mirror of
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
synced 2024-11-01 17:08:10 +00:00
7d6beb71da
-----BEGIN PGP SIGNATURE-----
iHUEABYKAB0WIQRAhzRXHqcMeLMyaSiRxhvAZXjcogUCYCegywAKCRCRxhvAZXjc
ouJ6AQDlf+7jCQlQdeKKoN9QDFfMzG1ooemat36EpRRTONaGuAD8D9A4sUsG4+5f
4IU5Lj9oY4DEmF8HenbWK2ZHsesL2Qg=
=yPaw
-----END PGP SIGNATURE-----
Merge tag 'idmapped-mounts-v5.12' of git://git.kernel.org/pub/scm/linux/kernel/git/brauner/linux
Pull idmapped mounts from Christian Brauner:
"This introduces idmapped mounts which has been in the making for some
time. Simply put, different mounts can expose the same file or
directory with different ownership. This initial implementation comes
with ports for fat, ext4 and with Christoph's port for xfs with more
filesystems being actively worked on by independent people and
maintainers.
Idmapping mounts handle a wide range of long standing use-cases. Here
are just a few:
- Idmapped mounts make it possible to easily share files between
multiple users or multiple machines especially in complex
scenarios. For example, idmapped mounts will be used in the
implementation of portable home directories in
systemd-homed.service(8) where they allow users to move their home
directory to an external storage device and use it on multiple
computers where they are assigned different uids and gids. This
effectively makes it possible to assign random uids and gids at
login time.
- It is possible to share files from the host with unprivileged
containers without having to change ownership permanently through
chown(2).
- It is possible to idmap a container's rootfs and without having to
mangle every file. For example, Chromebooks use it to share the
user's Download folder with their unprivileged containers in their
Linux subsystem.
- It is possible to share files between containers with
non-overlapping idmappings.
- Filesystem that lack a proper concept of ownership such as fat can
use idmapped mounts to implement discretionary access (DAC)
permission checking.
- They allow users to efficiently changing ownership on a per-mount
basis without having to (recursively) chown(2) all files. In
contrast to chown (2) changing ownership of large sets of files is
instantenous with idmapped mounts. This is especially useful when
ownership of a whole root filesystem of a virtual machine or
container is changed. With idmapped mounts a single syscall
mount_setattr syscall will be sufficient to change the ownership of
all files.
- Idmapped mounts always take the current ownership into account as
idmappings specify what a given uid or gid is supposed to be mapped
to. This contrasts with the chown(2) syscall which cannot by itself
take the current ownership of the files it changes into account. It
simply changes the ownership to the specified uid and gid. This is
especially problematic when recursively chown(2)ing a large set of
files which is commong with the aforementioned portable home
directory and container and vm scenario.
- Idmapped mounts allow to change ownership locally, restricting it
to specific mounts, and temporarily as the ownership changes only
apply as long as the mount exists.
Several userspace projects have either already put up patches and
pull-requests for this feature or will do so should you decide to pull
this:
- systemd: In a wide variety of scenarios but especially right away
in their implementation of portable home directories.
https://systemd.io/HOME_DIRECTORY/
- container runtimes: containerd, runC, LXD:To share data between
host and unprivileged containers, unprivileged and privileged
containers, etc. The pull request for idmapped mounts support in
containerd, the default Kubernetes runtime is already up for quite
a while now: https://github.com/containerd/containerd/pull/4734
- The virtio-fs developers and several users have expressed interest
in using this feature with virtual machines once virtio-fs is
ported.
- ChromeOS: Sharing host-directories with unprivileged containers.
I've tightly synced with all those projects and all of those listed
here have also expressed their need/desire for this feature on the
mailing list. For more info on how people use this there's a bunch of
talks about this too. Here's just two recent ones:
https://www.cncf.io/wp-content/uploads/2020/12/Rootless-Containers-in-Gitpod.pdf
https://fosdem.org/2021/schedule/event/containers_idmap/
This comes with an extensive xfstests suite covering both ext4 and
xfs:
https://git.kernel.org/brauner/xfstests-dev/h/idmapped_mounts
It covers truncation, creation, opening, xattrs, vfscaps, setid
execution, setgid inheritance and more both with idmapped and
non-idmapped mounts. It already helped to discover an unrelated xfs
setgid inheritance bug which has since been fixed in mainline. It will
be sent for inclusion with the xfstests project should you decide to
merge this.
In order to support per-mount idmappings vfsmounts are marked with
user namespaces. The idmapping of the user namespace will be used to
map the ids of vfs objects when they are accessed through that mount.
By default all vfsmounts are marked with the initial user namespace.
The initial user namespace is used to indicate that a mount is not
idmapped. All operations behave as before and this is verified in the
testsuite.
Based on prior discussions we want to attach the whole user namespace
and not just a dedicated idmapping struct. This allows us to reuse all
the helpers that already exist for dealing with idmappings instead of
introducing a whole new range of helpers. In addition, if we decide in
the future that we are confident enough to enable unprivileged users
to setup idmapped mounts the permission checking can take into account
whether the caller is privileged in the user namespace the mount is
currently marked with.
The user namespace the mount will be marked with can be specified by
passing a file descriptor refering to the user namespace as an
argument to the new mount_setattr() syscall together with the new
MOUNT_ATTR_IDMAP flag. The system call follows the openat2() pattern
of extensibility.
The following conditions must be met in order to create an idmapped
mount:
- The caller must currently have the CAP_SYS_ADMIN capability in the
user namespace the underlying filesystem has been mounted in.
- The underlying filesystem must support idmapped mounts.
- The mount must not already be idmapped. This also implies that the
idmapping of a mount cannot be altered once it has been idmapped.
- The mount must be a detached/anonymous mount, i.e. it must have
been created by calling open_tree() with the OPEN_TREE_CLONE flag
and it must not already have been visible in the filesystem.
The last two points guarantee easier semantics for userspace and the
kernel and make the implementation significantly simpler.
By default vfsmounts are marked with the initial user namespace and no
behavioral or performance changes are observed.
The manpage with a detailed description can be found here:
1d7b902e28
In order to support idmapped mounts, filesystems need to be changed
and mark themselves with the FS_ALLOW_IDMAP flag in fs_flags. The
patches to convert individual filesystem are not very large or
complicated overall as can be seen from the included fat, ext4, and
xfs ports. Patches for other filesystems are actively worked on and
will be sent out separately. The xfstestsuite can be used to verify
that port has been done correctly.
The mount_setattr() syscall is motivated independent of the idmapped
mounts patches and it's been around since July 2019. One of the most
valuable features of the new mount api is the ability to perform
mounts based on file descriptors only.
Together with the lookup restrictions available in the openat2()
RESOLVE_* flag namespace which we added in v5.6 this is the first time
we are close to hardened and race-free (e.g. symlinks) mounting and
path resolution.
While userspace has started porting to the new mount api to mount
proper filesystems and create new bind-mounts it is currently not
possible to change mount options of an already existing bind mount in
the new mount api since the mount_setattr() syscall is missing.
With the addition of the mount_setattr() syscall we remove this last
restriction and userspace can now fully port to the new mount api,
covering every use-case the old mount api could. We also add the
crucial ability to recursively change mount options for a whole mount
tree, both removing and adding mount options at the same time. This
syscall has been requested multiple times by various people and
projects.
There is a simple tool available at
https://github.com/brauner/mount-idmapped
that allows to create idmapped mounts so people can play with this
patch series. I'll add support for the regular mount binary should you
decide to pull this in the following weeks:
Here's an example to a simple idmapped mount of another user's home
directory:
u1001@f2-vm:/$ sudo ./mount --idmap both:1000:1001:1 /home/ubuntu/ /mnt
u1001@f2-vm:/$ ls -al /home/ubuntu/
total 28
drwxr-xr-x 2 ubuntu ubuntu 4096 Oct 28 22:07 .
drwxr-xr-x 4 root root 4096 Oct 28 04:00 ..
-rw------- 1 ubuntu ubuntu 3154 Oct 28 22:12 .bash_history
-rw-r--r-- 1 ubuntu ubuntu 220 Feb 25 2020 .bash_logout
-rw-r--r-- 1 ubuntu ubuntu 3771 Feb 25 2020 .bashrc
-rw-r--r-- 1 ubuntu ubuntu 807 Feb 25 2020 .profile
-rw-r--r-- 1 ubuntu ubuntu 0 Oct 16 16:11 .sudo_as_admin_successful
-rw------- 1 ubuntu ubuntu 1144 Oct 28 00:43 .viminfo
u1001@f2-vm:/$ ls -al /mnt/
total 28
drwxr-xr-x 2 u1001 u1001 4096 Oct 28 22:07 .
drwxr-xr-x 29 root root 4096 Oct 28 22:01 ..
-rw------- 1 u1001 u1001 3154 Oct 28 22:12 .bash_history
-rw-r--r-- 1 u1001 u1001 220 Feb 25 2020 .bash_logout
-rw-r--r-- 1 u1001 u1001 3771 Feb 25 2020 .bashrc
-rw-r--r-- 1 u1001 u1001 807 Feb 25 2020 .profile
-rw-r--r-- 1 u1001 u1001 0 Oct 16 16:11 .sudo_as_admin_successful
-rw------- 1 u1001 u1001 1144 Oct 28 00:43 .viminfo
u1001@f2-vm:/$ touch /mnt/my-file
u1001@f2-vm:/$ setfacl -m u:1001:rwx /mnt/my-file
u1001@f2-vm:/$ sudo setcap -n 1001 cap_net_raw+ep /mnt/my-file
u1001@f2-vm:/$ ls -al /mnt/my-file
-rw-rwxr--+ 1 u1001 u1001 0 Oct 28 22:14 /mnt/my-file
u1001@f2-vm:/$ ls -al /home/ubuntu/my-file
-rw-rwxr--+ 1 ubuntu ubuntu 0 Oct 28 22:14 /home/ubuntu/my-file
u1001@f2-vm:/$ getfacl /mnt/my-file
getfacl: Removing leading '/' from absolute path names
# file: mnt/my-file
# owner: u1001
# group: u1001
user::rw-
user:u1001:rwx
group::rw-
mask::rwx
other::r--
u1001@f2-vm:/$ getfacl /home/ubuntu/my-file
getfacl: Removing leading '/' from absolute path names
# file: home/ubuntu/my-file
# owner: ubuntu
# group: ubuntu
user::rw-
user:ubuntu:rwx
group::rw-
mask::rwx
other::r--"
* tag 'idmapped-mounts-v5.12' of git://git.kernel.org/pub/scm/linux/kernel/git/brauner/linux: (41 commits)
xfs: remove the possibly unused mp variable in xfs_file_compat_ioctl
xfs: support idmapped mounts
ext4: support idmapped mounts
fat: handle idmapped mounts
tests: add mount_setattr() selftests
fs: introduce MOUNT_ATTR_IDMAP
fs: add mount_setattr()
fs: add attr_flags_to_mnt_flags helper
fs: split out functions to hold writers
namespace: only take read lock in do_reconfigure_mnt()
mount: make {lock,unlock}_mount_hash() static
namespace: take lock_mount_hash() directly when changing flags
nfs: do not export idmapped mounts
overlayfs: do not mount on top of idmapped mounts
ecryptfs: do not mount on top of idmapped mounts
ima: handle idmapped mounts
apparmor: handle idmapped mounts
fs: make helpers idmap mount aware
exec: handle idmapped mounts
would_dump: handle idmapped mounts
...
4933 lines
131 KiB
C
4933 lines
131 KiB
C
// SPDX-License-Identifier: GPL-2.0
|
|
/*
|
|
* linux/fs/namei.c
|
|
*
|
|
* Copyright (C) 1991, 1992 Linus Torvalds
|
|
*/
|
|
|
|
/*
|
|
* Some corrections by tytso.
|
|
*/
|
|
|
|
/* [Feb 1997 T. Schoebel-Theuer] Complete rewrite of the pathname
|
|
* lookup logic.
|
|
*/
|
|
/* [Feb-Apr 2000, AV] Rewrite to the new namespace architecture.
|
|
*/
|
|
|
|
#include <linux/init.h>
|
|
#include <linux/export.h>
|
|
#include <linux/kernel.h>
|
|
#include <linux/slab.h>
|
|
#include <linux/fs.h>
|
|
#include <linux/namei.h>
|
|
#include <linux/pagemap.h>
|
|
#include <linux/fsnotify.h>
|
|
#include <linux/personality.h>
|
|
#include <linux/security.h>
|
|
#include <linux/ima.h>
|
|
#include <linux/syscalls.h>
|
|
#include <linux/mount.h>
|
|
#include <linux/audit.h>
|
|
#include <linux/capability.h>
|
|
#include <linux/file.h>
|
|
#include <linux/fcntl.h>
|
|
#include <linux/device_cgroup.h>
|
|
#include <linux/fs_struct.h>
|
|
#include <linux/posix_acl.h>
|
|
#include <linux/hash.h>
|
|
#include <linux/bitops.h>
|
|
#include <linux/init_task.h>
|
|
#include <linux/uaccess.h>
|
|
|
|
#include "internal.h"
|
|
#include "mount.h"
|
|
|
|
/* [Feb-1997 T. Schoebel-Theuer]
|
|
* Fundamental changes in the pathname lookup mechanisms (namei)
|
|
* were necessary because of omirr. The reason is that omirr needs
|
|
* to know the _real_ pathname, not the user-supplied one, in case
|
|
* of symlinks (and also when transname replacements occur).
|
|
*
|
|
* The new code replaces the old recursive symlink resolution with
|
|
* an iterative one (in case of non-nested symlink chains). It does
|
|
* this with calls to <fs>_follow_link().
|
|
* As a side effect, dir_namei(), _namei() and follow_link() are now
|
|
* replaced with a single function lookup_dentry() that can handle all
|
|
* the special cases of the former code.
|
|
*
|
|
* With the new dcache, the pathname is stored at each inode, at least as
|
|
* long as the refcount of the inode is positive. As a side effect, the
|
|
* size of the dcache depends on the inode cache and thus is dynamic.
|
|
*
|
|
* [29-Apr-1998 C. Scott Ananian] Updated above description of symlink
|
|
* resolution to correspond with current state of the code.
|
|
*
|
|
* Note that the symlink resolution is not *completely* iterative.
|
|
* There is still a significant amount of tail- and mid- recursion in
|
|
* the algorithm. Also, note that <fs>_readlink() is not used in
|
|
* lookup_dentry(): lookup_dentry() on the result of <fs>_readlink()
|
|
* may return different results than <fs>_follow_link(). Many virtual
|
|
* filesystems (including /proc) exhibit this behavior.
|
|
*/
|
|
|
|
/* [24-Feb-97 T. Schoebel-Theuer] Side effects caused by new implementation:
|
|
* New symlink semantics: when open() is called with flags O_CREAT | O_EXCL
|
|
* and the name already exists in form of a symlink, try to create the new
|
|
* name indicated by the symlink. The old code always complained that the
|
|
* name already exists, due to not following the symlink even if its target
|
|
* is nonexistent. The new semantics affects also mknod() and link() when
|
|
* the name is a symlink pointing to a non-existent name.
|
|
*
|
|
* I don't know which semantics is the right one, since I have no access
|
|
* to standards. But I found by trial that HP-UX 9.0 has the full "new"
|
|
* semantics implemented, while SunOS 4.1.1 and Solaris (SunOS 5.4) have the
|
|
* "old" one. Personally, I think the new semantics is much more logical.
|
|
* Note that "ln old new" where "new" is a symlink pointing to a non-existing
|
|
* file does succeed in both HP-UX and SunOs, but not in Solaris
|
|
* and in the old Linux semantics.
|
|
*/
|
|
|
|
/* [16-Dec-97 Kevin Buhr] For security reasons, we change some symlink
|
|
* semantics. See the comments in "open_namei" and "do_link" below.
|
|
*
|
|
* [10-Sep-98 Alan Modra] Another symlink change.
|
|
*/
|
|
|
|
/* [Feb-Apr 2000 AV] Complete rewrite. Rules for symlinks:
|
|
* inside the path - always follow.
|
|
* in the last component in creation/removal/renaming - never follow.
|
|
* if LOOKUP_FOLLOW passed - follow.
|
|
* if the pathname has trailing slashes - follow.
|
|
* otherwise - don't follow.
|
|
* (applied in that order).
|
|
*
|
|
* [Jun 2000 AV] Inconsistent behaviour of open() in case if flags==O_CREAT
|
|
* restored for 2.4. This is the last surviving part of old 4.2BSD bug.
|
|
* During the 2.4 we need to fix the userland stuff depending on it -
|
|
* hopefully we will be able to get rid of that wart in 2.5. So far only
|
|
* XEmacs seems to be relying on it...
|
|
*/
|
|
/*
|
|
* [Sep 2001 AV] Single-semaphore locking scheme (kudos to David Holland)
|
|
* implemented. Let's see if raised priority of ->s_vfs_rename_mutex gives
|
|
* any extra contention...
|
|
*/
|
|
|
|
/* In order to reduce some races, while at the same time doing additional
|
|
* checking and hopefully speeding things up, we copy filenames to the
|
|
* kernel data space before using them..
|
|
*
|
|
* POSIX.1 2.4: an empty pathname is invalid (ENOENT).
|
|
* PATH_MAX includes the nul terminator --RR.
|
|
*/
|
|
|
|
#define EMBEDDED_NAME_MAX (PATH_MAX - offsetof(struct filename, iname))
|
|
|
|
struct filename *
|
|
getname_flags(const char __user *filename, int flags, int *empty)
|
|
{
|
|
struct filename *result;
|
|
char *kname;
|
|
int len;
|
|
|
|
result = audit_reusename(filename);
|
|
if (result)
|
|
return result;
|
|
|
|
result = __getname();
|
|
if (unlikely(!result))
|
|
return ERR_PTR(-ENOMEM);
|
|
|
|
/*
|
|
* First, try to embed the struct filename inside the names_cache
|
|
* allocation
|
|
*/
|
|
kname = (char *)result->iname;
|
|
result->name = kname;
|
|
|
|
len = strncpy_from_user(kname, filename, EMBEDDED_NAME_MAX);
|
|
if (unlikely(len < 0)) {
|
|
__putname(result);
|
|
return ERR_PTR(len);
|
|
}
|
|
|
|
/*
|
|
* Uh-oh. We have a name that's approaching PATH_MAX. Allocate a
|
|
* separate struct filename so we can dedicate the entire
|
|
* names_cache allocation for the pathname, and re-do the copy from
|
|
* userland.
|
|
*/
|
|
if (unlikely(len == EMBEDDED_NAME_MAX)) {
|
|
const size_t size = offsetof(struct filename, iname[1]);
|
|
kname = (char *)result;
|
|
|
|
/*
|
|
* size is chosen that way we to guarantee that
|
|
* result->iname[0] is within the same object and that
|
|
* kname can't be equal to result->iname, no matter what.
|
|
*/
|
|
result = kzalloc(size, GFP_KERNEL);
|
|
if (unlikely(!result)) {
|
|
__putname(kname);
|
|
return ERR_PTR(-ENOMEM);
|
|
}
|
|
result->name = kname;
|
|
len = strncpy_from_user(kname, filename, PATH_MAX);
|
|
if (unlikely(len < 0)) {
|
|
__putname(kname);
|
|
kfree(result);
|
|
return ERR_PTR(len);
|
|
}
|
|
if (unlikely(len == PATH_MAX)) {
|
|
__putname(kname);
|
|
kfree(result);
|
|
return ERR_PTR(-ENAMETOOLONG);
|
|
}
|
|
}
|
|
|
|
result->refcnt = 1;
|
|
/* The empty path is special. */
|
|
if (unlikely(!len)) {
|
|
if (empty)
|
|
*empty = 1;
|
|
if (!(flags & LOOKUP_EMPTY)) {
|
|
putname(result);
|
|
return ERR_PTR(-ENOENT);
|
|
}
|
|
}
|
|
|
|
result->uptr = filename;
|
|
result->aname = NULL;
|
|
audit_getname(result);
|
|
return result;
|
|
}
|
|
|
|
struct filename *
|
|
getname(const char __user * filename)
|
|
{
|
|
return getname_flags(filename, 0, NULL);
|
|
}
|
|
|
|
struct filename *
|
|
getname_kernel(const char * filename)
|
|
{
|
|
struct filename *result;
|
|
int len = strlen(filename) + 1;
|
|
|
|
result = __getname();
|
|
if (unlikely(!result))
|
|
return ERR_PTR(-ENOMEM);
|
|
|
|
if (len <= EMBEDDED_NAME_MAX) {
|
|
result->name = (char *)result->iname;
|
|
} else if (len <= PATH_MAX) {
|
|
const size_t size = offsetof(struct filename, iname[1]);
|
|
struct filename *tmp;
|
|
|
|
tmp = kmalloc(size, GFP_KERNEL);
|
|
if (unlikely(!tmp)) {
|
|
__putname(result);
|
|
return ERR_PTR(-ENOMEM);
|
|
}
|
|
tmp->name = (char *)result;
|
|
result = tmp;
|
|
} else {
|
|
__putname(result);
|
|
return ERR_PTR(-ENAMETOOLONG);
|
|
}
|
|
memcpy((char *)result->name, filename, len);
|
|
result->uptr = NULL;
|
|
result->aname = NULL;
|
|
result->refcnt = 1;
|
|
audit_getname(result);
|
|
|
|
return result;
|
|
}
|
|
|
|
void putname(struct filename *name)
|
|
{
|
|
BUG_ON(name->refcnt <= 0);
|
|
|
|
if (--name->refcnt > 0)
|
|
return;
|
|
|
|
if (name->name != name->iname) {
|
|
__putname(name->name);
|
|
kfree(name);
|
|
} else
|
|
__putname(name);
|
|
}
|
|
|
|
/**
|
|
* check_acl - perform ACL permission checking
|
|
* @mnt_userns: user namespace of the mount the inode was found from
|
|
* @inode: inode to check permissions on
|
|
* @mask: right to check for (%MAY_READ, %MAY_WRITE, %MAY_EXEC ...)
|
|
*
|
|
* This function performs the ACL permission checking. Since this function
|
|
* retrieve POSIX acls it needs to know whether it is called from a blocking or
|
|
* non-blocking context and thus cares about the MAY_NOT_BLOCK bit.
|
|
*
|
|
* If the inode has been found through an idmapped mount the user namespace of
|
|
* the vfsmount must be passed through @mnt_userns. This function will then take
|
|
* care to map the inode according to @mnt_userns before checking permissions.
|
|
* On non-idmapped mounts or if permission checking is to be performed on the
|
|
* raw inode simply passs init_user_ns.
|
|
*/
|
|
static int check_acl(struct user_namespace *mnt_userns,
|
|
struct inode *inode, int mask)
|
|
{
|
|
#ifdef CONFIG_FS_POSIX_ACL
|
|
struct posix_acl *acl;
|
|
|
|
if (mask & MAY_NOT_BLOCK) {
|
|
acl = get_cached_acl_rcu(inode, ACL_TYPE_ACCESS);
|
|
if (!acl)
|
|
return -EAGAIN;
|
|
/* no ->get_acl() calls in RCU mode... */
|
|
if (is_uncached_acl(acl))
|
|
return -ECHILD;
|
|
return posix_acl_permission(mnt_userns, inode, acl, mask);
|
|
}
|
|
|
|
acl = get_acl(inode, ACL_TYPE_ACCESS);
|
|
if (IS_ERR(acl))
|
|
return PTR_ERR(acl);
|
|
if (acl) {
|
|
int error = posix_acl_permission(mnt_userns, inode, acl, mask);
|
|
posix_acl_release(acl);
|
|
return error;
|
|
}
|
|
#endif
|
|
|
|
return -EAGAIN;
|
|
}
|
|
|
|
/**
|
|
* acl_permission_check - perform basic UNIX permission checking
|
|
* @mnt_userns: user namespace of the mount the inode was found from
|
|
* @inode: inode to check permissions on
|
|
* @mask: right to check for (%MAY_READ, %MAY_WRITE, %MAY_EXEC ...)
|
|
*
|
|
* This function performs the basic UNIX permission checking. Since this
|
|
* function may retrieve POSIX acls it needs to know whether it is called from a
|
|
* blocking or non-blocking context and thus cares about the MAY_NOT_BLOCK bit.
|
|
*
|
|
* If the inode has been found through an idmapped mount the user namespace of
|
|
* the vfsmount must be passed through @mnt_userns. This function will then take
|
|
* care to map the inode according to @mnt_userns before checking permissions.
|
|
* On non-idmapped mounts or if permission checking is to be performed on the
|
|
* raw inode simply passs init_user_ns.
|
|
*/
|
|
static int acl_permission_check(struct user_namespace *mnt_userns,
|
|
struct inode *inode, int mask)
|
|
{
|
|
unsigned int mode = inode->i_mode;
|
|
kuid_t i_uid;
|
|
|
|
/* Are we the owner? If so, ACL's don't matter */
|
|
i_uid = i_uid_into_mnt(mnt_userns, inode);
|
|
if (likely(uid_eq(current_fsuid(), i_uid))) {
|
|
mask &= 7;
|
|
mode >>= 6;
|
|
return (mask & ~mode) ? -EACCES : 0;
|
|
}
|
|
|
|
/* Do we have ACL's? */
|
|
if (IS_POSIXACL(inode) && (mode & S_IRWXG)) {
|
|
int error = check_acl(mnt_userns, inode, mask);
|
|
if (error != -EAGAIN)
|
|
return error;
|
|
}
|
|
|
|
/* Only RWX matters for group/other mode bits */
|
|
mask &= 7;
|
|
|
|
/*
|
|
* Are the group permissions different from
|
|
* the other permissions in the bits we care
|
|
* about? Need to check group ownership if so.
