#
272461 |
|
02-Oct-2014 |
gjb |
Copy stable/10@r272459 to releng/10.1 as part of the 10.1-RELEASE process.
Approved by: re (implicit) Sponsored by: The FreeBSD Foundation |
#
256281 |
|
10-Oct-2013 |
gjb |
Copy head (r256279) to stable/10 as part of the 10.0-RELEASE cycle.
Approved by: re (implicit) Sponsored by: The FreeBSD Foundation
|
#
255219 |
|
04-Sep-2013 |
pjd |
Change the cap_rights_t type from uint64_t to a structure that we can extend in the future in a backward compatible (API and ABI) way.
The cap_rights_t represents capability rights. We used to use one bit to represent one right, but we are running out of spare bits. Currently the new structure provides place for 114 rights (so 50 more than the previous cap_rights_t), but it is possible to grow the structure to hold at least 285 rights, although we can make it even larger if 285 rights won't be enough.
The structure definition looks like this:
struct cap_rights { uint64_t cr_rights[CAP_RIGHTS_VERSION + 2]; };
The initial CAP_RIGHTS_VERSION is 0.
The top two bits in the first element of the cr_rights[] array contain total number of elements in the array - 2. This means if those two bits are equal to 0, we have 2 array elements.
The top two bits in all remaining array elements should be 0. The next five bits in all array elements contain array index. Only one bit is used and bit position in this five-bits range defines array index. This means there can be at most five array elements in the future.
To define new right the CAPRIGHT() macro must be used. The macro takes two arguments - an array index and a bit to set, eg.
#define CAP_PDKILL CAPRIGHT(1, 0x0000000000000800ULL)
We still support aliases that combine few rights, but the rights have to belong to the same array element, eg:
#define CAP_LOOKUP CAPRIGHT(0, 0x0000000000000400ULL) #define CAP_FCHMOD CAPRIGHT(0, 0x0000000000002000ULL)
#define CAP_FCHMODAT (CAP_FCHMOD | CAP_LOOKUP)
There is new API to manage the new cap_rights_t structure:
cap_rights_t *cap_rights_init(cap_rights_t *rights, ...); void cap_rights_set(cap_rights_t *rights, ...); void cap_rights_clear(cap_rights_t *rights, ...); bool cap_rights_is_set(const cap_rights_t *rights, ...);
bool cap_rights_is_valid(const cap_rights_t *rights); void cap_rights_merge(cap_rights_t *dst, const cap_rights_t *src); void cap_rights_remove(cap_rights_t *dst, const cap_rights_t *src); bool cap_rights_contains(const cap_rights_t *big, const cap_rights_t *little);
Capability rights to the cap_rights_init(), cap_rights_set(), cap_rights_clear() and cap_rights_is_set() functions are provided by separating them with commas, eg:
cap_rights_t rights;
cap_rights_init(&rights, CAP_READ, CAP_WRITE, CAP_FSTAT);
There is no need to terminate the list of rights, as those functions are actually macros that take care of the termination, eg:
#define cap_rights_set(rights, ...) \ __cap_rights_set((rights), __VA_ARGS__, 0ULL) void __cap_rights_set(cap_rights_t *rights, ...);
Thanks to using one bit as an array index we can assert in those functions that there are no two rights belonging to different array elements provided together. For example this is illegal and will be detected, because CAP_LOOKUP belongs to element 0 and CAP_PDKILL to element 1:
cap_rights_init(&rights, CAP_LOOKUP | CAP_PDKILL);
Providing several rights that belongs to the same array's element this way is correct, but is not advised. It should only be used for aliases definition.
This commit also breaks compatibility with some existing Capsicum system calls, but I see no other way to do that. This should be fine as Capsicum is still experimental and this change is not going to 9.x.
Sponsored by: The FreeBSD Foundation
|
#
254135 |
|
09-Aug-2013 |
trasz |
Don't dereference null pointer should acl_alloc() be passed M_NOWAIT and allocation failed. Nothing in the tree passed M_NOWAIT.
Obtained from: mjg MFC after: 1 month
|
#
246412 |
|
06-Feb-2013 |
pluknet |
Prezero the acl structure which is to be copied to usermode, to avoid leakage of the previous content of padding and unitialized fields.
