1225 lines
33 KiB
C
1225 lines
33 KiB
C
/* $NetBSD: genfs_rename.c,v 1.7 2021/10/20 13:29:06 thorpej Exp $ */
|
|
|
|
/*-
|
|
* Copyright (c) 2012 The NetBSD Foundation, Inc.
|
|
* All rights reserved.
|
|
*
|
|
* This code is derived from software contributed to The NetBSD Foundation
|
|
* by Taylor R Campbell.
|
|
*
|
|
* Redistribution and use in source and binary forms, with or without
|
|
* modification, are permitted provided that the following conditions
|
|
* are met:
|
|
* 1. Redistributions of source code must retain the above copyright
|
|
* notice, this list of conditions and the following disclaimer.
|
|
* 2. Redistributions in binary form must reproduce the above copyright
|
|
* notice, this list of conditions and the following disclaimer in the
|
|
* documentation and/or other materials provided with the distribution.
|
|
*
|
|
* THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
|
|
* ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
|
|
* TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
|
|
* PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
|
|
* BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
|
|
* CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
|
|
* SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
|
|
* INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
|
|
* CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
|
|
* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
|
|
* POSSIBILITY OF SUCH DAMAGE.
|
|
*/
|
|
|
|
/*
|
|
* Generic rename abstraction.
|
|
*
|
|
* Rename is unbelievably hairy. Try to use this if you can --
|
|
* otherwise you are practically guaranteed to get it wrong.
|
|
*/
|
|
|
|
#include <sys/cdefs.h>
|
|
__KERNEL_RCSID(0, "$NetBSD: genfs_rename.c,v 1.7 2021/10/20 13:29:06 thorpej Exp $");
|
|
|
|
#include <sys/param.h>
|
|
#include <sys/kauth.h>
|
|
#include <sys/mount.h>
|
|
#include <sys/namei.h>
|
|
#include <sys/stat.h>
|
|
#include <sys/vnode.h>
|
|
#include <sys/types.h>
|
|
|
|
#include <miscfs/genfs/genfs.h>
|
|
|
|
/*
|
|
* Sample copypasta for implementing VOP_RENAME via genfs_rename.
|
|
* Don't change this template without carefully considering whether
|
|
* every other file system that already uses it needs to change too.
|
|
* That way, once we have changed all the file systems to use it, we
|
|
* can easily replace mumblefs_rename by mumblefs_sane_rename and
|
|
* eliminate the insane API altogether.
|
|
*/
|
|
|
|
/* begin sample copypasta */
|
|
#if 0
|
|
|
|
static const struct genfs_rename_ops mumblefs_genfs_rename_ops;
|
|
|
|
/*
|
|
* mumblefs_sane_rename: The hairiest vop, with the saner API.
|
|
*
|
|
* Arguments:
|
|
*
|
|
* . fdvp (from directory vnode),
|
|
* . fcnp (from component name),
|
|
* . tdvp (to directory vnode),
|
|
* . tcnp (to component name),
|
|
* . cred (credentials structure), and
|
|
* . posixly_correct (flag for behaviour if target & source link same file).
|
|
*
|
|
* fdvp and tdvp may be the same, and must be referenced and unlocked.
|
|
*/
|
|
static int
|
|
mumblefs_sane_rename(
|
|
struct vnode *fdvp, struct componentname *fcnp,
|
|
struct vnode *tdvp, struct componentname *tcnp,
|
|
kauth_cred_t cred, bool posixly_correct)
|
|
{
|
|
struct mumblefs_lookup_results fulr, tulr;
|
|
|
|
return genfs_sane_rename(&mumblefs_genfs_rename_ops,
|
|
fdvp, fcnp, &fulr, tdvp, tcnp, &tulr,
|
|
cred, posixly_correct);
|
|
}
|
|
|
|
/*
|
|
* mumblefs_rename: The hairiest vop, with the insanest API. Defer to
|
|
* genfs_insane_rename immediately.
|
|
*/
|
|
int
|
|
mumblefs_rename(void *v)
|
|
{
|
|
|
|
return genfs_insane_rename(v, &mumblefs_sane_rename);
|
|
}
|
|
|
|
#endif
|
|
/* end sample copypasta */
|
|
|
|
/*
|
|
* Forward declarations
|
|
*/
|
|
|
|
static int genfs_rename_enter(const struct genfs_rename_ops *, struct mount *,
|
|
kauth_cred_t,
|
|
struct vnode *, struct componentname *, void *, struct vnode **,
|
|
struct vnode *, struct componentname *, void *, struct vnode **);
|
|
static int genfs_rename_enter_common(const struct genfs_rename_ops *,
|
|
struct mount *, kauth_cred_t, struct vnode *,
|
|
struct componentname *, void *, struct vnode **,
|
|
struct componentname *, void *, struct vnode **);
|
|
static int genfs_rename_enter_separate(const struct genfs_rename_ops *,
|
|
struct mount *, kauth_cred_t,
|
|
struct vnode *, struct componentname *, void *, struct vnode **,
|
|
struct vnode *, struct componentname *, void *, struct vnode **);
|
|
static int genfs_rename_lock(const struct genfs_rename_ops *, struct mount *,
|
|
kauth_cred_t, int, int, int,
|
|
struct vnode *, struct componentname *, bool, void *, struct vnode **,
|
|
struct vnode *, struct componentname *, bool, void *, struct vnode **);
|
|
static void genfs_rename_exit(const struct genfs_rename_ops *, struct mount *,
|
|
struct vnode *, struct vnode *,
|
|
struct vnode *, struct vnode *);
|
|
static int genfs_rename_remove(const struct genfs_rename_ops *, struct mount *,
|
|
kauth_cred_t,
|
|
struct vnode *, struct componentname *, void *, struct vnode *, nlink_t *);
|
|
|
|
/*
|
|
* genfs_insane_rename: Generic implementation of the insane API for
|
|
* the rename vop.
|
|
*
|
|
* Arguments:
|
|
*
|
|
* . fdvp (from directory vnode),
|
|
* . fvp (from vnode),
|
|
* . fcnp (from component name),
|
|
* . tdvp (to directory vnode),
|
|
* . tvp (to vnode, or NULL), and
|
|
* . tcnp (to component name).
|
|
*
|
|
* Any pair of vnode parameters may have the same vnode.
|
|
*
|
|
* On entry,
|
|
*
|
|
* . fdvp, fvp, tdvp, and tvp are referenced,
|
|
* . fdvp and fvp are unlocked, and
|
|
* . tdvp and tvp (if nonnull) are locked.
|
|
*
|
|
* On exit,
|
|
*
|
|
* . fdvp, fvp, tdvp, and tvp (if nonnull) are unreferenced, and
|
|
* . tdvp and tvp (if nonnull) are unlocked.
