1994-05-24 10:09:53 +00:00
|
|
|
/*
|
|
|
|
* Copyright (c) 1982, 1986, 1989, 1993
|
|
|
|
* The Regents of the University of California. All rights reserved.
|
|
|
|
* (c) UNIX System Laboratories, Inc.
|
|
|
|
* All or some portions of this file are derived from material licensed
|
|
|
|
* to the University of California by American Telephone and Telegraph
|
|
|
|
* Co. or Unix System Laboratories, Inc. and are reproduced herein with
|
|
|
|
* the permission of UNIX System Laboratories, Inc.
|
|
|
|
*
|
|
|
|
* Redistribution and use in source and binary forms, with or without
|
|
|
|
* modification, are permitted provided that the following conditions
|
|
|
|
* are met:
|
|
|
|
* 1. Redistributions of source code must retain the above copyright
|
|
|
|
* notice, this list of conditions and the following disclaimer.
|
|
|
|
* 2. Redistributions in binary form must reproduce the above copyright
|
|
|
|
* notice, this list of conditions and the following disclaimer in the
|
|
|
|
* documentation and/or other materials provided with the distribution.
|
|
|
|
* 3. All advertising materials mentioning features or use of this software
|
|
|
|
* must display the following acknowledgement:
|
|
|
|
* This product includes software developed by the University of
|
|
|
|
* California, Berkeley and its contributors.
|
|
|
|
* 4. Neither the name of the University nor the names of its contributors
|
|
|
|
* may be used to endorse or promote products derived from this software
|
|
|
|
* without specific prior written permission.
|
|
|
|
*
|
|
|
|
* THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
|
|
|
|
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
|
|
|
|
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
|
|
|
|
* ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
|
|
|
|
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
|
|
|
|
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
|
|
|
|
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
|
|
|
|
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
|
|
|
|
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
|
|
|
|
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
|
|
|
|
* SUCH DAMAGE.
|
|
|
|
*
|
|
|
|
* @(#)vfs_vnops.c 8.2 (Berkeley) 1/21/94
|
1999-08-28 01:08:13 +00:00
|
|
|
* $FreeBSD$
|
1994-05-24 10:09:53 +00:00
|
|
|
*/
|
|
|
|
|
2002-08-01 17:14:28 +00:00
|
|
|
#include "opt_mac.h"
|
|
|
|
|
1994-05-24 10:09:53 +00:00
|
|
|
#include <sys/param.h>
|
|
|
|
#include <sys/systm.h>
|
1997-03-23 03:37:54 +00:00
|
|
|
#include <sys/fcntl.h>
|
1994-05-24 10:09:53 +00:00
|
|
|
#include <sys/file.h>
|
|
|
|
#include <sys/stat.h>
|
|
|
|
#include <sys/proc.h>
|
2001-10-11 17:52:20 +00:00
|
|
|
#include <sys/lock.h>
|
2002-08-01 17:14:28 +00:00
|
|
|
#include <sys/mac.h>
|
1994-05-24 10:09:53 +00:00
|
|
|
#include <sys/mount.h>
|
2000-10-20 07:58:15 +00:00
|
|
|
#include <sys/mutex.h>
|
1994-05-24 10:09:53 +00:00
|
|
|
#include <sys/namei.h>
|
|
|
|
#include <sys/vnode.h>
|
2000-05-05 09:59:14 +00:00
|
|
|
#include <sys/bio.h>
|
1999-08-04 18:53:50 +00:00
|
|
|
#include <sys/buf.h>
|
1997-03-24 11:52:29 +00:00
|
|
|
#include <sys/filio.h>
|
2002-03-26 01:09:51 +00:00
|
|
|
#include <sys/sx.h>
|
1997-03-24 11:52:29 +00:00
|
|
|
#include <sys/ttycom.h>
|
1999-08-13 11:22:48 +00:00
|
|
|
#include <sys/conf.h>
|
2001-12-18 20:48:54 +00:00
|
|
|
#include <sys/syslog.h>
|
1994-05-24 10:09:53 +00:00
|
|
|
|
2001-08-23 17:56:48 +00:00
|
|
|
#include <machine/limits.h>
|
|
|
|
|
2002-03-19 21:25:46 +00:00
|
|
|
static int vn_closefile(struct file *fp, struct thread *td);
|
2002-06-29 01:50:25 +00:00
|
|
|
static int vn_ioctl(struct file *fp, u_long com, void *data,
|
2002-08-17 02:36:16 +00:00
|
|
|
struct ucred *active_cred, struct thread *td);
|
2002-03-19 21:25:46 +00:00
|
|
|
static int vn_read(struct file *fp, struct uio *uio,
|
In order to better support flexible and extensible access control,
make a series of modifications to the credential arguments relating
to file read and write operations to cliarfy which credential is
used for what:
- Change fo_read() and fo_write() to accept "active_cred" instead of
"cred", and change the semantics of consumers of fo_read() and
fo_write() to pass the active credential of the thread requesting
an operation rather than the cached file cred. The cached file
cred is still available in fo_read() and fo_write() consumers
via fp->f_cred. These changes largely in sys_generic.c.
For each implementation of fo_read() and fo_write(), update cred
usage to reflect this change and maintain current semantics:
- badfo_readwrite() unchanged
- kqueue_read/write() unchanged
pipe_read/write() now authorize MAC using active_cred rather
than td->td_ucred
- soo_read/write() unchanged
- vn_read/write() now authorize MAC using active_cred but
VOP_READ/WRITE() with fp->f_cred
Modify vn_rdwr() to accept two credential arguments instead of a
single credential: active_cred and file_cred. Use active_cred
for MAC authorization, and select a credential for use in
VOP_READ/WRITE() based on whether file_cred is NULL or not. If
file_cred is provided, authorize the VOP using that cred,
otherwise the active credential, matching current semantics.
Modify current vn_rdwr() consumers to pass a file_cred if used
in the context of a struct file, and to always pass active_cred.
When vn_rdwr() is used without a file_cred, pass NOCRED.
These changes should maintain current semantics for read/write,
but avoid a redundant passing of fp->f_cred, as well as making
it more clear what the origin of each credential is in file
descriptor read/write operations.
Follow-up commits will make similar changes to other file descriptor
operations, and modify the MAC framework to pass both credentials
to MAC policy modules so they can implement either semantic for
revocation.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, NAI Labs
2002-08-15 20:55:08 +00:00
|
|
|
struct ucred *active_cred, int flags, struct thread *td);
|
Make similar changes to fo_stat() and fo_poll() as made earlier to
fo_read() and fo_write(): explicitly use the cred argument to fo_poll()
as "active_cred" using the passed file descriptor's f_cred reference
to provide access to the file credential. Add an active_cred
argument to fo_stat() so that implementers have access to the active
credential as well as the file credential. Generally modify callers
of fo_stat() to pass in td->td_ucred rather than fp->f_cred, which
was redundantly provided via the fp argument. This set of modifications
also permits threads to perform these operations on behalf of another
thread without modifying their credential.
Trickle this change down into fo_stat/poll() implementations:
- badfo_poll(), badfo_stat(): modify/add arguments.
- kqueue_poll(), kqueue_stat(): modify arguments.
- pipe_poll(), pipe_stat(): modify/add arguments, pass active_cred to
MAC checks rather than td->td_ucred.
- soo_poll(), soo_stat(): modify/add arguments, pass fp->f_cred rather
than cred to pru_sopoll() to maintain current semantics.
- sopoll(): moidfy arguments.
- vn_poll(), vn_statfile(): modify/add arguments, pass new arguments
to vn_stat(). Pass active_cred to MAC and fp->f_cred to VOP_POLL()
to maintian current semantics.
- vn_close(): rename cred to file_cred to reflect reality while I'm here.
- vn_stat(): Add active_cred and file_cred arguments to vn_stat()
and consumers so that this distinction is maintained at the VFS
as well as 'struct file' layer. Pass active_cred instead of
td->td_ucred to MAC and to VOP_GETATTR() to maintain current semantics.
- fifofs: modify the creation of a "filetemp" so that the file
credential is properly initialized and can be used in the socket
code if desired. Pass ap->a_td->td_ucred as the active
credential to soo_poll(). If we teach the vnop interface about
the distinction between file and active credentials, we would use
the active credential here.
Note that current inconsistent passing of active_cred vs. file_cred to
VOP's is maintained. It's not clear why GETATTR would be authorized
using active_cred while POLL would be authorized using file_cred at
the file system level.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, NAI Labs
2002-08-16 12:52:03 +00:00
|
|
|
static int vn_poll(struct file *fp, int events, struct ucred *active_cred,
|
2002-03-19 21:25:46 +00:00
|
|
|
struct thread *td);
|
|
|
|
static int vn_kqfilter(struct file *fp, struct knote *kn);
|
Make similar changes to fo_stat() and fo_poll() as made earlier to
fo_read() and fo_write(): explicitly use the cred argument to fo_poll()
as "active_cred" using the passed file descriptor's f_cred reference
to provide access to the file credential. Add an active_cred
argument to fo_stat() so that implementers have access to the active
credential as well as the file credential. Generally modify callers
of fo_stat() to pass in td->td_ucred rather than fp->f_cred, which
was redundantly provided via the fp argument. This set of modifications
also permits threads to perform these operations on behalf of another
thread without modifying their credential.
Trickle this change down into fo_stat/poll() implementations:
- badfo_poll(), badfo_stat(): modify/add arguments.
- kqueue_poll(), kqueue_stat(): modify arguments.
- pipe_poll(), pipe_stat(): modify/add arguments, pass active_cred to
MAC checks rather than td->td_ucred.
- soo_poll(), soo_stat(): modify/add arguments, pass fp->f_cred rather
than cred to pru_sopoll() to maintain current semantics.
- sopoll(): moidfy arguments.
- vn_poll(), vn_statfile(): modify/add arguments, pass new arguments
to vn_stat(). Pass active_cred to MAC and fp->f_cred to VOP_POLL()
to maintian current semantics.
- vn_close(): rename cred to file_cred to reflect reality while I'm here.
- vn_stat(): Add active_cred and file_cred arguments to vn_stat()
and consumers so that this distinction is maintained at the VFS
as well as 'struct file' layer. Pass active_cred instead of
td->td_ucred to MAC and to VOP_GETATTR() to maintain current semantics.
- fifofs: modify the creation of a "filetemp" so that the file
credential is properly initialized and can be used in the socket
code if desired. Pass ap->a_td->td_ucred as the active
credential to soo_poll(). If we teach the vnop interface about
the distinction between file and active credentials, we would use
the active credential here.
Note that current inconsistent passing of active_cred vs. file_cred to
VOP's is maintained. It's not clear why GETATTR would be authorized
using active_cred while POLL would be authorized using file_cred at
the file system level.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, NAI Labs
2002-08-16 12:52:03 +00:00
|
|
|
static int vn_statfile(struct file *fp, struct stat *sb,
|
|
|
|
struct ucred *active_cred, struct thread *td);
|
2002-03-19 21:25:46 +00:00
|
|
|
static int vn_write(struct file *fp, struct uio *uio,
|
In order to better support flexible and extensible access control,
make a series of modifications to the credential arguments relating
to file read and write operations to cliarfy which credential is
used for what:
- Change fo_read() and fo_write() to accept "active_cred" instead of
"cred", and change the semantics of consumers of fo_read() and
fo_write() to pass the active credential of the thread requesting
an operation rather than the cached file cred. The cached file
cred is still available in fo_read() and fo_write() consumers
via fp->f_cred. These changes largely in sys_generic.c.
For each implementation of fo_read() and fo_write(), update cred
usage to reflect this change and maintain current semantics:
- badfo_readwrite() unchanged
- kqueue_read/write() unchanged
pipe_read/write() now authorize MAC using active_cred rather
than td->td_ucred
- soo_read/write() unchanged
- vn_read/write() now authorize MAC using active_cred but
VOP_READ/WRITE() with fp->f_cred
Modify vn_rdwr() to accept two credential arguments instead of a
single credential: active_cred and file_cred. Use active_cred
for MAC authorization, and select a credential for use in
VOP_READ/WRITE() based on whether file_cred is NULL or not. If
file_cred is provided, authorize the VOP using that cred,
otherwise the active credential, matching current semantics.
Modify current vn_rdwr() consumers to pass a file_cred if used
in the context of a struct file, and to always pass active_cred.
When vn_rdwr() is used without a file_cred, pass NOCRED.
These changes should maintain current semantics for read/write,
but avoid a redundant passing of fp->f_cred, as well as making
it more clear what the origin of each credential is in file
descriptor read/write operations.
Follow-up commits will make similar changes to other file descriptor
operations, and modify the MAC framework to pass both credentials
to MAC policy modules so they can implement either semantic for
revocation.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, NAI Labs
2002-08-15 20:55:08 +00:00
|
|
|
struct ucred *active_cred, int flags, struct thread *td);
|
1995-12-17 21:23:44 +00:00
|
|
|
|
2001-02-15 16:34:11 +00:00
|
|
|
struct fileops vnops = {
|
|
|
|
vn_read, vn_write, vn_ioctl, vn_poll, vn_kqfilter,
|
|
|
|
vn_statfile, vn_closefile
|
2000-04-16 18:53:38 +00:00
|
|
|
};
|
|
|
|
|
2001-11-11 22:39:07 +00:00
|
|
|
int
|
|
|
|
vn_open(ndp, flagp, cmode)
|
|
|
|
register struct nameidata *ndp;
|
|
|
|
int *flagp, cmode;
|
|
|
|
{
|
|
|
|
struct thread *td = ndp->ni_cnd.cn_thread;
|
|
|
|
|
2002-02-27 18:32:23 +00:00
|
|
|
return (vn_open_cred(ndp, flagp, cmode, td->td_ucred));
|
2001-11-11 22:39:07 +00:00
|
|
|
}
|
|
|
|
|
1994-05-24 10:09:53 +00:00
|
|
|
/*
|
|
|
|
* Common code for vnode open operations.
|
|
|
|
* Check permissions, and call the VOP_OPEN or VOP_CREATE routine.
|
1999-12-15 23:02:35 +00:00
|
|
|
*
|
2000-05-12 16:06:49 +00:00
|
|
|
* Note that this does NOT free nameidata for the successful case,
|
1999-12-15 23:02:35 +00:00
|
|
|
* due to the NDINIT being done elsewhere.
