2005-04-17 00:20:36 +02:00
|
|
|
/*
|
|
|
|
|
* linux/fs/open.c
|
|
|
|
|
*
|
|
|
|
|
* Copyright (C) 1991, 1992 Linus Torvalds
|
|
|
|
|
*/
|
|
|
|
|
|
|
|
|
|
#include <linux/string.h>
|
|
|
|
|
#include <linux/mm.h>
|
|
|
|
|
#include <linux/file.h>
|
2008-04-24 13:44:08 +02:00
|
|
|
#include <linux/fdtable.h>
|
[PATCH] inotify
inotify is intended to correct the deficiencies of dnotify, particularly
its inability to scale and its terrible user interface:
* dnotify requires the opening of one fd per each directory
that you intend to watch. This quickly results in too many
open files and pins removable media, preventing unmount.
* dnotify is directory-based. You only learn about changes to
directories. Sure, a change to a file in a directory affects
the directory, but you are then forced to keep a cache of
stat structures.
* dnotify's interface to user-space is awful. Signals?
inotify provides a more usable, simple, powerful solution to file change
notification:
* inotify's interface is a system call that returns a fd, not SIGIO.
You get a single fd, which is select()-able.
* inotify has an event that says "the filesystem that the item
you were watching is on was unmounted."
* inotify can watch directories or files.
Inotify is currently used by Beagle (a desktop search infrastructure),
Gamin (a FAM replacement), and other projects.
See Documentation/filesystems/inotify.txt.
Signed-off-by: Robert Love <rml@novell.com>
Cc: John McCutchan <ttb@tentacle.dhs.org>
Cc: Christoph Hellwig <hch@lst.de>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
2005-07-12 23:06:03 +02:00
|
|
|
#include <linux/fsnotify.h>
|
2005-04-17 00:20:36 +02:00
|
|
|
#include <linux/module.h>
|
|
|
|
|
#include <linux/tty.h>
|
|
|
|
|
#include <linux/namei.h>
|
|
|
|
|
#include <linux/backing-dev.h>
|
2006-01-11 21:17:46 +01:00
|
|
|
#include <linux/capability.h>
|
2008-07-04 18:59:58 +02:00
|
|
|
#include <linux/securebits.h>
|
2005-04-17 00:20:36 +02:00
|
|
|
#include <linux/security.h>
|
|
|
|
|
#include <linux/mount.h>
|
2006-01-19 02:43:53 +01:00
|
|
|
#include <linux/fcntl.h>
|
include cleanup: Update gfp.h and slab.h includes to prepare for breaking implicit slab.h inclusion from percpu.h
percpu.h is included by sched.h and module.h and thus ends up being
included when building most .c files. percpu.h includes slab.h which
in turn includes gfp.h making everything defined by the two files
universally available and complicating inclusion dependencies.
percpu.h -> slab.h dependency is about to be removed. Prepare for
this change by updating users of gfp and slab facilities include those
headers directly instead of assuming availability. As this conversion
needs to touch large number of source files, the following script is
used as the basis of conversion.
http://userweb.kernel.org/~tj/misc/slabh-sweep.py
The script does the followings.
* Scan files for gfp and slab usages and update includes such that
only the necessary includes are there. ie. if only gfp is used,
gfp.h, if slab is used, slab.h.
* When the script inserts a new include, it looks at the include
blocks and try to put the new include such that its order conforms
to its surrounding. It's put in the include block which contains
core kernel includes, in the same order that the rest are ordered -
alphabetical, Christmas tree, rev-Xmas-tree or at the end if there
doesn't seem to be any matching order.
* If the script can't find a place to put a new include (mostly
because the file doesn't have fitting include block), it prints out
an error message indicating which .h file needs to be added to the
file.
The conversion was done in the following steps.
1. The initial automatic conversion of all .c files updated slightly
over 4000 files, deleting around 700 includes and adding ~480 gfp.h
and ~3000 slab.h inclusions. The script emitted errors for ~400
files.
2. Each error was manually checked. Some didn't need the inclusion,
some needed manual addition while adding it to implementation .h or
embedding .c file was more appropriate for others. This step added
inclusions to around 150 files.
3. The script was run again and the output was compared to the edits
from #2 to make sure no file was left behind.
4. Several build tests were done and a couple of problems were fixed.
e.g. lib/decompress_*.c used malloc/free() wrappers around slab
APIs requiring slab.h to be added manually.
5. The script was run on all .h files but without automatically
editing them as sprinkling gfp.h and slab.h inclusions around .h
files could easily lead to inclusion dependency hell. Most gfp.h
inclusion directives were ignored as stuff from gfp.h was usually
wildly available and often used in preprocessor macros. Each
slab.h inclusion directive was examined and added manually as
necessary.
6. percpu.h was updated not to include slab.h.
7. Build test were done on the following configurations and failures
were fixed. CONFIG_GCOV_KERNEL was turned off for all tests (as my
distributed build env didn't work with gcov compiles) and a few
more options had to be turned off depending on archs to make things
build (like ipr on powerpc/64 which failed due to missing writeq).
* x86 and x86_64 UP and SMP allmodconfig and a custom test config.
* powerpc and powerpc64 SMP allmodconfig
* sparc and sparc64 SMP allmodconfig
* ia64 SMP allmodconfig
* s390 SMP allmodconfig
* alpha SMP allmodconfig
* um on x86_64 SMP allmodconfig
8. percpu.h modifications were reverted so that it could be applied as
a separate patch and serve as bisection point.
Given the fact that I had only a couple of failures from tests on step
6, I'm fairly confident about the coverage of this conversion patch.
If there is a breakage, it's likely to be something in one of the arch
headers which should be easily discoverable easily on most builds of
the specific arch.
Signed-off-by: Tejun Heo <tj@kernel.org>
Guess-its-ok-by: Christoph Lameter <cl@linux-foundation.org>
Cc: Ingo Molnar <mingo@redhat.com>
Cc: Lee Schermerhorn <Lee.Schermerhorn@hp.com>
2010-03-24 09:04:11 +01:00
|
|
|
#include <linux/slab.h>
|
2005-04-17 00:20:36 +02:00
|
|
|
#include <asm/uaccess.h>
|
|
|
|
|
#include <linux/fs.h>
|
2005-06-23 09:09:58 +02:00
|
|
|
#include <linux/personality.h>
|
2005-04-17 00:20:36 +02:00
|
|
|
#include <linux/pagemap.h>
|
|
|
|
|
#include <linux/syscalls.h>
|
2005-09-09 22:04:13 +02:00
|
|
|
#include <linux/rcupdate.h>
|
2005-11-03 17:00:25 +01:00
|
|
|
#include <linux/audit.h>
|
sys_fallocate() implementation on i386, x86_64 and powerpc
fallocate() is a new system call being proposed here which will allow
applications to preallocate space to any file(s) in a file system.
Each file system implementation that wants to use this feature will need
to support an inode operation called ->fallocate().
Applications can use this feature to avoid fragmentation to certain
level and thus get faster access speed. With preallocation, applications
also get a guarantee of space for particular file(s) - even if later the
the system becomes full.
Currently, glibc provides an interface called posix_fallocate() which
can be used for similar cause. Though this has the advantage of working
on all file systems, but it is quite slow (since it writes zeroes to
each block that has to be preallocated). Without a doubt, file systems
can do this more efficiently within the kernel, by implementing
the proposed fallocate() system call. It is expected that
posix_fallocate() will be modified to call this new system call first
and incase the kernel/filesystem does not implement it, it should fall
back to the current implementation of writing zeroes to the new blocks.
ToDos:
1. Implementation on other architectures (other than i386, x86_64,
and ppc). Patches for s390(x) and ia64 are already available from
previous posts, but it was decided that they should be added later
once fallocate is in the mainline. Hence not including those patches
in this take.
2. Changes to glibc,
a) to support fallocate() system call
b) to make posix_fallocate() and posix_fallocate64() call fallocate()
Signed-off-by: Amit Arora <aarora@in.ibm.com>
2007-07-18 03:42:44 +02:00
|
|
|
#include <linux/falloc.h>
|
2009-03-30 01:50:06 +02:00
|
|
|
#include <linux/fs_struct.h>
|
2009-12-16 12:27:40 +01:00
|
|
|
#include <linux/ima.h>
|
2009-12-18 02:30:52 +01:00
|
|
|
#include <linux/dnotify.h>
|
2005-04-17 00:20:36 +02:00
|
|
|
|
2009-12-04 21:47:36 +01:00
|
|
|
#include "internal.h"
|
|
|
|
|
|
2006-01-08 10:02:39 +01:00
|
|
|
int do_truncate(struct dentry *dentry, loff_t length, unsigned int time_attrs,
|
|
|
|
|
struct file *filp)
|
2005-04-17 00:20:36 +02:00
|
|
|
{
|
2009-08-21 04:29:03 +02:00
|
|
|
int ret;
|
2005-04-17 00:20:36 +02:00
|
|
|
struct iattr newattrs;
|
|
|
|
|
|
|
|
|
|
/* Not pretty: "inode->i_size" shouldn't really be signed. But it is. */
|
|
|
|
|
if (length < 0)
|
|
|
|
|
return -EINVAL;
|
|
|
|
|
|
|
|
|
|
newattrs.ia_size = length;
|
2006-01-08 10:02:39 +01:00
|
|
|
newattrs.ia_valid = ATTR_SIZE | time_attrs;
|
2005-11-07 09:59:49 +01:00
|
|
|
if (filp) {
|
|
|
|
|
newattrs.ia_file = filp;
|
|
|
|
|
newattrs.ia_valid |= ATTR_FILE;
|
|
|
|
|
}
|
2005-04-17 00:20:36 +02:00
|
|
|
|
2007-05-09 05:10:00 +02:00
|
|
|
/* Remove suid/sgid on truncate too */
|
2009-08-21 04:29:03 +02:00
|
|
|
ret = should_remove_suid(dentry);
|
|
|
|
|
if (ret)
|
|
|
|
|
newattrs.ia_valid |= ret | ATTR_FORCE;
|
2007-05-09 05:10:00 +02:00
|
|
|
|
2006-01-10 00:59:24 +01:00
|
|
|
mutex_lock(&dentry->d_inode->i_mutex);
|
2009-08-21 04:29:03 +02:00
|
|
|
ret = notify_change(dentry, &newattrs);
|
2006-01-10 00:59:24 +01:00
|
|
|
mutex_unlock(&dentry->d_inode->i_mutex);
|
2009-08-21 04:29:03 +02:00
|
|
|
return ret;
|
2005-04-17 00:20:36 +02:00
|
|
|
}
|
|
|
|
|
|
2012-12-20 22:52:36 +01:00
|
|
|
long vfs_truncate(struct path *path, loff_t length)
|
2005-04-17 00:20:36 +02:00
|
|
|
{
|
2008-07-22 15:59:21 +02:00
|
|
|
struct inode *inode;
|
2012-12-20 22:52:36 +01:00
|
|
|
long error;
|
2005-04-17 00:20:36 +02:00
|
|
|
|
2012-12-20 22:52:36 +01:00
|
|
|
inode = path->dentry->d_inode;
|
2005-04-17 00:20:36 +02:00
|
|
|
|
|
|
|
|
/* For directories it's -EISDIR, for other non-regulars - -EINVAL */
|
|
|
|
|
if (S_ISDIR(inode->i_mode))
|
2012-12-20 22:52:36 +01:00
|
|
|
return -EISDIR;
|
2005-04-17 00:20:36 +02:00
|
|
|
if (!S_ISREG(inode->i_mode))
|
2012-12-20 22:52:36 +01:00
|
|
|
return -EINVAL;
|
2005-04-17 00:20:36 +02:00
|
|
|
|
2012-12-20 22:52:36 +01:00
|
|
|
error = mnt_want_write(path->mnt);
|
2005-04-17 00:20:36 +02:00
|
|
|
if (error)
|
2012-12-20 22:52:36 +01:00
|
|
|
goto out;
|
2005-04-17 00:20:36 +02:00
|
|
|
|
2008-07-22 14:09:30 +02:00
|
|
|
error = inode_permission(inode, MAY_WRITE);
|
2008-02-15 23:37:52 +01:00
|
|
|
if (error)
|
|
|
|
|
goto mnt_drop_write_and_out;
|
2005-04-17 00:20:36 +02:00
|
|
|
|
|
|
|
|
error = -EPERM;
|
2008-06-24 16:50:12 +02:00
|
|
|
if (IS_APPEND(inode))
|
2008-02-15 23:37:52 +01:00
|
|
|
goto mnt_drop_write_and_out;
|
2005-04-17 00:20:36 +02:00
|
|
|
|
2007-07-31 09:39:12 +02:00
|
|
|
error = get_write_access(inode);
|
2005-04-17 00:20:36 +02:00
|
|
|
if (error)
|
2008-02-15 23:37:52 +01:00
|
|
|
goto mnt_drop_write_and_out;
|
2005-04-17 00:20:36 +02:00
|
|
|
|
2007-07-31 09:39:12 +02:00
|
|
|
/*
|
|
|
|
|
* Make sure that there are no leases. get_write_access() protects
|
|
|
|
|
* against the truncate racing with a lease-granting setlease().
|
|
|
|
|
*/
|
2009-12-24 12:47:55 +01:00
|
|
|
error = break_lease(inode, O_WRONLY);
|
2005-04-17 00:20:36 +02:00
|
|
|
if (error)
|
2007-07-31 09:39:12 +02:00
|
|
|
goto put_write_and_out;
|
2005-04-17 00:20:36 +02:00
|
|
|
|
|
|
|
|
error = locks_verify_truncate(inode, NULL, length);
|
2008-12-17 05:24:15 +01:00
|
|
|
if (!error)
|
2012-12-20 22:52:36 +01:00
|
|
|
error = security_path_truncate(path);
|
2010-03-03 15:05:06 +01:00
|
|
|
if (!error)
|
2012-12-20 22:52:36 +01:00
|
|
|
error = do_truncate(path->dentry, length, 0, NULL);
|
2005-04-17 00:20:36 +02:00
|
|
|
|
2007-07-31 09:39:12 +02:00
|
|
|
put_write_and_out:
|
|
|
|
|
put_write_access(inode);
|
2008-02-15 23:37:52 +01:00
|
|
|
mnt_drop_write_and_out:
|
2012-12-20 22:52:36 +01:00
|
|
|
mnt_drop_write(path->mnt);
|
2005-04-17 00:20:36 +02:00
|
|
|
out:
|
|
|
|
|
return error;
|
|
|
|
|
}
|
2012-12-20 22:52:36 +01:00
|
|
|
EXPORT_SYMBOL_GPL(vfs_truncate);
|
|
|
|
|
|
|
|
|
|
static long do_sys_truncate(const char __user *pathname, loff_t length)
|
|
|
|
|
{
|
2012-12-11 18:10:11 +01:00
|
|
|
unsigned int lookup_flags = LOOKUP_FOLLOW;
|
2012-12-20 22:52:36 +01:00
|
|
|
struct path path;
|
|
|
|
|
int error;
|
|
|
|
|
|
|
|
|
|
if (length < 0) /* sorry, but loff_t says... */
|
|
|
|
|
return -EINVAL;
|
|
|
|
|
|
2012-12-11 18:10:11 +01:00
|
|
|
retry:
|
|
|
|
|
error = user_path_at(AT_FDCWD, pathname, lookup_flags, &path);
|
2012-12-20 22:52:36 +01:00
|
|
|
if (!error) {
|
|
|
|
|
error = vfs_truncate(&path, length);
|
|
|
|
|
path_put(&path);
|
|
|
|
|
}
|
2012-12-11 18:10:11 +01:00
|
|
|
if (retry_estale(error, lookup_flags)) {
|
|
|
|
|
lookup_flags |= LOOKUP_REVAL;
|
|
|
|
|
goto retry;
|
|
|
|
|
}
|
2012-12-20 22:52:36 +01:00
|
|
|
return error;
|
|
|
|
|
}
|
2005-04-17 00:20:36 +02:00
|
|
|
|
2009-09-23 17:49:55 +02:00
|
|
|
SYSCALL_DEFINE2(truncate, const char __user *, path, long, length)
|
2005-04-17 00:20:36 +02:00
|
|
|
{
|
2009-09-23 17:49:55 +02:00
|
|
|
return do_sys_truncate(path, length);
|
2005-04-17 00:20:36 +02:00
|
|
|
}
|
|
|
|
|
|
2006-01-08 10:05:20 +01:00
|
|
|
static long do_sys_ftruncate(unsigned int fd, loff_t length, int small)
|
2005-04-17 00:20:36 +02:00
|
|
|
{
|
2012-08-27 02:13:36 +02:00
|
|
|
struct inode *inode;
|
2005-04-17 00:20:36 +02:00
|
|
|
struct dentry *dentry;
|
2012-08-28 18:52:22 +02:00
|
|
|
struct fd f;
|
2005-04-17 00:20:36 +02:00
|
|
|
int error;
|
|
|
|
|
|
|
|
|
|
error = -EINVAL;
|
|
|
|
|
if (length < 0)
|
|
|
|
|
goto out;
|
|
|
|
|
error = -EBADF;
|
2012-08-28 18:52:22 +02:00
|
|
|
f = fdget(fd);
|
|
|
|
|
if (!f.file)
|
2005-04-17 00:20:36 +02:00
|
|
|
goto out;
|
|
|
|
|
|
|
|
|
|
/* explicitly opened as large or we are on 64-bit box */
|
2012-08-28 18:52:22 +02:00
|
|
|
if (f.file->f_flags & O_LARGEFILE)
|
2005-04-17 00:20:36 +02:00
|
|
|
small = 0;
|
|
|
|
|
|
2012-08-28 18:52:22 +02:00
|
|
|
dentry = f.file->f_path.dentry;
|
2005-04-17 00:20:36 +02:00
|
|
|
inode = dentry->d_inode;
|
|
|
|
|
error = -EINVAL;
|
2012-08-28 18:52:22 +02:00
|
|
|
if (!S_ISREG(inode->i_mode) || !(f.file->f_mode & FMODE_WRITE))
|
2005-04-17 00:20:36 +02:00
|
|
|
goto out_putf;
|
|
|
|
|
|
|
|
|
|
error = -EINVAL;
|
|
|
|
|
/* Cannot ftruncate over 2^31 bytes without large file support */
|
|
|
|
|
if (small && length > MAX_NON_LFS)
|
|
|
|
|
goto out_putf;
|
|
|
|
|
|
|
|
|
|
error = -EPERM;
|
|
|
|
|
if (IS_APPEND(inode))
|
|
|
|
|
goto out_putf;
|
|
|
|
|
|
2012-06-12 16:20:37 +02:00
|
|
|
sb_start_write(inode->i_sb);
|
2012-08-28 18:52:22 +02:00
|
|
|
error = locks_verify_truncate(inode, f.file, length);
|
2008-12-17 05:24:15 +01:00
|
|
|
if (!error)
|
2012-08-28 18:52:22 +02:00
|
|
|
error = security_path_truncate(&f.file->f_path);
|
2005-04-17 00:20:36 +02:00
|
|
|
if (!error)
|
2012-08-28 18:52:22 +02:00
|
|
|
error = do_truncate(dentry, length, ATTR_MTIME|ATTR_CTIME, f.file);
|
2012-06-12 16:20:37 +02:00
|
|
|
sb_end_write(inode->i_sb);
|
2005-04-17 00:20:36 +02:00
|
|
|
out_putf:
|
2012-08-28 18:52:22 +02:00
|
|
|
fdput(f);
|
2005-04-17 00:20:36 +02:00
|
|
|
out:
|
|
|
|
|
return error;
|
|
|
|
|
}
|
|
|
|
|
|
2009-01-14 14:14:12 +01:00
|
|
|
SYSCALL_DEFINE2(ftruncate, unsigned int, fd, unsigned long, length)
|
2005-04-17 00:20:36 +02:00
|
|
|
{
|
2006-04-18 22:02:48 +02:00
|
|
|
long ret = do_sys_ftruncate(fd, length, 1);
|
2006-04-18 22:22:59 +02:00
|
|
|
/* avoid REGPARM breakage on x86: */
|
2008-04-11 00:37:38 +02:00
|
|
|
asmlinkage_protect(2, ret, fd, length);
|
2006-04-18 22:02:48 +02:00
|
|
|
return ret;
|
2005-04-17 00:20:36 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* LFS versions of truncate are only needed on 32 bit machines */
|
|
|
|
|
#if BITS_PER_LONG == 32
|
2009-01-14 14:14:02 +01:00
|
|
|
SYSCALL_DEFINE(truncate64)(const char __user * path, loff_t length)
|
2005-04-17 00:20:36 +02:00
|
|
|
{
|
|
|
|
|
return do_sys_truncate(path, length);
|
|
|
|
|
}
|
2009-01-14 14:14:02 +01:00
|
|
|
#ifdef CONFIG_HAVE_SYSCALL_WRAPPERS
|
|
|
|
|
asmlinkage long SyS_truncate64(long path, loff_t length)
|
|
|
|
|
{
|
|
|
|
|
return SYSC_truncate64((const char __user *) path, length);
|
|
|
|
|
}
|
|
|
|
|
SYSCALL_ALIAS(sys_truncate64, SyS_truncate64);
|
|
|
|
|
#endif
|
2005-04-17 00:20:36 +02:00
|
|
|
|
2009-01-14 14:14:02 +01:00
|
|
|
SYSCALL_DEFINE(ftruncate64)(unsigned int fd, loff_t length)
|
2005-04-17 00:20:36 +02:00
|
|
|
{
|
2006-04-18 22:02:48 +02:00
|
|
|
long ret = do_sys_ftruncate(fd, length, 0);
|
2006-04-18 22:22:59 +02:00
|
|
|
/* avoid REGPARM breakage on x86: */
|
2008-04-11 00:37:38 +02:00
|
|
|
asmlinkage_protect(2, ret, fd, length);
|
2006-04-18 22:02:48 +02:00
|
|
|
return ret;
|
2005-04-17 00:20:36 +02:00
|
|
|
}
|
2009-01-14 14:14:02 +01:00
|
|
|
#ifdef CONFIG_HAVE_SYSCALL_WRAPPERS
|
|
|
|
|
asmlinkage long SyS_ftruncate64(long fd, loff_t length)
|
|
|
|
|
{
|
|
|
|
|
return SYSC_ftruncate64((unsigned int) fd, length);
|
|
|
|
|
}
|
|
|
|
|
SYSCALL_ALIAS(sys_ftruncate64, SyS_ftruncate64);
|
2005-04-17 00:20:36 +02:00
|
|
|
#endif
|
2009-01-14 14:14:02 +01:00
|
|
|
#endif /* BITS_PER_LONG == 32 */
|
2005-04-17 00:20:36 +02:00
|
|
|
|
2009-06-19 20:28:07 +02:00
|
|
|
|
|
|
|
|
int do_fallocate(struct file *file, int mode, loff_t offset, loff_t len)
|
sys_fallocate() implementation on i386, x86_64 and powerpc
fallocate() is a new system call being proposed here which will allow
applications to preallocate space to any file(s) in a file system.
