/*
- * Copyright (c) 1995-2016 Apple Inc. All rights reserved.
+ * Copyright (c) 1995-2018 Apple Inc. All rights reserved.
*
* @APPLE_OSREFERENCE_LICENSE_HEADER_START@
*
#include <sys/fsevents.h>
#include <kern/kalloc.h>
#include <miscfs/specfs/specdev.h>
+#include <security/audit/audit.h>
#if CONFIG_MACF
#include <security/mac_framework.h>
#define ATTR_PACK8(AB, V) \
do { \
if ((AB.allocated - (AB.fixedcursor - AB.base)) >= 8) { \
- *(uint64_t *)AB.fixedcursor = *(uint64_t *)&V; \
+ memcpy(AB.fixedcursor, &V, 8); \
AB.fixedcursor += 8; \
} \
} while (0)
static struct getvolattrlist_attrtab getvolattrlist_vol_tab[] = {
{ATTR_VOL_FSTYPE, 0, sizeof(uint32_t)},
{ATTR_VOL_SIGNATURE, VFSATTR_BIT(f_signature), sizeof(uint32_t)},
- {ATTR_VOL_SIZE, VFSATTR_BIT(f_blocks), sizeof(off_t)},
+ {ATTR_VOL_SIZE, VFSATTR_BIT(f_blocks) | VFSATTR_BIT(f_bsize), sizeof(off_t)},
{ATTR_VOL_SPACEFREE, VFSATTR_BIT(f_bfree) | VFSATTR_BIT(f_bsize), sizeof(off_t)},
{ATTR_VOL_SPACEAVAIL, VFSATTR_BIT(f_bavail) | VFSATTR_BIT(f_bsize), sizeof(off_t)},
{ATTR_VOL_MINALLOCATION, VFSATTR_BIT(f_bsize), sizeof(off_t)},
{ATTR_VOL_ENCODINGSUSED, 0, sizeof(uint64_t)},
{ATTR_VOL_CAPABILITIES, VFSATTR_BIT(f_capabilities), sizeof(vol_capabilities_attr_t)},
{ATTR_VOL_UUID, VFSATTR_BIT(f_uuid), sizeof(uuid_t)},
- {ATTR_VOL_QUOTA_SIZE, VFSATTR_BIT(f_quota), sizeof(off_t)},
- {ATTR_VOL_RESERVED_SIZE, VFSATTR_BIT(f_reserved), sizeof(off_t)},
+ {ATTR_VOL_QUOTA_SIZE, VFSATTR_BIT(f_quota) | VFSATTR_BIT(f_bsize), sizeof(off_t)},
+ {ATTR_VOL_RESERVED_SIZE, VFSATTR_BIT(f_reserved) | VFSATTR_BIT(f_bsize), sizeof(off_t)},
{ATTR_VOL_ATTRIBUTES, VFSATTR_BIT(f_attributes), sizeof(vol_attributes_attr_t)},
{ATTR_VOL_INFO, 0, 0},
{0, 0, 0}
static struct getattrlist_attrtab getattrlist_common_extended_tab[] = {
{ATTR_CMNEXT_RELPATH, 0, sizeof(struct attrreference), KAUTH_VNODE_READ_ATTRIBUTES},
{ATTR_CMNEXT_PRIVATESIZE, VATTR_BIT(va_private_size), sizeof(off_t), KAUTH_VNODE_READ_ATTRIBUTES},
+ {ATTR_CMNEXT_LINKID, VATTR_BIT(va_fileid) | VATTR_BIT(va_linkid), sizeof(uint64_t), KAUTH_VNODE_READ_ATTRIBUTES},
{0, 0, 0, 0}
};
ATTR_CMN_DOCUMENT_ID | ATTR_CMN_GEN_COUNT | \
ATTR_CMN_DATA_PROTECT_FLAGS)
-#define VFS_DFLT_ATT_CMN_EXT (ATTR_CMNEXT_PRIVATESIZE)
+#define VFS_DFLT_ATTR_CMN_EXT (ATTR_CMNEXT_PRIVATESIZE | ATTR_CMNEXT_LINKID)
#define VFS_DFLT_ATTR_DIR (ATTR_DIR_LINKCOUNT | ATTR_DIR_MOUNTSTATUS)
attrp->validattr.volattr = VFS_DFLT_ATTR_VOL;
attrp->validattr.dirattr = VFS_DFLT_ATTR_DIR;
attrp->validattr.fileattr = VFS_DFLT_ATTR_FILE;
- attrp->validattr.forkattr = 0;
+ attrp->validattr.forkattr = VFS_DFLT_ATTR_CMN_EXT;
attrp->nativeattr.commonattr = 0;
attrp->nativeattr.volattr = 0;
* Note that since we won't ever copy out more than the caller requested,
* we never need to allocate more than they offer.