|
|
*/
|
|
int
|
|
genfs_insane_rename(void *v,
|
|
int (*sane_rename)(struct vnode *fdvp, struct componentname *fcnp,
|
|
struct vnode *tdvp, struct componentname *tcnp,
|
|
kauth_cred_t cred, bool posixly_correct))
|
|
{
|
|
struct vop_rename_args /* {
|
|
struct vnode *a_fdvp;
|
|
struct vnode *a_fvp;
|
|
struct componentname *a_fcnp;
|
|
struct vnode *a_tdvp;
|
|
struct vnode *a_tvp;
|
|
struct componentname *a_tcnp;
|
|
} */ *ap = v;
|
|
struct vnode *fdvp = ap->a_fdvp;
|
|
struct vnode *fvp = ap->a_fvp;
|
|
struct componentname *fcnp = ap->a_fcnp;
|
|
struct vnode *tdvp = ap->a_tdvp;
|
|
struct vnode *tvp = ap->a_tvp;
|
|
struct componentname *tcnp = ap->a_tcnp;
|
|
kauth_cred_t cred;
|
|
int error;
|
|
|
|
KASSERT(fdvp != NULL);
|
|
KASSERT(fvp != NULL);
|
|
KASSERT(fcnp != NULL);
|
|
KASSERT(fcnp->cn_nameptr != NULL);
|
|
KASSERT(tdvp != NULL);
|
|
KASSERT(tcnp != NULL);
|
|
KASSERT(fcnp->cn_nameptr != NULL);
|
|
/* KASSERT(VOP_ISLOCKED(fdvp) != LK_EXCLUSIVE); */
|
|
/* KASSERT(VOP_ISLOCKED(fvp) != LK_EXCLUSIVE); */
|
|
KASSERT(VOP_ISLOCKED(tdvp) == LK_EXCLUSIVE);
|
|
KASSERT((tvp == NULL) || (VOP_ISLOCKED(tvp) == LK_EXCLUSIVE));
|
|
KASSERT(fdvp->v_type == VDIR);
|
|
KASSERT(tdvp->v_type == VDIR);
|
|
|
|
cred = fcnp->cn_cred;
|
|
|
|
/*
|
|
* XXX Want a better equality test. `tcnp->cn_cred == cred'
|
|
* hoses p2k because puffs transmits the creds separately and
|
|
* allocates distinct but equivalent structures for them.
|
|
*/
|
|
KASSERT(kauth_cred_uidmatch(cred, tcnp->cn_cred));
|
|
|
|
/*
|
|
* Sanitize our world from the VFS insanity. Unlock the target
|
|
* directory and node, which are locked. Release the children,
|
|
* which are referenced, since we'll be looking them up again
|
|
* later.
|
|
*/
|
|
|
|
VOP_UNLOCK(tdvp);
|
|
if ((tvp != NULL) && (tvp != tdvp))
|
|
VOP_UNLOCK(tvp);
|
|
|
|
vrele(fvp);
|
|
if (tvp != NULL)
|
|
vrele(tvp);
|
|
|
|
error = (*sane_rename)(fdvp, fcnp, tdvp, tcnp, cred, false);
|
|
|
|
/*
|
|
* All done, whether with success or failure. Release the
|
|
* directory nodes now, as the caller expects from the VFS
|
|
* protocol.
|
|
*/
|
|
vrele(fdvp);
|
|
vrele(tdvp);
|
|
|
|
return error;
|
|
}
|
|
|
|
/*
|
|
* genfs_sane_rename: Generic implementation of the saner API for the
|
|
* rename vop. Handles ancestry checks, locking, and permissions
|
|
* checks. Caller is responsible for implementing the genfs rename
|
|
* operations.
|
|
*
|
|
* fdvp and tdvp must be referenced and unlocked.
|
|
*/
|
|
int
|
|
genfs_sane_rename(const struct genfs_rename_ops *ops,
|
|
struct vnode *fdvp, struct componentname *fcnp, void *fde,
|
|
struct vnode *tdvp, struct componentname *tcnp, void *tde,
|
|
kauth_cred_t cred, bool posixly_correct)
|
|
{
|
|
struct mount *mp;
|
|
struct vnode *fvp = NULL, *tvp = NULL;
|
|
nlink_t tvp_new_nlink = 0;
|
|
int error;
|
|
|
|
KASSERT(ops != NULL);
|
|
KASSERT(fdvp != NULL);
|
|
KASSERT(fcnp != NULL);
|
|
KASSERT(tdvp != NULL);
|
|
KASSERT(tcnp != NULL);
|
|
/* KASSERT(VOP_ISLOCKED(fdvp) != LK_EXCLUSIVE); */
|
|
/* KASSERT(VOP_ISLOCKED(tdvp) != LK_EXCLUSIVE); */
|
|
KASSERT(fdvp->v_type == VDIR);
|
|
KASSERT(tdvp->v_type == VDIR);
|
|
KASSERT(fdvp->v_mount == tdvp->v_mount);
|
|
KASSERT(fcnp != tcnp);
|
|
KASSERT(fcnp->cn_nameiop == DELETE);
|
|
KASSERT(tcnp->cn_nameiop == RENAME);
|
|
|
|
/* XXX Want a better equality test. */
|
|
KASSERT(kauth_cred_uidmatch(cred, fcnp->cn_cred));
|
|
KASSERT(kauth_cred_uidmatch(cred, tcnp->cn_cred));
|
|
|
|
mp = fdvp->v_mount;
|
|
KASSERT(mp != NULL);
|
|
KASSERT(mp == tdvp->v_mount);
|
|
/* XXX How can we be sure this stays true? */
|
|
KASSERT((mp->mnt_flag & MNT_RDONLY) == 0);
|
|
|
|
/* Reject rename("x/..", ...) and rename(..., "x/..") early. */
|
|
if ((fcnp->cn_flags | tcnp->cn_flags) & ISDOTDOT)
|
|
return EINVAL; /* XXX EISDIR? */
|
|
|
|
error = genfs_rename_enter(ops, mp, cred,
|
|
fdvp, fcnp, fde, &fvp,
|
|
tdvp, tcnp, tde, &tvp);
|
|
if (error)
|
|
return error;
|
|
|
|
/*
|
|
* Check that everything is locked and looks right.
|
|
*/
|
|
KASSERT(fvp != NULL);
|
|
KASSERT(VOP_ISLOCKED(fdvp) == LK_EXCLUSIVE);
|
|
KASSERT(VOP_ISLOCKED(fvp) == LK_EXCLUSIVE);
|
|
KASSERT(VOP_ISLOCKED(tdvp) == LK_EXCLUSIVE);
|
|
KASSERT((tvp == NULL) || (VOP_ISLOCKED(tvp) == LK_EXCLUSIVE));
|
|
|
|
/*
|
|
* If the source and destination are the same object, we need
|
|
* only at most delete the source entry. We are guaranteed at
|
|
* this point that the entries are distinct.
