2 * Copyright (c) 1982, 1986, 1989, 1993
3 * The Regents of the University of California. All rights reserved.
4 * (c) UNIX System Laboratories, Inc.
5 * All or some portions of this file are derived from material licensed
6 * to the University of California by American Telephone and Telegraph
7 * Co. or Unix System Laboratories, Inc. and are reproduced herein with
8 * the permission of UNIX System Laboratories, Inc.
10 * Redistribution and use in source and binary forms, with or without
11 * modification, are permitted provided that the following conditions
13 * 1. Redistributions of source code must retain the above copyright
14 * notice, this list of conditions and the following disclaimer.
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in the
17 * documentation and/or other materials provided with the distribution.
18 * 3. Neither the name of the University nor the names of its contributors
19 * may be used to endorse or promote products derived from this software
20 * without specific prior written permission.
22 * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
23 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
24 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
25 * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
26 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
27 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
28 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
29 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
30 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
31 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
34 * @(#)vfs_lookup.c 8.4 (Berkeley) 2/16/94
37 #include <sys/cdefs.h>
38 __FBSDID("$FreeBSD$");
40 #include "opt_capsicum.h"
41 #include "opt_ktrace.h"
43 #include <sys/param.h>
44 #include <sys/systm.h>
45 #include <sys/kernel.h>
46 #include <sys/capsicum.h>
47 #include <sys/fcntl.h>
50 #include <sys/mutex.h>
51 #include <sys/namei.h>
52 #include <sys/vnode.h>
53 #include <sys/mount.h>
54 #include <sys/filedesc.h>
57 #include <sys/syscallsubr.h>
58 #include <sys/sysctl.h>
60 #include <sys/ktrace.h>
63 #include <security/audit/audit.h>
64 #include <security/mac/mac_framework.h>
68 #define NAMEI_DIAGNOSTIC 1
69 #undef NAMEI_DIAGNOSTIC
71 SDT_PROVIDER_DECLARE(vfs);
72 SDT_PROBE_DEFINE3(vfs, namei, lookup, entry, "struct vnode *", "char *",
74 SDT_PROBE_DEFINE2(vfs, namei, lookup, return, "int", "struct vnode *");
76 /* Allocation zone for namei. */
77 uma_zone_t namei_zone;
79 /* Placeholder vnode for mp traversal. */
80 static struct vnode *vp_crossmp;
82 struct nameicap_tracker {
84 TAILQ_ENTRY(nameicap_tracker) nm_link;
87 /* Zone for cap mode tracker elements used for dotdot capability checks. */
88 static uma_zone_t nt_zone;
91 nameiinit(void *dummy __unused)
94 namei_zone = uma_zcreate("NAMEI", MAXPATHLEN, NULL, NULL, NULL, NULL,
96 nt_zone = uma_zcreate("rentr", sizeof(struct nameicap_tracker),
97 NULL, NULL, NULL, NULL, sizeof(void *), 0);
98 getnewvnode("crossmp", NULL, &dead_vnodeops, &vp_crossmp);
99 vn_lock(vp_crossmp, LK_EXCLUSIVE);
100 VN_LOCK_ASHARE(vp_crossmp);
101 VOP_UNLOCK(vp_crossmp, 0);
103 SYSINIT(vfs, SI_SUB_VFS, SI_ORDER_SECOND, nameiinit, NULL);
105 static int lookup_shared = 1;
106 SYSCTL_INT(_vfs, OID_AUTO, lookup_shared, CTLFLAG_RWTUN, &lookup_shared, 0,
107 "enables shared locks for path name translation");
110 * Intent is that lookup_cap_dotdot becomes unconditionally enabled,
111 * but it defaults to the disabled state until verification efforts
114 static int lookup_cap_dotdot = 0;
115 SYSCTL_INT(_vfs, OID_AUTO, lookup_cap_dotdot, CTLFLAG_RWTUN,
116 &lookup_cap_dotdot, 0,
117 "enables \"..\" components in path lookup in capability mode");
118 static int lookup_cap_dotdot_nonlocal = 0;
119 SYSCTL_INT(_vfs, OID_AUTO, lookup_cap_dotdot_nonlocal, CTLFLAG_RWTUN,
120 &lookup_cap_dotdot_nonlocal, 0,
121 "enables \"..\" components in path lookup in capability mode "
122 "on non-local mount");
125 nameicap_tracker_add(struct nameidata *ndp, struct vnode *dp)
127 struct nameicap_tracker *nt;
129 if ((ndp->ni_lcf & NI_LCF_CAP_DOTDOT) == 0 || dp->v_type != VDIR)
131 nt = uma_zalloc(nt_zone, M_WAITOK);
134 TAILQ_INSERT_TAIL(&ndp->ni_cap_tracker, nt, nm_link);
138 nameicap_cleanup(struct nameidata *ndp)
140 struct nameicap_tracker *nt, *nt1;
142 KASSERT(TAILQ_EMPTY(&ndp->ni_cap_tracker) ||
143 (ndp->ni_lcf & NI_LCF_CAP_DOTDOT) != 0, ("not strictrelative"));
144 TAILQ_FOREACH_SAFE(nt, &ndp->ni_cap_tracker, nm_link, nt1) {
145 TAILQ_REMOVE(&ndp->ni_cap_tracker, nt, nm_link);
147 uma_zfree(nt_zone, nt);
152 * For dotdot lookups in capability mode, only allow the component
153 * lookup to succeed if the resulting directory was already traversed
154 * during the operation. Also fail dotdot lookups for non-local
155 * filesystems, where external agents might assist local lookups to
156 * escape the compartment.
