2 * Copyright (c) 2004 The DragonFly Project. All rights reserved.
4 * This code is derived from software contributed to The DragonFly Project
5 * by Matthew Dillon <dillon@backplane.com>
7 * Redistribution and use in source and binary forms, with or without
8 * modification, are permitted provided that the following conditions
11 * 1. Redistributions of source code must retain the above copyright
12 * notice, this list of conditions and the following disclaimer.
13 * 2. Redistributions in binary form must reproduce the above copyright
14 * notice, this list of conditions and the following disclaimer in
15 * the documentation and/or other materials provided with the
17 * 3. Neither the name of The DragonFly Project nor the names of its
18 * contributors may be used to endorse or promote products derived
19 * from this software without specific, prior written permission.
21 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
22 * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
23 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
24 * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
25 * COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
26 * INCIDENTAL, SPECIAL, EXEMPLARY OR CONSEQUENTIAL DAMAGES (INCLUDING,
27 * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
28 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED
29 * AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
30 * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT
31 * OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
35 * nlookup() is the 'new' namei interface. Rather then return directory and
36 * leaf vnodes (in various lock states) the new interface instead deals in
37 * namecache records. Namecache records may represent both a positive or
38 * a negative hit. The namespace is locked via the namecache record instead
39 * of via the vnode, and only the leaf namecache record (representing the
40 * filename) needs to be locked.
42 * This greatly improves filesystem parallelism and is a huge simplification
43 * of the API verses the old vnode locking / namei scheme.
45 * Filesystems must actively control the caching aspects of the namecache,
46 * and since namecache pointers are used as handles they are non-optional
47 * even for filesystems which do not generally wish to cache things. It is
48 * intended that a separate cache coherency API will be constructed to handle
52 #include "opt_ktrace.h"
54 #include <sys/param.h>
55 #include <sys/systm.h>
56 #include <sys/kernel.h>
57 #include <sys/vnode.h>
58 #include <sys/mount.h>
59 #include <sys/filedesc.h>
61 #include <sys/namei.h>
62 #include <sys/nlookup.h>
63 #include <sys/malloc.h>
65 #include <sys/objcache.h>
67 #include <sys/kcollect.h>
70 #include <sys/ktrace.h>
73 static int naccess(struct nchandle *nch, int vmode, struct ucred *cred,
77 * unmount operations flag NLC_IGNBADDIR in order to allow the
78 * umount to successfully issue a nlookup() on the path in order
79 * to extract the mount point. Allow certain errors through.
83 keeperror(struct nlookupdata *nd, int error)
86 if ((nd->nl_flags & NLC_IGNBADDIR) == 0 ||
87 (error != EIO && error != EBADRPC && error != ESTALE)) {
95 * Initialize a nlookup() structure, early error return for copyin faults
96 * or a degenerate empty string (which is not allowed).
98 * The first process proc0's credentials are used if the calling thread
99 * is not associated with a process context.
104 nlookup_init(struct nlookupdata *nd,
105 const char *path, enum uio_seg seg, int flags)
116 * note: the pathlen set by copy*str() includes the terminating \0.
118 bzero(nd, sizeof(struct nlookupdata));
119 nd->nl_path = objcache_get(namei_oc, M_WAITOK);
120 nd->nl_flags |= NLC_HASBUF;
121 if (seg == UIO_SYSSPACE)
122 error = copystr(path, nd->nl_path, MAXPATHLEN, &pathlen);
124 error = copyinstr(path, nd->nl_path, MAXPATHLEN, &pathlen);
127 * Don't allow empty pathnames.
128 * POSIX.1 requirement: "" is not a vaild file name.
130 if (error == 0 && pathlen <= 1)
135 cache_copy_ncdir(p, &nd->nl_nch);
136 cache_copy(&p->p_fd->fd_nrdir, &nd->nl_rootnch);
137 if (p->p_fd->fd_njdir.ncp)
138 cache_copy(&p->p_fd->fd_njdir, &nd->nl_jailnch);
139 nd->nl_cred = td->td_ucred;
140 nd->nl_flags |= NLC_BORROWCRED | NLC_NCDIR;
142 cache_copy(&rootnch, &nd->nl_nch);
143 cache_copy(&nd->nl_nch, &nd->nl_rootnch);
144 cache_copy(&nd->nl_nch, &nd->nl_jailnch);
145 nd->nl_cred = proc0.p_ucred;
146 nd->nl_flags |= NLC_BORROWCRED;
149 nd->nl_flags |= flags;
158 * nlookup_init() for "at" family of syscalls.
160 * Works similarly to nlookup_init() but if path is relative and fd is not
161 * AT_FDCWD, path is interpreted relative to the directory pointed to by fd.
162 * In this case, the file entry pointed to by fd is ref'ed and returned in
165 * If the call succeeds, nlookup_done_at() must be called to clean-up the nd
166 * and release the ref to the file entry.
169 nlookup_init_at(struct nlookupdata *nd, struct file **fpp, int fd,
170 const char *path, enum uio_seg seg, int flags)
172 struct thread *td = curthread;
179 if ((error = nlookup_init(nd, path, seg, flags)) != 0) {
183 if (nd->nl_path[0] != '/' && fd != AT_FDCWD) {
184 if ((error = holdvnode(td, fd, &fp)) != 0)
186 vp = (struct vnode*)fp->f_data;
187 if (vp->v_type != VDIR || fp->f_nchandle.ncp == NULL) {
193 if (nd->nl_flags & NLC_NCDIR) {
194 cache_drop_ncdir(&nd->nl_nch);
195 nd->nl_flags &= ~NLC_NCDIR;
197 cache_drop(&nd->nl_nch);
199 cache_copy(&fp->f_nchandle, &nd->nl_nch);
212 * This works similarly to nlookup_init() but does not assume a process
213 * context. rootnch is always chosen for the root directory and the cred
214 * and starting directory are supplied in arguments.
