1 | // SPDX-License-Identifier: GPL-2.0 |
2 | /* |
3 | * Copyright (C) 2007 Red Hat. All rights reserved. |
4 | */ |
5 | |
6 | #include <linux/init.h> |
7 | #include <linux/fs.h> |
8 | #include <linux/slab.h> |
9 | #include <linux/rwsem.h> |
10 | #include <linux/xattr.h> |
11 | #include <linux/security.h> |
12 | #include <linux/posix_acl_xattr.h> |
13 | #include <linux/iversion.h> |
14 | #include <linux/sched/mm.h> |
15 | #include "ctree.h" |
16 | #include "fs.h" |
17 | #include "messages.h" |
18 | #include "btrfs_inode.h" |
19 | #include "transaction.h" |
20 | #include "xattr.h" |
21 | #include "disk-io.h" |
22 | #include "props.h" |
23 | #include "locking.h" |
24 | #include "accessors.h" |
25 | #include "dir-item.h" |
26 | |
27 | int btrfs_getxattr(struct inode *inode, const char *name, |
28 | void *buffer, size_t size) |
29 | { |
30 | struct btrfs_dir_item *di; |
31 | struct btrfs_root *root = BTRFS_I(inode)->root; |
32 | struct btrfs_path *path; |
33 | struct extent_buffer *leaf; |
34 | int ret = 0; |
35 | unsigned long data_ptr; |
36 | |
37 | path = btrfs_alloc_path(); |
38 | if (!path) |
39 | return -ENOMEM; |
40 | |
41 | /* lookup the xattr by name */ |
42 | di = btrfs_lookup_xattr(NULL, root, path, dir: btrfs_ino(inode: BTRFS_I(inode)), |
43 | name, strlen(name), mod: 0); |
44 | if (!di) { |
45 | ret = -ENODATA; |
46 | goto out; |
47 | } else if (IS_ERR(ptr: di)) { |
48 | ret = PTR_ERR(ptr: di); |
49 | goto out; |
50 | } |
51 | |
52 | leaf = path->nodes[0]; |
53 | /* if size is 0, that means we want the size of the attr */ |
54 | if (!size) { |
55 | ret = btrfs_dir_data_len(eb: leaf, s: di); |
56 | goto out; |
57 | } |
58 | |
59 | /* now get the data out of our dir_item */ |
60 | if (btrfs_dir_data_len(eb: leaf, s: di) > size) { |
61 | ret = -ERANGE; |
62 | goto out; |
63 | } |
64 | |
65 | /* |
66 | * The way things are packed into the leaf is like this |
67 | * |struct btrfs_dir_item|name|data| |
68 | * where name is the xattr name, so security.foo, and data is the |
69 | * content of the xattr. data_ptr points to the location in memory |
70 | * where the data starts in the in memory leaf |
71 | */ |
72 | data_ptr = (unsigned long)((char *)(di + 1) + |
73 | btrfs_dir_name_len(eb: leaf, s: di)); |
74 | read_extent_buffer(eb: leaf, dst: buffer, start: data_ptr, |
75 | len: btrfs_dir_data_len(eb: leaf, s: di)); |
76 | ret = btrfs_dir_data_len(eb: leaf, s: di); |
77 | |
78 | out: |
79 | btrfs_free_path(p: path); |
80 | return ret; |
81 | } |
82 | |
83 | int btrfs_setxattr(struct btrfs_trans_handle *trans, struct inode *inode, |
84 | const char *name, const void *value, size_t size, int flags) |
85 | { |
86 | struct btrfs_dir_item *di = NULL; |
87 | struct btrfs_root *root = BTRFS_I(inode)->root; |
88 | struct btrfs_fs_info *fs_info = root->fs_info; |
89 | struct btrfs_path *path; |
90 | size_t name_len = strlen(name); |
91 | int ret = 0; |
92 | |
93 | ASSERT(trans); |
94 | |
95 | if (name_len + size > BTRFS_MAX_XATTR_SIZE(info: root->fs_info)) |
96 | return -ENOSPC; |
97 | |
98 | path = btrfs_alloc_path(); |
99 | if (!path) |
