Commit | Line | Data |
---|---|---|
690a3127 MD |
1 | /* |
2 | * Copyright (c) 2004 The DragonFly Project. All rights reserved. | |
3 | * | |
4 | * This code is derived from software contributed to The DragonFly Project | |
5 | * by Matthew Dillon <dillon@backplane.com> | |
6 | * | |
7 | * Redistribution and use in source and binary forms, with or without | |
8 | * modification, are permitted provided that the following conditions | |
9 | * are met: | |
10 | * | |
11 | * 1. Redistributions of source code must retain the above copyright | |
12 | * notice, this list of conditions and the following disclaimer. | |
13 | * 2. Redistributions in binary form must reproduce the above copyright | |
14 | * notice, this list of conditions and the following disclaimer in | |
15 | * the documentation and/or other materials provided with the | |
16 | * distribution. | |
17 | * 3. Neither the name of The DragonFly Project nor the names of its | |
18 | * contributors may be used to endorse or promote products derived | |
19 | * from this software without specific, prior written permission. | |
20 | * | |
21 | * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS | |
22 | * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT | |
23 | * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS | |
24 | * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE | |
25 | * COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, | |
26 | * INCIDENTAL, SPECIAL, EXEMPLARY OR CONSEQUENTIAL DAMAGES (INCLUDING, | |
27 | * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; | |
28 | * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED | |
29 | * AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, | |
30 | * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT | |
31 | * OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF | |
32 | * SUCH DAMAGE. | |
690a3127 MD |
33 | */ |
34 | /* | |
35 | * nlookup() is the 'new' namei interface. Rather then return directory and | |
36 | * leaf vnodes (in various lock states) the new interface instead deals in | |
37 | * namecache records. Namecache records may represent both a positive or | |
38 | * a negative hit. The namespace is locked via the namecache record instead | |
39 | * of via the vnode, and only the leaf namecache record (representing the | |
40 | * filename) needs to be locked. | |
41 | * | |
42 | * This greatly improves filesystem parallelism and is a huge simplification | |
43 | * of the API verses the old vnode locking / namei scheme. | |
44 | * | |
45 | * Filesystems must actively control the caching aspects of the namecache, | |
46 | * and since namecache pointers are used as handles they are non-optional | |
47 | * even for filesystems which do not generally wish to cache things. It is | |
48 | * intended that a separate cache coherency API will be constructed to handle | |
49 | * these issues. | |
50 | */ | |
51 | ||
52 | #include "opt_ktrace.h" | |
53 | ||
54 | #include <sys/param.h> | |
55 | #include <sys/systm.h> | |
56 | #include <sys/kernel.h> | |
57 | #include <sys/vnode.h> | |
58 | #include <sys/mount.h> | |
59 | #include <sys/filedesc.h> | |
60 | #include <sys/proc.h> | |
61 | #include <sys/namei.h> | |
62 | #include <sys/nlookup.h> | |
63 | #include <sys/malloc.h> | |
21739618 | 64 | #include <sys/stat.h> |
70aac194 | 65 | #include <sys/objcache.h> |
1db695af | 66 | #include <sys/file.h> |
690a3127 MD |
67 | |
68 | #ifdef KTRACE | |
69 | #include <sys/ktrace.h> | |
70 | #endif | |
71 | ||
e9b56058 | 72 | static int naccess(struct nchandle *nch, int vmode, struct ucred *cred, |
aabd5ce8 | 73 | int *stickyp); |
e9b56058 | 74 | |
690a3127 MD |
75 | /* |
76 | * Initialize a nlookup() structure, early error return for copyin faults | |
77 | * or a degenerate empty string (which is not allowed). | |
1f95166e HP |
78 | * |
79 | * The first process proc0's credentials are used if the calling thread | |
80 | * is not associated with a process context. | |
61f96b6f MD |
81 | * |
82 | * MPSAFE | |
690a3127 MD |
83 | */ |
84 | int | |
21739618 MD |
85 | nlookup_init(struct nlookupdata *nd, |
86 | const char *path, enum uio_seg seg, int flags) | |
690a3127 MD |
87 | { |
88 | size_t pathlen; | |
89 | struct proc *p; | |
90 | thread_t td; | |
91 | int error; | |
92 | ||
93 | td = curthread; | |
94 | p = td->td_proc; | |
95 | ||
96 | /* | |
97 | * note: the pathlen set by copy*str() includes the terminating \0. | |
98 | */ | |
99 | bzero(nd, sizeof(struct nlookupdata)); | |
70aac194 | 100 | nd->nl_path = objcache_get(namei_oc, M_WAITOK); |
690a3127 MD |
101 | nd->nl_flags |= NLC_HASBUF; |
102 | if (seg == UIO_SYSSPACE) | |
103 | error = copystr(path, nd->nl_path, MAXPATHLEN, &pathlen); | |
104 | else | |
105 | error = copyinstr(path, nd->nl_path, MAXPATHLEN, &pathlen); | |
106 | ||
107 | /* | |
108 | * Don't allow empty pathnames. | |
109 | * POSIX.1 requirement: "" is not a vaild file name. | |
110 | */ | |
111 | if (error == 0 && pathlen <= 1) | |
112 | error = ENOENT; | |
113 | ||
114 | if (error == 0) { | |
21739618 | 115 | if (p && p->p_fd) { |
28623bf9 MD |
116 | cache_copy(&p->p_fd->fd_ncdir, &nd->nl_nch); |
117 | cache_copy(&p->p_fd->fd_nrdir, &nd->nl_rootnch); | |
118 | if (p->p_fd->fd_njdir.ncp) | |
119 | cache_copy(&p->p_fd->fd_njdir, &nd->nl_jailnch); | |
21739618 | 120 | nd->nl_cred = crhold(p->p_ucred); |
690a3127 | 121 | } else { |
28623bf9 MD |
122 | cache_copy(&rootnch, &nd->nl_nch); |
123 | cache_copy(&nd->nl_nch, &nd->nl_rootnch); | |
124 | cache_copy(&nd->nl_nch, &nd->nl_jailnch); | |
21739618 | 125 | nd->nl_cred = crhold(proc0.p_ucred); |
690a3127 MD |
126 | } |
127 | nd->nl_td = td; | |
690a3127 MD |
128 | nd->nl_flags |= flags; |
129 | } else { | |
130 | nlookup_done(nd); | |
131 | } | |
132 | return(error); | |
133 | } | |
134 | ||
1db695af NT |
135 | |
136 | /* | |
137 | * nlookup_init() for "at" family of syscalls. | |
138 | * | |
139 | * Works similarly to nlookup_init() but if path is relative and fd is not | |
140 | * AT_FDCWD, path is interpreted relative to the directory pointed to by fd. | |
141 | * In this case, the file entry pointed to by fd is ref'ed and returned in | |
142 | * *fpp. | |
143 | * | |
144 | * If the call succeeds, nlookup_done_at() must be called to clean-up the nd | |
145 | * and release the ref to the file entry. | |
146 | */ | |
147 | int | |
148 | nlookup_init_at(struct nlookupdata *nd, struct file **fpp, int fd, | |
149 | const char *path, enum uio_seg seg, int flags) | |
150 | { | |
151 | struct thread *td = curthread; | |
152 | struct proc *p = td->td_proc; | |
153 | struct file* fp; | |
154 | struct vnode *vp; | |
155 | int error; | |
156 | ||
157 | *fpp = NULL; | |
158 | ||
