1// SPDX-License-Identifier: GPL-2.0
2/*
3 *  linux/fs/attr.c
4 *
5 *  Copyright (C) 1991, 1992  Linus Torvalds
6 *  changes by Thomas Schoebel-Theuer
7 */
8
9#include <linux/export.h>
10#include <linux/time.h>
11#include <linux/mm.h>
12#include <linux/string.h>
13#include <linux/sched/signal.h>
14#include <linux/capability.h>
15#include <linux/fsnotify.h>
16#include <linux/fcntl.h>
17#include <linux/filelock.h>
18#include <linux/security.h>
19
20#include "internal.h"
21
22/**
23 * setattr_should_drop_sgid - determine whether the setgid bit needs to be
24 *                            removed
25 * @idmap:	idmap of the mount @inode was found from
26 * @inode:	inode to check
27 *
28 * This function determines whether the setgid bit needs to be removed.
29 * We retain backwards compatibility and require setgid bit to be removed
30 * unconditionally if S_IXGRP is set. Otherwise we have the exact same
31 * requirements as setattr_prepare() and setattr_copy().
32 *
33 * Return: ATTR_KILL_SGID if setgid bit needs to be removed, 0 otherwise.
34 */
35int setattr_should_drop_sgid(struct mnt_idmap *idmap,
36			     const struct inode *inode)
37{
38	umode_t mode = inode->i_mode;
39
40	if (!(mode & S_ISGID))
41		return 0;
42	if (mode & S_IXGRP)
43		return ATTR_KILL_SGID;
44	if (!in_group_or_capable(idmap, inode, i_gid_into_vfsgid(idmap, inode)))
45		return ATTR_KILL_SGID;
46	return 0;
47}
48EXPORT_SYMBOL(setattr_should_drop_sgid);
49
50/**
51 * setattr_should_drop_suidgid - determine whether the set{g,u}id bit needs to
52 *                               be dropped
53 * @idmap:	idmap of the mount @inode was found from
54 * @inode:	inode to check
55 *
56 * This function determines whether the set{g,u}id bits need to be removed.
57 * If the setuid bit needs to be removed ATTR_KILL_SUID is returned. If the
58 * setgid bit needs to be removed ATTR_KILL_SGID is returned. If both
59 * set{g,u}id bits need to be removed the corresponding mask of both flags is
60 * returned.
61 *
62 * Return: A mask of ATTR_KILL_S{G,U}ID indicating which - if any - setid bits
63 * to remove, 0 otherwise.
64 */
65int setattr_should_drop_suidgid(struct mnt_idmap *idmap,
66				struct inode *inode)
67{
68	umode_t mode = inode->i_mode;
69	int kill = 0;
70
71	/* suid always must be killed */
72	if (unlikely(mode & S_ISUID))
73		kill = ATTR_KILL_SUID;
74
75	kill |= setattr_should_drop_sgid(idmap, inode);
76
77	if (unlikely(kill && !capable(CAP_FSETID) && S_ISREG(mode)))
78		return kill;
79
80	return 0;
81}
82EXPORT_SYMBOL(setattr_should_drop_suidgid);
83
84/**
85 * chown_ok - verify permissions to chown inode
86 * @idmap:	idmap of the mount @inode was found from
87 * @inode:	inode to check permissions on
88 * @ia_vfsuid:	uid to chown @inode to
89 *
90 * If the inode has been found through an idmapped mount the idmap of
91 * the vfsmount must be passed through @idmap. This function will then
92 * take care to map the inode according to @idmap before checking
93 * permissions. On non-idmapped mounts or if permission checking is to be
94 * performed on the raw inode simply pass @nop_mnt_idmap.
