From patchwork Fri Mar 22 15:09:54 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: =?utf-8?q?G=C3=BCnther_Noack?= X-Patchwork-Id: 13600245 X-Patchwork-Delegate: paul@paul-moore.com Received: from mail-yw1-f201.google.com (mail-yw1-f201.google.com [209.85.128.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 3CC3A4DA04 for ; Fri, 22 Mar 2024 15:10:24 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.128.201 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1711120226; cv=none; b=ZCJJDC+2YJoTEqx3TEDV67SeY4Fc1HtI+K+MeMfNbJ/7M26nEw3TvJr/zropKDUgigg9vN/zfabFuGd5U8yOtdEvhzzOoMMWmeSNWo9vPtfuixuKz01dGRq6QVSzcdmHlVxYYnViMuPVk2g20Puc3rjuJM4bkt4gK46hvIaG9WQ= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1711120226; c=relaxed/simple; bh=+Hidl1ehKUSK8ydVzl55FyxdRreg3sym0kYT+TQBai8=; h=Date:In-Reply-To:Mime-Version:References:Message-ID:Subject:From: To:Cc:Content-Type; b=Rv2xGMa4wmlkYLB2SpwR89hVBeZFjpbnuuCvaiX7j5yZBJg+yl1i24ov48fwWyW4bTWkFUPWodT0e6HS5MJOcIAetob+ysCQOblwNzogtTOJVj2A25q4VFnlBfCt98W6vN+uzSMR+gIhsbsvc+wt28ubg2piQLDBoaHecdldrr0= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=google.com; spf=pass smtp.mailfrom=flex--gnoack.bounces.google.com; dkim=pass (2048-bit key) header.d=google.com header.i=@google.com header.b=aD2x6u1b; arc=none smtp.client-ip=209.85.128.201 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=google.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=flex--gnoack.bounces.google.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=google.com header.i=@google.com header.b="aD2x6u1b" Received: by mail-yw1-f201.google.com with SMTP id 00721157ae682-60a20c33f06so29765507b3.2 for ; Fri, 22 Mar 2024 08:10:24 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20230601; t=1711120223; x=1711725023; darn=vger.kernel.org; h=content-transfer-encoding:cc:to:from:subject:message-id:references :mime-version:in-reply-to:date:from:to:cc:subject:date:message-id :reply-to; bh=rrMfPjDTmime8VPkqMYXqjoi2kkgDssgVWNi4eoAsFo=; b=aD2x6u1b6VdYdGYiRrVrpmc1iOK2RVDAKOd0pSWe080t8eXDPvpdpSDSF/oAAf4Lwy qZYvTV45HnOxbj9A+PZVkJ0Z7H/NQYnzhNu0Rg5kk8D6KIuRJVEgk7nyaHNcTroduxVV 4UdX4pJXlShqVOdbQGe7Nzom8Qbl3cIxuWgSoMKO2EZMJNasrGs9djN4NRXa1tbrHP8o Cb2pqxl/r4X07sH5UVFRjsrcXUBV8BqeVPEURl3Ru++KGo9eLDY7fS0d4uDu8+fMj9Mn GYQWDlDpHd9uJ75nO5LISCdx1o1yJoNqQFNz0IW3MAy2NGh5c/7WpYV7oE17bTWehFb7 bhAw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1711120223; x=1711725023; h=content-transfer-encoding:cc:to:from:subject:message-id:references :mime-version:in-reply-to:date:x-gm-message-state:from:to:cc:subject :date:message-id:reply-to; bh=rrMfPjDTmime8VPkqMYXqjoi2kkgDssgVWNi4eoAsFo=; b=QhQOXWRScbTD2ZDMPzLMt/TRz5Hyepfl+FKUOh3gUt8nZ7qj6Ih9GvJQz6xmHBbG32 LRZeZHN0woMwHDov09YNZYvDg9OgadwnEcSHwQzJYUYbHF/jyvFa0k7SQFw41Ww9/X5M VEaDIeYnFHFYB2IuX6l+rLIjBzUqoATUzSv1qPtri7Gc5vBQUkwNdomhUKKU6FtAhWGJ bMaTPrqmGJCUnCk+U8y7STQf8iwyPdeWZddzCvBfntr0sv+ZI6kyzbCaYBcmtO08H5V3 CL06gBeTbMf2dLY2KcKCAcUAFMbL8jYHsSMQEKmHkjpR26TvdY4JpGvOEbVugVd0LD/B Lbpg== X-Gm-Message-State: AOJu0YxE8rGUZhxYymHsqvuHhTzm2/Ut20IZ/MUhb9PePLRR/5QBT07O LCSwxtlnOyyQry3uUvVBTb0hQrI2dR7EnTGAZYFUYwOs+QELhw/RENZkmqY6NruN4lBZN9eSA+d WBTl54Igg1TgL5mEY4NFUijA+DV1x+EJzuTpBezGZ4dhDofsl56YKNBvow0vhqvCw3x9UBCtLkc W3MBDRAKokvPLvqKa4HaaOxJR6VJSHYEhj7Etr3r7cfYiSUoaCruUE X-Google-Smtp-Source: AGHT+IGlES/YNQ9UCh4CUNIF73oHCTUaMPNnteBer91iiVVUBqjuPX3EV2H6/jWDpiW9Dn/g7KKRRLWqLIA= X-Received: from swim.c.googlers.com ([fda3:e722:ac3:cc00:31:98fb:c0a8:1605]) (user=gnoack job=sendgmr) by 2002:a81:5213:0:b0:610:ee9b:430c with SMTP id g19-20020a815213000000b00610ee9b430cmr627465ywb.5.1711120223243; Fri, 22 Mar 2024 08:10:23 -0700 (PDT) Date: Fri, 22 Mar 2024 15:09:54 +0000 In-Reply-To: <20240322151002.3653639-1-gnoack@google.com> Precedence: bulk X-Mailing-List: linux-security-module@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: Mime-Version: 1.0 References: <20240322151002.3653639-1-gnoack@google.com> X-Mailer: git-send-email 2.44.0.396.g6e790dbe36-goog Message-ID: <20240322151002.3653639-2-gnoack@google.com> Subject: [PATCH v11 1/9] fs: Add and use vfs_get_ioctl_handler() From: " =?utf-8?q?G=C3=BCnther_Noack?= " To: linux-security-module@vger.kernel.org, " =?utf-8?q?Micka=C3=ABl_Sala?= =?utf-8?q?=C3=BCn?= " Cc: Jeff Xu , Jorge Lucangeli Obes , Allen Webb , Dmitry Torokhov , Paul Moore , Konstantin Meskhidze , Matt Bobrowski , linux-fsdevel@vger.kernel.org, Arnd Bergmann , Christian Brauner , " =?utf-8?q?G=C3=BCnther_Noack?= " From: Mickaël Salaün Add a new vfs_get_ioctl_handler() helper to identify if an IOCTL command is handled by the first IOCTL layer. Each IOCTL command is now handled by a dedicated function, and all of them use the same signature. Apart from the VFS, this helper is also intended to be used by Landlock to cleanly categorize VFS IOCTLs and create appropriate security policies. This is an alternative to a first RFC [1] and a proposal for a new LSM hook [2]. By dereferencing some pointers only when required, this should also slightly improve do_vfs_ioctl(). Remove (double) pointer castings on put_user() calls. Remove potential double vfs_ioctl() call for FIONREAD. Fix ioctl_file_clone_range() return type from long to int. Cc: Arnd Bergmann Cc: Christian Brauner Cc: Günther Noack Cc: Paul Moore Link: https://lore.kernel.org/r/20240219183539.2926165-1-mic@digikod.net [1] Link: https://lore.kernel.org/r/20240309075320.160128-2-gnoack@google.com [2] Signed-off-by: Mickaël Salaün --- fs/ioctl.c | 213 +++++++++++++++++++++++++++++++-------------- include/linux/fs.h | 6 ++ 2 files changed, 155 insertions(+), 64 deletions(-) diff --git a/fs/ioctl.c b/fs/ioctl.c index 76cf22ac97d7..d2b6691ded16 100644 --- a/fs/ioctl.c +++ b/fs/ioctl.c @@ -56,8 +56,9 @@ long vfs_ioctl(struct file *filp, unsigned int cmd, unsigned long arg) } EXPORT_SYMBOL(vfs_ioctl); -static int ioctl_fibmap(struct file *filp, int __user *p) +static int ioctl_fibmap(struct file *filp, unsigned int fd, unsigned long arg) { + int __user *p = (void __user *)arg; struct inode *inode = file_inode(filp); struct super_block *sb = inode->i_sb; int error, ur_block; @@ -197,11 +198,12 @@ int fiemap_prep(struct inode *inode, struct fiemap_extent_info *fieinfo, } EXPORT_SYMBOL(fiemap_prep); -static int ioctl_fiemap(struct file *filp, struct fiemap __user *ufiemap) +static int ioctl_fiemap(struct file *filp, unsigned int fd, unsigned long arg) { struct fiemap fiemap; struct fiemap_extent_info fieinfo = { 0, }; struct inode *inode = file_inode(filp); + struct fiemap __user *ufiemap = (void __user *)arg; int error; if (!inode->i_op->fiemap) @@ -228,6 +230,18 @@ static int ioctl_fiemap(struct file *filp, struct fiemap __user *ufiemap) return error; } +static int ioctl_figetbsz(struct file *file, unsigned int fd, unsigned long arg) +{ + struct inode *inode = file_inode(file); + int __user *argp = (void __user *)arg; + + /* anon_bdev filesystems may not have a block size */ + if (!inode->i_sb->s_blocksize) + return -EINVAL; + + return put_user(inode->i_sb->s_blocksize, argp); +} + static