1 /* $NetBSD: vfs_lookup.c,v 1.113 2009/02/11 00:19:11 enami Exp $ */ 2 3 /* 4 * Copyright (c) 1982, 1986, 1989, 1993 5 * The Regents of the University of California. All rights reserved. 6 * (c) UNIX System Laboratories, Inc. 7 * All or some portions of this file are derived from material licensed 8 * to the University of California by American Telephone and Telegraph 9 * Co. or Unix System Laboratories, Inc. and are reproduced herein with 10 * the permission of UNIX System Laboratories, Inc. 11 * 12 * Redistribution and use in source and binary forms, with or without 13 * modification, are permitted provided that the following conditions 14 * are met: 15 * 1. Redistributions of source code must retain the above copyright 16 * notice, this list of conditions and the following disclaimer. 17 * 2. Redistributions in binary form must reproduce the above copyright 18 * notice, this list of conditions and the following disclaimer in the 19 * documentation and/or other materials provided with the distribution. 20 * 3. Neither the name of the University nor the names of its contributors 21 * may be used to endorse or promote products derived from this software 22 * without specific prior written permission. 23 * 24 * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND 25 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 26 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 27 * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE 28 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 29 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 30 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 31 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 32 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 33 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 34 * SUCH DAMAGE. 35 * 36 * @(#)vfs_lookup.c 8.10 (Berkeley) 5/27/95 37 */ 38 39 #include <sys/cdefs.h> 40 __KERNEL_RCSID(0, "$NetBSD: vfs_lookup.c,v 1.113 2009/02/11 00:19:11 enami Exp $"); 41 42 #include "opt_magiclinks.h" 43 44 #include <sys/param.h> 45 #include <sys/systm.h> 46 #include <sys/kernel.h> 47 #include <sys/syslimits.h> 48 #include <sys/time.h> 49 #include <sys/namei.h> 50 #include <sys/vnode.h> 51 #include <sys/mount.h> 52 #include <sys/errno.h> 53 #include <sys/filedesc.h> 54 #include <sys/hash.h> 55 #include <sys/proc.h> 56 #include <sys/syslog.h> 57 #include <sys/kauth.h> 58 #include <sys/ktrace.h> 59 60 #ifndef MAGICLINKS 61 #define MAGICLINKS 0 62 #endif 63 64 struct pathname_internal { 65 char *pathbuf; 66 bool needfree; 67 }; 68 69 int vfs_magiclinks = MAGICLINKS; 70 71 pool_cache_t pnbuf_cache; /* pathname buffer cache */ 72 73 /* 74 * Substitute replacement text for 'magic' strings in symlinks. 75 * Returns 0 if successful, and returns non-zero if an error 76 * occurs. (Currently, the only possible error is running out 77 * of temporary pathname space.) 78 * 79 * Looks for "@<string>" and "@<string>/", where <string> is a 80 * recognized 'magic' string. Replaces the "@<string>" with the 81 * appropriate replacement text. (Note that in some cases the 82 * replacement text may have zero length.) 83 * 84 * This would have been table driven, but the variance in 85 * replacement strings (and replacement string lengths) made 86 * that impractical. 