Each file system implementation that wants to use this feature will need
to support an inode operation called ->fallocate().
Applications can use this feature to avoid fragmentation to certain
level and thus get faster access speed. With preallocation, applications
also get a guarantee of space for particular file(s) - even if later the
the system becomes full.
Currently, glibc provides an interface called posix_fallocate() which
can be used for similar cause. Though this has the advantage of working
on all file systems, but it is quite slow (since it writes zeroes to
each block that has to be preallocated). Without a doubt, file systems
can do this more efficiently within the kernel, by implementing
the proposed fallocate() system call. It is expected that
posix_fallocate() will be modified to call this new system call first
and incase the kernel/filesystem does not implement it, it should fall
back to the current implementation of writing zeroes to the new blocks.
ToDos:
1. Implementation on other architectures (other than i386, x86_64,
and ppc). Patches for s390(x) and ia64 are already available from
previous posts, but it was decided that they should be added later
once fallocate is in the mainline. Hence not including those patches
in this take.
2. Changes to glibc,
a) to support fallocate() system call
b) to make posix_fallocate() and posix_fallocate64() call fallocate()
Signed-off-by: Amit Arora <aarora@in.ibm.com>
2007-07-18 03:42:44 +02:00
|
|
|
{
|
2009-06-19 20:28:07 +02:00
|
|
|
struct inode *inode = file->f_path.dentry->d_inode;
|
|
|
|
|
long ret;
|
sys_fallocate() implementation on i386, x86_64 and powerpc
fallocate() is a new system call being proposed here which will allow
applications to preallocate space to any file(s) in a file system.
Each file system implementation that wants to use this feature will need
to support an inode operation called ->fallocate().
Applications can use this feature to avoid fragmentation to certain
level and thus get faster access speed. With preallocation, applications
also get a guarantee of space for particular file(s) - even if later the
the system becomes full.
Currently, glibc provides an interface called posix_fallocate() which
can be used for similar cause. Though this has the advantage of working
on all file systems, but it is quite slow (since it writes zeroes to
each block that has to be preallocated). Without a doubt, file systems
can do this more efficiently within the kernel, by implementing
the proposed fallocate() system call. It is expected that
posix_fallocate() will be modified to call this new system call first
and incase the kernel/filesystem does not implement it, it should fall
back to the current implementation of writing zeroes to the new blocks.
ToDos:
1. Implementation on other architectures (other than i386, x86_64,
and ppc). Patches for s390(x) and ia64 are already available from
previous posts, but it was decided that they should be added later
once fallocate is in the mainline. Hence not including those patches
in this take.
2. Changes to glibc,
a) to support fallocate() system call
b) to make posix_fallocate() and posix_fallocate64() call fallocate()
Signed-off-by: Amit Arora <aarora@in.ibm.com>
2007-07-18 03:42:44 +02:00
|
|
|
|
|
|
|
|
if (offset < 0 || len <= 0)
|
2009-06-19 20:28:07 +02:00
|
|
|
return -EINVAL;
|
sys_fallocate() implementation on i386, x86_64 and powerpc
fallocate() is a new system call being proposed here which will allow
applications to preallocate space to any file(s) in a file system.
Each file system implementation that wants to use this feature will need
to support an inode operation called ->fallocate().
Applications can use this feature to avoid fragmentation to certain
level and thus get faster access speed. With preallocation, applications
also get a guarantee of space for particular file(s) - even if later the
the system becomes full.
Currently, glibc provides an interface called posix_fallocate() which
can be used for similar cause. Though this has the advantage of working
on all file systems, but it is quite slow (since it writes zeroes to
each block that has to be preallocated). Without a doubt, file systems
can do this more efficiently within the kernel, by implementing
the proposed fallocate() system call. It is expected that
posix_fallocate() will be modified to call this new system call first
and incase the kernel/filesystem does not implement it, it should fall
back to the current implementation of writing zeroes to the new blocks.
ToDos:
1. Implementation on other architectures (other than i386, x86_64,
and ppc). Patches for s390(x) and ia64 are already available from
previous posts, but it was decided that they should be added later
once fallocate is in the mainline. Hence not including those patches
in this take.
2. Changes to glibc,
a) to support fallocate() system call
b) to make posix_fallocate() and posix_fallocate64() call fallocate()
Signed-off-by: Amit Arora <aarora@in.ibm.com>
2007-07-18 03:42:44 +02:00
|
|
|
|
|
|
|
|
/* Return error if mode is not supported */
|
2010-11-18 02:46:15 +01:00
|
|
|
if (mode & ~(FALLOC_FL_KEEP_SIZE | FALLOC_FL_PUNCH_HOLE))
|
|
|
|
|
return -EOPNOTSUPP;
|
|
|
|
|
|
|
|
|
|
/* Punch hole must have keep size set */
|
|
|
|
|
if ((mode & FALLOC_FL_PUNCH_HOLE) &&
|
|
|
|
|
!(mode & FALLOC_FL_KEEP_SIZE))
|
2009-06-19 20:28:07 +02:00
|
|
|
return -EOPNOTSUPP;
|
sys_fallocate() implementation on i386, x86_64 and powerpc
fallocate() is a new system call being proposed here which will allow
applications to preallocate space to any file(s) in a file system.
Each file system implementation that wants to use this feature will need
to support an inode operation called ->fallocate().
Applications can use this feature to avoid fragmentation to certain
level and thus get faster access speed. With preallocation, applications
also get a guarantee of space for particular file(s) - even if later the
the system becomes full.
Currently, glibc provides an interface called posix_fallocate() which
can be used for similar cause. Though this has the advantage of working
on all file systems, but it is quite slow (since it writes zeroes to
each block that has to be preallocated). Without a doubt, file systems
can do this more efficiently within the kernel, by implementing
the proposed fallocate() system call. It is expected that
posix_fallocate() will be modified to call this new system call first
and incase the kernel/filesystem does not implement it, it should fall
back to the current implementation of writing zeroes to the new blocks.
ToDos:
1. Implementation on other architectures (other than i386, x86_64,
and ppc). Patches for s390(x) and ia64 are already available from
previous posts, but it was decided that they should be added later
once fallocate is in the mainline. Hence not including those patches
in this take.
2. Changes to glibc,
a) to support fallocate() system call
b) to make posix_fallocate() and posix_fallocate64() call fallocate()
Signed-off-by: Amit Arora <aarora@in.ibm.com>
2007-07-18 03:42:44 +02:00
|
|
|
|
|
|
|
|
if (!(file->f_mode & FMODE_WRITE))
|
2009-06-19 20:28:07 +02:00
|
|
|
return -EBADF;
|
2011-03-05 11:10:19 +01:00
|
|
|
|
|
|
|
|
/* It's not possible punch hole on append only file */
|
|
|
|
|
if (mode & FALLOC_FL_PUNCH_HOLE && IS_APPEND(inode))
|
|
|
|
|
return -EPERM;
|
|
|
|
|
|
|
|
|
|
if (IS_IMMUTABLE(inode))
|
|
|
|
|
return -EPERM;
|
|
|
|
|
|
sys_fallocate() implementation on i386, x86_64 and powerpc
fallocate() is a new system call being proposed here which will allow
applications to preallocate space to any file(s) in a file system.
Each file system implementation that wants to use this feature will need
to support an inode operation called ->fallocate().
Applications can use this feature to avoid fragmentation to certain
level and thus get faster access speed. With preallocation, applications
also get a guarantee of space for particular file(s) - even if later the
the system becomes full.
Currently, glibc provides an interface called posix_fallocate() which
can be used for similar cause. Though this has the advantage of working
on all file systems, but it is quite slow (since it writes zeroes to
each block that has to be preallocated). Without a doubt, file systems
can do this more efficiently within the kernel, by implementing
the proposed fallocate() system call. It is expected that
posix_fallocate() will be modified to call this new system call first
and incase the kernel/filesystem does not implement it, it should fall
back to the current implementation of writing zeroes to the new blocks.
ToDos:
1. Implementation on other architectures (other than i386, x86_64,
and ppc). Patches for s390(x) and ia64 are already available from
previous posts, but it was decided that they should be added later
once fallocate is in the mainline. Hence not including those patches
in this take.
2. Changes to glibc,
a) to support fallocate() system call
b) to make posix_fallocate() and posix_fallocate64() call fallocate()
Signed-off-by: Amit Arora <aarora@in.ibm.com>
2007-07-18 03:42:44 +02:00
|
|
|
/*
|
|
|
|
|
* Revalidate the write permissions, in case security policy has
|
|
|
|
|
* changed since the files were opened.
|
|
|
|
|
*/
|
|
|
|
|
ret = security_file_permission(file, MAY_WRITE);
|
|
|
|
|
if (ret)
|
2009-06-19 20:28:07 +02:00
|
|
|
return ret;
|
sys_fallocate() implementation on i386, x86_64 and powerpc
fallocate() is a new system call being proposed here which will allow
applications to preallocate space to any file(s) in a file system.
Each file system implementation that wants to use this feature will need
to support an inode operation called ->fallocate().
Applications can use this feature to avoid fragmentation to certain
level and thus get faster access speed. With preallocation, applications
also get a guarantee of space for particular file(s) - even if later the
the system becomes full.
Currently, glibc provides an interface called posix_fallocate() which
can be used for similar cause. Though this has the advantage of working
on all file systems, but it is quite slow (since it writes zeroes to
each block that has to be preallocated). Without a doubt, file systems
can do this more efficiently within the kernel, by implementing
the proposed fallocate() system call. It is expected that
posix_fallocate() will be modified to call this new system call first
and incase the kernel/filesystem does not implement it, it should fall
back to the current implementation of writing zeroes to the new blocks.
ToDos:
1. Implementation on other architectures (other than i386, x86_64,
and ppc). Patches for s390(x) and ia64 are already available from
previous posts, but it was decided that they should be added later
once fallocate is in the mainline. Hence not including those patches
in this take.
2. Changes to glibc,
a) to support fallocate() system call
b) to make posix_fallocate() and posix_fallocate64() call fallocate()
Signed-off-by: Amit Arora <aarora@in.ibm.com>
2007-07-18 03:42:44 +02:00
|
|
|
|
|
|
|
|
if (S_ISFIFO(inode->i_mode))
|
2009-06-19 20:28:07 +02:00
|
|
|
return -ESPIPE;
|
sys_fallocate() implementation on i386, x86_64 and powerpc
fallocate() is a new system call being proposed here which will allow
applications to preallocate space to any file(s) in a file system.
Each file system implementation that wants to use this feature will need
to support an inode operation called ->fallocate().
Applications can use this feature to avoid fragmentation to certain
level and thus get faster access speed. With preallocation, applications
also get a guarantee of space for particular file(s) - even if later the
the system becomes full.
Currently, glibc provides an interface called posix_fallocate() which
can be used for similar cause. Though this has the advantage of working
on all file systems, but it is quite slow (since it writes zeroes to
each block that has to be preallocated). Without a doubt, file systems
can do this more efficiently within the kernel, by implementing
the proposed fallocate() system call. It is expected that
posix_fallocate() will be modified to call this new system call first
and incase the kernel/filesystem does not implement it, it should fall
back to the current implementation of writing zeroes to the new blocks.
ToDos:
1. Implementation on other architectures (other than i386, x86_64,
and ppc). Patches for s390(x) and ia64 are already available from
previous posts, but it was decided that they should be added later
once fallocate is in the mainline. Hence not including those patches
in this take.
2. Changes to glibc,
a) to support fallocate() system call
b) to make posix_fallocate() and posix_fallocate64() call fallocate()
Signed-off-by: Amit Arora <aarora@in.ibm.com>
2007-07-18 03:42:44 +02:00
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Let individual file system decide if it supports preallocation
|
|
|
|
|
* for directories or not.
|
|
|
|
|
*/
|
|
|
|
|
if (!S_ISREG(inode->i_mode) && !S_ISDIR(inode->i_mode))
|
2009-06-19 20:28:07 +02:00
|
|
|
return -ENODEV;
|
sys_fallocate() implementation on i386, x86_64 and powerpc
fallocate() is a new system call being proposed here which will allow
applications to preallocate space to any file(s) in a file system.
Each file system implementation that wants to use this feature will need
to support an inode operation called ->fallocate().
Applications can use this feature to avoid fragmentation to certain
level and thus get faster access speed. With preallocation, applications
also get a guarantee of space for particular file(s) - even if later the
the system becomes full.
Currently, glibc provides an interface called posix_fallocate() which
can be used for similar cause. Though this has the advantage of working
on all file systems, but it is quite slow (since it writes zeroes to
each block that has to be preallocated). Without a doubt, file systems
can do this more efficiently within the kernel, by implementing
the proposed fallocate() system call. It is expected that
posix_fallocate() will be modified to call this new system call first
and incase the kernel/filesystem does not implement it, it should fall
back to the current implementation of writing zeroes to the new blocks.
ToDos:
1. Implementation on other architectures (other than i386, x86_64,
and ppc). Patches for s390(x) and ia64 are already available from
previous posts, but it was decided that they should be added later
once fallocate is in the mainline. Hence not including those patches
in this take.
2. Changes to glibc,
a) to support fallocate() system call
b) to make posix_fallocate() and posix_fallocate64() call fallocate()
Signed-off-by: Amit Arora <aarora@in.ibm.com>
2007-07-18 03:42:44 +02:00
|
|
|
|
|
|
|
|
/* Check for wrap through zero too */
|
|
|
|
|
if (((offset + len) > inode->i_sb->s_maxbytes) || ((offset + len) < 0))
|
2009-06-19 20:28:07 +02:00
|
|
|
return -EFBIG;
|
sys_fallocate() implementation on i386, x86_64 and powerpc
fallocate() is a new system call being proposed here which will allow
applications to preallocate space to any file(s) in a file system.
Each file system implementation that wants to use this feature will need
to support an inode operation called ->fallocate().
Applications can use this feature to avoid fragmentation to certain
level and thus get faster access speed. With preallocation, applications
also get a guarantee of space for particular file(s) - even if later the
the system becomes full.
Currently, glibc provides an interface called posix_fallocate() which
can be used for similar cause. Though this has the advantage of working
on all file systems, but it is quite slow (since it writes zeroes to
each block that has to be preallocated). Without a doubt, file systems
can do this more efficiently within the kernel, by implementing
the proposed fallocate() system call. It is expected that
posix_fallocate() will be modified to call this new system call first
and incase the kernel/filesystem does not implement it, it should fall
back to the current implementation of writing zeroes to the new blocks.
ToDos:
1. Implementation on other architectures (other than i386, x86_64,
and ppc). Patches for s390(x) and ia64 are already available from
previous posts, but it was decided that they should be added later
once fallocate is in the mainline. Hence not including those patches
in this take.
2. Changes to glibc,
a) to support fallocate() system call
b) to make posix_fallocate() and posix_fallocate64() call fallocate()
Signed-off-by: Amit Arora <aarora@in.ibm.com>
2007-07-18 03:42:44 +02:00
|
|
|
|
2011-01-14 13:07:43 +01:00
|
|
|
if (!file->f_op->fallocate)
|
2009-06-19 20:28:07 +02:00
|
|
|
return -EOPNOTSUPP;
|
sys_fallocate() implementation on i386, x86_64 and powerpc
fallocate() is a new system call being proposed here which will allow
applications to preallocate space to any file(s) in a file system.
Each file system implementation that wants to use this feature will need
to support an inode operation called ->fallocate().
Applications can use this feature to avoid fragmentation to certain
level and thus get faster access speed. With preallocation, applications
also get a guarantee of space for particular file(s) - even if later the
the system becomes full.
Currently, glibc provides an interface called posix_fallocate() which
can be used for similar cause. Though this has the advantage of working
on all file systems, but it is quite slow (since it writes zeroes to
each block that has to be preallocated). Without a doubt, file systems
can do this more efficiently within the kernel, by implementing
the proposed fallocate() system call. It is expected that
posix_fallocate() will be modified to call this new system call first
and incase the kernel/filesystem does not implement it, it should fall
back to the current implementation of writing zeroes to the new blocks.
ToDos:
1. Implementation on other architectures (other than i386, x86_64,
and ppc). Patches for s390(x) and ia64 are already available from
previous posts, but it was decided that they should be added later
once fallocate is in the mainline. Hence not including those patches
in this take.
2. Changes to glibc,
a) to support fallocate() system call
b) to make posix_fallocate() and posix_fallocate64() call fallocate()
Signed-off-by: Amit Arora <aarora@in.ibm.com>
2007-07-18 03:42:44 +02:00
|
|
|
|
2012-06-12 16:20:37 +02:00
|
|
|
sb_start_write(inode->i_sb);
|
|
|
|
|
ret = file->f_op->fallocate(file, mode, offset, len);
|
|
|
|
|
sb_end_write(inode->i_sb);
|
|
|
|
|
return ret;
|
2009-06-19 20:28:07 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
SYSCALL_DEFINE(fallocate)(int fd, int mode, loff_t offset, loff_t len)
|
|
|
|
|
{
|
2012-08-28 18:52:22 +02:00
|
|
|
struct fd f = fdget(fd);
|
2009-06-19 20:28:07 +02:00
|
|
|
int error = -EBADF;
|
|
|
|
|
|
2012-08-28 18:52:22 +02:00
|
|
|
if (f.file) {
|
|
|
|
|
error = do_fallocate(f.file, mode, offset, len);
|
|
|
|
|
fdput(f);
|
2009-06-19 20:28:07 +02:00
|
|
|
}
|
|
|
|
|
return error;
|
sys_fallocate() implementation on i386, x86_64 and powerpc
fallocate() is a new system call being proposed here which will allow
applications to preallocate space to any file(s) in a file system.
Each file system implementation that wants to use this feature will need
to support an inode operation called ->fallocate().
Applications can use this feature to avoid fragmentation to certain
level and thus get faster access speed. With preallocation, applications
also get a guarantee of space for particular file(s) - even if later the
the system becomes full.
Currently, glibc provides an interface called posix_fallocate() which
can be used for similar cause. Though this has the advantage of working
on all file systems, but it is quite slow (since it writes zeroes to
each block that has to be preallocated). Without a doubt, file systems
can do this more efficiently within the kernel, by implementing
the proposed fallocate() system call. It is expected that
posix_fallocate() will be modified to call this new system call first
and incase the kernel/filesystem does not implement it, it should fall
back to the current implementation of writing zeroes to the new blocks.
ToDos:
1. Implementation on other architectures (other than i386, x86_64,
and ppc). Patches for s390(x) and ia64 are already available from
previous posts, but it was decided that they should be added later
once fallocate is in the mainline. Hence not including those patches
in this take.
2. Changes to glibc,
a) to support fallocate() system call
b) to make posix_fallocate() and posix_fallocate64() call fallocate()
Signed-off-by: Amit Arora <aarora@in.ibm.com>
2007-07-18 03:42:44 +02:00
|
|
|
}
|
2009-06-19 20:28:07 +02:00
|
|
|
|
2009-01-14 14:14:02 +01:00
|
|
|
#ifdef CONFIG_HAVE_SYSCALL_WRAPPERS
|
|
|
|
|
asmlinkage long SyS_fallocate(long fd, long mode, loff_t offset, loff_t len)
|
|
|
|
|
{
|
|
|
|
|
return SYSC_fallocate((int)fd, (int)mode, offset, len);
|
|
|
|
|
}
|
|
|
|
|
SYSCALL_ALIAS(sys_fallocate, SyS_fallocate);
|
|
|
|
|
#endif
|
sys_fallocate() implementation on i386, x86_64 and powerpc
fallocate() is a new system call being proposed here which will allow
applications to preallocate space to any file(s) in a file system.
