diff -Nrub linux-2.6.11.7-orig/Makefile linux-2.6.11.7-snare/Makefile --- linux-2.6.11.7-orig/Makefile 2005-04-07 14:57:50.000000000 -0400 +++ linux-2.6.11.7-snare/Makefile 2005-04-22 11:22:37.030846744 -0400 @@ -1,7 +1,7 @@ VERSION = 2 PATCHLEVEL = 6 SUBLEVEL = 11 -EXTRAVERSION = .7 +EXTRAVERSION = .7-snare NAME=Woozy Numbat # *DOCUMENTATION* diff -Nrub linux-2.6.11.7-orig/fs/exec.c linux-2.6.11.7-snare/fs/exec.c --- linux-2.6.11.7-orig/fs/exec.c 2005-04-07 14:57:31.000000000 -0400 +++ linux-2.6.11.7-snare/fs/exec.c 2005-04-22 11:19:47.188666680 -0400 @@ -37,6 +37,7 @@ #include #include #include +#include #include #include #include @@ -1129,6 +1130,13 @@ int retval; int i; +#if defined(CONFIG_C2_AUDIT) + char *SNARE_arguments; + SNARE_arguments=saudit_copy_argv(argv); +#else + #define SNARE_arguments (char *)NULL +#endif + retval = -ENOMEM; bprm = kmalloc(sizeof(*bprm), GFP_KERNEL); if (!bprm) @@ -1189,6 +1197,7 @@ if (retval >= 0) { free_arg_pages(bprm); + saudit_execve((char *)NULL, filename, SNARE_arguments, retval); /* execve success */ security_bprm_free(bprm); acct_update_integrals(); @@ -1222,6 +1231,7 @@ kfree(bprm); out_ret: + saudit_execve((char *) NULL, filename, SNARE_arguments, retval); return retval; } diff -Nrub linux-2.6.11.7-orig/fs/exec.c.orig linux-2.6.11.7-snare/fs/exec.c.orig --- linux-2.6.11.7-orig/fs/exec.c.orig 1969-12-31 19:00:00.000000000 -0500 +++ linux-2.6.11.7-snare/fs/exec.c.orig 2005-04-07 14:57:31.000000000 -0400 @@ -0,0 +1,1496 @@ +/* + * linux/fs/exec.c + * + * Copyright (C) 1991, 1992 Linus Torvalds + */ + +/* + * #!-checking implemented by tytso. + */ +/* + * Demand-loading implemented 01.12.91 - no need to read anything but + * the header into memory. The inode of the executable is put into + * "current->executable", and page faults do the actual loading. Clean. + * + * Once more I can proudly say that linux stood up to being changed: it + * was less than 2 hours work to get demand-loading completely implemented. + * + * Demand loading changed July 1993 by Eric Youngdale. Use mmap instead, + * current->executable is only used by the procfs. This allows a dispatch + * table to check for several different types of binary formats. We keep + * trying until we recognize the file or we run out of supported binary + * formats. + */ + +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include + +#include +#include + +#ifdef CONFIG_KMOD +#include +#endif + +int core_uses_pid; +char core_pattern[65] = "core"; +/* The maximal length of core_pattern is also specified in sysctl.c */ + +static struct linux_binfmt *formats; +static DEFINE_RWLOCK(binfmt_lock); + +int register_binfmt(struct linux_binfmt * fmt) +{ + struct linux_binfmt ** tmp = &formats; + + if (!fmt) + return -EINVAL; + if (fmt->next) + return -EBUSY; + write_lock(&binfmt_lock); + while (*tmp) { + if (fmt == *tmp) { + write_unlock(&binfmt_lock); + return -EBUSY; + } + tmp = &(*tmp)->next; + } + fmt->next = formats; + formats = fmt; + write_unlock(&binfmt_lock); + return 0; +} + +EXPORT_SYMBOL(register_binfmt); + +int unregister_binfmt(struct linux_binfmt * fmt) +{ + struct linux_binfmt ** tmp = &formats; + + write_lock(&binfmt_lock); + while (*tmp) { + if (fmt == *tmp) { + *tmp = fmt->next; + write_unlock(&binfmt_lock); + return 0; + } + tmp = &(*tmp)->next; + } + write_unlock(&binfmt_lock); + return -EINVAL; +} + +EXPORT_SYMBOL(unregister_binfmt); + +static inline void put_binfmt(struct linux_binfmt * fmt) +{ + module_put(fmt->module); +} + +/* + * Note that a shared library must be both readable and executable due to + * security reasons. + * + * Also note that we take the address to load from from the file itself. + */ +asmlinkage long sys_uselib(const char __user * library) +{ + struct file * file; + struct nameidata nd; + int error; + + nd.intent.open.flags = FMODE_READ; + error = __user_walk(library, LOOKUP_FOLLOW|LOOKUP_OPEN, &nd); + if (error) + goto out; + + error = -EINVAL; + if (!S_ISREG(nd.dentry->d_inode->i_mode)) + goto exit; + + error = permission(nd.dentry->d_inode, MAY_READ | MAY_EXEC, &nd); + if (error) + goto exit; + + file = dentry_open(nd.dentry, nd.mnt, O_RDONLY); + error = PTR_ERR(file); + if (IS_ERR(file)) + goto out; + + error = -ENOEXEC; + if(file->f_op) { + struct linux_binfmt * fmt; + + read_lock(&binfmt_lock); + for (fmt = formats ; fmt ; fmt = fmt->next) { + if (!fmt->load_shlib) + continue; + if (!try_module_get(fmt->module)) + continue; + read_unlock(&binfmt_lock); + error = fmt->load_shlib(file); + read_lock(&binfmt_lock); + put_binfmt(fmt); + if (error != -ENOEXEC) + break; + } + read_unlock(&binfmt_lock); + } + fput(file); +out: + return error; +exit: + path_release(&nd); + goto out; +} + +/* + * count() counts the number of strings in array ARGV. + */ +static int count(char __user * __user * argv, int max) +{ + int i = 0; + + if (argv != NULL) { + for (;;) { + char __user * p; + + if (get_user(p, argv)) + return -EFAULT; + if (!p) + break; + argv++; + if(++i > max) + return -E2BIG; + cond_resched(); + } + } + return i; +} + +/* + * 'copy_strings()' copies argument/environment strings from user + * memory to free pages in kernel mem. These are in a format ready + * to be put directly into the top of new user memory. + */ +int copy_strings(int argc,char __user * __user * argv, struct linux_binprm *bprm) +{ + struct page *kmapped_page = NULL; + char *kaddr = NULL; + int ret; + + while (argc-- > 0) { + char __user *str; + int len; + unsigned long pos; + + if (get_user(str, argv+argc) || + !(len = strnlen_user(str, bprm->p))) { + ret = -EFAULT; + goto out; + } + + if (bprm->p < len) { + ret = -E2BIG; + goto out; + } + + bprm->p -= len; + /* XXX: add architecture specific overflow check here. */ + pos = bprm->p; + + while (len > 0) { + int i, new, err; + int offset, bytes_to_copy; + struct page *page; + + offset = pos % PAGE_SIZE; + i = pos/PAGE_SIZE; + page = bprm->page[i]; + new = 0; + if (!page) { + page = alloc_page(GFP_HIGHUSER); + bprm->page[i] = page; + if (!page) { + ret = -ENOMEM; + goto out; + } + new = 1; + } + + if (page != kmapped_page) { + if (kmapped_page) + kunmap(kmapped_page); + kmapped_page = page; + kaddr = kmap(kmapped_page); + } + if (new && offset) + memset(kaddr, 0, offset); + bytes_to_copy = PAGE_SIZE - offset; + if (bytes_to_copy > len) { + bytes_to_copy = len; + if (new) + memset(kaddr+offset+len, 0, + PAGE_SIZE-offset-len); + } + err = copy_from_user(kaddr+offset, str, bytes_to_copy); + if (err) { + ret = -EFAULT; + goto out; + } + + pos += bytes_to_copy; + str += bytes_to_copy; + len -= bytes_to_copy; + } + } + ret = 0; +out: + if (kmapped_page) + kunmap(kmapped_page); + return ret; +} + +/* + * Like copy_strings, but get argv and its values from kernel memory. + */ +int copy_strings_kernel(int argc,char ** argv, struct linux_binprm *bprm) +{ + int r; + mm_segment_t oldfs = get_fs(); + set_fs(KERNEL_DS); + r = copy_strings(argc, (char __user * __user *)argv, bprm); + set_fs(oldfs); + return r; +} + +EXPORT_SYMBOL(copy_strings_kernel); + +#ifdef CONFIG_MMU +/* + * This routine is used to map in a page into an address space: needed by + * execve() for the initial stack and environment pages. + * + * vma->vm_mm->mmap_sem is held for writing. + */ +void install_arg_page(struct vm_area_struct *vma, + struct page *page, unsigned long address) +{ + struct mm_struct *mm = vma->vm_mm; + pgd_t * pgd; + pud_t * pud; + pmd_t * pmd; + pte_t * pte; + + if (unlikely(anon_vma_prepare(vma))) + goto out_sig; + + flush_dcache_page(page); + pgd = pgd_offset(mm, address); + + spin_lock(&mm->page_table_lock); + pud = pud_alloc(mm, pgd, address); + if (!pud) + goto out; + pmd = pmd_alloc(mm, pud, address); + if (!pmd) + goto out; + pte = pte_alloc_map(mm, pmd, address); + if (!pte) + goto out; + if (!pte_none(*pte)) { + pte_unmap(pte); + goto out; + } + mm->rss++; + lru_cache_add_active(page); + set_pte(pte, pte_mkdirty(pte_mkwrite(mk_pte( + page, vma->vm_page_prot)))); + page_add_anon_rmap(page, vma, address); + pte_unmap(pte); + spin_unlock(&mm->page_table_lock); + + /* no need for flush_tlb */ + return; +out: + spin_unlock(&mm->page_table_lock); +out_sig: + __free_page(page); + force_sig(SIGKILL, current); +} + +#define EXTRA_STACK_VM_PAGES 20 /* random */ + +int setup_arg_pages(struct linux_binprm *bprm, + unsigned long stack_top, + int executable_stack) +{ + unsigned long stack_base; + struct vm_area_struct *mpnt; + struct mm_struct *mm = current->mm; + int i, ret; + long arg_size; + +#ifdef CONFIG_STACK_GROWSUP + /* Move the argument and environment strings to the bottom of the + * stack space. + */ + int offset, j; + char *to, *from; + + /* Start by shifting all the pages down */ + i = 0; + for (j = 0; j < MAX_ARG_PAGES; j++) { + struct page *page = bprm->page[j]; + if (!page) + continue; + bprm->page[i++] = page; + } + + /* Now move them within their pages */ + offset = bprm->p % PAGE_SIZE; + to = kmap(bprm->page[0]); + for (j = 1; j < i; j++) { + memmove(to, to + offset, PAGE_SIZE - offset); + from = kmap(bprm->page[j]); + memcpy(to + PAGE_SIZE - offset, from, offset); + kunmap(bprm->page[j - 1]); + to = from; + } + memmove(to, to + offset, PAGE_SIZE - offset); + kunmap(bprm->page[j - 1]); + + /* Limit stack size to 1GB */ + stack_base = current->signal->rlim[RLIMIT_STACK].rlim_max; + if (stack_base > (1 << 30)) + stack_base = 1 << 30; + stack_base = PAGE_ALIGN(stack_top - stack_base); + + /* Adjust bprm->p to point to the end of the strings. */ + bprm->p = stack_base + PAGE_SIZE * i - offset; + + mm->arg_start = stack_base; + arg_size = i << PAGE_SHIFT; + + /* zero pages that were copied above */ + while (i < MAX_ARG_PAGES) + bprm->page[i++] = NULL; +#else + stack_base = stack_top - MAX_ARG_PAGES * PAGE_SIZE; + bprm->p += stack_base; + mm->arg_start = bprm->p; + arg_size = stack_top - (PAGE_MASK & (unsigned long) mm->arg_start); +#endif + + arg_size += EXTRA_STACK_VM_PAGES * PAGE_SIZE; + + if (bprm->loader) + bprm->loader += stack_base; + bprm->exec += stack_base; + + mpnt = kmem_cache_alloc(vm_area_cachep, SLAB_KERNEL); + if (!mpnt) + return -ENOMEM; + + if (security_vm_enough_memory(arg_size >> PAGE_SHIFT)) { + kmem_cache_free(vm_area_cachep, mpnt); + return -ENOMEM; + } + + memset(mpnt, 0, sizeof(*mpnt)); + + down_write(&mm->mmap_sem); + { + mpnt->vm_mm = mm; +#ifdef CONFIG_STACK_GROWSUP + mpnt->vm_start = stack_base; + mpnt->vm_end = stack_base + arg_size; +#else + mpnt->vm_end = stack_top; + mpnt->vm_start = mpnt->vm_end - arg_size; +#endif + /* Adjust stack execute permissions; explicitly enable + * for EXSTACK_ENABLE_X, disable for EXSTACK_DISABLE_X + * and leave alone (arch default) otherwise. */ + if (unlikely(executable_stack == EXSTACK_ENABLE_X)) + mpnt->vm_flags = VM_STACK_FLAGS | VM_EXEC; + else if (executable_stack == EXSTACK_DISABLE_X) + mpnt->vm_flags = VM_STACK_FLAGS & ~VM_EXEC; + else + mpnt->vm_flags = VM_STACK_FLAGS; + mpnt->vm_flags |= mm->def_flags; + mpnt->vm_page_prot = protection_map[mpnt->vm_flags & 0x7]; + if ((ret = insert_vm_struct(mm, mpnt))) { + up_write(&mm->mmap_sem); + kmem_cache_free(vm_area_cachep, mpnt); + return ret; + } + mm->stack_vm = mm->total_vm = vma_pages(mpnt); + } + + for (i = 0 ; i < MAX_ARG_PAGES ; i++) { + struct page *page = bprm->page[i]; + if (page) { + bprm->page[i] = NULL; + install_arg_page(mpnt, page, stack_base); + } + stack_base += PAGE_SIZE; + } + up_write(&mm->mmap_sem); + + return 0; +} + +EXPORT_SYMBOL(setup_arg_pages); + +#define free_arg_pages(bprm) do { } while (0) + +#else + +static inline void free_arg_pages(struct linux_binprm *bprm) +{ + int i; + + for (i = 0; i < MAX_ARG_PAGES; i++) { + if (bprm->page[i]) + __free_page(bprm->page[i]); + bprm->page[i] = NULL; + } +} + +#endif /* CONFIG_MMU */ + +struct file *open_exec(const char *name) +{ + struct nameidata nd; + int err; + struct file *file; + + nd.intent.open.flags = FMODE_READ; + err = path_lookup(name, LOOKUP_FOLLOW|LOOKUP_OPEN, &nd); + file = ERR_PTR(err); + + if (!err) { + struct inode *inode = nd.dentry->d_inode; + file = ERR_PTR(-EACCES); + if (!(nd.mnt->mnt_flags & MNT_NOEXEC) && + S_ISREG(inode->i_mode)) { + int err = permission(inode, MAY_EXEC, &nd); + if (!err && !(inode->i_mode & 0111)) + err = -EACCES; + file = ERR_PTR(err); + if (!err) { + file = dentry_open(nd.dentry, nd.mnt, O_RDONLY); + if (!IS_ERR(file)) { + err = deny_write_access(file); + if (err) { + fput(file); + file = ERR_PTR(err); + } + } +out: + return file; + } + } + path_release(&nd); + } + goto out; +} + +EXPORT_SYMBOL(open_exec); + +int kernel_read(struct file *file, unsigned long offset, + char *addr, unsigned long count) +{ + mm_segment_t old_fs; + loff_t pos = offset; + int result; + + old_fs = get_fs(); + set_fs(get_ds()); + /* The cast to a user pointer is valid due to the set_fs() */ + result = vfs_read(file, (void __user *)addr, count, &pos); + set_fs(old_fs); + return result; +} + +EXPORT_SYMBOL(kernel_read); + +static int exec_mmap(struct mm_struct *mm) +{ + struct task_struct *tsk; + struct mm_struct * old_mm, *active_mm; + + /* Notify parent that we're no longer interested in the old VM */ + tsk = current; + old_mm = current->mm; + mm_release(tsk, old_mm); + + if (old_mm) { + /* + * Make sure that if there is a core dump in progress + * for the old mm, we get out and die instead of going + * through with the exec. We must hold mmap_sem around + * checking core_waiters and changing tsk->mm. The + * core-inducing thread will increment core_waiters for + * each thread whose ->mm == old_mm. + */ + down_read(&old_mm->mmap_sem); + if (unlikely(old_mm->core_waiters)) { + up_read(&old_mm->mmap_sem); + return -EINTR; + } + } + task_lock(tsk); + active_mm = tsk->active_mm; + tsk->mm = mm; + tsk->active_mm = mm; + activate_mm(active_mm, mm); + task_unlock(tsk); + arch_pick_mmap_layout(mm); + if (old_mm) { + up_read(&old_mm->mmap_sem); + if (active_mm != old_mm) BUG(); + mmput(old_mm); + return 0; + } + mmdrop(active_mm); + return 0; +} + +/* + * This function makes sure the current process has its own signal table, + * so that flush_signal_handlers can later reset the handlers without + * disturbing other processes. (Other processes might share the signal + * table via the CLONE_SIGHAND option to clone().) + */ +static inline int de_thread(struct task_struct *tsk) +{ + struct signal_struct *sig = tsk->signal; + struct sighand_struct *newsighand, *oldsighand = tsk->sighand; + spinlock_t *lock = &oldsighand->siglock; + int count; + + /* + * If we don't share sighandlers, then we aren't sharing anything + * and we can just re-use it all. + */ + if (atomic_read(&oldsighand->count) <= 1) { + BUG_ON(atomic_read(&sig->count) != 1); + exit_itimers(sig); + return 0; + } + + newsighand = kmem_cache_alloc(sighand_cachep, GFP_KERNEL); + if (!newsighand) + return -ENOMEM; + + if (thread_group_empty(current)) + goto no_thread_group; + + /* + * Kill all other threads in the thread group. + * We must hold tasklist_lock to call zap_other_threads. + */ + read_lock(&tasklist_lock); + spin_lock_irq(lock); + if (sig->flags & SIGNAL_GROUP_EXIT) { + /* + * Another group action in progress, just + * return so that the signal is processed. + */ + spin_unlock_irq(lock); + read_unlock(&tasklist_lock); + kmem_cache_free(sighand_cachep, newsighand); + return -EAGAIN; + } + zap_other_threads(current); + read_unlock(&tasklist_lock); + + /* + * Account for the thread group leader hanging around: + */ + count = 2; + if (thread_group_leader(current)) + count = 1; + while (atomic_read(&sig->count) > count) { + sig->group_exit_task = current; + sig->notify_count = count; + __set_current_state(TASK_UNINTERRUPTIBLE); + spin_unlock_irq(lock); + schedule(); + spin_lock_irq(lock); + } + sig->group_exit_task = NULL; + sig->notify_count = 0; + spin_unlock_irq(lock); + + /* + * At this point all other threads have exited, all we have to + * do is to wait for the thread group leader to become inactive, + * and to assume its PID: + */ + if (!thread_group_leader(current)) { + struct task_struct *leader = current->group_leader, *parent; + struct dentry *proc_dentry1, *proc_dentry2; + unsigned long exit_state, ptrace; + + /* + * Wait for the thread group leader to be a zombie. + * It should already be zombie at this point, most + * of the time. + */ + while (leader->exit_state != EXIT_ZOMBIE) + yield(); + + spin_lock(&leader->proc_lock); + spin_lock(¤t->proc_lock); + proc_dentry1 = proc_pid_unhash(current); + proc_dentry2 = proc_pid_unhash(leader); + write_lock_irq(&tasklist_lock); + + if (leader->tgid != current->tgid) + BUG(); + if (current->pid == current->tgid) + BUG(); + /* + * An exec() starts a new thread group with the + * TGID of the previous thread group. Rehash the + * two threads with a switched PID, and release + * the former thread group leader: + */ + ptrace = leader->ptrace; + parent = leader->parent; + if (unlikely(ptrace) && unlikely(parent == current)) { + /* + * Joker was ptracing his own group leader, + * and now he wants to be his own parent! + * We can't have that. + */ + ptrace = 0; + } + + ptrace_unlink(current); + ptrace_unlink(leader); + remove_parent(current); + remove_parent(leader); + + switch_exec_pids(leader, current); + + current->parent = current->real_parent = leader->real_parent; + leader->parent = leader->real_parent = child_reaper; + current->group_leader = current; + leader->group_leader = leader; + + add_parent(current, current->parent); + add_parent(leader, leader->parent); + if (ptrace) { + current->ptrace = ptrace; + __ptrace_link(current, parent); + } + + list_del(¤t->tasks); + list_add_tail(¤t->tasks, &init_task.tasks); + current->exit_signal = SIGCHLD; + exit_state = leader->exit_state; + + write_unlock_irq(&tasklist_lock); + spin_unlock(&leader->proc_lock); + spin_unlock(¤t->proc_lock); + proc_pid_flush(proc_dentry1); + proc_pid_flush(proc_dentry2); + + if (exit_state != EXIT_ZOMBIE) + BUG(); + release_task(leader); + } + + /* + * Now there are really no other threads at all, + * so it's safe to stop telling them to kill themselves. + */ + sig->flags = 0; + +no_thread_group: + BUG_ON(atomic_read(&sig->count) != 1); + exit_itimers(sig); + + if (atomic_read(&oldsighand->count) == 1) { + /* + * Now that we nuked the rest of the thread group, + * it turns out we are not sharing sighand any more either. + * So we can just keep it. + */ + kmem_cache_free(sighand_cachep, newsighand); + } else { + /* + * Move our state over to newsighand and switch it in. + */ + spin_lock_init(&newsighand->siglock); + atomic_set(&newsighand->count, 1); + memcpy(newsighand->action, oldsighand->action, + sizeof(newsighand->action)); + + write_lock_irq(&tasklist_lock); + spin_lock(&oldsighand->siglock); + spin_lock(&newsighand->siglock); + + current->sighand = newsighand; + recalc_sigpending(); + + spin_unlock(&newsighand->siglock); + spin_unlock(&oldsighand->siglock); + write_unlock_irq(&tasklist_lock); + + if (atomic_dec_and_test(&oldsighand->count)) + kmem_cache_free(sighand_cachep, oldsighand); + } + + if (!thread_group_empty(current)) + BUG(); + if (!thread_group_leader(current)) + BUG(); + return 0; +} + +/* + * These functions flushes out all traces of the currently running executable + * so that a new one can be started + */ + +static inline void flush_old_files(struct files_struct * files) +{ + long j = -1; + + spin_lock(&files->file_lock); + for (;;) { + unsigned long set, i; + + j++; + i = j * __NFDBITS; + if (i >= files->max_fds || i >= files->max_fdset) + break; + set = files->close_on_exec->fds_bits[j]; + if (!set) + continue; + files->close_on_exec->fds_bits[j] = 0; + spin_unlock(&files->file_lock); + for ( ; set ; i++,set >>= 1) { + if (set & 1) { + sys_close(i); + } + } + spin_lock(&files->file_lock); + + } + spin_unlock(&files->file_lock); +} + +void get_task_comm(char *buf, struct task_struct *tsk) +{ + /* buf must be at least sizeof(tsk->comm) in size */ + task_lock(tsk); + strncpy(buf, tsk->comm, sizeof(tsk->comm)); + task_unlock(tsk); +} + +void set_task_comm(struct task_struct *tsk, char *buf) +{ + task_lock(tsk); + strlcpy(tsk->comm, buf, sizeof(tsk->comm)); + task_unlock(tsk); +} + +int flush_old_exec(struct linux_binprm * bprm) +{ + char * name; + int i, ch, retval; + struct files_struct *files; + char tcomm[sizeof(current->comm)]; + + /* + * Make sure we have a private signal table and that + * we are unassociated from the previous thread group. + */ + retval = de_thread(current); + if (retval) + goto out; + + /* + * Make sure we have private file handles. Ask the + * fork helper to do the work for us and the exit + * helper to do the cleanup of the old one. + */ + files = current->files; /* refcounted so safe to hold */ + retval = unshare_files(); + if (retval) + goto out; + /* + * Release all of the old mmap stuff + */ + retval = exec_mmap(bprm->mm); + if (retval) + goto mmap_failed; + + bprm->mm = NULL; /* We're using it now */ + + /* This is the point of no return */ + steal_locks(files); + put_files_struct(files); + + current->sas_ss_sp = current->sas_ss_size = 0; + + if (current->euid == current->uid && current->egid == current->gid) + current->mm->dumpable = 1; + name = bprm->filename; + for (i=0; (ch = *(name++)) != '\0';) { + if (ch == '/') + i = 0; + else + if (i < (sizeof(tcomm) - 1)) + tcomm[i++] = ch; + } + tcomm[i] = '\0'; + set_task_comm(current, tcomm); + + flush_thread(); + + if (bprm->e_uid != current->euid || bprm->e_gid != current->egid || + permission(bprm->file->f_dentry->d_inode,MAY_READ, NULL) || + (bprm->interp_flags & BINPRM_FLAGS_ENFORCE_NONDUMP)) { + suid_keys(current); + current->mm->dumpable = 0; + } + + /* An exec changes our domain. We are no longer part of the thread + group */ + + current->self_exec_id++; + + flush_signal_handlers(current, 0); + flush_old_files(current->files); + + return 0; + +mmap_failed: + put_files_struct(current->files); + current->files = files; +out: + return retval; +} + +EXPORT_SYMBOL(flush_old_exec); + +/* + * Fill the binprm structure from the inode. + * Check permissions, then read the first 128 (BINPRM_BUF_SIZE) bytes + */ +int prepare_binprm(struct linux_binprm *bprm) +{ + int mode; + struct inode * inode = bprm->file->f_dentry->d_inode; + int retval; + + mode = inode->i_mode; + /* + * Check execute perms again - if the caller has CAP_DAC_OVERRIDE, + * generic_permission lets a non-executable through + */ + if (!(mode & 0111)) /* with at least _one_ execute bit set */ + return -EACCES; + if (bprm->file->f_op == NULL) + return -EACCES; + + bprm->e_uid = current->euid; + bprm->e_gid = current->egid; + + if(!(bprm->file->f_vfsmnt->mnt_flags & MNT_NOSUID)) { + /* Set-uid? */ + if (mode & S_ISUID) { + current->personality &= ~PER_CLEAR_ON_SETID; + bprm->e_uid = inode->i_uid; + } + + /* Set-gid? */ + /* + * If setgid is set but no group execute bit then this + * is a candidate for mandatory locking, not a setgid + * executable. + */ + if ((mode & (S_ISGID | S_IXGRP)) == (S_ISGID | S_IXGRP)) { + current->personality &= ~PER_CLEAR_ON_SETID; + bprm->e_gid = inode->i_gid; + } + } + + /* fill in binprm security blob */ + retval = security_bprm_set(bprm); + if (retval) + return retval; + + memset(bprm->buf,0,BINPRM_BUF_SIZE); + return kernel_read(bprm->file,0,bprm->buf,BINPRM_BUF_SIZE); +} + +EXPORT_SYMBOL(prepare_binprm); + +static inline int unsafe_exec(struct task_struct *p) +{ + int unsafe = 0; + if (p->ptrace & PT_PTRACED) { + if (p->ptrace & PT_PTRACE_CAP) + unsafe |= LSM_UNSAFE_PTRACE_CAP; + else + unsafe |= LSM_UNSAFE_PTRACE; + } + if (atomic_read(&p->fs->count) > 1 || + atomic_read(&p->files->count) > 1 || + atomic_read(&p->sighand->count) > 1) + unsafe |= LSM_UNSAFE_SHARE; + + return unsafe; +} + +void compute_creds(struct linux_binprm *bprm) +{ + int unsafe; + + if (bprm->e_uid != current->uid) + suid_keys(current); + exec_keys(current); + + task_lock(current); + unsafe = unsafe_exec(current); + security_bprm_apply_creds(bprm, unsafe); + task_unlock(current); + security_bprm_post_apply_creds(bprm); +} + +EXPORT_SYMBOL(compute_creds); + +void remove_arg_zero(struct linux_binprm *bprm) +{ + if (bprm->argc) { + unsigned long offset; + char * kaddr; + struct page *page; + + offset = bprm->p % PAGE_SIZE; + goto inside; + + while (bprm->p++, *(kaddr+offset++)) { + if (offset != PAGE_SIZE) + continue; + offset = 0; + kunmap_atomic(kaddr, KM_USER0); +inside: + page = bprm->page[bprm->p/PAGE_SIZE]; + kaddr = kmap_atomic(page, KM_USER0); + } + kunmap_atomic(kaddr, KM_USER0); + bprm->argc--; + } +} + +EXPORT_SYMBOL(remove_arg_zero); + +/* + * cycle the list of binary formats handler, until one recognizes the image + */ +int search_binary_handler(struct linux_binprm *bprm,struct pt_regs *regs) +{ + int try,retval; + struct linux_binfmt *fmt; +#ifdef __alpha__ + /* handle /sbin/loader.. */ + { + struct exec * eh = (struct exec *) bprm->buf; + + if (!bprm->loader && eh->fh.f_magic == 0x183 && + (eh->fh.f_flags & 0x3000) == 0x3000) + { + struct file * file; + unsigned long loader; + + allow_write_access(bprm->file); + fput(bprm->file); + bprm->file = NULL; + + loader = PAGE_SIZE*MAX_ARG_PAGES-sizeof(void *); + + file = open_exec("/sbin/loader"); + retval = PTR_ERR(file); + if (IS_ERR(file)) + return retval; + + /* Remember if the application is TASO. */ + bprm->sh_bang = eh->ah.entry < 0x100000000UL; + + bprm->file = file; + bprm->loader = loader; + retval = prepare_binprm(bprm); + if (retval<0) + return retval; + /* should call search_binary_handler recursively here, + but it does not matter */ + } + } +#endif + retval = security_bprm_check(bprm); + if (retval) + return retval; + + /* kernel module loader fixup */ + /* so we don't try to load run modprobe in kernel space. */ + set_fs(USER_DS); + retval = -ENOENT; + for (try=0; try<2; try++) { + read_lock(&binfmt_lock); + for (fmt = formats ; fmt ; fmt = fmt->next) { + int (*fn)(struct linux_binprm *, struct pt_regs *) = fmt->load_binary; + if (!fn) + continue; + if (!try_module_get(fmt->module)) + continue; + read_unlock(&binfmt_lock); + retval = fn(bprm, regs); + if (retval >= 0) { + put_binfmt(fmt); + allow_write_access(bprm->file); + if (bprm->file) + fput(bprm->file); + bprm->file = NULL; + current->did_exec = 1; + return retval; + } + read_lock(&binfmt_lock); + put_binfmt(fmt); + if (retval != -ENOEXEC || bprm->mm == NULL) + break; + if (!bprm->file) { + read_unlock(&binfmt_lock); + return retval; + } + } + read_unlock(&binfmt_lock); + if (retval != -ENOEXEC || bprm->mm == NULL) { + break; +#ifdef CONFIG_KMOD + }else{ +#define printable(c) (((c)=='\t') || ((c)=='\n') || (0x20<=(c) && (c)<=0x7e)) + if (printable(bprm->buf[0]) && + printable(bprm->buf[1]) && + printable(bprm->buf[2]) && + printable(bprm->buf[3])) + break; /* -ENOEXEC */ + request_module("binfmt-%04x", *(unsigned short *)(&bprm->buf[2])); +#endif + } + } + return retval; +} + +EXPORT_SYMBOL(search_binary_handler); + +/* + * sys_execve() executes a new program. + */ +int do_execve(char * filename, + char __user *__user *argv, + char __user *__user *envp, + struct pt_regs * regs) +{ + struct linux_binprm *bprm; + struct file *file; + int retval; + int i; + + retval = -ENOMEM; + bprm = kmalloc(sizeof(*bprm), GFP_KERNEL); + if (!bprm) + goto out_ret; + memset(bprm, 0, sizeof(*bprm)); + + file = open_exec(filename); + retval = PTR_ERR(file); + if (IS_ERR(file)) + goto out_kfree; + + sched_exec(); + + bprm->p = PAGE_SIZE*MAX_ARG_PAGES-sizeof(void *); + + bprm->file = file; + bprm->filename = filename; + bprm->interp = filename; + bprm->mm = mm_alloc(); + retval = -ENOMEM; + if (!bprm->mm) + goto out_file; + + retval = init_new_context(current, bprm->mm); + if (retval < 0) + goto out_mm; + + bprm->argc = count(argv, bprm->p / sizeof(void *)); + if ((retval = bprm->argc) < 0) + goto out_mm; + + bprm->envc = count(envp, bprm->p / sizeof(void *)); + if ((retval = bprm->envc) < 0) + goto out_mm; + + retval = security_bprm_alloc(bprm); + if (retval) + goto out; + + retval = prepare_binprm(bprm); + if (retval < 0) + goto out; + + retval = copy_strings_kernel(1, &bprm->filename, bprm); + if (retval < 0) + goto out; + + bprm->exec = bprm->p; + retval = copy_strings(bprm->envc, envp, bprm); + if (retval < 0) + goto out; + + retval = copy_strings(bprm->argc, argv, bprm); + if (retval < 0) + goto out; + + retval = search_binary_handler(bprm,regs); + if (retval >= 0) { + free_arg_pages(bprm); + + /* execve success */ + security_bprm_free(bprm); + acct_update_integrals(); + update_mem_hiwater(); + kfree(bprm); + return retval; + } + +out: + /* Something went wrong, return the inode and free the argument pages*/ + for (i = 0 ; i < MAX_ARG_PAGES ; i++) { + struct page * page = bprm->page[i]; + if (page) + __free_page(page); + } + + if (bprm->security) + security_bprm_free(bprm); + +out_mm: + if (bprm->mm) + mmdrop(bprm->mm); + +out_file: + if (bprm->file) { + allow_write_access(bprm->file); + fput(bprm->file); + } + +out_kfree: + kfree(bprm); + +out_ret: + return retval; +} + +int set_binfmt(struct linux_binfmt *new) +{ + struct linux_binfmt *old = current->binfmt; + + if (new) { + if (!try_module_get(new->module)) + return -1; + } + current->binfmt = new; + if (old) + module_put(old->module); + return 0; +} + +EXPORT_SYMBOL(set_binfmt); + +#define CORENAME_MAX_SIZE 64 + +/* format_corename will inspect the pattern parameter, and output a + * name into corename, which must have space for at least + * CORENAME_MAX_SIZE bytes plus one byte for the zero terminator. + */ +static void format_corename(char *corename, const char *pattern, long signr) +{ + const char *pat_ptr = pattern; + char *out_ptr = corename; + char *const out_end = corename + CORENAME_MAX_SIZE; + int rc; + int pid_in_pattern = 0; + + /* Repeat as long as we have more pattern to process and more output + space */ + while (*pat_ptr) { + if (*pat_ptr != '%') { + if (out_ptr == out_end) + goto out; + *out_ptr++ = *pat_ptr++; + } else { + switch (*++pat_ptr) { + case 0: + goto out; + /* Double percent, output one percent */ + case '%': + if (out_ptr == out_end) + goto out; + *out_ptr++ = '%'; + break; + /* pid */ + case 'p': + pid_in_pattern = 1; + rc = snprintf(out_ptr, out_end - out_ptr, + "%d", current->tgid); + if (rc > out_end - out_ptr) + goto out; + out_ptr += rc; + break; + /* uid */ + case 'u': + rc = snprintf(out_ptr, out_end - out_ptr, + "%d", current->uid); + if (rc > out_end - out_ptr) + goto out; + out_ptr += rc; + break; + /* gid */ + case 'g': + rc = snprintf(out_ptr, out_end - out_ptr, + "%d", current->gid); + if (rc > out_end - out_ptr) + goto out; + out_ptr += rc; + break; + /* signal that caused the coredump */ + case 's': + rc = snprintf(out_ptr, out_end - out_ptr, + "%ld", signr); + if (rc > out_end - out_ptr) + goto out; + out_ptr += rc; + break; + /* UNIX time of coredump */ + case 't': { + struct timeval tv; + do_gettimeofday(&tv); + rc = snprintf(out_ptr, out_end - out_ptr, + "%lu", tv.tv_sec); + if (rc > out_end - out_ptr) + goto out; + out_ptr += rc; + break; + } + /* hostname */ + case 'h': + down_read(&uts_sem); + rc = snprintf(out_ptr, out_end - out_ptr, + "%s", system_utsname.nodename); + up_read(&uts_sem); + if (rc > out_end - out_ptr) + goto out; + out_ptr += rc; + break; + /* executable */ + case 'e': + rc = snprintf(out_ptr, out_end - out_ptr, + "%s", current->comm); + if (rc > out_end - out_ptr) + goto out; + out_ptr += rc; + break; + default: + break; + } + ++pat_ptr; + } + } + /* Backward compatibility with core_uses_pid: + * + * If core_pattern does not include a %p (as is the default) + * and core_uses_pid is set, then .