159 | if ((error = nlookup_init(nd, path, seg, flags)) != 0) { | |
160 | return (error); | |
161 | } | |
162 | ||
163 | if (nd->nl_path[0] != '/' && fd != AT_FDCWD) { | |
164 | if ((error = holdvnode(p->p_fd, fd, &fp)) != 0) | |
165 | goto done; | |
166 | vp = (struct vnode*)fp->f_data; | |
167 | if (vp->v_type != VDIR || fp->f_nchandle.ncp == NULL) { | |
168 | fdrop(fp); | |
169 | fp = NULL; | |
170 | error = ENOTDIR; | |
171 | goto done; | |
172 | } | |
173 | cache_drop(&nd->nl_nch); | |
174 | cache_copy(&fp->f_nchandle, &nd->nl_nch); | |
175 | *fpp = fp; | |
176 | } | |
177 | ||
178 | ||
179 | done: | |
180 | if (error) | |
181 | nlookup_done(nd); | |
182 | return (error); | |
183 | ||
184 | } | |
185 | ||
fad57d0e MD |
186 | /* |
187 | * This works similarly to nlookup_init() but does not assume a process | |
28623bf9 | 188 | * context. rootnch is always chosen for the root directory and the cred |
fad57d0e MD |
189 | * and starting directory are supplied in arguments. |
190 | */ | |
191 | int | |
192 | nlookup_init_raw(struct nlookupdata *nd, | |
193 | const char *path, enum uio_seg seg, int flags, | |
28623bf9 | 194 | struct ucred *cred, struct nchandle *ncstart) |
fad57d0e MD |
195 | { |
196 | size_t pathlen; | |
197 | thread_t td; | |
198 | int error; | |
199 | ||
200 | td = curthread; | |
201 | ||
202 | bzero(nd, sizeof(struct nlookupdata)); | |
70aac194 | 203 | nd->nl_path = objcache_get(namei_oc, M_WAITOK); |
fad57d0e MD |
204 | nd->nl_flags |= NLC_HASBUF; |
205 | if (seg == UIO_SYSSPACE) | |
206 | error = copystr(path, nd->nl_path, MAXPATHLEN, &pathlen); | |
207 | else | |
208 | error = copyinstr(path, nd->nl_path, MAXPATHLEN, &pathlen); | |
209 | ||
210 | /* | |
211 | * Don't allow empty pathnames. | |
212 | * POSIX.1 requirement: "" is not a vaild file name. | |
213 | */ | |
214 | if (error == 0 && pathlen <= 1) | |
215 | error = ENOENT; | |
216 | ||
217 | if (error == 0) { | |
28623bf9 MD |
218 | cache_copy(ncstart, &nd->nl_nch); |
219 | cache_copy(&rootnch, &nd->nl_rootnch); | |
220 | cache_copy(&rootnch, &nd->nl_jailnch); | |
fad57d0e MD |
221 | nd->nl_cred = crhold(cred); |
222 | nd->nl_td = td; | |
223 | nd->nl_flags |= flags; | |
224 | } else { | |
225 | nlookup_done(nd); | |
226 | } | |
227 | return(error); | |
228 | } | |
229 | ||
46077e84 AH |
230 | /* |
231 | * This works similarly to nlookup_init_raw() but does not rely | |
232 | * on rootnch being initialized yet. | |
233 | */ | |
234 | int | |
235 | nlookup_init_root(struct nlookupdata *nd, | |
236 | const char *path, enum uio_seg seg, int flags, | |
237 | struct ucred *cred, struct nchandle *ncstart, | |
238 | struct nchandle *ncroot) | |
239 | { | |
240 | size_t pathlen; | |
241 | thread_t td; | |
242 | int error; | |
243 | ||
244 | td = curthread; | |
245 | ||
246 | bzero(nd, sizeof(struct nlookupdata)); | |
247 | nd->nl_path = objcache_get(namei_oc, M_WAITOK); | |
248 | nd->nl_flags |= NLC_HASBUF; | |
249 | if (seg == UIO_SYSSPACE) | |
250 | error = copystr(path, nd->nl_path, MAXPATHLEN, &pathlen); | |
251 | else | |
252 | error = copyinstr(path, nd->nl_path, MAXPATHLEN, &pathlen); | |
253 | ||
254 | /* | |
255 | * Don't allow empty pathnames. | |
256 | * POSIX.1 requirement: "" is not a vaild file name. | |
257 | */ | |
258 | if (error == 0 && pathlen <= 1) | |
259 | error = ENOENT; | |
260 | ||
261 | if (error == 0) { | |
262 | cache_copy(ncstart, &nd->nl_nch); | |
263 | cache_copy(ncroot, &nd->nl_rootnch); | |
264 | cache_copy(ncroot, &nd->nl_jailnch); | |
265 | nd->nl_cred = crhold(cred); | |
266 | nd->nl_td = td; | |
267 | nd->nl_flags |= flags; | |
268 | } else { | |
269 | nlookup_done(nd); | |
270 | } | |
271 | return(error); | |
272 | } | |
273 | ||
1f95166e HP |
274 | /* |
275 | * Set a different credential; this credential will be used by future | |
276 | * operations performed on nd.nl_open_vp and nlookupdata structure. | |
277 | */ | |
278 | void | |
279 | nlookup_set_cred(struct nlookupdata *nd, struct ucred *cred) | |
280 | { | |
281 | KKASSERT(nd->nl_cred != NULL); | |
282 | ||
283 | if (nd->nl_cred != cred) { | |
284 | cred = crhold(cred); | |
285 | crfree(nd->nl_cred); | |
286 | nd->nl_cred = cred; | |
287 | } | |
288 | } | |
289 | ||
690a3127 | 290 | /* |
21739618 MD |
291 | * Cleanup a nlookupdata structure after we are through with it. This may |
292 | * be called on any nlookupdata structure initialized with nlookup_init(). | |
293 | * Calling nlookup_done() is mandatory in all cases except where nlookup_init() | |
294 | * returns an error, even if as a consumer you believe you have taken all | |
295 | * dynamic elements out of the nlookupdata structure. | |
690a3127 MD |
296 | */ |
297 | void | |
298 | nlookup_done(struct nlookupdata *nd) | |
299 | { | |
28623bf9 | 300 | if (nd->nl_nch.ncp) { |
21739618 MD |
301 | if (nd->nl_flags & NLC_NCPISLOCKED) { |
302 | nd->nl_flags &= ~NLC_NCPISLOCKED; | |
28623bf9 | 303 | cache_unlock(&nd->nl_nch); |
21739618 | 304 | } |
2247fe02 | 305 | cache_drop(&nd->nl_nch); /* NULL's out the nch */ |
690a3127 | 306 | } |
28623bf9 MD |
307 | if (nd->nl_rootnch.ncp) |
308 | cache_drop(&nd->nl_rootnch); | |
309 | if (nd->nl_jailnch.ncp) | |
310 | cache_drop(&nd->nl_jailnch); | |
690a3127 | 311 | if ((nd->nl_flags & NLC_HASBUF) && nd->nl_path) { |
70aac194 | 312 | objcache_put(namei_oc, nd->nl_path); |
690a3127 MD |
313 | nd->nl_path = NULL; |
314 | } | |
315 | if (nd->nl_cred) { | |
316 | crfree(nd->nl_cred); | |
317 | nd->nl_cred = NULL; | |
318 | } | |
fad57d0e MD |
319 | if (nd->nl_open_vp) { |
320 | if (nd->nl_flags & NLC_LOCKVP) { | |
a11aaa81 | 321 | vn_unlock(nd->nl_open_vp); |
fad57d0e MD |
322 | nd->nl_flags &= ~NLC_LOCKVP; |
323 | } | |
3596743e | 324 | vn_close(nd->nl_open_vp, nd->nl_vp_fmode, NULL); |
fad57d0e MD |
325 | nd->nl_open_vp = NULL; |
326 | } | |
5312fa43 MD |
327 | if (nd->nl_dvp) { |
328 | vrele(nd->nl_dvp); | |
329 | nd->nl_dvp = NULL; | |
330 | } | |
fad57d0e MD |
331 | nd->nl_flags = 0; /* clear remaining flags (just clear everything) */ |
332 | } | |
333 | ||
1db695af NT |
334 | /* |
335 | * Works similarly to nlookup_done() when nd initialized with | |
336 | * nlookup_init_at(). | |
337 | */ | |
338 | void | |
339 | nlookup_done_at(struct nlookupdata *nd, struct file *fp) | |
340 | { | |
341 | nlookup_done(nd); | |
342 | if (fp != NULL) | |
343 | fdrop(fp); | |
344 | } | |
345 | ||
fad57d0e MD |
346 | void |
347 | nlookup_zero(struct nlookupdata *nd) | |
348 | { | |
2247fe02 | 349 | bzero(nd, sizeof(struct nlookupdata)); |
690a3127 MD |
350 | } |
351 | ||
352 | /* | |
21739618 MD |
353 | * Simple all-in-one nlookup. Returns a locked namecache structure or NULL |
354 | * if an error occured. | |
355 | * | |
356 | * Note that the returned ncp is not checked for permissions, though VEXEC | |
