/*
- * Copyright (c) 2000-2012 Apple Inc. All rights reserved.
+ * Copyright (c) 2000-2015 Apple Inc. All rights reserved.
*
* @APPLE_OSREFERENCE_LICENSE_HEADER_START@
*
#include <sys/kauth.h>
#include <sys/user.h>
#include <sys/paths.h>
+#include <os/overflow.h>
#if CONFIG_MACF
#include <security/mac_framework.h>
#define NCHHASH(dvp, hash_val) \
(&nchashtbl[(dvp->v_id ^ (hash_val)) & nchashmask])
+/*
+ * This function tries to check if a directory vp is a subdirectory of dvp
+ * only from valid v_parent pointers. It is called with the name cache lock
+ * held and does not drop the lock anytime inside the function.
+ *
+ * It returns a boolean that indicates whether or not it was able to
+ * successfully infer the parent/descendent relationship via the v_parent
+ * pointers, or if it could not infer such relationship and that the decision
+ * must be delegated to the owning filesystem.
+ *
+ * If it does not defer the decision, i.e. it was successfuly able to determine
+ * the parent/descendent relationship, *is_subdir tells the caller if vp is a
+ * subdirectory of dvp.
+ *
+ * If the decision is deferred, *next_vp is where it stopped i.e. *next_vp
+ * is the vnode whose parent is to be determined from the filesystem.
+ * *is_subdir, in this case, is not indicative of anything and should be
+ * ignored.
+ *
+ * The return value and output args should be used as follows :
+ *
+ * defer = cache_check_vnode_issubdir(vp, dvp, is_subdir, next_vp);
+ * if (!defer) {
+ * if (*is_subdir)
+ * vp is subdirectory;
+ * else
+ * vp is not a subdirectory;
+ * } else {
+ * if (*next_vp)
+ * check this vnode's parent from the filesystem
+ * else
+ * error (likely because of forced unmount).
+ * }
+ *
+ */
+static boolean_t
+cache_check_vnode_issubdir(vnode_t vp, vnode_t dvp, boolean_t *is_subdir,
+ vnode_t *next_vp)
+{
+ vnode_t tvp = vp;
+ int defer = FALSE;
+
+ *is_subdir = FALSE;
+ *next_vp = NULLVP;
+ while (1) {
+ mount_t tmp;
+
+ if (tvp == dvp) {
+ *is_subdir = TRUE;
+ break;
+ } else if (tvp == rootvnode) {
+ /* *is_subdir = FALSE */
+ break;
+ }
+
+ tmp = tvp->v_mount;
+ while ((tvp->v_flag & VROOT) && tmp && tmp->mnt_vnodecovered &&
+ tvp != dvp && tvp != rootvnode) {
+ tvp = tmp->mnt_vnodecovered;
+ tmp = tvp->v_mount;
+ }
+
+ /*
+ * If dvp is not at the top of a mount "stack" then
+ * vp is not a subdirectory of dvp either.
+ */
+ if (tvp == dvp || tvp == rootvnode) {
+ /* *is_subdir = FALSE */
+ break;
+ }
+
+ if (!tmp) {
+ defer = TRUE;
+ *next_vp = NULLVP;
+ break;
+ }
+
+ if ((tvp->v_flag & VISHARDLINK) || !(tvp->v_parent)) {
+ defer = TRUE;
+ *next_vp = tvp;
+ break;
+ }
+
+ tvp = tvp->v_parent;
+ }
+
+ return (defer);
+}
+
+/* maximum times retry from potentially transient errors in vnode_issubdir */
+#define MAX_ERROR_RETRY 3
+
+/*
+ * This function checks if a given directory (vp) is a subdirectory of dvp.
+ * It walks backwards from vp and if it hits dvp in its parent chain,
+ * it is a subdirectory. If it encounters the root directory, it is not
+ * a subdirectory.
+ *
+ * This function returns an error if it is unsuccessful and 0 on success.
+ *
+ * On entry (and exit) vp has an iocount and if this function has to take
+ * any iocounts on other vnodes in the parent chain traversal, it releases them.
