Line data Source code
1 : // SPDX-License-Identifier: GPL-2.0-only
2 : /*
3 : * linux/fs/open.c
4 : *
5 : * Copyright (C) 1991, 1992 Linus Torvalds
6 : */
7 :
8 : #include <linux/string.h>
9 : #include <linux/mm.h>
10 : #include <linux/file.h>
11 : #include <linux/fdtable.h>
12 : #include <linux/fsnotify.h>
13 : #include <linux/module.h>
14 : #include <linux/tty.h>
15 : #include <linux/namei.h>
16 : #include <linux/backing-dev.h>
17 : #include <linux/capability.h>
18 : #include <linux/securebits.h>
19 : #include <linux/security.h>
20 : #include <linux/mount.h>
21 : #include <linux/fcntl.h>
22 : #include <linux/slab.h>
23 : #include <linux/uaccess.h>
24 : #include <linux/fs.h>
25 : #include <linux/personality.h>
26 : #include <linux/pagemap.h>
27 : #include <linux/syscalls.h>
28 : #include <linux/rcupdate.h>
29 : #include <linux/audit.h>
30 : #include <linux/falloc.h>
31 : #include <linux/fs_struct.h>
32 : #include <linux/ima.h>
33 : #include <linux/dnotify.h>
34 : #include <linux/compat.h>
35 : #include <linux/mnt_idmapping.h>
36 : #include <linux/filelock.h>
37 :
38 : #include "internal.h"
39 :
40 9889543 : int do_truncate(struct mnt_idmap *idmap, struct dentry *dentry,
41 : loff_t length, unsigned int time_attrs, struct file *filp)
42 : {
43 9889543 : int ret;
44 9889543 : struct iattr newattrs;
45 :
46 : /* Not pretty: "inode->i_size" shouldn't really be signed. But it is. */
47 9889543 : if (length < 0)
48 : return -EINVAL;
49 :
50 9889543 : newattrs.ia_size = length;
51 9889543 : newattrs.ia_valid = ATTR_SIZE | time_attrs;
52 9889543 : if (filp) {
53 6549199 : newattrs.ia_file = filp;
54 6549199 : newattrs.ia_valid |= ATTR_FILE;
55 : }
56 :
57 : /* Remove suid, sgid, and file capabilities on truncate too */
58 9889543 : ret = dentry_needs_remove_privs(idmap, dentry);
59 9889358 : if (ret < 0)
60 : return ret;
61 9889358 : if (ret)
62 104 : newattrs.ia_valid |= ret | ATTR_FORCE;
63 :
64 9889358 : inode_lock(dentry->d_inode);
65 : /* Note any delegations or leases have already been broken: */
66 9889824 : ret = notify_change(idmap, dentry, &newattrs, NULL);
67 9889493 : inode_unlock(dentry->d_inode);
68 9889493 : return ret;
69 : }
70 :
71 3340423 : long vfs_truncate(const struct path *path, loff_t length)
72 : {
73 3340423 : struct mnt_idmap *idmap;
74 3340423 : struct inode *inode;
75 3340423 : long error;
76 :
77 3340423 : inode = path->dentry->d_inode;
78 :
79 : /* For directories it's -EISDIR, for other non-regulars - -EINVAL */
80 3340423 : if (S_ISDIR(inode->i_mode))
81 : return -EISDIR;
82 3340423 : if (!S_ISREG(inode->i_mode))
83 : return -EINVAL;
84 :
85 3340423 : error = mnt_want_write(path->mnt);
86 3340476 : if (error)
87 0 : goto out;
88 :
89 3340476 : idmap = mnt_idmap(path->mnt);
90 3340445 : error = inode_permission(idmap, inode, MAY_WRITE);
91 3340443 : if (error)
92 27 : goto mnt_drop_write_and_out;
93 :
94 3340416 : error = -EPERM;
95 3340416 : if (IS_APPEND(inode))
96 26 : goto mnt_drop_write_and_out;
97 :
98 3340390 : error = get_write_access(inode);
99 3340431 : if (error)
100 0 : goto mnt_drop_write_and_out;
101 :
102 : /*
103 : * Make sure that there are no leases. get_write_access() protects
104 : * against the truncate racing with a lease-granting setlease().
105 : */
106 3340431 : error = break_lease(inode, O_WRONLY);
107 3340437 : if (error)
108 13 : goto put_write_and_out;
109 :
110 3340424 : error = security_path_truncate(path);
111 3340424 : if (!error)
112 3340424 : error = do_truncate(idmap, path->dentry, length, 0, NULL);
113 :
114 3340256 : put_write_and_out:
115 3340256 : put_write_access(inode);
116 3340414 : mnt_drop_write_and_out:
117 3340414 : mnt_drop_write(path->mnt);
118 : out:
119 : return error;
120 : }
121 : EXPORT_SYMBOL_GPL(vfs_truncate);
122 :
123 3340396 : long do_sys_truncate(const char __user *pathname, loff_t length)
124 : {
125 3340396 : unsigned int lookup_flags = LOOKUP_FOLLOW;
126 3340396 : struct path path;
127 3340396 : int error;
128 :
129 3340396 : if (length < 0) /* sorry, but loff_t says... */
130 : return -EINVAL;
131 :
132 3340396 : retry:
133 3340398 : error = user_path_at(AT_FDCWD, pathname, lookup_flags, &path);
134 3340491 : if (!error) {
135 3340479 : error = vfs_truncate(&path, length);
136 3340299 : path_put(&path);
137 : }
138 6680498 : if (retry_estale(error, lookup_flags)) {
139 4 : lookup_flags |= LOOKUP_REVAL;
140 4 : goto retry;
141 : }
142 : return error;
143 : }
144 :
145 6680697 : SYSCALL_DEFINE2(truncate, const char __user *, path, long, length)
146 : {
147 3340416 : return do_sys_truncate(path, length);
148 : }
149 :
150 : #ifdef CONFIG_COMPAT
151 0 : COMPAT_SYSCALL_DEFINE2(truncate, const char __user *, path, compat_off_t, length)
152 : {
153 0 : return do_sys_truncate(path, length);
154 : }
155 : #endif
156 :
157 5230892 : long do_sys_ftruncate(unsigned int fd, loff_t length, int small)
158 : {
159 5230892 : struct inode *inode;
160 5230892 : struct dentry *dentry;
161 5230892 : struct fd f;
162 5230892 : int error;
163 :
164 5230892 : error = -EINVAL;
165 5230892 : if (length < 0)
166 0 : goto out;
167 5230892 : error = -EBADF;
168 5230892 : f = fdget(fd);
169 5230892 : if (!f.file)
170 0 : goto out;
171 :
172 : /* explicitly opened as large or we are on 64-bit box */
173 5230892 : if (f.file->f_flags & O_LARGEFILE)
174 5230941 : small = 0;
175 :
176 5230892 : dentry = f.file->f_path.dentry;
177 5230892 : inode = dentry->d_inode;
178 5230892 : error = -EINVAL;
179 5230892 : if (!S_ISREG(inode->i_mode) || !(f.file->f_mode & FMODE_WRITE))
180 0 : goto out_putf;
181 :
182 5230892 : error = -EINVAL;
183 : /* Cannot ftruncate over 2^31 bytes without large file support */
184 5230892 : if (small && length > MAX_NON_LFS)
185 0 : goto out_putf;
186 :
187 5230892 : error = -EPERM;
188 : /* Check IS_APPEND on real upper inode */
189 5230892 : if (IS_APPEND(file_inode(f.file)))
190 26 : goto out_putf;
191 5230866 : sb_start_write(inode->i_sb);
192 5230864 : error = security_file_truncate(f.file);
193 5230864 : if (!error)
194 5230864 : error = do_truncate(file_mnt_idmap(f.file), dentry, length,
195 : ATTR_MTIME | ATTR_CTIME, f.file);
196 5231004 : sb_end_write(inode->i_sb);
197 5231032 : out_putf:
198 5231032 : fdput(f);
199 5231039 : out:
200 5231039 : return error;
201 : }
202 :
203 10461986 : SYSCALL_DEFINE2(ftruncate, unsigned int, fd, unsigned long, length)
204 : {
205 5230953 : return do_sys_ftruncate(fd, length, 1);
206 : }
207 :
208 : #ifdef CONFIG_COMPAT
209 0 : COMPAT_SYSCALL_DEFINE2(ftruncate, unsigned int, fd, compat_ulong_t, length)
210 : {
211 0 : return do_sys_ftruncate(fd, length, 1);