357 | * is checked on the directory path leading up to the result. The caller | |
358 | * must call naccess() to check the permissions of the returned leaf. | |
690a3127 | 359 | */ |
28623bf9 | 360 | struct nchandle |
21739618 MD |
361 | nlookup_simple(const char *str, enum uio_seg seg, |
362 | int niflags, int *error) | |
690a3127 MD |
363 | { |
364 | struct nlookupdata nd; | |
28623bf9 | 365 | struct nchandle nch; |
690a3127 MD |
366 | |
367 | *error = nlookup_init(&nd, str, seg, niflags); | |
368 | if (*error == 0) { | |
21739618 | 369 | if ((*error = nlookup(&nd)) == 0) { |
28623bf9 MD |
370 | nch = nd.nl_nch; /* keep hold ref from structure */ |
371 | cache_zero(&nd.nl_nch); /* and NULL out */ | |
21739618 | 372 | } else { |
28623bf9 | 373 | cache_zero(&nch); |
21739618 | 374 | } |
690a3127 MD |
375 | nlookup_done(&nd); |
376 | } else { | |
28623bf9 | 377 | cache_zero(&nch); |
690a3127 | 378 | } |
28623bf9 | 379 | return(nch); |
690a3127 MD |
380 | } |
381 | ||
12cdc371 MD |
382 | /* |
383 | * Returns non-zero if the path element is the last element | |
384 | */ | |
385 | static | |
386 | int | |
387 | islastelement(const char *ptr) | |
388 | { | |
389 | while (*ptr == '/') | |
390 | ++ptr; | |
391 | return (*ptr == 0); | |
392 | } | |
393 | ||
394 | /* | |
395 | * Returns non-zero if we need to lock the namecache element | |
396 | * exclusively. Unless otherwise requested by NLC_SHAREDLOCK, | |
397 | * the last element of the namecache lookup will be locked | |
398 | * exclusively. | |
399 | * | |
400 | * NOTE: Even if we return on-zero, an unresolved namecache record | |
401 | * will always be locked exclusively. | |
402 | */ | |
403 | static __inline | |
404 | int | |
405 | wantsexcllock(struct nlookupdata *nd, const char *ptr) | |
406 | { | |
407 | if ((nd->nl_flags & NLC_SHAREDLOCK) == 0) | |
408 | return(islastelement(ptr)); | |
409 | return(0); | |
410 | } | |
411 | ||
412 | ||
690a3127 MD |
413 | /* |
414 | * Do a generic nlookup. Note that the passed nd is not nlookup_done()'d | |
cd87afb1 MD |
415 | * on return, even if an error occurs. If no error occurs or NLC_CREATE |
416 | * is flagged and ENOENT is returned, then the returned nl_nch is always | |
417 | * referenced and locked exclusively. | |
418 | * | |
419 | * WARNING: For any general error other than ENOENT w/NLC_CREATE, the | |
420 | * the resulting nl_nch may or may not be locked and if locked | |
421 | * might be locked either shared or exclusive. | |
21739618 MD |
422 | * |
423 | * Intermediate directory elements, including the current directory, require | |
424 | * execute (search) permission. nlookup does not examine the access | |
425 | * permissions on the returned element. | |
fad57d0e | 426 | * |
945b476a MD |
427 | * If NLC_CREATE is set the last directory must allow node creation, |
428 | * and an error code of 0 will be returned for a non-existant | |
429 | * target (not ENOENT). | |
430 | * | |
3a907475 | 431 | * If NLC_RENAME_DST is set the last directory mut allow node deletion, |
945b476a | 432 | * plus the sticky check is made, and an error code of 0 will be returned |
3a907475 | 433 | * for a non-existant target (not ENOENT). |
945b476a MD |
434 | * |
435 | * If NLC_DELETE is set the last directory mut allow node deletion, | |
436 | * plus the sticky check is made. | |
5312fa43 MD |
437 | * |
438 | * If NLC_REFDVP is set nd->nl_dvp will be set to the directory vnode | |
439 | * of the returned entry. The vnode will be referenced, but not locked, | |
440 | * and will be released by nlookup_done() along with everything else. | |
79fd1696 MD |
441 | * |
442 | * NOTE: As an optimization we attempt to obtain a shared namecache lock | |
443 | * on any intermediate elements. On success, the returned element | |
444 | * is ALWAYS locked exclusively. | |
690a3127 MD |
445 | */ |
446 | int | |
447 | nlookup(struct nlookupdata *nd) | |
448 | { | |
5a9972aa | 449 | globaldata_t gd = mycpu; |
690a3127 | 450 | struct nlcomponent nlc; |
28623bf9 | 451 | struct nchandle nch; |
3a907475 | 452 | struct nchandle par; |
f63911bf | 453 | struct nchandle nctmp; |
28623bf9 | 454 | struct mount *mp; |
7222030f | 455 | struct vnode *hvp; /* hold to prevent recyclement */ |
f4d4e93a | 456 | int wasdotordotdot; |
690a3127 MD |
457 | char *ptr; |
458 | int error; | |
459 | int len; | |
3a907475 | 460 | int dflags; |
5a9972aa | 461 | int hit = 1; |
690a3127 MD |
462 | |
463 | #ifdef KTRACE | |
464 | if (KTRPOINT(nd->nl_td, KTR_NAMEI)) | |
9fb04d14 | 465 | ktrnamei(nd->nl_td->td_lwp, nd->nl_path); |
690a3127 MD |
466 | #endif |
467 | bzero(&nlc, sizeof(nlc)); | |
468 | ||
469 | /* | |
2247fe02 MD |
470 | * Setup for the loop. The current working namecache element is |
471 | * always at least referenced. We lock it as required, but always | |
472 | * return a locked, resolved namecache entry. | |
690a3127 MD |
473 | */ |
474 | nd->nl_loopcnt = 0; | |
2247fe02 | 475 | if (nd->nl_dvp) { |
5312fa43 MD |
476 | vrele(nd->nl_dvp); |
477 | nd->nl_dvp = NULL; | |
478 | } | |
690a3127 MD |
479 | ptr = nd->nl_path; |
480 | ||
481 | /* | |
28623bf9 | 482 | * Loop on the path components. At the top of the loop nd->nl_nch |
524c845c | 483 | * is ref'd and unlocked and represents our current position. |
690a3127 MD |
484 | */ |
485 | for (;;) { | |
2247fe02 MD |
486 | /* |
487 | * Make sure nl_nch is locked so we can access the vnode, resolution | |
488 | * state, etc. | |
489 | */ | |
490 | if ((nd->nl_flags & NLC_NCPISLOCKED) == 0) { | |
491 | nd->nl_flags |= NLC_NCPISLOCKED; | |
12cdc371 | 492 | cache_lock_maybe_shared(&nd->nl_nch, wantsexcllock(nd, ptr)); |
2247fe02 MD |
493 | } |
494 | ||
690a3127 MD |
495 | /* |
496 | * Check if the root directory should replace the current | |
497 | * directory. This is done at the start of a translation | |
498 | * or after a symbolic link has been found. In other cases | |
499 | * ptr will never be pointing at a '/'. | |
500 | */ | |
501 | if (*ptr == '/') { | |
502 | do { | |
503 | ++ptr; | |
504 | } while (*ptr == '/'); | |
79fd1696 MD |
505 | cache_unlock(&nd->nl_nch); |
506 | cache_get_maybe_shared(&nd->nl_rootnch, &nch, | |
12cdc371 | 507 | wantsexcllock(nd, ptr)); |
79fd1696 | 508 | cache_drop(&nd->nl_nch); |
2247fe02 | 509 | nd->nl_nch = nch; /* remains locked */ |
5312fa43 MD |
510 | |
511 | /* | |
512 | * Fast-track termination. There is no parent directory of | |
513 | * the root in the same mount from the point of view of | |
1acebc70 | 514 | * the caller so return EACCES if NLC_REFDVP is specified, |
515 | * and EEXIST if NLC_CREATE is also specified. | |
516 | * e.g. 'rmdir /' or 'mkdir /' are not allowed. | |
5312fa43 | 517 | */ |
