beenull/ladybird
1
0
Fork 0
mirror of https://github.com/LadybirdBrowser/ladybird.git synced 2024-11-25 17:10:23 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 7
ladybird/Kernel/FileSystem/VirtualFileSystem.cpp

1276 lines
51 KiB
C++
Raw Normal View History

Meta: Add license header to source files As suggested by Joshua, this commit adds the 2-clause BSD license as a comment block to the top of every source file. For the first pass, I've just added myself for simplicity. I encourage everyone to add themselves as copyright holders of any file they've added or modified in some significant way. If I've added myself in error somewhere, feel free to replace it with the appropriate copyright holder instead. Going forward, all new source files should include a license header.
2020-01-18 08:38:21 +00:00
/*
* Copyright (c) 2018-2020, Andreas Kling <kling@serenityos.org>
Kernel+LibCore+LibC: Split the mount syscall into multiple syscalls This is a preparation before we can create a usable mechanism to use filesystem-specific mount flags. To keep some compatibility with userland code, LibC and LibCore mount functions are kept being usable, but now instead of doing an "atomic" syscall, they do multiple syscalls to perform the complete procedure of mounting a filesystem. The FileBackedFileSystem IntrusiveList in the VFS code is now changed to be protected by a Mutex, because when we mount a new filesystem, we need to check if a filesystem is already created for a given source_fd so we do a scan for that OpenFileDescription in that list. If we fail to find an already-created filesystem we create a new one and register it in the list if we successfully mounted it. We use a Mutex because we might need to initiate disk access during the filesystem creation, which will take other mutexes in other parts of the kernel, therefore making it not possible to take a spinlock while doing this.
2022-12-15 09:42:40 +00:00
* Copyright (c) 2022-2023, Liav A. <liavalb@hotmail.co.il>
Meta: Add license header to source files As suggested by Joshua, this commit adds the 2-clause BSD license as a comment block to the top of every source file. For the first pass, I've just added myself for simplicity. I encourage everyone to add themselves as copyright holders of any file they've added or modified in some significant way. If I've added myself in error somewhere, feel free to replace it with the appropriate copyright holder instead. Going forward, all new source files should include a license header.
2020-01-18 08:38:21 +00:00
*
Everything: Move to SPDX license identifiers in all files. SPDX License Identifiers are a more compact / standardized way of representing file license information. See: https://spdx.dev/resources/use/#identifiers This was done with the `ambr` search and replace tool. ambr --no-parent-ignore --key-from-file --rep-from-file key.txt rep.txt *
2021-04-22 08:24:48 +00:00
* SPDX-License-Identifier: BSD-2-Clause
Meta: Add license header to source files As suggested by Joshua, this commit adds the 2-clause BSD license as a comment block to the top of every source file. For the first pass, I've just added myself for simplicity. I encourage everyone to add themselves as copyright holders of any file they've added or modified in some significant way. If I've added myself in error somewhere, feel free to replace it with the appropriate copyright holder instead. Going forward, all new source files should include a license header.
2020-01-18 08:38:21 +00:00
*/
Kernel/VFS: Check that mount-point is not in use Before committing the mount, verify that this host i-node is not already a mount-point.
2022-08-10 15:50:23 +00:00
#include <AK/AnyOf.h>
AK: Move FormatParser definition from header to implementation file This is primarily to be able to remove the GenericLexer include out of Format.h as well. A subsequent commit will add AK::Result to GenericLexer, which will cause naming conflicts with other structures named Result. This can be avoided (for now) by preventing nearly every file in the system from implicitly including GenericLexer. Other changes in this commit are to add the GenericLexer include to files where it is missing.
2021-08-18 11:22:52 +00:00
#include <AK/GenericLexer.h>
Kernel: Use RefPtr instead of LockRefPtr for Custody By protecting all the RefPtr<Custody> objects that may be accessed from multiple threads at the same time (with spinlocks), we remove the need for using LockRefPtr<Custody> (which is basically a RefPtr with a built-in spinlock.)
2022-08-20 23:04:35 +00:00
#include <AK/RefPtr.h>
Kernel: Switch singletons to use new Singleton class MemoryManager cannot use the Singleton class because MemoryManager::initialize is called before the global constructors are run. That caused the Singleton to be re-initialized, causing it to create another MemoryManager instance. Fixes #3226
2020-08-25 01:35:19 +00:00
#include <AK/Singleton.h>
Add a VFS::absolutePath(InodeIdentifier). This is pretty inefficient for ext2fs. We walk the entire block group containing the inode, searching through every directory for an entry referencing this inode. It might be a good idea to cache this information somehow. I'm not sure how often we'll be searching for it. Obviously there are multiple caching layers missing in the file system.
2018-10-28 11:20:25 +00:00
#include <AK/StringBuilder.h>
Kernel+LibC: Move errno definitions to Kernel/API/POSIX This fixes at least half of our LibC includes in the kernel. The source of truth for errno codes and their description strings now lives in Kernel/API/POSIX/errno.h as an enumeration, which LibC includes.
2021-09-12 11:29:28 +00:00
#include <Kernel/API/POSIX/errno.h>
Meta: Split debug defines into multiple headers. The following script was used to make these changes: #!/bin/bash set -e tmp=$(mktemp -d) echo "tmp=$tmp" find Kernel \( -name '*.cpp' -o -name '*.h' \) | sort > $tmp/Kernel.files find . \( -path ./Toolchain -prune -o -path ./Build -prune -o -path ./Kernel -prune \) -o \( -name '*.cpp' -o -name '*.h' \) -print | sort > $tmp/EverythingExceptKernel.files cat $tmp/Kernel.files | xargs grep -Eho '[A-Z0-9_]+_DEBUG' | sort | uniq > $tmp/Kernel.macros cat $tmp/EverythingExceptKernel.files | xargs grep -Eho '[A-Z0-9_]+_DEBUG' | sort | uniq > $tmp/EverythingExceptKernel.macros comm -23 $tmp/Kernel.macros $tmp/EverythingExceptKernel.macros > $tmp/Kernel.unique comm -1 $tmp/Kernel.macros $tmp/EverythingExceptKernel.macros > $tmp/EverythingExceptKernel.unique cat $tmp/Kernel.unique | awk '{ print "#cmakedefine01 "$1 }' > $tmp/Kernel.header cat $tmp/EverythingExceptKernel.unique | awk '{ print "#cmakedefine01 "$1 }' > $tmp/EverythingExceptKernel.header for macro in $(cat $tmp/Kernel.unique) do cat $tmp/Kernel.files | xargs grep -l $macro >> $tmp/Kernel.new-includes ||: done cat $tmp/Kernel.new-includes | sort > $tmp/Kernel.new-includes.sorted for macro in $(cat $tmp/EverythingExceptKernel.unique) do cat $tmp/Kernel.files | xargs grep -l $macro >> $tmp/Kernel.old-includes ||: done cat $tmp/Kernel.old-includes | sort > $tmp/Kernel.old-includes.sorted comm -23 $tmp/Kernel.new-includes.sorted $tmp/Kernel.old-includes.sorted > $tmp/Kernel.includes.new comm -13 $tmp/Kernel.new-includes.sorted $tmp/Kernel.old-includes.sorted > $tmp/Kernel.includes.old comm -12 $tmp/Kernel.new-includes.sorted $tmp/Kernel.old-includes.sorted > $tmp/Kernel.includes.mixed for file in $(cat $tmp/Kernel.includes.new) do sed -i -E 's/#include <AK\/Debug\.h>/#include <Kernel\/Debug\.h>/' $file done for file in $(cat $tmp/Kernel.includes.mixed) do echo "mixed include in $file, requires manual editing." done
2021-01-25 15:07:10 +00:00
#include <Kernel/Debug.h>
Kernel: Add forward declaration header
2020-02-16 00:50:16 +00:00
#include <Kernel/Devices/BlockDevice.h>
Kernel: Introduce the DeviceManagement singleton This singleton simplifies many aspects that we struggled with before: 1. There's no need to make derived classes of Device expose the constructor as public anymore. The singleton is a friend of them, so he can call the constructor. This solves the issue with try_create_device helper neatly, hopefully for good. 2. Getting a reference of the NullDevice is now being done from this singleton, which means that NullDevice no longer needs to use its own singleton, and we can apply the try_create_device helper on it too :) 3. We can now defer registration completely after the Device constructor which means the Device constructor is merely assigning the major and minor numbers of the Device, and the try_create_device helper ensures it calls the after_inserting method immediately after construction. This creates a great opportunity to make registration more OOM-safe.
2021-09-11 06:19:20 +00:00
#include <Kernel/Devices/DeviceManagement.h>
FileSystem: Add a Custody class that represents a parent/child guardianship. A custody is kind of a directory entry abstraction that represents a single entry in a parent directory that tells us the name of a child inode. The idea here is for path resolution to produce a chain of custody objects.
2019-05-30 15:46:08 +00:00
#include <Kernel/FileSystem/Custody.h>
Kernel: Change Ext2FS to be backed by a file instead of a block device In contrast to the previous patchset that was reverted, this time we use a "special" method to access a file with block size of 512 bytes (like a harddrive essentially).
2020-04-06 08:54:21 +00:00
#include <Kernel/FileSystem/FileBackedFileSystem.h>
Kernel: Qualify a bunch of #include statements.
2019-06-07 17:29:34 +00:00
#include <Kernel/FileSystem/FileSystem.h>
Kernel: Rename FileDescription => OpenFileDescription Dr. POSIX really calls these "open file description", not just "file description", so let's call them exactly that. :^)
2021-09-07 11:39:11 +00:00
#include <Kernel/FileSystem/OpenFileDescription.h>
Kernel: Qualify a bunch of #include statements.
2019-06-07 17:29:34 +00:00
#include <Kernel/FileSystem/VirtualFileSystem.h>
Kernel: Move all code into the Kernel namespace
2020-02-16 00:27:42 +00:00
#include <Kernel/KSyms.h>
Everywhere: Move global Kernel pattern code to Kernel/Library directory This has KString, KBuffer, DoubleBuffer, KBufferBuilder, IOWindow, UserOrKernelBuffer and ScopedCritical classes being moved to the Kernel/Library subdirectory. Also, move the panic and assertions handling code to that directory.
2023-02-24 18:10:59 +00:00
#include <Kernel/Library/KLexicalPath.h>
Kernel: Move special sections into Sections.h This also removes a lot of CPU.h includes infavor for Sections.h
2021-06-22 15:40:16 +00:00
#include <Kernel/Sections.h>
Kernel: Move all tasks-related code to the Tasks subdirectory
2023-02-24 17:45:37 +00:00
#include <Kernel/Tasks/Process.h>
Import all this stuff into a single repo called Serenity.
2018-10-10 09:53:07 +00:00
Kernel+LibCore+LibC: Split the mount syscall into multiple syscalls This is a preparation before we can create a usable mechanism to use filesystem-specific mount flags. To keep some compatibility with userland code, LibC and LibCore mount functions are kept being usable, but now instead of doing an "atomic" syscall, they do multiple syscalls to perform the complete procedure of mounting a filesystem. The FileBackedFileSystem IntrusiveList in the VFS code is now changed to be protected by a Mutex, because when we mount a new filesystem, we need to check if a filesystem is already created for a given source_fd so we do a scan for that OpenFileDescription in that list. If we fail to find an already-created filesystem we create a new one and register it in the list if we successfully mounted it. We use a Mutex because we might need to initiate disk access during the filesystem creation, which will take other mutexes in other parts of the kernel, therefore making it not possible to take a spinlock while doing this.
2022-12-15 09:42:40 +00:00
#include <Kernel/FileSystem/DevPtsFS/FileSystem.h>
#include <Kernel/FileSystem/Ext2FS/FileSystem.h>
#include <Kernel/FileSystem/FATFS/FileSystem.h>
#include <Kernel/FileSystem/ISO9660FS/FileSystem.h>
#include <Kernel/FileSystem/Plan9FS/FileSystem.h>
#include <Kernel/FileSystem/ProcFS/FileSystem.h>
#include <Kernel/FileSystem/RAMFS/FileSystem.h>
#include <Kernel/FileSystem/SysFS/FileSystem.h>
Kernel: Move all code into the Kernel namespace
2020-02-16 00:27:42 +00:00
namespace Kernel {
Everywhere: Replace AK::Singleton => Singleton
2021-08-07 19:34:11 +00:00
static Singleton<VirtualFileSystem> s_the;
Kernel/FileSystem: Don't assume flags for root filesystem mount flags This is considered somewhat an abstraction layer violation, because we should always let userspace to decide on the root filesystem mount flags because it allows the user to configure the mount table to preferences that they desire. Now that SystemServer is modified to re-mount the root mount with the desired flags, we can just mount the root filesystem without assuming special flags.
2023-02-11 08:34:57 +00:00
static constexpr int root_mount_flags = 0;
Add an fd field to FileHandle in Kernel builds.
2018-10-18 08:27:07 +00:00
Kernel+LibCore+LibC: Split the mount syscall into multiple syscalls This is a preparation before we can create a usable mechanism to use filesystem-specific mount flags. To keep some compatibility with userland code, LibC and LibCore mount functions are kept being usable, but now instead of doing an "atomic" syscall, they do multiple syscalls to perform the complete procedure of mounting a filesystem. The FileBackedFileSystem IntrusiveList in the VFS code is now changed to be protected by a Mutex, because when we mount a new filesystem, we need to check if a filesystem is already created for a given source_fd so we do a scan for that OpenFileDescription in that list. If we fail to find an already-created filesystem we create a new one and register it in the list if we successfully mounted it. We use a Mutex because we might need to initiate disk access during the filesystem creation, which will take other mutexes in other parts of the kernel, therefore making it not possible to take a spinlock while doing this.
2022-12-15 09:42:40 +00:00
static ErrorOr<void> handle_mount_boolean_flag_as_invalid(Span<u8>, StringView, bool)
{
return EINVAL;
}
static ErrorOr<void> handle_mount_unsigned_integer_flag_as_invalid(Span<u8>, StringView, u64)
{
return EINVAL;
}
static ErrorOr<void> handle_mount_signed_integer_flag_as_invalid(Span<u8>, StringView, i64)
{
return EINVAL;
}
static ErrorOr<void> handle_mount_ascii_string_flag_as_invalid(Span<u8>, StringView, StringView)
{
return EINVAL;
}
static constexpr FileSystemInitializer s_initializers[] = {
{ "proc"sv, "ProcFS"sv, false, false, false, {}, ProcFS::try_create, handle_mount_boolean_flag_as_invalid, handle_mount_unsigned_integer_flag_as_invalid, handle_mount_signed_integer_flag_as_invalid, handle_mount_ascii_string_flag_as_invalid },
{ "devpts"sv, "DevPtsFS"sv, false, false, false, {}, DevPtsFS::try_create, handle_mount_boolean_flag_as_invalid, handle_mount_unsigned_integer_flag_as_invalid, handle_mount_signed_integer_flag_as_invalid, handle_mount_ascii_string_flag_as_invalid },
{ "sys"sv, "SysFS"sv, false, false, false, {}, SysFS::try_create, handle_mount_boolean_flag_as_invalid, handle_mount_unsigned_integer_flag_as_invalid, handle_mount_signed_integer_flag_as_invalid, handle_mount_ascii_string_flag_as_invalid },
{ "ram"sv, "RAMFS"sv, false, false, false, {}, RAMFS::try_create, handle_mount_boolean_flag_as_invalid, handle_mount_unsigned_integer_flag_as_invalid, handle_mount_signed_integer_flag_as_invalid, handle_mount_ascii_string_flag_as_invalid },
{ "ext2"sv, "Ext2FS"sv, true, true, true, Ext2FS::try_create, {}, handle_mount_boolean_flag_as_invalid, handle_mount_unsigned_integer_flag_as_invalid, handle_mount_signed_integer_flag_as_invalid, handle_mount_ascii_string_flag_as_invalid },
{ "9p"sv, "Plan9FS"sv, true, true, true, Plan9FS::try_create, {}, handle_mount_boolean_flag_as_invalid, handle_mount_unsigned_integer_flag_as_invalid, handle_mount_signed_integer_flag_as_invalid, handle_mount_ascii_string_flag_as_invalid },
{ "iso9660"sv, "ISO9660FS"sv, true, true, true, ISO9660FS::try_create, {}, handle_mount_boolean_flag_as_invalid, handle_mount_unsigned_integer_flag_as_invalid, handle_mount_signed_integer_flag_as_invalid, handle_mount_ascii_string_flag_as_invalid },
{ "fat"sv, "FATFS"sv, true, true, true, FATFS::try_create, {}, handle_mount_boolean_flag_as_invalid, handle_mount_unsigned_integer_flag_as_invalid, handle_mount_signed_integer_flag_as_invalid, handle_mount_ascii_string_flag_as_invalid },
};
ErrorOr<FileSystemInitializer const*> VirtualFileSystem::find_filesystem_type_initializer(StringView fs_type)
{
for (auto& initializer_entry : s_initializers) {
if (fs_type == initializer_entry.short_name || fs_type == initializer_entry.name)
return &initializer_entry;
}
return ENODEV;
}
Kernel: Rename VFS => VirtualFileSystem
2021-07-10 22:25:24 +00:00
UNMAP_AFTER_INIT void VirtualFileSystem::initialize()
Kernel: Switch singletons to use new Singleton class MemoryManager cannot use the Singleton class because MemoryManager::initialize is called before the global constructors are run. That caused the Singleton to be re-initialized, causing it to create another MemoryManager instance. Fixes #3226
2020-08-25 01:35:19 +00:00
{
s_the.ensure_instance();
}
Kernel: Rename VFS => VirtualFileSystem
2021-07-10 22:25:24 +00:00
VirtualFileSystem& VirtualFileSystem::the()
Add an fd field to FileHandle in Kernel builds.
2018-10-18 08:27:07 +00:00
{
return *s_the;
}
Kernel: Rename VFS => VirtualFileSystem
2021-07-10 22:25:24 +00:00
UNMAP_AFTER_INIT VirtualFileSystem::VirtualFileSystem()
Import all this stuff into a single repo called Serenity.
2018-10-10 09:53:07 +00:00
{
}
Kernel: Use default constructors/destructors https://isocpp.github.io/CppCoreGuidelines/CppCoreGuidelines#cother-other-default-operation-rules "The compiler is more likely to get the default semantics right and you cannot implement these functions better than the compiler."
2022-03-16 19:15:15 +00:00
UNMAP_AFTER_INIT VirtualFileSystem::~VirtualFileSystem() = default;
Virtual consoles kinda work! We now make three VirtualConsoles at boot: tty0, tty1, and tty2. We launch an instance of /bin/sh in each one. You switch between them with Alt+1/2/3 How very very cool :^)
2018-10-30 14:33:37 +00:00
Kernel/VFS: Ensure Custodies' absolute path don't match before mounting This ensures that the host mount point custody path is not the same like the new to-be-mounted custody. A scenario that could happen before adding this check is: ``` mkdir -p /tmp2 mount /dev/hda /tmp2/ mount /dev/hda /tmp2/ mount /dev/hda /tmp2/ # this will fail here ``` and after adding this check, the following scenario is now this: ``` mkdir -p /tmp2 mount /dev/hda /tmp2/ mount /dev/hda /tmp2/ # this will fail here mount /dev/hda /tmp2/ # this will fail here too ```
2023-08-04 11:54:52 +00:00
bool VirtualFileSystem::check_matching_absolute_path_hierarchy(Custody const& first_custody, Custody const& second_custody)
{
// Are both custodies the root mount?
if (!first_custody.parent() && !second_custody.parent())
return true;
if (first_custody.name() != second_custody.name())
return false;
auto const* custody1 = &first_custody;
auto const* custody2 = &second_custody;
while (custody1->parent()) {
if (!custody2->parent())
return false;
if (custody1->parent().ptr() != custody2->parent().ptr())
return false;
custody1 = custody1->parent();
custody2 = custody2->parent();
}
return true;
}
bool VirtualFileSystem::mount_point_exists_at_custody(Custody& mount_point)
Kernel/VFS: Check that mount-point is not in use Before committing the mount, verify that this host i-node is not already a mount-point.
2022-08-10 15:50:23 +00:00
{
return m_mounts.with([&](auto& mounts) -> bool {
Kernel/VFS: Ensure Custodies' absolute path don't match before mounting This ensures that the host mount point custody path is not the same like the new to-be-mounted custody. A scenario that could happen before adding this check is: ``` mkdir -p /tmp2 mount /dev/hda /tmp2/ mount /dev/hda /tmp2/ mount /dev/hda /tmp2/ # this will fail here ``` and after adding this check, the following scenario is now this: ``` mkdir -p /tmp2 mount /dev/hda /tmp2/ mount /dev/hda /tmp2/ # this will fail here mount /dev/hda /tmp2/ # this will fail here too ```
2023-08-04 11:54:52 +00:00
return any_of(mounts, [&mount_point](auto const& existing_mount) {
return existing_mount.host_custody() && check_matching_absolute_path_hierarchy(*existing_mount.host_custody(), mount_point);
Kernel/VFS: Check that mount-point is not in use Before committing the mount, verify that this host i-node is not already a mount-point.
2022-08-10 15:50:23 +00:00
});
});
}
Kernel+LibCore+LibC: Split the mount syscall into multiple syscalls This is a preparation before we can create a usable mechanism to use filesystem-specific mount flags. To keep some compatibility with userland code, LibC and LibCore mount functions are kept being usable, but now instead of doing an "atomic" syscall, they do multiple syscalls to perform the complete procedure of mounting a filesystem. The FileBackedFileSystem IntrusiveList in the VFS code is now changed to be protected by a Mutex, because when we mount a new filesystem, we need to check if a filesystem is already created for a given source_fd so we do a scan for that OpenFileDescription in that list. If we fail to find an already-created filesystem we create a new one and register it in the list if we successfully mounted it. We use a Mutex because we might need to initiate disk access during the filesystem creation, which will take other mutexes in other parts of the kernel, therefore making it not possible to take a spinlock while doing this.
2022-12-15 09:42:40 +00:00
ErrorOr<void> VirtualFileSystem::add_file_system_to_mount_table(FileSystem& file_system, Custody& mount_point, int flags)
Kernel: Some improvements to the mount syscall - You must now have superuser privileges to use mount(). - We now verify that the mount point is a valid path first, before trying to find a filesystem on the specified device. - Convert some dbgprintf() to dbg().
2019-08-02 17:03:50 +00:00
{
Kernel+LibCore+LibC: Split the mount syscall into multiple syscalls This is a preparation before we can create a usable mechanism to use filesystem-specific mount flags. To keep some compatibility with userland code, LibC and LibCore mount functions are kept being usable, but now instead of doing an "atomic" syscall, they do multiple syscalls to perform the complete procedure of mounting a filesystem. The FileBackedFileSystem IntrusiveList in the VFS code is now changed to be protected by a Mutex, because when we mount a new filesystem, we need to check if a filesystem is already created for a given source_fd so we do a scan for that OpenFileDescription in that list. If we fail to find an already-created filesystem we create a new one and register it in the list if we successfully mounted it. We use a Mutex because we might need to initiate disk access during the filesystem creation, which will take other mutexes in other parts of the kernel, therefore making it not possible to take a spinlock while doing this.
2022-12-15 09:42:40 +00:00
auto new_mount = TRY(adopt_nonnull_own_or_enomem(new (nothrow) Mount(file_system, &mount_point, flags)));
Kernel: Protect mounted filesystem list with spinlock instead of mutex
2022-02-03 00:37:46 +00:00
return m_mounts.with([&](auto& mounts) -> ErrorOr<void> {
Kernel/VFS: Ensure Custodies' absolute path don't match before mounting This ensures that the host mount point custody path is not the same like the new to-be-mounted custody. A scenario that could happen before adding this check is: ``` mkdir -p /tmp2 mount /dev/hda /tmp2/ mount /dev/hda /tmp2/ mount /dev/hda /tmp2/ # this will fail here ``` and after adding this check, the following scenario is now this: ``` mkdir -p /tmp2 mount /dev/hda /tmp2/ mount /dev/hda /tmp2/ # this will fail here mount /dev/hda /tmp2/ # this will fail here too ```
2023-08-04 11:54:52 +00:00
auto& mount_point_inode = mount_point.inode();
Kernel/VFS: Remove misleading part of debug message when mounting
2023-08-04 11:47:20 +00:00
dbgln("VirtualFileSystem: FileSystemID {}, Mounting {} at inode {} with flags {}",
Kernel+LibCore+LibC: Split the mount syscall into multiple syscalls This is a preparation before we can create a usable mechanism to use filesystem-specific mount flags. To keep some compatibility with userland code, LibC and LibCore mount functions are kept being usable, but now instead of doing an "atomic" syscall, they do multiple syscalls to perform the complete procedure of mounting a filesystem. The FileBackedFileSystem IntrusiveList in the VFS code is now changed to be protected by a Mutex, because when we mount a new filesystem, we need to check if a filesystem is already created for a given source_fd so we do a scan for that OpenFileDescription in that list. If we fail to find an already-created filesystem we create a new one and register it in the list if we successfully mounted it. We use a Mutex because we might need to initiate disk access during the filesystem creation, which will take other mutexes in other parts of the kernel, therefore making it not possible to take a spinlock while doing this.
2022-12-15 09:42:40 +00:00
file_system.fsid(),
file_system.class_name(),
Kernel/VFS: Ensure Custodies' absolute path don't match before mounting This ensures that the host mount point custody path is not the same like the new to-be-mounted custody. A scenario that could happen before adding this check is: ``` mkdir -p /tmp2 mount /dev/hda /tmp2/ mount /dev/hda /tmp2/ mount /dev/hda /tmp2/ # this will fail here ``` and after adding this check, the following scenario is now this: ``` mkdir -p /tmp2 mount /dev/hda /tmp2/ mount /dev/hda /tmp2/ # this will fail here mount /dev/hda /tmp2/ # this will fail here too ```
2023-08-04 11:54:52 +00:00
mount_point_inode.identifier(),
Kernel: Use ProtectedValue for VirtualFileSystem::m_mounts This is what VirtualFileSystem::m_lock was actually guarding, and wrapping it in a ProtectedValue makes it so much more obvious how it all works. :^)
2021-08-15 23:40:19 +00:00
flags);
Kernel/VFS: Ensure Custodies' absolute path don't match before mounting This ensures that the host mount point custody path is not the same like the new to-be-mounted custody. A scenario that could happen before adding this check is: ``` mkdir -p /tmp2 mount /dev/hda /tmp2/ mount /dev/hda /tmp2/ mount /dev/hda /tmp2/ # this will fail here ``` and after adding this check, the following scenario is now this: ``` mkdir -p /tmp2 mount /dev/hda /tmp2/ mount /dev/hda /tmp2/ # this will fail here mount /dev/hda /tmp2/ # this will fail here too ```
2023-08-04 11:54:52 +00:00
if (mount_point_exists_at_custody(mount_point)) {
dbgln("VirtualFileSystem: Mounting unsuccessful - inode {} is already a mount-point.", mount_point_inode.identifier());
Kernel/VFS: Check that mount-point is not in use Before committing the mount, verify that this host i-node is not already a mount-point.
2022-08-10 15:50:23 +00:00
return EBUSY;
}
Kernel: Introduce support for using FileSystem object in multiple mounts The idea is to enable mounting FileSystem objects across multiple mounts in contrast to what happened until now - each mount has its own unique FileSystem object being attached to it. Considering a situation of mounting a block device at 2 different mount points at in system, there were a couple of critical flaws due to how the previous "design" worked: 1. BlockBasedFileSystem(s) that pointed to the same actual device had a separate DiskCache object being attached to them. Because both instances were not synchronized by any means, corruption of the filesystem is most likely achieveable by a simple cache flush of either of the instances. 2. For superblock-oriented filesystems (such as the ext2 filesystem), lack of synchronization between both instances can lead to severe corruption in the superblock, which could render the entire filesystem unusable. 3. Flags of a specific filesystem implementation (for example, with xfs on Linux, one can instruct to mount it with the discard option) must be honored across multiple mounts, to ensure expected behavior against a particular filesystem. This patch put the foundations to start fix the issues mentioned above. However, there are still major issues to solve, so this is only a start.
2022-08-19 21:03:24 +00:00
// Note: Actually add a mount for the filesystem and increment the filesystem mounted count
new_mount->guest_fs().mounted_count({}).with([&](auto& mounted_count) {
mounted_count++;
Kernel/FileSystem: Fix kernel panic during FS init or mount failure Resolves issue where a panic would occur if the file system failed to initialize or mount, due to how the FileSystem was already added to VFS's list. The newly-created FileSystem destructor would fail as a result of the object still remaining in the IntrusiveList.
2023-01-08 00:19:43 +00:00
// When this is the first time this FileSystem is mounted,
// begin managing the FileSystem by adding it to the list of
// managed file systems. This is symmetric with
// VirtualFileSystem::unmount()'s `remove()` calls (which remove
// the FileSystem once it is no longer mounted).
if (mounted_count == 1) {
m_file_systems_list.with([&](auto& fs_list) {
Kernel+LibCore+LibC: Split the mount syscall into multiple syscalls This is a preparation before we can create a usable mechanism to use filesystem-specific mount flags. To keep some compatibility with userland code, LibC and LibCore mount functions are kept being usable, but now instead of doing an "atomic" syscall, they do multiple syscalls to perform the complete procedure of mounting a filesystem. The FileBackedFileSystem IntrusiveList in the VFS code is now changed to be protected by a Mutex, because when we mount a new filesystem, we need to check if a filesystem is already created for a given source_fd so we do a scan for that OpenFileDescription in that list. If we fail to find an already-created filesystem we create a new one and register it in the list if we successfully mounted it. We use a Mutex because we might need to initiate disk access during the filesystem creation, which will take other mutexes in other parts of the kernel, therefore making it not possible to take a spinlock while doing this.
2022-12-15 09:42:40 +00:00
fs_list.append(file_system);
Kernel/FileSystem: Fix kernel panic during FS init or mount failure Resolves issue where a panic would occur if the file system failed to initialize or mount, due to how the FileSystem was already added to VFS's list. The newly-created FileSystem destructor would fail as a result of the object still remaining in the IntrusiveList.
2023-01-08 00:19:43 +00:00
});
}
Kernel: Introduce support for using FileSystem object in multiple mounts The idea is to enable mounting FileSystem objects across multiple mounts in contrast to what happened until now - each mount has its own unique FileSystem object being attached to it. Considering a situation of mounting a block device at 2 different mount points at in system, there were a couple of critical flaws due to how the previous "design" worked: 1. BlockBasedFileSystem(s) that pointed to the same actual device had a separate DiskCache object being attached to them. Because both instances were not synchronized by any means, corruption of the filesystem is most likely achieveable by a simple cache flush of either of the instances. 2. For superblock-oriented filesystems (such as the ext2 filesystem), lack of synchronization between both instances can lead to severe corruption in the superblock, which could render the entire filesystem unusable. 3. Flags of a specific filesystem implementation (for example, with xfs on Linux, one can instruct to mount it with the discard option) must be honored across multiple mounts, to ensure expected behavior against a particular filesystem. This patch put the foundations to start fix the issues mentioned above. However, there are still major issues to solve, so this is only a start.
2022-08-19 21:03:24 +00:00
});
Kernel/FileSystem: Convert the mount table from Vector to IntrusiveList The fact that we used a Vector meant that even if creating a Mount object succeeded, we were still at a risk that appending to the actual mounts Vector could fail due to OOM condition. To guard against this, the mount table is now an IntrusiveList, which always means that when allocation of a Mount object succeeded, then inserting that object to the list will succeed, which allows us to fail early in case of OOM condition.
2022-11-21 20:10:56 +00:00
// NOTE: Leak the mount pointer so it can be added to the mount list, but it won't be
// deleted after being added.
mounts.append(*new_mount.leak_ptr());
Kernel: Replace KResult and KResultOr<T> with Error and ErrorOr<T> We now use AK::Error and AK::ErrorOr<T> in both kernel and userspace! This was a slightly tedious refactoring that took a long time, so it's not unlikely that some bugs crept in. Nevertheless, it does pass basic functionality testing, and it's just real nice to finally see the same pattern in all contexts. :^)
2021-11-07 23:51:39 +00:00
return {};
Kernel: Use ProtectedValue for VirtualFileSystem::m_mounts This is what VirtualFileSystem::m_lock was actually guarding, and wrapping it in a ProtectedValue makes it so much more obvious how it all works. :^)
2021-08-15 23:40:19 +00:00
});
Kernel: Some improvements to the mount syscall - You must now have superuser privileges to use mount(). - We now verify that the mount point is a valid path first, before trying to find a filesystem on the specified device. - Convert some dbgprintf() to dbg().
2019-08-02 17:03:50 +00:00
}
Kernel+LibCore+LibC: Split the mount syscall into multiple syscalls This is a preparation before we can create a usable mechanism to use filesystem-specific mount flags. To keep some compatibility with userland code, LibC and LibCore mount functions are kept being usable, but now instead of doing an "atomic" syscall, they do multiple syscalls to perform the complete procedure of mounting a filesystem. The FileBackedFileSystem IntrusiveList in the VFS code is now changed to be protected by a Mutex, because when we mount a new filesystem, we need to check if a filesystem is already created for a given source_fd so we do a scan for that OpenFileDescription in that list. If we fail to find an already-created filesystem we create a new one and register it in the list if we successfully mounted it. We use a Mutex because we might need to initiate disk access during the filesystem creation, which will take other mutexes in other parts of the kernel, therefore making it not possible to take a spinlock while doing this.
2022-12-15 09:42:40 +00:00
ErrorOr<void> VirtualFileSystem::mount(MountFile& mount_file, OpenFileDescription* source_description, Custody& mount_point, int flags)
{
auto const& file_system_initializer = mount_file.file_system_initializer();
if (!source_description) {
if (file_system_initializer.requires_open_file_description)
return ENOTSUP;
if (!file_system_initializer.create)
return ENOTSUP;
RefPtr<FileSystem> fs;
TRY(mount_file.mount_file_system_specific_data().with_exclusive([&](auto& mount_specific_data) -> ErrorOr<void> {
fs = TRY(file_system_initializer.create(mount_specific_data->bytes()));
return {};
}));
VERIFY(fs);
TRY(fs->initialize());
TRY(add_file_system_to_mount_table(*fs, mount_point, flags));
return {};
}
// NOTE: Although it might be OK to support creating filesystems
// without providing an actual file descriptor to their create() method
// because the caller of this function actually supplied a valid file descriptor,
// this will only make things complicated in the future, so we should block
// this kind of behavior.
if (!file_system_initializer.requires_open_file_description)
return ENOTSUP;
if (file_system_initializer.requires_block_device && !source_description->file().is_block_device())
return ENOTBLK;
if (file_system_initializer.requires_seekable_file && !source_description->file().is_seekable()) {
dbgln("mount: this is not a seekable file");
return ENODEV;
}
// NOTE: If there's an associated file description with the filesystem, we could
// try to first find it from the VirtualFileSystem filesystem list and if it was not found,
// then create it and add it.
VERIFY(file_system_initializer.create_with_fd);
return m_file_backed_file_systems_list.with_exclusive([&](auto& list) -> ErrorOr<void> {
RefPtr<FileSystem> fs;
for (auto& node : list) {
if ((&node.file_description() == source_description) || (&node.file() == &source_description->file())) {
fs = node;
break;
}
}
if (!fs) {
TRY(mount_file.mount_file_system_specific_data().with_exclusive([&](auto& mount_specific_data) -> ErrorOr<void> {
fs = TRY(file_system_initializer.create_with_fd(*source_description, mount_specific_data->bytes()));
return {};
}));
TRY(fs->initialize());
}
TRY(add_file_system_to_mount_table(*fs, mount_point, flags));
list.append(static_cast<FileBackedFileSystem&>(*fs));
return {};
});
}
Kernel: Replace KResult and KResultOr<T> with Error and ErrorOr<T> We now use AK::Error and AK::ErrorOr<T> in both kernel and userspace! This was a slightly tedious refactoring that took a long time, so it's not unlikely that some bugs crept in. Nevertheless, it does pass basic functionality testing, and it's just real nice to finally see the same pattern in all contexts. :^)
2021-11-07 23:51:39 +00:00
ErrorOr<void> VirtualFileSystem::bind_mount(Custody& source, Custody& mount_point, int flags)
Kernel: Implement bind mounts You can now bind-mount files and directories. This essentially exposes an existing part of the file system in another place, and can be used as an alternative to symlinks or hardlinks. Here's an example of doing this: # mkdir /tmp/foo # mount /home/anon/myfile.txt /tmp/foo -o bind # cat /tmp/foo This is anon's file.
