beenull/ladybird
1
0
Fork 0
mirror of https://github.com/LadybirdBrowser/ladybird.git synced 2024-11-25 17:10:23 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 7
ladybird/Kernel/FileSystem/VirtualFileSystem.cpp

1059 lines
35 KiB
C++
Raw Normal View History

Meta: Add license header to source files As suggested by Joshua, this commit adds the 2-clause BSD license as a comment block to the top of every source file. For the first pass, I've just added myself for simplicity. I encourage everyone to add themselves as copyright holders of any file they've added or modified in some significant way. If I've added myself in error somewhere, feel free to replace it with the appropriate copyright holder instead. Going forward, all new source files should include a license header.
2020-01-18 08:38:21 +00:00
/*
* Copyright (c) 2018-2020, Andreas Kling <kling@serenityos.org>
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions are met:
*
* 1. Redistributions of source code must retain the above copyright notice, this
* list of conditions and the following disclaimer.
*
* 2. Redistributions in binary form must reproduce the above copyright notice,
* this list of conditions and the following disclaimer in the documentation
* and/or other materials provided with the distribution.
*
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
* AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
* DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
* SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
* CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
* OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*/
AK: Rename FileSystemPath -> LexicalPath And move canonicalized_path() to a static method on LexicalPath. This is to make it clear that FileSystemPath/canonicalized_path() only perform *lexical* canonicalization.
2020-05-26 11:52:44 +00:00
#include <AK/LexicalPath.h>
Kernel: Switch singletons to use new Singleton class MemoryManager cannot use the Singleton class because MemoryManager::initialize is called before the global constructors are run. That caused the Singleton to be re-initialized, causing it to create another MemoryManager instance. Fixes #3226
2020-08-25 01:35:19 +00:00
#include <AK/Singleton.h>
Add a VFS::absolutePath(InodeIdentifier). This is pretty inefficient for ext2fs. We walk the entire block group containing the inode, searching through every directory for an entry referencing this inode. It might be a good idea to cache this information somehow. I'm not sure how often we'll be searching for it. Obviously there are multiple caching layers missing in the file system.
2018-10-28 11:20:25 +00:00
#include <AK/StringBuilder.h>
Meta: Split debug defines into multiple headers. The following script was used to make these changes: #!/bin/bash set -e tmp=$(mktemp -d) echo "tmp=$tmp" find Kernel \( -name '*.cpp' -o -name '*.h' \) | sort > $tmp/Kernel.files find . \( -path ./Toolchain -prune -o -path ./Build -prune -o -path ./Kernel -prune \) -o \( -name '*.cpp' -o -name '*.h' \) -print | sort > $tmp/EverythingExceptKernel.files cat $tmp/Kernel.files | xargs grep -Eho '[A-Z0-9_]+_DEBUG' | sort | uniq > $tmp/Kernel.macros cat $tmp/EverythingExceptKernel.files | xargs grep -Eho '[A-Z0-9_]+_DEBUG' | sort | uniq > $tmp/EverythingExceptKernel.macros comm -23 $tmp/Kernel.macros $tmp/EverythingExceptKernel.macros > $tmp/Kernel.unique comm -1 $tmp/Kernel.macros $tmp/EverythingExceptKernel.macros > $tmp/EverythingExceptKernel.unique cat $tmp/Kernel.unique | awk '{ print "#cmakedefine01 "$1 }' > $tmp/Kernel.header cat $tmp/EverythingExceptKernel.unique | awk '{ print "#cmakedefine01 "$1 }' > $tmp/EverythingExceptKernel.header for macro in $(cat $tmp/Kernel.unique) do cat $tmp/Kernel.files | xargs grep -l $macro >> $tmp/Kernel.new-includes ||: done cat $tmp/Kernel.new-includes | sort > $tmp/Kernel.new-includes.sorted for macro in $(cat $tmp/EverythingExceptKernel.unique) do cat $tmp/Kernel.files | xargs grep -l $macro >> $tmp/Kernel.old-includes ||: done cat $tmp/Kernel.old-includes | sort > $tmp/Kernel.old-includes.sorted comm -23 $tmp/Kernel.new-includes.sorted $tmp/Kernel.old-includes.sorted > $tmp/Kernel.includes.new comm -13 $tmp/Kernel.new-includes.sorted $tmp/Kernel.old-includes.sorted > $tmp/Kernel.includes.old comm -12 $tmp/Kernel.new-includes.sorted $tmp/Kernel.old-includes.sorted > $tmp/Kernel.includes.mixed for file in $(cat $tmp/Kernel.includes.new) do sed -i -E 's/#include <AK\/Debug\.h>/#include <Kernel\/Debug\.h>/' $file done for file in $(cat $tmp/Kernel.includes.mixed) do echo "mixed include in $file, requires manual editing." done
2021-01-25 15:07:10 +00:00
#include <Kernel/Debug.h>
Kernel: Add forward declaration header
2020-02-16 00:50:16 +00:00
#include <Kernel/Devices/BlockDevice.h>
FileSystem: Add a Custody class that represents a parent/child guardianship. A custody is kind of a directory entry abstraction that represents a single entry in a parent directory that tells us the name of a child inode. The idea here is for path resolution to produce a chain of custody objects.
2019-05-30 15:46:08 +00:00
#include <Kernel/FileSystem/Custody.h>
Kernel: Change Ext2FS to be backed by a file instead of a block device In contrast to the previous patchset that was reverted, this time we use a "special" method to access a file with block size of 512 bytes (like a harddrive essentially).
2020-04-06 08:54:21 +00:00
#include <Kernel/FileSystem/FileBackedFileSystem.h>
Kernel: Run clang-format on everything.
2019-06-07 09:43:58 +00:00
#include <Kernel/FileSystem/FileDescription.h>
Kernel: Qualify a bunch of #include statements.
2019-06-07 17:29:34 +00:00
#include <Kernel/FileSystem/FileSystem.h>
#include <Kernel/FileSystem/VirtualFileSystem.h>
Kernel: Move all code into the Kernel namespace
2020-02-16 00:27:42 +00:00
#include <Kernel/KSyms.h>
Kernel: Run clang-format on everything.
2019-06-07 09:43:58 +00:00
#include <Kernel/Process.h>
#include <LibC/errno_numbers.h>
Import all this stuff into a single repo called Serenity.
2018-10-10 09:53:07 +00:00
Kernel: Move all code into the Kernel namespace
2020-02-16 00:27:42 +00:00
namespace Kernel {
Kernel: Switch singletons to use new Singleton class MemoryManager cannot use the Singleton class because MemoryManager::initialize is called before the global constructors are run. That caused the Singleton to be re-initialized, causing it to create another MemoryManager instance. Fixes #3226
2020-08-25 01:35:19 +00:00
static AK::Singleton<VFS> s_the;
Kernel: Implement recursion limit on path resolution Cautiously use 5 as a limit for now so that we don't blow the stack. This can be increased in the future if we are sure that we won't be blowing the stack, or if the implementation is changed to not use recursion :^)
2019-12-24 09:39:21 +00:00
static constexpr int symlink_recursion_limit { 5 }; // FIXME: increase?
Kernel+Base: Mount root filesystem read-only :^) We remount /home and /root as read-write, to keep the ability to modify files there. /tmp remains read-write, as it is mounted from a TmpFS.
2020-05-28 15:06:13 +00:00
static constexpr int root_mount_flags = MS_NODEV | MS_NOSUID | MS_RDONLY;
Add an fd field to FileHandle in Kernel builds.
2018-10-18 08:27:07 +00:00
Kernel: Slap UNMAP_AFTER_INIT on a whole bunch of functions There's no real system here, I just added it to various functions that I don't believe we ever want to call after initialization has finished. With these changes, we're able to unmap 60 KiB of kernel text after init. :^)
2021-02-19 17:41:50 +00:00
UNMAP_AFTER_INIT void VFS::initialize()
Kernel: Switch singletons to use new Singleton class MemoryManager cannot use the Singleton class because MemoryManager::initialize is called before the global constructors are run. That caused the Singleton to be re-initialized, causing it to create another MemoryManager instance. Fixes #3226
2020-08-25 01:35:19 +00:00
{
s_the.ensure_instance();
}
Rename: VirtualFileSystem -> VFS VirtualFileSystem::Node -> Vnode
2018-11-15 13:43:10 +00:00
VFS& VFS::the()
Add an fd field to FileHandle in Kernel builds.
2018-10-18 08:27:07 +00:00
{
return *s_the;
}
Kernel: Slap UNMAP_AFTER_INIT on a whole bunch of functions There's no real system here, I just added it to various functions that I don't believe we ever want to call after initialization has finished. With these changes, we're able to unmap 60 KiB of kernel text after init. :^)
2021-02-19 17:41:50 +00:00
UNMAP_AFTER_INIT VFS::VFS()
Import all this stuff into a single repo called Serenity.
2018-10-10 09:53:07 +00:00
{
Everywhere: Use CMake to generate AK/Debug.h. This was done with the help of several scripts, I dump them here to easily find them later: awk '/#ifdef/ { print "#cmakedefine01 "$2 }' AK/Debug.h.in for debug_macro in $(awk '/#ifdef/ { print $2 }' AK/Debug.h.in) do find . \( -name '*.cpp' -o -name '*.h' -o -name '*.in' \) -not -path './Toolchain/*' -not -path './Build/*' -exec sed -i -E 's/#ifdef '$debug_macro'/#if '$debug_macro'/' {} \; done # Remember to remove WRAPPER_GERNERATOR_DEBUG from the list. awk '/#cmake/ { print "set("$2" ON)" }' AK/Debug.h.in
2021-01-23 22:29:11 +00:00
#if VFS_DEBUG
Kernel: Use klog() instead of kprintf() Also, duplicate data in dbg() and klog() calls were removed. In addition, leakage of virtual address to kernel log is prevented. This is done by replacing kprintf() calls to dbg() calls with the leaked data instead. Also, other kprintf() calls were replaced with klog().
2020-03-01 19:45:39 +00:00
klog() << "VFS: Constructing VFS";
A lot of hacking: - More work on funneling console output through Console. - init() now breaks off into a separate task ASAP. - ..this leaves the "colonel" task as a simple hlt idle loop. - Mask all IRQs on startup (except IRQ2 for slave passthru) - Fix underallocation bug in Task::allocateRegion(). - Remember how many times each Task has been scheduled. The panel and scheduling banner are disabled until I get things working nicely in the (brave) new Console world.
2018-10-22 09:15:16 +00:00
#endif
Import all this stuff into a single repo called Serenity.
2018-10-10 09:53:07 +00:00
}
Kernel: Slap UNMAP_AFTER_INIT on a whole bunch of functions There's no real system here, I just added it to various functions that I don't believe we ever want to call after initialization has finished. With these changes, we're able to unmap 60 KiB of kernel text after init. :^)
2021-02-19 17:41:50 +00:00
UNMAP_AFTER_INIT VFS::~VFS()
Import all this stuff into a single repo called Serenity.
2018-10-10 09:53:07 +00:00
{
Virtual consoles kinda work! We now make three VirtualConsoles at boot: tty0, tty1, and tty2. We launch an instance of /bin/sh in each one. You switch between them with Alt+1/2/3 How very very cool :^)
2018-10-30 14:33:37 +00:00
}
Fix mkdir with relative paths.
2018-11-18 22:28:43 +00:00
InodeIdentifier VFS::root_inode_id() const
{
Get rid of Vnode concept. We already have an abstraction between Process and Inode/CharacterDevice/FIFO and it's called FileDescriptor. :^)
2019-01-16 11:57:07 +00:00
ASSERT(m_root_inode);
return m_root_inode->identifier();
Fix mkdir with relative paths.
2018-11-18 22:28:43 +00:00
}
Kernel+LibC: Add support for mount flags At the moment, the actual flags are ignored, but we correctly propagate them all the way from the original mount() syscall to each custody that resides on the mounted FS.
2020-01-11 15:25:26 +00:00
KResult VFS::mount(FS& file_system, Custody& mount_point, int flags)
Kernel: Some improvements to the mount syscall - You must now have superuser privileges to use mount(). - We now verify that the mount point is a valid path first, before trying to find a filesystem on the specified device. - Convert some dbgprintf() to dbg().
2019-08-02 17:03:50 +00:00
{
Kernel: Misc tweaks
2020-05-28 15:46:16 +00:00
LOCKER(m_lock);
Kernel: Some improvements to the mount syscall - You must now have superuser privileges to use mount(). - We now verify that the mount point is a valid path first, before trying to find a filesystem on the specified device. - Convert some dbgprintf() to dbg().
2019-08-02 17:03:50 +00:00
auto& inode = mount_point.inode();
Everywhere: Replace a bundle of dbg with dbgln. These changes are arbitrarily divided into multiple commits to make it easier to find potentially introduced bugs with git bisect.Everything:
2021-01-10 14:17:54 +00:00
dbgln("VFS: Mounting {} at {} (inode: {}) with flags {}",
file_system.class_name(),
mount_point.absolute_path(),
inode.identifier(),
flags);
Kernel: Some improvements to the mount syscall - You must now have superuser privileges to use mount(). - We now verify that the mount point is a valid path first, before trying to find a filesystem on the specified device. - Convert some dbgprintf() to dbg().
2019-08-02 17:03:50 +00:00
// FIXME: check that this is not already a mount point
Kernel+LibC: Add support for mount flags At the moment, the actual flags are ignored, but we correctly propagate them all the way from the original mount() syscall to each custody that resides on the mounted FS.
2020-01-11 15:25:26 +00:00
Mount mount { file_system, &mount_point, flags };
Kernel: Some improvements to the mount syscall - You must now have superuser privileges to use mount(). - We now verify that the mount point is a valid path first, before trying to find a filesystem on the specified device. - Convert some dbgprintf() to dbg().
2019-08-02 17:03:50 +00:00
m_mounts.append(move(mount));
return KSuccess;
}
Kernel: Properly propagate bind mount flags Previously, when performing a bind mount flags other than MS_BIND were ignored. Now, they're properly propagated the same way a for any other mount.
2020-01-12 16:22:24 +00:00
KResult VFS::bind_mount(Custody& source, Custody& mount_point, int flags)
Kernel: Implement bind mounts You can now bind-mount files and directories. This essentially exposes an existing part of the file system in another place, and can be used as an alternative to symlinks or hardlinks. Here's an example of doing this: # mkdir /tmp/foo # mount /home/anon/myfile.txt /tmp/foo -o bind # cat /tmp/foo This is anon's file.
2020-01-11 16:08:35 +00:00
{
Kernel: Misc tweaks
2020-05-28 15:46:16 +00:00
LOCKER(m_lock);
Everywhere: Replace a bundle of dbg with dbgln. These changes are arbitrarily divided into multiple commits to make it easier to find potentially introduced bugs with git bisect.Everything:
2021-01-10 14:17:54 +00:00
dbgln("VFS: Bind-mounting {} at {}", source.absolute_path(), mount_point.absolute_path());
Kernel: Implement bind mounts You can now bind-mount files and directories. This essentially exposes an existing part of the file system in another place, and can be used as an alternative to symlinks or hardlinks. Here's an example of doing this: # mkdir /tmp/foo # mount /home/anon/myfile.txt /tmp/foo -o bind # cat /tmp/foo This is anon's file.
2020-01-11 16:08:35 +00:00
// FIXME: check that this is not already a mount point
Kernel: Properly propagate bind mount flags Previously, when performing a bind mount flags other than MS_BIND were ignored. Now, they're properly propagated the same way a for any other mount.
2020-01-12 16:22:24 +00:00
Mount mount { source.inode(), mount_point, flags };
Kernel: Implement bind mounts You can now bind-mount files and directories. This essentially exposes an existing part of the file system in another place, and can be used as an alternative to symlinks or hardlinks. Here's an example of doing this: # mkdir /tmp/foo # mount /home/anon/myfile.txt /tmp/foo -o bind # cat /tmp/foo This is anon's file.
2020-01-11 16:08:35 +00:00
m_mounts.append(move(mount));
return KSuccess;
}
Kernel+Userland: Support remounting filesystems :^) This makes it possible to change flags of a mount after the fact, with the caveats outlined in the man page.
2020-05-28 18:12:13 +00:00
KResult VFS::remount(Custody& mount_point, int new_flags)
{
LOCKER(m_lock);
Everywhere: Replace a bundle of dbg with dbgln. These changes are arbitrarily divided into multiple commits to make it easier to find potentially introduced bugs with git bisect.Everything:
2021-01-10 14:17:54 +00:00
dbgln("VFS: Remounting {}", mount_point.absolute_path());
Kernel+Userland: Support remounting filesystems :^) This makes it possible to change flags of a mount after the fact, with the caveats outlined in the man page.
2020-05-28 18:12:13 +00:00
Kernel: Port mounts to reference inodes directly ...instead of going through their identifiers. See the previous commit for reasoning.
2020-06-24 21:16:24 +00:00
Mount* mount = find_mount_for_guest(mount_point.inode());
Kernel+Userland: Support remounting filesystems :^) This makes it possible to change flags of a mount after the fact, with the caveats outlined in the man page.
2020-05-28 18:12:13 +00:00
if (!mount)
Kernel+LibC: Turn errno codes into a strongly typed enum ..and allow implicit creation of KResult and KResultOr from ErrnoCode. This means that kernel functions that return those types can finally do "return EINVAL;" and it will just work. There's a handful of functions that still deal with signed integers that should be converted to return KResults.
2021-01-20 22:11:17 +00:00
return ENODEV;
Kernel+Userland: Support remounting filesystems :^) This makes it possible to change flags of a mount after the fact, with the caveats outlined in the man page.
2020-05-28 18:12:13 +00:00
mount->set_flags(new_flags);
return KSuccess;
}
Kernel: Port mounts to reference inodes directly ...instead of going through their identifiers. See the previous commit for reasoning.
2020-06-24 21:16:24 +00:00
KResult VFS::unmount(Inode& guest_inode)
Kernel: Added unmount ability to VFS It is now possible to unmount file systems from the VFS via `umount`. It works via looking up the `fsid` of the filesystem from the `Inode`'s metatdata so I'm not sure how fragile it is. It seems to work for now though as something to get us going.
2019-08-11 13:56:39 +00:00
{
LOCKER(m_lock);
Everywhere: Replace a bundle of dbg with dbgln. These changes are arbitrarily divided into multiple commits to make it easier to find potentially introduced bugs with git bisect.Everything:
2021-01-10 14:17:54 +00:00
dbgln("VFS: unmount called with inode {}", guest_inode.identifier());
Kernel: Do the umount() by the guest's root inode identifier It was previously possible to unmount a filesystem mounted on /mnt by doing e.g "umount /mnt/some/path".
2019-08-17 12:24:50 +00:00
AK: Make Vector use size_t for its size and capacity
2020-02-25 13:49:47 +00:00
for (size_t i = 0; i < m_mounts.size(); ++i) {
Kernel: Do the umount() by the guest's root inode identifier It was previously possible to unmount a filesystem mounted on /mnt by doing e.g "umount /mnt/some/path".
2019-08-17 12:24:50 +00:00
auto& mount = m_mounts.at(i);
Kernel: Port mounts to reference inodes directly ...instead of going through their identifiers. See the previous commit for reasoning.
2020-06-24 21:16:24 +00:00
if (&mount.guest() == &guest_inode) {
Kernel: Do the umount() by the guest's root inode identifier It was previously possible to unmount a filesystem mounted on /mnt by doing e.g "umount /mnt/some/path".
2019-08-17 12:24:50 +00:00
auto result = mount.guest_fs().prepare_to_unmount();
if (result.is_error()) {
Everywhere: Replace a bundle of dbg with dbgln. These changes are arbitrarily divided into multiple commits to make it easier to find potentially introduced bugs with git bisect.Everything: The modifications in this commit were automatically made using the following command: find . -name '*.cpp' -exec sed -i -E 's/dbg\(\) << ("[^"{]*");/dbgln\(\1\);/' {} \;
2021-01-09 17:51:44 +00:00
dbgln("VFS: Failed to unmount!");
Kernel: Do the umount() by the guest's root inode identifier It was previously possible to unmount a filesystem mounted on /mnt by doing e.g "umount /mnt/some/path".
2019-08-17 12:24:50 +00:00
return result;
Kernel: Added unmount ability to VFS It is now possible to unmount file systems from the VFS via `umount`. It works via looking up the `fsid` of the filesystem from the `Inode`'s metatdata so I'm not sure how fragile it is. It seems to work for now though as something to get us going.
2019-08-11 13:56:39 +00:00
}
Everywhere: Replace a bundle of dbg with dbgln. These changes are arbitrarily divided into multiple commits to make it easier to find potentially introduced bugs with git bisect.Everything:
2021-01-10 14:17:54 +00:00
dbgln("VFS: found fs {} at mount index {}! Unmounting...", mount.guest_fs().fsid(), i);
AK: Make Vector::unstable_remove() return the removed value ...and rename it to unstable_take(), to align with other take...() methods.
2020-07-02 08:51:46 +00:00
m_mounts.unstable_take(i);
Kernel: Added unmount ability to VFS It is now possible to unmount file systems from the VFS via `umount`. It works via looking up the `fsid` of the filesystem from the `Inode`'s metatdata so I'm not sure how fragile it is. It seems to work for now though as something to get us going.
2019-08-11 13:56:39 +00:00
return KSuccess;
}
}
Everywhere: Replace a bundle of dbg with dbgln. These changes are arbitrarily divided into multiple commits to make it easier to find potentially introduced bugs with git bisect.
2021-01-13 23:10:32 +00:00
dbgln("VFS: Nothing mounted on inode {}", guest_inode.identifier());
Kernel+LibC: Turn errno codes into a strongly typed enum ..and allow implicit creation of KResult and KResultOr from ErrnoCode. This means that kernel functions that return those types can finally do "return EINVAL;" and it will just work. There's a handful of functions that still deal with signed integers that should be converted to return KResults.
2021-01-20 22:11:17 +00:00
return ENODEV;
Kernel: Added unmount ability to VFS It is now possible to unmount file systems from the VFS via `umount`. It works via looking up the `fsid` of the filesystem from the `Inode`'s metatdata so I'm not sure how fragile it is. It seems to work for now though as something to get us going.
2019-08-11 13:56:39 +00:00
}
Kernel: Simplify VFS::Mount handling No need to pass around RefPtr<>s and NonnullRefPtr<>s and no need to heap-allocate them. Also remove VFS::mount(NonnullRefPtr<FS>&&, StringView path) - it has been unused for a long time.
2020-01-11 15:05:24 +00:00
bool VFS::mount_root(FS& file_system)
Import all this stuff into a single repo called Serenity.
2018-10-10 09:53:07 +00:00
{
Get rid of Vnode concept. We already have an abstraction between Process and Inode/CharacterDevice/FIFO and it's called FileDescriptor. :^)
2019-01-16 11:57:07 +00:00
if (m_root_inode) {
Kernel: Use klog() instead of kprintf() Also, duplicate data in dbg() and klog() calls were removed. In addition, leakage of virtual address to kernel log is prevented. This is done by replacing kprintf() calls to dbg() calls with the leaked data instead. Also, other kprintf() calls were replaced with klog().
2020-03-01 19:45:39 +00:00
klog() << "VFS: mount_root can't mount another root";
Import all this stuff into a single repo called Serenity.
2018-10-10 09:53:07 +00:00
return false;
}
Kernel+Base: Mount root filesystem read-only :^) We remount /home and /root as read-write, to keep the ability to modify files there. /tmp remains read-write, as it is mounted from a TmpFS.
2020-05-28 15:06:13 +00:00
Mount mount { file_system, nullptr, root_mount_flags };
Import all this stuff into a single repo called Serenity.
2018-10-10 09:53:07 +00:00
Kernel: Deemphasize inode identifiers These APIs were clearly modeled after Ext2FS internals, and make perfect sense in Ext2FS context. The new APIs are more generic, and map better to the semantics exported to the userspace, where inode identifiers only appear in stat() and readdir() output, but never in any input. This will also hopefully reduce the potential for races (see commit https://github.com/SerenityOS/serenity/commit/c44b4d61f350703fcf1bbd8f6e353b9c6c4210c2). Lastly, this makes it way more viable to implement a filesystem that only synthesizes its inodes lazily when queried, and destroys them when they are no longer in use. With inode identifiers being used to reference inodes, the only choice for such a filesystem is to persist any inode it has given out the identifier for, because it might be queried at any later time. With direct references to inodes, the filesystem will know when the last reference is dropped and the inode can be safely destroyed.
2020-06-24 20:35:56 +00:00
auto root_inode = file_system.root_inode();
Get rid of Vnode concept. We already have an abstraction between Process and Inode/CharacterDevice/FIFO and it's called FileDescriptor. :^)
2019-01-16 11:57:07 +00:00
if (!root_inode->is_directory()) {
Kernel: Add distinct InodeIndex type Use the DistinctNumeric mechanism to make InodeIndex a strongly typed integer type.
2021-02-12 08:18:47 +00:00
klog() << "VFS: root inode (" << String::format("%02u", file_system.fsid()) << ":" << String::format("%08u", root_inode->index().value()) << ") for / is not a directory :(";
Import all this stuff into a single repo called Serenity.
2018-10-10 09:53:07 +00:00
return false;
}
Get rid of Vnode concept. We already have an abstraction between Process and Inode/CharacterDevice/FIFO and it's called FileDescriptor. :^)
2019-01-16 11:57:07 +00:00
m_root_inode = move(root_inode);
Kernel: Deemphasize inode identifiers These APIs were clearly modeled after Ext2FS internals, and make perfect sense in Ext2FS context. The new APIs are more generic, and map better to the semantics exported to the userspace, where inode identifiers only appear in stat() and readdir() output, but never in any input. This will also hopefully reduce the potential for races (see commit https://github.com/SerenityOS/serenity/commit/c44b4d61f350703fcf1bbd8f6e353b9c6c4210c2). Lastly, this makes it way more viable to implement a filesystem that only synthesizes its inodes lazily when queried, and destroys them when they are no longer in use. With inode identifiers being used to reference inodes, the only choice for such a filesystem is to persist any inode it has given out the identifier for, because it might be queried at any later time. With direct references to inodes, the filesystem will know when the last reference is dropped and the inode can be safely destroyed.
