X-Git-Url: https://git.saurik.com/apple/xnu.git/blobdiff_plain/d1ecb069dfe24481e4a83f44cb5217a2b06746d7..db6096698656d32db7df630594bd9617ee54f828:/bsd/vfs/vfs_subr.c diff --git a/bsd/vfs/vfs_subr.c b/bsd/vfs/vfs_subr.c index 9f528d32e..1c8bfc50e 100644 --- a/bsd/vfs/vfs_subr.c +++ b/bsd/vfs/vfs_subr.c @@ -1,5 +1,5 @@ /* - * Copyright (c) 2000-2008 Apple Inc. All rights reserved. + * Copyright (c) 2000-2012 Apple Inc. All rights reserved. * * @APPLE_OSREFERENCE_LICENSE_HEADER_START@ * @@ -105,7 +105,9 @@ #include #include #include +#include #include +#include #include #include @@ -113,17 +115,25 @@ #include +#include +#include +#include #include #include #include +#include #include /* kalloc()/kfree() */ #include /* delay_for_interval() */ #include /* OSAddAtomic() */ +#ifdef JOE_DEBUG +#include +#endif + #include /* vnode_pager_vrele() */ #if CONFIG_MACF @@ -133,6 +143,10 @@ extern lck_grp_t *vnode_lck_grp; extern lck_attr_t *vnode_lck_attr; +#if CONFIG_TRIGGERS +extern lck_grp_t *trigger_vnode_lck_grp; +extern lck_attr_t *trigger_vnode_lck_attr; +#endif extern lck_mtx_t * mnt_list_mtx_lock; @@ -145,6 +159,16 @@ int vttoif_tab[9] = { S_IFSOCK, S_IFIFO, S_IFMT, }; + +/* XXX These should be in a BSD accessible Mach header, but aren't. */ +extern void memory_object_mark_used( + memory_object_control_t control); + +extern void memory_object_mark_unused( + memory_object_control_t control, + boolean_t rage); + + /* XXX next protptype should be from */ extern int nfs_vinvalbuf(vnode_t, int, vfs_context_t, int); @@ -164,16 +188,17 @@ __private_extern__ int unlink1(vfs_context_t, struct nameidata *, int); extern int system_inshutdown; static void vnode_list_add(vnode_t); +static void vnode_async_list_add(vnode_t); static void vnode_list_remove(vnode_t); static void vnode_list_remove_locked(vnode_t); +static void vnode_abort_advlocks(vnode_t); static errno_t vnode_drain(vnode_t); static void vgone(vnode_t, int flags); static void vclean(vnode_t vp, int flag); static void vnode_reclaim_internal(vnode_t, int, int, int); static void vnode_dropiocount (vnode_t); -static errno_t vnode_getiocount(vnode_t vp, unsigned int vid, int vflags); static vnode_t checkalias(vnode_t vp, dev_t nvp_rdev); static int vnode_reload(vnode_t); @@ -188,6 +213,9 @@ static int vnode_iterate_prepare(mount_t); static int vnode_iterate_reloadq(mount_t); static void vnode_iterate_clear(mount_t); static mount_t vfs_getvfs_locked(fsid_t *); +static int vn_create_reg(vnode_t dvp, vnode_t *vpp, struct nameidata *ndp, + struct vnode_attr *vap, uint32_t flags, int fmode, uint32_t *statusp, vfs_context_t ctx); +static int vnode_authattr_new_internal(vnode_t dvp, struct vnode_attr *vap, int noauth, uint32_t *defaulted_fieldsp, vfs_context_t ctx); errno_t rmdir_remove_orphaned_appleDouble(vnode_t, vfs_context_t, int *); @@ -195,8 +223,15 @@ errno_t rmdir_remove_orphaned_appleDouble(vnode_t, vfs_context_t, int *); static void record_vp(vnode_t vp, int count); #endif +#if CONFIG_TRIGGERS +static int vnode_resolver_create(mount_t, vnode_t, struct vnode_trigger_param *, boolean_t external); +static void vnode_resolver_detach(vnode_t); +#endif + TAILQ_HEAD(freelst, vnode) vnode_free_list; /* vnode free list */ TAILQ_HEAD(deadlst, vnode) vnode_dead_list; /* vnode dead list */ +TAILQ_HEAD(async_work_lst, vnode) vnode_async_work_list; + TAILQ_HEAD(ragelst, vnode) vnode_rage_list; /* vnode rapid age list */ struct timeval rage_tv; @@ -236,7 +271,6 @@ static int nummounts = 0; } while(0) - /* remove a vnode from dead vnode list */ #define VREMDEAD(fun, vp) \ do { \ @@ -248,6 +282,17 @@ static int nummounts = 0; } while(0) +/* remove a vnode from async work vnode list */ +#define VREMASYNC_WORK(fun, vp) \ + do { \ + VLISTCHECK((fun), (vp), "async_work"); \ + TAILQ_REMOVE(&vnode_async_work_list, (vp), v_freelist); \ + VLISTNONE((vp)); \ + vp->v_listflag &= ~VLIST_ASYNC_WORK; \ + async_work_vnodes--; \ + } while(0) + + /* remove a vnode from rage vnode list */ #define VREMRAGE(fun, vp) \ do { \ @@ -278,15 +323,21 @@ u_int32_t vnodetarget; /* target for vnreclaim() */ */ #define VNODE_FREE_MIN CONFIG_VNODE_FREE_MIN /* freelist should have at least this many */ + +static void async_work_continue(void); + /* * Initialize the vnode management data structures. */ __private_extern__ void vntblinit(void) { + thread_t thread = THREAD_NULL; + TAILQ_INIT(&vnode_free_list); TAILQ_INIT(&vnode_rage_list); TAILQ_INIT(&vnode_dead_list); + TAILQ_INIT(&vnode_async_work_list); TAILQ_INIT(&mountlist); if (!vnodetarget) @@ -303,6 +354,12 @@ vntblinit(void) * we want to cache */ (void) adjust_vm_object_cache(0, desiredvnodes - VNODE_FREE_MIN); + + /* + * create worker threads + */ + kernel_thread_start((thread_continue_t)async_work_continue, NULL, &thread); + thread_deallocate(thread); } /* Reset the VM Object Cache with the values passed in */ @@ -370,29 +427,27 @@ void vnode_writedone(vnode_t vp) { if (vp) { - OSAddAtomic(-1, &vp->v_numoutput); + int need_wakeup = 0; - if (vp->v_numoutput <= 1) { - int need_wakeup = 0; + OSAddAtomic(-1, &vp->v_numoutput); - vnode_lock_spin(vp); + vnode_lock_spin(vp); - if (vp->v_numoutput < 0) - panic("vnode_writedone: numoutput < 0"); + if (vp->v_numoutput < 0) + panic("vnode_writedone: numoutput < 0"); - if ((vp->v_flag & VTHROTTLED) && (vp->v_numoutput <= 1)) { - vp->v_flag &= ~VTHROTTLED; - need_wakeup = 1; - } - if ((vp->v_flag & VBWAIT) && (vp->v_numoutput == 0)) { - vp->v_flag &= ~VBWAIT; - need_wakeup = 1; - } - vnode_unlock(vp); - - if (need_wakeup) - wakeup((caddr_t)&vp->v_numoutput); + if ((vp->v_flag & VTHROTTLED)) { + vp->v_flag &= ~VTHROTTLED; + need_wakeup = 1; + } + if ((vp->v_flag & VBWAIT) && (vp->v_numoutput == 0)) { + vp->v_flag &= ~VBWAIT; + need_wakeup = 1; } + vnode_unlock(vp); + + if (need_wakeup) + wakeup((caddr_t)&vp->v_numoutput); } } @@ -781,6 +836,13 @@ mount_refdrain(mount_t mp) return(0); } +/* Tags the mount point as not supportine extended readdir for NFS exports */ +void +mount_set_noreaddirext(mount_t mp) { + mount_lock (mp); + mp->mnt_kern_flag |= MNTK_DENY_READDIREXT; + mount_unlock (mp); +} /* * Mark a mount point as busy. Used to synchronize access and to delay @@ -887,6 +949,8 @@ vfs_rootmountalloc_internal(struct vfstable *vfsp, const char *devname) mp->mnt_ioflags = 0; mp->mnt_realrootvp = NULLVP; mp->mnt_authcache_ttl = CACHED_LOOKUP_RIGHT_TTL; + mp->mnt_throttle_mask = LOWPRI_MAX_NUM_DEV - 1; + mp->mnt_devbsdunit = 0; mount_lock_init(mp); (void)vfs_busy(mp, LK_NOWAIT); @@ -1120,6 +1184,8 @@ vfs_getvfs_by_mntonname(char *path) if (!strncmp(mp->mnt_vfsstat.f_mntonname, path, sizeof(mp->mnt_vfsstat.f_mntonname))) { retmp = mp; + if (mount_iterref(retmp, 1)) + retmp = NULL; goto out; } } @@ -1166,9 +1232,14 @@ vfs_getnewfsid(struct mount *mp) * Routines having to do with the management of the vnode table. */ extern int (**dead_vnodeop_p)(void *); -long numvnodes, freevnodes, deadvnodes; +long numvnodes, freevnodes, deadvnodes, async_work_vnodes; +int async_work_timed_out = 0; +int async_work_handled = 0; +int dead_vnode_wanted = 0; +int dead_vnode_waited = 0; + /* * Move a vnode from one mount queue to another. */ @@ -1358,6 +1429,9 @@ found_alias: nvp->v_rdev = nvp_rdev; nvp->v_specflags = 0; nvp->v_speclastr = -1; + nvp->v_specinfo->si_opencount = 0; + nvp->v_specinfo->si_initted = 0; + nvp->v_specinfo->si_throttleable = 0; SPECHASH_LOCK(); @@ -1416,22 +1490,16 @@ int vget_internal(vnode_t vp, int vid, int vflags) { int error = 0; - int vpid; vnode_lock_spin(vp); - if (vflags & VNODE_WITHID) - vpid = vid; - else - vpid = vp->v_id; // save off the original v_id - if ((vflags & VNODE_WRITEABLE) && (vp->v_writecount == 0)) /* * vnode to be returned only if it has writers opened */ error = EINVAL; else - error = vnode_getiocount(vp, vpid, vflags); + error = vnode_getiocount(vp, vid, vflags); vnode_unlock(vp); @@ -1446,7 +1514,7 @@ int vnode_ref(vnode_t vp) { - return (vnode_ref_ext(vp, 0)); + return (vnode_ref_ext(vp, 0, 0)); } /* @@ -1454,7 +1522,7 @@ vnode_ref(vnode_t vp) * ENOENT No such file or directory [terminating] */ int -vnode_ref_ext(vnode_t vp, int fmode) +vnode_ref_ext(vnode_t vp, int fmode, int flags) { int error = 0; @@ -1471,10 +1539,12 @@ vnode_ref_ext(vnode_t vp, int fmode) /* * if you are the owner of drain/termination, can acquire usecount */ - if ((vp->v_lflag & (VL_DRAIN | VL_TERMINATE | VL_DEAD))) { - if (vp->v_owner != current_thread()) { - error = ENOENT; - goto out; + if ((flags & VNODE_REF_FORCE) == 0) { + if ((vp->v_lflag & (VL_DRAIN | VL_TERMINATE | VL_DEAD))) { + if (vp->v_owner != current_thread()) { + error = ENOENT; + goto out; + } } } vp->v_usecount++; @@ -1507,6 +1577,13 @@ vnode_ref_ext(vnode_t vp, int fmode) vnode_list_remove(vp); } } + if (vp->v_usecount == 1 && vp->v_type == VREG && !(vp->v_flag & VSYSTEM)) { + + if (vp->v_ubcinfo) { + vnode_lock_convert(vp); + memory_object_mark_used(vp->v_ubcinfo->ui_control); + } + } out: vnode_unlock(vp); @@ -1514,6 +1591,34 @@ out: } +static boolean_t +vnode_on_reliable_media(vnode_t vp) +{ + if ( !(vp->v_mount->mnt_kern_flag & MNTK_VIRTUALDEV) && (vp->v_mount->mnt_flag & MNT_LOCAL) ) + return (TRUE); + return (FALSE); +} + +static void +vnode_async_list_add(vnode_t vp) +{ + vnode_list_lock(); + + if (VONLIST(vp) || (vp->v_lflag & (VL_TERMINATE|VL_DEAD))) + panic("vnode_async_list_add: %p is in wrong state", vp); + + TAILQ_INSERT_HEAD(&vnode_async_work_list, vp, v_freelist); + vp->v_listflag |= VLIST_ASYNC_WORK; + + async_work_vnodes++; + + vnode_list_unlock(); + + wakeup(&vnode_async_work_list); + +} + + /* * put the vnode on appropriate free list. * called with vnode LOCKED @@ -1521,6 +1626,8 @@ out: static void vnode_list_add(vnode_t vp) { + boolean_t need_dead_wakeup = FALSE; + #if DIAGNOSTIC lck_mtx_assert(&vp->v_lock, LCK_MTX_ASSERT_OWNED); #endif @@ -1562,7 +1669,13 @@ vnode_list_add(vnode_t vp) TAILQ_INSERT_HEAD(&vnode_dead_list, vp, v_freelist); vp->v_listflag |= VLIST_DEAD; deadvnodes++; - } else if ((vp->v_flag & VAGE)) { + + if (dead_vnode_wanted) { + dead_vnode_wanted--; + need_dead_wakeup = TRUE; + } + + } else if ( (vp->v_flag & VAGE) ) { TAILQ_INSERT_HEAD(&vnode_free_list, vp, v_freelist); vp->v_flag &= ~VAGE; freevnodes++; @@ -1572,6 +1685,9 @@ vnode_list_add(vnode_t vp) } } vnode_list_unlock(); + + if (need_dead_wakeup == TRUE) + wakeup_one((caddr_t)&dead_vnode_wanted); } @@ -1592,6 +1708,8 @@ vnode_list_remove_locked(vnode_t vp) VREMRAGE("vnode_list_remove", vp); else if (vp->v_listflag & VLIST_DEAD) VREMDEAD("vnode_list_remove", vp); + else if (vp->v_listflag & VLIST_ASYNC_WORK) + VREMASYNC_WORK("vnode_list_remove", vp); else VREMFREE("vnode_list_remove", vp); } @@ -1659,6 +1777,7 @@ vnode_rele_ext(vnode_t vp, int fmode, int dont_reenter) void vnode_rele_internal(vnode_t vp, int fmode, int dont_reenter, int locked) { + if ( !locked) vnode_lock_spin(vp); #if DIAGNOSTIC @@ -1689,9 +1808,7 @@ vnode_rele_internal(vnode_t vp, int fmode, int dont_reenter, int locked) vp->v_lflag |= VL_NEEDINACTIVE; vp->v_flag &= ~(VNOCACHE_DATA | VRAOFF | VOPENEVT); } - if ( !locked) - vnode_unlock(vp); - return; + goto done; } vp->v_flag &= ~(VNOCACHE_DATA | VRAOFF | VOPENEVT); @@ -1704,14 +1821,19 @@ vnode_rele_internal(vnode_t vp, int fmode, int dont_reenter, int locked) * if it's been marked for termination */ if (dont_reenter) { - if ( !(vp->v_lflag & (VL_TERMINATE | VL_DEAD | VL_MARKTERM)) ) + if ( !(vp->v_lflag & (VL_TERMINATE | VL_DEAD | VL_MARKTERM)) ) { vp->v_lflag |= VL_NEEDINACTIVE; - vp->v_flag |= VAGE; + + if (vnode_on_reliable_media(vp) == FALSE) { + vnode_async_list_add(vp); + goto done; + } + } + vp->v_flag |= VAGE; } vnode_list_add(vp); - if ( !locked) - vnode_unlock(vp); - return; + + goto done; } /* * at this point both the iocount and usecount @@ -1746,15 +1868,22 @@ vnode_rele_internal(vnode_t vp, int fmode, int dont_reenter, int locked) if (ut->uu_defer_reclaims) { vp->v_defer_reclaimlist = ut->uu_vreclaims; - ut->uu_vreclaims = vp; - goto defer_reclaim; + ut->uu_vreclaims = vp; + goto done; } vnode_lock_convert(vp); vnode_reclaim_internal(vp, 1, 1, 0); } vnode_dropiocount(vp); vnode_list_add(vp); -defer_reclaim: +done: + if (vp->v_usecount == 0 && vp->v_type == VREG && !(vp->v_flag & VSYSTEM)) { + + if (vp->v_ubcinfo) { + vnode_lock_convert(vp); + memory_object_mark_unused(vp->v_ubcinfo->ui_control, (vp->v_flag & VRAGE) == VRAGE); + } + } if ( !locked) vnode_unlock(vp); return; @@ -1901,6 +2030,7 @@ loop: #ifdef JOE_DEBUG record_vp(vp, 1); #endif + vnode_abort_advlocks(vp); vnode_reclaim_internal(vp, 1, 1, 0); vnode_dropiocount(vp); vnode_list_add(vp); @@ -2020,13 +2150,13 @@ vclean(vnode_t vp, int flags) #endif { VNOP_FSYNC(vp, MNT_WAIT, ctx); - buf_invalidateblks(vp, BUF_WRITE_DATA, 0, 0); + buf_invalidateblks(vp, BUF_WRITE_DATA | BUF_INVALIDATE_LOCKED, 0, 0); } if (UBCINFOEXISTS(vp)) /* * Clean the pages in VM. */ - (void)ubc_sync_range(vp, (off_t)0, ubc_getsize(vp), UBC_PUSHALL); + (void)ubc_msync(vp, (off_t)0, ubc_getsize(vp), NULL, UBC_PUSHALL | UBC_INVALIDATE | UBC_SYNC); } if (active || need_inactive) VNOP_INACTIVE(vp, ctx); @@ -2061,6 +2191,14 @@ vclean(vnode_t vp, int flags) */ ubc_destroy_named(vp); +#if CONFIG_TRIGGERS + /* + * cleanup trigger info from vnode (if any) + */ + if (vp->v_resolve) + vnode_resolver_detach(vp); +#endif + /* * Reclaim the vnode. */ @@ -2290,7 +2428,7 @@ vcount(vnode_t vp) loop: if (!vnode_isaliased(vp)) - return (vp->v_usecount - vp->v_kusecount); + return (vp->v_specinfo->si_opencount); count = 0; SPECHASH_LOCK(); @@ -2321,7 +2459,7 @@ loop: vnode_unlock(vq); goto loop; } - count += (vq->v_usecount - vq->v_kusecount); + count += vq->v_specinfo->si_opencount; } vnode_unlock(vq); @@ -2587,6 +2725,10 @@ vfs_sysctl(int *name, u_int namelen, user_addr_t oldp, size_t *oldlenp, int error; struct vfsconf vfsc; + if (namelen > CTL_MAXNAME) { + return (EINVAL); + } + /* All non VFS_GENERIC and in VFS_GENERIC, * VFS_MAXTYPENUM, VFS_CONF, VFS_SET_PACKAGE_EXTS * needs to have root priv to have modifiers. @@ -2675,6 +2817,7 @@ vfs_sysctl(int *name, u_int namelen, user_addr_t oldp, size_t *oldlenp, * We need to get back into the general MIB, so we need to re-prepend * CTL_VFS to our name and try userland_sysctl(). */ + usernamelen = namelen + 1; MALLOC(username, int *, usernamelen * sizeof(*username), M_TEMP, M_WAITOK); @@ -2699,7 +2842,7 @@ sysctl_vnode } SYSCTL_PROC(_kern, KERN_VNODE, vnode, - CTLTYPE_STRUCT | CTLFLAG_RD | CTLFLAG_MASKED, + CTLTYPE_STRUCT | CTLFLAG_RD | CTLFLAG_MASKED | CTLFLAG_LOCKED, 0, 0, sysctl_vnode, "S,", ""); @@ -2793,6 +2936,8 @@ vnode_pager_vrele(vnode_t vp) #include +u_int32_t rootunit = (u_int32_t)-1; + errno_t vfs_init_io_attributes(vnode_t devvp, mount_t mp) { @@ -2811,26 +2956,27 @@ vfs_init_io_attributes(vnode_t devvp, mount_t mp) u_int64_t temp; u_int32_t features; vfs_context_t ctx = vfs_context_current(); - + int isssd = 0; int isvirtual = 0; + + + VNOP_IOCTL(devvp, DKIOCGETTHROTTLEMASK, (caddr_t)&mp->mnt_throttle_mask, 0, NULL); /* - * determine if this mount point exists on the same device as the root - * partition... if so, then it comes under the hard throttle control + * as a reasonable approximation, only use the lowest bit of the mask + * to generate a disk unit number */ - int thisunit = -1; - static int rootunit = -1; + mp->mnt_devbsdunit = num_trailing_0(mp->mnt_throttle_mask); - if (rootunit == -1) { - if (VNOP_IOCTL(rootvp, DKIOCGETBSDUNIT, (caddr_t)&rootunit, 0, ctx)) - rootunit = -1; - else if (rootvp == devvp) - mp->mnt_kern_flag |= MNTK_ROOTDEV; - } - if (devvp != rootvp && rootunit != -1) { - if (VNOP_IOCTL(devvp, DKIOCGETBSDUNIT, (caddr_t)&thisunit, 0, ctx) == 0) { - if (thisunit == rootunit) - mp->mnt_kern_flag |= MNTK_ROOTDEV; - } + if (devvp == rootvp) + rootunit = mp->mnt_devbsdunit; + + if (mp->mnt_devbsdunit == rootunit) { + /* + * this mount point exists on the same device as the root + * partition, so it comes under the hard throttle control... + * this is true even for the root mount point itself + */ + mp->mnt_kern_flag |= MNTK_ROOTDEV; } /* * force the spec device to re-cache @@ -2860,7 +3006,10 @@ vfs_init_io_attributes(vnode_t devvp, mount_t mp) if (isvirtual) mp->mnt_kern_flag |= MNTK_VIRTUALDEV; } - + if (VNOP_IOCTL(devvp, DKIOCISSOLIDSTATE, (caddr_t)&isssd, 0, ctx) == 0) { + if (isssd) + mp->mnt_kern_flag |= MNTK_SSD; + } if ((error = VNOP_IOCTL(devvp, DKIOCGETFEATURES, (caddr_t)&features, 0, ctx))) return (error); @@ -2980,6 +3129,9 @@ vfs_init_io_attributes(vnode_t devvp, mount_t mp) if (features & DK_FEATURE_FORCE_UNIT_ACCESS) mp->mnt_ioflags |= MNT_IOFLAGS_FUA_SUPPORTED; + if (features & DK_FEATURE_UNMAP) + mp->mnt_ioflags |= MNT_IOFLAGS_UNMAP_SUPPORTED; + return (error); } @@ -2997,8 +3149,20 @@ vfs_event_init(void) } void -vfs_event_signal(__unused fsid_t *fsid, u_int32_t event, __unused intptr_t data) -{ +vfs_event_signal(fsid_t *fsid, u_int32_t event, intptr_t data) +{ + if (event == VQ_DEAD || event == VQ_NOTRESP) { + struct mount *mp = vfs_getvfs(fsid); + if (mp) { + mount_lock_spin(mp); + if (data) + mp->mnt_kern_flag &= ~MNT_LNOTRESP; // Now responding + else + mp->mnt_kern_flag |= MNT_LNOTRESP; // Not responding + mount_unlock(mp); + } + } + lck_mtx_lock(fs_klist_lock); KNOTE(&fs_klist, event); lck_mtx_unlock(fs_klist_lock); @@ -3237,7 +3401,11 @@ sysctl_vfs_ctlbyfsid(__unused struct sysctl_oid *oidp, void *arg1, int arg2, sfs.f_fsid = sp->f_fsid; sfs.f_owner = sp->f_owner; - strlcpy(sfs.f_fstypename, sp->f_fstypename, MFSNAMELEN); + if (mp->mnt_kern_flag & MNTK_TYPENAME_OVERRIDE) { + strlcpy(&sfs.f_fstypename[0], &mp->fstypename_override[0], MFSTYPENAMELEN); + } else { + strlcpy(sfs.f_fstypename, sp->f_fstypename, MFSNAMELEN); + } strlcpy(sfs.f_mntonname, sp->f_mntonname, MNAMELEN); strlcpy(sfs.f_mntfromname, sp->f_mntfromname, MNAMELEN); @@ -3291,7 +3459,11 @@ sysctl_vfs_ctlbyfsid(__unused struct sysctl_oid *oidp, void *arg1, int arg2, sfs.f_fsid = sp->f_fsid; sfs.f_owner = sp->f_owner; - strlcpy(sfs.f_fstypename, sp->f_fstypename, MFSNAMELEN); + if (mp->mnt_kern_flag & MNTK_TYPENAME_OVERRIDE) { + strlcpy(&sfs.f_fstypename[0], &mp->fstypename_override[0], MFSTYPENAMELEN); + } else { + strlcpy(sfs.f_fstypename, sp->f_fstypename, MFSNAMELEN); + } strlcpy(sfs.f_mntonname, sp->f_mntonname, MNAMELEN); strlcpy(sfs.f_mntfromname, sp->f_mntfromname, MNAMELEN); @@ -3398,52 +3570,186 @@ sysctl_vfs_noremotehang(__unused struct sysctl_oid *oidp, } /* the vfs.generic. branch. */ -SYSCTL_NODE(_vfs, VFS_GENERIC, generic, CTLFLAG_RW|CTLFLAG_LOCKED, NULL, "vfs generic hinge"); +SYSCTL_NODE(_vfs, VFS_GENERIC, generic, CTLFLAG_RW | CTLFLAG_LOCKED, NULL, "vfs generic hinge"); /* retreive a list of mounted filesystem fsid_t */ -SYSCTL_PROC(_vfs_generic, OID_AUTO, vfsidlist, CTLFLAG_RD, +SYSCTL_PROC(_vfs_generic, OID_AUTO, vfsidlist, CTLFLAG_RD | CTLFLAG_LOCKED, NULL, 0, sysctl_vfs_vfslist, "S,fsid", "List of mounted filesystem ids"); /* perform operations on filesystem via fsid_t */ -SYSCTL_NODE(_vfs_generic, OID_AUTO, ctlbyfsid, CTLFLAG_RW|CTLFLAG_LOCKED, +SYSCTL_NODE(_vfs_generic, OID_AUTO, ctlbyfsid, CTLFLAG_RW | CTLFLAG_LOCKED, sysctl_vfs_ctlbyfsid, "ctlbyfsid"); -SYSCTL_PROC(_vfs_generic, OID_AUTO, noremotehang, CTLFLAG_RW|CTLFLAG_ANYBODY, +SYSCTL_PROC(_vfs_generic, OID_AUTO, noremotehang, CTLFLAG_RW | CTLFLAG_ANYBODY, NULL, 0, sysctl_vfs_noremotehang, "I", "noremotehang"); long num_reusedvnodes = 0; + +static vnode_t +process_vp(vnode_t vp, int want_vp, int *deferred) +{ + unsigned int vpid; + + *deferred = 0; + + vpid = vp->v_id; + + vnode_list_remove_locked(vp); + + vnode_list_unlock(); + + vnode_lock_spin(vp); + + /* + * We could wait for the vnode_lock after removing the vp from the freelist + * and the vid is bumped only at the very end of reclaim. So it is possible + * that we are looking at a vnode that is being terminated. If so skip it. + */ + if ((vpid != vp->v_id) || (vp->v_usecount != 0) || (vp->v_iocount != 0) || + VONLIST(vp) || (vp->v_lflag & VL_TERMINATE)) { + /* + * we lost the race between dropping the list lock + * and picking up the vnode_lock... someone else + * used this vnode and it is now in a new state + */ + vnode_unlock(vp); + + return (NULLVP); + } + if ( (vp->v_lflag & (VL_NEEDINACTIVE | VL_MARKTERM)) == VL_NEEDINACTIVE ) { + /* + * we did a vnode_rele_ext that asked for + * us not to reenter the filesystem during + * the release even though VL_NEEDINACTIVE was + * set... we'll do it here by doing a + * vnode_get/vnode_put + * + * pick up an iocount so that we can call + * vnode_put and drive the VNOP_INACTIVE... + * vnode_put will either leave us off + * the freelist if a new ref comes in, + * or put us back on the end of the freelist + * or recycle us if we were marked for termination... + * so we'll just go grab a new candidate + */ + vp->v_iocount++; +#ifdef JOE_DEBUG + record_vp(vp, 1); +#endif + vnode_put_locked(vp); + vnode_unlock(vp); + + return (NULLVP); + } + /* + * Checks for anyone racing us for recycle + */ + if (vp->v_type != VBAD) { + if (want_vp && vnode_on_reliable_media(vp) == FALSE) { + vnode_async_list_add(vp); + vnode_unlock(vp); + + *deferred = 1; + + return (NULLVP); + } + if (vp->v_lflag & VL_DEAD) + panic("new_vnode(%p): the vnode is VL_DEAD but not VBAD", vp); + + vnode_lock_convert(vp); + (void)vnode_reclaim_internal(vp, 1, want_vp, 0); + + if (want_vp) { + if ((VONLIST(vp))) + panic("new_vnode(%p): vp on list", vp); + if (vp->v_usecount || vp->v_iocount || vp->v_kusecount || + (vp->v_lflag & (VNAMED_UBC | VNAMED_MOUNT | VNAMED_FSHASH))) + panic("new_vnode(%p): free vnode still referenced", vp); + if ((vp->v_mntvnodes.tqe_prev != 0) && (vp->v_mntvnodes.tqe_next != 0)) + panic("new_vnode(%p): vnode seems to be on mount list", vp); + if ( !LIST_EMPTY(&vp->v_nclinks) || !LIST_EMPTY(&vp->v_ncchildren)) + panic("new_vnode(%p): vnode still hooked into the name cache", vp); + } else { + vnode_unlock(vp); + vp = NULLVP; + } + } + return (vp); +} + + + +static void +async_work_continue(void) +{ + struct async_work_lst *q; + int deferred; + vnode_t vp; + + q = &vnode_async_work_list; + + for (;;) { + + vnode_list_lock(); + + if ( TAILQ_EMPTY(q) ) { + assert_wait(q, (THREAD_UNINT)); + + vnode_list_unlock(); + + thread_block((thread_continue_t)async_work_continue); + + continue; + } + async_work_handled++; + + vp = TAILQ_FIRST(q); + + vp = process_vp(vp, 0, &deferred); + + if (vp != NULLVP) + panic("found VBAD vp (%p) on async queue", vp); + } +} + + static int new_vnode(vnode_t *vpp) { vnode_t vp; - int retries = 0; /* retry incase of tablefull */ + uint32_t retries = 0, max_retries = 100; /* retry incase of tablefull */ int force_alloc = 0, walk_count = 0; - unsigned int vpid; - struct timespec ts; + boolean_t need_reliable_vp = FALSE; + int deferred; + struct timeval initial_tv; struct timeval current_tv; -#ifndef __LP64__ +#if CONFIG_VFS_FUNNEL struct unsafe_fsnode *l_unsafefs = 0; -#endif /* __LP64__ */ +#endif /* CONFIG_VFS_FUNNEL */ proc_t curproc = current_proc(); + initial_tv.tv_sec = 0; retry: - microuptime(¤t_tv); - vp = NULLVP; vnode_list_lock(); - if ( !TAILQ_EMPTY(&vnode_dead_list)) { - /* - * Can always reuse a dead one + if (need_reliable_vp == TRUE) + async_work_timed_out++; + + if ((numvnodes - deadvnodes) < desiredvnodes || force_alloc) { + struct timespec ts; + + if ( !TAILQ_EMPTY(&vnode_dead_list)) { + /* + * Can always reuse a dead one + */ + vp = TAILQ_FIRST(&vnode_dead_list); + goto steal_this_vp; + } + /* + * no dead vnodes available... if we're under + * the limit, we'll create a new vnode */ - vp = TAILQ_FIRST(&vnode_dead_list); - goto steal_this_vp; - } - /* - * no dead vnodes available... if we're under - * the limit, we'll create a new vnode - */ - if (numvnodes < desiredvnodes || force_alloc) { numvnodes++; vnode_list_unlock(); @@ -3465,6 +3771,7 @@ retry: vp->v_iocount = 1; goto done; } + microuptime(¤t_tv); #define MAX_WALK_COUNT 1000 @@ -3473,25 +3780,38 @@ retry: (current_tv.tv_sec - rage_tv.tv_sec) >= RAGE_TIME_LIMIT)) { TAILQ_FOREACH(vp, &vnode_rage_list, v_freelist) { - if ( !