|
|
*/
|
|
if (mask & (mode ^ (mode >> 3))) {
|
|
kgid_t kgid = i_gid_into_mnt(mnt_userns, inode);
|
|
if (in_group_p(kgid))
|
|
mode >>= 3;
|
|
}
|
|
|
|
/* Bits in 'mode' clear that we require? */
|
|
return (mask & ~mode) ? -EACCES : 0;
|
|
}
|
|
|
|
/**
|
|
* generic_permission - check for access rights on a Posix-like filesystem
|
|
* @mnt_userns: user namespace of the mount the inode was found from
|
|
* @inode: inode to check access rights for
|
|
* @mask: right to check for (%MAY_READ, %MAY_WRITE, %MAY_EXEC,
|
|
* %MAY_NOT_BLOCK ...)
|
|
*
|
|
* Used to check for read/write/execute permissions on a file.
|
|
* We use "fsuid" for this, letting us set arbitrary permissions
|
|
* for filesystem access without changing the "normal" uids which
|
|
* are used for other things.
|
|
*
|
|
* generic_permission is rcu-walk aware. It returns -ECHILD in case an rcu-walk
|
|
* request cannot be satisfied (eg. requires blocking or too much complexity).
|
|
* It would then be called again in ref-walk mode.
|
|
*
|
|
* If the inode has been found through an idmapped mount the user namespace of
|
|
* the vfsmount must be passed through @mnt_userns. This function will then take
|
|
* care to map the inode according to @mnt_userns before checking permissions.
|
|
* On non-idmapped mounts or if permission checking is to be performed on the
|
|
* raw inode simply passs init_user_ns.
|
|
*/
|
|
int generic_permission(struct user_namespace *mnt_userns, struct inode *inode,
|
|
int mask)
|
|
{
|
|
int ret;
|
|
|
|
/*
|
|
* Do the basic permission checks.
|
|
*/
|
|
ret = acl_permission_check(mnt_userns, inode, mask);
|
|
if (ret != -EACCES)
|
|
return ret;
|
|
|
|
if (S_ISDIR(inode->i_mode)) {
|
|
/* DACs are overridable for directories */
|
|
if (!(mask & MAY_WRITE))
|
|
if (capable_wrt_inode_uidgid(mnt_userns, inode,
|
|
CAP_DAC_READ_SEARCH))
|
|
return 0;
|
|
if (capable_wrt_inode_uidgid(mnt_userns, inode,
|
|
CAP_DAC_OVERRIDE))
|
|
return 0;
|
|
return -EACCES;
|
|
}
|
|
|
|
/*
|
|
* Searching includes executable on directories, else just read.
|
|
*/
|
|
mask &= MAY_READ | MAY_WRITE | MAY_EXEC;
|
|
if (mask == MAY_READ)
|
|
if (capable_wrt_inode_uidgid(mnt_userns, inode,
|
|
CAP_DAC_READ_SEARCH))
|
|
return 0;
|
|
/*
|
|
* Read/write DACs are always overridable.
|
|
* Executable DACs are overridable when there is
|
|
* at least one exec bit set.
|
|
*/
|
|
if (!(mask & MAY_EXEC) || (inode->i_mode & S_IXUGO))
|
|
if (capable_wrt_inode_uidgid(mnt_userns, inode,
|
|
CAP_DAC_OVERRIDE))
|
|
return 0;
|
|
|
|
return -EACCES;
|
|
}
|
|
EXPORT_SYMBOL(generic_permission);
|
|
|
|
/**
|
|
* do_inode_permission - UNIX permission checking
|
|
* @mnt_userns: user namespace of the mount the inode was found from
|
|
* @inode: inode to check permissions on
|
|
* @mask: right to check for (%MAY_READ, %MAY_WRITE, %MAY_EXEC ...)
|
|
*
|
|
* We _really_ want to just do "generic_permission()" without
|
|
* even looking at the inode->i_op values. So we keep a cache
|
|
* flag in inode->i_opflags, that says "this has not special
|
|
* permission function, use the fast case".
|
|
*/
|
|
static inline int do_inode_permission(struct user_namespace *mnt_userns,
|
|
struct inode *inode, int mask)
|
|
{
|
|
if (unlikely(!(inode->i_opflags & IOP_FASTPERM))) {
|
|
if (likely(inode->i_op->permission))
|
|
return inode->i_op->permission(mnt_userns, inode, mask);
|
|
|
|
/* This gets set once for the inode lifetime */
|
|
spin_lock(&inode->i_lock);
|
|
inode->i_opflags |= IOP_FASTPERM;
|
|
spin_unlock(&inode->i_lock);
|
|
}
|
|
return generic_permission(mnt_userns, inode, mask);
|
|
}
|
|
|
|
/**
|
|
* sb_permission - Check superblock-level permissions
|
|
* @sb: Superblock of inode to check permission on
|
|
* @inode: Inode to check permission on
|
|
* @mask: Right to check for (%MAY_READ, %MAY_WRITE, %MAY_EXEC)
|
|
*
|
|
* Separate out file-system wide checks from inode-specific permission checks.
|
|
*/
|
|
static int sb_permission(struct super_block *sb, struct inode *inode, int mask)
|
|
{
|
|
if (unlikely(mask & MAY_WRITE)) {
|
|
umode_t mode = inode->i_mode;
|
|
|
|
/* Nobody gets write access to a read-only fs. */
|
|
if (sb_rdonly(sb) && (S_ISREG(mode) || S_ISDIR(mode) || S_ISLNK(mode)))
|
|
return -EROFS;
|
|
}
|
|
return 0;
|
|
}
|
|
|
|
/**
|
|
* inode_permission - Check for access rights to a given inode
|
|
* @mnt_userns: User namespace of the mount the inode was found from
|
|
* @inode: Inode to check permission on
|
|
* @mask: Right to check for (%MAY_READ, %MAY_WRITE, %MAY_EXEC)
|
|
*
|
|
* Check for read/write/execute permissions on an inode. We use fs[ug]id for
|
|
* this, letting us set arbitrary permissions for filesystem access without
|
|
* changing the "normal" UIDs which are used for other things.
|
|
*
|
|
* When checking for MAY_APPEND, MAY_WRITE must also be set in @mask.
|
|
*/
|
|
int inode_permission(struct user_namespace *mnt_userns,
|
|
struct inode *inode, int mask)
|
|
{
|
|
int retval;
|
|
|
|
retval = sb_permission(inode->i_sb, inode, mask);
|
|
if (retval)
|
|
return retval;
|
|
|
|
if (unlikely(mask & MAY_WRITE)) {
|
|
/*
|
|
* Nobody gets write access to an immutable file.
|
|
*/
|
|
if (IS_IMMUTABLE(inode))
|
|
return -EPERM;
|
|
|
|
/*
|
|
* Updating mtime will likely cause i_uid and i_gid to be
|
|
* written back improperly if their true value is unknown
|
|
* to the vfs.
|
|
*/
|
|
if (HAS_UNMAPPED_ID(mnt_userns, inode))
|
|
return -EACCES;
|
|
}
|
|
|
|
retval = do_inode_permission(mnt_userns, inode, mask);
|
|
if (retval)
|
|
return retval;
|
|
|
|
retval = devcgroup_inode_permission(inode, mask);
|
|
if (retval)
|
|
return retval;
|
|
|
|
return security_inode_permission(inode, mask);
|
|
}
|
|
EXPORT_SYMBOL(inode_permission);
|
|
|
|
/**
|
|
* path_get - get a reference to a path
|
|
* @path: path to get the reference to
|
|
*
|
|
* Given a path increment the reference count to the dentry and the vfsmount.
|
|
*/
|
|
void path_get(const struct path *path)
|
|
{
|
|
mntget(path->mnt);
|
|
dget(path->dentry);
|
|
}
|
|
EXPORT_SYMBOL(path_get);
|
|
|
|
/**
|
|
* path_put - put a reference to a path
|
|
* @path: path to put the reference to
|
|
*
|
|
* Given a path decrement the reference count to the dentry and the vfsmount.
|
|
*/
|
|
void path_put(const struct path *path)
|
|
{
|
|
dput(path->dentry);
|
|
mntput(path->mnt);
|
|
}
|
|
EXPORT_SYMBOL(path_put);
|
|
|
|
#define EMBEDDED_LEVELS 2
|
|
struct nameidata {
|
|
struct path path;
|
|
struct qstr last;
|
|
struct path root;
|
|
struct inode *inode; /* path.dentry.d_inode */
|
|
unsigned int flags;
|
|
unsigned seq, m_seq, r_seq;
|
|
int last_type;
|
|
unsigned depth;
|
|
int total_link_count;
|
|
struct saved {
|
|
struct path link;
|
|
struct delayed_call done;
|
|
const char *name;
|
|
unsigned seq;
|
|
} *stack, internal[EMBEDDED_LEVELS];
|
|
struct filename *name;
|
|
struct nameidata *saved;
|
|
unsigned root_seq;
|
|
int dfd;
|
|
kuid_t dir_uid;
|
|
umode_t dir_mode;
|
|
} __randomize_layout;
|
|
|
|
static void set_nameidata(struct nameidata *p, int dfd, struct filename *name)
|
|
{
|
|
struct nameidata *old = current->nameidata;
|
|
p->stack = p->internal;
|
|
p->dfd = dfd;
|
|
p->name = name;
|
|
p->total_link_count = old ? old->total_link_count : 0;
|
|
p->saved = old;
|
|
current->nameidata = p;
|
|
}
|
|
|
|
static void restore_nameidata(void)
|
|
{
|
|
struct nameidata *now = current->nameidata, *old = now->saved;
|
|
|
|
current->nameidata = old;
|
|
if (old)
|
|
old->total_link_count = now->total_link_count;
|
|
if (now->stack != now->internal)
|
|
kfree(now->stack);
|
|
}
|
|
|
|
static bool nd_alloc_stack(struct nameidata *nd)
|
|
{
|
|
struct saved *p;
|
|
|
|
p= kmalloc_array(MAXSYMLINKS, sizeof(struct saved),
|
|
nd->flags & LOOKUP_RCU ? GFP_ATOMIC : GFP_KERNEL);
|
|
if (unlikely(!p))
|
|
return false;
|
|
memcpy(p, nd->internal, sizeof(nd->internal));
|
|
nd->stack = p;
|
|
return true;
|
|
}
|
|
|
|
/**
|
|
* path_connected - Verify that a dentry is below mnt.mnt_root
|
|
*
|
|
* Rename can sometimes move a file or directory outside of a bind
|
|
* mount, path_connected allows those cases to be detected.
|
|
*/
|
|
static bool path_connected(struct vfsmount *mnt, struct dentry *dentry)
|
|
{
|
|
struct super_block *sb = mnt->mnt_sb;
|
|
|
|
/* Bind mounts can have disconnected paths */
|
|
if (mnt->mnt_root == sb->s_root)
|
|
return true;
|
|
|
|
return is_subdir(dentry, mnt->mnt_root);
|
|
}
|
|
|
|
static void drop_links(struct nameidata *nd)
|
|
{
|
|
int i = nd->depth;
|
|
while (i--) {
|
|
struct saved *last = nd->stack + i;
|
|
do_delayed_call(&last->done);
|
|
clear_delayed_call(&last->done);
|
|
}
|
|
}
|
|
|
|
static void terminate_walk(struct nameidata *nd)
|
|
{
|
|
drop_links(nd);
|
|
if (!(nd->flags & LOOKUP_RCU)) {
|
|
int i;
|
|
path_put(&nd->path);
|
|
for (i = 0; i < nd->depth; i++)
|
|
path_put(&nd->stack[i].link);
|
|
if (nd->flags & LOOKUP_ROOT_GRABBED) {
|
|
path_put(&nd->root);
|
|
nd->flags &= ~LOOKUP_ROOT_GRABBED;
|
|
}
|
|
} else {
|
|
nd->flags &= ~LOOKUP_RCU;
|
|
rcu_read_unlock();
|
|
}
|
|
nd->depth = 0;
|
|
}
|
|
|
|
/* path_put is needed afterwards regardless of success or failure */
|
|
static bool __legitimize_path(struct path *path, unsigned seq, unsigned mseq)
|
|
{
|
|
int res = __legitimize_mnt(path->mnt, mseq);
|
|
if (unlikely(res)) {
|
|
if (res > 0)
|
|
path->mnt = NULL;
|
|
path->dentry = NULL;
|
|
return false;
|
|
}
|
|
if (unlikely(!lockref_get_not_dead(&path->dentry->d_lockref))) {
|
|
path->dentry = NULL;
|
|
return false;
|
|
}
|
|
return !read_seqcount_retry(&path->dentry->d_seq, seq);
|
|
}
|
|
|
|
static inline bool legitimize_path(struct nameidata *nd,
|
|
struct path *path, unsigned seq)
|
|
{
|
|
return __legitimize_path(path, seq, nd->m_seq);
|
|
}
|
|
|
|
static bool legitimize_links(struct nameidata *nd)
|
|
{
|
|
int i;
|
|
if (unlikely(nd->flags & LOOKUP_CACHED)) {
|
|
drop_links(nd);
|
|
nd->depth = 0;
|
|
return false;
|
|
}
|
|
for (i = 0; i < nd->depth; i++) {
|
|
struct saved *last = nd->stack + i;
|
|
if (unlikely(!legitimize_path(nd, &last->link, last->seq))) {
|
|
drop_links(nd);
|
|
nd->depth = i + 1;
|
|
return false;
|
|
}
|
|
}
|
|
return true;
|
|
}
|
|
|
|
static bool legitimize_root(struct nameidata *nd)
|
|
{
|
|
/*
|
|
* For scoped-lookups (where nd->root has been zeroed), we need to
|
|
* restart the whole lookup from scratch -- because set_root() is wrong
|
|
* for these lookups (nd->dfd is the root, not the filesystem root).
|
|
*/
|
|
if (!nd->root.mnt && (nd->flags & LOOKUP_IS_SCOPED))
|
|
return false;
|
|
/* Nothing to do if nd->root is zero or is managed by the VFS user. */
|
|
if (!nd->root.mnt || (nd->flags & LOOKUP_ROOT))
|
|
return true;
|
|
nd->flags |= LOOKUP_ROOT_GRABBED;
|
|
return legitimize_path(nd, &nd->root, nd->root_seq);
|
|
}
|
|
|
|
/*
|
|
* Path walking has 2 modes, rcu-walk and ref-walk (see
|
|
* Documentation/filesystems/path-lookup.txt). In situations when we can't
|
|
* continue in RCU mode, we attempt to drop out of rcu-walk mode and grab
|
|
* normal reference counts on dentries and vfsmounts to transition to ref-walk
|
|
* mode. Refcounts are grabbed at the last known good point before rcu-walk
|
|
* got stuck, so ref-walk may continue from there. If this is not successful
|
|
* (eg. a seqcount has changed), then failure is returned and it's up to caller
|
|
* to restart the path walk from the beginning in ref-walk mode.
|
|
*/
|
|
|
|
/**
|
|
* try_to_unlazy - try to switch to ref-walk mode.
|
|
* @nd: nameidata pathwalk data
|
|
* Returns: true on success, false on failure
|
|
*
|
|
* try_to_unlazy attempts to legitimize the current nd->path and nd->root
|
|
* for ref-walk mode.
|
|
* Must be called from rcu-walk context.
|
|
* Nothing should touch nameidata between try_to_unlazy() failure and
|
|
* terminate_walk().
|
|
*/
|
|
static bool try_to_unlazy(struct nameidata *nd)
|
|
{
|
|
struct dentry *parent = nd->path.dentry;
|
|
|
|
BUG_ON(!(nd->flags & LOOKUP_RCU));
|
|
|
|
nd->flags &= ~LOOKUP_RCU;
|
|
if (unlikely(!legitimize_links(nd)))
|
|
goto out1;
|
|
if (unlikely(!legitimize_path(nd, &nd->path, nd->seq)))
|
|
goto out;
|
|
if (unlikely(!legitimize_root(nd)))
|
|
goto out;
|
|
rcu_read_unlock();
|
|
BUG_ON(nd->inode != parent->d_inode);
|
|
return true;
|
|
|
|
out1:
|
|
nd->path.mnt = NULL;
|
|
nd->path.dentry = NULL;
|
|
out:
|
|
rcu_read_unlock();
|
|
return false;
|
|
}
|
|
|
|
/**
|
|
* try_to_unlazy_next - try to switch to ref-walk mode.
|
|
* @nd: nameidata pathwalk data
|
|
* @dentry: next dentry to step into
|
|
* @seq: seq number to check @dentry against
|
|
* Returns: true on success, false on failure
|
|
*
|
|
* Similar to to try_to_unlazy(), but here we have the next dentry already
|
|
* picked by rcu-walk and want to legitimize that in addition to the current
|
|
* nd->path and nd->root for ref-walk mode. Must be called from rcu-walk context.
|
|
* Nothing should touch nameidata between try_to_unlazy_next() failure and
|
|
* terminate_walk().
|
|
*/
|
|
static bool try_to_unlazy_next(struct nameidata *nd, struct dentry *dentry, unsigned seq)
|
|
{
|
|
BUG_ON(!(nd->flags & LOOKUP_RCU));
|
|
|
|
nd->flags &= ~LOOKUP_RCU;
|
|
if (unlikely(!legitimize_links(nd)))
|
|
goto out2;
|
|
if (unlikely(!legitimize_mnt(nd->path.mnt, nd->m_seq)))
|
|
goto out2;
|
|
if (unlikely(!lockref_get_not_dead(&nd->path.dentry->d_lockref)))
|
|
goto out1;
|
|
|
|
/*
|
|
* We need to move both the parent and the dentry from the RCU domain
|
|
* to be properly refcounted. And the sequence number in the dentry
|
|
* validates *both* dentry counters, since we checked the sequence
|
|
* number of the parent after we got the child sequence number. So we
|
|
* know the parent must still be valid if the child sequence number is
|
|
*/
|
|
if (unlikely(!lockref_get_not_dead(&dentry->d_lockref)))
|
|
goto out;
|
|
if (unlikely(read_seqcount_retry(&dentry->d_seq, seq)))
|
|
goto out_dput;
|
|
/*
|
|
* Sequence counts matched. Now make sure that the root is
|
|
* still valid and get it if required.
|
|
*/
|
|
if (unlikely(!legitimize_root(nd)))
|
|
goto out_dput;
|
|
rcu_read_unlock();
|
|
return true;
|
|
|
|
out2:
|
|
nd->path.mnt = NULL;
|
|
out1:
|
|
nd->path.dentry = NULL;
|
|
out:
|
|
rcu_read_unlock();
|
|
return false;
|
|
out_dput:
|
|
rcu_read_unlock();
|
|
dput(dentry);
|
|
return false;
|
|
}
|
|
|
|
static inline int d_revalidate(struct dentry *dentry, unsigned int flags)
|
|
{
|
|
if (unlikely(dentry->d_flags & DCACHE_OP_REVALIDATE))
|
|
return dentry->d_op->d_revalidate(dentry, flags);
|
|
else
|
|
return 1;
|
|
}
|
|
|
|
/**
|
|
* complete_walk - successful completion of path walk
|
|
* @nd: pointer nameidata
|
|
*
|
|
* If we had been in RCU mode, drop out of it and legitimize nd->path.
|
|
* Revalidate the final result, unless we'd already done that during
|
|
* the path walk or the filesystem doesn't ask for it. Return 0 on
|
|
* success, -error on failure. In case of failure caller does not
|
|
* need to drop nd->path.
|
|
*/
|
|
static int complete_walk(struct nameidata *nd)
|
|
{
|
|
struct dentry *dentry = nd->path.dentry;
|
|
int status;
|
|
|
|
if (nd->flags & LOOKUP_RCU) {
|
|
/*
|
|
* We don't want to zero nd->root for scoped-lookups or
|
|
* externally-managed nd->root.
|
|
*/
|
|
if (!(nd->flags & (LOOKUP_ROOT | LOOKUP_IS_SCOPED)))
|
|
nd->root.mnt = NULL;
|
|
nd->flags &= ~LOOKUP_CACHED;
|
|
if (!try_to_unlazy(nd))
|
|
return -ECHILD;
|
|
}
|
|
|
|
if (unlikely(nd->flags & LOOKUP_IS_SCOPED)) {
|
|
/*
|
|
* While the guarantee of LOOKUP_IS_SCOPED is (roughly) "don't
|
|
* ever step outside the root during lookup" and should already
|
|
* be guaranteed by the rest of namei, we want to avoid a namei
|
|
* BUG resulting in userspace being given a path that was not
|
|
* scoped within the root at some point during the lookup.
|
|
*
|
|
* So, do a final sanity-check to make sure that in the
|
|
* worst-case scenario (a complete bypass of LOOKUP_IS_SCOPED)
|
|
* we won't silently return an fd completely outside of the
|
|
* requested root to userspace.
|
|
*
|
|
* Userspace could move the path outside the root after this
|
|
* check, but as discussed elsewhere this is not a concern (the
|
|
* resolved file was inside the root at some point).
|
|
*/
|
|
if (!path_is_under(&nd->path, &nd->root))
|
|
return -EXDEV;
|
|
}
|
|
|
|
if (likely(!(nd->flags & LOOKUP_JUMPED)))
|
|
return 0;
|
|
|
|
if (likely(!(dentry->d_flags & DCACHE_OP_WEAK_REVALIDATE)))
|
|
return 0;
|
|
|
|
status = dentry->d_op->d_weak_revalidate(dentry, nd->flags);
|
|
if (status > 0)
|
|
return 0;
|
|
|
|
if (!status)
|
|
status = -ESTALE;
|
|
|
|
return status;
|
|
}
|
|
|
|
static int set_root(struct nameidata *nd)
|
|
{
|
|
struct fs_struct *fs = current->fs;
|
|
|
|
/*
|
|
* Jumping to the real root in a scoped-lookup is a BUG in namei, but we
|
|
* still have to ensure it doesn't happen because it will cause a breakout
|
|
* from the dirfd.
|
|
*/
|
|
if (WARN_ON(nd->flags & LOOKUP_IS_SCOPED))
|
|
return -ENOTRECOVERABLE;
|
|
|
|
if (nd->flags & LOOKUP_RCU) {
|
|
unsigned seq;
|
|
|
|
do {
|
|
seq = read_seqcount_begin(&fs->seq);
|
|
nd->root = fs->root;
|
|
nd->root_seq = __read_seqcount_begin(&nd->root.dentry->d_seq);
|
|
} while (read_seqcount_retry(&fs->seq, seq));
|
|
} else {
|
|
get_fs_root(fs, &nd->root);
|
|
nd->flags |= LOOKUP_ROOT_GRABBED;
|
|
}
|
|
return 0;
|
|
}
|
|
|
|
static int nd_jump_root(struct nameidata *nd)
|
|
{
|
|
if (unlikely(nd->flags & LOOKUP_BENEATH))
|
|
return -EXDEV;
|
|
if (unlikely(nd->flags & LOOKUP_NO_XDEV)) {
|
|
/* Absolute path arguments to path_init() are allowed. */
|
|
if (nd->path.mnt != NULL && nd->path.mnt != nd->root.mnt)
|
|
return -EXDEV;
|
|
}
|
|
if (!nd->root.mnt) {
|
|
int error = set_root(nd);
|
|
if (error)
|
|
return error;
|
|
}
|
|
if (nd->flags & LOOKUP_RCU) {
|
|
struct dentry *d;
|
|
nd->path = nd->root;
|
|
d = nd->path.dentry;
|
|
nd->inode = d->d_inode;
|
|
nd->seq = nd->root_seq;
|
|
if (unlikely(read_seqcount_retry(&d->d_seq, nd->seq)))
|
|
return -ECHILD;
|
|
} else {
|
|
path_put(&nd->path);
|
|
nd->path = nd->root;
|
|
path_get(&nd->path);
|
|
nd->inode = nd->path.dentry->d_inode;
|
|
}
|
|
nd->flags |= LOOKUP_JUMPED;
|
|
return 0;
|
|
}
|
|
|
|
/*
|
|
* Helper to directly jump to a known parsed path from ->get_link,
|
|
* caller must have taken a reference to path beforehand.
|
|
*/
|
|
int nd_jump_link(struct path *path)
|
|
{
|
|
int error = -ELOOP;
|
|
struct nameidata *nd = current->nameidata;
|
|
|
|
if (unlikely(nd->flags & LOOKUP_NO_MAGICLINKS))
|
|
goto err;
|
|
|
|
error = -EXDEV;
|
|
if (unlikely(nd->flags & LOOKUP_NO_XDEV)) {
|
|
if (nd->path.mnt != path->mnt)
|
|
goto err;
|
|
}
|
|
/* Not currently safe for scoped-lookups. */
|
|
if (unlikely(nd->flags & LOOKUP_IS_SCOPED))
|
|
goto err;
|
|
|
|
path_put(&nd->path);
|
|
nd->path = *path;
|
|
nd->inode = nd->path.dentry->d_inode;
|
|
nd->flags |= LOOKUP_JUMPED;
|
|
return 0;
|
|
|
|
err:
|
|
path_put(path);
|
|
return error;
|
|
}
|
|
|
|
static inline void put_link(struct nameidata *nd)
|
|
{
|
|
struct saved *last = nd->stack + --nd->depth;
|
|
do_delayed_call(&last->done);
|
|
if (!(nd->flags & LOOKUP_RCU))
|
|
path_put(&last->link);
|
|
}
|
|
|
|
int sysctl_protected_symlinks __read_mostly = 0;
|
|
int sysctl_protected_hardlinks __read_mostly = 0;
|
|
int sysctl_protected_fifos __read_mostly;
|
|
int sysctl_protected_regular __read_mostly;
|
|
|
|
/**
|
|
* may_follow_link - Check symlink following for unsafe situations
|
|
* @nd: nameidata pathwalk data
|
|
*
|
|
* In the case of the sysctl_protected_symlinks sysctl being enabled,
|
|
* CAP_DAC_OVERRIDE needs to be specifically ignored if the symlink is
|
|
* in a sticky world-writable directory. This is to protect privileged
|
|
* processes from failing races against path names that may change out
|
|
* from under them by way of other users creating malicious symlinks.
|
|
* It will permit symlinks to be followed only when outside a sticky
|
|
* world-writable directory, or when the uid of the symlink and follower
|
|
* match, or when the directory owner matches the symlink's owner.