|
1994-05-24 10:09:53 +00:00
|
|
|
*/
|
1994-05-25 09:21:21 +00:00
|
|
|
int
|
2001-11-11 22:39:07 +00:00
|
|
|
vn_open_cred(ndp, flagp, cmode, cred)
|
1994-05-24 10:09:53 +00:00
|
|
|
register struct nameidata *ndp;
|
2000-07-04 03:34:11 +00:00
|
|
|
int *flagp, cmode;
|
2001-11-11 22:39:07 +00:00
|
|
|
struct ucred *cred;
|
1994-05-24 10:09:53 +00:00
|
|
|
{
|
2000-07-04 03:34:11 +00:00
|
|
|
struct vnode *vp;
|
2000-07-11 22:07:57 +00:00
|
|
|
struct mount *mp;
|
2001-09-12 08:38:13 +00:00
|
|
|
struct thread *td = ndp->ni_cnd.cn_thread;
|
1994-05-24 10:09:53 +00:00
|
|
|
struct vattr vat;
|
|
|
|
struct vattr *vap = &vat;
|
2000-07-04 03:34:11 +00:00
|
|
|
int mode, fmode, error;
|
2002-05-14 21:59:49 +00:00
|
|
|
#ifdef LOOKUP_SHARED
|
2002-03-12 04:00:11 +00:00
|
|
|
int exclusive; /* The current intended lock state */
|
|
|
|
|
|
|
|
exclusive = 0;
|
|
|
|
#endif
|
1994-05-24 10:09:53 +00:00
|
|
|
|
2000-07-11 22:07:57 +00:00
|
|
|
restart:
|
2000-07-04 03:34:11 +00:00
|
|
|
fmode = *flagp;
|
1994-05-24 10:09:53 +00:00
|
|
|
if (fmode & O_CREAT) {
|
|
|
|
ndp->ni_cnd.cn_nameiop = CREATE;
|
|
|
|
ndp->ni_cnd.cn_flags = LOCKPARENT | LOCKLEAF;
|
1998-04-06 18:25:21 +00:00
|
|
|
if ((fmode & O_EXCL) == 0 && (fmode & O_NOFOLLOW) == 0)
|
1994-05-24 10:09:53 +00:00
|
|
|
ndp->ni_cnd.cn_flags |= FOLLOW;
|
2000-01-10 00:08:53 +00:00
|
|
|
bwillwrite();
|
2000-07-04 03:34:11 +00:00
|
|
|
if ((error = namei(ndp)) != 0)
|
1994-05-24 10:09:53 +00:00
|
|
|
return (error);
|
|
|
|
if (ndp->ni_vp == NULL) {
|
|
|
|
VATTR_NULL(vap);
|
|
|
|
vap->va_type = VREG;
|
|
|
|
vap->va_mode = cmode;
|
1997-02-10 02:22:35 +00:00
|
|
|
if (fmode & O_EXCL)
|
|
|
|
vap->va_vaflags |= VA_EXCLUSIVE;
|
2000-07-11 22:07:57 +00:00
|
|
|
if (vn_start_write(ndp->ni_dvp, &mp, V_NOWAIT) != 0) {
|
|
|
|
NDFREE(ndp, NDF_ONLY_PNBUF);
|
|
|
|
vput(ndp->ni_dvp);
|
|
|
|
if ((error = vn_start_write(NULL, &mp,
|
|
|
|
V_XSLEEP | PCATCH)) != 0)
|
|
|
|
return (error);
|
|
|
|
goto restart;
|
|
|
|
}
|
2002-10-19 20:56:44 +00:00
|
|
|
#ifdef MAC
|
|
|
|
error = mac_check_vnode_create(cred, ndp->ni_dvp,
|
|
|
|
&ndp->ni_cnd, vap);
|
|
|
|
if (error == 0) {
|
|
|
|
#endif
|
|
|
|
VOP_LEASE(ndp->ni_dvp, td, cred, LEASE_WRITE);
|
|
|
|
error = VOP_CREATE(ndp->ni_dvp, &ndp->ni_vp,
|
|
|
|
&ndp->ni_cnd, vap);
|
|
|
|
#ifdef MAC
|
|
|
|
}
|
|
|
|
#endif
|
2000-07-04 03:34:11 +00:00
|
|
|
vput(ndp->ni_dvp);
|
2000-07-11 22:07:57 +00:00
|
|
|
vn_finished_write(mp);
|
1999-12-15 23:02:35 +00:00
|
|
|
if (error) {
|
|
|
|
NDFREE(ndp, NDF_ONLY_PNBUF);
|
1994-05-24 10:09:53 +00:00
|
|
|
return (error);
|
1999-12-15 23:02:35 +00:00
|
|
|
}
|
1997-04-04 17:46:21 +00:00
|
|
|
ASSERT_VOP_UNLOCKED(ndp->ni_dvp, "create");
|
|
|
|
ASSERT_VOP_LOCKED(ndp->ni_vp, "create");
|
1994-05-24 10:09:53 +00:00
|
|
|
fmode &= ~O_TRUNC;
|
|
|
|
vp = ndp->ni_vp;
|
2002-05-14 21:59:49 +00:00
|
|
|
#ifdef LOOKUP_SHARED
|
2002-03-12 04:00:11 +00:00
|
|
|
exclusive = 1;
|
|
|
|
#endif
|
1994-05-24 10:09:53 +00:00
|
|
|
} else {
|
|
|
|
if (ndp->ni_dvp == ndp->ni_vp)
|
|
|
|
vrele(ndp->ni_dvp);
|
|
|
|
else
|
|
|
|
vput(ndp->ni_dvp);
|
|
|
|
ndp->ni_dvp = NULL;
|
|
|
|
vp = ndp->ni_vp;
|
|
|
|
if (fmode & O_EXCL) {
|
|
|
|
error = EEXIST;
|
|
|
|
goto bad;
|
|
|
|
}
|
|
|
|
fmode &= ~O_CREAT;
|
|
|
|
}
|
|
|
|
} else {
|
|
|
|
ndp->ni_cnd.cn_nameiop = LOOKUP;
|
2002-05-14 21:59:49 +00:00
|
|
|
#ifdef LOOKUP_SHARED
|
2002-03-12 04:00:11 +00:00
|
|
|
ndp->ni_cnd.cn_flags =
|
|
|
|
((fmode & O_NOFOLLOW) ? NOFOLLOW : FOLLOW) |
|
|
|
|
LOCKSHARED | LOCKLEAF;
|
|
|
|
#else
|
1998-04-06 17:38:43 +00:00
|
|
|
ndp->ni_cnd.cn_flags =
|
|
|
|
((fmode & O_NOFOLLOW) ? NOFOLLOW : FOLLOW) | LOCKLEAF;
|
2002-03-12 04:00:11 +00:00
|
|
|
#endif
|
2000-07-04 03:34:11 +00:00
|
|
|
if ((error = namei(ndp)) != 0)
|
1994-05-24 10:09:53 +00:00
|
|
|
return (error);
|
|
|
|
vp = ndp->ni_vp;
|
|
|
|
}
|
1998-04-06 18:43:28 +00:00
|
|
|
if (vp->v_type == VLNK) {
|
1998-04-06 19:32:37 +00:00
|
|
|
error = EMLINK;
|
1998-04-06 18:43:28 +00:00
|
|
|
goto bad;
|
|
|
|
}
|
1998-04-06 19:32:37 +00:00
|
|
|
if (vp->v_type == VSOCK) {
|
1994-05-24 10:09:53 +00:00
|
|
|
error = EOPNOTSUPP;
|
|
|
|
goto bad;
|
|
|
|
}
|
2002-08-01 17:14:28 +00:00
|
|
|
mode = 0;
|
|
|
|
if (fmode & (FWRITE | O_TRUNC)) {
|
|
|
|
if (vp->v_type == VDIR) {
|
|
|
|
error = EISDIR;
|
|
|
|
goto bad;
|
|
|
|
}
|
|
|
|
mode |= VWRITE;
|
|
|
|
}
|
|
|
|
if (fmode & FREAD)
|
|
|
|
mode |= VREAD;
|
|
|
|
if (fmode & O_APPEND)
|
|
|
|
mode |= VAPPEND;
|
|
|
|
#ifdef MAC
|
|
|
|
error = mac_check_vnode_open(cred, vp, mode);
|
|
|
|
if (error)
|
|
|
|
goto bad;
|
|
|
|
#endif
|
1994-05-24 10:09:53 +00:00
|
|
|
if ((fmode & O_CREAT) == 0) {
|
2002-08-01 17:14:28 +00:00
|
|
|
if (mode & VWRITE) {
|
1994-10-02 17:35:40 +00:00
|
|
|
error = vn_writechk(vp);
|
1995-05-10 18:59:11 +00:00
|
|
|
if (error)
|
1994-10-02 17:35:40 +00:00
|
|
|
goto bad;
|
1998-11-02 02:36:16 +00:00
|
|
|
}
|
|
|
|
if (mode) {
|
2001-09-12 08:38:13 +00:00
|
|
|
error = VOP_ACCESS(vp, mode, cred, td);
|
1995-05-10 18:59:11 +00:00
|
|
|
if (error)
|
1994-05-24 10:09:53 +00:00
|
|
|
goto bad;
|
|
|
|
}
|
|
|
|
}
|
2002-07-31 12:19:49 +00:00
|
|
|
if ((error = VOP_GETATTR(vp, vap, cred, td)) == 0) {
|
|
|
|
vp->v_cachedfs = vap->va_fsid;
|
|
|
|
vp->v_cachedid = vap->va_fileid;
|
|
|
|
}
|
2001-09-12 08:38:13 +00:00
|
|
|
if ((error = VOP_OPEN(vp, fmode, cred, td)) != 0)
|
1994-05-24 10:09:53 +00:00
|
|
|
goto bad;
|
1994-10-05 09:48:45 +00:00
|
|
|
/*
|
1996-08-21 21:56:23 +00:00
|
|
|
* Make sure that a VM object is created for VMIO support.
|
1994-10-05 09:48:45 +00:00
|
|
|
*/
|
1999-07-26 06:25:53 +00:00
|
|
|
if (vn_canvmio(vp) == TRUE) {
|
2002-05-14 21:59:49 +00:00
|
|
|
#ifdef LOOKUP_SHARED
|
2002-03-12 04:00:11 +00:00
|
|
|
int flock;
|
|
|
|
|
2002-04-14 10:18:48 +00:00
|
|
|
if (!exclusive && VOP_GETVOBJECT(vp, NULL) != 0)
|
2002-03-12 04:00:11 +00:00
|
|
|
VOP_LOCK(vp, LK_UPGRADE, td);
|
|
|
|
/*
|
|
|
|
* In cases where the object is marked as dead object_create
|
|
|
|
* will unlock and relock exclusive. It is safe to call in
|
|
|
|
* here with a shared lock because we only examine fields that
|
|
|
|
* the shared lock guarantees will be stable. In the UPGRADE
|
|
|
|
* case it is not likely that anyone has used this vnode yet
|
|
|
|
* so there will be no contention. The logic after this call
|
|
|
|
* restores the requested locking state.
|
|
|
|
*/
|
|
|
|
#endif
|
2002-02-18 12:46:18 +00:00
|
|
|
if ((error = vfs_object_create(vp, td, cred)) != 0) {
|
2002-02-20 00:11:57 +00:00
|
|
|
VOP_UNLOCK(vp, 0, td);
|
2002-02-18 00:26:10 +00:00
|
|
|
VOP_CLOSE(vp, fmode, cred, td);
|
2002-02-20 00:11:57 +00:00
|
|
|
NDFREE(ndp, NDF_ONLY_PNBUF);
|
|
|
|
vrele(vp);
|
|
|
|
*flagp = fmode;
|
|
|
|
return (error);
|
2002-02-18 12:46:18 +00:00
|
|
|
}
|
2002-05-14 21:59:49 +00:00
|
|
|
#ifdef LOOKUP_SHARED
|
2002-03-12 04:00:11 +00:00
|
|
|
flock = VOP_ISLOCKED(vp, td);
|
|
|
|
if (!exclusive && flock == LK_EXCLUSIVE)
|
|
|
|
VOP_LOCK(vp, LK_DOWNGRADE, td);
|
|
|
|
#endif
|
1994-10-05 09:48:45 +00:00
|
|
|
}
|
1996-08-21 21:56:23 +00:00
|
|
|
|
NOTE: libkvm, w, ps, 'top', and any other utility which depends on struct
proc or any VM system structure will have to be rebuilt!!!
Much needed overhaul of the VM system. Included in this first round of
changes:
1) Improved pager interfaces: init, alloc, dealloc, getpages, putpages,
haspage, and sync operations are supported. The haspage interface now
provides information about clusterability. All pager routines now take
struct vm_object's instead of "pagers".
2) Improved data structures. In the previous paradigm, there is constant
confusion caused by pagers being both a data structure ("allocate a
pager") and a collection of routines. The idea of a pager structure has
escentially been eliminated. Objects now have types, and this type is
used to index the appropriate pager. In most cases, items in the pager
structure were duplicated in the object data structure and thus were
unnecessary. In the few cases that remained, a un_pager structure union
was created in the object to contain these items.
3) Because of the cleanup of #1 & #2, a lot of unnecessary layering can now
be removed. For instance, vm_object_enter(), vm_object_lookup(),
vm_object_remove(), and the associated object hash list were some of the
things that were removed.
4) simple_lock's removed. Discussion with several people reveals that the
SMP locking primitives used in the VM system aren't likely the mechanism
that we'll be adopting. Even if it were, the locking that was in the code
was very inadequate and would have to be mostly re-done anyway. The
locking in a uni-processor kernel was a no-op but went a long way toward
making the code difficult to read and debug.
5) Places that attempted to kludge-up the fact that we don't have kernel
thread support have been fixed to reflect the reality that we are really
dealing with processes, not threads. The VM system didn't have complete
thread support, so the comments and mis-named routines were just wrong.
We now use tsleep and wakeup directly in the lock routines, for instance.
6) Where appropriate, the pagers have been improved, especially in the
pager_alloc routines. Most of the pager_allocs have been rewritten and
are now faster and easier to maintain.
7) The pagedaemon pageout clustering algorithm has been rewritten and
now tries harder to output an even number of pages before and after
the requested page. This is sort of the reverse of the ideal pagein
algorithm and should provide better overall performance.
8) Unnecessary (incorrect) casts to caddr_t in calls to tsleep & wakeup
have been removed. Some other unnecessary casts have also been removed.
9) Some almost useless debugging code removed.
10) Terminology of shadow objects vs. backing objects straightened out.
The fact that the vm_object data structure escentially had this
backwards really confused things. The use of "shadow" and "backing
object" throughout the code is now internally consistent and correct
in the Mach terminology.
11) Several minor bug fixes, including one in the vm daemon that caused
0 RSS objects to not get purged as intended.
12) A "default pager" has now been created which cleans up the transition
of objects to the "swap" type. The previous checks throughout the code
for swp->pg_data != NULL were really ugly. This change also provides
the rudiments for future backing of "anonymous" memory by something
other than the swap pager (via the vnode pager, for example), and it
allows the decision about which of these pagers to use to be made
dynamically (although will need some additional decision code to do
this, of course).
13) (dyson) MAP_COPY has been deprecated and the corresponding "copy
object" code has been removed. MAP_COPY was undocumented and non-
standard. It was furthermore broken in several ways which caused its
behavior to degrade to MAP_PRIVATE. Binaries that use MAP_COPY will
continue to work correctly, but via the slightly different semantics
of MAP_PRIVATE.
14) (dyson) Sharing maps have been removed. It's marginal usefulness in a
threads design can be worked around in other ways. Both #12 and #13
were done to simplify the code and improve readability and maintain-
ability. (As were most all of these changes)
TODO:
1) Rewrite most of the vnode pager to use VOP_GETPAGES/PUTPAGES. Doing
this will reduce the vnode pager to a mere fraction of its current size.
2) Rewrite vm_fault and the swap/vnode pagers to use the clustering
information provided by the new haspage pager interface. This will
substantially reduce the overhead by eliminating a large number of
VOP_BMAP() calls. The VOP_BMAP() filesystem interface should be
improved to provide both a "behind" and "ahead" indication of
contiguousness.
3) Implement the extended features of pager_haspage in swap_pager_haspage().
It currently just says 0 pages ahead/behind.
4) Re-implement the swap device (swstrategy) in a more elegant way, perhaps
via a much more general mechanism that could also be used for disk
striping of regular filesystems.
5) Do something to improve the architecture of vm_object_collapse(). The
fact that it makes calls into the swap pager and knows too much about
how the swap pager operates really bothers me. It also doesn't allow
for collapsing of non-swap pager objects ("unnamed" objects backed by
other pagers).
1995-07-13 08:48:48 +00:00
|
|
|
if (fmode & FWRITE)
|
|
|
|
vp->v_writecount++;
|
2000-07-04 03:34:11 +00:00
|
|
|
*flagp = fmode;
|
1994-05-24 10:09:53 +00:00
|
|
|
return (0);
|
|
|
|
bad:
|
1999-12-15 23:02:35 +00:00
|
|
|
NDFREE(ndp, NDF_ONLY_PNBUF);
|
1994-05-24 10:09:53 +00:00
|
|
|
vput(vp);
|
2000-07-04 03:34:11 +00:00
|
|
|
*flagp = fmode;
|
1994-05-24 10:09:53 +00:00
|
|
|
return (error);
|
|
|
|
}
|
|
|
|
|
|
|
|
/*
|
|
|
|
* Check for write permissions on the specified vnode.
|
1997-02-10 02:22:35 +00:00
|
|
|
* Prototype text segments cannot be written.
|
1994-05-24 10:09:53 +00:00
|
|
|
*/
|
1994-05-25 09:21:21 +00:00
|
|
|
int
|
1994-05-24 10:09:53 +00:00
|
|
|
vn_writechk(vp)
|
|
|
|
register struct vnode *vp;
|
|
|
|
{
|
|
|
|
|
2002-08-04 10:29:36 +00:00
|
|
|
ASSERT_VOP_LOCKED(vp, "vn_writechk");
|
1994-05-24 10:09:53 +00:00
|
|
|
/*
|
|
|
|
* If there's shared text associated with
|
|
|
|
* the vnode, try to free it up once. If
|
|
|
|
* we fail, we can't allow writing.
|
|
|
|
*/
|
2002-08-04 10:29:36 +00:00
|
|
|
if (vp->v_vflag & VV_TEXT)
|
1994-05-24 10:09:53 +00:00
|
|
|
return (ETXTBSY);
|
2002-08-04 10:29:36 +00:00
|
|
|
|
1994-05-24 10:09:53 +00:00
|
|
|
return (0);
|
|
|
|
}
|
|
|
|
|
|
|
|
/*
|
|
|
|
* Vnode close call
|
|
|
|
*/
|
1994-05-25 09:21:21 +00:00
|
|
|
int
|
Make similar changes to fo_stat() and fo_poll() as made earlier to
fo_read() and fo_write(): explicitly use the cred argument to fo_poll()
as "active_cred" using the passed file descriptor's f_cred reference
to provide access to the file credential. Add an active_cred
argument to fo_stat() so that implementers have access to the active
credential as well as the file credential. Generally modify callers
of fo_stat() to pass in td->td_ucred rather than fp->f_cred, which
was redundantly provided via the fp argument. This set of modifications
also permits threads to perform these operations on behalf of another
thread without modifying their credential.
Trickle this change down into fo_stat/poll() implementations:
- badfo_poll(), badfo_stat(): modify/add arguments.
- kqueue_poll(), kqueue_stat(): modify arguments.
- pipe_poll(), pipe_stat(): modify/add arguments, pass active_cred to
MAC checks rather than td->td_ucred.
- soo_poll(), soo_stat(): modify/add arguments, pass fp->f_cred rather
than cred to pru_sopoll() to maintain current semantics.
- sopoll(): moidfy arguments.
- vn_poll(), vn_statfile(): modify/add arguments, pass new arguments
to vn_stat(). Pass active_cred to MAC and fp->f_cred to VOP_POLL()
to maintian current semantics.
- vn_close(): rename cred to file_cred to reflect reality while I'm here.
- vn_stat(): Add active_cred and file_cred arguments to vn_stat()
and consumers so that this distinction is maintained at the VFS
as well as 'struct file' layer. Pass active_cred instead of
td->td_ucred to MAC and to VOP_GETATTR() to maintain current semantics.
- fifofs: modify the creation of a "filetemp" so that the file
credential is properly initialized and can be used in the socket
code if desired. Pass ap->a_td->td_ucred as the active
credential to soo_poll(). If we teach the vnop interface about
the distinction between file and active credentials, we would use
the active credential here.
