android/android_kernel_asus_sm8350
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
f7b4f375c7
android_kernel_asus_sm8350/fs/afs/xattr.c
Mark Salyzyn 3484eba91d FROMLIST: Add flags option to get xattr method paired to __vfs_getxattr 
Add a flag option to get xattr method that could have a bit flag of
XATTR_NOSECURITY passed to it.  XATTR_NOSECURITY is generally then
set in the __vfs_getxattr path when called by security
infrastructure.

This handles the case of a union filesystem driver that is being
requested by the security layer to report back the xattr data.

For the use case where access is to be blocked by the security layer.

The path then could be security(dentry) ->
__vfs_getxattr(dentry...XATTR_NOSECURITY) ->
handler->get(dentry...XATTR_NOSECURITY) ->
__vfs_getxattr(lower_dentry...XATTR_NOSECURITY) ->
lower_handler->get(lower_dentry...XATTR_NOSECURITY)
which would report back through the chain data and success as
expected, the logging security layer at the top would have the
data to determine the access permissions and report back the target
context that was blocked.

Without the get handler flag, the path on a union filesystem would be
the errant security(dentry) -> __vfs_getxattr(dentry) ->
handler->get(dentry) -> vfs_getxattr(lower_dentry) -> nested ->
security(lower_dentry, log off) -> lower_handler->get(lower_dentry)
which would report back through the chain no data, and -EACCES.

For selinux for both cases, this would translate to a correctly
determined blocked access. In the first case with this change a correct avc
log would be reported, in the second legacy case an incorrect avc log
would be reported against an uninitialized u:object_r:unlabeled:s0
context making the logs cosmetically useless for audit2allow.

This patch series is inert and is the wide-spread addition of the
flags option for xattr functions, and a replacement of __vfs_getxattr
with __vfs_getxattr(...XATTR_NOSECURITY).

Signed-off-by: Mark Salyzyn <salyzyn@android.com>
Reviewed-by: Jan Kara <jack@suse.cz>
Acked-by: Jan Kara <jack@suse.cz>
Acked-by: Jeff Layton <jlayton@kernel.org>
Acked-by: David Sterba <dsterba@suse.com>
Acked-by: Darrick J. Wong <darrick.wong@oracle.com>
Acked-by: Mike Marshall <hubcap@omnibond.com>
Cc: Stephen Smalley <sds@tycho.nsa.gov>
Cc: linux-kernel@vger.kernel.org
Cc: kernel-team@android.com
Cc: linux-security-module@vger.kernel.org

(cherry picked from (rejected from archive because of too many recipients))
Signed-off-by: Mark Salyzyn <salyzyn@google.com>
Bug: 133515582
Bug: 136124883
Bug: 129319403
Change-Id: Iabbb8771939d5f66667a26bb23ddf4c562c349a1
2019-11-05 13:50:57 -08:00

