/* * Copyright (c) 2018-2020, Andreas Kling * Copyright (c) 2022-2023, Liav A. * * SPDX-License-Identifier: BSD-2-Clause */ #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include namespace Kernel { static Singleton s_the; static constexpr int root_mount_flags = 0; static ErrorOr handle_mount_boolean_flag_as_invalid(Span, StringView, bool) { return EINVAL; } static ErrorOr handle_mount_unsigned_integer_flag_as_invalid(Span, StringView, u64) { return EINVAL; } static ErrorOr handle_mount_signed_integer_flag_as_invalid(Span, StringView, i64) { return EINVAL; } static ErrorOr handle_mount_ascii_string_flag_as_invalid(Span, StringView, StringView) { return EINVAL; } static constexpr FileSystemInitializer s_initializers[] = { { "proc"sv, "ProcFS"sv, false, false, false, {}, ProcFS::try_create, handle_mount_boolean_flag_as_invalid, handle_mount_unsigned_integer_flag_as_invalid, handle_mount_signed_integer_flag_as_invalid, handle_mount_ascii_string_flag_as_invalid }, { "devpts"sv, "DevPtsFS"sv, false, false, false, {}, DevPtsFS::try_create, handle_mount_boolean_flag_as_invalid, handle_mount_unsigned_integer_flag_as_invalid, handle_mount_signed_integer_flag_as_invalid, handle_mount_ascii_string_flag_as_invalid }, { "sys"sv, "SysFS"sv, false, false, false, {}, SysFS::try_create, handle_mount_boolean_flag_as_invalid, handle_mount_unsigned_integer_flag_as_invalid, handle_mount_signed_integer_flag_as_invalid, handle_mount_ascii_string_flag_as_invalid }, { "ram"sv, "RAMFS"sv, false, false, false, {}, RAMFS::try_create, handle_mount_boolean_flag_as_invalid, handle_mount_unsigned_integer_flag_as_invalid, handle_mount_signed_integer_flag_as_invalid, handle_mount_ascii_string_flag_as_invalid }, { "ext2"sv, "Ext2FS"sv, true, true, true, Ext2FS::try_create, {}, handle_mount_boolean_flag_as_invalid, handle_mount_unsigned_integer_flag_as_invalid, handle_mount_signed_integer_flag_as_invalid, handle_mount_ascii_string_flag_as_invalid }, { "9p"sv, "Plan9FS"sv, true, true, true, Plan9FS::try_create, {}, handle_mount_boolean_flag_as_invalid, handle_mount_unsigned_integer_flag_as_invalid, handle_mount_signed_integer_flag_as_invalid, handle_mount_ascii_string_flag_as_invalid }, { "iso9660"sv, "ISO9660FS"sv, true, true, true, ISO9660FS::try_create, {}, handle_mount_boolean_flag_as_invalid, handle_mount_unsigned_integer_flag_as_invalid, handle_mount_signed_integer_flag_as_invalid, handle_mount_ascii_string_flag_as_invalid }, { "fat"sv, "FATFS"sv, true, true, true, FATFS::try_create, {}, handle_mount_boolean_flag_as_invalid, handle_mount_unsigned_integer_flag_as_invalid, handle_mount_signed_integer_flag_as_invalid, handle_mount_ascii_string_flag_as_invalid }, { "devloop"sv, "DevLoopFS"sv, false, false, false, {}, DevLoopFS::try_create, handle_mount_boolean_flag_as_invalid, handle_mount_unsigned_integer_flag_as_invalid, handle_mount_signed_integer_flag_as_invalid, handle_mount_ascii_string_flag_as_invalid }, }; ErrorOr VirtualFileSystem::find_filesystem_type_initializer(StringView fs_type) { for (auto& initializer_entry : s_initializers) { if (fs_type == initializer_entry.short_name || fs_type == initializer_entry.name) return &initializer_entry; } return ENODEV; } UNMAP_AFTER_INIT void VirtualFileSystem::initialize() { s_the.ensure_instance(); } VirtualFileSystem& VirtualFileSystem::the() { return *s_the; } UNMAP_AFTER_INIT VirtualFileSystem::VirtualFileSystem() { } UNMAP_AFTER_INIT VirtualFileSystem::~VirtualFileSystem() = default; bool VirtualFileSystem::check_matching_absolute_path_hierarchy(Custody const& first_custody, Custody const& second_custody) { // Are both custodies the root mount? if (!first_custody.parent() && !second_custody.parent()) return true; if (first_custody.name() != second_custody.name()) return false; auto const* custody1 = &first_custody; auto const* custody2 = &second_custody; while (custody1->parent()) { if (!custody2->parent()) return false; if (custody1->parent().ptr() != custody2->parent().ptr()) return false; custody1 = custody1->parent(); custody2 = custody2->parent(); } return true; } bool VirtualFileSystem::mount_point_exists_at_custody(Custody& mount_point) { return m_mounts.with([&](auto& mounts) -> bool { return any_of(mounts, [&mount_point](auto const& existing_mount) { return existing_mount.host_custody() && check_matching_absolute_path_hierarchy(*existing_mount.host_custody(), mount_point); }); }); } ErrorOr VirtualFileSystem::add_file_system_to_mount_table(FileSystem& file_system, Custody& mount_point, int flags) { auto new_mount = TRY(adopt_nonnull_own_or_enomem(new (nothrow) Mount(file_system, &mount_point, flags))); return m_mounts.with([&](auto& mounts) -> ErrorOr { auto& mount_point_inode = mount_point.inode(); dbgln("VirtualFileSystem: FileSystemID {}, Mounting {} at inode {} with flags {}", file_system.fsid(), file_system.class_name(), mount_point_inode.identifier(), flags); if (mount_point_exists_at_custody(mount_point)) { dbgln("VirtualFileSystem: Mounting unsuccessful - inode {} is already a mount-point.", mount_point_inode.identifier()); return EBUSY; } // Note: Actually add a mount for the filesystem and increment the filesystem mounted count new_mount->guest_fs().mounted_count({}).with([&](auto& mounted_count) { mounted_count++; // When this is the first time this FileSystem is mounted, // begin managing the FileSystem by adding it to the list of // managed file systems. This is symmetric with // VirtualFileSystem::unmount()'s `remove()` calls (which remove // the FileSystem once it is no longer mounted). if (mounted_count == 1) { m_file_systems_list.with([&](auto& fs_list) { fs_list.append(file_system); }); } }); // NOTE: Leak the mount pointer so it can be added to the mount list, but it won't be // deleted after being added. mounts.append(*new_mount.leak_ptr()); return {}; }); } ErrorOr VirtualFileSystem::mount(MountFile& mount_file, OpenFileDescription* source_description, Custody& mount_point, int flags) { auto const& file_system_initializer = mount_file.file_system_initializer(); if (!source_description) { if (file_system_initializer.requires_open_file_description) return ENOTSUP; if (!file_system_initializer.create) return ENOTSUP; RefPtr fs; TRY(mount_file.mount_file_system_specific_data().with_exclusive([&](auto& mount_specific_data) -> ErrorOr { fs = TRY(file_system_initializer.create(mount_specific_data->bytes())); return {}; })); VERIFY(fs); TRY(fs->initialize()); TRY(add_file_system_to_mount_table(*fs, mount_point, flags)); return {}; } // NOTE: Although it might be OK to support creating filesystems // without providing an actual file descriptor to their create() method // because the caller of this function actually supplied a valid file descriptor, // this will only make things complicated in the future, so we should block // this kind of behavior. if (!file_system_initializer.requires_open_file_description) return ENOTSUP; if (file_system_initializer.requires_block_device && !source_description->file().is_block_device()) return ENOTBLK; if (file_system_initializer.requires_seekable_file && !source_description->file().is_seekable()) { dbgln("mount: this is not a seekable file"); return ENODEV; } // NOTE: If there's an associated file description with the filesystem, we could // try to first find it from the VirtualFileSystem filesystem list and if it was not found, // then create it and add it. VERIFY(file_system_initializer.create_with_fd); return m_file_backed_file_systems_list.with_exclusive([&](auto& list) -> ErrorOr { RefPtr fs; for (auto& node : list) { if ((&node.file_description() == source_description) || (&node.file() == &source_description->file())) { fs = node; break; } } if (!fs) { TRY(mount_file.mount_file_system_specific_data().with_exclusive([&](auto& mount_specific_data) -> ErrorOr { fs = TRY(file_system_initializer.create_with_fd(*source_description, mount_specific_data->bytes())); return {}; })); TRY(fs->initialize()); } if (source_description->file().is_loop_device()) { auto& device = static_cast(source_description->file()); auto path = TRY(device.custody().try_serialize_absolute_path()); dbgln("VirtualFileSystem: mounting from loop device {}, originated from {}", device.index(), path->view()); } TRY(add_file_system_to_mount_table(*fs, mount_point, flags)); list.append(static_cast(*fs)); return {}; }); } ErrorOr VirtualFileSystem::bind_mount(Custody& source, Custody& mount_point, int flags) { auto new_mount = TRY(adopt_nonnull_own_or_enomem(new (nothrow) Mount(source.inode(), mount_point, flags))); return m_mounts.with([&](auto& mounts) -> ErrorOr { auto& inode = mount_point.inode(); dbgln("VirtualFileSystem: Bind-mounting inode {} at inode {}", source.inode().identifier(), inode.identifier()); if (mount_point_exists_at_custody(mount_point)) { dbgln("VirtualFileSystem: Bind-mounting unsuccessful - inode {} is already a mount-point.", mount_point.inode().identifier()); return EBUSY; } // A bind mount also counts as a normal mount from the perspective of unmount(), // so we need to keep track of it in order for prepare_to_clear_last_mount() to work properly. new_mount->guest_fs().mounted_count({}).with([&](auto& count) { count++; }); // NOTE: Leak the mount pointer so it can be added to the mount list, but it won't be // deleted after being added. mounts.append(*new_mount.leak_ptr()); return {}; }); } ErrorOr VirtualFileSystem::remount(Custody& mount_point, int new_flags) { dbgln("VirtualFileSystem: Remounting inode {}", mount_point.inode().identifier()); TRY(apply_to_mount_for_host_custody(mount_point, [new_flags](auto& mount) { mount.set_flags(new_flags); })); return {}; } void VirtualFileSystem::sync_filesystems() { Vector, 32> file_systems; m_file_systems_list.with([&](auto const& list) { for (auto& fs : list) file_systems.append(fs); }); for (auto& fs : file_systems) { auto result = fs->flush_writes(); if (result.is_error()) { // TODO: Figure out how to propagate error to a higher function. } } } void VirtualFileSystem::lock_all_filesystems() { Vector, 32> file_systems; m_file_systems_list.with([&](auto const& list) { for (auto& fs : list) file_systems.append(fs); }); for (auto& fs : file_systems) fs->m_lock.lock(); } ErrorOr VirtualFileSystem::unmount(Custody& mountpoint_custody) { auto& guest_inode = mountpoint_custody.inode(); auto custody_path = TRY(mountpoint_custody.try_serialize_absolute_path()); return unmount(guest_inode, custody_path->view()); } ErrorOr VirtualFileSystem::unmount(Inode& guest_inode, StringView custody_path) { return m_file_backed_file_systems_list.with_exclusive([&](auto& file_backed_fs_list) -> ErrorOr { TRY(m_mounts.with([&](auto& mounts) -> ErrorOr { for (auto& mount : mounts) { if (&mount.guest() != &guest_inode) continue; auto mountpoint_path = TRY(mount.absolute_path()); if (custody_path != mountpoint_path->view()) continue; NonnullRefPtr fs = mount.guest_fs(); TRY(fs->prepare_to_unmount(mount.guest())); fs->mounted_count({}).with([&](auto& mounted_count) { VERIFY(mounted_count > 0); if (mounted_count == 1) { dbgln("VirtualFileSystem: Unmounting file system {} for the last