1 /* $NetBSD: vfs_lookup.c,v 1.111 2008/11/14 21:57:14 ad Exp $ */ 2 3 /* 4 * Copyright (c) 1982, 1986, 1989, 1993 5 * The Regents of the University of California. All rights reserved. 6 * (c) UNIX System Laboratories, Inc. 7 * All or some portions of this file are derived from material licensed 8 * to the University of California by American Telephone and Telegraph 9 * Co. or Unix System Laboratories, Inc. and are reproduced herein with 10 * the permission of UNIX System Laboratories, Inc. 11 * 12 * Redistribution and use in source and binary forms, with or without 13 * modification, are permitted provided that the following conditions 14 * are met: 15 * 1. Redistributions of source code must retain the above copyright 16 * notice, this list of conditions and the following disclaimer. 17 * 2. Redistributions in binary form must reproduce the above copyright 18 * notice, this list of conditions and the following disclaimer in the 19 * documentation and/or other materials provided with the distribution. 20 * 3. Neither the name of the University nor the names of its contributors 21 * may be used to endorse or promote products derived from this software 22 * without specific prior written permission. 23 * 24 * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND 25 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 26 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 27 * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE 28 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 29 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 30 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 31 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 32 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 33 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 34 * SUCH DAMAGE. 35 * 36 * @(#)vfs_lookup.c 8.10 (Berkeley) 5/27/95 37 */ 38 39 #include <sys/cdefs.h> 40 __KERNEL_RCSID(0, "$NetBSD: vfs_lookup.c,v 1.111 2008/11/14 21:57:14 ad Exp $"); 41 42 #include "opt_magiclinks.h" 43 44 #include <sys/param.h> 45 #include <sys/systm.h> 46 #include <sys/kernel.h> 47 #include <sys/syslimits.h> 48 #include <sys/time.h> 49 #include <sys/namei.h> 50 #include <sys/vnode.h> 51 #include <sys/mount.h> 52 #include <sys/errno.h> 53 #include <sys/filedesc.h> 54 #include <sys/hash.h> 55 #include <sys/malloc.h> 56 #include <sys/proc.h> 57 #include <sys/syslog.h> 58 #include <sys/kauth.h> 59 #include <sys/ktrace.h> 60 61 #ifndef MAGICLINKS 62 #define MAGICLINKS 0 63 #endif 64 65 struct pathname_internal { 66 char *pathbuf; 67 bool needfree; 68 }; 69 70 int vfs_magiclinks = MAGICLINKS; 71 72 pool_cache_t pnbuf_cache; /* pathname buffer cache */ 73 74 /* 75 * Substitute replacement text for 'magic' strings in symlinks. 76 * Returns 0 if successful, and returns non-zero if an error 77 * occurs. (Currently, the only possible error is running out 78 * of temporary pathname space.) 79 * 80 * Looks for "@<string>" and "@<string>/", where <string> is a 81 * recognized 'magic' string. Replaces the "@<string>" with the 82 * appropriate replacement text. (Note that in some cases the 83 * replacement text may have zero length.) 84 * 85 * This would have been table driven, but the variance in 86 * replacement strings (and replacement string lengths) made 87 * that impractical. 