159 nameicap_check_dotdot(struct nameidata *ndp, struct vnode *dp)
161 struct nameicap_tracker *nt;
164 if ((ndp->ni_lcf & NI_LCF_CAP_DOTDOT) == 0 || dp == NULL ||
168 if (lookup_cap_dotdot_nonlocal == 0 && mp != NULL &&
169 (mp->mnt_flag & MNT_LOCAL) == 0)
170 return (ENOTCAPABLE);
171 TAILQ_FOREACH_REVERSE(nt, &ndp->ni_cap_tracker, nameicap_tracker_head,
176 return (ENOTCAPABLE);
180 namei_cleanup_cnp(struct componentname *cnp)
183 uma_zfree(namei_zone, cnp->cn_pnbuf);
185 cnp->cn_pnbuf = NULL;
186 cnp->cn_nameptr = NULL;
191 namei_handle_root(struct nameidata *ndp, struct vnode **dpp)
193 struct componentname *cnp;
196 if ((ndp->ni_lcf & NI_LCF_STRICTRELATIVE) != 0) {
198 if (KTRPOINT(curthread, KTR_CAPFAIL))
199 ktrcapfail(CAPFAIL_LOOKUP, NULL, NULL);
201 return (ENOTCAPABLE);
203 while (*(cnp->cn_nameptr) == '/') {
207 *dpp = ndp->ni_rootdir;
213 * Convert a pathname into a pointer to a locked vnode.
215 * The FOLLOW flag is set when symbolic links are to be followed
216 * when they occur at the end of the name translation process.
217 * Symbolic links are always followed for all other pathname
218 * components other than the last.
220 * The segflg defines whether the name is to be copied from user
221 * space or kernel space.
223 * Overall outline of namei:
226 * get starting directory
227 * while (!done && !error) {
228 * call lookup to search path.
229 * if symbolic link, massage name in buffer and continue
233 namei(struct nameidata *ndp)
235 struct filedesc *fdp; /* pointer to file descriptor state */
236 char *cp; /* pointer into pathname argument */
237 struct vnode *dp; /* the directory we are searching */
238 struct iovec aiov; /* uio for reading symbolic links */
239 struct componentname *cnp;
244 int error, linklen, startdir_used;
249 ndp->ni_cnd.cn_cred = ndp->ni_cnd.cn_thread->td_ucred;
250 KASSERT(cnp->cn_cred && p, ("namei: bad cred/proc"));
251 KASSERT((cnp->cn_nameiop & (~OPMASK)) == 0,
252 ("namei: nameiop contaminated with flags"));
253 KASSERT((cnp->cn_flags & OPMASK) == 0,
254 ("namei: flags contaminated with nameiops"));
255 MPASS(ndp->ni_startdir == NULL || ndp->ni_startdir->v_type == VDIR ||
256 ndp->ni_startdir->v_type == VBAD);
258 cnp->cn_flags &= ~LOCKSHARED;
260 TAILQ_INIT(&ndp->ni_cap_tracker);
263 /* We will set this ourselves if we need it. */
264 cnp->cn_flags &= ~TRAILINGSLASH;
267 * Get a buffer for the name to be translated, and copy the
268 * name into the buffer.
270 if ((cnp->cn_flags & HASBUF) == 0)
271 cnp->cn_pnbuf = uma_zalloc(namei_zone, M_WAITOK);
272 if (ndp->ni_segflg == UIO_SYSSPACE)
273 error = copystr(ndp->ni_dirp, cnp->cn_pnbuf, MAXPATHLEN,
276 error = copyinstr(ndp->ni_dirp, cnp->cn_pnbuf, MAXPATHLEN,
280 * Don't allow empty pathnames.
282 if (error == 0 && *cnp->cn_pnbuf == '\0')
285 #ifdef CAPABILITY_MODE
287 * In capability mode, lookups must be restricted to happen in
288 * the subtree with the root specified by the file descriptor:
289 * - The root must be real file descriptor, not the pseudo-descriptor
291 * - The passed path must be relative and not absolute.
292 * - If lookup_cap_dotdot is disabled, path must not contain the
294 * - If lookup_cap_dotdot is enabled, we verify that all '..'
295 * components lookups result in the directories which were
296 * previously walked by us, which prevents an escape from
299 if (error == 0 && IN_CAPABILITY_MODE(td) &&
300 (cnp->cn_flags & NOCAPCHECK) == 0) {
301 ndp->ni_lcf |= NI_LCF_STRICTRELATIVE;
302 if (ndp->ni_dirfd == AT_FDCWD) {
304 if (KTRPOINT(td, KTR_CAPFAIL))
305 ktrcapfail(CAPFAIL_LOOKUP, NULL, NULL);
312 namei_cleanup_cnp(cnp);
318 if (KTRPOINT(td, KTR_NAMEI)) {
319 KASSERT(cnp->cn_thread == curthread,
320 ("namei not using curthread"));
321 ktrnamei(cnp->cn_pnbuf);
325 * Get starting point for the translation.