time...", fs->fsid()); m_file_systems_list.with([&](auto& list) { list.remove(*fs); }); if (fs->is_file_backed()) { dbgln("VirtualFileSystem: Unmounting file backed file system {} for the last time...", fs->fsid()); auto& file_backed_fs = static_cast(*fs); file_backed_fs_list.remove(file_backed_fs); } } else { mounted_count--; } }); dbgln("VirtualFileSystem: Unmounting file system {}...", fs->fsid()); mount.m_vfs_list_node.remove(); // NOTE: This is balanced by a `new` statement that is happening in various places before inserting the Mount object to the list. delete &mount; return {}; } dbgln("VirtualFileSystem: Nothing mounted on inode {}", guest_inode.identifier()); return ENODEV; })); return {}; }); } ErrorOr VirtualFileSystem::mount_root(FileSystem& fs) { if (m_root_inode) { dmesgln("VirtualFileSystem: mount_root can't mount another root"); return EEXIST; } auto new_mount = TRY(adopt_nonnull_own_or_enomem(new (nothrow) Mount(fs, nullptr, root_mount_flags))); auto& root_inode = fs.root_inode(); if (!root_inode.is_directory()) { dmesgln("VirtualFileSystem: root inode ({}) for / is not a directory :(", root_inode.identifier()); return ENOTDIR; } m_root_inode = root_inode; if (fs.is_file_backed()) { auto pseudo_path = TRY(static_cast(fs).file_description().pseudo_path()); dmesgln("VirtualFileSystem: mounted root({}) from {} ({})", fs.fsid(), fs.class_name(), pseudo_path); m_file_backed_file_systems_list.with_exclusive([&](auto& list) { list.append(static_cast(fs)); }); } else { dmesgln("VirtualFileSystem: mounted root({}) from {}", fs.fsid(), fs.class_name()); } m_file_systems_list.with([&](auto& fs_list) { fs_list.append(fs); }); fs.mounted_count({}).with([&](auto& mounted_count) { mounted_count++; }); // Note: Actually add a mount for the filesystem and increment the filesystem mounted count m_mounts.with([&](auto& mounts) { // NOTE: Leak the mount pointer so it can be added to the mount list, but it won't be // deleted after being added. mounts.append(*new_mount.leak_ptr()); }); RefPtr new_root_custody = TRY(Custody::try_create(nullptr, ""sv, *m_root_inode, root_mount_flags)); m_root_custody.with([&](auto& root_custody) { swap(root_custody, new_root_custody); }); return {}; } ErrorOr VirtualFileSystem::apply_to_mount_for_host_custody(Custody const& current_custody, Function callback) { return m_mounts.with([&](auto& mounts) -> ErrorOr { // NOTE: We either search for the root mount or for a mount that has a parent custody! if (!current_custody.parent()) { for (auto& mount : mounts) { if (!mount.host_custody()) { callback(mount); return {}; } } // NOTE: There must be a root mount entry, so fail if we don't find it. VERIFY_NOT_REACHED(); } else { for (auto& mount : mounts) { if (mount.host_custody() && check_matching_absolute_path_hierarchy(*mount.host_custody(), current_custody)) { callback(mount); return {}; } } } return Error::from_errno(ENODEV); }); } ErrorOr VirtualFileSystem::traverse_directory_inode(Inode& dir_inode, Function(FileSystem::DirectoryEntryView const&)> callback) { return dir_inode.traverse_as_directory([&](auto& entry) -> ErrorOr { TRY(callback({ entry.name, entry.inode, entry.file_type })); return {}; }); } ErrorOr VirtualFileSystem::utime(Credentials const& credentials, StringView path, Custody& base, time_t atime, time_t mtime) { auto custody = TRY(resolve_path(credentials, path, base)); auto& inode = custody->inode(); if (!credentials.is_superuser() && inode.metadata().uid != credentials.euid()) return EACCES; if (custody->is_readonly()) return EROFS; TRY(inode.update_timestamps(UnixDateTime::from_seconds_since_epoch(atime), {}, UnixDateTime::from_seconds_since_epoch(mtime))); return {}; } ErrorOr VirtualFileSystem::utimensat(Credentials const& credentials, StringView path, Custody& base, timespec const& atime, timespec const& mtime, int options) { auto custody = TRY(resolve_path(credentials, path, base, nullptr, options)); return do_utimens(credentials, custody, atime, mtime); } ErrorOr VirtualFileSystem::do_utimens(Credentials const& credentials, Custody& custody, timespec const& atime, timespec const& mtime) { auto& inode = custody.inode(); if (!credentials.is_superuser() && inode.metadata().uid != credentials.euid()) return EACCES; if (custody.is_readonly()) return EROFS; // NOTE: A standard ext2 inode cannot store nanosecond timestamps. TRY(inode.update_timestamps( (atime.tv_nsec != UTIME_OMIT) ? UnixDateTime::from_unix_timespec(atime) : Optional {}, {}, (mtime.tv_nsec != UTIME_OMIT) ? UnixDateTime::from_unix_timespec(mtime) : Optional {})); return {}; } ErrorOr VirtualFileSystem::lookup_metadata(Credentials const& credentials, StringView path, Custody& base, int options) { auto custody = TRY(resolve_path(credentials, path, base, nullptr, options)); return custody->inode().metadata(); } ErrorOr> VirtualFileSystem::open(Credentials const& credentials, StringView path, int options, mode_t mode, Custody& base, Optional owner) { return open(Process::current(), credentials, path, options, mode, base, owner); } ErrorOr> VirtualFileSystem::open(Process const& process, Credentials const& credentials, StringView path, int options, mode_t mode, Custody& base, Optional owner) { if ((options & O_CREAT) && (options & O_DIRECTORY)) return EINVAL; RefPtr parent_custody; auto custody_or_error = resolve_path(process, credentials, path, base, &parent_custody, options); if (custody_or_error.is_error()) { // NOTE: ENOENT with a non-null parent custody signals us that the immediate parent // of the file exists, but the file itself does not. if ((options & O_CREAT) && custody_or_error.error().code() == ENOENT && parent_custody) return create(process, credentials, path, options, mode, *parent_custody, move(owner)); return custody_or_error.release_error(); } if ((options & O_CREAT) && (options & O_EXCL)) return EEXIST; auto& custody = *custody_or_error.value(); auto& inode = custody.inode(); auto metadata = inode.metadata(); if (metadata.is_regular_file() && (custody.mount_flags() & MS_NOREGULAR)) return EACCES; if ((options & O_DIRECTORY) && !metadata.is_directory()) return ENOTDIR; bool should_truncate_file = false; if ((options & O_RDONLY) && !metadata.may_read(credentials)) return EACCES; if (options & O_WRONLY) { if (!metadata.may_write(credentials)) return EACCES; if (metadata.is_directory()) return EISDIR; should_truncate_file = options & O_TRUNC; } if (options & O_EXEC) { if (!metadata.may_execute(credentials) || (custody.mount_flags() & MS_NOEXEC)) return EACCES; } if (metadata.is_fifo()) { auto fifo = TRY(inode.fifo()); if (options & O_WRONLY) { auto description = TRY(fifo->open_direction_blocking(FIFO::Direction::Writer)); description->set_rw_mode(options); description->set_file_flags(options); description->set_original_inode({}, inode); return description; } else if (options & O_RDONLY) { auto description = TRY(fifo->open_direction_blocking(FIFO::Direction::Reader)); description->set_rw_mode(options); description->set_file_flags(options); description->set_original_inode({}, inode); return description; } return EINVAL; } if (metadata.is_device()) { if (custody.mount_flags() & MS_NODEV) return EACCES; auto device = DeviceManagement::the().get_device(metadata.major_device, metadata.minor_device); if (device == nullptr) { return ENODEV; } auto description = TRY(device->open(options)); description->set_original_inode({}, inode); description->set_original_custody({}, custody); return description; } // Check for read-only FS. Do this after handling devices, but before modifying the inode in any way. if ((options & O_WRONLY) && custody.is_readonly()) return EROFS; if (should_truncate_file) { TRY(inode.truncate(0)); TRY(inode.update_timestamps({}, {}, kgettimeofday())); } auto description = TRY(OpenFileDescription::try_create(custody)); description->set_rw_mode(options); description->set_file_flags(options); return description; } ErrorOr VirtualFileSystem::mknod(Credentials const& credentials, StringView path, mode_t mode, dev_t dev, Custody& base) { if (!is_regular_file(mode) && !is_block_device(mode) && !is_character_device(mode) && !is_fifo(mode) && !is_socket(mode)) return EINVAL; RefPtr parent_custody; auto existing_file_or_error = resolve_path(credentials, path, base, &parent_custody); if (!existing_file_or_error.is_error()) return EEXIST; if (!parent_custody) return ENOENT; if (existing_file_or_error.error().code() != ENOENT) return existing_file_or_error.release_error(); auto& parent_inode = parent_custody->inode(); if (!parent_inode.metadata().may_write(credentials)) return EACCES; if (parent_custody->is_readonly()) return EROFS; auto basename = KLexicalPath::basename(path); dbgln_if(VFS_DEBUG, "VirtualFileSystem::mknod: '{}' mode={} dev={} in {}", basename, mode, dev, parent_inode.identifier()); (void)TRY(parent_inode.create_child(basename, mode, dev, credentials.euid(), credentials.egid())); return {}; } ErrorOr> VirtualFileSystem::create(Credentials const& credentials, StringView path, int options, mode_t mode, Custody& parent_custody, Optional owner) { return create(Process::current(), credentials, path, options, mode, parent_custody, owner); } ErrorOr> VirtualFileSystem::create(Process const& process, Credentials const& credentials, StringView path, int options, mode_t mode, Custody& parent_custody, Optional owner) { auto basename = KLexicalPath::basename(path); auto parent_path = TRY(parent_custody.try_serialize_absolute_path()); auto full_path = TRY(KLexicalPath::try_join(parent_path->view(), basename)); TRY(validate_path_against_process_veil(process, full_path->view(), options)); if (!is_socket(mode) && !is_fifo(mode) && !is_block_device(mode) && !is_character_device(mode)) { // Turn it into a regular file. (This feels rather hackish.) mode |= 0100000; } auto& parent_inode = parent_custody.inode(); if (!parent_inode.metadata().may_write(credentials)) return EACCES; if (parent_custody.is_readonly()) return EROFS; if (is_regular_file(mode) && (parent_custody.mount_flags() & MS_NOREGULAR)) return EACCES; dbgln_if(VFS_DEBUG, "VirtualFileSystem::create: '{}' in {}", basename, parent_inode.identifier()); auto uid = owner.has_value() ? owner.value().uid : credentials.euid(); auto gid = owner.has_value() ? owner.value().gid : credentials.egid(); auto inode = TRY(parent_inode.create_child(basename, mode, 0, uid, gid)); auto custody = TRY(Custody::try_create(&parent_custody, basename, inode, parent_custody.mount_flags())); auto description = TRY(OpenFileDescription::try_create(move(custody))); description->set_rw_mode(options); description->set_file_flags(options); return description; } ErrorOr VirtualFileSystem::mkdir(Credentials const& credentials, StringView path, mode_t mode, Custody& base) { // Unlike in basically every other case, where it's only the last // path component (the one being created) that is allowed not to // exist, POSIX allows mkdir'ed path to have trailing slashes. // Let's handle that case by trimming any trailing slashes. path = path.trim("/"sv, TrimMode::Right); if (path.is_empty()) { // NOTE: This means the path was a series of slashes, which