|
|
*
|
|
* Returns 0 if following the symlink is allowed, -ve on error.
|
|
*/
|
|
static inline int may_follow_link(struct nameidata *nd, const struct inode *inode)
|
|
{
|
|
struct user_namespace *mnt_userns;
|
|
kuid_t i_uid;
|
|
|
|
if (!sysctl_protected_symlinks)
|
|
return 0;
|
|
|
|
mnt_userns = mnt_user_ns(nd->path.mnt);
|
|
i_uid = i_uid_into_mnt(mnt_userns, inode);
|
|
/* Allowed if owner and follower match. */
|
|
if (uid_eq(current_cred()->fsuid, i_uid))
|
|
return 0;
|
|
|
|
/* Allowed if parent directory not sticky and world-writable. */
|
|
if ((nd->dir_mode & (S_ISVTX|S_IWOTH)) != (S_ISVTX|S_IWOTH))
|
|
return 0;
|
|
|
|
/* Allowed if parent directory and link owner match. */
|
|
if (uid_valid(nd->dir_uid) && uid_eq(nd->dir_uid, i_uid))
|
|
return 0;
|
|
|
|
if (nd->flags & LOOKUP_RCU)
|
|
return -ECHILD;
|
|
|
|
audit_inode(nd->name, nd->stack[0].link.dentry, 0);
|
|
audit_log_path_denied(AUDIT_ANOM_LINK, "follow_link");
|
|
return -EACCES;
|
|
}
|
|
|
|
/**
|
|
* safe_hardlink_source - Check for safe hardlink conditions
|
|
* @mnt_userns: user namespace of the mount the inode was found from
|
|
* @inode: the source inode to hardlink from
|
|
*
|
|
* Return false if at least one of the following conditions:
|
|
* - inode is not a regular file
|
|
* - inode is setuid
|
|
* - inode is setgid and group-exec
|
|
* - access failure for read and write
|
|
*
|
|
* Otherwise returns true.
|
|
*/
|
|
static bool safe_hardlink_source(struct user_namespace *mnt_userns,
|
|
struct inode *inode)
|
|
{
|
|
umode_t mode = inode->i_mode;
|
|
|
|
/* Special files should not get pinned to the filesystem. */
|
|
if (!S_ISREG(mode))
|
|
return false;
|
|
|
|
/* Setuid files should not get pinned to the filesystem. */
|
|
if (mode & S_ISUID)
|
|
return false;
|
|
|
|
/* Executable setgid files should not get pinned to the filesystem. */
|
|
if ((mode & (S_ISGID | S_IXGRP)) == (S_ISGID | S_IXGRP))
|
|
return false;
|
|
|
|
/* Hardlinking to unreadable or unwritable sources is dangerous. */
|
|
if (inode_permission(mnt_userns, inode, MAY_READ | MAY_WRITE))
|
|
return false;
|
|
|
|
return true;
|
|
}
|
|
|
|
/**
|
|
* may_linkat - Check permissions for creating a hardlink
|
|
* @mnt_userns: user namespace of the mount the inode was found from
|
|
* @link: the source to hardlink from
|
|
*
|
|
* Block hardlink when all of:
|
|
* - sysctl_protected_hardlinks enabled
|
|
* - fsuid does not match inode
|
|
* - hardlink source is unsafe (see safe_hardlink_source() above)
|
|
* - not CAP_FOWNER in a namespace with the inode owner uid mapped
|
|
*
|
|
* If the inode has been found through an idmapped mount the user namespace of
|
|
* the vfsmount must be passed through @mnt_userns. This function will then take
|
|
* care to map the inode according to @mnt_userns before checking permissions.
|
|
* On non-idmapped mounts or if permission checking is to be performed on the
|
|
* raw inode simply passs init_user_ns.
|
|
*
|
|
* Returns 0 if successful, -ve on error.
|
|
*/
|
|
int may_linkat(struct user_namespace *mnt_userns, struct path *link)
|
|
{
|
|
struct inode *inode = link->dentry->d_inode;
|
|
|
|
/* Inode writeback is not safe when the uid or gid are invalid. */
|
|
if (!uid_valid(i_uid_into_mnt(mnt_userns, inode)) ||
|
|
!gid_valid(i_gid_into_mnt(mnt_userns, inode)))
|
|
return -EOVERFLOW;
|
|
|
|
if (!sysctl_protected_hardlinks)
|
|
return 0;
|
|
|
|
/* Source inode owner (or CAP_FOWNER) can hardlink all they like,
|
|
* otherwise, it must be a safe source.
|
|
*/
|
|
if (safe_hardlink_source(mnt_userns, inode) ||
|
|
inode_owner_or_capable(mnt_userns, inode))
|
|
return 0;
|
|
|
|
audit_log_path_denied(AUDIT_ANOM_LINK, "linkat");
|
|
return -EPERM;
|
|
}
|
|
|
|
/**
|
|
* may_create_in_sticky - Check whether an O_CREAT open in a sticky directory
|
|
* should be allowed, or not, on files that already
|
|
* exist.
|
|
* @mnt_userns: user namespace of the mount the inode was found from
|
|
* @dir_mode: mode bits of directory
|
|
* @dir_uid: owner of directory
|
|
* @inode: the inode of the file to open
|
|
*
|
|
* Block an O_CREAT open of a FIFO (or a regular file) when:
|
|
* - sysctl_protected_fifos (or sysctl_protected_regular) is enabled
|
|
* - the file already exists
|
|
* - we are in a sticky directory
|
|
* - we don't own the file
|
|
* - the owner of the directory doesn't own the file
|
|
* - the directory is world writable
|
|
* If the sysctl_protected_fifos (or sysctl_protected_regular) is set to 2
|
|
* the directory doesn't have to be world writable: being group writable will
|
|
* be enough.
|
|
*
|
|
* If the inode has been found through an idmapped mount the user namespace of
|
|
* the vfsmount must be passed through @mnt_userns. This function will then take
|
|
* care to map the inode according to @mnt_userns before checking permissions.
|
|
* On non-idmapped mounts or if permission checking is to be performed on the
|
|
* raw inode simply passs init_user_ns.
|
|
*
|
|
* Returns 0 if the open is allowed, -ve on error.
|
|
*/
|
|
static int may_create_in_sticky(struct user_namespace *mnt_userns,
|
|
struct nameidata *nd, struct inode *const inode)
|
|
{
|
|
umode_t dir_mode = nd->dir_mode;
|
|
kuid_t dir_uid = nd->dir_uid;
|
|
|
|
if ((!sysctl_protected_fifos && S_ISFIFO(inode->i_mode)) ||
|
|
(!sysctl_protected_regular && S_ISREG(inode->i_mode)) ||
|
|
likely(!(dir_mode & S_ISVTX)) ||
|
|
uid_eq(i_uid_into_mnt(mnt_userns, inode), dir_uid) ||
|
|
uid_eq(current_fsuid(), i_uid_into_mnt(mnt_userns, inode)))
|
|
return 0;
|
|
|
|
if (likely(dir_mode & 0002) ||
|
|
(dir_mode & 0020 &&
|
|
((sysctl_protected_fifos >= 2 && S_ISFIFO(inode->i_mode)) ||
|
|
(sysctl_protected_regular >= 2 && S_ISREG(inode->i_mode))))) {
|
|
const char *operation = S_ISFIFO(inode->i_mode) ?
|
|
"sticky_create_fifo" :
|
|
"sticky_create_regular";
|
|
audit_log_path_denied(AUDIT_ANOM_CREAT, operation);
|
|
return -EACCES;
|
|
}
|
|
return 0;
|
|
}
|
|
|
|
/*
|
|
* follow_up - Find the mountpoint of path's vfsmount
|
|
*
|
|
* Given a path, find the mountpoint of its source file system.
|
|
* Replace @path with the path of the mountpoint in the parent mount.
|
|
* Up is towards /.
|
|
*
|
|
* Return 1 if we went up a level and 0 if we were already at the
|
|
* root.
|
|
*/
|
|
int follow_up(struct path *path)
|
|
{
|
|
struct mount *mnt = real_mount(path->mnt);
|
|
struct mount *parent;
|
|
struct dentry *mountpoint;
|
|
|
|
read_seqlock_excl(&mount_lock);
|
|
parent = mnt->mnt_parent;
|
|
if (parent == mnt) {
|
|
read_sequnlock_excl(&mount_lock);
|
|
return 0;
|
|
}
|
|
mntget(&parent->mnt);
|
|
mountpoint = dget(mnt->mnt_mountpoint);
|
|
read_sequnlock_excl(&mount_lock);
|
|
dput(path->dentry);
|
|
path->dentry = mountpoint;
|
|
mntput(path->mnt);
|
|
path->mnt = &parent->mnt;
|
|
return 1;
|
|
}
|
|
EXPORT_SYMBOL(follow_up);
|
|
|
|
static bool choose_mountpoint_rcu(struct mount *m, const struct path *root,
|
|
struct path *path, unsigned *seqp)
|
|
{
|
|
while (mnt_has_parent(m)) {
|
|
struct dentry *mountpoint = m->mnt_mountpoint;
|
|
|
|
m = m->mnt_parent;
|
|
if (unlikely(root->dentry == mountpoint &&
|
|
root->mnt == &m->mnt))
|
|
break;
|
|
if (mountpoint != m->mnt.mnt_root) {
|
|
path->mnt = &m->mnt;
|
|
path->dentry = mountpoint;
|
|
*seqp = read_seqcount_begin(&mountpoint->d_seq);
|
|
return true;
|
|
}
|
|
}
|
|
return false;
|
|
}
|
|
|
|
static bool choose_mountpoint(struct mount *m, const struct path *root,
|
|
struct path *path)
|
|
{
|
|
bool found;
|
|
|
|
rcu_read_lock();
|
|
while (1) {
|
|
unsigned seq, mseq = read_seqbegin(&mount_lock);
|
|
|
|
found = choose_mountpoint_rcu(m, root, path, &seq);
|
|
if (unlikely(!found)) {
|
|
if (!read_seqretry(&mount_lock, mseq))
|
|
break;
|
|
} else {
|
|
if (likely(__legitimize_path(path, seq, mseq)))
|
|
break;
|
|
rcu_read_unlock();
|
|
path_put(path);
|
|
rcu_read_lock();
|
|
}
|
|
}
|
|
rcu_read_unlock();
|
|
return found;
|
|
}
|
|
|
|
/*
|
|
* Perform an automount
|
|
* - return -EISDIR to tell follow_managed() to stop and return the path we
|
|
* were called with.
|
|
*/
|
|
static int follow_automount(struct path *path, int *count, unsigned lookup_flags)
|
|
{
|
|
struct dentry *dentry = path->dentry;
|
|
|
|
/* We don't want to mount if someone's just doing a stat -
|
|
* unless they're stat'ing a directory and appended a '/' to
|
|
* the name.
|
|
*
|
|
* We do, however, want to mount if someone wants to open or
|
|
* create a file of any type under the mountpoint, wants to
|
|
* traverse through the mountpoint or wants to open the
|
|
* mounted directory. Also, autofs may mark negative dentries
|
|
* as being automount points. These will need the attentions
|
|
* of the daemon to instantiate them before they can be used.
|
|
*/
|
|
if (!(lookup_flags & (LOOKUP_PARENT | LOOKUP_DIRECTORY |
|
|
LOOKUP_OPEN | LOOKUP_CREATE | LOOKUP_AUTOMOUNT)) &&
|
|
dentry->d_inode)
|
|
return -EISDIR;
|
|
|
|
if (count && (*count)++ >= MAXSYMLINKS)
|
|
return -ELOOP;
|
|
|
|
return finish_automount(dentry->d_op->d_automount(path), path);
|
|
}
|
|
|
|
/*
|
|
* mount traversal - out-of-line part. One note on ->d_flags accesses -
|
|
* dentries are pinned but not locked here, so negative dentry can go
|
|
* positive right under us. Use of smp_load_acquire() provides a barrier
|
|
* sufficient for ->d_inode and ->d_flags consistency.
|
|
*/
|
|
static int __traverse_mounts(struct path *path, unsigned flags, bool *jumped,
|
|
int *count, unsigned lookup_flags)
|
|
{
|
|
struct vfsmount *mnt = path->mnt;
|
|
bool need_mntput = false;
|
|
int ret = 0;
|
|
|
|
while (flags & DCACHE_MANAGED_DENTRY) {
|
|
/* Allow the filesystem to manage the transit without i_mutex
|
|
* being held. */
|
|
if (flags & DCACHE_MANAGE_TRANSIT) {
|
|
ret = path->dentry->d_op->d_manage(path, false);
|
|
flags = smp_load_acquire(&path->dentry->d_flags);
|
|
if (ret < 0)
|
|
break;
|
|
}
|
|
|
|
if (flags & DCACHE_MOUNTED) { // something's mounted on it..
|
|
struct vfsmount *mounted = lookup_mnt(path);
|
|
if (mounted) { // ... in our namespace
|
|
dput(path->dentry);
|
|
if (need_mntput)
|
|
mntput(path->mnt);
|
|
path->mnt = mounted;
|
|
path->dentry = dget(mounted->mnt_root);
|
|
// here we know it's positive
|
|
flags = path->dentry->d_flags;
|
|
need_mntput = true;
|
|
continue;
|
|
}
|
|
}
|
|
|
|
if (!(flags & DCACHE_NEED_AUTOMOUNT))
|
|
break;
|
|
|
|
// uncovered automount point
|
|
ret = follow_automount(path, count, lookup_flags);
|
|
flags = smp_load_acquire(&path->dentry->d_flags);
|
|
if (ret < 0)
|
|
break;
|
|
}
|
|
|
|
if (ret == -EISDIR)
|
|
ret = 0;
|
|
// possible if you race with several mount --move
|
|
if (need_mntput && path->mnt == mnt)
|
|
mntput(path->mnt);
|
|
if (!ret && unlikely(d_flags_negative(flags)))
|
|
ret = -ENOENT;
|
|
*jumped = need_mntput;
|
|
return ret;
|
|
}
|
|
|
|
static inline int traverse_mounts(struct path *path, bool *jumped,
|
|
int *count, unsigned lookup_flags)
|
|
{
|
|
unsigned flags = smp_load_acquire(&path->dentry->d_flags);
|
|
|
|
/* fastpath */
|
|
if (likely(!(flags & DCACHE_MANAGED_DENTRY))) {
|
|
*jumped = false;
|
|
if (unlikely(d_flags_negative(flags)))
|
|
return -ENOENT;
|
|
return 0;
|
|
}
|
|
return __traverse_mounts(path, flags, jumped, count, lookup_flags);
|
|
}
|
|
|
|
int follow_down_one(struct path *path)
|
|
{
|
|
struct vfsmount *mounted;
|
|
|
|
mounted = lookup_mnt(path);
|
|
if (mounted) {
|
|
dput(path->dentry);
|
|
mntput(path->mnt);
|
|
path->mnt = mounted;
|
|
path->dentry = dget(mounted->mnt_root);
|
|
return 1;
|
|
}
|
|
return 0;
|
|
}
|
|
EXPORT_SYMBOL(follow_down_one);
|
|
|
|
/*
|
|
* Follow down to the covering mount currently visible to userspace. At each
|
|
* point, the filesystem owning that dentry may be queried as to whether the
|
|
* caller is permitted to proceed or not.
|
|
*/
|
|
int follow_down(struct path *path)
|
|
{
|
|
struct vfsmount *mnt = path->mnt;
|
|
bool jumped;
|
|
int ret = traverse_mounts(path, &jumped, NULL, 0);
|
|
|
|
if (path->mnt != mnt)
|
|
mntput(mnt);
|
|
return ret;
|
|
}
|
|
EXPORT_SYMBOL(follow_down);
|
|
|
|
/*
|
|
* Try to skip to top of mountpoint pile in rcuwalk mode. Fail if
|
|
* we meet a managed dentry that would need blocking.
|
|
*/
|
|
static bool __follow_mount_rcu(struct nameidata *nd, struct path *path,
|
|
struct inode **inode, unsigned *seqp)
|
|
{
|
|
struct dentry *dentry = path->dentry;
|
|
unsigned int flags = dentry->d_flags;
|
|
|
|
if (likely(!(flags & DCACHE_MANAGED_DENTRY)))
|
|
return true;
|
|
|
|
if (unlikely(nd->flags & LOOKUP_NO_XDEV))
|
|
return false;
|
|
|
|
for (;;) {
|
|
/*
|
|
* Don't forget we might have a non-mountpoint managed dentry
|
|
* that wants to block transit.
|
|
*/
|
|
if (unlikely(flags & DCACHE_MANAGE_TRANSIT)) {
|
|
int res = dentry->d_op->d_manage(path, true);
|
|
if (res)
|
|
return res == -EISDIR;
|
|
flags = dentry->d_flags;
|
|
}
|
|
|
|
if (flags & DCACHE_MOUNTED) {
|
|
struct mount *mounted = __lookup_mnt(path->mnt, dentry);
|
|
if (mounted) {
|
|
path->mnt = &mounted->mnt;
|
|
dentry = path->dentry = mounted->mnt.mnt_root;
|
|
nd->flags |= LOOKUP_JUMPED;
|
|
*seqp = read_seqcount_begin(&dentry->d_seq);
|
|
*inode = dentry->d_inode;
|
|
/*
|
|
* We don't need to re-check ->d_seq after this
|
|
* ->d_inode read - there will be an RCU delay
|
|
* between mount hash removal and ->mnt_root
|
|
* becoming unpinned.
|
|
*/
|
|
flags = dentry->d_flags;
|
|
continue;
|
|
}
|
|
if (read_seqretry(&mount_lock, nd->m_seq))
|
|
return false;
|
|
}
|
|
return !(flags & DCACHE_NEED_AUTOMOUNT);
|
|
}
|
|
}
|
|
|
|
static inline int handle_mounts(struct nameidata *nd, struct dentry *dentry,
|
|
struct path *path, struct inode **inode,
|
|
unsigned int *seqp)
|
|
{
|
|
bool jumped;
|
|
int ret;
|
|
|
|
path->mnt = nd->path.mnt;
|
|
path->dentry = dentry;
|
|
if (nd->flags & LOOKUP_RCU) {
|
|
unsigned int seq = *seqp;
|
|
if (unlikely(!*inode))
|
|
return -ENOENT;
|
|
if (likely(__follow_mount_rcu(nd, path, inode, seqp)))
|
|
return 0;
|
|
if (!try_to_unlazy_next(nd, dentry, seq))
|
|
return -ECHILD;
|
|
// *path might've been clobbered by __follow_mount_rcu()
|
|
path->mnt = nd->path.mnt;
|
|
path->dentry = dentry;
|
|
}
|
|
ret = traverse_mounts(path, &jumped, &nd->total_link_count, nd->flags);
|
|
if (jumped) {
|
|
if (unlikely(nd->flags & LOOKUP_NO_XDEV))
|
|
ret = -EXDEV;
|
|
else
|
|
nd->flags |= LOOKUP_JUMPED;
|
|
}
|
|
if (unlikely(ret)) {
|
|
dput(path->dentry);
|
|
if (path->mnt != nd->path.mnt)
|
|
mntput(path->mnt);
|
|
} else {
|
|
*inode = d_backing_inode(path->dentry);
|
|
*seqp = 0; /* out of RCU mode, so the value doesn't matter */
|
|
}
|
|
return ret;
|
|
}
|
|
|
|
/*
|
|
* This looks up the name in dcache and possibly revalidates the found dentry.
|
|
* NULL is returned if the dentry does not exist in the cache.
|
|
*/
|
|
static struct dentry *lookup_dcache(const struct qstr *name,
|
|
struct dentry *dir,
|
|
unsigned int flags)
|
|
{
|
|
struct dentry *dentry = d_lookup(dir, name);
|
|
if (dentry) {
|
|
int error = d_revalidate(dentry, flags);
|
|
if (unlikely(error <= 0)) {
|
|
if (!error)
|
|
d_invalidate(dentry);
|
|
dput(dentry);
|
|
return ERR_PTR(error);
|
|
}
|
|
}
|
|
return dentry;
|
|
}
|
|
|
|
/*
|
|
* Parent directory has inode locked exclusive. This is one
|
|
* and only case when ->lookup() gets called on non in-lookup
|
|
* dentries - as the matter of fact, this only gets called
|
|
* when directory is guaranteed to have no in-lookup children
|
|
* at all.
|
|
*/
|
|
static struct dentry *__lookup_hash(const struct qstr *name,
|
|
struct dentry *base, unsigned int flags)
|
|
{
|
|
struct dentry *dentry = lookup_dcache(name, base, flags);
|
|
struct dentry *old;
|
|
struct inode *dir = base->d_inode;
|
|
|
|
if (dentry)
|
|
return dentry;
|
|
|
|
/* Don't create child dentry for a dead directory. */
|
|
if (unlikely(IS_DEADDIR(dir)))
|
|
return ERR_PTR(-ENOENT);
|
|
|
|
dentry = d_alloc(base, name);
|
|
if (unlikely(!dentry))
|
|
return ERR_PTR(-ENOMEM);
|
|
|
|
old = dir->i_op->lookup(dir, dentry, flags);
|
|
if (unlikely(old)) {
|
|
dput(dentry);
|
|
dentry = old;
|
|
}
|
|
return dentry;
|
|
}
|
|
|
|
static struct dentry *lookup_fast(struct nameidata *nd,
|
|
struct inode **inode,
|
|
unsigned *seqp)
|
|
{
|
|
struct dentry *dentry, *parent = nd->path.dentry;
|
|
int status = 1;
|
|
|
|
/*
|
|
* Rename seqlock is not required here because in the off chance
|
|
* of a false negative due to a concurrent rename, the caller is
|
|
* going to fall back to non-racy lookup.
|
|
*/
|
|
if (nd->flags & LOOKUP_RCU) {
|
|
unsigned seq;
|
|
dentry = __d_lookup_rcu(parent, &nd->last, &seq);
|
|
if (unlikely(!dentry)) {
|
|
if (!try_to_unlazy(nd))
|
|
return ERR_PTR(-ECHILD);
|
|
return NULL;
|
|
}
|
|
|
|
/*
|
|
* This sequence count validates that the inode matches
|
|
* the dentry name information from lookup.
|
|
*/
|
|
*inode = d_backing_inode(dentry);
|
|
if (unlikely(read_seqcount_retry(&dentry->d_seq, seq)))
|
|
return ERR_PTR(-ECHILD);
|
|
|
|
/*
|
|
* This sequence count validates that the parent had no
|
|
* changes while we did the lookup of the dentry above.
|
|
*
|
|
* The memory barrier in read_seqcount_begin of child is
|
|
* enough, we can use __read_seqcount_retry here.