430 lines
9.7 KiB
C
Raw Blame History

// SPDX-License-Identifier: GPL-2.0-or-later
/* Extended attribute handling for AFS. We use xattrs to get and set metadata
* instead of providing pioctl().
*
* Copyright (C) 2017 Red Hat, Inc. All Rights Reserved.
* Written by David Howells (dhowells@redhat.com)
*/
#include <linux/slab.h>
#include <linux/fs.h>
#include <linux/xattr.h>
#include "internal.h"
static const char afs_xattr_list[] =
"afs.acl\0"
"afs.cell\0"
"afs.fid\0"
"afs.volume\0"
"afs.yfs.acl\0"
"afs.yfs.acl_inherited\0"
"afs.yfs.acl_num_cleaned\0"
"afs.yfs.vol_acl";
/*
* Retrieve a list of the supported xattrs.
*/
ssize_t afs_listxattr(struct dentry *dentry, char *buffer, size_t size)
{
if (size == 0)
return sizeof(afs_xattr_list);
if (size < sizeof(afs_xattr_list))
return -ERANGE;
memcpy(buffer, afs_xattr_list, sizeof(afs_xattr_list));
return sizeof(afs_xattr_list);
}
/*
* Get a file's ACL.
*/
static int afs_xattr_get_acl(const struct xattr_handler *handler,
struct dentry *dentry,
struct inode *inode, const char *name,
void *buffer, size_t size, int flags)
{
struct afs_fs_cursor fc;
struct afs_status_cb *scb;
struct afs_vnode *vnode = AFS_FS_I(inode);
struct afs_acl *acl = NULL;
struct key *key;
int ret = -ENOMEM;
scb = kzalloc(sizeof(struct afs_status_cb), GFP_NOFS);
if (!scb)
goto error;
key = afs_request_key(vnode->volume->cell);
if (IS_ERR(key)) {
ret = PTR_ERR(key);
goto error_scb;
}
ret = -ERESTARTSYS;
if (afs_begin_vnode_operation(&fc, vnode, key, true)) {
afs_dataversion_t data_version = vnode->status.data_version;
while (afs_select_fileserver(&fc)) {
fc.cb_break = afs_calc_vnode_cb_break(vnode);
acl = afs_fs_fetch_acl(&fc, scb);
}
afs_check_for_remote_deletion(&fc, fc.vnode);
afs_vnode_commit_status(&fc, vnode, fc.cb_break,
&data_version, scb);
ret = afs_end_vnode_operation(&fc);
}
if (ret == 0) {
ret = acl->size;
if (size > 0) {
if (acl->size <= size)
memcpy(buffer, acl->data, acl->size);
else
ret = -ERANGE;
}
kfree(acl);
}
key_put(key);
error_scb:
kfree(scb);
error:
return ret;
}
/*
* Set a file's AFS3 ACL.
*/
static int afs_xattr_set_acl(const struct xattr_handler *handler,
struct dentry *dentry,
struct inode *inode, const char *name,
const void *buffer, size_t size, int flags)
{
struct afs_fs_cursor fc;
struct afs_status_cb *scb;
struct afs_vnode *vnode = AFS_FS_I(inode);
struct afs_acl *acl = NULL;
struct key *key;
int ret = -ENOMEM;
if (flags == XATTR_CREATE)
return -EINVAL;
scb = kzalloc(sizeof(struct afs_status_cb), GFP_NOFS);
if (!scb)
goto error;
acl = kmalloc(sizeof(*acl) + size, GFP_KERNEL);
if (!acl)
goto error_scb;
key = afs_request_key(vnode->volume->cell);
if (IS_ERR(key)) {
ret = PTR_ERR(key);
goto error_acl;
}
acl->size = size;
memcpy(acl->data, buffer, size);
ret = -ERESTARTSYS;
if (afs_begin_vnode_operation(&fc, vnode, key, true)) {
afs_dataversion_t data_version = vnode->status.data_version;
while (afs_select_fileserver(&fc)) {
fc.cb_break = afs_calc_vnode_cb_break(vnode);
afs_fs_store_acl(&fc, acl, scb);
}
afs_check_for_remote_deletion(&fc, fc.vnode);
afs_vnode_commit_status(&fc, vnode, fc.cb_break,
&data_version, scb);
ret = afs_end_vnode_operation(&fc);
}
key_put(key);
error_acl:
kfree(acl);
error_scb:
kfree(scb);
error:
return ret;
}
static const struct xattr_handler afs_xattr_afs_acl_handler = {
.name = "afs.acl",
.get = afs_xattr_get_acl,
.set = afs_xattr_set_acl,
};
/*
* Get a file's YFS ACL.
*/
static int afs_xattr_get_yfs(const struct xattr_handler *handler,
struct dentry *dentry,
struct inode *inode, const char *name,
void *buffer, size_t size, int flags)
{
struct afs_fs_cursor fc;
struct afs_status_cb *scb;
struct afs_vnode *vnode = AFS_FS_I(inode);
struct yfs_acl *yacl = NULL;
struct key *key;
char buf[16], *data;
int which = 0, dsize, ret = -ENOMEM;
if (strcmp(name, "acl") == 0)
which = 0;
else if (strcmp(name, "acl_inherited") == 0)
which = 1;
else if (strcmp(name, "acl_num_cleaned") == 0)
which = 2;
else if (strcmp(name, "vol_acl") == 0)
which = 3;
else
return -EOPNOTSUPP;
yacl = kzalloc(sizeof(struct yfs_acl), GFP_KERNEL);
if (!yacl)
goto error;
if (which == 0)
yacl->flags |= YFS_ACL_WANT_ACL;
else if (which == 3)
yacl->flags |= YFS_ACL_WANT_VOL_ACL;
scb = kzalloc(sizeof(struct afs_status_cb), GFP_NOFS);
if (!scb)
goto error_yacl;
key = afs_request_key(vnode->volume->cell);
if (IS_ERR(key)) {
ret = PTR_ERR(key);
goto error_scb;
}
ret = -ERESTARTSYS;
if (afs_begin_vnode_operation(&fc, vnode, key, true)) {
afs_dataversion_t data_version = vnode->status.data_version;
while (afs_select_fileserver(&fc)) {
fc.cb_break = afs_calc_vnode_cb_break(vnode);
yfs_fs_fetch_opaque_acl(&fc, yacl, scb);
}