Note that current inconsistent passing of active_cred vs. file_cred to
VOP's is maintained. It's not clear why GETATTR would be authorized
using active_cred while POLL would be authorized using file_cred at
the file system level.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, NAI Labs
2002-08-16 12:52:03 +00:00
|
|
|
vn_close(vp, flags, file_cred, td)
|
1994-05-24 10:09:53 +00:00
|
|
|
register struct vnode *vp;
|
|
|
|
int flags;
|
Make similar changes to fo_stat() and fo_poll() as made earlier to
fo_read() and fo_write(): explicitly use the cred argument to fo_poll()
as "active_cred" using the passed file descriptor's f_cred reference
to provide access to the file credential. Add an active_cred
argument to fo_stat() so that implementers have access to the active
credential as well as the file credential. Generally modify callers
of fo_stat() to pass in td->td_ucred rather than fp->f_cred, which
was redundantly provided via the fp argument. This set of modifications
also permits threads to perform these operations on behalf of another
thread without modifying their credential.
Trickle this change down into fo_stat/poll() implementations:
- badfo_poll(), badfo_stat(): modify/add arguments.
- kqueue_poll(), kqueue_stat(): modify arguments.
- pipe_poll(), pipe_stat(): modify/add arguments, pass active_cred to
MAC checks rather than td->td_ucred.
- soo_poll(), soo_stat(): modify/add arguments, pass fp->f_cred rather
than cred to pru_sopoll() to maintain current semantics.
- sopoll(): moidfy arguments.
- vn_poll(), vn_statfile(): modify/add arguments, pass new arguments
to vn_stat(). Pass active_cred to MAC and fp->f_cred to VOP_POLL()
to maintian current semantics.
- vn_close(): rename cred to file_cred to reflect reality while I'm here.
- vn_stat(): Add active_cred and file_cred arguments to vn_stat()
and consumers so that this distinction is maintained at the VFS
as well as 'struct file' layer. Pass active_cred instead of
td->td_ucred to MAC and to VOP_GETATTR() to maintain current semantics.
- fifofs: modify the creation of a "filetemp" so that the file
credential is properly initialized and can be used in the socket
code if desired. Pass ap->a_td->td_ucred as the active
credential to soo_poll(). If we teach the vnop interface about
the distinction between file and active credentials, we would use
the active credential here.
Note that current inconsistent passing of active_cred vs. file_cred to
VOP's is maintained. It's not clear why GETATTR would be authorized
using active_cred while POLL would be authorized using file_cred at
the file system level.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, NAI Labs
2002-08-16 12:52:03 +00:00
|
|
|
struct ucred *file_cred;
|
2001-09-12 08:38:13 +00:00
|
|
|
struct thread *td;
|
1994-05-24 10:09:53 +00:00
|
|
|
{
|
|
|
|
int error;
|
|
|
|
|
|
|
|
if (flags & FWRITE)
|
|
|
|
vp->v_writecount--;
|
Make similar changes to fo_stat() and fo_poll() as made earlier to
fo_read() and fo_write(): explicitly use the cred argument to fo_poll()
as "active_cred" using the passed file descriptor's f_cred reference
to provide access to the file credential. Add an active_cred
argument to fo_stat() so that implementers have access to the active
credential as well as the file credential. Generally modify callers
of fo_stat() to pass in td->td_ucred rather than fp->f_cred, which
was redundantly provided via the fp argument. This set of modifications
also permits threads to perform these operations on behalf of another
thread without modifying their credential.
Trickle this change down into fo_stat/poll() implementations:
- badfo_poll(), badfo_stat(): modify/add arguments.
- kqueue_poll(), kqueue_stat(): modify arguments.
- pipe_poll(), pipe_stat(): modify/add arguments, pass active_cred to
MAC checks rather than td->td_ucred.
- soo_poll(), soo_stat(): modify/add arguments, pass fp->f_cred rather
than cred to pru_sopoll() to maintain current semantics.
- sopoll(): moidfy arguments.
- vn_poll(), vn_statfile(): modify/add arguments, pass new arguments
to vn_stat(). Pass active_cred to MAC and fp->f_cred to VOP_POLL()
to maintian current semantics.
- vn_close(): rename cred to file_cred to reflect reality while I'm here.
- vn_stat(): Add active_cred and file_cred arguments to vn_stat()
and consumers so that this distinction is maintained at the VFS
as well as 'struct file' layer. Pass active_cred instead of
td->td_ucred to MAC and to VOP_GETATTR() to maintain current semantics.
- fifofs: modify the creation of a "filetemp" so that the file
credential is properly initialized and can be used in the socket
code if desired. Pass ap->a_td->td_ucred as the active
credential to soo_poll(). If we teach the vnop interface about
the distinction between file and active credentials, we would use
the active credential here.
Note that current inconsistent passing of active_cred vs. file_cred to
VOP's is maintained. It's not clear why GETATTR would be authorized
using active_cred while POLL would be authorized using file_cred at
the file system level.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, NAI Labs
2002-08-16 12:52:03 +00:00
|
|
|
error = VOP_CLOSE(vp, flags, file_cred, td);
|
2001-04-25 08:11:18 +00:00
|
|
|
/*
|
|
|
|
* XXX - In certain instances VOP_CLOSE has to do the vrele
|
|
|
|
* itself. If the vrele has been done, it will return EAGAIN
|
|
|
|
* to indicate that the vrele should not be done again. When
|
|
|
|
* this happens, we just return success. The correct thing to
|
|
|
|
* do would be to have all VOP_CLOSE instances do the vrele.
|
|
|
|
*/
|
|
|
|
if (error == EAGAIN)
|
|
|
|
return (0);
|
1996-08-21 21:56:23 +00:00
|
|
|
vrele(vp);
|
1994-05-24 10:09:53 +00:00
|
|
|
return (error);
|
|
|
|
}
|
|
|
|
|
2002-03-05 15:38:49 +00:00
|
|
|
/*
|
|
|
|
* Sequential heuristic - detect sequential operation
|
|
|
|
*/
|
2000-04-02 00:55:28 +00:00
|
|
|
static __inline
|
|
|
|
int
|
|
|
|
sequential_heuristic(struct uio *uio, struct file *fp)
|
|
|
|
{
|
2002-01-13 11:58:06 +00:00
|
|
|
|
2000-04-02 00:55:28 +00:00
|
|
|
if ((uio->uio_offset == 0 && fp->f_seqcount > 0) ||
|
|
|
|
uio->uio_offset == fp->f_nextoff) {
|
|
|
|
/*
|
|
|
|
* XXX we assume that the filesystem block size is
|
|
|
|
* the default. Not true, but still gives us a pretty
|
|
|
|
* good indicator of how sequential the read operations
|
|
|
|
* are.
|
|
|
|
*/
|
|
|
|
fp->f_seqcount += (uio->uio_resid + BKVASIZE - 1) / BKVASIZE;
|
|
|
|
if (fp->f_seqcount >= 127)
|
|
|
|
fp->f_seqcount = 127;
|
|
|
|
return(fp->f_seqcount << 16);
|
|
|
|
}
|
|
|
|
|
|
|
|
/*
|
|
|
|
* Not sequential, quick draw-down of seqcount
|
|
|
|
*/
|
|
|
|
if (fp->f_seqcount > 1)
|
|
|
|
fp->f_seqcount = 1;
|
|
|
|
else
|
|
|
|
fp->f_seqcount = 0;
|
|
|
|
return(0);
|
|
|
|
}
|
|
|
|
|
1994-05-24 10:09:53 +00:00
|
|
|
/*
|
|
|
|
* Package up an I/O request on a vnode into a uio and do it.
|
|
|
|
*/
|
1994-05-25 09:21:21 +00:00
|
|
|
int
|
In order to better support flexible and extensible access control,
make a series of modifications to the credential arguments relating
to file read and write operations to cliarfy which credential is
used for what:
- Change fo_read() and fo_write() to accept "active_cred" instead of
"cred", and change the semantics of consumers of fo_read() and
fo_write() to pass the active credential of the thread requesting
an operation rather than the cached file cred. The cached file
cred is still available in fo_read() and fo_write() consumers
via fp->f_cred. These changes largely in sys_generic.c.
For each implementation of fo_read() and fo_write(), update cred
usage to reflect this change and maintain current semantics:
- badfo_readwrite() unchanged
- kqueue_read/write() unchanged
pipe_read/write() now authorize MAC using active_cred rather
than td->td_ucred
- soo_read/write() unchanged
- vn_read/write() now authorize MAC using active_cred but
VOP_READ/WRITE() with fp->f_cred
Modify vn_rdwr() to accept two credential arguments instead of a
single credential: active_cred and file_cred. Use active_cred
for MAC authorization, and select a credential for use in
VOP_READ/WRITE() based on whether file_cred is NULL or not. If
file_cred is provided, authorize the VOP using that cred,
otherwise the active credential, matching current semantics.
Modify current vn_rdwr() consumers to pass a file_cred if used
in the context of a struct file, and to always pass active_cred.
When vn_rdwr() is used without a file_cred, pass NOCRED.
These changes should maintain current semantics for read/write,
but avoid a redundant passing of fp->f_cred, as well as making
it more clear what the origin of each credential is in file
descriptor read/write operations.
Follow-up commits will make similar changes to other file descriptor
operations, and modify the MAC framework to pass both credentials
to MAC policy modules so they can implement either semantic for
revocation.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, NAI Labs
2002-08-15 20:55:08 +00:00
|
|
|
vn_rdwr(rw, vp, base, len, offset, segflg, ioflg, active_cred, file_cred,
|
|
|
|
aresid, td)
|
1994-05-24 10:09:53 +00:00
|
|
|
enum uio_rw rw;
|
|
|
|
struct vnode *vp;
|
|
|
|
caddr_t base;
|
|
|
|
int len;
|
|
|
|
off_t offset;
|
|
|
|
enum uio_seg segflg;
|
|
|
|
int ioflg;
|
In order to better support flexible and extensible access control,
make a series of modifications to the credential arguments relating
to file read and write operations to cliarfy which credential is
used for what:
- Change fo_read() and fo_write() to accept "active_cred" instead of
"cred", and change the semantics of consumers of fo_read() and
fo_write() to pass the active credential of the thread requesting
an operation rather than the cached file cred. The cached file
cred is still available in fo_read() and fo_write() consumers
via fp->f_cred. These changes largely in sys_generic.c.
For each implementation of fo_read() and fo_write(), update cred
usage to reflect this change and maintain current semantics:
- badfo_readwrite() unchanged
- kqueue_read/write() unchanged
pipe_read/write() now authorize MAC using active_cred rather
than td->td_ucred
- soo_read/write() unchanged
- vn_read/write() now authorize MAC using active_cred but
VOP_READ/WRITE() with fp->f_cred
Modify vn_rdwr() to accept two credential arguments instead of a
single credential: active_cred and file_cred. Use active_cred
for MAC authorization, and select a credential for use in
VOP_READ/WRITE() based on whether file_cred is NULL or not. If
file_cred is provided, authorize the VOP using that cred,
otherwise the active credential, matching current semantics.
Modify current vn_rdwr() consumers to pass a file_cred if used
in the context of a struct file, and to always pass active_cred.
When vn_rdwr() is used without a file_cred, pass NOCRED.
These changes should maintain current semantics for read/write,
but avoid a redundant passing of fp->f_cred, as well as making
it more clear what the origin of each credential is in file
descriptor read/write operations.
Follow-up commits will make similar changes to other file descriptor
operations, and modify the MAC framework to pass both credentials
to MAC policy modules so they can implement either semantic for
revocation.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, NAI Labs
2002-08-15 20:55:08 +00:00
|
|
|
struct ucred *active_cred;
|
|
|
|
struct ucred *file_cred;
|
1994-05-24 10:09:53 +00:00
|
|
|
int *aresid;
|
2001-09-12 08:38:13 +00:00
|
|
|
struct thread *td;
|
1994-05-24 10:09:53 +00:00
|
|
|
{
|
|
|
|
struct uio auio;
|
|
|
|
struct iovec aiov;
|
2000-07-11 22:07:57 +00:00
|
|
|
struct mount *mp;
|
In order to better support flexible and extensible access control,
make a series of modifications to the credential arguments relating
to file read and write operations to cliarfy which credential is
used for what:
- Change fo_read() and fo_write() to accept "active_cred" instead of
"cred", and change the semantics of consumers of fo_read() and
fo_write() to pass the active credential of the thread requesting
an operation rather than the cached file cred. The cached file
cred is still available in fo_read() and fo_write() consumers
via fp->f_cred. These changes largely in sys_generic.c.
For each implementation of fo_read() and fo_write(), update cred
usage to reflect this change and maintain current semantics:
- badfo_readwrite() unchanged
- kqueue_read/write() unchanged
pipe_read/write() now authorize MAC using active_cred rather
than td->td_ucred
- soo_read/write() unchanged
- vn_read/write() now authorize MAC using active_cred but
VOP_READ/WRITE() with fp->f_cred
Modify vn_rdwr() to accept two credential arguments instead of a
single credential: active_cred and file_cred. Use active_cred
for MAC authorization, and select a credential for use in
VOP_READ/WRITE() based on whether file_cred is NULL or not. If
file_cred is provided, authorize the VOP using that cred,
otherwise the active credential, matching current semantics.
Modify current vn_rdwr() consumers to pass a file_cred if used
in the context of a struct file, and to always pass active_cred.
When vn_rdwr() is used without a file_cred, pass NOCRED.
These changes should maintain current semantics for read/write,
but avoid a redundant passing of fp->f_cred, as well as making
it more clear what the origin of each credential is in file
descriptor read/write operations.
Follow-up commits will make similar changes to other file descriptor
operations, and modify the MAC framework to pass both credentials
to MAC policy modules so they can implement either semantic for
revocation.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, NAI Labs
2002-08-15 20:55:08 +00:00
|
|
|
struct ucred *cred;
|
1994-05-24 10:09:53 +00:00
|
|
|
int error;
|
|
|
|
|
2000-07-11 22:07:57 +00:00
|
|
|
if ((ioflg & IO_NODELOCKED) == 0) {
|
|
|
|
mp = NULL;
|
2002-06-28 17:51:11 +00:00
|
|
|
if (rw == UIO_WRITE) {
|
|
|
|
if (vp->v_type != VCHR &&
|
|
|
|
(error = vn_start_write(vp, &mp, V_WAIT | PCATCH))
|
|
|
|
!= 0)
|
|
|
|
return (error);
|
|
|
|
vn_lock(vp, LK_EXCLUSIVE | LK_RETRY, td);
|
|
|
|
} else {
|
2002-08-22 07:26:18 +00:00
|
|
|
/*
|
|
|
|
* XXX This should be LK_SHARED but I don't trust VFS
|
|
|
|
* enough to leave it like that until it has been
|
|
|
|
* reviewed further.
|
|
|
|
*/
|
|
|
|
vn_lock(vp, LK_EXCLUSIVE | LK_RETRY, td);
|
2002-06-28 17:51:11 +00:00
|
|
|
}
|
|
|
|
|
2000-07-11 22:07:57 +00:00
|
|
|
}
|
1994-05-24 10:09:53 +00:00
|
|
|
auio.uio_iov = &aiov;
|
|
|
|
auio.uio_iovcnt = 1;
|
|
|
|
aiov.iov_base = base;
|
|
|
|
aiov.iov_len = len;
|
|
|
|
auio.uio_resid = len;
|
|
|
|
auio.uio_offset = offset;
|
|
|
|
auio.uio_segflg = segflg;
|
|
|
|
auio.uio_rw = rw;
|
2001-09-12 08:38:13 +00:00
|
|
|
auio.uio_td = td;
|
2002-08-12 16:15:34 +00:00
|
|
|
error = 0;
|
|
|
|
#ifdef MAC
|
|
|
|
if ((ioflg & IO_NOMACCHECK) == 0) {
|
|
|
|
if (rw == UIO_READ)
|
2002-08-19 19:04:53 +00:00
|
|
|
error = mac_check_vnode_read(active_cred, file_cred,
|
|
|
|
vp);
|
2002-08-12 16:15:34 +00:00
|
|
|
else
|
2002-08-19 19:04:53 +00:00
|
|
|
error = mac_check_vnode_write(active_cred, file_cred,
|
|
|
|
vp);
|
2002-08-12 16:15:34 +00:00
|
|
|
}
|
|
|
|
#endif
|
|
|
|
if (error == 0) {
|
In order to better support flexible and extensible access control,
make a series of modifications to the credential arguments relating
to file read and write operations to cliarfy which credential is
used for what:
- Change fo_read() and fo_write() to accept "active_cred" instead of
"cred", and change the semantics of consumers of fo_read() and
fo_write() to pass the active credential of the thread requesting
an operation rather than the cached file cred. The cached file
cred is still available in fo_read() and fo_write() consumers
via fp->f_cred. These changes largely in sys_generic.c.
For each implementation of fo_read() and fo_write(), update cred
usage to reflect this change and maintain current semantics:
- badfo_readwrite() unchanged
- kqueue_read/write() unchanged
pipe_read/write() now authorize MAC using active_cred rather
than td->td_ucred
- soo_read/write() unchanged
- vn_read/write() now authorize MAC using active_cred but
VOP_READ/WRITE() with fp->f_cred
Modify vn_rdwr() to accept two credential arguments instead of a
single credential: active_cred and file_cred. Use active_cred
for MAC authorization, and select a credential for use in
VOP_READ/WRITE() based on whether file_cred is NULL or not. If
file_cred is provided, authorize the VOP using that cred,
otherwise the active credential, matching current semantics.
Modify current vn_rdwr() consumers to pass a file_cred if used
in the context of a struct file, and to always pass active_cred.
When vn_rdwr() is used without a file_cred, pass NOCRED.
These changes should maintain current semantics for read/write,
but avoid a redundant passing of fp->f_cred, as well as making
it more clear what the origin of each credential is in file
descriptor read/write operations.
Follow-up commits will make similar changes to other file descriptor
operations, and modify the MAC framework to pass both credentials
to MAC policy modules so they can implement either semantic for
revocation.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, NAI Labs
2002-08-15 20:55:08 +00:00
|
|
|
if (file_cred)
|
|
|
|
cred = file_cred;
|
|
|
|
else
|
|
|
|
cred = active_cred;
|
2002-08-12 16:15:34 +00:00
|
|
|
if (rw == UIO_READ)
|
|
|
|
error = VOP_READ(vp, &auio, ioflg, cred);
|
|
|
|
else
|
|
|
|
error = VOP_WRITE(vp, &auio, ioflg, cred);
|
|
|
|
}
|
1994-05-24 10:09:53 +00:00
|
|
|
if (aresid)
|
|
|
|
*aresid = auio.uio_resid;
|
|
|
|
else
|
|
|
|
if (auio.uio_resid && error == 0)
|
|
|
|
error = EIO;
|
2000-07-11 22:07:57 +00:00
|
|
|
if ((ioflg & IO_NODELOCKED) == 0) {
|
2002-06-28 17:51:11 +00:00
|
|
|
if (rw == UIO_WRITE)
|
|
|
|
vn_finished_write(mp);
|
2001-09-12 08:38:13 +00:00
|
|
|
VOP_UNLOCK(vp, 0, td);
|
2000-07-11 22:07:57 +00:00
|
|
|
}
|
1994-05-24 10:09:53 +00:00
|
|
|
return (error);
|
|
|
|
}
|
|
|
|
|
2001-09-08 20:02:33 +00:00
|
|
|
/*
|
|
|
|
* Package up an I/O request on a vnode into a uio and do it. The I/O
|
|
|
|
* request is split up into smaller chunks and we try to avoid saturating
|
|
|
|
* the buffer cache while potentially holding a vnode locked, so we
|
2001-09-26 06:54:32 +00:00
|
|
|
* check bwillwrite() before calling vn_rdwr(). We also call uio_yield()
|
|
|
|
* to give other processes a chance to lock the vnode (either other processes
|
|
|
|
* core'ing the same binary, or unrelated processes scanning the directory).
|
2001-09-08 20:02:33 +00:00
|
|
|
*/
|
|
|
|
int
|
In order to better support flexible and extensible access control,
make a series of modifications to the credential arguments relating
to file read and write operations to cliarfy which credential is
used for what:
- Change fo_read() and fo_write() to accept "active_cred" instead of
"cred", and change the semantics of consumers of fo_read() and
fo_write() to pass the active credential of the thread requesting
an operation rather than the cached file cred. The cached file
cred is still available in fo_read() and fo_write() consumers
via fp->f_cred. These changes largely in sys_generic.c.
For each implementation of fo_read() and fo_write(), update cred
usage to reflect this change and maintain current semantics:
- badfo_readwrite() unchanged
- kqueue_read/write() unchanged
pipe_read/write() now authorize MAC using active_cred rather
than td->td_ucred
- soo_read/write() unchanged
- vn_read/write() now authorize MAC using active_cred but
VOP_READ/WRITE() with fp->f_cred
Modify vn_rdwr() to accept two credential arguments instead of a
single credential: active_cred and file_cred. Use active_cred
for MAC authorization, and select a credential for use in
VOP_READ/WRITE() based on whether file_cred is NULL or not. If
file_cred is provided, authorize the VOP using that cred,
otherwise the active credential, matching current semantics.
Modify current vn_rdwr() consumers to pass a file_cred if used
in the context of a struct file, and to always pass active_cred.
When vn_rdwr() is used without a file_cred, pass NOCRED.
These changes should maintain current semantics for read/write,
but avoid a redundant passing of fp->f_cred, as well as making
it more clear what the origin of each credential is in file
descriptor read/write operations.
Follow-up commits will make similar changes to other file descriptor
operations, and modify the MAC framework to pass both credentials
to MAC policy modules so they can implement either semantic for
revocation.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, NAI Labs
2002-08-15 20:55:08 +00:00
|
|
|
vn_rdwr_inchunks(rw, vp, base, len, offset, segflg, ioflg, active_cred,
|
|
|
|
file_cred, aresid, td)
|
2001-09-08 20:02:33 +00:00
|
|
|
enum uio_rw rw;
|
|
|
|
struct vnode *vp;
|
|
|
|
caddr_t base;
|
|
|
|
int len;
|
|
|
|
off_t offset;
|
|
|
|
enum uio_seg segflg;
|
|
|
|
int ioflg;
|
In order to better support flexible and extensible access control,
make a series of modifications to the credential arguments relating
to file read and write operations to cliarfy which credential is
used for what:
- Change fo_read() and fo_write() to accept "active_cred" instead of
"cred", and change the semantics of consumers of fo_read() and
fo_write() to pass the active credential of the thread requesting
an operation rather than the cached file cred. The cached file
cred is still available in fo_read() and fo_write() consumers
via fp->f_cred. These changes largely in sys_generic.c.
For each implementation of fo_read() and fo_write(), update cred
usage to reflect this change and maintain current semantics:
- badfo_readwrite() unchanged
- kqueue_read/write() unchanged
pipe_read/write() now authorize MAC using active_cred rather
than td->td_ucred
- soo_read/write() unchanged
- vn_read/write() now authorize MAC using active_cred but
VOP_READ/WRITE() with fp->f_cred
Modify vn_rdwr() to accept two credential arguments instead of a
single credential: active_cred and file_cred. Use active_cred
for MAC authorization, and select a credential for use in
VOP_READ/WRITE() based on whether file_cred is NULL or not. If
file_cred is provided, authorize the VOP using that cred,
otherwise the active credential, matching current semantics.
Modify current vn_rdwr() consumers to pass a file_cred if used
in the context of a struct file, and to always pass active_cred.
When vn_rdwr() is used without a file_cred, pass NOCRED.
These changes should maintain current semantics for read/write,
but avoid a redundant passing of fp->f_cred, as well as making
it more clear what the origin of each credential is in file
descriptor read/write operations.
Follow-up commits will make similar changes to other file descriptor
operations, and modify the MAC framework to pass both credentials
to MAC policy modules so they can implement either semantic for
revocation.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, NAI Labs
2002-08-15 20:55:08 +00:00
|
|
|
struct ucred *active_cred;
|
|
|
|
struct ucred *file_cred;
|
2001-09-08 20:02:33 +00:00
|
|
|
int *aresid;
|
2001-09-12 08:38:13 +00:00
|
|
|
struct thread *td;
|
2001-09-08 20:02:33 +00:00
|
|
|
{
|
|
|
|
int error = 0;
|
|
|
|
|
|
|
|
do {
|
|
|
|
int chunk = (len > MAXBSIZE) ? MAXBSIZE : len;
|
|
|
|
|
|
|
|
if (rw != UIO_READ && vp->v_type == VREG)
|
|
|
|
bwillwrite();
|
|
|
|
error = vn_rdwr(rw, vp, base, chunk, offset, segflg,
|
In order to better support flexible and extensible access control,
make a series of modifications to the credential arguments relating
to file read and write operations to cliarfy which credential is
used for what:
- Change fo_read() and fo_write() to accept "active_cred" instead of
"cred", and change the semantics of consumers of fo_read() and
fo_write() to pass the active credential of the thread requesting
an operation rather than the cached file cred. The cached file
cred is still available in fo_read() and fo_write() consumers
via fp->f_cred. These changes largely in sys_generic.c.
For each implementation of fo_read() and fo_write(), update cred
usage to reflect this change and maintain current semantics:
- badfo_readwrite() unchanged
- kqueue_read/write() unchanged
pipe_read/write() now authorize MAC using active_cred rather
than td->td_ucred
- soo_read/write() unchanged
- vn_read/write() now authorize MAC using active_cred but
VOP_READ/WRITE() with fp->f_cred
Modify vn_rdwr() to accept two credential arguments instead of a
single credential: active_cred and file_cred. Use active_cred
for MAC authorization, and select a credential for use in
VOP_READ/WRITE() based on whether file_cred is NULL or not. If
file_cred is provided, authorize the VOP using that cred,
otherwise the active credential, matching current semantics.
Modify current vn_rdwr() consumers to pass a file_cred if used
in the context of a struct file, and to always pass active_cred.
When vn_rdwr() is used without a file_cred, pass NOCRED.
These changes should maintain current semantics for read/write,
but avoid a redundant passing of fp->f_cred, as well as making
it more clear what the origin of each credential is in file
descriptor read/write operations.
Follow-up commits will make similar changes to other file descriptor
operations, and modify the MAC framework to pass both credentials
to MAC policy modules so they can implement either semantic for
revocation.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, NAI Labs
2002-08-15 20:55:08 +00:00
|
|
|
ioflg, active_cred, file_cred, aresid, td);
|
2001-09-08 20:02:33 +00:00
|
|
|
len -= chunk; /* aresid calc already includes length */
|
|
|
|
if (error)
|
|
|
|
break;
|
|
|
|
offset += chunk;
|
|
|
|
base += chunk;
|
2001-09-26 06:54:32 +00:00
|
|
|
uio_yield();
|
2001-09-08 20:02:33 +00:00
|
|
|
} while (len);
|
|
|
|
if (aresid)
|
|
|
|
*aresid += len;
|
|
|
|
return (error);
|
|
|
|
}
|
|
|
|
|
1994-05-24 10:09:53 +00:00
|
|
|
/*
|
|
|
|
* File table vnode read routine.
|
|
|
|
*/
|
1995-12-17 21:23:44 +00:00
|
|
|
static int
|
In order to better support flexible and extensible access control,
make a series of modifications to the credential arguments relating
to file read and write operations to cliarfy which credential is
used for what:
- Change fo_read() and fo_write() to accept "active_cred" instead of
"cred", and change the semantics of consumers of fo_read() and
fo_write() to pass the active credential of the thread requesting
an operation rather than the cached file cred. The cached file
cred is still available in fo_read() and fo_write() consumers
via fp->f_cred. These changes largely in sys_generic.c.
For each implementation of fo_read() and fo_write(), update cred
usage to reflect this change and maintain current semantics:
- badfo_readwrite() unchanged
- kqueue_read/write() unchanged
pipe_read/write() now authorize MAC using active_cred rather
than td->td_ucred
- soo_read/write() unchanged
- vn_read/write() now authorize MAC using active_cred but
VOP_READ/WRITE() with fp->f_cred
Modify vn_rdwr() to accept two credential arguments instead of a
single credential: active_cred and file_cred. Use active_cred
for MAC authorization, and select a credential for use in
VOP_READ/WRITE() based on whether file_cred is NULL or not. If
file_cred is provided, authorize the VOP using that cred,
otherwise the active credential, matching current semantics.
Modify current vn_rdwr() consumers to pass a file_cred if used
in the context of a struct file, and to always pass active_cred.
When vn_rdwr() is used without a file_cred, pass NOCRED.
These changes should maintain current semantics for read/write,
but avoid a redundant passing of fp->f_cred, as well as making
it more clear what the origin of each credential is in file
descriptor read/write operations.
Follow-up commits will make similar changes to other file descriptor
operations, and modify the MAC framework to pass both credentials
to MAC policy modules so they can implement either semantic for
revocation.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, NAI Labs
2002-08-15 20:55:08 +00:00
|
|
|
vn_read(fp, uio, active_cred, flags, td)
|
1994-05-24 10:09:53 +00:00
|
|
|
struct file *fp;
|
|
|
|
struct uio *uio;
|
In order to better support flexible and extensible access control,
make a series of modifications to the credential arguments relating
to file read and write operations to cliarfy which credential is
used for what:
- Change fo_read() and fo_write() to accept "active_cred" instead of
"cred", and change the semantics of consumers of fo_read() and
fo_write() to pass the active credential of the thread requesting
an operation rather than the cached file cred. The cached file
cred is still available in fo_read() and fo_write() consumers
via fp->f_cred. These changes largely in sys_generic.c.
For each implementation of fo_read() and fo_write(), update cred
usage to reflect this change and maintain current semantics:
- badfo_readwrite() unchanged
- kqueue_read/write() unchanged
pipe_read/write() now authorize MAC using active_cred rather
than td->td_ucred
- soo_read/write() unchanged
- vn_read/write() now authorize MAC using active_cred but
VOP_READ/WRITE() with fp->f_cred
Modify vn_rdwr() to accept two credential arguments instead of a
single credential: active_cred and file_cred. Use active_cred
for MAC authorization, and select a credential for use in
VOP_READ/WRITE() based on whether file_cred is NULL or not. If
file_cred is provided, authorize the VOP using that cred,
otherwise the active credential, matching current semantics.
Modify current vn_rdwr() consumers to pass a file_cred if used
in the context of a struct file, and to always pass active_cred.
When vn_rdwr() is used without a file_cred, pass NOCRED.
These changes should maintain current semantics for read/write,
but avoid a redundant passing of fp->f_cred, as well as making
it more clear what the origin of each credential is in file
descriptor read/write operations.
Follow-up commits will make similar changes to other file descriptor
operations, and modify the MAC framework to pass both credentials
to MAC policy modules so they can implement either semantic for
revocation.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, NAI Labs
2002-08-15 20:55:08 +00:00
|
|
|
struct ucred *active_cred;
|
2001-09-12 08:38:13 +00:00
|
|
|
struct thread *td;
|
1999-04-04 21:41:28 +00:00
|
|
|
int flags;
|
1994-05-24 10:09:53 +00:00
|
|
|
{
|
This is what was "fdfix2.patch," a fix for fd sharing. It's pretty
far-reaching in fd-land, so you'll want to consult the code for
changes. The biggest change is that now, you don't use
fp->f_ops->fo_foo(fp, bar)
but instead
fo_foo(fp, bar),
which increments and decrements the fp refcount upon entry and exit.
Two new calls, fhold() and fdrop(), are provided. Each does what it
seems like it should, and if fdrop() brings the refcount to zero, the
fd is freed as well.
Thanks to peter ("to hell with it, it looks ok to me.") for his review.
Thanks to msmith for keeping me from putting locks everywhere :)
Reviewed by: peter
1999-09-19 17:00:25 +00:00
|
|
|
struct vnode *vp;
|
1999-04-21 05:56:45 +00:00
|
|
|
int error, ioflag;
|
1994-05-24 10:09:53 +00:00
|
|
|
|
2002-03-15 08:03:46 +00:00
|
|
|
mtx_lock(&Giant);
|
2001-09-12 08:38:13 +00:00
|
|
|
KASSERT(uio->uio_td == td, ("uio_td %p is not td %p",
|
|
|
|
uio->uio_td, td));
|
This is what was "fdfix2.patch," a fix for fd sharing. It's pretty
far-reaching in fd-land, so you'll want to consult the code for
changes. The biggest change is that now, you don't use
fp->f_ops->fo_foo(fp, bar)
but instead
fo_foo(fp, bar),
which increments and decrements the fp refcount upon entry and exit.
Two new calls, fhold() and fdrop(), are provided. Each does what it
seems like it should, and if fdrop() brings the refcount to zero, the
fd is freed as well.
Thanks to peter ("to hell with it, it looks ok to me.") for his review.
Thanks to msmith for keeping me from putting locks everywhere :)
Reviewed by: peter
1999-09-19 17:00:25 +00:00
|
|
|
vp = (struct vnode *)fp->f_data;
|
1999-04-21 05:56:45 +00:00
|
|
|
ioflag = 0;
|
|
|
|
if (fp->f_flag & FNONBLOCK)
|
|
|
|
ioflag |= IO_NDELAY;
|
2001-05-24 07:22:27 +00:00
|
|
|
if (fp->f_flag & O_DIRECT)
|
|
|
|
ioflag |= IO_DIRECT;
|
In order to better support flexible and extensible access control,
make a series of modifications to the credential arguments relating
to file read and write operations to cliarfy which credential is
used for what:
- Change fo_read() and fo_write() to accept "active_cred" instead of
"cred", and change the semantics of consumers of fo_read() and
fo_write() to pass the active credential of the thread requesting
an operation rather than the cached file cred. The cached file
cred is still available in fo_read() and fo_write() consumers
via fp->f_cred. These changes largely in sys_generic.c.
For each implementation of fo_read() and fo_write(), update cred
usage to reflect this change and maintain current semantics:
- badfo_readwrite() unchanged
- kqueue_read/write() unchanged
pipe_read/write() now authorize MAC using active_cred rather
than td->td_ucred
- soo_read/write() unchanged
- vn_read/write() now authorize MAC using active_cred but
VOP_READ/WRITE() with fp->f_cred
Modify vn_rdwr() to accept two credential arguments instead of a
single credential: active_cred and file_cred. Use active_cred
for MAC authorization, and select a credential for use in
VOP_READ/WRITE() based on whether file_cred is NULL or not. If
file_cred is provided, authorize the VOP using that cred,
otherwise the active credential, matching current semantics.
Modify current vn_rdwr() consumers to pass a file_cred if used
in the context of a struct file, and to always pass active_cred.