95 */
96static bool chown_ok(struct mnt_idmap *idmap,
97		     const struct inode *inode, vfsuid_t ia_vfsuid)
98{
99	vfsuid_t vfsuid = i_uid_into_vfsuid(idmap, inode);
100	if (vfsuid_eq_kuid(vfsuid, current_fsuid()) &&
101	    vfsuid_eq(ia_vfsuid, vfsuid))
102		return true;
103	if (capable_wrt_inode_uidgid(idmap, inode, CAP_CHOWN))
104		return true;
105	if (!vfsuid_valid(vfsuid) &&
106	    ns_capable(inode->i_sb->s_user_ns, CAP_CHOWN))
107		return true;
108	return false;
109}
110
111/**
112 * chgrp_ok - verify permissions to chgrp inode
113 * @idmap:	idmap of the mount @inode was found from
114 * @inode:	inode to check permissions on
115 * @ia_vfsgid:	gid to chown @inode to
116 *
117 * If the inode has been found through an idmapped mount the idmap of
118 * the vfsmount must be passed through @idmap. This function will then
119 * take care to map the inode according to @idmap before checking
120 * permissions. On non-idmapped mounts or if permission checking is to be
121 * performed on the raw inode simply pass @nop_mnt_idmap.
122 */
123static bool chgrp_ok(struct mnt_idmap *idmap,
124		     const struct inode *inode, vfsgid_t ia_vfsgid)
125{
126	vfsgid_t vfsgid = i_gid_into_vfsgid(idmap, inode);
127	vfsuid_t vfsuid = i_uid_into_vfsuid(idmap, inode);
128	if (vfsuid_eq_kuid(vfsuid, current_fsuid())) {
129		if (vfsgid_eq(ia_vfsgid, vfsgid))
130			return true;
131		if (vfsgid_in_group_p(ia_vfsgid))
132			return true;
133	}
134	if (capable_wrt_inode_uidgid(idmap, inode, CAP_CHOWN))
135		return true;
136	if (!vfsgid_valid(vfsgid) &&
137	    ns_capable(inode->i_sb->s_user_ns, CAP_CHOWN))
138		return true;
139	return false;
140}
141
142/**
143 * setattr_prepare - check if attribute changes to a dentry are allowed
144 * @idmap:	idmap of the mount the inode was found from
145 * @dentry:	dentry to check
146 * @attr:	attributes to change
147 *
148 * Check if we are allowed to change the attributes contained in @attr
149 * in the given dentry.  This includes the normal unix access permission
150 * checks, as well as checks for rlimits and others. The function also clears
151 * SGID bit from mode if user is not allowed to set it. Also file capabilities
152 * and IMA extended attributes are cleared if ATTR_KILL_PRIV is set.
153 *
154 * If the inode has been found through an idmapped mount the idmap of
155 * the vfsmount must be passed through @idmap. This function will then
156 * take care to map the inode according to @idmap before checking
157 * permissions. On non-idmapped mounts or if permission checking is to be
158 * performed on the raw inode simply pass @nop_mnt_idmap.
159 *
160 * Should be called as the first thing in ->setattr implementations,
161 * possibly after taking additional locks.
162 */
163int setattr_prepare(struct mnt_idmap *idmap, struct dentry *dentry,
164		    struct iattr *attr)
165{
166	struct inode *inode = d_inode(dentry);
167	unsigned int ia_valid = attr->ia_valid;
168
169	/*
170	 * First check size constraints.  These can't be overriden using
171	 * ATTR_FORCE.