100 | return -ENOMEM; |
101 | path->skip_release_on_error = 1; |
102 | |
103 | if (!value) { |
104 | di = btrfs_lookup_xattr(trans, root, path, |
105 | dir: btrfs_ino(inode: BTRFS_I(inode)), name, name_len, mod: -1); |
106 | if (!di && (flags & XATTR_REPLACE)) |
107 | ret = -ENODATA; |
108 | else if (IS_ERR(ptr: di)) |
109 | ret = PTR_ERR(ptr: di); |
110 | else if (di) |
111 | ret = btrfs_delete_one_dir_name(trans, root, path, di); |
112 | goto out; |
113 | } |
114 | |
115 | /* |
116 | * For a replace we can't just do the insert blindly. |
117 | * Do a lookup first (read-only btrfs_search_slot), and return if xattr |
118 | * doesn't exist. If it exists, fall down below to the insert/replace |
119 | * path - we can't race with a concurrent xattr delete, because the VFS |
120 | * locks the inode's i_mutex before calling setxattr or removexattr. |
121 | */ |
122 | if (flags & XATTR_REPLACE) { |
123 | ASSERT(inode_is_locked(inode)); |
124 | di = btrfs_lookup_xattr(NULL, root, path, |
125 | dir: btrfs_ino(inode: BTRFS_I(inode)), name, name_len, mod: 0); |
126 | if (!di) |
127 | ret = -ENODATA; |
128 | else if (IS_ERR(ptr: di)) |
129 | ret = PTR_ERR(ptr: di); |
130 | if (ret) |
131 | goto out; |
132 | btrfs_release_path(p: path); |
133 | di = NULL; |
134 | } |
135 | |
136 | ret = btrfs_insert_xattr_item(trans, root, path, objectid: btrfs_ino(inode: BTRFS_I(inode)), |
137 | name, name_len, data: value, data_len: size); |
138 | if (ret == -EOVERFLOW) { |
139 | /* |
140 | * We have an existing item in a leaf, split_leaf couldn't |
141 | * expand it. That item might have or not a dir_item that |
142 | * matches our target xattr, so lets check. |
143 | */ |
144 | ret = 0; |
145 | btrfs_assert_tree_write_locked(eb: path->nodes[0]); |
146 | di = btrfs_match_dir_item_name(fs_info, path, name, name_len); |
147 | if (!di && !(flags & XATTR_REPLACE)) { |
148 | ret = -ENOSPC; |
149 | goto out; |
150 | } |
151 | } else if (ret == -EEXIST) { |
152 | ret = 0; |
153 | di = btrfs_match_dir_item_name(fs_info, path, name, name_len); |
154 | ASSERT(di); /* logic error */ |
155 | } else if (ret) { |
156 | goto out; |
157 | } |
158 | |
159 | if (di && (flags & XATTR_CREATE)) { |
160 | ret = -EEXIST; |
161 | goto out; |
162 | } |
163 | |
164 | if (di) { |
165 | /* |
166 | * We're doing a replace, and it must be atomic, that is, at |
167 | * any point in time we have either the old or the new xattr |
168 | * value in the tree. We don't want readers (getxattr and |
169 | * listxattrs) to miss a value, this is specially important |
170 | * for ACLs. |
171 | */ |
172 | const int slot = path->slots[0]; |
173 | struct extent_buffer *leaf = path->nodes[0]; |
174 | const u16 old_data_len = btrfs_dir_data_len(eb: leaf, s: di); |
175 | const u32 item_size = btrfs_item_size(eb: leaf, slot); |
176 | const u32 data_size = sizeof(*di) + name_len + size; |
177 | unsigned long data_ptr; |
178 | char *ptr; |
179 | |
180 | if (size > old_data_len) { |
181 | if (btrfs_leaf_free_space(leaf) < |
182 | (size - old_data_len)) { |
183 | ret = -ENOSPC; |
184 | goto out; |
185 | } |
186 | } |
187 | |
