1/*
2 * Copyright (c) 2000-2020 Apple Inc. All rights reserved.
3 *
4 * @APPLE_OSREFERENCE_LICENSE_HEADER_START@
5 *
6 * This file contains Original Code and/or Modifications of Original Code
7 * as defined in and that are subject to the Apple Public Source License
8 * Version 2.0 (the 'License'). You may not use this file except in
9 * compliance with the License. The rights granted to you under the License
10 * may not be used to create, or enable the creation or redistribution of,
11 * unlawful or unlicensed copies of an Apple operating system, or to
12 * circumvent, violate, or enable the circumvention or violation of, any
13 * terms of an Apple operating system software license agreement.
14 *
15 * Please obtain a copy of the License at
16 * http://www.opensource.apple.com/apsl/ and read it before using this file.
17 *
18 * The Original Code and all software distributed under the License are
19 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
20 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
21 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
22 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
23 * Please see the License for the specific language governing rights and
24 * limitations under the License.
25 *
26 * @APPLE_OSREFERENCE_LICENSE_HEADER_END@
27 */
28/* Copyright (c) 1995 NeXT Computer, Inc. All Rights Reserved */
29/*
30 * Copyright (c) 1982, 1986, 1989, 1993
31 * The Regents of the University of California. All rights reserved.
32 * (c) UNIX System Laboratories, Inc.
33 * All or some portions of this file are derived from material licensed
34 * to the University of California by American Telephone and Telegraph
35 * Co. or Unix System Laboratories, Inc. and are reproduced herein with
36 * the permission of UNIX System Laboratories, Inc.
37 *
38 * Redistribution and use in source and binary forms, with or without
39 * modification, are permitted provided that the following conditions
40 * are met:
41 * 1. Redistributions of source code must retain the above copyright
42 * notice, this list of conditions and the following disclaimer.
43 * 2. Redistributions in binary form must reproduce the above copyright
44 * notice, this list of conditions and the following disclaimer in the
45 * documentation and/or other materials provided with the distribution.
46 * 3. All advertising materials mentioning features or use of this software
47 * must display the following acknowledgement:
48 * This product includes software developed by the University of
49 * California, Berkeley and its contributors.
50 * 4. Neither the name of the University nor the names of its contributors
51 * may be used to endorse or promote products derived from this software
52 * without specific prior written permission.
53 *
54 * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
55 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
56 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
57 * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
58 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
59 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
60 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
61 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
62 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
63 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
64 * SUCH DAMAGE.
65 *
66 * @(#)vfs_vnops.c 8.14 (Berkeley) 6/15/95
67 *
68 */
69/*
70 * NOTICE: This file was modified by SPARTA, Inc. in 2005 to introduce
71 * support for mandatory and extensible security protections. This notice
72 * is included in support of clause 2.2 (b) of the Apple Public License,
73 * Version 2.0.
74 */
75
76#include <sys/param.h>
77#include <sys/types.h>
78#include <sys/systm.h>
79#include <sys/kernel.h>
80#include <sys/file_internal.h>
81#include <sys/stat.h>
82#include <sys/proc_internal.h>
83#include <sys/kauth.h>
84#include <sys/mount_internal.h>
85#include <sys/namei.h>
86#include <sys/vnode_internal.h>
87#include <sys/ioctl.h>
88#include <sys/fsctl.h>
89#include <sys/tty.h>
90#include <sys/ubc.h>
91#include <sys/conf.h>
92#include <sys/disk.h>
93#include <sys/fsevents.h>
94#include <sys/kdebug.h>
95#include <sys/xattr.h>
96#include <sys/ubc_internal.h>
97#include <sys/uio_internal.h>
98#include <sys/resourcevar.h>
99#include <sys/signalvar.h>
100
101#include <vm/vm_kern.h>
102#include <vm/vm_map.h>
103
104#include <miscfs/specfs/specdev.h>
105#include <miscfs/fifofs/fifo.h>
106
107#if CONFIG_MACF
108#include <security/mac_framework.h>
109#endif
110
111#include <IOKit/IOBSD.h>
112#include <libkern/section_keywords.h>
113
114static int vn_closefile(struct fileglob *fp, vfs_context_t ctx);
115static int vn_ioctl(struct fileproc *fp, u_long com, caddr_t data,
116 vfs_context_t ctx);
117static int vn_read(struct fileproc *fp, struct uio *uio, int flags,
118 vfs_context_t ctx);
119static int vn_write(struct fileproc *fp, struct uio *uio, int flags,
120 vfs_context_t ctx);
121static int vn_select( struct fileproc *fp, int which, void * wql,
122 vfs_context_t ctx);
123static int vn_kqfilter(struct fileproc *fp, struct knote *kn,
124 struct kevent_qos_s *kev);
125static void filt_vndetach(struct knote *kn);
126static int filt_vnode(struct knote *kn, long hint);
127static int filt_vnode_common(struct knote *kn, struct kevent_qos_s *kev,
128 vnode_t vp, long hint);
129static int vn_open_auth_finish(vnode_t vp, int fmode, vfs_context_t ctx);
130
131const struct fileops vnops = {
132 .fo_type = DTYPE_VNODE,
133 .fo_read = vn_read,
134 .fo_write = vn_write,
135 .fo_ioctl = vn_ioctl,
136 .fo_select = vn_select,
137 .fo_close = vn_closefile,
138 .fo_drain = fo_no_drain,
139 .fo_kqfilter = vn_kqfilter,
140};
141
142static int filt_vntouch(struct knote *kn, struct kevent_qos_s *kev);
143static int filt_vnprocess(struct knote *kn, struct kevent_qos_s*kev);
144
145SECURITY_READ_ONLY_EARLY(struct filterops) vnode_filtops = {
146 .f_isfd = 1,
147 .f_attach = NULL,
148 .f_detach = filt_vndetach,
149 .f_event = filt_vnode,
150 .f_touch = filt_vntouch,
151 .f_process = filt_vnprocess,
152};
153
154/*
155 * Common code for vnode open operations.
156 * Check permissions, and call the VNOP_OPEN or VNOP_CREATE routine.
157 *
158 * XXX the profusion of interfaces here is probably a bad thing.
159 */
160int
161vn_open(struct nameidata *ndp, int fmode, int cmode)
162{
163 return vn_open_modflags(ndp, fmode: &fmode, cmode);
164}
165
166int
167vn_open_modflags(struct nameidata *ndp, int *fmodep, int cmode)
168{
169 int error;
170 struct vnode_attr *vap;
171
172 vap = kalloc_type(struct vnode_attr, Z_WAITOK);
173
174 VATTR_INIT(vap);
175 VATTR_SET(vap, va_mode, (mode_t)cmode);
176
177 error = vn_open_auth(ndp, fmode: fmodep, vap, NULLVP);
178
179 kfree_type(struct vnode_attr, vap);
180
181 return error;
182}
183
184static int
185vn_open_auth_finish(vnode_t vp, int fmode, vfs_context_t ctx)
186{
187 int error;
188
189 if ((error = vnode_ref_ext(vp, fmode, 0)) != 0) {
190 goto bad;
191 }
192
193 /* Call out to allow 3rd party notification of open.
194 * Ignore result of kauth_authorize_fileop call.
195 */
196#if CONFIG_MACF
197 mac_vnode_notify_open(ctx, vp, acc_flags: fmode);
198#endif
199 kauth_authorize_fileop(credential: vfs_context_ucred(ctx), KAUTH_FILEOP_OPEN,
200 arg0: (uintptr_t)vp, arg1: 0);
201
202 return 0;
203
204bad:
205 return error;
206}
207
208/*
209 * May do nameidone() to allow safely adding an FSEvent. Cue off of ni_dvp to
210 * determine whether that has happened.
211 */
212static int
213vn_open_auth_do_create(struct nameidata *ndp, struct vnode_attr *vap, int fmode, boolean_t *did_create, boolean_t *did_open, vfs_context_t ctx)
214{
215 uint32_t status = 0;
216 vnode_t dvp = ndp->ni_dvp;
217 int batched;
218 int error;
219 vnode_t vp;
220
221 batched = vnode_compound_open_available(vp: ndp->ni_dvp);
222 *did_open = FALSE;
223
224 VATTR_SET(vap, va_type, VREG);
225 if (fmode & O_EXCL) {
226 vap->va_vaflags |= VA_EXCLUSIVE;
227 }
228
229#if NAMEDRSRCFORK
230 if (ndp->ni_cnd.cn_flags & CN_WANTSRSRCFORK) {
231 if ((error = vn_authorize_create(dvp, &ndp->ni_cnd, vap, ctx, NULL)) != 0) {
232 goto out;
233 }
234 if ((error = vnode_makenamedstream(dvp, &ndp->ni_vp, XATTR_RESOURCEFORK_NAME, 0, ctx)) != 0) {
235 goto out;
236 }
237 *did_create = TRUE;
238 } else {
239#endif
240 if (!batched) {
241 if ((error = vn_authorize_create(dvp, &ndp->ni_cnd, vap, ctx, NULL)) != 0) {
242 goto out;
243 }
244 }
245
246 error = vn_create(dvp, &ndp->ni_vp, ndp, vap, VN_CREATE_DOOPEN, fmode, &status, ctx);
247 if (error != 0) {
248 if (batched) {
249 *did_create = (status & COMPOUND_OPEN_STATUS_DID_CREATE) ? TRUE : FALSE;
250 } else {
251 *did_create = FALSE;
252 }
253
254 if (error == EKEEPLOOKING) {
255 if (*did_create) {
256 panic("EKEEPLOOKING, but we did a create?");
257 }
258 if (!batched) {
259 panic("EKEEPLOOKING from filesystem that doesn't support compound vnops?");
260 }
261 if ((ndp->ni_flag & NAMEI_CONTLOOKUP) == 0) {
262 panic("EKEEPLOOKING, but continue flag not set?");
263 }
264
265 /*
266 * Do NOT drop the dvp: we need everything to continue the lookup.