87 */ 88 #define VNL(x) \ 89 (sizeof(x) - 1) 90 91 #define VO '{' 92 #define VC '}' 93 94 #define MATCH(str) \ 95 ((termchar == '/' && i + VNL(str) == *len) || \ 96 (i + VNL(str) < *len && \ 97 cp[i + VNL(str)] == termchar)) && \ 98 !strncmp((str), &cp[i], VNL(str)) 99 100 #define SUBSTITUTE(m, s, sl) \ 101 if ((newlen + (sl)) > MAXPATHLEN) \ 102 return (1); \ 103 i += VNL(m); \ 104 if (termchar != '/') \ 105 i++; \ 106 memcpy(&tmp[newlen], (s), (sl)); \ 107 newlen += (sl); \ 108 change = 1; \ 109 termchar = '/'; 110 111 static int 112 symlink_magic(struct proc *p, char *cp, int *len) 113 { 114 char *tmp; 115 int change, i, newlen; 116 int termchar = '/'; 117 char uidtmp[11]; /* XXX elad */ 118 119 120 tmp = PNBUF_GET(); 121 for (change = i = newlen = 0; i < *len; ) { 122 if (cp[i] != '@') { 123 tmp[newlen++] = cp[i++]; 124 continue; 125 } 126 127 i++; 128 129 /* Check for @{var} syntax. */ 130 if (cp[i] == VO) { 131 termchar = VC; 132 i++; 133 } 134 135 /* 136 * The following checks should be ordered according 137 * to frequency of use. 138 */ 139 if (MATCH("machine_arch")) { 140 SUBSTITUTE("machine_arch", MACHINE_ARCH, 141 sizeof(MACHINE_ARCH) - 1); 142 } else if (MATCH("machine")) { 143 SUBSTITUTE("machine", MACHINE, 144 sizeof(MACHINE) - 1); 145 } else if (MATCH("hostname")) { 146 SUBSTITUTE("hostname", hostname, 147 hostnamelen); 148 } else if (MATCH("osrelease")) { 149 SUBSTITUTE("osrelease", osrelease, 150 strlen(osrelease)); 151 } else if (MATCH("emul")) { 152 SUBSTITUTE("emul", p->p_emul->e_name, 153 strlen(p->p_emul->e_name)); 154 } else if (MATCH("kernel_ident")) { 155 SUBSTITUTE("kernel_ident", kernel_ident, 156 strlen(kernel_ident)); 157 } else if (MATCH("domainname")) { 158 SUBSTITUTE("domainname", domainname, 159 domainnamelen); 160 } else if (MATCH("ostype")) { 161 SUBSTITUTE("ostype", ostype, 162 strlen(ostype)); 163 } else if (MATCH("uid")) { 164 (void)snprintf(uidtmp, sizeof(uidtmp), "%u", 165 kauth_cred_geteuid(kauth_cred_get())); 166 SUBSTITUTE("uid", uidtmp, strlen(uidtmp)); 167 } else if (MATCH("ruid")) { 168 (void)snprintf(uidtmp, sizeof(uidtmp), "%u", 169 kauth_cred_getuid(kauth_cred_get())); 170 SUBSTITUTE("ruid", uidtmp, strlen(uidtmp)); 171 } else { 172 tmp[newlen++] = '@'; 173 if (termchar == VC) 174 tmp[newlen++] = VO; 175 } 176 } 177 178 if (change) { 179 memcpy(cp, tmp, newlen); 180 *len = newlen; 181 } 182 PNBUF_PUT(tmp); 183 184 return (0); 185 } 186 187 #undef VNL 188 #undef VO 189 #undef VC 190 #undef MATCH 191 #undef SUBSTITUTE 192 193 /* 194 * Convert a pathname into a pointer to a locked vnode. 195 * 196 * The FOLLOW flag is set when symbolic links are to be followed 197 * when they occur at the end of the name translation process. 198 * Symbolic links are always followed for all other pathname 199 * components other than the last. 200 * 201 * The segflg defines whether the name is to be copied from user 202 * space or kernel space. 203 * 204 * Overall outline of namei: 205 * 206 * copy in name 207 * get starting directory 208 * while (!done && !error) { 209 * call lookup to search path. 210 * if symbolic link, massage name in buffer and continue 211 * } 212 */ 213 int 214 namei(struct nameidata *ndp) 215 { 216 struct cwdinfo *cwdi; /* pointer to cwd state */ 217 char *cp; /* pointer into pathname argument */ 218 struct vnode *dp; /* the directory we are searching */ 219 struct iovec aiov; /* uio for reading symbolic links */ 220 struct lwp *l = curlwp; /* thread doing namei() */ 221 struct uio auio; 222 int error, linklen; 223 struct componentname *cnp = &ndp->ni_cnd; 224 225 #ifdef DIAGNOSTIC 226 if (!cnp->cn_cred) 227 panic("namei: bad cred/proc"); 228 if (cnp->cn_nameiop & (~OPMASK)) 229 panic("namei: nameiop contaminated with flags"); 230 if (cnp->cn_flags & OPMASK) 231 panic("namei: flags contaminated with nameiops"); 232 #endif 233 234 /* 235 * Get a buffer for the name to be translated, and copy the 236 * name into the buffer. 