2020-06-24 20:35:56 +00:00
klog() << "VFS: mounted root from " << file_system.class_name() << " (" << static_cast<FileBackedFS&>(file_system).file_description().absolute_path() << ")";
Import all this stuff into a single repo called Serenity.
2018-10-10 09:53:07 +00:00
VirtualFileSystem class builds inside Kernel.
2018-10-17 09:40:58 +00:00
m_mounts.append(move(mount));
Import all this stuff into a single repo called Serenity.
2018-10-10 09:53:07 +00:00
return true;
}
Kernel: Port mounts to reference inodes directly ...instead of going through their identifiers. See the previous commit for reasoning.
2020-06-24 21:16:24 +00:00
auto VFS::find_mount_for_host(Inode& inode) -> Mount*
Import all this stuff into a single repo called Serenity.
2018-10-10 09:53:07 +00:00
{
for (auto& mount : m_mounts) {
Kernel: Port mounts to reference inodes directly ...instead of going through their identifiers. See the previous commit for reasoning.
2020-06-24 21:16:24 +00:00
if (mount.host() == &inode)
Kernel: Convert Vector<OwnPtr> to NonnullOwnPtrVector.
2019-07-24 07:15:33 +00:00
return &mount;
Import all this stuff into a single repo called Serenity.
2018-10-10 09:53:07 +00:00
}
return nullptr;
}
Kernel: Port mounts to reference inodes directly ...instead of going through their identifiers. See the previous commit for reasoning.
2020-06-24 21:16:24 +00:00
auto VFS::find_mount_for_host(InodeIdentifier id) -> Mount*
Import all this stuff into a single repo called Serenity.
2018-10-10 09:53:07 +00:00
{
for (auto& mount : m_mounts) {
Kernel: Port mounts to reference inodes directly ...instead of going through their identifiers. See the previous commit for reasoning.
2020-06-24 21:16:24 +00:00
if (mount.host() && mount.host()->identifier() == id)
return &mount;
}
return nullptr;
}
auto VFS::find_mount_for_guest(Inode& inode) -> Mount*
{
for (auto& mount : m_mounts) {
if (&mount.guest() == &inode)
return &mount;
}
return nullptr;
}
auto VFS::find_mount_for_guest(InodeIdentifier id) -> Mount*
{
for (auto& mount : m_mounts) {
if (mount.guest().identifier() == id)
Kernel: Convert Vector<OwnPtr> to NonnullOwnPtrVector.
2019-07-24 07:15:33 +00:00
return &mount;
Import all this stuff into a single repo called Serenity.
2018-10-10 09:53:07 +00:00
}
return nullptr;
}
Rename: VirtualFileSystem -> VFS VirtualFileSystem::Node -> Vnode
2018-11-15 13:43:10 +00:00
bool VFS::is_vfs_root(InodeIdentifier inode) const
Import all this stuff into a single repo called Serenity.
2018-10-10 09:53:07 +00:00
{
Get rid of Vnode concept. We already have an abstraction between Process and Inode/CharacterDevice/FIFO and it's called FileDescriptor. :^)
2019-01-16 11:57:07 +00:00
return inode == root_inode_id();
Import all this stuff into a single repo called Serenity.
2018-10-10 09:53:07 +00:00
}
Kernel: Add DirectoryEntryView for VFS directory traversal Unlike DirectoryEntry (which is used when constructing directories), DirectoryEntryView does not manage storage for file names. Names are just StringViews. This is much more suited to the directory traversal API and makes it easier to implement this in file system classes since they no longer need to create temporary name copies while traversing.
2020-08-18 10:41:27 +00:00
KResult VFS::traverse_directory_inode(Inode& dir_inode, Function<bool(const FS::DirectoryEntryView&)> callback)
Import all this stuff into a single repo called Serenity.
2018-10-10 09:53:07 +00:00
{
Kernel: Add DirectoryEntryView for VFS directory traversal Unlike DirectoryEntry (which is used when constructing directories), DirectoryEntryView does not manage storage for file names. Names are just StringViews. This is much more suited to the directory traversal API and makes it easier to implement this in file system classes since they no longer need to create temporary name copies while traversing.
2020-08-18 10:41:27 +00:00
return dir_inode.traverse_as_directory([&](auto& entry) {
Big, possibly complete sweep of naming changes.
2019-01-31 16:31:23 +00:00
InodeIdentifier resolved_inode;
A pass of style/naming cleanup in VFS.
2018-11-15 14:10:12 +00:00
if (auto mount = find_mount_for_host(entry.inode))
Kernel: Port mounts to reference inodes directly ...instead of going through their identifiers. See the previous commit for reasoning.
2020-06-24 21:16:24 +00:00
resolved_inode = mount->guest().identifier();
Import all this stuff into a single repo called Serenity.
2018-10-10 09:53:07 +00:00
else
Big, possibly complete sweep of naming changes.
2019-01-31 16:31:23 +00:00
resolved_inode = entry.inode;
Import all this stuff into a single repo called Serenity.
2018-10-10 09:53:07 +00:00
Kernel: Misc tweaks
2020-01-15 11:06:48 +00:00
// FIXME: This is now broken considering chroot and bind mounts.
Kernel: Deemphasize inode identifiers These APIs were clearly modeled after Ext2FS internals, and make perfect sense in Ext2FS context. The new APIs are more generic, and map better to the semantics exported to the userspace, where inode identifiers only appear in stat() and readdir() output, but never in any input. This will also hopefully reduce the potential for races (see commit https://github.com/SerenityOS/serenity/commit/c44b4d61f350703fcf1bbd8f6e353b9c6c4210c2). Lastly, this makes it way more viable to implement a filesystem that only synthesizes its inodes lazily when queried, and destroys them when they are no longer in use. With inode identifiers being used to reference inodes, the only choice for such a filesystem is to persist any inode it has given out the identifier for, because it might be queried at any later time. With direct references to inodes, the filesystem will know when the last reference is dropped and the inode can be safely destroyed.
2020-06-24 20:35:56 +00:00
bool is_root_inode = dir_inode.identifier() == dir_inode.fs().root_inode()->identifier();
Kernel: Add DirectoryEntryView for VFS directory traversal Unlike DirectoryEntry (which is used when constructing directories), DirectoryEntryView does not manage storage for file names. Names are just StringViews. This is much more suited to the directory traversal API and makes it easier to implement this in file system classes since they no longer need to create temporary name copies while traversing.
2020-08-18 10:41:27 +00:00
if (is_root_inode && !is_vfs_root(dir_inode.identifier()) && entry.name == "..") {
Kernel: Fix .. directory entry at mount point handling a little It's still broken, but at least it now appears to work if the file system doesn't return the same inode for "..".
2020-07-02 09:46:07 +00:00
auto mount = find_mount_for_guest(dir_inode);
Import all this stuff into a single repo called Serenity.
2018-10-10 09:53:07 +00:00
ASSERT(mount);
Kernel: Port mounts to reference inodes directly ...instead of going through their identifiers. See the previous commit for reasoning.
2020-06-24 21:16:24 +00:00
ASSERT(mount->host());
resolved_inode = mount->host()->identifier();
Import all this stuff into a single repo called Serenity.
2018-10-10 09:53:07 +00:00
}
Kernel: Add DirectoryEntryView for VFS directory traversal Unlike DirectoryEntry (which is used when constructing directories), DirectoryEntryView does not manage storage for file names. Names are just StringViews. This is much more suited to the directory traversal API and makes it easier to implement this in file system classes since they no longer need to create temporary name copies while traversing.
2020-08-18 10:41:27 +00:00
callback({ entry.name, resolved_inode, entry.file_type });
Import all this stuff into a single repo called Serenity.
2018-10-10 09:53:07 +00:00
return true;
});
}
FileSystem: Port most of the code over to using custodies. The current working directory is now stored as a custody. Likewise for a process executable file. This unbreaks /proc/PID/fd which has not been working since we made the filesystem bigger. This still needs a bunch of work, for instance when renaming or removing a file somewhere, we have to update the relevant custody links.
2019-05-30 16:58:59 +00:00
KResult VFS::utime(StringView path, Custody& base, time_t atime, time_t mtime)
Kernel: Add file permission checks to utime() syscall.
2019-02-21 15:37:41 +00:00
{
Kernel: Support read-only filesystem mounts This adds support for MS_RDONLY, a mount flag that tells the kernel to disallow any attempts to write to the newly mounted filesystem. As this flag is per-mount, and different mounts of the same filesystems (such as in case of bind mounts) can have different mutability settings, you have to go though a custody to find out if the filesystem is mounted read-only, instead of just asking the filesystem itself whether it's inherently read-only. This also adds a lot of checks we were previously missing; and moves some of them to happen after more specific checks (such as regular permission checks). One outstanding hole in this system is sys$mprotect(PROT_WRITE), as there's no way we can know if the original file description this region has been mounted from had been opened through a readonly mount point. Currently, we always allow such sys$mprotect() calls to succeed, which effectively allows anyone to circumvent the effect of MS_RDONLY. We should solve this one way or another.
2020-05-28 14:56:25 +00:00
auto custody_or_error = VFS::the().resolve_path(move(path), base);
if (custody_or_error.is_error())
return custody_or_error.error();
auto& custody = *custody_or_error.value();
auto& inode = custody.inode();
Kernel: Turn Thread::current and Process::current into functions This allows us to query the current thread and process on a per processor basis
2020-06-28 21:34:31 +00:00
auto current_process = Process::current();
if (!current_process->is_superuser() && inode.metadata().uid != current_process->euid())
Kernel+LibC: Turn errno codes into a strongly typed enum ..and allow implicit creation of KResult and KResultOr from ErrnoCode. This means that kernel functions that return those types can finally do "return EINVAL;" and it will just work. There's a handful of functions that still deal with signed integers that should be converted to return KResults.
2021-01-20 22:11:17 +00:00
return EACCES;
Kernel: Support read-only filesystem mounts This adds support for MS_RDONLY, a mount flag that tells the kernel to disallow any attempts to write to the newly mounted filesystem. As this flag is per-mount, and different mounts of the same filesystems (such as in case of bind mounts) can have different mutability settings, you have to go though a custody to find out if the filesystem is mounted read-only, instead of just asking the filesystem itself whether it's inherently read-only. This also adds a lot of checks we were previously missing; and moves some of them to happen after more specific checks (such as regular permission checks). One outstanding hole in this system is sys$mprotect(PROT_WRITE), as there's no way we can know if the original file description this region has been mounted from had been opened through a readonly mount point. Currently, we always allow such sys$mprotect() calls to succeed, which effectively allows anyone to circumvent the effect of MS_RDONLY. We should solve this one way or another.
2020-05-28 14:56:25 +00:00
if (custody.is_readonly())
Kernel+LibC: Turn errno codes into a strongly typed enum ..and allow implicit creation of KResult and KResultOr from ErrnoCode. This means that kernel functions that return those types can finally do "return EINVAL;" and it will just work. There's a handful of functions that still deal with signed integers that should be converted to return KResults.
2021-01-20 22:11:17 +00:00
return EROFS;
Kernel: Port more code to KResult and KResultOr<T>.
2019-03-06 21:14:31 +00:00
int error = inode.set_atime(atime);
Kernel+LibC: Turn errno codes into a strongly typed enum ..and allow implicit creation of KResult and KResultOr from ErrnoCode. This means that kernel functions that return those types can finally do "return EINVAL;" and it will just work. There's a handful of functions that still deal with signed integers that should be converted to return KResults.
2021-01-20 22:11:17 +00:00
if (error < 0)
return KResult((ErrnoCode)-error);
Kernel: Add file permission checks to utime() syscall.
2019-02-21 15:37:41 +00:00
error = inode.set_mtime(mtime);
Kernel+LibC: Turn errno codes into a strongly typed enum ..and allow implicit creation of KResult and KResultOr from ErrnoCode. This means that kernel functions that return those types can finally do "return EINVAL;" and it will just work. There's a handful of functions that still deal with signed integers that should be converted to return KResults.
2021-01-20 22:11:17 +00:00
if (error < 0)
return KResult((ErrnoCode)-error);
Kernel: Add KResult and KResultOr<T> classes. The idea here is to combine a potential syscall error code with an arbitrary type in the case of success. I feel like this will end up much less error prone than returning some arbitrary type that kinda sorta has bool semantics (but sometimes not really) and passing the error through an out-param. This patch only converts a few syscalls to using it. More to come.
2019-02-25 19:47:56 +00:00
return KSuccess;
Kernel: Add file permission checks to utime() syscall.
2019-02-21 15:37:41 +00:00
}
Kernel: Generalize VFS metadata lookup and use it in mount() and stat() Refactored VFS::stat() into VFS::lookup_metadata(), which can now be used for general VFS metadata lookup by path.
2019-08-02 17:23:23 +00:00
KResultOr<InodeMetadata> VFS::lookup_metadata(StringView path, Custody& base, int options)
Kernel: Separate VFS stat() from open(). It was very confusing that you had to open a FileDescriptor in order to stat a file. This patch gives VFS a separate stat() function and uses it to implement the stat() and lstat() syscalls.
2019-02-21 15:09:12 +00:00
{
FileSystem: Rename VFS::resolve_path_to_custody() => resolve_path().
2019-05-31 13:30:09 +00:00
auto custody_or_error = resolve_path(path, base, nullptr, options);
FileSystem: Port most of the code over to using custodies. The current working directory is now stored as a custody. Likewise for a process executable file. This unbreaks /proc/PID/fd which has not been working since we made the filesystem bigger. This still needs a bunch of work, for instance when renaming or removing a file somewhere, we have to update the relevant custody links.
2019-05-30 16:58:59 +00:00
if (custody_or_error.is_error())
return custody_or_error.error();
Kernel: Generalize VFS metadata lookup and use it in mount() and stat() Refactored VFS::stat() into VFS::lookup_metadata(), which can now be used for general VFS metadata lookup by path.
2019-08-02 17:23:23 +00:00
return custody_or_error.value()->inode().metadata();
Kernel: Separate VFS stat() from open(). It was very confusing that you had to open a FileDescriptor in order to stat a file. This patch gives VFS a separate stat() function and uses it to implement the stat() and lstat() syscalls.
2019-02-21 15:09:12 +00:00
}
Kernel: Allow passing initial UID and GID when creating new inodes If we're creating something that should have a different owner than the current process's UID/GID, we need to plumb that all the way through VFS down to the FS functions.
2020-01-03 19:13:21 +00:00
KResultOr<NonnullRefPtr<FileDescription>> VFS::open(StringView path, int options, mode_t mode, Custody& base, Optional<UidAndGid> owner)
Import all this stuff into a single repo called Serenity.
2018-10-10 09:53:07 +00:00
{
Kernel: Don't allow open() with (O_CREAT | O_DIRECTORY)
2020-01-03 01:23:50 +00:00
if ((options & O_CREAT) && (options & O_DIRECTORY))
Kernel+LibC: Turn errno codes into a strongly typed enum ..and allow implicit creation of KResult and KResultOr from ErrnoCode. This means that kernel functions that return those types can finally do "return EINVAL;" and it will just work. There's a handful of functions that still deal with signed integers that should be converted to return KResults.
2021-01-20 22:11:17 +00:00
return EINVAL;
Kernel: Don't allow open() with (O_CREAT | O_DIRECTORY)
2020-01-03 01:23:50 +00:00
AK: Rename RetainPtr => RefPtr and Retained => NonnullRefPtr.
2019-06-21 16:37:47 +00:00
RefPtr<Custody> parent_custody;
FileSystem: Don't perform path resolution twice for open() with O_CREAT.
2019-06-09 17:52:03 +00:00
auto custody_or_error = resolve_path(path, base, &parent_custody, options);
Kernel: Begin fleshing out bind() syscall.
2019-02-14 13:38:30 +00:00
if (options & O_CREAT) {
FileSystem: Don't perform path resolution twice for open() with O_CREAT.
2019-06-09 17:52:03 +00:00
if (!parent_custody)
Kernel+LibC: Turn errno codes into a strongly typed enum ..and allow implicit creation of KResult and KResultOr from ErrnoCode. This means that kernel functions that return those types can finally do "return EINVAL;" and it will just work. There's a handful of functions that still deal with signed integers that should be converted to return KResults.
2021-01-20 22:11:17 +00:00
return ENOENT;
FileSystem: Don't perform path resolution twice for open() with O_CREAT.
2019-06-09 17:52:03 +00:00
if (custody_or_error.is_error()) {
if (custody_or_error.error() != -ENOENT)
return custody_or_error.error();
Kernel: Allow passing initial UID and GID when creating new inodes If we're creating something that should have a different owner than the current process's UID/GID, we need to plumb that all the way through VFS down to the FS functions.
2020-01-03 19:13:21 +00:00
return create(path, options, mode, *parent_custody, move(owner));
FileSystem: Don't perform path resolution twice for open() with O_CREAT.
2019-06-09 17:52:03 +00:00
}
Kernel: Port more code to KResult and KResultOr<T>.
2019-03-06 21:14:31 +00:00
if (options & O_EXCL)
Kernel+LibC: Turn errno codes into a strongly typed enum ..and allow implicit creation of KResult and KResultOr from ErrnoCode. This means that kernel functions that return those types can finally do "return EINVAL;" and it will just work. There's a handful of functions that still deal with signed integers that should be converted to return KResults.
2021-01-20 22:11:17 +00:00
return EEXIST;
Kernel: Support open() with O_CREAT. It's now possible to create zero-length files! :^) Also hook up the new functionality in /bin/touch.
2019-01-21 23:58:13 +00:00
}
FileSystem: Port most of the code over to using custodies. The current working directory is now stored as a custody. Likewise for a process executable file. This unbreaks /proc/PID/fd which has not been working since we made the filesystem bigger. This still needs a bunch of work, for instance when renaming or removing a file somewhere, we have to update the relevant custody links.
2019-05-30 16:58:59 +00:00
if (custody_or_error.is_error())
return custody_or_error.error();
Kernel: Separate VFS stat() from open(). It was very confusing that you had to open a FileDescriptor in order to stat a file. This patch gives VFS a separate stat() function and uses it to implement the stat() and lstat() syscalls.
2019-02-21 15:09:12 +00:00
FileSystem: Port most of the code over to using custodies. The current working directory is now stored as a custody. Likewise for a process executable file. This unbreaks /proc/PID/fd which has not been working since we made the filesystem bigger. This still needs a bunch of work, for instance when renaming or removing a file somewhere, we have to update the relevant custody links.
2019-05-30 16:58:59 +00:00
auto& custody = *custody_or_error.value();
auto& inode = custody.inode();
auto metadata = inode.metadata();
Kernel: Add Inode::truncate(size). - Use this to implement the O_TRUNC open flag. - Fix creat() to pass O_CREAT | O_TRUNC | O_WRONLY. - Make sure we truncate wherever appropriate.
2019-03-27 15:42:30 +00:00
Kernel: Handle O_DIRECTORY in VFS::open() instead of in each syscall Just taking care of some FIXMEs.
2020-01-03 01:23:11 +00:00
if ((options & O_DIRECTORY) && !metadata.is_directory())
Kernel+LibC: Turn errno codes into a strongly typed enum ..and allow implicit creation of KResult and KResultOr from ErrnoCode. This means that kernel functions that return those types can finally do "return EINVAL;" and it will just work. There's a handful of functions that still deal with signed integers that should be converted to return KResults.
2021-01-20 22:11:17 +00:00
return ENOTDIR;
Kernel: Handle O_DIRECTORY in VFS::open() instead of in each syscall Just taking care of some FIXMEs.
2020-01-03 01:23:11 +00:00
Kernel: Add Inode::truncate(size). - Use this to implement the O_TRUNC open flag. - Fix creat() to pass O_CREAT | O_TRUNC | O_WRONLY. - Make sure we truncate wherever appropriate.
2019-03-27 15:42:30 +00:00
bool should_truncate_file = false;
Kernel: Separate VFS stat() from open(). It was very confusing that you had to open a FileDescriptor in order to stat a file. This patch gives VFS a separate stat() function and uses it to implement the stat() and lstat() syscalls.
2019-02-21 15:09:12 +00:00
Kernel: Turn Thread::current and Process::current into functions This allows us to query the current thread and process on a per processor basis
2020-06-28 21:34:31 +00:00
auto current_process = Process::current();
if ((options & O_RDONLY) && !metadata.may_read(*current_process))
Kernel+LibC: Turn errno codes into a strongly typed enum ..and allow implicit creation of KResult and KResultOr from ErrnoCode. This means that kernel functions that return those types can finally do "return EINVAL;" and it will just work. There's a handful of functions that still deal with signed integers that should be converted to return KResults.
2021-01-20 22:11:17 +00:00
return EACCES;
Kernel: Make O_RDONLY non-zero Sergey suggested that having a non-zero O_RDONLY would make some things less confusing, and it seems like he's right about that. We can now easily check read/write permissions separately instead of dancing around with the bits. This patch also fixes unveil() validation for O_RDWR which previously forgot to check for "r" permission.
2020-01-21 12:14:26 +00:00
if (options & O_WRONLY) {
Kernel: Turn Thread::current and Process::current into functions This allows us to query the current thread and process on a per processor basis
2020-06-28 21:34:31 +00:00
if (!metadata.may_write(*current_process))
Kernel+LibC: Turn errno codes into a strongly typed enum ..and allow implicit creation of KResult and KResultOr from ErrnoCode. This means that kernel functions that return those types can finally do "return EINVAL;" and it will just work. There's a handful of functions that still deal with signed integers that should be converted to return KResults.
2021-01-20 22:11:17 +00:00
return EACCES;
Kernel: Port more code to KResult and KResultOr<T>.
2019-03-06 21:14:31 +00:00
if (metadata.is_directory())
Kernel+LibC: Turn errno codes into a strongly typed enum ..and allow implicit creation of KResult and KResultOr from ErrnoCode. This means that kernel functions that return those types can finally do "return EINVAL;" and it will just work. There's a handful of functions that still deal with signed integers that should be converted to return KResults.
2021-01-20 22:11:17 +00:00
return EISDIR;
Kernel: Add Inode::truncate(size). - Use this to implement the O_TRUNC open flag. - Fix creat() to pass O_CREAT | O_TRUNC | O_WRONLY. - Make sure we truncate wherever appropriate.
2019-03-27 15:42:30 +00:00
should_truncate_file = options & O_TRUNC;
Kernel: Start adding various file system permission checks. Fail with EACCES in various situations. Fix userland bugs that were exposed.
2019-02-21 14:45:31 +00:00
}
Kernel+LibC: Add O_EXEC, move exec permission checking to VFS::open() O_EXEC is mentioned by POSIX, so let's have it. Currently, it is only used inside the kernel to ensure the process has the right permissions when opening an executable.
2020-01-11 15:33:35 +00:00
if (options & O_EXEC) {
Kernel: Turn Thread::current and Process::current into functions This allows us to query the current thread and process on a per processor basis
2020-06-28 21:34:31 +00:00
if (!metadata.may_execute(*current_process) || (custody.mount_flags() & MS_NOEXEC))
Kernel+LibC: Turn errno codes into a strongly typed enum ..and allow implicit creation of KResult and KResultOr from ErrnoCode. This means that kernel functions that return those types can finally do "return EINVAL;" and it will just work. There's a handful of functions that still deal with signed integers that should be converted to return KResults.
2021-01-20 22:11:17 +00:00
return EACCES;
Kernel+LibC: Add O_EXEC, move exec permission checking to VFS::open() O_EXEC is mentioned by POSIX, so let's have it. Currently, it is only used inside the kernel to ensure the process has the right permissions when opening an executable.
2020-01-11 15:33:35 +00:00
}
Kernel: Separate VFS stat() from open(). It was very confusing that you had to open a FileDescriptor in order to stat a file. This patch gives VFS a separate stat() function and uses it to implement the stat() and lstat() syscalls.
2019-02-21 15:09:12 +00:00
Kernel: Let inodes provide pre-open file descriptions Some magical inodes, such as /proc/pid/fd/fileno, are going to want to open() to a custom FileDescription, so add a hook for that.
2020-01-15 11:03:14 +00:00
if (auto preopen_fd = inode.preopen_fd())
return *preopen_fd;
Kernel: Implement FIFOs/named pipes
2020-07-16 21:23:03 +00:00
if (metadata.is_fifo()) {
Kernel: Sprinkle some lockers in Inode It did look pretty suspicious the way we were accessing members in some of these functions without taking the lock first.
2020-12-31 01:10:31 +00:00
auto fifo = inode.fifo();
Kernel: Implement FIFOs/named pipes
2020-07-16 21:23:03 +00:00
if (options & O_WRONLY) {
Kernel: Improve ProcFS behavior in low memory conditions When ProcFS could no longer allocate KBuffer objects to serve calls to read, it would just return 0, indicating EOF. This then triggered parsing errors because code assumed it read the file. Because read isn't supposed to return ENOMEM, change ProcFS to populate the file data upon file open or seek to the beginning. This also means that calls to open can now return ENOMEM if needed. This allows the caller to either be able to successfully open the file and read it, or fail to open it in the first place.
2020-09-17 19:51:09 +00:00
auto open_result = fifo->open_direction_blocking(FIFO::Direction::Writer);
if (open_result.is_error())
return open_result.error();
auto& description = open_result.value();
Kernel: Implement FIFOs/named pipes
2020-07-16 21:23:03 +00:00
description->set_rw_mode(options);
description->set_file_flags(options);
description->set_original_inode({}, inode);
return description;
} else if (options & O_RDONLY) {
Kernel: Improve ProcFS behavior in low memory conditions When ProcFS could no longer allocate KBuffer objects to serve calls to read, it would just return 0, indicating EOF. This then triggered parsing errors because code assumed it read the file. Because read isn't supposed to return ENOMEM, change ProcFS to populate the file data upon file open or seek to the beginning. This also means that calls to open can now return ENOMEM if needed. This allows the caller to either be able to successfully open the file and read it, or fail to open it in the first place.
