X-Git-Url: https://git.saurik.com/apple/xnu.git/blobdiff_plain/89b3af67bb32e691275bf6fa803d1834b2284115..ebb1b9f42b62218f29061826217bb0f71cd375a6:/bsd/vfs/vfs_subr.c diff --git a/bsd/vfs/vfs_subr.c b/bsd/vfs/vfs_subr.c index c5dbcd1e3..4280f3bfd 100644 --- a/bsd/vfs/vfs_subr.c +++ b/bsd/vfs/vfs_subr.c @@ -1,5 +1,5 @@ /* - * Copyright (c) 2000-2005 Apple Computer, Inc. All rights reserved. + * Copyright (c) 2000-2010 Apple Inc. All rights reserved. * * @APPLE_OSREFERENCE_LICENSE_HEADER_START@ * @@ -65,13 +65,17 @@ * * @(#)vfs_subr.c 8.31 (Berkeley) 5/26/95 */ +/* + * NOTICE: This file was modified by SPARTA, Inc. in 2005 to introduce + * support for mandatory and extensible security protections. This notice + * is included in support of clause 2.2 (b) of the Apple Public License, + * Version 2.0. + */ /* * External virtual filesystem routines */ -#undef DIAGNOSTIC -#define DIAGNOSTIC 1 #include #include @@ -80,6 +84,7 @@ #include #include #include +#include #include #include #include @@ -87,6 +92,8 @@ #include #include #include +#include +#include #include #include #include @@ -98,6 +105,7 @@ #include #include #include +#include #include #include @@ -110,10 +118,30 @@ #include #include +#include + +#include /* kalloc()/kfree() */ +#include /* delay_for_interval() */ +#include /* OSAddAtomic() */ + + +#ifdef JOE_DEBUG +#include +#endif + +#include /* vnode_pager_vrele() */ + +#if CONFIG_MACF +#include +#endif extern lck_grp_t *vnode_lck_grp; extern lck_attr_t *vnode_lck_attr; +#if CONFIG_TRIGGERS +extern lck_grp_t *trigger_vnode_lck_grp; +extern lck_attr_t *trigger_vnode_lck_attr; +#endif extern lck_mtx_t * mnt_list_mtx_lock; @@ -126,37 +154,84 @@ int vttoif_tab[9] = { S_IFSOCK, S_IFIFO, S_IFMT, }; -extern int ubc_isinuse_locked(vnode_t, int, int); + +/* XXX These should be in a BSD accessible Mach header, but aren't. */ +extern void memory_object_mark_used( + memory_object_control_t control); + +extern void memory_object_mark_unused( + memory_object_control_t control, + boolean_t rage); + + +/* XXX next protptype should be from */ +extern int nfs_vinvalbuf(vnode_t, int, vfs_context_t, int); + +/* XXX next prototytype should be from libsa/stdlib.h> but conflicts libkern */ +__private_extern__ void qsort( + void * array, + size_t nmembers, + size_t member_size, + int (*)(const void *, const void *)); + extern kern_return_t adjust_vm_object_cache(vm_size_t oval, vm_size_t nval); +__private_extern__ void vntblinit(void); +__private_extern__ kern_return_t reset_vmobjectcache(unsigned int val1, + unsigned int val2); +__private_extern__ int unlink1(vfs_context_t, struct nameidata *, int); + +extern int system_inshutdown; static void vnode_list_add(vnode_t); static void vnode_list_remove(vnode_t); +static void vnode_list_remove_locked(vnode_t); static errno_t vnode_drain(vnode_t); -static void vgone(vnode_t); -static void vclean(vnode_t vp, int flag, proc_t p); -static void vnode_reclaim_internal(vnode_t, int, int); +static void vgone(vnode_t, int flags); +static void vclean(vnode_t vp, int flag); +static void vnode_reclaim_internal(vnode_t, int, int, int); -static void vnode_dropiocount (vnode_t, int); -static errno_t vnode_getiocount(vnode_t vp, int locked, int vid, int vflags); -static int vget_internal(vnode_t, int, int); +static void vnode_dropiocount (vnode_t); static vnode_t checkalias(vnode_t vp, dev_t nvp_rdev); static int vnode_reload(vnode_t); static int vnode_isinuse_locked(vnode_t, int, int); static void insmntque(vnode_t vp, mount_t mp); -mount_t mount_list_lookupby_fsid(fsid_t *, int, int); static int mount_getvfscnt(void); static int mount_fillfsids(fsid_t *, int ); static void vnode_iterate_setup(mount_t); -static int vnode_umount_preflight(mount_t, vnode_t, int); +int vnode_umount_preflight(mount_t, vnode_t, int); static int vnode_iterate_prepare(mount_t); static int vnode_iterate_reloadq(mount_t); static void vnode_iterate_clear(mount_t); +static mount_t vfs_getvfs_locked(fsid_t *); +static int vn_create_reg(vnode_t dvp, vnode_t *vpp, struct nameidata *ndp, + struct vnode_attr *vap, uint32_t flags, int fmode, uint32_t *statusp, vfs_context_t ctx); +static int vnode_authattr_new_internal(vnode_t dvp, struct vnode_attr *vap, int noauth, uint32_t *defaulted_fieldsp, vfs_context_t ctx); + +errno_t rmdir_remove_orphaned_appleDouble(vnode_t, vfs_context_t, int *); + +#ifdef JOE_DEBUG +static void record_vp(vnode_t vp, int count); +#endif + +#if CONFIG_TRIGGERS +static int vnode_resolver_create(mount_t, vnode_t, struct vnode_trigger_param *, boolean_t external); +static void vnode_resolver_detach(vnode_t); +#endif TAILQ_HEAD(freelst, vnode) vnode_free_list; /* vnode free list */ -TAILQ_HEAD(inactivelst, vnode) vnode_inactive_list; /* vnode inactive list */ +TAILQ_HEAD(deadlst, vnode) vnode_dead_list; /* vnode dead list */ + +TAILQ_HEAD(ragelst, vnode) vnode_rage_list; /* vnode rapid age list */ +struct timeval rage_tv; +int rage_limit = 0; +int ragevnodes = 0; + +#define RAGE_LIMIT_MIN 100 +#define RAGE_TIME_LIMIT 5 + struct mntlist mountlist; /* mounted filesystem list */ static int nummounts = 0; @@ -164,18 +239,8 @@ static int nummounts = 0; #define VLISTCHECK(fun, vp, list) \ if ((vp)->v_freelist.tqe_prev == (struct vnode **)0xdeadb) \ panic("%s: %s vnode not on %slist", (fun), (list), (list)); - -#define VINACTIVECHECK(fun, vp, expected) \ - do { \ - int __is_inactive = ISSET((vp)->v_flag, VUINACTIVE); \ - if (__is_inactive ^ expected) \ - panic("%s: %sinactive vnode, expected %s", (fun), \ - __is_inactive? "" : "not ", \ - expected? "inactive": "not inactive"); \ - } while(0) #else #define VLISTCHECK(fun, vp, list) -#define VINACTIVECHECK(fun, vp, expected) #endif /* DIAGNOSTIC */ #define VLISTNONE(vp) \ @@ -196,34 +261,39 @@ static int nummounts = 0; freevnodes--; \ } while(0) -/* remove a vnode from inactive vnode list */ -#define VREMINACTIVE(fun, vp) \ + + +/* remove a vnode from dead vnode list */ +#define VREMDEAD(fun, vp) \ do { \ - VLISTCHECK((fun), (vp), "inactive"); \ - VINACTIVECHECK((fun), (vp), VUINACTIVE); \ - TAILQ_REMOVE(&vnode_inactive_list, (vp), v_freelist); \ - CLR((vp)->v_flag, VUINACTIVE); \ + VLISTCHECK((fun), (vp), "dead"); \ + TAILQ_REMOVE(&vnode_dead_list, (vp), v_freelist); \ VLISTNONE((vp)); \ - inactivevnodes--; \ + vp->v_listflag &= ~VLIST_DEAD; \ + deadvnodes--; \ + } while(0) + + +/* remove a vnode from rage vnode list */ +#define VREMRAGE(fun, vp) \ + do { \ + if ( !(vp->v_listflag & VLIST_RAGE)) \ + panic("VREMRAGE: vp not on rage list"); \ + VLISTCHECK((fun), (vp), "rage"); \ + TAILQ_REMOVE(&vnode_rage_list, (vp), v_freelist); \ + VLISTNONE((vp)); \ + vp->v_listflag &= ~VLIST_RAGE; \ + ragevnodes--; \ } while(0) -/* - * Have to declare first two locks as actual data even if !MACH_SLOCKS, since - * a pointers to them get passed around. - */ -void * mntvnode_slock; -void * mntid_slock; -void * spechash_slock; /* - * vnodetarget is the amount of vnodes we expect to get back - * from the the inactive vnode list and VM object cache. - * As vnreclaim() is a mainly cpu bound operation for faster - * processers this number could be higher. - * Having this number too high introduces longer delays in - * the execution of new_vnode(). + * vnodetarget hasn't been used in a long time, but + * it was exported for some reason... I'm leaving in + * place for now... it should be deprecated out of the + * exports and removed eventually. */ -unsigned long vnodetarget; /* target for vnreclaim() */ +u_int32_t vnodetarget; /* target for vnreclaim() */ #define VNODE_FREE_TARGET 20 /* Default value for vnodetarget */ /* @@ -232,21 +302,7 @@ unsigned long vnodetarget; /* target for vnreclaim() */ * cache. Having too few vnodes on the free list causes serious disk * thrashing as we cycle through them. */ -#define VNODE_FREE_MIN 300 /* freelist should have at least these many */ - -/* - * We need to get vnodes back from the VM object cache when a certain # - * of vnodes are reused from the freelist. This is essential for the - * caching to be effective in the namecache and the buffer cache [for the - * metadata]. - */ -#define VNODE_TOOMANY_REUSED (VNODE_FREE_MIN/4) - -/* - * If we have enough vnodes on the freelist we do not want to reclaim - * the vnodes from the VM object cache. - */ -#define VNODE_FREE_ENOUGH (VNODE_FREE_MIN + (VNODE_FREE_MIN/2)) +#define VNODE_FREE_MIN CONFIG_VNODE_FREE_MIN /* freelist should have at least this many */ /* * Initialize the vnode management data structures. @@ -255,12 +311,19 @@ __private_extern__ void vntblinit(void) { TAILQ_INIT(&vnode_free_list); - TAILQ_INIT(&vnode_inactive_list); + TAILQ_INIT(&vnode_rage_list); + TAILQ_INIT(&vnode_dead_list); TAILQ_INIT(&mountlist); if (!vnodetarget) vnodetarget = VNODE_FREE_TARGET; + microuptime(&rage_tv); + rage_limit = desiredvnodes / 100; + + if (rage_limit < RAGE_LIMIT_MIN) + rage_limit = RAGE_LIMIT_MIN; + /* * Scale the vm_object_cache to accomodate the vnodes * we want to cache @@ -275,6 +338,10 @@ reset_vmobjectcache(unsigned int val1, unsigned int val2) vm_size_t oval = val1 - VNODE_FREE_MIN; vm_size_t nval; + if (val1 == val2) { + return KERN_SUCCESS; + } + if(val2 < VNODE_FREE_MIN) nval = 0; else @@ -286,7 +353,7 @@ reset_vmobjectcache(unsigned int val1, unsigned int val2) /* the timeout is in 10 msecs */ int -vnode_waitforwrites(vnode_t vp, int output_target, int slpflag, int slptimeout, char *msg) { +vnode_waitforwrites(vnode_t vp, int output_target, int slpflag, int slptimeout, const char *msg) { int error = 0; struct timespec ts; @@ -294,18 +361,21 @@ vnode_waitforwrites(vnode_t vp, int output_target, int slpflag, int slptimeout, if (vp->v_numoutput > output_target) { - slpflag &= ~PDROP; + slpflag |= PDROP; - vnode_lock(vp); + vnode_lock_spin(vp); while ((vp->v_numoutput > output_target) && error == 0) { if (output_target) vp->v_flag |= VTHROTTLED; else vp->v_flag |= VBWAIT; + ts.tv_sec = (slptimeout/100); ts.tv_nsec = (slptimeout % 1000) * 10 * NSEC_PER_USEC * 1000 ; error = msleep((caddr_t)&vp->v_numoutput, &vp->v_lock, (slpflag | (PRIBIO + 1)), msg, &ts); + + vnode_lock_spin(vp); } vnode_unlock(vp); } @@ -326,27 +396,27 @@ void vnode_writedone(vnode_t vp) { if (vp) { - int need_wakeup = 0; - + int need_wakeup = 0; + OSAddAtomic(-1, &vp->v_numoutput); - vnode_lock(vp); + vnode_lock_spin(vp); if (vp->v_numoutput < 0) panic("vnode_writedone: numoutput < 0"); - if ((vp->v_flag & VTHROTTLED) && (vp->v_numoutput < (VNODE_ASYNC_THROTTLE / 3))) { + if ((vp->v_flag & VTHROTTLED)) { vp->v_flag &= ~VTHROTTLED; need_wakeup = 1; } if ((vp->v_flag & VBWAIT) && (vp->v_numoutput == 0)) { - vp->v_flag &= ~VBWAIT; + vp->v_flag &= ~VBWAIT; need_wakeup = 1; } vnode_unlock(vp); if (need_wakeup) - wakeup((caddr_t)&vp->v_numoutput); + wakeup((caddr_t)&vp->v_numoutput); } } @@ -398,21 +468,24 @@ vnode_iterate_setup(mount_t mp) { while (mp->mnt_lflag & MNT_LITER) { mp->mnt_lflag |= MNT_LITERWAIT; - msleep((caddr_t)mp, &mp->mnt_mlock, PVFS, "vnode_iterate_setup", 0); + msleep((caddr_t)mp, &mp->mnt_mlock, PVFS, "vnode_iterate_setup", NULL); } mp->mnt_lflag |= MNT_LITER; } -static int +int vnode_umount_preflight(mount_t mp, vnode_t skipvp, int flags) { vnode_t vp; TAILQ_FOREACH(vp, &mp->mnt_vnodelist, v_mntvnodes) { - if (vp->v_type == VDIR) - continue; + /* disable preflight only for udf, a hack to be removed after 4073176 is fixed */ + if (vp->v_tag == VT_UDF) + return 0; + if (vp->v_type == VDIR) + continue; if (vp == skipvp) continue; if ((flags & SKIPSYSTEM) && ((vp->v_flag & VSYSTEM) || @@ -513,11 +586,8 @@ vnode_iterate_clear(mount_t mp) int -vnode_iterate(mp, flags, callout, arg) - mount_t mp; - int flags; - int (*callout)(struct vnode *, void *); - void * arg; +vnode_iterate(mount_t mp, int flags, int (*callout)(struct vnode *, void *), + void *arg) { struct vnode *vp; int vid, retval; @@ -613,6 +683,12 @@ mount_lock(mount_t mp) lck_mtx_lock(&mp->mnt_mlock); } +void +mount_lock_spin(mount_t mp) +{ + lck_mtx_lock_spin(&mp->mnt_mlock); +} + void mount_unlock(mount_t mp) { @@ -624,7 +700,7 @@ void mount_ref(mount_t mp, int locked) { if ( !locked) - mount_lock(mp); + mount_lock_spin(mp); mp->mnt_count++; @@ -637,7 +713,7 @@ void mount_drop(mount_t mp, int locked) { if ( !locked) - mount_lock(mp); + mount_lock_spin(mp); mp->mnt_count--; @@ -696,7 +772,7 @@ mount_iterdrain(mount_t mp) { mount_list_lock(); while (mp->mnt_iterref) - msleep((caddr_t)&mp->mnt_iterref, mnt_list_mtx_lock, PVFS, "mount_iterdrain", 0 ); + msleep((caddr_t)&mp->mnt_iterref, mnt_list_mtx_lock, PVFS, "mount_iterdrain", NULL); /* mount iterations drained */ mp->mnt_iterref = -1; mount_list_unlock(); @@ -719,7 +795,7 @@ mount_refdrain(mount_t mp) mp->mnt_lflag |= MNT_LDRAIN; while (mp->mnt_count) - msleep((caddr_t)&mp->mnt_lflag, &mp->mnt_mlock, PVFS, "mount_drain", 0 ); + msleep((caddr_t)&mp->mnt_lflag, &mp->mnt_mlock, PVFS, "mount_drain", NULL); if (mp->mnt_vnodelist.tqh_first != NULL) panic("mount_refdrain: dangling vnode"); @@ -729,6 +805,13 @@ mount_refdrain(mount_t mp) return(0); } +/* Tags the mount point as not supportine extended readdir for NFS exports */ +void +mount_set_noreaddirext(mount_t mp) { + mount_lock (mp); + mp->mnt_kern_flag |= MNTK_DENY_READDIREXT; + mount_unlock (mp); +} /* * Mark a mount point as busy. Used to synchronize access and to delay @@ -760,7 +843,7 @@ restart: * wakeup needs to be done is at the release of the * exclusive lock at the end of dounmount. */ - msleep((caddr_t)mp, &mp->mnt_mlock, (PVFS | PDROP), "vfsbusy", 0 ); + msleep((caddr_t)mp, &mp->mnt_mlock, (PVFS | PDROP), "vfsbusy", NULL); return (ENOENT); } mount_unlock(mp); @@ -802,6 +885,10 @@ vfs_rootmountfailed(mount_t mp) { mount_lock_destroy(mp); +#if CONFIG_MACF + mac_mount_label_destroy(mp); +#endif + FREE_ZONE(mp, sizeof(struct mount), M_MOUNT); } @@ -816,8 +903,8 @@ vfs_rootmountalloc_internal(struct vfstable *vfsp, const char *devname) { mount_t mp; - mp = _MALLOC_ZONE((u_long)sizeof(struct mount), M_MOUNT, M_WAITOK); - bzero((char *)mp, (u_long)sizeof(struct mount)); + mp = _MALLOC_ZONE(sizeof(struct mount), M_MOUNT, M_WAITOK); + bzero((char *)mp, sizeof(struct mount)); /* Initialize the default IO constraints */ mp->mnt_maxreadcnt = mp->mnt_maxwritecnt = MAXPHYS; @@ -825,6 +912,14 @@ vfs_rootmountalloc_internal(struct vfstable *vfsp, const char *devname) mp->mnt_maxsegreadsize = mp->mnt_maxreadcnt; mp->mnt_maxsegwritesize = mp->mnt_maxwritecnt; mp->mnt_devblocksize = DEV_BSIZE; + mp->mnt_alignmentmask = PAGE_MASK; + mp->mnt_ioqueue_depth = MNT_DEFAULT_IOQUEUE_DEPTH; + mp->mnt_ioscale = 1; + mp->mnt_ioflags = 0; + mp->mnt_realrootvp = NULLVP; + mp->mnt_authcache_ttl = CACHED_LOOKUP_RIGHT_TTL; + mp->mnt_throttle_mask = LOWPRI_MAX_NUM_DEV - 1; + mp->mnt_devbsdunit = 0; mount_lock_init(mp); (void)vfs_busy(mp, LK_NOWAIT); @@ -846,8 +941,13 @@ vfs_rootmountalloc_internal(struct vfstable *vfsp, const char *devname) strncpy(mp->mnt_vfsstat.f_fstypename, vfsp->vfc_name, MFSTYPENAMELEN); mp->mnt_vfsstat.f_mntonname[0] = '/'; - (void) copystr((char *)devname, mp->mnt_vfsstat.f_mntfromname, MAXPATHLEN - 1, 0); + /* XXX const poisoning layering violation */ + (void) copystr((const void *)devname, mp->mnt_vfsstat.f_mntfromname, MAXPATHLEN - 1, NULL); +#if CONFIG_MACF + mac_mount_label_init(mp); + mac_mount_label_associate(vfs_context_kernel(), mp); +#endif return (mp); } @@ -857,7 +957,8 @@ vfs_rootmountalloc(const char *fstypename, const char *devname, mount_t *mpp) struct vfstable *vfsp; for (vfsp = vfsconf; vfsp; vfsp = vfsp->vfc_next) - if (!strcmp(vfsp->vfc_name, fstypename)) + if (!strncmp(vfsp->vfc_name, fstypename, + sizeof(vfsp->vfc_name))) break; if (vfsp == NULL) return (ENODEV); @@ -880,26 +981,34 @@ vfs_rootmountalloc(const char *fstypename, const char *devname, mount_t *mpp) extern int (*mountroot)(void); int -vfs_mountroot() +vfs_mountroot(void) { +#if CONFIG_MACF + struct vnode *vp; +#endif struct vfstable *vfsp; - struct vfs_context context; + vfs_context_t ctx = vfs_context_kernel(); + struct vfs_attr vfsattr; int error; mount_t mp; + vnode_t bdevvp_rootvp; if (mountroot != NULL) { - /* + /* * used for netboot which follows a different set of rules */ - error = (*mountroot)(); + error = (*mountroot)(); return (error); } if ((error = bdevvp(rootdev, &rootvp))) { - printf("vfs_mountroot: can't setup bdevvp\n"); + printf("vfs_mountroot: can't setup bdevvp\n"); return (error); } - context.vc_proc = current_proc(); - context.vc_ucred = kauth_cred_get(); + /* + * 4951998 - code we call in vfc_mountroot may replace rootvp + * so keep a local copy for some house keeping. + */ + bdevvp_rootvp = rootvp; for (vfsp = vfsconf; vfsp; vfsp = vfsp->vfc_next) { if (vfsp->vfc_mountroot == NULL) @@ -908,10 +1017,24 @@ vfs_mountroot() mp = vfs_rootmountalloc_internal(vfsp, "root_device"); mp->mnt_devvp = rootvp; - if ((error = (*vfsp->vfc_mountroot)(mp, rootvp, &context)) == 0) { - mp->mnt_devvp->v_specflags |= SI_MOUNTEDON; + if ((error = (*vfsp->vfc_mountroot)(mp, rootvp, ctx)) == 0) { + if ( bdevvp_rootvp != rootvp ) { + /* + * rootvp changed... + * bump the iocount and fix up mnt_devvp for the + * new rootvp (it will already have a usecount taken)... + * drop the iocount and the usecount on the orignal + * since we are no longer going to use it... + */ + vnode_getwithref(rootvp); + mp->mnt_devvp = rootvp; + + vnode_rele(bdevvp_rootvp); + vnode_put(bdevvp_rootvp); + } + mp->mnt_devvp->v_specflags |= SI_MOUNTEDON; - vfs_unbusy(mp); + vfs_unbusy(mp); mount_list_add(mp); @@ -922,15 +1045,79 @@ vfs_mountroot() * defaults will have been set, so no reason to bail or care */ vfs_init_io_attributes(rootvp, mp); + + /* + * Shadow the VFC_VFSNATIVEXATTR flag to MNTK_EXTENDED_ATTRS. + */ + if (mp->mnt_vtable->vfc_vfsflags & VFC_VFSNATIVEXATTR) { + mp->mnt_kern_flag |= MNTK_EXTENDED_ATTRS; + } + if (mp->mnt_vtable->vfc_vfsflags & VFC_VFSPREFLIGHT) { + mp->mnt_kern_flag |= MNTK_UNMOUNT_PREFLIGHT; + } + + /* + * Probe root file system for additional features. + */ + (void)VFS_START(mp, 0, ctx); + + VFSATTR_INIT(&vfsattr); + VFSATTR_WANTED(&vfsattr, f_capabilities); + if (vfs_getattr(mp, &vfsattr, ctx) == 0 && + VFSATTR_IS_SUPPORTED(&vfsattr, f_capabilities)) { + if ((vfsattr.f_capabilities.capabilities[VOL_CAPABILITIES_INTERFACES] & VOL_CAP_INT_EXTENDED_ATTR) && + (vfsattr.f_capabilities.valid[VOL_CAPABILITIES_INTERFACES] & VOL_CAP_INT_EXTENDED_ATTR)) { + mp->mnt_kern_flag |= MNTK_EXTENDED_ATTRS; + } +#if NAMEDSTREAMS + if ((vfsattr.f_capabilities.capabilities[VOL_CAPABILITIES_INTERFACES] & VOL_CAP_INT_NAMEDSTREAMS) && + (vfsattr.f_capabilities.valid[VOL_CAPABILITIES_INTERFACES] & VOL_CAP_INT_NAMEDSTREAMS)) { + mp->mnt_kern_flag |= MNTK_NAMED_STREAMS; + } +#endif + if ((vfsattr.f_capabilities.capabilities[VOL_CAPABILITIES_FORMAT] & VOL_CAP_FMT_PATH_FROM_ID) && + (vfsattr.f_capabilities.valid[VOL_CAPABILITIES_FORMAT] & VOL_CAP_FMT_PATH_FROM_ID)) { + mp->mnt_kern_flag |= MNTK_PATH_FROM_ID; + } + } + /* * get rid of iocount reference returned - * by bdevvp... it will have also taken + * by bdevvp (or picked up by us on the substitued + * rootvp)... it (or we) will have also taken * a usecount reference which we want to keep */ vnode_put(rootvp); +#if CONFIG_MACF + if ((vfs_flags(mp) & MNT_MULTILABEL) == 0) + return (0); + + error = VFS_ROOT(mp, &vp, ctx); + if (error) { + printf("%s() VFS_ROOT() returned %d\n", + __func__, error); + dounmount(mp, MNT_FORCE, 0, ctx); + goto fail; + } + error = vnode_label(mp, NULL, vp, NULL, 0, ctx); + /* + * get rid of reference provided by VFS_ROOT + */ + vnode_put(vp); + + if (error) { + printf("%s() vnode_label() returned %d\n", + __func__, error); + dounmount(mp, MNT_FORCE, 0, ctx); + goto fail; + } +#endif return (0); } +#if CONFIG_MACF +fail: +#endif vfs_rootmountfailed(mp); if (error != EINVAL) @@ -942,32 +1129,32 @@ vfs_mountroot() /* * Lookup a mount point by filesystem identifier. */ -extern mount_t vfs_getvfs_locked(fsid_t *); struct mount * -vfs_getvfs(fsid) - fsid_t *fsid; +vfs_getvfs(fsid_t *fsid) { return (mount_list_lookupby_fsid(fsid, 0, 0)); } -struct mount * -vfs_getvfs_locked(fsid) - fsid_t *fsid; +static struct mount * +vfs_getvfs_locked(fsid_t *fsid) { return(mount_list_lookupby_fsid(fsid, 1, 0)); } struct mount * -vfs_getvfs_by_mntonname(u_char *path) +vfs_getvfs_by_mntonname(char *path) { mount_t retmp = (mount_t)0; mount_t mp; mount_list_lock(); TAILQ_FOREACH(mp, &mountlist, mnt_list) { - if (!strcmp(mp->mnt_vfsstat.f_mntonname, path)) { + if (!strncmp(mp->mnt_vfsstat.f_mntonname, path, + sizeof(mp->mnt_vfsstat.f_mntonname))) { retmp = mp; + if (mount_iterref(retmp, 1)) + retmp = NULL; goto out; } } @@ -982,8 +1169,7 @@ u_short mntid_gen = 0; * Get a new unique fsid */ void -vfs_getnewfsid(mp) - struct mount *mp; +vfs_getnewfsid(struct mount *mp) { fsid_t tfsid; @@ -1015,8 +1201,7 @@ vfs_getnewfsid(mp) * Routines having to do with the management of the vnode table. */ extern int (**dead_vnodeop_p)(void *); -long numvnodes, freevnodes; -long inactivevnodes; +long numvnodes, freevnodes, deadvnodes; /* @@ -1034,7 +1219,7 @@ insmntque(vnode_t vp, mount_t mp) panic("insmntque: vp not in mount vnode list"); vp->v_lflag &= ~VNAMED_MOUNT; - mount_lock(lmp); + mount_lock_spin(lmp); mount_drop(lmp, 1); @@ -1049,8 +1234,8 @@ insmntque(vnode_t vp, mount_t mp) vp->v_mntvnodes.tqe_next->v_mntvnodes.tqe_prev = vp->v_mntvnodes.tqe_prev; *vp->v_mntvnodes.tqe_prev = vp->v_mntvnodes.tqe_next; } - vp->v_mntvnodes.tqe_next = 0; - vp->v_mntvnodes.tqe_prev = 0; + vp->v_mntvnodes.tqe_next = NULL; + vp->v_mntvnodes.tqe_prev = NULL; mount_unlock(lmp); return; } @@ -1059,7 +1244,7 @@ insmntque(vnode_t vp, mount_t mp) * Insert into list of vnodes for the new mount point, if available. */ if ((vp->v_mount = mp) != NULL) { - mount_lock(mp); + mount_lock_spin(mp); if ((vp->v_mntvnodes.tqe_next != 0) && (vp->v_mntvnodes.tqe_prev != 0)) panic("vp already in mount list"); if (mp->mnt_lflag & MNT_LITER) @@ -1068,8 +1253,6 @@ insmntque(vnode_t vp, mount_t mp) TAILQ_INSERT_HEAD(&mp->mnt_vnodelist, vp, v_mntvnodes); if (vp->v_lflag & VNAMED_MOUNT) panic("insmntque: vp already in mount vnode list"); - if ((vp->v_freelist.tqe_prev != (struct vnode **)0xdeadb)) - panic("insmntque: vp on the free list\n"); vp->v_lflag |= VNAMED_MOUNT; mount_ref(mp, 1); mount_unlock(mp); @@ -1095,15 +1278,15 @@ bdevvp(dev_t dev, vnode_t *vpp) return (ENODEV); } - context.vc_proc = current_proc(); + context.vc_thread = current_thread(); context.vc_ucred = FSCRED; vfsp.vnfs_mp = (struct mount *)0; vfsp.vnfs_vtype = VBLK; vfsp.vnfs_str = "bdevvp"; - vfsp.vnfs_dvp = 0; - vfsp.vnfs_fsnode = 0; - vfsp.vnfs_cnp = 0; + vfsp.vnfs_dvp = NULL; + vfsp.vnfs_fsnode = NULL; + vfsp.vnfs_cnp = NULL; vfsp.vnfs_vops = spec_vnodeop_p; vfsp.vnfs_rdev = dev; vfsp.vnfs_filesize = 0; @@ -1117,6 +1300,10 @@ bdevvp(dev_t dev, vnode_t *vpp) *vpp = NULLVP; return (error); } + vnode_lock_spin(nvp); + nvp->v_flag |= VBDEVVP; + nvp->v_tag = VT_NON; /* set this to VT_NON so during aliasing it can be replaced */ + vnode_unlock(nvp); if ( (error = vnode_ref(nvp)) ) { panic("bdevvp failed: vnode_ref"); return (error); @@ -1129,6 +1316,14 @@ bdevvp(dev_t dev, vnode_t *vpp) panic("bdevvp failed: invalidateblks"); return (error); } + +#if CONFIG_MACF + /* + * XXXMAC: We can't put a MAC check here, the system will + * panic without this vnode. + */ +#endif /* MAC */ + if ( (error = VNOP_OPEN(nvp, FREAD, &context)) ) { panic("bdevvp failed: open"); return (error); @@ -1147,12 +1342,11 @@ bdevvp(dev_t dev, vnode_t *vpp) * caller is responsible for filling it with its new contents. */ static vnode_t -checkalias(nvp, nvp_rdev) - register struct vnode *nvp; - dev_t nvp_rdev; +checkalias(struct vnode *nvp, dev_t nvp_rdev) { struct vnode *vp; struct vnode **vpp; + struct specinfo *sin = NULL; int vid = 0; vpp = &speclisth[SPECHASH(nvp_rdev)]; @@ -1168,6 +1362,7 @@ loop: SPECHASH_UNLOCK(); if (vp) { +found_alias: if (vnode_getwithvid(vp,vid)) { goto loop; } @@ -1180,34 +1375,65 @@ loop: * Alias, but not in use, so flush it out. */ if ((vp->v_iocount == 1) && (vp->v_usecount == 0)) { - vnode_reclaim_internal(vp, 1, 0); + vnode_reclaim_internal(vp, 1, 1, 0); + vnode_put_locked(vp); vnode_unlock(vp); - vnode_put(vp); goto loop; } + } if (vp == NULL || vp->v_tag != VT_NON) { - MALLOC_ZONE(nvp->v_specinfo, struct specinfo *, sizeof(struct specinfo), - M_SPECINFO, M_WAITOK); + if (sin == NULL) { + MALLOC_ZONE(sin, struct specinfo *, sizeof(struct specinfo), + M_SPECINFO, M_WAITOK); + } + + nvp->v_specinfo = sin; bzero(nvp->v_specinfo, sizeof(struct specinfo)); nvp->v_rdev = nvp_rdev; nvp->v_specflags = 0; nvp->v_speclastr = -1; + nvp->v_specinfo->si_opencount = 0; SPECHASH_LOCK(); + + /* We dropped the lock, someone could have added */ + if (vp == NULLVP) { + for (vp = *vpp; vp; vp = vp->v_specnext) { + if (nvp_rdev == vp->v_rdev && nvp->v_type == vp->v_type) { + vid = vp->v_id; + SPECHASH_UNLOCK(); + goto found_alias; + } + } + } + nvp->v_hashchain = vpp; nvp->v_specnext = *vpp; *vpp = nvp; - SPECHASH_UNLOCK(); if (vp != NULLVP) { - nvp->v_flag |= VALIASED; - vp->v_flag |= VALIASED; + nvp->v_specflags |= SI_ALIASED; + vp->v_specflags |= SI_ALIASED; + SPECHASH_UNLOCK(); + vnode_put_locked(vp); vnode_unlock(vp); - vnode_put(vp); + } else { + SPECHASH_UNLOCK(); } + return (NULLVP); } + + if (sin) { + FREE_ZONE(sin, sizeof(struct specinfo), M_SPECINFO); + } + + if ((vp->v_flag & (VBDEVVP | VDEVFLUSH)) != 0) + return(vp); + + panic("checkalias with VT_NON vp that shouldn't: %p", vp); + return (vp); } @@ -1222,18 +1448,12 @@ loop: * and an error returned to indicate that the vnode is no longer * usable (possibly having been changed to a new file system type). */ -static int +int vget_internal(vnode_t vp, int vid, int vflags) { int error = 0; - u_long vpid; - - vnode_lock(vp); - if (vflags & VNODE_WITHID) - vpid = vid; - else - vpid = vp->v_id; // save off the original v_id + vnode_lock_spin(vp); if ((vflags & VNODE_WRITEABLE) && (vp->v_writecount == 0)) /* @@ -1241,26 +1461,34 @@ vget_internal(vnode_t vp, int vid, int vflags) */ error = EINVAL; else - error = vnode_getiocount(vp, 1, vpid, vflags); + error = vnode_getiocount(vp, vid, vflags); vnode_unlock(vp); return (error); } +/* + * Returns: 0 Success + * ENOENT No such file or directory [terminating] + */ int vnode_ref(vnode_t vp) { - return (vnode_ref_ext(vp, 0)); + return (vnode_ref_ext(vp, 0, 0)); } +/* + * Returns: 0 Success + * ENOENT No such file or directory [terminating] + */ int -vnode_ref_ext(vnode_t vp, int fmode) +vnode_ref_ext(vnode_t vp, int fmode, int flags) { int error = 0; - vnode_lock(vp); + vnode_lock_spin(vp); /* * once all the current call sites have been fixed to insure they have @@ -1268,15 +1496,17 @@ vnode_ref_ext(vnode_t vp, int fmode) * iocount is non-zero... a non-zero usecount doesn't insure correctness */ if (vp->v_iocount <= 0 && vp->v_usecount <= 0) - panic("vnode_ref_ext: vp %x has no valid reference %d, %d", vp, vp->v_iocount, vp->v_usecount); + panic("vnode_ref_ext: vp %p has no valid reference %d, %d", vp, vp->v_iocount, vp->v_usecount); /* * if you are the owner of drain/termination, can acquire usecount */ - if ((vp->v_lflag & (VL_DRAIN | VL_TERMINATE | VL_DEAD))) { - if (vp->v_owner != current_thread()) { - error = ENOENT; - goto out; + if ((flags & VNODE_REF_FORCE) == 0) { + if ((vp->v_lflag & (VL_DRAIN | VL_TERMINATE | VL_DEAD))) { + if (vp->v_owner != current_thread()) { + error = ENOENT; + goto out; + } } } vp->v_usecount++; @@ -1289,6 +1519,33 @@ vnode_ref_ext(vnode_t vp, int fmode) if (++vp->v_kusecount <= 0) panic("vnode_ref_ext: v_kusecount"); } + if (vp->v_flag & VRAGE) { + struct uthread *ut; + + ut = get_bsdthread_info(current_thread()); + + if ( !(current_proc()->p_lflag & P_LRAGE_VNODES) && + !(ut->uu_flag & UT_RAGE_VNODES)) { + /* + * a 'normal' process accessed this vnode + * so make sure its no longer marked + * for rapid aging... also, make sure + * it gets removed from the rage list... + * when v_usecount drops back to 0, it + * will be put back on the real free list + */ + vp->v_flag &= ~VRAGE; + vp->v_references = 0; + vnode_list_remove(vp); + } + } + if (vp->v_usecount == 1 && vp->v_type == VREG && !(vp->v_flag & VSYSTEM)) { + + if (vp->v_ubcinfo) { + vnode_lock_convert(vp); + memory_object_mark_used(vp->v_ubcinfo->ui_control); + } + } out: vnode_unlock(vp); @@ -1303,34 +1560,93 @@ out: static void vnode_list_add(vnode_t vp) { - +#if DIAGNOSTIC + lck_mtx_assert(&vp->v_lock, LCK_MTX_ASSERT_OWNED); +#endif /* * if it is already on a list or non zero references return */ - if (VONLIST(vp) || (vp->v_usecount != 0) || (vp->v_iocount != 0)) + if (VONLIST(vp) || (vp->v_usecount != 0) || (vp->v_iocount != 0) || (vp->v_lflag & VL_TERMINATE)) return; + vnode_list_lock(); - /* - * insert at tail of LRU list or at head if VAGE or VL_DEAD is set - */ - if ((vp->v_flag & VAGE) || (vp->v_lflag & VL_DEAD)) { - TAILQ_INSERT_HEAD(&vnode_free_list, vp, v_freelist); - vp->v_flag &= ~VAGE; + if ((vp->v_flag & VRAGE) && !(vp->v_lflag & VL_DEAD)) { + /* + * add the new guy to the appropriate end of the RAGE list + */ + if ((vp->v_flag & VAGE)) + TAILQ_INSERT_HEAD(&vnode_rage_list, vp, v_freelist); + else + TAILQ_INSERT_TAIL(&vnode_rage_list, vp, v_freelist); + + vp->v_listflag |= VLIST_RAGE; + ragevnodes++; + + /* + * reset the timestamp for the last inserted vp on the RAGE + * queue to let new_vnode know that its not ok to start stealing + * from this list... as long as we're actively adding to this list + * we'll push out the vnodes we want to donate to the real free list + * once we stop pushing, we'll let some time elapse before we start + * stealing them in the new_vnode routine + */ + microuptime(&rage_tv); } else { - TAILQ_INSERT_TAIL(&vnode_free_list, vp, v_freelist); + /* + * if VL_DEAD, insert it at head of the dead list + * else insert at tail of LRU list or at head if VAGE is set + */ + if ( (vp->v_lflag & VL_DEAD)) { + TAILQ_INSERT_HEAD(&vnode_dead_list, vp, v_freelist); + vp->v_listflag |= VLIST_DEAD; + deadvnodes++; + } else if ((vp->v_flag & VAGE)) { + TAILQ_INSERT_HEAD(&vnode_free_list, vp, v_freelist); + vp->v_flag &= ~VAGE; + freevnodes++; + } else { + TAILQ_INSERT_TAIL(&vnode_free_list, vp, v_freelist); + freevnodes++; + } } - freevnodes++; - vnode_list_unlock(); } + +/* + * remove the vnode from appropriate free list. + * called with vnode LOCKED and + * the list lock held + */ +static void +vnode_list_remove_locked(vnode_t vp) +{ + if (VONLIST(vp)) { + /* + * the v_listflag field is + * protected by the vnode_list_lock + */ + if (vp->v_listflag & VLIST_RAGE) + VREMRAGE("vnode_list_remove", vp); + else if (vp->v_listflag & VLIST_DEAD) + VREMDEAD("vnode_list_remove", vp); + else + VREMFREE("vnode_list_remove", vp); + } +} + + /* * remove the vnode from appropriate free list. + * called with vnode LOCKED */ static void vnode_list_remove(vnode_t vp) { +#if DIAGNOSTIC + lck_mtx_assert(&vp->v_lock, LCK_MTX_ASSERT_OWNED); +#endif /* * we want to avoid taking the list lock * in the case where we're not on the free @@ -1350,18 +1666,16 @@ vnode_list_remove(vnode_t vp) /* * however, we're not guaranteed that * we won't go from the on-list state - * to the non-on-list state until we + * to the not-on-list state until we * hold the vnode_list_lock... this - * is due to new_vnode removing vnodes + * is due to "new_vnode" removing vnodes * from the free list uder the list_lock * w/o the vnode lock... so we need to * check again whether we're currently * on the free list */ - if (VONLIST(vp)) { - VREMFREE("vnode_list_remove", vp); - VLISTNONE(vp); - } + vnode_list_remove_locked(vp); + vnode_list_unlock(); } } @@ -1384,22 +1698,27 @@ vnode_rele_ext(vnode_t vp, int fmode, int dont_reenter) void vnode_rele_internal(vnode_t vp, int fmode, int dont_reenter, int locked) { - struct vfs_context context; if ( !locked) - vnode_lock(vp); - + vnode_lock_spin(vp); +#if DIAGNOSTIC + else + lck_mtx_assert(&vp->v_lock, LCK_MTX_ASSERT_OWNED); +#endif if (--vp->v_usecount < 0) - panic("vnode_rele_ext: vp %x usecount -ve : %d", vp, vp->v_usecount); + panic("vnode_rele_ext: vp %p usecount -ve : %d. v_tag = %d, v_type = %d, v_flag = %x.", vp, vp->v_usecount, vp->v_tag, vp->v_type, vp->v_flag); if (fmode & FWRITE) { if (--vp->v_writecount < 0) - panic("vnode_rele_ext: vp %x writecount -ve : %d", vp, vp->v_writecount); + panic("vnode_rele_ext: vp %p writecount -ve : %d. v_tag = %d, v_type = %d, v_flag = %x.", vp, vp->v_writecount, vp->v_tag, vp->v_type, vp->v_flag); } if (fmode & O_EVTONLY) { if (--vp->v_kusecount < 0) - panic("vnode_rele_ext: vp %x kusecount -ve : %d", vp, vp->v_kusecount); + panic("vnode_rele_ext: vp %p kusecount -ve : %d. v_tag = %d, v_type = %d, v_flag = %x.", vp, vp->v_kusecount, vp->v_tag, vp->v_type, vp->v_flag); } + if (vp->v_kusecount > vp->v_usecount) + panic("vnode_rele_ext: vp %p kusecount(%d) out of balance with usecount(%d). v_tag = %d, v_type = %d, v_flag = %x.",vp, vp->v_kusecount, vp->v_usecount, vp->v_tag, vp->v_type, vp->v_flag); + if ((vp->v_iocount > 0) || (vp->v_usecount > 0)) { /* * vnode is still busy... if we're the last @@ -1408,13 +1727,11 @@ vnode_rele_internal(vnode_t vp, int fmode, int dont_reenter, int locked) */ if (vp->v_usecount == 0) { vp->v_lflag |= VL_NEEDINACTIVE; - vp->v_flag &= ~(VNOCACHE_DATA | VRAOFF); + vp->v_flag &= ~(VNOCACHE_DATA | VRAOFF | VOPENEVT); } - if ( !locked) - vnode_unlock(vp); - return; + goto done; } - vp->v_flag &= ~(VNOCACHE_DATA | VRAOFF); + vp->v_flag &= ~(VNOCACHE_DATA | VRAOFF | VOPENEVT); if ( (vp->v_lflag & (VL_TERMINATE | VL_DEAD)) || dont_reenter) { /* @@ -1430,9 +1747,8 @@ vnode_rele_internal(vnode_t vp, int fmode, int dont_reenter, int locked) vp->v_flag |= VAGE; } vnode_list_add(vp); - if ( !locked) - vnode_unlock(vp); - return; + + goto done; } /* * at this point both the iocount and usecount @@ -1447,11 +1763,9 @@ vnode_rele_internal(vnode_t vp, int fmode, int dont_reenter, int locked) vp->v_lflag &= ~VL_NEEDINACTIVE; vnode_unlock(vp); - context.vc_proc = current_proc(); - context.vc_ucred = kauth_cred_get(); - VNOP_INACTIVE(vp, &context); + VNOP_INACTIVE(vp, vfs_context_current()); - vnode_lock(vp); + vnode_lock_spin(vp); /* * because we dropped the vnode lock to call VNOP_INACTIVE * the state of the vnode may have changed... we may have @@ -1469,14 +1783,22 @@ vnode_rele_internal(vnode_t vp, int fmode, int dont_reenter, int locked) if (ut->uu_defer_reclaims) { vp->v_defer_reclaimlist = ut->uu_vreclaims; - ut->uu_vreclaims = vp; - goto defer_reclaim; + ut->uu_vreclaims = vp; + goto done; } - vnode_reclaim_internal(vp, 1, 0); + vnode_lock_convert(vp); + vnode_reclaim_internal(vp, 1, 1, 0); } - vnode_dropiocount(vp, 1); + vnode_dropiocount(vp); vnode_list_add(vp); -defer_reclaim: +done: + if (vp->v_usecount == 0 && vp->v_type == VREG && !