237 */ 238 if ((cnp->cn_flags & HASBUF) == 0) 239 cnp->cn_pnbuf = PNBUF_GET(); 240 emul_retry: 241 if (ndp->ni_segflg == UIO_SYSSPACE) 242 error = copystr(ndp->ni_dirp, cnp->cn_pnbuf, 243 MAXPATHLEN, &ndp->ni_pathlen); 244 else 245 error = copyinstr(ndp->ni_dirp, cnp->cn_pnbuf, 246 MAXPATHLEN, &ndp->ni_pathlen); 247 248 /* 249 * POSIX.1 requirement: "" is not a valid file name. 250 */ 251 if (!error && ndp->ni_pathlen == 1) 252 error = ENOENT; 253 254 if (error) { 255 PNBUF_PUT(cnp->cn_pnbuf); 256 ndp->ni_vp = NULL; 257 return (error); 258 } 259 ndp->ni_loopcnt = 0; 260 261 /* 262 * Get root directory for the translation. 263 */ 264 cwdi = l->l_proc->p_cwdi; 265 rw_enter(&cwdi->cwdi_lock, RW_READER); 266 dp = cwdi->cwdi_rdir; 267 if (dp == NULL) 268 dp = rootvnode; 269 ndp->ni_rootdir = dp; 270 271 /* 272 * Check if starting from root directory or current directory. 273 */ 274 if (cnp->cn_pnbuf[0] == '/') { 275 if (cnp->cn_flags & TRYEMULROOT) { 276 if (cnp->cn_flags & EMULROOTSET) { 277 /* Called from (eg) emul_find_interp() */ 278 dp = ndp->ni_erootdir; 279 } else { 280 if (cwdi->cwdi_edir == NULL 281 || (cnp->cn_pnbuf[1] == '.' 282 && cnp->cn_pnbuf[2] == '.' 283 && cnp->cn_pnbuf[3] == '/')) { 284 ndp->ni_erootdir = NULL; 285 } else { 286 dp = cwdi->cwdi_edir; 287 ndp->ni_erootdir = dp; 288 } 289 } 290 } else { 291 ndp->ni_erootdir = NULL; 292 if (cnp->cn_flags & NOCHROOT) 293 dp = ndp->ni_rootdir = rootvnode; 294 } 295 } else { 296 dp = cwdi->cwdi_cdir; 297 ndp->ni_erootdir = NULL; 298 } 299 VREF(dp); 300 rw_exit(&cwdi->cwdi_lock); 301 302 if (ktrpoint(KTR_NAMEI)) { 303 if (ndp->ni_erootdir != NULL) { 304 /* 305 * To make any sense, the trace entry need to have the 306 * text of the emulation path prepended. 307 * Usually we can get this from the current process, 308 * but when called from emul_find_interp() it is only 309 * in the exec_package - so we get it passed in ni_next 310 * (this is a hack). 311 */ 312 const char *emul_path; 313 if (cnp->cn_flags & EMULROOTSET) 314 emul_path = ndp->ni_next; 315 else 316 emul_path = l->l_proc->p_emul->e_path; 317 ktrnamei2(emul_path, strlen(emul_path), 318 cnp->cn_pnbuf, ndp->ni_pathlen); 319 } else 320 ktrnamei(cnp->cn_pnbuf, ndp->ni_pathlen); 321 } 322 323 vn_lock(dp, LK_EXCLUSIVE | LK_RETRY); 324 /* Loop through symbolic links */ 325 for (;;) { 326 if (!dp->v_mount) { 327 /* Give up if the directory is no longer mounted */ 328 vput(dp); 329 PNBUF_PUT(cnp->cn_pnbuf); 330 return (ENOENT); 331 } 332 cnp->cn_nameptr = cnp->cn_pnbuf; 333 ndp->ni_startdir = dp; 334 error = lookup(ndp); 335 if (error != 0) { 336 if (ndp->ni_dvp) { 337 vput(ndp->ni_dvp); 338 } 339 if (ndp->ni_erootdir != NULL) { 340 /* Retry the whole thing from the normal root */ 341 cnp->cn_flags &= ~TRYEMULROOT; 342 goto emul_retry; 343 } 344 PNBUF_PUT(cnp->cn_pnbuf); 345 return (error); 346 } 347 348 /* 349 * Check for symbolic link 350 */ 351 if ((cnp->cn_flags & ISSYMLINK) == 0) { 352 if ((cnp->cn_flags & LOCKPARENT) == 0 && ndp->ni_dvp) { 353 if (ndp->ni_dvp == ndp->ni_vp) { 354 vrele(ndp->ni_dvp); 355 } else { 356 vput(ndp->ni_dvp); 357 } 358 } 359 if ((cnp->cn_flags & (SAVENAME | SAVESTART)) == 0) 360 PNBUF_PUT(cnp->cn_pnbuf); 361 else 362 cnp->cn_flags |= HASBUF; 363 return (0); 364 } 365 366 if (ndp->ni_loopcnt++ >= MAXSYMLINKS) { 367 error = ELOOP; 368 break; 369 } 370 if (ndp->ni_vp->v_mount->mnt_flag & MNT_SYMPERM) { 371 error = VOP_ACCESS(ndp->ni_vp, VEXEC, cnp->cn_cred); 372 if (error != 0) 373 break; 374 } 375 if (ndp->ni_pathlen > 1) 376 cp = PNBUF_GET(); 377 else 378 cp = cnp->cn_pnbuf; 379 aiov.iov_base = cp; 380 aiov.iov_len = MAXPATHLEN; 381 auio.uio_iov = &aiov; 382 auio.uio_iovcnt = 1; 383 auio.uio_offset = 0; 384 auio.uio_rw = UIO_READ; 385 auio.uio_resid = MAXPATHLEN; 386 UIO_SETUP_SYSSPACE(&auio); 387 error = VOP_READLINK(ndp->ni_vp, &auio, cnp->cn_cred); 388 if (error) { 389 badlink: 390 if (ndp->ni_pathlen > 1) 391 PNBUF_PUT(cp); 392 break; 393 } 394 linklen = MAXPATHLEN - auio.uio_resid; 395 if (linklen == 0) { 396 error = ENOENT; 397 goto badlink; 398 } 399 400 /* 401 * Do symlink substitution, if appropriate, and 402 * check length for potential overflow. 403 */ 404 if ((vfs_magiclinks && 405 symlink_magic(l->l_proc, cp, &linklen)) || 406 (linklen + ndp->ni_pathlen >= MAXPATHLEN)) { 407 error = ENAMETOOLONG; 408 goto badlink; 409 } 410 if (ndp->ni_pathlen > 1) { 411 memcpy(cp + linklen, ndp->ni_next, ndp->ni_pathlen); 412 PNBUF_PUT(cnp->cn_pnbuf); 413 cnp->cn_pnbuf = cp; 414 } else 415 cnp->cn_pnbuf[linklen] = '\0'; 416 ndp->ni_pathlen += linklen; 417 vput(ndp->ni_vp); 418 dp = ndp->ni_dvp; 419 420 /* 421 * Check if root directory should replace current directory. 422 */ 423 if (cnp->cn_pnbuf[0] == '/') { 424 vput(dp); 425 /* Keep absolute symbolic links inside emulation root */ 426 dp = ndp->ni_erootdir; 427 if (dp == NULL || (cnp->cn_pnbuf[1] == '.' 428 && cnp->cn_pnbuf[2] == '.' 429 && cnp->cn_pnbuf[3] == '/')) { 430 ndp->ni_erootdir = NULL; 431 dp = ndp->ni_rootdir; 432 } 433 VREF(dp); 434 vn_lock(dp, LK_EXCLUSIVE | LK_RETRY); 435 } 436 } 437 /* Failed to process a symbolic link */ 438 KASSERT(ndp->ni_dvp != ndp->ni_vp); 439 vput(ndp->ni_dvp); 440 vput(ndp->ni_vp); 441 ndp->ni_vp = NULL; 442 PNBUF_PUT(cnp->cn_pnbuf); 443 return (error); 444 } 445 446 /* 447 * Determine the namei hash (for cn_hash) for name. 448 * If *ep != NULL, hash from name to ep-1. 449 * If *ep == NULL, hash from name until the first NUL or '/', and 450 * return the location of this termination character in *ep. 451 * 452 * This function returns an equivalent hash to the MI hash32_strn(). 453 * The latter isn't used because in the *ep == NULL case, determining 454 * the length of the string to the first NUL or `/' and then calling 455 * hash32_strn() involves unnecessary double-handling of the data. 456 */ 457 uint32_t 458 namei_hash(const char *name, const char **ep) 459 { 460 uint32_t hash; 461 462 hash = HASH32_STR_INIT; 463 if (*ep != NULL) { 464 for (; name < *ep; name++) 465 hash = hash * 33 + *(const uint8_t *)name; 466 } else { 467 for (; *name != '\0' && *name != '/'; name++) 468 hash = hash * 33 + *(const uint8_t *)name; 469 *ep = name; 470 } 471 return (hash + (hash >> 5)); 472 } 473 474 /* 475 * Search a pathname. 476 * This is a very central and rather complicated routine. 477 * 478 * The pathname is pointed to by ni_ptr and is of length ni_pathlen. 479 * The starting directory is taken from ni_startdir. The pathname is 480 * descended until done, or a symbolic link is encountered. The variable 481 * ni_more is clear if the path is completed; it is set to one if a 482 * symbolic link needing interpretation is encountered. 483 * 484 * The flag argument is LOOKUP, CREATE, RENAME, or DELETE depending on 485 * whether the name is to be looked up, created, renamed, or deleted. 