error_t
iohelp_restrict_iouser (struct iouser **new_user,
const struct iouser *old_user,
const uid_t *uids, int nuids,
const gid_t *gids, int ngids)
{
if (idvec_contains (old_user->uids, 0))
/* OLD_USER has root access, and so may use any ids. */
return iohelp_create_complex_iouser (new_user, uids, nuids, gids, ngids);
else
{
struct idvec *uvec, *gvec;
int i;
error_t err;
uvec = make_idvec ();
if (! uvec)
return ENOMEM;
gvec = make_idvec ();
if (! gvec)
{
idvec_free (uvec);
return ENOMEM;
}
/* Otherwise, use any of the requested ids that OLD_USER already has. */
for (i = 0; i < old_user->uids->num; i++)
if (listmember (uids, old_user->uids->ids[i], nuids))
{
err = idvec_add (uvec, old_user->uids->ids[i]);
if (err)
goto out;
}
for (i = 0; i < old_user->gids->num; i++)
if (listmember (gids, old_user->gids->ids[i], ngids))
{
err = idvec_add (gvec, old_user->gids->ids[i]);
if (err)
goto out;
}
err = iohelp_create_iouser (new_user, uvec, gvec);
if (err)
{
out:
idvec_free (uvec);
idvec_free (gvec);
}
return err;
}
}
kern_return_t
trivfs_S_io_restrict_auth (struct trivfs_protid *cred,
mach_port_t reply,
mach_msg_type_name_t replytype,
mach_port_t *newport,
mach_msg_type_name_t *newporttype,
uid_t *uids, size_t nuids,
uid_t *gids, size_t ngids)
{
int i;
error_t err;
struct trivfs_protid *newcred;
struct idvec *uvec, *gvec;
struct iouser *user;
if (!cred)
return EOPNOTSUPP;
if (cred->isroot)
/* CRED has root access, and so may use any ids. */
{
err = iohelp_create_complex_iouser (&user, uids, nuids, gids, ngids);
if (err)
return err;
}
else
{
uvec = make_idvec ();
if (! uvec)
return ENOMEM;
gvec = make_idvec ();
if (! gvec)
{
idvec_free (uvec);
return ENOMEM;
}
/* Otherwise, use any of the requested ids that CRED already has. */
for (i = 0; i < cred->user->uids->num; i++)
if (listmember (uids, cred->user->uids->ids[i], nuids))
{
err = idvec_add (uvec, cred->user->uids->ids[i]);
if (err)
goto out;
}
for (i = 0; i < cred->user->gids->num; i++)
if (listmember (gids, cred->user->gids->ids[i], ngids))
{
err = idvec_add (gvec, cred->user->gids->ids[i]);
if (err)
goto out;
}
err = iohelp_create_iouser (&user, uvec, gvec);
if (err)
{
out:
idvec_free (uvec);
idvec_free (gvec);
return err;
}
}
err = ports_create_port (cred->po->cntl->protid_class,
cred->po->cntl->protid_bucket,
sizeof (struct trivfs_protid),
&newcred);
if (err)
{
iohelp_free_iouser (user);
return err;
}
newcred->isroot = 0;
mutex_lock (&cred->po->cntl->lock);
newcred->po = cred->po;
newcred->po->refcnt++;
mutex_unlock (&cred->po->cntl->lock);
if (cred->isroot && idvec_contains (user->uids, 0))
newcred->isroot = 1;
newcred->user = user;
newcred->hook = cred->hook;
err = io_restrict_auth (cred->realnode, &newcred->realnode,
user->uids->ids, user->uids->num,
user->gids->ids, user->gids->num);
if (!err && trivfs_protid_create_hook)
{
err = (*trivfs_protid_create_hook) (newcred);
if (err)
mach_port_deallocate (mach_task_self (), newcred->realnode);
}
if (err)
/* Signal that the user destroy hook shouldn't be called on NEWCRED. */
newcred->realnode = MACH_PORT_NULL;
else
{
*newport = ports_get_right (newcred);
*newporttype = MACH_MSG_TYPE_MAKE_SEND;
}
/* This will destroy NEWCRED if we got an error and didn't do the
ports_get_right above. */
ports_port_deref (newcred);
return 0;
}
/* Return in FILE & FILE_TYPE the file in FSYS corresponding to the NFS file
handle HANDLE & HANDLE_LEN. */
error_t
diskfs_S_fsys_getfile (mach_port_t fsys,
mach_port_t reply, mach_msg_type_name_t reply_type,
uid_t *uids, mach_msg_type_number_t nuids,
gid_t *gids, mach_msg_type_number_t ngids,
char *handle, mach_msg_type_number_t handle_len,
mach_port_t *file, mach_msg_type_name_t *file_type)
{
int flags;