328 ndp->ni_rootdir = fdp->fd_rdir;
329 VREF(ndp->ni_rootdir);
330 ndp->ni_topdir = fdp->fd_jdir;
333 * If we are auditing the kernel pathname, save the user pathname.
335 if (cnp->cn_flags & AUDITVNODE1)
336 AUDIT_ARG_UPATH1(td, ndp->ni_dirfd, cnp->cn_pnbuf);
337 if (cnp->cn_flags & AUDITVNODE2)
338 AUDIT_ARG_UPATH2(td, ndp->ni_dirfd, cnp->cn_pnbuf);
342 cnp->cn_nameptr = cnp->cn_pnbuf;
343 if (cnp->cn_pnbuf[0] == '/') {
344 error = namei_handle_root(ndp, &dp);
346 if (ndp->ni_startdir != NULL) {
347 dp = ndp->ni_startdir;
349 } else if (ndp->ni_dirfd == AT_FDCWD) {
353 rights = ndp->ni_rightsneeded;
354 cap_rights_set(&rights, CAP_LOOKUP);
356 if (cnp->cn_flags & AUDITVNODE1)
357 AUDIT_ARG_ATFD1(ndp->ni_dirfd);
358 if (cnp->cn_flags & AUDITVNODE2)
359 AUDIT_ARG_ATFD2(ndp->ni_dirfd);
360 error = fgetvp_rights(td, ndp->ni_dirfd,
361 &rights, &ndp->ni_filecaps, &dp);
366 * If file descriptor doesn't have all rights,
367 * all lookups relative to it must also be
371 if (!cap_rights_contains(&ndp->ni_filecaps.fc_rights,
373 ndp->ni_filecaps.fc_fcntls != CAP_FCNTL_ALL ||
374 ndp->ni_filecaps.fc_nioctls != -1) {
375 ndp->ni_lcf |= NI_LCF_STRICTRELATIVE;
379 if (error == 0 && dp->v_type != VDIR)
382 FILEDESC_SUNLOCK(fdp);
383 if (ndp->ni_startdir != NULL && !startdir_used)
384 vrele(ndp->ni_startdir);
390 if ((ndp->ni_lcf & NI_LCF_STRICTRELATIVE) != 0 &&
391 lookup_cap_dotdot != 0)
392 ndp->ni_lcf |= NI_LCF_CAP_DOTDOT;
393 SDT_PROBE3(vfs, namei, lookup, entry, dp, cnp->cn_pnbuf,
396 ndp->ni_startdir = dp;
401 * If not a symbolic link, we're done.
403 if ((cnp->cn_flags & ISSYMLINK) == 0) {
404 vrele(ndp->ni_rootdir);
405 if ((cnp->cn_flags & (SAVENAME | SAVESTART)) == 0) {
406 namei_cleanup_cnp(cnp);
408 cnp->cn_flags |= HASBUF;
409 nameicap_cleanup(ndp);
410 SDT_PROBE2(vfs, namei, lookup, return, 0, ndp->ni_vp);
413 if (ndp->ni_loopcnt++ >= MAXSYMLINKS) {
418 if ((cnp->cn_flags & NOMACCHECK) == 0) {
419 error = mac_vnode_check_readlink(td->td_ucred,
425 if (ndp->ni_pathlen > 1)
426 cp = uma_zalloc(namei_zone, M_WAITOK);
430 aiov.iov_len = MAXPATHLEN;
431 auio.uio_iov = &aiov;
434 auio.uio_rw = UIO_READ;
435 auio.uio_segflg = UIO_SYSSPACE;
437 auio.uio_resid = MAXPATHLEN;
438 error = VOP_READLINK(ndp->ni_vp, &auio, cnp->cn_cred);
440 if (ndp->ni_pathlen > 1)
441 uma_zfree(namei_zone, cp);
444 linklen = MAXPATHLEN - auio.uio_resid;
446 if (ndp->ni_pathlen > 1)
447 uma_zfree(namei_zone, cp);
451 if (linklen + ndp->ni_pathlen >= MAXPATHLEN) {
452 if (ndp->ni_pathlen > 1)
453 uma_zfree(namei_zone, cp);
454 error = ENAMETOOLONG;
457 if (ndp->ni_pathlen > 1) {
458 bcopy(ndp->ni_next, cp + linklen, ndp->ni_pathlen);
459 uma_zfree(namei_zone, cnp->cn_pnbuf);
462 cnp->cn_pnbuf[linklen] = '\0';
463 ndp->ni_pathlen += linklen;
467 * Check if root directory should replace current directory.
469 cnp->cn_nameptr = cnp->cn_pnbuf;
470 if (*(cnp->cn_nameptr) == '/') {
472 error = namei_handle_root(ndp, &dp);
481 vrele(ndp->ni_rootdir);
482 namei_cleanup_cnp(cnp);
483 nameicap_cleanup(ndp);
484 SDT_PROBE2(vfs, namei, lookup, return, error, NULL);
489 compute_cn_lkflags(struct mount *mp, int lkflags, int cnflags)
492 if (mp == NULL || ((lkflags & LK_SHARED) &&
493 (!(mp->mnt_kern_flag & MNTK_LOOKUP_SHARED) ||
494 ((cnflags & ISDOTDOT) &&
495 (mp->mnt_kern_flag & MNTK_LOOKUP_EXCL_DOTDOT))))) {
496 lkflags &= ~LK_SHARED;
497 lkflags |= LK_EXCLUSIVE;
499 lkflags |= LK_NODDLKTREAT;
504 needs_exclusive_leaf(struct mount *mp, int flags)
508 * Intermediate nodes can use shared locks, we only need to
509 * force an exclusive lock for leaf nodes.