+ */
+int
+vnode_issubdir(vnode_t vp, vnode_t dvp, int *is_subdir, vfs_context_t ctx)
+{
+ vnode_t start_vp, tvp;
+ vnode_t vp_with_iocount;
+ int error = 0;
+ char dotdotbuf[] = "..";
+ int error_retry_count = 0; /* retry count for potentially transient
+ errors */
+
+ *is_subdir = FALSE;
+ tvp = start_vp = vp;
+ /*
+ * Anytime we acquire an iocount in this function, we save the vnode
+ * in this variable and release it before exiting.
+ */
+ vp_with_iocount = NULLVP;
+
+ while (1) {
+ boolean_t defer;
+ vnode_t pvp;
+ uint32_t vid;
+ struct componentname cn;
+ boolean_t is_subdir_locked = FALSE;
+ if (tvp == dvp) {
+ *is_subdir = TRUE;
+ break;
+ } else if (tvp == rootvnode) {
+ /* *is_subdir = FALSE */
+ break;
+ }
+
+ NAME_CACHE_LOCK_SHARED();
+
+ defer = cache_check_vnode_issubdir(tvp, dvp, &is_subdir_locked,
+ &tvp);
+
+ if (defer && tvp)
+ vid = vnode_vid(tvp);
+
+ NAME_CACHE_UNLOCK();
+
+ if (!defer) {
+ *is_subdir = is_subdir_locked;
+ break;
+ }
+
+ if (!tvp) {
+ if (error_retry_count++ < MAX_ERROR_RETRY) {
+ tvp = vp;
+ continue;
+ }
+ error = ENOENT;
+ break;
+ }
+
+ if (tvp != start_vp) {
+ if (vp_with_iocount) {
+ vnode_put(vp_with_iocount);
+ vp_with_iocount = NULLVP;
+ }
+
+ error = vnode_getwithvid(tvp, vid);
+ if (error) {
+ if (error_retry_count++ < MAX_ERROR_RETRY) {
+ tvp = vp;
+ error = 0;
+ continue;
+ }
+ break;
+ }
+
+ vp_with_iocount = tvp;
+ }
+
+ bzero(&cn, sizeof(cn));
+ cn.cn_nameiop = LOOKUP;
+ cn.cn_flags = ISLASTCN | ISDOTDOT;
+ cn.cn_context = ctx;
+ cn.cn_pnbuf = &dotdotbuf[0];
+ cn.cn_pnlen = sizeof(dotdotbuf);
+ cn.cn_nameptr = cn.cn_pnbuf;
+ cn.cn_namelen = 2;
+
+ pvp = NULLVP;
+ if ((error = VNOP_LOOKUP(tvp, &pvp, &cn, ctx)))
+ break;
+
+ if (!(tvp->v_flag & VISHARDLINK) && tvp->v_parent != pvp) {
+ (void)vnode_update_identity(tvp, pvp, NULL, 0, 0,
+ VNODE_UPDATE_PARENT);
+ }
+
+ if (vp_with_iocount)
+ vnode_put(vp_with_iocount);
+
+ vp_with_iocount = tvp = pvp;
+ }
+
+ if (vp_with_iocount)
+ vnode_put(vp_with_iocount);
+
+ return (error);
+}
/*
- * This function builds the path to a filename in "buff". The
- * length of the buffer *INCLUDING* the trailing zero byte is
- * returned in outlen. NOTE: the length includes the trailing
- * zero byte and thus the length is one greater than what strlen
- * would return. This is important and lots of code elsewhere
- * in the kernel assumes this behavior.
+ * This function builds the path in "buff" from the supplied vnode.
+ * The length of the buffer *INCLUDING* the trailing zero byte is
+ * returned in outlen. NOTE: the length includes the trailing zero
+ * byte and thus the length is one greater than what strlen would
+ * return. This is important and lots of code elsewhere in the kernel
+ * assumes this behavior.
*
* This function can call vnop in file system if the parent vnode
* does not exist or when called for hardlinks via volfs path.
* cross over mount points during building the path.
*
* passed in vp must have a valid io_count reference
+ *
+ * If parent vnode is non-NULL it also must have an io count. This
+ * allows build_path_with_parent to be safely called for operations
+ * unlink, rmdir and rename that already have io counts on the target
+ * and the directory. In this way build_path_with_parent does not have
+ * to try and obtain an additional io count on the parent. Taking an
+ * io count ont the parent can lead to dead lock if a forced unmount
+ * occures at the right moment. For a fuller explaination on how this
+ * can occur see the comment for vn_getpath_with_parent.