188 | if (old_data_len + name_len + sizeof(*di) == item_size) { |
189 | /* No other xattrs packed in the same leaf item. */ |
190 | if (size > old_data_len) |
191 | btrfs_extend_item(trans, path, data_size: size - old_data_len); |
192 | else if (size < old_data_len) |
193 | btrfs_truncate_item(trans, path, new_size: data_size, from_end: 1); |
194 | } else { |
195 | /* There are other xattrs packed in the same item. */ |
196 | ret = btrfs_delete_one_dir_name(trans, root, path, di); |
197 | if (ret) |
198 | goto out; |
199 | btrfs_extend_item(trans, path, data_size); |
200 | } |
201 | |
202 | ptr = btrfs_item_ptr(leaf, slot, char); |
203 | ptr += btrfs_item_size(eb: leaf, slot) - data_size; |
204 | di = (struct btrfs_dir_item *)ptr; |
205 | btrfs_set_dir_data_len(eb: leaf, s: di, val: size); |
206 | data_ptr = ((unsigned long)(di + 1)) + name_len; |
207 | write_extent_buffer(eb: leaf, src: value, start: data_ptr, len: size); |
208 | btrfs_mark_buffer_dirty(trans, buf: leaf); |
209 | } else { |
210 | /* |
211 | * Insert, and we had space for the xattr, so path->slots[0] is |
212 | * where our xattr dir_item is and btrfs_insert_xattr_item() |
213 | * filled it. |
214 | */ |
215 | } |
216 | out: |
217 | btrfs_free_path(p: path); |
218 | if (!ret) { |
219 | set_bit(nr: BTRFS_INODE_COPY_EVERYTHING, |
220 | addr: &BTRFS_I(inode)->runtime_flags); |
221 | clear_bit(nr: BTRFS_INODE_NO_XATTRS, addr: &BTRFS_I(inode)->runtime_flags); |
222 | } |
223 | return ret; |
224 | } |
225 | |
226 | /* |
227 | * @value: "" makes the attribute to empty, NULL removes it |
228 | */ |
229 | int btrfs_setxattr_trans(struct inode *inode, const char *name, |
230 | const void *value, size_t size, int flags) |
231 | { |
232 | struct btrfs_root *root = BTRFS_I(inode)->root; |
233 | struct btrfs_trans_handle *trans; |
234 | const bool start_trans = (current->journal_info == NULL); |
235 | int ret; |
236 | |
237 | if (start_trans) { |
238 | /* |
239 | * 1 unit for inserting/updating/deleting the xattr |
240 | * 1 unit for the inode item update |
241 | */ |
242 | trans = btrfs_start_transaction(root, num_items: 2); |
243 | if (IS_ERR(ptr: trans)) |
244 | return PTR_ERR(ptr: trans); |
245 | } else { |
246 | /* |
247 | * This can happen when smack is enabled and a directory is being |
248 | * created. It happens through d_instantiate_new(), which calls |
249 | * smack_d_instantiate(), which in turn calls __vfs_setxattr() to |
250 | * set the transmute xattr (XATTR_NAME_SMACKTRANSMUTE) on the |
251 | * inode. We have already reserved space for the xattr and inode |
252 | * update at btrfs_mkdir(), so just use the transaction handle. |
253 | * We don't join or start a transaction, as that will reset the |
254 | * block_rsv of the handle and trigger a warning for the start |
255 | * case. |
256 | */ |
257 | ASSERT(strncmp(name, XATTR_SECURITY_PREFIX, |
258 | XATTR_SECURITY_PREFIX_LEN) == 0); |
259 | trans = current->journal_info; |
260 | } |
261 | |
262 | ret = btrfs_setxattr(trans, inode, name, value, size, flags); |
263 | if (ret) |
264 | goto out; |
265 | |
266 | inode_inc_iversion(inode); |