*/
- ab.allocated = ulmin(bufferSize, fixedsize + varsize);
- if (ab.allocated > ATTR_MAX_BUFFER) {
+ ab.allocated = fixedsize + varsize;
+ if (((size_t)ab.allocated) > ATTR_MAX_BUFFER) {
error = ENOMEM;
VFS_DEBUG(ctx, vp, "ATTRLIST - ERROR: buffer size too large (%d limit %d)", ab.allocated, ATTR_MAX_BUFFER);
goto out;
}
+
+ if (return_valid &&
+ (ab.allocated < (ssize_t)(sizeof(uint32_t) + sizeof(attribute_set_t))) &&
+ !(options & FSOPT_REPORT_FULLSIZE)) {
+ uint32_t num_bytes_valid = sizeof(uint32_t);
+ /*
+ * Not enough to return anything and we don't have to report
+ * how much space is needed. Get out now.
+ * N.B. - We have only been called after having verified that
+ * attributeBuffer is at least sizeof(uint32_t);
+ */
+ if (UIO_SEG_IS_USER_SPACE(segflg)) {
+ error = copyout(&num_bytes_valid,
+ CAST_USER_ADDR_T(attributeBuffer), num_bytes_valid);
+ } else {
+ bcopy(&num_bytes_valid, (void *)attributeBuffer,
+ (size_t)num_bytes_valid);
+ }
+ goto out;
+ }
+
MALLOC(ab.base, char *, ab.allocated, M_TEMP, M_ZERO | M_WAITOK);
if (ab.base == NULL) {
error = ENOMEM;
ab.needed = fixedsize + varsize;
/* common attributes **************************************************/
+ if (alp->commonattr & ATTR_CMN_ERROR) {
+ ATTR_PACK4(ab, 0);
+ ab.actual.commonattr |= ATTR_CMN_ERROR;
+ }
if (alp->commonattr & ATTR_CMN_NAME) {
attrlist_pack_string(&ab, cnp, cnl);
ab.actual.commonattr |= ATTR_CMN_NAME;
vs.f_capabilities.capabilities[VOL_CAPABILITIES_INTERFACES] &= ~VOL_CAP_INT_EXTENDED_SECURITY;
}
vs.f_capabilities.valid[VOL_CAPABILITIES_INTERFACES] |= VOL_CAP_INT_EXTENDED_SECURITY;
+
+ /*
+ * if the filesystem doesn't mark either VOL_CAP_FMT_NO_IMMUTABLE_FILES
+ * or VOL_CAP_FMT_NO_PERMISSIONS as valid, assume they're not supported
+ */
+ if (!(vs.f_capabilities.valid[VOL_CAPABILITIES_FORMAT] & VOL_CAP_FMT_NO_IMMUTABLE_FILES)) {
+ vs.f_capabilities.capabilities[VOL_CAPABILITIES_FORMAT] &= ~VOL_CAP_FMT_NO_IMMUTABLE_FILES;
+ vs.f_capabilities.valid[VOL_CAPABILITIES_FORMAT] |= VOL_CAP_FMT_NO_IMMUTABLE_FILES;
+ }
+
+ if (!(vs.f_capabilities.valid[VOL_CAPABILITIES_FORMAT] & VOL_CAP_FMT_NO_PERMISSIONS)) {
+ vs.f_capabilities.capabilities[VOL_CAPABILITIES_FORMAT] &= ~VOL_CAP_FMT_NO_PERMISSIONS;
+ vs.f_capabilities.valid[VOL_CAPABILITIES_FORMAT] |= VOL_CAP_FMT_NO_PERMISSIONS;
+ }
+
ATTR_PACK(&ab, vs.f_capabilities);
ab.actual.volattr |= ATTR_VOL_CAPABILITIES;
}
* of the result buffer, even if we copied less out. The caller knows how big a buffer
* they gave us, so they can always check for truncation themselves.
