zfs_acl.c revision 169023
1/* 2 * CDDL HEADER START 3 * 4 * The contents of this file are subject to the terms of the 5 * Common Development and Distribution License (the "License"). 6 * You may not use this file except in compliance with the License. 7 * 8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE 9 * or http://www.opensolaris.org/os/licensing. 10 * See the License for the specific language governing permissions 11 * and limitations under the License. 12 * 13 * When distributing Covered Code, include this CDDL HEADER in each 14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE. 15 * If applicable, add the following below this CDDL HEADER, with the 16 * fields enclosed by brackets "[]" replaced with your own identifying 17 * information: Portions Copyright [yyyy] [name of copyright owner] 18 * 19 * CDDL HEADER END 20 */ 21/* 22 * Copyright 2006 Sun Microsystems, Inc. All rights reserved. 23 * Use is subject to license terms. 24 */ 25 26#pragma ident "%Z%%M% %I% %E% SMI" 27 28#include <sys/types.h> 29#include <sys/param.h> 30#include <sys/time.h> 31#include <sys/systm.h> 32#include <sys/sysmacros.h> 33#include <sys/resource.h> 34#include <sys/vfs.h> 35#include <sys/vnode.h> 36#include <sys/file.h> 37#include <sys/stat.h> 38#include <sys/kmem.h> 39#include <sys/cmn_err.h> 40#include <sys/errno.h> 41#include <sys/unistd.h> 42#include <sys/sdt.h> 43#include <sys/fs/zfs.h> 44#include <sys/policy.h> 45#include <sys/zfs_znode.h> 46#include <sys/zfs_acl.h> 47#include <sys/zfs_dir.h> 48#include <sys/zfs_vfsops.h> 49#include <sys/dmu.h> 50#include <sys/zap.h> 51#include <acl/acl_common.h> 52 53#define ALLOW ACE_ACCESS_ALLOWED_ACE_TYPE 54#define DENY ACE_ACCESS_DENIED_ACE_TYPE 55 56#define OWNING_GROUP (ACE_GROUP|ACE_IDENTIFIER_GROUP) 57#define EVERYONE_ALLOW_MASK (ACE_READ_ACL|ACE_READ_ATTRIBUTES | \ 58 ACE_READ_NAMED_ATTRS|ACE_SYNCHRONIZE) 59#define EVERYONE_DENY_MASK (ACE_WRITE_ACL|ACE_WRITE_OWNER | \ 60 ACE_WRITE_ATTRIBUTES|ACE_WRITE_NAMED_ATTRS) 61#define OWNER_ALLOW_MASK (ACE_WRITE_ACL | ACE_WRITE_OWNER | \ 62 ACE_WRITE_ATTRIBUTES|ACE_WRITE_NAMED_ATTRS) 63#define WRITE_MASK (ACE_WRITE_DATA|ACE_APPEND_DATA|ACE_WRITE_NAMED_ATTRS| \ 64 ACE_WRITE_ATTRIBUTES|ACE_WRITE_ACL|ACE_WRITE_OWNER) 65 66#define OGE_CLEAR (ACE_READ_DATA|ACE_LIST_DIRECTORY|ACE_WRITE_DATA| \ 67 ACE_ADD_FILE|ACE_APPEND_DATA|ACE_ADD_SUBDIRECTORY|ACE_EXECUTE) 68 69#define OKAY_MASK_BITS (ACE_READ_DATA|ACE_LIST_DIRECTORY|ACE_WRITE_DATA| \ 70 ACE_ADD_FILE|ACE_APPEND_DATA|ACE_ADD_SUBDIRECTORY|ACE_EXECUTE) 71 72#define ALL_INHERIT (ACE_FILE_INHERIT_ACE|ACE_DIRECTORY_INHERIT_ACE | \ 73 ACE_NO_PROPAGATE_INHERIT_ACE|ACE_INHERIT_ONLY_ACE) 74 75#define SECURE_CLEAR (ACE_WRITE_ACL|ACE_WRITE_OWNER) 76 77#define OGE_PAD 6 /* traditional owner/group/everyone ACES */ 78 79static int zfs_ace_can_use(znode_t *zp, ace_t *); 80 81static zfs_acl_t * 82zfs_acl_alloc(int slots) 83{ 84 zfs_acl_t *aclp; 85 86 aclp = kmem_zalloc(sizeof (zfs_acl_t), KM_SLEEP); 87 if (slots != 0) { 88 aclp->z_acl = kmem_alloc(ZFS_ACL_SIZE(slots), KM_SLEEP); 89 aclp->z_acl_count = 0; 90 aclp->z_state = ACL_DATA_ALLOCED; 91 } else { 92 aclp->z_state = 0; 93 } 94 aclp->z_slots = slots; 95 return (aclp); 96} 97 98void 99zfs_acl_free(zfs_acl_t *aclp) 100{ 101 if (aclp->z_state == ACL_DATA_ALLOCED) { 102 kmem_free(aclp->z_acl, ZFS_ACL_SIZE(aclp->z_slots)); 103 } 104 kmem_free(aclp, sizeof (zfs_acl_t)); 105} 106 107static uint32_t 108zfs_v4_to_unix(uint32_t access_mask) 109{ 110 uint32_t new_mask = 0; 111 112 /* 113 * This is used for mapping v4 permissions into permissions 114 * that can be passed to secpolicy_vnode_access() 115 */ 116 if (access_mask & (ACE_READ_DATA | ACE_LIST_DIRECTORY | 117 ACE_READ_ATTRIBUTES | ACE_READ_ACL)) 118 new_mask |= S_IROTH; 119 if (access_mask & (ACE_WRITE_DATA | ACE_APPEND_DATA | 120 ACE_WRITE_ATTRIBUTES | ACE_ADD_FILE | ACE_WRITE_NAMED_ATTRS)) 121 new_mask |= S_IWOTH; 122 if (access_mask & (ACE_EXECUTE | ACE_READ_NAMED_ATTRS)) 123 new_mask |= S_IXOTH; 124 125 return (new_mask); 126} 127 128/* 129 * Convert unix access mask to v4 access mask 130 */ 131static uint32_t 132zfs_unix_to_v4(uint32_t access_mask) 133{ 134 uint32_t new_mask = 0; 135 136 if (access_mask & 01) 137 new_mask |= (ACE_EXECUTE); 138 if (access_mask & 02) { 139 new_mask |= (ACE_WRITE_DATA); 140 } if (access_mask & 04) { 141 new_mask |= ACE_READ_DATA; 142 } 143 return (new_mask); 144} 145 146static void 147zfs_set_ace(ace_t *zacep, uint32_t access_mask, int access_type, 148 uid_t uid, int entry_type) 149{ 150 zacep->a_access_mask = access_mask; 151 zacep->a_type = access_type; 152 zacep->a_who = uid; 153 zacep->a_flags = entry_type; 154} 155 156static uint64_t 157zfs_mode_compute(znode_t *zp, zfs_acl_t *aclp) 158{ 159 int i; 160 int entry_type; 161 mode_t mode = (zp->z_phys->zp_mode & 162 (S_IFMT | S_ISUID | S_ISGID | S_ISVTX)); 163 mode_t seen = 0; 164 ace_t *acep; 165 166 for (i = 0, acep = aclp->z_acl; 167 i != aclp->z_acl_count; i++, acep++) { 168 entry_type = (acep->a_flags & ACE_TYPE_FLAGS); 169 if (entry_type == ACE_OWNER) { 170 if ((acep->a_access_mask & ACE_READ_DATA) && 171 (!