212 : }
213 : #endif
214 :
215 : /* LFS versions of truncate are only needed on 32 bit machines */
216 : #if BITS_PER_LONG == 32
217 : SYSCALL_DEFINE2(truncate64, const char __user *, path, loff_t, length)
218 : {
219 : return do_sys_truncate(path, length);
220 : }
221 :
222 : SYSCALL_DEFINE2(ftruncate64, unsigned int, fd, loff_t, length)
223 : {
224 : return do_sys_ftruncate(fd, length, 0);
225 : }
226 : #endif /* BITS_PER_LONG == 32 */
227 :
228 : #if defined(CONFIG_COMPAT) && defined(__ARCH_WANT_COMPAT_TRUNCATE64)
229 : COMPAT_SYSCALL_DEFINE3(truncate64, const char __user *, pathname,
230 : compat_arg_u64_dual(length))
231 : {
232 : return ksys_truncate(pathname, compat_arg_u64_glue(length));
233 : }
234 : #endif
235 :
236 : #if defined(CONFIG_COMPAT) && defined(__ARCH_WANT_COMPAT_FTRUNCATE64)
237 : COMPAT_SYSCALL_DEFINE3(ftruncate64, unsigned int, fd,
238 : compat_arg_u64_dual(length))
239 : {
240 : return ksys_ftruncate(fd, compat_arg_u64_glue(length));
241 : }
242 : #endif
243 :
244 215099588 : int vfs_fallocate(struct file *file, int mode, loff_t offset, loff_t len)
245 : {
246 215099588 : struct inode *inode = file_inode(file);
247 215099588 : long ret;
248 :
249 215099588 : if (offset < 0 || len <= 0)
250 : return -EINVAL;
251 :
252 : /* Return error if mode is not supported */
253 65409043 : if (mode & ~FALLOC_FL_SUPPORTED_MASK)
254 : return -EOPNOTSUPP;
255 :
256 : /* Punch hole and zero range are mutually exclusive */
257 65409043 : if ((mode & (FALLOC_FL_PUNCH_HOLE | FALLOC_FL_ZERO_RANGE)) ==
258 : (FALLOC_FL_PUNCH_HOLE | FALLOC_FL_ZERO_RANGE))
259 : return -EOPNOTSUPP;
260 :
261 : /* Punch hole must have keep size set */
262 65409043 : if ((mode & FALLOC_FL_PUNCH_HOLE) &&
263 : !(mode & FALLOC_FL_KEEP_SIZE))
264 : return -EOPNOTSUPP;
265 :
266 : /* Collapse range should only be used exclusively. */
267 64607043 : if ((mode & FALLOC_FL_COLLAPSE_RANGE) &&
268 4004306 : (mode & ~FALLOC_FL_COLLAPSE_RANGE))
269 : return -EINVAL;
270 :
271 : /* Insert range should only be used exclusively. */
272 63832936 : if ((mode & FALLOC_FL_INSERT_RANGE) &&
273 3274356 : (mode & ~FALLOC_FL_INSERT_RANGE))
274 : return -EINVAL;
275 :
276 : /* Unshare range should only be used with allocate mode. */
277 63059429 : if ((mode & FALLOC_FL_UNSHARE_RANGE) &&
278 208 : (mode & ~(FALLOC_FL_UNSHARE_RANGE | FALLOC_FL_KEEP_SIZE)))
279 : return -EINVAL;
280 :
281 63059429 : if (!(file->f_mode & FMODE_WRITE))
282 : return -EBADF;
283 :
284 : /*
285 : * We can only allow pure fallocate on append only files
286 : */
287 63059429 : if ((mode & ~FALLOC_FL_KEEP_SIZE) && IS_APPEND(inode))
288 : return -EPERM;
289 :
290 63059429 : if (IS_IMMUTABLE(inode))
291 : return -EPERM;
292 :
293 : /*
294 : * We cannot allow any fallocate operation on an active swapfile
295 : */
296 63059429 : if (IS_SWAPFILE(inode))
297 : return -ETXTBSY;
298 :
299 : /*
300 : * Revalidate the write permissions, in case security policy has
301 : * changed since the files were opened.
302 : */
303 63059404 : ret = security_file_permission(file, MAY_WRITE);
304 63059404 : if (ret)
305 : return ret;
306 :
307 63059404 : if (S_ISFIFO(inode->i_mode))
308 : return -ESPIPE;
309 :
310 63059404 : if (S_ISDIR(inode->i_mode))
311 : return -EISDIR;
312 :
313 63059404 : if (!S_ISREG(inode->i_mode) && !S_ISBLK(inode->i_mode))
314 : return -ENODEV;
315 :
316 : /* Check for wrap through zero too */
317 63059404 : if (((offset + len) > inode->i_sb->s_maxbytes) || ((offset + len) < 0))
318 : return -EFBIG;
319 :
320 63059382 : if (!file->f_op->fallocate)
321 : return -EOPNOTSUPP;
322 :
323 63059080 : file_start_write(file);
324 63059399 : ret = file->f_op->fallocate(file, mode, offset, len);
325 :
326 : /*
327 : * Create inotify and fanotify events.
328 : *
329 : * To keep the logic simple always create events if fallocate succeeds.
330 : * This implies that events are even created if the file size remains
331 : * unchanged, e.g. when using flag FALLOC_FL_KEEP_SIZE.
332 : */
333 63059781 : if (ret == 0)
334 61093793 : fsnotify_modify(file);
335 :
336 63059717 : file_end_write(file);
337 63059727 : return ret;
338 : }
339 : EXPORT_SYMBOL_GPL(vfs_fallocate);
340 :
341 210881835 : int ksys_fallocate(int fd, int mode, loff_t offset, loff_t len)
342 : {
343 210881835 : struct fd f = fdget(fd);
344 211145679 : int error = -EBADF;
345 :
346 211145679 : if (f.file) {
347 211145679 : error = vfs_fallocate(f.file, mode, offset, len);
348 211165351 : fdput(f);
349 : }
350 211299929 : return error;
351 : }
352 :
353 422406195 : SYSCALL_DEFINE4(fallocate, int, fd, int, mode, loff_t, offset, loff_t, len)
354 : {
355 211093689 : return ksys_fallocate(fd, mode, offset, len);
356 : }
357 :
358 : #if defined(CONFIG_COMPAT) && defined(__ARCH_WANT_COMPAT_FALLOCATE)
359 : COMPAT_SYSCALL_DEFINE6(fallocate, int, fd, int, mode, compat_arg_u64_dual(offset),
360 : compat_arg_u64_dual(len))
361 : {
362 : return ksys_fallocate(fd, mode, compat_arg_u64_glue(offset),
363 : compat_arg_u64_glue(len));
364 : }
365 : #endif
366 :
367 : /*
368 : * access() needs to use the real uid/gid, not the effective uid/gid.
369 : * We do this by temporarily clearing all FS-related capabilities and
370 : * switching the fsuid/fsgid around to the real ones.
371 : *
372 : * Creating new credentials is expensive, so we try to skip doing it,
373 : * which we can if the result would match what we already got.
374 : */
375 118658322 : static bool access_need_override_creds(int flags)
376 : {
377 118658322 : const struct cred *cred;
378 :
379 118658322 : if (flags & AT_EACCESS)
380 : return false;
381 :
382 118520603 : cred = current_cred();
383 118520603 : if (!uid_eq(cred->fsuid, cred->uid) ||
384 : !gid_eq(cred->fsgid, cred->gid))
385 : return true;
386 :
387 118513902 : if (!issecure(SECURE_NO_SETUID_FIXUP)) {
388 118515804 : kuid_t root_uid = make_kuid(cred->user_ns, 0);
389 118463282 : if (!uid_eq(cred->uid, root_uid)) {
390 421083 : if (!cap_isclear(cred->cap_effective))
391 68874 : return true;
392 : } else {
393 118042199 : if (!cap_isidentical(cred->cap_effective,
394 : cred->cap_permitted))
395 : return true;
396 : }
397 : }
398 :
399 : return false;
400 : }
401 :
402 75341 : static const struct cred *access_override_creds(void)
403 : {
404 75341 : const struct cred *old_cred;
405 75341 : struct cred *override_cred;
406 :
407 75341 : override_cred = prepare_creds();
408 75341 : if (!override_cred)
409 : return NULL;
410 :
411 : /*
412 : * XXX access_need_override_creds performs checks in hopes of skipping
413 : * this work. Make sure it stays in sync if making any changes in this
414 : * routine.
