NetBSD/sys/miscfs/genfs/genfs_rename.c

1225 lines
33 KiB
C

/* $NetBSD: genfs_rename.c,v 1.7 2021/10/20 13:29:06 thorpej Exp $ */
/*-
* Copyright (c) 2012 The NetBSD Foundation, Inc.
* All rights reserved.
*
* This code is derived from software contributed to The NetBSD Foundation
* by Taylor R Campbell.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
* ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
* TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
* PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
* BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
* CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
* SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
* INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
* CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
* POSSIBILITY OF SUCH DAMAGE.
*/
/*
* Generic rename abstraction.
*
* Rename is unbelievably hairy. Try to use this if you can --
* otherwise you are practically guaranteed to get it wrong.
*/
#include <sys/cdefs.h>
__KERNEL_RCSID(0, "$NetBSD: genfs_rename.c,v 1.7 2021/10/20 13:29:06 thorpej Exp $");
#include <sys/param.h>
#include <sys/kauth.h>
#include <sys/mount.h>
#include <sys/namei.h>
#include <sys/stat.h>
#include <sys/vnode.h>
#include <sys/types.h>
#include <miscfs/genfs/genfs.h>
/*
* Sample copypasta for implementing VOP_RENAME via genfs_rename.
* Don't change this template without carefully considering whether
* every other file system that already uses it needs to change too.
* That way, once we have changed all the file systems to use it, we
* can easily replace mumblefs_rename by mumblefs_sane_rename and
* eliminate the insane API altogether.
*/
/* begin sample copypasta */
#if 0
static const struct genfs_rename_ops mumblefs_genfs_rename_ops;
/*
* mumblefs_sane_rename: The hairiest vop, with the saner API.
*
* Arguments:
*
* . fdvp (from directory vnode),
* . fcnp (from component name),
* . tdvp (to directory vnode),
* . tcnp (to component name),
* . cred (credentials structure), and
* . posixly_correct (flag for behaviour if target & source link same file).
*
* fdvp and tdvp may be the same, and must be referenced and unlocked.
*/
static int
mumblefs_sane_rename(
struct vnode *fdvp, struct componentname *fcnp,
struct vnode *tdvp, struct componentname *tcnp,
kauth_cred_t cred, bool posixly_correct)
{
struct mumblefs_lookup_results fulr, tulr;
return genfs_sane_rename(&mumblefs_genfs_rename_ops,
fdvp, fcnp, &fulr, tdvp, tcnp, &tulr,
cred, posixly_correct);
}
/*
* mumblefs_rename: The hairiest vop, with the insanest API. Defer to
* genfs_insane_rename immediately.
*/
int
mumblefs_rename(void *v)
{
return genfs_insane_rename(v, &mumblefs_sane_rename);
}
#endif
/* end sample copypasta */
/*
* Forward declarations
*/
static int genfs_rename_enter(const struct genfs_rename_ops *, struct mount *,
kauth_cred_t,
struct vnode *, struct componentname *, void *, struct vnode **,
struct vnode *, struct componentname *, void *, struct vnode **);
static int genfs_rename_enter_common(const struct genfs_rename_ops *,
struct mount *, kauth_cred_t, struct vnode *,
struct componentname *, void *, struct vnode **,
struct componentname *, void *, struct vnode **);
static int genfs_rename_enter_separate(const struct genfs_rename_ops *,
struct mount *, kauth_cred_t,
struct vnode *, struct componentname *, void *, struct vnode **,
struct vnode *, struct componentname *, void *, struct vnode **);
static int genfs_rename_lock(const struct genfs_rename_ops *, struct mount *,
kauth_cred_t, int, int, int,
struct vnode *, struct componentname *, bool, void *, struct vnode **,
struct vnode *, struct componentname *, bool, void *, struct vnode **);
static void genfs_rename_exit(const struct genfs_rename_ops *, struct mount *,
struct vnode *, struct vnode *,
struct vnode *, struct vnode *);
static int genfs_rename_remove(const struct genfs_rename_ops *, struct mount *,
kauth_cred_t,
struct vnode *, struct componentname *, void *, struct vnode *, nlink_t *);
/*
* genfs_insane_rename: Generic implementation of the insane API for
* the rename vop.
*
* Arguments:
*
* . fdvp (from directory vnode),
* . fvp (from vnode),
* . fcnp (from component name),
* . tdvp (to directory vnode),
* . tvp (to vnode, or NULL), and
* . tcnp (to component name).
*
* Any pair of vnode parameters may have the same vnode.
*
* On entry,
*
* . fdvp, fvp, tdvp, and tvp are referenced,
* . fdvp and fvp are unlocked, and
* . tdvp and tvp (if nonnull) are locked.
*
* On exit,
*
* . fdvp, fvp, tdvp, and tvp (if nonnull) are unreferenced, and
* . tdvp and tvp (if nonnull) are unlocked.