|
|
*/
|
|
if (unlikely(__read_seqcount_retry(&parent->d_seq, nd->seq)))
|
|
return ERR_PTR(-ECHILD);
|
|
|
|
*seqp = seq;
|
|
status = d_revalidate(dentry, nd->flags);
|
|
if (likely(status > 0))
|
|
return dentry;
|
|
if (!try_to_unlazy_next(nd, dentry, seq))
|
|
return ERR_PTR(-ECHILD);
|
|
if (status == -ECHILD)
|
|
/* we'd been told to redo it in non-rcu mode */
|
|
status = d_revalidate(dentry, nd->flags);
|
|
} else {
|
|
dentry = __d_lookup(parent, &nd->last);
|
|
if (unlikely(!dentry))
|
|
return NULL;
|
|
status = d_revalidate(dentry, nd->flags);
|
|
}
|
|
if (unlikely(status <= 0)) {
|
|
if (!status)
|
|
d_invalidate(dentry);
|
|
dput(dentry);
|
|
return ERR_PTR(status);
|
|
}
|
|
return dentry;
|
|
}
|
|
|
|
/* Fast lookup failed, do it the slow way */
|
|
static struct dentry *__lookup_slow(const struct qstr *name,
|
|
struct dentry *dir,
|
|
unsigned int flags)
|
|
{
|
|
struct dentry *dentry, *old;
|
|
struct inode *inode = dir->d_inode;
|
|
DECLARE_WAIT_QUEUE_HEAD_ONSTACK(wq);
|
|
|
|
/* Don't go there if it's already dead */
|
|
if (unlikely(IS_DEADDIR(inode)))
|
|
return ERR_PTR(-ENOENT);
|
|
again:
|
|
dentry = d_alloc_parallel(dir, name, &wq);
|
|
if (IS_ERR(dentry))
|
|
return dentry;
|
|
if (unlikely(!d_in_lookup(dentry))) {
|
|
int error = d_revalidate(dentry, flags);
|
|
if (unlikely(error <= 0)) {
|
|
if (!error) {
|
|
d_invalidate(dentry);
|
|
dput(dentry);
|
|
goto again;
|
|
}
|
|
dput(dentry);
|
|
dentry = ERR_PTR(error);
|
|
}
|
|
} else {
|
|
old = inode->i_op->lookup(inode, dentry, flags);
|
|
d_lookup_done(dentry);
|
|
if (unlikely(old)) {
|
|
dput(dentry);
|
|
dentry = old;
|
|
}
|
|
}
|
|
return dentry;
|
|
}
|
|
|
|
static struct dentry *lookup_slow(const struct qstr *name,
|
|
struct dentry *dir,
|
|
unsigned int flags)
|
|
{
|
|
struct inode *inode = dir->d_inode;
|
|
struct dentry *res;
|
|
inode_lock_shared(inode);
|
|
res = __lookup_slow(name, dir, flags);
|
|
inode_unlock_shared(inode);
|
|
return res;
|
|
}
|
|
|
|
static inline int may_lookup(struct user_namespace *mnt_userns,
|
|
struct nameidata *nd)
|
|
{
|
|
if (nd->flags & LOOKUP_RCU) {
|
|
int err = inode_permission(mnt_userns, nd->inode, MAY_EXEC|MAY_NOT_BLOCK);
|
|
if (err != -ECHILD || !try_to_unlazy(nd))
|
|
return err;
|
|
}
|
|
return inode_permission(mnt_userns, nd->inode, MAY_EXEC);
|
|
}
|
|
|
|
static int reserve_stack(struct nameidata *nd, struct path *link, unsigned seq)
|
|
{
|
|
if (unlikely(nd->total_link_count++ >= MAXSYMLINKS))
|
|
return -ELOOP;
|
|
|
|
if (likely(nd->depth != EMBEDDED_LEVELS))
|
|
return 0;
|
|
if (likely(nd->stack != nd->internal))
|
|
return 0;
|
|
if (likely(nd_alloc_stack(nd)))
|
|
return 0;
|
|
|
|
if (nd->flags & LOOKUP_RCU) {
|
|
// we need to grab link before we do unlazy. And we can't skip
|
|
// unlazy even if we fail to grab the link - cleanup needs it
|
|
bool grabbed_link = legitimize_path(nd, link, seq);
|
|
|
|
if (!try_to_unlazy(nd) != 0 || !grabbed_link)
|
|
return -ECHILD;
|
|
|
|
if (nd_alloc_stack(nd))
|
|
return 0;
|
|
}
|
|
return -ENOMEM;
|
|
}
|
|
|
|
enum {WALK_TRAILING = 1, WALK_MORE = 2, WALK_NOFOLLOW = 4};
|
|
|
|
static const char *pick_link(struct nameidata *nd, struct path *link,
|
|
struct inode *inode, unsigned seq, int flags)
|
|
{
|
|
struct saved *last;
|
|
const char *res;
|
|
int error = reserve_stack(nd, link, seq);
|
|
|
|
if (unlikely(error)) {
|
|
if (!(nd->flags & LOOKUP_RCU))
|
|
path_put(link);
|
|
return ERR_PTR(error);
|
|
}
|
|
last = nd->stack + nd->depth++;
|
|
last->link = *link;
|
|
clear_delayed_call(&last->done);
|
|
last->seq = seq;
|
|
|
|
if (flags & WALK_TRAILING) {
|
|
error = may_follow_link(nd, inode);
|
|
if (unlikely(error))
|
|
return ERR_PTR(error);
|
|
}
|
|
|
|
if (unlikely(nd->flags & LOOKUP_NO_SYMLINKS) ||
|
|
unlikely(link->mnt->mnt_flags & MNT_NOSYMFOLLOW))
|
|
return ERR_PTR(-ELOOP);
|
|
|
|
if (!(nd->flags & LOOKUP_RCU)) {
|
|
touch_atime(&last->link);
|
|
cond_resched();
|
|
} else if (atime_needs_update(&last->link, inode)) {
|
|
if (!try_to_unlazy(nd))
|
|
return ERR_PTR(-ECHILD);
|
|
touch_atime(&last->link);
|
|
}
|
|
|
|
error = security_inode_follow_link(link->dentry, inode,
|
|
nd->flags & LOOKUP_RCU);
|
|
if (unlikely(error))
|
|
return ERR_PTR(error);
|
|
|
|
res = READ_ONCE(inode->i_link);
|
|
if (!res) {
|
|
const char * (*get)(struct dentry *, struct inode *,
|
|
struct delayed_call *);
|
|
get = inode->i_op->get_link;
|
|
if (nd->flags & LOOKUP_RCU) {
|
|
res = get(NULL, inode, &last->done);
|
|
if (res == ERR_PTR(-ECHILD) && try_to_unlazy(nd))
|
|
res = get(link->dentry, inode, &last->done);
|
|
} else {
|
|
res = get(link->dentry, inode, &last->done);
|
|
}
|
|
if (!res)
|
|
goto all_done;
|
|
if (IS_ERR(res))
|
|
return res;
|
|
}
|
|
if (*res == '/') {
|
|
error = nd_jump_root(nd);
|
|
if (unlikely(error))
|
|
return ERR_PTR(error);
|
|
while (unlikely(*++res == '/'))
|
|
;
|
|
}
|
|
if (*res)
|
|
return res;
|
|
all_done: // pure jump
|
|
put_link(nd);
|
|
return NULL;
|
|
}
|
|
|
|
/*
|
|
* Do we need to follow links? We _really_ want to be able
|
|
* to do this check without having to look at inode->i_op,
|
|
* so we keep a cache of "no, this doesn't need follow_link"
|
|
* for the common case.
|
|
*/
|
|
static const char *step_into(struct nameidata *nd, int flags,
|
|
struct dentry *dentry, struct inode *inode, unsigned seq)
|
|
{
|
|
struct path path;
|
|
int err = handle_mounts(nd, dentry, &path, &inode, &seq);
|
|
|
|
if (err < 0)
|
|
return ERR_PTR(err);
|
|
if (likely(!d_is_symlink(path.dentry)) ||
|
|
((flags & WALK_TRAILING) && !(nd->flags & LOOKUP_FOLLOW)) ||
|
|
(flags & WALK_NOFOLLOW)) {
|
|
/* not a symlink or should not follow */
|
|
if (!(nd->flags & LOOKUP_RCU)) {
|
|
dput(nd->path.dentry);
|
|
if (nd->path.mnt != path.mnt)
|
|
mntput(nd->path.mnt);
|
|
}
|
|
nd->path = path;
|
|
nd->inode = inode;
|
|
nd->seq = seq;
|
|
return NULL;
|
|
}
|
|
if (nd->flags & LOOKUP_RCU) {
|
|
/* make sure that d_is_symlink above matches inode */
|
|
if (read_seqcount_retry(&path.dentry->d_seq, seq))
|
|
return ERR_PTR(-ECHILD);
|
|
} else {
|
|
if (path.mnt == nd->path.mnt)
|
|
mntget(path.mnt);
|
|
}
|
|
return pick_link(nd, &path, inode, seq, flags);
|
|
}
|
|
|
|
static struct dentry *follow_dotdot_rcu(struct nameidata *nd,
|
|
struct inode **inodep,
|
|
unsigned *seqp)
|
|
{
|
|
struct dentry *parent, *old;
|
|
|
|
if (path_equal(&nd->path, &nd->root))
|
|
goto in_root;
|
|
if (unlikely(nd->path.dentry == nd->path.mnt->mnt_root)) {
|
|
struct path path;
|
|
unsigned seq;
|
|
if (!choose_mountpoint_rcu(real_mount(nd->path.mnt),
|
|
&nd->root, &path, &seq))
|
|
goto in_root;
|
|
if (unlikely(nd->flags & LOOKUP_NO_XDEV))
|
|
return ERR_PTR(-ECHILD);
|
|
nd->path = path;
|
|
nd->inode = path.dentry->d_inode;
|
|
nd->seq = seq;
|
|
if (unlikely(read_seqretry(&mount_lock, nd->m_seq)))
|
|
return ERR_PTR(-ECHILD);
|
|
/* we know that mountpoint was pinned */
|
|
}
|
|
old = nd->path.dentry;
|
|
parent = old->d_parent;
|
|
*inodep = parent->d_inode;
|
|
*seqp = read_seqcount_begin(&parent->d_seq);
|
|
if (unlikely(read_seqcount_retry(&old->d_seq, nd->seq)))
|
|
return ERR_PTR(-ECHILD);
|
|
if (unlikely(!path_connected(nd->path.mnt, parent)))
|
|
return ERR_PTR(-ECHILD);
|
|
return parent;
|
|
in_root:
|
|
if (unlikely(read_seqretry(&mount_lock, nd->m_seq)))
|
|
return ERR_PTR(-ECHILD);
|
|
if (unlikely(nd->flags & LOOKUP_BENEATH))
|
|
return ERR_PTR(-ECHILD);
|
|
return NULL;
|
|
}
|
|
|
|
static struct dentry *follow_dotdot(struct nameidata *nd,
|
|
struct inode **inodep,
|
|
unsigned *seqp)
|
|
{
|
|
struct dentry *parent;
|
|
|
|
if (path_equal(&nd->path, &nd->root))
|
|
goto in_root;
|
|
if (unlikely(nd->path.dentry == nd->path.mnt->mnt_root)) {
|
|
struct path path;
|
|
|
|
if (!choose_mountpoint(real_mount(nd->path.mnt),
|
|
&nd->root, &path))
|
|
goto in_root;
|
|
path_put(&nd->path);
|
|
nd->path = path;
|
|
nd->inode = path.dentry->d_inode;
|
|
if (unlikely(nd->flags & LOOKUP_NO_XDEV))
|
|
return ERR_PTR(-EXDEV);
|
|
}
|
|
/* rare case of legitimate dget_parent()... */
|
|
parent = dget_parent(nd->path.dentry);
|
|
if (unlikely(!path_connected(nd->path.mnt, parent))) {
|
|
dput(parent);
|
|
return ERR_PTR(-ENOENT);
|
|
}
|
|
*seqp = 0;
|
|
*inodep = parent->d_inode;
|
|
return parent;
|
|
|
|
in_root:
|
|
if (unlikely(nd->flags & LOOKUP_BENEATH))
|
|
return ERR_PTR(-EXDEV);
|
|
dget(nd->path.dentry);
|
|
return NULL;
|
|
}
|
|
|
|
static const char *handle_dots(struct nameidata *nd, int type)
|
|
{
|
|
if (type == LAST_DOTDOT) {
|
|
const char *error = NULL;
|
|
struct dentry *parent;
|
|
struct inode *inode;
|
|
unsigned seq;
|
|
|
|
if (!nd->root.mnt) {
|
|
error = ERR_PTR(set_root(nd));
|
|
if (error)
|
|
return error;
|
|
}
|
|
if (nd->flags & LOOKUP_RCU)
|
|
parent = follow_dotdot_rcu(nd, &inode, &seq);
|
|
else
|
|
parent = follow_dotdot(nd, &inode, &seq);
|
|
if (IS_ERR(parent))
|
|
return ERR_CAST(parent);
|
|
if (unlikely(!parent))
|
|
error = step_into(nd, WALK_NOFOLLOW,
|
|
nd->path.dentry, nd->inode, nd->seq);
|
|
else
|
|
error = step_into(nd, WALK_NOFOLLOW,
|
|
parent, inode, seq);
|
|
if (unlikely(error))
|
|
return error;
|
|
|
|
if (unlikely(nd->flags & LOOKUP_IS_SCOPED)) {
|
|
/*
|
|
* If there was a racing rename or mount along our
|
|
* path, then we can't be sure that ".." hasn't jumped
|
|
* above nd->root (and so userspace should retry or use
|
|
* some fallback).
|
|
*/
|
|
smp_rmb();
|
|
if (unlikely(__read_seqcount_retry(&mount_lock.seqcount, nd->m_seq)))
|
|
return ERR_PTR(-EAGAIN);
|
|
if (unlikely(__read_seqcount_retry(&rename_lock.seqcount, nd->r_seq)))
|
|
return ERR_PTR(-EAGAIN);
|
|
}
|
|
}
|
|
return NULL;
|
|
}
|
|
|
|
static const char *walk_component(struct nameidata *nd, int flags)
|
|
{
|
|
struct dentry *dentry;
|
|
struct inode *inode;
|
|
unsigned seq;
|
|
/*
|
|
* "." and ".." are special - ".." especially so because it has
|
|
* to be able to know about the current root directory and
|
|
* parent relationships.
|
|
*/
|
|
if (unlikely(nd->last_type != LAST_NORM)) {
|
|
if (!(flags & WALK_MORE) && nd->depth)
|
|
put_link(nd);
|
|
return handle_dots(nd, nd->last_type);
|
|
}
|
|
dentry = lookup_fast(nd, &inode, &seq);
|
|
if (IS_ERR(dentry))
|
|
return ERR_CAST(dentry);
|
|
if (unlikely(!dentry)) {
|
|
dentry = lookup_slow(&nd->last, nd->path.dentry, nd->flags);
|
|
if (IS_ERR(dentry))
|
|
return ERR_CAST(dentry);
|
|
}
|
|
if (!(flags & WALK_MORE) && nd->depth)
|
|
put_link(nd);
|
|
return step_into(nd, flags, dentry, inode, seq);
|
|
}
|
|
|
|
/*
|
|
* We can do the critical dentry name comparison and hashing
|
|
* operations one word at a time, but we are limited to:
|
|
*
|
|
* - Architectures with fast unaligned word accesses. We could
|
|
* do a "get_unaligned()" if this helps and is sufficiently
|
|
* fast.
|
|
*
|
|
* - non-CONFIG_DEBUG_PAGEALLOC configurations (so that we
|
|
* do not trap on the (extremely unlikely) case of a page
|
|
* crossing operation.
|
|
*
|
|
* - Furthermore, we need an efficient 64-bit compile for the
|
|
* 64-bit case in order to generate the "number of bytes in
|
|
* the final mask". Again, that could be replaced with a
|
|
* efficient population count instruction or similar.
|
|
*/
|
|
#ifdef CONFIG_DCACHE_WORD_ACCESS
|
|
|
|
#include <asm/word-at-a-time.h>
|
|
|
|
#ifdef HASH_MIX
|
|
|
|
/* Architecture provides HASH_MIX and fold_hash() in <asm/hash.h> */
|
|
|
|
#elif defined(CONFIG_64BIT)
|
|
/*
|
|
* Register pressure in the mixing function is an issue, particularly
|
|
* on 32-bit x86, but almost any function requires one state value and
|
|
* one temporary. Instead, use a function designed for two state values
|
|
* and no temporaries.
|
|
*
|
|
* This function cannot create a collision in only two iterations, so
|
|
* we have two iterations to achieve avalanche. In those two iterations,
|
|
* we have six layers of mixing, which is enough to spread one bit's
|
|
* influence out to 2^6 = 64 state bits.
|
|
*
|
|
* Rotate constants are scored by considering either 64 one-bit input
|
|
* deltas or 64*63/2 = 2016 two-bit input deltas, and finding the
|
|
* probability of that delta causing a change to each of the 128 output
|
|
* bits, using a sample of random initial states.
|
|
*
|
|
* The Shannon entropy of the computed probabilities is then summed
|
|
* to produce a score. Ideally, any input change has a 50% chance of
|
|
* toggling any given output bit.
|
|
*
|
|
* Mixing scores (in bits) for (12,45):
|
|
* Input delta: 1-bit 2-bit
|
|
* 1 round: 713.3 42542.6
|
|
* 2 rounds: 2753.7 140389.8
|
|
* 3 rounds: 5954.1 233458.2
|
|
* 4 rounds: 7862.6 256672.2
|
|
* Perfect: 8192 258048
|
|
* (64*128) (64*63/2 * 128)
|
|
*/
|
|
#define HASH_MIX(x, y, a) \
|
|
( x ^= (a), \
|
|
y ^= x, x = rol64(x,12),\
|
|
x += y, y = rol64(y,45),\
|
|
y *= 9 )
|
|
|
|
/*
|
|
* Fold two longs into one 32-bit hash value. This must be fast, but
|
|
* latency isn't quite as critical, as there is a fair bit of additional
|
|
* work done before the hash value is used.
|
|
*/
|
|
static inline unsigned int fold_hash(unsigned long x, unsigned long y)
|
|
{
|
|
y ^= x * GOLDEN_RATIO_64;
|
|
y *= GOLDEN_RATIO_64;
|
|
return y >> 32;
|
|
}
|
|
|
|
#else /* 32-bit case */
|
|
|
|
/*
|
|
* Mixing scores (in bits) for (7,20):
|
|
* Input delta: 1-bit 2-bit
|
|
* 1 round: 330.3 9201.6
|
|
* 2 rounds: 1246.4 25475.4
|
|
* 3 rounds: 1907.1 31295.1
|
|
* 4 rounds: 2042.3 31718.6
|
|
* Perfect: 2048 31744
|
|
* (32*64) (32*31/2 * 64)
|
|
*/
|
|
#define HASH_MIX(x, y, a) \
|
|
( x ^= (a), \
|
|
y ^= x, x = rol32(x, 7),\
|
|
x += y, y = rol32(y,20),\
|
|
y *= 9 )
|
|
|
|
static inline unsigned int fold_hash(unsigned long x, unsigned long y)
|
|
{
|
|
/* Use arch-optimized multiply if one exists */
|
|
return __hash_32(y ^ __hash_32(x));
|
|
}
|
|
|
|
#endif
|
|
|
|
/*
|
|
* Return the hash of a string of known length. This is carfully
|
|
* designed to match hash_name(), which is the more critical function.
|
|
* In particular, we must end by hashing a final word containing 0..7
|
|
* payload bytes, to match the way that hash_name() iterates until it
|
|
* finds the delimiter after the name.
|
|
*/
|
|
unsigned int full_name_hash(const void *salt, const char *name, unsigned int len)
|
|
{
|
|
unsigned long a, x = 0, y = (unsigned long)salt;
|
|
|
|
for (;;) {
|
|
if (!len)
|
|
goto done;
|
|
a = load_unaligned_zeropad(name);
|
|
if (len < sizeof(unsigned long))
|
|
break;
|
|
HASH_MIX(x, y, a);
|
|
name += sizeof(unsigned long);
|
|
len -= sizeof(unsigned long);
|
|
}
|
|
x ^= a & bytemask_from_count(len);
|
|
done:
|
|
return fold_hash(x, y);
|
|
}
|
|
EXPORT_SYMBOL(full_name_hash);
|
|
|
|
/* Return the "hash_len" (hash and length) of a null-terminated string */
|
|
u64 hashlen_string(const void *salt, const char *name)
|
|
{
|
|
unsigned long a = 0, x = 0, y = (unsigned long)salt;
|
|
unsigned long adata, mask, len;
|
|
const struct word_at_a_time constants = WORD_AT_A_TIME_CONSTANTS;
|
|
|
|
len = 0;
|
|
goto inside;
|
|
|
|
do {
|
|
HASH_MIX(x, y, a);
|
|
len += sizeof(unsigned long);
|
|
inside:
|
|
a = load_unaligned_zeropad(name+len);
|
|
} while (!has_zero(a, &adata, &constants));
|
|
|
|
adata = prep_zero_mask(a, adata, &constants);
|
|
mask = create_zero_mask(adata);
|
|
x ^= a & zero_bytemask(mask);
|
|
|
|
return hashlen_create(fold_hash(x, y), len + find_zero(mask));
|
|
}
|
|
EXPORT_SYMBOL(hashlen_string);
|
|
|
|
/*
|
|
* Calculate the length and hash of the path component, and
|
|
* return the "hash_len" as the result.
|
|
*/
|
|
static inline u64 hash_name(const void *salt, const char *name)
|
|
{
|
|
unsigned long a = 0, b, x = 0, y = (unsigned long)salt;
|
|
unsigned long adata, bdata, mask, len;
|
|
const struct word_at_a_time constants = WORD_AT_A_TIME_CONSTANTS;
|
|
|
|
len = 0;
|
|
goto inside;
|
|
|
|
do {
|
|
HASH_MIX(x, y, a);
|
|
len += sizeof(unsigned long);
|
|
inside:
|
|
a = load_unaligned_zeropad(name+len);
|
|
b = a ^ REPEAT_BYTE('/');
|
|
} while (!(has_zero(a, &adata, &constants) | has_zero(b, &bdata, &constants)));
|
|
|
|
adata = prep_zero_mask(a, adata, &constants);
|
|
bdata = prep_zero_mask(b, bdata, &constants);
|
|
mask = create_zero_mask(adata | bdata);
|
|
x ^= a & zero_bytemask(mask);
|
|
|
|
return hashlen_create(fold_hash(x, y), len + find_zero(mask));
|
|
}
|
|
|
|
#else /* !CONFIG_DCACHE_WORD_ACCESS: Slow, byte-at-a-time version */
|
|
|
|
/* Return the hash of a string of known length */
|
|
unsigned int full_name_hash(const void *salt, const char *name, unsigned int len)
|
|
{
|
|
unsigned long hash = init_name_hash(salt);
|
|
while (len--)
|
|
hash = partial_name_hash((unsigned char)*name++, hash);
|
|
return end_name_hash(hash);
|
|
}
|
|
EXPORT_SYMBOL(full_name_hash);
|
|
|
|
/* Return the "hash_len" (hash and length) of a null-terminated string */
|
|
u64 hashlen_string(const void *salt, const char *name)
|
|
{
|
|
unsigned long hash = init_name_hash(salt);
|
|
unsigned long len = 0, c;
|
|
|
|
c = (unsigned char)*name;
|
|
while (c) {
|
|
len++;
|
|
hash = partial_name_hash(c, hash);
|
|
c = (unsigned char)name[len];
|
|
}
|
|
return hashlen_create(end_name_hash(hash), len);
|
|
}
|
|
EXPORT_SYMBOL(hashlen_string);
|
|
|
|
/*
|
|
* We know there's a real path component here of at least
|
|
* one character.
|
|
*/
|
|
static inline u64 hash_name(const void *salt, const char *name)
|
|
{
|
|
unsigned long hash = init_name_hash(salt);
|
|
unsigned long len = 0, c;
|
|
|
|
c = (unsigned char)*name;
|
|
do {
|
|
len++;
|
|
hash = partial_name_hash(c, hash);
|
|
c = (unsigned char)name[len];
|
|
} while (c && c != '/');
|
|
return hashlen_create(end_name_hash(hash), len);
|
|
}
|
|
|
|
#endif
|
|
|
|
/*
|
|
* Name resolution.
|
|
* This is the basic name resolution function, turning a pathname into
|
|
* the final dentry. We expect 'base' to be positive and a directory.
|
|
*
|
|
* Returns 0 and nd will have valid dentry and mnt on success.
|
|
* Returns error and drops reference to input namei data on failure.
|
|
*/
|
|
static int link_path_walk(const char *name, struct nameidata *nd)
|
|
{
|
|
int depth = 0; // depth <= nd->depth
|
|
int err;
|
|
|
|
nd->last_type = LAST_ROOT;
|
|
nd->flags |= LOOKUP_PARENT;
|
|
if (IS_ERR(name))
|
|
return PTR_ERR(name);
|
|
while (*name=='/')
|
|
name++;
|
|
if (!*name) {
|
|
nd->dir_mode = 0; // short-circuit the 'hardening' idiocy
|
|
return 0;
|
|
}
|
|
|
|
/* At this point we know we have a real path component. */
|
|
for(;;) {
|
|
struct user_namespace *mnt_userns;
|
|
const char *link;
|
|
u64 hash_len;
|
|
int type;
|
|
|
|
mnt_userns = mnt_user_ns(nd->path.mnt);
|
|
err = may_lookup(mnt_userns, nd);
|
|
if (err)
|
|
return err;
|
|
|
|
hash_len = hash_name(nd->path.dentry, name);
|
|
|
|
type = LAST_NORM;
|
|
if (name[0] == '.') switch (hashlen_len(hash_len)) {
|
|
case 2:
|
|
if (name[1] == '.') {
|
|
type = LAST_DOTDOT;
|
|
nd->flags |= LOOKUP_JUMPED;
|
|
}
|
|
break;
|
|
case 1:
|
|
type = LAST_DOT;
|
|
}
|
|
if (likely(type == LAST_NORM)) {
|
|
struct dentry *parent = nd->path.dentry;
|
|
nd->flags &= ~LOOKUP_JUMPED;
|
|
if (unlikely(parent->d_flags & DCACHE_OP_HASH)) {
|
|
struct qstr this = { { .hash_len = hash_len }, .name = name };
|
|
err = parent->d_op->d_hash(parent, &this);
|
|
if (err < 0)
|
|
return err;
|
|
hash_len = this.hash_len;
|
|
name = this.name;
|
|
}
|
|
}
|
|
|
|
nd->last.hash_len = hash_len;
|
|
nd->last.name = name;
|
|
nd->last_type = type;
|
|
|
|
name += hashlen_len(hash_len);
|
|
if (!*name)
|
|
goto OK;
|
|
/*
|
|
* If it wasn't NUL, we know it was '/'. Skip that
|
|
* slash, and continue until no more slashes.
