LadybirdBrowser/ladybird
1
1
Fork 0
mirror of https://github.com/LadybirdBrowser/ladybird.git synced 2024-11-10 13:00:29 +03:00
Code Issues Packages Projects Releases Wiki Activity
db0a48d34c
ladybird/Kernel/FileSystem/VirtualFileSystem.cpp

946 lines
33 KiB
C++
Raw Normal View History

Meta: Add license header to source files As suggested by Joshua, this commit adds the 2-clause BSD license as a comment block to the top of every source file. For the first pass, I've just added myself for simplicity. I encourage everyone to add themselves as copyright holders of any file they've added or modified in some significant way. If I've added myself in error somewhere, feel free to replace it with the appropriate copyright holder instead. Going forward, all new source files should include a license header.
2020-01-18 11:38:21 +03:00
/*
* Copyright (c) 2018-2020, Andreas Kling <kling@serenityos.org>
*
Everything: Move to SPDX license identifiers in all files. SPDX License Identifiers are a more compact / standardized way of representing file license information. See: https://spdx.dev/resources/use/#identifiers This was done with the `ambr` search and replace tool. ambr --no-parent-ignore --key-from-file --rep-from-file key.txt rep.txt *
2021-04-22 11:24:48 +03:00
* SPDX-License-Identifier: BSD-2-Clause
Meta: Add license header to source files As suggested by Joshua, this commit adds the 2-clause BSD license as a comment block to the top of every source file. For the first pass, I've just added myself for simplicity. I encourage everyone to add themselves as copyright holders of any file they've added or modified in some significant way. If I've added myself in error somewhere, feel free to replace it with the appropriate copyright holder instead. Going forward, all new source files should include a license header.
2020-01-18 11:38:21 +03:00
*/
AK: Move FormatParser definition from header to implementation file This is primarily to be able to remove the GenericLexer include out of Format.h as well. A subsequent commit will add AK::Result to GenericLexer, which will cause naming conflicts with other structures named Result. This can be avoided (for now) by preventing nearly every file in the system from implicitly including GenericLexer. Other changes in this commit are to add the GenericLexer include to files where it is missing.
2021-08-18 14:22:52 +03:00
#include <AK/GenericLexer.h>
Kernel: Switch singletons to use new Singleton class MemoryManager cannot use the Singleton class because MemoryManager::initialize is called before the global constructors are run. That caused the Singleton to be re-initialized, causing it to create another MemoryManager instance. Fixes #3226
2020-08-25 04:35:19 +03:00
#include <AK/Singleton.h>
Add a VFS::absolutePath(InodeIdentifier). This is pretty inefficient for ext2fs. We walk the entire block group containing the inode, searching through every directory for an entry referencing this inode. It might be a good idea to cache this information somehow. I'm not sure how often we'll be searching for it. Obviously there are multiple caching layers missing in the file system.
2018-10-28 14:20:25 +03:00
#include <AK/StringBuilder.h>
Meta: Split debug defines into multiple headers. The following script was used to make these changes: #!/bin/bash set -e tmp=$(mktemp -d) echo "tmp=$tmp" find Kernel \( -name '*.cpp' -o -name '*.h' \) | sort > $tmp/Kernel.files find . \( -path ./Toolchain -prune -o -path ./Build -prune -o -path ./Kernel -prune \) -o \( -name '*.cpp' -o -name '*.h' \) -print | sort > $tmp/EverythingExceptKernel.files cat $tmp/Kernel.files | xargs grep -Eho '[A-Z0-9_]+_DEBUG' | sort | uniq > $tmp/Kernel.macros cat $tmp/EverythingExceptKernel.files | xargs grep -Eho '[A-Z0-9_]+_DEBUG' | sort | uniq > $tmp/EverythingExceptKernel.macros comm -23 $tmp/Kernel.macros $tmp/EverythingExceptKernel.macros > $tmp/Kernel.unique comm -1 $tmp/Kernel.macros $tmp/EverythingExceptKernel.macros > $tmp/EverythingExceptKernel.unique cat $tmp/Kernel.unique | awk '{ print "#cmakedefine01 "$1 }' > $tmp/Kernel.header cat $tmp/EverythingExceptKernel.unique | awk '{ print "#cmakedefine01 "$1 }' > $tmp/EverythingExceptKernel.header for macro in $(cat $tmp/Kernel.unique) do cat $tmp/Kernel.files | xargs grep -l $macro >> $tmp/Kernel.new-includes ||: done cat $tmp/Kernel.new-includes | sort > $tmp/Kernel.new-includes.sorted for macro in $(cat $tmp/EverythingExceptKernel.unique) do cat $tmp/Kernel.files | xargs grep -l $macro >> $tmp/Kernel.old-includes ||: done cat $tmp/Kernel.old-includes | sort > $tmp/Kernel.old-includes.sorted comm -23 $tmp/Kernel.new-includes.sorted $tmp/Kernel.old-includes.sorted > $tmp/Kernel.includes.new comm -13 $tmp/Kernel.new-includes.sorted $tmp/Kernel.old-includes.sorted > $tmp/Kernel.includes.old comm -12 $tmp/Kernel.new-includes.sorted $tmp/Kernel.old-includes.sorted > $tmp/Kernel.includes.mixed for file in $(cat $tmp/Kernel.includes.new) do sed -i -E 's/#include <AK\/Debug\.h>/#include <Kernel\/Debug\.h>/' $file done for file in $(cat $tmp/Kernel.includes.mixed) do echo "mixed include in $file, requires manual editing." done
2021-01-25 18:07:10 +03:00
#include <Kernel/Debug.h>
Kernel: Add forward declaration header
2020-02-16 03:50:16 +03:00
#include <Kernel/Devices/BlockDevice.h>
FileSystem: Add a Custody class that represents a parent/child guardianship. A custody is kind of a directory entry abstraction that represents a single entry in a parent directory that tells us the name of a child inode. The idea here is for path resolution to produce a chain of custody objects.
2019-05-30 18:46:08 +03:00
#include <Kernel/FileSystem/Custody.h>
Kernel: Change Ext2FS to be backed by a file instead of a block device In contrast to the previous patchset that was reverted, this time we use a "special" method to access a file with block size of 512 bytes (like a harddrive essentially).
2020-04-06 11:54:21 +03:00
#include <Kernel/FileSystem/FileBackedFileSystem.h>
Kernel: Qualify a bunch of #include statements.
2019-06-07 20:29:34 +03:00
#include <Kernel/FileSystem/FileSystem.h>
Kernel: Rename FileDescription => OpenFileDescription Dr. POSIX really calls these "open file description", not just "file description", so let's call them exactly that. :^)
2021-09-07 14:39:11 +03:00
#include <Kernel/FileSystem/OpenFileDescription.h>
Kernel: Qualify a bunch of #include statements.
2019-06-07 20:29:34 +03:00
#include <Kernel/FileSystem/VirtualFileSystem.h>
Kernel: Replace usage of LexicalPath with KLexicalPath This replaces all uses of LexicalPath in the Kernel with the functions from KLexicalPath. This also allows the Kernel to stop including AK::LexicalPath.
2021-07-06 12:21:52 +03:00
#include <Kernel/KLexicalPath.h>
Kernel: Move all code into the Kernel namespace
2020-02-16 03:27:42 +03:00
#include <Kernel/KSyms.h>
Kernel: Run clang-format on everything.
2019-06-07 12:43:58 +03:00
#include <Kernel/Process.h>
Kernel: Move special sections into Sections.h This also removes a lot of CPU.h includes infavor for Sections.h
2021-06-22 18:40:16 +03:00
#include <Kernel/Sections.h>
Kernel: Run clang-format on everything.
2019-06-07 12:43:58 +03:00
#include <LibC/errno_numbers.h>
Import all this stuff into a single repo called Serenity.
2018-10-10 12:53:07 +03:00
Kernel: Move all code into the Kernel namespace
2020-02-16 03:27:42 +03:00
namespace Kernel {
Everywhere: Replace AK::Singleton => Singleton
2021-08-07 22:34:11 +03:00
static Singleton<VirtualFileSystem> s_the;
Kernel: Implement recursion limit on path resolution Cautiously use 5 as a limit for now so that we don't blow the stack. This can be increased in the future if we are sure that we won't be blowing the stack, or if the implementation is changed to not use recursion :^)
2019-12-24 12:39:21 +03:00
static constexpr int symlink_recursion_limit { 5 }; // FIXME: increase?
Kernel+Base: Mount root filesystem read-only :^) We remount /home and /root as read-write, to keep the ability to modify files there. /tmp remains read-write, as it is mounted from a TmpFS.
2020-05-28 18:06:13 +03:00
static constexpr int root_mount_flags = MS_NODEV | MS_NOSUID | MS_RDONLY;
Add an fd field to FileHandle in Kernel builds.
2018-10-18 11:27:07 +03:00
Kernel: Rename VFS => VirtualFileSystem
2021-07-11 01:25:24 +03:00
UNMAP_AFTER_INIT void VirtualFileSystem::initialize()
Kernel: Switch singletons to use new Singleton class MemoryManager cannot use the Singleton class because MemoryManager::initialize is called before the global constructors are run. That caused the Singleton to be re-initialized, causing it to create another MemoryManager instance. Fixes #3226
2020-08-25 04:35:19 +03:00
{
s_the.ensure_instance();
}
Kernel: Rename VFS => VirtualFileSystem
2021-07-11 01:25:24 +03:00
VirtualFileSystem& VirtualFileSystem::the()
Add an fd field to FileHandle in Kernel builds.
2018-10-18 11:27:07 +03:00
{
return *s_the;
}
Kernel: Rename VFS => VirtualFileSystem
2021-07-11 01:25:24 +03:00
UNMAP_AFTER_INIT VirtualFileSystem::VirtualFileSystem()
Import all this stuff into a single repo called Serenity.
2018-10-10 12:53:07 +03:00
{
}
Kernel: Rename VFS => VirtualFileSystem
2021-07-11 01:25:24 +03:00
UNMAP_AFTER_INIT VirtualFileSystem::~VirtualFileSystem()
Import all this stuff into a single repo called Serenity.
2018-10-10 12:53:07 +03:00
{
Virtual consoles kinda work! We now make three VirtualConsoles at boot: tty0, tty1, and tty2. We launch an instance of /bin/sh in each one. You switch between them with Alt+1/2/3 How very very cool :^)
2018-10-30 17:33:37 +03:00
}
Kernel: Rename VFS => VirtualFileSystem
2021-07-11 01:25:24 +03:00
InodeIdentifier VirtualFileSystem::root_inode_id() const
Fix mkdir with relative paths.
2018-11-19 01:28:43 +03:00
{
Everywhere: Rename ASSERT => VERIFY (...and ASSERT_NOT_REACHED => VERIFY_NOT_REACHED) Since all of these checks are done in release builds as well, let's rename them to VERIFY to prevent confusion, as everyone is used to assertions being compiled out in release. We can introduce a new ASSERT macro that is specifically for debug checks, but I'm doing this wholesale conversion first since we've accumulated thousands of these already, and it's not immediately obvious which ones are suitable for ASSERT.
2021-02-23 22:42:32 +03:00
VERIFY(m_root_inode);
Get rid of Vnode concept. We already have an abstraction between Process and Inode/CharacterDevice/FIFO and it's called FileDescriptor. :^)
2019-01-16 14:57:07 +03:00
return m_root_inode->identifier();
Fix mkdir with relative paths.
2018-11-19 01:28:43 +03:00
}
Kernel: Rename VFS => VirtualFileSystem
2021-07-11 01:25:24 +03:00
KResult VirtualFileSystem::mount(FileSystem& fs, Custody& mount_point, int flags)
Kernel: Some improvements to the mount syscall - You must now have superuser privileges to use mount(). - We now verify that the mount point is a valid path first, before trying to find a filesystem on the specified device. - Convert some dbgprintf() to dbg().
2019-08-02 20:03:50 +03:00
{
Kernel: Use ProtectedValue for VirtualFileSystem::m_mounts This is what VirtualFileSystem::m_lock was actually guarding, and wrapping it in a ProtectedValue makes it so much more obvious how it all works. :^)
2021-08-16 02:40:19 +03:00
return m_mounts.with_exclusive([&](auto& mounts) -> KResult {
auto& inode = mount_point.inode();
Kernel: Improvements to Custody absolute path serialization - Renamed try_create_absolute_path() => try_serialize_absolute_path() - Use KResultOr and TRY() to propagate errors - Don't call this when it's only for debug logging
2021-09-06 13:24:36 +03:00
dbgln("VirtualFileSystem: Mounting {} at inode {} with flags {}",
Kernel: Use ProtectedValue for VirtualFileSystem::m_mounts This is what VirtualFileSystem::m_lock was actually guarding, and wrapping it in a ProtectedValue makes it so much more obvious how it all works. :^)
2021-08-16 02:40:19 +03:00
fs.class_name(),
inode.identifier(),
flags);
// FIXME: check that this is not already a mount point
Mount mount { fs, &mount_point, flags };
mounts.append(move(mount));
return KSuccess;
});
Kernel: Some improvements to the mount syscall - You must now have superuser privileges to use mount(). - We now verify that the mount point is a valid path first, before trying to find a filesystem on the specified device. - Convert some dbgprintf() to dbg().
2019-08-02 20:03:50 +03:00
}
Kernel: Rename VFS => VirtualFileSystem
2021-07-11 01:25:24 +03:00
KResult VirtualFileSystem::bind_mount(Custody& source, Custody& mount_point, int flags)
Kernel: Implement bind mounts You can now bind-mount files and directories. This essentially exposes an existing part of the file system in another place, and can be used as an alternative to symlinks or hardlinks. Here's an example of doing this: # mkdir /tmp/foo # mount /home/anon/myfile.txt /tmp/foo -o bind # cat /tmp/foo This is anon's file.
2020-01-11 19:08:35 +03:00
{
Kernel: Use ProtectedValue for VirtualFileSystem::m_mounts This is what VirtualFileSystem::m_lock was actually guarding, and wrapping it in a ProtectedValue makes it so much more obvious how it all works. :^)
2021-08-16 02:40:19 +03:00
return m_mounts.with_exclusive([&](auto& mounts) -> KResult {
Kernel: Improvements to Custody absolute path serialization - Renamed try_create_absolute_path() => try_serialize_absolute_path() - Use KResultOr and TRY() to propagate errors - Don't call this when it's only for debug logging
2021-09-06 13:24:36 +03:00
dbgln("VirtualFileSystem: Bind-mounting inode {} at inode {}", source.inode().identifier(), mount_point.inode().identifier());
Kernel: Use ProtectedValue for VirtualFileSystem::m_mounts This is what VirtualFileSystem::m_lock was actually guarding, and wrapping it in a ProtectedValue makes it so much more obvious how it all works. :^)
2021-08-16 02:40:19 +03:00
// FIXME: check that this is not already a mount point
Mount mount { source.inode(), mount_point, flags };
mounts.append(move(mount));
return KSuccess;
});
Kernel: Implement bind mounts You can now bind-mount files and directories. This essentially exposes an existing part of the file system in another place, and can be used as an alternative to symlinks or hardlinks. Here's an example of doing this: # mkdir /tmp/foo # mount /home/anon/myfile.txt /tmp/foo -o bind # cat /tmp/foo This is anon's file.
2020-01-11 19:08:35 +03:00
}
Kernel: Rename VFS => VirtualFileSystem
2021-07-11 01:25:24 +03:00
KResult VirtualFileSystem::remount(Custody& mount_point, int new_flags)
Kernel+Userland: Support remounting filesystems :^) This makes it possible to change flags of a mount after the fact, with the caveats outlined in the man page.
2020-05-28 21:12:13 +03:00
{
Kernel: Improvements to Custody absolute path serialization - Renamed try_create_absolute_path() => try_serialize_absolute_path() - Use KResultOr and TRY() to propagate errors - Don't call this when it's only for debug logging
2021-09-06 13:24:36 +03:00
dbgln("VirtualFileSystem: Remounting inode {}", mount_point.inode().identifier());
Kernel+Userland: Support remounting filesystems :^) This makes it possible to change flags of a mount after the fact, with the caveats outlined in the man page.
2020-05-28 21:12:13 +03:00
Kernel: Use ProtectedValue for VirtualFileSystem::m_mounts This is what VirtualFileSystem::m_lock was actually guarding, and wrapping it in a ProtectedValue makes it so much more obvious how it all works. :^)
2021-08-16 02:40:19 +03:00
auto* mount = find_mount_for_guest(mount_point.inode().identifier());
Kernel+Userland: Support remounting filesystems :^) This makes it possible to change flags of a mount after the fact, with the caveats outlined in the man page.
2020-05-28 21:12:13 +03:00
if (!mount)
Kernel+LibC: Turn errno codes into a strongly typed enum ..and allow implicit creation of KResult and KResultOr from ErrnoCode. This means that kernel functions that return those types can finally do "return EINVAL;" and it will just work. There's a handful of functions that still deal with signed integers that should be converted to return KResults.
2021-01-21 01:11:17 +03:00
return ENODEV;
Kernel+Userland: Support remounting filesystems :^) This makes it possible to change flags of a mount after the fact, with the caveats outlined in the man page.
2020-05-28 21:12:13 +03:00
mount->set_flags(new_flags);
return KSuccess;
}
Kernel: Rename VFS => VirtualFileSystem
2021-07-11 01:25:24 +03:00
KResult VirtualFileSystem::unmount(Inode& guest_inode)
Kernel: Added unmount ability to VFS It is now possible to unmount file systems from the VFS via `umount`. It works via looking up the `fsid` of the filesystem from the `Inode`'s metatdata so I'm not sure how fragile it is. It seems to work for now though as something to get us going.
2019-08-11 16:56:39 +03:00
{
Kernel: Rename VFS => VirtualFileSystem
2021-07-11 01:25:24 +03:00
dbgln("VirtualFileSystem: unmount called with inode {}", guest_inode.identifier());
Kernel: Do the umount() by the guest's root inode identifier It was previously possible to unmount a filesystem mounted on /mnt by doing e.g "umount /mnt/some/path".
2019-08-17 15:24:50 +03:00
Kernel: Use ProtectedValue for VirtualFileSystem::m_mounts This is what VirtualFileSystem::m_lock was actually guarding, and wrapping it in a ProtectedValue makes it so much more obvious how it all works. :^)
2021-08-16 02:40:19 +03:00
return m_mounts.with_exclusive([&](auto& mounts) -> KResult {
for (size_t i = 0; i < mounts.size(); ++i) {
auto& mount = mounts[i];
if (&mount.guest() != &guest_inode)
continue;
Kernel: Use TRY() even more in VirtualFileSystem Allowing TRY() with KResult unlocked a whole lot more opportunities.
2021-09-05 15:55:25 +03:00
TRY(mount.guest_fs().prepare_to_unmount());
Kernel: Use ProtectedValue for VirtualFileSystem::m_mounts This is what VirtualFileSystem::m_lock was actually guarding, and wrapping it in a ProtectedValue makes it so much more obvious how it all works. :^)
2021-08-16 02:40:19 +03:00
dbgln("VirtualFileSystem: Unmounting file system {}...", mount.guest_fs().fsid());
mounts.unstable_take(i);
Kernel: Added unmount ability to VFS It is now possible to unmount file systems from the VFS via `umount`. It works via looking up the `fsid` of the filesystem from the `Inode`'s metatdata so I'm not sure how fragile it is. It seems to work for now though as something to get us going.
2019-08-11 16:56:39 +03:00
return KSuccess;
}
Kernel: Use ProtectedValue for VirtualFileSystem::m_mounts This is what VirtualFileSystem::m_lock was actually guarding, and wrapping it in a ProtectedValue makes it so much more obvious how it all works. :^)
2021-08-16 02:40:19 +03:00
dbgln("VirtualFileSystem: Nothing mounted on inode {}", guest_inode.identifier());
return ENODEV;
});
Kernel: Added unmount ability to VFS It is now possible to unmount file systems from the VFS via `umount`. It works via looking up the `fsid` of the filesystem from the `Inode`'s metatdata so I'm not sure how fragile it is. It seems to work for now though as something to get us going.
2019-08-11 16:56:39 +03:00
}
Kernel: Tidy up VirtualFileSystem::mount_root() a little bit - Return KResult instead of bool - Use TRY()
2021-09-05 15:46:44 +03:00
KResult VirtualFileSystem::mount_root(FileSystem& fs)
Import all this stuff into a single repo called Serenity.
2018-10-10 12:53:07 +03:00
{
Get rid of Vnode concept. We already have an abstraction between Process and Inode/CharacterDevice/FIFO and it's called FileDescriptor. :^)
2019-01-16 14:57:07 +03:00
if (m_root_inode) {
Kernel: Rename VFS => VirtualFileSystem
2021-07-11 01:25:24 +03:00
dmesgln("VirtualFileSystem: mount_root can't mount another root");
Kernel: Tidy up VirtualFileSystem::mount_root() a little bit - Return KResult instead of bool - Use TRY()
2021-09-05 15:46:44 +03:00
return EEXIST;
Import all this stuff into a single repo called Serenity.
2018-10-10 12:53:07 +03:00
}
Kernel: Rename FS => FileSystem This matches our common naming style better.
2021-07-11 01:20:38 +03:00
Mount mount { fs, nullptr, root_mount_flags };
Import all this stuff into a single repo called Serenity.
2018-10-10 12:53:07 +03:00
Kernel: Make FileSystem::root_inode() return a plain Inode& All file system classes are expected to keep their root Inode object in memory, so this function can safely return an Inode&.
2021-07-18 02:50:47 +03:00
auto& root_inode = fs.root_inode();
if (!root_inode.is_directory()) {
dmesgln("VirtualFileSystem: root inode ({}) for / is not a directory :(", root_inode.identifier());
Kernel: Tidy up VirtualFileSystem::mount_root() a little bit - Return KResult instead of bool - Use TRY()
2021-09-05 15:46:44 +03:00
return ENOTDIR;
Import all this stuff into a single repo called Serenity.
2018-10-10 12:53:07 +03:00
}
Kernel: Make FileSystem::root_inode() return a plain Inode& All file system classes are expected to keep their root Inode object in memory, so this function can safely return an Inode&.
2021-07-18 02:50:47 +03:00
m_root_inode = root_inode;
Kernel: Rename FileBackedFS => FileBackedFileSystem
2021-07-11 01:33:27 +03:00
dmesgln("VirtualFileSystem: mounted root from {} ({})", fs.class_name(), static_cast<FileBackedFileSystem&>(fs).file_description().absolute_path());
Import all this stuff into a single repo called Serenity.
2018-10-10 12:53:07 +03:00
Kernel: Use ProtectedValue for VirtualFileSystem::m_mounts This is what VirtualFileSystem::m_lock was actually guarding, and wrapping it in a ProtectedValue makes it so much more obvious how it all works. :^)
2021-08-16 02:40:19 +03:00
m_mounts.with_exclusive([&](auto& mounts) {
mounts.append(move(mount));
});
Kernel: Plumb OOM propagation through Custody factory Modify the Custody::create(..) API so it has the ability to propagate OOM back to the caller.
2021-05-10 10:28:23 +03:00
Kernel: Tidy up VirtualFileSystem::mount_root() a little bit - Return KResult instead of bool - Use TRY()
2021-09-05 15:46:44 +03:00
m_root_custody = TRY(Custody::try_create(nullptr, "", *m_root_inode, root_mount_flags));
return KSuccess;
Import all this stuff into a single repo called Serenity.
2018-10-10 12:53:07 +03:00
}
Kernel: Rename VFS => VirtualFileSystem
2021-07-11 01:25:24 +03:00
auto VirtualFileSystem::find_mount_for_host(InodeIdentifier id) -> Mount*
Import all this stuff into a single repo called Serenity.
2018-10-10 12:53:07 +03:00
{
Kernel: Use ProtectedValue for VirtualFileSystem::m_mounts This is what VirtualFileSystem::m_lock was actually guarding, and wrapping it in a ProtectedValue makes it so much more obvious how it all works. :^)
2021-08-16 02:40:19 +03:00
return m_mounts.with_exclusive([&](auto& mounts) -> Mount* {
for (auto& mount : mounts) {
if (mount.host() && mount.host()->identifier() == id)
return &mount;
}
return nullptr;
});
Kernel: Port mounts to reference inodes directly ...instead of going through their identifiers. See the previous commit for reasoning.
2020-06-25 00:16:24 +03:00
}
Kernel: Rename VFS => VirtualFileSystem
2021-07-11 01:25:24 +03:00
auto VirtualFileSystem::find_mount_for_guest(InodeIdentifier id) -> Mount*
Kernel: Port mounts to reference inodes directly ...instead of going through their identifiers. See the previous commit for reasoning.
2020-06-25 00:16:24 +03:00
{
Kernel: Use ProtectedValue for VirtualFileSystem::m_mounts This is what VirtualFileSystem::m_lock was actually guarding, and wrapping it in a ProtectedValue makes it so much more obvious how it all works. :^)
2021-08-16 02:40:19 +03:00
return m_mounts.with_exclusive([&](auto& mounts) -> Mount* {
for (auto& mount : mounts) {
if (mount.guest().identifier() == id)
return &mount;
}
return nullptr;
});
Import all this stuff into a single repo called Serenity.
2018-10-10 12:53:07 +03:00
}
Kernel: Rename VFS => VirtualFileSystem
2021-07-11 01:25:24 +03:00
bool VirtualFileSystem::is_vfs_root(InodeIdentifier inode) const
Import all this stuff into a single repo called Serenity.