*/
int
genfs_insane_rename(void *v,
int (*sane_rename)(struct vnode *fdvp, struct componentname *fcnp,
struct vnode *tdvp, struct componentname *tcnp,
kauth_cred_t cred, bool posixly_correct))
{
struct vop_rename_args /* {
struct vnode *a_fdvp;
struct vnode *a_fvp;
struct componentname *a_fcnp;
struct vnode *a_tdvp;
struct vnode *a_tvp;
struct componentname *a_tcnp;
} */ *ap = v;
struct vnode *fdvp = ap->a_fdvp;
struct vnode *fvp = ap->a_fvp;
struct componentname *fcnp = ap->a_fcnp;
struct vnode *tdvp = ap->a_tdvp;
struct vnode *tvp = ap->a_tvp;
struct componentname *tcnp = ap->a_tcnp;
kauth_cred_t cred;
int error;
KASSERT(fdvp != NULL);
KASSERT(fvp != NULL);
KASSERT(fcnp != NULL);
KASSERT(fcnp->cn_nameptr != NULL);
KASSERT(tdvp != NULL);
KASSERT(tcnp != NULL);
KASSERT(fcnp->cn_nameptr != NULL);
/* KASSERT(VOP_ISLOCKED(fdvp) != LK_EXCLUSIVE); */
/* KASSERT(VOP_ISLOCKED(fvp) != LK_EXCLUSIVE); */
KASSERT(VOP_ISLOCKED(tdvp) == LK_EXCLUSIVE);
KASSERT((tvp == NULL) || (VOP_ISLOCKED(tvp) == LK_EXCLUSIVE));
KASSERT(fdvp->v_type == VDIR);
KASSERT(tdvp->v_type == VDIR);
cred = fcnp->cn_cred;
/*
* XXX Want a better equality test. `tcnp->cn_cred == cred'
* hoses p2k because puffs transmits the creds separately and
* allocates distinct but equivalent structures for them.
*/
KASSERT(kauth_cred_uidmatch(cred, tcnp->cn_cred));
/*
* Sanitize our world from the VFS insanity. Unlock the target
* directory and node, which are locked. Release the children,
* which are referenced, since we'll be looking them up again
* later.
*/
VOP_UNLOCK(tdvp);
if ((tvp != NULL) && (tvp != tdvp))
VOP_UNLOCK(tvp);
vrele(fvp);
if (tvp != NULL)
vrele(tvp);
error = (*sane_rename)(fdvp, fcnp, tdvp, tcnp, cred, false);
/*
* All done, whether with success or failure. Release the
* directory nodes now, as the caller expects from the VFS
* protocol.
*/
vrele(fdvp);
vrele(tdvp);
return error;
}
/*
* genfs_sane_rename: Generic implementation of the saner API for the
* rename vop. Handles ancestry checks, locking, and permissions
* checks. Caller is responsible for implementing the genfs rename
* operations.
*
* fdvp and tdvp must be referenced and unlocked.
*/
int
genfs_sane_rename(const struct genfs_rename_ops *ops,
struct vnode *fdvp, struct componentname *fcnp, void *fde,
struct vnode *tdvp, struct componentname *tcnp, void *tde,
kauth_cred_t cred, bool posixly_correct)
{
struct mount *mp;
struct vnode *fvp = NULL, *tvp = NULL;
nlink_t tvp_new_nlink = 0;
int error;
KASSERT(ops != NULL);
KASSERT(fdvp != NULL);
KASSERT(fcnp != NULL);
KASSERT(tdvp != NULL);
KASSERT(tcnp != NULL);
/* KASSERT(VOP_ISLOCKED(fdvp) != LK_EXCLUSIVE); */
/* KASSERT(VOP_ISLOCKED(tdvp) != LK_EXCLUSIVE); */
KASSERT(fdvp->v_type == VDIR);
KASSERT(tdvp->v_type == VDIR);
KASSERT(fdvp->v_mount == tdvp->v_mount);
KASSERT(fcnp != tcnp);
KASSERT(fcnp->cn_nameiop == DELETE);
KASSERT(tcnp->cn_nameiop == RENAME);
/* XXX Want a better equality test. */
KASSERT(kauth_cred_uidmatch(cred, fcnp->cn_cred));
KASSERT(kauth_cred_uidmatch(cred, tcnp->cn_cred));
mp = fdvp->v_mount;
KASSERT(mp != NULL);
KASSERT(mp == tdvp->v_mount);
/* XXX How can we be sure this stays true? */
KASSERT((mp->mnt_flag & MNT_RDONLY) == 0);
/* Reject rename("x/..", ...) and rename(..., "x/..") early. */
if ((fcnp->cn_flags | tcnp->cn_flags) & ISDOTDOT)
return EINVAL; /* XXX EISDIR? */
error = genfs_rename_enter(ops, mp, cred,
fdvp, fcnp, fde, &fvp,
tdvp, tcnp, tde, &tvp);
if (error)
return error;
/*
* Check that everything is locked and looks right.
*/
KASSERT(fvp != NULL);
KASSERT(VOP_ISLOCKED(fdvp) == LK_EXCLUSIVE);
KASSERT(VOP_ISLOCKED(fvp) == LK_EXCLUSIVE);
KASSERT(VOP_ISLOCKED(tdvp) == LK_EXCLUSIVE);
KASSERT((tvp == NULL) || (VOP_ISLOCKED(tvp) == LK_EXCLUSIVE));
/*
* If the source and destination are the same object, we need
* only at most delete the source entry. We are guaranteed at
* this point that the entries are distinct.
