4 * Copyright (C) 1991, 1992 Linus Torvalds
7 #include <linux/string.h>
9 #include <linux/file.h>
10 #include <linux/fdtable.h>
11 #include <linux/fsnotify.h>
12 #include <linux/module.h>
13 #include <linux/tty.h>
14 #include <linux/namei.h>
15 #include <linux/backing-dev.h>
16 #include <linux/capability.h>
17 #include <linux/securebits.h>
18 #include <linux/security.h>
19 #include <linux/mount.h>
20 #include <linux/fcntl.h>
21 #include <linux/slab.h>
22 #include <asm/uaccess.h>
24 #include <linux/personality.h>
25 #include <linux/pagemap.h>
26 #include <linux/syscalls.h>
27 #include <linux/rcupdate.h>
28 #include <linux/audit.h>
29 #include <linux/falloc.h>
30 #include <linux/fs_struct.h>
31 #include <linux/ima.h>
32 #include <linux/dnotify.h>
36 #define CREATE_TRACE_POINTS
37 #include <trace/events/fs.h>
/*
 * do_truncate() - change a file's size to @length through notify_change().
 *
 * An iattr carrying ATTR_SIZE plus the caller's @time_attrs is filled in and
 * handed to notify_change() while the inode's i_mutex is held.
 *
 * NOTE(review): this listing skips source lines (the gutter jumps from 39 to
 * 43), so the last parameter, the other locals and the return statement are
 * not visible; "filp" below is presumably that missing parameter.
 */
39 int do_truncate(struct dentry *dentry, loff_t length, unsigned int time_attrs,
43 struct iattr newattrs;
45 /* Not pretty: "inode->i_size" shouldn't really be signed. But it is. */
49 newattrs.ia_size = length;
50 newattrs.ia_valid = ATTR_SIZE | time_attrs;
/* Attach the open file to the request; presumably only when filp is set (guard not shown). */
52 newattrs.ia_file = filp;
53 newattrs.ia_valid |= ATTR_FILE;
56 /* Remove suid/sgid on truncate too */
57 ret = should_remove_suid(dentry);
/*
 * Security: the flags returned by should_remove_suid() are OR-ed into the
 * request together with ATTR_FORCE, so setuid/setgid bits are dropped as
 * part of the same attribute change that alters the file contents.
 */
59 newattrs.ia_valid |= ret | ATTR_FORCE;
/* The attribute change itself runs with i_mutex held. */
61 mutex_lock(&dentry->d_inode->i_mutex);
62 ret = notify_change(dentry, &newattrs);
63 mutex_unlock(&dentry->d_inode->i_mutex);
/*
 * do_sys_truncate() - path-based truncate shared by the truncate syscalls.
 *
 * Visible order of checks before the size changes: negative length, path
 * lookup, file type, mount write access, MAY_WRITE permission on the inode,
 * append-only flag, inode write access, lease break, lock verification and
 * the LSM path hook.  The error values assigned between the checks are in
 * lines this listing skips.
 */
67 static long do_sys_truncate(const char __user *pathname, loff_t length)
74 if (length < 0) /* sorry, but loff_t says... */
/* Resolve the user-supplied name; everything below acts on that result. */
77 error = user_path(pathname, &path);
80 inode = path.dentry->d_inode;
82 /* For directories it's -EISDIR, for other non-regulars - -EINVAL */
84 if (S_ISDIR(inode->i_mode))
88 if (!S_ISREG(inode->i_mode))
91 error = mnt_want_write(path.mnt);
/* Permission check on the inode that the lookup resolved. */
95 error = inode_permission(inode, MAY_WRITE);
97 goto mnt_drop_write_and_out;
/* Append-only inodes are refused even when MAY_WRITE was granted. */
100 if (IS_APPEND(inode))
101 goto mnt_drop_write_and_out;
103 error = get_write_access(inode);
105 goto mnt_drop_write_and_out;
108 * Make sure that there are no leases. get_write_access() protects
109 * against the truncate racing with a lease-granting setlease().
111 error = break_lease(inode, O_WRONLY);
113 goto put_write_and_out;
115 error = locks_verify_truncate(inode, NULL, length);
/* LSM hook: a security module can veto the truncate for this path. */
117 error = security_path_truncate(&path);
/* By-name variant: no extra time attributes and no struct file. */
119 error = do_truncate(path.dentry, length, 0, NULL);
/* Unwind in reverse order of acquisition. */
122 put_write_access(inode);
123 mnt_drop_write_and_out:
124 mnt_drop_write(path.mnt);
/* truncate(2) entry point: the long @length is handed on as loff_t. */
131 SYSCALL_DEFINE2(truncate, const char __user *, path, long, length)
133 return do_sys_truncate(path, length);
/*
 * do_sys_ftruncate() - descriptor-based truncate.
 * @small is non-zero for the non-LFS syscall and gates the MAX_NON_LFS
 * limit below.