%pid will be appended to + * the filename */ + if (!pid_in_pattern + && (core_uses_pid || atomic_read(¤t->mm->mm_users) != 1)) { + rc = snprintf(out_ptr, out_end - out_ptr, + ".%d", current->tgid); + if (rc > out_end - out_ptr) + goto out; + out_ptr += rc; + } + out: + *out_ptr = 0; +} + +static void zap_threads (struct mm_struct *mm) +{ + struct task_struct *g, *p; + struct task_struct *tsk = current; + struct completion *vfork_done = tsk->vfork_done; + int traced = 0; + + /* + * Make sure nobody is waiting for us to release the VM, + * otherwise we can deadlock when we wait on each other + */ + if (vfork_done) { + tsk->vfork_done = NULL; + complete(vfork_done); + } + + read_lock(&tasklist_lock); + do_each_thread(g,p) + if (mm == p->mm && p != tsk) { + force_sig_specific(SIGKILL, p); + mm->core_waiters++; + if (unlikely(p->ptrace) && + unlikely(p->parent->mm == mm)) + traced = 1; + } + while_each_thread(g,p); + + read_unlock(&tasklist_lock); + + if (unlikely(traced)) { + /* + * We are zapping a thread and the thread it ptraces. + * If the tracee went into a ptrace stop for exit tracing, + * we could deadlock since the tracer is waiting for this + * coredump to finish. Detach them so they can both die. + */ + write_lock_irq(&tasklist_lock); + do_each_thread(g,p) { + if (mm == p->mm && p != tsk && + p->ptrace && p->parent->mm == mm) { + __ptrace_unlink(p); + } + } while_each_thread(g,p); + write_unlock_irq(&tasklist_lock); + } +} + +static void coredump_wait(struct mm_struct *mm) +{ + DECLARE_COMPLETION(startup_done); + + mm->core_waiters++; /* let other threads block */ + mm->core_startup_done = &startup_done; + + /* give other threads a chance to run: */ + yield(); + + zap_threads(mm); + if (--mm->core_waiters) { + up_write(&mm->mmap_sem); + wait_for_completion(&startup_done); + } else + up_write(&mm->mmap_sem); + BUG_ON(mm->core_waiters); +} + +int do_coredump(long signr, int exit_code, struct pt_regs * regs) +{ + char corename[CORENAME_MAX_SIZE + 1]; + struct mm_struct *mm = current->mm; + struct linux_binfmt * binfmt; + struct inode * inode; + struct file * file; + int retval = 0; + + binfmt = current->binfmt; + if (!binfmt || !binfmt->core_dump) + goto fail; + down_write(&mm->mmap_sem); + if (!mm->dumpable) { + up_write(&mm->mmap_sem); + goto fail; + } + mm->dumpable = 0; + init_completion(&mm->core_done); + spin_lock_irq(¤t->sighand->siglock); + current->signal->flags = SIGNAL_GROUP_EXIT; + current->signal->group_exit_code = exit_code; + spin_unlock_irq(¤t->sighand->siglock); + coredump_wait(mm); + + /* + * Clear any false indication of pending signals that might + * be seen by the filesystem code called to write the core file. + */ + current->signal->group_stop_count = 0; + clear_thread_flag(TIF_SIGPENDING); + + if (current->signal->rlim[RLIMIT_CORE].rlim_cur < binfmt->min_coredump) + goto fail_unlock; + + /* + * lock_kernel() because format_corename() is controlled by sysctl, which + * uses lock_kernel() + */ + lock_kernel(); + format_corename(corename, core_pattern, signr); + unlock_kernel(); + file = filp_open(corename, O_CREAT | 2 | O_NOFOLLOW | O_LARGEFILE, 0600); + if (IS_ERR(file)) + goto fail_unlock; + inode = file->f_dentry->d_inode; + if (inode->i_nlink > 1) + goto close_fail; /* multiple links - don't dump */ + if (d_unhashed(file->f_dentry)) + goto close_fail; + + if (!S_ISREG(inode->i_mode)) + goto close_fail; + if (!file->f_op) + goto close_fail; + if (!file->f_op->write) + goto close_fail; + if (do_truncate(file->f_dentry, 0) != 0) + goto close_fail; + + retval = binfmt->core_dump(signr, regs, file); + + if (retval) + current->signal->group_exit_code |= 0x80; +close_fail: + filp_close(file, NULL); +fail_unlock: + complete_all(&mm->core_done); +fail: + return retval; +} diff -Nrub linux-2.6.11.7-orig/fs/namei.c linux-2.6.11.7-snare/fs/namei.c --- linux-2.6.11.7-orig/fs/namei.c 2005-04-07 14:57:30.000000000 -0400 +++ linux-2.6.11.7-snare/fs/namei.c 2005-04-22 11:19:47.191666224 -0400 @@ -24,6 +24,7 @@ #include #include #include +#include #include #include #include @@ -1570,11 +1571,15 @@ struct dentry * dentry; struct nameidata nd; - if (S_ISDIR(mode)) + if (S_ISDIR(mode)) { + saudit_mknod((char *)NULL,filename,mode,dev,-EPERM); return -EPERM; + } tmp = getname(filename); - if (IS_ERR(tmp)) + if (IS_ERR(tmp)) { + saudit_mknod((char *)NULL,(char *)NULL,mode,dev,PTR_ERR(tmp)); return PTR_ERR(tmp); + } error = path_lookup(tmp, LOOKUP_PARENT, &nd); if (error) @@ -1607,6 +1612,7 @@ up(&nd.dentry->d_inode->i_sem); path_release(&nd); out: + saudit_mknod(tmp,(char *)NULL,mode,dev,error); putname(tmp); return error; @@ -1643,7 +1649,9 @@ tmp = getname(pathname); error = PTR_ERR(tmp); - if (!IS_ERR(tmp)) { + if (IS_ERR(tmp)) { + saudit_mkdir((char *)NULL,(char *)NULL,mode & ~current->fs->umask,error); + } else { struct dentry *dentry; struct nameidata nd; @@ -1661,6 +1669,7 @@ up(&nd.dentry->d_inode->i_sem); path_release(&nd); out: + saudit_mkdir(tmp,(char *)NULL,mode & ~current->fs->umask,error); putname(tmp); } @@ -1741,8 +1750,10 @@ struct nameidata nd; name = getname(pathname); - if(IS_ERR(name)) + if(IS_ERR(name)) { + saudit_rmdir((char *)NULL,(char *)NULL,PTR_ERR(name)); return PTR_ERR(name); + } error = path_lookup(name, LOOKUP_PARENT, &nd); if (error) @@ -1770,6 +1781,7 @@ exit1: path_release(&nd); exit: + saudit_rmdir(name,(char *)NULL,error); putname(name); return error; } @@ -1819,8 +1831,10 @@ struct inode *inode = NULL; name = getname(pathname); - if(IS_ERR(name)) + if(IS_ERR(name)) { + saudit_unlink((char *)NULL,pathname,PTR_ERR(name)); return PTR_ERR(name); + } error = path_lookup(name, LOOKUP_PARENT, &nd); if (error) @@ -1848,6 +1862,7 @@ exit1: path_release(&nd); exit: + saudit_unlink(name,(char *)NULL,error); putname(name); return error; @@ -1887,11 +1902,15 @@ char * to; from = getname(oldname); - if(IS_ERR(from)) + if(IS_ERR(from)) { + saudit_symlink((char *)NULL,(char *)NULL,(char *)NULL,newname,PTR_ERR(from)); return PTR_ERR(from); + } to = getname(newname); error = PTR_ERR(to); - if (!IS_ERR(to)) { + if(IS_ERR(to)) { + saudit_symlink(from,(char *)NULL,(char *)NULL,(char *)NULL,PTR_ERR(to)); + } else { struct dentry *dentry; struct nameidata nd; @@ -1907,6 +1926,7 @@ up(&nd.dentry->d_inode->i_sem); path_release(&nd); out: + saudit_symlink(from,(char *)NULL,to,(char *)NULL,error); putname(to); } putname(from); @@ -1970,8 +1990,10 @@ char * to; to = getname(newname); - if (IS_ERR(to)) + if (IS_ERR(to)) { + saudit_link((char *)NULL,oldname,(char *)NULL,(char *)NULL,PTR_ERR(to)); return PTR_ERR(to); + } error = __user_walk(oldname, 0, &old_nd); if (error) @@ -1994,6 +2016,7 @@ out: path_release(&old_nd); exit: + saudit_link((char *)NULL,oldname,to,(char *)NULL,error); putname(to); return error; @@ -2230,13 +2253,18 @@ char * to; from = getname(oldname); - if(IS_ERR(from)) + if(IS_ERR(from)) { + saudit_rename((char *)NULL,(char *)NULL,(char *)NULL,newname,PTR_ERR(from)); return PTR_ERR(from); + } to = getname(newname); error = PTR_ERR(to); if (!IS_ERR(to)) { error = do_rename(from,to); + saudit_rename(from,(char *)NULL,to,(char *)NULL,error); putname(to); + } else { + saudit_rename(from,(char *)NULL,(char *)NULL,(char *)NULL,error); } putname(from); return error; diff -Nrub linux-2.6.11.7-orig/fs/namei.c.orig linux-2.6.11.7-snare/fs/namei.c.orig --- linux-2.6.11.7-orig/fs/namei.c.orig 1969-12-31 19:00:00.000000000 -0500 +++ linux-2.6.11.7-snare/fs/namei.c.orig 2005-04-07 14:57:30.000000000 -0400 @@ -0,0 +1,2418 @@ +/* + * linux/fs/namei.c + * + * Copyright (C) 1991, 1992 Linus Torvalds + */ + +/* + * Some corrections by tytso. + */ + +/* [Feb 1997 T. Schoebel-Theuer] Complete rewrite of the pathname + * lookup logic. + */ +/* [Feb-Apr 2000, AV] Rewrite to the new namespace architecture. + */ + +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include + +#define ACC_MODE(x) ("\000\004\002\006"[(x)&O_ACCMODE]) + +/* [Feb-1997 T. Schoebel-Theuer] + * Fundamental changes in the pathname lookup mechanisms (namei) + * were necessary because of omirr. The reason is that omirr needs + * to know the _real_ pathname, not the user-supplied one, in case + * of symlinks (and also when transname replacements occur). + * + * The new code replaces the old recursive symlink resolution with + * an iterative one (in case of non-nested symlink chains). It does + * this with calls to _follow_link(). + * As a side effect, dir_namei(), _namei() and follow_link() are now + * replaced with a single function lookup_dentry() that can handle all + * the special cases of the former code. + * + * With the new dcache, the pathname is stored at each inode, at least as + * long as the refcount of the inode is positive. As a side effect, the + * size of the dcache depends on the inode cache and thus is dynamic. + * + * [29-Apr-1998 C. Scott Ananian] Updated above description of symlink + * resolution to correspond with current state of the code. + * + * Note that the symlink resolution is not *completely* iterative. + * There is still a significant amount of tail- and mid- recursion in + * the algorithm. Also, note that _readlink() is not used in + * lookup_dentry(): lookup_dentry() on the result of _readlink() + * may return different results than _follow_link(). Many virtual + * filesystems (including /proc) exhibit this behavior. + */ + +/* [24-Feb-97 T. Schoebel-Theuer] Side effects caused by new implementation: + * New symlink semantics: when open() is called with flags O_CREAT | O_EXCL + * and the name already exists in form of a symlink, try to create the new + * name indicated by the symlink. The old code always complained that the + * name already exists, due to not following the symlink even if its target + * is nonexistent. The new semantics affects also mknod() and link() when + * the name is a symlink pointing to a non-existant name. + * + * I don't know which semantics is the right one, since I have no access + * to standards. But I found by trial that HP-UX 9.0 has the full "new" + * semantics implemented, while SunOS 4.1.1 and Solaris (SunOS 5.4) have the + * "old" one. Personally, I think the new semantics is much more logical. + * Note that "ln old new" where "new" is a symlink pointing to a non-existing + * file does succeed in both HP-UX and SunOs, but not in Solaris + * and in the old Linux semantics. + */ + +/* [16-Dec-97 Kevin Buhr] For security reasons, we change some symlink + * semantics. See the comments in "open_namei" and "do_link" below. + * + * [10-Sep-98 Alan Modra] Another symlink change. + */ + +/* [Feb-Apr 2000 AV] Complete rewrite. Rules for symlinks: + * inside the path - always follow. + * in the last component in creation/removal/renaming - never follow. + * if LOOKUP_FOLLOW passed - follow. + * if the pathname has trailing slashes - follow. + * otherwise - don't follow. + * (applied in that order). + * + * [Jun 2000 AV] Inconsistent behaviour of open() in case if flags==O_CREAT + * restored for 2.4. This is the last surviving part of old 4.2BSD bug. + * During the 2.4 we need to fix the userland stuff depending on it - + * hopefully we will be able to get rid of that wart in 2.5. So far only + * XEmacs seems to be relying on it... + */ +/* + * [Sep 2001 AV] Single-semaphore locking scheme (kudos to David Holland) + * implemented. Let's see if raised priority of ->s_vfs_rename_sem gives + * any extra contention... + */ + +/* In order to reduce some races, while at the same time doing additional + * checking and hopefully speeding things up, we copy filenames to the + * kernel data space before using them.. + * + * POSIX.1 2.4: an empty pathname is invalid (ENOENT). + * PATH_MAX includes the nul terminator --RR. + */ +static inline int do_getname(const char __user *filename, char *page) +{ + int retval; + unsigned long len = PATH_MAX; + + if (!segment_eq(get_fs(), KERNEL_DS)) { + if ((unsigned long) filename >= TASK_SIZE) + return -EFAULT; + if (TASK_SIZE - (unsigned long) filename < PATH_MAX) + len = TASK_SIZE - (unsigned long) filename; + } + + retval = strncpy_from_user(page, filename, len); + if (retval > 0) { + if (retval < len) + return 0; + return -ENAMETOOLONG; + } else if (!retval) + retval = -ENOENT; + return retval; +} + +char * getname(const char __user * filename) +{ + char *tmp, *result; + + result = ERR_PTR(-ENOMEM); + tmp = __getname(); + if (tmp) { + int retval = do_getname(filename, tmp); + + result = tmp; + if (retval < 0) { + __putname(tmp); + result = ERR_PTR(retval); + } + } + if (unlikely(current->audit_context) && !IS_ERR(result) && result) + audit_getname(result); + return result; +} + +/** + * generic_permission - check for access rights on a Posix-like filesystem + * @inode: inode to check access rights for + * @mask: right to check for (%MAY_READ, %MAY_WRITE, %MAY_EXEC) + * @check_acl: optional callback to check for Posix ACLs + * + * Used to check for read/write/execute permissions on a file. + * We use "fsuid" for this, letting us set arbitrary permissions + * for filesystem access without changing the "normal" uids which + * are used for other things.. + */ +int generic_permission(struct inode *inode, int mask, + int (*check_acl)(struct inode *inode, int mask)) +{ + umode_t mode = inode->i_mode; + + if (current->fsuid == inode->i_uid) + mode >>= 6; + else { + if (IS_POSIXACL(inode) && (mode & S_IRWXG) && check_acl) { + int error = check_acl(inode, mask); + if (error == -EACCES) + goto check_capabilities; + else if (error != -EAGAIN) + return error; + } + + if (in_group_p(inode->i_gid)) + mode >>= 3; + } + + /* + * If the DACs are ok we don't need any capability check. + */ + if (((mode & mask & (MAY_READ|MAY_WRITE|MAY_EXEC)) == mask)) + return 0; + + check_capabilities: + /* + * Read/write DACs are always overridable. + * Executable DACs are overridable if at least one exec bit is set. + */ + if (!(mask & MAY_EXEC) || + (inode->i_mode & S_IXUGO) || S_ISDIR(inode->i_mode)) + if (capable(CAP_DAC_OVERRIDE)) + return 0; + + /* + * Searching includes executable on directories, else just read. + */ + if (mask == MAY_READ || (S_ISDIR(inode->i_mode) && !(mask & MAY_WRITE))) + if (capable(CAP_DAC_READ_SEARCH)) + return 0; + + return -EACCES; +} + +int permission(struct inode *inode, int mask, struct nameidata *nd) +{ + int retval, submask; + + if (mask & MAY_WRITE) { + umode_t mode = inode->i_mode; + + /* + * Nobody gets write access to a read-only fs. + */ + if (IS_RDONLY(inode) && + (S_ISREG(mode) || S_ISDIR(mode) || S_ISLNK(mode))) + return -EROFS; + + /* + * Nobody gets write access to an immutable file. + */ + if (IS_IMMUTABLE(inode)) + return -EACCES; + } + + + /* Ordinary permission routines do not understand MAY_APPEND. */ + submask = mask & ~MAY_APPEND; + if (inode->i_op && inode->i_op->permission) + retval = inode->i_op->permission(inode, submask, nd); + else + retval = generic_permission(inode, submask, NULL); + if (retval) + return retval; + + return security_inode_permission(inode, mask, nd); +} + +/* + * get_write_access() gets write permission for a file. + * put_write_access() releases this write permission. + * This is used for regular files. + * We cannot support write (and maybe mmap read-write shared) accesses and + * MAP_DENYWRITE mmappings simultaneously. The i_writecount field of an inode + * can have the following values: + * 0: no writers, no VM_DENYWRITE mappings + * < 0: (-i_writecount) vm_area_structs with VM_DENYWRITE set exist + * > 0: (i_writecount) users are writing to the file. + * + * Normally we operate on that counter with atomic_{inc,dec} and it's safe + * except for the cases where we don't hold i_writecount yet. Then we need to + * use {get,deny}_write_access() - these functions check the sign and refuse + * to do the change if sign is wrong. Exclusion between them is provided by + * the inode->i_lock spinlock. + */ + +int get_write_access(struct inode * inode) +{ + spin_lock(&inode->i_lock); + if (atomic_read(&inode->i_writecount) < 0) { + spin_unlock(&inode->i_lock); + return -ETXTBSY; + } + atomic_inc(&inode->i_writecount); + spin_unlock(&inode->i_lock); + + return 0; +} + +int deny_write_access(struct file * file) +{ + struct inode *inode = file->f_dentry->d_inode; + + spin_lock(&inode->i_lock); + if (atomic_read(&inode->i_writecount) > 0) { + spin_unlock(&inode->i_lock); + return -ETXTBSY; + } + atomic_dec(&inode->i_writecount); + spin_unlock(&inode->i_lock); + + return 0; +} + +void path_release(struct nameidata *nd) +{ + dput(nd->dentry); + mntput(nd->mnt); +} + +/* + * umount() mustn't call path_release()/mntput() as that would clear + * mnt_expiry_mark + */ +void path_release_on_umount(struct nameidata *nd) +{ + dput(nd->dentry); + _mntput(nd->mnt); +} + +/* + * Internal lookup() using the new generic dcache. + * SMP-safe + */ +static struct dentry * cached_lookup(struct dentry * parent, struct qstr * name, struct nameidata *nd) +{ + struct dentry * dentry = __d_lookup(parent, name); + + /* lockess __d_lookup may fail due to concurrent d_move() + * in some unrelated directory, so try with d_lookup + */ + if (!dentry) + dentry = d_lookup(parent, name); + + if (dentry && dentry->d_op && dentry->d_op->d_revalidate) { + if (!dentry->d_op->d_revalidate(dentry, nd) && !d_invalidate(dentry)) { + dput(dentry); + dentry = NULL; + } + } + return dentry; +} + +/* + * Short-cut version of permission(), for calling by + * path_walk(), when dcache lock is held. Combines parts + * of permission() and generic_permission(), and tests ONLY for + * MAY_EXEC permission. + * + * If appropriate, check DAC only. If not appropriate, or + * short-cut DAC fails, then call permission() to do more + * complete permission check. + */ +static inline int exec_permission_lite(struct inode *inode, + struct nameidata *nd) +{ + umode_t mode = inode->i_mode; + + if (inode->i_op && inode->i_op->permission) + return -EAGAIN; + + if (current->fsuid == inode->i_uid) + mode >>= 6; + else if (in_group_p(inode->i_gid)) + mode >>= 3; + + if (mode & MAY_EXEC) + goto ok; + + if ((inode->i_mode & S_IXUGO) && capable(CAP_DAC_OVERRIDE)) + goto ok; + + if (S_ISDIR(inode->i_mode) && capable(CAP_DAC_OVERRIDE)) + goto ok; + + if (S_ISDIR(inode->i_mode) && capable(CAP_DAC_READ_SEARCH)) + goto ok; + + return -EACCES; +ok: + return security_inode_permission(inode, MAY_EXEC, nd); +} + +/* + * This is called when everything else fails, and we actually have + * to go to the low-level filesystem to find out what we should do.. + * + * We get the directory semaphore, and after getting that we also + * make sure that nobody added the entry to the dcache in the meantime.. + * SMP-safe + */ +static struct dentry * real_lookup(struct dentry * parent, struct qstr * name, struct nameidata *nd) +{ + struct dentry * result; + struct inode *dir = parent->d_inode; + + down(&dir->i_sem); + /* + * First re-do the cached lookup just in case it was created + * while we waited for the directory semaphore.. + * + * FIXME! This could use version numbering or similar to + * avoid unnecessary cache lookups. + * + * The "dcache_lock" is purely to protect the RCU list walker + * from concurrent renames at this point (we mustn't get false + * negatives from the RCU list walk here, unlike the optimistic + * fast walk). + * + * so doing d_lookup() (with seqlock), instead of lockfree __d_lookup + */ + result = d_lookup(parent, name); + if (!result) { + struct dentry * dentry = d_alloc(parent, name); + result = ERR_PTR(-ENOMEM); + if (dentry) { + result = dir->i_op->lookup(dir, dentry, nd); + if (result) + dput(dentry); + else + result = dentry; + } + up(&dir->i_sem); + return result; + } + + /* + * Uhhuh! Nasty case: the cache was re-populated while + * we waited on the semaphore. Need to revalidate. + */ + up(&dir->i_sem); + if (result->d_op && result->d_op->d_revalidate) { + if (!result->d_op->d_revalidate(result, nd) && !d_invalidate(result)) { + dput(result); + result = ERR_PTR(-ENOENT); + } + } + return result; +} + +static int __emul_lookup_dentry(const char *, struct nameidata *); + +/* SMP-safe */ +static inline int +walk_init_root(const char *name, struct nameidata *nd) +{ + read_lock(¤t->fs->lock); + if (current->fs->altroot && !(nd->flags & LOOKUP_NOALT)) { + nd->mnt = mntget(current->fs->altrootmnt); + nd->dentry = dget(current->fs->altroot); + read_unlock(¤t->fs->lock); + if (__emul_lookup_dentry(name,nd)) + return 0; + read_lock(¤t->fs->lock); + } + nd->mnt = mntget(current->fs->rootmnt); + nd->dentry = dget(current->fs->root); + read_unlock(¤t->fs->lock); + return 1; +} + +static inline int __vfs_follow_link(struct nameidata *nd, const char *link) +{ + int res = 0; + char *name; + if (IS_ERR(link)) + goto fail; + + if (*link == '/') { + path_release(nd); + if (!walk_init_root(link, nd)) + /* weird __emul_prefix() stuff did it */ + goto out; + } + res = link_path_walk(link, nd); +out: + if (nd->depth || res || nd->last_type!=LAST_NORM) + return res; + /* + * If it is an iterative symlinks resolution in open_namei() we + * have to copy the last component. And all that crap because of + * bloody create() on broken symlinks. Furrfu... + */ + name = __getname(); + if (unlikely(!name)) { + path_release(nd); + return -ENOMEM; + } + strcpy(name, nd->last.name); + nd->last.name = name; + return 0; +fail: + path_release(nd); + return PTR_ERR(link); +} + +static inline int __do_follow_link(struct dentry *dentry, struct nameidata *nd) +{ + int error; + + touch_atime(nd->mnt, dentry); + nd_set_link(nd, NULL); + error = dentry->d_inode->i_op->follow_link(dentry, nd); + if (!error) { + char *s = nd_get_link(nd); + if (s) + error = __vfs_follow_link(nd, s); + if (dentry->d_inode->i_op->put_link) + dentry->d_inode->i_op->put_link(dentry, nd); + } + + return error; +} + +/* + * This limits recursive symlink follows to 8, while + * limiting consecutive symlinks to 40. + * + * Without that kind of total limit, nasty chains of consecutive + * symlinks can cause almost arbitrarily long lookups. + */ +static inline int do_follow_link(struct dentry *dentry, struct nameidata *nd) +{ + int err = -ELOOP; + if (current->link_count >= MAX_NESTED_LINKS) + goto loop; + if (current->total_link_count >= 40) + goto loop; + BUG_ON(nd->depth >= MAX_NESTED_LINKS); + cond_resched(); + err = security_inode_follow_link(dentry, nd); + if (err) + goto loop; + current->link_count++; + current->total_link_count++; + nd->depth++; + err = __do_follow_link(dentry, nd); + current->link_count--; + nd->depth--; + return err; +loop: + path_release(nd); + return err; +} + +int follow_up(struct vfsmount **mnt, struct dentry **dentry) +{ + struct vfsmount *parent; + struct dentry *mountpoint; + spin_lock(&vfsmount_lock); + parent=(*mnt)->mnt_parent; + if (parent == *mnt) { + spin_unlock(&vfsmount_lock); + return 0; + } + mntget(parent); + mountpoint=dget((*mnt)->mnt_mountpoint); + spin_unlock(&vfsmount_lock); + dput(*dentry); + *dentry = mountpoint; + mntput(*mnt); + *mnt = parent; + return 1; +} + +/* no need for dcache_lock, as serialization is taken care in + * namespace.c + */ +static int follow_mount(struct vfsmount **mnt, struct dentry **dentry) +{ + int res = 0; + while (d_mountpoint(*dentry)) { + struct vfsmount *mounted = lookup_mnt(*mnt, *dentry); + if (!mounted) + break; + mntput(*mnt); + *mnt = mounted; + dput(*dentry); + *dentry = dget(mounted->mnt_root); + res = 1; + } + return res; +} + +/* no need for dcache_lock, as serialization is taken care in + * namespace.c + */ +static inline int __follow_down(struct vfsmount **mnt, struct dentry **dentry) +{ + struct vfsmount *mounted; + + mounted = lookup_mnt(*mnt, *dentry); + if (mounted) { + mntput(*mnt); + *mnt = mounted; + dput(*dentry); + *dentry = dget(mounted->mnt_root); + return 1; + } + return 0; +} + +int follow_down(struct vfsmount **mnt, struct dentry **dentry) +{ + return __follow_down(mnt,dentry); +} + +static inline void follow_dotdot(struct vfsmount **mnt, struct dentry **dentry) +{ + while(1) { + struct vfsmount *parent; + struct dentry *old = *dentry; + + read_lock(¤t->fs->lock); + if (*dentry == current->fs->root && + *mnt == current->fs->rootmnt) { + read_unlock(¤t->fs->lock); + break; + } + read_unlock(¤t->fs->lock); + spin_lock(&dcache_lock); + if (*dentry != (*mnt)->mnt_root) { + *dentry = dget((*dentry)->d_parent); + spin_unlock(&dcache_lock); + dput(old); + break; + } + spin_unlock(&dcache_lock); + spin_lock(&vfsmount_lock); + parent = (*mnt)->mnt_parent; + if (parent == *mnt) { + spin_unlock(&vfsmount_lock); + break; + } + mntget(parent); + *dentry = dget((*mnt)->mnt_mountpoint); + spin_unlock(&vfsmount_lock); + dput(old); + mntput(*mnt); + *mnt = parent; + } + follow_mount(mnt, dentry); +} + +struct path { + struct vfsmount *mnt; + struct dentry *dentry; +}; + +/* + * It's more convoluted than I'd like it to be, but... it's still fairly + * small and for now I'd prefer to have fast path as straight as possible. + * It _is_ time-critical. + */ +static int do_lookup(struct nameidata *nd, struct qstr *name, + struct path *path) +{ + struct vfsmount *mnt = nd->mnt; + struct dentry *dentry = __d_lookup(nd->dentry, name); + + if (!dentry) + goto need_lookup; + if (dentry->d_op && dentry->d_op->d_revalidate) + goto need_revalidate; +done: + path->mnt = mnt; + path->dentry = dentry; + return 0; + +need_lookup: + dentry = real_lookup(nd->dentry, name, nd); + if (IS_ERR(dentry)) + goto fail; + goto done; + +need_revalidate: + if (dentry->d_op->d_revalidate(dentry, nd)) + goto done; + if (d_invalidate(dentry)) + goto done; + dput(dentry); + goto need_lookup; + +fail: + return PTR_ERR(dentry); +} + +/* + * Name resolution. + * + * This is the basic name resolution function, turning a pathname + * into the final dentry. + * + * We expect 'base' to be positive and a directory. + */ +int fastcall link_path_walk(const char * name, struct nameidata *nd) +{ + struct path next; + struct inode *inode; + int err; + unsigned int lookup_flags = nd->flags; + + while (*name=='/') + name++; + if (!*name) + goto return_reval; + + inode = nd->dentry->d_inode; + if (nd->depth) + lookup_flags = LOOKUP_FOLLOW; + + /* At this point we know we have a real path component. */ + for(;;) { + unsigned long hash; + struct qstr this; + unsigned int c; + + err = exec_permission_lite(inode, nd); + if (err == -EAGAIN) { + err = permission(inode, MAY_EXEC, nd); + } + if (err) + break; + + this.name = name; + c = *(const unsigned char *)name; + + hash = init_name_hash(); + do { + name++; + hash = partial_name_hash(c, hash); + c = *(const unsigned char *)name; + } while (c && (c != '/')); + this.len = name - (const char *) this.name; + this.hash = end_name_hash(hash); + + /* remove trailing slashes? */ + if (!c) + goto last_component; + while (*++name == '/'); + if (!*name) + goto last_with_slashes; + + /* + * "." and ".." are special - ".." especially so because it has + * to be able to know about the current root directory and + * parent relationships. + */ + if (this.name[0] == '.') switch (this.len) { + default: + break; + case 2: + if (this.name[1] != '.') + break; + follow_dotdot(&nd->mnt, &nd->dentry); + inode = nd->dentry->d_inode; + /* fallthrough */ + case 1: + continue; + } + /* + * See if the low-level filesystem might want + * to use its own hash.. + */ + if (nd->dentry->d_op && nd->dentry->d_op->d_hash) { + err = nd->dentry->d_op->d_hash(nd->dentry, &this); + if (err < 0) + break; + } + nd->flags |= LOOKUP_CONTINUE; + /* This does the actual lookups.. */ + err = do_lookup(nd, &this, &next); + if (err) + break; + /* Check mountpoints.. */ + follow_mount(&next.mnt, &next.dentry); + + err = -ENOENT; + inode = next.dentry->d_inode; + if (!inode) + goto out_dput; + err = -ENOTDIR; + if (!inode->i_op) + goto out_dput; + + if (inode->i_op->follow_link) { + mntget(next.mnt); + err = do_follow_link(next.dentry, nd); + dput(next.dentry); + mntput(next.mnt); + if (err) + goto return_err; + err = -ENOENT; + inode = nd->dentry->d_inode; + if (!inode) + break; + err = -ENOTDIR; + if (!inode->i_op) + break; + } else { + dput(nd->dentry); + nd->mnt = next.mnt; + nd->dentry = next.dentry; + } + err = -ENOTDIR; + if (!inode->i_op->lookup) + break; + continue; + /* here ends the main loop */ + +last_with_slashes: + lookup_flags |= LOOKUP_FOLLOW | LOOKUP_DIRECTORY; +last_component: + nd->flags &= ~LOOKUP_CONTINUE; + if (lookup_flags & LOOKUP_PARENT) + goto lookup_parent; + if (this.name[0] == '.') switch (this.len) { + default: + break; + case 2: + if (this.name[1] != '.') + break; + follow_dotdot(&nd->mnt, &nd->dentry); + inode = nd->dentry->d_inode; + /* fallthrough */ + case 1: + goto return_reval; + } + if (nd->dentry->d_op && nd->dentry->d_op->d_hash) { + err = nd->dentry->d_op->d_hash(nd->dentry, &this); + if (err < 0) + break; + } + err = do_lookup(nd, &this, &next); + if (err) + break; + follow_mount(&next.mnt, &next.dentry); + inode = next.dentry->d_inode; + if ((lookup_flags & LOOKUP_FOLLOW) + && inode && inode->i_op && inode->i_op->follow_link) { + mntget(next.mnt); + err = do_follow_link(next.dentry, nd); + dput(next.dentry); + mntput(next.mnt); + if (err) + goto return_err; + inode = nd->dentry->d_inode; + } else { + dput(nd->dentry); + nd->mnt = next.mnt; + nd->dentry = next.dentry; + } + err = -ENOENT; + if (!inode) + break; + if (lookup_flags & LOOKUP_DIRECTORY) { + err = -ENOTDIR; + if (!inode->i_op || !inode->i_op->lookup) + break; + } + goto return_base; +lookup_parent: + nd->last = this; + nd->last_type = LAST_NORM; + if (this.name[0] != '.') + goto return_base; + if (this.len == 1) + nd->last_type = LAST_DOT; + else if (this.len == 2 && this.name[1] == '.') + nd->last_type = LAST_DOTDOT; + else + goto return_base; +return_reval: + /* + * We bypassed the ordinary revalidation routines. + * We may need to check the cached dentry for staleness. + */ + if (nd->dentry && nd->dentry->d_sb && + (nd->dentry->d_sb->s_type->fs_flags & FS_REVAL_DOT)) { + err = -ESTALE; + /* Note: we do not d_invalidate() */ + if (!nd->dentry->d_op->d_revalidate(nd->dentry, nd)) + break; + } +return_base: + return 0; +out_dput: + dput(next.dentry); + break; + } + path_release(nd); +return_err: + return err; +} + +int fastcall path_walk(const char * name, struct nameidata *nd) +{ + current->total_link_count = 0; + return link_path_walk(name, nd); +} + +/* SMP-safe */ +/* returns 1 if everything is done */ +static int __emul_lookup_dentry(const char *name, struct nameidata *nd) +{ + if (path_walk(name, nd)) + return 0; /* something went wrong... */ + + if (!nd->dentry->d_inode || S_ISDIR(nd->dentry->d_inode->i_mode)) { + struct dentry *old_dentry = nd->dentry; + struct vfsmount *old_mnt = nd->mnt; + struct qstr last = nd->last; + int last_type = nd->last_type; + /* + * NAME was not found in alternate root or it's a directory. Try to find + * it in the normal root: + */ + nd->last_type = LAST_ROOT; + read_lock(¤t->fs->lock); + nd->mnt = mntget(current->fs->rootmnt); + nd->dentry = dget(current->fs->root); + read_unlock(¤t->fs->lock); + if (path_walk(name, nd) == 0) { + if (nd->dentry->d_inode) { + dput(old_dentry); + mntput(old_mnt); + return 1; + } + path_release(nd); + } + nd->dentry = old_dentry; + nd->mnt = old_mnt; + nd->last = last; + nd->last_type = last_type; + } + return 1; +} + +void set_fs_altroot(void) +{ + char *emul = __emul_prefix(); + struct nameidata nd; + struct vfsmount *mnt = NULL, *oldmnt; + struct dentry *dentry = NULL, *olddentry; + int err; + + if (!emul) + goto set_it; + err = path_lookup(emul, LOOKUP_FOLLOW|LOOKUP_DIRECTORY|LOOKUP_NOALT, &nd); + if (!err) { + mnt = nd.mnt; + dentry = nd.dentry; + } +set_it: + write_lock(¤t->fs->lock); + oldmnt = current->fs->altrootmnt; + olddentry = current->fs->altroot; + current->fs->altrootmnt = mnt; + current->fs->altroot = dentry; + write_unlock(¤t->fs->lock); + if (olddentry) { + dput(olddentry); + mntput(oldmnt); + } +} + +int fastcall path_lookup(const char *name, unsigned int flags, struct nameidata *nd) +{ + int retval; + + nd->last_type = LAST_ROOT; /* if there are only slashes... */ + nd->flags = flags; + nd->depth = 0; + + read_lock(¤t->fs->lock); + if (*name=='/') { + if (current->fs->altroot && !(nd->flags & LOOKUP_NOALT)) { + nd->mnt = mntget(current->fs->altrootmnt); + nd->dentry = dget(current->fs->altroot); + read_unlock(¤t->fs->lock); + if (__emul_lookup_dentry(name,nd)) + return 0; + read_lock(¤t->fs->lock); + } + nd->mnt = mntget(current->fs->rootmnt); + nd->dentry = dget(current->fs->root); + } else { + nd->mnt = mntget(current->fs->pwdmnt); + nd->dentry = dget(current->fs->pwd); + } + read_unlock(¤t->fs->lock); + current->total_link_count = 0; + retval = link_path_walk(name, nd); + if (unlikely(current->audit_context + && nd && nd->dentry && nd->dentry->d_inode)) + audit_inode(name, + nd->dentry->d_inode->i_ino, + nd->dentry->d_inode->i_rdev); + return retval; +} + +/* + * Restricted form of lookup. Doesn't follow links, single-component only, + * needs parent already locked. Doesn't follow mounts. + * SMP-safe. + */ +static struct dentry * __lookup_hash(struct qstr *name, struct dentry * base, struct nameidata *nd) +{ + struct dentry * dentry; + struct inode *inode; + int err; + + inode = base->d_inode; + err = permission(inode, MAY_EXEC, nd); + dentry = ERR_PTR(err); + if (err) + goto out; + + /* + * See if the low-level filesystem might want + * to use its own hash.. + */ + if (base->d_op && base->d_op->d_hash) { + err = base->d_op->d_hash(base, name); + dentry = ERR_PTR(err); + if (err < 0) + goto out; + } + + dentry = cached_lookup(base, name, nd); + if (!dentry) { + struct dentry *new = d_alloc(base, name); + dentry = ERR_PTR(-ENOMEM); + if (!new) + goto out; + dentry = inode->i_op->lookup(inode, new, nd); + if (!dentry) + dentry = new; + else + dput(new); + } +out: + return dentry; +} + +struct dentry * lookup_hash(struct qstr *name, struct dentry * base) +{ + return __lookup_hash(name, base, NULL); +} + +/* SMP-safe */ +struct dentry * lookup_one_len(const char * name, struct dentry * base, int len) +{ + unsigned long hash; + struct qstr this; + unsigned int c; + + this.name = name; + this.len = len; + if (!len) + goto access; + + hash = init_name_hash(); + while (len--) { + c = *(const unsigned char *)name++; + if (c == '/' || c == '\0') + goto access; + hash = partial_name_hash(c, hash); + } + this.hash = end_name_hash(hash); + + return lookup_hash(&this, base); +access: + return ERR_PTR(-EACCES); +} + +/* + * namei() + * + * is used by most simple commands to get the inode of a specified name. + * Open, link etc use their own routines, but this is enough for things + * like 'chmod' etc. + * + * namei exists in two versions: namei/lnamei. The only difference is + * that namei follows links, while lnamei does not. + * SMP-safe + */ +int fastcall __user_walk(const char __user *name, unsigned flags, struct nameidata *nd) +{ + char *tmp = getname(name); + int err = PTR_ERR(tmp); + + if (!IS_ERR(tmp)) { + err = path_lookup(tmp, flags, nd); + putname(tmp); + } + return err; +} + +/* + * It's inline, so penalty for filesystems that don't use sticky bit is + * minimal. + */ +static inline int check_sticky(struct inode *dir, struct inode *inode) +{ + if (!(dir->i_mode & S_ISVTX)) + return 0; + if (inode->i_uid == current->fsuid) + return 0; + if (dir->i_uid == current->fsuid) + return 0; + return !capable(CAP_FOWNER); +} + +/* + * Check whether we can remove a link victim from directory dir, check + * whether the type of victim is right. + * 1. We can't do it if dir is read-only (done in permission()) + * 2. We should have write and exec permissions on dir + * 3. We can't remove anything from append-only dir + * 4. We can't do anything with immutable dir (done in permission()) + * 5. If the sticky bit on dir is set we should either + * a. be owner of dir, or + * b. be owner of victim, or + * c. have CAP_FOWNER capability + * 6. If the victim is append-only or immutable we can't do antyhing with + * links pointing to it. + * 7. If we were asked to remove a directory and victim isn't one - ENOTDIR. + * 8. If we were asked to remove a non-directory and victim isn't one - EISDIR. + * 9. We can't remove a root or mountpoint. + * 10. We don't allow removal of NFS sillyrenamed files; it's handled by + * nfs_async_unlink(). + */ +static inline int may_delete(struct inode *dir,struct dentry *victim,int isdir) +{ + int error; + + if (!victim->d_inode) + return -ENOENT; + + BUG_ON(victim->d_parent->d_inode != dir); + + error = permission(dir,MAY_WRITE | MAY_EXEC, NULL); + if (error) + return error; + if (IS_APPEND(dir)) + return -EPERM; + if (check_sticky(dir, victim->d_inode)||IS_APPEND(victim->d_inode)|| + IS_IMMUTABLE(victim->d_inode)) + return -EPERM; + if (isdir) { + if (!S_ISDIR(victim->d_inode->i_mode)) + return -ENOTDIR; + if (IS_ROOT(victim)) + return -EBUSY; + } else if (S_ISDIR(victim->d_inode->i_mode)) + return -EISDIR; + if (IS_DEADDIR(dir)) + return -ENOENT; + if (victim->d_flags & DCACHE_NFSFS_RENAMED) + return -EBUSY; + return 0; +} + +/* Check whether we can create an object with dentry child in directory + * dir. + * 1. We can't do it if child already exists (open has special treatment for + * this case, but since we are inlined it's OK) + * 2. We can't do it if dir is read-only (done in permission()) + * 3. We should have write and exec permissions on dir + * 4. We can't do it if dir is immutable (done in permission()) + */ +static inline int may_create(struct inode *dir, struct dentry *child, + struct nameidata *nd) +{ + if (child->d_inode) + return -EEXIST; + if (IS_DEADDIR(dir)) + return -ENOENT; + return permission(dir,MAY_WRITE | MAY_EXEC, nd); +} + +/* + * Special case: O_CREAT|O_EXCL implies O_NOFOLLOW for security + * reasons. + * + * O_DIRECTORY translates into forcing a directory lookup. + */ +static inline int lookup_flags(unsigned int f) +{ + unsigned long retval = LOOKUP_FOLLOW; + + if (f & O_NOFOLLOW) + retval &= ~LOOKUP_FOLLOW; + + if ((f & (O_CREAT|O_EXCL)) == (O_CREAT|O_EXCL)) + retval &= ~LOOKUP_FOLLOW; + + if (f & O_DIRECTORY) + retval |= LOOKUP_DIRECTORY; + + return retval; +} + +/* + * p1 and p2 should be directories on the same fs. + */ +struct dentry *lock_rename(struct dentry *p1, struct dentry *p2) +{ + struct dentry *p; + + if (p1 == p2) { + down(&p1->d_inode->i_sem); + return NULL; + } + + down(&p1->d_inode->i_sb->s_vfs_rename_sem); + + for (p = p1; p->d_parent != p; p = p->d_parent) { + if (p->d_parent == p2) { + down(&p2->d_inode->i_sem); + down(&p1->d_inode->i_sem); + return p; + } + } + + for (p = p2; p->d_parent != p; p = p->d_parent) { + if (p->d_parent == p1) { + down(&p1->d_inode->i_sem); + down(&p2->d_inode->i_sem); + return p; + } + } + + down(&p1->d_inode->i_sem); + down(&p2->d_inode->i_sem); + return NULL; +} + +void unlock_rename(struct dentry *p1, struct dentry *p2) +{ + up(&p1->d_inode->i_sem); + if (p1 != p2) { + up(&p2->d_inode->i_sem); + up(&p1->d_inode->i_sb->s_vfs_rename_sem); + } +} + +int vfs_create(struct inode *dir, struct dentry *dentry, int mode, + struct nameidata *nd) +{ + int error = may_create(dir, dentry, nd); + + if (error) + return error; + + if (!dir->i_op || !dir->i_op->create) + return -EACCES; /* shouldn't it be ENOSYS? */ + mode &= S_IALLUGO; + mode |= S_IFREG; + error = security_inode_create(dir, dentry, mode); + if (error) + return error; + DQUOT_INIT(dir); + error = dir->i_op->create(dir, dentry, mode, nd); + if (!error) { + inode_dir_notify(dir, DN_CREATE); + security_inode_post_create(dir, dentry, mode); + } + return error; +} + +int may_open(struct nameidata *nd, int acc_mode, int flag) +{ + struct dentry *dentry = nd->dentry; + struct inode *inode = dentry->d_inode; + int error; + + if (!inode) + return -ENOENT; + + if (S_ISLNK(inode->i_mode)) + return -ELOOP; + + if (S_ISDIR(inode->i_mode) && (flag & FMODE_WRITE)) + return -EISDIR; + + error = permission(inode, acc_mode, nd); + if (error) + return error; + + /* + * FIFO's, sockets and device files are special: they don't + * actually live on the filesystem itself, and as such you + * can write to them even if the filesystem is read-only. + */ + if (S_ISFIFO(inode->i_mode) || S_ISSOCK(inode->i_mode)) { + flag &= ~O_TRUNC; + } else if (S_ISBLK(inode->i_mode) || S_ISCHR(inode->i_mode)) { + if (nd->mnt->mnt_flags & MNT_NODEV) + return -EACCES; + + flag &= ~O_TRUNC; + } else if (IS_RDONLY(inode) && (flag & FMODE_WRITE)) + return -EROFS; + /* + * An append-only file must be opened in append mode for writing. + */ + if (IS_APPEND(inode)) { + if ((flag & FMODE_WRITE) && !(flag & O_APPEND)) + return -EPERM; + if (flag & O_TRUNC) + return -EPERM; + } + + /* O_NOATIME can only be set by the owner or superuser */ + if (flag & O_NOATIME) + if (current->fsuid != inode->i_uid && !capable(CAP_FOWNER)) + return -EPERM; + + /* + * Ensure there are no outstanding leases on the file. + */ + error = break_lease(inode, flag); + if (error) + return error; + + if (flag & O_TRUNC) { + error = get_write_access(inode); + if (error) + return error; + + /* + * Refuse to truncate files with mandatory locks held on them. + */ + error = locks_verify_locked(inode); + if (!error) { + DQUOT_INIT(inode); + + error = do_truncate(dentry, 0); + } + put_write_access(inode); + if (error) + return error; + } else + if (flag & FMODE_WRITE) + DQUOT_INIT(inode); + + return 0; +} + +/* + * open_namei() + * + * namei for open - this is in fact almost the whole open-routine. + * + * Note that the low bits of "flag" aren't the same as in the open + * system call - they are 00 - no permissions needed + * 01 - read permission needed + * 10 - write permission needed + * 11 - read/write permissions needed + * which is a lot more logical, and also allows the "no perm" needed + * for symlinks (where the permissions are checked later). + * SMP-safe + */ +int open_namei(const char * pathname, int flag, int mode, struct nameidata *nd) +{ + int acc_mode, error = 0; + struct dentry *dentry; + struct dentry *dir; + int count = 0; + + acc_mode = ACC_MODE(flag); + + /* Allow the LSM permission hook to distinguish append + access from general write access. */ + if (flag & O_APPEND) + acc_mode |= MAY_APPEND; + + /* Fill in the open() intent data */ + nd->intent.open.flags = flag; + nd->intent.open.create_mode = mode; + + /* + * The simplest case - just a plain lookup. + */ + if (!(flag & O_CREAT)) { + error = path_lookup(pathname, lookup_flags(flag)|LOOKUP_OPEN, nd); + if (error) + return error; + goto ok; + } + + /* + * Create - we need to know the parent. + */ + error = path_lookup(pathname, LOOKUP_PARENT|LOOKUP_OPEN|LOOKUP_CREATE, nd); + if (error) + return error; + + /* + * We have the parent and last component. First of all, check + * that we are not asked to creat(2) an obvious directory - that + * will not do. + */ + error = -EISDIR; + if (nd->last_type != LAST_NORM || nd->last.name[nd->last.len]) + goto exit; + + dir = nd->dentry; + nd->flags &= ~LOOKUP_PARENT; + down(&dir->d_inode->i_sem); + dentry = __lookup_hash(&nd->last, nd->dentry, nd); + +do_last: + error = PTR_ERR(dentry); + if (IS_ERR(dentry)) { + up(&dir->d_inode->i_sem); + goto exit; + } + + /* Negative dentry, just create the file */ + if (!dentry->d_inode) { + if (!IS_POSIXACL(dir->d_inode)) + mode &= ~current->fs->umask; + error = vfs_create(dir->d_inode, dentry, mode, nd); + up(&dir->d_inode->i_sem); + dput(nd->dentry); + nd->dentry = dentry; + if (error) + goto exit; + /* Don't check for write permission, don't truncate */ + acc_mode = 0; + flag &= ~O_TRUNC; + goto ok; + } + + /* + * It already exists. + */ + up(&dir->d_inode->i_sem); + + error = -EEXIST; + if (flag & O_EXCL) + goto exit_dput; + + if (d_mountpoint(dentry)) { + error = -ELOOP; + if (flag & O_NOFOLLOW) + goto exit_dput; + while (__follow_down(&nd->mnt,&dentry) && d_mountpoint(dentry)); + } + error = -ENOENT; + if (!dentry->d_inode) + goto exit_dput; + if (dentry->d_inode->i_op && dentry->d_inode->i_op->follow_link) + goto do_link; + + dput(nd->dentry); + nd->dentry = dentry; + error = -EISDIR; + if (dentry->d_inode && S_ISDIR(dentry->d_inode->i_mode)) + goto exit; +ok: + error = may_open(nd, acc_mode, flag); + if (error) + goto exit; + return 0; + +exit_dput: + dput(dentry); +exit: + path_release(nd); + return error; + +do_link: + error = -ELOOP; + if (flag & O_NOFOLLOW) + goto exit_dput; + /* + * This is subtle. Instead of calling do_follow_link() we do the + * thing by hands. The reason is that this way we have zero link_count + * and path_walk() (called from ->follow_link) honoring LOOKUP_PARENT. + * After that we have the parent and last component, i.e. + * we are in the same situation as after the first path_walk(). + * Well, almost - if the last component is normal we get its copy + * stored in nd->last.name and we will have to putname() it when we + * are done. Procfs-like symlinks just set LAST_BIND. + */ + nd->flags |= LOOKUP_PARENT; + error = security_inode_follow_link(dentry, nd); + if (error) + goto exit_dput; + error = __do_follow_link(dentry, nd); + dput(dentry); + if (error) + return error; + nd->flags &= ~LOOKUP_PARENT; + if (nd->last_type == LAST_BIND) { + dentry = nd->dentry; + goto ok; + } + error = -EISDIR; + if (nd->last_type != LAST_NORM) + goto exit; + if (nd->last.name[nd->last.len]) { + putname(nd->last.name); + goto exit; + } + error = -ELOOP; + if (count++==32) { + putname(nd->last.name); + goto exit; + } + dir = nd->dentry; + down(&dir->d_inode->i_sem); + dentry = __lookup_hash(&nd->last, nd->dentry, nd); + putname(nd->last.name); + goto do_last; +} + +/** + * lookup_create - lookup a dentry, creating it if it doesn't exist + * @nd: nameidata info + * @is_dir: directory flag + * + * Simple function to lookup and return a dentry and create it + * if it doesn't exist. Is SMP-safe. + */ +struct dentry *lookup_create(struct nameidata *nd, int is_dir) +{ + struct dentry *dentry; + + down(&nd->dentry->d_inode->i_sem); + dentry = ERR_PTR(-EEXIST); + if (nd->last_type != LAST_NORM) + goto fail; + nd->flags &= ~LOOKUP_PARENT; + dentry = lookup_hash(&nd->last, nd->dentry); + if (IS_ERR(dentry)) + goto fail; + if (!is_dir && nd->last.name[nd->last.len] && !dentry->d_inode) + goto enoent; + return dentry; +enoent: + dput(dentry); + dentry = ERR_PTR(-ENOENT); +fail: + return dentry; +} + +int vfs_mknod(struct inode *dir, struct dentry *dentry, int mode, dev_t dev) +{ + int error = may_create(dir, dentry, NULL); + + if (error) + return error; + + if ((S_ISCHR(mode) || S_ISBLK(mode)) && !capable(CAP_MKNOD)) + return -EPERM; + + if (!dir->i_op || !dir->i_op->mknod) + return -EPERM; + + error = security_inode_mknod(dir, dentry, mode, dev); + if (error) + return error; + + DQUOT_INIT(dir); + error = dir->i_op->mknod(dir, dentry, mode, dev); + if (!error) { + inode_dir_notify(dir, DN_CREATE); + security_inode_post_mknod(dir, dentry, mode, dev); + } + return error; +} + +asmlinkage long sys_mknod(const char __user * filename, int mode, unsigned dev) +{ + int error = 0; + char * tmp; + struct dentry * dentry; + struct nameidata nd; + + if (S_ISDIR(mode)) + return -EPERM; + tmp = getname(filename); + if (IS_ERR(tmp)) + return PTR_ERR(tmp); + + error = path_lookup(tmp, LOOKUP_PARENT, &nd); + if (error) + goto out; + dentry = lookup_create(&nd, 0); + error = PTR_ERR(dentry); + + if (!IS_POSIXACL(nd.dentry->d_inode)) + mode &= ~current->fs->umask; + if (!IS_ERR(dentry)) { + switch (mode & S_IFMT) { + case 0: case S_IFREG: + error = vfs_create(nd.dentry->d_inode,dentry,mode,&nd); + break; + case S_IFCHR: case S_IFBLK: + error = vfs_mknod(nd.dentry->d_inode,dentry,mode, + new_decode_dev(dev)); + break; + case S_IFIFO: case S_IFSOCK: + error = vfs_mknod(nd.dentry->d_inode,dentry,mode,0); + break; + case S_IFDIR: + error = -EPERM; + break; + default: + error = -EINVAL; + } + dput(dentry); + } + up(&nd.dentry->d_inode->i_sem); + path_release(&nd); +out: + putname(tmp); + + return error; +} + +int vfs_mkdir(struct inode *dir, struct dentry *dentry, int mode) +{ + int error = may_create(dir, dentry, NULL); + + if (error) + return error; + + if (!dir->i_op || !dir->i_op->mkdir) + return -EPERM; + + mode &= (S_IRWXUGO|S_ISVTX); + error = security_inode_mkdir(dir, dentry, mode); + if (error) + return error; + + DQUOT_INIT(dir); + error = dir->i_op->mkdir(dir, dentry, mode); + if (!error) { + inode_dir_notify(dir, DN_CREATE); + security_inode_post_mkdir(dir,dentry, mode); + } + return error; +} + +asmlinkage long sys_mkdir(const char __user * pathname, int mode) +{ + int error = 0; + char * tmp; + + tmp = getname(pathname); + error = PTR_ERR(tmp); + if (!IS_ERR(tmp)) { + struct dentry *dentry; + struct nameidata nd; + + error = path_lookup(tmp, LOOKUP_PARENT, &nd); + if (error) + goto out; + dentry = lookup_create(&nd, 1); + error = PTR_ERR(dentry); + if (!IS_ERR(dentry)) { + if (!IS_POSIXACL(nd.dentry->d_inode)) + mode &= ~current->fs->umask; + error = vfs_mkdir(nd.dentry->d_inode, dentry, mode); + dput(dentry); + } + up(&nd.dentry->d_inode->i_sem); + path_release(&nd); +out: + putname(tmp); + } + + return error; +} + +/* + * We try to drop the dentry early: we should have + * a usage count of 2 if we're the only user of this + * dentry, and if that is true (possibly after pruning + * the dcache), then we drop the dentry now. + * + * A low-level filesystem can, if it choses, legally + * do a + * + * if (!d_unhashed(dentry)) + * return -EBUSY; + * + * if it cannot handle the case of removing a directory + * that is still in use by something else.. + */ +void dentry_unhash(struct dentry *dentry) +{ + dget(dentry); + spin_lock(&dcache_lock); + switch (atomic_read(&dentry->d_count)) { + default: + spin_unlock(&dcache_lock); + shrink_dcache_parent(dentry); + spin_lock(&dcache_lock); + if (atomic_read(&dentry->d_count) != 2) + break; + case 2: + __d_drop(dentry); + } + spin_unlock(&dcache_lock); +} + +int vfs_rmdir(struct inode *dir, struct dentry *dentry) +{ + int error = may_delete(dir, dentry, 1); + + if (error) + return error; + + if (!dir->i_op || !dir->i_op->rmdir) + return -EPERM; + + DQUOT_INIT(dir); + + down(&dentry->d_inode->i_sem); + dentry_unhash(dentry); + if (d_mountpoint(dentry)) + error = -EBUSY; + else { + error = security_inode_rmdir(dir, dentry); + if (!error) { + error = dir->i_op->rmdir(dir, dentry); + if (!error) + dentry->d_inode->i_flags |= S_DEAD; + } + } + up(&dentry->d_inode->i_sem); + if (!error) { + inode_dir_notify(dir, DN_DELETE); + d_delete(dentry); + } + dput(dentry); + + return error; +} + +asmlinkage long sys_rmdir(const char __user * pathname) +{ + int error = 0; + char * name; + struct dentry *dentry; + struct nameidata nd; + + name = getname(pathname); + if(IS_ERR(name)) + return PTR_ERR(name); + + error = path_lookup(name, LOOKUP_PARENT, &nd); + if (error) + goto exit; + + switch(nd.last_type) { + case LAST_DOTDOT: + error = -ENOTEMPTY; + goto exit1; + case LAST_DOT: + error = -EINVAL; + goto exit1; + case LAST_ROOT: + error = -EBUSY; + goto exit1; + } + down(&nd.dentry->d_inode->i_sem); + dentry = lookup_hash(&nd.last, nd.dentry); + error = PTR_ERR(dentry); + if (!IS_ERR(dentry)) { + error = vfs_rmdir(nd.dentry->d_inode, dentry); + dput(dentry); + } + up(&nd.dentry->d_inode->i_sem); +exit1: + path_release(&nd); +exit: + putname(name); + return error; +} + +int vfs_unlink(struct inode *dir, struct dentry *dentry) +{ + int error = may_delete(dir, dentry, 0); + + if (error) + return error; + + if (!dir->i_op || !dir->i_op->unlink) + return -EPERM; + + DQUOT_INIT(dir); + + down(&dentry->d_inode->i_sem); + if (d_mountpoint(dentry)) + error = -EBUSY; + else { + error = security_inode_unlink(dir, dentry); + if (!error) + error = dir->i_op->unlink(dir, dentry); + } + up(&dentry->d_inode->i_sem); + + /* We don't d_delete() NFS sillyrenamed files--they still exist. */ + if (!error && !(dentry->d_flags & DCACHE_NFSFS_RENAMED)) { + d_delete(dentry); + inode_dir_notify(dir, DN_DELETE); + } + return error; +} + +/* + * Make sure that the actual truncation of the file will occur outside its + * directory's i_sem. Truncate can take a long time if there is a lot of + * writeout happening, and we don't want to prevent access to the directory + * while waiting on the I/O. + */ +asmlinkage long sys_unlink(const char __user * pathname) +{ + int error = 0; + char * name; + struct dentry *dentry; + struct nameidata nd; + struct inode *inode = NULL; + + name = getname(pathname); + if(IS_ERR(name)) + return PTR_ERR(name); + + error = path_lookup(name, LOOKUP_PARENT, &nd); + if (error) + goto exit; + error = -EISDIR; + if (nd.last_type != LAST_NORM) + goto exit1; + down(&nd.dentry->d_inode->i_sem); + dentry = lookup_hash(&nd.last, nd.dentry); + error = PTR_ERR(dentry); + if (!IS_ERR(dentry)) { + /* Why not before? Because we want correct error value */ + if (nd.last.name[nd.last.len]) + goto slashes; + inode = dentry->d_inode; + if (inode) + atomic_inc(&inode->i_count); + error = vfs_unlink(nd.dentry->d_inode, dentry); + exit2: + dput(dentry); + } + up(&nd.dentry->d_inode->i_sem); + if (inode) + iput(inode); /* truncate the inode here */ +exit1: + path_release(&nd); +exit: + putname(name); + return error; + +slashes: + error = !dentry->d_inode ? -ENOENT : + S_ISDIR(dentry->d_inode->i_mode) ? -EISDIR : -ENOTDIR; + goto exit2; +} + +int vfs_symlink(struct inode *dir, struct dentry *dentry, const char *oldname, int mode) +{ + int error = may_create(dir, dentry, NULL); + + if (error) + return error; + + if (!dir->i_op || !dir->i_op->symlink) + return -EPERM; + + error = security_inode_symlink(dir, dentry, oldname); + if (error) + return error; + + DQUOT_INIT(dir); + error = dir->i_op->symlink(dir, dentry, oldname); + if (!error) { + inode_dir_notify(dir, DN_CREATE); + security_inode_post_symlink(dir, dentry, oldname); + } + return error; +} + +asmlinkage long sys_symlink(const char __user * oldname, const char __user * newname) +{ + int error = 0; + char * from; + char * to; + + from = getname(oldname); + if(IS_ERR(from)) + return PTR_ERR(from); + to = getname(newname); + error = PTR_ERR(to); + if (!IS_ERR(to)) { + struct dentry *dentry; + struct nameidata nd; + + error = path_lookup(to, LOOKUP_PARENT, &nd); + if (error) + goto out; + dentry = lookup_create(&nd, 0); + error = PTR_ERR(dentry); + if (!IS_ERR(dentry)) { + error = vfs_symlink(nd.dentry->d_inode, dentry, from, S_IALLUGO); + dput(dentry); + } + up(&nd.dentry->d_inode->i_sem); + path_release(&nd); +out: + putname(to); + } + putname(from); + return error; +} + +int vfs_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry) +{ + struct inode *inode = old_dentry->d_inode; + int error; + + if (!inode) + return -ENOENT; + + error = may_create(dir, new_dentry, NULL); + if (error) + return error; + + if (dir->i_sb != inode->i_sb) + return -EXDEV; + + /* + * A link to an append-only or immutable file cannot be created. + */ + if (IS_APPEND(inode) || IS_IMMUTABLE(inode)) + return -EPERM; + if (!dir->i_op || !dir->i_op->link) + return -EPERM; + if (S_ISDIR(old_dentry->d_inode->i_mode)) + return -EPERM; + + error = security_inode_link(old_dentry, dir, new_dentry); + if (error) + return error; + + down(&old_dentry->d_inode->i_sem); + DQUOT_INIT(dir); + error = dir->i_op->link(old_dentry, dir, new_dentry); + up(&old_dentry->d_inode->i_sem); + if (!error) { + inode_dir_notify(dir, DN_CREATE); + security_inode_post_link(old_dentry, dir, new_dentry); + } + return error; +} + +/* + * Hardlinks are often used in delicate situations. We avoid + * security-related surprises by not following symlinks on the + * newname. --KAB + * + * We don't follow them on the oldname either to be compatible + * with linux 2.0, and to avoid hard-linking to directories + * and other special files. --ADM + */ +asmlinkage long sys_link(const char __user * oldname, const char __user * newname) +{ + struct dentry *new_dentry; + struct nameidata nd, old_nd; + int error; + char * to; + + to = getname(newname); + if (IS_ERR(to)) + return PTR_ERR(to); + + error = __user_walk(oldname, 0, &old_nd); + if (error) + goto exit; + error = path_lookup(to, LOOKUP_PARENT, &nd); + if (error) + goto out; + error = -EXDEV; + if (old_nd.mnt != nd.mnt) + goto out_release; + new_dentry = lookup_create(&nd, 0); + error = PTR_ERR(new_dentry); + if (!IS_ERR(new_dentry)) { + error = vfs_link(old_nd.dentry, nd.dentry->d_inode, new_dentry); + dput(new_dentry); + } + up(&nd.dentry->d_inode->i_sem); +out_release: + path_release(&nd); +out: + path_release(&old_nd); +exit: + putname(to); + + return error; +} + +/* + * The worst of all namespace operations - renaming directory. "Perverted" + * doesn't even start to describe it. Somebody in UCB had a heck of a trip... + * Problems: + * a) we can get into loop creation. Check is done in is_subdir(). + * b) race potential - two innocent renames can create a loop together. + * That's where 4.4 screws up. Current fix: serialization on + * sb->s_vfs_rename_sem. We might be more accurate, but that's another + * story. + * c) we have to lock _three_ objects - parents and victim (if it exists). + * And that - after we got ->i_sem on parents (until then we don't know + * whether the target exists). Solution: try to be smart with locking + * order for inodes. We rely on the fact that tree topology may change + * only under ->s_vfs_rename_sem _and_ that parent of the object we + * move will be locked. Thus we can rank directories by the tree + * (ancestors first) and rank all non-directories after them. + * That works since everybody except rename does "lock parent, lookup, + * lock child" and rename is under ->s_vfs_rename_sem. + * HOWEVER, it relies on the assumption that any object with ->lookup() + * has no more than 1 dentry. If "hybrid" objects will ever appear, + * we'd better make sure that there's no link(2) for them. + * d) some filesystems don't support opened-but-unlinked directories, + * either because of layout or because they are not ready to deal with + * all cases correctly. The latter will be fixed (taking this sort of + * stuff into VFS), but the former is not going away. Solution: the same + * trick as in rmdir(). + * e) conversion from fhandle to dentry may come in the wrong moment - when + * we are removing the target. Solution: we will have to grab ->i_sem + * in the fhandle_to_dentry code. [FIXME - current nfsfh.c relies on + * ->i_sem on parents, which works but leads to some truely excessive + * locking]. + */ +int vfs_rename_dir(struct inode *old_dir, struct dentry *old_dentry, + struct inode *new_dir, struct dentry *new_dentry) +{ + int error = 0; + struct inode *target; + + /* + * If we are going to change the parent - check write permissions, + * we'll need to flip '..'. + */ + if (new_dir != old_dir) { + error = permission(old_dentry->d_inode, MAY_WRITE, NULL); + if (error) + return error; + } + + error = security_inode_rename(old_dir, old_dentry, new_dir, new_dentry); + if (error) + return error; + + target = new_dentry->d_inode; + if (target) { + down(&target->i_sem); + dentry_unhash(new_dentry); + } + if (d_mountpoint(old_dentry)||d_mountpoint(new_dentry)) + error = -EBUSY; + else + error = old_dir->i_op->rename(old_dir, old_dentry, new_dir, new_dentry); + if (target) { + if (!error) + target->i_flags |= S_DEAD; + up(&target->i_sem); + if (d_unhashed(new_dentry)) + d_rehash(new_dentry); + dput(new_dentry); + } + if (!error) { + d_move(old_dentry,new_dentry); + security_inode_post_rename(old_dir, old_dentry, + new_dir, new_dentry); + } + return error; +} + +int vfs_rename_other(struct inode *old_dir, struct dentry *old_dentry, + struct inode *new_dir, struct dentry *new_dentry) +{ + struct inode *target; + int error; + + error = security_inode_rename(old_dir, old_dentry, new_dir, new_dentry); + if (error) + return error; + + dget(new_dentry); + target = new_dentry->d_inode; + if (target) + down(&target->i_sem); + if (d_mountpoint(old_dentry)||d_mountpoint(new_dentry)) + error = -EBUSY; + else + error = old_dir->i_op->rename(old_dir, old_dentry, new_dir, new_dentry); + if (!error) { + /* The following d_move() should become unconditional */ + if (!(old_dir->i_sb->s_type->fs_flags & FS_ODD_RENAME)) + d_move(old_dentry, new_dentry); + security_inode_post_rename(old_dir, old_dentry, new_dir, new_dentry); + } + if (target) + up(&target->i_sem); + dput(new_dentry); + return error; +} + +int vfs_rename(struct inode *old_dir, struct dentry *old_dentry, + struct inode *new_dir, struct dentry *new_dentry) +{ + int error; + int is_dir = S_ISDIR(old_dentry->d_inode->i_mode); + + if (old_dentry->d_inode == new_dentry->d_inode) + return 0; + + error = may_delete(old_dir, old_dentry, is_dir); + if (error) + return error; + + if (!new_dentry->d_inode) + error = may_create(new_dir, new_dentry, NULL); + else + error = may_delete(new_dir, new_dentry, is_dir); + if (error) + return error; + + if (!old_dir->i_op || !old_dir->i_op->rename) + return -EPERM; + + DQUOT_INIT(old_dir); + DQUOT_INIT(new_dir); + + if (is_dir) + error = vfs_rename_dir(old_dir,old_dentry,new_dir,new_dentry); + else + error = vfs_rename_other(old_dir,old_dentry,new_dir,new_dentry); + if (!error) { + if (old_dir == new_dir) + inode_dir_notify(old_dir, DN_RENAME); + else { + inode_dir_notify(old_dir, DN_DELETE); + inode_dir_notify(new_dir, DN_CREATE); + } + } + return error; +} + +static inline int do_rename(const char * oldname, const char * newname) +{ + int error = 0; + struct dentry * old_dir, * new_dir; + struct dentry * old_dentry, *new_dentry; + struct dentry * trap; + struct nameidata oldnd, newnd; + + error = path_lookup(oldname, LOOKUP_PARENT, &oldnd); + if (error) + goto exit; + + error = path_lookup(newname, LOOKUP_PARENT, &newnd); + if (error) + goto exit1; + + error = -EXDEV; + if (oldnd.mnt != newnd.mnt) + goto exit2; + + old_dir = oldnd.dentry; + error = -EBUSY; + if (oldnd.last_type != LAST_NORM) + goto exit2; + + new_dir = newnd.dentry; + if (newnd.last_type != LAST_NORM) + goto exit2; + + trap = lock_rename(new_dir, old_dir); + + old_dentry = lookup_hash(&oldnd.last, old_dir); + error = PTR_ERR(old_dentry); + if (IS_ERR(old_dentry)) + goto exit3; + /* source must exist */ + error = -ENOENT; + if (!old_dentry->d_inode) + goto exit4; + /* unless the source is a directory trailing slashes give -ENOTDIR */ + if (!S_ISDIR(old_dentry->d_inode->i_mode)) { + error = -ENOTDIR; + if (oldnd.last.name[oldnd.last.len]) + goto exit4; + if (newnd.last.name[newnd.last.len]) + goto exit4; + } + /* source should not be ancestor of target */ + error = -EINVAL; + if (old_dentry == trap) + goto exit4; + new_dentry = lookup_hash(&newnd.last, new_dir); + error = PTR_ERR(new_dentry); + if (IS_ERR(new_dentry)) + goto exit4; + /* target should not be an ancestor of source */ + error = -ENOTEMPTY; + if (new_dentry == trap) + goto exit5; + + error = vfs_rename(old_dir->d_inode, old_dentry, + new_dir->d_inode, new_dentry); +exit5: + dput(new_dentry); +exit4: + dput(old_dentry); +exit3: + unlock_rename(new_dir, old_dir); +exit2: + path_release(&newnd); +exit1: + path_release(&oldnd); +exit: + return error; +} + +asmlinkage long sys_rename(const char __user * oldname, const char __user * newname) +{ + int error; + char * from; + char * to; + + from = getname(oldname); + if(IS_ERR(from)) + return PTR_ERR(from); + to = getname(newname); + error = PTR_ERR(to); + if (!IS_ERR(to)) { + error = do_rename(from,to); + putname(to); + } + putname(from); + return error; +} + +int vfs_readlink(struct dentry *dentry, char __user *buffer, int buflen, const char *link) +{ + int len; + + len = PTR_ERR(link); + if (IS_ERR(link)) + goto out; + + len = strlen(link); + if (len > (unsigned) buflen) + len = buflen; + if (copy_to_user(buffer, link, len)) + len = -EFAULT; +out: + return len; +} + +/* + * A helper for ->readlink(). This should be used *ONLY* for symlinks that + * have ->follow_link() touching nd only in nd_set_link(). Using (or not + * using) it for any given inode is up to filesystem. + */ +int generic_readlink(struct dentry *dentry, char __user *buffer, int buflen) +{ + struct nameidata nd; + int res; + nd.depth = 0; + res = dentry->d_inode->i_op->follow_link(dentry, &nd); + if (!res) { + res = vfs_readlink(dentry, buffer, buflen, nd_get_link(&nd)); + if (dentry->d_inode->i_op->put_link) + dentry->d_inode->i_op->put_link(dentry, &nd); + } + return res; +} + +int vfs_follow_link(struct nameidata *nd, const char *link) +{ + return __vfs_follow_link(nd, link); +} + +/* get the link contents into pagecache */ +static char *page_getlink(struct dentry * dentry, struct page **ppage) +{ + struct page * page; + struct address_space *mapping = dentry->d_inode->i_mapping; + page = read_cache_page(mapping, 0, (filler_t *)mapping->a_ops->readpage, + NULL); + if (IS_ERR(page)) + goto sync_fail; + wait_on_page_locked(page); + if (!PageUptodate(page)) + goto async_fail; + *ppage = page; + return kmap(page); + +async_fail: + page_cache_release(page); + return ERR_PTR(-EIO); + +sync_fail: + return (char*)page; +} + +int page_readlink(struct dentry *dentry, char __user *buffer, int buflen) +{ + struct page *page = NULL; + char *s = page_getlink(dentry, &page); + int res = vfs_readlink(dentry,buffer,buflen,s); + if (page) { + kunmap(page); + page_cache_release(page); + } + return res; +} + +int page_follow_link_light(struct dentry *dentry, struct nameidata *nd) +{ + struct page *page; + nd_set_link(nd, page_getlink(dentry, &page)); + return 0; +} + +void page_put_link(struct dentry *dentry, struct nameidata *nd) +{ + if (!IS_ERR(nd_get_link(nd))) { + struct page *page; + page = find_get_page(dentry->d_inode->i_mapping, 0); + if (!page) + BUG(); + kunmap(page); + page_cache_release(page); + page_cache_release(page); + } +} + +int page_symlink(struct inode *inode, const char *symname, int len) +{ + struct address_space *mapping = inode->i_mapping; + struct page *page = grab_cache_page(mapping, 0); + int err = -ENOMEM; + char *kaddr; + + if (!page) + goto fail; + err = mapping->a_ops->prepare_write(NULL, page, 0, len-1); + if (err) + goto fail_map; + kaddr = kmap_atomic(page, KM_USER0); + memcpy(kaddr, symname, len-1); + kunmap_atomic(kaddr, KM_USER0); + mapping->a_ops->commit_write(NULL, page, 0, len-1); + /* + * Notice that we are _not_ going to block here - end of page is + * unmapped, so this will only try to map the rest of page, see + * that it is unmapped (typically even will not look into inode - + * ->i_size will be enough for everything) and zero it out. + * OTOH it's obviously correct and should make the page up-to-date. + */ + if (!PageUptodate(page)) { + err = mapping->a_ops->readpage(NULL, page); + wait_on_page_locked(page); + } else { + unlock_page(page); + } + page_cache_release(page); + if (err < 0) + goto fail; + mark_inode_dirty(inode); + return 0; +fail_map: + unlock_page(page); + page_cache_release(page); +fail: + return err; +} + +struct inode_operations page_symlink_inode_operations = { + .readlink = generic_readlink, + .follow_link = page_follow_link_light, + .put_link = page_put_link, +}; + +EXPORT_SYMBOL(__user_walk); +EXPORT_SYMBOL(follow_down); +EXPORT_SYMBOL(follow_up); +EXPORT_SYMBOL(get_write_access); /* binfmt_aout */ +EXPORT_SYMBOL(getname); +EXPORT_SYMBOL(lock_rename); +EXPORT_SYMBOL(lookup_hash); +EXPORT_SYMBOL(lookup_one_len); +EXPORT_SYMBOL(page_follow_link_light); +EXPORT_SYMBOL(page_put_link); +EXPORT_SYMBOL(page_readlink); +EXPORT_SYMBOL(page_symlink); +EXPORT_SYMBOL(page_symlink_inode_operations); +EXPORT_SYMBOL(path_lookup); +EXPORT_SYMBOL(path_release); +EXPORT_SYMBOL(path_walk); +EXPORT_SYMBOL(permission); +EXPORT_SYMBOL(unlock_rename); +EXPORT_SYMBOL(vfs_create); +EXPORT_SYMBOL(vfs_follow_link); +EXPORT_SYMBOL(vfs_link); +EXPORT_SYMBOL(vfs_mkdir); +EXPORT_SYMBOL(vfs_mknod); +EXPORT_SYMBOL(generic_permission); +EXPORT_SYMBOL(vfs_readlink); +EXPORT_SYMBOL(vfs_rename); +EXPORT_SYMBOL(vfs_rmdir); +EXPORT_SYMBOL(vfs_symlink); +EXPORT_SYMBOL(vfs_unlink); +EXPORT_SYMBOL(dentry_unhash); +EXPORT_SYMBOL(generic_readlink); diff -Nrub linux-2.6.11.7-orig/fs/namespace.c linux-2.6.11.7-snare/fs/namespace.c --- linux-2.6.11.7-orig/fs/namespace.c 2005-04-07 14:57:46.000000000 -0400 +++ linux-2.6.11.7-snare/fs/namespace.c 2005-04-22 11:19:47.192666072 -0400 @@ -19,6 +19,7 @@ #include #include #include +#include #include #include #include @@ -487,6 +488,7 @@ dput_and_out: path_release_on_umount(&nd); out: + saudit_umount((char *)NULL,name,flags,retval); return retval; } @@ -1156,17 +1158,23 @@ char *dir_page; retval = copy_mount_options (type, &type_page); - if (retval < 0) + if (retval < 0) { + saudit_mount((char *)NULL,dev_name,(char *)NULL,dir_name,flags,retval); return retval; + } dir_page = getname(dir_name); retval = PTR_ERR(dir_page); - if (IS_ERR(dir_page)) + if (IS_ERR(dir_page)) { + saudit_mount((char *)NULL,dev_name,(char *)NULL,dir_name,flags,retval); goto out1; + } retval = copy_mount_options (dev_name, &dev_page); - if (retval < 0) + if (retval < 0) { + saudit_mount((char *)NULL,dev_name,dir_page,(char *)NULL,flags,retval); goto out2; + } retval = copy_mount_options (data, &data_page); if (retval < 0) @@ -1179,6 +1187,7 @@ free_page(data_page); out3: + saudit_mount((char *)dev_page,(char *)NULL,dir_page,(char *)NULL,flags,retval); free_page(dev_page); out2: putname(dir_page); diff -Nrub linux-2.6.11.7-orig/fs/open.c linux-2.6.11.7-snare/fs/open.c --- linux-2.6.11.7-orig/fs/open.c 2005-04-07 14:57:09.000000000 -0400 +++ linux-2.6.11.7-snare/fs/open.c 2005-04-22 11:19:47.193665920 -0400 @@ -14,6 +14,7 @@ #include #include #include +#include #include #include #include @@ -217,12 +218,16 @@ int error; error = -EINVAL; - if (length < 0) /* sorry, but loff_t says... */ + if (length < 0) { /* sorry, but loff_t says... */ + saudit_truncate((char *)NULL,path,length,error); goto out; + } error = user_path_walk(path, &nd); - if (error) + if (error) { + saudit_truncate((char *)NULL,path,length,error); goto out; + } inode = nd.dentry->d_inode; /* For directories it's -EISDIR, for other non-regulars - -EINVAL */ @@ -267,6 +272,7 @@ dput_and_out: path_release(&nd); out: + saudit_truncate((char *)NULL,path,length,error); return error; } @@ -572,8 +578,10 @@ int error; error = __user_walk(filename, LOOKUP_FOLLOW | LOOKUP_DIRECTORY | LOOKUP_NOALT, &nd); - if (error) + if (error) { + saudit_chroot((char *)NULL,filename,error); goto out; + } error = permission(nd.dentry->d_inode,MAY_EXEC,&nd); if (error) @@ -589,6 +597,7 @@ dput_and_out: path_release(&nd); out: + saudit_chroot((char *)NULL,filename,error); return error; } @@ -635,8 +644,10 @@ struct iattr newattrs; error = user_path_walk(filename, &nd); - if (error) + if (error) { + saudit_chmod((char *)NULL,filename,mode,error); goto out; + } inode = nd.dentry->d_inode; error = -EROFS; @@ -658,6 +669,7 @@ dput_and_out: path_release(&nd); out: + saudit_chmod((char *)NULL,filename,mode,error); return error; } @@ -706,6 +718,7 @@ error = chown_common(nd.dentry, user, group); path_release(&nd); } + saudit_chown((char *)NULL,filename,user,group,error); return error; } @@ -719,6 +732,7 @@ error = chown_common(nd.dentry, user, group); path_release(&nd); } + saudit_chown((char *)NULL,filename,user,group,error); return error; } @@ -940,16 +954,21 @@ #endif tmp = getname(filename); fd = PTR_ERR(tmp); - if (!IS_ERR(tmp)) { + if (IS_ERR(tmp)) { + saudit_open((char *)NULL,(char *)NULL,flags,mode,fd); + } else { fd = get_unused_fd(); if (fd >= 0) { struct file *f = filp_open(tmp, flags, mode); error = PTR_ERR(f); - if (IS_ERR(f)) + if (IS_ERR(f)) { + saudit_open(tmp,(char *)NULL,flags,mode,fd); goto out_error; + } fd_install(fd, f); } out: + saudit_open(tmp,(char *)NULL,flags,mode,fd); putname(tmp); } return fd; diff -Nrub linux-2.6.11.7-orig/fs/open.c.orig linux-2.6.11.7-snare/fs/open.c.orig --- linux-2.6.11.7-orig/fs/open.c.orig 1969-12-31 19:00:00.000000000 -0500 +++ linux-2.6.11.7-snare/fs/open.c.orig 2005-04-07 14:57:09.000000000 -0400 @@ -0,0 +1,1076 @@ +/* + * linux/fs/open.c + * + * Copyright (C) 1991, 1992 Linus Torvalds + */ + +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include + +#include + +int vfs_statfs(struct super_block *sb, struct kstatfs *buf) +{ + int retval = -ENODEV; + + if (sb) { + retval = -ENOSYS; + if (sb->s_op->statfs) { + memset(buf, 0, sizeof(*buf)); + retval = security_sb_statfs(sb); + if (retval) + return retval; + retval = sb->s_op->statfs(sb, buf); + if (retval == 0 && buf->f_frsize == 0) + buf->f_frsize = buf->f_bsize; + } + } + return retval; +} + +EXPORT_SYMBOL(vfs_statfs); + +static int vfs_statfs_native(struct super_block *sb, struct statfs *buf) +{ + struct kstatfs st; + int retval; + + retval = vfs_statfs(sb, &st); + if (retval) + return retval; + + if (sizeof(*buf) == sizeof(st)) + memcpy(buf, &st, sizeof(st)); + else { + if (sizeof buf->f_blocks == 4) { + if ((st.f_blocks | st.f_bfree | st.f_bavail) & + 0xffffffff00000000ULL) + return -EOVERFLOW; + /* + * f_files and f_ffree may be -1; it's okay to stuff + * that into 32 bits + */ + if (st.f_files != -1 && + (st.f_files & 0xffffffff00000000ULL)) + return -EOVERFLOW; + if (st.f_ffree != -1 && + (st.f_ffree & 0xffffffff00000000ULL)) + return -EOVERFLOW; + } + + buf->f_type = st.f_type; + buf->f_bsize = st.f_bsize; + buf->f_blocks = st.f_blocks; + buf->f_bfree = st.f_bfree; + buf->f_bavail = st.f_bavail; + buf->f_files = st.f_files; + buf->f_ffree = st.f_ffree; + buf->f_fsid = st.f_fsid; + buf->f_namelen = st.f_namelen; + buf->f_frsize = st.f_frsize; + memset(buf->f_spare, 0, sizeof(buf->f_spare)); + } + return 0; +} + +static int vfs_statfs64(struct super_block *sb, struct statfs64 *buf) +{ + struct kstatfs st; + int retval; + + retval = vfs_statfs(sb, &st); + if (retval) + return retval; + + if (sizeof(*buf) == sizeof(st)) + memcpy(buf, &st, sizeof(st)); + else { + buf->f_type = st.f_type; + buf->f_bsize = st.f_bsize; + buf->f_blocks = st.f_blocks; + buf->f_bfree = st.f_bfree; + buf->f_bavail = st.f_bavail; + buf->f_files = st.f_files; + buf->f_ffree = st.f_ffree; + buf->f_fsid = st.f_fsid; + buf->f_namelen = st.f_namelen; + buf->f_frsize = st.f_frsize; + memset(buf->f_spare, 0, sizeof(buf->f_spare)); + } + return 0; +} + +asmlinkage long sys_statfs(const char __user * path, struct statfs __user * buf) +{ + struct nameidata nd; + int error; + + error = user_path_walk(path, &nd); + if (!error) { + struct statfs tmp; + error = vfs_statfs_native(nd.dentry->d_inode->i_sb, &tmp); + if (!error && copy_to_user(buf, &tmp, sizeof(tmp))) + error = -EFAULT; + path_release(&nd); + } + return error; +} + + +asmlinkage long sys_statfs64(const char __user *path, size_t sz, struct statfs64 __user *buf) +{ + struct nameidata nd; + long error; + + if (sz != sizeof(*buf)) + return -EINVAL; + error = user_path_walk(path, &nd); + if (!error) { + struct statfs64 tmp; + error = vfs_statfs64(nd.dentry->d_inode->i_sb, &tmp); + if (!error && copy_to_user(buf, &tmp, sizeof(tmp))) + error = -EFAULT; + path_release(&nd); + } + return error; +} + + +asmlinkage long sys_fstatfs(unsigned int fd, struct statfs __user * buf) +{ + struct file * file; + struct statfs tmp; + int error; + + error = -EBADF; + file = fget(fd); + if (!file) + goto out; + error = vfs_statfs_native(file->f_dentry->d_inode->i_sb, &tmp); + if (!error && copy_to_user(buf, &tmp, sizeof(tmp))) + error = -EFAULT; + fput(file); +out: + return error; +} + +asmlinkage long sys_fstatfs64(unsigned int fd, size_t sz, struct statfs64 __user *buf) +{ + struct file * file; + struct statfs64 tmp; + int error; + + if (sz != sizeof(*buf)) + return -EINVAL; + + error = -EBADF; + file = fget(fd); + if (!file) + goto out; + error = vfs_statfs64(file->f_dentry->d_inode->i_sb, &tmp); + if (!error && copy_to_user(buf, &tmp, sizeof(tmp))) + error = -EFAULT; + fput(file); +out: + return error; +} + +int do_truncate(struct dentry *dentry, loff_t length) +{ + int err; + struct iattr newattrs; + + /* Not pretty: "inode->i_size" shouldn't really be signed. But it is. */ + if (length < 0) + return -EINVAL; + + newattrs.ia_size = length; + newattrs.ia_valid = ATTR_SIZE | ATTR_CTIME; + + down(&dentry->d_inode->i_sem); + err = notify_change(dentry, &newattrs); + up(&dentry->d_inode->i_sem); + return err; +} + +static inline long do_sys_truncate(const char __user * path, loff_t length) +{ + struct nameidata nd; + struct inode * inode; + int error; + + error = -EINVAL; + if (length < 0) /* sorry, but loff_t says... */ + goto out; + + error = user_path_walk(path, &nd); + if (error) + goto out; + inode = nd.dentry->d_inode; + + /* For directories it's -EISDIR, for other non-regulars - -EINVAL */ + error = -EISDIR; + if (S_ISDIR(inode->i_mode)) + goto dput_and_out; + + error = -EINVAL; + if (!S_ISREG(inode->i_mode)) + goto dput_and_out; + + error = permission(inode,MAY_WRITE,&nd); + if (error) + goto dput_and_out; + + error = -EROFS; + if (IS_RDONLY(inode)) + goto dput_and_out; + + error = -EPERM; + if (IS_IMMUTABLE(inode) || IS_APPEND(inode)) + goto dput_and_out; + + /* + * Make sure that there are no leases. + */ + error = break_lease(inode, FMODE_WRITE); + if (error) + goto dput_and_out; + + error = get_write_access(inode); + if (error) + goto dput_and_out; + + error = locks_verify_truncate(inode, NULL, length); + if (!error) { + DQUOT_INIT(inode); + error = do_truncate(nd.dentry, length); + } + put_write_access(inode); + +dput_and_out: + path_release(&nd); +out: + return error; +} + +asmlinkage long sys_truncate(const char __user * path, unsigned long length) +{ + /* on 32-bit boxen it will cut the range 2^31--2^32-1 off */ + return do_sys_truncate(path, (long)length); +} + +static inline long do_sys_ftruncate(unsigned int fd, loff_t length, int small) +{ + struct inode * inode; + struct dentry *dentry; + struct file * file; + int error; + + error = -EINVAL; + if (length < 0) + goto out; + error = -EBADF; + file = fget(fd); + if (!file) + goto out; + + /* explicitly opened as large or we are on 64-bit box */ + if (file->f_flags & O_LARGEFILE) + small = 0; + + dentry = file->f_dentry; + inode = dentry->d_inode; + error = -EINVAL; + if (!S_ISREG(inode->i_mode) || !