|
|
*/
|
|
if (fvp == tvp) {
|
|
KASSERT(tvp != NULL);
|
|
if (fvp->v_type == VDIR)
|
|
/* XXX This shouldn't be possible. */
|
|
error = EINVAL;
|
|
else if (posixly_correct)
|
|
/* POSIX sez to leave them alone. */
|
|
error = 0;
|
|
else if ((fdvp == tdvp) &&
|
|
(fcnp->cn_namelen == tcnp->cn_namelen) &&
|
|
(memcmp(fcnp->cn_nameptr, tcnp->cn_nameptr,
|
|
fcnp->cn_namelen) == 0))
|
|
/* Renaming an entry over itself does nothing. */
|
|
error = 0;
|
|
else {
|
|
/* XXX Can't use VOP_REMOVE because of locking. */
|
|
error = genfs_rename_remove(ops, mp, cred,
|
|
fdvp, fcnp, fde, fvp, &tvp_new_nlink);
|
|
VN_KNOTE(fdvp, NOTE_WRITE);
|
|
VN_KNOTE(fvp,
|
|
tvp_new_nlink == 0 ? NOTE_DELETE : NOTE_LINK);
|
|
}
|
|
goto out;
|
|
}
|
|
KASSERT(fvp != tvp);
|
|
KASSERT((fdvp != tdvp) ||
|
|
(fcnp->cn_namelen != tcnp->cn_namelen) ||
|
|
(memcmp(fcnp->cn_nameptr, tcnp->cn_nameptr, fcnp->cn_namelen)
|
|
!= 0));
|
|
|
|
/*
|
|
* If the target exists, refuse to rename a directory over a
|
|
* non-directory or vice versa, or to clobber a non-empty
|
|
* directory.
|
|
*/
|
|
if (tvp != NULL) {
|
|
if (fvp->v_type == VDIR && tvp->v_type == VDIR)
|
|
error =
|
|
(ops->gro_directory_empty_p(mp, cred, tvp, tdvp)?
|
|
0 : ENOTEMPTY);
|
|
else if (fvp->v_type == VDIR && tvp->v_type != VDIR)
|
|
error = ENOTDIR;
|
|
else if (fvp->v_type != VDIR && tvp->v_type == VDIR)
|
|
error = EISDIR;
|
|
else
|
|
error = 0;
|
|
if (error)
|
|
goto out;
|
|
KASSERT((fvp->v_type == VDIR) == (tvp->v_type == VDIR));
|
|
}
|
|
|
|
/*
|
|
* Authorize the rename.
|
|
*/
|
|
error = ops->gro_rename_check_possible(mp, fdvp, fvp, tdvp, tvp);
|
|
if (error)
|
|
goto out;
|
|
error = ops->gro_rename_check_permitted(mp, cred, fdvp, fvp, tdvp, tvp);
|
|
error = kauth_authorize_vnode(cred, KAUTH_VNODE_DELETE, fvp, fdvp,
|
|
error);
|
|
error = kauth_authorize_vnode(cred, KAUTH_VNODE_RENAME, tvp, tdvp,
|
|
error);
|
|
if (error)
|
|
goto out;
|
|
|
|
/*
|
|
* Everything is hunky-dory. Shuffle the directory entries.
|
|
*/
|
|
error = ops->gro_rename(mp, cred,
|
|
fdvp, fcnp, fde, fvp,
|
|
tdvp, tcnp, tde, tvp,
|
|
&tvp_new_nlink);
|
|
if (error)
|
|
goto out;
|
|
|
|
/* Success! */
|
|
genfs_rename_knote(fdvp, fvp, tdvp, tvp, tvp_new_nlink);
|
|
|
|
out:
|
|
genfs_rename_exit(ops, mp, fdvp, fvp, tdvp, tvp);
|
|
return error;
|
|
}
|
|
|
|
/*
|
|
* genfs_rename_knote: Note events about the various vnodes in a
|
|
* rename. To be called by gro_rename on success. The only pair of
|
|
* vnodes that may be identical is {fdvp, tdvp}. tvp_new_nlink is
|
|
* the resulting link count of tvp.
|
|
*/
|
|
void
|
|
genfs_rename_knote(struct vnode *fdvp, struct vnode *fvp,
|
|
struct vnode *tdvp, struct vnode *tvp, nlink_t tvp_new_nlink)
|
|
{
|
|
long fdvp_events, tdvp_events;
|
|
bool directory_p, reparent_p, replaced_p;
|
|
|
|
KASSERT(fdvp != NULL);
|
|
KASSERT(fvp != NULL);
|
|
KASSERT(tdvp != NULL);
|
|
KASSERT(fdvp != fvp);
|
|
KASSERT(fdvp != tvp);
|
|
KASSERT(tdvp != fvp);
|
|
KASSERT(tdvp != tvp);
|
|
KASSERT(fvp != tvp);
|
|
KASSERT(VOP_ISLOCKED(fdvp) == LK_EXCLUSIVE);
|
|
KASSERT(VOP_ISLOCKED(fvp) == LK_EXCLUSIVE);
|
|
KASSERT(VOP_ISLOCKED(tdvp) == LK_EXCLUSIVE);
|
|
KASSERT((tvp == NULL) || (VOP_ISLOCKED(tvp) == LK_EXCLUSIVE));
|
|
|
|
directory_p = (fvp->v_type == VDIR);
|
|
reparent_p = (fdvp != tdvp);
|
|
replaced_p = (tvp != NULL);
|
|
|
|
KASSERT((tvp == NULL) || (directory_p == (tvp->v_type == VDIR)));
|
|
|
|
fdvp_events = NOTE_WRITE;
|
|
if (directory_p && reparent_p)
|
|
fdvp_events |= NOTE_LINK;
|
|
VN_KNOTE(fdvp, fdvp_events);
|
|
|
|
VN_KNOTE(fvp, NOTE_RENAME);
|
|
|
|
if (reparent_p) {
|
|
tdvp_events = NOTE_WRITE;
|
|
if (!replaced_p) {
|
|
tdvp_events |= NOTE_EXTEND;
|
|
if (directory_p)
|
|
tdvp_events |= NOTE_LINK;
|
|
}
|
|
VN_KNOTE(tdvp, tdvp_events);
|
|
}
|
|
|
|
if (replaced_p)
|
|
VN_KNOTE(tvp, (tvp_new_nlink == 0 ? NOTE_DELETE : NOTE_LINK));
|
|
}
|
|
|
|
/*
|
|
* genfs_rename_cache_purge: Purge the name cache. To be called by
|
|
* gro_rename on success. The only pair of vnodes that may be
|
|
* identical is {fdvp, tdvp}.
