subr_acl_nfs4.c revision 212906
1/*- 2 * Copyright (c) 2008-2009 Edward Tomasz Napiera��a <trasz@FreeBSD.org> 3 * All rights reserved. 4 * 5 * Redistribution and use in source and binary forms, with or without 6 * modification, are permitted provided that the following conditions 7 * are met: 8 * 1. Redistributions of source code must retain the above copyright 9 * notice, this list of conditions and the following disclaimer. 10 * 2. Redistributions in binary form must reproduce the above copyright 11 * notice, this list of conditions and the following disclaimer in the 12 * documentation and/or other materials provided with the distribution. 13 * 14 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND 15 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 16 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 17 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 18 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 19 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 20 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 21 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 22 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 23 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 24 * SUCH DAMAGE. 25 */ 26 27/* 28 * ACL support routines specific to NFSv4 access control lists. These are 29 * utility routines for code common across file systems implementing NFSv4 30 * ACLs. 31 */ 32 33#ifdef _KERNEL 34#include <sys/cdefs.h> 35__FBSDID("$FreeBSD: head/sys/kern/subr_acl_nfs4.c 212906 2010-09-20 17:10:06Z trasz $"); 36 37#include <sys/param.h> 38#include <sys/systm.h> 39#include <sys/mount.h> 40#include <sys/priv.h> 41#include <sys/vnode.h> 42#include <sys/errno.h> 43#include <sys/stat.h> 44#include <sys/acl.h> 45#else 46#include <errno.h> 47#include <assert.h> 48#include <sys/acl.h> 49#include <sys/stat.h> 50#define KASSERT(a, b) assert(a) 51#define CTASSERT(a) 52#endif /* _KERNEL */ 53 54#ifdef _KERNEL 55 56static struct { 57 accmode_t accmode; 58 int mask; 59} accmode2mask[] = {{VREAD, ACL_READ_DATA}, 60 {VWRITE, ACL_WRITE_DATA}, 61 {VAPPEND, ACL_APPEND_DATA}, 62 {VEXEC, ACL_EXECUTE}, 63 {VREAD_NAMED_ATTRS, ACL_READ_NAMED_ATTRS}, 64 {VWRITE_NAMED_ATTRS, ACL_WRITE_NAMED_ATTRS}, 65 {VDELETE_CHILD, ACL_DELETE_CHILD}, 66 {VREAD_ATTRIBUTES, ACL_READ_ATTRIBUTES}, 67 {VWRITE_ATTRIBUTES, ACL_WRITE_ATTRIBUTES}, 68 {VDELETE, ACL_DELETE}, 69 {VREAD_ACL, ACL_READ_ACL}, 70 {VWRITE_ACL, ACL_WRITE_ACL}, 71 {VWRITE_OWNER, ACL_WRITE_OWNER}, 72 {VSYNCHRONIZE, ACL_SYNCHRONIZE}, 73 {0, 0}}; 74 75static int 76_access_mask_from_accmode(accmode_t accmode) 77{ 78 int access_mask = 0, i; 79 80 for (i = 0; accmode2mask[i].accmode != 0; i++) { 81 if (accmode & accmode2mask[i].accmode) 82 access_mask |= accmode2mask[i].mask; 83 } 84 85 /* 86 * VAPPEND is just a modifier for VWRITE; if the caller asked 87 * for 'VAPPEND | VWRITE', we want to check for ACL_APPEND_DATA only. 88 */ 89 if (access_mask & ACL_APPEND_DATA) 90 access_mask &= ~ACL_WRITE_DATA; 91 92 return (access_mask); 93} 94 95/* 96 * Return 0, iff access is allowed, 1 otherwise. 97 */ 98static int 99_acl_denies(const struct acl *aclp, int access_mask, struct ucred *cred, 100 int file_uid, int file_gid, int *denied_explicitly) 101{ 102 int i; 103 const struct acl_entry *entry; 104 105 if (denied_explicitly != NULL) 106 *denied_explicitly = 0; 107 108 KASSERT(aclp->acl_cnt > 0, ("aclp->acl_cnt > 0")); 109 KASSERT(aclp->acl_cnt <= ACL_MAX_ENTRIES, 110 ("aclp->acl_cnt <= ACL_MAX_ENTRIES")); 111 112 for (i = 0; i < aclp->acl_cnt; i++) { 113 entry = &(aclp->acl_entry[i]); 114 115 if (entry->ae_entry_type != ACL_ENTRY_TYPE_ALLOW && 116 entry->ae_entry_type != ACL_ENTRY_TYPE_DENY) 117 continue; 118 if (entry->ae_flags & ACL_ENTRY_INHERIT_ONLY) 119 continue; 120 switch (entry->ae_tag) { 121 case ACL_USER_OBJ: 122 if (file_uid != cred->cr_uid) 123 continue; 124 break; 125 case ACL_USER: 126 if (entry->ae_id != cred->cr_uid) 127 continue; 128 break; 129 case ACL_GROUP_OBJ: 130 if (!groupmember(file_gid, cred)) 131 continue; 132 break; 133 case ACL_GROUP: 134 if (!groupmember(entry->ae_id, cred)) 135 continue; 136 break; 137 default: 138 KASSERT(entry->ae_tag == ACL_EVERYONE, 139 ("entry->ae_tag == ACL_EVERYONE")); 140 } 141 142 if (entry->ae_entry_type == ACL_ENTRY_TYPE_DENY) { 143 if (entry->ae_perm & access_mask) { 144 if (denied_explicitly != NULL) 145 *denied_explicitly = 1; 146 return (1); 147 } 148 } 149 150 access_mask &= ~(entry->ae_perm); 151 if (access_mask == 0) 152 return (0); 153 } 154 155 return (1); 156} 157 158int 159vaccess_acl_nfs4(enum vtype type, uid_t file_uid, gid_t file_gid, 160 struct acl *aclp, accmode_t accmode, struct ucred *cred, int *privused) 161{ 162 accmode_t priv_granted = 0; 163 int denied, explicitly_denied, access_mask, is_directory, 164 must_be_owner = 0; 165 mode_t file_mode; 166 167 KASSERT((accmode & ~(VEXEC | VWRITE | VREAD | VADMIN | VAPPEND | 168 VEXPLICIT_DENY | VREAD_NAMED_ATTRS | VWRITE_NAMED_ATTRS | 169 VDELETE_CHILD | VREAD_ATTRIBUTES | VWRITE_ATTRIBUTES | VDELETE | 170 VREAD_ACL | VWRITE_ACL | VWRITE_OWNER | VSYNCHRONIZE)) == 0, 171 ("invalid bit in accmode")); 172 KASSERT((accmode & VAPPEND) == 0 || (accmode & VWRITE), 173 ("VAPPEND without VWRITE")); 174 175 if (privused != NULL) 176 *privused = 0; 177 178 if (accmode & VADMIN) 179 must_be_owner = 1; 180 181 /* 182 * Ignore VSYNCHRONIZE permission. 183 */ 184 accmode &= ~VSYNCHRONIZE; 185 186 access_mask = _access_mask_from_accmode(accmode); 187 188 if (type == VDIR) 189 is_directory = 1; 190 else 191 is_directory = 0; 192 193 /* 194 * File owner is always allowed to read and write the ACL 195 * and basic attributes. This is to prevent a situation 196 * where user would change ACL in a way that prevents him 197 * from undoing the change. 198 */ 199 if (file_uid == cred->cr_uid) 200 access_mask &= ~(ACL_READ_ACL | ACL_WRITE_ACL | 201 ACL_READ_ATTRIBUTES | ACL_WRITE_ATTRIBUTES); 202 203 /* 204 * Ignore append permission for regular files; use write 205 * permission instead. 206 */ 207 if (!is_directory && (access_mask & ACL_APPEND_DATA)) { 208 access_mask &= ~ACL_APPEND_DATA; 209 access_mask |= ACL_WRITE_DATA; 210 } 211 212 denied = _acl_denies(aclp, access_mask, cred, file_uid, file_gid, 213 &explicitly_denied); 214 215 if (must_be_owner) { 216 if (file_uid != cred->cr_uid) 217 denied = EPERM; 218 } 219 220 /* 221 * For VEXEC, ensure that at least one execute bit is set for 222 * non-directories. We have to check the mode here to stay 223 * consistent with execve(2). See the test in 224 * exec_check_permissions(). 225 */ 226 acl_nfs4_sync_mode_from_acl(&file_mode, aclp); 227 if (!denied && !is_directory && (accmode & VEXEC) && 228 (file_mode & (S_IXUSR | S_IXGRP | S_IXOTH)) == 0) 229 denied = EACCES; 230 231 if (!denied) 232 return (0); 233 234 /* 235 * Access failed. Iff it was not denied explicitly and 236 * VEXPLICIT_DENY flag was specified, allow access. 237 */ 238 if ((accmode & VEXPLICIT_DENY) && explicitly_denied == 0) 239 return (0); 240 241 accmode &= ~VEXPLICIT_DENY; 242 243 /* 244 * No match. Try to use privileges, if there are any. 245 */ 246 if (is_directory) { 247 if ((accmode & VEXEC) && !priv_check_cred(cred, 248 PRIV_VFS_LOOKUP, 0)) 249 priv_granted |= VEXEC; 250 } else { 251 /* 252 * Ensure that at least one execute bit is on. Otherwise, 253 * a privileged user will always succeed, and we don't want 254 * this to happen unless the file really is executable. 255 */ 256 if ((accmode & VEXEC) && (file_mode & 257 (S_IXUSR | S_IXGRP | S_IXOTH)) != 0 && 258 !priv_check_cred(cred, PRIV_VFS_EXEC, 0)) 259 priv_granted |= VEXEC; 260 } 261 262 if ((accmode & VREAD) && !priv_check_cred(cred, PRIV_VFS_READ, 0)) 263 priv_granted |= VREAD; 264 265 if ((accmode & (VWRITE | VAPPEND | VDELETE_CHILD)) && 266 !priv_check_cred(cred, PRIV_VFS_WRITE, 0)) 267 priv_granted |= (VWRITE | VAPPEND | VDELETE_CHILD); 268 269 if ((accmode & VADMIN_PERMS) && 270 !priv_check_cred(cred, PRIV_VFS_ADMIN, 0)) 271 priv_granted |= VADMIN_PERMS; 272 273 if ((accmode & VSTAT_PERMS) && 274 !priv_check_cred(cred, PRIV_VFS_STAT, 0)) 275 priv_granted |= VSTAT_PERMS; 276 277 if ((accmode & priv_granted) == accmode) { 278 if (privused != NULL) 279 *privused = 1; 280 281 return (0); 282 } 283 284 if (accmode & (VADMIN_PERMS | VDELETE_CHILD | VDELETE)) 285 denied = EPERM; 286 else 287 denied = EACCES; 288 289 return (denied); 290} 291#endif /* _KERNEL */ 292 293static int 294_acl_entry_matches(struct acl_entry *entry, acl_tag_t tag, acl_perm_t perm, 295 acl_entry_type_t entry_type) 