172	 */
173	if (ia_valid & ATTR_SIZE) {
174		int error = inode_newsize_ok(inode, attr->ia_size);
175		if (error)
176			return error;
177	}
178
179	/* If force is set do it anyway. */
180	if (ia_valid & ATTR_FORCE)
181		goto kill_priv;
182
183	/* Make sure a caller can chown. */
184	if ((ia_valid & ATTR_UID) &&
185	    !chown_ok(idmap, inode, attr->ia_vfsuid))
186		return -EPERM;
187
188	/* Make sure caller can chgrp. */
189	if ((ia_valid & ATTR_GID) &&
190	    !chgrp_ok(idmap, inode, attr->ia_vfsgid))
191		return -EPERM;
192
193	/* Make sure a caller can chmod. */
194	if (ia_valid & ATTR_MODE) {
195		vfsgid_t vfsgid;
196
197		if (!inode_owner_or_capable(idmap, inode))
198			return -EPERM;
199
200		if (ia_valid & ATTR_GID)
201			vfsgid = attr->ia_vfsgid;
202		else
203			vfsgid = i_gid_into_vfsgid(idmap, inode);
204
205		/* Also check the setgid bit! */
206		if (!in_group_or_capable(idmap, inode, vfsgid))
207			attr->ia_mode &= ~S_ISGID;
208	}
209
210	/* Check for setting the inode time. */
211	if (ia_valid & (ATTR_MTIME_SET | ATTR_ATIME_SET | ATTR_TIMES_SET)) {
212		if (!inode_owner_or_capable(idmap, inode))
213			return -EPERM;
214	}
215
216kill_priv:
217	/* User has permission for the change */
218	if (ia_valid & ATTR_KILL_PRIV) {
219		int error;
220
221		error = security_inode_killpriv(idmap, dentry);
222		if (error)
223			return error;
224	}
225
226	return 0;
227}
228EXPORT_SYMBOL(setattr_prepare);
229
230/**
231 * inode_newsize_ok - may this inode be truncated to a given size
232 * @inode:	the inode to be truncated
233 * @offset:	the new size to assign to the inode
234 *
235 * inode_newsize_ok must be called with i_mutex held.
236 *
237 * inode_newsize_ok will check filesystem limits and ulimits to check that the
238 * new inode size is within limits. inode_newsize_ok will also send SIGXFSZ
239 * when necessary. Caller must not proceed with inode size change if failure is
240 * returned. @inode must be a file (not directory), with appropriate
241 * permissions to allow truncate (inode_newsize_ok does NOT check these
242 * conditions).
243 *
244 * Return: 0 on success, -ve errno on failure
245 */
246int inode_newsize_ok(const struct inode *inode, loff_t offset)
247{
248	if (offset < 0)
249		return -EINVAL;
250	if (inode->i_size < offset) {
251		unsigned long limit;
252
253		limit = rlimit(RLIMIT_FSIZE);
254		if (limit != RLIM_INFINITY && offset > limit)
255			goto out_sig;
256		if (offset > inode->i_sb->s_maxbytes)
257			goto out_big;
258	} else {
259		/*
260		 * truncation of in-use swapfiles is disallowed - it would
261		 * cause subsequent swapout to scribble on the now-freed
262		 * blocks.
263		 */
264		if (IS_SWAPFILE(inode))
265			return -ETXTBSY;
266	}
267
268	return 0;
269out_sig:
270	send_sig(SIGXFSZ, current, 0);
271out_big:
272	return -EFBIG;
273}
274EXPORT_SYMBOL(inode_newsize_ok);
275
276/**
277 * setattr_copy - copy simple metadata updates into the generic inode
278 * @idmap:	idmap of the mount the inode was found from
279 * @inode:	the inode to be updated
280 * @attr:	the new attributes
281 *
282 * setattr_copy must be called with i_mutex held.
283 *
284 * setattr_copy updates the inode's metadata with that specified
285 * in attr on idmapped mounts. Necessary permission checks to determine
286 * whether or not the S_ISGID property needs to be removed are performed with
287 * the correct idmapped mount permission helpers.
288 * Noticeably missing is inode size update, which is more complex
289 * as it requires pagecache updates.
290 *
291 * If the inode has been found through an idmapped mount the idmap of
292 * the vfsmount must be passed through @idmap. This function will then
293 * take care to map the inode according to @idmap before checking
294 * permissions. On non-idmapped mounts or if permission checking is to be
295 * performed on the raw inode simply pass @nop_mnt_idmap.
296 *
297 * The inode is not marked as dirty after this operation. The rationale is
298 * that for "simple" filesystems, the struct inode is the inode storage.
299 * The caller is free to mark the inode dirty afterwards if needed.
