[thirdparty/glibc.git] / hurd / lookup-retry.c

/* hairy bits of Hurd file name lookup
   Copyright (C) 1992-2017 Free Software Foundation, Inc.
   This file is part of the GNU C Library.

   The GNU C Library is free software; you can redistribute it and/or
   modify it under the terms of the GNU Lesser General Public
   License as published by the Free Software Foundation; either
   version 2.1 of the License, or (at your option) any later version.

   The GNU C Library is distributed in the hope that it will be useful,
   but WITHOUT ANY WARRANTY; without even the implied warranty of
   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
   Lesser General Public License for more details.

   You should have received a copy of the GNU Lesser General Public
   License along with the GNU C Library; if not, see
   <http://www.gnu.org/licenses/>.  */

#include <hurd.h>
#include <hurd/lookup.h>
#include <hurd/term.h>
#include <hurd/paths.h>
#include <limits.h>
#include <fcntl.h>
#include <string.h>
#include <_itoa.h>
#include <eloop-threshold.h>

/* Translate the error from dir_lookup into the error the user sees.  */
static inline error_t
lookup_error (error_t error)
{
  switch (error)
    {
    case EOPNOTSUPP:
    case MIG_BAD_ID:
      /* These indicate that the server does not understand dir_lookup
	 at all.  If it were a directory, it would, by definition.  */
      return ENOTDIR;
    default:
      return error;
    }
}

error_t
__hurd_file_name_lookup_retry (error_t (*use_init_port)
				 (int which, error_t (*operate) (file_t)),
			       file_t (*get_dtable_port) (int fd),
			       error_t (*lookup)
				 (file_t dir, char *name,
				  int flags, mode_t mode,
				  retry_type *do_retry, string_t retry_name,
				  mach_port_t *result),
			       enum retry_type doretry,
			       char retryname[1024],
			       int flags, mode_t mode,
			       file_t *result)
{
  error_t err;
  char *file_name;
  int nloops;

  error_t lookup_op (file_t startdir)
    {
      if (file_name[0] == '/' && file_name[1] != '\0')
	{
	  while (file_name[1] == '/')
	    /* Remove double leading slash.  */
	    file_name++;
	  if (file_name[1] != '\0')
	    /* Remove leading slash when we have more than the slash.  */
	    file_name++;
	}

      return lookup_error ((*lookup) (startdir, file_name, flags, mode,
				      &doretry, retryname, result));
    }
  error_t reauthenticate (file_t unauth)
    {
      error_t err;
      mach_port_t ref = __mach_reply_port ();
      error_t reauth (auth_t auth)
	{
	  return __auth_user_authenticate (auth, ref,
					   MACH_MSG_TYPE_MAKE_SEND,
					   result);
	}
      err = __io_reauthenticate (unauth, ref, MACH_MSG_TYPE_MAKE_SEND);
      if (! err)
	err = (*use_init_port) (INIT_PORT_AUTH, &reauth);
      __mach_port_destroy (__mach_task_self (), ref);
      __mach_port_deallocate (__mach_task_self (), unauth);
      return err;
    }

  if (! lookup)
    lookup = __dir_lookup;

  nloops = 0;
  err = 0;
  do
    {
      file_t startdir = MACH_PORT_NULL;
      int dirport = INIT_PORT_CWDIR;

      switch (doretry)
	{
	case FS_RETRY_REAUTH:
	  if (err = reauthenticate (*result))
	    return err;
	  /* Fall through.  */

	case FS_RETRY_NORMAL:
	  if (nloops++ >= __eloop_threshold ())
	    {
	      __mach_port_deallocate (__mach_task_self (), *result);
	      return ELOOP;
	    }

	  /* An empty RETRYNAME indicates we have the final port.  */
	  if (retryname[0] == '\0' &&
	      /* If reauth'd, we must do one more retry on "" to give the new
		 translator a chance to make a new port for us.  */
	      doretry == FS_RETRY_NORMAL)
	    {
	      if (flags & O_NOFOLLOW)
		{
		  /* In Linux, O_NOFOLLOW means to reject symlinks.  If we
		     did an O_NOLINK lookup above and io_stat here to check
		     for S_IFLNK, a translator like firmlink could easily
		     spoof this check by not showing S_IFLNK, but in fact
		     redirecting the lookup to some other name
		     (i.e. opening the very same holes a symlink would).

