2 * Copyright (c) 1989, 1993
3 * The Regents of the University of California. All rights reserved.
4 * (c) UNIX System Laboratories, Inc.
5 * All or some portions of this file are derived from material licensed
6 * to the University of California by American Telephone and Telegraph
7 * Co. or Unix System Laboratories, Inc. and are reproduced herein with
8 * the permission of UNIX System Laboratories, Inc.
10 * Redistribution and use in source and binary forms, with or without
11 * modification, are permitted provided that the following conditions
13 * 1. Redistributions of source code must retain the above copyright
14 * notice, this list of conditions and the following disclaimer.
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in the
17 * documentation and/or other materials provided with the distribution.
18 * 3. All advertising materials mentioning features or use of this software
19 * must display the following acknowledgement:
20 * This product includes software developed by the University of
21 * California, Berkeley and its contributors.
22 * 4. Neither the name of the University nor the names of its contributors
23 * may be used to endorse or promote products derived from this software
24 * without specific prior written permission.
26 * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
27 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
28 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
29 * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
30 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
31 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
32 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
33 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
34 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
35 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
38 * @(#)vfs_syscalls.c 8.13 (Berkeley) 4/15/94
39 * $FreeBSD: src/sys/kern/vfs_syscalls.c,v 1.151.2.18 2003/04/04 20:35:58 tegge Exp $
40 * $DragonFly: src/sys/kern/vfs_syscalls.c,v 1.135 2008/11/11 00:55:49 pavalos Exp $
43 #include <sys/param.h>
44 #include <sys/systm.h>
47 #include <sys/sysent.h>
48 #include <sys/malloc.h>
49 #include <sys/mount.h>
50 #include <sys/mountctl.h>
51 #include <sys/sysproto.h>
52 #include <sys/filedesc.h>
53 #include <sys/kernel.h>
54 #include <sys/fcntl.h>
56 #include <sys/linker.h>
58 #include <sys/unistd.h>
59 #include <sys/vnode.h>
63 #include <sys/namei.h>
64 #include <sys/nlookup.h>
65 #include <sys/dirent.h>
66 #include <sys/extattr.h>
67 #include <sys/spinlock.h>
68 #include <sys/kern_syscall.h>
69 #include <sys/objcache.h>
70 #include <sys/sysctl.h>
73 #include <sys/file2.h>
74 #include <sys/spinlock2.h>
77 #include <vm/vm_object.h>
78 #include <vm/vm_page.h>
80 #include <machine/limits.h>
81 #include <machine/stdarg.h>
83 #include <vfs/union/union.h>
85 static void mount_warning(struct mount *mp, const char *ctl, ...);
86 static int mount_path(struct proc *p, struct mount *mp, char **rb, char **fb);
87 static int checkvp_chdir (struct vnode *vn, struct thread *td);
88 static void checkdirs (struct nchandle *old_nch, struct nchandle *new_nch);
89 static int chroot_refuse_vdir_fds (struct filedesc *fdp);
90 static int chroot_visible_mnt(struct mount *mp, struct proc *p);
91 static int getutimes (const struct timeval *, struct timespec *);
92 static int setfown (struct vnode *, uid_t, gid_t);
93 static int setfmode (struct vnode *, int);
94 static int setfflags (struct vnode *, int);
95 static int setutimes (struct vnode *, const struct timespec *, int);
96 static int usermount = 0; /* if 1, non-root can mount fs. */
98 int (*union_dircheckp) (struct thread *, struct vnode **, struct file *);
100 SYSCTL_INT(_vfs, OID_AUTO, usermount, CTLFLAG_RW, &usermount, 0, "");
103 * Virtual File System System Calls
107 * Mount a file system.
110 * mount_args(char *type, char *path, int flags, caddr_t data)
114 sys_mount(struct mount_args *uap)
116 struct thread *td = curthread;
117 struct proc *p = td->td_proc;
121 struct vfsconf *vfsp;
122 int error, flag = 0, flag2 = 0;
125 struct nlookupdata nd;
126 char fstypename[MFSNAMELEN];
127 struct ucred *cred = p->p_ucred;
132 if (usermount == 0 && (error = priv_check(td, PRIV_ROOT)))
135 * Do not allow NFS export by non-root users.
137 if (uap->flags & MNT_EXPORTED) {
138 error = priv_check(td, PRIV_ROOT);
143 * Silently enforce MNT_NOSUID and MNT_NODEV for non-root users
145 if (priv_check(td, PRIV_ROOT))
146 uap->flags |= MNT_NOSUID | MNT_NODEV;
149 * Lookup the requested path and extract the nch and vnode.
151 error = nlookup_init(&nd, uap->path, UIO_USERSPACE, NLC_FOLLOW);
153 if ((error = nlookup(&nd)) == 0) {
154 if (nd.nl_nch.ncp->nc_vp == NULL)
164 * Extract the locked+refd ncp and cleanup the nd structure
167 cache_zero(&nd.nl_nch);
170 if ((nch.ncp->nc_flag & NCF_ISMOUNTPT) && cache_findmount(&nch))
177 * now we have the locked ref'd nch and unreferenced vnode.
180 if ((error = vget(vp, LK_EXCLUSIVE)) != 0) {
187 * Now we have an unlocked ref'd nch and a locked ref'd vp
189 if (uap->flags & MNT_UPDATE) {
190 if ((vp->v_flag & (VROOT|VPFSROOT)) == 0) {
197 flag2 = mp->mnt_kern_flag;
199 * We only allow the filesystem to be reloaded if it
200 * is currently mounted read-only.
202 if ((uap->flags & MNT_RELOAD) &&
203 ((mp->mnt_flag & MNT_RDONLY) == 0)) {
206 return (EOPNOTSUPP); /* Needs translation */
209 * Only root, or the user that did the original mount is
210 * permitted to update it.
212 if (mp->mnt_stat.f_owner != cred->cr_uid &&
213 (error = priv_check(td, PRIV_ROOT))) {
218 if (vfs_busy(mp, LK_NOWAIT)) {
223 if ((vp->v_flag & VMOUNT) != 0 || hasmount) {
229 vp->v_flag |= VMOUNT;
231 uap->flags & (MNT_RELOAD | MNT_FORCE | MNT_UPDATE);
236 * If the user is not root, ensure that they own the directory
237 * onto which we are attempting to mount.
239 if ((error = VOP_GETATTR(vp, &va)) ||
240 (va.va_uid != cred->cr_uid && (error = priv_check(td, PRIV_ROOT)))) {
245 if ((error = vinvalbuf(vp, V_SAVE, 0, 0)) != 0) {
250 if (vp->v_type != VDIR) {
255 if (vp->v_mount->mnt_kern_flag & MNTK_NOSTKMNT) {
260 if ((error = copyinstr(uap->type, fstypename, MFSNAMELEN, NULL)) != 0) {
265 vfsp = vfsconf_find_by_name(fstypename);
269 /* Only load modules for root (very important!) */
270 if ((error = priv_check(td, PRIV_ROOT)) != 0) {
275 error = linker_load_file(fstypename, &lf);
276 if (error || lf == NULL) {
284 /* lookup again, see if the VFS was loaded */
285 vfsp = vfsconf_find_by_name(fstypename);
288 linker_file_unload(lf);
294 if ((vp->v_flag & VMOUNT) != 0 || hasmount) {
299 vp->v_flag |= VMOUNT;
302 * Allocate and initialize the filesystem.
304 mp = kmalloc(sizeof(struct mount), M_MOUNT, M_ZERO|M_WAITOK);
305 TAILQ_INIT(&mp->mnt_nvnodelist);
306 TAILQ_INIT(&mp->mnt_reservedvnlist);
307 TAILQ_INIT(&mp->mnt_jlist);
308 mp->mnt_nvnodelistsize = 0;
309 lockinit(&mp->mnt_lock, "vfslock", 0, 0);
310 vfs_busy(mp, LK_NOWAIT);
311 mp->mnt_op = vfsp->vfc_vfsops;
313 vfsp->vfc_refcount++;
314 mp->mnt_stat.f_type = vfsp->vfc_typenum;
315 mp->mnt_flag |= vfsp->vfc_flags & MNT_VISFLAGMASK;
316 strncpy(mp->mnt_stat.f_fstypename, vfsp->vfc_name, MFSNAMELEN);
317 mp->mnt_stat.f_owner = cred->cr_uid;
318 mp->mnt_iosize_max = DFLTPHYS;
322 * Set the mount level flags.
324 if (uap->flags & MNT_RDONLY)
325 mp->mnt_flag |= MNT_RDONLY;
326 else if (mp->mnt_flag & MNT_RDONLY)
327 mp->mnt_kern_flag |= MNTK_WANTRDWR;
328 mp->mnt_flag &=~ (MNT_NOSUID | MNT_NOEXEC | MNT_NODEV |
329 MNT_SYNCHRONOUS | MNT_UNION | MNT_ASYNC | MNT_NOATIME |
330 MNT_NOSYMFOLLOW | MNT_IGNORE |
331 MNT_NOCLUSTERR | MNT_NOCLUSTERW | MNT_SUIDDIR);
332 mp->mnt_flag |= uap->flags & (MNT_NOSUID | MNT_NOEXEC |
333 MNT_NODEV | MNT_SYNCHRONOUS | MNT_UNION | MNT_ASYNC | MNT_FORCE |
334 MNT_NOSYMFOLLOW | MNT_IGNORE |
335 MNT_NOATIME | MNT_NOCLUSTERR | MNT_NOCLUSTERW | MNT_SUIDDIR);
337 * Mount the filesystem.
338 * XXX The final recipients of VFS_MOUNT just overwrite the ndp they
341 error = VFS_MOUNT(mp, uap->path, uap->data, cred);
342 if (mp->mnt_flag & MNT_UPDATE) {
343 if (mp->mnt_kern_flag & MNTK_WANTRDWR)
344 mp->mnt_flag &= ~MNT_RDONLY;
345 mp->mnt_flag &=~ (MNT_UPDATE | MNT_RELOAD | MNT_FORCE);
346 mp->mnt_kern_flag &=~ MNTK_WANTRDWR;
349 mp->mnt_kern_flag = flag2;
352 vp->v_flag &= ~VMOUNT;
357 vn_lock(vp, LK_EXCLUSIVE | LK_RETRY);
359 * Put the new filesystem on the mount list after root. The mount
360 * point gets its own mnt_ncmountpt (unless the VFS already set one
361 * up) which represents the root of the mount. The lookup code
362 * detects the mount point going forward and checks the root of
363 * the mount going backwards.
365 * It is not necessary to invalidate or purge the vnode underneath
366 * because elements under the mount will be given their own glue
370 if (mp->mnt_ncmountpt.ncp == NULL) {
372 * allocate, then unlock, but leave the ref intact
374 cache_allocroot(&mp->mnt_ncmountpt, mp, NULL);
375 cache_unlock(&mp->mnt_ncmountpt);
377 mp->mnt_ncmounton = nch; /* inherits ref */
378 nch.ncp->nc_flag |= NCF_ISMOUNTPT;
380 /* XXX get the root of the fs and cache_setvp(mnt_ncmountpt...) */
381 vp->v_flag &= ~VMOUNT;
382 mountlist_insert(mp, MNTINS_LAST);
384 checkdirs(&mp->mnt_ncmounton, &mp->mnt_ncmountpt);
385 error = vfs_allocate_syncvnode(mp);
387 error = VFS_START(mp, 0);
390 vfs_rm_vnodeops(mp, NULL, &mp->mnt_vn_coherency_ops);
391 vfs_rm_vnodeops(mp, NULL, &mp->mnt_vn_journal_ops);
392 vfs_rm_vnodeops(mp, NULL, &mp->mnt_vn_norm_ops);
393 vfs_rm_vnodeops(mp, NULL, &mp->mnt_vn_spec_ops);
394 vfs_rm_vnodeops(mp, NULL, &mp->mnt_vn_fifo_ops);
395 vp->v_flag &= ~VMOUNT;
396 mp->mnt_vfc->vfc_refcount--;
406 * Scan all active processes to see if any of them have a current
407 * or root directory onto which the new filesystem has just been
408 * mounted. If so, replace them with the new mount point.