(file->f_mode & FMODE_WRITE)) + goto out_putf; + + error = -EINVAL; + /* Cannot ftruncate over 2^31 bytes without large file support */ + if (small && length > MAX_NON_LFS) + goto out_putf; + + error = -EPERM; + if (IS_APPEND(inode)) + goto out_putf; + + error = locks_verify_truncate(inode, file, length); + if (!error) + error = do_truncate(dentry, length); +out_putf: + fput(file); +out: + return error; +} + +asmlinkage long sys_ftruncate(unsigned int fd, unsigned long length) +{ + return do_sys_ftruncate(fd, length, 1); +} + +/* LFS versions of truncate are only needed on 32 bit machines */ +#if BITS_PER_LONG == 32 +asmlinkage long sys_truncate64(const char __user * path, loff_t length) +{ + return do_sys_truncate(path, length); +} + +asmlinkage long sys_ftruncate64(unsigned int fd, loff_t length) +{ + return do_sys_ftruncate(fd, length, 0); +} +#endif + +#ifdef __ARCH_WANT_SYS_UTIME + +/* + * sys_utime() can be implemented in user-level using sys_utimes(). + * Is this for backwards compatibility? If so, why not move it + * into the appropriate arch directory (for those architectures that + * need it). + */ + +/* If times==NULL, set access and modification to current time, + * must be owner or have write permission. + * Else, update from *times, must be owner or super user. + */ +asmlinkage long sys_utime(char __user * filename, struct utimbuf __user * times) +{ + int error; + struct nameidata nd; + struct inode * inode; + struct iattr newattrs; + + error = user_path_walk(filename, &nd); + if (error) + goto out; + inode = nd.dentry->d_inode; + + error = -EROFS; + if (IS_RDONLY(inode)) + goto dput_and_out; + + /* Don't worry, the checks are done in inode_change_ok() */ + newattrs.ia_valid = ATTR_CTIME | ATTR_MTIME | ATTR_ATIME; + if (times) { + error = -EPERM; + if (IS_APPEND(inode) || IS_IMMUTABLE(inode)) + goto dput_and_out; + + error = get_user(newattrs.ia_atime.tv_sec, ×->actime); + newattrs.ia_atime.tv_nsec = 0; + if (!error) + error = get_user(newattrs.ia_mtime.tv_sec, ×->modtime); + newattrs.ia_mtime.tv_nsec = 0; + if (error) + goto dput_and_out; + + newattrs.ia_valid |= ATTR_ATIME_SET | ATTR_MTIME_SET; + } else { + error = -EACCES; + if (IS_IMMUTABLE(inode)) + goto dput_and_out; + + if (current->fsuid != inode->i_uid && + (error = permission(inode,MAY_WRITE,&nd)) != 0) + goto dput_and_out; + } + down(&inode->i_sem); + error = notify_change(nd.dentry, &newattrs); + up(&inode->i_sem); +dput_and_out: + path_release(&nd); +out: + return error; +} + +#endif + +/* If times==NULL, set access and modification to current time, + * must be owner or have write permission. + * Else, update from *times, must be owner or super user. + */ +long do_utimes(char __user * filename, struct timeval * times) +{ + int error; + struct nameidata nd; + struct inode * inode; + struct iattr newattrs; + + error = user_path_walk(filename, &nd); + + if (error) + goto out; + inode = nd.dentry->d_inode; + + error = -EROFS; + if (IS_RDONLY(inode)) + goto dput_and_out; + + /* Don't worry, the checks are done in inode_change_ok() */ + newattrs.ia_valid = ATTR_CTIME | ATTR_MTIME | ATTR_ATIME; + if (times) { + error = -EPERM; + if (IS_APPEND(inode) || IS_IMMUTABLE(inode)) + goto dput_and_out; + + newattrs.ia_atime.tv_sec = times[0].tv_sec; + newattrs.ia_atime.tv_nsec = times[0].tv_usec * 1000; + newattrs.ia_mtime.tv_sec = times[1].tv_sec; + newattrs.ia_mtime.tv_nsec = times[1].tv_usec * 1000; + newattrs.ia_valid |= ATTR_ATIME_SET | ATTR_MTIME_SET; + } else { + error = -EACCES; + if (IS_IMMUTABLE(inode)) + goto dput_and_out; + + if (current->fsuid != inode->i_uid && + (error = permission(inode,MAY_WRITE,&nd)) != 0) + goto dput_and_out; + } + down(&inode->i_sem); + error = notify_change(nd.dentry, &newattrs); + up(&inode->i_sem); +dput_and_out: + path_release(&nd); +out: + return error; +} + +asmlinkage long sys_utimes(char __user * filename, struct timeval __user * utimes) +{ + struct timeval times[2]; + + if (utimes && copy_from_user(×, utimes, sizeof(times))) + return -EFAULT; + return do_utimes(filename, utimes ? times : NULL); +} + + +/* + * access() needs to use the real uid/gid, not the effective uid/gid. + * We do this by temporarily clearing all FS-related capabilities and + * switching the fsuid/fsgid around to the real ones. + */ +asmlinkage long sys_access(const char __user * filename, int mode) +{ + struct nameidata nd; + int old_fsuid, old_fsgid; + kernel_cap_t old_cap; + int res; + + if (mode & ~S_IRWXO) /* where's F_OK, X_OK, W_OK, R_OK? */ + return -EINVAL; + + old_fsuid = current->fsuid; + old_fsgid = current->fsgid; + old_cap = current->cap_effective; + + current->fsuid = current->uid; + current->fsgid = current->gid; + + /* + * Clear the capabilities if we switch to a non-root user + * + * FIXME: There is a race here against sys_capset. The + * capabilities can change yet we will restore the old + * value below. We should hold task_capabilities_lock, + * but we cannot because user_path_walk can sleep. + */ + if (current->uid) + cap_clear(current->cap_effective); + else + current->cap_effective = current->cap_permitted; + + res = __user_walk(filename, LOOKUP_FOLLOW|LOOKUP_ACCESS, &nd); + if (!res) { + res = permission(nd.dentry->d_inode, mode, &nd); + /* SuS v2 requires we report a read only fs too */ + if(!res && (mode & S_IWOTH) && IS_RDONLY(nd.dentry->d_inode) + && !special_file(nd.dentry->d_inode->i_mode)) + res = -EROFS; + path_release(&nd); + } + + current->fsuid = old_fsuid; + current->fsgid = old_fsgid; + current->cap_effective = old_cap; + + return res; +} + +asmlinkage long sys_chdir(const char __user * filename) +{ + struct nameidata nd; + int error; + + error = __user_walk(filename, LOOKUP_FOLLOW|LOOKUP_DIRECTORY, &nd); + if (error) + goto out; + + error = permission(nd.dentry->d_inode,MAY_EXEC,&nd); + if (error) + goto dput_and_out; + + set_fs_pwd(current->fs, nd.mnt, nd.dentry); + +dput_and_out: + path_release(&nd); +out: + return error; +} + +asmlinkage long sys_fchdir(unsigned int fd) +{ + struct file *file; + struct dentry *dentry; + struct inode *inode; + struct vfsmount *mnt; + int error; + + error = -EBADF; + file = fget(fd); + if (!file) + goto out; + + dentry = file->f_dentry; + mnt = file->f_vfsmnt; + inode = dentry->d_inode; + + error = -ENOTDIR; + if (!S_ISDIR(inode->i_mode)) + goto out_putf; + + error = permission(inode, MAY_EXEC, NULL); + if (!error) + set_fs_pwd(current->fs, mnt, dentry); +out_putf: + fput(file); +out: + return error; +} + +asmlinkage long sys_chroot(const char __user * filename) +{ + struct nameidata nd; + int error; + + error = __user_walk(filename, LOOKUP_FOLLOW | LOOKUP_DIRECTORY | LOOKUP_NOALT, &nd); + if (error) + goto out; + + error = permission(nd.dentry->d_inode,MAY_EXEC,&nd); + if (error) + goto dput_and_out; + + error = -EPERM; + if (!capable(CAP_SYS_CHROOT)) + goto dput_and_out; + + set_fs_root(current->fs, nd.mnt, nd.dentry); + set_fs_altroot(); + error = 0; +dput_and_out: + path_release(&nd); +out: + return error; +} + +asmlinkage long sys_fchmod(unsigned int fd, mode_t mode) +{ + struct inode * inode; + struct dentry * dentry; + struct file * file; + int err = -EBADF; + struct iattr newattrs; + + file = fget(fd); + if (!file) + goto out; + + dentry = file->f_dentry; + inode = dentry->d_inode; + + err = -EROFS; + if (IS_RDONLY(inode)) + goto out_putf; + err = -EPERM; + if (IS_IMMUTABLE(inode) || IS_APPEND(inode)) + goto out_putf; + down(&inode->i_sem); + if (mode == (mode_t) -1) + mode = inode->i_mode; + newattrs.ia_mode = (mode & S_IALLUGO) | (inode->i_mode & ~S_IALLUGO); + newattrs.ia_valid = ATTR_MODE | ATTR_CTIME; + err = notify_change(dentry, &newattrs); + up(&inode->i_sem); + +out_putf: + fput(file); +out: + return err; +} + +asmlinkage long sys_chmod(const char __user * filename, mode_t mode) +{ + struct nameidata nd; + struct inode * inode; + int error; + struct iattr newattrs; + + error = user_path_walk(filename, &nd); + if (error) + goto out; + inode = nd.dentry->d_inode; + + error = -EROFS; + if (IS_RDONLY(inode)) + goto dput_and_out; + + error = -EPERM; + if (IS_IMMUTABLE(inode) || IS_APPEND(inode)) + goto dput_and_out; + + down(&inode->i_sem); + if (mode == (mode_t) -1) + mode = inode->i_mode; + newattrs.ia_mode = (mode & S_IALLUGO) | (inode->i_mode & ~S_IALLUGO); + newattrs.ia_valid = ATTR_MODE | ATTR_CTIME; + error = notify_change(nd.dentry, &newattrs); + up(&inode->i_sem); + +dput_and_out: + path_release(&nd); +out: + return error; +} + +static int chown_common(struct dentry * dentry, uid_t user, gid_t group) +{ + struct inode * inode; + int error; + struct iattr newattrs; + + error = -ENOENT; + if (!(inode = dentry->d_inode)) { + printk(KERN_ERR "chown_common: NULL inode\n"); + goto out; + } + error = -EROFS; + if (IS_RDONLY(inode)) + goto out; + error = -EPERM; + if (IS_IMMUTABLE(inode) || IS_APPEND(inode)) + goto out; + newattrs.ia_valid = ATTR_CTIME; + if (user != (uid_t) -1) { + newattrs.ia_valid |= ATTR_UID; + newattrs.ia_uid = user; + } + if (group != (gid_t) -1) { + newattrs.ia_valid |= ATTR_GID; + newattrs.ia_gid = group; + } + if (!S_ISDIR(inode->i_mode)) + newattrs.ia_valid |= ATTR_KILL_SUID|ATTR_KILL_SGID; + down(&inode->i_sem); + error = notify_change(dentry, &newattrs); + up(&inode->i_sem); +out: + return error; +} + +asmlinkage long sys_chown(const char __user * filename, uid_t user, gid_t group) +{ + struct nameidata nd; + int error; + + error = user_path_walk(filename, &nd); + if (!error) { + error = chown_common(nd.dentry, user, group); + path_release(&nd); + } + return error; +} + +asmlinkage long sys_lchown(const char __user * filename, uid_t user, gid_t group) +{ + struct nameidata nd; + int error; + + error = user_path_walk_link(filename, &nd); + if (!error) { + error = chown_common(nd.dentry, user, group); + path_release(&nd); + } + return error; +} + + +asmlinkage long sys_fchown(unsigned int fd, uid_t user, gid_t group) +{ + struct file * file; + int error = -EBADF; + + file = fget(fd); + if (file) { + error = chown_common(file->f_dentry, user, group); + fput(file); + } + return error; +} + +/* + * Note that while the flag value (low two bits) for sys_open means: + * 00 - read-only + * 01 - write-only + * 10 - read-write + * 11 - special + * it is changed into + * 00 - no permissions needed + * 01 - read-permission + * 10 - write-permission + * 11 - read-write + * for the internal routines (ie open_namei()/follow_link() etc). 00 is + * used by symlinks. + */ +struct file *filp_open(const char * filename, int flags, int mode) +{ + int namei_flags, error; + struct nameidata nd; + + namei_flags = flags; + if ((namei_flags+1) & O_ACCMODE) + namei_flags++; + if (namei_flags & O_TRUNC) + namei_flags |= 2; + + error = open_namei(filename, namei_flags, mode, &nd); + if (!error) + return dentry_open(nd.dentry, nd.mnt, flags); + + return ERR_PTR(error); +} + +EXPORT_SYMBOL(filp_open); + +struct file *dentry_open(struct dentry *dentry, struct vfsmount *mnt, int flags) +{ + struct file * f; + struct inode *inode; + int error; + + error = -ENFILE; + f = get_empty_filp(); + if (!f) + goto cleanup_dentry; + f->f_flags = flags; + f->f_mode = ((flags+1) & O_ACCMODE) | FMODE_LSEEK | FMODE_PREAD | FMODE_PWRITE; + inode = dentry->d_inode; + if (f->f_mode & FMODE_WRITE) { + error = get_write_access(inode); + if (error) + goto cleanup_file; + } + + f->f_mapping = inode->i_mapping; + f->f_dentry = dentry; + f->f_vfsmnt = mnt; + f->f_pos = 0; + f->f_op = fops_get(inode->i_fop); + file_move(f, &inode->i_sb->s_files); + + if (f->f_op && f->f_op->open) { + error = f->f_op->open(inode,f); + if (error) + goto cleanup_all; + } + f->f_flags &= ~(O_CREAT | O_EXCL | O_NOCTTY | O_TRUNC); + + file_ra_state_init(&f->f_ra, f->f_mapping->host->i_mapping); + + /* NB: we're sure to have correct a_ops only after f_op->open */ + if (f->f_flags & O_DIRECT) { + if (!f->f_mapping->a_ops || !f->f_mapping->a_ops->direct_IO) { + fput(f); + f = ERR_PTR(-EINVAL); + } + } + + return f; + +cleanup_all: + fops_put(f->f_op); + if (f->f_mode & FMODE_WRITE) + put_write_access(inode); + file_kill(f); + f->f_dentry = NULL; + f->f_vfsmnt = NULL; +cleanup_file: + put_filp(f); +cleanup_dentry: + dput(dentry); + mntput(mnt); + return ERR_PTR(error); +} + +EXPORT_SYMBOL(dentry_open); + +/* + * Find an empty file descriptor entry, and mark it busy. + */ +int get_unused_fd(void) +{ + struct files_struct * files = current->files; + int fd, error; + + error = -EMFILE; + spin_lock(&files->file_lock); + +repeat: + fd = find_next_zero_bit(files->open_fds->fds_bits, + files->max_fdset, + files->next_fd); + + /* + * N.B. For clone tasks sharing a files structure, this test + * will limit the total number of files that can be opened. + */ + if (fd >= current->signal->rlim[RLIMIT_NOFILE].rlim_cur) + goto out; + + /* Do we need to expand the fd array or fd set? */ + error = expand_files(files, fd); + if (error < 0) + goto out; + + if (error) { + /* + * If we needed to expand the fs array we + * might have blocked - try again. + */ + error = -EMFILE; + goto repeat; + } + + FD_SET(fd, files->open_fds); + FD_CLR(fd, files->close_on_exec); + files->next_fd = fd + 1; +#if 1 + /* Sanity check */ + if (files->fd[fd] != NULL) { + printk(KERN_WARNING "get_unused_fd: slot %d not NULL!\n", fd); + files->fd[fd] = NULL; + } +#endif + error = fd; + +out: + spin_unlock(&files->file_lock); + return error; +} + +EXPORT_SYMBOL(get_unused_fd); + +static inline void __put_unused_fd(struct files_struct *files, unsigned int fd) +{ + __FD_CLR(fd, files->open_fds); + if (fd < files->next_fd) + files->next_fd = fd; +} + +void fastcall put_unused_fd(unsigned int fd) +{ + struct files_struct *files = current->files; + spin_lock(&files->file_lock); + __put_unused_fd(files, fd); + spin_unlock(&files->file_lock); +} + +EXPORT_SYMBOL(put_unused_fd); + +/* + * Install a file pointer in the fd array. + * + * The VFS is full of places where we drop the files lock between + * setting the open_fds bitmap and installing the file in the file + * array. At any such point, we are vulnerable to a dup2() race + * installing a file in the array before us. We need to detect this and + * fput() the struct file we are about to overwrite in this case. + * + * It should never happen - if we allow dup2() do it, _really_ bad things + * will follow. + */ + +void fastcall fd_install(unsigned int fd, struct file * file) +{ + struct files_struct *files = current->files; + spin_lock(&files->file_lock); + if (unlikely(files->fd[fd] != NULL)) + BUG(); + files->fd[fd] = file; + spin_unlock(&files->file_lock); +} + +EXPORT_SYMBOL(fd_install); + +asmlinkage long sys_open(const char __user * filename, int flags, int mode) +{ + char * tmp; + int fd, error; + +#if BITS_PER_LONG != 32 + flags |= O_LARGEFILE; +#endif + tmp = getname(filename); + fd = PTR_ERR(tmp); + if (!IS_ERR(tmp)) { + fd = get_unused_fd(); + if (fd >= 0) { + struct file *f = filp_open(tmp, flags, mode); + error = PTR_ERR(f); + if (IS_ERR(f)) + goto out_error; + fd_install(fd, f); + } +out: + putname(tmp); + } + return fd; + +out_error: + put_unused_fd(fd); + fd = error; + goto out; +} +EXPORT_SYMBOL_GPL(sys_open); + +#ifndef __alpha__ + +/* + * For backward compatibility? Maybe this should be moved + * into arch/i386 instead? + */ +asmlinkage long sys_creat(const char __user * pathname, int mode) +{ + return sys_open(pathname, O_CREAT | O_WRONLY | O_TRUNC, mode); +} + +#endif + +/* + * "id" is the POSIX thread ID. We use the + * files pointer for this.. + */ +int filp_close(struct file *filp, fl_owner_t id) +{ + int retval; + + /* Report and clear outstanding errors */ + retval = filp->f_error; + if (retval) + filp->f_