/*******************************************************************************
Copyright(C) Jonas 'Sortie' Termansen 2012, 2013.
This file is part of Sortix.
Sortix is free software: you can redistribute it and/or modify it under the
terms of the GNU General Public License as published by the Free Software
Foundation, either version 3 of the License, or (at your option) any later
version.
Sortix is distributed in the hope that it will be useful, but WITHOUT ANY
WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
details.
You should have received a copy of the GNU General Public License along with
Sortix. If not, see .
descriptor.cpp
A file descriptor.
*******************************************************************************/
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
namespace Sortix {
// Flags for the various base modes to open a file in.
const int ACCESS_FLAGS = O_READ | O_WRITE | O_EXEC | O_SEARCH;
// Flags that only make sense at open time.
const int OPEN_FLAGS = O_CREATE | O_DIRECTORY | O_EXCL | O_TRUNC | O_NOFOLLOW;
// Flags that only make sense for descriptors.
const int DESCRIPTOR_FLAGS = O_APPEND | O_NONBLOCK;
bool LinkInodeInDir(ioctx_t* ctx, Ref dir, const char* name,
Ref inode)
{
Ref vnode(new Vnode(inode, Ref(), 0, 0));
if ( !vnode ) return false;
Ref desc(new Descriptor(Ref(vnode), 0));
if ( !desc ) return false;
return dir->link(ctx, name, desc) != 0;
}
Ref OpenDirContainingPath(ioctx_t* ctx, Ref from,
const char* path, char** finalp)
{
if ( !path[0] ) { errno = EINVAL; return Ref(); }
char* dirpath;
char* final;
if ( !SplitFinalElem(path, &dirpath, &final) )
return Ref();
// TODO: Removing trailing slashes in final may not the right thing.
size_t finallen = strlen(final);
while ( finallen && final[finallen-1] == '/' )
final[--finallen] = 0;
// Safe against buffer overflow because final contains at least one
// character because we reject the empty string above.
if ( !finallen )
final[0] = '.',
final[1] = '\0';
if ( !dirpath[0] )
{
delete[] dirpath;
*finalp = final;
return from;
}
Ref ret = from->open(ctx, dirpath, O_READ | O_DIRECTORY, 0);
delete[] dirpath;
if ( !ret ) { delete[] final; return Ref(); }
*finalp = final;
return ret;
}
// TODO: Add security checks.
Descriptor::Descriptor(Ref vnode, int dflags)
{
curofflock = KTHREAD_MUTEX_INITIALIZER;
this->vnode = vnode;
this->ino = vnode->ino;
this->dev = vnode->dev;
this->type = vnode->type;
this->dflags = dflags;
checked_seekable = false;
curoff = 0;
}
Descriptor::~Descriptor()
{
}
bool Descriptor::SetFlags(int new_dflags)
{
// TODO: Hmm, there is race condition between changing the flags here and
// the code that uses the flags below. We could add a lock, but that
// would kinda prevent concurrency on the same file descriptor. Since
// the chances of this becoming a problem is rather slim (but could
// happen!), we'll do the unsafe thing for now. (See below also)
dflags = (dflags & ~DESCRIPTOR_FLAGS) & (new_dflags & DESCRIPTOR_FLAGS);
return true;
}
int Descriptor::GetFlags()
{
// TODO: The race condition also applies here if the variable can change.
return dflags;
}
Ref Descriptor::Fork()
{
Ref ret(new Descriptor(vnode, dflags));
if ( !ret )
return Ref();
ret->curoff = curoff;
ret->checked_seekable = checked_seekable;
ret->seekable = seekable;
return ret;
}
bool Descriptor::IsSeekable()
{
if ( !checked_seekable )
{
// TODO: Is this enough? Check that errno happens to be ESPIPE?