long ioctl_file_clone(struct file *dst_file, unsigned long srcfd, u64 off, u64 olen, u64 destoff) { @@ -249,9 +263,15 @@ static long ioctl_file_clone(struct file *dst_file, unsigned long srcfd, return ret; } -static long ioctl_file_clone_range(struct file *file, - struct file_clone_range __user *argp) +static int ioctl_ficlone(struct file *file, unsigned int fd, unsigned long arg) +{ + return ioctl_file_clone(file, arg, 0, 0, 0); +} + +static int ioctl_file_clone_range(struct file *file, unsigned int fd, + unsigned long arg) { + struct file_clone_range __user *argp = (void __user *)arg; struct file_clone_range args; if (copy_from_user(&args, argp, sizeof(args))) @@ -292,6 +312,27 @@ static int ioctl_preallocate(struct file *filp, int mode, void __user *argp) sr.l_len); } +static int ioctl_resvsp(struct file *filp, unsigned int fd, unsigned long arg) +{ + int __user *p = (void __user *)arg; + + return ioctl_preallocate(filp, 0, p); +} + +static int ioctl_unresvsp(struct file *filp, unsigned int fd, unsigned long arg) +{ + int __user *p = (void __user *)arg; + + return ioctl_preallocate(filp, FALLOC_FL_PUNCH_HOLE, p); +} + +static int ioctl_zero_range(struct file *filp, unsigned int fd, unsigned long arg) +{ + int __user *p = (void __user *)arg; + + return ioctl_preallocate(filp, FALLOC_FL_ZERO_RANGE, p); +} + /* on ia32 l_start is on a 32-bit boundary */ #if defined CONFIG_COMPAT && defined(CONFIG_X86_64) /* just account for different alignment */ @@ -321,28 +362,41 @@ static int compat_ioctl_preallocate(struct file *file, int mode, } #endif -static int file_ioctl(struct file *filp, unsigned int cmd, int __user *p) +static ioctl_handler_t file_ioctl(unsigned int cmd) { switch (cmd) { case FIBMAP: - return ioctl_fibmap(filp, p); + return ioctl_fibmap; case FS_IOC_RESVSP: case FS_IOC_RESVSP64: - return ioctl_preallocate(filp, 0, p); + return ioctl_resvsp; case FS_IOC_UNRESVSP: case FS_IOC_UNRESVSP64: - return ioctl_preallocate(filp, FALLOC_FL_PUNCH_HOLE, p); + return ioctl_unresvsp; case FS_IOC_ZERO_RANGE: - return ioctl_preallocate(filp, FALLOC_FL_ZERO_RANGE, p); + return ioctl_zero_range; } - return -ENOIOCTLCMD; + return NULL; +} + +static int ioctl_fioclex(struct file *file, unsigned int fd, unsigned long arg) +{ + set_close_on_exec(fd, 1); + return 0; +} + +static int ioctl_fionclex(struct file *file, unsigned int fd, unsigned long arg) +{ + set_close_on_exec(fd, 0); + return 0; } -static int ioctl_fionbio(struct file *filp, int __user *argp) +static int ioctl_fionbio(struct file *filp, unsigned int fd, unsigned long arg) { unsigned int flag; int on, error; + int __user *argp = (void __user *)arg; error = get_user(on, argp); if (error) @@ -362,11 +416,11 @@ static int ioctl_fionbio(struct file *filp, int __user *argp) return error; } -static int ioctl_fioasync(unsigned int fd, struct file *filp, - int __user *argp) +static int ioctl_fioasync(struct file *filp, unsigned int fd, unsigned long arg) { unsigned int flag; int on, error; + int __user *argp = (void __user *)arg; error = get_user(on, argp); if (error) @@ -384,7 +438,22 @@ static int ioctl_fioasync(unsigned int fd, struct file *filp, return error < 0 ? error : 0; } -static int ioctl_fsfreeze(struct file *filp) +static int ioctl_fioqsize(struct file *file, unsigned int fd, unsigned long arg) +{ + struct inode *inode = file_inode(file); + void __user *argp = (void __user *)arg; + + if (S_ISDIR(inode->i_mode) || S_ISREG(inode->i_mode) || + S_ISLNK(inode->i_mode)) { + loff_t res = inode_get_bytes(inode); + + return copy_to_user(argp, &res, sizeof(res)) ? -EFAULT : 0; + } + + return -ENOTTY; +} + +static int ioctl_fsfreeze(struct file *filp, unsigned int fd, unsigned long arg) { struct super_block *sb = file_inode(filp)->i_sb; @@ -401,7 +470,7 @@ static int ioctl_fsfreeze(struct file *filp) return freeze_super(sb, FREEZE_HOLDER_USERSPACE); } -static int ioctl_fsthaw(struct file *filp) +static int ioctl_fsthaw(struct file *filp, unsigned int fd, unsigned long arg) { struct super_block *sb = file_inode(filp)->i_sb; @@ -414,9 +483,9 @@ static int ioctl_fsthaw(struct file *filp) return thaw_super(sb, FREEZE_HOLDER_USERSPACE); } -static int ioctl_file_dedupe_range(struct file *file, - struct file_dedupe_range __user *argp) +static int ioctl_file_dedupe_range(struct file *file, unsigned int fd, unsigned long arg) { + struct file_dedupe_range __user *argp = (void __user *)arg; struct file_dedupe_range *same = NULL; int ret; unsigned long size; @@ -454,6 +523,14 @@ static int ioctl_file_dedupe_range(struct file *file, return ret; } +static int ioctl_fionread(struct file *filp, unsigned int fd, unsigned long arg) +{ + int __user *argp = (void __user *)arg; + struct inode *inode = file_inode(filp); + + return put_user(i_size_read(inode) - filp->f_pos, argp); +} + /** * fileattr_fill_xflags - initialize fileattr with xflags * @fa: fileattr pointer @@ -702,8 +779,9 @@ int vfs_fileattr_set(struct mnt_idmap *idmap, struct dentry *dentry, } EXPORT_SYMBOL(vfs_fileattr_set); -static int ioctl_getflags(struct file *file, unsigned int __user *argp) +static int ioctl_getflags(struct file *file, unsigned int fd, unsigned long arg) { + unsigned int __user *argp = (void __user *)arg; struct fileattr fa = { .flags_valid = true }; /* hint only */ int err; @@ -713,8 +791,9 @@ static int ioctl_getflags(struct file *file, unsigned int __user *argp) return err; } -static int ioctl_setflags(struct file *file, unsigned int __user *argp) +static int ioctl_setflags(struct file *file, unsigned int fd, unsigned long arg) { + unsigned int __user *argp = (void __user *)arg; struct mnt_idmap *idmap = file_mnt_idmap(file); struct dentry *dentry = file->f_path.dentry; struct fileattr fa; @@ -733,8 +812,9 @@ static int ioctl_setflags(struct file *file, unsigned int __user *argp) return err; } -static int ioctl_fsgetxattr(struct file *file, void __user *argp) +static int ioctl_fsgetxattr(struct file *file, unsigned int fd, unsigned long arg) { + struct fsxattr __user *argp = (void __user *)arg; struct fileattr fa = { .fsx_valid = true }; /* hint only */ int err; @@ -745,8 +825,9 @@ static int ioctl_fsgetxattr(struct file *file, void __user *argp) return err; } -static int ioctl_fssetxattr(struct file *file, void __user *argp) +static int ioctl_fssetxattr(struct file *file, unsigned int fd, unsigned long arg) { + struct fsxattr __user *argp = (void __user *)arg; struct mnt_idmap *idmap = file_mnt_idmap(file); struct dentry *dentry = file->f_path.dentry; struct fileattr fa; @@ -764,94 +845,98 @@ static int ioctl_fssetxattr(struct file *file, void __user *argp) } /* - * do_vfs_ioctl() is not for drivers and not intended to be EXPORT_SYMBOL()'d. - * It's just a simple helper for sys_ioctl and compat_sys_ioctl. + * Return NULL when no handler exists for @cmd, or the appropriate function + * otherwise. This means that these handlers should never return -ENOIOCTLCMD. * * When you add any new common ioctls to the switches above and below, * please ensure they have compatible arguments