511 if ((flags & (ISLASTCN | LOCKLEAF)) != (ISLASTCN | LOCKLEAF))
514 /* Always use exclusive locks if LOCKSHARED isn't set. */
515 if (!(flags & LOCKSHARED))
519 * For lookups during open(), if the mount point supports
520 * extended shared operations, then use a shared lock for the
521 * leaf node, otherwise use an exclusive lock.
523 if ((flags & ISOPEN) != 0)
524 return (!MNT_EXTENDED_SHARED(mp));
527 * Lookup requests outside of open() that specify LOCKSHARED
528 * only need a shared lock on the leaf vnode.
535 * This is a very central and rather complicated routine.
537 * The pathname is pointed to by ni_ptr and is of length ni_pathlen.
538 * The starting directory is taken from ni_startdir. The pathname is
539 * descended until done, or a symbolic link is encountered. The variable
540 * ni_more is clear if the path is completed; it is set to one if a
541 * symbolic link needing interpretation is encountered.
543 * The flag argument is LOOKUP, CREATE, RENAME, or DELETE depending on
544 * whether the name is to be looked up, created, renamed, or deleted.
545 * When CREATE, RENAME, or DELETE is specified, information usable in
546 * creating, renaming, or deleting a directory entry may be calculated.
547 * If flag has LOCKPARENT or'ed into it, the parent directory is returned
548 * locked. If flag has WANTPARENT or'ed into it, the parent directory is
549 * returned unlocked. Otherwise the parent directory is not returned. If
550 * the target of the pathname exists and LOCKLEAF is or'ed into the flag
551 * the target is returned locked, otherwise it is returned unlocked.
552 * When creating or renaming and LOCKPARENT is specified, the target may not
553 * be ".". When deleting and LOCKPARENT is specified, the target may be ".".
555 * Overall outline of lookup:
558 * identify next component of name at ndp->ni_ptr
559 * handle degenerate case where name is null string
560 * if .. and crossing mount points and on mounted filesys, find parent
561 * call VOP_LOOKUP routine for next component name
562 * directory vnode returned in ni_dvp, unlocked unless LOCKPARENT set
563 * component vnode returned in ni_vp (if it exists), locked.
564 * if result vnode is mounted on and crossing mount points,
565 * find mounted on vnode
566 * if more components of name, do next level at dirloop
567 * return the answer in ni_vp, locked if LOCKLEAF set
568 * if LOCKPARENT set, return locked parent in ni_dvp
569 * if WANTPARENT set, return unlocked parent in ni_dvp
572 lookup(struct nameidata *ndp)
574 char *cp; /* pointer into pathname argument */
575 struct vnode *dp = NULL; /* the directory we are searching */
576 struct vnode *tdp; /* saved dp */
577 struct mount *mp; /* mount table entry */
579 int docache; /* == 0 do not cache last component */
580 int wantparent; /* 1 => wantparent or lockparent flag */
581 int rdonly; /* lookup read-only flag bit */
583 int dpunlocked = 0; /* dp has already been unlocked */
584 int relookup = 0; /* do not consume the path component */
585 struct componentname *cnp = &ndp->ni_cnd;
590 * Setup: break out flag bits into variables.
593 wantparent = cnp->cn_flags & (LOCKPARENT | WANTPARENT);
594 KASSERT(cnp->cn_nameiop == LOOKUP || wantparent,
595 ("CREATE, DELETE, RENAME require LOCKPARENT or WANTPARENT."));
596 docache = (cnp->cn_flags & NOCACHE) ^ NOCACHE;
597 if (cnp->cn_nameiop == DELETE ||
598 (wantparent && cnp->cn_nameiop != CREATE &&
599 cnp->cn_nameiop != LOOKUP))
601 rdonly = cnp->cn_flags & RDONLY;
602 cnp->cn_flags &= ~ISSYMLINK;
605 * We use shared locks until we hit the parent of the last cn then
606 * we adjust based on the requesting flags.
609 cnp->cn_lkflags = LK_SHARED;
611 cnp->cn_lkflags = LK_EXCLUSIVE;
612 dp = ndp->ni_startdir;
613 ndp->ni_startdir = NULLVP;
615 compute_cn_lkflags(dp->v_mount, cnp->cn_lkflags | LK_RETRY,
620 * Search a new directory.
622 * The last component of the filename is left accessible via
623 * cnp->cn_nameptr for callers that need the name. Callers needing
624 * the name set the SAVENAME flag. When done, they assume
625 * responsibility for freeing the pathname buffer.