217 nlookup_init_raw(struct nlookupdata *nd,
218 const char *path, enum uio_seg seg, int flags,
219 struct ucred *cred, struct nchandle *ncstart)
227 bzero(nd, sizeof(struct nlookupdata));
228 nd->nl_path = objcache_get(namei_oc, M_WAITOK);
229 nd->nl_flags |= NLC_HASBUF;
230 if (seg == UIO_SYSSPACE)
231 error = copystr(path, nd->nl_path, MAXPATHLEN, &pathlen);
233 error = copyinstr(path, nd->nl_path, MAXPATHLEN, &pathlen);
236 * Don't allow empty pathnames.
237 * POSIX.1 requirement: "" is not a vaild file name.
239 if (error == 0 && pathlen <= 1)
243 cache_copy(ncstart, &nd->nl_nch);
244 cache_copy(&rootnch, &nd->nl_rootnch);
245 cache_copy(&rootnch, &nd->nl_jailnch);
246 nd->nl_cred = crhold(cred);
248 nd->nl_flags |= flags;
256 * This works similarly to nlookup_init_raw() but does not rely
257 * on rootnch being initialized yet.
260 nlookup_init_root(struct nlookupdata *nd,
261 const char *path, enum uio_seg seg, int flags,
262 struct ucred *cred, struct nchandle *ncstart,
263 struct nchandle *ncroot)
271 bzero(nd, sizeof(struct nlookupdata));
272 nd->nl_path = objcache_get(namei_oc, M_WAITOK);
273 nd->nl_flags |= NLC_HASBUF;
274 if (seg == UIO_SYSSPACE)
275 error = copystr(path, nd->nl_path, MAXPATHLEN, &pathlen);
277 error = copyinstr(path, nd->nl_path, MAXPATHLEN, &pathlen);
280 * Don't allow empty pathnames.
281 * POSIX.1 requirement: "" is not a vaild file name.
283 if (error == 0 && pathlen <= 1)
287 cache_copy(ncstart, &nd->nl_nch);
288 cache_copy(ncroot, &nd->nl_rootnch);
289 cache_copy(ncroot, &nd->nl_jailnch);
290 nd->nl_cred = crhold(cred);
292 nd->nl_flags |= flags;
301 * Set a different credential; this credential will be used by future
302 * operations performed on nd.nl_open_vp and nlookupdata structure.
305 nlookup_set_cred(struct nlookupdata *nd, struct ucred *cred)
307 KKASSERT(nd->nl_cred != NULL);
309 if (nd->nl_cred != cred) {
311 if ((nd->nl_flags & NLC_BORROWCRED) == 0)
313 nd->nl_flags &= ~NLC_BORROWCRED;
320 * Cleanup a nlookupdata structure after we are through with it. This may
321 * be called on any nlookupdata structure initialized with nlookup_init().
322 * Calling nlookup_done() is mandatory in all cases except where nlookup_init()
323 * returns an error, even if as a consumer you believe you have taken all
324 * dynamic elements out of the nlookupdata structure.
327 nlookup_done(struct nlookupdata *nd)
329 if (nd->nl_nch.ncp) {
330 if (nd->nl_flags & NLC_NCPISLOCKED) {
331 nd->nl_flags &= ~NLC_NCPISLOCKED;
332 cache_unlock(&nd->nl_nch);
334 if (nd->nl_flags & NLC_NCDIR) {
335 cache_drop_ncdir(&nd->nl_nch);
336 nd->nl_flags &= ~NLC_NCDIR;
338 cache_drop(&nd->nl_nch); /* NULL's out the nch */
341 if (nd->nl_rootnch.ncp)
342 cache_drop_and_cache(&nd->nl_rootnch);
343 if (nd->nl_jailnch.ncp)
344 cache_drop_and_cache(&nd->nl_jailnch);
345 if ((nd->nl_flags & NLC_HASBUF) && nd->nl_path) {
346 objcache_put(namei_oc, nd->nl_path);
350 if ((nd->nl_flags & NLC_BORROWCRED) == 0)
353 nd->nl_flags &= ~NLC_BORROWCRED;
355 if (nd->nl_open_vp) {
356 if (nd->nl_flags & NLC_LOCKVP) {
357 vn_unlock(nd->nl_open_vp);
358 nd->nl_flags &= ~NLC_LOCKVP;
360 vn_close(nd->nl_open_vp, nd->nl_vp_fmode, NULL);
361 nd->nl_open_vp = NULL;
367 nd->nl_flags = 0; /* clear remaining flags (just clear everything) */
371 * Works similarly to nlookup_done() when nd initialized with
375 nlookup_done_at(struct nlookupdata *nd, struct file *fp)
383 nlookup_zero(struct nlookupdata *nd)
385 bzero(nd, sizeof(struct nlookupdata));
389 * Simple all-in-one nlookup. Returns a locked namecache structure or NULL
390 * if an error occured.