2020-01-11 16:08:35 +00:00
{
Kernel: Use RefPtr instead of LockRefPtr for Custody By protecting all the RefPtr<Custody> objects that may be accessed from multiple threads at the same time (with spinlocks), we remove the need for using LockRefPtr<Custody> (which is basically a RefPtr with a built-in spinlock.)
2022-08-20 23:04:35 +00:00
auto new_mount = TRY(adopt_nonnull_own_or_enomem(new (nothrow) Mount(source.inode(), mount_point, flags)));
Kernel: Protect mounted filesystem list with spinlock instead of mutex
2022-02-03 00:37:46 +00:00
return m_mounts.with([&](auto& mounts) -> ErrorOr<void> {
Kernel/VFS: Check that mount-point is not in use Before committing the mount, verify that this host i-node is not already a mount-point.
2022-08-10 15:50:23 +00:00
auto& inode = mount_point.inode();
dbgln("VirtualFileSystem: Bind-mounting inode {} at inode {}", source.inode().identifier(), inode.identifier());
Kernel/VFS: Ensure Custodies' absolute path don't match before mounting This ensures that the host mount point custody path is not the same like the new to-be-mounted custody. A scenario that could happen before adding this check is: ``` mkdir -p /tmp2 mount /dev/hda /tmp2/ mount /dev/hda /tmp2/ mount /dev/hda /tmp2/ # this will fail here ``` and after adding this check, the following scenario is now this: ``` mkdir -p /tmp2 mount /dev/hda /tmp2/ mount /dev/hda /tmp2/ # this will fail here mount /dev/hda /tmp2/ # this will fail here too ```
2023-08-04 11:54:52 +00:00
if (mount_point_exists_at_custody(mount_point)) {
Kernel/VFS: Check that mount-point is not in use Before committing the mount, verify that this host i-node is not already a mount-point.
2022-08-10 15:50:23 +00:00
dbgln("VirtualFileSystem: Bind-mounting unsuccessful - inode {} is already a mount-point.",
mount_point.inode().identifier());
return EBUSY;
}
Kernel/FileSystem: Convert the mount table from Vector to IntrusiveList The fact that we used a Vector meant that even if creating a Mount object succeeded, we were still at a risk that appending to the actual mounts Vector could fail due to OOM condition. To guard against this, the mount table is now an IntrusiveList, which always means that when allocation of a Mount object succeeded, then inserting that object to the list will succeed, which allows us to fail early in case of OOM condition.
2022-11-21 20:10:56 +00:00
Kernel/VirtualFileSystem: Count bind mounts towards normal FS mountcount This is correct since unmount doesn't treat bind mounts specially. If we don't do this, unmounting bind mounts will call prepare_for_last_unmount() on the guest FS much too early, which will most likely fail due to a busy file system.
2023-06-17 15:48:10 +00:00
// A bind mount also counts as a normal mount from the perspective of unmount(),
// so we need to keep track of it in order for prepare_to_clear_last_mount() to work properly.
new_mount->guest_fs().mounted_count({}).with([&](auto& count) { count++; });
Kernel/FileSystem: Convert the mount table from Vector to IntrusiveList The fact that we used a Vector meant that even if creating a Mount object succeeded, we were still at a risk that appending to the actual mounts Vector could fail due to OOM condition. To guard against this, the mount table is now an IntrusiveList, which always means that when allocation of a Mount object succeeded, then inserting that object to the list will succeed, which allows us to fail early in case of OOM condition.
2022-11-21 20:10:56 +00:00
// NOTE: Leak the mount pointer so it can be added to the mount list, but it won't be
// deleted after being added.
mounts.append(*new_mount.leak_ptr());
Kernel: Replace KResult and KResultOr<T> with Error and ErrorOr<T> We now use AK::Error and AK::ErrorOr<T> in both kernel and userspace! This was a slightly tedious refactoring that took a long time, so it's not unlikely that some bugs crept in. Nevertheless, it does pass basic functionality testing, and it's just real nice to finally see the same pattern in all contexts. :^)
2021-11-07 23:51:39 +00:00
return {};
Kernel: Use ProtectedValue for VirtualFileSystem::m_mounts This is what VirtualFileSystem::m_lock was actually guarding, and wrapping it in a ProtectedValue makes it so much more obvious how it all works. :^)
2021-08-15 23:40:19 +00:00
});
Kernel: Implement bind mounts You can now bind-mount files and directories. This essentially exposes an existing part of the file system in another place, and can be used as an alternative to symlinks or hardlinks. Here's an example of doing this: # mkdir /tmp/foo # mount /home/anon/myfile.txt /tmp/foo -o bind # cat /tmp/foo This is anon's file.
2020-01-11 16:08:35 +00:00
}
Kernel: Replace KResult and KResultOr<T> with Error and ErrorOr<T> We now use AK::Error and AK::ErrorOr<T> in both kernel and userspace! This was a slightly tedious refactoring that took a long time, so it's not unlikely that some bugs crept in. Nevertheless, it does pass basic functionality testing, and it's just real nice to finally see the same pattern in all contexts. :^)
2021-11-07 23:51:39 +00:00
ErrorOr<void> VirtualFileSystem::remount(Custody& mount_point, int new_flags)
Kernel+Userland: Support remounting filesystems :^) This makes it possible to change flags of a mount after the fact, with the caveats outlined in the man page.
2020-05-28 18:12:13 +00:00
{
Kernel: Improvements to Custody absolute path serialization - Renamed try_create_absolute_path() => try_serialize_absolute_path() - Use KResultOr and TRY() to propagate errors - Don't call this when it's only for debug logging
2021-09-06 10:24:36 +00:00
dbgln("VirtualFileSystem: Remounting inode {}", mount_point.inode().identifier());
Kernel+Userland: Support remounting filesystems :^) This makes it possible to change flags of a mount after the fact, with the caveats outlined in the man page.
2020-05-28 18:12:13 +00:00
Kernel/VFS: Ensure working with mount entry per a custody is safe Previously we could get a raw pointer to a Mount object which might be invalid when actually dereferencing it. To ensure this could not happen, we should just use a callback that will be used immediately after finding the appropriate Mount entry, while holding the mount table lock.
2023-08-04 19:57:25 +00:00
TRY(apply_to_mount_for_host_custody(mount_point, [new_flags](auto& mount) {
mount.set_flags(new_flags);
}));
Kernel: Replace KResult and KResultOr<T> with Error and ErrorOr<T> We now use AK::Error and AK::ErrorOr<T> in both kernel and userspace! This was a slightly tedious refactoring that took a long time, so it's not unlikely that some bugs crept in. Nevertheless, it does pass basic functionality testing, and it's just real nice to finally see the same pattern in all contexts. :^)
2021-11-07 23:51:39 +00:00
return {};
Kernel+Userland: Support remounting filesystems :^) This makes it possible to change flags of a mount after the fact, with the caveats outlined in the man page.
2020-05-28 18:12:13 +00:00
}
Kernel/FileSystem: Discard safely filesystems when unmounted last time This commit reached that goal of "safely discarding" a filesystem by doing the following: 1. Stop using the s_file_system_map HashMap as it was an unsafe measure to access pointers of FileSystems. Instead, make sure to register all FileSystems at the VFS layer, with an IntrusiveList, to avoid problems related to OOM conditions. 2. Make sure to cleanly remove the DiskCache object from a BlockBased filesystem, so the destructor of such object will not need to do that in the destruction point. 3. For ext2 filesystems, don't cache the root inode at m_inode_cache HashMap. The reason for this is that when unmounting an ext2 filesystem, we lookup at the cache to see if there's a reference to a cached inode and if that's the case, we fail with EBUSY. If we keep the m_root_inode also being referenced at the m_inode_cache map, we have 2 references to that object, which will lead to fail with EBUSY. Also, it's much simpler to always ask for a root inode and get it immediately from m_root_inode, instead of looking up the cache for that inode.
2022-08-20 06:28:02 +00:00
void VirtualFileSystem::sync_filesystems()
{
Kernel: Stop using *LockRefPtr for FileSystem pointers There was only one permanent storage location for these: as a member in the Mount class. That member is never modified after Mount initialization, so we don't need to worry about races there.
2023-04-02 15:25:09 +00:00
Vector<NonnullRefPtr<FileSystem>, 32> file_systems;
Kernel/FileSystem: Discard safely filesystems when unmounted last time This commit reached that goal of "safely discarding" a filesystem by doing the following: 1. Stop using the s_file_system_map HashMap as it was an unsafe measure to access pointers of FileSystems. Instead, make sure to register all FileSystems at the VFS layer, with an IntrusiveList, to avoid problems related to OOM conditions. 2. Make sure to cleanly remove the DiskCache object from a BlockBased filesystem, so the destructor of such object will not need to do that in the destruction point. 3. For ext2 filesystems, don't cache the root inode at m_inode_cache HashMap. The reason for this is that when unmounting an ext2 filesystem, we lookup at the cache to see if there's a reference to a cached inode and if that's the case, we fail with EBUSY. If we keep the m_root_inode also being referenced at the m_inode_cache map, we have 2 references to that object, which will lead to fail with EBUSY. Also, it's much simpler to always ask for a root inode and get it immediately from m_root_inode, instead of looking up the cache for that inode.
2022-08-20 06:28:02 +00:00
m_file_systems_list.with([&](auto const& list) {
for (auto& fs : list)
file_systems.append(fs);
});
Kernel: Allow Ext2FS::flush_writes() to return ErrorOr<void>
2023-08-01 06:48:43 +00:00
for (auto& fs : file_systems) {
auto result = fs->flush_writes();
if (result.is_error()) {
Kernel: Run clang-format on a couple of FileSystem sources Fixes bad formatting in commit abcf05801ad259c06197b9ef54a76e58cf319509.
2023-08-25 12:30:04 +00:00
// TODO: Figure out how to propagate error to a higher function.
Kernel: Allow Ext2FS::flush_writes() to return ErrorOr<void>
2023-08-01 06:48:43 +00:00
}
}
Kernel/FileSystem: Discard safely filesystems when unmounted last time This commit reached that goal of "safely discarding" a filesystem by doing the following: 1. Stop using the s_file_system_map HashMap as it was an unsafe measure to access pointers of FileSystems. Instead, make sure to register all FileSystems at the VFS layer, with an IntrusiveList, to avoid problems related to OOM conditions. 2. Make sure to cleanly remove the DiskCache object from a BlockBased filesystem, so the destructor of such object will not need to do that in the destruction point. 3. For ext2 filesystems, don't cache the root inode at m_inode_cache HashMap. The reason for this is that when unmounting an ext2 filesystem, we lookup at the cache to see if there's a reference to a cached inode and if that's the case, we fail with EBUSY. If we keep the m_root_inode also being referenced at the m_inode_cache map, we have 2 references to that object, which will lead to fail with EBUSY. Also, it's much simpler to always ask for a root inode and get it immediately from m_root_inode, instead of looking up the cache for that inode.
2022-08-20 06:28:02 +00:00
}
void VirtualFileSystem::lock_all_filesystems()
{
Kernel: Stop using *LockRefPtr for FileSystem pointers There was only one permanent storage location for these: as a member in the Mount class. That member is never modified after Mount initialization, so we don't need to worry about races there.
2023-04-02 15:25:09 +00:00
Vector<NonnullRefPtr<FileSystem>, 32> file_systems;
Kernel/FileSystem: Discard safely filesystems when unmounted last time This commit reached that goal of "safely discarding" a filesystem by doing the following: 1. Stop using the s_file_system_map HashMap as it was an unsafe measure to access pointers of FileSystems. Instead, make sure to register all FileSystems at the VFS layer, with an IntrusiveList, to avoid problems related to OOM conditions. 2. Make sure to cleanly remove the DiskCache object from a BlockBased filesystem, so the destructor of such object will not need to do that in the destruction point. 3. For ext2 filesystems, don't cache the root inode at m_inode_cache HashMap. The reason for this is that when unmounting an ext2 filesystem, we lookup at the cache to see if there's a reference to a cached inode and if that's the case, we fail with EBUSY. If we keep the m_root_inode also being referenced at the m_inode_cache map, we have 2 references to that object, which will lead to fail with EBUSY. Also, it's much simpler to always ask for a root inode and get it immediately from m_root_inode, instead of looking up the cache for that inode.
2022-08-20 06:28:02 +00:00
m_file_systems_list.with([&](auto const& list) {
for (auto& fs : list)
file_systems.append(fs);
});
for (auto& fs : file_systems)
Kernel: Stop using NonnullLockRefPtrVector
2023-03-06 16:56:28 +00:00
fs->m_lock.lock();
Kernel/FileSystem: Discard safely filesystems when unmounted last time This commit reached that goal of "safely discarding" a filesystem by doing the following: 1. Stop using the s_file_system_map HashMap as it was an unsafe measure to access pointers of FileSystems. Instead, make sure to register all FileSystems at the VFS layer, with an IntrusiveList, to avoid problems related to OOM conditions. 2. Make sure to cleanly remove the DiskCache object from a BlockBased filesystem, so the destructor of such object will not need to do that in the destruction point. 3. For ext2 filesystems, don't cache the root inode at m_inode_cache HashMap. The reason for this is that when unmounting an ext2 filesystem, we lookup at the cache to see if there's a reference to a cached inode and if that's the case, we fail with EBUSY. If we keep the m_root_inode also being referenced at the m_inode_cache map, we have 2 references to that object, which will lead to fail with EBUSY. Also, it's much simpler to always ask for a root inode and get it immediately from m_root_inode, instead of looking up the cache for that inode.
2022-08-20 06:28:02 +00:00
}
Kernel: Introduce support for using FileSystem object in multiple mounts The idea is to enable mounting FileSystem objects across multiple mounts in contrast to what happened until now - each mount has its own unique FileSystem object being attached to it. Considering a situation of mounting a block device at 2 different mount points at in system, there were a couple of critical flaws due to how the previous "design" worked: 1. BlockBasedFileSystem(s) that pointed to the same actual device had a separate DiskCache object being attached to them. Because both instances were not synchronized by any means, corruption of the filesystem is most likely achieveable by a simple cache flush of either of the instances. 2. For superblock-oriented filesystems (such as the ext2 filesystem), lack of synchronization between both instances can lead to severe corruption in the superblock, which could render the entire filesystem unusable. 3. Flags of a specific filesystem implementation (for example, with xfs on Linux, one can instruct to mount it with the discard option) must be honored across multiple mounts, to ensure expected behavior against a particular filesystem. This patch put the foundations to start fix the issues mentioned above. However, there are still major issues to solve, so this is only a start.
2022-08-19 21:03:24 +00:00
ErrorOr<void> VirtualFileSystem::unmount(Custody& mountpoint_custody)
Kernel: Added unmount ability to VFS It is now possible to unmount file systems from the VFS via `umount`. It works via looking up the `fsid` of the filesystem from the `Inode`'s metatdata so I'm not sure how fragile it is. It seems to work for now though as something to get us going.
2019-08-11 13:56:39 +00:00
{
Kernel: Introduce support for using FileSystem object in multiple mounts The idea is to enable mounting FileSystem objects across multiple mounts in contrast to what happened until now - each mount has its own unique FileSystem object being attached to it. Considering a situation of mounting a block device at 2 different mount points at in system, there were a couple of critical flaws due to how the previous "design" worked: 1. BlockBasedFileSystem(s) that pointed to the same actual device had a separate DiskCache object being attached to them. Because both instances were not synchronized by any means, corruption of the filesystem is most likely achieveable by a simple cache flush of either of the instances. 2. For superblock-oriented filesystems (such as the ext2 filesystem), lack of synchronization between both instances can lead to severe corruption in the superblock, which could render the entire filesystem unusable. 3. Flags of a specific filesystem implementation (for example, with xfs on Linux, one can instruct to mount it with the discard option) must be honored across multiple mounts, to ensure expected behavior against a particular filesystem. This patch put the foundations to start fix the issues mentioned above. However, there are still major issues to solve, so this is only a start.
2022-08-19 21:03:24 +00:00
auto& guest_inode = mountpoint_custody.inode();
auto custody_path = TRY(mountpoint_custody.try_serialize_absolute_path());
Kernel/VirtualFileSystem: Allow unmounting via inode and mount path This pair of information uniquely identifies any mount point, and it can be used in situations where mount point custodies are not available.
2023-06-17 16:17:00 +00:00
return unmount(guest_inode, custody_path->view());
}
Kernel: Do the umount() by the guest's root inode identifier It was previously possible to unmount a filesystem mounted on /mnt by doing e.g "umount /mnt/some/path".
2019-08-17 12:24:50 +00:00
Kernel/VirtualFileSystem: Allow unmounting via inode and mount path This pair of information uniquely identifies any mount point, and it can be used in situations where mount point custodies are not available.
2023-06-17 16:17:00 +00:00
ErrorOr<void> VirtualFileSystem::unmount(Inode& guest_inode, StringView custody_path)
{
Kernel+LibCore+LibC: Split the mount syscall into multiple syscalls This is a preparation before we can create a usable mechanism to use filesystem-specific mount flags. To keep some compatibility with userland code, LibC and LibCore mount functions are kept being usable, but now instead of doing an "atomic" syscall, they do multiple syscalls to perform the complete procedure of mounting a filesystem. The FileBackedFileSystem IntrusiveList in the VFS code is now changed to be protected by a Mutex, because when we mount a new filesystem, we need to check if a filesystem is already created for a given source_fd so we do a scan for that OpenFileDescription in that list. If we fail to find an already-created filesystem we create a new one and register it in the list if we successfully mounted it. We use a Mutex because we might need to initiate disk access during the filesystem creation, which will take other mutexes in other parts of the kernel, therefore making it not possible to take a spinlock while doing this.
2022-12-15 09:42:40 +00:00
return m_file_backed_file_systems_list.with_exclusive([&](auto& file_backed_fs_list) -> ErrorOr<void> {
TRY(m_mounts.with([&](auto& mounts) -> ErrorOr<void> {
for (auto& mount : mounts) {
if (&mount.guest() != &guest_inode)
continue;
auto mountpoint_path = TRY(mount.absolute_path());
Kernel/VirtualFileSystem: Allow unmounting via inode and mount path This pair of information uniquely identifies any mount point, and it can be used in situations where mount point custodies are not available.
2023-06-17 16:17:00 +00:00
if (custody_path != mountpoint_path->view())
Kernel+LibCore+LibC: Split the mount syscall into multiple syscalls This is a preparation before we can create a usable mechanism to use filesystem-specific mount flags. To keep some compatibility with userland code, LibC and LibCore mount functions are kept being usable, but now instead of doing an "atomic" syscall, they do multiple syscalls to perform the complete procedure of mounting a filesystem. The FileBackedFileSystem IntrusiveList in the VFS code is now changed to be protected by a Mutex, because when we mount a new filesystem, we need to check if a filesystem is already created for a given source_fd so we do a scan for that OpenFileDescription in that list. If we fail to find an already-created filesystem we create a new one and register it in the list if we successfully mounted it. We use a Mutex because we might need to initiate disk access during the filesystem creation, which will take other mutexes in other parts of the kernel, therefore making it not possible to take a spinlock while doing this.
2022-12-15 09:42:40 +00:00
continue;
NonnullRefPtr<FileSystem> fs = mount.guest_fs();
Kernel/FileSystem: Pass last mount point guest inode to unmount prepare This will be important later on when we check file system busyness.
2023-07-02 12:23:53 +00:00
TRY(fs->prepare_to_unmount(mount.guest()));
Kernel+LibCore+LibC: Split the mount syscall into multiple syscalls This is a preparation before we can create a usable mechanism to use filesystem-specific mount flags. To keep some compatibility with userland code, LibC and LibCore mount functions are kept being usable, but now instead of doing an "atomic" syscall, they do multiple syscalls to perform the complete procedure of mounting a filesystem. The FileBackedFileSystem IntrusiveList in the VFS code is now changed to be protected by a Mutex, because when we mount a new filesystem, we need to check if a filesystem is already created for a given source_fd so we do a scan for that OpenFileDescription in that list. If we fail to find an already-created filesystem we create a new one and register it in the list if we successfully mounted it. We use a Mutex because we might need to initiate disk access during the filesystem creation, which will take other mutexes in other parts of the kernel, therefore making it not possible to take a spinlock while doing this.
2022-12-15 09:42:40 +00:00
fs->mounted_count({}).with([&](auto& mounted_count) {
VERIFY(mounted_count > 0);
if (mounted_count == 1) {
dbgln("VirtualFileSystem: Unmounting file system {} for the last time...", fs->fsid());
m_file_systems_list.with([&](auto& list) {
list.remove(*fs);
Kernel/FileSystem: Discard safely filesystems when unmounted last time This commit reached that goal of "safely discarding" a filesystem by doing the following: 1. Stop using the s_file_system_map HashMap as it was an unsafe measure to access pointers of FileSystems. Instead, make sure to register all FileSystems at the VFS layer, with an IntrusiveList, to avoid problems related to OOM conditions. 2. Make sure to cleanly remove the DiskCache object from a BlockBased filesystem, so the destructor of such object will not need to do that in the destruction point. 3. For ext2 filesystems, don't cache the root inode at m_inode_cache HashMap. The reason for this is that when unmounting an ext2 filesystem, we lookup at the cache to see if there's a reference to a cached inode and if that's the case, we fail with EBUSY. If we keep the m_root_inode also being referenced at the m_inode_cache map, we have 2 references to that object, which will lead to fail with EBUSY. Also, it's much simpler to always ask for a root inode and get it immediately from m_root_inode, instead of looking up the cache for that inode.
2022-08-20 06:28:02 +00:00
});
Kernel+LibCore+LibC: Split the mount syscall into multiple syscalls This is a preparation before we can create a usable mechanism to use filesystem-specific mount flags. To keep some compatibility with userland code, LibC and LibCore mount functions are kept being usable, but now instead of doing an "atomic" syscall, they do multiple syscalls to perform the complete procedure of mounting a filesystem. The FileBackedFileSystem IntrusiveList in the VFS code is now changed to be protected by a Mutex, because when we mount a new filesystem, we need to check if a filesystem is already created for a given source_fd so we do a scan for that OpenFileDescription in that list. If we fail to find an already-created filesystem we create a new one and register it in the list if we successfully mounted it. We use a Mutex because we might need to initiate disk access during the filesystem creation, which will take other mutexes in other parts of the kernel, therefore making it not possible to take a spinlock while doing this.
2022-12-15 09:42:40 +00:00
if (fs->is_file_backed()) {
dbgln("VirtualFileSystem: Unmounting file backed file system {} for the last time...", fs->fsid());
auto& file_backed_fs = static_cast<FileBackedFileSystem&>(*fs);
file_backed_fs_list.remove(file_backed_fs);
}
} else {
mounted_count--;
Kernel/FileSystem: Discard safely filesystems when unmounted last time This commit reached that goal of "safely discarding" a filesystem by doing the following: 1. Stop using the s_file_system_map HashMap as it was an unsafe measure to access pointers of FileSystems. Instead, make sure to register all FileSystems at the VFS layer, with an IntrusiveList, to avoid problems related to OOM conditions. 2. Make sure to cleanly remove the DiskCache object from a BlockBased filesystem, so the destructor of such object will not need to do that in the destruction point. 3. For ext2 filesystems, don't cache the root inode at m_inode_cache HashMap. The reason for this is that when unmounting an ext2 filesystem, we lookup at the cache to see if there's a reference to a cached inode and if that's the case, we fail with EBUSY. If we keep the m_root_inode also being referenced at the m_inode_cache map, we have 2 references to that object, which will lead to fail with EBUSY. Also, it's much simpler to always ask for a root inode and get it immediately from m_root_inode, instead of looking up the cache for that inode.
2022-08-20 06:28:02 +00:00
}
Kernel+LibCore+LibC: Split the mount syscall into multiple syscalls This is a preparation before we can create a usable mechanism to use filesystem-specific mount flags. To keep some compatibility with userland code, LibC and LibCore mount functions are kept being usable, but now instead of doing an "atomic" syscall, they do multiple syscalls to perform the complete procedure of mounting a filesystem. The FileBackedFileSystem IntrusiveList in the VFS code is now changed to be protected by a Mutex, because when we mount a new filesystem, we need to check if a filesystem is already created for a given source_fd so we do a scan for that OpenFileDescription in that list. If we fail to find an already-created filesystem we create a new one and register it in the list if we successfully mounted it. We use a Mutex because we might need to initiate disk access during the filesystem creation, which will take other mutexes in other parts of the kernel, therefore making it not possible to take a spinlock while doing this.
2022-12-15 09:42:40 +00:00
});
dbgln("VirtualFileSystem: Unmounting file system {}...", fs->fsid());
mount.m_vfs_list_node.remove();
// NOTE: This is balanced by a `new` statement that is happening in various places before inserting the Mount object to the list.
delete &mount;
return {};
}
dbgln("VirtualFileSystem: Nothing mounted on inode {}", guest_inode.identifier());
return ENODEV;
}));
return {};
Kernel: Use ProtectedValue for VirtualFileSystem::m_mounts This is what VirtualFileSystem::m_lock was actually guarding, and wrapping it in a ProtectedValue makes it so much more obvious how it all works. :^)
2021-08-15 23:40:19 +00:00
});
Kernel: Added unmount ability to VFS It is now possible to unmount file systems from the VFS via `umount`. It works via looking up the `fsid` of the filesystem from the `Inode`'s metatdata so I'm not sure how fragile it is. It seems to work for now though as something to get us going.
2019-08-11 13:56:39 +00:00
}
Kernel: Replace KResult and KResultOr<T> with Error and ErrorOr<T> We now use AK::Error and AK::ErrorOr<T> in both kernel and userspace! This was a slightly tedious refactoring that took a long time, so it's not unlikely that some bugs crept in. Nevertheless, it does pass basic functionality testing, and it's just real nice to finally see the same pattern in all contexts. :^)
2021-11-07 23:51:39 +00:00
ErrorOr<void> VirtualFileSystem::mount_root(FileSystem& fs)
Import all this stuff into a single repo called Serenity.
2018-10-10 09:53:07 +00:00
{
Get rid of Vnode concept. We already have an abstraction between Process and Inode/CharacterDevice/FIFO and it's called FileDescriptor. :^)
2019-01-16 11:57:07 +00:00
if (m_root_inode) {
Kernel: Rename VFS => VirtualFileSystem
2021-07-10 22:25:24 +00:00
dmesgln("VirtualFileSystem: mount_root can't mount another root");
Kernel: Tidy up VirtualFileSystem::mount_root() a little bit - Return KResult instead of bool - Use TRY()
2021-09-05 12:46:44 +00:00
return EEXIST;
Import all this stuff into a single repo called Serenity.
2018-10-10 09:53:07 +00:00
}
Kernel: Use RefPtr instead of LockRefPtr for Custody By protecting all the RefPtr<Custody> objects that may be accessed from multiple threads at the same time (with spinlocks), we remove the need for using LockRefPtr<Custody> (which is basically a RefPtr with a built-in spinlock.)
2022-08-20 23:04:35 +00:00
auto new_mount = TRY(adopt_nonnull_own_or_enomem(new (nothrow) Mount(fs, nullptr, root_mount_flags)));
Kernel: Make FileSystem::root_inode() return a plain Inode& All file system classes are expected to keep their root Inode object in memory, so this function can safely return an Inode&.
2021-07-17 23:50:47 +00:00
auto& root_inode = fs.root_inode();
if (!root_inode.is_directory()) {
dmesgln("VirtualFileSystem: root inode ({}) for / is not a directory :(", root_inode.identifier());
Kernel: Tidy up VirtualFileSystem::mount_root() a little bit - Return KResult instead of bool - Use TRY()
2021-09-05 12:46:44 +00:00
return ENOTDIR;
Import all this stuff into a single repo called Serenity.
2018-10-10 09:53:07 +00:00
}
Kernel: Make FileSystem::root_inode() return a plain Inode& All file system classes are expected to keep their root Inode object in memory, so this function can safely return an Inode&.
2021-07-17 23:50:47 +00:00
m_root_inode = root_inode;
Kernel: Append root filesystem to the VFS FileBackedFileSystem list
2022-08-19 21:11:59 +00:00
if (fs.is_file_backed()) {
Kernel/FileSystem: Discard safely filesystems when unmounted last time This commit reached that goal of "safely discarding" a filesystem by doing the following: 1. Stop using the s_file_system_map HashMap as it was an unsafe measure to access pointers of FileSystems. Instead, make sure to register all FileSystems at the VFS layer, with an IntrusiveList, to avoid problems related to OOM conditions. 2. Make sure to cleanly remove the DiskCache object from a BlockBased filesystem, so the destructor of such object will not need to do that in the destruction point. 3. For ext2 filesystems, don't cache the root inode at m_inode_cache HashMap. The reason for this is that when unmounting an ext2 filesystem, we lookup at the cache to see if there's a reference to a cached inode and if that's the case, we fail with EBUSY. If we keep the m_root_inode also being referenced at the m_inode_cache map, we have 2 references to that object, which will lead to fail with EBUSY. Also, it's much simpler to always ask for a root inode and get it immediately from m_root_inode, instead of looking up the cache for that inode.
2022-08-20 06:28:02 +00:00
auto pseudo_path = TRY(static_cast<FileBackedFileSystem&>(fs).file_description().pseudo_path());
dmesgln("VirtualFileSystem: mounted root({}) from {} ({})", fs.fsid(), fs.class_name(), pseudo_path);
Kernel+LibCore+LibC: Split the mount syscall into multiple syscalls This is a preparation before we can create a usable mechanism to use filesystem-specific mount flags. To keep some compatibility with userland code, LibC and LibCore mount functions are kept being usable, but now instead of doing an "atomic" syscall, they do multiple syscalls to perform the complete procedure of mounting a filesystem. The FileBackedFileSystem IntrusiveList in the VFS code is now changed to be protected by a Mutex, because when we mount a new filesystem, we need to check if a filesystem is already created for a given source_fd so we do a scan for that OpenFileDescription in that list. If we fail to find an already-created filesystem we create a new one and register it in the list if we successfully mounted it. We use a Mutex because we might need to initiate disk access during the filesystem creation, which will take other mutexes in other parts of the kernel, therefore making it not possible to take a spinlock while doing this.
2022-12-15 09:42:40 +00:00
m_file_backed_file_systems_list.with_exclusive([&](auto& list) {
Kernel: Append root filesystem to the VFS FileBackedFileSystem list
2022-08-19 21:11:59 +00:00
list.append(static_cast<FileBackedFileSystem&>(fs));
});
Kernel/FileSystem: Discard safely filesystems when unmounted last time This commit reached that goal of "safely discarding" a filesystem by doing the following: 1. Stop using the s_file_system_map HashMap as it was an unsafe measure to access pointers of FileSystems. Instead, make sure to register all FileSystems at the VFS layer, with an IntrusiveList, to avoid problems related to OOM conditions. 2. Make sure to cleanly remove the DiskCache object from a BlockBased filesystem, so the destructor of such object will not need to do that in the destruction point. 3. For ext2 filesystems, don't cache the root inode at m_inode_cache HashMap. The reason for this is that when unmounting an ext2 filesystem, we lookup at the cache to see if there's a reference to a cached inode and if that's the case, we fail with EBUSY. If we keep the m_root_inode also being referenced at the m_inode_cache map, we have 2 references to that object, which will lead to fail with EBUSY. Also, it's much simpler to always ask for a root inode and get it immediately from m_root_inode, instead of looking up the cache for that inode.
2022-08-20 06:28:02 +00:00
} else {
dmesgln("VirtualFileSystem: mounted root({}) from {}", fs.fsid(), fs.class_name());
Kernel: Append root filesystem to the VFS FileBackedFileSystem list
2022-08-19 21:11:59 +00:00
}
Kernel/FileSystem: Discard safely filesystems when unmounted last time This commit reached that goal of "safely discarding" a filesystem by doing the following: 1. Stop using the s_file_system_map HashMap as it was an unsafe measure to access pointers of FileSystems. Instead, make sure to register all FileSystems at the VFS layer, with an IntrusiveList, to avoid problems related to OOM conditions. 2. Make sure to cleanly remove the DiskCache object from a BlockBased filesystem, so the destructor of such object will not need to do that in the destruction point. 3. For ext2 filesystems, don't cache the root inode at m_inode_cache HashMap. The reason for this is that when unmounting an ext2 filesystem, we lookup at the cache to see if there's a reference to a cached inode and if that's the case, we fail with EBUSY. If we keep the m_root_inode also being referenced at the m_inode_cache map, we have 2 references to that object, which will lead to fail with EBUSY. Also, it's much simpler to always ask for a root inode and get it immediately from m_root_inode, instead of looking up the cache for that inode.
2022-08-20 06:28:02 +00:00
m_file_systems_list.with([&](auto& fs_list) {
fs_list.append(fs);
});
Kernel/FileSystem: Convert the mount table from Vector to IntrusiveList The fact that we used a Vector meant that even if creating a Mount object succeeded, we were still at a risk that appending to the actual mounts Vector could fail due to OOM condition. To guard against this, the mount table is now an IntrusiveList, which always means that when allocation of a Mount object succeeded, then inserting that object to the list will succeed, which allows us to fail early in case of OOM condition.
2022-11-21 20:10:56 +00:00
fs.mounted_count({}).with([&](auto& mounted_count) {
mounted_count++;
});
Kernel: Introduce support for using FileSystem object in multiple mounts The idea is to enable mounting FileSystem objects across multiple mounts in contrast to what happened until now - each mount has its own unique FileSystem object being attached to it. Considering a situation of mounting a block device at 2 different mount points at in system, there were a couple of critical flaws due to how the previous "design" worked: 1. BlockBasedFileSystem(s) that pointed to the same actual device had a separate DiskCache object being attached to them. Because both instances were not synchronized by any means, corruption of the filesystem is most likely achieveable by a simple cache flush of either of the instances. 2. For superblock-oriented filesystems (such as the ext2 filesystem), lack of synchronization between both instances can lead to severe corruption in the superblock, which could render the entire filesystem unusable. 3. Flags of a specific filesystem implementation (for example, with xfs on Linux, one can instruct to mount it with the discard option) must be honored across multiple mounts, to ensure expected behavior against a particular filesystem. This patch put the foundations to start fix the issues mentioned above. However, there are still major issues to solve, so this is only a start.
2022-08-19 21:03:24 +00:00
// Note: Actually add a mount for the filesystem and increment the filesystem mounted count
Kernel: Protect mounted filesystem list with spinlock instead of mutex
2022-02-03 00:37:46 +00:00
m_mounts.with([&](auto& mounts) {
Kernel/FileSystem: Convert the mount table from Vector to IntrusiveList The fact that we used a Vector meant that even if creating a Mount object succeeded, we were still at a risk that appending to the actual mounts Vector could fail due to OOM condition. To guard against this, the mount table is now an IntrusiveList, which always means that when allocation of a Mount object succeeded, then inserting that object to the list will succeed, which allows us to fail early in case of OOM condition.
2022-11-21 20:10:56 +00:00
// NOTE: Leak the mount pointer so it can be added to the mount list, but it won't be
// deleted after being added.
mounts.append(*new_mount.leak_ptr());
Kernel: Use ProtectedValue for VirtualFileSystem::m_mounts This is what VirtualFileSystem::m_lock was actually guarding, and wrapping it in a ProtectedValue makes it so much more obvious how it all works. :^)
2021-08-15 23:40:19 +00:00
});
Kernel: Plumb OOM propagation through Custody factory Modify the Custody::create(..) API so it has the ability to propagate OOM back to the caller.
