xref: /illumos-gate/usr/src/cmd/rmvolmgr/vold.c (revision abdf5d9abf528d6c318fd8533e09bc3cac1f228b)
1 /*
2  * CDDL HEADER START
3  *
4  * The contents of this file are subject to the terms of the
5  * Common Development and Distribution License (the "License").
6  * You may not use this file except in compliance with the License.
7  *
8  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9  * or http://www.opensolaris.org/os/licensing.
10  * See the License for the specific language governing permissions
11  * and limitations under the License.
12  *
13  * When distributing Covered Code, include this CDDL HEADER in each
14  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15  * If applicable, add the following below this CDDL HEADER, with the
16  * fields enclosed by brackets "[]" replaced with your own identifying
17  * information: Portions Copyright [yyyy] [name of copyright owner]
18  *
19  * CDDL HEADER END
20  */
21 /*
22  * Copyright 2009 Sun Microsystems, Inc.  All rights reserved.
23  * Use is subject to license terms.
24  */
25 
26 /*
27  * Vold compatibility for rmvolmgr: emulate old commands as well as
28  * action_filemgr.so to notify legacy apps via /tmp/.removable pipes.
29  * A lot of this code is copied verbatim from vold sources.
30  *
31  * Here's the original description of action_filemgr.so:
32  *
33  * action_filemgr.so - filemgr interface routines for rmmount
34  *
35  * This shared object allows rmmount to communicate with filemgr.
36  * This is done by communicating over a named pipe that filemgr
37  * creates in directory NOTIFY_DIR.  The name of the pipe must
38  * begin with NOTIFY_NAME.  This source file contains #define
39  * compiler directives set the values of NOTIFY_DIR and NOTIFY_NAME.
40  *
41  * After a partition on a medium has been mounted as a result of
42  * either insertion or remounting of the medium, the action()
43  * method creates a file named with the symbolic name of the
44  * device in which the medium is inserted and the partition name
45  * (e.g. "jaz0-s2") in NOTIFY_DIR.  The file consists of one text
46  * line containing a string naming the mount point of the partition,
47  * a string giving the raw device path to the partition, and a
48  * string naming the file system type on the partition.  The action()
49  * method then sends a single character ('i' for insertion, 'r' for
50  * remounting) through the named pipe NOTIFY_NAME to tell filemgr to
51  * look for new files in NOTIFY_DIR.
52  *
53  * If a medium containing no mountable partitions is inserted
54  * or remounted in a device, the action() method creates a file
55  * named with the symbolic name of the device in NOTIFY_DIR.
56  * The file consists of one text line containing a string
57  * giving the symbolic name of the device and a string naming
58  * the reason that the medium couldn't be mounted.  The action
59  * method then sends either an 'i' or an 'r' through the named
60  * pipe to tell filemgr to look for new files in NOTIFY_DIR.
61  *
62  * When a medium is ejected or unmounted, the action() method
63  * removes the files that were created in NOTIFY_DIR when the medium
64  * was inserted or remounted and sends a single character ('e' for
65  * ejection, 'u' for unmounting) through the named pipe.
66  *
67  * The following environment variables must be set before calling action():
68  *
69  *	VOLUME_ACTION		action that occurred (e.g. "insert", "eject")
70  *	VOLUME_SYMDEV		symbolic name (e.g. "cdrom0", "floppy1")
71  *	VOLUME_NAME		volume name (e.g. "unnamed_cdrom", "s2")
72  */
73 
74 
75 #include <stdio.h>
76 #include <stdlib.h>
77 #include <unistd.h>
78 #include <fcntl.h>
79 #include <string.h>
80 #include <strings.h>
81 #include <dirent.h>
82 #include <signal.h>
83 #include <errno.h>
84 #include <libintl.h>
85 #include <zone.h>
86 #include <pwd.h>
87 #include <sys/types.h>
88 #include <sys/stat.h>
89 #include <sys/dkio.h>
90 #include <sys/cdio.h>
91 #include <sys/vtoc.h>
92 #include <sys/param.h>
93 #include <sys/wait.h>
94 #include <libcontract.h>
95 #include <sys/contract/process.h>
96 #include <sys/ctfs.h>
97 #include <tsol/label.h>
98 
99 #include "vold.h"
100 #include "rmm_common.h"
101 
102 int		rmm_debug = 0;
103 boolean_t	rmm_vold_actions_enabled = B_FALSE;
104 boolean_t	rmm_vold_mountpoints_enabled = B_FALSE;
105 
106 static char	*prog_name = NULL;
107 static pid_t	prog_pid = 0;
108 static int	system_labeled = 0;
109 static uid_t	mnt_uid = (uid_t)-1;
110 static gid_t	mnt_gid = (gid_t)-1;
111 static zoneid_t	mnt_zoneid = -1;
112 static char	mnt_zoneroot[MAXPATHLEN];
113 static char	mnt_userdir[MAXPATHLEN];
114 
115 /*
116  * Private attribute types and attributes.