392 * Note that the returned ncp is not checked for permissions, though VEXEC
393 * is checked on the directory path leading up to the result. The caller
394 * must call naccess() to check the permissions of the returned leaf.
397 nlookup_simple(const char *str, enum uio_seg seg,
398 int niflags, int *error)
400 struct nlookupdata nd;
403 *error = nlookup_init(&nd, str, seg, niflags);
405 if ((*error = nlookup(&nd)) == 0) {
406 nch = nd.nl_nch; /* keep hold ref from structure */
407 cache_zero(&nd.nl_nch); /* and NULL out */
419 * Returns non-zero if the path element is the last element
423 islastelement(const char *ptr)
431 * Returns non-zero if we need to lock the namecache element
432 * exclusively. Unless otherwise requested by NLC_SHAREDLOCK,
433 * the last element of the namecache lookup will be locked
436 * NOTE: Even if we return on-zero, an unresolved namecache record
437 * will always be locked exclusively.
441 wantsexcllock(struct nlookupdata *nd, const char *ptr)
443 if ((nd->nl_flags & NLC_SHAREDLOCK) == 0)
444 return(islastelement(ptr));
450 * Do a generic nlookup. Note that the passed nd is not nlookup_done()'d
451 * on return, even if an error occurs. If no error occurs or NLC_CREATE
452 * is flagged and ENOENT is returned, then the returned nl_nch is always
453 * referenced and locked exclusively.
455 * WARNING: For any general error other than ENOENT w/NLC_CREATE, the
456 * the resulting nl_nch may or may not be locked and if locked
457 * might be locked either shared or exclusive.
459 * Intermediate directory elements, including the current directory, require
460 * execute (search) permission. nlookup does not examine the access
461 * permissions on the returned element.
463 * If NLC_CREATE is set the last directory must allow node creation,
464 * and an error code of 0 will be returned for a non-existant
465 * target (not ENOENT).
467 * If NLC_RENAME_DST is set the last directory mut allow node deletion,
468 * plus the sticky check is made, and an error code of 0 will be returned
469 * for a non-existant target (not ENOENT).
471 * If NLC_DELETE is set the last directory mut allow node deletion,
472 * plus the sticky check is made.
474 * If NLC_REFDVP is set nd->nl_dvp will be set to the directory vnode
475 * of the returned entry. The vnode will be referenced, but not locked,
476 * and will be released by nlookup_done() along with everything else.
478 * NOTE: As an optimization we attempt to obtain a shared namecache lock
479 * on any intermediate elements. On success, the returned element
480 * is ALWAYS locked exclusively.
483 nlookup(struct nlookupdata *nd)
485 globaldata_t gd = mycpu;
486 struct nlcomponent nlc;
489 struct nchandle nctmp;
491 struct vnode *hvp; /* hold to prevent recyclement */
499 int saveflag = nd->nl_flags & ~NLC_NCDIR;
500 boolean_t doretry = FALSE;
501 boolean_t inretry = FALSE;
505 if (KTRPOINT(nd->nl_td, KTR_NAMEI))
506 ktrnamei(nd->nl_td->td_lwp, nd->nl_path);
508 bzero(&nlc, sizeof(nlc));
511 * Setup for the loop. The current working namecache element is
512 * always at least referenced. We lock it as required, but always
513 * return a locked, resolved namecache entry.
523 * Loop on the path components. At the top of the loop nd->nl_nch
524 * is ref'd and unlocked and represents our current position.
528 * Make sure nl_nch is locked so we can access the vnode, resolution
531 if ((nd->nl_flags & NLC_NCPISLOCKED) == 0) {
532 nd->nl_flags |= NLC_NCPISLOCKED;
533 cache_lock_maybe_shared(&nd->nl_nch, wantsexcllock(nd, ptr));
537 * Check if the root directory should replace the current
538 * directory. This is done at the start of a translation
539 * or after a symbolic link has been found. In other cases
540 * ptr will never be pointing at a '/'.
545 } while (*ptr == '/');
546 cache_unlock(&nd->nl_nch);
547 cache_get_maybe_shared(&nd->nl_rootnch, &nch,
548 wantsexcllock(nd, ptr));
549 if (nd->nl_flags & NLC_NCDIR) {
550 cache_drop_ncdir(&nd->nl_nch);
551 nd->nl_flags &= ~NLC_NCDIR;
553 cache_drop(&nd->nl_nch);
555 nd->nl_nch = nch; /* remains locked */
558 * Fast-track termination. There is no parent directory of
559 * the root in the same mount from the point of view of
560 * the caller so return EACCES if NLC_REFDVP is specified,
561 * and EEXIST if NLC_CREATE is also specified.
562 * e.g. 'rmdir /' or 'mkdir /' are not allowed.
565 if (nd->nl_flags & NLC_REFDVP)
566 error = (nd->nl_flags & NLC_CREATE) ? EEXIST : EACCES;
575 * Pre-calculate next path component so we can check whether the
576 * current component directory is the last directory in the path
579 for (nptr = ptr; *nptr && *nptr != '/'; ++nptr)
583 * Check directory search permissions (nd->nl_nch is locked & refd).
584 * This will load dflags to obtain directory-special permissions to
585 * be checked along with the last component.
587 * We only need to pass-in &dflags for the second-to-last component.
588 * Optimize by passing-in NULL for any prior components, which may
589 * allow the code to bypass the naccess() call.