|
|
*/
|
|
void
|
|
genfs_rename_cache_purge(struct vnode *fdvp, struct vnode *fvp,
|
|
struct vnode *tdvp, struct vnode *tvp)
|
|
{
|
|
|
|
KASSERT(fdvp != NULL);
|
|
KASSERT(fvp != NULL);
|
|
KASSERT(tdvp != NULL);
|
|
KASSERT(fdvp != fvp);
|
|
KASSERT(fdvp != tvp);
|
|
KASSERT(tdvp != fvp);
|
|
KASSERT(tdvp != tvp);
|
|
KASSERT(fvp != tvp);
|
|
KASSERT(fdvp->v_type == VDIR);
|
|
KASSERT(tdvp->v_type == VDIR);
|
|
|
|
/*
|
|
* XXX What actually needs to be purged?
|
|
*/
|
|
|
|
cache_purge(fdvp);
|
|
|
|
if (fvp->v_type == VDIR)
|
|
cache_purge(fvp);
|
|
|
|
if (tdvp != fdvp)
|
|
cache_purge(tdvp);
|
|
|
|
if ((tvp != NULL) && (tvp->v_type == VDIR))
|
|
cache_purge(tvp);
|
|
}
|
|
|
|
/*
|
|
* genfs_rename_enter: Look up fcnp in fdvp, and store the lookup
|
|
* results in *fde_ret and the associated vnode in *fvp_ret; fail if
|
|
* not found. Look up tcnp in tdvp, and store the lookup results in
|
|
* *tde_ret and the associated vnode in *tvp_ret; store null instead if
|
|
* not found. Fail if anything has been mounted on any of the nodes
|
|
* involved.
|
|
*
|
|
* fdvp and tdvp must be referenced.
|
|
*
|
|
* On entry, nothing is locked.
|
|
*
|
|
* On success, everything is locked, and *fvp_ret, and *tvp_ret if
|
|
* nonnull, are referenced. The only pairs of vnodes that may be
|
|
* identical are {fdvp, tdvp} and {fvp, tvp}.
|
|
*
|
|
* On failure, everything remains as was.
|
|
*
|
|
* Locking everything including the source and target nodes is
|
|
* necessary to make sure that, e.g., link count updates are OK. The
|
|
* locking order is, in general, ancestor-first, matching the order you
|
|
* need to use to look up a descendant anyway.
|
|
*/
|
|
static int
|
|
genfs_rename_enter(const struct genfs_rename_ops *ops,
|
|
struct mount *mp, kauth_cred_t cred,
|
|
struct vnode *fdvp, struct componentname *fcnp,
|
|
void *fde_ret, struct vnode **fvp_ret,
|
|
struct vnode *tdvp, struct componentname *tcnp,
|
|
void *tde_ret, struct vnode **tvp_ret)
|
|
{
|
|
int error;
|
|
|
|
KASSERT(mp != NULL);
|
|
KASSERT(fdvp != NULL);
|
|
KASSERT(fcnp != NULL);
|
|
KASSERT(fvp_ret != NULL);
|
|
KASSERT(tdvp != NULL);
|
|
KASSERT(tcnp != NULL);
|
|
KASSERT(tvp_ret != NULL);
|
|
KASSERT(fvp_ret != tvp_ret);
|
|
KASSERT(fdvp->v_type == VDIR);
|
|
KASSERT(tdvp->v_type == VDIR);
|
|
KASSERT(fdvp->v_mount == mp);
|
|
KASSERT(tdvp->v_mount == mp);
|
|
|
|
if (fdvp == tdvp)
|
|
error = genfs_rename_enter_common(ops, mp, cred, fdvp,
|
|
fcnp, fde_ret, fvp_ret,
|
|
tcnp, tde_ret, tvp_ret);
|
|
else
|
|
error = genfs_rename_enter_separate(ops, mp, cred,
|
|
fdvp, fcnp, fde_ret, fvp_ret,
|
|
tdvp, tcnp, tde_ret, tvp_ret);
|
|
|
|
if (error)
|
|
return error;
|
|
|
|
KASSERT(*fvp_ret != NULL);
|
|
KASSERT(VOP_ISLOCKED(*fvp_ret) == LK_EXCLUSIVE);
|
|
KASSERT((*tvp_ret == NULL) || (VOP_ISLOCKED(*tvp_ret) == LK_EXCLUSIVE));
|
|
KASSERT(*fvp_ret != fdvp);
|
|
KASSERT(*fvp_ret != tdvp);
|
|
KASSERT(*tvp_ret != fdvp);
|
|
KASSERT(*tvp_ret != tdvp);
|
|
return 0;
|
|
}
|
|
|
|
/*
|
|
* genfs_rename_enter_common: Lock and look up with a common
|
|
* source/target directory.
|
|
*/
|
|
static int
|
|
genfs_rename_enter_common(const struct genfs_rename_ops *ops,
|
|
struct mount *mp, kauth_cred_t cred, struct vnode *dvp,
|
|
struct componentname *fcnp,
|
|
void *fde_ret, struct vnode **fvp_ret,
|
|
struct componentname *tcnp,
|
|
void *tde_ret, struct vnode **tvp_ret)
|
|
{
|
|
struct vnode *fvp, *tvp;
|
|
int error;
|
|
|
|
KASSERT(ops != NULL);
|
|
KASSERT(mp != NULL);
|
|
KASSERT(dvp != NULL);
|
|
KASSERT(fcnp != NULL);
|
|
KASSERT(fvp_ret != NULL);
|
|
KASSERT(tcnp != NULL);
|
|
KASSERT(tvp_ret != NULL);
|
|
KASSERT(dvp->v_type == VDIR);
|
|
KASSERT(dvp->v_mount == mp);
|
|
|
|
error = ops->gro_lock_directory(mp, dvp);
|
|
if (error)
|
|
goto fail0;
|
|
|
|
/* Did we lose a race with mount? */
|
|
if (dvp->v_mountedhere != NULL) {
|
|
error = EBUSY;
|
|
goto fail1;
|
|
}
|
|
|
|
KASSERT(fcnp->cn_nameiop == DELETE);
|
|
error = ops->gro_lookup(mp, dvp, fcnp, fde_ret, &fvp);
|
|
if (error)
|
|
goto fail1;
|
|
|
|
KASSERT(fvp != NULL);
|
|
|
|
/* Refuse to rename `.'. */
|
|
if (fvp == dvp) {
|
|
error = EINVAL;
|
|
goto fail2;
|
|
}
|
|
KASSERT(fvp != dvp);
|
|
|
|
KASSERT(tcnp->cn_nameiop == RENAME);
|
|
error = ops->gro_lookup(mp, dvp, tcnp, tde_ret, &tvp);
|
|
if (error == ENOENT) {
|
|
tvp = NULL;
|
|
} else if (error) {
|
|
goto fail2;
|
|
} else {
|
|
KASSERT(tvp != NULL);
|
|
|
|
/* Refuse to rename over `.'. */
|
|
if (tvp == dvp) {
|
|
error = EISDIR; /* XXX EINVAL? */
|
|
goto fail2;
|
|
}
|
|
}
|
|
KASSERT(tvp != dvp);
|
|
|
|
/*
|
|
* We've looked up both nodes. Now lock them and check them.
