1
/*
2
 *  linux/fs/attr.c
3
 *
4
 *  Copyright (C) 1991, 1992  Linus Torvalds
5
 *  changes by Thomas Schoebel-Theuer
6
 */
7

8
#include <linux/module.h>
9
#include <linux/time.h>
10
#include <linux/mm.h>
11
#include <linux/string.h>
12
#include <linux/capability.h>
13
#include <linux/fsnotify.h>
14
#include <linux/fcntl.h>
15
#include <linux/security.h>
16

17
/**
18
 * inode_change_ok - check if attribute changes to an inode are allowed
19
 * @inode:	inode to check
20
 * @attr:	attributes to change
21
 *
22
 * Check if we are allowed to change the attributes contained in @attr
23
 * in the given inode.  This includes the normal unix access permission
24
 * checks, as well as checks for rlimits and others.
25
 *
26
 * Should be called as the first thing in ->setattr implementations,
27
 * possibly after taking additional locks.
28
 */
29
int inode_change_ok(const struct inode *inode, struct iattr *attr)
30
{
31
	unsigned int ia_valid = attr->ia_valid;
32

33
	/*
34
	 * First check size constraints.  These can't be overriden using
35
	 * ATTR_FORCE.
36
	 */
37
	if (ia_valid & ATTR_SIZE) {
38
		int error = inode_newsize_ok(inode, attr->ia_size);
39
		if (error)
40
			return error;
41
	}
42

43
	/* If force is set do it anyway. */
44
	if (ia_valid & ATTR_FORCE)
45
		return 0;
46

47
	/* Make sure a caller can chown. */
48
	if ((ia_valid & ATTR_UID) &&
49
	    (current_fsuid() != inode->i_uid ||
50
	     attr->ia_uid != inode->i_uid) && !capable(CAP_CHOWN))
51
		return -EPERM;
52

53
	/* Make sure caller can chgrp. */
54
	if ((ia_valid & ATTR_GID) &&
55
	    (current_fsuid() != inode->i_uid ||
56
	    (!in_group_p(attr->ia_gid) && attr->ia_gid != inode->i_gid)) &&
57
	    !capable(CAP_CHOWN))
58
		return -EPERM;
59

60
	/* Make sure a caller can chmod. */
61
	if (ia_valid & ATTR_MODE) {
62
		if (!inode_owner_or_capable(inode))
63
			return -EPERM;
64
		/* Also check the setgid bit! */
65
		if (!in_group_p((ia_valid & ATTR_GID) ? attr->ia_gid :
66
				inode->i_gid) && !capable(CAP_FSETID))
67
			attr->ia_mode &= ~S_ISGID;
68
	}
69

70
	/* Check for setting the inode time. */
71
	if (ia_valid & (ATTR_MTIME_SET | ATTR_ATIME_SET | ATTR_TIMES_SET)) {
72
		if (!inode_owner_or_capable(inode))
73
			return -EPERM;
74
	}
75

76
	return 0;
77
}
78
EXPORT_SYMBOL(inode_change_ok);
79

80
/**
81
 * inode_newsize_ok - may this inode be truncated to a given size
82
 * @inode:	the inode to be truncated
83
 * @offset:	the new size to assign to the inode
84
 * @Returns:	0 on success, -ve errno on failure
85
 *
86
 * inode_newsize_ok must be called with i_mutex held.
87
 *
88
 * inode_newsize_ok will check filesystem limits and ulimits to check that the
89
 * new inode size is within limits. inode_newsize_ok will also send SIGXFSZ
90
 * when necessary. Caller must not proceed with inode size change if failure is
91
 * returned. @inode must be a file (not directory), with appropriate
92
 * permissions to allow truncate (inode_newsize_ok does NOT check these
93
 * conditions).
94
 */
95
int inode_newsize_ok(const struct inode *inode, loff_t offset)
96
{
97
	if (inode->i_size < offset) {
98
		unsigned long limit;
99

100
		limit = rlimit(RLIMIT_FSIZE);
101
		if (limit != RLIM_INFINITY && offset > limit)
102
			goto out_sig;
103
		if (offset > inode->i_sb->s_maxbytes)
104
			goto out_big;
105
	} else {
106
		/*
107
		 * truncation of in-use swapfiles is disallowed - it would
108
		 * cause subsequent swapout to scribble on the now-freed
109
		 * blocks.
110
		 */
111
		if (IS_SWAPFILE(inode))
112
			return -ETXTBSY;
113
	}
114

115
	return 0;
116
out_sig:
117
	send_sig(SIGXFSZ, current, 0);
118
out_big:
119
	return -EFBIG;
120
}
121
EXPORT_SYMBOL(inode_newsize_ok);
122

123
/**
124
 * setattr_copy - copy simple metadata updates into the generic inode
125
 * @inode:	the inode to be updated
126
 * @attr:	the new attributes
127
 *
128
 * setattr_copy must be called with i_mutex held.
129
 *
130
 * setattr_copy updates the inode's metadata with that specified
131
 * in attr. Noticeably missing is inode size update, which is more complex
132
 * as it requires pagecache updates.
133
 *
134
 * The inode is not marked as dirty after this operation. The rationale is
135
 * that for "simple" filesystems, the struct inode is the inode storage.
136
 * The caller is free to mark the inode dirty afterwards if needed.
137
 */
138
void setattr_copy(struct inode *inode, const struct iattr *attr)
139
{
140
	unsigned int ia_valid = attr->ia_valid;
141