Reported by: Ilia Noskov <noskov@nic.ru> Reviewed by: kib MFC after: 1 week
|
#
241896 |
|
22-Oct-2012 |
kib |
Remove the support for using non-mpsafe filesystem modules.
In particular, do not lock Giant conditionally when calling into the filesystem module, remove the VFS_LOCK_GIANT() and related macros. Stop handling buffers belonging to non-mpsafe filesystems.
The VFS_VERSION is bumped to indicate the interface change which does not result in the interface signatures changes.
Conducted and reviewed by: attilio Tested by: pho
|
#
225617 |
|
16-Sep-2011 |
kmacy |
In order to maximize the re-usability of kernel code in user space this patch modifies makesyscalls.sh to prefix all of the non-compatibility calls (e.g. not linux_, freebsd32_) with sys_ and updates the kernel entry points and all places in the code that use them. It also fixes an additional name space collision between the kernel function psignal and the libc function of the same name by renaming the kernel psignal kern_psignal(). By introducing this change now we will ease future MFCs that change syscalls.
Reviewed by: rwatson Approved by: re (bz)
|
#
224778 |
|
11-Aug-2011 |
rwatson |
Second-to-last commit implementing Capsicum capabilities in the FreeBSD kernel for FreeBSD 9.0:
Add a new capability mask argument to fget(9) and friends, allowing system call code to declare what capabilities are required when an integer file descriptor is converted into an in-kernel struct file *. With options CAPABILITIES compiled into the kernel, this enforces capability protection; without, this change is effectively a no-op.
Some cases require special handling, such as mmap(2), which must preserve information about the maximum rights at the time of mapping in the memory map so that they can later be enforced in mprotect(2) -- this is done by narrowing the rights in the existing max_protection field used for similar purposes with file permissions.
In namei(9), we assert that the code is not reached from within capability mode, as we're not yet ready to enforce namespace capabilities there. This will follow in a later commit.
Update two capability names: CAP_EVENT and CAP_KEVENT become CAP_POST_KEVENT and CAP_POLL_KEVENT to more accurately indicate what they represent.
Approved by: re (bz) Submitted by: jonathan Sponsored by: Google Inc
|
#
208781 |
|
03-Jun-2010 |
trasz |
The 'acl_cnt' field is unsigned; no point in checking if it's >= 0.
Found with: Coverity Prevent CID: 3688
|
#
200058 |
|
03-Dec-2009 |
trasz |
Add change that was somehow missed in r192586. It could manifest by incorrectly returning EINVAL from acl_valid(3) for applications linked against pre-8.0 libc.
|
#
198877 |
|
04-Nov-2009 |
trasz |
Fix build.
Submitted by: Andrius Morkūnas <hinokind at gmail.com>
|
#
198875 |
|
04-Nov-2009 |
trasz |
Style fixes.
|
#
197789 |
|
05-Oct-2009 |
trasz |
Fix NFSv4 ACLs on sparc64. Turns out that fuword(9) fetches 64 bits instead of sizeof(int), and on sparc64 that resulted in fetching wrong value for acl_maxcnt, which in turn caused __acl_get_link(2) to fail with EINVAL.
PR: sparc64/139304 Submitted by: Dmitry Afanasiev <KOT at MATPOCKuH.Ru>
|
#
193511 |
|
05-Jun-2009 |
rwatson |
Move "options MAC" from opt_mac.h to opt_global.h, as it's now in GENERIC and used in a large number of files, but also because an increasing number of incorrect uses of MAC calls were sneaking in due to copy-and-paste of MAC-aware code without the associated opt_mac.h include.
Discussed with: pjd
|
#
192586 |
|
22-May-2009 |
trasz |
Make 'struct acl' larger, as required to support NFSv4 ACLs. Provide compatibility interfaces in both kernel and libc.
Reviewed by: rwatson
|
#
191266 |
|
19-Apr-2009 |
trasz |
When allocating 'struct acl' instances, use malloc(9) instead of uma(9). This struct will get much bigger soon, and we don't want to waste too much memory on UMA caches.
Reviewed by: rwatson
|
#
191249 |
|
18-Apr-2009 |
trasz |
Use acl_alloc() and acl_free() instead of using uma(9) directly. This will make switching to malloc(9) easier; also, it would be neccessary to add these routines if/when we implement variable-size ACLs.
|
#
190888 |
|
10-Apr-2009 |
rwatson |
Remove VOP_LEASE and supporting functions. This hasn't been used since the removal of NQNFS, but was left in in case it was required for NFSv4. Since our new NFSv4 client and server can't use it for their requirements, GC the old mechanism, as well as other unused lease- related code and interfaces.