117  */
118 static const char notify_characters[] = {
119 	'e',
120 	'i',
121 	'r',
122 	'u'
123 };
124 
125 static const char *result_strings[] = {
126 	"FALSE",
127 	"TRUE"
128 };
129 
130 #define	NOTIFY_DIR	"/tmp/.removable"	/* dir where filemgr looks */
131 #define	NOTIFY_NAME	"notify"		/* named pipe to talk over */
132 
133 static void	volrmmount_usage();
134 static void	volcheck_usage();
135 static int	vold_action(struct action_arg *aap);
136 static void	vold_update_mountpoints(struct action_arg *aap);
137 static char	*not_mountable(struct action_arg *aa);
138 static int	create_one_notify_file(char *fstype,
139 				char *mount_point,
140 				char *notify_file,
141 				char *raw_partitionp,
142 				char *reason,
143 				char *symdev);
144 static int	create_notify_files(struct action_arg **aa);
145 static boolean_t notify_clients(action_t action, int do_notify);
146 static void	popdir(int fd);
147 static int	pushdir(const char *dir);
148 static boolean_t remove_notify_files(struct action_arg **aa);
149 
150 /*
151  * should be called once from main()
152  */
153 /* ARGSUSED */
154 void
155 vold_init(int argc, char **argv)
156 {
157 	system_labeled = is_system_labeled();
158 }
159 
160 /*
161  * Old version of rmmount(1M)
162  */
163 /* ARGSUSED */
164 int
165 vold_rmmount(int argc, char **argv)
166 {
167 	char		*volume_action;
168 	char		*volume_mediatype;
169 	char		*volume_mount_mode;
170 	char		*volume_name;
171 	char		*volume_path;
172 	char		*volume_pcfs_id;
173 	char		*volume_symdev;
174 	char		*volume_zonename;
175 	char		*volume_user;
176 	action_t	action;
177 	char		mountpoint[MAXPATHLEN];
178 	char		*zonemountpoint;
179 	char		*arg_mountpoint = NULL;
180 	LibHalContext	*hal_ctx;
181 	DBusError	error;
182 	rmm_error_t	rmm_error;
183 	int		ret;
184 
185 	prog_name = argv[0];
186 	prog_pid = getpid();
187 
188 	mnt_zoneroot[0] = '\0';
189 	mnt_userdir[0] = '\0';
190 
191 	volume_action = getenv("VOLUME_ACTION");
192 	volume_mediatype = getenv("VOLUME_MEDIATYPE");
193 	volume_mount_mode = getenv("VOLUME_MOUNT_MODE");
194 	volume_name = getenv("VOLUME_NAME");
195 	volume_path = getenv("VOLUME_PATH");
196 	volume_pcfs_id = getenv("VOLUME_PCFS_ID");
197 	volume_symdev = getenv("VOLUME_SYMDEV");
198 
199 	if (system_labeled) {
200 		volume_zonename = getenv("VOLUME_ZONE_NAME");
201 		volume_user = getenv("VOLUME_USER");
202 	}
203 	if (volume_action == NULL) {
204 		dprintf("%s(%ld): VOLUME_ACTION was null!!\n",
205 		    prog_name, prog_pid);
206 		return (-1);
207 	}
208 	if (volume_mediatype == NULL) {
209 		dprintf("%s(%ld): VOLUME_MEDIATYPE was null!!\n",
210 		    prog_name, prog_pid);
211 		return (-1);
212 	}
213 	if (volume_mount_mode == NULL) {
214 		volume_mount_mode = "rw";
215 	}
216 	if (volume_name == NULL) {
217 		dprintf("%s(%ld): VOLUME_NAME was null!!\n",
218 		    prog_name, prog_pid);
219 		return (-1);
220 	}
221 	if (volume_path == NULL) {
222 		dprintf("%s(%ld): VOLUME_PATH was null!!\n",
223 		    prog_name, prog_pid);
224 		return (-1);
225 	}
226 	if (volume_pcfs_id == NULL) {
227 		volume_pcfs_id = "";
228 	}
229 	if (volume_symdev == NULL) {
230 		dprintf("%s(%ld): VOLUME_SYMDEV was null!!\n",
231 		    prog_name, prog_pid);
232 		return (-1);
233 	}
234 
235 	if (system_labeled) {
236 		if (volume_zonename != NULL &&
237 		    strcmp(volume_zonename, GLOBAL_ZONENAME) != 0) {
238 			if ((mnt_zoneid =
239 			    getzoneidbyname(volume_zonename)) != -1) {
240 				if (zone_getattr(mnt_zoneid, ZONE_ATTR_ROOT,
241 				    mnt_zoneroot, MAXPATHLEN) == -1) {
242 					dprintf("%s(%ld): NO ZONEPATH!!\n",
243 					    prog_name, prog_pid);
244 					return (-1);
245 				}
246 			}
247 		} else {
248 			mnt_zoneid = GLOBAL_ZONEID;
249 			mnt_zoneroot[0] = '\0';
250 		}
251 		if (volume_user != NULL) {
252 			struct passwd	 *pw;
253 
254 			if ((pw = getpwnam(volume_user)) == NULL) {
255 				dprintf("%s(%ld) %s\n", prog_name, prog_pid,
256 				    ": VOLUME_USER was not a valid user!");
257 				return (-1);
258 			}
259 			mnt_uid = pw->pw_uid;
260 			mnt_gid = pw->pw_gid;
261 
262 			if (snprintf(mnt_userdir, sizeof (mnt_userdir),
263 			    "/%s-%s", volume_user, volume_symdev) >=
264 			    sizeof (mnt_userdir))
265 				return (-1);
266 		} else {
267 			mnt_uid = 0;
268 			mnt_userdir[0] = '\0';
269 		}
270 
271 		rmm_vold_mountpoints_enabled = B_FALSE;
272 		rmm_vold_actions_enabled = B_TRUE;
273 	} else {
274 		rmm_vold_mountpoints_enabled = B_TRUE;
275 		rmm_vold_actions_enabled = B_TRUE;
276 	}
277 
278 	if ((hal_ctx = rmm_hal_init(0, 0, 0, 0, &error, &rmm_error)) == NULL) {
279 		rmm_dbus_error_free(&error);
280 
281 		/* if HAL's not running, must be root */
282 		if (geteuid() != 0) {
283 			(void) fprintf(stderr,
284 			    gettext("%s(%ld) error: must be root to execute\n"),
285 			    prog_name, prog_pid);
286 			return (-1);
287 		}
288 	}
289 
290 	if (strcmp(volume_action, "eject") == 0) {
291 		action = EJECT;
292 	} else if (strcmp(volume_action, "insert") == 0) {
293 		action = INSERT;
294 
295 		if (system_labeled) {
296 			/*
297 			 * create mount point
298 			 */
299 			if (strlen(mnt_userdir) > 0) {
300 				if (snprintf(mountpoint, MAXPATHLEN,
301 				    "%s/%s%s", mnt_zoneroot, volume_mediatype,
302 				    mnt_userdir) > MAXPATHLEN) {
303 					return (-1);
304 
305 				}
306 				(void) makepath(mountpoint, 0700);
307 				(void) chown(mountpoint, mnt_uid, mnt_gid);
308 				/*
309 				 * set the top level directory bits to 0755
310 				 * so user can access it.
311 				 */
312 				if (snprintf(mountpoint, MAXPATHLEN,
313 				    "%s/%s", mnt_zoneroot,
314 				    volume_mediatype) <= MAXPATHLEN) {
315 					(void) chmod(mountpoint, 0755);
316 				}
317 			}
318 			if (snprintf(mountpoint, MAXPATHLEN,
319 			    "%s/%s%s/%s", mnt_zoneroot, volume_mediatype,
320 			    mnt_userdir, volume_name) > MAXPATHLEN) {
321 				(void) fprintf(stderr,
322 				    gettext("%s(%ld) error: path too long\n"),
323 				    prog_name, prog_pid);
324 				return (-1);
325 			}
326 
327 			/* make our mountpoint */
328 			(void) makepath(mountpoint, 0755);
329 
330 			arg_mountpoint = mountpoint;
331 		}
332 	} else if (strcmp(volume_action, "remount") == 0) {
333 		action = REMOUNT;
334 	} else if (strcmp(volume_action, "unmount") == 0) {
335 		action = UNMOUNT;
336 	}
337 
338 	ret = rmm_action(hal_ctx, volume_symdev, action, 0, 0, 0,
339 	    arg_mountpoint) ? 0 : 1;
340 
341 	if (hal_ctx != NULL) {
342 		rmm_hal_fini(hal_ctx);
343 	}
344 
345 	return (ret);
346 }
347 
348 
349 /*
350  * this should be called after rmm_hal_{mount,unmount,eject}
351  */
352 int
353 vold_postprocess(LibHalContext *hal_ctx, const char *udi,
354     struct action_arg *aap)
355 {
356 	int	ret = 0;
357 
358 	/* valid mountpoint required */
359 	if ((aap->aa_action == INSERT) || (aap->aa_action == REMOUNT)) {
360 		rmm_volume_aa_update_mountpoint(hal_ctx, udi, aap);
361 		if ((aap->aa_mountpoint == NULL) ||
362 		    (strlen(aap->aa_mountpoint) == 0)) {
363 			return (1);
364 		}
365 	}
366 
367 	if (rmm_vold_mountpoints_enabled) {
368 		vold_update_mountpoints(aap);
369 	}
370 	if (rmm_vold_actions_enabled) {
371 		ret = vold_action(aap);
372 	}
373 
374 	return (ret);
375 }
376 
377 /*
378  * update legacy symlinks
379  *
380  * For cdrom:
381  *
382  *	/cdrom/<name> -> original mountpoint
383  *	/cdrom/cdrom0 -> ./<name>
384  *	/cdrom/cdrom -> cdrom0  (only for cdrom0)
385  *
386  * If it's a slice or partition, /cdrom/<name> becomes a directory:
387  *
388  *	/cdrom/<name>/s0
389  *
390  * Same for rmdisk and floppy.
391  *
392  * On labeled system (Trusted Solaris), links are in a user directory.
393  */
394 static void
395 vold_update_mountpoints(struct action_arg *aap)
396 {
397 	boolean_t	is_partition;
398 	char		part_dir[2 * MAXNAMELEN];
399 	char		symname_mp[2 * MAXNAMELEN];
400 	char		symcontents_mp[MAXNAMELEN];
401 	char		symname[2 * MAXNAMELEN];
402 	char		symcontents[MAXNAMELEN];
403 
404 	is_partition = (aap->aa_partname != NULL);
405 
406 	if (!system_labeled) {
407 		if (!is_partition) {
408 			/* /cdrom/<name> -> original mountpoint */
409 			(void) snprintf(symcontents_mp, sizeof (symcontents_mp),
410 			    "%s", aap->aa_mountpoint);
411 			(void) snprintf(symname_mp, sizeof (symname_mp),
412 			    "/%s/%s", aap->aa_media, aap->aa_name);
413 		} else {
414 			/* /cdrom/<name>/slice -> original mountpoint */
415 			(void) snprintf(part_dir, sizeof (part_dir),
416 			    "/%s/%s", aap->aa_media, aap->aa_name);
417 			(void) snprintf(symcontents_mp, sizeof (symcontents_mp),
418 			    "%s", aap->aa_mountpoint);
419 			(void) snprintf(symname_mp, sizeof (symname_mp),
420 			    "/%s/%s/%s", aap->aa_media, aap->aa_name,
421 			    aap->aa_partname);
422 
423 		}
424 		/* /cdrom/cdrom0 -> ./<name> */
425 		(void) snprintf(symcontents, sizeof (symcontents),
426 		    "./%s", aap->aa_name);
427 		(void) snprintf(symname, sizeof (symname),
428 		    "/%s/%s", aap->aa_media, aap->aa_symdev);
429 	} else {
430 		if (!is_partition) {
431 			/* /cdrom/<user>/<name> -> original mountpoint */
432 			(void) snprintf(symcontents_mp, sizeof (symcontents_mp),
433 			    "%s", aap->aa_mountpoint);
434 			(void) snprintf(symname_mp, sizeof (symname_mp),
435 			    "%s/%s/%s", mnt_zoneroot, aap->aa_media,
436 			    aap->aa_symdev);
437 		} else {
438 			/* /cdrom/<user>/<name>/slice -> original mountpoint */
439 			(void) snprintf(symcontents_mp, sizeof (symcontents_mp),
440 			    "%s", aap->aa_mountpoint);
441 			(void) snprintf(symname_mp, sizeof (symname_mp),
442 			    "%s/%s/%s", mnt_zoneroot, aap->aa_media,
443 			    aap->aa_symdev, aap->aa_partname);
444 		}
445 
446 		/* /cdrom/<user>/cdrom0 -> ./<user>/<name> */
447 		(void) snprintf(symcontents, sizeof (symcontents),
448 		    ".%s/%s", mnt_userdir, aap->aa_name);
449 		(void) snprintf(symname, sizeof (symname), "%s/%s/%s",
450 		    mnt_zoneroot, aap->aa_media, aap->aa_symdev);
451 	}
452 
453 	(void) unlink(symname);
454 	(void) unlink(symname_mp);
455 	if (is_partition) {
456 		(void) rmdir(part_dir);
457 	}
458 
459 	if ((aap->aa_action == INSERT) || (aap->aa_action == REMOUNT)) {
460 		(void) mkdir(aap->aa_media, 0755);
461 		if (is_partition) {
462 			(void) mkdir(part_dir, 0755);
463 		}
464 		(void) symlink(symcontents_mp, symname_mp);
465 		(void) symlink(symcontents, symname);
466 	}
467 }
468 
469 
470 static int
471 vold_action(struct action_arg *aap)
472 {
473 	action_t	action;
474 	int		result;
475 	int		do_notify = FALSE;
476 	action_t	notify_act = EJECT;
477 	struct action_arg *aa[2];
478 	struct action_arg a1;
479 
480 	dprintf("%s[%d]: entering action()\n", __FILE__, __LINE__);
481 
482 	/*
483 	 * on Trusted Extensions, actions are executed in the user's zone
484 	 */
485 	if (mnt_zoneid > GLOBAL_ZONEID) {
486 		pid_t	pid;
487 		int	status;
488 		int	ifx;
489 		int	tmpl_fd;
490 		int	err = 0;
491 
492 		tmpl_fd = open64(CTFS_ROOT "/process/template",
493 		    O_RDWR);
494 		if (tmpl_fd == -1)
495 			return (1);
496 
497 		/*
498 		 * Deliver no events, don't inherit,
499 		 * and allow it to be orphaned.
500 		 */
501 		err |= ct_tmpl_set_critical(tmpl_fd, 0);
502 		err |= ct_tmpl_set_informative(tmpl_fd, 0);
503 		err |= ct_pr_tmpl_set_fatal(tmpl_fd,
504 		    CT_PR_EV_HWERR);
505 		err |= ct_pr_tmpl_set_param(tmpl_fd,
506 		    CT_PR_PGRPONLY |
507 		    CT_PR_REGENT);
508 		if (err || ct_tmpl_activate(tmpl_fd)) {
509 			(void) close(tmpl_fd);
510 			return (1);
511 		}
512 		switch (pid = fork1()) {
513 		case 0:
514 			(void) ct_tmpl_clear(tmpl_fd);
515 			for (ifx = 0; ifx < _NFILE; ifx++)
516 				(void) close(ifx);
517 
518 			if (zone_enter(mnt_zoneid) == -1)
519 				_exit(0);
520 
521 			/* entered zone, proceed to action */
522 			break;
523 		case -1:
524 			dprintf("fork1 failed \n ");
525 			return (1);
526 		default :
527 			(void) ct_tmpl_clear(tmpl_fd);
528 			(void) close(tmpl_fd);
529 			if (waitpid(pid, &status, 0) < 0) {
530 				dprintf("%s(%ld): waitpid() "
531 				    "failed (errno %d) \n",
532 				    prog_name, prog_pid, errno);
533 				return (1);
534 			}
535 		}
536 	}
537 
538 	/* only support one action at a time XXX */
539 	a1.aa_path = NULL;
540 	aa[0] = aap;
541 	aa[1] = &a1;
542 
543 	action = aa[0]->aa_action;
544 
545 	if (action == CLEAR_MOUNTS) {
546 		/*
547 		 * Remove the notifications files, but don't
548 		 * notify the client.  The "clear_mounts" action
549 		 * simply clears all existing mounts of a medium's
550 		 * partitions after a medium has been repartitioned.
551 		 * Then vold builds a new file system that reflects
552 		 * the medium's new partition structure and mounts
553 		 * the new partitions by calling rmmount, and therefore
554 		 * action(), with the VOLUME_ACTION environment variable
555 		 * set to "remount".
556 		 */
557 		result = remove_notify_files(aa);
558 		result = TRUE;
559 	} else if (action == EJECT) {
560 		result = remove_notify_files(aa);
561 		if (result == TRUE) {
562 			do_notify = TRUE;
563 			notify_act = EJECT;
564 		}
565 	} else if (action = INSERT) {
566 		result = create_notify_files(aa);
567 		if (result == TRUE) {
568 			do_notify = TRUE;
569 			notify_act = INSERT;
570 		}
571 	} else if (action == REMOUNT) {
572 		result = create_notify_files(aa);
573 		if (result == TRUE) {
574 			do_notify = TRUE;
575 			notify_act = REMOUNT;
576 		}
577 	} else if (action == UNMOUNT) {
578 		result = remove_notify_files(aa);
579 		if (result == TRUE) {
580 			do_notify = TRUE;
581 			notify_act = UNMOUNT;
582 		}
583 	} else {
584 		dprintf("%s[%d]: action(): invalid action: %s\n",
585 		    __FILE__, __LINE__, action);
586 		result = FALSE;
587 	}
588 
589 	if (result == TRUE) {
590 		result = notify_clients(notify_act, do_notify);
591 	}
592 
593 	dprintf("%s[%d]: leaving action(), result = %s\n",
594 	    __FILE__, __LINE__, result_strings[result]);
595 
596 	if (mnt_zoneid > GLOBAL_ZONEID) {
597 		/* exit forked local zone process */
598 		_exit(0);
599 	}
600 
601 	if (result == TRUE) {
602 		/*
603 		 * File Manager is running. return 0.
604 		 * see man page rmmount.conf(4).
605 		 */
606 		return (0);
607 	} else {
608 		return (1);
609 	}
610 }
611 
612 
613 /*
614  * Returns NULL if a medium or partition is mountable
615  * and a string stating the reason the medium or partition
616  * can't be mounted if the medium or partition isn't mountable.
617  *
618  * If the volume_name of the medium or partition is one of the
619  * following, the medium or partition isn't mountable.
620  *
621  * unlabeled_<media_type>
622  * unknown_format
623  * password_protected
624  */
625 /* ARGSUSED */
626 static char *
627 not_mountable(struct action_arg *aa)
628 {
629 	return (NULL);
630 }
631 
632 static int
633 create_notify_files(struct action_arg **aa)
634 {
635 	int	ai;
636 	char	*fstype;
637 	char	*mount_point;
638 	char	notify_file[64];
639 	char	*raw_partitionp;
640 	char	*reason; /* Why the medium wasn't mounted */
641 	int	result;
642 	char	*symdev;
643 
644 	dprintf("%s[%d]: entering create_notify_files()\n", __FILE__, __LINE__);
645 
646 	ai = 0;
647 	result = FALSE;
648 	symdev = aa[ai]->aa_symdev;
649 	while ((aa[ai] != NULL) && (aa[ai]->aa_path != NULL)) {
650 		if (aa[ai]->aa_mountpoint != NULL) {
651 			if (aa[ai]->aa_type) {
652 				fstype = aa[ai]->aa_type;
653 			} else {
654 				fstype = "unknown";
655 			}
656 			mount_point = aa[ai]->aa_mountpoint;
657 			if (aa[ai]->aa_partname != NULL) {
658 				/*
659 				 * Is aa_partname ever NULL?
660 				 * When time permits, check.
661 				 * If it is, the action taken
662 				 * in the else clause could produce
663 				 * file name conflicts.
664 				 */
665 				sprintf(notify_file, "%s-%s", symdev,
666 				    aa[ai]->aa_partname);
667 			} else {
668 				sprintf(notify_file, "%s-0", symdev);
669 			}
670 			reason = NULL;
671 		} else {
672 			/*
673 			 * The partition isn't mounted.
674 			 */
675 			fstype = "none";
676 			mount_point = "none";
677 			reason = not_mountable(aa[ai]);
678 			if (reason != NULL) {
679 				sprintf(notify_file, "%s-0", symdev);
680 			} else {
681 				/*
682 				 * Either the partition is a backup slice, or
683 				 * rmmount tried to mount the partition, but
684 				 * idenf_fs couldn't identify the file system
685 				 * type; that can occur when rmmount is
686 				 * trying to mount all the slices in a Solaris
687 				 * VTOC, and one or more partitions don't have
688 				 * file systems in them.
689 				 */
690 				if (aa[0]->aa_partname != NULL) {
691 					/*
692 					 * Is aa_partname ever NULL?
693 					 * When time permits, check.
694 					 * If it is, the action taken
695 					 * in the else clause could produce
696 					 * file name conflicts.
697 					 */
698 					sprintf(notify_file, "%s-%s", symdev,
699 					    aa[0]->aa_partname);
700 				} else {
701 					sprintf(notify_file, "%s-0", symdev);
702 				}
703 				if ((aa[0]->aa_type != NULL) &&
704 				    (strcmp(aa[0]->aa_type, "backup_slice")
705 				    == 0)) {
706 					reason = "backup_slice";
707 				} else {
708 					reason = "unformatted_media";
709 				}
710 				/*
711 				 * "unformatted_media" should be
712 				 * changed to "unformmated_medium" for
713 				 * grammatical correctness, but
714 				 * "unformatted_media" is now specified
715 				 * in the interface to filemgr, so the
716 				 * change can't be made without the
717 				 * approval of the CDE group.
718 				 */
719 			}
720 		}
721 		raw_partitionp = aa[0]->aa_rawpath;
722 		result = create_one_notify_file(fstype,
723 		    mount_point,
724 		    notify_file,
725 		    raw_partitionp,
726 		    reason,
727 		    symdev);
728 		ai++;
729 	}
730 	dprintf("%s[%d]: leaving create_notify_files(), result = %s\n",
731 	    __FILE__, __LINE__, result_strings[result]);
732 	return (result);
733 }
734 
735 static int
736 create_one_notify_file(char *fstype,
737 	char *mount_point,
738 	char *notify_file,
739 	char *raw_partitionp,
740 	char *reason,
741 	char *symdev)
742 {
743 	/*
744 	 * For a mounted partition, create a notification file
745 	 * indicating the mount point,  the raw device pathname
746 	 * of the partition, and the partition's file system
747 	 * type.  For an unmounted partition, create a
748 	 * notification file containing the reason that the
749 	 * partition wasn't mounted and the raw device pathname
750 	 * of the partition.
751 	 *
752 	 * Create the file as root in a world-writable
753 	 * directory that resides in a world-writable directory.
754 	 *
755 	 * Handle two possible race conditions that could
756 	 * allow security breaches.
757 	 */
758 
759 	int	current_working_dir_fd;
760 	int	file_descriptor;
761 	FILE	*filep;
762 	int	result;
763 
764 	dprintf("%s[%d]:Entering create_one_notify_file()\n",
765 	    __FILE__, __LINE__);
766 	dprintf("\tcreate_one_notify_file(): fstype = %s\n", fstype);
767 	dprintf("\tcreate_one_notify_file(): mount_point = %s\n", mount_point);
768 	dprintf("\tcreate_one_notify_file(): notify_file = %s\n", notify_file);
769 	dprintf("\tcreate_one_notify_file(): raw_partitionp = %s\n",
770 	    raw_partitionp);
771 	if (reason != NULL) {
772 		dprintf("\tcreate_one_notify_file(): reason = %s\n", reason);
773 	} else {
774 		dprintf("\tcreate_one_notify_file(): reason = NULL\n");
775 	}
776 	dprintf("\tcreate_one_notify_file(): symdev = %s\n", symdev);
777 
778 	result = TRUE;
779 	/*
780 	 * Handle Race Condition One:
781 	 *
782 	 *   If NOTIFY_DIR exists, make sure it is not a symlink.
783 	 *   if it is, remove it and try to create it.  Check
784 	 *   again to make sure NOTIFY_DIR isn't a symlink.
785 	 *   If it is, remove it and return without creating
786 	 *   a notification file.  The condition can only occur if
787 	 *   someone is trying to break into the system by running
788 	 *   a program that repeatedly creates NOTIFY_DIR as a
789 	 *   symlink.  If NOTIFY_DIR exists and isn't a symlink,
790 	 *   change the working directory to NOTIFY_DIR.
791 	 */
792 	current_working_dir_fd = pushdir(NOTIFY_DIR);
793 	if (current_working_dir_fd < 0) {
794 		(void) makepath(NOTIFY_DIR, 0777);
795 		current_working_dir_fd = pushdir(NOTIFY_DIR);
796 		if (current_working_dir_fd < 0) {
797 			result = FALSE;
798 		}
799 	}
800 	/*
801 	 * Handle Race Condition Two:
802 	 *
803 	 * Create the notification file in NOTIFY_DIR.
804 	 * Remove any files with the same name that may already be
805 	 * there, using remove(), as it safely removes directories.
806 	 * Then open the file O_CREAT|O_EXCL, which doesn't follow
807 	 * symlinks and requires that the file not exist already,
808 	 * so the new file actually resides in the current working
809 	 * directory.  Create the file with access mode 644, which
810 	 * renders it unusable by anyone trying to break into the
811 	 * system.