(vp->v_listflag & VLIST_RAGE)) - panic("new_vnode: vp (%p) on RAGE list not marked VLIST_RAGE", vp); - - // if we're a dependency-capable process, skip vnodes that can - // cause recycling deadlocks. (i.e. this process is diskimages - // helper and the vnode is in a disk image). - // - if ((curproc->p_flag & P_DEPENDENCY_CAPABLE) == 0 || vp->v_mount == NULL || vp->v_mount->mnt_dependent_process == NULL) { - break; - } + if ( !(vp->v_listflag & VLIST_RAGE)) + panic("new_vnode: vp (%p) on RAGE list not marked VLIST_RAGE", vp); + + // if we're a dependency-capable process, skip vnodes that can + // cause recycling deadlocks. (i.e. this process is diskimages + // helper and the vnode is in a disk image). Querying the + // mnt_kern_flag for the mount's virtual device status + // is safer than checking the mnt_dependent_process, which + // may not be updated if there are multiple devnode layers + // in between the disk image and the final consumer. + + if ((curproc->p_flag & P_DEPENDENCY_CAPABLE) == 0 || vp->v_mount == NULL || + (vp->v_mount->mnt_kern_flag & MNTK_VIRTUALDEV) == 0) { + /* + * if need_reliable_vp == TRUE, then we've already sent one or more + * non-reliable vnodes to the async thread for processing and timed + * out waiting for a dead vnode to show up. Use the MAX_WALK_COUNT + * mechanism to first scan for a reliable vnode before forcing + * a new vnode to be created + */ + if (need_reliable_vp == FALSE || vnode_on_reliable_media(vp) == TRUE) + break; + } - // don't iterate more than MAX_WALK_COUNT vnodes to - // avoid keeping the vnode list lock held for too long. - if (walk_count++ > MAX_WALK_COUNT) { - vp = NULL; - break; - } - } + // don't iterate more than MAX_WALK_COUNT vnodes to + // avoid keeping the vnode list lock held for too long. + if (walk_count++ > MAX_WALK_COUNT) { + vp = NULL; + break; + } + } } if (vp == NULL && !TAILQ_EMPTY(&vnode_free_list)) { @@ -3500,22 +3820,36 @@ retry: */ walk_count = 0; TAILQ_FOREACH(vp, &vnode_free_list, v_freelist) { - // if we're a dependency-capable process, skip vnodes that can - // cause recycling deadlocks. (i.e. this process is diskimages - // helper and the vnode is in a disk image) - // - if ((curproc->p_flag & P_DEPENDENCY_CAPABLE) == 0 || vp->v_mount == NULL || vp->v_mount->mnt_dependent_process == NULL) { - break; - } - // don't iterate more than MAX_WALK_COUNT vnodes to - // avoid keeping the vnode list lock held for too long. - if (walk_count++ > MAX_WALK_COUNT) { - vp = NULL; - break; - } - } + // if we're a dependency-capable process, skip vnodes that can + // cause recycling deadlocks. (i.e. this process is diskimages + // helper and the vnode is in a disk image). Querying the + // mnt_kern_flag for the mount's virtual device status + // is safer than checking the mnt_dependent_process, which + // may not be updated if there are multiple devnode layers + // in between the disk image and the final consumer. + + if ((curproc->p_flag & P_DEPENDENCY_CAPABLE) == 0 || vp->v_mount == NULL || + (vp->v_mount->mnt_kern_flag & MNTK_VIRTUALDEV) == 0) { + /* + * if need_reliable_vp == TRUE, then we've already sent one or more + * non-reliable vnodes to the async thread for processing and timed + * out waiting for a dead vnode to show up. Use the MAX_WALK_COUNT + * mechanism to first scan for a reliable vnode before forcing + * a new vnode to be created + */ + if (need_reliable_vp == FALSE || vnode_on_reliable_media(vp) == TRUE) + break; + } + // don't iterate more than MAX_WALK_COUNT vnodes to + // avoid keeping the vnode list lock held for too long. + + if (walk_count++ > MAX_WALK_COUNT) { + vp = NULL; + break; + } + } } // @@ -3528,9 +3862,9 @@ retry: // the allocation. // if (vp == NULL && walk_count >= MAX_WALK_COUNT) { - force_alloc = 1; - vnode_list_unlock(); - goto retry; + force_alloc = 1; + vnode_list_unlock(); + goto retry; } if (vp == NULL) { @@ -3538,9 +3872,9 @@ retry: * we've reached the system imposed maximum number of vnodes * but there isn't a single one available * wait a bit and then retry... if we can't get a vnode - * after 100 retries, than log a complaint + * after our target number of retries, than log a complaint */ - if (++retries <= 100) { + if (++retries <= max_retries) { vnode_list_unlock(); delay_for_interval(1, 1000 * 1000); goto retry; @@ -3551,12 +3885,12 @@ retry: log(LOG_EMERG, "%d desired, %d numvnodes, " "%d free, %d dead, %d rage\n", desiredvnodes, numvnodes, freevnodes, deadvnodes, ragevnodes); -#if CONFIG_EMBEDDED +#if CONFIG_JETSAM /* * Running out of vnodes tends to make a system unusable. Start killing * processes that jetsam knows are killable. */ - if (jetsam_kill_top_proc() < 0) { + if (memorystatus_kill_top_proc(TRUE, kMemorystatusFlagsKilledVnodes) < 0) { /* * If jetsam can't find any more processes to kill and there * still aren't any free vnodes, panic. Hopefully we'll get a @@ -3565,7 +3899,13 @@ retry: panic("vnode table is full\n"); } - delay_for_interval(1, 1000 * 1000); + /* + * Now that we've killed someone, wait a bit and continue looking + * (with fewer retries before trying another kill). + */ + delay_for_interval(3, 1000 * 1000); + retries = 0; + max_retries = 10; goto retry; #endif @@ -3573,80 +3913,66 @@ retry: return (ENFILE); } steal_this_vp: - vpid = vp->v_id; + if ((vp = process_vp(vp, 1, &deferred)) == NULLVP) { + if (deferred) { + int elapsed_msecs; + struct timeval elapsed_tv; - vnode_list_remove_locked(vp); + if (initial_tv.tv_sec == 0) + microuptime(&initial_tv); - vnode_list_unlock(); + vnode_list_lock(); - vnode_lock_spin(vp); + dead_vnode_waited++; + dead_vnode_wanted++; - /* - * We could wait for the vnode_lock after removing the vp from the freelist - * and the vid is bumped only at the very end of reclaim. So it is possible - * that we are looking at a vnode that is being terminated. If so skip it. - */ - if ((vpid != vp->v_id) || (vp->v_usecount != 0) || (vp->v_iocount != 0) || - VONLIST(vp) || (vp->v_lflag & VL_TERMINATE)) { - /* - * we lost the race between dropping the list lock - * and picking up the vnode_lock... someone else - * used this vnode and it is now in a new state - * so we need to go back and try again - */ - vnode_unlock(vp); - goto retry; - } - if ( (vp->v_lflag & (VL_NEEDINACTIVE | VL_MARKTERM)) == VL_NEEDINACTIVE ) { - /* - * we did a vnode_rele_ext that asked for - * us not to reenter the filesystem during - * the release even though VL_NEEDINACTIVE was - * set... we'll do it here by doing a - * vnode_get/vnode_put - * - * pick up an iocount so that we can call - * vnode_put and drive the VNOP_INACTIVE... - * vnode_put will either leave us off - * the freelist if a new ref comes in, - * or put us back on the end of the freelist - * or recycle us if we were marked for termination... - * so we'll just go grab a new candidate - */ - vp->v_iocount++; -#ifdef JOE_DEBUG - record_vp(vp, 1); -#endif - vnode_put_locked(vp); - vnode_unlock(vp); + /* + * note that we're only going to explicitly wait 10ms + * for a dead vnode to become available, since even if one + * isn't available, a reliable vnode might now be available + * at the head of the VRAGE or free lists... if so, we + * can satisfy the new_vnode request with less latency then waiting + * for the full 100ms duration we're ultimately willing to tolerate + */ + assert_wait_timeout((caddr_t)&dead_vnode_wanted, (THREAD_INTERRUPTIBLE), 10000, NSEC_PER_USEC); + + vnode_list_unlock(); + + thread_block(THREAD_CONTINUE_NULL); + + microuptime(&elapsed_tv); + + timevalsub(&elapsed_tv, &initial_tv); + elapsed_msecs = elapsed_tv.tv_sec * 1000 + elapsed_tv.tv_usec / 1000; + + if (elapsed_msecs >= 100) { + /* + * we've waited long enough... 100ms is + * somewhat arbitrary for this case, but the + * normal worst case latency used for UI + * interaction is 100ms, so I've chosen to + * go with that. + * + * setting need_reliable_vp to TRUE + * forces us to find a reliable vnode + * that we can process synchronously, or + * to create a new one if the scan for + * a reliable one hits the scan limit + */ + need_reliable_vp = TRUE; + } + } goto retry; } OSAddAtomicLong(1, &num_reusedvnodes); - /* Checks for anyone racing us for recycle */ - if (vp->v_type != VBAD) { - if (vp->v_lflag & VL_DEAD) - panic("new_vnode(%p): the vnode is VL_DEAD but not VBAD", vp); - vnode_lock_convert(vp); - (void)vnode_reclaim_internal(vp, 1, 1, 0); - - if ((VONLIST(vp))) - panic("new_vnode(%p): vp on list", vp); - if (vp->v_usecount || vp->v_iocount || vp->v_kusecount || - (vp->v_lflag & (VNAMED_UBC | VNAMED_MOUNT | VNAMED_FSHASH))) - panic("new_vnode(%p): free vnode still referenced", vp); - if ((vp->v_mntvnodes.tqe_prev != 0) && (vp->v_mntvnodes.tqe_next != 0)) - panic("new_vnode(%p): vnode seems to be on mount list", vp); - if ( !LIST_EMPTY(&vp->v_nclinks) || !LIST_EMPTY(&vp->v_ncchildren)) - panic("new_vnode(%p): vnode still hooked into the name cache", vp); - } -#ifndef __LP64__ +#if CONFIG_VFS_FUNNEL if (vp->v_unsafefs) { l_unsafefs = vp->v_unsafefs; vp->v_unsafefs = (struct unsafe_fsnode *)NULL; } -#endif /* __LP64__ */ +#endif /* CONFIG_VFS_FUNNEL */ #if CONFIG_MACF /* @@ -3677,12 +4003,12 @@ steal_this_vp: vnode_unlock(vp); -#ifndef __LP64__ +#if CONFIG_VFS_FUNNEL if (l_unsafefs) { lck_mtx_destroy(&l_unsafefs->fsnodelock, vnode_lck_grp); FREE_ZONE((void *)l_unsafefs, sizeof(struct unsafe_fsnode), M_UNSAFEFS); } -#endif /* __LP64__ */ +#endif /* CONFIG_VFS_FUNNEL */ done: *vpp = vp; @@ -3738,10 +4064,27 @@ vnode_get_locked(struct vnode *vp) return (0); } +/* + * vnode_getwithvid() cuts in line in front of a vnode drain (that is, + * while the vnode is draining, but at no point after that) to prevent + * deadlocks when getting vnodes from filesystem hashes while holding + * resources that may prevent other iocounts from being released. + */ int vnode_getwithvid(vnode_t vp, uint32_t vid) { - return(vget_internal(vp, vid, ( VNODE_NODEAD| VNODE_WITHID))); + return(vget_internal(vp, vid, ( VNODE_NODEAD | VNODE_WITHID | VNODE_DRAINO ))); +} + +/* + * vnode_getwithvid_drainok() is like vnode_getwithvid(), but *does* block behind a vnode + * drain; it exists for use in the VFS name cache, where we really do want to block behind + * vnode drain to prevent holding off an unmount. + */ +int +vnode_getwithvid_drainok(vnode_t vp, uint32_t vid) +{ + return(vget_internal(vp, vid, ( VNODE_NODEAD | VNODE_WITHID ))); } int @@ -3785,7 +4128,7 @@ retry: vnode_dropiocount(vp); return(0); } - if ((vp->v_lflag & (VL_MARKTERM | VL_TERMINATE | VL_DEAD | VL_NEEDINACTIVE)) == VL_NEEDINACTIVE) { + if ((vp->v_lflag & (VL_DEAD | VL_NEEDINACTIVE)) == VL_NEEDINACTIVE) { vp->v_lflag &= ~VL_NEEDINACTIVE; vnode_unlock(vp); @@ -3891,6 +4234,18 @@ vnode_suspend(vnode_t vp) return(0); } +/* + * Release any blocked locking requests on the vnode. + * Used for forced-unmounts. + * + * XXX What about network filesystems? + */ +static void +vnode_abort_advlocks(vnode_t vp) +{ + if (vp->v_flag & VLOCKLOCAL) + lf_abort_advlocks(vp); +} static errno_t @@ -3898,7 +4253,7 @@ vnode_drain(vnode_t vp) { if (vp->v_lflag & VL_DRAIN) { - panic("vnode_drain: recursuve drain"); + panic("vnode_drain: recursive drain"); return(ENOENT); } vp->v_lflag |= VL_DRAIN; @@ -3906,13 +4261,16 @@ vnode_drain(vnode_t vp) while (vp->v_iocount > 1) msleep(&vp->v_iocount, &vp->v_lock, PVFS, "vnode_drain", NULL); + + vp->v_lflag &= ~VL_DRAIN; + return(0); } /* * if the number of recent references via vnode_getwithvid or vnode_getwithref - * exceeds this threshhold, than 'UN-AGE' the vnode by removing it from + * exceeds this threshold, than 'UN-AGE' the vnode by removing it from * the LRU list if it's currently on it... once the iocount and usecount both drop * to 0, it will get put back on the end of the list, effectively making it younger * this allows us to keep actively referenced vnodes in the list without having @@ -3921,12 +4279,13 @@ vnode_drain(vnode_t vp) */ #define UNAGE_THRESHHOLD 25 -static errno_t +errno_t vnode_getiocount(vnode_t vp, unsigned int vid, int vflags) { int nodead = vflags & VNODE_NODEAD; int nosusp = vflags & VNODE_NOSUSPEND; int always = vflags & VNODE_ALWAYS; + int beatdrain = vflags & VNODE_DRAINO; for (;;) { /* @@ -3958,6 +4317,18 @@ vnode_getiocount(vnode_t vp, unsigned int vid, int vflags) if (always != 0) break; + + /* + * In some situations, we want to get an iocount + * even if the vnode is draining to prevent deadlock, + * e.g. if we're in the filesystem, potentially holding + * resources that could prevent other iocounts from + * being released. + */ + if (beatdrain && (vp->v_lflag & VL_DRAIN)) { + break; + } + vnode_lock_convert(vp); if (vp->v_lflag & VL_TERMINATE) { @@ -3967,7 +4338,7 @@ vnode_getiocount(vnode_t vp, unsigned int vid, int vflags) } else msleep(&vp->v_iocount, &vp->v_lock, PVFS, "vnode_getiocount", NULL); } - if (vid != vp->v_id) { + if (((vflags & VNODE_WITHID) != 0) && vid != vp->v_id) { return(ENOENT); } if (++vp->v_references >= UNAGE_THRESHHOLD) { @@ -4071,7 +4442,6 @@ vnode_reclaim_internal(struct vnode * vp, int locked, int reuse, int flags) vp->v_socket = NULL; vp->v_lflag &= ~VL_TERMINATE; - vp->v_lflag &= ~VL_DRAIN; vp->v_owner = NULL; KNOTE(&vp->v_knotes, NOTE_REVOKE); @@ -4098,7 +4468,6 @@ vnode_reclaim_internal(struct vnode * vp, int locked, int reuse, int flags) * The following api creates a vnode and associates all the parameter specified in vnode_fsparam * structure and returns a vnode handle with a reference. device aliasing is handled here so checkalias * is obsoleted by this. - * vnode_create(int flavor, size_t size, void * param, vnode_t *vp) */ int vnode_create(uint32_t flavor, uint32_t size, void *data, vnode_t *vpp) @@ -4111,159 +4480,223 @@ vnode_create(uint32_t flavor, uint32_t size, void *data, vnode_t *vpp) struct uthread *ut; struct componentname *cnp; struct vnode_fsparam *param = (struct vnode_fsparam *)data; - - if (flavor == VNCREATE_FLAVOR && (size == VCREATESIZE) && param) { - if ( (error = new_vnode(&vp)) ) { - return(error); - } else { - dvp = param->vnfs_dvp; - cnp = param->vnfs_cnp; +#if CONFIG_TRIGGERS + struct vnode_trigger_param *tinfo = NULL; +#endif + if (param == NULL) + return (EINVAL); - vp->v_op = param->vnfs_vops; - vp->v_type = param->vnfs_vtype; - vp->v_data = param->vnfs_fsnode; + /* Do quick sanity check on the parameters */ + if (param->vnfs_vtype == VBAD) { + return (EINVAL); + } + +#if CONFIG_TRIGGERS + if ((flavor == VNCREATE_TRIGGER) && (size == VNCREATE_TRIGGER_SIZE)) { + tinfo = (struct vnode_trigger_param *)data; + + /* Validate trigger vnode input */ + if ((param->vnfs_vtype != VDIR) || + (tinfo->vnt_resolve_func == NULL) || + (tinfo->vnt_flags & ~VNT_VALID_MASK)) { + return (EINVAL); + } + /* Fall through a normal create (params will be the same) */ + flavor = VNCREATE_FLAVOR; + size = VCREATESIZE; + } +#endif + if ((flavor != VNCREATE_FLAVOR) || (size != VCREATESIZE)) + return (EINVAL); + + if ( (error = new_vnode(&vp)) ) + return(error); - if (param->vnfs_markroot) - vp->v_flag |= VROOT; - if (param->vnfs_marksystem) - vp->v_flag |= VSYSTEM; - if (vp->v_type == VREG) { - error = ubc_info_init_withsize(vp, param->vnfs_filesize); - if (error) { + dvp = param->vnfs_dvp; + cnp = param->vnfs_cnp; + + vp->v_op = param->vnfs_vops; + vp->v_type = param->vnfs_vtype; + vp->v_data = param->vnfs_fsnode; + + if (param->vnfs_markroot) + vp->v_flag |= VROOT; + if (param->vnfs_marksystem) + vp->v_flag |= VSYSTEM; + if (vp->v_type == VREG) { + error = ubc_info_init_withsize(vp, param->vnfs_filesize); + if (error) { #ifdef JOE_DEBUG - record_vp(vp, 1); + record_vp(vp, 1); #endif - vp->v_mount = NULL; - vp->v_op = dead_vnodeop_p; - vp->v_tag = VT_NON; - vp->v_data = NULL; - vp->v_type = VBAD; - vp->v_lflag |= VL_DEAD; - - vnode_put(vp); - return(error); - } - } + vp->v_mount = NULL; + vp->v_op = dead_vnodeop_p; + vp->v_tag = VT_NON; + vp->v_data = NULL; + vp->v_type = VBAD; + vp->v_lflag |= VL_DEAD; + + vnode_put(vp); + return(error); + } + } +#ifdef JOE_DEBUG + record_vp(vp, 1); +#endif + +#if CONFIG_TRIGGERS + /* + * For trigger vnodes, attach trigger info to vnode + */ + if ((vp->v_type == VDIR) && (tinfo != NULL)) { + /* + * Note: has a side effect of incrementing trigger count on the + * mount if successful, which we would need to undo on a + * subsequent failure. + */ +#ifdef JOE_DEBUG + record_vp(vp, -1); +#endif + error = vnode_resolver_create(param->vnfs_mp, vp, tinfo, FALSE); + if (error) { + printf("vnode_create: vnode_resolver_create() err %d\n", error); + vp->v_mount = NULL; + vp->v_op = dead_vnodeop_p; + vp->v_tag = VT_NON; + vp->v_data = NULL; + vp->v_type = VBAD; + vp->v_lflag |= VL_DEAD; #ifdef JOE_DEBUG record_vp(vp, 1); #endif - if (vp->v_type == VCHR || vp->v_type == VBLK) { - - vp->v_tag = VT_DEVFS; /* callers will reset if needed (bdevvp) */ - - if ( (nvp = checkalias(vp, param->vnfs_rdev)) ) { - /* - * if checkalias returns a vnode, it will be locked - * - * first get rid of the unneeded vnode we acquired - */ - vp->v_data = NULL; - vp->v_op = spec_vnodeop_p; - vp->v_type = VBAD; - vp->v_lflag = VL_DEAD; - vp->v_data = NULL; - vp->v_tag = VT_NON; - vnode_put(vp); + vnode_put(vp); + return (error); + } + } +#endif + if (vp->v_type == VCHR || vp->v_type == VBLK) { - /* - * switch to aliased vnode and finish - * preparing it - */ - vp = nvp; - - vclean(vp, 0); - vp->v_op = param->vnfs_vops; - vp->v_type = param->vnfs_vtype; - vp->v_data = param->vnfs_fsnode; - vp->v_lflag = 0; - vp->v_mount = NULL; - insmntque(vp, param->vnfs_mp); - insert = 0; - vnode_unlock(vp); - } - } + vp->v_tag = VT_DEVFS; /* callers will reset if needed (bdevvp) */ - if (vp->v_type == VFIFO) { - struct fifoinfo *fip; + if ( (nvp = checkalias(vp, param->vnfs_rdev)) ) { + /* + * if checkalias returns a vnode, it will be locked + * + * first get rid of the unneeded vnode we acquired + */ + vp->v_data = NULL; + vp->v_op = spec_vnodeop_p; + vp->v_type = VBAD; + vp->v_lflag = VL_DEAD; + vp->v_data = NULL; + vp->v_tag = VT_NON; + vnode_put(vp); - MALLOC(fip, struct fifoinfo *, - sizeof(*fip), M_TEMP, M_WAITOK); - bzero(fip, sizeof(struct fifoinfo )); - vp->v_fifoinfo = fip; - } - /* The file systems must pass the address of the location where - * they store the vnode pointer. When we add the vnode into the mount - * list and name cache they become discoverable. So the file system node - * must have the connection to vnode setup by then + /* + * switch to aliased vnode and finish + * preparing it */ - *vpp = vp; + vp = nvp; - /* Add fs named reference. */ - if (param->vnfs_flags & VNFS_ADDFSREF) { - vp->v_lflag |= VNAMED_FSHASH; - } - if (param->vnfs_mp) { - if (param->vnfs_mp->mnt_kern_flag & MNTK_LOCK_LOCAL) - vp->v_flag |= VLOCKLOCAL; - if (insert) { - if ((vp->v_freelist.tqe_prev != (struct vnode **)0xdeadb)) - panic("insmntque: vp on the free list\n"); - /* - * enter in mount vnode list - */ - insmntque(vp, param->vnfs_mp); - } -#ifndef __LP64__ - if ((param->vnfs_mp->mnt_vtable->vfc_vfsflags & VFC_VFSTHREADSAFE) == 0) { - MALLOC_ZONE(vp->v_unsafefs, struct unsafe_fsnode *, - sizeof(struct unsafe_fsnode), M_UNSAFEFS, M_WAITOK); - vp->v_unsafefs->fsnode_count = 0; - vp->v_unsafefs->fsnodeowner = (void *)NULL; - lck_mtx_init(&vp->v_unsafefs->fsnodelock, vnode_lck_grp, vnode_lck_attr); - } -#endif /* __LP64__ */ - } - if (dvp && vnode_ref(dvp) == 0) { - vp->v_parent = dvp; - } - if (cnp) { - if (dvp && ((param->vnfs_flags & (VNFS_NOCACHE | VNFS_CANTCACHE)) == 0)) { - /* - * enter into name cache - * we've got the info to enter it into the name cache now - * cache_enter_create will pick up an extra reference on - * the name entered into the string cache - */ - vp->v_name = cache_enter_create(dvp, vp, cnp); - } else - vp->v_name = vfs_addname(cnp->cn_nameptr, cnp->cn_namelen, cnp->cn_hash, 0); + vclean(vp, 0); + vp->v_op = param->vnfs_vops; + vp->v_type = param->vnfs_vtype; + vp->v_data = param->vnfs_fsnode; + vp->v_lflag = 0; + vp->v_mount = NULL; + insmntque(vp, param->vnfs_mp); + insert = 0; + vnode_unlock(vp); + } - if ((cnp->cn_flags & UNIONCREATED) == UNIONCREATED) - vp->v_flag |= VISUNION; - } - if ((param->vnfs_flags & VNFS_CANTCACHE) == 0) { - /* - * this vnode is being created as cacheable in the name cache - * this allows us to re-enter it in the cache - */ - vp->v_flag |= VNCACHEABLE; - } - ut = get_bsdthread_info(current_thread()); - - if ((current_proc()->p_lflag & P_LRAGE_VNODES) || - (ut->uu_flag & UT_RAGE_VNODES)) { - /* - * process has indicated that it wants any - * vnodes created on its behalf to be rapidly - * aged to reduce the impact on the cached set - * of vnodes - */ - vp->v_flag |= VRAGE; - } - return(0); + if (VCHR == vp->v_type) { + u_int maj = major(vp->v_rdev); + + if (maj < (u_int)nchrdev && + (D_TYPEMASK & cdevsw[maj].d_type) == D_TTY) + vp->v_flag |= VISTTY; + } + } + + if (vp->v_type == VFIFO) { + struct fifoinfo *fip; + + MALLOC(fip, struct fifoinfo *, + sizeof(*fip), M_TEMP, M_WAITOK); + bzero(fip, sizeof(struct fifoinfo )); + vp->v_fifoinfo = fip; + } + /* The file systems must pass the address of the location where + * they store the vnode pointer. When we add the vnode into the mount + * list and name cache they become discoverable. So the file system node + * must have the connection to vnode setup by then + */ + *vpp = vp; + + /* Add fs named reference. */ + if (param->vnfs_flags & VNFS_ADDFSREF) { + vp->v_lflag |= VNAMED_FSHASH; + } + if (param->vnfs_mp) { + if (param->vnfs_mp->mnt_kern_flag & MNTK_LOCK_LOCAL) + vp->v_flag |= VLOCKLOCAL; + if (insert) { + if ((vp->v_freelist.tqe_prev != (struct vnode **)0xdeadb)) + panic("insmntque: vp on the free list\n"); + + /* + * enter in mount vnode list + */ + insmntque(vp, param->vnfs_mp); + } +#if CONFIG_VFS_FUNNEL + if ((param->vnfs_mp->mnt_vtable->vfc_vfsflags & VFC_VFSTHREADSAFE) == 0) { + MALLOC_ZONE(vp->v_unsafefs, struct unsafe_fsnode *, + sizeof(struct unsafe_fsnode), M_UNSAFEFS, M_WAITOK); + vp->v_unsafefs->fsnode_count = 0; + vp->v_unsafefs->fsnodeowner = (void *)NULL; + lck_mtx_init(&vp->v_unsafefs->fsnodelock, vnode_lck_grp, vnode_lck_attr); } +#endif /* CONFIG_VFS_FUNNEL */ + } + if (dvp && vnode_ref(dvp) == 0) { + vp->v_parent = dvp; + } + if (cnp) { + if (dvp && ((param->vnfs_flags & (VNFS_NOCACHE | VNFS_CANTCACHE)) == 0)) { + /* + * enter into name cache + * we've got the info to enter it into the name cache now + * cache_enter_create will pick up an extra reference on + * the name entered into the string cache + */ + vp->v_name = cache_enter_create(dvp, vp, cnp); + } else + vp->v_name = vfs_addname(cnp->cn_nameptr, cnp->cn_namelen, cnp->cn_hash, 0); + + if ((cnp->cn_flags & UNIONCREATED) == UNIONCREATED) + vp->v_flag |= VISUNION; + } + if ((param->vnfs_flags & VNFS_CANTCACHE) == 0) { + /* + * this vnode is being created as cacheable in the name cache + * this allows us to re-enter it in the cache + */ + vp->v_flag |= VNCACHEABLE; + } + ut = get_bsdthread_info(current_thread()); + + if ((current_proc()->p_lflag & P_LRAGE_VNODES) || + (ut->uu_flag & UT_RAGE_VNODES)) { + /* + * process has indicated that it wants any + * vnodes created on its behalf to be rapidly + * aged to reduce the impact on the cached set + * of vnodes + */ + vp->v_flag |= VRAGE; } - return (EINVAL); + return (0); } int @@ -4293,13 +4726,14 @@ vnode_removefsref(vnode_t vp) int -vfs_iterate(__unused int flags, int (*callout)(mount_t, void *), void *arg) +vfs_iterate(int flags, int (*callout)(mount_t, void *), void *arg) { mount_t mp; int ret = 0; fsid_t * fsid_list; int count, actualcount, i; void * allocmem; + int indx_start, indx_stop, indx_incr; count = mount_getvfscnt(); count += 10; @@ -4309,7 +4743,21 @@ vfs_iterate(__unused int flags, int (*callout)(mount_t, void *), void *arg) actualcount = mount_fillfsids(fsid_list, count); - for (i=0; i< actualcount; i++) { + /* + * Establish the iteration direction + * VFS_ITERATE_TAIL_FIRST overrides default head first order (oldest first) + */ + if (flags & VFS_ITERATE_TAIL_FIRST) { + indx_start = actualcount - 1; + indx_stop = -1; + indx_incr = -1; + } else /* Head first by default */ { + indx_start = 0; + indx_stop = actualcount; + indx_incr = 1; + } + + for (i=indx_start; i != indx_stop; i += indx_incr) { /* obtain the mount point with iteration reference */ mp = mount_list_lookupby_fsid(&fsid_list[i], 0, 1); @@ -4551,7 +4999,8 @@ vnode_lookup(const char *path, int flags, vnode_t *vpp, vfs_context_t ctx) ndflags |= DOWHITEOUT; /* XXX AUDITVNPATH1 needed ? */ - NDINIT(&nd, LOOKUP, ndflags, UIO_SYSSPACE, CAST_USER_ADDR_T(path), ctx); + NDINIT(&nd, LOOKUP, OP_LOOKUP, ndflags, UIO_SYSSPACE, + CAST_USER_ADDR_T(path), ctx); if ((error = namei(&nd))) return (error); @@ -4587,7 +5036,8 @@ vnode_open(const char *path, int fmode, int cmode, int flags, vnode_t *vpp, vfs_ ndflags |= DOWHITEOUT; /* XXX AUDITVNPATH1 needed ? */ - NDINIT(&nd, LOOKUP, ndflags, UIO_SYSSPACE, CAST_USER_ADDR_T(path), ctx); + NDINIT(&nd, LOOKUP, OP_OPEN, ndflags, UIO_SYSSPACE, + CAST_USER_ADDR_T(path), ctx); if ((error = vn_open(&nd, fmode, cmode))) *vpp = NULL; @@ -4640,6 +5090,18 @@ vnode_setsize(vnode_t vp, off_t size, int ioflag, vfs_context_t ctx) return(vnode_setattr(vp, &va, ctx)); } +static int +vn_create_reg(vnode_t dvp, vnode_t *vpp, struct nameidata *ndp, struct vnode_attr *vap, uint32_t flags, int fmode, uint32_t *statusp, vfs_context_t ctx) +{ + /* Only use compound VNOP for compound operation */ + if (vnode_compound_open_available(dvp) && ((flags & VN_CREATE_DOOPEN) != 0)) { + *vpp = NULLVP; + return VNOP_COMPOUND_OPEN(dvp, vpp, ndp, VNOP_COMPOUND_OPEN_DO_CREATE, fmode, statusp, vap, ctx); + } else { + return VNOP_CREATE(dvp, vpp, &ndp->ni_cnd, vap, ctx); + } +} + /* * Create a filesystem object of arbitrary type with arbitrary attributes in * the spevied directory with the specified name. @@ -4682,70 +5144,48 @@ vnode_setsize(vnode_t vp, off_t size, int ioflag, vfs_context_t ctx) * in the code they originated. */ errno_t -vn_create(vnode_t dvp, vnode_t *vpp, struct componentname *cnp, struct vnode_attr *vap, int flags, vfs_context_t ctx) +vn_create(vnode_t dvp, vnode_t *vpp, struct nameidata *ndp, struct vnode_attr *vap, uint32_t flags, int fmode, uint32_t *statusp, vfs_context_t ctx) { - kauth_acl_t oacl, nacl; - int initial_acl; - errno_t error; + errno_t error, old_error; vnode_t vp = (vnode_t)0; + boolean_t batched; + struct componentname *cnp; + uint32_t defaulted; + cnp = &ndp->ni_cnd; error = 0; - oacl = nacl = NULL; - initial_acl = 0; + batched = namei_compound_available(dvp, ndp) ? TRUE : FALSE; KAUTH_DEBUG("%p CREATE - '%s'", dvp, cnp->cn_nameptr); + if (flags & VN_CREATE_NOINHERIT) + vap->va_vaflags |= VA_NOINHERIT; + if (flags & VN_CREATE_NOAUTH) + vap->va_vaflags |= VA_NOAUTH; /* - * Handle ACL inheritance. + * Handle ACL inheritance, initialize vap. */ - if (!(flags & VN_CREATE_NOINHERIT) && vfs_extendedsecurity(dvp->v_mount)) { - /* save the original filesec */ - if (VATTR_IS_ACTIVE(vap, va_acl)) { - initial_acl = 1; - oacl = vap->va_acl; - } - - vap->va_acl = NULL; - if ((error = kauth_acl_inherit(dvp, - oacl, - &nacl, - vap->va_type == VDIR, - ctx)) != 0) { - KAUTH_DEBUG("%p CREATE - error %d processing inheritance", dvp, error); - return(error); - } + error = vn_attribute_prepare(dvp, vap, &defaulted, ctx); + if (error) { + return error; + } - /* - * If the generated ACL is NULL, then we can save ourselves some effort - * by clearing the active bit. - */ - if (nacl == NULL) { - VATTR_CLEAR_ACTIVE(vap, va_acl); - } else { - VATTR_SET(vap, va_acl, nacl); - } + if (vap->va_type != VREG && (fmode != 0 || (flags & VN_CREATE_DOOPEN) || statusp)) { + panic("Open parameters, but not a regular file."); } - - /* - * Check and default new attributes. - * This will set va_uid, va_gid, va_mode and va_create_time at least, if the caller - * hasn't supplied them. - */ - if ((error = vnode_authattr_new(dvp, vap, flags & VN_CREATE_NOAUTH, ctx)) != 0) { - KAUTH_DEBUG("%p CREATE - error %d handing/defaulting attributes", dvp, error); - goto out; + if ((fmode != 0) && ((flags & VN_CREATE_DOOPEN) == 0)) { + panic("Mode for open, but not trying to open..."); } - /* * Create the requested node. */ switch(vap->va_type) { case VREG: - error = VNOP_CREATE(dvp, vpp, cnp, vap, ctx); + error = vn_create_reg(dvp, vpp, ndp, vap, flags, fmode, statusp, ctx); break; case VDIR: - error = VNOP_MKDIR(dvp, vpp, cnp, vap, ctx); + error = vn_mkdir(dvp, vpp, ndp, vap, ctx); break; case VSOCK: case VFIFO: @@ -4762,6 +5202,8 @@ vn_create(vnode_t dvp, vnode_t *vpp, struct componentname *cnp, struct vnode_att } vp = *vpp; + old_error = error; + #if CONFIG_MACF if (!(flags & VN_CREATE_NOLABEL)) { error = vnode_label(vnode_mount(vp), dvp, vp, cnp, VNODE_LABEL_CREATE, ctx); @@ -4781,24 +5223,22 @@ vn_create(vnode_t dvp, vnode_t *vpp, struct componentname *cnp, struct vnode_att #if CONFIG_MACF error: #endif - if ((error != 0 ) && (vp != (vnode_t)0)) { - *vpp = (vnode_t) 0; - vnode_put(vp); + if ((error != 0) && (vp != (vnode_t)0)) { + + /* If we've done a compound open, close */ + if (batched && (old_error == 0) && (vap->va_type == VREG)) { + VNOP_CLOSE(vp, fmode, ctx); + } + + /* Need to provide notifications if a create succeeded */ + if (!batched) { + *vpp = (vnode_t) 0; + vnode_put(vp); + } } out: - /* - * If the caller supplied a filesec in vap, it has been replaced - * now by the post-inheritance copy. We need to put the original back - * and free the inherited product. - */ - if (initial_acl) { - VATTR_SET(vap, va_acl, oacl); - } else { - VATTR_CLEAR_ACTIVE(vap, va_acl); - } - if (nacl != NULL) - kauth_acl_free(nacl); + vn_attribute_cleanup(vap, defaulted); return(error); } @@ -4829,1124 +5269,1702 @@ vnode_authorize_init(void) vnode_scope = kauth_register_scope(KAUTH_SCOPE_VNODE, vnode_authorize_callback, NULL); } -/* - * Authorize an operation on a vnode. - * - * This is KPI, but here because it needs vnode_scope. - * - * Returns: 0 Success - * kauth_authorize_action:EPERM ... - * xlate => EACCES Permission denied - * kauth_authorize_action:0 Success - * kauth_authorize_action: Depends on callback return; this is - * usually only vnode_authorize_callback(), - * but may include other listerners, if any - * exist. - * EROFS - * EACCES - * EPERM - * ??? - */ +#define VATTR_PREPARE_DEFAULTED_UID 0x1 +#define VATTR_PREPARE_DEFAULTED_GID 0x2 +#define VATTR_PREPARE_DEFAULTED_MODE 0x4 + int -vnode_authorize(vnode_t vp, vnode_t dvp, kauth_action_t action, vfs_context_t ctx) +vn_attribute_prepare(vnode_t dvp, struct vnode_attr *vap, uint32_t *defaulted_fieldsp, vfs_context_t ctx) { - int error, result; + kauth_acl_t nacl = NULL, oacl = NULL; + int error; /* - * We can't authorize against a dead vnode; allow all operations through so that - * the correct error can be returned. + * Handle ACL inheritance. */ - if (vp->v_type == VBAD) - return(0); + if (!(vap->va_vaflags & VA_NOINHERIT) && vfs_extendedsecurity(dvp->v_mount)) { + /* save the original filesec */ + if (VATTR_IS_ACTIVE(vap, va_acl)) { + oacl = vap->va_acl; + } + + vap->va_acl = NULL; + if ((error = kauth_acl_inherit(dvp, + oacl, + &nacl, + vap->va_type == VDIR, + ctx)) != 0) { + KAUTH_DEBUG("%p CREATE - error %d processing inheritance", dvp, error); + return(error); + } + + /* + * If the generated ACL is NULL, then we can save ourselves some effort + * by clearing the active bit. + */ + if (nacl == NULL) { + VATTR_CLEAR_ACTIVE(vap, va_acl); + } else { + vap->va_base_acl = oacl; + VATTR_SET(vap, va_acl, nacl); + } + } - error = 0; - result = kauth_authorize_action(vnode_scope, vfs_context_ucred(ctx), action, - (uintptr_t)ctx, (uintptr_t)vp, (uintptr_t)dvp, (uintptr_t)&error); - if (result == EPERM) /* traditional behaviour */ - result = EACCES; - /* did the lower layers give a better error return? */ - if ((result != 0) && (error != 0)) - return(error); - return(result); + error = vnode_authattr_new_internal(dvp, vap, (vap->va_vaflags & VA_NOAUTH), defaulted_fieldsp, ctx); + if (error) { + vn_attribute_cleanup(vap, *defaulted_fieldsp); + } + + return error; } -/* - * Test for vnode immutability. - * - * The 'append' flag is set when the authorization request is constrained - * to operations which only request the right to append to a file. - * - * The 'ignore' flag is set when an operation modifying the immutability flags - * is being authorized. We check the system securelevel to determine which - * immutability flags we can ignore. - */ -static int -vnode_immutable(struct vnode_attr *vap, int append, int ignore) +void +vn_attribute_cleanup(struct vnode_attr *vap, uint32_t defaulted_fields) { - int mask; - - /* start with all bits precluding the operation */ - mask = IMMUTABLE | APPEND; + /* + * If the caller supplied a filesec in vap, it has been replaced + * now by the post-inheritance copy. We need to put the original back + * and free the inherited product. + */ + kauth_acl_t nacl, oacl; - /* if appending only, remove the append-only bits */ - if (append) - mask &= ~APPEND; + if (VATTR_IS_ACTIVE(vap, va_acl)) { + nacl = vap->va_acl; + oacl = vap->va_base_acl; - /* ignore only set when authorizing flags changes */ - if (ignore) { - if (securelevel <= 0) { - /* in insecure state, flags do not inhibit changes */ - mask = 0; + if (oacl) { + VATTR_SET(vap, va_acl, oacl); + vap->va_base_acl = NULL; } else { - /* in secure state, user flags don't inhibit */ - mask &= ~(UF_IMMUTABLE | UF_APPEND); + VATTR_CLEAR_ACTIVE(vap, va_acl); + } + + if (nacl != NULL) { + kauth_acl_free(nacl); } } - KAUTH_DEBUG("IMMUTABLE - file flags 0x%x mask 0x%x append = %d ignore = %d", vap->va_flags, mask, append, ignore); - if ((vap->va_flags & mask) != 0) - return(EPERM); - return(0); + + if ((defaulted_fields & VATTR_PREPARE_DEFAULTED_MODE) != 0) { + VATTR_CLEAR_ACTIVE(vap, va_mode); + } + if ((defaulted_fields & VATTR_PREPARE_DEFAULTED_GID) != 0) { + VATTR_CLEAR_ACTIVE(vap, va_gid); + } + if ((defaulted_fields & VATTR_PREPARE_DEFAULTED_UID) != 0) { + VATTR_CLEAR_ACTIVE(vap, va_uid); + } + + return; } -static int -vauth_node_owner(struct vnode_attr *vap, kauth_cred_t cred) +int +vn_authorize_unlink(vnode_t dvp, vnode_t vp, struct componentname *cnp, vfs_context_t ctx, __unused void *reserved) { - int result; - - /* default assumption is not-owner */ - result = 0; + int error = 0; /* - * If the filesystem has given us a UID, we treat this as authoritative. + * Normally, unlinking of directories is not supported. + * However, some file systems may have limited support. */ - if (vap && VATTR_IS_SUPPORTED(vap, va_uid)) { - result = (vap->va_uid == kauth_cred_getuid(cred)) ? 1 : 0; + if ((vp->v_type == VDIR) && + !(vp->v_mount->mnt_vtable->vfc_vfsflags & VFC_VFSDIRLINKS)) { + return (EPERM); /* POSIX */ } - /* we could test the owner UUID here if we had a policy for it */ - - return(result); + + /* authorize the delete operation */ +#if CONFIG_MACF + if (!error) + error = mac_vnode_check_unlink(ctx, dvp, vp, cnp); +#endif /* MAC */ + if (!error) + error = vnode_authorize(vp, dvp, KAUTH_VNODE_DELETE, ctx); + + return error; } -static int -vauth_node_group(struct vnode_attr *vap, kauth_cred_t cred, int *ismember) +int +vn_authorize_open_existing(vnode_t vp, struct componentname *cnp, int fmode, vfs_context_t ctx, void *reserved) { - int error; - int result; - - error = 0; - result = 0; + /* Open of existing case */ + kauth_action_t action; + int error = 0; - /* the caller is expected to have asked the filesystem for a group at some point */ - if (vap && VATTR_IS_SUPPORTED(vap, va_gid)) { - error = kauth_cred_ismember_gid(cred, vap->va_gid, &result); + if (cnp->cn_ndp == NULL) { + panic("NULL ndp"); + } + if (reserved != NULL) { + panic("reserved not NULL."); } - /* we could test the group UUID here if we had a policy for it */ - - if (!error) - *ismember = result; - return(error); -} -static int -vauth_file_owner(vauth_ctx vcp) -{ - int result; +#if CONFIG_MACF + /* XXX may do duplicate work here, but ignore that for now (idempotent) */ + if (vfs_flags(vnode_mount(vp)) & MNT_MULTILABEL) { + error = vnode_label(vnode_mount(vp), NULL, vp, NULL, 0, ctx); + if (error) + return (error); + } +#endif - if (vcp->flags_valid & _VAC_IS_OWNER) { - result = (vcp->flags & _VAC_IS_OWNER) ? 1 : 0; - } else { - result = vauth_node_owner(vcp->vap, vcp->ctx->vc_ucred); + if ( (fmode & O_DIRECTORY) && vp->v_type != VDIR ) { + return (ENOTDIR); + } - /* cache our result */ - vcp->flags_valid |= _VAC_IS_OWNER; - if (result) { - vcp->flags |= _VAC_IS_OWNER; - } else { - vcp->flags &= ~_VAC_IS_OWNER; - } + if (vp->v_type == VSOCK && vp->v_tag != VT_FDESC) { + return (EOPNOTSUPP); /* Operation not supported on socket */ } - return(result); -} -static int -vauth_file_ingroup(vauth_ctx vcp, int *ismember) -{ - int error; + if (vp->v_type == VLNK && (fmode & O_NOFOLLOW) != 0) { + return (ELOOP); /* O_NOFOLLOW was specified and the target is a symbolic link */ + } - if (vcp->flags_valid & _VAC_IN_GROUP) { - *ismember = (vcp->flags & _VAC_IN_GROUP) ? 1 : 0; - error = 0; - } else { - error = vauth_node_group(vcp->vap, vcp->ctx->vc_ucred, ismember); + /* disallow write operations on directories */ + if (vnode_isdir(vp) && (fmode & (FWRITE | O_TRUNC))) { + return (EISDIR); + } - if (!error) { - /* cache our result */ - vcp->flags_valid |= _VAC_IN_GROUP; - if (*ismember) { - vcp->flags |= _VAC_IN_GROUP; - } else { - vcp->flags &= ~_VAC_IN_GROUP; - } + if ((cnp->cn_ndp->ni_flag & NAMEI_TRAILINGSLASH)) { + if (vp->v_type != VDIR) { + return (ENOTDIR); } - } - return(error); -} -static int -vauth_dir_owner(vauth_ctx vcp) -{ - int result; - - if (vcp->flags_valid & _VAC_IS_DIR_OWNER) { - result = (vcp->flags & _VAC_IS_DIR_OWNER) ? 1 : 0; - } else { - result = vauth_node_owner(vcp->dvap, vcp->ctx->vc_ucred); +#if CONFIG_MACF + /* If a file being opened is a shadow file containing + * namedstream data, ignore the macf checks because it + * is a kernel internal file and access should always + * be allowed. + */ + if (!(vnode_isshadow(vp) && vnode_isnamedstream(vp))) { + error = mac_vnode_check_open(ctx, vp, fmode); + if (error) { + return (error); + } + } +#endif - /* cache our result */ - vcp->flags_valid |= _VAC_IS_DIR_OWNER; - if (result) { - vcp->flags |= _VAC_IS_DIR_OWNER; + /* compute action to be authorized */ + action = 0; + if (fmode & FREAD) { + action |= KAUTH_VNODE_READ_DATA; + } + if (fmode & (FWRITE | O_TRUNC)) { + /* + * If we are writing, appending, and not truncating, + * indicate that we are appending so that if the + * UF_APPEND or SF_APPEND bits are set, we do not deny + * the open. + */ + if ((fmode & O_APPEND) && !(fmode & O_TRUNC)) { + action |= KAUTH_VNODE_APPEND_DATA; } else { - vcp->flags &= ~_VAC_IS_DIR_OWNER; + action |= KAUTH_VNODE_WRITE_DATA; } } - return(result); + return (vnode_authorize(vp, NULL, action, ctx)); } -static int -vauth_dir_ingroup(vauth_ctx vcp, int *ismember) +int +vn_authorize_create(vnode_t dvp, struct componentname *cnp, struct vnode_attr *vap, vfs_context_t ctx, void *reserved) { - int error; + /* Creation case */ + int error; - if (vcp->flags_valid & _VAC_IN_DIR_GROUP) { - *ismember = (vcp->flags & _VAC_IN_DIR_GROUP) ? 1 : 0; - error = 0; - } else { - error = vauth_node_group(vcp->dvap, vcp->ctx->vc_ucred, ismember); + if (cnp->cn_ndp == NULL) { + panic("NULL cn_ndp"); + } + if (reserved != NULL) { + panic("reserved not NULL."); + } - if (!error) { - /* cache our result */ - vcp->flags_valid |= _VAC_IN_DIR_GROUP; - if (*ismember) { - vcp->flags |= _VAC_IN_DIR_GROUP; - } else { - vcp->flags &= ~_VAC_IN_DIR_GROUP; - } - } + /* Only validate path for creation if we didn't do a complete lookup */ + if (cnp->cn_ndp->ni_flag & NAMEI_UNFINISHED) { + error = lookup_validate_creation_path(cnp->cn_ndp); + if (error) + return (error); } - return(error); + +#if CONFIG_MACF + error = mac_vnode_check_create(ctx, dvp, cnp, vap); + if (error) + return (error); +#endif /* CONFIG_MACF */ + + return (vnode_authorize(dvp, NULL, KAUTH_VNODE_ADD_FILE, ctx)); } -/* - * Test the posix permissions in (vap) to determine whether (credential) - * may perform (action) - */ -static int -vnode_authorize_posix(vauth_ctx vcp, int action, int on_dir) +int +vn_authorize_rename(struct vnode *fdvp, struct vnode *fvp, struct componentname *fcnp, + struct vnode *tdvp, struct vnode *tvp, struct componentname *tcnp, + vfs_context_t ctx, void *reserved) { - struct vnode_attr *vap; - int needed, error, owner_ok, group_ok, world_ok, ismember; -#ifdef KAUTH_DEBUG_ENABLE - const char *where = "uninitialized"; -# define _SETWHERE(c) where = c; -#else -# define _SETWHERE(c) -#endif + int error = 0; + int moving = 0; - /* checking file or directory? */ - if (on_dir) { - vap = vcp->dvap; - } else { - vap = vcp->vap; + if (reserved != NULL) { + panic("Passed something other than NULL as reserved field!"); } - - error = 0; - + /* - * We want to do as little work here as possible. So first we check - * which sets of permissions grant us the access we need, and avoid checking - * whether specific permissions grant access when more generic ones would. + * Avoid renaming "." and "..". + * + * XXX No need to check for this in the FS. We should always have the leaves + * in VFS in this case. */ + if (fvp->v_type == VDIR && + ((fdvp == fvp) || + (fcnp->cn_namelen == 1 && fcnp->cn_nameptr[0] == '.') || + ((fcnp->cn_flags | tcnp->cn_flags) & ISDOTDOT)) ) { + error = EINVAL; + goto out; + } - /* owner permissions */ - needed = 0; - if (action & VREAD) - needed |= S_IRUSR; - if (action & VWRITE) - needed |= S_IWUSR; - if (action & VEXEC) - needed |= S_IXUSR; - owner_ok = (needed & vap->va_mode) == needed; - - /* group permissions */ - needed = 0; - if (action & VREAD) - needed |= S_IRGRP; - if (action & VWRITE) - needed |= S_IWGRP; - if (action & VEXEC) - needed |= S_IXGRP; - group_ok = (needed & vap->va_mode) == needed; - - /* world permissions */ - needed = 0; - if (action & VREAD) - needed |= S_IROTH; - if (action & VWRITE) - needed |= S_IWOTH; - if (action & VEXEC) - needed |= S_IXOTH; - world_ok = (needed & vap->va_mode) == needed; + if (tvp == NULLVP && vnode_compound_rename_available(tdvp)) { + error = lookup_validate_creation_path(tcnp->cn_ndp); + if (error) + goto out; + } - /* If granted/denied by all three, we're done */ - if (owner_ok && group_ok && world_ok) { - _SETWHERE("all"); + /***** *****/ +#if CONFIG_MACF + error = mac_vnode_check_rename_from(ctx, fdvp, fvp, fcnp); + if (error) goto out; - } - if (!owner_ok && !group_ok && !world_ok) { - _SETWHERE("all"); - error = EACCES; +#endif + +#if CONFIG_MACF + error = mac_vnode_check_rename_to(ctx, + tdvp, tvp, fdvp == tdvp, tcnp); + if (error) goto out; +#endif + /***** *****/ + + /***** *****/ + if (tvp != NULL) { + if (fvp->v_type == VDIR && tvp->v_type != VDIR) { + error = ENOTDIR; + goto out; + } else if (fvp->v_type != VDIR && tvp->v_type == VDIR) { + error = EISDIR; + goto out; + } } - /* Check ownership (relatively cheap) */ - if ((on_dir && vauth_dir_owner(vcp)) || - (!on_dir && vauth_file_owner(vcp))) { - _SETWHERE("user"); - if (!owner_ok) - error = EACCES; + if (fvp == tdvp) { + error = EINVAL; goto out; } - /* Not owner; if group and world both grant it we're done */ - if (group_ok && world_ok) { - _SETWHERE("group/world"); + /* + * The following edge case is caught here: + * (to cannot be a descendent of from) + * + * o fdvp + * / + * / + * o fvp + * \ + * \ + * o tdvp + * / + * / + * o tvp + */ + if (tdvp->v_parent == fvp) { + error = EINVAL; goto out; } - if (!group_ok && !world_ok) { - _SETWHERE("group/world"); - error = EACCES; - goto out; + /***** *****/ + + /***** *****/ + + error = 0; + if ((tvp != NULL) && vnode_isdir(tvp)) { + if (tvp != fdvp) + moving = 1; + } else if (tdvp != fdvp) { + moving = 1; } - /* Check group membership (most expensive) */ - ismember = 0; - if (on_dir) { - error = vauth_dir_ingroup(vcp, &ismember); + + /* + * must have delete rights to remove the old name even in + * the simple case of fdvp == tdvp. + * + * If fvp is a directory, and we are changing it's parent, + * then we also need rights to rewrite its ".." entry as well. + */ + if (vnode_isdir(fvp)) { + if ((error = vnode_authorize(fvp, fdvp, KAUTH_VNODE_DELETE | KAUTH_VNODE_ADD_SUBDIRECTORY, ctx)) != 0) + goto out; } else { - error = vauth_file_ingroup(vcp, &ismember); + if ((error = vnode_authorize(fvp, fdvp, KAUTH_VNODE_DELETE, ctx)) != 