/*
- * Copyright (c) 2004-2007 Apple Computer, Inc. All rights reserved.
+ * Copyright (c) 2004-2010 Apple Inc. All rights reserved.
*
- * @APPLE_LICENSE_HEADER_START@
+ * @APPLE_OSREFERENCE_LICENSE_HEADER_START@
*
- * The contents of this file constitute Original Code as defined in and
- * are subject to the Apple Public Source License Version 1.1 (the
- * "License"). You may not use this file except in compliance with the
- * License. Please obtain a copy of the License at
- * http://www.apple.com/publicsource and read it before using this file.
+ * This file contains Original Code and/or Modifications of Original Code
+ * as defined in and that are subject to the Apple Public Source License
+ * Version 2.0 (the 'License'). You may not use this file except in
+ * compliance with the License. The rights granted to you under the License
+ * may not be used to create, or enable the creation or redistribution of,
+ * unlawful or unlicensed copies of an Apple operating system, or to
+ * circumvent, violate, or enable the circumvention or violation of, any
+ * terms of an Apple operating system software license agreement.
*
- * This Original Code and all software distributed under the License are
- * distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY KIND, EITHER
+ * Please obtain a copy of the License at
+ * http://www.opensource.apple.com/apsl/ and read it before using this file.
+ *
+ * The Original Code and all software distributed under the License are
+ * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
* EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
* INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT. Please see the
- * License for the specific language governing rights and limitations
- * under the License.
+ * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
+ * Please see the License for the specific language governing rights and
+ * limitations under the License.
*
- * @APPLE_LICENSE_HEADER_END@
+ * @APPLE_OSREFERENCE_LICENSE_HEADER_END@
*/
-
+/*
+ * NOTICE: This file was modified by SPARTA, Inc. in 2005 to introduce
+ * support for mandatory and extensible security protections. This notice
+ * is included in support of clause 2.2 (b) of the Apple Public License,
+ * Version 2.0.
+ */
+
#include <sys/param.h>
#include <sys/fcntl.h>
#include <sys/kernel.h>
#include <sys/kauth.h>
#include <sys/malloc.h>
+#include <sys/mount_internal.h>
#include <sys/namei.h>
#include <sys/proc_internal.h>
#include <sys/stat.h>
#include <sys/utfconv.h>
#include <sys/vnode.h>
#include <sys/vnode_internal.h>
-
#include <sys/xattr.h>
#include <libkern/OSByteOrder.h>
#include <vm/vm_kern.h>
+#if CONFIG_MACF
+#include <security/mac_framework.h>
+#endif
+
+
+#if NAMEDSTREAMS
+
/*
- * Default xattr support routines.
+ * We use %p to prevent loss of precision for pointers on varying architectures.
*/
-static int default_getxattr(vnode_t vp, const char *name, uio_t uio, size_t *size,
- int options, vfs_context_t context);
+#define MAKE_SHADOW_NAME(VP, NAME) \
+ snprintf((NAME), sizeof((NAME)), ".vfs_rsrc_stream_%p%08x%p", (void*)(VP), (VP)->v_id, (VP)->v_data);
+
+static int shadow_sequence;
+
+
+static int default_getnamedstream(vnode_t vp, vnode_t *svpp, const char *name, enum nsoperation op, vfs_context_t context);
+
+static int default_makenamedstream(vnode_t vp, vnode_t *svpp, const char *name, vfs_context_t context);
+
+static int default_removenamedstream(vnode_t vp, const char *name, vfs_context_t context);
+
+static int getshadowfile(vnode_t vp, vnode_t *svpp, int makestream, size_t *rsrcsize, int *creator, vfs_context_t context);
+
+static int get_shadow_dir(vnode_t *sdvpp, vfs_context_t context);
+
+#endif
-static int default_setxattr(vnode_t vp, const char *name, uio_t uio,
- int options, vfs_context_t context);
-static int default_removexattr(vnode_t vp, const char *name, int options, vfs_context_t context);
+/*
+ * Default xattr support routines.
+ */
static int default_listxattr(vnode_t vp, uio_t uio, size_t *size, int options,
vfs_context_t context);
if (!(vp->v_type == VREG || vp->v_type == VDIR || vp->v_type == VLNK)) {
return (EPERM);
}
- if ((error = xattr_validatename(name))) {
- return (error);
- }
- if (!(options & XATTR_NOSECURITY) && (error = vnode_authorize(vp, NULL, KAUTH_VNODE_READ_EXTATTRIBUTES, context)))
+#if NAMEDSTREAMS
+ /* getxattr calls are not allowed for streams. */
+ if (vp->v_flag & VISNAMEDSTREAM) {
+ error = EPERM;
goto out;
+ }
+#endif
+ /*
+ * Non-kernel request need extra checks performed.
+ *
+ * The XATTR_NOSECURITY flag implies a kernel request.
+ */
+ if (!(options & XATTR_NOSECURITY)) {
+#if CONFIG_MACF
+ error = mac_vnode_check_getextattr(context, vp, name, uio);
+ if (error)
+ goto out;
+#endif /* MAC */
+ if ((error = xattr_validatename(name))) {
+ goto out;
+ }
+ if ((error = vnode_authorize(vp, NULL, KAUTH_VNODE_READ_EXTATTRIBUTES, context))) {
+ goto out;
+ }
+ /* The offset can only be non-zero for resource forks. */
+ if (uio != NULL && uio_offset(uio) != 0 &&
+ bcmp(name, XATTR_RESOURCEFORK_NAME, sizeof(XATTR_RESOURCEFORK_NAME)) != 0) {
+ error = EINVAL;
+ goto out;
+ }
+ }
/* The offset can only be non-zero for resource forks. */
if (uio != NULL && uio_offset(uio) != 0 &&
}
error = VNOP_GETXATTR(vp, name, uio, size, options, context);
- if (error == ENOTSUP) {
+ if (error == ENOTSUP && !(options & XATTR_NODEFAULT)) {
/*
* A filesystem may keep some EAs natively and return ENOTSUP for others.
* SMB returns ENOTSUP for finderinfo and resource forks.
if (!(vp->v_type == VREG || vp->v_type == VDIR || vp->v_type == VLNK)) {
return (EPERM);
}
+#if NAMEDSTREAMS
+ /* setxattr calls are not allowed for streams. */
+ if (vp->v_flag & VISNAMEDSTREAM) {
+ error = EPERM;
+ goto out;
+ }
+#endif
if ((options & (XATTR_REPLACE|XATTR_CREATE)) == (XATTR_REPLACE|XATTR_CREATE)) {
return (EINVAL);
}
if ((error = xattr_validatename(name))) {
return (error);
}
- if (!(options & XATTR_NOSECURITY) && (error = vnode_authorize(vp, NULL, KAUTH_VNODE_WRITE_EXTATTRIBUTES, context)))
- goto out;
-
+ if (!(options & XATTR_NOSECURITY)) {
+#if CONFIG_MACF
+ error = mac_vnode_check_setextattr(context, vp, name, uio);
+ if (error)
+ goto out;
+#endif /* MAC */
+ error = vnode_authorize(vp, NULL, KAUTH_VNODE_WRITE_EXTATTRIBUTES, context);
+ if (error)
+ goto out;
+ }
/* The offset can only be non-zero for resource forks. */
if (uio_offset(uio) != 0 &&
bcmp(name, XATTR_RESOURCEFORK_NAME, sizeof(XATTR_RESOURCEFORK_NAME)) != 0 ) {
/* the mainline path here is to have error==ENOTSUP ... */
}
#endif /* DUAL_EAS */
- if (error == ENOTSUP) {
+ if (error == ENOTSUP && !(options & XATTR_NODEFAULT)) {
/*
* A filesystem may keep some EAs natively and return ENOTSUP for others.
* SMB returns ENOTSUP for finderinfo and resource forks.
*/
error = default_setxattr(vp, name, uio, options, context);
}
+#if CONFIG_MACF
+ if ((error == 0) && !(options & XATTR_NOSECURITY) &&
+ (vfs_flags(vnode_mount(vp)) & MNT_MULTILABEL))
+ mac_vnode_label_update_extattr(vnode_mount(vp), vp, name);
+#endif
out:
return (error);
}
if (!(vp->v_type == VREG || vp->v_type == VDIR || vp->v_type == VLNK)) {
return (EPERM);
}
+#if NAMEDSTREAMS
+ /* removexattr calls are not allowed for streams. */
+ if (vp->v_flag & VISNAMEDSTREAM) {
+ error = EPERM;
+ goto out;
+ }
+#endif
if ((error = xattr_validatename(name))) {
return (error);
}
- if (!(options & XATTR_NOSECURITY) && (error = vnode_authorize(vp, NULL, KAUTH_VNODE_WRITE_EXTATTRIBUTES, context)))
- goto out;
+ if (!(options & XATTR_NOSECURITY)) {
+#if CONFIG_MACF
+ error = mac_vnode_check_deleteextattr(context, vp, name);
+ if (error)
+ goto out;
+#endif /* MAC */
+ error = vnode_authorize(vp, NULL, KAUTH_VNODE_WRITE_EXTATTRIBUTES, context);
+ if (error)
+ goto out;
+ }
error = VNOP_REMOVEXATTR(vp, name, options, context);
- if (error == ENOTSUP) {
+ if (error == ENOTSUP && !(options & XATTR_NODEFAULT)) {
/*
* A filesystem may keep some EAs natively and return ENOTSUP for others.