*/
if (fvp == tvp) {
KASSERT(tvp != NULL);
if (fvp->v_type == VDIR)
/* XXX This shouldn't be possible. */
error = EINVAL;
else if (posixly_correct)
/* POSIX sez to leave them alone. */
error = 0;
else if ((fdvp == tdvp) &&
(fcnp->cn_namelen == tcnp->cn_namelen) &&
(memcmp(fcnp->cn_nameptr, tcnp->cn_nameptr,
fcnp->cn_namelen) == 0))
/* Renaming an entry over itself does nothing. */
error = 0;
else {
/* XXX Can't use VOP_REMOVE because of locking. */
error = genfs_rename_remove(ops, mp, cred,
fdvp, fcnp, fde, fvp, &tvp_new_nlink);
VN_KNOTE(fdvp, NOTE_WRITE);
VN_KNOTE(fvp,
tvp_new_nlink == 0 ? NOTE_DELETE : NOTE_LINK);
}
goto out;
}
KASSERT(fvp != tvp);
KASSERT((fdvp != tdvp) ||
(fcnp->cn_namelen != tcnp->cn_namelen) ||
(memcmp(fcnp->cn_nameptr, tcnp->cn_nameptr, fcnp->cn_namelen)
!= 0));
/*
* If the target exists, refuse to rename a directory over a
* non-directory or vice versa, or to clobber a non-empty
* directory.
*/
if (tvp != NULL) {
if (fvp->v_type == VDIR && tvp->v_type == VDIR)
error =
(ops->gro_directory_empty_p(mp, cred, tvp, tdvp)?
0 : ENOTEMPTY);
else if (fvp->v_type == VDIR && tvp->v_type != VDIR)
error = ENOTDIR;
else if (fvp->v_type != VDIR && tvp->v_type == VDIR)
error = EISDIR;
else
error = 0;
if (error)
goto out;
KASSERT((fvp->v_type == VDIR) == (tvp->v_type == VDIR));
}
/*
* Authorize the rename.
*/
error = ops->gro_rename_check_possible(mp, fdvp, fvp, tdvp, tvp);
if (error)
goto out;
error = ops->gro_rename_check_permitted(mp, cred, fdvp, fvp, tdvp, tvp);
error = kauth_authorize_vnode(cred, KAUTH_VNODE_DELETE, fvp, fdvp,
error);
error = kauth_authorize_vnode(cred, KAUTH_VNODE_RENAME, tvp, tdvp,
error);
if (error)
goto out;
/*
* Everything is hunky-dory. Shuffle the directory entries.
*/
error = ops->gro_rename(mp, cred,
fdvp, fcnp, fde, fvp,
tdvp, tcnp, tde, tvp,
&tvp_new_nlink);
if (error)
goto out;
/* Success! */
genfs_rename_knote(fdvp, fvp, tdvp, tvp, tvp_new_nlink);
out:
genfs_rename_exit(ops, mp, fdvp, fvp, tdvp, tvp);
return error;
}
/*
* genfs_rename_knote: Note events about the various vnodes in a
* rename. To be called by gro_rename on success. The only pair of
* vnodes that may be identical is {fdvp, tdvp}. tvp_new_nlink is
* the resulting link count of tvp.
*/
void
genfs_rename_knote(struct vnode *fdvp, struct vnode *fvp,
struct vnode *tdvp, struct vnode *tvp, nlink_t tvp_new_nlink)
{
long fdvp_events, tdvp_events;
bool directory_p, reparent_p, replaced_p;
KASSERT(fdvp != NULL);
KASSERT(fvp != NULL);
KASSERT(tdvp != NULL);
KASSERT(fdvp != fvp);
KASSERT(fdvp != tvp);
KASSERT(tdvp != fvp);
KASSERT(tdvp != tvp);
KASSERT(fvp != tvp);
KASSERT(VOP_ISLOCKED(fdvp) == LK_EXCLUSIVE);
KASSERT(VOP_ISLOCKED(fvp) == LK_EXCLUSIVE);
KASSERT(VOP_ISLOCKED(tdvp) == LK_EXCLUSIVE);
KASSERT((tvp == NULL) || (VOP_ISLOCKED(tvp) == LK_EXCLUSIVE));
directory_p = (fvp->v_type == VDIR);
reparent_p = (fdvp != tdvp);
replaced_p = (tvp != NULL);
KASSERT((tvp == NULL) || (directory_p == (tvp->v_type == VDIR)));
fdvp_events = NOTE_WRITE;
if (directory_p && reparent_p)
fdvp_events |= NOTE_LINK;
VN_KNOTE(fdvp, fdvp_events);
VN_KNOTE(fvp, NOTE_RENAME);
if (reparent_p) {
tdvp_events = NOTE_WRITE;
if (!replaced_p) {
tdvp_events |= NOTE_EXTEND;
if (directory_p)
tdvp_events |= NOTE_LINK;
}
VN_KNOTE(tdvp, tdvp_events);
}
if (replaced_p)
VN_KNOTE(tvp, (tvp_new_nlink == 0 ? NOTE_DELETE : NOTE_LINK));
}
/*
* genfs_rename_cache_purge: Purge the name cache. To be called by
* gro_rename on success. The only pair of vnodes that may be
* identical is {fdvp, tdvp}.
