git: 22c1852a04b0 - releng/13.0 - open(2): Remove O_BENEATH and AT_BENEATH

Konstantin Belousov kib at FreeBSD.org
Thu Mar 4 20:08:45 UTC 2021


The branch releng/13.0 has been updated by kib:

URL: https://cgit.FreeBSD.org/src/commit/?id=22c1852a04b0fec9d91a74cb13de8f2827800029

commit 22c1852a04b0fec9d91a74cb13de8f2827800029
Author:     Konstantin Belousov <kib at FreeBSD.org>
AuthorDate: 2021-02-16 03:31:40 +0000
Commit:     Konstantin Belousov <kib at FreeBSD.org>
CommitDate: 2021-03-04 20:07:46 +0000

    open(2): Remove O_BENEATH and AT_BENEATH
    
    Approved by:    re (gjb)
    
    (cherry picked from commit 20e91ca36a56b8db1e6677f577ad011b66dd6eb3)
---
 lib/libc/sys/access.2    | 24 +++------------
 lib/libc/sys/chflags.2   | 29 +++++-------------
 lib/libc/sys/chmod.2     | 29 +++++-------------
 lib/libc/sys/chown.2     | 29 +++++-------------
 lib/libc/sys/getfh.2     | 37 +++++------------------
 lib/libc/sys/link.2      | 28 +++++------------
 lib/libc/sys/open.2      | 77 ++++++++---------------------------------------
 lib/libc/sys/stat.2      | 50 +++++--------------------------
 lib/libc/sys/unlink.2    | 29 +++++-------------
 lib/libc/sys/utimensat.2 | 29 +++++-------------
 sys/kern/vfs_lookup.c    | 78 +++++++-----------------------------------------
 sys/kern/vfs_syscalls.c  | 51 +++++++++++++------------------
 sys/kern/vfs_vnops.c     |  2 --
 sys/sys/fcntl.h          | 14 ++++-----
 sys/sys/namei.h          |  5 ----
 15 files changed, 112 insertions(+), 399 deletions(-)

diff --git a/lib/libc/sys/access.2 b/lib/libc/sys/access.2
index 1cd7eed1301b..13bfd7e5a88a 100644
--- a/lib/libc/sys/access.2
+++ b/lib/libc/sys/access.2
@@ -28,7 +28,7 @@
 .\"     @(#)access.2	8.2 (Berkeley) 4/1/94
 .\" $FreeBSD$
 .\"
-.Dd September 23, 2020
+.Dd February 23, 2021
 .Dt ACCESS 2
 .Os
 .Sh NAME
@@ -120,15 +120,10 @@ list, defined in
 The checks for accessibility are performed using the effective user and group
 IDs instead of the real user and group ID as required in a call to
 .Fn access .
-.It Dv AT_BENEATH
-Only operate on files and directories below the topping directory.
-See the description of the
-.Dv O_BENEATH
-flag in the
-.Xr open 2
-manual page.
 .It Dv AT_RESOLVE_BENEATH
-Only walks paths below the topping directory.
+Only walk paths below the directory specified by the
+.Ar fd
+descriptor.
 See the description of the
 .Dv O_RESOLVE_BENEATH
 flag in the
@@ -218,17 +213,6 @@ or contained a ".." component leading to a
 directory outside of the directory hierarchy specified by
 .Fa fd ,
 and the process is in capability mode.
-.It Bq Er ENOTCAPABLE
-The
-.Dv AT_BENEATH
-flag was provided to
-.Fn faccessat ,
-and the absolute
-.Fa path
-does not have its tail fully contained under the topping directory,
-or the relative
-.Fa path
-escapes it.
 .El
 .Sh SEE ALSO
 .Xr chmod 2 ,
diff --git a/lib/libc/sys/chflags.2 b/lib/libc/sys/chflags.2
index b6b0b43249c7..a44713904599 100644
--- a/lib/libc/sys/chflags.2
+++ b/lib/libc/sys/chflags.2
@@ -28,7 +28,7 @@
 .\"	@(#)chflags.2	8.3 (Berkeley) 5/2/95
 .\" $FreeBSD$
 .\"
-.Dd September 23, 2020
+.Dd February 23, 2021
 .Dt CHFLAGS 2
 .Os
 .Sh NAME
@@ -94,16 +94,10 @@ defined in
 If
 .Fa path
 names a symbolic link, then the flags of the symbolic link are changed.
-.It Dv AT_BENEATH
-Only allow to change flags for a file which is beneath of
-the topping directory.
-See the description of the
-.Dv O_BENEATH
-flag in the
-.Xr open 2
-manual page.
 .It Dv AT_RESOLVE_BENEATH
-Only walks paths below the topping directory.
+Only walk paths below the directory specified by the
+.Ar fd
+descriptor.
 See the description of the
 .Dv O_RESOLVE_BENEATH
 flag in the
@@ -327,18 +321,9 @@ is an absolute path,
 or contained a ".." component leading to a
 directory outside of the directory hierarchy specified by
 .Fa fd ,
-and the process is in capability mode.
-.It Bq Er ENOTCAPABLE
-The
-.Dv AT_BENEATH
-flag was provided to
-.Fn chflagsat ,
-and the absolute
-.Fa path
-does not have its tail fully contained under the topping directory,
-or the relative
-.Fa path
-escapes it.
+and the process is in capability mode or the
+.Dv AT_RESOLVE_BENEATH
+flag was specified.
 .El
 .Sh SEE ALSO
 .Xr chflags 1 ,
diff --git a/lib/libc/sys/chmod.2 b/lib/libc/sys/chmod.2
index 1d66408e3891..0127a5b629e4 100644
--- a/lib/libc/sys/chmod.2
+++ b/lib/libc/sys/chmod.2
@@ -28,7 +28,7 @@
 .\"     @(#)chmod.2	8.1 (Berkeley) 6/4/93
 .\" $FreeBSD$
 .\"
-.Dd September 23, 2020
+.Dd February 23, 2021
 .Dt CHMOD 2
 .Os
 .Sh NAME
@@ -101,16 +101,10 @@ in
 If
 .Fa path
 names a symbolic link, then the mode of the symbolic link is changed.
-.It Dv AT_BENEATH
-Only allow to change permissions of a file which is beneath of
-the topping directory.
-See the description of the
-.Dv O_BENEATH
-flag in the
-.Xr open 2
-manual page.
 .It Dv AT_RESOLVE_BENEATH
-Only walks paths below the topping directory.
+Only walk paths below the directory specified by the
+.Ar fd
+descriptor.
 See the description of the
 .Dv O_RESOLVE_BENEATH
 flag in the
@@ -310,18 +304,9 @@ is an absolute path,
 or contained a ".." component leading to a
 directory outside of the directory hierarchy specified by
 .Fa fd ,
-and the process is in capability mode.
-.It Bq Er ENOTCAPABLE
-The
-.Dv AT_BENEATH
-flag was provided to
-.Fn fchmodat ,
-and the absolute
-.Fa path
-does not have its tail fully contained under the topping directory,
-or the relative
-.Fa path
-escapes it.
+and the process is in capability mode or the
+.Dv AT_RESOLVE_BENEATH
+flag was specified.
 .El
 .Sh SEE ALSO
 .Xr chmod 1 ,
diff --git a/lib/libc/sys/chown.2 b/lib/libc/sys/chown.2
index 64bfdeaa961c..4c45ce9174bb 100644
--- a/lib/libc/sys/chown.2
+++ b/lib/libc/sys/chown.2
@@ -28,7 +28,7 @@
 .\"     @(#)chown.2	8.4 (Berkeley) 4/19/94
 .\" $FreeBSD$
 .\"
-.Dd September 23, 2020
+.Dd February 23, 2021
 .Dt CHOWN 2
 .Os
 .Sh NAME
@@ -118,16 +118,10 @@ list, defined in
 If
 .Fa path
 names a symbolic link, ownership of the symbolic link is changed.
-.It Dv AT_BENEATH
-Only allow to change ownership of a file which is beneath of
-the topping directory.
-See the description of the
-.Dv O_BENEATH
-flag in the
-.Xr open 2
-manual page.
 .It Dv AT_RESOLVE_BENEATH
-Only walks paths below the topping directory.
+Only walk paths below the directory specified by the
+.Ar fd
+descriptor.
 See the description of the
 .Dv O_RESOLVE_BENEATH
 flag in the
@@ -252,18 +246,9 @@ is an absolute path,
 or contained a ".." component leading to a
 directory outside of the directory hierarchy specified by
 .Fa fd ,
-and the process is in capability mode.
-.It Bq Er ENOTCAPABLE
-The
-.Dv AT_BENEATH
-flag was provided to
-.Fn fchownat ,
-and the absolute
-.Fa path
-does not have its tail fully contained under the topping directory,
-or the relative
-.Fa path
-escapes it.
+and the process is in capability mode or the
+.Dv AT_RESOLVE_BENEATH
+flag was specified.
 .El
 .Sh SEE ALSO
 .Xr chgrp 1 ,
diff --git a/lib/libc/sys/getfh.2 b/lib/libc/sys/getfh.2
index 5dc5896af6d8..cd3d54f54d7f 100644
--- a/lib/libc/sys/getfh.2
+++ b/lib/libc/sys/getfh.2
@@ -29,7 +29,7 @@
 .\"	@(#)getfh.2	8.1 (Berkeley) 6/9/93
 .\" $FreeBSD$
 .\"
-.Dd September 23, 2020
+.Dd February 23, 2021
 .Dt GETFH 2
 .Os
 .Sh NAME
@@ -76,9 +76,7 @@ and
 .Fn lgetfh
 except when the
 .Fa path
-specifies a relative path, or the
-.Dv AT_BENEATH
-flag is provided.
+specifies a relative path.
 For
 .Fn getfhat
 and relative
@@ -87,13 +85,6 @@ the status is retrieved from a file relative to
 the directory associated with the file descriptor
 .Fa fd
 instead of the current working directory.
-For
-.Dv AT_BENEATH
-and absolute
-.Fa path ,
-the status is retrieved from a file specified by the
-.Fa path ,
-but additional permission checks are performed, see below.
 .Pp
 The values for the
 .Fa flag
@@ -105,15 +96,10 @@ defined in
 If
 .Fa path
 names a symbolic link, the status of the symbolic link is returned.
-.It Dv AT_BENEATH
-Only stat files and directories below the topping directory.
-See the description of the
-.Dv O_BENEATH
-flag in the
-.Xr open 2
-manual page.
 .It Dv AT_RESOLVE_BENEATH
-Only walks paths below the topping directory.
+Only walk paths below the directory specified by the
+.Ar fd
+descriptor.
 See the description of the
 .Dv O_RESOLVE_BENEATH
 flag in the
@@ -140,19 +126,10 @@ bit is set in
 When
 .Fn getfhat
 is called with an absolute
-.Fa path
-without the
-.Dv AT_BENEATH
-flag, it ignores the
-.Fa fd
-argument.
-When
-.Dv AT_BENEATH
-is specified with an absolute
 .Fa path ,
-a directory passed by the
+it ignores the
 .Fa fd
-argument is used as the topping point for the resolution.
+argument.
 These system calls are restricted to the superuser.
 .Sh RETURN VALUES
 .Rv -std
diff --git a/lib/libc/sys/link.2 b/lib/libc/sys/link.2
index c3451da10884..de0efd5e510f 100644
--- a/lib/libc/sys/link.2
+++ b/lib/libc/sys/link.2
@@ -28,7 +28,7 @@
 .\"     @(#)link.2	8.3 (Berkeley) 1/12/94
 .\" $FreeBSD$
 .\"
-.Dd September 23, 2020
+.Dd February 23, 2021
 .Dt LINK 2
 .Os
 .Sh NAME
@@ -115,15 +115,10 @@ If
 .Fa name1
 names a symbolic link, a new link for the target of the symbolic link is
 created.
-.It Dv AT_BENEATH
-Only allow to link to a file which is beneath of the topping directory.
-See the description of the
-.Dv O_BENEATH
-flag in the
-.Xr open 2
-manual page.
 .It Dv AT_RESOLVE_BENEATH
-Only walks paths below the topping directory.
+Only walk paths below the directory specified by the
+.Ar fd
+descriptor.
 See the description of the
 .Dv O_RESOLVE_BENEATH
 flag in the
@@ -281,18 +276,9 @@ For example,
 is absolute or includes a ".." component that escapes
 the directory hierarchy specified by
 .Fa fd ,
-and the process is in capability mode.
-.It Bq Er ENOTCAPABLE
-The
-.Dv AT_BENEATH
-flag was provided to
-.Fa linkat
-and the absolute path
-.Fa name1
-does not have its tail fully contained under the topping directory,
-or the relative path
-.Fa name1
-escapes it.
+and the process is in capability mode or the
+.Dv AT_RESOLVE_BENEATH
+flag was specified.
 .El
 .Sh SEE ALSO
 .Xr chflags 2 ,
diff --git a/lib/libc/sys/open.2 b/lib/libc/sys/open.2
index e43d012770df..e24c823d039a 100644
--- a/lib/libc/sys/open.2
+++ b/lib/libc/sys/open.2
@@ -28,7 +28,7 @@
 .\"     @(#)open.2	8.2 (Berkeley) 11/16/93
 .\" $FreeBSD$
 .\"
-.Dd September 23, 2020
+.Dd February 23, 2021
 .Dt OPEN 2
 .Os
 .Sh NAME
@@ -75,9 +75,7 @@ function is equivalent to the
 .Fn open
 function except in the case where the
 .Fa path
-specifies a relative path, or the
-.Dv O_BENEATH
-flag is provided.
+specifies a relative path.
 For
 .Fn openat
 and relative
@@ -104,28 +102,10 @@ and the behavior is identical to a call to
 When
 .Fn openat
 is called with an absolute
-.Fa path
-without the
-.Dv O_BENEATH
-flag, it ignores the
-.Fa fd
-argument.
-When
-.Dv O_BENEATH
-is specified with an absolute
 .Fa path ,
-a directory passed by the
-.Fa fd
-argument is used as the topping point for the resolution.
-When
-.Dv O_BENEATH
-is specified with a relative path, the
+it ignores the
 .Fa fd
-argument is used both as the starting point, and as the topping point
-for the resolution.
-See the definition of the
-.Dv O_BENEATH
-flag below.
+argument.
 .Pp
 In
 .Xr capsicum 4
@@ -137,9 +117,7 @@ The
 argument to
 .Fn openat
 must be strictly relative to a file descriptor
-.Fa fd ,
-as defined in
-.Pa sys/kern/vfs_lookup.c .
+.Fa fd .
 .Fa path
 must not be an absolute path and must not contain ".." components
 which cause the path resolution to escape the directory hierarchy
@@ -156,9 +134,8 @@ If the
 .Dv vfs.lookup_cap_dotdot
 .Xr sysctl 3
 MIB is set to zero, ".." components in the paths,
-used in capability mode, or with the
-.Dv O_BENEATH
-flag, are completely disabled.
+used in capability mode,
+are completely disabled.
 If the
 .Dv vfs.lookup_cap_dotdot_nonlocal
 MIB is set to zero, ".." is not allowed if found on non-local filesystem.
@@ -190,8 +167,7 @@ O_TTY_INIT	ignored
 O_DIRECTORY	error if file is not a directory
 O_CLOEXEC	set FD_CLOEXEC upon open
 O_VERIFY	verify the contents of the file
-O_BENEATH	require resolved path to be strictly relative to topping directory
-O_RESOLVE_BENEATH	require walked path to be strictly relative to topping directory
+O_RESOLVE_BENEATH	path resolution must not cross the fd directory
 .Ed
 .Pp
 Opening a file with
@@ -319,32 +295,12 @@ means is implementation specific.
 The run-time linker (rtld) uses this flag to ensure shared objects have
 been verified before operating on them.
 .Pp
-.Dv O_BENEATH
-returns
-.Er ENOTCAPABLE
-if the specified path, after resolving all symlinks and ".."
-references, does not end up with tail residing in the directory hierarchy of
-children beneath the topping directory.
-Topping directory is the process current directory if relative
-.Fa path
-is used for
-.Fn open ,
-and the directory referenced by the
-.Fa fd
-argument when using
-.Fn openat .
-.Dv O_BENEATH
-allows arbitrary prefix that ends up at the topping directory,
-after which all further resolved components must be under it.
-.Pp
 .Dv O_RESOLVE_BENEATH
 returns
 .Er ENOTCAPABLE
 if any intermediate component of the specified relative path does not
-reside in the directory hierarchy beneath the topping directory.
-Comparing to
-.Dv O_BENEATH ,
-absolute paths or even the temporal escape from beneath of the topping
+reside in the directory hierarchy beneath the starting directory.
+Absolute paths or even the temporal escape from beneath of the starting
 directory is not allowed.
 .Pp
 When
@@ -601,19 +557,12 @@ directory outside of the directory hierarchy specified by
 and the process is in capability mode.
 .It Bq Er ENOTCAPABLE
 The
-.Dv O_BENEATH
-flag was provided, and the absolute
-.Fa path
-does not have its tail fully contained under the topping directory,
-or the relative
-.Fa path
-escapes it.
-.It Bq Er ENOTCAPABLE
-The
 .Dv O_RESOLVE_BENEATH
 flag was provided, and the relative
 .Fa path
-escapes topping directory.
+escapes the
+.Ar fd
+directory.
 .El
 .Sh SEE ALSO
 .Xr chmod 2 ,
diff --git a/lib/libc/sys/stat.2 b/lib/libc/sys/stat.2
index 4759d297e8da..0ed70620af63 100644
--- a/lib/libc/sys/stat.2
+++ b/lib/libc/sys/stat.2
@@ -28,7 +28,7 @@
 .\"     @(#)stat.2	8.4 (Berkeley) 5/1/95
 .\" $FreeBSD$
 .\"
-.Dd September 23, 2020
+.Dd February 23, 2021
 .Dt STAT 2
 .Os
 .Sh NAME
@@ -84,9 +84,7 @@ and
 .Fn lstat
 except when the
 .Fa path
-specifies a relative path, or the
-.Dv AT_BENEATH
-flag is provided.
+specifies a relative path.
 For
 .Fn fstatat
 and relative
@@ -95,13 +93,6 @@ the status is retrieved from a file relative to
 the directory associated with the file descriptor
 .Fa fd
 instead of the current working directory.
-For
-.Dv AT_BENEATH
-and absolute
-.Fa path ,
-the status is retrieved from a file specified by the
-.Fa path ,
-but additional permission checks are performed, see below.
 .Pp
 The values for the
 .Fa flag
@@ -113,15 +104,8 @@ defined in
 If
 .Fa path
 names a symbolic link, the status of the symbolic link is returned.
-.It Dv AT_BENEATH
-Only stat files and directories below the topping directory.
-See the description of the
-.Dv O_BENEATH
-flag in the
-.Xr open 2
-manual page.
 .It Dv AT_RESOLVE_BENEATH
-Only walks paths below the topping directory.
+Only walk paths below the starting directory.
 See the description of the
 .Dv O_RESOLVE_BENEATH
 flag in the
@@ -148,19 +132,10 @@ bit is set in
 When
 .Fn fstatat
 is called with an absolute
-.Fa path
-without the
-.Dv AT_BENEATH
-flag, it ignores the
-.Fa fd
-argument.
-When
-.Dv AT_BENEATH
-is specified with an absolute
 .Fa path ,
-a directory passed by the
+it ignores the
 .Fa fd
-argument is used as the topping point for the resolution.
+argument.
 .Pp
 The
 .Fa sb
@@ -459,18 +434,9 @@ is an absolute path,
 or contained a ".." component leading to a
 directory outside of the directory hierarchy specified by
 .Fa fd ,
-and the process is in capability mode.
-.It Bq Er ENOTCAPABLE
-The
-.Dv AT_BENEATH
-flag was provided to
-.Fn fstatat ,
-and the absolute
-.Fa path
-does not have its tail fully contained under the topping directory,
-or the relative
-.Fa path
-escapes it.
+and the process is in capability mode or the
+.Dv AT_RESOLVE_BENEATH
+flag was specified.
 .El
 .Sh SEE ALSO
 .Xr access 2 ,
diff --git a/lib/libc/sys/unlink.2 b/lib/libc/sys/unlink.2
index 838d4da68af2..11fff875abad 100644
--- a/lib/libc/sys/unlink.2
+++ b/lib/libc/sys/unlink.2
@@ -28,7 +28,7 @@
 .\"     @(#)unlink.2	8.1 (Berkeley) 6/4/93
 .\" $FreeBSD$
 .\"
-.Dd September 23, 2020
+.Dd February 23, 2021
 .Dt UNLINK 2
 .Os
 .Sh NAME
@@ -92,16 +92,10 @@ Remove the directory entry specified by
 and
 .Fa path
 as a directory, not a normal file.
-.It Dv AT_BENEATH
-Only unlink files and directories which are beneath of the topping
-directory.
-See the description of the
-.Dv O_BENEATH
-flag in the
-.Xr open 2
-manual page.
 .It Dv AT_RESOLVE_BENEATH
-Only walks paths below the topping directory.
+Only walk paths below the directory specified by the
+.Ar fd
+descriptor.
 See the description of the
 .Dv O_RESOLVE_BENEATH
 flag in the
@@ -246,18 +240,9 @@ is an absolute path,
 or contained a ".." component leading to a
 directory outside of the directory hierarchy specified by
 .Fa fd ,
-and the process is in capability mode.
-.It Bq Er ENOTCAPABLE
-The
-.Dv AT_BENEATH
-flag was provided to
-.Fn unlinkat ,
-and the absolute
-.Fa path
-does not have its tail fully contained under the topping directory,
-or the relative
-.Fa path
-escapes it.
+and the process is in capability mode or the
+.Dv AT_RESOLVE_BENEATH
+flag was specified.
 .El
 .Pp
 In addition to the errors returned by
diff --git a/lib/libc/sys/utimensat.2 b/lib/libc/sys/utimensat.2
index 3016d1af72aa..d31ee1f1515a 100644
--- a/lib/libc/sys/utimensat.2
+++ b/lib/libc/sys/utimensat.2
@@ -31,7 +31,7 @@
 .\"     @(#)utimes.2	8.1 (Berkeley) 6/4/93
 .\" $FreeBSD$
 .\"
-.Dd September 23, 2020
+.Dd February 23, 2021
 .Dt UTIMENSAT 2
 .Os
 .Sh NAME
@@ -146,16 +146,10 @@ names a symbolic link, the symbolic link's times are changed.
 By default,
 .Fn utimensat
 changes the times of the file referenced by the symbolic link.
-.It Dv AT_BENEATH
-Only allow to change the times of a file which is beneath of
-the topping directory.
-See the description of the
-.Dv O_BENEATH
-flag in the
-.Xr open 2
-manual page.
 .It Dv AT_RESOLVE_BENEATH
-Only walks paths below the topping directory.
+Only walk paths below the directory specified by the
+.Ar fd
+descriptor.
 See the description of the
 .Dv O_RESOLVE_BENEATH
 flag in the
@@ -290,18 +284,9 @@ is an absolute path,
 or contained a ".." component leading to a
 directory outside of the directory hierarchy specified by
 .Fa fd ,
-and the process is in capability mode.
-.It Bq Er ENOTCAPABLE
-The
-.Dv AT_BENEATH
-flag was provided to
-.Fn utimensat ,
-and the absolute
-.Fa path
-does not have its tail fully contained under the topping directory,
-or the relative
-.Fa path
-escapes it.
+and the process is in capability mode or the
+.Dv AT_RESOLVE_BENEATH
+flag was specified.
 .El
 .Sh SEE ALSO
 .Xr chflags 2 ,
diff --git a/sys/kern/vfs_lookup.c b/sys/kern/vfs_lookup.c
index ad65ab11bb1d..4ddd7b63ce5c 100644
--- a/sys/kern/vfs_lookup.c
+++ b/sys/kern/vfs_lookup.c
@@ -182,13 +182,6 @@ nameicap_tracker_add(struct nameidata *ndp, struct vnode *dp)
 	if ((ndp->ni_lcf & NI_LCF_CAP_DOTDOT) == 0 || dp->v_type != VDIR)
 		return;
 	cnp = &ndp->ni_cnd;
-	if ((cnp->cn_flags & BENEATH) != 0 &&
-	    (ndp->ni_lcf & NI_LCF_BENEATH_LATCHED) == 0) {
-		MPASS((ndp->ni_lcf & NI_LCF_LATCH) != 0);
-		if (dp != ndp->ni_beneath_latch)
-			return;
-		ndp->ni_lcf |= NI_LCF_BENEATH_LATCHED;
-	}
 	nt = malloc(sizeof(*nt), M_NAMEITRACKER, M_WAITOK);
 	vhold(dp);
 	nt->dp = dp;
@@ -196,7 +189,7 @@ nameicap_tracker_add(struct nameidata *ndp, struct vnode *dp)
 }
 
 static void
-nameicap_cleanup(struct nameidata *ndp, bool clean_latch)
+nameicap_cleanup(struct nameidata *ndp)
 {
 	struct nameicap_tracker *nt, *nt1;
 
@@ -207,10 +200,6 @@ nameicap_cleanup(struct nameidata *ndp, bool clean_latch)
 		vdrop(nt->dp);
 		free(nt, M_NAMEITRACKER);
 	}
-	if (clean_latch && (ndp->ni_lcf & NI_LCF_LATCH) != 0) {
-		ndp->ni_lcf &= ~NI_LCF_LATCH;
-		vrele(ndp->ni_beneath_latch);
-	}
 }
 
 /*
@@ -230,21 +219,17 @@ nameicap_check_dotdot(struct nameidata *ndp, struct vnode *dp)
 	struct nameicap_tracker *nt;
 	struct mount *mp;
 
-	if ((ndp->ni_lcf & NI_LCF_CAP_DOTDOT) == 0 || dp == NULL ||
-	    dp->v_type != VDIR)
+	if (dp == NULL || dp->v_type != VDIR || (ndp->ni_lcf &
+	    NI_LCF_STRICTRELATIVE) == 0)
 		return (0);
+	if ((ndp->ni_lcf & NI_LCF_CAP_DOTDOT) == 0)
+		return (ENOTCAPABLE);
 	mp = dp->v_mount;
 	if (lookup_cap_dotdot_nonlocal == 0 && mp != NULL &&
 	    (mp->mnt_flag & MNT_LOCAL) == 0)
 		return (ENOTCAPABLE);
 	TAILQ_FOREACH_REVERSE(nt, &ndp->ni_cap_tracker, nameicap_tracker_head,
 	    nm_link) {
-		if ((ndp->ni_lcf & NI_LCF_LATCH) != 0 &&
-		    ndp->ni_beneath_latch == nt->dp) {
-			ndp->ni_lcf &= ~NI_LCF_BENEATH_LATCHED;
-			nameicap_cleanup(ndp, false);
-			return (0);
-		}
 		if (dp == nt->dp)
 			return (0);
 	}
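Review bot: The reordered guard in nameicap_check_dotdot changes the result for a strict-relative lookup whose NI_LCF_CAP_DOTDOT bit is clear: the old first test returned 0 in that case, the new code falls through to `return (ENOTCAPABLE);`. Together with the namei_setup hunk below, which now sets NI_LCF_CAP_DOTDOT only when NI_LCF_STRICTRELATIVE is set and lookup_cap_dotdot is non-zero, this makes ".." fail closed when the sysctl is off, matching the open(2) text in this commit; if lookup() already rejects that combination the check is merely redundant, but the commit message mentions only the O_BENEATH removal, so the tightening deserves a comment on the new check such as `/* ".." on a strict-relative lookup is allowed only when vfs.lookup_cap_dotdot is enabled. */`. The function's header comment and its remaining tail (the final ENOTCAPABLE return) are outside the hunk and presumably still describe the old early-return semantics, so they should be re-read against the new ordering.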
@@ -275,11 +260,6 @@ namei_handle_root(struct nameidata *ndp, struct vnode **dpp)
 #endif
 		return (ENOTCAPABLE);
 	}
-	if ((cnp->cn_flags & BENEATH) != 0) {
-		ndp->ni_lcf |= NI_LCF_BENEATH_ABS;
-		ndp->ni_lcf &= ~NI_LCF_BENEATH_LATCHED;
-		nameicap_cleanup(ndp, false);
-	}
 	while (*(cnp->cn_nameptr) == '/') {
 		cnp->cn_nameptr++;
 		ndp->ni_pathlen--;
@@ -297,7 +277,6 @@ namei_setup(struct nameidata *ndp, struct vnode **dpp, struct pwd **pwdp)
 	struct thread *td;
 	struct pwd *pwd;
 	cap_rights_t rights;
-	struct filecaps dirfd_caps;
 	int error;
 	bool startdir_used;
 
@@ -410,26 +389,8 @@ namei_setup(struct nameidata *ndp, struct vnode **dpp, struct pwd **pwdp)
 		if (error == 0 && (*dpp)->v_type != VDIR)
 			error = ENOTDIR;
 	}
-	if (error == 0 && (cnp->cn_flags & BENEATH) != 0) {
-		if (ndp->ni_dirfd == AT_FDCWD) {
-			ndp->ni_beneath_latch = pwd->pwd_cdir;
-			vrefact(ndp->ni_beneath_latch);
-		} else {
-			rights = *ndp->ni_rightsneeded;
-			cap_rights_set_one(&rights, CAP_LOOKUP);
-			error = fgetvp_rights(td, ndp->ni_dirfd, &rights,
-			    &dirfd_caps, &ndp->ni_beneath_latch);
-			if (error == 0 && (*dpp)->v_type != VDIR) {
-				vrele(ndp->ni_beneath_latch);
-				error = ENOTDIR;
-			}
-		}
-		if (error == 0)
-			ndp->ni_lcf |= NI_LCF_LATCH;
-	}
 	if (error == 0 && (cnp->cn_flags & RBENEATH) != 0) {
-		if (cnp->cn_pnbuf[0] == '/' ||
-		    (ndp->ni_lcf & NI_LCF_BENEATH_ABS) != 0) {
+		if (cnp->cn_pnbuf[0] == '/') {
 			error = EINVAL;
 		} else if ((ndp->ni_lcf & NI_LCF_STRICTRELATIVE) == 0) {
 			ndp->ni_lcf |= NI_LCF_STRICTRELATIVE |
@@ -452,12 +413,8 @@ namei_setup(struct nameidata *ndp, struct vnode **dpp, struct pwd **pwdp)
 		pwd_drop(pwd);
 		return (error);
 	}
-	MPASS((ndp->ni_lcf & (NI_LCF_BENEATH_ABS | NI_LCF_LATCH)) !=
-	    NI_LCF_BENEATH_ABS);
-	if (((ndp->ni_lcf & NI_LCF_STRICTRELATIVE) != 0 &&
-	    lookup_cap_dotdot != 0) ||
-	    ((ndp->ni_lcf & NI_LCF_STRICTRELATIVE) == 0 &&
-	    (cnp->cn_flags & BENEATH) != 0))
+	if ((ndp->ni_lcf & NI_LCF_STRICTRELATIVE) != 0 &&
+	    lookup_cap_dotdot != 0)
 		ndp->ni_lcf |= NI_LCF_CAP_DOTDOT;
 	SDT_PROBE4(vfs, namei, lookup, entry, *dpp, cnp->cn_pnbuf,
 	    cnp->cn_flags, false);
@@ -636,16 +593,8 @@ namei(struct nameidata *ndp)
 	for (;;) {
 		ndp->ni_startdir = dp;
 		error = lookup(ndp);
-		if (error != 0) {
-			/*
-			 * Override an error to not allow user to use
-			 * BENEATH as an oracle.
-			 */
-			if ((ndp->ni_lcf & (NI_LCF_LATCH |
-			    NI_LCF_BENEATH_LATCHED)) == NI_LCF_LATCH)
-				error = ENOTCAPABLE;
+		if (error != 0)
 			goto out;
-		}
 
 		/*
 		 * If not a symbolic link, we're done.
@@ -657,12 +606,7 @@ namei(struct nameidata *ndp)
 				namei_cleanup_cnp(cnp);
 			} else
 				cnp->cn_flags |= HASBUF;
-			if ((ndp->ni_lcf & (NI_LCF_LATCH |
-			    NI_LCF_BENEATH_LATCHED)) == NI_LCF_LATCH) {
-				NDFREE(ndp, 0);
-				error = ENOTCAPABLE;
-			}
-			nameicap_cleanup(ndp, true);
+			nameicap_cleanup(ndp);
 			pwd_drop(pwd);
 			if (error == 0)
 				NDVALIDATE(ndp);
@@ -739,7 +683,7 @@ out:
 	MPASS(error != 0);
 	SDT_PROBE4(vfs, namei, lookup, return, error, NULL, false, ndp);
 	namei_cleanup_cnp(cnp);
-	nameicap_cleanup(ndp, true);
+	nameicap_cleanup(ndp);
 	pwd_drop(pwd);
 	return (error);
 }
diff --git a/sys/kern/vfs_syscalls.c b/sys/kern/vfs_syscalls.c
index a51d693446e3..52604d3da829 100644
--- a/sys/kern/vfs_syscalls.c
+++ b/sys/kern/vfs_syscalls.c
@@ -120,8 +120,6 @@ at2cnpflags(u_int at_flags, u_int mask)
 
 	res = 0;
 	at_flags &= mask;
-	if ((at_flags & AT_BENEATH) != 0)
-		res |= BENEATH;
 	if ((at_flags & AT_RESOLVE_BENEATH) != 0)
 		res |= RBENEATH;
 	if ((at_flags & AT_SYMLINK_FOLLOW) != 0)
@@ -1500,12 +1498,11 @@ sys_linkat(struct thread *td, struct linkat_args *uap)
 	int flag;
 
 	flag = uap->flag;
-	if ((flag & ~(AT_SYMLINK_FOLLOW | AT_BENEATH |
-	    AT_RESOLVE_BENEATH)) != 0)
+	if ((flag & ~(AT_SYMLINK_FOLLOW | AT_RESOLVE_BENEATH)) != 0)
 		return (EINVAL);
 
 	return (kern_linkat(td, uap->fd1, uap->fd2, uap->path1, uap->path2,
-	    UIO_USERSPACE, at2cnpflags(flag, AT_SYMLINK_FOLLOW | AT_BENEATH |
+	    UIO_USERSPACE, at2cnpflags(flag, AT_SYMLINK_FOLLOW |
 	    AT_RESOLVE_BENEATH)));
 }
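Review bot: The flag masks in sys_linkat now reject the bit that AT_BENEATH used to occupy, so any binary built against the previous releng header that still passes it will receive EINVAL rather than having the bit ignored; the same applies to the kern_accessat, kern_statat and sys_chflagsat hunks further down. That is the safer outcome, but the sys/sys/fcntl.h hunk is not visible here, so it is worth confirming that the old bit value is left reserved (a comment such as `/* 0x1000 was AT_BENEATH, do not reuse */`, with the real value taken from the header) rather than reassigned to a future flag that old callers would then set unintentionally. The same mask pattern also means at2cnpflags silently drops any stray bits its mask does not name, so the validation in each syscall entry point is the only place the rejection happens; keep the two lists in step.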
 
@@ -1875,7 +1872,7 @@ kern_funlinkat(struct thread *td, int dfd, const char *path, int fd,
 restart:
 	bwillwrite();
 	NDINIT_ATRIGHTS(&nd, DELETE, LOCKPARENT | LOCKLEAF | AUDITVNODE1 |
-	    at2cnpflags(flag, AT_BENEATH | AT_RESOLVE_BENEATH),
+	    at2cnpflags(flag, AT_RESOLVE_BENEATH),
 	    pathseg, path, dfd, &cap_unlinkat_rights, td);
 	if ((error = namei(&nd)) != 0) {
 		if (error == EINVAL)
@@ -2080,7 +2077,7 @@ kern_accessat(struct thread *td, int fd, const char *path,
 	struct nameidata nd;
 	int error;
 
-	if ((flag & ~(AT_EACCESS | AT_BENEATH | AT_RESOLVE_BENEATH)) != 0)
+	if ((flag & ~(AT_EACCESS | AT_RESOLVE_BENEATH)) != 0)
 		return (EINVAL);
 	if (amode != F_OK && (amode & ~(R_OK | W_OK | X_OK)) != 0)
 		return (EINVAL);
@@ -2101,7 +2098,7 @@ kern_accessat(struct thread *td, int fd, const char *path,
 		usecred = cred;
 	AUDIT_ARG_VALUE(amode);
 	NDINIT_ATRIGHTS(&nd, LOOKUP, FOLLOW | LOCKSHARED | LOCKLEAF |
-	    AUDITVNODE1 | at2cnpflags(flag, AT_BENEATH | AT_RESOLVE_BENEATH),
+	    AUDITVNODE1 | at2cnpflags(flag, AT_RESOLVE_BENEATH),
 	    pathseg, path, fd, &cap_fstat_rights, td);
 	if ((error = namei(&nd)) != 0)
 		goto out;
@@ -2392,13 +2389,12 @@ kern_statat(struct thread *td, int flag, int fd, const char *path,
 	struct nameidata nd;
 	int error;
 
-	if ((flag & ~(AT_SYMLINK_NOFOLLOW | AT_BENEATH |
-	    AT_RESOLVE_BENEATH)) != 0)
+	if ((flag & ~(AT_SYMLINK_NOFOLLOW | AT_RESOLVE_BENEATH)) != 0)
 		return (EINVAL);
 
-	NDINIT_ATRIGHTS(&nd, LOOKUP, at2cnpflags(flag, AT_BENEATH |
-	    AT_RESOLVE_BENEATH | AT_SYMLINK_NOFOLLOW) | LOCKSHARED | LOCKLEAF |
-	    AUDITVNODE1, pathseg, path, fd, &cap_fstat_rights, td);
+	NDINIT_ATRIGHTS(&nd, LOOKUP, at2cnpflags(flag, AT_RESOLVE_BENEATH |
+	    AT_SYMLINK_NOFOLLOW) | LOCKSHARED | LOCKLEAF | AUDITVNODE1,
+	    pathseg, path, fd, &cap_fstat_rights, td);
 
 	if ((error = namei(&nd)) != 0)
 		return (error);
@@ -2716,8 +2712,7 @@ int
 sys_chflagsat(struct thread *td, struct chflagsat_args *uap)
 {
 
-	if ((uap->atflag & ~(AT_SYMLINK_NOFOLLOW | AT_BENEATH |
-	    AT_RESOLVE_BENEATH)) != 0)
+	if ((uap->atflag & ~(AT_SYMLINK_NOFOLLOW | AT_RESOLVE_BENEATH)) != 0)
 		return (EINVAL);
 
 	return (kern_chflagsat(td, uap->fd, uap->path, UIO_USERSPACE,
*** 169 LINES SKIPPED ***