410 * The passed ncp is ref'd and locked (from the mount code) and
411 * must be associated with the vnode representing the root of the
414 struct checkdirs_info {
415 struct nchandle old_nch;
416 struct nchandle new_nch;
417 struct vnode *old_vp;
418 struct vnode *new_vp;
421 static int checkdirs_callback(struct proc *p, void *data);
424 checkdirs(struct nchandle *old_nch, struct nchandle *new_nch)
426 struct checkdirs_info info;
432 * If the old mount point's vnode has a usecount of 1, it is not
433 * being held as a descriptor anywhere.
435 olddp = old_nch->ncp->nc_vp;
436 if (olddp == NULL || olddp->v_sysref.refcnt == 1)
440 * Force the root vnode of the new mount point to be resolved
441 * so we can update any matching processes.
444 if (VFS_ROOT(mp, &newdp))
445 panic("mount: lost mount");
446 cache_setunresolved(new_nch);
447 cache_setvp(new_nch, newdp);
450 * Special handling of the root node
452 if (rootvnode == olddp) {
454 vfs_cache_setroot(newdp, cache_hold(new_nch));
458 * Pass newdp separately so the callback does not have to access
459 * it via new_nch->ncp->nc_vp.
461 info.old_nch = *old_nch;
462 info.new_nch = *new_nch;
464 allproc_scan(checkdirs_callback, &info);
469 * NOTE: callback is not MP safe because the scanned process's filedesc
470 * structure can be ripped out from under us, amoung other things.
473 checkdirs_callback(struct proc *p, void *data)
475 struct checkdirs_info *info = data;
476 struct filedesc *fdp;
477 struct nchandle ncdrop1;
478 struct nchandle ncdrop2;
479 struct vnode *vprele1;
480 struct vnode *vprele2;
482 if ((fdp = p->p_fd) != NULL) {
483 cache_zero(&ncdrop1);
484 cache_zero(&ncdrop2);
489 * MPUNSAFE - XXX fdp can be pulled out from under a
492 * A shared filedesc is ok, we don't have to copy it
493 * because we are making this change globally.
495 spin_lock_wr(&fdp->fd_spin);
496 if (fdp->fd_ncdir.mount == info->old_nch.mount &&
497 fdp->fd_ncdir.ncp == info->old_nch.ncp) {
498 vprele1 = fdp->fd_cdir;
500 fdp->fd_cdir = info->new_vp;
501 ncdrop1 = fdp->fd_ncdir;
502 cache_copy(&info->new_nch, &fdp->fd_ncdir);
504 if (fdp->fd_nrdir.mount == info->old_nch.mount &&
505 fdp->fd_nrdir.ncp == info->old_nch.ncp) {
506 vprele2 = fdp->fd_rdir;
508 fdp->fd_rdir = info->new_vp;
509 ncdrop2 = fdp->fd_nrdir;
510 cache_copy(&info->new_nch, &fdp->fd_nrdir);
512 spin_unlock_wr(&fdp->fd_spin);
514 cache_drop(&ncdrop1);
516 cache_drop(&ncdrop2);
526 * Unmount a file system.
528 * Note: unmount takes a path to the vnode mounted on as argument,
529 * not special file (as before).
532 * umount_args(char *path, int flags)
536 sys_unmount(struct unmount_args *uap)
538 struct thread *td = curthread;
539 struct proc *p = td->td_proc;
540 struct mount *mp = NULL;
542 struct nlookupdata nd;
545 if (p->p_ucred->cr_prison != NULL)
547 if (usermount == 0 && (error = priv_check(td, PRIV_ROOT)))
550 error = nlookup_init(&nd, uap->path, UIO_USERSPACE, NLC_FOLLOW);
552 error = nlookup(&nd);
556 mp = nd.nl_nch.mount;
559 * Only root, or the user that did the original mount is
560 * permitted to unmount this filesystem.
562 if ((mp->mnt_stat.f_owner != p->p_ucred->cr_uid) &&
563 (error = priv_check(td, PRIV_ROOT)))
567 * Don't allow unmounting the root file system.
569 if (mp->mnt_flag & MNT_ROOTFS) {
575 * Must be the root of the filesystem
577 if (nd.nl_nch.ncp != mp->mnt_ncmountpt.ncp) {
586 return (dounmount(mp, uap->flags));
590 * Do the actual file system unmount.
593 dounmount_interlock(struct mount *mp)
595 if (mp->mnt_kern_flag & MNTK_UNMOUNT)
597 mp->mnt_kern_flag |= MNTK_UNMOUNT;
602 dounmount(struct mount *mp, int flags)
604 struct namecache *ncp;
613 * Exclusive access for unmounting purposes
615 if ((error = mountlist_interlock(dounmount_interlock, mp)) != 0)
619 * Allow filesystems to detect that a forced unmount is in progress.
621 if (flags & MNT_FORCE)
622 mp->mnt_kern_flag |= MNTK_UNMOUNTF;
623 lflags = LK_EXCLUSIVE | ((flags & MNT_FORCE) ? 0 : LK_NOWAIT);
624 error = lockmgr(&mp->mnt_lock, lflags);
626 mp->mnt_kern_flag &= ~(MNTK_UNMOUNT | MNTK_UNMOUNTF);
627 if (mp->mnt_kern_flag & MNTK_MWAIT)
632 if (mp->mnt_flag & MNT_EXPUBLIC)
633 vfs_setpublicfs(NULL, NULL, NULL);
635 vfs_msync(mp, MNT_WAIT);
636 async_flag = mp->mnt_flag & MNT_ASYNC;
637 mp->mnt_flag &=~ MNT_ASYNC;
640 * If this filesystem isn't aliasing other filesystems,
641 * try to invalidate any remaining namecache entries and
642 * check the count afterwords.
644 if ((mp->mnt_kern_flag & MNTK_NCALIASED) == 0) {
645 cache_lock(&mp->mnt_ncmountpt);
646 cache_inval(&mp->mnt_ncmountpt, CINV_DESTROY|CINV_CHILDREN);
647 cache_unlock(&mp->mnt_ncmountpt);
649 if ((ncp = mp->mnt_ncmountpt.ncp) != NULL &&
650 (ncp->nc_refs != 1 || TAILQ_FIRST(&ncp->nc_list))) {
652 if ((flags & MNT_FORCE) == 0) {
654 mount_warning(mp, "Cannot unmount: "
660 mount_warning(mp, "Forced unmount: "
671 * nchandle records ref the mount structure. Expect a count of 1
672 * (our mount->mnt_ncmountpt).
674 if (mp->mnt_refs != 1) {
675 if ((flags & MNT_FORCE) == 0) {
676 mount_warning(mp, "Cannot unmount: "
677 "%d process references still "
678 "present", mp->mnt_refs);
681 mount_warning(mp, "Forced unmount: "
682 "%d process references still "
683 "present", mp->mnt_refs);
689 * Decomission our special mnt_syncer vnode. This also stops
690 * the vnlru code. If we are unable to unmount we recommission
694 if ((vp = mp->mnt_syncer) != NULL) {
695 mp->mnt_syncer = NULL;
698 if (((mp->mnt_flag & MNT_RDONLY) ||
699 (error = VFS_SYNC(mp, MNT_WAIT)) == 0) ||
700 (flags & MNT_FORCE)) {
701 error = VFS_UNMOUNT(mp, flags);
705 if (mp->mnt_syncer == NULL)
706 vfs_allocate_syncvnode(mp);
707 mp->mnt_kern_flag &= ~(MNTK_UNMOUNT | MNTK_UNMOUNTF);
708 mp->mnt_flag |= async_flag;
709 lockmgr(&mp->mnt_lock, LK_RELEASE);
710 if (mp->mnt_kern_flag & MNTK_MWAIT)
715 * Clean up any journals still associated with the mount after
716 * filesystem activity has ceased.
718 journal_remove_all_journals(mp,
719 ((flags & MNT_FORCE) ? MC_JOURNAL_STOP_IMM : 0));
721 mountlist_remove(mp);
724 * Remove any installed vnode ops here so the individual VFSs don't
727 vfs_rm_vnodeops(mp, NULL, &mp->mnt_vn_coherency_ops);
728 vfs_rm_vnodeops(mp, NULL, &mp->mnt_vn_journal_ops);
729 vfs_rm_vnodeops(mp, NULL, &mp->mnt_vn_norm_ops);
730 vfs_rm_vnodeops(mp, NULL, &mp->mnt_vn_spec_ops);
731 vfs_rm_vnodeops(mp, NULL, &mp->mnt_vn_fifo_ops);
733 if (mp->mnt_ncmountpt.ncp != NULL) {
734 nch = mp->mnt_ncmountpt;
735 cache_zero(&mp->mnt_ncmountpt);
736 cache_clrmountpt(&nch);
739 if (mp->mnt_ncmounton.ncp != NULL) {
740 nch = mp->mnt_ncmounton;
741 cache_zero(&mp->mnt_ncmounton);
742 cache_clrmountpt(&nch);
746 mp->mnt_vfc->vfc_refcount--;
747 if (!TAILQ_EMPTY(&mp->mnt_nvnodelist))
748 panic("unmount: dangling vnode");
749 lockmgr(&mp->mnt_lock, LK_RELEASE);
750 if (mp->mnt_kern_flag & MNTK_MWAIT)
759 mount_warning(struct mount *mp, const char *ctl, ...)
766 if (cache_fullpath(NULL, &mp->mnt_ncmounton, &ptr, &buf) == 0) {
767 kprintf("unmount(%s): ", ptr);
772 kprintf("unmount(%p", mp);
773 if (mp->mnt_ncmounton.ncp && mp->mnt_ncmounton.ncp->nc_name)
774 kprintf(",%s", mp->mnt_ncmounton.ncp->nc_name);
783 * Shim cache_fullpath() to handle the case where a process is chrooted into
784 * a subdirectory of a mount. In this case if the root mount matches the
785 * process root directory's mount we have to specify the process's root
786 * directory instead of the mount point, because the mount point might
787 * be above the root directory.
791 mount_path(struct proc *p, struct mount *mp, char **rb, char **fb)
793 struct nchandle *nch;
795 if (p && p->p_fd->fd_nrdir.mount == mp)
796 nch = &p->p_fd->fd_nrdir;
798 nch = &mp->mnt_ncmountpt;
799 return(cache_fullpath(p, nch, rb, fb));
803 * Sync each mounted filesystem.
807 static int syncprt = 0;
808 SYSCTL_INT(_debug, OID_AUTO, syncprt, CTLFLAG_RW, &syncprt, 0, "");
811 static int sync_callback(struct mount *mp, void *data);
815 sys_sync(struct sync_args *uap)
817 mountlist_scan(sync_callback, NULL, MNTSCAN_FORWARD);
820 * print out buffer pool stat information on each sync() call.
830 sync_callback(struct mount *mp, void *data __unused)
834 if ((mp->mnt_flag & MNT_RDONLY) == 0) {
835 asyncflag = mp->mnt_flag & MNT_ASYNC;
836 mp->mnt_flag &= ~MNT_ASYNC;
837 vfs_msync(mp, MNT_NOWAIT);
838 VFS_SYNC(mp, MNT_NOWAIT);
839 mp->mnt_flag |= asyncflag;
844 /* XXX PRISON: could be per prison flag */
845 static int prison_quotas;
847 SYSCTL_INT(_kern_prison, OID_AUTO, quotas, CTLFLAG_RW, &prison_quotas, 0, "");
851 * quotactl_args(char *path, int fcmd, int uid, caddr_t arg)
853 * Change filesystem quotas.
857 sys_quotactl(struct quotactl_args *uap)
859 struct nlookupdata nd;
867 if (p->p_ucred->cr_prison && !prison_quotas)
870 error = nlookup_init(&nd, uap->path, UIO_USERSPACE, NLC_FOLLOW);
872 error = nlookup(&nd);
874 mp = nd.nl_nch.mount;
875 error = VFS_QUOTACTL(mp, uap->cmd, uap->uid,
876 uap->arg, nd.nl_cred);
883 * mountctl(char *path, int op, int fd, const void *ctl, int ctllen,
884 * void *buf, int buflen)
886 * This function operates on a mount point and executes the specified
887 * operation using the specified control data, and possibly returns data.
889 * The actual number of bytes stored in the result buffer is returned, 0
890 * if none, otherwise an error is returned.
894 sys_mountctl(struct mountctl_args *uap)
896 struct thread *td = curthread;
897 struct proc *p = td->td_proc;
905 * Sanity and permissions checks. We must be root.