486 * When CREATE, RENAME, or DELETE is specified, information usable in 487 * creating, renaming, or deleting a directory entry may be calculated. 488 * If flag has LOCKPARENT or'ed into it, the parent directory is returned 489 * locked. Otherwise the parent directory is not returned. If the target 490 * of the pathname exists and LOCKLEAF is or'ed into the flag the target 491 * is returned locked, otherwise it is returned unlocked. When creating 492 * or renaming and LOCKPARENT is specified, the target may not be ".". 493 * When deleting and LOCKPARENT is specified, the target may be ".". 494 * 495 * Overall outline of lookup: 496 * 497 * dirloop: 498 * identify next component of name at ndp->ni_ptr 499 * handle degenerate case where name is null string 500 * if .. and crossing mount points and on mounted filesys, find parent 501 * call VOP_LOOKUP routine for next component name 502 * directory vnode returned in ni_dvp, locked. 503 * component vnode returned in ni_vp (if it exists), locked. 504 * if result vnode is mounted on and crossing mount points, 505 * find mounted on vnode 506 * if more components of name, do next level at dirloop 507 * return the answer in ni_vp, locked if LOCKLEAF set 508 * if LOCKPARENT set, return locked parent in ni_dvp 509 */ 510 int 511 lookup(struct nameidata *ndp) 512 { 513 const char *cp; /* pointer into pathname argument */ 514 struct vnode *dp = 0; /* the directory we are searching */ 515 struct vnode *tdp; /* saved dp */ 516 struct mount *mp; /* mount table entry */ 517 int docache; /* == 0 do not cache last component */ 518 int rdonly; /* lookup read-only flag bit */ 519 int error = 0; 520 int slashes; 521 struct componentname *cnp = &ndp->ni_cnd; 522 struct lwp *l = curlwp; 523 524 /* 525 * Setup: break out flag bits into variables. 526 */ 527 docache = (cnp->cn_flags & NOCACHE) ^ NOCACHE; 528 if (cnp->cn_nameiop == DELETE) 529 docache = 0; 530 rdonly = cnp->cn_flags & RDONLY; 531 ndp->ni_dvp = NULL; 532 cnp->cn_flags &= ~ISSYMLINK; 533 dp = ndp->ni_startdir; 534 ndp->ni_startdir = NULLVP; 535 536 /* 537 * If we have a leading string of slashes, remove them, and just make 538 * sure the current node is a directory. 539 */ 540 cp = cnp->cn_nameptr; 541 if (*cp == '/') { 542 do { 543 cp++; 544 } while (*cp == '/'); 545 ndp->ni_pathlen -= cp - cnp->cn_nameptr; 546 cnp->cn_nameptr = cp; 547 548 if (dp->v_type != VDIR) { 549 error = ENOTDIR; 550 vput(dp); 551 goto bad; 552 } 553 554 /* 555 * If we've exhausted the path name, then just return the 556 * current node. 557 */ 558 if (cnp->cn_nameptr[0] == '\0') { 559 ndp->ni_vp = dp; 560 cnp->cn_flags |= ISLASTCN; 561 goto terminal; 562 } 563 } 564 565 dirloop: 566 /* 567 * Search a new directory. 568 * 569 * The cn_hash value is for use by vfs_cache. 570 * The last component of the filename is left accessible via 571 * cnp->cn_nameptr for callers that need the name. Callers needing 572 * the name set the SAVENAME flag. When done, they assume 573 * responsibility for freeing the pathname buffer. 574 * 575 * At this point, our only vnode state is that "dp" is held and locked. 576 */ 577 cnp->cn_consume = 0; 578 cp = NULL; 579 cnp->cn_hash = namei_hash(cnp->cn_nameptr, &cp); 580 cnp->cn_namelen = cp - cnp->cn_nameptr; 581 if (cnp->cn_namelen > NAME_MAX) { 582 vput(dp); 583 error = ENAMETOOLONG; 584 ndp->ni_dvp = NULL; 585 goto bad; 586 } 587 #ifdef NAMEI_DIAGNOSTIC 588 { char c = *cp; 589 *(char *)cp = '\0'; 590 printf("{%s}: ", cnp->cn_nameptr); 591 *(char *)cp = c; } 592 #endif /* NAMEI_DIAGNOSTIC */ 593 ndp->ni_pathlen -= cnp->cn_namelen; 594 ndp->ni_next = cp; 595 /* 596 * If this component is followed by a slash, then move the pointer to 597 * the next component forward, and remember that this component must be 598 * a directory. 