0) + goto out; } - if (error) - goto out; - if (ismember) { - _SETWHERE("group"); - if (!group_ok) - error = EACCES; + if (moving) { + /* moving into tdvp or tvp, must have rights to add */ + if ((error = vnode_authorize(((tvp != NULL) && vnode_isdir(tvp)) ? tvp : tdvp, + NULL, + vnode_isdir(fvp) ? KAUTH_VNODE_ADD_SUBDIRECTORY : KAUTH_VNODE_ADD_FILE, + ctx)) != 0) { + goto out; + } + } else { + /* node staying in same directory, must be allowed to add new name */ + if ((error = vnode_authorize(fdvp, NULL, + vnode_isdir(fvp) ? KAUTH_VNODE_ADD_SUBDIRECTORY : KAUTH_VNODE_ADD_FILE, ctx)) != 0) + goto out; + } + /* overwriting tvp */ + if ((tvp != NULL) && !vnode_isdir(tvp) && + ((error = vnode_authorize(tvp, tdvp, KAUTH_VNODE_DELETE, ctx)) != 0)) { goto out; } - /* Not owner, not in group, use world result */ - _SETWHERE("world"); - if (!world_ok) - error = EACCES; - - /* FALLTHROUGH */ + /***** *****/ + /* XXX more checks? */ out: - KAUTH_DEBUG("%p %s - posix %s permissions : need %s%s%s %x have %s%s%s%s%s%s%s%s%s UID = %d file = %d,%d", - vcp->vp, (error == 0) ? "ALLOWED" : "DENIED", where, - (action & VREAD) ? "r" : "-", - (action & VWRITE) ? "w" : "-", - (action & VEXEC) ? "x" : "-", - needed, - (vap->va_mode & S_IRUSR) ? "r" : "-", - (vap->va_mode & S_IWUSR) ? "w" : "-", - (vap->va_mode & S_IXUSR) ? "x" : "-", - (vap->va_mode & S_IRGRP) ? "r" : "-", - (vap->va_mode & S_IWGRP) ? "w" : "-", - (vap->va_mode & S_IXGRP) ? "x" : "-", - (vap->va_mode & S_IROTH) ? "r" : "-", - (vap->va_mode & S_IWOTH) ? "w" : "-", - (vap->va_mode & S_IXOTH) ? "x" : "-", - kauth_cred_getuid(vcp->ctx->vc_ucred), - on_dir ? vcp->dvap->va_uid : vcp->vap->va_uid, - on_dir ? vcp->dvap->va_gid : vcp->vap->va_gid); - return(error); + return error; } -/* - * Authorize the deletion of the node vp from the directory dvp. - * - * We assume that: - * - Neither the node nor the directory are immutable. - * - The user is not the superuser. - * - * Deletion is not permitted if the directory is sticky and the caller is - * not owner of the node or directory. - * - * If either the node grants DELETE, or the directory grants DELETE_CHILD, - * the node may be deleted. If neither denies the permission, and the - * caller has Posix write access to the directory, then the node may be - * deleted. - * - * As an optimization, we cache whether or not delete child is permitted - * on directories without the sticky bit set. - */ int -vnode_authorize_delete(vauth_ctx vcp, boolean_t cached_delete_child); -/*static*/ int -vnode_authorize_delete(vauth_ctx vcp, boolean_t cached_delete_child) +vn_authorize_mkdir(vnode_t dvp, struct componentname *cnp, struct vnode_attr *vap, vfs_context_t ctx, void *reserved) { - struct vnode_attr *vap = vcp->vap; - struct vnode_attr *dvap = vcp->dvap; - kauth_cred_t cred = vcp->ctx->vc_ucred; - struct kauth_acl_eval eval; - int error, delete_denied, delete_child_denied, ismember; + int error; - /* check the ACL on the directory */ - delete_child_denied = 0; - if (!cached_delete_child && VATTR_IS_NOT(dvap, va_acl, NULL)) { - eval.ae_requested = KAUTH_VNODE_DELETE_CHILD; - eval.ae_acl = &dvap->va_acl->acl_ace[0]; - eval.ae_count = dvap->va_acl->acl_entrycount; - eval.ae_options = 0; - if (vauth_dir_owner(vcp)) - eval.ae_options |= KAUTH_AEVAL_IS_OWNER; - if ((error = vauth_dir_ingroup(vcp, &ismember)) != 0) - return(error); - if (ismember) - eval.ae_options |= KAUTH_AEVAL_IN_GROUP; - eval.ae_exp_gall = KAUTH_VNODE_GENERIC_ALL_BITS; - eval.ae_exp_gread = KAUTH_VNODE_GENERIC_READ_BITS; - eval.ae_exp_gwrite = KAUTH_VNODE_GENERIC_WRITE_BITS; - eval.ae_exp_gexec = KAUTH_VNODE_GENERIC_EXECUTE_BITS; + if (reserved != NULL) { + panic("reserved not NULL in vn_authorize_mkdir()"); + } - error = kauth_acl_evaluate(cred, &eval); + /* XXX A hack for now, to make shadow files work */ + if (cnp->cn_ndp == NULL) { + return 0; + } - if (error != 0) { - KAUTH_DEBUG("%p ERROR during ACL processing - %d", vcp->vp, error); - return(error); - } - if (eval.ae_result == KAUTH_RESULT_DENY) - delete_child_denied = 1; - if (eval.ae_result == KAUTH_RESULT_ALLOW) { - KAUTH_DEBUG("%p ALLOWED - granted by directory ACL", vcp->vp); - return(0); - } + if (vnode_compound_mkdir_available(dvp)) { + error = lookup_validate_creation_path(cnp->cn_ndp); + if (error) + goto out; } - /* check the ACL on the node */ - delete_denied = 0; - if (VATTR_IS_NOT(vap, va_acl, NULL)) { - eval.ae_requested = KAUTH_VNODE_DELETE; - eval.ae_acl = &vap->va_acl->acl_ace[0]; - eval.ae_count = vap->va_acl->acl_entrycount; - eval.ae_options = 0; - if (vauth_file_owner(vcp)) - eval.ae_options |= KAUTH_AEVAL_IS_OWNER; - if ((error = vauth_file_ingroup(vcp, &ismember)) != 0) - return(error); - if (ismember) - eval.ae_options |= KAUTH_AEVAL_IN_GROUP; - eval.ae_exp_gall = KAUTH_VNODE_GENERIC_ALL_BITS; - eval.ae_exp_gread = KAUTH_VNODE_GENERIC_READ_BITS; - eval.ae_exp_gwrite = KAUTH_VNODE_GENERIC_WRITE_BITS; - eval.ae_exp_gexec = KAUTH_VNODE_GENERIC_EXECUTE_BITS; +#if CONFIG_MACF + error = mac_vnode_check_create(ctx, + dvp, cnp, vap); + if (error) + goto out; +#endif - if ((error = kauth_acl_evaluate(cred, &eval)) != 0) { - KAUTH_DEBUG("%p ERROR during ACL processing - %d", vcp->vp, error); - return(error); - } - if (eval.ae_result == KAUTH_RESULT_DENY) - delete_denied = 1; - if (eval.ae_result == KAUTH_RESULT_ALLOW) { - KAUTH_DEBUG("%p ALLOWED - granted by file ACL", vcp->vp); - return(0); - } - } + /* authorize addition of a directory to the parent */ + if ((error = vnode_authorize(dvp, NULL, KAUTH_VNODE_ADD_SUBDIRECTORY, ctx)) != 0) + goto out; + +out: + return error; +} - /* if denied by ACL on directory or node, return denial */ - if (delete_denied || delete_child_denied) { - KAUTH_DEBUG("%p ALLOWED - denied by ACL", vcp->vp); - return(EACCES); - } +int +vn_authorize_rmdir(vnode_t dvp, vnode_t vp, struct componentname *cnp, vfs_context_t ctx, void *reserved) +{ + int error; - /* - * enforce sticky bit behaviour; the cached_delete_child property will - * be false and the dvap contents valis for sticky bit directories; - * this makes us check the directory each time, but it's unavoidable, - * as sticky bit is an exception to caching. - */ - if (!cached_delete_child && (dvap->va_mode & S_ISTXT) && !vauth_file_owner(vcp) && !vauth_dir_owner(vcp)) { - KAUTH_DEBUG("%p DENIED - sticky bit rules (user %d file %d dir %d)", - vcp->vp, cred->cr_uid, vap->va_uid, dvap->va_uid); - return(EACCES); + if (reserved != NULL) { + panic("Non-NULL reserved argument to vn_authorize_rmdir()"); } - /* check the directory */ - if (!cached_delete_child && (error = vnode_authorize_posix(vcp, VWRITE, 1 /* on_dir */)) != 0) { - KAUTH_DEBUG("%p ALLOWED - granted by posix permisssions", vcp->vp); - return(error); - } + if (vp->v_type != VDIR) { + /* + * rmdir only deals with directories + */ + return ENOTDIR; + } + + if (dvp == vp) { + /* + * No rmdir "." please. + */ + return EINVAL; + } + +#if CONFIG_MACF + error = mac_vnode_check_unlink(ctx, dvp, + vp, cnp); + if (error) + return error; +#endif - /* not denied, must be OK */ - return(0); + return vnode_authorize(vp, dvp, KAUTH_VNODE_DELETE, ctx); } - /* - * Authorize an operation based on the node's attributes. + * Authorize an operation on a vnode. + * + * This is KPI, but here because it needs vnode_scope. + * + * Returns: 0 Success + * kauth_authorize_action:EPERM ... + * xlate => EACCES Permission denied + * kauth_authorize_action:0 Success + * kauth_authorize_action: Depends on callback return; this is + * usually only vnode_authorize_callback(), + * but may include other listerners, if any + * exist. + * EROFS + * EACCES + * EPERM + * ??? */ -static int -vnode_authorize_simple(vauth_ctx vcp, kauth_ace_rights_t acl_rights, kauth_ace_rights_t preauth_rights, boolean_t *found_deny) +int +vnode_authorize(vnode_t vp, vnode_t dvp, kauth_action_t action, vfs_context_t ctx) { - struct vnode_attr *vap = vcp->vap; - kauth_cred_t cred = vcp->ctx->vc_ucred; - struct kauth_acl_eval eval; - int error, ismember; - mode_t posix_action; + int error, result; /* - * If we are the file owner, we automatically have some rights. - * - * Do we need to expand this to support group ownership? - */ - if (vauth_file_owner(vcp)) - acl_rights &= ~(KAUTH_VNODE_WRITE_SECURITY); - - /* - * If we are checking both TAKE_OWNERSHIP and WRITE_SECURITY, we can - * mask the latter. If TAKE_OWNERSHIP is requested the caller is about to - * change ownership to themselves, and WRITE_SECURITY is implicitly - * granted to the owner. We need to do this because at this point - * WRITE_SECURITY may not be granted as the caller is not currently - * the owner. + * We can't authorize against a dead vnode; allow all operations through so that + * the correct error can be returned. */ - if ((acl_rights & KAUTH_VNODE_TAKE_OWNERSHIP) && - (acl_rights & KAUTH_VNODE_WRITE_SECURITY)) - acl_rights &= ~KAUTH_VNODE_WRITE_SECURITY; - - if (acl_rights == 0) { - KAUTH_DEBUG("%p ALLOWED - implicit or no rights required", vcp->vp); + if (vp->v_type == VBAD) return(0); - } + + error = 0; + result = kauth_authorize_action(vnode_scope, vfs_context_ucred(ctx), action, + (uintptr_t)ctx, (uintptr_t)vp, (uintptr_t)dvp, (uintptr_t)&error); + if (result == EPERM) /* traditional behaviour */ + result = EACCES; + /* did the lower layers give a better error return? */ + if ((result != 0) && (error != 0)) + return(error); + return(result); +} - /* if we have an ACL, evaluate it */ - if (VATTR_IS_NOT(vap, va_acl, NULL)) { - eval.ae_requested = acl_rights; - eval.ae_acl = &vap->va_acl->acl_ace[0]; - eval.ae_count = vap->va_acl->acl_entrycount; - eval.ae_options = 0; - if (vauth_file_owner(vcp)) - eval.ae_options |= KAUTH_AEVAL_IS_OWNER; - if ((error = vauth_file_ingroup(vcp, &ismember)) != 0) - return(error); - if (ismember) - eval.ae_options |= KAUTH_AEVAL_IN_GROUP; - eval.ae_exp_gall = KAUTH_VNODE_GENERIC_ALL_BITS; - eval.ae_exp_gread = KAUTH_VNODE_GENERIC_READ_BITS; - eval.ae_exp_gwrite = KAUTH_VNODE_GENERIC_WRITE_BITS; - eval.ae_exp_gexec = KAUTH_VNODE_GENERIC_EXECUTE_BITS; - - if ((error = kauth_acl_evaluate(cred, &eval)) != 0) { - KAUTH_DEBUG("%p ERROR during ACL processing - %d", vcp->vp, error); - return(error); - } - - if (eval.ae_result == KAUTH_RESULT_DENY) { - KAUTH_DEBUG("%p DENIED - by ACL", vcp->vp); - return(EACCES); /* deny, deny, counter-allege */ - } - if (eval.ae_result == KAUTH_RESULT_ALLOW) { - KAUTH_DEBUG("%p ALLOWED - all rights granted by ACL", vcp->vp); - return(0); - } - *found_deny = eval.ae_found_deny; +/* + * Test for vnode immutability. + * + * The 'append' flag is set when the authorization request is constrained + * to operations which only request the right to append to a file. + * + * The 'ignore' flag is set when an operation modifying the immutability flags + * is being authorized. We check the system securelevel to determine which + * immutability flags we can ignore. + */ +static int +vnode_immutable(struct vnode_attr *vap, int append, int ignore) +{ + int mask; - /* fall through and evaluate residual rights */ - } else { - /* no ACL, everything is residual */ - eval.ae_residual = acl_rights; - } + /* start with all bits precluding the operation */ + mask = IMMUTABLE | APPEND; - /* - * Grant residual rights that have been pre-authorized. - */ - eval.ae_residual &= ~preauth_rights; + /* if appending only, remove the append-only bits */ + if (append) + mask &= ~APPEND; - /* - * We grant WRITE_ATTRIBUTES to the owner if it hasn't been denied. - */ - if (vauth_file_owner(vcp)) - eval.ae_residual &= ~KAUTH_VNODE_WRITE_ATTRIBUTES; - - if (eval.ae_residual == 0) { - KAUTH_DEBUG("%p ALLOWED - rights already authorized", vcp->vp); - return(0); - } - - /* - * Bail if we have residual rights that can't be granted by posix permissions, - * or aren't presumed granted at this point. - * - * XXX these can be collapsed for performance - */ - if (eval.ae_residual & KAUTH_VNODE_CHANGE_OWNER) { - KAUTH_DEBUG("%p DENIED - CHANGE_OWNER not permitted", vcp->vp); - return(EACCES); - } - if (eval.ae_residual & KAUTH_VNODE_WRITE_SECURITY) { - KAUTH_DEBUG("%p DENIED - WRITE_SECURITY not permitted", vcp->vp); - return(EACCES); + /* ignore only set when authorizing flags changes */ + if (ignore) { + if (securelevel <= 0) { + /* in insecure state, flags do not inhibit changes */ + mask = 0; + } else { + /* in secure state, user flags don't inhibit */ + mask &= ~(UF_IMMUTABLE | UF_APPEND); + } } + KAUTH_DEBUG("IMMUTABLE - file flags 0x%x mask 0x%x append = %d ignore = %d", vap->va_flags, mask, append, ignore); + if ((vap->va_flags & mask) != 0) + return(EPERM); + return(0); +} -#if DIAGNOSTIC - if (eval.ae_residual & KAUTH_VNODE_DELETE) - panic("vnode_authorize: can't be checking delete permission here"); -#endif +static int +vauth_node_owner(struct vnode_attr *vap, kauth_cred_t cred) +{ + int result; - /* - * Compute the fallback posix permissions that will satisfy the remaining - * rights. - */ - posix_action = 0; - if (eval.ae_residual & (KAUTH_VNODE_READ_DATA | - KAUTH_VNODE_LIST_DIRECTORY | - KAUTH_VNODE_READ_EXTATTRIBUTES)) - posix_action |= VREAD; - if (eval.ae_residual & (KAUTH_VNODE_WRITE_DATA | - KAUTH_VNODE_ADD_FILE | - KAUTH_VNODE_ADD_SUBDIRECTORY | - KAUTH_VNODE_DELETE_CHILD | - KAUTH_VNODE_WRITE_ATTRIBUTES | - KAUTH_VNODE_WRITE_EXTATTRIBUTES)) - posix_action |= VWRITE; - if (eval.ae_residual & (KAUTH_VNODE_EXECUTE | - KAUTH_VNODE_SEARCH)) - posix_action |= VEXEC; - - if (posix_action != 0) { - return(vnode_authorize_posix(vcp, posix_action, 0 /* !on_dir */)); - } else { - KAUTH_DEBUG("%p ALLOWED - residual rights %s%s%s%s%s%s%s%s%s%s%s%s%s%s granted due to no posix mapping", - vcp->vp, - (eval.ae_residual & KAUTH_VNODE_READ_DATA) - ? vnode_isdir(vcp->vp) ? " LIST_DIRECTORY" : " READ_DATA" : "", - (eval.ae_residual & KAUTH_VNODE_WRITE_DATA) - ? vnode_isdir(vcp->vp) ? " ADD_FILE" : " WRITE_DATA" : "", - (eval.ae_residual & KAUTH_VNODE_EXECUTE) - ? vnode_isdir(vcp->vp) ? " SEARCH" : " EXECUTE" : "", - (eval.ae_residual & KAUTH_VNODE_DELETE) - ? " DELETE" : "", - (eval.ae_residual & KAUTH_VNODE_APPEND_DATA) - ? vnode_isdir(vcp->vp) ? " ADD_SUBDIRECTORY" : " APPEND_DATA" : "", - (eval.ae_residual & KAUTH_VNODE_DELETE_CHILD) - ? " DELETE_CHILD" : "", - (eval.ae_residual & KAUTH_VNODE_READ_ATTRIBUTES) - ? " READ_ATTRIBUTES" : "", - (eval.ae_residual & KAUTH_VNODE_WRITE_ATTRIBUTES) - ? " WRITE_ATTRIBUTES" : "", - (eval.ae_residual & KAUTH_VNODE_READ_EXTATTRIBUTES) - ? " READ_EXTATTRIBUTES" : "", - (eval.ae_residual & KAUTH_VNODE_WRITE_EXTATTRIBUTES) - ? " WRITE_EXTATTRIBUTES" : "", - (eval.ae_residual & KAUTH_VNODE_READ_SECURITY) - ? " READ_SECURITY" : "", - (eval.ae_residual & KAUTH_VNODE_WRITE_SECURITY) - ? " WRITE_SECURITY" : "", - (eval.ae_residual & KAUTH_VNODE_CHECKIMMUTABLE) - ? " CHECKIMMUTABLE" : "", - (eval.ae_residual & KAUTH_VNODE_CHANGE_OWNER) - ? " CHANGE_OWNER" : ""); - } + /* default assumption is not-owner */ + result = 0; /* - * Lack of required Posix permissions implies no reason to deny access. + * If the filesystem has given us a UID, we treat this as authoritative. */ - return(0); + if (vap && VATTR_IS_SUPPORTED(vap, va_uid)) { + result = (vap->va_uid == kauth_cred_getuid(cred)) ? 1 : 0; + } + /* we could test the owner UUID here if we had a policy for it */ + + return(result); } /* - * Check for file immutability. + * vauth_node_group + * + * Description: Ask if a cred is a member of the group owning the vnode object + * + * Parameters: vap vnode attribute + * vap->va_gid group owner of vnode object + * cred credential to check + * ismember pointer to where to put the answer + * idontknow Return this if we can't get an answer + * + * Returns: 0 Success + * idontknow Can't get information + * kauth_cred_ismember_gid:? Error from kauth subsystem + * kauth_cred_ismember_gid:? Error from kauth subsystem */ static int -vnode_authorize_checkimmutable(vnode_t vp, struct vnode_attr *vap, int rights, int ignore) +vauth_node_group(struct vnode_attr *vap, kauth_cred_t cred, int *ismember, int idontknow) { - mount_t mp; - int error; - int append; + int error; + int result; + + error = 0; + result = 0; /* - * Perform immutability checks for operations that change data. - * - * Sockets, fifos and devices require special handling. + * The caller is expected to have asked the filesystem for a group + * at some point prior to calling this function. The answer may + * have been that there is no group ownership supported for the + * vnode object, in which case we return */ - switch(vp->v_type) { - case VSOCK: - case VFIFO: - case VBLK: - case VCHR: + if (vap && VATTR_IS_SUPPORTED(vap, va_gid)) { + error = kauth_cred_ismember_gid(cred, vap->va_gid, &result); /* - * Writing to these nodes does not change the filesystem data, - * so forget that it's being tried. + * Credentials which are opted into external group membership + * resolution which are not known to the external resolver + * will result in an ENOENT error. We translate this into + * the appropriate 'idontknow' response for our caller. + * + * XXX We do not make a distinction here between an ENOENT + * XXX arising from a response from the external resolver, + * XXX and an ENOENT which is internally generated. This is + * XXX a deficiency of the published kauth_cred_ismember_gid() + * XXX KPI which can not be overcome without new KPI. For + * XXX all currently known cases, however, this wil result + * XXX in correct behaviour. */ - rights &= ~KAUTH_VNODE_WRITE_DATA; - break; - default: - break; + if (error == ENOENT) + error = idontknow; } + /* + * XXX We could test the group UUID here if we had a policy for it, + * XXX but this is problematic from the perspective of synchronizing + * XXX group UUID and POSIX GID ownership of a file and keeping the + * XXX values coherent over time. The problem is that the local + * XXX system will vend transient group UUIDs for unknown POSIX GID + * XXX values, and these are not persistent, whereas storage of values + * XXX is persistent. One potential solution to this is a local + * XXX (persistent) replica of remote directory entries and vended + * XXX local ids in a local directory server (think in terms of a + * XXX caching DNS server). + */ - error = 0; - if (rights & KAUTH_VNODE_WRITE_RIGHTS) { - - /* check per-filesystem options if possible */ - mp = vp->v_mount; - if (mp != NULL) { - - /* check for no-EA filesystems */ - if ((rights & KAUTH_VNODE_WRITE_EXTATTRIBUTES) && - (vfs_flags(mp) & MNT_NOUSERXATTR)) { - KAUTH_DEBUG("%p DENIED - filesystem disallowed extended attributes", vp); - error = EACCES; /* User attributes disabled */ - goto out; - } - } + if (!error) + *ismember = result; + return(error); +} - /* - * check for file immutability. first, check if the requested rights are - * allowable for a UF_APPEND file. - */ - append = 0; - if (vp->v_type == VDIR) { - if ((rights & (KAUTH_VNODE_ADD_FILE | KAUTH_VNODE_ADD_SUBDIRECTORY | KAUTH_VNODE_WRITE_EXTATTRIBUTES)) == rights) - append = 1; +static int +vauth_file_owner(vauth_ctx vcp) +{ + int result; + + if (vcp->flags_valid & _VAC_IS_OWNER) { + result = (vcp->flags & _VAC_IS_OWNER) ? 1 : 0; + } else { + result = vauth_node_owner(vcp->vap, vcp->ctx->vc_ucred); + + /* cache our result */ + vcp->flags_valid |= _VAC_IS_OWNER; + if (result) { + vcp->flags |= _VAC_IS_OWNER; } else { - if ((rights & (KAUTH_VNODE_APPEND_DATA | KAUTH_VNODE_WRITE_EXTATTRIBUTES)) == rights) - append = 1; - } - if ((error = vnode_immutable(vap, append, ignore)) != 0) { - KAUTH_DEBUG("%p DENIED - file is immutable", vp); - goto out; + vcp->flags &= ~_VAC_IS_OWNER; } } -out: - return(error); + return(result); } + /* - * Handle authorization actions for filesystems that advertise that the - * server will be enforcing. + * vauth_file_ingroup * - * Returns: 0 Authorization should be handled locally - * 1 Authorization was handled by the FS + * Description: Ask if a user is a member of the group owning the directory * - * Note: Imputed returns will only occur if the authorization request - * was handled by the FS. + * Parameters: vcp The vnode authorization context that + * contains the user and directory info + * vcp->flags_valid Valid flags + * vcp->flags Flags values + * vcp->vap File vnode attributes + * vcp->ctx VFS Context (for user) + * ismember pointer to where to put the answer + * idontknow Return this if we can't get an answer * - * Imputed: *resultp, modified Return code from FS when the request is - * handled by the FS. - * VNOP_ACCESS:??? - * VNOP_OPEN:??? + * Returns: 0 Success + * vauth_node_group:? Error from vauth_node_group() + * + * Implicit returns: *ismember 0 The user is not a group member + * 1 The user is a group member */ static int -vnode_authorize_opaque(vnode_t vp, int *resultp, kauth_action_t action, vfs_context_t ctx) +vauth_file_ingroup(vauth_ctx vcp, int *ismember, int idontknow) { int error; - /* - * If the vp is a device node, socket or FIFO it actually represents a local - * endpoint, so we need to handle it locally. - */ - switch(vp->v_type) { - case VBLK: - case VCHR: - case VSOCK: - case VFIFO: - return(0); - default: - break; - } - - /* - * In the advisory request case, if the filesystem doesn't think it's reliable - * we will attempt to formulate a result ourselves based on VNOP_GETATTR data. - */ - if ((action & KAUTH_VNODE_ACCESS) && !vfs_authopaqueaccess(vp->v_mount)) - return(0); + /* Check for a cached answer first, to avoid the check if possible */ + if (vcp->flags_valid & _VAC_IN_GROUP) { + *ismember = (vcp->flags & _VAC_IN_GROUP) ? 1 : 0; + error = 0; + } else { + /* Otherwise, go look for it */ + error = vauth_node_group(vcp->vap, vcp->ctx->vc_ucred, ismember, idontknow); - /* - * Let the filesystem have a say in the matter. It's OK for it to not implemnent - * VNOP_ACCESS, as most will authorise inline with the actual request. - */ - if ((error = VNOP_ACCESS(vp, action, ctx)) != ENOTSUP) { - *resultp = error; - KAUTH_DEBUG("%p DENIED - opaque filesystem VNOP_ACCESS denied access", vp); - return(1); - } - - /* - * Typically opaque filesystems do authorisation in-line, but exec is a special case. In - * order to be reasonably sure that exec will be permitted, we try a bit harder here. - */ - if ((action & KAUTH_VNODE_EXECUTE) && (vp->v_type == VREG)) { - /* try a VNOP_OPEN for readonly access */ - if ((error = VNOP_OPEN(vp, FREAD, ctx)) != 0) { - *resultp = error; - KAUTH_DEBUG("%p DENIED - EXECUTE denied because file could not be opened readonly", vp); - return(1); + if (!error) { + /* cache our result */ + vcp->flags_valid |= _VAC_IN_GROUP; + if (*ismember) { + vcp->flags |= _VAC_IN_GROUP; + } else { + vcp->flags &= ~_VAC_IN_GROUP; + } } - VNOP_CLOSE(vp, FREAD, ctx); + } - - /* - * We don't have any reason to believe that the request has to be denied at this point, - * so go ahead and allow it. - */ - *resultp = 0; - KAUTH_DEBUG("%p ALLOWED - bypassing access check for non-local filesystem", vp); - return(1); + return(error); } +static int +vauth_dir_owner(vauth_ctx vcp) +{ + int result; + if (vcp->flags_valid & _VAC_IS_DIR_OWNER) { + result = (vcp->flags & _VAC_IS_DIR_OWNER) ? 