Each file system implementation that wants to use this feature will need
to support an inode operation called ->fallocate().
Applications can use this feature to avoid fragmentation to certain
level and thus get faster access speed. With preallocation, applications
also get a guarantee of space for particular file(s) - even if later the
the system becomes full.
Currently, glibc provides an interface called posix_fallocate() which
can be used for similar cause. Though this has the advantage of working
on all file systems, but it is quite slow (since it writes zeroes to
each block that has to be preallocated). Without a doubt, file systems
can do this more efficiently within the kernel, by implementing
the proposed fallocate() system call. It is expected that
posix_fallocate() will be modified to call this new system call first
and incase the kernel/filesystem does not implement it, it should fall
back to the current implementation of writing zeroes to the new blocks.
ToDos:
1. Implementation on other architectures (other than i386, x86_64,
and ppc). Patches for s390(x) and ia64 are already available from
previous posts, but it was decided that they should be added later
once fallocate is in the mainline. Hence not including those patches
in this take.
2. Changes to glibc,
a) to support fallocate() system call
b) to make posix_fallocate() and posix_fallocate64() call fallocate()
Signed-off-by: Amit Arora <aarora@in.ibm.com>
2007-07-18 03:42:44 +02:00
|
|
|
|
2005-04-17 00:20:36 +02:00
|
|
|
/*
|
|
|
|
|
* access() needs to use the real uid/gid, not the effective uid/gid.
|
|
|
|
|
* We do this by temporarily clearing all FS-related capabilities and
|
|
|
|
|
* switching the fsuid/fsgid around to the real ones.
|
|
|
|
|
*/
|
2009-01-14 14:14:32 +01:00
|
|
|
SYSCALL_DEFINE3(faccessat, int, dfd, const char __user *, filename, int, mode)
|
2005-04-17 00:20:36 +02:00
|
|
|
{
|
CRED: Inaugurate COW credentials
Inaugurate copy-on-write credentials management. This uses RCU to manage the
credentials pointer in the task_struct with respect to accesses by other tasks.
A process may only modify its own credentials, and so does not need locking to
access or modify its own credentials.
A mutex (cred_replace_mutex) is added to the task_struct to control the effect
of PTRACE_ATTACHED on credential calculations, particularly with respect to
execve().
With this patch, the contents of an active credentials struct may not be
changed directly; rather a new set of credentials must be prepared, modified
and committed using something like the following sequence of events:
struct cred *new = prepare_creds();
int ret = blah(new);
if (ret < 0) {
abort_creds(new);
return ret;
}
return commit_creds(new);
There are some exceptions to this rule: the keyrings pointed to by the active
credentials may be instantiated - keyrings violate the COW rule as managing
COW keyrings is tricky, given that it is possible for a task to directly alter
the keys in a keyring in use by another task.
To help enforce this, various pointers to sets of credentials, such as those in
the task_struct, are declared const. The purpose of this is compile-time
discouragement of altering credentials through those pointers. Once a set of
credentials has been made public through one of these pointers, it may not be
modified, except under special circumstances:
(1) Its reference count may incremented and decremented.
(2) The keyrings to which it points may be modified, but not replaced.
The only safe way to modify anything else is to create a replacement and commit
using the functions described in Documentation/credentials.txt (which will be
added by a later patch).
This patch and the preceding patches have been tested with the LTP SELinux
testsuite.
This patch makes several logical sets of alteration:
(1) execve().
This now prepares and commits credentials in various places in the
security code rather than altering the current creds directly.
(2) Temporary credential overrides.
do_coredump() and sys_faccessat() now prepare their own credentials and
temporarily override the ones currently on the acting thread, whilst
preventing interference from other threads by holding cred_replace_mutex
on the thread being dumped.
This will be replaced in a future patch by something that hands down the
credentials directly to the functions being called, rather than altering
the task's objective credentials.
(3) LSM interface.
A number of functions have been changed, added or removed:
(*) security_capset_check(), ->capset_check()
(*) security_capset_set(), ->capset_set()
Removed in favour of security_capset().
(*) security_capset(), ->capset()
New. This is passed a pointer to the new creds, a pointer to the old
creds and the proposed capability sets. It should fill in the new
creds or return an error. All pointers, barring the pointer to the
new creds, are now const.
(*) security_bprm_apply_creds(), ->bprm_apply_creds()
Changed; now returns a value, which will cause the process to be
killed if it's an error.
(*) security_task_alloc(), ->task_alloc_security()
Removed in favour of security_prepare_creds().
(*) security_cred_free(), ->cred_free()
New. Free security data attached to cred->security.
(*) security_prepare_creds(), ->cred_prepare()
New. Duplicate any security data attached to cred->security.
(*) security_commit_creds(), ->cred_commit()
New. Apply any security effects for the upcoming installation of new
security by commit_creds().
(*) security_task_post_setuid(), ->task_post_setuid()
Removed in favour of security_task_fix_setuid().
(*) security_task_fix_setuid(), ->task_fix_setuid()
Fix up the proposed new credentials for setuid(). This is used by
cap_set_fix_setuid() to implicitly adjust capabilities in line with
setuid() changes. Changes are made to the new credentials, rather
than the task itself as in security_task_post_setuid().
(*) security_task_reparent_to_init(), ->task_reparent_to_init()
Removed. Instead the task being reparented to init is referred
directly to init's credentials.
NOTE! This results in the loss of some state: SELinux's osid no
longer records the sid of the thread that forked it.
(*) security_key_alloc(), ->key_alloc()
(*) security_key_permission(), ->key_permission()
Changed. These now take cred pointers rather than task pointers to
refer to the security context.
(4) sys_capset().
This has been simplified and uses less locking. The LSM functions it
calls have been merged.
(5) reparent_to_kthreadd().
This gives the current thread the same credentials as init by simply using
commit_thread() to point that way.
(6) __sigqueue_alloc() and switch_uid()
__sigqueue_alloc() can't stop the target task from changing its creds
beneath it, so this function gets a reference to the currently applicable
user_struct which it then passes into the sigqueue struct it returns if
successful.
switch_uid() is now called from commit_creds(), and possibly should be
folded into that. commit_creds() should take care of protecting
__sigqueue_alloc().
(7) [sg]et[ug]id() and co and [sg]et_current_groups.
The set functions now all use prepare_creds(), commit_creds() and
abort_creds() to build and check a new set of credentials before applying
it.
security_task_set[ug]id() is called inside the prepared section. This
guarantees that nothing else will affect the creds until we've finished.
The calling of set_dumpable() has been moved into commit_creds().
Much of the functionality of set_user() has been moved into
commit_creds().
The get functions all simply access the data directly.
(8) security_task_prctl() and cap_task_prctl().
security_task_prctl() has been modified to return -ENOSYS if it doesn't
want to handle a function, or otherwise return the return value directly
rather than through an argument.
Additionally, cap_task_prctl() now prepares a new set of credentials, even
if it doesn't end up using it.
(9) Keyrings.
A number of changes have been made to the keyrings code:
(a) switch_uid_keyring(), copy_keys(), exit_keys() and suid_keys() have
all been dropped and built in to the credentials functions directly.
They may want separating out again later.
(b) key_alloc() and search_process_keyrings() now take a cred pointer
rather than a task pointer to specify the security context.
(c) copy_creds() gives a new thread within the same thread group a new
thread keyring if its parent had one, otherwise it discards the thread
keyring.
(d) The authorisation key now points directly to the credentials to extend
the search into rather pointing to the task that carries them.
(e) Installing thread, process or session keyrings causes a new set of
credentials to be created, even though it's not strictly necessary for
process or session keyrings (they're shared).
(10) Usermode helper.
The usermode helper code now carries a cred struct pointer in its
subprocess_info struct instead of a new session keyring pointer. This set
of credentials is derived from init_cred and installed on the new process
after it has been cloned.
call_usermodehelper_setup() allocates the new credentials and
call_usermodehelper_freeinfo() discards them if they haven't been used. A
special cred function (prepare_usermodeinfo_creds()) is provided
specifically for call_usermodehelper_setup() to call.
call_usermodehelper_setkeys() adjusts the credentials to sport the
supplied keyring as the new session keyring.
(11) SELinux.
SELinux has a number of changes, in addition to those to support the LSM
interface changes mentioned above:
(a) selinux_setprocattr() no longer does its check for whether the
current ptracer can access processes with the new SID inside the lock
that covers getting the ptracer's SID. Whilst this lock ensures that
the check is done with the ptracer pinned, the result is only valid
until the lock is released, so there's no point doing it inside the
lock.
(12) is_single_threaded().
This function has been extracted from selinux_setprocattr() and put into
a file of its own in the lib/ directory as join_session_keyring() now
wants to use it too.
The code in SELinux just checked to see whether a task shared mm_structs
with other tasks (CLONE_VM), but that isn't good enough. We really want
to know if they're part of the same thread group (CLONE_THREAD).
(13) nfsd.
The NFS server daemon now has to use the COW credentials to set the
credentials it is going to use. It really needs to pass the credentials
down to the functions it calls, but it can't do that until other patches
in this series have been applied.
Signed-off-by: David Howells <dhowells@redhat.com>
Acked-by: James Morris <jmorris@namei.org>
Signed-off-by: James Morris <jmorris@namei.org>
2008-11-14 00:39:23 +01:00
|
|
|
const struct cred *old_cred;
|
|
|
|
|
struct cred *override_cred;
|
2008-07-22 15:59:21 +02:00
|
|
|
struct path path;
|
2008-07-22 14:09:30 +02:00
|
|
|
struct inode *inode;
|
2005-04-17 00:20:36 +02:00
|
|
|
int res;
|
2012-12-11 18:10:11 +01:00
|
|
|
unsigned int lookup_flags = LOOKUP_FOLLOW;
|
2005-04-17 00:20:36 +02:00
|
|
|
|
|
|
|
|
if (mode & ~S_IRWXO) /* where's F_OK, X_OK, W_OK, R_OK? */
|
|
|
|
|
return -EINVAL;
|
|
|
|
|
|
CRED: Inaugurate COW credentials
Inaugurate copy-on-write credentials management. This uses RCU to manage the
credentials pointer in the task_struct with respect to accesses by other tasks.
A process may only modify its own credentials, and so does not need locking to
access or modify its own credentials.
A mutex (cred_replace_mutex) is added to the task_struct to control the effect
of PTRACE_ATTACHED on credential calculations, particularly with respect to
execve().
With this patch, the contents of an active credentials struct may not be
changed directly; rather a new set of credentials must be prepared, modified
and committed using something like the following sequence of events:
struct cred *new = prepare_creds();
int ret = blah(new);
if (ret < 0) {
abort_creds(new);
return ret;
}
return commit_creds(new);
There are some exceptions to this rule: the keyrings pointed to by the active
credentials may be instantiated - keyrings violate the COW rule as managing
COW keyrings is tricky, given that it is possible for a task to directly alter
the keys in a keyring in use by another task.
To help enforce this, various pointers to sets of credentials, such as those in
the task_struct, are declared const. The purpose of this is compile-time
discouragement of altering credentials through those pointers. Once a set of
credentials has been made public through one of these pointers, it may not be
modified, except under special circumstances:
(1) Its reference count may incremented and decremented.
(2) The keyrings to which it points may be modified, but not replaced.
The only safe way to modify anything else is to create a replacement and commit
using the functions described in Documentation/credentials.txt (which will be
added by a later patch).
This patch and the preceding patches have been tested with the LTP SELinux
testsuite.
This patch makes several logical sets of alteration:
(1) execve().
This now prepares and commits credentials in various places in the
security code rather than altering the current creds directly.
(2) Temporary credential overrides.
do_coredump() and sys_faccessat() now prepare their own credentials and
temporarily override the ones currently on the acting thread, whilst
preventing interference from other threads by holding cred_replace_mutex
on the thread being dumped.
This will be replaced in a future patch by something that hands down the
credentials directly to the functions being called, rather than altering
the task's objective credentials.
(3) LSM interface.
A number of functions have been changed, added or removed:
(*) security_capset_check(), ->capset_check()
(*) security_capset_set(), ->capset_set()
Removed in favour of security_capset().
(*) security_capset(), ->capset()
New. This is passed a pointer to the new creds, a pointer to the old
creds and the proposed capability sets. It should fill in the new
creds or return an error. All pointers, barring the pointer to the
new creds, are now const.
(*) security_bprm_apply_creds(), ->bprm_apply_creds()
Changed; now returns a value, which will cause the process to be
killed if it's an error.
(*) security_task_alloc(), ->task_alloc_security()
Removed in favour of security_prepare_creds().
(*) security_cred_free(), ->cred_free()
New. Free security data attached to cred->security.
(*) security_prepare_creds(), ->cred_prepare()
New. Duplicate any security data attached to cred->security.
(*) security_commit_creds(), ->cred_commit()
New. Apply any security effects for the upcoming installation of new
security by commit_creds().
(*) security_task_post_setuid(), ->task_post_setuid()
Removed in favour of security_task_fix_setuid().
(*) security_task_fix_setuid(), ->task_fix_setuid()
Fix up the proposed new credentials for setuid(). This is used by
cap_set_fix_setuid() to implicitly adjust capabilities in line with
setuid() changes. Changes are made to the new credentials, rather
than the task itself as in security_task_post_setuid().
(*) security_task_reparent_to_init(), ->task_reparent_to_init()
Removed. Instead the task being reparented to init is referred
directly to init's credentials.
NOTE! This results in the loss of some state: SELinux's osid no
longer records the sid of the thread that forked it.
(*) security_key_alloc(), ->key_alloc()
(*) security_key_permission(), ->key_permission()
Changed. These now take cred pointers rather than task pointers to
refer to the security context.
(4) sys_capset().
This has been simplified and uses less locking. The LSM functions it
calls have been merged.
(5) reparent_to_kthreadd().
This gives the current thread the same credentials as init by simply using
commit_thread() to point that way.
(6) __sigqueue_alloc() and switch_uid()
__sigqueue_alloc() can't stop the target task from changing its creds
beneath it, so this function gets a reference to the currently applicable
user_struct which it then passes into the sigqueue struct it returns if
successful.
switch_uid() is now called from commit_creds(), and possibly should be
folded into that. commit_creds() should take care of protecting
__sigqueue_alloc().
(7) [sg]et[ug]id() and co and [sg]et_current_groups.
The set functions now all use prepare_creds(), commit_creds() and
abort_creds() to build and check a new set of credentials before applying
it.
security_task_set[ug]id() is called inside the prepared section. This
guarantees that nothing else will affect the creds until we've finished.
The calling of set_dumpable() has been moved into commit_creds().
Much of the functionality of set_user() has been moved into
commit_creds().
The get functions all simply access the data directly.
(8) security_task_prctl() and cap_task_prctl().
security_task_prctl() has been modified to return -ENOSYS if it doesn't
want to handle a function, or otherwise return the return value directly
rather than through an argument.
Additionally, cap_task_prctl() now prepares a new set of credentials, even
if it doesn't end up using it.
(9) Keyrings.
A number of changes have been made to the keyrings code:
(a) switch_uid_keyring(), copy_keys(), exit_keys() and suid_keys() have
all been dropped and built in to the credentials functions directly.
They may want separating out again later.
(b) key_alloc() and search_process_keyrings() now take a cred pointer
rather than a task pointer to specify the security context.
(c) copy_creds() gives a new thread within the same thread group a new
thread keyring if its parent had one, otherwise it discards the thread
keyring.
(d) The authorisation key now points directly to the credentials to extend
the search into rather pointing to the task that carries them.
(e) Installing thread, process or session keyrings causes a new set of
credentials to be created, even though it's not strictly necessary for
process or session keyrings (they're shared).
(10) Usermode helper.
The usermode helper code now carries a cred struct pointer in its
subprocess_info struct instead of a new session keyring pointer. This set
of credentials is derived from init_cred and installed on the new process
after it has been cloned.
call_usermodehelper_setup() allocates the new credentials and
call_usermodehelper_freeinfo() discards them if they haven't been used. A
special cred function (prepare_usermodeinfo_creds()) is provided
specifically for call_usermodehelper_setup() to call.
call_usermodehelper_setkeys() adjusts the credentials to sport the
supplied keyring as the new session keyring.
(11) SELinux.
SELinux has a number of changes, in addition to those to support the LSM
interface changes mentioned above:
(a) selinux_setprocattr() no longer does its check for whether the
current ptracer can access processes with the new SID inside the lock
that covers getting the ptracer's SID. Whilst this lock ensures that
the check is done with the ptracer pinned, the result is only valid
until the lock is released, so there's no point doing it inside the
lock.
(12) is_single_threaded().
This function has been extracted from selinux_setprocattr() and put into
a file of its own in the lib/ directory as join_session_keyring() now
wants to use it too.
The code in SELinux just checked to see whether a task shared mm_structs
with other tasks (CLONE_VM), but that isn't good enough. We really want
to know if they're part of the same thread group (CLONE_THREAD).
(13) nfsd.
The NFS server daemon now has to use the COW credentials to set the
credentials it is going to use. It really needs to pass the credentials
down to the functions it calls, but it can't do that until other patches
in this series have been applied.
Signed-off-by: David Howells <dhowells@redhat.com>
Acked-by: James Morris <jmorris@namei.org>
Signed-off-by: James Morris <jmorris@namei.org>
2008-11-14 00:39:23 +01:00
|
|
|
override_cred = prepare_creds();
|
|
|
|
|
if (!override_cred)
|
|
|
|
|
return -ENOMEM;
|
2005-04-17 00:20:36 +02:00
|
|
|
|
CRED: Inaugurate COW credentials
Inaugurate copy-on-write credentials management. This uses RCU to manage the
credentials pointer in the task_struct with respect to accesses by other tasks.
A process may only modify its own credentials, and so does not need locking to
access or modify its own credentials.
A mutex (cred_replace_mutex) is added to the task_struct to control the effect
of PTRACE_ATTACHED on credential calculations, particularly with respect to
execve().
With this patch, the contents of an active credentials struct may not be
changed directly; rather a new set of credentials must be prepared, modified
and committed using something like the following sequence of events:
struct cred *new = prepare_creds();
int ret = blah(new);
if (ret < 0) {
abort_creds(new);
return ret;
}
return commit_creds(new);
There are some exceptions to this rule: the keyrings pointed to by the active
credentials may be instantiated - keyrings violate the COW rule as managing
COW keyrings is tricky, given that it is possible for a task to directly alter
the keys in a keyring in use by another task.
To help enforce this, various pointers to sets of credentials, such as those in
the task_struct, are declared const. The purpose of this is compile-time
discouragement of altering credentials through those pointers. Once a set of
credentials has been made public through one of these pointers, it may not be
modified, except under special circumstances:
(1) Its reference count may incremented and decremented.
(2) The keyrings to which it points may be modified, but not replaced.
The only safe way to modify anything else is to create a replacement and commit
using the functions described in Documentation/credentials.txt (which will be
added by a later patch).
This patch and the preceding patches have been tested with the LTP SELinux
testsuite.
This patch makes several logical sets of alteration:
(1) execve().
This now prepares and commits credentials in various places in the
security code rather than altering the current creds directly.
(2) Temporary credential overrides.
do_coredump() and sys_faccessat() now prepare their own credentials and
temporarily override the ones currently on the acting thread, whilst
preventing interference from other threads by holding cred_replace_mutex
on the thread being dumped.
This will be replaced in a future patch by something that hands down the
credentials directly to the functions being called, rather than altering
the task's objective credentials.
(3) LSM interface.
A number of functions have been changed, added or removed:
(*) security_capset_check(), ->capset_check()
(*) security_capset_set(), ->capset_set()
Removed in favour of security_capset().
(*) security_capset(), ->capset()
New. This is passed a pointer to the new creds, a pointer to the old
creds and the proposed capability sets. It should fill in the new
creds or return an error. All pointers, barring the pointer to the
new creds, are now const.
(*) security_bprm_apply_creds(), ->bprm_apply_creds()
Changed; now returns a value, which will cause the process to be
killed if it's an error.
(*) security_task_alloc(), ->task_alloc_security()
Removed in favour of security_prepare_creds().
(*) security_cred_free(), ->cred_free()
New. Free security data attached to cred->security.
(*) security_prepare_creds(), ->cred_prepare()
New. Duplicate any security data attached to cred->security.
(*) security_commit_creds(), ->cred_commit()
New. Apply any security effects for the upcoming installation of new
security by commit_creds().
(*) security_task_post_setuid(), ->task_post_setuid()
Removed in favour of security_task_fix_setuid().
(*) security_task_fix_setuid(), ->task_fix_setuid()
Fix up the proposed new credentials for setuid(). This is used by
cap_set_fix_setuid() to implicitly adjust capabilities in line with
setuid() changes. Changes are made to the new credentials, rather
than the task itself as in security_task_post_setuid().
