1 | // SPDX-License-Identifier: GPL-2.0-only |
2 | /* |
3 | * linux/fs/open.c |
4 | * |
5 | * Copyright (C) 1991, 1992 Linus Torvalds |
6 | */ |
7 | |
8 | #include <linux/string.h> |
9 | #include <linux/mm.h> |
10 | #include <linux/file.h> |
11 | #include <linux/fdtable.h> |
12 | #include <linux/fsnotify.h> |
13 | #include <linux/module.h> |
14 | #include <linux/tty.h> |
15 | #include <linux/namei.h> |
16 | #include <linux/backing-dev.h> |
17 | #include <linux/capability.h> |
18 | #include <linux/securebits.h> |
19 | #include <linux/security.h> |
20 | #include <linux/mount.h> |
21 | #include <linux/fcntl.h> |
22 | #include <linux/slab.h> |
23 | #include <linux/uaccess.h> |
24 | #include <linux/fs.h> |
25 | #include <linux/personality.h> |
26 | #include <linux/pagemap.h> |
27 | #include <linux/syscalls.h> |
28 | #include <linux/rcupdate.h> |
29 | #include <linux/audit.h> |
30 | #include <linux/falloc.h> |
31 | #include <linux/fs_struct.h> |
32 | #include <linux/ima.h> |
33 | #include <linux/dnotify.h> |
34 | #include <linux/compat.h> |
35 | #include <linux/mnt_idmapping.h> |
36 | #include <linux/filelock.h> |
37 | |
38 | #include "internal.h" |
39 | |
40 | int do_truncate(struct mnt_idmap *idmap, struct dentry *dentry, |
41 | loff_t length, unsigned int time_attrs, struct file *filp) |
42 | { |
43 | int ret; |
44 | struct iattr newattrs; |
45 | |
46 | /* Not pretty: "inode->i_size" shouldn't really be signed. But it is. */ |
47 | if (length < 0) |
48 | return -EINVAL; |
49 | |
50 | newattrs.ia_size = length; |
51 | newattrs.ia_valid = ATTR_SIZE | time_attrs; |
52 | if (filp) { |
53 | newattrs.ia_file = filp; |
54 | newattrs.ia_valid |= ATTR_FILE; |
55 | } |
56 | |
57 | /* Remove suid, sgid, and file capabilities on truncate too */ |
58 | ret = dentry_needs_remove_privs(idmap, dentry); |
59 | if (ret < 0) |
60 | return ret; |
61 | if (ret) |
62 | newattrs.ia_valid |= ret | ATTR_FORCE; |
63 | |
64 | inode_lock(inode: dentry->d_inode); |
65 | /* Note any delegations or leases have already been broken: */ |
66 | ret = notify_change(idmap, dentry, &newattrs, NULL); |
67 | inode_unlock(inode: dentry->d_inode); |
68 | return ret; |
69 | } |
70 | |
71 | long vfs_truncate(const struct path *path, loff_t length) |
72 | { |
73 | struct mnt_idmap *idmap; |
74 | struct inode *inode; |
75 | long error; |
76 | |
77 | inode = path->dentry->d_inode; |
78 | |
79 | /* For directories it's -EISDIR, for other non-regulars - -EINVAL */ |
80 | if (S_ISDIR(inode->i_mode)) |
81 | return -EISDIR; |
82 | if (!S_ISREG(inode->i_mode)) |
83 | return -EINVAL; |
84 | |
85 | error = mnt_want_write(mnt: path->mnt); |
86 | if (error) |
87 | goto out; |
88 | |
89 | idmap = mnt_idmap(mnt: path->mnt); |
90 | error = inode_permission(idmap, inode, MAY_WRITE); |
91 | if (error) |
92 | goto mnt_drop_write_and_out; |
93 | |
94 | error = -EPERM; |
95 | if (IS_APPEND(inode)) |
96 | goto mnt_drop_write_and_out; |
97 | |
98 | error = get_write_access(inode); |
99 | if (error) |
100 | goto mnt_drop_write_and_out; |
101 | |
102 | /* |
103 | * Make sure that there are no leases. get_write_access() protects |
104 | * against the truncate racing with a lease-granting setlease(). |
105 | */ |
106 | error = break_lease(inode, O_WRONLY); |
107 | if (error) |
108 | goto put_write_and_out; |
109 | |
110 | error = security_path_truncate(path); |
111 | if (!error) |
112 | error = do_truncate(idmap, dentry: path->dentry, length, time_attrs: 0, NULL); |
113 | |
114 | put_write_and_out: |
115 | put_write_access(inode); |
116 | mnt_drop_write_and_out: |
117 | mnt_drop_write(mnt: path->mnt); |
118 | out: |
119 | return error; |
120 | } |
121 | EXPORT_SYMBOL_GPL(vfs_truncate); |
122 | |
123 | long do_sys_truncate(const char __user *pathname, loff_t length) |
124 | { |
125 | unsigned int lookup_flags = LOOKUP_FOLLOW; |
126 | struct path path; |
127 | int error; |
128 | |
129 | if (length < 0) /* sorry, but loff_t says... */ |
130 | return -EINVAL; |
131 | |
132 | retry: |
133 | error = user_path_at(AT_FDCWD, name: pathname, flags: lookup_flags, path: &path); |
134 | if (!error) { |
135 | error = vfs_truncate(&path, length); |
136 | path_put(&path); |
137 | } |
138 | if (retry_estale(error, flags: lookup_flags)) { |
139 | lookup_flags |= LOOKUP_REVAL; |
140 | goto retry; |
141 | } |
142 | return error; |
143 | } |
144 | |
145 | SYSCALL_DEFINE2(truncate, const char __user *, path, long, length) |
146 | { |
147 | return do_sys_truncate(pathname: path, length); |
148 | } |
149 | |
150 | #ifdef CONFIG_COMPAT |
151 | COMPAT_SYSCALL_DEFINE2(truncate, const char __user *, path, compat_off_t, length) |
152 | { |
153 | return do_sys_truncate(pathname: path, length); |
154 | } |
155 | #endif |
156 | |
157 | long do_sys_ftruncate(unsigned int fd, loff_t length, int small) |
158 | { |
159 | struct inode *inode; |
160 | struct dentry *dentry; |
161 | struct fd f; |
162 | int error; |
163 | |
164 | error = -EINVAL; |
165 | if (length < 0) |
166 | goto out; |
167 | error = -EBADF; |
168 | f = fdget(fd); |
169 | if (!f.file) |
170 | goto out; |
171 | |
172 | /* explicitly opened as large or we are on 64-bit box */ |
173 | if (f.file->f_flags & O_LARGEFILE) |
174 | small = 0; |
175 | |
176 | dentry = f.file->f_path.dentry; |
177 | inode = dentry->d_inode; |
178 | error = -EINVAL; |
179 | if (!S_ISREG(inode->i_mode) || !(f.file->f_mode & FMODE_WRITE)) |
180 | goto out_putf; |
181 | |
182 | error = -EINVAL; |
183 | /* Cannot ftruncate over 2^31 bytes without large file support */ |
184 | if (small && length > MAX_NON_LFS) |
185 | goto out_putf; |
186 | |
187 | error = -EPERM; |
188 | /* Check IS_APPEND on real upper inode */ |
189 | if (IS_APPEND(file_inode(f.file))) |
190 | goto out_putf; |
191 | sb_start_write(sb: inode->i_sb); |
192 | error = security_file_truncate(file: f.file); |
193 | if (!error) |
194 | error = do_truncate(idmap: file_mnt_idmap(file: f.file), dentry, length, |
195 | ATTR_MTIME | ATTR_CTIME, filp: f.file); |
196 | sb_end_write(sb: inode->i_sb); |
197 | out_putf: |
198 | fdput(fd: f); |
199 | out: |
200 | return error; |
201 | } |
202 | |
203 | SYSCALL_DEFINE2(ftruncate, unsigned int, fd, unsigned long, length) |
204 | { |
205 | return do_sys_ftruncate(fd, length, small: 1); |
206 | } |
207 | |
208 | #ifdef CONFIG_COMPAT |
209 | COMPAT_SYSCALL_DEFINE2(ftruncate, unsigned int, fd, compat_ulong_t, length) |
210 | { |
211 | return do_sys_ftruncate(fd, length, small: 1); |
212 | } |
213 | #endif |
214 | |
215 | /* LFS versions of truncate are only needed on 32 bit machines */ |
216 | #if BITS_PER_LONG == 32 |
217 | SYSCALL_DEFINE2(truncate64, const char __user *, path, loff_t, length) |
218 | { |
219 | return do_sys_truncate(path, length); |
220 | } |
221 | |
222 | SYSCALL_DEFINE2(ftruncate64, unsigned int, fd, loff_t, length) |
223 | { |
224 | return do_sys_ftruncate(fd, length, 0); |
225 | } |
226 | #endif /* BITS_PER_LONG == 32 */ |