|
|
*/
|
|
|
|
vn_lock(fvp, LK_EXCLUSIVE | LK_RETRY);
|
|
KASSERT(fvp->v_mount == mp);
|
|
/* Refuse to rename a mount point. */
|
|
if ((fvp->v_type == VDIR) && (fvp->v_mountedhere != NULL)) {
|
|
error = EBUSY;
|
|
goto fail3;
|
|
}
|
|
|
|
if ((tvp != NULL) && (tvp != fvp)) {
|
|
vn_lock(tvp, LK_EXCLUSIVE | LK_RETRY);
|
|
KASSERT(tvp->v_mount == mp);
|
|
/* Refuse to rename over a mount point. */
|
|
if ((tvp->v_type == VDIR) && (tvp->v_mountedhere != NULL)) {
|
|
error = EBUSY;
|
|
goto fail4;
|
|
}
|
|
}
|
|
|
|
KASSERT(VOP_ISLOCKED(dvp) == LK_EXCLUSIVE);
|
|
KASSERT(VOP_ISLOCKED(fvp) == LK_EXCLUSIVE);
|
|
KASSERT((tvp == NULL) || (VOP_ISLOCKED(tvp) == LK_EXCLUSIVE));
|
|
|
|
*fvp_ret = fvp;
|
|
*tvp_ret = tvp;
|
|
return 0;
|
|
|
|
fail4: if ((tvp != NULL) && (tvp != fvp))
|
|
VOP_UNLOCK(tvp);
|
|
fail3: VOP_UNLOCK(fvp);
|
|
if (tvp != NULL)
|
|
vrele(tvp);
|
|
fail2: vrele(fvp);
|
|
fail1: VOP_UNLOCK(dvp);
|
|
fail0: return error;
|
|
}
|
|
|
|
/*
|
|
* genfs_rename_enter_separate: Lock and look up with separate source
|
|
* and target directories.
|
|
*/
|
|
static int
|
|
genfs_rename_enter_separate(const struct genfs_rename_ops *ops,
|
|
struct mount *mp, kauth_cred_t cred,
|
|
struct vnode *fdvp, struct componentname *fcnp,
|
|
void *fde_ret, struct vnode **fvp_ret,
|
|
struct vnode *tdvp, struct componentname *tcnp,
|
|
void *tde_ret, struct vnode **tvp_ret)
|
|
{
|
|
struct vnode *intermediate_node;
|
|
struct vnode *fvp, *tvp;
|
|
int error;
|
|
|
|
KASSERT(ops != NULL);
|
|
KASSERT(mp != NULL);
|
|
KASSERT(fdvp != NULL);
|
|
KASSERT(fcnp != NULL);
|
|
KASSERT(fvp_ret != NULL);
|
|
KASSERT(tdvp != NULL);
|
|
KASSERT(tcnp != NULL);
|
|
KASSERT(tvp_ret != NULL);
|
|
KASSERT(fdvp != tdvp);
|
|
KASSERT(fcnp != tcnp);
|
|
KASSERT(fcnp->cn_nameiop == DELETE);
|
|
KASSERT(tcnp->cn_nameiop == RENAME);
|
|
KASSERT(fvp_ret != tvp_ret);
|
|
KASSERT(fdvp->v_type == VDIR);
|
|
KASSERT(tdvp->v_type == VDIR);
|
|
KASSERT(fdvp->v_mount == mp);
|
|
KASSERT(tdvp->v_mount == mp);
|
|
|
|
error = ops->gro_genealogy(mp, cred, fdvp, tdvp, &intermediate_node);
|
|
if (error)
|
|
return error;
|
|
|
|
/*
|
|
* intermediate_node == NULL means fdvp is not an ancestor of tdvp.
|
|
*/
|
|
if (intermediate_node == NULL)
|
|
error = genfs_rename_lock(ops, mp, cred,
|
|
ENOTEMPTY, EISDIR, EINVAL,
|
|
tdvp, tcnp, true, tde_ret, &tvp,
|
|
fdvp, fcnp, false, fde_ret, &fvp);
|
|
else
|
|
error = genfs_rename_lock(ops, mp, cred,
|
|
EINVAL, EISDIR, EINVAL,
|
|
fdvp, fcnp, false, fde_ret, &fvp,
|
|
tdvp, tcnp, true, tde_ret, &tvp);
|
|
if (error)
|
|
goto out;
|
|
|
|
KASSERT(fvp != NULL);
|
|
|
|
/*
|
|
* Reject rename("foo/bar", "foo/bar/baz/quux/zot").
|
|
*/
|
|
if (fvp == intermediate_node) {
|
|
genfs_rename_exit(ops, mp, fdvp, fvp, tdvp, tvp);
|
|
error = EINVAL;
|
|
goto out;
|
|
}
|
|
|
|
*fvp_ret = fvp;
|
|
*tvp_ret = tvp;
|
|
error = 0;
|
|
|
|
out: if (intermediate_node != NULL)
|
|
vrele(intermediate_node);
|
|
return error;
|
|
}
|
|
|
|
/*
|
|
* genfs_rename_lock: Lookup and lock it all. The lock order is:
|
|
*
|
|
* a_dvp -> a_vp -> b_dvp -> b_vp,
|
|
*
|
|
* except if a_vp is a nondirectory in which case the lock order is:
|
|
*
|
|
* a_dvp -> b_dvp -> b_vp -> a_vp,
|
|
*
|
|
* which can't violate ancestor->descendant because a_vp has no
|
|
* descendants in this case. This edge case is necessary because some
|
|
* file systems can only lookup/lock/unlock, and we can't hold a_vp
|
|
* locked when we lookup/lock/unlock b_vp if they turn out to be the
|
|
* same, and we can't find out that they're the same until after the
|
|
* lookup.
|
|
*
|
|
* b_dvp must not be an ancestor of a_dvp, although a_dvp may be an
|
|
* ancestor of b_dvp.
|
|
*
|
|
* Fail with overlap_error if node a is directory b. Neither
|
|
* componentname may be `.' or `..'.
|
|
*
|
|
* a_dvp and b_dvp must be referenced.
|
|
*
|
|
* On entry, a_dvp and b_dvp are unlocked.
|
|
*
|
|
* On success,
|
|
* . a_dvp and b_dvp are locked,
|
|
* . *a_dirent_ret is filled with a directory entry whose node is
|
|
* locked and referenced,
|
|
* . *b_vp_ret is filled with the corresponding vnode,
|
|
* . *b_dirent_ret is filled either with null or with a directory entry
|
|
* whose node is locked and referenced,
|
|
* . *b_vp is filled either with null or with the corresponding vnode,
|
|
* and
|
|
* . the only pair of vnodes that may be identical is a_vp and b_vp.