296{ 297 if (entry->ae_tag != tag) 298 return (0); 299 300 if (entry->ae_id != ACL_UNDEFINED_ID) 301 return (0); 302 303 if (entry->ae_perm != perm) 304 return (0); 305 306 if (entry->ae_entry_type != entry_type) 307 return (0); 308 309 if (entry->ae_flags != 0) 310 return (0); 311 312 return (1); 313} 314 315static struct acl_entry * 316_acl_append(struct acl *aclp, acl_tag_t tag, acl_perm_t perm, 317 acl_entry_type_t entry_type) 318{ 319 struct acl_entry *entry; 320 321 KASSERT(aclp->acl_cnt + 1 <= ACL_MAX_ENTRIES, 322 ("aclp->acl_cnt + 1 <= ACL_MAX_ENTRIES")); 323 324 entry = &(aclp->acl_entry[aclp->acl_cnt]); 325 aclp->acl_cnt++; 326 327 entry->ae_tag = tag; 328 entry->ae_id = ACL_UNDEFINED_ID; 329 entry->ae_perm = perm; 330 entry->ae_entry_type = entry_type; 331 entry->ae_flags = 0; 332 333 return (entry); 334} 335 336static struct acl_entry * 337_acl_duplicate_entry(struct acl *aclp, int entry_index) 338{ 339 int i; 340 341 KASSERT(aclp->acl_cnt + 1 <= ACL_MAX_ENTRIES, 342 ("aclp->acl_cnt + 1 <= ACL_MAX_ENTRIES")); 343 344 for (i = aclp->acl_cnt; i > entry_index; i--) 345 aclp->acl_entry[i] = aclp->acl_entry[i - 1]; 346 347 aclp->acl_cnt++; 348 349 return (&(aclp->acl_entry[entry_index + 1])); 350} 351 352/* 353 * Calculate trivial ACL in a manner compatible with PSARC/2010/029. 354 * Note that this results in an ACL different from (but semantically 355 * equal to) the "canonical six" trivial ACL computed using algorithm 356 * described in draft-ietf-nfsv4-minorversion1-03.txt, 3.16.6.2. 357 */ 358void 359acl_nfs4_trivial_from_mode(struct acl *aclp, mode_t mode) 360{ 361 acl_perm_t user_allow_first = 0, user_deny = 0, group_deny = 0; 362 acl_perm_t user_allow, group_allow, everyone_allow; 363 364 KASSERT(aclp->acl_cnt == 0, ("aclp->acl_cnt == 0")); 365 366 user_allow = group_allow = everyone_allow = ACL_READ_ACL | 367 ACL_READ_ATTRIBUTES | ACL_READ_NAMED_ATTRS | ACL_SYNCHRONIZE; 368 user_allow |= ACL_WRITE_ACL | ACL_WRITE_OWNER | ACL_WRITE_ATTRIBUTES | 369 ACL_WRITE_NAMED_ATTRS; 370 371 if (mode & S_IRUSR) 372 user_allow |= ACL_READ_DATA; 373 if (mode & S_IWUSR) 374 user_allow |= (ACL_WRITE_DATA | ACL_APPEND_DATA); 375 if (mode & S_IXUSR) 376 user_allow |= ACL_EXECUTE; 377 378 if (mode & S_IRGRP) 379 group_allow |= ACL_READ_DATA; 380 if (mode & S_IWGRP) 381 group_allow |= (ACL_WRITE_DATA | ACL_APPEND_DATA); 382 if (mode & S_IXGRP) 383 group_allow |= ACL_EXECUTE; 384 385 if (mode & S_IROTH) 386 everyone_allow |= ACL_READ_DATA; 387 if (mode & S_IWOTH) 388 everyone_allow |= (ACL_WRITE_DATA | ACL_APPEND_DATA); 389 if (mode & S_IXOTH) 390 everyone_allow |= ACL_EXECUTE; 391 392 user_deny = ((group_allow | everyone_allow) & ~user_allow); 393 group_deny = everyone_allow & ~group_allow; 394 user_allow_first = group_deny & ~user_deny; 395 396#if 1 397 /* 398 * This is a workaround for what looks like a bug in ZFS - trivial 399 * ACL for mode 0077 should look like this: 400 * 401 * owner@:rwxp----------:------:deny 402 * owner@:------aARWcCos:------:allow 403 * group@:rwxp--a-R-c--s:------:allow 404 * everyone@:rwxp--a-R-c--s:------:allow 405 * 406 * Instead, ZFS makes it like this: 407 * 408 * owner@:rwx-----------:------:deny 409 * owner@:------aARWcCos:------:allow 410 * group@:rwxp--a-R-c--s:------:allow 411 * everyone@:rwxp--a-R-c--s:------:allow 412 */ 413 user_allow_first &= ~ACL_APPEND_DATA; 414 user_deny &= ~ACL_APPEND_DATA; 415 group_deny &= ~ACL_APPEND_DATA; 416#endif 417 418 if (user_allow_first != 0) 419 _acl_append(aclp, ACL_USER_OBJ, user_allow_first, ACL_ENTRY_TYPE_ALLOW); 420 if (user_deny != 0) 421 _acl_append(aclp, ACL_USER_OBJ, user_deny, ACL_ENTRY_TYPE_DENY); 422 if (group_deny != 0) 423 _acl_append(aclp, ACL_GROUP_OBJ, group_deny, ACL_ENTRY_TYPE_DENY); 424 _acl_append(aclp, ACL_USER_OBJ, user_allow, ACL_ENTRY_TYPE_ALLOW); 425 _acl_append(aclp, ACL_GROUP_OBJ, group_allow, ACL_ENTRY_TYPE_ALLOW); 426 _acl_append(aclp, ACL_EVERYONE, everyone_allow, ACL_ENTRY_TYPE_ALLOW); 427} 428 429void 430acl_nfs4_sync_acl_from_mode(struct acl *aclp, mode_t mode, int file_owner_id) 431{ 432 int i, meets, must_append; 433 struct acl_entry *entry, *copy, *previous, 434 *a1, *a2, *a3, *a4, *a5, *a6; 435 mode_t amode; 436 const int READ = 04; 437 const int WRITE = 02; 438 const int EXEC = 01; 439 440 