599 */ 600 if (*cp == '/') { 601 do { 602 cp++; 603 } while (*cp == '/'); 604 slashes = cp - ndp->ni_next; 605 ndp->ni_pathlen -= slashes; 606 ndp->ni_next = cp; 607 cnp->cn_flags |= REQUIREDIR; 608 } else { 609 slashes = 0; 610 cnp->cn_flags &= ~REQUIREDIR; 611 } 612 /* 613 * We do special processing on the last component, whether or not it's 614 * a directory. Cache all intervening lookups, but not the final one. 615 */ 616 if (*cp == '\0') { 617 if (docache) 618 cnp->cn_flags |= MAKEENTRY; 619 else 620 cnp->cn_flags &= ~MAKEENTRY; 621 cnp->cn_flags |= ISLASTCN; 622 } else { 623 cnp->cn_flags |= MAKEENTRY; 624 cnp->cn_flags &= ~ISLASTCN; 625 } 626 if (cnp->cn_namelen == 2 && 627 cnp->cn_nameptr[1] == '.' && cnp->cn_nameptr[0] == '.') 628 cnp->cn_flags |= ISDOTDOT; 629 else 630 cnp->cn_flags &= ~ISDOTDOT; 631 632 /* 633 * Handle "..": two special cases. 634 * 1. If at root directory (e.g. after chroot) 635 * or at absolute root directory 636 * then ignore it so can't get out. 637 * 1a. If at the root of the emulation filesystem go to the real 638 * root. So "/../<path>" is always absolute. 639 * 1b. If we have somehow gotten out of a jail, warn 640 * and also ignore it so we can't get farther out. 641 * 2. If this vnode is the root of a mounted 642 * filesystem, then replace it with the 643 * vnode which was mounted on so we take the 644 * .. in the other file system. 645 */ 646 if (cnp->cn_flags & ISDOTDOT) { 647 struct proc *p = l->l_proc; 648 649 for (;;) { 650 if (dp == ndp->ni_rootdir || dp == rootvnode) { 651 ndp->ni_dvp = dp; 652 ndp->ni_vp = dp; 653 VREF(dp); 654 goto nextname; 655 } 656 if (ndp->ni_rootdir != rootvnode) { 657 int retval; 658 659 VOP_UNLOCK(dp, 0); 660 retval = vn_isunder(dp, ndp->ni_rootdir, l); 661 vn_lock(dp, LK_EXCLUSIVE | LK_RETRY); 662 if (!retval) { 663 /* Oops! We got out of jail! */ 664 log(LOG_WARNING, 665 "chrooted pid %d uid %d (%s) " 666 "detected outside of its chroot\n", 667 p->p_pid, kauth_cred_geteuid(l->l_cred), 668 p->p_comm); 669 /* Put us at the jail root. */ 670 vput(dp); 671 dp = ndp->ni_rootdir; 672 ndp->ni_dvp = dp; 673 ndp->ni_vp = dp; 674 VREF(dp); 675 VREF(dp); 676 vn_lock(dp, LK_EXCLUSIVE | LK_RETRY); 677 goto nextname; 678 } 679 } 680 if ((dp->v_vflag & VV_ROOT) == 0 || 681 (cnp->cn_flags & NOCROSSMOUNT)) 682 break; 683 tdp = dp; 684 dp = dp->v_mount->mnt_vnodecovered; 685 vput(tdp); 686 VREF(dp); 687 vn_lock(dp, LK_EXCLUSIVE | LK_RETRY); 688 } 689 } 690 691 /* 692 * We now have a segment name to search for, and a directory to search. 693 * Again, our only vnode state is that "dp" is held and locked. 694 */ 695 unionlookup: 696 ndp->ni_dvp = dp; 697 ndp->ni_vp = NULL; 698 error = VOP_LOOKUP(dp, &ndp->ni_vp, cnp); 699 if (error != 0) { 700 #ifdef DIAGNOSTIC 701 if (ndp->ni_vp != NULL) 702 panic("leaf `%s' should be empty", cnp->cn_nameptr); 703 #endif /* DIAGNOSTIC */ 704 #ifdef NAMEI_DIAGNOSTIC 705 printf("not found\n"); 706 #endif /* NAMEI_DIAGNOSTIC */ 707 if ((error == ENOENT) && 708 (dp->v_vflag & VV_ROOT) && 709 (dp->v_mount->mnt_flag & MNT_UNION)) { 710 tdp = dp; 711 dp = dp->v_mount->mnt_vnodecovered; 712 vput(tdp); 713 VREF(dp); 714 vn_lock(dp, LK_EXCLUSIVE | LK_RETRY); 715 goto unionlookup; 716 } 717 718 if (error != EJUSTRETURN) 719 goto bad; 720 721 /* 722 * If this was not the last component, or there were trailing 723 * slashes, and we are not going to create a directory, 724 * then the name must exist. 725 */ 726 if ((cnp->cn_flags & (REQUIREDIR | CREATEDIR)) == REQUIREDIR) { 727 error = ENOENT; 728 goto bad; 729 } 730 731 /* 732 * If creating and at end of pathname, then can consider 733 * allowing file to be created. 734 */ 735 if (rdonly) { 736 error = EROFS; 737 goto bad; 738 } 739 740 /* 741 * We return with ni_vp NULL to indicate that the entry 742 * doesn't currently exist, leaving a pointer to the 743 * (possibly locked) directory vnode in ndp->ni_dvp. 744 */ 745 if (cnp->cn_flags & SAVESTART) { 746 ndp->ni_startdir = ndp->ni_dvp; 747 VREF(ndp->ni_startdir); 748 } 749 return (0); 750 } 751 #ifdef NAMEI_DIAGNOSTIC 752 printf("found\n"); 753 #endif /* NAMEI_DIAGNOSTIC */ 754 755 /* 756 * Take into account any additional components consumed by the 757 * underlying filesystem. This will include any trailing slashes after 758 * the last component consumed. 759 */ 760 if (cnp->cn_consume > 0) { 761 ndp->ni_pathlen -= cnp->cn_consume - slashes; 762 ndp->ni_next += cnp->cn_consume - slashes; 763 cnp->cn_consume = 0; 764 if (ndp->ni_next[0] == '\0') 765 cnp->cn_flags |= ISLASTCN; 766 } 767 768 dp = ndp->ni_vp; 769 770 /* 771 * "dp" and "ndp->ni_dvp" are both locked and held, 772 * and may be the same vnode. 773 */ 774 775 /* 776 * Check to see if the vnode has been mounted on; 777 * if so find the root of the mounted file system. 778 */ 779 while (dp->v_type == VDIR && (mp = dp->v_mountedhere) && 780 (cnp->cn_flags & NOCROSSMOUNT) == 0) { 781 error = vfs_busy(mp, NULL); 782 if (error != 0) { 783 vput(dp); 784 goto bad; 785 } 786 KASSERT(ndp->ni_dvp != dp); 787 VOP_UNLOCK(ndp->ni_dvp, 0); 788 vput(dp); 789 error = VFS_ROOT(mp, &tdp); 790 vfs_unbusy(mp, false, NULL); 791 if (error) { 792 vn_lock(ndp->ni_dvp, LK_EXCLUSIVE | LK_RETRY); 793 goto bad; 794 } 795 VOP_UNLOCK(tdp, 0); 796 ndp->ni_vp = dp = tdp; 797 vn_lock(ndp->ni_dvp, LK_EXCLUSIVE | LK_RETRY); 798 vn_lock(ndp->ni_vp, LK_EXCLUSIVE | LK_RETRY); 799 } 800 801 /* 802 * Check for symbolic link. Back up over any slashes that we skipped, 803 * as we will need them again. 804 */ 805 if ((dp->v_type == VLNK) && (cnp->cn_flags & (FOLLOW|REQUIREDIR))) { 806 ndp->ni_pathlen += slashes; 807 ndp->ni_next -= slashes; 808 cnp->cn_flags |= ISSYMLINK; 809 return (0); 810 } 811 812 /* 813 * Check for directory, if the component was followed by a series of 814 * slashes. 815 */ 816 if ((dp->v_type != VDIR) && (cnp->cn_flags & REQUIREDIR)) { 817 error = ENOTDIR; 818 KASSERT(dp != ndp->ni_dvp); 819 vput(dp); 820 goto bad; 821 } 822 823 nextname: 824 825 /* 826 * Not a symbolic link. If this was not the last component, then 827 * continue at the next component, else return. 828 */ 829 if (!(cnp->cn_flags & ISLASTCN)) { 830 cnp->cn_nameptr = ndp->ni_next; 831 if (ndp->ni_dvp == dp) { 832 vrele(ndp->ni_dvp); 833 } else { 834 vput(ndp->ni_dvp); 835 } 836 goto dirloop; 837 } 838 839 terminal: 840 if (dp == ndp->ni_erootdir) { 841 /* 842 * We are about to return the emulation root. 843 * This isn't a good idea because code might repeatedly 844 * lookup ".." until the file matches that returned 845 * for "/" and loop forever. 