88 */ 89 #define VNL(x) \ 90 (sizeof(x) - 1) 91 92 #define VO '{' 93 #define VC '}' 94 95 #define MATCH(str) \ 96 ((termchar == '/' && i + VNL(str) == *len) || \ 97 (i + VNL(str) < *len && \ 98 cp[i + VNL(str)] == termchar)) && \ 99 !strncmp((str), &cp[i], VNL(str)) 100 101 #define SUBSTITUTE(m, s, sl) \ 102 if ((newlen + (sl)) > MAXPATHLEN) \ 103 return (1); \ 104 i += VNL(m); \ 105 if (termchar != '/') \ 106 i++; \ 107 memcpy(&tmp[newlen], (s), (sl)); \ 108 newlen += (sl); \ 109 change = 1; \ 110 termchar = '/'; 111 112 static int 113 symlink_magic(struct proc *p, char *cp, int *len) 114 { 115 char *tmp; 116 int change, i, newlen; 117 int termchar = '/'; 118 char uidtmp[11]; /* XXX elad */ 119 120 121 tmp = PNBUF_GET(); 122 for (change = i = newlen = 0; i < *len; ) { 123 if (cp[i] != '@') { 124 tmp[newlen++] = cp[i++]; 125 continue; 126 } 127 128 i++; 129 130 /* Check for @{var} syntax. */ 131 if (cp[i] == VO) { 132 termchar = VC; 133 i++; 134 } 135 136 /* 137 * The following checks should be ordered according 138 * to frequency of use. 139 */ 140 if (MATCH("machine_arch")) { 141 SUBSTITUTE("machine_arch", MACHINE_ARCH, 142 sizeof(MACHINE_ARCH) - 1); 143 } else if (MATCH("machine")) { 144 SUBSTITUTE("machine", MACHINE, 145 sizeof(MACHINE) - 1); 146 } else if (MATCH("hostname")) { 147 SUBSTITUTE("hostname", hostname, 148 hostnamelen); 149 } else if (MATCH("osrelease")) { 150 SUBSTITUTE("osrelease", osrelease, 151 strlen(osrelease)); 152 } else if (MATCH("emul")) { 153 SUBSTITUTE("emul", p->p_emul->e_name, 154 strlen(p->p_emul->e_name)); 155 } else if (MATCH("kernel_ident")) { 156 SUBSTITUTE("kernel_ident", kernel_ident, 157 strlen(kernel_ident)); 158 } else if (MATCH("domainname")) { 159 SUBSTITUTE("domainname", domainname, 160 domainnamelen); 161 } else if (MATCH("ostype")) { 162 SUBSTITUTE("ostype", ostype, 163 strlen(ostype)); 164 } else if (MATCH("uid")) { 165 (void)snprintf(uidtmp, sizeof(uidtmp), "%u", 166 kauth_cred_geteuid(kauth_cred_get())); 167 SUBSTITUTE("uid", uidtmp, strlen(uidtmp)); 168 } else if (MATCH("ruid")) { 169 (void)snprintf(uidtmp, sizeof(uidtmp), "%u", 170 kauth_cred_getuid(kauth_cred_get())); 171 SUBSTITUTE("ruid", uidtmp, strlen(uidtmp)); 172 } else { 173 tmp[newlen++] = '@'; 174 if (termchar == VC) 175 tmp[newlen++] = VO; 176 } 177 } 178 179 if (change) { 180 memcpy(cp, tmp, newlen); 181 *len = newlen; 182 } 183 PNBUF_PUT(tmp); 184 185 return (0); 186 } 187 188 #undef VNL 189 #undef VO 190 #undef VC 191 #undef MATCH 192 #undef SUBSTITUTE 193 194 /* 195 * Convert a pathname into a pointer to a locked vnode. 196 * 197 * The FOLLOW flag is set when symbolic links are to be followed 198 * when they occur at the end of the name translation process. 199 * Symbolic links are always followed for all other pathname 200 * components other than the last. 201 * 202 * The segflg defines whether the name is to be copied from user 203 * space or kernel space. 204 * 205 * Overall outline of namei: 206 * 207 * copy in name 208 * get starting directory 209 * while (!done && !error) { 210 * call lookup to search path. 211 * if symbolic link, massage name in buffer and continue 212 * } 213 */ 214 int 215 namei(struct nameidata *ndp) 216 { 217 struct cwdinfo *cwdi; /* pointer to cwd state */ 218 char *cp; /* pointer into pathname argument */ 219 struct vnode *dp; /* the directory we are searching */ 220 struct iovec aiov; /* uio for reading symbolic links */ 221 struct lwp *l = curlwp; /* thread doing namei() */ 222 struct uio auio; 223 int error, linklen; 224 struct componentname *cnp = &ndp->ni_cnd; 225 226 #ifdef DIAGNOSTIC 227 if (!cnp->cn_cred) 228 panic("namei: bad cred/proc"); 229 if (cnp->cn_nameiop & (~OPMASK)) 230 panic("namei: nameiop contaminated with flags"); 231 if (cnp->cn_flags & OPMASK) 232 panic("namei: flags contaminated with nameiops"); 233 #endif 234 235 /* 236 * Get a buffer for the name to be translated, and copy the 237 * name into the buffer. 