267 */
268 return error;
269 }
270 } else {
271 if (batched) {
272 *did_create = (status & COMPOUND_OPEN_STATUS_DID_CREATE) ? 1 : 0;
273 *did_open = TRUE;
274 } else {
275 *did_create = TRUE;
276 }
277 }
278#if NAMEDRSRCFORK
279}
280#endif
281
282 vp = ndp->ni_vp;
283
284 if (*did_create) {
285 int update_flags = 0;
286
287 // Make sure the name & parent pointers are hooked up
288 if (vp->v_name == NULL) {
289 update_flags |= VNODE_UPDATE_NAME;
290 }
291 if (vp->v_parent == NULLVP) {
292 update_flags |= VNODE_UPDATE_PARENT;
293 }
294
295 if (update_flags) {
296 vnode_update_identity(vp, dvp, name: ndp->ni_cnd.cn_nameptr, name_len: ndp->ni_cnd.cn_namelen, name_hashval: ndp->ni_cnd.cn_hash, flags: update_flags);
297 }
298
299 vnode_put(vp: dvp);
300 ndp->ni_dvp = NULLVP;
301
302#if CONFIG_FSE
303 if (need_fsevent(FSE_CREATE_FILE, vp)) {
304 add_fsevent(FSE_CREATE_FILE, ctx,
305 FSE_ARG_VNODE, vp,
306 FSE_ARG_DONE);
307 }
308#endif
309 }
310out:
311 if (ndp->ni_dvp != NULLVP) {
312 vnode_put(vp: dvp);
313 ndp->ni_dvp = NULLVP;
314 }
315
316 return error;
317}
318
319/*
320 * This is the number of times we'll loop in vn_open_auth without explicitly
321 * yielding the CPU when we determine we have to retry.
322 */
323#define RETRY_NO_YIELD_COUNT 5
324
325/*
326 * Open a file with authorization, updating the contents of the structures
327 * pointed to by ndp, fmodep, and vap as necessary to perform the requested
328 * operation. This function is used for both opens of existing files, and
329 * creation of new files.
330 *
331 * Parameters: ndp The nami data pointer describing the
332 * file
333 * fmodep A pointer to an int containg the mode
334 * information to be used for the open
335 * vap A pointer to the vnode attribute
336 * descriptor to be used for the open
337 * authvp If non-null and VA_DP_AUTHENTICATE is set in vap,
338 * have a supporting filesystem verify that the file
339 * to be opened is on the same volume as authvp and
340 * that authvp is on an authenticated volume
341 *
342 * Indirect: * Contents of the data structures pointed
343 * to by the parameters are modified as
344 * necessary to the requested operation.
345 *
346 * Returns: 0 Success
347 * !0 errno value
348 *
349 * Notes: The kauth_filesec_t in 'vap', if any, is in host byte order.
350 *
351 * The contents of '*ndp' will be modified, based on the other
352 * arguments to this function, and to return file and directory
353 * data necessary to satisfy the requested operation.
354 *
355 * If the file does not exist and we are creating it, then the
356 * O_TRUNC flag will be cleared in '*fmodep' to indicate to the
357 * caller that the file was not truncated.
358 *
359 * If the file exists and the O_EXCL flag was not specified, then
360 * the O_CREAT flag will be cleared in '*fmodep' to indicate to
361 * the caller that the existing file was merely opened rather
362 * than created.
363 *
364 * The contents of '*vap' will be modified as necessary to
365 * complete the operation, including setting of supported
366 * attribute, clearing of fields containing unsupported attributes
367 * in the request, if the request proceeds without them, etc..
368 *
369 * XXX: This function is too complicated in actings on its arguments
370 *
371 * XXX: We should enummerate the possible errno values here, and where
372 * in the code they originated.
373 */
374int
375vn_open_auth(struct nameidata *ndp, int *fmodep, struct vnode_attr *vap, vnode_t authvp)
376{
377 struct vnode *vp;
378 struct vnode *dvp;
379 vfs_context_t ctx = ndp->ni_cnd.cn_context;
380 int error;
381 int fmode;
382 uint32_t origcnflags;
383 boolean_t did_create;
384 boolean_t did_open;
385 boolean_t need_vnop_open;
386 boolean_t batched;
387 boolean_t ref_failed;
388 int nretries = 0;
389
390again:
391 vp = NULL;
392 dvp = NULL;
393 batched = FALSE;
394 did_create = FALSE;
395 need_vnop_open = TRUE;
396 ref_failed = FALSE;
397 fmode = *fmodep;
398 origcnflags = ndp->ni_cnd.cn_flags;
399
400 if (VATTR_IS_ACTIVE(vap, va_dataprotect_flags)) {
401 if ((authvp != NULLVP)
402 && !ISSET(vap->va_dataprotect_flags, VA_DP_AUTHENTICATE)) {
403 return EINVAL;
404 }
405 // If raw encrypted mode is requested, handle that here
406 if (ISSET(vap->va_dataprotect_flags, VA_DP_RAWENCRYPTED)) {
407 fmode |= FENCRYPTED;
408 }
409 }
410
411 if ((fmode & O_NOFOLLOW_ANY) && (fmode & (O_SYMLINK | O_NOFOLLOW))) {
412 error = EINVAL;
413 goto out;
414 }
415
416 /*
417 * O_CREAT
418 */
419 if (fmode & O_CREAT) {
420 if ((fmode & O_DIRECTORY)) {
421 error = EINVAL;
422 goto out;
423 }
424 ndp->ni_cnd.cn_nameiop = CREATE;
425#if CONFIG_TRIGGERS
426 ndp->ni_op = OP_LINK;
427#endif
428 /* Inherit USEDVP, vnode_open() supported flags only */
429 ndp->ni_cnd.cn_flags &= (USEDVP | NOCROSSMOUNT);
430 ndp->ni_cnd.cn_flags |= LOCKPARENT | LOCKLEAF | AUDITVNPATH1;
431 /* Inherit NAMEI_ROOTDIR flag only */
432 ndp->ni_flag &= NAMEI_ROOTDIR;
433 ndp->ni_flag |= NAMEI_COMPOUNDOPEN;
434#if NAMEDRSRCFORK
435 /* open calls are allowed for resource forks. */
436 ndp->ni_cnd.cn_flags |= CN_ALLOWRSRCFORK;
437#endif
438 if ((fmode & O_EXCL) == 0 && (fmode & O_NOFOLLOW) == 0 && (origcnflags & FOLLOW) != 0) {
439 ndp->ni_cnd.cn_flags |= FOLLOW;
440 }
441 if (fmode & O_NOFOLLOW_ANY) {
442 /* will return ELOOP on the first symlink to be hit */
443 ndp->ni_flag |= NAMEI_NOFOLLOW_ANY;
444 }
445
446continue_create_lookup:
447 if ((error = namei(ndp))) {
448 goto out;
449 }
450
451 dvp = ndp->ni_dvp;
452 vp = ndp->ni_vp;
453
454 batched = vnode_compound_open_available(vp: dvp);
455
456 /* not found, create */
457 if (vp == NULL) {
458 /* must have attributes for a new file */
459 if (vap == NULL) {
460 vnode_put(vp: dvp);
461 error = EINVAL;
462 goto out;
463 }
464 /*
465 * Attempt a create. For a system supporting compound VNOPs, we may
466 * find an existing file or create one; in either case, we will already
467 * have the file open and no VNOP_OPEN() will be needed.
468 */
469 error = vn_open_auth_do_create(ndp, vap, fmode, did_create: &did_create, did_open: &did_open, ctx);
470
471 dvp = ndp->ni_dvp;
472 vp = ndp->ni_vp;
473
474 /*
475 * Detected a node that the filesystem couldn't handle. Don't call
476 * nameidone() yet, because we need that path buffer.
477 */
478 if (error == EKEEPLOOKING) {
479 if (!batched) {
480 panic("EKEEPLOOKING from a filesystem that doesn't support compound VNOPs?");
481 }
482 goto continue_create_lookup;
483 }
484
485 nameidone(ndp);
486 if (dvp) {
487 panic("Shouldn't have a dvp here.");
488 }
489
490 if (error) {
491 /*
492 * Check for a create race.
493 */
494 if ((error == EEXIST) && !(fmode & O_EXCL)) {
495 if (vp) {
496 vnode_put(vp);
497 }
498 goto again;
499 }
500 goto bad;
501 }
502
503 need_vnop_open = !did_open;
504 } else {
505 if (fmode & O_EXCL) {
506 error = EEXIST;
507 }
508
509 /*
510 * We have a vnode. Use compound open if available
511 * or else fall through to "traditional" path. Note: can't
512 * do a compound open for root, because the parent belongs
513 * to a different FS.
514 */
515 if (error == 0 && batched && (vnode_mount(vp: dvp) == vnode_mount(vp))) {
516 error = VNOP_COMPOUND_OPEN(dvp, vpp: &ndp->ni_vp, ndp, flags: 0, fmode, NULL, NULL, ctx);
517
518 if (error == 0) {
519 vp = ndp->ni_vp;
520 need_vnop_open = FALSE;
521 } else if (error == EKEEPLOOKING) {
522 if ((ndp->ni_flag & NAMEI_CONTLOOKUP) == 0) {
523 panic("EKEEPLOOKING, but continue flag not set?");
524 }
525 goto continue_create_lookup;
526 }
527 }
528 nameidone(ndp);
529 vnode_put(vp: dvp);
530 ndp->ni_dvp = NULLVP;
531
532 if (error) {
533 goto bad;
534 }
535
536 fmode &= ~O_CREAT;
537
538 /* Fall through */
539 }
540 } else {
541 /*
542 * Not O_CREAT
543 */
544 ndp->ni_cnd.cn_nameiop = LOOKUP;
545 /* Inherit USEDVP, vnode_open() supported flags only */
546 ndp->ni_cnd.cn_flags &= (USEDVP | NOCROSSMOUNT);
547 ndp->ni_cnd.cn_flags |= FOLLOW | LOCKLEAF | AUDITVNPATH1 | WANTPARENT;
548#if NAMEDRSRCFORK
549 /* open calls are allowed for resource forks. */
550 ndp->ni_cnd.cn_flags |= CN_ALLOWRSRCFORK;
551#endif
552 if (fmode & FENCRYPTED) {
553 ndp->ni_cnd.cn_flags |= CN_RAW_ENCRYPTED | CN_SKIPNAMECACHE;
554 }
555 /* Inherit NAMEI_ROOTDIR flag only */
556 ndp->ni_flag &= NAMEI_ROOTDIR;
557 ndp->ni_flag |= NAMEI_COMPOUNDOPEN;
558
559 /* preserve NOFOLLOW from vnode_open() */
560 if (fmode & O_NOFOLLOW || fmode & O_SYMLINK || (origcnflags & FOLLOW) == 0) {
561 ndp->ni_cnd.cn_flags &= ~FOLLOW;
562 }
563 if (fmode & O_NOFOLLOW_ANY) {
564 /* will return ELOOP on the first symlink to be hit */
565 ndp->ni_flag |= NAMEI_NOFOLLOW_ANY;
566 }
567
568 /* Do a lookup, possibly going directly to filesystem for compound operation */
569 do {
570 if ((error = namei(ndp))) {
571 goto out;
572 }
573 vp = ndp->ni_vp;
574 dvp = ndp->ni_dvp;
575
576 /* Check for batched lookup-open */
577 batched = vnode_compound_open_available(vp: dvp);
578 if (batched && ((vp == NULLVP) || (vnode_mount(vp: dvp) == vnode_mount(vp)))) {
579 error = VNOP_COMPOUND_OPEN(dvp, vpp: &ndp->ni_vp, ndp, flags: 0, fmode, NULL, NULL, ctx);
580 vp = ndp->ni_vp;
581 if (error == 0) {
582 need_vnop_open = FALSE;
583 } else if (error == EKEEPLOOKING) {
584 if ((ndp->ni_flag & NAMEI_CONTLOOKUP) == 0) {
585 panic("EKEEPLOOKING, but continue flag not set?");
586 }
587 } else if ((fmode & (FREAD | FWRITE | FEXEC)) == FEXEC) {
588 /*
589 * Some file systems fail in vnop_open call with absense of
590 * both FREAD and FWRITE access modes. Retry the vnop_open
591 * call again with FREAD access mode added.