+ *
*/
int
-build_path(vnode_t first_vp, char *buff, int buflen, int *outlen, int flags, vfs_context_t ctx)
+build_path_with_parent(vnode_t first_vp, vnode_t parent_vp, char *buff, int buflen, int *outlen, int flags, vfs_context_t ctx)
{
vnode_t vp, tvp;
vnode_t vp_with_iocount;
* and disallow further path construction
*/
if ((vp->v_parent == NULLVP) && (rootvnode != vp)) {
- /* Only '/' is allowed to have a NULL parent pointer */
- ret = EINVAL;
+ /*
+ * Only '/' is allowed to have a NULL parent
+ * pointer. Upper level callers should ideally
+ * re-drive name lookup on receiving a ENOENT.
+ */
+ ret = ENOENT;
/* The code below will exit early if 'tvp = vp' == NULL */
}
NAME_CACHE_UNLOCK();
- if (vp != first_vp && vp != vp_with_iocount) {
+ if (vp != first_vp && vp != parent_vp && vp != vp_with_iocount) {
if (vp_with_iocount) {
vnode_put(vp_with_iocount);
vp_with_iocount = NULLVP;
vp = vp->v_parent;
}
+ if (vp && (flags & BUILDPATH_CHECKACCESS)) {
+ vid = vp->v_id;
+
+ NAME_CACHE_UNLOCK();
+
+ if (vp != first_vp && vp != parent_vp && vp != vp_with_iocount) {
+ if (vp_with_iocount) {
+ vnode_put(vp_with_iocount);
+ vp_with_iocount = NULLVP;
+ }
+ if (vnode_getwithvid(vp, vid))
+ goto again;
+ vp_with_iocount = vp;
+ }
+ if ((ret = vnode_authorize(vp, NULL, KAUTH_VNODE_SEARCH, ctx)))
+ goto out; /* no peeking */
+
+ NAME_CACHE_LOCK_SHARED();
+ }
+
/*
* When a mount point is crossed switch the vp.
* Continue until we find the root or we find
if (tvp == NULLVP)
goto out_unlock;
vp = tvp;
-
- if (vp && (flags & BUILDPATH_CHECKACCESS)) {
- vid = vp->v_id;
-
- NAME_CACHE_UNLOCK();
-
- if (vp != first_vp && vp != vp_with_iocount) {
- if (vp_with_iocount) {
- vnode_put(vp_with_iocount);
- vp_with_iocount = NULLVP;
- }
- if (vnode_getwithvid(vp, vid))
- goto again;
- vp_with_iocount = vp;
- }
- if ((ret = vnode_authorize(vp, NULL, KAUTH_VNODE_SEARCH, ctx)))
- goto out; /* no peeking */
-
- NAME_CACHE_LOCK_SHARED();
- }
}
out_unlock:
NAME_CACHE_UNLOCK();
return (ret);
}
+int
+build_path(vnode_t first_vp, char *buff, int buflen, int *outlen, int flags, vfs_context_t ctx)
+{
+ return (build_path_with_parent(first_vp, NULL, buff, buflen, outlen, flags, ctx));
+}
/*
* return NULLVP if vp's parent doesn't
{
struct namecache *ncp;
vnode_t old_parentvp = NULLVP;
-#if NAMEDSTREAMS
int isstream = (vp->v_flag & VISNAMEDSTREAM);
int kusecountbumped = 0;
-#endif
kauth_cred_t tcred = NULL;
const char *vname = NULL;
const char *tname = NULL;
if (dvp && vnode_ref(dvp) != 0) {
dvp = NULLVP;
}
-#if NAMEDSTREAMS
/* Don't count a stream's parent ref during unmounts */
if (isstream && dvp && (dvp != vp) && (dvp != vp->v_parent) && (dvp->v_type == VREG)) {
vnode_lock_spin(dvp);
kusecountbumped = 1;
vnode_unlock(dvp);
}
-#endif
} else {
dvp = NULLVP;
}
while ( (ncp = LIST_FIRST(&vp->v_nclinks)) )
cache_delete(ncp, 1);
- while ( (ncp = LIST_FIRST(&vp->v_ncchildren)) )
+ while ( (ncp = TAILQ_FIRST(&vp->v_ncchildren)) )
cache_delete(ncp, 1);
/*
tcred = vp->v_cred;
vp->v_cred = NOCRED;