267 | inode_set_ctime_current(inode); |
268 | ret = btrfs_update_inode(trans, inode: BTRFS_I(inode)); |
269 | if (ret) |
270 | btrfs_abort_transaction(trans, ret); |
271 | out: |
272 | if (start_trans) |
273 | btrfs_end_transaction(trans); |
274 | return ret; |
275 | } |
276 | |
277 | ssize_t btrfs_listxattr(struct dentry *dentry, char *buffer, size_t size) |
278 | { |
279 | struct btrfs_key found_key; |
280 | struct btrfs_key key; |
281 | struct inode *inode = d_inode(dentry); |
282 | struct btrfs_root *root = BTRFS_I(inode)->root; |
283 | struct btrfs_path *path; |
284 | int iter_ret = 0; |
285 | int ret = 0; |
286 | size_t total_size = 0, size_left = size; |
287 | |
288 | /* |
289 | * ok we want all objects associated with this id. |
290 | * NOTE: we set key.offset = 0; because we want to start with the |
291 | * first xattr that we find and walk forward |
292 | */ |
293 | key.objectid = btrfs_ino(inode: BTRFS_I(inode)); |
294 | key.type = BTRFS_XATTR_ITEM_KEY; |
295 | key.offset = 0; |
296 | |
297 | path = btrfs_alloc_path(); |
298 | if (!path) |
299 | return -ENOMEM; |
300 | path->reada = READA_FORWARD; |
301 | |
302 | /* search for our xattrs */ |
303 | btrfs_for_each_slot(root, &key, &found_key, path, iter_ret) { |
304 | struct extent_buffer *leaf; |
305 | int slot; |
306 | struct btrfs_dir_item *di; |
307 | u32 item_size; |
308 | u32 cur; |
309 | |
310 | leaf = path->nodes[0]; |
311 | slot = path->slots[0]; |
312 | |
313 | /* check to make sure this item is what we want */ |
314 | if (found_key.objectid != key.objectid) |
315 | break; |
316 | if (found_key.type > BTRFS_XATTR_ITEM_KEY) |
317 | break; |
318 | if (found_key.type < BTRFS_XATTR_ITEM_KEY) |
319 | continue; |
320 | |
321 | di = btrfs_item_ptr(leaf, slot, struct btrfs_dir_item); |
322 | item_size = btrfs_item_size(eb: leaf, slot); |
323 | cur = 0; |
324 | while (cur < item_size) { |
325 | u16 name_len = btrfs_dir_name_len(eb: leaf, s: di); |
326 | u16 data_len = btrfs_dir_data_len(eb: leaf, s: di); |
327 | u32 this_len = sizeof(*di) + name_len + data_len; |
328 | unsigned long name_ptr = (unsigned long)(di + 1); |
329 | |
330 | total_size += name_len + 1; |
331 | /* |
332 | * We are just looking for how big our buffer needs to |
333 | * be. |
334 | */ |
335 | if (!size) |
336 | goto next; |
337 | |
338 | if (!buffer || (name_len + 1) > size_left) { |
339 | iter_ret = -ERANGE; |
340 | break; |
341 | } |
342 | |
343 | read_extent_buffer(eb: leaf, dst: buffer, start: name_ptr, len: name_len); |
344 | buffer[name_len] = '\0'; |
345 | |
346 | size_left -= name_len + 1; |
347 | buffer += name_len + 1; |
348 | next: |
349 | cur += this_len; |
350 | di = (struct btrfs_dir_item *)((char *)di + this_len); |
351 | } |
352 | } |
353 | |
354 | if (iter_ret < 0) |
355 | ret = iter_ret; |
356 | else |
357 | ret = total_size; |
358 | |
359 | btrfs_free_path(p: path); |
360 | |
361 | return ret; |
362 | } |
363 | |
364 | static int btrfs_xattr_handler_get(const struct xattr_handler *handler, |
365 | struct dentry *unused, struct inode *inode, |
366 | const char *name, void *buffer, size_t size) |