142
	if (ia_valid & ATTR_UID)
143
		inode->i_uid = attr->ia_uid;
144
	if (ia_valid & ATTR_GID)
145
		inode->i_gid = attr->ia_gid;
146
	if (ia_valid & ATTR_ATIME)
147
		inode->i_atime = timespec_trunc(attr->ia_atime,
148
						inode->i_sb->s_time_gran);
149
	if (ia_valid & ATTR_MTIME)
150
		inode->i_mtime = timespec_trunc(attr->ia_mtime,
151
						inode->i_sb->s_time_gran);
152
	if (ia_valid & ATTR_CTIME)
153
		inode->i_ctime = timespec_trunc(attr->ia_ctime,
154
						inode->i_sb->s_time_gran);
155
	if (ia_valid & ATTR_MODE) {
156
		umode_t mode = attr->ia_mode;
157

158
		if (!in_group_p(inode->i_gid) && !capable(CAP_FSETID))
159
			mode &= ~S_ISGID;
160
		inode->i_mode = mode;
161
	}
162
}
163
EXPORT_SYMBOL(setattr_copy);
164

165
int notify_change(struct dentry * dentry, struct iattr * attr)
166
{
167
	struct inode *inode = dentry->d_inode;
168
	mode_t mode = inode->i_mode;
169
	int error;
170
	struct timespec now;
171
	unsigned int ia_valid = attr->ia_valid;
172

173
	if (ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID | ATTR_TIMES_SET)) {
174
		if (IS_IMMUTABLE(inode) || IS_APPEND(inode))
175
			return -EPERM;
176
	}
177

178
	if ((ia_valid & ATTR_MODE)) {
179
		mode_t amode = attr->ia_mode;
180
		/* Flag setting protected by i_mutex */
181
		if (is_sxid(amode))
182
			inode->i_flags &= ~S_NOSEC;
183
	}
184

185
	now = current_fs_time(inode->i_sb);
186

187
	attr->ia_ctime = now;
188
	if (!(ia_valid & ATTR_ATIME_SET))
189
		attr->ia_atime = now;
190
	if (!(ia_valid & ATTR_MTIME_SET))
191
		attr->ia_mtime = now;
192
	if (ia_valid & ATTR_KILL_PRIV) {
193
		attr->ia_valid &= ~ATTR_KILL_PRIV;
194
		ia_valid &= ~ATTR_KILL_PRIV;
195
		error = security_inode_need_killpriv(dentry);
196
		if (error > 0)
197
			error = security_inode_killpriv(dentry);
198
		if (error)
199
			return error;
200
	}
201

202
	/*
203
	 * We now pass ATTR_KILL_S*ID to the lower level setattr function so
204
	 * that the function has the ability to reinterpret a mode change
205
	 * that's due to these bits. This adds an implicit restriction that
206
	 * no function will ever call notify_change with both ATTR_MODE and
207
	 * ATTR_KILL_S*ID set.
208
	 */
209
	if ((ia_valid & (ATTR_KILL_SUID|ATTR_KILL_SGID)) &&
210
	    (ia_valid & ATTR_MODE))
211
		BUG();
212

213
	if (ia_valid & ATTR_KILL_SUID) {
214
		if (mode & S_ISUID) {
215
			ia_valid = attr->ia_valid |= ATTR_MODE;
216
			attr->ia_mode = (inode->i_mode & ~S_ISUID);
217
		}
218
	}
219
	if (ia_valid & ATTR_KILL_SGID) {
220
		if ((mode & (S_ISGID | S_IXGRP)) == (S_ISGID | S_IXGRP)) {
221
			if (!(ia_valid & ATTR_MODE)) {
222
				ia_valid = attr->ia_valid |= ATTR_MODE;
223
				attr->ia_mode = inode->i_mode;
224
			}
225
			attr->ia_mode &= ~S_ISGID;
226
		}
227
	}
228
	if (!(attr->ia_valid & ~(ATTR_KILL_SUID | ATTR_KILL_SGID)))
229
		return 0;
230

231
	error = security_inode_setattr(dentry, attr);
232
	if (error)
233
		return error;
234

235
	if (ia_valid & ATTR_SIZE)
236
		down_write(&dentry->d_inode->i_alloc_sem);
237

238
	if (inode->i_op->setattr)
239
		error = inode->i_op->setattr(dentry, attr);
240
	else
241
		error = simple_setattr(dentry, attr);
242

243
	if (ia_valid & ATTR_SIZE)
244
		up_write(&dentry->d_inode->i_alloc_sem);
245

246
	if (!error)
247
		fsnotify_change(dentry, ia_valid);
248

249
	return error;
250
}
251

252
EXPORT_SYMBOL(notify_change);
253

254