Subversion Repositories test_project

/*

 *  linux/fs/namei.c

 *

 *  Copyright (C) 1991, 1992  Linus Torvalds

 */

/*

 * Some corrections by tytso.

 */

/* [Feb 1997 T. Schoebel-Theuer] Complete rewrite of the pathname

 * lookup logic.

 */

/* [Feb-Apr 2000, AV] Rewrite to the new namespace architecture.

 */

#include <linux/init.h>

#include <linux/module.h>

#include <linux/slab.h>

#include <linux/fs.h>

#include <linux/namei.h>

#include <linux/quotaops.h>

#include <linux/pagemap.h>

#include <linux/fsnotify.h>

#include <linux/personality.h>

#include <linux/security.h>

#include <linux/syscalls.h>

#include <linux/mount.h>

#include <linux/audit.h>

#include <linux/capability.h>

#include <linux/file.h>

#include <linux/fcntl.h>

#include <asm/namei.h>

#include <asm/uaccess.h>

#define ACC_MODE(x) ("\000\004\002\006"[(x)&O_ACCMODE])

/* [Feb-1997 T. Schoebel-Theuer]

 * Fundamental changes in the pathname lookup mechanisms (namei)

 * were necessary because of omirr.  The reason is that omirr needs

 * to know the _real_ pathname, not the user-supplied one, in case

 * of symlinks (and also when transname replacements occur).

 *

 * The new code replaces the old recursive symlink resolution with

 * an iterative one (in case of non-nested symlink chains).  It does

 * this with calls to <fs>_follow_link().

 * As a side effect, dir_namei(), _namei() and follow_link() are now

 * replaced with a single function lookup_dentry() that can handle all

 * the special cases of the former code.

 *

 * With the new dcache, the pathname is stored at each inode, at least as

 * long as the refcount of the inode is positive.  As a side effect, the

 * size of the dcache depends on the inode cache and thus is dynamic.

 *

 * [29-Apr-1998 C. Scott Ananian] Updated above description of symlink

 * resolution to correspond with current state of the code.

 *

 * Note that the symlink resolution is not *completely* iterative.

 * There is still a significant amount of tail- and mid- recursion in

 * the algorithm.  Also, note that <fs>_readlink() is not used in

 * lookup_dentry(): lookup_dentry() on the result of <fs>_readlink()

 * may return different results than <fs>_follow_link().  Many virtual

 * filesystems (including /proc) exhibit this behavior.

 */

/* [24-Feb-97 T. Schoebel-Theuer] Side effects caused by new implementation:

 * New symlink semantics: when open() is called with flags O_CREAT | O_EXCL

 * and the name already exists in form of a symlink, try to create the new

 * name indicated by the symlink. The old code always complained that the

 * name already exists, due to not following the symlink even if its target

 * is nonexistent.  The new semantics affects also mknod() and link() when

 * the name is a symlink pointing to a non-existant name.

 *

 * I don't know which semantics is the right one, since I have no access

 * to standards. But I found by trial that HP-UX 9.0 has the full "new"

 * semantics implemented, while SunOS 4.1.1 and Solaris (SunOS 5.4) have the

 * "old" one. Personally, I think the new semantics is much more logical.

 * Note that "ln old new" where "new" is a symlink pointing to a non-existing

 * file does succeed in both HP-UX and SunOs, but not in Solaris

 * and in the old Linux semantics.

 */

/* [16-Dec-97 Kevin Buhr] For security reasons, we change some symlink

 * semantics.  See the comments in "open_namei" and "do_link" below.

 *

 * [10-Sep-98 Alan Modra] Another symlink change.

 */

/* [Feb-Apr 2000 AV] Complete rewrite. Rules for symlinks:

 *      inside the path - always follow.

 *      in the last component in creation/removal/renaming - never follow.

 *      if LOOKUP_FOLLOW passed - follow.

 *      if the pathname has trailing slashes - follow.

 *      otherwise - don't follow.

 * (applied in that order).

 *

 * [Jun 2000 AV] Inconsistent behaviour of open() in case if flags==O_CREAT

 * restored for 2.4. This is the last surviving part of old 4.2BSD bug.

 * During the 2.4 we need to fix the userland stuff depending on it -

 * hopefully we will be able to get rid of that wart in 2.5. So far only

 * XEmacs seems to be relying on it...

 */

/*

 * [Sep 2001 AV] Single-semaphore locking scheme (kudos to David Holland)

 * implemented.  Let's see if raised priority of ->s_vfs_rename_mutex gives

 * any extra contention...