227 | |
228 | #if defined(CONFIG_COMPAT) && defined(__ARCH_WANT_COMPAT_TRUNCATE64) |
229 | COMPAT_SYSCALL_DEFINE3(truncate64, const char __user *, pathname, |
230 | compat_arg_u64_dual(length)) |
231 | { |
232 | return ksys_truncate(pathname, compat_arg_u64_glue(length)); |
233 | } |
234 | #endif |
235 | |
236 | #if defined(CONFIG_COMPAT) && defined(__ARCH_WANT_COMPAT_FTRUNCATE64) |
237 | COMPAT_SYSCALL_DEFINE3(ftruncate64, unsigned int, fd, |
238 | compat_arg_u64_dual(length)) |
239 | { |
240 | return ksys_ftruncate(fd, compat_arg_u64_glue(length)); |
241 | } |
242 | #endif |
243 | |
244 | int vfs_fallocate(struct file *file, int mode, loff_t offset, loff_t len) |
245 | { |
246 | struct inode *inode = file_inode(f: file); |
247 | long ret; |
248 | |
249 | if (offset < 0 || len <= 0) |
250 | return -EINVAL; |
251 | |
252 | /* Return error if mode is not supported */ |
253 | if (mode & ~FALLOC_FL_SUPPORTED_MASK) |
254 | return -EOPNOTSUPP; |
255 | |
256 | /* Punch hole and zero range are mutually exclusive */ |
257 | if ((mode & (FALLOC_FL_PUNCH_HOLE | FALLOC_FL_ZERO_RANGE)) == |
258 | (FALLOC_FL_PUNCH_HOLE | FALLOC_FL_ZERO_RANGE)) |
259 | return -EOPNOTSUPP; |
260 | |
261 | /* Punch hole must have keep size set */ |
262 | if ((mode & FALLOC_FL_PUNCH_HOLE) && |
263 | !(mode & FALLOC_FL_KEEP_SIZE)) |
264 | return -EOPNOTSUPP; |
265 | |
266 | /* Collapse range should only be used exclusively. */ |
267 | if ((mode & FALLOC_FL_COLLAPSE_RANGE) && |
268 | (mode & ~FALLOC_FL_COLLAPSE_RANGE)) |
269 | return -EINVAL; |
270 | |
271 | /* Insert range should only be used exclusively. */ |
272 | if ((mode & FALLOC_FL_INSERT_RANGE) && |
273 | (mode & ~FALLOC_FL_INSERT_RANGE)) |
274 | return -EINVAL; |
275 | |
276 | /* Unshare range should only be used with allocate mode. */ |
277 | if ((mode & FALLOC_FL_UNSHARE_RANGE) && |
278 | (mode & ~(FALLOC_FL_UNSHARE_RANGE | FALLOC_FL_KEEP_SIZE))) |
279 | return -EINVAL; |
280 | |
281 | if (!(file->f_mode & FMODE_WRITE)) |
282 | return -EBADF; |
283 | |
284 | /* |
285 | * We can only allow pure fallocate on append only files |
286 | */ |
287 | if ((mode & ~FALLOC_FL_KEEP_SIZE) && IS_APPEND(inode)) |
288 | return -EPERM; |
289 | |
290 | if (IS_IMMUTABLE(inode)) |
291 | return -EPERM; |
292 | |
293 | /* |
294 | * We cannot allow any fallocate operation on an active swapfile |
295 | */ |
296 | if (IS_SWAPFILE(inode)) |
297 | return -ETXTBSY; |
298 | |
299 | /* |
300 | * Revalidate the write permissions, in case security policy has |
301 | * changed since the files were opened. |
302 | */ |
303 | ret = security_file_permission(file, MAY_WRITE); |
304 | if (ret) |
305 | return ret; |
306 | |
307 | if (S_ISFIFO(inode->i_mode)) |
308 | return -ESPIPE; |
309 | |
310 | if (S_ISDIR(inode->i_mode)) |
311 | return -EISDIR; |
312 | |
313 | if (!S_ISREG(inode->i_mode) && !S_ISBLK(inode->i_mode)) |
314 | return -ENODEV; |
315 | |
316 | /* Check for wrap through zero too */ |
317 | if (((offset + len) > inode->i_sb->s_maxbytes) || ((offset + len) < 0)) |
318 | return -EFBIG; |
319 | |
320 | if (!file->f_op->fallocate) |
321 | return -EOPNOTSUPP; |
322 | |
323 | file_start_write(file); |
324 | ret = file->f_op->fallocate(file, mode, offset, len); |
325 | |
326 | /* |
327 | * Create inotify and fanotify events. |
328 | * |
329 | * To keep the logic simple always create events if fallocate succeeds. |
330 | * This implies that events are even created if the file size remains |
331 | * unchanged, e.g. when using flag FALLOC_FL_KEEP_SIZE. |
332 | */ |
333 | if (ret == 0) |
334 | fsnotify_modify(file); |
335 | |
336 | file_end_write(file); |
337 | return ret; |
338 | } |
339 | EXPORT_SYMBOL_GPL(vfs_fallocate); |
340 | |
341 | int ksys_fallocate(int fd, int mode, loff_t offset, loff_t len) |
342 | { |
343 | struct fd f = fdget(fd); |
344 | int error = -EBADF; |
345 | |
346 | if (f.file) { |
347 | error = vfs_fallocate(f.file, mode, offset, len); |
348 | fdput(fd: f); |
349 | } |
350 | return error; |
351 | } |
352 | |
353 | SYSCALL_DEFINE4(fallocate, int, fd, int, mode, loff_t, offset, loff_t, len) |
354 | { |
355 | return ksys_fallocate(fd, mode, offset, len); |
356 | } |
357 | |
358 | #if defined(CONFIG_COMPAT) && defined(__ARCH_WANT_COMPAT_FALLOCATE) |
359 | COMPAT_SYSCALL_DEFINE6(fallocate, int, fd, int, mode, compat_arg_u64_dual(offset), |
360 | compat_arg_u64_dual(len)) |
361 | { |
362 | return ksys_fallocate(fd, mode, compat_arg_u64_glue(offset), |
363 | compat_arg_u64_glue(len)); |
364 | } |
365 | #endif |
366 | |
367 | /* |
368 | * access() needs to use the real uid/gid, not the effective uid/gid. |
369 | * We do this by temporarily clearing all FS-related capabilities and |
370 | * switching the fsuid/fsgid around to the real ones. |
371 | * |
372 | * Creating new credentials is expensive, so we try to skip doing it, |
373 | * which we can if the result would match what we already got. |
374 | */ |
375 | static bool access_need_override_creds(int flags) |
376 | { |
377 | const struct cred *cred; |
378 | |
379 | if (flags & AT_EACCESS) |
380 | return false; |
381 | |
382 | cred = current_cred(); |
383 | if (!uid_eq(left: cred->fsuid, right: cred->uid) || |
384 | !gid_eq(left: cred->fsgid, right: cred->gid)) |
385 | return true; |
386 | |
387 | if (!issecure(SECURE_NO_SETUID_FIXUP)) { |
388 | kuid_t root_uid = make_kuid(from: cred->user_ns, uid: 0); |
389 | if (!uid_eq(left: cred->uid, right: root_uid)) { |
390 | if (!cap_isclear(a: cred->cap_effective)) |
391 | return true; |
392 | } else { |
393 | if (!cap_isidentical(a: cred->cap_effective, |
394 | b: cred->cap_permitted)) |
395 | return true; |
396 | } |
397 | } |
398 | |
399 | return false; |
400 | } |
401 | |
402 | static const struct cred *access_override_creds(void) |
403 | { |
404 | const struct cred *old_cred; |
405 | struct cred *override_cred; |
406 | |
407 | override_cred = prepare_creds(); |
408 | if (!override_cred) |
409 | return NULL; |
410 | |
411 | /* |
412 | * XXX access_need_override_creds performs checks in hopes of skipping |
413 | * this work. Make sure it stays in sync if making any changes in this |
414 | * routine. |
415 | */ |
416 | |
417 | override_cred->fsuid = override_cred->uid; |
418 | override_cred->fsgid = override_cred->gid; |
419 | |
420 | if (!issecure(SECURE_NO_SETUID_FIXUP)) { |
421 | /* Clear the capabilities if we switch to a non-root user */ |
422 | kuid_t root_uid = make_kuid(from: override_cred->user_ns, uid: 0); |
423 | if (!uid_eq(left: override_cred->uid, right: root_uid)) |
424 | cap_clear(override_cred->cap_effective); |
425 | else |
426 | override_cred->cap_effective = |
427 | override_cred->cap_permitted; |
428 | } |
429 | |
430 | /* |
431 | * The new set of credentials can *only* be used in |
432 | * task-synchronous circumstances, and does not need |
433 | * RCU freeing, unless somebody then takes a separate |
434 | * reference to it. |
435 | * |
