DragonOS-Community · fslongjin · Dec 1, 2025 · Nov 28, 2025 · Nov 28, 2025 · Dec 1, 2025
diff --git a/kernel/src/debug/tracing/mod.rs b/kernel/src/debug/tracing/mod.rs
@@ -122,7 +122,7 @@ pub fn init_debugfs_tracing() -> Result<(), SystemError> {
 
     tracing_root.add_file(
         "trace_pipe".to_string(),
-        ModeType::from_bits_truncate(0o444),
+        ModeType::S_IRUGO,
         Some(4096),
         None,
         Some(&trace_pipe::TracePipeCallBack),
@@ -133,7 +133,7 @@ pub fn init_debugfs_tracing() -> Result<(), SystemError> {
     )?;
     tracing_root.add_file(
         "saved_cmdlines_size".to_string(),
-        ModeType::from_bits_truncate(0o444),
+        ModeType::S_IRUGO,
         None,
         None,
         Some(&trace_pipe::SavedCmdlinesSizeCallBack),

diff --git a/kernel/src/debug/tracing/trace_pipe.rs b/kernel/src/debug/tracing/trace_pipe.rs
@@ -91,7 +91,7 @@ impl KernFSCallback for TraceCallBack {
 
 pub fn kernel_inode_provider_trace() -> KernFSInodeArgs {
     KernFSInodeArgs {
-        mode: ModeType::from_bits_truncate(0o444),
+        mode: ModeType::S_IRUGO,
         callback: Some(&TraceCallBack),
         inode_type: KernInodeType::File,
         size: Some(4096),
@@ -205,7 +205,7 @@ impl KernFSCallback for SavedCmdlinesSizeCallBack {
 
 pub fn kernel_inode_provider_saved_cmdlines() -> KernFSInodeArgs {
     KernFSInodeArgs {
-        mode: ModeType::from_bits_truncate(0o444),
+        mode: ModeType::S_IRUGO,
         callback: Some(&SavedCmdlinesSnapshotCallBack),
         inode_type: KernInodeType::File,
         size: Some(4096),

diff --git a/kernel/src/filesystem/devfs/mod.rs b/kernel/src/filesystem/devfs/mod.rs
@@ -361,12 +361,8 @@ impl LockedDevFSInode {
     /// - `path`: 符号链接指向的路径
     /// - `symlink_name`: 符号链接的名称
     pub fn add_dev_symlink(&self, path: &str, symlink_name: &str) -> Result<(), SystemError> {
-        let new_inode = self.create_with_data(
-            symlink_name,
-            FileType::SymLink,
-            ModeType::from_bits_truncate(0o777),
-            0,
-        )?;
+        let new_inode =
+            self.create_with_data(symlink_name, FileType::SymLink, ModeType::S_IRWXUGO, 0)?;
 
         let buf = path.as_bytes();
         let len = buf.len();

diff --git a/kernel/src/filesystem/devpts/mod.rs b/kernel/src/filesystem/devpts/mod.rs
@@ -117,7 +117,7 @@ impl LockedDevPtsFSInode {
                     ctime: PosixTimeSpec::default(),
                     btime: PosixTimeSpec::default(),
                     file_type: FileType::Dir,
-                    mode: ModeType::from_bits_truncate(0o777),
+                    mode: ModeType::S_IRWXUGO,
                     nlinks: 1,
                     uid: 0,
                     gid: 0,

diff --git a/kernel/src/filesystem/fat/fs.rs b/kernel/src/filesystem/fat/fs.rs
@@ -237,7 +237,7 @@ impl LockedFATInode {
                 ctime: PosixTimeSpec::default(),
                 btime: PosixTimeSpec::default(),
                 file_type,
-                mode: ModeType::from_bits_truncate(0o777),
+                mode: ModeType::S_IRWXUGO,
                 nlinks: 1,
                 uid: 0,
                 gid: 0,
@@ -502,7 +502,7 @@ impl FATFileSystem {
                 ctime: PosixTimeSpec::default(),
                 btime: PosixTimeSpec::default(),
                 file_type: FileType::Dir,
-                mode: ModeType::from_bits_truncate(0o777),
+                mode: ModeType::S_IRWXUGO,
                 nlinks: 1,
                 uid: 0,
                 gid: 0,
@@ -1999,18 +1999,28 @@ impl IndexNode for LockedFATInode {
         mode: ModeType,
         _dev_t: DeviceNumber,
     ) -> Result<Arc<dyn IndexNode>, SystemError> {
-        let inode = self.0.lock();
+        let mut inode = self.0.lock();
         if inode.metadata.file_type != FileType::Dir {
             return Err(SystemError::ENOTDIR);
         }
-        drop(inode);
+
+        let mode = if (mode.bits() & ModeType::S_IFMT.bits()) == 0 {
+            mode | ModeType::S_IFREG
+        } else {
+            mode
+        };
+        let umask = crate::process::ProcessManager::current_pcb()
+            .fs_struct()
+            .umask();
+        let final_mode = mode & !umask;
 
         // 判断需要创建的类型
-        if unlikely(mode.contains(ModeType::S_IFREG)) {
+        if unlikely(final_mode.contains(ModeType::S_IFREG)) {
             // 普通文件
+            drop(inode);
             return self.create(filename, FileType::File, mode);
         }
-        let mut inode = self.0.lock();
+
         let dname = DName::from(filename);
         let nod = LockedFATInode::new(
             dname,
@@ -2019,16 +2029,16 @@ impl IndexNode for LockedFATInode {
             FATDirEntry::File(FATFile::default()),
         );
 
-        if mode.contains(ModeType::S_IFIFO) {
+        if final_mode.contains(ModeType::S_IFIFO) {
             nod.0.lock().metadata.file_type = FileType::Pipe;
             // 创建pipe文件
             let pipe_inode = LockedPipeInode::new();
             // 设置special_node
             nod.0.lock().special_node = Some(SpecialNodeData::Pipe(pipe_inode));
-        } else if mode.contains(ModeType::S_IFBLK) {
+        } else if final_mode.contains(ModeType::S_IFBLK) {
             nod.0.lock().metadata.file_type = FileType::BlockDevice;
             unimplemented!()
-        } else if mode.contains(ModeType::S_IFCHR) {
+        } else if final_mode.contains(ModeType::S_IFCHR) {
             nod.0.lock().metadata.file_type = FileType::CharDevice;
             unimplemented!()
         } else {

diff --git a/kernel/src/filesystem/fs.rs b/kernel/src/filesystem/fs.rs
@@ -1,3 +1,5 @@
+use core::sync::atomic::{AtomicU32, Ordering};
+
 use alloc::sync::Arc;
 
 use crate::filesystem::vfs::syscall::ModeType;
@@ -21,14 +23,15 @@ impl PathContext {
 
 #[derive(Debug)]
 pub struct FsStruct {
-    umask: ModeType, //文件权限掩码
+    umask: AtomicU32, // 文件权限掩码 ModeType
     path_context: RwLock<PathContext>,
 }
 
 impl Clone for FsStruct {
     fn clone(&self) -> Self {
+        let current_umask = self.umask.load(Ordering::Relaxed);
         Self {
-            umask: self.umask,
+            umask: AtomicU32::new(current_umask),
             path_context: RwLock::new(self.path_context.read().clone()),
         }
     }
@@ -43,11 +46,23 @@ impl Default for FsStruct {
 impl FsStruct {
     pub fn new() -> Self {
         Self {
-            umask: ModeType::S_IWUGO,
+            umask: AtomicU32::new(ModeType::S_IWUGO.bits()),
             path_context: RwLock::new(PathContext::new()),
         }
     }
 
