subr_acl_nfs4.c revision 212002
1/*- 2 * Copyright (c) 2008-2009 Edward Tomasz Napiera��a <trasz@FreeBSD.org> 3 * All rights reserved. 4 * 5 * Redistribution and use in source and binary forms, with or without 6 * modification, are permitted provided that the following conditions 7 * are met: 8 * 1. Redistributions of source code must retain the above copyright 9 * notice, this list of conditions and the following disclaimer. 10 * 2. Redistributions in binary form must reproduce the above copyright 11 * notice, this list of conditions and the following disclaimer in the 12 * documentation and/or other materials provided with the distribution. 13 * 14 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND 15 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 16 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 17 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 18 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 19 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 20 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 21 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 22 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 23 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 24 * SUCH DAMAGE. 25 */ 26 27/* 28 * ACL support routines specific to NFSv4 access control lists. These are 29 * utility routines for code common across file systems implementing NFSv4 30 * ACLs. 31 */ 32 33#ifdef _KERNEL 34#include <sys/cdefs.h> 35__FBSDID("$FreeBSD: head/sys/kern/subr_acl_nfs4.c 212002 2010-08-30 16:30:18Z jh $"); 36 37#include <sys/param.h> 38#include <sys/systm.h> 39#include <sys/mount.h> 40#include <sys/priv.h> 41#include <sys/vnode.h> 42#include <sys/errno.h> 43#include <sys/stat.h> 44#include <sys/acl.h> 45#else 46#include <errno.h> 47#include <assert.h> 48#include <sys/acl.h> 49#include <sys/stat.h> 50#define KASSERT(a, b) assert(a) 51#define CTASSERT(a) 52#endif /* _KERNEL */ 53 54#ifdef _KERNEL 55 56static struct { 57 accmode_t accmode; 58 int mask; 59} accmode2mask[] = {{VREAD, ACL_READ_DATA}, 60 {VWRITE, ACL_WRITE_DATA}, 61 {VAPPEND, ACL_APPEND_DATA}, 62 {VEXEC, ACL_EXECUTE}, 63 {VREAD_NAMED_ATTRS, ACL_READ_NAMED_ATTRS}, 64 {VWRITE_NAMED_ATTRS, ACL_WRITE_NAMED_ATTRS}, 65 {VDELETE_CHILD, ACL_DELETE_CHILD}, 66 {VREAD_ATTRIBUTES, ACL_READ_ATTRIBUTES}, 67 {VWRITE_ATTRIBUTES, ACL_WRITE_ATTRIBUTES}, 68 {VDELETE, ACL_DELETE}, 69 {VREAD_ACL, ACL_READ_ACL}, 70 {VWRITE_ACL, ACL_WRITE_ACL}, 71 {VWRITE_OWNER, ACL_WRITE_OWNER}, 72 {VSYNCHRONIZE, ACL_SYNCHRONIZE}, 73 {0, 0}}; 74 75static int 76_access_mask_from_accmode(accmode_t accmode) 77{ 78 int access_mask = 0, i; 79 80 for (i = 0; accmode2mask[i].accmode != 0; i++) { 81 if (accmode & accmode2mask[i].accmode) 82 access_mask |= accmode2mask[i].mask; 83 } 84 85 /* 86 * VAPPEND is just a modifier for VWRITE; if the caller asked 87 * for 'VAPPEND | VWRITE', we want to check for ACL_APPEND_DATA only. 88 */ 89 if (access_mask & ACL_APPEND_DATA) 90 access_mask &= ~ACL_WRITE_DATA; 91 92 return (access_mask); 93} 94 95/* 96 * Return 0, iff access is allowed, 1 otherwise. 97 */ 98static int 99_acl_denies(const struct acl *aclp, int access_mask, struct ucred *cred, 100 int file_uid, int file_gid, int *denied_explicitly) 101{ 102 int i; 103 const struct acl_entry *entry; 104 105 if (denied_explicitly != NULL) 106 *denied_explicitly = 0; 107 108 KASSERT(aclp->acl_cnt > 0, ("aclp->acl_cnt > 0")); 109 KASSERT(aclp->acl_cnt <= ACL_MAX_ENTRIES, 110 ("aclp->acl_cnt <= ACL_MAX_ENTRIES")); 111 112 for (i = 0; i < aclp->acl_cnt; i++) { 113 entry = &(aclp->acl_entry[i]); 114 115 if (entry->ae_entry_type != ACL_ENTRY_TYPE_ALLOW && 116 entry->ae_entry_type != ACL_ENTRY_TYPE_DENY) 117 continue; 118 if (entry->ae_flags & ACL_ENTRY_INHERIT_ONLY) 119 continue; 120 switch (entry->ae_tag) { 121 case ACL_USER_OBJ: 122 if (file_uid != cred->cr_uid) 123 continue; 124 break; 125 case ACL_USER: 126 if (entry->ae_id != cred->cr_uid) 127 continue; 128 break; 129 case ACL_GROUP_OBJ: 130 if (!groupmember(file_gid, cred)) 131 continue; 132 break; 133 case ACL_GROUP: 134 if (!groupmember(entry->ae_id, cred)) 135 continue; 136 break; 137 default: 138 KASSERT(entry->ae_tag == ACL_EVERYONE, 139 ("entry->ae_tag == ACL_EVERYONE")); 140 } 141 142 if (entry->ae_entry_type == ACL_ENTRY_TYPE_DENY) { 143 if (entry->ae_perm & access_mask) { 144 if (denied_explicitly != NULL) 145 *denied_explicitly = 1; 146 return (1); 147 } 148 } 149 150 access_mask &= ~(entry->ae_perm); 151 if (access_mask == 0) 152 return (0); 153 } 154 155 return (1); 156} 157 158int 159vaccess_acl_nfs4(enum vtype type, uid_t file_uid, gid_t file_gid, 160 struct acl *aclp, accmode_t accmode, struct ucred *cred, int *privused) 161{ 162 accmode_t priv_granted = 0; 163 int denied, explicitly_denied, access_mask, is_directory, 164 must_be_owner = 0; 165 mode_t file_mode; 166 167 KASSERT((accmode & ~(VEXEC | VWRITE | VREAD | VADMIN | VAPPEND | 168 VEXPLICIT_DENY | VREAD_NAMED_ATTRS | VWRITE_NAMED_ATTRS | 169 VDELETE_CHILD | VREAD_ATTRIBUTES | VWRITE_ATTRIBUTES | VDELETE | 170 VREAD_ACL | VWRITE_ACL | VWRITE_OWNER | VSYNCHRONIZE)) == 0, 171 ("invalid bit in accmode")); 172 KASSERT((accmode & VAPPEND) == 0 || (accmode & VWRITE), 173 ("VAPPEND without VWRITE")); 174 175 if (privused != NULL) 176 *privused = 0; 177 178 if (accmode & VADMIN) 179 must_be_owner = 1; 180 181 /* 182 * Ignore VSYNCHRONIZE permission. 183 */ 184 accmode &= ~VSYNCHRONIZE; 185 186 access_mask = _access_mask_from_accmode(accmode); 187 188 if (type == VDIR) 189 is_directory = 1; 190 else 191 is_directory = 0; 192 193 /* 194 * File owner is always allowed to read and write the ACL 195 * and basic attributes. This is to prevent a situation 196 * where user would change ACL in a way that prevents him 197 * from undoing the change. 198 */ 199 if (file_uid == cred->cr_uid) 200 access_mask &= ~(ACL_READ_ACL | ACL_WRITE_ACL | 201 ACL_READ_ATTRIBUTES | ACL_WRITE_ATTRIBUTES); 202 203 /* 204 * Ignore append permission for regular files; use write 205 * permission instead. 206 */ 207 if (!is_directory && (access_mask & ACL_APPEND_DATA)) { 208 access_mask &= ~ACL_APPEND_DATA; 209 access_mask |= ACL_WRITE_DATA; 210 } 211 212 denied = _acl_denies(aclp, access_mask, cred, file_uid, file_gid, 213 &explicitly_denied); 214 215 if (must_be_owner) { 216 if (file_uid != cred->cr_uid) 217 denied = EPERM; 218 } 219 220 /* 221 * For VEXEC, ensure that at least one execute bit is set for 222 * non-directories. We have to check the mode here to stay 223 * consistent with execve(2). See the test in 224 * exec_check_permissions(). 225 */ 226 acl_nfs4_sync_mode_from_acl(&file_mode, aclp); 227 if (!denied && !is_directory && (accmode & VEXEC) && 228 (file_mode & (S_IXUSR | S_IXGRP | S_IXOTH)) == 0) 229 denied = EACCES; 230 231 if (!denied) 232 return (0); 233 234 /* 235 * Access failed. Iff it was not denied explicitly and 236 * VEXPLICIT_DENY flag was specified, allow access. 237 */ 238 if ((accmode & VEXPLICIT_DENY) && explicitly_denied == 0) 239 return (0); 240 241 accmode &= ~VEXPLICIT_DENY; 242 243 /* 244 * No match. Try to use privileges, if there are any. 245 */ 246 if (is_directory) { 247 if ((accmode & VEXEC) && !priv_check_cred(cred, 248 PRIV_VFS_LOOKUP, 0)) 249 priv_granted |= VEXEC; 250 } else { 251 /* 252 * Ensure that at least one execute bit is on. Otherwise, 253 * a privileged user will always succeed, and we don't want 254 * this to happen unless the file really is executable. 