vp->v_authorized_actions = 0;
+ vp->v_cred_timestamp = 0;
}
if ( (flags & VNODE_UPDATE_NAME) ) {
vname = vp->v_name;
kauth_cred_unref(&tcred);
}
if (dvp != NULLVP) {
-#if NAMEDSTREAMS
/* Back-out the ref we took if we lost a race for vp->v_parent. */
if (kusecountbumped) {
vnode_lock_spin(dvp);
--dvp->v_kusecount;
vnode_unlock(dvp);
}
-#endif
vnode_rele(dvp);
}
if (old_parentvp) {
struct uthread *ut;
-#if NAMEDSTREAMS
if (isstream) {
vnode_lock_spin(old_parentvp);
if ((old_parentvp->v_type != VDIR) && (old_parentvp->v_kusecount > 0))
--old_parentvp->v_kusecount;
vnode_unlock(old_parentvp);
}
-#endif
ut = get_bsdthread_info(current_thread());
/*
mount_t mp;
unsigned int hash;
int error = 0;
+ boolean_t dotdotchecked = FALSE;
#if CONFIG_TRIGGERS
vnode_t trigger_vp;
#if CONFIG_MACF
- /*
+ /*
* Name cache provides authorization caching (see below)
* that will short circuit MAC checks in lookup().
* We must perform MAC check here. On denial
}
}
#endif /* MAC */
- if (ttl_enabled && ((tv.tv_sec - dp->v_cred_timestamp) > dp->v_mount->mnt_authcache_ttl))
+ if (ttl_enabled &&
+ (dp->v_mount->mnt_authcache_ttl == 0 ||
+ ((tv.tv_sec - dp->v_cred_timestamp) > dp->v_mount->mnt_authcache_ttl))) {
break;
+ }
/*
* NAME_CACHE_LOCK holds these fields stable
+ *
+ * We can't cache KAUTH_VNODE_SEARCHBYANYONE for root correctly
+ * so we make an ugly check for root here. root is always
+ * allowed and breaking out of here only to find out that is
+ * authorized by virtue of being root is very very expensive.
+ * However, the check for not root is valid only for filesystems
+ * which use local authorization.
+ *
+ * XXX: Remove the check for root when we can reliably set
+ * KAUTH_VNODE_SEARCHBYANYONE as root.
*/
if ((dp->v_cred != ucred || !(dp->v_authorized_actions & KAUTH_VNODE_SEARCH)) &&
- !(dp->v_authorized_actions & KAUTH_VNODE_SEARCHBYANYONE))
+ !(dp->v_authorized_actions & KAUTH_VNODE_SEARCHBYANYONE) &&
+ (ttl_enabled || !vfs_context_issuser(ctx))) {
break;
+ }
/*
* indicate that we're allowed to traverse this directory...
* Force directory hardlinks to go to
* file system for ".." requests.
*/
- if (dp && (dp->v_flag & VISHARDLINK)) {
+ if ((dp->v_flag & VISHARDLINK)) {
break;
}
/*
*/
if (cnp->cn_namelen == 1 && cnp->cn_nameptr[0] == '.')
vp = dp;
- else if ( (cnp->cn_flags & ISDOTDOT) )
- vp = dp->v_parent;
- else {
+ else if ( (cnp->cn_flags & ISDOTDOT) ) {
+ /*
+ * If this is a chrooted process, we need to check if
+ * the process is trying to break out of its chrooted
+ * jail. We do that by trying to determine if dp is
+ * a subdirectory of ndp->ni_rootdir. If we aren't
+ * able to determine that by the v_parent pointers, we
+ * will leave the fast path.
+ *
+ * Since this function may see dotdot components
+ * many times and it has the name cache lock held for
+ * the entire duration, we optimise this by doing this
+ * check only once per cache_lookup_path call.
+ * If dotdotchecked is set, it means we've done this
+ * check once already and don't need to do it again.