627 for (cp = cnp->cn_nameptr; *cp != 0 && *cp != '/'; cp++)
629 cnp->cn_namelen = cp - cnp->cn_nameptr;
630 if (cnp->cn_namelen > NAME_MAX) {
631 error = ENAMETOOLONG;
634 #ifdef NAMEI_DIAGNOSTIC
637 printf("{%s}: ", cnp->cn_nameptr);
640 ndp->ni_pathlen -= cnp->cn_namelen;
644 * Replace multiple slashes by a single slash and trailing slashes
645 * by a null. This must be done before VOP_LOOKUP() because some
646 * fs's don't know about trailing slashes. Remember if there were
647 * trailing slashes to handle symlinks, existing non-directories
648 * and non-existing files that won't be directories specially later.
650 while (*cp == '/' && (cp[1] == '/' || cp[1] == '\0')) {
654 *ndp->ni_next = '\0';
655 cnp->cn_flags |= TRAILINGSLASH;
660 cnp->cn_flags |= MAKEENTRY;
661 if (*cp == '\0' && docache == 0)
662 cnp->cn_flags &= ~MAKEENTRY;
663 if (cnp->cn_namelen == 2 &&
664 cnp->cn_nameptr[1] == '.' && cnp->cn_nameptr[0] == '.')
665 cnp->cn_flags |= ISDOTDOT;
667 cnp->cn_flags &= ~ISDOTDOT;
668 if (*ndp->ni_next == 0)
669 cnp->cn_flags |= ISLASTCN;
671 cnp->cn_flags &= ~ISLASTCN;
673 if ((cnp->cn_flags & ISLASTCN) != 0 &&
674 cnp->cn_namelen == 1 && cnp->cn_nameptr[0] == '.' &&
675 (cnp->cn_nameiop == DELETE || cnp->cn_nameiop == RENAME)) {
680 nameicap_tracker_add(ndp, dp);
683 * Check for degenerate name (e.g. / or "")
684 * which is a way of talking about a directory,
685 * e.g. like "/." or ".".
687 if (cnp->cn_nameptr[0] == '\0') {
688 if (dp->v_type != VDIR) {
692 if (cnp->cn_nameiop != LOOKUP) {
702 if (cnp->cn_flags & AUDITVNODE1)
703 AUDIT_ARG_VNODE1(dp);
704 else if (cnp->cn_flags & AUDITVNODE2)
705 AUDIT_ARG_VNODE2(dp);
707 if (!(cnp->cn_flags & (LOCKPARENT | LOCKLEAF)))
709 /* XXX This should probably move to the top of function. */
710 if (cnp->cn_flags & SAVESTART)
711 panic("lookup: SAVESTART");
716 * Handle "..": five special cases.
717 * 0. If doing a capability lookup and lookup_cap_dotdot is
718 * disabled, return ENOTCAPABLE.
719 * 1. Return an error if this is the last component of
720 * the name and the operation is DELETE or RENAME.
721 * 2. If at root directory (e.g. after chroot)
722 * or at absolute root directory
723 * then ignore it so can't get out.
724 * 3. If this vnode is the root of a mounted
725 * filesystem, then replace it with the
726 * vnode which was mounted on so we take the
727 * .. in the other filesystem.
728 * 4. If the vnode is the top directory of
729 * the jail or chroot, don't let them out.
730 * 5. If doing a capability lookup and lookup_cap_dotdot is
731 * enabled, return ENOTCAPABLE if the lookup would escape
732 * from the initial file descriptor directory. Checks are
733 * done by ensuring that namei() already traversed the
734 * result of dotdot lookup.
736 if (cnp->cn_flags & ISDOTDOT) {
737 if ((ndp->ni_lcf & (NI_LCF_STRICTRELATIVE | NI_LCF_CAP_DOTDOT))
738 == NI_LCF_STRICTRELATIVE) {
740 if (KTRPOINT(curthread, KTR_CAPFAIL))
741 ktrcapfail(CAPFAIL_LOOKUP, NULL, NULL);
746 if ((cnp->cn_flags & ISLASTCN) != 0 &&
747 (cnp->cn_nameiop == DELETE || cnp->cn_nameiop == RENAME)) {
752 for (pr = cnp->cn_cred->cr_prison; pr != NULL;
754 if (dp == pr->pr_root)
756 if (dp == ndp->ni_rootdir ||
757 dp == ndp->ni_topdir ||
760 ((dp->v_vflag & VV_ROOT) != 0 &&
761 (cnp->cn_flags & NOCROSSMOUNT) != 0)) {
767 if ((dp->v_vflag & VV_ROOT) == 0)
769 if (dp->v_iflag & VI_DOOMED) { /* forced unmount */
774 dp = dp->v_mount->mnt_vnodecovered;
778 compute_cn_lkflags(dp->v_mount, cnp->cn_lkflags |
779 LK_RETRY, ISDOTDOT));
780 error = nameicap_check_dotdot(ndp, dp);
783 if (KTRPOINT(curthread, KTR_CAPFAIL))
784 ktrcapfail(CAPFAIL_LOOKUP, NULL, NULL);
792 * We now have a segment name to search for, and a directory to search.