255 */ 256 if ((accmode & VEXEC) && (file_mode & 257 (S_IXUSR | S_IXGRP | S_IXOTH)) != 0 && 258 !priv_check_cred(cred, PRIV_VFS_EXEC, 0)) 259 priv_granted |= VEXEC; 260 } 261 262 if ((accmode & VREAD) && !priv_check_cred(cred, PRIV_VFS_READ, 0)) 263 priv_granted |= VREAD; 264 265 if ((accmode & (VWRITE | VAPPEND | VDELETE_CHILD)) && 266 !priv_check_cred(cred, PRIV_VFS_WRITE, 0)) 267 priv_granted |= (VWRITE | VAPPEND | VDELETE_CHILD); 268 269 if ((accmode & VADMIN_PERMS) && 270 !priv_check_cred(cred, PRIV_VFS_ADMIN, 0)) 271 priv_granted |= VADMIN_PERMS; 272 273 if ((accmode & VSTAT_PERMS) && 274 !priv_check_cred(cred, PRIV_VFS_STAT, 0)) 275 priv_granted |= VSTAT_PERMS; 276 277 if ((accmode & priv_granted) == accmode) { 278 if (privused != NULL) 279 *privused = 1; 280 281 return (0); 282 } 283 284 if (accmode & (VADMIN_PERMS | VDELETE_CHILD | VDELETE)) 285 denied = EPERM; 286 else 287 denied = EACCES; 288 289 return (denied); 290} 291#endif /* _KERNEL */ 292 293static int 294_acl_entry_matches(struct acl_entry *entry, acl_tag_t tag, acl_perm_t perm, 295 acl_entry_type_t entry_type) 296{ 297 if (entry->ae_tag != tag) 298 return (0); 299 300 if (entry->ae_id != ACL_UNDEFINED_ID) 301 return (0); 302 303 if (entry->ae_perm != perm) 304 return (0); 305 306 if (entry->ae_entry_type != entry_type) 307 return (0); 308 309 if (entry->ae_flags != 0) 310 return (0); 311 312 return (1); 313} 314 315static struct acl_entry * 316_acl_append(struct acl *aclp, acl_tag_t tag, acl_perm_t perm, 317 acl_entry_type_t entry_type) 318{ 319 struct acl_entry *entry; 320 321 KASSERT(aclp->acl_cnt + 1 <= ACL_MAX_ENTRIES, 322 ("aclp->acl_cnt + 1 <= ACL_MAX_ENTRIES")); 323 324 entry = &(aclp->acl_entry[aclp->acl_cnt]); 325 aclp->acl_cnt++; 326 327 entry->ae_tag = tag; 328 entry->ae_id = ACL_UNDEFINED_ID; 329 entry->ae_perm = perm; 330 entry->ae_entry_type = entry_type; 331 entry->ae_flags = 0; 332 333 return (entry); 334} 335 336static struct acl_entry * 337_acl_duplicate_entry(struct acl *aclp, int entry_index) 338{ 339 int i; 340 341 KASSERT(aclp->acl_cnt + 1 <= ACL_MAX_ENTRIES, 342 ("aclp->acl_cnt + 1 <= ACL_MAX_ENTRIES")); 343 344 for (i = aclp->acl_cnt; i > entry_index; i--) 345 aclp->acl_entry[i] = aclp->acl_entry[i - 1]; 346 347 aclp->acl_cnt++; 348 349 return (&(aclp->acl_entry[entry_index + 1])); 350} 351 352void 353acl_nfs4_sync_acl_from_mode(struct acl *aclp, mode_t mode, int file_owner_id) 354{ 355 int i, meets, must_append; 356 struct acl_entry *entry, *copy, *previous, 357 *a1, *a2, *a3, *a4, *a5, *a6; 358 mode_t amode; 359 const int READ = 04; 360 const int WRITE = 02; 361 const int EXEC = 01; 362 363 KASSERT(aclp->acl_cnt <= ACL_MAX_ENTRIES, 364 ("aclp->acl_cnt <= ACL_MAX_ENTRIES")); 365 366 /* 367 * NFSv4 Minor Version 1, draft-ietf-nfsv4-minorversion1-03.txt 368 * 369 * 3.16.6.3. Applying a Mode to an Existing ACL 370 */ 371 372 /* 373 * 1. For each ACE: 374 */ 375 for (i = 0; i < aclp->acl_cnt; i++) { 376 entry = &(aclp->acl_entry[i]); 377 378 /* 379 * 1.1. If the type is neither ALLOW or DENY - skip. 380 */ 381 if (entry->ae_entry_type != ACL_ENTRY_TYPE_ALLOW && 382 entry->ae_entry_type != ACL_ENTRY_TYPE_DENY) 383 continue; 384 385 /* 386 * 1.2. If ACL_ENTRY_INHERIT_ONLY is set - skip. 387 */ 388 if (entry->ae_flags & ACL_ENTRY_INHERIT_ONLY) 389 continue; 390 391 /* 392 * 1.3. If ACL_ENTRY_FILE_INHERIT or ACL_ENTRY_DIRECTORY_INHERIT 393 * are set: 394 */ 395 if (entry->ae_flags & 396 (ACL_ENTRY_FILE_INHERIT | ACL_ENTRY_DIRECTORY_INHERIT)) { 397 /* 398 * 1.3.1. A copy of the current ACE is made, and placed 399 * in the ACL immediately following the current 400 * ACE. 401 */ 402 copy = _acl_duplicate_entry(aclp, i); 403 404 /* 405 * 1.3.2. In the first ACE, the flag 406 * ACL_ENTRY_INHERIT_ONLY is set. 407 */ 408 entry->ae_flags |= ACL_ENTRY_INHERIT_ONLY; 409 410 /* 411 * 1.3.3. In the second ACE, the following flags 412 * are cleared: 413 * ACL_ENTRY_FILE_INHERIT, 414 * ACL_ENTRY_DIRECTORY_INHERIT, 415 * ACL_ENTRY_NO_PROPAGATE_INHERIT. 416 */ 417 copy->ae_flags &= ~(ACL_ENTRY_FILE_INHERIT | 418 ACL_ENTRY_DIRECTORY_INHERIT | 419 ACL_ENTRY_NO_PROPAGATE_INHERIT); 420 421 /* 422 * The algorithm continues on with the second ACE. 423 */ 424 i++; 425 entry = copy; 426 } 427 428 /* 429 * 1.4. If it's owner@, group@ or everyone@ entry, clear 430 * ACL_READ_DATA, ACL_WRITE_DATA, ACL_APPEND_DATA 431 * and ACL_EXECUTE. Continue to the next entry. 