415 : */
416 :
417 75341 : override_cred->fsuid = override_cred->uid;
418 75341 : override_cred->fsgid = override_cred->gid;
419 :
420 75341 : if (!issecure(SECURE_NO_SETUID_FIXUP)) {
421 : /* Clear the capabilities if we switch to a non-root user */
422 75341 : kuid_t root_uid = make_kuid(override_cred->user_ns, 0);
423 75341 : if (!uid_eq(override_cred->uid, root_uid))
424 68952 : cap_clear(override_cred->cap_effective);
425 : else
426 6389 : override_cred->cap_effective =
427 : override_cred->cap_permitted;
428 : }
429 :
430 : /*
431 : * The new set of credentials can *only* be used in
432 : * task-synchronous circumstances, and does not need
433 : * RCU freeing, unless somebody then takes a separate
434 : * reference to it.
435 : *
436 : * NOTE! This is _only_ true because this credential
437 : * is used purely for override_creds() that installs
438 : * it as the subjective cred. Other threads will be
439 : * accessing ->real_cred, not the subjective cred.
440 : *
441 : * If somebody _does_ make a copy of this (using the
442 : * 'get_current_cred()' function), that will clear the
443 : * non_rcu field, because now that other user may be
444 : * expecting RCU freeing. But normal thread-synchronous
445 : * cred accesses will keep things non-RCY.
446 : */
447 75341 : override_cred->non_rcu = 1;
448 :
449 75341 : old_cred = override_creds(override_cred);
450 :
451 : /* override_cred() gets its own ref */
452 75341 : put_cred(override_cred);
453 :
454 75341 : return old_cred;
455 : }
456 :
457 118674864 : static long do_faccessat(int dfd, const char __user *filename, int mode, int flags)
458 : {
459 118674864 : struct path path;
460 118674864 : struct inode *inode;
461 118674864 : int res;
462 118674864 : unsigned int lookup_flags = LOOKUP_FOLLOW;
463 118674864 : const struct cred *old_cred = NULL;
464 :
465 118674864 : if (mode & ~S_IRWXO) /* where's F_OK, X_OK, W_OK, R_OK? */
466 : return -EINVAL;
467 :
468 118674864 : if (flags & ~(AT_EACCESS | AT_SYMLINK_NOFOLLOW | AT_EMPTY_PATH))
469 : return -EINVAL;
470 :
471 118674864 : if (flags & AT_SYMLINK_NOFOLLOW)
472 97521 : lookup_flags &= ~LOOKUP_FOLLOW;
473 118674864 : if (flags & AT_EMPTY_PATH)
474 0 : lookup_flags |= LOOKUP_EMPTY;
475 :
476 118674864 : if (access_need_override_creds(flags)) {
477 75341 : old_cred = access_override_creds();
478 75341 : if (!old_cred)
479 : return -ENOMEM;
480 : }
481 :
482 118605824 : retry:
483 118606037 : res = user_path_at(dfd, filename, lookup_flags, &path);
484 118688262 : if (res)
485 58440624 : goto out;
486 :
487 60247638 : inode = d_backing_inode(path.dentry);
488 :
489 60247638 : if ((mode & MAY_EXEC) && S_ISREG(inode->i_mode)) {
490 : /*
491 : * MAY_EXEC on regular files is denied if the fs is mounted
492 : * with the "noexec" flag.
493 : */
494 21755228 : res = -EACCES;
495 21755228 : if (path_noexec(&path))
496 0 : goto out_path_release;
497 : }
498 :
499 60239202 : res = inode_permission(mnt_idmap(path.mnt), inode, mode | MAY_ACCESS);
500 : /* SuS v2 requires we report a read only fs too */
501 60236384 : if (res || !(mode & S_IWOTH) || special_file(inode->i_mode))
502 59931790 : goto out_path_release;
503 : /*
504 : * This is a rare case where using __mnt_is_readonly()
505 : * is OK without a mnt_want/drop_write() pair. Since
506 : * no actual write to the fs is performed here, we do
507 : * not need to telegraph to that to anyone.
508 : *
509 : * By doing this, we accept that this access is
510 : * inherently racy and know that the fs may change
511 : * state before we even see this result.
512 : */
513 304594 : if (__mnt_is_readonly(path.mnt))
514 180 : res = -EROFS;
515 :
516 304404 : out_path_release:
517 60236374 : path_put(&path);
518 120562432 : if (retry_estale(res, lookup_flags)) {
519 216 : lookup_flags |= LOOKUP_REVAL;
520 216 : goto retry;
521 : }
522 60281003 : out:
523 118721627 : if (old_cred)
524 75341 : revert_creds(old_cred);
525 :
526 118714413 : return res;
527 : }
528 :
529 0 : SYSCALL_DEFINE3(faccessat, int, dfd, const char __user *, filename, int, mode)
530 : {
531 0 : return do_faccessat(dfd, filename, mode, 0);
532 : }
533 :
534 2510351 : SYSCALL_DEFINE4(faccessat2, int, dfd, const char __user *, filename, int, mode,
535 : int, flags)
536 : {
537 1255008 : return do_faccessat(dfd, filename, mode, flags);
538 : }
539 :
540 234896544 : SYSCALL_DEFINE2(access, const char __user *, filename, int, mode)
541 : {
542 117464586 : return do_faccessat(AT_FDCWD, filename, mode, 0);
543 : }
544 :
545 2086689077 : SYSCALL_DEFINE1(chdir, const char __user *, filename)
546 : {
547 1043303710 : struct path path;
548 1043303710 : int error;
549 1043303710 : unsigned int lookup_flags = LOOKUP_FOLLOW | LOOKUP_DIRECTORY;
550 1043325751 : retry:
551 1043325751 : error = user_path_at(AT_FDCWD, filename, lookup_flags, &path);
552 1042712849 : if (error)
553 91380529 : goto out;
554 :
555 951332320 : error = path_permission(&path, MAY_EXEC | MAY_CHDIR);
556 951147716 : if (error)
557 0 : goto dput_and_out;
558 :
559 951147716 : set_fs_pwd(current->fs, &path);
560 :
561 951401370 : dput_and_out:
562 951401370 : path_put(&path);
563 1902882552 : if (retry_estale(error, lookup_flags)) {
564 22041 : lookup_flags |= LOOKUP_REVAL;
565 22041 : goto retry;
566 : }
567 951419235 : out:
568 1042799764 : return error;
569 : }
570 :
571 10223424 : SYSCALL_DEFINE1(fchdir, unsigned int, fd)
572 : {
573 5111712 : struct fd f = fdget_raw(fd);
574 5111713 : int error;
575 :
576 5111713 : error = -EBADF;
577 5111713 : if (!f.file)
578 0 : goto out;
579 :
580 5111713 : error = -ENOTDIR;
581 5111713 : if (!d_can_lookup(f.file->f_path.dentry))
582 0 : goto out_putf;
583 :
584 5111713 : error = file_permission(f.file, MAY_EXEC | MAY_CHDIR);
585 5111711 : if (!error)
586 5111711 : set_fs_pwd(current->fs, &f.file->f_path);
587 0 : out_putf:
588 5111713 : fdput(f);
589 5111713 : out:
590 5111713 : return error;
591 : }
592 :
593 128 : SYSCALL_DEFINE1(chroot, const char __user *, filename)
594 : {
595 64 : struct path path;
596 64 : int error;
597 64 : unsigned int lookup_flags = LOOKUP_FOLLOW | LOOKUP_DIRECTORY;
598 64 : retry:
599 64 : error = user_path_at(AT_FDCWD, filename, lookup_flags, &path);
600 64 : if (error)
601 0 : goto out;
602 :
603 64 : error = path_permission(&path, MAY_EXEC | MAY_CHDIR);
604 64 : if (error)
605 0 : goto dput_and_out;
606 :
607 64 : error = -EPERM;
608 64 : if (!ns_capable(current_user_ns(), CAP_SYS_CHROOT))
609 0 : goto dput_and_out;
610 64 : error = security_path_chroot(&path);
611 64 : if (error)
612 : goto dput_and_out;
613 :
614 64 : set_fs_root(current->fs, &path);
615 64 : error = 0;
616 64 : dput_and_out:
617 64 : path_put(&path);
618 128 : if (retry_estale(error, lookup_flags)) {
619 0 : lookup_flags |= LOOKUP_REVAL;
620 0 : goto retry;
621 : }
622 64 : out:
623 64 : return error;
624 : }
625 :
626 1458757 : int chmod_common(const struct path *path, umode_t mode)
627 : {
628 1458757 : struct inode *inode = path->dentry->d_inode;
629 1458757 : struct inode *delegated_inode = NULL;
630 1458757 : struct iattr newattrs;
631 1458757 : int error;
632 :
633 1458757 : error = mnt_want_write(path->mnt);
634 1460171 : if (error)
635 : return error;
636 1460142 : retry_deleg:
637 1460142 : inode_lock(inode);
638 1460259 : error = security_path_chmod(path, mode);
639 1460259 : if (error)
640 : goto out_unlock;
641 1460259 : newattrs.ia_mode = (mode & S_IALLUGO) | (inode->i_mode & ~S_IALLUGO);
642 1460259 : newattrs.ia_valid = ATTR_MODE | ATTR_CTIME;
643 1460259 : error = notify_change(mnt_idmap(path->mnt), path->dentry,
644 : &newattrs, &delegated_inode);
645 : out_unlock:
646 1461160 : inode_unlock(inode);
647 1461788 : if (delegated_inode) {
648 0 : error = break_deleg_wait(&delegated_inode);
649 0 : if (!error)
650 0 : goto retry_deleg;
651 : }
652 1461788 : mnt_drop_write(path->mnt);
653 1461788 : return error;
654 : }
655 :
656 0 : int vfs_fchmod(struct file *file, umode_t mode)
657 : {
658 1421711 : audit_file(file);
659 0 : return chmod_common(&file->f_path, mode);
660 : }
661 :
662 2845121 : SYSCALL_DEFINE2(fchmod, unsigned int, fd, umode_t, mode)
663 : {
664 1422116 : struct fd f = fdget(fd);
665 1421711 : int err = -EBADF;
666 :
667 1421711 : if (f.file) {
668 1421711 : err = vfs_fchmod(f.file, mode);
669 1423921 : fdput(f);
670 : }
671 1425619 : return err;
672 : }
673 :
674 35336 : static int do_fchmodat(int dfd, const char __user *filename, umode_t mode)
675 : {
676 35336 : struct path path;
677 35336 : int error;
678 35336 : unsigned int lookup_flags = LOOKUP_FOLLOW;
679 35336 : retry:
680 35336 : error = user_path_at(dfd, filename, lookup_flags, &path);
681 35336 : if (!error) {
682 35336 : error = chmod_common(&path, mode);
683 35336 : path_put(&path);
684 70672 : if (retry_estale(error, lookup_flags)) {
685 0 : lookup_flags |= LOOKUP_REVAL;
686 0 : goto retry;
687 : }
688 : }
689 35336 : return error;
690 : }
691 :
692 9654 : SYSCALL_DEFINE3(fchmodat, int, dfd, const char __user *, filename,
693 : umode_t, mode)
694 : {
695 4827 : return do_fchmodat(dfd, filename, mode);
696 : }
697 :
698 61018 : SYSCALL_DEFINE2(chmod, const char __user *, filename, umode_t, mode)
699 : {
700 30509 : return do_fchmodat(AT_FDCWD, filename, mode);
701 : }
702 :
703 : /*
704 : * Check whether @kuid is valid and if so generate and set vfsuid_t in
705 : * ia_vfsuid.
706 : *
707 : * Return: true if @kuid is valid, false if not.
708 : */
709 : static inline bool setattr_vfsuid(struct iattr *attr, kuid_t kuid)
710 : {
711 18286818 : if (!uid_valid(kuid))
712 : return false;
713 18156753 : attr->ia_valid |= ATTR_UID;
714 18156753 : attr->ia_vfsuid = VFSUIDT_INIT(kuid);
715 18156753 : return true;
716 : }
717 :
718 : /*
719 : * Check whether @kgid is valid and if so generate and set vfsgid_t in
720 : * ia_vfsgid.
721 : *
722 : * Return: true if @kgid is valid, false if not.
723 : */
724 : static inline bool setattr_vfsgid(struct iattr *attr, kgid_t kgid)
725 : {
726 18130105 : if (!gid_valid(kgid))
727 : return false;
728 18130105 : attr->ia_valid |= ATTR_GID;
729 18130105 : attr->ia_vfsgid = VFSGIDT_INIT(kgid);
730 18130105 : return true;
731 : }
732 :
733 18305973 : int chown_common(const struct path *path, uid_t user, gid_t group)
734 : {
735 18305973 : struct mnt_idmap *idmap;
736 18305973 : struct user_namespace *fs_userns;
737 18305973 : struct inode *inode = path->dentry->d_inode;
738 18305973 : struct inode *delegated_inode = NULL;
739 18305973 : int error;
740 18305973 : struct iattr newattrs;
741 18305973 : kuid_t uid;
742 18305973 : kgid_t gid;
743 :
744 18305973 : uid = make_kuid(current_user_ns(), user);
745 18245041 : gid = make_kgid(current_user_ns(), group);
746 :
747 18290991 : idmap = mnt_idmap(path->mnt);
748 18290044 : fs_userns = i_user_ns(inode);
749 :
750 18262912 : retry_deleg:
751 18262912 : newattrs.ia_vfsuid = INVALID_VFSUID;
752 18262912 : newattrs.ia_vfsgid = INVALID_VFSGID;
753 18262912 : newattrs.ia_valid = ATTR_CTIME;
754 18262912 : if ((user != (uid_t)-1) && !setattr_vfsuid(&newattrs, uid))
755 : return -EINVAL;
756 18132847 : if ((group != (gid_t)-1) && !setattr_vfsgid(&newattrs, gid))
757 : return -EINVAL;
758 18132847 : inode_lock(inode);
759 18140055 : if (!S_ISDIR(inode->i_mode))
760 17125862 : newattrs.ia_valid |= ATTR_KILL_SUID | ATTR_KILL_PRIV |
761 17108549 : setattr_should_drop_sgid(idmap, inode);
762 : /* Continue to send actual fs values, not the mount values. */
763 18157368 : error = security_path_chown(
764 : path,
765 : from_vfsuid(idmap, fs_userns, newattrs.ia_vfsuid),
766 : from_vfsgid(idmap, fs_userns, newattrs.ia_vfsgid));
767 18120876 : if (!error)
768 18120876 : error = notify_change(idmap, path->dentry, &newattrs,
769 : &delegated_inode);
770 18280932 : inode_unlock(inode);
771 18276729 : if (delegated_inode) {
772 0 : error = break_deleg_wait(&delegated_inode);
773 7726 : if (!error)
774 7726 : goto retry_deleg;
775 : }
776 : return error;
777 : }
778 :
779 6606366 : int do_fchownat(int dfd, const char __user *filename, uid_t user, gid_t group,
780 : int flag)
781 : {
782 6606366 : struct path path;
783 6606366 : int error = -EINVAL;
784 6606366 : int lookup_flags;
785 :
786 6606366 : if ((flag & ~(AT_SYMLINK_NOFOLLOW | AT_EMPTY_PATH)) != 0)
787 0 : goto out;
788 :
789 6606366 : lookup_flags = (flag & AT_SYMLINK_NOFOLLOW) ? 0 : LOOKUP_FOLLOW;
790 6606366 : if (flag & AT_EMPTY_PATH)
791 5539 : lookup_flags |= LOOKUP_EMPTY;
792 6600827 : retry:
793 6606369 : error = user_path_at(dfd, filename, lookup_flags, &path);
794 6606425 : if (error)
795 6 : goto out;
796 6606419 : error = mnt_want_write(path.mnt);
797 6606406 : if (error)
798 0 : goto out_release;
799 6606406 : error = chown_common(&path, user, group);
800 6606135 : mnt_drop_write(path.mnt);
801 6606021 : out_release:
802 6606021 : path_put(&path);
803 13211470 : if (retry_estale(error, lookup_flags)) {
804 5 : lookup_flags |= LOOKUP_REVAL;
805 5 : goto retry;
806 : }
807 6605732 : out:
808 6605738 : return error;
809 : }
810 :
811 2133540 : SYSCALL_DEFINE5(fchownat, int, dfd, const char __user *, filename, uid_t, user,
812 : gid_t, group, int, flag)
813 : {
814 1066770 : return do_fchownat(dfd, filename, user, group, flag);
815 : }
816 :
817 807070 : SYSCALL_DEFINE3(chown, const char __user *, filename, uid_t, user, gid_t, group)
818 : {
819 403535 : return do_fchownat(AT_FDCWD, filename, user, group, 0);
820 : }
821 :
822 10271829 : SYSCALL_DEFINE3(lchown, const char __user *, filename, uid_t, user, gid_t, group)
823 : {
824 5136082 : return do_fchownat(AT_FDCWD, filename, user, group,
825 : AT_SYMLINK_NOFOLLOW);
826 : }
827 :
828 11747360 : int vfs_fchown(struct file *file, uid_t user, gid_t group)
829 : {
830 11747360 : int error;
831 :
832 11747360 : error = mnt_want_write_file(file);
833 11668713 : if (error)
834 : return error;
835 11672028 : audit_file(file);
836 11672028 : error = chown_common(&file->f_path, user, group);
837 11802598 : mnt_drop_write_file(file);
838 11802598 : return error;
839 : }
840 :
841 11727668 : int ksys_fchown(unsigned int fd, uid_t user, gid_t group)
842 : {
843 11727668 : struct fd f = fdget(fd);
844 11730303 : int error = -EBADF;
845 :
846 11730303 : if (f.file) {
847 11730303 : error = vfs_fchown(f.file, user, group);
848 11779386 : fdput(f);
849 : }
850 11779387 : return error;
851 : }
852 :
853 23525889 : SYSCALL_DEFINE3(fchown, unsigned int, fd, uid_t, user, gid_t, group)
854 : {
855 11742193 : return ksys_fchown(fd, user, group);
856 : }
857 :
858 1101891133 : static int do_dentry_open(struct file *f,
859 : struct inode *inode,
860 : int (*open)(struct inode *, struct file *))
861 : {
862 1101891133 : static const struct file_operations empty_fops = {};
863 1101891133 : int error;
864 :
865 1101891133 : path_get(&f->f_path);
866 1102982033 : f->f_inode = inode;
867 1102982033 : f->f_mapping = inode->i_mapping;
868 1102982033 : f->f_wb_err = filemap_sample_wb_err(f->f_mapping);
869 1103288301 : f->f_sb_err = file_sample_sb_err(f);
870 :
871 1103010040 : if (unlikely(f->f_flags & O_PATH)) {
872 65248570 : f->f_mode = FMODE_PATH | FMODE_OPENED;
873 65248570 : f->f_op = &empty_fops;
874 65248570 : return 0;
875 : }
876 :
877 1037761470 : if ((f->f_mode & (FMODE_READ | FMODE_WRITE)) == FMODE_READ) {
878 566277922 : i_readcount_inc(inode);
879 471483548 : } else if (f->f_mode & FMODE_WRITE && !special_file(inode->i_mode)) {
880 461705310 : error = get_write_access(inode);
881 462070067 : if (unlikely(error))
882 0 : goto cleanup_file;
883 462070067 : error = __mnt_want_write(f->f_path.mnt);
884 462004273 : if (unlikely(error)) {
885 0 : put_write_access(inode);
886 0 : goto cleanup_file;
887 : }
888 462004273 : f->f_mode |= FMODE_WRITER;
889 : }
890 :
891 : /* POSIX.1-2008/SUSv4 Section XSI 2.9.7 */
892 1038888910 : if (S_ISREG(inode->i_mode) || S_ISDIR(inode->i_mode))
893 1024879966 : f->f_mode |= FMODE_ATOMIC_POS;
894 :
895 1038888910 : f->f_op = fops_get(inode->i_fop);
896 1038356876 : if (WARN_ON(!f->f_op)) {
897 0 : error = -ENODEV;
898 0 : goto cleanup_all;
899 : }
900 :
901 1038356876 : error = security_file_open(f);
902 1038356876 : if (error)
903 : goto cleanup_all;
904 :
905 1038356876 : error = break_lease(file_inode(f), f->f_flags);
906 1039029672 : if (error)
907 0 : goto cleanup_all;
908 :
909 : /* normally all 3 are set; ->open() can clear them if needed */
910 1039029672 : f->f_mode |= FMODE_LSEEK | FMODE_PREAD | FMODE_PWRITE;
911 1039029672 : if (!open)
912 1039004931 : open = f->f_op->open;
913 1039029672 : if (open) {
914 1035193617 : error = open(inode, f);
915 1033653069 : if (error)
916 1092264 : goto cleanup_all;
917 : }
918 1036396860 : f->f_mode |= FMODE_OPENED;
919 1036396860 : if ((f->f_mode & FMODE_READ) &&
920 602108631 : likely(f->f_op->read || f->f_op->read_iter))
921 602001654 : f->f_mode |= FMODE_CAN_READ;
922 1036396860 : if ((f->f_mode & FMODE_WRITE) &&
923 470166547 : likely(f->f_op->write || f->f_op->write_iter))
924 470061041 : f->f_mode |= FMODE_CAN_WRITE;
925 1036396860 : if ((f->f_mode & FMODE_LSEEK) && !f->f_op->llseek)
926 1471 : f->f_mode &= ~FMODE_LSEEK;
927 1036396860 : if (f->f_mapping->a_ops && f->f_mapping->a_ops->direct_IO)
928 46026679 : f->f_mode |= FMODE_CAN_ODIRECT;
929 :
930 1036396860 : f->f_flags &= ~(O_CREAT | O_EXCL | O_NOCTTY | O_TRUNC);
931 1036396860 : f->f_iocb_flags = iocb_flags(f);
932 :
933 1036396860 : file_ra_state_init(&f->f_ra, f->f_mapping->host->i_mapping);
934 :
935 1035683291 : if ((f->f_flags & O_DIRECT) && !(f->f_mode & FMODE_CAN_ODIRECT))
936 : return -EINVAL;
937 :
938 : /*
939 : * XXX: Huge page cache doesn't support writing yet. Drop all page
940 : * cache for this file before processing writes.
941 : */
942 1035683284 : if (f->f_mode & FMODE_WRITE) {
943 : /*
944 : * Paired with smp_mb() in collapse_file() to ensure nr_thps
945 : * is up to date and the update to i_writecount by
946 : * get_write_access() is visible. Ensures subsequent insertion
947 : * of THPs into the page cache will fail.
948 : */
949 469935131 : smp_mb();
950 469935131 : if (filemap_nr_thps(inode->i_mapping)) {
951 : struct address_space *mapping = inode->i_mapping;
952 :
953 : filemap_invalidate_lock(inode->i_mapping);
954 : /*
955 : * unmap_mapping_range just need to be called once
956 : * here, because the private pages is not need to be
957 : * unmapped mapping (e.g. data segment of dynamic
958 : * shared libraries here).
959 : */
960 : unmap_mapping_range(mapping, 0, 0, 0);
961 : truncate_inode_pages(mapping, 0);
962 : filemap_invalidate_unlock(inode->i_mapping);
963 : }
964 : }
965 :
966 : /*
967 : * Once we return a file with FMODE_OPENED, __fput() will call
968 : * fsnotify_close(), so we need fsnotify_open() here for symmetry.
969 : */
970 1036669763 : fsnotify_open(f);
971 1036669763 : return 0;
972 :
973 1092264 : cleanup_all:
974 1092264 : if (WARN_ON_ONCE(error > 0))
975 0 : error = -EINVAL;
976 1092264 : fops_put(f->f_op);
977 1092263 : put_file_access(f);
978 1092258 : cleanup_file:
979 1092258 : path_put(&f->f_path);
980 1092264 : f->f_path.mnt = NULL;
981 1092264 : f->f_path.dentry = NULL;
982 1092264 : f->f_inode = NULL;
983 1092264 : return error;
984 : }
985 :
986 : /**
987 : * finish_open - finish opening a file
988 : * @file: file pointer
989 : * @dentry: pointer to dentry
990 : * @open: open callback
991 : *
992 : * This can be used to finish opening a file passed to i_op->atomic_open().
993 : *
994 : * If the open callback is set to NULL, then the standard f_op->open()
995 : * filesystem callback is substituted.
996 : *
997 : * NB: the dentry reference is _not_ consumed. If, for example, the dentry is
998 : * the return value of d_splice_alias(), then the caller needs to perform dput()
999 : * on it after finish_open().
1000 : *
1001 : * Returns zero on success or -errno if the open failed.
1002 : */
1003 8053268 : int finish_open(struct file *file, struct dentry *dentry,
1004 : int (*open)(struct inode *, struct file *))
1005 : {
1006 8053268 : BUG_ON(file->f_mode & FMODE_OPENED); /* once it's opened, it's opened */
1007 :
1008 8053268 : file->f_path.dentry = dentry;
1009 8053268 : return do_dentry_open(file, d_backing_inode(dentry), open);
1010 : }
1011 : EXPORT_SYMBOL(finish_open);
1012 :
1013 : /**
1014 : * finish_no_open - finish ->atomic_open() without opening the file
1015 : *
1016 : * @file: file pointer
1017 : * @dentry: dentry or NULL (as returned from ->lookup())
1018 : *
1019 : * This can be used to set the result of a successful lookup in ->atomic_open().
1020 : *
1021 : * NB: unlike finish_open() this function does consume the dentry reference and
1022 : * the caller need not dput() it.