(*) security_task_reparent_to_init(), ->task_reparent_to_init()
Removed. Instead the task being reparented to init is referred
directly to init's credentials.
NOTE! This results in the loss of some state: SELinux's osid no
longer records the sid of the thread that forked it.
(*) security_key_alloc(), ->key_alloc()
(*) security_key_permission(), ->key_permission()
Changed. These now take cred pointers rather than task pointers to
refer to the security context.
(4) sys_capset().
This has been simplified and uses less locking. The LSM functions it
calls have been merged.
(5) reparent_to_kthreadd().
This gives the current thread the same credentials as init by simply using
commit_thread() to point that way.
(6) __sigqueue_alloc() and switch_uid()
__sigqueue_alloc() can't stop the target task from changing its creds
beneath it, so this function gets a reference to the currently applicable
user_struct which it then passes into the sigqueue struct it returns if
successful.
switch_uid() is now called from commit_creds(), and possibly should be
folded into that. commit_creds() should take care of protecting
__sigqueue_alloc().
(7) [sg]et[ug]id() and co and [sg]et_current_groups.
The set functions now all use prepare_creds(), commit_creds() and
abort_creds() to build and check a new set of credentials before applying
it.
security_task_set[ug]id() is called inside the prepared section. This
guarantees that nothing else will affect the creds until we've finished.
The calling of set_dumpable() has been moved into commit_creds().
Much of the functionality of set_user() has been moved into
commit_creds().
The get functions all simply access the data directly.
(8) security_task_prctl() and cap_task_prctl().
security_task_prctl() has been modified to return -ENOSYS if it doesn't
want to handle a function, or otherwise return the return value directly
rather than through an argument.
Additionally, cap_task_prctl() now prepares a new set of credentials, even
if it doesn't end up using it.
(9) Keyrings.
A number of changes have been made to the keyrings code:
(a) switch_uid_keyring(), copy_keys(), exit_keys() and suid_keys() have
all been dropped and built in to the credentials functions directly.
They may want separating out again later.
(b) key_alloc() and search_process_keyrings() now take a cred pointer
rather than a task pointer to specify the security context.
(c) copy_creds() gives a new thread within the same thread group a new
thread keyring if its parent had one, otherwise it discards the thread
keyring.
(d) The authorisation key now points directly to the credentials to extend
the search into rather pointing to the task that carries them.
(e) Installing thread, process or session keyrings causes a new set of
credentials to be created, even though it's not strictly necessary for
process or session keyrings (they're shared).
(10) Usermode helper.
The usermode helper code now carries a cred struct pointer in its
subprocess_info struct instead of a new session keyring pointer. This set
of credentials is derived from init_cred and installed on the new process
after it has been cloned.
call_usermodehelper_setup() allocates the new credentials and
call_usermodehelper_freeinfo() discards them if they haven't been used. A
special cred function (prepare_usermodeinfo_creds()) is provided
specifically for call_usermodehelper_setup() to call.
call_usermodehelper_setkeys() adjusts the credentials to sport the
supplied keyring as the new session keyring.
(11) SELinux.
SELinux has a number of changes, in addition to those to support the LSM
interface changes mentioned above:
(a) selinux_setprocattr() no longer does its check for whether the
current ptracer can access processes with the new SID inside the lock
that covers getting the ptracer's SID. Whilst this lock ensures that
the check is done with the ptracer pinned, the result is only valid
until the lock is released, so there's no point doing it inside the
lock.
(12) is_single_threaded().
This function has been extracted from selinux_setprocattr() and put into
a file of its own in the lib/ directory as join_session_keyring() now
wants to use it too.
The code in SELinux just checked to see whether a task shared mm_structs
with other tasks (CLONE_VM), but that isn't good enough. We really want
to know if they're part of the same thread group (CLONE_THREAD).
(13) nfsd.
The NFS server daemon now has to use the COW credentials to set the
credentials it is going to use. It really needs to pass the credentials
down to the functions it calls, but it can't do that until other patches
in this series have been applied.
Signed-off-by: David Howells <dhowells@redhat.com>
Acked-by: James Morris <jmorris@namei.org>
Signed-off-by: James Morris <jmorris@namei.org>
2008-11-14 00:39:23 +01:00
|
|
|
override_cred->fsuid = override_cred->uid;
|
|
|
|
|
override_cred->fsgid = override_cred->gid;
|
2005-04-17 00:20:36 +02:00
|
|
|
|
2008-07-04 18:59:58 +02:00
|
|
|
if (!issecure(SECURE_NO_SETUID_FIXUP)) {
|
2008-11-14 00:39:14 +01:00
|
|
|
/* Clear the capabilities if we switch to a non-root user */
|
2012-02-08 01:45:47 +01:00
|
|
|
kuid_t root_uid = make_kuid(override_cred->user_ns, 0);
|
|
|
|
|
if (!uid_eq(override_cred->uid, root_uid))
|
CRED: Inaugurate COW credentials
Inaugurate copy-on-write credentials management. This uses RCU to manage the
credentials pointer in the task_struct with respect to accesses by other tasks.
A process may only modify its own credentials, and so does not need locking to
access or modify its own credentials.
A mutex (cred_replace_mutex) is added to the task_struct to control the effect
of PTRACE_ATTACHED on credential calculations, particularly with respect to
execve().
With this patch, the contents of an active credentials struct may not be
changed directly; rather a new set of credentials must be prepared, modified
and committed using something like the following sequence of events:
struct cred *new = prepare_creds();
int ret = blah(new);
if (ret < 0) {
abort_creds(new);
return ret;
}
return commit_creds(new);
There are some exceptions to this rule: the keyrings pointed to by the active
credentials may be instantiated - keyrings violate the COW rule as managing
COW keyrings is tricky, given that it is possible for a task to directly alter
the keys in a keyring in use by another task.
To help enforce this, various pointers to sets of credentials, such as those in
the task_struct, are declared const. The purpose of this is compile-time
discouragement of altering credentials through those pointers. Once a set of
credentials has been made public through one of these pointers, it may not be
modified, except under special circumstances:
(1) Its reference count may incremented and decremented.
(2) The keyrings to which it points may be modified, but not replaced.
The only safe way to modify anything else is to create a replacement and commit
using the functions described in Documentation/credentials.txt (which will be
added by a later patch).
This patch and the preceding patches have been tested with the LTP SELinux
testsuite.
This patch makes several logical sets of alteration:
(1) execve().
This now prepares and commits credentials in various places in the
security code rather than altering the current creds directly.
(2) Temporary credential overrides.
do_coredump() and sys_faccessat() now prepare their own credentials and
temporarily override the ones currently on the acting thread, whilst
preventing interference from other threads by holding cred_replace_mutex
on the thread being dumped.
This will be replaced in a future patch by something that hands down the
credentials directly to the functions being called, rather than altering
the task's objective credentials.
(3) LSM interface.
A number of functions have been changed, added or removed:
(*) security_capset_check(), ->capset_check()
(*) security_capset_set(), ->capset_set()
Removed in favour of security_capset().
(*) security_capset(), ->capset()
New. This is passed a pointer to the new creds, a pointer to the old
creds and the proposed capability sets. It should fill in the new
creds or return an error. All pointers, barring the pointer to the
new creds, are now const.
(*) security_bprm_apply_creds(), ->bprm_apply_creds()
Changed; now returns a value, which will cause the process to be
killed if it's an error.
(*) security_task_alloc(), ->task_alloc_security()
Removed in favour of security_prepare_creds().
(*) security_cred_free(), ->cred_free()
New. Free security data attached to cred->security.
(*) security_prepare_creds(), ->cred_prepare()
New. Duplicate any security data attached to cred->security.
(*) security_commit_creds(), ->cred_commit()
New. Apply any security effects for the upcoming installation of new
security by commit_creds().
(*) security_task_post_setuid(), ->task_post_setuid()
Removed in favour of security_task_fix_setuid().
(*) security_task_fix_setuid(), ->task_fix_setuid()
Fix up the proposed new credentials for setuid(). This is used by
cap_set_fix_setuid() to implicitly adjust capabilities in line with
setuid() changes. Changes are made to the new credentials, rather
than the task itself as in security_task_post_setuid().
(*) security_task_reparent_to_init(), ->task_reparent_to_init()
Removed. Instead the task being reparented to init is referred
directly to init's credentials.
NOTE! This results in the loss of some state: SELinux's osid no
longer records the sid of the thread that forked it.
(*) security_key_alloc(), ->key_alloc()
(*) security_key_permission(), ->key_permission()
Changed. These now take cred pointers rather than task pointers to
refer to the security context.
(4) sys_capset().
This has been simplified and uses less locking. The LSM functions it
calls have been merged.
(5) reparent_to_kthreadd().
This gives the current thread the same credentials as init by simply using
commit_thread() to point that way.
(6) __sigqueue_alloc() and switch_uid()
__sigqueue_alloc() can't stop the target task from changing its creds
beneath it, so this function gets a reference to the currently applicable
user_struct which it then passes into the sigqueue struct it returns if
successful.
switch_uid() is now called from commit_creds(), and possibly should be
folded into that. commit_creds() should take care of protecting
__sigqueue_alloc().
(7) [sg]et[ug]id() and co and [sg]et_current_groups.
The set functions now all use prepare_creds(), commit_creds() and
abort_creds() to build and check a new set of credentials before applying
it.
security_task_set[ug]id() is called inside the prepared section. This
guarantees that nothing else will affect the creds until we've finished.
The calling of set_dumpable() has been moved into commit_creds().
Much of the functionality of set_user() has been moved into
commit_creds().
The get functions all simply access the data directly.
(8) security_task_prctl() and cap_task_prctl().
security_task_prctl() has been modified to return -ENOSYS if it doesn't
want to handle a function, or otherwise return the return value directly
rather than through an argument.
Additionally, cap_task_prctl() now prepares a new set of credentials, even
if it doesn't end up using it.
(9) Keyrings.
A number of changes have been made to the keyrings code:
(a) switch_uid_keyring(), copy_keys(), exit_keys() and suid_keys() have
all been dropped and built in to the credentials functions directly.
They may want separating out again later.
(b) key_alloc() and search_process_keyrings() now take a cred pointer
rather than a task pointer to specify the security context.
(c) copy_creds() gives a new thread within the same thread group a new
thread keyring if its parent had one, otherwise it discards the thread
keyring.
(d) The authorisation key now points directly to the credentials to extend
the search into rather pointing to the task that carries them.
(e) Installing thread, process or session keyrings causes a new set of
credentials to be created, even though it's not strictly necessary for
process or session keyrings (they're shared).
(10) Usermode helper.
The usermode helper code now carries a cred struct pointer in its
subprocess_info struct instead of a new session keyring pointer. This set
of credentials is derived from init_cred and installed on the new process
after it has been cloned.
call_usermodehelper_setup() allocates the new credentials and
call_usermodehelper_freeinfo() discards them if they haven't been used. A
special cred function (prepare_usermodeinfo_creds()) is provided
specifically for call_usermodehelper_setup() to call.
call_usermodehelper_setkeys() adjusts the credentials to sport the
supplied keyring as the new session keyring.
(11) SELinux.
SELinux has a number of changes, in addition to those to support the LSM
interface changes mentioned above:
(a) selinux_setprocattr() no longer does its check for whether the
current ptracer can access processes with the new SID inside the lock
that covers getting the ptracer's SID. Whilst this lock ensures that
the check is done with the ptracer pinned, the result is only valid
until the lock is released, so there's no point doing it inside the
lock.
(12) is_single_threaded().
This function has been extracted from selinux_setprocattr() and put into
a file of its own in the lib/ directory as join_session_keyring() now
wants to use it too.
The code in SELinux just checked to see whether a task shared mm_structs
with other tasks (CLONE_VM), but that isn't good enough. We really want
to know if they're part of the same thread group (CLONE_THREAD).
(13) nfsd.
The NFS server daemon now has to use the COW credentials to set the
credentials it is going to use. It really needs to pass the credentials
down to the functions it calls, but it can't do that until other patches
in this series have been applied.
Signed-off-by: David Howells <dhowells@redhat.com>
Acked-by: James Morris <jmorris@namei.org>
Signed-off-by: James Morris <jmorris@namei.org>
2008-11-14 00:39:23 +01:00
|
|
|
cap_clear(override_cred->cap_effective);
|
2008-07-04 18:59:58 +02:00
|
|
|
else
|
CRED: Inaugurate COW credentials
Inaugurate copy-on-write credentials management. This uses RCU to manage the
credentials pointer in the task_struct with respect to accesses by other tasks.
A process may only modify its own credentials, and so does not need locking to
access or modify its own credentials.
A mutex (cred_replace_mutex) is added to the task_struct to control the effect
of PTRACE_ATTACHED on credential calculations, particularly with respect to
execve().
With this patch, the contents of an active credentials struct may not be
changed directly; rather a new set of credentials must be prepared, modified
and committed using something like the following sequence of events:
struct cred *new = prepare_creds();
int ret = blah(new);
if (ret < 0) {
abort_creds(new);
return ret;
}
return commit_creds(new);
There are some exceptions to this rule: the keyrings pointed to by the active
credentials may be instantiated - keyrings violate the COW rule as managing
COW keyrings is tricky, given that it is possible for a task to directly alter
the keys in a keyring in use by another task.
To help enforce this, various pointers to sets of credentials, such as those in
the task_struct, are declared const. The purpose of this is compile-time
discouragement of altering credentials through those pointers. Once a set of
credentials has been made public through one of these pointers, it may not be
modified, except under special circumstances:
(1) Its reference count may incremented and decremented.
(2) The keyrings to which it points may be modified, but not replaced.
The only safe way to modify anything else is to create a replacement and commit
using the functions described in Documentation/credentials.txt (which will be
added by a later patch).
This patch and the preceding patches have been tested with the LTP SELinux
testsuite.
This patch makes several logical sets of alteration:
(1) execve().
This now prepares and commits credentials in various places in the
security code rather than altering the current creds directly.
(2) Temporary credential overrides.
do_coredump() and sys_faccessat() now prepare their own credentials and
temporarily override the ones currently on the acting thread, whilst
preventing interference from other threads by holding cred_replace_mutex
on the thread being dumped.
This will be replaced in a future patch by something that hands down the
credentials directly to the functions being called, rather than altering
the task's objective credentials.
(3) LSM interface.
A number of functions have been changed, added or removed:
(*) security_capset_check(), ->capset_check()
(*) security_capset_set(), ->capset_set()
Removed in favour of security_capset().
(*) security_capset(), ->capset()
New. This is passed a pointer to the new creds, a pointer to the old
creds and the proposed capability sets. It should fill in the new
creds or return an error. All pointers, barring the pointer to the
new creds, are now const.
(*) security_bprm_apply_creds(), ->bprm_apply_creds()
Changed; now returns a value, which will cause the process to be
killed if it's an error.
(*) security_task_alloc(), ->task_alloc_security()
Removed in favour of security_prepare_creds().
(*) security_cred_free(), ->cred_free()
New. Free security data attached to cred->security.
(*) security_prepare_creds(), ->cred_prepare()
New. Duplicate any security data attached to cred->security.
(*) security_commit_creds(), ->cred_commit()
New. Apply any security effects for the upcoming installation of new
security by commit_creds().
(*) security_task_post_setuid(), ->task_post_setuid()
Removed in favour of security_task_fix_setuid().
(*) security_task_fix_setuid(), ->task_fix_setuid()
Fix up the proposed new credentials for setuid(). This is used by
cap_set_fix_setuid() to implicitly adjust capabilities in line with
setuid() changes. Changes are made to the new credentials, rather
than the task itself as in security_task_post_setuid().
(*) security_task_reparent_to_init(), ->task_reparent_to_init()
Removed. Instead the task being reparented to init is referred
directly to init's credentials.
NOTE! This results in the loss of some state: SELinux's osid no
longer records the sid of the thread that forked it.
(*) security_key_alloc(), ->key_alloc()
(*) security_key_permission(), ->key_permission()
Changed. These now take cred pointers rather than task pointers to
refer to the security context.
(4) sys_capset().
This has been simplified and uses less locking. The LSM functions it
calls have been merged.
(5) reparent_to_kthreadd().
This gives the current thread the same credentials as init by simply using
commit_thread() to point that way.
(6) __sigqueue_alloc() and switch_uid()
__sigqueue_alloc() can't stop the target task from changing its creds
beneath it, so this function gets a reference to the currently applicable
user_struct which it then passes into the sigqueue struct it returns if
successful.
switch_uid() is now called from commit_creds(), and possibly should be
folded into that. commit_creds() should take care of protecting
__sigqueue_alloc().
(7) [sg]et[ug]id() and co and [sg]et_current_groups.
The set functions now all use prepare_creds(), commit_creds() and
abort_creds() to build and check a new set of credentials before applying
it.
security_task_set[ug]id() is called inside the prepared section. This
guarantees that nothing else will affect the creds until we've finished.
The calling of set_dumpable() has been moved into commit_creds().
Much of the functionality of set_user() has been moved into
commit_creds().
The get functions all simply access the data directly.
(8) security_task_prctl() and cap_task_prctl().
security_task_prctl() has been modified to return -ENOSYS if it doesn't
want to handle a function, or otherwise return the return value directly
rather than through an argument.
Additionally, cap_task_prctl() now prepares a new set of credentials, even
if it doesn't end up using it.
(9) Keyrings.
A number of changes have been made to the keyrings code:
(a) switch_uid_keyring(), copy_keys(), exit_keys() and suid_keys() have
all been dropped and built in to the credentials functions directly.
They may want separating out again later.
(b) key_alloc() and search_process_keyrings() now take a cred pointer
rather than a task pointer to specify the security context.
(c) copy_creds() gives a new thread within the same thread group a new
thread keyring if its parent had one, otherwise it discards the thread
keyring.
(d) The authorisation key now points directly to the credentials to extend
the search into rather pointing to the task that carries them.
(e) Installing thread, process or session keyrings causes a new set of
credentials to be created, even though it's not strictly necessary for
process or session keyrings (they're shared).
(10) Usermode helper.
The usermode helper code now carries a cred struct pointer in its
subprocess_info struct instead of a new session keyring pointer. This set
of credentials is derived from init_cred and installed on the new process
after it has been cloned.
call_usermodehelper_setup() allocates the new credentials and
call_usermodehelper_freeinfo() discards them if they haven't been used. A
special cred function (prepare_usermodeinfo_creds()) is provided
specifically for call_usermodehelper_setup() to call.
call_usermodehelper_setkeys() adjusts the credentials to sport the
supplied keyring as the new session keyring.
(11) SELinux.
SELinux has a number of changes, in addition to those to support the LSM
interface changes mentioned above:
(a) selinux_setprocattr() no longer does its check for whether the
current ptracer can access processes with the new SID inside the lock
that covers getting the ptracer's SID. Whilst this lock ensures that
the check is done with the ptracer pinned, the result is only valid
until the lock is released, so there's no point doing it inside the
lock.
(12) is_single_threaded().
This function has been extracted from selinux_setprocattr() and put into
a file of its own in the lib/ directory as join_session_keyring() now
wants to use it too.
The code in SELinux just checked to see whether a task shared mm_structs
with other tasks (CLONE_VM), but that isn't good enough. We really want
to know if they're part of the same thread group (CLONE_THREAD).
(13) nfsd.
The NFS server daemon now has to use the COW credentials to set the
credentials it is going to use. It really needs to pass the credentials
down to the functions it calls, but it can't do that until other patches
in this series have been applied.
Signed-off-by: David Howells <dhowells@redhat.com>
Acked-by: James Morris <jmorris@namei.org>
Signed-off-by: James Morris <jmorris@namei.org>
2008-11-14 00:39:23 +01:00
|
|
|
override_cred->cap_effective =
|
|
|
|
|
override_cred->cap_permitted;
|
2008-07-04 18:59:58 +02:00
|
|
|
}
|
2005-04-17 00:20:36 +02:00
|
|
|
|
CRED: Inaugurate COW credentials
Inaugurate copy-on-write credentials management. This uses RCU to manage the
credentials pointer in the task_struct with respect to accesses by other tasks.
A process may only modify its own credentials, and so does not need locking to
access or modify its own credentials.
A mutex (cred_replace_mutex) is added to the task_struct to control the effect
of PTRACE_ATTACHED on credential calculations, particularly with respect to
execve().
With this patch, the contents of an active credentials struct may not be
changed directly; rather a new set of credentials must be prepared, modified
and committed using something like the following sequence of events:
struct cred *new = prepare_creds();
int ret = blah(new);
if (ret < 0) {
abort_creds(new);
return ret;
}
return commit_creds(new);
There are some exceptions to this rule: the keyrings pointed to by the active
credentials may be instantiated - keyrings violate the COW rule as managing
COW keyrings is tricky, given that it is possible for a task to directly alter
the keys in a keyring in use by another task.
To help enforce this, various pointers to sets of credentials, such as those in
the task_struct, are declared const. The purpose of this is compile-time
discouragement of altering credentials through those pointers. Once a set of
credentials has been made public through one of these pointers, it may not be
modified, except under special circumstances:
(1) Its reference count may incremented and decremented.
(2) The keyrings to which it points may be modified, but not replaced.
The only safe way to modify anything else is to create a replacement and commit
using the functions described in Documentation/credentials.txt (which will be
added by a later patch).
This patch and the preceding patches have been tested with the LTP SELinux
testsuite.
This patch makes several logical sets of alteration:
(1) execve().
This now prepares and commits credentials in various places in the
security code rather than altering the current creds directly.
(2) Temporary credential overrides.
do_coredump() and sys_faccessat() now prepare their own credentials and
temporarily override the ones currently on the acting thread, whilst
preventing interference from other threads by holding cred_replace_mutex
on the thread being dumped.
This will be replaced in a future patch by something that hands down the
credentials directly to the functions being called, rather than altering
the task's objective credentials.
(3) LSM interface.
A number of functions have been changed, added or removed:
(*) security_capset_check(), ->capset_check()
(*) security_capset_set(), ->capset_set()
Removed in favour of security_capset().
(*) security_capset(), ->capset()
New. This is passed a pointer to the new creds, a pointer to the old
creds and the proposed capability sets. It should fill in the new
creds or return an error. All pointers, barring the pointer to the
new creds, are now const.
(*) security_bprm_apply_creds(), ->bprm_apply_creds()
Changed; now returns a value, which will cause the process to be
killed if it's an error.
(*) security_task_alloc(), ->task_alloc_security()
Removed in favour of security_prepare_creds().
(*) security_cred_free(), ->cred_free()
New. Free security data attached to cred->security.
(*) security_prepare_creds(), ->cred_prepare()
New. Duplicate any security data attached to cred->security.
(*) security_commit_creds(), ->cred_commit()
New. Apply any security effects for the upcoming installation of new
security by commit_creds().
(*) security_task_post_setuid(), ->task_post_setuid()
Removed in favour of security_task_fix_setuid().
(*) security_task_fix_setuid(), ->task_fix_setuid()
Fix up the proposed new credentials for setuid(). This is used by
cap_set_fix_setuid() to implicitly adjust capabilities in line with
setuid() changes. Changes are made to the new credentials, rather
than the task itself as in security_task_post_setuid().
(*) security_task_reparent_to_init(), ->task_reparent_to_init()
Removed. Instead the task being reparented to init is referred
directly to init's credentials.
NOTE! This results in the loss of some state: SELinux's osid no
longer records the sid of the thread that forked it.
(*) security_key_alloc(), ->key_alloc()
(*) security_key_permission(), ->key_permission()
Changed. These now take cred pointers rather than task pointers to
refer to the security context.
(4) sys_capset().
This has been simplified and uses less locking. The LSM functions it
calls have been merged.
(5) reparent_to_kthreadd().
This gives the current thread the same credentials as init by simply using
commit_thread() to point that way.
(6) __sigqueue_alloc() and switch_uid()
__sigqueue_alloc() can't stop the target task from changing its creds
beneath it, so this function gets a reference to the currently applicable
user_struct which it then passes into the sigqueue struct it returns if
successful.
switch_uid() is now called from commit_creds(), and possibly should be
folded into that. commit_creds() should take care of protecting
__sigqueue_alloc().
(7) [sg]et[ug]id() and co and [sg]et_current_groups.
The set functions now all use prepare_creds(), commit_creds() and
abort_creds() to build and check a new set of credentials before applying
it.
security_task_set[ug]id() is called inside the prepared section. This
guarantees that nothing else will affect the creds until we've finished.
The calling of set_dumpable() has been moved into commit_creds().
Much of the functionality of set_user() has been moved into
commit_creds().
The get functions all simply access the data directly.
(8) security_task_prctl() and cap_task_prctl().
security_task_prctl() has been modified to return -ENOSYS if it doesn't
want to handle a function, or otherwise return the return value directly
rather than through an argument.
Additionally, cap_task_prctl() now prepares a new set of credentials, even
if it doesn't end up using it.
(9) Keyrings.
A number of changes have been made to the keyrings code:
(a) switch_uid_keyring(), copy_keys(), exit_keys() and suid_keys() have
all been dropped and built in to the credentials functions directly.
They may want separating out again later.
(b) key_alloc() and search_process_keyrings() now take a cred pointer
rather than a task pointer to specify the security context.
(c) copy_creds() gives a new thread within the same thread group a new
thread keyring if its parent had one, otherwise it discards the thread
keyring.
(d) The authorisation key now points directly to the credentials to extend
the search into rather pointing to the task that carries them.
(e) Installing thread, process or session keyrings causes a new set of
credentials to be created, even though it's not strictly necessary for
process or session keyrings (they're shared).
(10) Usermode helper.
The usermode helper code now carries a cred struct pointer in its
subprocess_info struct instead of a new session keyring pointer. This set
of credentials is derived from init_cred and installed on the new process
after it has been cloned.
call_usermodehelper_setup() allocates the new credentials and
call_usermodehelper_freeinfo() discards them if they haven't been used. A
special cred function (prepare_usermodeinfo_creds()) is provided
specifically for call_usermodehelper_setup() to call.
call_usermodehelper_setkeys() adjusts the credentials to sport the
supplied keyring as the new session keyring.
(11) SELinux.
SELinux has a number of changes, in addition to those to support the LSM
interface changes mentioned above:
(a) selinux_setprocattr() no longer does its check for whether the
current ptracer can access processes with the new SID inside the lock
that covers getting the ptracer's SID. Whilst this lock ensures that
the check is done with the ptracer pinned, the result is only valid
until the lock is released, so there's no point doing it inside the
lock.
(12) is_single_threaded().
This function has been extracted from selinux_setprocattr() and put into
a file of its own in the lib/ directory as join_session_keyring() now
wants to use it too.
The code in SELinux just checked to see whether a task shared mm_structs
with other tasks (CLONE_VM), but that isn't good enough. We really want
to know if they're part of the same thread group (CLONE_THREAD).
(13) nfsd.
The NFS server daemon now has to use the COW credentials to set the
credentials it is going to use. It really needs to pass the credentials
down to the functions it calls, but it can't do that until other patches
in this series have been applied.
Signed-off-by: David Howells <dhowells@redhat.com>
Acked-by: James Morris <jmorris@namei.org>
Signed-off-by: James Morris <jmorris@namei.org>
2008-11-14 00:39:23 +01:00
|
|
|
old_cred = override_creds(override_cred);
|
2012-12-11 18:10:11 +01:00
|
|
|
retry:
|
|
|
|
|
res = user_path_at(dfd, filename, lookup_flags, &path);
|
2006-10-01 08:29:01 +02:00
|
|
|
if (res)
|
|
|
|
|
goto out;
|
|
|
|
|
|
2008-07-22 15:59:21 +02:00
|
|
|
inode = path.dentry->d_inode;
|
2008-07-22 14:09:30 +02:00
|
|
|
|
|
|
|
|
if ((mode & MAY_EXEC) && S_ISREG(inode->i_mode)) {
|
2008-07-22 06:02:33 +02:00
|
|
|
/*
|
|
|
|
|
* MAY_EXEC on regular files is denied if the fs is mounted
|
|
|
|
|
* with the "noexec" flag.
|
|
|
|
|
*/
|
|
|
|
|
res = -EACCES;
|
2008-07-22 15:59:21 +02:00
|
|
|
if (path.mnt->mnt_flags & MNT_NOEXEC)
|
2008-07-22 06:02:33 +02:00
|
|
|
goto out_path_release;
|
|
|
|
|
}
|
|
|
|
|
|
2008-07-22 14:09:30 +02:00
|
|
|
res = inode_permission(inode, mode | MAY_ACCESS);
|
2006-10-01 08:29:01 +02:00
|
|
|
/* SuS v2 requires we report a read only fs too */
|
2008-07-22 14:09:30 +02:00
|
|
|
if (res || !(mode & S_IWOTH) || special_file(inode->i_mode))
|
2006-10-01 08:29:01 +02:00
|
|
|
goto out_path_release;
|
2008-02-15 23:37:55 +01:00
|
|
|
/*
|
|
|
|
|
* This is a rare case where using __mnt_is_readonly()
|
|
|
|
|
* is OK without a mnt_want/drop_write() pair. Since
|
|
|
|
|
* no actual write to the fs is performed here, we do
|
|
|
|
|
* not need to telegraph to that to anyone.
|
|
|
|
|
*
|
|
|
|
|
* By doing this, we accept that this access is
|
|
|
|
|
* inherently racy and know that the fs may change
|
|
|
|
|
* state before we even see this result.
|
|
|
|
|
*/
|
2008-07-22 15:59:21 +02:00
|
|
|
if (__mnt_is_readonly(path.mnt))
|
2006-10-01 08:29:01 +02:00
|
|
|
res = -EROFS;
|
2005-04-17 00:20:36 +02:00
|
|
|
|
2006-10-01 08:29:01 +02:00
|
|
|
out_path_release:
|
2008-07-22 15:59:21 +02:00
|
|
|
path_put(&path);
|
2012-12-11 18:10:11 +01:00
|
|
|
if (retry_estale(res, lookup_flags)) {
|
|
|
|
|
lookup_flags |= LOOKUP_REVAL;
|
|
|
|
|
goto retry;
|
|
|
|
|
}
|
2006-10-01 08:29:01 +02:00
|
|
|
out:
|
CRED: Inaugurate COW credentials
Inaugurate copy-on-write credentials management. This uses RCU to manage the
credentials pointer in the task_struct with respect to accesses by other tasks.
A process may only modify its own credentials, and so does not need locking to
access or modify its own credentials.
A mutex (cred_replace_mutex) is added to the task_struct to control the effect
of PTRACE_ATTACHED on credential calculations, particularly with respect to
execve().
With this patch, the contents of an active credentials struct may not be
changed directly; rather a new set of credentials must be prepared, modified
and committed using something like the following sequence of events:
struct cred *new = prepare_creds();
int ret = blah(new);
if (ret < 0) {
abort_creds(new);
return ret;
}
return commit_creds(new);
There are some exceptions to this rule: the keyrings pointed to by the active
credentials may be instantiated - keyrings violate the COW rule as managing
COW keyrings is tricky, given that it is possible for a task to directly alter
the keys in a keyring in use by another task.
To help enforce this, various pointers to sets of credentials, such as those in
the task_struct, are declared const. The purpose of this is compile-time
discouragement of altering credentials through those pointers. Once a set of
credentials has been made public through one of these pointers, it may not be
modified, except under special circumstances:
(1) Its reference count may incremented and decremented.
(2) The keyrings to which it points may be modified, but not replaced.
The only safe way to modify anything else is to create a replacement and commit
using the functions described in Documentation/credentials.txt (which will be
added by a later patch).
This patch and the preceding patches have been tested with the LTP SELinux
testsuite.
This patch makes several logical sets of alteration:
(1) execve().
This now prepares and commits credentials in various places in the
security code rather than altering the current creds directly.
(2) Temporary credential overrides.
do_coredump() and sys_faccessat() now prepare their own credentials and
temporarily override the ones currently on the acting thread, whilst
preventing interference from other threads by holding cred_replace_mutex
on the thread being dumped.
This will be replaced in a future patch by something that hands down the
credentials directly to the functions being called, rather than altering
the task's objective credentials.
(3) LSM interface.
A number of functions have been changed, added or removed:
(*) security_capset_check(), ->capset_check()
(*) security_capset_set(), ->capset_set()
Removed in favour of security_capset().
(*) security_capset(), ->capset()
New. This is passed a pointer to the new creds, a pointer to the old
creds and the proposed capability sets. It should fill in the new
creds or return an error. All pointers, barring the pointer to the
new creds, are now const.
(*) security_bprm_apply_creds(), ->bprm_apply_creds()
Changed; now returns a value, which will cause the process to be
killed if it's an error.
(*) security_task_alloc(), ->task_alloc_security()
Removed in favour of security_prepare_creds().
(*) security_cred_free(), ->cred_free()
New. Free security data attached to cred->security.
(*) security_prepare_creds(), ->cred_prepare()
New. Duplicate any security data attached to cred->security.
(*) security_commit_creds(), ->cred_commit()
New. Apply any security effects for the upcoming installation of new
security by commit_creds().
(*) security_task_post_setuid(), ->task_post_setuid()
Removed in favour of security_task_fix_setuid().
(*) security_task_fix_setuid(), ->task_fix_setuid()
Fix up the proposed new credentials for setuid(). This is used by
cap_set_fix_setuid() to implicitly adjust capabilities in line with
setuid() changes. Changes are made to the new credentials, rather
than the task itself as in security_task_post_setuid().
(*) security_task_reparent_to_init(), ->task_reparent_to_init()
Removed. Instead the task being reparented to init is referred
directly to init's credentials.
NOTE! This results in the loss of some state: SELinux's osid no
longer records the sid of the thread that forked it.
(*) security_key_alloc(), ->key_alloc()
(*) security_key_permission(), ->key_permission()
Changed. These now take cred pointers rather than task pointers to
refer to the security context.
(4) sys_capset().
This has been simplified and uses less locking. The LSM functions it
calls have been merged.
(5) reparent_to_kthreadd().
This gives the current thread the same credentials as init by simply using
commit_thread() to point that way.
(6) __sigqueue_alloc() and switch_uid()
__sigqueue_alloc() can't stop the target task from changing its creds
beneath it, so this function gets a reference to the currently applicable
user_struct which it then passes into the sigqueue struct it returns if
successful.
switch_uid() is now called from commit_creds(), and possibly should be
folded into that. commit_creds() should take care of protecting
__sigqueue_alloc().
(7) [sg]et[ug]id() and co and [sg]et_current_groups.
The set functions now all use prepare_creds(), commit_creds() and
abort_creds() to build and check a new set of credentials before applying
it.
security_task_set[ug]id() is called inside the prepared section. This
guarantees that nothing else will affect the creds until we've finished.
The calling of set_dumpable() has been moved into commit_creds().
Much of the functionality of set_user() has been moved into
commit_creds().
The get functions all simply access the data directly.
(8) security_task_prctl() and cap_task_prctl().
security_task_prctl() has been modified to return -ENOSYS if it doesn't
want to handle a function, or otherwise return the return value directly
rather than through an argument.
Additionally, cap_task_prctl() now prepares a new set of credentials, even
if it doesn't end up using it.
(9) Keyrings.
A number of changes have been made to the keyrings code:
(a) switch_uid_keyring(), copy_keys(), exit_keys() and suid_keys() have
all been dropped and built in to the credentials functions directly.
They may want separating out again later.
(b) key_alloc() and search_process_keyrings() now take a cred pointer
rather than a task pointer to specify the security context.
(c) copy_creds() gives a new thread within the same thread group a new
thread keyring if its parent had one, otherwise it discards the thread
keyring.
(d) The authorisation key now points directly to the credentials to extend
the search into rather pointing to the task that carries them.
(e) Installing thread, process or session keyrings causes a new set of
credentials to be created, even though it's not strictly necessary for
process or session keyrings (they're shared).
(10) Usermode helper.
The usermode helper code now carries a cred struct pointer in its
subprocess_info struct instead of a new session keyring pointer. This set
of credentials is derived from init_cred and installed on the new process
after it has been cloned.
call_usermodehelper_setup() allocates the new credentials and
call_usermodehelper_freeinfo() discards them if they haven't been used. A
special cred function (prepare_usermodeinfo_creds()) is provided
specifically for call_usermodehelper_setup() to call.
call_usermodehelper_setkeys() adjusts the credentials to sport the
supplied keyring as the new session keyring.
(11) SELinux.
SELinux has a number of changes, in addition to those to support the LSM
interface changes mentioned above:
(a) selinux_setprocattr() no longer does its check for whether the
current ptracer can access processes with the new SID inside the lock
that covers getting the ptracer's SID. Whilst this lock ensures that
the check is done with the ptracer pinned, the result is only valid
until the lock is released, so there's no point doing it inside the
lock.
(12) is_single_threaded().
This function has been extracted from selinux_setprocattr() and put into
a file of its own in the lib/ directory as join_session_keyring() now
wants to use it too.
The code in SELinux just checked to see whether a task shared mm_structs
with other tasks (CLONE_VM), but that isn't good enough. We really want
to know if they're part of the same thread group (CLONE_THREAD).
(13) nfsd.
The NFS server daemon now has to use the COW credentials to set the
credentials it is going to use. It really needs to pass the credentials
down to the functions it calls, but it can't do that until other patches
in this series have been applied.