Due to its impact on kernel programming and binary interfaces, this change should not be MFC'd.
Proposed by: jeff Reviewed by: jeff Discussed with: rmacklem, zach loafman @ isilon
|
#
177785 |
|
31-Mar-2008 |
kib |
Add the support for the AT_FDCWD and fd-relative name lookups to the namei(9).
Based on the submission by rdivacky, sponsored by Google Summer of Code 2007 Reviewed by: rwatson, rdivacky Tested by: pho
|
#
177253 |
|
16-Mar-2008 |
rwatson |
In keeping with style(9)'s recommendations on macros, use a ';' after each SYSINIT() macro invocation. This makes a number of lightweight C parsers much happier with the FreeBSD kernel source, including cflow's prcc and lxr.
MFC after: 1 month Discussed with: imp, rink
|
#
175294 |
|
13-Jan-2008 |
attilio |
VOP_LOCK1() (and so VOP_LOCK()) and VOP_UNLOCK() are only used in conjuction with 'thread' argument passing which is always curthread. Remove the unuseful extra-argument and pass explicitly curthread to lower layer functions, when necessary.
KPI results broken by this change, which should affect several ports, so version bumping and manpage update will be further committed.
Tested by: kris, pho, Diego Sardina <siarodx at gmail dot com>
|
#
175202 |
|
09-Jan-2008 |
attilio |
vn_lock() is currently only used with the 'curthread' passed as argument. Remove this argument and pass curthread directly to underlying VOP_LOCK1() VFS method. This modify makes the code cleaner and in particular remove an annoying dependence helping next lockmgr() cleanup. KPI results, obviously, changed.
Manpage and FreeBSD_version will be updated through further commits.
As a side note, would be valuable to say that next commits will address a similar cleanup about VFS methods, in particular vop_lock1 and vop_unlock.
Tested by: Diego Sardina <siarodx at gmail dot com>, Andrea Di Pasquale <whyx dot it at gmail dot com>
|
#
172930 |
|
24-Oct-2007 |
rwatson |
Merge first in a series of TrustedBSD MAC Framework KPI changes from Mac OS X Leopard--rationalize naming for entry points to the following general forms:
mac_<object>_<method/action> mac_<object>_check_<method/action>
The previous naming scheme was inconsistent and mostly reversed from the new scheme. Also, make object types more consistent and remove spaces from object types that contain multiple parts ("posix_sem" -> "posixsem") to make mechanical parsing easier. Introduce a new "netinet" object type for certain IPv4/IPv6-related methods. Also simplify, slightly, some entry point names.
All MAC policy modules will need to be recompiled, and modules not updates as part of this commit will need to be modified to conform to the new KPI.
Sponsored by: SPARTA (original patches against Mac OS X) Obtained from: TrustedBSD Project, Apple Computer
|
#
167234 |
|
05-Mar-2007 |
rwatson |
Replay minor system call comment cleanup applied to kern_acl.c in a race with repo-copy of kern_acl.c to vfs_acl.c.
|
#
167233 |
|
05-Mar-2007 |
rwatson |
Recognize repo-copy of kern_acl.c to vfs_acl.c, remove kern_acl.c, remove kern_acl.c from the build, connect vfs_acl.c to the build.
Thanks to: joe
|
#
167211 |
|
04-Mar-2007 |
rwatson |
Remove 'MPSAFE' annotations from the comments above most system calls: all system calls now enter without Giant held, and then in some cases, acquire Giant explicitly.
Remove a number of other MPSAFE annotations in the credential code and tweak one or two other adjacent comments.
|
#
165983 |
|
12-Jan-2007 |
rwatson |
Re-wrap comments to wider margins now that they have been relocated from within functions.
|
#
163606 |
|
22-Oct-2006 |
rwatson |
Complete break-out of sys/sys/mac.h into sys/security/mac/mac_framework.h begun with a repo-copy of mac.h to mac_framework.h. sys/mac.h now contains the userspace and user<->kernel API and definitions, with all in-kernel interfaces moved to mac_framework.h, which is now included across most of the kernel instead.