+ */
+ if (!dotdotchecked && (ndp->ni_rootdir != rootvnode)) {
+ vnode_t tvp = dp;
+ boolean_t defer = FALSE;
+ boolean_t is_subdir = FALSE;
+
+ defer = cache_check_vnode_issubdir(tvp,
+ ndp->ni_rootdir, &is_subdir, &tvp);
+
+ if (defer) {
+ /* defer to Filesystem */
+ break;
+ } else if (!is_subdir) {
+ /*
+ * This process is trying to break out
+ * of its chrooted jail, so all its
+ * dotdot accesses will be translated to
+ * its root directory.
+ */
+ vp = ndp->ni_rootdir;
+ } else {
+ /*
+ * All good, let this dotdot access
+ * proceed normally
+ */
+ vp = dp->v_parent;
+ }
+ dotdotchecked = TRUE;
+ } else {
+ vp = dp->v_parent;
+ }
+ } else {
if ( (vp = cache_lookup_locked(dp, cnp)) == NULLVP)
break;
}
if ( (mp = vp->v_mountedhere) && ((cnp->cn_flags & NOCROSSMOUNT) == 0)) {
-
- if (mp->mnt_realrootvp == NULLVP || mp->mnt_generation != mount_generation ||
- mp->mnt_realrootvp_vid != mp->mnt_realrootvp->v_id)
- break;
- vp = mp->mnt_realrootvp;
+ vnode_t tmp_vp = mp->mnt_realrootvp;
+ if (tmp_vp == NULLVP || mp->mnt_generation != mount_generation ||
+ mp->mnt_realrootvp_vid != tmp_vp->v_id)
+ break;
+ vp = tmp_vp;
}
#if CONFIG_TRIGGERS
* trigger in hand, resolve it. Note that we don't need to
* leave the fast path if the mount has already happened.
*/
- if ((vp->v_resolve != NULL) &&
- (vp->v_resolve->vr_resolve_func != NULL)) {
+ if (vp->v_resolve)
break;
- }
#endif /* CONFIG_TRIGGERS */
ncpp = NCHHASH(dvp, cnp->cn_hash);
LIST_FOREACH(ncp, ncpp, nc_hash) {
if ((ncp->nc_dvp == dvp) && (ncp->nc_hashval == hashval)) {
- if (memcmp(ncp->nc_name, cnp->cn_nameptr, namelen) == 0 && ncp->nc_name[namelen] == 0)
+ if (strncmp(ncp->nc_name, cnp->cn_nameptr, namelen) == 0 && ncp->nc_name[namelen] == 0)
break;
}
}
ncpp = NCHHASH(dvp, cnp->cn_hash);
LIST_FOREACH(ncp, ncpp, nc_hash) {
if ((ncp->nc_dvp == dvp) && (ncp->nc_hashval == hashval)) {
- if (memcmp(ncp->nc_name, cnp->cn_nameptr, namelen) == 0 && ncp->nc_name[namelen] == 0)
+ if (strncmp(ncp->nc_name, cnp->cn_nameptr, namelen) == 0 && ncp->nc_name[namelen] == 0)
break;
}
}
ncp->nc_name = add_name_internal(cnp->cn_nameptr, cnp->cn_namelen, cnp->cn_hash, FALSE, 0);
else
ncp->nc_name = strname;
+
+ //
+ // If the bytes of the name associated with the vnode differ,
+ // use the name associated with the vnode since the file system
+ // may have set that explicitly in the case of a lookup on a
+ // case-insensitive file system where the case of the looked up
+ // name differs from what is on disk. For more details, see:
+ // <rdar://problem/8044697> FSEvents doesn't always decompose diacritical unicode chars in the paths of the changed directories
+ //
+ const char *vn_name = vp ? vp->v_name : NULL;
+ unsigned int len = vn_name ? strlen(vn_name) : 0;
+ if (vn_name && ncp && ncp->nc_name && strncmp(ncp->nc_name, vn_name, len) != 0) {
+ unsigned int hash = hash_string(vn_name, len);
+
+ vfs_removename(ncp->nc_name);
+ ncp->nc_name = add_name_internal(vn_name, len, hash, FALSE, 0);
+ ncp->nc_hashval = hash;
+ }
+
/*