432 */ 433 if (entry->ae_tag == ACL_USER_OBJ || 434 entry->ae_tag == ACL_GROUP_OBJ || 435 entry->ae_tag == ACL_EVERYONE) { 436 entry->ae_perm &= ~(ACL_READ_DATA | ACL_WRITE_DATA | 437 ACL_APPEND_DATA | ACL_EXECUTE); 438 continue; 439 } 440 441 /* 442 * 1.5. Otherwise, if the "who" field did not match one 443 * of OWNER@, GROUP@, EVERYONE@: 444 * 445 * 1.5.1. If the type is ALLOW, check the preceding ACE. 446 * If it does not meet all of the following criteria: 447 */ 448 if (entry->ae_entry_type != ACL_ENTRY_TYPE_ALLOW) 449 continue; 450 451 meets = 0; 452 if (i > 0) { 453 meets = 1; 454 previous = &(aclp->acl_entry[i - 1]); 455 456 /* 457 * 1.5.1.1. The type field is DENY, 458 */ 459 if (previous->ae_entry_type != ACL_ENTRY_TYPE_DENY) 460 meets = 0; 461 462 /* 463 * 1.5.1.2. The "who" field is the same as the current 464 * ACE, 465 * 466 * 1.5.1.3. The flag bit ACE4_IDENTIFIER_GROUP 467 * is the same as it is in the current ACE, 468 * and no other flag bits are set, 469 */ 470 if (previous->ae_id != entry->ae_id || 471 previous->ae_tag != entry->ae_tag) 472 meets = 0; 473 474 if (previous->ae_flags) 475 meets = 0; 476 477 /* 478 * 1.5.1.4. The mask bits are a subset of the mask bits 479 * of the current ACE, and are also subset of 480 * the following: ACL_READ_DATA, 481 * ACL_WRITE_DATA, ACL_APPEND_DATA, ACL_EXECUTE 482 */ 483 if (previous->ae_perm & ~(entry->ae_perm)) 484 meets = 0; 485 486 if (previous->ae_perm & ~(ACL_READ_DATA | 487 ACL_WRITE_DATA | ACL_APPEND_DATA | ACL_EXECUTE)) 488 meets = 0; 489 } 490 491 if (!meets) { 492 /* 493 * Then the ACE of type DENY, with a who equal 494 * to the current ACE, flag bits equal to 495 * (<current ACE flags> & <ACE_IDENTIFIER_GROUP>) 496 * and no mask bits, is prepended. 497 */ 498 previous = entry; 499 entry = _acl_duplicate_entry(aclp, i); 500 501 /* Adjust counter, as we've just added an entry. */ 502 i++; 503 504 previous->ae_tag = entry->ae_tag; 505 previous->ae_id = entry->ae_id; 506 previous->ae_flags = entry->ae_flags; 507 previous->ae_perm = 0; 508 previous->ae_entry_type = ACL_ENTRY_TYPE_DENY; 509 } 510 511 /* 512 * 1.5.2. The following modifications are made to the prepended 513 * ACE. The intent is to mask the following ACE 514 * to disallow ACL_READ_DATA, ACL_WRITE_DATA, 515 * ACL_APPEND_DATA, or ACL_EXECUTE, based upon the group 516 * permissions of the new mode. As a special case, 517 * if the ACE matches the current owner of the file, 518 * the owner bits are used, rather than the group bits. 519 * This is reflected in the algorithm below. 520 */ 521 amode = mode >> 3; 522 523 /* 524 * If ACE4_IDENTIFIER_GROUP is not set, and the "who" field 525 * in ACE matches the owner of the file, we shift amode three 526 * more bits, in order to have the owner permission bits 527 * placed in the three low order bits of amode. 528 */ 529 if (entry->ae_tag == ACL_USER && entry->ae_id == file_owner_id) 530 amode = amode >> 3; 531 532 if (entry->ae_perm & ACL_READ_DATA) { 533 if (amode & READ) 534 previous->ae_perm &= ~ACL_READ_DATA; 535 else 536 previous->ae_perm |= ACL_READ_DATA; 537 } 538 539 if (entry->ae_perm & ACL_WRITE_DATA) { 540 if (amode & WRITE) 541 previous->ae_perm &= ~ACL_WRITE_DATA; 542 else 543 previous->ae_perm |= ACL_WRITE_DATA; 544 } 545 546 if (entry->ae_perm & ACL_APPEND_DATA) { 547 if (amode & WRITE) 548 previous->ae_perm &= ~ACL_APPEND_DATA; 549 else 550 previous->ae_perm |= ACL_APPEND_DATA; 551 } 552 553 if (entry->ae_perm & ACL_EXECUTE) { 554 if (amode & EXEC) 555 previous->ae_perm &= ~ACL_EXECUTE; 556 else 557 previous->ae_perm |= ACL_EXECUTE; 558 } 559 560 /* 561 * 1.5.3. If ACE4_IDENTIFIER_GROUP is set in the flags 562 * of the ALLOW ace: 563 * 564 * XXX: This point is not there in the Falkner's draft. 