ioctx_t ctx; SetupKernelIOCtx(&ctx);
seekable = 0 <= vnode->lseek(&ctx, SEEK_SET, 0) || S_ISDIR(vnode->type);
checked_seekable = true;
}
return seekable;
}
int Descriptor::sync(ioctx_t* ctx)
{
// TODO: Possible denial-of-service attack if someone opens the file without
// that much rights and just syncs it a whole lot and slows down the
// system as a whole.
return vnode->sync(ctx);
}
int Descriptor::stat(ioctx_t* ctx, struct stat* st)
{
// TODO: Possible information leak if not O_READ | O_WRITE and the caller
// is told about the file size.
return vnode->stat(ctx, st);
}
int Descriptor::chmod(ioctx_t* ctx, mode_t mode)
{
return vnode->chmod(ctx, mode);
}
int Descriptor::chown(ioctx_t* ctx, uid_t owner, gid_t group)
{
if ( owner < 0 || group < 0 ) { errno = EINVAL; return -1; }
return vnode->chown(ctx, owner, group);
}
int Descriptor::truncate(ioctx_t* ctx, off_t length)
{
if ( length < 0 ) { errno = EINVAL; return -1; }
if ( !(dflags & O_WRITE) )
return errno = EPERM, -1;
return vnode->truncate(ctx, length);
}
off_t Descriptor::lseek(ioctx_t* ctx, off_t offset, int whence)
{
// TODO: Possible information leak to let someone without O_READ | O_WRITE
// seek the file and get information about data holes.
if ( !IsSeekable() )
return vnode->lseek(ctx, offset, whence);
ScopedLock lock(&curofflock);
off_t reloff;
if ( whence == SEEK_SET )
reloff = 0;
else if ( whence == SEEK_CUR )
reloff = curoff;
else if ( whence == SEEK_END )
{
if ( (reloff = vnode->lseek(ctx, offset, SEEK_END)) < 0 )
return -1;
}
else
return errno = EINVAL, -1;
if ( offset < 0 && reloff + offset < 0 )
return errno = EOVERFLOW, -1;
if ( OFF_MAX - curoff < offset )
return errno = EOVERFLOW, -1;
return curoff = reloff + offset;
}
ssize_t Descriptor::read(ioctx_t* ctx, uint8_t* buf, size_t count)
{
if ( !(dflags & O_READ) )
return errno = EPERM, -1;
if ( !count ) { return 0; }
if ( (size_t) SSIZE_MAX < count ) { count = SSIZE_MAX; }
ctx->dflags = dflags;
if ( !IsSeekable() )
return vnode->read(ctx, buf, count);
// TODO: Locking here only allows one task to read/write at once.
ScopedLock lock(&curofflock);
ssize_t ret = vnode->pread(ctx, buf, count, curoff);
if ( 0 <= ret )
curoff += ret;
return ret;
}
ssize_t Descriptor::pread(ioctx_t* ctx, uint8_t* buf, size_t count, off_t off)
{
if ( !(dflags & O_READ) )
return errno = EPERM, -1;
if ( off < 0 ) { errno = EINVAL; return -1; }
if ( !count ) { return 0; }
if ( SSIZE_MAX < count ) { count = SSIZE_MAX; }
ctx->dflags = dflags;
return vnode->pread(ctx, buf, count, off);
}
ssize_t Descriptor::write(ioctx_t* ctx, const uint8_t* buf, size_t count)
{
if ( !(dflags & O_WRITE) )
return errno = EPERM, -1;
if ( !count ) { return 0; }
if ( SSIZE_MAX < count ) { count = SSIZE_MAX; }
ctx->dflags = dflags;
if ( !IsSeekable() )
return vnode->write(ctx, buf, count);
// TODO: Locking here only allows one task to read/write at once.