|
|
*
|
|
* On failure, a_dvp and b_dvp are left unlocked, and *a_dirent_ret,
|
|
* *a_vp, *b_dirent_ret, and *b_vp are left alone.
|
|
*/
|
|
static int
|
|
genfs_rename_lock(const struct genfs_rename_ops *ops,
|
|
struct mount *mp, kauth_cred_t cred,
|
|
int overlap_error, int a_dot_error, int b_dot_error,
|
|
struct vnode *a_dvp, struct componentname *a_cnp, bool a_missing_ok,
|
|
void *a_de_ret, struct vnode **a_vp_ret,
|
|
struct vnode *b_dvp, struct componentname *b_cnp, bool b_missing_ok,
|
|
void *b_de_ret, struct vnode **b_vp_ret)
|
|
{
|
|
struct vnode *a_vp, *b_vp;
|
|
int error;
|
|
|
|
KASSERT(ops != NULL);
|
|
KASSERT(mp != NULL);
|
|
KASSERT(a_dvp != NULL);
|
|
KASSERT(a_cnp != NULL);
|
|
KASSERT(a_vp_ret != NULL);
|
|
KASSERT(b_dvp != NULL);
|
|
KASSERT(b_cnp != NULL);
|
|
KASSERT(b_vp_ret != NULL);
|
|
KASSERT(a_dvp != b_dvp);
|
|
KASSERT(a_vp_ret != b_vp_ret);
|
|
KASSERT(a_dvp->v_type == VDIR);
|
|
KASSERT(b_dvp->v_type == VDIR);
|
|
KASSERT(a_dvp->v_mount == mp);
|
|
KASSERT(b_dvp->v_mount == mp);
|
|
KASSERT(a_missing_ok != b_missing_ok);
|
|
|
|
/*
|
|
* 1. Lock a_dvp.
|
|
*/
|
|
error = ops->gro_lock_directory(mp, a_dvp);
|
|
if (error)
|
|
goto fail0;
|
|
|
|
/* Did we lose a race with mount? */
|
|
if (a_dvp->v_mountedhere != NULL) {
|
|
error = EBUSY;
|
|
goto fail1;
|
|
}
|
|
|
|
/*
|
|
* 2. Lookup a_vp. May lock/unlock a_vp.
|
|
*/
|
|
error = ops->gro_lookup(mp, a_dvp, a_cnp, a_de_ret, &a_vp);
|
|
if (error) {
|
|
if (a_missing_ok && (error == ENOENT))
|
|
a_vp = NULL;
|
|
else
|
|
goto fail1;
|
|
} else {
|
|
KASSERT(a_vp != NULL);
|
|
|
|
/* Refuse to rename (over) `.'. */
|
|
if (a_vp == a_dvp) {
|
|
error = a_dot_error;
|
|
goto fail2;
|
|
}
|
|
|
|
/* Reject rename("x", "x/y") or rename("x/y", "x"). */
|
|
if (a_vp == b_dvp) {
|
|
error = overlap_error;
|
|
goto fail2;
|
|
}
|
|
}
|
|
|
|
KASSERT(a_vp != a_dvp);
|
|
KASSERT(a_vp != b_dvp);
|
|
|
|
/*
|
|
* 3. Lock a_vp, if it is a directory.
|
|
*
|
|
* We already ruled out a_vp == a_dvp (i.e., a_cnp is `.'), so
|
|
* this is not locking against self, and we already ruled out
|
|
* a_vp == b_dvp, so this won't cause subsequent locking of
|
|
* b_dvp to lock against self.
|
|
*
|
|
* If a_vp is a nondirectory, we can't hold it when we lookup
|
|
* b_vp in case (a) the file system can only lookup/lock/unlock
|
|
* and (b) b_vp turns out to be the same file as a_vp due to
|
|
* hard links -- and we can't even detect that case until after
|
|
* we've looked up b_vp. Fortunately, if a_vp is a
|
|
* nondirectory, then it is a leaf, so we can safely lock it
|
|
* last.
|
|
*/
|
|
if (a_vp != NULL && a_vp->v_type == VDIR) {
|
|
vn_lock(a_vp, LK_EXCLUSIVE | LK_RETRY);
|
|
KASSERT(a_vp->v_mount == mp);
|
|
/* Refuse to rename (over) a mount point. */
|
|
if (a_vp->v_mountedhere != NULL) {
|
|
error = EBUSY;
|
|
goto fail3;
|
|
}
|
|
}
|
|
|
|
/*
|
|
* 4. Lock b_dvp.
|
|
*/
|
|
error = ops->gro_lock_directory(mp, b_dvp);
|
|
if (error)
|
|
goto fail3;
|
|
|
|
/* Did we lose a race with mount? */
|
|
if (b_dvp->v_mountedhere != NULL) {
|
|
error = EBUSY;
|
|
goto fail4;
|
|
}
|
|
|
|
/*
|
|
* 5. Lookup b_vp. May lock/unlock b_vp.
|
|
*/
|
|
error = ops->gro_lookup(mp, b_dvp, b_cnp, b_de_ret, &b_vp);
|
|
if (error) {
|
|
if (b_missing_ok && (error == ENOENT))
|
|
b_vp = NULL;
|
|
else
|
|
goto fail4;
|
|
} else {
|
|
KASSERT(b_vp != NULL);
|
|
|
|
/* Refuse to rename (over) `.'. */
|
|
if (b_vp == b_dvp) {
|
|
error = b_dot_error;
|
|
goto fail5;
|
|
}
|
|
|
|
/*
|
|
* b_dvp must not be an ancestor of a_dvp, so if we
|
|
* find b_dvp/b_vp=a_dvp/a_vp something is wrong.
|
|
*/
|
|
if (b_vp == a_dvp) {
|
|
/*
|
|
* We have a directory hard link before us.
|
|
* XXX What error should this return? EDEADLK?
|
|
* Panic?
|
|
*/
|
|
error = EIO;
|
|
goto fail5;
|
|
}
|
|
}
|
|
KASSERT(b_vp != b_dvp);
|
|
KASSERT(b_vp != a_dvp);
|
|
|
|
/*
|
|
* 6. Lock a_vp, if it is a nondirectory.
|
|
*
|
|
* In this case a_vp is a leaf, so it is either equal to or
|
|
* incommensurate with b_vp, and so we can safely lock it at
|
|
* any point now.
|
|
*/
|
|
if (a_vp != NULL && a_vp->v_type != VDIR) {
|
|
vn_lock(a_vp, LK_EXCLUSIVE | LK_RETRY);
|
|
KASSERT(a_vp->v_mount == mp);
|
|
/* (not a directory so can't have anything mounted here) */
|
|
}
|
|
|
|
/*
|
|
* 7. Lock b_vp, if it is not a_vp.