(vp->v_flag & VSYSTEM)) { + + if (vp->v_ubcinfo) { + vnode_lock_convert(vp); + memory_object_mark_unused(vp->v_ubcinfo->ui_control, (vp->v_flag & VRAGE) == VRAGE); + } + } if ( !locked) vnode_unlock(vp); return; @@ -1498,16 +1820,13 @@ struct ctldebug debug1 = { "busyprt", &busyprt }; #endif int -vflush(mp, skipvp, flags) - struct mount *mp; - struct vnode *skipvp; - int flags; +vflush(struct mount *mp, struct vnode *skipvp, int flags) { - struct proc *p = current_proc(); struct vnode *vp; int busy = 0; int reclaimed = 0; - int vid, retval; + int retval; + unsigned int vid; mount_lock(mp); vnode_iterate_setup(mp); @@ -1518,7 +1837,7 @@ vflush(mp, skipvp, flags) * tries unmounting every so often to see whether * it is still busy or not. */ - if ((flags & FORCECLOSE)==0) { + if (((flags & FORCECLOSE)==0) && ((mp->mnt_kern_flag & MNTK_UNMOUNT_PREFLIGHT) != 0)) { if (vnode_umount_preflight(mp, skipvp, flags)) { vnode_iterate_clear(mp); mount_unlock(mp); @@ -1535,17 +1854,20 @@ loop: return(retval); } - /* iterate over all the vnodes */ - while (!TAILQ_EMPTY(&mp->mnt_workerqueue)) { - vp = TAILQ_FIRST(&mp->mnt_workerqueue); - TAILQ_REMOVE(&mp->mnt_workerqueue, vp, v_mntvnodes); - TAILQ_INSERT_TAIL(&mp->mnt_vnodelist, vp, v_mntvnodes); - if ( (vp->v_mount != mp) || (vp == skipvp)) { - continue; - } - vid = vp->v_id; - mount_unlock(mp); - vnode_lock(vp); + /* iterate over all the vnodes */ + while (!TAILQ_EMPTY(&mp->mnt_workerqueue)) { + + vp = TAILQ_FIRST(&mp->mnt_workerqueue); + TAILQ_REMOVE(&mp->mnt_workerqueue, vp, v_mntvnodes); + TAILQ_INSERT_TAIL(&mp->mnt_vnodelist, vp, v_mntvnodes); + + if ( (vp->v_mount != mp) || (vp == skipvp)) { + continue; + } + vid = vp->v_id; + mount_unlock(mp); + + vnode_lock_spin(vp); if ((vp->v_id != vid) || ((vp->v_lflag & (VL_DEAD | VL_TERMINATE)))) { vnode_unlock(vp); @@ -1572,7 +1894,7 @@ loop: continue; } /* - * If requested, skip over vnodes marked VSWAP. + * If requested, skip over vnodes marked VROOT. */ if ((flags & SKIPROOT) && (vp->v_flag & VROOT)) { vnode_unlock(vp); @@ -1595,15 +1917,17 @@ loop: */ if (((vp->v_usecount == 0) || ((vp->v_usecount - vp->v_kusecount) == 0))) { + + vnode_lock_convert(vp); vp->v_iocount++; /* so that drain waits for * other iocounts */ #ifdef JOE_DEBUG record_vp(vp, 1); #endif - vnode_reclaim_internal(vp, 1, 0); - vnode_dropiocount(vp, 1); + vnode_reclaim_internal(vp, 1, 1, 0); + vnode_dropiocount(vp); vnode_list_add(vp); - vnode_unlock(vp); + reclaimed++; mount_lock(mp); continue; @@ -1614,19 +1938,22 @@ loop: * anonymous device. For all other files, just kill them. */ if (flags & FORCECLOSE) { + vnode_lock_convert(vp); + if (vp->v_type != VBLK && vp->v_type != VCHR) { vp->v_iocount++; /* so that drain waits * for other iocounts */ #ifdef JOE_DEBUG record_vp(vp, 1); #endif - vnode_reclaim_internal(vp, 1, 0); - vnode_dropiocount(vp, 1); + vnode_reclaim_internal(vp, 1, 1, 0); + vnode_dropiocount(vp); vnode_list_add(vp); vnode_unlock(vp); } else { - vclean(vp, 0, p); + vclean(vp, 0); vp->v_lflag &= ~VL_DEAD; vp->v_op = spec_vnodeop_p; + vp->v_flag |= VDEVFLUSH; vnode_unlock(vp); } mount_lock(mp); @@ -1663,22 +1990,22 @@ loop: return (0); } -int num_recycledvnodes=0; +long num_recycledvnodes = 0; /* * Disassociate the underlying file system from a vnode. * The vnode lock is held on entry. */ static void -vclean(vnode_t vp, int flags, proc_t p) +vclean(vnode_t vp, int flags) { - struct vfs_context context; + vfs_context_t ctx = vfs_context_current(); int active; int need_inactive; int already_terminating; - kauth_cred_t ucred = NULL; - - context.vc_proc = p; - context.vc_ucred = kauth_cred_get(); + int clflags = 0; +#if NAMEDSTREAMS + int is_namedstream; +#endif /* * Check to see if the vnode is in use. @@ -1710,22 +2037,21 @@ vclean(vnode_t vp, int flags, proc_t p) */ insmntque(vp, (struct mount *)0); - ucred = vp->v_cred; - vp->v_cred = NOCRED; +#if NAMEDSTREAMS + is_namedstream = vnode_isnamedstream(vp); +#endif vnode_unlock(vp); - if (IS_VALID_CRED(ucred)) - kauth_cred_unref(&ucred); - - OSAddAtomic(1, &num_recycledvnodes); - /* - * purge from the name cache as early as possible... - */ - cache_purge(vp); + OSAddAtomicLong(1, &num_recycledvnodes); + if (flags & DOCLOSE) + clflags |= IO_NDELAY; + if (flags & REVOKEALL) + clflags |= IO_REVOKE; + if (active && (flags & DOCLOSE)) - VNOP_CLOSE(vp, IO_NDELAY, &context); + VNOP_CLOSE(vp, clflags, ctx); /* * Clean out any buffers associated with the vnode. @@ -1733,36 +2059,68 @@ vclean(vnode_t vp, int flags, proc_t p) if (flags & DOCLOSE) { #if NFSCLIENT if (vp->v_tag == VT_NFS) - nfs_vinvalbuf(vp, V_SAVE, NOCRED, p, 0); + nfs_vinvalbuf(vp, V_SAVE, ctx, 0); else #endif { - VNOP_FSYNC(vp, MNT_WAIT, &context); - buf_invalidateblks(vp, BUF_WRITE_DATA, 0, 0); + VNOP_FSYNC(vp, MNT_WAIT, ctx); + buf_invalidateblks(vp, BUF_WRITE_DATA | BUF_INVALIDATE_LOCKED, 0, 0); } if (UBCINFOEXISTS(vp)) /* * Clean the pages in VM. */ - (void)ubc_sync_range(vp, (off_t)0, ubc_getsize(vp), UBC_PUSHALL); + (void)ubc_msync(vp, (off_t)0, ubc_getsize(vp), NULL, UBC_PUSHALL | UBC_INVALIDATE | UBC_SYNC); } - if (UBCINFOEXISTS(vp)) - cluster_release(vp->v_ubcinfo); - if (active || need_inactive) - VNOP_INACTIVE(vp, &context); + VNOP_INACTIVE(vp, ctx); + +#if NAMEDSTREAMS + if ((is_namedstream != 0) && (vp->v_parent != NULLVP)) { + vnode_t pvp = vp->v_parent; + + /* Delete the shadow stream file before we reclaim its vnode */ + if (vnode_isshadow(vp)) { + vnode_relenamedstream(pvp, vp, ctx); + } + + /* + * No more streams associated with the parent. We + * have a ref on it, so its identity is stable. + * If the parent is on an opaque volume, then we need to know + * whether it has associated named streams. + */ + if (vfs_authopaque(pvp->v_mount)) { + vnode_lock_spin(pvp); + pvp->v_lflag &= ~VL_HASSTREAMS; + vnode_unlock(pvp); + } + } +#endif - /* Destroy ubc named reference */ + /* + * Destroy ubc named reference + * cluster_release is done on this path + * along with dropping the reference on the ucred + */ ubc_destroy_named(vp); +#if CONFIG_TRIGGERS + /* + * cleanup trigger info from vnode (if any) + */ + if (vp->v_resolve) + vnode_resolver_detach(vp); +#endif + /* * Reclaim the vnode. */ - if (VNOP_RECLAIM(vp, &context)) + if (VNOP_RECLAIM(vp, ctx)) panic("vclean: cannot reclaim"); // make sure the name & parent ptrs get cleaned out! - vnode_update_identity(vp, NULLVP, NULL, 0, 0, VNODE_UPDATE_PARENT | VNODE_UPDATE_NAME); + vnode_update_identity(vp, NULLVP, NULL, 0, 0, VNODE_UPDATE_PARENT | VNODE_UPDATE_NAME | VNODE_UPDATE_PURGE); vnode_lock(vp); @@ -1790,7 +2148,11 @@ vclean(vnode_t vp, int flags, proc_t p) * and with all vnodes aliased to the requested vnode. */ int +#if DIAGNOSTIC vn_revoke(vnode_t vp, int flags, __unused vfs_context_t a_context) +#else +vn_revoke(vnode_t vp, __unused int flags, __unused vfs_context_t a_context) +#endif { struct vnode *vq; int vid; @@ -1800,23 +2162,20 @@ vn_revoke(vnode_t vp, int flags, __unused vfs_context_t a_context) panic("vnop_revoke"); #endif - if (vp->v_flag & VALIASED) { + if (vnode_isaliased(vp)) { /* * If a vgone (or vclean) is already in progress, - * wait until it is done and return. + * return an immediate error */ - vnode_lock(vp); - if (vp->v_lflag & VL_TERMINATE) { - vnode_unlock(vp); + if (vp->v_lflag & VL_TERMINATE) return(ENOENT); - } - vnode_unlock(vp); + /* * Ensure that vp will not be vgone'd while we * are eliminating its aliases. */ SPECHASH_LOCK(); - while (vp->v_flag & VALIASED) { + while ((vp->v_specflags & SI_ALIASED)) { for (vq = *vp->v_hashchain; vq; vq = vq->v_specnext) { if (vq->v_rdev != vp->v_rdev || vq->v_type != vp->v_type || vp == vq) @@ -1827,7 +2186,7 @@ vn_revoke(vnode_t vp, int flags, __unused vfs_context_t a_context) SPECHASH_LOCK(); break; } - vnode_reclaim_internal(vq, 0, 0); + vnode_reclaim_internal(vq, 0, 1, 0); vnode_put(vq); SPECHASH_LOCK(); break; @@ -1835,7 +2194,7 @@ vn_revoke(vnode_t vp, int flags, __unused vfs_context_t a_context) } SPECHASH_UNLOCK(); } - vnode_reclaim_internal(vp, 0, 0); + vnode_reclaim_internal(vp, 0, 0, REVOKEALL); return (0); } @@ -1845,17 +2204,18 @@ vn_revoke(vnode_t vp, int flags, __unused vfs_context_t a_context) * Release the passed interlock if the vnode will be recycled. */ int -vnode_recycle(vp) - struct vnode *vp; +vnode_recycle(struct vnode *vp) { - vnode_lock(vp); + vnode_lock_spin(vp); if (vp->v_iocount || vp->v_usecount) { vp->v_lflag |= VL_MARKTERM; vnode_unlock(vp); return(0); } - vnode_reclaim_internal(vp, 1, 0); + vnode_lock_convert(vp); + vnode_reclaim_internal(vp, 1, 0, 0); + vnode_unlock(vp); return (1); @@ -1864,7 +2224,7 @@ vnode_recycle(vp) static int vnode_reload(vnode_t vp) { - vnode_lock(vp); + vnode_lock_spin(vp); if ((vp->v_iocount > 1) || vp->v_usecount) { vnode_unlock(vp); @@ -1882,7 +2242,7 @@ vnode_reload(vnode_t vp) static void -vgone(vnode_t vp) +vgone(vnode_t vp, int flags) { struct vnode *vq; struct vnode *vx; @@ -1892,7 +2252,7 @@ vgone(vnode_t vp) * vclean also takes care of removing the * vnode from any mount list it might be on */ - vclean(vp, DOCLOSE, current_proc()); + vclean(vp, flags | DOCLOSE); /* * If special device, remove it from special device alias list @@ -1912,7 +2272,7 @@ vgone(vnode_t vp) if (vq == NULL) panic("missing bdev"); } - if (vp->v_flag & VALIASED) { + if (vp->v_specflags & SI_ALIASED) { vx = NULL; for (vq = *vp->v_hashchain; vq; vq = vq->v_specnext) { if (vq->v_rdev != vp->v_rdev || @@ -1925,8 +2285,8 @@ vgone(vnode_t vp) if (vx == NULL) panic("missing alias"); if (vq == NULL) - vx->v_flag &= ~VALIASED; - vp->v_flag &= ~VALIASED; + vx->v_specflags &= ~SI_ALIASED; + vp->v_specflags &= ~SI_ALIASED; } SPECHASH_UNLOCK(); { @@ -1956,7 +2316,7 @@ loop: SPECHASH_UNLOCK(); if (vnode_getwithvid(vp,vid)) goto loop; - vnode_lock(vp); + vnode_lock_spin(vp); if ((vp->v_usecount > 0) || (vp->v_iocount > 1)) { vnode_unlock(vp); if ((*errorp = vfs_mountedon(vp)) != 0) @@ -1981,37 +2341,57 @@ vcount(vnode_t vp) int vid; loop: - if ((vp->v_flag & VALIASED) == 0) - return (vp->v_usecount - vp->v_kusecount); + if (!vnode_isaliased(vp)) + return (vp->v_specinfo->si_opencount); + count = 0; SPECHASH_LOCK(); - for (count = 0, vq = *vp->v_hashchain; vq; vq = vnext) { - vnext = vq->v_specnext; - if (vq->v_rdev != vp->v_rdev || vq->v_type != vp->v_type) - continue; - vid = vq->v_id; - SPECHASH_UNLOCK(); + /* + * Grab first vnode and its vid. + */ + vq = *vp->v_hashchain; + vid = vq ? vq->v_id : 0; + + SPECHASH_UNLOCK(); + while (vq) { + /* + * Attempt to get the vnode outside the SPECHASH lock. + */ if (vnode_getwithvid(vq, vid)) { goto loop; } - /* - * Alias, but not in use, so flush it out. - */ vnode_lock(vq); - if ((vq->v_usecount == 0) && (vq->v_iocount == 1) && vq != vp) { - vnode_reclaim_internal(vq, 1, 0); - vnode_unlock(vq); - vnode_put(vq); - goto loop; + + if (vq->v_rdev == vp->v_rdev && vq->v_type == vp->v_type) { + if ((vq->v_usecount == 0) && (vq->v_iocount == 1) && vq != vp) { + /* + * Alias, but not in use, so flush it out. + */ + vnode_reclaim_internal(vq, 1, 1, 0); + vnode_put_locked(vq); + vnode_unlock(vq); + goto loop; + } + count += vq->v_specinfo->si_opencount; } - count += (vq->v_usecount - vq->v_kusecount); vnode_unlock(vq); - vnode_put(vq); SPECHASH_LOCK(); + /* + * must do this with the reference still held on 'vq' + * so that it can't be destroyed while we're poking + * through v_specnext + */ + vnext = vq->v_specnext; + vid = vnext ? vnext->v_id : 0; + + SPECHASH_UNLOCK(); + + vnode_put(vq); + + vq = vnext; } - SPECHASH_UNLOCK(); return (count); } @@ -2021,7 +2401,7 @@ int prtactive = 0; /* 1 => print out reclaim of active vnodes */ /* * Print out a description of a vnode. */ -static char *typename[] = +static const char *typename[] = { "VNON", "VREG", "VDIR", "VBLK", "VCHR", "VLNK", "VSOCK", "VFIFO", "VBAD" }; void @@ -2035,17 +2415,17 @@ vprint(const char *label, struct vnode *vp) typename[vp->v_type], vp->v_usecount, vp->v_writecount); sbuf[0] = '\0'; if (vp->v_flag & VROOT) - strcat(sbuf, "|VROOT"); + strlcat(sbuf, "|VROOT", sizeof(sbuf)); if (vp->v_flag & VTEXT) - strcat(sbuf, "|VTEXT"); + strlcat(sbuf, "|VTEXT", sizeof(sbuf)); if (vp->v_flag & VSYSTEM) - strcat(sbuf, "|VSYSTEM"); + strlcat(sbuf, "|VSYSTEM", sizeof(sbuf)); if (vp->v_flag & VNOFLUSH) - strcat(sbuf, "|VNOFLUSH"); + strlcat(sbuf, "|VNOFLUSH", sizeof(sbuf)); if (vp->v_flag & VBWAIT) - strcat(sbuf, "|VBWAIT"); - if (vp->v_flag & VALIASED) - strcat(sbuf, "|VALIASED"); + strlcat(sbuf, "|VBWAIT", sizeof(sbuf)); + if (vnode_isaliased(vp)) + strlcat(sbuf, "|VALIASED", sizeof(sbuf)); if (sbuf[0] != '\0') printf(" flags (%s)", &sbuf[1]); } @@ -2054,7 +2434,19 @@ vprint(const char *label, struct vnode *vp) int vn_getpath(struct vnode *vp, char *pathbuf, int *len) { - return build_path(vp, pathbuf, *len, len); + return build_path(vp, pathbuf, *len, len, BUILDPATH_NO_FS_ENTER, vfs_context_current()); +} + +int +vn_getpath_fsenter(struct vnode *vp, char *pathbuf, int *len) +{ + return build_path(vp, pathbuf, *len, len, 0, vfs_context_current()); +} + +int +vn_getcdhash(struct vnode *vp, off_t offset, unsigned char *cdhash) +{ + return ubc_cs_getcdhash(vp, offset, cdhash); } @@ -2063,9 +2455,9 @@ static int nexts; static int max_ext_width; static int -extension_cmp(void *a, void *b) +extension_cmp(const void *a, const void *b) { - return (strlen((char *)a) - strlen((char *)b)); + return (strlen((const char *)a) - strlen((const char *)b)); } @@ -2081,42 +2473,57 @@ extension_cmp(void *a, void *b) // them (i.e. a short 8 character name can't have an 8 // character extension). // +extern lck_mtx_t *pkg_extensions_lck; + __private_extern__ int -set_package_extensions_table(void *data, int nentries, int maxwidth) +set_package_extensions_table(user_addr_t data, int nentries, int maxwidth) { - char *new_exts, *ptr; - int error, i, len; + char *new_exts, *old_exts; + int error; if (nentries <= 0 || nentries > 1024 || maxwidth <= 0 || maxwidth > 255) { return EINVAL; } - MALLOC(new_exts, char *, nentries * maxwidth, M_TEMP, M_WAITOK); + + // allocate one byte extra so we can guarantee null termination + MALLOC(new_exts, char *, (nentries * maxwidth) + 1, M_TEMP, M_WAITOK); + if (new_exts == NULL) { + return ENOMEM; + } - error = copyin(CAST_USER_ADDR_T(data), new_exts, nentries * maxwidth); + error = copyin(data, new_exts, nentries * maxwidth); if (error) { FREE(new_exts, M_TEMP); return error; } - if (extension_table) { - FREE(extension_table, M_TEMP); - } + new_exts[(nentries * maxwidth)] = '\0'; // guarantee null termination of the block + + qsort(new_exts, nentries, maxwidth, extension_cmp); + + lck_mtx_lock(pkg_extensions_lck); + + old_exts = extension_table; extension_table = new_exts; nexts = nentries; max_ext_width = maxwidth; - qsort(extension_table, nexts, maxwidth, extension_cmp); + lck_mtx_unlock(pkg_extensions_lck); + + if (old_exts) { + FREE(old_exts, M_TEMP); + } return 0; } __private_extern__ int -is_package_name(char *name, int len) +is_package_name(const char *name, int len) { int i, extlen; - char *ptr, *name_ext; + const char *ptr, *name_ext; if (len <= 3) { return 0; @@ -2137,16 +2544,21 @@ is_package_name(char *name, int len) // advance over the "." name_ext++; + lck_mtx_lock(pkg_extensions_lck); + // now iterate over all the extensions to see if any match ptr = &extension_table[0]; for(i=0; i < nexts; i++, ptr+=max_ext_width) { extlen = strlen(ptr); if (strncasecmp(name_ext, ptr, extlen) == 0 && name_ext[extlen] == '\0') { // aha, a match! + lck_mtx_unlock(pkg_extensions_lck); return 1; } } + lck_mtx_unlock(pkg_extensions_lck); + // if we get here, no extension matched return 0; } @@ -2192,6 +2604,25 @@ vn_path_package_check(__unused vnode_t vp, char *path, int pathlen, int *compone return 0; } +/* + * Determine if a name is inappropriate for a searchfs query. + * This list consists of /System currently. + */ + +int vn_searchfs_inappropriate_name(const char *name, int len) { + const char *bad_names[] = { "System" }; + int bad_len[] = { 6 }; + int i; + + for(i=0; i < (int) (sizeof(bad_names) / sizeof(bad_names[0])); i++) { + if (len == bad_len[i] && strncmp(name, bad_names[i], strlen(bad_names[i]) + 1) == 0) { + return 1; + } + } + + // if we get here, no name matched + return 0; +} /* * Top level filesystem related information gathering. @@ -2200,14 +2631,26 @@ extern unsigned int vfs_nummntops; int vfs_sysctl(int *name, u_int namelen, user_addr_t oldp, size_t *oldlenp, - user_addr_t newp, size_t newlen, struct proc *p) + user_addr_t newp, size_t newlen, proc_t p) { struct vfstable *vfsp; int *username; u_int usernamelen; int error; - struct vfsconf *vfsc; + struct vfsconf vfsc; + /* All non VFS_GENERIC and in VFS_GENERIC, + * VFS_MAXTYPENUM, VFS_CONF, VFS_SET_PACKAGE_EXTS + * needs to have root priv to have modifiers. + * For rest the userland_sysctl(CTLFLAG_ANYBODY) would cover. + */ + if ((newp != USER_ADDR_NULL) && ((name[0] != VFS_GENERIC) || + ((name[1] == VFS_MAXTYPENUM) || + (name[1] == VFS_CONF) || + (name[1] == VFS_SET_PACKAGE_EXTS))) + && (error = suser(kauth_cred_get(), &p->p_acflag))) { + return(error); + } /* * The VFS_NUMMNTOPS shouldn't be at name[0] since * is a VFS generic variable. So now we must check @@ -2226,18 +2669,27 @@ vfs_sysctl(int *name, u_int namelen, user_addr_t oldp, size_t *oldlenp, if (namelen < 2) return (EISDIR); /* overloaded */ if (name[0] != VFS_GENERIC) { - struct vfs_context context; - for (vfsp = vfsconf; vfsp; vfsp = vfsp->vfc_next) - if (vfsp->vfc_typenum == name[0]) + mount_list_lock(); + for (vfsp = vfsconf; vfsp; vfsp = vfsp->vfc_next) + if (vfsp->vfc_typenum == name[0]) { + vfsp->vfc_refcount++; break; + } + mount_list_unlock(); + if (vfsp == NULL) return (ENOTSUP); - context.vc_proc = p; - context.vc_ucred = kauth_cred_get(); - return ((*vfsp->vfc_vfsops->vfs_sysctl)(&name[1], namelen - 1, - oldp, oldlenp, newp, newlen, &context)); + /* XXX current context proxy for proc p? */ + error = ((*vfsp->vfc_vfsops->vfs_sysctl)(&name[1], namelen - 1, + oldp, oldlenp, newp, newlen, + vfs_context_current())); + + mount_list_lock(); + vfsp->vfc_refcount--; + mount_list_unlock(); + return error; } switch (name[1]) { case VFS_MAXTYPENUM: @@ -2245,31 +2697,31 @@ vfs_sysctl(int *name, u_int namelen, user_addr_t oldp, size_t *oldlenp, case VFS_CONF: if (namelen < 3) return (ENOTDIR); /* overloaded */ + + mount_list_lock(); for (vfsp = vfsconf; vfsp; vfsp = vfsp->vfc_next) if (vfsp->vfc_typenum == name[2]) break; - if (vfsp == NULL) + + if (vfsp == NULL) { + mount_list_unlock(); return (ENOTSUP); - vfsc = (struct vfsconf *)vfsp; - if (proc_is64bit(p)) { - struct user_vfsconf usr_vfsc; - usr_vfsc.vfc_vfsops = CAST_USER_ADDR_T(vfsc->vfc_vfsops); - bcopy(vfsc->vfc_name, usr_vfsc.vfc_name, sizeof(usr_vfsc.vfc_name)); - usr_vfsc.vfc_typenum = vfsc->vfc_typenum; - usr_vfsc.vfc_refcount = vfsc->vfc_refcount; - usr_vfsc.vfc_flags = vfsc->vfc_flags; - usr_vfsc.vfc_mountroot = CAST_USER_ADDR_T(vfsc->vfc_mountroot); - usr_vfsc.vfc_next = CAST_USER_ADDR_T(vfsc->vfc_next); - return (sysctl_rdstruct(oldp, oldlenp, newp, &usr_vfsc, - sizeof(usr_vfsc))); - } - else { - return (sysctl_rdstruct(oldp, oldlenp, newp, vfsc, - sizeof(struct vfsconf))); } + + vfsc.vfc_reserved1 = 0; + bcopy(vfsp->vfc_name, vfsc.vfc_name, sizeof(vfsc.vfc_name)); + vfsc.vfc_typenum = vfsp->vfc_typenum; + vfsc.vfc_refcount = vfsp->vfc_refcount; + vfsc.vfc_flags = vfsp->vfc_flags; + vfsc.vfc_reserved2 = 0; + vfsc.vfc_reserved3 = 0; + + mount_list_unlock(); + return (sysctl_rdstruct(oldp, oldlenp, newp, &vfsc, + sizeof(struct vfsconf))); case VFS_SET_PACKAGE_EXTS: - return set_package_extensions_table((void *)name[1], name[2], name[3]); + return set_package_extensions_table((user_addr_t)((unsigned)name[1]), name[2], name[3]); } /* * We need to get back into the general MIB, so we need to re-prepend @@ -2281,84 +2733,33 @@ vfs_sysctl(int *name, u_int namelen, user_addr_t oldp, size_t *oldlenp, bcopy(name, username + 1, namelen * sizeof(*name)); username[0] = CTL_VFS; error = userland_sysctl(p, username, usernamelen, oldp, - oldlenp, 1, newp, newlen, oldlenp); + oldlenp, newp, newlen, oldlenp); FREE(username, M_TEMP); return (error); } -int kinfo_vdebug = 1; -#define KINFO_VNODESLOP 10 /* - * Dump vnode list (via sysctl). - * Copyout address of vnode followed by vnode. + * Dump vnode list (via sysctl) - defunct + * use "pstat" instead */ /* ARGSUSED */ int -sysctl_vnode(__unused user_addr_t where, __unused size_t *sizep) +sysctl_vnode +(__unused struct sysctl_oid *oidp, __unused void *arg1, __unused int arg2, __unused struct sysctl_req *req) { -#if 0 - struct mount *mp, *nmp; - struct vnode *nvp, *vp; - char *bp = where, *savebp; - char *ewhere; - int error; - -#define VPTRSZ sizeof (struct vnode *) -#define VNODESZ sizeof (struct vnode) - if (where == NULL) { - *sizep = (numvnodes + KINFO_VNODESLOP) * (VPTRSZ + VNODESZ); - return (0); - } - ewhere = where + *sizep; - - for (mp = mountlist.cqh_first; mp != (void *)&mountlist; mp = nmp) { - if (vfs_busy(mp, LK_NOWAIT)) { - nmp = mp->mnt_list.cqe_next; - continue; - } - savebp = bp; -again: - TAILQ_FOREACH(vp, &mp->mnt_vnodelist, v_mntvnodes) { - /* - * Check that the vp is still associated with - * this filesystem. RACE: could have been - * recycled onto the same filesystem. - */ - if (vp->v_mount != mp) { - if (kinfo_vdebug) - printf("kinfo: vp changed\n"); - bp = savebp; - goto again; - } - if (bp + VPTRSZ + VNODESZ > ewhere) { - vfs_unbusy(mp); - *sizep = bp - where; - return (ENOMEM); - } - if ((error = copyout((caddr_t)&vp, bp, VPTRSZ)) || - (error = copyout((caddr_t)vp, bp + VPTRSZ, VNODESZ))) { - vfs_unbusy(mp); - return (error); - } - bp += VPTRSZ + VNODESZ; - } - nmp = mp->mnt_list.cqe_next; - vfs_unbusy(mp); - } - - *sizep = bp - where; - return (0); -#else return(EINVAL); -#endif } +SYSCTL_PROC(_kern, KERN_VNODE, vnode, + CTLTYPE_STRUCT | CTLFLAG_RD | CTLFLAG_MASKED | CTLFLAG_LOCKED, + 0, 0, sysctl_vnode, "S,", ""); + + /* * Check to see if a filesystem is mounted on a block device. */ int -vfs_mountedon(vp) - struct vnode *vp; +vfs_mountedon(struct vnode *vp) { struct vnode *vq; int error = 0; @@ -2368,7 +2769,7 @@ vfs_mountedon(vp) error = EBUSY; goto out; } - if (vp->v_flag & VALIASED) { + if (vp->v_specflags & SI_ALIASED) { for (vq = *vp->v_hashchain; vq; vq = vq->v_specnext) { if (vq->v_rdev != vp->v_rdev || vq->v_type != vp->v_type) @@ -2389,12 +2790,10 @@ out: * of mounting to avoid dependencies. */ __private_extern__ void -vfs_unmountall() +vfs_unmountall(void) { struct mount *mp; - struct proc *p = current_proc(); int error; - int skip_listremove; /* * Since this only runs when rebooting, it is not interlocked. @@ -2403,21 +2802,18 @@ vfs_unmountall() while(!TAILQ_EMPTY(&mountlist)) { mp = TAILQ_LAST(&mountlist, mntlist); mount_list_unlock(); - skip_listremove = 0; - error = dounmount(mp, MNT_FORCE, &skip_listremove, p); - if (error) { + error = dounmount(mp, MNT_FORCE, 0, vfs_context_current()); + if ((error != 0) && (error != EBUSY)) { + printf("unmount of %s failed (", mp->mnt_vfsstat.f_mntonname); + printf("%d)\n", error); mount_list_lock(); - if (skip_listremove == 0) { - TAILQ_REMOVE(&mountlist, mp, mnt_list); - printf("unmount of %s failed (", mp->mnt_vfsstat.f_mntonname); - } - - if (error == EBUSY) - printf("BUSY)\n"); - else - printf("%d)\n", error); + TAILQ_REMOVE(&mountlist, mp, mnt_list); continue; - } + } else if (error == EBUSY) { + /* If EBUSY is returned, the unmount was already in progress */ + printf("unmount of %p failed (", mp); + printf("BUSY)\n"); + } mount_list_lock(); } mount_list_unlock(); @@ -2425,80 +2821,71 @@ vfs_unmountall() /* - * This routine is called from vnode_pager_no_senders() - * which in turn can be called with vnode locked by vnode_uncache() - * But it could also get called as a result of vm_object_cache_trim(). - * In that case lock state is unknown. - * AGE the vnode so that it gets recycled quickly. + * This routine is called from vnode_pager_deallocate out of the VM + * The path to vnode_pager_deallocate can only be initiated by ubc_destroy_named + * on a vnode that has a UBCINFO */ __private_extern__ void -vnode_pager_vrele(struct vnode *vp) +vnode_pager_vrele(vnode_t vp) { - vnode_lock(vp); + struct ubc_info *uip; - if (!ISSET(vp->v_lflag, VL_TERMINATE)) - panic("vnode_pager_vrele: vp not in termination"); - vp->v_lflag &= ~VNAMED_UBC; + vnode_lock_spin(vp); - if (UBCINFOEXISTS(vp)) { - struct ubc_info *uip = vp->v_ubcinfo; + vp->v_lflag &= ~VNAMED_UBC; - if (ISSET(uip->ui_flags, UI_WASMAPPED)) - SET(vp->v_flag, VWASMAPPED); - vp->v_ubcinfo = UBC_INFO_NULL; + uip = vp->v_ubcinfo; + vp->v_ubcinfo = UBC_INFO_NULL; - ubc_info_deallocate(uip); - } else { - panic("NO ubcinfo in vnode_pager_vrele"); - } vnode_unlock(vp); - wakeup(&vp->v_lflag); + ubc_info_deallocate(uip); } #include +u_int32_t rootunit = (u_int32_t)-1; + errno_t vfs_init_io_attributes(vnode_t devvp, mount_t mp) { int error; - off_t readblockcnt; - off_t writeblockcnt; - off_t readmaxcnt; - off_t writemaxcnt; - off_t readsegcnt; - off_t writesegcnt; - off_t readsegsize; - off_t writesegsize; - u_long blksize; + off_t readblockcnt = 0; + off_t writeblockcnt = 0; + off_t readmaxcnt = 0; + off_t writemaxcnt = 0; + off_t readsegcnt = 0; + off_t writesegcnt = 0; + off_t readsegsize = 0; + off_t writesegsize = 0; + off_t alignment = 0; + off_t ioqueue_depth = 0; + u_int32_t blksize; u_int64_t temp; - struct vfs_context context; - - proc_t p = current_proc(); + u_int32_t features; + vfs_context_t ctx = vfs_context_current(); + int isssd = 0; + int isvirtual = 0; - context.vc_proc = p; - context.vc_ucred = kauth_cred_get(); - int isvirtual = 0; + VNOP_IOCTL(devvp, DKIOCGETTHROTTLEMASK, (caddr_t)&mp->mnt_throttle_mask, 0, NULL); /* - * determine if this mount point exists on the same device as the root - * partition... if so, then it comes under the hard throttle control + * as a reasonable approximation, only use the lowest bit of the mask + * to generate a disk unit number */ - int thisunit = -1; - static int rootunit = -1; + mp->mnt_devbsdunit = num_trailing_0(mp->mnt_throttle_mask); - if (rootunit == -1) { - if (VNOP_IOCTL(rootvp, DKIOCGETBSDUNIT, (caddr_t)&rootunit, 0, &context)) - rootunit = -1; - else if (rootvp == devvp) - mp->mnt_kern_flag |= MNTK_ROOTDEV; - } - if (devvp != rootvp && rootunit != -1) { - if (VNOP_IOCTL(devvp, DKIOCGETBSDUNIT, (caddr_t)&thisunit, 0, &context) == 0) { - if (thisunit == rootunit) - mp->mnt_kern_flag |= MNTK_ROOTDEV; - } + if (devvp == rootvp) + rootunit = mp->mnt_devbsdunit; + + if (mp->mnt_devbsdunit == rootunit) { + /* + * this mount point exists on the same device as the root + * partition, so it comes under the hard throttle control... + * this is true even for the root mount point itself + */ + mp->mnt_kern_flag |= MNTK_ROOTDEV; } /* * force the spec device to re-cache @@ -2509,78 +2896,115 @@ vfs_init_io_attributes(vnode_t devvp, mount_t mp) if ((error = VNOP_IOCTL(devvp, DKIOCGETBLOCKSIZE, - (caddr_t)&blksize, 0, &context))) + (caddr_t)&blksize, 0, ctx))) return (error); mp->mnt_devblocksize = blksize; - if (VNOP_IOCTL(devvp, DKIOCISVIRTUAL, (caddr_t)&isvirtual, 0, &context) == 0) { + /* + * set the maximum possible I/O size + * this may get clipped to a smaller value + * based on which constraints are being advertised + * and if those advertised constraints result in a smaller + * limit for a given I/O + */ + mp->mnt_maxreadcnt = MAX_UPL_SIZE * PAGE_SIZE; + mp->mnt_maxwritecnt = MAX_UPL_SIZE * PAGE_SIZE; + + if (VNOP_IOCTL(devvp, DKIOCISVIRTUAL, (caddr_t)&isvirtual, 0, ctx) == 0) { if (isvirtual) mp->mnt_kern_flag |= MNTK_VIRTUALDEV; } + if (VNOP_IOCTL(devvp, DKIOCISSOLIDSTATE, (caddr_t)&isssd, 0, ctx) == 0) { + if (isssd) + mp->mnt_kern_flag |= MNTK_SSD; + } + if ((error = VNOP_IOCTL(devvp, DKIOCGETFEATURES, + (caddr_t)&features, 0, ctx))) + return (error); if ((error = VNOP_IOCTL(devvp, DKIOCGETMAXBLOCKCOUNTREAD, - (caddr_t)&readblockcnt, 0, &context))) + (caddr_t)&readblockcnt, 0, ctx))) return (error); if ((error = VNOP_IOCTL(devvp, DKIOCGETMAXBLOCKCOUNTWRITE, - (caddr_t)&writeblockcnt, 0, &context))) + (caddr_t)&writeblockcnt, 0, ctx))) return (error); if ((error = VNOP_IOCTL(devvp, DKIOCGETMAXBYTECOUNTREAD, - (caddr_t)&readmaxcnt, 0, &context))) + (caddr_t)&readmaxcnt, 0, ctx))) return (error); if ((error = VNOP_IOCTL(devvp, DKIOCGETMAXBYTECOUNTWRITE, - (caddr_t)&writemaxcnt, 0, &context))) + (caddr_t)&writemaxcnt, 0, ctx))) return (error); if ((error = VNOP_IOCTL(devvp, DKIOCGETMAXSEGMENTCOUNTREAD, - (caddr_t)&readsegcnt, 0, &context))) + (caddr_t)&readsegcnt, 0, ctx))) return (error); if ((error = VNOP_IOCTL(devvp, DKIOCGETMAXSEGMENTCOUNTWRITE, - (caddr_t)&writesegcnt, 0, &context))) + (caddr_t)&writesegcnt, 0, ctx))) return (error); if ((error = VNOP_IOCTL(devvp, DKIOCGETMAXSEGMENTBYTECOUNTREAD, - (caddr_t)&readsegsize, 0, &context))) + (caddr_t)&readsegsize, 0, ctx))) return (error); if ((error = VNOP_IOCTL(devvp, DKIOCGETMAXSEGMENTBYTECOUNTWRITE, - (caddr_t)&writesegsize, 0, &context))) + (caddr_t)&writesegsize, 0, ctx))) + return (error); + + if ((error = VNOP_IOCTL(devvp, DKIOCGETMINSEGMENTALIGNMENTBYTECOUNT, + (caddr_t)&alignment, 0, ctx))) + return (error); + + if ((error = VNOP_IOCTL(devvp, DKIOCGETCOMMANDPOOLSIZE, + (caddr_t)&ioqueue_depth, 0, ctx))) return (error); if (readmaxcnt) - temp = (readmaxcnt > UINT32_MAX) ? UINT32_MAX : readmaxcnt; - else { - if (readblockcnt) { - temp = readblockcnt * blksize; - temp = (temp > UINT32_MAX) ? UINT32_MAX : temp; - } else - temp = MAXPHYS; + mp->mnt_maxreadcnt = (readmaxcnt > UINT32_MAX) ? UINT32_MAX : readmaxcnt; + + if (readblockcnt) { + temp = readblockcnt * blksize; + temp = (temp > UINT32_MAX) ? UINT32_MAX : temp; + + if (temp < mp->mnt_maxreadcnt) + mp->mnt_maxreadcnt = (u_int32_t)temp; } - mp->mnt_maxreadcnt = (u_int32_t)temp; if (writemaxcnt) - temp = (writemaxcnt > UINT32_MAX) ? UINT32_MAX : writemaxcnt; - else { - if (writeblockcnt) { - temp = writeblockcnt * blksize; - temp = (temp > UINT32_MAX) ? UINT32_MAX : temp; - } else - temp = MAXPHYS; + mp->mnt_maxwritecnt = (writemaxcnt > UINT32_MAX) ? UINT32_MAX : writemaxcnt; + + if (writeblockcnt) { + temp = writeblockcnt * blksize; + temp = (temp > UINT32_MAX) ? UINT32_MAX : temp; + + if (temp < mp->mnt_maxwritecnt) + mp->mnt_maxwritecnt = (u_int32_t)temp; } - mp->mnt_maxwritecnt = (u_int32_t)temp; if (readsegcnt) { temp = (readsegcnt > UINT16_MAX) ? UINT16_MAX : readsegcnt; - mp->mnt_segreadcnt = (u_int16_t)temp; + } else { + temp = mp->mnt_maxreadcnt / PAGE_SIZE; + + if (temp > UINT16_MAX) + temp = UINT16_MAX; } + mp->mnt_segreadcnt = (u_int16_t)temp; + if (writesegcnt) { temp = (writesegcnt > UINT16_MAX) ? UINT16_MAX : writesegcnt; - mp->mnt_segwritecnt = (u_int16_t)temp; + } else { + temp = mp->mnt_maxwritecnt / PAGE_SIZE; + + if (temp > UINT16_MAX) + temp = UINT16_MAX; } + mp->mnt_segwritecnt = (u_int16_t)temp; + if (readsegsize) temp = (readsegsize > UINT32_MAX) ? UINT32_MAX : readsegsize; else @@ -2593,23 +3017,50 @@ vfs_init_io_attributes(vnode_t devvp, mount_t mp) temp = mp->mnt_maxwritecnt; mp->mnt_maxsegwritesize = (u_int32_t)temp; + if (alignment) + temp = (alignment > PAGE_SIZE) ? PAGE_MASK : alignment - 1; + else + temp = 0; + mp->mnt_alignmentmask = temp; + + + if (ioqueue_depth > MNT_DEFAULT_IOQUEUE_DEPTH) + temp = ioqueue_depth; + else + temp = MNT_DEFAULT_IOQUEUE_DEPTH; + + mp->mnt_ioqueue_depth = temp; + mp->mnt_ioscale = (mp->mnt_ioqueue_depth + (MNT_DEFAULT_IOQUEUE_DEPTH - 1)) / MNT_DEFAULT_IOQUEUE_DEPTH; + + if (mp->mnt_ioscale > 1) + printf("ioqueue_depth = %d, ioscale = %d\n", (int)mp->mnt_ioqueue_depth, (int)mp->mnt_ioscale); + + if (features & DK_FEATURE_FORCE_UNIT_ACCESS) + mp->mnt_ioflags |= MNT_IOFLAGS_FUA_SUPPORTED; + if (features & DK_FEATURE_UNMAP) + mp->mnt_ioflags |= MNT_IOFLAGS_UNMAP_SUPPORTED; return (error); } static struct klist fs_klist; +lck_grp_t *fs_klist_lck_grp; +lck_mtx_t *fs_klist_lock; void vfs_event_init(void) { klist_init(&fs_klist); + fs_klist_lck_grp = lck_grp_alloc_init("fs_klist", NULL); + fs_klist_lock = lck_mtx_alloc_init(fs_klist_lck_grp, NULL); } void vfs_event_signal(__unused fsid_t *fsid, u_int32_t event, __unused intptr_t data) { - + lck_mtx_lock(fs_klist_lock); KNOTE(&fs_klist, event); + lck_mtx_unlock(fs_klist_lock); } /* @@ -2679,7 +3130,8 @@ sysctl_vfs_getvfslist(fsid_t *fsidlst, int count, int *actual) } static int -sysctl_vfs_vfslist SYSCTL_HANDLER_ARGS +sysctl_vfs_vfslist(__unused struct sysctl_oid *oidp, __unused void *arg1, + __unused int arg2, struct sysctl_req *req) { int actual, error; size_t space; @@ -2707,6 +3159,10 @@ again: return (ENOMEM); MALLOC(fsidlst, fsid_t *, req->oldlen, M_TEMP, M_WAITOK); + if (fsidlst == NULL) { + return (ENOMEM); + } + error = sysctl_vfs_getvfslist(fsidlst, req->oldlen / sizeof(fsid_t), &actual); /* @@ -2729,43 +3185,35 @@ again: * Do a sysctl by fsid. */ static int -sysctl_vfs_ctlbyfsid SYSCTL_HANDLER_ARGS +sysctl_vfs_ctlbyfsid(__unused struct sysctl_oid *oidp, void *arg1, int arg2, + struct sysctl_req *req) { - struct vfsidctl vc; - struct user_vfsidctl user_vc; + union union_vfsidctl vc; struct mount *mp; struct vfsstatfs *sp; - struct proc *p; - int *name; - int error, flags, namelen; - struct vfs_context context; + int *name, flags, namelen; + int error=0, gotref=0; + vfs_context_t ctx = vfs_context_current(); + proc_t p = req->p; /* XXX req->p != current_proc()? */ boolean_t is_64_bit; name = arg1; namelen = arg2; - p = req->p; - context.vc_proc = p; - context.vc_ucred = kauth_cred_get(); is_64_bit = proc_is64bit(p); - if (is_64_bit) { - error = SYSCTL_IN(req, &user_vc, sizeof(user_vc)); - if (error) - return (error); - if (user_vc.vc_vers != VFS_CTL_VERS1) - return (EINVAL); - mp = mount_list_lookupby_fsid(&user_vc.vc_fsid, 0, 0); - } - else { - error = SYSCTL_IN(req, &vc, sizeof(vc)); - if (error) - return (error); - if (vc.vc_vers != VFS_CTL_VERS1) - return (EINVAL); - mp = mount_list_lookupby_fsid(&vc.vc_fsid, 0, 0); + error = SYSCTL_IN(req, &vc, is_64_bit? sizeof(vc.vc64):sizeof(vc.vc32)); + if (error) + goto out; + if (vc.vc32.vc_vers != VFS_CTL_VERS1) { /* works for 32 and 64 */ + error = EINVAL; + goto out; } - if (mp == NULL) - return (ENOENT); + mp = mount_list_lookupby_fsid(&vc.vc32.vc_fsid, 0, 1); /* works for 32 and 64 */ + if (mp == NULL) { + error = ENOENT; + goto out; + } + gotref = 1; /* reset so that the fs specific code can fetch it. */ req->newidx = 0; /* @@ -2779,7 +3227,7 @@ sysctl_vfs_ctlbyfsid SYSCTL_HANDLER_ARGS error = mp->mnt_op->vfs_sysctl(name, namelen, CAST_USER_ADDR_T(req), NULL, USER_ADDR_NULL, 0, - &context); + ctx); } else { error = ENOTSUP; @@ -2789,68 +3237,78 @@ sysctl_vfs_ctlbyfsid SYSCTL_HANDLER_ARGS error = mp->mnt_op->vfs_sysctl(name, namelen, CAST_USER_ADDR_T(req), NULL, USER_ADDR_NULL, 0, - &context); + ctx); + } + if (error != ENOTSUP) { + goto out; } - if (error != ENOTSUP) - return (error); } switch (name[0]) { case VFS_CTL_UMOUNT: req->newidx = 0; if (is_64_bit) { - req->newptr = user_vc.vc_ptr; - req->newlen = (size_t)user_vc.vc_len; + req->newptr = vc.vc64.vc_ptr; + req->newlen = (size_t)vc.vc64.vc_len; } else { - req->newptr = CAST_USER_ADDR_T(vc.vc_ptr); - req->newlen = vc.vc_len; + req->newptr = CAST_USER_ADDR_T(vc.vc32.vc_ptr); + req->newlen = vc.vc32.vc_len; } error = SYSCTL_IN(req, &flags, sizeof(flags)); if (error) break; - error = safedounmount(mp, flags, p); + + mount_ref(mp, 0); + mount_iterdrop(mp); + gotref = 0; + /* safedounmount consumes a ref */ + error = safedounmount(mp, flags, ctx); break; case VFS_CTL_STATFS: req->newidx = 0; if (is_64_bit) { - req->newptr = user_vc.vc_ptr; - req->newlen = (size_t)user_vc.vc_len; + req->newptr = vc.vc64.vc_ptr; + req->newlen = (size_t)vc.vc64.vc_len; } else { - req->newptr = CAST_USER_ADDR_T(vc.vc_ptr); - req->newlen = vc.vc_len; + req->newptr = CAST_USER_ADDR_T(vc.vc32.vc_ptr); + req->newlen = vc.vc32.vc_len; } error = SYSCTL_IN(req, &flags, sizeof(flags)); if (error) break; sp = &mp->mnt_vfsstat; - if (((flags & MNT_NOWAIT) == 0 || (flags & MNT_WAIT)) && - (error = vfs_update_vfsstat(mp, &context))) - return (error); + if (((flags & MNT_NOWAIT) == 0 || (flags & (MNT_WAIT | MNT_DWAIT))) && + (error = vfs_update_vfsstat(mp, ctx, VFS_USER_EVENT))) + goto out; if (is_64_bit) { - struct user_statfs sfs; + struct user64_statfs sfs; bzero(&sfs, sizeof(sfs)); sfs.f_flags = mp->mnt_flag & MNT_VISFLAGMASK; sfs.f_type = mp->mnt_vtable->vfc_typenum; - sfs.f_bsize = (user_long_t)sp->f_bsize; - sfs.f_iosize = (user_long_t)sp->f_iosize; - sfs.f_blocks = (user_long_t)sp->f_blocks; - sfs.f_bfree = (user_long_t)sp->f_bfree; - sfs.f_bavail = (user_long_t)sp->f_bavail; - sfs.f_files = (user_long_t)sp->f_files; - sfs.f_ffree = (user_long_t)sp->f_ffree; + sfs.f_bsize = (user64_long_t)sp->f_bsize; + sfs.f_iosize = (user64_long_t)sp->f_iosize; + sfs.f_blocks = (user64_long_t)sp->f_blocks; + sfs.f_bfree = (user64_long_t)sp->f_bfree; + sfs.f_bavail = (user64_long_t)sp->f_bavail; + sfs.f_files = (user64_long_t)sp->f_files; + sfs.f_ffree = (user64_long_t)sp->f_ffree; sfs.f_fsid = sp->f_fsid; sfs.f_owner = sp->f_owner; - strncpy(&sfs.f_fstypename, &sp->f_fstypename, MFSNAMELEN-1); - strncpy(&sfs.f_mntonname, &sp->f_mntonname, MNAMELEN-1); - strncpy(&sfs.f_mntfromname, &sp->f_mntfromname, MNAMELEN-1); + if (mp->mnt_kern_flag & MNTK_TYPENAME_OVERRIDE) { + strlcpy(&sfs.f_fstypename[0], &mp->fstypename_override[0], MFSTYPENAMELEN); + } else { + strlcpy(sfs.f_fstypename, sp->f_fstypename, MFSNAMELEN); + } + strlcpy(sfs.f_mntonname, sp->f_mntonname, MNAMELEN); + strlcpy(sfs.f_mntfromname, sp->f_mntfromname, MNAMELEN); error = SYSCTL_OUT(req, &sfs, sizeof(sfs)); } else { - struct statfs sfs; - bzero(&sfs, sizeof(struct statfs)); + struct user32_statfs sfs; + bzero(&sfs, sizeof(sfs)); sfs.f_flags = mp->mnt_flag & MNT_VISFLAGMASK; sfs.f_type = mp->mnt_vtable->vfc_typenum; @@ -2859,7 +3317,7 @@ sysctl_vfs_ctlbyfsid SYSCTL_HANDLER_ARGS * have to fudge the numbers here in that case. We inflate the blocksize in order * to reflect the filesystem size as best we can. */ - if (sp->f_blocks > LONG_MAX) { + if (sp->f_blocks > INT_MAX) { int shift; /* @@ -2872,81 +3330,101 @@ sysctl_vfs_ctlbyfsid SYSCTL_HANDLER_ARGS * being smaller than f_bsize. */ for (shift = 0; shift < 32; shift++) { - if ((sp->f_blocks >> shift) <= LONG_MAX) + if ((sp->f_blocks >> shift) <= INT_MAX) break; - if ((sp->f_bsize << (shift + 1)) > LONG_MAX) + if ((((long long)sp->f_bsize) << (shift + 1)) > INT_MAX) break; } -#define __SHIFT_OR_CLIP(x, s) ((((x) >> (s)) > LONG_MAX) ? LONG_MAX : ((x) >> (s))) - sfs.f_blocks = (long)__SHIFT_OR_CLIP(sp->f_blocks, shift); - sfs.f_bfree = (long)__SHIFT_OR_CLIP(sp->f_bfree, shift); - sfs.f_bavail = (long)__SHIFT_OR_CLIP(sp->f_bavail, shift); +#define __SHIFT_OR_CLIP(x, s) ((((x) >> (s)) > INT_MAX) ? INT_MAX : ((x) >> (s))) + sfs.f_blocks = (user32_long_t)__SHIFT_OR_CLIP(sp->f_blocks, shift); + sfs.f_bfree = (user32_long_t)__SHIFT_OR_CLIP(sp->f_bfree, shift); + sfs.f_bavail = (user32_long_t)__SHIFT_OR_CLIP(sp->f_bavail, shift); #undef __SHIFT_OR_CLIP - sfs.f_bsize = (long)(sp->f_bsize << shift); + sfs.f_bsize = (user32_long_t)(sp->f_bsize << shift); sfs.f_iosize = lmax(sp->f_iosize, sp->f_bsize); } else { - sfs.f_bsize = (long)sp->f_bsize; - sfs.f_iosize = (long)sp->f_iosize; - sfs.f_blocks = (long)sp->f_blocks; - sfs.f_bfree = (long)sp->f_bfree; - sfs.f_bavail = (long)sp->f_bavail; + sfs.f_bsize = (user32_long_t)sp->f_bsize; + sfs.f_iosize = (user32_long_t)sp->f_iosize; + sfs.f_blocks = (user32_long_t)sp->f_blocks; + sfs.f_bfree = (user32_long_t)sp->f_bfree; + sfs.f_bavail = (user32_long_t)sp->f_bavail; } - sfs.f_files = (long)sp->f_files; - sfs.f_ffree = (long)sp->f_ffree; + sfs.f_files = (user32_long_t)sp->f_files; + sfs.f_ffree = (user32_long_t)sp->f_ffree; sfs.f_fsid = sp->f_fsid; sfs.f_owner = sp->f_owner; - strncpy(&sfs.f_fstypename, &sp->f_fstypename, MFSNAMELEN-1); - strncpy(&sfs.f_mntonname, &sp->f_mntonname, MNAMELEN-1); - strncpy(&sfs.f_mntfromname, &sp->f_mntfromname, MNAMELEN-1); + if (mp->mnt_kern_flag & MNTK_TYPENAME_OVERRIDE) { + strlcpy(&sfs.f_fstypename[0], &mp->fstypename_override[0], MFSTYPENAMELEN); + } else { + strlcpy(sfs.f_fstypename, sp->f_fstypename, MFSNAMELEN); + } + strlcpy(sfs.f_mntonname, sp->f_mntonname, MNAMELEN); + strlcpy(sfs.f_mntfromname, sp->f_mntfromname, MNAMELEN); error = SYSCTL_OUT(req, &sfs, sizeof(sfs)); } break; default: - return (ENOTSUP); + error = ENOTSUP; + goto out; } +out: + if(gotref != 0) + mount_iterdrop(mp); return (error); } static int filt_fsattach(struct knote *kn); static void filt_fsdetach(struct knote *kn); static int filt_fsevent(struct knote *kn, long hint); - -struct filterops fs_filtops = - { 0, filt_fsattach, filt_fsdetach, filt_fsevent }; +struct filterops fs_filtops = { + .f_attach = filt_fsattach, + .f_detach = filt_fsdetach, + .f_event = filt_fsevent, +}; static int filt_fsattach(struct knote *kn) { + lck_mtx_lock(fs_klist_lock); kn->kn_flags |= EV_CLEAR; KNOTE_ATTACH(&fs_klist, kn); + lck_mtx_unlock(fs_klist_lock); return (0); } static void filt_fsdetach(struct knote *kn) { - + lck_mtx_lock(fs_klist_lock); KNOTE_DETACH(&fs_klist, kn); + lck_mtx_unlock(fs_klist_lock); } static int filt_fsevent(struct knote *kn, long hint) { + /* + * Backwards compatibility: + * Other filters would do nothing if kn->kn_sfflags == 0 + */ + + if ((kn->kn_sfflags == 0) || (kn->kn_sfflags & hint)) { + kn->kn_fflags |= hint; + } - kn->kn_fflags |= hint; return (kn->kn_fflags != 0); } static int -sysctl_vfs_noremotehang SYSCTL_HANDLER_ARGS +sysctl_vfs_noremotehang(__unused struct sysctl_oid *oidp, + __unused void *arg1, __unused int arg2, struct sysctl_req *req) { int out, error; pid_t pid; - size_t space; - struct proc *p; + proc_t p; /* We need a pid. */ if (req->newptr == USER_ADDR_NULL) @@ -2956,7 +3434,7 @@ sysctl_vfs_noremotehang SYSCTL_HANDLER_ARGS if (error) return (error); - p = pfind(pid < 0 ? -pid : pid); + p = proc_find(pid < 0 ? -pid : pid); if (p == NULL) return (ESRCH); @@ -2966,79 +3444,175 @@ sysctl_vfs_noremotehang SYSCTL_HANDLER_ARGS */ if (req->oldptr != USER_ADDR_NULL) { out = !((p->p_flag & P_NOREMOTEHANG) == 0); + proc_rele(p); error = SYSCTL_OUT(req, &out, sizeof(out)); return (error); } - /* XXX req->p->p_ucred -> kauth_cred_get() - current unsafe ??? */ /* cansignal offers us enough security. */ - if (p != req->p && suser(req->p->p_ucred, &req->p->p_acflag) != 0) + if (p != req->p && proc_suser(req->p) != 0) { + proc_rele(p); return (EPERM); + } if (pid < 0) - p->p_flag &= ~P_NOREMOTEHANG; + OSBitAndAtomic(~((uint32_t)P_NOREMOTEHANG), &p->p_flag); else - p->p_flag |= P_NOREMOTEHANG; + OSBitOrAtomic(P_NOREMOTEHANG, &p->p_flag); + proc_rele(p); return (0); } + /* the vfs.generic. branch. */ -SYSCTL_NODE(_vfs, VFS_GENERIC, generic, CTLFLAG_RW, 0, "vfs generic hinge"); +SYSCTL_NODE(_vfs, VFS_GENERIC, generic, CTLFLAG_RW | CTLFLAG_LOCKED, NULL, "vfs generic hinge"); /* retreive a list of mounted filesystem fsid_t */ -SYSCTL_PROC(_vfs_generic, OID_AUTO, vfsidlist, CTLFLAG_RD, - 0, 0, sysctl_vfs_vfslist, "S,fsid", "List of mounted filesystem ids"); +SYSCTL_PROC(_vfs_generic, OID_AUTO, vfsidlist, CTLFLAG_RD | CTLFLAG_LOCKED, + NULL, 0, sysctl_vfs_vfslist, "S,fsid", "List of mounted filesystem ids"); /* perform operations on filesystem via fsid_t */ -SYSCTL_NODE(_vfs_generic, OID_AUTO, ctlbyfsid, CTLFLAG_RW, +SYSCTL_NODE(_vfs_generic, OID_AUTO, ctlbyfsid, CTLFLAG_RW | CTLFLAG_LOCKED, sysctl_vfs_ctlbyfsid, "ctlbyfsid"); -SYSCTL_PROC(_vfs_generic, OID_AUTO, noremotehang, CTLFLAG_RW, - 0, 0, sysctl_vfs_noremotehang, "I", "noremotehang"); +SYSCTL_PROC(_vfs_generic, OID_AUTO, noremotehang, CTLFLAG_RW | CTLFLAG_ANYBODY, + NULL, 0, sysctl_vfs_noremotehang, "I", "noremotehang"); -int num_reusedvnodes=0; +long num_reusedvnodes = 0; static int new_vnode(vnode_t *vpp) { vnode_t vp; int retries = 0; /* retry incase of tablefull */ - int vpid; + int force_alloc = 0, walk_count = 0; + unsigned int vpid; struct timespec ts; + struct timeval current_tv; +#ifndef __LP64__ + struct unsafe_fsnode *l_unsafefs = 0; +#endif /* __LP64__ */ + proc_t curproc = current_proc(); retry: - vnode_list_lock(); + microuptime(¤t_tv); - if ( !TAILQ_EMPTY(&vnode_free_list)) { - /* - * Pick the first vp for possible reuse - */ - vp = TAILQ_FIRST(&vnode_free_list); + vp = NULLVP; - if (vp->v_lflag & VL_DEAD) - goto steal_this_vp; - } else - vp = NULL; + vnode_list_lock(); - /* - * we're either empty, or the next guy on the - * list is a valid vnode... if we're under the - * limit, we'll create a new vnode - */ - if (numvnodes < desiredvnodes) { + if ((numvnodes - deadvnodes) < desiredvnodes || force_alloc) { + if ( !TAILQ_EMPTY(&vnode_dead_list)) { + /* + * Can always reuse a dead one + */ + vp = TAILQ_FIRST(&vnode_dead_list); + goto steal_this_vp; + } + /* + * no dead vnodes available... if we're under + * the limit, we'll create a new vnode + */ numvnodes++; vnode_list_unlock(); - MALLOC_ZONE(vp, struct vnode *, sizeof *vp, M_VNODE, M_WAITOK); - bzero((char *)vp, sizeof *vp); + + MALLOC_ZONE(vp, struct vnode *, sizeof(*vp), M_VNODE, M_WAITOK); + bzero((char *)vp, sizeof(*vp)); VLISTNONE(vp); /* avoid double queue removal */ lck_mtx_init(&vp->v_lock, vnode_lck_grp, vnode_lck_attr); + klist_init(&vp->v_knotes); nanouptime(&ts); vp->v_id = ts.tv_nsec; vp->v_flag = VSTANDARD; +#if CONFIG_MACF + if (mac_vnode_label_init_needed(vp)) + mac_vnode_label_init(vp); +#endif /* MAC */ + + vp->v_iocount = 1; goto done; } - if (vp == NULL) { + +#define MAX_WALK_COUNT 1000 + + if ( !TAILQ_EMPTY(&vnode_rage_list) && + (ragevnodes >= rage_limit || + (current_tv.tv_sec - rage_tv.tv_sec) >= RAGE_TIME_LIMIT)) { + + TAILQ_FOREACH(vp, &vnode_rage_list, v_freelist) { + if ( !(vp->v_listflag & VLIST_RAGE)) + panic("new_vnode: vp (%p) on RAGE list not marked VLIST_RAGE", vp); + + // if we're a dependency-capable process, skip vnodes that can + // cause recycling deadlocks. (i.e. this process is diskimages + // helper and the vnode is in a disk image). Querying the + // mnt_kern_flag for the mount's virtual device status + // is safer than checking the mnt_dependent_process, which + // may not be updated if there are multiple devnode layers + // in between the disk image and the final consumer. + + if ((curproc->p_flag & P_DEPENDENCY_CAPABLE) == 0 || vp->v_mount == NULL || + (vp->v_mount->mnt_kern_flag & MNTK_VIRTUALDEV) == 0) { + break; + } + + // don't iterate more than MAX_WALK_COUNT vnodes to + // avoid keeping the vnode list lock held for too long. + if (walk_count++ > MAX_WALK_COUNT) { + vp = NULL; + break; + } + } + + } + + if (vp == NULL && !TAILQ_EMPTY(&vnode_free_list)) { /* + * Pick the first vp for possible reuse + */ + walk_count = 0; + TAILQ_FOREACH(vp, &vnode_free_list, v_freelist) { + + // if we're a dependency-capable process, skip vnodes that can + // cause recycling deadlocks. (i.e. this process is diskimages + // helper and the vnode is in a disk image). Querying the + // mnt_kern_flag for the mount's virtual device status + // is safer than checking the mnt_dependent_process, which + // may not be updated if there are multiple devnode layers + // in between the disk image and the final consumer. + + if ((curproc->p_flag & P_DEPENDENCY_CAPABLE) == 0 || vp->v_mount == NULL || + (vp->v_mount->mnt_kern_flag & MNTK_VIRTUALDEV) == 0) { + break; + } + + // don't iterate more than MAX_WALK_COUNT vnodes to + // avoid keeping the vnode list lock held for too long. + if (walk_count++ > MAX_WALK_COUNT) { + vp = NULL; + break; + } + } + + } + + // + // if we don't have a vnode and the walk_count is >= MAX_WALK_COUNT + // then we're trying to create a vnode on behalf of a + // process like diskimages-helper that has file systems + // mounted on top of itself (and thus we can't reclaim + // vnodes in the file systems on top of us). if we can't + // find a vnode to reclaim then we'll just have to force + // the allocation. + // + if (vp == NULL && walk_count >= MAX_WALK_COUNT) { + force_alloc = 1; + vnode_list_unlock(); + goto retry; + } + + if (vp == NULL) { + /* * we've reached the system imposed maximum number of vnodes * but there isn't a single one available * wait a bit and then retry... if we can't get a vnode @@ -3046,26 +3620,44 @@ retry: */ if (++retries <= 100) { vnode_list_unlock(); - IOSleep(1); + delay_for_interval(1, 1000 * 1000); goto retry; } vnode_list_unlock(); tablefull("vnode"); log(LOG_EMERG, "%d desired, %d numvnodes, " - "%d free, %d inactive\n", - desiredvnodes, numvnodes, freevnodes, inactivevnodes); - *vpp = 0; + "%d free, %d dead, %d rage\n", + desiredvnodes, numvnodes, freevnodes, deadvnodes, ragevnodes); +#if CONFIG_EMBEDDED + /* + * Running out of vnodes tends to make a system unusable. Start killing + * processes that jetsam knows are killable. + */ + if (jetsam_kill_top_proc(TRUE, kJetsamFlagsKilledVnodes) < 0) { + /* + * If jetsam can't find any more processes to kill and there + * still aren't any free vnodes, panic. Hopefully we'll get a + * panic log to tell us why we ran out. + */ + panic("vnode table is full\n"); + } + + delay_for_interval(1, 1000 * 1000); + goto retry; +#endif + + *vpp = NULL; return (ENFILE); } steal_this_vp: vpid = vp->v_id; - VREMFREE("new_vnode", vp); - VLISTNONE(vp); + vnode_list_remove_locked(vp); vnode_list_unlock(); - vnode_lock(vp); + + vnode_lock_spin(vp); /* * We could wait for the vnode_lock after removing the vp from the freelist @@ -3107,40 +3699,69 @@ steal_this_vp: vnode_unlock(vp); goto retry; } - OSAddAtomic(1, &num_reusedvnodes); + OSAddAtomicLong(1, &num_reusedvnodes); /* Checks for anyone racing us for recycle */ if (vp->v_type != VBAD) { if (vp->v_lflag & VL_DEAD) - panic("new_vnode: the vnode is VL_DEAD but not VBAD"); - - (void)vnode_reclaim_internal(vp, 1, 1); + panic("new_vnode(%p): the vnode is VL_DEAD but not VBAD", vp); + vnode_lock_convert(vp); + (void)vnode_reclaim_internal(vp, 1, 1, 0); if ((VONLIST(vp))) - panic("new_vnode: vp on list "); + panic("new_vnode(%p): vp on list", vp); if (vp->v_usecount || vp->v_iocount || vp->v_kusecount || (vp->v_lflag & (VNAMED_UBC | VNAMED_MOUNT | VNAMED_FSHASH))) - panic("new_vnode: free vnode still referenced\n"); + panic("new_vnode(%p): free vnode still referenced", vp); if ((vp->v_mntvnodes.tqe_prev != 0) && (vp->v_mntvnodes.tqe_next != 0)) - panic("new_vnode: vnode seems to be on mount list "); + panic("new_vnode(%p): vnode seems to be on mount list", vp); if ( !LIST_EMPTY(&vp->v_nclinks) || !LIST_EMPTY(&vp->v_ncchildren)) - panic("new_vnode: vnode still hooked into the name cache"); + panic("new_vnode(%p): vnode still hooked into the name cache", vp); } + +#ifndef __LP64__ if (vp->v_unsafefs) { - lck_mtx_destroy(&vp->v_unsafefs->fsnodelock, vnode_lck_grp); - FREE_ZONE((void *)vp->v_unsafefs, sizeof(struct unsafe_fsnode), M_UNSAFEFS); + l_unsafefs = vp->v_unsafefs; vp->v_unsafefs = (struct unsafe_fsnode *)NULL; } +#endif /* __LP64__ */ + +#if CONFIG_MACF + /* + * We should never see VL_LABELWAIT or VL_LABEL here. + * as those operations hold a reference. + */ + assert ((vp->v_lflag & VL_LABELWAIT) != VL_LABELWAIT); + assert ((vp->v_lflag & VL_LABEL) != VL_LABEL); + if (vp->v_lflag & VL_LABELED) { + vnode_lock_convert(vp); + mac_vnode_label_recycle(vp); + } else if (mac_vnode_label_init_needed(vp)) { + vnode_lock_convert(vp); + mac_vnode_label_init(vp); + } + +#endif /* MAC */ + + vp->v_iocount = 1; vp->v_lflag = 0; vp->v_writecount = 0; vp->v_references = 0; vp->v_iterblkflags = 0; vp->v_flag = VSTANDARD; /* vbad vnodes can point to dead_mountp */ - vp->v_mount = 0; + vp->v_mount = NULL; vp->v_defer_reclaimlist = (vnode_t)0; vnode_unlock(vp); + +#ifndef __LP64__ + if (l_unsafefs) { + lck_mtx_destroy(&l_unsafefs->fsnodelock, vnode_lck_grp); + FREE_ZONE((void *)l_unsafefs, sizeof(struct unsafe_fsnode), M_UNSAFEFS); + } +#endif /* __LP64__ */ + done: *vpp = vp; @@ -3153,6 +3774,12 @@ vnode_lock(vnode_t vp) lck_mtx_lock(&vp->v_lock); } +void +vnode_lock_spin(vnode_t vp) +{ + lck_mtx_lock_spin(&vp->v_lock); +} + void vnode_unlock(vnode_t vp) { @@ -3164,25 +3791,52 @@ vnode_unlock(vnode_t vp) int vnode_get(struct vnode *vp) { - vnode_lock(vp); + int retval; - if ( (vp->v_iocount == 0) && (vp->v_lflag & (VL_TERMINATE | VL_DEAD)) ) { - vnode_unlock(vp); + vnode_lock_spin(vp); + retval = vnode_get_locked(vp); + vnode_unlock(vp); + + return(retval); +} + +int +vnode_get_locked(struct vnode *vp) +{ +#if DIAGNOSTIC + lck_mtx_assert(&vp->v_lock, LCK_MTX_ASSERT_OWNED); +#endif + if ((vp->v_iocount == 0) && (vp->v_lflag & (VL_TERMINATE | VL_DEAD))) { return(ENOENT); } vp->v_iocount++; #ifdef JOE_DEBUG record_vp(vp, 1); #endif - vnode_unlock(vp); + return (0); +} - return(0); +/* + * vnode_getwithvid() cuts in line in front of a vnode drain (that is, + * while the vnode is draining, but at no point after that) to prevent + * deadlocks when getting vnodes from filesystem hashes while holding + * resources that may prevent other iocounts from being released. + */ +int +vnode_getwithvid(vnode_t vp, uint32_t vid) +{ + return(vget_internal(vp, vid, ( VNODE_NODEAD | VNODE_WITHID | VNODE_DRAINO ))); } +/* + * vnode_getwithvid_drainok() is like vnode_getwithvid(), but *does* block behind a vnode + * drain; it exists for use in the VFS name cache, where we really do want to block behind + * vnode drain to prevent holding off an unmount. + */ int -vnode_getwithvid(vnode_t vp, int vid) +vnode_getwithvid_drainok(vnode_t vp, uint32_t vid) { - return(vget_internal(vp, vid, ( VNODE_NODEAD| VNODE_WITHID))); + return(vget_internal(vp, vid, ( VNODE_NODEAD | VNODE_WITHID ))); } int @@ -3192,12 +3846,18 @@ vnode_getwithref(vnode_t vp) } +__private_extern__ int +vnode_getalways(vnode_t vp) +{ + return(vget_internal(vp, 0, VNODE_ALWAYS)); +} + int vnode_put(vnode_t vp) { int retval; - vnode_lock(vp); + vnode_lock_spin(vp); retval = vnode_put_locked(vp); vnode_unlock(vp); @@ -3207,26 +3867,27 @@ vnode_put(vnode_t vp) int vnode_put_locked(vnode_t vp) { - struct vfs_context context; + vfs_context_t ctx = vfs_context_current(); /* hoist outside loop */ +#if DIAGNOSTIC + lck_mtx_assert(&vp->v_lock, LCK_MTX_ASSERT_OWNED); +#endif retry: if (vp->v_iocount < 1) - panic("vnode_put(%x): iocount < 1", vp); + panic("vnode_put(%p): iocount < 1", vp); if ((vp->v_usecount > 0) || (vp->v_iocount > 1)) { - vnode_dropiocount(vp, 1); + vnode_dropiocount(vp); return(0); } - if ((vp->v_lflag & (VL_MARKTERM | VL_TERMINATE | VL_DEAD | VL_NEEDINACTIVE)) == VL_NEEDINACTIVE) { + if ((vp->v_lflag & (VL_DEAD | VL_NEEDINACTIVE)) == VL_NEEDINACTIVE) { vp->v_lflag &= ~VL_NEEDINACTIVE; vnode_unlock(vp); - context.vc_proc = current_proc(); - context.vc_ucred = kauth_cred_get(); - VNOP_INACTIVE(vp, &context); + VNOP_INACTIVE(vp, ctx); - vnode_lock(vp); + vnode_lock_spin(vp); /* * because we had to drop the vnode lock before calling * VNOP_INACTIVE, the state of this vnode may have changed... @@ -3240,10 +3901,11 @@ retry: } vp->v_lflag &= ~VL_NEEDINACTIVE; - if ((vp->v_lflag & (VL_MARKTERM | VL_TERMINATE | VL_DEAD)) == VL_MARKTERM) - vnode_reclaim_internal(vp, 1, 0); - - vnode_dropiocount(vp, 1); + if ((vp->v_lflag & (VL_MARKTERM | VL_TERMINATE | VL_DEAD)) == VL_MARKTERM) { + vnode_lock_convert(vp); + vnode_reclaim_internal(vp, 1, 1, 0); + } + vnode_dropiocount(vp); vnode_list_add(vp); return(0); @@ -3263,8 +3925,8 @@ vnode_isinuse_locked(vnode_t vp, int refcnt, int locked) int retval = 0; if (!locked) - vnode_lock(vp); - if ((vp->v_type != VREG) && (vp->v_usecount > refcnt)) { + vnode_lock_spin(vp); + if ((vp->v_type != VREG) && ((vp->v_usecount - vp->v_kusecount) > refcnt)) { retval = 1; goto out; } @@ -3283,64 +3945,93 @@ out: errno_t vnode_resume(vnode_t vp) { + if ((vp->v_lflag & VL_SUSPENDED) && vp->v_owner == current_thread()) { - vnode_lock(vp); - - if (vp->v_owner == current_thread()) { + vnode_lock_spin(vp); vp->v_lflag &= ~VL_SUSPENDED; - vp->v_owner = 0; + vp->v_owner = NULL; vnode_unlock(vp); + wakeup(&vp->v_iocount); - } else - vnode_unlock(vp); + } + return(0); +} + +/* suspend vnode_t + * Please do not use on more than one vnode at a time as it may + * cause deadlocks. + * xxx should we explicity prevent this from happening? + */ + +errno_t +vnode_suspend(vnode_t vp) +{ + if (vp->v_lflag & VL_SUSPENDED) { + return(EBUSY); + } + + vnode_lock_spin(vp); + + /* + * xxx is this sufficient to check if a vnode_drain is + * progress? + */ + + if (vp->v_owner == NULL) { + vp->v_lflag |= VL_SUSPENDED; + vp->v_owner = current_thread(); + } + vnode_unlock(vp); return(0); } + + static errno_t vnode_drain(vnode_t vp) { if (vp->v_lflag & VL_DRAIN) { - panic("vnode_drain: recursuve drain"); + panic("vnode_drain: recursive drain"); return(ENOENT); } vp->v_lflag |= VL_DRAIN; vp->v_owner = current_thread(); while (vp->v_iocount > 1) - msleep(&vp->v_iocount, &vp->v_lock, PVFS, "vnode_drain", 0); + msleep(&vp->v_iocount, &vp->v_lock, PVFS, "vnode_drain", NULL); + + vp->v_lflag &= ~VL_DRAIN; + return(0); } /* * if the number of recent references via vnode_getwithvid or vnode_getwithref - * exceeds this threshhold, than 'UN-AGE' the vnode by removing it from + * exceeds this threshold, than 'UN-AGE' the vnode by removing it from * the LRU list if it's currently on it... once the iocount and usecount both drop * to 0, it will get put back on the end of the list, effectively making it younger * this allows us to keep actively referenced vnodes in the list without having * to constantly remove and add to the list each time a vnode w/o a usecount is * referenced which costs us taking and dropping a global lock twice. */ -#define UNAGE_THRESHHOLD 10 +#define UNAGE_THRESHHOLD 25 errno_t -vnode_getiocount(vnode_t vp, int locked, int vid, int vflags) +vnode_getiocount(vnode_t vp, unsigned int vid, int vflags) { int nodead = vflags & VNODE_NODEAD; int nosusp = vflags & VNODE_NOSUSPEND; - - if (!locked) - vnode_lock(vp); + int always = vflags & VNODE_ALWAYS; + int beatdrain = vflags & VNODE_DRAINO; for (;;) { /* * if it is a dead vnode with deadfs */ - if (nodead && (vp->v_lflag & VL_DEAD) && ((vp->v_type == VBAD) || (vp->v_data == 0))) { - if (!locked) - vnode_unlock(vp); + if (nodead && (vp->v_lflag & VL_DEAD) && ((vp->v_type == VBAD) || (vp->v_data == 0))) { return(ENOENT); } /* @@ -3353,8 +4044,6 @@ vnode_getiocount(vnode_t vp, int locked, int vid, int vflags) * if suspended vnodes are to be failed */ if (nosusp && (vp->v_lflag & VL_SUSPENDED)) { - if (!locked) - vnode_unlock(vp); return(ENOENT); } /* @@ -3365,16 +4054,31 @@ vnode_getiocount(vnode_t vp, int locked, int vid, int vflags) (vp->v_owner == current_thread())) { break; } + + if (always != 0) + break; + + /* + * In some situations, we want to get an iocount + * even if the vnode is draining to prevent deadlock, + * e.g. if we're in the filesystem, potentially holding + * resources that could prevent other iocounts from + * being released. + */ + if (beatdrain && (vp->v_lflag & VL_DRAIN)) { + break; + } + + vnode_lock_convert(vp); + if (vp->v_lflag & VL_TERMINATE) { vp->v_lflag |= VL_TERMWANT; - msleep(&vp->v_lflag, &vp->v_lock, PVFS, "vnode getiocount", 0); + msleep(&vp->v_lflag, &vp->v_lock, PVFS, "vnode getiocount", NULL); } else - msleep(&vp->v_iocount, &vp->v_lock, PVFS, "vnode_getiocount", 0); + msleep(&vp->v_iocount, &vp->v_lock, PVFS, "vnode_getiocount", NULL); } - if (vid != vp->v_id) { - if (!locked) - vnode_unlock(vp); + if (((vflags & VNODE_WITHID) != 0) && vid != vp->v_id) { return(ENOENT); } if (++vp->v_references >= UNAGE_THRESHHOLD) { @@ -3385,18 +4089,14 @@ vnode_getiocount(vnode_t vp, int locked, int vid, int vflags) #ifdef JOE_DEBUG record_vp(vp, 1); #endif - if (!locked) - vnode_unlock(vp); return(0); } static void -vnode_dropiocount (vnode_t vp, int locked) +vnode_dropiocount (vnode_t vp) { - if (!locked) - vnode_lock(vp); if (vp->v_iocount < 1) - panic("vnode_dropiocount(%x): v_iocount < 1", vp); + panic("vnode_dropiocount(%p): v_iocount < 1", vp); vp->v_iocount--; #ifdef JOE_DEBUG @@ -3404,21 +4104,18 @@ vnode_dropiocount (vnode_t vp, int locked) #endif if ((vp->v_lflag & (VL_DRAIN | VL_SUSPENDED)) && (vp->v_iocount <= 1)) wakeup(&vp->v_iocount); - - if (!locked) - vnode_unlock(vp); } void vnode_reclaim(struct vnode * vp) { - vnode_reclaim_internal(vp, 0, 0); + vnode_reclaim_internal(vp, 0, 0, 0); } __private_extern__ void -vnode_reclaim_internal(struct vnode * vp, int locked, int reuse) +vnode_reclaim_internal(struct vnode * vp, int locked, int reuse, int flags) { int isfifo = 0; @@ -3430,22 +4127,38 @@ vnode_reclaim_internal(struct vnode * vp, int locked, int reuse) } vp->v_lflag |= VL_TERMINATE; - if (vnode_drain(vp)) { - panic("vnode drain failed"); - vnode_unlock(vp); - return; - } + vn_clearunionwait(vp, 1); + + vnode_drain(vp); + isfifo = (vp->v_type == VFIFO); if (vp->v_type != VBAD) - vgone(vp); /* clean and reclaim the vnode */ + vgone(vp, flags); /* clean and reclaim the vnode */ /* - * give the vnode a new identity so - * that vnode_getwithvid will fail - * on any stale cache accesses + * give the vnode a new identity so that vnode_getwithvid will fail + * on any stale cache accesses... + * grab the list_lock so that if we're in "new_vnode" + * behind the list_lock trying to steal this vnode, the v_id is stable... + * once new_vnode drops the list_lock, it will block trying to take + * the vnode lock until we release it... at that point it will evaluate + * whether the v_vid has changed + * also need to make sure that the vnode isn't on a list where "new_vnode" + * can find it after the v_id has been bumped until we are completely done + * with the vnode (i.e. putting it back on a list has to be the very last + * thing we do to this vnode... many of the callers of vnode_reclaim_internal + * are holding an io_count on the vnode... they need to drop the io_count + * BEFORE doing a vnode_list_add or make sure to hold the vnode lock until + * they are completely done with the vnode */ + vnode_list_lock(); + + vnode_list_remove_locked(vp); vp->v_id++; + + vnode_list_unlock(); + if (isfifo) { struct fifoinfo * fip; @@ -3453,13 +4166,12 @@ vnode_reclaim_internal(struct vnode * vp, int locked, int reuse) vp->v_fifoinfo = NULL; FREE(fip, M_TEMP); } - vp->v_type = VBAD; if (vp->v_data) panic("vnode_reclaim_internal: cleaned vnode isn't"); if (vp->v_numoutput) - panic("vnode_reclaim_internal: Clean vnode has pending I/O's"); + panic("vnode_reclaim_internal: clean vnode has pending I/O's"); if (UBCINFOEXISTS(vp)) panic("vnode_reclaim_internal: ubcinfo not cleaned"); if (vp->v_parent) @@ -3467,18 +4179,27 @@ vnode_reclaim_internal(struct vnode * vp, int locked, int reuse) if (vp->v_name) panic("vnode_reclaim_internal: vname not removed"); - vp->v_socket = 0; + vp->v_socket = NULL; vp->v_lflag &= ~VL_TERMINATE; - vp->v_lflag &= ~VL_DRAIN; - vp->v_owner = 