ScopedLock lock(&curofflock);
// TODO: What if lseek fails? Sets curoff = -1, which we forward to vnodes
// and we are not allowed to do that!
if ( dflags & O_APPEND )
curoff = vnode->lseek(ctx, 0, SEEK_END);
ssize_t ret = vnode->pwrite(ctx, buf, count, curoff);
if ( 0 <= ret )
curoff += ret;
return ret;
}
ssize_t Descriptor::pwrite(ioctx_t* ctx, const uint8_t* buf, size_t count, off_t off)
{
if ( !(dflags & O_WRITE) )
return errno = EPERM, -1;
if ( off < 0 ) { errno = EINVAL; return -1; }
if ( !count ) { return 0; }
if ( SSIZE_MAX < count ) { count = SSIZE_MAX; }
ctx->dflags = dflags;
return vnode->pwrite(ctx, buf, count, off);
}
int Descriptor::utimens(ioctx_t* ctx, const struct timespec* atime,
const struct timespec* ctime,
const struct timespec* mtime)
{
return vnode->utimens(ctx, atime, ctime, mtime);
}
int Descriptor::isatty(ioctx_t* ctx)
{
return vnode->isatty(ctx);
}
ssize_t Descriptor::readdirents(ioctx_t* ctx, struct kernel_dirent* dirent,
size_t size, size_t maxcount)
{
// TODO: COMPATIBILITY HACK: Traditionally, you can open a directory with
// O_RDONLY and pass it to fdopendir and then use it, which doesn't
// set the needed O_SEARCH flag! I think some software even do it with
// write permissions! Currently, we just let you search the directory
// if you opened with any of the O_SEARCH, O_READ or O_WRITE flags.
// A better solution would be to make fdopendir try to add the
// O_SEARCH flag to the file descriptor. Or perhaps just recheck the
// permissions to search (execute) the directory manually every time,
// though that is less pure. Unfortunately, POSIX is pretty vague on
// how O_SEARCH should be interpreted and most existing Unix systems
// such as Linux doesn't even have that flag! And how about combining
// it with the O_EXEC flag - POSIX allows that and it makes sense
// because the execute bit on directories control search permission.
if ( !(dflags & (O_SEARCH | O_READ | O_WRITE)) )
return errno = EPERM, -1;
if ( !maxcount ) { return 0; }
if ( SSIZE_MAX < size ) { size = SSIZE_MAX; }
if ( size < sizeof(*dirent) ) { errno = EINVAL; return -1; }
// TODO: Locking here only allows one task to read/write at once.
ScopedLock lock(&curofflock);
ssize_t ret = vnode->readdirents(ctx, dirent, size, curoff, maxcount);
if ( ret == 0 )
{
const char* name = "";
size_t namelen = strlen(name);
size_t needed = sizeof(*dirent) + namelen + 1;
struct kernel_dirent retdirent;
memset(&retdirent, 0, sizeof(retdirent));
retdirent.d_reclen = needed;
retdirent.d_off = 0;
retdirent.d_namelen = namelen;
if ( !ctx->copy_to_dest(dirent, &retdirent, sizeof(retdirent)) )
return -1;
if ( size < needed )
return errno = ERANGE, -1;
if ( !ctx->copy_to_dest(dirent->d_name, name, namelen+1) )
return -1;
return needed;
}
// TODO: Accessing data here is dangerous if it is userspace:
if ( 0 < ret )
for ( ; dirent; curoff++, dirent = kernel_dirent_next(dirent) );
return ret;
}
static bool IsSaneFlagModeCombination(int flags, mode_t /*mode*/)
{
// It doesn't make sense to pass O_CREATE or O_TRUNC when attempting to open
// a directory. We also reject O_TRUNC | O_DIRECTORY early to prevent
// opening a directory, attempting to truncate it, and then aborting with an
// error because a directory was opened.