 *
 * Unlike the path-based variant, the visible lines authorise the operation
 * from the open file itself (a regular file opened with FMODE_WRITE); no
 * inode_permission() call appears here.  The fd lookup, error values and
 * release of the file are in lines this listing skips.
 */
136 static long do_sys_ftruncate(unsigned int fd, loff_t length, int small)
138 struct inode * inode;
139 struct dentry *dentry;
151 /* explicitly opened as large or we are on 64-bit box */
152 if (file->f_flags & O_LARGEFILE)
155 dentry = file->f_path.dentry;
156 inode = dentry->d_inode;
/* Only a regular file that was opened for writing may be truncated. */
158 if (!S_ISREG(inode->i_mode) || !(file->f_mode & FMODE_WRITE))
162 /* Cannot ftruncate over 2^31 bytes without large file support */
163 if (small && length > MAX_NON_LFS)
/* Append-only inodes are refused regardless of the open mode. */
167 if (IS_APPEND(inode))
170 error = locks_verify_truncate(inode, file, length);
/* LSM hook: a security module can veto the truncate for this path. */
172 error = security_path_truncate(&file->f_path);
/* The fd variant asks for mtime/ctime updates and passes the file along. */
174 error = do_truncate(dentry, length, ATTR_MTIME|ATTR_CTIME, file);
/*
 * ftruncate(2) entry point.  Passes small = 1, so the MAX_NON_LFS limit in
 * do_sys_ftruncate() applies unless the file was opened with O_LARGEFILE.
 */
181 SYSCALL_DEFINE2(ftruncate, unsigned int, fd, unsigned long, length)
183 long ret = do_sys_ftruncate(fd, length, 1);
184 /* avoid REGPARM breakage on x86: */
185 asmlinkage_protect(2, ret, fd, length);
/*
 * 64-bit-length entry points, compiled only when BITS_PER_LONG == 32.  They
 * reuse the same workers as the plain syscalls; ftruncate64 passes small = 0
 * so the MAX_NON_LFS limit is not applied.  The SyS_* wrappers cast the long
 * arguments back to the declared parameter types.
 * NOTE(review): the #endif lines that close the two inner #ifdef blocks are
 * among the lines this listing skips.
 */
189 /* LFS versions of truncate are only needed on 32 bit machines */
190 #if BITS_PER_LONG == 32
191 SYSCALL_DEFINE(truncate64)(const char __user * path, loff_t length)
193 return do_sys_truncate(path, length);
195 #ifdef CONFIG_HAVE_SYSCALL_WRAPPERS
196 asmlinkage long SyS_truncate64(long path, loff_t length)
198 return SYSC_truncate64((const char __user *) path, length);
200 SYSCALL_ALIAS(sys_truncate64, SyS_truncate64);
203 SYSCALL_DEFINE(ftruncate64)(unsigned int fd, loff_t length)
205 long ret = do_sys_ftruncate(fd, length, 0);
206 /* avoid REGPARM breakage on x86: */
207 asmlinkage_protect(2, ret, fd, length);
210 #ifdef CONFIG_HAVE_SYSCALL_WRAPPERS
211 asmlinkage long SyS_ftruncate64(long fd, loff_t length)
213 return SYSC_ftruncate64((unsigned int) fd, length);
215 SYSCALL_ALIAS(sys_ftruncate64, SyS_ftruncate64);
217 #endif /* BITS_PER_LONG == 32 */
/*
 * do_fallocate() - validate a preallocation / hole-punch request and hand it
 * to the filesystem's ->fallocate method.
 *
 * Everything before the final call is argument and permission checking; the
 * error value returned by each failed test is in lines this listing skips.
 */
220 int do_fallocate(struct file *file, int mode, loff_t offset, loff_t len)
222 struct inode *inode = file->f_path.dentry->d_inode;
/* Reject a negative offset and a zero or negative length up front. */
225 if (offset < 0 || len <= 0)
228 /* Return error if mode is not supported */
229 if (mode & ~(FALLOC_FL_KEEP_SIZE | FALLOC_FL_PUNCH_HOLE))
232 /* Punch hole must have keep size set */
233 if ((mode & FALLOC_FL_PUNCH_HOLE) &&
234 !(mode & FALLOC_FL_KEEP_SIZE))
/* The descriptor must have been opened for writing. */
237 if (!(file->f_mode & FMODE_WRITE))
240 /* It's not possible to punch a hole in an append-only file */
241 if (mode & FALLOC_FL_PUNCH_HOLE && IS_APPEND(inode))
244 if (IS_IMMUTABLE(inode))
248 * Revalidate the write permissions, in case security policy has
249 * changed since the files were opened.
251 ret = security_file_permission(file, MAY_WRITE);
255 if (S_ISFIFO(inode->i_mode))
259 * Let individual file system decide if it supports preallocation
260 * for directories or not.