436 | * NOTE! This is _only_ true because this credential |
437 | * is used purely for override_creds() that installs |
438 | * it as the subjective cred. Other threads will be |
439 | * accessing ->real_cred, not the subjective cred. |
440 | * |
441 | * If somebody _does_ make a copy of this (using the |
442 | * 'get_current_cred()' function), that will clear the |
443 | * non_rcu field, because now that other user may be |
444 | * expecting RCU freeing. But normal thread-synchronous |
445 | * cred accesses will keep things non-RCY. |
446 | */ |
447 | override_cred->non_rcu = 1; |
448 | |
449 | old_cred = override_creds(override_cred); |
450 | |
451 | /* override_cred() gets its own ref */ |
452 | put_cred(cred: override_cred); |
453 | |
454 | return old_cred; |
455 | } |
456 | |
457 | static long do_faccessat(int dfd, const char __user *filename, int mode, int flags) |
458 | { |
459 | struct path path; |
460 | struct inode *inode; |
461 | int res; |
462 | unsigned int lookup_flags = LOOKUP_FOLLOW; |
463 | const struct cred *old_cred = NULL; |
464 | |
465 | if (mode & ~S_IRWXO) /* where's F_OK, X_OK, W_OK, R_OK? */ |
466 | return -EINVAL; |
467 | |
468 | if (flags & ~(AT_EACCESS | AT_SYMLINK_NOFOLLOW | AT_EMPTY_PATH)) |
469 | return -EINVAL; |
470 | |
471 | if (flags & AT_SYMLINK_NOFOLLOW) |
472 | lookup_flags &= ~LOOKUP_FOLLOW; |
473 | if (flags & AT_EMPTY_PATH) |
474 | lookup_flags |= LOOKUP_EMPTY; |
475 | |
476 | if (access_need_override_creds(flags)) { |
477 | old_cred = access_override_creds(); |
478 | if (!old_cred) |
479 | return -ENOMEM; |
480 | } |
481 | |
482 | retry: |
483 | res = user_path_at(dfd, name: filename, flags: lookup_flags, path: &path); |
484 | if (res) |
485 | goto out; |
486 | |
487 | inode = d_backing_inode(upper: path.dentry); |
488 | |
489 | if ((mode & MAY_EXEC) && S_ISREG(inode->i_mode)) { |
490 | /* |
491 | * MAY_EXEC on regular files is denied if the fs is mounted |
492 | * with the "noexec" flag. |
493 | */ |
494 | res = -EACCES; |
495 | if (path_noexec(path: &path)) |
496 | goto out_path_release; |
497 | } |
498 | |
499 | res = inode_permission(mnt_idmap(mnt: path.mnt), inode, mode | MAY_ACCESS); |
500 | /* SuS v2 requires we report a read only fs too */ |
501 | if (res || !(mode & S_IWOTH) || special_file(inode->i_mode)) |
502 | goto out_path_release; |
503 | /* |
504 | * This is a rare case where using __mnt_is_readonly() |
505 | * is OK without a mnt_want/drop_write() pair. Since |
506 | * no actual write to the fs is performed here, we do |
507 | * not need to telegraph to that to anyone. |
508 | * |
509 | * By doing this, we accept that this access is |
510 | * inherently racy and know that the fs may change |
511 | * state before we even see this result. |
512 | */ |
513 | if (__mnt_is_readonly(mnt: path.mnt)) |
514 | res = -EROFS; |
515 | |
516 | out_path_release: |
517 | path_put(&path); |
518 | if (retry_estale(error: res, flags: lookup_flags)) { |
519 | lookup_flags |= LOOKUP_REVAL; |
520 | goto retry; |
521 | } |
522 | out: |
523 | if (old_cred) |
524 | revert_creds(old_cred); |
525 | |
526 | return res; |
527 | } |
528 | |
529 | SYSCALL_DEFINE3(faccessat, int, dfd, const char __user *, filename, int, mode) |
530 | { |
531 | return do_faccessat(dfd, filename, mode, flags: 0); |
532 | } |
533 | |
534 | SYSCALL_DEFINE4(faccessat2, int, dfd, const char __user *, filename, int, mode, |
535 | int, flags) |
536 | { |
537 | return do_faccessat(dfd, filename, mode, flags); |
538 | } |
539 | |
540 | SYSCALL_DEFINE2(access, const char __user *, filename, int, mode) |
541 | { |
542 | return do_faccessat(AT_FDCWD, filename, mode, flags: 0); |
543 | } |
544 | |
545 | SYSCALL_DEFINE1(chdir, const char __user *, filename) |
546 | { |
547 | struct path path; |
548 | int error; |
549 | unsigned int lookup_flags = LOOKUP_FOLLOW | LOOKUP_DIRECTORY; |
550 | retry: |
551 | error = user_path_at(AT_FDCWD, name: filename, flags: lookup_flags, path: &path); |
552 | if (error) |
553 | goto out; |
554 | |
555 | error = path_permission(path: &path, MAY_EXEC | MAY_CHDIR); |
556 | if (error) |
557 | goto dput_and_out; |
558 | |
559 | set_fs_pwd(current->fs, &path); |
560 | |
561 | dput_and_out: |
562 | path_put(&path); |
563 | if (retry_estale(error, flags: lookup_flags)) { |
564 | lookup_flags |= LOOKUP_REVAL; |
565 | goto retry; |
566 | } |
567 | out: |
568 | return error; |
569 | } |
570 | |
571 | SYSCALL_DEFINE1(fchdir, unsigned int, fd) |
572 | { |
573 | struct fd f = fdget_raw(fd); |
574 | int error; |
575 | |
576 | error = -EBADF; |
577 | if (!f.file) |
578 | goto out; |
579 | |
580 | error = -ENOTDIR; |
581 | if (!d_can_lookup(dentry: f.file->f_path.dentry)) |
582 | goto out_putf; |
583 | |
584 | error = file_permission(file: f.file, MAY_EXEC | MAY_CHDIR); |
585 | if (!error) |
586 | set_fs_pwd(current->fs, &f.file->f_path); |
587 | out_putf: |
588 | fdput(fd: f); |
589 | out: |
590 | return error; |
591 | } |
592 | |
593 | SYSCALL_DEFINE1(chroot, const char __user *, filename) |
594 | { |
595 | struct path path; |
596 | int error; |
597 | unsigned int lookup_flags = LOOKUP_FOLLOW | LOOKUP_DIRECTORY; |
598 | retry: |
599 | error = user_path_at(AT_FDCWD, name: filename, flags: lookup_flags, path: &path); |
600 | if (error) |
601 | goto out; |
602 | |
603 | error = path_permission(path: &path, MAY_EXEC | MAY_CHDIR); |
604 | if (error) |
605 | goto dput_and_out; |
606 | |
607 | error = -EPERM; |
608 | if (!ns_capable(current_user_ns(), CAP_SYS_CHROOT)) |
609 | goto dput_and_out; |
610 | error = security_path_chroot(path: &path); |
611 | if (error) |
612 | goto dput_and_out; |
613 | |
614 | set_fs_root(current->fs, &path); |
615 | error = 0; |
616 | dput_and_out: |
617 | path_put(&path); |
618 | if (retry_estale(error, flags: lookup_flags)) { |
619 | lookup_flags |= LOOKUP_REVAL; |
620 | goto retry; |
621 | } |
622 | out: |
623 | return error; |
624 | } |
625 | |
626 | int chmod_common(const struct path *path, umode_t mode) |
627 | { |
628 | struct inode *inode = path->dentry->d_inode; |
629 | struct inode *delegated_inode = NULL; |
630 | struct iattr newattrs; |
631 | int error; |
632 | |
633 | error = mnt_want_write(mnt: path->mnt); |
634 | if (error) |
635 | return error; |
636 | retry_deleg: |
637 | inode_lock(inode); |
638 | error = security_path_chmod(path, mode); |
639 | if (error) |
640 | goto out_unlock; |
641 | newattrs.ia_mode = (mode & S_IALLUGO) | (inode->i_mode & ~S_IALLUGO); |
642 | newattrs.ia_valid = ATTR_MODE | ATTR_CTIME; |
643 | error = notify_change(mnt_idmap(mnt: path->mnt), path->dentry, |
644 | &newattrs, &delegated_inode); |
645 | out_unlock: |
646 | inode_unlock(inode); |
647 | if (delegated_inode) { |
648 | error = break_deleg_wait(delegated_inode: &delegated_inode); |
649 | if (!error) |
650 | goto retry_deleg; |
651 | } |
652 | mnt_drop_write(mnt: path->mnt); |
653 | return error; |
654 | } |
655 | |