593 error = naccess(&nd->nl_nch, NLC_EXEC, nd->nl_cred, NULL);
595 error = naccess(&nd->nl_nch, NLC_EXEC, nd->nl_cred, &dflags);
597 if (keeperror(nd, error))
603 * Extract the next (or last) path component. Path components are
604 * limited to 255 characters.
606 nlc.nlc_nameptr = ptr;
607 nlc.nlc_namelen = nptr - ptr;
609 if (nlc.nlc_namelen >= 256) {
610 error = ENAMETOOLONG;
615 * Lookup the path component in the cache, creating an unresolved
616 * entry if necessary. We have to handle "." and ".." as special
619 * When handling ".." we have to detect a traversal back through a
620 * mount point. If we are at the root, ".." just returns the root.
622 * When handling "." or ".." we also have to recalculate dflags
623 * since our dflags will be for some sub-directory instead of the
626 * This subsection returns a locked, refd 'nch' unless it errors out,
627 * and an unlocked but still ref'd nd->nl_nch.
629 * The namecache topology is not allowed to be disconnected, so
630 * encountering a NULL parent will generate EINVAL. This typically
631 * occurs when a directory is removed out from under a process.
633 * WARNING! The unlocking of nd->nl_nch is sensitive code.
635 KKASSERT(nd->nl_flags & NLC_NCPISLOCKED);
637 if (nlc.nlc_namelen == 1 && nlc.nlc_nameptr[0] == '.') {
638 cache_unlock(&nd->nl_nch);
639 nd->nl_flags &= ~NLC_NCPISLOCKED;
640 cache_get_maybe_shared(&nd->nl_nch, &nch, wantsexcllock(nd, ptr));
642 } else if (nlc.nlc_namelen == 2 &&
643 nlc.nlc_nameptr[0] == '.' && nlc.nlc_nameptr[1] == '.') {
644 if (nd->nl_nch.mount == nd->nl_rootnch.mount &&
645 nd->nl_nch.ncp == nd->nl_rootnch.ncp
648 * ".." at the root returns the root
650 cache_unlock(&nd->nl_nch);
651 nd->nl_flags &= ~NLC_NCPISLOCKED;
652 cache_get_maybe_shared(&nd->nl_nch, &nch,
653 wantsexcllock(nd, ptr));
656 * Locate the parent ncp. If we are at the root of a
657 * filesystem mount we have to skip to the mounted-on
658 * point in the underlying filesystem.
660 * Expect the parent to always be good since the
661 * mountpoint doesn't go away. XXX hack. cache_get()
662 * requires the ncp to already have a ref as a safety.
664 * However, a process which has been broken out of a chroot
665 * will wind up with a NULL parent if it tries to '..' above
666 * the real root, deal with the case. Note that this does
667 * not protect us from a jail breakout, it just stops a panic
668 * if the jail-broken process tries to '..' past the real
672 while (nctmp.ncp == nctmp.mount->mnt_ncmountpt.ncp) {
673 nctmp = nctmp.mount->mnt_ncmounton;
674 if (nctmp.ncp == NULL)
677 if (nctmp.ncp == NULL) {
678 if (curthread->td_proc) {
679 kprintf("vfs_nlookup: '..' traverse broke "
680 "jail: pid %d (%s)\n",
681 curthread->td_proc->p_pid,
684 nctmp = nd->nl_rootnch;
686 nctmp.ncp = nctmp.ncp->nc_parent;
689 cache_unlock(&nd->nl_nch);
690 nd->nl_flags &= ~NLC_NCPISLOCKED;
691 cache_get_maybe_shared(&nctmp, &nch, wantsexcllock(nd, ptr));
692 cache_drop(&nctmp); /* NOTE: zero's nctmp */
697 * Must unlock nl_nch when traversing down the path. However,
698 * the child ncp has not yet been found/created and the parent's
699 * child list might be empty. Thus releasing the lock can
700 * allow a race whereby the parent ncp's vnode is recycled.
701 * This case can occur especially when maxvnodes is set very low.
703 * We need the parent's ncp to remain resolved for all normal
704 * filesystem activities, so we vhold() the vp during the lookup
705 * to prevent recyclement due to vnlru / maxvnodes.
707 * If we race an unlink or rename the ncp might be marked
708 * DESTROYED after resolution, requiring a retry.
710 if ((hvp = nd->nl_nch.ncp->nc_vp) != NULL)
712 cache_unlock(&nd->nl_nch);
713 nd->nl_flags &= ~NLC_NCPISLOCKED;
714 error = cache_nlookup_maybe_shared(&nd->nl_nch, &nlc,
715 wantsexcllock(nd, ptr), &nch);
716 if (error == EWOULDBLOCK) {
717 nch = cache_nlookup(&nd->nl_nch, &nlc);
718 if (nch.ncp->nc_flag & NCF_UNRESOLVED)
721 error = cache_resolve(&nch, nd->nl_cred);
722 if (error != EAGAIN &&
723 (nch.ncp->nc_flag & NCF_DESTROYED) == 0) {
724 if (error == ESTALE) {
731 kprintf("[diagnostic] nlookup: relookup %*.*s\n",
732 nch.ncp->nc_nlen, nch.ncp->nc_nlen,
735 nch = cache_nlookup(&nd->nl_nch, &nlc);
744 * If the last component was "." or ".." our dflags no longer
745 * represents the parent directory and we have to explicitly
748 * Expect the parent to be good since nch is locked.