238 */ 239 if ((cnp->cn_flags & HASBUF) == 0) 240 cnp->cn_pnbuf = PNBUF_GET(); 241 emul_retry: 242 if (ndp->ni_segflg == UIO_SYSSPACE) 243 error = copystr(ndp->ni_dirp, cnp->cn_pnbuf, 244 MAXPATHLEN, &ndp->ni_pathlen); 245 else 246 error = copyinstr(ndp->ni_dirp, cnp->cn_pnbuf, 247 MAXPATHLEN, &ndp->ni_pathlen); 248 249 /* 250 * POSIX.1 requirement: "" is not a valid file name. 251 */ 252 if (!error && ndp->ni_pathlen == 1) 253 error = ENOENT; 254 255 if (error) { 256 PNBUF_PUT(cnp->cn_pnbuf); 257 ndp->ni_vp = NULL; 258 return (error); 259 } 260 ndp->ni_loopcnt = 0; 261 262 /* 263 * Get root directory for the translation. 264 */ 265 cwdi = l->l_proc->p_cwdi; 266 rw_enter(&cwdi->cwdi_lock, RW_READER); 267 dp = cwdi->cwdi_rdir; 268 if (dp == NULL) 269 dp = rootvnode; 270 ndp->ni_rootdir = dp; 271 272 /* 273 * Check if starting from root directory or current directory. 274 */ 275 if (cnp->cn_pnbuf[0] == '/') { 276 if (cnp->cn_flags & TRYEMULROOT) { 277 if (cnp->cn_flags & EMULROOTSET) { 278 /* Called from (eg) emul_find_interp() */ 279 dp = ndp->ni_erootdir; 280 } else { 281 if (cwdi->cwdi_edir == NULL 282 || (cnp->cn_pnbuf[1] == '.' 283 && cnp->cn_pnbuf[2] == '.' 284 && cnp->cn_pnbuf[3] == '/')) { 285 ndp->ni_erootdir = NULL; 286 } else { 287 dp = cwdi->cwdi_edir; 288 ndp->ni_erootdir = dp; 289 } 290 } 291 } else if (cnp->cn_flags & NOCHROOT) { 292 ndp->ni_rootdir = rootvnode; 293 } else { 294 ndp->ni_erootdir = NULL; 295 } 296 } else { 297 dp = cwdi->cwdi_cdir; 298 ndp->ni_erootdir = NULL; 299 } 300 VREF(dp); 301 rw_exit(&cwdi->cwdi_lock); 302 303 if (ktrpoint(KTR_NAMEI)) { 304 if (ndp->ni_erootdir != NULL) { 305 /* 306 * To make any sense, the trace entry need to have the 307 * text of the emulation path prepended. 308 * Usually we can get this from the current process, 309 * but when called from emul_find_interp() it is only 310 * in the exec_package - so we get it passed in ni_next 311 * (this is a hack). 312 */ 313 const char *emul_path; 314 if (cnp->cn_flags & EMULROOTSET) 315 emul_path = ndp->ni_next; 316 else 317 emul_path = l->l_proc->p_emul->e_path; 318 ktrnamei2(emul_path, strlen(emul_path), 319 cnp->cn_pnbuf, ndp->ni_pathlen); 320 } else 321 ktrnamei(cnp->cn_pnbuf, ndp->ni_pathlen); 322 } 323 324 vn_lock(dp, LK_EXCLUSIVE | LK_RETRY); 325 /* Loop through symbolic links */ 326 for (;;) { 327 if (!dp->v_mount) { 328 /* Give up if the directory is no longer mounted */ 329 vput(dp); 330 PNBUF_PUT(cnp->cn_pnbuf); 331 return (ENOENT); 332 } 333 cnp->cn_nameptr = cnp->cn_pnbuf; 334 ndp->ni_startdir = dp; 335 error = lookup(ndp); 336 if (error != 0) { 337 if (ndp->ni_dvp) { 338 vput(ndp->ni_dvp); 339 } 340 if (ndp->ni_erootdir != NULL) { 341 /* Retry the whole thing from the normal root */ 342 cnp->cn_flags &= ~TRYEMULROOT; 343 goto emul_retry; 344 } 345 PNBUF_PUT(cnp->cn_pnbuf); 346 return (error); 347 } 348 349 /* 350 * Check for symbolic link 351 */ 352 if ((cnp->cn_flags & ISSYMLINK) == 0) { 353 if ((cnp->cn_flags & LOCKPARENT) == 0 && ndp->ni_dvp) { 354 if (ndp->ni_dvp == ndp->ni_vp) { 355 vrele(ndp->ni_dvp); 356 } else { 357 vput(ndp->ni_dvp); 358 } 359 } 360 if ((cnp->cn_flags & (SAVENAME | SAVESTART)) == 0) 361 PNBUF_PUT(cnp->cn_pnbuf); 362 else 363 cnp->cn_flags |= HASBUF; 364 return (0); 365 } 366 367 if (ndp->ni_loopcnt++ >= MAXSYMLINKS) { 