300 */
301void setattr_copy(struct mnt_idmap *idmap, struct inode *inode,
302		  const struct iattr *attr)
303{
304	unsigned int ia_valid = attr->ia_valid;
305
306	i_uid_update(idmap, attr, inode);
307	i_gid_update(idmap, attr, inode);
308	if (ia_valid & ATTR_ATIME)
309		inode_set_atime_to_ts(inode, attr->ia_atime);
310	if (ia_valid & ATTR_MTIME)
311		inode_set_mtime_to_ts(inode, attr->ia_mtime);
312	if (ia_valid & ATTR_CTIME)
313		inode_set_ctime_to_ts(inode, attr->ia_ctime);
314	if (ia_valid & ATTR_MODE) {
315		umode_t mode = attr->ia_mode;
316		if (!in_group_or_capable(idmap, inode,
317					 i_gid_into_vfsgid(idmap, inode)))
318			mode &= ~S_ISGID;
319		inode->i_mode = mode;
320	}
321}
322EXPORT_SYMBOL(setattr_copy);
323
324int may_setattr(struct mnt_idmap *idmap, struct inode *inode,
325		unsigned int ia_valid)
326{
327	int error;
328
329	if (ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID | ATTR_TIMES_SET)) {
330		if (IS_IMMUTABLE(inode) || IS_APPEND(inode))
331			return -EPERM;
332	}
333
334	/*
335	 * If utimes(2) and friends are called with times == NULL (or both
336	 * times are UTIME_NOW), then we need to check for write permission
337	 */
338	if (ia_valid & ATTR_TOUCH) {
339		if (IS_IMMUTABLE(inode))
340			return -EPERM;
341
342		if (!inode_owner_or_capable(idmap, inode)) {
343			error = inode_permission(idmap, inode, MAY_WRITE);
344			if (error)
345				return error;
346		}
347	}
348	return 0;
349}
350EXPORT_SYMBOL(may_setattr);
351
352/**
353 * notify_change - modify attributes of a filesystem object
354 * @idmap:	idmap of the mount the inode was found from
355 * @dentry:	object affected
356 * @attr:	new attributes
357 * @delegated_inode: returns inode, if the inode is delegated
358 *
359 * The caller must hold the i_mutex on the affected object.
360 *
361 * If notify_change discovers a delegation in need of breaking,
362 * it will return -EWOULDBLOCK and return a reference to the inode in
363 * delegated_inode.  The caller should then break the delegation and
364 * retry.  Because breaking a delegation may take a long time, the
365 * caller should drop the i_mutex before doing so.
366 *
367 * Alternatively, a caller may pass NULL for delegated_inode.  This may
368 * be appropriate for callers that expect the underlying filesystem not
369 * to be NFS exported.  Also, passing NULL is fine for callers holding
370 * the file open for write, as there can be no conflicting delegation in
371 * that case.
372 *
373 * If the inode has been found through an idmapped mount the idmap of
374 * the vfsmount must be passed through @idmap. This function will then
375 * take care to map the inode according to @idmap before checking
376 * permissions. On non-idmapped mounts or if permission checking is to be
377 * performed on the raw inode simply pass @nop_mnt_idmap.
378 */
379int notify_change(struct mnt_idmap *idmap, struct dentry *dentry,
380		  struct iattr *attr, struct inode **delegated_inode)
381{
382	struct inode *inode = dentry->d_inode;
383	umode_t mode = inode->i_mode;
384	int error;
385	struct timespec64 now;
386	unsigned int ia_valid = attr->ia_valid;
387
388	WARN_ON_ONCE(!inode_is_locked(inode));
389
390	error = may_setattr(idmap, inode, ia_valid);
391	if (error)
392		return error;
393
394	if ((ia_valid & ATTR_MODE)) {
395		/*
396		 * Don't allow changing the mode of symlinks:
397		 *
398		 * (1) The vfs doesn't take the mode of symlinks into account
399		 *     during permission checking.
400		 * (2) This has never worked correctly. Most major filesystems
401		 *     did return EOPNOTSUPP due to interactions with POSIX ACLs
402		 *     but did still updated the mode of the symlink.
403		 *     This inconsistency led system call wrapper providers such
404		 *     as libc to block changing the mode of symlinks with
405		 *     EOPNOTSUPP already.