This change is the first step in a larger cleanup and sweep of MAC Framework interfaces in the kernel, and will not be MFC'd.
Obtained from: TrustedBSD Project Sponsored by: SPARTA
|
#
160146 |
|
06-Jul-2006 |
rwatson |
Move POSIX.1e-specific utility routines from kern_acl.c to subr_acl_posix1e.c, leaving kern_acl.c containing only ACL system calls and utility routines common across ACL types.
Add subr_acl_posix1e.c to the build.
Obtained from: TrustedBSD Project
|
#
150262 |
|
17-Sep-2005 |
csjp |
Implement new world order in VFS locking for ACLs. This will remove the unconditional acquisition of Giant for ACL related operations. If the file system is set as being MP safe and debug.mpsafevfs is 1, do not pickup giant.
For any operations which require namei(9) lookups:
__acl_get_file __acl_get_link __acl_set_file __acl_set_link __acl_delete_file __acl_delete_link __acl_aclcheck_file __acl_aclcheck_link
-Set the MPSAFE flag in NDINIT -Initialize vfslocked variable using the NDHASGIANT macro
For functions which operate on fds, make sure the operations are locked:
__acl_get_fd __acl_set_fd __acl_delete_fd __acl_aclcheck_fd
-Initialize vfslocked using VFS_LOCK_GIANT before we manipulate the vnode
Discussed with: jeff
|
#
149811 |
|
05-Sep-2005 |
csjp |
Convert the primary ACL allocator from malloc(9) to using a UMA zone instead. Also introduce an aclinit function which will be used to create the UMA zone for use by file systems at system start up.
MFC after: 1 month Discussed with: rwatson
|
#
132653 |
|
26-Jul-2004 |
cperciva |
Rename suser_cred()'s PRISON_ROOT flag to SUSER_ALLOWJAIL. This is somewhat clearer, but more importantly allows for a consistent naming scheme for suser_cred flags.
The old name is still defined, but will be removed in a few days (unless I hear any complaints...)
Discussed with: rwatson, scottl Requested by: jhb
|
#
126097 |
|
21-Feb-2004 |
rwatson |
Update my personal copyrights and NETA copyrights in the kernel to use the "year1-year3" format, as opposed to "year1, year2, year3". This seems to make lawyers more happy, but also prevents the lines from getting excessively long as the years start to add up.
Suggested by: imp
|
#
118407 |
|
04-Aug-2003 |
rwatson |
Move more ACL logic from the UFS code (ufs_acl.c) to the central POSIX.1e support routines in kern_acl.c:
- Define ACL_OVERRIDE_MASK and ACL_PRESERVE_MASK centrally in acl.h: the mode bits that are (and aren't) stored in the ACL.
- Add acl_posix1e_acl_to_mode(): given a POSIX.1e extended ACL, generate a compatibility mode (only the bits supported by the POSIX.1e ACL).
- acl_posix1e_newfilemode(): Given a requested creation mode and default ACL, calculate the mode for the new file system object (only the bits supported by the POSIX.1e ACL).
PR: 50148 Reported by: Ritz, Bruno <bruno_ritz@gmx.ch> Obtained from: TrustedBSD Project
|
#
116678 |
|
22-Jun-2003 |
phk |
Add a f_vnode field to struct file.
Several of the subtypes have an associated vnode which is used for stuff like the f*() functions.
By giving the vnode a speparate field, a number of checks for the specific subtype can be replaced simply with a check for f_vnode != NULL, and we can later free f_data up to subtype specific use.
At this point in time, f_data still points to the vnode, so any code I might have overlooked will still work.
|
#
116182 |
|
10-Jun-2003 |
obrien |
Use __FBSDID().
|
#
109153 |
|
12-Jan-2003 |
dillon |
Bow to the whining masses and change a union back into void *. Retain removal of unnecessary casts and throw in some minor cleanups to see if anyone complains, just for the hell of it.
|
#
109123 |
|
11-Jan-2003 |
dillon |
Change struct file f_data to un_data, a union of the correct struct pointer types, and remove a huge number of casts from code using it.
Change struct xfile xf_data to xun_data (ABI is still compatible).