error_t err;
struct node *node;
const union diskfs_fhandle *f;
struct protid *new_cred;
struct peropen *new_po;
struct iouser *user;
struct port_info *pt =
ports_lookup_port (diskfs_port_bucket, fsys, diskfs_control_class);
if (!pt)
return EOPNOTSUPP;
if (handle_len != sizeof *f)
{
ports_port_deref (pt);
return EINVAL;
}
f = (const union diskfs_fhandle *) handle;
err = diskfs_cached_lookup (f->data.cache_id, &node);
if (err)
{
ports_port_deref (pt);
return err;
}
if (node->dn_stat.st_gen != f->data.gen)
{
diskfs_nput (node);
ports_port_deref (pt);
return ESTALE;
}
err = iohelp_create_complex_iouser (&user, uids, nuids, gids, ngids);
if (err)
{
diskfs_nput (node);
ports_port_deref (pt);
return err;
}
flags = 0;
if (! fshelp_access (&node->dn_stat, S_IREAD, user))
flags |= O_READ;
if (! fshelp_access (&node->dn_stat, S_IEXEC, user))
flags |= O_EXEC;
if (! fshelp_access (&node->dn_stat, S_IWRITE, user)
&& ! S_ISDIR (node->dn_stat.st_mode)
&& ! diskfs_check_readonly ())
flags |= O_WRITE;
err = diskfs_make_peropen (node, flags, 0, &new_po);
if (! err)
{
err = diskfs_create_protid (new_po, user, &new_cred);
if (err)
diskfs_release_peropen (new_po);
}
iohelp_free_iouser (user);
diskfs_nput (node);
ports_port_deref (pt);
if (! err)
{
*file = ports_get_right (new_cred);
*file_type = MACH_MSG_TYPE_MAKE_SEND;
}
return err;
}
kern_return_t
trivfs_S_fsys_getroot (struct trivfs_control *cntl,
mach_port_t reply_port,
mach_msg_type_name_t reply_port_type,
mach_port_t dotdot,
uid_t *uids, size_t nuids,
uid_t *gids, size_t ngids,
int flags,
retry_type *do_retry,
char *retry_name,
mach_port_t *newpt,
mach_msg_type_name_t *newpttype)
{
int perms;
error_t err = 0;
mach_port_t new_realnode;
struct trivfs_protid *cred;
struct iouser *user;
if (!cntl)
return EOPNOTSUPP;
if (trivfs_getroot_hook)
{
err = (*trivfs_getroot_hook) (cntl, reply_port, reply_port_type, dotdot,
uids, nuids, gids, ngids, flags,
do_retry, retry_name, newpt, newpttype);
if (err != EAGAIN)
return err;
}
if ((flags & O_WRITE & trivfs_allow_open) != (flags & O_WRITE))
return EROFS;
if ((flags & (O_READ|O_WRITE|O_EXEC) & trivfs_allow_open)
!= (flags & (O_READ|O_WRITE|O_EXEC)))
return EACCES;
/* O_CREAT and O_EXCL are not meaningful here; O_NOLINK and O_NOTRANS
will only be useful when trivfs supports translators (which it doesn't
now). */
flags &= O_HURD;
flags &= ~(O_CREAT|O_EXCL|O_NOLINK|O_NOTRANS);
struct idvec idvec = {
.ids = uids,
.num = nuids,
.alloced = nuids,
};
if (_is_privileged (&idvec))
/* Privileged users should be given all our rights. */
err = io_duplicate (cntl->underlying, &new_realnode);
else
/* Non-privileged, restrict rights. */
err = io_restrict_auth (cntl->underlying,
&new_realnode, uids, nuids, gids, ngids);
if (err)
return err;
err = iohelp_create_complex_iouser (&user, uids, nuids, gids, ngids);
if (err)
return err;
/* Validate permissions. */
if (! trivfs_check_access_hook)
file_check_access (new_realnode, &perms);
else
(*trivfs_check_access_hook) (cntl, user, new_realnode, &perms);
if ((flags & (O_READ|O_WRITE|O_EXEC) & perms)
!= (flags & (O_READ|O_WRITE|O_EXEC)))
err = EACCES;
if (!err && trivfs_check_open_hook)
err = (*trivfs_check_open_hook) (cntl, user, flags);
if (!err)
{
if (! trivfs_open_hook)
{
err = trivfs_open (cntl, user, flags, new_realnode, &cred);
if (!err)
mach_port_deallocate (mach_task_self (), dotdot);
}
else
err = (*trivfs_open_hook) (cntl, user, dotdot, flags, new_realnode,
&cred);
}
if (err)
{
mach_port_deallocate (mach_task_self (), new_realnode);
iohelp_free_iouser (user);
}
else
{
*do_retry = FS_RETRY_NORMAL;
*retry_name = '\0';
*newpt = ports_get_right (cred);
*newpttype = MACH_MSG_TYPE_MAKE_SEND;
ports_port_deref (cred);
}
return err;
}