262 if (!S_ISREG(inode->i_mode) && !S_ISDIR(inode->i_mode))
265 /* Check for wrap through zero too */
/*
 * offset and len are signed, so the "< 0" test is what catches a sum that
 * wrapped past the maximum.  NOTE(review): signed overflow is undefined in
 * ISO C; this test presumably relies on the kernel being built with
 * wrapping semantics for signed arithmetic - confirm for the target tree.
 */
266 if (((offset + len) > inode->i_sb->s_maxbytes) || ((offset + len) < 0))
/* Filesystems without a ->fallocate method cannot service the request. */
269 if (!file->f_op->fallocate)
272 return file->f_op->fallocate(file, mode, offset, len);
/*
 * fallocate(2) entry point.  All validation lives in do_fallocate(); the fd
 * lookup and release around the call are in lines this listing skips.
 */
275 SYSCALL_DEFINE(fallocate)(int fd, int mode, loff_t offset, loff_t len)
282 error = do_fallocate(file, mode, offset, len);
/* Syscall wrapper: narrows the long fd and mode arguments back to int. */
289 #ifdef CONFIG_HAVE_SYSCALL_WRAPPERS
290 asmlinkage long SyS_fallocate(long fd, long mode, loff_t offset, loff_t len)
292 return SYSC_fallocate((int)fd, (int)mode, offset, len);
294 SYSCALL_ALIAS(sys_fallocate, SyS_fallocate);
/*
 * faccessat(2): answer "could the real uid/gid access this path?".
 *
 * Pattern used: prepare_creds() makes a private copy of the credentials, the
 * copy is adjusted, override_creds() installs it for the lookup and the
 * permission check, and revert_creds() plus put_cred() undo that at the end.
 * Those last two calls have to be reached on every exit taken after the
 * override.
 *
 * Security note for callers: the answer describes the moment of the check
 * only.  A later open() of the same name is a separate lookup, so the result
 * is advisory and should not be the access-control decision itself.
 */
298 * access() needs to use the real uid/gid, not the effective uid/gid.
299 * We do this by temporarily clearing all FS-related capabilities and
300 * switching the fsuid/fsgid around to the real ones.
302 SYSCALL_DEFINE3(faccessat, int, dfd, const char __user *, filename, int, mode)
304 const struct cred *old_cred;
305 struct cred *override_cred;
/* Only the read/write/execute bits in the "other" position are accepted. */
310 if (mode & ~S_IRWXO) /* where's F_OK, X_OK, W_OK, R_OK? */
313 override_cred = prepare_creds();
/* Filesystem identity for the check becomes the real uid/gid. */
317 override_cred->fsuid = override_cred->uid;
318 override_cred->fsgid = override_cred->gid;
/*
 * Unless SECURE_NO_SETUID_FIXUP is set, capabilities follow the real uid:
 * cleared for a non-zero uid, otherwise (presumably the else branch, whose
 * keyword is in a skipped line) the effective set becomes the permitted set.
 */
320 if (!issecure(SECURE_NO_SETUID_FIXUP)) {
321 /* Clear the capabilities if we switch to a non-root user */
322 if (override_cred->uid)
323 cap_clear(override_cred->cap_effective);
325 override_cred->cap_effective =
326 override_cred->cap_permitted;
329 old_cred = override_creds(override_cred);
/* The lookup follows symlinks and runs under the overridden credentials. */
331 res = user_path_at(dfd, filename, LOOKUP_FOLLOW, &path);
335 inode = path.dentry->d_inode;
337 if ((mode & MAY_EXEC) && S_ISREG(inode->i_mode)) {
339 * MAY_EXEC on regular files is denied if the fs is mounted
340 * with the "noexec" flag.
343 if (path.mnt->mnt_flags & MNT_NOEXEC)
344 goto out_path_release;
347 res = inode_permission(inode, mode | MAY_ACCESS);
348 /* SuS v2 requires we report a read only fs too */
/* The read-only test below only matters for a granted write on a non-special file. */
349 if (res || !(mode & S_IWOTH) || special_file(inode->i_mode))
350 goto out_path_release;
352 * This is a rare case where using __mnt_is_readonly()
353 * is OK without a mnt_want/drop_write() pair. Since
354 * no actual write to the fs is performed here, we do
355 * not need to telegraph to that to anyone.
357 * By doing this, we accept that this access is
358 * inherently racy and know that the fs may change
359 * state before we even see this result.
361 if (__mnt_is_readonly(path.mnt))
/* Restore the caller's credentials and drop the temporary copy. */
367 revert_creds(old_cred);
368 put_cred(override_cred);
/* access(2): faccessat() relative to the current working directory. */
372 SYSCALL_DEFINE2(access, const char __user *, filename, int, mode)
374 return sys_faccessat(AT_FDCWD, filename, mode);
/*
 * chdir(2): look the name up as a directory, require MAY_EXEC | MAY_CHDIR on
 * its inode, then make it the working directory of current->fs.  Error
 * handling and the release of the path are in lines this listing skips.