When vn_rdwr() is used without a file_cred, pass NOCRED.
These changes should maintain current semantics for read/write,
but avoid a redundant passing of fp->f_cred, as well as making
it more clear what the origin of each credential is in file
descriptor read/write operations.
Follow-up commits will make similar changes to other file descriptor
operations, and modify the MAC framework to pass both credentials
to MAC policy modules so they can implement either semantic for
revocation.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, NAI Labs
2002-08-15 20:55:08 +00:00
|
|
|
VOP_LEASE(vp, td, fp->f_cred, LEASE_READ);
|
2002-08-22 07:26:18 +00:00
|
|
|
/*
|
|
|
|
* According to McKusick the vn lock is protecting f_offset here.
|
|
|
|
* Once this field has it's own lock we can acquire this shared.
|
|
|
|
*/
|
|
|
|
vn_lock(vp, LK_EXCLUSIVE | LK_NOPAUSE | LK_RETRY, td);
|
1999-04-21 05:56:45 +00:00
|
|
|
if ((flags & FOF_OFFSET) == 0)
|
|
|
|
uio->uio_offset = fp->f_offset;
|
1999-03-26 20:25:21 +00:00
|
|
|
|
2000-04-02 00:55:28 +00:00
|
|
|
ioflag |= sequential_heuristic(uio, fp);
|
|
|
|
|
2002-08-01 17:23:22 +00:00
|
|
|
#ifdef MAC
|
2002-08-19 19:04:53 +00:00
|
|
|
error = mac_check_vnode_read(active_cred, fp->f_cred, vp);
|
2002-08-01 17:23:22 +00:00
|
|
|
if (error == 0)
|
|
|
|
#endif
|
In order to better support flexible and extensible access control,
make a series of modifications to the credential arguments relating
to file read and write operations to cliarfy which credential is
used for what:
- Change fo_read() and fo_write() to accept "active_cred" instead of
"cred", and change the semantics of consumers of fo_read() and
fo_write() to pass the active credential of the thread requesting
an operation rather than the cached file cred. The cached file
cred is still available in fo_read() and fo_write() consumers
via fp->f_cred. These changes largely in sys_generic.c.
For each implementation of fo_read() and fo_write(), update cred
usage to reflect this change and maintain current semantics:
- badfo_readwrite() unchanged
- kqueue_read/write() unchanged
pipe_read/write() now authorize MAC using active_cred rather
than td->td_ucred
- soo_read/write() unchanged
- vn_read/write() now authorize MAC using active_cred but
VOP_READ/WRITE() with fp->f_cred
Modify vn_rdwr() to accept two credential arguments instead of a
single credential: active_cred and file_cred. Use active_cred
for MAC authorization, and select a credential for use in
VOP_READ/WRITE() based on whether file_cred is NULL or not. If
file_cred is provided, authorize the VOP using that cred,
otherwise the active credential, matching current semantics.
Modify current vn_rdwr() consumers to pass a file_cred if used
in the context of a struct file, and to always pass active_cred.
When vn_rdwr() is used without a file_cred, pass NOCRED.
These changes should maintain current semantics for read/write,
but avoid a redundant passing of fp->f_cred, as well as making
it more clear what the origin of each credential is in file
descriptor read/write operations.
Follow-up commits will make similar changes to other file descriptor
operations, and modify the MAC framework to pass both credentials
to MAC policy modules so they can implement either semantic for
revocation.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, NAI Labs
2002-08-15 20:55:08 +00:00
|
|
|
error = VOP_READ(vp, uio, ioflag, fp->f_cred);
|
1999-04-21 05:56:45 +00:00
|
|
|
if ((flags & FOF_OFFSET) == 0)
|
|
|
|
fp->f_offset = uio->uio_offset;
|
2000-04-02 00:55:28 +00:00
|
|
|
fp->f_nextoff = uio->uio_offset;
|
2001-09-12 08:38:13 +00:00
|
|
|
VOP_UNLOCK(vp, 0, td);
|
2002-03-15 08:03:46 +00:00
|
|
|
mtx_unlock(&Giant);
|
1994-05-24 10:09:53 +00:00
|
|
|
return (error);
|
|
|
|
}
|
|
|
|
|
|
|
|
/*
|
|
|
|
* File table vnode write routine.
|
|
|
|
*/
|
1995-12-17 21:23:44 +00:00
|
|
|
static int
|
In order to better support flexible and extensible access control,
make a series of modifications to the credential arguments relating
to file read and write operations to cliarfy which credential is
used for what:
- Change fo_read() and fo_write() to accept "active_cred" instead of
"cred", and change the semantics of consumers of fo_read() and
fo_write() to pass the active credential of the thread requesting
an operation rather than the cached file cred. The cached file
cred is still available in fo_read() and fo_write() consumers
via fp->f_cred. These changes largely in sys_generic.c.
For each implementation of fo_read() and fo_write(), update cred
usage to reflect this change and maintain current semantics:
- badfo_readwrite() unchanged
- kqueue_read/write() unchanged
pipe_read/write() now authorize MAC using active_cred rather
than td->td_ucred
- soo_read/write() unchanged
- vn_read/write() now authorize MAC using active_cred but
VOP_READ/WRITE() with fp->f_cred
Modify vn_rdwr() to accept two credential arguments instead of a
single credential: active_cred and file_cred. Use active_cred
for MAC authorization, and select a credential for use in
VOP_READ/WRITE() based on whether file_cred is NULL or not. If
file_cred is provided, authorize the VOP using that cred,
otherwise the active credential, matching current semantics.
Modify current vn_rdwr() consumers to pass a file_cred if used
in the context of a struct file, and to always pass active_cred.
When vn_rdwr() is used without a file_cred, pass NOCRED.
These changes should maintain current semantics for read/write,
but avoid a redundant passing of fp->f_cred, as well as making
it more clear what the origin of each credential is in file
descriptor read/write operations.
Follow-up commits will make similar changes to other file descriptor
operations, and modify the MAC framework to pass both credentials
to MAC policy modules so they can implement either semantic for
revocation.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, NAI Labs
2002-08-15 20:55:08 +00:00
|
|
|
vn_write(fp, uio, active_cred, flags, td)
|
1994-05-24 10:09:53 +00:00
|
|
|
struct file *fp;
|
|
|
|
struct uio *uio;
|
In order to better support flexible and extensible access control,
make a series of modifications to the credential arguments relating
to file read and write operations to cliarfy which credential is
used for what:
- Change fo_read() and fo_write() to accept "active_cred" instead of
"cred", and change the semantics of consumers of fo_read() and
fo_write() to pass the active credential of the thread requesting
an operation rather than the cached file cred. The cached file
cred is still available in fo_read() and fo_write() consumers
via fp->f_cred. These changes largely in sys_generic.c.
For each implementation of fo_read() and fo_write(), update cred
usage to reflect this change and maintain current semantics:
- badfo_readwrite() unchanged
- kqueue_read/write() unchanged
pipe_read/write() now authorize MAC using active_cred rather
than td->td_ucred
- soo_read/write() unchanged
- vn_read/write() now authorize MAC using active_cred but
VOP_READ/WRITE() with fp->f_cred
Modify vn_rdwr() to accept two credential arguments instead of a
single credential: active_cred and file_cred. Use active_cred
for MAC authorization, and select a credential for use in
VOP_READ/WRITE() based on whether file_cred is NULL or not. If
file_cred is provided, authorize the VOP using that cred,
otherwise the active credential, matching current semantics.
Modify current vn_rdwr() consumers to pass a file_cred if used
in the context of a struct file, and to always pass active_cred.
When vn_rdwr() is used without a file_cred, pass NOCRED.
These changes should maintain current semantics for read/write,
but avoid a redundant passing of fp->f_cred, as well as making
it more clear what the origin of each credential is in file
descriptor read/write operations.
Follow-up commits will make similar changes to other file descriptor
operations, and modify the MAC framework to pass both credentials
to MAC policy modules so they can implement either semantic for
revocation.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, NAI Labs
2002-08-15 20:55:08 +00:00
|
|
|
struct ucred *active_cred;
|
2001-09-12 08:38:13 +00:00
|
|
|
struct thread *td;
|
1999-04-04 21:41:28 +00:00
|
|
|
int flags;
|
1994-05-24 10:09:53 +00:00
|
|
|
{
|
1999-07-08 06:06:00 +00:00
|
|
|
struct vnode *vp;
|
2000-07-11 22:07:57 +00:00
|
|
|
struct mount *mp;
|
1999-04-21 05:56:45 +00:00
|
|
|
int error, ioflag;
|
1994-05-24 10:09:53 +00:00
|
|
|
|
2002-03-15 08:03:46 +00:00
|
|
|
mtx_lock(&Giant);
|
2001-09-12 08:38:13 +00:00
|
|
|
KASSERT(uio->uio_td == td, ("uio_td %p is not td %p",
|
|
|
|
uio->uio_td, td));
|
1999-07-08 06:06:00 +00:00
|
|
|
vp = (struct vnode *)fp->f_data;
|
|
|
|
if (vp->v_type == VREG)
|
|
|
|
bwillwrite();
|
1999-04-21 05:56:45 +00:00
|
|
|
ioflag = IO_UNIT;
|
|
|
|
if (vp->v_type == VREG && (fp->f_flag & O_APPEND))
|
1994-05-24 10:09:53 +00:00
|
|
|
ioflag |= IO_APPEND;
|
|
|
|
if (fp->f_flag & FNONBLOCK)
|
|
|
|
ioflag |= IO_NDELAY;
|
2001-05-24 07:22:27 +00:00
|
|
|
if (fp->f_flag & O_DIRECT)
|
|
|
|
ioflag |= IO_DIRECT;
|
1997-02-10 02:22:35 +00:00
|
|
|
if ((fp->f_flag & O_FSYNC) ||
|
|
|
|
(vp->v_mount && (vp->v_mount->mnt_flag & MNT_SYNCHRONOUS)))
|
|
|
|
ioflag |= IO_SYNC;
|
2000-07-11 22:07:57 +00:00
|
|
|
mp = NULL;
|
2000-11-02 21:14:13 +00:00
|
|
|
if (vp->v_type != VCHR &&
|
2002-03-15 08:03:46 +00:00
|
|
|
(error = vn_start_write(vp, &mp, V_WAIT | PCATCH)) != 0) {
|
|
|
|
mtx_unlock(&Giant);
|
2000-07-11 22:07:57 +00:00
|
|
|
return (error);
|
2002-03-15 08:03:46 +00:00
|
|
|
}
|
In order to better support flexible and extensible access control,
make a series of modifications to the credential arguments relating
to file read and write operations to cliarfy which credential is
used for what:
- Change fo_read() and fo_write() to accept "active_cred" instead of
"cred", and change the semantics of consumers of fo_read() and
fo_write() to pass the active credential of the thread requesting
an operation rather than the cached file cred. The cached file
cred is still available in fo_read() and fo_write() consumers
via fp->f_cred. These changes largely in sys_generic.c.
For each implementation of fo_read() and fo_write(), update cred
usage to reflect this change and maintain current semantics:
- badfo_readwrite() unchanged
- kqueue_read/write() unchanged
pipe_read/write() now authorize MAC using active_cred rather
than td->td_ucred
- soo_read/write() unchanged
- vn_read/write() now authorize MAC using active_cred but
VOP_READ/WRITE() with fp->f_cred
Modify vn_rdwr() to accept two credential arguments instead of a
single credential: active_cred and file_cred. Use active_cred
for MAC authorization, and select a credential for use in
VOP_READ/WRITE() based on whether file_cred is NULL or not. If
file_cred is provided, authorize the VOP using that cred,
otherwise the active credential, matching current semantics.
Modify current vn_rdwr() consumers to pass a file_cred if used
in the context of a struct file, and to always pass active_cred.
When vn_rdwr() is used without a file_cred, pass NOCRED.
These changes should maintain current semantics for read/write,
but avoid a redundant passing of fp->f_cred, as well as making
it more clear what the origin of each credential is in file
descriptor read/write operations.
Follow-up commits will make similar changes to other file descriptor
operations, and modify the MAC framework to pass both credentials
to MAC policy modules so they can implement either semantic for
revocation.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, NAI Labs
2002-08-15 20:55:08 +00:00
|
|
|
VOP_LEASE(vp, td, fp->f_cred, LEASE_WRITE);
|
2001-09-12 08:38:13 +00:00
|
|
|
vn_lock(vp, LK_EXCLUSIVE | LK_RETRY, td);
|
1999-04-21 05:56:45 +00:00
|
|
|
if ((flags & FOF_OFFSET) == 0)
|
|
|
|
uio->uio_offset = fp->f_offset;
|
2000-04-02 00:55:28 +00:00
|
|
|
ioflag |= sequential_heuristic(uio, fp);
|
2002-08-01 17:23:22 +00:00
|
|
|
#ifdef MAC
|
2002-08-19 19:04:53 +00:00
|
|
|
error = mac_check_vnode_write(active_cred, fp->f_cred, vp);
|
2002-08-01 17:23:22 +00:00
|
|
|
if (error == 0)
|
|
|
|
#endif
|
In order to better support flexible and extensible access control,
make a series of modifications to the credential arguments relating
to file read and write operations to cliarfy which credential is
used for what:
- Change fo_read() and fo_write() to accept "active_cred" instead of
"cred", and change the semantics of consumers of fo_read() and
fo_write() to pass the active credential of the thread requesting
an operation rather than the cached file cred. The cached file
cred is still available in fo_read() and fo_write() consumers
via fp->f_cred. These changes largely in sys_generic.c.
For each implementation of fo_read() and fo_write(), update cred
usage to reflect this change and maintain current semantics:
- badfo_readwrite() unchanged
- kqueue_read/write() unchanged
pipe_read/write() now authorize MAC using active_cred rather
than td->td_ucred
- soo_read/write() unchanged
- vn_read/write() now authorize MAC using active_cred but
VOP_READ/WRITE() with fp->f_cred
Modify vn_rdwr() to accept two credential arguments instead of a
single credential: active_cred and file_cred. Use active_cred
for MAC authorization, and select a credential for use in
VOP_READ/WRITE() based on whether file_cred is NULL or not. If
file_cred is provided, authorize the VOP using that cred,
otherwise the active credential, matching current semantics.
Modify current vn_rdwr() consumers to pass a file_cred if used
in the context of a struct file, and to always pass active_cred.
When vn_rdwr() is used without a file_cred, pass NOCRED.
These changes should maintain current semantics for read/write,
but avoid a redundant passing of fp->f_cred, as well as making
it more clear what the origin of each credential is in file
descriptor read/write operations.
Follow-up commits will make similar changes to other file descriptor
operations, and modify the MAC framework to pass both credentials
to MAC policy modules so they can implement either semantic for
revocation.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, NAI Labs
2002-08-15 20:55:08 +00:00
|
|
|
error = VOP_WRITE(vp, uio, ioflag, fp->f_cred);
|
1999-04-21 05:56:45 +00:00
|
|
|
if ((flags & FOF_OFFSET) == 0)
|
1994-05-24 10:09:53 +00:00
|
|
|
fp->f_offset = uio->uio_offset;
|
2000-04-02 00:55:28 +00:00
|
|
|
fp->f_nextoff = uio->uio_offset;
|
2001-09-12 08:38:13 +00:00
|
|
|
VOP_UNLOCK(vp, 0, td);
|
2000-07-11 22:07:57 +00:00
|
|
|
vn_finished_write(mp);
|
2002-03-15 08:03:46 +00:00
|
|
|
mtx_unlock(&Giant);
|
1994-05-24 10:09:53 +00:00
|
|
|
return (error);
|
|
|
|
}
|
|
|
|
|
|
|
|
/*
|
|
|
|
* File table vnode stat routine.
|
|
|
|
*/
|
1999-11-08 03:32:15 +00:00
|
|
|
static int
|
Make similar changes to fo_stat() and fo_poll() as made earlier to
fo_read() and fo_write(): explicitly use the cred argument to fo_poll()
as "active_cred" using the passed file descriptor's f_cred reference
to provide access to the file credential. Add an active_cred
argument to fo_stat() so that implementers have access to the active
credential as well as the file credential. Generally modify callers
of fo_stat() to pass in td->td_ucred rather than fp->f_cred, which
was redundantly provided via the fp argument. This set of modifications
also permits threads to perform these operations on behalf of another
thread without modifying their credential.
Trickle this change down into fo_stat/poll() implementations:
- badfo_poll(), badfo_stat(): modify/add arguments.
- kqueue_poll(), kqueue_stat(): modify arguments.
- pipe_poll(), pipe_stat(): modify/add arguments, pass active_cred to
MAC checks rather than td->td_ucred.
- soo_poll(), soo_stat(): modify/add arguments, pass fp->f_cred rather
than cred to pru_sopoll() to maintain current semantics.
- sopoll(): moidfy arguments.
- vn_poll(), vn_statfile(): modify/add arguments, pass new arguments
to vn_stat(). Pass active_cred to MAC and fp->f_cred to VOP_POLL()
to maintian current semantics.
- vn_close(): rename cred to file_cred to reflect reality while I'm here.
- vn_stat(): Add active_cred and file_cred arguments to vn_stat()
and consumers so that this distinction is maintained at the VFS
as well as 'struct file' layer. Pass active_cred instead of
td->td_ucred to MAC and to VOP_GETATTR() to maintain current semantics.
- fifofs: modify the creation of a "filetemp" so that the file
credential is properly initialized and can be used in the socket
code if desired. Pass ap->a_td->td_ucred as the active
credential to soo_poll(). If we teach the vnop interface about
the distinction between file and active credentials, we would use
the active credential here.