(seen & S_IRUSR))) { 172 seen |= S_IRUSR; 173 if (acep->a_type == ALLOW) { 174 mode |= S_IRUSR; 175 } 176 } 177 if ((acep->a_access_mask & ACE_WRITE_DATA) && 178 (!(seen & S_IWUSR))) { 179 seen |= S_IWUSR; 180 if (acep->a_type == ALLOW) { 181 mode |= S_IWUSR; 182 } 183 } 184 if ((acep->a_access_mask & ACE_EXECUTE) && 185 (!(seen & S_IXUSR))) { 186 seen |= S_IXUSR; 187 if (acep->a_type == ALLOW) { 188 mode |= S_IXUSR; 189 } 190 } 191 } else if (entry_type == OWNING_GROUP) { 192 if ((acep->a_access_mask & ACE_READ_DATA) && 193 (!(seen & S_IRGRP))) { 194 seen |= S_IRGRP; 195 if (acep->a_type == ALLOW) { 196 mode |= S_IRGRP; 197 } 198 } 199 if ((acep->a_access_mask & ACE_WRITE_DATA) && 200 (!(seen & S_IWGRP))) { 201 seen |= S_IWGRP; 202 if (acep->a_type == ALLOW) { 203 mode |= S_IWGRP; 204 } 205 } 206 if ((acep->a_access_mask & ACE_EXECUTE) && 207 (!(seen & S_IXGRP))) { 208 seen |= S_IXGRP; 209 if (acep->a_type == ALLOW) { 210 mode |= S_IXGRP; 211 } 212 } 213 } else if (entry_type == ACE_EVERYONE) { 214 if ((acep->a_access_mask & ACE_READ_DATA)) { 215 if (!(seen & S_IRUSR)) { 216 seen |= S_IRUSR; 217 if (acep->a_type == ALLOW) { 218 mode |= S_IRUSR; 219 } 220 } 221 if (!(seen & S_IRGRP)) { 222 seen |= S_IRGRP; 223 if (acep->a_type == ALLOW) { 224 mode |= S_IRGRP; 225 } 226 } 227 if (!(seen & S_IROTH)) { 228 seen |= S_IROTH; 229 if (acep->a_type == ALLOW) { 230 mode |= S_IROTH; 231 } 232 } 233 } 234 if ((acep->a_access_mask & ACE_WRITE_DATA)) { 235 if (!(seen & S_IWUSR)) { 236 seen |= S_IWUSR; 237 if (acep->a_type == ALLOW) { 238 mode |= S_IWUSR; 239 } 240 } 241 if (!(seen & S_IWGRP)) { 242 seen |= S_IWGRP; 243 if (acep->a_type == ALLOW) { 244 mode |= S_IWGRP; 245 } 246 } 247 if (!(seen & S_IWOTH)) { 248 seen |= S_IWOTH; 249 if (acep->a_type == ALLOW) { 250 mode |= S_IWOTH; 251 } 252 } 253 } 254 if ((acep->a_access_mask & ACE_EXECUTE)) { 255 if (!(seen & S_IXUSR)) { 256 seen |= S_IXUSR; 257 if (acep->a_type == ALLOW) { 258 mode |= S_IXUSR; 259 } 260 } 261 if (!(seen & S_IXGRP)) { 262 seen |= S_IXGRP; 263 if (acep->a_type == ALLOW) { 264 mode |= S_IXGRP; 265 } 266 } 267 if (!(seen & S_IXOTH)) { 268 seen |= S_IXOTH; 269 if (acep->a_type == ALLOW) { 270 mode |= S_IXOTH; 271 } 272 } 273 } 274 } 275 } 276 return (mode); 277} 278 279static zfs_acl_t * 280zfs_acl_node_read_internal(znode_t *zp) 281{ 282 zfs_acl_t *aclp; 283 284 aclp = zfs_acl_alloc(0); 285 aclp->z_acl_count = zp->z_phys->zp_acl.z_acl_count; 286 aclp->z_acl = &zp->z_phys->zp_acl.z_ace_data[0]; 287 288 return (aclp); 289} 290 291/* 292 * Read an external acl object. 293 */ 294static int 295zfs_acl_node_read(znode_t *zp, zfs_acl_t **aclpp) 296{ 297 uint64_t extacl = zp->z_phys->zp_acl.z_acl_extern_obj; 298 zfs_acl_t *aclp; 299 int error; 300 301 ASSERT(MUTEX_HELD(&zp->z_acl_lock)); 302 303 if (zp->z_phys->zp_acl.z_acl_extern_obj == 0) { 304 *aclpp = zfs_acl_node_read_internal(zp); 305 return (0); 306 } 307 308 aclp = zfs_acl_alloc(zp->z_phys->zp_acl.z_acl_count); 309 310 error = dmu_read(zp->z_zfsvfs->z_os, extacl, 0, 311 ZFS_ACL_SIZE(zp->z_phys->zp_acl.z_acl_count), aclp->z_acl); 312 if (error != 0) { 313 zfs_acl_free(aclp); 314 return (error); 315 } 316 317 aclp->z_acl_count = zp->z_phys->zp_acl.z_acl_count; 318 319 *aclpp = aclp; 320 return (0); 321} 322 323static boolean_t 324zfs_acl_valid(znode_t *zp, ace_t *uace, int aclcnt, int *inherit) 325{ 326 ace_t *acep; 327 int i; 328 329 *inherit = 0; 330 331 if (aclcnt > MAX_ACL_ENTRIES || aclcnt <= 0) { 332 return (B_FALSE); 333 } 334 335 for (i = 0, acep = uace; i != aclcnt; i++, acep++) { 336 337 /* 338 * first check type of entry 339 */ 340 341 switch (acep->a_flags & ACE_TYPE_FLAGS) { 342 case ACE_OWNER: 343 acep->a_who = -1; 344 break; 345 case (ACE_IDENTIFIER_GROUP | ACE_GROUP): 346 case ACE_IDENTIFIER_GROUP: 347 if (acep->a_flags & ACE_GROUP) { 348 acep->a_who = -1; 349 } 350 break; 351 case ACE_EVERYONE: 352 acep->a_who = -1; 353 break; 354 } 355 356 /* 357 * next check inheritance level flags 358 */ 359 360 if (acep->a_type != ALLOW && acep->a_type != DENY) 361 return (B_FALSE); 362 363 /* 364 * Only directories should have inheritance flags. 365 */ 366 if (ZTOV(zp)->v_type != VDIR && (acep->a_flags & 367 (ACE_FILE_INHERIT_ACE|ACE_DIRECTORY_INHERIT_ACE| 368 ACE_INHERIT_ONLY_ACE|ACE_NO_PROPAGATE_INHERIT_ACE))) { 369 return (B_FALSE); 370 } 371 372 if (acep->a_flags & 373 (ACE_FILE_INHERIT_ACE|ACE_DIRECTORY_INHERIT_ACE)) 374 *inherit = 1; 375 376 if (acep->a_flags & 377 (ACE_INHERIT_ONLY_ACE|ACE_NO_PROPAGATE_INHERIT_ACE)) { 378 if ((acep->a_flags & (ACE_FILE_INHERIT_ACE| 379 ACE_DIRECTORY_INHERIT_ACE)) == 0) { 380 return (B_FALSE); 381 } 382 } 383 } 384 385 return (B_TRUE); 386} 387/* 388 * common code for setting acl's. 389 * 390 * This function is called from zfs_mode_update, zfs_perm_init, and zfs_setacl. 391 * zfs_setacl passes a non-NULL inherit pointer (ihp) to indicate that it's 392 * already checked the acl and knows whether to inherit. 