750 if (wasdotordotdot && error == 0) {
752 if ((par.ncp = nch.ncp->nc_parent) != NULL) {
753 par.mount = nch.mount;
755 cache_lock_maybe_shared(&par, wantsexcllock(nd, ptr));
756 error = naccess(&par, 0, nd->nl_cred, &dflags);
759 if (!keeperror(nd, error))
766 * [end of subsection]
768 * nch is locked and referenced.
769 * nd->nl_nch is unlocked and referenced.
771 * nl_nch must be unlocked or we could chain lock to the root
772 * if a resolve gets stuck (e.g. in NFS).
774 KKASSERT((nd->nl_flags & NLC_NCPISLOCKED) == 0);
777 * Resolve the namespace if necessary. The ncp returned by
778 * cache_nlookup() is referenced and locked.
780 * XXX neither '.' nor '..' should return EAGAIN since they were
781 * previously resolved and thus cannot be newly created ncp's.
783 if (nch.ncp->nc_flag & NCF_UNRESOLVED) {
785 error = cache_resolve(&nch, nd->nl_cred);
786 if (error == ESTALE) {
791 KKASSERT(error != EAGAIN);
793 error = nch.ncp->nc_error;
797 * Early completion. ENOENT is not an error if this is the last
798 * component and NLC_CREATE or NLC_RENAME (rename target) was
799 * requested. Note that ncp->nc_error is left as ENOENT in that
800 * case, which we check later on.
802 * Also handle invalid '.' or '..' components terminating a path
803 * for a create/rename/delete. The standard requires this and pax
804 * pretty stupidly depends on it.
806 if (islastelement(ptr)) {
807 if (error == ENOENT &&
808 (nd->nl_flags & (NLC_CREATE | NLC_RENAME_DST))
810 if (nd->nl_flags & NLC_NFS_RDONLY) {
813 error = naccess(&nch, nd->nl_flags | dflags,
817 if (error == 0 && wasdotordotdot &&
818 (nd->nl_flags & (NLC_CREATE | NLC_DELETE |
819 NLC_RENAME_SRC | NLC_RENAME_DST))) {
823 if (nd->nl_flags & NLC_CREATE)
825 else if (nd->nl_flags & NLC_DELETE)
826 error = (wasdotordotdot == 1) ? EINVAL : ENOTEMPTY;
833 * Early completion on error.
841 * If the element is a symlink and it is either not the last
842 * element or it is the last element and we are allowed to
843 * follow symlinks, resolve the symlink.
845 if ((nch.ncp->nc_flag & NCF_ISSYMLINK) &&
846 (*ptr || (nd->nl_flags & NLC_FOLLOW))
848 if (nd->nl_loopcnt++ >= MAXSYMLINKS) {
853 error = nreadsymlink(nd, &nch, &nlc);
859 * Concatenate trailing path elements onto the returned symlink.
860 * Note that if the path component (ptr) is not exhausted, it
861 * will being with a '/', so we do not have to add another one.
863 * The symlink may not be empty.
866 if (nlc.nlc_namelen == 0 || nlc.nlc_namelen + len >= MAXPATHLEN) {
867 error = nlc.nlc_namelen ? ENAMETOOLONG : ENOENT;
868 objcache_put(namei_oc, nlc.nlc_nameptr);
871 bcopy(ptr, nlc.nlc_nameptr + nlc.nlc_namelen, len + 1);
872 if (nd->nl_flags & NLC_HASBUF)
873 objcache_put(namei_oc, nd->nl_path);
874 nd->nl_path = nlc.nlc_nameptr;
875 nd->nl_flags |= NLC_HASBUF;
879 * Go back up to the top to resolve any initial '/'s in the
886 * If the element is a directory and we are crossing a mount point,
889 while ((nch.ncp->nc_flag & NCF_ISMOUNTPT) &&
890 (nd->nl_flags & NLC_NOCROSSMOUNT) == 0 &&
891 (mp = cache_findmount(&nch)) != NULL
897 * VFS must be busied before the namecache entry is locked,
898 * but we don't want to waste time calling vfs_busy() if the
899 * mount point is already resolved.
904 while (vfs_busy(mp, 0)) {
905 if (mp->mnt_kern_flag & MNTK_UNMOUNT) {
906 kprintf("nlookup: warning umount race avoided\n");
914 cache_get_maybe_shared(&mp->mnt_ncmountpt, &nch,
915 wantsexcllock(nd, ptr));
917 if (nch.ncp->nc_flag & NCF_UNRESOLVED) {
918 if (vfs_do_busy == 0) {
922 error = VFS_ROOT(mp, &tdp);
925 if (keeperror(nd, error)) {
930 cache_setvp(&nch, tdp);
939 if (keeperror(nd, error)) {
946 * Skip any slashes to get to the next element. If there
947 * are any slashes at all the current element must be a
948 * directory or, in the create case, intended to become a directory.
949 * If it isn't we break without incrementing ptr and fall through
950 * to the failure case below.
952 while (*ptr == '/') {
953 if ((nch.ncp->nc_flag & NCF_ISDIR) == 0 &&
954 !(nd->nl_flags & NLC_WILLBEDIR)
962 * Continuation case: additional elements and the current
963 * element is a directory.
