open(2): Remove O_BENEATH and AT_BENEATH
with the reasoning that the flags did not work properly, and were not shipped in a release. O_RESOLVE_BENEATH is kept as useful. Reviewed by: markj Tested by: arichardson, pho Sponsored by: The FreeBSD Foundation MFC after: 1 week Differential revision: https://reviews.freebsd.org/D28907
parent
600756afb5
commit
20e91ca36a
@ -28,7 +28,7 @@
|
|||||||
.\" @(#)access.2 8.2 (Berkeley) 4/1/94
|
.\" @(#)access.2 8.2 (Berkeley) 4/1/94
|
||||||
.\" $FreeBSD$
|
.\" $FreeBSD$
|
||||||
.\"
|
.\"
|
||||||
.Dd September 23, 2020
|
.Dd February 23, 2021
|
||||||
.Dt ACCESS 2
|
.Dt ACCESS 2
|
||||||
.Os
|
.Os
|
||||||
.Sh NAME
|
.Sh NAME
|
||||||
@ -120,15 +120,10 @@ list, defined in
|
|||||||
The checks for accessibility are performed using the effective user and group
|
The checks for accessibility are performed using the effective user and group
|
||||||
IDs instead of the real user and group ID as required in a call to
|
IDs instead of the real user and group ID as required in a call to
|
||||||
.Fn access .
|
.Fn access .
|
||||||
.It Dv AT_BENEATH
|
|
||||||
Only operate on files and directories below the topping directory.
|
|
||||||
See the description of the
|
|
||||||
.Dv O_BENEATH
|
|
||||||
flag in the
|
|
||||||
.Xr open 2
|
|
||||||
manual page.
|
|
||||||
.It Dv AT_RESOLVE_BENEATH
|
.It Dv AT_RESOLVE_BENEATH
|
||||||
Only walks paths below the topping directory.
|
Only walk paths below the directory specified by the
|
||||||
|
.Ar fd
|
||||||
|
descriptor.
|
||||||
See the description of the
|
See the description of the
|
||||||
.Dv O_RESOLVE_BENEATH
|
.Dv O_RESOLVE_BENEATH
|
||||||
flag in the
|
flag in the
|
||||||
@ -218,17 +213,6 @@ or contained a ".." component leading to a
|
|||||||
directory outside of the directory hierarchy specified by
|
directory outside of the directory hierarchy specified by
|
||||||
.Fa fd ,
|
.Fa fd ,
|
||||||
and the process is in capability mode.
|
and the process is in capability mode.
|
||||||
.It Bq Er ENOTCAPABLE
|
|
||||||
The
|
|
||||||
.Dv AT_BENEATH
|
|
||||||
flag was provided to
|
|
||||||
.Fn faccessat ,
|
|
||||||
and the absolute
|
|
||||||
.Fa path
|
|
||||||
does not have its tail fully contained under the topping directory,
|
|
||||||
or the relative
|
|
||||||
.Fa path
|
|
||||||
escapes it.
|
|
||||||
.El
|
.El
|
||||||
.Sh SEE ALSO
|
.Sh SEE ALSO
|
||||||
.Xr chmod 2 ,
|
.Xr chmod 2 ,
|
||||||
|
@ -28,7 +28,7 @@
|
|||||||
.\" @(#)chflags.2 8.3 (Berkeley) 5/2/95
|
.\" @(#)chflags.2 8.3 (Berkeley) 5/2/95
|
||||||
.\" $FreeBSD$
|
.\" $FreeBSD$
|
||||||
.\"
|
.\"
|
||||||
.Dd September 23, 2020
|
.Dd February 23, 2021
|
||||||
.Dt CHFLAGS 2
|
.Dt CHFLAGS 2
|
||||||
.Os
|
.Os
|
||||||
.Sh NAME
|
.Sh NAME
|
||||||
@ -94,16 +94,10 @@ defined in
|
|||||||
If
|
If
|
||||||
.Fa path
|
.Fa path
|
||||||
names a symbolic link, then the flags of the symbolic link are changed.
|
names a symbolic link, then the flags of the symbolic link are changed.
|
||||||
.It Dv AT_BENEATH
|
|
||||||
Only allow to change flags for a file which is beneath of
|
|
||||||
the topping directory.
|
|
||||||
See the description of the
|
|
||||||
.Dv O_BENEATH
|
|
||||||
flag in the
|
|
||||||
.Xr open 2
|
|
||||||
manual page.
|
|
||||||
.It Dv AT_RESOLVE_BENEATH
|
.It Dv AT_RESOLVE_BENEATH
|
||||||
Only walks paths below the topping directory.
|
Only walk paths below the directory specified by the
|
||||||
|
.Ar fd
|
||||||
|
descriptor.
|
||||||
See the description of the
|
See the description of the
|
||||||
.Dv O_RESOLVE_BENEATH
|
.Dv O_RESOLVE_BENEATH
|
||||||
flag in the
|
flag in the
|
||||||
@ -327,18 +321,9 @@ is an absolute path,
|
|||||||
or contained a ".." component leading to a
|
or contained a ".." component leading to a
|
||||||
directory outside of the directory hierarchy specified by
|
directory outside of the directory hierarchy specified by
|
||||||
.Fa fd ,
|
.Fa fd ,
|
||||||
and the process is in capability mode.
|
and the process is in capability mode or the
|
||||||
.It Bq Er ENOTCAPABLE
|
.Dv AT_RESOLVE_BENEATH
|
||||||
The
|
flag was specified.
|
||||||
.Dv AT_BENEATH
|
|
||||||
flag was provided to
|
|
||||||
.Fn chflagsat ,
|
|
||||||
and the absolute
|
|
||||||
.Fa path
|
|
||||||
does not have its tail fully contained under the topping directory,
|
|
||||||
or the relative
|
|
||||||
.Fa path
|
|
||||||
escapes it.
|
|
||||||
.El
|
.El
|
||||||
.Sh SEE ALSO
|
.Sh SEE ALSO
|
||||||
.Xr chflags 1 ,
|
.Xr chflags 1 ,
|
||||||
|
@ -28,7 +28,7 @@
|
|||||||
.\" @(#)chmod.2 8.1 (Berkeley) 6/4/93
|
.\" @(#)chmod.2 8.1 (Berkeley) 6/4/93
|
||||||
.\" $FreeBSD$
|
.\" $FreeBSD$
|
||||||
.\"
|
.\"
|
||||||
.Dd September 23, 2020
|
.Dd February 23, 2021
|
||||||
.Dt CHMOD 2
|
.Dt CHMOD 2
|
||||||
.Os
|
.Os
|
||||||
.Sh NAME
|
.Sh NAME
|
||||||
@ -101,16 +101,10 @@ in
|
|||||||
If
|
If
|
||||||
.Fa path
|
.Fa path
|
||||||
names a symbolic link, then the mode of the symbolic link is changed.
|
names a symbolic link, then the mode of the symbolic link is changed.
|
||||||
.It Dv AT_BENEATH
|
|
||||||
Only allow to change permissions of a file which is beneath of
|
|
||||||
the topping directory.
|
|
||||||
See the description of the
|
|
||||||
.Dv O_BENEATH
|
|
||||||
flag in the
|
|
||||||
.Xr open 2
|
|
||||||
manual page.
|
|
||||||
.It Dv AT_RESOLVE_BENEATH
|
.It Dv AT_RESOLVE_BENEATH
|
||||||
Only walks paths below the topping directory.
|
Only walk paths below the directory specified by the
|
||||||
|
.Ar fd
|
||||||
|
descriptor.
|
||||||
See the description of the
|
See the description of the
|
||||||
.Dv O_RESOLVE_BENEATH
|
.Dv O_RESOLVE_BENEATH
|
||||||
flag in the
|
flag in the
|
||||||
@ -310,18 +304,9 @@ is an absolute path,
|
|||||||
or contained a ".." component leading to a
|
or contained a ".." component leading to a
|
||||||
directory outside of the directory hierarchy specified by
|
directory outside of the directory hierarchy specified by
|
||||||
.Fa fd ,
|
.Fa fd ,
|
||||||
and the process is in capability mode.
|
and the process is in capability mode or the
|
||||||
.It Bq Er ENOTCAPABLE
|
.Dv AT_RESOLVE_BENEATH
|
||||||
The
|
flag was specified.
|
||||||
.Dv AT_BENEATH
|
|
||||||
flag was provided to
|
|
||||||
.Fn fchmodat ,
|
|
||||||
and the absolute
|
|
||||||
.Fa path
|
|
||||||
does not have its tail fully contained under the topping directory,
|
|
||||||
or the relative
|
|
||||||
.Fa path
|
|
||||||
escapes it.
|
|
||||||
.El
|
.El
|
||||||
.Sh SEE ALSO
|
.Sh SEE ALSO
|
||||||
.Xr chmod 1 ,
|
.Xr chmod 1 ,
|
||||||
|
@ -28,7 +28,7 @@
|
|||||||
.\" @(#)chown.2 8.4 (Berkeley) 4/19/94
|
.\" @(#)chown.2 8.4 (Berkeley) 4/19/94
|
||||||
.\" $FreeBSD$
|
.\" $FreeBSD$
|
||||||
.\"
|
.\"
|
||||||
.Dd September 23, 2020
|
.Dd February 23, 2021
|
||||||
.Dt CHOWN 2
|
.Dt CHOWN 2
|
||||||
.Os
|
.Os
|
||||||
.Sh NAME
|
.Sh NAME
|
||||||
@ -118,16 +118,10 @@ list, defined in
|
|||||||
If
|
If
|
||||||
.Fa path
|
.Fa path
|
||||||
names a symbolic link, ownership of the symbolic link is changed.
|
names a symbolic link, ownership of the symbolic link is changed.
|
||||||
.It Dv AT_BENEATH
|
|
||||||
Only allow to change ownership of a file which is beneath of
|
|
||||||
the topping directory.
|
|
||||||
See the description of the
|
|
||||||
.Dv O_BENEATH
|
|
||||||
flag in the
|
|
||||||
.Xr open 2
|
|
||||||
manual page.
|
|
||||||
.It Dv AT_RESOLVE_BENEATH
|
.It Dv AT_RESOLVE_BENEATH
|
||||||
Only walks paths below the topping directory.
|
Only walk paths below the directory specified by the
|
||||||
|
.Ar fd
|
||||||
|
descriptor.
|
||||||
See the description of the
|
See the description of the
|
||||||
.Dv O_RESOLVE_BENEATH
|
.Dv O_RESOLVE_BENEATH
|
||||||
flag in the
|
flag in the
|
||||||
@ -252,18 +246,9 @@ is an absolute path,
|
|||||||
or contained a ".." component leading to a
|
or contained a ".." component leading to a
|
||||||
directory outside of the directory hierarchy specified by
|
directory outside of the directory hierarchy specified by
|
||||||
.Fa fd ,
|
.Fa fd ,
|
||||||
and the process is in capability mode.
|
and the process is in capability mode or the
|
||||||
.It Bq Er ENOTCAPABLE
|
.Dv AT_RESOLVE_BENEATH
|
||||||
The
|
flag was specified.
|
||||||
.Dv AT_BENEATH
|
|
||||||
flag was provided to
|
|
||||||
.Fn fchownat ,
|
|
||||||
and the absolute
|
|
||||||
.Fa path
|
|
||||||
does not have its tail fully contained under the topping directory,
|
|
||||||
or the relative
|
|
||||||
.Fa path
|
|
||||||
escapes it.
|
|
||||||
.El
|
.El
|
||||||
.Sh SEE ALSO
|
.Sh SEE ALSO
|
||||||
.Xr chgrp 1 ,
|
.Xr chgrp 1 ,
|
||||||
|
@ -29,7 +29,7 @@
|
|||||||
.\" @(#)getfh.2 8.1 (Berkeley) 6/9/93
|
.\" @(#)getfh.2 8.1 (Berkeley) 6/9/93
|
||||||
.\" $FreeBSD$
|
.\" $FreeBSD$
|
||||||
.\"
|
.\"
|
||||||
.Dd September 23, 2020
|
.Dd February 23, 2021
|
||||||
.Dt GETFH 2
|
.Dt GETFH 2
|
||||||
.Os
|
.Os
|
||||||
.Sh NAME
|
.Sh NAME
|
||||||
@ -76,9 +76,7 @@ and
|
|||||||
.Fn lgetfh
|
.Fn lgetfh
|
||||||
except when the
|
except when the
|
||||||
.Fa path
|
.Fa path
|
||||||
specifies a relative path, or the
|
specifies a relative path.
|
||||||
.Dv AT_BENEATH
|
|
||||||
flag is provided.
|
|
||||||
For
|
For
|
||||||
.Fn getfhat
|
.Fn getfhat
|
||||||
and relative
|
and relative
|
||||||
@ -87,13 +85,6 @@ the status is retrieved from a file relative to
|
|||||||
the directory associated with the file descriptor
|
the directory associated with the file descriptor
|
||||||
.Fa fd
|
.Fa fd
|
||||||
instead of the current working directory.
|
instead of the current working directory.
|
||||||
For
|
|
||||||
.Dv AT_BENEATH
|
|
||||||
and absolute
|
|
||||||
.Fa path ,
|
|
||||||
the status is retrieved from a file specified by the
|
|
||||||
.Fa path ,
|
|
||||||
but additional permission checks are performed, see below.
|
|
||||||
.Pp
|
.Pp
|
||||||
The values for the
|
The values for the
|
||||||
.Fa flag
|
.Fa flag
|
||||||
@ -105,15 +96,10 @@ defined in
|
|||||||
If
|
If
|
||||||
.Fa path
|
.Fa path
|
||||||
names a symbolic link, the status of the symbolic link is returned.
|
names a symbolic link, the status of the symbolic link is returned.
|
||||||
.It Dv AT_BENEATH
|
|
||||||
Only stat files and directories below the topping directory.
|
|
||||||
See the description of the
|
|
||||||
.Dv O_BENEATH
|
|
||||||
flag in the
|
|
||||||
.Xr open 2
|
|
||||||
manual page.
|
|
||||||
.It Dv AT_RESOLVE_BENEATH
|
.It Dv AT_RESOLVE_BENEATH
|
||||||
Only walks paths below the topping directory.
|
Only walk paths below the directory specified by the
|
||||||
|
.Ar fd
|
||||||
|
descriptor.
|
||||||
See the description of the
|
See the description of the
|
||||||
.Dv O_RESOLVE_BENEATH
|
.Dv O_RESOLVE_BENEATH
|
||||||
flag in the
|
flag in the
|
||||||
@ -140,19 +126,10 @@ bit is set in
|
|||||||
When
|
When
|
||||||
.Fn getfhat
|
.Fn getfhat
|
||||||
is called with an absolute
|
is called with an absolute
|
||||||
.Fa path
|
.Fa path ,
|
||||||
without the
|
it ignores the
|
||||||
.Dv AT_BENEATH
|
|
||||||
flag, it ignores the
|
|
||||||
.Fa fd
|
.Fa fd
|
||||||
argument.
|
argument.
|
||||||
When
|
|
||||||
.Dv AT_BENEATH
|
|
||||||
is specified with an absolute
|
|
||||||
.Fa path ,
|
|
||||||
a directory passed by the
|
|
||||||
.Fa fd
|
|
||||||
argument is used as the topping point for the resolution.
|
|
||||||
These system calls are restricted to the superuser.
|
These system calls are restricted to the superuser.
|
||||||
.Sh RETURN VALUES
|
.Sh RETURN VALUES
|
||||||
.Rv -std
|
.Rv -std
|
||||||
|
@ -28,7 +28,7 @@
|
|||||||
.\" @(#)link.2 8.3 (Berkeley) 1/12/94
|
.\" @(#)link.2 8.3 (Berkeley) 1/12/94
|
||||||
.\" $FreeBSD$
|
.\" $FreeBSD$
|
||||||
.\"
|
.\"
|
||||||
.Dd September 23, 2020
|
.Dd February 23, 2021
|
||||||
.Dt LINK 2
|
.Dt LINK 2
|
||||||
.Os
|
.Os
|
||||||
.Sh NAME
|
.Sh NAME
|
||||||
@ -115,15 +115,10 @@ If
|
|||||||
.Fa name1
|
.Fa name1
|
||||||
names a symbolic link, a new link for the target of the symbolic link is
|
names a symbolic link, a new link for the target of the symbolic link is
|
||||||
created.
|
created.
|
||||||
.It Dv AT_BENEATH
|
|
||||||
Only allow to link to a file which is beneath of the topping directory.
|
|
||||||
See the description of the
|
|
||||||
.Dv O_BENEATH
|
|
||||||
flag in the
|
|
||||||
.Xr open 2
|
|
||||||
manual page.
|
|
||||||
.It Dv AT_RESOLVE_BENEATH
|
.It Dv AT_RESOLVE_BENEATH
|
||||||
Only walks paths below the topping directory.
|
Only walk paths below the directory specified by the
|
||||||
|
.Ar fd
|
||||||
|
descriptor.
|
||||||
See the description of the
|
See the description of the
|
||||||
.Dv O_RESOLVE_BENEATH
|
.Dv O_RESOLVE_BENEATH
|
||||||
flag in the
|
flag in the
|
||||||
@ -281,18 +276,9 @@ For example,
|
|||||||
is absolute or includes a ".." component that escapes
|
is absolute or includes a ".." component that escapes
|
||||||
the directory hierarchy specified by
|
the directory hierarchy specified by
|
||||||
.Fa fd ,
|
.Fa fd ,
|
||||||
and the process is in capability mode.
|
and the process is in capability mode or the
|
||||||
.It Bq Er ENOTCAPABLE
|
.Dv AT_RESOLVE_BENEATH
|
||||||
The
|
flag was specified.
|
||||||
.Dv AT_BENEATH
|
|
||||||
flag was provided to
|
|
||||||
.Fa linkat
|
|
||||||
and the absolute path
|
|
||||||
.Fa name1
|
|
||||||
does not have its tail fully contained under the topping directory,
|
|
||||||
or the relative path
|
|
||||||
.Fa name1
|
|
||||||
escapes it.
|
|
||||||
.El
|
.El
|
||||||
.Sh SEE ALSO
|
.Sh SEE ALSO
|
||||||
.Xr chflags 2 ,
|
.Xr chflags 2 ,
|
||||||
|
@ -28,7 +28,7 @@
|
|||||||
.\" @(#)open.2 8.2 (Berkeley) 11/16/93
|
.\" @(#)open.2 8.2 (Berkeley) 11/16/93
|
||||||
.\" $FreeBSD$
|
.\" $FreeBSD$
|
||||||
.\"
|
.\"
|
||||||
.Dd September 23, 2020
|
.Dd February 23, 2021
|
||||||
.Dt OPEN 2
|
.Dt OPEN 2
|
||||||
.Os
|
.Os
|
||||||
.Sh NAME
|
.Sh NAME
|
||||||
@ -75,9 +75,7 @@ function is equivalent to the
|
|||||||
.Fn open
|
.Fn open
|
||||||
function except in the case where the
|
function except in the case where the
|
||||||
.Fa path
|
.Fa path
|
||||||
specifies a relative path, or the
|
specifies a relative path.
|
||||||
.Dv O_BENEATH
|
|
||||||
flag is provided.
|
|
||||||
For
|
For
|
||||||
.Fn openat
|
.Fn openat
|
||||||
and relative
|
and relative
|
||||||
@ -104,28 +102,10 @@ and the behavior is identical to a call to
|
|||||||
When
|
When
|
||||||
.Fn openat
|
.Fn openat
|
||||||
is called with an absolute
|
is called with an absolute
|
||||||
.Fa path
|
.Fa path ,
|
||||||
without the
|
it ignores the
|
||||||
.Dv O_BENEATH
|
|
||||||
flag, it ignores the
|
|
||||||
.Fa fd
|
.Fa fd
|
||||||
argument.
|
argument.
|
||||||
When
|
|
||||||
.Dv O_BENEATH
|
|
||||||
is specified with an absolute
|
|
||||||
.Fa path ,
|
|
||||||
a directory passed by the
|
|
||||||
.Fa fd
|
|
||||||
argument is used as the topping point for the resolution.
|
|
||||||
When
|
|
||||||
.Dv O_BENEATH
|
|
||||||
is specified with a relative path, the
|
|
||||||
.Fa fd
|
|
||||||
argument is used both as the starting point, and as the topping point
|
|
||||||
for the resolution.
|
|
||||||
See the definition of the
|
|
||||||
.Dv O_BENEATH
|
|
||||||
flag below.
|
|
||||||
.Pp
|
.Pp
|
||||||
In
|
In
|
||||||
.Xr capsicum 4
|
.Xr capsicum 4
|
||||||
@ -137,9 +117,7 @@ The
|
|||||||
argument to
|
argument to
|
||||||
.Fn openat
|
.Fn openat
|
||||||
must be strictly relative to a file descriptor
|
must be strictly relative to a file descriptor
|
||||||
.Fa fd ,
|
.Fa fd .
|
||||||
as defined in
|
|
||||||
.Pa sys/kern/vfs_lookup.c .
|
|
||||||
.Fa path
|
.Fa path
|
||||||
must not be an absolute path and must not contain ".." components
|
must not be an absolute path and must not contain ".." components
|
||||||
which cause the path resolution to escape the directory hierarchy
|
which cause the path resolution to escape the directory hierarchy
|
||||||
@ -156,9 +134,8 @@ If the
|
|||||||
.Dv vfs.lookup_cap_dotdot
|
.Dv vfs.lookup_cap_dotdot
|
||||||
.Xr sysctl 3
|
.Xr sysctl 3
|
||||||
MIB is set to zero, ".." components in the paths,
|
MIB is set to zero, ".." components in the paths,
|
||||||
used in capability mode, or with the
|
used in capability mode,
|
||||||
.Dv O_BENEATH
|
are completely disabled.
|
||||||
flag, are completely disabled.
|
|
||||||
If the
|
If the
|
||||||
.Dv vfs.lookup_cap_dotdot_nonlocal
|
.Dv vfs.lookup_cap_dotdot_nonlocal
|
||||||
MIB is set to zero, ".." is not allowed if found on non-local filesystem.
|
MIB is set to zero, ".." is not allowed if found on non-local filesystem.
|
||||||
@ -190,8 +167,7 @@ O_TTY_INIT ignored
|
|||||||
O_DIRECTORY error if file is not a directory
|
O_DIRECTORY error if file is not a directory
|
||||||
O_CLOEXEC set FD_CLOEXEC upon open
|
O_CLOEXEC set FD_CLOEXEC upon open
|
||||||
O_VERIFY verify the contents of the file
|
O_VERIFY verify the contents of the file
|
||||||
O_BENEATH require resolved path to be strictly relative to topping directory
|
O_RESOLVE_BENEATH path resolution must not cross the fd directory
|
||||||
O_RESOLVE_BENEATH require walked path to be strictly relative to topping directory
|
|
||||||
.Ed
|
.Ed
|
||||||
.Pp
|
.Pp
|
||||||
Opening a file with
|
Opening a file with
|
||||||
@ -319,32 +295,12 @@ means is implementation specific.
|
|||||||
The run-time linker (rtld) uses this flag to ensure shared objects have
|
The run-time linker (rtld) uses this flag to ensure shared objects have
|
||||||
been verified before operating on them.
|
been verified before operating on them.
|
||||||
.Pp
|
.Pp
|
||||||
.Dv O_BENEATH
|
|
||||||
returns
|
|
||||||
.Er ENOTCAPABLE
|
|
||||||
if the specified path, after resolving all symlinks and ".."
|
|
||||||
references, does not end up with tail residing in the directory hierarchy of
|
|
||||||
children beneath the topping directory.
|
|
||||||
Topping directory is the process current directory if relative
|
|
||||||
.Fa path
|
|
||||||
is used for
|
|
||||||
.Fn open ,
|
|
||||||
and the directory referenced by the
|
|
||||||
.Fa fd
|
|
||||||
argument when using
|
|
||||||
.Fn openat .
|
|
||||||
.Dv O_BENEATH
|
|
||||||
allows arbitrary prefix that ends up at the topping directory,
|
|
||||||
after which all further resolved components must be under it.
|
|
||||||
.Pp
|
|
||||||
.Dv O_RESOLVE_BENEATH
|
.Dv O_RESOLVE_BENEATH
|
||||||
returns
|
returns
|
||||||
.Er ENOTCAPABLE
|
.Er ENOTCAPABLE
|
||||||
if any intermediate component of the specified relative path does not
|
if any intermediate component of the specified relative path does not
|
||||||
reside in the directory hierarchy beneath the topping directory.
|
reside in the directory hierarchy beneath the starting directory.
|
||||||
Comparing to
|
Absolute paths or even the temporal escape from beneath of the starting
|
||||||
.Dv O_BENEATH ,
|
|
||||||
absolute paths or even the temporal escape from beneath of the topping
|
|
||||||
directory is not allowed.
|
directory is not allowed.
|
||||||
.Pp
|
.Pp
|
||||||
When
|
When
|
||||||
@ -601,19 +557,12 @@ directory outside of the directory hierarchy specified by
|
|||||||
and the process is in capability mode.
|
and the process is in capability mode.
|
||||||
.It Bq Er ENOTCAPABLE
|
.It Bq Er ENOTCAPABLE
|
||||||
The
|
The
|
||||||
.Dv O_BENEATH
|
|
||||||
flag was provided, and the absolute
|
|
||||||
.Fa path
|
|
||||||
does not have its tail fully contained under the topping directory,
|
|
||||||
or the relative
|
|
||||||
.Fa path
|
|
||||||
escapes it.
|
|
||||||
.It Bq Er ENOTCAPABLE
|
|
||||||
The
|
|
||||||
.Dv O_RESOLVE_BENEATH
|
.Dv O_RESOLVE_BENEATH
|
||||||
flag was provided, and the relative
|
flag was provided, and the relative
|
||||||
.Fa path
|
.Fa path
|
||||||
escapes topping directory.
|
escapes the
|
||||||
|
.Ar fd
|
||||||
|
directory.
|
||||||
.El
|
.El
|
||||||
.Sh SEE ALSO
|
.Sh SEE ALSO
|
||||||
.Xr chmod 2 ,
|
.Xr chmod 2 ,
|
||||||
|
@ -28,7 +28,7 @@
|
|||||||
.\" @(#)stat.2 8.4 (Berkeley) 5/1/95
|
.\" @(#)stat.2 8.4 (Berkeley) 5/1/95
|
||||||
.\" $FreeBSD$
|
.\" $FreeBSD$
|
||||||
.\"
|
.\"
|
||||||
.Dd September 23, 2020
|
.Dd February 23, 2021
|
||||||
.Dt STAT 2
|
.Dt STAT 2
|
||||||
.Os
|
.Os
|
||||||
.Sh NAME
|
.Sh NAME
|
||||||
@ -84,9 +84,7 @@ and
|
|||||||
.Fn lstat
|
.Fn lstat
|
||||||
except when the
|
except when the
|
||||||
.Fa path
|
.Fa path
|
||||||
specifies a relative path, or the
|
specifies a relative path.
|
||||||
.Dv AT_BENEATH
|
|
||||||
flag is provided.
|
|
||||||
For
|
For
|
||||||
.Fn fstatat
|
.Fn fstatat
|
||||||
and relative
|
and relative
|
||||||
@ -95,13 +93,6 @@ the status is retrieved from a file relative to
|
|||||||
the directory associated with the file descriptor
|
the directory associated with the file descriptor
|
||||||
.Fa fd
|
.Fa fd
|
||||||
instead of the current working directory.
|
instead of the current working directory.
|
||||||
For
|
|
||||||
.Dv AT_BENEATH
|
|
||||||
and absolute
|
|
||||||
.Fa path ,
|
|
||||||
the status is retrieved from a file specified by the
|
|
||||||
.Fa path ,
|
|
||||||
but additional permission checks are performed, see below.
|
|
||||||
.Pp
|
.Pp
|
||||||
The values for the
|
The values for the
|
||||||
.Fa flag
|
.Fa flag
|
||||||
@ -113,15 +104,8 @@ defined in
|
|||||||
If
|
If
|
||||||
.Fa path
|
.Fa path
|
||||||
names a symbolic link, the status of the symbolic link is returned.
|
names a symbolic link, the status of the symbolic link is returned.
|
||||||
.It Dv AT_BENEATH
|
|
||||||
Only stat files and directories below the topping directory.
|
|
||||||
See the description of the
|
|
||||||
.Dv O_BENEATH
|
|
||||||
flag in the
|
|
||||||
.Xr open 2
|
|
||||||
manual page.
|
|
||||||
.It Dv AT_RESOLVE_BENEATH
|
.It Dv AT_RESOLVE_BENEATH
|
||||||
Only walks paths below the topping directory.
|
Only walk paths below the starting directory.
|
||||||
See the description of the
|
See the description of the
|
||||||
.Dv O_RESOLVE_BENEATH
|
.Dv O_RESOLVE_BENEATH
|
||||||
flag in the
|
flag in the
|
||||||
@ -148,19 +132,10 @@ bit is set in
|
|||||||
When
|
When
|
||||||
.Fn fstatat
|
.Fn fstatat
|
||||||
is called with an absolute
|
is called with an absolute
|
||||||
.Fa path
|
.Fa path ,
|
||||||
without the
|
it ignores the
|
||||||
.Dv AT_BENEATH
|
|
||||||
flag, it ignores the
|
|
||||||
.Fa fd
|
.Fa fd
|
||||||
argument.
|
argument.
|
||||||
When
|
|
||||||
.Dv AT_BENEATH
|
|
||||||
is specified with an absolute
|
|
||||||
.Fa path ,
|
|
||||||
a directory passed by the
|
|
||||||
.Fa fd
|
|
||||||
argument is used as the topping point for the resolution.
|
|
||||||
.Pp
|
.Pp
|
||||||
The
|
The
|
||||||
.Fa sb
|
.Fa sb
|
||||||
@ -459,18 +434,9 @@ is an absolute path,
|
|||||||
or contained a ".." component leading to a
|
or contained a ".." component leading to a
|
||||||
directory outside of the directory hierarchy specified by
|
directory outside of the directory hierarchy specified by
|
||||||
.Fa fd ,
|
.Fa fd ,
|
||||||
and the process is in capability mode.
|
and the process is in capability mode or the
|
||||||
.It Bq Er ENOTCAPABLE
|
.Dv AT_RESOLVE_BENEATH
|
||||||
The
|
flag was specified.
|
||||||
.Dv AT_BENEATH
|
|
||||||
flag was provided to
|
|
||||||
.Fn fstatat ,
|
|
||||||
and the absolute
|
|
||||||
.Fa path
|
|
||||||
does not have its tail fully contained under the topping directory,
|
|
||||||
or the relative
|
|
||||||
.Fa path
|
|
||||||
escapes it.
|
|
||||||
.El
|
.El
|
||||||
.Sh SEE ALSO
|
.Sh SEE ALSO
|
||||||
.Xr access 2 ,
|
.Xr access 2 ,
|
||||||
|
@ -28,7 +28,7 @@
|
|||||||
.\" @(#)unlink.2 8.1 (Berkeley) 6/4/93
|
.\" @(#)unlink.2 8.1 (Berkeley) 6/4/93
|
||||||
.\" $FreeBSD$
|
.\" $FreeBSD$
|
||||||
.\"
|
.\"
|
||||||
.Dd September 23, 2020
|
.Dd February 23, 2021
|
||||||
.Dt UNLINK 2
|
.Dt UNLINK 2
|
||||||
.Os
|
.Os
|
||||||
.Sh NAME
|
.Sh NAME
|
||||||
@ -92,16 +92,10 @@ Remove the directory entry specified by
|
|||||||
and
|
and
|
||||||
.Fa path
|
.Fa path
|
||||||
as a directory, not a normal file.
|
as a directory, not a normal file.
|
||||||
.It Dv AT_BENEATH
|
|
||||||
Only unlink files and directories which are beneath of the topping
|
|
||||||
directory.
|
|
||||||
See the description of the
|
|
||||||
.Dv O_BENEATH
|
|
||||||
flag in the
|
|
||||||
.Xr open 2
|
|
||||||
manual page.
|
|
||||||
.It Dv AT_RESOLVE_BENEATH
|
.It Dv AT_RESOLVE_BENEATH
|
||||||
Only walks paths below the topping directory.
|
Only walk paths below the directory specified by the
|
||||||
|
.Ar fd
|
||||||
|
descriptor.
|
||||||
See the description of the
|
See the description of the
|
||||||
.Dv O_RESOLVE_BENEATH
|
.Dv O_RESOLVE_BENEATH
|
||||||
flag in the
|
flag in the
|
||||||
@ -246,18 +240,9 @@ is an absolute path,
|
|||||||
or contained a ".." component leading to a
|
or contained a ".." component leading to a
|
||||||
directory outside of the directory hierarchy specified by
|
directory outside of the directory hierarchy specified by
|
||||||
.Fa fd ,
|
.Fa fd ,
|
||||||
and the process is in capability mode.
|
and the process is in capability mode or the
|
||||||
.It Bq Er ENOTCAPABLE
|
.Dv AT_RESOLVE_BENEATH
|
||||||
The
|
flag was specified.
|
||||||
.Dv AT_BENEATH
|
|
||||||
flag was provided to
|
|
||||||
.Fn unlinkat ,
|
|
||||||
and the absolute
|
|
||||||
.Fa path
|
|
||||||
does not have its tail fully contained under the topping directory,
|
|
||||||
or the relative
|
|
||||||
.Fa path
|
|
||||||
escapes it.
|
|
||||||
.El
|
.El
|
||||||
.Pp
|
.Pp
|
||||||
In addition to the errors returned by
|
In addition to the errors returned by
|
||||||
|
@ -31,7 +31,7 @@
|
|||||||
.\" @(#)utimes.2 8.1 (Berkeley) 6/4/93
|
.\" @(#)utimes.2 8.1 (Berkeley) 6/4/93
|
||||||
.\" $FreeBSD$
|
.\" $FreeBSD$
|
||||||
.\"
|
.\"
|
||||||
.Dd September 23, 2020
|
.Dd February 23, 2021
|
||||||
.Dt UTIMENSAT 2
|
.Dt UTIMENSAT 2
|
||||||
.Os
|
.Os
|
||||||
.Sh NAME
|
.Sh NAME
|
||||||
@ -146,16 +146,10 @@ names a symbolic link, the symbolic link's times are changed.
|
|||||||
By default,
|
By default,
|
||||||
.Fn utimensat
|
.Fn utimensat
|
||||||
changes the times of the file referenced by the symbolic link.
|
changes the times of the file referenced by the symbolic link.
|
||||||
.It Dv AT_BENEATH
|
|
||||||
Only allow to change the times of a file which is beneath of
|
|
||||||
the topping directory.
|
|
||||||
See the description of the
|
|
||||||
.Dv O_BENEATH
|
|
||||||
flag in the
|
|
||||||
.Xr open 2
|
|
||||||
manual page.
|
|
||||||
.It Dv AT_RESOLVE_BENEATH
|
.It Dv AT_RESOLVE_BENEATH
|
||||||
Only walks paths below the topping directory.
|
Only walk paths below the directory specified by the
|
||||||
|
.Ar fd
|
||||||
|
descriptor.
|
||||||
See the description of the
|
See the description of the
|
||||||
.Dv O_RESOLVE_BENEATH
|
.Dv O_RESOLVE_BENEATH
|
||||||
flag in the
|
flag in the
|
||||||
@ -290,18 +284,9 @@ is an absolute path,
|
|||||||
or contained a ".." component leading to a
|
or contained a ".." component leading to a
|
||||||
directory outside of the directory hierarchy specified by
|
directory outside of the directory hierarchy specified by
|
||||||
.Fa fd ,
|
.Fa fd ,
|
||||||
and the process is in capability mode.
|
and the process is in capability mode or the
|
||||||
.It Bq Er ENOTCAPABLE
|
.Dv AT_RESOLVE_BENEATH
|
||||||
The
|
flag was specified.
|
||||||
.Dv AT_BENEATH
|
|
||||||
flag was provided to
|
|
||||||
.Fn utimensat ,
|
|
||||||
and the absolute
|
|
||||||
.Fa path
|
|
||||||
does not have its tail fully contained under the topping directory,
|
|
||||||
or the relative
|
|
||||||
.Fa path
|
|
||||||
escapes it.
|
|
||||||
.El
|
.El
|
||||||
.Sh SEE ALSO
|
.Sh SEE ALSO
|
||||||
.Xr chflags 2 ,
|
.Xr chflags 2 ,
|
||||||
|
@ -182,13 +182,6 @@ nameicap_tracker_add(struct nameidata *ndp, struct vnode *dp)
|
|||||||
if ((ndp->ni_lcf & NI_LCF_CAP_DOTDOT) == 0 || dp->v_type != VDIR)
|
if ((ndp->ni_lcf & NI_LCF_CAP_DOTDOT) == 0 || dp->v_type != VDIR)
|
||||||
return;
|
return;
|
||||||
cnp = &ndp->ni_cnd;
|
cnp = &ndp->ni_cnd;
|
||||||
if ((cnp->cn_flags & BENEATH) != 0 &&
|
|
||||||
(ndp->ni_lcf & NI_LCF_BENEATH_LATCHED) == 0) {
|
|
||||||
MPASS((ndp->ni_lcf & NI_LCF_LATCH) != 0);
|
|
||||||
if (dp != ndp->ni_beneath_latch)
|
|
||||||
return;
|
|
||||||
ndp->ni_lcf |= NI_LCF_BENEATH_LATCHED;
|
|
||||||
}
|
|
||||||
nt = malloc(sizeof(*nt), M_NAMEITRACKER, M_WAITOK);
|
nt = malloc(sizeof(*nt), M_NAMEITRACKER, M_WAITOK);
|
||||||
vhold(dp);
|
vhold(dp);
|
||||||
nt->dp = dp;
|
nt->dp = dp;
|
||||||
@ -196,7 +189,7 @@ nameicap_tracker_add(struct nameidata *ndp, struct vnode *dp)
|
|||||||
}
|
}
|
||||||
|
|
||||||
static void
|
static void
|
||||||
nameicap_cleanup(struct nameidata *ndp, bool clean_latch)
|
nameicap_cleanup(struct nameidata *ndp)
|
||||||
{
|
{
|
||||||
struct nameicap_tracker *nt, *nt1;
|
struct nameicap_tracker *nt, *nt1;
|
||||||
|
|
||||||
@ -207,10 +200,6 @@ nameicap_cleanup(struct nameidata *ndp, bool clean_latch)
|
|||||||
vdrop(nt->dp);
|
vdrop(nt->dp);
|
||||||
free(nt, M_NAMEITRACKER);
|
free(nt, M_NAMEITRACKER);
|
||||||
}
|
}
|
||||||
if (clean_latch && (ndp->ni_lcf & NI_LCF_LATCH) != 0) {
|
|
||||||
ndp->ni_lcf &= ~NI_LCF_LATCH;
|
|
||||||
vrele(ndp->ni_beneath_latch);
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
|
|
||||||
/*
|
/*
|
||||||
@ -230,21 +219,17 @@ nameicap_check_dotdot(struct nameidata *ndp, struct vnode *dp)
|
|||||||
struct nameicap_tracker *nt;
|
struct nameicap_tracker *nt;
|
||||||
struct mount *mp;
|
struct mount *mp;
|
||||||
|
|
||||||
if ((ndp->ni_lcf & NI_LCF_CAP_DOTDOT) == 0 || dp == NULL ||
|
if (dp == NULL || dp->v_type != VDIR || (ndp->ni_lcf &
|
||||||
dp->v_type != VDIR)
|
NI_LCF_STRICTRELATIVE) == 0)
|
||||||
return (0);
|
return (0);
|
||||||
|
if ((ndp->ni_lcf & NI_LCF_CAP_DOTDOT) == 0)
|
||||||
|
return (ENOTCAPABLE);
|
||||||
mp = dp->v_mount;
|
mp = dp->v_mount;
|
||||||
if (lookup_cap_dotdot_nonlocal == 0 && mp != NULL &&
|
if (lookup_cap_dotdot_nonlocal == 0 && mp != NULL &&
|
||||||
(mp->mnt_flag & MNT_LOCAL) == 0)
|
(mp->mnt_flag & MNT_LOCAL) == 0)
|
||||||
return (ENOTCAPABLE);
|
return (ENOTCAPABLE);
|
||||||
TAILQ_FOREACH_REVERSE(nt, &ndp->ni_cap_tracker, nameicap_tracker_head,
|
TAILQ_FOREACH_REVERSE(nt, &ndp->ni_cap_tracker, nameicap_tracker_head,
|
||||||
nm_link) {
|
nm_link) {
|
||||||
if ((ndp->ni_lcf & NI_LCF_LATCH) != 0 &&
|
|
||||||
ndp->ni_beneath_latch == nt->dp) {
|
|
||||||
ndp->ni_lcf &= ~NI_LCF_BENEATH_LATCHED;
|
|
||||||
nameicap_cleanup(ndp, false);
|
|
||||||
return (0);
|
|
||||||
}
|
|
||||||
if (dp == nt->dp)
|
if (dp == nt->dp)
|
||||||
return (0);
|
return (0);
|
||||||
}
|
}
|
||||||
@ -275,11 +260,6 @@ namei_handle_root(struct nameidata *ndp, struct vnode **dpp)
|
|||||||
#endif
|
#endif
|
||||||
return (ENOTCAPABLE);
|
return (ENOTCAPABLE);
|
||||||
}
|
}
|
||||||
if ((cnp->cn_flags & BENEATH) != 0) {
|
|
||||||
ndp->ni_lcf |= NI_LCF_BENEATH_ABS;
|
|
||||||
ndp->ni_lcf &= ~NI_LCF_BENEATH_LATCHED;
|
|
||||||
nameicap_cleanup(ndp, false);
|
|
||||||
}
|
|
||||||
while (*(cnp->cn_nameptr) == '/') {
|
while (*(cnp->cn_nameptr) == '/') {
|
||||||
cnp->cn_nameptr++;
|
cnp->cn_nameptr++;
|
||||||
ndp->ni_pathlen--;
|
ndp->ni_pathlen--;
|
||||||
@ -297,7 +277,6 @@ namei_setup(struct nameidata *ndp, struct vnode **dpp, struct pwd **pwdp)
|
|||||||
struct thread *td;
|
struct thread *td;
|
||||||
struct pwd *pwd;
|
struct pwd *pwd;
|
||||||
cap_rights_t rights;
|
cap_rights_t rights;
|
||||||
struct filecaps dirfd_caps;
|
|
||||||
int error;
|
int error;
|
||||||
bool startdir_used;
|
bool startdir_used;
|
||||||
|
|
||||||
@ -410,26 +389,8 @@ namei_setup(struct nameidata *ndp, struct vnode **dpp, struct pwd **pwdp)
|
|||||||
if (error == 0 && (*dpp)->v_type != VDIR)
|
if (error == 0 && (*dpp)->v_type != VDIR)
|
||||||
error = ENOTDIR;
|
error = ENOTDIR;
|
||||||
}
|
}
|
||||||
if (error == 0 && (cnp->cn_flags & BENEATH) != 0) {
|
|
||||||
if (ndp->ni_dirfd == AT_FDCWD) {
|
|
||||||
ndp->ni_beneath_latch = pwd->pwd_cdir;
|
|
||||||
vrefact(ndp->ni_beneath_latch);
|
|
||||||
} else {
|
|
||||||
rights = *ndp->ni_rightsneeded;
|
|
||||||
cap_rights_set_one(&rights, CAP_LOOKUP);
|
|
||||||
error = fgetvp_rights(td, ndp->ni_dirfd, &rights,
|
|
||||||
&dirfd_caps, &ndp->ni_beneath_latch);
|
|
||||||
if (error == 0 && (*dpp)->v_type != VDIR) {
|
|
||||||
vrele(ndp->ni_beneath_latch);
|
|
||||||
error = ENOTDIR;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
if (error == 0)
|
|
||||||
ndp->ni_lcf |= NI_LCF_LATCH;
|
|
||||||
}
|
|
||||||
if (error == 0 && (cnp->cn_flags & RBENEATH) != 0) {
|
if (error == 0 && (cnp->cn_flags & RBENEATH) != 0) {
|
||||||
if (cnp->cn_pnbuf[0] == '/' ||
|
if (cnp->cn_pnbuf[0] == '/') {
|
||||||
(ndp->ni_lcf & NI_LCF_BENEATH_ABS) != 0) {
|
|
||||||
error = EINVAL;
|
error = EINVAL;
|
||||||
} else if ((ndp->ni_lcf & NI_LCF_STRICTRELATIVE) == 0) {
|
} else if ((ndp->ni_lcf & NI_LCF_STRICTRELATIVE) == 0) {
|
||||||
ndp->ni_lcf |= NI_LCF_STRICTRELATIVE |
|
ndp->ni_lcf |= NI_LCF_STRICTRELATIVE |
|
||||||
@ -452,12 +413,8 @@ namei_setup(struct nameidata *ndp, struct vnode **dpp, struct pwd **pwdp)
|
|||||||
pwd_drop(pwd);
|
pwd_drop(pwd);
|
||||||
return (error);
|
return (error);
|
||||||
}
|
}
|
||||||
MPASS((ndp->ni_lcf & (NI_LCF_BENEATH_ABS | NI_LCF_LATCH)) !=
|
if ((ndp->ni_lcf & NI_LCF_STRICTRELATIVE) != 0 &&
|
||||||
NI_LCF_BENEATH_ABS);
|
lookup_cap_dotdot != 0)
|
||||||
if (((ndp->ni_lcf & NI_LCF_STRICTRELATIVE) != 0 &&
|
|
||||||
lookup_cap_dotdot != 0) ||
|
|
||||||
((ndp->ni_lcf & NI_LCF_STRICTRELATIVE) == 0 &&
|
|
||||||
(cnp->cn_flags & BENEATH) != 0))
|
|
||||||
ndp->ni_lcf |= NI_LCF_CAP_DOTDOT;
|
ndp->ni_lcf |= NI_LCF_CAP_DOTDOT;
|
||||||
SDT_PROBE4(vfs, namei, lookup, entry, *dpp, cnp->cn_pnbuf,
|
SDT_PROBE4(vfs, namei, lookup, entry, *dpp, cnp->cn_pnbuf,
|
||||||
cnp->cn_flags, false);
|
cnp->cn_flags, false);
|
||||||
@ -636,16 +593,8 @@ namei(struct nameidata *ndp)
|
|||||||
for (;;) {
|
for (;;) {
|
||||||
ndp->ni_startdir = dp;
|
ndp->ni_startdir = dp;
|
||||||
error = lookup(ndp);
|
error = lookup(ndp);
|
||||||
if (error != 0) {
|
if (error != 0)
|
||||||
/*
|
|
||||||
* Override an error to not allow user to use
|
|
||||||
* BENEATH as an oracle.
|
|
||||||
*/
|
|
||||||
if ((ndp->ni_lcf & (NI_LCF_LATCH |
|
|
||||||
NI_LCF_BENEATH_LATCHED)) == NI_LCF_LATCH)
|
|
||||||
error = ENOTCAPABLE;
|
|
||||||
goto out;
|
goto out;
|
||||||
}
|
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* If not a symbolic link, we're done.
|
* If not a symbolic link, we're done.
|
||||||
@ -657,12 +606,7 @@ namei(struct nameidata *ndp)
|
|||||||
namei_cleanup_cnp(cnp);
|
namei_cleanup_cnp(cnp);
|
||||||
} else
|
} else
|
||||||
cnp->cn_flags |= HASBUF;
|
cnp->cn_flags |= HASBUF;
|
||||||
if ((ndp->ni_lcf & (NI_LCF_LATCH |
|
nameicap_cleanup(ndp);
|
||||||
NI_LCF_BENEATH_LATCHED)) == NI_LCF_LATCH) {
|
|
||||||
NDFREE(ndp, 0);
|
|
||||||
error = ENOTCAPABLE;
|
|
||||||
}
|
|
||||||
nameicap_cleanup(ndp, true);
|
|
||||||
pwd_drop(pwd);
|
pwd_drop(pwd);
|
||||||
if (error == 0)
|
if (error == 0)
|
||||||
NDVALIDATE(ndp);
|
NDVALIDATE(ndp);
|
||||||
@ -739,7 +683,7 @@ namei(struct nameidata *ndp)
|
|||||||
MPASS(error != 0);
|
MPASS(error != 0);
|
||||||
SDT_PROBE4(vfs, namei, lookup, return, error, NULL, false, ndp);
|
SDT_PROBE4(vfs, namei, lookup, return, error, NULL, false, ndp);
|
||||||
namei_cleanup_cnp(cnp);
|
namei_cleanup_cnp(cnp);
|
||||||
nameicap_cleanup(ndp, true);
|
nameicap_cleanup(ndp);
|
||||||
pwd_drop(pwd);
|
pwd_drop(pwd);
|
||||||
return (error);
|
return (error);
|
||||||
}
|
}
|
||||||
|
@ -120,8 +120,6 @@ at2cnpflags(u_int at_flags, u_int mask)
|
|||||||
|
|
||||||
res = 0;
|
res = 0;
|
||||||
at_flags &= mask;
|
at_flags &= mask;
|
||||||
if ((at_flags & AT_BENEATH) != 0)
|
|
||||||
res |= BENEATH;
|
|
||||||
if ((at_flags & AT_RESOLVE_BENEATH) != 0)
|
if ((at_flags & AT_RESOLVE_BENEATH) != 0)
|
||||||
res |= RBENEATH;
|
res |= RBENEATH;
|
||||||
if ((at_flags & AT_SYMLINK_FOLLOW) != 0)
|
if ((at_flags & AT_SYMLINK_FOLLOW) != 0)
|
||||||
@ -1498,12 +1496,11 @@ sys_linkat(struct thread *td, struct linkat_args *uap)
|
|||||||
int flag;
|
int flag;
|
||||||
|
|
||||||
flag = uap->flag;
|
flag = uap->flag;
|
||||||
if ((flag & ~(AT_SYMLINK_FOLLOW | AT_BENEATH |
|
if ((flag & ~(AT_SYMLINK_FOLLOW | AT_RESOLVE_BENEATH)) != 0)
|
||||||
AT_RESOLVE_BENEATH)) != 0)
|
|
||||||
return (EINVAL);
|
return (EINVAL);
|
||||||
|
|
||||||
return (kern_linkat(td, uap->fd1, uap->fd2, uap->path1, uap->path2,
|
return (kern_linkat(td, uap->fd1, uap->fd2, uap->path1, uap->path2,
|
||||||
UIO_USERSPACE, at2cnpflags(flag, AT_SYMLINK_FOLLOW | AT_BENEATH |
|
UIO_USERSPACE, at2cnpflags(flag, AT_SYMLINK_FOLLOW |
|
||||||
AT_RESOLVE_BENEATH)));
|
AT_RESOLVE_BENEATH)));
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -1873,7 +1870,7 @@ kern_funlinkat(struct thread *td, int dfd, const char *path, int fd,
|
|||||||
restart:
|
restart:
|
||||||
bwillwrite();
|
bwillwrite();
|
||||||
NDINIT_ATRIGHTS(&nd, DELETE, LOCKPARENT | LOCKLEAF | AUDITVNODE1 |
|
NDINIT_ATRIGHTS(&nd, DELETE, LOCKPARENT | LOCKLEAF | AUDITVNODE1 |
|
||||||
at2cnpflags(flag, AT_BENEATH | AT_RESOLVE_BENEATH),
|
at2cnpflags(flag, AT_RESOLVE_BENEATH),
|
||||||
pathseg, path, dfd, &cap_unlinkat_rights, td);
|
pathseg, path, dfd, &cap_unlinkat_rights, td);
|
||||||
if ((error = namei(&nd)) != 0) {
|
if ((error = namei(&nd)) != 0) {
|
||||||
if (error == EINVAL)
|
if (error == EINVAL)
|
||||||
@ -2078,7 +2075,7 @@ kern_accessat(struct thread *td, int fd, const char *path,
|
|||||||
struct nameidata nd;
|
struct nameidata nd;
|
||||||
int error;
|
int error;
|
||||||
|
|
||||||
if ((flag & ~(AT_EACCESS | AT_BENEATH | AT_RESOLVE_BENEATH)) != 0)
|
if ((flag & ~(AT_EACCESS | AT_RESOLVE_BENEATH)) != 0)
|
||||||
return (EINVAL);
|
return (EINVAL);
|
||||||
if (amode != F_OK && (amode & ~(R_OK | W_OK | X_OK)) != 0)
|
if (amode != F_OK && (amode & ~(R_OK | W_OK | X_OK)) != 0)
|
||||||
return (EINVAL);
|
return (EINVAL);
|
||||||
@ -2099,7 +2096,7 @@ kern_accessat(struct thread *td, int fd, const char *path,
|
|||||||
usecred = cred;
|
usecred = cred;
|
||||||
AUDIT_ARG_VALUE(amode);
|
AUDIT_ARG_VALUE(amode);
|
||||||
NDINIT_ATRIGHTS(&nd, LOOKUP, FOLLOW | LOCKSHARED | LOCKLEAF |
|
NDINIT_ATRIGHTS(&nd, LOOKUP, FOLLOW | LOCKSHARED | LOCKLEAF |
|
||||||
AUDITVNODE1 | at2cnpflags(flag, AT_BENEATH | AT_RESOLVE_BENEATH),
|
AUDITVNODE1 | at2cnpflags(flag, AT_RESOLVE_BENEATH),
|
||||||
pathseg, path, fd, &cap_fstat_rights, td);
|
pathseg, path, fd, &cap_fstat_rights, td);
|
||||||
if ((error = namei(&nd)) != 0)
|
if ((error = namei(&nd)) != 0)
|
||||||
goto out;
|
goto out;
|
||||||
@ -2390,13 +2387,12 @@ kern_statat(struct thread *td, int flag, int fd, const char *path,
|
|||||||
struct nameidata nd;
|
struct nameidata nd;
|
||||||
int error;
|
int error;
|
||||||
|
|
||||||
if ((flag & ~(AT_SYMLINK_NOFOLLOW | AT_BENEATH |
|
if ((flag & ~(AT_SYMLINK_NOFOLLOW | AT_RESOLVE_BENEATH)) != 0)
|
||||||
AT_RESOLVE_BENEATH)) != 0)
|
|
||||||
return (EINVAL);
|
return (EINVAL);
|
||||||
|
|
||||||
NDINIT_ATRIGHTS(&nd, LOOKUP, at2cnpflags(flag, AT_BENEATH |
|
NDINIT_ATRIGHTS(&nd, LOOKUP, at2cnpflags(flag, AT_RESOLVE_BENEATH |
|
||||||
AT_RESOLVE_BENEATH | AT_SYMLINK_NOFOLLOW) | LOCKSHARED | LOCKLEAF |
|
AT_SYMLINK_NOFOLLOW) | LOCKSHARED | LOCKLEAF | AUDITVNODE1,
|
||||||
AUDITVNODE1, pathseg, path, fd, &cap_fstat_rights, td);
|
pathseg, path, fd, &cap_fstat_rights, td);
|
||||||
|
|
||||||
if ((error = namei(&nd)) != 0)
|
if ((error = namei(&nd)) != 0)
|
||||||
return (error);
|
return (error);
|
||||||
@ -2714,8 +2710,7 @@ int
|
|||||||
sys_chflagsat(struct thread *td, struct chflagsat_args *uap)
|
sys_chflagsat(struct thread *td, struct chflagsat_args *uap)
|
||||||
{
|
{
|
||||||
|
|
||||||
if ((uap->atflag & ~(AT_SYMLINK_NOFOLLOW | AT_BENEATH |
|
if ((uap->atflag & ~(AT_SYMLINK_NOFOLLOW | AT_RESOLVE_BENEATH)) != 0)
|
||||||
AT_RESOLVE_BENEATH)) != 0)
|
|
||||||
return (EINVAL);
|
return (EINVAL);
|
||||||
|
|
||||||
return (kern_chflagsat(td, uap->fd, uap->path, UIO_USERSPACE,
|
return (kern_chflagsat(td, uap->fd, uap->path, UIO_USERSPACE,
|
||||||
@ -2748,7 +2743,7 @@ kern_chflagsat(struct thread *td, int fd, const char *path,
|
|||||||
|
|
||||||
AUDIT_ARG_FFLAGS(flags);
|
AUDIT_ARG_FFLAGS(flags);
|
||||||
NDINIT_ATRIGHTS(&nd, LOOKUP, at2cnpflags(atflag, AT_SYMLINK_NOFOLLOW |
|
NDINIT_ATRIGHTS(&nd, LOOKUP, at2cnpflags(atflag, AT_SYMLINK_NOFOLLOW |
|
||||||
AT_BENEATH | AT_RESOLVE_BENEATH) | AUDITVNODE1, pathseg, path, fd,
|
AT_RESOLVE_BENEATH) | AUDITVNODE1, pathseg, path, fd,
|
||||||
&cap_fchflags_rights, td);
|
&cap_fchflags_rights, td);
|
||||||
if ((error = namei(&nd)) != 0)
|
if ((error = namei(&nd)) != 0)
|
||||||
return (error);
|
return (error);
|
||||||
@ -2843,8 +2838,7 @@ int
|
|||||||
sys_fchmodat(struct thread *td, struct fchmodat_args *uap)
|
sys_fchmodat(struct thread *td, struct fchmodat_args *uap)
|
||||||
{
|
{
|
||||||
|
|
||||||
if ((uap->flag & ~(AT_SYMLINK_NOFOLLOW | AT_BENEATH |
|
if ((uap->flag & ~(AT_SYMLINK_NOFOLLOW | AT_RESOLVE_BENEATH)) != 0)
|
||||||
AT_RESOLVE_BENEATH)) != 0)
|
|
||||||
return (EINVAL);
|
return (EINVAL);
|
||||||
|
|
||||||
return (kern_fchmodat(td, uap->fd, uap->path, UIO_USERSPACE,
|
return (kern_fchmodat(td, uap->fd, uap->path, UIO_USERSPACE,
|
||||||
@ -2877,7 +2871,7 @@ kern_fchmodat(struct thread *td, int fd, const char *path,
|
|||||||
|
|
||||||
AUDIT_ARG_MODE(mode);
|
AUDIT_ARG_MODE(mode);
|
||||||
NDINIT_ATRIGHTS(&nd, LOOKUP, at2cnpflags(flag, AT_SYMLINK_NOFOLLOW |
|
NDINIT_ATRIGHTS(&nd, LOOKUP, at2cnpflags(flag, AT_SYMLINK_NOFOLLOW |
|
||||||
AT_BENEATH | AT_RESOLVE_BENEATH) | AUDITVNODE1, pathseg, path, fd,
|
AT_RESOLVE_BENEATH) | AUDITVNODE1, pathseg, path, fd,
|
||||||
&cap_fchmod_rights, td);
|
&cap_fchmod_rights, td);
|
||||||
if ((error = namei(&nd)) != 0)
|
if ((error = namei(&nd)) != 0)
|
||||||
return (error);
|
return (error);
|
||||||
@ -2972,8 +2966,7 @@ int
|
|||||||
sys_fchownat(struct thread *td, struct fchownat_args *uap)
|
sys_fchownat(struct thread *td, struct fchownat_args *uap)
|
||||||
{
|
{
|
||||||
|
|
||||||
if ((uap->flag & ~(AT_SYMLINK_NOFOLLOW | AT_BENEATH |
|
if ((uap->flag & ~(AT_SYMLINK_NOFOLLOW | AT_RESOLVE_BENEATH)) != 0)
|
||||||
AT_RESOLVE_BENEATH)) != 0)
|
|
||||||
return (EINVAL);
|
return (EINVAL);
|
||||||
|
|
||||||
return (kern_fchownat(td, uap->fd, uap->path, UIO_USERSPACE, uap->uid,
|
return (kern_fchownat(td, uap->fd, uap->path, UIO_USERSPACE, uap->uid,
|
||||||
@ -2989,7 +2982,7 @@ kern_fchownat(struct thread *td, int fd, const char *path,
|
|||||||
|
|
||||||
AUDIT_ARG_OWNER(uid, gid);
|
AUDIT_ARG_OWNER(uid, gid);
|
||||||
NDINIT_ATRIGHTS(&nd, LOOKUP, at2cnpflags(flag, AT_SYMLINK_NOFOLLOW |
|
NDINIT_ATRIGHTS(&nd, LOOKUP, at2cnpflags(flag, AT_SYMLINK_NOFOLLOW |
|
||||||
AT_BENEATH | AT_RESOLVE_BENEATH) | AUDITVNODE1, pathseg, path, fd,
|
AT_RESOLVE_BENEATH) | AUDITVNODE1, pathseg, path, fd,
|
||||||
&cap_fchown_rights, td);
|
&cap_fchown_rights, td);
|
||||||
|
|
||||||
if ((error = namei(&nd)) != 0)
|
if ((error = namei(&nd)) != 0)
|
||||||
@ -3341,14 +3334,13 @@ kern_utimensat(struct thread *td, int fd, const char *path,
|
|||||||
struct timespec ts[2];
|
struct timespec ts[2];
|
||||||
int error, flags;
|
int error, flags;
|
||||||
|
|
||||||
if ((flag & ~(AT_SYMLINK_NOFOLLOW | AT_BENEATH |
|
if ((flag & ~(AT_SYMLINK_NOFOLLOW | AT_RESOLVE_BENEATH)) != 0)
|
||||||
AT_RESOLVE_BENEATH)) != 0)
|
|
||||||
return (EINVAL);
|
return (EINVAL);
|
||||||
|
|
||||||
if ((error = getutimens(tptr, tptrseg, ts, &flags)) != 0)
|
if ((error = getutimens(tptr, tptrseg, ts, &flags)) != 0)
|
||||||
return (error);
|
return (error);
|
||||||
NDINIT_ATRIGHTS(&nd, LOOKUP, at2cnpflags(flag, AT_SYMLINK_NOFOLLOW |
|
NDINIT_ATRIGHTS(&nd, LOOKUP, at2cnpflags(flag, AT_SYMLINK_NOFOLLOW |
|
||||||
AT_BENEATH | AT_RESOLVE_BENEATH) | AUDITVNODE1,
|
AT_RESOLVE_BENEATH) | AUDITVNODE1,
|
||||||
pathseg, path, fd, &cap_futimes_rights, td);
|
pathseg, path, fd, &cap_futimes_rights, td);
|
||||||
if ((error = namei(&nd)) != 0)
|
if ((error = namei(&nd)) != 0)
|
||||||
return (error);
|
return (error);
|
||||||
@ -3835,7 +3827,7 @@ kern_frmdirat(struct thread *td, int dfd, const char *path, int fd,
|
|||||||
restart:
|
restart:
|
||||||
bwillwrite();
|
bwillwrite();
|
||||||
NDINIT_ATRIGHTS(&nd, DELETE, LOCKPARENT | LOCKLEAF | AUDITVNODE1 |
|
NDINIT_ATRIGHTS(&nd, DELETE, LOCKPARENT | LOCKLEAF | AUDITVNODE1 |
|
||||||
at2cnpflags(flag, AT_BENEATH | AT_RESOLVE_BENEATH),
|
at2cnpflags(flag, AT_RESOLVE_BENEATH),
|
||||||
pathseg, path, dfd, &cap_unlinkat_rights, td);
|
pathseg, path, dfd, &cap_unlinkat_rights, td);
|
||||||
if ((error = namei(&nd)) != 0)
|
if ((error = namei(&nd)) != 0)
|
||||||
goto fdout;
|
goto fdout;
|
||||||
@ -4322,8 +4314,7 @@ int
|
|||||||
sys_getfhat(struct thread *td, struct getfhat_args *uap)
|
sys_getfhat(struct thread *td, struct getfhat_args *uap)
|
||||||
{
|
{
|
||||||
|
|
||||||
if ((uap->flags & ~(AT_SYMLINK_NOFOLLOW | AT_BENEATH |
|
if ((uap->flags & ~(AT_SYMLINK_NOFOLLOW | AT_RESOLVE_BENEATH)) != 0)
|
||||||
AT_RESOLVE_BENEATH)) != 0)
|
|
||||||
return (EINVAL);
|
return (EINVAL);
|
||||||
return (kern_getfhat(td, uap->flags, uap->fd, uap->path, UIO_USERSPACE,
|
return (kern_getfhat(td, uap->flags, uap->fd, uap->path, UIO_USERSPACE,
|
||||||
uap->fhp, UIO_USERSPACE));
|
uap->fhp, UIO_USERSPACE));
|
||||||
@ -4342,8 +4333,8 @@ kern_getfhat(struct thread *td, int flags, int fd, const char *path,
|
|||||||
if (error != 0)
|
if (error != 0)
|
||||||
return (error);
|
return (error);
|
||||||
NDINIT_AT(&nd, LOOKUP, at2cnpflags(flags, AT_SYMLINK_NOFOLLOW |
|
NDINIT_AT(&nd, LOOKUP, at2cnpflags(flags, AT_SYMLINK_NOFOLLOW |
|
||||||
AT_BENEATH | AT_RESOLVE_BENEATH) | LOCKLEAF | AUDITVNODE1,
|
AT_RESOLVE_BENEATH) | LOCKLEAF | AUDITVNODE1, pathseg, path,
|
||||||
pathseg, path, fd, td);
|
fd, td);
|
||||||
error = namei(&nd);
|
error = namei(&nd);
|
||||||
if (error != 0)
|
if (error != 0)
|
||||||
return (error);
|
return (error);
|
||||||
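Review bot: In the kern_funlinkat and kern_frmdirat hunks the retired `AT_BENEATH` bit (0x1000) is now silently discarded rather than rejected, because `at2cnpflags()` masks its input (`at_flags &= mask`) and neither hunk shows a flag check. The other call sites touched here (sys_linkat, kern_accessat, kern_statat, sys_chflagsat, sys_fchmodat, sys_fchownat, kern_utimensat, sys_getfhat) carry an explicit mask test and return EINVAL for the bit. Both function bodies start and end outside their hunks, so the validation may live in a caller; it is worth confirming that the unlink/rmdir entry points have a check of the form `if ((flag & ~(AT_REMOVEDIR | AT_RESOLVE_BENEATH)) != 0) return (EINVAL);`. Otherwise a caller that still passes the old containment flag gets an unconfined lookup with no error, which fails open.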
|
@ -199,8 +199,6 @@ open2nameif(int fmode, u_int vn_open_flags)
|
|||||||
uint64_t res;
|
uint64_t res;
|
||||||
|
|
||||||
res = ISOPEN | LOCKLEAF;
|
res = ISOPEN | LOCKLEAF;
|
||||||
if ((fmode & O_BENEATH) != 0)
|
|
||||||
res |= BENEATH;
|
|
||||||
if ((fmode & O_RESOLVE_BENEATH) != 0)
|
if ((fmode & O_RESOLVE_BENEATH) != 0)
|
||||||
res |= RBENEATH;
|
res |= RBENEATH;
|
||||||
if ((vn_open_flags & VN_OPEN_NOAUDIT) == 0)
|
if ((vn_open_flags & VN_OPEN_NOAUDIT) == 0)
|
||||||
|
@ -135,10 +135,9 @@ typedef __pid_t pid_t;
|
|||||||
|
|
||||||
#if __BSD_VISIBLE
|
#if __BSD_VISIBLE
|
||||||
#define O_VERIFY 0x00200000 /* open only after verification */
|
#define O_VERIFY 0x00200000 /* open only after verification */
|
||||||
#define O_BENEATH 0x00400000 /* Fail if not under cwd */
|
/* #define O_UNUSED1 0x00400000 */ /* Was O_BENEATH */
|
||||||
#define O_RESOLVE_BENEATH 0x00800000 /* As O_BENEATH, but do not allow
|
#define O_RESOLVE_BENEATH 0x00800000 /* Do not allow name resolution to walk
|
||||||
resolve to walk out of cwd even to
|
out of cwd */
|
||||||
return back */
|
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
#define O_DSYNC 0x01000000 /* POSIX data sync */
|
#define O_DSYNC 0x01000000 /* POSIX data sync */
|
||||||
@ -220,10 +219,9 @@ typedef __pid_t pid_t;
|
|||||||
#define AT_SYMLINK_NOFOLLOW 0x0200 /* Do not follow symbolic links */
|
#define AT_SYMLINK_NOFOLLOW 0x0200 /* Do not follow symbolic links */
|
||||||
#define AT_SYMLINK_FOLLOW 0x0400 /* Follow symbolic link */
|
#define AT_SYMLINK_FOLLOW 0x0400 /* Follow symbolic link */
|
||||||
#define AT_REMOVEDIR 0x0800 /* Remove directory instead of file */
|
#define AT_REMOVEDIR 0x0800 /* Remove directory instead of file */
|
||||||
#define AT_BENEATH 0x1000 /* Fail if not under dirfd */
|
/* #define AT_UNUSED1 0x1000 *//* Was AT_BENEATH */
|
||||||
#define AT_RESOLVE_BENEATH 0x2000 /* As AT_BENEATH, but do not allow
|
#define AT_RESOLVE_BENEATH 0x2000 /* Do not allow name resolution
|
||||||
resolve to walk out of dirfd even
|
to walk out of dirfd */
|
||||||
to return back */
|
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
/*
|
/*
|
||||||
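Review bot: Commenting out `O_BENEATH` (0x00400000) only reserves the value in the header, and nothing visible on this page makes open(2) reject that bit once open2nameif stops testing it; the `*at` syscalls, by contrast, return EINVAL for 0x1000 through their mask checks. The commit message says the flags never shipped in a release, so exposure is presumably limited to code built against development headers. For such a caller, a silently ignored containment flag means the lookup is no longer confined and no error is reported. I would confirm that the open path returns EINVAL for the retired bit, and record the constraint next to the define, e.g. `/* #define O_UNUSED1 0x00400000 */ /* Was O_BENEATH; must stay rejected, do not reuse */`. As a style point, the AT line is missing the space between its two comments that the O_ line has: `/* #define AT_UNUSED1 0x1000 */ /* Was AT_BENEATH */`.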
|
@ -111,7 +111,6 @@ struct nameidata {
|
|||||||
*/
|
*/
|
||||||
struct componentname ni_cnd;
|
struct componentname ni_cnd;
|
||||||
struct nameicap_tracker_head ni_cap_tracker;
|
struct nameicap_tracker_head ni_cap_tracker;
|
||||||
struct vnode *ni_beneath_latch;
|
|
||||||
};
|
};
|
||||||
|
|
||||||
#ifdef _KERNEL
|
#ifdef _KERNEL
|
||||||
@ -145,7 +144,6 @@ int cache_fplookup(struct nameidata *ndp, enum cache_fpl_status *status,
|
|||||||
#define WANTPARENT 0x0010 /* want parent vnode returned unlocked */
|
#define WANTPARENT 0x0010 /* want parent vnode returned unlocked */
|
||||||
#define FAILIFEXISTS 0x0020 /* return EEXIST if found */
|
#define FAILIFEXISTS 0x0020 /* return EEXIST if found */
|
||||||
#define FOLLOW 0x0040 /* follow symbolic links */
|
#define FOLLOW 0x0040 /* follow symbolic links */
|
||||||
#define BENEATH 0x0080 /* No escape from the start dir */
|
|
||||||
#define LOCKSHARED 0x0100 /* Shared lock leaf */
|
#define LOCKSHARED 0x0100 /* Shared lock leaf */
|
||||||
#define NOFOLLOW 0x0000 /* do not follow symbolic links (pseudo) */
|
#define NOFOLLOW 0x0000 /* do not follow symbolic links (pseudo) */
|
||||||
#define RBENEATH 0x100000000ULL /* No escape, even tmp, from start dir */
|
#define RBENEATH 0x100000000ULL /* No escape, even tmp, from start dir */
|
||||||
@ -206,9 +204,6 @@ int cache_fplookup(struct nameidata *ndp, enum cache_fpl_status *status,
|
|||||||
*/
|
*/
|
||||||
#define NI_LCF_STRICTRELATIVE 0x0001 /* relative lookup only */
|
#define NI_LCF_STRICTRELATIVE 0x0001 /* relative lookup only */
|
||||||
#define NI_LCF_CAP_DOTDOT 0x0002 /* ".." in strictrelative case */
|
#define NI_LCF_CAP_DOTDOT 0x0002 /* ".." in strictrelative case */
|
||||||
#define NI_LCF_BENEATH_ABS 0x0004 /* BENEATH with absolute path */
|
|
||||||
#define NI_LCF_BENEATH_LATCHED 0x0008 /* BENEATH_ABS traversed starting dir */
|
|
||||||
#define NI_LCF_LATCH 0x0010 /* ni_beneath_latch valid */
|
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* Initialization of a nameidata structure.
|
* Initialization of a nameidata structure.
|
||||||
|