/*-
* Copyright (c) 1999-2001 Robert N. M. Watson
* All rights reserved.
*
* This software was developed by Robert Watson for the TrustedBSD Project.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*/
#include <sys/cdefs.h>
__FBSDID("$FreeBSD$");
#include <sys/param.h>
#include <sys/systm.h>
#include <sys/capsicum.h>
#include <sys/lock.h>
#include <sys/mount.h>
#include <sys/mutex.h>
#include <sys/sysproto.h>
#include <sys/fcntl.h>
#include <sys/namei.h>
#include <sys/filedesc.h>
#include <sys/limits.h>
#include <sys/vnode.h>
#include <sys/proc.h>
#include <sys/extattr.h>
#include <security/audit/audit.h>
#include <security/mac/mac_framework.h>
/*
* Syscall to push extended attribute configuration information into the VFS.
* Accepts a path, which it converts to a mountpoint, as well as a command
* (int cmd), and attribute name and misc data.
*
* Currently this is used only by UFS1 extended attributes.
*/
int
sys_extattrctl(td, uap)
struct thread *td;
struct extattrctl_args /* {
const char *path;
int cmd;
const char *filename;
int attrnamespace;
const char *attrname;
} */ *uap;
{
struct vnode *filename_vp;
struct nameidata nd;
struct mount *mp, *mp_writable;
char attrname[EXTATTR_MAXNAMELEN];
int error;
AUDIT_ARG_CMD(uap->cmd);
AUDIT_ARG_VALUE(uap->attrnamespace);
/*
* uap->attrname is not always defined. We check again later when we
* invoke the VFS call so as to pass in NULL there if needed.
*/
if (uap->attrname != NULL) {
error = copyinstr(uap->attrname, attrname, EXTATTR_MAXNAMELEN,
NULL);
if (error)
return (error);
}
AUDIT_ARG_TEXT(attrname);
mp = NULL;
filename_vp = NULL;
if (uap->filename != NULL) {
NDINIT(&nd, LOOKUP, FOLLOW | AUDITVNODE2,
UIO_USERSPACE, uap->filename, td);
error = namei(&nd);
if (error)
return (error);
filename_vp = nd.ni_vp;
NDFREE(&nd, NDF_NO_VP_RELE);
}
/* uap->path is always defined. */
NDINIT(&nd, LOOKUP, FOLLOW | LOCKLEAF | AUDITVNODE1,
UIO_USERSPACE, uap->path, td);
error = namei(&nd);
if (error)
goto out;
mp = nd.ni_vp->v_mount;
error = vfs_busy(mp, 0);
if (error) {
NDFREE(&nd, 0);
mp = NULL;
goto out;
}
VOP_UNLOCK(nd.ni_vp, 0);
error = vn_start_write(nd.ni_vp, &mp_writable, V_WAIT | PCATCH);
NDFREE(&nd, NDF_NO_VP_UNLOCK);
if (error)
goto out;
if (filename_vp != NULL) {
/*
* uap->filename is not always defined. If it is,
* grab a vnode lock, which VFS_EXTATTRCTL() will
* later release.
*/
error = vn_lock(filename_vp, LK_EXCLUSIVE);
if (error) {
vn_finished_write(mp_writable);
goto out;
}
}
error = VFS_EXTATTRCTL(mp, uap->cmd, filename_vp, uap->attrnamespace,
uap->attrname != NULL ? attrname : NULL);
vn_finished_write(mp_writable);
out:
if (mp != NULL)
vfs_unbusy(mp);
/*
* VFS_EXTATTRCTL will have unlocked, but not de-ref'd, filename_vp,
* so vrele it if it is defined.
*/
if (filename_vp != NULL)
vrele(filename_vp);
return (error);
}
/*-
* Set a named extended attribute on a file or directory
*
* Arguments: unlocked vnode "vp", attribute namespace "attrnamespace",
* kernelspace string pointer "attrname", userspace buffer
* pointer "data", buffer length "nbytes", thread "td".
* Returns: 0 on success, an error number otherwise
* Locks: none
* References: vp must be a valid reference for the duration of the call
*/
static int
extattr_set_vp(struct vnode *vp, int attrnamespace, const char *attrname,
void *data, size_t nbytes, struct thread *td)
{
struct mount *mp;
struct uio auio;
struct iovec aiov;
ssize_t cnt;
int error;
error = vn_start_write(vp, &mp, V_WAIT | PCATCH);
if (error)
return (error);
vn_lock(vp, LK_EXCLUSIVE | LK_RETRY);
aiov.iov_base = data;
aiov.iov_len = nbytes;
auio.uio_iov = &aiov;
auio.uio_iovcnt = 1;
auio.uio_offset = 0;
if (nbytes > IOSIZE_MAX) {
error = EINVAL;
goto done;
}
auio.uio_resid = nbytes;
auio.uio_rw = UIO_WRITE;
auio.uio_segflg = UIO_USERSPACE;
auio.uio_td = td;
cnt = nbytes;
#ifdef MAC
|
2007-10-24 19:04:04 +00:00
|
|
|
error = mac_vnode_check_setextattr(td->td_ucred, vp, attrnamespace,
|
2009-03-08 12:32:06 +00:00
|
|
|
attrname);
if (error)
|
|
|
|
goto done;
|
|
|
|
#endif
|
|
|
|
|
2001-03-31 16:20:05 +00:00
|
|
|
error = VOP_SETEXTATTR(vp, attrnamespace, attrname, &auio,
|
2002-02-27 18:32:23 +00:00
|
|
|
td->td_ucred, td);
|
1999-12-19 06:08:07 +00:00
|
|
|
cnt -= auio.uio_resid;
|
2001-09-12 08:38:13 +00:00
|
|
|
td->td_retval[0] = cnt;
done:
|
2008-01-13 14:44:15 +00:00
|
|
|
VOP_UNLOCK(vp, 0);
|
2000-07-11 22:07:57 +00:00
|
|
|
vn_finished_write(mp);
|
1999-12-19 06:08:07 +00:00
|
|
|
return (error);
|
|
|
|
}
/*
 * Set a named extended attribute on the file referenced by the descriptor
 * uap->fd.
 *
 * The attribute name is copied in from user space into a buffer of
 * EXTATTR_MAXNAMELEN bytes (the copy is bounded to that size).  The
 * descriptor is resolved with getvnode() while requesting the
 * CAP_EXTATTR_SET capability right.  The fd, the namespace and the name
 * are recorded for audit before the vnode is resolved.  The write itself
 * is delegated to extattr_set_vp().
 *
 * uap layout:	int fd; int attrnamespace; const char *attrname;
 *		void *data; size_t nbytes.
 *
 * Returns: 0 on success, an error number otherwise.
 */
int
sys_extattr_set_fd(struct thread *td, struct extattr_set_fd_args *uap)
{
	char attrname[EXTATTR_MAXNAMELEN];
	cap_rights_t caprights;
	struct file *filep;
	int rc;

	AUDIT_ARG_FD(uap->fd);
	AUDIT_ARG_VALUE(uap->attrnamespace);

	/* Bounded copy of the user-supplied attribute name. */
	rc = copyinstr(uap->attrname, attrname, EXTATTR_MAXNAMELEN, NULL);
	if (rc != 0)
		return (rc);
	AUDIT_ARG_TEXT(attrname);

	/* CAP_EXTATTR_SET is the right requested of the descriptor. */
	rc = getvnode(td->td_proc->p_fd, uap->fd,
	    cap_rights_init(&caprights, CAP_EXTATTR_SET), &filep);
	if (rc != 0)
		return (rc);

	rc = extattr_set_vp(filep->f_vnode, uap->attrnamespace, attrname,
	    uap->data, uap->nbytes, td);
	/* Release the file obtained from getvnode() on every outcome. */
	fdrop(filep, td);
	return (rc);
}
/*
 * Set a named extended attribute on the file named by uap->path.
 *
 * The pathname lookup follows symbolic links (FOLLOW); compare
 * sys_extattr_set_link(), which does not.  The namespace and attribute
 * name are audited here; the path and vnode are audited by the lookup
 * via AUDITVNODE1.  The attribute name is copied in from user space into
 * a buffer of EXTATTR_MAXNAMELEN bytes.  The write itself is delegated
 * to extattr_set_vp().
 *
 * uap layout:	const char *path; int attrnamespace; const char *attrname;
 *		void *data; size_t nbytes.
 *
 * Returns: 0 on success, an error number otherwise.
 */
int
sys_extattr_set_file(struct thread *td, struct extattr_set_file_args *uap)
{
	char attrname[EXTATTR_MAXNAMELEN];
	struct nameidata ndata;
	int rc;

	AUDIT_ARG_VALUE(uap->attrnamespace);

	/* Bounded copy of the user-supplied attribute name. */
	rc = copyinstr(uap->attrname, attrname, EXTATTR_MAXNAMELEN, NULL);
	if (rc != 0)
		return (rc);
	AUDIT_ARG_TEXT(attrname);

	NDINIT(&ndata, LOOKUP, FOLLOW | AUDITVNODE1, UIO_USERSPACE, uap->path,
	    td);
	rc = namei(&ndata);
	if (rc != 0)
		return (rc);
	/* Only the pathname buffer is freed; ni_vp is used until vrele(). */
	NDFREE(&ndata, NDF_ONLY_PNBUF);

	rc = extattr_set_vp(ndata.ni_vp, uap->attrnamespace, attrname,
	    uap->data, uap->nbytes, td);
	vrele(ndata.ni_vp);
	return (rc);
}
/*
 * Set a named extended attribute on the object named by uap->path
 * without following a trailing symbolic link (NOFOLLOW); compare
 * sys_extattr_set_file(), which follows links.
 *
 * The namespace and attribute name are audited here; the path and vnode
 * are audited by the lookup via AUDITVNODE1.  The attribute name is
 * copied in from user space into a buffer of EXTATTR_MAXNAMELEN bytes.
 * The write itself is delegated to extattr_set_vp().
 *
 * uap layout:	const char *path; int attrnamespace; const char *attrname;
 *		void *data; size_t nbytes.
 *
 * Returns: 0 on success, an error number otherwise.
 */
int
sys_extattr_set_link(struct thread *td, struct extattr_set_link_args *uap)
{
	char attrname[EXTATTR_MAXNAMELEN];
	struct nameidata ndata;
	int rc;

	AUDIT_ARG_VALUE(uap->attrnamespace);

	/* Bounded copy of the user-supplied attribute name. */
	rc = copyinstr(uap->attrname, attrname, EXTATTR_MAXNAMELEN, NULL);
	if (rc != 0)
		return (rc);
	AUDIT_ARG_TEXT(attrname);

	NDINIT(&ndata, LOOKUP, NOFOLLOW | AUDITVNODE1, UIO_USERSPACE,
	    uap->path, td);
	rc = namei(&ndata);
	if (rc != 0)
		return (rc);
	/* Only the pathname buffer is freed; ni_vp is used until vrele(). */
	NDFREE(&ndata, NDF_ONLY_PNBUF);

	rc = extattr_set_vp(ndata.ni_vp, uap->attrnamespace, attrname,
	    uap->data, uap->nbytes, td);
	vrele(ndata.ni_vp);
	return (rc);
}
/*-
* Get a named extended attribute on a file or directory
|
2004-01-11 19:52:10 +00:00
|
|
|
*
|
2001-03-31 16:20:05 +00:00
|
|
|
* Arguments: unlocked vnode "vp", attribute namespace "attrnamespace",
* kernelspace string pointer "attrname", userspace buffer
|
|
|
|
* pointer "data", buffer length "nbytes", thread "td".
|
2001-03-31 16:20:05 +00:00
|
|
|
* Returns: 0 on success, an error number otherwise
|
|
|
|
* Locks: none
|
|
|
|
* References: vp must be a valid reference for the duration of the call
|
|
|
|
*/
|
|
|
|
static int
|
|
|
|
extattr_get_vp(struct vnode *vp, int attrnamespace, const char *attrname,
void *data, size_t nbytes, struct thread *td)
|
2001-03-31 16:20:05 +00:00
|
|
|
{
|
2002-04-23 01:27:38 +00:00
|
|
|
struct uio auio, *auiop;
struct iovec aiov;
|
|
|
|
ssize_t cnt;
|
2002-04-23 01:27:38 +00:00
|
|
|
size_t size, *sizep;
int error;
|
2001-03-31 16:20:05 +00:00
|
|
|
|
2013-03-30 15:09:04 +00:00
|
|
|
vn_lock(vp, LK_SHARED | LK_RETRY);
/*
|
|
|
|
* Slightly unusual semantics: if the user provides a NULL data
|
2006-12-23 00:30:03 +00:00
|
|
|
* pointer, they don't want to receive the data, just the maximum
|
|
|
|
* read length.
*/
|
2002-04-23 01:27:38 +00:00
|
|
|
auiop = NULL;
|
|
|
|
sizep = NULL;
|
|
|
|
cnt = 0;
if (data != NULL) {
|
|
|
|
aiov.iov_base = data;
|
|
|
|
aiov.iov_len = nbytes;
|
|
|
|
auio.uio_iov = &aiov;
|
2005-06-08 13:22:10 +00:00
|
|
|
auio.uio_iovcnt = 1;
auio.uio_offset = 0;
|
2012-02-21 01:05:12 +00:00
|
|
|
if (nbytes > IOSIZE_MAX) {
|
1999-12-19 06:08:07 +00:00
|
|
|
error = EINVAL;
|
|
|
|
goto done;
|
|
|
|
}
auio.uio_resid = nbytes;
|
|
|
|
auio.uio_rw = UIO_READ;
|
|
|
|
auio.uio_segflg = UIO_USERSPACE;
|
|
|
|
auio.uio_td = td;
|
2002-04-23 01:27:38 +00:00
|
|
|
auiop = &auio;
cnt = nbytes;
|
2004-06-24 17:22:29 +00:00
|
|
|
} else
|
2002-04-23 01:27:38 +00:00
|
|
|
sizep = &size;
#ifdef MAC
|
2007-10-24 19:04:04 +00:00
|
|
|
error = mac_vnode_check_getextattr(td->td_ucred, vp, attrnamespace,
|
2009-03-08 12:32:06 +00:00
|
|
|
attrname);
if (error)
|
|
|
|
goto done;
|
|
|
|
#endif
|
|
|
|
|
2002-04-23 01:27:38 +00:00
|
|
|
error = VOP_GETEXTATTR(vp, attrnamespace, attrname, auiop, sizep,
|
|
|
|
td->td_ucred, td);
|
|
|
|
|
|
|
|
if (auiop != NULL) {
|
|
|
|
cnt -= auio.uio_resid;
|
|
|
|
td->td_retval[0] = cnt;
|
2004-06-24 17:22:29 +00:00
|
|
|
} else
|
|
|
|
td->td_retval[0] = size;
|
2002-04-23 01:27:38 +00:00
|
|
|
|
1999-12-19 06:08:07 +00:00
|
|
|
done:
|
2008-01-13 14:44:15 +00:00
|
|
|
VOP_UNLOCK(vp, 0);
|
2001-03-31 16:20:05 +00:00
|
|
|
return (error);
|
|
|
|
}
|
|
|
|
|
|
|
|
/*
 * extattr_get_fd(2): read a named extended attribute from the vnode behind
 * an open file descriptor.  uap carries "fd", "attrnamespace", "attrname",
 * "data" and "nbytes"; the byte count result is stored in td->td_retval[0]
 * by extattr_get_vp().
 *
 * Nothing in this wrapper consults the descriptor's open mode (fp->f_flag);
 * authorization of the read itself is left to extattr_get_vp() (its MAC hook
 * and the filesystem's VOP).
 */
int
sys_extattr_get_fd(struct thread *td, struct extattr_get_fd_args *uap)
{
	char attrname[EXTATTR_MAXNAMELEN];
	cap_rights_t rights;
	struct file *fp;
	int error;

	AUDIT_ARG_FD(uap->fd);
	AUDIT_ARG_VALUE(uap->attrnamespace);
	/*
	 * Bring the name into a bounded kernel buffer before anything else
	 * looks at it.  copyinstr(9) is expected to report an error for a
	 * name that does not fit rather than truncate it.
	 */
	error = copyinstr(uap->attrname, attrname, EXTATTR_MAXNAMELEN, NULL);
	if (error != 0)
		return (error);
	/* Audit the kernel copy, so the record matches what is actually used. */
	AUDIT_ARG_TEXT(attrname);

	/* getvnode() requires the descriptor to carry CAP_EXTATTR_GET. */
	cap_rights_init(&rights, CAP_EXTATTR_GET);
	error = getvnode(td->td_proc->p_fd, uap->fd, &rights, &fp);
	if (error != 0)
		return (error);

	error = extattr_get_vp(fp->f_vnode, uap->attrnamespace, attrname,
	    uap->data, uap->nbytes, td);
	/* Release the file reference taken by getvnode() on every path. */
	fdrop(fp, td);
	return (error);
}
|
|
|
|
|
|
|
|
/*
 * extattr_get_file(2): read a named extended attribute from the file named
 * by a user path.  uap carries "path", "attrnamespace", "attrname", "data"
 * and "nbytes"; a trailing symbolic link is followed (FOLLOW).
 *
 * NOTE(review): no capability right is checked on this path-based entry;
 * any capability-mode restriction would have to come from namei() -- confirm.
 */
int
sys_extattr_get_file(struct thread *td, struct extattr_get_file_args *uap)
{
	char attrname[EXTATTR_MAXNAMELEN];
	struct nameidata nd;
	int error;

	AUDIT_ARG_VALUE(uap->attrnamespace);
	/* Bounded copy of the user-supplied name before it is used anywhere. */
	error = copyinstr(uap->attrname, attrname, EXTATTR_MAXNAMELEN, NULL);
	if (error != 0)
		return (error);
	AUDIT_ARG_TEXT(attrname);

	NDINIT(&nd, LOOKUP, FOLLOW | AUDITVNODE1, UIO_USERSPACE, uap->path, td);
	error = namei(&nd);
	if (error != 0)
		return (error);
	/* Only the pathname buffer is freed here; the vnode reference is kept. */
	NDFREE(&nd, NDF_ONLY_PNBUF);

	error = extattr_get_vp(nd.ni_vp, uap->attrnamespace, attrname,
	    uap->data, uap->nbytes, td);
	vrele(nd.ni_vp);
	return (error);
}
|
|
|
|
|
2002-10-09 21:48:22 +00:00
|
|
|
/*
 * extattr_get_link(2): like extattr_get_file(2), except that a symbolic
 * link at the end of "path" is operated on itself rather than followed
 * (NOFOLLOW).  uap carries "path", "attrnamespace", "attrname", "data" and
 * "nbytes".
 *
 * NOTE(review): no capability right is checked on this path-based entry;
 * any capability-mode restriction would have to come from namei() -- confirm.
 */
int
sys_extattr_get_link(struct thread *td, struct extattr_get_link_args *uap)
{
	char attrname[EXTATTR_MAXNAMELEN];
	struct nameidata nd;
	int error;

	AUDIT_ARG_VALUE(uap->attrnamespace);
	error = copyinstr(uap->attrname, attrname, EXTATTR_MAXNAMELEN, NULL);
	if (error != 0)
		return (error);
	/* Audit the kernel copy, not the user pointer. */
	AUDIT_ARG_TEXT(attrname);

	NDINIT(&nd, LOOKUP, NOFOLLOW | AUDITVNODE1, UIO_USERSPACE, uap->path,
	    td);
	error = namei(&nd);
	if (error != 0)
		return (error);
	/* Only the pathname buffer is freed here; the vnode reference is kept. */
	NDFREE(&nd, NDF_ONLY_PNBUF);

	error = extattr_get_vp(nd.ni_vp, uap->attrnamespace, attrname,
	    uap->data, uap->nbytes, td);
	vrele(nd.ni_vp);
	return (error);
}
|
|
|
|
|
1999-12-19 06:08:07 +00:00
|
|
|
/*
 * extattr_delete_vp(): Delete a named extended attribute on a file or
 * directory.
 *
 * Arguments: unlocked vnode "vp", attribute namespace "attrnamespace",
 *            kernelspace string pointer "attrname", thread "td"
 * Returns: 0 on success, an error number otherwise
 * Locks: none held on entry; vp is locked exclusively around the VOP
 *        and unlocked again before return
 * References: vp must be a valid reference for the duration of the call
 */
static int
extattr_delete_vp(struct vnode *vp, int attrnamespace, const char *attrname,
    struct thread *td)
{
	struct mount *mp;
	int error;

	/*
	 * Register the write with the mount before taking the vnode lock
	 * (filesystem suspension is waited for here, interruptibly).
	 */
	error = vn_start_write(vp, &mp, V_WAIT | PCATCH);
	if (error)
		return (error);
	vn_lock(vp, LK_EXCLUSIVE | LK_RETRY);

#ifdef MAC
	/* MAC policies may veto the deletion before the filesystem sees it. */
	error = mac_vnode_check_deleteextattr(td->td_ucred, vp, attrnamespace,
	    attrname);
	if (error)
		goto done;
#endif

	error = VOP_DELETEEXTATTR(vp, attrnamespace, attrname, td->td_ucred,
	    td);
	/*
	 * A filesystem without a native delete operation is asked to set the
	 * attribute with no data instead.  The MAC decision already made above
	 * is the "delete" one; this fallback is only the filesystem-level
	 * encoding of the same operation.
	 */
	if (error == EOPNOTSUPP)
		error = VOP_SETEXTATTR(vp, attrnamespace, attrname, NULL,
		    td->td_ucred, td);
#ifdef MAC
/* Label only exists when MAC is built in, so it is never left unused. */
done:
#endif
	VOP_UNLOCK(vp, 0);
	vn_finished_write(mp);
	return (error);
}
|
|
|
|
|
1999-12-19 06:08:07 +00:00
|
|
|
/*
 * extattr_delete_fd(2): remove a named extended attribute from the vnode
 * behind an open file descriptor.  uap carries "fd", "attrnamespace" and
 * "attrname".
 *
 * Nothing in this wrapper consults the descriptor's open mode (fp->f_flag);
 * the decision is left to extattr_delete_vp() (MAC hook and filesystem).
 */
int
sys_extattr_delete_fd(struct thread *td, struct extattr_delete_fd_args *uap)
{
	char attrname[EXTATTR_MAXNAMELEN];
	cap_rights_t rights;
	struct file *fp;
	int error;

	AUDIT_ARG_FD(uap->fd);
	AUDIT_ARG_VALUE(uap->attrnamespace);
	/* Bounded copy of the user-supplied name before it is used anywhere. */
	error = copyinstr(uap->attrname, attrname, EXTATTR_MAXNAMELEN, NULL);
	if (error != 0)
		return (error);
	AUDIT_ARG_TEXT(attrname);

	/* getvnode() requires the descriptor to carry CAP_EXTATTR_DELETE. */
	cap_rights_init(&rights, CAP_EXTATTR_DELETE);
	error = getvnode(td->td_proc->p_fd, uap->fd, &rights, &fp);
	if (error != 0)
		return (error);

	error = extattr_delete_vp(fp->f_vnode, uap->attrnamespace,
	    attrname, td);
	/* Release the file reference taken by getvnode(). */
	fdrop(fp, td);
	return (error);
}
|
2001-03-31 16:20:05 +00:00
|
|
|
|
|
|
|
/*
 * extattr_delete_file(2): remove a named extended attribute from the file
 * named by a user path.  uap carries "path", "attrnamespace" and
 * "attrname"; a trailing symbolic link is followed (FOLLOW).
 *
 * NOTE(review): no capability right is checked on this path-based entry;
 * any capability-mode restriction would have to come from namei() -- confirm.
 */
int
sys_extattr_delete_file(struct thread *td, struct extattr_delete_file_args *uap)
{
	char attrname[EXTATTR_MAXNAMELEN];
	struct nameidata nd;
	int error;

	AUDIT_ARG_VALUE(uap->attrnamespace);
	error = copyinstr(uap->attrname, attrname, EXTATTR_MAXNAMELEN, NULL);
	if (error != 0)
		return (error);
	/* Audit the kernel copy, not the user pointer. */
	AUDIT_ARG_TEXT(attrname);

	NDINIT(&nd, LOOKUP, FOLLOW | AUDITVNODE1, UIO_USERSPACE, uap->path, td);
	error = namei(&nd);
	if (error != 0)
		return (error);
	/* Only the pathname buffer is freed here; the vnode reference is kept. */
	NDFREE(&nd, NDF_ONLY_PNBUF);

	error = extattr_delete_vp(nd.ni_vp, uap->attrnamespace, attrname, td);
	vrele(nd.ni_vp);
	return (error);
}
|
2002-10-09 21:48:22 +00:00
|
|
|
|
|
|
|
/*
 * extattr_delete_link(2): like extattr_delete_file(2), except that a
 * symbolic link at the end of "path" is operated on itself rather than
 * followed (NOFOLLOW).  uap carries "path", "attrnamespace" and "attrname".
 *
 * NOTE(review): no capability right is checked on this path-based entry;
 * any capability-mode restriction would have to come from namei() -- confirm.
 */
int
sys_extattr_delete_link(struct thread *td, struct extattr_delete_link_args *uap)
{
	char attrname[EXTATTR_MAXNAMELEN];
	struct nameidata nd;
	int error;

	AUDIT_ARG_VALUE(uap->attrnamespace);
	/* Bounded copy of the user-supplied name before it is used anywhere. */
	error = copyinstr(uap->attrname, attrname, EXTATTR_MAXNAMELEN, NULL);
	if (error != 0)
		return (error);
	AUDIT_ARG_TEXT(attrname);

	NDINIT(&nd, LOOKUP, NOFOLLOW | AUDITVNODE1, UIO_USERSPACE, uap->path, td);
	error = namei(&nd);
	if (error != 0)
		return (error);
	/* Only the pathname buffer is freed here; the vnode reference is kept. */
	NDFREE(&nd, NDF_ONLY_PNBUF);

	error = extattr_delete_vp(nd.ni_vp, uap->attrnamespace, attrname, td);
	vrele(nd.ni_vp);
	return (error);
}
|
2003-06-04 03:57:28 +00:00
|
|
|
|
2010-07-18 20:57:53 +00:00
|
|
|
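/*-
 * Retrieve a list of extended attributes on a file or directory.
 *
 * Arguments: unlocked vnode "vp", attribute namespace "attrnamespace",
 *            userspace buffer pointer "data", buffer length "nbytes",
 *            thread "td".
 * Returns: 0 on success, an error number otherwise.  On success the byte
 *          count is left in td->td_retval[0]: the number of bytes copied
 *          into "data" when it is non-NULL, otherwise the size reported
 *          by the filesystem for the whole list.
 * Locks: none held on entry; vp is locked exclusively around the VOP
 * References: vp must be a valid reference for the duration of the call
 */
static int
extattr_list_vp(struct vnode *vp, int attrnamespace, void *data,
    size_t nbytes, struct thread *td)
{
	struct uio auio, *auiop;
	size_t size, *sizep;
	struct iovec aiov;
	ssize_t cnt;
	int error;

	vn_lock(vp, LK_EXCLUSIVE | LK_RETRY);

	auiop = NULL;
	sizep = NULL;
	cnt = 0;
	/*
	 * Initialised so that a failing or unsupported VOP_LISTEXTATTR()
	 * (which may never write through sizep) cannot leave an indeterminate
	 * value to be stored into td_retval[0] below.
	 */
	size = 0;
	if (data != NULL) {
		aiov.iov_base = data;
		aiov.iov_len = nbytes;
		auio.uio_iov = &aiov;
		auio.uio_iovcnt = 1;
		auio.uio_offset = 0;
		/*
		 * Bound the user-supplied length before it becomes the
		 * (signed) uio_resid / cnt.
		 */
		if (nbytes > IOSIZE_MAX) {
			error = EINVAL;
			goto done;
		}
		auio.uio_resid = nbytes;
		auio.uio_rw = UIO_READ;
		auio.uio_segflg = UIO_USERSPACE;
		auio.uio_td = td;
		auiop = &auio;
		cnt = nbytes;
	} else
		sizep = &size;

#ifdef MAC
	/* MAC policies may veto the listing before the filesystem sees it. */
	error = mac_vnode_check_listextattr(td->td_ucred, vp, attrnamespace);
	if (error)
		goto done;
#endif

	error = VOP_LISTEXTATTR(vp, attrnamespace, auiop, sizep,
	    td->td_ucred, td);

	if (auiop != NULL) {
		/* Bytes actually transferred = requested - what is left. */
		cnt -= auio.uio_resid;
		td->td_retval[0] = cnt;
	} else
		td->td_retval[0] = size;

done:
	VOP_UNLOCK(vp, 0);
	return (error);
}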
|
|
|
|
|
|
|
|
|
|
|
|
/*
 * sys_extattr_list_fd: list the names of the extended attributes stored on
 * the vnode behind an open file descriptor.
 *
 * Arguments (struct extattr_list_fd_args):
 *	fd		descriptor to operate on
 *	attrnamespace	EXTATTR_NAMESPACE_* selector
 *	data		user buffer receiving the name list, or NULL to
 *			query the required size only
 *	nbytes		size of that buffer
 *
 * The descriptor is resolved with getvnode(), which is handed the
 * CAP_EXTATTR_LIST right, so a capability-mode descriptor that lacks that
 * right is expected to be refused here before any attribute data is
 * touched.  The real work (vnode locking, the IOSIZE_MAX bound on nbytes,
 * the MAC check and VOP_LISTEXTATTR) lives in extattr_list_vp(), which also
 * stores the resulting byte count in td->td_retval[0].  The file reference
 * taken by getvnode() is released on every path after the lookup succeeds.
 *
 * Returns 0 on success or an errno value.
 */
int
sys_extattr_list_fd(struct thread *td, struct extattr_list_fd_args *uap)
{
	cap_rights_t rights;
	struct file *fp;
	int error;

	AUDIT_ARG_FD(uap->fd);
	AUDIT_ARG_VALUE(uap->attrnamespace);

	/* Fails closed: no descriptor, no CAP_EXTATTR_LIST, no attributes. */
	error = getvnode(td->td_proc->p_fd, uap->fd,
	    cap_rights_init(&rights, CAP_EXTATTR_LIST), &fp);
	if (error != 0)
		return (error);

	error = extattr_list_vp(fp->f_vnode, uap->attrnamespace, uap->data,
	    uap->nbytes, td);

	/* Drop the reference getvnode() gave us, whether or not the list failed. */
	fdrop(fp, td);
	return (error);
}
/*
 * sys_extattr_list_file: list the names of the extended attributes stored on
 * the file named by a user-space path, following symbolic links.
 *
 * Arguments (struct extattr_list_file_args):
 *	path		user-space pathname
 *	attrnamespace	EXTATTR_NAMESPACE_* selector
 *	data		user buffer receiving the name list, or NULL to
 *			query the required size only
 *	nbytes		size of that buffer
 *
 * The lookup uses FOLLOW | AUDITVNODE1 so the final vnode (not the link
 * itself) is used and is recorded in the audit record.  The pathname buffer
 * is released immediately after namei(); only the vnode reference survives
 * until extattr_list_vp() has returned.  sys_extattr_list_link() is the
 * NOFOLLOW counterpart of this call.
 *
 * Returns 0 on success (byte count in td->td_retval[0], set by
 * extattr_list_vp()) or an errno value.
 */
int
sys_extattr_list_file(struct thread *td, struct extattr_list_file_args *uap)
{
	struct nameidata nd;
	int error;

	AUDIT_ARG_VALUE(uap->attrnamespace);

	NDINIT(&nd, LOOKUP, FOLLOW | AUDITVNODE1, UIO_USERSPACE, uap->path, td);
	error = namei(&nd);
	if (error != 0)
		return (error);
	/* Keep the vnode, free the path buffer. */
	NDFREE(&nd, NDF_ONLY_PNBUF);

	error = extattr_list_vp(nd.ni_vp, uap->attrnamespace, uap->data,
	    uap->nbytes, td);

	/* Release the reference namei() returned to us. */
	vrele(nd.ni_vp);
	return (error);
}
/*
 * sys_extattr_list_link: list the names of the extended attributes stored on
 * the object named by a user-space path WITHOUT following a trailing
 * symbolic link, i.e. the attributes of the link itself are listed.
 *
 * Arguments (struct extattr_list_link_args):
 *	path		user-space pathname
 *	attrnamespace	EXTATTR_NAMESPACE_* selector
 *	data		user buffer receiving the name list, or NULL to
 *			query the required size only
 *	nbytes		size of that buffer
 *
 * Identical to sys_extattr_list_file() except for NOFOLLOW in the NDINIT()
 * flags; AUDITVNODE1 still records the resolved vnode in the audit record.
 * The pathname buffer is freed right after namei() and only the vnode
 * reference is held across extattr_list_vp().
 *
 * Returns 0 on success (byte count in td->td_retval[0], set by
 * extattr_list_vp()) or an errno value.
 */
int
sys_extattr_list_link(struct thread *td, struct extattr_list_link_args *uap)
{
	struct nameidata nd;
	int error;

	AUDIT_ARG_VALUE(uap->attrnamespace);

	NDINIT(&nd, LOOKUP, NOFOLLOW | AUDITVNODE1, UIO_USERSPACE, uap->path,
	    td);
	error = namei(&nd);
	if (error != 0)
		return (error);
	/* Keep the vnode, free the path buffer. */
	NDFREE(&nd, NDF_ONLY_PNBUF);

	error = extattr_list_vp(nd.ni_vp, uap->attrnamespace, uap->data,
	    uap->nbytes, td);

	/* Release the reference namei() returned to us. */
	vrele(nd.ni_vp);
	return (error);
}