2018-10-10 12:53:07 +03:00
{
Get rid of Vnode concept. We already have an abstraction between Process and Inode/CharacterDevice/FIFO and it's called FileDescriptor. :^)
2019-01-16 14:57:07 +03:00
return inode == root_inode_id();
Import all this stuff into a single repo called Serenity.
2018-10-10 12:53:07 +03:00
}
Kernel: Rename VFS => VirtualFileSystem
2021-07-11 01:25:24 +03:00
KResult VirtualFileSystem::traverse_directory_inode(Inode& dir_inode, Function<bool(FileSystem::DirectoryEntryView const&)> callback)
Import all this stuff into a single repo called Serenity.
2018-10-10 12:53:07 +03:00
{
Kernel: Add DirectoryEntryView for VFS directory traversal Unlike DirectoryEntry (which is used when constructing directories), DirectoryEntryView does not manage storage for file names. Names are just StringViews. This is much more suited to the directory traversal API and makes it easier to implement this in file system classes since they no longer need to create temporary name copies while traversing.
2020-08-18 13:41:27 +03:00
return dir_inode.traverse_as_directory([&](auto& entry) {
Big, possibly complete sweep of naming changes.
2019-01-31 19:31:23 +03:00
InodeIdentifier resolved_inode;
A pass of style/naming cleanup in VFS.
2018-11-15 17:10:12 +03:00
if (auto mount = find_mount_for_host(entry.inode))
Kernel: Port mounts to reference inodes directly ...instead of going through their identifiers. See the previous commit for reasoning.
2020-06-25 00:16:24 +03:00
resolved_inode = mount->guest().identifier();
Import all this stuff into a single repo called Serenity.
2018-10-10 12:53:07 +03:00
else
Big, possibly complete sweep of naming changes.
2019-01-31 19:31:23 +03:00
resolved_inode = entry.inode;
Import all this stuff into a single repo called Serenity.
2018-10-10 12:53:07 +03:00
Kernel: Misc tweaks
2020-01-15 14:06:48 +03:00
// FIXME: This is now broken considering chroot and bind mounts.
Kernel: Make FileSystem::root_inode() return a plain Inode& All file system classes are expected to keep their root Inode object in memory, so this function can safely return an Inode&.
2021-07-18 02:50:47 +03:00
bool is_root_inode = dir_inode.identifier() == dir_inode.fs().root_inode().identifier();
Kernel: Add DirectoryEntryView for VFS directory traversal Unlike DirectoryEntry (which is used when constructing directories), DirectoryEntryView does not manage storage for file names. Names are just StringViews. This is much more suited to the directory traversal API and makes it easier to implement this in file system classes since they no longer need to create temporary name copies while traversing.
2020-08-18 13:41:27 +03:00
if (is_root_inode && !is_vfs_root(dir_inode.identifier()) && entry.name == "..") {
Kernel: Only allow looking up Mounts by InodeIdentifier Let's simplify the interface by not allowing lookup by Inode&.
2021-07-11 01:50:08 +03:00
auto mount = find_mount_for_guest(dir_inode.identifier());
Everywhere: Rename ASSERT => VERIFY (...and ASSERT_NOT_REACHED => VERIFY_NOT_REACHED) Since all of these checks are done in release builds as well, let's rename them to VERIFY to prevent confusion, as everyone is used to assertions being compiled out in release. We can introduce a new ASSERT macro that is specifically for debug checks, but I'm doing this wholesale conversion first since we've accumulated thousands of these already, and it's not immediately obvious which ones are suitable for ASSERT.
2021-02-23 22:42:32 +03:00
VERIFY(mount);
VERIFY(mount->host());
Kernel: Port mounts to reference inodes directly ...instead of going through their identifiers. See the previous commit for reasoning.
2020-06-25 00:16:24 +03:00
resolved_inode = mount->host()->identifier();
Import all this stuff into a single repo called Serenity.
2018-10-10 12:53:07 +03:00
}
Kernel: Add DirectoryEntryView for VFS directory traversal Unlike DirectoryEntry (which is used when constructing directories), DirectoryEntryView does not manage storage for file names. Names are just StringViews. This is much more suited to the directory traversal API and makes it easier to implement this in file system classes since they no longer need to create temporary name copies while traversing.
2020-08-18 13:41:27 +03:00
callback({ entry.name, resolved_inode, entry.file_type });
Import all this stuff into a single repo called Serenity.
2018-10-10 12:53:07 +03:00
return true;
});
}
Kernel: Rename VFS => VirtualFileSystem
2021-07-11 01:25:24 +03:00
KResult VirtualFileSystem::utime(StringView path, Custody& base, time_t atime, time_t mtime)
Kernel: Add file permission checks to utime() syscall.
2019-02-21 18:37:41 +03:00
{
Kernel: Use TRY() in VirtualFileSystem
2021-09-05 15:00:18 +03:00
auto custody = TRY(resolve_path(path, base));
auto& inode = custody->inode();
Kernel: Make Process::current() return a Process& instead of Process* This has several benefits: 1) We no longer just blindly derefence a null pointer in various places 2) We will get nicer runtime error messages if the current process does turn out to be null in the call location 3) GCC no longer complains about possible nullptr dereferences when compiling without KUBSAN
2021-08-19 22:45:07 +03:00
auto& current_process = Process::current();
if (!current_process.is_superuser() && inode.metadata().uid != current_process.euid())
Kernel+LibC: Turn errno codes into a strongly typed enum ..and allow implicit creation of KResult and KResultOr from ErrnoCode. This means that kernel functions that return those types can finally do "return EINVAL;" and it will just work. There's a handful of functions that still deal with signed integers that should be converted to return KResults.
2021-01-21 01:11:17 +03:00
return EACCES;
Kernel: Use TRY() in VirtualFileSystem
2021-09-05 15:00:18 +03:00
if (custody->is_readonly())
Kernel+LibC: Turn errno codes into a strongly typed enum ..and allow implicit creation of KResult and KResultOr from ErrnoCode. This means that kernel functions that return those types can finally do "return EINVAL;" and it will just work. There's a handful of functions that still deal with signed integers that should be converted to return KResults.
2021-01-21 01:11:17 +03:00
return EROFS;
Kernel: Port more code to KResult and KResultOr<T>.
2019-03-07 00:14:31 +03:00
Kernel: Use TRY() even more in VirtualFileSystem Allowing TRY() with KResult unlocked a whole lot more opportunities.
2021-09-05 15:55:25 +03:00
TRY(inode.set_atime(atime));
TRY(inode.set_mtime(mtime));
Kernel: Add KResult and KResultOr<T> classes. The idea here is to combine a potential syscall error code with an arbitrary type in the case of success. I feel like this will end up much less error prone than returning some arbitrary type that kinda sorta has bool semantics (but sometimes not really) and passing the error through an out-param. This patch only converts a few syscalls to using it. More to come.
2019-02-25 22:47:56 +03:00
return KSuccess;
Kernel: Add file permission checks to utime() syscall.
2019-02-21 18:37:41 +03:00
}
Kernel: Rename VFS => VirtualFileSystem
2021-07-11 01:25:24 +03:00
KResultOr<InodeMetadata> VirtualFileSystem::lookup_metadata(StringView path, Custody& base, int options)
Kernel: Separate VFS stat() from open(). It was very confusing that you had to open a FileDescriptor in order to stat a file. This patch gives VFS a separate stat() function and uses it to implement the stat() and lstat() syscalls.
2019-02-21 18:09:12 +03:00
{
Kernel: Use TRY() in VirtualFileSystem
2021-09-05 15:00:18 +03:00
auto custody = TRY(resolve_path(path, base, nullptr, options));
return custody->inode().metadata();
Kernel: Separate VFS stat() from open(). It was very confusing that you had to open a FileDescriptor in order to stat a file. This patch gives VFS a separate stat() function and uses it to implement the stat() and lstat() syscalls.
2019-02-21 18:09:12 +03:00
}
Kernel: Rename FileDescription => OpenFileDescription Dr. POSIX really calls these "open file description", not just "file description", so let's call them exactly that. :^)
2021-09-07 14:39:11 +03:00
KResultOr<NonnullRefPtr<OpenFileDescription>> VirtualFileSystem::open(StringView path, int options, mode_t mode, Custody& base, Optional<UidAndGid> owner)
Import all this stuff into a single repo called Serenity.
2018-10-10 12:53:07 +03:00
{
Kernel: Don't allow open() with (O_CREAT | O_DIRECTORY)
2020-01-03 04:23:50 +03:00
if ((options & O_CREAT) && (options & O_DIRECTORY))
Kernel+LibC: Turn errno codes into a strongly typed enum ..and allow implicit creation of KResult and KResultOr from ErrnoCode. This means that kernel functions that return those types can finally do "return EINVAL;" and it will just work. There's a handful of functions that still deal with signed integers that should be converted to return KResults.
2021-01-21 01:11:17 +03:00
return EINVAL;
Kernel: Don't allow open() with (O_CREAT | O_DIRECTORY)
2020-01-03 04:23:50 +03:00
AK: Rename RetainPtr => RefPtr and Retained => NonnullRefPtr.
2019-06-21 19:37:47 +03:00
RefPtr<Custody> parent_custody;
FileSystem: Don't perform path resolution twice for open() with O_CREAT.
2019-06-09 20:52:03 +03:00
auto custody_or_error = resolve_path(path, base, &parent_custody, options);
Kernel: Ignore null parent custody without error in VFS::open This modifies the error checks in VFS::open after the call to resolve_path to ignore a null parent custody if there is no error, as this is expected when the path to resolve points to "/". Rather, a null parent custody only constitutes an error if it is accompanied by ENOENT. This behavior is documented in the VFS::resolve_path_without_veil method. To accompany this change, the order of the error checks have been changed to more naturally fit the new logic.
2021-05-19 12:33:23 +03:00
if (custody_or_error.is_error()) {
// NOTE: ENOENT with a non-null parent custody signals us that the immediate parent
// of the file exists, but the file itself does not.
Kernel: Stop allowing implicit conversion from KResult to int This patch removes KResult::operator int() and deals with the fallout. This forces a lot of code to be more explicit in its handling of errors, greatly improving readability.
2021-08-14 16:15:11 +03:00
if ((options & O_CREAT) && custody_or_error.error() == ENOENT && parent_custody)
Kernel: Allow passing initial UID and GID when creating new inodes If we're creating something that should have a different owner than the current process's UID/GID, we need to plumb that all the way through VFS down to the FS functions.
2020-01-03 22:13:21 +03:00
return create(path, options, mode, *parent_custody, move(owner));
FileSystem: Port most of the code over to using custodies. The current working directory is now stored as a custody. Likewise for a process executable file. This unbreaks /proc/PID/fd which has not been working since we made the filesystem bigger. This still needs a bunch of work, for instance when renaming or removing a file somewhere, we have to update the relevant custody links.
2019-05-30 19:58:59 +03:00
return custody_or_error.error();
Kernel: Ignore null parent custody without error in VFS::open This modifies the error checks in VFS::open after the call to resolve_path to ignore a null parent custody if there is no error, as this is expected when the path to resolve points to "/". Rather, a null parent custody only constitutes an error if it is accompanied by ENOENT. This behavior is documented in the VFS::resolve_path_without_veil method. To accompany this change, the order of the error checks have been changed to more naturally fit the new logic.
2021-05-19 12:33:23 +03:00
}
if ((options & O_CREAT) && (options & O_EXCL))
return EEXIST;
Kernel: Separate VFS stat() from open(). It was very confusing that you had to open a FileDescriptor in order to stat a file. This patch gives VFS a separate stat() function and uses it to implement the stat() and lstat() syscalls.
2019-02-21 18:09:12 +03:00
FileSystem: Port most of the code over to using custodies. The current working directory is now stored as a custody. Likewise for a process executable file. This unbreaks /proc/PID/fd which has not been working since we made the filesystem bigger. This still needs a bunch of work, for instance when renaming or removing a file somewhere, we have to update the relevant custody links.
2019-05-30 19:58:59 +03:00
auto& custody = *custody_or_error.value();
auto& inode = custody.inode();
auto metadata = inode.metadata();
Kernel: Add Inode::truncate(size). - Use this to implement the O_TRUNC open flag. - Fix creat() to pass O_CREAT | O_TRUNC | O_WRONLY. - Make sure we truncate wherever appropriate.
2019-03-27 18:42:30 +03:00
Kernel: Handle O_DIRECTORY in VFS::open() instead of in each syscall Just taking care of some FIXMEs.
2020-01-03 04:23:11 +03:00
if ((options & O_DIRECTORY) && !metadata.is_directory())
Kernel+LibC: Turn errno codes into a strongly typed enum ..and allow implicit creation of KResult and KResultOr from ErrnoCode. This means that kernel functions that return those types can finally do "return EINVAL;" and it will just work. There's a handful of functions that still deal with signed integers that should be converted to return KResults.
2021-01-21 01:11:17 +03:00
return ENOTDIR;
Kernel: Handle O_DIRECTORY in VFS::open() instead of in each syscall Just taking care of some FIXMEs.
2020-01-03 04:23:11 +03:00
Kernel: Add Inode::truncate(size). - Use this to implement the O_TRUNC open flag. - Fix creat() to pass O_CREAT | O_TRUNC | O_WRONLY. - Make sure we truncate wherever appropriate.
2019-03-27 18:42:30 +03:00
bool should_truncate_file = false;
Kernel: Separate VFS stat() from open(). It was very confusing that you had to open a FileDescriptor in order to stat a file. This patch gives VFS a separate stat() function and uses it to implement the stat() and lstat() syscalls.
2019-02-21 18:09:12 +03:00
Kernel: Make Process::current() return a Process& instead of Process* This has several benefits: 1) We no longer just blindly derefence a null pointer in various places 2) We will get nicer runtime error messages if the current process does turn out to be null in the call location 3) GCC no longer complains about possible nullptr dereferences when compiling without KUBSAN
2021-08-19 22:45:07 +03:00
auto& current_process = Process::current();
if ((options & O_RDONLY) && !metadata.may_read(current_process))
Kernel+LibC: Turn errno codes into a strongly typed enum ..and allow implicit creation of KResult and KResultOr from ErrnoCode. This means that kernel functions that return those types can finally do "return EINVAL;" and it will just work. There's a handful of functions that still deal with signed integers that should be converted to return KResults.
2021-01-21 01:11:17 +03:00
return EACCES;
Kernel: Make O_RDONLY non-zero Sergey suggested that having a non-zero O_RDONLY would make some things less confusing, and it seems like he's right about that. We can now easily check read/write permissions separately instead of dancing around with the bits. This patch also fixes unveil() validation for O_RDWR which previously forgot to check for "r" permission.
2020-01-21 15:14:26 +03:00
if (options & O_WRONLY) {
Kernel: Make Process::current() return a Process& instead of Process* This has several benefits: 1) We no longer just blindly derefence a null pointer in various places 2) We will get nicer runtime error messages if the current process does turn out to be null in the call location 3) GCC no longer complains about possible nullptr dereferences when compiling without KUBSAN
2021-08-19 22:45:07 +03:00
if (!metadata.may_write(current_process))
Kernel+LibC: Turn errno codes into a strongly typed enum ..and allow implicit creation of KResult and KResultOr from ErrnoCode. This means that kernel functions that return those types can finally do "return EINVAL;" and it will just work. There's a handful of functions that still deal with signed integers that should be converted to return KResults.
2021-01-21 01:11:17 +03:00
return EACCES;
Kernel: Port more code to KResult and KResultOr<T>.
2019-03-07 00:14:31 +03:00
if (metadata.is_directory())
Kernel+LibC: Turn errno codes into a strongly typed enum ..and allow implicit creation of KResult and KResultOr from ErrnoCode. This means that kernel functions that return those types can finally do "return EINVAL;" and it will just work. There's a handful of functions that still deal with signed integers that should be converted to return KResults.
2021-01-21 01:11:17 +03:00
return EISDIR;
Kernel: Add Inode::truncate(size). - Use this to implement the O_TRUNC open flag. - Fix creat() to pass O_CREAT | O_TRUNC | O_WRONLY. - Make sure we truncate wherever appropriate.
2019-03-27 18:42:30 +03:00
should_truncate_file = options & O_TRUNC;
Kernel: Start adding various file system permission checks. Fail with EACCES in various situations. Fix userland bugs that were exposed.
2019-02-21 17:45:31 +03:00
}
Kernel+LibC: Add O_EXEC, move exec permission checking to VFS::open() O_EXEC is mentioned by POSIX, so let's have it. Currently, it is only used inside the kernel to ensure the process has the right permissions when opening an executable.
2020-01-11 18:33:35 +03:00
if (options & O_EXEC) {
Kernel: Make Process::current() return a Process& instead of Process* This has several benefits: 1) We no longer just blindly derefence a null pointer in various places 2) We will get nicer runtime error messages if the current process does turn out to be null in the call location 3) GCC no longer complains about possible nullptr dereferences when compiling without KUBSAN
2021-08-19 22:45:07 +03:00
if (!metadata.may_execute(current_process) || (custody.mount_flags() & MS_NOEXEC))
Kernel+LibC: Turn errno codes into a strongly typed enum ..and allow implicit creation of KResult and KResultOr from ErrnoCode. This means that kernel functions that return those types can finally do "return EINVAL;" and it will just work. There's a handful of functions that still deal with signed integers that should be converted to return KResults.
2021-01-21 01:11:17 +03:00
return EACCES;
Kernel+LibC: Add O_EXEC, move exec permission checking to VFS::open() O_EXEC is mentioned by POSIX, so let's have it. Currently, it is only used inside the kernel to ensure the process has the right permissions when opening an executable.
2020-01-11 18:33:35 +03:00
}
Kernel: Separate VFS stat() from open(). It was very confusing that you had to open a FileDescriptor in order to stat a file. This patch gives VFS a separate stat() function and uses it to implement the stat() and lstat() syscalls.
2019-02-21 18:09:12 +03:00
Kernel: Let inodes provide pre-open file descriptions Some magical inodes, such as /proc/pid/fd/fileno, are going to want to open() to a custom FileDescription, so add a hook for that.
2020-01-15 14:03:14 +03:00
if (auto preopen_fd = inode.preopen_fd())
return *preopen_fd;
Kernel: Implement FIFOs/named pipes
2020-07-17 00:23:03 +03:00
if (metadata.is_fifo()) {
Kernel: Use KResultOr and TRY() for FIFO
2021-09-07 14:56:10 +03:00
auto fifo = TRY(inode.fifo());
Kernel: Implement FIFOs/named pipes
2020-07-17 00:23:03 +03:00
if (options & O_WRONLY) {
Kernel: Use TRY() even more in VirtualFileSystem Allowing TRY() with KResult unlocked a whole lot more opportunities.
2021-09-05 15:55:25 +03:00
auto description = TRY(fifo->open_direction_blocking(FIFO::Direction::Writer));
Kernel: Implement FIFOs/named pipes
2020-07-17 00:23:03 +03:00
description->set_rw_mode(options);
description->set_file_flags(options);
description->set_original_inode({}, inode);
return description;
} else if (options & O_RDONLY) {
Kernel: Use TRY() even more in VirtualFileSystem Allowing TRY() with KResult unlocked a whole lot more opportunities.
2021-09-05 15:55:25 +03:00
auto description = TRY(fifo->open_direction_blocking(FIFO::Direction::Reader));
Kernel: Implement FIFOs/named pipes
2020-07-17 00:23:03 +03:00
description->set_rw_mode(options);
description->set_file_flags(options);
description->set_original_inode({}, inode);
return description;
}
Kernel+LibC: Turn errno codes into a strongly typed enum ..and allow implicit creation of KResult and KResultOr from ErrnoCode. This means that kernel functions that return those types can finally do "return EINVAL;" and it will just work. There's a handful of functions that still deal with signed integers that should be converted to return KResults.
2021-01-21 01:11:17 +03:00
return EINVAL;
Kernel: Implement FIFOs/named pipes
2020-07-17 00:23:03 +03:00
}
Kernel: Separate VFS stat() from open(). It was very confusing that you had to open a FileDescriptor in order to stat a file. This patch gives VFS a separate stat() function and uses it to implement the stat() and lstat() syscalls.
2019-02-21 18:09:12 +03:00
if (metadata.is_device()) {
Kernel+LibC: Implement a few mount flags We now support these mount flags: * MS_NODEV: disallow opening any devices from this file system * MS_NOEXEC: disallow executing any executables from this file system * MS_NOSUID: ignore set-user-id bits on executables from this file system The fourth flag, MS_BIND, is defined, but currently ignored.
2020-01-11 18:45:38 +03:00
if (custody.mount_flags() & MS_NODEV)
Kernel+LibC: Turn errno codes into a strongly typed enum ..and allow implicit creation of KResult and KResultOr from ErrnoCode. This means that kernel functions that return those types can finally do "return EINVAL;" and it will just work. There's a handful of functions that still deal with signed integers that should be converted to return KResults.
2021-01-21 01:11:17 +03:00
return EACCES;
Kernel: Move device lookup to Device class itself Previously, VFS stored a list of all devices, and devices had to register and unregister themselves with it. This cleans up things a bit.
2019-08-18 14:48:15 +03:00
auto device = Device::get_device(metadata.major_device, metadata.minor_device);
if (device == nullptr) {
Kernel+LibC: Turn errno codes into a strongly typed enum ..and allow implicit creation of KResult and KResultOr from ErrnoCode. This means that kernel functions that return those types can finally do "return EINVAL;" and it will just work. There's a handful of functions that still deal with signed integers that should be converted to return KResults.
2021-01-21 01:11:17 +03:00
return ENODEV;
Get rid of Vnode concept. We already have an abstraction between Process and Inode/CharacterDevice/FIFO and it's called FileDescriptor. :^)
2019-01-16 14:57:07 +03:00
}
Kernel: Use TRY() in VirtualFileSystem
2021-09-05 15:00:18 +03:00
auto description = TRY(device->open(options));
description->set_original_inode({}, inode);
Kernel+SystemServer: Defer creation of device nodes to userspace Don't create these device nodes in the Kernel, so we essentially enforce userspace (SystemServer) to take control of this operation and to decide how to create these device nodes. This makes the DevFS to resemble linux devtmpfs, and allows us to remove a bunch of unneeded overriding implementations of device name creation in the Kernel.
2021-08-14 05:04:56 +03:00
description->set_original_custody({}, custody);
Kernel: Use TRY() in VirtualFileSystem
2021-09-05 15:00:18 +03:00
return description;
Get rid of Vnode concept. We already have an abstraction between Process and Inode/CharacterDevice/FIFO and it's called FileDescriptor. :^)
2019-01-16 14:57:07 +03:00
}
Kernel: Support read-only filesystem mounts This adds support for MS_RDONLY, a mount flag that tells the kernel to disallow any attempts to write to the newly mounted filesystem. As this flag is per-mount, and different mounts of the same filesystems (such as in case of bind mounts) can have different mutability settings, you have to go though a custody to find out if the filesystem is mounted read-only, instead of just asking the filesystem itself whether it's inherently read-only. This also adds a lot of checks we were previously missing; and moves some of them to happen after more specific checks (such as regular permission checks). One outstanding hole in this system is sys$mprotect(PROT_WRITE), as there's no way we can know if the original file description this region has been mounted from had been opened through a readonly mount point. Currently, we always allow such sys$mprotect() calls to succeed, which effectively allows anyone to circumvent the effect of MS_RDONLY. We should solve this one way or another.
2020-05-28 17:56:25 +03:00
// Check for read-only FS. Do this after handling preopen FD and devices,
// but before modifying the inode in any way.
if ((options & O_WRONLY) && custody.is_readonly())
Kernel+LibC: Turn errno codes into a strongly typed enum ..and allow implicit creation of KResult and KResultOr from ErrnoCode. This means that kernel functions that return those types can finally do "return EINVAL;" and it will just work. There's a handful of functions that still deal with signed integers that should be converted to return KResults.
2021-01-21 01:11:17 +03:00
return EROFS;
Kernel: Support read-only filesystem mounts This adds support for MS_RDONLY, a mount flag that tells the kernel to disallow any attempts to write to the newly mounted filesystem. As this flag is per-mount, and different mounts of the same filesystems (such as in case of bind mounts) can have different mutability settings, you have to go though a custody to find out if the filesystem is mounted read-only, instead of just asking the filesystem itself whether it's inherently read-only. This also adds a lot of checks we were previously missing; and moves some of them to happen after more specific checks (such as regular permission checks). One outstanding hole in this system is sys$mprotect(PROT_WRITE), as there's no way we can know if the original file description this region has been mounted from had been opened through a readonly mount point. Currently, we always allow such sys$mprotect() calls to succeed, which effectively allows anyone to circumvent the effect of MS_RDONLY. We should solve this one way or another.
2020-05-28 17:56:25 +03:00
Kernel: Opening a file with O_TRUNC should update mtime
2020-01-08 15:57:22 +03:00
if (should_truncate_file) {
Kernel: Use TRY() even more in VirtualFileSystem Allowing TRY() with KResult unlocked a whole lot more opportunities.
2021-09-05 15:55:25 +03:00
TRY(inode.truncate(0));
TRY(inode.set_mtime(kgettimeofday().to_truncated_seconds()));
Kernel: Improve ProcFS behavior in low memory conditions When ProcFS could no longer allocate KBuffer objects to serve calls to read, it would just return 0, indicating EOF. This then triggered parsing errors because code assumed it read the file. Because read isn't supposed to return ENOMEM, change ProcFS to populate the file data upon file open or seek to the beginning. This also means that calls to open can now return ENOMEM if needed. This allows the caller to either be able to successfully open the file and read it, or fail to open it in the first place.