812 	 */
813 	if (result == TRUE) {
814 		/*
815 		 * The current working directory is now NOTIFY_DIR.
816 		 */
817 		(void) remove(notify_file);
818 		file_descriptor =
819 		    open(notify_file, O_CREAT|O_EXCL|O_WRONLY, 0644);
820 		if (file_descriptor < 0) {
821 			dprintf("%s[%d]: can't create %s/%s; %m\n",
822 			    __FILE__, __LINE__, NOTIFY_DIR, notify_file);
823 			result = FALSE;
824 		} else {
825 			filep = fdopen(file_descriptor, "w");
826 			if (filep != NULL) {
827 				if (reason == NULL) {
828 					(void) fprintf(filep, "%s %s %s",
829 					    mount_point,
830 					    raw_partitionp,
831 					    fstype);
832 					(void) fclose(filep);
833 				dprintf("%s[%d]: Just wrote %s %s %s to %s\n",
834 				    __FILE__,
835 				    __LINE__,
836 				    mount_point,
837 				    raw_partitionp,
838 				    fstype,
839 				    notify_file);
840 				} else {
841 					(void) fprintf(filep, "%s %s",
842 					    reason, raw_partitionp);
843 					(void) fclose(filep);
844 				dprintf("%s[%d]: Just wrote %s %s to %s\n",
845 				    __FILE__,
846 				    __LINE__,
847 				    reason,
848 				    raw_partitionp,
849 				    notify_file);
850 				}
851 			} else {
852 				dprintf("%s[%d]: can't write %s/%s; %m\n",
853 				    __FILE__, __LINE__,
854 				    NOTIFY_DIR, notify_file);
855 				(void) close(file_descriptor);
856 				result = FALSE;
857 			}
858 		}
859 		popdir(current_working_dir_fd);
860 	}
861 	dprintf("%s[%d]: leaving create_one_notify_file, result = %s\n",
862 	    __FILE__, __LINE__, result_strings[result]);
863 	return (result);
864 }
865 
866 static boolean_t
867 notify_clients(action_t action, int do_notify)
868 {
869 	/*
870 	 * Notify interested applications of changes in the state
871 	 * of removable media.  Interested applications are those
872 	 * that create a named pipe in NOTIFY_DIR with a name that
873 	 * begins with "notify".  Open the pipe and write a
874 	 * character through it that indicates the type of state
875 	 * change = 'e' for ejections, 'i' for insertions, 'r'
876 	 * for remounts of the file systems on repartitioned media,
877 	 * and 'u' for unmounts of file systems.
878 	 */
879 
880 	int		current_working_dir_fd;
881 	DIR		*dirp;
882 	struct dirent	*dir_entryp;
883 	size_t		len;
884 	int		fd;
885 	char		namebuf[MAXPATHLEN];
886 	char		notify_character;
887 	void		(*old_signal_handler)();
888 	int		result;
889 	struct stat	sb;
890 
891 	dprintf("%s[%d]: entering notify_clients()\n", __FILE__, __LINE__);
892 
893 	result = TRUE;
894 	/*
895 	 * Use relative pathnames after changing the
896 	 * working directory to the notification directory.
897 	 * Check to make sure that each "notify" file is a
898 	 * named pipe to make sure that it hasn't changed
899 	 * its file type, which could mean that someone is
900 	 * trying to use "notify" files to break into the
901 	 * system.
902 	 */
903 	if ((current_working_dir_fd = pushdir(NOTIFY_DIR)) < 0) {
904 		result = FALSE;
905 	}
906 	if (result == TRUE) {
907 		dirp = opendir(".");
908 		if (dirp == NULL) {
909 			dprintf("%s[%d]:opendir failed on '.'; %m\n",
910 			    __FILE__, __LINE__);
911 			popdir(current_working_dir_fd);
912 			result = FALSE;
913 		}
914 	}
915 	if (result == TRUE) {
916 		/*
917 		 * Read through the directory and write a notify
918 		 * character to all files whose names start with "notify".
919 		 */
920 		result = FALSE;
921 		old_signal_handler = signal(SIGPIPE, SIG_IGN);
922 		len = strlen(NOTIFY_NAME);
923 		while (dir_entryp = readdir(dirp)) {
924 			if (strncmp(dir_entryp->d_name, NOTIFY_NAME, len)
925 			    != 0) {
926 				continue;
927 			}
928 			result = TRUE;
929 			if (do_notify != TRUE) {
930 				continue;
931 			}
932 			(void) sprintf(namebuf, "%s/%s",
933 			    NOTIFY_DIR, dir_entryp->d_name);
934 			if ((fd = open(namebuf, O_WRONLY|O_NDELAY)) < 0) {
935 				dprintf("%s[%d]: open failed for %s; %m\n",
936 				    __FILE__, __LINE__, namebuf);
937 				continue;
938 			}
939 			/*
940 			 * Check to be sure that the entry is a named pipe.
941 			 * That closes a small security hole that could
942 			 * enable unauthorized access to the system root.