2021-05-10 07:28:23 +00:00
Kernel: Use RefPtr instead of LockRefPtr for Custody By protecting all the RefPtr<Custody> objects that may be accessed from multiple threads at the same time (with spinlocks), we remove the need for using LockRefPtr<Custody> (which is basically a RefPtr with a built-in spinlock.)
2022-08-20 23:04:35 +00:00
RefPtr<Custody> new_root_custody = TRY(Custody::try_create(nullptr, ""sv, *m_root_inode, root_mount_flags));
m_root_custody.with([&](auto& root_custody) {
swap(root_custody, new_root_custody);
});
Kernel: Replace KResult and KResultOr<T> with Error and ErrorOr<T> We now use AK::Error and AK::ErrorOr<T> in both kernel and userspace! This was a slightly tedious refactoring that took a long time, so it's not unlikely that some bugs crept in. Nevertheless, it does pass basic functionality testing, and it's just real nice to finally see the same pattern in all contexts. :^)
2021-11-07 23:51:39 +00:00
return {};
Import all this stuff into a single repo called Serenity.
2018-10-10 09:53:07 +00:00
}
Kernel/VFS: Ensure working with mount entry per a custody is safe Previously we could get a raw pointer to a Mount object which might be invalid when actually dereferencing it. To ensure this could not happen, we should just use a callback that will be used immediately after finding the appropriate Mount entry, while holding the mount table lock.
2023-08-04 19:57:25 +00:00
ErrorOr<void> VirtualFileSystem::apply_to_mount_for_host_custody(Custody const& current_custody, Function<void(Mount&)> callback)
Import all this stuff into a single repo called Serenity.
2018-10-10 09:53:07 +00:00
{
Kernel/VFS: Ensure working with mount entry per a custody is safe Previously we could get a raw pointer to a Mount object which might be invalid when actually dereferencing it. To ensure this could not happen, we should just use a callback that will be used immediately after finding the appropriate Mount entry, while holding the mount table lock.
2023-08-04 19:57:25 +00:00
return m_mounts.with([&](auto& mounts) -> ErrorOr<void> {
Kernel/VFS: Check matching absolute path when jump to mount guest inode We could easily encounter a case where we do the following: ``` mkdir -p /tmp2 mount /dev/hda /tmp2 ``` would produce a bug that doing `ls /tmp2/tmp2` will give the contents on `/dev/hda` ext2 root directory and also on `/tmp2/tmp2/tmp2` and so on. To prevent this, we must compare the current custody against each mount entry's custody to ensure their paths match.
2023-08-04 19:03:24 +00:00
// NOTE: We either search for the root mount or for a mount that has a parent custody!
if (!current_custody.parent()) {
for (auto& mount : mounts) {
Kernel/VFS: Ensure working with mount entry per a custody is safe Previously we could get a raw pointer to a Mount object which might be invalid when actually dereferencing it. To ensure this could not happen, we should just use a callback that will be used immediately after finding the appropriate Mount entry, while holding the mount table lock.
2023-08-04 19:57:25 +00:00
if (!mount.host_custody()) {
callback(mount);
return {};
}
Kernel/VFS: Check matching absolute path when jump to mount guest inode We could easily encounter a case where we do the following: ``` mkdir -p /tmp2 mount /dev/hda /tmp2 ``` would produce a bug that doing `ls /tmp2/tmp2` will give the contents on `/dev/hda` ext2 root directory and also on `/tmp2/tmp2/tmp2` and so on. To prevent this, we must compare the current custody against each mount entry's custody to ensure their paths match.
2023-08-04 19:03:24 +00:00
}
// NOTE: There must be a root mount entry, so fail if we don't find it.
VERIFY_NOT_REACHED();
} else {
for (auto& mount : mounts) {
if (mount.host_custody() && check_matching_absolute_path_hierarchy(*mount.host_custody(), current_custody)) {
Kernel/VFS: Ensure working with mount entry per a custody is safe Previously we could get a raw pointer to a Mount object which might be invalid when actually dereferencing it. To ensure this could not happen, we should just use a callback that will be used immediately after finding the appropriate Mount entry, while holding the mount table lock.
2023-08-04 19:57:25 +00:00
callback(mount);
return {};
Kernel/VFS: Check matching absolute path when jump to mount guest inode We could easily encounter a case where we do the following: ``` mkdir -p /tmp2 mount /dev/hda /tmp2 ``` would produce a bug that doing `ls /tmp2/tmp2` will give the contents on `/dev/hda` ext2 root directory and also on `/tmp2/tmp2/tmp2` and so on. To prevent this, we must compare the current custody against each mount entry's custody to ensure their paths match.
2023-08-04 19:03:24 +00:00
}
}
Kernel: Use ProtectedValue for VirtualFileSystem::m_mounts This is what VirtualFileSystem::m_lock was actually guarding, and wrapping it in a ProtectedValue makes it so much more obvious how it all works. :^)
2021-08-15 23:40:19 +00:00
}
Kernel/VFS: Ensure working with mount entry per a custody is safe Previously we could get a raw pointer to a Mount object which might be invalid when actually dereferencing it. To ensure this could not happen, we should just use a callback that will be used immediately after finding the appropriate Mount entry, while holding the mount table lock.
2023-08-04 19:57:25 +00:00
return Error::from_errno(ENODEV);
Kernel: Use ProtectedValue for VirtualFileSystem::m_mounts This is what VirtualFileSystem::m_lock was actually guarding, and wrapping it in a ProtectedValue makes it so much more obvious how it all works. :^)
2021-08-15 23:40:19 +00:00
});
Kernel: Port mounts to reference inodes directly ...instead of going through their identifiers. See the previous commit for reasoning.
2020-06-24 21:16:24 +00:00
}
Kernel: Make Inode::traverse_as_directory() callback return ErrorOr This allows us to propagate errors from inside the callback with TRY().
2021-11-10 14:42:39 +00:00
ErrorOr<void> VirtualFileSystem::traverse_directory_inode(Inode& dir_inode, Function<ErrorOr<void>(FileSystem::DirectoryEntryView const&)> callback)
Import all this stuff into a single repo called Serenity.
2018-10-10 09:53:07 +00:00
{
Kernel: Make Inode::traverse_as_directory() callback return ErrorOr This allows us to propagate errors from inside the callback with TRY().
2021-11-10 14:42:39 +00:00
return dir_inode.traverse_as_directory([&](auto& entry) -> ErrorOr<void> {
Kernel/VFS: Don't resolve root inode mounts when traversing a directory This is not useful, as we have literally zero knowledge about where this inode is actually located at with respect to the entire global path tree so we could easily encounter a case where we do the following: ``` mkdir -p /tmp2 mount /dev/hda /tmp2 ``` and when traversing the /tmp2 directory entries, we will see the root inode of /dev/hda on "/tmp2/tmp2", even if it was not mounted. Therefore, we should just plainly give the raw directory entries as they are written "on the disk". Anything else that needs to exactly know if there's an underlying mounted filesystem, can just use the stat syscall instead.
2023-08-04 18:57:37 +00:00
TRY(callback({ entry.name, entry.inode, entry.file_type }));
Kernel: Make Inode::traverse_as_directory() callback return ErrorOr This allows us to propagate errors from inside the callback with TRY().
2021-11-10 14:42:39 +00:00
return {};
Import all this stuff into a single repo called Serenity.
2018-10-10 09:53:07 +00:00
});
}
Kernel: Make VirtualFileSystem functions take credentials as input Instead of getting credentials from Process::current(), we now require that they be provided as input to the various VFS functions. This ensures that an atomic set of credentials is used throughout an entire VFS operation.
2022-08-21 14:02:24 +00:00
ErrorOr<void> VirtualFileSystem::utime(Credentials const& credentials, StringView path, Custody& base, time_t atime, time_t mtime)
Kernel: Add file permission checks to utime() syscall.
2019-02-21 15:37:41 +00:00
{
Kernel: Make VirtualFileSystem functions take credentials as input Instead of getting credentials from Process::current(), we now require that they be provided as input to the various VFS functions. This ensures that an atomic set of credentials is used throughout an entire VFS operation.
2022-08-21 14:02:24 +00:00
auto custody = TRY(resolve_path(credentials, path, base));
Kernel: Use TRY() in VirtualFileSystem
2021-09-05 12:00:18 +00:00
auto& inode = custody->inode();
Kernel: Make VirtualFileSystem functions take credentials as input Instead of getting credentials from Process::current(), we now require that they be provided as input to the various VFS functions. This ensures that an atomic set of credentials is used throughout an entire VFS operation.
2022-08-21 14:02:24 +00:00
if (!credentials.is_superuser() && inode.metadata().uid != credentials.euid())
Kernel+LibC: Turn errno codes into a strongly typed enum ..and allow implicit creation of KResult and KResultOr from ErrnoCode. This means that kernel functions that return those types can finally do "return EINVAL;" and it will just work. There's a handful of functions that still deal with signed integers that should be converted to return KResults.
2021-01-20 22:11:17 +00:00
return EACCES;
Kernel: Use TRY() in VirtualFileSystem
2021-09-05 12:00:18 +00:00
if (custody->is_readonly())
Kernel+LibC: Turn errno codes into a strongly typed enum ..and allow implicit creation of KResult and KResultOr from ErrnoCode. This means that kernel functions that return those types can finally do "return EINVAL;" and it will just work. There's a handful of functions that still deal with signed integers that should be converted to return KResults.
2021-01-20 22:11:17 +00:00
return EROFS;
Kernel: Port more code to KResult and KResultOr<T>.
2019-03-06 21:14:31 +00:00
Kernel: Use UnixDateTime wherever applicable "Wherever applicable" = most places, actually :^), especially for networking and filesystem timestamps. This includes changes to unzip, which uses DOSPackedTime, since that is changed for the FAT file systems.
2023-03-13 21:11:13 +00:00
TRY(inode.update_timestamps(UnixDateTime::from_seconds_since_epoch(atime), {}, UnixDateTime::from_seconds_since_epoch(mtime)));
Kernel: Replace KResult and KResultOr<T> with Error and ErrorOr<T> We now use AK::Error and AK::ErrorOr<T> in both kernel and userspace! This was a slightly tedious refactoring that took a long time, so it's not unlikely that some bugs crept in. Nevertheless, it does pass basic functionality testing, and it's just real nice to finally see the same pattern in all contexts. :^)
2021-11-07 23:51:39 +00:00
return {};
Kernel: Add file permission checks to utime() syscall.
2019-02-21 15:37:41 +00:00
}
Kernel: Make VirtualFileSystem functions take credentials as input Instead of getting credentials from Process::current(), we now require that they be provided as input to the various VFS functions. This ensures that an atomic set of credentials is used throughout an entire VFS operation.
2022-08-21 14:02:24 +00:00
ErrorOr<void> VirtualFileSystem::utimensat(Credentials const& credentials, StringView path, Custody& base, timespec const& atime, timespec const& mtime, int options)
Kernel+LibC+VFS: Implement utimensat(3) Create POSIX utimensat() library call and corresponding system call to update file access and modification times.
2022-05-02 20:26:10 +00:00
{
Kernel: Make VirtualFileSystem functions take credentials as input Instead of getting credentials from Process::current(), we now require that they be provided as input to the various VFS functions. This ensures that an atomic set of credentials is used throughout an entire VFS operation.
2022-08-21 14:02:24 +00:00
auto custody = TRY(resolve_path(credentials, path, base, nullptr, options));
Kernel: Add the futimens syscall We have a problem with the original utimensat syscall because when we do call LibC futimens function, internally we provide an empty path, and the Kernel get_syscall_path_argument method will detect this as an invalid path. This happens to spit an error for example in the touch utility, so if a user is running "touch non_existing_file", it will create that file, but the user will still see an error coming from LibC futimens function. This new syscall gets an open file description and it provides the same functionality as utimensat, on the specified open file description. The new syscall will be used later by LibC to properly implement LibC futimens function so the situation described with relation to the "touch" utility could be fixed.
2023-04-08 08:37:15 +00:00
return do_utimens(credentials, custody, atime, mtime);
}
ErrorOr<void> VirtualFileSystem::do_utimens(Credentials const& credentials, Custody& custody, timespec const& atime, timespec const& mtime)
{
auto& inode = custody.inode();
Kernel: Make VirtualFileSystem functions take credentials as input Instead of getting credentials from Process::current(), we now require that they be provided as input to the various VFS functions. This ensures that an atomic set of credentials is used throughout an entire VFS operation.
2022-08-21 14:02:24 +00:00
if (!credentials.is_superuser() && inode.metadata().uid != credentials.euid())
Kernel+LibC+VFS: Implement utimensat(3) Create POSIX utimensat() library call and corresponding system call to update file access and modification times.
2022-05-02 20:26:10 +00:00
return EACCES;
Kernel: Add the futimens syscall We have a problem with the original utimensat syscall because when we do call LibC futimens function, internally we provide an empty path, and the Kernel get_syscall_path_argument method will detect this as an invalid path. This happens to spit an error for example in the touch utility, so if a user is running "touch non_existing_file", it will create that file, but the user will still see an error coming from LibC futimens function. This new syscall gets an open file description and it provides the same functionality as utimensat, on the specified open file description. The new syscall will be used later by LibC to properly implement LibC futimens function so the situation described with relation to the "touch" utility could be fixed.
2023-04-08 08:37:15 +00:00
if (custody.is_readonly())
Kernel+LibC+VFS: Implement utimensat(3) Create POSIX utimensat() library call and corresponding system call to update file access and modification times.
2022-05-02 20:26:10 +00:00
return EROFS;
// NOTE: A standard ext2 inode cannot store nanosecond timestamps.
Kernel: Update atime/ctime/mtime timestamps atomically Instead of having three separate APIs (one for each timestamp), there's now only Inode::update_timestamps() and it takes 3x optional timestamps. The non-empty timestamps are updated while holding the inode mutex, and the outside world no longer has to look at intermediate timestamp states.
2022-08-22 11:34:22 +00:00
TRY(inode.update_timestamps(
Kernel: Use UnixDateTime wherever applicable "Wherever applicable" = most places, actually :^), especially for networking and filesystem timestamps. This includes changes to unzip, which uses DOSPackedTime, since that is changed for the FAT file systems.
2023-03-13 21:11:13 +00:00
(atime.tv_nsec != UTIME_OMIT) ? UnixDateTime::from_unix_timespec(atime) : Optional<UnixDateTime> {},
Kernel: Update atime/ctime/mtime timestamps atomically Instead of having three separate APIs (one for each timestamp), there's now only Inode::update_timestamps() and it takes 3x optional timestamps. The non-empty timestamps are updated while holding the inode mutex, and the outside world no longer has to look at intermediate timestamp states.
2022-08-22 11:34:22 +00:00
{},
Kernel: Use UnixDateTime wherever applicable "Wherever applicable" = most places, actually :^), especially for networking and filesystem timestamps. This includes changes to unzip, which uses DOSPackedTime, since that is changed for the FAT file systems.
2023-03-13 21:11:13 +00:00
(mtime.tv_nsec != UTIME_OMIT) ? UnixDateTime::from_unix_timespec(mtime) : Optional<UnixDateTime> {}));
Kernel+LibC+VFS: Implement utimensat(3) Create POSIX utimensat() library call and corresponding system call to update file access and modification times.
2022-05-02 20:26:10 +00:00
return {};
}
Kernel: Make VirtualFileSystem functions take credentials as input Instead of getting credentials from Process::current(), we now require that they be provided as input to the various VFS functions. This ensures that an atomic set of credentials is used throughout an entire VFS operation.
2022-08-21 14:02:24 +00:00
ErrorOr<InodeMetadata> VirtualFileSystem::lookup_metadata(Credentials const& credentials, StringView path, Custody& base, int options)
Kernel: Separate VFS stat() from open(). It was very confusing that you had to open a FileDescriptor in order to stat a file. This patch gives VFS a separate stat() function and uses it to implement the stat() and lstat() syscalls.
2019-02-21 15:09:12 +00:00
{
Kernel: Make VirtualFileSystem functions take credentials as input Instead of getting credentials from Process::current(), we now require that they be provided as input to the various VFS functions. This ensures that an atomic set of credentials is used throughout an entire VFS operation.
2022-08-21 14:02:24 +00:00
auto custody = TRY(resolve_path(credentials, path, base, nullptr, options));
Kernel: Use TRY() in VirtualFileSystem
2021-09-05 12:00:18 +00:00
return custody->inode().metadata();
Kernel: Separate VFS stat() from open(). It was very confusing that you had to open a FileDescriptor in order to stat a file. This patch gives VFS a separate stat() function and uses it to implement the stat() and lstat() syscalls.
2019-02-21 15:09:12 +00:00
}
Kernel: Use non-locking {Nonnull,}RefPtr for OpenFileDescription This patch switches away from {Nonnull,}LockRefPtr to the non-locking smart pointers throughout the kernel. I've looked at the handful of places where these were being persisted and I don't see any race situations. Note that the process file descriptor table (Process::m_fds) was already guarded via MutexProtected.
2023-03-06 18:29:25 +00:00
ErrorOr<NonnullRefPtr<OpenFileDescription>> VirtualFileSystem::open(Credentials const& credentials, StringView path, int options, mode_t mode, Custody& base, Optional<UidAndGid> owner)
Kernel: Actually check Process unveil data when creating perfcore dump Before of this patch, we looked at the unveil data of the FinalizerTask, which naturally doesn't have any unveil restrictions, therefore allowing an unveil bypass for a process that enabled performance coredumps. To ensure we always check the dumped process unveil data, an option to pass a Process& has been added to a couple of methods in the class of VirtualFileSystem.
2023-03-04 18:01:54 +00:00
{
return open(Process::current(), credentials, path, options, mode, base, owner);
}
Kernel: Use non-locking {Nonnull,}RefPtr for OpenFileDescription This patch switches away from {Nonnull,}LockRefPtr to the non-locking smart pointers throughout the kernel. I've looked at the handful of places where these were being persisted and I don't see any race situations. Note that the process file descriptor table (Process::m_fds) was already guarded via MutexProtected.
2023-03-06 18:29:25 +00:00
ErrorOr<NonnullRefPtr<OpenFileDescription>> VirtualFileSystem::open(Process const& process, Credentials const& credentials, StringView path, int options, mode_t mode, Custody& base, Optional<UidAndGid> owner)
Import all this stuff into a single repo called Serenity.
2018-10-10 09:53:07 +00:00
{
Kernel: Don't allow open() with (O_CREAT | O_DIRECTORY)
2020-01-03 01:23:50 +00:00
if ((options & O_CREAT) && (options & O_DIRECTORY))
Kernel+LibC: Turn errno codes into a strongly typed enum ..and allow implicit creation of KResult and KResultOr from ErrnoCode. This means that kernel functions that return those types can finally do "return EINVAL;" and it will just work. There's a handful of functions that still deal with signed integers that should be converted to return KResults.
2021-01-20 22:11:17 +00:00
return EINVAL;
Kernel: Don't allow open() with (O_CREAT | O_DIRECTORY)
2020-01-03 01:23:50 +00:00
Kernel: Use RefPtr instead of LockRefPtr for Custody By protecting all the RefPtr<Custody> objects that may be accessed from multiple threads at the same time (with spinlocks), we remove the need for using LockRefPtr<Custody> (which is basically a RefPtr with a built-in spinlock.)
2022-08-20 23:04:35 +00:00
RefPtr<Custody> parent_custody;
Kernel: Actually check Process unveil data when creating perfcore dump Before of this patch, we looked at the unveil data of the FinalizerTask, which naturally doesn't have any unveil restrictions, therefore allowing an unveil bypass for a process that enabled performance coredumps. To ensure we always check the dumped process unveil data, an option to pass a Process& has been added to a couple of methods in the class of VirtualFileSystem.
2023-03-04 18:01:54 +00:00
auto custody_or_error = resolve_path(process, credentials, path, base, &parent_custody, options);
Kernel: Ignore null parent custody without error in VFS::open This modifies the error checks in VFS::open after the call to resolve_path to ignore a null parent custody if there is no error, as this is expected when the path to resolve points to "/". Rather, a null parent custody only constitutes an error if it is accompanied by ENOENT. This behavior is documented in the VFS::resolve_path_without_veil method. To accompany this change, the order of the error checks have been changed to more naturally fit the new logic.
2021-05-19 09:33:23 +00:00
if (custody_or_error.is_error()) {
// NOTE: ENOENT with a non-null parent custody signals us that the immediate parent
// of the file exists, but the file itself does not.
Kernel: Replace KResult and KResultOr<T> with Error and ErrorOr<T> We now use AK::Error and AK::ErrorOr<T> in both kernel and userspace! This was a slightly tedious refactoring that took a long time, so it's not unlikely that some bugs crept in. Nevertheless, it does pass basic functionality testing, and it's just real nice to finally see the same pattern in all contexts. :^)
2021-11-07 23:51:39 +00:00
if ((options & O_CREAT) && custody_or_error.error().code() == ENOENT && parent_custody)
Kernel: Actually check Process unveil data when creating perfcore dump Before of this patch, we looked at the unveil data of the FinalizerTask, which naturally doesn't have any unveil restrictions, therefore allowing an unveil bypass for a process that enabled performance coredumps. To ensure we always check the dumped process unveil data, an option to pass a Process& has been added to a couple of methods in the class of VirtualFileSystem.
2023-03-04 18:01:54 +00:00
return create(process, credentials, path, options, mode, *parent_custody, move(owner));
Kernel: Replace KResult and KResultOr<T> with Error and ErrorOr<T> We now use AK::Error and AK::ErrorOr<T> in both kernel and userspace! This was a slightly tedious refactoring that took a long time, so it's not unlikely that some bugs crept in. Nevertheless, it does pass basic functionality testing, and it's just real nice to finally see the same pattern in all contexts. :^)
2021-11-07 23:51:39 +00:00
return custody_or_error.release_error();
Kernel: Ignore null parent custody without error in VFS::open This modifies the error checks in VFS::open after the call to resolve_path to ignore a null parent custody if there is no error, as this is expected when the path to resolve points to "/". Rather, a null parent custody only constitutes an error if it is accompanied by ENOENT. This behavior is documented in the VFS::resolve_path_without_veil method. To accompany this change, the order of the error checks have been changed to more naturally fit the new logic.
2021-05-19 09:33:23 +00:00
}
if ((options & O_CREAT) && (options & O_EXCL))
return EEXIST;
Kernel: Separate VFS stat() from open(). It was very confusing that you had to open a FileDescriptor in order to stat a file. This patch gives VFS a separate stat() function and uses it to implement the stat() and lstat() syscalls.
2019-02-21 15:09:12 +00:00
FileSystem: Port most of the code over to using custodies. The current working directory is now stored as a custody. Likewise for a process executable file. This unbreaks /proc/PID/fd which has not been working since we made the filesystem bigger. This still needs a bunch of work, for instance when renaming or removing a file somewhere, we have to update the relevant custody links.
2019-05-30 16:58:59 +00:00
auto& custody = *custody_or_error.value();
auto& inode = custody.inode();
auto metadata = inode.metadata();
Kernel: Add Inode::truncate(size). - Use this to implement the O_TRUNC open flag. - Fix creat() to pass O_CREAT | O_TRUNC | O_WRONLY. - Make sure we truncate wherever appropriate.
2019-03-27 15:42:30 +00:00
Kernel+Base: Introduce MS_NOREGULAR mount flag This flag doesn't conform to any POSIX standard nor is found in any OS out there. The idea behind this mount flag is to ensure that only non-regular files will be placed in a filesystem, which includes device nodes, symbolic links, directories, FIFOs and sockets. Currently, the only valid case for using this mount flag is for TmpFS instances, where we want to mount a TmpFS but disallow any kind of regular file and only allow other types of files on the filesystem.
2022-10-21 16:29:50 +00:00
if (metadata.is_regular_file() && (custody.mount_flags() & MS_NOREGULAR))
return EACCES;
Kernel: Handle O_DIRECTORY in VFS::open() instead of in each syscall Just taking care of some FIXMEs.
2020-01-03 01:23:11 +00:00
if ((options & O_DIRECTORY) && !metadata.is_directory())
Kernel+LibC: Turn errno codes into a strongly typed enum ..and allow implicit creation of KResult and KResultOr from ErrnoCode. This means that kernel functions that return those types can finally do "return EINVAL;" and it will just work. There's a handful of functions that still deal with signed integers that should be converted to return KResults.
2021-01-20 22:11:17 +00:00
return ENOTDIR;
Kernel: Handle O_DIRECTORY in VFS::open() instead of in each syscall Just taking care of some FIXMEs.
2020-01-03 01:23:11 +00:00
Kernel: Add Inode::truncate(size). - Use this to implement the O_TRUNC open flag. - Fix creat() to pass O_CREAT | O_TRUNC | O_WRONLY. - Make sure we truncate wherever appropriate.
2019-03-27 15:42:30 +00:00
bool should_truncate_file = false;
Kernel: Separate VFS stat() from open(). It was very confusing that you had to open a FileDescriptor in order to stat a file. This patch gives VFS a separate stat() function and uses it to implement the stat() and lstat() syscalls.
2019-02-21 15:09:12 +00:00
Kernel: Make VirtualFileSystem functions take credentials as input Instead of getting credentials from Process::current(), we now require that they be provided as input to the various VFS functions. This ensures that an atomic set of credentials is used throughout an entire VFS operation.
2022-08-21 14:02:24 +00:00
if ((options & O_RDONLY) && !metadata.may_read(credentials))
Kernel+LibC: Turn errno codes into a strongly typed enum ..and allow implicit creation of KResult and KResultOr from ErrnoCode. This means that kernel functions that return those types can finally do "return EINVAL;" and it will just work. There's a handful of functions that still deal with signed integers that should be converted to return KResults.
2021-01-20 22:11:17 +00:00
return EACCES;
Kernel: Make O_RDONLY non-zero Sergey suggested that having a non-zero O_RDONLY would make some things less confusing, and it seems like he's right about that. We can now easily check read/write permissions separately instead of dancing around with the bits. This patch also fixes unveil() validation for O_RDWR which previously forgot to check for "r" permission.
2020-01-21 12:14:26 +00:00
if (options & O_WRONLY) {
Kernel: Make VirtualFileSystem functions take credentials as input Instead of getting credentials from Process::current(), we now require that they be provided as input to the various VFS functions. This ensures that an atomic set of credentials is used throughout an entire VFS operation.
2022-08-21 14:02:24 +00:00
if (!metadata.may_write(credentials))
Kernel+LibC: Turn errno codes into a strongly typed enum ..and allow implicit creation of KResult and KResultOr from ErrnoCode. This means that kernel functions that return those types can finally do "return EINVAL;" and it will just work. There's a handful of functions that still deal with signed integers that should be converted to return KResults.
2021-01-20 22:11:17 +00:00
return EACCES;
Kernel: Port more code to KResult and KResultOr<T>.
2019-03-06 21:14:31 +00:00
if (metadata.is_directory())
Kernel+LibC: Turn errno codes into a strongly typed enum ..and allow implicit creation of KResult and KResultOr from ErrnoCode. This means that kernel functions that return those types can finally do "return EINVAL;" and it will just work. There's a handful of functions that still deal with signed integers that should be converted to return KResults.
2021-01-20 22:11:17 +00:00
return EISDIR;
Kernel: Add Inode::truncate(size). - Use this to implement the O_TRUNC open flag. - Fix creat() to pass O_CREAT | O_TRUNC | O_WRONLY. - Make sure we truncate wherever appropriate.
2019-03-27 15:42:30 +00:00
should_truncate_file = options & O_TRUNC;
Kernel: Start adding various file system permission checks. Fail with EACCES in various situations. Fix userland bugs that were exposed.
2019-02-21 14:45:31 +00:00
}
Kernel+LibC: Add O_EXEC, move exec permission checking to VFS::open() O_EXEC is mentioned by POSIX, so let's have it. Currently, it is only used inside the kernel to ensure the process has the right permissions when opening an executable.
2020-01-11 15:33:35 +00:00
if (options & O_EXEC) {
Kernel: Make VirtualFileSystem functions take credentials as input Instead of getting credentials from Process::current(), we now require that they be provided as input to the various VFS functions. This ensures that an atomic set of credentials is used throughout an entire VFS operation.
2022-08-21 14:02:24 +00:00
if (!metadata.may_execute(credentials) || (custody.mount_flags() & MS_NOEXEC))
Kernel+LibC: Turn errno codes into a strongly typed enum ..and allow implicit creation of KResult and KResultOr from ErrnoCode. This means that kernel functions that return those types can finally do "return EINVAL;" and it will just work. There's a handful of functions that still deal with signed integers that should be converted to return KResults.
2021-01-20 22:11:17 +00:00
return EACCES;
Kernel+LibC: Add O_EXEC, move exec permission checking to VFS::open() O_EXEC is mentioned by POSIX, so let's have it. Currently, it is only used inside the kernel to ensure the process has the right permissions when opening an executable.
2020-01-11 15:33:35 +00:00
}
Kernel: Separate VFS stat() from open(). It was very confusing that you had to open a FileDescriptor in order to stat a file. This patch gives VFS a separate stat() function and uses it to implement the stat() and lstat() syscalls.
2019-02-21 15:09:12 +00:00
Kernel: Implement FIFOs/named pipes
2020-07-16 21:23:03 +00:00
if (metadata.is_fifo()) {
Kernel: Use KResultOr and TRY() for FIFO
2021-09-07 11:56:10 +00:00
auto fifo = TRY(inode.fifo());
Kernel: Implement FIFOs/named pipes
2020-07-16 21:23:03 +00:00
if (options & O_WRONLY) {
Kernel: Use TRY() even more in VirtualFileSystem Allowing TRY() with KResult unlocked a whole lot more opportunities.
2021-09-05 12:55:25 +00:00
auto description = TRY(fifo->open_direction_blocking(FIFO::Direction::Writer));
Kernel: Implement FIFOs/named pipes
2020-07-16 21:23:03 +00:00
description->set_rw_mode(options);
description->set_file_flags(options);
description->set_original_inode({}, inode);
return description;
} else if (options & O_RDONLY) {
Kernel: Use TRY() even more in VirtualFileSystem Allowing TRY() with KResult unlocked a whole lot more opportunities.
2021-09-05 12:55:25 +00:00
auto description = TRY(fifo->open_direction_blocking(FIFO::Direction::Reader));
Kernel: Implement FIFOs/named pipes
2020-07-16 21:23:03 +00:00
description->set_rw_mode(options);
description->set_file_flags(options);
description->set_original_inode({}, inode);
return description;
}
Kernel+LibC: Turn errno codes into a strongly typed enum ..and allow implicit creation of KResult and KResultOr from ErrnoCode. This means that kernel functions that return those types can finally do "return EINVAL;" and it will just work. There's a handful of functions that still deal with signed integers that should be converted to return KResults.
2021-01-20 22:11:17 +00:00
return EINVAL;
Kernel: Implement FIFOs/named pipes
2020-07-16 21:23:03 +00:00
}
Kernel: Separate VFS stat() from open(). It was very confusing that you had to open a FileDescriptor in order to stat a file. This patch gives VFS a separate stat() function and uses it to implement the stat() and lstat() syscalls.
2019-02-21 15:09:12 +00:00
if (metadata.is_device()) {
Kernel+LibC: Implement a few mount flags We now support these mount flags: * MS_NODEV: disallow opening any devices from this file system * MS_NOEXEC: disallow executing any executables from this file system * MS_NOSUID: ignore set-user-id bits on executables from this file system The fourth flag, MS_BIND, is defined, but currently ignored.
2020-01-11 15:45:38 +00:00
if (custody.mount_flags() & MS_NODEV)
Kernel+LibC: Turn errno codes into a strongly typed enum ..and allow implicit creation of KResult and KResultOr from ErrnoCode. This means that kernel functions that return those types can finally do "return EINVAL;" and it will just work. There's a handful of functions that still deal with signed integers that should be converted to return KResults.
2021-01-20 22:11:17 +00:00
return EACCES;
Kernel: Introduce the DeviceManagement singleton This singleton simplifies many aspects that we struggled with before: 1. There's no need to make derived classes of Device expose the constructor as public anymore. The singleton is a friend of them, so he can call the constructor. This solves the issue with try_create_device helper neatly, hopefully for good. 2. Getting a reference of the NullDevice is now being done from this singleton, which means that NullDevice no longer needs to use its own singleton, and we can apply the try_create_device helper on it too :) 3. We can now defer registration completely after the Device constructor which means the Device constructor is merely assigning the major and minor numbers of the Device, and the try_create_device helper ensures it calls the after_inserting method immediately after construction. This creates a great opportunity to make registration more OOM-safe.
2021-09-11 06:19:20 +00:00
auto device = DeviceManagement::the().get_device(metadata.major_device, metadata.minor_device);
Kernel: Move device lookup to Device class itself Previously, VFS stored a list of all devices, and devices had to register and unregister themselves with it. This cleans up things a bit.
2019-08-18 11:48:15 +00:00
if (device == nullptr) {
Kernel+LibC: Turn errno codes into a strongly typed enum ..and allow implicit creation of KResult and KResultOr from ErrnoCode. This means that kernel functions that return those types can finally do "return EINVAL;" and it will just work. There's a handful of functions that still deal with signed integers that should be converted to return KResults.
2021-01-20 22:11:17 +00:00
return ENODEV;
Get rid of Vnode concept. We already have an abstraction between Process and Inode/CharacterDevice/FIFO and it's called FileDescriptor. :^)
2019-01-16 11:57:07 +00:00
}
Kernel: Use TRY() in VirtualFileSystem
2021-09-05 12:00:18 +00:00
auto description = TRY(device->open(options));
description->set_original_inode({}, inode);
Kernel+SystemServer: Defer creation of device nodes to userspace Don't create these device nodes in the Kernel, so we essentially enforce userspace (SystemServer) to take control of this operation and to decide how to create these device nodes. This makes the DevFS to resemble linux devtmpfs, and allows us to remove a bunch of unneeded overriding implementations of device name creation in the Kernel.
2021-08-14 02:04:56 +00:00
description->set_original_custody({}, custody);
Kernel: Use TRY() in VirtualFileSystem
2021-09-05 12:00:18 +00:00
return description;
Get rid of Vnode concept. We already have an abstraction between Process and Inode/CharacterDevice/FIFO and it's called FileDescriptor. :^)
2019-01-16 11:57:07 +00:00
}
Kernel: Support read-only filesystem mounts This adds support for MS_RDONLY, a mount flag that tells the kernel to disallow any attempts to write to the newly mounted filesystem. As this flag is per-mount, and different mounts of the same filesystems (such as in case of bind mounts) can have different mutability settings, you have to go though a custody to find out if the filesystem is mounted read-only, instead of just asking the filesystem itself whether it's inherently read-only. This also adds a lot of checks we were previously missing; and moves some of them to happen after more specific checks (such as regular permission checks). One outstanding hole in this system is sys$mprotect(PROT_WRITE), as there's no way we can know if the original file description this region has been mounted from had been opened through a readonly mount point. Currently, we always allow such sys$mprotect() calls to succeed, which effectively allows anyone to circumvent the effect of MS_RDONLY. We should solve this one way or another.
2020-05-28 14:56:25 +00:00
Kernel: Remove unused Inode::preopen_fd()
2021-12-05 09:49:21 +00:00
// Check for read-only FS. Do this after handling devices, but before modifying the inode in any way.
Kernel: Support read-only filesystem mounts This adds support for MS_RDONLY, a mount flag that tells the kernel to disallow any attempts to write to the newly mounted filesystem. As this flag is per-mount, and different mounts of the same filesystems (such as in case of bind mounts) can have different mutability settings, you have to go though a custody to find out if the filesystem is mounted read-only, instead of just asking the filesystem itself whether it's inherently read-only. This also adds a lot of checks we were previously missing; and moves some of them to happen after more specific checks (such as regular permission checks). One outstanding hole in this system is sys$mprotect(PROT_WRITE), as there's no way we can know if the original file description this region has been mounted from had been opened through a readonly mount point. Currently, we always allow such sys$mprotect() calls to succeed, which effectively allows anyone to circumvent the effect of MS_RDONLY. We should solve this one way or another.