 */
377 SYSCALL_DEFINE1(chdir, const char __user *, filename)
382 error = user_path_dir(filename, &path);
386 error = inode_permission(path.dentry->d_inode, MAY_EXEC | MAY_CHDIR);
390 set_fs_pwd(current->fs, &path);
/*
 * fchdir(2): same permission requirement as chdir(), but the target comes
 * from an already-open descriptor.  Holding the descriptor is not sufficient
 * on its own: the inode must be a directory and MAY_EXEC | MAY_CHDIR is
 * checked again at call time.
 */
398 SYSCALL_DEFINE1(fchdir, unsigned int, fd)
409 inode = file->f_path.dentry->d_inode;
412 if (!S_ISDIR(inode->i_mode))
415 error = inode_permission(inode, MAY_EXEC | MAY_CHDIR);
417 set_fs_pwd(current->fs, &file->f_path);
/*
 * chroot(2): change the root directory of current->fs.
 *
 * Visible gates, in order: directory lookup, MAY_EXEC | MAY_CHDIR on the
 * inode, the CAP_SYS_CHROOT capability, and the LSM hook
 * security_path_chroot().
 *
 * Security note: only set_fs_root() is called in the visible lines; nothing
 * here moves the working directory.  A caller that wants confinement also
 * needs to chdir() into the new root.
 */
424 SYSCALL_DEFINE1(chroot, const char __user *, filename)
429 error = user_path_dir(filename, &path);
433 error = inode_permission(path.dentry->d_inode, MAY_EXEC | MAY_CHDIR);
438 if (!capable(CAP_SYS_CHROOT))
440 error = security_path_chroot(&path);
444 set_fs_root(current->fs, &path);
/*
 * fchmod(2): change the permission bits of the inode behind an open fd.
 *
 * NOTE(review): no owner or capability test appears in the visible lines;
 * presumably notify_change() and the filesystem enforce who may change the
 * mode - confirm.  The fd lookup and error paths are in skipped lines.
 */
452 SYSCALL_DEFINE2(fchmod, unsigned int, fd, mode_t, mode)
454 struct inode * inode;
455 struct dentry * dentry;
458 struct iattr newattrs;
464 dentry = file->f_path.dentry;
465 inode = dentry->d_inode;
/* The inode is recorded for audit before any check can fail. */
467 audit_inode(NULL, dentry);
469 err = mnt_want_write_file(file);
/* LSM hook and attribute change both run under i_mutex. */
472 mutex_lock(&inode->i_mutex);
473 err = security_path_chmod(dentry, file->f_vfsmnt, mode);
/* A mode of (mode_t)-1 means "keep the inode's current mode". */
476 if (mode == (mode_t) -1)
477 mode = inode->i_mode;
/*
 * Only bits inside S_IALLUGO are taken from the caller; every other bit of
 * i_mode is carried over from the inode unchanged.
 */
478 newattrs.ia_mode = (mode & S_IALLUGO) | (inode->i_mode & ~S_IALLUGO);
479 newattrs.ia_valid = ATTR_MODE | ATTR_CTIME;
480 err = notify_change(dentry, &newattrs);
482 mutex_unlock(&inode->i_mutex);
483 mnt_drop_write(file->f_path.mnt);
/*
 * fchmodat(2): path-based chmod.  The lookup uses LOOKUP_FOLLOW, so a
 * trailing symlink is resolved and the mode change lands on its target.
 *
 * NOTE(review): as in fchmod(), no owner or capability test appears in the
 * visible lines; presumably notify_change() enforces it - confirm.
 */
490 SYSCALL_DEFINE3(fchmodat, int, dfd, const char __user *, filename, mode_t, mode)
495 struct iattr newattrs;
497 error = user_path_at(dfd, filename, LOOKUP_FOLLOW, &path);
500 inode = path.dentry->d_inode;
502 error = mnt_want_write(path.mnt);
/* LSM hook and attribute change both run under i_mutex. */
505 mutex_lock(&inode->i_mutex);
506 error = security_path_chmod(path.dentry, path.mnt, mode);
/* A mode of (mode_t)-1 means "keep the inode's current mode". */
509 if (mode == (mode_t) -1)
510 mode = inode->i_mode;
/* Caller-controlled bits are limited to S_IALLUGO; the rest come from the inode. */
511 newattrs.ia_mode = (mode & S_IALLUGO) | (inode->i_mode & ~S_IALLUGO);
512 newattrs.ia_valid = ATTR_MODE | ATTR_CTIME;
513 error = notify_change(path.dentry, &newattrs);
515 mutex_unlock(&inode->i_mutex);
516 mnt_drop_write(path.mnt);
/* chmod(2): fchmodat() relative to the current working directory. */
523 SYSCALL_DEFINE2(chmod, const char __user *, filename, mode_t, mode)
525 return sys_fchmodat(AT_FDCWD, filename, mode);
/*
 * chown_common() - shared worker for the chown family.