Signed-off-by: David Howells <dhowells@redhat.com>
Acked-by: James Morris <jmorris@namei.org>
Signed-off-by: James Morris <jmorris@namei.org>
2008-11-14 00:39:23 +01:00
|
|
|
revert_creds(old_cred);
|
|
|
|
|
put_cred(override_cred);
|
2005-04-17 00:20:36 +02:00
|
|
|
return res;
|
|
|
|
|
}
|
|
|
|
|
|
2009-01-14 14:14:19 +01:00
|
|
|
SYSCALL_DEFINE2(access, const char __user *, filename, int, mode)
|
2006-01-19 02:43:53 +01:00
|
|
|
{
|
|
|
|
|
return sys_faccessat(AT_FDCWD, filename, mode);
|
|
|
|
|
}
|
|
|
|
|
|
2009-01-14 14:14:22 +01:00
|
|
|
SYSCALL_DEFINE1(chdir, const char __user *, filename)
|
2005-04-17 00:20:36 +02:00
|
|
|
{
|
2008-07-22 15:59:21 +02:00
|
|
|
struct path path;
|
2005-04-17 00:20:36 +02:00
|
|
|
int error;
|
2012-12-11 18:10:12 +01:00
|
|
|
unsigned int lookup_flags = LOOKUP_FOLLOW | LOOKUP_DIRECTORY;
|
|
|
|
|
retry:
|
|
|
|
|
error = user_path_at(AT_FDCWD, filename, lookup_flags, &path);
|
2005-04-17 00:20:36 +02:00
|
|
|
if (error)
|
|
|
|
|
goto out;
|
|
|
|
|
|
2010-07-23 17:43:51 +02:00
|
|
|
error = inode_permission(path.dentry->d_inode, MAY_EXEC | MAY_CHDIR);
|
2005-04-17 00:20:36 +02:00
|
|
|
if (error)
|
|
|
|
|
goto dput_and_out;
|
|
|
|
|
|
2008-07-22 15:59:21 +02:00
|
|
|
set_fs_pwd(current->fs, &path);
|
2005-04-17 00:20:36 +02:00
|
|
|
|
|
|
|
|
dput_and_out:
|
2008-07-22 15:59:21 +02:00
|
|
|
path_put(&path);
|
2012-12-11 18:10:12 +01:00
|
|
|
if (retry_estale(error, lookup_flags)) {
|
|
|
|
|
lookup_flags |= LOOKUP_REVAL;
|
|
|
|
|
goto retry;
|
|
|
|
|
}
|
2005-04-17 00:20:36 +02:00
|
|
|
out:
|
|
|
|
|
return error;
|
|
|
|
|
}
|
|
|
|
|
|
2009-01-14 14:14:22 +01:00
|
|
|
SYSCALL_DEFINE1(fchdir, unsigned int, fd)
|
2005-04-17 00:20:36 +02:00
|
|
|
{
|
2012-08-28 18:52:22 +02:00
|
|
|
struct fd f = fdget_raw(fd);
|
2005-04-17 00:20:36 +02:00
|
|
|
struct inode *inode;
|
2012-08-28 18:52:22 +02:00
|
|
|
int error = -EBADF;
|
2005-04-17 00:20:36 +02:00
|
|
|
|
|
|
|
|
error = -EBADF;
|
2012-08-28 18:52:22 +02:00
|
|
|
if (!f.file)
|
2005-04-17 00:20:36 +02:00
|
|
|
goto out;
|
|
|
|
|
|
2012-08-28 18:52:22 +02:00
|
|
|
inode = f.file->f_path.dentry->d_inode;
|
2005-04-17 00:20:36 +02:00
|
|
|
|
|
|
|
|
error = -ENOTDIR;
|
|
|
|
|
if (!S_ISDIR(inode->i_mode))
|
|
|
|
|
goto out_putf;
|
|
|
|
|
|
2010-07-23 17:43:51 +02:00
|
|
|
error = inode_permission(inode, MAY_EXEC | MAY_CHDIR);
|
2005-04-17 00:20:36 +02:00
|
|
|
if (!error)
|
2012-08-28 18:52:22 +02:00
|
|
|
set_fs_pwd(current->fs, &f.file->f_path);
|
2005-04-17 00:20:36 +02:00
|
|
|
out_putf:
|
2012-08-28 18:52:22 +02:00
|
|
|
fdput(f);
|
2005-04-17 00:20:36 +02:00
|
|
|
out:
|
|
|
|
|
return error;
|
|
|
|
|
}
|
|
|
|
|
|
2009-01-14 14:14:16 +01:00
|
|
|
SYSCALL_DEFINE1(chroot, const char __user *, filename)
|
2005-04-17 00:20:36 +02:00
|
|
|
{
|
2008-07-22 15:59:21 +02:00
|
|
|
struct path path;
|
2005-04-17 00:20:36 +02:00
|
|
|
int error;
|
2012-12-20 23:08:32 +01:00
|
|
|
unsigned int lookup_flags = LOOKUP_FOLLOW | LOOKUP_DIRECTORY;
|
|
|
|
|
retry:
|
|
|
|
|
error = user_path_at(AT_FDCWD, filename, lookup_flags, &path);
|
2005-04-17 00:20:36 +02:00
|
|
|
if (error)
|
|
|
|
|
goto out;
|
|
|
|
|
|
2010-07-23 17:43:51 +02:00
|
|
|
error = inode_permission(path.dentry->d_inode, MAY_EXEC | MAY_CHDIR);
|
2005-04-17 00:20:36 +02:00
|
|
|
if (error)
|
|
|
|
|
goto dput_and_out;
|
|
|
|
|
|
|
|
|
|
error = -EPERM;
|
2012-07-31 10:14:12 +02:00
|
|
|
if (!nsown_capable(CAP_SYS_CHROOT))
|
2005-04-17 00:20:36 +02:00
|
|
|
goto dput_and_out;
|
2009-10-04 14:49:48 +02:00
|
|
|
error = security_path_chroot(&path);
|
|
|
|
|
if (error)
|
|
|
|
|
goto dput_and_out;
|
2005-04-17 00:20:36 +02:00
|
|
|
|
2008-07-22 15:59:21 +02:00
|
|
|
set_fs_root(current->fs, &path);
|
2005-04-17 00:20:36 +02:00
|
|
|
error = 0;
|
|
|
|
|
dput_and_out:
|
2008-07-22 15:59:21 +02:00
|
|
|
path_put(&path);
|
2012-12-20 23:08:32 +01:00
|
|
|
if (retry_estale(error, lookup_flags)) {
|
|
|
|
|
lookup_flags |= LOOKUP_REVAL;
|
|
|
|
|
goto retry;
|
|
|
|
|
}
|
2005-04-17 00:20:36 +02:00
|
|
|
out:
|
|
|
|
|
return error;
|
|
|
|
|
}
|
|
|
|
|
|
2011-07-26 10:15:54 +02:00
|
|
|
static int chmod_common(struct path *path, umode_t mode)
|
2005-04-17 00:20:36 +02:00
|
|
|
{
|
2011-07-26 10:15:54 +02:00
|
|
|
struct inode *inode = path->dentry->d_inode;
|
2005-04-17 00:20:36 +02:00
|
|
|
struct iattr newattrs;
|
2011-07-26 10:15:54 +02:00
|
|
|
int error;
|
2005-04-17 00:20:36 +02:00
|
|
|
|
2011-07-26 10:15:54 +02:00
|
|
|
error = mnt_want_write(path->mnt);
|
|
|
|
|
if (error)
|
|
|
|
|
return error;
|
2009-11-22 03:49:55 +01:00
|
|
|
mutex_lock(&inode->i_mutex);
|
2011-12-08 16:51:53 +01:00
|
|
|
error = security_path_chmod(path, mode);
|
2011-07-26 10:15:54 +02:00
|
|
|
if (error)
|
2009-11-22 03:49:55 +01:00
|
|
|
goto out_unlock;
|
2005-04-17 00:20:36 +02:00
|
|
|
newattrs.ia_mode = (mode & S_IALLUGO) | (inode->i_mode & ~S_IALLUGO);
|
|
|
|
|
newattrs.ia_valid = ATTR_MODE | ATTR_CTIME;
|
2011-07-26 10:15:54 +02:00
|
|
|
error = notify_change(path->dentry, &newattrs);
|
2009-11-22 03:49:55 +01:00
|
|
|
out_unlock:
|
2006-01-10 00:59:24 +01:00
|
|
|
mutex_unlock(&inode->i_mutex);
|
2011-07-26 10:15:54 +02:00
|
|
|
mnt_drop_write(path->mnt);
|
|
|
|
|
return error;
|
|
|
|
|
}
|
|
|
|
|
|
2011-07-26 10:22:01 +02:00
|
|
|
SYSCALL_DEFINE2(fchmod, unsigned int, fd, umode_t, mode)
|
2011-07-26 10:15:54 +02:00
|
|
|
{
|
|
|
|
|
struct file * file;
|
|
|
|
|
int err = -EBADF;
|
|
|
|
|
|
|
|
|
|
file = fget(fd);
|
|
|
|
|
if (file) {
|
2012-10-10 21:25:23 +02:00
|
|
|
audit_inode(NULL, file->f_path.dentry, 0);
|
2011-07-26 10:15:54 +02:00
|
|
|
err = chmod_common(&file->f_path, mode);
|
|
|
|
|
fput(file);
|
|
|
|
|
}
|
2005-04-17 00:20:36 +02:00
|
|
|
return err;
|
|
|
|
|
}
|
|
|
|
|
|
2011-07-26 10:22:01 +02:00
|
|
|
SYSCALL_DEFINE3(fchmodat, int, dfd, const char __user *, filename, umode_t, mode)
|
2005-04-17 00:20:36 +02:00
|
|
|
{
|
2008-07-22 15:59:21 +02:00
|
|
|
struct path path;
|
2005-04-17 00:20:36 +02:00
|
|
|
int error;
|
2012-12-11 18:10:13 +01:00
|
|
|
unsigned int lookup_flags = LOOKUP_FOLLOW;
|
|
|
|
|
retry:
|
|
|
|
|
error = user_path_at(dfd, filename, lookup_flags, &path);
|
2011-07-26 10:15:54 +02:00
|
|
|
if (!error) {
|
|
|
|
|
error = chmod_common(&path, mode);
|
|
|
|
|
path_put(&path);
|
2012-12-11 18:10:13 +01:00
|
|
|
if (retry_estale(error, lookup_flags)) {
|
|
|
|
|
lookup_flags |= LOOKUP_REVAL;
|
|
|
|
|
goto retry;
|
|
|
|
|
}
|
2011-07-26 10:15:54 +02:00
|
|
|
}
|
2005-04-17 00:20:36 +02:00
|
|
|
return error;
|
|
|
|
|
}
|
|
|
|
|
|
2011-07-26 10:22:01 +02:00
|
|
|
SYSCALL_DEFINE2(chmod, const char __user *, filename, umode_t, mode)
|
2006-01-19 02:43:53 +01:00
|
|
|
{
|
|
|
|
|
return sys_fchmodat(AT_FDCWD, filename, mode);
|
|
|
|
|
}
|
|
|
|
|
|
2009-11-22 03:49:55 +01:00
|
|
|
static int chown_common(struct path *path, uid_t user, gid_t group)
|
2005-04-17 00:20:36 +02:00
|
|
|
{
|
2009-11-22 03:49:55 +01:00
|
|
|
struct inode *inode = path->dentry->d_inode;
|
2005-04-17 00:20:36 +02:00
|
|
|
int error;
|
|
|
|
|
struct iattr newattrs;
|
2012-03-04 04:52:01 +01:00
|
|
|
kuid_t uid;
|
|
|
|
|
kgid_t gid;
|
|
|
|
|
|
|
|
|
|
uid = make_kuid(current_user_ns(), user);
|
|
|
|
|
gid = make_kgid(current_user_ns(), group);
|
2005-04-17 00:20:36 +02:00
|
|
|
|
|
|
|
|
newattrs.ia_valid = ATTR_CTIME;
|
|
|
|
|
if (user != (uid_t) -1) {
|
2012-03-04 04:52:01 +01:00
|
|
|
if (!uid_valid(uid))
|
|
|
|
|
return -EINVAL;
|
2005-04-17 00:20:36 +02:00
|
|
|
newattrs.ia_valid |= ATTR_UID;
|
2012-03-04 04:52:01 +01:00
|
|
|
newattrs.ia_uid = uid;
|
2005-04-17 00:20:36 +02:00
|
|
|
}
|
|
|
|
|
if (group != (gid_t) -1) {
|
2012-03-04 04:52:01 +01:00
|
|
|
if (!gid_valid(gid))
|
|
|
|
|
return -EINVAL;
|
2005-04-17 00:20:36 +02:00
|
|
|
newattrs.ia_valid |= ATTR_GID;
|
2012-03-04 04:52:01 +01:00
|
|
|
newattrs.ia_gid = gid;
|
2005-04-17 00:20:36 +02:00
|
|
|
}
|
|
|
|
|
if (!S_ISDIR(inode->i_mode))
|
Implement file posix capabilities
Implement file posix capabilities. This allows programs to be given a
subset of root's powers regardless of who runs them, without having to use
setuid and giving the binary all of root's powers.
This version works with Kaigai Kohei's userspace tools, found at
http://www.kaigai.gr.jp/index.php. For more information on how to use this
patch, Chris Friedhoff has posted a nice page at
http://www.friedhoff.org/fscaps.html.
Changelog:
Nov 27:
Incorporate fixes from Andrew Morton
(security-introduce-file-caps-tweaks and
security-introduce-file-caps-warning-fix)
Fix Kconfig dependency.
Fix change signaling behavior when file caps are not compiled in.
Nov 13:
Integrate comments from Alexey: Remove CONFIG_ ifdef from
capability.h, and use %zd for printing a size_t.
Nov 13:
Fix endianness warnings by sparse as suggested by Alexey
Dobriyan.
Nov 09:
Address warnings of unused variables at cap_bprm_set_security
when file capabilities are disabled, and simultaneously clean
up the code a little, by pulling the new code into a helper
function.
Nov 08:
For pointers to required userspace tools and how to use
them, see http://www.friedhoff.org/fscaps.html.
Nov 07:
Fix the calculation of the highest bit checked in
check_cap_sanity().
Nov 07:
Allow file caps to be enabled without CONFIG_SECURITY, since
capabilities are the default.
Hook cap_task_setscheduler when !CONFIG_SECURITY.
Move capable(TASK_KILL) to end of cap_task_kill to reduce
audit messages.
Nov 05:
Add secondary calls in selinux/hooks.c to task_setioprio and
task_setscheduler so that selinux and capabilities with file
cap support can be stacked.
Sep 05:
As Seth Arnold points out, uid checks are out of place
for capability code.
Sep 01:
Define task_setscheduler, task_setioprio, cap_task_kill, and
task_setnice to make sure a user cannot affect a process in which
they called a program with some fscaps.
One remaining question is the note under task_setscheduler: are we
ok with CAP_SYS_NICE being sufficient to confine a process to a
cpuset?
It is a semantic change, as without fsccaps, attach_task doesn't
allow CAP_SYS_NICE to override the uid equivalence check. But since
it uses security_task_setscheduler, which elsewhere is used where
CAP_SYS_NICE can be used to override the uid equivalence check,
fixing it might be tough.
task_setscheduler
note: this also controls cpuset:attach_task. Are we ok with
CAP_SYS_NICE being used to confine to a cpuset?
task_setioprio
task_setnice
sys_setpriority uses this (through set_one_prio) for another
process. Need same checks as setrlimit
Aug 21:
Updated secureexec implementation to reflect the fact that
euid and uid might be the same and nonzero, but the process
might still have elevated caps.
Aug 15:
Handle endianness of xattrs.
Enforce capability version match between kernel and disk.
Enforce that no bits beyond the known max capability are
set, else return -EPERM.
With this extra processing, it may be worth reconsidering
doing all the work at bprm_set_security rather than
d_instantiate.
Aug 10:
Always call getxattr at bprm_set_security, rather than
caching it at d_instantiate.
[morgan@kernel.org: file-caps clean up for linux/capability.h]
[bunk@kernel.org: unexport cap_inode_killpriv]
Signed-off-by: Serge E. Hallyn <serue@us.ibm.com>
Cc: Stephen Smalley <sds@tycho.nsa.gov>
Cc: James Morris <jmorris@namei.org>
Cc: Chris Wright <chrisw@sous-sol.org>
Cc: Andrew Morgan <morgan@kernel.org>
Signed-off-by: Andrew Morgan <morgan@kernel.org>
Signed-off-by: Adrian Bunk <bunk@kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2007-10-17 08:31:36 +02:00
|
|
|
newattrs.ia_valid |=
|
|
|
|
|
ATTR_KILL_SUID | ATTR_KILL_SGID | ATTR_KILL_PRIV;
|
2006-01-10 00:59:24 +01:00
|
|
|
mutex_lock(&inode->i_mutex);
|
2012-06-02 00:14:19 +02:00
|
|
|
error = security_path_chown(path, uid, gid);
|
2009-11-22 03:49:55 +01:00
|
|
|
if (!error)
|
|
|
|
|
error = notify_change(path->dentry, &newattrs);
|
2006-01-10 00:59:24 +01:00
|
|
|
mutex_unlock(&inode->i_mutex);
|
2008-07-01 15:01:29 +02:00
|
|
|
|
2005-04-17 00:20:36 +02:00
|
|
|
return error;
|
|
|
|
|
}
|
|
|
|
|
|
2009-01-14 14:14:32 +01:00
|
|
|
SYSCALL_DEFINE5(fchownat, int, dfd, const char __user *, filename, uid_t, user,
|
|
|
|
|
gid_t, group, int, flag)
|
2006-01-19 02:43:53 +01:00
|
|
|
{
|
2008-07-22 15:59:21 +02:00
|
|
|
struct path path;
|
2006-01-19 02:43:53 +01:00
|
|
|
int error = -EINVAL;
|
2011-03-13 20:56:26 +01:00
|
|
|
int lookup_flags;
|
2006-01-19 02:43:53 +01:00
|
|
|
|
2011-03-13 20:56:26 +01:00
|
|
|
if ((flag & ~(AT_SYMLINK_NOFOLLOW | AT_EMPTY_PATH)) != 0)
|
2006-01-19 02:43:53 +01:00
|
|
|
goto out;
|
|
|
|
|
|
2011-03-13 20:56:26 +01:00
|
|
|
lookup_flags = (flag & AT_SYMLINK_NOFOLLOW) ? 0 : LOOKUP_FOLLOW;
|
|
|
|
|
if (flag & AT_EMPTY_PATH)
|
|
|
|
|
lookup_flags |= LOOKUP_EMPTY;
|
2012-12-11 18:10:13 +01:00
|
|
|
retry:
|
2011-03-13 20:56:26 +01:00
|
|
|
error = user_path_at(dfd, filename, lookup_flags, &path);
|
2006-10-01 08:29:01 +02:00
|
|
|
if (error)
|
|
|
|
|
goto out;
|
2008-07-22 15:59:21 +02:00
|
|
|
error = mnt_want_write(path.mnt);
|
2008-02-15 23:37:50 +01:00
|
|
|
if (error)
|
|
|
|
|
goto out_release;
|
2009-11-22 03:49:55 +01:00
|
|
|
error = chown_common(&path, user, group);
|
2008-07-22 15:59:21 +02:00
|
|
|
mnt_drop_write(path.mnt);
|
2008-02-15 23:37:50 +01:00
|
|
|
out_release:
|
2008-07-22 15:59:21 +02:00
|
|
|
path_put(&path);
|
2012-12-11 18:10:13 +01:00
|
|
|
if (retry_estale(error, lookup_flags)) {
|
|
|
|
|
lookup_flags |= LOOKUP_REVAL;
|
|
|
|
|
goto retry;
|
|
|
|
|
}
|
2006-01-19 02:43:53 +01:00
|
|
|
out:
|
|
|
|
|
return error;
|
|
|
|
|
}
|
|
|
|
|
|
2012-06-25 13:55:09 +02:00
|
|
|
SYSCALL_DEFINE3(chown, const char __user *, filename, uid_t, user, gid_t, group)
|
2005-04-17 00:20:36 +02:00
|
|
|
{
|
2012-06-25 13:55:09 +02:00
|
|
|
return sys_fchownat(AT_FDCWD, filename, user, group, 0);
|
|
|
|
|
}
|
2005-04-17 00:20:36 +02:00
|
|
|
|
2012-06-25 13:55:09 +02:00
|
|
|
SYSCALL_DEFINE3(lchown, const char __user *, filename, uid_t, user, gid_t, group)
|
|
|
|
|
{
|
|
|
|
|
return sys_fchownat(AT_FDCWD, filename, user, group,
|
|
|
|
|
AT_SYMLINK_NOFOLLOW);
|
2005-04-17 00:20:36 +02:00
|
|
|
}
|
|
|
|
|
|
2009-01-14 14:14:19 +01:00
|
|
|
SYSCALL_DEFINE3(fchown, unsigned int, fd, uid_t, user, gid_t, group)
|
2005-04-17 00:20:36 +02:00
|
|
|
{
|
2012-08-28 18:52:22 +02:00
|
|
|
struct fd f = fdget(fd);
|
2005-04-17 00:20:36 +02:00
|
|
|
int error = -EBADF;
|
|
|
|
|
|
2012-08-28 18:52:22 +02:00
|
|
|
if (!f.file)
|
2006-10-01 08:29:01 +02:00
|
|
|
goto out;
|
|
|
|
|
|
2012-08-28 18:52:22 +02:00
|
|
|
error = mnt_want_write_file(f.file);
|
2008-02-15 23:37:50 +01:00
|
|
|
if (error)
|
|
|
|
|
goto out_fput;
|
2012-10-10 21:25:23 +02:00
|
|
|
audit_inode(NULL, f.file->f_path.dentry, 0);
|
2012-08-28 18:52:22 +02:00
|
|
|
error = chown_common(&f.file->f_path, user, group);
|
|
|
|
|
mnt_drop_write_file(f.file);
|
2008-02-15 23:37:50 +01:00
|
|
|
out_fput:
|
2012-08-28 18:52:22 +02:00
|
|
|
fdput(f);
|
2006-10-01 08:29:01 +02:00
|
|
|
out:
|
2005-04-17 00:20:36 +02:00
|
|
|
return error;
|
|
|
|
|
}
|
|
|
|
|
|
2008-02-15 23:37:48 +01:00
|
|
|
/*
|
|
|
|
|
* You have to be very careful that these write
|
|
|
|
|
* counts get cleaned up in error cases and
|
|
|
|
|
* upon __fput(). This should probably never
|
|
|
|
|
* be called outside of __dentry_open().
|
|
|
|
|
*/
|
|
|
|
|
static inline int __get_file_write_access(struct inode *inode,
|
|
|
|
|
struct vfsmount *mnt)
|
|
|
|
|
{
|
|
|
|
|
int error;
|
|
|
|
|
error = get_write_access(inode);
|
|
|
|
|
if (error)
|
|
|
|
|
return error;
|
|
|
|
|
/*
|
|
|
|
|
* Do not take mount writer counts on
|
|
|
|
|
* special files since no writes to
|
|
|
|
|
* the mount itself will occur.
|
|
|
|
|
*/
|
|
|
|
|
if (!special_file(inode->i_mode)) {
|
|
|
|
|
/*
|
|
|
|
|
* Balanced in __fput()
|
|
|
|
|
*/
|
2012-06-12 16:20:35 +02:00
|
|
|
error = __mnt_want_write(mnt);
|
2008-02-15 23:37:48 +01:00
|
|
|
if (error)
|
|
|
|
|
put_write_access(inode);
|
|
|
|
|
}
|
|
|
|
|
return error;
|
|
|
|
|
}
|
|
|
|
|
|
2012-05-21 17:30:15 +02:00
|
|
|
int open_check_o_direct(struct file *f)
|
|
|
|
|
{
|
|
|
|
|
/* NB: we're sure to have correct a_ops only after f_op->open */
|
|
|
|
|
if (f->f_flags & O_DIRECT) {
|
|
|
|
|
if (!f->f_mapping->a_ops ||
|
|
|
|
|
((!f->f_mapping->a_ops->direct_IO) &&
|
|
|
|
|
(!f->f_mapping->a_ops->get_xip_mem))) {
|
|
|
|
|
return -EINVAL;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
|
2012-06-10 20:32:45 +02:00
|
|
|
static int do_dentry_open(struct file *f,
|
2012-06-10 20:22:04 +02:00
|
|
|
int (*open)(struct inode *, struct file *),
|
|
|
|
|
const struct cred *cred)
|
2005-04-17 00:20:36 +02:00
|
|
|
{
|
New kind of open files - "location only".
New flag for open(2) - O_PATH. Semantics:
* pathname is resolved, but the file itself is _NOT_ opened
as far as filesystem is concerned.
* almost all operations on the resulting descriptors shall
fail with -EBADF. Exceptions are:
1) operations on descriptors themselves (i.e.
close(), dup(), dup2(), dup3(), fcntl(fd, F_DUPFD),
fcntl(fd, F_DUPFD_CLOEXEC, ...), fcntl(fd, F_GETFD),
fcntl(fd, F_SETFD, ...))
2) fcntl(fd, F_GETFL), for a common non-destructive way to
check if descriptor is open
3) "dfd" arguments of ...at(2) syscalls, i.e. the starting
points of pathname resolution
* closing such descriptor does *NOT* affect dnotify or
posix locks.
* permissions are checked as usual along the way to file;
no permission checks are applied to the file itself. Of course,
giving such thing to syscall will result in permission checks (at
the moment it means checking that starting point of ....at() is
a directory and caller has exec permissions on it).
fget() and fget_light() return NULL on such descriptors; use of
fget_raw() and fget_raw_light() is needed to get them. That protects
existing code from dealing with those things.