KASSERT(aclp->acl_cnt <= ACL_MAX_ENTRIES, 441 ("aclp->acl_cnt <= ACL_MAX_ENTRIES")); 442 443 /* 444 * NFSv4 Minor Version 1, draft-ietf-nfsv4-minorversion1-03.txt 445 * 446 * 3.16.6.3. Applying a Mode to an Existing ACL 447 */ 448 449 /* 450 * 1. For each ACE: 451 */ 452 for (i = 0; i < aclp->acl_cnt; i++) { 453 entry = &(aclp->acl_entry[i]); 454 455 /* 456 * 1.1. If the type is neither ALLOW or DENY - skip. 457 */ 458 if (entry->ae_entry_type != ACL_ENTRY_TYPE_ALLOW && 459 entry->ae_entry_type != ACL_ENTRY_TYPE_DENY) 460 continue; 461 462 /* 463 * 1.2. If ACL_ENTRY_INHERIT_ONLY is set - skip. 464 */ 465 if (entry->ae_flags & ACL_ENTRY_INHERIT_ONLY) 466 continue; 467 468 /* 469 * 1.3. If ACL_ENTRY_FILE_INHERIT or ACL_ENTRY_DIRECTORY_INHERIT 470 * are set: 471 */ 472 if (entry->ae_flags & 473 (ACL_ENTRY_FILE_INHERIT | ACL_ENTRY_DIRECTORY_INHERIT)) { 474 /* 475 * 1.3.1. A copy of the current ACE is made, and placed 476 * in the ACL immediately following the current 477 * ACE. 478 */ 479 copy = _acl_duplicate_entry(aclp, i); 480 481 /* 482 * 1.3.2. In the first ACE, the flag 483 * ACL_ENTRY_INHERIT_ONLY is set. 484 */ 485 entry->ae_flags |= ACL_ENTRY_INHERIT_ONLY; 486 487 /* 488 * 1.3.3. In the second ACE, the following flags 489 * are cleared: 490 * ACL_ENTRY_FILE_INHERIT, 491 * ACL_ENTRY_DIRECTORY_INHERIT, 492 * ACL_ENTRY_NO_PROPAGATE_INHERIT. 493 */ 494 copy->ae_flags &= ~(ACL_ENTRY_FILE_INHERIT | 495 ACL_ENTRY_DIRECTORY_INHERIT | 496 ACL_ENTRY_NO_PROPAGATE_INHERIT); 497 498 /* 499 * The algorithm continues on with the second ACE. 500 */ 501 i++; 502 entry = copy; 503 } 504 505 /* 506 * 1.4. If it's owner@, group@ or everyone@ entry, clear 507 * ACL_READ_DATA, ACL_WRITE_DATA, ACL_APPEND_DATA 508 * and ACL_EXECUTE. Continue to the next entry. 509 */ 510 if (entry->ae_tag == ACL_USER_OBJ || 511 entry->ae_tag == ACL_GROUP_OBJ || 512 entry->ae_tag == ACL_EVERYONE) { 513 entry->ae_perm &= ~(ACL_READ_DATA | ACL_WRITE_DATA | 514 ACL_APPEND_DATA | ACL_EXECUTE); 515 continue; 516 } 517 518 /* 519 * 1.5. Otherwise, if the "who" field did not match one 520 * of OWNER@, GROUP@, EVERYONE@: 521 * 522 * 1.5.1. If the type is ALLOW, check the preceding ACE. 523 * If it does not meet all of the following criteria: 524 */ 525 if (entry->ae_entry_type != ACL_ENTRY_TYPE_ALLOW) 526 continue; 527 528 meets = 0; 529 if (i > 0) { 530 meets = 1; 531 previous = &(aclp->acl_entry[i - 1]); 532 533 /* 534 * 1.5.1.1. The type field is DENY, 535 */ 536 if (previous->ae_entry_type != ACL_ENTRY_TYPE_DENY) 537 meets = 0; 538 539 /* 540 * 1.5.1.2. The "who" field is the same as the current 541 * ACE, 542 * 543 * 1.5.1.3. The flag bit ACE4_IDENTIFIER_GROUP 544 * is the same as it is in the current ACE, 545 * and no other flag bits are set, 546 */ 547 if (previous->ae_id != entry->ae_id || 548 previous->ae_tag != entry->ae_tag) 549 meets = 0; 550 551 if (previous->ae_flags) 552 meets = 0; 553 554 /* 555 * 1.5.1.4. The mask bits are a subset of the mask bits 556 * of the current ACE, and are also subset of 557 * the following: ACL_READ_DATA, 558 * ACL_WRITE_DATA, ACL_APPEND_DATA, ACL_EXECUTE 559 */ 560 if (previous->ae_perm & ~(entry->ae_perm)) 561 meets = 0; 562 563 if (previous->ae_perm & ~(ACL_READ_DATA | 564 ACL_WRITE_DATA | ACL_APPEND_DATA | ACL_EXECUTE)) 565 meets = 0; 566 } 567 568 if (!meets) { 569 /* 570 * Then the ACE of type DENY, with a who equal 571 * to the current ACE, flag bits equal to 572 * (<current ACE flags> & <ACE_IDENTIFIER_GROUP>) 573 * and no mask bits, is prepended. 574 */ 575 previous = entry; 576 entry = _acl_duplicate_entry(aclp, i); 577 578 /* Adjust counter, as we've just added an entry. */ 579 i++; 580 581 previous->ae_tag = entry->ae_tag; 582 previous->ae_id = entry->ae_id; 583 previous->ae_flags = entry->ae_flags; 584 previous->ae_perm = 0; 585 previous->ae_entry_type = ACL_ENTRY_TYPE_DENY; 586 } 587 588 /* 589 * 1.5.2. The following modifications are made to the prepended 590 * ACE. The intent is to mask the following ACE 591 * to disallow ACL_READ_DATA, ACL_WRITE_DATA, 592 * ACL_APPEND_DATA, or ACL_EXECUTE, based upon the group 593 * permissions of the new mode. As a special case, 594 * if the ACE matches the current owner of the file, 595 * the owner bits are used, rather than the group bits. 596 * This is reflected in the algorithm below. 