965 if (*ptr && (nch.ncp->nc_flag & NCF_ISDIR)) {
966 if (nd->nl_flags & NLC_NCDIR) {
967 cache_drop_ncdir(&nd->nl_nch);
968 nd->nl_flags &= ~NLC_NCDIR;
970 cache_drop(&nd->nl_nch);
973 KKASSERT((nd->nl_flags & NLC_NCPISLOCKED) == 0);
979 * Failure case: additional elements and the current element
989 * Successful lookup of last element.
991 * Check permissions if the target exists. If the target does not
992 * exist directory permissions were already tested in the early
993 * completion code above.
995 * nd->nl_flags will be adjusted on return with NLC_APPENDONLY
996 * if the file is marked append-only, and NLC_STICKY if the directory
997 * containing the file is sticky.
999 if (nch.ncp->nc_vp && (nd->nl_flags & NLC_ALLCHKS)) {
1000 error = naccess(&nch, nd->nl_flags | dflags,
1002 if (keeperror(nd, error)) {
1009 * Termination: no more elements.
1011 * If NLC_REFDVP is set acquire a referenced parent dvp.
1013 if (nd->nl_flags & NLC_REFDVP) {
1014 cache_lock(&nd->nl_nch);
1015 error = cache_vref(&nd->nl_nch, nd->nl_cred, &nd->nl_dvp);
1016 cache_unlock(&nd->nl_nch);
1017 if (keeperror(nd, error)) {
1018 kprintf("NLC_REFDVP: Cannot ref dvp of %p\n", nch.ncp);
1023 if (nd->nl_flags & NLC_NCDIR) {
1024 cache_drop_ncdir(&nd->nl_nch);
1025 nd->nl_flags &= ~NLC_NCDIR;
1027 cache_drop(&nd->nl_nch);
1030 nd->nl_flags |= NLC_NCPISLOCKED;
1036 ++gd->gd_nchstats->ncs_longhits;
1038 ++gd->gd_nchstats->ncs_longmiss;
1040 if (nd->nl_flags & NLC_NCPISLOCKED)
1041 KKASSERT(cache_lockstatus(&nd->nl_nch) > 0);
1044 * Retry the whole thing if doretry flag is set, but only once.
1045 * autofs(5) may mount another filesystem under its root directory
1046 * while resolving a path.
1048 if (doretry && !inretry) {
1050 nd->nl_flags &= NLC_NCDIR;
1051 nd->nl_flags |= saveflag;
1056 * NOTE: If NLC_CREATE was set the ncp may represent a negative hit
1057 * (ncp->nc_error will be ENOENT), but we will still return an error
1064 * Resolve a mount point's glue ncp. This ncp connects creates the illusion
1065 * of continuity in the namecache tree by connecting the ncp related to the
1066 * vnode under the mount to the ncp related to the mount's root vnode.
1068 * If no error occured a locked, ref'd ncp is stored in *ncpp.
1071 nlookup_mp(struct mount *mp, struct nchandle *nch)
1077 cache_get(&mp->mnt_ncmountpt, nch);
1078 if (nch->ncp->nc_flag & NCF_UNRESOLVED) {
1079 while (vfs_busy(mp, 0))
1081 error = VFS_ROOT(mp, &vp);
1086 cache_setvp(nch, vp);
1094 * Read the contents of a symlink, allocate a path buffer out of the
1095 * namei_oc and initialize the supplied nlcomponent with the result.
1097 * If an error occurs no buffer will be allocated or returned in the nlc.
1100 nreadsymlink(struct nlookupdata *nd, struct nchandle *nch,
1101 struct nlcomponent *nlc)
1110 nlc->nlc_nameptr = NULL;
1111 nlc->nlc_namelen = 0;
1112 if (nch->ncp->nc_vp == NULL)
1114 if ((error = cache_vget(nch, nd->nl_cred, LK_SHARED, &vp)) != 0)
1116 cp = objcache_get(namei_oc, M_WAITOK);
1118 aiov.iov_len = MAXPATHLEN;
1119 auio.uio_iov = &aiov;
1120 auio.uio_iovcnt = 1;
1121 auio.uio_offset = 0;
1122 auio.uio_rw = UIO_READ;
1123 auio.uio_segflg = UIO_SYSSPACE;
1124 auio.uio_td = nd->nl_td;
1125 auio.uio_resid = MAXPATHLEN - 1;
1126 error = VOP_READLINK(vp, &auio, nd->nl_cred);
1129 linklen = MAXPATHLEN - 1 - auio.uio_resid;
1130 if (varsym_enable) {
1131 linklen = varsymreplace(cp, linklen, MAXPATHLEN - 1);
1133 error = ENAMETOOLONG;
1138 nlc->nlc_nameptr = cp;
1139 nlc->nlc_namelen = linklen;
1143 objcache_put(namei_oc, cp);
1149 * Check access [XXX cache vattr!] [XXX quota]
1151 * Generally check the NLC_* access bits. All specified bits must pass
1152 * for this function to return 0.
1154 * The file does not have to exist when checking NLC_CREATE or NLC_RENAME_DST
1155 * access, otherwise it must exist. No error is returned in this case.
1157 * The file must not exist if NLC_EXCL is specified.
1159 * Directory permissions in general are tested for NLC_CREATE if the file
1160 * does not exist, NLC_DELETE if the file does exist, and NLC_RENAME_DST
1161 * whether the file exists or not.
1163 * The directory sticky bit is tested for NLC_DELETE and NLC_RENAME_DST,
1164 * the latter is only tested if the target exists.
