Print this page
Reduce lint
| Split |
Close |
| Expand all |
| Collapse all |
--- old/usr/src/uts/common/fs/tmpfs/tmp_subr.c
+++ new/usr/src/uts/common/fs/tmpfs/tmp_subr.c
1 1 /*
2 2 * CDDL HEADER START
3 3 *
4 4 * The contents of this file are subject to the terms of the
5 5 * Common Development and Distribution License (the "License").
6 6 * You may not use this file except in compliance with the License.
7 7 *
8 8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9 9 * or http://www.opensolaris.org/os/licensing.
10 10 * See the License for the specific language governing permissions
11 11 * and limitations under the License.
12 12 *
13 13 * When distributing Covered Code, include this CDDL HEADER in each
14 14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15 15 * If applicable, add the following below this CDDL HEADER, with the
16 16 * fields enclosed by brackets "[]" replaced with your own identifying
17 17 * information: Portions Copyright [yyyy] [name of copyright owner]
18 18 *
19 19 * CDDL HEADER END
20 20 */
21 21 /*
22 22 * Copyright (c) 1990, 2010, Oracle and/or its affiliates. All rights reserved.
23 23 * Copyright 2015 Joyent, Inc.
24 24 */
25 25
26 26 #include <sys/types.h>
27 27 #include <sys/errno.h>
28 28 #include <sys/param.h>
29 29 #include <sys/t_lock.h>
30 30 #include <sys/systm.h>
31 31 #include <sys/sysmacros.h>
32 32 #include <sys/debug.h>
33 33 #include <sys/time.h>
34 34 #include <sys/cmn_err.h>
35 35 #include <sys/vnode.h>
36 36 #include <sys/stat.h>
37 37 #include <sys/vfs.h>
38 38 #include <sys/cred.h>
39 39 #include <sys/kmem.h>
40 40 #include <sys/atomic.h>
41 41 #include <sys/policy.h>
42 42 #include <sys/fs/tmp.h>
43 43 #include <sys/fs/tmpnode.h>
44 44 #include <sys/ddi.h>
45 45 #include <sys/sunddi.h>
46 46
47 47 #define KILOBYTE 1024
48 48 #define MEGABYTE (1024 * KILOBYTE)
49 49 #define GIGABYTE (1024 * MEGABYTE)
50 50
51 51 #define MODESHIFT 3
52 52
53 53 #define VALIDMODEBITS 07777
54 54
55 55 extern pgcnt_t swapfs_minfree;
56 56
57 57 int
58 58 tmp_taccess(void *vtp, int mode, struct cred *cred)
59 59 {
60 60 struct tmpnode *tp = vtp;
61 61 int shift = 0;
62 62 /*
63 63 * Check access based on owner, group and
64 64 * public permissions in tmpnode.
65 65 */
66 66 if (crgetuid(cred) != tp->tn_uid) {
67 67 shift += MODESHIFT;
68 68 if (groupmember(tp->tn_gid, cred) == 0)
69 69 shift += MODESHIFT;
70 70 }
71 71
72 72 return (secpolicy_vnode_access2(cred, TNTOV(tp), tp->tn_uid,
73 73 tp->tn_mode << shift, mode));
74 74 }
75 75
76 76 /*
77 77 * Decide whether it is okay to remove within a sticky directory.
78 78 * Two conditions need to be met: write access to the directory
79 79 * is needed. In sticky directories, write access is not sufficient;
80 80 * you can remove entries from a directory only if you own the directory,
81 81 * if you are privileged, if you own the entry or if they entry is
82 82 * a plain file and you have write access to that file.
83 83 * Function returns 0 if remove access is granted.
84 84 */
85 85 int
86 86 tmp_sticky_remove_access(struct tmpnode *dir, struct tmpnode *entry,
87 87 struct cred *cr)
88 88 {
89 89 uid_t uid = crgetuid(cr);
90 90
91 91 if ((dir->tn_mode & S_ISVTX) &&
92 92 uid != dir->tn_uid &&
93 93 uid != entry->tn_uid &&
94 94 (entry->tn_type != VREG ||
95 95 tmp_taccess(entry, VWRITE, cr) != 0))
96 96 return (secpolicy_vnode_remove(cr));
97 97
98 98 return (0);
99 99 }
100 100
101 101 /*
102 102 * Allocate zeroed memory if tmpfs_maxkmem has not been exceeded
103 103 * or the 'musthave' flag is set. 'musthave' allocations should
104 104 * always be subordinate to normal allocations so that tmpfs_maxkmem
105 105 * can't be exceeded by more than a few KB. Example: when creating
106 106 * a new directory, the tmpnode is a normal allocation; if that
107 107 * succeeds, the dirents for "." and ".." are 'musthave' allocations.
108 108 */
109 109 void *
110 110 tmp_memalloc(size_t size, int musthave)
111 111 {
112 112 static time_t last_warning;
113 113 time_t now;
114 114
115 115 if (atomic_add_long_nv(&tmp_kmemspace, size) < tmpfs_maxkmem ||
116 116 musthave)
117 117 return (kmem_zalloc(size, KM_SLEEP));
118 118
119 119 atomic_add_long(&tmp_kmemspace, -size);
120 120 now = gethrestime_sec();
121 121 if (last_warning != now) {
122 122 last_warning = now;
123 123 cmn_err(CE_WARN, "tmp_memalloc: tmpfs over memory limit");
124 124 }
125 125 return (NULL);
126 126 }
127 127
128 128 void
129 129 tmp_memfree(void *cp, size_t size)
130 130 {
131 131 kmem_free(cp, size);
132 132 atomic_add_long(&tmp_kmemspace, -size);
133 133 }
134 134
135 135 /*
136 136 * Convert a string containing a number (number of bytes) to a pgcnt_t,
137 137 * containing the corresponding number of pages. On 32-bit kernels, the
138 138 * maximum value encoded in 'str' is PAGESIZE * ULONG_MAX, while the value
139 139 * returned in 'maxpg' is at most ULONG_MAX.