656 | int vfs_fchmod(struct file *file, umode_t mode) |
657 | { |
658 | audit_file(file); |
659 | return chmod_common(path: &file->f_path, mode); |
660 | } |
661 | |
662 | SYSCALL_DEFINE2(fchmod, unsigned int, fd, umode_t, mode) |
663 | { |
664 | struct fd f = fdget(fd); |
665 | int err = -EBADF; |
666 | |
667 | if (f.file) { |
668 | err = vfs_fchmod(file: f.file, mode); |
669 | fdput(fd: f); |
670 | } |
671 | return err; |
672 | } |
673 | |
674 | static int do_fchmodat(int dfd, const char __user *filename, umode_t mode, |
675 | unsigned int flags) |
676 | { |
677 | struct path path; |
678 | int error; |
679 | unsigned int lookup_flags; |
680 | |
681 | if (unlikely(flags & ~(AT_SYMLINK_NOFOLLOW | AT_EMPTY_PATH))) |
682 | return -EINVAL; |
683 | |
684 | lookup_flags = (flags & AT_SYMLINK_NOFOLLOW) ? 0 : LOOKUP_FOLLOW; |
685 | if (flags & AT_EMPTY_PATH) |
686 | lookup_flags |= LOOKUP_EMPTY; |
687 | |
688 | retry: |
689 | error = user_path_at(dfd, name: filename, flags: lookup_flags, path: &path); |
690 | if (!error) { |
691 | error = chmod_common(path: &path, mode); |
692 | path_put(&path); |
693 | if (retry_estale(error, flags: lookup_flags)) { |
694 | lookup_flags |= LOOKUP_REVAL; |
695 | goto retry; |
696 | } |
697 | } |
698 | return error; |
699 | } |
700 | |
701 | SYSCALL_DEFINE4(fchmodat2, int, dfd, const char __user *, filename, |
702 | umode_t, mode, unsigned int, flags) |
703 | { |
704 | return do_fchmodat(dfd, filename, mode, flags); |
705 | } |
706 | |
707 | SYSCALL_DEFINE3(fchmodat, int, dfd, const char __user *, filename, |
708 | umode_t, mode) |
709 | { |
710 | return do_fchmodat(dfd, filename, mode, flags: 0); |
711 | } |
712 | |
713 | SYSCALL_DEFINE2(chmod, const char __user *, filename, umode_t, mode) |
714 | { |
715 | return do_fchmodat(AT_FDCWD, filename, mode, flags: 0); |
716 | } |
717 | |
718 | /* |
719 | * Check whether @kuid is valid and if so generate and set vfsuid_t in |
720 | * ia_vfsuid. |
721 | * |
722 | * Return: true if @kuid is valid, false if not. |
723 | */ |
724 | static inline bool setattr_vfsuid(struct iattr *attr, kuid_t kuid) |
725 | { |
726 | if (!uid_valid(uid: kuid)) |
727 | return false; |
728 | attr->ia_valid |= ATTR_UID; |
729 | attr->ia_vfsuid = VFSUIDT_INIT(kuid); |
730 | return true; |
731 | } |
732 | |
733 | /* |
734 | * Check whether @kgid is valid and if so generate and set vfsgid_t in |
735 | * ia_vfsgid. |
736 | * |
737 | * Return: true if @kgid is valid, false if not. |
738 | */ |
739 | static inline bool setattr_vfsgid(struct iattr *attr, kgid_t kgid) |
740 | { |
741 | if (!gid_valid(gid: kgid)) |
742 | return false; |
743 | attr->ia_valid |= ATTR_GID; |
744 | attr->ia_vfsgid = VFSGIDT_INIT(kgid); |
745 | return true; |
746 | } |
747 | |
748 | int chown_common(const struct path *path, uid_t user, gid_t group) |
749 | { |
750 | struct mnt_idmap *idmap; |
751 | struct user_namespace *fs_userns; |
752 | struct inode *inode = path->dentry->d_inode; |
753 | struct inode *delegated_inode = NULL; |
754 | int error; |
755 | struct iattr newattrs; |
756 | kuid_t uid; |
757 | kgid_t gid; |
758 | |
759 | uid = make_kuid(current_user_ns(), uid: user); |
760 | gid = make_kgid(current_user_ns(), gid: group); |
761 | |
762 | idmap = mnt_idmap(mnt: path->mnt); |
763 | fs_userns = i_user_ns(inode); |
764 | |
765 | retry_deleg: |
766 | newattrs.ia_vfsuid = INVALID_VFSUID; |
767 | newattrs.ia_vfsgid = INVALID_VFSGID; |
768 | newattrs.ia_valid = ATTR_CTIME; |
769 | if ((user != (uid_t)-1) && !setattr_vfsuid(attr: &newattrs, kuid: uid)) |
770 | return -EINVAL; |
771 | if ((group != (gid_t)-1) && !setattr_vfsgid(attr: &newattrs, kgid: gid)) |
772 | return -EINVAL; |
773 | inode_lock(inode); |
774 | if (!S_ISDIR(inode->i_mode)) |
775 | newattrs.ia_valid |= ATTR_KILL_SUID | ATTR_KILL_PRIV | |
776 | setattr_should_drop_sgid(idmap, inode); |
777 | /* Continue to send actual fs values, not the mount values. */ |
778 | error = security_path_chown( |
779 | path, |
780 | uid: from_vfsuid(idmap, fs_userns, vfsuid: newattrs.ia_vfsuid), |
781 | gid: from_vfsgid(idmap, fs_userns, vfsgid: newattrs.ia_vfsgid)); |
782 | if (!error) |
783 | error = notify_change(idmap, path->dentry, &newattrs, |
784 | &delegated_inode); |
785 | inode_unlock(inode); |
786 | if (delegated_inode) { |
787 | error = break_deleg_wait(delegated_inode: &delegated_inode); |
788 | if (!error) |
789 | goto retry_deleg; |
790 | } |
791 | return error; |
792 | } |
793 | |
794 | int do_fchownat(int dfd, const char __user *filename, uid_t user, gid_t group, |
795 | int flag) |
796 | { |
797 | struct path path; |
798 | int error = -EINVAL; |
799 | int lookup_flags; |
800 | |
801 | if ((flag & ~(AT_SYMLINK_NOFOLLOW | AT_EMPTY_PATH)) != 0) |
802 | goto out; |
803 | |
804 | lookup_flags = (flag & AT_SYMLINK_NOFOLLOW) ? 0 : LOOKUP_FOLLOW; |
805 | if (flag & AT_EMPTY_PATH) |
806 | lookup_flags |= LOOKUP_EMPTY; |
807 | retry: |
808 | error = user_path_at(dfd, name: filename, flags: lookup_flags, path: &path); |
809 | if (error) |
810 | goto out; |
811 | error = mnt_want_write(mnt: path.mnt); |
812 | if (error) |
813 | goto out_release; |
814 | error = chown_common(path: &path, user, group); |
815 | mnt_drop_write(mnt: path.mnt); |
816 | out_release: |
817 | path_put(&path); |
818 | if (retry_estale(error, flags: lookup_flags)) { |
819 | lookup_flags |= LOOKUP_REVAL; |
820 | goto retry; |
821 | } |
822 | out: |
823 | return error; |
824 | } |
825 | |
826 | SYSCALL_DEFINE5(fchownat, int, dfd, const char __user *, filename, uid_t, user, |
827 | gid_t, group, int, flag) |
828 | { |
829 | return do_fchownat(dfd, filename, user, group, flag); |
830 | } |
831 | |
832 | SYSCALL_DEFINE3(chown, const char __user *, filename, uid_t, user, gid_t, group) |
833 | { |
834 | return do_fchownat(AT_FDCWD, filename, user, group, flag: 0); |
835 | } |
836 | |
837 | SYSCALL_DEFINE3(lchown, const char __user *, filename, uid_t, user, gid_t, group) |
838 | { |
839 | return do_fchownat(AT_FDCWD, filename, user, group, |
840 | AT_SYMLINK_NOFOLLOW); |
841 | } |
842 | |
843 | int vfs_fchown(struct file *file, uid_t user, gid_t group) |
844 | { |
845 | int error; |
846 | |
847 | error = mnt_want_write_file(file); |
848 | if (error) |
849 | return error; |
850 | audit_file(file); |
851 | error = chown_common(path: &file->f_path, user, group); |
852 | mnt_drop_write_file(file); |
853 | return error; |
854 | } |
855 | |
856 | int ksys_fchown(unsigned int fd, uid_t user, gid_t group) |
857 | { |
858 | struct fd f = fdget(fd); |
859 | int error = -EBADF; |
860 | |
861 | if (f.file) { |
862 | error = vfs_fchown(file: f.file, user, group); |
863 | fdput(fd: f); |
864 | } |
865 | return error; |
866 | } |
867 | |
868 | SYSCALL_DEFINE3(fchown, unsigned int, fd, uid_t, user, gid_t, group) |
869 | { |
870 | return ksys_fchown(fd, user, group); |
871 | } |
872 | |
873 | static inline int file_get_write_access(struct file *f) |
874 | { |
875 | int error; |
876 | |
877 | error = get_write_access(inode: f->f_inode); |
878 | if (unlikely(error)) |
879 | return error; |
880 | error = mnt_get_write_access(mnt: f->f_path.mnt); |
881 | if (unlikely(error)) |
882 | goto cleanup_inode; |
883 | if (unlikely(f->f_mode & FMODE_BACKING)) { |
884 | error = mnt_get_write_access(mnt: backing_file_user_path(f)->mnt); |
885 | if (unlikely(error)) |
886 | goto cleanup_mnt; |
887 | } |
888 | return 0; |
889 | |
890 | cleanup_mnt: |
891 | mnt_put_write_access(mnt: f->f_path.mnt); |
892 | cleanup_inode: |
893 | put_write_access(inode: f->f_inode); |
894 | return error; |
895 | } |
896 | |
897 | static int do_dentry_open(struct file *f, |
898 | struct inode *inode, |
899 | int (*open)(struct inode *, struct file *)) |
900 | { |
901 | static const struct file_operations empty_fops = {}; |
902 | int error; |
903 | |
904 | path_get(&f->f_path); |
905 | f->f_inode = inode; |
906 | f->f_mapping = inode->i_mapping; |
907 | f->f_wb_err = filemap_sample_wb_err(mapping: f->f_mapping); |
908 | f->f_sb_err = file_sample_sb_err(file: f); |
909 | |
910 | if (unlikely(f->f_flags & O_PATH)) { |
911 | f->f_mode = FMODE_PATH | FMODE_OPENED; |
912 | f->f_op = &empty_fops; |
913 | return 0; |
914 | } |
915 | |
916 | if ((f->f_mode & (FMODE_READ | FMODE_WRITE)) == FMODE_READ) { |
917 | i_readcount_inc(inode); |
918 | } else if (f->f_mode & FMODE_WRITE && !special_file(inode->i_mode)) { |
919 | error = file_get_write_access(f); |
920 | if (unlikely(error)) |
921 | goto cleanup_file; |
922 | f->f_mode |= FMODE_WRITER; |
923 | } |
924 | |
925 | /* POSIX.1-2008/SUSv4 Section XSI 2.9.7 */ |
926 | if (S_ISREG(inode->i_mode) || S_ISDIR(inode->i_mode)) |
927 | f->f_mode |= FMODE_ATOMIC_POS; |
928 | |
929 | f->f_op = fops_get(inode->i_fop); |
930 | if (WARN_ON(!f->f_op)) { |
931 | error = -ENODEV; |
932 | goto cleanup_all; |
933 | } |
934 | |
935 | error = security_file_open(file: f); |
936 | if (error) |
937 | goto cleanup_all; |
938 | |
939 | error = break_lease(inode: file_inode(f), mode: f->f_flags); |
940 | if (error) |
941 | goto cleanup_all; |
942 | |
943 | /* normally all 3 are set; ->open() can clear them if needed */ |
944 | f->f_mode |= FMODE_LSEEK | FMODE_PREAD | FMODE_PWRITE; |
945 | if (!open) |
946 | open = f->f_op->open; |
947 | if (open) { |
948 | error = open(inode, f); |
949 | if (error) |
950 | goto cleanup_all; |
951 | } |
952 | f->f_mode |= FMODE_OPENED; |
953 | if ((f->f_mode & FMODE_READ) && |
954 | likely(f->f_op->read || f->f_op->read_iter)) |
955 | f->f_mode |= FMODE_CAN_READ; |
956 | if ((f->f_mode & FMODE_WRITE) && |
957 | likely(f->f_op->write || f->f_op->write_iter)) |
958 | f->f_mode |= FMODE_CAN_WRITE; |
959 | if ((f->f_mode & FMODE_LSEEK) && !f->f_op->llseek) |
960 | f->f_mode &= ~FMODE_LSEEK; |
961 | if (f->f_mapping->a_ops && f->f_mapping->a_ops->direct_IO) |
962 | f->f_mode |= FMODE_CAN_ODIRECT; |
963 | |
964 | f->f_flags &= ~(O_CREAT | O_EXCL | O_NOCTTY | O_TRUNC); |
965 | f->f_iocb_flags = iocb_flags(file: f); |
966 | |
967 | file_ra_state_init(ra: &f->f_ra, mapping: f->f_mapping->host->i_mapping); |
968 | |
969 | if ((f->f_flags & O_DIRECT) && !(f->f_mode & FMODE_CAN_ODIRECT)) |
970 | return -EINVAL; |
971 | |
972 | /* |
973 | * XXX: Huge page cache doesn't support writing yet. Drop all page |
974 | * cache for this file before processing writes. |
975 | */ |
976 | if (f->f_mode & FMODE_WRITE) { |
977 | /* |
978 | * Paired with smp_mb() in collapse_file() to ensure nr_thps |
979 | * is up to date and the update to i_writecount by |
980 | * get_write_access() is visible. Ensures subsequent insertion |
981 | * of THPs into the page cache will fail. |
982 | */ |
983 | smp_mb(); |
984 | if (filemap_nr_thps(mapping: inode->i_mapping)) { |
985 | struct address_space *mapping = inode->i_mapping; |
986 | |
987 | filemap_invalidate_lock(mapping: inode->i_mapping); |
988 | /* |
989 | * unmap_mapping_range just need to be called once |
990 | * here, because the private pages is not need to be |
991 | * unmapped mapping (e.g. data segment of dynamic |
992 | * shared libraries here). |
993 | */ |
994 | unmap_mapping_range(mapping, holebegin: 0, holelen: 0, even_cows: 0); |
995 | truncate_inode_pages(mapping, 0); |
996 | filemap_invalidate_unlock(mapping: inode->i_mapping); |
997 | } |
998 | } |
999 | |
1000 | /* |
1001 | * Once we return a file with FMODE_OPENED, __fput() will call |
1002 | * fsnotify_close(), so we need fsnotify_open() here for symmetry. |
1003 | */ |
1004 | fsnotify_open(file: f); |
1005 | return 0; |
1006 | |
1007 | cleanup_all: |
1008 | if (WARN_ON_ONCE(error > 0)) |
1009 | error = -EINVAL; |
1010 | fops_put(f->f_op); |
1011 | put_file_access(file: f); |
1012 | cleanup_file: |
1013 | path_put(&f->f_path); |
1014 | f->f_path.mnt = NULL; |
1015 | f->f_path.dentry = NULL; |
1016 | f->f_inode = NULL; |
1017 | return error; |
1018 | } |
1019 | |
1020 | /** |
1021 | * finish_open - finish opening a file |
1022 | * @file: file pointer |
1023 | * @dentry: pointer to dentry |
1024 | * @open: open callback |
1025 | * |
1026 | * This can be used to finish opening a file passed to i_op->atomic_open(). |
1027 | * |
1028 | * If the open callback is set to NULL, then the standard f_op->open() |
1029 | * filesystem callback is substituted. |
1030 | * |
1031 | * NB: the dentry reference is _not_ consumed. If, for example, the dentry is |
1032 | * the return value of d_splice_alias(), then the caller needs to perform dput() |
1033 | * on it after finish_open(). |
1034 | * |
1035 | * Returns zero on success or -errno if the open failed. |
1036 | */ |
1037 | int finish_open(struct file *file, struct dentry *dentry, |
1038 | int (*open)(struct inode *, struct file *)) |
1039 | { |
1040 | BUG_ON(file->f_mode & FMODE_OPENED); /* once it's opened, it's opened */ |
1041 | |
1042 | file->f_path.dentry = dentry; |
1043 | return do_dentry_open(f: file, inode: d_backing_inode(upper: dentry), open); |
1044 | } |
1045 | EXPORT_SYMBOL(finish_open); |
1046 | |
1047 | /** |
1048 | * finish_no_open - finish ->atomic_open() without opening the file |
1049 | * |
1050 | * @file: file pointer |
1051 | * @dentry: dentry or NULL (as returned from ->lookup()) |
1052 | * |
1053 | * This can be used to set the result of a successful lookup in ->atomic_open(). |
1054 | * |
1055 | * NB: unlike finish_open() this function does consume the dentry reference and |
1056 | * the caller need not dput() it. |
1057 | * |
1058 | * Returns "0" which must be the return value of ->atomic_open() after having |
1059 | * called this function. |
1060 | */ |
1061 | int finish_no_open(struct file *file, struct dentry *dentry) |
1062 | { |
1063 | file->f_path.dentry = dentry; |
1064 | return 0; |
1065 | } |
1066 | EXPORT_SYMBOL(finish_no_open); |
1067 | |
1068 | char *file_path(struct file *filp, char *buf, int buflen) |
1069 | { |
1070 | return d_path(&filp->f_path, buf, buflen); |