2020-05-28 14:56:25 +00:00
if ((options & O_WRONLY) && custody.is_readonly())
Kernel+LibC: Turn errno codes into a strongly typed enum ..and allow implicit creation of KResult and KResultOr from ErrnoCode. This means that kernel functions that return those types can finally do "return EINVAL;" and it will just work. There's a handful of functions that still deal with signed integers that should be converted to return KResults.
2021-01-20 22:11:17 +00:00
return EROFS;
Kernel: Support read-only filesystem mounts This adds support for MS_RDONLY, a mount flag that tells the kernel to disallow any attempts to write to the newly mounted filesystem. As this flag is per-mount, and different mounts of the same filesystems (such as in case of bind mounts) can have different mutability settings, you have to go though a custody to find out if the filesystem is mounted read-only, instead of just asking the filesystem itself whether it's inherently read-only. This also adds a lot of checks we were previously missing; and moves some of them to happen after more specific checks (such as regular permission checks). One outstanding hole in this system is sys$mprotect(PROT_WRITE), as there's no way we can know if the original file description this region has been mounted from had been opened through a readonly mount point. Currently, we always allow such sys$mprotect() calls to succeed, which effectively allows anyone to circumvent the effect of MS_RDONLY. We should solve this one way or another.
2020-05-28 14:56:25 +00:00
Kernel: Opening a file with O_TRUNC should update mtime
2020-01-08 12:57:22 +00:00
if (should_truncate_file) {
Kernel: Use TRY() even more in VirtualFileSystem Allowing TRY() with KResult unlocked a whole lot more opportunities.
2021-09-05 12:55:25 +00:00
TRY(inode.truncate(0));
Kernel: Use AK::Time for InodeMetadata timestamps instead of time_t Before this change, we were truncating the nanosecond part of file timestamps in many different places.
2022-11-22 20:01:45 +00:00
TRY(inode.update_timestamps({}, {}, kgettimeofday()));
Kernel: Improve ProcFS behavior in low memory conditions When ProcFS could no longer allocate KBuffer objects to serve calls to read, it would just return 0, indicating EOF. This then triggered parsing errors because code assumed it read the file. Because read isn't supposed to return ENOMEM, change ProcFS to populate the file data upon file open or seek to the beginning. This also means that calls to open can now return ENOMEM if needed. This allows the caller to either be able to successfully open the file and read it, or fail to open it in the first place.
2020-09-17 19:51:09 +00:00
}
Kernel: Rename FileDescription => OpenFileDescription Dr. POSIX really calls these "open file description", not just "file description", so let's call them exactly that. :^)
2021-09-07 11:39:11 +00:00
auto description = TRY(OpenFileDescription::try_create(custody));
Kernel: Use TRY() even more in VirtualFileSystem Allowing TRY() with KResult unlocked a whole lot more opportunities.
2021-09-05 12:55:25 +00:00
description->set_rw_mode(options);
description->set_file_flags(options);
Kernel: Move setting file flags and r/w mode to VFS::open() Previously, VFS::open() would only use the passed flags for permission checking purposes, and Process::sys$open() would set them on the created FileDescription explicitly. Now, they should be set by VFS::open() on any files being opened, including files that the kernel opens internally. This also lets us get rid of the explicit check for whether or not the returned FileDescription was a preopen fd, and in fact, fixes a bug where a read-only preopen fd without any other flags would be considered freshly opened (due to O_RDONLY being indistinguishable from 0) and granted a new set of flags.
2020-01-18 22:15:52 +00:00
return description;
Import all this stuff into a single repo called Serenity.
2018-10-10 09:53:07 +00:00
}
Kernel: Make VirtualFileSystem functions take credentials as input Instead of getting credentials from Process::current(), we now require that they be provided as input to the various VFS functions. This ensures that an atomic set of credentials is used throughout an entire VFS operation.
2022-08-21 14:02:24 +00:00
ErrorOr<void> VirtualFileSystem::mknod(Credentials const& credentials, StringView path, mode_t mode, dev_t dev, Custody& base)
Kernel+Userland: Implement mknod() syscall and add a /bin/mknod program.
2019-05-03 20:59:58 +00:00
{
if (!is_regular_file(mode) && !is_block_device(mode) && !is_character_device(mode) && !is_fifo(mode) && !is_socket(mode))
Kernel+LibC: Turn errno codes into a strongly typed enum ..and allow implicit creation of KResult and KResultOr from ErrnoCode. This means that kernel functions that return those types can finally do "return EINVAL;" and it will just work. There's a handful of functions that still deal with signed integers that should be converted to return KResults.
2021-01-20 22:11:17 +00:00
return EINVAL;
Kernel+Userland: Implement mknod() syscall and add a /bin/mknod program.
2019-05-03 20:59:58 +00:00
Kernel: Use RefPtr instead of LockRefPtr for Custody By protecting all the RefPtr<Custody> objects that may be accessed from multiple threads at the same time (with spinlocks), we remove the need for using LockRefPtr<Custody> (which is basically a RefPtr with a built-in spinlock.)
2022-08-20 23:04:35 +00:00
RefPtr<Custody> parent_custody;
Kernel: Make VirtualFileSystem functions take credentials as input Instead of getting credentials from Process::current(), we now require that they be provided as input to the various VFS functions. This ensures that an atomic set of credentials is used throughout an entire VFS operation.
2022-08-21 14:02:24 +00:00
auto existing_file_or_error = resolve_path(credentials, path, base, &parent_custody);
Kernel+Userland: Implement mknod() syscall and add a /bin/mknod program.
2019-05-03 20:59:58 +00:00
if (!existing_file_or_error.is_error())
Kernel+LibC: Turn errno codes into a strongly typed enum ..and allow implicit creation of KResult and KResultOr from ErrnoCode. This means that kernel functions that return those types can finally do "return EINVAL;" and it will just work. There's a handful of functions that still deal with signed integers that should be converted to return KResults.
2021-01-20 22:11:17 +00:00
return EEXIST;
FileSystem: Port most of the code over to using custodies. The current working directory is now stored as a custody. Likewise for a process executable file. This unbreaks /proc/PID/fd which has not been working since we made the filesystem bigger. This still needs a bunch of work, for instance when renaming or removing a file somewhere, we have to update the relevant custody links.
2019-05-30 16:58:59 +00:00
if (!parent_custody)
Kernel+LibC: Turn errno codes into a strongly typed enum ..and allow implicit creation of KResult and KResultOr from ErrnoCode. This means that kernel functions that return those types can finally do "return EINVAL;" and it will just work. There's a handful of functions that still deal with signed integers that should be converted to return KResults.
2021-01-20 22:11:17 +00:00
return ENOENT;
Kernel: Replace KResult and KResultOr<T> with Error and ErrorOr<T> We now use AK::Error and AK::ErrorOr<T> in both kernel and userspace! This was a slightly tedious refactoring that took a long time, so it's not unlikely that some bugs crept in. Nevertheless, it does pass basic functionality testing, and it's just real nice to finally see the same pattern in all contexts. :^)
2021-11-07 23:51:39 +00:00
if (existing_file_or_error.error().code() != ENOENT)
return existing_file_or_error.release_error();
FileSystem: Port most of the code over to using custodies. The current working directory is now stored as a custody. Likewise for a process executable file. This unbreaks /proc/PID/fd which has not been working since we made the filesystem bigger. This still needs a bunch of work, for instance when renaming or removing a file somewhere, we have to update the relevant custody links.
2019-05-30 16:58:59 +00:00
auto& parent_inode = parent_custody->inode();
Kernel: Make VirtualFileSystem functions take credentials as input Instead of getting credentials from Process::current(), we now require that they be provided as input to the various VFS functions. This ensures that an atomic set of credentials is used throughout an entire VFS operation.
2022-08-21 14:02:24 +00:00
if (!parent_inode.metadata().may_write(credentials))
Kernel+LibC: Turn errno codes into a strongly typed enum ..and allow implicit creation of KResult and KResultOr from ErrnoCode. This means that kernel functions that return those types can finally do "return EINVAL;" and it will just work. There's a handful of functions that still deal with signed integers that should be converted to return KResults.
2021-01-20 22:11:17 +00:00
return EACCES;
Kernel: Support read-only filesystem mounts This adds support for MS_RDONLY, a mount flag that tells the kernel to disallow any attempts to write to the newly mounted filesystem. As this flag is per-mount, and different mounts of the same filesystems (such as in case of bind mounts) can have different mutability settings, you have to go though a custody to find out if the filesystem is mounted read-only, instead of just asking the filesystem itself whether it's inherently read-only. This also adds a lot of checks we were previously missing; and moves some of them to happen after more specific checks (such as regular permission checks). One outstanding hole in this system is sys$mprotect(PROT_WRITE), as there's no way we can know if the original file description this region has been mounted from had been opened through a readonly mount point. Currently, we always allow such sys$mprotect() calls to succeed, which effectively allows anyone to circumvent the effect of MS_RDONLY. We should solve this one way or another.
2020-05-28 14:56:25 +00:00
if (parent_custody->is_readonly())
Kernel+LibC: Turn errno codes into a strongly typed enum ..and allow implicit creation of KResult and KResultOr from ErrnoCode. This means that kernel functions that return those types can finally do "return EINVAL;" and it will just work. There's a handful of functions that still deal with signed integers that should be converted to return KResults.
2021-01-20 22:11:17 +00:00
return EROFS;
Kernel+Userland: Implement mknod() syscall and add a /bin/mknod program.
2019-05-03 20:59:58 +00:00
Kernel: Replace usage of LexicalPath with KLexicalPath This replaces all uses of LexicalPath in the Kernel with the functions from KLexicalPath. This also allows the Kernel to stop including AK::LexicalPath.
2021-07-06 09:21:52 +00:00
auto basename = KLexicalPath::basename(path);
Kernel/VFS: Silence mknod debug spam Since we populate the DevFS now in userspace, this creates a bunch of unnecessary noise in the kernel log.
2021-08-14 04:11:30 +00:00
dbgln_if(VFS_DEBUG, "VirtualFileSystem::mknod: '{}' mode={} dev={} in {}", basename, mode, dev, parent_inode.identifier());
Kernel: Make VirtualFileSystem functions take credentials as input Instead of getting credentials from Process::current(), we now require that they be provided as input to the various VFS functions. This ensures that an atomic set of credentials is used throughout an entire VFS operation.
2022-08-21 14:02:24 +00:00
(void)TRY(parent_inode.create_child(basename, mode, dev, credentials.euid(), credentials.egid()));
Kernel: Replace KResult and KResultOr<T> with Error and ErrorOr<T> We now use AK::Error and AK::ErrorOr<T> in both kernel and userspace! This was a slightly tedious refactoring that took a long time, so it's not unlikely that some bugs crept in. Nevertheless, it does pass basic functionality testing, and it's just real nice to finally see the same pattern in all contexts. :^)
2021-11-07 23:51:39 +00:00
return {};
Kernel+Userland: Implement mknod() syscall and add a /bin/mknod program.
2019-05-03 20:59:58 +00:00
}
Kernel: Use non-locking {Nonnull,}RefPtr for OpenFileDescription This patch switches away from {Nonnull,}LockRefPtr to the non-locking smart pointers throughout the kernel. I've looked at the handful of places where these were being persisted and I don't see any race situations. Note that the process file descriptor table (Process::m_fds) was already guarded via MutexProtected.
2023-03-06 18:29:25 +00:00
ErrorOr<NonnullRefPtr<OpenFileDescription>> VirtualFileSystem::create(Credentials const& credentials, StringView path, int options, mode_t mode, Custody& parent_custody, Optional<UidAndGid> owner)
Kernel: Actually check Process unveil data when creating perfcore dump Before of this patch, we looked at the unveil data of the FinalizerTask, which naturally doesn't have any unveil restrictions, therefore allowing an unveil bypass for a process that enabled performance coredumps. To ensure we always check the dumped process unveil data, an option to pass a Process& has been added to a couple of methods in the class of VirtualFileSystem.
2023-03-04 18:01:54 +00:00
{
return create(Process::current(), credentials, path, options, mode, parent_custody, owner);
}
Kernel: Use non-locking {Nonnull,}RefPtr for OpenFileDescription This patch switches away from {Nonnull,}LockRefPtr to the non-locking smart pointers throughout the kernel. I've looked at the handful of places where these were being persisted and I don't see any race situations. Note that the process file descriptor table (Process::m_fds) was already guarded via MutexProtected.
2023-03-06 18:29:25 +00:00
ErrorOr<NonnullRefPtr<OpenFileDescription>> VirtualFileSystem::create(Process const& process, Credentials const& credentials, StringView path, int options, mode_t mode, Custody& parent_custody, Optional<UidAndGid> owner)
Import all this stuff into a single repo called Serenity.
2018-10-10 09:53:07 +00:00
{
Kernel: Replace usage of LexicalPath with KLexicalPath This replaces all uses of LexicalPath in the Kernel with the functions from KLexicalPath. This also allows the Kernel to stop including AK::LexicalPath.
2021-07-06 09:21:52 +00:00
auto basename = KLexicalPath::basename(path);
Kernel: Improvements to Custody absolute path serialization - Renamed try_create_absolute_path() => try_serialize_absolute_path() - Use KResultOr and TRY() to propagate errors - Don't call this when it's only for debug logging
2021-09-06 10:24:36 +00:00
auto parent_path = TRY(parent_custody.try_serialize_absolute_path());
Kernel: Make KString factories return KResultOr + use TRY() everywhere There are a number of places that don't have an error propagation path right now, so I've added FIXME's about that.
2021-09-06 17:24:54 +00:00
auto full_path = TRY(KLexicalPath::try_join(parent_path->view(), basename));
Kernel: Actually check Process unveil data when creating perfcore dump Before of this patch, we looked at the unveil data of the FinalizerTask, which naturally doesn't have any unveil restrictions, therefore allowing an unveil bypass for a process that enabled performance coredumps. To ensure we always check the dumped process unveil data, an option to pass a Process& has been added to a couple of methods in the class of VirtualFileSystem.
2023-03-04 18:01:54 +00:00
TRY(validate_path_against_process_veil(process, full_path->view(), options));
Kernel: Enforce file system veil on file creation Fixes #1621.
2020-04-04 14:40:36 +00:00
Revert "Kernel: Make VFS::create() fail with EINVAL on invalid file mode" This reverts commit ca3489eec7c1c7910407c4872ed6d70c92ce50cf. Fixes #5087.
2021-01-24 07:31:18 +00:00
if (!is_socket(mode) && !is_fifo(mode) && !is_block_device(mode) && !is_character_device(mode)) {
// Turn it into a regular file. (This feels rather hackish.)
mode |= 0100000;
}
Ext2FS: Implement writing into inodes with arbitrary offset and length. Okay, this is pretty cool. :^) There are some issues and limitations for sure but the basic functionality is there.
2019-01-23 03:29:56 +00:00
FileSystem: Don't perform path resolution twice for open() with O_CREAT.
2019-06-09 17:52:03 +00:00
auto& parent_inode = parent_custody.inode();
Kernel: Make VirtualFileSystem functions take credentials as input Instead of getting credentials from Process::current(), we now require that they be provided as input to the various VFS functions. This ensures that an atomic set of credentials is used throughout an entire VFS operation.
2022-08-21 14:02:24 +00:00
if (!parent_inode.metadata().may_write(credentials))
Kernel+LibC: Turn errno codes into a strongly typed enum ..and allow implicit creation of KResult and KResultOr from ErrnoCode. This means that kernel functions that return those types can finally do "return EINVAL;" and it will just work. There's a handful of functions that still deal with signed integers that should be converted to return KResults.
2021-01-20 22:11:17 +00:00
return EACCES;
Kernel: Support read-only filesystem mounts This adds support for MS_RDONLY, a mount flag that tells the kernel to disallow any attempts to write to the newly mounted filesystem. As this flag is per-mount, and different mounts of the same filesystems (such as in case of bind mounts) can have different mutability settings, you have to go though a custody to find out if the filesystem is mounted read-only, instead of just asking the filesystem itself whether it's inherently read-only. This also adds a lot of checks we were previously missing; and moves some of them to happen after more specific checks (such as regular permission checks). One outstanding hole in this system is sys$mprotect(PROT_WRITE), as there's no way we can know if the original file description this region has been mounted from had been opened through a readonly mount point. Currently, we always allow such sys$mprotect() calls to succeed, which effectively allows anyone to circumvent the effect of MS_RDONLY. We should solve this one way or another.
2020-05-28 14:56:25 +00:00
if (parent_custody.is_readonly())
Kernel+LibC: Turn errno codes into a strongly typed enum ..and allow implicit creation of KResult and KResultOr from ErrnoCode. This means that kernel functions that return those types can finally do "return EINVAL;" and it will just work. There's a handful of functions that still deal with signed integers that should be converted to return KResults.
2021-01-20 22:11:17 +00:00
return EROFS;
Kernel+Base: Introduce MS_NOREGULAR mount flag This flag doesn't conform to any POSIX standard nor is found in any OS out there. The idea behind this mount flag is to ensure that only non-regular files will be placed in a filesystem, which includes device nodes, symbolic links, directories, FIFOs and sockets. Currently, the only valid case for using this mount flag is for TmpFS instances, where we want to mount a TmpFS but disallow any kind of regular file and only allow other types of files on the filesystem.
2022-10-21 16:29:50 +00:00
if (is_regular_file(mode) && (parent_custody.mount_flags() & MS_NOREGULAR))
return EACCES;
Kernel: Support read-only filesystem mounts This adds support for MS_RDONLY, a mount flag that tells the kernel to disallow any attempts to write to the newly mounted filesystem. As this flag is per-mount, and different mounts of the same filesystems (such as in case of bind mounts) can have different mutability settings, you have to go though a custody to find out if the filesystem is mounted read-only, instead of just asking the filesystem itself whether it's inherently read-only. This also adds a lot of checks we were previously missing; and moves some of them to happen after more specific checks (such as regular permission checks). One outstanding hole in this system is sys$mprotect(PROT_WRITE), as there's no way we can know if the original file description this region has been mounted from had been opened through a readonly mount point. Currently, we always allow such sys$mprotect() calls to succeed, which effectively allows anyone to circumvent the effect of MS_RDONLY. We should solve this one way or another.
2020-05-28 14:56:25 +00:00
Kernel: Rename VFS => VirtualFileSystem
2021-07-10 22:25:24 +00:00
dbgln_if(VFS_DEBUG, "VirtualFileSystem::create: '{}' in {}", basename, parent_inode.identifier());
Kernel: Make VirtualFileSystem functions take credentials as input Instead of getting credentials from Process::current(), we now require that they be provided as input to the various VFS functions. This ensures that an atomic set of credentials is used throughout an entire VFS operation.
2022-08-21 14:02:24 +00:00
auto uid = owner.has_value() ? owner.value().uid : credentials.euid();
auto gid = owner.has_value() ? owner.value().gid : credentials.egid();
Kernel: Use TRY() in VirtualFileSystem
2021-09-05 12:00:18 +00:00
auto inode = TRY(parent_inode.create_child(basename, mode, 0, uid, gid));
auto custody = TRY(Custody::try_create(&parent_custody, basename, inode, parent_custody.mount_flags()));
Kernel: Rename FileDescription => OpenFileDescription Dr. POSIX really calls these "open file description", not just "file description", so let's call them exactly that. :^)
2021-09-07 11:39:11 +00:00
auto description = TRY(OpenFileDescription::try_create(move(custody)));
Kernel: Use TRY() even more in VirtualFileSystem Allowing TRY() with KResult unlocked a whole lot more opportunities.
2021-09-05 12:55:25 +00:00
description->set_rw_mode(options);
description->set_file_flags(options);
Kernel: Move setting file flags and r/w mode to VFS::open() Previously, VFS::open() would only use the passed flags for permission checking purposes, and Process::sys$open() would set them on the created FileDescription explicitly. Now, they should be set by VFS::open() on any files being opened, including files that the kernel opens internally. This also lets us get rid of the explicit check for whether or not the returned FileDescription was a preopen fd, and in fact, fixes a bug where a read-only preopen fd without any other flags would be considered freshly opened (due to O_RDONLY being indistinguishable from 0) and granted a new set of flags.
2020-01-18 22:15:52 +00:00
return description;
Implement creating a new directory.
2018-10-15 22:35:03 +00:00
}
Kernel: Make VirtualFileSystem functions take credentials as input Instead of getting credentials from Process::current(), we now require that they be provided as input to the various VFS functions. This ensures that an atomic set of credentials is used throughout an entire VFS operation.
2022-08-21 14:02:24 +00:00
ErrorOr<void> VirtualFileSystem::mkdir(Credentials const& credentials, StringView path, mode_t mode, Custody& base)
Implement creating a new directory.
2018-10-15 22:35:03 +00:00
{
Kernel: Support trailing slashes in VFS::mkdir() This is apparently a special case unlike any other, so let's handle it directly in VFS::mkdir() instead of adding an alternative code path into VFS::resolve_path(). Fixes https://github.com/SerenityOS/serenity/issues/1253
2020-02-20 14:28:36 +00:00
// Unlike in basically every other case, where it's only the last
// path component (the one being created) that is allowed not to
// exist, POSIX allows mkdir'ed path to have trailing slashes.
// Let's handle that case by trimming any trailing slashes.
Kernel: Return correct error numbers for the mkdir syscall Previously, VirtualFileSystem::mkdir() would always return ENOENT if no parent custody was returned by resolve_path(). This is incorrect when e.g. the user has no search permission in a component of the path prefix (=> EACCES), or if on component of the path prefix is a file (=> ENOTDIR). This patch fixes that behavior.
2021-07-11 11:46:05 +00:00
path = path.trim("/"sv, TrimMode::Right);
if (path.is_empty()) {
// NOTE: This means the path was a series of slashes, which resolves to "/".
Everywhere: Add sv suffix to strings relying on StringView(char const*) Each of these strings would previously rely on StringView's char const* constructor overload, which would call __builtin_strlen on the string. Since we now have operator ""sv, we can replace these with much simpler versions. This opens the door to being able to remove StringView(char const*). No functional changes.
2022-07-11 17:32:29 +00:00
path = "/"sv;
Kernel: Return correct error numbers for the mkdir syscall Previously, VirtualFileSystem::mkdir() would always return ENOENT if no parent custody was returned by resolve_path(). This is incorrect when e.g. the user has no search permission in a component of the path prefix (=> EACCES), or if on component of the path prefix is a file (=> ENOTDIR). This patch fixes that behavior.
2021-07-11 11:46:05 +00:00
}
Kernel: Support trailing slashes in VFS::mkdir() This is apparently a special case unlike any other, so let's handle it directly in VFS::mkdir() instead of adding an alternative code path into VFS::resolve_path(). Fixes https://github.com/SerenityOS/serenity/issues/1253
2020-02-20 14:28:36 +00:00
Kernel: Use RefPtr instead of LockRefPtr for Custody By protecting all the RefPtr<Custody> objects that may be accessed from multiple threads at the same time (with spinlocks), we remove the need for using LockRefPtr<Custody> (which is basically a RefPtr with a built-in spinlock.)
2022-08-20 23:04:35 +00:00
RefPtr<Custody> parent_custody;
Kernel/VFS: Add FIXMEs about error codes leaking data from veiled paths Error codes can leak information about veiled paths, if the path resolution fails with e.g. EACCESS. This is non-trivial to fix, as there is a group of error codes we want to propagate to the caller, such as ENOMEM.
2022-02-13 16:31:33 +00:00
// FIXME: The errors returned by resolve_path_without_veil can leak information about paths that are not unveiled,
// e.g. when the error is EACCESS or similar.
Kernel: Make VirtualFileSystem functions take credentials as input Instead of getting credentials from Process::current(), we now require that they be provided as input to the various VFS functions. This ensures that an atomic set of credentials is used throughout an entire VFS operation.
2022-08-21 14:02:24 +00:00
auto result = resolve_path_without_veil(credentials, path, base, &parent_custody);
Kernel: Return correct error numbers for the mkdir syscall Previously, VirtualFileSystem::mkdir() would always return ENOENT if no parent custody was returned by resolve_path(). This is incorrect when e.g. the user has no search permission in a component of the path prefix (=> EACCES), or if on component of the path prefix is a file (=> ENOTDIR). This patch fixes that behavior.
2021-07-11 11:46:05 +00:00
if (!result.is_error())
Kernel+LibC: Turn errno codes into a strongly typed enum ..and allow implicit creation of KResult and KResultOr from ErrnoCode. This means that kernel functions that return those types can finally do "return EINVAL;" and it will just work. There's a handful of functions that still deal with signed integers that should be converted to return KResults.
2021-01-20 22:11:17 +00:00
return EEXIST;
Kernel: Use more if-with-initializer in VFS
2021-04-10 22:40:38 +00:00
else if (!parent_custody)
Kernel: Replace KResult and KResultOr<T> with Error and ErrorOr<T> We now use AK::Error and AK::ErrorOr<T> in both kernel and userspace! This was a slightly tedious refactoring that took a long time, so it's not unlikely that some bugs crept in. Nevertheless, it does pass basic functionality testing, and it's just real nice to finally see the same pattern in all contexts. :^)
2021-11-07 23:51:39 +00:00
return result.release_error();
Kernel: Return correct error numbers for the mkdir syscall Previously, VirtualFileSystem::mkdir() would always return ENOENT if no parent custody was returned by resolve_path(). This is incorrect when e.g. the user has no search permission in a component of the path prefix (=> EACCES), or if on component of the path prefix is a file (=> ENOTDIR). This patch fixes that behavior.
2021-07-11 11:46:05 +00:00
// NOTE: If resolve_path fails with a non-null parent custody, the error should be ENOENT.
Kernel: Replace KResult and KResultOr<T> with Error and ErrorOr<T> We now use AK::Error and AK::ErrorOr<T> in both kernel and userspace! This was a slightly tedious refactoring that took a long time, so it's not unlikely that some bugs crept in. Nevertheless, it does pass basic functionality testing, and it's just real nice to finally see the same pattern in all contexts. :^)
2021-11-07 23:51:39 +00:00
VERIFY(result.error().code() == ENOENT);
Kernel: Add KResult and KResultOr<T> classes. The idea here is to combine a potential syscall error code with an arbitrary type in the case of success. I feel like this will end up much less error prone than returning some arbitrary type that kinda sorta has bool semantics (but sometimes not really) and passing the error through an out-param. This patch only converts a few syscalls to using it. More to come.
2019-02-25 19:47:56 +00:00
Kernel/VFS: Validate paths against process veil in mkdir() VirtualFileSystem::mkdir() relies on resolve_path() returning an error, since it is only interested in the out_parent passed as a pointer. Since resolve_path_without_veil returns an error, no process veil validation is done by resolve_path() in that case. Due to this problem, mkdir() should use resolve_path_without_veil() and then manually validate if the parent directory of the to-be-created directory is unveiled with 'c' permissions. This fixes a bug where the mkdir syscall would not respect the process veil at all.
2021-07-11 12:50:15 +00:00
TRY(validate_path_against_process_veil(*parent_custody, O_CREAT));
FileSystem: Port most of the code over to using custodies. The current working directory is now stored as a custody. Likewise for a process executable file. This unbreaks /proc/PID/fd which has not been working since we made the filesystem bigger. This still needs a bunch of work, for instance when renaming or removing a file somewhere, we have to update the relevant custody links.
2019-05-30 16:58:59 +00:00
auto& parent_inode = parent_custody->inode();
Kernel: Make VirtualFileSystem functions take credentials as input Instead of getting credentials from Process::current(), we now require that they be provided as input to the various VFS functions. This ensures that an atomic set of credentials is used throughout an entire VFS operation.
2022-08-21 14:02:24 +00:00
if (!parent_inode.metadata().may_write(credentials))
Kernel+LibC: Turn errno codes into a strongly typed enum ..and allow implicit creation of KResult and KResultOr from ErrnoCode. This means that kernel functions that return those types can finally do "return EINVAL;" and it will just work. There's a handful of functions that still deal with signed integers that should be converted to return KResults.
2021-01-20 22:11:17 +00:00
return EACCES;
Kernel: Support read-only filesystem mounts This adds support for MS_RDONLY, a mount flag that tells the kernel to disallow any attempts to write to the newly mounted filesystem. As this flag is per-mount, and different mounts of the same filesystems (such as in case of bind mounts) can have different mutability settings, you have to go though a custody to find out if the filesystem is mounted read-only, instead of just asking the filesystem itself whether it's inherently read-only. This also adds a lot of checks we were previously missing; and moves some of them to happen after more specific checks (such as regular permission checks). One outstanding hole in this system is sys$mprotect(PROT_WRITE), as there's no way we can know if the original file description this region has been mounted from had been opened through a readonly mount point. Currently, we always allow such sys$mprotect() calls to succeed, which effectively allows anyone to circumvent the effect of MS_RDONLY. We should solve this one way or another.
2020-05-28 14:56:25 +00:00
if (parent_custody->is_readonly())
Kernel+LibC: Turn errno codes into a strongly typed enum ..and allow implicit creation of KResult and KResultOr from ErrnoCode. This means that kernel functions that return those types can finally do "return EINVAL;" and it will just work. There's a handful of functions that still deal with signed integers that should be converted to return KResults.
2021-01-20 22:11:17 +00:00
return EROFS;
Kernel: Start adding various file system permission checks. Fail with EACCES in various situations. Fix userland bugs that were exposed.
2019-02-21 14:45:31 +00:00
Kernel: Replace usage of LexicalPath with KLexicalPath This replaces all uses of LexicalPath in the Kernel with the functions from KLexicalPath. This also allows the Kernel to stop including AK::LexicalPath.
2021-07-06 09:21:52 +00:00
auto basename = KLexicalPath::basename(path);
Kernel: Rename VFS => VirtualFileSystem
2021-07-10 22:25:24 +00:00
dbgln_if(VFS_DEBUG, "VirtualFileSystem::mkdir: '{}' in {}", basename, parent_inode.identifier());
Kernel: Make VirtualFileSystem functions take credentials as input Instead of getting credentials from Process::current(), we now require that they be provided as input to the various VFS functions. This ensures that an atomic set of credentials is used throughout an entire VFS operation.
2022-08-21 14:02:24 +00:00
(void)TRY(parent_inode.create_child(basename, S_IFDIR | mode, 0, credentials.euid(), credentials.egid()));
Kernel: Replace KResult and KResultOr<T> with Error and ErrorOr<T> We now use AK::Error and AK::ErrorOr<T> in both kernel and userspace! This was a slightly tedious refactoring that took a long time, so it's not unlikely that some bugs crept in. Nevertheless, it does pass basic functionality testing, and it's just real nice to finally see the same pattern in all contexts. :^)
2021-11-07 23:51:39 +00:00
return {};
Import all this stuff into a single repo called Serenity.
2018-10-10 09:53:07 +00:00
}
Kernel+LibC+LibCore+UserspaceEmulator: Implement `faccessat(2)` Co-Authored-By: Daniel Bertalan <dani@danielbertalan.dev>
2022-10-01 12:24:56 +00:00
ErrorOr<void> VirtualFileSystem::access(Credentials const& credentials, StringView path, int mode, Custody& base, AccessFlags access_flags)
Compat work towards porting vim.
2019-02-26 14:57:59 +00:00
{
Kernel+LibC+LibCore+UserspaceEmulator: Implement `faccessat(2)` Co-Authored-By: Daniel Bertalan <dani@danielbertalan.dev>
2022-10-01 12:24:56 +00:00
auto should_follow_symlinks = !has_flag(access_flags, AccessFlags::DoNotFollowSymlinks);
auto custody = TRY(resolve_path(credentials, path, base, nullptr, should_follow_symlinks ? 0 : O_NOFOLLOW_NOERROR));
Kernel: Use TRY() in VirtualFileSystem
2021-09-05 12:00:18 +00:00
auto& inode = custody->inode();
FileSystem: Port most of the code over to using custodies. The current working directory is now stored as a custody. Likewise for a process executable file. This unbreaks /proc/PID/fd which has not been working since we made the filesystem bigger. This still needs a bunch of work, for instance when renaming or removing a file somewhere, we have to update the relevant custody links.
2019-05-30 16:58:59 +00:00
auto metadata = inode.metadata();
Kernel+LibC+LibCore+UserspaceEmulator: Implement `faccessat(2)` Co-Authored-By: Daniel Bertalan <dani@danielbertalan.dev>
2022-10-01 12:24:56 +00:00
auto use_effective_ids = has_flag(access_flags, AccessFlags::EffectiveAccess) ? UseEffectiveIDs::Yes : UseEffectiveIDs::No;
Compat work towards porting vim.
2019-02-26 14:57:59 +00:00
if (mode & R_OK) {
Kernel+LibC+LibCore+UserspaceEmulator: Implement `faccessat(2)` Co-Authored-By: Daniel Bertalan <dani@danielbertalan.dev>
2022-10-01 12:24:56 +00:00
if (!metadata.may_read(credentials, use_effective_ids))
Kernel+LibC: Turn errno codes into a strongly typed enum ..and allow implicit creation of KResult and KResultOr from ErrnoCode. This means that kernel functions that return those types can finally do "return EINVAL;" and it will just work. There's a handful of functions that still deal with signed integers that should be converted to return KResults.
2021-01-20 22:11:17 +00:00
return EACCES;
Compat work towards porting vim.
2019-02-26 14:57:59 +00:00
}
if (mode & W_OK) {
Kernel+LibC+LibCore+UserspaceEmulator: Implement `faccessat(2)` Co-Authored-By: Daniel Bertalan <dani@danielbertalan.dev>
2022-10-01 12:24:56 +00:00
if (!metadata.may_write(credentials, use_effective_ids))
Kernel+LibC: Turn errno codes into a strongly typed enum ..and allow implicit creation of KResult and KResultOr from ErrnoCode. This means that kernel functions that return those types can finally do "return EINVAL;" and it will just work. There's a handful of functions that still deal with signed integers that should be converted to return KResults.
2021-01-20 22:11:17 +00:00
return EACCES;
Kernel: Use TRY() in VirtualFileSystem
2021-09-05 12:00:18 +00:00
if (custody->is_readonly())
Kernel+LibC: Turn errno codes into a strongly typed enum ..and allow implicit creation of KResult and KResultOr from ErrnoCode. This means that kernel functions that return those types can finally do "return EINVAL;" and it will just work. There's a handful of functions that still deal with signed integers that should be converted to return KResults.
2021-01-20 22:11:17 +00:00
return EROFS;
Compat work towards porting vim.
2019-02-26 14:57:59 +00:00
}
if (mode & X_OK) {
Kernel+LibC+LibCore+UserspaceEmulator: Implement `faccessat(2)` Co-Authored-By: Daniel Bertalan <dani@danielbertalan.dev>
2022-10-01 12:24:56 +00:00
if (!metadata.may_execute(credentials, use_effective_ids))
Kernel+LibC: Turn errno codes into a strongly typed enum ..and allow implicit creation of KResult and KResultOr from ErrnoCode. This means that kernel functions that return those types can finally do "return EINVAL;" and it will just work. There's a handful of functions that still deal with signed integers that should be converted to return KResults.
2021-01-20 22:11:17 +00:00
return EACCES;
Compat work towards porting vim.
2019-02-26 14:57:59 +00:00
}
Kernel: Replace KResult and KResultOr<T> with Error and ErrorOr<T> We now use AK::Error and AK::ErrorOr<T> in both kernel and userspace! This was a slightly tedious refactoring that took a long time, so it's not unlikely that some bugs crept in. Nevertheless, it does pass basic functionality testing, and it's just real nice to finally see the same pattern in all contexts. :^)
2021-11-07 23:51:39 +00:00
return {};
Compat work towards porting vim.
2019-02-26 14:57:59 +00:00
}
Kernel: Make VirtualFileSystem functions take credentials as input Instead of getting credentials from Process::current(), we now require that they be provided as input to the various VFS functions. This ensures that an atomic set of credentials is used throughout an entire VFS operation.