*/
void
genfs_rename_cache_purge(struct vnode *fdvp, struct vnode *fvp,
struct vnode *tdvp, struct vnode *tvp)
{
KASSERT(fdvp != NULL);
KASSERT(fvp != NULL);
KASSERT(tdvp != NULL);
KASSERT(fdvp != fvp);
KASSERT(fdvp != tvp);
KASSERT(tdvp != fvp);
KASSERT(tdvp != tvp);
KASSERT(fvp != tvp);
KASSERT(fdvp->v_type == VDIR);
KASSERT(tdvp->v_type == VDIR);
/*
* XXX What actually needs to be purged?
*/
cache_purge(fdvp);
if (fvp->v_type == VDIR)
cache_purge(fvp);
if (tdvp != fdvp)
cache_purge(tdvp);
if ((tvp != NULL) && (tvp->v_type == VDIR))
cache_purge(tvp);
}
/*
* genfs_rename_enter: Look up fcnp in fdvp, and store the lookup
* results in *fde_ret and the associated vnode in *fvp_ret; fail if
* not found. Look up tcnp in tdvp, and store the lookup results in
* *tde_ret and the associated vnode in *tvp_ret; store null instead if
* not found. Fail if anything has been mounted on any of the nodes
* involved.
*
* fdvp and tdvp must be referenced.
*
* On entry, nothing is locked.
*
* On success, everything is locked, and *fvp_ret, and *tvp_ret if
* nonnull, are referenced. The only pairs of vnodes that may be
* identical are {fdvp, tdvp} and {fvp, tvp}.
*
* On failure, everything remains as was.
*
* Locking everything including the source and target nodes is
* necessary to make sure that, e.g., link count updates are OK. The
* locking order is, in general, ancestor-first, matching the order you
* need to use to look up a descendant anyway.
*/
static int
genfs_rename_enter(const struct genfs_rename_ops *ops,
struct mount *mp, kauth_cred_t cred,
struct vnode *fdvp, struct componentname *fcnp,
void *fde_ret, struct vnode **fvp_ret,
struct vnode *tdvp, struct componentname *tcnp,
void *tde_ret, struct vnode **tvp_ret)
{
int error;
KASSERT(mp != NULL);
KASSERT(fdvp != NULL);
KASSERT(fcnp != NULL);
KASSERT(fvp_ret != NULL);
KASSERT(tdvp != NULL);
KASSERT(tcnp != NULL);
KASSERT(tvp_ret != NULL);
KASSERT(fvp_ret != tvp_ret);
KASSERT(fdvp->v_type == VDIR);
KASSERT(tdvp->v_type == VDIR);
KASSERT(fdvp->v_mount == mp);
KASSERT(tdvp->v_mount == mp);
if (fdvp == tdvp)
error = genfs_rename_enter_common(ops, mp, cred, fdvp,
fcnp, fde_ret, fvp_ret,
tcnp, tde_ret, tvp_ret);
else
error = genfs_rename_enter_separate(ops, mp, cred,
fdvp, fcnp, fde_ret, fvp_ret,
tdvp, tcnp, tde_ret, tvp_ret);
if (error)
return error;
KASSERT(*fvp_ret != NULL);
KASSERT(VOP_ISLOCKED(*fvp_ret) == LK_EXCLUSIVE);
KASSERT((*tvp_ret == NULL) || (VOP_ISLOCKED(*tvp_ret) == LK_EXCLUSIVE));
KASSERT(*fvp_ret != fdvp);
KASSERT(*fvp_ret != tdvp);
KASSERT(*tvp_ret != fdvp);
KASSERT(*tvp_ret != tdvp);
return 0;
}
/*
* genfs_rename_enter_common: Lock and look up with a common
* source/target directory.
*/
static int
genfs_rename_enter_common(const struct genfs_rename_ops *ops,
struct mount *mp, kauth_cred_t cred, struct vnode *dvp,
struct componentname *fcnp,
void *fde_ret, struct vnode **fvp_ret,
struct componentname *tcnp,
void *tde_ret, struct vnode **tvp_ret)
{
struct vnode *fvp, *tvp;
int error;
KASSERT(ops != NULL);
KASSERT(mp != NULL);
KASSERT(dvp != NULL);
KASSERT(fcnp != NULL);
KASSERT(fvp_ret != NULL);
KASSERT(tcnp != NULL);
KASSERT(tvp_ret != NULL);
KASSERT(dvp->v_type == VDIR);
KASSERT(dvp->v_mount == mp);
error = ops->gro_lock_directory(mp, dvp);
if (error)
goto fail0;
/* Did we lose a race with mount? */
if (dvp->v_mountedhere != NULL) {
error = EBUSY;
goto fail1;
}
KASSERT(fcnp->cn_nameiop == DELETE);
error = ops->gro_lookup(mp, dvp, fcnp, fde_ret, &fvp);
if (error)
goto fail1;
KASSERT(fvp != NULL);
/* Refuse to rename `.'. */
if (fvp == dvp) {
error = EINVAL;
goto fail2;
}
KASSERT(fvp != dvp);
KASSERT(tcnp->cn_nameiop == RENAME);
error = ops->gro_lookup(mp, dvp, tcnp, tde_ret, &tvp);
if (error == ENOENT) {
tvp = NULL;
} else if (error) {
goto fail2;
} else {
KASSERT(tvp != NULL);
/* Refuse to rename over `.'. */
if (tvp == dvp) {
error = EISDIR; /* XXX EINVAL? */
goto fail2;
}
}
KASSERT(tvp != dvp);
/*
* We've looked up both nodes. Now lock them and check them.