796 if ((cnp->cn_flags & NOMACCHECK) == 0) {
797 error = mac_vnode_check_lookup(cnp->cn_thread->td_ucred, dp,
805 ASSERT_VOP_LOCKED(dp, "lookup");
807 * If we have a shared lock we may need to upgrade the lock for the
810 if (dp != vp_crossmp &&
811 VOP_ISLOCKED(dp) == LK_SHARED &&
812 (cnp->cn_flags & ISLASTCN) && (cnp->cn_flags & LOCKPARENT))
813 vn_lock(dp, LK_UPGRADE|LK_RETRY);
814 if ((dp->v_iflag & VI_DOOMED) != 0) {
819 * If we're looking up the last component and we need an exclusive
820 * lock, adjust our lkflags.
822 if (needs_exclusive_leaf(dp->v_mount, cnp->cn_flags))
823 cnp->cn_lkflags = LK_EXCLUSIVE;
824 #ifdef NAMEI_DIAGNOSTIC
825 vn_printf(dp, "lookup in ");
827 lkflags_save = cnp->cn_lkflags;
828 cnp->cn_lkflags = compute_cn_lkflags(dp->v_mount, cnp->cn_lkflags,
830 error = VOP_LOOKUP(dp, &ndp->ni_vp, cnp);
831 cnp->cn_lkflags = lkflags_save;
833 KASSERT(ndp->ni_vp == NULL, ("leaf should be empty"));
834 #ifdef NAMEI_DIAGNOSTIC
835 printf("not found\n");
837 if ((error == ENOENT) &&
838 (dp->v_vflag & VV_ROOT) && (dp->v_mount != NULL) &&
839 (dp->v_mount->mnt_flag & MNT_UNION)) {
841 dp = dp->v_mount->mnt_vnodecovered;
845 compute_cn_lkflags(dp->v_mount, cnp->cn_lkflags |
846 LK_RETRY, cnp->cn_flags));
847 nameicap_tracker_add(ndp, dp);
851 if (error == ERELOOKUP) {
859 if (error != EJUSTRETURN)
862 * At this point, we know we're at the end of the
863 * pathname. If creating / renaming, we can consider
864 * allowing the file or directory to be created / renamed,
865 * provided we're not on a read-only filesystem.
871 /* trailing slash only allowed for directories */
872 if ((cnp->cn_flags & TRAILINGSLASH) &&
873 !(cnp->cn_flags & WILLBEDIR)) {
877 if ((cnp->cn_flags & LOCKPARENT) == 0)
880 * We return with ni_vp NULL to indicate that the entry
881 * doesn't currently exist, leaving a pointer to the
882 * (possibly locked) directory vnode in ndp->ni_dvp.
884 if (cnp->cn_flags & SAVESTART) {
885 ndp->ni_startdir = ndp->ni_dvp;
886 VREF(ndp->ni_startdir);
892 #ifdef NAMEI_DIAGNOSTIC
898 * Check to see if the vnode has been mounted on;
899 * if so find the root of the mounted filesystem.
901 while (dp->v_type == VDIR && (mp = dp->v_mountedhere) &&
902 (cnp->cn_flags & NOCROSSMOUNT) == 0) {
906 if (dp != ndp->ni_dvp)
911 ndp->ni_dvp = vp_crossmp;
912 error = VFS_ROOT(mp, compute_cn_lkflags(mp, cnp->cn_lkflags,
913 cnp->cn_flags), &tdp);
915 if (vn_lock(vp_crossmp, LK_SHARED | LK_NOWAIT))
916 panic("vp_crossmp exclusively locked or reclaimed");
921 ndp->ni_vp = dp = tdp;
925 * Check for symbolic link
927 if ((dp->v_type == VLNK) &&
928 ((cnp->cn_flags & FOLLOW) || (cnp->cn_flags & TRAILINGSLASH) ||
929 *ndp->ni_next == '/')) {
930 cnp->cn_flags |= ISSYMLINK;
931 if (dp->v_iflag & VI_DOOMED) {
933 * We can't know whether the directory was mounted with
934 * NOSYMFOLLOW, so we can't follow safely.
939 if (dp->v_mount->mnt_flag & MNT_NOSYMFOLLOW) {
944 * Symlink code always expects an unlocked dvp.
946 if (ndp->ni_dvp != ndp->ni_vp) {
947 VOP_UNLOCK(ndp->ni_dvp, 0);
955 * Not a symbolic link that we will follow. Continue with the
956 * next component if there is any; otherwise, we're done.
958 KASSERT((cnp->cn_flags & ISLASTCN) || *ndp->ni_next == '/',
959 ("lookup: invalid path state."));
962 if (ndp->ni_dvp != dp)
968 if (cnp->cn_flags & ISDOTDOT) {
969 error = nameicap_check_dotdot(ndp, ndp->ni_vp);
972 if (KTRPOINT(curthread, KTR_CAPFAIL))
973 ktrcapfail(CAPFAIL_LOOKUP, NULL, NULL);
978 if (*ndp->ni_next == '/') {
979 cnp->cn_nameptr = ndp->ni_next;
980 while (*cnp->cn_nameptr == '/') {
984 if (ndp->ni_dvp != dp)
991 * If we're processing a path with a trailing slash,
992 * check that the end result is a directory.
994 if ((cnp->cn_flags & TRAILINGSLASH) && dp->v_type != VDIR) {
999 * Disallow directory write attempts on read-only filesystems.