592 */
593 error = VNOP_COMPOUND_OPEN(dvp, vpp: &ndp->ni_vp, ndp, flags: 0,
594 fmode: fmode | FREAD, NULL, NULL, ctx);
595 if (error == 0) {
596 vp = ndp->ni_vp;
597 need_vnop_open = FALSE;
598 }
599 }
600 }
601 } while (error == EKEEPLOOKING);
602
603 nameidone(ndp);
604 vnode_put(vp: dvp);
605 ndp->ni_dvp = NULLVP;
606
607 if (error) {
608 goto bad;
609 }
610 }
611
612 /*
613 * By this point, nameidone() is called, dvp iocount is dropped,
614 * and dvp pointer is cleared.
615 */
616 if (ndp->ni_dvp != NULLVP) {
617 panic("Haven't cleaned up adequately in vn_open_auth()");
618 }
619
620 /*
621 * Expect to use this code for filesystems without compound VNOPs, for the root
622 * of a filesystem, which can't be "looked up" in the sense of VNOP_LOOKUP(),
623 * and for shadow files, which do not live on the same filesystems as their "parents."
624 */
625 if (need_vnop_open) {
626 if (batched && !vnode_isvroot(vp) && !vnode_isnamedstream(vp)) {
627 panic("Why am I trying to use VNOP_OPEN() on anything other than the root or a named stream?");
628 }
629
630 if (!did_create) {
631 error = vn_authorize_open_existing(vp, cnp: &ndp->ni_cnd, fmode, ctx, NULL);
632 if (error) {
633 goto bad;
634 }
635 }
636
637 if (VATTR_IS_ACTIVE(vap, va_dataprotect_flags)) {
638 if (ISSET(vap->va_dataprotect_flags, VA_DP_RAWUNENCRYPTED)) {
639 /* Don't allow unencrypted io request from user space unless entitled */
640 boolean_t entitled = FALSE;
641#if !SECURE_KERNEL
642 entitled = IOCurrentTaskHasEntitlement(entitlement: "com.apple.private.security.file-unencrypt-access");
643#endif /* SECURE_KERNEL */
644 if (!entitled) {
645 error = EPERM;
646 goto bad;
647 }
648 fmode |= FUNENCRYPTED;
649 }
650
651 if (ISSET(vap->va_dataprotect_flags, VA_DP_AUTHENTICATE)) {
652 fsioc_auth_fs_t afs = { .authvp = authvp };
653
654 error = VNOP_IOCTL(vp, FSIOC_AUTH_FS, data: (caddr_t)&afs, fflag: 0, ctx);
655 if (error) {
656 goto bad;
657 }
658 }
659 }
660
661 error = VNOP_OPEN(vp, fmode, ctx);
662 if (error) {
663 /*
664 * Some file systems fail in vnop_open call with absense of both
665 * FREAD and FWRITE access modes. Retry the vnop_open call again
666 * with FREAD access mode added.
667 */
668 if ((fmode & (FREAD | FWRITE | FEXEC)) == FEXEC) {
669 error = VNOP_OPEN(vp, fmode | FREAD, ctx);
670 }
671 if (error) {
672 goto bad;
673 }
674 }
675 need_vnop_open = FALSE;
676 }
677
678 // if the vnode is tagged VOPENEVT and the current process
679 // has the P_CHECKOPENEVT flag set, then we or in the O_EVTONLY
680 // flag to the open mode so that this open won't count against
681 // the vnode when carbon delete() does a vnode_isinuse() to see
682 // if a file is currently in use. this allows spotlight
683 // importers to not interfere with carbon apps that depend on
684 // the no-delete-if-busy semantics of carbon delete().
685 //
686 if (!did_create && (vp->v_flag & VOPENEVT) && (current_proc()->p_flag & P_CHECKOPENEVT)) {
687 fmode |= O_EVTONLY;
688 }
689
690 /*
691 * Grab reference, etc.
692 */
693 error = vn_open_auth_finish(vp, fmode, ctx);
694 if (error) {
695 ref_failed = TRUE;
696 goto bad;
697 }
698
699 /* Compound VNOP open is responsible for doing the truncate */
700 if (batched || did_create) {
701 fmode &= ~O_TRUNC;
702 }
703
704 *fmodep = fmode;
705 return 0;
706
707bad:
708 /* Opened either explicitly or by a batched create */
709 if (!need_vnop_open) {
710 VNOP_CLOSE(vp, fmode, ctx);
711 }
712
713 ndp->ni_vp = NULL;
714 if (vp) {
715#if NAMEDRSRCFORK
716 /* Aggressively recycle shadow files if we error'd out during open() */
717 if ((vnode_isnamedstream(vp)) &&
718 (vp->v_parent != NULLVP) &&
719 (vnode_isshadow(vp))) {
720 vnode_recycle(vp);
721 }
722#endif
723 vnode_put(vp);
724 /*
725 * Check for a race against unlink. We had a vnode
726 * but according to vnode_authorize or VNOP_OPEN it
727 * no longer exists.
728 *
729 * EREDRIVEOPEN: means that we were hit by the tty allocation race or NFSv4 open/create race.
730 */
731 if (((error == ENOENT) && (*fmodep & O_CREAT)) || (error == EREDRIVEOPEN) || ref_failed) {
732 /*
733 * We'll retry here but it may be possible that we get
734 * into a retry "spin" inside the kernel and not allow
735 * threads, which need to run in order for the retry
736 * loop to end, to run. An example is an open of a
737 * terminal which is getting revoked and we spin here
738 * without yielding becasue namei and VNOP_OPEN are
739 * successful but vnode_ref fails. The revoke needs
740 * threads with an iocount to run but if spin here we
741 * may possibly be blcoking other threads from running.
742 *
743 * We start yielding the CPU after some number of
744 * retries for increasing durations. Note that this is
745 * still a loop without an exit condition.
746 */
747 nretries += 1;
748 if (nretries > RETRY_NO_YIELD_COUNT) {
749 /* Every hz/100 secs is 10 msecs ... */
750 tsleep(chan: &nretries, PVFS, wmesg: "vn_open_auth_retry",
751 MIN((nretries * (hz / 100)), hz));
752 }
753 goto again;
754 }
755 }
756
757out:
758 return error;
759}
760
761#if vn_access_DEPRECATED
762/*
763 * Authorize an action against a vnode. This has been the canonical way to
764 * ensure that the credential/process/etc. referenced by a vfs_context
765 * is granted the rights called out in 'mode' against the vnode 'vp'.
766 *
767 * Unfortunately, the use of VREAD/VWRITE/VEXEC makes it very difficult
768 * to add support for more rights. As such, this interface will be deprecated
769 * and callers will use vnode_authorize instead.
770 */
771int
772vn_access(vnode_t vp, int mode, vfs_context_t context)
773{
774 kauth_action_t action;
775
776 action = 0;
777 if (mode & VREAD) {
778 action |= KAUTH_VNODE_READ_DATA;
779 }
780 if (mode & VWRITE) {
781 action |= KAUTH_VNODE_WRITE_DATA;
782 }
783 if (mode & VEXEC) {
784 action |= KAUTH_VNODE_EXECUTE;
785 }
786
787 return vnode_authorize(vp, NULL, action, context);
788}
789#endif /* vn_access_DEPRECATED */
790
791/*
792 * Vnode close call
793 */
794int
795vn_close(struct vnode *vp, int flags, vfs_context_t ctx)
796{
797 int error;
798 int flusherror = 0;
799
800#if NAMEDRSRCFORK
801 /* Sync data from resource fork shadow file if needed. */
802 if ((vp->v_flag & VISNAMEDSTREAM) &&
803 (vp->v_parent != NULLVP) &&
804 vnode_isshadow(vp)) {
805 if (flags & FWASWRITTEN) {
806 flusherror = vnode_flushnamedstream(vp: vp->v_parent, svp: vp, context: ctx);
807 }
808 }
809#endif
810 /*
811 * If vnode @vp belongs to a chardev or a blkdev then it is handled
812 * specially. We first drop its user reference count @vp->v_usecount
813 * before calling VNOP_CLOSE(). This was done historically to ensure
814 * that the last close of a special device vnode performed some
815 * conditional cleanups. Now we still need to drop this reference here
816 * to ensure that devfsspec_close() can check if the vnode is still in
817 * use.
818 */
819 if (vnode_isspec(vp)) {
820 (void)vnode_rele_ext(vp, flags, 0);
821 }
822
823 /*
824 * On HFS, we flush when the last writer closes. We do this
825 * because resource fork vnodes hold a reference on data fork
826 * vnodes and that will prevent them from getting VNOP_INACTIVE
827 * which will delay when we flush cached data. In future, we
828 * might find it beneficial to do this for all file systems.
829 * Note that it's OK to access v_writecount without the lock
830 * in this context.
831 */
832 if (vp->v_tag == VT_HFS && (flags & FWRITE) && vp->v_writecount == 1) {
833 VNOP_FSYNC(vp, MNT_NOWAIT, ctx);
834 }
835
836 error = VNOP_CLOSE(vp, flags, ctx);
837
838#if CONFIG_FSE
839 if (flags & FWASWRITTEN) {
840 if (need_fsevent(FSE_CONTENT_MODIFIED, vp)) {
841 add_fsevent(FSE_CONTENT_MODIFIED, ctx,
842 FSE_ARG_VNODE, vp,
843 FSE_ARG_DONE);
844 }
845 }
846#endif
847
848 if (!vnode_isspec(vp)) {
849 (void)vnode_rele_ext(vp, flags, 0);
850 }
851
852 if (flusherror) {
853 error = flusherror;
854 }
855 return error;
856}
857
858static int
859vn_read_swapfile(
860 struct vnode *vp,
861 uio_t uio)
862{
863 int error;
864 off_t swap_count, this_count;
865 off_t file_end, read_end;
866 off_t prev_resid;
867 char *my_swap_page;
868
869 /*
870 * Reading from a swap file will get you zeroes.