908 if (p->p_ucred->cr_prison != NULL)
910 if ((error = priv_check(td, PRIV_ROOT)) != 0)
914 * Argument length checks
916 if (uap->ctllen < 0 || uap->ctllen > 1024)
918 if (uap->buflen < 0 || uap->buflen > 16 * 1024)
920 if (uap->path == NULL)
924 * Allocate the necessary buffers and copyin data
926 path = objcache_get(namei_oc, M_WAITOK);
927 error = copyinstr(uap->path, path, MAXPATHLEN, NULL);
932 ctl = kmalloc(uap->ctllen + 1, M_TEMP, M_WAITOK|M_ZERO);
933 error = copyin(uap->ctl, ctl, uap->ctllen);
938 buf = kmalloc(uap->buflen + 1, M_TEMP, M_WAITOK|M_ZERO);
941 * Validate the descriptor
944 fp = holdfp(p->p_fd, uap->fd, -1);
954 * Execute the internal kernel function and clean up.
956 error = kern_mountctl(path, uap->op, fp, ctl, uap->ctllen, buf, uap->buflen, &uap->sysmsg_result);
959 if (error == 0 && uap->sysmsg_result > 0)
960 error = copyout(buf, uap->buf, uap->sysmsg_result);
963 objcache_put(namei_oc, path);
972 * Execute a mount control operation by resolving the path to a mount point
973 * and calling vop_mountctl().
975 * Use the mount point from the nch instead of the vnode so nullfs mounts
976 * can properly spike the VOP.
979 kern_mountctl(const char *path, int op, struct file *fp,
980 const void *ctl, int ctllen,
981 void *buf, int buflen, int *res)
985 struct nlookupdata nd;
990 error = nlookup_init(&nd, path, UIO_SYSSPACE, NLC_FOLLOW);
992 error = nlookup(&nd);
994 error = cache_vget(&nd.nl_nch, nd.nl_cred, LK_EXCLUSIVE, &vp);
995 mp = nd.nl_nch.mount;
1001 * Must be the root of the filesystem
1003 if ((vp->v_flag & (VROOT|VPFSROOT)) == 0) {
1007 error = vop_mountctl(mp->mnt_vn_use_ops, op, fp, ctl, ctllen,
1014 kern_statfs(struct nlookupdata *nd, struct statfs *buf)
1016 struct thread *td = curthread;
1017 struct proc *p = td->td_proc;
1020 char *fullpath, *freepath;
1023 if ((error = nlookup(nd)) != 0)
1025 mp = nd->nl_nch.mount;
1027 if ((error = VFS_STATFS(mp, sp, nd->nl_cred)) != 0)
1030 error = mount_path(p, mp, &fullpath, &freepath);
1033 bzero(sp->f_mntonname, sizeof(sp->f_mntonname));
1034 strlcpy(sp->f_mntonname, fullpath, sizeof(sp->f_mntonname));
1035 kfree(freepath, M_TEMP);
1037 sp->f_flags = mp->mnt_flag & MNT_VISFLAGMASK;
1038 bcopy(sp, buf, sizeof(*buf));
1039 /* Only root should have access to the fsid's. */
1040 if (priv_check(td, PRIV_ROOT))
1041 buf->f_fsid.val[0] = buf->f_fsid.val[1] = 0;
1046 * statfs_args(char *path, struct statfs *buf)
1048 * Get filesystem statistics.
1051 sys_statfs(struct statfs_args *uap)
1053 struct nlookupdata nd;
1057 error = nlookup_init(&nd, uap->path, UIO_USERSPACE, NLC_FOLLOW);
1059 error = kern_statfs(&nd, &buf);
1062 error = copyout(&buf, uap->buf, sizeof(*uap->buf));
1067 kern_fstatfs(int fd, struct statfs *buf)
1069 struct thread *td = curthread;
1070 struct proc *p = td->td_proc;
1074 char *fullpath, *freepath;
1078 if ((error = holdvnode(p->p_fd, fd, &fp)) != 0)
1080 mp = ((struct vnode *)fp->f_data)->v_mount;
1085 if (fp->f_cred == NULL) {
1090 if ((error = VFS_STATFS(mp, sp, fp->f_cred)) != 0)
1093 if ((error = mount_path(p, mp, &fullpath, &freepath)) != 0)
1095 bzero(sp->f_mntonname, sizeof(sp->f_mntonname));
1096 strlcpy(sp->f_mntonname, fullpath, sizeof(sp->f_mntonname));
1097 kfree(freepath, M_TEMP);
1099 sp->f_flags = mp->mnt_flag & MNT_VISFLAGMASK;
1100 bcopy(sp, buf, sizeof(*buf));
1102 /* Only root should have access to the fsid's. */
1103 if (priv_check(td, PRIV_ROOT))
1104 buf->f_fsid.val[0] = buf->f_fsid.val[1] = 0;
1112 * fstatfs_args(int fd, struct statfs *buf)
1114 * Get filesystem statistics.
1117 sys_fstatfs(struct fstatfs_args *uap)
1122 error = kern_fstatfs(uap->fd, &buf);
1125 error = copyout(&buf, uap->buf, sizeof(*uap->buf));
1130 kern_statvfs(struct nlookupdata *nd, struct statvfs *buf)
1136 if ((error = nlookup(nd)) != 0)
1138 mp = nd->nl_nch.mount;
1139 sp = &mp->mnt_vstat;
1140 if ((error = VFS_STATVFS(mp, sp, nd->nl_cred)) != 0)
1144 if (mp->mnt_flag & MNT_RDONLY)
1145 sp->f_flag |= ST_RDONLY;
1146 if (mp->mnt_flag & MNT_NOSUID)
1147 sp->f_flag |= ST_NOSUID;
1148 bcopy(sp, buf, sizeof(*buf));
1153 * statfs_args(char *path, struct statfs *buf)
1155 * Get filesystem statistics.
1158 sys_statvfs(struct statvfs_args *uap)
1160 struct nlookupdata nd;
1164 error = nlookup_init(&nd, uap->path, UIO_USERSPACE, NLC_FOLLOW);
1166 error = kern_statvfs(&nd, &buf);
1169 error = copyout(&buf, uap->buf, sizeof(*uap->buf));
1174 kern_fstatvfs(int fd, struct statvfs *buf)
1176 struct thread *td = curthread;
1177 struct proc *p = td->td_proc;
1184 if ((error = holdvnode(p->p_fd, fd, &fp)) != 0)
1186 mp = ((struct vnode *)fp->f_data)->v_mount;
1191 if (fp->f_cred == NULL) {
1195 sp = &mp->mnt_vstat;
1196 if ((error = VFS_STATVFS(mp, sp, fp->f_cred)) != 0)
1200 if (mp->mnt_flag & MNT_RDONLY)
1201 sp->f_flag |= ST_RDONLY;
1202 if (mp->mnt_flag & MNT_NOSUID)
1203 sp->f_flag |= ST_NOSUID;
1205 bcopy(sp, buf, sizeof(*buf));
1213 * fstatfs_args(int fd, struct statfs *buf)
1215 * Get filesystem statistics.
1218 sys_fstatvfs(struct fstatvfs_args *uap)
1223 error = kern_fstatvfs(uap->fd, &buf);
1226 error = copyout(&buf, uap->buf, sizeof(*uap->buf));
1231 * getfsstat_args(struct statfs *buf, long bufsize, int flags)
1233 * Get statistics on all filesystems.
1236 struct getfsstat_info {
1237 struct statfs *sfsp;
1245 static int getfsstat_callback(struct mount *, void *);
1249 sys_getfsstat(struct getfsstat_args *uap)
1251 struct thread *td = curthread;
1252 struct proc *p = td->td_proc;
1253 struct getfsstat_info info;
1255 bzero(&info, sizeof(info));
1257 info.maxcount = uap->bufsize / sizeof(struct statfs);
1258 info.sfsp = uap->buf;
1260 info.flags = uap->flags;
1263 mountlist_scan(getfsstat_callback, &info, MNTSCAN_FORWARD);
1264 if (info.sfsp && info.count > info.maxcount)
1265 uap->sysmsg_result = info.maxcount;
1267 uap->sysmsg_result = info.count;
1268 return (info.error);
1272 getfsstat_callback(struct mount *mp, void *data)
1274 struct getfsstat_info *info = data;
1280 if (info->sfsp && info->count < info->maxcount) {
1281 if (info->p && !chroot_visible_mnt(mp, info->p))
1286 * If MNT_NOWAIT or MNT_LAZY is specified, do not
1287 * refresh the fsstat cache. MNT_NOWAIT or MNT_LAZY
1288 * overrides MNT_WAIT.
1290 if (((info->flags & (MNT_LAZY|MNT_NOWAIT)) == 0 ||
1291 (info->flags & MNT_WAIT)) &&
1292 (error = VFS_STATFS(mp, sp, info->p->p_ucred))) {
1295 sp->f_flags = mp->mnt_flag & MNT_VISFLAGMASK;
1297 error = mount_path(info->p, mp, &fullpath, &freepath);
1299 info->error = error;
1302 bzero(sp->f_mntonname, sizeof(sp->f_mntonname));
1303 strlcpy(sp->f_mntonname, fullpath, sizeof(sp->f_mntonname));
1304 kfree(freepath, M_TEMP);
1306 error = copyout(sp, info->sfsp, sizeof(*sp));
1308 info->error = error;
1318 * getvfsstat_args(struct statfs *buf, struct statvfs *vbuf,
1319 long bufsize, int flags)
1321 * Get statistics on all filesystems.
1324 struct getvfsstat_info {
1325 struct statfs *sfsp;
1326 struct statvfs *vsfsp;
1334 static int getvfsstat_callback(struct mount *, void *);
1338 sys_getvfsstat(struct getvfsstat_args *uap)
1340 struct thread *td = curthread;
1341 struct proc *p = td->td_proc;
1342 struct getvfsstat_info info;
1344 bzero(&info, sizeof(info));
1346 info.maxcount = uap->vbufsize / sizeof(struct statvfs);
1347 info.sfsp = uap->buf;
1348 info.vsfsp = uap->vbuf;
1350 info.flags = uap->flags;
1353 mountlist_scan(getvfsstat_callback, &info, MNTSCAN_FORWARD);
1354 if (info.vsfsp && info.count > info.maxcount)
1355 uap->sysmsg_result = info.maxcount;
1357 uap->sysmsg_result = info.count;
1358 return (info.error);
1362 getvfsstat_callback(struct mount *mp, void *data)
1364 struct getvfsstat_info *info = data;
1366 struct statvfs *vsp;
1371 if (info->vsfsp && info->count < info->maxcount) {
1372 if (info->p && !chroot_visible_mnt(mp, info->p))
1375 vsp = &mp->mnt_vstat;
1378 * If MNT_NOWAIT or MNT_LAZY is specified, do not
1379 * refresh the fsstat cache. MNT_NOWAIT or MNT_LAZY
1380 * overrides MNT_WAIT.
1382 if (((info->flags & (MNT_LAZY|MNT_NOWAIT)) == 0 ||
1383 (info->flags & MNT_WAIT)) &&
1384 (error = VFS_STATFS(mp, sp, info->p->p_ucred))) {
1387 sp->f_flags = mp->mnt_flag & MNT_VISFLAGMASK;
1389 if (((info->flags & (MNT_LAZY|MNT_NOWAIT)) == 0 ||
1390 (info->flags & MNT_WAIT)) &&
1391 (error = VFS_STATVFS(mp, vsp, info->p->p_ucred))) {
1395 if (mp->mnt_flag & MNT_RDONLY)
1396 vsp->f_flag |= ST_RDONLY;
1397 if (mp->mnt_flag & MNT_NOSUID)
1398 vsp->f_flag |= ST_NOSUID;
1400 error = mount_path(info->p, mp, &fullpath, &freepath);
1402 info->error = error;
1405 bzero(sp->f_mntonname, sizeof(sp->f_mntonname));
1406 strlcpy(sp->f_mntonname, fullpath, sizeof(sp->f_mntonname));
1407 kfree(freepath, M_TEMP);
1409 error = copyout(sp, info->sfsp, sizeof(*sp));
1411 error = copyout(vsp, info->vsfsp, sizeof(*vsp));
1413 info->error = error;
1425 * fchdir_args(int fd)
1427 * Change current working directory to a given file descriptor.