* SMB returns ENOTSUP for finderinfo and resource forks.
error = 0;
#endif /* DUAL_EAS */
}
+#if CONFIG_MACF
+ if ((error == 0) && !(options & XATTR_NOSECURITY) &&
+ (vfs_flags(vnode_mount(vp)) & MNT_MULTILABEL))
+ mac_vnode_label_update_extattr(vnode_mount(vp), vp, name);
+#endif
out:
return (error);
}
if (!(vp->v_type == VREG || vp->v_type == VDIR || vp->v_type == VLNK)) {
return (EPERM);
}
- if (!(options & XATTR_NOSECURITY) && (error = vnode_authorize(vp, NULL, KAUTH_VNODE_READ_EXTATTRIBUTES, context)))
- goto out;
+#if NAMEDSTREAMS
+ /* listxattr calls are not allowed for streams. */
+ if (vp->v_flag & VISNAMEDSTREAM) {
+ return (EPERM);
+ }
+#endif
+
+ if (!(options & XATTR_NOSECURITY)) {
+#if CONFIG_MACF
+ error = mac_vnode_check_listextattr(context, vp);
+ if (error)
+ goto out;
+#endif /* MAC */
+
+ error = vnode_authorize(vp, NULL, KAUTH_VNODE_READ_EXTATTRIBUTES, context);
+ if (error)
+ goto out;
+ }
error = VNOP_LISTXATTR(vp, uio, size, options, context);
- if (error == ENOTSUP) {
+ if (error == ENOTSUP && !(options & XATTR_NODEFAULT)) {
/*
* A filesystem may keep some but not all EAs natively, in which case
* the native EA names will have been uiomove-d out (or *size updated)
*/
error = default_listxattr(vp, uio, size, options, context);
}
-out:
+out:
+ return (error);
+}
+
+int
+xattr_validatename(const char *name)
+{
+ int namelen;
+
+ if (name == NULL || name[0] == '\0') {
+ return (EINVAL);
+ }
+ namelen = strnlen(name, XATTR_MAXNAMELEN);
+ if (name[namelen] != '\0')
+ return (ENAMETOOLONG);
+
+ if (utf8_validatestr((const unsigned char *)name, namelen) != 0)
+ return (EINVAL);
+
+ return (0);
+}
+
+
+/*
+ * Determine whether an EA is a protected system attribute.
+ */
+int
+xattr_protected(const char *attrname)
+{
+ return(!strncmp(attrname, "com.apple.system.", 17));
+}
+
+
+#if NAMEDSTREAMS
+/*
+ * Obtain a named stream from vnode vp.
+ */
+errno_t
+vnode_getnamedstream(vnode_t vp, vnode_t *svpp, const char *name, enum nsoperation op, int flags, vfs_context_t context)
+{
+ int error;
+
+ if (vp->v_mount->mnt_kern_flag & MNTK_NAMED_STREAMS)
+ error = VNOP_GETNAMEDSTREAM(vp, svpp, name, op, flags, context);
+ else
+ error = default_getnamedstream(vp, svpp, name, op, context);
+
+ if (error == 0) {
+ uint32_t streamflags = VISNAMEDSTREAM;
+ vnode_t svp = *svpp;
+
+ if ((vp->v_mount->mnt_kern_flag & MNTK_NAMED_STREAMS) == 0) {
+ streamflags |= VISSHADOW;
+ }
+
+ /* Tag the vnode. */
+ vnode_lock_spin(svp);
+ svp->v_flag |= streamflags;
+ vnode_unlock(svp);
+
+ /* Tag the parent so we know to flush credentials for streams on setattr */
+ vnode_lock_spin(vp);
+ vp->v_lflag |= VL_HASSTREAMS;
+ vnode_unlock(vp);
+
+ /* Make the file it's parent.
+ * Note: This parent link helps us distinguish vnodes for
+ * shadow stream files from vnodes for resource fork on file
+ * systems that support namedstream natively (both have
+ * VISNAMEDSTREAM set) by allowing access to mount structure
+ * for checking MNTK_NAMED_STREAMS bit at many places in the
+ * code.
+ */
+ vnode_update_identity(svp, vp, NULL, 0, 0, VNODE_UPDATE_PARENT);
+ }
+
+ return (error);
+}
+
+/*
+ * Make a named stream for vnode vp.
+ */
+errno_t
+vnode_makenamedstream(vnode_t vp, vnode_t *svpp, const char *name, int flags, vfs_context_t context)
+{
+ int error;
+
+ if (vp->v_mount->mnt_kern_flag & MNTK_NAMED_STREAMS)
+ error = VNOP_MAKENAMEDSTREAM(vp, svpp, name, flags, context);
+ else
+ error = default_makenamedstream(vp, svpp, name, context);
+
+ if (error == 0) {
+ uint32_t streamflags = VISNAMEDSTREAM;
+ vnode_t svp = *svpp;
+
+ /* Tag the vnode. */
+ if ((vp->v_mount->mnt_kern_flag & MNTK_NAMED_STREAMS) == 0) {
+ streamflags |= VISSHADOW;
+ }
+
+ /* Tag the vnode. */
+ vnode_lock_spin(svp);
+ svp->v_flag |= streamflags;
+ vnode_unlock(svp);
+
+ /* Tag the parent so we know to flush credentials for streams on setattr */
+ vnode_lock_spin(vp);
+ vp->v_lflag |= VL_HASSTREAMS;
+ vnode_unlock(vp);
+
+ /* Make the file it's parent.
+ * Note: This parent link helps us distinguish vnodes for
+ * shadow stream files from vnodes for resource fork on file
+ * systems that support namedstream natively (both have
+ * VISNAMEDSTREAM set) by allowing access to mount structure
+ * for checking MNTK_NAMED_STREAMS bit at many places in the
+ * code.
+ */
+ vnode_update_identity(svp, vp, NULL, 0, 0, VNODE_UPDATE_PARENT);
+ }
+ return (error);
+}
+
+/*
+ * Remove a named stream from vnode vp.
+ */
+errno_t
+vnode_removenamedstream(vnode_t vp, vnode_t svp, const char *name, int flags, vfs_context_t context)
+{
+ int error;
+
+ if (vp->v_mount->mnt_kern_flag & MNTK_NAMED_STREAMS)
+ error = VNOP_REMOVENAMEDSTREAM(vp, svp, name, flags, context);
+ else
+ error = default_removenamedstream(vp, name, context);
+
+ return (error);
+}
+
+#define NS_IOBUFSIZE (128 * 1024)
+
+/*
+ * Release a named stream shadow file.
+ *
+ * Note: This function is called from two places where we do not need
+ * to check if the vnode has any references held before deleting the
+ * shadow file. Once from vclean() when the vnode is being reclaimed
+ * and we do not hold any references on the vnode. Second time from
+ * default_getnamedstream() when we get an error during shadow stream
+ * file initialization so that other processes who are waiting for the
+ * shadow stream file initialization by the creator will get opportunity
+ * to create and initialize the file again.
+ */
+errno_t
+vnode_relenamedstream(vnode_t vp, vnode_t svp, vfs_context_t context)
+{
+ vnode_t dvp;
+ struct componentname cn;
+ char tmpname[80];
+ errno_t err;
+
+ cache_purge(svp);
+
+ vnode_lock(svp);
+ MAKE_SHADOW_NAME(vp, tmpname);
+ vnode_unlock(svp);
+
+ cn.cn_nameiop = DELETE;
+ cn.cn_flags = ISLASTCN;
+ cn.cn_context = context;
+ cn.cn_pnbuf = tmpname;
+ cn.cn_pnlen = sizeof(tmpname);
+ cn.cn_nameptr = cn.cn_pnbuf;
+ cn.cn_namelen = strlen(tmpname);
+
+ /* Obtain the vnode for the shadow files directory. */
+ err = get_shadow_dir(&dvp, context);
+ if (err != 0) {
+ return err;
+ }
+
+ (void) VNOP_REMOVE(dvp, svp, &cn, 0, context);
+ vnode_put(dvp);
+
+ return (0);
+}
+
+/*
+ * Flush a named stream shadow file.
+ */
+errno_t
+vnode_flushnamedstream(vnode_t vp, vnode_t svp, vfs_context_t context)
+{
+ struct vnode_attr va;
+ uio_t auio = NULL;
+ caddr_t bufptr = NULL;
+ size_t bufsize = 0;
+ size_t offset;
+ size_t iosize;
+ size_t datasize;
+ int error;
+
+ VATTR_INIT(&va);
+ VATTR_WANTED(&va, va_data_size);
+ if (VNOP_GETATTR(svp, &va, context) != 0 ||
+ !VATTR_IS_SUPPORTED(&va, va_data_size)) {
+ return (0);
+ }
+ datasize = va.va_data_size;
+ if (datasize == 0) {
+ (void) default_removexattr(vp, XATTR_RESOURCEFORK_NAME, 0, context);
+ return (0);
+ }
+
+ iosize = bufsize = MIN(datasize, NS_IOBUFSIZE);
+ if (kmem_alloc(kernel_map, (vm_offset_t *)&bufptr, bufsize)) {
+ return (ENOMEM);
+ }
+ auio = uio_create(1, 0, UIO_SYSSPACE, UIO_READ);
+ offset = 0;
+
+ /*
+ * Copy the shadow stream file data into the resource fork.