* make us the newest entry in the cache
* i.e. we'll be the last to be stolen
* add us to the list of name cache entries that
* are children of dvp
*/
- LIST_INSERT_HEAD(&dvp->v_ncchildren, ncp, nc_child);
+ if (vp)
+ TAILQ_INSERT_TAIL(&dvp->v_ncchildren, ncp, nc_child);
+ else
+ TAILQ_INSERT_HEAD(&dvp->v_ncchildren, ncp, nc_child);
}
int
-resize_namecache(u_int newsize)
+resize_namecache(int newsize)
{
struct nchashhead *new_table;
struct nchashhead *old_table;
struct nchashhead *old_head, *head;
struct namecache *entry, *next;
uint32_t i, hashval;
- int dNodes, dNegNodes;
+ int dNodes, dNegNodes, nelements;
u_long new_size, old_size;
+ if (newsize < 0)
+ return EINVAL;
+
dNegNodes = (newsize / 10);
dNodes = newsize + dNegNodes;
-
// we don't support shrinking yet
if (dNodes <= desiredNodes) {
- return 0;
+ return 0;
+ }
+
+ if (os_mul_overflow(dNodes, 2, &nelements)) {
+ return EINVAL;
}
- new_table = hashinit(2 * dNodes, M_CACHE, &nchashmask);
+
+ new_table = hashinit(nelements, M_CACHE, &nchashmask);
new_size = nchashmask + 1;
if (new_table == NULL) {
- return ENOMEM;
+ return ENOMEM;
}
NAME_CACHE_LOCK();
}
static void
-cache_delete(struct namecache *ncp, int age_entry)
+cache_delete(struct namecache *ncp, int free_entry)
{
NCHSTAT(ncs_deletes);
TAILQ_REMOVE(&neghead, ncp, nc_un.nc_negentry);
ncs_negtotal--;
}
- LIST_REMOVE(ncp, nc_child);
+ TAILQ_REMOVE(&(ncp->nc_dvp->v_ncchildren), ncp, nc_child);
LIST_REMOVE(ncp, nc_hash);
/*
*/
ncp->nc_hash.le_prev = NULL;
- if (age_entry) {
- /*
- * make it the next one available
- * for cache_enter's use
- */
- TAILQ_REMOVE(&nchead, ncp, nc_entry);
- TAILQ_INSERT_HEAD(&nchead, ncp, nc_entry);
- }
vfs_removename(ncp->nc_name);
ncp->nc_name = NULL;
+ if (free_entry) {
+ TAILQ_REMOVE(&nchead, ncp, nc_entry);
+ FREE_ZONE(ncp, sizeof(*ncp), M_CACHE);
+ numcache--;
+ }
}
kauth_cred_t tcred = NULL;
if ((LIST_FIRST(&vp->v_nclinks) == NULL) &&
- (LIST_FIRST(&vp->v_ncchildren) == NULL) &&
+ (TAILQ_FIRST(&vp->v_ncchildren) == NULL) &&
(vp->v_cred == NOCRED) &&
(vp->v_parent == NULLVP))
return;
while ( (ncp = LIST_FIRST(&vp->v_nclinks)) )
cache_delete(ncp, 1);
- while ( (ncp = LIST_FIRST(&vp->v_ncchildren)) )
+ while ( (ncp = TAILQ_FIRST(&vp->v_ncchildren)) )
cache_delete(ncp, 1);
/*
NAME_CACHE_LOCK();
- LIST_FOREACH_SAFE(ncp, &vp->v_ncchildren, nc_child, next_ncp)
- if (ncp->nc_vp == NULL)
- cache_delete(ncp , 1);
+ TAILQ_FOREACH_SAFE(ncp, &vp->v_ncchildren, nc_child, next_ncp) {
+ if (ncp->nc_vp)
+ break;
+
+ cache_delete(ncp, 1);
+ }
NAME_CACHE_UNLOCK();
}
uint32_t lock_index;
char *ptr;
+ if (len > MAXPATHLEN)
+ len = MAXPATHLEN;
+
/*
* if the length already accounts for the null-byte, then
* subtract one so later on we don't index past the end
lck_mtx_lock_spin(&strcache_mtx_locks[lock_index]);
for (entry = head->lh_first; entry != NULL; chain_len++, entry = entry->hash_chain.le_next) {
- if (memcmp(entry->str, name, len) == 0 && entry->str[len] == 0) {
+ if (strncmp(entry->str, name, len) == 0 && entry->str[len] == 0) {
entry->refcount++;
break;
}