resolves to "/". path = "/"sv; } RefPtr parent_custody; // FIXME: The errors returned by resolve_path_without_veil can leak information about paths that are not unveiled, // e.g. when the error is EACCESS or similar. auto result = resolve_path_without_veil(credentials, path, base, &parent_custody); if (!result.is_error()) return EEXIST; else if (!parent_custody) return result.release_error(); // NOTE: If resolve_path fails with a non-null parent custody, the error should be ENOENT. VERIFY(result.error().code() == ENOENT); TRY(validate_path_against_process_veil(*parent_custody, O_CREAT)); auto& parent_inode = parent_custody->inode(); if (!parent_inode.metadata().may_write(credentials)) return EACCES; if (parent_custody->is_readonly()) return EROFS; auto basename = KLexicalPath::basename(path); dbgln_if(VFS_DEBUG, "VirtualFileSystem::mkdir: '{}' in {}", basename, parent_inode.identifier()); (void)TRY(parent_inode.create_child(basename, S_IFDIR | mode, 0, credentials.euid(), credentials.egid())); return {}; } ErrorOr VirtualFileSystem::access(Credentials const& credentials, StringView path, int mode, Custody& base, AccessFlags access_flags) { auto should_follow_symlinks = !has_flag(access_flags, AccessFlags::DoNotFollowSymlinks); auto custody = TRY(resolve_path(credentials, path, base, nullptr, should_follow_symlinks ? 0 : O_NOFOLLOW_NOERROR)); auto& inode = custody->inode(); auto metadata = inode.metadata(); auto use_effective_ids = has_flag(access_flags, AccessFlags::EffectiveAccess) ? UseEffectiveIDs::Yes : UseEffectiveIDs::No; if (mode & R_OK) { if (!metadata.may_read(credentials, use_effective_ids)) return EACCES; } if (mode & W_OK) { if (!metadata.may_write(credentials, use_effective_ids)) return EACCES; if (custody->is_readonly()) return EROFS; } if (mode & X_OK) { if (!metadata.may_execute(credentials, use_effective_ids)) return EACCES; } return {}; } ErrorOr> VirtualFileSystem::open_directory(Credentials const& credentials, StringView path, Custody& base) { auto custody = TRY(resolve_path(credentials, path, base)); auto& inode = custody->inode(); if (!inode.is_directory()) return ENOTDIR; if (!inode.metadata().may_execute(credentials)) return EACCES; return custody; } ErrorOr VirtualFileSystem::chmod(Credentials const& credentials, Custody& custody, mode_t mode) { auto& inode = custody.inode(); if (credentials.euid() != inode.metadata().uid && !credentials.is_superuser()) return EPERM; if (custody.is_readonly()) return EROFS; // Only change the permission bits. mode = (inode.mode() & ~07777u) | (mode & 07777u); return inode.chmod(mode); } ErrorOr VirtualFileSystem::chmod(Credentials const& credentials, StringView path, mode_t mode, Custody& base, int options) { auto custody = TRY(resolve_path(credentials, path, base, nullptr, options)); return chmod(credentials, custody, mode); } ErrorOr VirtualFileSystem::rename(Credentials const& credentials, Custody& old_base, StringView old_path, Custody& new_base, StringView new_path) { RefPtr old_parent_custody; auto old_custody = TRY(resolve_path(credentials, old_path, old_base, &old_parent_custody, O_NOFOLLOW_NOERROR)); auto& old_inode = old_custody->inode(); RefPtr new_parent_custody; auto new_custody_or_error = resolve_path(credentials, new_path, new_base, &new_parent_custody); if (new_custody_or_error.is_error()) { if (new_custody_or_error.error().code() != ENOENT || !new_parent_custody) return new_custody_or_error.release_error(); } if (!old_parent_custody || !new_parent_custody) { return EPERM; } if (!new_custody_or_error.is_error()) { auto& new_inode = new_custody_or_error.value()->inode(); if (old_inode.index() != new_inode.index() && old_inode.is_directory() && new_inode.is_directory()) { size_t child_count = 0; TRY(new_inode.traverse_as_directory([&child_count](auto&) -> ErrorOr { ++child_count; return {}; })); if (child_count > 2) return ENOTEMPTY; } } auto& old_parent_inode = old_parent_custody->inode(); auto& new_parent_inode = new_parent_custody->inode(); if (&old_parent_inode.fs() != &new_parent_inode.fs()) return EXDEV; for (auto* new_ancestor = new_parent_custody.ptr(); new_ancestor; new_ancestor = new_ancestor->parent()) { if (&old_inode == &new_ancestor->inode()) return EDIRINTOSELF; } if (!new_parent_inode.metadata().may_write(credentials)) return EACCES; if (!old_parent_inode.metadata().may_write(credentials)) return EACCES; if (old_parent_inode.metadata().is_sticky()) { if (!credentials.is_superuser() && old_parent_inode.metadata().uid != credentials.euid() && old_inode.metadata().uid != credentials.euid()) return EACCES; } if (old_parent_custody->is_readonly() || new_parent_custody->is_readonly()) return EROFS; auto old_basename = KLexicalPath::basename(old_path); if (old_basename.is_empty() || old_basename == "."sv || old_basename == ".."sv) return EINVAL; auto new_basename = KLexicalPath::basename(new_path); if (new_basename.is_empty() || new_basename == "."sv || new_basename == ".."sv) return EINVAL; if (old_basename == new_basename && old_parent_inode.index() == new_parent_inode.index()) return {}; if (!new_custody_or_error.is_error()) { auto& new_custody = *new_custody_or_error.value(); auto& new_inode = new_custody.inode(); // When the source/dest inodes are the same (in other words, // when `old_path` and `new_path` are the same), perform a no-op // and return success. // Linux (`vfs_rename()`) and OpenBSD (`dorenameat()`) appear to have // this same no-op behavior. if (&new_inode == &old_inode) return {}; if (new_parent_inode.metadata().is_sticky()) { if (!credentials.is_superuser() && new_inode.metadata().uid != credentials.euid()) return EACCES; } if (new_inode.is_directory() && !old_inode.is_directory()) return EISDIR; TRY(new_parent_inode.remove_child(new_basename)); } TRY(new_parent_inode.add_child(old_inode, new_basename, old_inode.mode())); TRY(old_parent_inode.remove_child(old_basename)); // If the inode that we moved is a directory and we changed parent // directories, then we also have to make .. point to the new parent inode, // because .. is its own inode. if (old_inode.is_directory() && old_parent_inode.index() != new_parent_inode.index()) { TRY(old_inode.replace_child(".."sv, new_parent_inode)); } return {}; } ErrorOr VirtualFileSystem::chown(Credentials const& credentials, Custody& custody, UserID a_uid, GroupID a_gid) { auto& inode = custody.inode(); auto metadata = inode.metadata(); if (credentials.euid() != metadata.uid && !credentials.is_superuser()) return EPERM; UserID new_uid = metadata.uid; GroupID new_gid = metadata.gid; if (a_uid != (uid_t)-1) { if (credentials.euid() != a_uid && !credentials.is_superuser()) return EPERM; new_uid = a_uid; } if (a_gid != (gid_t)-1) { if (!credentials.in_group(a_gid) && !credentials.is_superuser()) return EPERM; new_gid = a_gid; } if (custody.is_readonly()) return EROFS; dbgln_if(VFS_DEBUG, "VirtualFileSystem::chown(): inode {} <- uid={} gid={}", inode.identifier(), new_uid, new_gid); if (metadata.is_setuid() || metadata.is_setgid()) { dbgln_if(VFS_DEBUG, "VirtualFileSystem::chown(): Stripping SUID/SGID bits from {}", inode.identifier()); TRY(inode.chmod(metadata.mode & ~(04000 | 02000))); } return inode.chown(new_uid, new_gid); } ErrorOr VirtualFileSystem::chown(Credentials const& credentials, StringView path, UserID a_uid, GroupID a_gid, Custody& base, int options) { auto custody = TRY(resolve_path(credentials, path, base, nullptr, options)); return chown(credentials, custody, a_uid, a_gid); } static bool hard_link_allowed(Credentials const& credentials, Inode const& inode) { auto metadata = inode.metadata(); if (credentials.euid() == metadata.uid) return true; if (metadata.is_regular_file() && !metadata.is_setuid() && !(metadata.is_setgid() && metadata.mode & S_IXGRP) && metadata.may_write(credentials)) { return true; } return false; } ErrorOr VirtualFileSystem::link(Credentials const& credentials, StringView old_path, StringView new_path, Custody& base) { // NOTE: To prevent unveil bypass by creating an hardlink after unveiling a path as read-only, // check that if write permission is allowed by the veil info on the old_path. auto old_custody = TRY(resolve_path(credentials, old_path, base, nullptr, O_RDWR)); auto& old_inode = old_custody->inode(); RefPtr parent_custody; auto new_custody_or_error = resolve_path(credentials, new_path, base, &parent_custody); if (!new_custody_or_error.is_error()) return EEXIST; if (!parent_custody) return ENOENT; auto& parent_inode = parent_custody->inode(); if (parent_inode.fsid() != old_inode.fsid()) return EXDEV; if (!parent_inode.metadata().may_write(credentials)) return EACCES; if (old_inode.is_directory()) return EPERM; if (parent_custody->is_readonly()) return EROFS; if (!hard_link_allowed(credentials, old_inode)) return EPERM; return parent_inode.add_child(old_inode, KLexicalPath::basename(new_path), old_inode.mode()); } ErrorOr VirtualFileSystem::unlink(Credentials const& credentials, StringView path, Custody& base) { RefPtr parent_custody; auto custody = TRY(resolve_path(credentials, path, base, &parent_custody, O_WRONLY | O_NOFOLLOW_NOERROR | O_UNLINK_INTERNAL)); auto& inode = custody->inode(); if (inode.is_directory()) return EISDIR; // We have just checked that the inode is not a directory, and thus it's not // the root. So it should have a parent. Note that this would be invalidated // if we were to support bind-mounting regular files on top of the root. VERIFY(parent_custody); auto& parent_inode = parent_custody->inode(); if (!parent_inode.metadata().may_write(credentials)) return EACCES; if (parent_inode.metadata().is_sticky()) { if (!credentials.is_superuser() && parent_inode.metadata().uid != credentials.euid() && inode.metadata().uid != credentials.euid()) return EACCES; } if (parent_custody->is_readonly()) return EROFS; return parent_inode.remove_child(KLexicalPath::basename(path)); } ErrorOr VirtualFileSystem::symlink(Credentials const& credentials, StringView target, StringView linkpath, Custody& base) { // NOTE: Check that the actual target (if it exists right now) is unveiled and prevent creating symlinks on veiled paths! if (auto target_custody_or_error = resolve_path_without_veil(credentials, target, base, nullptr, O_RDWR, 0); !target_custody_or_error.is_error()) { auto target_custody = target_custody_or_error.release_value(); TRY(validate_path_against_process_veil(*target_custody, O_RDWR)); } RefPtr parent_custody; auto existing_custody_or_error = resolve_path(credentials, linkpath, base, &parent_custody, O_RDWR); if (!existing_custody_or_error.is_error()) return EEXIST; if (!parent_custody) return ENOENT; // NOTE: VERY IMPORTANT! We prevent creating symlinks in case the program didn't unveil the parent_custody // path! For example, say the program wanted to create a symlink in /tmp/symlink to /tmp/test/pointee_symlink // and unveiled the /tmp/test/ directory path beforehand, but not the /tmp directory path - the symlink syscall will // fail here because we can't create the symlink in a parent directory path we didn't unveil beforehand. TRY(validate_path_against_process_veil(*parent_custody, O_RDWR)); if (existing_custody_or_error.is_error() && existing_custody_or_error.error().code() != ENOENT) return existing_custody_or_error.release_error(); auto& parent_inode = parent_custody->inode(); if (!parent_inode.metadata().may_write(credentials)) return EACCES; if (parent_custody->is_readonly()) return EROFS; auto basename = KLexicalPath::basename(linkpath); dbgln_if(VFS_DEBUG, "VirtualFileSystem::symlink: '{}' (-> '{}') in {}", basename, target, parent_inode.identifier()); auto inode = TRY(parent_inode.create_child(basename, S_IFLNK | 0644, 0, credentials.euid(), credentials.egid())); auto target_buffer = UserOrKernelBuffer::for_kernel_buffer(const_cast((u8 const*)target.characters_without_null_termination())); TRY(inode->write_bytes(0, target.length(), target_buffer, nullptr)); return {}; } // https://pubs.opengroup.org/onlinepubs/9699919799/functions/rmdir.html ErrorOr VirtualFileSystem::rmdir(Credentials const& credentials, StringView path, Custody& base) { RefPtr parent_custody; auto custody = TRY(resolve_path(credentials, path, base, &parent_custody, O_CREAT)); auto& inode = custody->inode(); auto last_component = KLexicalPath::basename(path); // [EINVAL] The path argument contains a last component that is dot. if (last_component == "."sv) return EINVAL; // [ENOTDIR] A component of path names an existing file that is neither a directory // nor a symbolic link to a directory. if (!inode.is_directory()) return ENOTDIR; // [EBUSY] The directory to be removed is currently in use by the system or some process // and the implementation considers this to be an error. // NOTE: If there is no parent, that means we're trying to rmdir the root directory! if (!parent_custody) return EBUSY; auto& parent_inode = parent_custody->inode(); auto parent_metadata = parent_inode.metadata(); // [EACCES] Search permission is denied on a component of the path prefix, // or write permission is denied on the parent directory of the directory to be removed. if (!parent_metadata.may_write(credentials)) return EACCES; if (parent_metadata.is_sticky()) { // [EACCES] The S_ISVTX flag is set on the directory containing the file referred to by the path argument // and the process does not satisfy the criteria specified in XBD Directory Protection. if (!credentials.is_superuser() && inode.metadata().uid != credentials.euid() && parent_metadata.uid != credentials.euid()) { return EACCES; } } size_t child_count = 0; TRY(inode.traverse_as_directory([&child_count](auto&) -> ErrorOr { ++child_count; return {}; })); // [ENOTEMPTY] The path argument names a directory that is not an empty directory, // or there are hard links to the directory other than dot or a single entry in dot-dot. if (child_count != 2) return ENOTEMPTY; // [EROFS] The directory entry to be removed resides on a read-only file system. if (custody->is_readonly()) return EROFS; TRY(inode.remove_child("."sv)); TRY(inode.remove_child(".."sv)); return parent_inode.remove_child(KLexicalPath::basename(path)); } ErrorOr VirtualFileSystem::for_each_mount(Function(Mount const&)> callback) const { return m_mounts.with([&](auto& mounts) -> ErrorOr { for (auto& mount : mounts) TRY(callback(mount)); return {}; }); } void VirtualFileSystem::sync() { FileSystem::sync(); } NonnullRefPtr VirtualFileSystem::root_custody() { return m_root_custody.with([](auto& root_custody) -> NonnullRefPtr { return *root_custody; }); } UnveilNode const& VirtualFileSystem::find_matching_unveiled_path(Process const& process, StringView path) { VERIFY(process.veil_state() != VeilState::None); return process.unveil_data().with([&](auto const& unveil_data) -> UnveilNode const& { auto path_parts = KLexicalPath::parts(path); return unveil_data.paths.traverse_until_last_accessible_node(path_parts.begin(), path_parts.end()); }); } ErrorOr VirtualFileSystem::validate_path_against_process_veil(Custody const& custody, int options) { return validate_path_against_process_veil(Process::current(), custody, options); } ErrorOr VirtualFileSystem::validate_path_against_process_veil(Process const& process, Custody const& custody, int options) { if (process.veil_state() == VeilState::None) return {}; auto absolute_path = TRY(custody.try_serialize_absolute_path()); return validate_path_against_process_veil(process, absolute_path->view(), options); } ErrorOr VirtualFileSystem::validate_path_against_process_veil(Process const& process, StringView path, int options) { if (process.veil_state() == VeilState::None) return {}; VERIFY(path.starts_with('/')); VERIFY(!path.contains("/../"sv) && !path.ends_with("/.."sv)); VERIFY(!path.contains("/./"sv) && !path.ends_with("/."sv)); #ifdef SKIP_PATH_VALIDATION_FOR_COVERAGE_INSTRUMENTATION // Skip veil validation against profile data when coverage is enabled for userspace // so that all processes can write out coverage data even with veils in place if (KLexicalPath::basename(path).ends_with(".profraw"sv)) return {}; #endif auto log_veiled_path = [&](Optional const& with_permissions = {}) { if (with_permissions.has_value()) dbgln("\033[31;1mRejecting path '{}' because it hasn't been unveiled with {} permissions\033[0m", path, *with_permissions); else dbgln("\033[31;1mRejecting path '{}' because it hasn't been unveiled\033[0m", path); dump_backtrace(); }; auto& unveiled_path = find_matching_unveiled_path(process, path); if (unveiled_path.permissions() == UnveilAccess::None) { log_veiled_path(); return ENOENT; } if (options & O_CREAT) { if (!