+ */
+ error = VNOP_OPEN(svp, 0, context);
+ if (error) {
+ printf("vnode_flushnamedstream: err %d opening file\n", error);
+ goto out;
+ }
+ while (offset < datasize) {
+ iosize = MIN(datasize - offset, iosize);
+
+ uio_reset(auio, offset, UIO_SYSSPACE, UIO_READ);
+ uio_addiov(auio, (uintptr_t)bufptr, iosize);
+ error = VNOP_READ(svp, auio, 0, context);
+ if (error) {
+ break;
+ }
+ /* Since there's no truncate xattr we must remove the resource fork. */
+ if (offset == 0) {
+ error = default_removexattr(vp, XATTR_RESOURCEFORK_NAME, 0, context);
+ if ((error != 0) && (error != ENOATTR)) {
+ break;
+ }
+ }
+ uio_reset(auio, offset, UIO_SYSSPACE, UIO_WRITE);
+ uio_addiov(auio, (uintptr_t)bufptr, iosize);
+ error = vn_setxattr(vp, XATTR_RESOURCEFORK_NAME, auio, XATTR_NOSECURITY, context);
+ if (error) {
+ break;
+ }
+ offset += iosize;
+ }
+ (void) VNOP_CLOSE(svp, 0, context);
+out:
+ if (bufptr) {
+ kmem_free(kernel_map, (vm_offset_t)bufptr, bufsize);
+ }
+ if (auio) {
+ uio_free(auio);
+ }
+ return (error);
+}
+
+
+static int
+getshadowfile(vnode_t vp, vnode_t *svpp, int makestream, size_t *rsrcsize,
+ int *creator, vfs_context_t context)
+{
+ vnode_t dvp = NULLVP;
+ vnode_t svp = NULLVP;
+ struct componentname cn;
+ struct vnode_attr va;
+ char tmpname[80];
+ size_t datasize = 0;
+ int error = 0;
+ int retries = 0;
+
+retry_create:
+ *creator = 0;
+ /* Establish a unique file name. */
+ MAKE_SHADOW_NAME(vp, tmpname);
+ bzero(&cn, sizeof(cn));
+ cn.cn_nameiop = LOOKUP;
+ cn.cn_flags = ISLASTCN;
+ cn.cn_context = context;
+ cn.cn_pnbuf = tmpname;
+ cn.cn_pnlen = sizeof(tmpname);
+ cn.cn_nameptr = cn.cn_pnbuf;
+ cn.cn_namelen = strlen(tmpname);
+
+ /* Pick up uid, gid, mode and date from original file. */
+ VATTR_INIT(&va);
+ VATTR_WANTED(&va, va_uid);
+ VATTR_WANTED(&va, va_gid);
+ VATTR_WANTED(&va, va_mode);
+ VATTR_WANTED(&va, va_create_time);
+ VATTR_WANTED(&va, va_modify_time);
+ if (VNOP_GETATTR(vp, &va, context) != 0 ||
+ !VATTR_IS_SUPPORTED(&va, va_uid) ||
+ !VATTR_IS_SUPPORTED(&va, va_gid) ||
+ !VATTR_IS_SUPPORTED(&va, va_mode)) {
+ va.va_uid = KAUTH_UID_NONE;
+ va.va_gid = KAUTH_GID_NONE;
+ va.va_mode = S_IRUSR | S_IWUSR;
+ }
+ va.va_vaflags = VA_EXCLUSIVE;
+ VATTR_SET(&va, va_type, VREG);
+ /* We no longer change the access, but we still hide it. */
+ VATTR_SET(&va, va_flags, UF_HIDDEN);
+
+ /* Obtain the vnode for the shadow files directory. */
+ if (get_shadow_dir(&dvp, context) != 0) {
+ error = ENOTDIR;
+ goto out;
+ }
+ if (!makestream) {
+ /* See if someone else already has it open. */
+ if (VNOP_LOOKUP(dvp, &svp, &cn, context) == 0) {
+ /* Double check existence by asking for size. */
+ VATTR_INIT(&va);
+ VATTR_WANTED(&va, va_data_size);
+ if (VNOP_GETATTR(svp, &va, context) == 0 &&
+ VATTR_IS_SUPPORTED(&va, va_data_size)) {
+ goto out; /* OK to use. */
+ }
+ }
+
+ /* Otherwise make sure the resource fork data exists. */
+ error = vn_getxattr(vp, XATTR_RESOURCEFORK_NAME, NULL, &datasize,
+ XATTR_NOSECURITY, context);
+ /*
+ * To maintain binary compatibility with legacy Carbon
+ * emulated resource fork support, if the resource fork
+ * doesn't exist but the Finder Info does, then act as
+ * if an empty resource fork is present (see 4724359).
+ */
+ if ((error == ENOATTR) &&
+ (vn_getxattr(vp, XATTR_FINDERINFO_NAME, NULL, &datasize,
+ XATTR_NOSECURITY, context) == 0)) {
+ datasize = 0;
+ error = 0;
+ } else {
+ if (error) {
+ goto out;
+ }
+
+ /* If the resource fork exists, its size is expected to be non-zero. */
+ if (datasize == 0) {
+ error = ENOATTR;
+ goto out;
+ }
+ }
+ }
+ /* Create the shadow stream file. */
+ error = VNOP_CREATE(dvp, &svp, &cn, &va, context);
+ if (error == 0) {
+ vnode_recycle(svp);
+ *creator = 1;
+ }
+ else if ((error == EEXIST) && !makestream) {
+ error = VNOP_LOOKUP(dvp, &svp, &cn, context);
+ }
+ else if ((error == ENOENT) && !makestream) {
+ /*
+ * We could have raced with a rmdir on the shadow directory
+ * post-lookup. Retry from the beginning, 1x only, to
+ * try and see if we need to re-create the shadow directory
+ * in get_shadow_dir.
+ */
+ if (retries == 0) {
+ retries++;
+ if (dvp) {
+ vnode_put (dvp);
+ dvp = NULLVP;
+ }
+ if (svp) {
+ vnode_put (svp);
+ svp = NULLVP;
+ }
+ goto retry_create;
+ }
+ /* Otherwise, just error out normally below */
+ }
+
+out:
+ if (dvp) {
+ vnode_put(dvp);
+ }
+ if (error) {
+ /* On errors, clean up shadow stream file. */
+ if (svp) {
+ vnode_put(svp);
+ svp = NULLVP;
+ }
+ }
+ *svpp = svp;
+ if (rsrcsize) {
+ *rsrcsize = datasize;
+ }
+ return (error);
+}
+
+
+static int
+default_getnamedstream(vnode_t vp, vnode_t *svpp, const char *name, enum nsoperation op, vfs_context_t context)
+{
+ vnode_t svp = NULLVP;
+ uio_t auio = NULL;
+ caddr_t bufptr = NULL;
+ size_t bufsize = 0;
+ size_t datasize = 0;
+ int creator;
+ int error;
+
+ /*
+ * Only the "com.apple.ResourceFork" stream is supported here.
+ */
+ if (bcmp(name, XATTR_RESOURCEFORK_NAME, sizeof(XATTR_RESOURCEFORK_NAME)) != 0) {
+ *svpp = NULLVP;
+ return (ENOATTR);
+ }
+retry:
+ /*
+ * Obtain a shadow file for the resource fork I/O.
+ */
+ error = getshadowfile(vp, &svp, 0, &datasize, &creator, context);
+ if (error) {
+ *svpp = NULLVP;
+ return (error);
+ }
+
+ /*
+ * The creator of the shadow file provides its file data,
+ * all other threads should wait until its ready. In order to
+ * prevent a deadlock during error codepaths, we need to check if the
+ * vnode is being created, or if it has failed out. Regardless of success or
+ * failure, we set the VISSHADOW bit on the vnode, so we check that
+ * if the vnode's flags don't have VISNAMEDSTREAM set. If it doesn't,
+ * then we can infer the creator isn't done yet. If it's there, but
+ * VISNAMEDSTREAM is not set, then we can infer it errored out and we should
+ * try again.
+ */
+ if (!creator) {
+ vnode_lock(svp);
+ if (svp->v_flag & VISNAMEDSTREAM) {
+ /* data is ready, go use it */
+ vnode_unlock(svp);
+ goto out;
+ } else {
+ /* It's not ready, wait for it (sleep using v_parent as channel) */
+ if ((svp->v_flag & VISSHADOW)) {
+ /*
+ * No VISNAMEDSTREAM, but we did see VISSHADOW, indicating that the other
+ * thread is done with this vnode. Just unlock the vnode and try again
+ */
+ vnode_unlock(svp);
+ }
+ else {
+ /* Otherwise, sleep if the shadow file is not created yet */
+ msleep((caddr_t)&svp->v_parent, &svp->v_lock, PINOD | PDROP,
+ "getnamedstream", NULL);
+ }
+ vnode_put(svp);
+ svp = NULLVP;
+ goto retry;
+ }
+ }
+
+ /*
+ * Copy the real resource fork data into shadow stream file.
+ */
+ if (op == NS_OPEN && datasize != 0) {
+ size_t offset;
+ size_t iosize;
+
+ iosize = bufsize = MIN(datasize, NS_IOBUFSIZE);
+ if (kmem_alloc(kernel_map, (vm_offset_t *)&bufptr, bufsize)) {
+ error = ENOMEM;
+ goto out;
+ }
+
+ auio = uio_create(1, 0, UIO_SYSSPACE, UIO_READ);
+ offset = 0;
+
+ error = VNOP_OPEN(svp, 0, context);
+ if (error) {
+ goto out;
+ }
+ while (offset < datasize) {
+ size_t tmpsize;
+
+ iosize = MIN(datasize - offset, iosize);
+
+ uio_reset(auio, offset, UIO_SYSSPACE, UIO_READ);
+ uio_addiov(auio, (uintptr_t)bufptr, iosize);
+ error = vn_getxattr(vp, XATTR_RESOURCEFORK_NAME, auio, &tmpsize,
+ XATTR_NOSECURITY, context);
+ if (error) {
+ break;
+ }
+
+ uio_reset(auio, offset, UIO_SYSSPACE, UIO_WRITE);
+ uio_addiov(auio, (uintptr_t)bufptr, iosize);
+ error = VNOP_WRITE(svp, auio, 0, context);
+ if (error) {
+ break;
+ }
+ offset += iosize;
+ }
+ (void) VNOP_CLOSE(svp, 0, context);
+ }
+out:
+ /* Wake up anyone waiting for svp file content */
+ if (creator) {
+ if (error == 0) {
+ vnode_lock(svp);
+ /* VISSHADOW would be set later on anyway, so we set it now */
+ svp->v_flag |= (VISNAMEDSTREAM | VISSHADOW);
+ wakeup((caddr_t)&svp->v_parent);
+ vnode_unlock(svp);
+ } else {
+ /* On post create errors, get rid of the shadow file. This
+ * way if there is another process waiting for initialization
+ * of the shadowfile by the current process will wake up and
+ * retry by creating and initializing the shadow file again.
+ * Also add the VISSHADOW bit here to indicate we're done operating
+ * on this vnode.
+ */
+ (void)vnode_relenamedstream(vp, svp, context);
+ vnode_lock (svp);
+ svp->v_flag |= VISSHADOW;
+ wakeup((caddr_t)&svp->v_parent);
+ vnode_unlock(svp);
+ }
+ }
+
+ if (bufptr) {
+ kmem_free(kernel_map, (vm_offset_t)bufptr, bufsize);
+ }
+ if (auio) {
+ uio_free(auio);
+ }
+ if (error) {
+ /* On errors, clean up shadow stream file. */
+ if (svp) {
+ vnode_put(svp);
+ svp = NULLVP;
+ }
+ }
+ *svpp = svp;
+ return (error);
+}
+
+static int
+default_makenamedstream(vnode_t vp, vnode_t *svpp, const char *name, vfs_context_t context)
+{
+ int creator;
+ int error;
+
+ /*
+ * Only the "com.apple.ResourceFork" stream is supported here.
+ */
+ if (bcmp(name, XATTR_RESOURCEFORK_NAME, sizeof(XATTR_RESOURCEFORK_NAME)) != 0) {
+ *svpp = NULLVP;
+ return (ENOATTR);
+ }
+ error = getshadowfile(vp, svpp, 1, NULL, &creator, context);
+
+ /*
+ * Wake up any waiters over in default_getnamedstream().
+ */
+ if ((error == 0) && (*svpp != NULL) && creator) {
+ vnode_t svp = *svpp;
+
+ vnode_lock(svp);
+ /* If we're the creator, mark it as a named stream */
+ svp->v_flag |= (VISNAMEDSTREAM | VISSHADOW);
+ /* Wakeup any waiters on the v_parent channel */
+ wakeup((caddr_t)&svp->v_parent);
+ vnode_unlock(svp);
+
+ }
+
return (error);
}
-int
-xattr_validatename(const char *name)
+static int
+default_removenamedstream(vnode_t vp, const char *name, vfs_context_t context)
{
- int namelen;
+ /*
+ * Only the "com.apple.ResourceFork" stream is supported here.
+ */
+ if (bcmp(name, XATTR_RESOURCEFORK_NAME, sizeof(XATTR_RESOURCEFORK_NAME)) != 0) {
+ return (ENOATTR);
+ }
+ /*
+ * XXX - what about other opened instances?
+ */
+ return default_removexattr(vp, XATTR_RESOURCEFORK_NAME, 0, context);
+}
- if (name == NULL || name[0] == '\0') {
- return (EINVAL);
+static int
+get_shadow_dir(vnode_t *sdvpp, vfs_context_t context)
+{
+ vnode_t dvp = NULLVP;
+ vnode_t sdvp = NULLVP;
+ struct componentname cn;
+ struct vnode_attr va;
+ char tmpname[80];
+ uint32_t tmp_fsid;
+ int error;
+
+
+ bzero(tmpname, sizeof(tmpname));
+ snprintf(tmpname, sizeof(tmpname), "/var/run/.vfs_rsrc_streams_%p%x",
+ (void*)rootvnode, shadow_sequence);
+ /*
+ * Look up the shadow directory to ensure that it still exists.
+ * By looking it up, we get an iocounted dvp to use, and avoid some coherency issues
+ * in caching it when multiple threads may be trying to manipulate the pointers.
+ */
+ error = vnode_lookup(tmpname, 0, &sdvp, context);
+ if (error == 0) {
+ /*
+ * If we get here, then we have successfully looked up the shadow dir,
+ * and it has an iocount from the lookup. Return the vp in the output argument.
+ */
+ *sdvpp = sdvp;
+ return (0);
}
- namelen = strnlen(name, XATTR_MAXNAMELEN);
- if (name[namelen] != '\0')
- return (ENAMETOOLONG);
+ /* In the failure case, no iocount is acquired */
+ sdvp = NULLVP;
+ bzero (tmpname, sizeof(tmpname));
- if (utf8_validatestr(name, namelen) != 0)
- return (EINVAL);
+ /* Obtain the vnode for "/var/run" directory. */
+ if (vnode_lookup("/var/run", 0, &dvp, context) != 0) {
+ error = ENOTSUP;
+ goto out;
+ }
+
+ /* Create the shadow stream directory. */
+ snprintf(tmpname, sizeof(tmpname), ".vfs_rsrc_streams_%p%x",
+ (void*)rootvnode, shadow_sequence);
+ bzero(&cn, sizeof(cn));
+ cn.cn_nameiop = LOOKUP;
+ cn.cn_flags = ISLASTCN;
+ cn.cn_context = context;
+ cn.cn_pnbuf = tmpname;
+ cn.cn_pnlen = sizeof(tmpname);
+ cn.cn_nameptr = cn.cn_pnbuf;
+ cn.cn_namelen = strlen(tmpname);
+
+ /*
+ * owned by root, only readable by root, hidden
+ */
+ VATTR_INIT(&va);
+ VATTR_SET(&va, va_uid, 0);
+ VATTR_SET(&va, va_gid, 0);
+ VATTR_SET(&va, va_mode, S_IRUSR | S_IXUSR);
+ VATTR_SET(&va, va_type, VDIR);
+ VATTR_SET(&va, va_flags, UF_HIDDEN);
+ va.va_vaflags = VA_EXCLUSIVE;
+
+ error = VNOP_MKDIR(dvp, &sdvp, &cn, &va, context);
- return (0);
-}
+ /*
+ * There can be only one winner for an exclusive create.
+ */
+ if (error == EEXIST) {
+ /* loser has to look up directory */
+ error = VNOP_LOOKUP(dvp, &sdvp, &cn, context);
+ if (error == 0) {
+ /* Make sure its in fact a directory */
+ if (sdvp->v_type != VDIR) {
+ goto baddir;
+ }
+ /* Obtain the fsid for /tmp directory */
+ VATTR_INIT(&va);
+ VATTR_WANTED(&va, va_fsid);
+ if (VNOP_GETATTR(dvp, &va, context) != 0 ||
+ !VATTR_IS_SUPPORTED(&va, va_fsid)) {
+ goto baddir;
+ }
+ tmp_fsid = va.va_fsid;
+ VATTR_INIT(&va);
+ VATTR_WANTED(&va, va_uid);
+ VATTR_WANTED(&va, va_gid);
+ VATTR_WANTED(&va, va_mode);
+ VATTR_WANTED(&va, va_fsid);
+ VATTR_WANTED(&va, va_dirlinkcount);
+ VATTR_WANTED(&va, va_acl);
+ /* Provide defaults for attrs that may not be supported */
+ va.va_dirlinkcount = 1;
+ va.va_acl = (kauth_acl_t) KAUTH_FILESEC_NONE;
+
+ if (VNOP_GETATTR(sdvp, &va, context) != 0 ||
+ !VATTR_IS_SUPPORTED(&va, va_uid) ||
+ !VATTR_IS_SUPPORTED(&va, va_gid) ||
+ !VATTR_IS_SUPPORTED(&va, va_mode) ||
+ !VATTR_IS_SUPPORTED(&va, va_fsid)) {
+ goto baddir;
+ }
+ /*
+ * Make sure its what we want:
+ * - owned by root
+ * - not writable by anyone
+ * - on same file system as /tmp
+ * - not a hard-linked directory
+ * - no ACLs (they might grant write access)
+ */
+ if ((va.va_uid != 0) || (va.va_gid != 0) ||
+ (va.va_mode & (S_IWUSR | S_IRWXG | S_IRWXO)) ||
+ (va.va_fsid != tmp_fsid) ||
+ (va.va_dirlinkcount != 1) ||
+ (va.va_acl != (kauth_acl_t) KAUTH_FILESEC_NONE)) {
+ goto baddir;
+ }
+ }
+ }
+out:
+ if (dvp) {
+ vnode_put(dvp);
+ }
+ if (error) {
+ /* On errors, clean up shadow stream directory. */
+ if (sdvp) {
+ vnode_put(sdvp);
+ sdvp = NULLVP;
+ }
+ }
+ *sdvpp = sdvp;
+ return (error);
-/*
- * Determine whether an EA is a protected system attribute.