If we need to add a #define for f_data and xf_data we can, but I don't think it will be necessary. There are no operational changes in this commit.
|
#
108524 |
|
31-Dec-2002 |
alfred |
When compiling the kernel do not implicitly include filedesc.h from proc.h, this was causing filedesc work to be very painful. In order to make this work split out sigio definitions to thier own header (sigio.h) which is included from proc.h for the time being.
|
#
108407 |
|
29-Dec-2002 |
rwatson |
Implement new ACL system calls which do not follow symbolic links: __acl_get_link(), __acl_set_link(), acl_delete_link(), and __acl_aclcheck_link(), with almost identical implementations to the existing __acl_*_file() variants on these calls. Update copyright.
Obtained from: TrustedBSD Project
|
#
107855 |
|
14-Dec-2002 |
alfred |
unwrap lines made short enough by SCARGS removal
|
#
107849 |
|
13-Dec-2002 |
alfred |
SCARGS removal take II.
|
#
107839 |
|
13-Dec-2002 |
alfred |
Backout removal SCARGS, the code freeze is only "selectively" over.
|
#
107838 |
|
13-Dec-2002 |
alfred |
Remove SCARGS.
Reviewed by: md5
|
#
101122 |
|
31-Jul-2002 |
rwatson |
Introduce support for Mandatory Access Control and extensible kernel access control.
Instrument the kernel ACL retrieval and modification system calls to invoke MAC framework entry points to authorize these operations.
Obtained from: TrustedBSD Project Sponsored by: DARPA, NAI Labs
|
#
100481 |
|
22-Jul-2002 |
rwatson |
Teach discretionary access control methods for files about VAPPEND and VALLPERM.
Obtained from: TrustedBSD Project Sponsored by: DARPA, NAI Labs
|
#
98928 |
|
27-Jun-2002 |
rwatson |
Fix a bug that prevented the deletion of non-default ACLs from being passed down the VFS stack. While I'm here, replace a '0' with a 'NULL' to make the code more readable.
Sponsored by: DARPA, NAI Labs Obtained from: TrustedBSD Project
|
#
98927 |
|
27-Jun-2002 |
rwatson |
A bit of whitespace magic.
|
#
98192 |
|
13-Jun-2002 |
rwatson |
opt_cap.c no longer needed
|
#
96755 |
|
16-May-2002 |
trhodes |
More s/file system/filesystem/g
|
#
93593 |
|
01-Apr-2002 |
jhb |
Change the suser() API to take advantage of td_ucred as well as do a general cleanup of the API. The entire API now consists of two functions similar to the pre-KSE API. The suser() function takes a thread pointer as its only argument. The td_ucred member of this thread must be valid so the only valid thread pointers are curthread and a few kernel threads such as thread0. The suser_cred() function takes a pointer to a struct ucred as its first argument and an integer flag as its second argument. The flag is currently only used for the PRISON_ROOT flag.
Discussed on: smp@
|
#
92666 |
|
19-Mar-2002 |
peter |
Fix a gcc-3.1+ warning. warning: deprecated use of label at end of compound statement
ie: you cannot do this anymore: switch(foo) { ....
default: }
|
#
91406 |
|
27-Feb-2002 |
jhb |
Simple p_ucred -> td_ucred changes to start using the per-thread ucred reference.
|
#
90202 |
|
04-Feb-2002 |
rwatson |
o Scatter vn_start_write() and vn_finished_write() through ACL code so that it interacts properly with snapshotting.
Obtained from: TrustedBSD Project Sponsored by: DARPA, NAI Labs
|
#
90192 |
|
04-Feb-2002 |
rwatson |
Note that Kirk apparently missed adding vn_start_write() and friends to kern_acl.c when he added snapshotting. This will need to be added at some point.
|
#
89306 |
|
13-Jan-2002 |
alfred |
SMP Lock struct file, filedesc and the global file list.
Seigo Tanimura (tanimura) posted the initial delta.
I've polished it quite a bit reducing the need for locking and adapting it for KSE.
Locks:
1 mutex in each filedesc protects all the fields. protects "struct file" initialization, while a struct file is being changed from &badfileops -> &pipeops or something the filedesc should be locked.
1 mutex in each struct file protects the refcount fields. doesn't protect anything else. the flags used for garbage collection have been moved to f_gcflag which was the FILLER short, this doesn't need locking because the garbage collection is a single threaded container. could likely be made to use a pool mutex.