 */

static int fastcall link_path_walk(const char *name, struct nameidata *nd);

/* In order to reduce some races, while at the same time doing additional

 * checking and hopefully speeding things up, we copy filenames to the

 * kernel data space before using them..

 *

 * POSIX.1 2.4: an empty pathname is invalid (ENOENT).

 * PATH_MAX includes the nul terminator --RR.

 */

static int do_getname(const char __user *filename, char *page)

{

        int retval;

        unsigned long len = PATH_MAX;

        if (!segment_eq(get_fs(), KERNEL_DS)) {

                if ((unsigned long) filename >= TASK_SIZE)

                        return -EFAULT;

                if (TASK_SIZE - (unsigned long) filename < PATH_MAX)

                        len = TASK_SIZE - (unsigned long) filename;

        }

        retval = strncpy_from_user(page, filename, len);

        if (retval > 0) {

                if (retval < len)

                        return 0;

                return -ENAMETOOLONG;

        } else if (!retval)

                retval = -ENOENT;

        return retval;

}

char * getname(const char __user * filename)

{

        char *tmp, *result;

        result = ERR_PTR(-ENOMEM);

        tmp = __getname();

        if (tmp)  {

                int retval = do_getname(filename, tmp);

                result = tmp;

                if (retval < 0) {

                        __putname(tmp);

                        result = ERR_PTR(retval);

                }

        }

        audit_getname(result);

        return result;

}

#ifdef CONFIG_AUDITSYSCALL

void putname(const char *name)

{

        if (unlikely(!audit_dummy_context()))

                audit_putname(name);

        else

                __putname(name);

}

EXPORT_SYMBOL(putname);

#endif

/**

 * generic_permission  -  check for access rights on a Posix-like filesystem

 * @inode:      inode to check access rights for

 * @mask:       right to check for (%MAY_READ, %MAY_WRITE, %MAY_EXEC)

 * @check_acl:  optional callback to check for Posix ACLs

 *

 * Used to check for read/write/execute permissions on a file.

 * We use "fsuid" for this, letting us set arbitrary permissions

 * for filesystem access without changing the "normal" uids which

 * are used for other things..

 */

int generic_permission(struct inode *inode, int mask,

                int (*check_acl)(struct inode *inode, int mask))

{

        umode_t                 mode = inode->i_mode;

        if (current->fsuid == inode->i_uid)

                mode >>= 6;

        else {

                if (IS_POSIXACL(inode) && (mode & S_IRWXG) && check_acl) {

                        int error = check_acl(inode, mask);

                        if (error == -EACCES)

                                goto check_capabilities;

                        else if (error != -EAGAIN)

                                return error;

                }

                if (in_group_p(inode->i_gid))

                        mode >>= 3;

        }

        /*

         * If the DACs are ok we don't need any capability check.

         */

        if (((mode & mask & (MAY_READ|MAY_WRITE|MAY_EXEC)) == mask))

                return 0;

 check_capabilities:

        /*

         * Read/write DACs are always overridable.

         * Executable DACs are overridable if at least one exec bit is set.

         */

        if (!(mask & MAY_EXEC) ||

            (inode->i_mode & S_IXUGO) || S_ISDIR(inode->i_mode))

                if (capable(CAP_DAC_OVERRIDE))

                        return 0;

        /*

         * Searching includes executable on directories, else just read.

         */

        if (mask == MAY_READ || (S_ISDIR(inode->i_mode) && !(mask & MAY_WRITE)))

                if (capable(CAP_DAC_READ_SEARCH))

                        return 0;

        return -EACCES;

}

int permission(struct inode *inode, int mask, struct nameidata *nd)

{

        int retval, submask;

        struct vfsmount *mnt = NULL;

        if (nd)

                mnt = nd->mnt;

        if (mask & MAY_WRITE) {

                umode_t mode = inode->i_mode;

                /*

                 * Nobody gets write access to a read-only fs.

                 */

                if (IS_RDONLY(inode) &&

                    (S_ISREG(mode) || S_ISDIR(mode) || S_ISLNK(mode)))

                        return -EROFS;

                /*

                 * Nobody gets write access to an immutable file.

                 */

                if (IS_IMMUTABLE(inode))

                        return -EACCES;

        }

        if ((mask & MAY_EXEC) && S_ISREG(inode->i_mode)) {

                /*

                 * MAY_EXEC on regular files is denied if the fs is mounted

                 * with the "noexec" flag.