- */
-int
-xattr_protected(const char *attrname)
-{
- return(!strncmp(attrname, "com.apple.system.", 17));
+baddir:
+ /* This is not the dir we're looking for, move along */
+ ++shadow_sequence; /* try something else next time */
+ error = ENOTDIR;
+ goto out;
}
+#endif
+
/*
#define ATTR_BUF_SIZE 4096 /* default size of the attr file and how much we'll grow by */
/* Implementation Limits */
-#define ATTR_MAX_SIZE (128*1024) /* 128K maximum attribute data size */
+#define ATTR_MAX_SIZE AD_XATTR_MAXSIZE
#define ATTR_MAX_HDR_SIZE 65536
/*
* Note: ATTR_MAX_HDR_SIZE is the largest attribute header
*/
-#pragma options align=mac68k
-
#define FINDERINFOSIZE 32
typedef struct apple_double_entry {
u_int32_t type; /* entry type: see list, 0 invalid */
u_int32_t offset; /* entry data offset from the beginning of the file. */
u_int32_t length; /* entry data length in bytes. */
-} apple_double_entry_t;
+} __attribute__((aligned(2), packed)) apple_double_entry_t;
typedef struct apple_double_header {
apple_double_entry_t entries[2]; /* 'finfo' & 'rsrc' always exist */
u_int8_t finfo[FINDERINFOSIZE]; /* Must start with Finder Info (32 bytes) */
u_int8_t pad[2]; /* get better alignment inside attr_header */
-} apple_double_header_t;
+} __attribute__((aligned(2), packed)) apple_double_header_t;
#define ADHDRSIZE (4+4+16+2)
u_int16_t flags;
u_int8_t namelen;
u_int8_t name[1]; /* NULL-terminated UTF-8 name (up to 128 bytes max) */
-} attr_entry_t;
+} __attribute__((aligned(2), packed)) attr_entry_t;
-/* Header + entries must fit into 64K. Data may extend beyond 64k. */
+/* Header + entries must fit into 64K. Data may extend beyond 64K. */
typedef struct attr_header {
apple_double_header_t appledouble;
u_int32_t magic; /* == ATTR_HDR_MAGIC */
u_int32_t reserved[3];
u_int16_t flags;
u_int16_t num_attrs;
-} attr_header_t;
+} __attribute__((aligned(2), packed)) attr_header_t;
/* Empty Resource Fork Header */
u_int16_t mh_Types;
u_int16_t mh_Names;
u_int16_t typeCount;
-} rsrcfork_header_t;
+} __attribute__((aligned(2), packed)) rsrcfork_header_t;
#define RF_FIRST_RESOURCE 256
#define RF_NULL_MAP_LENGTH 30
#define RF_EMPTY_TAG "This resource fork intentionally left blank "
-#pragma options align=reset
-
/* Runtime information about the attribute file. */
typedef struct attr_info {
vfs_context_t context;
size_t filesize;
size_t iosize;
u_int8_t *rawdata;
- size_t rawsize; /* minimum of filesize or ATTR_MAX_HDR_SIZE */
+ size_t rawsize; /* minimum of filesize or ATTR_MAX_HDR_SIZE */
apple_double_header_t *filehdr;
apple_double_entry_t *finderinfo;
apple_double_entry_t *rsrcfork;
#else
#define swap_adhdr(x)
-#define swap_attrhdr(x,y)
+#define swap_attrhdr(x, y)
#endif
-static int validate_attrhdr(attr_header_t *ah, size_t bufsize);
static int check_and_swap_attrhdr(attr_header_t *ah, attr_info_t* ainfop);
static int shift_data_down(vnode_t xvp, off_t start, size_t len, off_t delta, vfs_context_t context);
static int shift_data_up(vnode_t xvp, off_t start, size_t len, off_t delta, vfs_context_t context);
+
+
/*
* Sanity check and swap the header of an AppleDouble file. Assumes the buffer
* is in big endian (as it would exist on disk). Verifies the following:
* NOTE: Does not attempt to validate the extended attributes header that
* may be embedded in the Finder Info entry.
*/
-
static int check_and_swap_apple_double_header(attr_info_t *ainfop)
{
int i, j;
u_int32_t entry_end;
size_t rawsize;
apple_double_header_t *header;
-
+
rawsize = ainfop->rawsize;
header = (apple_double_header_t *) ainfop->rawdata;
-
+
/* Is the file big enough to contain an AppleDouble header? */
if (rawsize < offsetof(apple_double_header_t, entries))
return ENOATTR;
-
+
/* Swap the AppleDouble header fields to native order */
header->magic = SWAP32(header->magic);
header->version = SWAP32(header->version);
header->numEntries = SWAP16(header->numEntries);
-
+
/* Sanity check the AppleDouble header fields */
if (header->magic != ADH_MAGIC ||
- header->version != ADH_VERSION ||
- header->numEntries < 1 ||
- header->numEntries > 15) {
+ header->version != ADH_VERSION ||
+ header->numEntries < 1 ||
+ header->numEntries > 15) {
return ENOATTR;
}
-
+
/* Calculate where the entries[] array ends */
header_end = offsetof(apple_double_header_t, entries) +
header->numEntries * sizeof(apple_double_entry_t);
-
+
/* Is the file big enough to contain the AppleDouble entries? */
if (rawsize < header_end) {
- return ENOATTR;
+ return ENOATTR;
}
-
+
/* Swap and sanity check each AppleDouble entry */
for (i=0; i<header->numEntries; i++) {
/* Swap the per-entry fields to native order */
header->entries[i].type = SWAP32(header->entries[i].type);
header->entries[i].offset = SWAP32(header->entries[i].offset);
header->entries[i].length = SWAP32(header->entries[i].length);
-
+
entry_end = header->entries[i].offset + header->entries[i].length;
-
+
/*
* Does the entry's content start within the header itself,
* did the addition overflow, or does the entry's content
* extend past the end of the file?
*/
if (header->entries[i].offset < header_end ||
- entry_end < header->entries[i].offset ||
- entry_end > ainfop->filesize) {
+ entry_end < header->entries[i].offset ||
+ entry_end > ainfop->filesize) {
return ENOATTR;
}
-
+
/*
* Does the current entry's content overlap with a previous
* entry's content?
* But we have already ensured N < 16, and N is almost always 2.
* So there's no point in using a more complex algorithm.
*/
-
+
for (j=0; j<i; j++) {
if (entry_end > header->entries[j].offset &&
- header->entries[j].offset + header->entries[j].length > header->entries[i].offset) {
+ header->entries[j].offset + header->entries[j].length > header->entries[i].offset) {
return ENOATTR;
}
}
}
-
+
return 0;
}
+
+
/*
* Retrieve the data of an extended attribute.
*/
-static int
+int
default_getxattr(vnode_t vp, const char *name, uio_t uio, size_t *size,
__unused int options, vfs_context_t context)
{
* Search for attribute name in the header.
*/
for (i = 0; i < header->num_attrs && ATTR_VALID(entry, ainfo); i++) {
- if (strncmp(entry->name, name, namelen) == 0) {
+ if (strncmp((const char *)entry->name, name, namelen) == 0) {
datalen = (size_t)entry->length;
if (uio == NULL) {
*size = datalen;
error = 0;
break;
}
- if (uio_resid(uio) < datalen) {
+ if (uio_resid(uio) < (user_ssize_t)datalen) {
error = ERANGE;
break;
}
/*
* Set the data of an extended attribute.
*/
-static int
+int
default_setxattr(vnode_t vp, const char *name, uio_t uio, int options, vfs_context_t context)
{
vnode_t xvp = NULL;
int splitdata;
int fileflags;
int error;
-
+ char finfo[FINDERINFOSIZE];
+
datalen = uio_resid(uio);
namelen = strlen(name) + 1;
entrylen = ATTR_ENTRY_LENGTH(namelen);
- if (datalen > ATTR_MAX_SIZE) {
- return (E2BIG); /* EINVAL instead ? */
+ /*
+ * By convention, Finder Info that is all zeroes is equivalent to not
+ * having a Finder Info EA. So if we're trying to set the Finder Info
+ * to all zeroes, then delete it instead. If a file didn't have an
+ * AppleDouble file before, this prevents creating an AppleDouble file
+ * with no useful content.