2020-09-17 22:51:09 +03:00
}
Kernel: Rename FileDescription => OpenFileDescription Dr. POSIX really calls these "open file description", not just "file description", so let's call them exactly that. :^)
2021-09-07 14:39:11 +03:00
auto description = TRY(OpenFileDescription::try_create(custody));
Kernel: Use TRY() even more in VirtualFileSystem Allowing TRY() with KResult unlocked a whole lot more opportunities.
2021-09-05 15:55:25 +03:00
description->set_rw_mode(options);
description->set_file_flags(options);
Kernel: Move setting file flags and r/w mode to VFS::open() Previously, VFS::open() would only use the passed flags for permission checking purposes, and Process::sys$open() would set them on the created FileDescription explicitly. Now, they should be set by VFS::open() on any files being opened, including files that the kernel opens internally. This also lets us get rid of the explicit check for whether or not the returned FileDescription was a preopen fd, and in fact, fixes a bug where a read-only preopen fd without any other flags would be considered freshly opened (due to O_RDONLY being indistinguishable from 0) and granted a new set of flags.
2020-01-19 01:15:52 +03:00
return description;
Import all this stuff into a single repo called Serenity.
2018-10-10 12:53:07 +03:00
}
Kernel: Rename VFS => VirtualFileSystem
2021-07-11 01:25:24 +03:00
KResult VirtualFileSystem::mknod(StringView path, mode_t mode, dev_t dev, Custody& base)
Kernel+Userland: Implement mknod() syscall and add a /bin/mknod program.
2019-05-03 23:59:58 +03:00
{
if (!is_regular_file(mode) && !is_block_device(mode) && !is_character_device(mode) && !is_fifo(mode) && !is_socket(mode))
Kernel+LibC: Turn errno codes into a strongly typed enum ..and allow implicit creation of KResult and KResultOr from ErrnoCode. This means that kernel functions that return those types can finally do "return EINVAL;" and it will just work. There's a handful of functions that still deal with signed integers that should be converted to return KResults.
2021-01-21 01:11:17 +03:00
return EINVAL;
Kernel+Userland: Implement mknod() syscall and add a /bin/mknod program.
2019-05-03 23:59:58 +03:00
AK: Rename RetainPtr => RefPtr and Retained => NonnullRefPtr.
2019-06-21 19:37:47 +03:00
RefPtr<Custody> parent_custody;
FileSystem: Rename VFS::resolve_path_to_custody() => resolve_path().
2019-05-31 16:30:09 +03:00
auto existing_file_or_error = resolve_path(path, base, &parent_custody);
Kernel+Userland: Implement mknod() syscall and add a /bin/mknod program.
2019-05-03 23:59:58 +03:00
if (!existing_file_or_error.is_error())
Kernel+LibC: Turn errno codes into a strongly typed enum ..and allow implicit creation of KResult and KResultOr from ErrnoCode. This means that kernel functions that return those types can finally do "return EINVAL;" and it will just work. There's a handful of functions that still deal with signed integers that should be converted to return KResults.
2021-01-21 01:11:17 +03:00
return EEXIST;
FileSystem: Port most of the code over to using custodies. The current working directory is now stored as a custody. Likewise for a process executable file. This unbreaks /proc/PID/fd which has not been working since we made the filesystem bigger. This still needs a bunch of work, for instance when renaming or removing a file somewhere, we have to update the relevant custody links.
2019-05-30 19:58:59 +03:00
if (!parent_custody)
Kernel+LibC: Turn errno codes into a strongly typed enum ..and allow implicit creation of KResult and KResultOr from ErrnoCode. This means that kernel functions that return those types can finally do "return EINVAL;" and it will just work. There's a handful of functions that still deal with signed integers that should be converted to return KResults.
2021-01-21 01:11:17 +03:00
return ENOENT;
Kernel: Stop allowing implicit conversion from KResult to int This patch removes KResult::operator int() and deals with the fallout. This forces a lot of code to be more explicit in its handling of errors, greatly improving readability.
2021-08-14 16:15:11 +03:00
if (existing_file_or_error.error() != ENOENT)
Kernel+Userland: Implement mknod() syscall and add a /bin/mknod program.
2019-05-03 23:59:58 +03:00
return existing_file_or_error.error();
FileSystem: Port most of the code over to using custodies. The current working directory is now stored as a custody. Likewise for a process executable file. This unbreaks /proc/PID/fd which has not been working since we made the filesystem bigger. This still needs a bunch of work, for instance when renaming or removing a file somewhere, we have to update the relevant custody links.
2019-05-30 19:58:59 +03:00
auto& parent_inode = parent_custody->inode();
Kernel: Make Process::current() return a Process& instead of Process* This has several benefits: 1) We no longer just blindly derefence a null pointer in various places 2) We will get nicer runtime error messages if the current process does turn out to be null in the call location 3) GCC no longer complains about possible nullptr dereferences when compiling without KUBSAN
2021-08-19 22:45:07 +03:00
auto& current_process = Process::current();
if (!parent_inode.metadata().may_write(current_process))
Kernel+LibC: Turn errno codes into a strongly typed enum ..and allow implicit creation of KResult and KResultOr from ErrnoCode. This means that kernel functions that return those types can finally do "return EINVAL;" and it will just work. There's a handful of functions that still deal with signed integers that should be converted to return KResults.
2021-01-21 01:11:17 +03:00
return EACCES;
Kernel: Support read-only filesystem mounts This adds support for MS_RDONLY, a mount flag that tells the kernel to disallow any attempts to write to the newly mounted filesystem. As this flag is per-mount, and different mounts of the same filesystems (such as in case of bind mounts) can have different mutability settings, you have to go though a custody to find out if the filesystem is mounted read-only, instead of just asking the filesystem itself whether it's inherently read-only. This also adds a lot of checks we were previously missing; and moves some of them to happen after more specific checks (such as regular permission checks). One outstanding hole in this system is sys$mprotect(PROT_WRITE), as there's no way we can know if the original file description this region has been mounted from had been opened through a readonly mount point. Currently, we always allow such sys$mprotect() calls to succeed, which effectively allows anyone to circumvent the effect of MS_RDONLY. We should solve this one way or another.
2020-05-28 17:56:25 +03:00
if (parent_custody->is_readonly())
Kernel+LibC: Turn errno codes into a strongly typed enum ..and allow implicit creation of KResult and KResultOr from ErrnoCode. This means that kernel functions that return those types can finally do "return EINVAL;" and it will just work. There's a handful of functions that still deal with signed integers that should be converted to return KResults.
2021-01-21 01:11:17 +03:00
return EROFS;
Kernel+Userland: Implement mknod() syscall and add a /bin/mknod program.
2019-05-03 23:59:58 +03:00
Kernel: Replace usage of LexicalPath with KLexicalPath This replaces all uses of LexicalPath in the Kernel with the functions from KLexicalPath. This also allows the Kernel to stop including AK::LexicalPath.
2021-07-06 12:21:52 +03:00
auto basename = KLexicalPath::basename(path);
Kernel/VFS: Silence mknod debug spam Since we populate the DevFS now in userspace, this creates a bunch of unnecessary noise in the kernel log.
2021-08-14 07:11:30 +03:00
dbgln_if(VFS_DEBUG, "VirtualFileSystem::mknod: '{}' mode={} dev={} in {}", basename, mode, dev, parent_inode.identifier());
Kernel: Make Process::current() return a Process& instead of Process* This has several benefits: 1) We no longer just blindly derefence a null pointer in various places 2) We will get nicer runtime error messages if the current process does turn out to be null in the call location 3) GCC no longer complains about possible nullptr dereferences when compiling without KUBSAN
2021-08-19 22:45:07 +03:00
return parent_inode.create_child(basename, mode, dev, current_process.euid(), current_process.egid()).result();
Kernel+Userland: Implement mknod() syscall and add a /bin/mknod program.
2019-05-03 23:59:58 +03:00
}
Kernel: Rename FileDescription => OpenFileDescription Dr. POSIX really calls these "open file description", not just "file description", so let's call them exactly that. :^)
2021-09-07 14:39:11 +03:00
KResultOr<NonnullRefPtr<OpenFileDescription>> VirtualFileSystem::create(StringView path, int options, mode_t mode, Custody& parent_custody, Optional<UidAndGid> owner)
Import all this stuff into a single repo called Serenity.
2018-10-10 12:53:07 +03:00
{
Kernel: Replace usage of LexicalPath with KLexicalPath This replaces all uses of LexicalPath in the Kernel with the functions from KLexicalPath. This also allows the Kernel to stop including AK::LexicalPath.
2021-07-06 12:21:52 +03:00
auto basename = KLexicalPath::basename(path);
Kernel: Improvements to Custody absolute path serialization - Renamed try_create_absolute_path() => try_serialize_absolute_path() - Use KResultOr and TRY() to propagate errors - Don't call this when it's only for debug logging
2021-09-06 13:24:36 +03:00
auto parent_path = TRY(parent_custody.try_serialize_absolute_path());
Kernel: Make KString factories return KResultOr + use TRY() everywhere There are a number of places that don't have an error propagation path right now, so I've added FIXME's about that.
2021-09-06 20:24:54 +03:00
auto full_path = TRY(KLexicalPath::try_join(parent_path->view(), basename));
Kernel: Use TRY() even more in VirtualFileSystem Allowing TRY() with KResult unlocked a whole lot more opportunities.
2021-09-05 15:55:25 +03:00
TRY(validate_path_against_process_veil(full_path->view(), options));
Kernel: Enforce file system veil on file creation Fixes #1621.
2020-04-04 17:40:36 +03:00
Revert "Kernel: Make VFS::create() fail with EINVAL on invalid file mode" This reverts commit ca3489eec7c1c7910407c4872ed6d70c92ce50cf. Fixes #5087.
2021-01-24 10:31:18 +03:00
if (!is_socket(mode) && !is_fifo(mode) && !is_block_device(mode) && !is_character_device(mode)) {
// Turn it into a regular file. (This feels rather hackish.)
mode |= 0100000;
}
Ext2FS: Implement writing into inodes with arbitrary offset and length. Okay, this is pretty cool. :^) There are some issues and limitations for sure but the basic functionality is there.
2019-01-23 06:29:56 +03:00
FileSystem: Don't perform path resolution twice for open() with O_CREAT.
2019-06-09 20:52:03 +03:00
auto& parent_inode = parent_custody.inode();
Kernel: Make Process::current() return a Process& instead of Process* This has several benefits: 1) We no longer just blindly derefence a null pointer in various places 2) We will get nicer runtime error messages if the current process does turn out to be null in the call location 3) GCC no longer complains about possible nullptr dereferences when compiling without KUBSAN
2021-08-19 22:45:07 +03:00
auto& current_process = Process::current();
if (!parent_inode.metadata().may_write(current_process))
Kernel+LibC: Turn errno codes into a strongly typed enum ..and allow implicit creation of KResult and KResultOr from ErrnoCode. This means that kernel functions that return those types can finally do "return EINVAL;" and it will just work. There's a handful of functions that still deal with signed integers that should be converted to return KResults.
2021-01-21 01:11:17 +03:00
return EACCES;
Kernel: Support read-only filesystem mounts This adds support for MS_RDONLY, a mount flag that tells the kernel to disallow any attempts to write to the newly mounted filesystem. As this flag is per-mount, and different mounts of the same filesystems (such as in case of bind mounts) can have different mutability settings, you have to go though a custody to find out if the filesystem is mounted read-only, instead of just asking the filesystem itself whether it's inherently read-only. This also adds a lot of checks we were previously missing; and moves some of them to happen after more specific checks (such as regular permission checks). One outstanding hole in this system is sys$mprotect(PROT_WRITE), as there's no way we can know if the original file description this region has been mounted from had been opened through a readonly mount point. Currently, we always allow such sys$mprotect() calls to succeed, which effectively allows anyone to circumvent the effect of MS_RDONLY. We should solve this one way or another.
2020-05-28 17:56:25 +03:00
if (parent_custody.is_readonly())
Kernel+LibC: Turn errno codes into a strongly typed enum ..and allow implicit creation of KResult and KResultOr from ErrnoCode. This means that kernel functions that return those types can finally do "return EINVAL;" and it will just work. There's a handful of functions that still deal with signed integers that should be converted to return KResults.
2021-01-21 01:11:17 +03:00
return EROFS;
Kernel: Support read-only filesystem mounts This adds support for MS_RDONLY, a mount flag that tells the kernel to disallow any attempts to write to the newly mounted filesystem. As this flag is per-mount, and different mounts of the same filesystems (such as in case of bind mounts) can have different mutability settings, you have to go though a custody to find out if the filesystem is mounted read-only, instead of just asking the filesystem itself whether it's inherently read-only. This also adds a lot of checks we were previously missing; and moves some of them to happen after more specific checks (such as regular permission checks). One outstanding hole in this system is sys$mprotect(PROT_WRITE), as there's no way we can know if the original file description this region has been mounted from had been opened through a readonly mount point. Currently, we always allow such sys$mprotect() calls to succeed, which effectively allows anyone to circumvent the effect of MS_RDONLY. We should solve this one way or another.
2020-05-28 17:56:25 +03:00
Kernel: Rename VFS => VirtualFileSystem
2021-07-11 01:25:24 +03:00
dbgln_if(VFS_DEBUG, "VirtualFileSystem::create: '{}' in {}", basename, parent_inode.identifier());
Kernel: Strongly typed user & group ID's Prior to this change, both uid_t and gid_t were typedef'ed to `u32`. This made it easy to use them interchangeably. Let's not allow that. This patch adds UserID and GroupID using the AK::DistinctNumeric mechanism we've already been employing for pid_t/ProcessID.
2021-08-28 23:11:16 +03:00
auto uid = owner.has_value() ? owner.value().uid : current_process.euid();
auto gid = owner.has_value() ? owner.value().gid : current_process.egid();
Kernel: Use TRY() in VirtualFileSystem
2021-09-05 15:00:18 +03:00
auto inode = TRY(parent_inode.create_child(basename, mode, 0, uid, gid));
auto custody = TRY(Custody::try_create(&parent_custody, basename, inode, parent_custody.mount_flags()));
Kernel: Rename FileDescription => OpenFileDescription Dr. POSIX really calls these "open file description", not just "file description", so let's call them exactly that. :^)
2021-09-07 14:39:11 +03:00
auto description = TRY(OpenFileDescription::try_create(move(custody)));
Kernel: Use TRY() even more in VirtualFileSystem Allowing TRY() with KResult unlocked a whole lot more opportunities.
2021-09-05 15:55:25 +03:00
description->set_rw_mode(options);
description->set_file_flags(options);
Kernel: Move setting file flags and r/w mode to VFS::open() Previously, VFS::open() would only use the passed flags for permission checking purposes, and Process::sys$open() would set them on the created FileDescription explicitly. Now, they should be set by VFS::open() on any files being opened, including files that the kernel opens internally. This also lets us get rid of the explicit check for whether or not the returned FileDescription was a preopen fd, and in fact, fixes a bug where a read-only preopen fd without any other flags would be considered freshly opened (due to O_RDONLY being indistinguishable from 0) and granted a new set of flags.
2020-01-19 01:15:52 +03:00
return description;
Implement creating a new directory.
2018-10-16 01:35:03 +03:00
}
Kernel: Rename VFS => VirtualFileSystem
2021-07-11 01:25:24 +03:00
KResult VirtualFileSystem::mkdir(StringView path, mode_t mode, Custody& base)
Implement creating a new directory.
2018-10-16 01:35:03 +03:00
{
Kernel: Support trailing slashes in VFS::mkdir() This is apparently a special case unlike any other, so let's handle it directly in VFS::mkdir() instead of adding an alternative code path into VFS::resolve_path(). Fixes https://github.com/SerenityOS/serenity/issues/1253
2020-02-20 17:28:36 +03:00
// Unlike in basically every other case, where it's only the last
// path component (the one being created) that is allowed not to
// exist, POSIX allows mkdir'ed path to have trailing slashes.
// Let's handle that case by trimming any trailing slashes.
Kernel: Return correct error numbers for the mkdir syscall Previously, VirtualFileSystem::mkdir() would always return ENOENT if no parent custody was returned by resolve_path(). This is incorrect when e.g. the user has no search permission in a component of the path prefix (=> EACCES), or if on component of the path prefix is a file (=> ENOTDIR). This patch fixes that behavior.
2021-07-11 14:46:05 +03:00
path = path.trim("/"sv, TrimMode::Right);
if (path.is_empty()) {
// NOTE: This means the path was a series of slashes, which resolves to "/".
path = "/";
}
Kernel: Support trailing slashes in VFS::mkdir() This is apparently a special case unlike any other, so let's handle it directly in VFS::mkdir() instead of adding an alternative code path into VFS::resolve_path(). Fixes https://github.com/SerenityOS/serenity/issues/1253
2020-02-20 17:28:36 +03:00
AK: Rename RetainPtr => RefPtr and Retained => NonnullRefPtr.
2019-06-21 19:37:47 +03:00
RefPtr<Custody> parent_custody;
Kernel: Return correct error numbers for the mkdir syscall Previously, VirtualFileSystem::mkdir() would always return ENOENT if no parent custody was returned by resolve_path(). This is incorrect when e.g. the user has no search permission in a component of the path prefix (=> EACCES), or if on component of the path prefix is a file (=> ENOTDIR). This patch fixes that behavior.
2021-07-11 14:46:05 +03:00
auto result = resolve_path(path, base, &parent_custody);
if (!result.is_error())
Kernel+LibC: Turn errno codes into a strongly typed enum ..and allow implicit creation of KResult and KResultOr from ErrnoCode. This means that kernel functions that return those types can finally do "return EINVAL;" and it will just work. There's a handful of functions that still deal with signed integers that should be converted to return KResults.
2021-01-21 01:11:17 +03:00
return EEXIST;
Kernel: Use more if-with-initializer in VFS
2021-04-11 01:40:38 +03:00
else if (!parent_custody)
Kernel: Add KResult and KResultOr<T> classes. The idea here is to combine a potential syscall error code with an arbitrary type in the case of success. I feel like this will end up much less error prone than returning some arbitrary type that kinda sorta has bool semantics (but sometimes not really) and passing the error through an out-param. This patch only converts a few syscalls to using it. More to come.
2019-02-25 22:47:56 +03:00
return result.error();
Kernel: Return correct error numbers for the mkdir syscall Previously, VirtualFileSystem::mkdir() would always return ENOENT if no parent custody was returned by resolve_path(). This is incorrect when e.g. the user has no search permission in a component of the path prefix (=> EACCES), or if on component of the path prefix is a file (=> ENOTDIR). This patch fixes that behavior.
2021-07-11 14:46:05 +03:00
// NOTE: If resolve_path fails with a non-null parent custody, the error should be ENOENT.
Kernel: Stop allowing implicit conversion from KResult to int This patch removes KResult::operator int() and deals with the fallout. This forces a lot of code to be more explicit in its handling of errors, greatly improving readability.
2021-08-14 16:15:11 +03:00
VERIFY(result.error() == ENOENT);
Kernel: Add KResult and KResultOr<T> classes. The idea here is to combine a potential syscall error code with an arbitrary type in the case of success. I feel like this will end up much less error prone than returning some arbitrary type that kinda sorta has bool semantics (but sometimes not really) and passing the error through an out-param. This patch only converts a few syscalls to using it. More to come.
2019-02-25 22:47:56 +03:00
FileSystem: Port most of the code over to using custodies. The current working directory is now stored as a custody. Likewise for a process executable file. This unbreaks /proc/PID/fd which has not been working since we made the filesystem bigger. This still needs a bunch of work, for instance when renaming or removing a file somewhere, we have to update the relevant custody links.
2019-05-30 19:58:59 +03:00
auto& parent_inode = parent_custody->inode();
Kernel: Make Process::current() return a Process& instead of Process* This has several benefits: 1) We no longer just blindly derefence a null pointer in various places 2) We will get nicer runtime error messages if the current process does turn out to be null in the call location 3) GCC no longer complains about possible nullptr dereferences when compiling without KUBSAN
2021-08-19 22:45:07 +03:00
auto& current_process = Process::current();
if (!parent_inode.metadata().may_write(current_process))
Kernel+LibC: Turn errno codes into a strongly typed enum ..and allow implicit creation of KResult and KResultOr from ErrnoCode. This means that kernel functions that return those types can finally do "return EINVAL;" and it will just work. There's a handful of functions that still deal with signed integers that should be converted to return KResults.
2021-01-21 01:11:17 +03:00
return EACCES;
Kernel: Support read-only filesystem mounts This adds support for MS_RDONLY, a mount flag that tells the kernel to disallow any attempts to write to the newly mounted filesystem. As this flag is per-mount, and different mounts of the same filesystems (such as in case of bind mounts) can have different mutability settings, you have to go though a custody to find out if the filesystem is mounted read-only, instead of just asking the filesystem itself whether it's inherently read-only. This also adds a lot of checks we were previously missing; and moves some of them to happen after more specific checks (such as regular permission checks). One outstanding hole in this system is sys$mprotect(PROT_WRITE), as there's no way we can know if the original file description this region has been mounted from had been opened through a readonly mount point. Currently, we always allow such sys$mprotect() calls to succeed, which effectively allows anyone to circumvent the effect of MS_RDONLY. We should solve this one way or another.
2020-05-28 17:56:25 +03:00
if (parent_custody->is_readonly())
Kernel+LibC: Turn errno codes into a strongly typed enum ..and allow implicit creation of KResult and KResultOr from ErrnoCode. This means that kernel functions that return those types can finally do "return EINVAL;" and it will just work. There's a handful of functions that still deal with signed integers that should be converted to return KResults.
2021-01-21 01:11:17 +03:00
return EROFS;
Kernel: Start adding various file system permission checks. Fail with EACCES in various situations. Fix userland bugs that were exposed.
2019-02-21 17:45:31 +03:00
Kernel: Replace usage of LexicalPath with KLexicalPath This replaces all uses of LexicalPath in the Kernel with the functions from KLexicalPath. This also allows the Kernel to stop including AK::LexicalPath.
2021-07-06 12:21:52 +03:00
auto basename = KLexicalPath::basename(path);
Kernel: Rename VFS => VirtualFileSystem
2021-07-11 01:25:24 +03:00
dbgln_if(VFS_DEBUG, "VirtualFileSystem::mkdir: '{}' in {}", basename, parent_inode.identifier());
Kernel: Make Process::current() return a Process& instead of Process* This has several benefits: 1) We no longer just blindly derefence a null pointer in various places 2) We will get nicer runtime error messages if the current process does turn out to be null in the call location 3) GCC no longer complains about possible nullptr dereferences when compiling without KUBSAN
2021-08-19 22:45:07 +03:00
return parent_inode.create_child(basename, S_IFDIR | mode, 0, current_process.euid(), current_process.egid()).result();
Import all this stuff into a single repo called Serenity.
2018-10-10 12:53:07 +03:00
}
Kernel: Rename VFS => VirtualFileSystem
2021-07-11 01:25:24 +03:00
KResult VirtualFileSystem::access(StringView path, int mode, Custody& base)
Compat work towards porting vim.
2019-02-26 17:57:59 +03:00
{
Kernel: Use TRY() in VirtualFileSystem
2021-09-05 15:00:18 +03:00
auto custody = TRY(resolve_path(path, base));
auto& inode = custody->inode();
FileSystem: Port most of the code over to using custodies. The current working directory is now stored as a custody. Likewise for a process executable file. This unbreaks /proc/PID/fd which has not been working since we made the filesystem bigger. This still needs a bunch of work, for instance when renaming or removing a file somewhere, we have to update the relevant custody links.
2019-05-30 19:58:59 +03:00
auto metadata = inode.metadata();
Kernel: Make Process::current() return a Process& instead of Process* This has several benefits: 1) We no longer just blindly derefence a null pointer in various places 2) We will get nicer runtime error messages if the current process does turn out to be null in the call location 3) GCC no longer complains about possible nullptr dereferences when compiling without KUBSAN
2021-08-19 22:45:07 +03:00
auto& current_process = Process::current();
Compat work towards porting vim.
2019-02-26 17:57:59 +03:00
if (mode & R_OK) {
Kernel: Make Process::current() return a Process& instead of Process* This has several benefits: 1) We no longer just blindly derefence a null pointer in various places 2) We will get nicer runtime error messages if the current process does turn out to be null in the call location 3) GCC no longer complains about possible nullptr dereferences when compiling without KUBSAN
2021-08-19 22:45:07 +03:00
if (!metadata.may_read(current_process))
Kernel+LibC: Turn errno codes into a strongly typed enum ..and allow implicit creation of KResult and KResultOr from ErrnoCode. This means that kernel functions that return those types can finally do "return EINVAL;" and it will just work. There's a handful of functions that still deal with signed integers that should be converted to return KResults.
2021-01-21 01:11:17 +03:00
return EACCES;
Compat work towards porting vim.
2019-02-26 17:57:59 +03:00
}
if (mode & W_OK) {
Kernel: Make Process::current() return a Process& instead of Process* This has several benefits: 1) We no longer just blindly derefence a null pointer in various places 2) We will get nicer runtime error messages if the current process does turn out to be null in the call location 3) GCC no longer complains about possible nullptr dereferences when compiling without KUBSAN
2021-08-19 22:45:07 +03:00
if (!metadata.may_write(current_process))
Kernel+LibC: Turn errno codes into a strongly typed enum ..and allow implicit creation of KResult and KResultOr from ErrnoCode. This means that kernel functions that return those types can finally do "return EINVAL;" and it will just work. There's a handful of functions that still deal with signed integers that should be converted to return KResults.