140 140 *
141 141 * The number may be followed by a magnitude suffix: "k" or "K" for kilobytes;
142 142 * "m" or "M" for megabytes; "g" or "G" for gigabytes. This interface allows
143 143 * for an arguably esoteric interpretation of multiple suffix characters:
144 144 * namely, they cascade. For example, the caller may specify "2mk", which is
145 145 * interpreted as 2 gigabytes. It would seem, at this late stage, that the
146 146 * horse has left not only the barn but indeed the country, and possibly the
147 147 * entire planetary system. Alternatively, the number may be followed by a
148 148 * single '%' sign, indicating the size is a percentage of either the zone's
149 149 * swap limit or the system's overall swap size.
150 150 *
151 151 * Parse and overflow errors are detected and a non-zero number returned on
152 152 * error.
153 153 */
154 154 int
155 155 tmp_convnum(char *str, pgcnt_t *maxpg)
156 156 {
157 157 u_longlong_t num = 0;
158 158 #ifdef _LP64
159 159 u_longlong_t max_bytes = ULONG_MAX;
160 160 #else
161 161 u_longlong_t max_bytes = PAGESIZE * (uint64_t)ULONG_MAX;
162 162 #endif
163 163 char *c;
164 164 const struct convchar {
165 165 char *cc_char;
166 166 uint64_t cc_factor;
167 167 } convchars[] = {
168 168 { "kK", KILOBYTE },
169 169 { "mM", MEGABYTE },
170 170 { "gG", GIGABYTE },
171 171 { NULL, 0 }
172 172 };
173 173
174 174 if (str == NULL) {
175 175 return (EINVAL);
176 176 }
177 177 c = str;
178 178
179 179 /*
180 180 * Convert the initial numeric portion of the input string.
181 181 */
|
↓ open down ↓ |
181 lines elided |
↑ open up ↑ |
182 182 if (ddi_strtoull(str, &c, 10, &num) != 0) {
183 183 return (EINVAL);
184 184 }
185 185
186 186 /*
187 187 * Handle a size in percent. Anything other than a single percent
188 188 * modifier is invalid. We use either the zone's swap limit or the
189 189 * system's total available swap size as the initial value. Perform the
190 190 * intermediate calculation in pages to avoid overflow.
191 191 */
192 - if (*c == '\%') {
192 + if (*c == '%') {
193 193 u_longlong_t cap;
194 194
195 195 if (*(c + 1) != '\0')
196 196 return (EINVAL);
197 197
198 198 if (num > 100)
199 199 return (EINVAL);
200 200
201 201 cap = (u_longlong_t)curproc->p_zone->zone_max_swap_ctl;
202 202 if (cap == UINT64_MAX) {
203 203 /*
204 204 * Use the amount of available physical and memory swap
205 205 */
206 206 mutex_enter(&anoninfo_lock);
207 207 cap = TOTAL_AVAILABLE_SWAP;
208 208 mutex_exit(&anoninfo_lock);
209 209 } else {
210 210 cap = btop(cap);
211 211 }
212 212
213 213 num = ptob(cap * num / 100);
214 214 goto done;
215 215 }
216 216
217 217 /*
218 218 * Apply the (potentially cascading) magnitude suffixes until an
219 219 * invalid character is found, or the string comes to an end.
220 220 */
221 221 for (; *c != '\0'; c++) {
222 222 int i;
223 223
224 224 for (i = 0; convchars[i].cc_char != NULL; i++) {
225 225 /*
226 226 * Check if this character matches this multiplier
227 227 * class:
228 228 */
229 229 if (strchr(convchars[i].cc_char, *c) != NULL) {
230 230 /*
231 231 * Check for overflow:
232 232 */
233 233 if (num > max_bytes / convchars[i].cc_factor) {
234 234 return (EINVAL);
235 235 }
236 236
237 237 num *= convchars[i].cc_factor;
238 238 goto valid_char;
239 239 }
240 240 }
241 241
242 242 /*
243 243 * This was not a valid multiplier suffix character.
244 244 */
245 245 return (EINVAL);
246 246
247 247 valid_char:
248 248 continue;
249 249 }
250 250
251 251 done:
252 252 /*
253 253 * Since btopr() rounds up to page granularity, this round-up can
254 254 * cause an overflow only if 'num' is between (max_bytes - PAGESIZE)
255 255 * and (max_bytes). In this case the resulting number is zero, which
256 256 * is what we check for below.
257 257 */
258 258 if ((*maxpg = (pgcnt_t)btopr(num)) == 0 && num != 0)
259 259 return (EINVAL);
260 260 return (0);
261 261 }
262 262
263 263 /*
264 264 * Parse an octal mode string for use as the permissions set for the root
265 265 * of the tmpfs mount.
266 266 */
267 267 int
268 268 tmp_convmode(char *str, mode_t *mode)
269 269 {
270 270 ulong_t num;
271 271 char *c;
272 272
273 273 if (str == NULL) {
274 274 return (EINVAL);
275 275 }
276 276
277 277 if (ddi_strtoul(str, &c, 8, &num) != 0) {
278 278 return (EINVAL);
279 279 }
280 280
281 281 if ((num & ~VALIDMODEBITS) != 0) {
282 282 return (EINVAL);
283 283 }
284 284
285 285 *mode = VALIDMODEBITS & num;
286 286 return (0);
287 287 }
|
↓ open down ↓ |
85 lines elided |
↑ open up ↑ |
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX