723e51327f
The main purpose of this patch is to fix handling of unpause calls from PM while another call is ongoing. The solution to this problem sparked a full revision of the threading model, consisting of a large number of related changes: - all active worker threads are now always associated with a process, and every process has at most one active thread working for it; - the process lock is always held by a process's worker thread; - a process can now have both normal work and postponed PM work associated to it; - timer expiry and non-postponed PM work is done from the main thread; - filp garbage collection is done from a thread associated with VFS; - reboot calls from PM are now done from a thread associated with PM; - the DS events handler is protected from starting multiple threads; - support for a system worker thread has been removed; - the deadlock recovery thread has been replaced by a parameter to the worker_start() function; the number of worker threads has consequently been increased by one; - saving and restoring of global but per-thread variables is now centralized in worker_suspend() and worker_resume(); err_code is now saved and restored in all cases; - the concept of jobs has been removed, and job_m_in now points to a message stored in the worker thread structure instead; - the PM lock has been removed; - the separate exec lock has been replaced by a lock on the VM process, which was already being locked for exec calls anyway; - PM_UNPAUSE is now processed as a postponed PM request, from a thread associated with the target process; - the FP_DROP_WORK flag has been removed, since it is no longer more than just an optimization and only applied to processes operating on a pipe when getting killed; - assignment to "fp" now takes place only when obtaining new work in the main thread or a worker thread, when resuming execution of a thread, and in the special case of exiting processes during reboot; - there are no longer special cases where the yield() call is used to force a thread to run. Change-Id: I7a97b9b95c2450454a9b5318dfa0e6150d4e6858
312 lines
8.9 KiB
C
312 lines
8.9 KiB
C
/* This file deals with protection in the file system. It contains the code
|
|
* for four system calls that relate to protection.
|
|
*
|
|
* The entry points into this file are
|
|
* do_chmod: perform the CHMOD and FCHMOD system calls
|
|
* do_chown: perform the CHOWN and FCHOWN system calls
|
|
* do_umask: perform the UMASK system call
|
|
* do_access: perform the ACCESS system call
|
|
*/
|
|
|
|
#include "fs.h"
|
|
#include <sys/stat.h>
|
|
#include <unistd.h>
|
|
#include <assert.h>
|
|
#include <minix/callnr.h>
|
|
#include "file.h"
|
|
#include "path.h"
|
|
#include "param.h"
|
|
#include <minix/vfsif.h>
|
|
#include "vnode.h"
|
|
#include "vmnt.h"
|
|
|
|
/*===========================================================================*
|
|
* do_chmod *
|
|
*===========================================================================*/
|
|
int do_chmod(message *UNUSED(m_out))
|
|
{
|
|
/* Perform the chmod(name, mode) and fchmod(fd, mode) system calls.
|
|
* syscall might provide 'name' embedded in the message.
|
|
*/
|
|
|
|
struct filp *flp;
|
|
struct vnode *vp;
|
|
struct vmnt *vmp;
|
|
int r, rfd;
|
|
mode_t result_mode;
|
|
char fullpath[PATH_MAX];
|
|
struct lookup resolve;
|
|
vir_bytes vname;
|
|
size_t vname_length;
|
|
mode_t new_mode;
|
|
|
|
flp = NULL;
|
|
vname = (vir_bytes) job_m_in.name;
|
|
vname_length = (size_t) job_m_in.name_length;
|
|
rfd = job_m_in.fd;
|
|
new_mode = (mode_t) job_m_in.mode;
|
|
|
|
lookup_init(&resolve, fullpath, PATH_NOFLAGS, &vmp, &vp);
|
|
resolve.l_vmnt_lock = VMNT_READ;
|
|
resolve.l_vnode_lock = VNODE_WRITE;
|
|
|
|
if (job_call_nr == CHMOD) {
|
|
/* Temporarily open the file */
|
|
if (copy_name(vname_length, fullpath) != OK) {
|
|
/* Direct copy failed, try fetching from user space */
|
|
if (fetch_name(vname, vname_length, fullpath) != OK)
|
|
return(err_code);
|
|
}
|
|
if ((vp = eat_path(&resolve, fp)) == NULL) return(err_code);
|
|
} else { /* call_nr == FCHMOD */
|
|
/* File is already opened; get a pointer to vnode from filp. */
|
|
if ((flp = get_filp(rfd, VNODE_WRITE)) == NULL) return(err_code);
|
|
vp = flp->filp_vno;
|
|
assert(vp);
|
|
dup_vnode(vp);
|
|
}
|
|
|
|
assert(vp);
|
|
|
|
/* Only the owner or the super_user may change the mode of a file.
|
|
* No one may change the mode of a file on a read-only file system.
|
|
*/
|
|
if (vp->v_uid != fp->fp_effuid && fp->fp_effuid != SU_UID)
|
|
r = EPERM;
|
|
else
|
|
r = read_only(vp);
|
|
|
|
if (r == OK) {
|
|
/* Now make the change. Clear setgid bit if file is not in caller's
|
|
* group */
|
|
if (fp->fp_effuid != SU_UID && vp->v_gid != fp->fp_effgid)
|
|
new_mode &= ~I_SET_GID_BIT;
|
|
|
|
r = req_chmod(vp->v_fs_e, vp->v_inode_nr, new_mode, &result_mode);
|
|
if (r == OK)
|
|
vp->v_mode = result_mode;
|
|
}
|
|
|
|
if (job_call_nr == CHMOD) {
|
|
unlock_vnode(vp);
|
|
unlock_vmnt(vmp);
|
|
} else { /* FCHMOD */
|
|
unlock_filp(flp);
|
|
}
|
|
|
|
put_vnode(vp);
|
|
return(r);
|
|
}
|
|
|
|
|
|
/*===========================================================================*
|
|
* do_chown *
|
|
*===========================================================================*/
|
|
int do_chown(message *UNUSED(m_out))
|
|
{
|
|
/* Perform the chown(path, owner, group) and fchmod(fd, owner, group) system
|
|
* calls. */
|
|
struct filp *flp;
|
|
struct vnode *vp;
|
|
struct vmnt *vmp;
|
|
int r, rfd;
|
|
uid_t uid, new_uid;
|
|
gid_t gid, new_gid;
|
|
mode_t new_mode;
|
|
char fullpath[PATH_MAX];
|
|
struct lookup resolve;
|
|
vir_bytes vname1;
|
|
size_t vname1_length;
|
|
|
|
flp = NULL;
|
|
vname1 = (vir_bytes) job_m_in.name1;
|
|
vname1_length = (size_t) job_m_in.name1_length;
|
|
rfd = job_m_in.fd;
|
|
uid = job_m_in.owner;
|
|
gid = job_m_in.group;
|
|
|
|
lookup_init(&resolve, fullpath, PATH_NOFLAGS, &vmp, &vp);
|
|
resolve.l_vmnt_lock = VMNT_READ;
|
|
resolve.l_vnode_lock = VNODE_WRITE;
|
|
|
|
if (job_call_nr == CHOWN) {
|
|
/* Temporarily open the file. */
|
|
if (fetch_name(vname1, vname1_length, fullpath) != OK)
|
|
return(err_code);
|
|
if ((vp = eat_path(&resolve, fp)) == NULL) return(err_code);
|
|
} else { /* call_nr == FCHOWN */
|
|
/* File is already opened; get a pointer to the vnode from filp. */
|
|
if ((flp = get_filp(rfd, VNODE_WRITE)) == NULL)
|
|
return(err_code);
|
|
vp = flp->filp_vno;
|
|
dup_vnode(vp);
|
|
}
|
|
|
|
r = read_only(vp);
|
|
if (r == OK) {
|
|
/* FS is R/W. Whether call is allowed depends on ownership, etc. */
|
|
/* The super user can do anything, so check permissions only if we're
|
|
a regular user. */
|
|
if (fp->fp_effuid != SU_UID) {
|
|
/* Regular users can only change groups of their own files. */
|
|
if (vp->v_uid != fp->fp_effuid) r = EPERM;
|
|
if (vp->v_uid != uid) r = EPERM; /* no giving away */
|
|
if (fp->fp_effgid != gid) r = EPERM;
|
|
}
|
|
}
|
|
|
|
if (r == OK) {
|
|
/* Do not change uid/gid if new uid/gid is -1. */
|
|
new_uid = (uid == (uid_t)-1 ? vp->v_uid : uid);
|
|
new_gid = (gid == (gid_t)-1 ? vp->v_gid : gid);
|
|
|
|
if (new_uid > UID_MAX || new_gid > GID_MAX)
|
|
r = EINVAL;
|
|
else if ((r = req_chown(vp->v_fs_e, vp->v_inode_nr, new_uid, new_gid,
|
|
&new_mode)) == OK) {
|
|
vp->v_uid = new_uid;
|
|
vp->v_gid = new_gid;
|
|
vp->v_mode = new_mode;
|
|
}
|
|
}
|
|
|
|
if (job_call_nr == CHOWN) {
|
|
unlock_vnode(vp);
|
|
unlock_vmnt(vmp);
|
|
} else { /* FCHOWN */
|
|
unlock_filp(flp);
|
|
}
|
|
|
|
put_vnode(vp);
|
|
return(r);
|
|
}
|
|
|
|
/*===========================================================================*
|
|
* do_umask *
|
|
*===========================================================================*/
|
|
int do_umask(message *UNUSED(m_out))
|
|
{
|
|
/* Perform the umask(co_mode) system call. */
|
|
mode_t complement, new_umask;
|
|
|
|
new_umask = job_m_in.co_mode;
|
|
|
|
complement = ~fp->fp_umask; /* set 'r' to complement of old mask */
|
|
fp->fp_umask = ~(new_umask & RWX_MODES);
|
|
return(complement); /* return complement of old mask */
|
|
}
|
|
|
|
|
|
/*===========================================================================*
|
|
* do_access *
|
|
*===========================================================================*/
|
|
int do_access(message *UNUSED(m_out))
|
|
{
|
|
/* Perform the access(name, mode) system call.