368 error = ELOOP; 369 break; 370 } 371 if (ndp->ni_vp->v_mount->mnt_flag & MNT_SYMPERM) { 372 error = VOP_ACCESS(ndp->ni_vp, VEXEC, cnp->cn_cred); 373 if (error != 0) 374 break; 375 } 376 if (ndp->ni_pathlen > 1) 377 cp = PNBUF_GET(); 378 else 379 cp = cnp->cn_pnbuf; 380 aiov.iov_base = cp; 381 aiov.iov_len = MAXPATHLEN; 382 auio.uio_iov = &aiov; 383 auio.uio_iovcnt = 1; 384 auio.uio_offset = 0; 385 auio.uio_rw = UIO_READ; 386 auio.uio_resid = MAXPATHLEN; 387 UIO_SETUP_SYSSPACE(&auio); 388 error = VOP_READLINK(ndp->ni_vp, &auio, cnp->cn_cred); 389 if (error) { 390 badlink: 391 if (ndp->ni_pathlen > 1) 392 PNBUF_PUT(cp); 393 break; 394 } 395 linklen = MAXPATHLEN - auio.uio_resid; 396 if (linklen == 0) { 397 error = ENOENT; 398 goto badlink; 399 } 400 401 /* 402 * Do symlink substitution, if appropriate, and 403 * check length for potential overflow. 404 */ 405 if ((vfs_magiclinks && 406 symlink_magic(l->l_proc, cp, &linklen)) || 407 (linklen + ndp->ni_pathlen >= MAXPATHLEN)) { 408 error = ENAMETOOLONG; 409 goto badlink; 410 } 411 if (ndp->ni_pathlen > 1) { 412 memcpy(cp + linklen, ndp->ni_next, ndp->ni_pathlen); 413 PNBUF_PUT(cnp->cn_pnbuf); 414 cnp->cn_pnbuf = cp; 415 } else 416 cnp->cn_pnbuf[linklen] = '\0'; 417 ndp->ni_pathlen += linklen; 418 vput(ndp->ni_vp); 419 dp = ndp->ni_dvp; 420 421 /* 422 * Check if root directory should replace current directory. 423 */ 424 if (cnp->cn_pnbuf[0] == '/') { 425 vput(dp); 426 /* Keep absolute symbolic links inside emulation root */ 427 dp = ndp->ni_erootdir; 428 if (dp == NULL || (cnp->cn_pnbuf[1] == '.' 429 && cnp->cn_pnbuf[2] == '.' 430 && cnp->cn_pnbuf[3] == '/')) { 431 ndp->ni_erootdir = NULL; 432 dp = ndp->ni_rootdir; 433 } 434 VREF(dp); 435 vn_lock(dp, LK_EXCLUSIVE | LK_RETRY); 436 } 437 } 438 /* Failed to process a symbolic link */ 439 KASSERT(ndp->ni_dvp != ndp->ni_vp); 440 vput(ndp->ni_dvp); 441 vput(ndp->ni_vp); 442 ndp->ni_vp = NULL; 443 PNBUF_PUT(cnp->cn_pnbuf); 444 return (error); 445 } 446 447 /* 448 * Determine the namei hash (for cn_hash) for name. 449 * If *ep != NULL, hash from name to ep-1. 450 * If *ep == NULL, hash from name until the first NUL or '/', and 451 * return the location of this termination character in *ep. 452 * 453 * This function returns an equivalent hash to the MI hash32_strn(). 454 * The latter isn't used because in the *ep == NULL case, determining 455 * the length of the string to the first NUL or `/' and then calling 456 * hash32_strn() involves unnecessary double-handling of the data. 457 */ 458 uint32_t 459 namei_hash(const char *name, const char **ep) 460 { 461 uint32_t hash; 462 463 hash = HASH32_STR_INIT; 464 if (*ep != NULL) { 465 for (; name < *ep; name++) 466 hash = hash * 33 + *(const uint8_t *)name; 467 } else { 468 for (; *name != '\0' && *name != '/'; name++) 469 hash = hash * 33 + *(const uint8_t *)name; 470 *ep = name; 471 } 472 return (hash + (hash >> 5)); 473 } 474 475 /* 476 * Search a pathname. 477 * This is a very central and rather complicated routine. 478 * 479 * The pathname is pointed to by ni_ptr and is of length ni_pathlen. 480 * The starting directory is taken from ni_startdir. The pathname is 481 * descended until done, or a symbolic link is encountered. The variable 482 * ni_more is clear if the path is completed; it is set to one if a 483 * symbolic link needing interpretation is encountered. 484 * 485 * The flag argument is LOOKUP, CREATE, RENAME, or DELETE depending on 486 * whether the name is to be looked up, created, renamed, or deleted. 