1166 * The passed ncp must be referenced and locked. If it is already resolved
1167 * it may be locked shared but otherwise should be locked exclusively.
1170 #define S_WXOK_MASK (S_IRUSR|S_IXUSR|S_IRGRP|S_IXGRP|S_IROTH|S_IXOTH)
1173 naccess(struct nchandle *nch, int nflags, struct ucred *cred, int *nflagsp)
1177 struct namecache *ncp;
1181 KKASSERT(cache_lockstatus(nch) > 0);
1184 if (ncp->nc_flag & NCF_UNRESOLVED) {
1185 cache_resolve(nch, cred);
1188 error = ncp->nc_error;
1191 * Directory permissions checks. Silently ignore ENOENT if these
1192 * tests pass. It isn't an error.
1194 * We can safely resolve ncp->nc_parent because ncp is currently
1197 if (nflags & (NLC_CREATE | NLC_DELETE | NLC_RENAME_SRC | NLC_RENAME_DST)) {
1198 if (((nflags & NLC_CREATE) && ncp->nc_vp == NULL) ||
1199 ((nflags & NLC_DELETE) && ncp->nc_vp != NULL) ||
1200 ((nflags & NLC_RENAME_SRC) && ncp->nc_vp != NULL) ||
1201 (nflags & NLC_RENAME_DST)
1203 struct nchandle par;
1205 if ((par.ncp = ncp->nc_parent) == NULL) {
1206 if (error != EAGAIN)
1208 } else if (error == 0 || error == ENOENT) {
1209 par.mount = nch->mount;
1211 cache_lock_maybe_shared(&par, 0);
1212 error = naccess(&par, NLC_WRITE, cred, NULL);
1219 * NLC_EXCL check. Target file must not exist.
1221 if (error == 0 && (nflags & NLC_EXCL) && ncp->nc_vp != NULL)
1225 * Try to short-cut the vnode operation for intermediate directory
1226 * components. This is a major SMP win because it avoids having
1227 * to execute a lot of code for intermediate directory components,
1228 * including shared refs and locks on intermediate directory vnodes.
1230 * We can only do this if the caller does not need nflagsp.
1232 if (error == 0 && nflagsp == NULL &&
1233 nflags == NLC_EXEC && (ncp->nc_flag & NCF_WXOK)) {
1238 * Get the vnode attributes so we can do the rest of our checks.
1240 * NOTE: We only call naccess_va() if the target exists.
1243 error = cache_vget(nch, cred, LK_SHARED, &vp);
1244 if (error == ENOENT) {
1246 * Silently zero-out ENOENT if creating or renaming
1247 * (rename target). It isn't an error.
1249 if (nflags & (NLC_CREATE | NLC_RENAME_DST))
1251 } else if (error == 0) {
1253 * Get the vnode attributes and check for illegal O_TRUNC
1254 * requests and read-only mounts.
1256 * NOTE: You can still open devices on read-only mounts for
1259 * NOTE: creates/deletes/renames are handled by the NLC_WRITE
1260 * check on the parent directory above.
1262 * XXX cache the va in the namecache or in the vnode
1264 error = VOP_GETATTR(vp, &va);
1265 if (error == 0 && (nflags & NLC_TRUNCATE)) {
1266 switch(va.va_type) {
1281 if (error == 0 && (nflags & NLC_WRITE) && vp->v_mount &&
1282 (vp->v_mount->mnt_flag & MNT_RDONLY)
1284 switch(va.va_type) {
1298 * Check permissions based on file attributes. The passed
1299 * flags (*nflagsp) are modified with feedback based on
1300 * special attributes and requirements.
1304 * Adjust the returned (*nflagsp) if non-NULL.
1307 if ((va.va_mode & VSVTX) && va.va_uid != cred->cr_uid)
1308 *nflagsp |= NLC_STICKY;
1309 if (va.va_flags & APPEND)
1310 *nflagsp |= NLC_APPENDONLY;
1311 if (va.va_flags & IMMUTABLE)
1312 *nflagsp |= NLC_IMMUTABLE;
1316 * NCF_WXOK can be set for world-searchable directories.
1318 * XXX When we implement capabilities this code would also
1319 * need a cap check, or only set the flag if there are no
1323 if (va.va_type == VDIR &&
1324 (va.va_mode & S_WXOK_MASK) == S_WXOK_MASK) {
1329 * Track swapcache management flags in the namecache.
1331 * Calculate the flags based on the current vattr info
1332 * and recalculate the inherited flags from the parent
1333 * (the original cache linkage may have occurred without
1334 * getattrs and thus have stale flags).
1336 if (va.va_flags & SF_NOCACHE)
1337 cflags |= NCF_SF_NOCACHE;
1338 if (va.va_flags & UF_CACHE)
1339 cflags |= NCF_UF_CACHE;
1340 if (ncp->nc_parent) {
1341 if (ncp->nc_parent->nc_flag &
1342 (NCF_SF_NOCACHE | NCF_SF_PNOCACHE)) {
1343 cflags |= NCF_SF_PNOCACHE;
1345 if (ncp->nc_parent->nc_flag &
1346 (NCF_UF_CACHE | NCF_UF_PCACHE)) {
1347 cflags |= NCF_UF_PCACHE;
1352 * We're not supposed to update nc_flag when holding a shared
1353 * lock, but we allow the case for certain flags. Note that
1354 * holding an exclusive lock allows updating nc_flag without
1355 * atomics. nc_flag is not allowe to be updated at all unless
1356 * a shared or exclusive lock is held.