Note that current inconsistent passing of active_cred vs. file_cred to
VOP's is maintained. It's not clear why GETATTR would be authorized
using active_cred while POLL would be authorized using file_cred at
the file system level.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, NAI Labs
2002-08-16 12:52:03 +00:00
|
|
|
vn_statfile(fp, sb, active_cred, td)
|
1999-11-08 03:32:15 +00:00
|
|
|
struct file *fp;
|
|
|
|
struct stat *sb;
|
Make similar changes to fo_stat() and fo_poll() as made earlier to
fo_read() and fo_write(): explicitly use the cred argument to fo_poll()
as "active_cred" using the passed file descriptor's f_cred reference
to provide access to the file credential. Add an active_cred
argument to fo_stat() so that implementers have access to the active
credential as well as the file credential. Generally modify callers
of fo_stat() to pass in td->td_ucred rather than fp->f_cred, which
was redundantly provided via the fp argument. This set of modifications
also permits threads to perform these operations on behalf of another
thread without modifying their credential.
Trickle this change down into fo_stat/poll() implementations:
- badfo_poll(), badfo_stat(): modify/add arguments.
- kqueue_poll(), kqueue_stat(): modify arguments.
- pipe_poll(), pipe_stat(): modify/add arguments, pass active_cred to
MAC checks rather than td->td_ucred.
- soo_poll(), soo_stat(): modify/add arguments, pass fp->f_cred rather
than cred to pru_sopoll() to maintain current semantics.
- sopoll(): moidfy arguments.
- vn_poll(), vn_statfile(): modify/add arguments, pass new arguments
to vn_stat(). Pass active_cred to MAC and fp->f_cred to VOP_POLL()
to maintian current semantics.
- vn_close(): rename cred to file_cred to reflect reality while I'm here.
- vn_stat(): Add active_cred and file_cred arguments to vn_stat()
and consumers so that this distinction is maintained at the VFS
as well as 'struct file' layer. Pass active_cred instead of
td->td_ucred to MAC and to VOP_GETATTR() to maintain current semantics.
- fifofs: modify the creation of a "filetemp" so that the file
credential is properly initialized and can be used in the socket
code if desired. Pass ap->a_td->td_ucred as the active
credential to soo_poll(). If we teach the vnop interface about
the distinction between file and active credentials, we would use
the active credential here.
Note that current inconsistent passing of active_cred vs. file_cred to
VOP's is maintained. It's not clear why GETATTR would be authorized
using active_cred while POLL would be authorized using file_cred at
the file system level.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, NAI Labs
2002-08-16 12:52:03 +00:00
|
|
|
struct ucred *active_cred;
|
2001-09-12 08:38:13 +00:00
|
|
|
struct thread *td;
|
1999-11-08 03:32:15 +00:00
|
|
|
{
|
|
|
|
struct vnode *vp = (struct vnode *)fp->f_data;
|
2002-02-10 21:44:30 +00:00
|
|
|
int error;
|
1999-11-08 03:32:15 +00:00
|
|
|
|
2002-02-10 21:44:30 +00:00
|
|
|
vn_lock(vp, LK_EXCLUSIVE | LK_RETRY, td);
|
Make similar changes to fo_stat() and fo_poll() as made earlier to
fo_read() and fo_write(): explicitly use the cred argument to fo_poll()
as "active_cred" using the passed file descriptor's f_cred reference
to provide access to the file credential. Add an active_cred
argument to fo_stat() so that implementers have access to the active
credential as well as the file credential. Generally modify callers
of fo_stat() to pass in td->td_ucred rather than fp->f_cred, which
was redundantly provided via the fp argument. This set of modifications
also permits threads to perform these operations on behalf of another
thread without modifying their credential.
Trickle this change down into fo_stat/poll() implementations:
- badfo_poll(), badfo_stat(): modify/add arguments.
- kqueue_poll(), kqueue_stat(): modify arguments.
- pipe_poll(), pipe_stat(): modify/add arguments, pass active_cred to
MAC checks rather than td->td_ucred.
- soo_poll(), soo_stat(): modify/add arguments, pass fp->f_cred rather
than cred to pru_sopoll() to maintain current semantics.
- sopoll(): moidfy arguments.
- vn_poll(), vn_statfile(): modify/add arguments, pass new arguments
to vn_stat(). Pass active_cred to MAC and fp->f_cred to VOP_POLL()
to maintian current semantics.
- vn_close(): rename cred to file_cred to reflect reality while I'm here.
- vn_stat(): Add active_cred and file_cred arguments to vn_stat()
and consumers so that this distinction is maintained at the VFS
as well as 'struct file' layer. Pass active_cred instead of
td->td_ucred to MAC and to VOP_GETATTR() to maintain current semantics.
- fifofs: modify the creation of a "filetemp" so that the file
credential is properly initialized and can be used in the socket
code if desired. Pass ap->a_td->td_ucred as the active
credential to soo_poll(). If we teach the vnop interface about
the distinction between file and active credentials, we would use
the active credential here.
Note that current inconsistent passing of active_cred vs. file_cred to
VOP's is maintained. It's not clear why GETATTR would be authorized
using active_cred while POLL would be authorized using file_cred at
the file system level.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, NAI Labs
2002-08-16 12:52:03 +00:00
|
|
|
error = vn_stat(vp, sb, active_cred, fp->f_cred, td);
|
2002-02-10 21:44:30 +00:00
|
|
|
VOP_UNLOCK(vp, 0, td);
|
|
|
|
|
|
|
|
return (error);
|
1999-11-08 03:32:15 +00:00
|
|
|
}
|
|
|
|
|
2002-03-05 15:38:49 +00:00
|
|
|
/*
|
|
|
|
* Stat a vnode; implementation for the stat syscall
|
|
|
|
*/
|
1994-05-25 09:21:21 +00:00
|
|
|
int
|
Make similar changes to fo_stat() and fo_poll() as made earlier to
fo_read() and fo_write(): explicitly use the cred argument to fo_poll()
as "active_cred" using the passed file descriptor's f_cred reference
to provide access to the file credential. Add an active_cred
argument to fo_stat() so that implementers have access to the active
credential as well as the file credential. Generally modify callers
of fo_stat() to pass in td->td_ucred rather than fp->f_cred, which
was redundantly provided via the fp argument. This set of modifications
also permits threads to perform these operations on behalf of another
thread without modifying their credential.
Trickle this change down into fo_stat/poll() implementations:
- badfo_poll(), badfo_stat(): modify/add arguments.
- kqueue_poll(), kqueue_stat(): modify arguments.
- pipe_poll(), pipe_stat(): modify/add arguments, pass active_cred to
MAC checks rather than td->td_ucred.
- soo_poll(), soo_stat(): modify/add arguments, pass fp->f_cred rather
than cred to pru_sopoll() to maintain current semantics.
- sopoll(): moidfy arguments.
- vn_poll(), vn_statfile(): modify/add arguments, pass new arguments
to vn_stat(). Pass active_cred to MAC and fp->f_cred to VOP_POLL()
to maintian current semantics.
- vn_close(): rename cred to file_cred to reflect reality while I'm here.
- vn_stat(): Add active_cred and file_cred arguments to vn_stat()
and consumers so that this distinction is maintained at the VFS
as well as 'struct file' layer. Pass active_cred instead of
td->td_ucred to MAC and to VOP_GETATTR() to maintain current semantics.
- fifofs: modify the creation of a "filetemp" so that the file
credential is properly initialized and can be used in the socket
code if desired. Pass ap->a_td->td_ucred as the active
credential to soo_poll(). If we teach the vnop interface about
the distinction between file and active credentials, we would use
the active credential here.
Note that current inconsistent passing of active_cred vs. file_cred to
VOP's is maintained. It's not clear why GETATTR would be authorized
using active_cred while POLL would be authorized using file_cred at
the file system level.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, NAI Labs
2002-08-16 12:52:03 +00:00
|
|
|
vn_stat(vp, sb, active_cred, file_cred, td)
|
1994-05-24 10:09:53 +00:00
|
|
|
struct vnode *vp;
|
|
|
|
register struct stat *sb;
|
Make similar changes to fo_stat() and fo_poll() as made earlier to
fo_read() and fo_write(): explicitly use the cred argument to fo_poll()
as "active_cred" using the passed file descriptor's f_cred reference
to provide access to the file credential. Add an active_cred
argument to fo_stat() so that implementers have access to the active
credential as well as the file credential. Generally modify callers
of fo_stat() to pass in td->td_ucred rather than fp->f_cred, which
was redundantly provided via the fp argument. This set of modifications
also permits threads to perform these operations on behalf of another
thread without modifying their credential.
Trickle this change down into fo_stat/poll() implementations:
- badfo_poll(), badfo_stat(): modify/add arguments.
- kqueue_poll(), kqueue_stat(): modify arguments.
- pipe_poll(), pipe_stat(): modify/add arguments, pass active_cred to
MAC checks rather than td->td_ucred.
- soo_poll(), soo_stat(): modify/add arguments, pass fp->f_cred rather
than cred to pru_sopoll() to maintain current semantics.
- sopoll(): moidfy arguments.
- vn_poll(), vn_statfile(): modify/add arguments, pass new arguments
to vn_stat(). Pass active_cred to MAC and fp->f_cred to VOP_POLL()
to maintian current semantics.
- vn_close(): rename cred to file_cred to reflect reality while I'm here.
- vn_stat(): Add active_cred and file_cred arguments to vn_stat()
and consumers so that this distinction is maintained at the VFS
as well as 'struct file' layer. Pass active_cred instead of
td->td_ucred to MAC and to VOP_GETATTR() to maintain current semantics.
- fifofs: modify the creation of a "filetemp" so that the file
credential is properly initialized and can be used in the socket
code if desired. Pass ap->a_td->td_ucred as the active
credential to soo_poll(). If we teach the vnop interface about
the distinction between file and active credentials, we would use
the active credential here.
Note that current inconsistent passing of active_cred vs. file_cred to
VOP's is maintained. It's not clear why GETATTR would be authorized
using active_cred while POLL would be authorized using file_cred at
the file system level.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, NAI Labs
2002-08-16 12:52:03 +00:00
|
|
|
struct ucred *active_cred;
|
|
|
|
struct ucred *file_cred;
|
2001-09-12 08:38:13 +00:00
|
|
|
struct thread *td;
|
1994-05-24 10:09:53 +00:00
|
|
|
{
|
|
|
|
struct vattr vattr;
|
|
|
|
register struct vattr *vap;
|
|
|
|
int error;
|
|
|
|
u_short mode;
|
|
|
|
|
2002-08-01 17:23:22 +00:00
|
|
|
#ifdef MAC
|
2002-08-19 19:04:53 +00:00
|
|
|
error = mac_check_vnode_stat(active_cred, file_cred, vp);
|
2002-08-01 17:23:22 +00:00
|
|
|
if (error)
|
|
|
|
return (error);
|
|
|
|
#endif
|
|
|
|
|
1994-05-24 10:09:53 +00:00
|
|
|
vap = &vattr;
|
Make similar changes to fo_stat() and fo_poll() as made earlier to
fo_read() and fo_write(): explicitly use the cred argument to fo_poll()
as "active_cred" using the passed file descriptor's f_cred reference
to provide access to the file credential. Add an active_cred
argument to fo_stat() so that implementers have access to the active
credential as well as the file credential. Generally modify callers
of fo_stat() to pass in td->td_ucred rather than fp->f_cred, which
was redundantly provided via the fp argument. This set of modifications
also permits threads to perform these operations on behalf of another
thread without modifying their credential.
Trickle this change down into fo_stat/poll() implementations:
- badfo_poll(), badfo_stat(): modify/add arguments.
- kqueue_poll(), kqueue_stat(): modify arguments.
- pipe_poll(), pipe_stat(): modify/add arguments, pass active_cred to
MAC checks rather than td->td_ucred.
- soo_poll(), soo_stat(): modify/add arguments, pass fp->f_cred rather
than cred to pru_sopoll() to maintain current semantics.
- sopoll(): moidfy arguments.
- vn_poll(), vn_statfile(): modify/add arguments, pass new arguments
to vn_stat(). Pass active_cred to MAC and fp->f_cred to VOP_POLL()
to maintian current semantics.
- vn_close(): rename cred to file_cred to reflect reality while I'm here.
- vn_stat(): Add active_cred and file_cred arguments to vn_stat()
and consumers so that this distinction is maintained at the VFS
as well as 'struct file' layer. Pass active_cred instead of
td->td_ucred to MAC and to VOP_GETATTR() to maintain current semantics.
- fifofs: modify the creation of a "filetemp" so that the file
credential is properly initialized and can be used in the socket
code if desired. Pass ap->a_td->td_ucred as the active
credential to soo_poll(). If we teach the vnop interface about
the distinction between file and active credentials, we would use
the active credential here.
Note that current inconsistent passing of active_cred vs. file_cred to
VOP's is maintained. It's not clear why GETATTR would be authorized
using active_cred while POLL would be authorized using file_cred at
the file system level.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, NAI Labs
2002-08-16 12:52:03 +00:00
|
|
|
error = VOP_GETATTR(vp, vap, active_cred, td);
|
1994-05-24 10:09:53 +00:00
|
|
|
if (error)
|
|
|
|
return (error);
|
1999-11-18 08:14:20 +00:00
|
|
|
|
2002-07-31 12:19:49 +00:00
|
|
|
vp->v_cachedfs = vap->va_fsid;
|
|
|
|
vp->v_cachedid = vap->va_fileid;
|
|
|
|
|
1999-11-18 08:14:20 +00:00
|
|
|
/*
|
|
|
|
* Zero the spare stat fields
|
|
|
|
*/
|
2002-06-24 07:14:44 +00:00
|
|
|
bzero(sb, sizeof *sb);
|
1999-11-18 08:14:20 +00:00
|
|
|
|
1994-05-24 10:09:53 +00:00
|
|
|
/*
|
|
|
|
* Copy from vattr table
|
|
|
|
*/
|
1999-07-02 16:29:47 +00:00
|
|
|
if (vap->va_fsid != VNOVAL)
|
|
|
|
sb->st_dev = vap->va_fsid;
|
|
|
|
else
|
|
|
|
sb->st_dev = vp->v_mount->mnt_stat.f_fsid.val[0];
|
1994-05-24 10:09:53 +00:00
|
|
|
sb->st_ino = vap->va_fileid;
|
|
|
|
mode = vap->va_mode;
|
1998-06-27 06:43:09 +00:00
|
|
|
switch (vap->va_type) {
|
1994-05-24 10:09:53 +00:00
|
|
|
case VREG:
|
|
|
|
mode |= S_IFREG;
|
|
|
|
break;
|
|
|
|
case VDIR:
|
|
|
|
mode |= S_IFDIR;
|
|
|
|
break;
|
|
|
|
case VBLK:
|
|
|
|
mode |= S_IFBLK;
|
|
|
|
break;
|
|
|
|
case VCHR:
|
|
|
|
mode |= S_IFCHR;
|
|
|
|
break;
|
|
|
|
case VLNK:
|
|
|
|
mode |= S_IFLNK;
|
1998-04-10 00:09:04 +00:00
|
|
|
/* This is a cosmetic change, symlinks do not have a mode. */
|
1998-04-08 18:31:59 +00:00
|
|
|
if (vp->v_mount->mnt_flag & MNT_NOSYMFOLLOW)
|
|
|
|
sb->st_mode &= ~ACCESSPERMS; /* 0000 */
|
|
|
|
else
|
|
|
|
sb->st_mode |= ACCESSPERMS; /* 0777 */
|
1994-05-24 10:09:53 +00:00
|
|
|
break;
|
|
|
|
case VSOCK:
|
|
|
|
mode |= S_IFSOCK;
|
|
|
|
break;
|
|
|
|
case VFIFO:
|
|
|
|
mode |= S_IFIFO;
|
|
|
|
break;
|
|
|
|
default:
|
|
|
|
return (EBADF);
|
|
|
|
};
|
|
|
|
sb->st_mode = mode;
|
|
|
|
sb->st_nlink = vap->va_nlink;
|
|
|
|
sb->st_uid = vap->va_uid;
|
|
|
|
sb->st_gid = vap->va_gid;
|
|
|
|
sb->st_rdev = vap->va_rdev;
|
2001-08-23 17:56:48 +00:00
|
|
|
if (vap->va_size > OFF_MAX)
|
|
|
|
return (EOVERFLOW);
|
1994-05-24 10:09:53 +00:00
|
|
|
sb->st_size = vap->va_size;
|
|
|
|
sb->st_atimespec = vap->va_atime;
|
1997-02-10 02:22:35 +00:00
|
|
|
sb->st_mtimespec = vap->va_mtime;
|
1994-05-24 10:09:53 +00:00
|
|
|
sb->st_ctimespec = vap->va_ctime;
|
2002-07-16 22:36:00 +00:00
|
|
|
sb->st_birthtimespec = vap->va_birthtime;
|
1999-09-09 19:08:44 +00:00
|
|
|
|
|
|
|
/*
|
|
|
|
* According to www.opengroup.org, the meaning of st_blksize is
|
|
|
|
* "a filesystem-specific preferred I/O block size for this
|
|
|
|
* object. In some filesystem types, this may vary from file
|
|
|
|
* to file"
|
2002-01-25 16:39:57 +00:00
|
|
|
* Default to PAGE_SIZE after much discussion.