846 * So convert it to the real root. 847 */ 848 if (ndp->ni_dvp == dp) 849 vrele(dp); 850 else 851 if (ndp->ni_dvp != NULL) 852 vput(ndp->ni_dvp); 853 ndp->ni_dvp = NULL; 854 vput(dp); 855 dp = ndp->ni_rootdir; 856 VREF(dp); 857 vn_lock(dp, LK_EXCLUSIVE | LK_RETRY); 858 ndp->ni_vp = dp; 859 } 860 861 /* 862 * If the caller requested the parent node (i.e. 863 * it's a CREATE, DELETE, or RENAME), and we don't have one 864 * (because this is the root directory), then we must fail. 865 */ 866 if (ndp->ni_dvp == NULL && cnp->cn_nameiop != LOOKUP) { 867 switch (cnp->cn_nameiop) { 868 case CREATE: 869 error = EEXIST; 870 break; 871 case DELETE: 872 case RENAME: 873 error = EBUSY; 874 break; 875 default: 876 KASSERT(0); 877 } 878 vput(dp); 879 goto bad; 880 } 881 882 /* 883 * Disallow directory write attempts on read-only lookups. 884 * Prefers EEXIST over EROFS for the CREATE case. 885 */ 886 if (rdonly && 887 (cnp->cn_nameiop == DELETE || cnp->cn_nameiop == RENAME)) { 888 error = EROFS; 889 if (dp != ndp->ni_dvp) { 890 vput(dp); 891 } 892 goto bad; 893 } 894 if (ndp->ni_dvp != NULL) { 895 if (cnp->cn_flags & SAVESTART) { 896 ndp->ni_startdir = ndp->ni_dvp; 897 VREF(ndp->ni_startdir); 898 } 899 } 900 if ((cnp->cn_flags & LOCKLEAF) == 0) { 901 VOP_UNLOCK(dp, 0); 902 } 903 return (0); 904 905 bad: 906 ndp->ni_vp = NULL; 907 return (error); 908 } 909 910 /* 911 * Reacquire a path name component. 912 * dvp is locked on entry and exit. 913 * *vpp is locked on exit unless it's NULL. 914 */ 915 int 916 relookup(struct vnode *dvp, struct vnode **vpp, struct componentname *cnp) 917 { 918 int rdonly; /* lookup read-only flag bit */ 919 int error = 0; 920 #ifdef DEBUG 921 uint32_t newhash; /* DEBUG: check name hash */ 922 const char *cp; /* DEBUG: check name ptr/len */ 923 #endif /* DEBUG */ 924 925 /* 926 * Setup: break out flag bits into variables. 927 */ 928 rdonly = cnp->cn_flags & RDONLY; 929 cnp->cn_flags &= ~ISSYMLINK; 930 931 /* 932 * Search a new directory. 933 * 934 * The cn_hash value is for use by vfs_cache. 935 * The last component of the filename is left accessible via 936 * cnp->cn_nameptr for callers that need the name. Callers needing 937 * the name set the SAVENAME flag. When done, they assume 938 * responsibility for freeing the pathname buffer. 939 */ 940 #ifdef DEBUG 941 cp = NULL; 942 newhash = namei_hash(cnp->cn_nameptr, &cp); 943 if ((uint32_t)newhash != (uint32_t)cnp->cn_hash) 944 panic("relookup: bad hash"); 945 if (cnp->cn_namelen != cp - cnp->cn_nameptr) 946 panic("relookup: bad len"); 947 while (*cp == '/') 948 cp++; 949 if (*cp != 0) 950 panic("relookup: not last component"); 951 #endif /* DEBUG */ 952 953 /* 954 * Check for degenerate name (e.g. / or "") 955 * which is a way of talking about a directory, 956 * e.g. like "/." or ".". 957 */ 958 if (cnp->cn_nameptr[0] == '\0') 959 panic("relookup: null name"); 960 961 if (cnp->cn_flags & ISDOTDOT) 962 panic("relookup: lookup on dot-dot"); 963 964 /* 965 * We now have a segment name to search for, and a directory to search. 966 */ 967 if ((error = VOP_LOOKUP(dvp, vpp, cnp)) != 0) { 968 #ifdef DIAGNOSTIC 969 if (*vpp != NULL) 970 panic("leaf `%s' should be empty", cnp->cn_nameptr); 971 #endif 972 if (error != EJUSTRETURN) 973 goto bad; 974 } 975 976 #ifdef DIAGNOSTIC 977 /* 978 * Check for symbolic link 979 */ 980 if (*vpp && (*vpp)->v_type == VLNK && (cnp->cn_flags & FOLLOW)) 981 panic("relookup: symlink found"); 982 #endif 983 984 /* 985 * Check for read-only lookups. 986 */ 987 if (rdonly && cnp->cn_nameiop != LOOKUP) { 988 error = EROFS; 989 if (*vpp) { 990 vput(*vpp); 991 } 992 goto bad; 993 } 994 if (cnp->cn_flags & SAVESTART) 995 VREF(dvp); 996 return (0); 997 998 bad: 999 *vpp = NULL; 1000 return (error); 1001 } 1002