+    pub fn umask(&self) -> ModeType {
+        ModeType::from_bits_truncate(self.umask.load(Ordering::SeqCst))
+    }
+
+    /// Linux: xchg(&current->fs->umask, mask & S_IRWXUGO)
+    pub fn set_umask(&self, mask: ModeType) -> ModeType {
+        ModeType::from_bits_truncate(
+            self.umask
+                .swap(mask.bits() & ModeType::S_IRWXUGO.bits(), Ordering::SeqCst),
+        )
+    }
+
     pub fn set_root(&self, inode: Arc<dyn IndexNode>) {
         self.path_context.write().root = inode;
     }

diff --git a/kernel/src/filesystem/kernfs/mod.rs b/kernel/src/filesystem/kernfs/mod.rs
@@ -639,7 +639,7 @@ impl KernFSInode {
         let inode = self.inner_create(
             name,
             KernInodeType::SymLink,
-            ModeType::S_IFLNK | ModeType::from_bits_truncate(0o777),
+            ModeType::S_IFLNK | ModeType::S_IRWXUGO,
             0,
             None,
             None,

diff --git a/kernel/src/filesystem/procfs/mod.rs b/kernel/src/filesystem/procfs/mod.rs
@@ -612,11 +612,7 @@ impl ProcFS {
         )?;
         // 创建相关文件
         // status文件
-        let status_binding = pid_dir.create(
-            "status",
-            FileType::File,
-            ModeType::from_bits_truncate(0o444),
-        )?;
+        let status_binding = pid_dir.create("status", FileType::File, ModeType::S_IRUGO)?;
         let status_file: &LockedProcFSInode = status_binding
             .as_any_ref()
             .downcast_ref::<LockedProcFSInode>()
@@ -625,12 +621,8 @@ impl ProcFS {
         status_file.0.lock().fdata.ftype = ProcFileType::ProcStatus;
 
         // exe文件
-        let exe_binding = pid_dir.create_with_data(
-            "exe",
-            FileType::SymLink,
-            ModeType::from_bits_truncate(0o444),
-            0,
-        )?;
+        let exe_binding =
+            pid_dir.create_with_data("exe", FileType::SymLink, ModeType::S_IRUGO, 0)?;
         let exe_file = exe_binding
             .as_any_ref()
             .downcast_ref::<LockedProcFSInode>()
@@ -720,11 +712,7 @@ impl LockedProcFSInode {
         let file = fd_table.get_file_by_fd(fd);
         if file.is_some() {
             let _ = self.unlink(&fd.to_string());
-            let fd_file = self.create(
-                &fd.to_string(),
-                FileType::SymLink,
-                ModeType::from_bits_truncate(0o444),
-            )?;
+            let fd_file = self.create(&fd.to_string(), FileType::SymLink, ModeType::S_IRUGO)?;
             let fd_file_proc = fd_file
                 .as_any_ref()
                 .downcast_ref::<LockedProcFSInode>()

diff --git a/kernel/src/filesystem/ramfs/mod.rs b/kernel/src/filesystem/ramfs/mod.rs
@@ -90,7 +90,7 @@ impl RamFSInode {
                 ctime: PosixTimeSpec::default(),
                 btime: PosixTimeSpec::default(),
                 file_type: FileType::Dir,
-                mode: ModeType::from_bits_truncate(0o777),
+                mode: ModeType::S_IRWXUGO,
                 nlinks: 1,
                 uid: 0,
                 gid: 0,

diff --git a/kernel/src/filesystem/sysfs/file.rs b/kernel/src/filesystem/sysfs/file.rs
@@ -154,7 +154,7 @@ impl SysFS {
         let sys_priv = SysFSKernPrivateData::File(SysKernFilePriv::new(&kobj, Some(attr), None));
         let r = parent.add_file(
             attr.name().to_string(),
-            mode.bitand(ModeType::from_bits_truncate(0o777)),
+            mode.bitand(ModeType::S_IRWXUGO),
             Some(4096),
             Some(KernInodePrivateData::SysFS(sys_priv)),
             Some(kern_callback),
@@ -266,7 +266,7 @@ impl SysFS {
             SysFSKernPrivateData::File(SysKernFilePriv::new(&kobj, None, Some(attr.clone())));
         let r = parent.add_file(
             attr.name().to_string(),
-            mode.bitand(ModeType::from_bits_truncate(0o777)),
+            mode.bitand(ModeType::S_IRWXUGO),
             Some(attr.size()),
             Some(KernInodePrivateData::SysFS(sys_priv)),
             Some(kern_callback),