393 */ 394int 395zfs_aclset_common(znode_t *zp, zfs_acl_t *aclp, dmu_tx_t *tx, int *ihp) 396{ 397 int inherit = 0; 398 int error; 399 znode_phys_t *zphys = zp->z_phys; 400 zfs_znode_acl_t *zacl = &zphys->zp_acl; 401 uint32_t acl_phys_size = ZFS_ACL_SIZE(aclp->z_acl_count); 402 zfsvfs_t *zfsvfs = zp->z_zfsvfs; 403 uint64_t aoid = zphys->zp_acl.z_acl_extern_obj; 404 405 ASSERT(MUTEX_HELD(&zp->z_lock)); 406 ASSERT(MUTEX_HELD(&zp->z_acl_lock)); 407 408 if (ihp) 409 inherit = *ihp; /* already determined by caller */ 410 else if (!zfs_acl_valid(zp, aclp->z_acl, 411 aclp->z_acl_count, &inherit)) { 412 return (EINVAL); 413 } 414 415 dmu_buf_will_dirty(zp->z_dbuf, tx); 416 417 /* 418 * Will ACL fit internally? 419 */ 420 if (aclp->z_acl_count > ACE_SLOT_CNT) { 421 if (aoid == 0) { 422 aoid = dmu_object_alloc(zfsvfs->z_os, 423 DMU_OT_ACL, acl_phys_size, DMU_OT_NONE, 0, tx); 424 } else { 425 (void) dmu_object_set_blocksize(zfsvfs->z_os, aoid, 426 acl_phys_size, 0, tx); 427 } 428 zphys->zp_acl.z_acl_extern_obj = aoid; 429 zphys->zp_acl.z_acl_count = aclp->z_acl_count; 430 dmu_write(zfsvfs->z_os, aoid, 0, 431 acl_phys_size, aclp->z_acl, tx); 432 } else { 433 /* 434 * Migrating back embedded? 435 */ 436 if (zphys->zp_acl.z_acl_extern_obj) { 437 error = dmu_object_free(zfsvfs->z_os, 438 zp->z_phys->zp_acl.z_acl_extern_obj, tx); 439 if (error) 440 return (error); 441 zphys->zp_acl.z_acl_extern_obj = 0; 442 } 443 bcopy(aclp->z_acl, zacl->z_ace_data, 444 aclp->z_acl_count * sizeof (ace_t)); 445 zacl->z_acl_count = aclp->z_acl_count; 446 } 447 448 zp->z_phys->zp_flags &= ~(ZFS_ACL_TRIVIAL|ZFS_INHERIT_ACE); 449 if (inherit) { 450 zp->z_phys->zp_flags |= ZFS_INHERIT_ACE; 451 } else if (ace_trivial(zacl->z_ace_data, zacl->z_acl_count) == 0) { 452 zp->z_phys->zp_flags |= ZFS_ACL_TRIVIAL; 453 } 454 455 zphys->zp_mode = zfs_mode_compute(zp, aclp); 456 zfs_time_stamper_locked(zp, STATE_CHANGED, tx); 457 458 return (0); 459} 460 461/* 462 * Create space for slots_needed ACEs to be append 463 * to aclp. 464 */ 465static void 466zfs_acl_append(zfs_acl_t *aclp, int slots_needed) 467{ 468 ace_t *newacep; 469 ace_t *oldaclp; 470 int slot_cnt; 471 int slots_left = aclp->z_slots - aclp->z_acl_count; 472 473 if (aclp->z_state == ACL_DATA_ALLOCED) 474 ASSERT(aclp->z_slots >= aclp->z_acl_count); 475 if (slots_left < slots_needed || aclp->z_state != ACL_DATA_ALLOCED) { 476 slot_cnt = aclp->z_slots + 1 + (slots_needed - slots_left); 477 newacep = kmem_alloc(ZFS_ACL_SIZE(slot_cnt), KM_SLEEP); 478 bcopy(aclp->z_acl, newacep, 479 ZFS_ACL_SIZE(aclp->z_acl_count)); 480 oldaclp = aclp->z_acl; 481 if (aclp->z_state == ACL_DATA_ALLOCED) 482 kmem_free(oldaclp, ZFS_ACL_SIZE(aclp->z_slots)); 483 aclp->z_acl = newacep; 484 aclp->z_slots = slot_cnt; 485 aclp->z_state = ACL_DATA_ALLOCED; 486 } 487} 488 489/* 490 * Remove "slot" ACE from aclp 491 */ 492static void 493zfs_ace_remove(zfs_acl_t *aclp, int slot) 494{ 495 if (aclp->z_acl_count > 1) { 496 (void) memmove(&aclp->z_acl[slot], 497 &aclp->z_acl[slot +1], sizeof (ace_t) * 498 (--aclp->z_acl_count - slot)); 499 } else 500 aclp->z_acl_count--; 501} 502 503/* 504 * Update access mask for prepended ACE 505 * 506 * This applies the "groupmask" value for aclmode property. 507 */ 508static void 509zfs_acl_prepend_fixup(ace_t *acep, ace_t *origacep, mode_t mode, uid_t owner) 510{ 511 512 int rmask, wmask, xmask; 513 int user_ace; 514 515 user_ace = (!(acep->a_flags & 516 (ACE_OWNER|ACE_GROUP|ACE_IDENTIFIER_GROUP))); 517 518 if (user_ace && (acep->a_who == owner)) { 519 rmask = S_IRUSR; 520 wmask = S_IWUSR; 521 xmask = S_IXUSR; 522 } else { 523 rmask = S_IRGRP; 524 wmask = S_IWGRP; 525 xmask = S_IXGRP; 526 } 527 528 if (origacep->a_access_mask & ACE_READ_DATA) { 529 if (mode & rmask) 530 acep->a_access_mask &= ~ACE_READ_DATA; 531 else 532 acep->a_access_mask |= ACE_READ_DATA; 533 } 534 535 if (origacep->a_access_mask & ACE_WRITE_DATA) { 536 if (mode & wmask) 537 acep->a_access_mask &= ~ACE_WRITE_DATA; 538 else 539 acep->a_access_mask |= ACE_WRITE_DATA; 540 } 541 542 if (origacep->a_access_mask & ACE_APPEND_DATA) { 543 if (mode & wmask) 544 acep->a_access_mask &= ~ACE_APPEND_DATA; 545 else 546 acep->a_access_mask |= ACE_APPEND_DATA; 547 } 548 549 if (origacep->a_access_mask & ACE_EXECUTE) { 550 if (mode & xmask) 551 acep->a_access_mask &= ~ACE_EXECUTE; 552 else 553 acep->a_access_mask |= ACE_EXECUTE; 554 } 555} 556 557/* 558 * Apply mode to canonical six ACEs. 559 */ 560static void 561zfs_acl_fixup_canonical_six(zfs_acl_t *aclp, mode_t mode) 562{ 563 int cnt; 564 ace_t *acep; 565 566 cnt = aclp->z_acl_count -1; 567 acep = aclp->z_acl; 568 569 /* 570 * Fixup final ACEs to match the mode 571 */ 572 573 ASSERT(cnt >= 5); 574 adjust_ace_pair(&acep[cnt - 1], mode); /* everyone@ */ 575 adjust_ace_pair(&acep[cnt - 3], (mode & 0070) >> 3); /* group@ */ 576 adjust_ace_pair(&acep[cnt - 5], (mode & 0700) >> 6); /* owner@ */ 577} 578 579 580static int 581zfs_acl_ace_match(ace_t *acep, int allow_deny, int type, int mask) 582{ 583 return (acep->a_access_mask == mask && acep->a_type == allow_deny && 584 ((acep->a_flags & ACE_TYPE_FLAGS) == type)); 585} 586 587/* 588 * Can prepended ACE be reused? 