		     Instead we do an O_NOTRANS lookup above, and stat the
		     underlying node: if it has a translator set, and its
		     owner is not root (st_uid 0) then we reject it.
		     Since the motivation for this feature is security, and
		     that security presumes we trust the containing
		     directory, this check approximates the security of
		     refusing symlinks while accepting mount points.
		     Note that we actually permit something Linux doesn't:
		     we follow root-owned symlinks; if that is deemed
		     undesireable, we can add a final check for that
		     one exception to our general translator-based rule.  */
		  struct stat64 st;
		  err = __io_stat (*result, &st);
		  if (!err
		      && (st.st_mode & (S_IPTRANS|S_IATRANS)))
		    {
		      if (st.st_uid != 0)
			err = ENOENT;
		      else if (st.st_mode & S_IPTRANS)
			{
			  char buf[1024];
			  char *trans = buf;
			  size_t translen = sizeof buf;
			  err = __file_get_translator (*result,
						       &trans, &translen);
			  if (!err
			      && translen > sizeof _HURD_SYMLINK
			      && !memcmp (trans,
					  _HURD_SYMLINK, sizeof _HURD_SYMLINK))
			    err = ENOENT;
			}
		    }
		}

	      /* We got a successful translation.  Now apply any open-time
		 action flags we were passed.  */

	      if (!err && (flags & O_TRUNC)) /* Asked to truncate the file.  */
		err = __file_set_size (*result, 0);

	      if (err)
		__mach_port_deallocate (__mach_task_self (), *result);
	      return err;
	    }

	  startdir = *result;
	  file_name = retryname;
	  break;

	case FS_RETRY_MAGICAL:
	  switch (retryname[0])
	    {
	    case '/':
	      dirport = INIT_PORT_CRDIR;
	      if (*result != MACH_PORT_NULL)
		__mach_port_deallocate (__mach_task_self (), *result);
	      if (nloops++ >= __eloop_threshold ())
		return ELOOP;
	      file_name = &retryname[1];
	      break;

	    case 'f':
	      if (retryname[1] == 'd' && retryname[2] == '/')
		{
		  int fd;
		  char *end;
		  int save = errno;
		  errno = 0;
		  fd = (int) __strtoul_internal (&retryname[3], &end, 10, 0);
		  if (end == NULL || errno || /* Malformed number.  */
		      /* Check for excess text after the number.  A slash
			 is valid; it ends the component.  Anything else
			 does not name a numeric file descriptor.  */
		      (*end != '/' && *end != '\0'))
		    {
		      errno = save;
		      return ENOENT;
		    }
		  if (! get_dtable_port)
		    err = EGRATUITOUS;
		  else
		    {
		      *result = (*get_dtable_port) (fd);
		      if (*result == MACH_PORT_NULL)
			{
			  /* If the name was a proper number, but the file
			     descriptor does not exist, we return EBADF instead
			     of ENOENT.  */
			  err = errno;
			  errno = save;
			}
		    }
		  errno = save;
		  if (err)
		    return err;
		  if (*end == '\0')
		    return 0;
		  else
		    {
		      /* Do a normal retry on the remaining components.  */
		      startdir = *result;
		      file_name = end + 1; /* Skip the slash.  */
		      break;
		    }
		}
	      else
		goto bad_magic;
	      break;

	    case 'm':
	      if (retryname[1] == 'a' && retryname[2] == 'c' &&
		  retryname[3] == 'h' && retryname[4] == 't' &&
		  retryname[5] == 'y' && retryname[6] == 'p' &&
		  retryname[7] == 'e')
		{
		  error_t err;
		  struct host_basic_info hostinfo;
		  mach_msg_type_number_t hostinfocnt = HOST_BASIC_INFO_COUNT;
		  char *p;
		  /* XXX want client's host */
		  if (err = __host_info (__mach_host_self (), HOST_BASIC_INFO,
					 (integer_t *) &hostinfo,
					 &hostinfocnt))
		    return err;
		  if (hostinfocnt != HOST_BASIC_INFO_COUNT)
		    return EGRATUITOUS;
		  p = _itoa (hostinfo.cpu_subtype, &retryname[8], 10, 0);
		  *--p = '/';
		  p = _itoa (hostinfo.cpu_type, &retryname[8], 10, 0);
		  if (p < retryname)
		    abort ();	/* XXX write this right if this ever happens */
		  if (p > retryname)
		    strcpy (retryname, p);
		  startdir = *result;
		}
	      else
		goto bad_magic;
	      break;

	    case 't':
	      if (retryname[1] == 't' && retryname[2] == 'y')
		switch (retryname[3])
		  {
		    error_t opentty (file_t *result)
		      {
			error_t err;
			error_t ctty_open (file_t port)
			  {
			    if (port == MACH_PORT_NULL)
			      return ENXIO; /* No controlling terminal.  */
			    return __termctty_open_terminal (port,
							     flags,
							     result);
			  }
			err = (*use_init_port) (INIT_PORT_CTTYID, &ctty_open);
			if (! err)
			  err = reauthenticate (*result);
			return err;
		      }

		  case '\0':
		    return opentty (result);
		  case '/':
		    if (err = opentty (&startdir))
		      return err;
		    strcpy (retryname, &retryname[4]);
		    break;
		  default:
		    goto bad_magic;
		  }
	      else
		goto bad_magic;
	      break;

	    default:
	    bad_magic:
	      return EGRATUITOUS;
	    }
	  break;

	default:
	  return EGRATUITOUS;
	}

      if (startdir != MACH_PORT_NULL)
	{
	  err = lookup_op (startdir);
	  __mach_port_deallocate (__mach_task_self (), startdir);
	  startdir = MACH_PORT_NULL;
	}
      else
	err = (*use_init_port) (dirport, &lookup_op);
    } while (! err);