*/
vn_lock(fvp, LK_EXCLUSIVE | LK_RETRY);
KASSERT(fvp->v_mount == mp);
/* Refuse to rename a mount point. */
if ((fvp->v_type == VDIR) && (fvp->v_mountedhere != NULL)) {
error = EBUSY;
goto fail3;
}
if ((tvp != NULL) && (tvp != fvp)) {
vn_lock(tvp, LK_EXCLUSIVE | LK_RETRY);
KASSERT(tvp->v_mount == mp);
/* Refuse to rename over a mount point. */
if ((tvp->v_type == VDIR) && (tvp->v_mountedhere != NULL)) {
error = EBUSY;
goto fail4;
}
}
KASSERT(VOP_ISLOCKED(dvp) == LK_EXCLUSIVE);
KASSERT(VOP_ISLOCKED(fvp) == LK_EXCLUSIVE);
KASSERT((tvp == NULL) || (VOP_ISLOCKED(tvp) == LK_EXCLUSIVE));
*fvp_ret = fvp;
*tvp_ret = tvp;
return 0;
fail4: if ((tvp != NULL) && (tvp != fvp))
VOP_UNLOCK(tvp);
fail3: VOP_UNLOCK(fvp);
if (tvp != NULL)
vrele(tvp);
fail2: vrele(fvp);
fail1: VOP_UNLOCK(dvp);
fail0: return error;
}
/*
* genfs_rename_enter_separate: Lock and look up with separate source
* and target directories.
*/
static int
genfs_rename_enter_separate(const struct genfs_rename_ops *ops,
struct mount *mp, kauth_cred_t cred,
struct vnode *fdvp, struct componentname *fcnp,
void *fde_ret, struct vnode **fvp_ret,
struct vnode *tdvp, struct componentname *tcnp,
void *tde_ret, struct vnode **tvp_ret)
{
struct vnode *intermediate_node;
struct vnode *fvp, *tvp;
int error;
KASSERT(ops != NULL);
KASSERT(mp != NULL);
KASSERT(fdvp != NULL);
KASSERT(fcnp != NULL);
KASSERT(fvp_ret != NULL);
KASSERT(tdvp != NULL);
KASSERT(tcnp != NULL);
KASSERT(tvp_ret != NULL);
KASSERT(fdvp != tdvp);
KASSERT(fcnp != tcnp);
KASSERT(fcnp->cn_nameiop == DELETE);
KASSERT(tcnp->cn_nameiop == RENAME);
KASSERT(fvp_ret != tvp_ret);
KASSERT(fdvp->v_type == VDIR);
KASSERT(tdvp->v_type == VDIR);
KASSERT(fdvp->v_mount == mp);
KASSERT(tdvp->v_mount == mp);
error = ops->gro_genealogy(mp, cred, fdvp, tdvp, &intermediate_node);
if (error)
return error;
/*
* intermediate_node == NULL means fdvp is not an ancestor of tdvp.
*/
if (intermediate_node == NULL)
error = genfs_rename_lock(ops, mp, cred,
ENOTEMPTY, EISDIR, EINVAL,
tdvp, tcnp, true, tde_ret, &tvp,
fdvp, fcnp, false, fde_ret, &fvp);
else
error = genfs_rename_lock(ops, mp, cred,
EINVAL, EISDIR, EINVAL,
fdvp, fcnp, false, fde_ret, &fvp,
tdvp, tcnp, true, tde_ret, &tvp);
if (error)
goto out;
KASSERT(fvp != NULL);
/*
* Reject rename("foo/bar", "foo/bar/baz/quux/zot").
*/
if (fvp == intermediate_node) {
genfs_rename_exit(ops, mp, fdvp, fvp, tdvp, tvp);
error = EINVAL;
goto out;
}
*fvp_ret = fvp;
*tvp_ret = tvp;
error = 0;
out: if (intermediate_node != NULL)
vrele(intermediate_node);
return error;
}
/*
* genfs_rename_lock: Lookup and lock it all. The lock order is:
*
* a_dvp -> a_vp -> b_dvp -> b_vp,
*
* except if a_vp is a nondirectory in which case the lock order is:
*
* a_dvp -> b_dvp -> b_vp -> a_vp,
*
* which can't violate ancestor->descendant because a_vp has no
* descendants in this case. This edge case is necessary because some
* file systems can only lookup/lock/unlock, and we can't hold a_vp
* locked when we lookup/lock/unlock b_vp if they turn out to be the
* same, and we can't find out that they're the same until after the
* lookup.
*
* b_dvp must not be an ancestor of a_dvp, although a_dvp may be an
* ancestor of b_dvp.
*
* Fail with overlap_error if node a is directory b. Neither
* componentname may be `.' or `..'.
*
* a_dvp and b_dvp must be referenced.
*
* On entry, a_dvp and b_dvp are unlocked.
*
* On success,
* . a_dvp and b_dvp are locked,
* . *a_dirent_ret is filled with a directory entry whose node is
* locked and referenced,
* . *b_vp_ret is filled with the corresponding vnode,
* . *b_dirent_ret is filled either with null or with a directory entry
* whose node is locked and referenced,
* . *b_vp is filled either with null or with the corresponding vnode,
* and
* . the only pair of vnodes that may be identical is a_vp and b_vp.
*
* On failure, a_dvp and b_dvp are left unlocked, and *a_dirent_ret,
* *a_vp, *b_dirent_ret, and *b_vp are left alone.
*/
static int
genfs_rename_lock(const struct genfs_rename_ops *ops,
struct mount *mp, kauth_cred_t cred,
int overlap_error, int a_dot_error, int b_dot_error,
struct vnode *a_dvp, struct componentname *a_cnp, bool a_missing_ok,
void *a_de_ret, struct vnode **a_vp_ret,
struct vnode *b_dvp, struct componentname *b_cnp, bool b_missing_ok,
void *b_de_ret, struct vnode **b_vp_ret)
{
struct vnode *a_vp, *b_vp;
int error;
KASSERT(ops != NULL);
KASSERT(mp != NULL);
KASSERT(a_dvp != NULL);
KASSERT(a_cnp != NULL);
KASSERT(a_vp_ret != NULL);
KASSERT(b_dvp != NULL);
KASSERT(b_cnp != NULL);
KASSERT(b_vp_ret != NULL);
KASSERT(a_dvp != b_dvp);
KASSERT(a_vp_ret != b_vp_ret);
KASSERT(a_dvp->v_type == VDIR);
KASSERT(b_dvp->v_type == VDIR);
KASSERT(a_dvp->v_mount == mp);
KASSERT(b_dvp->v_mount == mp);
KASSERT(a_missing_ok != b_missing_ok);
/*
* 1. Lock a_dvp.
*/
error = ops->gro_lock_directory(mp, a_dvp);
if (error)
goto fail0;
/* Did we lose a race with mount? */
if (a_dvp->v_mountedhere != NULL) {
error = EBUSY;
goto fail1;
}
/*
* 2. Lookup a_vp. May lock/unlock a_vp.
*/
error = ops->gro_lookup(mp, a_dvp, a_cnp, a_de_ret, &a_vp);
if (error) {
if (a_missing_ok && (error == ENOENT))
a_vp = NULL;
else
goto fail1;
} else {
KASSERT(a_vp != NULL);
/* Refuse to rename (over) `.'. */
if (a_vp == a_dvp) {
error = a_dot_error;
goto fail2;
}
/* Reject rename("x", "x/y") or rename("x/y", "x"). */
if (a_vp == b_dvp) {
error = overlap_error;
goto fail2;
}
}
KASSERT(a_vp != a_dvp);
KASSERT(a_vp != b_dvp);
/*
* 3. Lock a_vp, if it is a directory.
*
* We already ruled out a_vp == a_dvp (i.e., a_cnp is `.'), so
* this is not locking against self, and we already ruled out
* a_vp == b_dvp, so this won't cause subsequent locking of
* b_dvp to lock against self.
*
* If a_vp is a nondirectory, we can't hold it when we lookup
* b_vp in case (a) the file system can only lookup/lock/unlock
* and (b) b_vp turns out to be the same file as a_vp due to
* hard links -- and we can't even detect that case until after
* we've looked up b_vp. Fortunately, if a_vp is a
* nondirectory, then it is a leaf, so we can safely lock it
* last.
*/
if (a_vp != NULL && a_vp->v_type == VDIR) {
vn_lock(a_vp, LK_EXCLUSIVE | LK_RETRY);
KASSERT(a_vp->v_mount == mp);
/* Refuse to rename (over) a mount point. */
if (a_vp->v_mountedhere != NULL) {
error = EBUSY;
goto fail3;
}
}
/*
* 4. Lock b_dvp.
*/
error = ops->gro_lock_directory(mp, b_dvp);
if (error)
goto fail3;
/* Did we lose a race with mount? */
if (b_dvp->v_mountedhere != NULL) {
error = EBUSY;
goto fail4;
}
/*
* 5. Lookup b_vp. May lock/unlock b_vp.
*/
error = ops->gro_lookup(mp, b_dvp, b_cnp, b_de_ret, &b_vp);
if (error) {
if (b_missing_ok && (error == ENOENT))
b_vp = NULL;
else
goto fail4;
} else {
KASSERT(b_vp != NULL);
/* Refuse to rename (over) `.'. */
if (b_vp == b_dvp) {
error = b_dot_error;
goto fail5;
}
/*
* b_dvp must not be an ancestor of a_dvp, so if we
* find b_dvp/b_vp=a_dvp/a_vp something is wrong.
*/
if (b_vp == a_dvp) {
/*
* We have a directory hard link before us.
* XXX What error should this return? EDEADLK?
* Panic?
*/
error = EIO;
goto fail5;
}
}
KASSERT(b_vp != b_dvp);
KASSERT(b_vp != a_dvp);
/*
* 6. Lock a_vp, if it is a nondirectory.
*
* In this case a_vp is a leaf, so it is either equal to or
* incommensurate with b_vp, and so we can safely lock it at
* any point now.
*/
if (a_vp != NULL && a_vp->v_type != VDIR) {
vn_lock(a_vp, LK_EXCLUSIVE | LK_RETRY);
KASSERT(a_vp->v_mount == mp);
/* (not a directory so can't have anything mounted here) */
}
/*
* 7. Lock b_vp, if it is not a_vp.