                 */

                if (mnt && (mnt->mnt_flags & MNT_NOEXEC))

                        return -EACCES;

        }

        /* Ordinary permission routines do not understand MAY_APPEND. */

        submask = mask & ~MAY_APPEND;

        if (inode->i_op && inode->i_op->permission) {

                retval = inode->i_op->permission(inode, submask, nd);

                if (!retval) {

                        /*

                         * Exec permission on a regular file is denied if none

                         * of the execute bits are set.

                         *

                         * This check should be done by the ->permission()

                         * method.

                         */

                        if ((mask & MAY_EXEC) && S_ISREG(inode->i_mode) &&

                            !(inode->i_mode & S_IXUGO))

                                return -EACCES;

                }

        } else {

                retval = generic_permission(inode, submask, NULL);

        }

        if (retval)

                return retval;

        return security_inode_permission(inode, mask, nd);

}

/**

 * vfs_permission  -  check for access rights to a given path

 * @nd:         lookup result that describes the path

 * @mask:       right to check for (%MAY_READ, %MAY_WRITE, %MAY_EXEC)

 *

 * Used to check for read/write/execute permissions on a path.

 * We use "fsuid" for this, letting us set arbitrary permissions

 * for filesystem access without changing the "normal" uids which

 * are used for other things.

 */

int vfs_permission(struct nameidata *nd, int mask)

{

        return permission(nd->dentry->d_inode, mask, nd);

}

/**

 * file_permission  -  check for additional access rights to a given file

 * @file:       file to check access rights for

 * @mask:       right to check for (%MAY_READ, %MAY_WRITE, %MAY_EXEC)

 *

 * Used to check for read/write/execute permissions on an already opened

 * file.

 *

 * Note:

 *      Do not use this function in new code.  All access checks should

 *      be done using vfs_permission().

 */

int file_permission(struct file *file, int mask)

{

        return permission(file->f_path.dentry->d_inode, mask, NULL);

}

/*

 * get_write_access() gets write permission for a file.

 * put_write_access() releases this write permission.

 * This is used for regular files.

 * We cannot support write (and maybe mmap read-write shared) accesses and

 * MAP_DENYWRITE mmappings simultaneously. The i_writecount field of an inode

 * can have the following values:

 * 0: no writers, no VM_DENYWRITE mappings

 * < 0: (-i_writecount) vm_area_structs with VM_DENYWRITE set exist

 * > 0: (i_writecount) users are writing to the file.

 *

 * Normally we operate on that counter with atomic_{inc,dec} and it's safe

 * except for the cases where we don't hold i_writecount yet. Then we need to

 * use {get,deny}_write_access() - these functions check the sign and refuse

 * to do the change if sign is wrong. Exclusion between them is provided by

 * the inode->i_lock spinlock.

 */

int get_write_access(struct inode * inode)

{

        spin_lock(&inode->i_lock);

        if (atomic_read(&inode->i_writecount) < 0) {

                spin_unlock(&inode->i_lock);

                return -ETXTBSY;

        }

        atomic_inc(&inode->i_writecount);

        spin_unlock(&inode->i_lock);

        return 0;

}

int deny_write_access(struct file * file)

{

        struct inode *inode = file->f_path.dentry->d_inode;

        spin_lock(&inode->i_lock);

        if (atomic_read(&inode->i_writecount) > 0) {

                spin_unlock(&inode->i_lock);

                return -ETXTBSY;

        }

        atomic_dec(&inode->i_writecount);

        spin_unlock(&inode->i_lock);

        return 0;

}

void path_release(struct nameidata *nd)

{

        dput(nd->dentry);

        mntput(nd->mnt);

}

/*

 * umount() mustn't call path_release()/mntput() as that would clear

 * mnt_expiry_mark

 */

void path_release_on_umount(struct nameidata *nd)

{

        dput(nd->dentry);

        mntput_no_expire(nd->mnt);

}

/**

 * release_open_intent - free up open intent resources

 * @nd: pointer to nameidata

 */

void release_open_intent(struct nameidata *nd)

{

        if (nd->intent.open.file->f_path.dentry == NULL)

                put_filp(nd->intent.open.file);

        else

                fput(nd->intent.open.file);

}

static inline struct dentry *

do_revalidate(struct dentry *dentry, struct nameidata *nd)

{

        int status = dentry->d_op->d_revalidate(dentry, nd);

        if (unlikely(status <= 0)) {

                /*

                 * The dentry failed validation.

                 * If d_revalidate returned 0 attempt to invalidate

                 * the dentry otherwise d_revalidate is asking us

                 * to return a fail status.