1358 atomic_clear_short(&ncp->nc_flag,
1359 (NCF_SF_NOCACHE | NCF_UF_CACHE |
1360 NCF_SF_PNOCACHE | NCF_UF_PCACHE |
1361 NCF_WXOK) & ~cflags);
1362 atomic_set_short(&ncp->nc_flag, cflags);
1365 * Process general access.
1367 error = naccess_va(&va, nflags, cred);
1375 * Check the requested access against the given vattr using cred.
1378 naccess_va(struct vattr *va, int nflags, struct ucred *cred)
1384 * Test the immutable bit. Creations, deletions, renames (source
1385 * or destination) are not allowed. chown/chmod/other is also not
1386 * allowed but is handled by SETATTR. Hardlinks to the immutable
1389 * If the directory is set to immutable then creations, deletions,
1390 * renames (source or dest) and hardlinks to files within the directory
1391 * are not allowed, and regular files opened through the directory may
1392 * not be written to or truncated (unless a special device).
1394 * NOTE! New hardlinks to immutable files work but new hardlinks to
1395 * files, immutable or not, sitting inside an immutable directory are
1396 * not allowed. As always if the file is hardlinked via some other
1397 * path additional hardlinks may be possible even if the file is marked
1398 * immutable. The sysop needs to create a closure by checking the hard
1399 * link count. Once closure is achieved you are good, and security
1400 * scripts should check link counts anyway.
1402 * Writes and truncations are only allowed on special devices.
1404 if ((va->va_flags & IMMUTABLE) || (nflags & NLC_IMMUTABLE)) {
1405 if ((nflags & NLC_IMMUTABLE) && (nflags & NLC_HLINK))
1407 if (nflags & (NLC_CREATE | NLC_DELETE |
1408 NLC_RENAME_SRC | NLC_RENAME_DST)) {
1411 if (nflags & (NLC_WRITE | NLC_TRUNCATE)) {
1412 switch(va->va_type) {
1426 * Test the no-unlink and append-only bits for opens, rename targets,
1427 * and deletions. These bits are not tested for creations or
1430 * Unlike FreeBSD we allow a file with APPEND set to be renamed.
1431 * If you do not wish this you must also set NOUNLINK.
1433 * If the governing directory is marked APPEND-only it implies
1434 * NOUNLINK for all entries in the directory.
1436 if (((va->va_flags & NOUNLINK) || (nflags & NLC_APPENDONLY)) &&
1437 (nflags & (NLC_DELETE | NLC_RENAME_SRC | NLC_RENAME_DST))
1443 * A file marked append-only may not be deleted but can be renamed.
1445 if ((va->va_flags & APPEND) &&
1446 (nflags & (NLC_DELETE | NLC_RENAME_DST))
1452 * A file marked append-only which is opened for writing must also
1453 * be opened O_APPEND.
1455 if ((va->va_flags & APPEND) && (nflags & (NLC_OPEN | NLC_TRUNCATE))) {
1456 if (nflags & NLC_TRUNCATE)
1458 if ((nflags & (NLC_OPEN | NLC_WRITE)) == (NLC_OPEN | NLC_WRITE)) {
1459 if ((nflags & NLC_APPEND) == 0)
1465 * root gets universal access
1467 if (cred->cr_uid == 0)
1471 * Check owner perms.
1473 * If NLC_OWN is set the owner of the file is allowed no matter when
1474 * the owner-mode bits say (utimes).
1477 if (nflags & NLC_READ)
1479 if (nflags & NLC_WRITE)
1481 if (nflags & NLC_EXEC)
1484 if (cred->cr_uid == va->va_uid) {
1485 if ((nflags & NLC_OWN) == 0) {
1486 if ((vmode & va->va_mode) != vmode)
1493 * If NLC_STICKY is set only the owner may delete or rename a file.
1494 * This bit is typically set on /tmp.
1496 * Note that the NLC_READ/WRITE/EXEC bits are not typically set in
1497 * the specific delete or rename case. For deletions and renames we
1498 * usually just care about directory permissions, not file permissions.
1500 if ((nflags & NLC_STICKY) &&
1501 (nflags & (NLC_RENAME_SRC | NLC_RENAME_DST | NLC_DELETE))) {
1509 for (i = 0; i < cred->cr_ngroups; ++i) {
1510 if (va->va_gid == cred->cr_groups[i]) {
1511 if ((vmode & va->va_mode) != vmode)
1521 if ((vmode & va->va_mode) != vmode)
1527 * Long-term (10-second interval) statistics collection
1531 collect_nlookup_callback(int n)
1533 static uint64_t last_total;
1538 for (n = 0; n < ncpus; ++n) {
1539 globaldata_t gd = globaldata_find(n);
1540 struct nchstats *sp;
1542 if ((sp = gd->gd_nchstats) != NULL)
1543 total += sp->ncs_longhits + sp->ncs_longmiss;
1546 total = total - last_total;
1554 nlookup_collect_init(void *dummy __unused)
1556 kcollect_register(KCOLLECT_NLOOKUP, "nlookup", collect_nlookup_callback,
1557 KCOLLECT_SCALE(KCOLLECT_NLOOKUP_FORMAT, 0));
1559 SYSINIT(collect_nlookup, SI_SUB_PROP, SI_ORDER_ANY, nlookup_collect_init, 0);