1 : 0; + } else { + result = vauth_node_owner(vcp->dvap, vcp->ctx->vc_ucred); + /* cache our result */ + vcp->flags_valid |= _VAC_IS_DIR_OWNER; + if (result) { + vcp->flags |= _VAC_IS_DIR_OWNER; + } else { + vcp->flags &= ~_VAC_IS_DIR_OWNER; + } + } + return(result); +} /* - * Returns: KAUTH_RESULT_ALLOW - * KAUTH_RESULT_DENY + * vauth_dir_ingroup * - * Imputed: *arg3, modified Error code in the deny case - * EROFS Read-only file system - * EACCES Permission denied - * EPERM Operation not permitted [no execute] - * vnode_getattr:ENOMEM Not enough space [only if has filesec] - * vnode_getattr:??? - * vnode_authorize_opaque:*arg2 ??? - * vnode_authorize_checkimmutable:??? - * vnode_authorize_delete:??? - * vnode_authorize_simple:??? + * Description: Ask if a user is a member of the group owning the directory + * + * Parameters: vcp The vnode authorization context that + * contains the user and directory info + * vcp->flags_valid Valid flags + * vcp->flags Flags values + * vcp->dvap Dir vnode attributes + * vcp->ctx VFS Context (for user) + * ismember pointer to where to put the answer + * idontknow Return this if we can't get an answer + * + * Returns: 0 Success + * vauth_node_group:? Error from vauth_node_group() + * + * Implicit returns: *ismember 0 The user is not a group member + * 1 The user is a group member */ - - static int -vnode_authorize_callback(kauth_cred_t cred, void *idata, kauth_action_t action, - uintptr_t arg0, uintptr_t arg1, uintptr_t arg2, uintptr_t arg3) +vauth_dir_ingroup(vauth_ctx vcp, int *ismember, int idontknow) { - vfs_context_t ctx; - vnode_t cvp = NULLVP; - vnode_t vp, dvp; - int result = KAUTH_RESULT_DENY; - int parent_iocount = 0; - int parent_action; /* In case we need to use namedstream's data fork for cached rights*/ - - ctx = (vfs_context_t)arg0; - vp = (vnode_t)arg1; - dvp = (vnode_t)arg2; + int error; - /* - * if there are 2 vnodes passed in, we don't know at - * this point which rights to look at based on the - * combined action being passed in... defer until later... - * otherwise check the kauth 'rights' cache hung - * off of the vnode we're interested in... if we've already - * been granted the right we're currently interested in, - * we can just return success... otherwise we'll go through - * the process of authorizing the requested right(s)... if that - * succeeds, we'll add the right(s) to the cache. - * VNOP_SETATTR and VNOP_SETXATTR will invalidate this cache - */ - if (dvp && vp) - goto defer; - if (dvp) { - cvp = dvp; + /* Check for a cached answer first, to avoid the check if possible */ + if (vcp->flags_valid & _VAC_IN_DIR_GROUP) { + *ismember = (vcp->flags & _VAC_IN_DIR_GROUP) ? 1 : 0; + error = 0; } else { - /* - * For named streams on local-authorization volumes, rights are cached on the parent; - * authorization is determined by looking at the parent's properties anyway, so storing - * on the parent means that we don't recompute for the named stream and that if - * we need to flush rights (e.g. on VNOP_SETATTR()) we don't need to track down the - * stream to flush its cache separately. If we miss in the cache, then we authorize - * as if there were no cached rights (passing the named stream vnode and desired rights to - * vnode_authorize_callback_int()). - * - * On an opaquely authorized volume, we don't know the relationship between the - * data fork's properties and the rights granted on a stream. Thus, named stream vnodes - * on such a volume are authorized directly (rather than using the parent) and have their - * own caches. When a named stream vnode is created, we mark the parent as having a named - * stream. On a VNOP_SETATTR() for the parent that may invalidate cached authorization, we - * find the stream and flush its cache. - */ - if (vnode_isnamedstream(vp) && (!vfs_authopaque(vp->v_mount))) { - cvp = vp->v_parent; - if ((cvp != NULLVP) && (vnode_getwithref(cvp) == 0)) { - parent_iocount = 1; - } else { - cvp = NULL; - goto defer; /* If we can't use the parent, take the slow path */ - } + /* Otherwise, go look for it */ + error = vauth_node_group(vcp->dvap, vcp->ctx->vc_ucred, ismember, idontknow); - /* Have to translate some actions */ - parent_action = action; - if (parent_action & KAUTH_VNODE_READ_DATA) { - parent_action &= ~KAUTH_VNODE_READ_DATA; - parent_action |= KAUTH_VNODE_READ_EXTATTRIBUTES; - } - if (parent_action & KAUTH_VNODE_WRITE_DATA) { - parent_action &= ~KAUTH_VNODE_WRITE_DATA; - parent_action |= KAUTH_VNODE_WRITE_EXTATTRIBUTES; + if (!error) { + /* cache our result */ + vcp->flags_valid |= _VAC_IN_DIR_GROUP; + if (*ismember) { + vcp->flags |= _VAC_IN_DIR_GROUP; + } else { + vcp->flags &= ~_VAC_IN_DIR_GROUP; } - - } else { - cvp = vp; } } - - if (vnode_cache_is_authorized(cvp, ctx, parent_iocount ? parent_action : action) == TRUE) { - result = KAUTH_RESULT_ALLOW; - goto out; - } -defer: - result = vnode_authorize_callback_int(cred, idata, action, arg0, arg1, arg2, arg3); - - if (result == KAUTH_RESULT_ALLOW && cvp != NULLVP) - vnode_cache_authorized_action(cvp, ctx, action); - -out: - if (parent_iocount) { - vnode_put(cvp); - } - - return result; + return(error); } - +/* + * Test the posix permissions in (vap) to determine whether (credential) + * may perform (action) + */ static int -vnode_authorize_callback_int(__unused kauth_cred_t unused_cred, __unused void *idata, kauth_action_t action, - uintptr_t arg0, uintptr_t arg1, uintptr_t arg2, uintptr_t arg3) +vnode_authorize_posix(vauth_ctx vcp, int action, int on_dir) { - struct _vnode_authorize_context auth_context; - vauth_ctx vcp; - vfs_context_t ctx; - vnode_t vp, dvp; - kauth_cred_t cred; - kauth_ace_rights_t rights; - struct vnode_attr va, dva; - int result; - int *errorp; - int noimmutable; - boolean_t parent_authorized_for_delete_child = FALSE; - boolean_t found_deny = FALSE; - boolean_t parent_ref= FALSE; + struct vnode_attr *vap; + int needed, error, owner_ok, group_ok, world_ok, ismember; +#ifdef KAUTH_DEBUG_ENABLE + const char *where = "uninitialized"; +# define _SETWHERE(c) where = c; +#else +# define _SETWHERE(c) +#endif - vcp = &auth_context; - ctx = vcp->ctx = (vfs_context_t)arg0; - vp = vcp->vp = (vnode_t)arg1; - dvp = vcp->dvp = (vnode_t)arg2; - errorp = (int *)arg3; + /* checking file or directory? */ + if (on_dir) { + vap = vcp->dvap; + } else { + vap = vcp->vap; + } + + error = 0; + /* - * Note that we authorize against the context, not the passed cred - * (the same thing anyway) + * We want to do as little work here as possible. So first we check + * which sets of permissions grant us the access we need, and avoid checking + * whether specific permissions grant access when more generic ones would. */ - cred = ctx->vc_ucred; - - VATTR_INIT(&va); - vcp->vap = &va; - VATTR_INIT(&dva); - vcp->dvap = &dva; - vcp->flags = vcp->flags_valid = 0; + /* owner permissions */ + needed = 0; + if (action & VREAD) + needed |= S_IRUSR; + if (action & VWRITE) + needed |= S_IWUSR; + if (action & VEXEC) + needed |= S_IXUSR; + owner_ok = (needed & vap->va_mode) == needed; -#if DIAGNOSTIC - if ((ctx == NULL) || (vp == NULL) || (cred == NULL)) - panic("vnode_authorize: bad arguments (context %p vp %p cred %p)", ctx, vp, cred); -#endif + /* group permissions */ + needed = 0; + if (action & VREAD) + needed |= S_IRGRP; + if (action & VWRITE) + needed |= S_IWGRP; + if (action & VEXEC) + needed |= S_IXGRP; + group_ok = (needed & vap->va_mode) == needed; - KAUTH_DEBUG("%p AUTH - %s %s%s%s%s%s%s%s%s%s%s%s%s%s%s%s on %s '%s' (0x%x:%p/%p)", - vp, vfs_context_proc(ctx)->p_comm, - (action & KAUTH_VNODE_ACCESS) ? "access" : "auth", - (action & KAUTH_VNODE_READ_DATA) ? vnode_isdir(vp) ? " LIST_DIRECTORY" : " READ_DATA" : "", - (action & KAUTH_VNODE_WRITE_DATA) ? vnode_isdir(vp) ? " ADD_FILE" : " WRITE_DATA" : "", - (action & KAUTH_VNODE_EXECUTE) ? vnode_isdir(vp) ? " SEARCH" : " EXECUTE" : "", - (action & KAUTH_VNODE_DELETE) ? " DELETE" : "", - (action & KAUTH_VNODE_APPEND_DATA) ? vnode_isdir(vp) ? " ADD_SUBDIRECTORY" : " APPEND_DATA" : "", - (action & KAUTH_VNODE_DELETE_CHILD) ? " DELETE_CHILD" : "", - (action & KAUTH_VNODE_READ_ATTRIBUTES) ? " READ_ATTRIBUTES" : "", - (action & KAUTH_VNODE_WRITE_ATTRIBUTES) ? " WRITE_ATTRIBUTES" : "", - (action & KAUTH_VNODE_READ_EXTATTRIBUTES) ? " READ_EXTATTRIBUTES" : "", - (action & KAUTH_VNODE_WRITE_EXTATTRIBUTES) ? " WRITE_EXTATTRIBUTES" : "", - (action & KAUTH_VNODE_READ_SECURITY) ? " READ_SECURITY" : "", - (action & KAUTH_VNODE_WRITE_SECURITY) ? " WRITE_SECURITY" : "", - (action & KAUTH_VNODE_CHANGE_OWNER) ? " CHANGE_OWNER" : "", - (action & KAUTH_VNODE_NOIMMUTABLE) ? " (noimmutable)" : "", - vnode_isdir(vp) ? "directory" : "file", - vp->v_name ? vp->v_name : "", action, vp, dvp); + /* world permissions */ + needed = 0; + if (action & VREAD) + needed |= S_IROTH; + if (action & VWRITE) + needed |= S_IWOTH; + if (action & VEXEC) + needed |= S_IXOTH; + world_ok = (needed & vap->va_mode) == needed; - /* - * Extract the control bits from the action, everything else is - * requested rights. - */ - noimmutable = (action & KAUTH_VNODE_NOIMMUTABLE) ? 1 : 0; - rights = action & ~(KAUTH_VNODE_ACCESS | KAUTH_VNODE_NOIMMUTABLE); - - if (rights & KAUTH_VNODE_DELETE) { -#if DIAGNOSTIC - if (dvp == NULL) - panic("vnode_authorize: KAUTH_VNODE_DELETE test requires a directory"); -#endif - /* - * check to see if we've already authorized the parent - * directory for deletion of its children... if so, we - * can skip a whole bunch of work... we will still have to - * authorize that this specific child can be removed - */ - if (vnode_cache_is_authorized(dvp, ctx, KAUTH_VNODE_DELETE_CHILD) == TRUE) - parent_authorized_for_delete_child = TRUE; - } else { - dvp = NULL; - } - - /* - * Check for read-only filesystems. - */ - if ((rights & KAUTH_VNODE_WRITE_RIGHTS) && - (vp->v_mount->mnt_flag & MNT_RDONLY) && - ((vp->v_type == VREG) || (vp->v_type == VDIR) || - (vp->v_type == VLNK) || (vp->v_type == VCPLX) || - (rights & KAUTH_VNODE_DELETE) || (rights & KAUTH_VNODE_DELETE_CHILD))) { - result = EROFS; + /* If granted/denied by all three, we're done */ + if (owner_ok && group_ok && world_ok) { + _SETWHERE("all"); goto out; } - - /* - * Check for noexec filesystems. - */ - if ((rights & KAUTH_VNODE_EXECUTE) && (vp->v_type == VREG) && (vp->v_mount->mnt_flag & MNT_NOEXEC)) { - result = EACCES; + if (!owner_ok && !group_ok && !world_ok) { + _SETWHERE("all"); + error = EACCES; goto out; } - /* - * Handle cases related to filesystems with non-local enforcement. - * This call can return 0, in which case we will fall through to perform a - * check based on VNOP_GETATTR data. Otherwise it returns 1 and sets - * an appropriate result, at which point we can return immediately. - */ - if ((vp->v_mount->mnt_kern_flag & MNTK_AUTH_OPAQUE) && vnode_authorize_opaque(vp, &result, action, ctx)) + /* Check ownership (relatively cheap) */ + if ((on_dir && vauth_dir_owner(vcp)) || + (!on_dir && vauth_file_owner(vcp))) { + _SETWHERE("user"); + if (!owner_ok) + error = EACCES; goto out; + } - /* - * Get vnode attributes and extended security information for the vnode - * and directory if required. - */ - VATTR_WANTED(&va, va_mode); - VATTR_WANTED(&va, va_uid); - VATTR_WANTED(&va, va_gid); - VATTR_WANTED(&va, va_flags); - VATTR_WANTED(&va, va_acl); - if ((result = vnode_getattr(vp, &va, ctx)) != 0) { - KAUTH_DEBUG("%p ERROR - failed to get vnode attributes - %d", vp, result); + /* Not owner; if group and world both grant it we're done */ + if (group_ok && world_ok) { + _SETWHERE("group/world"); goto out; } - if (dvp && parent_authorized_for_delete_child == FALSE) { - VATTR_WANTED(&dva, va_mode); - VATTR_WANTED(&dva, va_uid); - VATTR_WANTED(&dva, va_gid); - VATTR_WANTED(&dva, va_flags); - VATTR_WANTED(&dva, va_acl); - if ((result = vnode_getattr(dvp, &dva, ctx)) != 0) { - KAUTH_DEBUG("%p ERROR - failed to get directory vnode attributes - %d", vp, result); - goto out; - } + if (!group_ok && !world_ok) { + _SETWHERE("group/world"); + error = EACCES; + goto out; } - /* - * If the vnode is an extended attribute data vnode (eg. a resource fork), *_DATA becomes - * *_EXTATTRIBUTES. - */ - if (vnode_isnamedstream(vp)) { - if (rights & KAUTH_VNODE_READ_DATA) { - rights &= ~KAUTH_VNODE_READ_DATA; - rights |= KAUTH_VNODE_READ_EXTATTRIBUTES; - } - if (rights & KAUTH_VNODE_WRITE_DATA) { - rights &= ~KAUTH_VNODE_WRITE_DATA; - rights |= KAUTH_VNODE_WRITE_EXTATTRIBUTES; - } - } + /* Check group membership (most expensive) */ + ismember = 0; /* Default to allow, if the target has no group owner */ /* - * Point 'vp' to the resource fork's parent for ACL checking + * In the case we can't get an answer about the user from the call to + * vauth_dir_ingroup() or vauth_file_ingroup(), we want to fail on + * the side of caution, rather than simply granting access, or we will + * fail to correctly implement exclusion groups, so we set the third + * parameter on the basis of the state of 'group_ok'. */ - if (vnode_isnamedstream(vp) && - (vp->v_parent != NULL) && - (vget_internal(vp->v_parent, 0, VNODE_NODEAD) == 0)) { - parent_ref = TRUE; - vcp->vp = vp = vp->v_parent; - if (VATTR_IS_SUPPORTED(&va, va_acl) && (va.va_acl != NULL)) - kauth_acl_free(va.va_acl); - VATTR_INIT(&va); - VATTR_WANTED(&va, va_mode); - VATTR_WANTED(&va, va_uid); - VATTR_WANTED(&va, va_gid); - VATTR_WANTED(&va, va_flags); - VATTR_WANTED(&va, va_acl); - if ((result = vnode_getattr(vp, &va, ctx)) != 0) - goto out; + if (on_dir) { + error = vauth_dir_ingroup(vcp, &ismember, (!group_ok ? EACCES : 0)); + } else { + error = vauth_file_ingroup(vcp, &ismember, (!group_ok ? EACCES : 0)); } - - /* - * Check for immutability. - * - * In the deletion case, parent directory immutability vetoes specific - * file rights. - */ - if ((result = vnode_authorize_checkimmutable(vp, &va, rights, noimmutable)) != 0) - goto out; - if ((rights & KAUTH_VNODE_DELETE) && - parent_authorized_for_delete_child == FALSE && - ((result = vnode_authorize_checkimmutable(dvp, &dva, KAUTH_VNODE_DELETE_CHILD, 0)) != 0)) - goto out; - - /* - * Clear rights that have been authorized by reaching this point, bail if nothing left to - * check. - */ - rights &= ~(KAUTH_VNODE_LINKTARGET | KAUTH_VNODE_CHECKIMMUTABLE); - if (rights == 0) + if (error) { + if (!group_ok) + ismember = 1; + error = 0; + } + if (ismember) { + _SETWHERE("group"); + if (!group_ok) + error = EACCES; goto out; + } - /* - * If we're not the superuser, authorize based on file properties; - * note that even if parent_authorized_for_delete_child is TRUE, we - * need to check on the node itself. - */ - if (!vfs_context_issuser(ctx)) { - /* process delete rights */ - if ((rights & KAUTH_VNODE_DELETE) && - ((result = vnode_authorize_delete(vcp, parent_authorized_for_delete_child)) != 0)) - goto out; + /* Not owner, not in group, use world result */ + _SETWHERE("world"); + if (!world_ok) + error = EACCES; - /* process remaining rights */ - if ((rights & ~KAUTH_VNODE_DELETE) && - (result = vnode_authorize_simple(vcp, rights, rights & KAUTH_VNODE_DELETE, &found_deny)) != 0) - goto out; - } else { + /* FALLTHROUGH */ - /* - * Execute is only granted to root if one of the x bits is set. This check only - * makes sense if the posix mode bits are actually supported. - */ - if ((rights & KAUTH_VNODE_EXECUTE) && - (vp->v_type == VREG) && - VATTR_IS_SUPPORTED(&va, va_mode) && - !(va.va_mode & (S_IXUSR | S_IXGRP | S_IXOTH))) { - result = EPERM; - KAUTH_DEBUG("%p DENIED - root execute requires at least one x bit in 0x%x", vp, va.va_mode); - goto out; - } - - KAUTH_DEBUG("%p ALLOWED - caller is superuser", vp); - } +out: + KAUTH_DEBUG("%p %s - posix %s permissions : need %s%s%s %x have %s%s%s%s%s%s%s%s%s UID = %d file = %d,%d", + vcp->vp, (error == 0) ? "ALLOWED" : "DENIED", where, + (action & VREAD) ? "r" : "-", + (action & VWRITE) ? "w" : "-", + (action & VEXEC) ? "x" : "-", + needed, + (vap->va_mode & S_IRUSR) ? "r" : "-", + (vap->va_mode & S_IWUSR) ? "w" : "-", + (vap->va_mode & S_IXUSR) ? "x" : "-", + (vap->va_mode & S_IRGRP) ? "r" : "-", + (vap->va_mode & S_IWGRP) ? "w" : "-", + (vap->va_mode & S_IXGRP) ? "x" : "-", + (vap->va_mode & S_IROTH) ? "r" : "-", + (vap->va_mode & S_IWOTH) ? "w" : "-", + (vap->va_mode & S_IXOTH) ? "x" : "-", + kauth_cred_getuid(vcp->ctx->vc_ucred), + on_dir ? vcp->dvap->va_uid : vcp->vap->va_uid, + on_dir ? vcp->dvap->va_gid : vcp->vap->va_gid); + return(error); +} + +/* + * Authorize the deletion of the node vp from the directory dvp. + * + * We assume that: + * - Neither the node nor the directory are immutable. + * - The user is not the superuser. + * + * Deletion is not permitted if the directory is sticky and the caller is + * not owner of the node or directory. + * + * If either the node grants DELETE, or the directory grants DELETE_CHILD, + * the node may be deleted. If neither denies the permission, and the + * caller has Posix write access to the directory, then the node may be + * deleted. + * + * As an optimization, we cache whether or not delete child is permitted + * on directories without the sticky bit set. + */ +int +vnode_authorize_delete(vauth_ctx vcp, boolean_t cached_delete_child); +/*static*/ int +vnode_authorize_delete(vauth_ctx vcp, boolean_t cached_delete_child) +{ + struct vnode_attr *vap = vcp->vap; + struct vnode_attr *dvap = vcp->dvap; + kauth_cred_t cred = vcp->ctx->vc_ucred; + struct kauth_acl_eval eval; + int error, delete_denied, delete_child_denied, ismember; + + /* check the ACL on the directory */ + delete_child_denied = 0; + if (!cached_delete_child && VATTR_IS_NOT(dvap, va_acl, NULL)) { + eval.ae_requested = KAUTH_VNODE_DELETE_CHILD; + eval.ae_acl = &dvap->va_acl->acl_ace[0]; + eval.ae_count = dvap->va_acl->acl_entrycount; + eval.ae_options = 0; + if (vauth_dir_owner(vcp)) + eval.ae_options |= KAUTH_AEVAL_IS_OWNER; + /* + * We use ENOENT as a marker to indicate we could not get + * information in order to delay evaluation until after we + * have the ACL evaluation answer. Previously, we would + * always deny the operation at this point. + */ + if ((error = vauth_dir_ingroup(vcp, &ismember, ENOENT)) != 0 && error != ENOENT) + return(error); + if (error == ENOENT) + eval.ae_options |= KAUTH_AEVAL_IN_GROUP_UNKNOWN; + else if (ismember) + eval.ae_options |= KAUTH_AEVAL_IN_GROUP; + eval.ae_exp_gall = KAUTH_VNODE_GENERIC_ALL_BITS; + eval.ae_exp_gread = KAUTH_VNODE_GENERIC_READ_BITS; + eval.ae_exp_gwrite = KAUTH_VNODE_GENERIC_WRITE_BITS; + eval.ae_exp_gexec = KAUTH_VNODE_GENERIC_EXECUTE_BITS; + + /* + * If there is no entry, we are going to defer to other + * authorization mechanisms. + */ + error = kauth_acl_evaluate(cred, &eval); + + if (error != 0) { + KAUTH_DEBUG("%p ERROR during ACL processing - %d", vcp->vp, error); + return(error); + } + switch(eval.ae_result) { + case KAUTH_RESULT_DENY: + delete_child_denied = 1; + break; + /* FALLSTHROUGH */ + case KAUTH_RESULT_ALLOW: + KAUTH_DEBUG("%p ALLOWED - granted by directory ACL", vcp->vp); + return(0); + case KAUTH_RESULT_DEFER: + default: + /* Effectively the same as !delete_child_denied */ + KAUTH_DEBUG("%p DEFERRED - directory ACL", vcp->vp); + break; + } + } + + /* check the ACL on the node */ + delete_denied = 0; + if (VATTR_IS_NOT(vap, va_acl, NULL)) { + eval.ae_requested = KAUTH_VNODE_DELETE; + eval.ae_acl = &vap->va_acl->acl_ace[0]; + eval.ae_count = vap->va_acl->acl_entrycount; + eval.ae_options = 0; + if (vauth_file_owner(vcp)) + eval.ae_options |= KAUTH_AEVAL_IS_OWNER; + /* + * We use ENOENT as a marker to indicate we could not get + * information in order to delay evaluation until after we + * have the ACL evaluation answer. Previously, we would + * always deny the operation at this point. + */ + if ((error = vauth_file_ingroup(vcp, &ismember, ENOENT)) != 0 && error != ENOENT) + return(error); + if (error == ENOENT) + eval.ae_options |= KAUTH_AEVAL_IN_GROUP_UNKNOWN; + else if (ismember) + eval.ae_options |= KAUTH_AEVAL_IN_GROUP; + eval.ae_exp_gall = KAUTH_VNODE_GENERIC_ALL_BITS; + eval.ae_exp_gread = KAUTH_VNODE_GENERIC_READ_BITS; + eval.ae_exp_gwrite = KAUTH_VNODE_GENERIC_WRITE_BITS; + eval.ae_exp_gexec = KAUTH_VNODE_GENERIC_EXECUTE_BITS; + + if ((error = kauth_acl_evaluate(cred, &eval)) != 0) { + KAUTH_DEBUG("%p ERROR during ACL processing - %d", vcp->vp, error); + return(error); + } + + switch(eval.ae_result) { + case KAUTH_RESULT_DENY: + delete_denied = 1; + break; + case KAUTH_RESULT_ALLOW: + KAUTH_DEBUG("%p ALLOWED - granted by file ACL", vcp->vp); + return(0); + case KAUTH_RESULT_DEFER: + default: + /* Effectively the same as !delete_child_denied */ + KAUTH_DEBUG("%p DEFERRED%s - by file ACL", vcp->vp, delete_denied ? "(DENY)" : ""); + break; + } + } + + /* if denied by ACL on directory or node, return denial */ + if (delete_denied || delete_child_denied) { + KAUTH_DEBUG("%p DENIED - denied by ACL", vcp->vp); + return(EACCES); + } + + /* enforce sticky bit behaviour */ + if ((dvap->va_mode & S_ISTXT) && !vauth_file_owner(vcp) && !vauth_dir_owner(vcp)) { + KAUTH_DEBUG("%p DENIED - sticky bit rules (user %d file %d dir %d)", + vcp->vp, cred->cr_posix.cr_uid, vap->va_uid, dvap->va_uid); + return(EACCES); + } + + /* check the directory */ + if (!cached_delete_child && (error = vnode_authorize_posix(vcp, VWRITE, 1 /* on_dir */)) != 0) { + KAUTH_DEBUG("%p DENIED - denied by posix permisssions", vcp->vp); + return(error); + } + + /* not denied, must be OK */ + return(0); +} + + +/* + * Authorize an operation based on the node's attributes. + */ +static int +vnode_authorize_simple(vauth_ctx vcp, kauth_ace_rights_t acl_rights, kauth_ace_rights_t preauth_rights, boolean_t *found_deny) +{ + struct vnode_attr *vap = vcp->vap; + kauth_cred_t cred = vcp->ctx->vc_ucred; + struct kauth_acl_eval eval; + int error, ismember; + mode_t posix_action; + + /* + * If we are the file owner, we automatically have some rights. + * + * Do we need to expand this to support group ownership? + */ + if (vauth_file_owner(vcp)) + acl_rights &= ~(KAUTH_VNODE_WRITE_SECURITY); + + /* + * If we are checking both TAKE_OWNERSHIP and WRITE_SECURITY, we can + * mask the latter. If TAKE_OWNERSHIP is requested the caller is about to + * change ownership to themselves, and WRITE_SECURITY is implicitly + * granted to the owner. We need to do this because at this point + * WRITE_SECURITY may not be granted as the caller is not currently + * the owner. + */ + if ((acl_rights & KAUTH_VNODE_TAKE_OWNERSHIP) && + (acl_rights & KAUTH_VNODE_WRITE_SECURITY)) + acl_rights &= ~KAUTH_VNODE_WRITE_SECURITY; + + if (acl_rights == 0) { + KAUTH_DEBUG("%p ALLOWED - implicit or no rights required", vcp->vp); + return(0); + } + + /* if we have an ACL, evaluate it */ + if (VATTR_IS_NOT(vap, va_acl, NULL)) { + eval.ae_requested = acl_rights; + eval.ae_acl = &vap->va_acl->acl_ace[0]; + eval.ae_count = vap->va_acl->acl_entrycount; + eval.ae_options = 0; + if (vauth_file_owner(vcp)) + eval.ae_options |= KAUTH_AEVAL_IS_OWNER; + /* + * We use ENOENT as a marker to indicate we could not get + * information in order to delay evaluation until after we + * have the ACL evaluation answer. Previously, we would + * always deny the operation at this point. + */ + if ((error = vauth_file_ingroup(vcp, &ismember, ENOENT)) != 0 && error != ENOENT) + return(error); + if (error == ENOENT) + eval.ae_options |= KAUTH_AEVAL_IN_GROUP_UNKNOWN; + else if (ismember) + eval.ae_options |= KAUTH_AEVAL_IN_GROUP; + eval.ae_exp_gall = KAUTH_VNODE_GENERIC_ALL_BITS; + eval.ae_exp_gread = KAUTH_VNODE_GENERIC_READ_BITS; + eval.ae_exp_gwrite = KAUTH_VNODE_GENERIC_WRITE_BITS; + eval.ae_exp_gexec = KAUTH_VNODE_GENERIC_EXECUTE_BITS; + + if ((error = kauth_acl_evaluate(cred, &eval)) != 0) { + KAUTH_DEBUG("%p ERROR during ACL processing - %d", vcp->vp, error); + return(error); + } + + switch(eval.ae_result) { + case KAUTH_RESULT_DENY: + KAUTH_DEBUG("%p DENIED - by ACL", vcp->vp); + return(EACCES); /* deny, deny, counter-allege */ + case KAUTH_RESULT_ALLOW: + KAUTH_DEBUG("%p ALLOWED - all rights granted by ACL", vcp->vp); + return(0); + case KAUTH_RESULT_DEFER: + default: + /* Effectively the same as !delete_child_denied */ + KAUTH_DEBUG("%p DEFERRED - directory ACL", vcp->vp); + break; + } + + *found_deny = eval.ae_found_deny; + + /* fall through and evaluate residual rights */ + } else { + /* no ACL, everything is residual */ + eval.ae_residual = acl_rights; + } + + /* + * Grant residual rights that have been pre-authorized. + */ + eval.ae_residual &= ~preauth_rights; + + /* + * We grant WRITE_ATTRIBUTES to the owner if it hasn't been denied. + */ + if (vauth_file_owner(vcp)) + eval.ae_residual &= ~KAUTH_VNODE_WRITE_ATTRIBUTES; + + if (eval.ae_residual == 0) { + KAUTH_DEBUG("%p ALLOWED - rights already authorized", vcp->vp); + return(0); + } + + /* + * Bail if we have residual rights that can't be granted by posix permissions, + * or aren't presumed granted at this point. + * + * XXX these can be collapsed for performance + */ + if (eval.ae_residual & KAUTH_VNODE_CHANGE_OWNER) { + KAUTH_DEBUG("%p DENIED - CHANGE_OWNER not permitted", vcp->vp); + return(EACCES); + } + if (eval.ae_residual & KAUTH_VNODE_WRITE_SECURITY) { + KAUTH_DEBUG("%p DENIED - WRITE_SECURITY not permitted", vcp->vp); + return(EACCES); + } + +#if DIAGNOSTIC + if (eval.ae_residual & KAUTH_VNODE_DELETE) + panic("vnode_authorize: can't be checking delete permission here"); +#endif + + /* + * Compute the fallback posix permissions that will satisfy the remaining + * rights. + */ + posix_action = 0; + if (eval.ae_residual & (KAUTH_VNODE_READ_DATA | + KAUTH_VNODE_LIST_DIRECTORY | + KAUTH_VNODE_READ_EXTATTRIBUTES)) + posix_action |= VREAD; + if (eval.ae_residual & (KAUTH_VNODE_WRITE_DATA | + KAUTH_VNODE_ADD_FILE | + KAUTH_VNODE_ADD_SUBDIRECTORY | + KAUTH_VNODE_DELETE_CHILD | + KAUTH_VNODE_WRITE_ATTRIBUTES | + KAUTH_VNODE_WRITE_EXTATTRIBUTES)) + posix_action |= VWRITE; + if (eval.ae_residual & (KAUTH_VNODE_EXECUTE | + KAUTH_VNODE_SEARCH)) + posix_action |= VEXEC; + + if (posix_action != 0) { + return(vnode_authorize_posix(vcp, posix_action, 0 /* !on_dir */)); + } else { + KAUTH_DEBUG("%p ALLOWED - residual rights %s%s%s%s%s%s%s%s%s%s%s%s%s%s granted due to no posix mapping", + vcp->vp, + (eval.ae_residual & KAUTH_VNODE_READ_DATA) + ? vnode_isdir(vcp->vp) ? " LIST_DIRECTORY" : " READ_DATA" : "", + (eval.ae_residual & KAUTH_VNODE_WRITE_DATA) + ? vnode_isdir(vcp->vp) ? " ADD_FILE" : " WRITE_DATA" : "", + (eval.ae_residual & KAUTH_VNODE_EXECUTE) + ? vnode_isdir(vcp->vp) ? " SEARCH" : " EXECUTE" : "", + (eval.ae_residual & KAUTH_VNODE_DELETE) + ? " DELETE" : "", + (eval.ae_residual & KAUTH_VNODE_APPEND_DATA) + ? vnode_isdir(vcp->vp) ? " ADD_SUBDIRECTORY" : " APPEND_DATA" : "", + (eval.ae_residual & KAUTH_VNODE_DELETE_CHILD) + ? " DELETE_CHILD" : "", + (eval.ae_residual & KAUTH_VNODE_READ_ATTRIBUTES) + ? " READ_ATTRIBUTES" : "", + (eval.ae_residual & KAUTH_VNODE_WRITE_ATTRIBUTES) + ? " WRITE_ATTRIBUTES" : "", + (eval.ae_residual & KAUTH_VNODE_READ_EXTATTRIBUTES) + ? " READ_EXTATTRIBUTES" : "", + (eval.ae_residual & KAUTH_VNODE_WRITE_EXTATTRIBUTES) + ? " WRITE_EXTATTRIBUTES" : "", + (eval.ae_residual & KAUTH_VNODE_READ_SECURITY) + ? " READ_SECURITY" : "", + (eval.ae_residual & KAUTH_VNODE_WRITE_SECURITY) + ? " WRITE_SECURITY" : "", + (eval.ae_residual & KAUTH_VNODE_CHECKIMMUTABLE) + ? " CHECKIMMUTABLE" : "", + (eval.ae_residual & KAUTH_VNODE_CHANGE_OWNER) + ? " CHANGE_OWNER" : ""); + } + + /* + * Lack of required Posix permissions implies no reason to deny access. + */ + return(0); +} + +/* + * Check for file immutability. + */ +static int +vnode_authorize_checkimmutable(vnode_t vp, struct vnode_attr *vap, int rights, int ignore) +{ + mount_t mp; + int error; + int append; + + /* + * Perform immutability checks for operations that change data. + * + * Sockets, fifos and devices require special handling. + */ + switch(vp->v_type) { + case VSOCK: + case VFIFO: + case VBLK: + case VCHR: + /* + * Writing to these nodes does not change the filesystem data, + * so forget that it's being tried. + */ + rights &= ~KAUTH_VNODE_WRITE_DATA; + break; + default: + break; + } + + error = 0; + if (rights & KAUTH_VNODE_WRITE_RIGHTS) { + + /* check per-filesystem options if possible */ + mp = vp->v_mount; + if (mp != NULL) { + + /* check for no-EA filesystems */ + if ((rights & KAUTH_VNODE_WRITE_EXTATTRIBUTES) && + (vfs_flags(mp) & MNT_NOUSERXATTR)) { + KAUTH_DEBUG("%p DENIED - filesystem disallowed extended attributes", vp); + error = EACCES; /* User attributes disabled */ + goto out; + } + } + + /* + * check for file immutability. first, check if the requested rights are + * allowable for a UF_APPEND file. + */ + append = 0; + if (vp->v_type == VDIR) { + if ((rights & (KAUTH_VNODE_ADD_FILE | KAUTH_VNODE_ADD_SUBDIRECTORY | KAUTH_VNODE_WRITE_EXTATTRIBUTES)) == rights) + append = 1; + } else { + if ((rights & (KAUTH_VNODE_APPEND_DATA | KAUTH_VNODE_WRITE_EXTATTRIBUTES)) == rights) + append = 1; + } + if ((error = vnode_immutable(vap, append, ignore)) != 0) { + KAUTH_DEBUG("%p DENIED - file is immutable", vp); + goto out; + } + } +out: + return(error); +} + +/* + * Handle authorization actions for filesystems that advertise that the + * server will be enforcing. + * + * Returns: 0 Authorization should be handled locally + * 1 Authorization was handled by the FS + * + * Note: Imputed returns will only occur if the authorization request + * was handled by the FS. + * + * Imputed: *resultp, modified Return code from FS when the request is + * handled by the FS. + * VNOP_ACCESS:??? + * VNOP_OPEN:??? + */ +static int +vnode_authorize_opaque(vnode_t vp, int *resultp, kauth_action_t action, vfs_context_t ctx) +{ + int error; + + /* + * If the vp is a device node, socket or FIFO it actually represents a local + * endpoint, so we need to handle it locally. + */ + switch(vp->v_type) { + case VBLK: + case VCHR: + case VSOCK: + case VFIFO: + return(0); + default: + break; + } + + /* + * In the advisory request case, if the filesystem doesn't think it's reliable + * we will attempt to formulate a result ourselves based on VNOP_GETATTR data. + */ + if ((action & KAUTH_VNODE_ACCESS) && !vfs_authopaqueaccess(vp->v_mount)) + return(0); + + /* + * Let the filesystem have a say in the matter. It's OK for it to not implemnent + * VNOP_ACCESS, as most will authorise inline with the actual request. + */ + if ((error = VNOP_ACCESS(vp, action, ctx)) != ENOTSUP) { + *resultp = error; + KAUTH_DEBUG("%p DENIED - opaque filesystem VNOP_ACCESS denied access", vp); + return(1); + } + + /* + * Typically opaque filesystems do authorisation in-line, but exec is a special case. In + * order to be reasonably sure that exec will be permitted, we try a bit harder here. + */ + if ((action & KAUTH_VNODE_EXECUTE) && (vp->v_type == VREG)) { + /* try a VNOP_OPEN for readonly access */ + if ((error = VNOP_OPEN(vp, FREAD, ctx)) != 0) { + *resultp = error; + KAUTH_DEBUG("%p DENIED - EXECUTE denied because file could not be opened readonly", vp); + return(1); + } + VNOP_CLOSE(vp, FREAD, ctx); + } + + /* + * We don't have any reason to believe that the request has to be denied at this point, + * so go ahead and allow it. + */ + *resultp = 0; + KAUTH_DEBUG("%p ALLOWED - bypassing access check for non-local filesystem", vp); + return(1); +} + + + + +/* + * Returns: KAUTH_RESULT_ALLOW + * KAUTH_RESULT_DENY + * + * Imputed: *arg3, modified Error code in the deny case + * EROFS Read-only file system + * EACCES Permission denied + * EPERM Operation not permitted [no execute] + * vnode_getattr:ENOMEM Not enough space [only if has filesec] + * vnode_getattr:??? + * vnode_authorize_opaque:*arg2 ??? + * vnode_authorize_checkimmutable:??? + * vnode_authorize_delete:??? + * vnode_authorize_simple:??? + */ + + +static int +vnode_authorize_callback(kauth_cred_t cred, void *idata, kauth_action_t action, + uintptr_t arg0, uintptr_t arg1, uintptr_t arg2, uintptr_t arg3) +{ + vfs_context_t ctx; + vnode_t cvp = NULLVP; + vnode_t vp, dvp; + int result = KAUTH_RESULT_DENY; + int parent_iocount = 0; + int parent_action; /* In case we need to use namedstream's data fork for cached rights*/ + + ctx = (vfs_context_t)arg0; + vp = (vnode_t)arg1; + dvp = (vnode_t)arg2; + + /* + * if there are 2 vnodes passed in, we don't know at + * this point which rights to look at based on the + * combined action being passed in... defer until later... + * otherwise check the kauth 'rights' cache hung + * off of the vnode we're interested in... if we've already + * been granted the right we're currently interested in, + * we can just return success... otherwise we'll go through + * the process of authorizing the requested right(s)... if that + * succeeds, we'll add the right(s) to the cache. + * VNOP_SETATTR and VNOP_SETXATTR will invalidate this cache + */ + if (dvp && vp) + goto defer; + if (dvp) { + cvp = dvp; + } else { + /* + * For named streams on local-authorization volumes, rights are cached on the parent; + * authorization is determined by looking at the parent's properties anyway, so storing + * on the parent means that we don't recompute for the named stream and that if + * we need to flush rights (e.g. on VNOP_SETATTR()) we don't need to track down the + * stream to flush its cache separately. If we miss in the cache, then we authorize + * as if there were no cached rights (passing the named stream vnode and desired rights to + * vnode_authorize_callback_int()). + * + * On an opaquely authorized volume, we don't know the relationship between the + * data fork's properties and the rights granted on a stream. Thus, named stream vnodes + * on such a volume are authorized directly (rather than using the parent) and have their + * own caches. When a named stream vnode is created, we mark the parent as having a named + * stream. On a VNOP_SETATTR() for the parent that may invalidate cached authorization, we + * find the stream and flush its cache. + */ + if (vnode_isnamedstream(vp) && (!vfs_authopaque(vp->v_mount))) { + cvp = vnode_getparent(vp); + if (cvp != NULLVP) { + parent_iocount = 1; + } else { + cvp = NULL; + goto defer; /* If we can't use the parent, take the slow path */ + } + + /* Have to translate some actions */ + parent_action = action; + if (parent_action & KAUTH_VNODE_READ_DATA) { + parent_action &= ~KAUTH_VNODE_READ_DATA; + parent_action |= KAUTH_VNODE_READ_EXTATTRIBUTES; + } + if (parent_action & KAUTH_VNODE_WRITE_DATA) { + parent_action &= ~KAUTH_VNODE_WRITE_DATA; + parent_action |= KAUTH_VNODE_WRITE_EXTATTRIBUTES; + } + + } else { + cvp = vp; + } + } + + if (vnode_cache_is_authorized(cvp, ctx, parent_iocount ? parent_action : action) == TRUE) { + result = KAUTH_RESULT_ALLOW; + goto out; + } +defer: + result = vnode_authorize_callback_int(cred, idata, action, arg0, arg1, arg2, arg3); + + if (result == KAUTH_RESULT_ALLOW && cvp != NULLVP) { + KAUTH_DEBUG("%p - caching action = %x", cvp, action); + vnode_cache_authorized_action(cvp, ctx, action); + } + +out: + if (parent_iocount) { + vnode_put(cvp); + } + + return result; +} + + +static int +vnode_authorize_callback_int(__unused kauth_cred_t unused_cred, __unused void *idata, kauth_action_t action, + uintptr_t arg0, uintptr_t arg1, uintptr_t arg2, uintptr_t arg3) +{ + struct _vnode_authorize_context auth_context; + vauth_ctx vcp; + vfs_context_t ctx; + vnode_t vp, dvp; + kauth_cred_t cred; + kauth_ace_rights_t rights; + struct vnode_attr va, dva; + int result; + int *errorp; + int noimmutable; + boolean_t parent_authorized_for_delete_child = FALSE; + boolean_t found_deny = FALSE; + boolean_t parent_ref= FALSE; + + vcp = &auth_context; + ctx = vcp->ctx = (vfs_context_t)arg0; + vp = vcp->vp = (vnode_t)arg1; + dvp = vcp->dvp = (vnode_t)arg2; + errorp = (int *)arg3; + /* + * Note that we authorize against the context, not the passed cred + * (the same thing anyway) + */ + cred = ctx->vc_ucred; + + VATTR_INIT(&va); + vcp->vap = &va; + VATTR_INIT(&dva); + vcp->dvap = &dva; + + vcp->flags = vcp->flags_valid = 0; + +#if DIAGNOSTIC + if ((ctx == NULL) || (vp == NULL) || (cred == NULL)) + panic("vnode_authorize: bad arguments (context %p vp %p cred %p)", ctx, vp, cred); +#endif + + KAUTH_DEBUG("%p AUTH - %s %s%s%s%s%s%s%s%s%s%s%s%s%s%s%s on %s '%s' (0x%x:%p/%p)", + vp, vfs_context_proc(ctx)->p_comm, + (action & KAUTH_VNODE_ACCESS) ? "access" : "auth", + (action & KAUTH_VNODE_READ_DATA) ? vnode_isdir(vp) ? " LIST_DIRECTORY" : " READ_DATA" : "", + (action & KAUTH_VNODE_WRITE_DATA) ? vnode_isdir(vp) ? " ADD_FILE" : " WRITE_DATA" : "", + (action & KAUTH_VNODE_EXECUTE) ? vnode_isdir(vp) ? " SEARCH" : " EXECUTE" : "", + (action & KAUTH_VNODE_DELETE) ? " DELETE" : "", + (action & KAUTH_VNODE_APPEND_DATA) ? vnode_isdir(vp) ? " ADD_SUBDIRECTORY" : " APPEND_DATA" : "", + (action & KAUTH_VNODE_DELETE_CHILD) ? " DELETE_CHILD" : "", + (action & KAUTH_VNODE_READ_ATTRIBUTES) ? " READ_ATTRIBUTES" : "", + (action & KAUTH_VNODE_WRITE_ATTRIBUTES) ? " WRITE_ATTRIBUTES" : "", + (action & KAUTH_VNODE_READ_EXTATTRIBUTES) ? " READ_EXTATTRIBUTES" : "", + (action & KAUTH_VNODE_WRITE_EXTATTRIBUTES) ? " WRITE_EXTATTRIBUTES" : "", + (action & KAUTH_VNODE_READ_SECURITY) ? " READ_SECURITY" : "", + (action & KAUTH_VNODE_WRITE_SECURITY) ? " WRITE_SECURITY" : "", + (action & KAUTH_VNODE_CHANGE_OWNER) ? " CHANGE_OWNER" : "", + (action & KAUTH_VNODE_NOIMMUTABLE) ? " (noimmutable)" : "", + vnode_isdir(vp) ? "directory" : "file", + vp->v_name ? vp->v_name : "", action, vp, dvp); + + /* + * Extract the control bits from the action, everything else is + * requested rights. + */ + noimmutable = (action & KAUTH_VNODE_NOIMMUTABLE) ? 1 : 0; + rights = action & ~(KAUTH_VNODE_ACCESS | KAUTH_VNODE_NOIMMUTABLE); + + if (rights & KAUTH_VNODE_DELETE) { +#if DIAGNOSTIC + if (dvp == NULL) + panic("vnode_authorize: KAUTH_VNODE_DELETE test requires a directory"); +#endif + /* + * check to see if we've already authorized the parent + * directory for deletion of its children... if so, we + * can skip a whole bunch of work... we will still have to + * authorize that this specific child can be removed + */ + if (vnode_cache_is_authorized(dvp, ctx, KAUTH_VNODE_DELETE_CHILD) == TRUE) + parent_authorized_for_delete_child = TRUE; + } else { + dvp = NULL; + } + + /* + * Check for read-only filesystems. + */ + if ((rights & KAUTH_VNODE_WRITE_RIGHTS) && + (vp->v_mount->mnt_flag & MNT_RDONLY) && + ((vp->v_type == VREG) || (vp->v_type == VDIR) || + (vp->v_type == VLNK) || (vp->v_type == VCPLX) || + (rights & KAUTH_VNODE_DELETE) || (rights & KAUTH_VNODE_DELETE_CHILD))) { + result = EROFS; + goto out; + } + + /* + * Check for noexec filesystems. + */ + if ((rights & KAUTH_VNODE_EXECUTE) && (vp->v_type == VREG) && (vp->v_mount->mnt_flag & MNT_NOEXEC)) { + result = EACCES; + goto out; + } + + /* + * Handle cases related to filesystems with non-local enforcement. + * This call can return 0, in which case we will fall through to perform a + * check based on VNOP_GETATTR data. Otherwise it returns 1 and sets + * an appropriate result, at which point we can return immediately. + */ + if ((vp->v_mount->mnt_kern_flag & MNTK_AUTH_OPAQUE) && vnode_authorize_opaque(vp, &result, action, ctx)) + goto out; + + /* + * Get vnode attributes and extended security information for the vnode + * and directory if required. + */ + VATTR_WANTED(&va, va_mode); + VATTR_WANTED(&va, va_uid); + VATTR_WANTED(&va, va_gid); + VATTR_WANTED(&va, va_flags); + VATTR_WANTED(&va, va_acl); + if ((result = vnode_getattr(vp, &va, ctx)) != 0) { + KAUTH_DEBUG("%p ERROR - failed to get vnode attributes - %d", vp, result); + goto out; + } + if (dvp) { + VATTR_WANTED(&dva, va_mode); + VATTR_WANTED(&dva, va_uid); + VATTR_WANTED(&dva, va_gid); + VATTR_WANTED(&dva, va_flags); + VATTR_WANTED(&dva, va_acl); + if ((result = vnode_getattr(dvp, &dva, ctx)) != 0) { + KAUTH_DEBUG("%p ERROR - failed to get directory vnode attributes - %d", vp, result); + goto out; + } + } + + /* + * If the vnode is an extended attribute data vnode (eg. a resource fork), *_DATA becomes + * *_EXTATTRIBUTES. + */ + if (vnode_isnamedstream(vp)) { + if (rights & KAUTH_VNODE_READ_DATA) { + rights &= ~KAUTH_VNODE_READ_DATA; + rights |= KAUTH_VNODE_READ_EXTATTRIBUTES; + } + if (rights & KAUTH_VNODE_WRITE_DATA) { + rights &= ~KAUTH_VNODE_WRITE_DATA; + rights |= KAUTH_VNODE_WRITE_EXTATTRIBUTES; + } + } + + /* + * Point 'vp' to the resource fork's parent for ACL checking + */ + if (vnode_isnamedstream(vp) && + (vp->v_parent != NULL) && + (vget_internal(vp->v_parent, 0, VNODE_NODEAD | VNODE_DRAINO) == 0)) { + parent_ref = TRUE; + vcp->vp = vp = vp->v_parent; + if (VATTR_IS_SUPPORTED(&va, va_acl) && (va.va_acl != NULL)) + kauth_acl_free(va.va_acl); + VATTR_INIT(&va); + VATTR_WANTED(&va, va_mode); + VATTR_WANTED(&va, va_uid); + VATTR_WANTED(&va, va_gid); + VATTR_WANTED(&va, va_flags); + VATTR_WANTED(&va, va_acl); + if ((result = vnode_getattr(vp, &va, ctx)) != 0) + goto out; + } + + /* + * Check for immutability. + * + * In the deletion case, parent directory immutability vetoes specific + * file rights. + */ + if ((result = vnode_authorize_checkimmutable(vp, &va, rights, noimmutable)) != 0) + goto out; + if ((rights & KAUTH_VNODE_DELETE) && + parent_authorized_for_delete_child == FALSE && + ((result = vnode_authorize_checkimmutable(dvp, &dva, KAUTH_VNODE_DELETE_CHILD, 0)) != 0)) + goto out; + + /* + * Clear rights that have been authorized by reaching this point, bail if nothing left to + * check. + */ + rights &= ~(KAUTH_VNODE_LINKTARGET | KAUTH_VNODE_CHECKIMMUTABLE); + if (rights == 0) + goto out; + + /* + * If we're not the superuser, authorize based on file properties; + * note that even if parent_authorized_for_delete_child is TRUE, we + * need to check on the node itself. + */ + if (!vfs_context_issuser(ctx)) { + /* process delete rights */ + if ((rights & KAUTH_VNODE_DELETE) && + ((result = vnode_authorize_delete(vcp, parent_authorized_for_delete_child)) != 0)) + goto out; + + /* process remaining rights */ + if ((rights & ~KAUTH_VNODE_DELETE) && + (result = vnode_authorize_simple(vcp, rights, rights & KAUTH_VNODE_DELETE, &found_deny)) != 0) + goto out; + } else { + + /* + * Execute is only granted to root if one of the x bits is set. This check only + * makes sense if the posix mode bits are actually supported. + */ + if ((rights & KAUTH_VNODE_EXECUTE) && + (vp->v_type == VREG) && + VATTR_IS_SUPPORTED(&va, va_mode) && + !(va.va_mode & (S_IXUSR | S_IXGRP | S_IXOTH))) { + result = EPERM; + KAUTH_DEBUG("%p DENIED - root execute requires at least one x bit in 0x%x", vp, va.va_mode); + goto out; + } + + KAUTH_DEBUG("%p ALLOWED - caller is superuser", vp); + } out: if (VATTR_IS_SUPPORTED(&va, va_acl) && (va.va_acl != NULL)) kauth_acl_free(va.va_acl); @@ -5986,6 +7004,7 @@ out: if (VATTR_IS_SUPPORTED(&dva, va_mode) && !