597 */ 598 amode = mode >> 3; 599 600 /* 601 * If ACE4_IDENTIFIER_GROUP is not set, and the "who" field 602 * in ACE matches the owner of the file, we shift amode three 603 * more bits, in order to have the owner permission bits 604 * placed in the three low order bits of amode. 605 */ 606 if (entry->ae_tag == ACL_USER && entry->ae_id == file_owner_id) 607 amode = amode >> 3; 608 609 if (entry->ae_perm & ACL_READ_DATA) { 610 if (amode & READ) 611 previous->ae_perm &= ~ACL_READ_DATA; 612 else 613 previous->ae_perm |= ACL_READ_DATA; 614 } 615 616 if (entry->ae_perm & ACL_WRITE_DATA) { 617 if (amode & WRITE) 618 previous->ae_perm &= ~ACL_WRITE_DATA; 619 else 620 previous->ae_perm |= ACL_WRITE_DATA; 621 } 622 623 if (entry->ae_perm & ACL_APPEND_DATA) { 624 if (amode & WRITE) 625 previous->ae_perm &= ~ACL_APPEND_DATA; 626 else 627 previous->ae_perm |= ACL_APPEND_DATA; 628 } 629 630 if (entry->ae_perm & ACL_EXECUTE) { 631 if (amode & EXEC) 632 previous->ae_perm &= ~ACL_EXECUTE; 633 else 634 previous->ae_perm |= ACL_EXECUTE; 635 } 636 637 /* 638 * 1.5.3. If ACE4_IDENTIFIER_GROUP is set in the flags 639 * of the ALLOW ace: 640 * 641 * XXX: This point is not there in the Falkner's draft. 642 */ 643 if (entry->ae_tag == ACL_GROUP && 644 entry->ae_entry_type == ACL_ENTRY_TYPE_ALLOW) { 645 mode_t extramode, ownermode; 646 extramode = (mode >> 3) & 07; 647 ownermode = mode >> 6; 648 extramode &= ~ownermode; 649 650 if (extramode) { 651 if (extramode & READ) { 652 entry->ae_perm &= ~ACL_READ_DATA; 653 previous->ae_perm &= ~ACL_READ_DATA; 654 } 655 656 if (extramode & WRITE) { 657 entry->ae_perm &= 658 ~(ACL_WRITE_DATA | ACL_APPEND_DATA); 659 previous->ae_perm &= 660 ~(ACL_WRITE_DATA | ACL_APPEND_DATA); 661 } 662 663 if (extramode & EXEC) { 664 entry->ae_perm &= ~ACL_EXECUTE; 665 previous->ae_perm &= ~ACL_EXECUTE; 666 } 667 } 668 } 669 } 670 671 /* 672 * 2. If there at least six ACEs, the final six ACEs are examined. 673 * If they are not equal to what we want, append six ACEs. 674 */ 675 must_append = 0; 676 if (aclp->acl_cnt < 6) { 677 must_append = 1; 678 } else { 679 a6 = &(aclp->acl_entry[aclp->acl_cnt - 1]); 680 a5 = &(aclp->acl_entry[aclp->acl_cnt - 2]); 681 a4 = &(aclp->acl_entry[aclp->acl_cnt - 3]); 682 a3 = &(aclp->acl_entry[aclp->acl_cnt - 4]); 683 a2 = &(aclp->acl_entry[aclp->acl_cnt - 5]); 684 a1 = &(aclp->acl_entry[aclp->acl_cnt - 6]); 685 686 if (!_acl_entry_matches(a1, ACL_USER_OBJ, 0, 687 ACL_ENTRY_TYPE_DENY)) 688 must_append = 1; 689 if (!_acl_entry_matches(a2, ACL_USER_OBJ, ACL_WRITE_ACL | 690 ACL_WRITE_OWNER | ACL_WRITE_ATTRIBUTES | 691 ACL_WRITE_NAMED_ATTRS, ACL_ENTRY_TYPE_ALLOW)) 692 must_append = 1; 693 if (!_acl_entry_matches(a3, ACL_GROUP_OBJ, 0, 694 ACL_ENTRY_TYPE_DENY)) 695 must_append = 1; 696 if (!_acl_entry_matches(a4, ACL_GROUP_OBJ, 0, 697 ACL_ENTRY_TYPE_ALLOW)) 698 must_append = 1; 699 if (!_acl_entry_matches(a5, ACL_EVERYONE, ACL_WRITE_ACL | 700 ACL_WRITE_OWNER | ACL_WRITE_ATTRIBUTES | 701 ACL_WRITE_NAMED_ATTRS, ACL_ENTRY_TYPE_DENY)) 702 must_append = 1; 703 if (!_acl_entry_matches(a6, ACL_EVERYONE, ACL_READ_ACL | 704 ACL_READ_ATTRIBUTES | ACL_READ_NAMED_ATTRS | 705 ACL_SYNCHRONIZE, ACL_ENTRY_TYPE_ALLOW)) 706 must_append = 1; 707 } 708 709 if (must_append) { 710 KASSERT(aclp->acl_cnt + 6 <= ACL_MAX_ENTRIES, 711 ("aclp->acl_cnt <= ACL_MAX_ENTRIES")); 712 713 a1 = _acl_append(aclp, ACL_USER_OBJ, 0, ACL_ENTRY_TYPE_DENY); 714 a2 = _acl_append(aclp, ACL_USER_OBJ, ACL_WRITE_ACL | 715 ACL_WRITE_OWNER | ACL_WRITE_ATTRIBUTES | 716 ACL_WRITE_NAMED_ATTRS, ACL_ENTRY_TYPE_ALLOW); 717 a3 = _acl_append(aclp, ACL_GROUP_OBJ, 0, ACL_ENTRY_TYPE_DENY); 718 a4 = _acl_append(aclp, ACL_GROUP_OBJ, 0, ACL_ENTRY_TYPE_ALLOW); 719 a5 = _acl_append(aclp, ACL_EVERYONE, ACL_WRITE_ACL | 720 ACL_WRITE_OWNER | ACL_WRITE_ATTRIBUTES | 721 ACL_WRITE_NAMED_ATTRS, ACL_ENTRY_TYPE_DENY); 722 a6 = _acl_append(aclp, ACL_EVERYONE, ACL_READ_ACL | 723 ACL_READ_ATTRIBUTES | ACL_READ_NAMED_ATTRS | 724 ACL_SYNCHRONIZE, ACL_ENTRY_TYPE_ALLOW); 725 726 KASSERT(a1 != NULL && a2 != NULL && a3 != NULL && a4 != NULL && 727 a5 != NULL && a6 != NULL, ("couldn't append to ACL.")); 728 } 729 730 /* 731 * 3. The final six ACEs are adjusted according to the incoming mode. 732 */ 733 if (mode & S_IRUSR) 734 