487 * When CREATE, RENAME, or DELETE is specified, information usable in 488 * creating, renaming, or deleting a directory entry may be calculated. 489 * If flag has LOCKPARENT or'ed into it, the parent directory is returned 490 * locked. Otherwise the parent directory is not returned. If the target 491 * of the pathname exists and LOCKLEAF is or'ed into the flag the target 492 * is returned locked, otherwise it is returned unlocked. When creating 493 * or renaming and LOCKPARENT is specified, the target may not be ".". 494 * When deleting and LOCKPARENT is specified, the target may be ".". 495 * 496 * Overall outline of lookup: 497 * 498 * dirloop: 499 * identify next component of name at ndp->ni_ptr 500 * handle degenerate case where name is null string 501 * if .. and crossing mount points and on mounted filesys, find parent 502 * call VOP_LOOKUP routine for next component name 503 * directory vnode returned in ni_dvp, locked. 504 * component vnode returned in ni_vp (if it exists), locked. 505 * if result vnode is mounted on and crossing mount points, 506 * find mounted on vnode 507 * if more components of name, do next level at dirloop 508 * return the answer in ni_vp, locked if LOCKLEAF set 509 * if LOCKPARENT set, return locked parent in ni_dvp 510 */ 511 int 512 lookup(struct nameidata *ndp) 513 { 514 const char *cp; /* pointer into pathname argument */ 515 struct vnode *dp = 0; /* the directory we are searching */ 516 struct vnode *tdp; /* saved dp */ 517 struct mount *mp; /* mount table entry */ 518 int docache; /* == 0 do not cache last component */ 519 int rdonly; /* lookup read-only flag bit */ 520 int error = 0; 521 int slashes; 522 struct componentname *cnp = &ndp->ni_cnd; 523 struct lwp *l = curlwp; 524 525 /* 526 * Setup: break out flag bits into variables. 527 */ 528 docache = (cnp->cn_flags & NOCACHE) ^ NOCACHE; 529 if (cnp->cn_nameiop == DELETE) 530 docache = 0; 531 rdonly = cnp->cn_flags & RDONLY; 532 ndp->ni_dvp = NULL; 533 cnp->cn_flags &= ~ISSYMLINK; 534 dp = ndp->ni_startdir; 535 ndp->ni_startdir = NULLVP; 536 537 /* 538 * If we have a leading string of slashes, remove them, and just make 539 * sure the current node is a directory. 540 */ 541 cp = cnp->cn_nameptr; 542 if (*cp == '/') { 543 do { 544 cp++; 545 } while (*cp == '/'); 546 ndp->ni_pathlen -= cp - cnp->cn_nameptr; 547 cnp->cn_nameptr = cp; 548 549 if (dp->v_type != VDIR) { 550 error = ENOTDIR; 551 vput(dp); 552 goto bad; 553 } 554 555 /* 556 * If we've exhausted the path name, then just return the 557 * current node. 558 */ 559 if (cnp->cn_nameptr[0] == '\0') { 560 ndp->ni_vp = dp; 561 cnp->cn_flags |= ISLASTCN; 562 goto terminal; 563 } 564 } 565 566 dirloop: 567 /* 568 * Search a new directory. 569 * 570 * The cn_hash value is for use by vfs_cache. 571 * The last component of the filename is left accessible via 572 * cnp->cn_nameptr for callers that need the name. Callers needing 573 * the name set the SAVENAME flag. When done, they assume 574 * responsibility for freeing the pathname buffer. 575 * 576 * At this point, our only vnode state is that "dp" is held and locked. 577 */ 578 cnp->cn_consume = 0; 579 cp = NULL; 580 cnp->cn_hash = namei_hash(cnp->cn_nameptr, &cp); 581 cnp->cn_namelen = cp - cnp->cn_nameptr; 582 if (cnp->cn_namelen > NAME_MAX) { 583 vput(dp); 584 error = ENAMETOOLONG; 585 ndp->ni_dvp = NULL; 586 goto bad; 587 } 588 #ifdef NAMEI_DIAGNOSTIC 589 { char c = *cp; 590 *(char *)cp = '\0'; 591 printf("{%s}: ", cnp->cn_nameptr); 592 *(char *)cp = c; } 593 #endif /* NAMEI_DIAGNOSTIC */ 594 ndp->ni_pathlen -= cnp->cn_namelen; 595 ndp->ni_next = cp; 596 /* 597 * If this component is followed by a slash, then move the pointer to 598 * the next component forward, and remember that this component must be 599 * a directory. 