|
|
*/
|
|
do {
|
|
name++;
|
|
} while (unlikely(*name == '/'));
|
|
if (unlikely(!*name)) {
|
|
OK:
|
|
/* pathname or trailing symlink, done */
|
|
if (!depth) {
|
|
nd->dir_uid = i_uid_into_mnt(mnt_userns, nd->inode);
|
|
nd->dir_mode = nd->inode->i_mode;
|
|
nd->flags &= ~LOOKUP_PARENT;
|
|
return 0;
|
|
}
|
|
/* last component of nested symlink */
|
|
name = nd->stack[--depth].name;
|
|
link = walk_component(nd, 0);
|
|
} else {
|
|
/* not the last component */
|
|
link = walk_component(nd, WALK_MORE);
|
|
}
|
|
if (unlikely(link)) {
|
|
if (IS_ERR(link))
|
|
return PTR_ERR(link);
|
|
/* a symlink to follow */
|
|
nd->stack[depth++].name = name;
|
|
name = link;
|
|
continue;
|
|
}
|
|
if (unlikely(!d_can_lookup(nd->path.dentry))) {
|
|
if (nd->flags & LOOKUP_RCU) {
|
|
if (!try_to_unlazy(nd))
|
|
return -ECHILD;
|
|
}
|
|
return -ENOTDIR;
|
|
}
|
|
}
|
|
}
|
|
|
|
/* must be paired with terminate_walk() */
|
|
static const char *path_init(struct nameidata *nd, unsigned flags)
|
|
{
|
|
int error;
|
|
const char *s = nd->name->name;
|
|
|
|
/* LOOKUP_CACHED requires RCU, ask caller to retry */
|
|
if ((flags & (LOOKUP_RCU | LOOKUP_CACHED)) == LOOKUP_CACHED)
|
|
return ERR_PTR(-EAGAIN);
|
|
|
|
if (!*s)
|
|
flags &= ~LOOKUP_RCU;
|
|
if (flags & LOOKUP_RCU)
|
|
rcu_read_lock();
|
|
|
|
nd->flags = flags | LOOKUP_JUMPED;
|
|
nd->depth = 0;
|
|
|
|
nd->m_seq = __read_seqcount_begin(&mount_lock.seqcount);
|
|
nd->r_seq = __read_seqcount_begin(&rename_lock.seqcount);
|
|
smp_rmb();
|
|
|
|
if (flags & LOOKUP_ROOT) {
|
|
struct dentry *root = nd->root.dentry;
|
|
struct inode *inode = root->d_inode;
|
|
if (*s && unlikely(!d_can_lookup(root)))
|
|
return ERR_PTR(-ENOTDIR);
|
|
nd->path = nd->root;
|
|
nd->inode = inode;
|
|
if (flags & LOOKUP_RCU) {
|
|
nd->seq = read_seqcount_begin(&nd->path.dentry->d_seq);
|
|
nd->root_seq = nd->seq;
|
|
} else {
|
|
path_get(&nd->path);
|
|
}
|
|
return s;
|
|
}
|
|
|
|
nd->root.mnt = NULL;
|
|
nd->path.mnt = NULL;
|
|
nd->path.dentry = NULL;
|
|
|
|
/* Absolute pathname -- fetch the root (LOOKUP_IN_ROOT uses nd->dfd). */
|
|
if (*s == '/' && !(flags & LOOKUP_IN_ROOT)) {
|
|
error = nd_jump_root(nd);
|
|
if (unlikely(error))
|
|
return ERR_PTR(error);
|
|
return s;
|
|
}
|
|
|
|
/* Relative pathname -- get the starting-point it is relative to. */
|
|
if (nd->dfd == AT_FDCWD) {
|
|
if (flags & LOOKUP_RCU) {
|
|
struct fs_struct *fs = current->fs;
|
|
unsigned seq;
|
|
|
|
do {
|
|
seq = read_seqcount_begin(&fs->seq);
|
|
nd->path = fs->pwd;
|
|
nd->inode = nd->path.dentry->d_inode;
|
|
nd->seq = __read_seqcount_begin(&nd->path.dentry->d_seq);
|
|
} while (read_seqcount_retry(&fs->seq, seq));
|
|
} else {
|
|
get_fs_pwd(current->fs, &nd->path);
|
|
nd->inode = nd->path.dentry->d_inode;
|
|
}
|
|
} else {
|
|
/* Caller must check execute permissions on the starting path component */
|
|
struct fd f = fdget_raw(nd->dfd);
|
|
struct dentry *dentry;
|
|
|
|
if (!f.file)
|
|
return ERR_PTR(-EBADF);
|
|
|
|
dentry = f.file->f_path.dentry;
|
|
|
|
if (*s && unlikely(!d_can_lookup(dentry))) {
|
|
fdput(f);
|
|
return ERR_PTR(-ENOTDIR);
|
|
}
|
|
|
|
nd->path = f.file->f_path;
|
|
if (flags & LOOKUP_RCU) {
|
|
nd->inode = nd->path.dentry->d_inode;
|
|
nd->seq = read_seqcount_begin(&nd->path.dentry->d_seq);
|
|
} else {
|
|
path_get(&nd->path);
|
|
nd->inode = nd->path.dentry->d_inode;
|
|
}
|
|
fdput(f);
|
|
}
|
|
|
|
/* For scoped-lookups we need to set the root to the dirfd as well. */
|
|
if (flags & LOOKUP_IS_SCOPED) {
|
|
nd->root = nd->path;
|
|
if (flags & LOOKUP_RCU) {
|
|
nd->root_seq = nd->seq;
|
|
} else {
|
|
path_get(&nd->root);
|
|
nd->flags |= LOOKUP_ROOT_GRABBED;
|
|
}
|
|
}
|
|
return s;
|
|
}
|
|
|
|
static inline const char *lookup_last(struct nameidata *nd)
|
|
{
|
|
if (nd->last_type == LAST_NORM && nd->last.name[nd->last.len])
|
|
nd->flags |= LOOKUP_FOLLOW | LOOKUP_DIRECTORY;
|
|
|
|
return walk_component(nd, WALK_TRAILING);
|
|
}
|
|
|
|
static int handle_lookup_down(struct nameidata *nd)
|
|
{
|
|
if (!(nd->flags & LOOKUP_RCU))
|
|
dget(nd->path.dentry);
|
|
return PTR_ERR(step_into(nd, WALK_NOFOLLOW,
|
|
nd->path.dentry, nd->inode, nd->seq));
|
|
}
|
|
|
|
/* Returns 0 and nd will be valid on success; Retuns error, otherwise. */
|
|
static int path_lookupat(struct nameidata *nd, unsigned flags, struct path *path)
|
|
{
|
|
const char *s = path_init(nd, flags);
|
|
int err;
|
|
|
|
if (unlikely(flags & LOOKUP_DOWN) && !IS_ERR(s)) {
|
|
err = handle_lookup_down(nd);
|
|
if (unlikely(err < 0))
|
|
s = ERR_PTR(err);
|
|
}
|
|
|
|
while (!(err = link_path_walk(s, nd)) &&
|
|
(s = lookup_last(nd)) != NULL)
|
|
;
|
|
if (!err)
|
|
err = complete_walk(nd);
|
|
|
|
if (!err && nd->flags & LOOKUP_DIRECTORY)
|
|
if (!d_can_lookup(nd->path.dentry))
|
|
err = -ENOTDIR;
|
|
if (!err && unlikely(nd->flags & LOOKUP_MOUNTPOINT)) {
|
|
err = handle_lookup_down(nd);
|
|
nd->flags &= ~LOOKUP_JUMPED; // no d_weak_revalidate(), please...
|
|
}
|
|
if (!err) {
|
|
*path = nd->path;
|
|
nd->path.mnt = NULL;
|
|
nd->path.dentry = NULL;
|
|
}
|
|
terminate_walk(nd);
|
|
return err;
|
|
}
|
|
|
|
int filename_lookup(int dfd, struct filename *name, unsigned flags,
|
|
struct path *path, struct path *root)
|
|
{
|
|
int retval;
|
|
struct nameidata nd;
|
|
if (IS_ERR(name))
|
|
return PTR_ERR(name);
|
|
if (unlikely(root)) {
|
|
nd.root = *root;
|
|
flags |= LOOKUP_ROOT;
|
|
}
|
|
set_nameidata(&nd, dfd, name);
|
|
retval = path_lookupat(&nd, flags | LOOKUP_RCU, path);
|
|
if (unlikely(retval == -ECHILD))
|
|
retval = path_lookupat(&nd, flags, path);
|
|
if (unlikely(retval == -ESTALE))
|
|
retval = path_lookupat(&nd, flags | LOOKUP_REVAL, path);
|
|
|
|
if (likely(!retval))
|
|
audit_inode(name, path->dentry,
|
|
flags & LOOKUP_MOUNTPOINT ? AUDIT_INODE_NOEVAL : 0);
|
|
restore_nameidata();
|
|
putname(name);
|
|
return retval;
|
|
}
|
|
|
|
/* Returns 0 and nd will be valid on success; Retuns error, otherwise. */
|
|
static int path_parentat(struct nameidata *nd, unsigned flags,
|
|
struct path *parent)
|
|
{
|
|
const char *s = path_init(nd, flags);
|
|
int err = link_path_walk(s, nd);
|
|
if (!err)
|
|
err = complete_walk(nd);
|
|
if (!err) {
|
|
*parent = nd->path;
|
|
nd->path.mnt = NULL;
|
|
nd->path.dentry = NULL;
|
|
}
|
|
terminate_walk(nd);
|
|
return err;
|
|
}
|
|
|
|
static struct filename *filename_parentat(int dfd, struct filename *name,
|
|
unsigned int flags, struct path *parent,
|
|
struct qstr *last, int *type)
|
|
{
|
|
int retval;
|
|
struct nameidata nd;
|
|
|
|
if (IS_ERR(name))
|
|
return name;
|
|
set_nameidata(&nd, dfd, name);
|
|
retval = path_parentat(&nd, flags | LOOKUP_RCU, parent);
|
|
if (unlikely(retval == -ECHILD))
|
|
retval = path_parentat(&nd, flags, parent);
|
|
if (unlikely(retval == -ESTALE))
|
|
retval = path_parentat(&nd, flags | LOOKUP_REVAL, parent);
|
|
if (likely(!retval)) {
|
|
*last = nd.last;
|
|
*type = nd.last_type;
|
|
audit_inode(name, parent->dentry, AUDIT_INODE_PARENT);
|
|
} else {
|
|
putname(name);
|
|
name = ERR_PTR(retval);
|
|
}
|
|
restore_nameidata();
|
|
return name;
|
|
}
|
|
|
|
/* does lookup, returns the object with parent locked */
|
|
struct dentry *kern_path_locked(const char *name, struct path *path)
|
|
{
|
|
struct filename *filename;
|
|
struct dentry *d;
|
|
struct qstr last;
|
|
int type;
|
|
|
|
filename = filename_parentat(AT_FDCWD, getname_kernel(name), 0, path,
|
|
&last, &type);
|
|
if (IS_ERR(filename))
|
|
return ERR_CAST(filename);
|
|
if (unlikely(type != LAST_NORM)) {
|
|
path_put(path);
|
|
putname(filename);
|
|
return ERR_PTR(-EINVAL);
|
|
}
|
|
inode_lock_nested(path->dentry->d_inode, I_MUTEX_PARENT);
|
|
d = __lookup_hash(&last, path->dentry, 0);
|
|
if (IS_ERR(d)) {
|
|
inode_unlock(path->dentry->d_inode);
|
|
path_put(path);
|
|
}
|
|
putname(filename);
|
|
return d;
|
|
}
|
|
|
|
int kern_path(const char *name, unsigned int flags, struct path *path)
|
|
{
|
|
return filename_lookup(AT_FDCWD, getname_kernel(name),
|
|
flags, path, NULL);
|
|
}
|
|
EXPORT_SYMBOL(kern_path);
|
|
|
|
/**
|
|
* vfs_path_lookup - lookup a file path relative to a dentry-vfsmount pair
|
|
* @dentry: pointer to dentry of the base directory
|
|
* @mnt: pointer to vfs mount of the base directory
|
|
* @name: pointer to file name
|
|
* @flags: lookup flags
|
|
* @path: pointer to struct path to fill
|
|
*/
|
|
int vfs_path_lookup(struct dentry *dentry, struct vfsmount *mnt,
|
|
const char *name, unsigned int flags,
|
|
struct path *path)
|
|
{
|
|
struct path root = {.mnt = mnt, .dentry = dentry};
|
|
/* the first argument of filename_lookup() is ignored with root */
|
|
return filename_lookup(AT_FDCWD, getname_kernel(name),
|
|
flags , path, &root);
|
|
}
|
|
EXPORT_SYMBOL(vfs_path_lookup);
|
|
|
|
static int lookup_one_len_common(const char *name, struct dentry *base,
|
|
int len, struct qstr *this)
|
|
{
|
|
this->name = name;
|
|
this->len = len;
|
|
this->hash = full_name_hash(base, name, len);
|
|
if (!len)
|
|
return -EACCES;
|
|
|
|
if (unlikely(name[0] == '.')) {
|
|
if (len < 2 || (len == 2 && name[1] == '.'))
|
|
return -EACCES;
|
|
}
|
|
|
|
while (len--) {
|
|
unsigned int c = *(const unsigned char *)name++;
|
|
if (c == '/' || c == '\0')
|
|
return -EACCES;
|
|
}
|
|
/*
|
|
* See if the low-level filesystem might want
|
|
* to use its own hash..
|
|
*/
|
|
if (base->d_flags & DCACHE_OP_HASH) {
|
|
int err = base->d_op->d_hash(base, this);
|
|
if (err < 0)
|
|
return err;
|
|
}
|
|
|
|
return inode_permission(&init_user_ns, base->d_inode, MAY_EXEC);
|
|
}
|
|
|
|
/**
|
|
* try_lookup_one_len - filesystem helper to lookup single pathname component
|
|
* @name: pathname component to lookup
|
|
* @base: base directory to lookup from
|
|
* @len: maximum length @len should be interpreted to
|
|
*
|
|
* Look up a dentry by name in the dcache, returning NULL if it does not
|
|
* currently exist. The function does not try to create a dentry.
|
|
*
|
|
* Note that this routine is purely a helper for filesystem usage and should
|
|
* not be called by generic code.
|
|
*
|
|
* The caller must hold base->i_mutex.
|
|
*/
|
|
struct dentry *try_lookup_one_len(const char *name, struct dentry *base, int len)
|
|
{
|
|
struct qstr this;
|
|
int err;
|
|
|
|
WARN_ON_ONCE(!inode_is_locked(base->d_inode));
|
|
|
|
err = lookup_one_len_common(name, base, len, &this);
|
|
if (err)
|
|
return ERR_PTR(err);
|
|
|
|
return lookup_dcache(&this, base, 0);
|
|
}
|
|
EXPORT_SYMBOL(try_lookup_one_len);
|
|
|
|
/**
|
|
* lookup_one_len - filesystem helper to lookup single pathname component
|
|
* @name: pathname component to lookup
|
|
* @base: base directory to lookup from
|
|
* @len: maximum length @len should be interpreted to
|
|
*
|
|
* Note that this routine is purely a helper for filesystem usage and should
|
|
* not be called by generic code.
|
|
*
|
|
* The caller must hold base->i_mutex.
|
|
*/
|
|
struct dentry *lookup_one_len(const char *name, struct dentry *base, int len)
|
|
{
|
|
struct dentry *dentry;
|
|
struct qstr this;
|
|
int err;
|
|
|
|
WARN_ON_ONCE(!inode_is_locked(base->d_inode));
|
|
|
|
err = lookup_one_len_common(name, base, len, &this);
|
|
if (err)
|
|
return ERR_PTR(err);
|
|
|
|
dentry = lookup_dcache(&this, base, 0);
|
|
return dentry ? dentry : __lookup_slow(&this, base, 0);
|
|
}
|
|
EXPORT_SYMBOL(lookup_one_len);
|
|
|
|
/**
|
|
* lookup_one_len_unlocked - filesystem helper to lookup single pathname component
|
|
* @name: pathname component to lookup
|
|
* @base: base directory to lookup from
|
|
* @len: maximum length @len should be interpreted to
|
|
*
|
|
* Note that this routine is purely a helper for filesystem usage and should
|
|
* not be called by generic code.
|
|
*
|
|
* Unlike lookup_one_len, it should be called without the parent
|
|
* i_mutex held, and will take the i_mutex itself if necessary.
|
|
*/
|
|
struct dentry *lookup_one_len_unlocked(const char *name,
|
|
struct dentry *base, int len)
|
|
{
|
|
struct qstr this;
|
|
int err;
|
|
struct dentry *ret;
|
|
|
|
err = lookup_one_len_common(name, base, len, &this);
|
|
if (err)
|
|
return ERR_PTR(err);
|
|
|
|
ret = lookup_dcache(&this, base, 0);
|
|
if (!ret)
|
|
ret = lookup_slow(&this, base, 0);
|
|
return ret;
|
|
}
|
|
EXPORT_SYMBOL(lookup_one_len_unlocked);
|
|
|
|
/*
|
|
* Like lookup_one_len_unlocked(), except that it yields ERR_PTR(-ENOENT)
|
|
* on negatives. Returns known positive or ERR_PTR(); that's what
|
|
* most of the users want. Note that pinned negative with unlocked parent
|
|
* _can_ become positive at any time, so callers of lookup_one_len_unlocked()
|
|
* need to be very careful; pinned positives have ->d_inode stable, so
|
|
* this one avoids such problems.
|
|
*/
|
|
struct dentry *lookup_positive_unlocked(const char *name,
|
|
struct dentry *base, int len)
|
|
{
|
|
struct dentry *ret = lookup_one_len_unlocked(name, base, len);
|
|
if (!IS_ERR(ret) && d_flags_negative(smp_load_acquire(&ret->d_flags))) {
|
|
dput(ret);
|
|
ret = ERR_PTR(-ENOENT);
|
|
}
|
|
return ret;
|
|
}
|
|
EXPORT_SYMBOL(lookup_positive_unlocked);
|
|
|
|
#ifdef CONFIG_UNIX98_PTYS
|
|
int path_pts(struct path *path)
|
|
{
|
|
/* Find something mounted on "pts" in the same directory as
|
|
* the input path.
|
|
*/
|
|
struct dentry *parent = dget_parent(path->dentry);
|
|
struct dentry *child;
|
|
struct qstr this = QSTR_INIT("pts", 3);
|
|
|
|
if (unlikely(!path_connected(path->mnt, parent))) {
|
|
dput(parent);
|
|
return -ENOENT;
|
|
}
|
|
dput(path->dentry);
|
|
path->dentry = parent;
|
|
child = d_hash_and_lookup(parent, &this);
|
|
if (!child)
|
|
return -ENOENT;
|
|
|
|
path->dentry = child;
|
|
dput(parent);
|
|
follow_down(path);
|
|
return 0;
|
|
}
|
|
#endif
|
|
|
|
int user_path_at_empty(int dfd, const char __user *name, unsigned flags,
|
|
struct path *path, int *empty)
|
|
{
|
|
return filename_lookup(dfd, getname_flags(name, flags, empty),
|
|
flags, path, NULL);
|
|
}
|
|
EXPORT_SYMBOL(user_path_at_empty);
|
|
|
|
int __check_sticky(struct user_namespace *mnt_userns, struct inode *dir,
|
|
struct inode *inode)
|
|
{
|
|
kuid_t fsuid = current_fsuid();
|
|
|
|
if (uid_eq(i_uid_into_mnt(mnt_userns, inode), fsuid))
|
|
return 0;
|
|
if (uid_eq(i_uid_into_mnt(mnt_userns, dir), fsuid))
|
|
return 0;
|
|
return !capable_wrt_inode_uidgid(mnt_userns, inode, CAP_FOWNER);
|
|
}
|
|
EXPORT_SYMBOL(__check_sticky);
|
|
|
|
/*
|
|
* Check whether we can remove a link victim from directory dir, check
|
|
* whether the type of victim is right.
|
|
* 1. We can't do it if dir is read-only (done in permission())
|
|
* 2. We should have write and exec permissions on dir
|
|
* 3. We can't remove anything from append-only dir
|
|
* 4. We can't do anything with immutable dir (done in permission())
|
|
* 5. If the sticky bit on dir is set we should either
|
|
* a. be owner of dir, or
|
|
* b. be owner of victim, or
|
|
* c. have CAP_FOWNER capability
|
|
* 6. If the victim is append-only or immutable we can't do antyhing with
|
|
* links pointing to it.
|
|
* 7. If the victim has an unknown uid or gid we can't change the inode.
|
|
* 8. If we were asked to remove a directory and victim isn't one - ENOTDIR.
|
|
* 9. If we were asked to remove a non-directory and victim isn't one - EISDIR.
|
|
* 10. We can't remove a root or mountpoint.
|
|
* 11. We don't allow removal of NFS sillyrenamed files; it's handled by
|
|
* nfs_async_unlink().
|
|
*/
|
|
static int may_delete(struct user_namespace *mnt_userns, struct inode *dir,
|
|
struct dentry *victim, bool isdir)
|
|
{
|
|
struct inode *inode = d_backing_inode(victim);
|
|
int error;
|
|
|
|
if (d_is_negative(victim))
|
|
return -ENOENT;
|
|
BUG_ON(!inode);
|
|
|
|
BUG_ON(victim->d_parent->d_inode != dir);
|
|
|
|
/* Inode writeback is not safe when the uid or gid are invalid. */
|
|
if (!uid_valid(i_uid_into_mnt(mnt_userns, inode)) ||
|
|
!gid_valid(i_gid_into_mnt(mnt_userns, inode)))
|
|
return -EOVERFLOW;
|
|
|
|
audit_inode_child(dir, victim, AUDIT_TYPE_CHILD_DELETE);
|
|
|
|
error = inode_permission(mnt_userns, dir, MAY_WRITE | MAY_EXEC);
|
|
if (error)
|
|
return error;
|
|
if (IS_APPEND(dir))
|
|
return -EPERM;
|
|
|
|
if (check_sticky(mnt_userns, dir, inode) || IS_APPEND(inode) ||
|
|
IS_IMMUTABLE(inode) || IS_SWAPFILE(inode) ||
|
|
HAS_UNMAPPED_ID(mnt_userns, inode))
|
|
return -EPERM;
|
|
if (isdir) {
|
|
if (!d_is_dir(victim))
|
|
return -ENOTDIR;
|
|
if (IS_ROOT(victim))
|
|
return -EBUSY;
|
|
} else if (d_is_dir(victim))
|
|
return -EISDIR;
|
|
if (IS_DEADDIR(dir))
|
|
return -ENOENT;
|
|
if (victim->d_flags & DCACHE_NFSFS_RENAMED)
|
|
return -EBUSY;
|
|
return 0;
|
|
}
|
|
|
|
/* Check whether we can create an object with dentry child in directory
|
|
* dir.
|
|
* 1. We can't do it if child already exists (open has special treatment for
|
|
* this case, but since we are inlined it's OK)
|
|
* 2. We can't do it if dir is read-only (done in permission())
|
|
* 3. We can't do it if the fs can't represent the fsuid or fsgid.
|
|
* 4. We should have write and exec permissions on dir
|
|
* 5. We can't do it if dir is immutable (done in permission())
|
|
*/
|
|
static inline int may_create(struct user_namespace *mnt_userns,
|
|
struct inode *dir, struct dentry *child)
|
|
{
|
|
struct user_namespace *s_user_ns;
|
|
audit_inode_child(dir, child, AUDIT_TYPE_CHILD_CREATE);
|
|
if (child->d_inode)
|
|
return -EEXIST;
|
|
if (IS_DEADDIR(dir))
|
|
return -ENOENT;
|
|
s_user_ns = dir->i_sb->s_user_ns;
|
|
if (!kuid_has_mapping(s_user_ns, fsuid_into_mnt(mnt_userns)) ||
|
|
!kgid_has_mapping(s_user_ns, fsgid_into_mnt(mnt_userns)))
|
|
return -EOVERFLOW;
|
|
return inode_permission(mnt_userns, dir, MAY_WRITE | MAY_EXEC);
|
|
}
|
|
|
|
/*
|
|
* p1 and p2 should be directories on the same fs.
|
|
*/
|
|
struct dentry *lock_rename(struct dentry *p1, struct dentry *p2)
|
|
{
|
|
struct dentry *p;
|
|
|
|
if (p1 == p2) {
|
|
inode_lock_nested(p1->d_inode, I_MUTEX_PARENT);
|
|
return NULL;
|
|
}
|
|
|
|
mutex_lock(&p1->d_sb->s_vfs_rename_mutex);
|
|
|
|
p = d_ancestor(p2, p1);
|
|
if (p) {
|
|
inode_lock_nested(p2->d_inode, I_MUTEX_PARENT);
|
|
inode_lock_nested(p1->d_inode, I_MUTEX_CHILD);
|
|
return p;
|
|
}
|
|
|
|
p = d_ancestor(p1, p2);
|
|
if (p) {
|
|
inode_lock_nested(p1->d_inode, I_MUTEX_PARENT);
|
|
inode_lock_nested(p2->d_inode, I_MUTEX_CHILD);
|
|
return p;
|
|
}
|
|
|
|
inode_lock_nested(p1->d_inode, I_MUTEX_PARENT);
|
|
inode_lock_nested(p2->d_inode, I_MUTEX_PARENT2);
|
|
return NULL;
|
|
}
|
|
EXPORT_SYMBOL(lock_rename);
|
|
|
|
void unlock_rename(struct dentry *p1, struct dentry *p2)
|
|
{
|
|
inode_unlock(p1->d_inode);
|
|
if (p1 != p2) {
|
|
inode_unlock(p2->d_inode);
|
|
mutex_unlock(&p1->d_sb->s_vfs_rename_mutex);
|
|
}
|
|
}
|
|
EXPORT_SYMBOL(unlock_rename);
|
|
|
|
/**
|
|
* vfs_create - create new file
|
|
* @mnt_userns: user namespace of the mount the inode was found from
|
|
* @dir: inode of @dentry
|
|
* @dentry: pointer to dentry of the base directory
|
|
* @mode: mode of the new file
|
|
* @want_excl: whether the file must not yet exist
|
|
*
|
|
* Create a new file.
|
|
*
|
|
* If the inode has been found through an idmapped mount the user namespace of
|
|
* the vfsmount must be passed through @mnt_userns. This function will then take
|
|
* care to map the inode according to @mnt_userns before checking permissions.
|
|
* On non-idmapped mounts or if permission checking is to be performed on the
|
|
* raw inode simply passs init_user_ns.
|
|
*/
|
|
int vfs_create(struct user_namespace *mnt_userns, struct inode *dir,
|
|
struct dentry *dentry, umode_t mode, bool want_excl)
|
|
{
|
|
int error = may_create(mnt_userns, dir, dentry);
|
|
if (error)
|
|
return error;
|
|
|
|
if (!dir->i_op->create)
|
|
return -EACCES; /* shouldn't it be ENOSYS? */
|
|
mode &= S_IALLUGO;
|
|
mode |= S_IFREG;
|
|
error = security_inode_create(dir, dentry, mode);
|
|
if (error)
|
|
return error;
|
|
error = dir->i_op->create(mnt_userns, dir, dentry, mode, want_excl);
|
|
if (!error)
|
|
fsnotify_create(dir, dentry);
|
|
return error;
|
|
}
|
|
EXPORT_SYMBOL(vfs_create);
|
|
|
|
int vfs_mkobj(struct dentry *dentry, umode_t mode,
|
|
int (*f)(struct dentry *, umode_t, void *),
|
|
void *arg)
|
|
{
|
|
struct inode *dir = dentry->d_parent->d_inode;
|
|
int error = may_create(&init_user_ns, dir, dentry);
|
|
if (error)
|
|
return error;
|
|
|
|
mode &= S_IALLUGO;
|
|
mode |= S_IFREG;
|
|
error = security_inode_create(dir, dentry, mode);
|
|
if (error)
|
|
return error;
|
|
error = f(dentry, mode, arg);
|
|
if (!error)
|
|
fsnotify_create(dir, dentry);
|
|
return error;
|
|
}
|
|
EXPORT_SYMBOL(vfs_mkobj);
|
|
|
|
bool may_open_dev(const struct path *path)
|
|
{
|
|
return !(path->mnt->mnt_flags & MNT_NODEV) &&
|
|
!(path->mnt->mnt_sb->s_iflags & SB_I_NODEV);
|
|
}
|
|
|
|
static int may_open(struct user_namespace *mnt_userns, const struct path *path,
|
|
int acc_mode, int flag)
|
|
{
|
|
struct dentry *dentry = path->dentry;
|
|
struct inode *inode = dentry->d_inode;
|
|
int error;
|
|
|
|
if (!inode)
|
|
return -ENOENT;
|
|
|
|
switch (inode->i_mode & S_IFMT) {
|
|
case S_IFLNK:
|
|
return -ELOOP;
|
|
case S_IFDIR:
|
|
if (acc_mode & MAY_WRITE)
|
|
return -EISDIR;
|
|
if (acc_mode & MAY_EXEC)
|
|
return -EACCES;
|
|
break;
|
|
case S_IFBLK:
|
|
case S_IFCHR:
|
|
if (!may_open_dev(path))
|
|
return -EACCES;
|
|
fallthrough;
|
|
case S_IFIFO:
|
|
case S_IFSOCK:
|
|
if (acc_mode & MAY_EXEC)
|
|
return -EACCES;
|
|
flag &= ~O_TRUNC;
|
|
break;
|
|
case S_IFREG:
|
|
if ((acc_mode & MAY_EXEC) && path_noexec(path))
|
|
return -EACCES;
|
|
break;
|
|
}
|
|
|
|
error = inode_permission(mnt_userns, inode, MAY_OPEN | acc_mode);
|
|
if (error)
|
|
return error;
|
|
|
|
/*
|
|
* An append-only file must be opened in append mode for writing.
