_removexattr(inode, name);
	}

	if (fc->posix_acl) {
		/*
		 * Fuse daemons without FUSE_POSIX_ACL never cached POSIX ACLs
		 * and didn't invalidate attributes. Retain that behavior.
		 */
		forget_all_cached_acls(inode);
		fuse_invalidate_attr(inode);
	}

	return ret;
}
Commit	Line	Data
60bcc88a SF	1	/*
	2	* FUSE: Filesystem in Userspace
	3	* Copyright (C) 2016 Canonical Ltd. <[email protected]>
	4	*
	5	* This program can be distributed under the terms of the GNU GPL.
	6	* See the file COPYING.
	7	*/
	8
	9	#include "fuse_i.h"
	10
	11	#include <linux/posix_acl.h>
	12	#include <linux/posix_acl_xattr.h>
	13
facd6105	14	static struct posix_acl __fuse_get_acl(struct fuse_conn fc,
05e6295f	15	struct mnt_idmap *idmap,
facd6105	16	struct inode *inode, int type, bool rcu)
60bcc88a	17	{
60bcc88a SF	18	int size;
	19	const char *name;
	20	void *value = NULL;
	21	struct posix_acl *acl;
	22
0cad6246 MS	23	if (rcu)
	24	return ERR_PTR(-ECHILD);
	25
5d069dbe MS	26	if (fuse_is_bad(inode))
	27	return ERR_PTR(-EIO);
	28
facd6105	29	if (fc->no_getxattr)
60bcc88a SF	30	return NULL;
	31
	32	if (type == ACL_TYPE_ACCESS)
	33	name = XATTR_NAME_POSIX_ACL_ACCESS;
	34	else if (type == ACL_TYPE_DEFAULT)
	35	name = XATTR_NAME_POSIX_ACL_DEFAULT;
	36	else
	37	return ERR_PTR(-EOPNOTSUPP);
	38
	39	value = kmalloc(PAGE_SIZE, GFP_KERNEL);
	40	if (!value)
	41	return ERR_PTR(-ENOMEM);
	42	size = fuse_getxattr(inode, name, value, PAGE_SIZE);
	43	if (size > 0)
8cb08329	44	acl = posix_acl_from_xattr(fc->user_ns, value, size);
60bcc88a SF	45	else if ((size == 0) \|\| (size == -ENODATA) \|\|
	46	(size == -EOPNOTSUPP && fc->no_getxattr))
	47	acl = NULL;
	48	else if (size == -ERANGE)
	49	acl = ERR_PTR(-E2BIG);
	50	else
	51	acl = ERR_PTR(size);
	52
	53	kfree(value);
	54	return acl;
	55	}
	56
facd6105 CB	57	static inline bool fuse_no_acl(const struct fuse_conn *fc,
	58	const struct inode *inode)
	59	{
	60	/*
	61	* Refuse interacting with POSIX ACLs for daemons that
	62	* don't support FUSE_POSIX_ACL and are not mounted on
	63	* the host to retain backwards compatibility.
	64	*/
	65	return !fc->posix_acl && (i_user_ns(inode) != &init_user_ns);
	66	}
	67
05e6295f	68	struct posix_acl fuse_get_acl(struct mnt_idmap idmap,
facd6105 CB	69	struct dentry *dentry, int type)
	70	{
	71	struct inode *inode = d_inode(dentry);
	72	struct fuse_conn *fc = get_fuse_conn(inode);
	73
	74	if (fuse_no_acl(fc, inode))
	75	return ERR_PTR(-EOPNOTSUPP);
	76
05e6295f	77	return __fuse_get_acl(fc, idmap, inode, type, false);
facd6105 CB	78	}
	79
	80	struct posix_acl fuse_get_inode_acl(struct inode inode, int type, bool rcu)
	81	{
	82	struct fuse_conn *fc = get_fuse_conn(inode);
	83
	84	/*
	85	* FUSE daemons before FUSE_POSIX_ACL was introduced could get and set
	86	* POSIX ACLs without them being used for permission checking by the
	87	* vfs. Retain that behavior for backwards compatibility as there are
	88	* filesystems that do all permission checking for acls in the daemon
	89	* and not in the kernel.
	90	*/
	91	if (!fc->posix_acl)
	92	return NULL;
	93
05e6295f	94	return __fuse_get_acl(fc, &nop_mnt_idmap, inode, type, rcu);
facd6105 CB	95	}
facd6105 CB	96
13e83a49	97	int fuse_set_acl(struct mnt_idmap idmap, struct dentry dentry,
549c7297	98	struct posix_acl *acl, int type)
60bcc88a	99	{
138060ba	100	struct inode *inode = d_inode(dentry);
60bcc88a SF	101	struct fuse_conn *fc = get_fuse_conn(inode);
	102	const char *name;
	103	int ret;
	104
5d069dbe MS	105	if (fuse_is_bad(inode))
	106	return -EIO;
	107
facd6105	108	if (fc->no_setxattr \|\| fuse_no_acl(fc, inode))
60bcc88a SF	109	return -EOPNOTSUPP;
	110
	111	if (type == ACL_TYPE_ACCESS)
	112	name = XATTR_NAME_POSIX_ACL_ACCESS;
	113	else if (type == ACL_TYPE_DEFAULT)
	114	name = XATTR_NAME_POSIX_ACL_DEFAULT;
	115	else
	116	return -EINVAL;
	117
	118	if (acl) {
550a7d3b	119	unsigned int extra_flags = 0;
60bcc88a SF	120	/*
	121	* Fuse userspace is responsible for updating access
	122	* permissions in the inode, if needed. fuse_setxattr
	123	* invalidates the inode attributes, which will force
	124	* them to be refreshed the next time they are used,
	125	* and it also updates i_ctime.
	126	*/
	127	size_t size = posix_acl_xattr_size(acl->a_count);
	128	void *value;
	129
	130	if (size > PAGE_SIZE)
	131	return -E2BIG;
	132
	133	value = kmalloc(size, GFP_KERNEL);
	134	if (!value)
	135	return -ENOMEM;
	136
8cb08329	137	ret = posix_acl_to_xattr(fc->user_ns, acl, value, size);
60bcc88a SF	138	if (ret < 0) {
	139	kfree(value);
	140	return ret;
	141	}
	142
facd6105 CB	143	/*
	144	* Fuse daemons without FUSE_POSIX_ACL never changed the passed
	145	* through POSIX ACLs. Such daemons don't expect setgid bits to
	146	* be stripped.
	147	*/
	148	if (fc->posix_acl &&
05e6295f	149	!vfsgid_in_group_p(i_gid_into_vfsgid(&nop_mnt_idmap, inode)) &&
9452e93e	150	!capable_wrt_inode_uidgid(&nop_mnt_idmap, inode, CAP_FSETID))
550a7d3b VG	151	extra_flags \|= FUSE_SETXATTR_ACL_KILL_SGID;
	152
	153	ret = fuse_setxattr(inode, name, value, size, 0, extra_flags);
60bcc88a SF	154	kfree(value);
	155	} else {
	156	ret = fuse_removexattr(inode, name);
	157	}
facd6105 CB	158
	159	if (fc->posix_acl) {
	160	/*
	161	* Fuse daemons without FUSE_POSIX_ACL never cached POSIX ACLs
	162	* and didn't invalidate attributes. Retain that behavior.
	163	*/
	164	forget_all_cached_acls(inode);
	165	fuse_invalidate_attr(inode);
	166	}
60bcc88a SF	167
	168	return ret;
	169	}