2021-01-21 01:11:17 +03:00
return EACCES;
Kernel: Use TRY() in VirtualFileSystem
2021-09-05 15:00:18 +03:00
if (custody->is_readonly())
Kernel+LibC: Turn errno codes into a strongly typed enum ..and allow implicit creation of KResult and KResultOr from ErrnoCode. This means that kernel functions that return those types can finally do "return EINVAL;" and it will just work. There's a handful of functions that still deal with signed integers that should be converted to return KResults.
2021-01-21 01:11:17 +03:00
return EROFS;
Compat work towards porting vim.
2019-02-26 17:57:59 +03:00
}
if (mode & X_OK) {
Kernel: Make Process::current() return a Process& instead of Process* This has several benefits: 1) We no longer just blindly derefence a null pointer in various places 2) We will get nicer runtime error messages if the current process does turn out to be null in the call location 3) GCC no longer complains about possible nullptr dereferences when compiling without KUBSAN
2021-08-19 22:45:07 +03:00
if (!metadata.may_execute(current_process))
Kernel+LibC: Turn errno codes into a strongly typed enum ..and allow implicit creation of KResult and KResultOr from ErrnoCode. This means that kernel functions that return those types can finally do "return EINVAL;" and it will just work. There's a handful of functions that still deal with signed integers that should be converted to return KResults.
2021-01-21 01:11:17 +03:00
return EACCES;
Compat work towards porting vim.
2019-02-26 17:57:59 +03:00
}
return KSuccess;
}
Kernel: Rename VFS => VirtualFileSystem
2021-07-11 01:25:24 +03:00
KResultOr<NonnullRefPtr<Custody>> VirtualFileSystem::open_directory(StringView path, Custody& base)
Kernel: Support chdir() to a directory that's executable but not readable. Also the superuser should be allowed to resolve any possible path without getting tripped up by EACCES.
2019-03-02 01:54:07 +03:00
{
Kernel: Use TRY() in VirtualFileSystem
2021-09-05 15:00:18 +03:00
auto custody = TRY(resolve_path(path, base));
auto& inode = custody->inode();
FileSystem: Port most of the code over to using custodies. The current working directory is now stored as a custody. Likewise for a process executable file. This unbreaks /proc/PID/fd which has not been working since we made the filesystem bigger. This still needs a bunch of work, for instance when renaming or removing a file somewhere, we have to update the relevant custody links.
2019-05-30 19:58:59 +03:00
if (!inode.is_directory())
Kernel+LibC: Turn errno codes into a strongly typed enum ..and allow implicit creation of KResult and KResultOr from ErrnoCode. This means that kernel functions that return those types can finally do "return EINVAL;" and it will just work. There's a handful of functions that still deal with signed integers that should be converted to return KResults.
2021-01-21 01:11:17 +03:00
return ENOTDIR;
Kernel: Make Process::current() return a Process& instead of Process* This has several benefits: 1) We no longer just blindly derefence a null pointer in various places 2) We will get nicer runtime error messages if the current process does turn out to be null in the call location 3) GCC no longer complains about possible nullptr dereferences when compiling without KUBSAN
2021-08-19 22:45:07 +03:00
if (!inode.metadata().may_execute(Process::current()))
Kernel+LibC: Turn errno codes into a strongly typed enum ..and allow implicit creation of KResult and KResultOr from ErrnoCode. This means that kernel functions that return those types can finally do "return EINVAL;" and it will just work. There's a handful of functions that still deal with signed integers that should be converted to return KResults.
2021-01-21 01:11:17 +03:00
return EACCES;
FileSystem: Port most of the code over to using custodies. The current working directory is now stored as a custody. Likewise for a process executable file. This unbreaks /proc/PID/fd which has not been working since we made the filesystem bigger. This still needs a bunch of work, for instance when renaming or removing a file somewhere, we have to update the relevant custody links.
2019-05-30 19:58:59 +03:00
return custody;
Kernel: Support chdir() to a directory that's executable but not readable. Also the superuser should be allowed to resolve any possible path without getting tripped up by EACCES.
2019-03-02 01:54:07 +03:00
}
Kernel: Rename VFS => VirtualFileSystem
2021-07-11 01:25:24 +03:00
KResult VirtualFileSystem::chmod(Custody& custody, mode_t mode)
Implement basic chmod() syscall and /bin/chmod helper. Only raw octal modes are supported right now. This patch also changes mode_t from 32-bit to 16-bit to match the on-disk type used by Ext2FS. I also ran into EPERM being errno=0 which was confusing, so I inserted an ESUCCESS in its place.
2019-01-29 06:55:08 +03:00
{
Kernel: Pass a Custody instead of Inode to VFS methods VFS no longer deals with inodes in public API, only with custodies and file descriptions. Talk directly to the file system if you need to operate on a inode. In most cases you actually want to go though VFS, to get proper permission check and other niceties. For this to work, you have to provide a custody, which describes *how* you have opened the inode, not just what the inode is.
2020-05-28 17:41:04 +03:00
auto& inode = custody.inode();
Kernel: Start adding various file system permission checks. Fail with EACCES in various situations. Fix userland bugs that were exposed.
2019-02-21 17:45:31 +03:00
Kernel: Make Process::current() return a Process& instead of Process* This has several benefits: 1) We no longer just blindly derefence a null pointer in various places 2) We will get nicer runtime error messages if the current process does turn out to be null in the call location 3) GCC no longer complains about possible nullptr dereferences when compiling without KUBSAN
2021-08-19 22:45:07 +03:00
auto& current_process = Process::current();
if (current_process.euid() != inode.metadata().uid && !current_process.is_superuser())
Kernel+LibC: Turn errno codes into a strongly typed enum ..and allow implicit creation of KResult and KResultOr from ErrnoCode. This means that kernel functions that return those types can finally do "return EINVAL;" and it will just work. There's a handful of functions that still deal with signed integers that should be converted to return KResults.
2021-01-21 01:11:17 +03:00
return EPERM;
Kernel: Support read-only filesystem mounts This adds support for MS_RDONLY, a mount flag that tells the kernel to disallow any attempts to write to the newly mounted filesystem. As this flag is per-mount, and different mounts of the same filesystems (such as in case of bind mounts) can have different mutability settings, you have to go though a custody to find out if the filesystem is mounted read-only, instead of just asking the filesystem itself whether it's inherently read-only. This also adds a lot of checks we were previously missing; and moves some of them to happen after more specific checks (such as regular permission checks). One outstanding hole in this system is sys$mprotect(PROT_WRITE), as there's no way we can know if the original file description this region has been mounted from had been opened through a readonly mount point. Currently, we always allow such sys$mprotect() calls to succeed, which effectively allows anyone to circumvent the effect of MS_RDONLY. We should solve this one way or another.
2020-05-28 17:56:25 +03:00
if (custody.is_readonly())
Kernel+LibC: Turn errno codes into a strongly typed enum ..and allow implicit creation of KResult and KResultOr from ErrnoCode. This means that kernel functions that return those types can finally do "return EINVAL;" and it will just work. There's a handful of functions that still deal with signed integers that should be converted to return KResults.
2021-01-21 01:11:17 +03:00
return EROFS;
Implement basic chmod() syscall and /bin/chmod helper. Only raw octal modes are supported right now. This patch also changes mode_t from 32-bit to 16-bit to match the on-disk type used by Ext2FS. I also ran into EPERM being errno=0 which was confusing, so I inserted an ESUCCESS in its place.
2019-01-29 06:55:08 +03:00
// Only change the permission bits.
Kernel: Allow sys$chmod() to change the sticky bit We were incorrectly masking off the sticky bit when setting file modes.
2021-01-19 20:21:43 +03:00
mode = (inode.mode() & ~07777u) | (mode & 07777u);
Kernel+Userland: Implement fchmod() syscall and use it to improve /bin/cp. /bin/cp will now copy the permission bits from source to destination. :^)
2019-03-01 12:39:19 +03:00
return inode.chmod(mode);
}
Implement basic chmod() syscall and /bin/chmod helper. Only raw octal modes are supported right now. This patch also changes mode_t from 32-bit to 16-bit to match the on-disk type used by Ext2FS. I also ran into EPERM being errno=0 which was confusing, so I inserted an ESUCCESS in its place.
2019-01-29 06:55:08 +03:00
Kernel: Rename VFS => VirtualFileSystem
2021-07-11 01:25:24 +03:00
KResult VirtualFileSystem::chmod(StringView path, mode_t mode, Custody& base)
Kernel+Userland: Implement fchmod() syscall and use it to improve /bin/cp. /bin/cp will now copy the permission bits from source to destination. :^)
2019-03-01 12:39:19 +03:00
{
Kernel: Use TRY() in VirtualFileSystem
2021-09-05 15:00:18 +03:00
auto custody = TRY(resolve_path(path, base));
Kernel: Pass a Custody instead of Inode to VFS methods VFS no longer deals with inodes in public API, only with custodies and file descriptions. Talk directly to the file system if you need to operate on a inode. In most cases you actually want to go though VFS, to get proper permission check and other niceties. For this to work, you have to provide a custody, which describes *how* you have opened the inode, not just what the inode is.
2020-05-28 17:41:04 +03:00
return chmod(custody, mode);
Kernel: Add KResult and KResultOr<T> classes. The idea here is to combine a potential syscall error code with an arbitrary type in the case of success. I feel like this will end up much less error prone than returning some arbitrary type that kinda sorta has bool semantics (but sometimes not really) and passing the error through an out-param. This patch only converts a few syscalls to using it. More to come.
2019-02-25 22:47:56 +03:00
}
Kernel: Rename VFS => VirtualFileSystem
2021-07-11 01:25:24 +03:00
KResult VirtualFileSystem::rename(StringView old_path, StringView new_path, Custody& base)
Kernel+Userland: Add the rename() syscall along with a basic /bin/mv.
2019-04-08 00:35:26 +03:00
{
AK: Rename RetainPtr => RefPtr and Retained => NonnullRefPtr.
2019-06-21 19:37:47 +03:00
RefPtr<Custody> old_parent_custody;
Kernel: Use TRY() in VirtualFileSystem
2021-09-05 15:00:18 +03:00
auto old_custody = TRY(resolve_path(old_path, base, &old_parent_custody, O_NOFOLLOW_NOERROR));
auto& old_inode = old_custody->inode();
Kernel+Userland: Add the rename() syscall along with a basic /bin/mv.
2019-04-08 00:35:26 +03:00
AK: Rename RetainPtr => RefPtr and Retained => NonnullRefPtr.
2019-06-21 19:37:47 +03:00
RefPtr<Custody> new_parent_custody;
FileSystem: Rename VFS::resolve_path_to_custody() => resolve_path().
2019-05-31 16:30:09 +03:00
auto new_custody_or_error = resolve_path(new_path, base, &new_parent_custody);
FileSystem: Port most of the code over to using custodies. The current working directory is now stored as a custody. Likewise for a process executable file. This unbreaks /proc/PID/fd which has not been working since we made the filesystem bigger. This still needs a bunch of work, for instance when renaming or removing a file somewhere, we have to update the relevant custody links.
2019-05-30 19:58:59 +03:00
if (new_custody_or_error.is_error()) {
Kernel: Stop allowing implicit conversion from KResult to int This patch removes KResult::operator int() and deals with the fallout. This forces a lot of code to be more explicit in its handling of errors, greatly improving readability.
2021-08-14 16:15:11 +03:00
if (new_custody_or_error.error() != ENOENT || !new_parent_custody)
FileSystem: Port most of the code over to using custodies. The current working directory is now stored as a custody. Likewise for a process executable file. This unbreaks /proc/PID/fd which has not been working since we made the filesystem bigger. This still needs a bunch of work, for instance when renaming or removing a file somewhere, we have to update the relevant custody links.
2019-05-30 19:58:59 +03:00
return new_custody_or_error.error();
Kernel+Userland: Add the rename() syscall along with a basic /bin/mv.
2019-04-08 00:35:26 +03:00
}
Kernel-VFS: Fixed kernel crash if parent custody is null In VFS::rename, if new_path is equal to '/', then, parent custody is set to null. VFS::rename would then use parent custody without checking it first. Fixed VFS::rename to check both old and new path parent custody before actually using them.
2021-05-06 20:35:34 +03:00
if (!old_parent_custody || !new_parent_custody) {
return EPERM;
}
VirtualFileSystem: Don't let rename() overwrite non-empty directory According to POSIX, rename shouldn't succeed if newpath is a non-empty directory.
2021-08-01 23:58:50 +03:00
if (!new_custody_or_error.is_error()) {
auto& new_inode = new_custody_or_error.value()->inode();
if (old_inode.index() != new_inode.index() && old_inode.is_directory() && new_inode.is_directory()) {
size_t child_count = 0;
Kernel: Wrap two VirtualFileSystem directory traversals in TRY()
2021-09-06 21:30:18 +03:00
TRY(new_inode.traverse_as_directory([&child_count](auto&) {
VirtualFileSystem: Don't let rename() overwrite non-empty directory According to POSIX, rename shouldn't succeed if newpath is a non-empty directory.
2021-08-01 23:58:50 +03:00
++child_count;
return child_count <= 2;
Kernel: Wrap two VirtualFileSystem directory traversals in TRY()
2021-09-06 21:30:18 +03:00
}));
VirtualFileSystem: Don't let rename() overwrite non-empty directory According to POSIX, rename shouldn't succeed if newpath is a non-empty directory.
2021-08-01 23:58:50 +03:00
if (child_count > 2)
return ENOTEMPTY;
}
}
FileSystem: Port most of the code over to using custodies. The current working directory is now stored as a custody. Likewise for a process executable file. This unbreaks /proc/PID/fd which has not been working since we made the filesystem bigger. This still needs a bunch of work, for instance when renaming or removing a file somewhere, we have to update the relevant custody links.
2019-05-30 19:58:59 +03:00
auto& old_parent_inode = old_parent_custody->inode();
auto& new_parent_inode = new_parent_custody->inode();
Kernel: rename() should fail with EXDEV for cross-device requests POSIX does not support rename() from one file system to another.
2020-01-03 06:10:05 +03:00
if (&old_parent_inode.fs() != &new_parent_inode.fs())
Kernel+LibC: Turn errno codes into a strongly typed enum ..and allow implicit creation of KResult and KResultOr from ErrnoCode. This means that kernel functions that return those types can finally do "return EINVAL;" and it will just work. There's a handful of functions that still deal with signed integers that should be converted to return KResults.
2021-01-21 01:11:17 +03:00
return EXDEV;
Kernel: rename() should fail with EXDEV for cross-device requests POSIX does not support rename() from one file system to another.
2020-01-03 06:10:05 +03:00
Kernel+LibC: Don't allow a directory to become a subdirectory of itself If you try to do this (e.g "mv directory directory"), sys$rename() will now fail with EDIRINTOSELF. Dr. POSIX says we should return EINVAL for this, but a custom error code allows us to print a much more helpful error message when this problem occurs. :^)
2020-11-01 19:17:23 +03:00
for (auto* new_ancestor = new_parent_custody.ptr(); new_ancestor; new_ancestor = new_ancestor->parent()) {
if (&old_inode == &new_ancestor->inode())
Kernel+LibC: Turn errno codes into a strongly typed enum ..and allow implicit creation of KResult and KResultOr from ErrnoCode. This means that kernel functions that return those types can finally do "return EINVAL;" and it will just work. There's a handful of functions that still deal with signed integers that should be converted to return KResults.
2021-01-21 01:11:17 +03:00
return EDIRINTOSELF;
Kernel+LibC: Don't allow a directory to become a subdirectory of itself If you try to do this (e.g "mv directory directory"), sys$rename() will now fail with EDIRINTOSELF. Dr. POSIX says we should return EINVAL for this, but a custom error code allows us to print a much more helpful error message when this problem occurs. :^)
2020-11-01 19:17:23 +03:00
}
Kernel: Make Process::current() return a Process& instead of Process* This has several benefits: 1) We no longer just blindly derefence a null pointer in various places 2) We will get nicer runtime error messages if the current process does turn out to be null in the call location 3) GCC no longer complains about possible nullptr dereferences when compiling without KUBSAN
2021-08-19 22:45:07 +03:00
auto& current_process = Process::current();
if (!new_parent_inode.metadata().may_write(current_process))
Kernel+LibC: Turn errno codes into a strongly typed enum ..and allow implicit creation of KResult and KResultOr from ErrnoCode. This means that kernel functions that return those types can finally do "return EINVAL;" and it will just work. There's a handful of functions that still deal with signed integers that should be converted to return KResults.
2021-01-21 01:11:17 +03:00
return EACCES;
Kernel+Userland: Add the rename() syscall along with a basic /bin/mv.
2019-04-08 00:35:26 +03:00
Kernel: Make Process::current() return a Process& instead of Process* This has several benefits: 1) We no longer just blindly derefence a null pointer in various places 2) We will get nicer runtime error messages if the current process does turn out to be null in the call location 3) GCC no longer complains about possible nullptr dereferences when compiling without KUBSAN
2021-08-19 22:45:07 +03:00
if (!old_parent_inode.metadata().may_write(current_process))
Kernel+LibC: Turn errno codes into a strongly typed enum ..and allow implicit creation of KResult and KResultOr from ErrnoCode. This means that kernel functions that return those types can finally do "return EINVAL;" and it will just work. There's a handful of functions that still deal with signed integers that should be converted to return KResults.
2021-01-21 01:11:17 +03:00
return EACCES;
Kernel+Userland: Add the rename() syscall along with a basic /bin/mv.
2019-04-08 00:35:26 +03:00
FileSystem: Port most of the code over to using custodies. The current working directory is now stored as a custody. Likewise for a process executable file. This unbreaks /proc/PID/fd which has not been working since we made the filesystem bigger. This still needs a bunch of work, for instance when renaming or removing a file somewhere, we have to update the relevant custody links.
2019-05-30 19:58:59 +03:00
if (old_parent_inode.metadata().is_sticky()) {
Kernel: Make Process::current() return a Process& instead of Process* This has several benefits: 1) We no longer just blindly derefence a null pointer in various places 2) We will get nicer runtime error messages if the current process does turn out to be null in the call location 3) GCC no longer complains about possible nullptr dereferences when compiling without KUBSAN
2021-08-19 22:45:07 +03:00
if (!current_process.is_superuser() && old_inode.metadata().uid != current_process.euid())
Kernel+LibC: Turn errno codes into a strongly typed enum ..and allow implicit creation of KResult and KResultOr from ErrnoCode. This means that kernel functions that return those types can finally do "return EINVAL;" and it will just work. There's a handful of functions that still deal with signed integers that should be converted to return KResults.
2021-01-21 01:11:17 +03:00
return EACCES;
VFS: Implement sticky bit behavior for rename() and unlink(). Removing entries from a sticky directory is only allowed when you are either the owner of the entry, or the superuser. :^)
2019-04-28 23:54:30 +03:00
}
Kernel: Support read-only filesystem mounts This adds support for MS_RDONLY, a mount flag that tells the kernel to disallow any attempts to write to the newly mounted filesystem. As this flag is per-mount, and different mounts of the same filesystems (such as in case of bind mounts) can have different mutability settings, you have to go though a custody to find out if the filesystem is mounted read-only, instead of just asking the filesystem itself whether it's inherently read-only. This also adds a lot of checks we were previously missing; and moves some of them to happen after more specific checks (such as regular permission checks). One outstanding hole in this system is sys$mprotect(PROT_WRITE), as there's no way we can know if the original file description this region has been mounted from had been opened through a readonly mount point. Currently, we always allow such sys$mprotect() calls to succeed, which effectively allows anyone to circumvent the effect of MS_RDONLY. We should solve this one way or another.
2020-05-28 17:56:25 +03:00
if (old_parent_custody->is_readonly() || new_parent_custody->is_readonly())
Kernel+LibC: Turn errno codes into a strongly typed enum ..and allow implicit creation of KResult and KResultOr from ErrnoCode. This means that kernel functions that return those types can finally do "return EINVAL;" and it will just work. There's a handful of functions that still deal with signed integers that should be converted to return KResults.
2021-01-21 01:11:17 +03:00
return EROFS;
Kernel: Support read-only filesystem mounts This adds support for MS_RDONLY, a mount flag that tells the kernel to disallow any attempts to write to the newly mounted filesystem. As this flag is per-mount, and different mounts of the same filesystems (such as in case of bind mounts) can have different mutability settings, you have to go though a custody to find out if the filesystem is mounted read-only, instead of just asking the filesystem itself whether it's inherently read-only. This also adds a lot of checks we were previously missing; and moves some of them to happen after more specific checks (such as regular permission checks). One outstanding hole in this system is sys$mprotect(PROT_WRITE), as there's no way we can know if the original file description this region has been mounted from had been opened through a readonly mount point. Currently, we always allow such sys$mprotect() calls to succeed, which effectively allows anyone to circumvent the effect of MS_RDONLY. We should solve this one way or another.
2020-05-28 17:56:25 +03:00
VirtualFileSystem: Check for '.' '..' and empty filenames This commit adds a check, to prevent empty dot or dot-dot filenames when renaming a file and returns EINVAL in that case.
2021-07-16 22:12:07 +03:00
auto old_basename = KLexicalPath::basename(old_path);
if (old_basename.is_empty() || old_basename == "."sv || old_basename == ".."sv)
return EINVAL;
Kernel: Replace usage of LexicalPath with KLexicalPath This replaces all uses of LexicalPath in the Kernel with the functions from KLexicalPath. This also allows the Kernel to stop including AK::LexicalPath.
2021-07-06 12:21:52 +03:00
auto new_basename = KLexicalPath::basename(new_path);
VirtualFileSystem: Check for '.' '..' and empty filenames This commit adds a check, to prevent empty dot or dot-dot filenames when renaming a file and returns EINVAL in that case.
2021-07-16 22:12:07 +03:00
if (new_basename.is_empty() || new_basename == "."sv || new_basename == ".."sv)
return EINVAL;
FileSystem: Reuse existing custodies when possible, and keep them updated. Walk the custody cache and try to reuse an existing one when possible. The VFS is responsible for updating them when something happens that would cause the described relationship to change. This is definitely not perfect but it does work for the basic scenarios like renaming and removing directory entries.
2019-05-31 16:22:52 +03:00
VirtualFileSystem: Return early in rename() when old_path==new_path This change fixes disappearing symlink after trying to do the following thing: cp /res/icons/16x16/add-event.png . ln -s add-event.png a mv a a
2021-08-10 14:39:44 +03:00
if (old_basename == new_basename && old_parent_inode.index() == new_parent_inode.index())
return KSuccess;
FileSystem: Port most of the code over to using custodies. The current working directory is now stored as a custody. Likewise for a process executable file. This unbreaks /proc/PID/fd which has not been working since we made the filesystem bigger. This still needs a bunch of work, for instance when renaming or removing a file somewhere, we have to update the relevant custody links.
2019-05-30 19:58:59 +03:00
if (!new_custody_or_error.is_error()) {
auto& new_custody = *new_custody_or_error.value();
auto& new_inode = new_custody.inode();
Kernel+Userland: Add the rename() syscall along with a basic /bin/mv.
2019-04-08 00:35:26 +03:00
// FIXME: Is this really correct? Check what other systems do.
FileSystem: Port most of the code over to using custodies. The current working directory is now stored as a custody. Likewise for a process executable file. This unbreaks /proc/PID/fd which has not been working since we made the filesystem bigger. This still needs a bunch of work, for instance when renaming or removing a file somewhere, we have to update the relevant custody links.
2019-05-30 19:58:59 +03:00
if (&new_inode == &old_inode)
Kernel+Userland: Add the rename() syscall along with a basic /bin/mv.
2019-04-08 00:35:26 +03:00
return KSuccess;
FileSystem: Port most of the code over to using custodies. The current working directory is now stored as a custody. Likewise for a process executable file. This unbreaks /proc/PID/fd which has not been working since we made the filesystem bigger. This still needs a bunch of work, for instance when renaming or removing a file somewhere, we have to update the relevant custody links.
2019-05-30 19:58:59 +03:00
if (new_parent_inode.metadata().is_sticky()) {
Kernel: Make Process::current() return a Process& instead of Process* This has several benefits: 1) We no longer just blindly derefence a null pointer in various places 2) We will get nicer runtime error messages if the current process does turn out to be null in the call location 3) GCC no longer complains about possible nullptr dereferences when compiling without KUBSAN
2021-08-19 22:45:07 +03:00
if (!current_process.is_superuser() && new_inode.metadata().uid != current_process.euid())
Kernel+LibC: Turn errno codes into a strongly typed enum ..and allow implicit creation of KResult and KResultOr from ErrnoCode. This means that kernel functions that return those types can finally do "return EINVAL;" and it will just work. There's a handful of functions that still deal with signed integers that should be converted to return KResults.
2021-01-21 01:11:17 +03:00
return EACCES;
VFS: Also respect the sticky bit of the new parent in rename(). Obviously we should not allow overwriting someone else's files in a sticky directory either.
2019-04-29 00:34:33 +03:00
}
FileSystem: Port most of the code over to using custodies. The current working directory is now stored as a custody. Likewise for a process executable file. This unbreaks /proc/PID/fd which has not been working since we made the filesystem bigger. This still needs a bunch of work, for instance when renaming or removing a file somewhere, we have to update the relevant custody links.
2019-05-30 19:58:59 +03:00
if (new_inode.is_directory() && !old_inode.is_directory())
Kernel+LibC: Turn errno codes into a strongly typed enum ..and allow implicit creation of KResult and KResultOr from ErrnoCode. This means that kernel functions that return those types can finally do "return EINVAL;" and it will just work. There's a handful of functions that still deal with signed integers that should be converted to return KResults.