*/
- *(uint32_t *)ab.base = (options & FSOPT_REPORT_FULLSIZE) ? ab.needed : imin(ab.allocated, ab.needed);
-
+ *(uint32_t *)ab.base = (options & FSOPT_REPORT_FULLSIZE) ? ab.needed : imin(bufferSize, ab.needed);
+
/* Return attribute set output if requested. */
- if (return_valid) {
+ if (return_valid &&
+ (ab.allocated >= (ssize_t)(sizeof(uint32_t) + sizeof(ab.actual)))) {
ab.actual.commonattr |= ATTR_CMN_RETURNED_ATTRS;
if (pack_invalid) {
/* Only report the attributes that are valid */
if (UIO_SEG_IS_USER_SPACE(segflg))
error = copyout(ab.base, CAST_USER_ADDR_T(attributeBuffer),
- ab.allocated);
+ ulmin(bufferSize, ab.needed));
else
- bcopy(ab.base, (void *)attributeBuffer, (size_t)ab.allocated);
+ bcopy(ab.base, (void *)attributeBuffer, (size_t)ulmin(bufferSize, ab.needed));
out:
if (vs.f_vol_name != NULL)
}
}
+ if (alp->forkattr & ATTR_CMNEXT_LINKID) {
+ uint64_t linkid;
+
+ if (VATTR_IS_SUPPORTED(vap, va_linkid))
+ linkid = vap->va_linkid;
+ else
+ linkid = vap->va_fileid;
+
+ ATTR_PACK8((*abp), linkid);
+ abp->actual.forkattr |= ATTR_CMNEXT_LINKID;
+ }
+
return 0;
}
static int
getattrlist_internal(vfs_context_t ctx, vnode_t vp, struct attrlist *alp,
user_addr_t attributeBuffer, size_t bufferSize, uint64_t options,
- enum uio_seg segflg, char* alt_name, struct ucred *file_cred)
+ enum uio_seg segflg, char* authoritative_name, struct ucred *file_cred)
{
struct vnode_attr va;
kauth_action_t action;
// must be true for fork attributes to be used as new common attributes
const int use_fork = (options & FSOPT_ATTR_CMN_EXTENDED) != 0;
+ if (bufferSize < sizeof(uint32_t))
+ return (ERANGE);
+
proc_is64 = proc_is64bit(vfs_context_proc(ctx));
if (segflg == UIO_USERSPACE) {
VFS_DEBUG(ctx, vp, "ATTRLIST - ERROR: cannot allocate va_name buffer");
goto out;
}
+ /*
+ * If we have an authoritative_name, prefer that name.
+ *
+ * N.B. Since authoritative_name implies this is coming from getattrlistbulk,
+ * we know the name is authoritative. For /dev/fd, we want to use the file
+ * descriptor as the name not the underlying name of the associate vnode in a
+ * particular file system.
+ */
+ if (authoritative_name) {
+ /* Don't ask the file system */
+ VATTR_CLEAR_ACTIVE(&va, va_name);
+ strlcpy(va_name, authoritative_name, MAXPATHLEN);
+ }
}
- va.va_name = va_name;
+ va.va_name = authoritative_name ? NULL : va_name;
/*
* Call the filesystem.
#endif
/*
- * If ATTR_CMN_NAME is not supported by filesystem and the
- * caller has provided a name, use that.
+ * It we ask for the name, i.e., vname is non null and
+ * we have an authoritative name, then reset va_name is
+ * active and if needed set va_name is supported.
+ *
* A (buggy) filesystem may change fields which belong
* to us. We try to deal with that here as well.