0; + vp->v_owner = NULL; + + KNOTE(&vp->v_knotes, NOTE_REVOKE); + + /* Make sure that when we reuse the vnode, no knotes left over */ + klist_init(&vp->v_knotes); if (vp->v_lflag & VL_TERMWANT) { vp->v_lflag &= ~VL_TERMWANT; wakeup(&vp->v_lflag); } - if (!reuse && vp->v_usecount == 0) + if (!reuse) { + /* + * make sure we get on the + * dead list if appropriate + */ vnode_list_add(vp); + } if (!locked) vnode_unlock(vp); } @@ -3487,159 +4208,228 @@ vnode_reclaim_internal(struct vnode * vp, int locked, int reuse) * The following api creates a vnode and associates all the parameter specified in vnode_fsparam * structure and returns a vnode handle with a reference. device aliasing is handled here so checkalias * is obsoleted by this. - * vnode_create(int flavor, size_t size, void * param, vnode_t *vp) */ int -vnode_create(int flavor, size_t size, void *data, vnode_t *vpp) +vnode_create(uint32_t flavor, uint32_t size, void *data, vnode_t *vpp) { int error; int insert = 1; vnode_t vp; vnode_t nvp; vnode_t dvp; + struct uthread *ut; struct componentname *cnp; struct vnode_fsparam *param = (struct vnode_fsparam *)data; - - if (flavor == VNCREATE_FLAVOR && (size == VCREATESIZE) && param) { - if ( (error = new_vnode(&vp)) ) { - return(error); - } else { - dvp = param->vnfs_dvp; - cnp = param->vnfs_cnp; +#if CONFIG_TRIGGERS + struct vnode_trigger_param *tinfo = NULL; +#endif + if (param == NULL) + return (EINVAL); - vp->v_op = param->vnfs_vops; - vp->v_type = param->vnfs_vtype; - vp->v_data = param->vnfs_fsnode; - vp->v_iocount = 1; +#if CONFIG_TRIGGERS + if ((flavor == VNCREATE_TRIGGER) && (size == VNCREATE_TRIGGER_SIZE)) { + tinfo = (struct vnode_trigger_param *)data; - if (param->vnfs_markroot) - vp->v_flag |= VROOT; - if (param->vnfs_marksystem) - vp->v_flag |= VSYSTEM; - else if (vp->v_type == VREG) { - /* - * only non SYSTEM vp - */ - error = ubc_info_init_withsize(vp, param->vnfs_filesize); - if (error) { + /* Validate trigger vnode input */ + if ((param->vnfs_vtype != VDIR) || + (tinfo->vnt_resolve_func == NULL) || + (tinfo->vnt_flags & ~VNT_VALID_MASK)) { + return (EINVAL); + } + /* Fall through a normal create (params will be the same) */ + flavor = VNCREATE_FLAVOR; + size = VCREATESIZE; + } +#endif + if ((flavor != VNCREATE_FLAVOR) || (size != VCREATESIZE)) + return (EINVAL); + + if ( (error = new_vnode(&vp)) ) + return(error); + + dvp = param->vnfs_dvp; + cnp = param->vnfs_cnp; + + vp->v_op = param->vnfs_vops; + vp->v_type = param->vnfs_vtype; + vp->v_data = param->vnfs_fsnode; + + if (param->vnfs_markroot) + vp->v_flag |= VROOT; + if (param->vnfs_marksystem) + vp->v_flag |= VSYSTEM; + if (vp->v_type == VREG) { + error = ubc_info_init_withsize(vp, param->vnfs_filesize); + if (error) { #ifdef JOE_DEBUG - record_vp(vp, 1); + record_vp(vp, 1); #endif - vp->v_mount = 0; - vp->v_op = dead_vnodeop_p; - vp->v_tag = VT_NON; - vp->v_data = NULL; - vp->v_type = VBAD; - vp->v_lflag |= VL_DEAD; - - vnode_put(vp); - return(error); - } - } + vp->v_mount = NULL; + vp->v_op = dead_vnodeop_p; + vp->v_tag = VT_NON; + vp->v_data = NULL; + vp->v_type = VBAD; + vp->v_lflag |= VL_DEAD; + + vnode_put(vp); + return(error); + } + } +#ifdef JOE_DEBUG + record_vp(vp, 1); +#endif + +#if CONFIG_TRIGGERS + /* + * For trigger vnodes, attach trigger info to vnode + */ + if ((vp->v_type == VDIR) && (tinfo != NULL)) { + /* + * Note: has a side effect of incrementing trigger count on the + * mount if successful, which we would need to undo on a + * subsequent failure. + */ +#ifdef JOE_DEBUG + record_vp(vp, -1); +#endif + error = vnode_resolver_create(param->vnfs_mp, vp, tinfo, FALSE); + if (error) { + printf("vnode_create: vnode_resolver_create() err %d\n", error); + vp->v_mount = NULL; + vp->v_op = dead_vnodeop_p; + vp->v_tag = VT_NON; + vp->v_data = NULL; + vp->v_type = VBAD; + vp->v_lflag |= VL_DEAD; #ifdef JOE_DEBUG record_vp(vp, 1); #endif - if (vp->v_type == VCHR || vp->v_type == VBLK) { - - if ( (nvp = checkalias(vp, param->vnfs_rdev)) ) { - /* - * if checkalias returns a vnode, it will be locked - * - * first get rid of the unneeded vnode we acquired - */ - vp->v_data = NULL; - vp->v_op = spec_vnodeop_p; - vp->v_type = VBAD; - vp->v_lflag = VL_DEAD; - vp->v_data = NULL; - vp->v_tag = VT_NON; - vnode_put(vp); + vnode_put(vp); + return (error); + } + } +#endif + if (vp->v_type == VCHR || vp->v_type == VBLK) { - /* - * switch to aliased vnode and finish - * preparing it - */ - vp = nvp; - - vclean(vp, 0, current_proc()); - vp->v_op = param->vnfs_vops; - vp->v_type = param->vnfs_vtype; - vp->v_data = param->vnfs_fsnode; - vp->v_lflag = 0; - vp->v_mount = NULL; - insmntque(vp, param->vnfs_mp); - insert = 0; - vnode_unlock(vp); - } - } + vp->v_tag = VT_DEVFS; /* callers will reset if needed (bdevvp) */ - if (vp->v_type == VFIFO) { - struct fifoinfo *fip; + if ( (nvp = checkalias(vp, param->vnfs_rdev)) ) { + /* + * if checkalias returns a vnode, it will be locked + * + * first get rid of the unneeded vnode we acquired + */ + vp->v_data = NULL; + vp->v_op = spec_vnodeop_p; + vp->v_type = VBAD; + vp->v_lflag = VL_DEAD; + vp->v_data = NULL; + vp->v_tag = VT_NON; + vnode_put(vp); - MALLOC(fip, struct fifoinfo *, - sizeof(*fip), M_TEMP, M_WAITOK); - bzero(fip, sizeof(struct fifoinfo )); - vp->v_fifoinfo = fip; - } - /* The file systems usually pass the address of the location where - * where there store the vnode pointer. When we add the vnode in mount - * point and name cache they are discoverable. So the file system node - * will have the connection to vnode setup by then + /* + * switch to aliased vnode and finish + * preparing it */ - *vpp = vp; - - if (param->vnfs_mp) { - if (param->vnfs_mp->mnt_kern_flag & MNTK_LOCK_LOCAL) - vp->v_flag |= VLOCKLOCAL; - if (insert) { - /* - * enter in mount vnode list - */ - insmntque(vp, param->vnfs_mp); - } -#ifdef INTERIM_FSNODE_LOCK - if (param->vnfs_mp->mnt_vtable->vfc_threadsafe == 0) { - MALLOC_ZONE(vp->v_unsafefs, struct unsafe_fsnode *, - sizeof(struct unsafe_fsnode), M_UNSAFEFS, M_WAITOK); - vp->v_unsafefs->fsnode_count = 0; - vp->v_unsafefs->fsnodeowner = (void *)NULL; - lck_mtx_init(&vp->v_unsafefs->fsnodelock, vnode_lck_grp, vnode_lck_attr); - } -#endif /* INTERIM_FSNODE_LOCK */ - } - if (dvp && vnode_ref(dvp) == 0) { - vp->v_parent = dvp; - } - if (cnp) { - if (dvp && ((param->vnfs_flags & (VNFS_NOCACHE | VNFS_CANTCACHE)) == 0)) { - /* - * enter into name cache - * we've got the info to enter it into the name cache now - */ - cache_enter(dvp, vp, cnp); - } - vp->v_name = vfs_addname(cnp->cn_nameptr, cnp->cn_namelen, cnp->cn_hash, 0); - } - if ((param->vnfs_flags & VNFS_CANTCACHE) == 0) { - /* - * this vnode is being created as cacheable in the name cache - * this allows us to re-enter it in the cache - */ - vp->v_flag |= VNCACHEABLE; - } - if ((vp->v_flag & VSYSTEM) && (vp->v_type != VREG)) - panic("incorrect vnode setup"); + vp = nvp; - return(0); + vclean(vp, 0); + vp->v_op = param->vnfs_vops; + vp->v_type = param->vnfs_vtype; + vp->v_data = param->vnfs_fsnode; + vp->v_lflag = 0; + vp->v_mount = NULL; + insmntque(vp, param->vnfs_mp); + insert = 0; + vnode_unlock(vp); + } + } + + if (vp->v_type == VFIFO) { + struct fifoinfo *fip; + + MALLOC(fip, struct fifoinfo *, + sizeof(*fip), M_TEMP, M_WAITOK); + bzero(fip, sizeof(struct fifoinfo )); + vp->v_fifoinfo = fip; + } + /* The file systems must pass the address of the location where + * they store the vnode pointer. When we add the vnode into the mount + * list and name cache they become discoverable. So the file system node + * must have the connection to vnode setup by then + */ + *vpp = vp; + + /* Add fs named reference. */ + if (param->vnfs_flags & VNFS_ADDFSREF) { + vp->v_lflag |= VNAMED_FSHASH; + } + if (param->vnfs_mp) { + if (param->vnfs_mp->mnt_kern_flag & MNTK_LOCK_LOCAL) + vp->v_flag |= VLOCKLOCAL; + if (insert) { + if ((vp->v_freelist.tqe_prev != (struct vnode **)0xdeadb)) + panic("insmntque: vp on the free list\n"); + + /* + * enter in mount vnode list + */ + insmntque(vp, param->vnfs_mp); } +#ifndef __LP64__ + if ((param->vnfs_mp->mnt_vtable->vfc_vfsflags & VFC_VFSTHREADSAFE) == 0) { + MALLOC_ZONE(vp->v_unsafefs, struct unsafe_fsnode *, + sizeof(struct unsafe_fsnode), M_UNSAFEFS, M_WAITOK); + vp->v_unsafefs->fsnode_count = 0; + vp->v_unsafefs->fsnodeowner = (void *)NULL; + lck_mtx_init(&vp->v_unsafefs->fsnodelock, vnode_lck_grp, vnode_lck_attr); + } +#endif /* __LP64__ */ + } + if (dvp && vnode_ref(dvp) == 0) { + vp->v_parent = dvp; + } + if (cnp) { + if (dvp && ((param->vnfs_flags & (VNFS_NOCACHE | VNFS_CANTCACHE)) == 0)) { + /* + * enter into name cache + * we've got the info to enter it into the name cache now + * cache_enter_create will pick up an extra reference on + * the name entered into the string cache + */ + vp->v_name = cache_enter_create(dvp, vp, cnp); + } else + vp->v_name = vfs_addname(cnp->cn_nameptr, cnp->cn_namelen, cnp->cn_hash, 0); + + if ((cnp->cn_flags & UNIONCREATED) == UNIONCREATED) + vp->v_flag |= VISUNION; + } + if ((param->vnfs_flags & VNFS_CANTCACHE) == 0) { + /* + * this vnode is being created as cacheable in the name cache + * this allows us to re-enter it in the cache + */ + vp->v_flag |= VNCACHEABLE; + } + ut = get_bsdthread_info(current_thread()); + + if ((current_proc()->p_lflag & P_LRAGE_VNODES) || + (ut->uu_flag & UT_RAGE_VNODES)) { + /* + * process has indicated that it wants any + * vnodes created on its behalf to be rapidly + * aged to reduce the impact on the cached set + * of vnodes + */ + vp->v_flag |= VRAGE; } - return (EINVAL); + return (0); } int vnode_addfsref(vnode_t vp) { - vnode_lock(vp); + vnode_lock_spin(vp); if (vp->v_lflag & VNAMED_FSHASH) panic("add_fsref: vp already has named reference"); if ((vp->v_freelist.tqe_prev != (struct vnode **)0xdeadb)) @@ -3652,7 +4442,7 @@ vnode_addfsref(vnode_t vp) int vnode_removefsref(vnode_t vp) { - vnode_lock(vp); + vnode_lock_spin(vp); if ((vp->v_lflag & VNAMED_FSHASH) == 0) panic("remove_fsref: no named reference"); vp->v_lflag &= ~VNAMED_FSHASH; @@ -3663,13 +4453,14 @@ vnode_removefsref(vnode_t vp) int -vfs_iterate(__unused int flags, int (*callout)(mount_t, void *), void *arg) +vfs_iterate(int flags, int (*callout)(mount_t, void *), void *arg) { mount_t mp; int ret = 0; fsid_t * fsid_list; int count, actualcount, i; void * allocmem; + int indx_start, indx_stop, indx_incr; count = mount_getvfscnt(); count += 10; @@ -3679,7 +4470,21 @@ vfs_iterate(__unused int flags, int (*callout)(mount_t, void *), void *arg) actualcount = mount_fillfsids(fsid_list, count); - for (i=0; i< actualcount; i++) { + /* + * Establish the iteration direction + * VFS_ITERATE_TAIL_FIRST overrides default head first order (oldest first) + */ + if (flags & VFS_ITERATE_TAIL_FIRST) { + indx_start = actualcount - 1; + indx_stop = -1; + indx_incr = -1; + } else /* Head first by default */ { + indx_start = 0; + indx_stop = actualcount; + indx_incr = 1; + } + + for (i=indx_start; i != indx_stop; i += indx_incr) { /* obtain the mount point with iteration reference */ mp = mount_list_lookupby_fsid(&fsid_list[i], 0, 1); @@ -3726,9 +4531,12 @@ out: /* * Update the vfsstatfs structure in the mountpoint. + * MAC: Parameter eventtype added, indicating whether the event that + * triggered this update came from user space, via a system call + * (VFS_USER_EVENT) or an internal kernel call (VFS_KERNEL_EVENT). */ int -vfs_update_vfsstat(mount_t mp, vfs_context_t ctx) +vfs_update_vfsstat(mount_t mp, vfs_context_t ctx, __unused int eventtype) { struct vfs_attr va; int error; @@ -3747,6 +4555,14 @@ vfs_update_vfsstat(mount_t mp, vfs_context_t ctx) VFSATTR_WANTED(&va, f_ffree); VFSATTR_WANTED(&va, f_bsize); VFSATTR_WANTED(&va, f_fssubtype); +#if CONFIG_MACF + if (eventtype == VFS_USER_EVENT) { + error = mac_mount_check_getattr(ctx, mp, &va); + if (error != 0) + return (error); + } +#endif + if ((error = vfs_getattr(mp, &va, ctx)) != 0) { KAUTH_DEBUG("STAT - filesystem returned error %d", error); return(error); @@ -3771,7 +4587,8 @@ vfs_update_vfsstat(mount_t mp, vfs_context_t ctx) * */ if (VFSATTR_IS_SUPPORTED(&va, f_bsize)) { - mp->mnt_vfsstat.f_bsize = va.f_bsize; + /* 4822056 - protect against malformed server mount */ + mp->mnt_vfsstat.f_bsize = (va.f_bsize > 0 ? va.f_bsize : 512); } else { mp->mnt_vfsstat.f_bsize = mp->mnt_devblocksize; /* default from the device block size */ } @@ -3800,13 +4617,22 @@ vfs_update_vfsstat(mount_t mp, vfs_context_t ctx) return(0); } -void +int mount_list_add(mount_t mp) { + int res; + mount_list_lock(); - TAILQ_INSERT_TAIL(&mountlist, mp, mnt_list); - nummounts++; + if (system_inshutdown != 0) { + res = -1; + } else { + TAILQ_INSERT_TAIL(&mountlist, mp, mnt_list); + nummounts++; + res = 0; + } mount_list_unlock(); + + return res; } void @@ -3815,8 +4641,8 @@ mount_list_remove(mount_t mp) mount_list_lock(); TAILQ_REMOVE(&mountlist, mp, mnt_list); nummounts--; - mp->mnt_list.tqe_next = 0; - mp->mnt_list.tqe_prev = 0; + mp->mnt_list.tqe_next = NULL; + mp->mnt_list.tqe_prev = NULL; mount_list_unlock(); } @@ -3824,12 +4650,14 @@ mount_t mount_lookupby_volfsid(int volfs_id, int withref) { mount_t cur_mount = (mount_t)0; - mount_t mp ; + mount_t mp; mount_list_lock(); - TAILQ_FOREACH(mp, &mountlist, mnt_list) { - if (validfsnode(mp) && mp->mnt_vfsstat.f_fsid.val[0] == volfs_id) { - cur_mount = mp; + TAILQ_FOREACH(mp, &mountlist, mnt_list) { + if (!(mp->mnt_kern_flag & MNTK_UNMOUNT) && + (mp->mnt_kern_flag & MNTK_PATH_FROM_ID) && + (mp->mnt_vfsstat.f_fsid.val[0] == volfs_id)) { + cur_mount = mp; if (withref) { if (mount_iterref(cur_mount, 1)) { cur_mount = (mount_t)0; @@ -3837,27 +4665,23 @@ mount_lookupby_volfsid(int volfs_id, int withref) goto out; } } - break; - } + break; + } } mount_list_unlock(); if (withref && (cur_mount != (mount_t)0)) { mp = cur_mount; if (vfs_busy(mp, LK_NOWAIT) != 0) { cur_mount = (mount_t)0; - } + } mount_iterdrop(mp); } out: return(cur_mount); } - mount_t -mount_list_lookupby_fsid(fsid, locked, withref) - fsid_t *fsid; - int locked; - int withref; +mount_list_lookupby_fsid(fsid_t *fsid, int locked, int withref) { mount_t retmp = (mount_t)0; mount_t mp; @@ -3881,18 +4705,14 @@ out: } errno_t -vnode_lookup(const char *path, int flags, vnode_t *vpp, vfs_context_t context) +vnode_lookup(const char *path, int flags, vnode_t *vpp, vfs_context_t ctx) { struct nameidata nd; int error; - struct vfs_context context2; - vfs_context_t ctx = context; - u_long ndflags = 0; + u_int32_t ndflags = 0; - if (context == NULL) { /* XXX technically an error */ - context2.vc_proc = current_proc(); - context2.vc_ucred = kauth_cred_get(); - ctx = &context2; + if (ctx == NULL) { /* XXX technically an error */ + ctx = vfs_context_current(); } if (flags & VNODE_LOOKUP_NOFOLLOW) @@ -3906,7 +4726,8 @@ vnode_lookup(const char *path, int flags, vnode_t *vpp, vfs_context_t context) ndflags |= DOWHITEOUT; /* XXX AUDITVNPATH1 needed ? */ - NDINIT(&nd, LOOKUP, ndflags, UIO_SYSSPACE, CAST_USER_ADDR_T(path), ctx); + NDINIT(&nd, LOOKUP, OP_LOOKUP, ndflags, UIO_SYSSPACE, + CAST_USER_ADDR_T(path), ctx); if ((error = namei(&nd))) return (error); @@ -3917,19 +4738,15 @@ vnode_lookup(const char *path, int flags, vnode_t *vpp, vfs_context_t context) } errno_t -vnode_open(const char *path, int fmode, int cmode, int flags, vnode_t *vpp, vfs_context_t context) +vnode_open(const char *path, int fmode, int cmode, int flags, vnode_t *vpp, vfs_context_t ctx) { struct nameidata nd; int error; - struct vfs_context context2; - vfs_context_t ctx = context; - u_long ndflags = 0; + u_int32_t ndflags = 0; int lflags = flags; - if (context == NULL) { /* XXX technically an error */ - context2.vc_proc = current_proc(); - context2.vc_ucred = kauth_cred_get(); - ctx = &context2; + if (ctx == NULL) { /* XXX technically an error */ + ctx = vfs_context_current(); } if (fmode & O_NOFOLLOW) @@ -3946,7 +4763,8 @@ vnode_open(const char *path, int fmode, int cmode, int flags, vnode_t *vpp, vfs_ ndflags |= DOWHITEOUT; /* XXX AUDITVNPATH1 needed ? */ - NDINIT(&nd, LOOKUP, ndflags, UIO_SYSSPACE, CAST_USER_ADDR_T(path), ctx); + NDINIT(&nd, LOOKUP, OP_OPEN, ndflags, UIO_SYSSPACE, + CAST_USER_ADDR_T(path), ctx); if ((error = vn_open(&nd, fmode, cmode))) *vpp = NULL; @@ -3957,25 +4775,23 @@ vnode_open(const char *path, int fmode, int cmode, int flags, vnode_t *vpp, vfs_ } errno_t -vnode_close(vnode_t vp, int flags, vfs_context_t context) +vnode_close(vnode_t vp, int flags, vfs_context_t ctx) { - kauth_cred_t cred; - struct proc *p; int error; - if (context) { - p = context->vc_proc; - cred = context->vc_ucred; - } else { - p = current_proc(); - cred = kauth_cred_get(); + if (ctx == NULL) { + ctx = vfs_context_current(); } - error = vn_close(vp, flags, cred, p); + error = vn_close(vp, flags, ctx); vnode_put(vp); return (error); } +/* + * Returns: 0 Success + * vnode_getattr:??? + */ errno_t vnode_size(vnode_t vp, off_t *sizep, vfs_context_t ctx) { @@ -4001,6 +4817,18 @@ vnode_setsize(vnode_t vp, off_t size, int ioflag, vfs_context_t ctx) return(vnode_setattr(vp, &va, ctx)); } +static int +vn_create_reg(vnode_t dvp, vnode_t *vpp, struct nameidata *ndp, struct vnode_attr *vap, uint32_t flags, int fmode, uint32_t *statusp, vfs_context_t ctx) +{ + /* Only use compound VNOP for compound operation */ + if (vnode_compound_open_available(dvp) && ((flags & VN_CREATE_DOOPEN) != 0)) { + *vpp = NULLVP; + return VNOP_COMPOUND_OPEN(dvp, vpp, ndp, VNOP_COMPOUND_OPEN_DO_CREATE, fmode, statusp, vap, ctx); + } else { + return VNOP_CREATE(dvp, vpp, &ndp->ni_cnd, vap, ctx); + } +} + /* * Create a filesystem object of arbitrary type with arbitrary attributes in * the spevied directory with the specified name. @@ -4043,70 +4871,48 @@ vnode_setsize(vnode_t vp, off_t size, int ioflag, vfs_context_t ctx) * in the code they originated. */ errno_t -vn_create(vnode_t dvp, vnode_t *vpp, struct componentname *cnp, struct vnode_attr *vap, int flags, vfs_context_t ctx) +vn_create(vnode_t dvp, vnode_t *vpp, struct nameidata *ndp, struct vnode_attr *vap, uint32_t flags, int fmode, uint32_t *statusp, vfs_context_t ctx) { - kauth_acl_t oacl, nacl; - int initial_acl; - errno_t error; + errno_t error, old_error; vnode_t vp = (vnode_t)0; + boolean_t batched; + struct componentname *cnp; + uint32_t defaulted; + cnp = &ndp->ni_cnd; error = 0; - oacl = nacl = NULL; - initial_acl = 0; + batched = namei_compound_available(dvp, ndp) ? TRUE : FALSE; KAUTH_DEBUG("%p CREATE - '%s'", dvp, cnp->cn_nameptr); + if (flags & VN_CREATE_NOINHERIT) + vap->va_vaflags |= VA_NOINHERIT; + if (flags & VN_CREATE_NOAUTH) + vap->va_vaflags |= VA_NOAUTH; /* - * Handle ACL inheritance. + * Handle ACL inheritance, initialize vap. */ - if (!(flags & VN_CREATE_NOINHERIT) && vfs_extendedsecurity(dvp->v_mount)) { - /* save the original filesec */ - if (VATTR_IS_ACTIVE(vap, va_acl)) { - initial_acl = 1; - oacl = vap->va_acl; - } + error = vn_attribute_prepare(dvp, vap, &defaulted, ctx); + if (error) { + return error; + } - vap->va_acl = NULL; - if ((error = kauth_acl_inherit(dvp, - oacl, - &nacl, - vap->va_type == VDIR, - ctx)) != 0) { - KAUTH_DEBUG("%p CREATE - error %d processing inheritance", dvp, error); - return(error); - } + if (vap->va_type != VREG && (fmode != 0 || (flags & VN_CREATE_DOOPEN) || statusp)) { + panic("Open parameters, but not a regular file."); + } + if ((fmode != 0) && ((flags & VN_CREATE_DOOPEN) == 0)) { + panic("Mode for open, but not trying to open..."); + } - /* - * If the generated ACL is NULL, then we can save ourselves some effort - * by clearing the active bit. - */ - if (nacl == NULL) { - VATTR_CLEAR_ACTIVE(vap, va_acl); - } else { - VATTR_SET(vap, va_acl, nacl); - } - } - - /* - * Check and default new attributes. - * This will set va_uid, va_gid, va_mode and va_create_time at least, if the caller - * hasn't supplied them. - */ - if ((error = vnode_authattr_new(dvp, vap, flags & VN_CREATE_NOAUTH, ctx)) != 0) { - KAUTH_DEBUG("%p CREATE - error %d handing/defaulting attributes", dvp, error); - goto out; - } - - /* * Create the requested node. */ switch(vap->va_type) { case VREG: - error = VNOP_CREATE(dvp, vpp, cnp, vap, ctx); + error = vn_create_reg(dvp, vpp, ndp, vap, flags, fmode, statusp, ctx); break; case VDIR: - error = VNOP_MKDIR(dvp, vpp, cnp, vap, ctx); + error = vn_mkdir(dvp, vpp, ndp, vap, ctx); break; case VSOCK: case VFIFO: @@ -4123,6 +4929,16 @@ vn_create(vnode_t dvp, vnode_t *vpp, struct componentname *cnp, struct vnode_att } vp = *vpp; + old_error = error; + +#if CONFIG_MACF + if (!(flags & VN_CREATE_NOLABEL)) { + error = vnode_label(vnode_mount(vp), dvp, vp, cnp, VNODE_LABEL_CREATE, ctx); + if (error) + goto error; + } +#endif + /* * If some of the requested attributes weren't handled by the VNOP, * use our fallback code. @@ -4131,30 +4947,33 @@ vn_create(vnode_t dvp, vnode_t *vpp, struct componentname *cnp, struct vnode_att KAUTH_DEBUG(" CREATE - doing fallback with ACL %p", vap->va_acl); error = vnode_setattr_fallback(*vpp, vap, ctx); } - if ((error != 0 ) && (vp != (vnode_t)0)) { - *vpp = (vnode_t) 0; - vnode_put(vp); +#if CONFIG_MACF +error: +#endif + if ((error != 0) && (vp != (vnode_t)0)) { + + /* If we've done a compound open, close */ + if (batched && (old_error == 0) && (vap->va_type == VREG)) { + VNOP_CLOSE(vp, fmode, ctx); + } + + /* Need to provide notifications if a create succeeded */ + if (!batched) { + *vpp = (vnode_t) 0; + vnode_put(vp); + } } out: - /* - * If the caller supplied a filesec in vap, it has been replaced - * now by the post-inheritance copy. We need to put the original back - * and free the inherited product. - */ - if (initial_acl) { - VATTR_SET(vap, va_acl, oacl); - } else { - VATTR_CLEAR_ACTIVE(vap, va_acl); - } - if (nacl != NULL) - kauth_acl_free(nacl); + vn_attribute_cleanup(vap, defaulted); return(error); } static kauth_scope_t vnode_scope; -static int vnode_authorize_callback(kauth_cred_t credential, __unused void *idata, kauth_action_t action, +static int vnode_authorize_callback(kauth_cred_t credential, void *idata, kauth_action_t action, + uintptr_t arg0, uintptr_t arg1, uintptr_t arg2, uintptr_t arg3); +static int vnode_authorize_callback_int(__unused kauth_cred_t credential, __unused void *idata, kauth_action_t action, uintptr_t arg0, uintptr_t arg1, uintptr_t arg2, uintptr_t arg3); typedef struct _vnode_authorize_context { @@ -4177,1671 +4996,3455 @@ vnode_authorize_init(void) vnode_scope = kauth_register_scope(KAUTH_SCOPE_VNODE, vnode_authorize_callback, NULL); } -/* - * Authorize an operation on a vnode. - * - * This is KPI, but here because it needs vnode_scope. - */ +#define VATTR_PREPARE_DEFAULTED_UID 0x1 +#define VATTR_PREPARE_DEFAULTED_GID 0x2 +#define VATTR_PREPARE_DEFAULTED_MODE 0x4 + int -vnode_authorize(vnode_t vp, vnode_t dvp, kauth_action_t action, vfs_context_t context) +vn_attribute_prepare(vnode_t dvp, struct vnode_attr *vap, uint32_t *defaulted_fieldsp, vfs_context_t ctx) { - int error, result; + kauth_acl_t nacl = NULL, oacl = NULL; + int error; /* - * We can't authorize against a dead vnode; allow all operations through so that - * the correct error can be returned. + * Handle ACL inheritance. */ - if (vp->v_type == VBAD) - return(0); + if (!(vap->va_vaflags & VA_NOINHERIT) && vfs_extendedsecurity(dvp->v_mount)) { + /* save the original filesec */ + if (VATTR_IS_ACTIVE(vap, va_acl)) { + oacl = vap->va_acl; + } + + vap->va_acl = NULL; + if ((error = kauth_acl_inherit(dvp, + oacl, + &nacl, + vap->va_type == VDIR, + ctx)) != 0) { + KAUTH_DEBUG("%p CREATE - error %d processing inheritance", dvp, error); + return(error); + } + + /* + * If the generated ACL is NULL, then we can save ourselves some effort + * by clearing the active bit. + */ + if (nacl == NULL) { + VATTR_CLEAR_ACTIVE(vap, va_acl); + } else { + vap->va_base_acl = oacl; + VATTR_SET(vap, va_acl, nacl); + } + } - error = 0; - result = kauth_authorize_action(vnode_scope, vfs_context_ucred(context), action, - (uintptr_t)context, (uintptr_t)vp, (uintptr_t)dvp, (uintptr_t)&error); - if (result == EPERM) /* traditional behaviour */ - result = EACCES; - /* did the lower layers give a better error return? */ - if ((result != 0) && (error != 0)) - return(error); - return(result); + error = vnode_authattr_new_internal(dvp, vap, (vap->va_vaflags & VA_NOAUTH), defaulted_fieldsp, ctx); + if (error) { + vn_attribute_cleanup(vap, *defaulted_fieldsp); + } + + return error; } -/* - * Test for vnode immutability. - * - * The 'append' flag is set when the authorization request is constrained - * to operations which only request the right to append to a file. - * - * The 'ignore' flag is set when an operation modifying the immutability flags - * is being authorized. We check the system securelevel to determine which - * immutability flags we can ignore. - */ -static int -vnode_immutable(struct vnode_attr *vap, int append, int ignore) +void +vn_attribute_cleanup(struct vnode_attr *vap, uint32_t defaulted_fields) { - int mask; - - /* start with all bits precluding the operation */ - mask = IMMUTABLE | APPEND; + /* + * If the caller supplied a filesec in vap, it has been replaced + * now by the post-inheritance copy. We need to put the original back + * and free the inherited product. + */ + kauth_acl_t nacl, oacl; - /* if appending only, remove the append-only bits */ - if (append) - mask &= ~APPEND; + if (VATTR_IS_ACTIVE(vap, va_acl)) { + nacl = vap->va_acl; + oacl = vap->va_base_acl; - /* ignore only set when authorizing flags changes */ - if (ignore) { - if (securelevel <= 0) { - /* in insecure state, flags do not inhibit changes */ - mask = 0; + if (oacl) { + VATTR_SET(vap, va_acl, oacl); + vap->va_base_acl = NULL; } else { - /* in secure state, user flags don't inhibit */ - mask &= ~(UF_IMMUTABLE | UF_APPEND); + VATTR_CLEAR_ACTIVE(vap, va_acl); + } + + if (nacl != NULL) { + kauth_acl_free(nacl); } } - KAUTH_DEBUG("IMMUTABLE - file flags 0x%x mask 0x%x append = %d ignore = %d", vap->va_flags, mask, append, ignore); - if ((vap->va_flags & mask) != 0) - return(EPERM); - return(0); + + if ((defaulted_fields & VATTR_PREPARE_DEFAULTED_MODE) != 0) { + VATTR_CLEAR_ACTIVE(vap, va_mode); + } + if ((defaulted_fields & VATTR_PREPARE_DEFAULTED_GID) != 0) { + VATTR_CLEAR_ACTIVE(vap, va_gid); + } + if ((defaulted_fields & VATTR_PREPARE_DEFAULTED_UID) != 0) { + VATTR_CLEAR_ACTIVE(vap, va_uid); + } + + return; } -static int -vauth_node_owner(struct vnode_attr *vap, kauth_cred_t cred) +int +vn_authorize_unlink(vnode_t dvp, vnode_t vp, struct componentname *cnp, vfs_context_t ctx, __unused void *reserved) { - int result; - - /* default assumption is not-owner */ - result = 0; + int error = 0; /* - * If the filesystem has given us a UID, we treat this as authoritative. + * Normally, unlinking of directories is not supported. + * However, some file systems may have limited support. */ - if (vap && VATTR_IS_SUPPORTED(vap, va_uid)) { - result = (vap->va_uid == kauth_cred_getuid(cred)) ? 1 : 0; + if ((vp->v_type == VDIR) && + !(vp->v_mount->mnt_vtable->vfc_vfsflags & VFC_VFSDIRLINKS)) { + return (EPERM); /* POSIX */ } - /* we could test the owner UUID here if we had a policy for it */ - - return(result); + + /* authorize the delete operation */ +#if CONFIG_MACF + if (!error) + error = mac_vnode_check_unlink(ctx, dvp, vp, cnp); +#endif /* MAC */ + if (!error) + error = vnode_authorize(vp, dvp, KAUTH_VNODE_DELETE, ctx); + + return error; } -static int -vauth_node_group(struct vnode_attr *vap, kauth_cred_t cred, int *ismember) +int +vn_authorize_open_existing(vnode_t vp, struct componentname *cnp, int fmode, vfs_context_t ctx, void *reserved) { - int error; - int result; - - error = 0; - result = 0; + /* Open of existing case */ + kauth_action_t action; + int error = 0; - /* the caller is expected to have asked the filesystem for a group at some point */ - if (vap && VATTR_IS_SUPPORTED(vap, va_gid)) { - error = kauth_cred_ismember_gid(cred, vap->va_gid, &result); + if (cnp->cn_ndp == NULL) { + panic("NULL ndp"); + } + if (reserved != NULL) { + panic("reserved not NULL."); } - /* we could test the group UUID here if we had a policy for it */ - - if (!error) - *ismember = result; - return(error); -} -static int -vauth_file_owner(vauth_ctx vcp) -{ - int result; +#if CONFIG_MACF + /* XXX may do duplicate work here, but ignore that for now (idempotent) */ + if (vfs_flags(vnode_mount(vp)) & MNT_MULTILABEL) { + error = vnode_label(vnode_mount(vp), NULL, vp, NULL, 0, ctx); + if (error) + return (error); + } +#endif - if (vcp->flags_valid & _VAC_IS_OWNER) { - result = (vcp->flags & _VAC_IS_OWNER) ? 1 : 0; - } else { - result = vauth_node_owner(vcp->vap, vcp->ctx->vc_ucred); + if ( (fmode & O_DIRECTORY) && vp->v_type != VDIR ) { + return (ENOTDIR); + } - /* cache our result */ - vcp->flags_valid |= _VAC_IS_OWNER; - if (result) { - vcp->flags |= _VAC_IS_OWNER; - } else { - vcp->flags &= ~_VAC_IS_OWNER; - } + if (vp->v_type == VSOCK && vp->v_tag != VT_FDESC) { + return (EOPNOTSUPP); /* Operation not supported on socket */ } - return(result); -} -static int -vauth_file_ingroup(vauth_ctx vcp, int *ismember) -{ - int error; + if (vp->v_type == VLNK && (fmode & O_NOFOLLOW) != 0) { + return (ELOOP); /* O_NOFOLLOW was specified and the target is a symbolic link */ + } - if (vcp->flags_valid & _VAC_IN_GROUP) { - *ismember = (vcp->flags & _VAC_IN_GROUP) ? 1 : 0; - error = 0; - } else { - error = vauth_node_group(vcp->vap, vcp->ctx->vc_ucred, ismember); + /* disallow write operations on directories */ + if (vnode_isdir(vp) && (fmode & (FWRITE | O_TRUNC))) { + return (EISDIR); + } - if (!error) { - /* cache our result */ - vcp->flags_valid |= _VAC_IN_GROUP; - if (*ismember) { - vcp->flags |= _VAC_IN_GROUP; - } else { - vcp->flags &= ~_VAC_IN_GROUP; - } + if ((cnp->cn_ndp->ni_flag & NAMEI_TRAILINGSLASH)) { + if (vp->v_type != VDIR) { + return (ENOTDIR); } - } - return(error); -} - -static int -vauth_dir_owner(vauth_ctx vcp) -{ - int result; - if (vcp->flags_valid & _VAC_IS_DIR_OWNER) { - result = (vcp->flags & _VAC_IS_DIR_OWNER) ? 1 : 0; - } else { - result = vauth_node_owner(vcp->dvap, vcp->ctx->vc_ucred); +#if CONFIG_MACF + /* If a file being opened is a shadow file containing + * namedstream data, ignore the macf checks because it + * is a kernel internal file and access should always + * be allowed. + */ + if (!(vnode_isshadow(vp) && vnode_isnamedstream(vp))) { + error = mac_vnode_check_open(ctx, vp, fmode); + if (error) { + return (error); + } + } +#endif - /* cache our result */ - vcp->flags_valid |= _VAC_IS_DIR_OWNER; - if (result) { - vcp->flags |= _VAC_IS_DIR_OWNER; + /* compute action to be authorized */ + action = 0; + if (fmode & FREAD) { + action |= KAUTH_VNODE_READ_DATA; + } + if (fmode & (FWRITE | O_TRUNC)) { + /* + * If we are writing, appending, and not truncating, + * indicate that we are appending so that if the + * UF_APPEND or SF_APPEND bits are set, we do not deny + * the open. + */ + if ((fmode & O_APPEND) && !(fmode & O_TRUNC)) { + action |= KAUTH_VNODE_APPEND_DATA; } else { - vcp->flags &= ~_VAC_IS_DIR_OWNER; + action |= KAUTH_VNODE_WRITE_DATA; } } - return(result); + return (vnode_authorize(vp, NULL, action, ctx)); } -static int -vauth_dir_ingroup(vauth_ctx vcp, int *ismember) +int +vn_authorize_create(vnode_t dvp, struct componentname *cnp, struct vnode_attr *vap, vfs_context_t ctx, void *reserved) { - int error; + /* Creation case */ + int error; - if (vcp->flags_valid & _VAC_IN_DIR_GROUP) { - *ismember = (vcp->flags & _VAC_IN_DIR_GROUP) ? 