943 			 */
944 			if ((fstat(fd, &sb) < 0) || (!S_ISFIFO(sb.st_mode))) {
945 				dprintf("%s[%d]: %s isn't a named pipe\n",
946 				    __FILE__, __LINE__, namebuf);
947 
948 				(void) close(fd);
949 				continue;
950 			}
951 			notify_character = notify_characters[action];
952 			if (write(fd, &notify_character, 1) < 0) {
953 				dprintf("%s[%d]: write failed for %s; %m\n",
954 				    __FILE__, __LINE__, namebuf);
955 				(void) close(fd);
956 				continue;
957 			}
958 			(void) close(fd);
959 		}
960 		(void) closedir(dirp);
961 		(void) signal(SIGPIPE, old_signal_handler);
962 		popdir(current_working_dir_fd);
963 	}
964 	dprintf("%s[%d]: leaving notify_clients(), result = %s\n",
965 	    __FILE__, __LINE__, result_strings[result]);
966 	return (result);
967 }
968 
969 static void
970 popdir(int fd)
971 {
972 	/*
973 	 * Change the current working directory to the directory
974 	 * specified by fd and close the fd.  Exit the program
975 	 * on failure.
976 	 */
977 	if (fchdir(fd) < 0) {
978 		dprintf("%s[%d]: popdir() failed\n", __FILE__, __LINE__);
979 		exit(1);
980 	}
981 	(void) close(fd);
982 }
983 
984 static int
985 pushdir(const char *dir)
986 {
987 	/*
988 	 * Change the current working directory to dir and
989 	 * return a file descriptor for the old working
990 	 * directory.
991 	 *
992 	 * Exception handling:
993 	 *
994 	 * If dir doesn't exist, leave the current working
995 	 * directory the same and return -1.
996 	 *
997 	 * If dir isn't a directory, remove it, leave the
998 	 * current working directory the same, and return -1.
999 	 *
1000 	 * If open() fails on the current working directory
1001 	 * or the chdir operation fails on dir, leave the
1002 	 * current working directory the same and return -1.
1003 	 */
1004 
1005 	int		current_working_dir_fd;
1006 	struct stat	stat_buf;
1007 
1008 	if (lstat(dir, &stat_buf) < 0) {
1009 		dprintf("%s[%d]: push_dir_and_check(): %s does not exist\n",
1010 		    __FILE__, __LINE__, dir);
1011 		return (-1);
1012 	}
1013 
1014 	if (!(S_ISDIR(stat_buf.st_mode))) {
1015 		dprintf("%s[%d]: push_dir_and_check(): %s not a directory.\n",
1016 		    __FILE__, __LINE__, dir);
1017 		(void) remove(dir);
1018 		return (-1);
1019 	}
1020 	if ((current_working_dir_fd = open(".", O_RDONLY)) < 0) {
1021 		dprintf("%s[%d]: push_dir_and_check(): can't open %s.\n",
1022 		    __FILE__, __LINE__, dir);
1023 		return (-1);
1024 	}
1025 	if (chdir(dir) < 0) {
1026 		(void) close(current_working_dir_fd);
1027 		dprintf("%s[%d]: push_dir_and_check(): can't chdir() to %s.\n",
1028 		    __FILE__, __LINE__, dir);
1029 		return (-1);
1030 	}
1031 	return (current_working_dir_fd);
1032 }
1033 
1034 static boolean_t
1035 remove_notify_files(struct action_arg **aa)
1036 {
1037 	int	ai;
1038 	int	current_working_dir_fd;
1039 	char	notify_file[64];
1040 	int	result;
1041 	char	*symdev;
1042 
1043 	dprintf("%s[%d]: entering remove_notify_files()\n", __FILE__, __LINE__);
1044 
1045 	ai = 0;
1046 	result = TRUE;
1047 	symdev = aa[ai]->aa_symdev;
1048 	while ((result == TRUE) &&
1049 	    (aa[ai] != NULL) &&
1050 	    (aa[ai]->aa_path != NULL)) {
1051 
1052 		if (not_mountable(aa[ai])) {
1053 			sprintf(notify_file, "%s-0", symdev);
1054 		} else if (aa[ai]->aa_partname != NULL) {
1055 			/*
1056 			 * Is aa_partname ever NULL?
1057 			 * When time permits, check.
1058 			 * If it is, the action taken
1059 			 * in the else clause could produce
1060 			 * file name conflicts.
1061 			 */
1062 			sprintf(notify_file, "%s-%s",
1063 			    symdev, aa[0]->aa_partname);
1064 		} else {
1065 			sprintf(notify_file, "%s-0", symdev);
1066 		}
1067 
1068 		current_working_dir_fd = pushdir(NOTIFY_DIR);
1069 		if (current_working_dir_fd < 0) {
1070 			result = FALSE;
1071 		}
1072 		if ((result == TRUE) && (remove(notify_file) < 0)) {
1073 			dprintf("%s[%d]: remove %s/%s; %m\n",
1074 			    __FILE__, __LINE__, NOTIFY_DIR, notify_file);
1075 			result = FALSE;
1076 		}
1077 		if (current_working_dir_fd != -1) {
1078 			popdir(current_working_dir_fd);
1079 		}
1080 		ai++;
1081 	}
1082 	dprintf("%s[%d]: leaving remove_notify_files(), result = %s\n",
1083 	    __FILE__, __LINE__, result_strings[result]);
1084 
1085 	return (result);
1086 }
1087