|
|
*/
|
|
if (IS_APPEND(inode)) {
|
|
if ((flag & O_ACCMODE) != O_RDONLY && !(flag & O_APPEND))
|
|
return -EPERM;
|
|
if (flag & O_TRUNC)
|
|
return -EPERM;
|
|
}
|
|
|
|
/* O_NOATIME can only be set by the owner or superuser */
|
|
if (flag & O_NOATIME && !inode_owner_or_capable(mnt_userns, inode))
|
|
return -EPERM;
|
|
|
|
return 0;
|
|
}
|
|
|
|
static int handle_truncate(struct user_namespace *mnt_userns, struct file *filp)
|
|
{
|
|
const struct path *path = &filp->f_path;
|
|
struct inode *inode = path->dentry->d_inode;
|
|
int error = get_write_access(inode);
|
|
if (error)
|
|
return error;
|
|
/*
|
|
* Refuse to truncate files with mandatory locks held on them.
|
|
*/
|
|
error = locks_verify_locked(filp);
|
|
if (!error)
|
|
error = security_path_truncate(path);
|
|
if (!error) {
|
|
error = do_truncate(mnt_userns, path->dentry, 0,
|
|
ATTR_MTIME|ATTR_CTIME|ATTR_OPEN,
|
|
filp);
|
|
}
|
|
put_write_access(inode);
|
|
return error;
|
|
}
|
|
|
|
static inline int open_to_namei_flags(int flag)
|
|
{
|
|
if ((flag & O_ACCMODE) == 3)
|
|
flag--;
|
|
return flag;
|
|
}
|
|
|
|
static int may_o_create(struct user_namespace *mnt_userns,
|
|
const struct path *dir, struct dentry *dentry,
|
|
umode_t mode)
|
|
{
|
|
struct user_namespace *s_user_ns;
|
|
int error = security_path_mknod(dir, dentry, mode, 0);
|
|
if (error)
|
|
return error;
|
|
|
|
s_user_ns = dir->dentry->d_sb->s_user_ns;
|
|
if (!kuid_has_mapping(s_user_ns, fsuid_into_mnt(mnt_userns)) ||
|
|
!kgid_has_mapping(s_user_ns, fsgid_into_mnt(mnt_userns)))
|
|
return -EOVERFLOW;
|
|
|
|
error = inode_permission(mnt_userns, dir->dentry->d_inode,
|
|
MAY_WRITE | MAY_EXEC);
|
|
if (error)
|
|
return error;
|
|
|
|
return security_inode_create(dir->dentry->d_inode, dentry, mode);
|
|
}
|
|
|
|
/*
|
|
* Attempt to atomically look up, create and open a file from a negative
|
|
* dentry.
|
|
*
|
|
* Returns 0 if successful. The file will have been created and attached to
|
|
* @file by the filesystem calling finish_open().
|
|
*
|
|
* If the file was looked up only or didn't need creating, FMODE_OPENED won't
|
|
* be set. The caller will need to perform the open themselves. @path will
|
|
* have been updated to point to the new dentry. This may be negative.
|
|
*
|
|
* Returns an error code otherwise.
|
|
*/
|
|
static struct dentry *atomic_open(struct nameidata *nd, struct dentry *dentry,
|
|
struct file *file,
|
|
int open_flag, umode_t mode)
|
|
{
|
|
struct dentry *const DENTRY_NOT_SET = (void *) -1UL;
|
|
struct inode *dir = nd->path.dentry->d_inode;
|
|
int error;
|
|
|
|
if (nd->flags & LOOKUP_DIRECTORY)
|
|
open_flag |= O_DIRECTORY;
|
|
|
|
file->f_path.dentry = DENTRY_NOT_SET;
|
|
file->f_path.mnt = nd->path.mnt;
|
|
error = dir->i_op->atomic_open(dir, dentry, file,
|
|
open_to_namei_flags(open_flag), mode);
|
|
d_lookup_done(dentry);
|
|
if (!error) {
|
|
if (file->f_mode & FMODE_OPENED) {
|
|
if (unlikely(dentry != file->f_path.dentry)) {
|
|
dput(dentry);
|
|
dentry = dget(file->f_path.dentry);
|
|
}
|
|
} else if (WARN_ON(file->f_path.dentry == DENTRY_NOT_SET)) {
|
|
error = -EIO;
|
|
} else {
|
|
if (file->f_path.dentry) {
|
|
dput(dentry);
|
|
dentry = file->f_path.dentry;
|
|
}
|
|
if (unlikely(d_is_negative(dentry)))
|
|
error = -ENOENT;
|
|
}
|
|
}
|
|
if (error) {
|
|
dput(dentry);
|
|
dentry = ERR_PTR(error);
|
|
}
|
|
return dentry;
|
|
}
|
|
|
|
/*
|
|
* Look up and maybe create and open the last component.
|
|
*
|
|
* Must be called with parent locked (exclusive in O_CREAT case).
|
|
*
|
|
* Returns 0 on success, that is, if
|
|
* the file was successfully atomically created (if necessary) and opened, or
|
|
* the file was not completely opened at this time, though lookups and
|
|
* creations were performed.
|
|
* These case are distinguished by presence of FMODE_OPENED on file->f_mode.
|
|
* In the latter case dentry returned in @path might be negative if O_CREAT
|
|
* hadn't been specified.
|
|
*
|
|
* An error code is returned on failure.
|
|
*/
|
|
static struct dentry *lookup_open(struct nameidata *nd, struct file *file,
|
|
const struct open_flags *op,
|
|
bool got_write)
|
|
{
|
|
struct user_namespace *mnt_userns;
|
|
struct dentry *dir = nd->path.dentry;
|
|
struct inode *dir_inode = dir->d_inode;
|
|
int open_flag = op->open_flag;
|
|
struct dentry *dentry;
|
|
int error, create_error = 0;
|
|
umode_t mode = op->mode;
|
|
DECLARE_WAIT_QUEUE_HEAD_ONSTACK(wq);
|
|
|
|
if (unlikely(IS_DEADDIR(dir_inode)))
|
|
return ERR_PTR(-ENOENT);
|
|
|
|
file->f_mode &= ~FMODE_CREATED;
|
|
dentry = d_lookup(dir, &nd->last);
|
|
for (;;) {
|
|
if (!dentry) {
|
|
dentry = d_alloc_parallel(dir, &nd->last, &wq);
|
|
if (IS_ERR(dentry))
|
|
return dentry;
|
|
}
|
|
if (d_in_lookup(dentry))
|
|
break;
|
|
|
|
error = d_revalidate(dentry, nd->flags);
|
|
if (likely(error > 0))
|
|
break;
|
|
if (error)
|
|
goto out_dput;
|
|
d_invalidate(dentry);
|
|
dput(dentry);
|
|
dentry = NULL;
|
|
}
|
|
if (dentry->d_inode) {
|
|
/* Cached positive dentry: will open in f_op->open */
|
|
return dentry;
|
|
}
|
|
|
|
/*
|
|
* Checking write permission is tricky, bacuse we don't know if we are
|
|
* going to actually need it: O_CREAT opens should work as long as the
|
|
* file exists. But checking existence breaks atomicity. The trick is
|
|
* to check access and if not granted clear O_CREAT from the flags.
|
|
*
|
|
* Another problem is returing the "right" error value (e.g. for an
|
|
* O_EXCL open we want to return EEXIST not EROFS).
|
|
*/
|
|
if (unlikely(!got_write))
|
|
open_flag &= ~O_TRUNC;
|
|
mnt_userns = mnt_user_ns(nd->path.mnt);
|
|
if (open_flag & O_CREAT) {
|
|
if (open_flag & O_EXCL)
|
|
open_flag &= ~O_TRUNC;
|
|
if (!IS_POSIXACL(dir->d_inode))
|
|
mode &= ~current_umask();
|
|
if (likely(got_write))
|
|
create_error = may_o_create(mnt_userns, &nd->path,
|
|
dentry, mode);
|
|
else
|
|
create_error = -EROFS;
|
|
}
|
|
if (create_error)
|
|
open_flag &= ~O_CREAT;
|
|
if (dir_inode->i_op->atomic_open) {
|
|
dentry = atomic_open(nd, dentry, file, open_flag, mode);
|
|
if (unlikely(create_error) && dentry == ERR_PTR(-ENOENT))
|
|
dentry = ERR_PTR(create_error);
|
|
return dentry;
|
|
}
|
|
|
|
if (d_in_lookup(dentry)) {
|
|
struct dentry *res = dir_inode->i_op->lookup(dir_inode, dentry,
|
|
nd->flags);
|
|
d_lookup_done(dentry);
|
|
if (unlikely(res)) {
|
|
if (IS_ERR(res)) {
|
|
error = PTR_ERR(res);
|
|
goto out_dput;
|
|
}
|
|
dput(dentry);
|
|
dentry = res;
|
|
}
|
|
}
|
|
|
|
/* Negative dentry, just create the file */
|
|
if (!dentry->d_inode && (open_flag & O_CREAT)) {
|
|
file->f_mode |= FMODE_CREATED;
|
|
audit_inode_child(dir_inode, dentry, AUDIT_TYPE_CHILD_CREATE);
|
|
if (!dir_inode->i_op->create) {
|
|
error = -EACCES;
|
|
goto out_dput;
|
|
}
|
|
|
|
error = dir_inode->i_op->create(mnt_userns, dir_inode, dentry,
|
|
mode, open_flag & O_EXCL);
|
|
if (error)
|
|
goto out_dput;
|
|
}
|
|
if (unlikely(create_error) && !dentry->d_inode) {
|
|
error = create_error;
|
|
goto out_dput;
|
|
}
|
|
return dentry;
|
|
|
|
out_dput:
|
|
dput(dentry);
|
|
return ERR_PTR(error);
|
|
}
|
|
|
|
static const char *open_last_lookups(struct nameidata *nd,
|
|
struct file *file, const struct open_flags *op)
|
|
{
|
|
struct dentry *dir = nd->path.dentry;
|
|
int open_flag = op->open_flag;
|
|
bool got_write = false;
|
|
unsigned seq;
|
|
struct inode *inode;
|
|
struct dentry *dentry;
|
|
const char *res;
|
|
|
|
nd->flags |= op->intent;
|
|
|
|
if (nd->last_type != LAST_NORM) {
|
|
if (nd->depth)
|
|
put_link(nd);
|
|
return handle_dots(nd, nd->last_type);
|
|
}
|
|
|
|
if (!(open_flag & O_CREAT)) {
|
|
if (nd->last.name[nd->last.len])
|
|
nd->flags |= LOOKUP_FOLLOW | LOOKUP_DIRECTORY;
|
|
/* we _can_ be in RCU mode here */
|
|
dentry = lookup_fast(nd, &inode, &seq);
|
|
if (IS_ERR(dentry))
|
|
return ERR_CAST(dentry);
|
|
if (likely(dentry))
|
|
goto finish_lookup;
|
|
|
|
BUG_ON(nd->flags & LOOKUP_RCU);
|
|
} else {
|
|
/* create side of things */
|
|
if (nd->flags & LOOKUP_RCU) {
|
|
if (!try_to_unlazy(nd))
|
|
return ERR_PTR(-ECHILD);
|
|
}
|
|
audit_inode(nd->name, dir, AUDIT_INODE_PARENT);
|
|
/* trailing slashes? */
|
|
if (unlikely(nd->last.name[nd->last.len]))
|
|
return ERR_PTR(-EISDIR);
|
|
}
|
|
|
|
if (open_flag & (O_CREAT | O_TRUNC | O_WRONLY | O_RDWR)) {
|
|
got_write = !mnt_want_write(nd->path.mnt);
|
|
/*
|
|
* do _not_ fail yet - we might not need that or fail with
|
|
* a different error; let lookup_open() decide; we'll be
|
|
* dropping this one anyway.
|
|
*/
|
|
}
|
|
if (open_flag & O_CREAT)
|
|
inode_lock(dir->d_inode);
|
|
else
|
|
inode_lock_shared(dir->d_inode);
|
|
dentry = lookup_open(nd, file, op, got_write);
|
|
if (!IS_ERR(dentry) && (file->f_mode & FMODE_CREATED))
|
|
fsnotify_create(dir->d_inode, dentry);
|
|
if (open_flag & O_CREAT)
|
|
inode_unlock(dir->d_inode);
|
|
else
|
|
inode_unlock_shared(dir->d_inode);
|
|
|
|
if (got_write)
|
|
mnt_drop_write(nd->path.mnt);
|
|
|
|
if (IS_ERR(dentry))
|
|
return ERR_CAST(dentry);
|
|
|
|
if (file->f_mode & (FMODE_OPENED | FMODE_CREATED)) {
|
|
dput(nd->path.dentry);
|
|
nd->path.dentry = dentry;
|
|
return NULL;
|
|
}
|
|
|
|
finish_lookup:
|
|
if (nd->depth)
|
|
put_link(nd);
|
|
res = step_into(nd, WALK_TRAILING, dentry, inode, seq);
|
|
if (unlikely(res))
|
|
nd->flags &= ~(LOOKUP_OPEN|LOOKUP_CREATE|LOOKUP_EXCL);
|
|
return res;
|
|
}
|
|
|
|
/*
|
|
* Handle the last step of open()
|
|
*/
|
|
static int do_open(struct nameidata *nd,
|
|
struct file *file, const struct open_flags *op)
|
|
{
|
|
struct user_namespace *mnt_userns;
|
|
int open_flag = op->open_flag;
|
|
bool do_truncate;
|
|
int acc_mode;
|
|
int error;
|
|
|
|
if (!(file->f_mode & (FMODE_OPENED | FMODE_CREATED))) {
|
|
error = complete_walk(nd);
|
|
if (error)
|
|
return error;
|
|
}
|
|
if (!(file->f_mode & FMODE_CREATED))
|
|
audit_inode(nd->name, nd->path.dentry, 0);
|
|
mnt_userns = mnt_user_ns(nd->path.mnt);
|
|
if (open_flag & O_CREAT) {
|
|
if ((open_flag & O_EXCL) && !(file->f_mode & FMODE_CREATED))
|
|
return -EEXIST;
|
|
if (d_is_dir(nd->path.dentry))
|
|
return -EISDIR;
|
|
error = may_create_in_sticky(mnt_userns, nd,
|
|
d_backing_inode(nd->path.dentry));
|
|
if (unlikely(error))
|
|
return error;
|
|
}
|
|
if ((nd->flags & LOOKUP_DIRECTORY) && !d_can_lookup(nd->path.dentry))
|
|
return -ENOTDIR;
|
|
|
|
do_truncate = false;
|
|
acc_mode = op->acc_mode;
|
|
if (file->f_mode & FMODE_CREATED) {
|
|
/* Don't check for write permission, don't truncate */
|
|
open_flag &= ~O_TRUNC;
|
|
acc_mode = 0;
|
|
} else if (d_is_reg(nd->path.dentry) && open_flag & O_TRUNC) {
|
|
error = mnt_want_write(nd->path.mnt);
|
|
if (error)
|
|
return error;
|
|
do_truncate = true;
|
|
}
|
|
error = may_open(mnt_userns, &nd->path, acc_mode, open_flag);
|
|
if (!error && !(file->f_mode & FMODE_OPENED))
|
|
error = vfs_open(&nd->path, file);
|
|
if (!error)
|
|
error = ima_file_check(file, op->acc_mode);
|
|
if (!error && do_truncate)
|
|
error = handle_truncate(mnt_userns, file);
|
|
if (unlikely(error > 0)) {
|
|
WARN_ON(1);
|
|
error = -EINVAL;
|
|
}
|
|
if (do_truncate)
|
|
mnt_drop_write(nd->path.mnt);
|
|
return error;
|
|
}
|
|
|
|
/**
|
|
* vfs_tmpfile - create tmpfile
|
|
* @mnt_userns: user namespace of the mount the inode was found from
|
|
* @dentry: pointer to dentry of the base directory
|
|
* @mode: mode of the new tmpfile
|
|
* @open_flags: flags
|
|
*
|
|
* Create a temporary file.
|
|
*
|
|
* If the inode has been found through an idmapped mount the user namespace of
|
|
* the vfsmount must be passed through @mnt_userns. This function will then take
|
|
* care to map the inode according to @mnt_userns before checking permissions.
|
|
* On non-idmapped mounts or if permission checking is to be performed on the
|
|
* raw inode simply passs init_user_ns.
|
|
*/
|
|
struct dentry *vfs_tmpfile(struct user_namespace *mnt_userns,
|
|
struct dentry *dentry, umode_t mode, int open_flag)
|
|
{
|
|
struct dentry *child = NULL;
|
|
struct inode *dir = dentry->d_inode;
|
|
struct inode *inode;
|
|
int error;
|
|
|
|
/* we want directory to be writable */
|
|
error = inode_permission(mnt_userns, dir, MAY_WRITE | MAY_EXEC);
|
|
if (error)
|
|
goto out_err;
|
|
error = -EOPNOTSUPP;
|
|
if (!dir->i_op->tmpfile)
|
|
goto out_err;
|
|
error = -ENOMEM;
|
|
child = d_alloc(dentry, &slash_name);
|
|
if (unlikely(!child))
|
|
goto out_err;
|
|
error = dir->i_op->tmpfile(mnt_userns, dir, child, mode);
|
|
if (error)
|
|
goto out_err;
|
|
error = -ENOENT;
|
|
inode = child->d_inode;
|
|
if (unlikely(!inode))
|
|
goto out_err;
|
|
if (!(open_flag & O_EXCL)) {
|
|
spin_lock(&inode->i_lock);
|
|
inode->i_state |= I_LINKABLE;
|
|
spin_unlock(&inode->i_lock);
|
|
}
|
|
ima_post_create_tmpfile(mnt_userns, inode);
|
|
return child;
|
|
|
|
out_err:
|
|
dput(child);
|
|
return ERR_PTR(error);
|
|
}
|
|
EXPORT_SYMBOL(vfs_tmpfile);
|
|
|
|
static int do_tmpfile(struct nameidata *nd, unsigned flags,
|
|
const struct open_flags *op,
|
|
struct file *file)
|
|
{
|
|
struct user_namespace *mnt_userns;
|
|
struct dentry *child;
|
|
struct path path;
|
|
int error = path_lookupat(nd, flags | LOOKUP_DIRECTORY, &path);
|
|
if (unlikely(error))
|
|
return error;
|
|
error = mnt_want_write(path.mnt);
|
|
if (unlikely(error))
|
|
goto out;
|
|
mnt_userns = mnt_user_ns(path.mnt);
|
|
child = vfs_tmpfile(mnt_userns, path.dentry, op->mode, op->open_flag);
|
|
error = PTR_ERR(child);
|
|
if (IS_ERR(child))
|
|
goto out2;
|
|
dput(path.dentry);
|
|
path.dentry = child;
|
|
audit_inode(nd->name, child, 0);
|
|
/* Don't check for other permissions, the inode was just created */
|
|
error = may_open(mnt_userns, &path, 0, op->open_flag);
|
|
if (!error)
|
|
error = vfs_open(&path, file);
|
|
out2:
|
|
mnt_drop_write(path.mnt);
|
|
out:
|
|
path_put(&path);
|
|
return error;
|
|
}
|
|
|
|
static int do_o_path(struct nameidata *nd, unsigned flags, struct file *file)
|
|
{
|
|
struct path path;
|
|
int error = path_lookupat(nd, flags, &path);
|
|
if (!error) {
|
|
audit_inode(nd->name, path.dentry, 0);
|
|
error = vfs_open(&path, file);
|
|
path_put(&path);
|
|
}
|
|
return error;
|
|
}
|
|
|
|
static struct file *path_openat(struct nameidata *nd,
|
|
const struct open_flags *op, unsigned flags)
|
|
{
|
|
struct file *file;
|
|
int error;
|
|
|
|
file = alloc_empty_file(op->open_flag, current_cred());
|
|
if (IS_ERR(file))
|
|
return file;
|
|
|
|
if (unlikely(file->f_flags & __O_TMPFILE)) {
|
|
error = do_tmpfile(nd, flags, op, file);
|
|
} else if (unlikely(file->f_flags & O_PATH)) {
|
|
error = do_o_path(nd, flags, file);
|
|
} else {
|
|
const char *s = path_init(nd, flags);
|
|
while (!(error = link_path_walk(s, nd)) &&
|
|
(s = open_last_lookups(nd, file, op)) != NULL)
|
|
;
|
|
if (!error)
|
|
error = do_open(nd, file, op);
|
|
terminate_walk(nd);
|
|
}
|
|
if (likely(!error)) {
|
|
if (likely(file->f_mode & FMODE_OPENED))
|
|
return file;
|
|
WARN_ON(1);
|
|
error = -EINVAL;
|
|
}
|
|
fput(file);
|
|
if (error == -EOPENSTALE) {
|
|
if (flags & LOOKUP_RCU)
|
|
error = -ECHILD;
|
|
else
|
|
error = -ESTALE;
|
|
}
|
|
return ERR_PTR(error);
|
|
}
|
|
|
|
struct file *do_filp_open(int dfd, struct filename *pathname,
|
|
const struct open_flags *op)
|
|
{
|
|
struct nameidata nd;
|
|
int flags = op->lookup_flags;
|
|
struct file *filp;
|
|
|
|
set_nameidata(&nd, dfd, pathname);
|
|
filp = path_openat(&nd, op, flags | LOOKUP_RCU);
|
|
if (unlikely(filp == ERR_PTR(-ECHILD)))
|
|
filp = path_openat(&nd, op, flags);
|
|
if (unlikely(filp == ERR_PTR(-ESTALE)))
|
|
filp = path_openat(&nd, op, flags | LOOKUP_REVAL);
|
|
restore_nameidata();
|
|
return filp;
|
|
}
|
|
|
|
struct file *do_file_open_root(struct dentry *dentry, struct vfsmount *mnt,
|
|
const char *name, const struct open_flags *op)
|
|
{
|
|
struct nameidata nd;
|
|
struct file *file;
|
|
struct filename *filename;
|
|
int flags = op->lookup_flags | LOOKUP_ROOT;
|
|
|
|
nd.root.mnt = mnt;
|
|
nd.root.dentry = dentry;
|
|
|
|
if (d_is_symlink(dentry) && op->intent & LOOKUP_OPEN)
|
|
return ERR_PTR(-ELOOP);
|
|
|
|
filename = getname_kernel(name);
|
|
if (IS_ERR(filename))
|
|
return ERR_CAST(filename);
|
|
|
|
set_nameidata(&nd, -1, filename);
|
|
file = path_openat(&nd, op, flags | LOOKUP_RCU);
|
|
if (unlikely(file == ERR_PTR(-ECHILD)))
|
|
file = path_openat(&nd, op, flags);
|
|
if (unlikely(file == ERR_PTR(-ESTALE)))
|
|
file = path_openat(&nd, op, flags | LOOKUP_REVAL);
|
|
restore_nameidata();
|
|
putname(filename);
|
|
return file;
|
|
}
|
|
|
|
static struct dentry *filename_create(int dfd, struct filename *name,
|
|
struct path *path, unsigned int lookup_flags)
|
|
{
|
|
struct dentry *dentry = ERR_PTR(-EEXIST);
|
|
struct qstr last;
|
|
int type;
|
|
int err2;
|
|
int error;
|
|
bool is_dir = (lookup_flags & LOOKUP_DIRECTORY);
|
|
|
|
/*
|
|
* Note that only LOOKUP_REVAL and LOOKUP_DIRECTORY matter here. Any
|
|
* other flags passed in are ignored!
|
|
*/
|
|
lookup_flags &= LOOKUP_REVAL;
|
|
|
|
name = filename_parentat(dfd, name, lookup_flags, path, &last, &type);
|
|
if (IS_ERR(name))
|
|
return ERR_CAST(name);
|
|
|
|
/*
|
|
* Yucky last component or no last component at all?
|
|
* (foo/., foo/.., /////)
|
|
*/
|
|
if (unlikely(type != LAST_NORM))
|
|
goto out;
|
|
|
|
/* don't fail immediately if it's r/o, at least try to report other errors */
|
|
err2 = mnt_want_write(path->mnt);
|
|
/*
|
|
* Do the final lookup.