1 : 0; - error = 0; - } else { - error = vauth_node_group(vcp->dvap, vcp->ctx->vc_ucred, ismember); + if (cnp->cn_ndp == NULL) { + panic("NULL cn_ndp"); + } + if (reserved != NULL) { + panic("reserved not NULL."); + } - if (!error) { - /* cache our result */ - vcp->flags_valid |= _VAC_IN_DIR_GROUP; - if (*ismember) { - vcp->flags |= _VAC_IN_DIR_GROUP; - } else { - vcp->flags &= ~_VAC_IN_DIR_GROUP; - } - } + /* Only validate path for creation if we didn't do a complete lookup */ + if (cnp->cn_ndp->ni_flag & NAMEI_UNFINISHED) { + error = lookup_validate_creation_path(cnp->cn_ndp); + if (error) + return (error); } - return(error); + +#if CONFIG_MACF + error = mac_vnode_check_create(ctx, dvp, cnp, vap); + if (error) + return (error); +#endif /* CONFIG_MACF */ + + return (vnode_authorize(dvp, NULL, KAUTH_VNODE_ADD_FILE, ctx)); } -/* - * Test the posix permissions in (vap) to determine whether (credential) - * may perform (action) - */ -static int -vnode_authorize_posix(vauth_ctx vcp, int action, int on_dir) +int +vn_authorize_rename(struct vnode *fdvp, struct vnode *fvp, struct componentname *fcnp, + struct vnode *tdvp, struct vnode *tvp, struct componentname *tcnp, + vfs_context_t ctx, void *reserved) { - struct vnode_attr *vap; - int needed, error, owner_ok, group_ok, world_ok, ismember; -#ifdef KAUTH_DEBUG_ENABLE - const char *where; -# define _SETWHERE(c) where = c; -#else -# define _SETWHERE(c) -#endif + int error = 0; + int moving = 0; - /* checking file or directory? */ - if (on_dir) { - vap = vcp->dvap; - } else { - vap = vcp->vap; + if (reserved != NULL) { + panic("Passed something other than NULL as reserved field!"); } - - error = 0; - + /* - * We want to do as little work here as possible. So first we check - * which sets of permissions grant us the access we need, and avoid checking - * whether specific permissions grant access when more generic ones would. + * Avoid renaming "." and "..". + * + * XXX No need to check for this in the FS. We should always have the leaves + * in VFS in this case. */ + if (fvp->v_type == VDIR && + ((fdvp == fvp) || + (fcnp->cn_namelen == 1 && fcnp->cn_nameptr[0] == '.') || + ((fcnp->cn_flags | tcnp->cn_flags) & ISDOTDOT)) ) { + error = EINVAL; + goto out; + } - /* owner permissions */ - needed = 0; - if (action & VREAD) - needed |= S_IRUSR; - if (action & VWRITE) - needed |= S_IWUSR; - if (action & VEXEC) - needed |= S_IXUSR; - owner_ok = (needed & vap->va_mode) == needed; - - /* group permissions */ - needed = 0; - if (action & VREAD) - needed |= S_IRGRP; - if (action & VWRITE) - needed |= S_IWGRP; - if (action & VEXEC) - needed |= S_IXGRP; - group_ok = (needed & vap->va_mode) == needed; - - /* world permissions */ - needed = 0; - if (action & VREAD) - needed |= S_IROTH; - if (action & VWRITE) - needed |= S_IWOTH; - if (action & VEXEC) - needed |= S_IXOTH; - world_ok = (needed & vap->va_mode) == needed; + if (tvp == NULLVP && vnode_compound_rename_available(tdvp)) { + error = lookup_validate_creation_path(tcnp->cn_ndp); + if (error) + goto out; + } - /* If granted/denied by all three, we're done */ - if (owner_ok && group_ok && world_ok) { - _SETWHERE("all"); + /***** *****/ +#if CONFIG_MACF + error = mac_vnode_check_rename_from(ctx, fdvp, fvp, fcnp); + if (error) goto out; - } - if (!owner_ok && !group_ok && !world_ok) { - _SETWHERE("all"); - error = EACCES; +#endif + +#if CONFIG_MACF + error = mac_vnode_check_rename_to(ctx, + tdvp, tvp, fdvp == tdvp, tcnp); + if (error) goto out; +#endif + /***** *****/ + + /***** *****/ + if (tvp != NULL) { + if (fvp->v_type == VDIR && tvp->v_type != VDIR) { + error = ENOTDIR; + goto out; + } else if (fvp->v_type != VDIR && tvp->v_type == VDIR) { + error = EISDIR; + goto out; + } } - /* Check ownership (relatively cheap) */ - if ((on_dir && vauth_dir_owner(vcp)) || - (!on_dir && vauth_file_owner(vcp))) { - _SETWHERE("user"); - if (!owner_ok) - error = EACCES; + if (fvp == tdvp) { + error = EINVAL; goto out; } - /* Not owner; if group and world both grant it we're done */ - if (group_ok && world_ok) { - _SETWHERE("group/world"); + /* + * The following edge case is caught here: + * (to cannot be a descendent of from) + * + * o fdvp + * / + * / + * o fvp + * \ + * \ + * o tdvp + * / + * / + * o tvp + */ + if (tdvp->v_parent == fvp) { + error = EINVAL; goto out; } - if (!group_ok && !world_ok) { - _SETWHERE("group/world"); - error = EACCES; - goto out; + /***** *****/ + + /***** *****/ + + error = 0; + if ((tvp != NULL) && vnode_isdir(tvp)) { + if (tvp != fdvp) + moving = 1; + } else if (tdvp != fdvp) { + moving = 1; } - /* Check group membership (most expensive) */ - ismember = 0; - if (on_dir) { - error = vauth_dir_ingroup(vcp, &ismember); + + /* + * must have delete rights to remove the old name even in + * the simple case of fdvp == tdvp. + * + * If fvp is a directory, and we are changing it's parent, + * then we also need rights to rewrite its ".." entry as well. + */ + if (vnode_isdir(fvp)) { + if ((error = vnode_authorize(fvp, fdvp, KAUTH_VNODE_DELETE | KAUTH_VNODE_ADD_SUBDIRECTORY, ctx)) != 0) + goto out; } else { - error = vauth_file_ingroup(vcp, &ismember); + if ((error = vnode_authorize(fvp, fdvp, KAUTH_VNODE_DELETE, ctx)) != 0) + goto out; } - if (error) - goto out; - if (ismember) { - _SETWHERE("group"); - if (!group_ok) - error = EACCES; + if (moving) { + /* moving into tdvp or tvp, must have rights to add */ + if ((error = vnode_authorize(((tvp != NULL) && vnode_isdir(tvp)) ? tvp : tdvp, + NULL, + vnode_isdir(fvp) ? KAUTH_VNODE_ADD_SUBDIRECTORY : KAUTH_VNODE_ADD_FILE, + ctx)) != 0) { + goto out; + } + } else { + /* node staying in same directory, must be allowed to add new name */ + if ((error = vnode_authorize(fdvp, NULL, + vnode_isdir(fvp) ? KAUTH_VNODE_ADD_SUBDIRECTORY : KAUTH_VNODE_ADD_FILE, ctx)) != 0) + goto out; + } + /* overwriting tvp */ + if ((tvp != NULL) && !vnode_isdir(tvp) && + ((error = vnode_authorize(tvp, tdvp, KAUTH_VNODE_DELETE, ctx)) != 0)) { goto out; } - /* Not owner, not in group, use world result */ - _SETWHERE("world"); - if (!world_ok) - error = EACCES; - - /* FALLTHROUGH */ + /***** *****/ + /* XXX more checks? */ out: - KAUTH_DEBUG("%p %s - posix %s permissions : need %s%s%s %x have %s%s%s%s%s%s%s%s%s UID = %d file = %d,%d", - vcp->vp, (error == 0) ? "ALLOWED" : "DENIED", where, - (action & VREAD) ? "r" : "-", - (action & VWRITE) ? "w" : "-", - (action & VEXEC) ? "x" : "-", - needed, - (vap->va_mode & S_IRUSR) ? "r" : "-", - (vap->va_mode & S_IWUSR) ? "w" : "-", - (vap->va_mode & S_IXUSR) ? "x" : "-", - (vap->va_mode & S_IRGRP) ? "r" : "-", - (vap->va_mode & S_IWGRP) ? "w" : "-", - (vap->va_mode & S_IXGRP) ? "x" : "-", - (vap->va_mode & S_IROTH) ? "r" : "-", - (vap->va_mode & S_IWOTH) ? "w" : "-", - (vap->va_mode & S_IXOTH) ? "x" : "-", - kauth_cred_getuid(vcp->ctx->vc_ucred), - on_dir ? vcp->dvap->va_uid : vcp->vap->va_uid, - on_dir ? vcp->dvap->va_gid : vcp->vap->va_gid); - return(error); + return error; } -/* - * Authorize the deletion of the node vp from the directory dvp. - * - * We assume that: - * - Neither the node nor the directory are immutable. - * - The user is not the superuser. - * - * Deletion is not permitted if the directory is sticky and the caller is not owner of the - * node or directory. - * - * If either the node grants DELETE, or the directory grants DELETE_CHILD, the node may be - * deleted. If neither denies the permission, and the caller has Posix write access to the - * directory, then the node may be deleted. - */ -static int -vnode_authorize_delete(vauth_ctx vcp) +int +vn_authorize_mkdir(vnode_t dvp, struct componentname *cnp, struct vnode_attr *vap, vfs_context_t ctx, void *reserved) { - struct vnode_attr *vap = vcp->vap; - struct vnode_attr *dvap = vcp->dvap; - kauth_cred_t cred = vcp->ctx->vc_ucred; - struct kauth_acl_eval eval; - int error, delete_denied, delete_child_denied, ismember; + int error; - /* check the ACL on the directory */ - delete_child_denied = 0; - if (VATTR_IS_NOT(dvap, va_acl, NULL)) { - eval.ae_requested = KAUTH_VNODE_DELETE_CHILD; - eval.ae_acl = &dvap->va_acl->acl_ace[0]; - eval.ae_count = dvap->va_acl->acl_entrycount; - eval.ae_options = 0; - if (vauth_dir_owner(vcp)) - eval.ae_options |= KAUTH_AEVAL_IS_OWNER; - if ((error = vauth_dir_ingroup(vcp, &ismember)) != 0) - return(error); - if (ismember) - eval.ae_options |= KAUTH_AEVAL_IN_GROUP; - eval.ae_exp_gall = KAUTH_VNODE_GENERIC_ALL_BITS; - eval.ae_exp_gread = KAUTH_VNODE_GENERIC_READ_BITS; - eval.ae_exp_gwrite = KAUTH_VNODE_GENERIC_WRITE_BITS; - eval.ae_exp_gexec = KAUTH_VNODE_GENERIC_EXECUTE_BITS; + if (reserved != NULL) { + panic("reserved not NULL in vn_authorize_mkdir()"); + } - error = kauth_acl_evaluate(cred, &eval); + /* XXX A hack for now, to make shadow files work */ + if (cnp->cn_ndp == NULL) { + return 0; + } - if (error != 0) { - KAUTH_DEBUG("%p ERROR during ACL processing - %d", vcp->vp, error); - return(error); - } - if (eval.ae_result == KAUTH_RESULT_DENY) - delete_child_denied = 1; - if (eval.ae_result == KAUTH_RESULT_ALLOW) { - KAUTH_DEBUG("%p ALLOWED - granted by directory ACL", vcp->vp); - return(0); - } + if (vnode_compound_mkdir_available(dvp)) { + error = lookup_validate_creation_path(cnp->cn_ndp); + if (error) + goto out; } - /* check the ACL on the node */ - delete_denied = 0; - if (VATTR_IS_NOT(vap, va_acl, NULL)) { - eval.ae_requested = KAUTH_VNODE_DELETE; - eval.ae_acl = &vap->va_acl->acl_ace[0]; - eval.ae_count = vap->va_acl->acl_entrycount; - eval.ae_options = 0; - if (vauth_file_owner(vcp)) - eval.ae_options |= KAUTH_AEVAL_IS_OWNER; - if ((error = vauth_file_ingroup(vcp, &ismember)) != 0) - return(error); - if (ismember) - eval.ae_options |= KAUTH_AEVAL_IN_GROUP; - eval.ae_exp_gall = KAUTH_VNODE_GENERIC_ALL_BITS; - eval.ae_exp_gread = KAUTH_VNODE_GENERIC_READ_BITS; - eval.ae_exp_gwrite = KAUTH_VNODE_GENERIC_WRITE_BITS; - eval.ae_exp_gexec = KAUTH_VNODE_GENERIC_EXECUTE_BITS; +#if CONFIG_MACF + error = mac_vnode_check_create(ctx, + dvp, cnp, vap); + if (error) + goto out; +#endif - if ((error = kauth_acl_evaluate(cred, &eval)) != 0) { - KAUTH_DEBUG("%p ERROR during ACL processing - %d", vcp->vp, error); - return(error); - } - if (eval.ae_result == KAUTH_RESULT_DENY) - delete_denied = 1; - if (eval.ae_result == KAUTH_RESULT_ALLOW) { - KAUTH_DEBUG("%p ALLOWED - granted by file ACL", vcp->vp); - return(0); - } - } + /* authorize addition of a directory to the parent */ + if ((error = vnode_authorize(dvp, NULL, KAUTH_VNODE_ADD_SUBDIRECTORY, ctx)) != 0) + goto out; + +out: + return error; +} - /* if denied by ACL on directory or node, return denial */ - if (delete_denied || delete_child_denied) { - KAUTH_DEBUG("%p ALLOWED - denied by ACL", vcp->vp); - return(EACCES); - } +int +vn_authorize_rmdir(vnode_t dvp, vnode_t vp, struct componentname *cnp, vfs_context_t ctx, void *reserved) +{ + int error; - /* enforce sticky bit behaviour */ - if ((dvap->va_mode & S_ISTXT) && !vauth_file_owner(vcp) && !vauth_dir_owner(vcp)) { - KAUTH_DEBUG("%p DENIED - sticky bit rules (user %d file %d dir %d)", - vcp->vp, cred->cr_uid, vap->va_uid, dvap->va_uid); - return(EACCES); + if (reserved != NULL) { + panic("Non-NULL reserved argument to vn_authorize_rmdir()"); } - /* check the directory */ - if ((error = vnode_authorize_posix(vcp, VWRITE, 1 /* on_dir */)) != 0) { - KAUTH_DEBUG("%p ALLOWED - granted by posix permisssions", vcp->vp); - return(error); - } + if (vp->v_type != VDIR) { + /* + * rmdir only deals with directories + */ + return ENOTDIR; + } + + if (dvp == vp) { + /* + * No rmdir "." please. + */ + return EINVAL; + } + +#if CONFIG_MACF + error = mac_vnode_check_unlink(ctx, dvp, + vp, cnp); + if (error) + return error; +#endif - /* not denied, must be OK */ - return(0); + return vnode_authorize(vp, dvp, KAUTH_VNODE_DELETE, ctx); } - /* - * Authorize an operation based on the node's attributes. + * Authorize an operation on a vnode. + * + * This is KPI, but here because it needs vnode_scope. + * + * Returns: 0 Success + * kauth_authorize_action:EPERM ... + * xlate => EACCES Permission denied + * kauth_authorize_action:0 Success + * kauth_authorize_action: Depends on callback return; this is + * usually only vnode_authorize_callback(), + * but may include other listerners, if any + * exist. + * EROFS + * EACCES + * EPERM + * ??? */ -static int -vnode_authorize_simple(vauth_ctx vcp, kauth_ace_rights_t acl_rights, kauth_ace_rights_t preauth_rights) +int +vnode_authorize(vnode_t vp, vnode_t dvp, kauth_action_t action, vfs_context_t ctx) { - struct vnode_attr *vap = vcp->vap; - kauth_cred_t cred = vcp->ctx->vc_ucred; - struct kauth_acl_eval eval; - int error, ismember; - mode_t posix_action; - - /* - * If we are the file owner, we automatically have some rights. - * - * Do we need to expand this to support group ownership? - */ - if (vauth_file_owner(vcp)) - acl_rights &= ~(KAUTH_VNODE_WRITE_SECURITY); + int error, result; /* - * If we are checking both TAKE_OWNERSHIP and WRITE_SECURITY, we can - * mask the latter. If TAKE_OWNERSHIP is requested the caller is about to - * change ownership to themselves, and WRITE_SECURITY is implicitly - * granted to the owner. We need to do this because at this point - * WRITE_SECURITY may not be granted as the caller is not currently - * the owner. + * We can't authorize against a dead vnode; allow all operations through so that + * the correct error can be returned. */ - if ((acl_rights & KAUTH_VNODE_TAKE_OWNERSHIP) && - (acl_rights & KAUTH_VNODE_WRITE_SECURITY)) - acl_rights &= ~KAUTH_VNODE_WRITE_SECURITY; - - if (acl_rights == 0) { - KAUTH_DEBUG("%p ALLOWED - implicit or no rights required", vcp->vp); + if (vp->v_type == VBAD) return(0); - } - - /* if we have an ACL, evaluate it */ - if (VATTR_IS_NOT(vap, va_acl, NULL)) { - eval.ae_requested = acl_rights; - eval.ae_acl = &vap->va_acl->acl_ace[0]; - eval.ae_count = vap->va_acl->acl_entrycount; - eval.ae_options = 0; - if (vauth_file_owner(vcp)) - eval.ae_options |= KAUTH_AEVAL_IS_OWNER; - if ((error = vauth_file_ingroup(vcp, &ismember)) != 0) - return(error); - if (ismember) - eval.ae_options |= KAUTH_AEVAL_IN_GROUP; - eval.ae_exp_gall = KAUTH_VNODE_GENERIC_ALL_BITS; - eval.ae_exp_gread = KAUTH_VNODE_GENERIC_READ_BITS; - eval.ae_exp_gwrite = KAUTH_VNODE_GENERIC_WRITE_BITS; - eval.ae_exp_gexec = KAUTH_VNODE_GENERIC_EXECUTE_BITS; - - if ((error = kauth_acl_evaluate(cred, &eval)) != 0) { - KAUTH_DEBUG("%p ERROR during ACL processing - %d", vcp->vp, error); - return(error); - } - - if (eval.ae_result == KAUTH_RESULT_DENY) { - KAUTH_DEBUG("%p DENIED - by ACL", vcp->vp); - return(EACCES); /* deny, deny, counter-allege */ - } - if (eval.ae_result == KAUTH_RESULT_ALLOW) { - KAUTH_DEBUG("%p ALLOWED - all rights granted by ACL", vcp->vp); - return(0); - } - /* fall through and evaluate residual rights */ - } else { - /* no ACL, everything is residual */ - eval.ae_residual = acl_rights; - } + + error = 0; + result = kauth_authorize_action(vnode_scope, vfs_context_ucred(ctx), action, + (uintptr_t)ctx, (uintptr_t)vp, (uintptr_t)dvp, (uintptr_t)&error); + if (result == EPERM) /* traditional behaviour */ + result = EACCES; + /* did the lower layers give a better error return? */ + if ((result != 0) && (error != 0)) + return(error); + return(result); +} - /* - * Grant residual rights that have been pre-authorized. - */ - eval.ae_residual &= ~preauth_rights; +/* + * Test for vnode immutability. + * + * The 'append' flag is set when the authorization request is constrained + * to operations which only request the right to append to a file. + * + * The 'ignore' flag is set when an operation modifying the immutability flags + * is being authorized. We check the system securelevel to determine which + * immutability flags we can ignore. + */ +static int +vnode_immutable(struct vnode_attr *vap, int append, int ignore) +{ + int mask; - /* - * We grant WRITE_ATTRIBUTES to the owner if it hasn't been denied. - */ - if (vauth_file_owner(vcp)) - eval.ae_residual &= ~KAUTH_VNODE_WRITE_ATTRIBUTES; - - if (eval.ae_residual == 0) { - KAUTH_DEBUG("%p ALLOWED - rights already authorized", vcp->vp); - return(0); - } - - /* - * Bail if we have residual rights that can't be granted by posix permissions, - * or aren't presumed granted at this point. - * - * XXX these can be collapsed for performance - */ - if (eval.ae_residual & KAUTH_VNODE_CHANGE_OWNER) { - KAUTH_DEBUG("%p DENIED - CHANGE_OWNER not permitted", vcp->vp); - return(EACCES); - } - if (eval.ae_residual & KAUTH_VNODE_WRITE_SECURITY) { - KAUTH_DEBUG("%p DENIED - WRITE_SECURITY not permitted", vcp->vp); - return(EACCES); - } + /* start with all bits precluding the operation */ + mask = IMMUTABLE | APPEND; -#if DIAGNOSTIC - if (eval.ae_residual & KAUTH_VNODE_DELETE) - panic("vnode_authorize: can't be checking delete permission here"); -#endif + /* if appending only, remove the append-only bits */ + if (append) + mask &= ~APPEND; - /* - * Compute the fallback posix permissions that will satisfy the remaining - * rights. - */ - posix_action = 0; - if (eval.ae_residual & (KAUTH_VNODE_READ_DATA | - KAUTH_VNODE_LIST_DIRECTORY | - KAUTH_VNODE_READ_EXTATTRIBUTES)) - posix_action |= VREAD; - if (eval.ae_residual & (KAUTH_VNODE_WRITE_DATA | - KAUTH_VNODE_ADD_FILE | - KAUTH_VNODE_ADD_SUBDIRECTORY | - KAUTH_VNODE_DELETE_CHILD | - KAUTH_VNODE_WRITE_ATTRIBUTES | - KAUTH_VNODE_WRITE_EXTATTRIBUTES)) - posix_action |= VWRITE; - if (eval.ae_residual & (KAUTH_VNODE_EXECUTE | - KAUTH_VNODE_SEARCH)) - posix_action |= VEXEC; - - if (posix_action != 0) { - return(vnode_authorize_posix(vcp, posix_action, 0 /* !on_dir */)); - } else { - KAUTH_DEBUG("%p ALLOWED - residual rights %s%s%s%s%s%s%s%s%s%s%s%s%s%s granted due to no posix mapping", - vcp->vp, - (eval.ae_residual & KAUTH_VNODE_READ_DATA) - ? vnode_isdir(vcp->vp) ? " LIST_DIRECTORY" : " READ_DATA" : "", - (eval.ae_residual & KAUTH_VNODE_WRITE_DATA) - ? vnode_isdir(vcp->vp) ? " ADD_FILE" : " WRITE_DATA" : "", - (eval.ae_residual & KAUTH_VNODE_EXECUTE) - ? vnode_isdir(vcp->vp) ? " SEARCH" : " EXECUTE" : "", - (eval.ae_residual & KAUTH_VNODE_DELETE) - ? " DELETE" : "", - (eval.ae_residual & KAUTH_VNODE_APPEND_DATA) - ? vnode_isdir(vcp->vp) ? " ADD_SUBDIRECTORY" : " APPEND_DATA" : "", - (eval.ae_residual & KAUTH_VNODE_DELETE_CHILD) - ? " DELETE_CHILD" : "", - (eval.ae_residual & KAUTH_VNODE_READ_ATTRIBUTES) - ? " READ_ATTRIBUTES" : "", - (eval.ae_residual & KAUTH_VNODE_WRITE_ATTRIBUTES) - ? " WRITE_ATTRIBUTES" : "", - (eval.ae_residual & KAUTH_VNODE_READ_EXTATTRIBUTES) - ? " READ_EXTATTRIBUTES" : "", - (eval.ae_residual & KAUTH_VNODE_WRITE_EXTATTRIBUTES) - ? " WRITE_EXTATTRIBUTES" : "", - (eval.ae_residual & KAUTH_VNODE_READ_SECURITY) - ? " READ_SECURITY" : "", - (eval.ae_residual & KAUTH_VNODE_WRITE_SECURITY) - ? " WRITE_SECURITY" : "", - (eval.ae_residual & KAUTH_VNODE_CHECKIMMUTABLE) - ? " CHECKIMMUTABLE" : "", - (eval.ae_residual & KAUTH_VNODE_CHANGE_OWNER) - ? " CHANGE_OWNER" : ""); + /* ignore only set when authorizing flags changes */ + if (ignore) { + if (securelevel <= 0) { + /* in insecure state, flags do not inhibit changes */ + mask = 0; + } else { + /* in secure state, user flags don't inhibit */ + mask &= ~(UF_IMMUTABLE | UF_APPEND); + } } - - /* - * Lack of required Posix permissions implies no reason to deny access. - */ + KAUTH_DEBUG("IMMUTABLE - file flags 0x%x mask 0x%x append = %d ignore = %d", vap->va_flags, mask, append, ignore); + if ((vap->va_flags & mask) != 0) + return(EPERM); return(0); } -/* - * Check for file immutability. - */ static int -vnode_authorize_checkimmutable(vnode_t vp, struct vnode_attr *vap, int rights, int ignore) +vauth_node_owner(struct vnode_attr *vap, kauth_cred_t cred) { - mount_t mp; - int error; - int append; + int result; + + /* default assumption is not-owner */ + result = 0; /* - * Perform immutability checks for operations that change data. - * - * Sockets, fifos and devices require special handling. + * If the filesystem has given us a UID, we treat this as authoritative. */ - switch(vp->v_type) { - case VSOCK: - case VFIFO: - case VBLK: - case VCHR: - /* - * Writing to these nodes does not change the filesystem data, - * so forget that it's being tried. - */ - rights &= ~KAUTH_VNODE_WRITE_DATA; - break; - default: - break; + if (vap && VATTR_IS_SUPPORTED(vap, va_uid)) { + result = (vap->va_uid == kauth_cred_getuid(cred)) ? 1 : 0; } - - error = 0; - if (rights & KAUTH_VNODE_WRITE_RIGHTS) { - - /* check per-filesystem options if possible */ - mp = vnode_mount(vp); - if (mp != NULL) { + /* we could test the owner UUID here if we had a policy for it */ - /* check for no-EA filesystems */ - if ((rights & KAUTH_VNODE_WRITE_EXTATTRIBUTES) && - (vfs_flags(mp) & MNT_NOUSERXATTR)) { - KAUTH_DEBUG("%p DENIED - filesystem disallowed extended attributes", vp); - error = EACCES; /* User attributes disabled */ - goto out; - } - } - - /* check for file immutability */ - append = 0; - if (vp->v_type == VDIR) { - if ((rights & (KAUTH_VNODE_ADD_FILE | KAUTH_VNODE_ADD_SUBDIRECTORY)) == rights) - append = 1; - } else { - if ((rights & KAUTH_VNODE_APPEND_DATA) == rights) - append = 1; - } - if ((error = vnode_immutable(vap, append, ignore)) != 0) { - KAUTH_DEBUG("%p DENIED - file is immutable", vp); - goto out; - } - } -out: - return(error); + return(result); } /* - * Handle authorization actions for filesystems that advertise that the server will - * be enforcing. + * vauth_node_group + * + * Description: Ask if a cred is a member of the group owning the vnode object + * + * Parameters: vap vnode attribute + * vap->va_gid group owner of vnode object + * cred credential to check + * ismember pointer to where to put the answer + * idontknow Return this if we can't get an answer + * + * Returns: 0 Success + * idontknow Can't get information + * kauth_cred_ismember_gid:? Error from kauth subsystem + * kauth_cred_ismember_gid:? Error from kauth subsystem */ static int -vnode_authorize_opaque(vnode_t vp, int *resultp, kauth_action_t action, vfs_context_t ctx) +vauth_node_group(struct vnode_attr *vap, kauth_cred_t cred, int *ismember, int idontknow) { int error; + int result; + + error = 0; + result = 0; /* - * If the vp is a device node, socket or FIFO it actually represents a local - * endpoint, so we need to handle it locally. + * The caller is expected to have asked the filesystem for a group + * at some point prior to calling this function. The answer may + * have been that there is no group ownership supported for the + * vnode object, in which case we return */ - switch(vp->v_type) { - case VBLK: - case VCHR: - case VSOCK: - case VFIFO: - return(0); - default: - break; + if (vap && VATTR_IS_SUPPORTED(vap, va_gid)) { + error = kauth_cred_ismember_gid(cred, vap->va_gid, &result); + /* + * Credentials which are opted into external group membership + * resolution which are not known to the external resolver + * will result in an ENOENT error. We translate this into + * the appropriate 'idontknow' response for our caller. + * + * XXX We do not make a distinction here between an ENOENT + * XXX arising from a response from the external resolver, + * XXX and an ENOENT which is internally generated. This is + * XXX a deficiency of the published kauth_cred_ismember_gid() + * XXX KPI which can not be overcome without new KPI. For + * XXX all currently known cases, however, this wil result + * XXX in correct behaviour. + */ + if (error == ENOENT) + error = idontknow; } - /* - * In the advisory request case, if the filesystem doesn't think it's reliable - * we will attempt to formulate a result ourselves based on VNOP_GETATTR data. + * XXX We could test the group UUID here if we had a policy for it, + * XXX but this is problematic from the perspective of synchronizing + * XXX group UUID and POSIX GID ownership of a file and keeping the + * XXX values coherent over time. The problem is that the local + * XXX system will vend transient group UUIDs for unknown POSIX GID + * XXX values, and these are not persistent, whereas storage of values + * XXX is persistent. One potential solution to this is a local + * XXX (persistent) replica of remote directory entries and vended + * XXX local ids in a local directory server (think in terms of a + * XXX caching DNS server). */ - if ((action & KAUTH_VNODE_ACCESS) && !vfs_authopaqueaccess(vnode_mount(vp))) - return(0); - /* - * Let the filesystem have a say in the matter. It's OK for it to not implemnent - * VNOP_ACCESS, as most will authorise inline with the actual request. - */ - if ((error = VNOP_ACCESS(vp, action, ctx)) != ENOTSUP) { - *resultp = error; - KAUTH_DEBUG("%p DENIED - opaque filesystem VNOP_ACCESS denied access", vp); - return(1); - } - - /* - * Typically opaque filesystems do authorisation in-line, but exec is a special case. In - * order to be reasonably sure that exec will be permitted, we try a bit harder here. - */ - if ((action & KAUTH_VNODE_EXECUTE) && vnode_isreg(vp)) { - /* try a VNOP_OPEN for readonly access */ - if ((error = VNOP_OPEN(vp, FREAD, ctx)) != 0) { - *resultp = error; - KAUTH_DEBUG("%p DENIED - EXECUTE denied because file could not be opened readonly", vp); - return(1); + if (!error) + *ismember = result; + return(error); +} + +static int +vauth_file_owner(vauth_ctx vcp) +{ + int result; + + if (vcp->flags_valid & _VAC_IS_OWNER) { + result = (vcp->flags & _VAC_IS_OWNER) ? 1 : 0; + } else { + result = vauth_node_owner(vcp->vap, vcp->ctx->vc_ucred); + + /* cache our result */ + vcp->flags_valid |= _VAC_IS_OWNER; + if (result) { + vcp->flags |= _VAC_IS_OWNER; + } else { + vcp->flags &= ~_VAC_IS_OWNER; } - VNOP_CLOSE(vp, FREAD, ctx); } + return(result); +} - /* - * We don't have any reason to believe that the request has to be denied at this point, - * so go ahead and allow it. - */ - *resultp = 0; - KAUTH_DEBUG("%p ALLOWED - bypassing access check for non-local filesystem", vp); - return(1); + +/* + * vauth_file_ingroup + * + * Description: Ask if a user is a member of the group owning the directory + * + * Parameters: vcp The vnode authorization context that + * contains the user and directory info + * vcp->flags_valid Valid flags + * vcp->flags Flags values + * vcp->vap File vnode attributes + * vcp->ctx VFS Context (for user) + * ismember pointer to where to put the answer + * idontknow Return this if we can't get an answer + * + * Returns: 0 Success + * vauth_node_group:? Error from vauth_node_group() + * + * Implicit returns: *ismember 0 The user is not a group member + * 1 The user is a group member + */ +static int +vauth_file_ingroup(vauth_ctx vcp, int *ismember, int idontknow) +{ + int error; + + /* Check for a cached answer first, to avoid the check if possible */ + if (vcp->flags_valid & _VAC_IN_GROUP) { + *ismember = (vcp->flags & _VAC_IN_GROUP) ? 1 : 0; + error = 0; + } else { + /* Otherwise, go look for it */ + error = vauth_node_group(vcp->vap, vcp->ctx->vc_ucred, ismember, idontknow); + + if (!error) { + /* cache our result */ + vcp->flags_valid |= _VAC_IN_GROUP; + if (*ismember) { + vcp->flags |= _VAC_IN_GROUP; + } else { + vcp->flags &= ~_VAC_IN_GROUP; + } + } + + } + return(error); } static int -vnode_authorize_callback(__unused kauth_cred_t unused_cred, __unused void *idata, kauth_action_t action, - uintptr_t arg0, uintptr_t arg1, uintptr_t arg2, uintptr_t arg3) +vauth_dir_owner(vauth_ctx vcp) { - struct _vnode_authorize_context auth_context; - vauth_ctx vcp; - vfs_context_t ctx; - vnode_t vp, dvp; - kauth_cred_t cred; - kauth_ace_rights_t rights; - struct vnode_attr va, dva; - int result; - int *errorp; - int noimmutable; + int result; - vcp = &auth_context; - ctx = vcp->ctx = (vfs_context_t)arg0; - vp = vcp->vp = (vnode_t)arg1; - dvp = vcp->dvp = (vnode_t)arg2; - errorp = (int *)arg3; - /* note that we authorize against the context, not the passed cred (the same thing anyway) */ - cred = ctx->vc_ucred; + if (vcp->flags_valid & _VAC_IS_DIR_OWNER) { + result = (vcp->flags & _VAC_IS_DIR_OWNER) ? 1 : 0; + } else { + result = vauth_node_owner(vcp->dvap, vcp->ctx->vc_ucred); - VATTR_INIT(&va); - vcp->vap = &va; - VATTR_INIT(&dva); - vcp->dvap = &dva; + /* cache our result */ + vcp->flags_valid |= _VAC_IS_DIR_OWNER; + if (result) { + vcp->flags |= _VAC_IS_DIR_OWNER; + } else { + vcp->flags &= ~_VAC_IS_DIR_OWNER; + } + } + return(result); +} - vcp->flags = vcp->flags_valid = 0; +/* + * vauth_dir_ingroup + * + * Description: Ask if a user is a member of the group owning the directory + * + * Parameters: vcp The vnode authorization context that + * contains the user and directory info + * vcp->flags_valid Valid flags + * vcp->flags Flags values + * vcp->dvap Dir vnode attributes + * vcp->ctx VFS Context (for user) + * ismember pointer to where to put the answer + * idontknow Return this if we can't get an answer + * + * Returns: 0 Success + * vauth_node_group:? Error from vauth_node_group() + * + * Implicit returns: *ismember 0 The user is not a group member + * 1 The user is a group member + */ +static int +vauth_dir_ingroup(vauth_ctx vcp, int *ismember, int idontknow) +{ + int error; -#if DIAGNOSTIC - if ((ctx == NULL) || (vp == NULL) || (cred == NULL)) - panic("vnode_authorize: bad arguments (context %p vp %p cred %p)", ctx, vp, cred); -#endif + /* Check for a cached answer first, to avoid the check if possible */ + if (vcp->flags_valid & _VAC_IN_DIR_GROUP) { + *ismember = (vcp->flags & _VAC_IN_DIR_GROUP) ? 1 : 0; + error = 0; + } else { + /* Otherwise, go look for it */ + error = vauth_node_group(vcp->dvap, vcp->ctx->vc_ucred, ismember, idontknow); - KAUTH_DEBUG("%p AUTH - %s %s%s%s%s%s%s%s%s%s%s%s%s%s%s%s on %s '%s' (0x%x:%p/%p)", - vp, vfs_context_proc(ctx)->p_comm, - (action & KAUTH_VNODE_ACCESS) ? "access" : "auth", - (action & KAUTH_VNODE_READ_DATA) ? vnode_isdir(vp) ? " LIST_DIRECTORY" : " READ_DATA" : "", - (action & KAUTH_VNODE_WRITE_DATA) ? vnode_isdir(vp) ? " ADD_FILE" : " WRITE_DATA" : "", - (action & KAUTH_VNODE_EXECUTE) ? vnode_isdir(vp) ? " SEARCH" : " EXECUTE" : "", - (action & KAUTH_VNODE_DELETE) ? " DELETE" : "", - (action & KAUTH_VNODE_APPEND_DATA) ? vnode_isdir(vp) ? " ADD_SUBDIRECTORY" : " APPEND_DATA" : "", - (action & KAUTH_VNODE_DELETE_CHILD) ? " DELETE_CHILD" : "", - (action & KAUTH_VNODE_READ_ATTRIBUTES) ? " READ_ATTRIBUTES" : "", - (action & KAUTH_VNODE_WRITE_ATTRIBUTES) ? " WRITE_ATTRIBUTES" : "", - (action & KAUTH_VNODE_READ_EXTATTRIBUTES) ? " READ_EXTATTRIBUTES" : "", - (action & KAUTH_VNODE_WRITE_EXTATTRIBUTES) ? " WRITE_EXTATTRIBUTES" : "", - (action & KAUTH_VNODE_READ_SECURITY) ? " READ_SECURITY" : "", - (action & KAUTH_VNODE_WRITE_SECURITY) ? " WRITE_SECURITY" : "", - (action & KAUTH_VNODE_CHANGE_OWNER) ? " CHANGE_OWNER" : "", - (action & KAUTH_VNODE_NOIMMUTABLE) ? " (noimmutable)" : "", - vnode_isdir(vp) ? "directory" : "file", - vp->v_name ? vp->v_name : "", action, vp, dvp); + if (!error) { + /* cache our result */ + vcp->flags_valid |= _VAC_IN_DIR_GROUP; + if (*ismember) { + vcp->flags |= _VAC_IN_DIR_GROUP; + } else { + vcp->flags &= ~_VAC_IN_DIR_GROUP; + } + } + } + return(error); +} - /* - * Extract the control bits from the action, everything else is - * requested rights. - */ - noimmutable = (action & KAUTH_VNODE_NOIMMUTABLE) ? 