 *
 * A @user or @group of -1 leaves that id untouched.  The callers visible in
 * this file take mount write access before calling and drop it afterwards.
 *
 * NOTE(review): no owner or capability test appears in the visible lines;
 * presumably notify_change() enforces who may change ownership - confirm.
 */
528 static int chown_common(struct path *path, uid_t user, gid_t group)
530 struct inode *inode = path->dentry->d_inode;
532 struct iattr newattrs;
534 newattrs.ia_valid = ATTR_CTIME;
535 if (user != (uid_t) -1) {
536 newattrs.ia_valid |= ATTR_UID;
537 newattrs.ia_uid = user;
539 if (group != (gid_t) -1) {
540 newattrs.ia_valid |= ATTR_GID;
541 newattrs.ia_gid = group;
/*
 * Security: for anything that is not a directory the request also carries
 * the KILL_SUID / KILL_SGID / KILL_PRIV flags, so setuid/setgid bits and
 * (going by the flag name) file privileges are asked to be dropped with the
 * ownership change.  The left-hand side of this statement is in a skipped
 * line; presumably it ORs into newattrs.ia_valid.
 */
543 if (!S_ISDIR(inode->i_mode))
545 ATTR_KILL_SUID | ATTR_KILL_SGID | ATTR_KILL_PRIV;
/* LSM hook and attribute change both run under i_mutex. */
546 mutex_lock(&inode->i_mutex);
547 error = security_path_chown(path, user, group);
549 error = notify_change(path->dentry, &newattrs);
550 mutex_unlock(&inode->i_mutex);
/*
 * chown(2): resolve the name with user_path(), then run chown_common()
 * bracketed by mnt_want_write() / mnt_drop_write().
 */
555 SYSCALL_DEFINE3(chown, const char __user *, filename, uid_t, user, gid_t, group)
560 error = user_path(filename, &path);
563 error = mnt_want_write(path.mnt);
566 error = chown_common(&path, user, group);
567 mnt_drop_write(path.mnt);
/*
 * fchownat(2): chown relative to a directory fd.
 *
 * AT_SYMLINK_NOFOLLOW is the only flag accepted; any other bit is rejected
 * before the lookup.  With the flag set, the lookup is done without
 * LOOKUP_FOLLOW.
 */
574 SYSCALL_DEFINE5(fchownat, int, dfd, const char __user *, filename, uid_t, user,
575 gid_t, group, int, flag)
/* Unknown flag bits are refused rather than ignored. */
581 if ((flag & ~AT_SYMLINK_NOFOLLOW) != 0)
584 follow = (flag & AT_SYMLINK_NOFOLLOW) ? 0 : LOOKUP_FOLLOW;
585 error = user_path_at(dfd, filename, follow, &path);
588 error = mnt_want_write(path.mnt);
591 error = chown_common(&path, user, group);
592 mnt_drop_write(path.mnt);
/*
 * lchown(2): same sequence as chown(), but the name is resolved with
 * user_lpath() - presumably the lookup that does not follow a trailing
 * symlink; confirm against its definition.
 */
599 SYSCALL_DEFINE3(lchown, const char __user *, filename, uid_t, user, gid_t, group)
604 error = user_lpath(filename, &path);
607 error = mnt_want_write(path.mnt);
610 error = chown_common(&path, user, group);
611 mnt_drop_write(path.mnt);
/*
 * fchown(2): chown on the path behind an open descriptor.  The inode is
 * recorded for audit before chown_common() runs.  The fd lookup and release
 * are in lines this listing skips.
 */
618 SYSCALL_DEFINE3(fchown, unsigned int, fd, uid_t, user, gid_t, group)
622 struct dentry * dentry;
628 error = mnt_want_write_file(file);
631 dentry = file->f_path.dentry;
632 audit_inode(NULL, dentry);
633 error = chown_common(&file->f_path, user, group);
634 mnt_drop_write(file->f_path.mnt);
/*
 * __get_file_write_access() - take the inode write count and, for
 * non-special files, the mount writer count as well.
 *
 * If mnt_want_write() fails, the inode write count taken first is given
 * back (presumably under an error test that is in a skipped line), so a
 * failure leaves neither count held.
 */
642 * You have to be very careful that these write
643 * counts get cleaned up in error cases and
644 * upon __fput(). This should probably never
645 * be called outside of __dentry_open().
647 static inline int __get_file_write_access(struct inode *inode,
648 struct vfsmount *mnt)
651 error = get_write_access(inode);
655 * Do not take mount writer counts on
656 * special files since no writes to
657 * the mount itself will occur.
659 if (!special_file(inode->i_mode)) {
661 * Balanced in __fput()
663 error = mnt_want_write(mnt);
665 put_write_access(inode);
/*
 * __dentry_open() - finish initialising struct file @f for @dentry / @mnt
 * and call the ->open method.