a2->ae_perm |= ACL_READ_DATA; 735 else 736 a1->ae_perm |= ACL_READ_DATA; 737 if (mode & S_IWUSR) 738 a2->ae_perm |= (ACL_WRITE_DATA | ACL_APPEND_DATA); 739 else 740 a1->ae_perm |= (ACL_WRITE_DATA | ACL_APPEND_DATA); 741 if (mode & S_IXUSR) 742 a2->ae_perm |= ACL_EXECUTE; 743 else 744 a1->ae_perm |= ACL_EXECUTE; 745 746 if (mode & S_IRGRP) 747 a4->ae_perm |= ACL_READ_DATA; 748 else 749 a3->ae_perm |= ACL_READ_DATA; 750 if (mode & S_IWGRP) 751 a4->ae_perm |= (ACL_WRITE_DATA | ACL_APPEND_DATA); 752 else 753 a3->ae_perm |= (ACL_WRITE_DATA | ACL_APPEND_DATA); 754 if (mode & S_IXGRP) 755 a4->ae_perm |= ACL_EXECUTE; 756 else 757 a3->ae_perm |= ACL_EXECUTE; 758 759 if (mode & S_IROTH) 760 a6->ae_perm |= ACL_READ_DATA; 761 else 762 a5->ae_perm |= ACL_READ_DATA; 763 if (mode & S_IWOTH) 764 a6->ae_perm |= (ACL_WRITE_DATA | ACL_APPEND_DATA); 765 else 766 a5->ae_perm |= (ACL_WRITE_DATA | ACL_APPEND_DATA); 767 if (mode & S_IXOTH) 768 a6->ae_perm |= ACL_EXECUTE; 769 else 770 a5->ae_perm |= ACL_EXECUTE; 771} 772 773void 774acl_nfs4_sync_mode_from_acl(mode_t *_mode, const struct acl *aclp) 775{ 776 int i; 777 mode_t old_mode = *_mode, mode = 0, seen = 0; 778 const struct acl_entry *entry; 779 780 KASSERT(aclp->acl_cnt > 0, ("aclp->acl_cnt > 0")); 781 KASSERT(aclp->acl_cnt <= ACL_MAX_ENTRIES, 782 ("aclp->acl_cnt <= ACL_MAX_ENTRIES")); 783 784 /* 785 * NFSv4 Minor Version 1, draft-ietf-nfsv4-minorversion1-03.txt 786 * 787 * 3.16.6.1. Recomputing mode upon SETATTR of ACL 788 */ 789 790 for (i = 0; i < aclp->acl_cnt; i++) { 791 entry = &(aclp->acl_entry[i]); 792 793 if (entry->ae_entry_type != ACL_ENTRY_TYPE_ALLOW && 794 entry->ae_entry_type != ACL_ENTRY_TYPE_DENY) 795 continue; 796 797 if (entry->ae_flags & ACL_ENTRY_INHERIT_ONLY) 798 continue; 799 800 if (entry->ae_tag == ACL_USER_OBJ) { 801 if ((entry->ae_perm & ACL_READ_DATA) && 802 ((seen & S_IRUSR) == 0)) { 803 seen |= S_IRUSR; 804 if (entry->ae_entry_type == ACL_ENTRY_TYPE_ALLOW) 805 mode |= S_IRUSR; 806 } 807 if ((entry->ae_perm & ACL_WRITE_DATA) && 808 ((seen & S_IWUSR) == 0)) { 809 seen |= S_IWUSR; 810 if (entry->ae_entry_type == ACL_ENTRY_TYPE_ALLOW) 811 mode |= S_IWUSR; 812 } 813 if ((entry->ae_perm & ACL_EXECUTE) && 814 ((seen & S_IXUSR) == 0)) { 815 seen |= S_IXUSR; 816 if (entry->ae_entry_type == ACL_ENTRY_TYPE_ALLOW) 817 mode |= S_IXUSR; 818 } 819 } else if (entry->ae_tag == ACL_GROUP_OBJ) { 820 if ((entry->ae_perm & ACL_READ_DATA) && 821 ((seen & S_IRGRP) == 0)) { 822 seen |= S_IRGRP; 823 if (entry->ae_entry_type == ACL_ENTRY_TYPE_ALLOW) 824 mode |= S_IRGRP; 825 } 826 if ((entry->ae_perm & ACL_WRITE_DATA) && 827 ((seen & S_IWGRP) == 0)) { 828 seen |= S_IWGRP; 829 if (entry->ae_entry_type == ACL_ENTRY_TYPE_ALLOW) 830 mode |= S_IWGRP; 831 } 832 if ((entry->ae_perm & ACL_EXECUTE) && 833 ((seen & S_IXGRP) == 0)) { 834 seen |= S_IXGRP; 835 if (entry->ae_entry_type == ACL_ENTRY_TYPE_ALLOW) 836 mode |= S_IXGRP; 837 } 838 } else if (entry->ae_tag == ACL_EVERYONE) { 839 if (entry->ae_perm & ACL_READ_DATA) { 840 if ((seen & S_IRUSR) == 0) { 841 seen |= S_IRUSR; 842 if (entry->ae_entry_type == ACL_ENTRY_TYPE_ALLOW) 843 mode |= S_IRUSR; 844 } 845 if ((seen & S_IRGRP) == 0) { 846 seen |= S_IRGRP; 847 if (entry->ae_entry_type == ACL_ENTRY_TYPE_ALLOW) 848 mode |= S_IRGRP; 849 } 850 if ((seen & S_IROTH) == 0) { 851 seen |= S_IROTH; 852 if (entry->ae_entry_type == ACL_ENTRY_TYPE_ALLOW) 853 mode |= S_IROTH; 854 } 855 } 856 if (entry->ae_perm & ACL_WRITE_DATA) { 857 if ((seen & S_IWUSR) == 0) { 858 seen |= S_IWUSR; 859 if (entry->ae_entry_type == ACL_ENTRY_TYPE_ALLOW) 860 mode |= S_IWUSR; 861 } 862 if ((seen & S_IWGRP) == 0) { 863 seen |= S_IWGRP; 864 if (entry->ae_entry_type == ACL_ENTRY_TYPE_ALLOW) 865 mode |= S_IWGRP; 866 } 867 if ((seen & S_IWOTH) == 0) { 868 seen |= S_IWOTH; 869 if (entry->ae_entry_type == ACL_ENTRY_TYPE_ALLOW) 870 mode |= S_IWOTH; 871 } 872 } 873 if (entry->ae_perm & ACL_EXECUTE) { 874 if ((seen & S_IXUSR) == 0) { 875 seen |= S_IXUSR; 876 if (entry->ae_entry_type == ACL_ENTRY_TYPE_ALLOW) 877 mode |= S_IXUSR; 878 } 879 if ((seen & S_IXGRP) == 0) { 880 seen |= S_IXGRP; 881 if (entry->ae_entry_type == ACL_ENTRY_TYPE_ALLOW) 882 mode |= S_IXGRP; 883 } 884 if ((seen & S_IXOTH) == 0) { 885 seen |= S_IXOTH; 886 if (entry->ae_entry_type == ACL_ENTRY_TYPE_ALLOW) 