589 */ 590static int 591zfs_reuse_deny(ace_t *acep, int i) 592{ 593 int okay_masks; 594 595 if (i < 1) 596 return (B_FALSE); 597 598 if (acep[i-1].a_type != DENY) 599 return (B_FALSE); 600 601 if (acep[i-1].a_flags != (acep[i].a_flags & ACE_IDENTIFIER_GROUP)) 602 return (B_FALSE); 603 604 okay_masks = (acep[i].a_access_mask & OKAY_MASK_BITS); 605 606 if (acep[i-1].a_access_mask & ~okay_masks) 607 return (B_FALSE); 608 609 return (B_TRUE); 610} 611 612/* 613 * Create space to prepend an ACE 614 */ 615static void 616zfs_acl_prepend(zfs_acl_t *aclp, int i) 617{ 618 ace_t *oldaclp = NULL; 619 ace_t *to, *from; 620 int slots_left = aclp->z_slots - aclp->z_acl_count; 621 int oldslots; 622 int need_free = 0; 623 624 if (aclp->z_state == ACL_DATA_ALLOCED) 625 ASSERT(aclp->z_slots >= aclp->z_acl_count); 626 627 if (slots_left == 0 || aclp->z_state != ACL_DATA_ALLOCED) { 628 629 to = kmem_alloc(ZFS_ACL_SIZE(aclp->z_acl_count + 630 OGE_PAD), KM_SLEEP); 631 if (aclp->z_state == ACL_DATA_ALLOCED) 632 need_free++; 633 from = aclp->z_acl; 634 oldaclp = aclp->z_acl; 635 (void) memmove(to, from, 636 sizeof (ace_t) * aclp->z_acl_count); 637 aclp->z_state = ACL_DATA_ALLOCED; 638 } else { 639 from = aclp->z_acl; 640 to = aclp->z_acl; 641 } 642 643 644 (void) memmove(&to[i + 1], &from[i], 645 sizeof (ace_t) * (aclp->z_acl_count - i)); 646 647 if (oldaclp) { 648 aclp->z_acl = to; 649 oldslots = aclp->z_slots; 650 aclp->z_slots = aclp->z_acl_count + OGE_PAD; 651 if (need_free) 652 kmem_free(oldaclp, ZFS_ACL_SIZE(oldslots)); 653 } 654 655} 656 657/* 658 * Prepend deny ACE 659 */ 660static void 661zfs_acl_prepend_deny(znode_t *zp, zfs_acl_t *aclp, int i, 662 mode_t mode) 663{ 664 ace_t *acep; 665 666 zfs_acl_prepend(aclp, i); 667 668 acep = aclp->z_acl; 669 zfs_set_ace(&acep[i], 0, DENY, acep[i + 1].a_who, 670 (acep[i + 1].a_flags & ACE_TYPE_FLAGS)); 671 zfs_acl_prepend_fixup(&acep[i], &acep[i+1], mode, zp->z_phys->zp_uid); 672 aclp->z_acl_count++; 673} 674 675/* 676 * Split an inherited ACE into inherit_only ACE 677 * and original ACE with inheritance flags stripped off. 678 */ 679static void 680zfs_acl_split_ace(zfs_acl_t *aclp, int i) 681{ 682 ace_t *acep = aclp->z_acl; 683 684 zfs_acl_prepend(aclp, i); 685 acep = aclp->z_acl; 686 acep[i] = acep[i + 1]; 687 acep[i].a_flags |= ACE_INHERIT_ONLY_ACE; 688 acep[i + 1].a_flags &= ~ALL_INHERIT; 689 aclp->z_acl_count++; 690} 691 692/* 693 * Are ACES started at index i, the canonical six ACES? 694 */ 695static int 696zfs_have_canonical_six(zfs_acl_t *aclp, int i) 697{ 698 ace_t *acep = aclp->z_acl; 699 700 if ((zfs_acl_ace_match(&acep[i], 701 DENY, ACE_OWNER, 0) && 702 zfs_acl_ace_match(&acep[i + 1], ALLOW, ACE_OWNER, 703 OWNER_ALLOW_MASK) && zfs_acl_ace_match(&acep[i + 2], 704 DENY, OWNING_GROUP, 0) && zfs_acl_ace_match(&acep[i + 3], 705 ALLOW, OWNING_GROUP, 0) && zfs_acl_ace_match(&acep[i + 4], 706 DENY, ACE_EVERYONE, EVERYONE_DENY_MASK) && 707 zfs_acl_ace_match(&acep[i + 5], ALLOW, ACE_EVERYONE, 708 EVERYONE_ALLOW_MASK))) { 709 return (1); 710 } else { 711 return (0); 712 } 713} 714 715/* 716 * Apply step 1g, to group entries 717 * 718 * Need to deal with corner case where group may have 719 * greater permissions than owner. If so then limit 720 * group permissions, based on what extra permissions 721 * group has. 722 */ 723static void 724zfs_fixup_group_entries(ace_t *acep, mode_t mode) 725{ 726 mode_t extramode = (mode >> 3) & 07; 727 mode_t ownermode = (mode >> 6); 728 729 if (acep[0].a_flags & ACE_IDENTIFIER_GROUP) { 730 731 extramode &= ~ownermode; 732 733 if (extramode) { 734 if (extramode & 04) { 735 acep[0].a_access_mask &= ~ACE_READ_DATA; 736 acep[1].a_access_mask &= ~ACE_READ_DATA; 737 } 738 if (extramode & 02) { 739 acep[0].a_access_mask &= 740 ~(ACE_WRITE_DATA|ACE_APPEND_DATA); 741 acep[1].a_access_mask &= 742 ~(ACE_WRITE_DATA|ACE_APPEND_DATA); 743 } 744 if (extramode & 01) { 745 acep[0].a_access_mask &= ~ACE_EXECUTE; 746 acep[1].a_access_mask &= ~ACE_EXECUTE; 747 } 748 } 749 } 750} 751 752/* 753 * Apply the chmod algorithm as described 754 * in PSARC/2002/240 755 */ 756static int 757zfs_acl_chmod(znode_t *zp, uint64_t mode, zfs_acl_t *aclp, 758 dmu_tx_t *tx) 759{ 760 zfsvfs_t *zfsvfs = zp->z_zfsvfs; 761 ace_t *acep; 762 int i; 763 int error; 764 int entry_type; 765 int reuse_deny; 766 int need_canonical_six = 1; 767 int inherit = 0; 768 int iflags; 769 770 ASSERT(MUTEX_HELD(&zp->z_acl_lock)); 771 ASSERT(MUTEX_HELD(&zp->z_lock)); 772 773 i = 0; 774 while (i < aclp->z_acl_count) { 775 acep = aclp->z_acl; 776 entry_type = (acep[i].a_flags & ACE_TYPE_FLAGS); 777 iflags = (acep[i].a_flags & ALL_INHERIT); 778 779 if ((acep[i].a_type != ALLOW && acep[i].a_type != DENY) || 780 (iflags & ACE_INHERIT_ONLY_ACE)) { 781 i++; 782 if (iflags) 783 inherit = 1; 784 continue; 785 } 786 787 788 if (zfsvfs->z_acl_mode == ZFS_ACL_DISCARD) { 789 zfs_ace_remove(aclp, i); 790 continue; 791 } 792 793 /* 794 * Need to split ace into two? 795 */ 796 if ((iflags & (ACE_FILE_INHERIT_ACE| 797 ACE_DIRECTORY_INHERIT_ACE)) && 798 (!