                 */

                if (!status) {

                        if (!d_invalidate(dentry)) {

                                dput(dentry);

                                dentry = NULL;

                        }

                } else {

                        dput(dentry);

                        dentry = ERR_PTR(status);

                }

        }

        return dentry;

}

/*

 * Internal lookup() using the new generic dcache.

 * SMP-safe

 */

static struct dentry * cached_lookup(struct dentry * parent, struct qstr * name, struct nameidata *nd)

{

        struct dentry * dentry = __d_lookup(parent, name);

        /* lockess __d_lookup may fail due to concurrent d_move()

         * in some unrelated directory, so try with d_lookup

         */

        if (!dentry)

                dentry = d_lookup(parent, name);

        if (dentry && dentry->d_op && dentry->d_op->d_revalidate)

                dentry = do_revalidate(dentry, nd);

        return dentry;

}

/*

 * Short-cut version of permission(), for calling by

 * path_walk(), when dcache lock is held.  Combines parts

 * of permission() and generic_permission(), and tests ONLY for

 * MAY_EXEC permission.

 *

 * If appropriate, check DAC only.  If not appropriate, or

 * short-cut DAC fails, then call permission() to do more

 * complete permission check.

 */

static int exec_permission_lite(struct inode *inode,

                                       struct nameidata *nd)

{

        umode_t mode = inode->i_mode;

        if (inode->i_op && inode->i_op->permission)

                return -EAGAIN;

        if (current->fsuid == inode->i_uid)

                mode >>= 6;

        else if (in_group_p(inode->i_gid))

                mode >>= 3;

        if (mode & MAY_EXEC)

                goto ok;

        if ((inode->i_mode & S_IXUGO) && capable(CAP_DAC_OVERRIDE))

                goto ok;

        if (S_ISDIR(inode->i_mode) && capable(CAP_DAC_OVERRIDE))

                goto ok;

        if (S_ISDIR(inode->i_mode) && capable(CAP_DAC_READ_SEARCH))

                goto ok;

        return -EACCES;

ok:

        return security_inode_permission(inode, MAY_EXEC, nd);

}

/*

 * This is called when everything else fails, and we actually have

 * to go to the low-level filesystem to find out what we should do..

 *

 * We get the directory semaphore, and after getting that we also

 * make sure that nobody added the entry to the dcache in the meantime..

 * SMP-safe

 */

static struct dentry * real_lookup(struct dentry * parent, struct qstr * name, struct nameidata *nd)

{

        struct dentry * result;

        struct inode *dir = parent->d_inode;

        mutex_lock(&dir->i_mutex);

        /*

         * First re-do the cached lookup just in case it was created

         * while we waited for the directory semaphore..

         *

         * FIXME! This could use version numbering or similar to

         * avoid unnecessary cache lookups.

         *

         * The "dcache_lock" is purely to protect the RCU list walker

         * from concurrent renames at this point (we mustn't get false

         * negatives from the RCU list walk here, unlike the optimistic

         * fast walk).

         *

         * so doing d_lookup() (with seqlock), instead of lockfree __d_lookup

         */

        result = d_lookup(parent, name);

        if (!result) {

                struct dentry * dentry = d_alloc(parent, name);

                result = ERR_PTR(-ENOMEM);

                if (dentry) {

                        result = dir->i_op->lookup(dir, dentry, nd);

                        if (result)

                                dput(dentry);

                        else

                                result = dentry;

                }

                mutex_unlock(&dir->i_mutex);

                return result;

        }

        /*

         * Uhhuh! Nasty case: the cache was re-populated while

         * we waited on the semaphore. Need to revalidate.

         */

        mutex_unlock(&dir->i_mutex);

        if (result->d_op && result->d_op->d_revalidate) {

                result = do_revalidate(result, nd);

                if (!result)

                        result = ERR_PTR(-ENOENT);

        }

        return result;

}

static int __emul_lookup_dentry(const char *, struct nameidata *);

/* SMP-safe */

static __always_inline int

walk_init_root(const char *name, struct nameidata *nd)

{

        struct fs_struct *fs = current->fs;

        read_lock(&fs->lock);

        if (fs->altroot && !(nd->flags & LOOKUP_NOALT)) {

                nd->mnt = mntget(fs->altrootmnt);

                nd->dentry = dget(fs->altroot);

                read_unlock(&fs->lock);

                if (__emul_lookup_dentry(name,nd))

                        return 0;

                read_lock(&fs->lock);