2021-01-21 01:11:17 +03:00
return EISDIR;
Kernel: Use TRY() even more in VirtualFileSystem Allowing TRY() with KResult unlocked a whole lot more opportunities.
2021-09-05 15:55:25 +03:00
TRY(new_parent_inode.remove_child(new_basename));
Kernel+Userland: Add the rename() syscall along with a basic /bin/mv.
2019-04-08 00:35:26 +03:00
}
Kernel: Use TRY() even more in VirtualFileSystem Allowing TRY() with KResult unlocked a whole lot more opportunities.
2021-09-05 15:55:25 +03:00
TRY(new_parent_inode.add_child(old_inode, new_basename, old_inode.mode()));
TRY(old_parent_inode.remove_child(old_basename));
Kernel+Userland: Add the rename() syscall along with a basic /bin/mv.
2019-04-08 00:35:26 +03:00
return KSuccess;
}
Kernel: Strongly typed user & group ID's Prior to this change, both uid_t and gid_t were typedef'ed to `u32`. This made it easy to use them interchangeably. Let's not allow that. This patch adds UserID and GroupID using the AK::DistinctNumeric mechanism we've already been employing for pid_t/ProcessID.
2021-08-28 23:11:16 +03:00
KResult VirtualFileSystem::chown(Custody& custody, UserID a_uid, GroupID a_gid)
Add chown() syscall and a simple /bin/chown program.
2019-02-27 14:32:53 +03:00
{
Kernel: Pass a Custody instead of Inode to VFS methods VFS no longer deals with inodes in public API, only with custodies and file descriptions. Talk directly to the file system if you need to operate on a inode. In most cases you actually want to go though VFS, to get proper permission check and other niceties. For this to work, you have to provide a custody, which describes *how* you have opened the inode, not just what the inode is.
2020-05-28 17:41:04 +03:00
auto& inode = custody.inode();
FileSystem: Only retrieve inode metadata once in VFS::chown().
2019-06-02 11:31:25 +03:00
auto metadata = inode.metadata();
Kernel: Make Process::current() return a Process& instead of Process* This has several benefits: 1) We no longer just blindly derefence a null pointer in various places 2) We will get nicer runtime error messages if the current process does turn out to be null in the call location 3) GCC no longer complains about possible nullptr dereferences when compiling without KUBSAN
2021-08-19 22:45:07 +03:00
auto& current_process = Process::current();
if (current_process.euid() != metadata.uid && !current_process.is_superuser())
Kernel+LibC: Turn errno codes into a strongly typed enum ..and allow implicit creation of KResult and KResultOr from ErrnoCode. This means that kernel functions that return those types can finally do "return EINVAL;" and it will just work. There's a handful of functions that still deal with signed integers that should be converted to return KResults.
2021-01-21 01:11:17 +03:00
return EPERM;
Add chown() syscall and a simple /bin/chown program.
2019-02-27 14:32:53 +03:00
Kernel: Strongly typed user & group ID's Prior to this change, both uid_t and gid_t were typedef'ed to `u32`. This made it easy to use them interchangeably. Let's not allow that. This patch adds UserID and GroupID using the AK::DistinctNumeric mechanism we've already been employing for pid_t/ProcessID.
2021-08-28 23:11:16 +03:00
UserID new_uid = metadata.uid;
GroupID new_gid = metadata.gid;
Add chown() syscall and a simple /bin/chown program.
2019-02-27 14:32:53 +03:00
if (a_uid != (uid_t)-1) {
Kernel: Make Process::current() return a Process& instead of Process* This has several benefits: 1) We no longer just blindly derefence a null pointer in various places 2) We will get nicer runtime error messages if the current process does turn out to be null in the call location 3) GCC no longer complains about possible nullptr dereferences when compiling without KUBSAN
2021-08-19 22:45:07 +03:00
if (current_process.euid() != a_uid && !current_process.is_superuser())
Kernel+LibC: Turn errno codes into a strongly typed enum ..and allow implicit creation of KResult and KResultOr from ErrnoCode. This means that kernel functions that return those types can finally do "return EINVAL;" and it will just work. There's a handful of functions that still deal with signed integers that should be converted to return KResults.
2021-01-21 01:11:17 +03:00
return EPERM;
Add chown() syscall and a simple /bin/chown program.
2019-02-27 14:32:53 +03:00
new_uid = a_uid;
}
if (a_gid != (gid_t)-1) {
Kernel: Make Process::current() return a Process& instead of Process* This has several benefits: 1) We no longer just blindly derefence a null pointer in various places 2) We will get nicer runtime error messages if the current process does turn out to be null in the call location 3) GCC no longer complains about possible nullptr dereferences when compiling without KUBSAN
2021-08-19 22:45:07 +03:00
if (!current_process.in_group(a_gid) && !current_process.is_superuser())
Kernel+LibC: Turn errno codes into a strongly typed enum ..and allow implicit creation of KResult and KResultOr from ErrnoCode. This means that kernel functions that return those types can finally do "return EINVAL;" and it will just work. There's a handful of functions that still deal with signed integers that should be converted to return KResults.
2021-01-21 01:11:17 +03:00
return EPERM;
Add chown() syscall and a simple /bin/chown program.
2019-02-27 14:32:53 +03:00
new_gid = a_gid;
}
Kernel: Support read-only filesystem mounts This adds support for MS_RDONLY, a mount flag that tells the kernel to disallow any attempts to write to the newly mounted filesystem. As this flag is per-mount, and different mounts of the same filesystems (such as in case of bind mounts) can have different mutability settings, you have to go though a custody to find out if the filesystem is mounted read-only, instead of just asking the filesystem itself whether it's inherently read-only. This also adds a lot of checks we were previously missing; and moves some of them to happen after more specific checks (such as regular permission checks). One outstanding hole in this system is sys$mprotect(PROT_WRITE), as there's no way we can know if the original file description this region has been mounted from had been opened through a readonly mount point. Currently, we always allow such sys$mprotect() calls to succeed, which effectively allows anyone to circumvent the effect of MS_RDONLY. We should solve this one way or another.
2020-05-28 17:56:25 +03:00
if (custody.is_readonly())
Kernel+LibC: Turn errno codes into a strongly typed enum ..and allow implicit creation of KResult and KResultOr from ErrnoCode. This means that kernel functions that return those types can finally do "return EINVAL;" and it will just work. There's a handful of functions that still deal with signed integers that should be converted to return KResults.
2021-01-21 01:11:17 +03:00
return EROFS;
Kernel: Support read-only filesystem mounts This adds support for MS_RDONLY, a mount flag that tells the kernel to disallow any attempts to write to the newly mounted filesystem. As this flag is per-mount, and different mounts of the same filesystems (such as in case of bind mounts) can have different mutability settings, you have to go though a custody to find out if the filesystem is mounted read-only, instead of just asking the filesystem itself whether it's inherently read-only. This also adds a lot of checks we were previously missing; and moves some of them to happen after more specific checks (such as regular permission checks). One outstanding hole in this system is sys$mprotect(PROT_WRITE), as there's no way we can know if the original file description this region has been mounted from had been opened through a readonly mount point. Currently, we always allow such sys$mprotect() calls to succeed, which effectively allows anyone to circumvent the effect of MS_RDONLY. We should solve this one way or another.
2020-05-28 17:56:25 +03:00
Kernel: Rename VFS => VirtualFileSystem
2021-07-11 01:25:24 +03:00
dbgln_if(VFS_DEBUG, "VirtualFileSystem::chown(): inode {} <- uid={} gid={}", inode.identifier(), new_uid, new_gid);
Kernel: Strip SUID+SGID bits from file when written to or chowned Fixes #1624.
2020-04-04 20:46:55 +03:00
if (metadata.is_setuid() || metadata.is_setgid()) {
Kernel: Rename VFS => VirtualFileSystem
2021-07-11 01:25:24 +03:00
dbgln_if(VFS_DEBUG, "VirtualFileSystem::chown(): Stripping SUID/SGID bits from {}", inode.identifier());
Kernel: Use TRY() even more in VirtualFileSystem Allowing TRY() with KResult unlocked a whole lot more opportunities.
2021-09-05 15:55:25 +03:00
TRY(inode.chmod(metadata.mode & ~(04000 | 02000)));
Kernel: Strip SUID+SGID bits from file when written to or chowned Fixes #1624.
2020-04-04 20:46:55 +03:00
}
FileSystem: Port most of the code over to using custodies. The current working directory is now stored as a custody. Likewise for a process executable file. This unbreaks /proc/PID/fd which has not been working since we made the filesystem bigger. This still needs a bunch of work, for instance when renaming or removing a file somewhere, we have to update the relevant custody links.
2019-05-30 19:58:59 +03:00
return inode.chown(new_uid, new_gid);
Add chown() syscall and a simple /bin/chown program.
2019-02-27 14:32:53 +03:00
}
Kernel: Strongly typed user & group ID's Prior to this change, both uid_t and gid_t were typedef'ed to `u32`. This made it easy to use them interchangeably. Let's not allow that. This patch adds UserID and GroupID using the AK::DistinctNumeric mechanism we've already been employing for pid_t/ProcessID.
2021-08-28 23:11:16 +03:00
KResult VirtualFileSystem::chown(StringView path, UserID a_uid, GroupID a_gid, Custody& base)
FileSystem: Route chown() and fchown() through VFS for access control.
2019-06-02 13:30:24 +03:00
{
Kernel: Use TRY() in VirtualFileSystem
2021-09-05 15:00:18 +03:00
auto custody = TRY(resolve_path(path, base));
Kernel: Pass a Custody instead of Inode to VFS methods VFS no longer deals with inodes in public API, only with custodies and file descriptions. Talk directly to the file system if you need to operate on a inode. In most cases you actually want to go though VFS, to get proper permission check and other niceties. For this to work, you have to provide a custody, which describes *how* you have opened the inode, not just what the inode is.
2020-05-28 17:41:04 +03:00
return chown(custody, a_uid, a_gid);
FileSystem: Route chown() and fchown() through VFS for access control.
2019-06-02 13:30:24 +03:00
}
Kernel: Implement the same hard link protection as Linux sys$link() will now fail to create hard links in some cases where you don't own or have write access to the link target. Work towards #4934
2021-01-19 19:59:32 +03:00
static bool hard_link_allowed(const Inode& inode)
{
auto metadata = inode.metadata();
Kernel: Make Process::current() return a Process& instead of Process* This has several benefits: 1) We no longer just blindly derefence a null pointer in various places 2) We will get nicer runtime error messages if the current process does turn out to be null in the call location 3) GCC no longer complains about possible nullptr dereferences when compiling without KUBSAN
2021-08-19 22:45:07 +03:00
if (Process::current().euid() == metadata.uid)
Kernel: Implement the same hard link protection as Linux sys$link() will now fail to create hard links in some cases where you don't own or have write access to the link target. Work towards #4934
2021-01-19 19:59:32 +03:00
return true;
if (metadata.is_regular_file()
&& !metadata.is_setuid()
&& !(metadata.is_setgid() && metadata.mode & S_IXGRP)
Kernel: Make Process::current() return a Process& instead of Process* This has several benefits: 1) We no longer just blindly derefence a null pointer in various places 2) We will get nicer runtime error messages if the current process does turn out to be null in the call location 3) GCC no longer complains about possible nullptr dereferences when compiling without KUBSAN
2021-08-19 22:45:07 +03:00
&& metadata.may_write(Process::current())) {
Kernel: Implement the same hard link protection as Linux sys$link() will now fail to create hard links in some cases where you don't own or have write access to the link target. Work towards #4934
2021-01-19 19:59:32 +03:00
return true;
}
return false;
}
Kernel: Rename VFS => VirtualFileSystem
2021-07-11 01:25:24 +03:00
KResult VirtualFileSystem::link(StringView old_path, StringView new_path, Custody& base)
Kernel: Add link() syscall to create hard links. This accidentally grew into a little bit of VFS cleanup as well. Also add a simple /bin/ln implementation to exercise it.
2019-02-21 15:26:40 +03:00
{
Kernel: Use TRY() in VirtualFileSystem
2021-09-05 15:00:18 +03:00
auto old_custody = TRY(resolve_path(old_path, base));
auto& old_inode = old_custody->inode();
Kernel: Add link() syscall to create hard links. This accidentally grew into a little bit of VFS cleanup as well. Also add a simple /bin/ln implementation to exercise it.
2019-02-21 15:26:40 +03:00
AK: Rename RetainPtr => RefPtr and Retained => NonnullRefPtr.
2019-06-21 19:37:47 +03:00
RefPtr<Custody> parent_custody;
FileSystem: Rename VFS::resolve_path_to_custody() => resolve_path().
2019-05-31 16:30:09 +03:00
auto new_custody_or_error = resolve_path(new_path, base, &parent_custody);
FileSystem: Port most of the code over to using custodies. The current working directory is now stored as a custody. Likewise for a process executable file. This unbreaks /proc/PID/fd which has not been working since we made the filesystem bigger. This still needs a bunch of work, for instance when renaming or removing a file somewhere, we have to update the relevant custody links.
2019-05-30 19:58:59 +03:00
if (!new_custody_or_error.is_error())
Kernel+LibC: Turn errno codes into a strongly typed enum ..and allow implicit creation of KResult and KResultOr from ErrnoCode. This means that kernel functions that return those types can finally do "return EINVAL;" and it will just work. There's a handful of functions that still deal with signed integers that should be converted to return KResults.
2021-01-21 01:11:17 +03:00
return EEXIST;
Add unlink() syscall and /bin/rm. This patch adds most of the plumbing for working file deletion in Ext2FS. Directory entries are removed and inode link counts updated. We don't yet update the inode or block bitmaps, I will do that separately.
2019-01-22 09:03:44 +03:00
FileSystem: Port most of the code over to using custodies. The current working directory is now stored as a custody. Likewise for a process executable file. This unbreaks /proc/PID/fd which has not been working since we made the filesystem bigger. This still needs a bunch of work, for instance when renaming or removing a file somewhere, we have to update the relevant custody links.
2019-05-30 19:58:59 +03:00
if (!parent_custody)
Kernel+LibC: Turn errno codes into a strongly typed enum ..and allow implicit creation of KResult and KResultOr from ErrnoCode. This means that kernel functions that return those types can finally do "return EINVAL;" and it will just work. There's a handful of functions that still deal with signed integers that should be converted to return KResults.
2021-01-21 01:11:17 +03:00
return ENOENT;
Kernel: Use KResult in link().
2019-02-27 17:31:26 +03:00
FileSystem: Port most of the code over to using custodies. The current working directory is now stored as a custody. Likewise for a process executable file. This unbreaks /proc/PID/fd which has not been working since we made the filesystem bigger. This still needs a bunch of work, for instance when renaming or removing a file somewhere, we have to update the relevant custody links.
2019-05-30 19:58:59 +03:00
auto& parent_inode = parent_custody->inode();
if (parent_inode.fsid() != old_inode.fsid())
Kernel+LibC: Turn errno codes into a strongly typed enum ..and allow implicit creation of KResult and KResultOr from ErrnoCode. This means that kernel functions that return those types can finally do "return EINVAL;" and it will just work. There's a handful of functions that still deal with signed integers that should be converted to return KResults.
2021-01-21 01:11:17 +03:00
return EXDEV;
Kernel: Use KResult in link().
2019-02-27 17:31:26 +03:00
Kernel: Make Process::current() return a Process& instead of Process* This has several benefits: 1) We no longer just blindly derefence a null pointer in various places 2) We will get nicer runtime error messages if the current process does turn out to be null in the call location 3) GCC no longer complains about possible nullptr dereferences when compiling without KUBSAN
2021-08-19 22:45:07 +03:00
if (!parent_inode.metadata().may_write(Process::current()))
Kernel+LibC: Turn errno codes into a strongly typed enum ..and allow implicit creation of KResult and KResultOr from ErrnoCode. This means that kernel functions that return those types can finally do "return EINVAL;" and it will just work. There's a handful of functions that still deal with signed integers that should be converted to return KResults.
2021-01-21 01:11:17 +03:00
return EACCES;
Kernel: Use KResult in link().
2019-02-27 17:31:26 +03:00
Kernel: Trying to sys$link() a directory should fail with EPERM
2020-01-16 00:10:38 +03:00
if (old_inode.is_directory())
Kernel+LibC: Turn errno codes into a strongly typed enum ..and allow implicit creation of KResult and KResultOr from ErrnoCode. This means that kernel functions that return those types can finally do "return EINVAL;" and it will just work. There's a handful of functions that still deal with signed integers that should be converted to return KResults.
2021-01-21 01:11:17 +03:00
return EPERM;
Kernel: Trying to sys$link() a directory should fail with EPERM
2020-01-16 00:10:38 +03:00
Kernel: Support read-only filesystem mounts This adds support for MS_RDONLY, a mount flag that tells the kernel to disallow any attempts to write to the newly mounted filesystem. As this flag is per-mount, and different mounts of the same filesystems (such as in case of bind mounts) can have different mutability settings, you have to go though a custody to find out if the filesystem is mounted read-only, instead of just asking the filesystem itself whether it's inherently read-only. This also adds a lot of checks we were previously missing; and moves some of them to happen after more specific checks (such as regular permission checks). One outstanding hole in this system is sys$mprotect(PROT_WRITE), as there's no way we can know if the original file description this region has been mounted from had been opened through a readonly mount point. Currently, we always allow such sys$mprotect() calls to succeed, which effectively allows anyone to circumvent the effect of MS_RDONLY. We should solve this one way or another.
2020-05-28 17:56:25 +03:00
if (parent_custody->is_readonly())
Kernel+LibC: Turn errno codes into a strongly typed enum ..and allow implicit creation of KResult and KResultOr from ErrnoCode. This means that kernel functions that return those types can finally do "return EINVAL;" and it will just work. There's a handful of functions that still deal with signed integers that should be converted to return KResults.
2021-01-21 01:11:17 +03:00
return EROFS;
Kernel: Support read-only filesystem mounts This adds support for MS_RDONLY, a mount flag that tells the kernel to disallow any attempts to write to the newly mounted filesystem. As this flag is per-mount, and different mounts of the same filesystems (such as in case of bind mounts) can have different mutability settings, you have to go though a custody to find out if the filesystem is mounted read-only, instead of just asking the filesystem itself whether it's inherently read-only. This also adds a lot of checks we were previously missing; and moves some of them to happen after more specific checks (such as regular permission checks). One outstanding hole in this system is sys$mprotect(PROT_WRITE), as there's no way we can know if the original file description this region has been mounted from had been opened through a readonly mount point. Currently, we always allow such sys$mprotect() calls to succeed, which effectively allows anyone to circumvent the effect of MS_RDONLY. We should solve this one way or another.
2020-05-28 17:56:25 +03:00
Kernel: Implement the same hard link protection as Linux sys$link() will now fail to create hard links in some cases where you don't own or have write access to the link target. Work towards #4934
2021-01-19 19:59:32 +03:00
if (!hard_link_allowed(old_inode))
Kernel+LibC: Turn errno codes into a strongly typed enum ..and allow implicit creation of KResult and KResultOr from ErrnoCode. This means that kernel functions that return those types can finally do "return EINVAL;" and it will just work. There's a handful of functions that still deal with signed integers that should be converted to return KResults.
2021-01-21 01:11:17 +03:00
return EPERM;
Kernel: Implement the same hard link protection as Linux sys$link() will now fail to create hard links in some cases where you don't own or have write access to the link target. Work towards #4934
2021-01-19 19:59:32 +03:00
Kernel: Replace usage of LexicalPath with KLexicalPath This replaces all uses of LexicalPath in the Kernel with the functions from KLexicalPath. This also allows the Kernel to stop including AK::LexicalPath.
2021-07-06 12:21:52 +03:00
return parent_inode.add_child(old_inode, KLexicalPath::basename(new_path), old_inode.mode());
Kernel: Add link() syscall to create hard links. This accidentally grew into a little bit of VFS cleanup as well. Also add a simple /bin/ln implementation to exercise it.
2019-02-21 15:26:40 +03:00
}
Kernel: Rename VFS => VirtualFileSystem
2021-07-11 01:25:24 +03:00
KResult VirtualFileSystem::unlink(StringView path, Custody& base)
Kernel: Add link() syscall to create hard links. This accidentally grew into a little bit of VFS cleanup as well. Also add a simple /bin/ln implementation to exercise it.
2019-02-21 15:26:40 +03:00
{
AK: Rename RetainPtr => RefPtr and Retained => NonnullRefPtr.
2019-06-21 19:37:47 +03:00
RefPtr<Custody> parent_custody;
Kernel: Use TRY() in VirtualFileSystem
2021-09-05 15:00:18 +03:00
auto custody = TRY(resolve_path(path, base, &parent_custody, O_NOFOLLOW_NOERROR | O_UNLINK_INTERNAL));
auto& inode = custody->inode();
VFS: unlink() should fail when called on a directory.
2019-01-23 07:35:42 +03:00
FileSystem: Port most of the code over to using custodies. The current working directory is now stored as a custody. Likewise for a process executable file. This unbreaks /proc/PID/fd which has not been working since we made the filesystem bigger. This still needs a bunch of work, for instance when renaming or removing a file somewhere, we have to update the relevant custody links.
2019-05-30 19:58:59 +03:00
if (inode.is_directory())
Kernel+LibC: Turn errno codes into a strongly typed enum ..and allow implicit creation of KResult and KResultOr from ErrnoCode. This means that kernel functions that return those types can finally do "return EINVAL;" and it will just work. There's a handful of functions that still deal with signed integers that should be converted to return KResults.
2021-01-21 01:11:17 +03:00
return EISDIR;
Kernel: Start adding various file system permission checks. Fail with EACCES in various situations. Fix userland bugs that were exposed.
2019-02-21 17:45:31 +03:00
Kernel: Support read-only filesystem mounts This adds support for MS_RDONLY, a mount flag that tells the kernel to disallow any attempts to write to the newly mounted filesystem. As this flag is per-mount, and different mounts of the same filesystems (such as in case of bind mounts) can have different mutability settings, you have to go though a custody to find out if the filesystem is mounted read-only, instead of just asking the filesystem itself whether it's inherently read-only. This also adds a lot of checks we were previously missing; and moves some of them to happen after more specific checks (such as regular permission checks). One outstanding hole in this system is sys$mprotect(PROT_WRITE), as there's no way we can know if the original file description this region has been mounted from had been opened through a readonly mount point. Currently, we always allow such sys$mprotect() calls to succeed, which effectively allows anyone to circumvent the effect of MS_RDONLY. We should solve this one way or another.
2020-05-28 17:56:25 +03:00
// We have just checked that the inode is not a directory, and thus it's not
// the root. So it should have a parent. Note that this would be invalidated
// if we were to support bind-mounting regular files on top of the root.
Everywhere: Rename ASSERT => VERIFY (...and ASSERT_NOT_REACHED => VERIFY_NOT_REACHED) Since all of these checks are done in release builds as well, let's rename them to VERIFY to prevent confusion, as everyone is used to assertions being compiled out in release. We can introduce a new ASSERT macro that is specifically for debug checks, but I'm doing this wholesale conversion first since we've accumulated thousands of these already, and it's not immediately obvious which ones are suitable for ASSERT.
2021-02-23 22:42:32 +03:00
VERIFY(parent_custody);
Kernel: Support read-only filesystem mounts This adds support for MS_RDONLY, a mount flag that tells the kernel to disallow any attempts to write to the newly mounted filesystem. As this flag is per-mount, and different mounts of the same filesystems (such as in case of bind mounts) can have different mutability settings, you have to go though a custody to find out if the filesystem is mounted read-only, instead of just asking the filesystem itself whether it's inherently read-only. This also adds a lot of checks we were previously missing; and moves some of them to happen after more specific checks (such as regular permission checks). One outstanding hole in this system is sys$mprotect(PROT_WRITE), as there's no way we can know if the original file description this region has been mounted from had been opened through a readonly mount point. Currently, we always allow such sys$mprotect() calls to succeed, which effectively allows anyone to circumvent the effect of MS_RDONLY. We should solve this one way or another.
2020-05-28 17:56:25 +03:00
FileSystem: Port most of the code over to using custodies. The current working directory is now stored as a custody. Likewise for a process executable file. This unbreaks /proc/PID/fd which has not been working since we made the filesystem bigger. This still needs a bunch of work, for instance when renaming or removing a file somewhere, we have to update the relevant custody links.
2019-05-30 19:58:59 +03:00
auto& parent_inode = parent_custody->inode();
Kernel: Make Process::current() return a Process& instead of Process* This has several benefits: 1) We no longer just blindly derefence a null pointer in various places 2) We will get nicer runtime error messages if the current process does turn out to be null in the call location 3) GCC no longer complains about possible nullptr dereferences when compiling without KUBSAN
2021-08-19 22:45:07 +03:00
auto& current_process = Process::current();
if (!parent_inode.metadata().may_write(current_process))
Kernel+LibC: Turn errno codes into a strongly typed enum ..and allow implicit creation of KResult and KResultOr from ErrnoCode. This means that kernel functions that return those types can finally do "return EINVAL;" and it will just work. There's a handful of functions that still deal with signed integers that should be converted to return KResults.
2021-01-21 01:11:17 +03:00
return EACCES;
Add unlink() syscall and /bin/rm. This patch adds most of the plumbing for working file deletion in Ext2FS. Directory entries are removed and inode link counts updated. We don't yet update the inode or block bitmaps, I will do that separately.