(iflags & ACE_INHERIT_ONLY_ACE))) { 799 zfs_acl_split_ace(aclp, i); 800 i++; 801 inherit = 1; 802 continue; 803 } 804 805 if (entry_type == ACE_OWNER || entry_type == ACE_EVERYONE || 806 (entry_type == OWNING_GROUP)) { 807 acep[i].a_access_mask &= ~OGE_CLEAR; 808 i++; 809 continue; 810 811 } else { 812 if (acep[i].a_type == ALLOW) { 813 814 /* 815 * Check preceding ACE if any, to see 816 * if we need to prepend a DENY ACE. 817 * This is only applicable when the acl_mode 818 * property == groupmask. 819 */ 820 if (zfsvfs->z_acl_mode == ZFS_ACL_GROUPMASK) { 821 822 reuse_deny = zfs_reuse_deny(acep, i); 823 824 if (reuse_deny == B_FALSE) { 825 zfs_acl_prepend_deny(zp, aclp, 826 i, mode); 827 i++; 828 acep = aclp->z_acl; 829 } else { 830 zfs_acl_prepend_fixup( 831 &acep[i - 1], 832 &acep[i], mode, 833 zp->z_phys->zp_uid); 834 } 835 zfs_fixup_group_entries(&acep[i - 1], 836 mode); 837 } 838 } 839 i++; 840 } 841 } 842 843 /* 844 * Check out last six aces, if we have six. 845 */ 846 847 if (aclp->z_acl_count >= 6) { 848 i = aclp->z_acl_count - 6; 849 850 if (zfs_have_canonical_six(aclp, i)) { 851 need_canonical_six = 0; 852 } 853 } 854 855 if (need_canonical_six) { 856 857 zfs_acl_append(aclp, 6); 858 i = aclp->z_acl_count; 859 acep = aclp->z_acl; 860 zfs_set_ace(&acep[i++], 0, DENY, -1, ACE_OWNER); 861 zfs_set_ace(&acep[i++], OWNER_ALLOW_MASK, ALLOW, -1, ACE_OWNER); 862 zfs_set_ace(&acep[i++], 0, DENY, -1, OWNING_GROUP); 863 zfs_set_ace(&acep[i++], 0, ALLOW, -1, OWNING_GROUP); 864 zfs_set_ace(&acep[i++], EVERYONE_DENY_MASK, 865 DENY, -1, ACE_EVERYONE); 866 zfs_set_ace(&acep[i++], EVERYONE_ALLOW_MASK, 867 ALLOW, -1, ACE_EVERYONE); 868 aclp->z_acl_count += 6; 869 } 870 871 zfs_acl_fixup_canonical_six(aclp, mode); 872 873 zp->z_phys->zp_mode = mode; 874 error = zfs_aclset_common(zp, aclp, tx, &inherit); 875 return (error); 876} 877 878 879int 880zfs_acl_chmod_setattr(znode_t *zp, uint64_t mode, dmu_tx_t *tx) 881{ 882 zfs_acl_t *aclp = NULL; 883 int error; 884 885 ASSERT(MUTEX_HELD(&zp->z_lock)); 886 mutex_enter(&zp->z_acl_lock); 887 error = zfs_acl_node_read(zp, &aclp); 888 if (error == 0) 889 error = zfs_acl_chmod(zp, mode, aclp, tx); 890 mutex_exit(&zp->z_acl_lock); 891 if (aclp) 892 zfs_acl_free(aclp); 893 return (error); 894} 895 896/* 897 * strip off write_owner and write_acl 898 */ 899static void 900zfs_securemode_update(zfsvfs_t *zfsvfs, ace_t *acep) 901{ 902 if ((zfsvfs->z_acl_inherit == ZFS_ACL_SECURE) && 903 (acep->a_type == ALLOW)) 904 acep->a_access_mask &= ~SECURE_CLEAR; 905} 906 907/* 908 * inherit inheritable ACEs from parent 909 */ 910static zfs_acl_t * 911zfs_acl_inherit(znode_t *zp, zfs_acl_t *paclp) 912{ 913 zfsvfs_t *zfsvfs = zp->z_zfsvfs; 914 ace_t *pacep; 915 ace_t *acep; 916 int ace_cnt = 0; 917 int pace_cnt; 918 int i, j; 919 zfs_acl_t *aclp = NULL; 920 921 i = j = 0; 922 pace_cnt = paclp->z_acl_count; 923 pacep = paclp->z_acl; 924 if (zfsvfs->z_acl_inherit != ZFS_ACL_DISCARD) { 925 for (i = 0; i != pace_cnt; i++) { 926 927 if (zfsvfs->z_acl_inherit == ZFS_ACL_NOALLOW && 928 pacep[i].a_type == ALLOW) 929 continue; 930 931 if (zfs_ace_can_use(zp, &pacep[i])) { 932 ace_cnt++; 933 if (!(pacep[i].a_flags & 934 ACE_NO_PROPAGATE_INHERIT_ACE)) 935 ace_cnt++; 936 } 937 } 938 } 939 940 aclp = zfs_acl_alloc(ace_cnt + OGE_PAD); 941 if (ace_cnt && zfsvfs->z_acl_inherit != ZFS_ACL_DISCARD) { 942 acep = aclp->z_acl; 943 pacep = paclp->z_acl; 944 for (i = 0; i != pace_cnt; i++) { 945 946 if (zfsvfs->z_acl_inherit == ZFS_ACL_NOALLOW && 947 pacep[i].a_type == ALLOW) 948 continue; 949 950 if (zfs_ace_can_use(zp, &pacep[i])) { 951 952 /* 953 * Now create entry for inherited ace 954 */ 955 956 acep[j] = pacep[i]; 957 958 /* 959 * When AUDIT/ALARM a_types are supported 960 * they should be inherited here. 961 */ 962 963 if ((pacep[i].a_flags & 964 ACE_NO_PROPAGATE_INHERIT_ACE) || 965 (ZTOV(zp)->v_type != VDIR)) { 966 acep[j].a_flags &= ~ALL_INHERIT; 967 zfs_securemode_update(zfsvfs, &acep[j]); 968 j++; 969 continue; 970 } 971 972 ASSERT(ZTOV(zp)->v_type == VDIR); 973 974 /* 975 * If we are inheriting an ACE targeted for 976 * only files, then make sure inherit_only 977 * is on for future propagation. 978 */ 979 if ((pacep[i].a_flags & (ACE_FILE_INHERIT_ACE | 980 ACE_DIRECTORY_INHERIT_ACE)) != 981 ACE_FILE_INHERIT_ACE) { 982 j++; 983 acep[j] = acep[j-1]; 984 acep[j-1].a_flags |= 985 ACE_INHERIT_ONLY_ACE; 986 acep[j].a_flags &= ~ALL_INHERIT; 987 } else { 988 acep[j].a_flags |= ACE_INHERIT_ONLY_ACE; 989 } 990 zfs_securemode_update(zfsvfs, &acep[j]); 991 j++; 992 } 993 } 994 } 995 aclp->z_acl_count = j; 996 ASSERT(aclp->z_slots >= aclp->z_acl_count); 997 998 return (aclp); 999} 1000 1001/* 1002 * Create file system object initial permissions 1003 * including inheritable ACEs. 1004 */ 1005void 1006zfs_perm_init(znode_t *zp, znode_t *parent, int flag, 1007 vattr_t *vap, dmu_tx_t *tx, cred_t *cr) 1008{ 1009 uint64_t mode; 1010 uid_t uid; 1011 gid_t gid; 1012 int error; 1013 int pull_down; 1014 zfs_acl_t *aclp, *paclp; 1015 1016 mode = MAKEIMODE(vap->va_type, vap->va_mode); 1017 1018 /* 1019 * Determine uid and gid. 1020 */ 1021 if ((flag & (IS_ROOT_NODE | IS_REPLAY)) || 1022 ((flag & IS_XATTR) && (vap->va_type == VDIR))) { 1023 uid = vap->va_uid; 1024 gid = vap->va_gid; 1025 } else { 1026 uid = crgetuid(cr); 1027 if ((vap->va_mask & AT_GID) && 1028 ((vap->va_gid == parent->z_phys->zp_gid) || 1029 groupmember(vap->va_gid, cr) || 1030 secpolicy_vnode_create_gid(cr) == 0)) 1031 gid = vap->va_gid; 1032 else 1033#ifdef __FreeBSD__ 1034 gid = parent->z_phys->zp_gid; 1035#else 1036 gid = (parent->z_phys->zp_mode & S_ISGID) ? 