(dva.va_mode & (S_ISVTX))) { /* OK to cache delete rights */ + KAUTH_DEBUG("%p - caching DELETE_CHILD rights", dvp); vnode_cache_authorized_action(dvp, ctx, KAUTH_VNODE_DELETE_CHILD); } } @@ -5999,12 +7018,18 @@ out: return(KAUTH_RESULT_ALLOW); } +int +vnode_authattr_new(vnode_t dvp, struct vnode_attr *vap, int noauth, vfs_context_t ctx) +{ + return vnode_authattr_new_internal(dvp, vap, noauth, NULL, ctx); +} + /* * Check that the attribute information in vattr can be legally applied to * a new file by the context. */ -int -vnode_authattr_new(vnode_t dvp, struct vnode_attr *vap, int noauth, vfs_context_t ctx) +static int +vnode_authattr_new_internal(vnode_t dvp, struct vnode_attr *vap, int noauth, uint32_t *defaulted_fieldsp, vfs_context_t ctx) { int error; int has_priv_suser, ismember, defaulted_owner, defaulted_group, defaulted_mode; @@ -6013,6 +7038,11 @@ vnode_authattr_new(vnode_t dvp, struct vnode_attr *vap, int noauth, vfs_context_ mount_t dmp; error = 0; + + if (defaulted_fieldsp) { + *defaulted_fieldsp = 0; + } + defaulted_owner = defaulted_group = defaulted_mode = 0; /* @@ -6195,6 +7225,17 @@ vnode_authattr_new(vnode_t dvp, struct vnode_attr *vap, int noauth, vfs_context_ } } out: + if (defaulted_fieldsp) { + if (defaulted_mode) { + *defaulted_fieldsp |= VATTR_PREPARE_DEFAULTED_MODE; + } + if (defaulted_group) { + *defaulted_fieldsp |= VATTR_PREPARE_DEFAULTED_GID; + } + if (defaulted_owner) { + *defaulted_fieldsp |= VATTR_PREPARE_DEFAULTED_UID; + } + } return(error); } @@ -6292,6 +7333,14 @@ vnode_authattr(vnode_t vp, struct vnode_attr *vap, kauth_action_t *actionp, vfs_ VATTR_WANTED(&ova, va_flags); } + /* + * If ACLs are being changed, we need the old ACLs. + */ + if (VATTR_IS_ACTIVE(vap, va_acl)) { + KAUTH_DEBUG("ATTR - acl changing, fetching old flags"); + VATTR_WANTED(&ova, va_acl); + } + /* * If the size is being set, make sure it's not a directory. */ @@ -6406,634 +7455,1269 @@ vnode_authattr(vnode_t vp, struct vnode_attr *vap, kauth_action_t *actionp, vfs_ goto out; } } - } - - /* - * Can't set the setuid bit unless you're root or the file's owner. - */ - if (vap->va_mode & S_ISUID) { - required_action |= KAUTH_VNODE_CHECKIMMUTABLE; /* always required */ - if (!has_priv_suser) { - if (VATTR_IS_ACTIVE(vap, va_uid)) { - owner = vap->va_uid; - } else if (VATTR_IS_SUPPORTED(&ova, va_uid)) { - owner = ova.va_uid; - } else { - KAUTH_DEBUG("ATTR - ERROR: setuid but no uid available"); - error = EINVAL; - goto out; - } - if (owner != kauth_cred_getuid(cred)) { - /* - * We could allow this if WRITE_SECURITY is permitted, perhaps. - */ - KAUTH_DEBUG("ATTR - ERROR: illegal attempt to set the setuid bit"); - error = EPERM; - goto out; - } + } + + /* + * Can't set the setuid bit unless you're root or the file's owner. + */ + if (vap->va_mode & S_ISUID) { + required_action |= KAUTH_VNODE_CHECKIMMUTABLE; /* always required */ + if (!has_priv_suser) { + if (VATTR_IS_ACTIVE(vap, va_uid)) { + owner = vap->va_uid; + } else if (VATTR_IS_SUPPORTED(&ova, va_uid)) { + owner = ova.va_uid; + } else { + KAUTH_DEBUG("ATTR - ERROR: setuid but no uid available"); + error = EINVAL; + goto out; + } + if (owner != kauth_cred_getuid(cred)) { + /* + * We could allow this if WRITE_SECURITY is permitted, perhaps. + */ + KAUTH_DEBUG("ATTR - ERROR: illegal attempt to set the setuid bit"); + error = EPERM; + goto out; + } + } + } + } + + /* + * Validate/mask flags changes. This checks that only the flags in + * the UF_SETTABLE mask are being set, and preserves the flags in + * the SF_SETTABLE case. + * + * Since flags changes may be made in conjunction with other changes, + * we will ask the auth code to ignore immutability in the case that + * the SF_* flags are not set and we are only manipulating the file flags. + * + */ + if (VATTR_IS_ACTIVE(vap, va_flags)) { + /* compute changing flags bits */ + if (VATTR_IS_SUPPORTED(&ova, va_flags)) { + fdelta = vap->va_flags ^ ova.va_flags; + } else { + fdelta = vap->va_flags; + } + + if (fdelta != 0) { + KAUTH_DEBUG("ATTR - flags changing, requiring WRITE_SECURITY"); + required_action |= KAUTH_VNODE_WRITE_SECURITY; + + /* check that changing bits are legal */ + if (has_priv_suser) { + /* + * The immutability check will prevent us from clearing the SF_* + * flags unless the system securelevel permits it, so just check + * for legal flags here. + */ + if (fdelta & ~(UF_SETTABLE | SF_SETTABLE)) { + error = EPERM; + KAUTH_DEBUG(" DENIED - superuser attempt to set illegal flag(s)"); + goto out; + } + } else { + if (fdelta & ~UF_SETTABLE) { + error = EPERM; + KAUTH_DEBUG(" DENIED - user attempt to set illegal flag(s)"); + goto out; + } + } + /* + * If the caller has the ability to manipulate file flags, + * security is not reduced by ignoring them for this operation. + * + * A more complete test here would consider the 'after' states of the flags + * to determine whether it would permit the operation, but this becomes + * very complex. + * + * Ignoring immutability is conditional on securelevel; this does not bypass + * the SF_* flags if securelevel > 0. + */ + required_action |= KAUTH_VNODE_NOIMMUTABLE; + } + } + + /* + * Validate ownership information. + */ + chowner = 0; + chgroup = 0; + clear_suid = 0; + clear_sgid = 0; + + /* + * uid changing + * Note that if the filesystem didn't give us a UID, we expect that it doesn't + * support them in general, and will ignore it if/when we try to set it. + * We might want to clear the uid out of vap completely here. + */ + if (VATTR_IS_ACTIVE(vap, va_uid)) { + if (VATTR_IS_SUPPORTED(&ova, va_uid) && (vap->va_uid != ova.va_uid)) { + if (!has_priv_suser && (kauth_cred_getuid(cred) != vap->va_uid)) { + KAUTH_DEBUG(" DENIED - non-superuser cannot change ownershipt to a third party"); + error = EPERM; + goto out; + } + chowner = 1; + } + clear_suid = 1; + } + + /* + * gid changing + * Note that if the filesystem didn't give us a GID, we expect that it doesn't + * support them in general, and will ignore it if/when we try to set it. + * We might want to clear the gid out of vap completely here. + */ + if (VATTR_IS_ACTIVE(vap, va_gid)) { + if (VATTR_IS_SUPPORTED(&ova, va_gid) && (vap->va_gid != ova.va_gid)) { + if (!has_priv_suser) { + if ((error = kauth_cred_ismember_gid(cred, vap->va_gid, &ismember)) != 0) { + KAUTH_DEBUG(" ERROR - got %d checking for membership in %d", error, vap->va_gid); + goto out; + } + if (!ismember) { + KAUTH_DEBUG(" DENIED - group change from %d to %d but not a member of target group", + ova.va_gid, vap->va_gid); + error = EPERM; + goto out; + } + } + chgroup = 1; + } + clear_sgid = 1; + } + + /* + * Owner UUID being set or changed. + */ + if (VATTR_IS_ACTIVE(vap, va_uuuid)) { + /* if the owner UUID is not actually changing ... */ + if (VATTR_IS_SUPPORTED(&ova, va_uuuid)) { + if (kauth_guid_equal(&vap->va_uuuid, &ova.va_uuuid)) + goto no_uuuid_change; + + /* + * If the current owner UUID is a null GUID, check + * it against the UUID corresponding to the owner UID. + */ + if (kauth_guid_equal(&ova.va_uuuid, &kauth_null_guid) && + VATTR_IS_SUPPORTED(&ova, va_uid)) { + guid_t uid_guid; + + if (kauth_cred_uid2guid(ova.va_uid, &uid_guid) == 0 && + kauth_guid_equal(&vap->va_uuuid, &uid_guid)) + goto no_uuuid_change; + } + } + + /* + * The owner UUID cannot be set by a non-superuser to anything other than + * their own or a null GUID (to "unset" the owner UUID). + * Note that file systems must be prepared to handle the + * null UUID case in a manner appropriate for that file + * system. + */ + if (!has_priv_suser) { + if ((error = kauth_cred_getguid(cred, &changer)) != 0) { + KAUTH_DEBUG(" ERROR - got %d trying to get caller UUID", error); + /* XXX ENOENT here - no UUID - should perhaps become EPERM */ + goto out; + } + if (!kauth_guid_equal(&vap->va_uuuid, &changer) && + !kauth_guid_equal(&vap->va_uuuid, &kauth_null_guid)) { + KAUTH_DEBUG(" ERROR - cannot set supplied owner UUID - not us / null"); + error = EPERM; + goto out; + } + } + chowner = 1; + clear_suid = 1; + } +no_uuuid_change: + /* + * Group UUID being set or changed. + */ + if (VATTR_IS_ACTIVE(vap, va_guuid)) { + /* if the group UUID is not actually changing ... */ + if (VATTR_IS_SUPPORTED(&ova, va_guuid)) { + if (kauth_guid_equal(&vap->va_guuid, &ova.va_guuid)) + goto no_guuid_change; + + /* + * If the current group UUID is a null UUID, check + * it against the UUID corresponding to the group GID. + */ + if (kauth_guid_equal(&ova.va_guuid, &kauth_null_guid) && + VATTR_IS_SUPPORTED(&ova, va_gid)) { + guid_t gid_guid; + + if (kauth_cred_gid2guid(ova.va_gid, &gid_guid) == 0 && + kauth_guid_equal(&vap->va_guuid, &gid_guid)) + goto no_guuid_change; + } + } + + /* + * The group UUID cannot be set by a non-superuser to anything other than + * one of which they are a member or a null GUID (to "unset" + * the group UUID). + * Note that file systems must be prepared to handle the + * null UUID case in a manner appropriate for that file + * system. + */ + if (!has_priv_suser) { + if (kauth_guid_equal(&vap->va_guuid, &kauth_null_guid)) + ismember = 1; + else if ((error = kauth_cred_ismember_guid(cred, &vap->va_guuid, &ismember)) != 0) { + KAUTH_DEBUG(" ERROR - got %d trying to check group membership", error); + goto out; + } + if (!ismember) { + KAUTH_DEBUG(" ERROR - cannot set supplied group UUID - not a member / null"); + error = EPERM; + goto out; } } + chgroup = 1; } - +no_guuid_change: + /* - * Validate/mask flags changes. This checks that only the flags in - * the UF_SETTABLE mask are being set, and preserves the flags in - * the SF_SETTABLE case. - * - * Since flags changes may be made in conjunction with other changes, - * we will ask the auth code to ignore immutability in the case that - * the SF_* flags are not set and we are only manipulating the file flags. - * + * Compute authorisation for group/ownership changes. */ - if (VATTR_IS_ACTIVE(vap, va_flags)) { - /* compute changing flags bits */ - if (VATTR_IS_SUPPORTED(&ova, va_flags)) { - fdelta = vap->va_flags ^ ova.va_flags; + if (chowner || chgroup || clear_suid || clear_sgid) { + if (has_priv_suser) { + KAUTH_DEBUG("ATTR - superuser changing file owner/group, requiring immutability check"); + required_action |= KAUTH_VNODE_CHECKIMMUTABLE; } else { - fdelta = vap->va_flags; + if (chowner) { + KAUTH_DEBUG("ATTR - ownership change, requiring TAKE_OWNERSHIP"); + required_action |= KAUTH_VNODE_TAKE_OWNERSHIP; + } + if (chgroup && !chowner) { + KAUTH_DEBUG("ATTR - group change, requiring WRITE_SECURITY"); + required_action |= KAUTH_VNODE_WRITE_SECURITY; + } + + /* clear set-uid and set-gid bits as required by Posix */ + if (VATTR_IS_ACTIVE(vap, va_mode)) { + newmode = vap->va_mode; + } else if (VATTR_IS_SUPPORTED(&ova, va_mode)) { + newmode = ova.va_mode; + } else { + KAUTH_DEBUG("CHOWN - trying to change owner but cannot get mode from filesystem to mask setugid bits"); + newmode = 0; + } + if (newmode & (S_ISUID | S_ISGID)) { + VATTR_SET(vap, va_mode, newmode & ~(S_ISUID | S_ISGID)); + KAUTH_DEBUG("CHOWN - masking setugid bits from mode %o to %o", newmode, vap->va_mode); + } } + } - if (fdelta != 0) { - KAUTH_DEBUG("ATTR - flags changing, requiring WRITE_SECURITY"); + /* + * Authorise changes in the ACL. + */ + if (VATTR_IS_ACTIVE(vap, va_acl)) { + + /* no existing ACL */ + if (!VATTR_IS_ACTIVE(&ova, va_acl) || (ova.va_acl == NULL)) { + + /* adding an ACL */ + if (vap->va_acl != NULL) { + required_action |= KAUTH_VNODE_WRITE_SECURITY; + KAUTH_DEBUG("CHMOD - adding ACL"); + } + + /* removing an existing ACL */ + } else if (vap->va_acl == NULL) { required_action |= KAUTH_VNODE_WRITE_SECURITY; + KAUTH_DEBUG("CHMOD - removing ACL"); - /* check that changing bits are legal */ - if (has_priv_suser) { - /* - * The immutability check will prevent us from clearing the SF_* - * flags unless the system securelevel permits it, so just check - * for legal flags here. - */ - if (fdelta & ~(UF_SETTABLE | SF_SETTABLE)) { - error = EPERM; - KAUTH_DEBUG(" DENIED - superuser attempt to set illegal flag(s)"); - goto out; - } - } else { - if (fdelta & ~UF_SETTABLE) { - error = EPERM; - KAUTH_DEBUG(" DENIED - user attempt to set illegal flag(s)"); - goto out; + /* updating an existing ACL */ + } else { + if (vap->va_acl->acl_entrycount != ova.va_acl->acl_entrycount) { + /* entry count changed, must be different */ + required_action |= KAUTH_VNODE_WRITE_SECURITY; + KAUTH_DEBUG("CHMOD - adding/removing ACL entries"); + } else if (vap->va_acl->acl_entrycount > 0) { + /* both ACLs have the same ACE count, said count is 1 or more, bitwise compare ACLs */ + if (memcmp(&vap->va_acl->acl_ace[0], &ova.va_acl->acl_ace[0], + sizeof(struct kauth_ace) * vap->va_acl->acl_entrycount)) { + required_action |= KAUTH_VNODE_WRITE_SECURITY; + KAUTH_DEBUG("CHMOD - changing ACL entries"); } } - /* - * If the caller has the ability to manipulate file flags, - * security is not reduced by ignoring them for this operation. - * - * A more complete test here would consider the 'after' states of the flags - * to determine whether it would permit the operation, but this becomes - * very complex. - * - * Ignoring immutability is conditional on securelevel; this does not bypass - * the SF_* flags if securelevel > 0. - */ - required_action |= KAUTH_VNODE_NOIMMUTABLE; } } /* - * Validate ownership information. + * Other attributes that require authorisation. */ - chowner = 0; - chgroup = 0; - clear_suid = 0; - clear_sgid = 0; + if (VATTR_IS_ACTIVE(vap, va_encoding)) + required_action |= KAUTH_VNODE_WRITE_ATTRIBUTES; + +out: + if (VATTR_IS_SUPPORTED(&ova, va_acl) && (ova.va_acl != NULL)) + kauth_acl_free(ova.va_acl); + if (error == 0) + *actionp = required_action; + return(error); +} + +static int +setlocklocal_callback(struct vnode *vp, __unused void *cargs) +{ + vnode_lock_spin(vp); + vp->v_flag |= VLOCKLOCAL; + vnode_unlock(vp); + + return (VNODE_RETURNED); +} + +void +vfs_setlocklocal(mount_t mp) +{ + mount_lock_spin(mp); + mp->mnt_kern_flag |= MNTK_LOCK_LOCAL; + mount_unlock(mp); /* - * uid changing - * Note that if the filesystem didn't give us a UID, we expect that it doesn't - * support them in general, and will ignore it if/when we try to set it. - * We might want to clear the uid out of vap completely here. + * The number of active vnodes is expected to be + * very small when vfs_setlocklocal is invoked. */ - if (VATTR_IS_ACTIVE(vap, va_uid)) { - if (VATTR_IS_SUPPORTED(&ova, va_uid) && (vap->va_uid != ova.va_uid)) { - if (!has_priv_suser && (kauth_cred_getuid(cred) != vap->va_uid)) { - KAUTH_DEBUG(" DENIED - non-superuser cannot change ownershipt to a third party"); - error = EPERM; - goto out; - } - chowner = 1; - } - clear_suid = 1; + vnode_iterate(mp, 0, setlocklocal_callback, NULL); +} + +void +vfs_setunmountpreflight(mount_t mp) +{ + mount_lock_spin(mp); + mp->mnt_kern_flag |= MNTK_UNMOUNT_PREFLIGHT; + mount_unlock(mp); +} + +void +vfs_setcompoundopen(mount_t mp) +{ + mount_lock_spin(mp); + mp->mnt_compound_ops |= COMPOUND_VNOP_OPEN; + mount_unlock(mp); +} + +void +vn_setunionwait(vnode_t vp) +{ + vnode_lock_spin(vp); + vp->v_flag |= VISUNION; + vnode_unlock(vp); +} + + +void +vn_checkunionwait(vnode_t vp) +{ + vnode_lock_spin(vp); + while ((vp->v_flag & VISUNION) == VISUNION) + msleep((caddr_t)&vp->v_flag, &vp->v_lock, 0, 0, 0); + vnode_unlock(vp); +} + +void +vn_clearunionwait(vnode_t vp, int locked) +{ + if (!locked) + vnode_lock_spin(vp); + if((vp->v_flag & VISUNION) == VISUNION) { + vp->v_flag &= ~VISUNION; + wakeup((caddr_t)&vp->v_flag); } - + if (!locked) + vnode_unlock(vp); +} + +/* + * XXX - get "don't trigger mounts" flag for thread; used by autofs. + */ +extern int thread_notrigger(void); + +int +thread_notrigger(void) +{ + struct uthread *uth = (struct uthread *)get_bsdthread_info(current_thread()); + return (uth->uu_notrigger); +} + +/* + * Removes orphaned apple double files during a rmdir + * Works by: + * 1. vnode_suspend(). + * 2. Call VNOP_READDIR() till the end of directory is reached. + * 3. Check if the directory entries returned are regular files with name starting with "._". If not, return ENOTEMPTY. + * 4. Continue (2) and (3) till end of directory is reached. + * 5. If all the entries in the directory were files with "._" name, delete all the files. + * 6. vnode_resume() + * 7. If deletion of all files succeeded, call VNOP_RMDIR() again. + */ + +errno_t rmdir_remove_orphaned_appleDouble(vnode_t vp , vfs_context_t ctx, int * restart_flag) +{ + +#define UIO_BUFF_SIZE 2048 + uio_t auio = NULL; + int eofflag, siz = UIO_BUFF_SIZE, nentries = 0; + int open_flag = 0, full_erase_flag = 0; + char uio_buf[ UIO_SIZEOF(1) ]; + char *rbuf = NULL, *cpos, *cend; + struct nameidata nd_temp; + struct dirent *dp; + errno_t error; + + error = vnode_suspend(vp); + /* - * gid changing - * Note that if the filesystem didn't give us a GID, we expect that it doesn't - * support them in general, and will ignore it if/when we try to set it. - * We might want to clear the gid out of vap completely here. + * restart_flag is set so that the calling rmdir sleeps and resets */ - if (VATTR_IS_ACTIVE(vap, va_gid)) { - if (VATTR_IS_SUPPORTED(&ova, va_gid) && (vap->va_gid != ova.va_gid)) { - if (!has_priv_suser) { - if ((error = kauth_cred_ismember_gid(cred, vap->va_gid, &ismember)) != 0) { - KAUTH_DEBUG(" ERROR - got %d checking for membership in %d", error, vap->va_gid); - goto out; - } - if (!ismember) { - KAUTH_DEBUG(" DENIED - group change from %d to %d but not a member of target group", - ova.va_gid, vap->va_gid); - error = EPERM; - goto out; - } - } - chgroup = 1; - } - clear_sgid = 1; + if (error == EBUSY) + *restart_flag = 1; + if (error != 0) + goto outsc; + + /* + * set up UIO + */ + MALLOC(rbuf, caddr_t, siz, M_TEMP, M_WAITOK); + if (rbuf) + auio = uio_createwithbuffer(1, 0, UIO_SYSSPACE, UIO_READ, + &uio_buf[0], sizeof(uio_buf)); + if (!rbuf || !auio) { + error = ENOMEM; + goto outsc; } + uio_setoffset(auio,0); + + eofflag = 0; + + if ((error = VNOP_OPEN(vp, FREAD, ctx))) + goto outsc; + else + open_flag = 1; + /* - * Owner UUID being set or changed. + * First pass checks if all files are appleDouble files. */ - if (VATTR_IS_ACTIVE(vap, va_uuuid)) { - /* if the owner UUID is not actually changing ... */ - if (VATTR_IS_SUPPORTED(&ova, va_uuuid)) { - if (kauth_guid_equal(&vap->va_uuuid, &ova.va_uuuid)) - goto no_uuuid_change; - + + do { + siz = UIO_BUFF_SIZE; + uio_reset(auio, uio_offset(auio), UIO_SYSSPACE, UIO_READ); + uio_addiov(auio, CAST_USER_ADDR_T(rbuf), UIO_BUFF_SIZE); + + if((error = VNOP_READDIR(vp, auio, 0, &eofflag, &nentries, ctx))) + goto outsc; + + if (uio_resid(auio) != 0) + siz -= uio_resid(auio); + + /* + * Iterate through directory + */ + cpos = rbuf; + cend = rbuf + siz; + dp = (struct dirent*) cpos; + + if (cpos == cend) + eofflag = 1; + + while ((cpos < cend)) { /* - * If the current owner UUID is a null GUID, check - * it against the UUID corresponding to the owner UID. + * Check for . and .. as well as directories */ - if (kauth_guid_equal(&ova.va_uuuid, &kauth_null_guid) && - VATTR_IS_SUPPORTED(&ova, va_uid)) { - guid_t uid_guid; - - if (kauth_cred_uid2guid(ova.va_uid, &uid_guid) == 0 && - kauth_guid_equal(&vap->va_uuuid, &uid_guid)) - goto no_uuuid_change; + if (dp->d_ino != 0 && + !((dp->d_namlen == 1 && dp->d_name[0] == '.') || + (dp->d_namlen == 2 && dp->d_name[0] == '.' && dp->d_name[1] == '.'))) { + /* + * Check for irregular files and ._ files + * If there is a ._._ file abort the op + */ + if ( dp->d_namlen < 2 || + strncmp(dp->d_name,"._",2) || + (dp->d_namlen >= 4 && !strncmp(&(dp->d_name[2]), "._",2))) { + error = ENOTEMPTY; + goto outsc; + } } + cpos += dp->d_reclen; + dp = (struct dirent*)cpos; } /* - * The owner UUID cannot be set by a non-superuser to anything other than - * their own or a null GUID (to "unset" the owner UUID). - * Note that file systems must be prepared to handle the - * null UUID case in a manner appropriate for that file - * system. + * workaround for HFS/NFS setting eofflag before end of file */ - if (!has_priv_suser) { - if ((error = kauth_cred_getguid(cred, &changer)) != 0) { - KAUTH_DEBUG(" ERROR - got %d trying to get caller UUID", error); - /* XXX ENOENT here - no UUID - should perhaps become EPERM */ - goto out; - } - if (!kauth_guid_equal(&vap->va_uuuid, &changer) && - !kauth_guid_equal(&vap->va_uuuid, &kauth_null_guid)) { - KAUTH_DEBUG(" ERROR - cannot set supplied owner UUID - not us / null"); - error = EPERM; - goto out; + if (vp->v_tag == VT_HFS && nentries > 2) + eofflag=0; + + if (vp->v_tag == VT_NFS) { + if (eofflag && !full_erase_flag) { + full_erase_flag = 1; + eofflag = 0; + uio_reset(auio, 0, UIO_SYSSPACE, UIO_READ); } + else if (!eofflag && full_erase_flag) + full_erase_flag = 0; } - chowner = 1; - clear_suid = 1; - } -no_uuuid_change: + + } while (!eofflag); /* - * Group UUID being set or changed. + * If we've made it here all the files in the dir are ._ files. + * We can delete the files even though the node is suspended + * because we are the owner of the file. */ - if (VATTR_IS_ACTIVE(vap, va_guuid)) { - /* if the group UUID is not actually changing ... */ - if (VATTR_IS_SUPPORTED(&ova, va_guuid)) { - if (kauth_guid_equal(&vap->va_guuid, &ova.va_guuid)) - goto no_guuid_change; + uio_reset(auio, 0, UIO_SYSSPACE, UIO_READ); + eofflag = 0; + full_erase_flag = 0; + + do { + siz = UIO_BUFF_SIZE; + uio_reset(auio, uio_offset(auio), UIO_SYSSPACE, UIO_READ); + uio_addiov(auio, CAST_USER_ADDR_T(rbuf), UIO_BUFF_SIZE); + + error = VNOP_READDIR(vp, auio, 0, &eofflag, &nentries, ctx); + + if (error != 0) + goto outsc; + + if (uio_resid(auio) != 0) + siz -= uio_resid(auio); + + /* + * Iterate through directory + */ + cpos = rbuf; + cend = rbuf + siz; + dp = (struct dirent*) cpos; + + if (cpos == cend) + eofflag = 1; + + while ((cpos < cend)) { /* - * If the current group UUID is a null UUID, check - * it against the UUID corresponding to the group GID. + * Check for . and .. as well as directories */ - if (kauth_guid_equal(&ova.va_guuid, &kauth_null_guid) && - VATTR_IS_SUPPORTED(&ova, va_gid)) { - guid_t gid_guid; + if (dp->d_ino != 0 && + !