There are two things still missing (they come in the next commits):
one is handling of symlinks (right now we refuse to open them that
way; see the next commit for semantics related to those) and another
is descriptor passing via SCM_RIGHTS datagrams.
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
2011-03-13 08:51:11 +01:00
|
|
|
static const struct file_operations empty_fops = {};
|
2005-04-17 00:20:36 +02:00
|
|
|
struct inode *inode;
|
|
|
|
|
int error;
|
|
|
|
|
|
2009-12-19 16:15:07 +01:00
|
|
|
f->f_mode = OPEN_FMODE(f->f_flags) | FMODE_LSEEK |
|
[PATCH] open returns ENFILE but creates file anyway
When open(O_CREAT) is called and the error, ENFILE, is returned, the file
may be created anyway. This is counter intuitive, against the SUS V3
specification, and may cause applications to misbehave if they are not
coded correctly to handle this semantic. The SUS V3 specification
explicitly states "No files shall be created or modified if the function
returns -1.".
The error, ENFILE, is used to indicate the system wide open file table is
full and no more file structs can be allocated.
This is due to an ordering problem. The entry in the directory is created
before the file struct is allocated. If the allocation for the file struct
fails, then the system call must return an error, but the directory entry
was already created and can not be safely removed.
The solution to this situation is relatively easy. The file struct should
be allocated before the directory entry is created. If the allocation
fails, then the error can be returned directly. If the creation of the
directory entry fails, then the file struct can be easily freed.
Signed-off-by: Peter Staubach <staubach@redhat.com>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
2005-09-13 10:25:12 +02:00
|
|
|
FMODE_PREAD | FMODE_PWRITE;
|
New kind of open files - "location only".
New flag for open(2) - O_PATH. Semantics:
* pathname is resolved, but the file itself is _NOT_ opened
as far as filesystem is concerned.
* almost all operations on the resulting descriptors shall
fail with -EBADF. Exceptions are:
1) operations on descriptors themselves (i.e.
close(), dup(), dup2(), dup3(), fcntl(fd, F_DUPFD),
fcntl(fd, F_DUPFD_CLOEXEC, ...), fcntl(fd, F_GETFD),
fcntl(fd, F_SETFD, ...))
2) fcntl(fd, F_GETFL), for a common non-destructive way to
check if descriptor is open
3) "dfd" arguments of ...at(2) syscalls, i.e. the starting
points of pathname resolution
* closing such descriptor does *NOT* affect dnotify or
posix locks.
* permissions are checked as usual along the way to file;
no permission checks are applied to the file itself. Of course,
giving such thing to syscall will result in permission checks (at
the moment it means checking that starting point of ....at() is
a directory and caller has exec permissions on it).
fget() and fget_light() return NULL on such descriptors; use of
fget_raw() and fget_raw_light() is needed to get them. That protects
existing code from dealing with those things.
There are two things still missing (they come in the next commits):
one is handling of symlinks (right now we refuse to open them that
way; see the next commit for semantics related to those) and another
is descriptor passing via SCM_RIGHTS datagrams.
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
2011-03-13 08:51:11 +01:00
|
|
|
|
|
|
|
|
if (unlikely(f->f_flags & O_PATH))
|
|
|
|
|
f->f_mode = FMODE_PATH;
|
|
|
|
|
|
2012-07-20 21:28:46 +02:00
|
|
|
path_get(&f->f_path);
|
2012-06-10 20:32:45 +02:00
|
|
|
inode = f->f_path.dentry->d_inode;
|
2005-04-17 00:20:36 +02:00
|
|
|
if (f->f_mode & FMODE_WRITE) {
|
2012-06-10 20:32:45 +02:00
|
|
|
error = __get_file_write_access(inode, f->f_path.mnt);
|
2005-04-17 00:20:36 +02:00
|
|
|
if (error)
|
|
|
|
|
goto cleanup_file;
|
2008-02-15 23:38:01 +01:00
|
|
|
if (!special_file(inode->i_mode))
|
|
|
|
|
file_take_write(f);
|
2005-04-17 00:20:36 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
f->f_mapping = inode->i_mapping;
|
|
|
|
|
f->f_pos = 0;
|
2010-08-17 20:37:35 +02:00
|
|
|
file_sb_list_add(f, inode->i_sb);
|
2005-04-17 00:20:36 +02:00
|
|
|
|
New kind of open files - "location only".
New flag for open(2) - O_PATH. Semantics:
* pathname is resolved, but the file itself is _NOT_ opened
as far as filesystem is concerned.
* almost all operations on the resulting descriptors shall
fail with -EBADF. Exceptions are:
1) operations on descriptors themselves (i.e.
close(), dup(), dup2(), dup3(), fcntl(fd, F_DUPFD),
fcntl(fd, F_DUPFD_CLOEXEC, ...), fcntl(fd, F_GETFD),
fcntl(fd, F_SETFD, ...))
2) fcntl(fd, F_GETFL), for a common non-destructive way to
check if descriptor is open
3) "dfd" arguments of ...at(2) syscalls, i.e. the starting
points of pathname resolution
* closing such descriptor does *NOT* affect dnotify or
posix locks.
* permissions are checked as usual along the way to file;
no permission checks are applied to the file itself. Of course,
giving such thing to syscall will result in permission checks (at
the moment it means checking that starting point of ....at() is
a directory and caller has exec permissions on it).
fget() and fget_light() return NULL on such descriptors; use of
fget_raw() and fget_raw_light() is needed to get them. That protects
existing code from dealing with those things.
There are two things still missing (they come in the next commits):
one is handling of symlinks (right now we refuse to open them that
way; see the next commit for semantics related to those) and another
is descriptor passing via SCM_RIGHTS datagrams.
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
2011-03-13 08:51:11 +01:00
|
|
|
if (unlikely(f->f_mode & FMODE_PATH)) {
|
|
|
|
|
f->f_op = &empty_fops;
|
2012-06-10 20:22:04 +02:00
|
|
|
return 0;
|
New kind of open files - "location only".
New flag for open(2) - O_PATH. Semantics:
* pathname is resolved, but the file itself is _NOT_ opened
as far as filesystem is concerned.
* almost all operations on the resulting descriptors shall
fail with -EBADF. Exceptions are:
1) operations on descriptors themselves (i.e.
close(), dup(), dup2(), dup3(), fcntl(fd, F_DUPFD),
fcntl(fd, F_DUPFD_CLOEXEC, ...), fcntl(fd, F_GETFD),
fcntl(fd, F_SETFD, ...))
2) fcntl(fd, F_GETFL), for a common non-destructive way to
check if descriptor is open
3) "dfd" arguments of ...at(2) syscalls, i.e. the starting
points of pathname resolution
* closing such descriptor does *NOT* affect dnotify or
posix locks.
* permissions are checked as usual along the way to file;
no permission checks are applied to the file itself. Of course,
giving such thing to syscall will result in permission checks (at
the moment it means checking that starting point of ....at() is
a directory and caller has exec permissions on it).
fget() and fget_light() return NULL on such descriptors; use of
fget_raw() and fget_raw_light() is needed to get them. That protects
existing code from dealing with those things.
There are two things still missing (they come in the next commits):
one is handling of symlinks (right now we refuse to open them that
way; see the next commit for semantics related to those) and another
is descriptor passing via SCM_RIGHTS datagrams.
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
2011-03-13 08:51:11 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
f->f_op = fops_get(inode->i_fop);
|
|
|
|
|
|
2012-04-04 19:45:40 +02:00
|
|
|
error = security_file_open(f, cred);
|
2007-09-14 02:27:07 +02:00
|
|
|
if (error)
|
|
|
|
|
goto cleanup_all;
|
|
|
|
|
|
2011-09-21 16:58:13 +02:00
|
|
|
error = break_lease(inode, f->f_flags);
|
|
|
|
|
if (error)
|
|
|
|
|
goto cleanup_all;
|
|
|
|
|
|
2005-10-18 23:20:16 +02:00
|
|
|
if (!open && f->f_op)
|
|
|
|
|
open = f->f_op->open;
|
|
|
|
|
if (open) {
|
|
|
|
|
error = open(inode, f);
|
2005-04-17 00:20:36 +02:00
|
|
|
if (error)
|
|
|
|
|
goto cleanup_all;
|
|
|
|
|
}
|
2010-11-02 15:13:07 +01:00
|
|
|
if ((f->f_mode & (FMODE_READ | FMODE_WRITE)) == FMODE_READ)
|
|
|
|
|
i_readcount_inc(inode);
|
2005-10-18 23:20:16 +02:00
|
|
|
|
2005-04-17 00:20:36 +02:00
|
|
|
f->f_flags &= ~(O_CREAT | O_EXCL | O_NOCTTY | O_TRUNC);
|
|
|
|
|
|
|
|
|
|
file_ra_state_init(&f->f_ra, f->f_mapping->host->i_mapping);
|
|
|
|
|
|
2012-06-10 20:22:04 +02:00
|
|
|
return 0;
|
2005-04-17 00:20:36 +02:00
|
|
|
|
|
|
|
|
cleanup_all:
|
|
|
|
|
fops_put(f->f_op);
|
2012-06-23 20:49:45 +02:00
|
|
|
file_sb_list_del(f);
|
2008-02-15 23:37:48 +01:00
|
|
|
if (f->f_mode & FMODE_WRITE) {
|
2005-04-17 00:20:36 +02:00
|
|
|
put_write_access(inode);
|
2008-02-15 23:38:01 +01:00
|
|
|
if (!special_file(inode->i_mode)) {
|
|
|
|
|
/*
|
|
|
|
|
* We don't consider this a real
|
|
|
|
|
* mnt_want/drop_write() pair
|
|
|
|
|
* because it all happenend right
|
|
|
|
|
* here, so just reset the state.
|
|
|
|
|
*/
|
|
|
|
|
file_reset_write(f);
|
2012-08-04 06:39:23 +02:00
|
|
|
__mnt_drop_write(f->f_path.mnt);
|
2008-02-15 23:38:01 +01:00
|
|
|
}
|
2008-02-15 23:37:48 +01:00
|
|
|
}
|
2005-04-17 00:20:36 +02:00
|
|
|
cleanup_file:
|
2012-06-10 20:32:45 +02:00
|
|
|
path_put(&f->f_path);
|
|
|
|
|
f->f_path.mnt = NULL;
|
|
|
|
|
f->f_path.dentry = NULL;
|
2012-06-10 20:22:04 +02:00
|
|
|
return error;
|
2005-04-17 00:20:36 +02:00
|
|
|
}
|
|
|
|
|
|
2012-06-05 15:10:17 +02:00
|
|
|
/**
|
|
|
|
|
* finish_open - finish opening a file
|
|
|
|
|
* @od: opaque open data
|
|
|
|
|
* @dentry: pointer to dentry
|
|
|
|
|
* @open: open callback
|
|
|
|
|
*
|
|
|
|
|
* This can be used to finish opening a file passed to i_op->atomic_open().
|
|
|
|
|
*
|
|
|
|
|
* If the open callback is set to NULL, then the standard f_op->open()
|
|
|
|
|
* filesystem callback is substituted.
|
|
|
|
|
*/
|
2012-06-22 10:40:19 +02:00
|
|
|
int finish_open(struct file *file, struct dentry *dentry,
|
|
|
|
|
int (*open)(struct inode *, struct file *),
|
|
|
|
|
int *opened)
|
2012-06-05 15:10:17 +02:00
|
|
|
{
|
2012-06-10 20:22:04 +02:00
|
|
|
int error;
|
2012-06-10 11:04:43 +02:00
|
|
|
BUG_ON(*opened & FILE_OPENED); /* once it's opened, it's opened */
|
2012-06-05 15:10:17 +02:00
|
|
|
|
2012-07-20 21:28:46 +02:00
|
|
|
file->f_path.dentry = dentry;
|
2012-06-10 20:32:45 +02:00
|
|
|
error = do_dentry_open(file, open, current_cred());
|
2012-06-10 20:22:04 +02:00
|
|
|
if (!error)
|
2012-06-10 11:01:45 +02:00
|
|
|
*opened |= FILE_OPENED;
|
2012-06-05 15:10:17 +02:00
|
|
|
|
2012-06-10 20:22:04 +02:00
|
|
|
return error;
|
2012-06-05 15:10:17 +02:00
|
|
|
}
|
|
|
|
|
EXPORT_SYMBOL(finish_open);
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* finish_no_open - finish ->atomic_open() without opening the file
|
|
|
|
|
*
|
|
|
|
|
* @od: opaque open data
|
|
|
|
|
* @dentry: dentry or NULL (as returned from ->lookup())
|
|
|
|
|
*
|
|
|
|
|
* This can be used to set the result of a successful lookup in ->atomic_open().
|
|
|
|
|
* The filesystem's atomic_open() method shall return NULL after calling this.
|
|
|
|
|
*/
|
2012-06-10 12:48:09 +02:00
|
|
|
int finish_no_open(struct file *file, struct dentry *dentry)
|
2012-06-05 15:10:17 +02:00
|
|
|
{
|
2012-06-22 10:40:19 +02:00
|
|
|
file->f_path.dentry = dentry;
|
2012-06-10 12:48:09 +02:00
|
|
|
return 1;
|
2012-06-05 15:10:17 +02:00
|
|
|
}
|
|
|
|
|
EXPORT_SYMBOL(finish_no_open);
|
|
|
|
|
|
2012-06-26 19:58:53 +02:00
|
|
|
struct file *dentry_open(const struct path *path, int flags,
|
2008-11-14 00:39:22 +01:00
|
|
|
const struct cred *cred)
|
[PATCH] open returns ENFILE but creates file anyway
When open(O_CREAT) is called and the error, ENFILE, is returned, the file
may be created anyway. This is counter intuitive, against the SUS V3
specification, and may cause applications to misbehave if they are not
coded correctly to handle this semantic. The SUS V3 specification
explicitly states "No files shall be created or modified if the function
returns -1.".
The error, ENFILE, is used to indicate the system wide open file table is
full and no more file structs can be allocated.
This is due to an ordering problem. The entry in the directory is created
before the file struct is allocated. If the allocation for the file struct
fails, then the system call must return an error, but the directory entry
was already created and can not be safely removed.
The solution to this situation is relatively easy. The file struct should
be allocated before the directory entry is created. If the allocation
fails, then the error can be returned directly. If the creation of the
directory entry fails, then the file struct can be easily freed.
Signed-off-by: Peter Staubach <staubach@redhat.com>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
2005-09-13 10:25:12 +02:00
|
|
|
{
|
|
|
|
|
int error;
|
|
|
|
|
struct file *f;
|
|
|
|
|
|
2009-09-02 10:13:40 +02:00
|
|
|
validate_creds(cred);
|
|
|
|
|
|
2011-01-19 13:08:41 +01:00
|
|
|
/* We must always pass in a valid mount pointer. */
|
2012-06-26 19:58:53 +02:00
|
|
|
BUG_ON(!path->mnt);
|
2008-02-15 23:37:24 +01:00
|
|
|
|
[PATCH] open returns ENFILE but creates file anyway
When open(O_CREAT) is called and the error, ENFILE, is returned, the file
may be created anyway. This is counter intuitive, against the SUS V3
specification, and may cause applications to misbehave if they are not
coded correctly to handle this semantic. The SUS V3 specification
explicitly states "No files shall be created or modified if the function
returns -1.".
The error, ENFILE, is used to indicate the system wide open file table is
full and no more file structs can be allocated.
This is due to an ordering problem. The entry in the directory is created
before the file struct is allocated. If the allocation for the file struct
fails, then the system call must return an error, but the directory entry
was already created and can not be safely removed.
The solution to this situation is relatively easy. The file struct should
be allocated before the directory entry is created. If the allocation
fails, then the error can be returned directly. If the creation of the
directory entry fails, then the file struct can be easily freed.
Signed-off-by: Peter Staubach <staubach@redhat.com>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
2005-09-13 10:25:12 +02:00
|
|
|
error = -ENFILE;
|
|
|
|
|
f = get_empty_filp();
|
2012-06-26 19:58:53 +02:00
|
|
|
if (f == NULL)
|
[PATCH] open returns ENFILE but creates file anyway
When open(O_CREAT) is called and the error, ENFILE, is returned, the file
may be created anyway. This is counter intuitive, against the SUS V3
specification, and may cause applications to misbehave if they are not
coded correctly to handle this semantic. The SUS V3 specification
explicitly states "No files shall be created or modified if the function
returns -1.".
The error, ENFILE, is used to indicate the system wide open file table is
full and no more file structs can be allocated.
This is due to an ordering problem. The entry in the directory is created
before the file struct is allocated. If the allocation for the file struct
fails, then the system call must return an error, but the directory entry
was already created and can not be safely removed.
The solution to this situation is relatively easy. The file struct should
be allocated before the directory entry is created. If the allocation
fails, then the error can be returned directly. If the creation of the
directory entry fails, then the file struct can be easily freed.
Signed-off-by: Peter Staubach <staubach@redhat.com>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
2005-09-13 10:25:12 +02:00
|
|
|
return ERR_PTR(error);
|
|
|
|
|
|
2009-12-19 16:10:39 +01:00
|
|
|
f->f_flags = flags;
|
2012-06-26 19:58:53 +02:00
|
|
|
f->f_path = *path;
|
2012-06-10 20:32:45 +02:00
|
|
|
error = do_dentry_open(f, NULL, cred);
|
2012-06-10 20:24:38 +02:00
|
|
|
if (!error) {
|
|
|
|
|
error = open_check_o_direct(f);
|
|
|
|
|
if (error) {
|
|
|
|
|
fput(f);
|
|
|
|
|
f = ERR_PTR(error);
|
|
|
|
|
}
|
|
|
|
|
} else {
|
|
|
|
|
put_filp(f);
|
|
|
|
|
f = ERR_PTR(error);
|
|
|
|
|
}
|
|
|
|
|
return f;
|
[PATCH] open returns ENFILE but creates file anyway
When open(O_CREAT) is called and the error, ENFILE, is returned, the file
may be created anyway. This is counter intuitive, against the SUS V3
specification, and may cause applications to misbehave if they are not
coded correctly to handle this semantic. The SUS V3 specification
explicitly states "No files shall be created or modified if the function
returns -1.".
The error, ENFILE, is used to indicate the system wide open file table is
full and no more file structs can be allocated.
This is due to an ordering problem. The entry in the directory is created
before the file struct is allocated. If the allocation for the file struct
fails, then the system call must return an error, but the directory entry
was already created and can not be safely removed.
The solution to this situation is relatively easy. The file struct should
be allocated before the directory entry is created. If the allocation
fails, then the error can be returned directly. If the creation of the
directory entry fails, then the file struct can be easily freed.
Signed-off-by: Peter Staubach <staubach@redhat.com>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
2005-09-13 10:25:12 +02:00
|
|
|
}
|
2005-04-17 00:20:36 +02:00
|
|
|
EXPORT_SYMBOL(dentry_open);
|
|
|
|
|
|
2011-11-21 20:59:34 +01:00
|
|
|
static inline int build_open_flags(int flags, umode_t mode, struct open_flags *op)
|
2011-02-23 23:44:09 +01:00
|
|
|
{
|
|
|
|
|
int lookup_flags = 0;
|
|
|
|
|
int acc_mode;
|
|
|
|
|
|
2012-08-15 13:01:24 +02:00
|
|
|
if (flags & O_CREAT)
|
|
|
|
|
op->mode = (mode & S_IALLUGO) | S_IFREG;
|
|
|
|
|
else
|
|
|
|
|
op->mode = 0;
|
2011-02-23 23:44:09 +01:00
|
|
|
|
|
|
|
|
/* Must never be set by userspace */
|
2012-08-26 17:01:04 +02:00
|
|
|
flags &= ~FMODE_NONOTIFY & ~O_CLOEXEC;
|
2011-02-23 23:44:09 +01:00
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* O_SYNC is implemented as __O_SYNC|O_DSYNC. As many places only
|
|
|
|
|
* check for O_DSYNC if the need any syncing at all we enforce it's
|
|
|
|
|
* always set instead of having to deal with possibly weird behaviour
|
|
|
|
|
* for malicious applications setting only __O_SYNC.
|
|
|
|
|
*/
|
|
|
|
|
if (flags & __O_SYNC)
|
|
|
|
|
flags |= O_DSYNC;
|
|
|
|
|
|
New kind of open files - "location only".
New flag for open(2) - O_PATH. Semantics:
* pathname is resolved, but the file itself is _NOT_ opened
as far as filesystem is concerned.
* almost all operations on the resulting descriptors shall
fail with -EBADF. Exceptions are:
1) operations on descriptors themselves (i.e.
close(), dup(), dup2(), dup3(), fcntl(fd, F_DUPFD),
fcntl(fd, F_DUPFD_CLOEXEC, ...), fcntl(fd, F_GETFD),
fcntl(fd, F_SETFD, ...))
2) fcntl(fd, F_GETFL), for a common non-destructive way to
check if descriptor is open
3) "dfd" arguments of ...at(2) syscalls, i.e. the starting
points of pathname resolution
* closing such descriptor does *NOT* affect dnotify or
posix locks.