diff --git a/kernel/src/filesystem/sysfs/mod.rs b/kernel/src/filesystem/sysfs/mod.rs
@@ -118,7 +118,7 @@ pub trait AttributeGroup: Debug + Send + Sync {
 }
 
 /// sysfs只读属性文件的权限
-pub const SYSFS_ATTR_MODE_RO: ModeType = ModeType::from_bits_truncate(0o444);
+pub const SYSFS_ATTR_MODE_RO: ModeType = ModeType::S_IRUGO;
 /// sysfs只写属性文件的权限
 pub const SYSFS_ATTR_MODE_WO: ModeType = ModeType::from_bits_truncate(0o200);
 /// sysfs读写属性文件的权限

diff --git a/kernel/src/filesystem/vfs/mount.rs b/kernel/src/filesystem/vfs/mount.rs
@@ -1277,7 +1277,7 @@ pub fn do_mount_mkdir(
     let inode = do_mkdir_at(
         AtFlags::AT_FDCWD.bits(),
         mount_point,
-        FileMode::from_bits_truncate(0o755),
+        ModeType::from_bits_truncate(0o755),
     )?;
     let result = ProcessManager::current_mntns().get_mount_point(mount_point);
     if let Some((_, rest, _fs)) = result {

diff --git a/kernel/src/filesystem/vfs/permission.rs b/kernel/src/filesystem/vfs/permission.rs
@@ -69,10 +69,10 @@ impl Cred {
         // 确定要检查哪组权限位
         let perm = if self.is_owner(metadata) {
             // 所有者权限（第 6-8 位）
-            file_mode & ModeType::S_IRWXU.bits() >> 6
+            (file_mode & ModeType::S_IRWXU.bits()) >> 6
         } else if self.in_group(metadata) {
             // 组权限（第 3-5 位）
-            file_mode & ModeType::S_IRWXG.bits() >> 3
+            (file_mode & ModeType::S_IRWXG.bits()) >> 3
         } else {
             // 其他用户权限（第 0-2 位）
             file_mode & ModeType::S_IRWXO.bits()
@@ -107,7 +107,6 @@ impl Cred {
         if self.fsgid.data() == metadata.gid {
             return true;
         }
-
         // 检查附加组
         self.groups.iter().any(|gid| gid.data() == metadata.gid)
     }
@@ -121,30 +120,31 @@ impl Cred {
     fn try_capability_override(&self, metadata: &Metadata, mask: u32) -> bool {
         // CAP_DAC_OVERRIDE: 绕过所有文件读、写和执行权限检查
         if self.has_capability(CAPFlags::CAP_DAC_OVERRIDE) {
-            // 对于目录：总是允许
-            if metadata.file_type == super::FileType::Dir {
-                return true;
-            }
-
-            // 对于文件：如果不是仅执行请求，或文件对某人可执行，则允许
-            if mask != PermissionMask::MAY_EXEC.bits() {
-                return true;
-            }
-            if metadata.mode.bits() & PermissionMask::MAY_RWX.bits() != 0 {
+            // 对于目录或文件，只要满足下列条件之一就允许
+            if metadata.file_type == super::FileType::Dir
+                || mask & PermissionMask::MAY_EXEC.bits() == 0
+                || metadata.mode.bits() & PermissionMask::MAY_RWX.bits() != 0
+            {
                 return true;
             }
         }
 