367 | { |
368 | name = xattr_full_name(handler, name); |
369 | return btrfs_getxattr(inode, name, buffer, size); |
370 | } |
371 | |
372 | static int btrfs_xattr_handler_set(const struct xattr_handler *handler, |
373 | struct mnt_idmap *idmap, |
374 | struct dentry *unused, struct inode *inode, |
375 | const char *name, const void *buffer, |
376 | size_t size, int flags) |
377 | { |
378 | if (btrfs_root_readonly(root: BTRFS_I(inode)->root)) |
379 | return -EROFS; |
380 | |
381 | name = xattr_full_name(handler, name); |
382 | return btrfs_setxattr_trans(inode, name, value: buffer, size, flags); |
383 | } |
384 | |
385 | static int btrfs_xattr_handler_get_security(const struct xattr_handler *handler, |
386 | struct dentry *unused, |
387 | struct inode *inode, |
388 | const char *name, void *buffer, |
389 | size_t size) |
390 | { |
391 | int ret; |
392 | bool is_cap = false; |
393 | |
394 | name = xattr_full_name(handler, name); |
395 | |
396 | /* |
397 | * security.capability doesn't cache the results, so calls into us |
398 | * constantly to see if there's a capability xattr. Cache the result |
399 | * here in order to avoid wasting time doing lookups for xattrs we know |
400 | * don't exist. |
401 | */ |
402 | if (strcmp(name, XATTR_NAME_CAPS) == 0) { |
403 | is_cap = true; |
404 | if (test_bit(BTRFS_INODE_NO_CAP_XATTR, &BTRFS_I(inode)->runtime_flags)) |
405 | return -ENODATA; |
406 | } |
407 | |
408 | ret = btrfs_getxattr(inode, name, buffer, size); |
409 | if (ret == -ENODATA && is_cap) |
410 | set_bit(nr: BTRFS_INODE_NO_CAP_XATTR, addr: &BTRFS_I(inode)->runtime_flags); |
411 | return ret; |
412 | } |
413 | |
414 | static int btrfs_xattr_handler_set_security(const struct xattr_handler *handler, |
415 | struct mnt_idmap *idmap, |
416 | struct dentry *unused, |
417 | struct inode *inode, |
418 | const char *name, |
419 | const void *buffer, |
420 | size_t size, int flags) |
421 | { |
422 | if (btrfs_root_readonly(root: BTRFS_I(inode)->root)) |
423 | return -EROFS; |
424 | |
425 | name = xattr_full_name(handler, name); |
426 | if (strcmp(name, XATTR_NAME_CAPS) == 0) |
427 | clear_bit(nr: BTRFS_INODE_NO_CAP_XATTR, addr: &BTRFS_I(inode)->runtime_flags); |
428 | |
429 | return btrfs_setxattr_trans(inode, name, value: buffer, size, flags); |
430 | } |
431 | |
432 | static int btrfs_xattr_handler_set_prop(const struct xattr_handler *handler, |
433 | struct mnt_idmap *idmap, |
434 | struct dentry *unused, struct inode *inode, |
435 | const char *name, const void *value, |
436 | size_t size, int flags) |
437 | { |
438 | int ret; |
439 | struct btrfs_trans_handle *trans; |
440 | struct btrfs_root *root = BTRFS_I(inode)->root; |
441 | |
442 | name = xattr_full_name(handler, name); |
443 | ret = btrfs_validate_prop(inode: BTRFS_I(inode), name, value, value_len: size); |
444 | if (ret) |
445 | return ret; |
446 | |
447 | if (btrfs_ignore_prop(inode: BTRFS_I(inode), name)) |
448 | return 0; |
449 | |
450 | trans = btrfs_start_transaction(root, num_items: 2); |
451 | if (IS_ERR(ptr: trans)) |
452 | return PTR_ERR(ptr: trans); |