 *
 * Visible sequence: derive f_mode from f_flags, take write access when
 * opening for write, wire up mapping/dentry/f_op, run the LSM hook
 * security_dentry_open(), call @open (or f_op->open when @open is NULL),
 * strip the creation-time flags, then validate O_DIRECT support.  The tail
 * of the function is the error unwind, which ends in ERR_PTR(error).
 *
 * NOTE(review): several parameters, labels and error tests are in lines this
 * listing skips.
 */
670 static struct file *__dentry_open(struct dentry *dentry, struct vfsmount *mnt,
672 int (*open)(struct inode *, struct file *),
673 const struct cred *cred)
678 f->f_mode = OPEN_FMODE(f->f_flags) | FMODE_LSEEK |
679 FMODE_PREAD | FMODE_PWRITE;
680 inode = dentry->d_inode;
/* Write counts are taken here and must be dropped again on every failure below. */
681 if (f->f_mode & FMODE_WRITE) {
682 error = __get_file_write_access(inode, mnt);
685 if (!special_file(inode->i_mode))
689 f->f_mapping = inode->i_mapping;
690 f->f_path.dentry = dentry;
693 f->f_op = fops_get(inode->i_fop);
694 file_sb_list_add(f, inode->i_sb);
/* LSM hook: consulted with the opener's @cred before ->open is invoked. */
696 error = security_dentry_open(f, cred);
/* A NULL @open means "use the file_operations' own open method". */
700 if (!open && f->f_op)
701 open = f->f_op->open;
703 error = open(inode, f);
/* These flags only matter while opening; they are not kept in f_flags. */
709 f->f_flags &= ~(O_CREAT | O_EXCL | O_NOCTTY | O_TRUNC);
711 file_ra_state_init(&f->f_ra, f->f_mapping->host->i_mapping);
713 /* NB: we're sure to have correct a_ops only after f_op->open */
/* O_DIRECT is refused with -EINVAL when the mapping offers neither direct_IO nor get_xip_mem. */
714 if (f->f_flags & O_DIRECT) {
715 if (!f->f_mapping->a_ops ||
716 ((!f->f_mapping->a_ops->direct_IO) &&
717 (!f->f_mapping->a_ops->get_xip_mem))) {
719 f = ERR_PTR(-EINVAL);
/* Error unwind: give back the write access taken at the top. */
727 if (f->f_mode & FMODE_WRITE) {
728 put_write_access(inode);
729 if (!special_file(inode->i_mode)) {
731 * We don't consider this a real
732 * mnt_want/drop_write() pair
733 * because it all happenend right
734 * here, so just reset the state.
/* The file no longer refers to the dentry or mount once the open has failed. */
741 f->f_path.dentry = NULL;
742 f->f_path.mnt = NULL;
747 return ERR_PTR(error);
751 * lookup_instantiate_filp - instantiates the open intent filp
752 * @nd: pointer to nameidata
753 * @dentry: pointer to dentry
754 * @open: open callback
756 * Helper for filesystems that want to use lookup open intents and pass back
757 * a fully instantiated struct file to the caller.
758 * This function is meant to be called from within a filesystem's
760 * Beware of calling it for non-regular files! Those ->open methods might block
761 * (e.g. in fifo_open), leaving you with parent locked (and in case of fifo,
762 * leading to a deadlock, as nobody can open that fifo anymore, because
763 * another process to open fifo will block on locked parent when doing lookup).
764 * Note that in case of error, nd->intent.open.file is destroyed, but the
765 * path information remains valid.
766 * If the open callback is set to NULL, then the standard f_op->open()
767 * filesystem callback is substituted.
769 struct file *lookup_instantiate_filp(struct nameidata *nd, struct dentry *dentry,
770 int (*open)(struct inode *, struct file *))
/* The open is performed with the calling task's current credentials. */
772 const struct cred *cred = current_cred();
/* An intent file that already holds an error is not opened again. */
774 if (IS_ERR(nd->intent.open.file))
/* dget()/mntget() take the references that __dentry_open() receives. */
778 nd->intent.open.file = __dentry_open(dget(dentry), mntget(nd->path.mnt),
779 nd->intent.open.file,
782 return nd->intent.open.file;
/*
 * Error path: the intent is released and @dentry, cast to struct file *,
 * becomes the result.  Presumably @dentry carries an ERR_PTR here; the test
 * that leads to this path is in a skipped line.
 */
784 release_open_intent(nd);
785 nd->intent.open.file = (struct file *)dentry;
788 EXPORT_SYMBOL_GPL(lookup_instantiate_filp);
791 * nameidata_to_filp - convert a nameidata to an open filp.