600 */ 601 if (*cp == '/') { 602 do { 603 cp++; 604 } while (*cp == '/'); 605 slashes = cp - ndp->ni_next; 606 ndp->ni_pathlen -= slashes; 607 ndp->ni_next = cp; 608 cnp->cn_flags |= REQUIREDIR; 609 } else { 610 slashes = 0; 611 cnp->cn_flags &= ~REQUIREDIR; 612 } 613 /* 614 * We do special processing on the last component, whether or not it's 615 * a directory. Cache all intervening lookups, but not the final one. 616 */ 617 if (*cp == '\0') { 618 if (docache) 619 cnp->cn_flags |= MAKEENTRY; 620 else 621 cnp->cn_flags &= ~MAKEENTRY; 622 cnp->cn_flags |= ISLASTCN; 623 } else { 624 cnp->cn_flags |= MAKEENTRY; 625 cnp->cn_flags &= ~ISLASTCN; 626 } 627 if (cnp->cn_namelen == 2 && 628 cnp->cn_nameptr[1] == '.' && cnp->cn_nameptr[0] == '.') 629 cnp->cn_flags |= ISDOTDOT; 630 else 631 cnp->cn_flags &= ~ISDOTDOT; 632 633 /* 634 * Handle "..": two special cases. 635 * 1. If at root directory (e.g. after chroot) 636 * or at absolute root directory 637 * then ignore it so can't get out. 638 * 1a. If at the root of the emulation filesystem go to the real 639 * root. So "/../<path>" is always absolute. 640 * 1b. If we have somehow gotten out of a jail, warn 641 * and also ignore it so we can't get farther out. 642 * 2. If this vnode is the root of a mounted 643 * filesystem, then replace it with the 644 * vnode which was mounted on so we take the 645 * .. in the other file system. 646 */ 647 if (cnp->cn_flags & ISDOTDOT) { 648 struct proc *p = l->l_proc; 649 650 for (;;) { 651 if (dp == ndp->ni_rootdir || dp == rootvnode) { 652 ndp->ni_dvp = dp; 653 ndp->ni_vp = dp; 654 VREF(dp); 655 goto nextname; 656 } 657 if (ndp->ni_rootdir != rootvnode) { 658 int retval; 659 660 VOP_UNLOCK(dp, 0); 661 retval = vn_isunder(dp, ndp->ni_rootdir, l); 662 vn_lock(dp, LK_EXCLUSIVE | LK_RETRY); 663 if (!retval) { 664 /* Oops! We got out of jail! */ 665 log(LOG_WARNING, 666 "chrooted pid %d uid %d (%s) " 667 "detected outside of its chroot\n", 668 p->p_pid, kauth_cred_geteuid(l->l_cred), 669 p->p_comm); 670 /* Put us at the jail root. */ 671 vput(dp); 672 dp = ndp->ni_rootdir; 673 ndp->ni_dvp = dp; 674 ndp->ni_vp = dp; 675 VREF(dp); 676 VREF(dp); 677 vn_lock(dp, LK_EXCLUSIVE | LK_RETRY); 678 goto nextname; 679 } 680 } 681 if ((dp->v_vflag & VV_ROOT) == 0 || 682 (cnp->cn_flags & NOCROSSMOUNT)) 683 break; 684 tdp = dp; 685 dp = dp->v_mount->mnt_vnodecovered; 686 vput(tdp); 687 VREF(dp); 688 vn_lock(dp, LK_EXCLUSIVE | LK_RETRY); 689 } 690 } 691 692 /* 693 * We now have a segment name to search for, and a directory to search. 694 * Again, our only vnode state is that "dp" is held and locked. 695 */ 696 unionlookup: 697 ndp->ni_dvp = dp; 698 ndp->ni_vp = NULL; 699 error = VOP_LOOKUP(dp, &ndp->ni_vp, cnp); 700 if (error != 0) { 701 #ifdef DIAGNOSTIC 702 if (ndp->ni_vp != NULL) 703 panic("leaf `%s' should be empty", cnp->cn_nameptr); 704 #endif /* DIAGNOSTIC */ 705 #ifdef NAMEI_DIAGNOSTIC 706 printf("not found\n"); 707 #endif /* NAMEI_DIAGNOSTIC */ 708 if ((error == ENOENT) && 709 (dp->v_vflag & VV_ROOT) && 710 (dp->v_mount->mnt_flag & MNT_UNION)) { 711 tdp = dp; 712 dp = dp->v_mount->mnt_vnodecovered; 713 vput(tdp); 714 VREF(dp); 715 vn_lock(dp, LK_EXCLUSIVE | LK_RETRY); 716 goto unionlookup; 717 } 718 719 if (error != EJUSTRETURN) 720 goto bad; 721 722 /* 723 * If this was not the last component, or there were trailing 724 * slashes, and we are not going to create a directory, 725 * then the name must exist. 