         // CAP_DAC_READ_SEARCH: 绕过读和搜索（目录上的执行）检查
         if self.has_capability(CAPFlags::CAP_DAC_READ_SEARCH) {
-            // 允许读任何文件
-            if mask == PermissionMask::MAY_READ.bits() {
-                return true;
-            }
-
-            // 允许搜索（执行）目录
-            if metadata.file_type == FileType::Dir && mask == PermissionMask::MAY_EXEC.bits() {
-                return true;
+            // 目录：只要不请求写权限，就允许 (即允许 Read 和 Exec/Search)
+            if metadata.file_type == FileType::Dir {
+                if (mask & PermissionMask::MAY_WRITE.bits()) == 0 {
+                    return true;
+                }
+            } else {
+                // 文件：仅允许只读权限
+                let check_mask = mask
+                    & (PermissionMask::MAY_READ.bits()
+                        | PermissionMask::MAY_EXEC.bits()
+                        | PermissionMask::MAY_WRITE.bits());
+                if check_mask == PermissionMask::MAY_READ.bits() {
+                    return true;
+                }
             }
         }
 

diff --git a/kernel/src/filesystem/vfs/syscall/symlink_utils.rs b/kernel/src/filesystem/vfs/syscall/symlink_utils.rs
@@ -36,12 +36,8 @@ pub fn do_symlinkat(from: &str, newdfd: Option<i32>, to: &str) -> Result<usize,
         return Err(SystemError::ENOTDIR);
     }
 
-    let new_inode = new_parent.create_with_data(
-        new_name,
-        FileType::SymLink,
-        ModeType::from_bits_truncate(0o777),
-        0,
-    )?;
+    let new_inode =
+        new_parent.create_with_data(new_name, FileType::SymLink, ModeType::S_IRWXUGO, 0)?;
 
     let buf = old_remain_path.as_bytes();
     let len = buf.len();

diff --git a/kernel/src/filesystem/vfs/syscall/sys_mkdir.rs b/kernel/src/filesystem/vfs/syscall/sys_mkdir.rs
@@ -1,7 +1,7 @@
 use crate::arch::interrupt::TrapFrame;
 use crate::arch::syscall::nr::SYS_MKDIR;
 use crate::filesystem::vfs::fcntl::AtFlags;
-use crate::filesystem::vfs::file::FileMode;
+use crate::filesystem::vfs::syscall::ModeType;
 use crate::filesystem::vfs::vcore::do_mkdir_at;
 use crate::syscall::table::FormattedSyscallParam;
 use crate::syscall::table::Syscall;
@@ -35,7 +35,7 @@ impl Syscall for SysMkdirHandle {
         do_mkdir_at(
             AtFlags::AT_FDCWD.bits(),
             &path,
-            FileMode::from_bits_truncate(mode as u32),
+            ModeType::from_bits_truncate(mode as u32),
         )?;
         return Ok(0);
     }

diff --git a/kernel/src/filesystem/vfs/syscall/sys_mkdirat.rs b/kernel/src/filesystem/vfs/syscall/sys_mkdirat.rs
@@ -2,7 +2,7 @@
 
 use crate::arch::interrupt::TrapFrame;
 use crate::arch::syscall::nr::SYS_MKDIRAT;
-use crate::filesystem::vfs::file::FileMode;
+use crate::filesystem::vfs::syscall::ModeType;
 use crate::filesystem::vfs::vcore::do_mkdir_at;
 use crate::syscall::table::{FormattedSyscallParam, Syscall};
 use alloc::vec::Vec;
@@ -28,7 +28,7 @@ impl Syscall for SysMkdirAtHandle {
         )?
         .into_string()
         .map_err(|_| SystemError::EINVAL)?;
-        do_mkdir_at(dirfd, &path, FileMode::from_bits_truncate(mode as u32))?;
+        do_mkdir_at(dirfd, &path, ModeType::from_bits_truncate(mode as u32))?;
         Ok(0)
     }