871 */
872
873 my_swap_page = NULL;
874 error = 0;
875 swap_count = uio_resid(a_uio: uio);
876
877 file_end = ubc_getsize(vp);
878 read_end = uio->uio_offset + uio_resid(a_uio: uio);
879 if (uio->uio_offset >= file_end) {
880 /* uio starts after end of file: nothing to read */
881 swap_count = 0;
882 } else if (read_end > file_end) {
883 /* uio extends beyond end of file: stop before that */
884 swap_count -= (read_end - file_end);
885 }
886
887 while (swap_count > 0) {
888 if (my_swap_page == NULL) {
889 my_swap_page = kalloc_data(PAGE_SIZE, Z_WAITOK | Z_ZERO);
890 /* add an end-of-line to keep line counters happy */
891 my_swap_page[PAGE_SIZE - 1] = '\n';
892 }
893 this_count = swap_count;
894 if (this_count > PAGE_SIZE) {
895 this_count = PAGE_SIZE;
896 }
897
898 prev_resid = uio_resid(a_uio: uio);
899 error = uiomove(cp: (caddr_t) my_swap_page,
900 n: (int)this_count,
901 uio);
902 if (error) {
903 break;
904 }
905 swap_count -= (prev_resid - uio_resid(a_uio: uio));
906 }
907 kfree_data(my_swap_page, PAGE_SIZE);
908
909 return error;
910}
911/*
912 * Package up an I/O request on a vnode into a uio and do it.
913 */
914int
915vn_rdwr(
916 enum uio_rw rw,
917 struct vnode *vp,
918 caddr_t base,
919 int len,
920 off_t offset,
921 enum uio_seg segflg,
922 int ioflg,
923 kauth_cred_t cred,
924 int *aresid,
925 proc_t p)
926{
927 int64_t resid;
928 int result;
929
930 if (len < 0) {
931 return EINVAL;
932 }
933
934 result = vn_rdwr_64(rw,
935 vp,
936 base: (uint64_t)(uintptr_t)base,
937 len: (int64_t)len,
938 offset,
939 segflg,
940 ioflg,
941 cred,
942 aresid: &resid,
943 p);
944
945 /* "resid" should be bounded above by "len," which is an int */
946 if (aresid != NULL) {
947 *aresid = (int)resid;
948 }
949
950 return result;
951}
952
953
954int
955vn_rdwr_64(
956 enum uio_rw rw,
957 struct vnode *vp,
958 uint64_t base,
959 int64_t len,
960 off_t offset,
961 enum uio_seg segflg,
962 int ioflg,
963 kauth_cred_t cred,
964 int64_t *aresid,
965 proc_t p)
966{
967 uio_t auio;
968 int spacetype;
969 struct vfs_context context;
970 int error = 0;
971 UIO_STACKBUF(uio_buf, 1);
972
973 context.vc_thread = current_thread();
974 context.vc_ucred = cred;
975
976 if (UIO_SEG_IS_USER_SPACE(segflg)) {
977 spacetype = proc_is64bit(p) ? UIO_USERSPACE64 : UIO_USERSPACE32;
978 } else {
979 spacetype = UIO_SYSSPACE;
980 }
981
982 if (len < 0) {
983 return EINVAL;
984 }
985
986 auio = uio_createwithbuffer(a_iovcount: 1, a_offset: offset, a_spacetype: spacetype, a_iodirection: rw,
987 a_buf_p: &uio_buf[0], a_buffer_size: sizeof(uio_buf));
988 uio_addiov(a_uio: auio, CAST_USER_ADDR_T(base), a_length: (user_size_t)len);
989
990#if CONFIG_MACF
991 /* XXXMAC
992 * IO_NOAUTH should be re-examined.
993 * Likely that mediation should be performed in caller.
994 */
995 if ((ioflg & IO_NOAUTH) == 0) {
996 /* passed cred is fp->f_cred */
997 if (rw == UIO_READ) {
998 error = mac_vnode_check_read(ctx: &context, file_cred: cred, vp);
999 } else {
1000 error = mac_vnode_check_write(ctx: &context, file_cred: cred, vp);
1001 }
1002 }
1003#endif
1004
1005 if (error == 0) {
1006 if (rw == UIO_READ) {
1007 if (vnode_isswap(vp) && ((ioflg & IO_SWAP_DISPATCH) == 0)) {
1008 error = vn_read_swapfile(vp, uio: auio);
1009 } else {
1010 error = VNOP_READ(vp, uio: auio, ioflag: ioflg, ctx: &context);
1011 }
1012 } else {
1013 error = VNOP_WRITE(vp, uio: auio, ioflag: ioflg, ctx: &context);
1014 }
1015 }
1016
1017 if (aresid) {
1018 *aresid = uio_resid(a_uio: auio);
1019 assert(*aresid <= len);
1020 } else if (uio_resid(a_uio: auio) && error == 0) {
1021 error = EIO;
1022 }
1023 return error;
1024}
1025
1026void
1027vn_offset_lock(struct fileglob *fg)
1028{
1029 lck_mtx_lock_spin(lck: &fg->fg_lock);
1030 while (fg->fg_lflags & FG_OFF_LOCKED) {
1031 fg->fg_lflags |= FG_OFF_LOCKWANT;
1032 msleep(chan: &fg->fg_lflags, mtx: &fg->fg_lock, PVFS | PSPIN,
1033 wmesg: "fg_offset_lock_wait", ts: 0);
1034 }
1035 fg->fg_lflags |= FG_OFF_LOCKED;
1036 lck_mtx_unlock(lck: &fg->fg_lock);
1037}
1038
1039void
1040vn_offset_unlock(struct fileglob *fg)
1041{
1042 int lock_wanted = 0;
1043
1044 lck_mtx_lock_spin(lck: &fg->fg_lock);
1045 if (fg->fg_lflags & FG_OFF_LOCKWANT) {
1046 lock_wanted = 1;
1047 }
1048 fg->fg_lflags &= ~(FG_OFF_LOCKED | FG_OFF_LOCKWANT);
1049 lck_mtx_unlock(lck: &fg->fg_lock);
1050 if (lock_wanted) {
1051 wakeup(chan: &fg->fg_lflags);
1052 }
1053}
1054
1055static int
1056vn_read_common(vnode_t vp, struct uio *uio, int fflag, vfs_context_t ctx)
1057{
1058 int error;
1059 int ioflag;
1060 off_t read_offset;
1061 user_ssize_t read_len;
1062 user_ssize_t adjusted_read_len;
1063 user_ssize_t clippedsize;
1064
1065 /* Caller has already validated read_len. */
1066 read_len = uio_resid(a_uio: uio);
1067 assert(read_len >= 0 && read_len <= INT_MAX);
1068
1069 adjusted_read_len = read_len;
1070 clippedsize = 0;
1071
1072#if CONFIG_MACF
1073 error = mac_vnode_check_read(ctx, file_cred: vfs_context_ucred(ctx), vp);
1074 if (error) {
1075 return error;
1076 }
1077#endif
1078
1079 /* This signals to VNOP handlers that this read came from a file table read */
1080 ioflag = IO_SYSCALL_DISPATCH;
1081
1082 if (fflag & FNONBLOCK) {
1083 ioflag |= IO_NDELAY;
1084 }
1085 if ((fflag & FNOCACHE) || vnode_isnocache(vp)) {
1086 ioflag |= IO_NOCACHE;
1087 }
1088 if (fflag & FENCRYPTED) {
1089 ioflag |= IO_ENCRYPTED;
1090 }
1091 if (fflag & FUNENCRYPTED) {
1092 ioflag |= IO_SKIP_ENCRYPTION;
1093 }
1094 if (fflag & O_EVTONLY) {
1095 ioflag |= IO_EVTONLY;
1096 }
1097 if (fflag & FNORDAHEAD) {
1098 ioflag |= IO_RAOFF;
1099 }
1100
1101 read_offset = uio_offset(a_uio: uio);
1102 /* POSIX allows negative offsets for character devices. */
1103 if ((read_offset < 0) && (vnode_vtype(vp) != VCHR)) {
1104 error = EINVAL;
1105 goto error_out;
1106 }
1107
1108 if (read_offset == INT64_MAX) {
1109 /* can't read any more */
1110 error = 0;
1111 goto error_out;
1112 }
1113
1114 /*
1115 * If offset + len will cause overflow, reduce the len to a value
1116 * (adjusted_read_len) where it won't
1117 */
1118 if ((read_offset >= 0) && (INT64_MAX - read_offset) < read_len) {
1119 /*
1120 * 0 read_offset INT64_MAX
1121 * |-----------------------------------------------|----------|~~~
1122 * <--read_len-->
1123 * <-adjusted->
1124 */
1125 adjusted_read_len = (user_ssize_t)(INT64_MAX - read_offset);
1126 }
1127
1128 if (adjusted_read_len < read_len) {
1129 uio_setresid(a_uio: uio, a_value: adjusted_read_len);
1130 clippedsize = read_len - adjusted_read_len;
1131 }
1132
1133 if (vnode_isswap(vp) && !(IO_SKIP_ENCRYPTION & ioflag)) {
1134 /* special case for swap files */
1135 error = vn_read_swapfile(vp, uio);
1136 } else {
1137 error = VNOP_READ(vp, uio, ioflag, ctx);
1138 }
1139
1140 if (clippedsize) {
1141 uio_setresid(a_uio: uio, a_value: (uio_resid(a_uio: uio) + clippedsize));
1142 }
1143
1144error_out:
1145 return error;
1146}
1147
1148/*
1149 * File table vnode read routine.
1150 */
1151static int
1152vn_read(struct fileproc *fp, struct uio *uio, int flags, vfs_context_t ctx)
1153{
1154 vnode_t vp;
1155 user_ssize_t read_len;
1156 int error;
1157 bool offset_locked;
1158
1159 read_len = uio_resid(a_uio: uio);
1160 if (read_len < 0 || read_len > INT_MAX) {
1161 return EINVAL;
1162 }
1163
1164 if ((flags & FOF_OFFSET) == 0) {
1165 vn_offset_lock(fg: fp->fp_glob);
1166 offset_locked = true;
1167 } else {
1168 offset_locked = false;
1169 }
1170 vp = (struct vnode *)fp_get_data(fp);
1171 if ((error = vnode_getwithref(vp))) {
1172 if (offset_locked) {
1173 vn_offset_unlock(fg: fp->fp_glob);
1174 }
1175 return error;
1176 }
1177
1178 if (offset_locked && (vnode_vtype(vp) != VREG || vnode_isswap(vp))) {
1179 vn_offset_unlock(fg: fp->fp_glob);
1180 offset_locked = false;
1181 }
1182
1183 if ((flags & FOF_OFFSET) == 0) {
1184 uio_setoffset(a_uio: uio, a_offset: fp->fp_glob->fg_offset);
1185 }
1186
1187 error = vn_read_common(vp, uio, fflag: fp->fp_glob->fg_flag, ctx);
1188
1189 if ((flags & FOF_OFFSET) == 0) {
1190 fp->fp_glob->fg_offset += read_len - uio_resid(a_uio: uio);
1191 }
1192
1193 if (offset_locked) {
1194 vn_offset_unlock(fg: fp->fp_glob);
1195 offset_locked = false;
1196 }
1197
1198 vnode_put(vp);
1199 return error;
1200}
1201
1202/*
1203 * File table vnode write routine.