(unveiled_path.permissions() & UnveilAccess::CreateOrRemove)) { log_veiled_path("'c'"sv); return EACCES; } } if (options & O_UNLINK_INTERNAL) { if (!(unveiled_path.permissions() & UnveilAccess::CreateOrRemove)) { log_veiled_path("'c'"sv); return EACCES; } return {}; } if (options & O_RDONLY) { if (options & O_DIRECTORY) { if (!(unveiled_path.permissions() & (UnveilAccess::Read | UnveilAccess::Browse))) { log_veiled_path("'r' or 'b'"sv); return EACCES; } } else { if (!(unveiled_path.permissions() & UnveilAccess::Read)) { log_veiled_path("'r'"sv); return EACCES; } } } if (options & O_WRONLY) { if (!(unveiled_path.permissions() & UnveilAccess::Write)) { log_veiled_path("'w'"sv); return EACCES; } } if (options & O_EXEC) { if (!(unveiled_path.permissions() & UnveilAccess::Execute)) { log_veiled_path("'x'"sv); return EACCES; } } return {}; } ErrorOr VirtualFileSystem::validate_path_against_process_veil(StringView path, int options) { return validate_path_against_process_veil(Process::current(), path, options); } ErrorOr> VirtualFileSystem::resolve_path(Credentials const& credentials, StringView path, NonnullRefPtr base, RefPtr* out_parent, int options, int symlink_recursion_level) { return resolve_path(Process::current(), credentials, path, base, out_parent, options, symlink_recursion_level); } ErrorOr> VirtualFileSystem::resolve_path(Process const& process, Credentials const& credentials, StringView path, NonnullRefPtr base, RefPtr* out_parent, int options, int symlink_recursion_level) { // FIXME: The errors returned by resolve_path_without_veil can leak information about paths that are not unveiled, // e.g. when the error is EACCESS or similar. auto custody = TRY(resolve_path_without_veil(credentials, path, base, out_parent, options, symlink_recursion_level)); if (auto result = validate_path_against_process_veil(process, *custody, options); result.is_error()) { if (out_parent) out_parent->clear(); return result.release_error(); } return custody; } static bool safe_to_follow_symlink(Credentials const& credentials, Inode const& inode, InodeMetadata const& parent_metadata) { auto metadata = inode.metadata(); if (credentials.euid() == metadata.uid) return true; if (!(parent_metadata.is_sticky() && parent_metadata.mode & S_IWOTH)) return true; if (metadata.uid == parent_metadata.uid) return true; return false; } ErrorOr> VirtualFileSystem::resolve_path_without_veil(Credentials const& credentials, StringView path, NonnullRefPtr base, RefPtr* out_parent, int options, int symlink_recursion_level) { if (symlink_recursion_level >= symlink_recursion_limit) return ELOOP; if (path.is_empty()) return EINVAL; GenericLexer path_lexer(path); NonnullRefPtr custody = path[0] == '/' ? root_custody() : base; bool extra_iteration = path[path.length() - 1] == '/'; while (!path_lexer.is_eof() || extra_iteration) { if (path_lexer.is_eof()) extra_iteration = false; auto part = path_lexer.consume_until('/'); path_lexer.ignore(); Custody& parent = custody; auto parent_metadata = parent.inode().metadata(); if (!parent_metadata.is_directory()) return ENOTDIR; // Ensure the current user is allowed to resolve paths inside this directory. if (!parent_metadata.may_execute(credentials)) return EACCES; bool have_more_parts = !path_lexer.is_eof() || extra_iteration; if (part == "..") { // If we encounter a "..", take a step back, but don't go beyond the root. if (custody->parent()) custody = *custody->parent(); continue; } else if (part == "." || part.is_empty()) { continue; } // Okay, let's look up this part. auto child_or_error = parent.inode().lookup(part); if (child_or_error.is_error()) { if (out_parent) { // ENOENT with a non-null parent custody signals to caller that // we found the immediate parent of the file, but the file itself // does not exist yet. *out_parent = have_more_parts ? nullptr : &parent; } return child_or_error.release_error(); } auto child_inode = child_or_error.release_value(); int mount_flags_for_child = parent.mount_flags(); auto current_custody = TRY(Custody::try_create(&parent, part, *child_inode, mount_flags_for_child)); // See if there's something mounted on the child; in that case // we would need to return the guest inode, not the host inode. auto found_mount_or_error = apply_to_mount_for_host_custody(current_custody, [&child_inode, &mount_flags_for_child](auto& mount) { child_inode = mount.guest(); mount_flags_for_child = mount.flags(); }); if (!found_mount_or_error.is_error()) { custody = TRY(Custody::try_create(&parent, part, *child_inode, mount_flags_for_child)); } else { custody = current_custody; } if (child_inode->metadata().is_symlink()) { if (!have_more_parts) { if (options & O_NOFOLLOW) return ELOOP; if (options & O_NOFOLLOW_NOERROR) break; } if (!safe_to_follow_symlink(credentials, *child_inode, parent_metadata)) return EACCES; TRY(validate_path_against_process_veil(*custody, options)); auto symlink_target = TRY(child_inode->resolve_as_link(credentials, parent, out_parent, options, symlink_recursion_level + 1)); if (!have_more_parts) return symlink_target; // Now, resolve the remaining path relative to the symlink target. // We prepend a "." to it to ensure that it's not empty and that // any initial slashes it might have get interpreted properly. StringBuilder remaining_path; TRY(remaining_path.try_append('.')); TRY(remaining_path.try_append(path.substring_view_starting_after_substring(part))); return resolve_path_without_veil(credentials, remaining_path.string_view(), symlink_target, out_parent, options, symlink_recursion_level + 1); } } if (out_parent) *out_parent = custody->parent(); return custody; } }