21739618 | 518 | if (*ptr == 0) { |
2247fe02 | 519 | if (nd->nl_flags & NLC_REFDVP) |
1acebc70 | 520 | error = (nd->nl_flags & NLC_CREATE) ? EEXIST : EACCES; |
2247fe02 | 521 | else |
5312fa43 | 522 | error = 0; |
21739618 MD |
523 | break; |
524 | } | |
690a3127 MD |
525 | continue; |
526 | } | |
527 | ||
21739618 | 528 | /* |
79fd1696 | 529 | * Check directory search permissions (nd->nl_nch is locked & refd) |
21739618 | 530 | */ |
3a907475 | 531 | dflags = 0; |
aabd5ce8 | 532 | error = naccess(&nd->nl_nch, NLC_EXEC, nd->nl_cred, &dflags); |
e9b56058 | 533 | if (error) |
21739618 MD |
534 | break; |
535 | ||
690a3127 | 536 | /* |
d7c75c7a MD |
537 | * Extract the path component. Path components are limited to |
538 | * 255 characters. | |
690a3127 MD |
539 | */ |
540 | nlc.nlc_nameptr = ptr; | |
541 | while (*ptr && *ptr != '/') | |
542 | ++ptr; | |
543 | nlc.nlc_namelen = ptr - nlc.nlc_nameptr; | |
d7c75c7a MD |
544 | if (nlc.nlc_namelen >= 256) { |
545 | error = ENAMETOOLONG; | |
546 | break; | |
547 | } | |
690a3127 MD |
548 | |
549 | /* | |
21739618 MD |
550 | * Lookup the path component in the cache, creating an unresolved |
551 | * entry if necessary. We have to handle "." and ".." as special | |
552 | * cases. | |
553 | * | |
554 | * When handling ".." we have to detect a traversal back through a | |
28623bf9 | 555 | * mount point. If we are at the root, ".." just returns the root. |
524c845c | 556 | * |
3a907475 MD |
557 | * When handling "." or ".." we also have to recalculate dflags |
558 | * since our dflags will be for some sub-directory instead of the | |
559 | * parent dir. | |
560 | * | |
79fd1696 MD |
561 | * This subsection returns a locked, refd 'nch' unless it errors out, |
562 | * and an unlocked but still ref'd nd->nl_nch. | |
563 | * | |
fad57d0e MD |
564 | * The namecache topology is not allowed to be disconnected, so |
565 | * encountering a NULL parent will generate EINVAL. This typically | |
566 | * occurs when a directory is removed out from under a process. | |
79fd1696 MD |
567 | * |
568 | * WARNING! The unlocking of nd->nl_nch is sensitive code. | |
21739618 | 569 | */ |
79fd1696 MD |
570 | KKASSERT(nd->nl_flags & NLC_NCPISLOCKED); |
571 | ||
21739618 | 572 | if (nlc.nlc_namelen == 1 && nlc.nlc_nameptr[0] == '.') { |
79fd1696 MD |
573 | cache_unlock(&nd->nl_nch); |
574 | nd->nl_flags &= ~NLC_NCPISLOCKED; | |
12cdc371 | 575 | cache_get_maybe_shared(&nd->nl_nch, &nch, wantsexcllock(nd, ptr)); |
f4d4e93a | 576 | wasdotordotdot = 1; |
21739618 MD |
577 | } else if (nlc.nlc_namelen == 2 && |
578 | nlc.nlc_nameptr[0] == '.' && nlc.nlc_nameptr[1] == '.') { | |
28623bf9 MD |
579 | if (nd->nl_nch.mount == nd->nl_rootnch.mount && |
580 | nd->nl_nch.ncp == nd->nl_rootnch.ncp | |
581 | ) { | |
582 | /* | |
583 | * ".." at the root returns the root | |
584 | */ | |
79fd1696 MD |
585 | cache_unlock(&nd->nl_nch); |
586 | nd->nl_flags &= ~NLC_NCPISLOCKED; | |
12cdc371 MD |
587 | cache_get_maybe_shared(&nd->nl_nch, &nch, |
588 | wantsexcllock(nd, ptr)); | |
21739618 | 589 | } else { |
28623bf9 MD |
590 | /* |
591 | * Locate the parent ncp. If we are at the root of a | |
592 | * filesystem mount we have to skip to the mounted-on | |
593 | * point in the underlying filesystem. | |
f63911bf MD |
594 | * |
595 | * Expect the parent to always be good since the | |
596 | * mountpoint doesn't go away. XXX hack. cache_get() | |
597 | * requires the ncp to already have a ref as a safety. | |
20648721 MD |
598 | * |
599 | * However, a process which has been broken out of a chroot | |
600 | * will wind up with a NULL parent if it tries to '..' above | |
601 | * the real root, deal with the case. Note that this does | |
602 | * not protect us from a jail breakout, it just stops a panic | |
603 | * if the jail-broken process tries to '..' past the real | |
604 | * root. | |
28623bf9 | 605 | */ |
f63911bf | 606 | nctmp = nd->nl_nch; |
20648721 | 607 | while (nctmp.ncp == nctmp.mount->mnt_ncmountpt.ncp) { |
f63911bf | 608 | nctmp = nctmp.mount->mnt_ncmounton; |
20648721 MD |
609 | if (nctmp.ncp == NULL) |
610 | break; | |
611 | } | |
612 | if (nctmp.ncp == NULL) { | |
613 | if (curthread->td_proc) { | |
614 | kprintf("vfs_nlookup: '..' traverse broke " | |
615 | "jail: pid %d (%s)\n", | |
616 | curthread->td_proc->p_pid, | |
617 | curthread->td_comm); | |
618 | } | |
619 | nctmp = nd->nl_rootnch; | |
620 | } else { | |
621 | nctmp.ncp = nctmp.ncp->nc_parent; | |
622 | } | |
2247fe02 | 623 | cache_hold(&nctmp); |
79fd1696 MD |
624 | cache_unlock(&nd->nl_nch); |
625 | nd->nl_flags &= ~NLC_NCPISLOCKED; | |
12cdc371 | 626 | cache_get_maybe_shared(&nctmp, &nch, wantsexcllock(nd, ptr)); |
f63911bf | 627 | cache_drop(&nctmp); /* NOTE: zero's nctmp */ |
21739618 | 628 | } |
d7c75c7a | 629 | wasdotordotdot = 2; |
21739618 | 630 | } else { |
2247fe02 | 631 | /* |
7222030f MD |
632 | * Must unlock nl_nch when traversing down the path. However, |
633 | * the child ncp has not yet been found/created and the parent's | |
634 | * child list might be empty. Thus releasing the lock can | |
635 | * allow a race whereby the parent ncp's vnode is recycled. | |
636 | * This case can occur especially when maxvnodes is set very low. | |
637 | * | |
638 | * We need the parent's ncp to remain resolved for all normal | |
639 | * filesystem activities, so we vhold() the vp during the lookup | |
640 | * to prevent recyclement due to vnlru / maxvnodes. | |
8d09ad3d MD |
641 | * |
642 | * If we race an unlink or rename the ncp might be marked | |
643 | * DESTROYED after resolution, requiring a retry. | |
2247fe02 | 644 | */ |
7222030f MD |
645 | if ((hvp = nd->nl_nch.ncp->nc_vp) != NULL) |
646 | vhold(hvp); | |
2247fe02 MD |
647 | cache_unlock(&nd->nl_nch); |
648 | nd->nl_flags &= ~NLC_NCPISLOCKED; | |
79fd1696 | 649 | error = cache_nlookup_maybe_shared(&nd->nl_nch, &nlc, |
12cdc371 | 650 | wantsexcllock(nd, ptr), &nch); |
79fd1696 MD |
651 | if (error == EWOULDBLOCK) { |
652 | nch = cache_nlookup(&nd->nl_nch, &nlc); | |
653 | if (nch.ncp->nc_flag & NCF_UNRESOLVED) | |
654 | hit = 0; | |
655 | for (;;) { | |
656 | error = cache_resolve(&nch, nd->nl_cred); | |
657 | if (error != EAGAIN && | |
658 | (nch.ncp->nc_flag & NCF_DESTROYED) == 0) { | |
659 | break; | |
660 | } | |
661 | kprintf("[diagnostic] nlookup: relookup %*.*s\n", | |
662 | nch.ncp->nc_nlen, nch.ncp->nc_nlen, | |
663 | nch.ncp->nc_name); | |
664 | cache_put(&nch); | |
665 | nch = cache_nlookup(&nd->nl_nch, &nlc); | |
666 | } | |
8e005a45 | 667 | } |
7222030f MD |
668 | if (hvp) |
669 | vdrop(hvp); | |
f4d4e93a | 670 | wasdotordotdot = 0; |
21739618 | 671 | } |
3a907475 MD |
672 | |
673 | /* | |
674 | * If the last component was "." or ".." our dflags no longer | |