2019-01-22 09:03:44 +03:00
FileSystem: Port most of the code over to using custodies. The current working directory is now stored as a custody. Likewise for a process executable file. This unbreaks /proc/PID/fd which has not been working since we made the filesystem bigger. This still needs a bunch of work, for instance when renaming or removing a file somewhere, we have to update the relevant custody links.
2019-05-30 19:58:59 +03:00
if (parent_inode.metadata().is_sticky()) {
Kernel: Make Process::current() return a Process& instead of Process* This has several benefits: 1) We no longer just blindly derefence a null pointer in various places 2) We will get nicer runtime error messages if the current process does turn out to be null in the call location 3) GCC no longer complains about possible nullptr dereferences when compiling without KUBSAN
2021-08-19 22:45:07 +03:00
if (!current_process.is_superuser() && inode.metadata().uid != current_process.euid())
Kernel+LibC: Turn errno codes into a strongly typed enum ..and allow implicit creation of KResult and KResultOr from ErrnoCode. This means that kernel functions that return those types can finally do "return EINVAL;" and it will just work. There's a handful of functions that still deal with signed integers that should be converted to return KResults.
2021-01-21 01:11:17 +03:00
return EACCES;
VFS: Implement sticky bit behavior for rename() and unlink(). Removing entries from a sticky directory is only allowed when you are either the owner of the entry, or the superuser. :^)
2019-04-28 23:54:30 +03:00
}
Kernel: Support read-only filesystem mounts This adds support for MS_RDONLY, a mount flag that tells the kernel to disallow any attempts to write to the newly mounted filesystem. As this flag is per-mount, and different mounts of the same filesystems (such as in case of bind mounts) can have different mutability settings, you have to go though a custody to find out if the filesystem is mounted read-only, instead of just asking the filesystem itself whether it's inherently read-only. This also adds a lot of checks we were previously missing; and moves some of them to happen after more specific checks (such as regular permission checks). One outstanding hole in this system is sys$mprotect(PROT_WRITE), as there's no way we can know if the original file description this region has been mounted from had been opened through a readonly mount point. Currently, we always allow such sys$mprotect() calls to succeed, which effectively allows anyone to circumvent the effect of MS_RDONLY. We should solve this one way or another.
2020-05-28 17:56:25 +03:00
if (parent_custody->is_readonly())
Kernel+LibC: Turn errno codes into a strongly typed enum ..and allow implicit creation of KResult and KResultOr from ErrnoCode. This means that kernel functions that return those types can finally do "return EINVAL;" and it will just work. There's a handful of functions that still deal with signed integers that should be converted to return KResults.
2021-01-21 01:11:17 +03:00
return EROFS;
Kernel: Support read-only filesystem mounts This adds support for MS_RDONLY, a mount flag that tells the kernel to disallow any attempts to write to the newly mounted filesystem. As this flag is per-mount, and different mounts of the same filesystems (such as in case of bind mounts) can have different mutability settings, you have to go though a custody to find out if the filesystem is mounted read-only, instead of just asking the filesystem itself whether it's inherently read-only. This also adds a lot of checks we were previously missing; and moves some of them to happen after more specific checks (such as regular permission checks). One outstanding hole in this system is sys$mprotect(PROT_WRITE), as there's no way we can know if the original file description this region has been mounted from had been opened through a readonly mount point. Currently, we always allow such sys$mprotect() calls to succeed, which effectively allows anyone to circumvent the effect of MS_RDONLY. We should solve this one way or another.
2020-05-28 17:56:25 +03:00
Kernel: Use TRY() even more in VirtualFileSystem Allowing TRY() with KResult unlocked a whole lot more opportunities.
2021-09-05 15:55:25 +03:00
return parent_inode.remove_child(KLexicalPath::basename(path));
Add unlink() syscall and /bin/rm. This patch adds most of the plumbing for working file deletion in Ext2FS. Directory entries are removed and inode link counts updated. We don't yet update the inode or block bitmaps, I will do that separately.
2019-01-22 09:03:44 +03:00
}
Kernel: Rename VFS => VirtualFileSystem
2021-07-11 01:25:24 +03:00
KResult VirtualFileSystem::symlink(StringView target, StringView linkpath, Custody& base)
Kernel+Userland: Add symlink() syscall and add "-s" flag to /bin/ln. It's now possible to create symbolic links! :^) This exposed an issue in Ext2FS where we'd write uninitialized data past the end of an inode's content. Fix this by zeroing out the tail end of the last block in a file.
2019-03-02 03:50:34 +03:00
{
AK: Rename RetainPtr => RefPtr and Retained => NonnullRefPtr.
2019-06-21 19:37:47 +03:00
RefPtr<Custody> parent_custody;
FileSystem: Rename VFS::resolve_path_to_custody() => resolve_path().
2019-05-31 16:30:09 +03:00
auto existing_custody_or_error = resolve_path(linkpath, base, &parent_custody);
FileSystem: Port most of the code over to using custodies. The current working directory is now stored as a custody. Likewise for a process executable file. This unbreaks /proc/PID/fd which has not been working since we made the filesystem bigger. This still needs a bunch of work, for instance when renaming or removing a file somewhere, we have to update the relevant custody links.
2019-05-30 19:58:59 +03:00
if (!existing_custody_or_error.is_error())
Kernel+LibC: Turn errno codes into a strongly typed enum ..and allow implicit creation of KResult and KResultOr from ErrnoCode. This means that kernel functions that return those types can finally do "return EINVAL;" and it will just work. There's a handful of functions that still deal with signed integers that should be converted to return KResults.
2021-01-21 01:11:17 +03:00
return EEXIST;
FileSystem: Port most of the code over to using custodies. The current working directory is now stored as a custody. Likewise for a process executable file. This unbreaks /proc/PID/fd which has not been working since we made the filesystem bigger. This still needs a bunch of work, for instance when renaming or removing a file somewhere, we have to update the relevant custody links.
2019-05-30 19:58:59 +03:00
if (!parent_custody)
Kernel+LibC: Turn errno codes into a strongly typed enum ..and allow implicit creation of KResult and KResultOr from ErrnoCode. This means that kernel functions that return those types can finally do "return EINVAL;" and it will just work. There's a handful of functions that still deal with signed integers that should be converted to return KResults.
2021-01-21 01:11:17 +03:00
return ENOENT;
Kernel: Stop allowing implicit conversion from KResult to int This patch removes KResult::operator int() and deals with the fallout. This forces a lot of code to be more explicit in its handling of errors, greatly improving readability.
2021-08-14 16:15:11 +03:00
if (existing_custody_or_error.is_error() && existing_custody_or_error.error() != ENOENT)
FileSystem: Port most of the code over to using custodies. The current working directory is now stored as a custody. Likewise for a process executable file. This unbreaks /proc/PID/fd which has not been working since we made the filesystem bigger. This still needs a bunch of work, for instance when renaming or removing a file somewhere, we have to update the relevant custody links.
2019-05-30 19:58:59 +03:00
return existing_custody_or_error.error();
auto& parent_inode = parent_custody->inode();
Kernel: Make Process::current() return a Process& instead of Process* This has several benefits: 1) We no longer just blindly derefence a null pointer in various places 2) We will get nicer runtime error messages if the current process does turn out to be null in the call location 3) GCC no longer complains about possible nullptr dereferences when compiling without KUBSAN
2021-08-19 22:45:07 +03:00
auto& current_process = Process::current();
if (!parent_inode.metadata().may_write(current_process))
Kernel+LibC: Turn errno codes into a strongly typed enum ..and allow implicit creation of KResult and KResultOr from ErrnoCode. This means that kernel functions that return those types can finally do "return EINVAL;" and it will just work. There's a handful of functions that still deal with signed integers that should be converted to return KResults.
2021-01-21 01:11:17 +03:00
return EACCES;
Kernel: Support read-only filesystem mounts This adds support for MS_RDONLY, a mount flag that tells the kernel to disallow any attempts to write to the newly mounted filesystem. As this flag is per-mount, and different mounts of the same filesystems (such as in case of bind mounts) can have different mutability settings, you have to go though a custody to find out if the filesystem is mounted read-only, instead of just asking the filesystem itself whether it's inherently read-only. This also adds a lot of checks we were previously missing; and moves some of them to happen after more specific checks (such as regular permission checks). One outstanding hole in this system is sys$mprotect(PROT_WRITE), as there's no way we can know if the original file description this region has been mounted from had been opened through a readonly mount point. Currently, we always allow such sys$mprotect() calls to succeed, which effectively allows anyone to circumvent the effect of MS_RDONLY. We should solve this one way or another.
2020-05-28 17:56:25 +03:00
if (parent_custody->is_readonly())
Kernel+LibC: Turn errno codes into a strongly typed enum ..and allow implicit creation of KResult and KResultOr from ErrnoCode. This means that kernel functions that return those types can finally do "return EINVAL;" and it will just work. There's a handful of functions that still deal with signed integers that should be converted to return KResults.
2021-01-21 01:11:17 +03:00
return EROFS;
Kernel+Userland: Add symlink() syscall and add "-s" flag to /bin/ln. It's now possible to create symbolic links! :^) This exposed an issue in Ext2FS where we'd write uninitialized data past the end of an inode's content. Fix this by zeroing out the tail end of the last block in a file.
2019-03-02 03:50:34 +03:00
Kernel: Replace usage of LexicalPath with KLexicalPath This replaces all uses of LexicalPath in the Kernel with the functions from KLexicalPath. This also allows the Kernel to stop including AK::LexicalPath.
2021-07-06 12:21:52 +03:00
auto basename = KLexicalPath::basename(linkpath);
Kernel: Rename VFS => VirtualFileSystem
2021-07-11 01:25:24 +03:00
dbgln_if(VFS_DEBUG, "VirtualFileSystem::symlink: '{}' (-> '{}') in {}", basename, target, parent_inode.identifier());
Kernel: Use TRY() in VirtualFileSystem
2021-09-05 15:00:18 +03:00
auto inode = TRY(parent_inode.create_child(basename, S_IFLNK | 0644, 0, current_process.euid(), current_process.egid()));
Kernel: Make copy_to/from_user safe and remove unnecessary checks Since the CPU already does almost all necessary validation steps for us, we don't really need to attempt to do this. Doing it ourselves doesn't really work very reliably, because we'd have to account for other processors modifying virtual memory, and we'd have to account for e.g. pages not being able to be allocated due to insufficient resources. So change the copy_to/from_user (and associated helper functions) to use the new safe_memcpy, which will return whether it succeeded or not. The only manual validation step needed (which the CPU can't perform for us) is making sure the pointers provided by user mode aren't pointing to kernel mappings. To make it easier to read/write from/to either kernel or user mode data add the UserOrKernelBuffer helper class, which will internally either use copy_from/to_user or directly memcpy, or pass the data through directly using a temporary buffer on the stack. Last but not least we need to keep syscall params trivial as we need to copy them from/to user mode using copy_from/to_user.
2020-09-12 06:11:07 +03:00
auto target_buffer = UserOrKernelBuffer::for_kernel_buffer(const_cast<u8*>((const u8*)target.characters_without_null_termination()));
Kernel: Use TRY() in VirtualFileSystem
2021-09-05 15:00:18 +03:00
TRY(inode->write_bytes(0, target.length(), target_buffer, nullptr));
Kernel+Userland: Add symlink() syscall and add "-s" flag to /bin/ln. It's now possible to create symbolic links! :^) This exposed an issue in Ext2FS where we'd write uninitialized data past the end of an inode's content. Fix this by zeroing out the tail end of the last block in a file.
2019-03-02 03:50:34 +03:00
return KSuccess;
}
Kernel: Rename VFS => VirtualFileSystem
2021-07-11 01:25:24 +03:00
KResult VirtualFileSystem::rmdir(StringView path, Custody& base)
Add support for removing directories. It's really only supported in Ext2FS since SynthFS doesn't really want you mucking around with its files. This is pretty neat though :^) I ran into some trouble with HashMap while working on this but opted to work around it and leave that for a separate investigation.
2019-01-28 06:16:01 +03:00
{
AK: Rename RetainPtr => RefPtr and Retained => NonnullRefPtr.
2019-06-21 19:37:47 +03:00
RefPtr<Custody> parent_custody;
Kernel: Use TRY() in VirtualFileSystem
2021-09-05 15:00:18 +03:00
auto custody = TRY(resolve_path(path, base, &parent_custody));
auto& inode = custody->inode();
Add support for removing directories. It's really only supported in Ext2FS since SynthFS doesn't really want you mucking around with its files. This is pretty neat though :^) I ran into some trouble with HashMap while working on this but opted to work around it and leave that for a separate investigation.
2019-01-28 06:16:01 +03:00
// FIXME: We should return EINVAL if the last component of the path is "."
// FIXME: We should return ENOTEMPTY if the last component of the path is ".."
FileSystem: Port most of the code over to using custodies. The current working directory is now stored as a custody. Likewise for a process executable file. This unbreaks /proc/PID/fd which has not been working since we made the filesystem bigger. This still needs a bunch of work, for instance when renaming or removing a file somewhere, we have to update the relevant custody links.
2019-05-30 19:58:59 +03:00
if (!inode.is_directory())
Kernel+LibC: Turn errno codes into a strongly typed enum ..and allow implicit creation of KResult and KResultOr from ErrnoCode. This means that kernel functions that return those types can finally do "return EINVAL;" and it will just work. There's a handful of functions that still deal with signed integers that should be converted to return KResults.
2021-01-21 01:11:17 +03:00
return ENOTDIR;
Kernel: Start adding various file system permission checks. Fail with EACCES in various situations. Fix userland bugs that were exposed.
2019-02-21 17:45:31 +03:00
Kernel: rmdir("/") should fail instead of asserting We can't assume there's always a parent custody -- when we open "/" there isn't gonna be one! Fixes #1858.
2020-04-19 19:07:16 +03:00
if (!parent_custody)
Kernel+LibC: Turn errno codes into a strongly typed enum ..and allow implicit creation of KResult and KResultOr from ErrnoCode. This means that kernel functions that return those types can finally do "return EINVAL;" and it will just work. There's a handful of functions that still deal with signed integers that should be converted to return KResults.
2021-01-21 01:11:17 +03:00
return EBUSY;
Kernel: rmdir("/") should fail instead of asserting We can't assume there's always a parent custody -- when we open "/" there isn't gonna be one! Fixes #1858.
2020-04-19 19:07:16 +03:00
FileSystem: Port most of the code over to using custodies. The current working directory is now stored as a custody. Likewise for a process executable file. This unbreaks /proc/PID/fd which has not been working since we made the filesystem bigger. This still needs a bunch of work, for instance when renaming or removing a file somewhere, we have to update the relevant custody links.
2019-05-30 19:58:59 +03:00
auto& parent_inode = parent_custody->inode();
Kernel: Don't allow non-root, non-owners to rmdir any child of sticky We were not handling sticky parents properly in sys$rmdir(). Child directories of a sticky parent should not be rmdir'able by just anyone. Only the owner and root. Fixes #4875.
2021-01-10 12:12:15 +03:00
auto parent_metadata = parent_inode.metadata();
FileSystem: Port most of the code over to using custodies. The current working directory is now stored as a custody. Likewise for a process executable file. This unbreaks /proc/PID/fd which has not been working since we made the filesystem bigger. This still needs a bunch of work, for instance when renaming or removing a file somewhere, we have to update the relevant custody links.
2019-05-30 19:58:59 +03:00
Kernel: Make Process::current() return a Process& instead of Process* This has several benefits: 1) We no longer just blindly derefence a null pointer in various places 2) We will get nicer runtime error messages if the current process does turn out to be null in the call location 3) GCC no longer complains about possible nullptr dereferences when compiling without KUBSAN
2021-08-19 22:45:07 +03:00
auto& current_process = Process::current();
if (!parent_metadata.may_write(current_process))
Kernel+LibC: Turn errno codes into a strongly typed enum ..and allow implicit creation of KResult and KResultOr from ErrnoCode. This means that kernel functions that return those types can finally do "return EINVAL;" and it will just work. There's a handful of functions that still deal with signed integers that should be converted to return KResults.
2021-01-21 01:11:17 +03:00
return EACCES;
Add support for removing directories. It's really only supported in Ext2FS since SynthFS doesn't really want you mucking around with its files. This is pretty neat though :^) I ran into some trouble with HashMap while working on this but opted to work around it and leave that for a separate investigation.
2019-01-28 06:16:01 +03:00
Kernel: Don't allow non-root, non-owners to rmdir any child of sticky We were not handling sticky parents properly in sys$rmdir(). Child directories of a sticky parent should not be rmdir'able by just anyone. Only the owner and root. Fixes #4875.
2021-01-10 12:12:15 +03:00
if (parent_metadata.is_sticky()) {
Kernel: Make Process::current() return a Process& instead of Process* This has several benefits: 1) We no longer just blindly derefence a null pointer in various places 2) We will get nicer runtime error messages if the current process does turn out to be null in the call location 3) GCC no longer complains about possible nullptr dereferences when compiling without KUBSAN
2021-08-19 22:45:07 +03:00
if (!current_process.is_superuser() && inode.metadata().uid != current_process.euid())
Kernel+LibC: Turn errno codes into a strongly typed enum ..and allow implicit creation of KResult and KResultOr from ErrnoCode. This means that kernel functions that return those types can finally do "return EINVAL;" and it will just work. There's a handful of functions that still deal with signed integers that should be converted to return KResults.
2021-01-21 01:11:17 +03:00
return EACCES;
Kernel: Don't allow non-root, non-owners to rmdir any child of sticky We were not handling sticky parents properly in sys$rmdir(). Child directories of a sticky parent should not be rmdir'able by just anyone. Only the owner and root. Fixes #4875.
2021-01-10 12:12:15 +03:00
}
Kernel: Count remaining children in VirtualFileSystem::rmdir() manually To count the remaining children, we simply need to traverse the directory and increment a counter. No need for a custom virtual that all file systems have to implement. :^)
2021-07-17 23:34:43 +03:00
size_t child_count = 0;
Kernel: Wrap two VirtualFileSystem directory traversals in TRY()
2021-09-06 21:30:18 +03:00
TRY(inode.traverse_as_directory([&child_count](auto&) {
Kernel: Count remaining children in VirtualFileSystem::rmdir() manually To count the remaining children, we simply need to traverse the directory and increment a counter. No need for a custom virtual that all file systems have to implement. :^)
2021-07-17 23:34:43 +03:00
++child_count;
return true;
Kernel: Wrap two VirtualFileSystem directory traversals in TRY()
2021-09-06 21:30:18 +03:00
}));
Kernel: Make Inode::directory_entry_count errors observable. Certain implementations of Inode::directory_entry_count were calling functions which returned errors, but had no way of surfacing them. Switch the return type to KResultOr<size_t> and start observing these error paths.
2020-08-05 11:00:18 +03:00
Kernel: Count remaining children in VirtualFileSystem::rmdir() manually To count the remaining children, we simply need to traverse the directory and increment a counter. No need for a custom virtual that all file systems have to implement. :^)
2021-07-17 23:34:43 +03:00
if (child_count != 2)
Kernel+LibC: Turn errno codes into a strongly typed enum ..and allow implicit creation of KResult and KResultOr from ErrnoCode. This means that kernel functions that return those types can finally do "return EINVAL;" and it will just work. There's a handful of functions that still deal with signed integers that should be converted to return KResults.
2021-01-21 01:11:17 +03:00
return ENOTEMPTY;
Add support for removing directories. It's really only supported in Ext2FS since SynthFS doesn't really want you mucking around with its files. This is pretty neat though :^) I ran into some trouble with HashMap while working on this but opted to work around it and leave that for a separate investigation.
2019-01-28 06:16:01 +03:00
Kernel: Use TRY() in VirtualFileSystem
2021-09-05 15:00:18 +03:00
if (custody->is_readonly())
Kernel+LibC: Turn errno codes into a strongly typed enum ..and allow implicit creation of KResult and KResultOr from ErrnoCode. This means that kernel functions that return those types can finally do "return EINVAL;" and it will just work. There's a handful of functions that still deal with signed integers that should be converted to return KResults.
2021-01-21 01:11:17 +03:00
return EROFS;
Kernel: Support read-only filesystem mounts This adds support for MS_RDONLY, a mount flag that tells the kernel to disallow any attempts to write to the newly mounted filesystem. As this flag is per-mount, and different mounts of the same filesystems (such as in case of bind mounts) can have different mutability settings, you have to go though a custody to find out if the filesystem is mounted read-only, instead of just asking the filesystem itself whether it's inherently read-only. This also adds a lot of checks we were previously missing; and moves some of them to happen after more specific checks (such as regular permission checks). One outstanding hole in this system is sys$mprotect(PROT_WRITE), as there's no way we can know if the original file description this region has been mounted from had been opened through a readonly mount point. Currently, we always allow such sys$mprotect() calls to succeed, which effectively allows anyone to circumvent the effect of MS_RDONLY. We should solve this one way or another.
2020-05-28 17:56:25 +03:00
Kernel: Use TRY() even more in VirtualFileSystem Allowing TRY() with KResult unlocked a whole lot more opportunities.
2021-09-05 15:55:25 +03:00
TRY(inode.remove_child("."));
TRY(inode.remove_child(".."));
Add support for removing directories. It's really only supported in Ext2FS since SynthFS doesn't really want you mucking around with its files. This is pretty neat though :^) I ran into some trouble with HashMap while working on this but opted to work around it and leave that for a separate investigation.
2019-01-28 06:16:01 +03:00
Kernel: Replace usage of LexicalPath with KLexicalPath This replaces all uses of LexicalPath in the Kernel with the functions from KLexicalPath. This also allows the Kernel to stop including AK::LexicalPath.
2021-07-06 12:21:52 +03:00
return parent_inode.remove_child(KLexicalPath::basename(path));
Add support for removing directories. It's really only supported in Ext2FS since SynthFS doesn't really want you mucking around with its files. This is pretty neat though :^) I ran into some trouble with HashMap while working on this but opted to work around it and leave that for a separate investigation.
2019-01-28 06:16:01 +03:00
}
Kernel: Use ProtectedValue for VirtualFileSystem::m_mounts This is what VirtualFileSystem::m_lock was actually guarding, and wrapping it in a ProtectedValue makes it so much more obvious how it all works. :^)
2021-08-16 02:40:19 +03:00
void VirtualFileSystem::for_each_mount(Function<void(Mount const&)> callback) const
Add a simple /proc/mounts that enumerates the current VFS mounts.
2018-10-26 19:43:25 +03:00
{
Kernel: Use ProtectedValue for VirtualFileSystem::m_mounts This is what VirtualFileSystem::m_lock was actually guarding, and wrapping it in a ProtectedValue makes it so much more obvious how it all works. :^)
2021-08-16 02:40:19 +03:00
m_mounts.with_shared([&](auto& mounts) {
for (auto& mount : mounts) {
callback(mount);
}
});
Add a simple /proc/mounts that enumerates the current VFS mounts.
2018-10-26 19:43:25 +03:00
}
Add sync() syscall and a /bin/sync. It walks all the live Inode objects and flushes pending metadata changes wherever needed. This could be optimized by keeping a separate list of dirty Inodes, but let's not get ahead of ourselves.
2018-12-20 02:39:29 +03:00
Kernel: Rename VFS => VirtualFileSystem
2021-07-11 01:25:24 +03:00
void VirtualFileSystem::sync()
Add sync() syscall and a /bin/sync. It walks all the live Inode objects and flushes pending metadata changes wherever needed. This could be optimized by keeping a separate list of dirty Inodes, but let's not get ahead of ourselves.
2018-12-20 02:39:29 +03:00
{
Kernel: Rename FS => FileSystem This matches our common naming style better.
2021-07-11 01:20:38 +03:00
FileSystem::sync();
Add sync() syscall and a /bin/sync. It walks all the live Inode objects and flushes pending metadata changes wherever needed. This could be optimized by keeping a separate list of dirty Inodes, but let's not get ahead of ourselves.
2018-12-20 02:39:29 +03:00
}
FileSystem: Add a Custody class that represents a parent/child guardianship. A custody is kind of a directory entry abstraction that represents a single entry in a parent directory that tells us the name of a child inode. The idea here is for path resolution to produce a chain of custody objects.
2019-05-30 18:46:08 +03:00
Kernel: Rename VFS => VirtualFileSystem
2021-07-11 01:25:24 +03:00
Custody& VirtualFileSystem::root_custody()
FileSystem: Add a Custody class that represents a parent/child guardianship. A custody is kind of a directory entry abstraction that represents a single entry in a parent directory that tells us the name of a child inode. The idea here is for path resolution to produce a chain of custody objects.
2019-05-30 18:46:08 +03:00
{
return *m_root_custody;
}
Kernel: Rename VFS => VirtualFileSystem
2021-07-11 01:25:24 +03:00
UnveilNode const& VirtualFileSystem::find_matching_unveiled_path(StringView path)
Kernel: Implement unveil() as a prefix-tree Fixes #4530.
2020-12-26 13:24:34 +03:00
{
Kernel: Make Process::current() return a Process& instead of Process* This has several benefits: 1) We no longer just blindly derefence a null pointer in various places 2) We will get nicer runtime error messages if the current process does turn out to be null in the call location 3) GCC no longer complains about possible nullptr dereferences when compiling without KUBSAN
2021-08-19 22:45:07 +03:00
auto& current_process = Process::current();
VERIFY(current_process.veil_state() != VeilState::None);
auto& unveil_root = current_process.unveiled_paths();
Kernel: Implement unveil() as a prefix-tree Fixes #4530.