+ *
+ * If neither XATTR_CREATE nor XATTR_REPLACE were specified, we check
+ * for all zeroes Finder Info before opening the AppleDouble file.
+ * But if either of those options were specified, we need to open the
+ * AppleDouble file to see whether there was already Finder Info (so we
+ * can return an error if needed); this case is handled further below.
+ *
+ * NOTE: this copies the Finder Info data into the "finfo" local.
+ */
+ if (bcmp(name, XATTR_FINDERINFO_NAME, sizeof(XATTR_FINDERINFO_NAME)) == 0) {
+ /*
+ * TODO: check the XATTR_CREATE and XATTR_REPLACE flags.
+ * That means we probably have to open_xattrfile and get_xattrinfo.
+ */
+ if (uio_offset(uio) != 0 || datalen != FINDERINFOSIZE) {
+ return EINVAL;
+ }
+ error = uiomove(finfo, datalen, uio);
+ if (error)
+ return error;
+ if ((options & (XATTR_CREATE|XATTR_REPLACE)) == 0 &&
+ bcmp(finfo, emptyfinfo, FINDERINFOSIZE) == 0) {
+ error = default_removexattr(vp, name, 0, context);
+ if (error == ENOATTR)
+ error = 0;
+ return error;
+ }
}
+
start:
/*
* Open the file locked since setting an attribute
goto out;
}
}
- if (uio_offset(uio) != 0 || datalen != FINDERINFOSIZE) {
- error = EINVAL;
- goto out;
+ if (options != 0 && bcmp(finfo, emptyfinfo, FINDERINFOSIZE) == 0) {
+ /*
+ * Setting the Finder Info to all zeroes is equivalent to
+ * removing it. Close the xattr file and let
+ * default_removexattr do the work (including deleting
+ * the xattr file if there are no other xattrs).
+ *
+ * Note that we have to handle the case where the
+ * Finder Info was already all zeroes, and we ignore
+ * ENOATTR.
+ *
+ * The common case where options == 0 was handled above.
+ */
+ rel_xattrinfo(&ainfo);
+ close_xattrfile(xvp, fileflags, context);
+ error = default_removexattr(vp, name, 0, context);
+ if (error == ENOATTR)
+ error = 0;
+ return error;
}
if (ainfo.finderinfo) {
attrdata = (u_int8_t *)ainfo.filehdr + ainfo.finderinfo->offset;
- error = uiomove((caddr_t)attrdata, datalen, uio);
- if (error)
- goto out;
+ bcopy(finfo, attrdata, datalen);
ainfo.iosize = sizeof(attr_header_t);
error = write_xattrinfo(&ainfo);
goto out;
goto out;
}
+ if (datalen > ATTR_MAX_SIZE) {
+ return (E2BIG); /* EINVAL instead ? */
+ }
+
if (ainfo.attrhdr == NULL) {
error = ENOATTR;
goto out;
* See if attribute already exists.
*/
for (i = 0; i < header->num_attrs && ATTR_VALID(entry, ainfo); i++) {
- if (strncmp(entry->name, name, namelen) == 0) {
+ if (strncmp((const char *)entry->name, name, namelen) == 0) {
found = 1;
break;
}
close_xattrfile(xvp, fileflags, context);
error = default_removexattr(vp, name, options, context);
if (error) {
- goto out;
+ return (error);
}
+ /* Clear XATTR_REPLACE option since we just removed the attribute. */
+ options &= ~XATTR_REPLACE;
goto start; /* start over */
}
(void) vnode_setattr(vp, &va, context);
}
}
+
+ post_event_if_success(vp, error, NOTE_ATTRIB);
+
return (error);
}
/*
* Remove an extended attribute.
*/
-static int
+int
default_removexattr(vnode_t vp, const char *name, __unused int options, vfs_context_t context)
{
vnode_t xvp = NULL;
* See if this attribute exists.
*/
for (i = 0; i < header->num_attrs && ATTR_VALID(entry, ainfo); i++) {
- if (strncmp(entry->name, name, namelen) == 0) {
+ if (strncmp((const char *)entry->name, name, namelen) == 0) {
found = 1;
if ((i+1) == header->num_attrs)
lastone = 1;
(void) vnode_setattr(vp, &va, context);
}
}
+
+ post_event_if_success(vp, error, NOTE_ATTRIB);
+
return (error);
}
return (error);
}
if ((error = get_xattrinfo(xvp, 0, &ainfo, context))) {
+ if (error == ENOATTR)
+ error = 0;
close_xattrfile(xvp, FREAD, context);
return (error);
}
if (ainfo.finderinfo && !ainfo.emptyfinderinfo) {
if (uio == NULL) {
*size += sizeof(XATTR_FINDERINFO_NAME);
- } else if (uio_resid(uio) < sizeof(XATTR_FINDERINFO_NAME)) {
+ } else if (uio_resid(uio) < (user_ssize_t)sizeof(XATTR_FINDERINFO_NAME)) {
error = ERANGE;
goto out;
} else {
- error = uiomove((caddr_t)XATTR_FINDERINFO_NAME,
+ error = uiomove(XATTR_FINDERINFO_NAME,
sizeof(XATTR_FINDERINFO_NAME), uio);
if (error) {
error = ERANGE;
if (vnode_isreg(vp) && ainfo.rsrcfork) {
if (uio == NULL) {
*size += sizeof(XATTR_RESOURCEFORK_NAME);
- } else if (uio_resid(uio) < sizeof(XATTR_RESOURCEFORK_NAME)) {
+ } else if (uio_resid(uio) < (user_ssize_t)sizeof(XATTR_RESOURCEFORK_NAME)) {
error = ERANGE;
goto out;
} else {
- error = uiomove((caddr_t)XATTR_RESOURCEFORK_NAME,
+ error = uiomove(XATTR_RESOURCEFORK_NAME,
sizeof(XATTR_RESOURCEFORK_NAME), uio);
if (error) {
error = ERANGE;
if (ainfo.attrhdr) {
count = ainfo.attrhdr->num_attrs;
for (i = 0, entry = ainfo.attr_entry; i < count && ATTR_VALID(entry, ainfo); i++) {
- if (xattr_protected(entry->name) ||
- xattr_validatename(entry->name) != 0) {
+ if (xattr_protected((const char *)entry->name) ||
+ xattr_validatename((const char *)entry->name) != 0) {
entry = ATTR_NEXT(entry);
continue;
}
return (error);
}
+/*
+ * Check the header of a ._ file to verify that it is in fact an Apple Double
+ * file. Returns 0 if the header is valid, non-zero if invalid.
+ */
+int check_appledouble_header(vnode_t vp, vfs_context_t ctx)
+{
+ int error = 0;
+ attr_info_t ainfo;
+ struct vnode_attr va;
+ uio_t auio = NULL;
+ void *buffer = NULL;
+ int iosize;
+
+ ainfo.filevp = vp;
+ ainfo.context = ctx;
+ VATTR_INIT(&va);
+ VATTR_WANTED(&va, va_data_size);
+ if ((error = vnode_getattr(vp, &va, ctx))) {
+ goto out;
+ }
+ ainfo.filesize = va.va_data_size;
+
+ iosize = MIN(ATTR_MAX_HDR_SIZE, ainfo.filesize);
+ if (iosize == 0) {
+ error = ENOATTR;
+ goto out;
+ }
+ ainfo.iosize = iosize;
+
+ MALLOC(buffer, void *, iosize, M_TEMP, M_WAITOK);
+ if (buffer == NULL) {
+ error = ENOMEM;
+ goto out;
+ }
+
+ auio = uio_create(1, 0, UIO_SYSSPACE, UIO_READ);
+ uio_addiov(auio, (uintptr_t)buffer, iosize);
+
+ /* Read the header */
+ error = VNOP_READ(vp, auio, 0, ctx);
+ if (error) {
+ goto out;
+ }
+ ainfo.rawsize = iosize - uio_resid(auio);
+ ainfo.rawdata = (u_int8_t *)buffer;
+
+ error = check_and_swap_apple_double_header(&ainfo);
+ if (error) {
+ goto out;
+ }
+
+ /* If we made it here, then the header is ok */
+
+out:
+ if (auio) {
+ uio_free(auio);
+ }
+ if (buffer) {
+ FREE(buffer, M_TEMP);
+ }
+
+ return error;
+}
+
static int
open_xattrfile(vnode_t vp, int fileflags, vnode_t *xvpp, vfs_context_t context)
{
struct nameidata nd;
char smallname[64];
char *filename = NULL;
- char *basename = NULL;
+ const char *basename = NULL;
size_t len;
errno_t error;
int opened = 0;
* For the root directory use "._." to hold the attributes.