1071 | } |
1072 | EXPORT_SYMBOL(file_path); |
1073 | |
1074 | /** |
1075 | * vfs_open - open the file at the given path |
1076 | * @path: path to open |
1077 | * @file: newly allocated file with f_flag initialized |
1078 | */ |
1079 | int vfs_open(const struct path *path, struct file *file) |
1080 | { |
1081 | file->f_path = *path; |
1082 | return do_dentry_open(f: file, inode: d_backing_inode(upper: path->dentry), NULL); |
1083 | } |
1084 | |
1085 | struct file *dentry_open(const struct path *path, int flags, |
1086 | const struct cred *cred) |
1087 | { |
1088 | int error; |
1089 | struct file *f; |
1090 | |
1091 | validate_creds(cred); |
1092 | |
1093 | /* We must always pass in a valid mount pointer. */ |
1094 | BUG_ON(!path->mnt); |
1095 | |
1096 | f = alloc_empty_file(flags, cred); |
1097 | if (!IS_ERR(ptr: f)) { |
1098 | error = vfs_open(path, file: f); |
1099 | if (error) { |
1100 | fput(f); |
1101 | f = ERR_PTR(error); |
1102 | } |
1103 | } |
1104 | return f; |
1105 | } |
1106 | EXPORT_SYMBOL(dentry_open); |
1107 | |
1108 | /** |
1109 | * dentry_create - Create and open a file |
1110 | * @path: path to create |
1111 | * @flags: O_ flags |
1112 | * @mode: mode bits for new file |
1113 | * @cred: credentials to use |
1114 | * |
1115 | * Caller must hold the parent directory's lock, and have prepared |
1116 | * a negative dentry, placed in @path->dentry, for the new file. |
1117 | * |
1118 | * Caller sets @path->mnt to the vfsmount of the filesystem where |
1119 | * the new file is to be created. The parent directory and the |
1120 | * negative dentry must reside on the same filesystem instance. |
1121 | * |
1122 | * On success, returns a "struct file *". Otherwise a ERR_PTR |
1123 | * is returned. |
1124 | */ |
1125 | struct file *dentry_create(const struct path *path, int flags, umode_t mode, |
1126 | const struct cred *cred) |
1127 | { |
1128 | struct file *f; |
1129 | int error; |
1130 | |
1131 | validate_creds(cred); |
1132 | f = alloc_empty_file(flags, cred); |
1133 | if (IS_ERR(ptr: f)) |
1134 | return f; |
1135 | |
1136 | error = vfs_create(mnt_idmap(mnt: path->mnt), |
1137 | d_inode(dentry: path->dentry->d_parent), |
1138 | path->dentry, mode, true); |
1139 | if (!error) |
1140 | error = vfs_open(path, file: f); |
1141 | |
1142 | if (unlikely(error)) { |
1143 | fput(f); |
1144 | return ERR_PTR(error); |
1145 | } |
1146 | return f; |
1147 | } |
1148 | EXPORT_SYMBOL(dentry_create); |
1149 | |
1150 | /** |
1151 | * kernel_file_open - open a file for kernel internal use |
1152 | * @path: path of the file to open |
1153 | * @flags: open flags |
1154 | * @inode: the inode |
1155 | * @cred: credentials for open |
1156 | * |
1157 | * Open a file for use by in-kernel consumers. The file is not accounted |
1158 | * against nr_files and must not be installed into the file descriptor |
1159 | * table. |
1160 | * |
1161 | * Return: Opened file on success, an error pointer on failure. |
1162 | */ |
1163 | struct file *kernel_file_open(const struct path *path, int flags, |
1164 | struct inode *inode, const struct cred *cred) |
1165 | { |
1166 | struct file *f; |
1167 | int error; |
1168 | |
1169 | f = alloc_empty_file_noaccount(flags, cred); |
1170 | if (IS_ERR(ptr: f)) |
1171 | return f; |
1172 | |
1173 | f->f_path = *path; |
1174 | error = do_dentry_open(f, inode, NULL); |
1175 | if (error) { |
1176 | fput(f); |
1177 | f = ERR_PTR(error); |
1178 | } |
1179 | return f; |
1180 | } |
1181 | EXPORT_SYMBOL_GPL(kernel_file_open); |
1182 | |
1183 | /** |
1184 | * backing_file_open - open a backing file for kernel internal use |
1185 | * @user_path: path that the user reuqested to open |
1186 | * @flags: open flags |
1187 | * @real_path: path of the backing file |
1188 | * @cred: credentials for open |
1189 | * |
1190 | * Open a backing file for a stackable filesystem (e.g., overlayfs). |
1191 | * @user_path may be on the stackable filesystem and @real_path on the |
1192 | * underlying filesystem. In this case, we want to be able to return the |
1193 | * @user_path of the stackable filesystem. This is done by embedding the |
1194 | * returned file into a container structure that also stores the stacked |
1195 | * file's path, which can be retrieved using backing_file_user_path(). |
1196 | */ |
1197 | struct file *backing_file_open(const struct path *user_path, int flags, |
1198 | const struct path *real_path, |
1199 | const struct cred *cred) |
1200 | { |
1201 | struct file *f; |
1202 | int error; |
1203 | |
1204 | f = alloc_empty_backing_file(flags, cred); |
1205 | if (IS_ERR(ptr: f)) |
1206 | return f; |
1207 | |
1208 | path_get(user_path); |
1209 | *backing_file_user_path(f) = *user_path; |
1210 | f->f_path = *real_path; |
1211 | error = do_dentry_open(f, inode: d_inode(dentry: real_path->dentry), NULL); |
1212 | if (error) { |
1213 | fput(f); |
1214 | f = ERR_PTR(error); |
1215 | } |
1216 | |
1217 | return f; |
1218 | } |
1219 | EXPORT_SYMBOL_GPL(backing_file_open); |
1220 | |
1221 | #define WILL_CREATE(flags) (flags & (O_CREAT | __O_TMPFILE)) |
1222 | #define O_PATH_FLAGS (O_DIRECTORY | O_NOFOLLOW | O_PATH | O_CLOEXEC) |
1223 | |
1224 | inline struct open_how build_open_how(int flags, umode_t mode) |
1225 | { |
1226 | struct open_how how = { |
1227 | .flags = flags & VALID_OPEN_FLAGS, |
1228 | .mode = mode & S_IALLUGO, |
1229 | }; |
1230 | |
1231 | /* O_PATH beats everything else. */ |
1232 | if (how.flags & O_PATH) |
1233 | how.flags &= O_PATH_FLAGS; |
1234 | /* Modes should only be set for create-like flags. */ |
1235 | if (!WILL_CREATE(how.flags)) |
1236 | how.mode = 0; |
1237 | return how; |
1238 | } |
1239 | |
1240 | inline int build_open_flags(const struct open_how *how, struct open_flags *op) |
1241 | { |
1242 | u64 flags = how->flags; |
1243 | u64 strip = __FMODE_NONOTIFY | O_CLOEXEC; |
1244 | int lookup_flags = 0; |
1245 | int acc_mode = ACC_MODE(flags); |
1246 | |
1247 | BUILD_BUG_ON_MSG(upper_32_bits(VALID_OPEN_FLAGS), |
1248 | "struct open_flags doesn't yet handle flags > 32 bits" ); |
1249 | |
1250 | /* |
1251 | * Strip flags that either shouldn't be set by userspace like |
1252 | * FMODE_NONOTIFY or that aren't relevant in determining struct |
1253 | * open_flags like O_CLOEXEC. |
1254 | */ |
1255 | flags &= ~strip; |
1256 | |
1257 | /* |
1258 | * Older syscalls implicitly clear all of the invalid flags or argument |
1259 | * values before calling build_open_flags(), but openat2(2) checks all |
1260 | * of its arguments. |
1261 | */ |
1262 | if (flags & ~VALID_OPEN_FLAGS) |
1263 | return -EINVAL; |
1264 | if (how->resolve & ~VALID_RESOLVE_FLAGS) |
1265 | return -EINVAL; |
1266 | |
1267 | /* Scoping flags are mutually exclusive. */ |
1268 | if ((how->resolve & RESOLVE_BENEATH) && (how->resolve & RESOLVE_IN_ROOT)) |
1269 | return -EINVAL; |
1270 | |
1271 | /* Deal with the mode. */ |
1272 | if (WILL_CREATE(flags)) { |
1273 | if (how->mode & ~S_IALLUGO) |