1 : 0; - rights = action & ~(KAUTH_VNODE_ACCESS | KAUTH_VNODE_NOIMMUTABLE); - - if (rights & KAUTH_VNODE_DELETE) { -#if DIAGNOSTIC - if (dvp == NULL) - panic("vnode_authorize: KAUTH_VNODE_DELETE test requires a directory"); +/* + * Test the posix permissions in (vap) to determine whether (credential) + * may perform (action) + */ +static int +vnode_authorize_posix(vauth_ctx vcp, int action, int on_dir) +{ + struct vnode_attr *vap; + int needed, error, owner_ok, group_ok, world_ok, ismember; +#ifdef KAUTH_DEBUG_ENABLE + const char *where = "uninitialized"; +# define _SETWHERE(c) where = c; +#else +# define _SETWHERE(c) #endif + + /* checking file or directory? */ + if (on_dir) { + vap = vcp->dvap; } else { - dvp = NULL; + vap = vcp->vap; } + error = 0; + /* - * Check for read-only filesystems. + * We want to do as little work here as possible. So first we check + * which sets of permissions grant us the access we need, and avoid checking + * whether specific permissions grant access when more generic ones would. */ - if ((rights & KAUTH_VNODE_WRITE_RIGHTS) && - (vp->v_mount->mnt_flag & MNT_RDONLY) && - ((vp->v_type == VREG) || (vp->v_type == VDIR) || - (vp->v_type == VLNK) || (vp->v_type == VCPLX) || - (rights & KAUTH_VNODE_DELETE) || (rights & KAUTH_VNODE_DELETE_CHILD))) { - result = EROFS; - goto out; - } - /* - * Check for noexec filesystems. - */ - if ((rights & KAUTH_VNODE_EXECUTE) && vnode_isreg(vp) && (vp->v_mount->mnt_flag & MNT_NOEXEC)) { - result = EACCES; - goto out; - } + /* owner permissions */ + needed = 0; + if (action & VREAD) + needed |= S_IRUSR; + if (action & VWRITE) + needed |= S_IWUSR; + if (action & VEXEC) + needed |= S_IXUSR; + owner_ok = (needed & vap->va_mode) == needed; - /* - * Handle cases related to filesystems with non-local enforcement. - * This call can return 0, in which case we will fall through to perform a - * check based on VNOP_GETATTR data. Otherwise it returns 1 and sets - * an appropriate result, at which point we can return immediately. - */ - if (vfs_authopaque(vp->v_mount) && vnode_authorize_opaque(vp, &result, action, ctx)) - goto out; + /* group permissions */ + needed = 0; + if (action & VREAD) + needed |= S_IRGRP; + if (action & VWRITE) + needed |= S_IWGRP; + if (action & VEXEC) + needed |= S_IXGRP; + group_ok = (needed & vap->va_mode) == needed; - /* - * Get vnode attributes and extended security information for the vnode - * and directory if required. - */ - VATTR_WANTED(&va, va_mode); - VATTR_WANTED(&va, va_uid); - VATTR_WANTED(&va, va_gid); - VATTR_WANTED(&va, va_flags); - VATTR_WANTED(&va, va_acl); - if ((result = vnode_getattr(vp, &va, ctx)) != 0) { - KAUTH_DEBUG("%p ERROR - failed to get vnode attributes - %d", vp, result); + /* world permissions */ + needed = 0; + if (action & VREAD) + needed |= S_IROTH; + if (action & VWRITE) + needed |= S_IWOTH; + if (action & VEXEC) + needed |= S_IXOTH; + world_ok = (needed & vap->va_mode) == needed; + + /* If granted/denied by all three, we're done */ + if (owner_ok && group_ok && world_ok) { + _SETWHERE("all"); goto out; } - if (dvp) { - VATTR_WANTED(&dva, va_mode); - VATTR_WANTED(&dva, va_uid); - VATTR_WANTED(&dva, va_gid); - VATTR_WANTED(&dva, va_flags); - VATTR_WANTED(&dva, va_acl); - if ((result = vnode_getattr(dvp, &dva, ctx)) != 0) { - KAUTH_DEBUG("%p ERROR - failed to get directory vnode attributes - %d", vp, result); - goto out; - } + if (!owner_ok && !group_ok && !world_ok) { + _SETWHERE("all"); + error = EACCES; + goto out; } - /* - * If the vnode is an extended attribute data vnode (eg. a resource fork), *_DATA becomes - * *_EXTATTRIBUTES. - */ - if (S_ISXATTR(va.va_mode)) { - if (rights & KAUTH_VNODE_READ_DATA) { - rights &= ~KAUTH_VNODE_READ_DATA; - rights |= KAUTH_VNODE_READ_EXTATTRIBUTES; - } - if (rights & KAUTH_VNODE_WRITE_DATA) { - rights &= ~KAUTH_VNODE_WRITE_DATA; - rights |= KAUTH_VNODE_WRITE_EXTATTRIBUTES; - } + /* Check ownership (relatively cheap) */ + if ((on_dir && vauth_dir_owner(vcp)) || + (!on_dir && vauth_file_owner(vcp))) { + _SETWHERE("user"); + if (!owner_ok) + error = EACCES; + goto out; } - - /* - * Check for immutability. - * - * In the deletion case, parent directory immutability vetoes specific - * file rights. - */ - if ((result = vnode_authorize_checkimmutable(vp, &va, rights, noimmutable)) != 0) + + /* Not owner; if group and world both grant it we're done */ + if (group_ok && world_ok) { + _SETWHERE("group/world"); goto out; - if ((rights & KAUTH_VNODE_DELETE) && - ((result = vnode_authorize_checkimmutable(dvp, &dva, KAUTH_VNODE_DELETE_CHILD, 0)) != 0)) + } + if (!group_ok && !world_ok) { + _SETWHERE("group/world"); + error = EACCES; goto out; + } - /* - * Clear rights that have been authorized by reaching this point, bail if nothing left to - * check. - */ - rights &= ~(KAUTH_VNODE_LINKTARGET | KAUTH_VNODE_CHECKIMMUTABLE); - if (rights == 0) - goto out; + /* Check group membership (most expensive) */ + ismember = 0; /* Default to allow, if the target has no group owner */ /* - * If we're not the superuser, authorize based on file properties. + * In the case we can't get an answer about the user from the call to + * vauth_dir_ingroup() or vauth_file_ingroup(), we want to fail on + * the side of caution, rather than simply granting access, or we will + * fail to correctly implement exclusion groups, so we set the third + * parameter on the basis of the state of 'group_ok'. */ - if (!vfs_context_issuser(ctx)) { - /* process delete rights */ - if ((rights & KAUTH_VNODE_DELETE) && - ((result = vnode_authorize_delete(vcp)) != 0)) - goto out; - - /* process remaining rights */ - if ((rights & ~KAUTH_VNODE_DELETE) && - ((result = vnode_authorize_simple(vcp, rights, rights & KAUTH_VNODE_DELETE)) != 0)) - goto out; + if (on_dir) { + error = vauth_dir_ingroup(vcp, &ismember, (!group_ok ? EACCES : 0)); } else { - - /* - * Execute is only granted to root if one of the x bits is set. This check only - * makes sense if the posix mode bits are actually supported. - */ - if ((rights & KAUTH_VNODE_EXECUTE) && - (vp->v_type == VREG) && - VATTR_IS_SUPPORTED(&va, va_mode) && - !(va.va_mode & (S_IXUSR | S_IXGRP | S_IXOTH))) { - result = EPERM; - KAUTH_DEBUG("%p DENIED - root execute requires at least one x bit in 0x%x", vp, va.va_mode); - goto out; - } - - KAUTH_DEBUG("%p ALLOWED - caller is superuser", vp); + error = vauth_file_ingroup(vcp, &ismember, (!group_ok ? EACCES : 0)); } - -out: - if (VATTR_IS_SUPPORTED(&va, va_acl) && (va.va_acl != NULL)) - kauth_acl_free(va.va_acl); - if (VATTR_IS_SUPPORTED(&dva, va_acl) && (dva.va_acl != NULL)) - kauth_acl_free(dva.va_acl); - if (result) { - *errorp = result; - KAUTH_DEBUG("%p DENIED - auth denied", vp); - return(KAUTH_RESULT_DENY); + if (error) { + if (!group_ok) + ismember = 1; + error = 0; + } + if (ismember) { + _SETWHERE("group"); + if (!group_ok) + error = EACCES; + goto out; } - /* - * Note that this implies that we will allow requests for no rights, as well as - * for rights that we do not recognise. There should be none of these. - */ - KAUTH_DEBUG("%p ALLOWED - auth granted", vp); - return(KAUTH_RESULT_ALLOW); + /* Not owner, not in group, use world result */ + _SETWHERE("world"); + if (!world_ok) + error = EACCES; + + /* FALLTHROUGH */ + +out: + KAUTH_DEBUG("%p %s - posix %s permissions : need %s%s%s %x have %s%s%s%s%s%s%s%s%s UID = %d file = %d,%d", + vcp->vp, (error == 0) ? "ALLOWED" : "DENIED", where, + (action & VREAD) ? "r" : "-", + (action & VWRITE) ? "w" : "-", + (action & VEXEC) ? "x" : "-", + needed, + (vap->va_mode & S_IRUSR) ? "r" : "-", + (vap->va_mode & S_IWUSR) ? "w" : "-", + (vap->va_mode & S_IXUSR) ? "x" : "-", + (vap->va_mode & S_IRGRP) ? "r" : "-", + (vap->va_mode & S_IWGRP) ? "w" : "-", + (vap->va_mode & S_IXGRP) ? "x" : "-", + (vap->va_mode & S_IROTH) ? "r" : "-", + (vap->va_mode & S_IWOTH) ? "w" : "-", + (vap->va_mode & S_IXOTH) ? "x" : "-", + kauth_cred_getuid(vcp->ctx->vc_ucred), + on_dir ? vcp->dvap->va_uid : vcp->vap->va_uid, + on_dir ? vcp->dvap->va_gid : vcp->vap->va_gid); + return(error); } /* - * Check that the attribute information in vattr can be legally applied to - * a new file by the context. + * Authorize the deletion of the node vp from the directory dvp. + * + * We assume that: + * - Neither the node nor the directory are immutable. + * - The user is not the superuser. + * + * Deletion is not permitted if the directory is sticky and the caller is + * not owner of the node or directory. + * + * If either the node grants DELETE, or the directory grants DELETE_CHILD, + * the node may be deleted. If neither denies the permission, and the + * caller has Posix write access to the directory, then the node may be + * deleted. + * + * As an optimization, we cache whether or not delete child is permitted + * on directories without the sticky bit set. */ int -vnode_authattr_new(vnode_t dvp, struct vnode_attr *vap, int noauth, vfs_context_t ctx) +vnode_authorize_delete(vauth_ctx vcp, boolean_t cached_delete_child); +/*static*/ int +vnode_authorize_delete(vauth_ctx vcp, boolean_t cached_delete_child) { - int error; - int is_suser, ismember, defaulted_owner, defaulted_group, defaulted_mode; - kauth_cred_t cred; - guid_t changer; - mount_t dmp; + struct vnode_attr *vap = vcp->vap; + struct vnode_attr *dvap = vcp->dvap; + kauth_cred_t cred = vcp->ctx->vc_ucred; + struct kauth_acl_eval eval; + int error, delete_denied, delete_child_denied, ismember; - error = 0; - defaulted_owner = defaulted_group = defaulted_mode = 0; + /* check the ACL on the directory */ + delete_child_denied = 0; + if (!cached_delete_child && VATTR_IS_NOT(dvap, va_acl, NULL)) { + eval.ae_requested = KAUTH_VNODE_DELETE_CHILD; + eval.ae_acl = &dvap->va_acl->acl_ace[0]; + eval.ae_count = dvap->va_acl->acl_entrycount; + eval.ae_options = 0; + if (vauth_dir_owner(vcp)) + eval.ae_options |= KAUTH_AEVAL_IS_OWNER; + /* + * We use ENOENT as a marker to indicate we could not get + * information in order to delay evaluation until after we + * have the ACL evaluation answer. Previously, we would + * always deny the operation at this point. + */ + if ((error = vauth_dir_ingroup(vcp, &ismember, ENOENT)) != 0 && error != ENOENT) + return(error); + if (error == ENOENT) + eval.ae_options |= KAUTH_AEVAL_IN_GROUP_UNKNOWN; + else if (ismember) + eval.ae_options |= KAUTH_AEVAL_IN_GROUP; + eval.ae_exp_gall = KAUTH_VNODE_GENERIC_ALL_BITS; + eval.ae_exp_gread = KAUTH_VNODE_GENERIC_READ_BITS; + eval.ae_exp_gwrite = KAUTH_VNODE_GENERIC_WRITE_BITS; + eval.ae_exp_gexec = KAUTH_VNODE_GENERIC_EXECUTE_BITS; - /* - * Require that the filesystem support extended security to apply any. - */ - if (!vfs_extendedsecurity(dvp->v_mount) && - (VATTR_IS_ACTIVE(vap, va_acl) || VATTR_IS_ACTIVE(vap, va_uuuid) || VATTR_IS_ACTIVE(vap, va_guuid))) { - error = EINVAL; - goto out; - } - - /* - * Default some fields. - */ - dmp = dvp->v_mount; + /* + * If there is no entry, we are going to defer to other + * authorization mechanisms. + */ + error = kauth_acl_evaluate(cred, &eval); - /* - * If the filesystem is mounted IGNORE_OWNERSHIP and an explicit owner is set, that - * owner takes ownership of all new files. - */ - if ((dmp->mnt_flag & MNT_IGNORE_OWNERSHIP) && (dmp->mnt_fsowner != KAUTH_UID_NONE)) { - VATTR_SET(vap, va_uid, dmp->mnt_fsowner); - defaulted_owner = 1; - } else { - if (!VATTR_IS_ACTIVE(vap, va_uid)) { - /* default owner is current user */ - VATTR_SET(vap, va_uid, kauth_cred_getuid(vfs_context_ucred(ctx))); - defaulted_owner = 1; + if (error != 0) { + KAUTH_DEBUG("%p ERROR during ACL processing - %d", vcp->vp, error); + return(error); } - } - - /* - * If the filesystem is mounted IGNORE_OWNERSHIP and an explicit grouo is set, that - * group takes ownership of all new files. - */ - if ((dmp->mnt_flag & MNT_IGNORE_OWNERSHIP) && (dmp->mnt_fsgroup != KAUTH_GID_NONE)) { - VATTR_SET(vap, va_gid, dmp->mnt_fsgroup); - defaulted_group = 1; - } else { - if (!VATTR_IS_ACTIVE(vap, va_gid)) { - /* default group comes from parent object, fallback to current user */ - struct vnode_attr dva; - VATTR_INIT(&dva); - VATTR_WANTED(&dva, va_gid); - if ((error = vnode_getattr(dvp, &dva, ctx)) != 0) - goto out; - if (VATTR_IS_SUPPORTED(&dva, va_gid)) { - VATTR_SET(vap, va_gid, dva.va_gid); - } else { - VATTR_SET(vap, va_gid, kauth_cred_getgid(vfs_context_ucred(ctx))); - } - defaulted_group = 1; + switch(eval.ae_result) { + case KAUTH_RESULT_DENY: + delete_child_denied = 1; + break; + /* FALLSTHROUGH */ + case KAUTH_RESULT_ALLOW: + KAUTH_DEBUG("%p ALLOWED - granted by directory ACL", vcp->vp); + return(0); + case KAUTH_RESULT_DEFER: + default: + /* Effectively the same as !delete_child_denied */ + KAUTH_DEBUG("%p DEFERRED - directory ACL", vcp->vp); + break; } } - if (!VATTR_IS_ACTIVE(vap, va_flags)) + /* check the ACL on the node */ + delete_denied = 0; + if (VATTR_IS_NOT(vap, va_acl, NULL)) { + eval.ae_requested = KAUTH_VNODE_DELETE; + eval.ae_acl = &vap->va_acl->acl_ace[0]; + eval.ae_count = vap->va_acl->acl_entrycount; + eval.ae_options = 0; + if (vauth_file_owner(vcp)) + eval.ae_options |= KAUTH_AEVAL_IS_OWNER; + /* + * We use ENOENT as a marker to indicate we could not get + * information in order to delay evaluation until after we + * have the ACL evaluation answer. Previously, we would + * always deny the operation at this point. + */ + if ((error = vauth_file_ingroup(vcp, &ismember, ENOENT)) != 0 && error != ENOENT) + return(error); + if (error == ENOENT) + eval.ae_options |= KAUTH_AEVAL_IN_GROUP_UNKNOWN; + else if (ismember) + eval.ae_options |= KAUTH_AEVAL_IN_GROUP; + eval.ae_exp_gall = KAUTH_VNODE_GENERIC_ALL_BITS; + eval.ae_exp_gread = KAUTH_VNODE_GENERIC_READ_BITS; + eval.ae_exp_gwrite = KAUTH_VNODE_GENERIC_WRITE_BITS; + eval.ae_exp_gexec = KAUTH_VNODE_GENERIC_EXECUTE_BITS; + + if ((error = kauth_acl_evaluate(cred, &eval)) != 0) { + KAUTH_DEBUG("%p ERROR during ACL processing - %d", vcp->vp, error); + return(error); + } + + switch(eval.ae_result) { + case KAUTH_RESULT_DENY: + delete_denied = 1; + break; + case KAUTH_RESULT_ALLOW: + KAUTH_DEBUG("%p ALLOWED - granted by file ACL", vcp->vp); + return(0); + case KAUTH_RESULT_DEFER: + default: + /* Effectively the same as !delete_child_denied */ + KAUTH_DEBUG("%p DEFERRED%s - by file ACL", vcp->vp, delete_denied ? "(DENY)" : ""); + break; + } + } + + /* if denied by ACL on directory or node, return denial */ + if (delete_denied || delete_child_denied) { + KAUTH_DEBUG("%p DENIED - denied by ACL", vcp->vp); + return(EACCES); + } + + /* enforce sticky bit behaviour */ + if ((dvap->va_mode & S_ISTXT) && !vauth_file_owner(vcp) && !vauth_dir_owner(vcp)) { + KAUTH_DEBUG("%p DENIED - sticky bit rules (user %d file %d dir %d)", + vcp->vp, cred->cr_posix.cr_uid, vap->va_uid, dvap->va_uid); + return(EACCES); + } + + /* check the directory */ + if (!cached_delete_child && (error = vnode_authorize_posix(vcp, VWRITE, 1 /* on_dir */)) != 0) { + KAUTH_DEBUG("%p DENIED - denied by posix permisssions", vcp->vp); + return(error); + } + + /* not denied, must be OK */ + return(0); +} + + +/* + * Authorize an operation based on the node's attributes. + */ +static int +vnode_authorize_simple(vauth_ctx vcp, kauth_ace_rights_t acl_rights, kauth_ace_rights_t preauth_rights, boolean_t *found_deny) +{ + struct vnode_attr *vap = vcp->vap; + kauth_cred_t cred = vcp->ctx->vc_ucred; + struct kauth_acl_eval eval; + int error, ismember; + mode_t posix_action; + + /* + * If we are the file owner, we automatically have some rights. + * + * Do we need to expand this to support group ownership? + */ + if (vauth_file_owner(vcp)) + acl_rights &= ~(KAUTH_VNODE_WRITE_SECURITY); + + /* + * If we are checking both TAKE_OWNERSHIP and WRITE_SECURITY, we can + * mask the latter. If TAKE_OWNERSHIP is requested the caller is about to + * change ownership to themselves, and WRITE_SECURITY is implicitly + * granted to the owner. We need to do this because at this point + * WRITE_SECURITY may not be granted as the caller is not currently + * the owner. + */ + if ((acl_rights & KAUTH_VNODE_TAKE_OWNERSHIP) && + (acl_rights & KAUTH_VNODE_WRITE_SECURITY)) + acl_rights &= ~KAUTH_VNODE_WRITE_SECURITY; + + if (acl_rights == 0) { + KAUTH_DEBUG("%p ALLOWED - implicit or no rights required", vcp->vp); + return(0); + } + + /* if we have an ACL, evaluate it */ + if (VATTR_IS_NOT(vap, va_acl, NULL)) { + eval.ae_requested = acl_rights; + eval.ae_acl = &vap->va_acl->acl_ace[0]; + eval.ae_count = vap->va_acl->acl_entrycount; + eval.ae_options = 0; + if (vauth_file_owner(vcp)) + eval.ae_options |= KAUTH_AEVAL_IS_OWNER; + /* + * We use ENOENT as a marker to indicate we could not get + * information in order to delay evaluation until after we + * have the ACL evaluation answer. Previously, we would + * always deny the operation at this point. + */ + if ((error = vauth_file_ingroup(vcp, &ismember, ENOENT)) != 0 && error != ENOENT) + return(error); + if (error == ENOENT) + eval.ae_options |= KAUTH_AEVAL_IN_GROUP_UNKNOWN; + else if (ismember) + eval.ae_options |= KAUTH_AEVAL_IN_GROUP; + eval.ae_exp_gall = KAUTH_VNODE_GENERIC_ALL_BITS; + eval.ae_exp_gread = KAUTH_VNODE_GENERIC_READ_BITS; + eval.ae_exp_gwrite = KAUTH_VNODE_GENERIC_WRITE_BITS; + eval.ae_exp_gexec = KAUTH_VNODE_GENERIC_EXECUTE_BITS; + + if ((error = kauth_acl_evaluate(cred, &eval)) != 0) { + KAUTH_DEBUG("%p ERROR during ACL processing - %d", vcp->vp, error); + return(error); + } + + switch(eval.ae_result) { + case KAUTH_RESULT_DENY: + KAUTH_DEBUG("%p DENIED - by ACL", vcp->vp); + return(EACCES); /* deny, deny, counter-allege */ + case KAUTH_RESULT_ALLOW: + KAUTH_DEBUG("%p ALLOWED - all rights granted by ACL", vcp->vp); + return(0); + case KAUTH_RESULT_DEFER: + default: + /* Effectively the same as !delete_child_denied */ + KAUTH_DEBUG("%p DEFERRED - directory ACL", vcp->vp); + break; + } + + *found_deny = eval.ae_found_deny; + + /* fall through and evaluate residual rights */ + } else { + /* no ACL, everything is residual */ + eval.ae_residual = acl_rights; + } + + /* + * Grant residual rights that have been pre-authorized. + */ + eval.ae_residual &= ~preauth_rights; + + /* + * We grant WRITE_ATTRIBUTES to the owner if it hasn't been denied. + */ + if (vauth_file_owner(vcp)) + eval.ae_residual &= ~KAUTH_VNODE_WRITE_ATTRIBUTES; + + if (eval.ae_residual == 0) { + KAUTH_DEBUG("%p ALLOWED - rights already authorized", vcp->vp); + return(0); + } + + /* + * Bail if we have residual rights that can't be granted by posix permissions, + * or aren't presumed granted at this point. + * + * XXX these can be collapsed for performance + */ + if (eval.ae_residual & KAUTH_VNODE_CHANGE_OWNER) { + KAUTH_DEBUG("%p DENIED - CHANGE_OWNER not permitted", vcp->vp); + return(EACCES); + } + if (eval.ae_residual & KAUTH_VNODE_WRITE_SECURITY) { + KAUTH_DEBUG("%p DENIED - WRITE_SECURITY not permitted", vcp->vp); + return(EACCES); + } + +#if DIAGNOSTIC + if (eval.ae_residual & KAUTH_VNODE_DELETE) + panic("vnode_authorize: can't be checking delete permission here"); +#endif + + /* + * Compute the fallback posix permissions that will satisfy the remaining + * rights. + */ + posix_action = 0; + if (eval.ae_residual & (KAUTH_VNODE_READ_DATA | + KAUTH_VNODE_LIST_DIRECTORY | + KAUTH_VNODE_READ_EXTATTRIBUTES)) + posix_action |= VREAD; + if (eval.ae_residual & (KAUTH_VNODE_WRITE_DATA | + KAUTH_VNODE_ADD_FILE | + KAUTH_VNODE_ADD_SUBDIRECTORY | + KAUTH_VNODE_DELETE_CHILD | + KAUTH_VNODE_WRITE_ATTRIBUTES | + KAUTH_VNODE_WRITE_EXTATTRIBUTES)) + posix_action |= VWRITE; + if (eval.ae_residual & (KAUTH_VNODE_EXECUTE | + KAUTH_VNODE_SEARCH)) + posix_action |= VEXEC; + + if (posix_action != 0) { + return(vnode_authorize_posix(vcp, posix_action, 0 /* !on_dir */)); + } else { + KAUTH_DEBUG("%p ALLOWED - residual rights %s%s%s%s%s%s%s%s%s%s%s%s%s%s granted due to no posix mapping", + vcp->vp, + (eval.ae_residual & KAUTH_VNODE_READ_DATA) + ? vnode_isdir(vcp->vp) ? " LIST_DIRECTORY" : " READ_DATA" : "", + (eval.ae_residual & KAUTH_VNODE_WRITE_DATA) + ? vnode_isdir(vcp->vp) ? " ADD_FILE" : " WRITE_DATA" : "", + (eval.ae_residual & KAUTH_VNODE_EXECUTE) + ? vnode_isdir(vcp->vp) ? " SEARCH" : " EXECUTE" : "", + (eval.ae_residual & KAUTH_VNODE_DELETE) + ? " DELETE" : "", + (eval.ae_residual & KAUTH_VNODE_APPEND_DATA) + ? vnode_isdir(vcp->vp) ? " ADD_SUBDIRECTORY" : " APPEND_DATA" : "", + (eval.ae_residual & KAUTH_VNODE_DELETE_CHILD) + ? " DELETE_CHILD" : "", + (eval.ae_residual & KAUTH_VNODE_READ_ATTRIBUTES) + ? " READ_ATTRIBUTES" : "", + (eval.ae_residual & KAUTH_VNODE_WRITE_ATTRIBUTES) + ? " WRITE_ATTRIBUTES" : "", + (eval.ae_residual & KAUTH_VNODE_READ_EXTATTRIBUTES) + ? " READ_EXTATTRIBUTES" : "", + (eval.ae_residual & KAUTH_VNODE_WRITE_EXTATTRIBUTES) + ? " WRITE_EXTATTRIBUTES" : "", + (eval.ae_residual & KAUTH_VNODE_READ_SECURITY) + ? " READ_SECURITY" : "", + (eval.ae_residual & KAUTH_VNODE_WRITE_SECURITY) + ? " WRITE_SECURITY" : "", + (eval.ae_residual & KAUTH_VNODE_CHECKIMMUTABLE) + ? " CHECKIMMUTABLE" : "", + (eval.ae_residual & KAUTH_VNODE_CHANGE_OWNER) + ? " CHANGE_OWNER" : ""); + } + + /* + * Lack of required Posix permissions implies no reason to deny access. + */ + return(0); +} + +/* + * Check for file immutability. + */ +static int +vnode_authorize_checkimmutable(vnode_t vp, struct vnode_attr *vap, int rights, int ignore) +{ + mount_t mp; + int error; + int append; + + /* + * Perform immutability checks for operations that change data. + * + * Sockets, fifos and devices require special handling. + */ + switch(vp->v_type) { + case VSOCK: + case VFIFO: + case VBLK: + case VCHR: + /* + * Writing to these nodes does not change the filesystem data, + * so forget that it's being tried. + */ + rights &= ~KAUTH_VNODE_WRITE_DATA; + break; + default: + break; + } + + error = 0; + if (rights & KAUTH_VNODE_WRITE_RIGHTS) { + + /* check per-filesystem options if possible */ + mp = vp->v_mount; + if (mp != NULL) { + + /* check for no-EA filesystems */ + if ((rights & KAUTH_VNODE_WRITE_EXTATTRIBUTES) && + (vfs_flags(mp) & MNT_NOUSERXATTR)) { + KAUTH_DEBUG("%p DENIED - filesystem disallowed extended attributes", vp); + error = EACCES; /* User attributes disabled */ + goto out; + } + } + + /* + * check for file immutability. first, check if the requested rights are + * allowable for a UF_APPEND file. + */ + append = 0; + if (vp->v_type == VDIR) { + if ((rights & (KAUTH_VNODE_ADD_FILE | KAUTH_VNODE_ADD_SUBDIRECTORY | KAUTH_VNODE_WRITE_EXTATTRIBUTES)) == rights) + append = 1; + } else { + if ((rights & (KAUTH_VNODE_APPEND_DATA | KAUTH_VNODE_WRITE_EXTATTRIBUTES)) == rights) + append = 1; + } + if ((error = vnode_immutable(vap, append, ignore)) != 0) { + KAUTH_DEBUG("%p DENIED - file is immutable", vp); + goto out; + } + } +out: + return(error); +} + +/* + * Handle authorization actions for filesystems that advertise that the + * server will be enforcing. + * + * Returns: 0 Authorization should be handled locally + * 1 Authorization was handled by the FS + * + * Note: Imputed returns will only occur if the authorization request + * was handled by the FS. + * + * Imputed: *resultp, modified Return code from FS when the request is + * handled by the FS. + * VNOP_ACCESS:??? + * VNOP_OPEN:??? + */ +static int +vnode_authorize_opaque(vnode_t vp, int *resultp, kauth_action_t action, vfs_context_t ctx) +{ + int error; + + /* + * If the vp is a device node, socket or FIFO it actually represents a local + * endpoint, so we need to handle it locally. + */ + switch(vp->v_type) { + case VBLK: + case VCHR: + case VSOCK: + case VFIFO: + return(0); + default: + break; + } + + /* + * In the advisory request case, if the filesystem doesn't think it's reliable + * we will attempt to formulate a result ourselves based on VNOP_GETATTR data. + */ + if ((action & KAUTH_VNODE_ACCESS) && !vfs_authopaqueaccess(vp->v_mount)) + return(0); + + /* + * Let the filesystem have a say in the matter. It's OK for it to not implemnent + * VNOP_ACCESS, as most will authorise inline with the actual request. + */ + if ((error = VNOP_ACCESS(vp, action, ctx)) != ENOTSUP) { + *resultp = error; + KAUTH_DEBUG("%p DENIED - opaque filesystem VNOP_ACCESS denied access", vp); + return(1); + } + + /* + * Typically opaque filesystems do authorisation in-line, but exec is a special case. In + * order to be reasonably sure that exec will be permitted, we try a bit harder here. + */ + if ((action & KAUTH_VNODE_EXECUTE) && (vp->v_type == VREG)) { + /* try a VNOP_OPEN for readonly access */ + if ((error = VNOP_OPEN(vp, FREAD, ctx)) != 0) { + *resultp = error; + KAUTH_DEBUG("%p DENIED - EXECUTE denied because file could not be opened readonly", vp); + return(1); + } + VNOP_CLOSE(vp, FREAD, ctx); + } + + /* + * We don't have any reason to believe that the request has to be denied at this point, + * so go ahead and allow it. + */ + *resultp = 0; + KAUTH_DEBUG("%p ALLOWED - bypassing access check for non-local filesystem", vp); + return(1); +} + + + + +/* + * Returns: KAUTH_RESULT_ALLOW + * KAUTH_RESULT_DENY + * + * Imputed: *arg3, modified Error code in the deny case + * EROFS Read-only file system + * EACCES Permission denied + * EPERM Operation not permitted [no execute] + * vnode_getattr:ENOMEM Not enough space [only if has filesec] + * vnode_getattr:??? + * vnode_authorize_opaque:*arg2 ??? + * vnode_authorize_checkimmutable:??? + * vnode_authorize_delete:??? + * vnode_authorize_simple:??? + */ + + +static int +vnode_authorize_callback(kauth_cred_t cred, void *idata, kauth_action_t action, + uintptr_t arg0, uintptr_t arg1, uintptr_t arg2, uintptr_t arg3) +{ + vfs_context_t ctx; + vnode_t cvp = NULLVP; + vnode_t vp, dvp; + int result = KAUTH_RESULT_DENY; + int parent_iocount = 0; + int parent_action; /* In case we need to use namedstream's data fork for cached rights*/ + + ctx = (vfs_context_t)arg0; + vp = (vnode_t)arg1; + dvp = (vnode_t)arg2; + + /* + * if there are 2 vnodes passed in, we don't know at + * this point which rights to look at based on the + * combined action being passed in... defer until later... + * otherwise check the kauth 'rights' cache hung + * off of the vnode we're interested in... if we've already + * been granted the right we're currently interested in, + * we can just return success... otherwise we'll go through + * the process of authorizing the requested right(s)... if that + * succeeds, we'll add the right(s) to the cache. + * VNOP_SETATTR and VNOP_SETXATTR will invalidate this cache + */ + if (dvp && vp) + goto defer; + if (dvp) { + cvp = dvp; + } else { + /* + * For named streams on local-authorization volumes, rights are cached on the parent; + * authorization is determined by looking at the parent's properties anyway, so storing + * on the parent means that we don't recompute for the named stream and that if + * we need to flush rights (e.g. on VNOP_SETATTR()) we don't need to track down the + * stream to flush its cache separately. If we miss in the cache, then we authorize + * as if there were no cached rights (passing the named stream vnode and desired rights to + * vnode_authorize_callback_int()). + * + * On an opaquely authorized volume, we don't know the relationship between the + * data fork's properties and the rights granted on a stream. Thus, named stream vnodes + * on such a volume are authorized directly (rather than using the parent) and have their + * own caches. When a named stream vnode is created, we mark the parent as having a named + * stream. On a VNOP_SETATTR() for the parent that may invalidate cached authorization, we + * find the stream and flush its cache. + */ + if (vnode_isnamedstream(vp) && (!vfs_authopaque(vp->v_mount))) { + cvp = vnode_getparent(vp); + if (cvp != NULLVP) { + parent_iocount = 1; + } else { + cvp = NULL; + goto defer; /* If we can't use the parent, take the slow path */ + } + + /* Have to translate some actions */ + parent_action = action; + if (parent_action & KAUTH_VNODE_READ_DATA) { + parent_action &= ~KAUTH_VNODE_READ_DATA; + parent_action |= KAUTH_VNODE_READ_EXTATTRIBUTES; + } + if (parent_action & KAUTH_VNODE_WRITE_DATA) { + parent_action &= ~KAUTH_VNODE_WRITE_DATA; + parent_action |= KAUTH_VNODE_WRITE_EXTATTRIBUTES; + } + + } else { + cvp = vp; + } + } + + if (vnode_cache_is_authorized(cvp, ctx, parent_iocount ? parent_action : action) == TRUE) { + result = KAUTH_RESULT_ALLOW; + goto out; + } +defer: + result = vnode_authorize_callback_int(cred, idata, action, arg0, arg1, arg2, arg3); + + if (result == KAUTH_RESULT_ALLOW && cvp != NULLVP) { + KAUTH_DEBUG("%p - caching action = %x", cvp, action); + vnode_cache_authorized_action(cvp, ctx, action); + } + +out: + if (parent_iocount) { + vnode_put(cvp); + } + + return result; +} + + +static int +vnode_authorize_callback_int(__unused kauth_cred_t unused_cred, __unused void *idata, kauth_action_t action, + uintptr_t arg0, uintptr_t arg1, uintptr_t arg2, uintptr_t arg3) +{ + struct _vnode_authorize_context auth_context; + vauth_ctx vcp; + vfs_context_t ctx; + vnode_t vp, dvp; + kauth_cred_t cred; + kauth_ace_rights_t rights; + struct vnode_attr va, dva; + int result; + int *errorp; + int noimmutable; + boolean_t parent_authorized_for_delete_child = FALSE; + boolean_t found_deny = FALSE; + boolean_t parent_ref= FALSE; + + vcp = &auth_context; + ctx = vcp->ctx = (vfs_context_t)arg0; + vp = vcp->vp = (vnode_t)arg1; + dvp = vcp->dvp = (vnode_t)arg2; + errorp = (int *)arg3; + /* + * Note that we authorize against the context, not the passed cred + * (the same thing anyway) + */ + cred = ctx->vc_ucred; + + VATTR_INIT(&va); + vcp->vap = &va; + VATTR_INIT(&dva); + vcp->dvap = &dva; + + vcp->flags = vcp->flags_valid = 0; + +#if DIAGNOSTIC + if ((ctx == NULL) || (vp == NULL) || (cred == NULL)) + panic("vnode_authorize: bad arguments (context %p vp %p cred %p)", ctx, vp, cred); +#endif + + KAUTH_DEBUG("%p AUTH - %s %s%s%s%s%s%s%s%s%s%s%s%s%s%s%s on %s '%s' (0x%x:%p/%p)", + vp, vfs_context_proc(ctx)->p_comm, + (action & KAUTH_VNODE_ACCESS) ? "access" : "auth", + (action & KAUTH_VNODE_READ_DATA) ? vnode_isdir(vp) ? " LIST_DIRECTORY" : " READ_DATA" : "", + (action & KAUTH_VNODE_WRITE_DATA) ? vnode_isdir(vp) ? " ADD_FILE" : " WRITE_DATA" : "", + (action & KAUTH_VNODE_EXECUTE) ? vnode_isdir(vp) ? " SEARCH" : " EXECUTE" : "", + (action & KAUTH_VNODE_DELETE) ? " DELETE" : "", + (action & KAUTH_VNODE_APPEND_DATA) ? vnode_isdir(vp) ? " ADD_SUBDIRECTORY" : " APPEND_DATA" : "", + (action & KAUTH_VNODE_DELETE_CHILD) ? " DELETE_CHILD" : "", + (action & KAUTH_VNODE_READ_ATTRIBUTES) ? " READ_ATTRIBUTES" : "", + (action & KAUTH_VNODE_WRITE_ATTRIBUTES) ? " WRITE_ATTRIBUTES" : "", + (action & KAUTH_VNODE_READ_EXTATTRIBUTES) ? " READ_EXTATTRIBUTES" : "", + (action & KAUTH_VNODE_WRITE_EXTATTRIBUTES) ? " WRITE_EXTATTRIBUTES" : "", + (action & KAUTH_VNODE_READ_SECURITY) ? " READ_SECURITY" : "", + (action & KAUTH_VNODE_WRITE_SECURITY) ? " WRITE_SECURITY" : "", + (action & KAUTH_VNODE_CHANGE_OWNER) ? " CHANGE_OWNER" : "", + (action & KAUTH_VNODE_NOIMMUTABLE) ? " (noimmutable)" : "", + vnode_isdir(vp) ? "directory" : "file", + vp->v_name ? vp->v_name : "", action, vp, dvp); + + /* + * Extract the control bits from the action, everything else is + * requested rights. + */ + noimmutable = (action & KAUTH_VNODE_NOIMMUTABLE) ? 1 : 0; + rights = action & ~(KAUTH_VNODE_ACCESS | KAUTH_VNODE_NOIMMUTABLE); + + if (rights & KAUTH_VNODE_DELETE) { +#if DIAGNOSTIC + if (dvp == NULL) + panic("vnode_authorize: KAUTH_VNODE_DELETE test requires a directory"); +#endif + /* + * check to see if we've already authorized the parent + * directory for deletion of its children... if so, we + * can skip a whole bunch of work... we will still have to + * authorize that this specific child can be removed + */ + if (vnode_cache_is_authorized(dvp, ctx, KAUTH_VNODE_DELETE_CHILD) == TRUE) + parent_authorized_for_delete_child = TRUE; + } else { + dvp = NULL; + } + + /* + * Check for read-only filesystems. + */ + if ((rights & KAUTH_VNODE_WRITE_RIGHTS) && + (vp->v_mount->mnt_flag & MNT_RDONLY) && + ((vp->v_type == VREG) || (vp->v_type == VDIR) || + (vp->v_type == VLNK) || (vp->v_type == VCPLX) || + (rights & KAUTH_VNODE_DELETE) || (rights & KAUTH_VNODE_DELETE_CHILD))) { + result = EROFS; + goto out; + } + + /* + * Check for noexec filesystems. + */ + if ((rights & KAUTH_VNODE_EXECUTE) && (vp->v_type == VREG) && (vp->v_mount->mnt_flag & MNT_NOEXEC)) { + result = EACCES; + goto out; + } + + /* + * Handle cases related to filesystems with non-local enforcement. + * This call can return 0, in which case we will fall through to perform a + * check based on VNOP_GETATTR data. Otherwise it returns 1 and sets + * an appropriate result, at which point we can return immediately. + */ + if ((vp->v_mount->mnt_kern_flag & MNTK_AUTH_OPAQUE) && vnode_authorize_opaque(vp, &result, action, ctx)) + goto out; + + /* + * Get vnode attributes and extended security information for the vnode + * and directory if required. + */ + VATTR_WANTED(&va, va_mode); + VATTR_WANTED(&va, va_uid); + VATTR_WANTED(&va, va_gid); + VATTR_WANTED(&va, va_flags); + VATTR_WANTED(&va, va_acl); + if ((result = vnode_getattr(vp, &va, ctx)) != 0) { + KAUTH_DEBUG("%p ERROR - failed to get vnode attributes - %d", vp, result); + goto out; + } + if (dvp) { + VATTR_WANTED(&dva, va_mode); + VATTR_WANTED(&dva, va_uid); + VATTR_WANTED(&dva, va_gid); + VATTR_WANTED(&dva, va_flags); + VATTR_WANTED(&dva, va_acl); + if ((result = vnode_getattr(dvp, &dva, ctx)) != 0) { + KAUTH_DEBUG("%p ERROR - failed to get directory vnode attributes - %d", vp, result); + goto out; + } + } + + /* + * If the vnode is an extended attribute data vnode (eg. a resource fork), *_DATA becomes + * *_EXTATTRIBUTES. + */ + if (vnode_isnamedstream(vp)) { + if (rights & KAUTH_VNODE_READ_DATA) { + rights &= ~KAUTH_VNODE_READ_DATA; + rights |= KAUTH_VNODE_READ_EXTATTRIBUTES; + } + if (rights & KAUTH_VNODE_WRITE_DATA) { + rights &= ~KAUTH_VNODE_WRITE_DATA; + rights |= KAUTH_VNODE_WRITE_EXTATTRIBUTES; + } + } + + /* + * Point 'vp' to the resource fork's parent for ACL checking + */ + if (vnode_isnamedstream(vp) && + (vp->v_parent != NULL) && + (vget_internal(vp->v_parent, 0, VNODE_NODEAD | VNODE_DRAINO) == 0)) { + parent_ref = TRUE; + vcp->vp = vp = vp->v_parent; + if (VATTR_IS_SUPPORTED(&va, va_acl) && (va.va_acl != NULL)) + kauth_acl_free(va.va_acl); + VATTR_INIT(&va); + VATTR_WANTED(&va, va_mode); + VATTR_WANTED(&va, va_uid); + VATTR_WANTED(&va, va_gid); + VATTR_WANTED(&va, va_flags); + VATTR_WANTED(&va, va_acl); + if ((result = vnode_getattr(vp, &va, ctx)) != 0) + goto out; + } + + /* + * Check for immutability. + * + * In the deletion case, parent directory immutability vetoes specific + * file rights. + */ + if ((result = vnode_authorize_checkimmutable(vp, &va, rights, noimmutable)) != 0) + goto out; + if ((rights & KAUTH_VNODE_DELETE) && + parent_authorized_for_delete_child == FALSE && + ((result = vnode_authorize_checkimmutable(dvp, &dva, KAUTH_VNODE_DELETE_CHILD, 0)) != 0)) + goto out; + + /* + * Clear rights that have been authorized by reaching this point, bail if nothing left to + * check. + */ + rights &= ~(KAUTH_VNODE_LINKTARGET | KAUTH_VNODE_CHECKIMMUTABLE); + if (rights == 0) + goto out; + + /* + * If we're not the superuser, authorize based on file properties; + * note that even if parent_authorized_for_delete_child is TRUE, we + * need to check on the node itself. + */ + if (!vfs_context_issuser(ctx)) { + /* process delete rights */ + if ((rights & KAUTH_VNODE_DELETE) && + ((result = vnode_authorize_delete(vcp, parent_authorized_for_delete_child)) != 0)) + goto out; + + /* process remaining rights */ + if ((rights & ~KAUTH_VNODE_DELETE) && + (result = vnode_authorize_simple(vcp, rights, rights & KAUTH_VNODE_DELETE, &found_deny)) != 0) + goto out; + } else { + + /* + * Execute is only granted to root if one of the x bits is set. This check only + * makes sense if the posix mode bits are actually supported. + */ + if ((rights & KAUTH_VNODE_EXECUTE) && + (vp->v_type == VREG) && + VATTR_IS_SUPPORTED(&va, va_mode) && + !