*/
filename = &smallname[0];
- sprintf(filename, "%s%s", ATTR_FILE_PREFIX, ".");
+ snprintf(filename, sizeof(smallname), "%s%s", ATTR_FILE_PREFIX, ".");
dvp = vp; /* the "._." file resides in the root dir */
goto lookup;
}
* file security from the EA must always get access
*/
lookup:
- NDINIT(&nd, LOOKUP, LOCKLEAF | NOFOLLOW | USEDVP | DONOTAUTH, UIO_SYSSPACE,
- CAST_USER_ADDR_T(filename), context);
+ NDINIT(&nd, LOOKUP, OP_OPEN, LOCKLEAF | NOFOLLOW | USEDVP | DONOTAUTH,
+ UIO_SYSSPACE, CAST_USER_ADDR_T(filename), context);
nd.ni_dvp = dvp;
if (fileflags & O_CREAT) {
nd.ni_cnd.cn_nameiop = CREATE;
+#if CONFIG_TRIGGERS
+ nd.ni_op = OP_LINK;
+#endif
if (dvp != vp) {
nd.ni_cnd.cn_flags |= LOCKPARENT;
}
if (gid != KAUTH_GID_NONE)
VATTR_SET(&va, va_gid, gid);
- error = vn_create(dvp, &nd.ni_vp, &nd.ni_cnd, &va,
- VN_CREATE_NOAUTH | VN_CREATE_NOINHERIT,
+ error = vn_create(dvp, &nd.ni_vp, &nd, &va,
+ VN_CREATE_NOAUTH | VN_CREATE_NOINHERIT | VN_CREATE_NOLABEL,
+ 0, NULL,
context);
- if (error == 0)
- xvp = nd.ni_vp;
+ if (error)
+ error = ENOATTR;
+ else
+ xvp = nd.ni_vp;
}
nameidone(&nd);
if (dvp != vp) {
if (error)
goto out;
} else {
- if ((error = namei(&nd))) {
- nd.ni_dvp = NULLVP;
+ if ((error = namei(&nd))) {
+ nd.ni_dvp = NULLVP;
error = ENOATTR;
- goto out;
+ goto out;
}
xvp = nd.ni_vp;
nameidone(&nd);
}
}
- if ( (error = VNOP_OPEN(xvp, fileflags, context))) {
+ if ( (error = VNOP_OPEN(xvp, fileflags & ~(O_EXLOCK | O_SHLOCK), context))) {
error = ENOATTR;
goto out;
}
locktype = (fileflags & O_EXLOCK) ? F_WRLCK : F_RDLCK;
error = lock_xattrfile(xvp, locktype, context);
+ if (error)
+ error = ENOATTR;
}
out:
if (dvp && (dvp != vp)) {
{
vnode_t dvp;
struct nameidata nd;
- char *path;
+ char *path = NULL;
int pathlen;
int error = 0;
- path = get_pathbuff();
+ MALLOC_ZONE(path, char *, MAXPATHLEN, M_NAMEI, M_WAITOK);
+ if (path == NULL)
+ return ENOMEM;
+
pathlen = MAXPATHLEN;
- vn_getpath(xvp, path, &pathlen);
+ error = vn_getpath(xvp, path, &pathlen);
+ if (error) {
+ FREE_ZONE(path, MAXPATHLEN, M_NAMEI);
+ return (error);
+ }
- NDINIT(&nd, DELETE, LOCKPARENT | NOFOLLOW | DONOTAUTH,
+ NDINIT(&nd, DELETE, OP_UNLINK, LOCKPARENT | NOFOLLOW | DONOTAUTH,
UIO_SYSSPACE, CAST_USER_ADDR_T(path), context);
error = namei(&nd);
- release_pathbuff(path);
+ FREE_ZONE(path, MAXPATHLEN, M_NAMEI);
if (error) {
return (error);
}
return (error);
}
+
/*
* Read in and parse the AppleDouble header and entries, and the extended
* attribute header and entries if any. Populates the fields of ainfop
goto bail;
}
- auio = uio_create(1, 0, UIO_SYSSPACE32, UIO_READ);
+ auio = uio_create(1, 0, UIO_SYSSPACE, UIO_READ);
uio_addiov(auio, (uintptr_t)buffer, iosize);
/* Read the file header. */
}
ainfop->rawsize = iosize - uio_resid(auio);
ainfop->rawdata = (u_int8_t *)buffer;
-
+
filehdr = (apple_double_header_t *)buffer;
error = check_and_swap_apple_double_header(ainfop);
if (error)
goto bail;
-
+
ainfop->filehdr = filehdr; /* valid AppleDouble header */
/* rel_xattrinfo is responsible for freeing the header buffer */
/* Find the Finder Info and Resource Fork entries, if any */
for (i = 0; i < filehdr->numEntries; ++i) {
if (filehdr->entries[i].type == AD_FINDERINFO &&
- filehdr->entries[i].length >= FINDERINFOSIZE) {
+ filehdr->entries[i].length >= FINDERINFOSIZE) {
/* We found the Finder Info entry. */
ainfop->finderinfo = &filehdr->entries[i];
-
+
/*
* Is the Finder Info "empty" (all zeroes)? If so,
* we'll pretend like the Finder Info extended attribute
* Finder Info is non-empty.
*/
if (ainfop->finderinfo->offset + FINDERINFOSIZE <= ainfop->rawsize &&
- bcmp((u_int8_t*)ainfop->filehdr + ainfop->finderinfo->offset, emptyfinfo, sizeof(emptyfinfo)) == 0) {
+ bcmp((u_int8_t*)ainfop->filehdr + ainfop->finderinfo->offset, emptyfinfo, sizeof(emptyfinfo)) == 0) {
ainfop->emptyfinderinfo = 1;
}
-
}
-
if (filehdr->entries[i].type == AD_RESOURCE) {
/*
* Ignore zero-length resource forks when getting. If setting,
*/
if (filehdr->entries[i].length == 0 && !setting)
continue;
-
+
/*
* Check to see if any "empty" resource fork is ours (i.e. is ignorable).
*
u_int8_t systemData[64];
int rf_err;
+
/* Read the system data which starts at byte 16 */
- rf_uio = uio_create(1, 0, UIO_SYSSPACE32, UIO_READ);
+ rf_uio = uio_create(1, 0, UIO_SYSSPACE, UIO_READ);
uio_addiov(rf_uio, (uintptr_t)systemData, sizeof(systemData));
uio_setoffset(rf_uio, filehdr->entries[i].offset + 16);
rf_err = VNOP_READ(xvp, rf_uio, 0, context);
uio_free(rf_uio);
if (rf_err != 0 ||
- bcmp(systemData, RF_EMPTY_TAG, sizeof(RF_EMPTY_TAG)) == 0) {
+ bcmp(systemData, RF_EMPTY_TAG, sizeof(RF_EMPTY_TAG)) == 0) {
continue; /* skip this resource fork */
}
}
continue;
}
}
-
+
/*
* See if this file looks like it is laid out correctly to contain
* extended attributes. If so, then do the following:
* (if any).
*/
if (filehdr->numEntries == 2 &&
- ainfop->finderinfo == &filehdr->entries[0] &&
- ainfop->rsrcfork == &filehdr->entries[1] &&
- ainfop->finderinfo->offset == offsetof(apple_double_header_t, finfo)) {
+ ainfop->finderinfo == &filehdr->entries[0] &&
+ ainfop->rsrcfork == &filehdr->entries[1] &&
+ ainfop->finderinfo->offset == offsetof(apple_double_header_t, finfo)) {
attr_header_t *attrhdr;
attrhdr = (attr_header_t *)filehdr;
/*
if (setting && ainfop->finderinfo->length == FINDERINFOSIZE) {
size_t delta;
size_t writesize;
-
+
delta = ATTR_BUF_SIZE - (filehdr->entries[0].offset + FINDERINFOSIZE);
if (ainfop->rsrcfork && filehdr->entries[1].length) {
/* Make some room before existing resource fork. */
} else {
/* Create a new, empty resource fork. */
rsrcfork_header_t *rsrcforkhdr;
-
+
vnode_setsize(xvp, filehdr->entries[1].offset + delta, 0, context);
-
+
/* Steal some space for an empty RF header. */
delta -= sizeof(rsrcfork_header_t);
-
+
bzero(&attrhdr->appledouble.pad[0], delta);
rsrcforkhdr = (rsrcfork_header_t *)((char *)filehdr + filehdr->entries[1].offset + delta);
-
+
/* Fill in Empty Resource Fork Header. */
init_empty_resource_fork(rsrcforkhdr);
-
+
filehdr->entries[1].length = sizeof(rsrcfork_header_t);
writesize = ATTR_BUF_SIZE;
}
filehdr->entries[0].length += delta;
filehdr->entries[1].offset += delta;
-
+
/* Fill in Attribute Header. */
attrhdr->magic = ATTR_HDR_MAGIC;
attrhdr->debug_tag = (u_int32_t)va.va_fileid;
attrhdr->reserved[2] = 0;
attrhdr->flags = 0;
attrhdr->num_attrs = 0;
-
+
/* Push out new header */
- uio_reset(auio, 0, UIO_SYSSPACE32, UIO_WRITE);
+ uio_reset(auio, 0, UIO_SYSSPACE, UIO_WRITE);
uio_addiov(auio, (uintptr_t)filehdr, writesize);
-
+
swap_adhdr(filehdr); /* to big endian */
swap_attrhdr(attrhdr, ainfop); /* to big endian */
error = VNOP_WRITE(xvp, auio, 0, context);
/* The attribute header gets swapped below. */
}
}
-
/*
* Swap and sanity check the extended attribute header and
* entries (if any). The Finder Info content must be big enough
* header was found.