* permissions are checked as usual along the way to file;
no permission checks are applied to the file itself. Of course,
giving such thing to syscall will result in permission checks (at
the moment it means checking that starting point of ....at() is
a directory and caller has exec permissions on it).
fget() and fget_light() return NULL on such descriptors; use of
fget_raw() and fget_raw_light() is needed to get them. That protects
existing code from dealing with those things.
There are two things still missing (they come in the next commits):
one is handling of symlinks (right now we refuse to open them that
way; see the next commit for semantics related to those) and another
is descriptor passing via SCM_RIGHTS datagrams.
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
2011-03-13 08:51:11 +01:00
|
|
|
/*
|
|
|
|
|
* If we have O_PATH in the open flag. Then we
|
|
|
|
|
* cannot have anything other than the below set of flags
|
|
|
|
|
*/
|
|
|
|
|
if (flags & O_PATH) {
|
|
|
|
|
flags &= O_DIRECTORY | O_NOFOLLOW | O_PATH;
|
|
|
|
|
acc_mode = 0;
|
|
|
|
|
} else {
|
|
|
|
|
acc_mode = MAY_OPEN | ACC_MODE(flags);
|
|
|
|
|
}
|
2011-02-23 23:44:09 +01:00
|
|
|
|
New kind of open files - "location only".
New flag for open(2) - O_PATH. Semantics:
* pathname is resolved, but the file itself is _NOT_ opened
as far as filesystem is concerned.
* almost all operations on the resulting descriptors shall
fail with -EBADF. Exceptions are:
1) operations on descriptors themselves (i.e.
close(), dup(), dup2(), dup3(), fcntl(fd, F_DUPFD),
fcntl(fd, F_DUPFD_CLOEXEC, ...), fcntl(fd, F_GETFD),
fcntl(fd, F_SETFD, ...))
2) fcntl(fd, F_GETFL), for a common non-destructive way to
check if descriptor is open
3) "dfd" arguments of ...at(2) syscalls, i.e. the starting
points of pathname resolution
* closing such descriptor does *NOT* affect dnotify or
posix locks.
* permissions are checked as usual along the way to file;
no permission checks are applied to the file itself. Of course,
giving such thing to syscall will result in permission checks (at
the moment it means checking that starting point of ....at() is
a directory and caller has exec permissions on it).
fget() and fget_light() return NULL on such descriptors; use of
fget_raw() and fget_raw_light() is needed to get them. That protects
existing code from dealing with those things.
There are two things still missing (they come in the next commits):
one is handling of symlinks (right now we refuse to open them that
way; see the next commit for semantics related to those) and another
is descriptor passing via SCM_RIGHTS datagrams.
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
2011-03-13 08:51:11 +01:00
|
|
|
op->open_flag = flags;
|
2011-02-23 23:44:09 +01:00
|
|
|
|
|
|
|
|
/* O_TRUNC implies we need access checks for write permissions */
|
|
|
|
|
if (flags & O_TRUNC)
|
|
|
|
|
acc_mode |= MAY_WRITE;
|
|
|
|
|
|
|
|
|
|
/* Allow the LSM permission hook to distinguish append
|
|
|
|
|
access from general write access. */
|
|
|
|
|
if (flags & O_APPEND)
|
|
|
|
|
acc_mode |= MAY_APPEND;
|
|
|
|
|
|
|
|
|
|
op->acc_mode = acc_mode;
|
|
|
|
|
|
New kind of open files - "location only".
New flag for open(2) - O_PATH. Semantics:
* pathname is resolved, but the file itself is _NOT_ opened
as far as filesystem is concerned.
* almost all operations on the resulting descriptors shall
fail with -EBADF. Exceptions are:
1) operations on descriptors themselves (i.e.
close(), dup(), dup2(), dup3(), fcntl(fd, F_DUPFD),
fcntl(fd, F_DUPFD_CLOEXEC, ...), fcntl(fd, F_GETFD),
fcntl(fd, F_SETFD, ...))
2) fcntl(fd, F_GETFL), for a common non-destructive way to
check if descriptor is open
3) "dfd" arguments of ...at(2) syscalls, i.e. the starting
points of pathname resolution
* closing such descriptor does *NOT* affect dnotify or
posix locks.
* permissions are checked as usual along the way to file;
no permission checks are applied to the file itself. Of course,
giving such thing to syscall will result in permission checks (at
the moment it means checking that starting point of ....at() is
a directory and caller has exec permissions on it).
fget() and fget_light() return NULL on such descriptors; use of
fget_raw() and fget_raw_light() is needed to get them. That protects
existing code from dealing with those things.
There are two things still missing (they come in the next commits):
one is handling of symlinks (right now we refuse to open them that
way; see the next commit for semantics related to those) and another
is descriptor passing via SCM_RIGHTS datagrams.
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
2011-03-13 08:51:11 +01:00
|
|
|
op->intent = flags & O_PATH ? 0 : LOOKUP_OPEN;
|
|
|
|
|
|
2011-02-23 23:44:09 +01:00
|
|
|
if (flags & O_CREAT) {
|
|
|
|
|
op->intent |= LOOKUP_CREATE;
|
|
|
|
|
if (flags & O_EXCL)
|
|
|
|
|
op->intent |= LOOKUP_EXCL;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (flags & O_DIRECTORY)
|
|
|
|
|
lookup_flags |= LOOKUP_DIRECTORY;
|
|
|
|
|
if (!(flags & O_NOFOLLOW))
|
|
|
|
|
lookup_flags |= LOOKUP_FOLLOW;
|
|
|
|
|
return lookup_flags;
|
|
|
|
|
}
|
|
|
|
|
|
2012-10-10 22:43:10 +02:00
|
|
|
/**
|
|
|
|
|
* file_open_name - open file and return file pointer
|
|
|
|
|
*
|
|
|
|
|
* @name: struct filename containing path to open
|
|
|
|
|
* @flags: open flags as per the open(2) second argument
|
|
|
|
|
* @mode: mode for the new file if O_CREAT is set, else ignored
|
|
|
|
|
*
|
|
|
|
|
* This is the helper to open a file from kernelspace if you really
|
|
|
|
|
* have to. But in generally you should not do this, so please move
|
|
|
|
|
* along, nothing to see here..
|
|
|
|
|
*/
|
|
|
|
|
struct file *file_open_name(struct filename *name, int flags, umode_t mode)
|
|
|
|
|
{
|
|
|
|
|
struct open_flags op;
|
|
|
|
|
int lookup = build_open_flags(flags, mode, &op);
|
|
|
|
|
return do_filp_open(AT_FDCWD, name, &op, lookup);
|
|
|
|
|
}
|
|
|
|
|
|
2011-02-23 23:44:09 +01:00
|
|
|
/**
|
|
|
|
|
* filp_open - open file and return file pointer
|
|
|
|
|
*
|
|
|
|
|
* @filename: path to open
|
|
|
|
|
* @flags: open flags as per the open(2) second argument
|
|
|
|
|
* @mode: mode for the new file if O_CREAT is set, else ignored
|
|
|
|
|
*
|
|
|
|
|
* This is the helper to open a file from kernelspace if you really
|
|
|
|
|
* have to. But in generally you should not do this, so please move
|
|
|
|
|
* along, nothing to see here..
|
|
|
|
|
*/
|
2011-11-21 20:59:34 +01:00
|
|
|
struct file *filp_open(const char *filename, int flags, umode_t mode)
|
2011-02-23 23:44:09 +01:00
|
|
|
{
|
2012-10-10 22:43:10 +02:00
|
|
|
struct filename name = {.name = filename};
|
|
|
|
|
return file_open_name(&name, flags, mode);
|
2011-02-23 23:44:09 +01:00
|
|
|
}
|
|
|
|
|
EXPORT_SYMBOL(filp_open);
|
|
|
|
|
|
2011-03-11 18:08:24 +01:00
|
|
|
struct file *file_open_root(struct dentry *dentry, struct vfsmount *mnt,
|
|
|
|
|
const char *filename, int flags)
|
|
|
|
|
{
|
|
|
|
|
struct open_flags op;
|
|
|
|
|
int lookup = build_open_flags(flags, 0, &op);
|
|
|
|
|
if (flags & O_CREAT)
|
|
|
|
|
return ERR_PTR(-EINVAL);
|
|
|
|
|
if (!filename && (flags & O_DIRECTORY))
|
|
|
|
|
if (!dentry->d_inode->i_op->lookup)
|
|
|
|
|
return ERR_PTR(-ENOTDIR);
|
|
|
|
|
return do_file_open_root(dentry, mnt, filename, &op, lookup);
|
|
|
|
|
}
|
|
|
|
|
EXPORT_SYMBOL(file_open_root);
|
|
|
|
|
|
2011-11-21 20:59:34 +01:00
|
|
|
long do_sys_open(int dfd, const char __user *filename, int flags, umode_t mode)
|
2005-04-17 00:20:36 +02:00
|
|
|
{
|
2011-02-23 23:44:09 +01:00
|
|
|
struct open_flags op;
|
|
|
|
|
int lookup = build_open_flags(flags, mode, &op);
|
2012-10-10 21:25:28 +02:00
|
|
|
struct filename *tmp = getname(filename);
|
2005-09-07 00:18:25 +02:00
|
|
|
int fd = PTR_ERR(tmp);
|
2005-04-17 00:20:36 +02:00
|
|
|
|
|
|
|
|
if (!IS_ERR(tmp)) {
|
Introduce O_CLOEXEC
The problem is as follows: in multi-threaded code (or more correctly: all
code using clone() with CLONE_FILES) we have a race when exec'ing.
thread #1 thread #2
fd=open()
fork + exec
fcntl(fd,F_SETFD,FD_CLOEXEC)
In some applications this can happen frequently. Take a web browser. One
thread opens a file and another thread starts, say, an external PDF viewer.
The result can even be a security issue if that open file descriptor
refers to a sensitive file and the external program can somehow be tricked
into using that descriptor.
Just adding O_CLOEXEC support to open() doesn't solve the whole set of
problems. There are other ways to create file descriptors (socket,
epoll_create, Unix domain socket transfer, etc). These can and should be
addressed separately though. open() is such an easy case that it makes not
much sense putting the fix off.
The test program:
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <unistd.h>
#ifndef O_CLOEXEC
# define O_CLOEXEC 02000000
#endif
int
main (int argc, char *argv[])
{
int fd;
if (argc > 1)
{
fd = atol (argv[1]);
printf ("child: fd = %d\n", fd);
if (fcntl (fd, F_GETFD) == 0 || errno != EBADF)
{
puts ("file descriptor valid in child");
return 1;
}
return 0;
}
fd = open ("/proc/self/exe", O_RDONLY | O_CLOEXEC);
printf ("in parent: new fd = %d\n", fd);
char buf[20];
snprintf (buf, sizeof (buf), "%d", fd);
execl ("/proc/self/exe", argv[0], buf, NULL);
puts ("execl failed");
return 1;
}
[kyle@parisc-linux.org: parisc fix]
Signed-off-by: Ulrich Drepper <drepper@redhat.com>
Acked-by: Ingo Molnar <mingo@elte.hu>
Cc: Davide Libenzi <davidel@xmailserver.org>
Cc: Michael Kerrisk <mtk-manpages@gmx.net>
Cc: Chris Zankel <chris@zankel.net>
Signed-off-by: Kyle McMartin <kyle@parisc-linux.org>
Acked-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2007-07-16 08:40:32 +02:00
|
|
|
fd = get_unused_fd_flags(flags);
|
2005-04-17 00:20:36 +02:00
|
|
|
if (fd >= 0) {
|
2012-10-10 22:43:10 +02:00
|
|
|
struct file *f = do_filp_open(dfd, tmp, &op, lookup);
|
2005-06-23 09:10:33 +02:00
|
|
|
if (IS_ERR(f)) {
|
|
|
|
|
put_unused_fd(fd);
|
|
|
|
|
fd = PTR_ERR(f);
|
|
|
|
|
} else {
|
2009-12-18 03:24:21 +01:00
|
|
|
fsnotify_open(f);
|
2005-06-23 09:10:33 +02:00
|
|
|
fd_install(fd, f);
|
|
|
|
|
}
|
2005-04-17 00:20:36 +02:00
|
|
|
}
|
|
|
|
|
putname(tmp);
|
|
|
|
|
}
|
|
|
|
|
return fd;
|
|
|
|
|
}
|
2005-09-07 00:18:25 +02:00
|
|
|
|
2011-11-21 20:59:34 +01:00
|
|
|
SYSCALL_DEFINE3(open, const char __user *, filename, int, flags, umode_t, mode)
|
2005-09-07 00:18:25 +02:00
|
|
|
{
|
2006-04-18 22:22:59 +02:00
|
|
|
long ret;
|
|
|
|
|
|
2005-09-07 00:18:25 +02:00
|
|
|
if (force_o_largefile())
|
|
|
|
|
flags |= O_LARGEFILE;
|
|
|
|
|
|
2006-04-18 22:22:59 +02:00
|
|
|
ret = do_sys_open(AT_FDCWD, filename, flags, mode);
|
|
|
|
|
/* avoid REGPARM breakage on x86: */
|
2008-04-11 00:37:38 +02:00
|
|
|
asmlinkage_protect(3, ret, filename, flags, mode);
|
2006-04-18 22:22:59 +02:00
|
|
|
return ret;
|
2005-09-07 00:18:25 +02:00
|
|
|
}
|
2005-04-17 00:20:36 +02:00
|
|
|
|
2009-01-14 14:14:32 +01:00
|
|
|
SYSCALL_DEFINE4(openat, int, dfd, const char __user *, filename, int, flags,
|
2011-11-21 20:59:34 +01:00
|
|
|
umode_t, mode)
|
2006-01-19 02:43:53 +01:00
|
|
|
{
|
2006-04-18 22:22:59 +02:00
|
|
|
long ret;
|
|
|
|
|
|
2006-01-19 02:43:53 +01:00
|
|
|
if (force_o_largefile())
|
|
|
|
|
flags |= O_LARGEFILE;
|
|
|
|
|
|
2006-04-18 22:22:59 +02:00
|
|
|
ret = do_sys_open(dfd, filename, flags, mode);
|
|
|
|
|
/* avoid REGPARM breakage on x86: */
|
2008-04-11 00:37:38 +02:00
|
|
|
asmlinkage_protect(4, ret, dfd, filename, flags, mode);
|
2006-04-18 22:22:59 +02:00
|
|
|
return ret;
|
2006-01-19 02:43:53 +01:00
|
|
|
}
|
|
|
|
|
|
2005-04-17 00:20:36 +02:00
|
|
|
#ifndef __alpha__
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* For backward compatibility? Maybe this should be moved
|
|
|
|
|
* into arch/i386 instead?
|
|
|
|
|
*/
|
2011-11-21 20:59:34 +01:00
|
|
|
SYSCALL_DEFINE2(creat, const char __user *, pathname, umode_t, mode)
|
2005-04-17 00:20:36 +02:00
|
|
|
{
|
|
|
|
|
return sys_open(pathname, O_CREAT | O_WRONLY | O_TRUNC, mode);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
#endif
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* "id" is the POSIX thread ID. We use the
|
|
|
|
|
* files pointer for this..
|
|
|
|
|
*/
|
|
|
|
|
int filp_close(struct file *filp, fl_owner_t id)
|
|
|
|
|
{
|
2005-06-23 09:10:17 +02:00
|
|
|
int retval = 0;
|
2005-04-17 00:20:36 +02:00
|
|
|
|
|
|
|
|
if (!file_count(filp)) {
|
|
|
|
|
printk(KERN_ERR "VFS: Close: file count is 0\n");
|
2005-06-23 09:10:17 +02:00
|
|
|
return 0;
|
2005-04-17 00:20:36 +02:00
|
|
|
}
|
|
|
|
|
|
2005-06-23 09:10:17 +02:00
|
|
|
if (filp->f_op && filp->f_op->flush)
|
2006-06-23 11:05:12 +02:00
|
|
|
retval = filp->f_op->flush(filp, id);
|
2005-04-17 00:20:36 +02:00
|
|
|
|
New kind of open files - "location only".
New flag for open(2) - O_PATH. Semantics:
* pathname is resolved, but the file itself is _NOT_ opened
as far as filesystem is concerned.
* almost all operations on the resulting descriptors shall
fail with -EBADF. Exceptions are:
1) operations on descriptors themselves (i.e.
close(), dup(), dup2(), dup3(), fcntl(fd, F_DUPFD),
fcntl(fd, F_DUPFD_CLOEXEC, ...), fcntl(fd, F_GETFD),
fcntl(fd, F_SETFD, ...))
2) fcntl(fd, F_GETFL), for a common non-destructive way to
check if descriptor is open
3) "dfd" arguments of ...at(2) syscalls, i.e. the starting
points of pathname resolution
* closing such descriptor does *NOT* affect dnotify or
posix locks.
* permissions are checked as usual along the way to file;
no permission checks are applied to the file itself. Of course,
giving such thing to syscall will result in permission checks (at
the moment it means checking that starting point of ....at() is
a directory and caller has exec permissions on it).
fget() and fget_light() return NULL on such descriptors; use of
fget_raw() and fget_raw_light() is needed to get them. That protects
existing code from dealing with those things.
There are two things still missing (they come in the next commits):
one is handling of symlinks (right now we refuse to open them that
way; see the next commit for semantics related to those) and another
is descriptor passing via SCM_RIGHTS datagrams.
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
2011-03-13 08:51:11 +01:00
|
|
|
if (likely(!(filp->f_mode & FMODE_PATH))) {
|
|
|
|
|
dnotify_flush(filp, id);
|
|
|
|
|
locks_remove_posix(filp, id);
|
|
|
|
|
}
|
2005-04-17 00:20:36 +02:00
|
|
|
fput(filp);
|
|
|
|
|
return retval;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
EXPORT_SYMBOL(filp_close);
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Careful here! We test whether the file pointer is NULL before
|
|
|
|
|
* releasing the fd. This ensures that one clone task can't release
|
|
|
|
|
* an fd while another clone is opening it.
|
|
|
|
|
*/
|
2009-01-14 14:14:19 +01:00
|
|
|
SYSCALL_DEFINE1(close, unsigned int, fd)
|
2005-04-17 00:20:36 +02:00
|
|
|
{
|
2012-08-19 18:04:24 +02:00
|
|
|
int retval = __close_fd(current->files, fd);
|
2006-09-29 11:00:13 +02:00
|
|
|
|
|
|
|
|
/* can't restart close syscall because file table entry was cleared */
|
|
|
|
|
if (unlikely(retval == -ERESTARTSYS ||
|
|
|
|
|
retval == -ERESTARTNOINTR ||
|
|
|
|
|
retval == -ERESTARTNOHAND ||
|
|
|
|
|
retval == -ERESTART_RESTARTBLOCK))
|
|
|
|
|
retval = -EINTR;
|
|
|
|
|
|
|
|
|
|
return retval;
|
2005-04-17 00:20:36 +02:00
|
|
|
}
|
|
|
|
|
EXPORT_SYMBOL(sys_close);
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* This routine simulates a hangup on the tty, to arrange that users
|
|
|
|
|
* are given clean terminals at login time.
|
|
|
|
|
*/
|
2009-01-14 14:14:19 +01:00
|
|
|
SYSCALL_DEFINE0(vhangup)
|
2005-04-17 00:20:36 +02:00
|
|
|
{
|
|
|
|
|
if (capable(CAP_SYS_TTY_CONFIG)) {
|
2008-10-13 11:40:30 +02:00
|
|
|
tty_vhangup_self();
|
2005-04-17 00:20:36 +02:00
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
return -EPERM;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Called when an inode is about to be open.
|
|
|
|
|
* We use this to disallow opening large files on 32bit systems if
|
|
|
|
|
* the caller didn't specify O_LARGEFILE. On 64bit systems we force
|
|
|
|
|
* on this flag in sys_open.
|
|
|
|
|
*/
|
|
|
|
|
int generic_file_open(struct inode * inode, struct file * filp)
|
|
|
|
|
{
|
|
|
|
|
if (!(filp->f_flags & O_LARGEFILE) && i_size_read(inode) > MAX_NON_LFS)
|
2007-10-17 08:30:22 +02:00
|
|
|
return -EOVERFLOW;
|
2005-04-17 00:20:36 +02:00
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
EXPORT_SYMBOL(generic_file_open);
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* This is used by subsystems that don't want seekable
|
2010-08-11 03:01:33 +02:00
|
|
|
* file descriptors. The function is not supposed to ever fail, the only
|
|
|
|
|
* reason it returns an 'int' and not 'void' is so that it can be plugged
|
|
|
|
|
* directly into file_operations structure.
|
2005-04-17 00:20:36 +02:00
|
|
|
*/
|
|
|
|
|
int nonseekable_open(struct inode *inode, struct file *filp)
|
|
|
|
|
{
|
|
|
|
|
filp->f_mode &= ~(FMODE_LSEEK | FMODE_PREAD | FMODE_PWRITE);
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
EXPORT_SYMBOL(nonseekable_open);
|