(va.va_mode & (S_IXUSR | S_IXGRP | S_IXOTH))) { + result = EPERM; + KAUTH_DEBUG("%p DENIED - root execute requires at least one x bit in 0x%x", vp, va.va_mode); + goto out; + } + + KAUTH_DEBUG("%p ALLOWED - caller is superuser", vp); + } +out: + if (VATTR_IS_SUPPORTED(&va, va_acl) && (va.va_acl != NULL)) + kauth_acl_free(va.va_acl); + if (VATTR_IS_SUPPORTED(&dva, va_acl) && (dva.va_acl != NULL)) + kauth_acl_free(dva.va_acl); + + if (result) { + if (parent_ref) + vnode_put(vp); + *errorp = result; + KAUTH_DEBUG("%p DENIED - auth denied", vp); + return(KAUTH_RESULT_DENY); + } + if ((rights & KAUTH_VNODE_SEARCH) && found_deny == FALSE && vp->v_type == VDIR) { + /* + * if we were successfully granted the right to search this directory + * and there were NO ACL DENYs for search and the posix permissions also don't + * deny execute, we can synthesize a global right that allows anyone to + * traverse this directory during a pathname lookup without having to + * match the credential associated with this cache of rights. + */ + if (!VATTR_IS_SUPPORTED(&va, va_mode) || + ((va.va_mode & (S_IXUSR | S_IXGRP | S_IXOTH)) == + (S_IXUSR | S_IXGRP | S_IXOTH))) { + vnode_cache_authorized_action(vp, ctx, KAUTH_VNODE_SEARCHBYANYONE); + } + } + if ((rights & KAUTH_VNODE_DELETE) && parent_authorized_for_delete_child == FALSE) { + /* + * parent was successfully and newly authorized for content deletions + * add it to the cache, but only if it doesn't have the sticky + * bit set on it. This same check is done earlier guarding + * fetching of dva, and if we jumped to out without having done + * this, we will have returned already because of a non-zero + * 'result' value. + */ + if (VATTR_IS_SUPPORTED(&dva, va_mode) && + !(dva.va_mode & (S_ISVTX))) { + /* OK to cache delete rights */ + KAUTH_DEBUG("%p - caching DELETE_CHILD rights", dvp); + vnode_cache_authorized_action(dvp, ctx, KAUTH_VNODE_DELETE_CHILD); + } + } + if (parent_ref) + vnode_put(vp); + /* + * Note that this implies that we will allow requests for no rights, as well as + * for rights that we do not recognise. There should be none of these. + */ + KAUTH_DEBUG("%p ALLOWED - auth granted", vp); + return(KAUTH_RESULT_ALLOW); +} + +int +vnode_authattr_new(vnode_t dvp, struct vnode_attr *vap, int noauth, vfs_context_t ctx) +{ + return vnode_authattr_new_internal(dvp, vap, noauth, NULL, ctx); +} + +/* + * Check that the attribute information in vattr can be legally applied to + * a new file by the context. + */ +static int +vnode_authattr_new_internal(vnode_t dvp, struct vnode_attr *vap, int noauth, uint32_t *defaulted_fieldsp, vfs_context_t ctx) +{ + int error; + int has_priv_suser, ismember, defaulted_owner, defaulted_group, defaulted_mode; + kauth_cred_t cred; + guid_t changer; + mount_t dmp; + + error = 0; + + if (defaulted_fieldsp) { + *defaulted_fieldsp = 0; + } + + defaulted_owner = defaulted_group = defaulted_mode = 0; + + /* + * Require that the filesystem support extended security to apply any. + */ + if (!vfs_extendedsecurity(dvp->v_mount) && + (VATTR_IS_ACTIVE(vap, va_acl) || VATTR_IS_ACTIVE(vap, va_uuuid) || VATTR_IS_ACTIVE(vap, va_guuid))) { + error = EINVAL; + goto out; + } + + /* + * Default some fields. + */ + dmp = dvp->v_mount; + + /* + * If the filesystem is mounted IGNORE_OWNERSHIP and an explicit owner is set, that + * owner takes ownership of all new files. + */ + if ((dmp->mnt_flag & MNT_IGNORE_OWNERSHIP) && (dmp->mnt_fsowner != KAUTH_UID_NONE)) { + VATTR_SET(vap, va_uid, dmp->mnt_fsowner); + defaulted_owner = 1; + } else { + if (!VATTR_IS_ACTIVE(vap, va_uid)) { + /* default owner is current user */ + VATTR_SET(vap, va_uid, kauth_cred_getuid(vfs_context_ucred(ctx))); + defaulted_owner = 1; + } + } + + /* + * If the filesystem is mounted IGNORE_OWNERSHIP and an explicit grouo is set, that + * group takes ownership of all new files. + */ + if ((dmp->mnt_flag & MNT_IGNORE_OWNERSHIP) && (dmp->mnt_fsgroup != KAUTH_GID_NONE)) { + VATTR_SET(vap, va_gid, dmp->mnt_fsgroup); + defaulted_group = 1; + } else { + if (!VATTR_IS_ACTIVE(vap, va_gid)) { + /* default group comes from parent object, fallback to current user */ + struct vnode_attr dva; + VATTR_INIT(&dva); + VATTR_WANTED(&dva, va_gid); + if ((error = vnode_getattr(dvp, &dva, ctx)) != 0) + goto out; + if (VATTR_IS_SUPPORTED(&dva, va_gid)) { + VATTR_SET(vap, va_gid, dva.va_gid); + } else { + VATTR_SET(vap, va_gid, kauth_cred_getgid(vfs_context_ucred(ctx))); + } + defaulted_group = 1; + } + } + + if (!VATTR_IS_ACTIVE(vap, va_flags)) VATTR_SET(vap, va_flags, 0); - /* default mode is everything, masked with current umask */ - if (!VATTR_IS_ACTIVE(vap, va_mode)) { - VATTR_SET(vap, va_mode, ACCESSPERMS & ~vfs_context_proc(ctx)->p_fd->fd_cmask); - KAUTH_DEBUG("ATTR - defaulting new file mode to %o from umask %o", vap->va_mode, vfs_context_proc(ctx)->p_fd->fd_cmask); - defaulted_mode = 1; + /* default mode is everything, masked with current umask */ + if (!VATTR_IS_ACTIVE(vap, va_mode)) { + VATTR_SET(vap, va_mode, ACCESSPERMS & ~vfs_context_proc(ctx)->p_fd->fd_cmask); + KAUTH_DEBUG("ATTR - defaulting new file mode to %o from umask %o", vap->va_mode, vfs_context_proc(ctx)->p_fd->fd_cmask); + defaulted_mode = 1; + } + /* set timestamps to now */ + if (!VATTR_IS_ACTIVE(vap, va_create_time)) { + nanotime(&vap->va_create_time); + VATTR_SET_ACTIVE(vap, va_create_time); + } + + /* + * Check for attempts to set nonsensical fields. + */ + if (vap->va_active & ~VNODE_ATTR_NEWOBJ) { + error = EINVAL; + KAUTH_DEBUG("ATTR - ERROR - attempt to set unsupported new-file attributes %llx", + vap->va_active & ~VNODE_ATTR_NEWOBJ); + goto out; + } + + /* + * Quickly check for the applicability of any enforcement here. + * Tests below maintain the integrity of the local security model. + */ + if (vfs_authopaque(dvp->v_mount)) + goto out; + + /* + * We need to know if the caller is the superuser, or if the work is + * otherwise already authorised. + */ + cred = vfs_context_ucred(ctx); + if (noauth) { + /* doing work for the kernel */ + has_priv_suser = 1; + } else { + has_priv_suser = vfs_context_issuser(ctx); + } + + + if (VATTR_IS_ACTIVE(vap, va_flags)) { + if (has_priv_suser) { + if ((vap->va_flags & (UF_SETTABLE | SF_SETTABLE)) != vap->va_flags) { + error = EPERM; + KAUTH_DEBUG(" DENIED - superuser attempt to set illegal flag(s)"); + goto out; + } + } else { + if ((vap->va_flags & UF_SETTABLE) != vap->va_flags) { + error = EPERM; + KAUTH_DEBUG(" DENIED - user attempt to set illegal flag(s)"); + goto out; + } + } + } + + /* if not superuser, validate legality of new-item attributes */ + if (!has_priv_suser) { + if (!defaulted_mode && VATTR_IS_ACTIVE(vap, va_mode)) { + /* setgid? */ + if (vap->va_mode & S_ISGID) { + if ((error = kauth_cred_ismember_gid(cred, vap->va_gid, &ismember)) != 0) { + KAUTH_DEBUG("ATTR - ERROR: got %d checking for membership in %d", error, vap->va_gid); + goto out; + } + if (!ismember) { + KAUTH_DEBUG(" DENIED - can't set SGID bit, not a member of %d", vap->va_gid); + error = EPERM; + goto out; + } + } + + /* setuid? */ + if ((vap->va_mode & S_ISUID) && (vap->va_uid != kauth_cred_getuid(cred))) { + KAUTH_DEBUG("ATTR - ERROR: illegal attempt to set the setuid bit"); + error = EPERM; + goto out; + } + } + if (!defaulted_owner && (vap->va_uid != kauth_cred_getuid(cred))) { + KAUTH_DEBUG(" DENIED - cannot create new item owned by %d", vap->va_uid); + error = EPERM; + goto out; + } + if (!defaulted_group) { + if ((error = kauth_cred_ismember_gid(cred, vap->va_gid, &ismember)) != 0) { + KAUTH_DEBUG(" ERROR - got %d checking for membership in %d", error, vap->va_gid); + goto out; + } + if (!ismember) { + KAUTH_DEBUG(" DENIED - cannot create new item with group %d - not a member", vap->va_gid); + error = EPERM; + goto out; + } + } + + /* initialising owner/group UUID */ + if (VATTR_IS_ACTIVE(vap, va_uuuid)) { + if ((error = kauth_cred_getguid(cred, &changer)) != 0) { + KAUTH_DEBUG(" ERROR - got %d trying to get caller UUID", error); + /* XXX ENOENT here - no GUID - should perhaps become EPERM */ + goto out; + } + if (!kauth_guid_equal(&vap->va_uuuid, &changer)) { + KAUTH_DEBUG(" ERROR - cannot create item with supplied owner UUID - not us"); + error = EPERM; + goto out; + } + } + if (VATTR_IS_ACTIVE(vap, va_guuid)) { + if ((error = kauth_cred_ismember_guid(cred, &vap->va_guuid, &ismember)) != 0) { + KAUTH_DEBUG(" ERROR - got %d trying to check group membership", error); + goto out; + } + if (!ismember) { + KAUTH_DEBUG(" ERROR - cannot create item with supplied group UUID - not a member"); + error = EPERM; + goto out; + } + } + } +out: + if (defaulted_fieldsp) { + if (defaulted_mode) { + *defaulted_fieldsp |= VATTR_PREPARE_DEFAULTED_MODE; + } + if (defaulted_group) { + *defaulted_fieldsp |= VATTR_PREPARE_DEFAULTED_GID; + } + if (defaulted_owner) { + *defaulted_fieldsp |= VATTR_PREPARE_DEFAULTED_UID; + } + } + return(error); +} + +/* + * Check that the attribute information in vap can be legally written by the + * context. + * + * Call this when you're not sure about the vnode_attr; either its contents + * have come from an unknown source, or when they are variable. + * + * Returns errno, or zero and sets *actionp to the KAUTH_VNODE_* actions that + * must be authorized to be permitted to write the vattr. + */ +int +vnode_authattr(vnode_t vp, struct vnode_attr *vap, kauth_action_t *actionp, vfs_context_t ctx) +{ + struct vnode_attr ova; + kauth_action_t required_action; + int error, has_priv_suser, ismember, chowner, chgroup, clear_suid, clear_sgid; + guid_t changer; + gid_t group; + uid_t owner; + mode_t newmode; + kauth_cred_t cred; + uint32_t fdelta; + + VATTR_INIT(&ova); + required_action = 0; + error = 0; + + /* + * Quickly check for enforcement applicability. + */ + if (vfs_authopaque(vp->v_mount)) + goto out; + + /* + * Check for attempts to set nonsensical fields. + */ + if (vap->va_active & VNODE_ATTR_RDONLY) { + KAUTH_DEBUG("ATTR - ERROR: attempt to set readonly attribute(s)"); + error = EINVAL; + goto out; + } + + /* + * We need to know if the caller is the superuser. + */ + cred = vfs_context_ucred(ctx); + has_priv_suser = kauth_cred_issuser(cred); + + /* + * If any of the following are changing, we need information from the old file: + * va_uid + * va_gid + * va_mode + * va_uuuid + * va_guuid + */ + if (VATTR_IS_ACTIVE(vap, va_uid) || + VATTR_IS_ACTIVE(vap, va_gid) || + VATTR_IS_ACTIVE(vap, va_mode) || + VATTR_IS_ACTIVE(vap, va_uuuid) || + VATTR_IS_ACTIVE(vap, va_guuid)) { + VATTR_WANTED(&ova, va_mode); + VATTR_WANTED(&ova, va_uid); + VATTR_WANTED(&ova, va_gid); + VATTR_WANTED(&ova, va_uuuid); + VATTR_WANTED(&ova, va_guuid); + KAUTH_DEBUG("ATTR - security information changing, fetching existing attributes"); + } + + /* + * If timestamps are being changed, we need to know who the file is owned + * by. + */ + if (VATTR_IS_ACTIVE(vap, va_create_time) || + VATTR_IS_ACTIVE(vap, va_change_time) || + VATTR_IS_ACTIVE(vap, va_modify_time) || + VATTR_IS_ACTIVE(vap, va_access_time) || + VATTR_IS_ACTIVE(vap, va_backup_time)) { + + VATTR_WANTED(&ova, va_uid); +#if 0 /* enable this when we support UUIDs as official owners */ + VATTR_WANTED(&ova, va_uuuid); +#endif + KAUTH_DEBUG("ATTR - timestamps changing, fetching uid and GUID"); + } + + /* + * If flags are being changed, we need the old flags. + */ + if (VATTR_IS_ACTIVE(vap, va_flags)) { + KAUTH_DEBUG("ATTR - flags changing, fetching old flags"); + VATTR_WANTED(&ova, va_flags); + } + + /* + * If ACLs are being changed, we need the old ACLs. + */ + if (VATTR_IS_ACTIVE(vap, va_acl)) { + KAUTH_DEBUG("ATTR - acl changing, fetching old flags"); + VATTR_WANTED(&ova, va_acl); + } + + /* + * If the size is being set, make sure it's not a directory. + */ + if (VATTR_IS_ACTIVE(vap, va_data_size)) { + /* size is meaningless on a directory, don't permit this */ + if (vnode_isdir(vp)) { + KAUTH_DEBUG("ATTR - ERROR: size change requested on a directory"); + error = EISDIR; + goto out; + } + } + + /* + * Get old data. + */ + KAUTH_DEBUG("ATTR - fetching old attributes %016llx", ova.va_active); + if ((error = vnode_getattr(vp, &ova, ctx)) != 0) { + KAUTH_DEBUG(" ERROR - got %d trying to get attributes", error); + goto out; + } + + /* + * Size changes require write access to the file data. + */ + if (VATTR_IS_ACTIVE(vap, va_data_size)) { + /* if we can't get the size, or it's different, we need write access */ + KAUTH_DEBUG("ATTR - size change, requiring WRITE_DATA"); + required_action |= KAUTH_VNODE_WRITE_DATA; + } + + /* + * Changing timestamps? + * + * Note that we are only called to authorize user-requested time changes; + * side-effect time changes are not authorized. Authorisation is only + * required for existing files. + * + * Non-owners are not permitted to change the time on an existing + * file to anything other than the current time. + */ + if (VATTR_IS_ACTIVE(vap, va_create_time) || + VATTR_IS_ACTIVE(vap, va_change_time) || + VATTR_IS_ACTIVE(vap, va_modify_time) || + VATTR_IS_ACTIVE(vap, va_access_time) || + VATTR_IS_ACTIVE(vap, va_backup_time)) { + /* + * The owner and root may set any timestamps they like, + * provided that the file is not immutable. The owner still needs + * WRITE_ATTRIBUTES (implied by ownership but still deniable). + */ + if (has_priv_suser || vauth_node_owner(&ova, cred)) { + KAUTH_DEBUG("ATTR - root or owner changing timestamps"); + required_action |= KAUTH_VNODE_CHECKIMMUTABLE | KAUTH_VNODE_WRITE_ATTRIBUTES; + } else { + /* just setting the current time? */ + if (vap->va_vaflags & VA_UTIMES_NULL) { + KAUTH_DEBUG("ATTR - non-root/owner changing timestamps, requiring WRITE_ATTRIBUTES"); + required_action |= KAUTH_VNODE_WRITE_ATTRIBUTES; + } else { + KAUTH_DEBUG("ATTR - ERROR: illegal timestamp modification attempted"); + error = EACCES; + goto out; + } + } + } + + /* + * Changing file mode? + */ + if (VATTR_IS_ACTIVE(vap, va_mode) && VATTR_IS_SUPPORTED(&ova, va_mode) && (ova.va_mode != vap->va_mode)) { + KAUTH_DEBUG("ATTR - mode change from %06o to %06o", ova.va_mode, vap->va_mode); + + /* + * Mode changes always have the same basic auth requirements. + */ + if (has_priv_suser) { + KAUTH_DEBUG("ATTR - superuser mode change, requiring immutability check"); + required_action |= KAUTH_VNODE_CHECKIMMUTABLE; + } else { + /* need WRITE_SECURITY */ + KAUTH_DEBUG("ATTR - non-superuser mode change, requiring WRITE_SECURITY"); + required_action |= KAUTH_VNODE_WRITE_SECURITY; + } + + /* + * Can't set the setgid bit if you're not in the group and not root. Have to have + * existing group information in the case we're not setting it right now. + */ + if (vap->va_mode & S_ISGID) { + required_action |= KAUTH_VNODE_CHECKIMMUTABLE; /* always required */ + if (!has_priv_suser) { + if (VATTR_IS_ACTIVE(vap, va_gid)) { + group = vap->va_gid; + } else if (VATTR_IS_SUPPORTED(&ova, va_gid)) { + group = ova.va_gid; + } else { + KAUTH_DEBUG("ATTR - ERROR: setgid but no gid available"); + error = EINVAL; + goto out; + } + /* + * This might be too restrictive; WRITE_SECURITY might be implied by + * membership in this case, rather than being an additional requirement. + */ + if ((error = kauth_cred_ismember_gid(cred, group, &ismember)) != 0) { + KAUTH_DEBUG("ATTR - ERROR: got %d checking for membership in %d", error, vap->va_gid); + goto out; + } + if (!ismember) { + KAUTH_DEBUG(" DENIED - can't set SGID bit, not a member of %d", group); + error = EPERM; + goto out; + } + } + } + + /* + * Can't set the setuid bit unless you're root or the file's owner. + */ + if (vap->va_mode & S_ISUID) { + required_action |= KAUTH_VNODE_CHECKIMMUTABLE; /* always required */ + if (!has_priv_suser) { + if (VATTR_IS_ACTIVE(vap, va_uid)) { + owner = vap->va_uid; + } else if (VATTR_IS_SUPPORTED(&ova, va_uid)) { + owner = ova.va_uid; + } else { + KAUTH_DEBUG("ATTR - ERROR: setuid but no uid available"); + error = EINVAL; + goto out; + } + if (owner != kauth_cred_getuid(cred)) { + /* + * We could allow this if WRITE_SECURITY is permitted, perhaps. + */ + KAUTH_DEBUG("ATTR - ERROR: illegal attempt to set the setuid bit"); + error = EPERM; + goto out; + } + } + } + } + + /* + * Validate/mask flags changes. This checks that only the flags in + * the UF_SETTABLE mask are being set, and preserves the flags in + * the SF_SETTABLE case. + * + * Since flags changes may be made in conjunction with other changes, + * we will ask the auth code to ignore immutability in the case that + * the SF_* flags are not set and we are only manipulating the file flags. + * + */ + if (VATTR_IS_ACTIVE(vap, va_flags)) { + /* compute changing flags bits */ + if (VATTR_IS_SUPPORTED(&ova, va_flags)) { + fdelta = vap->va_flags ^ ova.va_flags; + } else { + fdelta = vap->va_flags; + } + + if (fdelta != 0) { + KAUTH_DEBUG("ATTR - flags changing, requiring WRITE_SECURITY"); + required_action |= KAUTH_VNODE_WRITE_SECURITY; + + /* check that changing bits are legal */ + if (has_priv_suser) { + /* + * The immutability check will prevent us from clearing the SF_* + * flags unless the system securelevel permits it, so just check + * for legal flags here. + */ + if (fdelta & ~(UF_SETTABLE | SF_SETTABLE)) { + error = EPERM; + KAUTH_DEBUG(" DENIED - superuser attempt to set illegal flag(s)"); + goto out; + } + } else { + if (fdelta & ~UF_SETTABLE) { + error = EPERM; + KAUTH_DEBUG(" DENIED - user attempt to set illegal flag(s)"); + goto out; + } + } + /* + * If the caller has the ability to manipulate file flags, + * security is not reduced by ignoring them for this operation. + * + * A more complete test here would consider the 'after' states of the flags + * to determine whether it would permit the operation, but this becomes + * very complex. + * + * Ignoring immutability is conditional on securelevel; this does not bypass + * the SF_* flags if securelevel > 0. + */ + required_action |= KAUTH_VNODE_NOIMMUTABLE; + } + } + + /* + * Validate ownership information. + */ + chowner = 0; + chgroup = 0; + clear_suid = 0; + clear_sgid = 0; + + /* + * uid changing + * Note that if the filesystem didn't give us a UID, we expect that it doesn't + * support them in general, and will ignore it if/when we try to set it. + * We might want to clear the uid out of vap completely here. + */ + if (VATTR_IS_ACTIVE(vap, va_uid)) { + if (VATTR_IS_SUPPORTED(&ova, va_uid) && (vap->va_uid != ova.va_uid)) { + if (!has_priv_suser && (kauth_cred_getuid(cred) != vap->va_uid)) { + KAUTH_DEBUG(" DENIED - non-superuser cannot change ownershipt to a third party"); + error = EPERM; + goto out; + } + chowner = 1; + } + clear_suid = 1; + } + + /* + * gid changing + * Note that if the filesystem didn't give us a GID, we expect that it doesn't + * support them in general, and will ignore it if/when we try to set it. + * We might want to clear the gid out of vap completely here. + */ + if (VATTR_IS_ACTIVE(vap, va_gid)) { + if (VATTR_IS_SUPPORTED(&ova, va_gid) && (vap->va_gid != ova.va_gid)) { + if (!has_priv_suser) { + if ((error = kauth_cred_ismember_gid(cred, vap->va_gid, &ismember)) != 0) { + KAUTH_DEBUG(" ERROR - got %d checking for membership in %d", error, vap->va_gid); + goto out; + } + if (!ismember) { + KAUTH_DEBUG(" DENIED - group change from %d to %d but not a member of target group", + ova.va_gid, vap->va_gid); + error = EPERM; + goto out; + } + } + chgroup = 1; } - /* set timestamps to now */ - if (!VATTR_IS_ACTIVE(vap, va_create_time)) { - nanotime(&vap->va_create_time); - VATTR_SET_ACTIVE(vap, va_create_time); + clear_sgid = 1; + } + + /* + * Owner UUID being set or changed. + */ + if (VATTR_IS_ACTIVE(vap, va_uuuid)) { + /* if the owner UUID is not actually changing ... */ + if (VATTR_IS_SUPPORTED(&ova, va_uuuid)) { + if (kauth_guid_equal(&vap->va_uuuid, &ova.va_uuuid)) + goto no_uuuid_change; + + /* + * If the current owner UUID is a null GUID, check + * it against the UUID corresponding to the owner UID. + */ + if (kauth_guid_equal(&ova.va_uuuid, &kauth_null_guid) && + VATTR_IS_SUPPORTED(&ova, va_uid)) { + guid_t uid_guid; + + if (kauth_cred_uid2guid(ova.va_uid, &uid_guid) == 0 && + kauth_guid_equal(&vap->va_uuuid, &uid_guid)) + goto no_uuuid_change; + } + } + + /* + * The owner UUID cannot be set by a non-superuser to anything other than + * their own or a null GUID (to "unset" the owner UUID). + * Note that file systems must be prepared to handle the + * null UUID case in a manner appropriate for that file + * system. + */ + if (!has_priv_suser) { + if ((error = kauth_cred_getguid(cred, &changer)) != 0) { + KAUTH_DEBUG(" ERROR - got %d trying to get caller UUID", error); + /* XXX ENOENT here - no UUID - should perhaps become EPERM */ + goto out; + } + if (!kauth_guid_equal(&vap->va_uuuid, &changer) && + !kauth_guid_equal(&vap->va_uuuid, &kauth_null_guid)) { + KAUTH_DEBUG(" ERROR - cannot set supplied owner UUID - not us / null"); + error = EPERM; + goto out; + } + } + chowner = 1; + clear_suid = 1; + } +no_uuuid_change: + /* + * Group UUID being set or changed. + */ + if (VATTR_IS_ACTIVE(vap, va_guuid)) { + /* if the group UUID is not actually changing ... */ + if (VATTR_IS_SUPPORTED(&ova, va_guuid)) { + if (kauth_guid_equal(&vap->va_guuid, &ova.va_guuid)) + goto no_guuid_change; + + /* + * If the current group UUID is a null UUID, check + * it against the UUID corresponding to the group GID. + */ + if (kauth_guid_equal(&ova.va_guuid, &kauth_null_guid) && + VATTR_IS_SUPPORTED(&ova, va_gid)) { + guid_t gid_guid; + + if (kauth_cred_gid2guid(ova.va_gid, &gid_guid) == 0 && + kauth_guid_equal(&vap->va_guuid, &gid_guid)) + goto no_guuid_change; + } + } + + /* + * The group UUID cannot be set by a non-superuser to anything other than + * one of which they are a member or a null GUID (to "unset" + * the group UUID). + * Note that file systems must be prepared to handle the + * null UUID case in a manner appropriate for that file + * system. + */ + if (!has_priv_suser) { + if (kauth_guid_equal(&vap->va_guuid, &kauth_null_guid)) + ismember = 1; + else if ((error = kauth_cred_ismember_guid(cred, &vap->va_guuid, &ismember)) != 0) { + KAUTH_DEBUG(" ERROR - got %d trying to check group membership", error); + goto out; + } + if (!ismember) { + KAUTH_DEBUG(" ERROR - cannot set supplied group UUID - not a member / null"); + error = EPERM; + goto out; + } + } + chgroup = 1; + } +no_guuid_change: + + /* + * Compute authorisation for group/ownership changes. + */ + if (chowner || chgroup || clear_suid || clear_sgid) { + if (has_priv_suser) { + KAUTH_DEBUG("ATTR - superuser changing file owner/group, requiring immutability check"); + required_action |= KAUTH_VNODE_CHECKIMMUTABLE; + } else { + if (chowner) { + KAUTH_DEBUG("ATTR - ownership change, requiring TAKE_OWNERSHIP"); + required_action |= KAUTH_VNODE_TAKE_OWNERSHIP; + } + if (chgroup && !chowner) { + KAUTH_DEBUG("ATTR - group change, requiring WRITE_SECURITY"); + required_action |= KAUTH_VNODE_WRITE_SECURITY; + } + + /* clear set-uid and set-gid bits as required by Posix */ + if (VATTR_IS_ACTIVE(vap, va_mode)) { + newmode = vap->va_mode; + } else if (VATTR_IS_SUPPORTED(&ova, va_mode)) { + newmode = ova.va_mode; + } else { + KAUTH_DEBUG("CHOWN - trying to change owner but cannot get mode from filesystem to mask setugid bits"); + newmode = 0; + } + if (newmode & (S_ISUID | S_ISGID)) { + VATTR_SET(vap, va_mode, newmode & ~(S_ISUID | S_ISGID)); + KAUTH_DEBUG("CHOWN - masking setugid bits from mode %o to %o", newmode, vap->va_mode); + } + } + } + + /* + * Authorise changes in the ACL. + */ + if (VATTR_IS_ACTIVE(vap, va_acl)) { + + /* no existing ACL */ + if (!VATTR_IS_ACTIVE(&ova, va_acl) || (ova.va_acl == NULL)) { + + /* adding an ACL */ + if (vap->va_acl != NULL) { + required_action |= KAUTH_VNODE_WRITE_SECURITY; + KAUTH_DEBUG("CHMOD - adding ACL"); + } + + /* removing an existing ACL */ + } else if (vap->va_acl == NULL) { + required_action |= KAUTH_VNODE_WRITE_SECURITY; + KAUTH_DEBUG("CHMOD - removing ACL"); + + /* updating an existing ACL */ + } else { + if (vap->va_acl->acl_entrycount != ova.va_acl->acl_entrycount) { + /* entry count changed, must be different */ + required_action |= KAUTH_VNODE_WRITE_SECURITY; + KAUTH_DEBUG("CHMOD - adding/removing ACL entries"); + } else if (vap->va_acl->acl_entrycount > 0) { + /* both ACLs have the same ACE count, said count is 1 or more, bitwise compare ACLs */ + if (memcmp(&vap->va_acl->acl_ace[0], &ova.va_acl->acl_ace[0], + sizeof(struct kauth_ace) * vap->va_acl->acl_entrycount)) { + required_action |= KAUTH_VNODE_WRITE_SECURITY; + KAUTH_DEBUG("CHMOD - changing ACL entries"); + } + } + } } + + /* + * Other attributes that require authorisation. + */ + if (VATTR_IS_ACTIVE(vap, va_encoding)) + required_action |= KAUTH_VNODE_WRITE_ATTRIBUTES; +out: + if (VATTR_IS_SUPPORTED(&ova, va_acl) && (ova.va_acl != NULL)) + kauth_acl_free(ova.va_acl); + if (error == 0) + *actionp = required_action; + return(error); +} + +static int +setlocklocal_callback(struct vnode *vp, __unused void *cargs) +{ + vnode_lock_spin(vp); + vp->v_flag |= VLOCKLOCAL; + vnode_unlock(vp); + + return (VNODE_RETURNED); +} + +void +vfs_setlocklocal(mount_t mp) +{ + mount_lock_spin(mp); + mp->mnt_kern_flag |= MNTK_LOCK_LOCAL; + mount_unlock(mp); + /* - * Check for attempts to set nonsensical fields. + * The number of active vnodes is expected to be + * very small when vfs_setlocklocal is invoked. */ - if (vap->va_active & ~VNODE_ATTR_NEWOBJ) { - error = EINVAL; - KAUTH_DEBUG("ATTR - ERROR - attempt to set unsupported new-file attributes %llx", - vap->va_active & ~VNODE_ATTR_NEWOBJ); - goto out; + vnode_iterate(mp, 0, setlocklocal_callback, NULL); +} + +void +vfs_setunmountpreflight(mount_t mp) +{ + mount_lock_spin(mp); + mp->mnt_kern_flag |= MNTK_UNMOUNT_PREFLIGHT; + mount_unlock(mp); +} + +void +vfs_setcompoundopen(mount_t mp) +{ + mount_lock_spin(mp); + mp->mnt_compound_ops |= COMPOUND_VNOP_OPEN; + mount_unlock(mp); +} + +void +vn_setunionwait(vnode_t vp) +{ + vnode_lock_spin(vp); + vp->v_flag |= VISUNION; + vnode_unlock(vp); +} + + +void +vn_checkunionwait(vnode_t vp) +{ + vnode_lock_spin(vp); + while ((vp->v_flag & VISUNION) == VISUNION) + msleep((caddr_t)&vp->v_flag, &vp->v_lock, 0, 0, 0); + vnode_unlock(vp); +} + +void +vn_clearunionwait(vnode_t vp, int locked) +{ + if (!locked) + vnode_lock_spin(vp); + if((vp->v_flag & VISUNION) == VISUNION) { + vp->v_flag &= ~VISUNION; + wakeup((caddr_t)&vp->v_flag); } + if (!locked) + vnode_unlock(vp); +} + +/* + * XXX - get "don't trigger mounts" flag for thread; used by autofs. + */ +extern int thread_notrigger(void); + +int +thread_notrigger(void) +{ + struct uthread *uth = (struct uthread *)get_bsdthread_info(current_thread()); + return (uth->uu_notrigger); +} + +/* + * Removes orphaned apple double files during a rmdir + * Works by: + * 1. vnode_suspend(). + * 2. Call VNOP_READDIR() till the end of directory is reached. + * 3. Check if the directory entries returned are regular files with name starting with "._". If not, return ENOTEMPTY. + * 4. Continue (2) and (3) till end of directory is reached. + * 5. If all the entries in the directory were files with "._" name, delete all the files. + * 6. vnode_resume() + * 7. If deletion of all files succeeded, call VNOP_RMDIR() again. + */ + +errno_t rmdir_remove_orphaned_appleDouble(vnode_t vp , vfs_context_t ctx, int * restart_flag) +{ + +#define UIO_BUFF_SIZE 2048 + uio_t auio = NULL; + int eofflag, siz = UIO_BUFF_SIZE, nentries = 0; + int open_flag = 0, full_erase_flag = 0; + char uio_buf[ UIO_SIZEOF(1) ]; + char *rbuf = NULL, *cpos, *cend; + struct nameidata nd_temp; + struct dirent *dp; + errno_t error; + + error = vnode_suspend(vp); /* - * Quickly check for the applicability of any enforcement here. - * Tests below maintain the integrity of the local security model. + * restart_flag is set so that the calling rmdir sleeps and resets */ - if (vfs_authopaque(vnode_mount(dvp))) - goto out; + if (error == EBUSY) + *restart_flag = 1; + if (error != 0) + goto outsc; /* - * We need to know if the caller is the superuser, or if the work is - * otherwise already authorised. + * set up UIO */ - cred = vfs_context_ucred(ctx); - if (noauth) { - /* doing work for the kernel */ - is_suser = 1; - } else { - is_suser = vfs_context_issuser(ctx); + MALLOC(rbuf, caddr_t, siz, M_TEMP, M_WAITOK); + if (rbuf) + auio = uio_createwithbuffer(1, 0, UIO_SYSSPACE, UIO_READ, + &uio_buf[0], sizeof(uio_buf)); + if (!rbuf || !auio) { + error = ENOMEM; + goto outsc; } + uio_setoffset(auio,0); - if (VATTR_IS_ACTIVE(vap, va_flags)) { - if (is_suser) { - if ((vap->va_flags & (UF_SETTABLE | SF_SETTABLE)) != vap->va_flags) { - error = EPERM; - KAUTH_DEBUG(" DENIED - superuser attempt to set illegal flag(s)"); - goto out; + eofflag = 0; + + if ((error = VNOP_OPEN(vp, FREAD, ctx))) + goto outsc; + else + open_flag = 1; + + /* + * First pass checks if all files are appleDouble files. + */ + + do { + siz = UIO_BUFF_SIZE; + uio_reset(auio, uio_offset(auio), UIO_SYSSPACE, UIO_READ); + uio_addiov(auio, CAST_USER_ADDR_T(rbuf), UIO_BUFF_SIZE); + + if((error = VNOP_READDIR(vp, auio, 0, &eofflag, &nentries, ctx))) + goto outsc; + + if (uio_resid(auio) != 0) + siz -= uio_resid(auio); + + /* + * Iterate through directory + */ + cpos = rbuf; + cend = rbuf + siz; + dp = (struct dirent*) cpos; + + if (cpos == cend) + eofflag = 1; + + while ((cpos < cend)) { + /* + * Check for . and .. as well as directories + */ + if (dp->d_ino != 0 && + !((dp->d_namlen == 1 && dp->d_name[0] == '.') || + (dp->d_namlen == 2 && dp->d_name[0] == '.' && dp->d_name[1] == '.'))) { + /* + * Check for irregular files and ._ files + * If there is a ._._ file abort the op + */ + if ( dp->d_namlen < 2 || + strncmp(dp->d_name,"._",2) || + (dp->d_namlen >= 4 && !strncmp(&(dp->d_name[2]), "._",2))) { + error = ENOTEMPTY; + goto outsc; + } } - } else { - if ((vap->va_flags & UF_SETTABLE) != vap->va_flags) { - error = EPERM; - KAUTH_DEBUG(" DENIED - user attempt to set illegal flag(s)"); - goto out; + cpos += dp->d_reclen; + dp = (struct dirent*)cpos; + } + + /* + * workaround for HFS/NFS setting eofflag before end of file + */ + if (vp->v_tag == VT_HFS && nentries > 2) + eofflag=0; + + if (vp->v_tag == VT_NFS) { + if (eofflag && !full_erase_flag) { + full_erase_flag = 1; + eofflag = 0; + uio_reset(auio, 0, UIO_SYSSPACE, UIO_READ); } + else if (!eofflag && full_erase_flag) + full_erase_flag = 0; } - } - /* if not superuser, validate legality of new-item attributes */ - if (!is_suser) { - if (!defaulted_mode && VATTR_IS_ACTIVE(vap, va_mode)) { - /* setgid? */ - if (vap->va_mode & S_ISGID) { - if ((error = kauth_cred_ismember_gid(cred, vap->va_gid, &ismember)) != 0) { - KAUTH_DEBUG("ATTR - ERROR: got %d checking for membership in %d", error, vap->va_gid); - goto out; - } - if (!ismember) { - KAUTH_DEBUG(" DENIED - can't set SGID bit, not a member of %d", vap->va_gid); - error = EPERM; - goto out; + } while (!eofflag); + /* + * If we've made it here all the files in the dir are ._ files. + * We can delete the files even though the node is suspended + * because we are the owner of the file. + */ + + uio_reset(auio, 0, UIO_SYSSPACE, UIO_READ); + eofflag = 0; + full_erase_flag = 0; + + do { + siz = UIO_BUFF_SIZE; + uio_reset(auio, uio_offset(auio), UIO_SYSSPACE, UIO_READ); + uio_addiov(auio, CAST_USER_ADDR_T(rbuf), UIO_BUFF_SIZE); + + error = VNOP_READDIR(vp, auio, 0, &eofflag, &nentries, ctx); + + if (error != 0) + goto outsc; + + if (uio_resid(auio) != 0) + siz -= uio_resid(auio); + + /* + * Iterate through directory + */ + cpos = rbuf; + cend = rbuf + siz; + dp = (struct dirent*) cpos; + + if (cpos == cend) + eofflag = 1; + + while ((cpos < cend)) { + /* + * Check for . and .. as well as directories + */ + if (dp->d_ino != 0 && + !