1037 parent->z_phys->zp_gid : crgetgid(cr); 1038#endif 1039 } 1040 1041 /* 1042 * If we're creating a directory, and the parent directory has the 1043 * set-GID bit set, set in on the new directory. 1044 * Otherwise, if the user is neither privileged nor a member of the 1045 * file's new group, clear the file's set-GID bit. 1046 */ 1047 1048 if ((parent->z_phys->zp_mode & S_ISGID) && (vap->va_type == VDIR)) 1049 mode |= S_ISGID; 1050 else { 1051 if ((mode & S_ISGID) && 1052 secpolicy_vnode_setids_setgids(cr, gid) != 0) 1053 mode &= ~S_ISGID; 1054 } 1055 1056 zp->z_phys->zp_uid = uid; 1057 zp->z_phys->zp_gid = gid; 1058 zp->z_phys->zp_mode = mode; 1059 1060 mutex_enter(&parent->z_lock); 1061 pull_down = (parent->z_phys->zp_flags & ZFS_INHERIT_ACE); 1062 if (pull_down) { 1063 mutex_enter(&parent->z_acl_lock); 1064 VERIFY(0 == zfs_acl_node_read(parent, &paclp)); 1065 mutex_exit(&parent->z_acl_lock); 1066 aclp = zfs_acl_inherit(zp, paclp); 1067 zfs_acl_free(paclp); 1068 } else { 1069 aclp = zfs_acl_alloc(6); 1070 } 1071 mutex_exit(&parent->z_lock); 1072 mutex_enter(&zp->z_lock); 1073 mutex_enter(&zp->z_acl_lock); 1074 error = zfs_acl_chmod(zp, mode, aclp, tx); 1075 mutex_exit(&zp->z_lock); 1076 mutex_exit(&zp->z_acl_lock); 1077 ASSERT3U(error, ==, 0); 1078 zfs_acl_free(aclp); 1079} 1080 1081/* 1082 * Should ACE be inherited? 1083 */ 1084static int 1085zfs_ace_can_use(znode_t *zp, ace_t *acep) 1086{ 1087 int vtype = ZTOV(zp)->v_type; 1088 1089 int iflags = (acep->a_flags & 0xf); 1090 1091 if ((vtype == VDIR) && (iflags & ACE_DIRECTORY_INHERIT_ACE)) 1092 return (1); 1093 else if (iflags & ACE_FILE_INHERIT_ACE) 1094 return (!((vtype == VDIR) && 1095 (iflags & ACE_NO_PROPAGATE_INHERIT_ACE))); 1096 return (0); 1097} 1098 1099#ifdef TODO 1100/* 1101 * Retrieve a files ACL 1102 */ 1103int 1104zfs_getacl(znode_t *zp, vsecattr_t *vsecp, cred_t *cr) 1105{ 1106 zfs_acl_t *aclp; 1107 ulong_t mask = vsecp->vsa_mask & (VSA_ACE | VSA_ACECNT); 1108 int error; 1109 1110 if (error = zfs_zaccess(zp, ACE_READ_ACL, cr)) { 1111 /* 1112 * If owner of file then allow reading of the 1113 * ACL. 1114 */ 1115 if (crgetuid(cr) != zp->z_phys->zp_uid) 1116 return (error); 1117 } 1118 1119 if (mask == 0) 1120 return (ENOSYS); 1121 1122 mutex_enter(&zp->z_acl_lock); 1123 1124 error = zfs_acl_node_read(zp, &aclp); 1125 if (error != 0) { 1126 mutex_exit(&zp->z_acl_lock); 1127 return (error); 1128 } 1129 1130 1131 if (mask & VSA_ACECNT) { 1132 vsecp->vsa_aclcnt = aclp->z_acl_count; 1133 } 1134 1135 if (mask & VSA_ACE) { 1136 vsecp->vsa_aclentp = kmem_alloc(aclp->z_acl_count * 1137 sizeof (ace_t), KM_SLEEP); 1138 bcopy(aclp->z_acl, vsecp->vsa_aclentp, 1139 aclp->z_acl_count * sizeof (ace_t)); 1140 } 1141 1142 mutex_exit(&zp->z_acl_lock); 1143 1144 zfs_acl_free(aclp); 1145 1146 return (0); 1147} 1148#endif /* TODO */ 1149 1150#ifdef TODO 1151/* 1152 * Set a files ACL 1153 */ 1154int 1155zfs_setacl(znode_t *zp, vsecattr_t *vsecp, cred_t *cr) 1156{ 1157 zfsvfs_t *zfsvfs = zp->z_zfsvfs; 1158 zilog_t *zilog = zfsvfs->z_log; 1159 ace_t *acep = vsecp->vsa_aclentp; 1160 int aclcnt = vsecp->vsa_aclcnt; 1161 ulong_t mask = vsecp->vsa_mask & (VSA_ACE | VSA_ACECNT); 1162 dmu_tx_t *tx; 1163 int error; 1164 int inherit; 1165 zfs_acl_t *aclp; 1166 1167 if (mask == 0) 1168 return (EINVAL); 1169 1170 if (!zfs_acl_valid(zp, acep, aclcnt, &inherit)) 1171 return (EINVAL); 1172top: 1173 error = zfs_zaccess_v4_perm(zp, ACE_WRITE_ACL, cr); 1174 if (error == EACCES || error == ACCESS_UNDETERMINED) { 1175 if ((error = secpolicy_vnode_setdac(cr, 1176 zp->z_phys->zp_uid)) != 0) { 1177 return (error); 1178 } 1179 } else if (error) { 1180 return (error == EROFS ? error : EPERM); 1181 } 1182 1183 mutex_enter(&zp->z_lock); 1184 mutex_enter(&zp->z_acl_lock); 1185 1186 tx = dmu_tx_create(zfsvfs->z_os); 1187 dmu_tx_hold_bonus(tx, zp->z_id); 1188 1189 if (zp->z_phys->zp_acl.z_acl_extern_obj) { 1190 dmu_tx_hold_write(tx, zp->z_phys->zp_acl.z_acl_extern_obj, 1191 0, ZFS_ACL_SIZE(aclcnt)); 1192 } else if (aclcnt > ACE_SLOT_CNT) { 1193 dmu_tx_hold_write(tx, DMU_NEW_OBJECT, 0, ZFS_ACL_SIZE(aclcnt)); 1194 } 1195 1196 error = dmu_tx_assign(tx, zfsvfs->z_assign); 1197 if (error) { 1198 mutex_exit(&zp->z_acl_lock); 1199 mutex_exit(&zp->z_lock); 1200 1201 if (error == ERESTART && zfsvfs->z_assign == TXG_NOWAIT) { 1202 dmu_tx_wait(tx); 1203 dmu_tx_abort(tx); 1204 goto top; 1205 } 1206 dmu_tx_abort(tx); 1207 return (error); 1208 } 1209 1210 aclp = zfs_acl_alloc(aclcnt); 1211 bcopy(acep, aclp->z_acl, sizeof (ace_t) * aclcnt); 1212 aclp->z_acl_count = aclcnt; 1213 error = zfs_aclset_common(zp, aclp, tx, &inherit); 1214 ASSERT(error == 0); 1215 1216 zfs_acl_free(aclp); 1217 zfs_log_acl(zilog, tx, TX_ACL, zp, aclcnt, acep); 1218 dmu_tx_commit(tx); 1219done: 1220 mutex_exit(&zp->z_acl_lock); 1221 mutex_exit(&zp->z_lock); 1222 1223 return (error); 1224} 1225#endif /* TODO */ 1226 1227static int 1228zfs_ace_access(ace_t *zacep, int *working_mode) 1229{ 1230 if (*working_mode == 0) { 1231 return (0); 1232 } 1233 1234 if (zacep->a_access_mask & *working_mode) { 1235 if (zacep->a_type == ALLOW) { 1236 *working_mode &= 1237 ~(*working_mode & zacep->a_access_mask); 1238 if (*working_mode == 0) 1239 return (0); 1240 } else if (zacep->a_type == DENY) { 1241 return (EACCES); 1242 } 1243 } 1244 1245 /* 1246 * haven't been specifcally denied at this point 1247 * so return UNDETERMINED. 