|
|
*
|
|
* b_vp and a_vp may the same inode if they are hard links to
|
|
* one another.
|
|
*/
|
|
if ((b_vp != NULL) && (b_vp != a_vp)) {
|
|
vn_lock(b_vp, LK_EXCLUSIVE | LK_RETRY);
|
|
KASSERT(b_vp->v_mount == mp);
|
|
/* Refuse to rename (over) a mount point. */
|
|
if ((b_vp->v_type == VDIR) && (b_vp->v_mountedhere != NULL)) {
|
|
error = EBUSY;
|
|
goto fail6;
|
|
}
|
|
}
|
|
|
|
KASSERT(VOP_ISLOCKED(a_dvp) == LK_EXCLUSIVE);
|
|
KASSERT(VOP_ISLOCKED(b_dvp) == LK_EXCLUSIVE);
|
|
KASSERT(a_missing_ok || (a_vp != NULL));
|
|
KASSERT(b_missing_ok || (b_vp != NULL));
|
|
KASSERT((a_vp == NULL) || (VOP_ISLOCKED(a_vp) == LK_EXCLUSIVE));
|
|
KASSERT((b_vp == NULL) || (VOP_ISLOCKED(b_vp) == LK_EXCLUSIVE));
|
|
|
|
*a_vp_ret = a_vp;
|
|
*b_vp_ret = b_vp;
|
|
return 0;
|
|
|
|
fail6: if ((b_vp != NULL) && (b_vp != a_vp))
|
|
VOP_UNLOCK(b_vp);
|
|
if (a_vp != NULL && a_vp->v_type != VDIR)
|
|
VOP_UNLOCK(a_vp);
|
|
fail5: if (b_vp != NULL)
|
|
vrele(b_vp);
|
|
fail4: VOP_UNLOCK(b_dvp);
|
|
fail3: if (a_vp != NULL && a_vp->v_type == VDIR)
|
|
VOP_UNLOCK(a_vp);
|
|
fail2: if (a_vp != NULL)
|
|
vrele(a_vp);
|
|
fail1: VOP_UNLOCK(a_dvp);
|
|
fail0: return error;
|
|
}
|
|
|
|
/*
|
|
* genfs_rename_exit: Unlock everything we locked for rename.
|
|
*
|
|
* fdvp and tdvp must be referenced.
|
|
*
|
|
* On entry, everything is locked, and fvp and tvp referenced.
|
|
*
|
|
* On exit, everything is unlocked, and fvp and tvp are released.
|
|
*/
|
|
static void
|
|
genfs_rename_exit(const struct genfs_rename_ops *ops,
|
|
struct mount *mp,
|
|
struct vnode *fdvp, struct vnode *fvp,
|
|
struct vnode *tdvp, struct vnode *tvp)
|
|
{
|
|
|
|
(void)ops;
|
|
KASSERT(ops != NULL);
|
|
KASSERT(mp != NULL);
|
|
KASSERT(fdvp != NULL);
|
|
KASSERT(fvp != NULL);
|
|
KASSERT(fdvp != fvp);
|
|
KASSERT(fdvp != tvp);
|
|
KASSERT(tdvp != tvp);
|
|
KASSERT(tdvp != fvp);
|
|
KASSERT(VOP_ISLOCKED(fdvp) == LK_EXCLUSIVE);
|
|
KASSERT(VOP_ISLOCKED(tdvp) == LK_EXCLUSIVE);
|
|
KASSERT(VOP_ISLOCKED(fvp) == LK_EXCLUSIVE);
|
|
KASSERT((tvp == NULL) || (VOP_ISLOCKED(tvp) == LK_EXCLUSIVE));
|
|
|
|
if ((tvp != NULL) && (tvp != fvp))
|
|
VOP_UNLOCK(tvp);
|
|
VOP_UNLOCK(fvp);
|
|
if (tvp != NULL)
|
|
vrele(tvp);
|
|
if (tdvp != fdvp)
|
|
VOP_UNLOCK(tdvp);
|
|
vrele(fvp);
|
|
VOP_UNLOCK(fdvp);
|
|
}
|
|
|
|
/*
|
|
* genfs_rename_remove: Remove the entry for the non-directory vp with
|
|
* componentname cnp from the directory dvp, using the lookup results
|
|
* de. It is the responsibility of gro_remove to purge the name cache.
|
|
*
|
|
* Everything must be locked and referenced.
|
|
*/
|
|
static int
|
|
genfs_rename_remove(const struct genfs_rename_ops *ops,
|
|
struct mount *mp, kauth_cred_t cred,
|
|
struct vnode *dvp, struct componentname *cnp, void *de, struct vnode *vp,
|
|
nlink_t *tvp_nlinkp)
|
|
{
|
|
int error;
|
|
|
|
KASSERT(ops != NULL);
|
|
KASSERT(mp != NULL);
|
|
KASSERT(dvp != NULL);
|
|
KASSERT(cnp != NULL);
|
|
KASSERT(vp != NULL);
|
|
KASSERT(dvp != vp);
|
|
KASSERT(dvp->v_type == VDIR);
|
|
KASSERT(vp->v_type != VDIR);
|
|
KASSERT(dvp->v_mount == mp);
|
|
KASSERT(vp->v_mount == mp);
|
|
KASSERT(VOP_ISLOCKED(dvp) == LK_EXCLUSIVE);
|
|
KASSERT(VOP_ISLOCKED(vp) == LK_EXCLUSIVE);
|
|
|
|
error = ops->gro_remove_check_possible(mp, dvp, vp);
|
|
if (error)
|
|
return error;
|
|
|
|
error = ops->gro_remove_check_permitted(mp, cred, dvp, vp);
|
|
error = kauth_authorize_vnode(cred, KAUTH_VNODE_DELETE, vp, dvp,
|
|
error);
|
|
if (error)
|
|
return error;
|
|
|
|
error = ops->gro_remove(mp, cred, dvp, cnp, de, vp, tvp_nlinkp);
|
|
if (error)
|
|
return error;
|
|
|
|
return 0;
|
|
}
|
|
|
|
static int
|
|
genfs_ufslike_check_sticky(kauth_cred_t, mode_t, uid_t, struct vnode *, uid_t);
|
|
|
|
/*
|
|
* genfs_ufslike_rename_check_possible: Check whether a rename is
|
|
* possible independent of credentials, assuming UFS-like inode flag
|
|
* semantics. clobber_p is true iff the target node already exists.