*
* b_vp and a_vp may the same inode if they are hard links to
* one another.
*/
if ((b_vp != NULL) && (b_vp != a_vp)) {
vn_lock(b_vp, LK_EXCLUSIVE | LK_RETRY);
KASSERT(b_vp->v_mount == mp);
/* Refuse to rename (over) a mount point. */
if ((b_vp->v_type == VDIR) && (b_vp->v_mountedhere != NULL)) {
error = EBUSY;
goto fail6;
}
}
KASSERT(VOP_ISLOCKED(a_dvp) == LK_EXCLUSIVE);
KASSERT(VOP_ISLOCKED(b_dvp) == LK_EXCLUSIVE);
KASSERT(a_missing_ok || (a_vp != NULL));
KASSERT(b_missing_ok || (b_vp != NULL));
KASSERT((a_vp == NULL) || (VOP_ISLOCKED(a_vp) == LK_EXCLUSIVE));
KASSERT((b_vp == NULL) || (VOP_ISLOCKED(b_vp) == LK_EXCLUSIVE));
*a_vp_ret = a_vp;
*b_vp_ret = b_vp;
return 0;
fail6: if ((b_vp != NULL) && (b_vp != a_vp))
VOP_UNLOCK(b_vp);
if (a_vp != NULL && a_vp->v_type != VDIR)
VOP_UNLOCK(a_vp);
fail5: if (b_vp != NULL)
vrele(b_vp);
fail4: VOP_UNLOCK(b_dvp);
fail3: if (a_vp != NULL && a_vp->v_type == VDIR)
VOP_UNLOCK(a_vp);
fail2: if (a_vp != NULL)
vrele(a_vp);
fail1: VOP_UNLOCK(a_dvp);
fail0: return error;
}
/*
* genfs_rename_exit: Unlock everything we locked for rename.
*
* fdvp and tdvp must be referenced.
*
* On entry, everything is locked, and fvp and tvp referenced.
*
* On exit, everything is unlocked, and fvp and tvp are released.
*/
static void
genfs_rename_exit(const struct genfs_rename_ops *ops,
struct mount *mp,
struct vnode *fdvp, struct vnode *fvp,
struct vnode *tdvp, struct vnode *tvp)
{
(void)ops;
KASSERT(ops != NULL);
KASSERT(mp != NULL);
KASSERT(fdvp != NULL);
KASSERT(fvp != NULL);
KASSERT(fdvp != fvp);
KASSERT(fdvp != tvp);
KASSERT(tdvp != tvp);
KASSERT(tdvp != fvp);
KASSERT(VOP_ISLOCKED(fdvp) == LK_EXCLUSIVE);
KASSERT(VOP_ISLOCKED(tdvp) == LK_EXCLUSIVE);
KASSERT(VOP_ISLOCKED(fvp) == LK_EXCLUSIVE);
KASSERT((tvp == NULL) || (VOP_ISLOCKED(tvp) == LK_EXCLUSIVE));
if ((tvp != NULL) && (tvp != fvp))
VOP_UNLOCK(tvp);
VOP_UNLOCK(fvp);
if (tvp != NULL)
vrele(tvp);
if (tdvp != fdvp)
VOP_UNLOCK(tdvp);
vrele(fvp);
VOP_UNLOCK(fdvp);
}
/*
* genfs_rename_remove: Remove the entry for the non-directory vp with
* componentname cnp from the directory dvp, using the lookup results
* de. It is the responsibility of gro_remove to purge the name cache.
*
* Everything must be locked and referenced.
*/
static int
genfs_rename_remove(const struct genfs_rename_ops *ops,
struct mount *mp, kauth_cred_t cred,
struct vnode *dvp, struct componentname *cnp, void *de, struct vnode *vp,
nlink_t *tvp_nlinkp)
{
int error;
KASSERT(ops != NULL);
KASSERT(mp != NULL);
KASSERT(dvp != NULL);
KASSERT(cnp != NULL);
KASSERT(vp != NULL);
KASSERT(dvp != vp);
KASSERT(dvp->v_type == VDIR);
KASSERT(vp->v_type != VDIR);
KASSERT(dvp->v_mount == mp);
KASSERT(vp->v_mount == mp);
KASSERT(VOP_ISLOCKED(dvp) == LK_EXCLUSIVE);
KASSERT(VOP_ISLOCKED(vp) == LK_EXCLUSIVE);
error = ops->gro_remove_check_possible(mp, dvp, vp);
if (error)
return error;
error = ops->gro_remove_check_permitted(mp, cred, dvp, vp);
error = kauth_authorize_vnode(cred, KAUTH_VNODE_DELETE, vp, dvp,
error);
if (error)
return error;
error = ops->gro_remove(mp, cred, dvp, cnp, de, vp, tvp_nlinkp);
if (error)
return error;
return 0;
}
static int
genfs_ufslike_check_sticky(kauth_cred_t, mode_t, uid_t, struct vnode *, uid_t);
/*
* genfs_ufslike_rename_check_possible: Check whether a rename is
* possible independent of credentials, assuming UFS-like inode flag
* semantics. clobber_p is true iff the target node already exists.