2022-08-21 14:02:24 +00:00
ErrorOr<NonnullRefPtr<Custody>> VirtualFileSystem::open_directory(Credentials const& credentials, StringView path, Custody& base)
Kernel: Support chdir() to a directory that's executable but not readable. Also the superuser should be allowed to resolve any possible path without getting tripped up by EACCES.
2019-03-01 22:54:07 +00:00
{
Kernel: Make VirtualFileSystem functions take credentials as input Instead of getting credentials from Process::current(), we now require that they be provided as input to the various VFS functions. This ensures that an atomic set of credentials is used throughout an entire VFS operation.
2022-08-21 14:02:24 +00:00
auto custody = TRY(resolve_path(credentials, path, base));
Kernel: Use TRY() in VirtualFileSystem
2021-09-05 12:00:18 +00:00
auto& inode = custody->inode();
FileSystem: Port most of the code over to using custodies. The current working directory is now stored as a custody. Likewise for a process executable file. This unbreaks /proc/PID/fd which has not been working since we made the filesystem bigger. This still needs a bunch of work, for instance when renaming or removing a file somewhere, we have to update the relevant custody links.
2019-05-30 16:58:59 +00:00
if (!inode.is_directory())
Kernel+LibC: Turn errno codes into a strongly typed enum ..and allow implicit creation of KResult and KResultOr from ErrnoCode. This means that kernel functions that return those types can finally do "return EINVAL;" and it will just work. There's a handful of functions that still deal with signed integers that should be converted to return KResults.
2021-01-20 22:11:17 +00:00
return ENOTDIR;
Kernel: Make VirtualFileSystem functions take credentials as input Instead of getting credentials from Process::current(), we now require that they be provided as input to the various VFS functions. This ensures that an atomic set of credentials is used throughout an entire VFS operation.
2022-08-21 14:02:24 +00:00
if (!inode.metadata().may_execute(credentials))
Kernel+LibC: Turn errno codes into a strongly typed enum ..and allow implicit creation of KResult and KResultOr from ErrnoCode. This means that kernel functions that return those types can finally do "return EINVAL;" and it will just work. There's a handful of functions that still deal with signed integers that should be converted to return KResults.
2021-01-20 22:11:17 +00:00
return EACCES;
FileSystem: Port most of the code over to using custodies. The current working directory is now stored as a custody. Likewise for a process executable file. This unbreaks /proc/PID/fd which has not been working since we made the filesystem bigger. This still needs a bunch of work, for instance when renaming or removing a file somewhere, we have to update the relevant custody links.
2019-05-30 16:58:59 +00:00
return custody;
Kernel: Support chdir() to a directory that's executable but not readable. Also the superuser should be allowed to resolve any possible path without getting tripped up by EACCES.
2019-03-01 22:54:07 +00:00
}
Kernel: Make VirtualFileSystem functions take credentials as input Instead of getting credentials from Process::current(), we now require that they be provided as input to the various VFS functions. This ensures that an atomic set of credentials is used throughout an entire VFS operation.
2022-08-21 14:02:24 +00:00
ErrorOr<void> VirtualFileSystem::chmod(Credentials const& credentials, Custody& custody, mode_t mode)
Implement basic chmod() syscall and /bin/chmod helper. Only raw octal modes are supported right now. This patch also changes mode_t from 32-bit to 16-bit to match the on-disk type used by Ext2FS. I also ran into EPERM being errno=0 which was confusing, so I inserted an ESUCCESS in its place.
2019-01-29 03:55:08 +00:00
{
Kernel: Pass a Custody instead of Inode to VFS methods VFS no longer deals with inodes in public API, only with custodies and file descriptions. Talk directly to the file system if you need to operate on a inode. In most cases you actually want to go though VFS, to get proper permission check and other niceties. For this to work, you have to provide a custody, which describes *how* you have opened the inode, not just what the inode is.
2020-05-28 14:41:04 +00:00
auto& inode = custody.inode();
Kernel: Start adding various file system permission checks. Fail with EACCES in various situations. Fix userland bugs that were exposed.
2019-02-21 14:45:31 +00:00
Kernel: Make VirtualFileSystem functions take credentials as input Instead of getting credentials from Process::current(), we now require that they be provided as input to the various VFS functions. This ensures that an atomic set of credentials is used throughout an entire VFS operation.
2022-08-21 14:02:24 +00:00
if (credentials.euid() != inode.metadata().uid && !credentials.is_superuser())
Kernel+LibC: Turn errno codes into a strongly typed enum ..and allow implicit creation of KResult and KResultOr from ErrnoCode. This means that kernel functions that return those types can finally do "return EINVAL;" and it will just work. There's a handful of functions that still deal with signed integers that should be converted to return KResults.
2021-01-20 22:11:17 +00:00
return EPERM;
Kernel: Support read-only filesystem mounts This adds support for MS_RDONLY, a mount flag that tells the kernel to disallow any attempts to write to the newly mounted filesystem. As this flag is per-mount, and different mounts of the same filesystems (such as in case of bind mounts) can have different mutability settings, you have to go though a custody to find out if the filesystem is mounted read-only, instead of just asking the filesystem itself whether it's inherently read-only. This also adds a lot of checks we were previously missing; and moves some of them to happen after more specific checks (such as regular permission checks). One outstanding hole in this system is sys$mprotect(PROT_WRITE), as there's no way we can know if the original file description this region has been mounted from had been opened through a readonly mount point. Currently, we always allow such sys$mprotect() calls to succeed, which effectively allows anyone to circumvent the effect of MS_RDONLY. We should solve this one way or another.
2020-05-28 14:56:25 +00:00
if (custody.is_readonly())
Kernel+LibC: Turn errno codes into a strongly typed enum ..and allow implicit creation of KResult and KResultOr from ErrnoCode. This means that kernel functions that return those types can finally do "return EINVAL;" and it will just work. There's a handful of functions that still deal with signed integers that should be converted to return KResults.
2021-01-20 22:11:17 +00:00
return EROFS;
Implement basic chmod() syscall and /bin/chmod helper. Only raw octal modes are supported right now. This patch also changes mode_t from 32-bit to 16-bit to match the on-disk type used by Ext2FS. I also ran into EPERM being errno=0 which was confusing, so I inserted an ESUCCESS in its place.
2019-01-29 03:55:08 +00:00
// Only change the permission bits.
Kernel: Allow sys$chmod() to change the sticky bit We were incorrectly masking off the sticky bit when setting file modes.
2021-01-19 17:21:43 +00:00
mode = (inode.mode() & ~07777u) | (mode & 07777u);
Kernel+Userland: Implement fchmod() syscall and use it to improve /bin/cp. /bin/cp will now copy the permission bits from source to destination. :^)
2019-03-01 09:39:19 +00:00
return inode.chmod(mode);
}
Implement basic chmod() syscall and /bin/chmod helper. Only raw octal modes are supported right now. This patch also changes mode_t from 32-bit to 16-bit to match the on-disk type used by Ext2FS. I also ran into EPERM being errno=0 which was confusing, so I inserted an ESUCCESS in its place.
2019-01-29 03:55:08 +00:00
Kernel: Make VirtualFileSystem functions take credentials as input Instead of getting credentials from Process::current(), we now require that they be provided as input to the various VFS functions. This ensures that an atomic set of credentials is used throughout an entire VFS operation.
2022-08-21 14:02:24 +00:00
ErrorOr<void> VirtualFileSystem::chmod(Credentials const& credentials, StringView path, mode_t mode, Custody& base, int options)
Kernel+Userland: Implement fchmod() syscall and use it to improve /bin/cp. /bin/cp will now copy the permission bits from source to destination. :^)
2019-03-01 09:39:19 +00:00
{
Kernel: Make VirtualFileSystem functions take credentials as input Instead of getting credentials from Process::current(), we now require that they be provided as input to the various VFS functions. This ensures that an atomic set of credentials is used throughout an entire VFS operation.
2022-08-21 14:02:24 +00:00
auto custody = TRY(resolve_path(credentials, path, base, nullptr, options));
return chmod(credentials, custody, mode);
Kernel: Add KResult and KResultOr<T> classes. The idea here is to combine a potential syscall error code with an arbitrary type in the case of success. I feel like this will end up much less error prone than returning some arbitrary type that kinda sorta has bool semantics (but sometimes not really) and passing the error through an out-param. This patch only converts a few syscalls to using it. More to come.
2019-02-25 19:47:56 +00:00
}
Kernel+LibC+LibCore: Implement `renameat(2)` Now with the ability to specify different bases for the old and new paths.
2022-10-01 11:42:25 +00:00
ErrorOr<void> VirtualFileSystem::rename(Credentials const& credentials, Custody& old_base, StringView old_path, Custody& new_base, StringView new_path)
Kernel+Userland: Add the rename() syscall along with a basic /bin/mv.
2019-04-07 21:35:26 +00:00
{
Kernel: Use RefPtr instead of LockRefPtr for Custody By protecting all the RefPtr<Custody> objects that may be accessed from multiple threads at the same time (with spinlocks), we remove the need for using LockRefPtr<Custody> (which is basically a RefPtr with a built-in spinlock.)
2022-08-20 23:04:35 +00:00
RefPtr<Custody> old_parent_custody;
Kernel+LibC+LibCore: Implement `renameat(2)` Now with the ability to specify different bases for the old and new paths.
2022-10-01 11:42:25 +00:00
auto old_custody = TRY(resolve_path(credentials, old_path, old_base, &old_parent_custody, O_NOFOLLOW_NOERROR));
Kernel: Use TRY() in VirtualFileSystem
2021-09-05 12:00:18 +00:00
auto& old_inode = old_custody->inode();
Kernel+Userland: Add the rename() syscall along with a basic /bin/mv.
2019-04-07 21:35:26 +00:00
Kernel: Use RefPtr instead of LockRefPtr for Custody By protecting all the RefPtr<Custody> objects that may be accessed from multiple threads at the same time (with spinlocks), we remove the need for using LockRefPtr<Custody> (which is basically a RefPtr with a built-in spinlock.)
2022-08-20 23:04:35 +00:00
RefPtr<Custody> new_parent_custody;
Kernel+LibC+LibCore: Implement `renameat(2)` Now with the ability to specify different bases for the old and new paths.
2022-10-01 11:42:25 +00:00
auto new_custody_or_error = resolve_path(credentials, new_path, new_base, &new_parent_custody);
FileSystem: Port most of the code over to using custodies. The current working directory is now stored as a custody. Likewise for a process executable file. This unbreaks /proc/PID/fd which has not been working since we made the filesystem bigger. This still needs a bunch of work, for instance when renaming or removing a file somewhere, we have to update the relevant custody links.
2019-05-30 16:58:59 +00:00
if (new_custody_or_error.is_error()) {
Kernel: Replace KResult and KResultOr<T> with Error and ErrorOr<T> We now use AK::Error and AK::ErrorOr<T> in both kernel and userspace! This was a slightly tedious refactoring that took a long time, so it's not unlikely that some bugs crept in. Nevertheless, it does pass basic functionality testing, and it's just real nice to finally see the same pattern in all contexts. :^)
2021-11-07 23:51:39 +00:00
if (new_custody_or_error.error().code() != ENOENT || !new_parent_custody)
return new_custody_or_error.release_error();
Kernel+Userland: Add the rename() syscall along with a basic /bin/mv.
2019-04-07 21:35:26 +00:00
}
Kernel-VFS: Fixed kernel crash if parent custody is null In VFS::rename, if new_path is equal to '/', then, parent custody is set to null. VFS::rename would then use parent custody without checking it first. Fixed VFS::rename to check both old and new path parent custody before actually using them.
2021-05-06 17:35:34 +00:00
if (!old_parent_custody || !new_parent_custody) {
return EPERM;
}
VirtualFileSystem: Don't let rename() overwrite non-empty directory According to POSIX, rename shouldn't succeed if newpath is a non-empty directory.
2021-08-01 20:58:50 +00:00
if (!new_custody_or_error.is_error()) {
auto& new_inode = new_custody_or_error.value()->inode();
if (old_inode.index() != new_inode.index() && old_inode.is_directory() && new_inode.is_directory()) {
size_t child_count = 0;
Kernel: Make Inode::traverse_as_directory() callback return ErrorOr This allows us to propagate errors from inside the callback with TRY().
2021-11-10 14:42:39 +00:00
TRY(new_inode.traverse_as_directory([&child_count](auto&) -> ErrorOr<void> {
VirtualFileSystem: Don't let rename() overwrite non-empty directory According to POSIX, rename shouldn't succeed if newpath is a non-empty directory.
2021-08-01 20:58:50 +00:00
++child_count;
Kernel: Make Inode::traverse_as_directory() callback return ErrorOr This allows us to propagate errors from inside the callback with TRY().
2021-11-10 14:42:39 +00:00
return {};
Kernel: Wrap two VirtualFileSystem directory traversals in TRY()
2021-09-06 18:30:18 +00:00
}));
VirtualFileSystem: Don't let rename() overwrite non-empty directory According to POSIX, rename shouldn't succeed if newpath is a non-empty directory.
2021-08-01 20:58:50 +00:00
if (child_count > 2)
return ENOTEMPTY;
}
}
FileSystem: Port most of the code over to using custodies. The current working directory is now stored as a custody. Likewise for a process executable file. This unbreaks /proc/PID/fd which has not been working since we made the filesystem bigger. This still needs a bunch of work, for instance when renaming or removing a file somewhere, we have to update the relevant custody links.
2019-05-30 16:58:59 +00:00
auto& old_parent_inode = old_parent_custody->inode();
auto& new_parent_inode = new_parent_custody->inode();
Kernel: rename() should fail with EXDEV for cross-device requests POSIX does not support rename() from one file system to another.
2020-01-03 03:10:05 +00:00
if (&old_parent_inode.fs() != &new_parent_inode.fs())
Kernel+LibC: Turn errno codes into a strongly typed enum ..and allow implicit creation of KResult and KResultOr from ErrnoCode. This means that kernel functions that return those types can finally do "return EINVAL;" and it will just work. There's a handful of functions that still deal with signed integers that should be converted to return KResults.
2021-01-20 22:11:17 +00:00
return EXDEV;
Kernel: rename() should fail with EXDEV for cross-device requests POSIX does not support rename() from one file system to another.
2020-01-03 03:10:05 +00:00
Kernel+LibC: Don't allow a directory to become a subdirectory of itself If you try to do this (e.g "mv directory directory"), sys$rename() will now fail with EDIRINTOSELF. Dr. POSIX says we should return EINVAL for this, but a custom error code allows us to print a much more helpful error message when this problem occurs. :^)
2020-11-01 16:17:23 +00:00
for (auto* new_ancestor = new_parent_custody.ptr(); new_ancestor; new_ancestor = new_ancestor->parent()) {
if (&old_inode == &new_ancestor->inode())
Kernel+LibC: Turn errno codes into a strongly typed enum ..and allow implicit creation of KResult and KResultOr from ErrnoCode. This means that kernel functions that return those types can finally do "return EINVAL;" and it will just work. There's a handful of functions that still deal with signed integers that should be converted to return KResults.
2021-01-20 22:11:17 +00:00
return EDIRINTOSELF;
Kernel+LibC: Don't allow a directory to become a subdirectory of itself If you try to do this (e.g "mv directory directory"), sys$rename() will now fail with EDIRINTOSELF. Dr. POSIX says we should return EINVAL for this, but a custom error code allows us to print a much more helpful error message when this problem occurs. :^)
2020-11-01 16:17:23 +00:00
}
Kernel: Make VirtualFileSystem functions take credentials as input Instead of getting credentials from Process::current(), we now require that they be provided as input to the various VFS functions. This ensures that an atomic set of credentials is used throughout an entire VFS operation.
2022-08-21 14:02:24 +00:00
if (!new_parent_inode.metadata().may_write(credentials))
Kernel+LibC: Turn errno codes into a strongly typed enum ..and allow implicit creation of KResult and KResultOr from ErrnoCode. This means that kernel functions that return those types can finally do "return EINVAL;" and it will just work. There's a handful of functions that still deal with signed integers that should be converted to return KResults.
2021-01-20 22:11:17 +00:00
return EACCES;
Kernel+Userland: Add the rename() syscall along with a basic /bin/mv.
2019-04-07 21:35:26 +00:00
Kernel: Make VirtualFileSystem functions take credentials as input Instead of getting credentials from Process::current(), we now require that they be provided as input to the various VFS functions. This ensures that an atomic set of credentials is used throughout an entire VFS operation.
2022-08-21 14:02:24 +00:00
if (!old_parent_inode.metadata().may_write(credentials))
Kernel+LibC: Turn errno codes into a strongly typed enum ..and allow implicit creation of KResult and KResultOr from ErrnoCode. This means that kernel functions that return those types can finally do "return EINVAL;" and it will just work. There's a handful of functions that still deal with signed integers that should be converted to return KResults.
2021-01-20 22:11:17 +00:00
return EACCES;
Kernel+Userland: Add the rename() syscall along with a basic /bin/mv.
2019-04-07 21:35:26 +00:00
FileSystem: Port most of the code over to using custodies. The current working directory is now stored as a custody. Likewise for a process executable file. This unbreaks /proc/PID/fd which has not been working since we made the filesystem bigger. This still needs a bunch of work, for instance when renaming or removing a file somewhere, we have to update the relevant custody links.
2019-05-30 16:58:59 +00:00
if (old_parent_inode.metadata().is_sticky()) {
Kernel: Allow to remove files from sticky directory if user owns it It's what the Linux chmod(1) manpage says (in the 'Restricted Deletion Flag or Sticky Bit' section), and it just makes sense to me. :^)
2022-09-01 12:16:32 +00:00
if (!credentials.is_superuser() && old_parent_inode.metadata().uid != credentials.euid() && old_inode.metadata().uid != credentials.euid())
Kernel+LibC: Turn errno codes into a strongly typed enum ..and allow implicit creation of KResult and KResultOr from ErrnoCode. This means that kernel functions that return those types can finally do "return EINVAL;" and it will just work. There's a handful of functions that still deal with signed integers that should be converted to return KResults.
2021-01-20 22:11:17 +00:00
return EACCES;
VFS: Implement sticky bit behavior for rename() and unlink(). Removing entries from a sticky directory is only allowed when you are either the owner of the entry, or the superuser. :^)
2019-04-28 20:54:30 +00:00
}
Kernel: Support read-only filesystem mounts This adds support for MS_RDONLY, a mount flag that tells the kernel to disallow any attempts to write to the newly mounted filesystem. As this flag is per-mount, and different mounts of the same filesystems (such as in case of bind mounts) can have different mutability settings, you have to go though a custody to find out if the filesystem is mounted read-only, instead of just asking the filesystem itself whether it's inherently read-only. This also adds a lot of checks we were previously missing; and moves some of them to happen after more specific checks (such as regular permission checks). One outstanding hole in this system is sys$mprotect(PROT_WRITE), as there's no way we can know if the original file description this region has been mounted from had been opened through a readonly mount point. Currently, we always allow such sys$mprotect() calls to succeed, which effectively allows anyone to circumvent the effect of MS_RDONLY. We should solve this one way or another.
2020-05-28 14:56:25 +00:00
if (old_parent_custody->is_readonly() || new_parent_custody->is_readonly())
Kernel+LibC: Turn errno codes into a strongly typed enum ..and allow implicit creation of KResult and KResultOr from ErrnoCode. This means that kernel functions that return those types can finally do "return EINVAL;" and it will just work. There's a handful of functions that still deal with signed integers that should be converted to return KResults.
2021-01-20 22:11:17 +00:00
return EROFS;
Kernel: Support read-only filesystem mounts This adds support for MS_RDONLY, a mount flag that tells the kernel to disallow any attempts to write to the newly mounted filesystem. As this flag is per-mount, and different mounts of the same filesystems (such as in case of bind mounts) can have different mutability settings, you have to go though a custody to find out if the filesystem is mounted read-only, instead of just asking the filesystem itself whether it's inherently read-only. This also adds a lot of checks we were previously missing; and moves some of them to happen after more specific checks (such as regular permission checks). One outstanding hole in this system is sys$mprotect(PROT_WRITE), as there's no way we can know if the original file description this region has been mounted from had been opened through a readonly mount point. Currently, we always allow such sys$mprotect() calls to succeed, which effectively allows anyone to circumvent the effect of MS_RDONLY. We should solve this one way or another.
2020-05-28 14:56:25 +00:00
VirtualFileSystem: Check for '.' '..' and empty filenames This commit adds a check, to prevent empty dot or dot-dot filenames when renaming a file and returns EINVAL in that case.
2021-07-16 19:12:07 +00:00
auto old_basename = KLexicalPath::basename(old_path);
if (old_basename.is_empty() || old_basename == "."sv || old_basename == ".."sv)
return EINVAL;
Kernel: Replace usage of LexicalPath with KLexicalPath This replaces all uses of LexicalPath in the Kernel with the functions from KLexicalPath. This also allows the Kernel to stop including AK::LexicalPath.
2021-07-06 09:21:52 +00:00
auto new_basename = KLexicalPath::basename(new_path);
VirtualFileSystem: Check for '.' '..' and empty filenames This commit adds a check, to prevent empty dot or dot-dot filenames when renaming a file and returns EINVAL in that case.
2021-07-16 19:12:07 +00:00
if (new_basename.is_empty() || new_basename == "."sv || new_basename == ".."sv)
return EINVAL;
FileSystem: Reuse existing custodies when possible, and keep them updated. Walk the custody cache and try to reuse an existing one when possible. The VFS is responsible for updating them when something happens that would cause the described relationship to change. This is definitely not perfect but it does work for the basic scenarios like renaming and removing directory entries.
2019-05-31 13:22:52 +00:00
VirtualFileSystem: Return early in rename() when old_path==new_path This change fixes disappearing symlink after trying to do the following thing: cp /res/icons/16x16/add-event.png . ln -s add-event.png a mv a a
2021-08-10 11:39:44 +00:00
if (old_basename == new_basename && old_parent_inode.index() == new_parent_inode.index())
Kernel: Replace KResult and KResultOr<T> with Error and ErrorOr<T> We now use AK::Error and AK::ErrorOr<T> in both kernel and userspace! This was a slightly tedious refactoring that took a long time, so it's not unlikely that some bugs crept in. Nevertheless, it does pass basic functionality testing, and it's just real nice to finally see the same pattern in all contexts. :^)
2021-11-07 23:51:39 +00:00
return {};
VirtualFileSystem: Return early in rename() when old_path==new_path This change fixes disappearing symlink after trying to do the following thing: cp /res/icons/16x16/add-event.png . ln -s add-event.png a mv a a
2021-08-10 11:39:44 +00:00
FileSystem: Port most of the code over to using custodies. The current working directory is now stored as a custody. Likewise for a process executable file. This unbreaks /proc/PID/fd which has not been working since we made the filesystem bigger. This still needs a bunch of work, for instance when renaming or removing a file somewhere, we have to update the relevant custody links.
2019-05-30 16:58:59 +00:00
if (!new_custody_or_error.is_error()) {
auto& new_custody = *new_custody_or_error.value();
auto& new_inode = new_custody.inode();
Kernel/FileSystem: Remove FIXME about old/new path being the same Added comment after confirming that Linux and OpenBSD implenment the same behavior.
2022-12-31 06:44:45 +00:00
// When the source/dest inodes are the same (in other words,
// when `old_path` and `new_path` are the same), perform a no-op
// and return success.
// Linux (`vfs_rename()`) and OpenBSD (`dorenameat()`) appear to have
// this same no-op behavior.
FileSystem: Port most of the code over to using custodies. The current working directory is now stored as a custody. Likewise for a process executable file. This unbreaks /proc/PID/fd which has not been working since we made the filesystem bigger. This still needs a bunch of work, for instance when renaming or removing a file somewhere, we have to update the relevant custody links.
2019-05-30 16:58:59 +00:00
if (&new_inode == &old_inode)
Kernel: Replace KResult and KResultOr<T> with Error and ErrorOr<T> We now use AK::Error and AK::ErrorOr<T> in both kernel and userspace! This was a slightly tedious refactoring that took a long time, so it's not unlikely that some bugs crept in. Nevertheless, it does pass basic functionality testing, and it's just real nice to finally see the same pattern in all contexts. :^)
2021-11-07 23:51:39 +00:00
return {};
FileSystem: Port most of the code over to using custodies. The current working directory is now stored as a custody. Likewise for a process executable file. This unbreaks /proc/PID/fd which has not been working since we made the filesystem bigger. This still needs a bunch of work, for instance when renaming or removing a file somewhere, we have to update the relevant custody links.
2019-05-30 16:58:59 +00:00
if (new_parent_inode.metadata().is_sticky()) {
Kernel: Make VirtualFileSystem functions take credentials as input Instead of getting credentials from Process::current(), we now require that they be provided as input to the various VFS functions. This ensures that an atomic set of credentials is used throughout an entire VFS operation.
2022-08-21 14:02:24 +00:00
if (!credentials.is_superuser() && new_inode.metadata().uid != credentials.euid())
Kernel+LibC: Turn errno codes into a strongly typed enum ..and allow implicit creation of KResult and KResultOr from ErrnoCode. This means that kernel functions that return those types can finally do "return EINVAL;" and it will just work. There's a handful of functions that still deal with signed integers that should be converted to return KResults.
2021-01-20 22:11:17 +00:00
return EACCES;
VFS: Also respect the sticky bit of the new parent in rename(). Obviously we should not allow overwriting someone else's files in a sticky directory either.
2019-04-28 21:34:33 +00:00
}
FileSystem: Port most of the code over to using custodies. The current working directory is now stored as a custody. Likewise for a process executable file. This unbreaks /proc/PID/fd which has not been working since we made the filesystem bigger. This still needs a bunch of work, for instance when renaming or removing a file somewhere, we have to update the relevant custody links.
2019-05-30 16:58:59 +00:00
if (new_inode.is_directory() && !old_inode.is_directory())
Kernel+LibC: Turn errno codes into a strongly typed enum ..and allow implicit creation of KResult and KResultOr from ErrnoCode. This means that kernel functions that return those types can finally do "return EINVAL;" and it will just work. There's a handful of functions that still deal with signed integers that should be converted to return KResults.
2021-01-20 22:11:17 +00:00
return EISDIR;
Kernel: Use TRY() even more in VirtualFileSystem Allowing TRY() with KResult unlocked a whole lot more opportunities.
2021-09-05 12:55:25 +00:00
TRY(new_parent_inode.remove_child(new_basename));
Kernel+Userland: Add the rename() syscall along with a basic /bin/mv.
2019-04-07 21:35:26 +00:00
}
Kernel: Use TRY() even more in VirtualFileSystem Allowing TRY() with KResult unlocked a whole lot more opportunities.
2021-09-05 12:55:25 +00:00
TRY(new_parent_inode.add_child(old_inode, new_basename, old_inode.mode()));
TRY(old_parent_inode.remove_child(old_basename));
Kernel: Update the ".." inode for directories after a rename Because the ".." entry in a directory is a separate inode, if a directory is renamed to a new location, then we should update this entry the point to the new parent directory as well. Co-authored-by: Liav A <liavalb@gmail.com>
2022-10-08 09:22:12 +00:00
// If the inode that we moved is a directory and we changed parent
// directories, then we also have to make .. point to the new parent inode,
// because .. is its own inode.
if (old_inode.is_directory() && old_parent_inode.index() != new_parent_inode.index()) {
TRY(old_inode.replace_child(".."sv, new_parent_inode));
}
Kernel: Replace KResult and KResultOr<T> with Error and ErrorOr<T> We now use AK::Error and AK::ErrorOr<T> in both kernel and userspace! This was a slightly tedious refactoring that took a long time, so it's not unlikely that some bugs crept in. Nevertheless, it does pass basic functionality testing, and it's just real nice to finally see the same pattern in all contexts. :^)
2021-11-07 23:51:39 +00:00
return {};
Kernel+Userland: Add the rename() syscall along with a basic /bin/mv.
2019-04-07 21:35:26 +00:00
}
Kernel: Make VirtualFileSystem functions take credentials as input Instead of getting credentials from Process::current(), we now require that they be provided as input to the various VFS functions. This ensures that an atomic set of credentials is used throughout an entire VFS operation.
2022-08-21 14:02:24 +00:00
ErrorOr<void> VirtualFileSystem::chown(Credentials const& credentials, Custody& custody, UserID a_uid, GroupID a_gid)
Add chown() syscall and a simple /bin/chown program.
2019-02-27 11:32:53 +00:00
{
Kernel: Pass a Custody instead of Inode to VFS methods VFS no longer deals with inodes in public API, only with custodies and file descriptions. Talk directly to the file system if you need to operate on a inode. In most cases you actually want to go though VFS, to get proper permission check and other niceties. For this to work, you have to provide a custody, which describes *how* you have opened the inode, not just what the inode is.
2020-05-28 14:41:04 +00:00
auto& inode = custody.inode();
FileSystem: Only retrieve inode metadata once in VFS::chown().
2019-06-02 08:31:25 +00:00
auto metadata = inode.metadata();
Kernel: Make VirtualFileSystem functions take credentials as input Instead of getting credentials from Process::current(), we now require that they be provided as input to the various VFS functions. This ensures that an atomic set of credentials is used throughout an entire VFS operation.
2022-08-21 14:02:24 +00:00
if (credentials.euid() != metadata.uid && !credentials.is_superuser())
Kernel+LibC: Turn errno codes into a strongly typed enum ..and allow implicit creation of KResult and KResultOr from ErrnoCode. This means that kernel functions that return those types can finally do "return EINVAL;" and it will just work. There's a handful of functions that still deal with signed integers that should be converted to return KResults.
2021-01-20 22:11:17 +00:00
return EPERM;
Add chown() syscall and a simple /bin/chown program.
2019-02-27 11:32:53 +00:00
Kernel: Strongly typed user & group ID's Prior to this change, both uid_t and gid_t were typedef'ed to `u32`. This made it easy to use them interchangeably. Let's not allow that. This patch adds UserID and GroupID using the AK::DistinctNumeric mechanism we've already been employing for pid_t/ProcessID.
2021-08-28 20:11:16 +00:00
UserID new_uid = metadata.uid;
GroupID new_gid = metadata.gid;
Add chown() syscall and a simple /bin/chown program.
2019-02-27 11:32:53 +00:00
if (a_uid != (uid_t)-1) {
Kernel: Make VirtualFileSystem functions take credentials as input Instead of getting credentials from Process::current(), we now require that they be provided as input to the various VFS functions. This ensures that an atomic set of credentials is used throughout an entire VFS operation.
2022-08-21 14:02:24 +00:00
if (credentials.euid() != a_uid && !credentials.is_superuser())
Kernel+LibC: Turn errno codes into a strongly typed enum ..and allow implicit creation of KResult and KResultOr from ErrnoCode. This means that kernel functions that return those types can finally do "return EINVAL;" and it will just work. There's a handful of functions that still deal with signed integers that should be converted to return KResults.
2021-01-20 22:11:17 +00:00
return EPERM;
Add chown() syscall and a simple /bin/chown program.
2019-02-27 11:32:53 +00:00
new_uid = a_uid;
}
if (a_gid != (gid_t)-1) {
Kernel: Make VirtualFileSystem functions take credentials as input Instead of getting credentials from Process::current(), we now require that they be provided as input to the various VFS functions. This ensures that an atomic set of credentials is used throughout an entire VFS operation.
2022-08-21 14:02:24 +00:00
if (!credentials.in_group(a_gid) && !credentials.is_superuser())
Kernel+LibC: Turn errno codes into a strongly typed enum ..and allow implicit creation of KResult and KResultOr from ErrnoCode. This means that kernel functions that return those types can finally do "return EINVAL;" and it will just work. There's a handful of functions that still deal with signed integers that should be converted to return KResults.
2021-01-20 22:11:17 +00:00
return EPERM;
Add chown() syscall and a simple /bin/chown program.
2019-02-27 11:32:53 +00:00
new_gid = a_gid;
}
Kernel: Support read-only filesystem mounts This adds support for MS_RDONLY, a mount flag that tells the kernel to disallow any attempts to write to the newly mounted filesystem. As this flag is per-mount, and different mounts of the same filesystems (such as in case of bind mounts) can have different mutability settings, you have to go though a custody to find out if the filesystem is mounted read-only, instead of just asking the filesystem itself whether it's inherently read-only. This also adds a lot of checks we were previously missing; and moves some of them to happen after more specific checks (such as regular permission checks). One outstanding hole in this system is sys$mprotect(PROT_WRITE), as there's no way we can know if the original file description this region has been mounted from had been opened through a readonly mount point. Currently, we always allow such sys$mprotect() calls to succeed, which effectively allows anyone to circumvent the effect of MS_RDONLY. We should solve this one way or another.
2020-05-28 14:56:25 +00:00
if (custody.is_readonly())
Kernel+LibC: Turn errno codes into a strongly typed enum ..and allow implicit creation of KResult and KResultOr from ErrnoCode. This means that kernel functions that return those types can finally do "return EINVAL;" and it will just work. There's a handful of functions that still deal with signed integers that should be converted to return KResults.
2021-01-20 22:11:17 +00:00
return EROFS;
Kernel: Support read-only filesystem mounts This adds support for MS_RDONLY, a mount flag that tells the kernel to disallow any attempts to write to the newly mounted filesystem. As this flag is per-mount, and different mounts of the same filesystems (such as in case of bind mounts) can have different mutability settings, you have to go though a custody to find out if the filesystem is mounted read-only, instead of just asking the filesystem itself whether it's inherently read-only. This also adds a lot of checks we were previously missing; and moves some of them to happen after more specific checks (such as regular permission checks). One outstanding hole in this system is sys$mprotect(PROT_WRITE), as there's no way we can know if the original file description this region has been mounted from had been opened through a readonly mount point. Currently, we always allow such sys$mprotect() calls to succeed, which effectively allows anyone to circumvent the effect of MS_RDONLY. We should solve this one way or another.
2020-05-28 14:56:25 +00:00
Kernel: Rename VFS => VirtualFileSystem
2021-07-10 22:25:24 +00:00
dbgln_if(VFS_DEBUG, "VirtualFileSystem::chown(): inode {} <- uid={} gid={}", inode.identifier(), new_uid, new_gid);
Kernel: Strip SUID+SGID bits from file when written to or chowned Fixes #1624.
2020-04-04 17:46:55 +00:00
if (metadata.is_setuid() || metadata.is_setgid()) {
Kernel: Rename VFS => VirtualFileSystem
2021-07-10 22:25:24 +00:00
dbgln_if(VFS_DEBUG, "VirtualFileSystem::chown(): Stripping SUID/SGID bits from {}", inode.identifier());
Kernel: Use TRY() even more in VirtualFileSystem Allowing TRY() with KResult unlocked a whole lot more opportunities.
2021-09-05 12:55:25 +00:00
TRY(inode.chmod(metadata.mode & ~(04000 | 02000)));
Kernel: Strip SUID+SGID bits from file when written to or chowned Fixes #1624.
2020-04-04 17:46:55 +00:00
}
FileSystem: Port most of the code over to using custodies. The current working directory is now stored as a custody. Likewise for a process executable file. This unbreaks /proc/PID/fd which has not been working since we made the filesystem bigger. This still needs a bunch of work, for instance when renaming or removing a file somewhere, we have to update the relevant custody links.
2019-05-30 16:58:59 +00:00
return inode.chown(new_uid, new_gid);
Add chown() syscall and a simple /bin/chown program.
2019-02-27 11:32:53 +00:00
}
Kernel: Make VirtualFileSystem functions take credentials as input Instead of getting credentials from Process::current(), we now require that they be provided as input to the various VFS functions. This ensures that an atomic set of credentials is used throughout an entire VFS operation.
2022-08-21 14:02:24 +00:00
ErrorOr<void> VirtualFileSystem::chown(Credentials const& credentials, StringView path, UserID a_uid, GroupID a_gid, Custody& base, int options)
FileSystem: Route chown() and fchown() through VFS for access control.