792 * @nd: pointer to nameidata
795 * Note that this function destroys the original nameidata
797 struct file *nameidata_to_filp(struct nameidata *nd)
/* The open is performed with the calling task's current credentials. */
799 const struct cred *cred = current_cred();
802 /* Pick up the filp from the open intent */
/* Ownership of the filp moves to this function; the intent slot is cleared. */
803 filp = nd->intent.open.file;
804 nd->intent.open.file = NULL;
806 /* Has the filesystem initialised the file for us? */
/* A NULL dentry means it has not, so the generic open path runs here. */
807 if (filp->f_path.dentry == NULL) {
809 filp = __dentry_open(nd->path.dentry, nd->path.mnt, filp,
/*
 * dentry_open() - open @dentry on @mnt with the given @flags on behalf of
 * @cred.  Returns an ERR_PTR on the failure paths shown below.
 */
816 * dentry_open() will have done dput(dentry) and mntput(mnt) if it returns an
819 struct file *dentry_open(struct dentry *dentry, struct vfsmount *mnt, int flags,
820 const struct cred *cred)
/* Check on the caller-supplied credentials - presumably a debug sanity test; confirm. */
825 validate_creds(cred);
828 * We must always pass in a valid mount pointer. Historically
829 * callers got away with not passing it, but we must enforce this at
830 * the earliest possible point now to avoid strange problems deep in the
/* A missing mount is logged and refused instead of being dereferenced later. */
834 printk(KERN_WARNING "%s called with NULL vfsmount\n", __func__);
836 return ERR_PTR(-EINVAL);
840 f = get_empty_filp();
844 return ERR_PTR(error);
/* NULL open callback: __dentry_open() falls back to f_op->open. */
848 return __dentry_open(dentry, mnt, f, NULL, cred);
850 EXPORT_SYMBOL(dentry_open);
/*
 * __put_unused_fd() - mark @fd as free in the open_fds bitmap.
 * Both callers visible in this file hold files->file_lock around the call.
 * The statement guarded by the next_fd comparison is in a skipped line.
 */
852 static void __put_unused_fd(struct files_struct *files, unsigned int fd)
854 struct fdtable *fdt = files_fdtable(files);
855 __FD_CLR(fd, fdt->open_fds);
856 if (fd < files->next_fd)
/* put_unused_fd() - locked wrapper: releases @fd in the current task's table. */
860 void put_unused_fd(unsigned int fd)
862 struct files_struct *files = current->files;
863 spin_lock(&files->file_lock);
864 __put_unused_fd(files, fd);
865 spin_unlock(&files->file_lock);
868 EXPORT_SYMBOL(put_unused_fd);
871 * Install a file pointer in the fd array.
873 * The VFS is full of places where we drop the files lock between
874 * setting the open_fds bitmap and installing the file in the file
875 * array. At any such point, we are vulnerable to a dup2() race
876 * installing a file in the array before us. We need to detect this and
877 * fput() the struct file we are about to overwrite in this case.
879 * It should never happen - if we allow dup2() do it, _really_ bad things
883 void fd_install(unsigned int fd, struct file *file)
885 struct files_struct *files = current->files;
887 spin_lock(&files->file_lock);
888 fdt = files_fdtable(files);
/*
 * An already-occupied slot is treated as a fatal bug rather than silently
 * overwritten.  No range check on @fd is visible here; presumably the fd
 * always comes from the allocator - confirm against callers.
 */
889 BUG_ON(fdt->fd[fd] != NULL);
/* Publish the pointer with rcu_assign_pointer(), while file_lock is held. */
890 rcu_assign_pointer(fdt->fd[fd], file);
891 spin_unlock(&files->file_lock);
894 EXPORT_SYMBOL(fd_install);
/*
 * do_sys_open() - common implementation behind open(), openat() and creat().
 *
 * getname() brings the user-space pathname into kernel memory; a failure
 * comes back as an error pointer, which is why fd is seeded with
 * PTR_ERR(tmp).  The error tests, fd_install() and cleanup are in lines this
 * listing skips.
 */
896 long do_sys_open(int dfd, const char __user *filename, int flags, int mode)
898 char *tmp = getname(filename);
899 int fd = PTR_ERR(tmp);
/* Reserve a descriptor number first, then perform the actual open. */
902 fd = get_unused_fd_flags(flags);
904 struct file *f = do_filp_open(dfd, tmp, flags, mode, 0);
/*
 * Tracepoint carrying the kernel copy of the path plus flags and mode; a
 * source of file-open telemetry for monitoring.  Whether it fires only on
 * success cannot be told from the visible lines.
 */
911 trace_do_sys_open(tmp, flags, mode);
/*
 * open(2): do_sys_open() relative to the current working directory.
 * O_LARGEFILE is added when force_o_largefile() says so.
 */
919 SYSCALL_DEFINE3(open, const char __user *, filename, int, flags, int, mode)
923 if (force_o_largefile())
924 flags |= O_LARGEFILE;
926 ret = do_sys_open(AT_FDCWD, filename, flags, mode);
927 /* avoid REGPARM breakage on x86: */
928 asmlinkage_protect(3, ret, filename, flags, mode);
/*
 * openat(2): like open(), but the lookup starts from @dfd.
 * NOTE(review): the last parameter of the definition is in a skipped line.