1204 */
1205static int
1206vn_write(struct fileproc *fp, struct uio *uio, int flags, vfs_context_t ctx)
1207{
1208 struct vnode *vp;
1209 int error, ioflag;
1210 off_t write_offset;
1211 off_t write_end_offset;
1212 user_ssize_t write_len;
1213 user_ssize_t adjusted_write_len;
1214 user_ssize_t clippedsize;
1215 bool offset_locked;
1216 proc_t p = vfs_context_proc(ctx);
1217 rlim_t rlim_cur_fsize = p ? proc_limitgetcur(p, RLIMIT_FSIZE) : 0;
1218
1219 write_len = uio_resid(a_uio: uio);
1220 if (write_len < 0 || write_len > INT_MAX) {
1221 return EINVAL;
1222 }
1223 adjusted_write_len = write_len;
1224 clippedsize = 0;
1225
1226 if ((flags & FOF_OFFSET) == 0) {
1227 vn_offset_lock(fg: fp->fp_glob);
1228 offset_locked = true;
1229 } else {
1230 offset_locked = false;
1231 }
1232
1233 vp = (struct vnode *)fp_get_data(fp);
1234 if ((error = vnode_getwithref(vp))) {
1235 if (offset_locked) {
1236 vn_offset_unlock(fg: fp->fp_glob);
1237 }
1238 return error;
1239 }
1240
1241 if (offset_locked && (vnode_vtype(vp) != VREG || vnode_isswap(vp))) {
1242 vn_offset_unlock(fg: fp->fp_glob);
1243 offset_locked = false;
1244 }
1245
1246#if CONFIG_MACF
1247 error = mac_vnode_check_write(ctx, file_cred: vfs_context_ucred(ctx), vp);
1248 if (error) {
1249 (void)vnode_put(vp);
1250 if (offset_locked) {
1251 vn_offset_unlock(fg: fp->fp_glob);
1252 }
1253 return error;
1254 }
1255#endif
1256
1257 /*
1258 * IO_SYSCALL_DISPATCH signals to VNOP handlers that this write came from
1259 * a file table write
1260 */
1261 ioflag = (IO_UNIT | IO_SYSCALL_DISPATCH);
1262
1263 if (vp->v_type == VREG && (fp->fp_glob->fg_flag & O_APPEND)) {
1264 ioflag |= IO_APPEND;
1265 }
1266 if (fp->fp_glob->fg_flag & FNONBLOCK) {
1267 ioflag |= IO_NDELAY;
1268 }
1269 if ((fp->fp_glob->fg_flag & FNOCACHE) || vnode_isnocache(vp)) {
1270 ioflag |= IO_NOCACHE;
1271 }
1272 if (fp->fp_glob->fg_flag & FNODIRECT) {
1273 ioflag |= IO_NODIRECT;
1274 }
1275 if (fp->fp_glob->fg_flag & FSINGLE_WRITER) {
1276 ioflag |= IO_SINGLE_WRITER;
1277 }
1278 if (fp->fp_glob->fg_flag & O_EVTONLY) {
1279 ioflag |= IO_EVTONLY;
1280 }
1281
1282 /*
1283 * Treat synchronous mounts and O_FSYNC on the fd as equivalent.
1284 *
1285 * XXX We treat O_DSYNC as O_FSYNC for now, since we can not delay
1286 * XXX the non-essential metadata without some additional VFS work;
1287 * XXX the intent at this point is to plumb the interface for it.
1288 */
1289 if ((fp->fp_glob->fg_flag & (O_FSYNC | O_DSYNC)) ||
1290 (vp->v_mount && (vp->v_mount->mnt_flag & MNT_SYNCHRONOUS))) {
1291 ioflag |= IO_SYNC;
1292 }
1293
1294 if ((flags & FOF_OFFSET) == 0) {
1295 write_offset = fp->fp_glob->fg_offset;
1296 uio_setoffset(a_uio: uio, a_offset: write_offset);
1297 } else {
1298 /* for pwrite, append should be ignored */
1299 ioflag &= ~IO_APPEND;
1300 write_offset = uio_offset(a_uio: uio);
1301 /* POSIX allows negative offsets for character devices. */
1302 if ((write_offset < 0) && (vnode_vtype(vp) != VCHR)) {
1303 error = EINVAL;
1304 goto error_out;
1305 }
1306 }
1307
1308 if (write_offset == INT64_MAX) {
1309 /* writes are not possible */
1310 error = EFBIG;
1311 goto error_out;
1312 }
1313
1314 /*
1315 * write_len is the original write length that was requested.
1316 * We may however need to reduce that becasue of two reasons
1317 *
1318 * 1) If write_offset + write_len will exceed OFF_T_MAX (i.e. INT64_MAX)
1319 * and/or
1320 * 2) If write_offset + write_len will exceed the administrative
1321 * limit for the maximum file size.
1322 *
1323 * In both cases the write will be denied if we can't write even a single
1324 * byte otherwise it will be "clipped" (i.e. a short write).
1325 */
1326
1327 /*
1328 * If offset + len will cause overflow, reduce the len
1329 * to a value (adjusted_write_len) where it won't
1330 */
1331 if ((write_offset >= 0) && (INT64_MAX - write_offset) < write_len) {
1332 /*
1333 * 0 write_offset INT64_MAX
1334 * |-----------------------------------------------|----------|~~~
1335 * <--write_len-->
1336 * <-adjusted->
1337 */
1338 adjusted_write_len = (user_ssize_t)(INT64_MAX - write_offset);
1339 }
1340
1341 /* write_end_offset will always be [0, INT64_MAX] */
1342 write_end_offset = write_offset + adjusted_write_len;
1343
1344 if (p && (vp->v_type == VREG) &&
1345 (rlim_cur_fsize != RLIM_INFINITY) &&
1346 (rlim_cur_fsize <= INT64_MAX) &&
1347 (write_end_offset > (off_t)rlim_cur_fsize)) {
1348 /*
1349 * If the requested residual would cause us to go past the
1350 * administrative limit, then we need to adjust the residual
1351 * down to cause fewer bytes than requested to be written. If
1352 * we can't do that (e.g. the residual is already 1 byte),
1353 * then we fail the write with EFBIG.
1354 */
1355 if (write_offset >= (off_t)rlim_cur_fsize) {
1356 /*
1357 * 0 rlim_fsize write_offset write_end INT64_MAX
1358 * |------------------------|----------|-------------|--------|
1359 * <--write_len-->
1360 *
1361 * write not permitted
1362 */
1363 psignal(p, SIGXFSZ);
1364 error = EFBIG;
1365 goto error_out;
1366 }
1367
1368 /*
1369 * 0 write_offset rlim_fsize write_end INT64_MAX
1370 * |------------------------|-----------|---------|------------|
1371 * <------write_len------>
1372 * <-adjusted-->
1373 */
1374 adjusted_write_len = (user_ssize_t)((off_t)rlim_cur_fsize - write_offset);
1375 assert((adjusted_write_len > 0) && (adjusted_write_len < write_len));
1376 }
1377
1378 if (adjusted_write_len < write_len) {
1379 uio_setresid(a_uio: uio, a_value: adjusted_write_len);
1380 clippedsize = write_len - adjusted_write_len;
1381 }
1382
1383 error = VNOP_WRITE(vp, uio, ioflag, ctx);
1384
1385 /*
1386 * If we had to reduce the size of write requested either because
1387 * of rlimit or because it would have exceeded
1388 * maximum file size, we have to add that back to the residual so
1389 * it correctly reflects what we did in this function.
1390 */
1391 if (clippedsize) {
1392 uio_setresid(a_uio: uio, a_value: (uio_resid(a_uio: uio) + clippedsize));
1393 }
1394
1395 if ((flags & FOF_OFFSET) == 0) {
1396 if (ioflag & IO_APPEND) {
1397 fp->fp_glob->fg_offset = uio_offset(a_uio: uio);
1398 } else {
1399 fp->fp_glob->fg_offset += (write_len - uio_resid(a_uio: uio));
1400 }
1401 if (offset_locked) {
1402 vn_offset_unlock(fg: fp->fp_glob);
1403 offset_locked = false;
1404 }
1405 }
1406
1407 /*
1408 * Set the credentials on successful writes
1409 */
1410 if ((error == 0) && (vp->v_tag == VT_NFS) && (UBCINFOEXISTS(vp))) {
1411 ubc_setcred(vp, vfs_context_ucred(ctx));
1412 }
1413
1414#if CONFIG_FILE_LEASES
1415 /*
1416 * On success, break the parent dir lease as the file's attributes (size
1417 * and/or mtime) have changed. Best attempt to break lease, just drop the
1418 * the error upon failure as there is no point to return error when the
1419 * write has completed successfully.
1420 */
1421 if (__probable(error == 0)) {
1422 vnode_breakdirlease(vp, true, O_WRONLY);
1423 }
1424#endif /* CONFIG_FILE_LEASES */
1425
1426 (void)vnode_put(vp);
1427 return error;
1428
1429error_out:
1430 if (offset_locked) {
1431 vn_offset_unlock(fg: fp->fp_glob);
1432 }
1433 (void)vnode_put(vp);
1434 return error;
1435}
1436
1437/*
1438 * File table vnode stat routine.
1439 *
1440 * Returns: 0 Success
1441 * EBADF
1442 * ENOMEM
1443 * vnode_getattr:???