2019-06-02 10:30:24 +00:00
{
Kernel: Make VirtualFileSystem functions take credentials as input Instead of getting credentials from Process::current(), we now require that they be provided as input to the various VFS functions. This ensures that an atomic set of credentials is used throughout an entire VFS operation.
2022-08-21 14:02:24 +00:00
auto custody = TRY(resolve_path(credentials, path, base, nullptr, options));
return chown(credentials, custody, a_uid, a_gid);
FileSystem: Route chown() and fchown() through VFS for access control.
2019-06-02 10:30:24 +00:00
}
Kernel: Make VirtualFileSystem functions take credentials as input Instead of getting credentials from Process::current(), we now require that they be provided as input to the various VFS functions. This ensures that an atomic set of credentials is used throughout an entire VFS operation.
2022-08-21 14:02:24 +00:00
static bool hard_link_allowed(Credentials const& credentials, Inode const& inode)
Kernel: Implement the same hard link protection as Linux sys$link() will now fail to create hard links in some cases where you don't own or have write access to the link target. Work towards #4934
2021-01-19 16:59:32 +00:00
{
auto metadata = inode.metadata();
Kernel: Make VirtualFileSystem functions take credentials as input Instead of getting credentials from Process::current(), we now require that they be provided as input to the various VFS functions. This ensures that an atomic set of credentials is used throughout an entire VFS operation.
2022-08-21 14:02:24 +00:00
if (credentials.euid() == metadata.uid)
Kernel: Implement the same hard link protection as Linux sys$link() will now fail to create hard links in some cases where you don't own or have write access to the link target. Work towards #4934
2021-01-19 16:59:32 +00:00
return true;
if (metadata.is_regular_file()
&& !metadata.is_setuid()
&& !(metadata.is_setgid() && metadata.mode & S_IXGRP)
Kernel: Make VirtualFileSystem functions take credentials as input Instead of getting credentials from Process::current(), we now require that they be provided as input to the various VFS functions. This ensures that an atomic set of credentials is used throughout an entire VFS operation.
2022-08-21 14:02:24 +00:00
&& metadata.may_write(credentials)) {
Kernel: Implement the same hard link protection as Linux sys$link() will now fail to create hard links in some cases where you don't own or have write access to the link target. Work towards #4934
2021-01-19 16:59:32 +00:00
return true;
}
return false;
}
Kernel: Make VirtualFileSystem functions take credentials as input Instead of getting credentials from Process::current(), we now require that they be provided as input to the various VFS functions. This ensures that an atomic set of credentials is used throughout an entire VFS operation.
2022-08-21 14:02:24 +00:00
ErrorOr<void> VirtualFileSystem::link(Credentials const& credentials, StringView old_path, StringView new_path, Custody& base)
Kernel: Add link() syscall to create hard links. This accidentally grew into a little bit of VFS cleanup as well. Also add a simple /bin/ln implementation to exercise it.
2019-02-21 12:26:40 +00:00
{
Kernel: Reject create links on paths that were not unveiled as writable This solves one of the security issues being mentioned in issue #15996. We simply don't allow creating hardlinks on paths that were not unveiled as writable to prevent possible bypass on a certain path that was unveiled as non-writable.
2022-11-26 09:48:02 +00:00
// NOTE: To prevent unveil bypass by creating an hardlink after unveiling a path as read-only,
// check that if write permission is allowed by the veil info on the old_path.
auto old_custody = TRY(resolve_path(credentials, old_path, base, nullptr, O_RDWR));
Kernel: Use TRY() in VirtualFileSystem
2021-09-05 12:00:18 +00:00
auto& old_inode = old_custody->inode();
Kernel: Add link() syscall to create hard links. This accidentally grew into a little bit of VFS cleanup as well. Also add a simple /bin/ln implementation to exercise it.
2019-02-21 12:26:40 +00:00
Kernel: Use RefPtr instead of LockRefPtr for Custody By protecting all the RefPtr<Custody> objects that may be accessed from multiple threads at the same time (with spinlocks), we remove the need for using LockRefPtr<Custody> (which is basically a RefPtr with a built-in spinlock.)
2022-08-20 23:04:35 +00:00
RefPtr<Custody> parent_custody;
Kernel: Make VirtualFileSystem functions take credentials as input Instead of getting credentials from Process::current(), we now require that they be provided as input to the various VFS functions. This ensures that an atomic set of credentials is used throughout an entire VFS operation.
2022-08-21 14:02:24 +00:00
auto new_custody_or_error = resolve_path(credentials, new_path, base, &parent_custody);
FileSystem: Port most of the code over to using custodies. The current working directory is now stored as a custody. Likewise for a process executable file. This unbreaks /proc/PID/fd which has not been working since we made the filesystem bigger. This still needs a bunch of work, for instance when renaming or removing a file somewhere, we have to update the relevant custody links.
2019-05-30 16:58:59 +00:00
if (!new_custody_or_error.is_error())
Kernel+LibC: Turn errno codes into a strongly typed enum ..and allow implicit creation of KResult and KResultOr from ErrnoCode. This means that kernel functions that return those types can finally do "return EINVAL;" and it will just work. There's a handful of functions that still deal with signed integers that should be converted to return KResults.
2021-01-20 22:11:17 +00:00
return EEXIST;
Add unlink() syscall and /bin/rm. This patch adds most of the plumbing for working file deletion in Ext2FS. Directory entries are removed and inode link counts updated. We don't yet update the inode or block bitmaps, I will do that separately.
2019-01-22 06:03:44 +00:00
FileSystem: Port most of the code over to using custodies. The current working directory is now stored as a custody. Likewise for a process executable file. This unbreaks /proc/PID/fd which has not been working since we made the filesystem bigger. This still needs a bunch of work, for instance when renaming or removing a file somewhere, we have to update the relevant custody links.
2019-05-30 16:58:59 +00:00
if (!parent_custody)
Kernel+LibC: Turn errno codes into a strongly typed enum ..and allow implicit creation of KResult and KResultOr from ErrnoCode. This means that kernel functions that return those types can finally do "return EINVAL;" and it will just work. There's a handful of functions that still deal with signed integers that should be converted to return KResults.
2021-01-20 22:11:17 +00:00
return ENOENT;
Kernel: Use KResult in link().
2019-02-27 14:31:26 +00:00
FileSystem: Port most of the code over to using custodies. The current working directory is now stored as a custody. Likewise for a process executable file. This unbreaks /proc/PID/fd which has not been working since we made the filesystem bigger. This still needs a bunch of work, for instance when renaming or removing a file somewhere, we have to update the relevant custody links.
2019-05-30 16:58:59 +00:00
auto& parent_inode = parent_custody->inode();
if (parent_inode.fsid() != old_inode.fsid())
Kernel+LibC: Turn errno codes into a strongly typed enum ..and allow implicit creation of KResult and KResultOr from ErrnoCode. This means that kernel functions that return those types can finally do "return EINVAL;" and it will just work. There's a handful of functions that still deal with signed integers that should be converted to return KResults.
2021-01-20 22:11:17 +00:00
return EXDEV;
Kernel: Use KResult in link().
2019-02-27 14:31:26 +00:00
Kernel: Make VirtualFileSystem functions take credentials as input Instead of getting credentials from Process::current(), we now require that they be provided as input to the various VFS functions. This ensures that an atomic set of credentials is used throughout an entire VFS operation.
2022-08-21 14:02:24 +00:00
if (!parent_inode.metadata().may_write(credentials))
Kernel+LibC: Turn errno codes into a strongly typed enum ..and allow implicit creation of KResult and KResultOr from ErrnoCode. This means that kernel functions that return those types can finally do "return EINVAL;" and it will just work. There's a handful of functions that still deal with signed integers that should be converted to return KResults.
2021-01-20 22:11:17 +00:00
return EACCES;
Kernel: Use KResult in link().
2019-02-27 14:31:26 +00:00
Kernel: Trying to sys$link() a directory should fail with EPERM
2020-01-15 21:10:38 +00:00
if (old_inode.is_directory())
Kernel+LibC: Turn errno codes into a strongly typed enum ..and allow implicit creation of KResult and KResultOr from ErrnoCode. This means that kernel functions that return those types can finally do "return EINVAL;" and it will just work. There's a handful of functions that still deal with signed integers that should be converted to return KResults.
2021-01-20 22:11:17 +00:00
return EPERM;
Kernel: Trying to sys$link() a directory should fail with EPERM
2020-01-15 21:10:38 +00:00
Kernel: Support read-only filesystem mounts This adds support for MS_RDONLY, a mount flag that tells the kernel to disallow any attempts to write to the newly mounted filesystem. As this flag is per-mount, and different mounts of the same filesystems (such as in case of bind mounts) can have different mutability settings, you have to go though a custody to find out if the filesystem is mounted read-only, instead of just asking the filesystem itself whether it's inherently read-only. This also adds a lot of checks we were previously missing; and moves some of them to happen after more specific checks (such as regular permission checks). One outstanding hole in this system is sys$mprotect(PROT_WRITE), as there's no way we can know if the original file description this region has been mounted from had been opened through a readonly mount point. Currently, we always allow such sys$mprotect() calls to succeed, which effectively allows anyone to circumvent the effect of MS_RDONLY. We should solve this one way or another.
2020-05-28 14:56:25 +00:00
if (parent_custody->is_readonly())
Kernel+LibC: Turn errno codes into a strongly typed enum ..and allow implicit creation of KResult and KResultOr from ErrnoCode. This means that kernel functions that return those types can finally do "return EINVAL;" and it will just work. There's a handful of functions that still deal with signed integers that should be converted to return KResults.
2021-01-20 22:11:17 +00:00
return EROFS;
Kernel: Support read-only filesystem mounts This adds support for MS_RDONLY, a mount flag that tells the kernel to disallow any attempts to write to the newly mounted filesystem. As this flag is per-mount, and different mounts of the same filesystems (such as in case of bind mounts) can have different mutability settings, you have to go though a custody to find out if the filesystem is mounted read-only, instead of just asking the filesystem itself whether it's inherently read-only. This also adds a lot of checks we were previously missing; and moves some of them to happen after more specific checks (such as regular permission checks). One outstanding hole in this system is sys$mprotect(PROT_WRITE), as there's no way we can know if the original file description this region has been mounted from had been opened through a readonly mount point. Currently, we always allow such sys$mprotect() calls to succeed, which effectively allows anyone to circumvent the effect of MS_RDONLY. We should solve this one way or another.
2020-05-28 14:56:25 +00:00
Kernel: Make VirtualFileSystem functions take credentials as input Instead of getting credentials from Process::current(), we now require that they be provided as input to the various VFS functions. This ensures that an atomic set of credentials is used throughout an entire VFS operation.
2022-08-21 14:02:24 +00:00
if (!hard_link_allowed(credentials, old_inode))
Kernel+LibC: Turn errno codes into a strongly typed enum ..and allow implicit creation of KResult and KResultOr from ErrnoCode. This means that kernel functions that return those types can finally do "return EINVAL;" and it will just work. There's a handful of functions that still deal with signed integers that should be converted to return KResults.
2021-01-20 22:11:17 +00:00
return EPERM;
Kernel: Implement the same hard link protection as Linux sys$link() will now fail to create hard links in some cases where you don't own or have write access to the link target. Work towards #4934
2021-01-19 16:59:32 +00:00
Kernel: Replace usage of LexicalPath with KLexicalPath This replaces all uses of LexicalPath in the Kernel with the functions from KLexicalPath. This also allows the Kernel to stop including AK::LexicalPath.
2021-07-06 09:21:52 +00:00
return parent_inode.add_child(old_inode, KLexicalPath::basename(new_path), old_inode.mode());
Kernel: Add link() syscall to create hard links. This accidentally grew into a little bit of VFS cleanup as well. Also add a simple /bin/ln implementation to exercise it.
2019-02-21 12:26:40 +00:00
}
Kernel: Make VirtualFileSystem functions take credentials as input Instead of getting credentials from Process::current(), we now require that they be provided as input to the various VFS functions. This ensures that an atomic set of credentials is used throughout an entire VFS operation.
2022-08-21 14:02:24 +00:00
ErrorOr<void> VirtualFileSystem::unlink(Credentials const& credentials, StringView path, Custody& base)
Kernel: Add link() syscall to create hard links. This accidentally grew into a little bit of VFS cleanup as well. Also add a simple /bin/ln implementation to exercise it.
2019-02-21 12:26:40 +00:00
{
Kernel: Use RefPtr instead of LockRefPtr for Custody By protecting all the RefPtr<Custody> objects that may be accessed from multiple threads at the same time (with spinlocks), we remove the need for using LockRefPtr<Custody> (which is basically a RefPtr with a built-in spinlock.)
2022-08-20 23:04:35 +00:00
RefPtr<Custody> parent_custody;
Kernel+Userland: Ensure proper unveil permissions before using rm/rmdir When deleting a directory, the rmdir syscall should fail if the path was unveiled without the 'c' permission. This matches the same behavior that OpenBSD enforces when doing this kind of operation. When deleting a file, the unlink syscall should fail if the path was unveiled without the 'w' permission, to ensure that userspace is aware of the possibility of removing a file only when the path was unveiled as writable. When using the userdel utility, we now unveil that directory path with the unveil 'c' permission so removal of an account home directory is done properly.
2023-06-01 23:32:31 +00:00
auto custody = TRY(resolve_path(credentials, path, base, &parent_custody, O_WRONLY | O_NOFOLLOW_NOERROR | O_UNLINK_INTERNAL));
Kernel: Use TRY() in VirtualFileSystem
2021-09-05 12:00:18 +00:00
auto& inode = custody->inode();
VFS: unlink() should fail when called on a directory.
2019-01-23 04:35:42 +00:00
FileSystem: Port most of the code over to using custodies. The current working directory is now stored as a custody. Likewise for a process executable file. This unbreaks /proc/PID/fd which has not been working since we made the filesystem bigger. This still needs a bunch of work, for instance when renaming or removing a file somewhere, we have to update the relevant custody links.
2019-05-30 16:58:59 +00:00
if (inode.is_directory())
Kernel+LibC: Turn errno codes into a strongly typed enum ..and allow implicit creation of KResult and KResultOr from ErrnoCode. This means that kernel functions that return those types can finally do "return EINVAL;" and it will just work. There's a handful of functions that still deal with signed integers that should be converted to return KResults.
2021-01-20 22:11:17 +00:00
return EISDIR;
Kernel: Start adding various file system permission checks. Fail with EACCES in various situations. Fix userland bugs that were exposed.
2019-02-21 14:45:31 +00:00
Kernel: Support read-only filesystem mounts This adds support for MS_RDONLY, a mount flag that tells the kernel to disallow any attempts to write to the newly mounted filesystem. As this flag is per-mount, and different mounts of the same filesystems (such as in case of bind mounts) can have different mutability settings, you have to go though a custody to find out if the filesystem is mounted read-only, instead of just asking the filesystem itself whether it's inherently read-only. This also adds a lot of checks we were previously missing; and moves some of them to happen after more specific checks (such as regular permission checks). One outstanding hole in this system is sys$mprotect(PROT_WRITE), as there's no way we can know if the original file description this region has been mounted from had been opened through a readonly mount point. Currently, we always allow such sys$mprotect() calls to succeed, which effectively allows anyone to circumvent the effect of MS_RDONLY. We should solve this one way or another.
2020-05-28 14:56:25 +00:00
// We have just checked that the inode is not a directory, and thus it's not
// the root. So it should have a parent. Note that this would be invalidated
// if we were to support bind-mounting regular files on top of the root.
Everywhere: Rename ASSERT => VERIFY (...and ASSERT_NOT_REACHED => VERIFY_NOT_REACHED) Since all of these checks are done in release builds as well, let's rename them to VERIFY to prevent confusion, as everyone is used to assertions being compiled out in release. We can introduce a new ASSERT macro that is specifically for debug checks, but I'm doing this wholesale conversion first since we've accumulated thousands of these already, and it's not immediately obvious which ones are suitable for ASSERT.
2021-02-23 19:42:32 +00:00
VERIFY(parent_custody);
Kernel: Support read-only filesystem mounts This adds support for MS_RDONLY, a mount flag that tells the kernel to disallow any attempts to write to the newly mounted filesystem. As this flag is per-mount, and different mounts of the same filesystems (such as in case of bind mounts) can have different mutability settings, you have to go though a custody to find out if the filesystem is mounted read-only, instead of just asking the filesystem itself whether it's inherently read-only. This also adds a lot of checks we were previously missing; and moves some of them to happen after more specific checks (such as regular permission checks). One outstanding hole in this system is sys$mprotect(PROT_WRITE), as there's no way we can know if the original file description this region has been mounted from had been opened through a readonly mount point. Currently, we always allow such sys$mprotect() calls to succeed, which effectively allows anyone to circumvent the effect of MS_RDONLY. We should solve this one way or another.
2020-05-28 14:56:25 +00:00
FileSystem: Port most of the code over to using custodies. The current working directory is now stored as a custody. Likewise for a process executable file. This unbreaks /proc/PID/fd which has not been working since we made the filesystem bigger. This still needs a bunch of work, for instance when renaming or removing a file somewhere, we have to update the relevant custody links.
2019-05-30 16:58:59 +00:00
auto& parent_inode = parent_custody->inode();
Kernel: Make VirtualFileSystem functions take credentials as input Instead of getting credentials from Process::current(), we now require that they be provided as input to the various VFS functions. This ensures that an atomic set of credentials is used throughout an entire VFS operation.
2022-08-21 14:02:24 +00:00
if (!parent_inode.metadata().may_write(credentials))
Kernel+LibC: Turn errno codes into a strongly typed enum ..and allow implicit creation of KResult and KResultOr from ErrnoCode. This means that kernel functions that return those types can finally do "return EINVAL;" and it will just work. There's a handful of functions that still deal with signed integers that should be converted to return KResults.
2021-01-20 22:11:17 +00:00
return EACCES;
Add unlink() syscall and /bin/rm. This patch adds most of the plumbing for working file deletion in Ext2FS. Directory entries are removed and inode link counts updated. We don't yet update the inode or block bitmaps, I will do that separately.
2019-01-22 06:03:44 +00:00
FileSystem: Port most of the code over to using custodies. The current working directory is now stored as a custody. Likewise for a process executable file. This unbreaks /proc/PID/fd which has not been working since we made the filesystem bigger. This still needs a bunch of work, for instance when renaming or removing a file somewhere, we have to update the relevant custody links.
2019-05-30 16:58:59 +00:00
if (parent_inode.metadata().is_sticky()) {
Kernel: Allow to remove files from sticky directory if user owns it It's what the Linux chmod(1) manpage says (in the 'Restricted Deletion Flag or Sticky Bit' section), and it just makes sense to me. :^)
2022-09-01 12:16:32 +00:00
if (!credentials.is_superuser() && parent_inode.metadata().uid != credentials.euid() && inode.metadata().uid != credentials.euid())
Kernel+LibC: Turn errno codes into a strongly typed enum ..and allow implicit creation of KResult and KResultOr from ErrnoCode. This means that kernel functions that return those types can finally do "return EINVAL;" and it will just work. There's a handful of functions that still deal with signed integers that should be converted to return KResults.
2021-01-20 22:11:17 +00:00
return EACCES;
VFS: Implement sticky bit behavior for rename() and unlink(). Removing entries from a sticky directory is only allowed when you are either the owner of the entry, or the superuser. :^)
2019-04-28 20:54:30 +00:00
}
Kernel: Support read-only filesystem mounts This adds support for MS_RDONLY, a mount flag that tells the kernel to disallow any attempts to write to the newly mounted filesystem. As this flag is per-mount, and different mounts of the same filesystems (such as in case of bind mounts) can have different mutability settings, you have to go though a custody to find out if the filesystem is mounted read-only, instead of just asking the filesystem itself whether it's inherently read-only. This also adds a lot of checks we were previously missing; and moves some of them to happen after more specific checks (such as regular permission checks). One outstanding hole in this system is sys$mprotect(PROT_WRITE), as there's no way we can know if the original file description this region has been mounted from had been opened through a readonly mount point. Currently, we always allow such sys$mprotect() calls to succeed, which effectively allows anyone to circumvent the effect of MS_RDONLY. We should solve this one way or another.
2020-05-28 14:56:25 +00:00
if (parent_custody->is_readonly())
Kernel+LibC: Turn errno codes into a strongly typed enum ..and allow implicit creation of KResult and KResultOr from ErrnoCode. This means that kernel functions that return those types can finally do "return EINVAL;" and it will just work. There's a handful of functions that still deal with signed integers that should be converted to return KResults.
2021-01-20 22:11:17 +00:00
return EROFS;
Kernel: Support read-only filesystem mounts This adds support for MS_RDONLY, a mount flag that tells the kernel to disallow any attempts to write to the newly mounted filesystem. As this flag is per-mount, and different mounts of the same filesystems (such as in case of bind mounts) can have different mutability settings, you have to go though a custody to find out if the filesystem is mounted read-only, instead of just asking the filesystem itself whether it's inherently read-only. This also adds a lot of checks we were previously missing; and moves some of them to happen after more specific checks (such as regular permission checks). One outstanding hole in this system is sys$mprotect(PROT_WRITE), as there's no way we can know if the original file description this region has been mounted from had been opened through a readonly mount point. Currently, we always allow such sys$mprotect() calls to succeed, which effectively allows anyone to circumvent the effect of MS_RDONLY. We should solve this one way or another.
2020-05-28 14:56:25 +00:00
Kernel: Use TRY() even more in VirtualFileSystem Allowing TRY() with KResult unlocked a whole lot more opportunities.
2021-09-05 12:55:25 +00:00
return parent_inode.remove_child(KLexicalPath::basename(path));
Add unlink() syscall and /bin/rm. This patch adds most of the plumbing for working file deletion in Ext2FS. Directory entries are removed and inode link counts updated. We don't yet update the inode or block bitmaps, I will do that separately.
2019-01-22 06:03:44 +00:00
}
Kernel: Make VirtualFileSystem functions take credentials as input Instead of getting credentials from Process::current(), we now require that they be provided as input to the various VFS functions. This ensures that an atomic set of credentials is used throughout an entire VFS operation.
2022-08-21 14:02:24 +00:00
ErrorOr<void> VirtualFileSystem::symlink(Credentials const& credentials, StringView target, StringView linkpath, Custody& base)
Kernel+Userland: Add symlink() syscall and add "-s" flag to /bin/ln. It's now possible to create symbolic links! :^) This exposed an issue in Ext2FS where we'd write uninitialized data past the end of an inode's content. Fix this by zeroing out the tail end of the last block in a file.
2019-03-02 00:50:34 +00:00
{
Kernel/FileSystem: Prevent symlink creation in veiled directory paths Also, try to resolve the target path and check if it is allowed to be accessed under the unveil rules.
2022-12-17 05:55:38 +00:00
// NOTE: Check that the actual target (if it exists right now) is unveiled and prevent creating symlinks on veiled paths!
if (auto target_custody_or_error = resolve_path_without_veil(credentials, target, base, nullptr, O_RDWR, 0); !target_custody_or_error.is_error()) {
auto target_custody = target_custody_or_error.release_value();
TRY(validate_path_against_process_veil(*target_custody, O_RDWR));
}
Kernel: Use RefPtr instead of LockRefPtr for Custody By protecting all the RefPtr<Custody> objects that may be accessed from multiple threads at the same time (with spinlocks), we remove the need for using LockRefPtr<Custody> (which is basically a RefPtr with a built-in spinlock.)
2022-08-20 23:04:35 +00:00
RefPtr<Custody> parent_custody;
Kernel/FileSystem: Prevent symlink creation in veiled directory paths Also, try to resolve the target path and check if it is allowed to be accessed under the unveil rules.
2022-12-17 05:55:38 +00:00
auto existing_custody_or_error = resolve_path(credentials, linkpath, base, &parent_custody, O_RDWR);
FileSystem: Port most of the code over to using custodies. The current working directory is now stored as a custody. Likewise for a process executable file. This unbreaks /proc/PID/fd which has not been working since we made the filesystem bigger. This still needs a bunch of work, for instance when renaming or removing a file somewhere, we have to update the relevant custody links.
2019-05-30 16:58:59 +00:00
if (!existing_custody_or_error.is_error())
Kernel+LibC: Turn errno codes into a strongly typed enum ..and allow implicit creation of KResult and KResultOr from ErrnoCode. This means that kernel functions that return those types can finally do "return EINVAL;" and it will just work. There's a handful of functions that still deal with signed integers that should be converted to return KResults.
2021-01-20 22:11:17 +00:00
return EEXIST;
FileSystem: Port most of the code over to using custodies. The current working directory is now stored as a custody. Likewise for a process executable file. This unbreaks /proc/PID/fd which has not been working since we made the filesystem bigger. This still needs a bunch of work, for instance when renaming or removing a file somewhere, we have to update the relevant custody links.
2019-05-30 16:58:59 +00:00
if (!parent_custody)
Kernel+LibC: Turn errno codes into a strongly typed enum ..and allow implicit creation of KResult and KResultOr from ErrnoCode. This means that kernel functions that return those types can finally do "return EINVAL;" and it will just work. There's a handful of functions that still deal with signed integers that should be converted to return KResults.
2021-01-20 22:11:17 +00:00
return ENOENT;
Kernel/FileSystem: Prevent symlink creation in veiled directory paths Also, try to resolve the target path and check if it is allowed to be accessed under the unveil rules.
2022-12-17 05:55:38 +00:00
// NOTE: VERY IMPORTANT! We prevent creating symlinks in case the program didn't unveil the parent_custody
// path! For example, say the program wanted to create a symlink in /tmp/symlink to /tmp/test/pointee_symlink
// and unveiled the /tmp/test/ directory path beforehand, but not the /tmp directory path - the symlink syscall will
// fail here because we can't create the symlink in a parent directory path we didn't unveil beforehand.
TRY(validate_path_against_process_veil(*parent_custody, O_RDWR));
Kernel: Replace KResult and KResultOr<T> with Error and ErrorOr<T> We now use AK::Error and AK::ErrorOr<T> in both kernel and userspace! This was a slightly tedious refactoring that took a long time, so it's not unlikely that some bugs crept in. Nevertheless, it does pass basic functionality testing, and it's just real nice to finally see the same pattern in all contexts. :^)
2021-11-07 23:51:39 +00:00
if (existing_custody_or_error.is_error() && existing_custody_or_error.error().code() != ENOENT)
return existing_custody_or_error.release_error();
FileSystem: Port most of the code over to using custodies. The current working directory is now stored as a custody. Likewise for a process executable file. This unbreaks /proc/PID/fd which has not been working since we made the filesystem bigger. This still needs a bunch of work, for instance when renaming or removing a file somewhere, we have to update the relevant custody links.
2019-05-30 16:58:59 +00:00
auto& parent_inode = parent_custody->inode();
Kernel: Make VirtualFileSystem functions take credentials as input Instead of getting credentials from Process::current(), we now require that they be provided as input to the various VFS functions. This ensures that an atomic set of credentials is used throughout an entire VFS operation.
2022-08-21 14:02:24 +00:00
if (!parent_inode.metadata().may_write(credentials))
Kernel+LibC: Turn errno codes into a strongly typed enum ..and allow implicit creation of KResult and KResultOr from ErrnoCode. This means that kernel functions that return those types can finally do "return EINVAL;" and it will just work. There's a handful of functions that still deal with signed integers that should be converted to return KResults.
2021-01-20 22:11:17 +00:00
return EACCES;
Kernel: Support read-only filesystem mounts This adds support for MS_RDONLY, a mount flag that tells the kernel to disallow any attempts to write to the newly mounted filesystem. As this flag is per-mount, and different mounts of the same filesystems (such as in case of bind mounts) can have different mutability settings, you have to go though a custody to find out if the filesystem is mounted read-only, instead of just asking the filesystem itself whether it's inherently read-only. This also adds a lot of checks we were previously missing; and moves some of them to happen after more specific checks (such as regular permission checks). One outstanding hole in this system is sys$mprotect(PROT_WRITE), as there's no way we can know if the original file description this region has been mounted from had been opened through a readonly mount point. Currently, we always allow such sys$mprotect() calls to succeed, which effectively allows anyone to circumvent the effect of MS_RDONLY. We should solve this one way or another.
2020-05-28 14:56:25 +00:00
if (parent_custody->is_readonly())
Kernel+LibC: Turn errno codes into a strongly typed enum ..and allow implicit creation of KResult and KResultOr from ErrnoCode. This means that kernel functions that return those types can finally do "return EINVAL;" and it will just work. There's a handful of functions that still deal with signed integers that should be converted to return KResults.
2021-01-20 22:11:17 +00:00
return EROFS;
Kernel+Userland: Add symlink() syscall and add "-s" flag to /bin/ln. It's now possible to create symbolic links! :^) This exposed an issue in Ext2FS where we'd write uninitialized data past the end of an inode's content. Fix this by zeroing out the tail end of the last block in a file.
2019-03-02 00:50:34 +00:00
Kernel: Replace usage of LexicalPath with KLexicalPath This replaces all uses of LexicalPath in the Kernel with the functions from KLexicalPath. This also allows the Kernel to stop including AK::LexicalPath.
2021-07-06 09:21:52 +00:00
auto basename = KLexicalPath::basename(linkpath);
Kernel: Rename VFS => VirtualFileSystem
2021-07-10 22:25:24 +00:00
dbgln_if(VFS_DEBUG, "VirtualFileSystem::symlink: '{}' (-> '{}') in {}", basename, target, parent_inode.identifier());
Kernel: Use TRY() in VirtualFileSystem
2021-09-05 12:00:18 +00:00
Kernel: Make VirtualFileSystem functions take credentials as input Instead of getting credentials from Process::current(), we now require that they be provided as input to the various VFS functions. This ensures that an atomic set of credentials is used throughout an entire VFS operation.
2022-08-21 14:02:24 +00:00
auto inode = TRY(parent_inode.create_child(basename, S_IFLNK | 0644, 0, credentials.euid(), credentials.egid()));
Kernel: Use TRY() in VirtualFileSystem
2021-09-05 12:00:18 +00:00
Everywhere: Run clang-format
2022-04-01 17:58:27 +00:00
auto target_buffer = UserOrKernelBuffer::for_kernel_buffer(const_cast<u8*>((u8 const*)target.characters_without_null_termination()));
Kernel: Use TRY() in VirtualFileSystem
2021-09-05 12:00:18 +00:00
TRY(inode->write_bytes(0, target.length(), target_buffer, nullptr));
Kernel: Replace KResult and KResultOr<T> with Error and ErrorOr<T> We now use AK::Error and AK::ErrorOr<T> in both kernel and userspace! This was a slightly tedious refactoring that took a long time, so it's not unlikely that some bugs crept in. Nevertheless, it does pass basic functionality testing, and it's just real nice to finally see the same pattern in all contexts. :^)
2021-11-07 23:51:39 +00:00
return {};
Kernel+Userland: Add symlink() syscall and add "-s" flag to /bin/ln. It's now possible to create symbolic links! :^) This exposed an issue in Ext2FS where we'd write uninitialized data past the end of an inode's content. Fix this by zeroing out the tail end of the last block in a file.
2019-03-02 00:50:34 +00:00
}
Kernel: Annotate VirtualFileSystem::rmdir() errors with spec comments
2022-12-19 18:05:44 +00:00
// https://pubs.opengroup.org/onlinepubs/9699919799/functions/rmdir.html
Kernel: Make VirtualFileSystem functions take credentials as input Instead of getting credentials from Process::current(), we now require that they be provided as input to the various VFS functions. This ensures that an atomic set of credentials is used throughout an entire VFS operation.
2022-08-21 14:02:24 +00:00
ErrorOr<void> VirtualFileSystem::rmdir(Credentials const& credentials, StringView path, Custody& base)
Add support for removing directories. It's really only supported in Ext2FS since SynthFS doesn't really want you mucking around with its files. This is pretty neat though :^) I ran into some trouble with HashMap while working on this but opted to work around it and leave that for a separate investigation.
2019-01-28 03:16:01 +00:00
{
Kernel: Use RefPtr instead of LockRefPtr for Custody By protecting all the RefPtr<Custody> objects that may be accessed from multiple threads at the same time (with spinlocks), we remove the need for using LockRefPtr<Custody> (which is basically a RefPtr with a built-in spinlock.)
2022-08-20 23:04:35 +00:00
RefPtr<Custody> parent_custody;
Kernel+Userland: Ensure proper unveil permissions before using rm/rmdir When deleting a directory, the rmdir syscall should fail if the path was unveiled without the 'c' permission. This matches the same behavior that OpenBSD enforces when doing this kind of operation. When deleting a file, the unlink syscall should fail if the path was unveiled without the 'w' permission, to ensure that userspace is aware of the possibility of removing a file only when the path was unveiled as writable. When using the userdel utility, we now unveil that directory path with the unveil 'c' permission so removal of an account home directory is done properly.
2023-06-01 23:32:31 +00:00
auto custody = TRY(resolve_path(credentials, path, base, &parent_custody, O_CREAT));
Kernel: Use TRY() in VirtualFileSystem
2021-09-05 12:00:18 +00:00
auto& inode = custody->inode();
Add support for removing directories. It's really only supported in Ext2FS since SynthFS doesn't really want you mucking around with its files. This is pretty neat though :^) I ran into some trouble with HashMap while working on this but opted to work around it and leave that for a separate investigation.
2019-01-28 03:16:01 +00:00
Kernel+Tests: Make sys$rmdir() fail with EINVAL if basename is "." Dr. POSIX says that we should reject attempts to rmdir() the file named "." so this patch does exactly that. We also add a test. This solves a FIXME from January 2019. :^)
2022-12-19 17:47:35 +00:00
auto last_component = KLexicalPath::basename(path);
// [EINVAL] The path argument contains a last component that is dot.
if (last_component == "."sv)
return EINVAL;
Kernel: Annotate VirtualFileSystem::rmdir() errors with spec comments
2022-12-19 18:05:44 +00:00
// [ENOTDIR] A component of path names an existing file that is neither a directory
// nor a symbolic link to a directory.
FileSystem: Port most of the code over to using custodies. The current working directory is now stored as a custody. Likewise for a process executable file. This unbreaks /proc/PID/fd which has not been working since we made the filesystem bigger. This still needs a bunch of work, for instance when renaming or removing a file somewhere, we have to update the relevant custody links.
2019-05-30 16:58:59 +00:00
if (!inode.is_directory())
Kernel+LibC: Turn errno codes into a strongly typed enum ..and allow implicit creation of KResult and KResultOr from ErrnoCode. This means that kernel functions that return those types can finally do "return EINVAL;" and it will just work. There's a handful of functions that still deal with signed integers that should be converted to return KResults.
2021-01-20 22:11:17 +00:00
return ENOTDIR;
Kernel: Start adding various file system permission checks. Fail with EACCES in various situations. Fix userland bugs that were exposed.
2019-02-21 14:45:31 +00:00
Kernel: Annotate VirtualFileSystem::rmdir() errors with spec comments
2022-12-19 18:05:44 +00:00
// [EBUSY] The directory to be removed is currently in use by the system or some process
// and the implementation considers this to be an error.
// NOTE: If there is no parent, that means we're trying to rmdir the root directory!
Kernel: rmdir("/") should fail instead of asserting We can't assume there's always a parent custody -- when we open "/" there isn't gonna be one! Fixes #1858.
2020-04-19 16:07:16 +00:00
if (!parent_custody)
Kernel+LibC: Turn errno codes into a strongly typed enum ..and allow implicit creation of KResult and KResultOr from ErrnoCode. This means that kernel functions that return those types can finally do "return EINVAL;" and it will just work. There's a handful of functions that still deal with signed integers that should be converted to return KResults.
2021-01-20 22:11:17 +00:00
return EBUSY;
Kernel: rmdir("/") should fail instead of asserting We can't assume there's always a parent custody -- when we open "/" there isn't gonna be one! Fixes #1858.
2020-04-19 16:07:16 +00:00
FileSystem: Port most of the code over to using custodies. The current working directory is now stored as a custody. Likewise for a process executable file. This unbreaks /proc/PID/fd which has not been working since we made the filesystem bigger. This still needs a bunch of work, for instance when renaming or removing a file somewhere, we have to update the relevant custody links.