|
1999-08-13 10:56:07 +00:00
|
|
|
*/
|
1999-09-09 19:08:44 +00:00
|
|
|
|
|
|
|
if (vap->va_type == VREG) {
|
1999-09-03 05:16:59 +00:00
|
|
|
sb->st_blksize = vap->va_blocksize;
|
2000-01-10 12:04:27 +00:00
|
|
|
} else if (vn_isdisk(vp, NULL)) {
|
1999-09-09 19:08:44 +00:00
|
|
|
sb->st_blksize = vp->v_rdev->si_bsize_best;
|
|
|
|
if (sb->st_blksize < vp->v_rdev->si_bsize_phys)
|
|
|
|
sb->st_blksize = vp->v_rdev->si_bsize_phys;
|
|
|
|
if (sb->st_blksize < BLKDEV_IOSIZE)
|
|
|
|
sb->st_blksize = BLKDEV_IOSIZE;
|
|
|
|
} else {
|
2002-01-25 16:39:57 +00:00
|
|
|
sb->st_blksize = PAGE_SIZE;
|
1999-09-03 05:16:59 +00:00
|
|
|
}
|
1999-09-09 19:08:44 +00:00
|
|
|
|
1994-05-24 10:09:53 +00:00
|
|
|
sb->st_flags = vap->va_flags;
|
2002-04-01 21:31:13 +00:00
|
|
|
if (suser(td))
|
1997-03-08 15:14:30 +00:00
|
|
|
sb->st_gen = 0;
|
|
|
|
else
|
|
|
|
sb->st_gen = vap->va_gen;
|
1997-03-07 07:42:41 +00:00
|
|
|
|
1995-10-06 09:43:32 +00:00
|
|
|
#if (S_BLKSIZE == 512)
|
|
|
|
/* Optimize this case */
|
|
|
|
sb->st_blocks = vap->va_bytes >> 9;
|
|
|
|
#else
|
1994-05-24 10:09:53 +00:00
|
|
|
sb->st_blocks = vap->va_bytes / S_BLKSIZE;
|
1995-10-06 09:43:32 +00:00
|
|
|
#endif
|
1994-05-24 10:09:53 +00:00
|
|
|
return (0);
|
|
|
|
}
|
|
|
|
|
|
|
|
/*
|
|
|
|
* File table vnode ioctl routine.
|
|
|
|
*/
|
1995-12-17 21:23:44 +00:00
|
|
|
static int
|
2002-08-17 02:36:16 +00:00
|
|
|
vn_ioctl(fp, com, data, active_cred, td)
|
1994-05-24 10:09:53 +00:00
|
|
|
struct file *fp;
|
1998-06-07 17:13:14 +00:00
|
|
|
u_long com;
|
2002-06-29 01:50:25 +00:00
|
|
|
void *data;
|
2002-08-17 02:36:16 +00:00
|
|
|
struct ucred *active_cred;
|
2001-09-12 08:38:13 +00:00
|
|
|
struct thread *td;
|
1994-05-24 10:09:53 +00:00
|
|
|
{
|
|
|
|
register struct vnode *vp = ((struct vnode *)fp->f_data);
|
2002-02-23 11:12:57 +00:00
|
|
|
struct vnode *vpold;
|
1994-05-24 10:09:53 +00:00
|
|
|
struct vattr vattr;
|
|
|
|
int error;
|
|
|
|
|
|
|
|
switch (vp->v_type) {
|
|
|
|
|
|
|
|
case VREG:
|
|
|
|
case VDIR:
|
|
|
|
if (com == FIONREAD) {
|
2002-02-10 21:44:30 +00:00
|
|
|
vn_lock(vp, LK_EXCLUSIVE | LK_RETRY, td);
|
2002-08-17 02:36:16 +00:00
|
|
|
error = VOP_GETATTR(vp, &vattr, active_cred, td);
|
2002-02-10 21:44:30 +00:00
|
|
|
VOP_UNLOCK(vp, 0, td);
|
1994-10-02 17:35:40 +00:00
|
|
|
if (error)
|
1994-05-24 10:09:53 +00:00
|
|
|
return (error);
|
|
|
|
*(int *)data = vattr.va_size - fp->f_offset;
|
|
|
|
return (0);
|
|
|
|
}
|
|
|
|
if (com == FIONBIO || com == FIOASYNC) /* XXX */
|
|
|
|
return (0); /* XXX */
|
2002-08-25 13:23:09 +00:00
|
|
|
/* FALLTHROUGH */
|
1994-05-24 10:09:53 +00:00
|
|
|
|
|
|
|
default:
|
1997-12-06 04:11:14 +00:00
|
|
|
#if 0
|
1994-05-24 10:09:53 +00:00
|
|
|
return (ENOTTY);
|
1997-12-06 04:11:14 +00:00
|
|
|
#endif
|
1994-05-24 10:09:53 +00:00
|
|
|
case VFIFO:
|
|
|
|
case VCHR:
|
|
|
|
case VBLK:
|
1999-08-27 16:35:37 +00:00
|
|
|
if (com == FIODTYPE) {
|
|
|
|
if (vp->v_type != VCHR && vp->v_type != VBLK)
|
|
|
|
return (ENOTTY);
|
|
|
|
*(int *)data = devsw(vp->v_rdev)->d_flags & D_TYPEMASK;
|
|
|
|
return (0);
|
|
|
|
}
|
2002-08-17 02:36:16 +00:00
|
|
|
error = VOP_IOCTL(vp, com, data, fp->f_flag, active_cred, td);
|
2002-09-26 21:21:13 +00:00
|
|
|
if (error == ENOIOCTL) {
|
|
|
|
#ifdef DIAGNOSTIC
|
|
|
|
Debugger("ENOIOCTL leaked through");
|
|
|
|
#endif
|
|
|
|
error = ENOTTY;
|
|
|
|
}
|
1994-05-24 10:09:53 +00:00
|
|
|
if (error == 0 && com == TIOCSCTTY) {
|
1994-08-18 03:53:38 +00:00
|
|
|
|
|
|
|
/* Do nothing if reassigning same control tty */
|
2002-04-16 17:11:34 +00:00
|
|
|
sx_slock(&proctree_lock);
|
2002-02-23 11:12:57 +00:00
|
|
|
if (td->td_proc->p_session->s_ttyvp == vp) {
|
2002-04-16 17:11:34 +00:00
|
|
|
sx_sunlock(&proctree_lock);
|
1994-08-18 03:53:38 +00:00
|
|
|
return (0);
|
2002-02-23 11:12:57 +00:00
|
|
|
}
|
1994-08-18 03:53:38 +00:00
|
|
|
|
2002-02-23 11:12:57 +00:00
|
|
|
vpold = td->td_proc->p_session->s_ttyvp;
|
1994-05-24 10:09:53 +00:00
|
|
|
VREF(vp);
|
2002-02-23 11:12:57 +00:00
|
|
|
SESS_LOCK(td->td_proc->p_session);
|
|
|
|
td->td_proc->p_session->s_ttyvp = vp;
|
|
|
|
SESS_UNLOCK(td->td_proc->p_session);
|
|
|
|
|
2002-04-16 17:11:34 +00:00
|
|
|
sx_sunlock(&proctree_lock);
|
2002-02-23 11:12:57 +00:00
|
|
|
|
|
|
|
/* Get rid of reference to old control tty */
|
|
|
|
if (vpold)
|
|
|
|
vrele(vpold);
|
1994-05-24 10:09:53 +00:00
|
|
|
}
|
|
|
|
return (error);
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
/*
|
1997-09-14 02:51:16 +00:00
|
|
|
* File table vnode poll routine.
|
1994-05-24 10:09:53 +00:00
|
|
|
*/
|
1995-12-17 21:23:44 +00:00
|
|
|
static int
|
Make similar changes to fo_stat() and fo_poll() as made earlier to
fo_read() and fo_write(): explicitly use the cred argument to fo_poll()
as "active_cred" using the passed file descriptor's f_cred reference
to provide access to the file credential. Add an active_cred
argument to fo_stat() so that implementers have access to the active
credential as well as the file credential. Generally modify callers
of fo_stat() to pass in td->td_ucred rather than fp->f_cred, which
was redundantly provided via the fp argument. This set of modifications
also permits threads to perform these operations on behalf of another
thread without modifying their credential.
Trickle this change down into fo_stat/poll() implementations:
- badfo_poll(), badfo_stat(): modify/add arguments.
- kqueue_poll(), kqueue_stat(): modify arguments.
- pipe_poll(), pipe_stat(): modify/add arguments, pass active_cred to
MAC checks rather than td->td_ucred.
- soo_poll(), soo_stat(): modify/add arguments, pass fp->f_cred rather
than cred to pru_sopoll() to maintain current semantics.
- sopoll(): moidfy arguments.
- vn_poll(), vn_statfile(): modify/add arguments, pass new arguments
to vn_stat(). Pass active_cred to MAC and fp->f_cred to VOP_POLL()
to maintian current semantics.
- vn_close(): rename cred to file_cred to reflect reality while I'm here.
- vn_stat(): Add active_cred and file_cred arguments to vn_stat()
and consumers so that this distinction is maintained at the VFS
as well as 'struct file' layer. Pass active_cred instead of
td->td_ucred to MAC and to VOP_GETATTR() to maintain current semantics.
- fifofs: modify the creation of a "filetemp" so that the file
credential is properly initialized and can be used in the socket
code if desired. Pass ap->a_td->td_ucred as the active
credential to soo_poll(). If we teach the vnop interface about
the distinction between file and active credentials, we would use
the active credential here.
Note that current inconsistent passing of active_cred vs. file_cred to
VOP's is maintained. It's not clear why GETATTR would be authorized
using active_cred while POLL would be authorized using file_cred at
the file system level.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, NAI Labs
2002-08-16 12:52:03 +00:00
|
|
|
vn_poll(fp, events, active_cred, td)
|
1994-05-24 10:09:53 +00:00
|
|
|
struct file *fp;
|
1997-09-14 02:51:16 +00:00
|
|
|
int events;
|
Make similar changes to fo_stat() and fo_poll() as made earlier to
fo_read() and fo_write(): explicitly use the cred argument to fo_poll()
as "active_cred" using the passed file descriptor's f_cred reference
to provide access to the file credential. Add an active_cred
argument to fo_stat() so that implementers have access to the active
credential as well as the file credential. Generally modify callers
of fo_stat() to pass in td->td_ucred rather than fp->f_cred, which
was redundantly provided via the fp argument. This set of modifications
also permits threads to perform these operations on behalf of another
thread without modifying their credential.
Trickle this change down into fo_stat/poll() implementations:
- badfo_poll(), badfo_stat(): modify/add arguments.
- kqueue_poll(), kqueue_stat(): modify arguments.
- pipe_poll(), pipe_stat(): modify/add arguments, pass active_cred to
MAC checks rather than td->td_ucred.
- soo_poll(), soo_stat(): modify/add arguments, pass fp->f_cred rather
than cred to pru_sopoll() to maintain current semantics.
- sopoll(): moidfy arguments.
- vn_poll(), vn_statfile(): modify/add arguments, pass new arguments
to vn_stat(). Pass active_cred to MAC and fp->f_cred to VOP_POLL()
to maintian current semantics.
- vn_close(): rename cred to file_cred to reflect reality while I'm here.
- vn_stat(): Add active_cred and file_cred arguments to vn_stat()
and consumers so that this distinction is maintained at the VFS
as well as 'struct file' layer. Pass active_cred instead of
td->td_ucred to MAC and to VOP_GETATTR() to maintain current semantics.
- fifofs: modify the creation of a "filetemp" so that the file
credential is properly initialized and can be used in the socket
code if desired. Pass ap->a_td->td_ucred as the active
credential to soo_poll(). If we teach the vnop interface about
the distinction between file and active credentials, we would use
the active credential here.
Note that current inconsistent passing of active_cred vs. file_cred to
VOP's is maintained. It's not clear why GETATTR would be authorized
using active_cred while POLL would be authorized using file_cred at
the file system level.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, NAI Labs
2002-08-16 12:52:03 +00:00
|
|
|
struct ucred *active_cred;
|
2001-09-12 08:38:13 +00:00
|
|
|
struct thread *td;
|
1994-05-24 10:09:53 +00:00
|
|
|
{
|
2002-08-01 17:23:22 +00:00
|
|
|
struct vnode *vp;
|
|
|
|
#ifdef MAC
|
|
|
|
int error;
|
|
|
|
#endif
|
|
|
|
|
|
|
|
vp = (struct vnode *)fp->f_data;
|
|
|
|
#ifdef MAC
|
|
|
|
vn_lock(vp, LK_EXCLUSIVE | LK_RETRY, td);
|
2002-08-19 19:04:53 +00:00
|
|
|
error = mac_check_vnode_poll(active_cred, fp->f_cred, vp);
|
2002-08-01 17:23:22 +00:00
|
|
|
VOP_UNLOCK(vp, 0, td);
|
|
|
|
if (error)
|
|
|
|
return (error);
|
|
|
|
#endif
|
1994-05-24 10:09:53 +00:00
|
|
|
|
Make similar changes to fo_stat() and fo_poll() as made earlier to
fo_read() and fo_write(): explicitly use the cred argument to fo_poll()
as "active_cred" using the passed file descriptor's f_cred reference
to provide access to the file credential. Add an active_cred
argument to fo_stat() so that implementers have access to the active
credential as well as the file credential. Generally modify callers
of fo_stat() to pass in td->td_ucred rather than fp->f_cred, which
was redundantly provided via the fp argument. This set of modifications
also permits threads to perform these operations on behalf of another
thread without modifying their credential.
Trickle this change down into fo_stat/poll() implementations:
- badfo_poll(), badfo_stat(): modify/add arguments.
- kqueue_poll(), kqueue_stat(): modify arguments.
- pipe_poll(), pipe_stat(): modify/add arguments, pass active_cred to
MAC checks rather than td->td_ucred.
- soo_poll(), soo_stat(): modify/add arguments, pass fp->f_cred rather
than cred to pru_sopoll() to maintain current semantics.
- sopoll(): moidfy arguments.
- vn_poll(), vn_statfile(): modify/add arguments, pass new arguments
to vn_stat(). Pass active_cred to MAC and fp->f_cred to VOP_POLL()
to maintian current semantics.
- vn_close(): rename cred to file_cred to reflect reality while I'm here.
- vn_stat(): Add active_cred and file_cred arguments to vn_stat()
and consumers so that this distinction is maintained at the VFS
as well as 'struct file' layer. Pass active_cred instead of
td->td_ucred to MAC and to VOP_GETATTR() to maintain current semantics.
- fifofs: modify the creation of a "filetemp" so that the file
credential is properly initialized and can be used in the socket
code if desired. Pass ap->a_td->td_ucred as the active
credential to soo_poll(). If we teach the vnop interface about
the distinction between file and active credentials, we would use
the active credential here.
Note that current inconsistent passing of active_cred vs. file_cred to
VOP's is maintained. It's not clear why GETATTR would be authorized
using active_cred while POLL would be authorized using file_cred at
the file system level.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, NAI Labs
2002-08-16 12:52:03 +00:00
|
|
|
return (VOP_POLL(vp, events, fp->f_cred, td));
|
1994-05-24 10:09:53 +00:00
|
|
|
}
|
|
|
|
|
1997-02-10 02:22:35 +00:00
|
|
|
/*
|
|
|
|
* Check that the vnode is still valid, and if so
|
|
|
|
* acquire requested lock.
|
|
|
|
*/
|
|
|
|
int
|
1999-01-20 14:49:12 +00:00
|
|
|
#ifndef DEBUG_LOCKS
|
2001-09-12 08:38:13 +00:00
|
|
|
vn_lock(vp, flags, td)
|
1999-01-20 14:49:12 +00:00
|
|
|
#else
|
2001-09-12 08:38:13 +00:00
|
|
|
debug_vn_lock(vp, flags, td, filename, line)
|
1999-01-20 14:49:12 +00:00
|
|
|
#endif
|
1997-02-10 02:22:35 +00:00
|
|
|
struct vnode *vp;
|
|
|
|
int flags;
|
2001-09-12 08:38:13 +00:00
|
|
|
struct thread *td;
|
1999-01-20 14:49:12 +00:00
|
|
|
#ifdef DEBUG_LOCKS
|
|
|
|
const char *filename;
|
|
|
|
int line;
|
|
|
|
#endif
|
1997-02-10 02:22:35 +00:00
|
|
|
{
|
|
|
|
int error;
|
2001-03-26 12:45:35 +00:00
|
|
|
|
1997-02-10 02:22:35 +00:00
|
|
|
do {
|
1997-10-27 15:26:23 +00:00
|
|
|
if ((flags & LK_INTERLOCK) == 0)
|
2002-08-04 10:29:36 +00:00
|
|
|
VI_LOCK(vp);
|
|
|
|
if ((vp->v_iflag & VI_XLOCK) && vp->v_vxproc != curthread) {
|
|
|
|
vp->v_iflag |= VI_XWANT;
|
2002-08-23 00:32:03 +00:00
|
|
|
msleep(vp, VI_MTX(vp), PINOD, "vn_lock", 0);
|
1997-02-10 02:22:35 +00:00
|
|
|
error = ENOENT;
|
2002-08-22 07:57:43 +00:00
|
|
|
if ((flags & LK_RETRY) == 0) {
|
|
|
|
VI_UNLOCK(vp);
|
|
|
|
return (error);
|
|
|
|
}
|
|
|
|
}
|
1999-01-20 14:49:12 +00:00
|
|
|
#ifdef DEBUG_LOCKS
|
2002-08-22 07:57:43 +00:00
|
|
|
vp->filename = filename;
|
|
|
|
vp->line = line;
|
1999-01-20 14:49:12 +00:00
|
|
|
#endif
|
2002-08-22 07:57:43 +00:00
|
|
|
/*
|
|
|
|
* lockmgr drops interlock before it will return for
|
|
|
|
* any reason. So force the code above to relock it.