2020-09-17 19:51:09 +00:00
auto open_result = fifo->open_direction_blocking(FIFO::Direction::Reader);
if (open_result.is_error())
return open_result.error();
auto& description = open_result.value();
Kernel: Implement FIFOs/named pipes
2020-07-16 21:23:03 +00:00
description->set_rw_mode(options);
description->set_file_flags(options);
description->set_original_inode({}, inode);
return description;
}
Kernel+LibC: Turn errno codes into a strongly typed enum ..and allow implicit creation of KResult and KResultOr from ErrnoCode. This means that kernel functions that return those types can finally do "return EINVAL;" and it will just work. There's a handful of functions that still deal with signed integers that should be converted to return KResults.
2021-01-20 22:11:17 +00:00
return EINVAL;
Kernel: Implement FIFOs/named pipes
2020-07-16 21:23:03 +00:00
}
Kernel: Separate VFS stat() from open(). It was very confusing that you had to open a FileDescriptor in order to stat a file. This patch gives VFS a separate stat() function and uses it to implement the stat() and lstat() syscalls.
2019-02-21 15:09:12 +00:00
if (metadata.is_device()) {
Kernel+LibC: Implement a few mount flags We now support these mount flags: * MS_NODEV: disallow opening any devices from this file system * MS_NOEXEC: disallow executing any executables from this file system * MS_NOSUID: ignore set-user-id bits on executables from this file system The fourth flag, MS_BIND, is defined, but currently ignored.
2020-01-11 15:45:38 +00:00
if (custody.mount_flags() & MS_NODEV)
Kernel+LibC: Turn errno codes into a strongly typed enum ..and allow implicit creation of KResult and KResultOr from ErrnoCode. This means that kernel functions that return those types can finally do "return EINVAL;" and it will just work. There's a handful of functions that still deal with signed integers that should be converted to return KResults.
2021-01-20 22:11:17 +00:00
return EACCES;
Kernel: Move device lookup to Device class itself Previously, VFS stored a list of all devices, and devices had to register and unregister themselves with it. This cleans up things a bit.
2019-08-18 11:48:15 +00:00
auto device = Device::get_device(metadata.major_device, metadata.minor_device);
if (device == nullptr) {
Kernel+LibC: Turn errno codes into a strongly typed enum ..and allow implicit creation of KResult and KResultOr from ErrnoCode. This means that kernel functions that return those types can finally do "return EINVAL;" and it will just work. There's a handful of functions that still deal with signed integers that should be converted to return KResults.
2021-01-20 22:11:17 +00:00
return ENODEV;
Get rid of Vnode concept. We already have an abstraction between Process and Inode/CharacterDevice/FIFO and it's called FileDescriptor. :^)
2019-01-16 11:57:07 +00:00
}
Kernel: Move device lookup to Device class itself Previously, VFS stored a list of all devices, and devices had to register and unregister themselves with it. This cleans up things a bit.
2019-08-18 11:48:15 +00:00
auto descriptor_or_error = device->open(options);
Kernel: Don't panic if a call redirected to Device::open() has an error. Just pass the error to the user. I hit this when opening so many Terminal windows that PTYMultiplexer::open() ran out of master/slave pairs.
2019-03-20 01:55:12 +00:00
if (descriptor_or_error.is_error())
return descriptor_or_error.error();
Update Badge<T> instantiations to simply be {}.
2019-05-31 13:44:04 +00:00
descriptor_or_error.value()->set_original_inode({}, inode);
Kernel: Don't panic if a call redirected to Device::open() has an error. Just pass the error to the user. I hit this when opening so many Terminal windows that PTYMultiplexer::open() ran out of master/slave pairs.
2019-03-20 01:55:12 +00:00
return descriptor_or_error;
Get rid of Vnode concept. We already have an abstraction between Process and Inode/CharacterDevice/FIFO and it's called FileDescriptor. :^)
2019-01-16 11:57:07 +00:00
}
Kernel: Support read-only filesystem mounts This adds support for MS_RDONLY, a mount flag that tells the kernel to disallow any attempts to write to the newly mounted filesystem. As this flag is per-mount, and different mounts of the same filesystems (such as in case of bind mounts) can have different mutability settings, you have to go though a custody to find out if the filesystem is mounted read-only, instead of just asking the filesystem itself whether it's inherently read-only. This also adds a lot of checks we were previously missing; and moves some of them to happen after more specific checks (such as regular permission checks). One outstanding hole in this system is sys$mprotect(PROT_WRITE), as there's no way we can know if the original file description this region has been mounted from had been opened through a readonly mount point. Currently, we always allow such sys$mprotect() calls to succeed, which effectively allows anyone to circumvent the effect of MS_RDONLY. We should solve this one way or another.
2020-05-28 14:56:25 +00:00
// Check for read-only FS. Do this after handling preopen FD and devices,
// but before modifying the inode in any way.
if ((options & O_WRONLY) && custody.is_readonly())
Kernel+LibC: Turn errno codes into a strongly typed enum ..and allow implicit creation of KResult and KResultOr from ErrnoCode. This means that kernel functions that return those types can finally do "return EINVAL;" and it will just work. There's a handful of functions that still deal with signed integers that should be converted to return KResults.
2021-01-20 22:11:17 +00:00
return EROFS;
Kernel: Support read-only filesystem mounts This adds support for MS_RDONLY, a mount flag that tells the kernel to disallow any attempts to write to the newly mounted filesystem. As this flag is per-mount, and different mounts of the same filesystems (such as in case of bind mounts) can have different mutability settings, you have to go though a custody to find out if the filesystem is mounted read-only, instead of just asking the filesystem itself whether it's inherently read-only. This also adds a lot of checks we were previously missing; and moves some of them to happen after more specific checks (such as regular permission checks). One outstanding hole in this system is sys$mprotect(PROT_WRITE), as there's no way we can know if the original file description this region has been mounted from had been opened through a readonly mount point. Currently, we always allow such sys$mprotect() calls to succeed, which effectively allows anyone to circumvent the effect of MS_RDONLY. We should solve this one way or another.
2020-05-28 14:56:25 +00:00
Kernel: Opening a file with O_TRUNC should update mtime
2020-01-08 12:57:22 +00:00
if (should_truncate_file) {
Kernel: Propagate a few KResults properly in FileSystem subsystems Propagating un-obsevered KResults up the stack.
2020-08-05 09:07:31 +00:00
KResult result = inode.truncate(0);
if (result.is_error())
return result;
Kernel: Opening a file with O_TRUNC should update mtime
2020-01-08 12:57:22 +00:00
inode.set_mtime(kgettimeofday().tv_sec);
}
Kernel: Move setting file flags and r/w mode to VFS::open() Previously, VFS::open() would only use the passed flags for permission checking purposes, and Process::sys$open() would set them on the created FileDescription explicitly. Now, they should be set by VFS::open() on any files being opened, including files that the kernel opens internally. This also lets us get rid of the explicit check for whether or not the returned FileDescription was a preopen fd, and in fact, fixes a bug where a read-only preopen fd without any other flags would be considered freshly opened (due to O_RDONLY being indistinguishable from 0) and granted a new set of flags.
2020-01-18 22:15:52 +00:00
auto description = FileDescription::create(custody);
Kernel: Improve ProcFS behavior in low memory conditions When ProcFS could no longer allocate KBuffer objects to serve calls to read, it would just return 0, indicating EOF. This then triggered parsing errors because code assumed it read the file. Because read isn't supposed to return ENOMEM, change ProcFS to populate the file data upon file open or seek to the beginning. This also means that calls to open can now return ENOMEM if needed. This allows the caller to either be able to successfully open the file and read it, or fail to open it in the first place.
2020-09-17 19:51:09 +00:00
if (!description.is_error()) {
description.value()->set_rw_mode(options);
description.value()->set_file_flags(options);
}
Kernel: Move setting file flags and r/w mode to VFS::open() Previously, VFS::open() would only use the passed flags for permission checking purposes, and Process::sys$open() would set them on the created FileDescription explicitly. Now, they should be set by VFS::open() on any files being opened, including files that the kernel opens internally. This also lets us get rid of the explicit check for whether or not the returned FileDescription was a preopen fd, and in fact, fixes a bug where a read-only preopen fd without any other flags would be considered freshly opened (due to O_RDONLY being indistinguishable from 0) and granted a new set of flags.
2020-01-18 22:15:52 +00:00
return description;
Import all this stuff into a single repo called Serenity.
2018-10-10 09:53:07 +00:00
}
FileSystem: Port most of the code over to using custodies. The current working directory is now stored as a custody. Likewise for a process executable file. This unbreaks /proc/PID/fd which has not been working since we made the filesystem bigger. This still needs a bunch of work, for instance when renaming or removing a file somewhere, we have to update the relevant custody links.
2019-05-30 16:58:59 +00:00
KResult VFS::mknod(StringView path, mode_t mode, dev_t dev, Custody& base)
Kernel+Userland: Implement mknod() syscall and add a /bin/mknod program.
2019-05-03 20:59:58 +00:00
{
if (!is_regular_file(mode) && !is_block_device(mode) && !is_character_device(mode) && !is_fifo(mode) && !is_socket(mode))
Kernel+LibC: Turn errno codes into a strongly typed enum ..and allow implicit creation of KResult and KResultOr from ErrnoCode. This means that kernel functions that return those types can finally do "return EINVAL;" and it will just work. There's a handful of functions that still deal with signed integers that should be converted to return KResults.
2021-01-20 22:11:17 +00:00
return EINVAL;
Kernel+Userland: Implement mknod() syscall and add a /bin/mknod program.
2019-05-03 20:59:58 +00:00
AK: Rename RetainPtr => RefPtr and Retained => NonnullRefPtr.
2019-06-21 16:37:47 +00:00
RefPtr<Custody> parent_custody;
FileSystem: Rename VFS::resolve_path_to_custody() => resolve_path().
2019-05-31 13:30:09 +00:00
auto existing_file_or_error = resolve_path(path, base, &parent_custody);
Kernel+Userland: Implement mknod() syscall and add a /bin/mknod program.
2019-05-03 20:59:58 +00:00
if (!existing_file_or_error.is_error())
Kernel+LibC: Turn errno codes into a strongly typed enum ..and allow implicit creation of KResult and KResultOr from ErrnoCode. This means that kernel functions that return those types can finally do "return EINVAL;" and it will just work. There's a handful of functions that still deal with signed integers that should be converted to return KResults.
2021-01-20 22:11:17 +00:00
return EEXIST;
FileSystem: Port most of the code over to using custodies. The current working directory is now stored as a custody. Likewise for a process executable file. This unbreaks /proc/PID/fd which has not been working since we made the filesystem bigger. This still needs a bunch of work, for instance when renaming or removing a file somewhere, we have to update the relevant custody links.
2019-05-30 16:58:59 +00:00
if (!parent_custody)
Kernel+LibC: Turn errno codes into a strongly typed enum ..and allow implicit creation of KResult and KResultOr from ErrnoCode. This means that kernel functions that return those types can finally do "return EINVAL;" and it will just work. There's a handful of functions that still deal with signed integers that should be converted to return KResults.
2021-01-20 22:11:17 +00:00
return ENOENT;
Kernel+Userland: Implement mknod() syscall and add a /bin/mknod program.
2019-05-03 20:59:58 +00:00
if (existing_file_or_error.error() != -ENOENT)
return existing_file_or_error.error();
FileSystem: Port most of the code over to using custodies. The current working directory is now stored as a custody. Likewise for a process executable file. This unbreaks /proc/PID/fd which has not been working since we made the filesystem bigger. This still needs a bunch of work, for instance when renaming or removing a file somewhere, we have to update the relevant custody links.
2019-05-30 16:58:59 +00:00
auto& parent_inode = parent_custody->inode();
Kernel: Turn Thread::current and Process::current into functions This allows us to query the current thread and process on a per processor basis
2020-06-28 21:34:31 +00:00
auto current_process = Process::current();
if (!parent_inode.metadata().may_write(*current_process))
Kernel+LibC: Turn errno codes into a strongly typed enum ..and allow implicit creation of KResult and KResultOr from ErrnoCode. This means that kernel functions that return those types can finally do "return EINVAL;" and it will just work. There's a handful of functions that still deal with signed integers that should be converted to return KResults.
2021-01-20 22:11:17 +00:00
return EACCES;
Kernel: Support read-only filesystem mounts This adds support for MS_RDONLY, a mount flag that tells the kernel to disallow any attempts to write to the newly mounted filesystem. As this flag is per-mount, and different mounts of the same filesystems (such as in case of bind mounts) can have different mutability settings, you have to go though a custody to find out if the filesystem is mounted read-only, instead of just asking the filesystem itself whether it's inherently read-only. This also adds a lot of checks we were previously missing; and moves some of them to happen after more specific checks (such as regular permission checks). One outstanding hole in this system is sys$mprotect(PROT_WRITE), as there's no way we can know if the original file description this region has been mounted from had been opened through a readonly mount point. Currently, we always allow such sys$mprotect() calls to succeed, which effectively allows anyone to circumvent the effect of MS_RDONLY. We should solve this one way or another.
2020-05-28 14:56:25 +00:00
if (parent_custody->is_readonly())
Kernel+LibC: Turn errno codes into a strongly typed enum ..and allow implicit creation of KResult and KResultOr from ErrnoCode. This means that kernel functions that return those types can finally do "return EINVAL;" and it will just work. There's a handful of functions that still deal with signed integers that should be converted to return KResults.
2021-01-20 22:11:17 +00:00
return EROFS;
Kernel+Userland: Implement mknod() syscall and add a /bin/mknod program.
2019-05-03 20:59:58 +00:00
AK: Rename FileSystemPath -> LexicalPath And move canonicalized_path() to a static method on LexicalPath. This is to make it clear that FileSystemPath/canonicalized_path() only perform *lexical* canonicalization.
2020-05-26 11:52:44 +00:00
LexicalPath p(path);
Everywhere: Replace a bundle of dbg with dbgln. These changes are arbitrarily divided into multiple commits to make it easier to find potentially introduced bugs with git bisect.Everything:
2021-01-10 14:17:54 +00:00
dbgln("VFS::mknod: '{}' mode={} dev={} in {}", p.basename(), mode, dev, parent_inode.identifier());
Kernel: Create new files with the current process EUID/EGID We were using the UID/GID and not the EUID/EGID, which didn't match other systems.
2021-01-21 08:56:18 +00:00
return parent_inode.create_child(p.basename(), mode, dev, current_process->euid(), current_process->egid()).result();
Kernel+Userland: Implement mknod() syscall and add a /bin/mknod program.
2019-05-03 20:59:58 +00:00
}
Kernel: Allow passing initial UID and GID when creating new inodes If we're creating something that should have a different owner than the current process's UID/GID, we need to plumb that all the way through VFS down to the FS functions.
2020-01-03 19:13:21 +00:00
KResultOr<NonnullRefPtr<FileDescription>> VFS::create(StringView path, int options, mode_t mode, Custody& parent_custody, Optional<UidAndGid> owner)
Import all this stuff into a single repo called Serenity.
2018-10-10 09:53:07 +00:00
{
Kernel: Use the resolved parent path when testing create veil (#5231)
2021-02-06 18:11:44 +00:00
LexicalPath p(path);
auto result = validate_path_against_process_veil(String::formatted("{}/{}", parent_custody.absolute_path(), p.basename()), options);
Kernel: Enforce file system veil on file creation Fixes #1621.
2020-04-04 14:40:36 +00:00
if (result.is_error())
return result;
Revert "Kernel: Make VFS::create() fail with EINVAL on invalid file mode" This reverts commit ca3489eec7c1c7910407c4872ed6d70c92ce50cf. Fixes #5087.
2021-01-24 07:31:18 +00:00
if (!is_socket(mode) && !is_fifo(mode) && !is_block_device(mode) && !is_character_device(mode)) {
// Turn it into a regular file. (This feels rather hackish.)
mode |= 0100000;
}
Ext2FS: Implement writing into inodes with arbitrary offset and length. Okay, this is pretty cool. :^) There are some issues and limitations for sure but the basic functionality is there.
2019-01-23 03:29:56 +00:00
FileSystem: Don't perform path resolution twice for open() with O_CREAT.
2019-06-09 17:52:03 +00:00
auto& parent_inode = parent_custody.inode();
Kernel: Turn Thread::current and Process::current into functions This allows us to query the current thread and process on a per processor basis
2020-06-28 21:34:31 +00:00
auto current_process = Process::current();
if (!parent_inode.metadata().may_write(*current_process))
Kernel+LibC: Turn errno codes into a strongly typed enum ..and allow implicit creation of KResult and KResultOr from ErrnoCode. This means that kernel functions that return those types can finally do "return EINVAL;" and it will just work. There's a handful of functions that still deal with signed integers that should be converted to return KResults.
2021-01-20 22:11:17 +00:00
return EACCES;
Kernel: Support read-only filesystem mounts This adds support for MS_RDONLY, a mount flag that tells the kernel to disallow any attempts to write to the newly mounted filesystem. As this flag is per-mount, and different mounts of the same filesystems (such as in case of bind mounts) can have different mutability settings, you have to go though a custody to find out if the filesystem is mounted read-only, instead of just asking the filesystem itself whether it's inherently read-only. This also adds a lot of checks we were previously missing; and moves some of them to happen after more specific checks (such as regular permission checks). One outstanding hole in this system is sys$mprotect(PROT_WRITE), as there's no way we can know if the original file description this region has been mounted from had been opened through a readonly mount point. Currently, we always allow such sys$mprotect() calls to succeed, which effectively allows anyone to circumvent the effect of MS_RDONLY. We should solve this one way or another.
2020-05-28 14:56:25 +00:00
if (parent_custody.is_readonly())
Kernel+LibC: Turn errno codes into a strongly typed enum ..and allow implicit creation of KResult and KResultOr from ErrnoCode. This means that kernel functions that return those types can finally do "return EINVAL;" and it will just work. There's a handful of functions that still deal with signed integers that should be converted to return KResults.
2021-01-20 22:11:17 +00:00
return EROFS;
Kernel: Support read-only filesystem mounts This adds support for MS_RDONLY, a mount flag that tells the kernel to disallow any attempts to write to the newly mounted filesystem. As this flag is per-mount, and different mounts of the same filesystems (such as in case of bind mounts) can have different mutability settings, you have to go though a custody to find out if the filesystem is mounted read-only, instead of just asking the filesystem itself whether it's inherently read-only. This also adds a lot of checks we were previously missing; and moves some of them to happen after more specific checks (such as regular permission checks). One outstanding hole in this system is sys$mprotect(PROT_WRITE), as there's no way we can know if the original file description this region has been mounted from had been opened through a readonly mount point. Currently, we always allow such sys$mprotect() calls to succeed, which effectively allows anyone to circumvent the effect of MS_RDONLY. We should solve this one way or another.
2020-05-28 14:56:25 +00:00
Everywhere: Replace dbgln<flag>(...) with dbgln_if(flag, ...) Replacement made by `find Kernel Userland -name '*.h' -o -name '*.cpp' | sed -i -Ee 's/dbgln\b<(\w+)>\(/dbgln_if(\1, /g'`
2021-02-07 12:03:24 +00:00
dbgln_if(VFS_DEBUG, "VFS::create: '{}' in {}", p.basename(), parent_inode.identifier());
Kernel: Create new files with the current process EUID/EGID We were using the UID/GID and not the EUID/EGID, which didn't match other systems.
2021-01-21 08:56:18 +00:00
uid_t uid = owner.has_value() ? owner.value().uid : current_process->euid();
gid_t gid = owner.has_value() ? owner.value().gid : current_process->egid();
Kernel: Deemphasize inode identifiers These APIs were clearly modeled after Ext2FS internals, and make perfect sense in Ext2FS context. The new APIs are more generic, and map better to the semantics exported to the userspace, where inode identifiers only appear in stat() and readdir() output, but never in any input. This will also hopefully reduce the potential for races (see commit https://github.com/SerenityOS/serenity/commit/c44b4d61f350703fcf1bbd8f6e353b9c6c4210c2). Lastly, this makes it way more viable to implement a filesystem that only synthesizes its inodes lazily when queried, and destroys them when they are no longer in use. With inode identifiers being used to reference inodes, the only choice for such a filesystem is to persist any inode it has given out the identifier for, because it might be queried at any later time. With direct references to inodes, the filesystem will know when the last reference is dropped and the inode can be safely destroyed.
2020-06-24 20:35:56 +00:00
auto inode_or_error = parent_inode.create_child(p.basename(), mode, 0, uid, gid);
Kernel: Simplify FS::create_inode() a little bit Return a KResultOr<NonnullRefPtr<Inode>> instead of returning errors in an out-parameter.
2020-02-08 10:58:28 +00:00
if (inode_or_error.is_error())
return inode_or_error.error();
Kernel: Support open() with O_CREAT. It's now possible to create zero-length files! :^) Also hook up the new functionality in /bin/touch.
2019-01-21 23:58:13 +00:00
Kernel: Simplify FS::create_inode() a little bit Return a KResultOr<NonnullRefPtr<Inode>> instead of returning errors in an out-parameter.
2020-02-08 10:58:28 +00:00
auto new_custody = Custody::create(&parent_custody, p.basename(), inode_or_error.value(), parent_custody.mount_flags());
Kernel: Move setting file flags and r/w mode to VFS::open() Previously, VFS::open() would only use the passed flags for permission checking purposes, and Process::sys$open() would set them on the created FileDescription explicitly. Now, they should be set by VFS::open() on any files being opened, including files that the kernel opens internally. This also lets us get rid of the explicit check for whether or not the returned FileDescription was a preopen fd, and in fact, fixes a bug where a read-only preopen fd without any other flags would be considered freshly opened (due to O_RDONLY being indistinguishable from 0) and granted a new set of flags.
2020-01-18 22:15:52 +00:00
auto description = FileDescription::create(*new_custody);
Kernel: Improve ProcFS behavior in low memory conditions When ProcFS could no longer allocate KBuffer objects to serve calls to read, it would just return 0, indicating EOF. This then triggered parsing errors because code assumed it read the file. Because read isn't supposed to return ENOMEM, change ProcFS to populate the file data upon file open or seek to the beginning. This also means that calls to open can now return ENOMEM if needed. This allows the caller to either be able to successfully open the file and read it, or fail to open it in the first place.
2020-09-17 19:51:09 +00:00
if (!description.is_error()) {
description.value()->set_rw_mode(options);
description.value()->set_file_flags(options);
}
Kernel: Move setting file flags and r/w mode to VFS::open() Previously, VFS::open() would only use the passed flags for permission checking purposes, and Process::sys$open() would set them on the created FileDescription explicitly. Now, they should be set by VFS::open() on any files being opened, including files that the kernel opens internally. This also lets us get rid of the explicit check for whether or not the returned FileDescription was a preopen fd, and in fact, fixes a bug where a read-only preopen fd without any other flags would be considered freshly opened (due to O_RDONLY being indistinguishable from 0) and granted a new set of flags.
2020-01-18 22:15:52 +00:00
return description;
Implement creating a new directory.
2018-10-15 22:35:03 +00:00
}
FileSystem: Port most of the code over to using custodies. The current working directory is now stored as a custody. Likewise for a process executable file. This unbreaks /proc/PID/fd which has not been working since we made the filesystem bigger. This still needs a bunch of work, for instance when renaming or removing a file somewhere, we have to update the relevant custody links.
2019-05-30 16:58:59 +00:00
KResult VFS::mkdir(StringView path, mode_t mode, Custody& base)
Implement creating a new directory.
2018-10-15 22:35:03 +00:00
{
Kernel: Support trailing slashes in VFS::mkdir() This is apparently a special case unlike any other, so let's handle it directly in VFS::mkdir() instead of adding an alternative code path into VFS::resolve_path(). Fixes https://github.com/SerenityOS/serenity/issues/1253
2020-02-20 14:28:36 +00:00
// Unlike in basically every other case, where it's only the last
// path component (the one being created) that is allowed not to
// exist, POSIX allows mkdir'ed path to have trailing slashes.
// Let's handle that case by trimming any trailing slashes.
while (path.length() > 1 && path.ends_with("/"))
path = path.substring_view(0, path.length() - 1);
AK: Rename RetainPtr => RefPtr and Retained => NonnullRefPtr.
2019-06-21 16:37:47 +00:00
RefPtr<Custody> parent_custody;
FileSystem: Rename VFS::resolve_path_to_custody() => resolve_path().
2019-05-31 13:30:09 +00:00
auto result = resolve_path(path, base, &parent_custody);
Kernel: Add KResult and KResultOr<T> classes. The idea here is to combine a potential syscall error code with an arbitrary type in the case of success. I feel like this will end up much less error prone than returning some arbitrary type that kinda sorta has bool semantics (but sometimes not really) and passing the error through an out-param. This patch only converts a few syscalls to using it. More to come.
2019-02-25 19:47:56 +00:00
if (!result.is_error())
Kernel+LibC: Turn errno codes into a strongly typed enum ..and allow implicit creation of KResult and KResultOr from ErrnoCode. This means that kernel functions that return those types can finally do "return EINVAL;" and it will just work. There's a handful of functions that still deal with signed integers that should be converted to return KResults.
2021-01-20 22:11:17 +00:00
return EEXIST;
FileSystem: Port most of the code over to using custodies. The current working directory is now stored as a custody. Likewise for a process executable file. This unbreaks /proc/PID/fd which has not been working since we made the filesystem bigger. This still needs a bunch of work, for instance when renaming or removing a file somewhere, we have to update the relevant custody links.
2019-05-30 16:58:59 +00:00
if (!parent_custody)
Kernel+LibC: Turn errno codes into a strongly typed enum ..and allow implicit creation of KResult and KResultOr from ErrnoCode. This means that kernel functions that return those types can finally do "return EINVAL;" and it will just work. There's a handful of functions that still deal with signed integers that should be converted to return KResults.
2021-01-20 22:11:17 +00:00
return ENOENT;
Kernel: Add KResult and KResultOr<T> classes. The idea here is to combine a potential syscall error code with an arbitrary type in the case of success. I feel like this will end up much less error prone than returning some arbitrary type that kinda sorta has bool semantics (but sometimes not really) and passing the error through an out-param. This patch only converts a few syscalls to using it. More to come.