675 | * represents the parent directory and we have to explicitly | |
676 | * look it up. | |
f63911bf MD |
677 | * |
678 | * Expect the parent to be good since nch is locked. | |
3a907475 MD |
679 | */ |
680 | if (wasdotordotdot && error == 0) { | |
681 | dflags = 0; | |
682 | if ((par.ncp = nch.ncp->nc_parent) != NULL) { | |
683 | par.mount = nch.mount; | |
684 | cache_hold(&par); | |
12cdc371 | 685 | cache_lock_maybe_shared(&par, wantsexcllock(nd, ptr)); |
aabd5ce8 | 686 | error = naccess(&par, 0, nd->nl_cred, &dflags); |
2247fe02 | 687 | cache_put(&par); |
3a907475 MD |
688 | } |
689 | } | |
690 | ||
524c845c | 691 | /* |
2247fe02 MD |
692 | * [end of subsection] |
693 | * | |
694 | * nch is locked and referenced. | |
695 | * nd->nl_nch is unlocked and referenced. | |
696 | * | |
697 | * nl_nch must be unlocked or we could chain lock to the root | |
698 | * if a resolve gets stuck (e.g. in NFS). | |
524c845c | 699 | */ |
79fd1696 | 700 | KKASSERT((nd->nl_flags & NLC_NCPISLOCKED) == 0); |
21739618 MD |
701 | |
702 | /* | |
703 | * Resolve the namespace if necessary. The ncp returned by | |
704 | * cache_nlookup() is referenced and locked. | |
8e005a45 MD |
705 | * |
706 | * XXX neither '.' nor '..' should return EAGAIN since they were | |
707 | * previously resolved and thus cannot be newly created ncp's. | |
690a3127 | 708 | */ |
28623bf9 | 709 | if (nch.ncp->nc_flag & NCF_UNRESOLVED) { |
5a9972aa | 710 | hit = 0; |
28623bf9 | 711 | error = cache_resolve(&nch, nd->nl_cred); |
8e005a45 | 712 | KKASSERT(error != EAGAIN); |
690a3127 | 713 | } else { |
28623bf9 | 714 | error = nch.ncp->nc_error; |
690a3127 | 715 | } |
21739618 MD |
716 | |
717 | /* | |
fad57d0e | 718 | * Early completion. ENOENT is not an error if this is the last |
945b476a MD |
719 | * component and NLC_CREATE or NLC_RENAME (rename target) was |
720 | * requested. Note that ncp->nc_error is left as ENOENT in that | |
721 | * case, which we check later on. | |
722 | * | |
f4d4e93a | 723 | * Also handle invalid '.' or '..' components terminating a path |
945b476a MD |
724 | * for a create/rename/delete. The standard requires this and pax |
725 | * pretty stupidly depends on it. | |
fad57d0e | 726 | */ |
79fd1696 | 727 | if (islastelement(ptr)) { |
3a907475 MD |
728 | if (error == ENOENT && |
729 | (nd->nl_flags & (NLC_CREATE | NLC_RENAME_DST)) | |
730 | ) { | |
731 | if (nd->nl_flags & NLC_NFS_RDONLY) { | |
c9aef211 | 732 | error = EROFS; |
3a907475 MD |
733 | } else { |
734 | error = naccess(&nch, nd->nl_flags | dflags, | |
aabd5ce8 | 735 | nd->nl_cred, NULL); |
3a907475 | 736 | } |
c9aef211 | 737 | } |
945b476a | 738 | if (error == 0 && wasdotordotdot && |
3a907475 MD |
739 | (nd->nl_flags & (NLC_CREATE | NLC_DELETE | |
740 | NLC_RENAME_SRC | NLC_RENAME_DST))) { | |
d7c75c7a MD |
741 | /* |
742 | * POSIX junk | |
743 | */ | |
744 | if (nd->nl_flags & NLC_CREATE) | |
745 | error = EEXIST; | |
746 | else if (nd->nl_flags & NLC_DELETE) | |
747 | error = (wasdotordotdot == 1) ? EINVAL : ENOTEMPTY; | |
748 | else | |
749 | error = EINVAL; | |
945b476a | 750 | } |
fad57d0e MD |
751 | } |
752 | ||
753 | /* | |
754 | * Early completion on error. | |
21739618 | 755 | */ |
690a3127 | 756 | if (error) { |
28623bf9 | 757 | cache_put(&nch); |
690a3127 MD |
758 | break; |
759 | } | |
760 | ||
761 | /* | |
762 | * If the element is a symlink and it is either not the last | |
763 | * element or it is the last element and we are allowed to | |
764 | * follow symlinks, resolve the symlink. | |
765 | */ | |
28623bf9 | 766 | if ((nch.ncp->nc_flag & NCF_ISSYMLINK) && |
690a3127 MD |
767 | (*ptr || (nd->nl_flags & NLC_FOLLOW)) |
768 | ) { | |
769 | if (nd->nl_loopcnt++ >= MAXSYMLINKS) { | |
21739618 | 770 | error = ELOOP; |
28623bf9 | 771 | cache_put(&nch); |
690a3127 MD |
772 | break; |
773 | } | |
28623bf9 MD |
774 | error = nreadsymlink(nd, &nch, &nlc); |
775 | cache_put(&nch); | |
21739618 MD |
776 | if (error) |
777 | break; | |
690a3127 MD |
778 | |
779 | /* | |
780 | * Concatenate trailing path elements onto the returned symlink. | |
781 | * Note that if the path component (ptr) is not exhausted, it | |
782 | * will being with a '/', so we do not have to add another one. | |
783 | * | |
784 | * The symlink may not be empty. | |
785 | */ | |
786 | len = strlen(ptr); | |
787 | if (nlc.nlc_namelen == 0 || nlc.nlc_namelen + len >= MAXPATHLEN) { | |
788 | error = nlc.nlc_namelen ? ENAMETOOLONG : ENOENT; | |
70aac194 | 789 | objcache_put(namei_oc, nlc.nlc_nameptr); |
690a3127 MD |
790 | break; |
791 | } | |
792 | bcopy(ptr, nlc.nlc_nameptr + nlc.nlc_namelen, len + 1); | |
793 | if (nd->nl_flags & NLC_HASBUF) | |
70aac194 | 794 | objcache_put(namei_oc, nd->nl_path); |
690a3127 MD |
795 | nd->nl_path = nlc.nlc_nameptr; |
796 | nd->nl_flags |= NLC_HASBUF; | |
797 | ptr = nd->nl_path; | |
798 | ||
799 | /* | |
800 | * Go back up to the top to resolve any initial '/'s in the | |
801 | * symlink. | |
802 | */ | |
803 | continue; | |
804 | } | |
805 | ||
21739618 MD |
806 | /* |
807 | * If the element is a directory and we are crossing a mount point, | |
28623bf9 | 808 | * Locate the mount. |
21739618 | 809 | */ |
28623bf9 MD |
810 | while ((nch.ncp->nc_flag & NCF_ISMOUNTPT) && |
811 | (nd->nl_flags & NLC_NOCROSSMOUNT) == 0 && | |
812 | (mp = cache_findmount(&nch)) != NULL | |
21739618 | 813 | ) { |
21739618 | 814 | struct vnode *tdp; |
63f86bf7 | 815 | int vfs_do_busy = 0; |
21739618 | 816 | |
63f86bf7 MD |
817 | /* |
818 | * VFS must be busied before the namecache entry is locked, | |
819 | * but we don't want to waste time calling vfs_busy() if the | |
820 | * mount point is already resolved. | |
821 | */ | |
822 | again: | |
28623bf9 | 823 | cache_put(&nch); |
63f86bf7 | 824 | if (vfs_do_busy) { |
ace53c28 MD |
825 | while (vfs_busy(mp, 0)) { |
826 | if (mp->mnt_kern_flag & MNTK_UNMOUNT) { | |
827 | kprintf("nlookup: warning umount race avoided\n"); | |
828 | cache_dropmount(mp); | |
829 | error = EBUSY; | |
830 | vfs_do_busy = 0; | |
831 | goto double_break; | |
832 | } | |
833 | } | |
63f86bf7 | 834 | } |
79fd1696 | 835 | cache_get_maybe_shared(&mp->mnt_ncmountpt, &nch, |
12cdc371 | 836 | wantsexcllock(nd, ptr)); |
21739618 | 837 | |
28623bf9 | 838 | if (nch.ncp->nc_flag & NCF_UNRESOLVED) { |
63f86bf7 MD |
839 | if (vfs_do_busy == 0) { |
840 | vfs_do_busy = 1; | |
841 | goto again; | |
842 | } | |
21739618 | 843 | error = VFS_ROOT(mp, &tdp); |
f9642f56 | 844 | vfs_unbusy(mp); |
63f86bf7 | 845 | vfs_do_busy = 0; |
6fa06591 MD |
846 | if (error) { |
847 | cache_dropmount(mp); | |
21739618 | 848 | break; |
6fa06591 | 849 | } |
28623bf9 | 850 | cache_setvp(&nch, tdp); |
21739618 MD |
851 | vput(tdp); |
852 | } | |
63f86bf7 MD |
853 | if (vfs_do_busy) |