565 */ 566 if (entry->ae_tag == ACL_GROUP && 567 entry->ae_entry_type == ACL_ENTRY_TYPE_ALLOW) { 568 mode_t extramode, ownermode; 569 extramode = (mode >> 3) & 07; 570 ownermode = mode >> 6; 571 extramode &= ~ownermode; 572 573 if (extramode) { 574 if (extramode & READ) { 575 entry->ae_perm &= ~ACL_READ_DATA; 576 previous->ae_perm &= ~ACL_READ_DATA; 577 } 578 579 if (extramode & WRITE) { 580 entry->ae_perm &= 581 ~(ACL_WRITE_DATA | ACL_APPEND_DATA); 582 previous->ae_perm &= 583 ~(ACL_WRITE_DATA | ACL_APPEND_DATA); 584 } 585 586 if (extramode & EXEC) { 587 entry->ae_perm &= ~ACL_EXECUTE; 588 previous->ae_perm &= ~ACL_EXECUTE; 589 } 590 } 591 } 592 } 593 594 /* 595 * 2. If there at least six ACEs, the final six ACEs are examined. 596 * If they are not equal to what we want, append six ACEs. 597 */ 598 must_append = 0; 599 if (aclp->acl_cnt < 6) { 600 must_append = 1; 601 } else { 602 a6 = &(aclp->acl_entry[aclp->acl_cnt - 1]); 603 a5 = &(aclp->acl_entry[aclp->acl_cnt - 2]); 604 a4 = &(aclp->acl_entry[aclp->acl_cnt - 3]); 605 a3 = &(aclp->acl_entry[aclp->acl_cnt - 4]); 606 a2 = &(aclp->acl_entry[aclp->acl_cnt - 5]); 607 a1 = &(aclp->acl_entry[aclp->acl_cnt - 6]); 608 609 if (!_acl_entry_matches(a1, ACL_USER_OBJ, 0, 610 ACL_ENTRY_TYPE_DENY)) 611 must_append = 1; 612 if (!_acl_entry_matches(a2, ACL_USER_OBJ, ACL_WRITE_ACL | 613 ACL_WRITE_OWNER | ACL_WRITE_ATTRIBUTES | 614 ACL_WRITE_NAMED_ATTRS, ACL_ENTRY_TYPE_ALLOW)) 615 must_append = 1; 616 if (!_acl_entry_matches(a3, ACL_GROUP_OBJ, 0, 617 ACL_ENTRY_TYPE_DENY)) 618 must_append = 1; 619 if (!_acl_entry_matches(a4, ACL_GROUP_OBJ, 0, 620 ACL_ENTRY_TYPE_ALLOW)) 621 must_append = 1; 622 if (!_acl_entry_matches(a5, ACL_EVERYONE, ACL_WRITE_ACL | 623 ACL_WRITE_OWNER | ACL_WRITE_ATTRIBUTES | 624 ACL_WRITE_NAMED_ATTRS, ACL_ENTRY_TYPE_DENY)) 625 must_append = 1; 626 if (!_acl_entry_matches(a6, ACL_EVERYONE, ACL_READ_ACL | 627 ACL_READ_ATTRIBUTES | ACL_READ_NAMED_ATTRS | 628 ACL_SYNCHRONIZE, ACL_ENTRY_TYPE_ALLOW)) 629 must_append = 1; 630 } 631 632 if (must_append) { 633 KASSERT(aclp->acl_cnt + 6 <= ACL_MAX_ENTRIES, 634 ("aclp->acl_cnt <= ACL_MAX_ENTRIES")); 635 636 a1 = _acl_append(aclp, ACL_USER_OBJ, 0, ACL_ENTRY_TYPE_DENY); 637 a2 = _acl_append(aclp, ACL_USER_OBJ, ACL_WRITE_ACL | 638 ACL_WRITE_OWNER | ACL_WRITE_ATTRIBUTES | 639 ACL_WRITE_NAMED_ATTRS, ACL_ENTRY_TYPE_ALLOW); 640 a3 = _acl_append(aclp, ACL_GROUP_OBJ, 0, ACL_ENTRY_TYPE_DENY); 641 a4 = _acl_append(aclp, ACL_GROUP_OBJ, 0, ACL_ENTRY_TYPE_ALLOW); 642 a5 = _acl_append(aclp, ACL_EVERYONE, ACL_WRITE_ACL | 643 ACL_WRITE_OWNER | ACL_WRITE_ATTRIBUTES | 644 ACL_WRITE_NAMED_ATTRS, ACL_ENTRY_TYPE_DENY); 645 a6 = _acl_append(aclp, ACL_EVERYONE, ACL_READ_ACL | 646 ACL_READ_ATTRIBUTES | ACL_READ_NAMED_ATTRS | 647 ACL_SYNCHRONIZE, ACL_ENTRY_TYPE_ALLOW); 648 649 KASSERT(a1 != NULL && a2 != NULL && a3 != NULL && a4 != NULL && 650 a5 != NULL && a6 != NULL, ("couldn't append to ACL.")); 651 } 652 653 /* 654 * 3. The final six ACEs are adjusted according to the incoming mode. 655 */ 656 if (mode & S_IRUSR) 657 a2->ae_perm |= ACL_READ_DATA; 658 else 659 a1->ae_perm |= ACL_READ_DATA; 660 if (mode & S_IWUSR) 661 a2->ae_perm |= (ACL_WRITE_DATA | ACL_APPEND_DATA); 662 else 663 a1->ae_perm |= (ACL_WRITE_DATA | ACL_APPEND_DATA); 664 if (mode & S_IXUSR) 665 a2->ae_perm |= ACL_EXECUTE; 666 else 667 a1->ae_perm |= ACL_EXECUTE; 668 669 if (mode & S_IRGRP) 670 a4->ae_perm |= ACL_READ_DATA; 671 else 672 a3->ae_perm |= ACL_READ_DATA; 673 if (mode & S_IWGRP) 674 a4->ae_perm |= (ACL_WRITE_DATA | ACL_APPEND_DATA); 675 else 676 a3->ae_perm |= (ACL_WRITE_DATA | ACL_APPEND_DATA); 677 if (mode & S_IXGRP) 678 a4->ae_perm |= ACL_EXECUTE; 679 else 680 a3->ae_perm |= ACL_EXECUTE; 681 682 if (mode & S_IROTH) 683 a6->ae_perm |= ACL_READ_DATA; 684 else 685 a5->ae_perm |= ACL_READ_DATA; 686 if (mode & S_IWOTH) 687 a6->ae_perm |= (ACL_WRITE_DATA | ACL_APPEND_DATA); 688 else 689 a5->ae_perm |= (ACL_WRITE_DATA | ACL_APPEND_DATA); 690 if (mode & S_IXOTH) 691 a6->ae_perm |= ACL_EXECUTE; 692 else 693 a5->ae_perm |= ACL_EXECUTE; 694} 695 696void 697acl_nfs4_sync_mode_from_acl(mode_t *_mode, const struct acl *aclp) 698{ 699 int i; 700 mode_t old_mode = *_mode, mode = 0, seen = 0; 701 const struct acl_entry *entry; 702 703 KASSERT(aclp->acl_cnt > 0, ("aclp->acl_cnt > 0")); 704 KASSERT(aclp->acl_cnt <= ACL_MAX_ENTRIES, 705 ("aclp->acl_cnt <= ACL_MAX_ENTRIES")); 706 707 /* 708 * NFSv4 Minor Version 1, draft-ietf-nfsv4-minorversion1-03.txt 709 * 710 * 3.16.6.1. Recomputing mode upon SETATTR of ACL 711 */ 712 713 for (i = 0; i < aclp->acl_cnt; i++) { 714 entry = &(aclp->acl_entry[i]); 715 716 if (entry->ae_entry_type != ACL_ENTRY_TYPE_ALLOW && 717 entry->ae_entry_type != ACL_ENTRY_TYPE_DENY) 718 continue; 719 720 if (entry->ae_flags & ACL_ENTRY_INHERIT_ONLY) 721 continue; 722 723 if (entry->ae_tag == ACL_USER_OBJ) { 724 if ((entry->ae_perm & ACL_READ_DATA) && 725 ((seen & S_IRUSR) == 0)) { 726 seen |= S_IRUSR; 727 if (entry->ae_entry_type == ACL_ENTRY_TYPE_ALLOW) 728 mode |= S_IRUSR; 729 } 730 if ((entry->ae_perm & ACL_WRITE_DATA) && 731 ((seen & S_IWUSR) == 0)) { 732 seen |= S_IWUSR; 733 if (entry->ae_entry_type == ACL_ENTRY_TYPE_ALLOW) 734 mode |= S_IWUSR; 735 } 736 if ((entry->ae_perm & ACL_EXECUTE) && 737 ((seen & S_IXUSR) == 0)) { 738 seen |= S_IXUSR; 739 if (entry->ae_entry_type == ACL_ENTRY_TYPE_ALLOW) 740 mode |= S_IXUSR; 741 } 742 } else if (entry->ae_tag == ACL_GROUP_OBJ) { 743 if ((entry->ae_perm & ACL_READ_DATA) && 744 ((seen & S_IRGRP) == 0)) { 745 seen |= S_IRGRP; 746 if (entry->ae_entry_type == ACL_ENTRY_TYPE_ALLOW) 747 mode |= S_IRGRP; 748 } 749 if ((entry->ae_perm & ACL_WRITE_DATA) && 750 ((seen & S_IWGRP) == 0)) { 751 seen |= S_IWGRP; 752 if (entry->ae_entry_type == ACL_ENTRY_TYPE_ALLOW) 753 mode |= S_IWGRP; 754 } 755 if ((entry->ae_perm & ACL_EXECUTE) && 756 ((seen & S_IXGRP) == 0)) { 757 seen |= S_IXGRP; 758 if (entry->ae_entry_type == ACL_ENTRY_TYPE_ALLOW) 759 mode |= S_IXGRP; 760 } 761 } else if (entry->ae_tag == ACL_EVERYONE) { 762 if (entry->ae_perm & ACL_READ_DATA) { 763 if ((seen & S_IRUSR) == 0) { 764 seen |= S_IRUSR; 765 if (entry->ae_entry_type == ACL_ENTRY_TYPE_ALLOW) 766 mode |= S_IRUSR; 767 } 768 if ((seen & S_IRGRP) == 0) { 769 seen |= S_IRGRP; 770 if (entry->ae_entry_type == ACL_ENTRY_TYPE_ALLOW) 771 mode |= S_IRGRP; 772 } 773 if ((seen & S_IROTH) == 0) { 774 seen |= S_IROTH; 775 if (entry->ae_entry_type == ACL_ENTRY_TYPE_ALLOW) 776 mode |= S_IROTH; 777 } 778 } 779 if (entry->ae_perm & ACL_WRITE_DATA) { 780 if ((seen & S_IWUSR) == 0) { 781 seen |= S_IWUSR; 782 if (entry->ae_entry_type == ACL_ENTRY_TYPE_ALLOW) 783 mode |= S_IWUSR; 784 } 785 if ((seen & S_IWGRP) == 0) { 786 seen |= S_IWGRP; 787 if (entry->ae_entry_type == ACL_ENTRY_TYPE_ALLOW) 788 mode |= S_IWGRP; 789 } 790 if ((seen & S_IWOTH) == 0) { 791 seen |= S_IWOTH; 792 if (entry->ae_entry_type == ACL_ENTRY_TYPE_ALLOW) 793 mode |= S_IWOTH; 794 } 795 } 796 if (entry->ae_perm & ACL_EXECUTE) { 797 if ((seen & S_IXUSR) == 0) { 798 seen |= S_IXUSR; 799 if (entry->ae_entry_type == ACL_ENTRY_TYPE_ALLOW) 800 mode |= S_IXUSR; 801 } 802 if ((seen & S_IXGRP) == 0) { 803 seen |= S_IXGRP; 804 if (entry->ae_entry_type == ACL_ENTRY_TYPE_ALLOW) 805 mode |= S_IXGRP; 806 } 807 if ((seen & S_IXOTH) == 0) { 808 seen |= S_IXOTH; 809 if (entry->ae_entry_type == ACL_ENTRY_TYPE_ALLOW) 810 mode |= S_IXOTH; 811 } 812 } 813 } 814 } 815 816 *_mode = mode | (old_mode & ACL_PRESERVE_MASK); 817} 818 819void 820acl_nfs4_compute_inherited_acl(const struct acl *parent_aclp, 821 struct acl *child_aclp, mode_t mode, int file_owner_id, 822 int is_directory) 823{ 824 int i, flags; 825 const struct acl_entry *parent_entry; 826 struct acl_entry *entry, *copy; 827 828 KASSERT(child_aclp->acl_cnt == 0, ("child_aclp->acl_cnt == 0")); 829 KASSERT(parent_aclp->acl_cnt > 0, ("parent_aclp->acl_cnt > 0")); 830 KASSERT(parent_aclp->acl_cnt <= ACL_MAX_ENTRIES, 831 ("parent_aclp->acl_cnt <= ACL_MAX_ENTRIES")); 832 833 /* 834 * NFSv4 Minor Version 1, draft-ietf-nfsv4-minorversion1-03.txt 835 * 836 * 3.16.6.2. Applying the mode given to CREATE or OPEN 837 * to an inherited ACL 838 */ 839 840 /* 841 * 1. Form an ACL that is the concatenation of all inheritable ACEs. 842 */ 843 for (i = 0; i < parent_aclp->acl_cnt; i++) { 844 parent_entry = &(parent_aclp->acl_entry[i]); 845 flags = parent_entry->ae_flags; 846 847 /* 848 * Entry is not inheritable at all. 849 */ 850 if ((flags & (ACL_ENTRY_DIRECTORY_INHERIT | 851 ACL_ENTRY_FILE_INHERIT)) == 0) 852 continue; 853 854 /* 855 * We're creating a file, but entry is not inheritable 856 * by files. 857 */ 858 if (!is_directory && (flags & ACL_ENTRY_FILE_INHERIT) == 0) 859 continue; 860 861 /* 862 * Entry is inheritable only by files, but has NO_PROPAGATE 863 * flag set, and we're creating a directory, so it wouldn't 864 * propagate to any file in that directory anyway. 865 */ 866 if (is_directory && 867 (flags & ACL_ENTRY_DIRECTORY_INHERIT) == 0 && 868 (flags & ACL_ENTRY_NO_PROPAGATE_INHERIT)) 869 continue; 870 871 KASSERT(child_aclp->acl_cnt + 1 <= ACL_MAX_ENTRIES, 872 ("child_aclp->acl_cnt + 1 <= ACL_MAX_ENTRIES")); 873 child_aclp->acl_entry[child_aclp->acl_cnt] = *parent_entry; 874 child_aclp->acl_cnt++; 875 } 876 877 /* 878 * 2. For each entry in the new ACL, adjust its flags, possibly 879 * creating two entries in place of one. 880 */ 881 for (i = 0; i < child_aclp->acl_cnt; i++) { 882 entry = &(child_aclp->acl_entry[i]); 883 884 /* 885 * This is not in the specification, but SunOS 886 * apparently does that. 887 */ 888 if (((entry->ae_flags & ACL_ENTRY_NO_PROPAGATE_INHERIT) || 889 !is_directory) && 890 entry->ae_entry_type == ACL_ENTRY_TYPE_ALLOW) 891 entry->ae_perm &= ~(ACL_WRITE_ACL | ACL_WRITE_OWNER); 892 893 /* 894 * 2.A. If the ACL_ENTRY_NO_PROPAGATE_INHERIT is set, or if the object 895 * being created is not a directory, then clear the 896 * following flags: ACL_ENTRY_NO_PROPAGATE_INHERIT, 897 * ACL_ENTRY_FILE_INHERIT, ACL_ENTRY_DIRECTORY_INHERIT, 898 * ACL_ENTRY_INHERIT_ONLY. 899 */ 900 if (entry->ae_flags & ACL_ENTRY_NO_PROPAGATE_INHERIT || 901 !is_directory) { 902 entry->ae_flags &= ~(ACL_ENTRY_NO_PROPAGATE_INHERIT | 903 ACL_ENTRY_FILE_INHERIT | ACL_ENTRY_DIRECTORY_INHERIT | 904 ACL_ENTRY_INHERIT_ONLY); 905 906 /* 907 * Continue on to the next ACE. 908 */ 909 continue; 910 } 911 912 /* 913 * 2.B. If the object is a directory and ACL_ENTRY_FILE_INHERIT 914 * is set, but ACL_ENTRY_NO_PROPAGATE_INHERIT is not set, ensure 915 * that ACL_ENTRY_INHERIT_ONLY is set. Continue to the 916 * next ACE. Otherwise... 917 */ 918 /* 919 * XXX: Read it again and make sure what does the "otherwise" 920 * apply to. 921 */ 922 if (is_directory && 923 (entry->ae_flags & ACL_ENTRY_FILE_INHERIT) && 924 ((entry->ae_flags & ACL_ENTRY_DIRECTORY_INHERIT) == 0)) { 925 entry->ae_flags |= ACL_ENTRY_INHERIT_ONLY; 926 continue; 927 } 928 929 /* 930 * 2.C. If the type of the ACE is neither ALLOW nor deny, 931 * then continue. 932 */ 933 if (entry->ae_entry_type != ACL_ENTRY_TYPE_ALLOW && 934 entry->ae_entry_type != ACL_ENTRY_TYPE_DENY) 935 continue; 936 937 /* 938 * 2.D. Copy the original ACE into a second, adjacent ACE. 939 */ 940 copy = _acl_duplicate_entry(child_aclp, i); 941 942 /* 943 * 2.E. On the first ACE, ensure that ACL_ENTRY_INHERIT_ONLY 944 * is set. 945 */ 946 entry->ae_flags |= ACL_ENTRY_INHERIT_ONLY; 947 948 /* 949 * 2.F. On the second ACE, clear the following flags: 950 * ACL_ENTRY_NO_PROPAGATE_INHERIT, ACL_ENTRY_FILE_INHERIT, 951 * ACL_ENTRY_DIRECTORY_INHERIT, ACL_ENTRY_INHERIT_ONLY. 952 */ 953 copy->ae_flags &= ~(ACL_ENTRY_NO_PROPAGATE_INHERIT | 954 ACL_ENTRY_FILE_INHERIT | ACL_ENTRY_DIRECTORY_INHERIT | 955 ACL_ENTRY_INHERIT_ONLY); 956 957 /* 958 * 2.G. On the second ACE, if the type is ALLOW, 959 * an implementation MAY clear the following 960 * mask bits: ACL_WRITE_ACL, ACL_WRITE_OWNER. 