887 mode |= S_IXOTH; 888 } 889 } 890 } 891 } 892 893 *_mode = mode | (old_mode & ACL_PRESERVE_MASK); 894} 895 896void 897acl_nfs4_compute_inherited_acl(const struct acl *parent_aclp, 898 struct acl *child_aclp, mode_t mode, int file_owner_id, 899 int is_directory) 900{ 901 int i, flags; 902 const struct acl_entry *parent_entry; 903 struct acl_entry *entry, *copy; 904 905 KASSERT(child_aclp->acl_cnt == 0, ("child_aclp->acl_cnt == 0")); 906 KASSERT(parent_aclp->acl_cnt > 0, ("parent_aclp->acl_cnt > 0")); 907 KASSERT(parent_aclp->acl_cnt <= ACL_MAX_ENTRIES, 908 ("parent_aclp->acl_cnt <= ACL_MAX_ENTRIES")); 909 910 /* 911 * NFSv4 Minor Version 1, draft-ietf-nfsv4-minorversion1-03.txt 912 * 913 * 3.16.6.2. Applying the mode given to CREATE or OPEN 914 * to an inherited ACL 915 */ 916 917 /* 918 * 1. Form an ACL that is the concatenation of all inheritable ACEs. 919 */ 920 for (i = 0; i < parent_aclp->acl_cnt; i++) { 921 parent_entry = &(parent_aclp->acl_entry[i]); 922 flags = parent_entry->ae_flags; 923 924 /* 925 * Entry is not inheritable at all. 926 */ 927 if ((flags & (ACL_ENTRY_DIRECTORY_INHERIT | 928 ACL_ENTRY_FILE_INHERIT)) == 0) 929 continue; 930 931 /* 932 * We're creating a file, but entry is not inheritable 933 * by files. 934 */ 935 if (!is_directory && (flags & ACL_ENTRY_FILE_INHERIT) == 0) 936 continue; 937 938 /* 939 * Entry is inheritable only by files, but has NO_PROPAGATE 940 * flag set, and we're creating a directory, so it wouldn't 941 * propagate to any file in that directory anyway. 942 */ 943 if (is_directory && 944 (flags & ACL_ENTRY_DIRECTORY_INHERIT) == 0 && 945 (flags & ACL_ENTRY_NO_PROPAGATE_INHERIT)) 946 continue; 947 948 KASSERT(child_aclp->acl_cnt + 1 <= ACL_MAX_ENTRIES, 949 ("child_aclp->acl_cnt + 1 <= ACL_MAX_ENTRIES")); 950 child_aclp->acl_entry[child_aclp->acl_cnt] = *parent_entry; 951 child_aclp->acl_cnt++; 952 } 953 954 /* 955 * 2. For each entry in the new ACL, adjust its flags, possibly 956 * creating two entries in place of one. 957 */ 958 for (i = 0; i < child_aclp->acl_cnt; i++) { 959 entry = &(child_aclp->acl_entry[i]); 960 961 /* 962 * This is not in the specification, but SunOS 963 * apparently does that. 964 */ 965 if (((entry->ae_flags & ACL_ENTRY_NO_PROPAGATE_INHERIT) || 966 !is_directory) && 967 entry->ae_entry_type == ACL_ENTRY_TYPE_ALLOW) 968 entry->ae_perm &= ~(ACL_WRITE_ACL | ACL_WRITE_OWNER); 969 970 /* 971 * 2.A. If the ACL_ENTRY_NO_PROPAGATE_INHERIT is set, or if the object 972 * being created is not a directory, then clear the 973 * following flags: ACL_ENTRY_NO_PROPAGATE_INHERIT, 974 * ACL_ENTRY_FILE_INHERIT, ACL_ENTRY_DIRECTORY_INHERIT, 975 * ACL_ENTRY_INHERIT_ONLY. 976 */ 977 if (entry->ae_flags & ACL_ENTRY_NO_PROPAGATE_INHERIT || 978 !is_directory) { 979 entry->ae_flags &= ~(ACL_ENTRY_NO_PROPAGATE_INHERIT | 980 ACL_ENTRY_FILE_INHERIT | ACL_ENTRY_DIRECTORY_INHERIT | 981 ACL_ENTRY_INHERIT_ONLY); 982 983 /* 984 * Continue on to the next ACE. 985 */ 986 continue; 987 } 988 989 /* 990 * 2.B. If the object is a directory and ACL_ENTRY_FILE_INHERIT 991 * is set, but ACL_ENTRY_NO_PROPAGATE_INHERIT is not set, ensure 992 * that ACL_ENTRY_INHERIT_ONLY is set. Continue to the 993 * next ACE. Otherwise... 994 */ 995 /* 996 * XXX: Read it again and make sure what does the "otherwise" 997 * apply to. 998 */ 999 if (is_directory && 1000 (entry->ae_flags & ACL_ENTRY_FILE_INHERIT) && 1001 ((entry->ae_flags & ACL_ENTRY_DIRECTORY_INHERIT) == 0)) { 1002 entry->ae_flags |= ACL_ENTRY_INHERIT_ONLY; 1003 continue; 1004 } 1005 1006 /* 1007 * 2.C. If the type of the ACE is neither ALLOW nor deny, 1008 * then continue. 1009 */ 1010 if (entry->ae_entry_type != ACL_ENTRY_TYPE_ALLOW && 1011 entry->ae_entry_type != ACL_ENTRY_TYPE_DENY) 1012 continue; 1013 1014 /* 1015 * 2.D. Copy the original ACE into a second, adjacent ACE. 1016 */ 1017 copy = _acl_duplicate_entry(child_aclp, i); 1018 1019 /* 1020 * 2.E. On the first ACE, ensure that ACL_ENTRY_INHERIT_ONLY 1021 * is set. 1022 */ 1023 entry->ae_flags |= ACL_ENTRY_INHERIT_ONLY; 1024 1025 /* 1026 * 2.F. On the second ACE, clear the following flags: 1027 * ACL_ENTRY_NO_PROPAGATE_INHERIT, ACL_ENTRY_FILE_INHERIT, 1028 * ACL_ENTRY_DIRECTORY_INHERIT, ACL_ENTRY_INHERIT_ONLY. 1029 */ 1030 copy->ae_flags &= ~(ACL_ENTRY_NO_PROPAGATE_INHERIT | 1031 ACL_ENTRY_FILE_INHERIT | ACL_ENTRY_DIRECTORY_INHERIT | 1032 ACL_ENTRY_INHERIT_ONLY); 1033 1034 /* 1035 * 2.G. On the second ACE, if the type is ALLOW, 1036 * an implementation MAY clear the following 1037 * mask bits: ACL_WRITE_ACL, ACL_WRITE_OWNER. 