|
|
*/
|
|
lookup_flags |= LOOKUP_CREATE | LOOKUP_EXCL;
|
|
inode_lock_nested(path->dentry->d_inode, I_MUTEX_PARENT);
|
|
dentry = __lookup_hash(&last, path->dentry, lookup_flags);
|
|
if (IS_ERR(dentry))
|
|
goto unlock;
|
|
|
|
error = -EEXIST;
|
|
if (d_is_positive(dentry))
|
|
goto fail;
|
|
|
|
/*
|
|
* Special case - lookup gave negative, but... we had foo/bar/
|
|
* From the vfs_mknod() POV we just have a negative dentry -
|
|
* all is fine. Let's be bastards - you had / on the end, you've
|
|
* been asking for (non-existent) directory. -ENOENT for you.
|
|
*/
|
|
if (unlikely(!is_dir && last.name[last.len])) {
|
|
error = -ENOENT;
|
|
goto fail;
|
|
}
|
|
if (unlikely(err2)) {
|
|
error = err2;
|
|
goto fail;
|
|
}
|
|
putname(name);
|
|
return dentry;
|
|
fail:
|
|
dput(dentry);
|
|
dentry = ERR_PTR(error);
|
|
unlock:
|
|
inode_unlock(path->dentry->d_inode);
|
|
if (!err2)
|
|
mnt_drop_write(path->mnt);
|
|
out:
|
|
path_put(path);
|
|
putname(name);
|
|
return dentry;
|
|
}
|
|
|
|
struct dentry *kern_path_create(int dfd, const char *pathname,
|
|
struct path *path, unsigned int lookup_flags)
|
|
{
|
|
return filename_create(dfd, getname_kernel(pathname),
|
|
path, lookup_flags);
|
|
}
|
|
EXPORT_SYMBOL(kern_path_create);
|
|
|
|
void done_path_create(struct path *path, struct dentry *dentry)
|
|
{
|
|
dput(dentry);
|
|
inode_unlock(path->dentry->d_inode);
|
|
mnt_drop_write(path->mnt);
|
|
path_put(path);
|
|
}
|
|
EXPORT_SYMBOL(done_path_create);
|
|
|
|
inline struct dentry *user_path_create(int dfd, const char __user *pathname,
|
|
struct path *path, unsigned int lookup_flags)
|
|
{
|
|
return filename_create(dfd, getname(pathname), path, lookup_flags);
|
|
}
|
|
EXPORT_SYMBOL(user_path_create);
|
|
|
|
/**
|
|
* vfs_mknod - create device node or file
|
|
* @mnt_userns: user namespace of the mount the inode was found from
|
|
* @dir: inode of @dentry
|
|
* @dentry: pointer to dentry of the base directory
|
|
* @mode: mode of the new device node or file
|
|
* @dev: device number of device to create
|
|
*
|
|
* Create a device node or file.
|
|
*
|
|
* If the inode has been found through an idmapped mount the user namespace of
|
|
* the vfsmount must be passed through @mnt_userns. This function will then take
|
|
* care to map the inode according to @mnt_userns before checking permissions.
|
|
* On non-idmapped mounts or if permission checking is to be performed on the
|
|
* raw inode simply passs init_user_ns.
|
|
*/
|
|
int vfs_mknod(struct user_namespace *mnt_userns, struct inode *dir,
|
|
struct dentry *dentry, umode_t mode, dev_t dev)
|
|
{
|
|
bool is_whiteout = S_ISCHR(mode) && dev == WHITEOUT_DEV;
|
|
int error = may_create(mnt_userns, dir, dentry);
|
|
|
|
if (error)
|
|
return error;
|
|
|
|
if ((S_ISCHR(mode) || S_ISBLK(mode)) && !is_whiteout &&
|
|
!capable(CAP_MKNOD))
|
|
return -EPERM;
|
|
|
|
if (!dir->i_op->mknod)
|
|
return -EPERM;
|
|
|
|
error = devcgroup_inode_mknod(mode, dev);
|
|
if (error)
|
|
return error;
|
|
|
|
error = security_inode_mknod(dir, dentry, mode, dev);
|
|
if (error)
|
|
return error;
|
|
|
|
error = dir->i_op->mknod(mnt_userns, dir, dentry, mode, dev);
|
|
if (!error)
|
|
fsnotify_create(dir, dentry);
|
|
return error;
|
|
}
|
|
EXPORT_SYMBOL(vfs_mknod);
|
|
|
|
static int may_mknod(umode_t mode)
|
|
{
|
|
switch (mode & S_IFMT) {
|
|
case S_IFREG:
|
|
case S_IFCHR:
|
|
case S_IFBLK:
|
|
case S_IFIFO:
|
|
case S_IFSOCK:
|
|
case 0: /* zero mode translates to S_IFREG */
|
|
return 0;
|
|
case S_IFDIR:
|
|
return -EPERM;
|
|
default:
|
|
return -EINVAL;
|
|
}
|
|
}
|
|
|
|
static long do_mknodat(int dfd, const char __user *filename, umode_t mode,
|
|
unsigned int dev)
|
|
{
|
|
struct user_namespace *mnt_userns;
|
|
struct dentry *dentry;
|
|
struct path path;
|
|
int error;
|
|
unsigned int lookup_flags = 0;
|
|
|
|
error = may_mknod(mode);
|
|
if (error)
|
|
return error;
|
|
retry:
|
|
dentry = user_path_create(dfd, filename, &path, lookup_flags);
|
|
if (IS_ERR(dentry))
|
|
return PTR_ERR(dentry);
|
|
|
|
if (!IS_POSIXACL(path.dentry->d_inode))
|
|
mode &= ~current_umask();
|
|
error = security_path_mknod(&path, dentry, mode, dev);
|
|
if (error)
|
|
goto out;
|
|
|
|
mnt_userns = mnt_user_ns(path.mnt);
|
|
switch (mode & S_IFMT) {
|
|
case 0: case S_IFREG:
|
|
error = vfs_create(mnt_userns, path.dentry->d_inode,
|
|
dentry, mode, true);
|
|
if (!error)
|
|
ima_post_path_mknod(mnt_userns, dentry);
|
|
break;
|
|
case S_IFCHR: case S_IFBLK:
|
|
error = vfs_mknod(mnt_userns, path.dentry->d_inode,
|
|
dentry, mode, new_decode_dev(dev));
|
|
break;
|
|
case S_IFIFO: case S_IFSOCK:
|
|
error = vfs_mknod(mnt_userns, path.dentry->d_inode,
|
|
dentry, mode, 0);
|
|
break;
|
|
}
|
|
out:
|
|
done_path_create(&path, dentry);
|
|
if (retry_estale(error, lookup_flags)) {
|
|
lookup_flags |= LOOKUP_REVAL;
|
|
goto retry;
|
|
}
|
|
return error;
|
|
}
|
|
|
|
SYSCALL_DEFINE4(mknodat, int, dfd, const char __user *, filename, umode_t, mode,
|
|
unsigned int, dev)
|
|
{
|
|
return do_mknodat(dfd, filename, mode, dev);
|
|
}
|
|
|
|
SYSCALL_DEFINE3(mknod, const char __user *, filename, umode_t, mode, unsigned, dev)
|
|
{
|
|
return do_mknodat(AT_FDCWD, filename, mode, dev);
|
|
}
|
|
|
|
/**
|
|
* vfs_mkdir - create directory
|
|
* @mnt_userns: user namespace of the mount the inode was found from
|
|
* @dir: inode of @dentry
|
|
* @dentry: pointer to dentry of the base directory
|
|
* @mode: mode of the new directory
|
|
*
|
|
* Create a directory.
|
|
*
|
|
* If the inode has been found through an idmapped mount the user namespace of
|
|
* the vfsmount must be passed through @mnt_userns. This function will then take
|
|
* care to map the inode according to @mnt_userns before checking permissions.
|
|
* On non-idmapped mounts or if permission checking is to be performed on the
|
|
* raw inode simply passs init_user_ns.
|
|
*/
|
|
int vfs_mkdir(struct user_namespace *mnt_userns, struct inode *dir,
|
|
struct dentry *dentry, umode_t mode)
|
|
{
|
|
int error = may_create(mnt_userns, dir, dentry);
|
|
unsigned max_links = dir->i_sb->s_max_links;
|
|
|
|
if (error)
|
|
return error;
|
|
|
|
if (!dir->i_op->mkdir)
|
|
return -EPERM;
|
|
|
|
mode &= (S_IRWXUGO|S_ISVTX);
|
|
error = security_inode_mkdir(dir, dentry, mode);
|
|
if (error)
|
|
return error;
|
|
|
|
if (max_links && dir->i_nlink >= max_links)
|
|
return -EMLINK;
|
|
|
|
error = dir->i_op->mkdir(mnt_userns, dir, dentry, mode);
|
|
if (!error)
|
|
fsnotify_mkdir(dir, dentry);
|
|
return error;
|
|
}
|
|
EXPORT_SYMBOL(vfs_mkdir);
|
|
|
|
static long do_mkdirat(int dfd, const char __user *pathname, umode_t mode)
|
|
{
|
|
struct dentry *dentry;
|
|
struct path path;
|
|
int error;
|
|
unsigned int lookup_flags = LOOKUP_DIRECTORY;
|
|
|
|
retry:
|
|
dentry = user_path_create(dfd, pathname, &path, lookup_flags);
|
|
if (IS_ERR(dentry))
|
|
return PTR_ERR(dentry);
|
|
|
|
if (!IS_POSIXACL(path.dentry->d_inode))
|
|
mode &= ~current_umask();
|
|
error = security_path_mkdir(&path, dentry, mode);
|
|
if (!error) {
|
|
struct user_namespace *mnt_userns;
|
|
mnt_userns = mnt_user_ns(path.mnt);
|
|
error = vfs_mkdir(mnt_userns, path.dentry->d_inode, dentry,
|
|
mode);
|
|
}
|
|
done_path_create(&path, dentry);
|
|
if (retry_estale(error, lookup_flags)) {
|
|
lookup_flags |= LOOKUP_REVAL;
|
|
goto retry;
|
|
}
|
|
return error;
|
|
}
|
|
|
|
SYSCALL_DEFINE3(mkdirat, int, dfd, const char __user *, pathname, umode_t, mode)
|
|
{
|
|
return do_mkdirat(dfd, pathname, mode);
|
|
}
|
|
|
|
SYSCALL_DEFINE2(mkdir, const char __user *, pathname, umode_t, mode)
|
|
{
|
|
return do_mkdirat(AT_FDCWD, pathname, mode);
|
|
}
|
|
|
|
/**
|
|
* vfs_rmdir - remove directory
|
|
* @mnt_userns: user namespace of the mount the inode was found from
|
|
* @dir: inode of @dentry
|
|
* @dentry: pointer to dentry of the base directory
|
|
*
|
|
* Remove a directory.
|
|
*
|
|
* If the inode has been found through an idmapped mount the user namespace of
|
|
* the vfsmount must be passed through @mnt_userns. This function will then take
|
|
* care to map the inode according to @mnt_userns before checking permissions.
|
|
* On non-idmapped mounts or if permission checking is to be performed on the
|
|
* raw inode simply passs init_user_ns.
|
|
*/
|
|
int vfs_rmdir(struct user_namespace *mnt_userns, struct inode *dir,
|
|
struct dentry *dentry)
|
|
{
|
|
int error = may_delete(mnt_userns, dir, dentry, 1);
|
|
|
|
if (error)
|
|
return error;
|
|
|
|
if (!dir->i_op->rmdir)
|
|
return -EPERM;
|
|
|
|
dget(dentry);
|
|
inode_lock(dentry->d_inode);
|
|
|
|
error = -EBUSY;
|
|
if (is_local_mountpoint(dentry))
|
|
goto out;
|
|
|
|
error = security_inode_rmdir(dir, dentry);
|
|
if (error)
|
|
goto out;
|
|
|
|
error = dir->i_op->rmdir(dir, dentry);
|
|
if (error)
|
|
goto out;
|
|
|
|
shrink_dcache_parent(dentry);
|
|
dentry->d_inode->i_flags |= S_DEAD;
|
|
dont_mount(dentry);
|
|
detach_mounts(dentry);
|
|
fsnotify_rmdir(dir, dentry);
|
|
|
|
out:
|
|
inode_unlock(dentry->d_inode);
|
|
dput(dentry);
|
|
if (!error)
|
|
d_delete(dentry);
|
|
return error;
|
|
}
|
|
EXPORT_SYMBOL(vfs_rmdir);
|
|
|
|
long do_rmdir(int dfd, struct filename *name)
|
|
{
|
|
struct user_namespace *mnt_userns;
|
|
int error = 0;
|
|
struct dentry *dentry;
|
|
struct path path;
|
|
struct qstr last;
|
|
int type;
|
|
unsigned int lookup_flags = 0;
|
|
retry:
|
|
name = filename_parentat(dfd, name, lookup_flags,
|
|
&path, &last, &type);
|
|
if (IS_ERR(name))
|
|
return PTR_ERR(name);
|
|
|
|
switch (type) {
|
|
case LAST_DOTDOT:
|
|
error = -ENOTEMPTY;
|
|
goto exit1;
|
|
case LAST_DOT:
|
|
error = -EINVAL;
|
|
goto exit1;
|
|
case LAST_ROOT:
|
|
error = -EBUSY;
|
|
goto exit1;
|
|
}
|
|
|
|
error = mnt_want_write(path.mnt);
|
|
if (error)
|
|
goto exit1;
|
|
|
|
inode_lock_nested(path.dentry->d_inode, I_MUTEX_PARENT);
|
|
dentry = __lookup_hash(&last, path.dentry, lookup_flags);
|
|
error = PTR_ERR(dentry);
|
|
if (IS_ERR(dentry))
|
|
goto exit2;
|
|
if (!dentry->d_inode) {
|
|
error = -ENOENT;
|
|
goto exit3;
|
|
}
|
|
error = security_path_rmdir(&path, dentry);
|
|
if (error)
|
|
goto exit3;
|
|
mnt_userns = mnt_user_ns(path.mnt);
|
|
error = vfs_rmdir(mnt_userns, path.dentry->d_inode, dentry);
|
|
exit3:
|
|
dput(dentry);
|
|
exit2:
|
|
inode_unlock(path.dentry->d_inode);
|
|
mnt_drop_write(path.mnt);
|
|
exit1:
|
|
path_put(&path);
|
|
if (retry_estale(error, lookup_flags)) {
|
|
lookup_flags |= LOOKUP_REVAL;
|
|
goto retry;
|
|
}
|
|
putname(name);
|
|
return error;
|
|
}
|
|
|
|
SYSCALL_DEFINE1(rmdir, const char __user *, pathname)
|
|
{
|
|
return do_rmdir(AT_FDCWD, getname(pathname));
|
|
}
|
|
|
|
/**
|
|
* vfs_unlink - unlink a filesystem object
|
|
* @mnt_userns: user namespace of the mount the inode was found from
|
|
* @dir: parent directory
|
|
* @dentry: victim
|
|
* @delegated_inode: returns victim inode, if the inode is delegated.
|
|
*
|
|
* The caller must hold dir->i_mutex.
|
|
*
|
|
* If vfs_unlink discovers a delegation, it will return -EWOULDBLOCK and
|
|
* return a reference to the inode in delegated_inode. The caller
|
|
* should then break the delegation on that inode and retry. Because
|
|
* breaking a delegation may take a long time, the caller should drop
|
|
* dir->i_mutex before doing so.
|
|
*
|
|
* Alternatively, a caller may pass NULL for delegated_inode. This may
|
|
* be appropriate for callers that expect the underlying filesystem not
|
|
* to be NFS exported.
|
|
*
|
|
* If the inode has been found through an idmapped mount the user namespace of
|
|
* the vfsmount must be passed through @mnt_userns. This function will then take
|
|
* care to map the inode according to @mnt_userns before checking permissions.
|
|
* On non-idmapped mounts or if permission checking is to be performed on the
|
|
* raw inode simply passs init_user_ns.
|
|
*/
|
|
int vfs_unlink(struct user_namespace *mnt_userns, struct inode *dir,
|
|
struct dentry *dentry, struct inode **delegated_inode)
|
|
{
|
|
struct inode *target = dentry->d_inode;
|
|
int error = may_delete(mnt_userns, dir, dentry, 0);
|
|
|
|
if (error)
|
|
return error;
|
|
|
|
if (!dir->i_op->unlink)
|
|
return -EPERM;
|
|
|
|
inode_lock(target);
|
|
if (is_local_mountpoint(dentry))
|
|
error = -EBUSY;
|
|
else {
|
|
error = security_inode_unlink(dir, dentry);
|
|
if (!error) {
|
|
error = try_break_deleg(target, delegated_inode);
|
|
if (error)
|
|
goto out;
|
|
error = dir->i_op->unlink(dir, dentry);
|
|
if (!error) {
|
|
dont_mount(dentry);
|
|
detach_mounts(dentry);
|
|
fsnotify_unlink(dir, dentry);
|
|
}
|
|
}
|
|
}
|
|
out:
|
|
inode_unlock(target);
|
|
|
|
/* We don't d_delete() NFS sillyrenamed files--they still exist. */
|
|
if (!error && !(dentry->d_flags & DCACHE_NFSFS_RENAMED)) {
|
|
fsnotify_link_count(target);
|
|
d_delete(dentry);
|
|
}
|
|
|
|
return error;
|
|
}
|
|
EXPORT_SYMBOL(vfs_unlink);
|
|
|
|
/*
|
|
* Make sure that the actual truncation of the file will occur outside its
|
|
* directory's i_mutex. Truncate can take a long time if there is a lot of
|
|
* writeout happening, and we don't want to prevent access to the directory
|
|
* while waiting on the I/O.
|
|
*/
|
|
long do_unlinkat(int dfd, struct filename *name)
|
|
{
|
|
int error;
|
|
struct dentry *dentry;
|
|
struct path path;
|
|
struct qstr last;
|
|
int type;
|
|
struct inode *inode = NULL;
|
|
struct inode *delegated_inode = NULL;
|
|
unsigned int lookup_flags = 0;
|
|
retry:
|
|
name = filename_parentat(dfd, name, lookup_flags, &path, &last, &type);
|
|
if (IS_ERR(name))
|
|
return PTR_ERR(name);
|
|
|
|
error = -EISDIR;
|
|
if (type != LAST_NORM)
|
|
goto exit1;
|
|
|
|
error = mnt_want_write(path.mnt);
|
|
if (error)
|
|
goto exit1;
|
|
retry_deleg:
|
|
inode_lock_nested(path.dentry->d_inode, I_MUTEX_PARENT);
|
|
dentry = __lookup_hash(&last, path.dentry, lookup_flags);
|
|
error = PTR_ERR(dentry);
|
|
if (!IS_ERR(dentry)) {
|
|
struct user_namespace *mnt_userns;
|
|
|
|
/* Why not before? Because we want correct error value */
|
|
if (last.name[last.len])
|
|
goto slashes;
|
|
inode = dentry->d_inode;
|
|
if (d_is_negative(dentry))
|
|
goto slashes;
|
|
ihold(inode);
|
|
error = security_path_unlink(&path, dentry);
|
|
if (error)
|
|
goto exit2;
|
|
mnt_userns = mnt_user_ns(path.mnt);
|
|
error = vfs_unlink(mnt_userns, path.dentry->d_inode, dentry,
|
|
&delegated_inode);
|
|
exit2:
|
|
dput(dentry);
|
|
}
|
|
inode_unlock(path.dentry->d_inode);
|
|
if (inode)
|
|
iput(inode); /* truncate the inode here */
|
|
inode = NULL;
|
|
if (delegated_inode) {
|
|
error = break_deleg_wait(&delegated_inode);
|
|
if (!error)
|
|
goto retry_deleg;
|
|
}
|
|
mnt_drop_write(path.mnt);
|
|
exit1:
|
|
path_put(&path);
|
|
if (retry_estale(error, lookup_flags)) {
|
|
lookup_flags |= LOOKUP_REVAL;
|
|
inode = NULL;
|
|
goto retry;
|
|
}
|
|
putname(name);
|
|
return error;
|
|
|
|
slashes:
|
|
if (d_is_negative(dentry))
|
|
error = -ENOENT;
|
|
else if (d_is_dir(dentry))
|
|
error = -EISDIR;
|
|
else
|
|
error = -ENOTDIR;
|
|
goto exit2;
|
|
}
|
|
|
|
SYSCALL_DEFINE3(unlinkat, int, dfd, const char __user *, pathname, int, flag)
|
|
{
|
|
if ((flag & ~AT_REMOVEDIR) != 0)
|
|
return -EINVAL;
|
|
|
|
if (flag & AT_REMOVEDIR)
|
|
return do_rmdir(dfd, getname(pathname));
|
|
return do_unlinkat(dfd, getname(pathname));
|
|
}
|
|
|
|
SYSCALL_DEFINE1(unlink, const char __user *, pathname)
|
|
{
|
|
return do_unlinkat(AT_FDCWD, getname(pathname));
|
|
}
|
|
|
|
/**
|
|
* vfs_symlink - create symlink
|
|
* @mnt_userns: user namespace of the mount the inode was found from
|
|
* @dir: inode of @dentry
|
|
* @dentry: pointer to dentry of the base directory
|
|
* @oldname: name of the file to link to
|
|
*
|
|
* Create a symlink.
|
|
*
|
|
* If the inode has been found through an idmapped mount the user namespace of
|
|
* the vfsmount must be passed through @mnt_userns. This function will then take
|
|
* care to map the inode according to @mnt_userns before checking permissions.
|
|
* On non-idmapped mounts or if permission checking is to be performed on the
|
|
* raw inode simply passs init_user_ns.
|
|
*/
|
|
int vfs_symlink(struct user_namespace *mnt_userns, struct inode *dir,
|
|
struct dentry *dentry, const char *oldname)
|
|
{
|
|
int error = may_create(mnt_userns, dir, dentry);
|
|
|
|
if (error)
|
|
return error;
|
|
|
|
if (!dir->i_op->symlink)
|
|
return -EPERM;
|
|
|
|
error = security_inode_symlink(dir, dentry, oldname);
|
|
if (error)
|
|
return error;
|
|
|
|
error = dir->i_op->symlink(mnt_userns, dir, dentry, oldname);
|
|
if (!error)
|
|
fsnotify_create(dir, dentry);
|
|
return error;
|
|
}
|
|
EXPORT_SYMBOL(vfs_symlink);
|
|
|
|
static long do_symlinkat(const char __user *oldname, int newdfd,
|
|
const char __user *newname)
|
|
{
|
|
int error;
|
|
struct filename *from;
|
|
struct dentry *dentry;
|
|
struct path path;
|
|
unsigned int lookup_flags = 0;
|
|
|
|
from = getname(oldname);
|
|
if (IS_ERR(from))
|
|
return PTR_ERR(from);
|
|
retry:
|
|
dentry = user_path_create(newdfd, newname, &path, lookup_flags);
|
|
error = PTR_ERR(dentry);
|
|
if (IS_ERR(dentry))
|
|
goto out_putname;
|
|
|
|
error = security_path_symlink(&path, dentry, from->name);
|
|
if (!error) {
|
|
struct user_namespace *mnt_userns;
|
|
|
|
mnt_userns = mnt_user_ns(path.mnt);
|
|
error = vfs_symlink(mnt_userns, path.dentry->d_inode, dentry,
|
|
from->name);
|
|
}
|
|
done_path_create(&path, dentry);
|
|
if (retry_estale(error, lookup_flags)) {
|
|
lookup_flags |= LOOKUP_REVAL;
|
|
goto retry;
|
|
}
|
|
out_putname:
|
|
putname(from);
|
|
return error;
|
|
}
|
|
|
|
SYSCALL_DEFINE3(symlinkat, const char __user *, oldname,
|
|
int, newdfd, const char __user *, newname)
|
|
{
|
|
return do_symlinkat(oldname, newdfd, newname);
|
|
}
|
|
|
|
SYSCALL_DEFINE2(symlink, const char __user *, oldname, const char __user *, newname)
|
|
{
|
|
return do_symlinkat(oldname, AT_FDCWD, newname);
|
|
}
|
|
|
|
/**
|
|
* vfs_link - create a new link
|
|
* @old_dentry: object to be linked
|
|
* @mnt_userns: the user namespace of the mount
|
|
* @dir: new parent
|
|
* @new_dentry: where to create the new link
|
|
* @delegated_inode: returns inode needing a delegation break
|
|
*
|
|
* The caller must hold dir->i_mutex
|
|
*
|
|
* If vfs_link discovers a delegation on the to-be-linked file in need
|
|
* of breaking, it will return -EWOULDBLOCK and return a reference to the
|
|
* inode in delegated_inode. The caller should then break the delegation
|
|
* and retry. Because breaking a delegation may take a long time, the
|
|
* caller should drop the i_mutex before doing so.
|
|
*
|
|
* Alternatively, a caller may pass NULL for delegated_inode. This may
|
|
* be appropriate for callers that expect the underlying filesystem not
|
|
* to be NFS exported.
|
|
*
|
|
* If the inode has been found through an idmapped mount the user namespace of
|
|
* the vfsmount must be passed through @mnt_userns. This function will then take
|
|
* care to map the inode according to @mnt_userns before checking permissions.
|
|
* On non-idmapped mounts or if permission checking is to be performed on the
|
|
* raw inode simply passs init_user_ns.
|
|
*/
|
|
int vfs_link(struct dentry *old_dentry, struct user_namespace *mnt_userns,
|
|
struct inode *dir, struct dentry *new_dentry,
|
|
struct inode **delegated_inode)
|
|
{
|
|
struct inode *inode = old_dentry->d_inode;
|
|
unsigned max_links = dir->i_sb->s_max_links;
|
|
int error;
|
|
|
|
if (!inode)
|
|
return -ENOENT;
|
|
|
|
error = may_create(mnt_userns, dir, new_dentry);
|
|
if (error)
|
|
return error;
|
|
|
|
if (dir->i_sb != inode->i_sb)
|
|
return -EXDEV;
|
|
|
|
/*
|
|
* A link to an append-only or immutable file cannot be created.
|
|
*/
|
|
if (IS_APPEND(inode) || IS_IMMUTABLE(inode))
|
|
return -EPERM;
|
|
/*
|
|
* Updating the link count will likely cause i_uid and i_gid to
|
|
* be writen back improperly if their true value is unknown to
|
|
* the vfs.