854 | vfs_unbusy(mp); | |
6fa06591 | 855 | cache_dropmount(mp); |
21739618 | 856 | } |
ace53c28 | 857 | |
21739618 | 858 | if (error) { |
28623bf9 | 859 | cache_put(&nch); |
d6069a5c | 860 | double_break: |
21739618 MD |
861 | break; |
862 | } | |
863 | ||
690a3127 MD |
864 | /* |
865 | * Skip any slashes to get to the next element. If there | |
866 | * are any slashes at all the current element must be a | |
fad57d0e MD |
867 | * directory or, in the create case, intended to become a directory. |
868 | * If it isn't we break without incrementing ptr and fall through | |
869 | * to the failure case below. | |
690a3127 MD |
870 | */ |
871 | while (*ptr == '/') { | |
28623bf9 | 872 | if ((nch.ncp->nc_flag & NCF_ISDIR) == 0 && |
fad57d0e MD |
873 | !(nd->nl_flags & NLC_WILLBEDIR) |
874 | ) { | |
690a3127 | 875 | break; |
fad57d0e | 876 | } |
690a3127 MD |
877 | ++ptr; |
878 | } | |
879 | ||
880 | /* | |
881 | * Continuation case: additional elements and the current | |
882 | * element is a directory. | |
883 | */ | |
28623bf9 MD |
884 | if (*ptr && (nch.ncp->nc_flag & NCF_ISDIR)) { |
885 | cache_drop(&nd->nl_nch); | |
886 | cache_unlock(&nch); | |
2247fe02 | 887 | KKASSERT((nd->nl_flags & NLC_NCPISLOCKED) == 0); |
28623bf9 | 888 | nd->nl_nch = nch; |
690a3127 MD |
889 | continue; |
890 | } | |
891 | ||
892 | /* | |
893 | * Failure case: additional elements and the current element | |
894 | * is not a directory | |
895 | */ | |
896 | if (*ptr) { | |
28623bf9 | 897 | cache_put(&nch); |
690a3127 MD |
898 | error = ENOTDIR; |
899 | break; | |
900 | } | |
901 | ||
fad57d0e MD |
902 | /* |
903 | * Successful lookup of last element. | |
904 | * | |
3a907475 MD |
905 | * Check permissions if the target exists. If the target does not |
906 | * exist directory permissions were already tested in the early | |
907 | * completion code above. | |
945b476a | 908 | * |
3a907475 MD |
909 | * nd->nl_flags will be adjusted on return with NLC_APPENDONLY |
910 | * if the file is marked append-only, and NLC_STICKY if the directory | |
911 | * containing the file is sticky. | |
fad57d0e | 912 | */ |
3a907475 MD |
913 | if (nch.ncp->nc_vp && (nd->nl_flags & NLC_ALLCHKS)) { |
914 | error = naccess(&nch, nd->nl_flags | dflags, | |
aabd5ce8 | 915 | nd->nl_cred, NULL); |
945b476a | 916 | if (error) { |
28623bf9 | 917 | cache_put(&nch); |
fad57d0e MD |
918 | break; |
919 | } | |
920 | } | |
921 | ||
690a3127 | 922 | /* |
3a907475 | 923 | * Termination: no more elements. |
5312fa43 MD |
924 | * |
925 | * If NLC_REFDVP is set acquire a referenced parent dvp. | |
690a3127 | 926 | */ |
5312fa43 | 927 | if (nd->nl_flags & NLC_REFDVP) { |
2247fe02 | 928 | cache_lock(&nd->nl_nch); |
5312fa43 | 929 | error = cache_vref(&nd->nl_nch, nd->nl_cred, &nd->nl_dvp); |
2247fe02 | 930 | cache_unlock(&nd->nl_nch); |
5312fa43 MD |
931 | if (error) { |
932 | kprintf("NLC_REFDVP: Cannot ref dvp of %p\n", nch.ncp); | |
933 | cache_put(&nch); | |
934 | break; | |
935 | } | |
936 | } | |
28623bf9 MD |
937 | cache_drop(&nd->nl_nch); |
938 | nd->nl_nch = nch; | |
690a3127 MD |
939 | nd->nl_flags |= NLC_NCPISLOCKED; |
940 | error = 0; | |
941 | break; | |
942 | } | |
3a907475 | 943 | |
5a9972aa | 944 | if (hit) |
79fd1696 | 945 | ++gd->gd_nchstats->ncs_longhits; |
5a9972aa | 946 | else |
79fd1696 MD |
947 | ++gd->gd_nchstats->ncs_longmiss; |
948 | ||
949 | if (nd->nl_flags & NLC_NCPISLOCKED) | |
cd87afb1 | 950 | KKASSERT(cache_lockstatus(&nd->nl_nch) > 0); |
5a9972aa | 951 | |
3a907475 MD |
952 | /* |
953 | * NOTE: If NLC_CREATE was set the ncp may represent a negative hit | |
954 | * (ncp->nc_error will be ENOENT), but we will still return an error | |
955 | * code of 0. | |
956 | */ | |
690a3127 MD |
957 | return(error); |
958 | } | |
959 | ||
21739618 MD |
960 | /* |
961 | * Resolve a mount point's glue ncp. This ncp connects creates the illusion | |
962 | * of continuity in the namecache tree by connecting the ncp related to the | |
963 | * vnode under the mount to the ncp related to the mount's root vnode. | |
964 | * | |
965 | * If no error occured a locked, ref'd ncp is stored in *ncpp. | |
966 | */ | |
967 | int | |
28623bf9 | 968 | nlookup_mp(struct mount *mp, struct nchandle *nch) |
21739618 | 969 | { |
21739618 MD |
970 | struct vnode *vp; |
971 | int error; | |
972 | ||
973 | error = 0; | |
28623bf9 MD |
974 | cache_get(&mp->mnt_ncmountpt, nch); |
975 | if (nch->ncp->nc_flag & NCF_UNRESOLVED) { | |
f9642f56 | 976 | while (vfs_busy(mp, 0)) |
21739618 MD |
977 | ; |
978 | error = VFS_ROOT(mp, &vp); | |
f9642f56 | 979 | vfs_unbusy(mp); |
21739618 | 980 | if (error) { |
28623bf9 | 981 | cache_put(nch); |
21739618 | 982 | } else { |
28623bf9 | 983 | cache_setvp(nch, vp); |
21739618 MD |
984 | vput(vp); |
985 | } | |
986 | } | |
21739618 MD |
987 | return(error); |
988 | } | |
989 | ||
690a3127 MD |
990 | /* |
991 | * Read the contents of a symlink, allocate a path buffer out of the | |
70aac194 | 992 | * namei_oc and initialize the supplied nlcomponent with the result. |
690a3127 MD |
993 | * |
994 | * If an error occurs no buffer will be allocated or returned in the nlc. | |
995 | */ | |
996 | int | |
28623bf9 | 997 | nreadsymlink(struct nlookupdata *nd, struct nchandle *nch, |
690a3127 MD |
998 | struct nlcomponent *nlc) |
999 | { | |
21739618 | 1000 | struct vnode *vp; |
690a3127 MD |
1001 | struct iovec aiov; |
1002 | struct uio auio; | |
1003 | int linklen; | |
1004 | int error; | |
1005 | char *cp; | |
1006 | ||
1007 | nlc->nlc_nameptr = NULL; | |
1008 | nlc->nlc_namelen = 0; | |
28623bf9 | 1009 | if (nch->ncp->nc_vp == NULL) |
690a3127 | 1010 | return(ENOENT); |
28623bf9 | 1011 | if ((error = cache_vget(nch, nd->nl_cred, LK_SHARED, &vp)) != 0) |
690a3127 | 1012 | return(error); |
70aac194 | 1013 | cp = objcache_get(namei_oc, M_WAITOK); |
690a3127 MD |
1014 | aiov.iov_base = cp; |
1015 | aiov.iov_len = MAXPATHLEN; | |
1016 | auio.uio_iov = &aiov; | |
1017 | auio.uio_iovcnt = 1; | |
1018 | auio.uio_offset = 0; | |
1019 | auio.uio_rw = UIO_READ; | |
1020 | auio.uio_segflg = UIO_SYSSPACE; | |
1021 | auio.uio_td = nd->nl_td; | |
1022 | auio.uio_resid = MAXPATHLEN - 1; | |
21739618 | 1023 | error = VOP_READLINK(vp, &auio, nd->nl_cred); |
690a3127 MD |
1024 | if (error) |
1025 | goto fail; | |
21739618 | 1026 | linklen = MAXPATHLEN - 1 - auio.uio_resid; |
690a3127 MD |
1027 | if (varsym_enable) { |
1028 | linklen = varsymreplace(cp, linklen, MAXPATHLEN - 1); | |
1029 | if (linklen < 0) { | |
1030 | error = ENAMETOOLONG; | |
1031 | goto fail; | |
1032 | } | |
1033 | } | |
1034 | cp[linklen] = 0; | |
1035 | nlc->nlc_nameptr = cp; | |
1036 | nlc->nlc_namelen = linklen; | |
21739618 | 1037 | vput(vp); |
690a3127 MD |
1038 | return(0); |