2020-12-26 13:24:34 +03:00
Kernel: Replace usage of LexicalPath with KLexicalPath This replaces all uses of LexicalPath in the Kernel with the functions from KLexicalPath. This also allows the Kernel to stop including AK::LexicalPath.
2021-07-06 12:21:52 +03:00
auto path_parts = KLexicalPath::parts(path);
Kernel: Don't assume there are no nodes if m_unveiled_paths.is_empty() If m_unveiled_paths.is_empty(), the root node (which is m_unveiled_paths itself) is the matching veil. This means we should not return nullptr in this case, but just use the code path for the general case. This fixes a bug where calling e.g. unveil("/", "r") would refuse you access to anything, because find_matching_unveiled_path would wrongly return nullptr. Since find_matching_unveiled_path can no longer return nullptr, we can now just return a reference instead.
2021-06-07 00:13:26 +03:00
return unveil_root.traverse_until_last_accessible_node(path_parts.begin(), path_parts.end());
Kernel: Add a basic implementation of unveil() This syscall is a complement to pledge() and adds the same sort of incremental relinquishing of capabilities for filesystem access. The first call to unveil() will "drop a veil" on the process, and from now on, only unveiled parts of the filesystem are visible to it. Each call to unveil() specifies a path to either a directory or a file along with permissions for that path. The permissions are a combination of the following: - r: Read access (like the "rpath" promise) - w: Write access (like the "wpath" promise) - x: Execute access - c: Create/remove access (like the "cpath" promise) Attempts to open a path that has not been unveiled with fail with ENOENT. If the unveiled path lacks sufficient permissions, it will fail with EACCES. Like pledge(), subsequent calls to unveil() with the same path can only remove permissions, not add them. Once you call unveil(nullptr, nullptr), the veil is locked, and it's no longer possible to unveil any more paths for the process, ever. This concept comes from OpenBSD, and their implementation does various things differently, I'm sure. This is just a first implementation for SerenityOS, and we'll keep improving on it as we go. :^)
2020-01-21 00:12:04 +03:00
}
Kernel: Rename VFS => VirtualFileSystem
2021-07-11 01:25:24 +03:00
KResult VirtualFileSystem::validate_path_against_process_veil(Custody const& custody, int options)
Kernel: Don't allocate Strings unnecessarily in process veil validation Previously, Custody::absolute_path() was called for every call to validate_path_against_process_veil(). For processes that don't have a veil, the path is not used by the function. This means that it is unnecessarily generated. This introduces an overload to validate_path_against_process_veil(), which takes a Custody const& and only generates the absolute path if it there is actually a veil and it is thus needed. This patch results in a speed up of Assistant's file system cache building by around 16 percent.
2021-07-05 18:15:07 +03:00
{
Kernel: Make Process::current() return a Process& instead of Process* This has several benefits: 1) We no longer just blindly derefence a null pointer in various places 2) We will get nicer runtime error messages if the current process does turn out to be null in the call location 3) GCC no longer complains about possible nullptr dereferences when compiling without KUBSAN
2021-08-19 22:45:07 +03:00
if (Process::current().veil_state() == VeilState::None)
Kernel: Don't allocate Strings unnecessarily in process veil validation Previously, Custody::absolute_path() was called for every call to validate_path_against_process_veil(). For processes that don't have a veil, the path is not used by the function. This means that it is unnecessarily generated. This introduces an overload to validate_path_against_process_veil(), which takes a Custody const& and only generates the absolute path if it there is actually a veil and it is thus needed. This patch results in a speed up of Assistant's file system cache building by around 16 percent.
2021-07-05 18:15:07 +03:00
return KSuccess;
Kernel: Improvements to Custody absolute path serialization - Renamed try_create_absolute_path() => try_serialize_absolute_path() - Use KResultOr and TRY() to propagate errors - Don't call this when it's only for debug logging
2021-09-06 13:24:36 +03:00
auto absolute_path = TRY(custody.try_serialize_absolute_path());
Kernel: Custody::absolute_path() => try_create_absolute_path() This converts most users of Custody::absolute_path() to use the new try_create_absolute_path() API, and return ENOMEM if the KString allocation fails.
2021-07-06 13:58:03 +03:00
return validate_path_against_process_veil(absolute_path->view(), options);
Kernel: Don't allocate Strings unnecessarily in process veil validation Previously, Custody::absolute_path() was called for every call to validate_path_against_process_veil(). For processes that don't have a veil, the path is not used by the function. This means that it is unnecessarily generated. This introduces an overload to validate_path_against_process_veil(), which takes a Custody const& and only generates the absolute path if it there is actually a veil and it is thus needed. This patch results in a speed up of Assistant's file system cache building by around 16 percent.
2021-07-05 18:15:07 +03:00
}
Kernel: Rename VFS => VirtualFileSystem
2021-07-11 01:25:24 +03:00
KResult VirtualFileSystem::validate_path_against_process_veil(StringView path, int options)
Kernel: Add a basic implementation of unveil() This syscall is a complement to pledge() and adds the same sort of incremental relinquishing of capabilities for filesystem access. The first call to unveil() will "drop a veil" on the process, and from now on, only unveiled parts of the filesystem are visible to it. Each call to unveil() specifies a path to either a directory or a file along with permissions for that path. The permissions are a combination of the following: - r: Read access (like the "rpath" promise) - w: Write access (like the "wpath" promise) - x: Execute access - c: Create/remove access (like the "cpath" promise) Attempts to open a path that has not been unveiled with fail with ENOENT. If the unveiled path lacks sufficient permissions, it will fail with EACCES. Like pledge(), subsequent calls to unveil() with the same path can only remove permissions, not add them. Once you call unveil(nullptr, nullptr), the veil is locked, and it's no longer possible to unveil any more paths for the process, ever. This concept comes from OpenBSD, and their implementation does various things differently, I'm sure. This is just a first implementation for SerenityOS, and we'll keep improving on it as we go. :^)
2020-01-21 00:12:04 +03:00
{
Kernel: Make Process::current() return a Process& instead of Process* This has several benefits: 1) We no longer just blindly derefence a null pointer in various places 2) We will get nicer runtime error messages if the current process does turn out to be null in the call location 3) GCC no longer complains about possible nullptr dereferences when compiling without KUBSAN
2021-08-19 22:45:07 +03:00
if (Process::current().veil_state() == VeilState::None)
Kernel: Add a basic implementation of unveil() This syscall is a complement to pledge() and adds the same sort of incremental relinquishing of capabilities for filesystem access. The first call to unveil() will "drop a veil" on the process, and from now on, only unveiled parts of the filesystem are visible to it. Each call to unveil() specifies a path to either a directory or a file along with permissions for that path. The permissions are a combination of the following: - r: Read access (like the "rpath" promise) - w: Write access (like the "wpath" promise) - x: Execute access - c: Create/remove access (like the "cpath" promise) Attempts to open a path that has not been unveiled with fail with ENOENT. If the unveiled path lacks sufficient permissions, it will fail with EACCES. Like pledge(), subsequent calls to unveil() with the same path can only remove permissions, not add them. Once you call unveil(nullptr, nullptr), the veil is locked, and it's no longer possible to unveil any more paths for the process, ever. This concept comes from OpenBSD, and their implementation does various things differently, I'm sure. This is just a first implementation for SerenityOS, and we'll keep improving on it as we go. :^)
2020-01-21 00:12:04 +03:00
return KSuccess;
Loader: Stabilize loader & Use shared libraries everywhere :^) The dynamic loader is now stable enough to be used everywhere in the system - so this commit does just that. No More .a Files, Long Live .so's!
2020-10-17 14:39:36 +03:00
if (path == "/usr/lib/Loader.so")
return KSuccess;
Kernel: Add a basic implementation of unveil() This syscall is a complement to pledge() and adds the same sort of incremental relinquishing of capabilities for filesystem access. The first call to unveil() will "drop a veil" on the process, and from now on, only unveiled parts of the filesystem are visible to it. Each call to unveil() specifies a path to either a directory or a file along with permissions for that path. The permissions are a combination of the following: - r: Read access (like the "rpath" promise) - w: Write access (like the "wpath" promise) - x: Execute access - c: Create/remove access (like the "cpath" promise) Attempts to open a path that has not been unveiled with fail with ENOENT. If the unveiled path lacks sufficient permissions, it will fail with EACCES. Like pledge(), subsequent calls to unveil() with the same path can only remove permissions, not add them. Once you call unveil(nullptr, nullptr), the veil is locked, and it's no longer possible to unveil any more paths for the process, ever. This concept comes from OpenBSD, and their implementation does various things differently, I'm sure. This is just a first implementation for SerenityOS, and we'll keep improving on it as we go. :^)
2020-01-21 00:12:04 +03:00
Kernel: Stricter path checking in validate_path_against_process_veil This change enforces that paths passed to VFS::validate_path_against_process_veil are absolute and do not contain any '..' or '.' parts. We should VERIFY here instead of returning EINVAL since the code that calls this should resolve non-canonical paths before calling this function.
2021-07-05 19:03:54 +03:00
VERIFY(path.starts_with('/'));
VERIFY(!path.contains("/../"sv) && !path.ends_with("/.."sv));
VERIFY(!path.contains("/./"sv) && !path.ends_with("/."sv));
Kernel: Add a basic implementation of unveil() This syscall is a complement to pledge() and adds the same sort of incremental relinquishing of capabilities for filesystem access. The first call to unveil() will "drop a veil" on the process, and from now on, only unveiled parts of the filesystem are visible to it. Each call to unveil() specifies a path to either a directory or a file along with permissions for that path. The permissions are a combination of the following: - r: Read access (like the "rpath" promise) - w: Write access (like the "wpath" promise) - x: Execute access - c: Create/remove access (like the "cpath" promise) Attempts to open a path that has not been unveiled with fail with ENOENT. If the unveiled path lacks sufficient permissions, it will fail with EACCES. Like pledge(), subsequent calls to unveil() with the same path can only remove permissions, not add them. Once you call unveil(nullptr, nullptr), the veil is locked, and it's no longer possible to unveil any more paths for the process, ever. This concept comes from OpenBSD, and their implementation does various things differently, I'm sure. This is just a first implementation for SerenityOS, and we'll keep improving on it as we go. :^)
2020-01-21 00:12:04 +03:00
Kernel: Don't assume there are no nodes if m_unveiled_paths.is_empty() If m_unveiled_paths.is_empty(), the root node (which is m_unveiled_paths itself) is the matching veil. This means we should not return nullptr in this case, but just use the code path for the general case. This fixes a bug where calling e.g. unveil("/", "r") would refuse you access to anything, because find_matching_unveiled_path would wrongly return nullptr. Since find_matching_unveiled_path can no longer return nullptr, we can now just return a reference instead.
2021-06-07 00:13:26 +03:00
auto& unveiled_path = find_matching_unveiled_path(path);
if (unveiled_path.permissions() == UnveilAccess::None) {
Everywhere: Replace a bundle of dbg with dbgln. These changes are arbitrarily divided into multiple commits to make it easier to find potentially introduced bugs with git bisect.Everything:
2021-01-10 17:17:54 +03:00
dbgln("Rejecting path '{}' since it hasn't been unveiled.", path);
Kernel: Dump backtrace when denying a path because of a veil This will make it much easier to see why a process wants to open the file.
2020-01-30 14:05:36 +03:00
dump_backtrace();
Kernel+LibC: Turn errno codes into a strongly typed enum ..and allow implicit creation of KResult and KResultOr from ErrnoCode. This means that kernel functions that return those types can finally do "return EINVAL;" and it will just work. There's a handful of functions that still deal with signed integers that should be converted to return KResults.
2021-01-21 01:11:17 +03:00
return ENOENT;
Kernel: Add a basic implementation of unveil() This syscall is a complement to pledge() and adds the same sort of incremental relinquishing of capabilities for filesystem access. The first call to unveil() will "drop a veil" on the process, and from now on, only unveiled parts of the filesystem are visible to it. Each call to unveil() specifies a path to either a directory or a file along with permissions for that path. The permissions are a combination of the following: - r: Read access (like the "rpath" promise) - w: Write access (like the "wpath" promise) - x: Execute access - c: Create/remove access (like the "cpath" promise) Attempts to open a path that has not been unveiled with fail with ENOENT. If the unveiled path lacks sufficient permissions, it will fail with EACCES. Like pledge(), subsequent calls to unveil() with the same path can only remove permissions, not add them. Once you call unveil(nullptr, nullptr), the veil is locked, and it's no longer possible to unveil any more paths for the process, ever. This concept comes from OpenBSD, and their implementation does various things differently, I'm sure. This is just a first implementation for SerenityOS, and we'll keep improving on it as we go. :^)
2020-01-21 00:12:04 +03:00
}
if (options & O_CREAT) {
Kernel: Don't assume there are no nodes if m_unveiled_paths.is_empty() If m_unveiled_paths.is_empty(), the root node (which is m_unveiled_paths itself) is the matching veil. This means we should not return nullptr in this case, but just use the code path for the general case. This fixes a bug where calling e.g. unveil("/", "r") would refuse you access to anything, because find_matching_unveiled_path would wrongly return nullptr. Since find_matching_unveiled_path can no longer return nullptr, we can now just return a reference instead.
2021-06-07 00:13:26 +03:00
if (!(unveiled_path.permissions() & UnveilAccess::CreateOrRemove)) {
Everywhere: Replace a bundle of dbg with dbgln. These changes are arbitrarily divided into multiple commits to make it easier to find potentially introduced bugs with git bisect.Everything:
2021-01-10 17:17:54 +03:00
dbgln("Rejecting path '{}' since it hasn't been unveiled with 'c' permission.", path);
Kernel: Dump backtrace when denying a path because of a veil This will make it much easier to see why a process wants to open the file.
2020-01-30 14:05:36 +03:00
dump_backtrace();
Kernel+LibC: Turn errno codes into a strongly typed enum ..and allow implicit creation of KResult and KResultOr from ErrnoCode. This means that kernel functions that return those types can finally do "return EINVAL;" and it will just work. There's a handful of functions that still deal with signed integers that should be converted to return KResults.
2021-01-21 01:11:17 +03:00
return EACCES;
Kernel: Add a basic implementation of unveil() This syscall is a complement to pledge() and adds the same sort of incremental relinquishing of capabilities for filesystem access. The first call to unveil() will "drop a veil" on the process, and from now on, only unveiled parts of the filesystem are visible to it. Each call to unveil() specifies a path to either a directory or a file along with permissions for that path. The permissions are a combination of the following: - r: Read access (like the "rpath" promise) - w: Write access (like the "wpath" promise) - x: Execute access - c: Create/remove access (like the "cpath" promise) Attempts to open a path that has not been unveiled with fail with ENOENT. If the unveiled path lacks sufficient permissions, it will fail with EACCES. Like pledge(), subsequent calls to unveil() with the same path can only remove permissions, not add them. Once you call unveil(nullptr, nullptr), the veil is locked, and it's no longer possible to unveil any more paths for the process, ever. This concept comes from OpenBSD, and their implementation does various things differently, I'm sure. This is just a first implementation for SerenityOS, and we'll keep improving on it as we go. :^)
2020-01-21 00:12:04 +03:00
}
}
if (options & O_UNLINK_INTERNAL) {
Kernel: Don't assume there are no nodes if m_unveiled_paths.is_empty() If m_unveiled_paths.is_empty(), the root node (which is m_unveiled_paths itself) is the matching veil. This means we should not return nullptr in this case, but just use the code path for the general case. This fixes a bug where calling e.g. unveil("/", "r") would refuse you access to anything, because find_matching_unveiled_path would wrongly return nullptr. Since find_matching_unveiled_path can no longer return nullptr, we can now just return a reference instead.
2021-06-07 00:13:26 +03:00
if (!(unveiled_path.permissions() & UnveilAccess::CreateOrRemove)) {
Everywhere: Replace a bundle of dbg with dbgln. These changes are arbitrarily divided into multiple commits to make it easier to find potentially introduced bugs with git bisect.Everything:
2021-01-10 17:17:54 +03:00
dbgln("Rejecting path '{}' for unlink since it hasn't been unveiled with 'c' permission.", path);
Kernel: Dump backtrace when denying a path because of a veil This will make it much easier to see why a process wants to open the file.
2020-01-30 14:05:36 +03:00
dump_backtrace();
Kernel+LibC: Turn errno codes into a strongly typed enum ..and allow implicit creation of KResult and KResultOr from ErrnoCode. This means that kernel functions that return those types can finally do "return EINVAL;" and it will just work. There's a handful of functions that still deal with signed integers that should be converted to return KResults.
2021-01-21 01:11:17 +03:00
return EACCES;
Kernel: Add a basic implementation of unveil() This syscall is a complement to pledge() and adds the same sort of incremental relinquishing of capabilities for filesystem access. The first call to unveil() will "drop a veil" on the process, and from now on, only unveiled parts of the filesystem are visible to it. Each call to unveil() specifies a path to either a directory or a file along with permissions for that path. The permissions are a combination of the following: - r: Read access (like the "rpath" promise) - w: Write access (like the "wpath" promise) - x: Execute access - c: Create/remove access (like the "cpath" promise) Attempts to open a path that has not been unveiled with fail with ENOENT. If the unveiled path lacks sufficient permissions, it will fail with EACCES. Like pledge(), subsequent calls to unveil() with the same path can only remove permissions, not add them. Once you call unveil(nullptr, nullptr), the veil is locked, and it's no longer possible to unveil any more paths for the process, ever. This concept comes from OpenBSD, and their implementation does various things differently, I'm sure. This is just a first implementation for SerenityOS, and we'll keep improving on it as we go. :^)
2020-01-21 00:12:04 +03:00
}
return KSuccess;
}
Kernel: Make O_RDONLY non-zero Sergey suggested that having a non-zero O_RDONLY would make some things less confusing, and it seems like he's right about that. We can now easily check read/write permissions separately instead of dancing around with the bits. This patch also fixes unveil() validation for O_RDWR which previously forgot to check for "r" permission.
2020-01-21 15:14:26 +03:00
if (options & O_RDONLY) {
Kernel: Add unveil('b') This is a new "browse" permission that lets you open (and subsequently list contents of) directories underneath the path, but not regular files or any other types of files.
2020-11-21 22:55:20 +03:00
if (options & O_DIRECTORY) {
Kernel: Don't assume there are no nodes if m_unveiled_paths.is_empty() If m_unveiled_paths.is_empty(), the root node (which is m_unveiled_paths itself) is the matching veil. This means we should not return nullptr in this case, but just use the code path for the general case. This fixes a bug where calling e.g. unveil("/", "r") would refuse you access to anything, because find_matching_unveiled_path would wrongly return nullptr. Since find_matching_unveiled_path can no longer return nullptr, we can now just return a reference instead.
2021-06-07 00:13:26 +03:00
if (!(unveiled_path.permissions() & (UnveilAccess::Read | UnveilAccess::Browse))) {
Everywhere: Replace a bundle of dbg with dbgln. These changes are arbitrarily divided into multiple commits to make it easier to find potentially introduced bugs with git bisect.Everything:
2021-01-10 17:17:54 +03:00
dbgln("Rejecting path '{}' since it hasn't been unveiled with 'r' or 'b' permissions.", path);
Kernel: Add unveil('b') This is a new "browse" permission that lets you open (and subsequently list contents of) directories underneath the path, but not regular files or any other types of files.
2020-11-21 22:55:20 +03:00
dump_backtrace();
Kernel+LibC: Turn errno codes into a strongly typed enum ..and allow implicit creation of KResult and KResultOr from ErrnoCode. This means that kernel functions that return those types can finally do "return EINVAL;" and it will just work. There's a handful of functions that still deal with signed integers that should be converted to return KResults.
2021-01-21 01:11:17 +03:00
return EACCES;
Kernel: Add unveil('b') This is a new "browse" permission that lets you open (and subsequently list contents of) directories underneath the path, but not regular files or any other types of files.
2020-11-21 22:55:20 +03:00
}
} else {
Kernel: Don't assume there are no nodes if m_unveiled_paths.is_empty() If m_unveiled_paths.is_empty(), the root node (which is m_unveiled_paths itself) is the matching veil. This means we should not return nullptr in this case, but just use the code path for the general case. This fixes a bug where calling e.g. unveil("/", "r") would refuse you access to anything, because find_matching_unveiled_path would wrongly return nullptr. Since find_matching_unveiled_path can no longer return nullptr, we can now just return a reference instead.
2021-06-07 00:13:26 +03:00
if (!(unveiled_path.permissions() & UnveilAccess::Read)) {
Everywhere: Replace a bundle of dbg with dbgln. These changes are arbitrarily divided into multiple commits to make it easier to find potentially introduced bugs with git bisect.Everything:
2021-01-10 17:17:54 +03:00
dbgln("Rejecting path '{}' since it hasn't been unveiled with 'r' permission.", path);
Kernel: Add unveil('b') This is a new "browse" permission that lets you open (and subsequently list contents of) directories underneath the path, but not regular files or any other types of files.
2020-11-21 22:55:20 +03:00
dump_backtrace();
Kernel+LibC: Turn errno codes into a strongly typed enum ..and allow implicit creation of KResult and KResultOr from ErrnoCode. This means that kernel functions that return those types can finally do "return EINVAL;" and it will just work. There's a handful of functions that still deal with signed integers that should be converted to return KResults.
2021-01-21 01:11:17 +03:00
return EACCES;
Kernel: Add unveil('b') This is a new "browse" permission that lets you open (and subsequently list contents of) directories underneath the path, but not regular files or any other types of files.
2020-11-21 22:55:20 +03:00
}
Kernel: Make O_RDONLY non-zero Sergey suggested that having a non-zero O_RDONLY would make some things less confusing, and it seems like he's right about that. We can now easily check read/write permissions separately instead of dancing around with the bits. This patch also fixes unveil() validation for O_RDWR which previously forgot to check for "r" permission.
2020-01-21 15:14:26 +03:00
}
}
if (options & O_WRONLY) {
Kernel: Don't assume there are no nodes if m_unveiled_paths.is_empty() If m_unveiled_paths.is_empty(), the root node (which is m_unveiled_paths itself) is the matching veil. This means we should not return nullptr in this case, but just use the code path for the general case. This fixes a bug where calling e.g. unveil("/", "r") would refuse you access to anything, because find_matching_unveiled_path would wrongly return nullptr. Since find_matching_unveiled_path can no longer return nullptr, we can now just return a reference instead.
2021-06-07 00:13:26 +03:00
if (!(unveiled_path.permissions() & UnveilAccess::Write)) {
Everywhere: Replace a bundle of dbg with dbgln. These changes are arbitrarily divided into multiple commits to make it easier to find potentially introduced bugs with git bisect.Everything:
2021-01-10 17:17:54 +03:00
dbgln("Rejecting path '{}' since it hasn't been unveiled with 'w' permission.", path);
Kernel: Dump backtrace when denying a path because of a veil This will make it much easier to see why a process wants to open the file.
2020-01-30 14:05:36 +03:00
dump_backtrace();
Kernel+LibC: Turn errno codes into a strongly typed enum ..and allow implicit creation of KResult and KResultOr from ErrnoCode. This means that kernel functions that return those types can finally do "return EINVAL;" and it will just work. There's a handful of functions that still deal with signed integers that should be converted to return KResults.
2021-01-21 01:11:17 +03:00
return EACCES;
Kernel: Add a basic implementation of unveil() This syscall is a complement to pledge() and adds the same sort of incremental relinquishing of capabilities for filesystem access. The first call to unveil() will "drop a veil" on the process, and from now on, only unveiled parts of the filesystem are visible to it. Each call to unveil() specifies a path to either a directory or a file along with permissions for that path. The permissions are a combination of the following: - r: Read access (like the "rpath" promise) - w: Write access (like the "wpath" promise) - x: Execute access - c: Create/remove access (like the "cpath" promise) Attempts to open a path that has not been unveiled with fail with ENOENT. If the unveiled path lacks sufficient permissions, it will fail with EACCES. Like pledge(), subsequent calls to unveil() with the same path can only remove permissions, not add them. Once you call unveil(nullptr, nullptr), the veil is locked, and it's no longer possible to unveil any more paths for the process, ever. This concept comes from OpenBSD, and their implementation does various things differently, I'm sure. This is just a first implementation for SerenityOS, and we'll keep improving on it as we go. :^)
2020-01-21 00:12:04 +03:00
}
Kernel: Make O_RDONLY non-zero Sergey suggested that having a non-zero O_RDONLY would make some things less confusing, and it seems like he's right about that. We can now easily check read/write permissions separately instead of dancing around with the bits. This patch also fixes unveil() validation for O_RDWR which previously forgot to check for "r" permission.
2020-01-21 15:14:26 +03:00
}
if (options & O_EXEC) {
Kernel: Don't assume there are no nodes if m_unveiled_paths.is_empty() If m_unveiled_paths.is_empty(), the root node (which is m_unveiled_paths itself) is the matching veil. This means we should not return nullptr in this case, but just use the code path for the general case. This fixes a bug where calling e.g. unveil("/", "r") would refuse you access to anything, because find_matching_unveiled_path would wrongly return nullptr. Since find_matching_unveiled_path can no longer return nullptr, we can now just return a reference instead.
2021-06-07 00:13:26 +03:00
if (!(unveiled_path.permissions() & UnveilAccess::Execute)) {
Everywhere: Replace a bundle of dbg with dbgln. These changes are arbitrarily divided into multiple commits to make it easier to find potentially introduced bugs with git bisect.Everything:
2021-01-10 17:17:54 +03:00
dbgln("Rejecting path '{}' since it hasn't been unveiled with 'x' permission.", path);
Kernel: Dump backtrace when denying a path because of a veil This will make it much easier to see why a process wants to open the file.