1 sx lock for the global filelist.
struct file * fhold(struct file *fp); /* increments reference count on a file */
struct file * fhold_locked(struct file *fp); /* like fhold but expects file to locked */
struct file * ffind_hold(struct thread *, int fd); /* finds the struct file in thread, adds one reference and returns it unlocked */
struct file * ffind_lock(struct thread *, int fd); /* ffind_hold, but returns file locked */
I still have to smp-safe the fget cruft, I'll get to that asap.
|
#
85872 |
|
02-Nov-2001 |
rwatson |
o Since kern_acl.c uses #ifdef CAPABILITIES to control capability-specific semantics, #include "opt_cap.h".
Obtained from: TrustedBSD Project
|
#
85845 |
|
01-Nov-2001 |
rwatson |
o Update copyright dates. o Add reference to TrustedBSD Project in license header. o Update dated comments, including comment in extattr.h claiming that no file systems support extended attributes. o Improve comment consistency.
|
#
85583 |
|
27-Oct-2001 |
rwatson |
o Update copyright dates.
Obtained from: TrustedBSD Project
|
#
85582 |
|
27-Oct-2001 |
rwatson |
o Improve style(9) compliance following KSE modifications. In particular, strip the space from '( struct thread *...', wrap long lines. o Remove an unneeded comment on the topic of no lock being required as part of the NDINIT() in __acl_get_file(), as it's really not required there.
Obtained from: TrustedBSD Project
|
#
83366 |
|
12-Sep-2001 |
julian |
KSE Milestone 2 Note ALL MODULES MUST BE RECOMPILED make the kernel aware that there are smaller units of scheduling than the process. (but only allow one thread per process at this time). This is functionally equivalent to teh previousl -current except that there is a thread associated with each process.
Sorry john! (your next MFC will be a doosie!)
Reviewed by: peter@freebsd.org, dillon@freebsd.org
X-MFC after: ha ha ha ha
|
#
82769 |
|
01-Sep-2001 |
jedgar |
In the case of ACL_OTHER and undefined ACL entry id's, set ae_id to ACL_UNDEFINED_ID instead of 0.
Reviewed by: rwatson
|
#
82713 |
|
01-Sep-2001 |
dillon |
Giant Pushdown ACL syscalls:
__acl_get_file, __acl_set_file, __acl_get_fd, __acl_set_fd, __acl_delete_file, __acl_delete_fd, __acl_aclcheck_file, __acl_aclcheck_fd
|
#
82255 |
|
23-Aug-2001 |
rwatson |
o Clarify comments in vaccess_acl_posix1e() ACL evaluation routine so as to improve readability and accuracy.
Obtained from: TrustedBSD Project
|
#
76139 |
|
29-Apr-2001 |
rwatson |
o As part of the move to not maintaining copies of the vnode owning uid and gid in the ACL, vaccess_acl_posix1e() was changed to accept explicit file_uid and file_gid as arguments. However, in making the change, I explicitly checked file_gid against cr->cr_groups[0], rather than using groupmember, resulting in ACL_GROUP_OBJ entries being compared to the caller's effective gid only, not the remainder of its groups. This was recently corrected for the version of the group call without privilege, but the second test (when privilege is added) was missed. This change replaces an additiona cr->cr_groups[0] check with groupmember().
Pointed out by: jedgar Reviewed by: jedgar Obtained from: TrustedBSD Project
|
#
75888 |
|
23-Apr-2001 |
tmm |
Fix a bug introduced in the last commit: vaccess_acl_posix1 only checked the file gid gainst the egid of the accessing process for the ACL_GROUP_OBJ case, and ignored supplementary groups.
Approved by: rwatson
|
#
75571 |
|
17-Apr-2001 |
rwatson |
In my first reading of POSIX.1e, I misinterpreted handling of the ACL_USER_OBJ and ACL_GROUP_OBJ fields, believing that modification of the access ACL could be used by privileged processes to change file/directory ownership. In fact, this is incorrect; ACL_*_OBJ (+ ACL_MASK and ACL_OTHER) should have undefined ae_id fields; this commit attempts to correct that misunderstanding.
o Modify arguments to vaccess_acl_posix1e() to accept the uid and gid associated with the vnode, as those can no longer be extracted from the ACL passed as an argument. Perform all comparisons against the passed arguments. This actually has the effect of simplifying a number of components of this call, as well as reducing the indent level, but now seperates handling of ACL_GROUP_OBJ from ACL_GROUP.