1444 */
1445int
1446vn_stat_noauth(struct vnode *vp, void *sbptr, kauth_filesec_t *xsec, int isstat64,
1447 int needsrealdev, vfs_context_t ctx, struct ucred *file_cred)
1448{
1449 struct vnode_attr va;
1450 int error;
1451 u_short mode;
1452 kauth_filesec_t fsec;
1453 struct stat *sb = (struct stat *)0; /* warning avoidance ; protected by isstat64 */
1454 struct stat64 * sb64 = (struct stat64 *)0; /* warning avoidance ; protected by isstat64 */
1455
1456 if (isstat64 != 0) {
1457 sb64 = (struct stat64 *)sbptr;
1458 } else {
1459 sb = (struct stat *)sbptr;
1460 }
1461 memset(s: &va, c: 0, n: sizeof(va));
1462 VATTR_INIT(&va);
1463 VATTR_WANTED(&va, va_fsid);
1464 VATTR_WANTED(&va, va_fileid);
1465 VATTR_WANTED(&va, va_mode);
1466 VATTR_WANTED(&va, va_type);
1467 VATTR_WANTED(&va, va_nlink);
1468 VATTR_WANTED(&va, va_uid);
1469 VATTR_WANTED(&va, va_gid);
1470 VATTR_WANTED(&va, va_rdev);
1471 VATTR_WANTED(&va, va_data_size);
1472 VATTR_WANTED(&va, va_access_time);
1473 VATTR_WANTED(&va, va_modify_time);
1474 VATTR_WANTED(&va, va_change_time);
1475 VATTR_WANTED(&va, va_create_time);
1476 VATTR_WANTED(&va, va_flags);
1477 VATTR_WANTED(&va, va_gen);
1478 VATTR_WANTED(&va, va_iosize);
1479 /* lower layers will synthesise va_total_alloc from va_data_size if required */
1480 VATTR_WANTED(&va, va_total_alloc);
1481 if (xsec != NULL) {
1482 VATTR_WANTED(&va, va_uuuid);
1483 VATTR_WANTED(&va, va_guuid);
1484 VATTR_WANTED(&va, va_acl);
1485 }
1486 if (needsrealdev) {
1487 va.va_vaflags = VA_REALFSID;
1488 }
1489 error = vnode_getattr(vp, vap: &va, ctx);
1490 if (error) {
1491 goto out;
1492 }
1493#if CONFIG_MACF
1494 /*
1495 * Give MAC polices a chance to reject or filter the attributes
1496 * returned by the filesystem. Note that MAC policies are consulted
1497 * *after* calling the filesystem because filesystems can return more
1498 * attributes than were requested so policies wouldn't be authoritative
1499 * is consulted beforehand. This also gives policies an opportunity
1500 * to change the values of attributes retrieved.
1501 */
1502 error = mac_vnode_check_getattr(ctx, file_cred, vp, va: &va);
1503 if (error) {
1504 goto out;
1505 }
1506#endif
1507 /*
1508 * Copy from vattr table
1509 */
1510 if (isstat64 != 0) {
1511 sb64->st_dev = va.va_fsid;
1512 sb64->st_ino = (ino64_t)va.va_fileid;
1513 } else {
1514 sb->st_dev = va.va_fsid;
1515 sb->st_ino = (ino_t)va.va_fileid;
1516 }
1517 mode = va.va_mode;
1518 switch (vp->v_type) {
1519 case VREG:
1520 mode |= S_IFREG;
1521 break;
1522 case VDIR:
1523 mode |= S_IFDIR;
1524 break;
1525 case VBLK:
1526 mode |= S_IFBLK;
1527 break;
1528 case VCHR:
1529 mode |= S_IFCHR;
1530 break;
1531 case VLNK:
1532 mode |= S_IFLNK;
1533 break;
1534 case VSOCK:
1535 mode |= S_IFSOCK;
1536 break;
1537 case VFIFO:
1538 mode |= S_IFIFO;
1539 break;
1540 default:
1541 error = EBADF;
1542 goto out;
1543 }
1544 ;
1545 if (isstat64 != 0) {
1546 sb64->st_mode = mode;
1547 sb64->st_nlink = VATTR_IS_SUPPORTED(&va, va_nlink) ? va.va_nlink > UINT16_MAX ? UINT16_MAX : (u_int16_t)va.va_nlink : 1;
1548 sb64->st_uid = va.va_uid;
1549 sb64->st_gid = va.va_gid;
1550 sb64->st_rdev = va.va_rdev;
1551 sb64->st_size = va.va_data_size;
1552 sb64->st_atimespec = va.va_access_time;
1553 sb64->st_mtimespec = va.va_modify_time;
1554 sb64->st_ctimespec = va.va_change_time;
1555 if (VATTR_IS_SUPPORTED(&va, va_create_time)) {
1556 sb64->st_birthtimespec = va.va_create_time;
1557 } else {
1558 sb64->st_birthtimespec.tv_sec = sb64->st_birthtimespec.tv_nsec = 0;
1559 }
1560 sb64->st_blksize = va.va_iosize;
1561 sb64->st_flags = va.va_flags;
1562 sb64->st_blocks = roundup(va.va_total_alloc, 512) / 512;
1563 } else {
1564 sb->st_mode = mode;
1565 sb->st_nlink = VATTR_IS_SUPPORTED(&va, va_nlink) ? va.va_nlink > UINT16_MAX ? UINT16_MAX : (u_int16_t)va.va_nlink : 1;
1566 sb->st_uid = va.va_uid;
1567 sb->st_gid = va.va_gid;
1568 sb->st_rdev = va.va_rdev;
1569 sb->st_size = va.va_data_size;
1570 sb->st_atimespec = va.va_access_time;
1571 sb->st_mtimespec = va.va_modify_time;
1572 sb->st_ctimespec = va.va_change_time;
1573 sb->st_blksize = va.va_iosize;
1574 sb->st_flags = va.va_flags;
1575 sb->st_blocks = roundup(va.va_total_alloc, 512) / 512;
1576 }
1577
1578 /* if we're interested in extended security data and we got an ACL */
1579 if (xsec != NULL) {
1580 if (!VATTR_IS_SUPPORTED(&va, va_acl) &&
1581 !VATTR_IS_SUPPORTED(&va, va_uuuid) &&
1582 !VATTR_IS_SUPPORTED(&va, va_guuid)) {
1583 *xsec = KAUTH_FILESEC_NONE;
1584 } else {
1585 if (VATTR_IS_SUPPORTED(&va, va_acl) && (va.va_acl != NULL)) {
1586 fsec = kauth_filesec_alloc(size: va.va_acl->acl_entrycount);
1587 } else {
1588 fsec = kauth_filesec_alloc(size: 0);
1589 }
1590 if (fsec == NULL) {
1591 error = ENOMEM;
1592 goto out;
1593 }
1594 fsec->fsec_magic = KAUTH_FILESEC_MAGIC;
1595 if (VATTR_IS_SUPPORTED(&va, va_uuuid)) {
1596 fsec->fsec_owner = va.va_uuuid;
1597 } else {
1598 fsec->fsec_owner = kauth_null_guid;
1599 }
1600 if (VATTR_IS_SUPPORTED(&va, va_guuid)) {
1601 fsec->fsec_group = va.va_guuid;
1602 } else {
1603 fsec->fsec_group = kauth_null_guid;
1604 }
1605 if (VATTR_IS_SUPPORTED(&va, va_acl) && (va.va_acl != NULL)) {
1606 __nochk_bcopy(src: va.va_acl, dst: &(fsec->fsec_acl), KAUTH_ACL_COPYSIZE(va.va_acl));
1607 } else {
1608 fsec->fsec_acl.acl_entrycount = KAUTH_FILESEC_NOACL;
1609 }
1610 *xsec = fsec;
1611 }
1612 }
1613
1614 /* Do not give the generation number out to unpriviledged users */
1615 if (va.va_gen && !vfs_context_issuser(ctx)) {
1616 if (isstat64 != 0) {
1617 sb64->st_gen = 0;
1618 } else {
1619 sb->st_gen = 0;
1620 }
1621 } else {
1622 if (isstat64 != 0) {
1623 sb64->st_gen = va.va_gen;
1624 } else {
1625 sb->st_gen = va.va_gen;
1626 }
1627 }
1628
1629 error = 0;
1630out:
1631 if (VATTR_IS_SUPPORTED(&va, va_acl) && va.va_acl != NULL) {
1632 kauth_acl_free(fsp: va.va_acl);
1633 }
1634 return error;
1635}
1636
1637int
1638vn_stat(struct vnode *vp, void *sb, kauth_filesec_t *xsec, int isstat64, int needsrealdev, vfs_context_t ctx)
1639{
1640 int error;
1641
1642#if CONFIG_MACF
1643 error = mac_vnode_check_stat(ctx, NOCRED, vp);
1644 if (error) {
1645 return error;
1646 }
1647#endif
1648
1649 /* authorize */
1650 if ((error = vnode_authorize(vp, NULL, KAUTH_VNODE_READ_ATTRIBUTES | KAUTH_VNODE_READ_SECURITY, ctx)) != 0) {
1651 return error;
1652 }
1653
1654 /* actual stat */
1655 return vn_stat_noauth(vp, sbptr: sb, xsec, isstat64, needsrealdev, ctx, NOCRED);
1656}
1657
1658
1659/*
1660 * File table vnode ioctl routine.
1661 */
1662static int
1663vn_ioctl(struct fileproc *fp, u_long com, caddr_t data, vfs_context_t ctx)
1664{
1665 struct vnode *vp = (struct vnode *)fp_get_data(fp);
1666 off_t file_size;
1667 int error;
1668 struct vnode *ttyvp;
1669
1670 if ((error = vnode_getwithref(vp))) {
1671 return error;
1672 }
1673
1674#if CONFIG_MACF
1675 error = mac_vnode_check_ioctl(ctx, vp, cmd: com);
1676 if (error) {
1677 goto out;
1678 }
1679#endif
1680
1681 switch (vp->v_type) {
1682 case VREG:
1683 case VDIR:
1684 if (com == FIONREAD) {
1685 off_t temp_nbytes;
1686 if ((error = vnode_size(vp, &file_size, ctx)) != 0) {
1687 goto out;
1688 }
1689 temp_nbytes = file_size - fp->fp_glob->fg_offset;
1690 if (temp_nbytes > INT_MAX) {
1691 *(int *)data = INT_MAX;
1692 } else if (temp_nbytes < 0) {
1693 *(int *)data = 0;
1694 } else {
1695 *(int *)data = (int)temp_nbytes;
1696 }
1697 goto out;
1698 }
1699 if (com == FIONBIO || com == FIOASYNC) { /* XXX */
1700 goto out;
1701 }
1702 OS_FALLTHROUGH;
1703
1704 default:
1705 error = ENOTTY;
1706 goto out;
1707
1708 case VFIFO:
1709 case VCHR:
1710 case VBLK:
1711
1712 if (com == TIOCREVOKE || com == TIOCREVOKECLEAR) {
1713 error = ENOTTY;
1714 goto out;
1715 }
1716
1717 /* Should not be able to set block size from user space */
1718 if (com == DKIOCSETBLOCKSIZE) {
1719 error = EPERM;
1720 goto out;
1721 }
1722
1723 /* Should not be able to check if filesystem is authenticated from user space */
1724 if (com == FSIOC_AUTH_FS) {
1725 error = ENOTTY;
1726 goto out;
1727 }
1728
1729 if (com == FIODTYPE) {
1730 if (vp->v_type == VBLK) {
1731 if (major(vp->v_rdev) >= nblkdev) {
1732 error = ENXIO;
1733 goto out;
1734 }
1735 *(int *)data = bdevsw[major(vp->v_rdev)].d_type;
1736 } else if (vp->v_type == VCHR) {
1737 if (major(vp->v_rdev) >= nchrdev) {
1738 error = ENXIO;
1739 goto out;
1740 }
1741 *(int *)data = cdevsw[major(vp->v_rdev)].d_type;
1742 } else {
1743 error = ENOTTY;
1744 goto out;
1745 }
1746 goto out;
1747 }
1748 error = VNOP_IOCTL(vp, command: com, data, fflag: fp->fp_glob->fg_flag, ctx);
1749
1750 if (error == 0 && com == TIOCSCTTY) {
1751 struct session *sessp;
1752 struct pgrp *pg;
1753
1754 pg = proc_pgrp(vfs_context_proc(ctx), &sessp);
1755
1756 session_lock(sess: sessp);
1757 ttyvp = sessp->s_ttyvp;
1758 sessp->s_ttyvp = vp;
1759 sessp->s_ttyvid = vnode_vid(vp);
1760 session_unlock(sess: sessp);
1761
1762 pgrp_rele(pgrp: pg);
1763 }
1764 }
1765out:
1766 (void)vnode_put(vp);
1767 return error;
1768}
1769
1770/*
1771 * File table vnode select routine.