1431 sys_fchdir(struct fchdir_args *uap)
1433 struct thread *td = curthread;
1434 struct proc *p = td->td_proc;
1435 struct filedesc *fdp = p->p_fd;
1436 struct vnode *vp, *ovp;
1439 struct nchandle nch, onch, tnch;
1442 if ((error = holdvnode(fdp, uap->fd, &fp)) != 0)
1444 vp = (struct vnode *)fp->f_data;
1446 vn_lock(vp, LK_EXCLUSIVE | LK_RETRY);
1447 if (vp->v_type != VDIR || fp->f_nchandle.ncp == NULL)
1450 error = VOP_ACCESS(vp, VEXEC, p->p_ucred);
1456 cache_copy(&fp->f_nchandle, &nch);
1459 * If the ncp has become a mount point, traverse through
1463 while (!error && (nch.ncp->nc_flag & NCF_ISMOUNTPT) &&
1464 (mp = cache_findmount(&nch)) != NULL
1466 error = nlookup_mp(mp, &tnch);
1468 cache_unlock(&tnch); /* leave ref intact */
1470 vp = tnch.ncp->nc_vp;
1471 error = vget(vp, LK_SHARED);
1472 KKASSERT(error == 0);
1479 onch = fdp->fd_ncdir;
1480 vn_unlock(vp); /* leave ref intact */
1482 fdp->fd_ncdir = nch;
1494 kern_chdir(struct nlookupdata *nd)
1496 struct thread *td = curthread;
1497 struct proc *p = td->td_proc;
1498 struct filedesc *fdp = p->p_fd;
1499 struct vnode *vp, *ovp;
1500 struct nchandle onch;
1503 if ((error = nlookup(nd)) != 0)
1505 if ((vp = nd->nl_nch.ncp->nc_vp) == NULL)
1507 if ((error = vget(vp, LK_SHARED)) != 0)
1510 error = checkvp_chdir(vp, td);
1514 onch = fdp->fd_ncdir;
1515 cache_unlock(&nd->nl_nch); /* leave reference intact */
1516 fdp->fd_ncdir = nd->nl_nch;
1520 cache_zero(&nd->nl_nch);
1528 * chdir_args(char *path)
1530 * Change current working directory (``.'').
1533 sys_chdir(struct chdir_args *uap)
1535 struct nlookupdata nd;
1538 error = nlookup_init(&nd, uap->path, UIO_USERSPACE, NLC_FOLLOW);
1540 error = kern_chdir(&nd);
1546 * Helper function for raised chroot(2) security function: Refuse if
1547 * any filedescriptors are open directories.
1550 chroot_refuse_vdir_fds(struct filedesc *fdp)
1557 for (fd = 0; fd < fdp->fd_nfiles ; fd++) {
1558 if ((error = holdvnode(fdp, fd, &fp)) != 0)
1560 vp = (struct vnode *)fp->f_data;
1561 if (vp->v_type != VDIR) {
1572 * This sysctl determines if we will allow a process to chroot(2) if it
1573 * has a directory open:
1574 * 0: disallowed for all processes.
1575 * 1: allowed for processes that were not already chroot(2)'ed.
1576 * 2: allowed for all processes.
1579 static int chroot_allow_open_directories = 1;
1581 SYSCTL_INT(_kern, OID_AUTO, chroot_allow_open_directories, CTLFLAG_RW,
1582 &chroot_allow_open_directories, 0, "");
1585 * chroot to the specified namecache entry. We obtain the vp from the
1586 * namecache data. The passed ncp must be locked and referenced and will
1587 * remain locked and referenced on return.
1590 kern_chroot(struct nchandle *nch)
1592 struct thread *td = curthread;
1593 struct proc *p = td->td_proc;
1594 struct filedesc *fdp = p->p_fd;
1599 * Only root can chroot
1601 if ((error = priv_check_cred(p->p_ucred, PRIV_ROOT, PRISON_ROOT)) != 0)
1605 * Disallow open directory descriptors (fchdir() breakouts).
1607 if (chroot_allow_open_directories == 0 ||
1608 (chroot_allow_open_directories == 1 && fdp->fd_rdir != rootvnode)) {
1609 if ((error = chroot_refuse_vdir_fds(fdp)) != 0)
1612 if ((vp = nch->ncp->nc_vp) == NULL)
1615 if ((error = vget(vp, LK_SHARED)) != 0)
1619 * Check the validity of vp as a directory to change to and
1620 * associate it with rdir/jdir.
1622 error = checkvp_chdir(vp, td);
1623 vn_unlock(vp); /* leave reference intact */
1625 vrele(fdp->fd_rdir);
1626 fdp->fd_rdir = vp; /* reference inherited by fd_rdir */
1627 cache_drop(&fdp->fd_nrdir);
1628 cache_copy(nch, &fdp->fd_nrdir);
1629 if (fdp->fd_jdir == NULL) {
1632 cache_copy(nch, &fdp->fd_njdir);
1641 * chroot_args(char *path)
1643 * Change notion of root (``/'') directory.
1647 sys_chroot(struct chroot_args *uap)
1649 struct thread *td = curthread;
1650 struct nlookupdata nd;
1653 KKASSERT(td->td_proc);
1654 error = nlookup_init(&nd, uap->path, UIO_USERSPACE, NLC_FOLLOW);
1659 error = nlookup(&nd);
1661 error = kern_chroot(&nd.nl_nch);
1667 * Common routine for chroot and chdir. Given a locked, referenced vnode,
1668 * determine whether it is legal to chdir to the vnode. The vnode's state
1669 * is not changed by this call.
1672 checkvp_chdir(struct vnode *vp, struct thread *td)
1676 if (vp->v_type != VDIR)
1679 error = VOP_ACCESS(vp, VEXEC, td->td_proc->p_ucred);
1684 kern_open(struct nlookupdata *nd, int oflags, int mode, int *res)
1686 struct thread *td = curthread;
1687 struct proc *p = td->td_proc;
1688 struct lwp *lp = td->td_lwp;
1689 struct filedesc *fdp = p->p_fd;
1694 int type, indx, error;
1697 if ((oflags & O_ACCMODE) == O_ACCMODE)
1699 flags = FFLAGS(oflags);
1700 error = falloc(p, &nfp, NULL);
1704 cmode = ((mode &~ fdp->fd_cmask) & ALLPERMS) &~ S_ISTXT;
1707 * XXX p_dupfd is a real mess. It allows a device to return a
1708 * file descriptor to be duplicated rather then doing the open
1714 * Call vn_open() to do the lookup and assign the vnode to the
1715 * file pointer. vn_open() does not change the ref count on fp
1716 * and the vnode, on success, will be inherited by the file pointer
1719 nd->nl_flags |= NLC_LOCKVP;
1720 error = vn_open(nd, fp, flags, cmode);
1724 * handle special fdopen() case. bleh. dupfdopen() is
1725 * responsible for dropping the old contents of ofiles[indx]
1728 * Note that fsetfd() will add a ref to fp which represents
1729 * the fd_files[] assignment. We must still drop our
1732 if ((error == ENODEV || error == ENXIO) && lp->lwp_dupfd >= 0) {
1733 if (fdalloc(p, 0, &indx) == 0) {
1734 error = dupfdopen(p, indx, lp->lwp_dupfd, flags, error);
1737 fdrop(fp); /* our ref */
1740 fsetfd(p, NULL, indx);
1743 fdrop(fp); /* our ref */
1744 if (error == ERESTART)
1750 * ref the vnode for ourselves so it can't be ripped out from under
1751 * is. XXX need an ND flag to request that the vnode be returned
1754 * Reserve a file descriptor but do not assign it until the open
1757 vp = (struct vnode *)fp->f_data;
1759 if ((error = fdalloc(p, 0, &indx)) != 0) {
1766 * If no error occurs the vp will have been assigned to the file
1771 if (flags & (O_EXLOCK | O_SHLOCK)) {
1772 lf.l_whence = SEEK_SET;
1775 if (flags & O_EXLOCK)
1776 lf.l_type = F_WRLCK;
1778 lf.l_type = F_RDLCK;
1779 if (flags & FNONBLOCK)
1784 if ((error = VOP_ADVLOCK(vp, (caddr_t)fp, F_SETLK, &lf, type)) != 0) {
1786 * lock request failed. Clean up the reserved
1790 fsetfd(p, NULL, indx);
1794 fp->f_flag |= FHASLOCK;
1798 * Assert that all regular file vnodes were created with a object.
1800 KASSERT(vp->v_type != VREG || vp->v_object != NULL,
1801 ("open: regular file has no backing object after vn_open"));
1807 * release our private reference, leaving the one associated with the
1808 * descriptor table intact.
1810 fsetfd(p, fp, indx);
1817 * open_args(char *path, int flags, int mode)
1819 * Check permissions, allocate an open file structure,
1820 * and call the device open routine if any.
1823 sys_open(struct open_args *uap)
1825 struct nlookupdata nd;
1828 error = nlookup_init(&nd, uap->path, UIO_USERSPACE, NLC_FOLLOW);
1830 error = kern_open(&nd, uap->flags,
1831 uap->mode, &uap->sysmsg_result);
1838 kern_mknod(struct nlookupdata *nd, int mode, int rmajor, int rminor)
1840 struct thread *td = curthread;
1841 struct proc *p = td->td_proc;
1849 switch (mode & S_IFMT) {
1852 error = priv_check(td, PRIV_ROOT);
1855 error = priv_check_cred(p->p_ucred, PRIV_ROOT, PRISON_ROOT);
1862 nd->nl_flags |= NLC_CREATE | NLC_REFDVP;
1863 if ((error = nlookup(nd)) != 0)
1865 if (nd->nl_nch.ncp->nc_vp)
1867 if ((error = ncp_writechk(&nd->nl_nch)) != 0)
1871 vattr.va_mode = (mode & ALLPERMS) &~ p->p_fd->fd_cmask;
1872 vattr.va_rmajor = rmajor;
1873 vattr.va_rminor = rminor;
1876 switch (mode & S_IFMT) {
1877 case S_IFMT: /* used by badsect to flag bad sectors */
1878 vattr.va_type = VBAD;
1881 vattr.va_type = VCHR;
1884 vattr.va_type = VBLK;
1890 /* special directories support for HAMMER */
1891 vattr.va_type = VDIR;
1899 error = VOP_NWHITEOUT(&nd->nl_nch, nd->nl_dvp,
1900 nd->nl_cred, NAMEI_CREATE);
1903 error = VOP_NMKNOD(&nd->nl_nch, nd->nl_dvp,
1904 &vp, nd->nl_cred, &vattr);
1913 * mknod_args(char *path, int mode, int dev)
1915 * Create a special file.
1918 sys_mknod(struct mknod_args *uap)
1920 struct nlookupdata nd;
1923 error = nlookup_init(&nd, uap->path, UIO_USERSPACE, 0);
1925 error = kern_mknod(&nd, uap->mode,
1926 umajor(uap->dev), uminor(uap->dev));
1933 kern_mkfifo(struct nlookupdata *nd, int mode)
1935 struct thread *td = curthread;
1936 struct proc *p = td->td_proc;
1943 nd->nl_flags |= NLC_CREATE | NLC_REFDVP;
1944 if ((error = nlookup(nd)) != 0)
1946 if (nd->nl_nch.ncp->nc_vp)
1948 if ((error = ncp_writechk(&nd->nl_nch)) != 0)
1952 vattr.va_type = VFIFO;
1953 vattr.va_mode = (mode & ALLPERMS) &~ p->p_fd->fd_cmask;
1955 error = VOP_NMKNOD(&nd->nl_nch, nd->nl_dvp, &vp, nd->nl_cred, &vattr);
1962 * mkfifo_args(char *path, int mode)
1964 * Create a named pipe.
1967 sys_mkfifo(struct mkfifo_args *uap)
1969 struct nlookupdata nd;
1972 error = nlookup_init(&nd, uap->path, UIO_USERSPACE, 0);
1974 error = kern_mkfifo(&nd, uap->mode);
1979 static int hardlink_check_uid = 0;
1980 SYSCTL_INT(_security, OID_AUTO, hardlink_check_uid, CTLFLAG_RW,
1981 &hardlink_check_uid, 0,
1982 "Unprivileged processes cannot create hard links to files owned by other "
1984 static int hardlink_check_gid = 0;
1985 SYSCTL_INT(_security, OID_AUTO, hardlink_check_gid, CTLFLAG_RW,
1986 &hardlink_check_gid, 0,
1987 "Unprivileged processes cannot create hard links to files owned by other "
1991 can_hardlink(struct vnode *vp, struct thread *td, struct ucred *cred)
1997 * Shortcut if disabled
1999 if (hardlink_check_uid == 0 && hardlink_check_gid == 0)
2003 * root cred can always hardlink
2005 if (priv_check_cred(cred, PRIV_ROOT, PRISON_ROOT) == 0)
2009 * Otherwise only if the originating file is owned by the
2010 * same user or group. Note that any group is allowed if
2011 * the file is owned by the caller.
2013 error = VOP_GETATTR(vp, &va);
2017 if (hardlink_check_uid) {
2018 if (cred->cr_uid != va.va_uid)
2022 if (hardlink_check_gid) {
2023 if (cred->cr_uid != va.va_uid && !groupmember(va.va_gid, cred))
2031 kern_link(struct nlookupdata *nd, struct nlookupdata *linknd)
2033 struct thread *td = curthread;
2038 * Lookup the source and obtained a locked vnode.
2040 * XXX relookup on vget failure / race ?
2043 if ((error = nlookup(nd)) != 0)
2045 vp = nd->nl_nch.ncp->nc_vp;
2046 KKASSERT(vp != NULL);
2047 if (vp->v_type == VDIR)
2048 return (EPERM); /* POSIX */
2049 if ((error = ncp_writechk(&nd->nl_nch)) != 0)
2051 if ((error = vget(vp, LK_EXCLUSIVE)) != 0)
2055 * Unlock the source so we can lookup the target without deadlocking
2056 * (XXX vp is locked already, possible other deadlock?). The target
2059 KKASSERT(nd->nl_flags & NLC_NCPISLOCKED);
2060 nd->nl_flags &= ~NLC_NCPISLOCKED;
2061 cache_unlock(&nd->nl_nch);
2063 linknd->nl_flags |= NLC_CREATE | NLC_REFDVP;
2064 if ((error = nlookup(linknd)) != 0) {
2068 if (linknd->nl_nch.ncp->nc_vp) {
2074 * Finally run the new API VOP.
2076 error = can_hardlink(vp, td, td->td_proc->p_ucred);
2078 error = VOP_NLINK(&linknd->nl_nch, linknd->nl_dvp,
2079 vp, linknd->nl_cred);
2086 * link_args(char *path, char *link)
2088 * Make a hard file link.
2091 sys_link(struct link_args *uap)
2093 struct nlookupdata nd, linknd;
2096 error = nlookup_init(&nd, uap->path, UIO_USERSPACE, NLC_FOLLOW);
2098 error = nlookup_init(&linknd, uap->link, UIO_USERSPACE, 0);
2100 error = kern_link(&nd, &linknd);
2101 nlookup_done(&linknd);
2108 kern_symlink(struct nlookupdata *nd, char *path, int mode)
2116 nd->nl_flags |= NLC_CREATE | NLC_REFDVP;
2117 if ((error = nlookup(nd)) != 0)
2119 if (nd->nl_nch.ncp->nc_vp)
2121 if ((error = ncp_writechk(&nd->nl_nch)) != 0)
2125 vattr.va_mode = mode;
2126 error = VOP_NSYMLINK(&nd->nl_nch, dvp, &vp, nd->nl_cred, &vattr, path);
2133 * symlink(char *path, char *link)
2135 * Make a symbolic link.
2138 sys_symlink(struct symlink_args *uap)
2140 struct thread *td = curthread;
2141 struct nlookupdata nd;
2146 path = objcache_get(namei_oc, M_WAITOK);
2147 error = copyinstr(uap->path, path, MAXPATHLEN, NULL);
2149 error = nlookup_init(&nd, uap->link, UIO_USERSPACE, 0);
2151 mode = ACCESSPERMS & ~td->td_proc->p_fd->fd_cmask;
2152 error = kern_symlink(&nd, path, mode);
2156 objcache_put(namei_oc, path);
2161 * undelete_args(char *path)
2163 * Delete a whiteout from the filesystem.
2167 sys_undelete(struct undelete_args *uap)
2169 struct nlookupdata nd;
2172 error = nlookup_init(&nd, uap->path, UIO_USERSPACE, 0);
2174 nd.nl_flags |= NLC_DELETE | NLC_REFDVP;
2176 error = nlookup(&nd);
2178 error = ncp_writechk(&nd.nl_nch);
2180 error = VOP_NWHITEOUT(&nd.nl_nch, nd.nl_dvp, nd.nl_cred,
2188 kern_unlink(struct nlookupdata *nd)
2193 nd->nl_flags |= NLC_DELETE | NLC_REFDVP;
2194 if ((error = nlookup(nd)) != 0)
2196 if ((error = ncp_writechk(&nd->nl_nch)) != 0)
2198 error = VOP_NREMOVE(&nd->nl_nch, nd->nl_dvp, nd->nl_cred);
2203 * unlink_args(char *path)
2205 * Delete a name from the filesystem.
2208 sys_unlink(struct unlink_args *uap)
2210 struct nlookupdata nd;
2213 error = nlookup_init(&nd, uap->path, UIO_USERSPACE, 0);
2215 error = kern_unlink(&nd);
2221 kern_lseek(int fd, off_t offset, int whence, off_t *res)
2223 struct thread *td = curthread;
2224 struct proc *p = td->td_proc;
2231 fp = holdfp(p->p_fd, fd, -1);
2234 if (fp->f_type != DTYPE_VNODE) {
2238 vp = (struct vnode *)fp->f_data;
2242 new_offset = fp->f_offset + offset;
2246 error = VOP_GETATTR(vp, &vattr);
2247 new_offset = offset + vattr.va_size;
2250 new_offset = offset;
2260 * Validate the seek position. Negative offsets are not allowed
2261 * for regular files, block specials, or directories.
2264 if (new_offset < 0 &&
2265 (vp->v_type == VREG || vp->v_type == VDIR ||
2266 vp->v_type == VCHR || vp->v_type == VBLK)) {
2269 fp->f_offset = new_offset;
2272 *res = fp->f_offset;
2279 * lseek_args(int fd, int pad, off_t offset, int whence)
2281 * Reposition read/write file offset.
2284 sys_lseek(struct lseek_args *uap)
2288 error = kern_lseek(uap->fd, uap->offset, uap->whence,
2289 &uap->sysmsg_offset);
2295 kern_access(struct nlookupdata *nd, int aflags)
2300 if ((error = nlookup(nd)) != 0)
2303 error = cache_vget(&nd->nl_nch, nd->nl_cred, LK_EXCLUSIVE, &vp);
2307 /* Flags == 0 means only check for existence. */
2316 if ((flags & VWRITE) == 0 ||
2317 (error = vn_writechk(vp, &nd->nl_nch)) == 0)
2318 error = VOP_ACCESS(vp, flags, nd->nl_cred);
2321 * If the file handle is stale we have to re-resolve the
2322 * entry. This is a hack at the moment.
2324 if (error == ESTALE) {
2326 cache_setunresolved(&nd->nl_nch);
2327 error = cache_resolve(&nd->nl_nch, nd->nl_cred);
2340 * access_args(char *path, int flags)
2342 * Check access permissions.
2345 sys_access(struct access_args *uap)
2347 struct nlookupdata nd;
2350 error = nlookup_init(&nd, uap->path, UIO_USERSPACE, NLC_FOLLOW);
2352 error = kern_access(&nd, uap->flags);
2358 kern_stat(struct nlookupdata *nd, struct stat *st)
2364 if ((error = nlookup(nd)) != 0)
2367 if ((vp = nd->nl_nch.ncp->nc_vp) == NULL)
2371 if ((error = vget(vp, LK_SHARED)) != 0)
2373 error = vn_stat(vp, st, nd->nl_cred);
2376 * If the file handle is stale we have to re-resolve the entry. This
2377 * is a hack at the moment.
2379 if (error == ESTALE) {
2381 cache_setunresolved(&nd->nl_nch);
2382 error = cache_resolve(&nd->nl_nch, nd->nl_cred);
2392 * stat_args(char *path, struct stat *ub)
2394 * Get file status; this version follows links.
2397 sys_stat(struct stat_args *uap)
2399 struct nlookupdata nd;
2403 error = nlookup_init(&nd, uap->path, UIO_USERSPACE, NLC_FOLLOW);
2405 error = kern_stat(&nd, &st);
2407 error = copyout(&st, uap->ub, sizeof(*uap->ub));
2414 * lstat_args(char *path, struct stat *ub)
2416 * Get file status; this version does not follow links.
2419 sys_lstat(struct lstat_args *uap)
2421 struct nlookupdata nd;
2425 error = nlookup_init(&nd, uap->path, UIO_USERSPACE, 0);
2427 error = kern_stat(&nd, &st);
2429 error = copyout(&st, uap->ub, sizeof(*uap->ub));
2436 * pathconf_Args(char *path, int name)
2438 * Get configurable pathname variables.
2442 sys_pathconf(struct pathconf_args *uap)
2444 struct nlookupdata nd;
2449 error = nlookup_init(&nd, uap->path, UIO_USERSPACE, NLC_FOLLOW);
2451 error = nlookup(&nd);
2453 error = cache_vget(&nd.nl_nch, nd.nl_cred, LK_EXCLUSIVE, &vp);
2456 error = VOP_PATHCONF(vp, uap->name, &uap->sysmsg_reg);
2464 * kern_readlink isn't properly split yet. There is a copyin burried
2465 * in VOP_READLINK().
2468 kern_readlink(struct nlookupdata *nd, char *buf, int count, int *res)
2470 struct thread *td = curthread;
2471 struct proc *p = td->td_proc;
2477 if ((error = nlookup(nd)) != 0)
2479 error = cache_vget(&nd->nl_nch, nd->nl_cred, LK_EXCLUSIVE, &vp);
2482 if (vp->v_type != VLNK) {
2485 aiov.iov_base = buf;
2486 aiov.iov_len = count;
2487 auio.uio_iov = &aiov;
2488 auio.uio_iovcnt = 1;
2489 auio.uio_offset = 0;
2490 auio.uio_rw = UIO_READ;
2491 auio.uio_segflg = UIO_USERSPACE;
2493 auio.uio_resid = count;
2494 error = VOP_READLINK(vp, &auio, p->p_ucred);
2497 *res = count - auio.uio_resid;
2502 * readlink_args(char *path, char *buf, int count)
2504 * Return target name of a symbolic link.
2507 sys_readlink(struct readlink_args *uap)
2509 struct nlookupdata nd;
2512 error = nlookup_init(&nd, uap->path, UIO_USERSPACE, 0);
2514 error = kern_readlink(&nd, uap->buf, uap->count,
2515 &uap->sysmsg_result);
2522 setfflags(struct vnode *vp, int flags)
2524 struct thread *td = curthread;
2525 struct proc *p = td->td_proc;
2530 * Prevent non-root users from setting flags on devices. When
2531 * a device is reused, users can retain ownership of the device
2532 * if they are allowed to set flags and programs assume that
2533 * chown can't fail when done as root.
2535 if ((vp->v_type == VCHR || vp->v_type == VBLK) &&
2536 ((error = priv_check_cred(p->p_ucred, PRIV_ROOT, PRISON_ROOT)) != 0))
2540 * note: vget is required for any operation that might mod the vnode
2541 * so VINACTIVE is properly cleared.
2543 if ((error = vget(vp, LK_EXCLUSIVE)) == 0) {
2545 vattr.va_flags = flags;
2546 error = VOP_SETATTR(vp, &vattr, p->p_ucred);
2553 * chflags(char *path, int flags)
2555 * Change flags of a file given a path name.
2559 sys_chflags(struct chflags_args *uap)
2561 struct nlookupdata nd;
2566 error = nlookup_init(&nd, uap->path, UIO_USERSPACE, NLC_FOLLOW);
2567 /* XXX Add NLC flag indicating modifying operation? */
2569 error = nlookup(&nd);
2571 error = ncp_writechk(&nd.nl_nch);
2573 error = cache_vref(&nd.nl_nch, nd.nl_cred, &vp);
2576 error = setfflags(vp, uap->flags);
2583 * lchflags(char *path, int flags)
2585 * Change flags of a file given a path name, but don't follow symlinks.
2589 sys_lchflags(struct lchflags_args *uap)
2591 struct nlookupdata nd;
2596 error = nlookup_init(&nd, uap->path, UIO_USERSPACE, 0);
2597 /* XXX Add NLC flag indicating modifying operation? */
2599 error = nlookup(&nd);
2601 error = ncp_writechk(&nd.nl_nch);
2603 error = cache_vref(&nd.nl_nch, nd.nl_cred, &vp);
2606 error = setfflags(vp, uap->flags);
2613 * fchflags_args(int fd, int flags)
2615 * Change flags of a file given a file descriptor.
2619 sys_fchflags(struct fchflags_args *uap)
2621 struct thread *td = curthread;
2622 struct proc *p = td->td_proc;
2626 if ((error = holdvnode(p->p_fd, uap->fd, &fp)) != 0)
2628 if (fp->f_nchandle.ncp)
2629 error = ncp_writechk(&fp->f_nchandle);
2631 error = setfflags((struct vnode *) fp->f_data, uap->flags);
2637 setfmode(struct vnode *vp, int mode)
2639 struct thread *td = curthread;
2640 struct proc *p = td->td_proc;
2645 * note: vget is required for any operation that might mod the vnode
2646 * so VINACTIVE is properly cleared.
2648 if ((error = vget(vp, LK_EXCLUSIVE)) == 0) {
2650 vattr.va_mode = mode & ALLPERMS;
2651 error = VOP_SETATTR(vp, &vattr, p->p_ucred);
2658 kern_chmod(struct nlookupdata *nd, int mode)
2663 /* XXX Add NLC flag indicating modifying operation? */
2664 if ((error = nlookup(nd)) != 0)
2666 if ((error = cache_vref(&nd->nl_nch, nd->nl_cred, &vp)) != 0)
2668 if ((error = ncp_writechk(&nd->nl_nch)) == 0)
2669 error = setfmode(vp, mode);
2675 * chmod_args(char *path, int mode)
2677 * Change mode of a file given path name.
2681 sys_chmod(struct chmod_args *uap)
2683 struct nlookupdata nd;
2686 error = nlookup_init(&nd, uap->path, UIO_USERSPACE, NLC_FOLLOW);
2688 error = kern_chmod(&nd, uap->mode);
2694 * lchmod_args(char *path, int mode)
2696 * Change mode of a file given path name (don't follow links.)
2700 sys_lchmod(struct lchmod_args *uap)
2702 struct nlookupdata nd;
2705 error = nlookup_init(&nd, uap->path, UIO_USERSPACE, 0);
2707 error = kern_chmod(&nd, uap->mode);
2713 * fchmod_args(int fd, int mode)
2715 * Change mode of a file given a file descriptor.
2719 sys_fchmod(struct fchmod_args *uap)
2721 struct thread *td = curthread;
2722 struct proc *p = td->td_proc;
2726 if ((error = holdvnode(p->p_fd, uap->fd, &fp)) != 0)
2728 if (fp->f_nchandle.ncp)
2729 error = ncp_writechk(&fp->f_nchandle);
2731 error = setfmode((struct vnode *)fp->f_data, uap->mode);
2737 setfown(struct vnode *vp, uid_t uid, gid_t gid)
2739 struct thread *td = curthread;
2740 struct proc *p = td->td_proc;
2745 * note: vget is required for any operation that might mod the vnode
2746 * so VINACTIVE is properly cleared.
2748 if ((error = vget(vp, LK_EXCLUSIVE)) == 0) {
2752 error = VOP_SETATTR(vp, &vattr, p->p_ucred);
2759 kern_chown(struct nlookupdata *nd, int uid, int gid)
2764 /* XXX Add NLC flag indicating modifying operation? */
2765 if ((error = nlookup(nd)) != 0)
2767 if ((error = cache_vref(&nd->nl_nch, nd->nl_cred, &vp)) != 0)
2769 if ((error = ncp_writechk(&nd->nl_nch)) == 0)
2770 error = setfown(vp, uid, gid);
2776 * chown(char *path, int uid, int gid)
2778 * Set ownership given a path name.
2781 sys_chown(struct chown_args *uap)
2783 struct nlookupdata nd;
2786 error = nlookup_init(&nd, uap->path, UIO_USERSPACE, NLC_FOLLOW);
2788 error = kern_chown(&nd, uap->uid, uap->gid);
2794 * lchown_args(char *path, int uid, int gid)
2796 * Set ownership given a path name, do not cross symlinks.
2799 sys_lchown(struct lchown_args *uap)
2801 struct nlookupdata nd;
2804 error = nlookup_init(&nd, uap->path, UIO_USERSPACE, 0);
2806 error = kern_chown(&nd, uap->uid, uap->gid);
2812 * fchown_args(int fd, int uid, int gid)
2814 * Set ownership given a file descriptor.
2818 sys_fchown(struct fchown_args *uap)
2820 struct thread *td = curthread;
2821 struct proc *p = td->td_proc;
2825 if ((error = holdvnode(p->p_fd, uap->fd, &fp)) != 0)
2827 if (fp->f_nchandle.ncp)
2828 error = ncp_writechk(&fp->f_nchandle);
2830 error = setfown((struct vnode *)fp->f_data, uap->uid, uap->gid);
2836 getutimes(const struct timeval *tvp, struct timespec *tsp)
2838 struct timeval tv[2];
2842 TIMEVAL_TO_TIMESPEC(&tv[0], &tsp[0]);
2845 TIMEVAL_TO_TIMESPEC(&tvp[0], &tsp[0]);
2846 TIMEVAL_TO_TIMESPEC(&tvp[1], &tsp[1]);
2852 setutimes(struct vnode *vp, const struct timespec *ts, int nullflag)
2854 struct thread *td = curthread;
2855 struct proc *p = td->td_proc;
2860 * note: vget is required for any operation that might mod the vnode
2861 * so VINACTIVE is properly cleared.
2863 if ((error = vget(vp, LK_EXCLUSIVE)) == 0) {
2865 vattr.va_atime = ts[0];
2866 vattr.va_mtime = ts[1];
2868 vattr.va_vaflags |= VA_UTIMES_NULL;
2869 error = VOP_SETATTR(vp, &vattr, p->p_ucred);
2876 kern_utimes(struct nlookupdata *nd, struct timeval *tptr)
2878 struct timespec ts[2];
2882 if ((error = getutimes(tptr, ts)) != 0)
2884 /* XXX Add NLC flag indicating modifying operation? */
2885 if ((error = nlookup(nd)) != 0)
2887 if ((error = ncp_writechk(&nd->nl_nch)) != 0)
2889 if ((error = cache_vref(&nd->nl_nch, nd->nl_cred, &vp)) != 0)
2893 * NOTE: utimes() succeeds for the owner even if the file
2894 * is not user-writable.
2896 if ((error = vn_writechk(vp, &nd->nl_nch)) == 0 &&
2897 (error = VOP_ACCESS(vp, VWRITE | VOWN, nd->nl_cred)) == 0) {
2898 error = setutimes(vp, ts, tptr == NULL);
2905 * utimes_args(char *path, struct timeval *tptr)
2907 * Set the access and modification times of a file.
2910 sys_utimes(struct utimes_args *uap)
2912 struct timeval tv[2];
2913 struct nlookupdata nd;
2917 error = copyin(uap->tptr, tv, sizeof(tv));
2921 error = nlookup_init(&nd, uap->path, UIO_USERSPACE, NLC_FOLLOW);
2923 error = kern_utimes(&nd, uap->tptr ? tv : NULL);
2929 * lutimes_args(char *path, struct timeval *tptr)
2931 * Set the access and modification times of a file.
2934 sys_lutimes(struct lutimes_args *uap)
2936 struct timeval tv[2];
2937 struct nlookupdata nd;
2941 error = copyin(uap->tptr, tv, sizeof(tv));
2945 error = nlookup_init(&nd, uap->path, UIO_USERSPACE, 0);
2947 error = kern_utimes(&nd, uap->tptr ? tv : NULL);
2953 kern_futimes(int fd, struct timeval *tptr)
2955 struct thread *td = curthread;
2956 struct proc *p = td->td_proc;
2957 struct timespec ts[2];
2961 error = getutimes(tptr, ts);
2964 if ((error = holdvnode(p->p_fd, fd, &fp)) != 0)
2966 if (fp->f_nchandle.ncp)
2967 error = ncp_writechk(&fp->f_nchandle);
2969 error = setutimes((struct vnode *)fp->f_data, ts, tptr == NULL);
2975 * futimes_args(int fd, struct timeval *tptr)
2977 * Set the access and modification times of a file.
2980 sys_futimes(struct futimes_args *uap)
2982 struct timeval tv[2];
2986 error = copyin(uap->tptr, tv, sizeof(tv));
2991 error = kern_futimes(uap->fd, uap->tptr ? tv : NULL);
2997 kern_truncate(struct nlookupdata *nd, off_t length)
3005 /* XXX Add NLC flag indicating modifying operation? */
3006 if ((error = nlookup(nd)) != 0)
3008 if ((error = ncp_writechk(&nd->nl_nch)) != 0)
3010 if ((error = cache_vref(&nd->nl_nch, nd->nl_cred, &vp)) != 0)
3012 if ((error = vn_lock(vp, LK_EXCLUSIVE | LK_RETRY)) != 0) {
3016 if (vp->v_type == VDIR) {
3018 } else if ((error = vn_writechk(vp, &nd->nl_nch)) == 0 &&
3019 (error = VOP_ACCESS(vp, VWRITE, nd->nl_cred)) == 0) {
3021 vattr.va_size = length;
3022 error = VOP_SETATTR(vp, &vattr, nd->nl_cred);
3029 * truncate(char *path, int pad, off_t length)
3031 * Truncate a file given its path name.
3034 sys_truncate(struct truncate_args *uap)
3036 struct nlookupdata nd;
3039 error = nlookup_init(&nd, uap->path, UIO_USERSPACE, NLC_FOLLOW);
3041 error = kern_truncate(&nd, uap->length);
3047 kern_ftruncate(int fd, off_t length)
3049 struct thread *td = curthread;
3050 struct proc *p = td->td_proc;
3058 if ((error = holdvnode(p->p_fd, fd, &fp)) != 0)
3060 if (fp->f_nchandle.ncp) {
3061 error = ncp_writechk(&fp->f_nchandle);
3065 if ((fp->f_flag & FWRITE) == 0) {
3069 vp = (struct vnode *)fp->f_data;
3070 vn_lock(vp, LK_EXCLUSIVE | LK_RETRY);
3071 if (vp->v_type == VDIR) {
3073 } else if ((error = vn_writechk(vp, NULL)) == 0) {
3075 vattr.va_size = length;
3076 error = VOP_SETATTR(vp, &vattr, fp->f_cred);
3085 * ftruncate_args(int fd, int pad, off_t length)
3087 * Truncate a file given a file descriptor.
3090 sys_ftruncate(struct ftruncate_args *uap)
3094 error = kern_ftruncate(uap->fd, uap->length);
3102 * Sync an open file.
3106 sys_fsync(struct fsync_args *uap)
3108 struct thread *td = curthread;
3109 struct proc *p = td->td_proc;
3115 if ((error = holdvnode(p->p_fd, uap->fd, &fp)) != 0)
3117 vp = (struct vnode *)fp->f_data;
3118 vn_lock(vp, LK_EXCLUSIVE | LK_RETRY);
3119 if ((obj = vp->v_object) != NULL)
3120 vm_object_page_clean(obj, 0, 0, 0);
3121 if ((error = VOP_FSYNC(vp, MNT_WAIT)) == 0 && vp->v_mount)
3122 error = buf_fsync(vp);
3129 kern_rename(struct nlookupdata *fromnd, struct nlookupdata *tond)
3131 struct nchandle fnchd;
3132 struct nchandle tnchd;
3133 struct namecache *ncp;
3140 fromnd->nl_flags |= NLC_REFDVP | NLC_DELETE;
3141 if ((error = nlookup(fromnd)) != 0)
3143 if ((fnchd.ncp = fromnd->nl_nch.ncp->nc_parent) == NULL)
3145 fnchd.mount = fromnd->nl_nch.mount;
3149 * unlock the source nch so we can lookup the target nch without
3150 * deadlocking. The target may or may not exist so we do not check
3151 * for a target vp like kern_mkdir() and other creation functions do.