o Modify acl_posix1e_check() to return EINVAL if the ae_id field of any of the ACL_{USER_OBJ,GROUP_OBJ,MASK,OTHER} entries is a value other than ACL_UNDEFINED_ID. As a temporary work-around to allow clean upgrades, set the ae_id field to ACL_UNDEFINED_ID before each check so that this cannot cause a failure in the short term (this work-around will be removed when the userland libraries and utilities are updated to take this change into account).
o Modify ufs_sync_acl_from_inode() so that it forces ACL_{USER_OBJ,GROUP_OBJ,MASK,OTHER} ae_id fields to ACL_UNDEFINED_ID when synchronizing the ACL from the inode.
o Modify ufs_sync_inode_from_acl to not propagate uid and gid information to the inode from the ACL during ACL update. Also modify the masking of permission bits that may be set from ALLPERMS to (S_IRWXU|S_IRWXG|S_IRWXO), as ACLs currently do not carry none-ACCESSPERMS (S_ISUID, S_ISGID, S_ISTXT).
o Modify ufs_getacl() so that when it emulates an access ACL from the inode, it initializes the ae_id fields to ACL_UNDEFINED_ID.
o Clean up ufs_setacl() substantially since it is no longer possible to perform chown/chgrp operations using vop_setacl(), so all the access control for that can be eliminated.
o Modify ufs_access() so that it passes owner uid and gid information into vaccess_acl_posix1e().
Pointed out by: jedger Obtained from: TrustedBSD Project
|
#
75404 |
|
11-Apr-2001 |
jedgar |
Correct the following defines to match the POSIX.1e spec:
ACL_PERM_EXEC -> ACL_EXECUTE ACL_PERM_READ -> ACL_READ ACL_PERM_WRITE -> ACL_WRITE
Obtained from: TrustedBSD
|
#
73890 |
|
06-Mar-2001 |
rwatson |
o Introduce filesystem-independent POSIX.1e ACL utility routines to support implementations of ACLs in file systems. Introduce the following new functions:
vaccess_acl_posix1e() vaccess() that accepts an ACL acl_posix1e_mode_to_perm() Convert mode bits to ACL rights acl_posix1e_mode_to_entry() Build ACL entry from mode/uid/gid acl_posix1e_perms_to_mode() Generate file mode from ACL acl_posix1e_check() Syntax verification for ACL
These functions allow a file system to rely on central ACL evaluation and syntax checking, as well as providing useful utilities to allow ACL-based file systems to generate mode/owner/etc information to return via VOP_GETATTR(), and to support file systems that split their ACL information over their existing inode storage (mode, uid, gid) and extended ACL into extended attributes (additional users, groups, ACL mask).
o Add prototypes for exported functions to sys/acl.h, sys/vnode.h
Reviewed by: trustedbsd-discuss, freebsd-arch Obtained from: TrustedBSD Project
|
#
71699 |
|
26-Jan-2001 |
jhb |
Back out proc locking to protect p_ucred for obtaining additional references along with the actual obtaining of additional references.
|
#
71500 |
|
23-Jan-2001 |
jhb |
Proc locking.
|
#
69774 |
|
08-Dec-2000 |
phk |
Staticize some malloc M_ instances.
|
#
66184 |
|
21-Sep-2000 |
rwatson |
o Change locking rules for VOP_GETACL() to indicate that vnode locks must be held when retrieving ACLs from vnodes. This is required for EA-based UFS ACL implementations. o Update vacl_get_acl() so that it does appropriate vnode locking. o Remove static from M_ACL malloc define so that it is accessible for consumers of ACLs other than in kern_acl.c
Obtained from: TrustedBSD Project
|
#
59794 |
|
30-Apr-2000 |
phk |
Remove unneeded #include <vm/vm_zone.h>
Generated by: src/tools/tools/kerninclude
|
#
56272 |
|
19-Jan-2000 |
rwatson |
Fix bde'isms in acl/extattr syscall interface, renaming syscalls to prettier (?) names, adding some const's around here, et al.
Reviewed by: bde
|
#
54803 |
|
19-Dec-1999 |
rwatson |
Second pass commit to introduce new ACL and Extended Attribute system calls, vnops, vfsops, both in /kern, and to individual file systems that require a vfsop_ array entry.
Reviewed by: eivind
|