1274 | return -EINVAL; |
1275 | op->mode = how->mode | S_IFREG; |
1276 | } else { |
1277 | if (how->mode != 0) |
1278 | return -EINVAL; |
1279 | op->mode = 0; |
1280 | } |
1281 | |
1282 | /* |
1283 | * Block bugs where O_DIRECTORY | O_CREAT created regular files. |
1284 | * Note, that blocking O_DIRECTORY | O_CREAT here also protects |
1285 | * O_TMPFILE below which requires O_DIRECTORY being raised. |
1286 | */ |
1287 | if ((flags & (O_DIRECTORY | O_CREAT)) == (O_DIRECTORY | O_CREAT)) |
1288 | return -EINVAL; |
1289 | |
1290 | /* Now handle the creative implementation of O_TMPFILE. */ |
1291 | if (flags & __O_TMPFILE) { |
1292 | /* |
1293 | * In order to ensure programs get explicit errors when trying |
1294 | * to use O_TMPFILE on old kernels we enforce that O_DIRECTORY |
1295 | * is raised alongside __O_TMPFILE. |
1296 | */ |
1297 | if (!(flags & O_DIRECTORY)) |
1298 | return -EINVAL; |
1299 | if (!(acc_mode & MAY_WRITE)) |
1300 | return -EINVAL; |
1301 | } |
1302 | if (flags & O_PATH) { |
1303 | /* O_PATH only permits certain other flags to be set. */ |
1304 | if (flags & ~O_PATH_FLAGS) |
1305 | return -EINVAL; |
1306 | acc_mode = 0; |
1307 | } |
1308 | |
1309 | /* |
1310 | * O_SYNC is implemented as __O_SYNC|O_DSYNC. As many places only |
1311 | * check for O_DSYNC if the need any syncing at all we enforce it's |
1312 | * always set instead of having to deal with possibly weird behaviour |
1313 | * for malicious applications setting only __O_SYNC. |
1314 | */ |
1315 | if (flags & __O_SYNC) |
1316 | flags |= O_DSYNC; |
1317 | |
1318 | op->open_flag = flags; |
1319 | |
1320 | /* O_TRUNC implies we need access checks for write permissions */ |
1321 | if (flags & O_TRUNC) |
1322 | acc_mode |= MAY_WRITE; |
1323 | |
1324 | /* Allow the LSM permission hook to distinguish append |
1325 | access from general write access. */ |
1326 | if (flags & O_APPEND) |
1327 | acc_mode |= MAY_APPEND; |
1328 | |
1329 | op->acc_mode = acc_mode; |
1330 | |
1331 | op->intent = flags & O_PATH ? 0 : LOOKUP_OPEN; |
1332 | |
1333 | if (flags & O_CREAT) { |
1334 | op->intent |= LOOKUP_CREATE; |
1335 | if (flags & O_EXCL) { |
1336 | op->intent |= LOOKUP_EXCL; |
1337 | flags |= O_NOFOLLOW; |
1338 | } |
1339 | } |
1340 | |
1341 | if (flags & O_DIRECTORY) |
1342 | lookup_flags |= LOOKUP_DIRECTORY; |
1343 | if (!(flags & O_NOFOLLOW)) |
1344 | lookup_flags |= LOOKUP_FOLLOW; |
1345 | |
1346 | if (how->resolve & RESOLVE_NO_XDEV) |
1347 | lookup_flags |= LOOKUP_NO_XDEV; |
1348 | if (how->resolve & RESOLVE_NO_MAGICLINKS) |
1349 | lookup_flags |= LOOKUP_NO_MAGICLINKS; |
1350 | if (how->resolve & RESOLVE_NO_SYMLINKS) |
1351 | lookup_flags |= LOOKUP_NO_SYMLINKS; |
1352 | if (how->resolve & RESOLVE_BENEATH) |
1353 | lookup_flags |= LOOKUP_BENEATH; |
1354 | if (how->resolve & RESOLVE_IN_ROOT) |
1355 | lookup_flags |= LOOKUP_IN_ROOT; |
1356 | if (how->resolve & RESOLVE_CACHED) { |
1357 | /* Don't bother even trying for create/truncate/tmpfile open */ |
1358 | if (flags & (O_TRUNC | O_CREAT | __O_TMPFILE)) |
1359 | return -EAGAIN; |
1360 | lookup_flags |= LOOKUP_CACHED; |
1361 | } |
1362 | |
1363 | op->lookup_flags = lookup_flags; |
1364 | return 0; |
1365 | } |
1366 | |
1367 | /** |
1368 | * file_open_name - open file and return file pointer |
1369 | * |
1370 | * @name: struct filename containing path to open |
1371 | * @flags: open flags as per the open(2) second argument |
1372 | * @mode: mode for the new file if O_CREAT is set, else ignored |
1373 | * |
1374 | * This is the helper to open a file from kernelspace if you really |
1375 | * have to. But in generally you should not do this, so please move |
1376 | * along, nothing to see here.. |
1377 | */ |
1378 | struct file *file_open_name(struct filename *name, int flags, umode_t mode) |
1379 | { |
1380 | struct open_flags op; |
1381 | struct open_how how = build_open_how(flags, mode); |
1382 | int err = build_open_flags(how: &how, op: &op); |
1383 | if (err) |
1384 | return ERR_PTR(error: err); |
1385 | return do_filp_open(AT_FDCWD, pathname: name, op: &op); |
1386 | } |
1387 | |
1388 | /** |
1389 | * filp_open - open file and return file pointer |
1390 | * |
1391 | * @filename: path to open |
1392 | * @flags: open flags as per the open(2) second argument |
1393 | * @mode: mode for the new file if O_CREAT is set, else ignored |
1394 | * |
1395 | * This is the helper to open a file from kernelspace if you really |
1396 | * have to. But in generally you should not do this, so please move |
1397 | * along, nothing to see here.. |
1398 | */ |
1399 | struct file *filp_open(const char *filename, int flags, umode_t mode) |
1400 | { |
1401 | struct filename *name = getname_kernel(filename); |
1402 | struct file *file = ERR_CAST(ptr: name); |
1403 | |
1404 | if (!IS_ERR(ptr: name)) { |
1405 | file = file_open_name(name, flags, mode); |
1406 | putname(name); |
1407 | } |
1408 | return file; |
1409 | } |
1410 | EXPORT_SYMBOL(filp_open); |
1411 | |
1412 | struct file *file_open_root(const struct path *root, |
1413 | const char *filename, int flags, umode_t mode) |
1414 | { |
1415 | struct open_flags op; |
1416 | struct open_how how = build_open_how(flags, mode); |
1417 | int err = build_open_flags(how: &how, op: &op); |
1418 | if (err) |
1419 | return ERR_PTR(error: err); |
1420 | return do_file_open_root(root, filename, &op); |
1421 | } |
1422 | EXPORT_SYMBOL(file_open_root); |
1423 | |
1424 | static long do_sys_openat2(int dfd, const char __user *filename, |
1425 | struct open_how *how) |
1426 | { |
1427 | struct open_flags op; |
1428 | int fd = build_open_flags(how, op: &op); |
1429 | struct filename *tmp; |
1430 | |
1431 | if (fd) |
1432 | return fd; |
1433 | |
1434 | tmp = getname(filename); |
1435 | if (IS_ERR(ptr: tmp)) |
1436 | return PTR_ERR(ptr: tmp); |
1437 | |
1438 | fd = get_unused_fd_flags(flags: how->flags); |
1439 | if (fd >= 0) { |
1440 | struct file *f = do_filp_open(dfd, pathname: tmp, op: &op); |
1441 | if (IS_ERR(ptr: f)) { |
1442 | put_unused_fd(fd); |
1443 | fd = PTR_ERR(ptr: f); |
1444 | } else { |
1445 | fd_install(fd, file: f); |
1446 | } |
1447 | } |
1448 | putname(name: tmp); |
1449 | return fd; |
1450 | } |
1451 | |
1452 | long do_sys_open(int dfd, const char __user *filename, int flags, umode_t mode) |
1453 | { |
1454 | struct open_how how = build_open_how(flags, mode); |
1455 | return do_sys_openat2(dfd, filename, how: &how); |
1456 | } |
1457 | |
1458 | |
1459 | SYSCALL_DEFINE3(open, const char __user *, filename, int, flags, umode_t, mode) |
1460 | { |
1461 | if (force_o_largefile()) |
1462 | flags |= O_LARGEFILE; |
1463 | return do_sys_open(AT_FDCWD, filename, flags, mode); |
1464 | } |
1465 | |
1466 | SYSCALL_DEFINE4(openat, int, dfd, const char __user *, filename, int, flags, |
1467 | umode_t, mode) |
1468 | { |
1469 | if (force_o_largefile()) |
1470 | flags |= O_LARGEFILE; |
1471 | return do_sys_open(dfd, filename, flags, mode); |