406		 * (3) To even do this in the first place one would have to use
407		 *     specific file descriptors and quite some effort.
408		 */
409		if (S_ISLNK(inode->i_mode))
410			return -EOPNOTSUPP;
411
412		/* Flag setting protected by i_mutex */
413		if (is_sxid(attr->ia_mode))
414			inode->i_flags &= ~S_NOSEC;
415	}
416
417	now = current_time(inode);
418
419	attr->ia_ctime = now;
420	if (!(ia_valid & ATTR_ATIME_SET))
421		attr->ia_atime = now;
422	else
423		attr->ia_atime = timestamp_truncate(attr->ia_atime, inode);
424	if (!(ia_valid & ATTR_MTIME_SET))
425		attr->ia_mtime = now;
426	else
427		attr->ia_mtime = timestamp_truncate(attr->ia_mtime, inode);
428
429	if (ia_valid & ATTR_KILL_PRIV) {
430		error = security_inode_need_killpriv(dentry);
431		if (error < 0)
432			return error;
433		if (error == 0)
434			ia_valid = attr->ia_valid &= ~ATTR_KILL_PRIV;
435	}
436
437	/*
438	 * We now pass ATTR_KILL_S*ID to the lower level setattr function so
439	 * that the function has the ability to reinterpret a mode change
440	 * that's due to these bits. This adds an implicit restriction that
441	 * no function will ever call notify_change with both ATTR_MODE and
442	 * ATTR_KILL_S*ID set.
443	 */
444	if ((ia_valid & (ATTR_KILL_SUID|ATTR_KILL_SGID)) &&
445	    (ia_valid & ATTR_MODE))
446		BUG();
447
448	if (ia_valid & ATTR_KILL_SUID) {
449		if (mode & S_ISUID) {
450			ia_valid = attr->ia_valid |= ATTR_MODE;
451			attr->ia_mode = (inode->i_mode & ~S_ISUID);
452		}
453	}
454	if (ia_valid & ATTR_KILL_SGID) {
455		if (mode & S_ISGID) {
456			if (!(ia_valid & ATTR_MODE)) {
457				ia_valid = attr->ia_valid |= ATTR_MODE;
458				attr->ia_mode = inode->i_mode;
459			}
460			attr->ia_mode &= ~S_ISGID;
461		}
462	}
463	if (!(attr->ia_valid & ~(ATTR_KILL_SUID | ATTR_KILL_SGID)))
464		return 0;
465
466	/*
467	 * Verify that uid/gid changes are valid in the target
468	 * namespace of the superblock.
469	 */
470	if (ia_valid & ATTR_UID &&
471	    !vfsuid_has_fsmapping(idmap, inode->i_sb->s_user_ns,
472				  attr->ia_vfsuid))
473		return -EOVERFLOW;
474	if (ia_valid & ATTR_GID &&
475	    !vfsgid_has_fsmapping(idmap, inode->i_sb->s_user_ns,
476				  attr->ia_vfsgid))
477		return -EOVERFLOW;
478
479	/* Don't allow modifications of files with invalid uids or
480	 * gids unless those uids & gids are being made valid.
481	 */
482	if (!(ia_valid & ATTR_UID) &&
483	    !vfsuid_valid(i_uid_into_vfsuid(idmap, inode)))
484		return -EOVERFLOW;
485	if (!(ia_valid & ATTR_GID) &&
486	    !vfsgid_valid(i_gid_into_vfsgid(idmap, inode)))
487		return -EOVERFLOW;
488
489	error = security_inode_setattr(idmap, dentry, attr);
490	if (error)
491		return error;
492	error = try_break_deleg(inode, delegated_inode);
493	if (error)
494		return error;
495
496	if (inode->i_op->setattr)
497		error = inode->i_op->setattr(idmap, dentry, attr);
498	else
499		error = simple_setattr(idmap, dentry, attr);
500
501	if (!error) {
502		fsnotify_change(dentry, ia_valid);
503		security_inode_post_setattr(idmap, dentry, ia_valid);
504	}
505
506	return error;
507}
508EXPORT_SYMBOL(notify_change);
509