1039 | fail: | |
70aac194 | 1040 | objcache_put(namei_oc, cp); |
21739618 | 1041 | vput(vp); |
690a3127 MD |
1042 | return(error); |
1043 | } | |
1044 | ||
21739618 MD |
1045 | /* |
1046 | * Check access [XXX cache vattr!] [XXX quota] | |
1047 | * | |
3a907475 MD |
1048 | * Generally check the NLC_* access bits. All specified bits must pass |
1049 | * for this function to return 0. | |
21739618 | 1050 | * |
3a907475 MD |
1051 | * The file does not have to exist when checking NLC_CREATE or NLC_RENAME_DST |
1052 | * access, otherwise it must exist. No error is returned in this case. | |
945b476a | 1053 | * |
3a907475 | 1054 | * The file must not exist if NLC_EXCL is specified. |
21739618 | 1055 | * |
3a907475 MD |
1056 | * Directory permissions in general are tested for NLC_CREATE if the file |
1057 | * does not exist, NLC_DELETE if the file does exist, and NLC_RENAME_DST | |
1058 | * whether the file exists or not. | |
21739618 | 1059 | * |
3a907475 MD |
1060 | * The directory sticky bit is tested for NLC_DELETE and NLC_RENAME_DST, |
1061 | * the latter is only tested if the target exists. | |
dae8d54f | 1062 | * |
79fd1696 MD |
1063 | * The passed ncp must be referenced and locked. If it is already resolved |
1064 | * it may be locked shared but otherwise should be locked exclusively. | |
21739618 | 1065 | */ |
5a3f9be0 | 1066 | static int |
aabd5ce8 | 1067 | naccess(struct nchandle *nch, int nflags, struct ucred *cred, int *nflagsp) |
21739618 MD |
1068 | { |
1069 | struct vnode *vp; | |
1070 | struct vattr va; | |
aabd5ce8 | 1071 | struct namecache *ncp; |
21739618 | 1072 | int error; |
e9b56058 | 1073 | int cflags; |
21739618 | 1074 | |
79fd1696 MD |
1075 | KKASSERT(cache_lockstatus(nch) > 0); |
1076 | ||
aabd5ce8 MD |
1077 | ncp = nch->ncp; |
1078 | if (ncp->nc_flag & NCF_UNRESOLVED) { | |
28623bf9 | 1079 | cache_resolve(nch, cred); |
aabd5ce8 | 1080 | ncp = nch->ncp; |
21739618 | 1081 | } |
aabd5ce8 | 1082 | error = ncp->nc_error; |
dae8d54f | 1083 | |
945b476a | 1084 | /* |
3a907475 MD |
1085 | * Directory permissions checks. Silently ignore ENOENT if these |
1086 | * tests pass. It isn't an error. | |
2247fe02 | 1087 | * |
aabd5ce8 MD |
1088 | * We can safely resolve ncp->nc_parent because ncp is currently |
1089 | * locked. | |
945b476a | 1090 | */ |
3a907475 | 1091 | if (nflags & (NLC_CREATE | NLC_DELETE | NLC_RENAME_SRC | NLC_RENAME_DST)) { |
aabd5ce8 MD |
1092 | if (((nflags & NLC_CREATE) && ncp->nc_vp == NULL) || |
1093 | ((nflags & NLC_DELETE) && ncp->nc_vp != NULL) || | |
1094 | ((nflags & NLC_RENAME_SRC) && ncp->nc_vp != NULL) || | |
3a907475 | 1095 | (nflags & NLC_RENAME_DST) |
21739618 | 1096 | ) { |
f63911bf MD |
1097 | struct nchandle par; |
1098 | ||
aabd5ce8 | 1099 | if ((par.ncp = ncp->nc_parent) == NULL) { |
8e005a45 | 1100 | if (error != EAGAIN) |
fad57d0e | 1101 | error = EINVAL; |
3a907475 | 1102 | } else if (error == 0 || error == ENOENT) { |
28623bf9 | 1103 | par.mount = nch->mount; |
2247fe02 | 1104 | cache_hold(&par); |
79fd1696 | 1105 | cache_lock_maybe_shared(&par, 0); |
aabd5ce8 | 1106 | error = naccess(&par, NLC_WRITE, cred, NULL); |
2247fe02 | 1107 | cache_put(&par); |
8e005a45 | 1108 | } |
21739618 | 1109 | } |
21739618 | 1110 | } |
3a907475 MD |
1111 | |
1112 | /* | |
1113 | * NLC_EXCL check. Target file must not exist. | |
1114 | */ | |
aabd5ce8 | 1115 | if (error == 0 && (nflags & NLC_EXCL) && ncp->nc_vp != NULL) |
3a907475 MD |
1116 | error = EEXIST; |
1117 | ||
1118 | /* | |
1119 | * Get the vnode attributes so we can do the rest of our checks. | |
1120 | * | |
1121 | * NOTE: We only call naccess_va() if the target exists. | |
1122 | */ | |
21739618 | 1123 | if (error == 0) { |
28623bf9 | 1124 | error = cache_vget(nch, cred, LK_SHARED, &vp); |
21739618 | 1125 | if (error == ENOENT) { |
3a907475 MD |
1126 | /* |
1127 | * Silently zero-out ENOENT if creating or renaming | |
1128 | * (rename target). It isn't an error. | |
1129 | */ | |
1130 | if (nflags & (NLC_CREATE | NLC_RENAME_DST)) | |
21739618 MD |
1131 | error = 0; |
1132 | } else if (error == 0) { | |
3a907475 MD |
1133 | /* |
1134 | * Get the vnode attributes and check for illegal O_TRUNC | |
1135 | * requests and read-only mounts. | |
1136 | * | |
1137 | * NOTE: You can still open devices on read-only mounts for | |
1138 | * writing. | |
1139 | * | |
1140 | * NOTE: creates/deletes/renames are handled by the NLC_WRITE | |
1141 | * check on the parent directory above. | |
1142 | * | |
1143 | * XXX cache the va in the namecache or in the vnode | |
1144 | */ | |
1145 | error = VOP_GETATTR(vp, &va); | |
1146 | if (error == 0 && (nflags & NLC_TRUNCATE)) { | |
1147 | switch(va.va_type) { | |
1148 | case VREG: | |
1149 | case VDATABASE: | |
1150 | case VCHR: | |
1151 | case VBLK: | |
c9c08c19 | 1152 | case VFIFO: |
3a907475 | 1153 | break; |
d7c75c7a MD |
1154 | case VDIR: |
1155 | error = EISDIR; | |
1156 | break; | |
3a907475 MD |
1157 | default: |
1158 | error = EINVAL; | |
1159 | break; | |
1160 | } | |
1161 | } | |
1162 | if (error == 0 && (nflags & NLC_WRITE) && vp->v_mount && | |
1163 | (vp->v_mount->mnt_flag & MNT_RDONLY) | |
1164 | ) { | |
1165 | switch(va.va_type) { | |
1166 | case VDIR: | |
1167 | case VLNK: | |
1168 | case VREG: | |
1169 | case VDATABASE: | |
1170 | error = EROFS; | |
1171 | break; | |
1172 | default: | |
1173 | break; | |
21739618 MD |
1174 | } |
1175 | } | |
1176 | vput(vp); | |
dae8d54f | 1177 | |
3a907475 MD |
1178 | /* |
1179 | * Check permissions based on file attributes. The passed | |
1180 | * flags (*nflagsp) are modified with feedback based on | |
1181 | * special attributes and requirements. | |
1182 | */ | |
dae8d54f MD |
1183 | if (error == 0) { |
1184 | /* | |
3a907475 | 1185 | * Adjust the returned (*nflagsp) if non-NULL. |
dae8d54f | 1186 | */ |
3a907475 MD |
1187 | if (nflagsp) { |
1188 | if ((va.va_mode & VSVTX) && va.va_uid != cred->cr_uid) | |
1189 | *nflagsp |= NLC_STICKY; | |
1190 | if (va.va_flags & APPEND) | |
1191 | *nflagsp |= NLC_APPENDONLY; | |
1192 | if (va.va_flags & IMMUTABLE) | |
1193 | *nflagsp |= NLC_IMMUTABLE; | |
1194 | } | |
dae8d54f | 1195 | |
e9b56058 MD |
1196 | /* |
1197 | * Track swapcache management flags in the namecache. | |
aabd5ce8 MD |
1198 | * |
1199 | * Calculate the flags based on the current vattr info | |
1200 | * and recalculate the inherited flags from the parent | |
1201 | * (the original cache linkage may have occurred without | |
1202 | * getattrs and thus have stale flags). | |
e9b56058 | 1203 | */ |
aabd5ce8 | 1204 | cflags = 0; |
e9b56058 | 1205 | if (va.va_flags & SF_NOCACHE) |
aabd5ce8 | 1206 | cflags |= NCF_SF_NOCACHE; |
e9b56058 | 1207 | if (va.va_flags & UF_CACHE) |
aabd5ce8 MD |
1208 | cflags |= NCF_UF_CACHE; |