1772 */
1773static int
1774vn_select(struct fileproc *fp, int which, void *wql, __unused vfs_context_t ctx)
1775{
1776 int error;
1777 struct vnode * vp = (struct vnode *)fp_get_data(fp);
1778 struct vfs_context context;
1779
1780 if ((error = vnode_getwithref(vp)) == 0) {
1781 context.vc_thread = current_thread();
1782 context.vc_ucred = fp->fp_glob->fg_cred;
1783
1784#if CONFIG_MACF
1785 /*
1786 * XXX We should use a per thread credential here; minimally,
1787 * XXX the process credential should have a persistent
1788 * XXX reference on it before being passed in here.
1789 */
1790 error = mac_vnode_check_select(ctx, vp, which);
1791 if (error == 0)
1792#endif
1793 error = VNOP_SELECT(vp, which, fp->fp_glob->fg_flag, wql, ctx);
1794
1795 (void)vnode_put(vp);
1796 }
1797 return error;
1798}
1799
1800/*
1801 * File table vnode close routine.
1802 */
1803static int
1804vn_closefile(struct fileglob *fg, vfs_context_t ctx)
1805{
1806 struct vnode *vp = fg_get_data(fg);
1807 int error;
1808
1809 if ((error = vnode_getwithref(vp)) == 0) {
1810 if (FILEGLOB_DTYPE(fg) == DTYPE_VNODE &&
1811 ((fg->fg_flag & FWASLOCKED) != 0 ||
1812 (fg->fg_lflags & FG_HAS_OFDLOCK) != 0)) {
1813 struct flock lf = {
1814 .l_whence = SEEK_SET,
1815 .l_start = 0,
1816 .l_len = 0,
1817 .l_type = F_UNLCK
1818 };
1819
1820 if ((fg->fg_flag & FWASLOCKED) != 0) {
1821 (void) VNOP_ADVLOCK(vp, (caddr_t)fg,
1822 F_UNLCK, &lf, F_FLOCK, ctx, NULL);
1823 }
1824
1825 if ((fg->fg_lflags & FG_HAS_OFDLOCK) != 0) {
1826 (void) VNOP_ADVLOCK(vp, ofd_to_id(fg),
1827 F_UNLCK, &lf, F_OFD_LOCK, ctx, NULL);
1828 }
1829 }
1830#if CONFIG_FILE_LEASES
1831 if (FILEGLOB_DTYPE(fg) == DTYPE_VNODE && !LIST_EMPTY(&vp->v_leases)) {
1832 /* Expected open count doesn't matter for release. */
1833 (void)vnode_setlease(vp, fg, F_UNLCK, expcounts: 0, ctx);
1834 }
1835#endif
1836 error = vn_close(vp, flags: fg->fg_flag, ctx);
1837 (void) vnode_put(vp);
1838 }
1839 return error;
1840}
1841
1842/*
1843 * Returns: 0 Success
1844 * VNOP_PATHCONF:???
1845 */
1846int
1847vn_pathconf(vnode_t vp, int name, int32_t *retval, vfs_context_t ctx)
1848{
1849 int error = 0;
1850 struct vfs_attr vfa;
1851
1852 switch (name) {
1853 case _PC_EXTENDED_SECURITY_NP:
1854 *retval = vfs_extendedsecurity(vnode_mount(vp)) ? 1 : 0;
1855 break;
1856 case _PC_AUTH_OPAQUE_NP:
1857 *retval = vfs_authopaque(mp: vnode_mount(vp));
1858 break;
1859 case _PC_2_SYMLINKS:
1860 *retval = 1; /* XXX NOTSUP on MSDOS, etc. */
1861 break;
1862 case _PC_ALLOC_SIZE_MIN:
1863 *retval = 1; /* XXX lie: 1 byte */
1864 break;
1865 case _PC_ASYNC_IO: /* unistd.h: _POSIX_ASYNCHRONUS_IO */
1866 *retval = 1; /* [AIO] option is supported */
1867 break;
1868 case _PC_PRIO_IO: /* unistd.h: _POSIX_PRIORITIZED_IO */
1869 *retval = 0; /* [PIO] option is not supported */
1870 break;
1871 case _PC_REC_INCR_XFER_SIZE:
1872 *retval = 4096; /* XXX go from MIN to MAX 4K at a time */
1873 break;
1874 case _PC_REC_MIN_XFER_SIZE:
1875 *retval = 4096; /* XXX recommend 4K minimum reads/writes */
1876 break;
1877 case _PC_REC_MAX_XFER_SIZE:
1878 *retval = 65536; /* XXX recommend 64K maximum reads/writes */
1879 break;
1880 case _PC_REC_XFER_ALIGN:
1881 *retval = 4096; /* XXX recommend page aligned buffers */
1882 break;
1883 case _PC_SYMLINK_MAX:
1884 *retval = 255; /* Minimum acceptable POSIX value */
1885 break;
1886 case _PC_SYNC_IO: /* unistd.h: _POSIX_SYNCHRONIZED_IO */
1887 *retval = 0; /* [SIO] option is not supported */
1888 break;
1889 case _PC_XATTR_SIZE_BITS:
1890 /* The number of bits used to store maximum extended
1891 * attribute size in bytes. For example, if the maximum
1892 * attribute size supported by a file system is 128K, the
1893 * value returned will be 18. However a value 18 can mean
1894 * that the maximum attribute size can be anywhere from
1895 * (256KB - 1) to 128KB. As a special case, the resource
1896 * fork can have much larger size, and some file system
1897 * specific extended attributes can have smaller and preset
1898 * size; for example, Finder Info is always 32 bytes.
1899 */
1900 memset(s: &vfa, c: 0, n: sizeof(vfa));
1901 VFSATTR_INIT(&vfa);
1902 VFSATTR_WANTED(&vfa, f_capabilities);
1903 if (vfs_getattr(mp: vnode_mount(vp), vfa: &vfa, ctx) == 0 &&
1904 (VFSATTR_IS_SUPPORTED(&vfa, f_capabilities)) &&
1905 (vfa.f_capabilities.capabilities[VOL_CAPABILITIES_INTERFACES] & VOL_CAP_INT_EXTENDED_ATTR) &&
1906 (vfa.f_capabilities.valid[VOL_CAPABILITIES_INTERFACES] & VOL_CAP_INT_EXTENDED_ATTR)) {
1907 /* Supports native extended attributes */
1908 error = VNOP_PATHCONF(vp, name, retval, ctx);
1909 } else {
1910 /* Number of bits used to represent the maximum size of
1911 * extended attribute stored in an Apple Double file.
1912 */
1913 *retval = AD_XATTR_SIZE_BITS;
1914 }
1915 break;
1916 default:
1917 error = VNOP_PATHCONF(vp, name, retval, ctx);
1918 break;
1919 }
1920
1921 return error;
1922}
1923
1924static int
1925vn_kqfilter(struct fileproc *fp, struct knote *kn, struct kevent_qos_s *kev)
1926{
1927 vfs_context_t ctx = vfs_context_current();
1928 struct vnode *vp;
1929 int error = 0;
1930 int result = 0;
1931
1932 vp = (struct vnode *)fp_get_data(fp);
1933
1934 /*
1935 * Don't attach a knote to a dead vnode.
1936 */
1937 if ((error = vget_internal(vp, 0, VNODE_NODEAD)) == 0) {
1938 switch (kn->kn_filter) {
1939 case EVFILT_READ:
1940 case EVFILT_WRITE:
1941 if (vnode_isfifo(vp)) {
1942 /* We'll only watch FIFOs that use our fifofs */
1943 if (!(vp->v_fifoinfo && vp->v_fifoinfo->fi_readsock)) {
1944 error = ENOTSUP;
1945 }
1946 } else if (!vnode_isreg(vp)) {
1947 if (vnode_ischr(vp)) {
1948 result = spec_kqfilter(vp, kn, kev);
1949 if ((kn->kn_flags & EV_ERROR) == 0) {
1950 /* claimed by a special device */
1951 vnode_put(vp);
1952 return result;
1953 }
1954 }
1955 error = EINVAL;
1956 }
1957 break;
1958 case EVFILT_VNODE:
1959 break;
1960 default:
1961 error = EINVAL;
1962 }
1963
1964 if (error == 0) {
1965#if CONFIG_MACF
1966 error = mac_vnode_check_kqfilter(ctx, file_cred: fp->fp_glob->fg_cred, kn, vp);
1967 if (error) {
1968 vnode_put(vp);
1969 goto out;
1970 }
1971#endif
1972
1973 kn->kn_filtid = EVFILTID_VN;
1974 knote_kn_hook_set_raw(kn, kn_hook: (void *)vp);
1975 vnode_hold(vp);
1976
1977 vnode_lock(vp);
1978 KNOTE_ATTACH(&vp->v_knotes, kn);
1979 result = filt_vnode_common(kn, NULL, vp, hint: 0);
1980 vnode_unlock(vp);
1981
1982 /*
1983 * Ask the filesystem to provide remove notifications,
1984 * but ignore failure
1985 */
1986 VNOP_MONITOR(vp, events: 0, VNODE_MONITOR_BEGIN, handle: (void*) kn, ctx);
1987 }
1988
1989 vnode_put(vp);
1990 }
1991
1992out:
1993 if (error) {
1994 knote_set_error(kn, error);
1995 }
1996
1997 return result;
1998}
1999
2000static void
2001filt_vndetach(struct knote *kn)
2002{
2003 vfs_context_t ctx = vfs_context_current();
2004 struct vnode *vp = (struct vnode *)knote_kn_hook_get_raw(kn);
2005 uint32_t vid = vnode_vid(vp);
2006 if (vnode_getwithvid(vp, vid)) {
2007 vnode_drop(vp);
2008 return;
2009 }
2010 vnode_drop(vp);
2011
2012 vnode_lock(vp);
2013 KNOTE_DETACH(&vp->v_knotes, kn);
2014 vnode_unlock(vp);
2015
2016 /*
2017 * Tell a (generally networked) filesystem that we're no longer watching
2018 * If the FS wants to track contexts, it should still be using the one from
2019 * the VNODE_MONITOR_BEGIN.