  return err;
}
weak_alias (__hurd_file_name_lookup_retry, hurd_file_name_lookup_retry)
Commit	Line	Data
5fe915ee	1	/* hairy bits of Hurd file name lookup
bfff8b1b	2	Copyright (C) 1992-2017 Free Software Foundation, Inc.
5fe915ee RM	3	This file is part of the GNU C Library.
	4
	5	The GNU C Library is free software; you can redistribute it and/or
41bdb6e2 AJ	6	modify it under the terms of the GNU Lesser General Public
	7	License as published by the Free Software Foundation; either
	8	version 2.1 of the License, or (at your option) any later version.
5fe915ee RM	9
	10	The GNU C Library is distributed in the hope that it will be useful,
	11	but WITHOUT ANY WARRANTY; without even the implied warranty of
	12	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
41bdb6e2	13	Lesser General Public License for more details.
5fe915ee	14
41bdb6e2	15	You should have received a copy of the GNU Lesser General Public
59ba27a6 PE	16	License along with the GNU C Library; if not, see
59ba27a6 PE	17	<http://www.gnu.org/licenses/>. */
5fe915ee RM	18
	19	#include <hurd.h>
	20	#include <hurd/lookup.h>
	21	#include <hurd/term.h>
	22	#include <hurd/paths.h>
	23	#include <limits.h>
	24	#include <fcntl.h>
	25	#include <string.h>
eb96ffb0	26	#include <_itoa.h>
4f75b7a0	27	#include <eloop-threshold.h>
5fe915ee RM	28
	29	/* Translate the error from dir_lookup into the error the user sees. */
	30	static inline error_t
	31	lookup_error (error_t error)
	32	{
	33	switch (error)
	34	{
	35	case EOPNOTSUPP:
	36	case MIG_BAD_ID:
	37	/* These indicate that the server does not understand dir_lookup
	38	at all. If it were a directory, it would, by definition. */
	39	return ENOTDIR;
	40	default:
	41	return error;
	42	}
	43	}
	44
	45	error_t
	46	__hurd_file_name_lookup_retry (error_t (*use_init_port)
10589b4a	47	(int which, error_t (*operate) (file_t)),
5fe915ee RM	48	file_t (*get_dtable_port) (int fd),
5fe915ee RM	49	error_t (*lookup)
10589b4a	50	(file_t dir, char *name,
5fe915ee RM	51	int flags, mode_t mode,
	52	retry_type *do_retry, string_t retry_name,
	53	mach_port_t *result),
	54	enum retry_type doretry,
	55	char retryname[1024],
	56	int flags, mode_t mode,
	57	file_t *result)
	58	{
	59	error_t err;
	60	char *file_name;
	61	int nloops;
	62
	63	error_t lookup_op (file_t startdir)
	64	{
e42ce0f4 FC	65	if (file_name[0] == '/' && file_name[1] != '\0')
	66	{
	67	while (file_name[1] == '/')
	68	/* Remove double leading slash. */
	69	file_name++;
	70	if (file_name[1] != '\0')
	71	/* Remove leading slash when we have more than the slash. */
	72	file_name++;
	73	}
5fe915ee RM	74
	75	return lookup_error ((*lookup) (startdir, file_name, flags, mode,
	76	&doretry, retryname, result));
	77	}
	78	error_t reauthenticate (file_t unauth)
	79	{
	80	error_t err;
	81	mach_port_t ref = __mach_reply_port ();
	82	error_t reauth (auth_t auth)
	83	{
	84	return __auth_user_authenticate (auth, ref,
	85	MACH_MSG_TYPE_MAKE_SEND,
	86	result);
	87	}
	88	err = __io_reauthenticate (unauth, ref, MACH_MSG_TYPE_MAKE_SEND);
	89	if (! err)
	90	err = (*use_init_port) (INIT_PORT_AUTH, &reauth);
	91	__mach_port_destroy (__mach_task_self (), ref);
	92	__mach_port_deallocate (__mach_task_self (), unauth);
	93	return err;
	94	}
	95
	96	if (! lookup)
	97	lookup = __dir_lookup;
	98
	99	nloops = 0;
	100	err = 0;
	101	do
	102	{
	103	file_t startdir = MACH_PORT_NULL;
	104	int dirport = INIT_PORT_CWDIR;
	105
	106	switch (doretry)
	107	{
	108	case FS_RETRY_REAUTH:
	109	if (err = reauthenticate (*result))
	110	return err;
	111	/* Fall through. */
	112
	113	case FS_RETRY_NORMAL:
4f75b7a0	114	if (nloops++ >= __eloop_threshold ())
5fe915ee RM	115	{
	116	__mach_port_deallocate (__mach_task_self (), *result);
	117	return ELOOP;
	118	}
	119
	120	/* An empty RETRYNAME indicates we have the final port. */
	121	if (retryname[0] == '\0' &&
	122	/* If reauth'd, we must do one more retry on "" to give the new
	123	translator a chance to make a new port for us. */
	124	doretry == FS_RETRY_NORMAL)
	125	{
	126	if (flags & O_NOFOLLOW)
	127	{
	128	/* In Linux, O_NOFOLLOW means to reject symlinks. If we
	129	did an O_NOLINK lookup above and io_stat here to check
	130	for S_IFLNK, a translator like firmlink could easily
	131	spoof this check by not showing S_IFLNK, but in fact
	132	redirecting the lookup to some other name
	133	(i.e. opening the very same holes a symlink would).
	134
	135	Instead we do an O_NOTRANS lookup above, and stat the
	136	underlying node: if it has a translator set, and its
	137	owner is not root (st_uid 0) then we reject it.
	138	Since the motivation for this feature is security, and
	139	that security presumes we trust the containing
	140	directory, this check approximates the security of
	141	refusing symlinks while accepting mount points.
	142	Note that we actually permit something Linux doesn't:
	143	we follow root-owned symlinks; if that is deemed
	144	undesireable, we can add a final check for that
	145	one exception to our general translator-based rule. */
337738b7	146	struct stat64 st;
5fe915ee RM	147	err = __io_stat (*result, &st);
	148	if (!err
	149	&& (st.st_mode & (S_IPTRANS\|S_IATRANS)))
	150	{
	151	if (st.st_uid != 0)
	152	err = ENOENT;
	153	else if (st.st_mode & S_IPTRANS)
	154	{
	155	char buf[1024];
	156	char *trans = buf;
	157	size_t translen = sizeof buf;
	158	err = __file_get_translator (*result,
	159	&trans, &translen);
	160	if (!err
	161	&& translen > sizeof _HURD_SYMLINK
	162	&& !memcmp (trans,
	163	_HURD_SYMLINK, sizeof _HURD_SYMLINK))
	164	err = ENOENT;
	165	}
	166	}
	167	}
	168
	169	/* We got a successful translation. Now apply any open-time
	170	action flags we were passed. */
	171
	172	if (!err && (flags & O_TRUNC)) /* Asked to truncate the file. */
	173	err = __file_set_size (*result, 0);
	174
	175	if (err)
	176	__mach_port_deallocate (__mach_task_self (), *result);
	177	return err;
	178	}
	179
	180	startdir = *result;
	181	file_name = retryname;
	182	break;
	183
	184	case FS_RETRY_MAGICAL:
	185	switch (retryname[0])
	186	{
	187	case '/':
	188	dirport = INIT_PORT_CRDIR;
	189	if (*result != MACH_PORT_NULL)
	190	__mach_port_deallocate (__mach_task_self (), *result);
4f75b7a0	191	if (nloops++ >= __eloop_threshold ())
5fe915ee RM	192	return ELOOP;
	193	file_name = &retryname[1];
	194	break;
	195
	196	case 'f':
	197	if (retryname[1] == 'd' && retryname[2] == '/')
	198	{
	199	int fd;
	200	char *end;
	201	int save = errno;
	202	errno = 0;
10589b4a	203	fd = (int) __strtoul_internal (&retryname[3], &end, 10, 0);
5fe915ee RM	204	if (end == NULL \|\| errno \|\| /* Malformed number. */
	205	/* Check for excess text after the number. A slash
	206	is valid; it ends the component. Anything else
	207	does not name a numeric file descriptor. */
	208	(end != '/' && end != '\0'))
	209	{
	210	errno = save;
	211	return ENOENT;
	212	}
	213	if (! get_dtable_port)
	214	err = EGRATUITOUS;
	215	else
	216	{
	217	result = (get_dtable_port) (fd);
	218	if (*result == MACH_PORT_NULL)
	219	{
	220	/* If the name was a proper number, but the file
	221	descriptor does not exist, we return EBADF instead
	222	of ENOENT. */
	223	err = errno;
	224	errno = save;
	225	}
	226	}
	227	errno = save;
	228	if (err)
	229	return err;
	230	if (*end == '\0')
	231	return 0;
	232	else
	233	{
	234	/* Do a normal retry on the remaining components. */
	235	startdir = *result;
	236	file_name = end + 1; /* Skip the slash. */
	237	break;
	238	}
	239	}
	240	else
	241	goto bad_magic;
	242	break;
	243
	244	case 'm':
	245	if (retryname[1] == 'a' && retryname[2] == 'c' &&
	246	retryname[3] == 'h' && retryname[4] == 't' &&
	247	retryname[5] == 'y' && retryname[6] == 'p' &&
	248	retryname[7] == 'e')
	249	{
	250	error_t err;
	251	struct host_basic_info hostinfo;
	252	mach_msg_type_number_t hostinfocnt = HOST_BASIC_INFO_COUNT;
	253	char *p;
	254	/* XXX want client's host */
	255	if (err = __host_info (__mach_host_self (), HOST_BASIC_INFO,
8ad684db	256	(integer_t *) &hostinfo,
5fe915ee RM	257	&hostinfocnt))
	258	return err;
	259	if (hostinfocnt != HOST_BASIC_INFO_COUNT)
	260	return EGRATUITOUS;
	261	p = _itoa (hostinfo.cpu_subtype, &retryname[8], 10, 0);
	262	*--p = '/';
	263	p = _itoa (hostinfo.cpu_type, &retryname[8], 10, 0);
	264	if (p < retryname)
	265	abort (); /* XXX write this right if this ever happens */
	266	if (p > retryname)
	267	strcpy (retryname, p);
	268	startdir = *result;
	269	}
	270	else
	271	goto bad_magic;
	272	break;
	273
	274	case 't':
	275	if (retryname[1] == 't' && retryname[2] == 'y')
	276	switch (retryname[3])
	277	{
	278	error_t opentty (file_t *result)
	279	{
	280	error_t err;
	281	error_t ctty_open (file_t port)
	282	{
	283	if (port == MACH_PORT_NULL)
	284	return ENXIO; /* No controlling terminal. */
	285	return __termctty_open_terminal (port,
	286	flags,
	287	result);
	288	}
	289	err = (*use_init_port) (INIT_PORT_CTTYID, &ctty_open);
	290	if (! err)
	291	err = reauthenticate (*result);
	292	return err;
	293	}
	294
	295	case '\0':
	296	return opentty (result);
	297	case '/':
	298	if (err = opentty (&startdir))
	299	return err;
	300	strcpy (retryname, &retryname[4]);
	301	break;
	302	default:
	303	goto bad_magic;
	304	}
	305	else
	306	goto bad_magic;
	307	break;
	308
	309	default:
	310	bad_magic:
	311	return EGRATUITOUS;
	312	}
	313	break;
	314
	315	default:
	316	return EGRATUITOUS;
	317	}
	318
	319	if (startdir != MACH_PORT_NULL)
	320	{
321	err = lookup_op (startdir);
322	__mach_port_deallocate (__mach_task_self (), startdir);
323	startdir = MACH_PORT_NULL;
324	}
325	else
326	err = (*use_init_port) (dirport, &lookup_op);
327	} while (! err);
328
329	return err;
330	}
331	weak_alias (__hurd_file_name_lookup_retry, hurd_file_name_lookup_retry)