2019-05-30 16:58:59 +00:00
auto& parent_inode = parent_custody->inode();
Kernel: Don't allow non-root, non-owners to rmdir any child of sticky We were not handling sticky parents properly in sys$rmdir(). Child directories of a sticky parent should not be rmdir'able by just anyone. Only the owner and root. Fixes #4875.
2021-01-10 09:12:15 +00:00
auto parent_metadata = parent_inode.metadata();
FileSystem: Port most of the code over to using custodies. The current working directory is now stored as a custody. Likewise for a process executable file. This unbreaks /proc/PID/fd which has not been working since we made the filesystem bigger. This still needs a bunch of work, for instance when renaming or removing a file somewhere, we have to update the relevant custody links.
2019-05-30 16:58:59 +00:00
Kernel: Annotate VirtualFileSystem::rmdir() errors with spec comments
2022-12-19 18:05:44 +00:00
// [EACCES] Search permission is denied on a component of the path prefix,
// or write permission is denied on the parent directory of the directory to be removed.
Kernel: Make VirtualFileSystem functions take credentials as input Instead of getting credentials from Process::current(), we now require that they be provided as input to the various VFS functions. This ensures that an atomic set of credentials is used throughout an entire VFS operation.
2022-08-21 14:02:24 +00:00
if (!parent_metadata.may_write(credentials))
Kernel+LibC: Turn errno codes into a strongly typed enum ..and allow implicit creation of KResult and KResultOr from ErrnoCode. This means that kernel functions that return those types can finally do "return EINVAL;" and it will just work. There's a handful of functions that still deal with signed integers that should be converted to return KResults.
2021-01-20 22:11:17 +00:00
return EACCES;
Add support for removing directories. It's really only supported in Ext2FS since SynthFS doesn't really want you mucking around with its files. This is pretty neat though :^) I ran into some trouble with HashMap while working on this but opted to work around it and leave that for a separate investigation.
2019-01-28 03:16:01 +00:00
Kernel: Don't allow non-root, non-owners to rmdir any child of sticky We were not handling sticky parents properly in sys$rmdir(). Child directories of a sticky parent should not be rmdir'able by just anyone. Only the owner and root. Fixes #4875.
2021-01-10 09:12:15 +00:00
if (parent_metadata.is_sticky()) {
Kernel+Tests: Allow deleting someone else's file in my sticky directory This should be allowed according to Dr. POSIX. :^)
2022-12-19 18:32:31 +00:00
// [EACCES] The S_ISVTX flag is set on the directory containing the file referred to by the path argument
// and the process does not satisfy the criteria specified in XBD Directory Protection.
if (!credentials.is_superuser()
&& inode.metadata().uid != credentials.euid()
&& parent_metadata.uid != credentials.euid()) {
Kernel+LibC: Turn errno codes into a strongly typed enum ..and allow implicit creation of KResult and KResultOr from ErrnoCode. This means that kernel functions that return those types can finally do "return EINVAL;" and it will just work. There's a handful of functions that still deal with signed integers that should be converted to return KResults.
2021-01-20 22:11:17 +00:00
return EACCES;
Kernel+Tests: Allow deleting someone else's file in my sticky directory This should be allowed according to Dr. POSIX. :^)
2022-12-19 18:32:31 +00:00
}
Kernel: Don't allow non-root, non-owners to rmdir any child of sticky We were not handling sticky parents properly in sys$rmdir(). Child directories of a sticky parent should not be rmdir'able by just anyone. Only the owner and root. Fixes #4875.
2021-01-10 09:12:15 +00:00
}
Kernel: Count remaining children in VirtualFileSystem::rmdir() manually To count the remaining children, we simply need to traverse the directory and increment a counter. No need for a custom virtual that all file systems have to implement. :^)
2021-07-17 20:34:43 +00:00
size_t child_count = 0;
Kernel: Make Inode::traverse_as_directory() callback return ErrorOr This allows us to propagate errors from inside the callback with TRY().
2021-11-10 14:42:39 +00:00
TRY(inode.traverse_as_directory([&child_count](auto&) -> ErrorOr<void> {
Kernel: Count remaining children in VirtualFileSystem::rmdir() manually To count the remaining children, we simply need to traverse the directory and increment a counter. No need for a custom virtual that all file systems have to implement. :^)
2021-07-17 20:34:43 +00:00
++child_count;
Kernel: Make Inode::traverse_as_directory() callback return ErrorOr This allows us to propagate errors from inside the callback with TRY().
2021-11-10 14:42:39 +00:00
return {};
Kernel: Wrap two VirtualFileSystem directory traversals in TRY()
2021-09-06 18:30:18 +00:00
}));
Kernel: Make Inode::directory_entry_count errors observable. Certain implementations of Inode::directory_entry_count were calling functions which returned errors, but had no way of surfacing them. Switch the return type to KResultOr<size_t> and start observing these error paths.
2020-08-05 08:00:18 +00:00
Kernel: Annotate VirtualFileSystem::rmdir() errors with spec comments
2022-12-19 18:05:44 +00:00
// [ENOTEMPTY] The path argument names a directory that is not an empty directory,
// or there are hard links to the directory other than dot or a single entry in dot-dot.
Kernel: Count remaining children in VirtualFileSystem::rmdir() manually To count the remaining children, we simply need to traverse the directory and increment a counter. No need for a custom virtual that all file systems have to implement. :^)
2021-07-17 20:34:43 +00:00
if (child_count != 2)
Kernel+LibC: Turn errno codes into a strongly typed enum ..and allow implicit creation of KResult and KResultOr from ErrnoCode. This means that kernel functions that return those types can finally do "return EINVAL;" and it will just work. There's a handful of functions that still deal with signed integers that should be converted to return KResults.
2021-01-20 22:11:17 +00:00
return ENOTEMPTY;
Add support for removing directories. It's really only supported in Ext2FS since SynthFS doesn't really want you mucking around with its files. This is pretty neat though :^) I ran into some trouble with HashMap while working on this but opted to work around it and leave that for a separate investigation.
2019-01-28 03:16:01 +00:00
Kernel: Annotate VirtualFileSystem::rmdir() errors with spec comments
2022-12-19 18:05:44 +00:00
// [EROFS] The directory entry to be removed resides on a read-only file system.
Kernel: Use TRY() in VirtualFileSystem
2021-09-05 12:00:18 +00:00
if (custody->is_readonly())
Kernel+LibC: Turn errno codes into a strongly typed enum ..and allow implicit creation of KResult and KResultOr from ErrnoCode. This means that kernel functions that return those types can finally do "return EINVAL;" and it will just work. There's a handful of functions that still deal with signed integers that should be converted to return KResults.
2021-01-20 22:11:17 +00:00
return EROFS;
Kernel: Support read-only filesystem mounts This adds support for MS_RDONLY, a mount flag that tells the kernel to disallow any attempts to write to the newly mounted filesystem. As this flag is per-mount, and different mounts of the same filesystems (such as in case of bind mounts) can have different mutability settings, you have to go though a custody to find out if the filesystem is mounted read-only, instead of just asking the filesystem itself whether it's inherently read-only. This also adds a lot of checks we were previously missing; and moves some of them to happen after more specific checks (such as regular permission checks). One outstanding hole in this system is sys$mprotect(PROT_WRITE), as there's no way we can know if the original file description this region has been mounted from had been opened through a readonly mount point. Currently, we always allow such sys$mprotect() calls to succeed, which effectively allows anyone to circumvent the effect of MS_RDONLY. We should solve this one way or another.
2020-05-28 14:56:25 +00:00
Everywhere: Add sv suffix to strings relying on StringView(char const*) Each of these strings would previously rely on StringView's char const* constructor overload, which would call __builtin_strlen on the string. Since we now have operator ""sv, we can replace these with much simpler versions. This opens the door to being able to remove StringView(char const*). No functional changes.
2022-07-11 17:32:29 +00:00
TRY(inode.remove_child("."sv));
TRY(inode.remove_child(".."sv));
Add support for removing directories. It's really only supported in Ext2FS since SynthFS doesn't really want you mucking around with its files. This is pretty neat though :^) I ran into some trouble with HashMap while working on this but opted to work around it and leave that for a separate investigation.
2019-01-28 03:16:01 +00:00
Kernel: Replace usage of LexicalPath with KLexicalPath This replaces all uses of LexicalPath in the Kernel with the functions from KLexicalPath. This also allows the Kernel to stop including AK::LexicalPath.
2021-07-06 09:21:52 +00:00
return parent_inode.remove_child(KLexicalPath::basename(path));
Add support for removing directories. It's really only supported in Ext2FS since SynthFS doesn't really want you mucking around with its files. This is pretty neat though :^) I ran into some trouble with HashMap while working on this but opted to work around it and leave that for a separate investigation.
2019-01-28 03:16:01 +00:00
}
Everywhere: Make JSON serialization fallible This allows us to eliminate a major source of infallible allocation in the Kernel, as well as lay down the groundwork for OOM fallibility in userland.
2022-02-24 18:08:48 +00:00
ErrorOr<void> VirtualFileSystem::for_each_mount(Function<ErrorOr<void>(Mount const&)> callback) const
Add a simple /proc/mounts that enumerates the current VFS mounts.
2018-10-26 16:43:25 +00:00
{
Everywhere: Make JSON serialization fallible This allows us to eliminate a major source of infallible allocation in the Kernel, as well as lay down the groundwork for OOM fallibility in userland.
2022-02-24 18:08:48 +00:00
return m_mounts.with([&](auto& mounts) -> ErrorOr<void> {
for (auto& mount : mounts)
Kernel/FileSystem: Convert the mount table from Vector to IntrusiveList The fact that we used a Vector meant that even if creating a Mount object succeeded, we were still at a risk that appending to the actual mounts Vector could fail due to OOM condition. To guard against this, the mount table is now an IntrusiveList, which always means that when allocation of a Mount object succeeded, then inserting that object to the list will succeed, which allows us to fail early in case of OOM condition.
2022-11-21 20:10:56 +00:00
TRY(callback(mount));
Everywhere: Make JSON serialization fallible This allows us to eliminate a major source of infallible allocation in the Kernel, as well as lay down the groundwork for OOM fallibility in userland.
2022-02-24 18:08:48 +00:00
return {};
Kernel: Use ProtectedValue for VirtualFileSystem::m_mounts This is what VirtualFileSystem::m_lock was actually guarding, and wrapping it in a ProtectedValue makes it so much more obvious how it all works. :^)
2021-08-15 23:40:19 +00:00
});
Add a simple /proc/mounts that enumerates the current VFS mounts.
2018-10-26 16:43:25 +00:00
}
Add sync() syscall and a /bin/sync. It walks all the live Inode objects and flushes pending metadata changes wherever needed. This could be optimized by keeping a separate list of dirty Inodes, but let's not get ahead of ourselves.
2018-12-19 23:39:29 +00:00
Kernel: Rename VFS => VirtualFileSystem
2021-07-10 22:25:24 +00:00
void VirtualFileSystem::sync()
Add sync() syscall and a /bin/sync. It walks all the live Inode objects and flushes pending metadata changes wherever needed. This could be optimized by keeping a separate list of dirty Inodes, but let's not get ahead of ourselves.
2018-12-19 23:39:29 +00:00
{
Kernel: Rename FS => FileSystem This matches our common naming style better.
2021-07-10 22:20:38 +00:00
FileSystem::sync();
Add sync() syscall and a /bin/sync. It walks all the live Inode objects and flushes pending metadata changes wherever needed. This could be optimized by keeping a separate list of dirty Inodes, but let's not get ahead of ourselves.
2018-12-19 23:39:29 +00:00
}
FileSystem: Add a Custody class that represents a parent/child guardianship. A custody is kind of a directory entry abstraction that represents a single entry in a parent directory that tells us the name of a child inode. The idea here is for path resolution to produce a chain of custody objects.
2019-05-30 15:46:08 +00:00
Kernel: Use RefPtr instead of LockRefPtr for Custody By protecting all the RefPtr<Custody> objects that may be accessed from multiple threads at the same time (with spinlocks), we remove the need for using LockRefPtr<Custody> (which is basically a RefPtr with a built-in spinlock.)
2022-08-20 23:04:35 +00:00
NonnullRefPtr<Custody> VirtualFileSystem::root_custody()
FileSystem: Add a Custody class that represents a parent/child guardianship. A custody is kind of a directory entry abstraction that represents a single entry in a parent directory that tells us the name of a child inode. The idea here is for path resolution to produce a chain of custody objects.
2019-05-30 15:46:08 +00:00
{
Kernel: Use RefPtr instead of LockRefPtr for Custody By protecting all the RefPtr<Custody> objects that may be accessed from multiple threads at the same time (with spinlocks), we remove the need for using LockRefPtr<Custody> (which is basically a RefPtr with a built-in spinlock.)
2022-08-20 23:04:35 +00:00
return m_root_custody.with([](auto& root_custody) -> NonnullRefPtr<Custody> { return *root_custody; });
FileSystem: Add a Custody class that represents a parent/child guardianship. A custody is kind of a directory entry abstraction that represents a single entry in a parent directory that tells us the name of a child inode. The idea here is for path resolution to produce a chain of custody objects.
2019-05-30 15:46:08 +00:00
}
Kernel: Actually check Process unveil data when creating perfcore dump Before of this patch, we looked at the unveil data of the FinalizerTask, which naturally doesn't have any unveil restrictions, therefore allowing an unveil bypass for a process that enabled performance coredumps. To ensure we always check the dumped process unveil data, an option to pass a Process& has been added to a couple of methods in the class of VirtualFileSystem.
2023-03-04 18:01:54 +00:00
UnveilNode const& VirtualFileSystem::find_matching_unveiled_path(Process const& process, StringView path)
Kernel: Implement unveil() as a prefix-tree Fixes #4530.
2020-12-26 10:24:34 +00:00
{
Kernel: Actually check Process unveil data when creating perfcore dump Before of this patch, we looked at the unveil data of the FinalizerTask, which naturally doesn't have any unveil restrictions, therefore allowing an unveil bypass for a process that enabled performance coredumps. To ensure we always check the dumped process unveil data, an option to pass a Process& has been added to a couple of methods in the class of VirtualFileSystem.
2023-03-04 18:01:54 +00:00
VERIFY(process.veil_state() != VeilState::None);
return process.unveil_data().with([&](auto const& unveil_data) -> UnveilNode const& {
Kernel: Put Process unveil state in a SpinlockProtected container This makes path resolution safe to perform without holding the big lock.
2022-03-07 20:23:08 +00:00
auto path_parts = KLexicalPath::parts(path);
return unveil_data.paths.traverse_until_last_accessible_node(path_parts.begin(), path_parts.end());
});
Kernel: Add a basic implementation of unveil() This syscall is a complement to pledge() and adds the same sort of incremental relinquishing of capabilities for filesystem access. The first call to unveil() will "drop a veil" on the process, and from now on, only unveiled parts of the filesystem are visible to it. Each call to unveil() specifies a path to either a directory or a file along with permissions for that path. The permissions are a combination of the following: - r: Read access (like the "rpath" promise) - w: Write access (like the "wpath" promise) - x: Execute access - c: Create/remove access (like the "cpath" promise) Attempts to open a path that has not been unveiled with fail with ENOENT. If the unveiled path lacks sufficient permissions, it will fail with EACCES. Like pledge(), subsequent calls to unveil() with the same path can only remove permissions, not add them. Once you call unveil(nullptr, nullptr), the veil is locked, and it's no longer possible to unveil any more paths for the process, ever. This concept comes from OpenBSD, and their implementation does various things differently, I'm sure. This is just a first implementation for SerenityOS, and we'll keep improving on it as we go. :^)
2020-01-20 21:12:04 +00:00
}
Kernel: Replace KResult and KResultOr<T> with Error and ErrorOr<T> We now use AK::Error and AK::ErrorOr<T> in both kernel and userspace! This was a slightly tedious refactoring that took a long time, so it's not unlikely that some bugs crept in. Nevertheless, it does pass basic functionality testing, and it's just real nice to finally see the same pattern in all contexts. :^)
2021-11-07 23:51:39 +00:00
ErrorOr<void> VirtualFileSystem::validate_path_against_process_veil(Custody const& custody, int options)
Kernel: Don't allocate Strings unnecessarily in process veil validation Previously, Custody::absolute_path() was called for every call to validate_path_against_process_veil(). For processes that don't have a veil, the path is not used by the function. This means that it is unnecessarily generated. This introduces an overload to validate_path_against_process_veil(), which takes a Custody const& and only generates the absolute path if it there is actually a veil and it is thus needed. This patch results in a speed up of Assistant's file system cache building by around 16 percent.
2021-07-05 15:15:07 +00:00
{
Kernel: Actually check Process unveil data when creating perfcore dump Before of this patch, we looked at the unveil data of the FinalizerTask, which naturally doesn't have any unveil restrictions, therefore allowing an unveil bypass for a process that enabled performance coredumps. To ensure we always check the dumped process unveil data, an option to pass a Process& has been added to a couple of methods in the class of VirtualFileSystem.
2023-03-04 18:01:54 +00:00
return validate_path_against_process_veil(Process::current(), custody, options);
}
ErrorOr<void> VirtualFileSystem::validate_path_against_process_veil(Process const& process, Custody const& custody, int options)
{
if (process.veil_state() == VeilState::None)
Kernel: Replace KResult and KResultOr<T> with Error and ErrorOr<T> We now use AK::Error and AK::ErrorOr<T> in both kernel and userspace! This was a slightly tedious refactoring that took a long time, so it's not unlikely that some bugs crept in. Nevertheless, it does pass basic functionality testing, and it's just real nice to finally see the same pattern in all contexts. :^)
2021-11-07 23:51:39 +00:00
return {};
Kernel: Improvements to Custody absolute path serialization - Renamed try_create_absolute_path() => try_serialize_absolute_path() - Use KResultOr and TRY() to propagate errors - Don't call this when it's only for debug logging
2021-09-06 10:24:36 +00:00
auto absolute_path = TRY(custody.try_serialize_absolute_path());
Kernel: Actually check Process unveil data when creating perfcore dump Before of this patch, we looked at the unveil data of the FinalizerTask, which naturally doesn't have any unveil restrictions, therefore allowing an unveil bypass for a process that enabled performance coredumps. To ensure we always check the dumped process unveil data, an option to pass a Process& has been added to a couple of methods in the class of VirtualFileSystem.
2023-03-04 18:01:54 +00:00
return validate_path_against_process_veil(process, absolute_path->view(), options);
Kernel: Don't allocate Strings unnecessarily in process veil validation Previously, Custody::absolute_path() was called for every call to validate_path_against_process_veil(). For processes that don't have a veil, the path is not used by the function. This means that it is unnecessarily generated. This introduces an overload to validate_path_against_process_veil(), which takes a Custody const& and only generates the absolute path if it there is actually a veil and it is thus needed. This patch results in a speed up of Assistant's file system cache building by around 16 percent.
2021-07-05 15:15:07 +00:00
}
Kernel: Actually check Process unveil data when creating perfcore dump Before of this patch, we looked at the unveil data of the FinalizerTask, which naturally doesn't have any unveil restrictions, therefore allowing an unveil bypass for a process that enabled performance coredumps. To ensure we always check the dumped process unveil data, an option to pass a Process& has been added to a couple of methods in the class of VirtualFileSystem.
2023-03-04 18:01:54 +00:00
ErrorOr<void> VirtualFileSystem::validate_path_against_process_veil(Process const& process, StringView path, int options)
Kernel: Add a basic implementation of unveil() This syscall is a complement to pledge() and adds the same sort of incremental relinquishing of capabilities for filesystem access. The first call to unveil() will "drop a veil" on the process, and from now on, only unveiled parts of the filesystem are visible to it. Each call to unveil() specifies a path to either a directory or a file along with permissions for that path. The permissions are a combination of the following: - r: Read access (like the "rpath" promise) - w: Write access (like the "wpath" promise) - x: Execute access - c: Create/remove access (like the "cpath" promise) Attempts to open a path that has not been unveiled with fail with ENOENT. If the unveiled path lacks sufficient permissions, it will fail with EACCES. Like pledge(), subsequent calls to unveil() with the same path can only remove permissions, not add them. Once you call unveil(nullptr, nullptr), the veil is locked, and it's no longer possible to unveil any more paths for the process, ever. This concept comes from OpenBSD, and their implementation does various things differently, I'm sure. This is just a first implementation for SerenityOS, and we'll keep improving on it as we go. :^)
2020-01-20 21:12:04 +00:00
{
Kernel: Actually check Process unveil data when creating perfcore dump Before of this patch, we looked at the unveil data of the FinalizerTask, which naturally doesn't have any unveil restrictions, therefore allowing an unveil bypass for a process that enabled performance coredumps. To ensure we always check the dumped process unveil data, an option to pass a Process& has been added to a couple of methods in the class of VirtualFileSystem.
2023-03-04 18:01:54 +00:00
if (process.veil_state() == VeilState::None)
Kernel: Replace KResult and KResultOr<T> with Error and ErrorOr<T> We now use AK::Error and AK::ErrorOr<T> in both kernel and userspace! This was a slightly tedious refactoring that took a long time, so it's not unlikely that some bugs crept in. Nevertheless, it does pass basic functionality testing, and it's just real nice to finally see the same pattern in all contexts. :^)
2021-11-07 23:51:39 +00:00
return {};
Kernel: Add a basic implementation of unveil() This syscall is a complement to pledge() and adds the same sort of incremental relinquishing of capabilities for filesystem access. The first call to unveil() will "drop a veil" on the process, and from now on, only unveiled parts of the filesystem are visible to it. Each call to unveil() specifies a path to either a directory or a file along with permissions for that path. The permissions are a combination of the following: - r: Read access (like the "rpath" promise) - w: Write access (like the "wpath" promise) - x: Execute access - c: Create/remove access (like the "cpath" promise) Attempts to open a path that has not been unveiled with fail with ENOENT. If the unveiled path lacks sufficient permissions, it will fail with EACCES. Like pledge(), subsequent calls to unveil() with the same path can only remove permissions, not add them. Once you call unveil(nullptr, nullptr), the veil is locked, and it's no longer possible to unveil any more paths for the process, ever. This concept comes from OpenBSD, and their implementation does various things differently, I'm sure. This is just a first implementation for SerenityOS, and we'll keep improving on it as we go. :^)
2020-01-20 21:12:04 +00:00
Kernel: Stricter path checking in validate_path_against_process_veil This change enforces that paths passed to VFS::validate_path_against_process_veil are absolute and do not contain any '..' or '.' parts. We should VERIFY here instead of returning EINVAL since the code that calls this should resolve non-canonical paths before calling this function.
2021-07-05 16:03:54 +00:00
VERIFY(path.starts_with('/'));
VERIFY(!path.contains("/../"sv) && !path.ends_with("/.."sv));
VERIFY(!path.contains("/./"sv) && !path.ends_with("/."sv));
Kernel: Add a basic implementation of unveil() This syscall is a complement to pledge() and adds the same sort of incremental relinquishing of capabilities for filesystem access. The first call to unveil() will "drop a veil" on the process, and from now on, only unveiled parts of the filesystem are visible to it. Each call to unveil() specifies a path to either a directory or a file along with permissions for that path. The permissions are a combination of the following: - r: Read access (like the "rpath" promise) - w: Write access (like the "wpath" promise) - x: Execute access - c: Create/remove access (like the "cpath" promise) Attempts to open a path that has not been unveiled with fail with ENOENT. If the unveiled path lacks sufficient permissions, it will fail with EACCES. Like pledge(), subsequent calls to unveil() with the same path can only remove permissions, not add them. Once you call unveil(nullptr, nullptr), the veil is locked, and it's no longer possible to unveil any more paths for the process, ever. This concept comes from OpenBSD, and their implementation does various things differently, I'm sure. This is just a first implementation for SerenityOS, and we'll keep improving on it as we go. :^)
2020-01-20 21:12:04 +00:00
Kernel: Don't check pledges or veil against code coverage data files Coverage tools like LLVM's source-based coverage or GNU's --coverage need to be able to write out coverage files from any binary, regardless of its security posture. Not ignoring these pledges and veils means we can't get our coverage data out without playing some serious tricks. However this is pretty terrible for normal exeuction, so only skip these checks when we explicitly configured userspace for coverage.
2022-03-05 01:05:24 +00:00
#ifdef SKIP_PATH_VALIDATION_FOR_COVERAGE_INSTRUMENTATION
// Skip veil validation against profile data when coverage is enabled for userspace
// so that all processes can write out coverage data even with veils in place
if (KLexicalPath::basename(path).ends_with(".profraw"sv))
return {};
#endif
Kernel: Colorize log message for paths which haven't been unveiled The log message can be hard to spot in a sea of debug messages. Colorize it to make the message more immediately pop out.
2023-04-25 14:29:10 +00:00
auto log_veiled_path = [&](Optional<StringView> const& with_permissions = {}) {
if (with_permissions.has_value())
dbgln("\033[31;1mRejecting path '{}' because it hasn't been unveiled with {} permissions\033[0m", path, *with_permissions);
else
dbgln("\033[31;1mRejecting path '{}' because it hasn't been unveiled\033[0m", path);
dump_backtrace();
};
Kernel: Actually check Process unveil data when creating perfcore dump Before of this patch, we looked at the unveil data of the FinalizerTask, which naturally doesn't have any unveil restrictions, therefore allowing an unveil bypass for a process that enabled performance coredumps. To ensure we always check the dumped process unveil data, an option to pass a Process& has been added to a couple of methods in the class of VirtualFileSystem.
2023-03-04 18:01:54 +00:00
auto& unveiled_path = find_matching_unveiled_path(process, path);
Kernel: Don't assume there are no nodes if m_unveiled_paths.is_empty() If m_unveiled_paths.is_empty(), the root node (which is m_unveiled_paths itself) is the matching veil. This means we should not return nullptr in this case, but just use the code path for the general case. This fixes a bug where calling e.g. unveil("/", "r") would refuse you access to anything, because find_matching_unveiled_path would wrongly return nullptr. Since find_matching_unveiled_path can no longer return nullptr, we can now just return a reference instead.
2021-06-06 21:13:26 +00:00
if (unveiled_path.permissions() == UnveilAccess::None) {
Kernel: Colorize log message for paths which haven't been unveiled The log message can be hard to spot in a sea of debug messages. Colorize it to make the message more immediately pop out.
2023-04-25 14:29:10 +00:00
log_veiled_path();
Kernel+LibC: Turn errno codes into a strongly typed enum ..and allow implicit creation of KResult and KResultOr from ErrnoCode. This means that kernel functions that return those types can finally do "return EINVAL;" and it will just work. There's a handful of functions that still deal with signed integers that should be converted to return KResults.
2021-01-20 22:11:17 +00:00
return ENOENT;
Kernel: Add a basic implementation of unveil() This syscall is a complement to pledge() and adds the same sort of incremental relinquishing of capabilities for filesystem access. The first call to unveil() will "drop a veil" on the process, and from now on, only unveiled parts of the filesystem are visible to it. Each call to unveil() specifies a path to either a directory or a file along with permissions for that path. The permissions are a combination of the following: - r: Read access (like the "rpath" promise) - w: Write access (like the "wpath" promise) - x: Execute access - c: Create/remove access (like the "cpath" promise) Attempts to open a path that has not been unveiled with fail with ENOENT. If the unveiled path lacks sufficient permissions, it will fail with EACCES. Like pledge(), subsequent calls to unveil() with the same path can only remove permissions, not add them. Once you call unveil(nullptr, nullptr), the veil is locked, and it's no longer possible to unveil any more paths for the process, ever. This concept comes from OpenBSD, and their implementation does various things differently, I'm sure. This is just a first implementation for SerenityOS, and we'll keep improving on it as we go. :^)
2020-01-20 21:12:04 +00:00
}
if (options & O_CREAT) {
Kernel: Don't assume there are no nodes if m_unveiled_paths.is_empty() If m_unveiled_paths.is_empty(), the root node (which is m_unveiled_paths itself) is the matching veil. This means we should not return nullptr in this case, but just use the code path for the general case. This fixes a bug where calling e.g. unveil("/", "r") would refuse you access to anything, because find_matching_unveiled_path would wrongly return nullptr. Since find_matching_unveiled_path can no longer return nullptr, we can now just return a reference instead.
2021-06-06 21:13:26 +00:00
if (!(unveiled_path.permissions() & UnveilAccess::CreateOrRemove)) {
Kernel: Colorize log message for paths which haven't been unveiled The log message can be hard to spot in a sea of debug messages. Colorize it to make the message more immediately pop out.
2023-04-25 14:29:10 +00:00
log_veiled_path("'c'"sv);
Kernel+LibC: Turn errno codes into a strongly typed enum ..and allow implicit creation of KResult and KResultOr from ErrnoCode. This means that kernel functions that return those types can finally do "return EINVAL;" and it will just work. There's a handful of functions that still deal with signed integers that should be converted to return KResults.
2021-01-20 22:11:17 +00:00
return EACCES;
Kernel: Add a basic implementation of unveil() This syscall is a complement to pledge() and adds the same sort of incremental relinquishing of capabilities for filesystem access. The first call to unveil() will "drop a veil" on the process, and from now on, only unveiled parts of the filesystem are visible to it. Each call to unveil() specifies a path to either a directory or a file along with permissions for that path. The permissions are a combination of the following: - r: Read access (like the "rpath" promise) - w: Write access (like the "wpath" promise) - x: Execute access - c: Create/remove access (like the "cpath" promise) Attempts to open a path that has not been unveiled with fail with ENOENT. If the unveiled path lacks sufficient permissions, it will fail with EACCES. Like pledge(), subsequent calls to unveil() with the same path can only remove permissions, not add them. Once you call unveil(nullptr, nullptr), the veil is locked, and it's no longer possible to unveil any more paths for the process, ever. This concept comes from OpenBSD, and their implementation does various things differently, I'm sure. This is just a first implementation for SerenityOS, and we'll keep improving on it as we go. :^)
2020-01-20 21:12:04 +00:00
}
}
if (options & O_UNLINK_INTERNAL) {
Kernel: Don't assume there are no nodes if m_unveiled_paths.is_empty() If m_unveiled_paths.is_empty(), the root node (which is m_unveiled_paths itself) is the matching veil. This means we should not return nullptr in this case, but just use the code path for the general case. This fixes a bug where calling e.g. unveil("/", "r") would refuse you access to anything, because find_matching_unveiled_path would wrongly return nullptr. Since find_matching_unveiled_path can no longer return nullptr, we can now just return a reference instead.
2021-06-06 21:13:26 +00:00
if (!(unveiled_path.permissions() & UnveilAccess::CreateOrRemove)) {
Kernel: Colorize log message for paths which haven't been unveiled The log message can be hard to spot in a sea of debug messages. Colorize it to make the message more immediately pop out.
2023-04-25 14:29:10 +00:00
log_veiled_path("'c'"sv);
Kernel+LibC: Turn errno codes into a strongly typed enum ..and allow implicit creation of KResult and KResultOr from ErrnoCode. This means that kernel functions that return those types can finally do "return EINVAL;" and it will just work. There's a handful of functions that still deal with signed integers that should be converted to return KResults.
2021-01-20 22:11:17 +00:00
return EACCES;
Kernel: Add a basic implementation of unveil() This syscall is a complement to pledge() and adds the same sort of incremental relinquishing of capabilities for filesystem access. The first call to unveil() will "drop a veil" on the process, and from now on, only unveiled parts of the filesystem are visible to it. Each call to unveil() specifies a path to either a directory or a file along with permissions for that path. The permissions are a combination of the following: - r: Read access (like the "rpath" promise) - w: Write access (like the "wpath" promise) - x: Execute access - c: Create/remove access (like the "cpath" promise) Attempts to open a path that has not been unveiled with fail with ENOENT. If the unveiled path lacks sufficient permissions, it will fail with EACCES. Like pledge(), subsequent calls to unveil() with the same path can only remove permissions, not add them. Once you call unveil(nullptr, nullptr), the veil is locked, and it's no longer possible to unveil any more paths for the process, ever. This concept comes from OpenBSD, and their implementation does various things differently, I'm sure. This is just a first implementation for SerenityOS, and we'll keep improving on it as we go. :^)
2020-01-20 21:12:04 +00:00
}
Kernel: Replace KResult and KResultOr<T> with Error and ErrorOr<T> We now use AK::Error and AK::ErrorOr<T> in both kernel and userspace! This was a slightly tedious refactoring that took a long time, so it's not unlikely that some bugs crept in. Nevertheless, it does pass basic functionality testing, and it's just real nice to finally see the same pattern in all contexts. :^)
2021-11-07 23:51:39 +00:00
return {};
Kernel: Add a basic implementation of unveil() This syscall is a complement to pledge() and adds the same sort of incremental relinquishing of capabilities for filesystem access. The first call to unveil() will "drop a veil" on the process, and from now on, only unveiled parts of the filesystem are visible to it. Each call to unveil() specifies a path to either a directory or a file along with permissions for that path. The permissions are a combination of the following: - r: Read access (like the "rpath" promise) - w: Write access (like the "wpath" promise) - x: Execute access - c: Create/remove access (like the "cpath" promise) Attempts to open a path that has not been unveiled with fail with ENOENT. If the unveiled path lacks sufficient permissions, it will fail with EACCES. Like pledge(), subsequent calls to unveil() with the same path can only remove permissions, not add them. Once you call unveil(nullptr, nullptr), the veil is locked, and it's no longer possible to unveil any more paths for the process, ever. This concept comes from OpenBSD, and their implementation does various things differently, I'm sure. This is just a first implementation for SerenityOS, and we'll keep improving on it as we go. :^)
2020-01-20 21:12:04 +00:00
}
Kernel: Make O_RDONLY non-zero Sergey suggested that having a non-zero O_RDONLY would make some things less confusing, and it seems like he's right about that. We can now easily check read/write permissions separately instead of dancing around with the bits. This patch also fixes unveil() validation for O_RDWR which previously forgot to check for "r" permission.
2020-01-21 12:14:26 +00:00
if (options & O_RDONLY) {
Kernel: Add unveil('b') This is a new "browse" permission that lets you open (and subsequently list contents of) directories underneath the path, but not regular files or any other types of files.
2020-11-21 19:55:20 +00:00
if (options & O_DIRECTORY) {
Kernel: Don't assume there are no nodes if m_unveiled_paths.is_empty() If m_unveiled_paths.is_empty(), the root node (which is m_unveiled_paths itself) is the matching veil. This means we should not return nullptr in this case, but just use the code path for the general case. This fixes a bug where calling e.g. unveil("/", "r") would refuse you access to anything, because find_matching_unveiled_path would wrongly return nullptr. Since find_matching_unveiled_path can no longer return nullptr, we can now just return a reference instead.
2021-06-06 21:13:26 +00:00
if (!(unveiled_path.permissions() & (UnveilAccess::Read | UnveilAccess::Browse))) {
Kernel: Colorize log message for paths which haven't been unveiled The log message can be hard to spot in a sea of debug messages. Colorize it to make the message more immediately pop out.
2023-04-25 14:29:10 +00:00
log_veiled_path("'r' or 'b'"sv);
Kernel+LibC: Turn errno codes into a strongly typed enum ..and allow implicit creation of KResult and KResultOr from ErrnoCode. This means that kernel functions that return those types can finally do "return EINVAL;" and it will just work. There's a handful of functions that still deal with signed integers that should be converted to return KResults.
2021-01-20 22:11:17 +00:00
return EACCES;
Kernel: Add unveil('b') This is a new "browse" permission that lets you open (and subsequently list contents of) directories underneath the path, but not regular files or any other types of files.
2020-11-21 19:55:20 +00:00
}
} else {
Kernel: Don't assume there are no nodes if m_unveiled_paths.is_empty() If m_unveiled_paths.is_empty(), the root node (which is m_unveiled_paths itself) is the matching veil. This means we should not return nullptr in this case, but just use the code path for the general case. This fixes a bug where calling e.g. unveil("/", "r") would refuse you access to anything, because find_matching_unveiled_path would wrongly return nullptr. Since find_matching_unveiled_path can no longer return nullptr, we can now just return a reference instead.