453 | |
454 | ret = btrfs_set_prop(trans, inode, name, value, value_len: size, flags); |
455 | if (!ret) { |
456 | inode_inc_iversion(inode); |
457 | inode_set_ctime_current(inode); |
458 | ret = btrfs_update_inode(trans, inode: BTRFS_I(inode)); |
459 | if (ret) |
460 | btrfs_abort_transaction(trans, ret); |
461 | } |
462 | |
463 | btrfs_end_transaction(trans); |
464 | |
465 | return ret; |
466 | } |
467 | |
468 | static const struct xattr_handler btrfs_security_xattr_handler = { |
469 | .prefix = XATTR_SECURITY_PREFIX, |
470 | .get = btrfs_xattr_handler_get_security, |
471 | .set = btrfs_xattr_handler_set_security, |
472 | }; |
473 | |
474 | static const struct xattr_handler btrfs_trusted_xattr_handler = { |
475 | .prefix = XATTR_TRUSTED_PREFIX, |
476 | .get = btrfs_xattr_handler_get, |
477 | .set = btrfs_xattr_handler_set, |
478 | }; |
479 | |
480 | static const struct xattr_handler btrfs_user_xattr_handler = { |
481 | .prefix = XATTR_USER_PREFIX, |
482 | .get = btrfs_xattr_handler_get, |
483 | .set = btrfs_xattr_handler_set, |
484 | }; |
485 | |
486 | static const struct xattr_handler btrfs_btrfs_xattr_handler = { |
487 | .prefix = XATTR_BTRFS_PREFIX, |
488 | .get = btrfs_xattr_handler_get, |
489 | .set = btrfs_xattr_handler_set_prop, |
490 | }; |
491 | |
492 | const struct xattr_handler * const btrfs_xattr_handlers[] = { |
493 | &btrfs_security_xattr_handler, |
494 | &btrfs_trusted_xattr_handler, |
495 | &btrfs_user_xattr_handler, |
496 | &btrfs_btrfs_xattr_handler, |
497 | NULL, |
498 | }; |
499 | |
500 | static int btrfs_initxattrs(struct inode *inode, |
501 | const struct xattr *xattr_array, void *fs_private) |
502 | { |
503 | struct btrfs_trans_handle *trans = fs_private; |
504 | const struct xattr *xattr; |
505 | unsigned int nofs_flag; |
506 | char *name; |
507 | int err = 0; |
508 | |
509 | /* |
510 | * We're holding a transaction handle, so use a NOFS memory allocation |
511 | * context to avoid deadlock if reclaim happens. |
512 | */ |
513 | nofs_flag = memalloc_nofs_save(); |
514 | for (xattr = xattr_array; xattr->name != NULL; xattr++) { |
515 | name = kmalloc(XATTR_SECURITY_PREFIX_LEN + |
516 | strlen(xattr->name) + 1, GFP_KERNEL); |
517 | if (!name) { |
518 | err = -ENOMEM; |
519 | break; |
520 | } |
521 | strcpy(p: name, XATTR_SECURITY_PREFIX); |
522 | strcpy(p: name + XATTR_SECURITY_PREFIX_LEN, q: xattr->name); |
523 | |
524 | if (strcmp(name, XATTR_NAME_CAPS) == 0) |
525 | clear_bit(nr: BTRFS_INODE_NO_CAP_XATTR, addr: &BTRFS_I(inode)->runtime_flags); |
526 | |
527 | err = btrfs_setxattr(trans, inode, name, value: xattr->value, |
528 | size: xattr->value_len, flags: 0); |
529 | kfree(objp: name); |
530 | if (err < 0) |
531 | break; |
532 | } |
533 | memalloc_nofs_restore(flags: nofs_flag); |
534 | return err; |
535 | } |
536 | |
537 | int btrfs_xattr_security_init(struct btrfs_trans_handle *trans, |
538 | struct inode *inode, struct inode *dir, |
539 | const struct qstr *qstr) |
540 | { |
541 | return security_inode_init_security(inode, dir, qstr, |
542 | initxattrs: &btrfs_initxattrs, fs_data: trans); |
543 | } |
544 | |