*/
if (ainfop->finderinfo &&
- ainfop->finderinfo == &filehdr->entries[0] &&
- ainfop->finderinfo->length >= (sizeof(attr_header_t) - sizeof(apple_double_header_t))) {
+ ainfop->finderinfo == &filehdr->entries[0] &&
+ ainfop->finderinfo->length >= (sizeof(attr_header_t) - sizeof(apple_double_header_t))) {
attr_header_t *attrhdr = (attr_header_t*)filehdr;
+
if ((error = check_and_swap_attrhdr(attrhdr, ainfop)) == 0) {
ainfop->attrhdr = attrhdr; /* valid attribute header */
/* First attr_entry starts immediately following attribute header */
bzero(buffer, ATTR_BUF_SIZE);
xah = (attr_header_t *)buffer;
- auio = uio_create(1, 0, UIO_SYSSPACE32, UIO_WRITE);
+ auio = uio_create(1, 0, UIO_SYSSPACE, UIO_WRITE);
uio_addiov(auio, (uintptr_t)buffer, ATTR_BUF_SIZE);
rsrcforksize = sizeof(rsrcfork_header_t);
rsrcforkhdr = (rsrcfork_header_t *) ((char *)buffer + ATTR_BUF_SIZE - rsrcforksize);
uio_t auio;
int error;
- auio = uio_create(1, 0, UIO_SYSSPACE32, UIO_WRITE);
+ auio = uio_create(1, 0, UIO_SYSSPACE, UIO_WRITE);
uio_addiov(auio, (uintptr_t)ainfop->filehdr, ainfop->iosize);
swap_adhdr(ainfop->filehdr);
- if (ainfop->attrhdr != NULL)
- swap_attrhdr(ainfop->attrhdr, ainfop);
+ if (ainfop->attrhdr != NULL) {
+ swap_attrhdr(ainfop->attrhdr, ainfop);
+ }
error = VNOP_WRITE(ainfop->filevp, auio, 0, ainfop->context);
swap_adhdr(ainfop->filehdr);
- if (ainfop->attrhdr != NULL)
- swap_attrhdr(ainfop->attrhdr, ainfop);
+ if (ainfop->attrhdr != NULL) {
+ swap_attrhdr(ainfop->attrhdr, ainfop);
+ }
+ uio_free(auio);
- uio_free(auio);
return (error);
}
* enough to contain the attr_header structure itself. Therefore, we can
* swap the header fields before sanity checking them.
*/
- static int
+static int
check_and_swap_attrhdr(attr_header_t *ah, attr_info_t *ainfop)
{
attr_entry_t *ae;
if (SWAP32(ah->magic) != ATTR_HDR_MAGIC)
return EINVAL;
-
+
/* Swap the basic header fields */
ah->magic = SWAP32(ah->magic);
ah->debug_tag = SWAP32 (ah->debug_tag);
*/
end = ah->data_start + ah->data_length;
if (ah->total_size > ainfop->finderinfo->offset + ainfop->finderinfo->length ||
- end < ah->data_start ||
- end > ah->total_size) {
+ end < ah->data_start ||
+ end > ah->total_size) {
return EINVAL;
}
-
+
/*
* Make sure each of the attr_entry_t's fits within total_size.
*/
buf_end = ainfop->rawdata + ah->total_size;
count = ah->num_attrs;
ae = (attr_entry_t *)(&ah[1]);
-
+
for (i=0; i<count; i++) {
/* Make sure the fixed-size part of this attr_entry_t fits. */
if ((u_int8_t *) &ae[1] > buf_end)
return EINVAL;
-
+
/* Make sure the variable-length name fits (+1 is for NUL terminator) */
/* TODO: Make sure namelen matches strnlen(name,namelen+1)? */
if (&ae->name[ae->namelen+1] > buf_end)
return EINVAL;
-
+
/* Swap the attribute entry fields */
ae->offset = SWAP32(ae->offset);
ae->length = SWAP32(ae->length);
ae->flags = SWAP16(ae->flags);
-
+
/* Make sure the attribute content fits. */
end = ae->offset + ae->length;
if (end < ae->offset || end > ah->total_size)
return EINVAL;
-
+
ae = ATTR_NEXT(ae);
}
-
+
/*
* TODO: Make sure the contents of attributes don't overlap the header
* and don't overlap each other. The hard part is that we don't know
return 0;
}
-
//
// "start" & "end" are byte offsets in the file.
// "to" is the byte offset we want to move the
size_t chunk, orig_chunk;
char *buff;
off_t pos;
- ucred_t ucred = vfs_context_ucred(context);
+ kauth_cred_t ucred = vfs_context_ucred(context);
proc_t p = vfs_context_proc(context);
if (delta == 0 || len == 0) {
}
for(pos=start+len-chunk; pos >= start; pos-=chunk) {
- ret = vn_rdwr(UIO_READ, xvp, buff, chunk, pos, UIO_SYSSPACE, IO_NODELOCKED, ucred, &iolen, p);
+ ret = vn_rdwr(UIO_READ, xvp, buff, chunk, pos, UIO_SYSSPACE, IO_NODELOCKED|IO_NOAUTH, ucred, &iolen, p);
if (iolen != 0) {
- printf("xattr:shift_data: error reading data @ %lld (read %d of %d) (%d)\n",
+ printf("xattr:shift_data: error reading data @ %lld (read %d of %lu) (%d)\n",
pos, ret, chunk, ret);
break;
}
- ret = vn_rdwr(UIO_WRITE, xvp, buff, chunk, pos + delta, UIO_SYSSPACE, IO_NODELOCKED, ucred, &iolen, p);
+ ret = vn_rdwr(UIO_WRITE, xvp, buff, chunk, pos + delta, UIO_SYSSPACE, IO_NODELOCKED|IO_NOAUTH, ucred, &iolen, p);
if (iolen != 0) {
- printf("xattr:shift_data: error writing data @ %lld (wrote %d of %d) (%d)\n",
+ printf("xattr:shift_data: error writing data @ %lld (wrote %d of %lu) (%d)\n",
pos+delta, ret, chunk, ret);
break;
}
- if ((pos - chunk) < start) {
+ if ((pos - (off_t)chunk) < start) {
chunk = pos - start;
if (chunk == 0) { // we're all done
char *buff;
off_t pos;
off_t end;
- ucred_t ucred = vfs_context_ucred(context);
+ kauth_cred_t ucred = vfs_context_ucred(context);
proc_t p = vfs_context_proc(context);
if (delta == 0 || len == 0) {
}
for(pos = start; pos < end; pos += chunk) {
- ret = vn_rdwr(UIO_READ, xvp, buff, chunk, pos, UIO_SYSSPACE, IO_NODELOCKED, ucred, &iolen, p);
+ ret = vn_rdwr(UIO_READ, xvp, buff, chunk, pos, UIO_SYSSPACE, IO_NODELOCKED|IO_NOAUTH, ucred, &iolen, p);
if (iolen != 0) {
- printf("xattr:shift_data: error reading data @ %lld (read %d of %d) (%d)\n",
+ printf("xattr:shift_data: error reading data @ %lld (read %d of %lu) (%d)\n",
pos, ret, chunk, ret);
break;
}
- ret = vn_rdwr(UIO_WRITE, xvp, buff, chunk, pos - delta, UIO_SYSSPACE, IO_NODELOCKED, ucred, &iolen, p);
+ ret = vn_rdwr(UIO_WRITE, xvp, buff, chunk, pos - delta, UIO_SYSSPACE, IO_NODELOCKED|IO_NOAUTH, ucred, &iolen, p);
if (iolen != 0) {
- printf("xattr:shift_data: error writing data @ %lld (wrote %d of %d) (%d)\n",
+ printf("xattr:shift_data: error writing data @ %lld (wrote %d of %lu) (%d)\n",
pos+delta, ret, chunk, ret);
break;
}
- if ((pos + chunk) > end) {
+ if ((pos + (off_t)chunk) > end) {
chunk = end - pos;
if (chunk == 0) { // we're all done
lock_xattrfile(vnode_t xvp, short locktype, vfs_context_t context)
{
struct flock lf;
+ int error;
lf.l_whence = SEEK_SET;
lf.l_start = 0;
lf.l_len = 0;
lf.l_type = locktype; /* F_WRLCK or F_RDLCK */
/* Note: id is just a kernel address that's not a proc */
- return VNOP_ADVLOCK(xvp, (caddr_t)xvp, F_SETLK, &lf, F_FLOCK, context);
+ error = VNOP_ADVLOCK(xvp, (caddr_t)xvp, F_SETLK, &lf, F_FLOCK|F_WAIT, context);
+ return (error == ENOTSUP ? 0 : error);
}
static int
unlock_xattrfile(vnode_t xvp, vfs_context_t context)
{
struct flock lf;
+ int error;
lf.l_whence = SEEK_SET;
lf.l_start = 0;
lf.l_len = 0;
lf.l_type = F_UNLCK;
/* Note: id is just a kernel address that's not a proc */
- return VNOP_ADVLOCK(xvp, (caddr_t)xvp, F_UNLCK, &lf, F_FLOCK, context);
+ error = VNOP_ADVLOCK(xvp, (caddr_t)xvp, F_UNLCK, &lf, F_FLOCK, context);
+ return (error == ENOTSUP ? 0 : error);
}
projects / apple / xnu.git / blobdiff