2019-02-25 19:47:56 +00:00
if (result.error() != -ENOENT)
return result.error();
FileSystem: Port most of the code over to using custodies. The current working directory is now stored as a custody. Likewise for a process executable file. This unbreaks /proc/PID/fd which has not been working since we made the filesystem bigger. This still needs a bunch of work, for instance when renaming or removing a file somewhere, we have to update the relevant custody links.
2019-05-30 16:58:59 +00:00
auto& parent_inode = parent_custody->inode();
Kernel: Turn Thread::current and Process::current into functions This allows us to query the current thread and process on a per processor basis
2020-06-28 21:34:31 +00:00
auto current_process = Process::current();
if (!parent_inode.metadata().may_write(*current_process))
Kernel+LibC: Turn errno codes into a strongly typed enum ..and allow implicit creation of KResult and KResultOr from ErrnoCode. This means that kernel functions that return those types can finally do "return EINVAL;" and it will just work. There's a handful of functions that still deal with signed integers that should be converted to return KResults.
2021-01-20 22:11:17 +00:00
return EACCES;
Kernel: Support read-only filesystem mounts This adds support for MS_RDONLY, a mount flag that tells the kernel to disallow any attempts to write to the newly mounted filesystem. As this flag is per-mount, and different mounts of the same filesystems (such as in case of bind mounts) can have different mutability settings, you have to go though a custody to find out if the filesystem is mounted read-only, instead of just asking the filesystem itself whether it's inherently read-only. This also adds a lot of checks we were previously missing; and moves some of them to happen after more specific checks (such as regular permission checks). One outstanding hole in this system is sys$mprotect(PROT_WRITE), as there's no way we can know if the original file description this region has been mounted from had been opened through a readonly mount point. Currently, we always allow such sys$mprotect() calls to succeed, which effectively allows anyone to circumvent the effect of MS_RDONLY. We should solve this one way or another.
2020-05-28 14:56:25 +00:00
if (parent_custody->is_readonly())
Kernel+LibC: Turn errno codes into a strongly typed enum ..and allow implicit creation of KResult and KResultOr from ErrnoCode. This means that kernel functions that return those types can finally do "return EINVAL;" and it will just work. There's a handful of functions that still deal with signed integers that should be converted to return KResults.
2021-01-20 22:11:17 +00:00
return EROFS;
Kernel: Start adding various file system permission checks. Fail with EACCES in various situations. Fix userland bugs that were exposed.
2019-02-21 14:45:31 +00:00
AK: Rename FileSystemPath -> LexicalPath And move canonicalized_path() to a static method on LexicalPath. This is to make it clear that FileSystemPath/canonicalized_path() only perform *lexical* canonicalization.
2020-05-26 11:52:44 +00:00
LexicalPath p(path);
Everywhere: Replace dbgln<flag>(...) with dbgln_if(flag, ...) Replacement made by `find Kernel Userland -name '*.h' -o -name '*.cpp' | sed -i -Ee 's/dbgln\b<(\w+)>\(/dbgln_if(\1, /g'`
2021-02-07 12:03:24 +00:00
dbgln_if(VFS_DEBUG, "VFS::mkdir: '{}' in {}", p.basename(), parent_inode.identifier());
Kernel: Create new files with the current process EUID/EGID We were using the UID/GID and not the EUID/EGID, which didn't match other systems.
2021-01-21 08:56:18 +00:00
return parent_inode.create_child(p.basename(), S_IFDIR | mode, 0, current_process->euid(), current_process->egid()).result();
Import all this stuff into a single repo called Serenity.
2018-10-10 09:53:07 +00:00
}
FileSystem: Port most of the code over to using custodies. The current working directory is now stored as a custody. Likewise for a process executable file. This unbreaks /proc/PID/fd which has not been working since we made the filesystem bigger. This still needs a bunch of work, for instance when renaming or removing a file somewhere, we have to update the relevant custody links.
2019-05-30 16:58:59 +00:00
KResult VFS::access(StringView path, int mode, Custody& base)
Compat work towards porting vim.
2019-02-26 14:57:59 +00:00
{
FileSystem: Rename VFS::resolve_path_to_custody() => resolve_path().
2019-05-31 13:30:09 +00:00
auto custody_or_error = resolve_path(path, base);
FileSystem: Port most of the code over to using custodies. The current working directory is now stored as a custody. Likewise for a process executable file. This unbreaks /proc/PID/fd which has not been working since we made the filesystem bigger. This still needs a bunch of work, for instance when renaming or removing a file somewhere, we have to update the relevant custody links.
2019-05-30 16:58:59 +00:00
if (custody_or_error.is_error())
return custody_or_error.error();
auto& custody = *custody_or_error.value();
auto& inode = custody.inode();
auto metadata = inode.metadata();
Kernel: Turn Thread::current and Process::current into functions This allows us to query the current thread and process on a per processor basis
2020-06-28 21:34:31 +00:00
auto current_process = Process::current();
Compat work towards porting vim.
2019-02-26 14:57:59 +00:00
if (mode & R_OK) {
Kernel: Turn Thread::current and Process::current into functions This allows us to query the current thread and process on a per processor basis
2020-06-28 21:34:31 +00:00
if (!metadata.may_read(*current_process))
Kernel+LibC: Turn errno codes into a strongly typed enum ..and allow implicit creation of KResult and KResultOr from ErrnoCode. This means that kernel functions that return those types can finally do "return EINVAL;" and it will just work. There's a handful of functions that still deal with signed integers that should be converted to return KResults.
2021-01-20 22:11:17 +00:00
return EACCES;
Compat work towards porting vim.
2019-02-26 14:57:59 +00:00
}
if (mode & W_OK) {
Kernel: Turn Thread::current and Process::current into functions This allows us to query the current thread and process on a per processor basis
2020-06-28 21:34:31 +00:00
if (!metadata.may_write(*current_process))
Kernel+LibC: Turn errno codes into a strongly typed enum ..and allow implicit creation of KResult and KResultOr from ErrnoCode. This means that kernel functions that return those types can finally do "return EINVAL;" and it will just work. There's a handful of functions that still deal with signed integers that should be converted to return KResults.
2021-01-20 22:11:17 +00:00
return EACCES;
Kernel: Support read-only filesystem mounts This adds support for MS_RDONLY, a mount flag that tells the kernel to disallow any attempts to write to the newly mounted filesystem. As this flag is per-mount, and different mounts of the same filesystems (such as in case of bind mounts) can have different mutability settings, you have to go though a custody to find out if the filesystem is mounted read-only, instead of just asking the filesystem itself whether it's inherently read-only. This also adds a lot of checks we were previously missing; and moves some of them to happen after more specific checks (such as regular permission checks). One outstanding hole in this system is sys$mprotect(PROT_WRITE), as there's no way we can know if the original file description this region has been mounted from had been opened through a readonly mount point. Currently, we always allow such sys$mprotect() calls to succeed, which effectively allows anyone to circumvent the effect of MS_RDONLY. We should solve this one way or another.
2020-05-28 14:56:25 +00:00
if (custody.is_readonly())
Kernel+LibC: Turn errno codes into a strongly typed enum ..and allow implicit creation of KResult and KResultOr from ErrnoCode. This means that kernel functions that return those types can finally do "return EINVAL;" and it will just work. There's a handful of functions that still deal with signed integers that should be converted to return KResults.
2021-01-20 22:11:17 +00:00
return EROFS;
Compat work towards porting vim.
2019-02-26 14:57:59 +00:00
}
if (mode & X_OK) {
Kernel: Turn Thread::current and Process::current into functions This allows us to query the current thread and process on a per processor basis
2020-06-28 21:34:31 +00:00
if (!metadata.may_execute(*current_process))
Kernel+LibC: Turn errno codes into a strongly typed enum ..and allow implicit creation of KResult and KResultOr from ErrnoCode. This means that kernel functions that return those types can finally do "return EINVAL;" and it will just work. There's a handful of functions that still deal with signed integers that should be converted to return KResults.
2021-01-20 22:11:17 +00:00
return EACCES;
Compat work towards porting vim.
2019-02-26 14:57:59 +00:00
}
return KSuccess;
}
AK: Rename RetainPtr => RefPtr and Retained => NonnullRefPtr.
2019-06-21 16:37:47 +00:00
KResultOr<NonnullRefPtr<Custody>> VFS::open_directory(StringView path, Custody& base)
Kernel: Support chdir() to a directory that's executable but not readable. Also the superuser should be allowed to resolve any possible path without getting tripped up by EACCES.
2019-03-01 22:54:07 +00:00
{
FileSystem: Rename VFS::resolve_path_to_custody() => resolve_path().
2019-05-31 13:30:09 +00:00
auto inode_or_error = resolve_path(path, base);
Kernel: Support chdir() to a directory that's executable but not readable. Also the superuser should be allowed to resolve any possible path without getting tripped up by EACCES.
2019-03-01 22:54:07 +00:00
if (inode_or_error.is_error())
return inode_or_error.error();
FileSystem: Port most of the code over to using custodies. The current working directory is now stored as a custody. Likewise for a process executable file. This unbreaks /proc/PID/fd which has not been working since we made the filesystem bigger. This still needs a bunch of work, for instance when renaming or removing a file somewhere, we have to update the relevant custody links.
2019-05-30 16:58:59 +00:00
auto& custody = *inode_or_error.value();
auto& inode = custody.inode();
if (!inode.is_directory())
Kernel+LibC: Turn errno codes into a strongly typed enum ..and allow implicit creation of KResult and KResultOr from ErrnoCode. This means that kernel functions that return those types can finally do "return EINVAL;" and it will just work. There's a handful of functions that still deal with signed integers that should be converted to return KResults.
2021-01-20 22:11:17 +00:00
return ENOTDIR;
Kernel: Turn Thread::current and Process::current into functions This allows us to query the current thread and process on a per processor basis
2020-06-28 21:34:31 +00:00
if (!inode.metadata().may_execute(*Process::current()))
Kernel+LibC: Turn errno codes into a strongly typed enum ..and allow implicit creation of KResult and KResultOr from ErrnoCode. This means that kernel functions that return those types can finally do "return EINVAL;" and it will just work. There's a handful of functions that still deal with signed integers that should be converted to return KResults.
2021-01-20 22:11:17 +00:00
return EACCES;
FileSystem: Port most of the code over to using custodies. The current working directory is now stored as a custody. Likewise for a process executable file. This unbreaks /proc/PID/fd which has not been working since we made the filesystem bigger. This still needs a bunch of work, for instance when renaming or removing a file somewhere, we have to update the relevant custody links.
2019-05-30 16:58:59 +00:00
return custody;
Kernel: Support chdir() to a directory that's executable but not readable. Also the superuser should be allowed to resolve any possible path without getting tripped up by EACCES.
2019-03-01 22:54:07 +00:00
}
Kernel: Pass a Custody instead of Inode to VFS methods VFS no longer deals with inodes in public API, only with custodies and file descriptions. Talk directly to the file system if you need to operate on a inode. In most cases you actually want to go though VFS, to get proper permission check and other niceties. For this to work, you have to provide a custody, which describes *how* you have opened the inode, not just what the inode is.
2020-05-28 14:41:04 +00:00
KResult VFS::chmod(Custody& custody, mode_t mode)
Implement basic chmod() syscall and /bin/chmod helper. Only raw octal modes are supported right now. This patch also changes mode_t from 32-bit to 16-bit to match the on-disk type used by Ext2FS. I also ran into EPERM being errno=0 which was confusing, so I inserted an ESUCCESS in its place.
2019-01-29 03:55:08 +00:00
{
Kernel: Pass a Custody instead of Inode to VFS methods VFS no longer deals with inodes in public API, only with custodies and file descriptions. Talk directly to the file system if you need to operate on a inode. In most cases you actually want to go though VFS, to get proper permission check and other niceties. For this to work, you have to provide a custody, which describes *how* you have opened the inode, not just what the inode is.
2020-05-28 14:41:04 +00:00
auto& inode = custody.inode();
Kernel: Start adding various file system permission checks. Fail with EACCES in various situations. Fix userland bugs that were exposed.
2019-02-21 14:45:31 +00:00
Kernel: Turn Thread::current and Process::current into functions This allows us to query the current thread and process on a per processor basis
2020-06-28 21:34:31 +00:00
auto current_process = Process::current();
if (current_process->euid() != inode.metadata().uid && !current_process->is_superuser())
Kernel+LibC: Turn errno codes into a strongly typed enum ..and allow implicit creation of KResult and KResultOr from ErrnoCode. This means that kernel functions that return those types can finally do "return EINVAL;" and it will just work. There's a handful of functions that still deal with signed integers that should be converted to return KResults.
2021-01-20 22:11:17 +00:00
return EPERM;
Kernel: Support read-only filesystem mounts This adds support for MS_RDONLY, a mount flag that tells the kernel to disallow any attempts to write to the newly mounted filesystem. As this flag is per-mount, and different mounts of the same filesystems (such as in case of bind mounts) can have different mutability settings, you have to go though a custody to find out if the filesystem is mounted read-only, instead of just asking the filesystem itself whether it's inherently read-only. This also adds a lot of checks we were previously missing; and moves some of them to happen after more specific checks (such as regular permission checks). One outstanding hole in this system is sys$mprotect(PROT_WRITE), as there's no way we can know if the original file description this region has been mounted from had been opened through a readonly mount point. Currently, we always allow such sys$mprotect() calls to succeed, which effectively allows anyone to circumvent the effect of MS_RDONLY. We should solve this one way or another.
2020-05-28 14:56:25 +00:00
if (custody.is_readonly())
Kernel+LibC: Turn errno codes into a strongly typed enum ..and allow implicit creation of KResult and KResultOr from ErrnoCode. This means that kernel functions that return those types can finally do "return EINVAL;" and it will just work. There's a handful of functions that still deal with signed integers that should be converted to return KResults.
2021-01-20 22:11:17 +00:00
return EROFS;
Implement basic chmod() syscall and /bin/chmod helper. Only raw octal modes are supported right now. This patch also changes mode_t from 32-bit to 16-bit to match the on-disk type used by Ext2FS. I also ran into EPERM being errno=0 which was confusing, so I inserted an ESUCCESS in its place.
2019-01-29 03:55:08 +00:00
// Only change the permission bits.
Kernel: Allow sys$chmod() to change the sticky bit We were incorrectly masking off the sticky bit when setting file modes.
2021-01-19 17:21:43 +00:00
mode = (inode.mode() & ~07777u) | (mode & 07777u);
Kernel+Userland: Implement fchmod() syscall and use it to improve /bin/cp. /bin/cp will now copy the permission bits from source to destination. :^)
2019-03-01 09:39:19 +00:00
return inode.chmod(mode);
}
Implement basic chmod() syscall and /bin/chmod helper. Only raw octal modes are supported right now. This patch also changes mode_t from 32-bit to 16-bit to match the on-disk type used by Ext2FS. I also ran into EPERM being errno=0 which was confusing, so I inserted an ESUCCESS in its place.
2019-01-29 03:55:08 +00:00
FileSystem: Port most of the code over to using custodies. The current working directory is now stored as a custody. Likewise for a process executable file. This unbreaks /proc/PID/fd which has not been working since we made the filesystem bigger. This still needs a bunch of work, for instance when renaming or removing a file somewhere, we have to update the relevant custody links.
2019-05-30 16:58:59 +00:00
KResult VFS::chmod(StringView path, mode_t mode, Custody& base)
Kernel+Userland: Implement fchmod() syscall and use it to improve /bin/cp. /bin/cp will now copy the permission bits from source to destination. :^)
2019-03-01 09:39:19 +00:00
{
FileSystem: Rename VFS::resolve_path_to_custody() => resolve_path().
2019-05-31 13:30:09 +00:00
auto custody_or_error = resolve_path(path, base);
FileSystem: Port most of the code over to using custodies. The current working directory is now stored as a custody. Likewise for a process executable file. This unbreaks /proc/PID/fd which has not been working since we made the filesystem bigger. This still needs a bunch of work, for instance when renaming or removing a file somewhere, we have to update the relevant custody links.
2019-05-30 16:58:59 +00:00
if (custody_or_error.is_error())
return custody_or_error.error();
auto& custody = *custody_or_error.value();
Kernel: Pass a Custody instead of Inode to VFS methods VFS no longer deals with inodes in public API, only with custodies and file descriptions. Talk directly to the file system if you need to operate on a inode. In most cases you actually want to go though VFS, to get proper permission check and other niceties. For this to work, you have to provide a custody, which describes *how* you have opened the inode, not just what the inode is.
2020-05-28 14:41:04 +00:00
return chmod(custody, mode);
Kernel: Add KResult and KResultOr<T> classes. The idea here is to combine a potential syscall error code with an arbitrary type in the case of success. I feel like this will end up much less error prone than returning some arbitrary type that kinda sorta has bool semantics (but sometimes not really) and passing the error through an out-param. This patch only converts a few syscalls to using it. More to come.
2019-02-25 19:47:56 +00:00
}
FileSystem: Port most of the code over to using custodies. The current working directory is now stored as a custody. Likewise for a process executable file. This unbreaks /proc/PID/fd which has not been working since we made the filesystem bigger. This still needs a bunch of work, for instance when renaming or removing a file somewhere, we have to update the relevant custody links.
2019-05-30 16:58:59 +00:00
KResult VFS::rename(StringView old_path, StringView new_path, Custody& base)
Kernel+Userland: Add the rename() syscall along with a basic /bin/mv.
2019-04-07 21:35:26 +00:00
{
AK: Rename RetainPtr => RefPtr and Retained => NonnullRefPtr.
2019-06-21 16:37:47 +00:00
RefPtr<Custody> old_parent_custody;
Kernel: Allow sys$rename() to rename symlinks Previously, this syscall would try to rename the target of the link, not the link itself.
2020-12-27 14:38:07 +00:00
auto old_custody_or_error = resolve_path(old_path, base, &old_parent_custody, O_NOFOLLOW_NOERROR);
FileSystem: Port most of the code over to using custodies. The current working directory is now stored as a custody. Likewise for a process executable file. This unbreaks /proc/PID/fd which has not been working since we made the filesystem bigger. This still needs a bunch of work, for instance when renaming or removing a file somewhere, we have to update the relevant custody links.
2019-05-30 16:58:59 +00:00
if (old_custody_or_error.is_error())
return old_custody_or_error.error();
auto& old_custody = *old_custody_or_error.value();
auto& old_inode = old_custody.inode();
Kernel+Userland: Add the rename() syscall along with a basic /bin/mv.
2019-04-07 21:35:26 +00:00
AK: Rename RetainPtr => RefPtr and Retained => NonnullRefPtr.
2019-06-21 16:37:47 +00:00
RefPtr<Custody> new_parent_custody;
FileSystem: Rename VFS::resolve_path_to_custody() => resolve_path().
2019-05-31 13:30:09 +00:00
auto new_custody_or_error = resolve_path(new_path, base, &new_parent_custody);
FileSystem: Port most of the code over to using custodies. The current working directory is now stored as a custody. Likewise for a process executable file. This unbreaks /proc/PID/fd which has not been working since we made the filesystem bigger. This still needs a bunch of work, for instance when renaming or removing a file somewhere, we have to update the relevant custody links.
2019-05-30 16:58:59 +00:00
if (new_custody_or_error.is_error()) {
Kernel: Fix a panic in VFS::rename() If we get an -ENOENT when resolving the target because of some part, that is not the very last part, missing, we should just return the error instead of panicking later :^) To test: $ mkdir /tmp/foo/ $ mv /tmp/foo/ /tmp/bar/ Related to https://github.com/SerenityOS/serenity/issues/1253
2020-02-20 14:33:14 +00:00
if (new_custody_or_error.error() != -ENOENT || !new_parent_custody)
FileSystem: Port most of the code over to using custodies. The current working directory is now stored as a custody. Likewise for a process executable file. This unbreaks /proc/PID/fd which has not been working since we made the filesystem bigger. This still needs a bunch of work, for instance when renaming or removing a file somewhere, we have to update the relevant custody links.
2019-05-30 16:58:59 +00:00
return new_custody_or_error.error();
Kernel+Userland: Add the rename() syscall along with a basic /bin/mv.
2019-04-07 21:35:26 +00:00
}
FileSystem: Port most of the code over to using custodies. The current working directory is now stored as a custody. Likewise for a process executable file. This unbreaks /proc/PID/fd which has not been working since we made the filesystem bigger. This still needs a bunch of work, for instance when renaming or removing a file somewhere, we have to update the relevant custody links.
2019-05-30 16:58:59 +00:00
auto& old_parent_inode = old_parent_custody->inode();
auto& new_parent_inode = new_parent_custody->inode();
Kernel: rename() should fail with EXDEV for cross-device requests POSIX does not support rename() from one file system to another.
2020-01-03 03:10:05 +00:00
if (&old_parent_inode.fs() != &new_parent_inode.fs())
Kernel+LibC: Turn errno codes into a strongly typed enum ..and allow implicit creation of KResult and KResultOr from ErrnoCode. This means that kernel functions that return those types can finally do "return EINVAL;" and it will just work. There's a handful of functions that still deal with signed integers that should be converted to return KResults.
2021-01-20 22:11:17 +00:00
return EXDEV;
Kernel: rename() should fail with EXDEV for cross-device requests POSIX does not support rename() from one file system to another.
2020-01-03 03:10:05 +00:00
Kernel+LibC: Don't allow a directory to become a subdirectory of itself If you try to do this (e.g "mv directory directory"), sys$rename() will now fail with EDIRINTOSELF. Dr. POSIX says we should return EINVAL for this, but a custom error code allows us to print a much more helpful error message when this problem occurs. :^)
2020-11-01 16:17:23 +00:00
for (auto* new_ancestor = new_parent_custody.ptr(); new_ancestor; new_ancestor = new_ancestor->parent()) {
if (&old_inode == &new_ancestor->inode())
Kernel+LibC: Turn errno codes into a strongly typed enum ..and allow implicit creation of KResult and KResultOr from ErrnoCode. This means that kernel functions that return those types can finally do "return EINVAL;" and it will just work. There's a handful of functions that still deal with signed integers that should be converted to return KResults.
2021-01-20 22:11:17 +00:00
return EDIRINTOSELF;
Kernel+LibC: Don't allow a directory to become a subdirectory of itself If you try to do this (e.g "mv directory directory"), sys$rename() will now fail with EDIRINTOSELF. Dr. POSIX says we should return EINVAL for this, but a custom error code allows us to print a much more helpful error message when this problem occurs. :^)
2020-11-01 16:17:23 +00:00
}
Kernel: Turn Thread::current and Process::current into functions This allows us to query the current thread and process on a per processor basis
2020-06-28 21:34:31 +00:00
auto current_process = Process::current();
if (!new_parent_inode.metadata().may_write(*current_process))
Kernel+LibC: Turn errno codes into a strongly typed enum ..and allow implicit creation of KResult and KResultOr from ErrnoCode. This means that kernel functions that return those types can finally do "return EINVAL;" and it will just work. There's a handful of functions that still deal with signed integers that should be converted to return KResults.
2021-01-20 22:11:17 +00:00
return EACCES;
Kernel+Userland: Add the rename() syscall along with a basic /bin/mv.
2019-04-07 21:35:26 +00:00
Kernel: Turn Thread::current and Process::current into functions This allows us to query the current thread and process on a per processor basis
2020-06-28 21:34:31 +00:00
if (!old_parent_inode.metadata().may_write(*current_process))
Kernel+LibC: Turn errno codes into a strongly typed enum ..and allow implicit creation of KResult and KResultOr from ErrnoCode. This means that kernel functions that return those types can finally do "return EINVAL;" and it will just work. There's a handful of functions that still deal with signed integers that should be converted to return KResults.
2021-01-20 22:11:17 +00:00
return EACCES;
Kernel+Userland: Add the rename() syscall along with a basic /bin/mv.
2019-04-07 21:35:26 +00:00
FileSystem: Port most of the code over to using custodies. The current working directory is now stored as a custody. Likewise for a process executable file. This unbreaks /proc/PID/fd which has not been working since we made the filesystem bigger. This still needs a bunch of work, for instance when renaming or removing a file somewhere, we have to update the relevant custody links.
2019-05-30 16:58:59 +00:00
if (old_parent_inode.metadata().is_sticky()) {
Kernel: Turn Thread::current and Process::current into functions This allows us to query the current thread and process on a per processor basis
2020-06-28 21:34:31 +00:00
if (!current_process->is_superuser() && old_inode.metadata().uid != current_process->euid())
Kernel+LibC: Turn errno codes into a strongly typed enum ..and allow implicit creation of KResult and KResultOr from ErrnoCode. This means that kernel functions that return those types can finally do "return EINVAL;" and it will just work. There's a handful of functions that still deal with signed integers that should be converted to return KResults.
2021-01-20 22:11:17 +00:00
return EACCES;
VFS: Implement sticky bit behavior for rename() and unlink(). Removing entries from a sticky directory is only allowed when you are either the owner of the entry, or the superuser. :^)
2019-04-28 20:54:30 +00:00
}
Kernel: Support read-only filesystem mounts This adds support for MS_RDONLY, a mount flag that tells the kernel to disallow any attempts to write to the newly mounted filesystem. As this flag is per-mount, and different mounts of the same filesystems (such as in case of bind mounts) can have different mutability settings, you have to go though a custody to find out if the filesystem is mounted read-only, instead of just asking the filesystem itself whether it's inherently read-only. This also adds a lot of checks we were previously missing; and moves some of them to happen after more specific checks (such as regular permission checks). One outstanding hole in this system is sys$mprotect(PROT_WRITE), as there's no way we can know if the original file description this region has been mounted from had been opened through a readonly mount point. Currently, we always allow such sys$mprotect() calls to succeed, which effectively allows anyone to circumvent the effect of MS_RDONLY. We should solve this one way or another.