2020-01-30 14:05:36 +03:00
dump_backtrace();
Kernel+LibC: Turn errno codes into a strongly typed enum ..and allow implicit creation of KResult and KResultOr from ErrnoCode. This means that kernel functions that return those types can finally do "return EINVAL;" and it will just work. There's a handful of functions that still deal with signed integers that should be converted to return KResults.
2021-01-21 01:11:17 +03:00
return EACCES;
Kernel: Add a basic implementation of unveil() This syscall is a complement to pledge() and adds the same sort of incremental relinquishing of capabilities for filesystem access. The first call to unveil() will "drop a veil" on the process, and from now on, only unveiled parts of the filesystem are visible to it. Each call to unveil() specifies a path to either a directory or a file along with permissions for that path. The permissions are a combination of the following: - r: Read access (like the "rpath" promise) - w: Write access (like the "wpath" promise) - x: Execute access - c: Create/remove access (like the "cpath" promise) Attempts to open a path that has not been unveiled with fail with ENOENT. If the unveiled path lacks sufficient permissions, it will fail with EACCES. Like pledge(), subsequent calls to unveil() with the same path can only remove permissions, not add them. Once you call unveil(nullptr, nullptr), the veil is locked, and it's no longer possible to unveil any more paths for the process, ever. This concept comes from OpenBSD, and their implementation does various things differently, I'm sure. This is just a first implementation for SerenityOS, and we'll keep improving on it as we go. :^)
2020-01-21 00:12:04 +03:00
}
}
return KSuccess;
}
Kernel: Rename VFS => VirtualFileSystem
2021-07-11 01:25:24 +03:00
KResultOr<NonnullRefPtr<Custody>> VirtualFileSystem::resolve_path(StringView path, Custody& base, RefPtr<Custody>* out_parent, int options, int symlink_recursion_level)
FileSystem: Add a Custody class that represents a parent/child guardianship. A custody is kind of a directory entry abstraction that represents a single entry in a parent directory that tells us the name of a child inode. The idea here is for path resolution to produce a chain of custody objects.
2019-05-30 18:46:08 +03:00
{
Kernel: Use TRY() in VirtualFileSystem
2021-09-05 15:00:18 +03:00
auto custody = TRY(resolve_path_without_veil(path, base, out_parent, options, symlink_recursion_level));
Kernel: Use TRY() even more in VirtualFileSystem Allowing TRY() with KResult unlocked a whole lot more opportunities.
2021-09-05 15:55:25 +03:00
TRY(validate_path_against_process_veil(*custody, options));
Kernel: Resolve relative paths when there is a veil (#1474)
2020-03-19 11:57:34 +03:00
return custody;
}
Kernel: Implement the same symlink protection as Linux Path resolution will now refuse to follow symlinks in some cases where you don't own the symlink, or when it's in a sticky world-writable directory and the link has a different owner than the directory. The point of all this is to prevent classic TOCTOU bugs in /tmp etc. Fixes #4934
2021-01-19 20:12:09 +03:00
static bool safe_to_follow_symlink(const Inode& inode, const InodeMetadata& parent_metadata)
{
auto metadata = inode.metadata();
Kernel: Make Process::current() return a Process& instead of Process* This has several benefits: 1) We no longer just blindly derefence a null pointer in various places 2) We will get nicer runtime error messages if the current process does turn out to be null in the call location 3) GCC no longer complains about possible nullptr dereferences when compiling without KUBSAN
2021-08-19 22:45:07 +03:00
if (Process::current().euid() == metadata.uid)
Kernel: Implement the same symlink protection as Linux Path resolution will now refuse to follow symlinks in some cases where you don't own the symlink, or when it's in a sticky world-writable directory and the link has a different owner than the directory. The point of all this is to prevent classic TOCTOU bugs in /tmp etc. Fixes #4934
2021-01-19 20:12:09 +03:00
return true;
if (!(parent_metadata.is_sticky() && parent_metadata.mode & S_IWOTH))
return true;
if (metadata.uid == parent_metadata.uid)
return true;
return false;
}
Kernel: Rename VFS => VirtualFileSystem
2021-07-11 01:25:24 +03:00
KResultOr<NonnullRefPtr<Custody>> VirtualFileSystem::resolve_path_without_veil(StringView path, Custody& base, RefPtr<Custody>* out_parent, int options, int symlink_recursion_level)
Kernel: Resolve relative paths when there is a veil (#1474)
2020-03-19 11:57:34 +03:00
{
Kernel: Implement recursion limit on path resolution Cautiously use 5 as a limit for now so that we don't blow the stack. This can be increased in the future if we are sure that we won't be blowing the stack, or if the implementation is changed to not use recursion :^)
2019-12-24 12:39:21 +03:00
if (symlink_recursion_level >= symlink_recursion_limit)
Kernel+LibC: Turn errno codes into a strongly typed enum ..and allow implicit creation of KResult and KResultOr from ErrnoCode. This means that kernel functions that return those types can finally do "return EINVAL;" and it will just work. There's a handful of functions that still deal with signed integers that should be converted to return KResults.
2021-01-21 01:11:17 +03:00
return ELOOP;
FileSystem: Add FIXME about resolve_path bug
2019-08-25 19:18:51 +03:00
FileSystem: Add a Custody class that represents a parent/child guardianship. A custody is kind of a directory entry abstraction that represents a single entry in a parent directory that tells us the name of a child inode. The idea here is for path resolution to produce a chain of custody objects.
2019-05-30 18:46:08 +03:00
if (path.is_empty())
Kernel+LibC: Turn errno codes into a strongly typed enum ..and allow implicit creation of KResult and KResultOr from ErrnoCode. This means that kernel functions that return those types can finally do "return EINVAL;" and it will just work. There's a handful of functions that still deal with signed integers that should be converted to return KResults.
2021-01-21 01:11:17 +03:00
return EINVAL;
FileSystem: Add a Custody class that represents a parent/child guardianship. A custody is kind of a directory entry abstraction that represents a single entry in a parent directory that tells us the name of a child inode. The idea here is for path resolution to produce a chain of custody objects.
2019-05-30 18:46:08 +03:00
Kernel: Remove an allocation from VFS::resolve_path_without_veil (#7287) Use GenericLexer to replace a call to StringView::split() since that returns its result in a heap-allocating Vector.
2021-05-22 01:12:32 +03:00
GenericLexer path_lexer(path);
Kernel: Make Process::current() return a Process& instead of Process* This has several benefits: 1) We no longer just blindly derefence a null pointer in various places 2) We will get nicer runtime error messages if the current process does turn out to be null in the call location 3) GCC no longer complains about possible nullptr dereferences when compiling without KUBSAN
2021-08-19 22:45:07 +03:00
auto& current_process = Process::current();
Kernel: Add a basic chroot() syscall :^) The chroot() syscall now allows the superuser to isolate a process into a specific subtree of the filesystem. This is not strictly permanent, as it is also possible for a superuser to break *out* of a chroot, but it is a useful mechanism for isolating unprivileged processes. The VFS now uses the current process's root_directory() as the root for path resolution purposes. The root directory is stored as an uncached Custody in the Process object.
2020-01-11 01:14:04 +03:00
Kernel+Userland: Remove chroot functionality We are not using this for anything and it's just been sitting there gathering dust for well over a year, so let's stop carrying all this complexity around for no good reason.
2021-08-15 02:29:44 +03:00
NonnullRefPtr<Custody> custody = path[0] == '/' ? root_custody() : base;
Kernel: Remove an allocation from VFS::resolve_path_without_veil (#7287) Use GenericLexer to replace a call to StringView::split() since that returns its result in a heap-allocating Vector.
2021-05-22 01:12:32 +03:00
bool extra_iteration = path[path.length() - 1] == '/';
while (!path_lexer.is_eof() || extra_iteration) {
if (path_lexer.is_eof())
extra_iteration = false;
auto part = path_lexer.consume_until('/');
path_lexer.consume_specific('/');
FileSystem: Add a Custody class that represents a parent/child guardianship. A custody is kind of a directory entry abstraction that represents a single entry in a parent directory that tells us the name of a child inode. The idea here is for path resolution to produce a chain of custody objects.
2019-05-30 18:46:08 +03:00
Kernel: Simplify VFS::resolve_path() further It turns out we don't even need to store the whole custody chain, as we only ever access its last element. So we can just store one custody. This also fixes a performance FIXME :^) Also, rename parent_custody to out_parent.
2020-01-15 10:52:33 +03:00
Custody& parent = custody;
auto parent_metadata = parent.inode().metadata();
Kernel: Refactor/rewrite VFS::resolve_path() This makes the implementation easier to follow, but also fixes multiple issues with the old implementation. In particular, it now deals properly with . and .. in paths, including around mount points. Hopefully there aren't many new bugs this introduces :^)
2020-01-14 13:30:15 +03:00
if (!parent_metadata.is_directory())
Kernel+LibC: Turn errno codes into a strongly typed enum ..and allow implicit creation of KResult and KResultOr from ErrnoCode. This means that kernel functions that return those types can finally do "return EINVAL;" and it will just work. There's a handful of functions that still deal with signed integers that should be converted to return KResults.
2021-01-21 01:11:17 +03:00
return ENOTDIR;
Kernel: Refactor/rewrite VFS::resolve_path() This makes the implementation easier to follow, but also fixes multiple issues with the old implementation. In particular, it now deals properly with . and .. in paths, including around mount points. Hopefully there aren't many new bugs this introduces :^)
2020-01-14 13:30:15 +03:00
// Ensure the current user is allowed to resolve paths inside this directory.
Kernel: Make Process::current() return a Process& instead of Process* This has several benefits: 1) We no longer just blindly derefence a null pointer in various places 2) We will get nicer runtime error messages if the current process does turn out to be null in the call location 3) GCC no longer complains about possible nullptr dereferences when compiling without KUBSAN
2021-08-19 22:45:07 +03:00
if (!parent_metadata.may_execute(current_process))
Kernel+LibC: Turn errno codes into a strongly typed enum ..and allow implicit creation of KResult and KResultOr from ErrnoCode. This means that kernel functions that return those types can finally do "return EINVAL;" and it will just work. There's a handful of functions that still deal with signed integers that should be converted to return KResults.
2021-01-21 01:11:17 +03:00
return EACCES;
Kernel: Fix not returning errors for the last path item. Previously the check for an empty part would happen before the check for access and for the parent being a directory, and so an error in those would not be detected.
2019-06-13 16:33:01 +03:00
Kernel: Remove an allocation from VFS::resolve_path_without_veil (#7287) Use GenericLexer to replace a call to StringView::split() since that returns its result in a heap-allocating Vector.
2021-05-22 01:12:32 +03:00
bool have_more_parts = !path_lexer.is_eof() || extra_iteration;
Kernel: Refactor/rewrite VFS::resolve_path() This makes the implementation easier to follow, but also fixes multiple issues with the old implementation. In particular, it now deals properly with . and .. in paths, including around mount points. Hopefully there aren't many new bugs this introduces :^)
2020-01-14 13:30:15 +03:00
if (part == "..") {
// If we encounter a "..", take a step back, but don't go beyond the root.
Kernel: Simplify VFS::resolve_path() further It turns out we don't even need to store the whole custody chain, as we only ever access its last element. So we can just store one custody. This also fixes a performance FIXME :^) Also, rename parent_custody to out_parent.
2020-01-15 10:52:33 +03:00
if (custody->parent())
custody = *custody->parent();
Kernel: Make proper use of the new keep_empty argument
2019-09-21 00:45:16 +03:00
continue;
Kernel: Refactor/rewrite VFS::resolve_path() This makes the implementation easier to follow, but also fixes multiple issues with the old implementation. In particular, it now deals properly with . and .. in paths, including around mount points. Hopefully there aren't many new bugs this introduces :^)
2020-01-14 13:30:15 +03:00
} else if (part == "." || part.is_empty()) {
continue;
}
Kernel: Fix not returning errors for the last path item. Previously the check for an empty part would happen before the check for access and for the parent being a directory, and so an error in those would not be detected.
2019-06-13 16:33:01 +03:00
Kernel: Refactor/rewrite VFS::resolve_path() This makes the implementation easier to follow, but also fixes multiple issues with the old implementation. In particular, it now deals properly with . and .. in paths, including around mount points. Hopefully there aren't many new bugs this introduces :^)
2020-01-14 13:30:15 +03:00
// Okay, let's look up this part.
Kernel: Make Inode::lookup() return a KResultOr<NonnullRefPtr<Inode>> This allows file systems to return arbitrary error codes instead of just an Inode or not an Inode.
2021-08-14 14:32:35 +03:00
auto child_or_error = parent.inode().lookup(part);
if (child_or_error.is_error()) {
Kernel: Simplify VFS::resolve_path() further It turns out we don't even need to store the whole custody chain, as we only ever access its last element. So we can just store one custody. This also fixes a performance FIXME :^) Also, rename parent_custody to out_parent.
2020-01-15 10:52:33 +03:00
if (out_parent) {
Kernel: Refactor/rewrite VFS::resolve_path() This makes the implementation easier to follow, but also fixes multiple issues with the old implementation. In particular, it now deals properly with . and .. in paths, including around mount points. Hopefully there aren't many new bugs this introduces :^)
2020-01-14 13:30:15 +03:00
// ENOENT with a non-null parent custody signals to caller that
Kernel: Fix awkward bug where "touch /foo/bar/baz" could create "/baz" To accomodate file creation, path resolution optionally returns the last valid parent directory seen while traversing the path. Clients will then interpret "ENOENT, but I have a parent for you" as meaning that the file doesn't exist, but its immediate parent directory does. The client then goes ahead and creates a new file. In the case of "/foo/bar/baz" where there is no "/foo", it would fail with ENOENT and "/" as the last seen parent directory, causing e.g the open() syscall to create "/baz". Covered by test_io.
2020-01-03 05:53:06 +03:00
// we found the immediate parent of the file, but the file itself
// does not exist yet.
Kernel: Simplify VFS::resolve_path() further It turns out we don't even need to store the whole custody chain, as we only ever access its last element. So we can just store one custody. This also fixes a performance FIXME :^) Also, rename parent_custody to out_parent.
2020-01-15 10:52:33 +03:00
*out_parent = have_more_parts ? nullptr : &parent;
Kernel: Fix awkward bug where "touch /foo/bar/baz" could create "/baz" To accomodate file creation, path resolution optionally returns the last valid parent directory seen while traversing the path. Clients will then interpret "ENOENT, but I have a parent for you" as meaning that the file doesn't exist, but its immediate parent directory does. The client then goes ahead and creates a new file. In the case of "/foo/bar/baz" where there is no "/foo", it would fail with ENOENT and "/" as the last seen parent directory, causing e.g the open() syscall to create "/baz". Covered by test_io.
2020-01-03 05:53:06 +03:00
}
Kernel: Make Inode::lookup() return a KResultOr<NonnullRefPtr<Inode>> This allows file systems to return arbitrary error codes instead of just an Inode or not an Inode.
2021-08-14 14:32:35 +03:00
return child_or_error.error();
Kernel: Fix awkward bug where "touch /foo/bar/baz" could create "/baz" To accomodate file creation, path resolution optionally returns the last valid parent directory seen while traversing the path. Clients will then interpret "ENOENT, but I have a parent for you" as meaning that the file doesn't exist, but its immediate parent directory does. The client then goes ahead and creates a new file. In the case of "/foo/bar/baz" where there is no "/foo", it would fail with ENOENT and "/" as the last seen parent directory, causing e.g the open() syscall to create "/baz". Covered by test_io.
2020-01-03 05:53:06 +03:00
}
Kernel: Make Inode::lookup() return a KResultOr<NonnullRefPtr<Inode>> This allows file systems to return arbitrary error codes instead of just an Inode or not an Inode.
2021-08-14 14:32:35 +03:00
auto child_inode = child_or_error.release_value();
Kernel: Refactor/rewrite VFS::resolve_path() This makes the implementation easier to follow, but also fixes multiple issues with the old implementation. In particular, it now deals properly with . and .. in paths, including around mount points. Hopefully there aren't many new bugs this introduces :^)
2020-01-14 13:30:15 +03:00
Kernel: Simplify VFS::resolve_path() further It turns out we don't even need to store the whole custody chain, as we only ever access its last element. So we can just store one custody. This also fixes a performance FIXME :^) Also, rename parent_custody to out_parent.
2020-01-15 10:52:33 +03:00
int mount_flags_for_child = parent.mount_flags();
Kernel: Make Inode::lookup() return a RefPtr<Inode> Previously this API would return an InodeIdentifier, which meant that there was a race in path resolution where an inode could be unlinked in between finding the InodeIdentifier for a path component, and actually resolving that to an Inode object. Attaching a test that would quickly trip an assertion before. Test: Kernel/path-resolution-race.cpp
2020-02-01 11:23:46 +03:00
Kernel: Refactor/rewrite VFS::resolve_path() This makes the implementation easier to follow, but also fixes multiple issues with the old implementation. In particular, it now deals properly with . and .. in paths, including around mount points. Hopefully there aren't many new bugs this introduces :^)
2020-01-14 13:30:15 +03:00
// See if there's something mounted on the child; in that case
// we would need to return the guest inode, not the host inode.
Kernel: Only allow looking up Mounts by InodeIdentifier Let's simplify the interface by not allowing lookup by Inode&.
2021-07-11 01:50:08 +03:00
if (auto mount = find_mount_for_host(child_inode->identifier())) {
Kernel: Port mounts to reference inodes directly ...instead of going through their identifiers. See the previous commit for reasoning.
2020-06-25 00:16:24 +03:00
child_inode = mount->guest();
Kernel: Refactor/rewrite VFS::resolve_path() This makes the implementation easier to follow, but also fixes multiple issues with the old implementation. In particular, it now deals properly with . and .. in paths, including around mount points. Hopefully there aren't many new bugs this introduces :^)
2020-01-14 13:30:15 +03:00
mount_flags_for_child = mount->flags();
FileSystem: Add a Custody class that represents a parent/child guardianship. A custody is kind of a directory entry abstraction that represents a single entry in a parent directory that tells us the name of a child inode. The idea here is for path resolution to produce a chain of custody objects.
2019-05-30 18:46:08 +03:00
}
FileSystem: Merge symlink following logic into path resolution. When encountering a symlink, we abandon the custody chain we've been working on and start over with a new one (by recursing into a new resolution call.) Caching symlinks in the custody model would be incredibly difficult to get right with all the extra invalidation it would require, so let's just not.
2019-05-31 07:42:49 +03:00
Kernel: Use TRY() in VirtualFileSystem
2021-09-05 15:00:18 +03:00
custody = TRY(Custody::try_create(&parent, part, *child_inode, mount_flags_for_child));
FileSystem: Merge symlink following logic into path resolution. When encountering a symlink, we abandon the custody chain we've been working on and start over with a new one (by recursing into a new resolution call.) Caching symlinks in the custody model would be incredibly difficult to get right with all the extra invalidation it would require, so let's just not.
2019-05-31 07:42:49 +03:00
Kernel: Refactor/rewrite VFS::resolve_path() This makes the implementation easier to follow, but also fixes multiple issues with the old implementation. In particular, it now deals properly with . and .. in paths, including around mount points. Hopefully there aren't many new bugs this introduces :^)
2020-01-14 13:30:15 +03:00
if (child_inode->metadata().is_symlink()) {
if (!have_more_parts) {
FileSystem: Add a Custody class that represents a parent/child guardianship. A custody is kind of a directory entry abstraction that represents a single entry in a parent directory that tells us the name of a child inode. The idea here is for path resolution to produce a chain of custody objects.
2019-05-30 18:46:08 +03:00
if (options & O_NOFOLLOW)
Kernel+LibC: Turn errno codes into a strongly typed enum ..and allow implicit creation of KResult and KResultOr from ErrnoCode. This means that kernel functions that return those types can finally do "return EINVAL;" and it will just work. There's a handful of functions that still deal with signed integers that should be converted to return KResults.
2021-01-21 01:11:17 +03:00
return ELOOP;
FileSystem: Add a Custody class that represents a parent/child guardianship. A custody is kind of a directory entry abstraction that represents a single entry in a parent directory that tells us the name of a child inode. The idea here is for path resolution to produce a chain of custody objects.
2019-05-30 18:46:08 +03:00
if (options & O_NOFOLLOW_NOERROR)
Kernel: Refactor/rewrite VFS::resolve_path() This makes the implementation easier to follow, but also fixes multiple issues with the old implementation. In particular, it now deals properly with . and .. in paths, including around mount points. Hopefully there aren't many new bugs this introduces :^)
2020-01-14 13:30:15 +03:00
break;
FileSystem: Add a Custody class that represents a parent/child guardianship. A custody is kind of a directory entry abstraction that represents a single entry in a parent directory that tells us the name of a child inode. The idea here is for path resolution to produce a chain of custody objects.
2019-05-30 18:46:08 +03:00
}
Kernel: Implement the same symlink protection as Linux Path resolution will now refuse to follow symlinks in some cases where you don't own the symlink, or when it's in a sticky world-writable directory and the link has a different owner than the directory. The point of all this is to prevent classic TOCTOU bugs in /tmp etc. Fixes #4934
2021-01-19 20:12:09 +03:00
if (!safe_to_follow_symlink(*child_inode, parent_metadata))
Kernel+LibC: Turn errno codes into a strongly typed enum ..and allow implicit creation of KResult and KResultOr from ErrnoCode. This means that kernel functions that return those types can finally do "return EINVAL;" and it will just work. There's a handful of functions that still deal with signed integers that should be converted to return KResults.
2021-01-21 01:11:17 +03:00
return EACCES;
Kernel: Implement the same symlink protection as Linux Path resolution will now refuse to follow symlinks in some cases where you don't own the symlink, or when it's in a sticky world-writable directory and the link has a different owner than the directory. The point of all this is to prevent classic TOCTOU bugs in /tmp etc. Fixes #4934
2021-01-19 20:12:09 +03:00
Kernel: Use TRY() even more in VirtualFileSystem Allowing TRY() with KResult unlocked a whole lot more opportunities.
2021-09-05 15:55:25 +03:00
TRY(validate_path_against_process_veil(*custody, options));
Kernel: Use the resolved parent path when testing create veil (#5231)
2021-02-06 21:11:44 +03:00
Kernel: Use TRY() even more in VirtualFileSystem Allowing TRY() with KResult unlocked a whole lot more opportunities.
2021-09-05 15:55:25 +03:00
auto symlink_target = TRY(child_inode->resolve_as_link(parent, out_parent, options, symlink_recursion_level + 1));
if (!have_more_parts)
Kernel: Fix resolving symlinks in the middle of a path. If a symlink is not the last part of a path, the remaining part of the path has to be further resolved against the symlink target. With this, a path containing a symlink always resolves to the target of the first (leftmost) symlink in it, for example any path of form /proc/self/... resolves to the corresponding /proc/pid directory.
2019-06-12 16:36:05 +03:00
return symlink_target;
Kernel: Refactor/rewrite VFS::resolve_path() This makes the implementation easier to follow, but also fixes multiple issues with the old implementation. In particular, it now deals properly with . and .. in paths, including around mount points. Hopefully there aren't many new bugs this introduces :^)
2020-01-14 13:30:15 +03:00
// Now, resolve the remaining path relative to the symlink target.
// We prepend a "." to it to ensure that it's not empty and that
// any initial slashes it might have get interpreted properly.
StringBuilder remaining_path;
remaining_path.append('.');
remaining_path.append(path.substring_view_starting_after_substring(part));
Kernel: Fix resolving symlinks in the middle of a path. If a symlink is not the last part of a path, the remaining part of the path has to be further resolved against the symlink target. With this, a path containing a symlink always resolves to the target of the first (leftmost) symlink in it, for example any path of form /proc/self/... resolves to the corresponding /proc/pid directory.
2019-06-12 16:36:05 +03:00
Kernel: Use TRY() even more in VirtualFileSystem Allowing TRY() with KResult unlocked a whole lot more opportunities.
2021-09-05 15:55:25 +03:00
return resolve_path_without_veil(remaining_path.to_string(), symlink_target, out_parent, options, symlink_recursion_level + 1);
FileSystem: Add a Custody class that represents a parent/child guardianship. A custody is kind of a directory entry abstraction that represents a single entry in a parent directory that tells us the name of a child inode. The idea here is for path resolution to produce a chain of custody objects.
2019-05-30 18:46:08 +03:00
}
}
Kernel: Refactor/rewrite VFS::resolve_path() This makes the implementation easier to follow, but also fixes multiple issues with the old implementation. In particular, it now deals properly with . and .. in paths, including around mount points. Hopefully there aren't many new bugs this introduces :^)
2020-01-14 13:30:15 +03:00
Kernel: Simplify VFS::resolve_path() further It turns out we don't even need to store the whole custody chain, as we only ever access its last element. So we can just store one custody. This also fixes a performance FIXME :^) Also, rename parent_custody to out_parent.
2020-01-15 10:52:33 +03:00
if (out_parent)
*out_parent = custody->parent();
return custody;
FileSystem: Add a Custody class that represents a parent/child guardianship. A custody is kind of a directory entry abstraction that represents a single entry in a parent directory that tells us the name of a child inode. The idea here is for path resolution to produce a chain of custody objects.
2019-05-30 18:46:08 +03:00
}
Kernel: Move all code into the Kernel namespace
2020-02-16 03:27:42 +03:00
}
Reference in New Issue Copy Permalink