 */
932 SYSCALL_DEFINE4(openat, int, dfd, const char __user *, filename, int, flags,
937 if (force_o_largefile())
938 flags |= O_LARGEFILE;
940 ret = do_sys_open(dfd, filename, flags, mode);
941 /* avoid REGPARM breakage on x86: */
942 asmlinkage_protect(4, ret, dfd, filename, flags, mode);
/* creat(2): open() with O_CREAT | O_WRONLY | O_TRUNC. */
949 * For backward compatibility? Maybe this should be moved
950 * into arch/i386 instead?
952 SYSCALL_DEFINE2(creat, const char __user *, pathname, int, mode)
954 return sys_open(pathname, O_CREAT | O_WRONLY | O_TRUNC, mode);
/*
 * filp_close() - close-time work for @filp on behalf of owner @id.
 *
 * Visible steps: refuse (and log) a file whose count is already zero, call
 * the ->flush method when there is one, then flush dnotify state and remove
 * POSIX locks for @id.  The final release and the return statement are in
 * lines this listing skips.
 */
960 * "id" is the POSIX thread ID. We use the
961 * files pointer for this..
963 int filp_close(struct file *filp, fl_owner_t id)
/* A zero count means the caller is closing a file it no longer holds. */
967 if (!file_count(filp)) {
968 printk(KERN_ERR "VFS: Close: file count is 0\n");
972 if (filp->f_op && filp->f_op->flush)
973 retval = filp->f_op->flush(filp, id);
975 dnotify_flush(filp, id);
976 locks_remove_posix(filp, id);
981 EXPORT_SYMBOL(filp_close);
/*
 * close(2): detach @fd from the current task's table, then close the file.
 *
 * The table slot, the close-on-exec bit and the open_fds bit are all cleared
 * under file_lock; filp_close() runs only after the lock is dropped.
 */
984 * Careful here! We test whether the file pointer is NULL before
985 * releasing the fd. This ensures that one clone task can't release
986 * an fd while another clone is opening it.
988 SYSCALL_DEFINE1(close, unsigned int, fd)
991 struct files_struct *files = current->files;
995 spin_lock(&files->file_lock);
996 fdt = files_fdtable(files);
/* The user-supplied fd is bounds-checked before it indexes the table. */
997 if (fd >= fdt->max_fds)
1002 rcu_assign_pointer(fdt->fd[fd], NULL);
1003 FD_CLR(fd, fdt->close_on_exec);
1004 __put_unused_fd(files, fd);
1005 spin_unlock(&files->file_lock);
/* The files pointer doubles as the lock-owner id. */
1006 retval = filp_close(filp, files);
1008 /* can't restart close syscall because file table entry was cleared */
/* The value substituted for these restart codes is in a skipped line. */
1009 if (unlikely(retval == -ERESTARTSYS ||
1010 retval == -ERESTARTNOINTR ||
1011 retval == -ERESTARTNOHAND ||
1012 retval == -ERESTART_RESTARTBLOCK))
/* Failure exit: drop the lock taken above. */
1018 spin_unlock(&files->file_lock);
1021 EXPORT_SYMBOL(sys_close);
/*
 * vhangup(2): gated on CAP_SYS_TTY_CONFIG.  The action taken when the
 * capability is held, and the result otherwise, are in skipped lines.
 */
1024 * This routine simulates a hangup on the tty, to arrange that users
1025 * are given clean terminals at login time.
1027 SYSCALL_DEFINE0(vhangup)
1029 if (capable(CAP_SYS_TTY_CONFIG)) {
/*
 * generic_file_open() - large-file guard for an ->open method.
 * The value returned when the test below trips is in a skipped line.
 */
1037 * Called when an inode is about to be open.
1038 * We use this to disallow opening large files on 32bit systems if
1039 * the caller didn't specify O_LARGEFILE. On 64bit systems we force
1040 * on this flag in sys_open.
1042 int generic_file_open(struct inode * inode, struct file * filp)
/* Trips when the file is larger than MAX_NON_LFS and O_LARGEFILE is not set. */
1044 if (!(filp->f_flags & O_LARGEFILE) && i_size_read(inode) > MAX_NON_LFS)
1049 EXPORT_SYMBOL(generic_file_open);
/*
 * nonseekable_open() - ->open helper that removes the lseek, pread and
 * pwrite capabilities from the file's f_mode.
 */
1052 * This is used by subsystems that don't want seekable
1053 * file descriptors. The function is not supposed to ever fail, the only
1054 * reason it returns an 'int' and not 'void' is so that it can be plugged
1055 * directly into file_operations structure.
1057 int nonseekable_open(struct inode *inode, struct file *filp)
/* Clears the three mode bits that __dentry_open() sets unconditionally. */
1059 filp->f_mode &= ~(FMODE_LSEEK | FMODE_PREAD | FMODE_PWRITE);
1063 EXPORT_SYMBOL(nonseekable_open);