2020-05-28 14:56:25 +00:00
if (old_parent_custody->is_readonly() || new_parent_custody->is_readonly())
Kernel+LibC: Turn errno codes into a strongly typed enum ..and allow implicit creation of KResult and KResultOr from ErrnoCode. This means that kernel functions that return those types can finally do "return EINVAL;" and it will just work. There's a handful of functions that still deal with signed integers that should be converted to return KResults.
2021-01-20 22:11:17 +00:00
return EROFS;
Kernel: Support read-only filesystem mounts This adds support for MS_RDONLY, a mount flag that tells the kernel to disallow any attempts to write to the newly mounted filesystem. As this flag is per-mount, and different mounts of the same filesystems (such as in case of bind mounts) can have different mutability settings, you have to go though a custody to find out if the filesystem is mounted read-only, instead of just asking the filesystem itself whether it's inherently read-only. This also adds a lot of checks we were previously missing; and moves some of them to happen after more specific checks (such as regular permission checks). One outstanding hole in this system is sys$mprotect(PROT_WRITE), as there's no way we can know if the original file description this region has been mounted from had been opened through a readonly mount point. Currently, we always allow such sys$mprotect() calls to succeed, which effectively allows anyone to circumvent the effect of MS_RDONLY. We should solve this one way or another.
2020-05-28 14:56:25 +00:00
AK: Rename FileSystemPath -> LexicalPath And move canonicalized_path() to a static method on LexicalPath. This is to make it clear that FileSystemPath/canonicalized_path() only perform *lexical* canonicalization.
2020-05-26 11:52:44 +00:00
auto new_basename = LexicalPath(new_path).basename();
FileSystem: Reuse existing custodies when possible, and keep them updated. Walk the custody cache and try to reuse an existing one when possible. The VFS is responsible for updating them when something happens that would cause the described relationship to change. This is definitely not perfect but it does work for the basic scenarios like renaming and removing directory entries.
2019-05-31 13:22:52 +00:00
FileSystem: Port most of the code over to using custodies. The current working directory is now stored as a custody. Likewise for a process executable file. This unbreaks /proc/PID/fd which has not been working since we made the filesystem bigger. This still needs a bunch of work, for instance when renaming or removing a file somewhere, we have to update the relevant custody links.
2019-05-30 16:58:59 +00:00
if (!new_custody_or_error.is_error()) {
auto& new_custody = *new_custody_or_error.value();
auto& new_inode = new_custody.inode();
Kernel+Userland: Add the rename() syscall along with a basic /bin/mv.
2019-04-07 21:35:26 +00:00
// FIXME: Is this really correct? Check what other systems do.
FileSystem: Port most of the code over to using custodies. The current working directory is now stored as a custody. Likewise for a process executable file. This unbreaks /proc/PID/fd which has not been working since we made the filesystem bigger. This still needs a bunch of work, for instance when renaming or removing a file somewhere, we have to update the relevant custody links.
2019-05-30 16:58:59 +00:00
if (&new_inode == &old_inode)
Kernel+Userland: Add the rename() syscall along with a basic /bin/mv.
2019-04-07 21:35:26 +00:00
return KSuccess;
FileSystem: Port most of the code over to using custodies. The current working directory is now stored as a custody. Likewise for a process executable file. This unbreaks /proc/PID/fd which has not been working since we made the filesystem bigger. This still needs a bunch of work, for instance when renaming or removing a file somewhere, we have to update the relevant custody links.
2019-05-30 16:58:59 +00:00
if (new_parent_inode.metadata().is_sticky()) {
Kernel: Turn Thread::current and Process::current into functions This allows us to query the current thread and process on a per processor basis
2020-06-28 21:34:31 +00:00
if (!current_process->is_superuser() && new_inode.metadata().uid != current_process->euid())
Kernel+LibC: Turn errno codes into a strongly typed enum ..and allow implicit creation of KResult and KResultOr from ErrnoCode. This means that kernel functions that return those types can finally do "return EINVAL;" and it will just work. There's a handful of functions that still deal with signed integers that should be converted to return KResults.
2021-01-20 22:11:17 +00:00
return EACCES;
VFS: Also respect the sticky bit of the new parent in rename(). Obviously we should not allow overwriting someone else's files in a sticky directory either.
2019-04-28 21:34:33 +00:00
}
FileSystem: Port most of the code over to using custodies. The current working directory is now stored as a custody. Likewise for a process executable file. This unbreaks /proc/PID/fd which has not been working since we made the filesystem bigger. This still needs a bunch of work, for instance when renaming or removing a file somewhere, we have to update the relevant custody links.
2019-05-30 16:58:59 +00:00
if (new_inode.is_directory() && !old_inode.is_directory())
Kernel+LibC: Turn errno codes into a strongly typed enum ..and allow implicit creation of KResult and KResultOr from ErrnoCode. This means that kernel functions that return those types can finally do "return EINVAL;" and it will just work. There's a handful of functions that still deal with signed integers that should be converted to return KResults.
2021-01-20 22:11:17 +00:00
return EISDIR;
FileSystem: Reuse existing custodies when possible, and keep them updated. Walk the custody cache and try to reuse an existing one when possible. The VFS is responsible for updating them when something happens that would cause the described relationship to change. This is definitely not perfect but it does work for the basic scenarios like renaming and removing directory entries.
2019-05-31 13:22:52 +00:00
auto result = new_parent_inode.remove_child(new_basename);
Kernel+Userland: Add the rename() syscall along with a basic /bin/mv.
2019-04-07 21:35:26 +00:00
if (result.is_error())
return result;
}
Kernel: Deemphasize inode identifiers These APIs were clearly modeled after Ext2FS internals, and make perfect sense in Ext2FS context. The new APIs are more generic, and map better to the semantics exported to the userspace, where inode identifiers only appear in stat() and readdir() output, but never in any input. This will also hopefully reduce the potential for races (see commit https://github.com/SerenityOS/serenity/commit/c44b4d61f350703fcf1bbd8f6e353b9c6c4210c2). Lastly, this makes it way more viable to implement a filesystem that only synthesizes its inodes lazily when queried, and destroys them when they are no longer in use. With inode identifiers being used to reference inodes, the only choice for such a filesystem is to persist any inode it has given out the identifier for, because it might be queried at any later time. With direct references to inodes, the filesystem will know when the last reference is dropped and the inode can be safely destroyed.
2020-06-24 20:35:56 +00:00
auto result = new_parent_inode.add_child(old_inode, new_basename, old_inode.mode());
Kernel+Userland: Add the rename() syscall along with a basic /bin/mv.
2019-04-07 21:35:26 +00:00
if (result.is_error())
return result;
AK: Rename FileSystemPath -> LexicalPath And move canonicalized_path() to a static method on LexicalPath. This is to make it clear that FileSystemPath/canonicalized_path() only perform *lexical* canonicalization.
2020-05-26 11:52:44 +00:00
result = old_parent_inode.remove_child(LexicalPath(old_path).basename());
Kernel+Userland: Add the rename() syscall along with a basic /bin/mv.
2019-04-07 21:35:26 +00:00
if (result.is_error())
return result;
return KSuccess;
}
Kernel: Pass a Custody instead of Inode to VFS methods VFS no longer deals with inodes in public API, only with custodies and file descriptions. Talk directly to the file system if you need to operate on a inode. In most cases you actually want to go though VFS, to get proper permission check and other niceties. For this to work, you have to provide a custody, which describes *how* you have opened the inode, not just what the inode is.
2020-05-28 14:41:04 +00:00
KResult VFS::chown(Custody& custody, uid_t a_uid, gid_t a_gid)
Add chown() syscall and a simple /bin/chown program.
2019-02-27 11:32:53 +00:00
{
Kernel: Pass a Custody instead of Inode to VFS methods VFS no longer deals with inodes in public API, only with custodies and file descriptions. Talk directly to the file system if you need to operate on a inode. In most cases you actually want to go though VFS, to get proper permission check and other niceties. For this to work, you have to provide a custody, which describes *how* you have opened the inode, not just what the inode is.
2020-05-28 14:41:04 +00:00
auto& inode = custody.inode();
FileSystem: Only retrieve inode metadata once in VFS::chown().
2019-06-02 08:31:25 +00:00
auto metadata = inode.metadata();
Kernel: Turn Thread::current and Process::current into functions This allows us to query the current thread and process on a per processor basis
2020-06-28 21:34:31 +00:00
auto current_process = Process::current();
if (current_process->euid() != metadata.uid && !current_process->is_superuser())
Kernel+LibC: Turn errno codes into a strongly typed enum ..and allow implicit creation of KResult and KResultOr from ErrnoCode. This means that kernel functions that return those types can finally do "return EINVAL;" and it will just work. There's a handful of functions that still deal with signed integers that should be converted to return KResults.
2021-01-20 22:11:17 +00:00
return EPERM;
Add chown() syscall and a simple /bin/chown program.
2019-02-27 11:32:53 +00:00
FileSystem: Only retrieve inode metadata once in VFS::chown().
2019-06-02 08:31:25 +00:00
uid_t new_uid = metadata.uid;
gid_t new_gid = metadata.gid;
Add chown() syscall and a simple /bin/chown program.
2019-02-27 11:32:53 +00:00
if (a_uid != (uid_t)-1) {
Kernel: Turn Thread::current and Process::current into functions This allows us to query the current thread and process on a per processor basis
2020-06-28 21:34:31 +00:00
if (current_process->euid() != a_uid && !current_process->is_superuser())
Kernel+LibC: Turn errno codes into a strongly typed enum ..and allow implicit creation of KResult and KResultOr from ErrnoCode. This means that kernel functions that return those types can finally do "return EINVAL;" and it will just work. There's a handful of functions that still deal with signed integers that should be converted to return KResults.
2021-01-20 22:11:17 +00:00
return EPERM;
Add chown() syscall and a simple /bin/chown program.
2019-02-27 11:32:53 +00:00
new_uid = a_uid;
}
if (a_gid != (gid_t)-1) {
Kernel: Turn Thread::current and Process::current into functions This allows us to query the current thread and process on a per processor basis
2020-06-28 21:34:31 +00:00
if (!current_process->in_group(a_gid) && !current_process->is_superuser())
Kernel+LibC: Turn errno codes into a strongly typed enum ..and allow implicit creation of KResult and KResultOr from ErrnoCode. This means that kernel functions that return those types can finally do "return EINVAL;" and it will just work. There's a handful of functions that still deal with signed integers that should be converted to return KResults.
2021-01-20 22:11:17 +00:00
return EPERM;
Add chown() syscall and a simple /bin/chown program.
2019-02-27 11:32:53 +00:00
new_gid = a_gid;
}
Kernel: Support read-only filesystem mounts This adds support for MS_RDONLY, a mount flag that tells the kernel to disallow any attempts to write to the newly mounted filesystem. As this flag is per-mount, and different mounts of the same filesystems (such as in case of bind mounts) can have different mutability settings, you have to go though a custody to find out if the filesystem is mounted read-only, instead of just asking the filesystem itself whether it's inherently read-only. This also adds a lot of checks we were previously missing; and moves some of them to happen after more specific checks (such as regular permission checks). One outstanding hole in this system is sys$mprotect(PROT_WRITE), as there's no way we can know if the original file description this region has been mounted from had been opened through a readonly mount point. Currently, we always allow such sys$mprotect() calls to succeed, which effectively allows anyone to circumvent the effect of MS_RDONLY. We should solve this one way or another.
2020-05-28 14:56:25 +00:00
if (custody.is_readonly())
Kernel+LibC: Turn errno codes into a strongly typed enum ..and allow implicit creation of KResult and KResultOr from ErrnoCode. This means that kernel functions that return those types can finally do "return EINVAL;" and it will just work. There's a handful of functions that still deal with signed integers that should be converted to return KResults.
2021-01-20 22:11:17 +00:00
return EROFS;
Kernel: Support read-only filesystem mounts This adds support for MS_RDONLY, a mount flag that tells the kernel to disallow any attempts to write to the newly mounted filesystem. As this flag is per-mount, and different mounts of the same filesystems (such as in case of bind mounts) can have different mutability settings, you have to go though a custody to find out if the filesystem is mounted read-only, instead of just asking the filesystem itself whether it's inherently read-only. This also adds a lot of checks we were previously missing; and moves some of them to happen after more specific checks (such as regular permission checks). One outstanding hole in this system is sys$mprotect(PROT_WRITE), as there's no way we can know if the original file description this region has been mounted from had been opened through a readonly mount point. Currently, we always allow such sys$mprotect() calls to succeed, which effectively allows anyone to circumvent the effect of MS_RDONLY. We should solve this one way or another.
2020-05-28 14:56:25 +00:00
Everywhere: Replace a bundle of dbg with dbgln. These changes are arbitrarily divided into multiple commits to make it easier to find potentially introduced bugs with git bisect.Everything:
2021-01-10 14:17:54 +00:00
dbgln("VFS::chown(): inode {} <- uid={} gid={}", inode.identifier(), new_uid, new_gid);
Kernel: Strip SUID+SGID bits from file when written to or chowned Fixes #1624.
2020-04-04 17:46:55 +00:00
if (metadata.is_setuid() || metadata.is_setgid()) {
Everywhere: Replace a bundle of dbg with dbgln. These changes are arbitrarily divided into multiple commits to make it easier to find potentially introduced bugs with git bisect.Everything:
2021-01-10 14:17:54 +00:00
dbgln("VFS::chown(): Stripping SUID/SGID bits from {}", inode.identifier());
Kernel: Strip SUID+SGID bits from file when written to or chowned Fixes #1624.
2020-04-04 17:46:55 +00:00
auto result = inode.chmod(metadata.mode & ~(04000 | 02000));
if (result.is_error())
return result;
}
FileSystem: Port most of the code over to using custodies. The current working directory is now stored as a custody. Likewise for a process executable file. This unbreaks /proc/PID/fd which has not been working since we made the filesystem bigger. This still needs a bunch of work, for instance when renaming or removing a file somewhere, we have to update the relevant custody links.
2019-05-30 16:58:59 +00:00
return inode.chown(new_uid, new_gid);
Add chown() syscall and a simple /bin/chown program.
2019-02-27 11:32:53 +00:00
}
FileSystem: Route chown() and fchown() through VFS for access control.
2019-06-02 10:30:24 +00:00
KResult VFS::chown(StringView path, uid_t a_uid, gid_t a_gid, Custody& base)
{
auto custody_or_error = resolve_path(path, base);
if (custody_or_error.is_error())
return custody_or_error.error();
auto& custody = *custody_or_error.value();
Kernel: Pass a Custody instead of Inode to VFS methods VFS no longer deals with inodes in public API, only with custodies and file descriptions. Talk directly to the file system if you need to operate on a inode. In most cases you actually want to go though VFS, to get proper permission check and other niceties. For this to work, you have to provide a custody, which describes *how* you have opened the inode, not just what the inode is.
2020-05-28 14:41:04 +00:00
return chown(custody, a_uid, a_gid);
FileSystem: Route chown() and fchown() through VFS for access control.
2019-06-02 10:30:24 +00:00
}
Kernel: Implement the same hard link protection as Linux sys$link() will now fail to create hard links in some cases where you don't own or have write access to the link target. Work towards #4934
2021-01-19 16:59:32 +00:00
static bool hard_link_allowed(const Inode& inode)
{
auto metadata = inode.metadata();
if (Process::current()->euid() == metadata.uid)
return true;
if (metadata.is_regular_file()
&& !metadata.is_setuid()
&& !(metadata.is_setgid() && metadata.mode & S_IXGRP)
&& metadata.may_write(*Process::current())) {
return true;
}
return false;
}
FileSystem: Port most of the code over to using custodies. The current working directory is now stored as a custody. Likewise for a process executable file. This unbreaks /proc/PID/fd which has not been working since we made the filesystem bigger. This still needs a bunch of work, for instance when renaming or removing a file somewhere, we have to update the relevant custody links.
2019-05-30 16:58:59 +00:00
KResult VFS::link(StringView old_path, StringView new_path, Custody& base)
Kernel: Add link() syscall to create hard links. This accidentally grew into a little bit of VFS cleanup as well. Also add a simple /bin/ln implementation to exercise it.
2019-02-21 12:26:40 +00:00
{
FileSystem: Rename VFS::resolve_path_to_custody() => resolve_path().
2019-05-31 13:30:09 +00:00
auto old_custody_or_error = resolve_path(old_path, base);
FileSystem: Port most of the code over to using custodies. The current working directory is now stored as a custody. Likewise for a process executable file. This unbreaks /proc/PID/fd which has not been working since we made the filesystem bigger. This still needs a bunch of work, for instance when renaming or removing a file somewhere, we have to update the relevant custody links.
2019-05-30 16:58:59 +00:00
if (old_custody_or_error.is_error())
return old_custody_or_error.error();
auto& old_custody = *old_custody_or_error.value();
auto& old_inode = old_custody.inode();
Kernel: Add link() syscall to create hard links. This accidentally grew into a little bit of VFS cleanup as well. Also add a simple /bin/ln implementation to exercise it.
2019-02-21 12:26:40 +00:00
AK: Rename RetainPtr => RefPtr and Retained => NonnullRefPtr.
2019-06-21 16:37:47 +00:00
RefPtr<Custody> parent_custody;
FileSystem: Rename VFS::resolve_path_to_custody() => resolve_path().
2019-05-31 13:30:09 +00:00
auto new_custody_or_error = resolve_path(new_path, base, &parent_custody);
FileSystem: Port most of the code over to using custodies. The current working directory is now stored as a custody. Likewise for a process executable file. This unbreaks /proc/PID/fd which has not been working since we made the filesystem bigger. This still needs a bunch of work, for instance when renaming or removing a file somewhere, we have to update the relevant custody links.
2019-05-30 16:58:59 +00:00
if (!new_custody_or_error.is_error())
Kernel+LibC: Turn errno codes into a strongly typed enum ..and allow implicit creation of KResult and KResultOr from ErrnoCode. This means that kernel functions that return those types can finally do "return EINVAL;" and it will just work. There's a handful of functions that still deal with signed integers that should be converted to return KResults.
2021-01-20 22:11:17 +00:00
return EEXIST;
Add unlink() syscall and /bin/rm. This patch adds most of the plumbing for working file deletion in Ext2FS. Directory entries are removed and inode link counts updated. We don't yet update the inode or block bitmaps, I will do that separately.
2019-01-22 06:03:44 +00:00
FileSystem: Port most of the code over to using custodies. The current working directory is now stored as a custody. Likewise for a process executable file. This unbreaks /proc/PID/fd which has not been working since we made the filesystem bigger. This still needs a bunch of work, for instance when renaming or removing a file somewhere, we have to update the relevant custody links.
2019-05-30 16:58:59 +00:00
if (!parent_custody)
Kernel+LibC: Turn errno codes into a strongly typed enum ..and allow implicit creation of KResult and KResultOr from ErrnoCode. This means that kernel functions that return those types can finally do "return EINVAL;" and it will just work. There's a handful of functions that still deal with signed integers that should be converted to return KResults.
2021-01-20 22:11:17 +00:00
return ENOENT;
Kernel: Use KResult in link().
2019-02-27 14:31:26 +00:00
FileSystem: Port most of the code over to using custodies. The current working directory is now stored as a custody. Likewise for a process executable file. This unbreaks /proc/PID/fd which has not been working since we made the filesystem bigger. This still needs a bunch of work, for instance when renaming or removing a file somewhere, we have to update the relevant custody links.
2019-05-30 16:58:59 +00:00
auto& parent_inode = parent_custody->inode();
if (parent_inode.fsid() != old_inode.fsid())
Kernel+LibC: Turn errno codes into a strongly typed enum ..and allow implicit creation of KResult and KResultOr from ErrnoCode. This means that kernel functions that return those types can finally do "return EINVAL;" and it will just work. There's a handful of functions that still deal with signed integers that should be converted to return KResults.
2021-01-20 22:11:17 +00:00
return EXDEV;
Kernel: Use KResult in link().
2019-02-27 14:31:26 +00:00
Kernel: Turn Thread::current and Process::current into functions This allows us to query the current thread and process on a per processor basis
2020-06-28 21:34:31 +00:00
if (!parent_inode.metadata().may_write(*Process::current()))
Kernel+LibC: Turn errno codes into a strongly typed enum ..and allow implicit creation of KResult and KResultOr from ErrnoCode. This means that kernel functions that return those types can finally do "return EINVAL;" and it will just work. There's a handful of functions that still deal with signed integers that should be converted to return KResults.
2021-01-20 22:11:17 +00:00
return EACCES;
Kernel: Use KResult in link().
2019-02-27 14:31:26 +00:00
Kernel: Trying to sys$link() a directory should fail with EPERM
2020-01-15 21:10:38 +00:00
if (old_inode.is_directory())
Kernel+LibC: Turn errno codes into a strongly typed enum ..and allow implicit creation of KResult and KResultOr from ErrnoCode. This means that kernel functions that return those types can finally do "return EINVAL;" and it will just work. There's a handful of functions that still deal with signed integers that should be converted to return KResults.
2021-01-20 22:11:17 +00:00
return EPERM;
Kernel: Trying to sys$link() a directory should fail with EPERM
2020-01-15 21:10:38 +00:00
Kernel: Support read-only filesystem mounts This adds support for MS_RDONLY, a mount flag that tells the kernel to disallow any attempts to write to the newly mounted filesystem. As this flag is per-mount, and different mounts of the same filesystems (such as in case of bind mounts) can have different mutability settings, you have to go though a custody to find out if the filesystem is mounted read-only, instead of just asking the filesystem itself whether it's inherently read-only. This also adds a lot of checks we were previously missing; and moves some of them to happen after more specific checks (such as regular permission checks). One outstanding hole in this system is sys$mprotect(PROT_WRITE), as there's no way we can know if the original file description this region has been mounted from had been opened through a readonly mount point. Currently, we always allow such sys$mprotect() calls to succeed, which effectively allows anyone to circumvent the effect of MS_RDONLY. We should solve this one way or another.
2020-05-28 14:56:25 +00:00
if (parent_custody->is_readonly())
Kernel+LibC: Turn errno codes into a strongly typed enum ..and allow implicit creation of KResult and KResultOr from ErrnoCode. This means that kernel functions that return those types can finally do "return EINVAL;" and it will just work. There's a handful of functions that still deal with signed integers that should be converted to return KResults.
2021-01-20 22:11:17 +00:00
return EROFS;
Kernel: Support read-only filesystem mounts This adds support for MS_RDONLY, a mount flag that tells the kernel to disallow any attempts to write to the newly mounted filesystem. As this flag is per-mount, and different mounts of the same filesystems (such as in case of bind mounts) can have different mutability settings, you have to go though a custody to find out if the filesystem is mounted read-only, instead of just asking the filesystem itself whether it's inherently read-only. This also adds a lot of checks we were previously missing; and moves some of them to happen after more specific checks (such as regular permission checks). One outstanding hole in this system is sys$mprotect(PROT_WRITE), as there's no way we can know if the original file description this region has been mounted from had been opened through a readonly mount point. Currently, we always allow such sys$mprotect() calls to succeed, which effectively allows anyone to circumvent the effect of MS_RDONLY. We should solve this one way or another.
2020-05-28 14:56:25 +00:00
Kernel: Implement the same hard link protection as Linux sys$link() will now fail to create hard links in some cases where you don't own or have write access to the link target. Work towards #4934
2021-01-19 16:59:32 +00:00
if (!hard_link_allowed(old_inode))
Kernel+LibC: Turn errno codes into a strongly typed enum ..and allow implicit creation of KResult and KResultOr from ErrnoCode. This means that kernel functions that return those types can finally do "return EINVAL;" and it will just work. There's a handful of functions that still deal with signed integers that should be converted to return KResults.
2021-01-20 22:11:17 +00:00
return EPERM;
Kernel: Implement the same hard link protection as Linux sys$link() will now fail to create hard links in some cases where you don't own or have write access to the link target. Work towards #4934
2021-01-19 16:59:32 +00:00
Kernel: Deemphasize inode identifiers These APIs were clearly modeled after Ext2FS internals, and make perfect sense in Ext2FS context. The new APIs are more generic, and map better to the semantics exported to the userspace, where inode identifiers only appear in stat() and readdir() output, but never in any input. This will also hopefully reduce the potential for races (see commit https://github.com/SerenityOS/serenity/commit/c44b4d61f350703fcf1bbd8f6e353b9c6c4210c2). Lastly, this makes it way more viable to implement a filesystem that only synthesizes its inodes lazily when queried, and destroys them when they are no longer in use. With inode identifiers being used to reference inodes, the only choice for such a filesystem is to persist any inode it has given out the identifier for, because it might be queried at any later time. With direct references to inodes, the filesystem will know when the last reference is dropped and the inode can be safely destroyed.
2020-06-24 20:35:56 +00:00
return parent_inode.add_child(old_inode, LexicalPath(new_path).basename(), old_inode.mode());
Kernel: Add link() syscall to create hard links. This accidentally grew into a little bit of VFS cleanup as well. Also add a simple /bin/ln implementation to exercise it.
2019-02-21 12:26:40 +00:00
}
FileSystem: Port most of the code over to using custodies. The current working directory is now stored as a custody. Likewise for a process executable file. This unbreaks /proc/PID/fd which has not been working since we made the filesystem bigger. This still needs a bunch of work, for instance when renaming or removing a file somewhere, we have to update the relevant custody links.
2019-05-30 16:58:59 +00:00
KResult VFS::unlink(StringView path, Custody& base)
Kernel: Add link() syscall to create hard links. This accidentally grew into a little bit of VFS cleanup as well. Also add a simple /bin/ln implementation to exercise it.
2019-02-21 12:26:40 +00:00
{
AK: Rename RetainPtr => RefPtr and Retained => NonnullRefPtr.