1472 | } |
1473 | |
1474 | SYSCALL_DEFINE4(openat2, int, dfd, const char __user *, filename, |
1475 | struct open_how __user *, how, size_t, usize) |
1476 | { |
1477 | int err; |
1478 | struct open_how tmp; |
1479 | |
1480 | BUILD_BUG_ON(sizeof(struct open_how) < OPEN_HOW_SIZE_VER0); |
1481 | BUILD_BUG_ON(sizeof(struct open_how) != OPEN_HOW_SIZE_LATEST); |
1482 | |
1483 | if (unlikely(usize < OPEN_HOW_SIZE_VER0)) |
1484 | return -EINVAL; |
1485 | |
1486 | err = copy_struct_from_user(dst: &tmp, ksize: sizeof(tmp), src: how, usize); |
1487 | if (err) |
1488 | return err; |
1489 | |
1490 | audit_openat2_how(how: &tmp); |
1491 | |
1492 | /* O_LARGEFILE is only allowed for non-O_PATH. */ |
1493 | if (!(tmp.flags & O_PATH) && force_o_largefile()) |
1494 | tmp.flags |= O_LARGEFILE; |
1495 | |
1496 | return do_sys_openat2(dfd, filename, how: &tmp); |
1497 | } |
1498 | |
1499 | #ifdef CONFIG_COMPAT |
1500 | /* |
1501 | * Exactly like sys_open(), except that it doesn't set the |
1502 | * O_LARGEFILE flag. |
1503 | */ |
1504 | COMPAT_SYSCALL_DEFINE3(open, const char __user *, filename, int, flags, umode_t, mode) |
1505 | { |
1506 | return do_sys_open(AT_FDCWD, filename, flags, mode); |
1507 | } |
1508 | |
1509 | /* |
1510 | * Exactly like sys_openat(), except that it doesn't set the |
1511 | * O_LARGEFILE flag. |
1512 | */ |
1513 | COMPAT_SYSCALL_DEFINE4(openat, int, dfd, const char __user *, filename, int, flags, umode_t, mode) |
1514 | { |
1515 | return do_sys_open(dfd, filename, flags, mode); |
1516 | } |
1517 | #endif |
1518 | |
1519 | #ifndef __alpha__ |
1520 | |
1521 | /* |
1522 | * For backward compatibility? Maybe this should be moved |
1523 | * into arch/i386 instead? |
1524 | */ |
1525 | SYSCALL_DEFINE2(creat, const char __user *, pathname, umode_t, mode) |
1526 | { |
1527 | int flags = O_CREAT | O_WRONLY | O_TRUNC; |
1528 | |
1529 | if (force_o_largefile()) |
1530 | flags |= O_LARGEFILE; |
1531 | return do_sys_open(AT_FDCWD, filename: pathname, flags, mode); |
1532 | } |
1533 | #endif |
1534 | |
1535 | /* |
1536 | * "id" is the POSIX thread ID. We use the |
1537 | * files pointer for this.. |
1538 | */ |
1539 | static int filp_flush(struct file *filp, fl_owner_t id) |
1540 | { |
1541 | int retval = 0; |
1542 | |
1543 | if (CHECK_DATA_CORRUPTION(file_count(filp) == 0, |
1544 | "VFS: Close: file count is 0 (f_op=%ps)" , |
1545 | filp->f_op)) { |
1546 | return 0; |
1547 | } |
1548 | |
1549 | if (filp->f_op->flush) |
1550 | retval = filp->f_op->flush(filp, id); |
1551 | |
1552 | if (likely(!(filp->f_mode & FMODE_PATH))) { |
1553 | dnotify_flush(filp, id); |
1554 | locks_remove_posix(filp, id); |
1555 | } |
1556 | return retval; |
1557 | } |
1558 | |
1559 | int filp_close(struct file *filp, fl_owner_t id) |
1560 | { |
1561 | int retval; |
1562 | |
1563 | retval = filp_flush(filp, id); |
1564 | fput(filp); |
1565 | |
1566 | return retval; |
1567 | } |
1568 | EXPORT_SYMBOL(filp_close); |
1569 | |
1570 | /* |
1571 | * Careful here! We test whether the file pointer is NULL before |
1572 | * releasing the fd. This ensures that one clone task can't release |
1573 | * an fd while another clone is opening it. |
1574 | */ |
1575 | SYSCALL_DEFINE1(close, unsigned int, fd) |
1576 | { |
1577 | int retval; |
1578 | struct file *file; |
1579 | |
1580 | file = close_fd_get_file(fd); |
1581 | if (!file) |
1582 | return -EBADF; |
1583 | |
1584 | retval = filp_flush(filp: file, current->files); |
1585 | |
1586 | /* |
1587 | * We're returning to user space. Don't bother |
1588 | * with any delayed fput() cases. |
1589 | */ |
1590 | __fput_sync(file); |
1591 | |
1592 | /* can't restart close syscall because file table entry was cleared */ |
1593 | if (unlikely(retval == -ERESTARTSYS || |
1594 | retval == -ERESTARTNOINTR || |
1595 | retval == -ERESTARTNOHAND || |
1596 | retval == -ERESTART_RESTARTBLOCK)) |
1597 | retval = -EINTR; |
1598 | |
1599 | return retval; |
1600 | } |
1601 | |
1602 | /** |
1603 | * sys_close_range() - Close all file descriptors in a given range. |
1604 | * |
1605 | * @fd: starting file descriptor to close |
1606 | * @max_fd: last file descriptor to close |
1607 | * @flags: reserved for future extensions |
1608 | * |
1609 | * This closes a range of file descriptors. All file descriptors |
1610 | * from @fd up to and including @max_fd are closed. |
1611 | * Currently, errors to close a given file descriptor are ignored. |
1612 | */ |
1613 | SYSCALL_DEFINE3(close_range, unsigned int, fd, unsigned int, max_fd, |
1614 | unsigned int, flags) |
1615 | { |
1616 | return __close_range(fd, max_fd, flags); |
1617 | } |
1618 | |
1619 | /* |
1620 | * This routine simulates a hangup on the tty, to arrange that users |
1621 | * are given clean terminals at login time. |
1622 | */ |
1623 | SYSCALL_DEFINE0(vhangup) |
1624 | { |
1625 | if (capable(CAP_SYS_TTY_CONFIG)) { |
1626 | tty_vhangup_self(); |
1627 | return 0; |
1628 | } |
1629 | return -EPERM; |
1630 | } |
1631 | |
1632 | /* |
1633 | * Called when an inode is about to be open. |
1634 | * We use this to disallow opening large files on 32bit systems if |
1635 | * the caller didn't specify O_LARGEFILE. On 64bit systems we force |
1636 | * on this flag in sys_open. |
1637 | */ |
1638 | int generic_file_open(struct inode * inode, struct file * filp) |
1639 | { |
1640 | if (!(filp->f_flags & O_LARGEFILE) && i_size_read(inode) > MAX_NON_LFS) |
1641 | return -EOVERFLOW; |
1642 | return 0; |
1643 | } |
1644 | |
1645 | EXPORT_SYMBOL(generic_file_open); |
1646 | |
1647 | /* |
1648 | * This is used by subsystems that don't want seekable |
1649 | * file descriptors. The function is not supposed to ever fail, the only |
1650 | * reason it returns an 'int' and not 'void' is so that it can be plugged |
1651 | * directly into file_operations structure. |
1652 | */ |
1653 | int nonseekable_open(struct inode *inode, struct file *filp) |
1654 | { |
1655 | filp->f_mode &= ~(FMODE_LSEEK | FMODE_PREAD | FMODE_PWRITE); |
1656 | return 0; |
1657 | } |
1658 | |
1659 | EXPORT_SYMBOL(nonseekable_open); |
1660 | |
1661 | /* |
1662 | * stream_open is used by subsystems that want stream-like file descriptors. |
1663 | * Such file descriptors are not seekable and don't have notion of position |
1664 | * (file.f_pos is always 0 and ppos passed to .read()/.write() is always NULL). |
1665 | * Contrary to file descriptors of other regular files, .read() and .write() |
1666 | * can run simultaneously. |
1667 | * |
1668 | * stream_open never fails and is marked to return int so that it could be |
1669 | * directly used as file_operations.open . |
1670 | */ |
1671 | int stream_open(struct inode *inode, struct file *filp) |
1672 | { |
1673 | filp->f_mode &= ~(FMODE_LSEEK | FMODE_PREAD | FMODE_PWRITE | FMODE_ATOMIC_POS); |
1674 | filp->f_mode |= FMODE_STREAM; |
1675 | return 0; |
1676 | } |
1677 | |
1678 | EXPORT_SYMBOL(stream_open); |
1679 | |