|
|
|
|
*/
|
|
|
|
error = VOP_LOCK(vp, flags | LK_NOPAUSE | LK_INTERLOCK, td);
|
|
|
|
flags &= ~LK_INTERLOCK;
|
2002-08-22 06:58:11 +00:00
|
|
|
} while (flags & LK_RETRY && error != 0);
|
1997-02-10 02:22:35 +00:00
|
|
|
return (error);
|
|
|
|
}
|
1997-10-27 15:26:23 +00:00
|
|
|
|
|
|
|
/*
|
|
|
|
* File table vnode close routine.
|
|
|
|
*/
|
|
|
|
static int
|
2001-09-12 08:38:13 +00:00
|
|
|
vn_closefile(fp, td)
|
1997-10-27 15:26:23 +00:00
|
|
|
struct file *fp;
|
2001-09-12 08:38:13 +00:00
|
|
|
struct thread *td;
|
1997-10-27 15:26:23 +00:00
|
|
|
{
|
|
|
|
|
1999-08-04 18:53:50 +00:00
|
|
|
fp->f_ops = &badfileops;
|
1997-10-27 15:26:23 +00:00
|
|
|
return (vn_close(((struct vnode *)fp->f_data), fp->f_flag,
|
2001-09-12 08:38:13 +00:00
|
|
|
fp->f_cred, td));
|
1997-10-27 15:26:23 +00:00
|
|
|
}
|
2000-04-16 18:53:38 +00:00
|
|
|
|
2000-07-11 22:07:57 +00:00
|
|
|
/*
|
|
|
|
* Preparing to start a filesystem write operation. If the operation is
|
|
|
|
* permitted, then we bump the count of operations in progress and
|
|
|
|
* proceed. If a suspend request is in progress, we wait until the
|
|
|
|
* suspension is over, and then proceed.
|
|
|
|
*/
|
|
|
|
int
|
|
|
|
vn_start_write(vp, mpp, flags)
|
|
|
|
struct vnode *vp;
|
|
|
|
struct mount **mpp;
|
|
|
|
int flags;
|
|
|
|
{
|
|
|
|
struct mount *mp;
|
|
|
|
int error;
|
|
|
|
|
|
|
|
/*
|
|
|
|
* If a vnode is provided, get and return the mount point that
|
|
|
|
* to which it will write.
|
|
|
|
*/
|
|
|
|
if (vp != NULL) {
|
|
|
|
if ((error = VOP_GETWRITEMOUNT(vp, mpp)) != 0) {
|
|
|
|
*mpp = NULL;
|
|
|
|
if (error != EOPNOTSUPP)
|
|
|
|
return (error);
|
|
|
|
return (0);
|
|
|
|
}
|
|
|
|
}
|
|
|
|
if ((mp = *mpp) == NULL)
|
|
|
|
return (0);
|
|
|
|
/*
|
|
|
|
* Check on status of suspension.
|
|
|
|
*/
|
|
|
|
while ((mp->mnt_kern_flag & MNTK_SUSPEND) != 0) {
|
|
|
|
if (flags & V_NOWAIT)
|
|
|
|
return (EWOULDBLOCK);
|
|
|
|
error = tsleep(&mp->mnt_flag, (PUSER - 1) | (flags & PCATCH),
|
|
|
|
"suspfs", 0);
|
|
|
|
if (error)
|
|
|
|
return (error);
|
|
|
|
}
|
|
|
|
if (flags & V_XSLEEP)
|
|
|
|
return (0);
|
|
|
|
mp->mnt_writeopcount++;
|
|
|
|
return (0);
|
|
|
|
}
|
|
|
|
|
|
|
|
/*
|
|
|
|
* Secondary suspension. Used by operations such as vop_inactive
|
|
|
|
* routines that are needed by the higher level functions. These
|
|
|
|
* are allowed to proceed until all the higher level functions have
|
|
|
|
* completed (indicated by mnt_writeopcount dropping to zero). At that
|
|
|
|
* time, these operations are halted until the suspension is over.
|
|
|
|
*/
|
|
|
|
int
|
2000-07-24 05:28:33 +00:00
|
|
|
vn_write_suspend_wait(vp, mp, flags)
|
2000-07-11 22:07:57 +00:00
|
|
|
struct vnode *vp;
|
2000-07-24 05:28:33 +00:00
|
|
|
struct mount *mp;
|
2000-07-11 22:07:57 +00:00
|
|
|
int flags;
|
|
|
|
{
|
|
|
|
int error;
|
|
|
|
|
2000-07-24 05:28:33 +00:00
|
|
|
if (vp != NULL) {
|
|
|
|
if ((error = VOP_GETWRITEMOUNT(vp, &mp)) != 0) {
|
|
|
|
if (error != EOPNOTSUPP)
|
|
|
|
return (error);
|
|
|
|
return (0);
|
|
|
|
}
|
2000-07-11 22:07:57 +00:00
|
|
|
}
|
|
|
|
/*
|
|
|
|
* If we are not suspended or have not yet reached suspended
|
|
|
|
* mode, then let the operation proceed.
|
|
|
|
*/
|
|
|
|
if (mp == NULL || (mp->mnt_kern_flag & MNTK_SUSPENDED) == 0)
|
|
|
|
return (0);
|
|
|
|
if (flags & V_NOWAIT)
|
|
|
|
return (EWOULDBLOCK);
|
|
|
|
/*
|
|
|
|
* Wait for the suspension to finish.
|
|
|
|
*/
|
|
|
|
return (tsleep(&mp->mnt_flag, (PUSER - 1) | (flags & PCATCH),
|
|
|
|
"suspfs", 0));
|
|
|
|
}
|
|
|
|
|
|
|
|
/*
|
|
|
|
* Filesystem write operation has completed. If we are suspending and this
|
|
|
|
* operation is the last one, notify the suspender that the suspension is
|
|
|
|
* now in effect.
|
|
|
|
*/
|
|
|
|
void
|
|
|
|
vn_finished_write(mp)
|
|
|
|
struct mount *mp;
|
|
|
|
{
|
|
|
|
|
|
|
|
if (mp == NULL)
|
|
|
|
return;
|
|
|
|
mp->mnt_writeopcount--;
|
|
|
|
if (mp->mnt_writeopcount < 0)
|
|
|
|
panic("vn_finished_write: neg cnt");
|
|
|
|
if ((mp->mnt_kern_flag & MNTK_SUSPEND) != 0 &&
|
|
|
|
mp->mnt_writeopcount <= 0)
|
|
|
|
wakeup(&mp->mnt_writeopcount);
|
|
|
|
}
|
|
|
|
|
|
|
|
/*
|
|
|
|
* Request a filesystem to suspend write operations.
|
|
|
|
*/
|
2002-10-25 00:20:37 +00:00
|
|
|
int
|
2000-07-11 22:07:57 +00:00
|
|
|
vfs_write_suspend(mp)
|
|
|
|
struct mount *mp;
|
|
|
|
{
|
2001-09-12 08:38:13 +00:00
|
|
|
struct thread *td = curthread;
|
2002-10-25 00:20:37 +00:00
|
|
|
int error;
|
2000-07-11 22:07:57 +00:00
|
|
|
|
|
|
|
if (mp->mnt_kern_flag & MNTK_SUSPEND)
|
2002-10-25 00:20:37 +00:00
|
|
|
return (0);
|
2000-07-11 22:07:57 +00:00
|
|
|
mp->mnt_kern_flag |= MNTK_SUSPEND;
|
|
|
|
if (mp->mnt_writeopcount > 0)
|
|
|
|
(void) tsleep(&mp->mnt_writeopcount, PUSER - 1, "suspwt", 0);
|
2002-10-25 00:20:37 +00:00
|
|
|
if ((error = VFS_SYNC(mp, MNT_WAIT, td->td_ucred, td)) != 0) {
|
|
|
|
vfs_write_resume(mp);
|
|
|
|
return (error);
|
|
|
|
}
|
2000-07-11 22:07:57 +00:00
|
|
|
mp->mnt_kern_flag |= MNTK_SUSPENDED;
|
2002-10-25 00:20:37 +00:00
|
|
|
return (0);
|
2000-07-11 22:07:57 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
/*
|
|
|
|
* Request a filesystem to resume write operations.
|
|
|
|
*/
|
|
|
|
void
|
|
|
|
vfs_write_resume(mp)
|
|
|
|
struct mount *mp;
|
|
|
|
{
|
|
|
|
|
|
|
|
if ((mp->mnt_kern_flag & MNTK_SUSPEND) == 0)
|
|
|
|
return;
|
|
|
|
mp->mnt_kern_flag &= ~(MNTK_SUSPEND | MNTK_SUSPENDED);
|
|
|
|
wakeup(&mp->mnt_writeopcount);
|
|
|
|
wakeup(&mp->mnt_flag);
|
|
|
|
}
|
|
|
|
|
2002-03-05 15:38:49 +00:00
|
|
|
/*
|
|
|
|
* Implement kqueues for files by translating it to vnode operation.
|
|
|
|
*/
|
2000-04-16 18:53:38 +00:00
|
|
|
static int
|
2001-02-15 16:34:11 +00:00
|
|
|
vn_kqfilter(struct file *fp, struct knote *kn)
|
2000-04-16 18:53:38 +00:00
|
|
|
{
|
|
|
|
|
2001-02-15 16:34:11 +00:00
|
|
|
return (VOP_KQFILTER(((struct vnode *)fp->f_data), kn));
|
2000-04-16 18:53:38 +00:00
|
|
|
}
|
2000-08-08 17:15:32 +00:00
|
|
|
|
|
|
|
/*
|
|
|
|
* Simplified in-kernel wrapper calls for extended attribute access.
|
|
|
|
* Both calls pass in a NULL credential, authorizing as "kernel" access.
|
|
|
|
* Set IO_NODELOCKED in ioflg if the vnode is already locked.
|
|
|
|
*/
|
|
|
|
int
|
2001-03-19 05:44:15 +00:00
|
|
|
vn_extattr_get(struct vnode *vp, int ioflg, int attrnamespace,
|
2001-09-12 08:38:13 +00:00
|
|
|
const char *attrname, int *buflen, char *buf, struct thread *td)
|
2000-08-08 17:15:32 +00:00
|
|
|
{
|
|
|
|
struct uio auio;
|
|
|
|
struct iovec iov;
|
|
|
|
int error;
|
|
|
|
|
|
|
|
iov.iov_len = *buflen;
|
|
|
|
iov.iov_base = buf;
|
|
|
|
|
|
|
|
auio.uio_iov = &iov;
|
|
|
|
auio.uio_iovcnt = 1;
|
|
|
|
auio.uio_rw = UIO_READ;
|
|
|
|
auio.uio_segflg = UIO_SYSSPACE;
|
2001-09-12 08:38:13 +00:00
|
|
|
auio.uio_td = td;
|
2000-08-08 17:15:32 +00:00
|
|
|
auio.uio_offset = 0;
|
|
|
|
auio.uio_resid = *buflen;
|
|
|
|
|
|
|
|
if ((ioflg & IO_NODELOCKED) == 0)
|
2001-09-12 08:38:13 +00:00
|
|
|
vn_lock(vp, LK_EXCLUSIVE | LK_RETRY, td);
|
2000-08-08 17:15:32 +00:00
|
|
|
|
|
|
|
/* authorize attribute retrieval as kernel */
|
Part I: Update extended attribute API and ABI:
o Modify the system call syntax for extattr_{get,set}_{fd,file}() so
as not to use the scatter gather API (which appeared not to be used
by any consumers, and be less portable), rather, accepts 'data'
and 'nbytes' in the style of other simple read/write interfaces.
This changes the API and ABI.
o Modify system call semantics so that extattr_get_{fd,file}() return
a size_t. When performing a read, the number of bytes read will
be returned, unless the data pointer is NULL, in which case the
number of bytes of data are returned. This changes the API only.
o Modify the VOP_GETEXTATTR() vnode operation to accept a *size_t
argument so as to return the size, if desirable. If set to NULL,
the size will not be returned.
o Update various filesystems (pseodofs, ufs) to DTRT.
These changes should make extended attributes more useful and more
portable. More commits to rebuild the system call files, as well
as update userland utilities to follow.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, NAI Labs
2002-02-10 04:43:22 +00:00
|
|
|
error = VOP_GETEXTATTR(vp, attrnamespace, attrname, &auio, NULL, NULL,
|
|
|
|
td);
|
2000-08-08 17:15:32 +00:00
|
|
|
|
|
|
|
if ((ioflg & IO_NODELOCKED) == 0)
|
2001-09-12 08:38:13 +00:00
|
|
|
VOP_UNLOCK(vp, 0, td);
|
2000-08-08 17:15:32 +00:00
|
|
|
|
|
|
|
if (error == 0) {
|
|
|
|
*buflen = *buflen - auio.uio_resid;
|
|
|
|
}
|
|
|
|
|
|
|
|
return (error);
|
|
|
|
}
|
|
|
|
|
|
|
|
/*
|
|
|
|
* XXX failure mode if partially written?
|
|
|
|
*/
|
|
|
|
int
|
2001-03-19 05:44:15 +00:00
|
|
|
vn_extattr_set(struct vnode *vp, int ioflg, int attrnamespace,
|
2001-09-12 08:38:13 +00:00
|
|
|
const char *attrname, int buflen, char *buf, struct thread *td)
|
2000-08-08 17:15:32 +00:00
|
|
|
{
|
|
|
|
struct uio auio;
|
|
|
|
struct iovec iov;
|
2000-09-05 03:15:02 +00:00
|
|
|
struct mount *mp;
|
2000-08-08 17:15:32 +00:00
|
|
|
int error;
|
|
|
|
|
|
|
|
iov.iov_len = buflen;
|
|
|
|
iov.iov_base = buf;
|
|
|
|
|
|
|
|
auio.uio_iov = &iov;
|
|
|
|
auio.uio_iovcnt = 1;
|
|
|
|
auio.uio_rw = UIO_WRITE;
|
|
|
|
auio.uio_segflg = UIO_SYSSPACE;
|
2001-09-12 08:38:13 +00:00
|
|
|
auio.uio_td = td;
|
2000-08-08 17:15:32 +00:00
|
|
|
auio.uio_offset = 0;
|
|
|
|
auio.uio_resid = buflen;
|
|
|
|
|
2000-09-05 03:15:02 +00:00
|
|
|
if ((ioflg & IO_NODELOCKED) == 0) {
|
|
|
|
if ((error = vn_start_write(vp, &mp, V_WAIT)) != 0)
|
|
|
|
return (error);
|
2001-09-12 08:38:13 +00:00
|
|
|
vn_lock(vp, LK_EXCLUSIVE | LK_RETRY, td);
|
2000-09-05 03:15:02 +00:00
|
|
|
}
|
2000-08-08 17:15:32 +00:00
|
|
|
|
|
|
|
/* authorize attribute setting as kernel */
|
2001-09-12 08:38:13 +00:00
|
|
|
error = VOP_SETEXTATTR(vp, attrnamespace, attrname, &auio, NULL, td);
|
2000-08-08 17:15:32 +00:00
|
|
|
|
2000-09-05 03:15:02 +00:00
|
|
|
if ((ioflg & IO_NODELOCKED) == 0) {
|
|
|
|
vn_finished_write(mp);
|
2001-09-12 08:38:13 +00:00
|
|
|
VOP_UNLOCK(vp, 0, td);
|
2000-09-05 03:15:02 +00:00
|
|
|
}
|
2000-08-08 17:15:32 +00:00
|
|
|
|
|
|
|
return (error);
|
|
|
|
}
|
2000-09-22 22:33:13 +00:00
|
|
|
|
|
|
|
int
|
2001-03-19 05:44:15 +00:00
|
|
|
vn_extattr_rm(struct vnode *vp, int ioflg, int attrnamespace,
|
2001-09-12 08:38:13 +00:00
|
|
|
const char *attrname, struct thread *td)
|
2000-09-22 22:33:13 +00:00
|
|
|
{
|
|
|
|
struct mount *mp;
|
|
|
|
int error;
|
|
|
|
|
|
|
|
if ((ioflg & IO_NODELOCKED) == 0) {
|
|
|
|
if ((error = vn_start_write(vp, &mp, V_WAIT)) != 0)
|
|
|
|
return (error);
|
2001-09-12 08:38:13 +00:00
|
|
|
vn_lock(vp, LK_EXCLUSIVE | LK_RETRY, td);
|
2000-09-22 22:33:13 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
/* authorize attribute removal as kernel */
|
2001-09-12 08:38:13 +00:00
|
|
|
error = VOP_SETEXTATTR(vp, attrnamespace, attrname, NULL, NULL, td);
|
2000-09-22 22:33:13 +00:00
|
|
|
|
|
|
|
if ((ioflg & IO_NODELOCKED) == 0) {
|
|
|
|
vn_finished_write(mp);
|
2001-09-12 08:38:13 +00:00
|
|
|
VOP_UNLOCK(vp, 0, td);
|
2000-09-22 22:33:13 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
return (error);
|
|
|
|
}
|