2019-06-21 16:37:47 +00:00
RefPtr<Custody> parent_custody;
Kernel: Add a basic implementation of unveil() This syscall is a complement to pledge() and adds the same sort of incremental relinquishing of capabilities for filesystem access. The first call to unveil() will "drop a veil" on the process, and from now on, only unveiled parts of the filesystem are visible to it. Each call to unveil() specifies a path to either a directory or a file along with permissions for that path. The permissions are a combination of the following: - r: Read access (like the "rpath" promise) - w: Write access (like the "wpath" promise) - x: Execute access - c: Create/remove access (like the "cpath" promise) Attempts to open a path that has not been unveiled with fail with ENOENT. If the unveiled path lacks sufficient permissions, it will fail with EACCES. Like pledge(), subsequent calls to unveil() with the same path can only remove permissions, not add them. Once you call unveil(nullptr, nullptr), the veil is locked, and it's no longer possible to unveil any more paths for the process, ever. This concept comes from OpenBSD, and their implementation does various things differently, I'm sure. This is just a first implementation for SerenityOS, and we'll keep improving on it as we go. :^)
2020-01-20 21:12:04 +00:00
auto custody_or_error = resolve_path(path, base, &parent_custody, O_NOFOLLOW_NOERROR | O_UNLINK_INTERNAL);
FileSystem: Port most of the code over to using custodies. The current working directory is now stored as a custody. Likewise for a process executable file. This unbreaks /proc/PID/fd which has not been working since we made the filesystem bigger. This still needs a bunch of work, for instance when renaming or removing a file somewhere, we have to update the relevant custody links.
2019-05-30 16:58:59 +00:00
if (custody_or_error.is_error())
return custody_or_error.error();
auto& custody = *custody_or_error.value();
auto& inode = custody.inode();
VFS: unlink() should fail when called on a directory.
2019-01-23 04:35:42 +00:00
FileSystem: Port most of the code over to using custodies. The current working directory is now stored as a custody. Likewise for a process executable file. This unbreaks /proc/PID/fd which has not been working since we made the filesystem bigger. This still needs a bunch of work, for instance when renaming or removing a file somewhere, we have to update the relevant custody links.
2019-05-30 16:58:59 +00:00
if (inode.is_directory())
Kernel+LibC: Turn errno codes into a strongly typed enum ..and allow implicit creation of KResult and KResultOr from ErrnoCode. This means that kernel functions that return those types can finally do "return EINVAL;" and it will just work. There's a handful of functions that still deal with signed integers that should be converted to return KResults.
2021-01-20 22:11:17 +00:00
return EISDIR;
Kernel: Start adding various file system permission checks. Fail with EACCES in various situations. Fix userland bugs that were exposed.
2019-02-21 14:45:31 +00:00
Kernel: Support read-only filesystem mounts This adds support for MS_RDONLY, a mount flag that tells the kernel to disallow any attempts to write to the newly mounted filesystem. As this flag is per-mount, and different mounts of the same filesystems (such as in case of bind mounts) can have different mutability settings, you have to go though a custody to find out if the filesystem is mounted read-only, instead of just asking the filesystem itself whether it's inherently read-only. This also adds a lot of checks we were previously missing; and moves some of them to happen after more specific checks (such as regular permission checks). One outstanding hole in this system is sys$mprotect(PROT_WRITE), as there's no way we can know if the original file description this region has been mounted from had been opened through a readonly mount point. Currently, we always allow such sys$mprotect() calls to succeed, which effectively allows anyone to circumvent the effect of MS_RDONLY. We should solve this one way or another.
2020-05-28 14:56:25 +00:00
// We have just checked that the inode is not a directory, and thus it's not
// the root. So it should have a parent. Note that this would be invalidated
// if we were to support bind-mounting regular files on top of the root.
ASSERT(parent_custody);
FileSystem: Port most of the code over to using custodies. The current working directory is now stored as a custody. Likewise for a process executable file. This unbreaks /proc/PID/fd which has not been working since we made the filesystem bigger. This still needs a bunch of work, for instance when renaming or removing a file somewhere, we have to update the relevant custody links.
2019-05-30 16:58:59 +00:00
auto& parent_inode = parent_custody->inode();
Kernel: Turn Thread::current and Process::current into functions This allows us to query the current thread and process on a per processor basis
2020-06-28 21:34:31 +00:00
auto current_process = Process::current();
if (!parent_inode.metadata().may_write(*current_process))
Kernel+LibC: Turn errno codes into a strongly typed enum ..and allow implicit creation of KResult and KResultOr from ErrnoCode. This means that kernel functions that return those types can finally do "return EINVAL;" and it will just work. There's a handful of functions that still deal with signed integers that should be converted to return KResults.
2021-01-20 22:11:17 +00:00
return EACCES;
Add unlink() syscall and /bin/rm. This patch adds most of the plumbing for working file deletion in Ext2FS. Directory entries are removed and inode link counts updated. We don't yet update the inode or block bitmaps, I will do that separately.
2019-01-22 06:03:44 +00:00
FileSystem: Port most of the code over to using custodies. The current working directory is now stored as a custody. Likewise for a process executable file. This unbreaks /proc/PID/fd which has not been working since we made the filesystem bigger. This still needs a bunch of work, for instance when renaming or removing a file somewhere, we have to update the relevant custody links.
2019-05-30 16:58:59 +00:00
if (parent_inode.metadata().is_sticky()) {
Kernel: Turn Thread::current and Process::current into functions This allows us to query the current thread and process on a per processor basis
2020-06-28 21:34:31 +00:00
if (!current_process->is_superuser() && inode.metadata().uid != current_process->euid())
Kernel+LibC: Turn errno codes into a strongly typed enum ..and allow implicit creation of KResult and KResultOr from ErrnoCode. This means that kernel functions that return those types can finally do "return EINVAL;" and it will just work. There's a handful of functions that still deal with signed integers that should be converted to return KResults.
2021-01-20 22:11:17 +00:00
return EACCES;
VFS: Implement sticky bit behavior for rename() and unlink(). Removing entries from a sticky directory is only allowed when you are either the owner of the entry, or the superuser. :^)
2019-04-28 20:54:30 +00:00
}
Kernel: Support read-only filesystem mounts This adds support for MS_RDONLY, a mount flag that tells the kernel to disallow any attempts to write to the newly mounted filesystem. As this flag is per-mount, and different mounts of the same filesystems (such as in case of bind mounts) can have different mutability settings, you have to go though a custody to find out if the filesystem is mounted read-only, instead of just asking the filesystem itself whether it's inherently read-only. This also adds a lot of checks we were previously missing; and moves some of them to happen after more specific checks (such as regular permission checks). One outstanding hole in this system is sys$mprotect(PROT_WRITE), as there's no way we can know if the original file description this region has been mounted from had been opened through a readonly mount point. Currently, we always allow such sys$mprotect() calls to succeed, which effectively allows anyone to circumvent the effect of MS_RDONLY. We should solve this one way or another.
2020-05-28 14:56:25 +00:00
if (parent_custody->is_readonly())
Kernel+LibC: Turn errno codes into a strongly typed enum ..and allow implicit creation of KResult and KResultOr from ErrnoCode. This means that kernel functions that return those types can finally do "return EINVAL;" and it will just work. There's a handful of functions that still deal with signed integers that should be converted to return KResults.
2021-01-20 22:11:17 +00:00
return EROFS;
Kernel: Support read-only filesystem mounts This adds support for MS_RDONLY, a mount flag that tells the kernel to disallow any attempts to write to the newly mounted filesystem. As this flag is per-mount, and different mounts of the same filesystems (such as in case of bind mounts) can have different mutability settings, you have to go though a custody to find out if the filesystem is mounted read-only, instead of just asking the filesystem itself whether it's inherently read-only. This also adds a lot of checks we were previously missing; and moves some of them to happen after more specific checks (such as regular permission checks). One outstanding hole in this system is sys$mprotect(PROT_WRITE), as there's no way we can know if the original file description this region has been mounted from had been opened through a readonly mount point. Currently, we always allow such sys$mprotect() calls to succeed, which effectively allows anyone to circumvent the effect of MS_RDONLY. We should solve this one way or another.
2020-05-28 14:56:25 +00:00
AK: Rename FileSystemPath -> LexicalPath And move canonicalized_path() to a static method on LexicalPath. This is to make it clear that FileSystemPath/canonicalized_path() only perform *lexical* canonicalization.
2020-05-26 11:52:44 +00:00
auto result = parent_inode.remove_child(LexicalPath(path).basename());
FileSystem: Reuse existing custodies when possible, and keep them updated. Walk the custody cache and try to reuse an existing one when possible. The VFS is responsible for updating them when something happens that would cause the described relationship to change. This is definitely not perfect but it does work for the basic scenarios like renaming and removing directory entries.
2019-05-31 13:22:52 +00:00
if (result.is_error())
return result;
return KSuccess;
Add unlink() syscall and /bin/rm. This patch adds most of the plumbing for working file deletion in Ext2FS. Directory entries are removed and inode link counts updated. We don't yet update the inode or block bitmaps, I will do that separately.
2019-01-22 06:03:44 +00:00
}
FileSystem: Port most of the code over to using custodies. The current working directory is now stored as a custody. Likewise for a process executable file. This unbreaks /proc/PID/fd which has not been working since we made the filesystem bigger. This still needs a bunch of work, for instance when renaming or removing a file somewhere, we have to update the relevant custody links.
2019-05-30 16:58:59 +00:00
KResult VFS::symlink(StringView target, StringView linkpath, Custody& base)
Kernel+Userland: Add symlink() syscall and add "-s" flag to /bin/ln. It's now possible to create symbolic links! :^) This exposed an issue in Ext2FS where we'd write uninitialized data past the end of an inode's content. Fix this by zeroing out the tail end of the last block in a file.
2019-03-02 00:50:34 +00:00
{
AK: Rename RetainPtr => RefPtr and Retained => NonnullRefPtr.
2019-06-21 16:37:47 +00:00
RefPtr<Custody> parent_custody;
FileSystem: Rename VFS::resolve_path_to_custody() => resolve_path().
2019-05-31 13:30:09 +00:00
auto existing_custody_or_error = resolve_path(linkpath, base, &parent_custody);
FileSystem: Port most of the code over to using custodies. The current working directory is now stored as a custody. Likewise for a process executable file. This unbreaks /proc/PID/fd which has not been working since we made the filesystem bigger. This still needs a bunch of work, for instance when renaming or removing a file somewhere, we have to update the relevant custody links.
2019-05-30 16:58:59 +00:00
if (!existing_custody_or_error.is_error())
Kernel+LibC: Turn errno codes into a strongly typed enum ..and allow implicit creation of KResult and KResultOr from ErrnoCode. This means that kernel functions that return those types can finally do "return EINVAL;" and it will just work. There's a handful of functions that still deal with signed integers that should be converted to return KResults.
2021-01-20 22:11:17 +00:00
return EEXIST;
FileSystem: Port most of the code over to using custodies. The current working directory is now stored as a custody. Likewise for a process executable file. This unbreaks /proc/PID/fd which has not been working since we made the filesystem bigger. This still needs a bunch of work, for instance when renaming or removing a file somewhere, we have to update the relevant custody links.
2019-05-30 16:58:59 +00:00
if (!parent_custody)
Kernel+LibC: Turn errno codes into a strongly typed enum ..and allow implicit creation of KResult and KResultOr from ErrnoCode. This means that kernel functions that return those types can finally do "return EINVAL;" and it will just work. There's a handful of functions that still deal with signed integers that should be converted to return KResults.
2021-01-20 22:11:17 +00:00
return ENOENT;
FileSystem: Port most of the code over to using custodies. The current working directory is now stored as a custody. Likewise for a process executable file. This unbreaks /proc/PID/fd which has not been working since we made the filesystem bigger. This still needs a bunch of work, for instance when renaming or removing a file somewhere, we have to update the relevant custody links.
2019-05-30 16:58:59 +00:00
if (existing_custody_or_error.error() != -ENOENT)
return existing_custody_or_error.error();
auto& parent_inode = parent_custody->inode();
Kernel: Turn Thread::current and Process::current into functions This allows us to query the current thread and process on a per processor basis
2020-06-28 21:34:31 +00:00
auto current_process = Process::current();
if (!parent_inode.metadata().may_write(*current_process))
Kernel+LibC: Turn errno codes into a strongly typed enum ..and allow implicit creation of KResult and KResultOr from ErrnoCode. This means that kernel functions that return those types can finally do "return EINVAL;" and it will just work. There's a handful of functions that still deal with signed integers that should be converted to return KResults.
2021-01-20 22:11:17 +00:00
return EACCES;
Kernel: Support read-only filesystem mounts This adds support for MS_RDONLY, a mount flag that tells the kernel to disallow any attempts to write to the newly mounted filesystem. As this flag is per-mount, and different mounts of the same filesystems (such as in case of bind mounts) can have different mutability settings, you have to go though a custody to find out if the filesystem is mounted read-only, instead of just asking the filesystem itself whether it's inherently read-only. This also adds a lot of checks we were previously missing; and moves some of them to happen after more specific checks (such as regular permission checks). One outstanding hole in this system is sys$mprotect(PROT_WRITE), as there's no way we can know if the original file description this region has been mounted from had been opened through a readonly mount point. Currently, we always allow such sys$mprotect() calls to succeed, which effectively allows anyone to circumvent the effect of MS_RDONLY. We should solve this one way or another.
2020-05-28 14:56:25 +00:00
if (parent_custody->is_readonly())
Kernel+LibC: Turn errno codes into a strongly typed enum ..and allow implicit creation of KResult and KResultOr from ErrnoCode. This means that kernel functions that return those types can finally do "return EINVAL;" and it will just work. There's a handful of functions that still deal with signed integers that should be converted to return KResults.
2021-01-20 22:11:17 +00:00
return EROFS;
Kernel+Userland: Add symlink() syscall and add "-s" flag to /bin/ln. It's now possible to create symbolic links! :^) This exposed an issue in Ext2FS where we'd write uninitialized data past the end of an inode's content. Fix this by zeroing out the tail end of the last block in a file.
2019-03-02 00:50:34 +00:00
AK: Rename FileSystemPath -> LexicalPath And move canonicalized_path() to a static method on LexicalPath. This is to make it clear that FileSystemPath/canonicalized_path() only perform *lexical* canonicalization.
2020-05-26 11:52:44 +00:00
LexicalPath p(linkpath);
Everywhere: Replace a bundle of dbg with dbgln. These changes are arbitrarily divided into multiple commits to make it easier to find potentially introduced bugs with git bisect.Everything:
2021-01-10 14:17:54 +00:00
dbgln("VFS::symlink: '{}' (-> '{}') in {}", p.basename(), target, parent_inode.identifier());
Kernel: Create new files with the current process EUID/EGID We were using the UID/GID and not the EUID/EGID, which didn't match other systems.
2021-01-21 08:56:18 +00:00
auto inode_or_error = parent_inode.create_child(p.basename(), S_IFLNK | 0644, 0, current_process->euid(), current_process->egid());
Kernel: Simplify FS::create_inode() a little bit Return a KResultOr<NonnullRefPtr<Inode>> instead of returning errors in an out-parameter.
2020-02-08 10:58:28 +00:00
if (inode_or_error.is_error())
return inode_or_error.error();
auto& inode = inode_or_error.value();
Kernel: Make copy_to/from_user safe and remove unnecessary checks Since the CPU already does almost all necessary validation steps for us, we don't really need to attempt to do this. Doing it ourselves doesn't really work very reliably, because we'd have to account for other processors modifying virtual memory, and we'd have to account for e.g. pages not being able to be allocated due to insufficient resources. So change the copy_to/from_user (and associated helper functions) to use the new safe_memcpy, which will return whether it succeeded or not. The only manual validation step needed (which the CPU can't perform for us) is making sure the pointers provided by user mode aren't pointing to kernel mappings. To make it easier to read/write from/to either kernel or user mode data add the UserOrKernelBuffer helper class, which will internally either use copy_from/to_user or directly memcpy, or pass the data through directly using a temporary buffer on the stack. Last but not least we need to keep syscall params trivial as we need to copy them from/to user mode using copy_from/to_user.
2020-09-12 03:11:07 +00:00
auto target_buffer = UserOrKernelBuffer::for_kernel_buffer(const_cast<u8*>((const u8*)target.characters_without_null_termination()));
ssize_t nwritten = inode->write_bytes(0, target.length(), target_buffer, nullptr);
Kernel+Userland: Add symlink() syscall and add "-s" flag to /bin/ln. It's now possible to create symbolic links! :^) This exposed an issue in Ext2FS where we'd write uninitialized data past the end of an inode's content. Fix this by zeroing out the tail end of the last block in a file.
2019-03-02 00:50:34 +00:00
if (nwritten < 0)
Kernel+LibC: Turn errno codes into a strongly typed enum ..and allow implicit creation of KResult and KResultOr from ErrnoCode. This means that kernel functions that return those types can finally do "return EINVAL;" and it will just work. There's a handful of functions that still deal with signed integers that should be converted to return KResults.
2021-01-20 22:11:17 +00:00
return KResult((ErrnoCode)-nwritten);
Kernel+Userland: Add symlink() syscall and add "-s" flag to /bin/ln. It's now possible to create symbolic links! :^) This exposed an issue in Ext2FS where we'd write uninitialized data past the end of an inode's content. Fix this by zeroing out the tail end of the last block in a file.
2019-03-02 00:50:34 +00:00
return KSuccess;
}
FileSystem: Port most of the code over to using custodies. The current working directory is now stored as a custody. Likewise for a process executable file. This unbreaks /proc/PID/fd which has not been working since we made the filesystem bigger. This still needs a bunch of work, for instance when renaming or removing a file somewhere, we have to update the relevant custody links.
2019-05-30 16:58:59 +00:00
KResult VFS::rmdir(StringView path, Custody& base)
Add support for removing directories. It's really only supported in Ext2FS since SynthFS doesn't really want you mucking around with its files. This is pretty neat though :^) I ran into some trouble with HashMap while working on this but opted to work around it and leave that for a separate investigation.
2019-01-28 03:16:01 +00:00
{
AK: Rename RetainPtr => RefPtr and Retained => NonnullRefPtr.
2019-06-21 16:37:47 +00:00
RefPtr<Custody> parent_custody;
FileSystem: Rename VFS::resolve_path_to_custody() => resolve_path().
2019-05-31 13:30:09 +00:00
auto custody_or_error = resolve_path(path, base, &parent_custody);
FileSystem: Port most of the code over to using custodies. The current working directory is now stored as a custody. Likewise for a process executable file. This unbreaks /proc/PID/fd which has not been working since we made the filesystem bigger. This still needs a bunch of work, for instance when renaming or removing a file somewhere, we have to update the relevant custody links.
2019-05-30 16:58:59 +00:00
if (custody_or_error.is_error())
return KResult(custody_or_error.error());
Add support for removing directories. It's really only supported in Ext2FS since SynthFS doesn't really want you mucking around with its files. This is pretty neat though :^) I ran into some trouble with HashMap while working on this but opted to work around it and leave that for a separate investigation.
2019-01-28 03:16:01 +00:00
FileSystem: Port most of the code over to using custodies. The current working directory is now stored as a custody. Likewise for a process executable file. This unbreaks /proc/PID/fd which has not been working since we made the filesystem bigger. This still needs a bunch of work, for instance when renaming or removing a file somewhere, we have to update the relevant custody links.
2019-05-30 16:58:59 +00:00
auto& custody = *custody_or_error.value();
auto& inode = custody.inode();
Add support for removing directories. It's really only supported in Ext2FS since SynthFS doesn't really want you mucking around with its files. This is pretty neat though :^) I ran into some trouble with HashMap while working on this but opted to work around it and leave that for a separate investigation.
2019-01-28 03:16:01 +00:00
// FIXME: We should return EINVAL if the last component of the path is "."
// FIXME: We should return ENOTEMPTY if the last component of the path is ".."
FileSystem: Port most of the code over to using custodies. The current working directory is now stored as a custody. Likewise for a process executable file. This unbreaks /proc/PID/fd which has not been working since we made the filesystem bigger. This still needs a bunch of work, for instance when renaming or removing a file somewhere, we have to update the relevant custody links.
2019-05-30 16:58:59 +00:00
if (!inode.is_directory())
Kernel+LibC: Turn errno codes into a strongly typed enum ..and allow implicit creation of KResult and KResultOr from ErrnoCode. This means that kernel functions that return those types can finally do "return EINVAL;" and it will just work. There's a handful of functions that still deal with signed integers that should be converted to return KResults.
2021-01-20 22:11:17 +00:00
return ENOTDIR;
Kernel: Start adding various file system permission checks. Fail with EACCES in various situations. Fix userland bugs that were exposed.
2019-02-21 14:45:31 +00:00
Kernel: rmdir("/") should fail instead of asserting We can't assume there's always a parent custody -- when we open "/" there isn't gonna be one! Fixes #1858.
2020-04-19 16:07:16 +00:00
if (!parent_custody)
Kernel+LibC: Turn errno codes into a strongly typed enum ..and allow implicit creation of KResult and KResultOr from ErrnoCode. This means that kernel functions that return those types can finally do "return EINVAL;" and it will just work. There's a handful of functions that still deal with signed integers that should be converted to return KResults.
2021-01-20 22:11:17 +00:00
return EBUSY;
Kernel: rmdir("/") should fail instead of asserting We can't assume there's always a parent custody -- when we open "/" there isn't gonna be one! Fixes #1858.
2020-04-19 16:07:16 +00:00
FileSystem: Port most of the code over to using custodies. The current working directory is now stored as a custody. Likewise for a process executable file. This unbreaks /proc/PID/fd which has not been working since we made the filesystem bigger. This still needs a bunch of work, for instance when renaming or removing a file somewhere, we have to update the relevant custody links.
2019-05-30 16:58:59 +00:00
auto& parent_inode = parent_custody->inode();
Kernel: Don't allow non-root, non-owners to rmdir any child of sticky We were not handling sticky parents properly in sys$rmdir(). Child directories of a sticky parent should not be rmdir'able by just anyone. Only the owner and root. Fixes #4875.
2021-01-10 09:12:15 +00:00
auto parent_metadata = parent_inode.metadata();
FileSystem: Port most of the code over to using custodies. The current working directory is now stored as a custody. Likewise for a process executable file. This unbreaks /proc/PID/fd which has not been working since we made the filesystem bigger. This still needs a bunch of work, for instance when renaming or removing a file somewhere, we have to update the relevant custody links.
2019-05-30 16:58:59 +00:00
Kernel: Don't allow non-root, non-owners to rmdir any child of sticky We were not handling sticky parents properly in sys$rmdir(). Child directories of a sticky parent should not be rmdir'able by just anyone. Only the owner and root. Fixes #4875.
2021-01-10 09:12:15 +00:00
if (!parent_metadata.may_write(*Process::current()))
Kernel+LibC: Turn errno codes into a strongly typed enum ..and allow implicit creation of KResult and KResultOr from ErrnoCode. This means that kernel functions that return those types can finally do "return EINVAL;" and it will just work. There's a handful of functions that still deal with signed integers that should be converted to return KResults.
2021-01-20 22:11:17 +00:00
return EACCES;
Add support for removing directories. It's really only supported in Ext2FS since SynthFS doesn't really want you mucking around with its files. This is pretty neat though :^) I ran into some trouble with HashMap while working on this but opted to work around it and leave that for a separate investigation.
2019-01-28 03:16:01 +00:00
Kernel: Don't allow non-root, non-owners to rmdir any child of sticky We were not handling sticky parents properly in sys$rmdir(). Child directories of a sticky parent should not be rmdir'able by just anyone. Only the owner and root. Fixes #4875.
2021-01-10 09:12:15 +00:00
if (parent_metadata.is_sticky()) {
if (!Process::current()->is_superuser() && inode.metadata().uid != Process::current()->euid())
Kernel+LibC: Turn errno codes into a strongly typed enum ..and allow implicit creation of KResult and KResultOr from ErrnoCode. This means that kernel functions that return those types can finally do "return EINVAL;" and it will just work. There's a handful of functions that still deal with signed integers that should be converted to return KResults.
2021-01-20 22:11:17 +00:00
return EACCES;
Kernel: Don't allow non-root, non-owners to rmdir any child of sticky We were not handling sticky parents properly in sys$rmdir(). Child directories of a sticky parent should not be rmdir'able by just anyone. Only the owner and root. Fixes #4875.
2021-01-10 09:12:15 +00:00
}
Kernel: Make Inode::directory_entry_count errors observable. Certain implementations of Inode::directory_entry_count were calling functions which returned errors, but had no way of surfacing them. Switch the return type to KResultOr<size_t> and start observing these error paths.
2020-08-05 08:00:18 +00:00
KResultOr<size_t> dir_count_result = inode.directory_entry_count();
if (dir_count_result.is_error())
return dir_count_result.result();
if (dir_count_result.value() != 2)
Kernel+LibC: Turn errno codes into a strongly typed enum ..and allow implicit creation of KResult and KResultOr from ErrnoCode. This means that kernel functions that return those types can finally do "return EINVAL;" and it will just work. There's a handful of functions that still deal with signed integers that should be converted to return KResults.
2021-01-20 22:11:17 +00:00
return ENOTEMPTY;
Add support for removing directories. It's really only supported in Ext2FS since SynthFS doesn't really want you mucking around with its files. This is pretty neat though :^) I ran into some trouble with HashMap while working on this but opted to work around it and leave that for a separate investigation.
2019-01-28 03:16:01 +00:00
Kernel: Support read-only filesystem mounts This adds support for MS_RDONLY, a mount flag that tells the kernel to disallow any attempts to write to the newly mounted filesystem. As this flag is per-mount, and different mounts of the same filesystems (such as in case of bind mounts) can have different mutability settings, you have to go though a custody to find out if the filesystem is mounted read-only, instead of just asking the filesystem itself whether it's inherently read-only. This also adds a lot of checks we were previously missing; and moves some of them to happen after more specific checks (such as regular permission checks). One outstanding hole in this system is sys$mprotect(PROT_WRITE), as there's no way we can know if the original file description this region has been mounted from had been opened through a readonly mount point. Currently, we always allow such sys$mprotect() calls to succeed, which effectively allows anyone to circumvent the effect of MS_RDONLY. We should solve this one way or another.
2020-05-28 14:56:25 +00:00
if (custody.is_readonly())
Kernel+LibC: Turn errno codes into a strongly typed enum ..and allow implicit creation of KResult and KResultOr from ErrnoCode. This means that kernel functions that return those types can finally do "return EINVAL;" and it will just work. There's a handful of functions that still deal with signed integers that should be converted to return KResults.