|
|
*/
|
|
int
|
|
genfs_ufslike_rename_check_possible(
|
|
unsigned long fdflags, unsigned long fflags,
|
|
unsigned long tdflags, unsigned long tflags, bool clobber_p,
|
|
unsigned long immutable, unsigned long append)
|
|
{
|
|
|
|
if ((fdflags | fflags) & (immutable | append))
|
|
return EPERM;
|
|
|
|
if (tdflags & (immutable | (clobber_p? append : 0)))
|
|
return EPERM;
|
|
|
|
if (clobber_p && (tflags & (immutable | append)))
|
|
return EPERM;
|
|
|
|
return 0;
|
|
}
|
|
|
|
/*
|
|
* genfs_ufslike_rename_check_permitted: Check whether a rename is
|
|
* permitted given our credentials, assuming UFS-like permission and
|
|
* ownership semantics.
|
|
*
|
|
* The only pair of vnodes that may be identical is {fdvp, tdvp}.
|
|
*
|
|
* Everything must be locked and referenced.
|
|
*/
|
|
int
|
|
genfs_ufslike_rename_check_permitted(kauth_cred_t cred,
|
|
struct vnode *fdvp, mode_t fdmode, uid_t fduid,
|
|
struct vnode *fvp, uid_t fuid,
|
|
struct vnode *tdvp, mode_t tdmode, uid_t tduid,
|
|
struct vnode *tvp, uid_t tuid)
|
|
{
|
|
int error;
|
|
|
|
KASSERT(fdvp != NULL);
|
|
KASSERT(fvp != NULL);
|
|
KASSERT(tdvp != NULL);
|
|
KASSERT(fdvp != fvp);
|
|
KASSERT(fdvp != tvp);
|
|
KASSERT(tdvp != fvp);
|
|
KASSERT(tdvp != tvp);
|
|
KASSERT(fvp != tvp);
|
|
KASSERT(fdvp->v_type == VDIR);
|
|
KASSERT(tdvp->v_type == VDIR);
|
|
KASSERT(fdvp->v_mount == fvp->v_mount);
|
|
KASSERT(fdvp->v_mount == tdvp->v_mount);
|
|
KASSERT((tvp == NULL) || (fdvp->v_mount == tvp->v_mount));
|
|
KASSERT(VOP_ISLOCKED(fdvp) == LK_EXCLUSIVE);
|
|
KASSERT(VOP_ISLOCKED(fvp) == LK_EXCLUSIVE);
|
|
KASSERT(VOP_ISLOCKED(tdvp) == LK_EXCLUSIVE);
|
|
KASSERT((tvp == NULL) || (VOP_ISLOCKED(tvp) == LK_EXCLUSIVE));
|
|
|
|
/*
|
|
* We need to remove or change an entry in the source directory.
|
|
*/
|
|
error = VOP_ACCESS(fdvp, VWRITE, cred);
|
|
if (error)
|
|
return error;
|
|
|
|
/*
|
|
* If we are changing directories, then we need to write to the
|
|
* target directory to add or change an entry. Also, if fvp is
|
|
* a directory, we need to write to it to change its `..'
|
|
* entry.
|
|
*/
|
|
if (fdvp != tdvp) {
|
|
error = VOP_ACCESS(tdvp, VWRITE, cred);
|
|
if (error)
|
|
return error;
|
|
if (fvp->v_type == VDIR) {
|
|
error = VOP_ACCESS(fvp, VWRITE, cred);
|
|
if (error)
|
|
return error;
|
|
}
|
|
}
|
|
|
|
error = genfs_ufslike_check_sticky(cred, fdmode, fduid, fvp, fuid);
|
|
if (error)
|
|
return error;
|
|
|
|
error = genfs_ufslike_check_sticky(cred, tdmode, tduid, tvp, tuid);
|
|
if (error)
|
|
return error;
|
|
|
|
return 0;
|
|
}
|
|
|
|
/*
|
|
* genfs_ufslike_remove_check_possible: Check whether a remove is
|
|
* possible independent of credentials, assuming UFS-like inode flag
|
|
* semantics.
|
|
*/
|
|
int
|
|
genfs_ufslike_remove_check_possible(unsigned long dflags, unsigned long flags,
|
|
unsigned long immutable, unsigned long append)
|
|
{
|
|
|
|
/*
|
|
* We want to delete the entry. If the directory is immutable,
|
|
* we can't write to it to delete the entry. If the directory
|
|
* is append-only, the only change we can make is to add
|
|
* entries, so we can't delete entries. If the node is
|
|
* immutable, we can't change the links to it, so we can't
|
|
* delete the entry. If the node is append-only...well, this
|
|
* is what UFS does.
|
|
*/
|
|
if ((dflags | flags) & (immutable | append))
|
|
return EPERM;
|
|
|
|
return 0;
|
|
}
|
|
|
|
/*
|
|
* genfs_ufslike_remove_check_permitted: Check whether a remove is
|
|
* permitted given our credentials, assuming UFS-like permission and
|
|
* ownership semantics.
|
|
*
|
|
* Everything must be locked and referenced.
|
|
*/
|
|
int
|
|
genfs_ufslike_remove_check_permitted(kauth_cred_t cred,
|
|
struct vnode *dvp, mode_t dmode, uid_t duid,
|
|
struct vnode *vp, uid_t uid)
|
|
{
|
|
int error;
|
|
|
|
KASSERT(dvp != NULL);
|
|
KASSERT(vp != NULL);
|
|
KASSERT(dvp != vp);
|
|
KASSERT(dvp->v_type == VDIR);
|
|
KASSERT(vp->v_type != VDIR);
|
|
KASSERT(dvp->v_mount == vp->v_mount);
|
|
KASSERT(VOP_ISLOCKED(dvp) == LK_EXCLUSIVE);
|
|
KASSERT(VOP_ISLOCKED(vp) == LK_EXCLUSIVE);
|
|
|
|
/*
|
|
* We need to write to the directory to remove from it.
|
|
*/
|
|
error = VOP_ACCESS(dvp, VWRITE, cred);
|
|
if (error)
|
|
return error;
|
|
|
|
error = genfs_ufslike_check_sticky(cred, dmode, duid, vp, uid);
|
|
if (error)
|
|
return error;
|
|
|
|
return 0;
|
|
}
|
|
|
|
/*
|
|
* genfs_ufslike_check_sticky: Check whether a party with credentials
|
|
* cred may change an entry in a sticky directory, assuming UFS-like
|
|
* permission, ownership, and stickiness semantics: If the directory is
|
|
* sticky and the entry exists, the user must own either the directory
|
|
* or the entry's node in order to change the entry.
|
|
*
|
|
* Everything must be locked and referenced.
|
|
*/
|
|
int
|
|
genfs_ufslike_check_sticky(kauth_cred_t cred, mode_t dmode, uid_t duid,
|
|
struct vnode *vp, uid_t uid)
|
|
{
|
|
|
|
if ((dmode & S_ISTXT) && (vp != NULL))
|
|
return genfs_can_sticky(vp, cred, duid, uid);
|
|
|
|
return 0;
|
|
}
|