|
|
* syscall might provide 'name' embedded in the message.
|
|
*/
|
|
int r;
|
|
struct vnode *vp;
|
|
struct vmnt *vmp;
|
|
char fullpath[PATH_MAX];
|
|
struct lookup resolve;
|
|
vir_bytes vname;
|
|
size_t vname_length;
|
|
mode_t access;
|
|
|
|
vname = (vir_bytes) job_m_in.name;
|
|
vname_length = (size_t) job_m_in.name_length;
|
|
access = job_m_in.mode;
|
|
|
|
lookup_init(&resolve, fullpath, PATH_NOFLAGS, &vmp, &vp);
|
|
resolve.l_vmnt_lock = VMNT_READ;
|
|
resolve.l_vnode_lock = VNODE_READ;
|
|
|
|
/* First check to see if the mode is correct. */
|
|
if ( (access & ~(R_OK | W_OK | X_OK)) != 0 && access != F_OK)
|
|
return(EINVAL);
|
|
|
|
/* Temporarily open the file. */
|
|
if (copy_name(vname_length, fullpath) != OK) {
|
|
/* Direct copy failed, try fetching from user space */
|
|
if (fetch_name(vname, vname_length, fullpath) != OK)
|
|
return(err_code);
|
|
}
|
|
if ((vp = eat_path(&resolve, fp)) == NULL) return(err_code);
|
|
|
|
r = forbidden(fp, vp, access);
|
|
|
|
unlock_vnode(vp);
|
|
unlock_vmnt(vmp);
|
|
|
|
put_vnode(vp);
|
|
return(r);
|
|
}
|
|
|
|
|
|
/*===========================================================================*
|
|
* forbidden *
|
|
*===========================================================================*/
|
|
int forbidden(struct fproc *rfp, struct vnode *vp, mode_t access_desired)
|
|
{
|
|
/* Given a pointer to an vnode, 'vp', and the access desired, determine
|
|
* if the access is allowed, and if not why not. The routine looks up the
|
|
* caller's uid in the 'fproc' table. If access is allowed, OK is returned
|
|
* if it is forbidden, EACCES is returned.
|
|
*/
|
|
|
|
register mode_t bits, perm_bits;
|
|
uid_t uid;
|
|
gid_t gid;
|
|
int r, shift;
|
|
|
|
if (vp->v_uid == (uid_t) -1 || vp->v_gid == (gid_t) -1) return(EACCES);
|
|
|
|
/* Isolate the relevant rwx bits from the mode. */
|
|
bits = vp->v_mode;
|
|
uid = (job_call_nr == ACCESS ? rfp->fp_realuid : rfp->fp_effuid);
|
|
gid = (job_call_nr == ACCESS ? rfp->fp_realgid : rfp->fp_effgid);
|
|
|
|
if (uid == SU_UID) {
|
|
/* Grant read and write permission. Grant search permission for
|
|
* directories. Grant execute permission (for non-directories) if
|
|
* and only if one of the 'X' bits is set.
|
|
*/
|
|
if ( S_ISDIR(bits) || bits & ((X_BIT << 6) | (X_BIT << 3) | X_BIT))
|
|
perm_bits = R_BIT | W_BIT | X_BIT;
|
|
else
|
|
perm_bits = R_BIT | W_BIT;
|
|
} else {
|
|
if (uid == vp->v_uid) shift = 6; /* owner */
|
|
else if (gid == vp->v_gid) shift = 3; /* group */
|
|
else if (in_group(fp, vp->v_gid) == OK) shift = 3; /* suppl. groups */
|
|
else shift = 0; /* other */
|
|
perm_bits = (bits >> shift) & (R_BIT | W_BIT | X_BIT);
|
|
}
|
|
|
|
/* If access desired is not a subset of what is allowed, it is refused. */
|
|
r = OK;
|
|
if ((perm_bits | access_desired) != perm_bits) r = EACCES;
|
|
|
|
/* Check to see if someone is trying to write on a file system that is
|
|
* mounted read-only.
|
|
*/
|
|
if (r == OK)
|
|
if (access_desired & W_BIT)
|
|
r = read_only(vp);
|
|
|
|
return(r);
|
|
}
|
|
|
|
/*===========================================================================*
|
|
* read_only *
|
|
*===========================================================================*/
|
|
int read_only(vp)
|
|
struct vnode *vp; /* ptr to inode whose file sys is to be cked */
|
|
{
|
|
/* Check to see if the file system on which the inode 'ip' resides is mounted
|
|
* read only. If so, return EROFS, else return OK.
|
|
*/
|
|
assert(vp);
|
|
return(vp->v_vmnt && (vp->v_vmnt->m_flags & VMNT_READONLY) ? EROFS : OK);
|
|
}
|