2021-01-20 22:11:17 +00:00
return EROFS;
Kernel: Support read-only filesystem mounts This adds support for MS_RDONLY, a mount flag that tells the kernel to disallow any attempts to write to the newly mounted filesystem. As this flag is per-mount, and different mounts of the same filesystems (such as in case of bind mounts) can have different mutability settings, you have to go though a custody to find out if the filesystem is mounted read-only, instead of just asking the filesystem itself whether it's inherently read-only. This also adds a lot of checks we were previously missing; and moves some of them to happen after more specific checks (such as regular permission checks). One outstanding hole in this system is sys$mprotect(PROT_WRITE), as there's no way we can know if the original file description this region has been mounted from had been opened through a readonly mount point. Currently, we always allow such sys$mprotect() calls to succeed, which effectively allows anyone to circumvent the effect of MS_RDONLY. We should solve this one way or another.
2020-05-28 14:56:25 +00:00
FileSystem: Port most of the code over to using custodies. The current working directory is now stored as a custody. Likewise for a process executable file. This unbreaks /proc/PID/fd which has not been working since we made the filesystem bigger. This still needs a bunch of work, for instance when renaming or removing a file somewhere, we have to update the relevant custody links.
2019-05-30 16:58:59 +00:00
auto result = inode.remove_child(".");
Kernel: Use KResult in unlink() and rmdir().
2019-02-27 13:11:25 +00:00
if (result.is_error())
return result;
Add support for removing directories. It's really only supported in Ext2FS since SynthFS doesn't really want you mucking around with its files. This is pretty neat though :^) I ran into some trouble with HashMap while working on this but opted to work around it and leave that for a separate investigation.
2019-01-28 03:16:01 +00:00
FileSystem: Port most of the code over to using custodies. The current working directory is now stored as a custody. Likewise for a process executable file. This unbreaks /proc/PID/fd which has not been working since we made the filesystem bigger. This still needs a bunch of work, for instance when renaming or removing a file somewhere, we have to update the relevant custody links.
2019-05-30 16:58:59 +00:00
result = inode.remove_child("..");
Kernel: Use KResult in unlink() and rmdir().
2019-02-27 13:11:25 +00:00
if (result.is_error())
return result;
Add support for removing directories. It's really only supported in Ext2FS since SynthFS doesn't really want you mucking around with its files. This is pretty neat though :^) I ran into some trouble with HashMap while working on this but opted to work around it and leave that for a separate investigation.
2019-01-28 03:16:01 +00:00
AK: Rename FileSystemPath -> LexicalPath And move canonicalized_path() to a static method on LexicalPath. This is to make it clear that FileSystemPath/canonicalized_path() only perform *lexical* canonicalization.
2020-05-26 11:52:44 +00:00
return parent_inode.remove_child(LexicalPath(path).basename());
Add support for removing directories. It's really only supported in Ext2FS since SynthFS doesn't really want you mucking around with its files. This is pretty neat though :^) I ran into some trouble with HashMap while working on this but opted to work around it and leave that for a separate investigation.
2019-01-28 03:16:01 +00:00
}
Kernel+LibC: Add support for mount flags At the moment, the actual flags are ignored, but we correctly propagate them all the way from the original mount() syscall to each custody that resides on the mounted FS.
2020-01-11 15:25:26 +00:00
VFS::Mount::Mount(FS& guest_fs, Custody* host_custody, int flags)
Kernel: Port mounts to reference inodes directly ...instead of going through their identifiers. See the previous commit for reasoning.
2020-06-24 21:16:24 +00:00
: m_guest(guest_fs.root_inode())
Kernel: Simplify VFS::Mount handling No need to pass around RefPtr<>s and NonnullRefPtr<>s and no need to heap-allocate them. Also remove VFS::mount(NonnullRefPtr<FS>&&, StringView path) - it has been unused for a long time.
2020-01-11 15:05:24 +00:00
, m_guest_fs(guest_fs)
, m_host_custody(host_custody)
Kernel+LibC: Add support for mount flags At the moment, the actual flags are ignored, but we correctly propagate them all the way from the original mount() syscall to each custody that resides on the mounted FS.
2020-01-11 15:25:26 +00:00
, m_flags(flags)
FileSystem: Get rid of VFS::absolute_path() and teach Mount about custodies.
2019-05-30 19:29:26 +00:00
{
}
Kernel: Properly propagate bind mount flags Previously, when performing a bind mount flags other than MS_BIND were ignored. Now, they're properly propagated the same way a for any other mount.
2020-01-12 16:22:24 +00:00
VFS::Mount::Mount(Inode& source, Custody& host_custody, int flags)
Kernel: Port mounts to reference inodes directly ...instead of going through their identifiers. See the previous commit for reasoning.
2020-06-24 21:16:24 +00:00
: m_guest(source)
Kernel: Implement bind mounts You can now bind-mount files and directories. This essentially exposes an existing part of the file system in another place, and can be used as an alternative to symlinks or hardlinks. Here's an example of doing this: # mkdir /tmp/foo # mount /home/anon/myfile.txt /tmp/foo -o bind # cat /tmp/foo This is anon's file.
2020-01-11 16:08:35 +00:00
, m_guest_fs(source.fs())
, m_host_custody(host_custody)
Kernel: Properly propagate bind mount flags Previously, when performing a bind mount flags other than MS_BIND were ignored. Now, they're properly propagated the same way a for any other mount.
2020-01-12 16:22:24 +00:00
, m_flags(flags)
Kernel: Implement bind mounts You can now bind-mount files and directories. This essentially exposes an existing part of the file system in another place, and can be used as an alternative to symlinks or hardlinks. Here's an example of doing this: # mkdir /tmp/foo # mount /home/anon/myfile.txt /tmp/foo -o bind # cat /tmp/foo This is anon's file.
2020-01-11 16:08:35 +00:00
{
}
FileSystem: Get rid of VFS::absolute_path() and teach Mount about custodies.
2019-05-30 19:29:26 +00:00
String VFS::Mount::absolute_path() const
{
if (!m_host_custody)
return "/";
return m_host_custody->absolute_path();
}
Kernel: Port mounts to reference inodes directly ...instead of going through their identifiers. See the previous commit for reasoning.
2020-06-24 21:16:24 +00:00
Inode* VFS::Mount::host()
Import all this stuff into a single repo called Serenity.
2018-10-10 09:53:07 +00:00
{
FileSystem: Get rid of VFS::absolute_path() and teach Mount about custodies.
2019-05-30 19:29:26 +00:00
if (!m_host_custody)
Kernel: Port mounts to reference inodes directly ...instead of going through their identifiers. See the previous commit for reasoning.
2020-06-24 21:16:24 +00:00
return nullptr;
return &m_host_custody->inode();
}
const Inode* VFS::Mount::host() const
{
if (!m_host_custody)
return nullptr;
return &m_host_custody->inode();
Import all this stuff into a single repo called Serenity.
2018-10-10 09:53:07 +00:00
}
A pass of style/naming cleanup in VFS.
2018-11-15 14:10:12 +00:00
void VFS::for_each_mount(Function<void(const Mount&)> callback) const
Add a simple /proc/mounts that enumerates the current VFS mounts.
2018-10-26 16:43:25 +00:00
{
for (auto& mount : m_mounts) {
Kernel: Convert Vector<OwnPtr> to NonnullOwnPtrVector.
2019-07-24 07:15:33 +00:00
callback(mount);
Add a simple /proc/mounts that enumerates the current VFS mounts.
2018-10-26 16:43:25 +00:00
}
}
Add sync() syscall and a /bin/sync. It walks all the live Inode objects and flushes pending metadata changes wherever needed. This could be optimized by keeping a separate list of dirty Inodes, but let's not get ahead of ourselves.
2018-12-19 23:39:29 +00:00
void VFS::sync()
{
FS::sync();
}
FileSystem: Add a Custody class that represents a parent/child guardianship. A custody is kind of a directory entry abstraction that represents a single entry in a parent directory that tells us the name of a child inode. The idea here is for path resolution to produce a chain of custody objects.
2019-05-30 15:46:08 +00:00
Custody& VFS::root_custody()
{
if (!m_root_custody)
Kernel+Base: Mount root filesystem read-only :^) We remount /home and /root as read-write, to keep the ability to modify files there. /tmp remains read-write, as it is mounted from a TmpFS.
2020-05-28 15:06:13 +00:00
m_root_custody = Custody::create(nullptr, "", *m_root_inode, root_mount_flags);
FileSystem: Add a Custody class that represents a parent/child guardianship. A custody is kind of a directory entry abstraction that represents a single entry in a parent directory that tells us the name of a child inode. The idea here is for path resolution to produce a chain of custody objects.
2019-05-30 15:46:08 +00:00
return *m_root_custody;
}
Kernel: Implement unveil() as a prefix-tree Fixes #4530.
2020-12-26 10:24:34 +00:00
const UnveilNode* VFS::find_matching_unveiled_path(StringView path)
{
auto& unveil_root = Process::current()->unveiled_paths();
if (unveil_root.is_empty())
return nullptr;
LexicalPath lexical_path { path };
auto& path_parts = lexical_path.parts();
auto& last_matching_node = unveil_root.traverse_until_last_accessible_node(path_parts.begin(), path_parts.end());
return &last_matching_node;
Kernel: Add a basic implementation of unveil() This syscall is a complement to pledge() and adds the same sort of incremental relinquishing of capabilities for filesystem access. The first call to unveil() will "drop a veil" on the process, and from now on, only unveiled parts of the filesystem are visible to it. Each call to unveil() specifies a path to either a directory or a file along with permissions for that path. The permissions are a combination of the following: - r: Read access (like the "rpath" promise) - w: Write access (like the "wpath" promise) - x: Execute access - c: Create/remove access (like the "cpath" promise) Attempts to open a path that has not been unveiled with fail with ENOENT. If the unveiled path lacks sufficient permissions, it will fail with EACCES. Like pledge(), subsequent calls to unveil() with the same path can only remove permissions, not add them. Once you call unveil(nullptr, nullptr), the veil is locked, and it's no longer possible to unveil any more paths for the process, ever. This concept comes from OpenBSD, and their implementation does various things differently, I'm sure. This is just a first implementation for SerenityOS, and we'll keep improving on it as we go. :^)
2020-01-20 21:12:04 +00:00
}
KResult VFS::validate_path_against_process_veil(StringView path, int options)
{
Kernel: Turn Thread::current and Process::current into functions This allows us to query the current thread and process on a per processor basis
2020-06-28 21:34:31 +00:00
if (Process::current()->veil_state() == VeilState::None)
Kernel: Add a basic implementation of unveil() This syscall is a complement to pledge() and adds the same sort of incremental relinquishing of capabilities for filesystem access. The first call to unveil() will "drop a veil" on the process, and from now on, only unveiled parts of the filesystem are visible to it. Each call to unveil() specifies a path to either a directory or a file along with permissions for that path. The permissions are a combination of the following: - r: Read access (like the "rpath" promise) - w: Write access (like the "wpath" promise) - x: Execute access - c: Create/remove access (like the "cpath" promise) Attempts to open a path that has not been unveiled with fail with ENOENT. If the unveiled path lacks sufficient permissions, it will fail with EACCES. Like pledge(), subsequent calls to unveil() with the same path can only remove permissions, not add them. Once you call unveil(nullptr, nullptr), the veil is locked, and it's no longer possible to unveil any more paths for the process, ever. This concept comes from OpenBSD, and their implementation does various things differently, I'm sure. This is just a first implementation for SerenityOS, and we'll keep improving on it as we go. :^)
2020-01-20 21:12:04 +00:00
return KSuccess;
Loader: Stabilize loader & Use shared libraries everywhere :^) The dynamic loader is now stable enough to be used everywhere in the system - so this commit does just that. No More .a Files, Long Live .so's!
2020-10-17 11:39:36 +00:00
if (path == "/usr/lib/Loader.so")
return KSuccess;
Kernel: Add a basic implementation of unveil() This syscall is a complement to pledge() and adds the same sort of incremental relinquishing of capabilities for filesystem access. The first call to unveil() will "drop a veil" on the process, and from now on, only unveiled parts of the filesystem are visible to it. Each call to unveil() specifies a path to either a directory or a file along with permissions for that path. The permissions are a combination of the following: - r: Read access (like the "rpath" promise) - w: Write access (like the "wpath" promise) - x: Execute access - c: Create/remove access (like the "cpath" promise) Attempts to open a path that has not been unveiled with fail with ENOENT. If the unveiled path lacks sufficient permissions, it will fail with EACCES. Like pledge(), subsequent calls to unveil() with the same path can only remove permissions, not add them. Once you call unveil(nullptr, nullptr), the veil is locked, and it's no longer possible to unveil any more paths for the process, ever. This concept comes from OpenBSD, and their implementation does various things differently, I'm sure. This is just a first implementation for SerenityOS, and we'll keep improving on it as we go. :^)
2020-01-20 21:12:04 +00:00
// FIXME: Figure out a nicer way to do this.
if (String(path).contains("/.."))
Kernel+LibC: Turn errno codes into a strongly typed enum ..and allow implicit creation of KResult and KResultOr from ErrnoCode. This means that kernel functions that return those types can finally do "return EINVAL;" and it will just work. There's a handful of functions that still deal with signed integers that should be converted to return KResults.
2021-01-20 22:11:17 +00:00
return EINVAL;
Kernel: Add a basic implementation of unveil() This syscall is a complement to pledge() and adds the same sort of incremental relinquishing of capabilities for filesystem access. The first call to unveil() will "drop a veil" on the process, and from now on, only unveiled parts of the filesystem are visible to it. Each call to unveil() specifies a path to either a directory or a file along with permissions for that path. The permissions are a combination of the following: - r: Read access (like the "rpath" promise) - w: Write access (like the "wpath" promise) - x: Execute access - c: Create/remove access (like the "cpath" promise) Attempts to open a path that has not been unveiled with fail with ENOENT. If the unveiled path lacks sufficient permissions, it will fail with EACCES. Like pledge(), subsequent calls to unveil() with the same path can only remove permissions, not add them. Once you call unveil(nullptr, nullptr), the veil is locked, and it's no longer possible to unveil any more paths for the process, ever. This concept comes from OpenBSD, and their implementation does various things differently, I'm sure. This is just a first implementation for SerenityOS, and we'll keep improving on it as we go. :^)
2020-01-20 21:12:04 +00:00
auto* unveiled_path = find_matching_unveiled_path(path);
if (!unveiled_path) {
Everywhere: Replace a bundle of dbg with dbgln. These changes are arbitrarily divided into multiple commits to make it easier to find potentially introduced bugs with git bisect.Everything:
2021-01-10 14:17:54 +00:00
dbgln("Rejecting path '{}' since it hasn't been unveiled.", path);
Kernel: Dump backtrace when denying a path because of a veil This will make it much easier to see why a process wants to open the file.
2020-01-30 11:05:36 +00:00
dump_backtrace();
Kernel+LibC: Turn errno codes into a strongly typed enum ..and allow implicit creation of KResult and KResultOr from ErrnoCode. This means that kernel functions that return those types can finally do "return EINVAL;" and it will just work. There's a handful of functions that still deal with signed integers that should be converted to return KResults.
2021-01-20 22:11:17 +00:00
return ENOENT;
Kernel: Add a basic implementation of unveil() This syscall is a complement to pledge() and adds the same sort of incremental relinquishing of capabilities for filesystem access. The first call to unveil() will "drop a veil" on the process, and from now on, only unveiled parts of the filesystem are visible to it. Each call to unveil() specifies a path to either a directory or a file along with permissions for that path. The permissions are a combination of the following: - r: Read access (like the "rpath" promise) - w: Write access (like the "wpath" promise) - x: Execute access - c: Create/remove access (like the "cpath" promise) Attempts to open a path that has not been unveiled with fail with ENOENT. If the unveiled path lacks sufficient permissions, it will fail with EACCES. Like pledge(), subsequent calls to unveil() with the same path can only remove permissions, not add them. Once you call unveil(nullptr, nullptr), the veil is locked, and it's no longer possible to unveil any more paths for the process, ever. This concept comes from OpenBSD, and their implementation does various things differently, I'm sure. This is just a first implementation for SerenityOS, and we'll keep improving on it as we go. :^)
2020-01-20 21:12:04 +00:00
}
if (options & O_CREAT) {
Kernel: Implement unveil() as a prefix-tree Fixes #4530.
2020-12-26 10:24:34 +00:00
if (!(unveiled_path->permissions() & UnveilAccess::CreateOrRemove)) {
Everywhere: Replace a bundle of dbg with dbgln. These changes are arbitrarily divided into multiple commits to make it easier to find potentially introduced bugs with git bisect.Everything:
2021-01-10 14:17:54 +00:00
dbgln("Rejecting path '{}' since it hasn't been unveiled with 'c' permission.", path);
Kernel: Dump backtrace when denying a path because of a veil This will make it much easier to see why a process wants to open the file.
2020-01-30 11:05:36 +00:00
dump_backtrace();
Kernel+LibC: Turn errno codes into a strongly typed enum ..and allow implicit creation of KResult and KResultOr from ErrnoCode. This means that kernel functions that return those types can finally do "return EINVAL;" and it will just work. There's a handful of functions that still deal with signed integers that should be converted to return KResults.
2021-01-20 22:11:17 +00:00
return EACCES;
Kernel: Add a basic implementation of unveil() This syscall is a complement to pledge() and adds the same sort of incremental relinquishing of capabilities for filesystem access. The first call to unveil() will "drop a veil" on the process, and from now on, only unveiled parts of the filesystem are visible to it. Each call to unveil() specifies a path to either a directory or a file along with permissions for that path. The permissions are a combination of the following: - r: Read access (like the "rpath" promise) - w: Write access (like the "wpath" promise) - x: Execute access - c: Create/remove access (like the "cpath" promise) Attempts to open a path that has not been unveiled with fail with ENOENT. If the unveiled path lacks sufficient permissions, it will fail with EACCES. Like pledge(), subsequent calls to unveil() with the same path can only remove permissions, not add them. Once you call unveil(nullptr, nullptr), the veil is locked, and it's no longer possible to unveil any more paths for the process, ever. This concept comes from OpenBSD, and their implementation does various things differently, I'm sure. This is just a first implementation for SerenityOS, and we'll keep improving on it as we go. :^)
2020-01-20 21:12:04 +00:00
}
}
if (options & O_UNLINK_INTERNAL) {
Kernel: Implement unveil() as a prefix-tree Fixes #4530.
2020-12-26 10:24:34 +00:00
if (!(unveiled_path->permissions() & UnveilAccess::CreateOrRemove)) {
Everywhere: Replace a bundle of dbg with dbgln. These changes are arbitrarily divided into multiple commits to make it easier to find potentially introduced bugs with git bisect.Everything:
2021-01-10 14:17:54 +00:00
dbgln("Rejecting path '{}' for unlink since it hasn't been unveiled with 'c' permission.", path);
Kernel: Dump backtrace when denying a path because of a veil This will make it much easier to see why a process wants to open the file.
2020-01-30 11:05:36 +00:00
dump_backtrace();
Kernel+LibC: Turn errno codes into a strongly typed enum ..and allow implicit creation of KResult and KResultOr from ErrnoCode. This means that kernel functions that return those types can finally do "return EINVAL;" and it will just work. There's a handful of functions that still deal with signed integers that should be converted to return KResults.
2021-01-20 22:11:17 +00:00
return EACCES;
Kernel: Add a basic implementation of unveil() This syscall is a complement to pledge() and adds the same sort of incremental relinquishing of capabilities for filesystem access. The first call to unveil() will "drop a veil" on the process, and from now on, only unveiled parts of the filesystem are visible to it. Each call to unveil() specifies a path to either a directory or a file along with permissions for that path. The permissions are a combination of the following: - r: Read access (like the "rpath" promise) - w: Write access (like the "wpath" promise) - x: Execute access - c: Create/remove access (like the "cpath" promise) Attempts to open a path that has not been unveiled with fail with ENOENT. If the unveiled path lacks sufficient permissions, it will fail with EACCES. Like pledge(), subsequent calls to unveil() with the same path can only remove permissions, not add them. Once you call unveil(nullptr, nullptr), the veil is locked, and it's no longer possible to unveil any more paths for the process, ever. This concept comes from OpenBSD, and their implementation does various things differently, I'm sure. This is just a first implementation for SerenityOS, and we'll keep improving on it as we go. :^)
2020-01-20 21:12:04 +00:00
}
return KSuccess;
}
Kernel: Make O_RDONLY non-zero Sergey suggested that having a non-zero O_RDONLY would make some things less confusing, and it seems like he's right about that. We can now easily check read/write permissions separately instead of dancing around with the bits. This patch also fixes unveil() validation for O_RDWR which previously forgot to check for "r" permission.
2020-01-21 12:14:26 +00:00
if (options & O_RDONLY) {
Kernel: Add unveil('b') This is a new "browse" permission that lets you open (and subsequently list contents of) directories underneath the path, but not regular files or any other types of files.
2020-11-21 19:55:20 +00:00
if (options & O_DIRECTORY) {
Kernel: Implement unveil() as a prefix-tree Fixes #4530.
2020-12-26 10:24:34 +00:00
if (!(unveiled_path->permissions() & (UnveilAccess::Read | UnveilAccess::Browse))) {
Everywhere: Replace a bundle of dbg with dbgln. These changes are arbitrarily divided into multiple commits to make it easier to find potentially introduced bugs with git bisect.Everything:
2021-01-10 14:17:54 +00:00
dbgln("Rejecting path '{}' since it hasn't been unveiled with 'r' or 'b' permissions.", path);
Kernel: Add unveil('b') This is a new "browse" permission that lets you open (and subsequently list contents of) directories underneath the path, but not regular files or any other types of files.
2020-11-21 19:55:20 +00:00
dump_backtrace();
Kernel+LibC: Turn errno codes into a strongly typed enum ..and allow implicit creation of KResult and KResultOr from ErrnoCode. This means that kernel functions that return those types can finally do "return EINVAL;" and it will just work. There's a handful of functions that still deal with signed integers that should be converted to return KResults.
2021-01-20 22:11:17 +00:00
return EACCES;
Kernel: Add unveil('b') This is a new "browse" permission that lets you open (and subsequently list contents of) directories underneath the path, but not regular files or any other types of files.
2020-11-21 19:55:20 +00:00
}
} else {
Kernel: Implement unveil() as a prefix-tree Fixes #4530.
2020-12-26 10:24:34 +00:00
if (!(unveiled_path->permissions() & UnveilAccess::Read)) {
Everywhere: Replace a bundle of dbg with dbgln. These changes are arbitrarily divided into multiple commits to make it easier to find potentially introduced bugs with git bisect.Everything:
2021-01-10 14:17:54 +00:00
dbgln("Rejecting path '{}' since it hasn't been unveiled with 'r' permission.", path);
Kernel: Add unveil('b') This is a new "browse" permission that lets you open (and subsequently list contents of) directories underneath the path, but not regular files or any other types of files.
2020-11-21 19:55:20 +00:00
dump_backtrace();
Kernel+LibC: Turn errno codes into a strongly typed enum ..and allow implicit creation of KResult and KResultOr from ErrnoCode. This means that kernel functions that return those types can finally do "return EINVAL;" and it will just work. There's a handful of functions that still deal with signed integers that should be converted to return KResults.
2021-01-20 22:11:17 +00:00
return EACCES;
Kernel: Add unveil('b') This is a new "browse" permission that lets you open (and subsequently list contents of) directories underneath the path, but not regular files or any other types of files.
2020-11-21 19:55:20 +00:00
}
Kernel: Make O_RDONLY non-zero Sergey suggested that having a non-zero O_RDONLY would make some things less confusing, and it seems like he's right about that. We can now easily check read/write permissions separately instead of dancing around with the bits. This patch also fixes unveil() validation for O_RDWR which previously forgot to check for "r" permission.
2020-01-21 12:14:26 +00:00
}
}
if (options & O_WRONLY) {
Kernel: Implement unveil() as a prefix-tree Fixes #4530.
2020-12-26 10:24:34 +00:00
if (!(unveiled_path->permissions() & UnveilAccess::Write)) {
Everywhere: Replace a bundle of dbg with dbgln. These changes are arbitrarily divided into multiple commits to make it easier to find potentially introduced bugs with git bisect.Everything:
2021-01-10 14:17:54 +00:00
dbgln("Rejecting path '{}' since it hasn't been unveiled with 'w' permission.", path);
Kernel: Dump backtrace when denying a path because of a veil This will make it much easier to see why a process wants to open the file.
2020-01-30 11:05:36 +00:00
dump_backtrace();
Kernel+LibC: Turn errno codes into a strongly typed enum ..and allow implicit creation of KResult and KResultOr from ErrnoCode. This means that kernel functions that return those types can finally do "return EINVAL;" and it will just work. There's a handful of functions that still deal with signed integers that should be converted to return KResults.
2021-01-20 22:11:17 +00:00
return EACCES;
Kernel: Add a basic implementation of unveil() This syscall is a complement to pledge() and adds the same sort of incremental relinquishing of capabilities for filesystem access. The first call to unveil() will "drop a veil" on the process, and from now on, only unveiled parts of the filesystem are visible to it. Each call to unveil() specifies a path to either a directory or a file along with permissions for that path. The permissions are a combination of the following: - r: Read access (like the "rpath" promise) - w: Write access (like the "wpath" promise) - x: Execute access - c: Create/remove access (like the "cpath" promise) Attempts to open a path that has not been unveiled with fail with ENOENT. If the unveiled path lacks sufficient permissions, it will fail with EACCES. Like pledge(), subsequent calls to unveil() with the same path can only remove permissions, not add them. Once you call unveil(nullptr, nullptr), the veil is locked, and it's no longer possible to unveil any more paths for the process, ever. This concept comes from OpenBSD, and their implementation does various things differently, I'm sure. This is just a first implementation for SerenityOS, and we'll keep improving on it as we go. :^)
2020-01-20 21:12:04 +00:00
}
Kernel: Make O_RDONLY non-zero Sergey suggested that having a non-zero O_RDONLY would make some things less confusing, and it seems like he's right about that. We can now easily check read/write permissions separately instead of dancing around with the bits. This patch also fixes unveil() validation for O_RDWR which previously forgot to check for "r" permission.