*/
int
genfs_ufslike_rename_check_possible(
unsigned long fdflags, unsigned long fflags,
unsigned long tdflags, unsigned long tflags, bool clobber_p,
unsigned long immutable, unsigned long append)
{
if ((fdflags | fflags) & (immutable | append))
return EPERM;
if (tdflags & (immutable | (clobber_p? append : 0)))
return EPERM;
if (clobber_p && (tflags & (immutable | append)))
return EPERM;
return 0;
}
/*
* genfs_ufslike_rename_check_permitted: Check whether a rename is
* permitted given our credentials, assuming UFS-like permission and
* ownership semantics.
*
* The only pair of vnodes that may be identical is {fdvp, tdvp}.
*
* Everything must be locked and referenced.
*/
int
genfs_ufslike_rename_check_permitted(kauth_cred_t cred,
struct vnode *fdvp, mode_t fdmode, uid_t fduid,
struct vnode *fvp, uid_t fuid,
struct vnode *tdvp, mode_t tdmode, uid_t tduid,
struct vnode *tvp, uid_t tuid)
{
int error;
KASSERT(fdvp != NULL);
KASSERT(fvp != NULL);
KASSERT(tdvp != NULL);
KASSERT(fdvp != fvp);
KASSERT(fdvp != tvp);
KASSERT(tdvp != fvp);
KASSERT(tdvp != tvp);
KASSERT(fvp != tvp);
KASSERT(fdvp->v_type == VDIR);
KASSERT(tdvp->v_type == VDIR);
KASSERT(fdvp->v_mount == fvp->v_mount);
KASSERT(fdvp->v_mount == tdvp->v_mount);
KASSERT((tvp == NULL) || (fdvp->v_mount == tvp->v_mount));
KASSERT(VOP_ISLOCKED(fdvp) == LK_EXCLUSIVE);
KASSERT(VOP_ISLOCKED(fvp) == LK_EXCLUSIVE);
KASSERT(VOP_ISLOCKED(tdvp) == LK_EXCLUSIVE);
KASSERT((tvp == NULL) || (VOP_ISLOCKED(tvp) == LK_EXCLUSIVE));
/*
* We need to remove or change an entry in the source directory.
*/
error = VOP_ACCESS(fdvp, VWRITE, cred);
if (error)
return error;
/*
* If we are changing directories, then we need to write to the
* target directory to add or change an entry. Also, if fvp is
* a directory, we need to write to it to change its `..'
* entry.
*/
if (fdvp != tdvp) {
error = VOP_ACCESS(tdvp, VWRITE, cred);
if (error)
return error;
if (fvp->v_type == VDIR) {
error = VOP_ACCESS(fvp, VWRITE, cred);
if (error)
return error;
}
}
error = genfs_ufslike_check_sticky(cred, fdmode, fduid, fvp, fuid);
if (error)
return error;
error = genfs_ufslike_check_sticky(cred, tdmode, tduid, tvp, tuid);
if (error)
return error;
return 0;
}
/*
* genfs_ufslike_remove_check_possible: Check whether a remove is
* possible independent of credentials, assuming UFS-like inode flag
* semantics.
*/
int
genfs_ufslike_remove_check_possible(unsigned long dflags, unsigned long flags,
unsigned long immutable, unsigned long append)
{
/*
* We want to delete the entry. If the directory is immutable,
* we can't write to it to delete the entry. If the directory
* is append-only, the only change we can make is to add
* entries, so we can't delete entries. If the node is
* immutable, we can't change the links to it, so we can't
* delete the entry. If the node is append-only...well, this
* is what UFS does.
*/
if ((dflags | flags) & (immutable | append))
return EPERM;
return 0;
}
/*
* genfs_ufslike_remove_check_permitted: Check whether a remove is
* permitted given our credentials, assuming UFS-like permission and
* ownership semantics.
*
* Everything must be locked and referenced.
*/
int
genfs_ufslike_remove_check_permitted(kauth_cred_t cred,
struct vnode *dvp, mode_t dmode, uid_t duid,
struct vnode *vp, uid_t uid)
{
int error;
KASSERT(dvp != NULL);
KASSERT(vp != NULL);
KASSERT(dvp != vp);
KASSERT(dvp->v_type == VDIR);
KASSERT(vp->v_type != VDIR);
KASSERT(dvp->v_mount == vp->v_mount);
KASSERT(VOP_ISLOCKED(dvp) == LK_EXCLUSIVE);
KASSERT(VOP_ISLOCKED(vp) == LK_EXCLUSIVE);
/*
* We need to write to the directory to remove from it.
*/
error = VOP_ACCESS(dvp, VWRITE, cred);
if (error)
return error;
error = genfs_ufslike_check_sticky(cred, dmode, duid, vp, uid);
if (error)
return error;
return 0;
}
/*
* genfs_ufslike_check_sticky: Check whether a party with credentials
* cred may change an entry in a sticky directory, assuming UFS-like
* permission, ownership, and stickiness semantics: If the directory is
* sticky and the entry exists, the user must own either the directory
* or the entry's node in order to change the entry.
*
* Everything must be locked and referenced.
*/
int
genfs_ufslike_check_sticky(kauth_cred_t cred, mode_t dmode, uid_t duid,
struct vnode *vp, uid_t uid)
{
if ((dmode & S_ISTXT) && (vp != NULL))
return genfs_can_sticky(vp, cred, duid, uid);
return 0;
}