1248 */ 1249 1250 return (ACCESS_UNDETERMINED); 1251} 1252 1253 1254static int 1255zfs_zaccess_common(znode_t *zp, int v4_mode, int *working_mode, cred_t *cr) 1256{ 1257 zfs_acl_t *aclp; 1258 zfsvfs_t *zfsvfs = zp->z_zfsvfs; 1259 ace_t *zacep; 1260 gid_t gid; 1261 int cnt; 1262 int i; 1263 int error; 1264 int access_deny = ACCESS_UNDETERMINED; 1265 uint_t entry_type; 1266 uid_t uid = crgetuid(cr); 1267 1268 if (zfsvfs->z_assign >= TXG_INITIAL) { /* ZIL replay */ 1269 *working_mode = 0; 1270 return (0); 1271 } 1272 1273 *working_mode = v4_mode; 1274 1275 if ((v4_mode & WRITE_MASK) && 1276 (zp->z_zfsvfs->z_vfs->vfs_flag & VFS_RDONLY) && 1277 (!IS_DEVVP(ZTOV(zp)))) { 1278 return (EROFS); 1279 } 1280 1281 mutex_enter(&zp->z_acl_lock); 1282 1283 error = zfs_acl_node_read(zp, &aclp); 1284 if (error != 0) { 1285 mutex_exit(&zp->z_acl_lock); 1286 return (error); 1287 } 1288 1289 1290 zacep = aclp->z_acl; 1291 cnt = aclp->z_acl_count; 1292 1293 for (i = 0; i != cnt; i++) { 1294 1295 DTRACE_PROBE2(zfs__access__common, 1296 ace_t *, &zacep[i], int, *working_mode); 1297 1298 if (zacep[i].a_flags & ACE_INHERIT_ONLY_ACE) 1299 continue; 1300 1301 entry_type = (zacep[i].a_flags & ACE_TYPE_FLAGS); 1302 switch (entry_type) { 1303 case ACE_OWNER: 1304 if (uid == zp->z_phys->zp_uid) { 1305 access_deny = zfs_ace_access(&zacep[i], 1306 working_mode); 1307 } 1308 break; 1309 case (ACE_IDENTIFIER_GROUP | ACE_GROUP): 1310 case ACE_IDENTIFIER_GROUP: 1311 /* 1312 * Owning group gid is in znode not ACL 1313 */ 1314 if (entry_type == (ACE_IDENTIFIER_GROUP | ACE_GROUP)) 1315 gid = zp->z_phys->zp_gid; 1316 else 1317 gid = zacep[i].a_who; 1318 1319 if (groupmember(gid, cr)) { 1320 access_deny = zfs_ace_access(&zacep[i], 1321 working_mode); 1322 } 1323 break; 1324 case ACE_EVERYONE: 1325 access_deny = zfs_ace_access(&zacep[i], working_mode); 1326 break; 1327 1328 /* USER Entry */ 1329 default: 1330 if (entry_type == 0) { 1331 if (uid == zacep[i].a_who) { 1332 access_deny = zfs_ace_access(&zacep[i], 1333 working_mode); 1334 } 1335 break; 1336 } 1337 zfs_acl_free(aclp); 1338 mutex_exit(&zp->z_acl_lock); 1339 return (EIO); 1340 } 1341 1342 if (access_deny != ACCESS_UNDETERMINED) 1343 break; 1344 } 1345 1346 mutex_exit(&zp->z_acl_lock); 1347 zfs_acl_free(aclp); 1348 1349 return (access_deny); 1350} 1351 1352 1353/* 1354 * Determine whether Access should be granted/denied, invoking least 1355 * priv subsytem when a deny is determined. 1356 */ 1357int 1358zfs_zaccess(znode_t *zp, int mode, cred_t *cr) 1359{ 1360 int working_mode; 1361 int error; 1362 int is_attr; 1363 znode_t *xzp; 1364 znode_t *check_zp = zp; 1365 1366 is_attr = ((zp->z_phys->zp_flags & ZFS_XATTR) && 1367 (ZTOV(zp)->v_type == VDIR)); 1368 1369 /* 1370 * If attribute then validate against base file 1371 */ 1372 if (is_attr) { 1373 if ((error = zfs_zget(zp->z_zfsvfs, 1374 zp->z_phys->zp_parent, &xzp)) != 0) { 1375 return (error); 1376 } 1377 check_zp = xzp; 1378 /* 1379 * fixup mode to map to xattr perms 1380 */ 1381 1382 if (mode & (ACE_WRITE_DATA|ACE_APPEND_DATA)) { 1383 mode &= ~(ACE_WRITE_DATA|ACE_APPEND_DATA); 1384 mode |= ACE_WRITE_NAMED_ATTRS; 1385 } 1386 1387 if (mode & (ACE_READ_DATA|ACE_EXECUTE)) { 1388 mode &= ~(ACE_READ_DATA|ACE_EXECUTE); 1389 mode |= ACE_READ_NAMED_ATTRS; 1390 } 1391 } 1392 1393 error = zfs_zaccess_common(check_zp, mode, &working_mode, cr); 1394 1395 if (error == EROFS) { 1396 if (is_attr) 1397 VN_RELE(ZTOV(xzp)); 1398 return (error); 1399 } 1400 1401 if (error || working_mode) { 1402 working_mode = (zfs_v4_to_unix(working_mode) << 6); 1403 error = secpolicy_vnode_access(cr, ZTOV(check_zp), 1404 check_zp->z_phys->zp_uid, working_mode); 1405 } 1406 1407 if (is_attr) 1408 VN_RELE(ZTOV(xzp)); 1409 1410 return (error); 1411} 1412 1413/* 1414 * Special zaccess function to check for special nfsv4 perm. 1415 * doesn't call secpolicy_vnode_access() for failure, since that 1416 * would probably be the wrong policy function to call. 1417 * instead its up to the caller to handle that situation. 