1209 | if (ncp->nc_parent) { | |
1210 | if (ncp->nc_parent->nc_flag & | |
1211 | (NCF_SF_NOCACHE | NCF_SF_PNOCACHE)) { | |
1212 | cflags |= NCF_SF_PNOCACHE; | |
1213 | } | |
1214 | if (ncp->nc_parent->nc_flag & | |
1215 | (NCF_UF_CACHE | NCF_UF_PCACHE)) { | |
1216 | cflags |= NCF_UF_PCACHE; | |
1217 | } | |
1218 | } | |
79fd1696 MD |
1219 | |
1220 | /* | |
1221 | * XXX we're not supposed to update nc_flag when holding | |
1222 | * a shared lock. | |
1223 | */ | |
1224 | atomic_clear_short(&ncp->nc_flag, | |
1225 | (NCF_SF_NOCACHE | NCF_UF_CACHE | | |
1226 | NCF_SF_PNOCACHE | NCF_UF_PCACHE) & ~cflags); | |
1227 | atomic_set_short(&ncp->nc_flag, cflags); | |
e9b56058 | 1228 | |
dae8d54f MD |
1229 | /* |
1230 | * Process general access. | |
1231 | */ | |
3a907475 | 1232 | error = naccess_va(&va, nflags, cred); |
dae8d54f | 1233 | } |
21739618 MD |
1234 | } |
1235 | } | |
1236 | return(error); | |
1237 | } | |
1238 | ||
1239 | /* | |
1240 | * Check the requested access against the given vattr using cred. | |
1241 | */ | |
1242 | int | |
3a907475 | 1243 | naccess_va(struct vattr *va, int nflags, struct ucred *cred) |
21739618 MD |
1244 | { |
1245 | int i; | |
3a907475 | 1246 | int vmode; |
21739618 MD |
1247 | |
1248 | /* | |
3a907475 MD |
1249 | * Test the immutable bit. Creations, deletions, renames (source |
1250 | * or destination) are not allowed. chown/chmod/other is also not | |
1251 | * allowed but is handled by SETATTR. Hardlinks to the immutable | |
1252 | * file are allowed. | |
1253 | * | |
1254 | * If the directory is set to immutable then creations, deletions, | |
1255 | * renames (source or dest) and hardlinks to files within the directory | |
1256 | * are not allowed, and regular files opened through the directory may | |
1257 | * not be written to or truncated (unless a special device). | |
945b476a | 1258 | * |
3a907475 MD |
1259 | * NOTE! New hardlinks to immutable files work but new hardlinks to |
1260 | * files, immutable or not, sitting inside an immutable directory are | |
1261 | * not allowed. As always if the file is hardlinked via some other | |
1262 | * path additional hardlinks may be possible even if the file is marked | |
1263 | * immutable. The sysop needs to create a closure by checking the hard | |
1264 | * link count. Once closure is achieved you are good, and security | |
1265 | * scripts should check link counts anyway. | |
1266 | * | |
1267 | * Writes and truncations are only allowed on special devices. | |
21739618 | 1268 | */ |
3a907475 MD |
1269 | if ((va->va_flags & IMMUTABLE) || (nflags & NLC_IMMUTABLE)) { |
1270 | if ((nflags & NLC_IMMUTABLE) && (nflags & NLC_HLINK)) | |
1271 | return (EPERM); | |
1272 | if (nflags & (NLC_CREATE | NLC_DELETE | | |
1273 | NLC_RENAME_SRC | NLC_RENAME_DST)) { | |
1274 | return (EPERM); | |
1275 | } | |
1276 | if (nflags & (NLC_WRITE | NLC_TRUNCATE)) { | |
1277 | switch(va->va_type) { | |
1278 | case VDIR: | |
d7c75c7a | 1279 | return (EISDIR); |
3a907475 MD |
1280 | case VLNK: |
1281 | case VREG: | |
1282 | case VDATABASE: | |
1283 | return (EPERM); | |
1284 | default: | |
1285 | break; | |
1286 | } | |
1287 | } | |
1288 | } | |
1289 | ||
1290 | /* | |
1291 | * Test the no-unlink and append-only bits for opens, rename targets, | |
1292 | * and deletions. These bits are not tested for creations or | |
1293 | * rename sources. | |
1294 | * | |
1295 | * Unlike FreeBSD we allow a file with APPEND set to be renamed. | |
1296 | * If you do not wish this you must also set NOUNLINK. | |
1297 | * | |
1298 | * If the governing directory is marked APPEND-only it implies | |
1299 | * NOUNLINK for all entries in the directory. | |
1300 | */ | |
1301 | if (((va->va_flags & NOUNLINK) || (nflags & NLC_APPENDONLY)) && | |
1302 | (nflags & (NLC_DELETE | NLC_RENAME_SRC | NLC_RENAME_DST)) | |
1303 | ) { | |
1304 | return (EPERM); | |
1305 | } | |
1306 | ||
1307 | /* | |
1308 | * A file marked append-only may not be deleted but can be renamed. | |
1309 | */ | |
1310 | if ((va->va_flags & APPEND) && | |
1311 | (nflags & (NLC_DELETE | NLC_RENAME_DST)) | |
1312 | ) { | |
1313 | return (EPERM); | |
1314 | } | |
1315 | ||
1316 | /* | |
1317 | * A file marked append-only which is opened for writing must also | |
1318 | * be opened O_APPEND. | |
1319 | */ | |
1320 | if ((va->va_flags & APPEND) && (nflags & (NLC_OPEN | NLC_TRUNCATE))) { | |
1321 | if (nflags & NLC_TRUNCATE) | |
1322 | return (EPERM); | |
1323 | if ((nflags & (NLC_OPEN | NLC_WRITE)) == (NLC_OPEN | NLC_WRITE)) { | |
1324 | if ((nflags & NLC_APPEND) == 0) | |
21739618 MD |
1325 | return (EPERM); |
1326 | } | |
1327 | } | |
1328 | ||
1329 | /* | |
1330 | * root gets universal access | |
1331 | */ | |
1332 | if (cred->cr_uid == 0) | |
1333 | return(0); | |
1334 | ||
1335 | /* | |
dae8d54f MD |
1336 | * Check owner perms. |
1337 | * | |
3a907475 | 1338 | * If NLC_OWN is set the owner of the file is allowed no matter when |
dae8d54f | 1339 | * the owner-mode bits say (utimes). |
21739618 | 1340 | */ |
3a907475 MD |
1341 | vmode = 0; |
1342 | if (nflags & NLC_READ) | |
1343 | vmode |= S_IRUSR; | |
1344 | if (nflags & NLC_WRITE) | |
1345 | vmode |= S_IWUSR; | |
1346 | if (nflags & NLC_EXEC) | |
1347 | vmode |= S_IXUSR; | |
1348 | ||
21739618 | 1349 | if (cred->cr_uid == va->va_uid) { |
3a907475 | 1350 | if ((nflags & NLC_OWN) == 0) { |
ee89633d MD |
1351 | if ((vmode & va->va_mode) != vmode) |
1352 | return(EACCES); | |
1353 | } | |
21739618 MD |
1354 | return(0); |
1355 | } | |
dae8d54f MD |
1356 | |
1357 | /* | |
3a907475 MD |
1358 | * If NLC_STICKY is set only the owner may delete or rename a file. |
1359 | * This bit is typically set on /tmp. | |
dae8d54f | 1360 | * |
3a907475 MD |
1361 | * Note that the NLC_READ/WRITE/EXEC bits are not typically set in |
1362 | * the specific delete or rename case. For deletions and renames we | |
1363 | * usually just care about directory permissions, not file permissions. | |
dae8d54f | 1364 | */ |
3a907475 MD |
1365 | if ((nflags & NLC_STICKY) && |
1366 | (nflags & (NLC_RENAME_SRC | NLC_RENAME_DST | NLC_DELETE))) { | |
dae8d54f | 1367 | return(EACCES); |
3a907475 | 1368 | } |
dae8d54f MD |
1369 | |
1370 | /* | |
1371 | * Check group perms | |
1372 | */ | |
21739618 MD |
1373 | vmode >>= 3; |
1374 | for (i = 0; i < cred->cr_ngroups; ++i) { | |
1375 | if (va->va_gid == cred->cr_groups[i]) { | |
1376 | if ((vmode & va->va_mode) != vmode) | |
1377 | return(EACCES); | |
1378 | return(0); | |
1379 | } | |
1380 | } | |
1381 | ||
dae8d54f MD |
1382 | /* |
1383 | * Check world perms | |
1384 | */ | |
21739618 MD |
1385 | vmode >>= 3; |
1386 | if ((vmode & va->va_mode) != vmode) | |
1387 | return(EACCES); | |
1388 | return(0); | |
1389 | } | |
1390 |