1023 : *
1024 : * Returns "0" which must be the return value of ->atomic_open() after having
1025 : * called this function.
1026 : */
1027 27888 : int finish_no_open(struct file *file, struct dentry *dentry)
1028 : {
1029 27888 : file->f_path.dentry = dentry;
1030 27888 : return 0;
1031 : }
1032 : EXPORT_SYMBOL(finish_no_open);
1033 :
1034 175 : char *file_path(struct file *filp, char *buf, int buflen)
1035 : {
1036 175 : return d_path(&filp->f_path, buf, buflen);
1037 : }
1038 : EXPORT_SYMBOL(file_path);
1039 :
1040 : /**
1041 : * vfs_open - open the file at the given path
1042 : * @path: path to open
1043 : * @file: newly allocated file with f_flag initialized
1044 : */
1045 1056086936 : int vfs_open(const struct path *path, struct file *file)
1046 : {
1047 1056086936 : file->f_path = *path;
1048 1056086936 : return do_dentry_open(file, d_backing_inode(path->dentry), NULL);
1049 : }
1050 :
1051 93232626 : struct file *dentry_open(const struct path *path, int flags,
1052 : const struct cred *cred)
1053 : {
1054 93232626 : int error;
1055 93232626 : struct file *f;
1056 :
1057 93232626 : validate_creds(cred);
1058 :
1059 : /* We must always pass in a valid mount pointer. */
1060 93232626 : BUG_ON(!path->mnt);
1061 :
1062 93232626 : f = alloc_empty_file(flags, cred);
1063 92464306 : if (!IS_ERR(f)) {
1064 92464306 : error = vfs_open(path, f);
1065 92357498 : if (error) {
1066 0 : fput(f);
1067 0 : f = ERR_PTR(error);
1068 : }
1069 : }
1070 92357498 : return f;
1071 : }
1072 : EXPORT_SYMBOL(dentry_open);
1073 :
1074 : /**
1075 : * dentry_create - Create and open a file
1076 : * @path: path to create
1077 : * @flags: O_ flags
1078 : * @mode: mode bits for new file
1079 : * @cred: credentials to use
1080 : *
1081 : * Caller must hold the parent directory's lock, and have prepared
1082 : * a negative dentry, placed in @path->dentry, for the new file.
1083 : *
1084 : * Caller sets @path->mnt to the vfsmount of the filesystem where
1085 : * the new file is to be created. The parent directory and the
1086 : * negative dentry must reside on the same filesystem instance.
1087 : *
1088 : * On success, returns a "struct file *". Otherwise a ERR_PTR
1089 : * is returned.
1090 : */
1091 0 : struct file *dentry_create(const struct path *path, int flags, umode_t mode,
1092 : const struct cred *cred)
1093 : {
1094 0 : struct file *f;
1095 0 : int error;
1096 :
1097 0 : validate_creds(cred);
1098 0 : f = alloc_empty_file(flags, cred);
1099 0 : if (IS_ERR(f))
1100 : return f;
1101 :
1102 0 : error = vfs_create(mnt_idmap(path->mnt),
1103 0 : d_inode(path->dentry->d_parent),
1104 0 : path->dentry, mode, true);
1105 0 : if (!error)
1106 0 : error = vfs_open(path, f);
1107 :
1108 0 : if (unlikely(error)) {
1109 0 : fput(f);
1110 0 : return ERR_PTR(error);
1111 : }
1112 : return f;
1113 : }
1114 : EXPORT_SYMBOL(dentry_create);
1115 :
1116 : /**
1117 : * kernel_file_open - open a file for kernel internal use
1118 : * @path: path of the file to open
1119 : * @flags: open flags
1120 : * @inode: the inode
1121 : * @cred: credentials for open
1122 : *
1123 : * Open a file for use by in-kernel consumers. The file is not accounted
1124 : * against nr_files and must not be installed into the file descriptor
1125 : * table.
1126 : *
1127 : * Return: Opened file on success, an error pointer on failure.
1128 : */
1129 0 : struct file *kernel_file_open(const struct path *path, int flags,
1130 : struct inode *inode, const struct cred *cred)
1131 : {
1132 0 : struct file *f;
1133 0 : int error;
1134 :
1135 0 : f = alloc_empty_file_noaccount(flags, cred);
1136 0 : if (IS_ERR(f))
1137 : return f;
1138 :
1139 0 : f->f_path = *path;
1140 0 : error = do_dentry_open(f, inode, NULL);
1141 0 : if (error) {
1142 0 : fput(f);
1143 0 : f = ERR_PTR(error);
1144 : }
1145 : return f;
1146 : }
1147 : EXPORT_SYMBOL_GPL(kernel_file_open);
1148 :
1149 : /**
1150 : * backing_file_open - open a backing file for kernel internal use
1151 : * @path: path of the file to open
1152 : * @flags: open flags
1153 : * @path: path of the backing file
1154 : * @cred: credentials for open
1155 : *
1156 : * Open a backing file for a stackable filesystem (e.g., overlayfs).
1157 : * @path may be on the stackable filesystem and backing inode on the
1158 : * underlying filesystem. In this case, we want to be able to return
1159 : * the @real_path of the backing inode. This is done by embedding the
1160 : * returned file into a container structure that also stores the path of
1161 : * the backing inode on the underlying filesystem, which can be
1162 : * retrieved using backing_file_real_path().
1163 : */
1164 38035262 : struct file *backing_file_open(const struct path *path, int flags,
1165 : const struct path *real_path,
1166 : const struct cred *cred)
1167 : {
1168 38035262 : struct file *f;
1169 38035262 : int error;
1170 :
1171 38035262 : f = alloc_empty_backing_file(flags, cred);
1172 38072589 : if (IS_ERR(f))
1173 : return f;
1174 :
1175 38072589 : f->f_path = *path;
1176 38072589 : path_get(real_path);
1177 38094424 : *backing_file_real_path(f) = *real_path;
1178 38058534 : error = do_dentry_open(f, d_inode(real_path->dentry), NULL);
1179 38079381 : if (error) {
1180 68 : fput(f);
1181 68 : f = ERR_PTR(error);
1182 : }
1183 :
1184 : return f;
1185 : }
1186 : EXPORT_SYMBOL_GPL(backing_file_open);
1187 :
1188 : #define WILL_CREATE(flags) (flags & (O_CREAT | __O_TMPFILE))
1189 : #define O_PATH_FLAGS (O_DIRECTORY | O_NOFOLLOW | O_PATH | O_CLOEXEC)
1190 :
1191 0 : inline struct open_how build_open_how(int flags, umode_t mode)
1192 : {
1193 929240895 : struct open_how how = {
1194 0 : .flags = flags & VALID_OPEN_FLAGS,
1195 929240895 : .mode = mode & S_IALLUGO,
1196 : };
1197 :
1198 : /* O_PATH beats everything else. */
1199 0 : if (how.flags & O_PATH)
1200 67020218 : how.flags &= O_PATH_FLAGS;
1201 : /* Modes should only be set for create-like flags. */
1202 929240895 : if (!WILL_CREATE(how.flags))
1203 855577628 : how.mode = 0;
1204 929240895 : return how;
1205 : }
1206 :
1207 928855750 : inline int build_open_flags(const struct open_how *how, struct open_flags *op)
1208 : {
1209 928855750 : u64 flags = how->flags;
1210 928855750 : u64 strip = __FMODE_NONOTIFY | O_CLOEXEC;
1211 928855750 : int lookup_flags = 0;
1212 928855750 : int acc_mode = ACC_MODE(flags);
1213 :
1214 928855750 : BUILD_BUG_ON_MSG(upper_32_bits(VALID_OPEN_FLAGS),
1215 : "struct open_flags doesn't yet handle flags > 32 bits");
1216 :
1217 : /*
1218 : * Strip flags that either shouldn't be set by userspace like
1219 : * FMODE_NONOTIFY or that aren't relevant in determining struct
1220 : * open_flags like O_CLOEXEC.
1221 : */
1222 928855750 : flags &= ~strip;
1223 :
1224 : /*
1225 : * Older syscalls implicitly clear all of the invalid flags or argument
1226 : * values before calling build_open_flags(), but openat2(2) checks all
1227 : * of its arguments.