961 */ 962 if (copy->ae_entry_type == ACL_ENTRY_TYPE_ALLOW) 963 copy->ae_perm &= ~(ACL_WRITE_ACL | ACL_WRITE_OWNER); 964 965 /* 966 * Increment the counter to skip the copied entry. 967 */ 968 i++; 969 } 970 971 /* 972 * 3. To ensure that the mode is honored, apply the algorithm describe 973 * in Section 2.16.6.3, using the mode that is to be used for file 974 * creation. 975 */ 976 acl_nfs4_sync_acl_from_mode(child_aclp, mode, file_owner_id); 977} 978 979#ifdef _KERNEL 980static int 981_acls_are_equal(const struct acl *a, const struct acl *b) 982{ 983 int i; 984 const struct acl_entry *entrya, *entryb; 985 986 if (a->acl_cnt != b->acl_cnt) 987 return (0); 988 989 for (i = 0; i < b->acl_cnt; i++) { 990 entrya = &(a->acl_entry[i]); 991 entryb = &(b->acl_entry[i]); 992 993 if (entrya->ae_tag != entryb->ae_tag || 994 entrya->ae_id != entryb->ae_id || 995 entrya->ae_perm != entryb->ae_perm || 996 entrya->ae_entry_type != entryb->ae_entry_type || 997 entrya->ae_flags != entryb->ae_flags) 998 return (0); 999 } 1000 1001 return (1); 1002} 1003 1004/* 1005 * This routine is used to determine whether to remove extended attribute 1006 * that stores ACL contents. 1007 */ 1008int 1009acl_nfs4_is_trivial(const struct acl *aclp, int file_owner_id) 1010{ 1011 int trivial; 1012 mode_t tmpmode = 0; 1013 struct acl *tmpaclp; 1014 1015 if (aclp->acl_cnt != 6) 1016 return (0); 1017 1018 /* 1019 * Compute the mode from the ACL, then compute new ACL from that mode. 1020 * If the ACLs are identical, then the ACL is trivial. 1021 * 1022 * XXX: I guess there is a faster way to do this. However, even 1023 * this slow implementation significantly speeds things up 1024 * for files that don't have non-trivial ACLs - it's critical 1025 * for performance to not use EA when they are not needed. 1026 */ 1027 tmpaclp = acl_alloc(M_WAITOK | M_ZERO); 1028 acl_nfs4_sync_mode_from_acl(&tmpmode, aclp); 1029 acl_nfs4_sync_acl_from_mode(tmpaclp, tmpmode, file_owner_id); 1030 trivial = _acls_are_equal(aclp, tmpaclp); 1031 acl_free(tmpaclp); 1032 1033 return (trivial); 1034} 1035#endif /* _KERNEL */ 1036 1037int 1038acl_nfs4_check(const struct acl *aclp, int is_directory) 1039{ 1040 int i; 1041 const struct acl_entry *entry; 1042 1043 /* 1044 * The spec doesn't seem to say anything about ACL validity. 1045 * It seems there is not much to do here. There is even no need 1046 * to count "owner@" or "everyone@" (ACL_USER_OBJ and ACL_EVERYONE) 1047 * entries, as there can be several of them and that's perfectly 1048 * valid. There can be none of them too. Really. 1049 */ 1050 1051 if (aclp->acl_cnt > ACL_MAX_ENTRIES || aclp->acl_cnt <= 0) 1052 return (EINVAL); 1053 1054 for (i = 0; i < aclp->acl_cnt; i++) { 1055 entry = &(aclp->acl_entry[i]); 1056 1057 switch (entry->ae_tag) { 1058 case ACL_USER_OBJ: 1059 case ACL_GROUP_OBJ: 1060 case ACL_EVERYONE: 1061 if (entry->ae_id != ACL_UNDEFINED_ID) 1062 return (EINVAL); 1063 break; 1064 1065 case ACL_USER: 1066 case ACL_GROUP: 1067 if (entry->ae_id == ACL_UNDEFINED_ID) 1068 return (EINVAL); 1069 break; 1070 1071 default: 1072 return (EINVAL); 1073 } 1074 1075 if ((entry->ae_perm | ACL_NFS4_PERM_BITS) != ACL_NFS4_PERM_BITS) 1076 return (EINVAL); 1077 1078 /* 1079 * Disallow ACL_ENTRY_TYPE_AUDIT and ACL_ENTRY_TYPE_ALARM for now. 1080 */ 1081 if (entry->ae_entry_type != ACL_ENTRY_TYPE_ALLOW && 1082 entry->ae_entry_type != ACL_ENTRY_TYPE_DENY) 1083 return (EINVAL); 1084 1085 if ((entry->ae_flags | ACL_FLAGS_BITS) != ACL_FLAGS_BITS) 1086 return (EINVAL); 1087 1088 /* Disallow unimplemented flags. */ 1089 if (entry->ae_flags & (ACL_ENTRY_SUCCESSFUL_ACCESS | 1090 ACL_ENTRY_FAILED_ACCESS)) 1091 return (EINVAL); 1092 1093 /* Disallow flags not allowed for ordinary files. */ 1094 if (!is_directory) { 1095 if (entry->ae_flags & (ACL_ENTRY_FILE_INHERIT | 1096 ACL_ENTRY_DIRECTORY_INHERIT | 1097 ACL_ENTRY_NO_PROPAGATE_INHERIT | ACL_ENTRY_INHERIT_ONLY)) 1098 return (EINVAL); 1099 } 1100 } 1101 1102 return (0); 1103} 1104