1002 (cnp->cn_nameiop == DELETE || cnp->cn_nameiop == RENAME)) {
1006 if (cnp->cn_flags & SAVESTART) {
1007 ndp->ni_startdir = ndp->ni_dvp;
1008 VREF(ndp->ni_startdir);
1011 ni_dvp_unlocked = 2;
1012 if (ndp->ni_dvp != dp)
1016 } else if ((cnp->cn_flags & LOCKPARENT) == 0 && ndp->ni_dvp != dp) {
1017 VOP_UNLOCK(ndp->ni_dvp, 0);
1018 ni_dvp_unlocked = 1;
1021 if (cnp->cn_flags & AUDITVNODE1)
1022 AUDIT_ARG_VNODE1(dp);
1023 else if (cnp->cn_flags & AUDITVNODE2)
1024 AUDIT_ARG_VNODE2(dp);
1026 if ((cnp->cn_flags & LOCKLEAF) == 0)
1030 * Because of lookup_shared we may have the vnode shared locked, but
1031 * the caller may want it to be exclusively locked.
1033 if (needs_exclusive_leaf(dp->v_mount, cnp->cn_flags) &&
1034 VOP_ISLOCKED(dp) != LK_EXCLUSIVE) {
1035 vn_lock(dp, LK_UPGRADE | LK_RETRY);
1036 if (dp->v_iflag & VI_DOOMED) {
1044 if (ni_dvp_unlocked != 2) {
1045 if (dp != ndp->ni_dvp && !ni_dvp_unlocked)
1058 * relookup - lookup a path name component
1059 * Used by lookup to re-acquire things.
1062 relookup(struct vnode *dvp, struct vnode **vpp, struct componentname *cnp)
1064 struct vnode *dp = NULL; /* the directory we are searching */
1065 int wantparent; /* 1 => wantparent or lockparent flag */
1066 int rdonly; /* lookup read-only flag bit */
1069 KASSERT(cnp->cn_flags & ISLASTCN,
1070 ("relookup: Not given last component."));
1072 * Setup: break out flag bits into variables.
1074 wantparent = cnp->cn_flags & (LOCKPARENT|WANTPARENT);
1075 KASSERT(wantparent, ("relookup: parent not wanted."));
1076 rdonly = cnp->cn_flags & RDONLY;
1077 cnp->cn_flags &= ~ISSYMLINK;
1079 cnp->cn_lkflags = LK_EXCLUSIVE;
1080 vn_lock(dp, LK_EXCLUSIVE | LK_RETRY);
1083 * Search a new directory.
1085 * The last component of the filename is left accessible via
1086 * cnp->cn_nameptr for callers that need the name. Callers needing
1087 * the name set the SAVENAME flag. When done, they assume
1088 * responsibility for freeing the pathname buffer.
1090 #ifdef NAMEI_DIAGNOSTIC
1091 printf("{%s}: ", cnp->cn_nameptr);
1095 * Check for "" which represents the root directory after slash
1098 if (cnp->cn_nameptr[0] == '\0') {
1100 * Support only LOOKUP for "/" because lookup()
1101 * can't succeed for CREATE, DELETE and RENAME.
1103 KASSERT(cnp->cn_nameiop == LOOKUP, ("nameiop must be LOOKUP"));
1104 KASSERT(dp->v_type == VDIR, ("dp is not a directory"));
1106 if (!(cnp->cn_flags & LOCKLEAF))
1109 /* XXX This should probably move to the top of function. */
1110 if (cnp->cn_flags & SAVESTART)
1111 panic("lookup: SAVESTART");
1115 if (cnp->cn_flags & ISDOTDOT)
1116 panic ("relookup: lookup on dot-dot");
1119 * We now have a segment name to search for, and a directory to search.
1121 #ifdef NAMEI_DIAGNOSTIC
1122 vn_printf(dp, "search in ");
1124 if ((error = VOP_LOOKUP(dp, vpp, cnp)) != 0) {
1125 KASSERT(*vpp == NULL, ("leaf should be empty"));
1126 if (error != EJUSTRETURN)
1129 * If creating and at end of pathname, then can consider
1130 * allowing file to be created.
1136 /* ASSERT(dvp == ndp->ni_startdir) */
1137 if (cnp->cn_flags & SAVESTART)
1139 if ((cnp->cn_flags & LOCKPARENT) == 0)
1142 * We return with ni_vp NULL to indicate that the entry
1143 * doesn't currently exist, leaving a pointer to the
1144 * (possibly locked) directory vnode in ndp->ni_dvp.
1152 * Disallow directory write attempts on read-only filesystems.
1155 (cnp->cn_nameiop == DELETE || cnp->cn_nameiop == RENAME)) {
1164 * Set the parent lock/ref state to the requested state.