1228 : */
1229 928855750 : if (flags & ~VALID_OPEN_FLAGS)
1230 : return -EINVAL;
1231 928855750 : if (how->resolve & ~VALID_RESOLVE_FLAGS)
1232 : return -EINVAL;
1233 :
1234 : /* Scoping flags are mutually exclusive. */
1235 928855750 : if ((how->resolve & RESOLVE_BENEATH) && (how->resolve & RESOLVE_IN_ROOT))
1236 : return -EINVAL;
1237 :
1238 : /* Deal with the mode. */
1239 928855750 : if (WILL_CREATE(flags)) {
1240 73431821 : if (how->mode & ~S_IALLUGO)
1241 : return -EINVAL;
1242 73431821 : op->mode = how->mode | S_IFREG;
1243 : } else {
1244 855423929 : if (how->mode != 0)
1245 : return -EINVAL;
1246 855423929 : op->mode = 0;
1247 : }
1248 :
1249 : /*
1250 : * Block bugs where O_DIRECTORY | O_CREAT created regular files.
1251 : * Note, that blocking O_DIRECTORY | O_CREAT here also protects
1252 : * O_TMPFILE below which requires O_DIRECTORY being raised.
1253 : */
1254 928855750 : if ((flags & (O_DIRECTORY | O_CREAT)) == (O_DIRECTORY | O_CREAT))
1255 : return -EINVAL;
1256 :
1257 : /* Now handle the creative implementation of O_TMPFILE. */
1258 928855750 : if (flags & __O_TMPFILE) {
1259 : /*
1260 : * In order to ensure programs get explicit errors when trying
1261 : * to use O_TMPFILE on old kernels we enforce that O_DIRECTORY
1262 : * is raised alongside __O_TMPFILE.
1263 : */
1264 8206718 : if (!(flags & O_DIRECTORY))
1265 : return -EINVAL;
1266 8206718 : if (!(acc_mode & MAY_WRITE))
1267 : return -EINVAL;
1268 : }
1269 928855737 : if (flags & O_PATH) {
1270 : /* O_PATH only permits certain other flags to be set. */
1271 66882031 : if (flags & ~O_PATH_FLAGS)
1272 : return -EINVAL;
1273 : acc_mode = 0;
1274 : }
1275 :
1276 : /*
1277 : * O_SYNC is implemented as __O_SYNC|O_DSYNC. As many places only
1278 : * check for O_DSYNC if the need any syncing at all we enforce it's
1279 : * always set instead of having to deal with possibly weird behaviour
1280 : * for malicious applications setting only __O_SYNC.
1281 : */
1282 928855737 : if (flags & __O_SYNC)
1283 72488 : flags |= O_DSYNC;
1284 :
1285 928855737 : op->open_flag = flags;
1286 :
1287 : /* O_TRUNC implies we need access checks for write permissions */
1288 928855737 : if (flags & O_TRUNC)
1289 37943550 : acc_mode |= MAY_WRITE;
1290 :
1291 : /* Allow the LSM permission hook to distinguish append
1292 : access from general write access. */
1293 928855737 : if (flags & O_APPEND)
1294 4288917 : acc_mode |= MAY_APPEND;
1295 :
1296 928855737 : op->acc_mode = acc_mode;
1297 :
1298 928855737 : op->intent = flags & O_PATH ? 0 : LOOKUP_OPEN;
1299 :
1300 928855737 : if (flags & O_CREAT) {
1301 64927174 : op->intent |= LOOKUP_CREATE;
1302 64927174 : if (flags & O_EXCL) {
1303 16539958 : op->intent |= LOOKUP_EXCL;
1304 16539958 : flags |= O_NOFOLLOW;
1305 : }
1306 : }
1307 :
1308 928855737 : if (flags & O_DIRECTORY)
1309 40062739 : lookup_flags |= LOOKUP_DIRECTORY;
1310 928855737 : if (!(flags & O_NOFOLLOW))
1311 835581199 : lookup_flags |= LOOKUP_FOLLOW;
1312 :
1313 928855737 : if (how->resolve & RESOLVE_NO_XDEV)
1314 0 : lookup_flags |= LOOKUP_NO_XDEV;
1315 928855737 : if (how->resolve & RESOLVE_NO_MAGICLINKS)
1316 0 : lookup_flags |= LOOKUP_NO_MAGICLINKS;
1317 928855737 : if (how->resolve & RESOLVE_NO_SYMLINKS)
1318 0 : lookup_flags |= LOOKUP_NO_SYMLINKS;
1319 928855737 : if (how->resolve & RESOLVE_BENEATH)
1320 0 : lookup_flags |= LOOKUP_BENEATH;
1321 928855737 : if (how->resolve & RESOLVE_IN_ROOT)
1322 0 : lookup_flags |= LOOKUP_IN_ROOT;
1323 928855737 : if (how->resolve & RESOLVE_CACHED) {
1324 : /* Don't bother even trying for create/truncate/tmpfile open */
1325 0 : if (flags & (O_TRUNC | O_CREAT | O_TMPFILE))
1326 : return -EAGAIN;
1327 0 : lookup_flags |= LOOKUP_CACHED;
1328 : }
1329 :
1330 928855737 : op->lookup_flags = lookup_flags;
1331 928855737 : return 0;
1332 : }
1333 :
1334 : /**
1335 : * file_open_name - open file and return file pointer
1336 : *
1337 : * @name: struct filename containing path to open
1338 : * @flags: open flags as per the open(2) second argument
1339 : * @mode: mode for the new file if O_CREAT is set, else ignored
1340 : *
1341 : * This is the helper to open a file from kernelspace if you really
1342 : * have to. But in generally you should not do this, so please move
1343 : * along, nothing to see here..
1344 : */
1345 20945 : struct file *file_open_name(struct filename *name, int flags, umode_t mode)
1346 : {
1347 20945 : struct open_flags op;
1348 20945 : struct open_how how = build_open_how(flags, mode);
1349 20945 : int err = build_open_flags(&how, &op);
1350 20945 : if (err)
1351 0 : return ERR_PTR(err);
1352 20945 : return do_filp_open(AT_FDCWD, name, &op);
1353 : }
1354 :
1355 : /**
1356 : * filp_open - open file and return file pointer
1357 : *
1358 : * @filename: path to open
1359 : * @flags: open flags as per the open(2) second argument
1360 : * @mode: mode for the new file if O_CREAT is set, else ignored
1361 : *
1362 : * This is the helper to open a file from kernelspace if you really
1363 : * have to. But in generally you should not do this, so please move
1364 : * along, nothing to see here..
1365 : */
1366 19885 : struct file *filp_open(const char *filename, int flags, umode_t mode)
1367 : {
1368 19885 : struct filename *name = getname_kernel(filename);
1369 19886 : struct file *file = ERR_CAST(name);
1370 :
1371 19886 : if (!IS_ERR(name)) {
1372 19886 : file = file_open_name(name, flags, mode);
1373 19891 : putname(name);
1374 : }
1375 19887 : return file;
1376 : }
1377 : EXPORT_SYMBOL(filp_open);
1378 :
1379 41444 : struct file *file_open_root(const struct path *root,
1380 : const char *filename, int flags, umode_t mode)
1381 : {
1382 41444 : struct open_flags op;
1383 41444 : struct open_how how = build_open_how(flags, mode);
1384 41444 : int err = build_open_flags(&how, &op);
1385 41444 : if (err)
1386 0 : return ERR_PTR(err);
1387 41444 : return do_file_open_root(root, filename, &op);
1388 : }
1389 : EXPORT_SYMBOL(file_open_root);
1390 :
1391 929068886 : static long do_sys_openat2(int dfd, const char __user *filename,
1392 : struct open_how *how)
1393 : {
1394 929068886 : struct open_flags op;
1395 929068886 : int fd = build_open_flags(how, &op);
1396 927651133 : struct filename *tmp;
1397 :
1398 927651133 : if (fd)
1399 13 : return fd;
1400 :
1401 927651120 : tmp = getname(filename);
1402 928366431 : if (IS_ERR(tmp))
1403 2649 : return PTR_ERR(tmp);
1404 :
1405 928363782 : fd = get_unused_fd_flags(how->flags);
1406 930218767 : if (fd >= 0) {
1407 930190436 : struct file *f = do_filp_open(dfd, tmp, &op);
1408 929637767 : if (IS_ERR(f)) {
1409 23433111 : put_unused_fd(fd);
1410 23458277 : fd = PTR_ERR(f);
1411 : } else {
1412 906204656 : fd_install(fd, f);
1413 : }
1414 : }
1415 929760517 : putname(tmp);
1416 929223608 : return fd;
1417 : }
1418 :
1419 929178506 : long do_sys_open(int dfd, const char __user *filename, int flags, umode_t mode)
1420 : {
1421 929178506 : struct open_how how = build_open_how(flags, mode);
1422 929178506 : return do_sys_openat2(dfd, filename, &how);
1423 : }
1424 :
1425 :
1426 0 : SYSCALL_DEFINE3(open, const char __user *, filename, int, flags, umode_t, mode)
1427 : {
1428 0 : if (force_o_largefile())
1429 0 : flags |= O_LARGEFILE;
1430 0 : return do_sys_open(AT_FDCWD, filename, flags, mode);
1431 : }
1432 :
1433 1822136654 : SYSCALL_DEFINE4(openat, int, dfd, const char __user *, filename, int, flags,
1434 : umode_t, mode)
1435 : {
1436 911053733 : if (force_o_largefile())
1437 911053733 : flags |= O_LARGEFILE;
1438 911053733 : return do_sys_open(dfd, filename, flags, mode);
1439 : }
1440 :
1441 0 : SYSCALL_DEFINE4(openat2, int, dfd, const char __user *, filename,
1442 : struct open_how __user *, how, size_t, usize)
1443 : {
1444 0 : int err;
1445 0 : struct open_how tmp;
1446 :
1447 0 : BUILD_BUG_ON(sizeof(struct open_how) < OPEN_HOW_SIZE_VER0);
1448 0 : BUILD_BUG_ON(sizeof(struct open_how) != OPEN_HOW_SIZE_LATEST);
1449 :
1450 0 : if (unlikely(usize < OPEN_HOW_SIZE_VER0))
1451 : return -EINVAL;
1452 :
1453 0 : err = copy_struct_from_user(&tmp, sizeof(tmp), how, usize);
1454 0 : if (err)
1455 0 : return err;
1456 :
1457 0 : audit_openat2_how(&tmp);
1458 :
1459 : /* O_LARGEFILE is only allowed for non-O_PATH. */
1460 0 : if (!(tmp.flags & O_PATH) && force_o_largefile())
1461 0 : tmp.flags |= O_LARGEFILE;
1462 :
1463 0 : return do_sys_openat2(dfd, filename, &tmp);
1464 : }
1465 :
1466 : #ifdef CONFIG_COMPAT
1467 : /*
1468 : * Exactly like sys_open(), except that it doesn't set the
1469 : * O_LARGEFILE flag.