2021-06-06 21:13:26 +00:00
if (!(unveiled_path.permissions() & UnveilAccess::Read)) {
Kernel: Colorize log message for paths which haven't been unveiled The log message can be hard to spot in a sea of debug messages. Colorize it to make the message more immediately pop out.
2023-04-25 14:29:10 +00:00
log_veiled_path("'r'"sv);
Kernel+LibC: Turn errno codes into a strongly typed enum ..and allow implicit creation of KResult and KResultOr from ErrnoCode. This means that kernel functions that return those types can finally do "return EINVAL;" and it will just work. There's a handful of functions that still deal with signed integers that should be converted to return KResults.
2021-01-20 22:11:17 +00:00
return EACCES;
Kernel: Add unveil('b') This is a new "browse" permission that lets you open (and subsequently list contents of) directories underneath the path, but not regular files or any other types of files.
2020-11-21 19:55:20 +00:00
}
Kernel: Make O_RDONLY non-zero Sergey suggested that having a non-zero O_RDONLY would make some things less confusing, and it seems like he's right about that. We can now easily check read/write permissions separately instead of dancing around with the bits. This patch also fixes unveil() validation for O_RDWR which previously forgot to check for "r" permission.
2020-01-21 12:14:26 +00:00
}
}
if (options & O_WRONLY) {
Kernel: Don't assume there are no nodes if m_unveiled_paths.is_empty() If m_unveiled_paths.is_empty(), the root node (which is m_unveiled_paths itself) is the matching veil. This means we should not return nullptr in this case, but just use the code path for the general case. This fixes a bug where calling e.g. unveil("/", "r") would refuse you access to anything, because find_matching_unveiled_path would wrongly return nullptr. Since find_matching_unveiled_path can no longer return nullptr, we can now just return a reference instead.
2021-06-06 21:13:26 +00:00
if (!(unveiled_path.permissions() & UnveilAccess::Write)) {
Kernel: Colorize log message for paths which haven't been unveiled The log message can be hard to spot in a sea of debug messages. Colorize it to make the message more immediately pop out.
2023-04-25 14:29:10 +00:00
log_veiled_path("'w'"sv);
Kernel+LibC: Turn errno codes into a strongly typed enum ..and allow implicit creation of KResult and KResultOr from ErrnoCode. This means that kernel functions that return those types can finally do "return EINVAL;" and it will just work. There's a handful of functions that still deal with signed integers that should be converted to return KResults.
2021-01-20 22:11:17 +00:00
return EACCES;
Kernel: Add a basic implementation of unveil() This syscall is a complement to pledge() and adds the same sort of incremental relinquishing of capabilities for filesystem access. The first call to unveil() will "drop a veil" on the process, and from now on, only unveiled parts of the filesystem are visible to it. Each call to unveil() specifies a path to either a directory or a file along with permissions for that path. The permissions are a combination of the following: - r: Read access (like the "rpath" promise) - w: Write access (like the "wpath" promise) - x: Execute access - c: Create/remove access (like the "cpath" promise) Attempts to open a path that has not been unveiled with fail with ENOENT. If the unveiled path lacks sufficient permissions, it will fail with EACCES. Like pledge(), subsequent calls to unveil() with the same path can only remove permissions, not add them. Once you call unveil(nullptr, nullptr), the veil is locked, and it's no longer possible to unveil any more paths for the process, ever. This concept comes from OpenBSD, and their implementation does various things differently, I'm sure. This is just a first implementation for SerenityOS, and we'll keep improving on it as we go. :^)
2020-01-20 21:12:04 +00:00
}
Kernel: Make O_RDONLY non-zero Sergey suggested that having a non-zero O_RDONLY would make some things less confusing, and it seems like he's right about that. We can now easily check read/write permissions separately instead of dancing around with the bits. This patch also fixes unveil() validation for O_RDWR which previously forgot to check for "r" permission.
2020-01-21 12:14:26 +00:00
}
if (options & O_EXEC) {
Kernel: Don't assume there are no nodes if m_unveiled_paths.is_empty() If m_unveiled_paths.is_empty(), the root node (which is m_unveiled_paths itself) is the matching veil. This means we should not return nullptr in this case, but just use the code path for the general case. This fixes a bug where calling e.g. unveil("/", "r") would refuse you access to anything, because find_matching_unveiled_path would wrongly return nullptr. Since find_matching_unveiled_path can no longer return nullptr, we can now just return a reference instead.
2021-06-06 21:13:26 +00:00
if (!(unveiled_path.permissions() & UnveilAccess::Execute)) {
Kernel: Colorize log message for paths which haven't been unveiled The log message can be hard to spot in a sea of debug messages. Colorize it to make the message more immediately pop out.
2023-04-25 14:29:10 +00:00
log_veiled_path("'x'"sv);
Kernel+LibC: Turn errno codes into a strongly typed enum ..and allow implicit creation of KResult and KResultOr from ErrnoCode. This means that kernel functions that return those types can finally do "return EINVAL;" and it will just work. There's a handful of functions that still deal with signed integers that should be converted to return KResults.
2021-01-20 22:11:17 +00:00
return EACCES;
Kernel: Add a basic implementation of unveil() This syscall is a complement to pledge() and adds the same sort of incremental relinquishing of capabilities for filesystem access. The first call to unveil() will "drop a veil" on the process, and from now on, only unveiled parts of the filesystem are visible to it. Each call to unveil() specifies a path to either a directory or a file along with permissions for that path. The permissions are a combination of the following: - r: Read access (like the "rpath" promise) - w: Write access (like the "wpath" promise) - x: Execute access - c: Create/remove access (like the "cpath" promise) Attempts to open a path that has not been unveiled with fail with ENOENT. If the unveiled path lacks sufficient permissions, it will fail with EACCES. Like pledge(), subsequent calls to unveil() with the same path can only remove permissions, not add them. Once you call unveil(nullptr, nullptr), the veil is locked, and it's no longer possible to unveil any more paths for the process, ever. This concept comes from OpenBSD, and their implementation does various things differently, I'm sure. This is just a first implementation for SerenityOS, and we'll keep improving on it as we go. :^)
2020-01-20 21:12:04 +00:00
}
}
Kernel: Replace KResult and KResultOr<T> with Error and ErrorOr<T> We now use AK::Error and AK::ErrorOr<T> in both kernel and userspace! This was a slightly tedious refactoring that took a long time, so it's not unlikely that some bugs crept in. Nevertheless, it does pass basic functionality testing, and it's just real nice to finally see the same pattern in all contexts. :^)
2021-11-07 23:51:39 +00:00
return {};
Kernel: Add a basic implementation of unveil() This syscall is a complement to pledge() and adds the same sort of incremental relinquishing of capabilities for filesystem access. The first call to unveil() will "drop a veil" on the process, and from now on, only unveiled parts of the filesystem are visible to it. Each call to unveil() specifies a path to either a directory or a file along with permissions for that path. The permissions are a combination of the following: - r: Read access (like the "rpath" promise) - w: Write access (like the "wpath" promise) - x: Execute access - c: Create/remove access (like the "cpath" promise) Attempts to open a path that has not been unveiled with fail with ENOENT. If the unveiled path lacks sufficient permissions, it will fail with EACCES. Like pledge(), subsequent calls to unveil() with the same path can only remove permissions, not add them. Once you call unveil(nullptr, nullptr), the veil is locked, and it's no longer possible to unveil any more paths for the process, ever. This concept comes from OpenBSD, and their implementation does various things differently, I'm sure. This is just a first implementation for SerenityOS, and we'll keep improving on it as we go. :^)
2020-01-20 21:12:04 +00:00
}
Kernel: Actually check Process unveil data when creating perfcore dump Before of this patch, we looked at the unveil data of the FinalizerTask, which naturally doesn't have any unveil restrictions, therefore allowing an unveil bypass for a process that enabled performance coredumps. To ensure we always check the dumped process unveil data, an option to pass a Process& has been added to a couple of methods in the class of VirtualFileSystem.
2023-03-04 18:01:54 +00:00
ErrorOr<void> VirtualFileSystem::validate_path_against_process_veil(StringView path, int options)
{
return validate_path_against_process_veil(Process::current(), path, options);
}
Kernel: Make VirtualFileSystem functions take credentials as input Instead of getting credentials from Process::current(), we now require that they be provided as input to the various VFS functions. This ensures that an atomic set of credentials is used throughout an entire VFS operation.
2022-08-21 14:02:24 +00:00
ErrorOr<NonnullRefPtr<Custody>> VirtualFileSystem::resolve_path(Credentials const& credentials, StringView path, NonnullRefPtr<Custody> base, RefPtr<Custody>* out_parent, int options, int symlink_recursion_level)
Kernel: Actually check Process unveil data when creating perfcore dump Before of this patch, we looked at the unveil data of the FinalizerTask, which naturally doesn't have any unveil restrictions, therefore allowing an unveil bypass for a process that enabled performance coredumps. To ensure we always check the dumped process unveil data, an option to pass a Process& has been added to a couple of methods in the class of VirtualFileSystem.
2023-03-04 18:01:54 +00:00
{
return resolve_path(Process::current(), credentials, path, base, out_parent, options, symlink_recursion_level);
}
ErrorOr<NonnullRefPtr<Custody>> VirtualFileSystem::resolve_path(Process const& process, Credentials const& credentials, StringView path, NonnullRefPtr<Custody> base, RefPtr<Custody>* out_parent, int options, int symlink_recursion_level)
FileSystem: Add a Custody class that represents a parent/child guardianship. A custody is kind of a directory entry abstraction that represents a single entry in a parent directory that tells us the name of a child inode. The idea here is for path resolution to produce a chain of custody objects.
2019-05-30 15:46:08 +00:00
{
Kernel/VFS: Add FIXMEs about error codes leaking data from veiled paths Error codes can leak information about veiled paths, if the path resolution fails with e.g. EACCESS. This is non-trivial to fix, as there is a group of error codes we want to propagate to the caller, such as ENOMEM.
2022-02-13 16:31:33 +00:00
// FIXME: The errors returned by resolve_path_without_veil can leak information about paths that are not unveiled,
// e.g. when the error is EACCESS or similar.
Kernel: Make VirtualFileSystem functions take credentials as input Instead of getting credentials from Process::current(), we now require that they be provided as input to the various VFS functions. This ensures that an atomic set of credentials is used throughout an entire VFS operation.
2022-08-21 14:02:24 +00:00
auto custody = TRY(resolve_path_without_veil(credentials, path, base, out_parent, options, symlink_recursion_level));
Kernel: Actually check Process unveil data when creating perfcore dump Before of this patch, we looked at the unveil data of the FinalizerTask, which naturally doesn't have any unveil restrictions, therefore allowing an unveil bypass for a process that enabled performance coredumps. To ensure we always check the dumped process unveil data, an option to pass a Process& has been added to a couple of methods in the class of VirtualFileSystem.
2023-03-04 18:01:54 +00:00
if (auto result = validate_path_against_process_veil(process, *custody, options); result.is_error()) {
Kernel/VFS: Clear out_parent if path is veiled Previously, VirtualFileSystem::resolve_path() could return a non-null RefPtr<Custody>* out_parent even if the function errored because the path has been veiled. If code relies on recieving the parent custody even if the path is veiled, it should just call resolve_path_without_veil and do the veil validation manually. This is because it could be that the parent is unveiled but the child isn't or the other way round.
2021-07-11 12:46:15 +00:00
if (out_parent)
out_parent->clear();
return result.release_error();
}
Kernel: Resolve relative paths when there is a veil (#1474)
2020-03-19 08:57:34 +00:00
return custody;
}
Kernel: Make VirtualFileSystem functions take credentials as input Instead of getting credentials from Process::current(), we now require that they be provided as input to the various VFS functions. This ensures that an atomic set of credentials is used throughout an entire VFS operation.
2022-08-21 14:02:24 +00:00
static bool safe_to_follow_symlink(Credentials const& credentials, Inode const& inode, InodeMetadata const& parent_metadata)
Kernel: Implement the same symlink protection as Linux Path resolution will now refuse to follow symlinks in some cases where you don't own the symlink, or when it's in a sticky world-writable directory and the link has a different owner than the directory. The point of all this is to prevent classic TOCTOU bugs in /tmp etc. Fixes #4934
2021-01-19 17:12:09 +00:00
{
auto metadata = inode.metadata();
Kernel: Make VirtualFileSystem functions take credentials as input Instead of getting credentials from Process::current(), we now require that they be provided as input to the various VFS functions. This ensures that an atomic set of credentials is used throughout an entire VFS operation.
2022-08-21 14:02:24 +00:00
if (credentials.euid() == metadata.uid)
Kernel: Implement the same symlink protection as Linux Path resolution will now refuse to follow symlinks in some cases where you don't own the symlink, or when it's in a sticky world-writable directory and the link has a different owner than the directory. The point of all this is to prevent classic TOCTOU bugs in /tmp etc. Fixes #4934
2021-01-19 17:12:09 +00:00
return true;
if (!(parent_metadata.is_sticky() && parent_metadata.mode & S_IWOTH))
return true;
if (metadata.uid == parent_metadata.uid)
return true;
return false;
}
Kernel: Make VirtualFileSystem functions take credentials as input Instead of getting credentials from Process::current(), we now require that they be provided as input to the various VFS functions. This ensures that an atomic set of credentials is used throughout an entire VFS operation.
2022-08-21 14:02:24 +00:00
ErrorOr<NonnullRefPtr<Custody>> VirtualFileSystem::resolve_path_without_veil(Credentials const& credentials, StringView path, NonnullRefPtr<Custody> base, RefPtr<Custody>* out_parent, int options, int symlink_recursion_level)
Kernel: Resolve relative paths when there is a veil (#1474)
2020-03-19 08:57:34 +00:00
{
Kernel: Implement recursion limit on path resolution Cautiously use 5 as a limit for now so that we don't blow the stack. This can be increased in the future if we are sure that we won't be blowing the stack, or if the implementation is changed to not use recursion :^)
2019-12-24 09:39:21 +00:00
if (symlink_recursion_level >= symlink_recursion_limit)
Kernel+LibC: Turn errno codes into a strongly typed enum ..and allow implicit creation of KResult and KResultOr from ErrnoCode. This means that kernel functions that return those types can finally do "return EINVAL;" and it will just work. There's a handful of functions that still deal with signed integers that should be converted to return KResults.
2021-01-20 22:11:17 +00:00
return ELOOP;
FileSystem: Add FIXME about resolve_path bug
2019-08-25 16:18:51 +00:00
FileSystem: Add a Custody class that represents a parent/child guardianship. A custody is kind of a directory entry abstraction that represents a single entry in a parent directory that tells us the name of a child inode. The idea here is for path resolution to produce a chain of custody objects.
2019-05-30 15:46:08 +00:00
if (path.is_empty())
Kernel+LibC: Turn errno codes into a strongly typed enum ..and allow implicit creation of KResult and KResultOr from ErrnoCode. This means that kernel functions that return those types can finally do "return EINVAL;" and it will just work. There's a handful of functions that still deal with signed integers that should be converted to return KResults.
2021-01-20 22:11:17 +00:00
return EINVAL;
FileSystem: Add a Custody class that represents a parent/child guardianship. A custody is kind of a directory entry abstraction that represents a single entry in a parent directory that tells us the name of a child inode. The idea here is for path resolution to produce a chain of custody objects.
2019-05-30 15:46:08 +00:00
Kernel: Remove an allocation from VFS::resolve_path_without_veil (#7287) Use GenericLexer to replace a call to StringView::split() since that returns its result in a heap-allocating Vector.
2021-05-21 22:12:32 +00:00
GenericLexer path_lexer(path);
Kernel: Add a basic chroot() syscall :^) The chroot() syscall now allows the superuser to isolate a process into a specific subtree of the filesystem. This is not strictly permanent, as it is also possible for a superuser to break *out* of a chroot, but it is a useful mechanism for isolating unprivileged processes. The VFS now uses the current process's root_directory() as the root for path resolution purposes. The root directory is stored as an uncached Custody in the Process object.
2020-01-10 22:14:04 +00:00
Kernel: Use RefPtr instead of LockRefPtr for Custody By protecting all the RefPtr<Custody> objects that may be accessed from multiple threads at the same time (with spinlocks), we remove the need for using LockRefPtr<Custody> (which is basically a RefPtr with a built-in spinlock.)
2022-08-20 23:04:35 +00:00
NonnullRefPtr<Custody> custody = path[0] == '/' ? root_custody() : base;
Kernel: Remove an allocation from VFS::resolve_path_without_veil (#7287) Use GenericLexer to replace a call to StringView::split() since that returns its result in a heap-allocating Vector.
2021-05-21 22:12:32 +00:00
bool extra_iteration = path[path.length() - 1] == '/';
while (!path_lexer.is_eof() || extra_iteration) {
if (path_lexer.is_eof())
extra_iteration = false;
auto part = path_lexer.consume_until('/');
AK: Standardize the behaviour of GenericLexer::consume_until overloads Before this commit all consume_until overloads aside from the Predicate one would consume (and ignore) the stop char/string, while the Predicate overload would not, in order to keep behaviour consistent, the other overloads no longer consume the stop char/string as well.
2022-01-24 21:47:22 +00:00
path_lexer.ignore();
FileSystem: Add a Custody class that represents a parent/child guardianship. A custody is kind of a directory entry abstraction that represents a single entry in a parent directory that tells us the name of a child inode. The idea here is for path resolution to produce a chain of custody objects.
2019-05-30 15:46:08 +00:00
Kernel: Simplify VFS::resolve_path() further It turns out we don't even need to store the whole custody chain, as we only ever access its last element. So we can just store one custody. This also fixes a performance FIXME :^) Also, rename parent_custody to out_parent.
2020-01-15 07:52:33 +00:00
Custody& parent = custody;
auto parent_metadata = parent.inode().metadata();
Kernel: Refactor/rewrite VFS::resolve_path() This makes the implementation easier to follow, but also fixes multiple issues with the old implementation. In particular, it now deals properly with . and .. in paths, including around mount points. Hopefully there aren't many new bugs this introduces :^)
2020-01-14 10:30:15 +00:00
if (!parent_metadata.is_directory())
Kernel+LibC: Turn errno codes into a strongly typed enum ..and allow implicit creation of KResult and KResultOr from ErrnoCode. This means that kernel functions that return those types can finally do "return EINVAL;" and it will just work. There's a handful of functions that still deal with signed integers that should be converted to return KResults.
2021-01-20 22:11:17 +00:00
return ENOTDIR;
Kernel: Refactor/rewrite VFS::resolve_path() This makes the implementation easier to follow, but also fixes multiple issues with the old implementation. In particular, it now deals properly with . and .. in paths, including around mount points. Hopefully there aren't many new bugs this introduces :^)
2020-01-14 10:30:15 +00:00
// Ensure the current user is allowed to resolve paths inside this directory.
Kernel: Make VirtualFileSystem functions take credentials as input Instead of getting credentials from Process::current(), we now require that they be provided as input to the various VFS functions. This ensures that an atomic set of credentials is used throughout an entire VFS operation.
2022-08-21 14:02:24 +00:00
if (!parent_metadata.may_execute(credentials))
Kernel+LibC: Turn errno codes into a strongly typed enum ..and allow implicit creation of KResult and KResultOr from ErrnoCode. This means that kernel functions that return those types can finally do "return EINVAL;" and it will just work. There's a handful of functions that still deal with signed integers that should be converted to return KResults.
2021-01-20 22:11:17 +00:00
return EACCES;
Kernel: Fix not returning errors for the last path item. Previously the check for an empty part would happen before the check for access and for the parent being a directory, and so an error in those would not be detected.
2019-06-13 13:33:01 +00:00
Kernel: Remove an allocation from VFS::resolve_path_without_veil (#7287) Use GenericLexer to replace a call to StringView::split() since that returns its result in a heap-allocating Vector.
2021-05-21 22:12:32 +00:00
bool have_more_parts = !path_lexer.is_eof() || extra_iteration;
Kernel: Refactor/rewrite VFS::resolve_path() This makes the implementation easier to follow, but also fixes multiple issues with the old implementation. In particular, it now deals properly with . and .. in paths, including around mount points. Hopefully there aren't many new bugs this introduces :^)
2020-01-14 10:30:15 +00:00
if (part == "..") {
// If we encounter a "..", take a step back, but don't go beyond the root.
Kernel: Simplify VFS::resolve_path() further It turns out we don't even need to store the whole custody chain, as we only ever access its last element. So we can just store one custody. This also fixes a performance FIXME :^) Also, rename parent_custody to out_parent.
2020-01-15 07:52:33 +00:00
if (custody->parent())
custody = *custody->parent();
Kernel: Make proper use of the new keep_empty argument
2019-09-20 21:45:16 +00:00
continue;
Kernel: Refactor/rewrite VFS::resolve_path() This makes the implementation easier to follow, but also fixes multiple issues with the old implementation. In particular, it now deals properly with . and .. in paths, including around mount points. Hopefully there aren't many new bugs this introduces :^)
2020-01-14 10:30:15 +00:00
} else if (part == "." || part.is_empty()) {
continue;
}
Kernel: Fix not returning errors for the last path item. Previously the check for an empty part would happen before the check for access and for the parent being a directory, and so an error in those would not be detected.
2019-06-13 13:33:01 +00:00
Kernel: Refactor/rewrite VFS::resolve_path() This makes the implementation easier to follow, but also fixes multiple issues with the old implementation. In particular, it now deals properly with . and .. in paths, including around mount points. Hopefully there aren't many new bugs this introduces :^)
2020-01-14 10:30:15 +00:00
// Okay, let's look up this part.
Kernel: Make Inode::lookup() return a KResultOr<NonnullRefPtr<Inode>> This allows file systems to return arbitrary error codes instead of just an Inode or not an Inode.
2021-08-14 11:32:35 +00:00
auto child_or_error = parent.inode().lookup(part);
if (child_or_error.is_error()) {
Kernel: Simplify VFS::resolve_path() further It turns out we don't even need to store the whole custody chain, as we only ever access its last element. So we can just store one custody. This also fixes a performance FIXME :^) Also, rename parent_custody to out_parent.
2020-01-15 07:52:33 +00:00
if (out_parent) {
Kernel: Refactor/rewrite VFS::resolve_path() This makes the implementation easier to follow, but also fixes multiple issues with the old implementation. In particular, it now deals properly with . and .. in paths, including around mount points. Hopefully there aren't many new bugs this introduces :^)
2020-01-14 10:30:15 +00:00
// ENOENT with a non-null parent custody signals to caller that
Kernel: Fix awkward bug where "touch /foo/bar/baz" could create "/baz" To accomodate file creation, path resolution optionally returns the last valid parent directory seen while traversing the path. Clients will then interpret "ENOENT, but I have a parent for you" as meaning that the file doesn't exist, but its immediate parent directory does. The client then goes ahead and creates a new file. In the case of "/foo/bar/baz" where there is no "/foo", it would fail with ENOENT and "/" as the last seen parent directory, causing e.g the open() syscall to create "/baz". Covered by test_io.
2020-01-03 02:53:06 +00:00
// we found the immediate parent of the file, but the file itself
// does not exist yet.
Kernel: Simplify VFS::resolve_path() further It turns out we don't even need to store the whole custody chain, as we only ever access its last element. So we can just store one custody. This also fixes a performance FIXME :^) Also, rename parent_custody to out_parent.
2020-01-15 07:52:33 +00:00
*out_parent = have_more_parts ? nullptr : &parent;
Kernel: Fix awkward bug where "touch /foo/bar/baz" could create "/baz" To accomodate file creation, path resolution optionally returns the last valid parent directory seen while traversing the path. Clients will then interpret "ENOENT, but I have a parent for you" as meaning that the file doesn't exist, but its immediate parent directory does. The client then goes ahead and creates a new file. In the case of "/foo/bar/baz" where there is no "/foo", it would fail with ENOENT and "/" as the last seen parent directory, causing e.g the open() syscall to create "/baz". Covered by test_io.
2020-01-03 02:53:06 +00:00
}
Kernel: Replace KResult and KResultOr<T> with Error and ErrorOr<T> We now use AK::Error and AK::ErrorOr<T> in both kernel and userspace! This was a slightly tedious refactoring that took a long time, so it's not unlikely that some bugs crept in. Nevertheless, it does pass basic functionality testing, and it's just real nice to finally see the same pattern in all contexts. :^)
2021-11-07 23:51:39 +00:00
return child_or_error.release_error();
Kernel: Fix awkward bug where "touch /foo/bar/baz" could create "/baz" To accomodate file creation, path resolution optionally returns the last valid parent directory seen while traversing the path. Clients will then interpret "ENOENT, but I have a parent for you" as meaning that the file doesn't exist, but its immediate parent directory does. The client then goes ahead and creates a new file. In the case of "/foo/bar/baz" where there is no "/foo", it would fail with ENOENT and "/" as the last seen parent directory, causing e.g the open() syscall to create "/baz". Covered by test_io.
2020-01-03 02:53:06 +00:00
}
Kernel: Make Inode::lookup() return a KResultOr<NonnullRefPtr<Inode>> This allows file systems to return arbitrary error codes instead of just an Inode or not an Inode.
2021-08-14 11:32:35 +00:00
auto child_inode = child_or_error.release_value();
Kernel: Refactor/rewrite VFS::resolve_path() This makes the implementation easier to follow, but also fixes multiple issues with the old implementation. In particular, it now deals properly with . and .. in paths, including around mount points. Hopefully there aren't many new bugs this introduces :^)
2020-01-14 10:30:15 +00:00
Kernel: Simplify VFS::resolve_path() further It turns out we don't even need to store the whole custody chain, as we only ever access its last element. So we can just store one custody. This also fixes a performance FIXME :^) Also, rename parent_custody to out_parent.
2020-01-15 07:52:33 +00:00
int mount_flags_for_child = parent.mount_flags();
Kernel: Make Inode::lookup() return a RefPtr<Inode> Previously this API would return an InodeIdentifier, which meant that there was a race in path resolution where an inode could be unlinked in between finding the InodeIdentifier for a path component, and actually resolving that to an Inode object. Attaching a test that would quickly trip an assertion before. Test: Kernel/path-resolution-race.cpp
2020-02-01 08:23:46 +00:00
Kernel/VFS: Check matching absolute path when jump to mount guest inode We could easily encounter a case where we do the following: ``` mkdir -p /tmp2 mount /dev/hda /tmp2 ``` would produce a bug that doing `ls /tmp2/tmp2` will give the contents on `/dev/hda` ext2 root directory and also on `/tmp2/tmp2/tmp2` and so on. To prevent this, we must compare the current custody against each mount entry's custody to ensure their paths match.
2023-08-04 19:03:24 +00:00
auto current_custody = TRY(Custody::try_create(&parent, part, *child_inode, mount_flags_for_child));
Kernel: Refactor/rewrite VFS::resolve_path() This makes the implementation easier to follow, but also fixes multiple issues with the old implementation. In particular, it now deals properly with . and .. in paths, including around mount points. Hopefully there aren't many new bugs this introduces :^)
2020-01-14 10:30:15 +00:00
// See if there's something mounted on the child; in that case
// we would need to return the guest inode, not the host inode.
Kernel/VFS: Ensure working with mount entry per a custody is safe Previously we could get a raw pointer to a Mount object which might be invalid when actually dereferencing it. To ensure this could not happen, we should just use a callback that will be used immediately after finding the appropriate Mount entry, while holding the mount table lock.
2023-08-04 19:57:25 +00:00
auto found_mount_or_error = apply_to_mount_for_host_custody(current_custody, [&child_inode, &mount_flags_for_child](auto& mount) {
child_inode = mount.guest();
mount_flags_for_child = mount.flags();
});
if (!found_mount_or_error.is_error()) {
Kernel/VFS: Check matching absolute path when jump to mount guest inode We could easily encounter a case where we do the following: ``` mkdir -p /tmp2 mount /dev/hda /tmp2 ``` would produce a bug that doing `ls /tmp2/tmp2` will give the contents on `/dev/hda` ext2 root directory and also on `/tmp2/tmp2/tmp2` and so on. To prevent this, we must compare the current custody against each mount entry's custody to ensure their paths match.
2023-08-04 19:03:24 +00:00
custody = TRY(Custody::try_create(&parent, part, *child_inode, mount_flags_for_child));
} else {
custody = current_custody;
FileSystem: Add a Custody class that represents a parent/child guardianship. A custody is kind of a directory entry abstraction that represents a single entry in a parent directory that tells us the name of a child inode. The idea here is for path resolution to produce a chain of custody objects.
2019-05-30 15:46:08 +00:00
}
FileSystem: Merge symlink following logic into path resolution. When encountering a symlink, we abandon the custody chain we've been working on and start over with a new one (by recursing into a new resolution call.) Caching symlinks in the custody model would be incredibly difficult to get right with all the extra invalidation it would require, so let's just not.
2019-05-31 04:42:49 +00:00
Kernel: Refactor/rewrite VFS::resolve_path() This makes the implementation easier to follow, but also fixes multiple issues with the old implementation. In particular, it now deals properly with . and .. in paths, including around mount points. Hopefully there aren't many new bugs this introduces :^)
2020-01-14 10:30:15 +00:00
if (child_inode->metadata().is_symlink()) {
if (!have_more_parts) {
FileSystem: Add a Custody class that represents a parent/child guardianship. A custody is kind of a directory entry abstraction that represents a single entry in a parent directory that tells us the name of a child inode. The idea here is for path resolution to produce a chain of custody objects.
2019-05-30 15:46:08 +00:00
if (options & O_NOFOLLOW)
Kernel+LibC: Turn errno codes into a strongly typed enum ..and allow implicit creation of KResult and KResultOr from ErrnoCode. This means that kernel functions that return those types can finally do "return EINVAL;" and it will just work. There's a handful of functions that still deal with signed integers that should be converted to return KResults.
2021-01-20 22:11:17 +00:00
return ELOOP;
FileSystem: Add a Custody class that represents a parent/child guardianship. A custody is kind of a directory entry abstraction that represents a single entry in a parent directory that tells us the name of a child inode. The idea here is for path resolution to produce a chain of custody objects.
2019-05-30 15:46:08 +00:00
if (options & O_NOFOLLOW_NOERROR)
Kernel: Refactor/rewrite VFS::resolve_path() This makes the implementation easier to follow, but also fixes multiple issues with the old implementation. In particular, it now deals properly with . and .. in paths, including around mount points. Hopefully there aren't many new bugs this introduces :^)
2020-01-14 10:30:15 +00:00
break;
FileSystem: Add a Custody class that represents a parent/child guardianship. A custody is kind of a directory entry abstraction that represents a single entry in a parent directory that tells us the name of a child inode. The idea here is for path resolution to produce a chain of custody objects.
2019-05-30 15:46:08 +00:00
}
Kernel: Implement the same symlink protection as Linux Path resolution will now refuse to follow symlinks in some cases where you don't own the symlink, or when it's in a sticky world-writable directory and the link has a different owner than the directory. The point of all this is to prevent classic TOCTOU bugs in /tmp etc. Fixes #4934
2021-01-19 17:12:09 +00:00
Kernel: Make VirtualFileSystem functions take credentials as input Instead of getting credentials from Process::current(), we now require that they be provided as input to the various VFS functions. This ensures that an atomic set of credentials is used throughout an entire VFS operation.
2022-08-21 14:02:24 +00:00
if (!safe_to_follow_symlink(credentials, *child_inode, parent_metadata))
Kernel+LibC: Turn errno codes into a strongly typed enum ..and allow implicit creation of KResult and KResultOr from ErrnoCode. This means that kernel functions that return those types can finally do "return EINVAL;" and it will just work. There's a handful of functions that still deal with signed integers that should be converted to return KResults.
2021-01-20 22:11:17 +00:00
return EACCES;
Kernel: Implement the same symlink protection as Linux Path resolution will now refuse to follow symlinks in some cases where you don't own the symlink, or when it's in a sticky world-writable directory and the link has a different owner than the directory. The point of all this is to prevent classic TOCTOU bugs in /tmp etc. Fixes #4934
2021-01-19 17:12:09 +00:00
Kernel: Use TRY() even more in VirtualFileSystem Allowing TRY() with KResult unlocked a whole lot more opportunities.
2021-09-05 12:55:25 +00:00
TRY(validate_path_against_process_veil(*custody, options));
Kernel: Use the resolved parent path when testing create veil (#5231)
2021-02-06 18:11:44 +00:00
Kernel: Make Inode::resolve_as_link() take credentials as input
2022-08-21 14:17:13 +00:00
auto symlink_target = TRY(child_inode->resolve_as_link(credentials, parent, out_parent, options, symlink_recursion_level + 1));
Kernel: Use TRY() even more in VirtualFileSystem Allowing TRY() with KResult unlocked a whole lot more opportunities.
2021-09-05 12:55:25 +00:00
if (!have_more_parts)
Kernel: Fix resolving symlinks in the middle of a path. If a symlink is not the last part of a path, the remaining part of the path has to be further resolved against the symlink target. With this, a path containing a symlink always resolves to the target of the first (leftmost) symlink in it, for example any path of form /proc/self/... resolves to the corresponding /proc/pid directory.
2019-06-12 13:36:05 +00:00
return symlink_target;
Kernel: Refactor/rewrite VFS::resolve_path() This makes the implementation easier to follow, but also fixes multiple issues with the old implementation. In particular, it now deals properly with . and .. in paths, including around mount points. Hopefully there aren't many new bugs this introduces :^)
2020-01-14 10:30:15 +00:00
// Now, resolve the remaining path relative to the symlink target.
// We prepend a "." to it to ensure that it's not empty and that
// any initial slashes it might have get interpreted properly.
StringBuilder remaining_path;
Kernel: Propagate allocation failure in resolve_path_without_veil
2021-12-29 19:13:29 +00:00
TRY(remaining_path.try_append('.'));
TRY(remaining_path.try_append(path.substring_view_starting_after_substring(part)));
Kernel: Fix resolving symlinks in the middle of a path. If a symlink is not the last part of a path, the remaining part of the path has to be further resolved against the symlink target. With this, a path containing a symlink always resolves to the target of the first (leftmost) symlink in it, for example any path of form /proc/self/... resolves to the corresponding /proc/pid directory.
2019-06-12 13:36:05 +00:00
Kernel: Make VirtualFileSystem functions take credentials as input Instead of getting credentials from Process::current(), we now require that they be provided as input to the various VFS functions. This ensures that an atomic set of credentials is used throughout an entire VFS operation.
2022-08-21 14:02:24 +00:00
return resolve_path_without_veil(credentials, remaining_path.string_view(), symlink_target, out_parent, options, symlink_recursion_level + 1);
FileSystem: Add a Custody class that represents a parent/child guardianship. A custody is kind of a directory entry abstraction that represents a single entry in a parent directory that tells us the name of a child inode. The idea here is for path resolution to produce a chain of custody objects.
2019-05-30 15:46:08 +00:00
}
}
Kernel: Refactor/rewrite VFS::resolve_path() This makes the implementation easier to follow, but also fixes multiple issues with the old implementation. In particular, it now deals properly with . and .. in paths, including around mount points. Hopefully there aren't many new bugs this introduces :^)
2020-01-14 10:30:15 +00:00
Kernel: Simplify VFS::resolve_path() further It turns out we don't even need to store the whole custody chain, as we only ever access its last element. So we can just store one custody. This also fixes a performance FIXME :^) Also, rename parent_custody to out_parent.
2020-01-15 07:52:33 +00:00
if (out_parent)
*out_parent = custody->parent();
return custody;
FileSystem: Add a Custody class that represents a parent/child guardianship. A custody is kind of a directory entry abstraction that represents a single entry in a parent directory that tells us the name of a child inode. The idea here is for path resolution to produce a chain of custody objects.
2019-05-30 15:46:08 +00:00
}
Kernel: Move all code into the Kernel namespace
2020-02-16 00:27:42 +00:00
}
Reference in a new issue Copy permalink