*/
va.va_active = va_active;
- if (alt_name && va_name &&
- !(VATTR_IS_SUPPORTED(&va, va_name))) {
- strlcpy(va_name, alt_name, MAXPATHLEN);
- VATTR_SET_SUPPORTED(&va, va_name);
+ if (authoritative_name && va_name) {
+ VATTR_SET_ACTIVE(&va, va_name);
+ if (!(VATTR_IS_SUPPORTED(&va, va_name))) {
+ VATTR_SET_SUPPORTED(&va, va_name);
+ }
}
va.va_name = va_name;
}
struct fileproc *fp;
struct fd_vn_data *fvdata;
vfs_context_t ctx;
+ uthread_t ut;
enum uio_seg segflg;
int count;
uio_t auio = NULL;
fvdata = NULL;
eofflag = 0;
ctx = vfs_context_current();
+ ut = get_bsdthread_info(current_thread());
segflg = IS_64BIT_PROCESS(p) ? UIO_USERSPACE64 : UIO_USERSPACE32;
if ((fp->f_fglob->fg_flag & FREAD) == 0) {
if (uap->options & FSOPT_LIST_SNAPSHOT) {
vnode_t snapdvp;
- if (!vfs_context_issuser(ctx)) {
- error = EPERM;
- goto out;
- }
-
if (!vnode_isvroot(dvp)) {
error = EINVAL;
goto out;
(void)getattrlist_setupvattr_all(&al, &va, VNON, NULL,
IS_64BIT_PROCESS(p), (uap->options & FSOPT_ATTR_CMN_EXTENDED));
+ /*
+ * Set UT_KERN_RAGE_VNODES to cause all vnodes created by the
+ * filesystem to be rapidly aged.
+ */
+ ut->uu_flag |= UT_KERN_RAGE_VNODES;
error = VNOP_GETATTRLISTBULK(dvp, &al, &va, auio, NULL,
options, &eofflag, &count, ctx);
+ ut->uu_flag &= ~UT_KERN_RAGE_VNODES;
FREE(va_name, M_TEMP);
eofflag = 0;
count = 0;
+ ut->uu_flag |= UT_KERN_RAGE_VNODES;
error = readdirattr(dvp, fvdata, auio, &al, options,
&count, &eofflag, ctx);
+ ut->uu_flag &= ~UT_KERN_RAGE_VNODES;
}
if (count) {
goto out;
}
+#if DEVELOPMENT || DEBUG
+ /*
+ * XXX VSWAP: Check for entitlements or special flag here
+ * so we can restrict access appropriately.
+ */
+#else /* DEVELOPMENT || DEBUG */
+
+ if (vnode_isswap(vp) && (ctx != vfs_context_kernel())) {
+ error = EPERM;
+ goto out;
+ }
+#endif /* DEVELOPMENT || DEBUG */
+
VFS_DEBUG(ctx, vp, "%p ATTRLIST - %s set common %08x vol %08x file %08x dir %08x fork %08x %sfollow on '%s'",
vp, p->p_comm, al.commonattr, al.volattr, al.fileattr, al.dirattr, al.forkattr,
(uap->options & FSOPT_NOFOLLOW) ? "no":"", vp->v_name);
ATTR_UNPACK(va.va_guuid);
VATTR_SET_ACTIVE(&va, va_guuid);
}
+ if (al.commonattr & ATTR_CMN_ADDEDTIME) {
+ ATTR_UNPACK_TIME(va.va_addedtime, proc_is64);
+ VATTR_SET_ACTIVE(&va, va_addedtime);
+ }
/* Support setattrlist of data protection class */
if (al.commonattr & ATTR_CMN_DATA_PROTECT_FLAGS) {
ATTR_UNPACK(va.va_dataprotect_class);
return error;
}
+int
+setattrlistat(proc_t p, struct setattrlistat_args *uap, __unused int32_t *retval)
+{
+ struct setattrlist_args ap;
+ struct vfs_context *ctx;
+ struct nameidata nd;
+ vnode_t vp = NULLVP;
+ uint32_t nameiflags;
+ int error;
+
+ ctx = vfs_context_current();
+
+ AUDIT_ARG(fd, uap->fd);
+ /*
+ * Look up the file.
+ */
+ nameiflags = AUDITVNPATH1;
+ if (!(uap->options & FSOPT_NOFOLLOW))
+ nameiflags |= FOLLOW;
+ NDINIT(&nd, LOOKUP, OP_SETATTR, nameiflags, UIO_USERSPACE, uap->path, ctx);
+ if ((error = nameiat(&nd, uap->fd)) != 0)
+ goto out;
+ vp = nd.ni_vp;
+ nameidone(&nd);
+
+ ap.path = 0;
+ ap.alist = uap->alist;
+ ap.attributeBuffer = uap->attributeBuffer;
+ ap.bufferSize = uap->bufferSize;
+ ap.options = uap->options;
+
+ error = setattrlist_internal(vp, &ap, p, ctx);
+out:
+ if (vp)
+ vnode_put(vp);
+ return (error);
+}
+
int
fsetattrlist(proc_t p, struct fsetattrlist_args *uap, __unused int32_t *retval)
{
projects / apple / xnu.git / blobdiff