2020 */
2021 VNOP_MONITOR(vp, events: 0, VNODE_MONITOR_END, handle: (void*)kn, ctx);
2022 vnode_put(vp);
2023}
2024
2025
2026/*
2027 * Used for EVFILT_READ
2028 *
2029 * Takes only VFIFO or VREG. vnode is locked. We handle the "poll" case
2030 * differently than the regular case for VREG files. If not in poll(),
2031 * then we need to know current fileproc offset for VREG.
2032 */
2033static int64_t
2034vnode_readable_data_count(vnode_t vp, off_t current_offset, int ispoll)
2035{
2036 if (vnode_isfifo(vp)) {
2037#if FIFO
2038 int cnt;
2039 int err = fifo_charcount(vp, count: &cnt);
2040 if (err == 0) {
2041 return (int64_t)cnt;
2042 } else
2043#endif
2044 {
2045 return 0;
2046 }
2047 } else if (vnode_isreg(vp)) {
2048 if (ispoll) {
2049 return 1;
2050 }
2051
2052 off_t amount;
2053 amount = vp->v_un.vu_ubcinfo->ui_size - current_offset;
2054 if (amount > INT64_MAX) {
2055 return INT64_MAX;
2056 } else if (amount < INT64_MIN) {
2057 return INT64_MIN;
2058 } else {
2059 return (int64_t)amount;
2060 }
2061 } else {
2062 panic("Should never have an EVFILT_READ except for reg or fifo.");
2063 return 0;
2064 }
2065}
2066
2067/*
2068 * Used for EVFILT_WRITE.
2069 *
2070 * For regular vnodes, we can always write (1). For named pipes,
2071 * see how much space there is in the buffer. Nothing else is covered.
2072 */
2073static intptr_t
2074vnode_writable_space_count(vnode_t vp)
2075{
2076 if (vnode_isfifo(vp)) {
2077#if FIFO
2078 long spc;
2079 int err = fifo_freespace(vp, count: &spc);
2080 if (err == 0) {
2081 return (intptr_t)spc;
2082 } else
2083#endif
2084 {
2085 return (intptr_t)0;
2086 }
2087 } else if (vnode_isreg(vp)) {
2088 return (intptr_t)1;
2089 } else {
2090 panic("Should never have an EVFILT_READ except for reg or fifo.");
2091 return 0;
2092 }
2093}
2094
2095/*
2096 * Determine whether this knote should be active
2097 *
2098 * This is kind of subtle.
2099 * --First, notice if the vnode has been revoked: in so, override hint
2100 * --EVFILT_READ knotes are checked no matter what the hint is
2101 * --Other knotes activate based on hint.
2102 * --If hint is revoke, set special flags and activate
2103 */
2104static int
2105filt_vnode_common(struct knote *kn, struct kevent_qos_s *kev, vnode_t vp, long hint)
2106{
2107 int activate = 0;
2108 int64_t data = 0;
2109
2110 lck_mtx_assert(lck: &vp->v_lock, LCK_MTX_ASSERT_OWNED);
2111
2112 /* Special handling for vnodes that are in recycle or already gone */
2113 if (NOTE_REVOKE == hint) {
2114 kn->kn_flags |= (EV_EOF | EV_ONESHOT);
2115 activate = 1;
2116
2117 if ((kn->kn_filter == EVFILT_VNODE) && (kn->kn_sfflags & NOTE_REVOKE)) {
2118 kn->kn_fflags |= NOTE_REVOKE;
2119 }
2120 } else {
2121 switch (kn->kn_filter) {
2122 case EVFILT_READ:
2123 data = vnode_readable_data_count(vp, current_offset: kn->kn_fp->fp_glob->fg_offset, ispoll: (kn->kn_flags & EV_POLL));
2124 activate = (data != 0);
2125 break;
2126 case EVFILT_WRITE:
2127 data = vnode_writable_space_count(vp);
2128 activate = (data != 0);
2129 break;
2130 case EVFILT_VNODE:
2131 /* Check events this note matches against the hint */
2132 if (kn->kn_sfflags & hint) {
2133 kn->kn_fflags |= (uint32_t)hint; /* Set which event occurred */
2134 }
2135 activate = (kn->kn_fflags != 0);
2136 break;
2137 default:
2138 panic("Invalid knote filter on a vnode!");
2139 }
2140 }
2141
2142 if (kev && activate) {
2143 knote_fill_kevent(kn, kev, data);
2144 }
2145
2146 return activate;
2147}
2148
2149static int
2150filt_vnode(struct knote *kn, long hint)
2151{
2152 vnode_t vp = (struct vnode *)knote_kn_hook_get_raw(kn);
2153
2154 return filt_vnode_common(kn, NULL, vp, hint);
2155}
2156
2157static int
2158filt_vntouch(struct knote *kn, struct kevent_qos_s *kev)
2159{
2160 vnode_t vp = (struct vnode *)knote_kn_hook_get_raw(kn);
2161 uint32_t vid = vnode_vid(vp);
2162 int activate;
2163 int hint = 0;
2164
2165 vnode_lock(vp);
2166 if (vnode_getiocount(vp, vid, VNODE_NODEAD | VNODE_WITHID) != 0) {
2167 /* is recycled */
2168 hint = NOTE_REVOKE;
2169 }
2170
2171 /* accept new input fflags mask */
2172 kn->kn_sfflags = kev->fflags;
2173
2174 activate = filt_vnode_common(kn, NULL, vp, hint);
2175
2176 if (hint == 0) {
2177 vnode_put_locked(vp);
2178 }
2179 vnode_unlock(vp);
2180
2181 return activate;
2182}
2183
2184static int
2185filt_vnprocess(struct knote *kn, struct kevent_qos_s *kev)
2186{
2187 vnode_t vp = (struct vnode *)knote_kn_hook_get_raw(kn);
2188 uint32_t vid = vnode_vid(vp);
2189 int activate;
2190 int hint = 0;
2191
2192 vnode_lock(vp);
2193 if (vnode_getiocount(vp, vid, VNODE_NODEAD | VNODE_WITHID) != 0) {
2194 /* Is recycled */
2195 hint = NOTE_REVOKE;
2196 }
2197 activate = filt_vnode_common(kn, kev, vp, hint);
2198
2199 /* Definitely need to unlock, may need to put */
2200 if (hint == 0) {
2201 vnode_put_locked(vp);
2202 }
2203 vnode_unlock(vp);
2204
2205 return activate;
2206}
2207
2208struct vniodesc {
2209 vnode_t vnio_vnode; /* associated vnode */
2210 int vnio_fflags; /* cached fileglob flags */
2211};
2212
2213errno_t
2214vnio_openfd(int fd, vniodesc_t *vniop)
2215{
2216 proc_t p = current_proc();
2217 struct fileproc *fp = NULL;
2218 vniodesc_t vnio;
2219 vnode_t vp;
2220 int error;
2221 bool need_drop = false;
2222
2223 vnio = kalloc_type(struct vniodesc, Z_WAITOK);
2224
2225 error = fp_getfvp(p, fd, resultfp: &fp, resultvp: &vp);
2226 if (error) {
2227 goto out;
2228 }
2229 need_drop = true;
2230
2231 if ((fp->fp_glob->fg_flag & (FREAD | FWRITE)) == 0) {
2232 error = EBADF;
2233 goto out;
2234 }
2235
2236 if (vnode_isswap(vp)) {
2237 error = EPERM;
2238 goto out;
2239 }
2240
2241 if (vp->v_type != VREG) {
2242 error = EFTYPE;
2243 goto out;
2244 }
2245
2246 error = vnode_getwithref(vp);
2247 if (error) {
2248 goto out;
2249 }
2250
2251 vnio->vnio_vnode = vp;
2252 vnio->vnio_fflags = fp->fp_glob->fg_flag;
2253
2254 (void)fp_drop(p, fd, fp, locked: 0);
2255 need_drop = false;
2256
2257 error = vnode_ref_ext(vp, vnio->vnio_fflags, 0);
2258 if (error == 0) {
2259 *vniop = vnio;
2260 vnio = NULL;
2261 }
2262
2263 vnode_put(vp);
2264
2265out:
2266 if (need_drop) {
2267 fp_drop(p, fd, fp, locked: 0);
2268 }
2269 if (vnio != NULL) {
2270 kfree_type(struct vniodesc, vnio);
2271 }
2272 return error;
2273}
2274
2275errno_t
2276vnio_close(vniodesc_t vnio)
2277{
2278 int error;
2279
2280 /*
2281 * The vniodesc is always destroyed, because the close
2282 * always "succeeds". We just return whatever error
2283 * might have been encountered while doing so.
2284 */
2285
2286 error = vnode_getwithref(vp: vnio->vnio_vnode);
2287 if (error == 0) {
2288 error = vnode_close(vp: vnio->vnio_vnode, flags: vnio->vnio_fflags, NULL);
2289 }
2290
2291 kfree_type(struct vniodesc, vnio);
2292
2293 return error;
2294}
2295
2296errno_t
2297vnio_read(vniodesc_t vnio, uio_t uio)
2298{
2299 vnode_t vp = vnio->vnio_vnode;
2300 user_ssize_t read_len;
2301 int error;
2302
2303 read_len = uio_resid(a_uio: uio);
2304 if (read_len < 0 || read_len > INT_MAX) {
2305 return EINVAL;
2306 }
2307
2308 error = vnode_getwithref(vp);
2309 if (error == 0) {
2310 error = vn_read_common(vp, uio, fflag: vnio->vnio_fflags,
2311 ctx: vfs_context_current());
2312 vnode_put(vp);
2313 }
2314
2315 return error;
2316}
2317
2318vnode_t
2319vnio_vnode(vniodesc_t vnio)
2320{
2321 return vnio->vnio_vnode;
2322}
2323
2324int
2325vnode_isauthfs(vnode_t vp)
2326{
2327 fsioc_auth_fs_t afs = { .authvp = NULL };
2328 int error;
2329
2330 error = VNOP_IOCTL(vp, FSIOC_AUTH_FS, data: (caddr_t)&afs, fflag: 0,
2331 ctx: vfs_context_current());
2332
2333 return error == 0 ? 1 : 0;
2334}
2335