1470 : */
1471 0 : COMPAT_SYSCALL_DEFINE3(open, const char __user *, filename, int, flags, umode_t, mode)
1472 : {
1473 0 : return do_sys_open(AT_FDCWD, filename, flags, mode);
1474 : }
1475 :
1476 : /*
1477 : * Exactly like sys_openat(), except that it doesn't set the
1478 : * O_LARGEFILE flag.
1479 : */
1480 44 : COMPAT_SYSCALL_DEFINE4(openat, int, dfd, const char __user *, filename, int, flags, umode_t, mode)
1481 : {
1482 22 : return do_sys_open(dfd, filename, flags, mode);
1483 : }
1484 : #endif
1485 :
1486 : #ifndef __alpha__
1487 :
1488 : /*
1489 : * For backward compatibility? Maybe this should be moved
1490 : * into arch/i386 instead?
1491 : */
1492 36977205 : SYSCALL_DEFINE2(creat, const char __user *, pathname, umode_t, mode)
1493 : {
1494 18483361 : int flags = O_CREAT | O_WRONLY | O_TRUNC;
1495 :
1496 18483361 : if (force_o_largefile())
1497 18483361 : flags |= O_LARGEFILE;
1498 18483361 : return do_sys_open(AT_FDCWD, pathname, flags, mode);
1499 : }
1500 : #endif
1501 :
1502 : /*
1503 : * "id" is the POSIX thread ID. We use the
1504 : * files pointer for this..
1505 : */
1506 1412794435 : int filp_close(struct file *filp, fl_owner_t id)
1507 : {
1508 1412794435 : int retval = 0;
1509 :
1510 1412794435 : if (CHECK_DATA_CORRUPTION(file_count(filp) == 0,
1511 : "VFS: Close: file count is 0 (f_op=%ps)",
1512 : filp->f_op)) {
1513 : return 0;
1514 : }
1515 :
1516 1412794435 : if (filp->f_op->flush)
1517 235695292 : retval = filp->f_op->flush(filp, id);
1518 :
1519 1412812320 : if (likely(!(filp->f_mode & FMODE_PATH))) {
1520 1347617091 : dnotify_flush(filp, id);
1521 1347603953 : locks_remove_posix(filp, id);
1522 : }
1523 1411952313 : fput(filp);
1524 1412469370 : return retval;
1525 : }
1526 :
1527 : EXPORT_SYMBOL(filp_close);
1528 :
1529 : /*
1530 : * Careful here! We test whether the file pointer is NULL before
1531 : * releasing the fd. This ensures that one clone task can't release
1532 : * an fd while another clone is opening it.
1533 : */
1534 2368901030 : SYSCALL_DEFINE1(close, unsigned int, fd)
1535 : {
1536 1184117023 : int retval = close_fd(fd);
1537 :
1538 : /* can't restart close syscall because file table entry was cleared */
1539 1186007361 : if (unlikely(retval == -ERESTARTSYS ||
1540 : retval == -ERESTARTNOINTR ||
1541 : retval == -ERESTARTNOHAND ||
1542 : retval == -ERESTART_RESTARTBLOCK))
1543 0 : retval = -EINTR;
1544 :
1545 1186007361 : return retval;
1546 : }
1547 :
1548 : /**
1549 : * close_range() - Close all file descriptors in a given range.
1550 : *
1551 : * @fd: starting file descriptor to close
1552 : * @max_fd: last file descriptor to close
1553 : * @flags: reserved for future extensions
1554 : *
1555 : * This closes a range of file descriptors. All file descriptors
1556 : * from @fd up to and including @max_fd are closed.
1557 : * Currently, errors to close a given file descriptor are ignored.
1558 : */
1559 207529 : SYSCALL_DEFINE3(close_range, unsigned int, fd, unsigned int, max_fd,
1560 : unsigned int, flags)
1561 : {
1562 103764 : return __close_range(fd, max_fd, flags);
1563 : }
1564 :
1565 : /*
1566 : * This routine simulates a hangup on the tty, to arrange that users
1567 : * are given clean terminals at login time.
1568 : */
1569 0 : SYSCALL_DEFINE0(vhangup)
1570 : {
1571 0 : if (capable(CAP_SYS_TTY_CONFIG)) {
1572 0 : tty_vhangup_self();
1573 0 : return 0;
1574 : }
1575 : return -EPERM;
1576 : }
1577 :
1578 : /*
1579 : * Called when an inode is about to be open.
1580 : * We use this to disallow opening large files on 32bit systems if
1581 : * the caller didn't specify O_LARGEFILE. On 64bit systems we force
1582 : * on this flag in sys_open.
1583 : */
1584 654768348 : int generic_file_open(struct inode * inode, struct file * filp)
1585 : {
1586 654768348 : if (!(filp->f_flags & O_LARGEFILE) && i_size_read(inode) > MAX_NON_LFS)
1587 0 : return -EOVERFLOW;
1588 : return 0;
1589 : }
1590 :
1591 : EXPORT_SYMBOL(generic_file_open);
1592 :
1593 : /*
1594 : * This is used by subsystems that don't want seekable
1595 : * file descriptors. The function is not supposed to ever fail, the only
1596 : * reason it returns an 'int' and not 'void' is so that it can be plugged
1597 : * directly into file_operations structure.
1598 : */
1599 226840 : int nonseekable_open(struct inode *inode, struct file *filp)
1600 : {
1601 226840 : filp->f_mode &= ~(FMODE_LSEEK | FMODE_PREAD | FMODE_PWRITE);
1602 226840 : return 0;
1603 : }
1604 :
1605 : EXPORT_SYMBOL(nonseekable_open);
1606 :
1607 : /*
1608 : * stream_open is used by subsystems that want stream-like file descriptors.
1609 : * Such file descriptors are not seekable and don't have notion of position
1610 : * (file.f_pos is always 0 and ppos passed to .read()/.write() is always NULL).
1611 : * Contrary to file descriptors of other regular files, .read() and .write()
1612 : * can run simultaneously.
1613 : *
1614 : * stream_open never fails and is marked to return int so that it could be
1615 : * directly used as file_operations.open .
1616 : */
1617 53519230 : int stream_open(struct inode *inode, struct file *filp)
1618 : {
1619 53519230 : filp->f_mode &= ~(FMODE_LSEEK | FMODE_PREAD | FMODE_PWRITE | FMODE_ATOMIC_POS);
1620 53519230 : filp->f_mode |= FMODE_STREAM;
1621 53519230 : return 0;
1622 : }
1623 :
1624 : EXPORT_SYMBOL(stream_open);
|