2020-01-21 12:14:26 +00:00
}
if (options & O_EXEC) {
Kernel: Implement unveil() as a prefix-tree Fixes #4530.
2020-12-26 10:24:34 +00:00
if (!(unveiled_path->permissions() & UnveilAccess::Execute)) {
Everywhere: Replace a bundle of dbg with dbgln. These changes are arbitrarily divided into multiple commits to make it easier to find potentially introduced bugs with git bisect.Everything:
2021-01-10 14:17:54 +00:00
dbgln("Rejecting path '{}' since it hasn't been unveiled with 'x' permission.", path);
Kernel: Dump backtrace when denying a path because of a veil This will make it much easier to see why a process wants to open the file.
2020-01-30 11:05:36 +00:00
dump_backtrace();
Kernel+LibC: Turn errno codes into a strongly typed enum ..and allow implicit creation of KResult and KResultOr from ErrnoCode. This means that kernel functions that return those types can finally do "return EINVAL;" and it will just work. There's a handful of functions that still deal with signed integers that should be converted to return KResults.
2021-01-20 22:11:17 +00:00
return EACCES;
Kernel: Add a basic implementation of unveil() This syscall is a complement to pledge() and adds the same sort of incremental relinquishing of capabilities for filesystem access. The first call to unveil() will "drop a veil" on the process, and from now on, only unveiled parts of the filesystem are visible to it. Each call to unveil() specifies a path to either a directory or a file along with permissions for that path. The permissions are a combination of the following: - r: Read access (like the "rpath" promise) - w: Write access (like the "wpath" promise) - x: Execute access - c: Create/remove access (like the "cpath" promise) Attempts to open a path that has not been unveiled with fail with ENOENT. If the unveiled path lacks sufficient permissions, it will fail with EACCES. Like pledge(), subsequent calls to unveil() with the same path can only remove permissions, not add them. Once you call unveil(nullptr, nullptr), the veil is locked, and it's no longer possible to unveil any more paths for the process, ever. This concept comes from OpenBSD, and their implementation does various things differently, I'm sure. This is just a first implementation for SerenityOS, and we'll keep improving on it as we go. :^)
2020-01-20 21:12:04 +00:00
}
}
return KSuccess;
}
Kernel: Simplify VFS::resolve_path() further It turns out we don't even need to store the whole custody chain, as we only ever access its last element. So we can just store one custody. This also fixes a performance FIXME :^) Also, rename parent_custody to out_parent.
2020-01-15 07:52:33 +00:00
KResultOr<NonnullRefPtr<Custody>> VFS::resolve_path(StringView path, Custody& base, RefPtr<Custody>* out_parent, int options, int symlink_recursion_level)
FileSystem: Add a Custody class that represents a parent/child guardianship. A custody is kind of a directory entry abstraction that represents a single entry in a parent directory that tells us the name of a child inode. The idea here is for path resolution to produce a chain of custody objects.
2019-05-30 15:46:08 +00:00
{
Kernel: Resolve relative paths when there is a veil (#1474)
2020-03-19 08:57:34 +00:00
auto custody_or_error = resolve_path_without_veil(path, base, out_parent, options, symlink_recursion_level);
if (custody_or_error.is_error())
return custody_or_error.error();
auto& custody = custody_or_error.value();
auto result = validate_path_against_process_veil(custody->absolute_path(), options);
Kernel: Add a basic implementation of unveil() This syscall is a complement to pledge() and adds the same sort of incremental relinquishing of capabilities for filesystem access. The first call to unveil() will "drop a veil" on the process, and from now on, only unveiled parts of the filesystem are visible to it. Each call to unveil() specifies a path to either a directory or a file along with permissions for that path. The permissions are a combination of the following: - r: Read access (like the "rpath" promise) - w: Write access (like the "wpath" promise) - x: Execute access - c: Create/remove access (like the "cpath" promise) Attempts to open a path that has not been unveiled with fail with ENOENT. If the unveiled path lacks sufficient permissions, it will fail with EACCES. Like pledge(), subsequent calls to unveil() with the same path can only remove permissions, not add them. Once you call unveil(nullptr, nullptr), the veil is locked, and it's no longer possible to unveil any more paths for the process, ever. This concept comes from OpenBSD, and their implementation does various things differently, I'm sure. This is just a first implementation for SerenityOS, and we'll keep improving on it as we go. :^)
2020-01-20 21:12:04 +00:00
if (result.is_error())
return result;
Kernel: Resolve relative paths when there is a veil (#1474)
2020-03-19 08:57:34 +00:00
return custody;
}
Kernel: Implement the same symlink protection as Linux Path resolution will now refuse to follow symlinks in some cases where you don't own the symlink, or when it's in a sticky world-writable directory and the link has a different owner than the directory. The point of all this is to prevent classic TOCTOU bugs in /tmp etc. Fixes #4934
2021-01-19 17:12:09 +00:00
static bool safe_to_follow_symlink(const Inode& inode, const InodeMetadata& parent_metadata)
{
auto metadata = inode.metadata();
if (Process::current()->euid() == metadata.uid)
return true;
if (!(parent_metadata.is_sticky() && parent_metadata.mode & S_IWOTH))
return true;
if (metadata.uid == parent_metadata.uid)
return true;
return false;
}
Kernel: Resolve relative paths when there is a veil (#1474)
2020-03-19 08:57:34 +00:00
KResultOr<NonnullRefPtr<Custody>> VFS::resolve_path_without_veil(StringView path, Custody& base, RefPtr<Custody>* out_parent, int options, int symlink_recursion_level)
{
Kernel: Implement recursion limit on path resolution Cautiously use 5 as a limit for now so that we don't blow the stack. This can be increased in the future if we are sure that we won't be blowing the stack, or if the implementation is changed to not use recursion :^)
2019-12-24 09:39:21 +00:00
if (symlink_recursion_level >= symlink_recursion_limit)
Kernel+LibC: Turn errno codes into a strongly typed enum ..and allow implicit creation of KResult and KResultOr from ErrnoCode. This means that kernel functions that return those types can finally do "return EINVAL;" and it will just work. There's a handful of functions that still deal with signed integers that should be converted to return KResults.
2021-01-20 22:11:17 +00:00
return ELOOP;
FileSystem: Add FIXME about resolve_path bug
2019-08-25 16:18:51 +00:00
FileSystem: Add a Custody class that represents a parent/child guardianship. A custody is kind of a directory entry abstraction that represents a single entry in a parent directory that tells us the name of a child inode. The idea here is for path resolution to produce a chain of custody objects.
2019-05-30 15:46:08 +00:00
if (path.is_empty())
Kernel+LibC: Turn errno codes into a strongly typed enum ..and allow implicit creation of KResult and KResultOr from ErrnoCode. This means that kernel functions that return those types can finally do "return EINVAL;" and it will just work. There's a handful of functions that still deal with signed integers that should be converted to return KResults.
2021-01-20 22:11:17 +00:00
return EINVAL;
FileSystem: Add a Custody class that represents a parent/child guardianship. A custody is kind of a directory entry abstraction that represents a single entry in a parent directory that tells us the name of a child inode. The idea here is for path resolution to produce a chain of custody objects.
2019-05-30 15:46:08 +00:00
Kernel: Make proper use of the new keep_empty argument
2019-09-20 21:45:16 +00:00
auto parts = path.split_view('/', true);
Kernel: Turn Thread::current and Process::current into functions This allows us to query the current thread and process on a per processor basis
2020-06-28 21:34:31 +00:00
auto current_process = Process::current();
auto& current_root = current_process->root_directory();
Kernel: Add a basic chroot() syscall :^) The chroot() syscall now allows the superuser to isolate a process into a specific subtree of the filesystem. This is not strictly permanent, as it is also possible for a superuser to break *out* of a chroot, but it is a useful mechanism for isolating unprivileged processes. The VFS now uses the current process's root_directory() as the root for path resolution purposes. The root directory is stored as an uncached Custody in the Process object.
2020-01-10 22:14:04 +00:00
Kernel: Simplify VFS::resolve_path() further It turns out we don't even need to store the whole custody chain, as we only ever access its last element. So we can just store one custody. This also fixes a performance FIXME :^) Also, rename parent_custody to out_parent.
2020-01-15 07:52:33 +00:00
NonnullRefPtr<Custody> custody = path[0] == '/' ? current_root : base;
FileSystem: Add a Custody class that represents a parent/child guardianship. A custody is kind of a directory entry abstraction that represents a single entry in a parent directory that tells us the name of a child inode. The idea here is for path resolution to produce a chain of custody objects.
2019-05-30 15:46:08 +00:00
AK: Make Vector use size_t for its size and capacity
2020-02-25 13:49:47 +00:00
for (size_t i = 0; i < parts.size(); ++i) {
Kernel: Simplify VFS::resolve_path() further It turns out we don't even need to store the whole custody chain, as we only ever access its last element. So we can just store one custody. This also fixes a performance FIXME :^) Also, rename parent_custody to out_parent.
2020-01-15 07:52:33 +00:00
Custody& parent = custody;
auto parent_metadata = parent.inode().metadata();
Kernel: Refactor/rewrite VFS::resolve_path() This makes the implementation easier to follow, but also fixes multiple issues with the old implementation. In particular, it now deals properly with . and .. in paths, including around mount points. Hopefully there aren't many new bugs this introduces :^)
2020-01-14 10:30:15 +00:00
if (!parent_metadata.is_directory())
Kernel+LibC: Turn errno codes into a strongly typed enum ..and allow implicit creation of KResult and KResultOr from ErrnoCode. This means that kernel functions that return those types can finally do "return EINVAL;" and it will just work. There's a handful of functions that still deal with signed integers that should be converted to return KResults.
2021-01-20 22:11:17 +00:00
return ENOTDIR;
Kernel: Refactor/rewrite VFS::resolve_path() This makes the implementation easier to follow, but also fixes multiple issues with the old implementation. In particular, it now deals properly with . and .. in paths, including around mount points. Hopefully there aren't many new bugs this introduces :^)
2020-01-14 10:30:15 +00:00
// Ensure the current user is allowed to resolve paths inside this directory.
Kernel: Turn Thread::current and Process::current into functions This allows us to query the current thread and process on a per processor basis
2020-06-28 21:34:31 +00:00
if (!parent_metadata.may_execute(*current_process))
Kernel+LibC: Turn errno codes into a strongly typed enum ..and allow implicit creation of KResult and KResultOr from ErrnoCode. This means that kernel functions that return those types can finally do "return EINVAL;" and it will just work. There's a handful of functions that still deal with signed integers that should be converted to return KResults.
2021-01-20 22:11:17 +00:00
return EACCES;
Kernel: Fix not returning errors for the last path item. Previously the check for an empty part would happen before the check for access and for the parent being a directory, and so an error in those would not be detected.
2019-06-13 13:33:01 +00:00
auto& part = parts[i];
Kernel: Refactor/rewrite VFS::resolve_path() This makes the implementation easier to follow, but also fixes multiple issues with the old implementation. In particular, it now deals properly with . and .. in paths, including around mount points. Hopefully there aren't many new bugs this introduces :^)
2020-01-14 10:30:15 +00:00
bool have_more_parts = i + 1 < parts.size();
if (part == "..") {
// If we encounter a "..", take a step back, but don't go beyond the root.
Kernel: Simplify VFS::resolve_path() further It turns out we don't even need to store the whole custody chain, as we only ever access its last element. So we can just store one custody. This also fixes a performance FIXME :^) Also, rename parent_custody to out_parent.
2020-01-15 07:52:33 +00:00
if (custody->parent())
custody = *custody->parent();
Kernel: Make proper use of the new keep_empty argument
2019-09-20 21:45:16 +00:00
continue;
Kernel: Refactor/rewrite VFS::resolve_path() This makes the implementation easier to follow, but also fixes multiple issues with the old implementation. In particular, it now deals properly with . and .. in paths, including around mount points. Hopefully there aren't many new bugs this introduces :^)
2020-01-14 10:30:15 +00:00
} else if (part == "." || part.is_empty()) {
continue;
}
Kernel: Fix not returning errors for the last path item. Previously the check for an empty part would happen before the check for access and for the parent being a directory, and so an error in those would not be detected.
2019-06-13 13:33:01 +00:00
Kernel: Refactor/rewrite VFS::resolve_path() This makes the implementation easier to follow, but also fixes multiple issues with the old implementation. In particular, it now deals properly with . and .. in paths, including around mount points. Hopefully there aren't many new bugs this introduces :^)
2020-01-14 10:30:15 +00:00
// Okay, let's look up this part.
Kernel: Make Inode::lookup() return a RefPtr<Inode> Previously this API would return an InodeIdentifier, which meant that there was a race in path resolution where an inode could be unlinked in between finding the InodeIdentifier for a path component, and actually resolving that to an Inode object. Attaching a test that would quickly trip an assertion before. Test: Kernel/path-resolution-race.cpp
2020-02-01 08:23:46 +00:00
auto child_inode = parent.inode().lookup(part);
if (!child_inode) {
Kernel: Simplify VFS::resolve_path() further It turns out we don't even need to store the whole custody chain, as we only ever access its last element. So we can just store one custody. This also fixes a performance FIXME :^) Also, rename parent_custody to out_parent.
2020-01-15 07:52:33 +00:00
if (out_parent) {
Kernel: Refactor/rewrite VFS::resolve_path() This makes the implementation easier to follow, but also fixes multiple issues with the old implementation. In particular, it now deals properly with . and .. in paths, including around mount points. Hopefully there aren't many new bugs this introduces :^)
2020-01-14 10:30:15 +00:00
// ENOENT with a non-null parent custody signals to caller that
Kernel: Fix awkward bug where "touch /foo/bar/baz" could create "/baz" To accomodate file creation, path resolution optionally returns the last valid parent directory seen while traversing the path. Clients will then interpret "ENOENT, but I have a parent for you" as meaning that the file doesn't exist, but its immediate parent directory does. The client then goes ahead and creates a new file. In the case of "/foo/bar/baz" where there is no "/foo", it would fail with ENOENT and "/" as the last seen parent directory, causing e.g the open() syscall to create "/baz". Covered by test_io.
2020-01-03 02:53:06 +00:00
// we found the immediate parent of the file, but the file itself
// does not exist yet.
Kernel: Simplify VFS::resolve_path() further It turns out we don't even need to store the whole custody chain, as we only ever access its last element. So we can just store one custody. This also fixes a performance FIXME :^) Also, rename parent_custody to out_parent.
2020-01-15 07:52:33 +00:00
*out_parent = have_more_parts ? nullptr : &parent;
Kernel: Fix awkward bug where "touch /foo/bar/baz" could create "/baz" To accomodate file creation, path resolution optionally returns the last valid parent directory seen while traversing the path. Clients will then interpret "ENOENT, but I have a parent for you" as meaning that the file doesn't exist, but its immediate parent directory does. The client then goes ahead and creates a new file. In the case of "/foo/bar/baz" where there is no "/foo", it would fail with ENOENT and "/" as the last seen parent directory, causing e.g the open() syscall to create "/baz". Covered by test_io.
2020-01-03 02:53:06 +00:00
}
Kernel+LibC: Turn errno codes into a strongly typed enum ..and allow implicit creation of KResult and KResultOr from ErrnoCode. This means that kernel functions that return those types can finally do "return EINVAL;" and it will just work. There's a handful of functions that still deal with signed integers that should be converted to return KResults.
2021-01-20 22:11:17 +00:00
return ENOENT;
Kernel: Fix awkward bug where "touch /foo/bar/baz" could create "/baz" To accomodate file creation, path resolution optionally returns the last valid parent directory seen while traversing the path. Clients will then interpret "ENOENT, but I have a parent for you" as meaning that the file doesn't exist, but its immediate parent directory does. The client then goes ahead and creates a new file. In the case of "/foo/bar/baz" where there is no "/foo", it would fail with ENOENT and "/" as the last seen parent directory, causing e.g the open() syscall to create "/baz". Covered by test_io.
2020-01-03 02:53:06 +00:00
}
Kernel: Refactor/rewrite VFS::resolve_path() This makes the implementation easier to follow, but also fixes multiple issues with the old implementation. In particular, it now deals properly with . and .. in paths, including around mount points. Hopefully there aren't many new bugs this introduces :^)
2020-01-14 10:30:15 +00:00
Kernel: Simplify VFS::resolve_path() further It turns out we don't even need to store the whole custody chain, as we only ever access its last element. So we can just store one custody. This also fixes a performance FIXME :^) Also, rename parent_custody to out_parent.
2020-01-15 07:52:33 +00:00
int mount_flags_for_child = parent.mount_flags();
Kernel: Make Inode::lookup() return a RefPtr<Inode> Previously this API would return an InodeIdentifier, which meant that there was a race in path resolution where an inode could be unlinked in between finding the InodeIdentifier for a path component, and actually resolving that to an Inode object. Attaching a test that would quickly trip an assertion before. Test: Kernel/path-resolution-race.cpp
2020-02-01 08:23:46 +00:00
Kernel: Refactor/rewrite VFS::resolve_path() This makes the implementation easier to follow, but also fixes multiple issues with the old implementation. In particular, it now deals properly with . and .. in paths, including around mount points. Hopefully there aren't many new bugs this introduces :^)
2020-01-14 10:30:15 +00:00
// See if there's something mounted on the child; in that case
// we would need to return the guest inode, not the host inode.
Kernel: Port mounts to reference inodes directly ...instead of going through their identifiers. See the previous commit for reasoning.
2020-06-24 21:16:24 +00:00
if (auto mount = find_mount_for_host(*child_inode)) {
child_inode = mount->guest();
Kernel: Refactor/rewrite VFS::resolve_path() This makes the implementation easier to follow, but also fixes multiple issues with the old implementation. In particular, it now deals properly with . and .. in paths, including around mount points. Hopefully there aren't many new bugs this introduces :^)
2020-01-14 10:30:15 +00:00
mount_flags_for_child = mount->flags();
FileSystem: Add a Custody class that represents a parent/child guardianship. A custody is kind of a directory entry abstraction that represents a single entry in a parent directory that tells us the name of a child inode. The idea here is for path resolution to produce a chain of custody objects.
2019-05-30 15:46:08 +00:00
}
FileSystem: Merge symlink following logic into path resolution. When encountering a symlink, we abandon the custody chain we've been working on and start over with a new one (by recursing into a new resolution call.) Caching symlinks in the custody model would be incredibly difficult to get right with all the extra invalidation it would require, so let's just not.
2019-05-31 04:42:49 +00:00
Kernel: Simplify VFS::resolve_path() further It turns out we don't even need to store the whole custody chain, as we only ever access its last element. So we can just store one custody. This also fixes a performance FIXME :^) Also, rename parent_custody to out_parent.
2020-01-15 07:52:33 +00:00
custody = Custody::create(&parent, part, *child_inode, mount_flags_for_child);
FileSystem: Merge symlink following logic into path resolution. When encountering a symlink, we abandon the custody chain we've been working on and start over with a new one (by recursing into a new resolution call.) Caching symlinks in the custody model would be incredibly difficult to get right with all the extra invalidation it would require, so let's just not.
2019-05-31 04:42:49 +00:00
Kernel: Refactor/rewrite VFS::resolve_path() This makes the implementation easier to follow, but also fixes multiple issues with the old implementation. In particular, it now deals properly with . and .. in paths, including around mount points. Hopefully there aren't many new bugs this introduces :^)
2020-01-14 10:30:15 +00:00
if (child_inode->metadata().is_symlink()) {
if (!have_more_parts) {
FileSystem: Add a Custody class that represents a parent/child guardianship. A custody is kind of a directory entry abstraction that represents a single entry in a parent directory that tells us the name of a child inode. The idea here is for path resolution to produce a chain of custody objects.
2019-05-30 15:46:08 +00:00
if (options & O_NOFOLLOW)
Kernel+LibC: Turn errno codes into a strongly typed enum ..and allow implicit creation of KResult and KResultOr from ErrnoCode. This means that kernel functions that return those types can finally do "return EINVAL;" and it will just work. There's a handful of functions that still deal with signed integers that should be converted to return KResults.
2021-01-20 22:11:17 +00:00
return ELOOP;
FileSystem: Add a Custody class that represents a parent/child guardianship. A custody is kind of a directory entry abstraction that represents a single entry in a parent directory that tells us the name of a child inode. The idea here is for path resolution to produce a chain of custody objects.
2019-05-30 15:46:08 +00:00
if (options & O_NOFOLLOW_NOERROR)
Kernel: Refactor/rewrite VFS::resolve_path() This makes the implementation easier to follow, but also fixes multiple issues with the old implementation. In particular, it now deals properly with . and .. in paths, including around mount points. Hopefully there aren't many new bugs this introduces :^)
2020-01-14 10:30:15 +00:00
break;
FileSystem: Add a Custody class that represents a parent/child guardianship. A custody is kind of a directory entry abstraction that represents a single entry in a parent directory that tells us the name of a child inode. The idea here is for path resolution to produce a chain of custody objects.
2019-05-30 15:46:08 +00:00
}
Kernel: Implement the same symlink protection as Linux Path resolution will now refuse to follow symlinks in some cases where you don't own the symlink, or when it's in a sticky world-writable directory and the link has a different owner than the directory. The point of all this is to prevent classic TOCTOU bugs in /tmp etc. Fixes #4934
2021-01-19 17:12:09 +00:00
if (!safe_to_follow_symlink(*child_inode, parent_metadata))
Kernel+LibC: Turn errno codes into a strongly typed enum ..and allow implicit creation of KResult and KResultOr from ErrnoCode. This means that kernel functions that return those types can finally do "return EINVAL;" and it will just work. There's a handful of functions that still deal with signed integers that should be converted to return KResults.
2021-01-20 22:11:17 +00:00
return EACCES;
Kernel: Implement the same symlink protection as Linux Path resolution will now refuse to follow symlinks in some cases where you don't own the symlink, or when it's in a sticky world-writable directory and the link has a different owner than the directory. The point of all this is to prevent classic TOCTOU bugs in /tmp etc. Fixes #4934
2021-01-19 17:12:09 +00:00
Kernel: Use the resolved parent path when testing create veil (#5231)
2021-02-06 18:11:44 +00:00
auto result = validate_path_against_process_veil(custody->absolute_path(), options);
if (result.is_error())
return result;
Kernel: Let symlinks resolve themselves Symlink resolution is now a virtual method on an inode, Inode::resolve_as_symlink(). The default implementation just reads the stored inode contents, treats them as a path and calls through to VFS::resolve_path(). This will let us support other, magical files that appear to be plain old symlinks but resolve to something else. This is particularly useful for ProcFS.
2020-01-15 10:59:50 +00:00
auto symlink_target = child_inode->resolve_as_link(parent, out_parent, options, symlink_recursion_level + 1);
Kernel: Refactor/rewrite VFS::resolve_path() This makes the implementation easier to follow, but also fixes multiple issues with the old implementation. In particular, it now deals properly with . and .. in paths, including around mount points. Hopefully there aren't many new bugs this introduces :^)
2020-01-14 10:30:15 +00:00
if (symlink_target.is_error() || !have_more_parts)
Kernel: Fix resolving symlinks in the middle of a path. If a symlink is not the last part of a path, the remaining part of the path has to be further resolved against the symlink target. With this, a path containing a symlink always resolves to the target of the first (leftmost) symlink in it, for example any path of form /proc/self/... resolves to the corresponding /proc/pid directory.
2019-06-12 13:36:05 +00:00
return symlink_target;
Kernel: Refactor/rewrite VFS::resolve_path() This makes the implementation easier to follow, but also fixes multiple issues with the old implementation. In particular, it now deals properly with . and .. in paths, including around mount points. Hopefully there aren't many new bugs this introduces :^)
2020-01-14 10:30:15 +00:00
// Now, resolve the remaining path relative to the symlink target.
// We prepend a "." to it to ensure that it's not empty and that
// any initial slashes it might have get interpreted properly.
StringBuilder remaining_path;
remaining_path.append('.');
remaining_path.append(path.substring_view_starting_after_substring(part));
Kernel: Fix resolving symlinks in the middle of a path. If a symlink is not the last part of a path, the remaining part of the path has to be further resolved against the symlink target. With this, a path containing a symlink always resolves to the target of the first (leftmost) symlink in it, for example any path of form /proc/self/... resolves to the corresponding /proc/pid directory.
2019-06-12 13:36:05 +00:00
Kernel: Resolve relative paths when there is a veil (#1474)
2020-03-19 08:57:34 +00:00
return resolve_path_without_veil(remaining_path.to_string(), *symlink_target.value(), out_parent, options, symlink_recursion_level + 1);
FileSystem: Add a Custody class that represents a parent/child guardianship. A custody is kind of a directory entry abstraction that represents a single entry in a parent directory that tells us the name of a child inode. The idea here is for path resolution to produce a chain of custody objects.
2019-05-30 15:46:08 +00:00
}
}
Kernel: Refactor/rewrite VFS::resolve_path() This makes the implementation easier to follow, but also fixes multiple issues with the old implementation. In particular, it now deals properly with . and .. in paths, including around mount points. Hopefully there aren't many new bugs this introduces :^)
2020-01-14 10:30:15 +00:00
Kernel: Simplify VFS::resolve_path() further It turns out we don't even need to store the whole custody chain, as we only ever access its last element. So we can just store one custody. This also fixes a performance FIXME :^) Also, rename parent_custody to out_parent.
2020-01-15 07:52:33 +00:00
if (out_parent)
*out_parent = custody->parent();
return custody;
FileSystem: Add a Custody class that represents a parent/child guardianship. A custody is kind of a directory entry abstraction that represents a single entry in a parent directory that tells us the name of a child inode. The idea here is for path resolution to produce a chain of custody objects.
2019-05-30 15:46:08 +00:00
}
Kernel: Move all code into the Kernel namespace
2020-02-16 00:27:42 +00:00
}
Reference in a new issue Copy permalink