3153 * The source and target directories are ref'd and rechecked after
3154 * everything is relocked to determine if the source or target file
3157 KKASSERT(fromnd->nl_flags & NLC_NCPISLOCKED);
3158 fromnd->nl_flags &= ~NLC_NCPISLOCKED;
3159 cache_unlock(&fromnd->nl_nch);
3161 tond->nl_flags |= NLC_RENAME | NLC_REFDVP;
3162 if ((error = nlookup(tond)) != 0) {
3166 if ((tnchd.ncp = tond->nl_nch.ncp->nc_parent) == NULL) {
3170 tnchd.mount = tond->nl_nch.mount;
3174 * If the source and target are the same there is nothing to do
3176 if (fromnd->nl_nch.ncp == tond->nl_nch.ncp) {
3183 * Mount points cannot be renamed or overwritten
3185 if ((fromnd->nl_nch.ncp->nc_flag | tond->nl_nch.ncp->nc_flag) &
3194 * relock the source ncp. NOTE AFTER RELOCKING: the source ncp
3195 * may have become invalid while it was unlocked, nc_vp and nc_mount
3198 if (cache_lock_nonblock(&fromnd->nl_nch) == 0) {
3199 cache_resolve(&fromnd->nl_nch, fromnd->nl_cred);
3200 } else if (fromnd->nl_nch.ncp > tond->nl_nch.ncp) {
3201 cache_lock(&fromnd->nl_nch);
3202 cache_resolve(&fromnd->nl_nch, fromnd->nl_cred);
3204 cache_unlock(&tond->nl_nch);
3205 cache_lock(&fromnd->nl_nch);
3206 cache_resolve(&fromnd->nl_nch, fromnd->nl_cred);
3207 cache_lock(&tond->nl_nch);
3208 cache_resolve(&tond->nl_nch, tond->nl_cred);
3210 fromnd->nl_flags |= NLC_NCPISLOCKED;
3213 * make sure the parent directories linkages are the same
3215 if (fnchd.ncp != fromnd->nl_nch.ncp->nc_parent ||
3216 tnchd.ncp != tond->nl_nch.ncp->nc_parent) {
3223 * Both the source and target must be within the same filesystem and
3224 * in the same filesystem as their parent directories within the
3225 * namecache topology.
3227 * NOTE: fromnd's nc_mount or nc_vp could be NULL.
3230 if (mp != tnchd.mount || mp != fromnd->nl_nch.mount ||
3231 mp != tond->nl_nch.mount) {
3238 * Make sure the mount point is writable
3240 if ((error = ncp_writechk(&tond->nl_nch)) != 0) {
3247 * If the target exists and either the source or target is a directory,
3248 * then both must be directories.
3250 * Due to relocking of the source, fromnd->nl_nch.ncp->nc_vp might h
3253 if (tond->nl_nch.ncp->nc_vp) {
3254 if (fromnd->nl_nch.ncp->nc_vp == NULL) {
3256 } else if (fromnd->nl_nch.ncp->nc_vp->v_type == VDIR) {
3257 if (tond->nl_nch.ncp->nc_vp->v_type != VDIR)
3259 } else if (tond->nl_nch.ncp->nc_vp->v_type == VDIR) {
3265 * You cannot rename a source into itself or a subdirectory of itself.
3266 * We check this by travsersing the target directory upwards looking
3267 * for a match against the source.
3270 for (ncp = tnchd.ncp; ncp; ncp = ncp->nc_parent) {
3271 if (fromnd->nl_nch.ncp == ncp) {
3282 * Even though the namespaces are different, they may still represent
3283 * hardlinks to the same file. The filesystem might have a hard time
3284 * with this so we issue a NREMOVE of the source instead of a NRENAME
3285 * when we detect the situation.
3288 fdvp = fromnd->nl_dvp;
3289 tdvp = tond->nl_dvp;
3290 if (fdvp == NULL || tdvp == NULL) {
3292 } else if (fromnd->nl_nch.ncp->nc_vp == tond->nl_nch.ncp->nc_vp) {
3293 error = VOP_NREMOVE(&fromnd->nl_nch, fdvp,
3296 error = VOP_NRENAME(&fromnd->nl_nch, &tond->nl_nch,
3297 fdvp, tdvp, tond->nl_cred);
3304 * rename_args(char *from, char *to)
3306 * Rename files. Source and destination must either both be directories,
3307 * or both not be directories. If target is a directory, it must be empty.
3310 sys_rename(struct rename_args *uap)
3312 struct nlookupdata fromnd, tond;
3315 error = nlookup_init(&fromnd, uap->from, UIO_USERSPACE, 0);
3317 error = nlookup_init(&tond, uap->to, UIO_USERSPACE, 0);
3319 error = kern_rename(&fromnd, &tond);
3320 nlookup_done(&tond);
3322 nlookup_done(&fromnd);
3327 kern_mkdir(struct nlookupdata *nd, int mode)
3329 struct thread *td = curthread;
3330 struct proc *p = td->td_proc;
3336 nd->nl_flags |= NLC_WILLBEDIR | NLC_CREATE | NLC_REFDVP;
3337 if ((error = nlookup(nd)) != 0)
3340 if (nd->nl_nch.ncp->nc_vp)
3342 if ((error = ncp_writechk(&nd->nl_nch)) != 0)
3345 vattr.va_type = VDIR;
3346 vattr.va_mode = (mode & ACCESSPERMS) &~ p->p_fd->fd_cmask;
3349 error = VOP_NMKDIR(&nd->nl_nch, nd->nl_dvp, &vp, p->p_ucred, &vattr);
3356 * mkdir_args(char *path, int mode)
3358 * Make a directory file.
3362 sys_mkdir(struct mkdir_args *uap)
3364 struct nlookupdata nd;
3367 error = nlookup_init(&nd, uap->path, UIO_USERSPACE, 0);
3369 error = kern_mkdir(&nd, uap->mode);
3375 kern_rmdir(struct nlookupdata *nd)
3380 nd->nl_flags |= NLC_DELETE | NLC_REFDVP;
3381 if ((error = nlookup(nd)) != 0)
3385 * Do not allow directories representing mount points to be
3386 * deleted, even if empty. Check write perms on mount point
3387 * in case the vnode is aliased (aka nullfs).
3389 if (nd->nl_nch.ncp->nc_flag & (NCF_ISMOUNTPT))
3391 if ((error = ncp_writechk(&nd->nl_nch)) != 0)
3393 error = VOP_NRMDIR(&nd->nl_nch, nd->nl_dvp, nd->nl_cred);
3398 * rmdir_args(char *path)
3400 * Remove a directory file.
3404 sys_rmdir(struct rmdir_args *uap)
3406 struct nlookupdata nd;
3409 error = nlookup_init(&nd, uap->path, UIO_USERSPACE, 0);
3411 error = kern_rmdir(&nd);
3417 kern_getdirentries(int fd, char *buf, u_int count, long *basep, int *res,
3418 enum uio_seg direction)
3420 struct thread *td = curthread;
3421 struct proc *p = td->td_proc;
3429 if ((error = holdvnode(p->p_fd, fd, &fp)) != 0)
3431 if ((fp->f_flag & FREAD) == 0) {
3435 vp = (struct vnode *)fp->f_data;
3437 if (vp->v_type != VDIR) {
3441 aiov.iov_base = buf;
3442 aiov.iov_len = count;
3443 auio.uio_iov = &aiov;
3444 auio.uio_iovcnt = 1;
3445 auio.uio_rw = UIO_READ;
3446 auio.uio_segflg = direction;
3448 auio.uio_resid = count;
3449 loff = auio.uio_offset = fp->f_offset;
3450 error = VOP_READDIR(vp, &auio, fp->f_cred, &eofflag, NULL, NULL);
3451 fp->f_offset = auio.uio_offset;
3454 if (count == auio.uio_resid) {
3455 if (union_dircheckp) {
3456 error = union_dircheckp(td, &vp, fp);
3463 if ((vp->v_flag & VROOT) &&
3464 (vp->v_mount->mnt_flag & MNT_UNION)) {
3465 struct vnode *tvp = vp;
3466 vp = vp->v_mount->mnt_vnodecovered;
3477 * WARNING! *basep may not be wide enough to accomodate the
3478 * seek offset. XXX should we hack this to return the upper 32 bits
3479 * for offsets greater then 4G?
3482 *basep = (long)loff;
3484 *res = count - auio.uio_resid;
3491 * getdirentries_args(int fd, char *buf, u_int conut, long *basep)
3493 * Read a block of directory entries in a file system independent format.
3496 sys_getdirentries(struct getdirentries_args *uap)
3501 error = kern_getdirentries(uap->fd, uap->buf, uap->count, &base,
3502 &uap->sysmsg_result, UIO_USERSPACE);
3504 if (error == 0 && uap->basep)
3505 error = copyout(&base, uap->basep, sizeof(*uap->basep));
3510 * getdents_args(int fd, char *buf, size_t count)
3513 sys_getdents(struct getdents_args *uap)
3517 error = kern_getdirentries(uap->fd, uap->buf, uap->count, NULL,
3518 &uap->sysmsg_result, UIO_USERSPACE);
3524 * umask(int newmask)
3526 * Set the mode mask for creation of filesystem nodes.
3531 sys_umask(struct umask_args *uap)
3533 struct thread *td = curthread;
3534 struct proc *p = td->td_proc;
3535 struct filedesc *fdp;
3538 uap->sysmsg_result = fdp->fd_cmask;
3539 fdp->fd_cmask = uap->newmask & ALLPERMS;
3544 * revoke(char *path)
3546 * Void all references to file by ripping underlying filesystem
3551 sys_revoke(struct revoke_args *uap)
3553 struct nlookupdata nd;
3560 error = nlookup_init(&nd, uap->path, UIO_USERSPACE, NLC_FOLLOW);
3562 error = nlookup(&nd);
3564 error = cache_vref(&nd.nl_nch, nd.nl_cred, &vp);
3565 cred = crhold(nd.nl_cred);
3569 error = VOP_GETATTR(vp, &vattr);
3570 if (error == 0 && cred->cr_uid != vattr.va_uid)
3571 error = priv_check_cred(cred, PRIV_ROOT, PRISON_ROOT);
3572 if (error == 0 && (vp->v_type == VCHR || vp->v_type == VBLK)) {
3573 if (count_udev(vp->v_umajor, vp->v_uminor) > 0)
3574 error = vrevoke(vp, cred);
3575 } else if (error == 0) {
3576 error = vrevoke(vp, cred);
3586 * getfh_args(char *fname, fhandle_t *fhp)
3588 * Get (NFS) file handle
3590 * NOTE: We use the fsid of the covering mount, even if it is a nullfs
3591 * mount. This allows nullfs mounts to be explicitly exported.
3593 * WARNING: nullfs mounts of HAMMER PFS ROOTs are safe.
3595 * nullfs mounts of subdirectories are not safe. That is, it will
3596 * work, but you do not really have protection against access to
3597 * the related parent directories.
3600 sys_getfh(struct getfh_args *uap)
3602 struct thread *td = curthread;
3603 struct nlookupdata nd;
3610 * Must be super user
3612 if ((error = priv_check(td, PRIV_ROOT)) != 0)
3616 error = nlookup_init(&nd, uap->fname, UIO_USERSPACE, NLC_FOLLOW);
3618 error = nlookup(&nd);
3620 error = cache_vget(&nd.nl_nch, nd.nl_cred, LK_EXCLUSIVE, &vp);
3621 mp = nd.nl_nch.mount;
3624 bzero(&fh, sizeof(fh));
3625 fh.fh_fsid = mp->mnt_stat.f_fsid;
3626 error = VFS_VPTOFH(vp, &fh.fh_fid);
3629 error = copyout(&fh, uap->fhp, sizeof(fh));
3635 * fhopen_args(const struct fhandle *u_fhp, int flags)
3637 * syscall for the rpc.lockd to use to translate a NFS file handle into
3638 * an open descriptor.
3640 * warning: do not remove the priv_check() call or this becomes one giant
3644 sys_fhopen(struct fhopen_args *uap)
3646 struct thread *td = curthread;
3647 struct proc *p = td->td_proc;
3652 struct vattr *vap = &vat;
3654 int fmode, mode, error, type;
3660 * Must be super user
3662 error = priv_check(td, PRIV_ROOT);
3666 fmode = FFLAGS(uap->flags);
3667 /* why not allow a non-read/write open for our lockd? */
3668 if (((fmode & (FREAD | FWRITE)) == 0) || (fmode & O_CREAT))
3670 error = copyin(uap->u_fhp, &fhp, sizeof(fhp));
3673 /* find the mount point */
3674 mp = vfs_getvfs(&fhp.fh_fsid);
3677 /* now give me my vnode, it gets returned to me locked */
3678 error = VFS_FHTOVP(mp, NULL, &fhp.fh_fid, &vp);
3682 * from now on we have to make sure not
3683 * to forget about the vnode
3684 * any error that causes an abort must vput(vp)
3685 * just set error = err and 'goto bad;'.