if ( (flags & (O_CREATE | O_TRUNC)) && (flags & (O_DIRECTORY)) )
return errno = EINVAL, false;
return true;
}
static bool IsLastPathElement(const char* elem)
{
while ( !(*elem == '/' || *elem == '\0') )
elem++;
while ( *elem == '/' )
elem++;
return *elem == '\0';
}
Ref Descriptor::open(ioctx_t* ctx, const char* filename, int flags,
mode_t mode)
{
Process* process = CurrentProcess();
kthread_mutex_lock(&process->idlock);
mode &= ~process->umask;
kthread_mutex_unlock(&process->idlock);
// Unlike early Unix systems, the empty path does not mean the current
// directory on Sortix, so reject it.
if ( !filename[0] )
return errno = ENOENT, Ref();
// Reject some non-sensical flag combinations early.
if ( !IsSaneFlagModeCombination(flags, mode) )
return errno = EINVAL, Ref();
Ref desc(this);
while ( filename[0] )
{
// Reaching a slash in the path means that the caller intended what came
// before to be a directory, stop the open call if it isn't.
if ( filename[0] == '/' )
{
if ( !S_ISDIR(desc->type) )
return errno = ENOTDIR, Ref();
filename++;
continue;
}
// Cut out the next path element from the input string.
size_t slashpos = strcspn(filename, "/");
char* elem = String::Substring(filename, 0, slashpos);
if ( !elem )
return Ref();
// Decide how to open the next element in the path.
bool lastelem = IsLastPathElement(filename);
int open_flags = lastelem ? flags : O_READ | O_DIRECTORY;
mode_t open_mode = lastelem ? mode : 0;
// Open the next element in the path.
Ref next = desc->open_elem(ctx, elem, open_flags, open_mode);
delete[] elem;
if ( !next )
return Ref();
desc = next;
filename += slashpos;
}
// Abort the open if the user wanted a directory but this wasn't.
if ( flags & O_DIRECTORY && !S_ISDIR(desc->type) )
return errno = ENOTDIR, Ref();
// TODO: The new file descriptor may not be opened with the correct
// permissions in the below case!
// If the path only contains slashes, we'll get outselves back, be sure to
// get ourselves back.
return desc == this ? Fork() : desc;
}
Ref Descriptor::open_elem(ioctx_t* ctx, const char* filename,
int flags, mode_t mode)
{
assert(!strchr(filename, '/'));
// Verify that at least one of the base access modes are being used.
if ( !(flags & ACCESS_FLAGS) )
return errno = EINVAL, Ref();
// Filter away flags that only make sense for descriptors.
int retvnode_flags = flags & ~DESCRIPTOR_FLAGS;
Ref retvnode = vnode->open(ctx, filename, retvnode_flags, mode);
if ( !retvnode )
return Ref();
// Filter away flags that only made sense at during the open call.
int ret_flags = flags & ~OPEN_FLAGS;
Ref ret(new Descriptor(retvnode, ret_flags));
if ( !ret )
return Ref();
// Truncate the file if requested.
// TODO: This is a bit dodgy, should this be moved to the inode open method
// or something? And how should error handling be done here?