afs_check_for_remote_deletion(&fc, fc.vnode);
afs_vnode_commit_status(&fc, vnode, fc.cb_break,
&data_version, scb);
ret = afs_end_vnode_operation(&fc);
}
if (ret < 0)
goto error_key;
switch (which) {
case 0:
data = yacl->acl->data;
dsize = yacl->acl->size;
break;
case 1:
data = buf;
dsize = scnprintf(buf, sizeof(buf), "%u", yacl->inherit_flag);
break;
case 2:
data = buf;
dsize = scnprintf(buf, sizeof(buf), "%u", yacl->num_cleaned);
break;
case 3:
data = yacl->vol_acl->data;
dsize = yacl->vol_acl->size;
break;
default:
ret = -EOPNOTSUPP;
goto error_key;
}
ret = dsize;
if (size > 0) {
if (dsize > size) {
ret = -ERANGE;
goto error_key;
}
memcpy(buffer, data, dsize);
}
error_key:
key_put(key);
error_scb:
kfree(scb);
error_yacl:
yfs_free_opaque_acl(yacl);
error:
return ret;
}
/*
* Set a file's YFS ACL.
*/
static int afs_xattr_set_yfs(const struct xattr_handler *handler,
struct dentry *dentry,
struct inode *inode, const char *name,
const void *buffer, size_t size, int flags)
{
struct afs_fs_cursor fc;
struct afs_status_cb *scb;
struct afs_vnode *vnode = AFS_FS_I(inode);
struct afs_acl *acl = NULL;
struct key *key;
int ret = -ENOMEM;
if (flags == XATTR_CREATE ||
strcmp(name, "acl") != 0)
return -EINVAL;
scb = kzalloc(sizeof(struct afs_status_cb), GFP_NOFS);
if (!scb)
goto error;
acl = kmalloc(sizeof(*acl) + size, GFP_KERNEL);
if (!acl)
goto error_scb;
acl->size = size;
memcpy(acl->data, buffer, size);
key = afs_request_key(vnode->volume->cell);
if (IS_ERR(key)) {
ret = PTR_ERR(key);
goto error_acl;
}
ret = -ERESTARTSYS;
if (afs_begin_vnode_operation(&fc, vnode, key, true)) {
afs_dataversion_t data_version = vnode->status.data_version;
while (afs_select_fileserver(&fc)) {
fc.cb_break = afs_calc_vnode_cb_break(vnode);
yfs_fs_store_opaque_acl2(&fc, acl, scb);
}
afs_check_for_remote_deletion(&fc, fc.vnode);
afs_vnode_commit_status(&fc, vnode, fc.cb_break,
&data_version, scb);
ret = afs_end_vnode_operation(&fc);
}
error_acl:
kfree(acl);
key_put(key);
error_scb:
kfree(scb);
error:
return ret;
}
static const struct xattr_handler afs_xattr_yfs_handler = {
.prefix = "afs.yfs.",
.get = afs_xattr_get_yfs,
.set = afs_xattr_set_yfs,
};
/*
* Get the name of the cell on which a file resides.
*/
static int afs_xattr_get_cell(const struct xattr_handler *handler,
struct dentry *dentry,
struct inode *inode, const char *name,
void *buffer, size_t size, int flags)
{
struct afs_vnode *vnode = AFS_FS_I(inode);
struct afs_cell *cell = vnode->volume->cell;
size_t namelen;
namelen = cell->name_len;
if (size == 0)
return namelen;
if (namelen > size)
return -ERANGE;
memcpy(buffer, cell->name, namelen);
return namelen;
}
static const struct xattr_handler afs_xattr_afs_cell_handler = {
.name = "afs.cell",
.get = afs_xattr_get_cell,
};
/*
* Get the volume ID, vnode ID and vnode uniquifier of a file as a sequence of
* hex numbers separated by colons.
*/
static int afs_xattr_get_fid(const struct xattr_handler *handler,
struct dentry *dentry,
struct inode *inode, const char *name,
void *buffer, size_t size, int flags)
{
struct afs_vnode *vnode = AFS_FS_I(inode);
char text[16 + 1 + 24 + 1 + 8 + 1];
size_t len;
/* The volume ID is 64-bit, the vnode ID is 96-bit and the
* uniquifier is 32-bit.
*/
len = scnprintf(text, sizeof(text), "%llx:", vnode->fid.vid);
if (vnode->fid.vnode_hi)
len += scnprintf(text + len, sizeof(text) - len, "%x%016llx",
vnode->fid.vnode_hi, vnode->fid.vnode);
else
len += scnprintf(text + len, sizeof(text) - len, "%llx",
vnode->fid.vnode);
len += scnprintf(text + len, sizeof(text) - len, ":%x",
vnode->fid.unique);
if (size == 0)
return len;
if (len > size)
return -ERANGE;
memcpy(buffer, text, len);
return len;
}
static const struct xattr_handler afs_xattr_afs_fid_handler = {
.name = "afs.fid",
.get = afs_xattr_get_fid,
};
/*
* Get the name of the volume on which a file resides.
*/
static int afs_xattr_get_volume(const struct xattr_handler *handler,
struct dentry *dentry,
struct inode *inode, const char *name,
void *buffer, size_t size, int flags)
{
struct afs_vnode *vnode = AFS_FS_I(inode);
const char *volname = vnode->volume->name;
size_t namelen;
namelen = strlen(volname);
if (size == 0)
return namelen;
if (namelen > size)
return -ERANGE;
memcpy(buffer, volname, namelen);
return namelen;
}
static const struct xattr_handler afs_xattr_afs_volume_handler = {
.name = "afs.volume",
.get = afs_xattr_get_volume,
};
const struct xattr_handler *afs_xattr_handlers[] = {
&afs_xattr_afs_acl_handler,
&afs_xattr_afs_cell_handler,
&afs_xattr_afs_fid_handler,
&afs_xattr_afs_volume_handler,
&afs_xattr_yfs_handler, /* afs.yfs. prefix */
NULL
};
Reference in New Issue View Git Blame Copy Permalink