726 */ 727 if ((cnp->cn_flags & (REQUIREDIR | CREATEDIR)) == REQUIREDIR) { 728 error = ENOENT; 729 goto bad; 730 } 731 732 /* 733 * If creating and at end of pathname, then can consider 734 * allowing file to be created. 735 */ 736 if (rdonly) { 737 error = EROFS; 738 goto bad; 739 } 740 741 /* 742 * We return with ni_vp NULL to indicate that the entry 743 * doesn't currently exist, leaving a pointer to the 744 * (possibly locked) directory vnode in ndp->ni_dvp. 745 */ 746 if (cnp->cn_flags & SAVESTART) { 747 ndp->ni_startdir = ndp->ni_dvp; 748 VREF(ndp->ni_startdir); 749 } 750 return (0); 751 } 752 #ifdef NAMEI_DIAGNOSTIC 753 printf("found\n"); 754 #endif /* NAMEI_DIAGNOSTIC */ 755 756 /* 757 * Take into account any additional components consumed by the 758 * underlying filesystem. This will include any trailing slashes after 759 * the last component consumed. 760 */ 761 if (cnp->cn_consume > 0) { 762 ndp->ni_pathlen -= cnp->cn_consume - slashes; 763 ndp->ni_next += cnp->cn_consume - slashes; 764 cnp->cn_consume = 0; 765 if (ndp->ni_next[0] == '\0') 766 cnp->cn_flags |= ISLASTCN; 767 } 768 769 dp = ndp->ni_vp; 770 771 /* 772 * "dp" and "ndp->ni_dvp" are both locked and held, 773 * and may be the same vnode. 774 */ 775 776 /* 777 * Check to see if the vnode has been mounted on; 778 * if so find the root of the mounted file system. 779 */ 780 while (dp->v_type == VDIR && (mp = dp->v_mountedhere) && 781 (cnp->cn_flags & NOCROSSMOUNT) == 0) { 782 error = vfs_busy(mp, NULL); 783 if (error != 0) { 784 vput(dp); 785 goto bad; 786 } 787 KASSERT(ndp->ni_dvp != dp); 788 VOP_UNLOCK(ndp->ni_dvp, 0); 789 vput(dp); 790 error = VFS_ROOT(mp, &tdp); 791 vfs_unbusy(mp, false, NULL); 792 if (error) { 793 vn_lock(ndp->ni_dvp, LK_EXCLUSIVE | LK_RETRY); 794 goto bad; 795 } 796 VOP_UNLOCK(tdp, 0); 797 ndp->ni_vp = dp = tdp; 798 vn_lock(ndp->ni_dvp, LK_EXCLUSIVE | LK_RETRY); 799 vn_lock(ndp->ni_vp, LK_EXCLUSIVE | LK_RETRY); 800 } 801 802 /* 803 * Check for symbolic link. Back up over any slashes that we skipped, 804 * as we will need them again. 805 */ 806 if ((dp->v_type == VLNK) && (cnp->cn_flags & (FOLLOW|REQUIREDIR))) { 807 ndp->ni_pathlen += slashes; 808 ndp->ni_next -= slashes; 809 cnp->cn_flags |= ISSYMLINK; 810 return (0); 811 } 812 813 /* 814 * Check for directory, if the component was followed by a series of 815 * slashes. 816 */ 817 if ((dp->v_type != VDIR) && (cnp->cn_flags & REQUIREDIR)) { 818 error = ENOTDIR; 819 KASSERT(dp != ndp->ni_dvp); 820 vput(dp); 821 goto bad; 822 } 823 824 nextname: 825 826 /* 827 * Not a symbolic link. If this was not the last component, then 828 * continue at the next component, else return. 829 */ 830 if (!(cnp->cn_flags & ISLASTCN)) { 831 cnp->cn_nameptr = ndp->ni_next; 832 if (ndp->ni_dvp == dp) { 833 vrele(ndp->ni_dvp); 834 } else { 835 vput(ndp->ni_dvp); 836 } 837 goto dirloop; 838 } 839 840 terminal: 841 if (dp == ndp->ni_erootdir) { 842 /* 843 * We are about to return the emulation root. 844 * This isn't a good idea because code might repeatedly 845 * lookup ".." until the file matches that returned 846 * for "/" and loop forever. 