if ( (flags & O_TRUNC) && S_ISREG(ret->type) )
if ( flags & O_WRITE )
ret->truncate(ctx, 0);
return ret;
}
int Descriptor::mkdir(ioctx_t* ctx, const char* filename, mode_t mode)
{
Process* process = CurrentProcess();
kthread_mutex_lock(&process->idlock);
mode &= ~process->umask;
kthread_mutex_unlock(&process->idlock);
char* final;
Ref dir = OpenDirContainingPath(ctx, Ref(this),
filename, &final);
if ( !dir )
return -1;
int ret = dir->vnode->mkdir(ctx, final, mode);
delete[] final;
return ret;
}
int Descriptor::link(ioctx_t* ctx, const char* filename, Ref node)
{
char* final;
Ref dir = OpenDirContainingPath(ctx, Ref(this),
filename, &final);
if ( !dir )
return -1;
int ret = dir->vnode->link(ctx, final, node->vnode);
delete[] final;
return ret;
}
int Descriptor::unlink(ioctx_t* ctx, const char* filename)
{
char* final;
Ref dir = OpenDirContainingPath(ctx, Ref(this),
filename, &final);
if ( !dir )
return -1;
int ret = dir->vnode->unlink(ctx, final);
delete[] final;
return ret;
}
int Descriptor::rmdir(ioctx_t* ctx, const char* filename)
{
char* final;
Ref dir = OpenDirContainingPath(ctx, Ref(this),
filename, &final);
if ( !dir )
return -1;
int ret = dir->vnode->rmdir(ctx, final);
delete[] final;
return ret;
}
int Descriptor::symlink(ioctx_t* ctx, const char* oldname, const char* filename)
{
char* final;
Ref dir = OpenDirContainingPath(ctx, Ref(this),
filename, &final);
if ( !dir )
return -1;
int ret = dir->vnode->symlink(ctx, oldname, final);
delete[] final;
return ret;
}
int Descriptor::rename_here(ioctx_t* ctx, Ref from,
const char* oldpath, const char* newpath)
{
char* olddir_elem;
char* newdir_elem;
Ref olddir = OpenDirContainingPath(ctx, from, oldpath,
&olddir_elem);
if ( !olddir ) return -1;
Ref newdir = OpenDirContainingPath(ctx, Ref(this),
newpath, &newdir_elem);
if ( !newdir ) { delete[] olddir_elem; return -1; }
int ret = newdir->vnode->rename_here(ctx, olddir->vnode, olddir_elem,
newdir_elem);
delete[] newdir_elem;
delete[] olddir_elem;
return ret;
}
ssize_t Descriptor::readlink(ioctx_t* ctx, char* buf, size_t bufsize)
{
if ( !(dflags & O_READ) )
return errno = EPERM, -1;
if ( (size_t) SSIZE_MAX < bufsize )
bufsize = (size_t) SSIZE_MAX;
return vnode->readlink(ctx, buf, bufsize);
}
int Descriptor::tcgetwinsize(ioctx_t* ctx, struct winsize* ws)
{
return vnode->tcgetwinsize(ctx, ws);
}
int Descriptor::tcsetpgrp(ioctx_t* ctx, pid_t pgid)
{
return vnode->tcsetpgrp(ctx, pgid);
}
pid_t Descriptor::tcgetpgrp(ioctx_t* ctx)
{
return vnode->tcgetpgrp(ctx);
}
int Descriptor::settermmode(ioctx_t* ctx, unsigned mode)
{
return vnode->settermmode(ctx, mode);
}
int Descriptor::gettermmode(ioctx_t* ctx, unsigned* mode)
{
return vnode->gettermmode(ctx, mode);
}
int Descriptor::poll(ioctx_t* ctx, PollNode* node)
{
// TODO: Perhaps deny polling against some kind of events if this
// descriptor's dflags would reject doing these operations?
return vnode->poll(ctx, node);
}
Ref Descriptor::accept(ioctx_t* ctx, uint8_t* addr, size_t* addrlen, int flags)
{
Ref retvnode = vnode->accept(ctx, addr, addrlen, flags);
if ( !retvnode )
return Ref();
return Ref(new Descriptor(retvnode, O_READ | O_WRITE));
}
int Descriptor::bind(ioctx_t* ctx, const uint8_t* addr, size_t addrlen)
{
return vnode->bind(ctx, addr, addrlen);
}
int Descriptor::connect(ioctx_t* ctx, const uint8_t* addr, size_t addrlen)
{
return vnode->connect(ctx, addr, addrlen);
}
int Descriptor::listen(ioctx_t* ctx, int backlog)
{
return vnode->listen(ctx, backlog);
}
ssize_t Descriptor::recv(ioctx_t* ctx, uint8_t* buf, size_t count, int flags)
{
return vnode->recv(ctx, buf, count, flags);
}
ssize_t Descriptor::send(ioctx_t* ctx, const uint8_t* buf, size_t count, int flags)
{
return vnode->send(ctx, buf, count, flags);
}
} // namespace Sortix