3691 if (vp->v_type == VLNK) {
3695 if (vp->v_type == VSOCK) {
3700 if (fmode & (FWRITE | O_TRUNC)) {
3701 if (vp->v_type == VDIR) {
3705 error = vn_writechk(vp, NULL);
3713 error = VOP_ACCESS(vp, mode, p->p_ucred);
3717 if (fmode & O_TRUNC) {
3718 vn_unlock(vp); /* XXX */
3719 vn_lock(vp, LK_EXCLUSIVE | LK_RETRY); /* XXX */
3722 error = VOP_SETATTR(vp, vap, p->p_ucred);
3728 * VOP_OPEN needs the file pointer so it can potentially override
3731 * WARNING! no f_nchandle will be associated when fhopen()ing a
3734 if ((error = falloc(p, &nfp, &indx)) != 0)
3738 error = VOP_OPEN(vp, fmode, p->p_ucred, fp);
3741 * setting f_ops this way prevents VOP_CLOSE from being
3742 * called or fdrop() releasing the vp from v_data. Since
3743 * the VOP_OPEN failed we don't want to VOP_CLOSE.
3745 fp->f_ops = &badfileops;
3751 * The fp is given its own reference, we still have our ref and lock.
3753 * Assert that all regular files must be created with a VM object.
3755 if (vp->v_type == VREG && vp->v_object == NULL) {
3756 kprintf("fhopen: regular file did not have VM object: %p\n", vp);
3761 * The open was successful. Handle any locking requirements.
3763 if (fmode & (O_EXLOCK | O_SHLOCK)) {
3764 lf.l_whence = SEEK_SET;
3767 if (fmode & O_EXLOCK)
3768 lf.l_type = F_WRLCK;
3770 lf.l_type = F_RDLCK;
3771 if (fmode & FNONBLOCK)
3776 if ((error = VOP_ADVLOCK(vp, (caddr_t)fp, F_SETLK, &lf, type)) != 0) {
3778 * release our private reference.
3780 fsetfd(p, NULL, indx);
3785 vn_lock(vp, LK_EXCLUSIVE | LK_RETRY);
3786 fp->f_flag |= FHASLOCK;
3790 * Clean up. Associate the file pointer with the previously
3791 * reserved descriptor and return it.
3794 fsetfd(p, fp, indx);
3796 uap->sysmsg_result = indx;
3800 fsetfd(p, NULL, indx);
3808 * fhstat_args(struct fhandle *u_fhp, struct stat *sb)
3811 sys_fhstat(struct fhstat_args *uap)
3813 struct thread *td = curthread;
3821 * Must be super user
3823 error = priv_check(td, PRIV_ROOT);
3827 error = copyin(uap->u_fhp, &fh, sizeof(fhandle_t));
3831 if ((mp = vfs_getvfs(&fh.fh_fsid)) == NULL)
3833 if ((error = VFS_FHTOVP(mp, NULL, &fh.fh_fid, &vp)))
3835 error = vn_stat(vp, &sb, td->td_proc->p_ucred);
3839 error = copyout(&sb, uap->sb, sizeof(sb));
3844 * fhstatfs_args(struct fhandle *u_fhp, struct statfs *buf)
3847 sys_fhstatfs(struct fhstatfs_args *uap)
3849 struct thread *td = curthread;
3850 struct proc *p = td->td_proc;
3855 char *fullpath, *freepath;
3860 * Must be super user
3862 if ((error = priv_check(td, PRIV_ROOT)))
3865 if ((error = copyin(uap->u_fhp, &fh, sizeof(fhandle_t))) != 0)
3868 if ((mp = vfs_getvfs(&fh.fh_fsid)) == NULL)
3871 if (p != NULL && !chroot_visible_mnt(mp, p))
3874 if ((error = VFS_FHTOVP(mp, NULL, &fh.fh_fid, &vp)))
3879 if ((error = VFS_STATFS(mp, sp, p->p_ucred)) != 0)
3882 error = mount_path(p, mp, &fullpath, &freepath);
3885 bzero(sp->f_mntonname, sizeof(sp->f_mntonname));
3886 strlcpy(sp->f_mntonname, fullpath, sizeof(sp->f_mntonname));
3887 kfree(freepath, M_TEMP);
3889 sp->f_flags = mp->mnt_flag & MNT_VISFLAGMASK;
3890 if (priv_check(td, PRIV_ROOT)) {
3891 bcopy(sp, &sb, sizeof(sb));
3892 sb.f_fsid.val[0] = sb.f_fsid.val[1] = 0;
3895 return (copyout(sp, uap->buf, sizeof(*sp)));
3899 * fhstatvfs_args(struct fhandle *u_fhp, struct statvfs *buf)
3902 sys_fhstatvfs(struct fhstatvfs_args *uap)
3904 struct thread *td = curthread;
3905 struct proc *p = td->td_proc;
3913 * Must be super user
3915 if ((error = priv_check(td, PRIV_ROOT)))
3918 if ((error = copyin(uap->u_fhp, &fh, sizeof(fhandle_t))) != 0)
3921 if ((mp = vfs_getvfs(&fh.fh_fsid)) == NULL)
3924 if (p != NULL && !chroot_visible_mnt(mp, p))
3927 if ((error = VFS_FHTOVP(mp, NULL, &fh.fh_fid, &vp)))
3930 sp = &mp->mnt_vstat;
3932 if ((error = VFS_STATVFS(mp, sp, p->p_ucred)) != 0)
3936 if (mp->mnt_flag & MNT_RDONLY)
3937 sp->f_flag |= ST_RDONLY;
3938 if (mp->mnt_flag & MNT_NOSUID)
3939 sp->f_flag |= ST_NOSUID;
3941 return (copyout(sp, uap->buf, sizeof(*sp)));
3946 * Syscall to push extended attribute configuration information into the
3947 * VFS. Accepts a path, which it converts to a mountpoint, as well as
3948 * a command (int cmd), and attribute name and misc data. For now, the
3949 * attribute name is left in userspace for consumption by the VFS_op.
3950 * It will probably be changed to be copied into sysspace by the
3951 * syscall in the future, once issues with various consumers of the
3952 * attribute code have raised their hands.
3954 * Currently this is used only by UFS Extended Attributes.
3957 sys_extattrctl(struct extattrctl_args *uap)
3959 struct nlookupdata nd;
3965 error = nlookup_init(&nd, uap->path, UIO_USERSPACE, NLC_FOLLOW);
3967 error = nlookup(&nd);
3969 mp = nd.nl_nch.mount;
3970 error = VFS_EXTATTRCTL(mp, uap->cmd,
3971 uap->attrname, uap->arg,
3979 * Syscall to set a named extended attribute on a file or directory.
3980 * Accepts attribute name, and a uio structure pointing to the data to set.
3981 * The uio is consumed in the style of writev(). The real work happens
3982 * in VOP_SETEXTATTR().
3985 sys_extattr_set_file(struct extattr_set_file_args *uap)
3987 char attrname[EXTATTR_MAXNAMELEN];
3988 struct iovec aiov[UIO_SMALLIOV];
3989 struct iovec *needfree;
3990 struct nlookupdata nd;
3999 error = copyin(uap->attrname, attrname, EXTATTR_MAXNAMELEN);
4004 error = nlookup_init(&nd, uap->path, UIO_USERSPACE, NLC_FOLLOW);
4006 error = nlookup(&nd);
4008 error = ncp_writechk(&nd.nl_nch);
4010 error = cache_vget(&nd.nl_nch, nd.nl_cred, LK_EXCLUSIVE, &vp);
4017 iovlen = uap->iovcnt * sizeof(struct iovec);
4018 if (uap->iovcnt > UIO_SMALLIOV) {
4019 if (uap->iovcnt > UIO_MAXIOV) {
4023 MALLOC(iov, struct iovec *, iovlen, M_IOV, M_WAITOK);
4029 auio.uio_iovcnt = uap->iovcnt;
4030 auio.uio_rw = UIO_WRITE;
4031 auio.uio_segflg = UIO_USERSPACE;
4032 auio.uio_td = nd.nl_td;
4033 auio.uio_offset = 0;
4034 if ((error = copyin(uap->iovp, iov, iovlen)))
4037 for (i = 0; i < uap->iovcnt; i++) {
4038 if (iov->iov_len > INT_MAX - auio.uio_resid) {
4042 auio.uio_resid += iov->iov_len;
4045 cnt = auio.uio_resid;
4046 error = VOP_SETEXTATTR(vp, attrname, &auio, nd.nl_cred);
4047 cnt -= auio.uio_resid;
4048 uap->sysmsg_result = cnt;
4053 FREE(needfree, M_IOV);
4058 * Syscall to get a named extended attribute on a file or directory.
4059 * Accepts attribute name, and a uio structure pointing to a buffer for the
4060 * data. The uio is consumed in the style of readv(). The real work
4061 * happens in VOP_GETEXTATTR();
4064 sys_extattr_get_file(struct extattr_get_file_args *uap)
4066 char attrname[EXTATTR_MAXNAMELEN];
4067 struct iovec aiov[UIO_SMALLIOV];
4068 struct iovec *needfree;
4069 struct nlookupdata nd;
4078 error = copyin(uap->attrname, attrname, EXTATTR_MAXNAMELEN);
4083 error = nlookup_init(&nd, uap->path, UIO_USERSPACE, NLC_FOLLOW);
4085 error = nlookup(&nd);
4087 error = cache_vget(&nd.nl_nch, nd.nl_cred, LK_EXCLUSIVE, &vp);
4093 iovlen = uap->iovcnt * sizeof (struct iovec);
4095 if (uap->iovcnt > UIO_SMALLIOV) {
4096 if (uap->iovcnt > UIO_MAXIOV) {
4100 MALLOC(iov, struct iovec *, iovlen, M_IOV, M_WAITOK);
4106 auio.uio_iovcnt = uap->iovcnt;
4107 auio.uio_rw = UIO_READ;
4108 auio.uio_segflg = UIO_USERSPACE;
4109 auio.uio_td = nd.nl_td;
4110 auio.uio_offset = 0;
4111 if ((error = copyin(uap->iovp, iov, iovlen)))
4114 for (i = 0; i < uap->iovcnt; i++) {
4115 if (iov->iov_len > INT_MAX - auio.uio_resid) {
4119 auio.uio_resid += iov->iov_len;
4122 cnt = auio.uio_resid;
4123 error = VOP_GETEXTATTR(vp, attrname, &auio, nd.nl_cred);
4124 cnt -= auio.uio_resid;
4125 uap->sysmsg_result = cnt;
4130 FREE(needfree, M_IOV);
4135 * Syscall to delete a named extended attribute from a file or directory.
4136 * Accepts attribute name. The real work happens in VOP_SETEXTATTR().
4139 sys_extattr_delete_file(struct extattr_delete_file_args *uap)
4141 char attrname[EXTATTR_MAXNAMELEN];
4142 struct nlookupdata nd;
4146 error = copyin(uap->attrname, attrname, EXTATTR_MAXNAMELEN);
4151 error = nlookup_init(&nd, uap->path, UIO_USERSPACE, NLC_FOLLOW);
4153 error = nlookup(&nd);
4155 error = ncp_writechk(&nd.nl_nch);
4157 error = cache_vget(&nd.nl_nch, nd.nl_cred, LK_EXCLUSIVE, &vp);
4163 error = VOP_SETEXTATTR(vp, attrname, NULL, nd.nl_cred);
4170 * Determine if the mount is visible to the process.
4173 chroot_visible_mnt(struct mount *mp, struct proc *p)
4175 struct nchandle nch;
4178 * Traverse from the mount point upwards. If we hit the process
4179 * root then the mount point is visible to the process.
4181 nch = mp->mnt_ncmountpt;
4183 if (nch.mount == p->p_fd->fd_nrdir.mount &&
4184 nch.ncp == p->p_fd->fd_nrdir.ncp) {
4187 if (nch.ncp == nch.mount->mnt_ncmountpt.ncp) {
4188 nch = nch.mount->mnt_ncmounton;
4190 nch.ncp = nch.ncp->nc_parent;
4195 * If the mount point is not visible to the process, but the
4196 * process root is in a subdirectory of the mount, return
4199 if (p->p_fd->fd_nrdir.mount == mp)
projects / dragonfly.git / blob