((dp->d_namlen == 1 && dp->d_name[0] == '.') || + (dp->d_namlen == 2 && dp->d_name[0] == '.' && dp->d_name[1] == '.')) + ) { + + NDINIT(&nd_temp, DELETE, OP_UNLINK, USEDVP, + UIO_SYSSPACE, CAST_USER_ADDR_T(dp->d_name), + ctx); + nd_temp.ni_dvp = vp; + error = unlink1(ctx, &nd_temp, 0); + + if (error && error != ENOENT) { + goto outsc; } - } - /* setuid? */ - if ((vap->va_mode & S_ISUID) && (vap->va_uid != kauth_cred_getuid(cred))) { - KAUTH_DEBUG("ATTR - ERROR: illegal attempt to set the setuid bit"); - error = EPERM; - goto out; } + cpos += dp->d_reclen; + dp = (struct dirent*)cpos; } - if (!defaulted_owner && (vap->va_uid != kauth_cred_getuid(cred))) { - KAUTH_DEBUG(" DENIED - cannot create new item owned by %d", vap->va_uid); - error = EPERM; - goto out; - } - if (!defaulted_group) { - if ((error = kauth_cred_ismember_gid(cred, vap->va_gid, &ismember)) != 0) { - KAUTH_DEBUG(" ERROR - got %d checking for membership in %d", error, vap->va_gid); - goto out; - } - if (!ismember) { - KAUTH_DEBUG(" DENIED - cannot create new item with group %d - not a member", vap->va_gid); - error = EPERM; - goto out; + + /* + * workaround for HFS/NFS setting eofflag before end of file + */ + if (vp->v_tag == VT_HFS && nentries > 2) + eofflag=0; + + if (vp->v_tag == VT_NFS) { + if (eofflag && !full_erase_flag) { + full_erase_flag = 1; + eofflag = 0; + uio_reset(auio, 0, UIO_SYSSPACE, UIO_READ); } + else if (!eofflag && full_erase_flag) + full_erase_flag = 0; } - /* initialising owner/group UUID */ - if (VATTR_IS_ACTIVE(vap, va_uuuid)) { - if ((error = kauth_cred_getguid(cred, &changer)) != 0) { - KAUTH_DEBUG(" ERROR - got %d trying to get caller UUID", error); - /* XXX ENOENT here - no GUID - should perhaps become EPERM */ - goto out; - } - if (!kauth_guid_equal(&vap->va_uuuid, &changer)) { - KAUTH_DEBUG(" ERROR - cannot create item with supplied owner UUID - not us"); - error = EPERM; - goto out; - } - } - if (VATTR_IS_ACTIVE(vap, va_guuid)) { - if ((error = kauth_cred_ismember_guid(cred, &vap->va_guuid, &ismember)) != 0) { - KAUTH_DEBUG(" ERROR - got %d trying to check group membership", error); - goto out; - } - if (!ismember) { - KAUTH_DEBUG(" ERROR - cannot create item with supplied group UUID - not a member"); - error = EPERM; - goto out; - } + } while (!eofflag); + + + error = 0; + +outsc: + if (open_flag) + VNOP_CLOSE(vp, FREAD, ctx); + + uio_free(auio); + FREE(rbuf, M_TEMP); + + vnode_resume(vp); + + + return(error); + +} + + +void +lock_vnode_and_post(vnode_t vp, int kevent_num) +{ + /* Only take the lock if there's something there! */ + if (vp->v_knotes.slh_first != NULL) { + vnode_lock(vp); + KNOTE(&vp->v_knotes, kevent_num); + vnode_unlock(vp); + } +} + +#ifdef JOE_DEBUG +static void record_vp(vnode_t vp, int count) { + struct uthread *ut; + +#if CONFIG_TRIGGERS + if (vp->v_resolve) + return; +#endif + if ((vp->v_flag & VSYSTEM)) + return; + + ut = get_bsdthread_info(current_thread()); + ut->uu_iocount += count; + + if (count == 1) { + if (ut->uu_vpindex < 32) { + OSBacktrace((void **)&ut->uu_pcs[ut->uu_vpindex][0], 10); + + ut->uu_vps[ut->uu_vpindex] = vp; + ut->uu_vpindex++; } } -out: - return(error); } +#endif + + +#if CONFIG_TRIGGERS + +#define TRIG_DEBUG 0 + +#if TRIG_DEBUG +#define TRIG_LOG(...) do { printf("%s: ", __FUNCTION__); printf(__VA_ARGS__); } while (0) +#else +#define TRIG_LOG(...) +#endif /* - * Check that the attribute information in vap can be legally written by the context. - * - * Call this when you're not sure about the vnode_attr; either its contents have come - * from an unknown source, or when they are variable. - * - * Returns errno, or zero and sets *actionp to the KAUTH_VNODE_* actions that - * must be authorized to be permitted to write the vattr. + * Resolver result functions */ + +resolver_result_t +vfs_resolver_result(uint32_t seq, enum resolver_status stat, int aux) +{ + /* + * |<--- 32 --->|<--- 28 --->|<- 4 ->| + * sequence auxiliary status + */ + return (((uint64_t)seq) << 32) | + (((uint64_t)(aux & 0x0fffffff)) << 4) | + (uint64_t)(stat & 0x0000000F); +} + +enum resolver_status +vfs_resolver_status(resolver_result_t result) +{ + /* lower 4 bits is status */ + return (result & 0x0000000F); +} + +uint32_t +vfs_resolver_sequence(resolver_result_t result) +{ + /* upper 32 bits is sequence */ + return (uint32_t)(result >> 32); +} + int -vnode_authattr(vnode_t vp, struct vnode_attr *vap, kauth_action_t *actionp, vfs_context_t ctx) +vfs_resolver_auxiliary(resolver_result_t result) { - struct vnode_attr ova; - kauth_action_t required_action; - int error, is_suser, ismember, chowner, chgroup; - guid_t changer; - gid_t group; - uid_t owner; - mode_t newmode; - kauth_cred_t cred; - uint32_t fdelta; + /* 28 bits of auxiliary */ + return (int)(((uint32_t)(result & 0xFFFFFFF0)) >> 4); +} - VATTR_INIT(&ova); - required_action = 0; - error = 0; +/* + * SPI + * Call in for resolvers to update vnode trigger state + */ +int +vnode_trigger_update(vnode_t vp, resolver_result_t result) +{ + vnode_resolve_t rp; + uint32_t seq; + enum resolver_status stat; - /* - * Quickly check for enforcement applicability. - */ - if (vfs_authopaque(vnode_mount(vp))) - goto out; - - /* - * Check for attempts to set nonsensical fields. - */ - if (vap->va_active & VNODE_ATTR_RDONLY) { - KAUTH_DEBUG("ATTR - ERROR: attempt to set readonly attribute(s)"); - error = EINVAL; - goto out; + if (vp->v_resolve == NULL) { + return (EINVAL); } - /* - * We need to know if the caller is the superuser. - */ - cred = vfs_context_ucred(ctx); - is_suser = kauth_cred_issuser(cred); - - /* - * If any of the following are changing, we need information from the old file: - * va_uid - * va_gid - * va_mode - * va_uuuid - * va_guuid - */ - if (VATTR_IS_ACTIVE(vap, va_uid) || - VATTR_IS_ACTIVE(vap, va_gid) || - VATTR_IS_ACTIVE(vap, va_mode) || - VATTR_IS_ACTIVE(vap, va_uuuid) || - VATTR_IS_ACTIVE(vap, va_guuid)) { - VATTR_WANTED(&ova, va_mode); - VATTR_WANTED(&ova, va_uid); - VATTR_WANTED(&ova, va_gid); - VATTR_WANTED(&ova, va_uuuid); - VATTR_WANTED(&ova, va_guuid); - KAUTH_DEBUG("ATTR - security information changing, fetching existing attributes"); + stat = vfs_resolver_status(result); + seq = vfs_resolver_sequence(result); + + if ((stat != RESOLVER_RESOLVED) && (stat != RESOLVER_UNRESOLVED)) { + return (EINVAL); + } + + rp = vp->v_resolve; + lck_mtx_lock(&rp->vr_lock); + + if (seq > rp->vr_lastseq) { + if (stat == RESOLVER_RESOLVED) + rp->vr_flags |= VNT_RESOLVED; + else + rp->vr_flags &= ~VNT_RESOLVED; + + rp->vr_lastseq = seq; } - /* - * If timestamps are being changed, we need to know who the file is owned - * by. - */ - if (VATTR_IS_ACTIVE(vap, va_create_time) || - VATTR_IS_ACTIVE(vap, va_change_time) || - VATTR_IS_ACTIVE(vap, va_modify_time) || - VATTR_IS_ACTIVE(vap, va_access_time) || - VATTR_IS_ACTIVE(vap, va_backup_time)) { + lck_mtx_unlock(&rp->vr_lock); + + return (0); +} + +static int +vnode_resolver_attach(vnode_t vp, vnode_resolve_t rp, boolean_t ref) +{ + int error; - VATTR_WANTED(&ova, va_uid); -#if 0 /* enable this when we support UUIDs as official owners */ - VATTR_WANTED(&ova, va_uuuid); -#endif - KAUTH_DEBUG("ATTR - timestamps changing, fetching uid and GUID"); + vnode_lock_spin(vp); + if (vp->v_resolve != NULL) { + vnode_unlock(vp); + return EINVAL; + } else { + vp->v_resolve = rp; } - - /* - * If flags are being changed, we need the old flags. - */ - if (VATTR_IS_ACTIVE(vap, va_flags)) { - KAUTH_DEBUG("ATTR - flags changing, fetching old flags"); - VATTR_WANTED(&ova, va_flags); + vnode_unlock(vp); + + if (ref) { + error = vnode_ref_ext(vp, O_EVTONLY, VNODE_REF_FORCE); + if (error != 0) { + panic("VNODE_REF_FORCE didn't help..."); + } } - /* - * If the size is being set, make sure it's not a directory. - */ - if (VATTR_IS_ACTIVE(vap, va_data_size)) { - /* size is meaningless on a directory, don't permit this */ - if (vnode_isdir(vp)) { - KAUTH_DEBUG("ATTR - ERROR: size change requested on a directory"); - error = EISDIR; - goto out; - } + return 0; +} + +/* + * VFS internal interfaces for vnode triggers + * + * vnode must already have an io count on entry + * v_resolve is stable when io count is non-zero + */ +static int +vnode_resolver_create(mount_t mp, vnode_t vp, struct vnode_trigger_param *tinfo, boolean_t external) +{ + vnode_resolve_t rp; + int result; + char byte; + +#if 1 + /* minimum pointer test (debugging) */ + if (tinfo->vnt_data) + byte = *((char *)tinfo->vnt_data); +#endif + MALLOC(rp, vnode_resolve_t, sizeof(*rp), M_TEMP, M_WAITOK); + if (rp == NULL) + return (ENOMEM); + + lck_mtx_init(&rp->vr_lock, trigger_vnode_lck_grp, trigger_vnode_lck_attr); + + rp->vr_resolve_func = tinfo->vnt_resolve_func; + rp->vr_unresolve_func = tinfo->vnt_unresolve_func; + rp->vr_rearm_func = tinfo->vnt_rearm_func; + rp->vr_reclaim_func = tinfo->vnt_reclaim_func; + rp->vr_data = tinfo->vnt_data; + rp->vr_lastseq = 0; + rp->vr_flags = tinfo->vnt_flags & VNT_VALID_MASK; + if (external) { + rp->vr_flags |= VNT_EXTERNAL; } - /* - * Get old data. - */ - KAUTH_DEBUG("ATTR - fetching old attributes %016llx", ova.va_active); - if ((error = vnode_getattr(vp, &ova, ctx)) != 0) { - KAUTH_DEBUG(" ERROR - got %d trying to get attributes", error); + result = vnode_resolver_attach(vp, rp, external); + if (result != 0) { goto out; } - /* - * Size changes require write access to the file data. - */ - if (VATTR_IS_ACTIVE(vap, va_data_size)) { - /* if we can't get the size, or it's different, we need write access */ - KAUTH_DEBUG("ATTR - size change, requiring WRITE_DATA"); - required_action |= KAUTH_VNODE_WRITE_DATA; + if (mp) { + OSAddAtomic(1, &mp->mnt_numtriggers); } + return (result); + +out: + FREE(rp, M_TEMP); + return result; +} + +static void +vnode_resolver_release(vnode_resolve_t rp) +{ /* - * Changing timestamps? - * - * Note that we are only called to authorize user-requested time changes; - * side-effect time changes are not authorized. Authorisation is only - * required for existing files. - * - * Non-owners are not permitted to change the time on an existing - * file to anything other than the current time. + * Give them a chance to free any private data */ - if (VATTR_IS_ACTIVE(vap, va_create_time) || - VATTR_IS_ACTIVE(vap, va_change_time) || - VATTR_IS_ACTIVE(vap, va_modify_time) || - VATTR_IS_ACTIVE(vap, va_access_time) || - VATTR_IS_ACTIVE(vap, va_backup_time)) { - /* - * The owner and root may set any timestamps they like, - * provided that the file is not immutable. The owner still needs - * WRITE_ATTRIBUTES (implied by ownership but still deniable). - */ - if (is_suser || vauth_node_owner(&ova, cred)) { - KAUTH_DEBUG("ATTR - root or owner changing timestamps"); - required_action |= KAUTH_VNODE_CHECKIMMUTABLE | KAUTH_VNODE_WRITE_ATTRIBUTES; - } else { - /* just setting the current time? */ - if (vap->va_vaflags & VA_UTIMES_NULL) { - KAUTH_DEBUG("ATTR - non-root/owner changing timestamps, requiring WRITE_ATTRIBUTES"); - required_action |= KAUTH_VNODE_WRITE_ATTRIBUTES; - } else { - KAUTH_DEBUG("ATTR - ERROR: illegal timestamp modification attempted"); - error = EACCES; - goto out; - } - } + if (rp->vr_data && rp->vr_reclaim_func) { + rp->vr_reclaim_func(NULLVP, rp->vr_data); } - /* - * Changing file mode? - */ - if (VATTR_IS_ACTIVE(vap, va_mode) && VATTR_IS_SUPPORTED(&ova, va_mode) && (ova.va_mode != vap->va_mode)) { - KAUTH_DEBUG("ATTR - mode change from %06o to %06o", ova.va_mode, vap->va_mode); + lck_mtx_destroy(&rp->vr_lock, trigger_vnode_lck_grp); + FREE(rp, M_TEMP); - /* - * Mode changes always have the same basic auth requirements. - */ - if (is_suser) { - KAUTH_DEBUG("ATTR - superuser mode change, requiring immutability check"); - required_action |= KAUTH_VNODE_CHECKIMMUTABLE; - } else { - /* need WRITE_SECURITY */ - KAUTH_DEBUG("ATTR - non-superuser mode change, requiring WRITE_SECURITY"); - required_action |= KAUTH_VNODE_WRITE_SECURITY; - } +} - /* - * Can't set the setgid bit if you're not in the group and not root. Have to have - * existing group information in the case we're not setting it right now. - */ - if (vap->va_mode & S_ISGID) { - required_action |= KAUTH_VNODE_CHECKIMMUTABLE; /* always required */ - if (!is_suser) { - if (VATTR_IS_ACTIVE(vap, va_gid)) { - group = vap->va_gid; - } else if (VATTR_IS_SUPPORTED(&ova, va_gid)) { - group = ova.va_gid; - } else { - KAUTH_DEBUG("ATTR - ERROR: setgid but no gid available"); - error = EINVAL; - goto out; - } - /* - * This might be too restrictive; WRITE_SECURITY might be implied by - * membership in this case, rather than being an additional requirement. - */ - if ((error = kauth_cred_ismember_gid(cred, group, &ismember)) != 0) { - KAUTH_DEBUG("ATTR - ERROR: got %d checking for membership in %d", error, vap->va_gid); - goto out; - } - if (!ismember) { - KAUTH_DEBUG(" DENIED - can't set SGID bit, not a member of %d", group); - error = EPERM; - goto out; - } - } - } +/* Called after the vnode has been drained */ +static void +vnode_resolver_detach(vnode_t vp) +{ + vnode_resolve_t rp; + mount_t mp; - /* - * Can't set the setuid bit unless you're root or the file's owner. - */ - if (vap->va_mode & S_ISUID) { - required_action |= KAUTH_VNODE_CHECKIMMUTABLE; /* always required */ - if (!is_suser) { - if (VATTR_IS_ACTIVE(vap, va_uid)) { - owner = vap->va_uid; - } else if (VATTR_IS_SUPPORTED(&ova, va_uid)) { - owner = ova.va_uid; - } else { - KAUTH_DEBUG("ATTR - ERROR: setuid but no uid available"); - error = EINVAL; - goto out; - } - if (owner != kauth_cred_getuid(cred)) { - /* - * We could allow this if WRITE_SECURITY is permitted, perhaps. - */ - KAUTH_DEBUG("ATTR - ERROR: illegal attempt to set the setuid bit"); - error = EPERM; - goto out; - } - } - } + mp = vnode_mount(vp); + + vnode_lock(vp); + rp = vp->v_resolve; + vp->v_resolve = NULL; + vnode_unlock(vp); + + if ((rp->vr_flags & VNT_EXTERNAL) != 0) { + vnode_rele_ext(vp, O_EVTONLY, 1); + } + + vnode_resolver_release(rp); + + /* Keep count of active trigger vnodes per mount */ + OSAddAtomic(-1, &mp->mnt_numtriggers); +} + +/* + * Pathname operations that don't trigger a mount for trigger vnodes + */ +static const u_int64_t ignorable_pathops_mask = + 1LL << OP_MOUNT | + 1LL << OP_UNMOUNT | + 1LL << OP_STATFS | + 1LL << OP_ACCESS | + 1LL << OP_GETATTR | + 1LL << OP_LISTXATTR; + +int +vfs_istraditionaltrigger(enum path_operation op, const struct componentname *cnp) +{ + if (cnp->cn_flags & ISLASTCN) + return ((1LL << op) & ignorable_pathops_mask) == 0; + else + return (1); +} + +__private_extern__ +void +vnode_trigger_rearm(vnode_t vp, vfs_context_t ctx) +{ + vnode_resolve_t rp; + resolver_result_t result; + enum resolver_status status; + uint32_t seq; + + if ((vp->v_resolve == NULL) || + (vp->v_resolve->vr_rearm_func == NULL) || + (vp->v_resolve->vr_flags & VNT_AUTO_REARM) == 0) { + return; } - + + rp = vp->v_resolve; + lck_mtx_lock(&rp->vr_lock); + /* - * Validate/mask flags changes. This checks that only the flags in - * the UF_SETTABLE mask are being set, and preserves the flags in - * the SF_SETTABLE case. - * - * Since flags changes may be made in conjunction with other changes, - * we will ask the auth code to ignore immutability in the case that - * the SF_* flags are not set and we are only manipulating the file flags. - * + * Check if VFS initiated this unmount. If so, we'll catch it after the unresolve completes. */ - if (VATTR_IS_ACTIVE(vap, va_flags)) { - /* compute changing flags bits */ - if (VATTR_IS_SUPPORTED(&ova, va_flags)) { - fdelta = vap->va_flags ^ ova.va_flags; - } else { - fdelta = vap->va_flags; - } + if (rp->vr_flags & VNT_VFS_UNMOUNTED) { + lck_mtx_unlock(&rp->vr_lock); + return; + } - if (fdelta != 0) { - KAUTH_DEBUG("ATTR - flags changing, requiring WRITE_SECURITY"); - required_action |= KAUTH_VNODE_WRITE_SECURITY; + /* Check if this vnode is already armed */ + if ((rp->vr_flags & VNT_RESOLVED) == 0) { + lck_mtx_unlock(&rp->vr_lock); + return; + } - /* check that changing bits are legal */ - if (is_suser) { - /* - * The immutability check will prevent us from clearing the SF_* - * flags unless the system securelevel permits it, so just check - * for legal flags here. - */ - if (fdelta & ~(UF_SETTABLE | SF_SETTABLE)) { - error = EPERM; - KAUTH_DEBUG(" DENIED - superuser attempt to set illegal flag(s)"); - goto out; - } - } else { - if (fdelta & ~UF_SETTABLE) { - error = EPERM; - KAUTH_DEBUG(" DENIED - user attempt to set illegal flag(s)"); - goto out; - } - } - /* - * If the caller has the ability to manipulate file flags, - * security is not reduced by ignoring them for this operation. - * - * A more complete test here would consider the 'after' states of the flags - * to determine whether it would permit the operation, but this becomes - * very complex. - * - * Ignoring immutability is conditional on securelevel; this does not bypass - * the SF_* flags if securelevel > 0. - */ - required_action |= KAUTH_VNODE_NOIMMUTABLE; - } + lck_mtx_unlock(&rp->vr_lock); + + result = rp->vr_rearm_func(vp, 0, rp->vr_data, ctx); + status = vfs_resolver_status(result); + seq = vfs_resolver_sequence(result); + + lck_mtx_lock(&rp->vr_lock); + if (seq > rp->vr_lastseq) { + if (status == RESOLVER_UNRESOLVED) + rp->vr_flags &= ~VNT_RESOLVED; + rp->vr_lastseq = seq; } + lck_mtx_unlock(&rp->vr_lock); +} - /* - * Validate ownership information. - */ - chowner = 0; - chgroup = 0; +__private_extern__ +int +vnode_trigger_resolve(vnode_t vp, struct nameidata *ndp, vfs_context_t ctx) +{ + vnode_resolve_t rp; + enum path_operation op; + resolver_result_t result; + enum resolver_status status; + uint32_t seq; + + /* Only trigger on topmost vnodes */ + if ((vp->v_resolve == NULL) || + (vp->v_resolve->vr_resolve_func == NULL) || + (vp->v_mountedhere != NULL)) { + return (0); + } + + rp = vp->v_resolve; + lck_mtx_lock(&rp->vr_lock); + + /* Check if this vnode is already resolved */ + if (rp->vr_flags & VNT_RESOLVED) { + lck_mtx_unlock(&rp->vr_lock); + return (0); + } + + lck_mtx_unlock(&rp->vr_lock); /* - * uid changing - * Note that if the filesystem didn't give us a UID, we expect that it doesn't - * support them in general, and will ignore it if/when we try to set it. - * We might want to clear the uid out of vap completely here. + * XXX + * assumes that resolver will not access this trigger vnode (otherwise the kernel will deadlock) + * is there anyway to know this??? + * there can also be other legitimate lookups in parallel + * + * XXX - should we call this on a separate thread with a timeout? + * + * XXX - should we use ISLASTCN to pick the op value??? Perhaps only leafs should + * get the richer set and non-leafs should get generic OP_LOOKUP? TBD */ - if (VATTR_IS_ACTIVE(vap, va_uid) && VATTR_IS_SUPPORTED(&ova, va_uid) && (vap->va_uid != ova.va_uid)) { - if (!is_suser && (kauth_cred_getuid(cred) != vap->va_uid)) { - KAUTH_DEBUG(" DENIED - non-superuser cannot change ownershipt to a third party"); - error = EPERM; - goto out; - } - chowner = 1; + op = (ndp->ni_op < OP_MAXOP) ? ndp->ni_op: OP_LOOKUP; + + result = rp->vr_resolve_func(vp, &ndp->ni_cnd, op, 0, rp->vr_data, ctx); + status = vfs_resolver_status(result); + seq = vfs_resolver_sequence(result); + + lck_mtx_lock(&rp->vr_lock); + if (seq > rp->vr_lastseq) { + if (status == RESOLVER_RESOLVED) + rp->vr_flags |= VNT_RESOLVED; + rp->vr_lastseq = seq; } - + lck_mtx_unlock(&rp->vr_lock); + + /* On resolver errors, propagate the error back up */ + return (status == RESOLVER_ERROR ? vfs_resolver_auxiliary(result) : 0); +} + +static int +vnode_trigger_unresolve(vnode_t vp, int flags, vfs_context_t ctx) +{ + vnode_resolve_t rp; + resolver_result_t result; + enum resolver_status status; + uint32_t seq; + + if ((vp->v_resolve == NULL) || (vp->v_resolve->vr_unresolve_func == NULL)) { + return (0); + } + + rp = vp->v_resolve; + lck_mtx_lock(&rp->vr_lock); + + /* Check if this vnode is already resolved */ + if ((rp->vr_flags & VNT_RESOLVED) == 0) { + printf("vnode_trigger_unresolve: not currently resolved\n"); + lck_mtx_unlock(&rp->vr_lock); + return (0); + } + + rp->vr_flags |= VNT_VFS_UNMOUNTED; + + lck_mtx_unlock(&rp->vr_lock); + /* - * gid changing - * Note that if the filesystem didn't give us a GID, we expect that it doesn't - * support them in general, and will ignore it if/when we try to set it. - * We might want to clear the gid out of vap completely here. + * XXX + * assumes that resolver will not access this trigger vnode (otherwise the kernel will deadlock) + * there can also be other legitimate lookups in parallel + * + * XXX - should we call this on a separate thread with a timeout? */ - if (VATTR_IS_ACTIVE(vap, va_gid) && VATTR_IS_SUPPORTED(&ova, va_gid) && (vap->va_gid != ova.va_gid)) { - if (!is_suser) { - if ((error = kauth_cred_ismember_gid(cred, vap->va_gid, &ismember)) != 0) { - KAUTH_DEBUG(" ERROR - got %d checking for membership in %d", error, vap->va_gid); - goto out; - } - if (!ismember) { - KAUTH_DEBUG(" DENIED - group change from %d to %d but not a member of target group", - ova.va_gid, vap->va_gid); - error = EPERM; - goto out; - } - } - chgroup = 1; + + result = rp->vr_unresolve_func(vp, flags, rp->vr_data, ctx); + status = vfs_resolver_status(result); + seq = vfs_resolver_sequence(result); + + lck_mtx_lock(&rp->vr_lock); + if (seq > rp->vr_lastseq) { + if (status == RESOLVER_UNRESOLVED) + rp->vr_flags &= ~VNT_RESOLVED; + rp->vr_lastseq = seq; } + rp->vr_flags &= ~VNT_VFS_UNMOUNTED; + lck_mtx_unlock(&rp->vr_lock); + + /* On resolver errors, propagate the error back up */ + return (status == RESOLVER_ERROR ? vfs_resolver_auxiliary(result) : 0); +} + +static int +triggerisdescendant(mount_t mp, mount_t rmp) +{ + int match = FALSE; /* - * Owner UUID being set or changed. + * walk up vnode covered chain looking for a match */ - if (VATTR_IS_ACTIVE(vap, va_uuuid)) { - /* if the owner UUID is not actually changing ... */ - if (VATTR_IS_SUPPORTED(&ova, va_uuuid) && kauth_guid_equal(&vap->va_uuuid, &ova.va_uuuid)) - goto no_uuuid_change; - - /* - * The owner UUID cannot be set by a non-superuser to anything other than - * their own. - */ - if (!is_suser) { - if ((error = kauth_cred_getguid(cred, &changer)) != 0) { - KAUTH_DEBUG(" ERROR - got %d trying to get caller UUID", error); - /* XXX ENOENT here - no UUID - should perhaps become EPERM */ - goto out; - } - if (!kauth_guid_equal(&vap->va_uuuid, &changer)) { - KAUTH_DEBUG(" ERROR - cannot set supplied owner UUID - not us"); - error = EPERM; - goto out; - } + name_cache_lock_shared(); + + while (1) { + vnode_t vp; + + /* did we encounter "/" ? */ + if (mp->mnt_flag & MNT_ROOTFS) + break; + + vp = mp->mnt_vnodecovered; + if (vp == NULLVP) + break; + + mp = vp->v_mount; + if (mp == rmp) { + match = TRUE; + break; } - chowner = 1; } -no_uuuid_change: + + name_cache_unlock(); + + return (match); +} + +struct trigger_unmount_info { + vfs_context_t ctx; + mount_t top_mp; + vnode_t trigger_vp; + mount_t trigger_mp; + uint32_t trigger_vid; + int flags; +}; + +static int +trigger_unmount_callback(mount_t mp, void * arg) +{ + struct trigger_unmount_info * infop = (struct trigger_unmount_info *)arg; + boolean_t mountedtrigger = FALSE; + /* - * Group UUID being set or changed. + * When we encounter the top level mount we're done */ - if (VATTR_IS_ACTIVE(vap, va_guuid)) { - /* if the group UUID is not actually changing ... */ - if (VATTR_IS_SUPPORTED(&ova, va_guuid) && kauth_guid_equal(&vap->va_guuid, &ova.va_guuid)) - goto no_guuid_change; + if (mp == infop->top_mp) + return (VFS_RETURNED_DONE); - /* - * The group UUID cannot be set by a non-superuser to anything other than - * one of which they are a member. - */ - if (!is_suser) { - if ((error = kauth_cred_ismember_guid(cred, &vap->va_guuid, &ismember)) != 0) { - KAUTH_DEBUG(" ERROR - got %d trying to check group membership", error); - goto out; - } - if (!ismember) { - KAUTH_DEBUG(" ERROR - cannot create item with supplied group UUID - not a member"); - error = EPERM; - goto out; - } - } - chgroup = 1; + if ((mp->mnt_vnodecovered == NULL) || + (vnode_getwithref(mp->mnt_vnodecovered) != 0)) { + return (VFS_RETURNED); } -no_guuid_change: + + if ((mp->mnt_vnodecovered->v_mountedhere == mp) && + (mp->mnt_vnodecovered->v_resolve != NULL) && + (mp->mnt_vnodecovered->v_resolve->vr_flags & VNT_RESOLVED)) { + mountedtrigger = TRUE; + } + vnode_put(mp->mnt_vnodecovered); /* - * Compute authorisation for group/ownership changes. + * When we encounter a mounted trigger, check if its under the top level mount */ - if (chowner || chgroup) { - if (is_suser) { - KAUTH_DEBUG("ATTR - superuser changing file owner/group, requiring immutability check"); - required_action |= KAUTH_VNODE_CHECKIMMUTABLE; - } else { - if (chowner) { - KAUTH_DEBUG("ATTR - ownership change, requiring TAKE_OWNERSHIP"); - required_action |= KAUTH_VNODE_TAKE_OWNERSHIP; - } - if (chgroup && !chowner) { - KAUTH_DEBUG("ATTR - group change, requiring WRITE_SECURITY"); - required_action |= KAUTH_VNODE_WRITE_SECURITY; - } - - /* clear set-uid and set-gid bits as required by Posix */ - if (VATTR_IS_ACTIVE(vap, va_mode)) { - newmode = vap->va_mode; - } else if (VATTR_IS_SUPPORTED(&ova, va_mode)) { - newmode = ova.va_mode; - } else { - KAUTH_DEBUG("CHOWN - trying to change owner but cannot get mode from filesystem to mask setugid bits"); - newmode = 0; - } - if (newmode & (S_ISUID | S_ISGID)) { - VATTR_SET(vap, va_mode, newmode & ~(S_ISUID | S_ISGID)); - KAUTH_DEBUG("CHOWN - masking setugid bits from mode %o to %o", newmode, vap->va_mode); - } + if ( !mountedtrigger || !triggerisdescendant(mp, infop->top_mp) ) + return (VFS_RETURNED); + + /* + * Process any pending nested mount (now that its not referenced) + */ + if ((infop->trigger_vp != NULLVP) && + (vnode_getwithvid(infop->trigger_vp, infop->trigger_vid) == 0)) { + vnode_t vp = infop->trigger_vp; + int error; + + infop->trigger_vp = NULLVP; + + if (mp == vp->v_mountedhere) { + vnode_put(vp); + printf("trigger_unmount_callback: unexpected match '%s'\n", + mp->mnt_vfsstat.f_mntonname); + return (VFS_RETURNED); + } + if (infop->trigger_mp != vp->v_mountedhere) { + vnode_put(vp); + printf("trigger_unmount_callback: trigger mnt changed! (%p != %p)\n", + infop->trigger_mp, vp->v_mountedhere); + goto savenext; } - } + error = vnode_trigger_unresolve(vp, infop->flags, infop->ctx); + vnode_put(vp); + if (error) { + printf("unresolving: '%s', err %d\n", + vp->v_mountedhere ? vp->v_mountedhere->mnt_vfsstat.f_mntonname : + "???", error); + return (VFS_RETURNED_DONE); /* stop iteration on errors */ + } + } +savenext: /* - * Authorise changes in the ACL. + * We can't call resolver here since we hold a mount iter + * ref on mp so save its covered vp for later processing */ - if (VATTR_IS_ACTIVE(vap, va_acl)) { + infop->trigger_vp = mp->mnt_vnodecovered; + if ((infop->trigger_vp != NULLVP) && + (vnode_getwithref(infop->trigger_vp) == 0)) { + if (infop->trigger_vp->v_mountedhere == mp) { + infop->trigger_vid = infop->trigger_vp->v_id; + infop->trigger_mp = mp; + } + vnode_put(infop->trigger_vp); + } - /* no existing ACL */ - if (!VATTR_IS_ACTIVE(&ova, va_acl) || (ova.va_acl == NULL)) { + return (VFS_RETURNED); +} - /* adding an ACL */ - if (vap->va_acl != NULL) { - required_action |= KAUTH_VNODE_WRITE_SECURITY; - KAUTH_DEBUG("CHMOD - adding ACL"); - } +/* + * Attempt to unmount any trigger mounts nested underneath a mount. + * This is a best effort attempt and no retries are performed here. + * + * Note: mp->mnt_rwlock is held exclusively on entry (so be carefull) + */ +__private_extern__ +void +vfs_nested_trigger_unmounts(mount_t mp, int flags, vfs_context_t ctx) +{ + struct trigger_unmount_info info; - /* removing an existing ACL */ - } else if (vap->va_acl == NULL) { - required_action |= KAUTH_VNODE_WRITE_SECURITY; - KAUTH_DEBUG("CHMOD - removing ACL"); + /* Must have trigger vnodes */ + if (mp->mnt_numtriggers == 0) { + return; + } + /* Avoid recursive requests (by checking covered vnode) */ + if ((mp->mnt_vnodecovered != NULL) && + (vnode_getwithref(mp->mnt_vnodecovered) == 0)) { + boolean_t recursive = FALSE; - /* updating an existing ACL */ - } else { - if (vap->va_acl->acl_entrycount != ova.va_acl->acl_entrycount) { - /* entry count changed, must be different */ - required_action |= KAUTH_VNODE_WRITE_SECURITY; - KAUTH_DEBUG("CHMOD - adding/removing ACL entries"); - } else if (vap->va_acl->acl_entrycount > 0) { - /* both ACLs have the same ACE count, said count is 1 or more, bitwise compare ACLs */ - if (!memcmp(&vap->va_acl->acl_ace[0], &ova.va_acl->acl_ace[0], - sizeof(struct kauth_ace) * vap->va_acl->acl_entrycount)) { - required_action |= KAUTH_VNODE_WRITE_SECURITY; - KAUTH_DEBUG("CHMOD - changing ACL entries"); - } - } + if ((mp->mnt_vnodecovered->v_mountedhere == mp) && + (mp->mnt_vnodecovered->v_resolve != NULL) && + (mp->mnt_vnodecovered->v_resolve->vr_flags & VNT_VFS_UNMOUNTED)) { + recursive = TRUE; } + vnode_put(mp->mnt_vnodecovered); + if (recursive) + return; } /* - * Other attributes that require authorisation. + * Attempt to unmount any nested trigger mounts (best effort) */ - if (VATTR_IS_ACTIVE(vap, va_encoding)) - required_action |= KAUTH_VNODE_WRITE_ATTRIBUTES; - -out: - if (VATTR_IS_SUPPORTED(&ova, va_acl) && (ova.va_acl != NULL)) - kauth_acl_free(ova.va_acl); - if (error == 0) - *actionp = required_action; - return(error); -} + info.ctx = ctx; + info.top_mp = mp; + info.trigger_vp = NULLVP; + info.trigger_vid = 0; + info.trigger_mp = NULL; + info.flags = flags; - -void -vfs_setlocklocal(mount_t mp) -{ - vnode_t vp; - - mount_lock(mp); - mp->mnt_kern_flag |= MNTK_LOCK_LOCAL; + (void) vfs_iterate(VFS_ITERATE_TAIL_FIRST, trigger_unmount_callback, &info); /* - * We do not expect anyone to be using any vnodes at the - * time this routine is called. So no need for vnode locking + * Process remaining nested mount (now that its not referenced) */ - TAILQ_FOREACH(vp, &mp->mnt_vnodelist, v_mntvnodes) { - vp->v_flag |= VLOCKLOCAL; - } - TAILQ_FOREACH(vp, &mp->mnt_workerqueue, v_mntvnodes) { - vp->v_flag |= VLOCKLOCAL; - } - TAILQ_FOREACH(vp, &mp->mnt_newvnodes, v_mntvnodes) { - vp->v_flag |= VLOCKLOCAL; + if ((info.trigger_vp != NULLVP) && + (vnode_getwithvid(info.trigger_vp, info.trigger_vid) == 0)) { + vnode_t vp = info.trigger_vp; + + if (info.trigger_mp == vp->v_mountedhere) { + (void) vnode_trigger_unresolve(vp, flags, ctx); + } + vnode_put(vp); } - mount_unlock(mp); } +int +vfs_addtrigger(mount_t mp, const char *relpath, struct vnode_trigger_info *vtip, vfs_context_t ctx) +{ + struct nameidata nd; + int res; + vnode_t rvp, vp; + struct vnode_trigger_param vtp; + + /* + * Must be called for trigger callback, wherein rwlock is held + */ + lck_rw_assert(&mp->mnt_rwlock, LCK_RW_ASSERT_HELD); -#ifdef JOE_DEBUG - -record_vp(vnode_t vp, int count) { - struct uthread *ut; - int i; + TRIG_LOG("Adding trigger at %s\n", relpath); + TRIG_LOG("Trying VFS_ROOT\n"); - if ((vp->v_flag & VSYSTEM)) - return; + /* + * We do a lookup starting at the root of the mountpoint, unwilling + * to cross into other mountpoints. + */ + res = VFS_ROOT(mp, &rvp, ctx); + if (res != 0) { + goto out; + } - ut = get_bsdthread_info(current_thread()); - ut->uu_iocount += count; + TRIG_LOG("Trying namei\n"); - if (ut->uu_vpindex < 32) { - for (i = 0; i < ut->uu_vpindex; i++) { - if (ut->uu_vps[i] == vp) - return; - } - ut->uu_vps[ut->uu_vpindex] = vp; - ut->uu_vpindex++; + NDINIT(&nd, LOOKUP, OP_LOOKUP, USEDVP | NOCROSSMOUNT | FOLLOW, UIO_SYSSPACE, + CAST_USER_ADDR_T(relpath), ctx); + nd.ni_dvp = rvp; + res = namei(&nd); + if (res != 0) { + vnode_put(rvp); + goto out; } + + vp = nd.ni_vp; + nameidone(&nd); + vnode_put(rvp); + + TRIG_LOG("Trying vnode_resolver_create()\n"); + + /* + * Set up blob. vnode_create() takes a larger structure + * with creation info, and we needed something different + * for this case. One needs to win, or we need to munge both; + * vnode_create() wins. + */ + bzero(&vtp, sizeof(vtp)); + vtp.vnt_resolve_func = vtip->vti_resolve_func; + vtp.vnt_unresolve_func = vtip->vti_unresolve_func; + vtp.vnt_rearm_func = vtip->vti_rearm_func; + vtp.vnt_reclaim_func = vtip->vti_reclaim_func; + vtp.vnt_reclaim_func = vtip->vti_reclaim_func; + vtp.vnt_data = vtip->vti_data; + vtp.vnt_flags = vtip->vti_flags; + + res = vnode_resolver_create(mp, vp, &vtp, TRUE); + vnode_put(vp); +out: + TRIG_LOG("Returning %d\n", res); + return res; } -#endif + +#endif /* CONFIG_TRIGGERS */