1038 */ 1039 if (copy->ae_entry_type == ACL_ENTRY_TYPE_ALLOW) 1040 copy->ae_perm &= ~(ACL_WRITE_ACL | ACL_WRITE_OWNER); 1041 1042 /* 1043 * Increment the counter to skip the copied entry. 1044 */ 1045 i++; 1046 } 1047 1048 /* 1049 * 3. To ensure that the mode is honored, apply the algorithm describe 1050 * in Section 2.16.6.3, using the mode that is to be used for file 1051 * creation. 1052 */ 1053 acl_nfs4_sync_acl_from_mode(child_aclp, mode, file_owner_id); 1054} 1055 1056#ifdef _KERNEL 1057static int 1058_acls_are_equal(const struct acl *a, const struct acl *b) 1059{ 1060 int i; 1061 const struct acl_entry *entrya, *entryb; 1062 1063 if (a->acl_cnt != b->acl_cnt) 1064 return (0); 1065 1066 for (i = 0; i < b->acl_cnt; i++) { 1067 entrya = &(a->acl_entry[i]); 1068 entryb = &(b->acl_entry[i]); 1069 1070 if (entrya->ae_tag != entryb->ae_tag || 1071 entrya->ae_id != entryb->ae_id || 1072 entrya->ae_perm != entryb->ae_perm || 1073 entrya->ae_entry_type != entryb->ae_entry_type || 1074 entrya->ae_flags != entryb->ae_flags) 1075 return (0); 1076 } 1077 1078 return (1); 1079} 1080 1081/* 1082 * This routine is used to determine whether to remove extended attribute 1083 * that stores ACL contents. 1084 */ 1085int 1086acl_nfs4_is_trivial(const struct acl *aclp, int file_owner_id) 1087{ 1088 int trivial; 1089 mode_t tmpmode = 0; 1090 struct acl *tmpaclp; 1091 1092 if (aclp->acl_cnt != 6) 1093 return (0); 1094 1095 /* 1096 * Compute the mode from the ACL, then compute new ACL from that mode. 1097 * If the ACLs are identical, then the ACL is trivial. 1098 * 1099 * XXX: I guess there is a faster way to do this. However, even 1100 * this slow implementation significantly speeds things up 1101 * for files that don't have non-trivial ACLs - it's critical 1102 * for performance to not use EA when they are not needed. 1103 */ 1104 tmpaclp = acl_alloc(M_WAITOK | M_ZERO); 1105 acl_nfs4_sync_mode_from_acl(&tmpmode, aclp); 1106 acl_nfs4_sync_acl_from_mode(tmpaclp, tmpmode, file_owner_id); 1107 trivial = _acls_are_equal(aclp, tmpaclp); 1108 acl_free(tmpaclp); 1109 1110 return (trivial); 1111} 1112#endif /* _KERNEL */ 1113 1114int 1115acl_nfs4_check(const struct acl *aclp, int is_directory) 1116{ 1117 int i; 1118 const struct acl_entry *entry; 1119 1120 /* 1121 * The spec doesn't seem to say anything about ACL validity. 1122 * It seems there is not much to do here. There is even no need 1123 * to count "owner@" or "everyone@" (ACL_USER_OBJ and ACL_EVERYONE) 1124 * entries, as there can be several of them and that's perfectly 1125 * valid. There can be none of them too. Really. 1126 */ 1127 1128 if (aclp->acl_cnt > ACL_MAX_ENTRIES || aclp->acl_cnt <= 0) 1129 return (EINVAL); 1130 1131 for (i = 0; i < aclp->acl_cnt; i++) { 1132 entry = &(aclp->acl_entry[i]); 1133 1134 switch (entry->ae_tag) { 1135 case ACL_USER_OBJ: 1136 case ACL_GROUP_OBJ: 1137 case ACL_EVERYONE: 1138 if (entry->ae_id != ACL_UNDEFINED_ID) 1139 return (EINVAL); 1140 break; 1141 1142 case ACL_USER: 1143 case ACL_GROUP: 1144 if (entry->ae_id == ACL_UNDEFINED_ID) 1145 return (EINVAL); 1146 break; 1147 1148 default: 1149 return (EINVAL); 1150 } 1151 1152 if ((entry->ae_perm | ACL_NFS4_PERM_BITS) != ACL_NFS4_PERM_BITS) 1153 return (EINVAL); 1154 1155 /* 1156 * Disallow ACL_ENTRY_TYPE_AUDIT and ACL_ENTRY_TYPE_ALARM for now. 1157 */ 1158 if (entry->ae_entry_type != ACL_ENTRY_TYPE_ALLOW && 1159 entry->ae_entry_type != ACL_ENTRY_TYPE_DENY) 1160 return (EINVAL); 1161 1162 if ((entry->ae_flags | ACL_FLAGS_BITS) != ACL_FLAGS_BITS) 1163 return (EINVAL); 1164 1165 /* Disallow unimplemented flags. */ 1166 if (entry->ae_flags & (ACL_ENTRY_SUCCESSFUL_ACCESS | 1167 ACL_ENTRY_FAILED_ACCESS)) 1168 return (EINVAL); 1169 1170 /* Disallow flags not allowed for ordinary files. */ 1171 if (!is_directory) { 1172 if (entry->ae_flags & (ACL_ENTRY_FILE_INHERIT | 1173 ACL_ENTRY_DIRECTORY_INHERIT | 1174 ACL_ENTRY_NO_PROPAGATE_INHERIT | ACL_ENTRY_INHERIT_ONLY)) 1175 return (EINVAL); 1176 } 1177 } 1178 1179 return (0); 1180} 1181