847 * So convert it to the real root. 848 */ 849 if (ndp->ni_dvp == dp) 850 vrele(dp); 851 else 852 if (ndp->ni_dvp != NULL) 853 vput(ndp->ni_dvp); 854 ndp->ni_dvp = NULL; 855 vput(dp); 856 dp = ndp->ni_rootdir; 857 VREF(dp); 858 vn_lock(dp, LK_EXCLUSIVE | LK_RETRY); 859 ndp->ni_vp = dp; 860 } 861 862 /* 863 * If the caller requested the parent node (i.e. 864 * it's a CREATE, DELETE, or RENAME), and we don't have one 865 * (because this is the root directory), then we must fail. 866 */ 867 if (ndp->ni_dvp == NULL && cnp->cn_nameiop != LOOKUP) { 868 switch (cnp->cn_nameiop) { 869 case CREATE: 870 error = EEXIST; 871 break; 872 case DELETE: 873 case RENAME: 874 error = EBUSY; 875 break; 876 default: 877 KASSERT(0); 878 } 879 vput(dp); 880 goto bad; 881 } 882 883 /* 884 * Disallow directory write attempts on read-only lookups. 885 * Prefers EEXIST over EROFS for the CREATE case. 886 */ 887 if (rdonly && 888 (cnp->cn_nameiop == DELETE || cnp->cn_nameiop == RENAME)) { 889 error = EROFS; 890 if (dp != ndp->ni_dvp) { 891 vput(dp); 892 } 893 goto bad; 894 } 895 if (ndp->ni_dvp != NULL) { 896 if (cnp->cn_flags & SAVESTART) { 897 ndp->ni_startdir = ndp->ni_dvp; 898 VREF(ndp->ni_startdir); 899 } 900 } 901 if ((cnp->cn_flags & LOCKLEAF) == 0) { 902 VOP_UNLOCK(dp, 0); 903 } 904 return (0); 905 906 bad: 907 ndp->ni_vp = NULL; 908 return (error); 909 } 910 911 /* 912 * Reacquire a path name component. 913 * dvp is locked on entry and exit. 914 * *vpp is locked on exit unless it's NULL. 915 */ 916 int 917 relookup(struct vnode *dvp, struct vnode **vpp, struct componentname *cnp) 918 { 919 int rdonly; /* lookup read-only flag bit */ 920 int error = 0; 921 #ifdef DEBUG 922 uint32_t newhash; /* DEBUG: check name hash */ 923 const char *cp; /* DEBUG: check name ptr/len */ 924 #endif /* DEBUG */ 925 926 /* 927 * Setup: break out flag bits into variables. 928 */ 929 rdonly = cnp->cn_flags & RDONLY; 930 cnp->cn_flags &= ~ISSYMLINK; 931 932 /* 933 * Search a new directory. 934 * 935 * The cn_hash value is for use by vfs_cache. 936 * The last component of the filename is left accessible via 937 * cnp->cn_nameptr for callers that need the name. Callers needing 938 * the name set the SAVENAME flag. When done, they assume 939 * responsibility for freeing the pathname buffer. 940 */ 941 #ifdef DEBUG 942 cp = NULL; 943 newhash = namei_hash(cnp->cn_nameptr, &cp); 944 if ((uint32_t)newhash != (uint32_t)cnp->cn_hash) 945 panic("relookup: bad hash"); 946 if (cnp->cn_namelen != cp - cnp->cn_nameptr) 947 panic("relookup: bad len"); 948 while (*cp == '/') 949 cp++; 950 if (*cp != 0) 951 panic("relookup: not last component"); 952 #endif /* DEBUG */ 953 954 /* 955 * Check for degenerate name (e.g. / or "") 956 * which is a way of talking about a directory, 957 * e.g. like "/." or ".". 958 */ 959 if (cnp->cn_nameptr[0] == '\0') 960 panic("relookup: null name"); 961 962 if (cnp->cn_flags & ISDOTDOT) 963 panic("relookup: lookup on dot-dot"); 964 965 /* 966 * We now have a segment name to search for, and a directory to search. 967 */ 968 if ((error = VOP_LOOKUP(dvp, vpp, cnp)) != 0) { 969 #ifdef DIAGNOSTIC 970 if (*vpp != NULL) 971 panic("leaf `%s' should be empty", cnp->cn_nameptr); 972 #endif 973 if (error != EJUSTRETURN) 974 goto bad; 975 } 976 977 #ifdef DIAGNOSTIC 978 /* 979 * Check for symbolic link 980 */ 981 if (*vpp && (*vpp)->v_type == VLNK && (cnp->cn_flags & FOLLOW)) 982 panic("relookup: symlink found"); 983 #endif 984 985 /* 986 * Check for read-only lookups. 987 */ 988 if (rdonly && cnp->cn_nameiop != LOOKUP) { 989 error = EROFS; 990 if (*vpp) { 991 vput(*vpp); 992 } 993 goto bad; 994 } 995 if (cnp->cn_flags & SAVESTART) 996 VREF(dvp); 997 return (0); 998 999 bad: 1000 *vpp = NULL; 1001 return (error); 1002 } 1003