1418 */ 1419 1420int 1421zfs_zaccess_v4_perm(znode_t *zp, int mode, cred_t *cr) 1422{ 1423 int working_mode = 0; 1424 return (zfs_zaccess_common(zp, mode, &working_mode, cr)); 1425} 1426 1427/* 1428 * Translate tradition unix VREAD/VWRITE/VEXEC mode into 1429 * native ACL format and call zfs_zaccess() 1430 */ 1431int 1432zfs_zaccess_rwx(znode_t *zp, mode_t mode, cred_t *cr) 1433{ 1434 int v4_mode = zfs_unix_to_v4(mode >> 6); 1435 1436 return (zfs_zaccess(zp, v4_mode, cr)); 1437} 1438 1439static int 1440zfs_delete_final_check(znode_t *zp, znode_t *dzp, cred_t *cr) 1441{ 1442 int error; 1443 1444 error = secpolicy_vnode_access(cr, ZTOV(zp), 1445 dzp->z_phys->zp_uid, S_IWRITE|S_IEXEC); 1446 1447 if (error == 0) 1448 error = zfs_sticky_remove_access(dzp, zp, cr); 1449 1450 return (error); 1451} 1452 1453/* 1454 * Determine whether Access should be granted/deny, without 1455 * consulting least priv subsystem. 1456 * 1457 * 1458 * The following chart is the recommended NFSv4 enforcement for 1459 * ability to delete an object. 1460 * 1461 * ------------------------------------------------------- 1462 * | Parent Dir | Target Object Permissions | 1463 * | permissions | | 1464 * ------------------------------------------------------- 1465 * | | ACL Allows | ACL Denies| Delete | 1466 * | | Delete | Delete | unspecified| 1467 * ------------------------------------------------------- 1468 * | ACL Allows | Permit | Permit | Permit | 1469 * | DELETE_CHILD | | 1470 * ------------------------------------------------------- 1471 * | ACL Denies | Permit | Deny | Deny | 1472 * | DELETE_CHILD | | | | 1473 * ------------------------------------------------------- 1474 * | ACL specifies | | | | 1475 * | only allow | Permit | Permit | Permit | 1476 * | write and | | | | 1477 * | execute | | | | 1478 * ------------------------------------------------------- 1479 * | ACL denies | | | | 1480 * | write and | Permit | Deny | Deny | 1481 * | execute | | | | 1482 * ------------------------------------------------------- 1483 * ^ 1484 * | 1485 * No search privilege, can't even look up file? 1486 * 1487 */ 1488int 1489zfs_zaccess_delete(znode_t *dzp, znode_t *zp, cred_t *cr) 1490{ 1491 int dzp_working_mode = 0; 1492 int zp_working_mode = 0; 1493 int dzp_error, zp_error; 1494 1495 /* 1496 * Arghh, this check is going to require a couple of questions 1497 * to be asked. We want specific DELETE permissions to 1498 * take precedence over WRITE/EXECUTE. We don't 1499 * want an ACL such as this to mess us up. 1500 * user:joe:write_data:deny,user:joe:delete:allow 1501 * 1502 * However, deny permissions may ultimately be overridden 1503 * by secpolicy_vnode_access(). 1504 */ 1505 1506 dzp_error = zfs_zaccess_common(dzp, ACE_DELETE_CHILD, 1507 &dzp_working_mode, cr); 1508 zp_error = zfs_zaccess_common(zp, ACE_DELETE, &zp_working_mode, cr); 1509 1510 if (dzp_error == EROFS || zp_error == EROFS) 1511 return (dzp_error); 1512 1513 /* 1514 * First check the first row. 1515 * We only need to see if parent Allows delete_child 1516 */ 1517 if ((dzp_working_mode & ACE_DELETE_CHILD) == 0) 1518 return (0); 1519 1520 /* 1521 * Second row 1522 * we already have the necessary information in 1523 * zp_working_mode, zp_error and dzp_error. 1524 */ 1525 1526 if ((zp_working_mode & ACE_DELETE) == 0) 1527 return (0); 1528 1529 /* 1530 * Now zp_error should either be EACCES which indicates 1531 * a "deny" delete entry or ACCESS_UNDETERMINED if the "delete" 1532 * entry exists on the target. 1533 * 1534 * dzp_error should be either EACCES which indicates a "deny" 1535 * entry for delete_child or ACCESS_UNDETERMINED if no delete_child 1536 * entry exists. If value is EACCES then we are done 1537 * and zfs_delete_final_check() will make the final decision 1538 * regarding to allow the delete. 1539 */ 1540 1541 ASSERT(zp_error != 0 && dzp_error != 0); 1542 if (dzp_error == EACCES) 1543 return (zfs_delete_final_check(zp, dzp, cr)); 1544 1545 /* 1546 * Third Row 1547 * Only need to check for write/execute on parent 1548 */ 1549 1550 dzp_error = zfs_zaccess_common(dzp, ACE_WRITE_DATA|ACE_EXECUTE, 1551 &dzp_working_mode, cr); 1552 1553 if (dzp_error == EROFS) 1554 return (dzp_error); 1555 1556 if ((dzp_working_mode & (ACE_WRITE_DATA|ACE_EXECUTE)) == 0) 1557 return (zfs_sticky_remove_access(dzp, zp, cr)); 1558 1559 /* 1560 * Fourth Row 1561 */ 1562 1563 if (((dzp_working_mode & (ACE_WRITE_DATA|ACE_EXECUTE)) != 0) && 1564 ((zp_working_mode & ACE_DELETE) == 0)) 1565 return (zfs_sticky_remove_access(dzp, zp, cr)); 1566 1567 return (zfs_delete_final_check(zp, dzp, cr)); 1568} 1569 1570int 1571zfs_zaccess_rename(znode_t *sdzp, znode_t *szp, znode_t *tdzp, 1572 znode_t *tzp, cred_t *cr) 1573{ 1574 int add_perm; 1575 int error; 1576 1577 add_perm = (ZTOV(szp)->v_type == VDIR) ? 1578 ACE_ADD_SUBDIRECTORY : ACE_ADD_FILE; 1579 1580 /* 1581 * Rename permissions are combination of delete permission + 1582 * add file/subdir permission. 1583 */ 1584 1585 /* 1586 * first make sure we do the delete portion. 1587 * 1588 * If that succeeds then check for add_file/add_subdir permissions 1589 */ 1590 1591 if (error = zfs_zaccess_delete(sdzp, szp, cr)) 1592 return (error); 1593 1594 /* 1595 * If we have a tzp, see if we can delete it? 1596 */ 1597 if (tzp) { 1598 if (error = zfs_zaccess_delete(tdzp, tzp, cr)) 1599 return (error); 1600 } 1601 1602 /* 1603 * Now check for add permissions 1604 */ 1605 error = zfs_zaccess(tdzp, add_perm, cr); 1606 1607 return (error); 1608} 1609