        }

        nd->mnt = mntget(fs->rootmnt);

        nd->dentry = dget(fs->root);

        read_unlock(&fs->lock);

        return 1;

}

static __always_inline int __vfs_follow_link(struct nameidata *nd, const char *link)

{

        int res = 0;

        char *name;

        if (IS_ERR(link))

                goto fail;

        if (*link == '/') {

                path_release(nd);

                if (!walk_init_root(link, nd))

                        /* weird __emul_prefix() stuff did it */

                        goto out;

        }

        res = link_path_walk(link, nd);

out:

        if (nd->depth || res || nd->last_type!=LAST_NORM)

                return res;

        /*

         * If it is an iterative symlinks resolution in open_namei() we

         * have to copy the last component. And all that crap because of

         * bloody create() on broken symlinks. Furrfu...

         */

        name = __getname();

        if (unlikely(!name)) {

                path_release(nd);

                return -ENOMEM;

        }

        strcpy(name, nd->last.name);

        nd->last.name = name;

        return 0;

fail:

        path_release(nd);

        return PTR_ERR(link);

}

static inline void dput_path(struct path *path, struct nameidata *nd)

{

        dput(path->dentry);

        if (path->mnt != nd->mnt)

                mntput(path->mnt);

}

static inline void path_to_nameidata(struct path *path, struct nameidata *nd)

{

        dput(nd->dentry);

        if (nd->mnt != path->mnt)

                mntput(nd->mnt);

        nd->mnt = path->mnt;

        nd->dentry = path->dentry;

}

static __always_inline int __do_follow_link(struct path *path, struct nameidata *nd)

{

        int error;

        void *cookie;

        struct dentry *dentry = path->dentry;

        touch_atime(path->mnt, dentry);

        nd_set_link(nd, NULL);

        if (path->mnt != nd->mnt) {

                path_to_nameidata(path, nd);

                dget(dentry);

        }

        mntget(path->mnt);

        cookie = dentry->d_inode->i_op->follow_link(dentry, nd);

        error = PTR_ERR(cookie);

        if (!IS_ERR(cookie)) {

                char *s = nd_get_link(nd);

                error = 0;

                if (s)

                        error = __vfs_follow_link(nd, s);

                if (dentry->d_inode->i_op->put_link)

                        dentry->d_inode->i_op->put_link(dentry, nd, cookie);

        }

        dput(dentry);

        mntput(path->mnt);

        return error;

}

/*

 * This limits recursive symlink follows to 8, while

 * limiting consecutive symlinks to 40.

 *

 * Without that kind of total limit, nasty chains of consecutive

 * symlinks can cause almost arbitrarily long lookups.

 */

static inline int do_follow_link(struct path *path, struct nameidata *nd)

{

        int err = -ELOOP;

        if (current->link_count >= MAX_NESTED_LINKS)

                goto loop;

        if (current->total_link_count >= 40)

                goto loop;

        BUG_ON(nd->depth >= MAX_NESTED_LINKS);

        cond_resched();

        err = security_inode_follow_link(path->dentry, nd);

        if (err)

                goto loop;

        current->link_count++;

        current->total_link_count++;

        nd->depth++;

        err = __do_follow_link(path, nd);

        current->link_count--;

        nd->depth--;

        return err;

loop:

        dput_path(path, nd);

        path_release(nd);

        return err;

}

int follow_up(struct vfsmount **mnt, struct dentry **dentry)

{

        struct vfsmount *parent;

        struct dentry *mountpoint;

        spin_lock(&vfsmount_lock);

        parent=(*mnt)->mnt_parent;

        if (parent == *mnt) {

                spin_unlock(&vfsmount_lock);

                return 0;

        }

        mntget(parent);

        mountpoint=dget((*mnt)->mnt_mountpoint);

        spin_unlock(&vfsmount_lock);

        dput(*dentry);

        *dentry = mountpoint;

        mntput(*mnt);

        *mnt = parent;

        return 1;

}

/* no need for dcache_lock, as serialization is taken care in

 * namespace.c

 */

static int __follow_mount(struct path *path)

{

        int res = 0;

        while (d_mountpoint(path->dentry)) {

                struct vfsmount *mounted = lookup_mnt(path->mnt, path->dentry);

                if (!mounted)

                        break;

                dput(path->dentry);

                if (res)

                        mntput(path->mnt);

                path->mnt = mounted;

                path->dentry = dget(mounted->mnt_root);

                res = 1;

        }

        return res;

}

static void follow_mount(struct vfsmount **mnt, struct dentry **dentry)