((dp->d_namlen == 1 && dp->d_name[0] == '.') || + (dp->d_namlen == 2 && dp->d_name[0] == '.' && dp->d_name[1] == '.')) + ) { + + NDINIT(&nd_temp, DELETE, OP_UNLINK, USEDVP, + UIO_SYSSPACE, CAST_USER_ADDR_T(dp->d_name), + ctx); + nd_temp.ni_dvp = vp; + error = unlink1(ctx, &nd_temp, VNODE_REMOVE_SKIP_NAMESPACE_EVENT); + + if (error && error != ENOENT) { + goto outsc; + } - if (kauth_cred_gid2guid(ova.va_gid, &gid_guid) == 0 && - kauth_guid_equal(&vap->va_guuid, &gid_guid)) - goto no_guuid_change; } + cpos += dp->d_reclen; + dp = (struct dirent*)cpos; } - + /* - * The group UUID cannot be set by a non-superuser to anything other than - * one of which they are a member or a null GUID (to "unset" - * the group UUID). - * Note that file systems must be prepared to handle the - * null UUID case in a manner appropriate for that file - * system. + * workaround for HFS/NFS setting eofflag before end of file */ - if (!has_priv_suser) { - if (kauth_guid_equal(&vap->va_guuid, &kauth_null_guid)) - ismember = 1; - else if ((error = kauth_cred_ismember_guid(cred, &vap->va_guuid, &ismember)) != 0) { - KAUTH_DEBUG(" ERROR - got %d trying to check group membership", error); - goto out; - } - if (!ismember) { - KAUTH_DEBUG(" ERROR - cannot set supplied group UUID - not a member / null"); - error = EPERM; - goto out; - } - } - chgroup = 1; - } -no_guuid_change: - - /* - * Compute authorisation for group/ownership changes. - */ - if (chowner || chgroup || clear_suid || clear_sgid) { - if (has_priv_suser) { - KAUTH_DEBUG("ATTR - superuser changing file owner/group, requiring immutability check"); - required_action |= KAUTH_VNODE_CHECKIMMUTABLE; - } else { - if (chowner) { - KAUTH_DEBUG("ATTR - ownership change, requiring TAKE_OWNERSHIP"); - required_action |= KAUTH_VNODE_TAKE_OWNERSHIP; - } - if (chgroup && !chowner) { - KAUTH_DEBUG("ATTR - group change, requiring WRITE_SECURITY"); - required_action |= KAUTH_VNODE_WRITE_SECURITY; - } - - /* clear set-uid and set-gid bits as required by Posix */ - if (VATTR_IS_ACTIVE(vap, va_mode)) { - newmode = vap->va_mode; - } else if (VATTR_IS_SUPPORTED(&ova, va_mode)) { - newmode = ova.va_mode; - } else { - KAUTH_DEBUG("CHOWN - trying to change owner but cannot get mode from filesystem to mask setugid bits"); - newmode = 0; - } - if (newmode & (S_ISUID | S_ISGID)) { - VATTR_SET(vap, va_mode, newmode & ~(S_ISUID | S_ISGID)); - KAUTH_DEBUG("CHOWN - masking setugid bits from mode %o to %o", newmode, vap->va_mode); + if (vp->v_tag == VT_HFS && nentries > 2) + eofflag=0; + + if (vp->v_tag == VT_NFS) { + if (eofflag && !full_erase_flag) { + full_erase_flag = 1; + eofflag = 0; + uio_reset(auio, 0, UIO_SYSSPACE, UIO_READ); } + else if (!eofflag && full_erase_flag) + full_erase_flag = 0; } + + } while (!eofflag); + + + error = 0; + +outsc: + if (open_flag) + VNOP_CLOSE(vp, FREAD, ctx); + + uio_free(auio); + FREE(rbuf, M_TEMP); + + vnode_resume(vp); + + + return(error); + +} + + +void +lock_vnode_and_post(vnode_t vp, int kevent_num) +{ + /* Only take the lock if there's something there! */ + if (vp->v_knotes.slh_first != NULL) { + vnode_lock(vp); + KNOTE(&vp->v_knotes, kevent_num); + vnode_unlock(vp); } +} - /* - * Authorise changes in the ACL. - */ - if (VATTR_IS_ACTIVE(vap, va_acl)) { +#ifdef JOE_DEBUG +static void record_vp(vnode_t vp, int count) { + struct uthread *ut; - /* no existing ACL */ - if (!VATTR_IS_ACTIVE(&ova, va_acl) || (ova.va_acl == NULL)) { +#if CONFIG_TRIGGERS + if (vp->v_resolve) + return; +#endif + if ((vp->v_flag & VSYSTEM)) + return; - /* adding an ACL */ - if (vap->va_acl != NULL) { - required_action |= KAUTH_VNODE_WRITE_SECURITY; - KAUTH_DEBUG("CHMOD - adding ACL"); - } + ut = get_bsdthread_info(current_thread()); + ut->uu_iocount += count; - /* removing an existing ACL */ - } else if (vap->va_acl == NULL) { - required_action |= KAUTH_VNODE_WRITE_SECURITY; - KAUTH_DEBUG("CHMOD - removing ACL"); + if (count == 1) { + if (ut->uu_vpindex < 32) { + OSBacktrace((void **)&ut->uu_pcs[ut->uu_vpindex][0], 10); - /* updating an existing ACL */ - } else { - if (vap->va_acl->acl_entrycount != ova.va_acl->acl_entrycount) { - /* entry count changed, must be different */ - required_action |= KAUTH_VNODE_WRITE_SECURITY; - KAUTH_DEBUG("CHMOD - adding/removing ACL entries"); - } else if (vap->va_acl->acl_entrycount > 0) { - /* both ACLs have the same ACE count, said count is 1 or more, bitwise compare ACLs */ - if (!memcmp(&vap->va_acl->acl_ace[0], &ova.va_acl->acl_ace[0], - sizeof(struct kauth_ace) * vap->va_acl->acl_entrycount)) { - required_action |= KAUTH_VNODE_WRITE_SECURITY; - KAUTH_DEBUG("CHMOD - changing ACL entries"); - } - } + ut->uu_vps[ut->uu_vpindex] = vp; + ut->uu_vpindex++; } } +} +#endif + + +#if CONFIG_TRIGGERS + +#define TRIG_DEBUG 0 +#if TRIG_DEBUG +#define TRIG_LOG(...) do { printf("%s: ", __FUNCTION__); printf(__VA_ARGS__); } while (0) +#else +#define TRIG_LOG(...) +#endif + +/* + * Resolver result functions + */ + +resolver_result_t +vfs_resolver_result(uint32_t seq, enum resolver_status stat, int aux) +{ /* - * Other attributes that require authorisation. + * |<--- 32 --->|<--- 28 --->|<- 4 ->| + * sequence auxiliary status */ - if (VATTR_IS_ACTIVE(vap, va_encoding)) - required_action |= KAUTH_VNODE_WRITE_ATTRIBUTES; - -out: - if (VATTR_IS_SUPPORTED(&ova, va_acl) && (ova.va_acl != NULL)) - kauth_acl_free(ova.va_acl); - if (error == 0) - *actionp = required_action; - return(error); + return (((uint64_t)seq) << 32) | + (((uint64_t)(aux & 0x0fffffff)) << 4) | + (uint64_t)(stat & 0x0000000F); } +enum resolver_status +vfs_resolver_status(resolver_result_t result) +{ + /* lower 4 bits is status */ + return (result & 0x0000000F); +} -void -vfs_setlocklocal(mount_t mp) +uint32_t +vfs_resolver_sequence(resolver_result_t result) { - vnode_t vp; - - mount_lock(mp); - mp->mnt_kern_flag |= MNTK_LOCK_LOCAL; + /* upper 32 bits is sequence */ + return (uint32_t)(result >> 32); +} - /* - * We do not expect anyone to be using any vnodes at the - * time this routine is called. So no need for vnode locking - */ - TAILQ_FOREACH(vp, &mp->mnt_vnodelist, v_mntvnodes) { - vp->v_flag |= VLOCKLOCAL; +int +vfs_resolver_auxiliary(resolver_result_t result) +{ + /* 28 bits of auxiliary */ + return (int)(((uint32_t)(result & 0xFFFFFFF0)) >> 4); +} + +/* + * SPI + * Call in for resolvers to update vnode trigger state + */ +int +vnode_trigger_update(vnode_t vp, resolver_result_t result) +{ + vnode_resolve_t rp; + uint32_t seq; + enum resolver_status stat; + + if (vp->v_resolve == NULL) { + return (EINVAL); } - TAILQ_FOREACH(vp, &mp->mnt_workerqueue, v_mntvnodes) { - vp->v_flag |= VLOCKLOCAL; + + stat = vfs_resolver_status(result); + seq = vfs_resolver_sequence(result); + + if ((stat != RESOLVER_RESOLVED) && (stat != RESOLVER_UNRESOLVED)) { + return (EINVAL); } - TAILQ_FOREACH(vp, &mp->mnt_newvnodes, v_mntvnodes) { - vp->v_flag |= VLOCKLOCAL; + + rp = vp->v_resolve; + lck_mtx_lock(&rp->vr_lock); + + if (seq > rp->vr_lastseq) { + if (stat == RESOLVER_RESOLVED) + rp->vr_flags |= VNT_RESOLVED; + else + rp->vr_flags &= ~VNT_RESOLVED; + + rp->vr_lastseq = seq; } - mount_unlock(mp); -} -void -vfs_setunmountpreflight(mount_t mp) -{ - mount_lock_spin(mp); - mp->mnt_kern_flag |= MNTK_UNMOUNT_PREFLIGHT; - mount_unlock(mp); + lck_mtx_unlock(&rp->vr_lock); + + return (0); } -void -vn_setunionwait(vnode_t vp) +static int +vnode_resolver_attach(vnode_t vp, vnode_resolve_t rp, boolean_t ref) { + int error; + vnode_lock_spin(vp); - vp->v_flag |= VISUNION; + if (vp->v_resolve != NULL) { + vnode_unlock(vp); + return EINVAL; + } else { + vp->v_resolve = rp; + } vnode_unlock(vp); -} + + if (ref) { + error = vnode_ref_ext(vp, O_EVTONLY, VNODE_REF_FORCE); + if (error != 0) { + panic("VNODE_REF_FORCE didn't help..."); + } + } + return 0; +} -void -vn_checkunionwait(vnode_t vp) +/* + * VFS internal interfaces for vnode triggers + * + * vnode must already have an io count on entry + * v_resolve is stable when io count is non-zero + */ +static int +vnode_resolver_create(mount_t mp, vnode_t vp, struct vnode_trigger_param *tinfo, boolean_t external) { - vnode_lock_spin(vp); - while ((vp->v_flag & VISUNION) == VISUNION) - msleep((caddr_t)&vp->v_flag, &vp->v_lock, 0, 0, 0); - vnode_unlock(vp); + vnode_resolve_t rp; + int result; + char byte; + +#if 1 + /* minimum pointer test (debugging) */ + if (tinfo->vnt_data) + byte = *((char *)tinfo->vnt_data); +#endif + MALLOC(rp, vnode_resolve_t, sizeof(*rp), M_TEMP, M_WAITOK); + if (rp == NULL) + return (ENOMEM); + + lck_mtx_init(&rp->vr_lock, trigger_vnode_lck_grp, trigger_vnode_lck_attr); + + rp->vr_resolve_func = tinfo->vnt_resolve_func; + rp->vr_unresolve_func = tinfo->vnt_unresolve_func; + rp->vr_rearm_func = tinfo->vnt_rearm_func; + rp->vr_reclaim_func = tinfo->vnt_reclaim_func; + rp->vr_data = tinfo->vnt_data; + rp->vr_lastseq = 0; + rp->vr_flags = tinfo->vnt_flags & VNT_VALID_MASK; + if (external) { + rp->vr_flags |= VNT_EXTERNAL; + } + + result = vnode_resolver_attach(vp, rp, external); + if (result != 0) { + goto out; + } + + if (mp) { + OSAddAtomic(1, &mp->mnt_numtriggers); + } + + return (result); + +out: + FREE(rp, M_TEMP); + return result; } -void -vn_clearunionwait(vnode_t vp, int locked) +static void +vnode_resolver_release(vnode_resolve_t rp) { - if (!locked) - vnode_lock_spin(vp); - if((vp->v_flag & VISUNION) == VISUNION) { - vp->v_flag &= ~VISUNION; - wakeup((caddr_t)&vp->v_flag); + /* + * Give them a chance to free any private data + */ + if (rp->vr_data && rp->vr_reclaim_func) { + rp->vr_reclaim_func(NULLVP, rp->vr_data); } - if (!locked) - vnode_unlock(vp); + + lck_mtx_destroy(&rp->vr_lock, trigger_vnode_lck_grp); + FREE(rp, M_TEMP); + +} + +/* Called after the vnode has been drained */ +static void +vnode_resolver_detach(vnode_t vp) +{ + vnode_resolve_t rp; + mount_t mp; + + mp = vnode_mount(vp); + + vnode_lock(vp); + rp = vp->v_resolve; + vp->v_resolve = NULL; + vnode_unlock(vp); + + if ((rp->vr_flags & VNT_EXTERNAL) != 0) { + vnode_rele_ext(vp, O_EVTONLY, 1); + } + + vnode_resolver_release(rp); + + /* Keep count of active trigger vnodes per mount */ + OSAddAtomic(-1, &mp->mnt_numtriggers); } /* - * XXX - get "don't trigger mounts" flag for thread; used by autofs. + * Pathname operations that don't trigger a mount for trigger vnodes */ -extern int thread_notrigger(void); +static const u_int64_t ignorable_pathops_mask = + 1LL << OP_MOUNT | + 1LL << OP_UNMOUNT | + 1LL << OP_STATFS | + 1LL << OP_ACCESS | + 1LL << OP_GETATTR | + 1LL << OP_LISTXATTR; int -thread_notrigger(void) +vfs_istraditionaltrigger(enum path_operation op, const struct componentname *cnp) { - struct uthread *uth = (struct uthread *)get_bsdthread_info(current_thread()); - return (uth->uu_notrigger); + if (cnp->cn_flags & ISLASTCN) + return ((1LL << op) & ignorable_pathops_mask) == 0; + else + return (1); } -/* - * Removes orphaned apple double files during a rmdir - * Works by: - * 1. vnode_suspend(). - * 2. Call VNOP_READDIR() till the end of directory is reached. - * 3. Check if the directory entries returned are regular files with name starting with "._". If not, return ENOTEMPTY. - * 4. Continue (2) and (3) till end of directory is reached. - * 5. If all the entries in the directory were files with "._" name, delete all the files. - * 6. vnode_resume() - * 7. If deletion of all files succeeded, call VNOP_RMDIR() again. - */ +__private_extern__ +void +vnode_trigger_rearm(vnode_t vp, vfs_context_t ctx) +{ + vnode_resolve_t rp; + resolver_result_t result; + enum resolver_status status; + uint32_t seq; + + if ((vp->v_resolve == NULL) || + (vp->v_resolve->vr_rearm_func == NULL) || + (vp->v_resolve->vr_flags & VNT_AUTO_REARM) == 0) { + return; + } + + rp = vp->v_resolve; + lck_mtx_lock(&rp->vr_lock); + + /* + * Check if VFS initiated this unmount. If so, we'll catch it after the unresolve completes. + */ + if (rp->vr_flags & VNT_VFS_UNMOUNTED) { + lck_mtx_unlock(&rp->vr_lock); + return; + } + + /* Check if this vnode is already armed */ + if ((rp->vr_flags & VNT_RESOLVED) == 0) { + lck_mtx_unlock(&rp->vr_lock); + return; + } + + lck_mtx_unlock(&rp->vr_lock); + + result = rp->vr_rearm_func(vp, 0, rp->vr_data, ctx); + status = vfs_resolver_status(result); + seq = vfs_resolver_sequence(result); + + lck_mtx_lock(&rp->vr_lock); + if (seq > rp->vr_lastseq) { + if (status == RESOLVER_UNRESOLVED) + rp->vr_flags &= ~VNT_RESOLVED; + rp->vr_lastseq = seq; + } + lck_mtx_unlock(&rp->vr_lock); +} + +__private_extern__ +int +vnode_trigger_resolve(vnode_t vp, struct nameidata *ndp, vfs_context_t ctx) +{ + vnode_resolve_t rp; + enum path_operation op; + resolver_result_t result; + enum resolver_status status; + uint32_t seq; + + /* Only trigger on topmost vnodes */ + if ((vp->v_resolve == NULL) || + (vp->v_resolve->vr_resolve_func == NULL) || + (vp->v_mountedhere != NULL)) { + return (0); + } + + rp = vp->v_resolve; + lck_mtx_lock(&rp->vr_lock); + + /* Check if this vnode is already resolved */ + if (rp->vr_flags & VNT_RESOLVED) { + lck_mtx_unlock(&rp->vr_lock); + return (0); + } + + lck_mtx_unlock(&rp->vr_lock); + + /* + * XXX + * assumes that resolver will not access this trigger vnode (otherwise the kernel will deadlock) + * is there anyway to know this??? + * there can also be other legitimate lookups in parallel + * + * XXX - should we call this on a separate thread with a timeout? + * + * XXX - should we use ISLASTCN to pick the op value??? Perhaps only leafs should + * get the richer set and non-leafs should get generic OP_LOOKUP? TBD + */ + op = (ndp->ni_op < OP_MAXOP) ? ndp->ni_op: OP_LOOKUP; -errno_t rmdir_remove_orphaned_appleDouble(vnode_t vp , vfs_context_t ctx, int * restart_flag) + result = rp->vr_resolve_func(vp, &ndp->ni_cnd, op, 0, rp->vr_data, ctx); + status = vfs_resolver_status(result); + seq = vfs_resolver_sequence(result); + + lck_mtx_lock(&rp->vr_lock); + if (seq > rp->vr_lastseq) { + if (status == RESOLVER_RESOLVED) + rp->vr_flags |= VNT_RESOLVED; + rp->vr_lastseq = seq; + } + lck_mtx_unlock(&rp->vr_lock); + + /* On resolver errors, propagate the error back up */ + return (status == RESOLVER_ERROR ? vfs_resolver_auxiliary(result) : 0); +} + +static int +vnode_trigger_unresolve(vnode_t vp, int flags, vfs_context_t ctx) { + vnode_resolve_t rp; + resolver_result_t result; + enum resolver_status status; + uint32_t seq; -#define UIO_BUFF_SIZE 2048 - uio_t auio = NULL; - int eofflag, siz = UIO_BUFF_SIZE, nentries = 0; - int open_flag = 0, full_erase_flag = 0; - char uio_buf[ UIO_SIZEOF(1) ]; - char *rbuf = NULL, *cpos, *cend; - struct nameidata nd_temp; - struct dirent *dp; - errno_t error; + if ((vp->v_resolve == NULL) || (vp->v_resolve->vr_unresolve_func == NULL)) { + return (0); + } - error = vnode_suspend(vp); + rp = vp->v_resolve; + lck_mtx_lock(&rp->vr_lock); - /* - * restart_flag is set so that the calling rmdir sleeps and resets - */ - if (error == EBUSY) - *restart_flag = 1; - if (error != 0) - goto outsc; + /* Check if this vnode is already resolved */ + if ((rp->vr_flags & VNT_RESOLVED) == 0) { + printf("vnode_trigger_unresolve: not currently resolved\n"); + lck_mtx_unlock(&rp->vr_lock); + return (0); + } + + rp->vr_flags |= VNT_VFS_UNMOUNTED; + + lck_mtx_unlock(&rp->vr_lock); /* - * set up UIO + * XXX + * assumes that resolver will not access this trigger vnode (otherwise the kernel will deadlock) + * there can also be other legitimate lookups in parallel + * + * XXX - should we call this on a separate thread with a timeout? */ - MALLOC(rbuf, caddr_t, siz, M_TEMP, M_WAITOK); - if (rbuf) - auio = uio_createwithbuffer(1, 0, UIO_SYSSPACE, UIO_READ, - &uio_buf[0], sizeof(uio_buf)); - if (!rbuf || !auio) { - error = ENOMEM; - goto outsc; - } - uio_setoffset(auio,0); + result = rp->vr_unresolve_func(vp, flags, rp->vr_data, ctx); + status = vfs_resolver_status(result); + seq = vfs_resolver_sequence(result); - eofflag = 0; + lck_mtx_lock(&rp->vr_lock); + if (seq > rp->vr_lastseq) { + if (status == RESOLVER_UNRESOLVED) + rp->vr_flags &= ~VNT_RESOLVED; + rp->vr_lastseq = seq; + } + rp->vr_flags &= ~VNT_VFS_UNMOUNTED; + lck_mtx_unlock(&rp->vr_lock); - if ((error = VNOP_OPEN(vp, FREAD, ctx))) - goto outsc; - else - open_flag = 1; + /* On resolver errors, propagate the error back up */ + return (status == RESOLVER_ERROR ? vfs_resolver_auxiliary(result) : 0); +} + +static int +triggerisdescendant(mount_t mp, mount_t rmp) +{ + int match = FALSE; /* - * First pass checks if all files are appleDouble files. + * walk up vnode covered chain looking for a match */ + name_cache_lock_shared(); - do { - siz = UIO_BUFF_SIZE; - uio_reset(auio, uio_offset(auio), UIO_SYSSPACE, UIO_READ); - uio_addiov(auio, CAST_USER_ADDR_T(rbuf), UIO_BUFF_SIZE); + while (1) { + vnode_t vp; - if((error = VNOP_READDIR(vp, auio, 0, &eofflag, &nentries, ctx))) - goto outsc; + /* did we encounter "/" ? */ + if (mp->mnt_flag & MNT_ROOTFS) + break; - if (uio_resid(auio) != 0) - siz -= uio_resid(auio); + vp = mp->mnt_vnodecovered; + if (vp == NULLVP) + break; - /* - * Iterate through directory - */ - cpos = rbuf; - cend = rbuf + siz; - dp = (struct dirent*) cpos; + mp = vp->v_mount; + if (mp == rmp) { + match = TRUE; + break; + } + } - if (cpos == cend) - eofflag = 1; + name_cache_unlock(); - while ((cpos < cend)) { - /* - * Check for . and .. as well as directories - */ - if (dp->d_ino != 0 && - !((dp->d_namlen == 1 && dp->d_name[0] == '.') || - (dp->d_namlen == 2 && dp->d_name[0] == '.' && dp->d_name[1] == '.'))) { - /* - * Check for irregular files and ._ files - * If there is a ._._ file abort the op - */ - if ( dp->d_namlen < 2 || - strncmp(dp->d_name,"._",2) || - (dp->d_namlen >= 4 && !strncmp(&(dp->d_name[2]), "._",2))) { - error = ENOTEMPTY; - goto outsc; - } - } - cpos += dp->d_reclen; - dp = (struct dirent*)cpos; - } - - /* - * workaround for HFS/NFS setting eofflag before end of file - */ - if (vp->v_tag == VT_HFS && nentries > 2) - eofflag=0; + return (match); +} - if (vp->v_tag == VT_NFS) { - if (eofflag && !full_erase_flag) { - full_erase_flag = 1; - eofflag = 0; - uio_reset(auio, 0, UIO_SYSSPACE, UIO_READ); - } - else if (!eofflag && full_erase_flag) - full_erase_flag = 0; - } +struct trigger_unmount_info { + vfs_context_t ctx; + mount_t top_mp; + vnode_t trigger_vp; + mount_t trigger_mp; + uint32_t trigger_vid; + int flags; +}; + +static int +trigger_unmount_callback(mount_t mp, void * arg) +{ + struct trigger_unmount_info * infop = (struct trigger_unmount_info *)arg; + boolean_t mountedtrigger = FALSE; - } while (!eofflag); /* - * If we've made it here all the files in the dir are ._ files. - * We can delete the files even though the node is suspended - * because we are the owner of the file. + * When we encounter the top level mount we're done */ + if (mp == infop->top_mp) + return (VFS_RETURNED_DONE); - uio_reset(auio, 0, UIO_SYSSPACE, UIO_READ); - eofflag = 0; - full_erase_flag = 0; - - do { - siz = UIO_BUFF_SIZE; - uio_reset(auio, uio_offset(auio), UIO_SYSSPACE, UIO_READ); - uio_addiov(auio, CAST_USER_ADDR_T(rbuf), UIO_BUFF_SIZE); + if ((mp->mnt_vnodecovered == NULL) || + (vnode_getwithref(mp->mnt_vnodecovered) != 0)) { + return (VFS_RETURNED); + } - error = VNOP_READDIR(vp, auio, 0, &eofflag, &nentries, ctx); + if ((mp->mnt_vnodecovered->v_mountedhere == mp) && + (mp->mnt_vnodecovered->v_resolve != NULL) && + (mp->mnt_vnodecovered->v_resolve->vr_flags & VNT_RESOLVED)) { + mountedtrigger = TRUE; + } + vnode_put(mp->mnt_vnodecovered); - if (error != 0) - goto outsc; + /* + * When we encounter a mounted trigger, check if its under the top level mount + */ + if ( !mountedtrigger || !triggerisdescendant(mp, infop->top_mp) ) + return (VFS_RETURNED); - if (uio_resid(auio) != 0) - siz -= uio_resid(auio); + /* + * Process any pending nested mount (now that its not referenced) + */ + if ((infop->trigger_vp != NULLVP) && + (vnode_getwithvid(infop->trigger_vp, infop->trigger_vid) == 0)) { + vnode_t vp = infop->trigger_vp; + int error; - /* - * Iterate through directory - */ - cpos = rbuf; - cend = rbuf + siz; - dp = (struct dirent*) cpos; + infop->trigger_vp = NULLVP; - if (cpos == cend) - eofflag = 1; - - while ((cpos < cend)) { - /* - * Check for . and .. as well as directories - */ - if (dp->d_ino != 0 && - !((dp->d_namlen == 1 && dp->d_name[0] == '.') || - (dp->d_namlen == 2 && dp->d_name[0] == '.' && dp->d_name[1] == '.')) - ) { - - NDINIT(&nd_temp, DELETE, USEDVP, UIO_SYSSPACE, CAST_USER_ADDR_T(dp->d_name), ctx); - nd_temp.ni_dvp = vp; - error = unlink1(ctx, &nd_temp, 0); - if (error && error != ENOENT) { - goto outsc; - } - } - cpos += dp->d_reclen; - dp = (struct dirent*)cpos; + if (mp == vp->v_mountedhere) { + vnode_put(vp); + printf("trigger_unmount_callback: unexpected match '%s'\n", + mp->mnt_vfsstat.f_mntonname); + return (VFS_RETURNED); } - - /* - * workaround for HFS/NFS setting eofflag before end of file - */ - if (vp->v_tag == VT_HFS && nentries > 2) - eofflag=0; - - if (vp->v_tag == VT_NFS) { - if (eofflag && !full_erase_flag) { - full_erase_flag = 1; - eofflag = 0; - uio_reset(auio, 0, UIO_SYSSPACE, UIO_READ); - } - else if (!eofflag && full_erase_flag) - full_erase_flag = 0; + if (infop->trigger_mp != vp->v_mountedhere) { + vnode_put(vp); + printf("trigger_unmount_callback: trigger mnt changed! (%p != %p)\n", + infop->trigger_mp, vp->v_mountedhere); + goto savenext; } - } while (!eofflag); + error = vnode_trigger_unresolve(vp, infop->flags, infop->ctx); + vnode_put(vp); + if (error) { + printf("unresolving: '%s', err %d\n", + vp->v_mountedhere ? vp->v_mountedhere->mnt_vfsstat.f_mntonname : + "???", error); + return (VFS_RETURNED_DONE); /* stop iteration on errors */ + } + } +savenext: + /* + * We can't call resolver here since we hold a mount iter + * ref on mp so save its covered vp for later processing + */ + infop->trigger_vp = mp->mnt_vnodecovered; + if ((infop->trigger_vp != NULLVP) && + (vnode_getwithref(infop->trigger_vp) == 0)) { + if (infop->trigger_vp->v_mountedhere == mp) { + infop->trigger_vid = infop->trigger_vp->v_id; + infop->trigger_mp = mp; + } + vnode_put(infop->trigger_vp); + } + return (VFS_RETURNED); +} - error = 0; +/* + * Attempt to unmount any trigger mounts nested underneath a mount. + * This is a best effort attempt and no retries are performed here. + * + * Note: mp->mnt_rwlock is held exclusively on entry (so be carefull) + */ +__private_extern__ +void +vfs_nested_trigger_unmounts(mount_t mp, int flags, vfs_context_t ctx) +{ + struct trigger_unmount_info info; -outsc: - if (open_flag) - VNOP_CLOSE(vp, FREAD, ctx); + /* Must have trigger vnodes */ + if (mp->mnt_numtriggers == 0) { + return; + } + /* Avoid recursive requests (by checking covered vnode) */ + if ((mp->mnt_vnodecovered != NULL) && + (vnode_getwithref(mp->mnt_vnodecovered) == 0)) { + boolean_t recursive = FALSE; - uio_free(auio); - FREE(rbuf, M_TEMP); + if ((mp->mnt_vnodecovered->v_mountedhere == mp) && + (mp->mnt_vnodecovered->v_resolve != NULL) && + (mp->mnt_vnodecovered->v_resolve->vr_flags & VNT_VFS_UNMOUNTED)) { + recursive = TRUE; + } + vnode_put(mp->mnt_vnodecovered); + if (recursive) + return; + } - vnode_resume(vp); + /* + * Attempt to unmount any nested trigger mounts (best effort) + */ + info.ctx = ctx; + info.top_mp = mp; + info.trigger_vp = NULLVP; + info.trigger_vid = 0; + info.trigger_mp = NULL; + info.flags = flags; + (void) vfs_iterate(VFS_ITERATE_TAIL_FIRST, trigger_unmount_callback, &info); - return(error); + /* + * Process remaining nested mount (now that its not referenced) + */ + if ((info.trigger_vp != NULLVP) && + (vnode_getwithvid(info.trigger_vp, info.trigger_vid) == 0)) { + vnode_t vp = info.trigger_vp; + if (info.trigger_mp == vp->v_mountedhere) { + (void) vnode_trigger_unresolve(vp, flags, ctx); + } + vnode_put(vp); + } } - -void -lock_vnode_and_post(vnode_t vp, int kevent_num) +int +vfs_addtrigger(mount_t mp, const char *relpath, struct vnode_trigger_info *vtip, vfs_context_t ctx) { - /* Only take the lock if there's something there! */ - if (vp->v_knotes.slh_first != NULL) { - vnode_lock(vp); - KNOTE(&vp->v_knotes, kevent_num); - vnode_unlock(vp); - } -} + struct nameidata nd; + int res; + vnode_t rvp, vp; + struct vnode_trigger_param vtp; + + /* + * Must be called for trigger callback, wherein rwlock is held + */ + lck_rw_assert(&mp->mnt_rwlock, LCK_RW_ASSERT_HELD); -#ifdef JOE_DEBUG -static void record_vp(vnode_t vp, int count) { - struct uthread *ut; - int i; + TRIG_LOG("Adding trigger at %s\n", relpath); + TRIG_LOG("Trying VFS_ROOT\n"); - if ((vp->v_flag & VSYSTEM)) - return; + /* + * We do a lookup starting at the root of the mountpoint, unwilling + * to cross into other mountpoints. + */ + res = VFS_ROOT(mp, &rvp, ctx); + if (res != 0) { + goto out; + } - ut = get_bsdthread_info(current_thread()); - ut->uu_iocount += count; + TRIG_LOG("Trying namei\n"); - if (ut->uu_vpindex < 32) { - for (i = 0; i < ut->uu_vpindex; i++) { - if (ut->uu_vps[i] == vp) - return; - } - ut->uu_vps[ut->uu_vpindex] = vp; - ut->uu_vpindex++; + NDINIT(&nd, LOOKUP, OP_LOOKUP, USEDVP | NOCROSSMOUNT | FOLLOW, UIO_SYSSPACE, + CAST_USER_ADDR_T(relpath), ctx); + nd.ni_dvp = rvp; + res = namei(&nd); + if (res != 0) { + vnode_put(rvp); + goto out; } + + vp = nd.ni_vp; + nameidone(&nd); + vnode_put(rvp); + + TRIG_LOG("Trying vnode_resolver_create()\n"); + + /* + * Set up blob. vnode_create() takes a larger structure + * with creation info, and we needed something different + * for this case. One needs to win, or we need to munge both; + * vnode_create() wins. + */ + bzero(&vtp, sizeof(vtp)); + vtp.vnt_resolve_func = vtip->vti_resolve_func; + vtp.vnt_unresolve_func = vtip->vti_unresolve_func; + vtp.vnt_rearm_func = vtip->vti_rearm_func; + vtp.vnt_reclaim_func = vtip->vti_reclaim_func; + vtp.vnt_reclaim_func = vtip->vti_reclaim_func; + vtp.vnt_data = vtip->vti_data; + vtp.vnt_flags = vtip->vti_flags; + + res = vnode_resolver_create(mp, vp, &vtp, TRUE); + vnode_put(vp); +out: + TRIG_LOG("Returning %d\n", res); + return res; } -#endif + +#endif /* CONFIG_TRIGGERS */