in compat mode. */ -static int do_vfs_ioctl(struct file *filp, unsigned int fd, - unsigned int cmd, unsigned long arg) +ioctl_handler_t vfs_get_ioctl_handler(struct file *filp, unsigned int cmd) { - void __user *argp = (void __user *)arg; - struct inode *inode = file_inode(filp); - switch (cmd) { case FIOCLEX: - set_close_on_exec(fd, 1); - return 0; + return ioctl_fioclex; case FIONCLEX: - set_close_on_exec(fd, 0); - return 0; + return ioctl_fionclex; case FIONBIO: - return ioctl_fionbio(filp, argp); + return ioctl_fionbio; case FIOASYNC: - return ioctl_fioasync(fd, filp, argp); + return ioctl_fioasync; case FIOQSIZE: - if (S_ISDIR(inode->i_mode) || S_ISREG(inode->i_mode) || - S_ISLNK(inode->i_mode)) { - loff_t res = inode_get_bytes(inode); - return copy_to_user(argp, &res, sizeof(res)) ? - -EFAULT : 0; - } - - return -ENOTTY; + return ioctl_fioqsize; case FIFREEZE: - return ioctl_fsfreeze(filp); + return ioctl_fsfreeze; case FITHAW: - return ioctl_fsthaw(filp); + return ioctl_fsthaw; case FS_IOC_FIEMAP: - return ioctl_fiemap(filp, argp); + return ioctl_fiemap; case FIGETBSZ: - /* anon_bdev filesystems may not have a block size */ - if (!inode->i_sb->s_blocksize) - return -EINVAL; - - return put_user(inode->i_sb->s_blocksize, (int __user *)argp); + return ioctl_figetbsz; case FICLONE: - return ioctl_file_clone(filp, arg, 0, 0, 0); + return ioctl_ficlone; case FICLONERANGE: - return ioctl_file_clone_range(filp, argp); + return ioctl_file_clone_range; case FIDEDUPERANGE: - return ioctl_file_dedupe_range(filp, argp); + return ioctl_file_dedupe_range; case FIONREAD: - if (!S_ISREG(inode->i_mode)) - return vfs_ioctl(filp, cmd, arg); + if (!S_ISREG(file_inode(filp)->i_mode)) + break; - return put_user(i_size_read(inode) - filp->f_pos, - (int __user *)argp); + return ioctl_fionread; case FS_IOC_GETFLAGS: - return ioctl_getflags(filp, argp); + return ioctl_getflags; case FS_IOC_SETFLAGS: - return ioctl_setflags(filp, argp); + return ioctl_setflags; case FS_IOC_FSGETXATTR: - return ioctl_fsgetxattr(filp, argp); + return ioctl_fsgetxattr; case FS_IOC_FSSETXATTR: - return ioctl_fssetxattr(filp, argp); + return ioctl_fssetxattr; default: - if (S_ISREG(inode->i_mode)) - return file_ioctl(filp, cmd, argp); + if (S_ISREG(file_inode(filp)->i_mode)) + return file_ioctl(cmd); break; } - return -ENOIOCTLCMD; + /* Forwards call to vfs_ioctl(filp, cmd, arg) */ + return NULL; +} + +/* + * do_vfs_ioctl() is not for drivers and not intended to be EXPORT_SYMBOL()'d. + * It's just a simple helper for sys_ioctl and compat_sys_ioctl. + */ +static int do_vfs_ioctl(struct file *filp, unsigned int fd, + unsigned int cmd, unsigned long arg) +{ + ioctl_handler_t handler = vfs_get_ioctl_handler(filp, cmd); + int ret; + + if (!handler) + return -ENOIOCTLCMD; + + ret = (*handler)(filp, fd, arg); + /* Makes sure handle() really handles this command. */ + if (WARN_ON_ONCE(ret == -ENOIOCTLCMD)) + return -ENOTTY; + + return ret; } SYSCALL_DEFINE3(ioctl, unsigned int, fd, unsigned int, cmd, unsigned long, arg) diff --git a/include/linux/fs.h b/include/linux/fs.h index 1fbc72c5f112..92bf421aae83 100644 --- a/include/linux/fs.h +++ b/include/linux/fs.h @@ -1904,6 +1904,12 @@ extern long compat_ptr_ioctl(struct file *file, unsigned int cmd, #define compat_ptr_ioctl NULL #endif +typedef int (*ioctl_handler_t)(struct file *file, unsigned int fd, + unsigned long arg); + +extern ioctl_handler_t vfs_get_ioctl_handler(struct file *filp, + unsigned int cmd); + /* * VFS file helper functions. */