1166 if ((cnp->cn_flags & LOCKPARENT) == 0 && dvp != dp) {
1171 } else if (!wantparent)
1174 * Check for symbolic link
1176 KASSERT(dp->v_type != VLNK || !(cnp->cn_flags & FOLLOW),
1177 ("relookup: symlink found.\n"));
1179 /* ASSERT(dvp == ndp->ni_startdir) */
1180 if (cnp->cn_flags & SAVESTART)
1183 if ((cnp->cn_flags & LOCKLEAF) == 0)
1193 NDINIT_ALL(struct nameidata *ndp, u_long op, u_long flags, enum uio_seg segflg,
1194 const char *namep, int dirfd, struct vnode *startdir, cap_rights_t *rightsp,
1198 ndp->ni_cnd.cn_nameiop = op;
1199 ndp->ni_cnd.cn_flags = flags;
1200 ndp->ni_segflg = segflg;
1201 ndp->ni_dirp = namep;
1202 ndp->ni_dirfd = dirfd;
1203 ndp->ni_startdir = startdir;
1204 if (rightsp != NULL)
1205 ndp->ni_rightsneeded = *rightsp;
1207 cap_rights_init(&ndp->ni_rightsneeded);
1208 filecaps_init(&ndp->ni_filecaps);
1209 ndp->ni_cnd.cn_thread = td;
1213 * Free data allocated by namei(); see namei(9) for details.
1216 NDFREE(struct nameidata *ndp, const u_int flags)
1224 if (!(flags & NDF_NO_FREE_PNBUF) &&
1225 (ndp->ni_cnd.cn_flags & HASBUF)) {
1226 uma_zfree(namei_zone, ndp->ni_cnd.cn_pnbuf);
1227 ndp->ni_cnd.cn_flags &= ~HASBUF;
1229 if (!(flags & NDF_NO_VP_UNLOCK) &&
1230 (ndp->ni_cnd.cn_flags & LOCKLEAF) && ndp->ni_vp)
1232 if (!(flags & NDF_NO_VP_RELE) && ndp->ni_vp) {
1241 VOP_UNLOCK(ndp->ni_vp, 0);
1242 if (!(flags & NDF_NO_DVP_UNLOCK) &&
1243 (ndp->ni_cnd.cn_flags & LOCKPARENT) &&
1244 ndp->ni_dvp != ndp->ni_vp)
1246 if (!(flags & NDF_NO_DVP_RELE) &&
1247 (ndp->ni_cnd.cn_flags & (LOCKPARENT|WANTPARENT))) {
1256 VOP_UNLOCK(ndp->ni_dvp, 0);
1257 if (!(flags & NDF_NO_STARTDIR_RELE) &&
1258 (ndp->ni_cnd.cn_flags & SAVESTART)) {
1259 vrele(ndp->ni_startdir);
1260 ndp->ni_startdir = NULL;
1265 * Determine if there is a suitable alternate filename under the specified
1266 * prefix for the specified path. If the create flag is set, then the
1267 * alternate prefix will be used so long as the parent directory exists.
1268 * This is used by the various compatibility ABIs so that Linux binaries prefer
1269 * files under /compat/linux for example. The chosen path (whether under
1270 * the prefix or under /) is returned in a kernel malloc'd buffer pointed
1271 * to by pathbuf. The caller is responsible for free'ing the buffer from
1272 * the M_TEMP bucket if one is returned.
1275 kern_alternate_path(struct thread *td, const char *prefix, const char *path,
1276 enum uio_seg pathseg, char **pathbuf, int create, int dirfd)
1278 struct nameidata nd, ndroot;
1279 char *ptr, *buf, *cp;
1283 buf = (char *) malloc(MAXPATHLEN, M_TEMP, M_WAITOK);
1286 /* Copy the prefix into the new pathname as a starting point. */
1287 len = strlcpy(buf, prefix, MAXPATHLEN);
1288 if (len >= MAXPATHLEN) {
1293 sz = MAXPATHLEN - len;
1296 /* Append the filename to the prefix. */
1297 if (pathseg == UIO_SYSSPACE)
1298 error = copystr(path, ptr, sz, &len);
1300 error = copyinstr(path, ptr, sz, &len);
1308 /* Only use a prefix with absolute pathnames. */
1314 if (dirfd != AT_FDCWD) {
1316 * We want the original because the "prefix" is
1317 * included in the already opened dirfd.
1319 bcopy(ptr, buf, len);
1324 * We know that there is a / somewhere in this pathname.
1325 * Search backwards for it, to find the file's parent dir
1326 * to see if it exists in the alternate tree. If it does,
1327 * and we want to create a file (cflag is set). We don't
1328 * need to worry about the root comparison in this case.
1332 for (cp = &ptr[len] - 1; *cp != '/'; cp--);
1335 NDINIT(&nd, LOOKUP, FOLLOW, UIO_SYSSPACE, buf, td);
1341 NDINIT(&nd, LOOKUP, FOLLOW, UIO_SYSSPACE, buf, td);
1348 * We now compare the vnode of the prefix to the one
1349 * vnode asked. If they resolve to be the same, then we
1350 * ignore the match so that the real root gets used.
1351 * This avoids the problem of traversing "../.." to find the
1352 * root directory and never finding it, because "/" resolves
1353 * to the emulation root directory. This is expensive :-(
1355 NDINIT(&ndroot, LOOKUP, FOLLOW, UIO_SYSSPACE, prefix,
1358 /* We shouldn't ever get an error from this namei(). */
1359 error = namei(&ndroot);
1361 if (nd.ni_vp == ndroot.ni_vp)
1364 NDFREE(&ndroot, NDF_ONLY_PNBUF);
1365 vrele(ndroot.ni_vp);
1369 NDFREE(&nd, NDF_ONLY_PNBUF);
1373 /* If there was an error, use the original path name. */
1375 bcopy(ptr, buf, len);