|
|
*/
|
|
if (HAS_UNMAPPED_ID(mnt_userns, inode))
|
|
return -EPERM;
|
|
if (!dir->i_op->link)
|
|
return -EPERM;
|
|
if (S_ISDIR(inode->i_mode))
|
|
return -EPERM;
|
|
|
|
error = security_inode_link(old_dentry, dir, new_dentry);
|
|
if (error)
|
|
return error;
|
|
|
|
inode_lock(inode);
|
|
/* Make sure we don't allow creating hardlink to an unlinked file */
|
|
if (inode->i_nlink == 0 && !(inode->i_state & I_LINKABLE))
|
|
error = -ENOENT;
|
|
else if (max_links && inode->i_nlink >= max_links)
|
|
error = -EMLINK;
|
|
else {
|
|
error = try_break_deleg(inode, delegated_inode);
|
|
if (!error)
|
|
error = dir->i_op->link(old_dentry, dir, new_dentry);
|
|
}
|
|
|
|
if (!error && (inode->i_state & I_LINKABLE)) {
|
|
spin_lock(&inode->i_lock);
|
|
inode->i_state &= ~I_LINKABLE;
|
|
spin_unlock(&inode->i_lock);
|
|
}
|
|
inode_unlock(inode);
|
|
if (!error)
|
|
fsnotify_link(dir, inode, new_dentry);
|
|
return error;
|
|
}
|
|
EXPORT_SYMBOL(vfs_link);
|
|
|
|
/*
|
|
* Hardlinks are often used in delicate situations. We avoid
|
|
* security-related surprises by not following symlinks on the
|
|
* newname. --KAB
|
|
*
|
|
* We don't follow them on the oldname either to be compatible
|
|
* with linux 2.0, and to avoid hard-linking to directories
|
|
* and other special files. --ADM
|
|
*/
|
|
static int do_linkat(int olddfd, const char __user *oldname, int newdfd,
|
|
const char __user *newname, int flags)
|
|
{
|
|
struct user_namespace *mnt_userns;
|
|
struct dentry *new_dentry;
|
|
struct path old_path, new_path;
|
|
struct inode *delegated_inode = NULL;
|
|
int how = 0;
|
|
int error;
|
|
|
|
if ((flags & ~(AT_SYMLINK_FOLLOW | AT_EMPTY_PATH)) != 0)
|
|
return -EINVAL;
|
|
/*
|
|
* To use null names we require CAP_DAC_READ_SEARCH
|
|
* This ensures that not everyone will be able to create
|
|
* handlink using the passed filedescriptor.
|
|
*/
|
|
if (flags & AT_EMPTY_PATH) {
|
|
if (!capable(CAP_DAC_READ_SEARCH))
|
|
return -ENOENT;
|
|
how = LOOKUP_EMPTY;
|
|
}
|
|
|
|
if (flags & AT_SYMLINK_FOLLOW)
|
|
how |= LOOKUP_FOLLOW;
|
|
retry:
|
|
error = user_path_at(olddfd, oldname, how, &old_path);
|
|
if (error)
|
|
return error;
|
|
|
|
new_dentry = user_path_create(newdfd, newname, &new_path,
|
|
(how & LOOKUP_REVAL));
|
|
error = PTR_ERR(new_dentry);
|
|
if (IS_ERR(new_dentry))
|
|
goto out;
|
|
|
|
error = -EXDEV;
|
|
if (old_path.mnt != new_path.mnt)
|
|
goto out_dput;
|
|
mnt_userns = mnt_user_ns(new_path.mnt);
|
|
error = may_linkat(mnt_userns, &old_path);
|
|
if (unlikely(error))
|
|
goto out_dput;
|
|
error = security_path_link(old_path.dentry, &new_path, new_dentry);
|
|
if (error)
|
|
goto out_dput;
|
|
error = vfs_link(old_path.dentry, mnt_userns, new_path.dentry->d_inode,
|
|
new_dentry, &delegated_inode);
|
|
out_dput:
|
|
done_path_create(&new_path, new_dentry);
|
|
if (delegated_inode) {
|
|
error = break_deleg_wait(&delegated_inode);
|
|
if (!error) {
|
|
path_put(&old_path);
|
|
goto retry;
|
|
}
|
|
}
|
|
if (retry_estale(error, how)) {
|
|
path_put(&old_path);
|
|
how |= LOOKUP_REVAL;
|
|
goto retry;
|
|
}
|
|
out:
|
|
path_put(&old_path);
|
|
|
|
return error;
|
|
}
|
|
|
|
SYSCALL_DEFINE5(linkat, int, olddfd, const char __user *, oldname,
|
|
int, newdfd, const char __user *, newname, int, flags)
|
|
{
|
|
return do_linkat(olddfd, oldname, newdfd, newname, flags);
|
|
}
|
|
|
|
SYSCALL_DEFINE2(link, const char __user *, oldname, const char __user *, newname)
|
|
{
|
|
return do_linkat(AT_FDCWD, oldname, AT_FDCWD, newname, 0);
|
|
}
|
|
|
|
/**
|
|
* vfs_rename - rename a filesystem object
|
|
* @old_mnt_userns: old user namespace of the mount the inode was found from
|
|
* @old_dir: parent of source
|
|
* @old_dentry: source
|
|
* @new_mnt_userns: new user namespace of the mount the inode was found from
|
|
* @new_dir: parent of destination
|
|
* @new_dentry: destination
|
|
* @delegated_inode: returns an inode needing a delegation break
|
|
* @flags: rename flags
|
|
*
|
|
* The caller must hold multiple mutexes--see lock_rename()).
|
|
*
|
|
* If vfs_rename discovers a delegation in need of breaking at either
|
|
* the source or destination, it will return -EWOULDBLOCK and return a
|
|
* reference to the inode in delegated_inode. The caller should then
|
|
* break the delegation and retry. Because breaking a delegation may
|
|
* take a long time, the caller should drop all locks before doing
|
|
* so.
|
|
*
|
|
* Alternatively, a caller may pass NULL for delegated_inode. This may
|
|
* be appropriate for callers that expect the underlying filesystem not
|
|
* to be NFS exported.
|
|
*
|
|
* The worst of all namespace operations - renaming directory. "Perverted"
|
|
* doesn't even start to describe it. Somebody in UCB had a heck of a trip...
|
|
* Problems:
|
|
*
|
|
* a) we can get into loop creation.
|
|
* b) race potential - two innocent renames can create a loop together.
|
|
* That's where 4.4 screws up. Current fix: serialization on
|
|
* sb->s_vfs_rename_mutex. We might be more accurate, but that's another
|
|
* story.
|
|
* c) we have to lock _four_ objects - parents and victim (if it exists),
|
|
* and source (if it is not a directory).
|
|
* And that - after we got ->i_mutex on parents (until then we don't know
|
|
* whether the target exists). Solution: try to be smart with locking
|
|
* order for inodes. We rely on the fact that tree topology may change
|
|
* only under ->s_vfs_rename_mutex _and_ that parent of the object we
|
|
* move will be locked. Thus we can rank directories by the tree
|
|
* (ancestors first) and rank all non-directories after them.
|
|
* That works since everybody except rename does "lock parent, lookup,
|
|
* lock child" and rename is under ->s_vfs_rename_mutex.
|
|
* HOWEVER, it relies on the assumption that any object with ->lookup()
|
|
* has no more than 1 dentry. If "hybrid" objects will ever appear,
|
|
* we'd better make sure that there's no link(2) for them.
|
|
* d) conversion from fhandle to dentry may come in the wrong moment - when
|
|
* we are removing the target. Solution: we will have to grab ->i_mutex
|
|
* in the fhandle_to_dentry code. [FIXME - current nfsfh.c relies on
|
|
* ->i_mutex on parents, which works but leads to some truly excessive
|
|
* locking].
|
|
*/
|
|
int vfs_rename(struct renamedata *rd)
|
|
{
|
|
int error;
|
|
struct inode *old_dir = rd->old_dir, *new_dir = rd->new_dir;
|
|
struct dentry *old_dentry = rd->old_dentry;
|
|
struct dentry *new_dentry = rd->new_dentry;
|
|
struct inode **delegated_inode = rd->delegated_inode;
|
|
unsigned int flags = rd->flags;
|
|
bool is_dir = d_is_dir(old_dentry);
|
|
struct inode *source = old_dentry->d_inode;
|
|
struct inode *target = new_dentry->d_inode;
|
|
bool new_is_dir = false;
|
|
unsigned max_links = new_dir->i_sb->s_max_links;
|
|
struct name_snapshot old_name;
|
|
|
|
if (source == target)
|
|
return 0;
|
|
|
|
error = may_delete(rd->old_mnt_userns, old_dir, old_dentry, is_dir);
|
|
if (error)
|
|
return error;
|
|
|
|
if (!target) {
|
|
error = may_create(rd->new_mnt_userns, new_dir, new_dentry);
|
|
} else {
|
|
new_is_dir = d_is_dir(new_dentry);
|
|
|
|
if (!(flags & RENAME_EXCHANGE))
|
|
error = may_delete(rd->new_mnt_userns, new_dir,
|
|
new_dentry, is_dir);
|
|
else
|
|
error = may_delete(rd->new_mnt_userns, new_dir,
|
|
new_dentry, new_is_dir);
|
|
}
|
|
if (error)
|
|
return error;
|
|
|
|
if (!old_dir->i_op->rename)
|
|
return -EPERM;
|
|
|
|
/*
|
|
* If we are going to change the parent - check write permissions,
|
|
* we'll need to flip '..'.
|
|
*/
|
|
if (new_dir != old_dir) {
|
|
if (is_dir) {
|
|
error = inode_permission(rd->old_mnt_userns, source,
|
|
MAY_WRITE);
|
|
if (error)
|
|
return error;
|
|
}
|
|
if ((flags & RENAME_EXCHANGE) && new_is_dir) {
|
|
error = inode_permission(rd->new_mnt_userns, target,
|
|
MAY_WRITE);
|
|
if (error)
|
|
return error;
|
|
}
|
|
}
|
|
|
|
error = security_inode_rename(old_dir, old_dentry, new_dir, new_dentry,
|
|
flags);
|
|
if (error)
|
|
return error;
|
|
|
|
take_dentry_name_snapshot(&old_name, old_dentry);
|
|
dget(new_dentry);
|
|
if (!is_dir || (flags & RENAME_EXCHANGE))
|
|
lock_two_nondirectories(source, target);
|
|
else if (target)
|
|
inode_lock(target);
|
|
|
|
error = -EBUSY;
|
|
if (is_local_mountpoint(old_dentry) || is_local_mountpoint(new_dentry))
|
|
goto out;
|
|
|
|
if (max_links && new_dir != old_dir) {
|
|
error = -EMLINK;
|
|
if (is_dir && !new_is_dir && new_dir->i_nlink >= max_links)
|
|
goto out;
|
|
if ((flags & RENAME_EXCHANGE) && !is_dir && new_is_dir &&
|
|
old_dir->i_nlink >= max_links)
|
|
goto out;
|
|
}
|
|
if (!is_dir) {
|
|
error = try_break_deleg(source, delegated_inode);
|
|
if (error)
|
|
goto out;
|
|
}
|
|
if (target && !new_is_dir) {
|
|
error = try_break_deleg(target, delegated_inode);
|
|
if (error)
|
|
goto out;
|
|
}
|
|
error = old_dir->i_op->rename(rd->new_mnt_userns, old_dir, old_dentry,
|
|
new_dir, new_dentry, flags);
|
|
if (error)
|
|
goto out;
|
|
|
|
if (!(flags & RENAME_EXCHANGE) && target) {
|
|
if (is_dir) {
|
|
shrink_dcache_parent(new_dentry);
|
|
target->i_flags |= S_DEAD;
|
|
}
|
|
dont_mount(new_dentry);
|
|
detach_mounts(new_dentry);
|
|
}
|
|
if (!(old_dir->i_sb->s_type->fs_flags & FS_RENAME_DOES_D_MOVE)) {
|
|
if (!(flags & RENAME_EXCHANGE))
|
|
d_move(old_dentry, new_dentry);
|
|
else
|
|
d_exchange(old_dentry, new_dentry);
|
|
}
|
|
out:
|
|
if (!is_dir || (flags & RENAME_EXCHANGE))
|
|
unlock_two_nondirectories(source, target);
|
|
else if (target)
|
|
inode_unlock(target);
|
|
dput(new_dentry);
|
|
if (!error) {
|
|
fsnotify_move(old_dir, new_dir, &old_name.name, is_dir,
|
|
!(flags & RENAME_EXCHANGE) ? target : NULL, old_dentry);
|
|
if (flags & RENAME_EXCHANGE) {
|
|
fsnotify_move(new_dir, old_dir, &old_dentry->d_name,
|
|
new_is_dir, NULL, new_dentry);
|
|
}
|
|
}
|
|
release_dentry_name_snapshot(&old_name);
|
|
|
|
return error;
|
|
}
|
|
EXPORT_SYMBOL(vfs_rename);
|
|
|
|
int do_renameat2(int olddfd, struct filename *from, int newdfd,
|
|
struct filename *to, unsigned int flags)
|
|
{
|
|
struct renamedata rd;
|
|
struct dentry *old_dentry, *new_dentry;
|
|
struct dentry *trap;
|
|
struct path old_path, new_path;
|
|
struct qstr old_last, new_last;
|
|
int old_type, new_type;
|
|
struct inode *delegated_inode = NULL;
|
|
unsigned int lookup_flags = 0, target_flags = LOOKUP_RENAME_TARGET;
|
|
bool should_retry = false;
|
|
int error = -EINVAL;
|
|
|
|
if (flags & ~(RENAME_NOREPLACE | RENAME_EXCHANGE | RENAME_WHITEOUT))
|
|
goto put_both;
|
|
|
|
if ((flags & (RENAME_NOREPLACE | RENAME_WHITEOUT)) &&
|
|
(flags & RENAME_EXCHANGE))
|
|
goto put_both;
|
|
|
|
if (flags & RENAME_EXCHANGE)
|
|
target_flags = 0;
|
|
|
|
retry:
|
|
from = filename_parentat(olddfd, from, lookup_flags, &old_path,
|
|
&old_last, &old_type);
|
|
if (IS_ERR(from)) {
|
|
error = PTR_ERR(from);
|
|
goto put_new;
|
|
}
|
|
|
|
to = filename_parentat(newdfd, to, lookup_flags, &new_path, &new_last,
|
|
&new_type);
|
|
if (IS_ERR(to)) {
|
|
error = PTR_ERR(to);
|
|
goto exit1;
|
|
}
|
|
|
|
error = -EXDEV;
|
|
if (old_path.mnt != new_path.mnt)
|
|
goto exit2;
|
|
|
|
error = -EBUSY;
|
|
if (old_type != LAST_NORM)
|
|
goto exit2;
|
|
|
|
if (flags & RENAME_NOREPLACE)
|
|
error = -EEXIST;
|
|
if (new_type != LAST_NORM)
|
|
goto exit2;
|
|
|
|
error = mnt_want_write(old_path.mnt);
|
|
if (error)
|
|
goto exit2;
|
|
|
|
retry_deleg:
|
|
trap = lock_rename(new_path.dentry, old_path.dentry);
|
|
|
|
old_dentry = __lookup_hash(&old_last, old_path.dentry, lookup_flags);
|
|
error = PTR_ERR(old_dentry);
|
|
if (IS_ERR(old_dentry))
|
|
goto exit3;
|
|
/* source must exist */
|
|
error = -ENOENT;
|
|
if (d_is_negative(old_dentry))
|
|
goto exit4;
|
|
new_dentry = __lookup_hash(&new_last, new_path.dentry, lookup_flags | target_flags);
|
|
error = PTR_ERR(new_dentry);
|
|
if (IS_ERR(new_dentry))
|
|
goto exit4;
|
|
error = -EEXIST;
|
|
if ((flags & RENAME_NOREPLACE) && d_is_positive(new_dentry))
|
|
goto exit5;
|
|
if (flags & RENAME_EXCHANGE) {
|
|
error = -ENOENT;
|
|
if (d_is_negative(new_dentry))
|
|
goto exit5;
|
|
|
|
if (!d_is_dir(new_dentry)) {
|
|
error = -ENOTDIR;
|
|
if (new_last.name[new_last.len])
|
|
goto exit5;
|
|
}
|
|
}
|
|
/* unless the source is a directory trailing slashes give -ENOTDIR */
|
|
if (!d_is_dir(old_dentry)) {
|
|
error = -ENOTDIR;
|
|
if (old_last.name[old_last.len])
|
|
goto exit5;
|
|
if (!(flags & RENAME_EXCHANGE) && new_last.name[new_last.len])
|
|
goto exit5;
|
|
}
|
|
/* source should not be ancestor of target */
|
|
error = -EINVAL;
|
|
if (old_dentry == trap)
|
|
goto exit5;
|
|
/* target should not be an ancestor of source */
|
|
if (!(flags & RENAME_EXCHANGE))
|
|
error = -ENOTEMPTY;
|
|
if (new_dentry == trap)
|
|
goto exit5;
|
|
|
|
error = security_path_rename(&old_path, old_dentry,
|
|
&new_path, new_dentry, flags);
|
|
if (error)
|
|
goto exit5;
|
|
|
|
rd.old_dir = old_path.dentry->d_inode;
|
|
rd.old_dentry = old_dentry;
|
|
rd.old_mnt_userns = mnt_user_ns(old_path.mnt);
|
|
rd.new_dir = new_path.dentry->d_inode;
|
|
rd.new_dentry = new_dentry;
|
|
rd.new_mnt_userns = mnt_user_ns(new_path.mnt);
|
|
rd.delegated_inode = &delegated_inode;
|
|
rd.flags = flags;
|
|
error = vfs_rename(&rd);
|
|
exit5:
|
|
dput(new_dentry);
|
|
exit4:
|
|
dput(old_dentry);
|
|
exit3:
|
|
unlock_rename(new_path.dentry, old_path.dentry);
|
|
if (delegated_inode) {
|
|
error = break_deleg_wait(&delegated_inode);
|
|
if (!error)
|
|
goto retry_deleg;
|
|
}
|
|
mnt_drop_write(old_path.mnt);
|
|
exit2:
|
|
if (retry_estale(error, lookup_flags))
|
|
should_retry = true;
|
|
path_put(&new_path);
|
|
exit1:
|
|
path_put(&old_path);
|
|
if (should_retry) {
|
|
should_retry = false;
|
|
lookup_flags |= LOOKUP_REVAL;
|
|
goto retry;
|
|
}
|
|
put_both:
|
|
if (!IS_ERR(from))
|
|
putname(from);
|
|
put_new:
|
|
if (!IS_ERR(to))
|
|
putname(to);
|
|
return error;
|
|
}
|
|
|
|
SYSCALL_DEFINE5(renameat2, int, olddfd, const char __user *, oldname,
|
|
int, newdfd, const char __user *, newname, unsigned int, flags)
|
|
{
|
|
return do_renameat2(olddfd, getname(oldname), newdfd, getname(newname),
|
|
flags);
|
|
}
|
|
|
|
SYSCALL_DEFINE4(renameat, int, olddfd, const char __user *, oldname,
|
|
int, newdfd, const char __user *, newname)
|
|
{
|
|
return do_renameat2(olddfd, getname(oldname), newdfd, getname(newname),
|
|
0);
|
|
}
|
|
|
|
SYSCALL_DEFINE2(rename, const char __user *, oldname, const char __user *, newname)
|
|
{
|
|
return do_renameat2(AT_FDCWD, getname(oldname), AT_FDCWD,
|
|
getname(newname), 0);
|
|
}
|
|
|
|
int readlink_copy(char __user *buffer, int buflen, const char *link)
|
|
{
|
|
int len = PTR_ERR(link);
|
|
if (IS_ERR(link))
|
|
goto out;
|
|
|
|
len = strlen(link);
|
|
if (len > (unsigned) buflen)
|
|
len = buflen;
|
|
if (copy_to_user(buffer, link, len))
|
|
len = -EFAULT;
|
|
out:
|
|
return len;
|
|
}
|
|
|
|
/**
|
|
* vfs_readlink - copy symlink body into userspace buffer
|
|
* @dentry: dentry on which to get symbolic link
|
|
* @buffer: user memory pointer
|
|
* @buflen: size of buffer
|
|
*
|
|
* Does not touch atime. That's up to the caller if necessary
|
|
*
|
|
* Does not call security hook.
|
|
*/
|
|
int vfs_readlink(struct dentry *dentry, char __user *buffer, int buflen)
|
|
{
|
|
struct inode *inode = d_inode(dentry);
|
|
DEFINE_DELAYED_CALL(done);
|
|
const char *link;
|
|
int res;
|
|
|
|
if (unlikely(!(inode->i_opflags & IOP_DEFAULT_READLINK))) {
|
|
if (unlikely(inode->i_op->readlink))
|
|
return inode->i_op->readlink(dentry, buffer, buflen);
|
|
|
|
if (!d_is_symlink(dentry))
|
|
return -EINVAL;
|
|
|
|
spin_lock(&inode->i_lock);
|
|
inode->i_opflags |= IOP_DEFAULT_READLINK;
|
|
spin_unlock(&inode->i_lock);
|
|
}
|
|
|
|
link = READ_ONCE(inode->i_link);
|
|
if (!link) {
|
|
link = inode->i_op->get_link(dentry, inode, &done);
|
|
if (IS_ERR(link))
|
|
return PTR_ERR(link);
|
|
}
|
|
res = readlink_copy(buffer, buflen, link);
|
|
do_delayed_call(&done);
|
|
return res;
|
|
}
|
|
EXPORT_SYMBOL(vfs_readlink);
|
|
|
|
/**
|
|
* vfs_get_link - get symlink body
|
|
* @dentry: dentry on which to get symbolic link
|
|
* @done: caller needs to free returned data with this
|
|
*
|
|
* Calls security hook and i_op->get_link() on the supplied inode.
|
|
*
|
|
* It does not touch atime. That's up to the caller if necessary.
|
|
*
|
|
* Does not work on "special" symlinks like /proc/$$/fd/N
|
|
*/
|
|
const char *vfs_get_link(struct dentry *dentry, struct delayed_call *done)
|
|
{
|
|
const char *res = ERR_PTR(-EINVAL);
|
|
struct inode *inode = d_inode(dentry);
|
|
|
|
if (d_is_symlink(dentry)) {
|
|
res = ERR_PTR(security_inode_readlink(dentry));
|
|
if (!res)
|
|
res = inode->i_op->get_link(dentry, inode, done);
|
|
}
|
|
return res;
|
|
}
|
|
EXPORT_SYMBOL(vfs_get_link);
|
|
|
|
/* get the link contents into pagecache */
|
|
const char *page_get_link(struct dentry *dentry, struct inode *inode,
|
|
struct delayed_call *callback)
|
|
{
|
|
char *kaddr;
|
|
struct page *page;
|
|
struct address_space *mapping = inode->i_mapping;
|
|
|
|
if (!dentry) {
|
|
page = find_get_page(mapping, 0);
|
|
if (!page)
|
|
return ERR_PTR(-ECHILD);
|
|
if (!PageUptodate(page)) {
|
|
put_page(page);
|
|
return ERR_PTR(-ECHILD);
|
|
}
|
|
} else {
|
|
page = read_mapping_page(mapping, 0, NULL);
|
|
if (IS_ERR(page))
|
|
return (char*)page;
|
|
}
|
|
set_delayed_call(callback, page_put_link, page);
|
|
BUG_ON(mapping_gfp_mask(mapping) & __GFP_HIGHMEM);
|
|
kaddr = page_address(page);
|
|
nd_terminate_link(kaddr, inode->i_size, PAGE_SIZE - 1);
|
|
return kaddr;
|
|
}
|
|
|
|
EXPORT_SYMBOL(page_get_link);
|
|
|
|
void page_put_link(void *arg)
|
|
{
|
|
put_page(arg);
|
|
}
|
|
EXPORT_SYMBOL(page_put_link);
|
|
|
|
int page_readlink(struct dentry *dentry, char __user *buffer, int buflen)
|
|
{
|
|
DEFINE_DELAYED_CALL(done);
|
|
int res = readlink_copy(buffer, buflen,
|
|
page_get_link(dentry, d_inode(dentry),
|
|
&done));
|
|
do_delayed_call(&done);
|
|
return res;
|
|
}
|
|
EXPORT_SYMBOL(page_readlink);
|
|
|
|
/*
|
|
* The nofs argument instructs pagecache_write_begin to pass AOP_FLAG_NOFS
|
|
*/
|
|
int __page_symlink(struct inode *inode, const char *symname, int len, int nofs)
|
|
{
|
|
struct address_space *mapping = inode->i_mapping;
|
|
struct page *page;
|
|
void *fsdata;
|
|
int err;
|
|
unsigned int flags = 0;
|
|
if (nofs)
|
|
flags |= AOP_FLAG_NOFS;
|
|
|
|
retry:
|
|
err = pagecache_write_begin(NULL, mapping, 0, len-1,
|
|
flags, &page, &fsdata);
|
|
if (err)
|
|
goto fail;
|
|
|
|
memcpy(page_address(page), symname, len-1);
|
|
|
|
err = pagecache_write_end(NULL, mapping, 0, len-1, len-1,
|
|
page, fsdata);
|
|
if (err < 0)
|
|
goto fail;
|
|
if (err < len-1)
|
|
goto retry;
|
|
|
|
mark_inode_dirty(inode);
|
|
return 0;
|
|
fail:
|
|
return err;
|
|
}
|
|
EXPORT_SYMBOL(__page_symlink);
|
|
|
|
int page_symlink(struct inode *inode, const char *symname, int len)
|
|
{
|
|
return __page_symlink(inode, symname, len,
|
|
!mapping_gfp_constraint(inode->i_mapping, __GFP_FS));
|
|
}
|
|
EXPORT_SYMBOL(page_symlink);
|
|
|
|
const struct inode_operations page_symlink_inode_operations = {
|
|
.get_link = page_get_link,
|
|
};
|
|
EXPORT_SYMBOL(page_symlink_inode_operations);
|