zfs_acl.c revision 195785
1/* 2 * CDDL HEADER START 3 * 4 * The contents of this file are subject to the terms of the 5 * Common Development and Distribution License (the "License"). 6 * You may not use this file except in compliance with the License. 7 * 8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE 9 * or http://www.opensolaris.org/os/licensing. 10 * See the License for the specific language governing permissions 11 * and limitations under the License. 12 * 13 * When distributing Covered Code, include this CDDL HEADER in each 14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE. 15 * If applicable, add the following below this CDDL HEADER, with the 16 * fields enclosed by brackets "[]" replaced with your own identifying 17 * information: Portions Copyright [yyyy] [name of copyright owner] 18 * 19 * CDDL HEADER END 20 */ 21/* 22 * Copyright 2008 Sun Microsystems, Inc. All rights reserved. 23 * Use is subject to license terms. 24 */ 25 26#include <sys/types.h> 27#include <sys/param.h> 28#include <sys/time.h> 29#include <sys/systm.h> 30#include <sys/sysmacros.h> 31#include <sys/resource.h> 32#include <sys/vfs.h> 33#include <sys/vnode.h> 34#include <sys/file.h> 35#include <sys/stat.h> 36#include <sys/kmem.h> 37#include <sys/cmn_err.h> 38#include <sys/errno.h> 39#include <sys/unistd.h> 40#include <sys/sdt.h> 41#include <sys/fs/zfs.h> 42#include <sys/policy.h> 43#include <sys/zfs_znode.h> 44#include <sys/zfs_fuid.h> 45#include <sys/zfs_acl.h> 46#include <sys/zfs_dir.h> 47#include <sys/zfs_vfsops.h> 48#include <sys/dmu.h> 49#include <sys/dnode.h> 50#include <sys/zap.h> 51#include <acl/acl_common.h> 52 53#define ALLOW ACE_ACCESS_ALLOWED_ACE_TYPE 54#define DENY ACE_ACCESS_DENIED_ACE_TYPE 55#define MAX_ACE_TYPE ACE_SYSTEM_ALARM_CALLBACK_OBJECT_ACE_TYPE 56#define MIN_ACE_TYPE ALLOW 57 58#define OWNING_GROUP (ACE_GROUP|ACE_IDENTIFIER_GROUP) 59#define EVERYONE_ALLOW_MASK (ACE_READ_ACL|ACE_READ_ATTRIBUTES | \ 60 ACE_READ_NAMED_ATTRS|ACE_SYNCHRONIZE) 61#define EVERYONE_DENY_MASK (ACE_WRITE_ACL|ACE_WRITE_OWNER | \ 62 ACE_WRITE_ATTRIBUTES|ACE_WRITE_NAMED_ATTRS) 63#define OWNER_ALLOW_MASK (ACE_WRITE_ACL | ACE_WRITE_OWNER | \ 64 ACE_WRITE_ATTRIBUTES|ACE_WRITE_NAMED_ATTRS) 65#define WRITE_MASK_DATA (ACE_WRITE_DATA|ACE_APPEND_DATA|ACE_WRITE_NAMED_ATTRS) 66 67#define ZFS_CHECKED_MASKS (ACE_READ_ACL|ACE_READ_ATTRIBUTES|ACE_READ_DATA| \ 68 ACE_READ_NAMED_ATTRS|ACE_WRITE_DATA|ACE_WRITE_ATTRIBUTES| \ 69 ACE_WRITE_NAMED_ATTRS|ACE_APPEND_DATA|ACE_EXECUTE|ACE_WRITE_OWNER| \ 70 ACE_WRITE_ACL|ACE_DELETE|ACE_DELETE_CHILD|ACE_SYNCHRONIZE) 71 72#define WRITE_MASK (WRITE_MASK_DATA|ACE_WRITE_ATTRIBUTES|ACE_WRITE_ACL|\ 73 ACE_WRITE_OWNER|ACE_DELETE|ACE_DELETE_CHILD) 74 75#define OGE_CLEAR (ACE_READ_DATA|ACE_LIST_DIRECTORY|ACE_WRITE_DATA| \ 76 ACE_ADD_FILE|ACE_APPEND_DATA|ACE_ADD_SUBDIRECTORY|ACE_EXECUTE) 77 78#define OKAY_MASK_BITS (ACE_READ_DATA|ACE_LIST_DIRECTORY|ACE_WRITE_DATA| \ 79 ACE_ADD_FILE|ACE_APPEND_DATA|ACE_ADD_SUBDIRECTORY|ACE_EXECUTE) 80 81#define ALL_INHERIT (ACE_FILE_INHERIT_ACE|ACE_DIRECTORY_INHERIT_ACE | \ 82 ACE_NO_PROPAGATE_INHERIT_ACE|ACE_INHERIT_ONLY_ACE|ACE_INHERITED_ACE) 83 84#define RESTRICTED_CLEAR (ACE_WRITE_ACL|ACE_WRITE_OWNER) 85 86#define V4_ACL_WIDE_FLAGS (ZFS_ACL_AUTO_INHERIT|ZFS_ACL_DEFAULTED|\ 87 ZFS_ACL_PROTECTED) 88 89#define ZFS_ACL_WIDE_FLAGS (V4_ACL_WIDE_FLAGS|ZFS_ACL_TRIVIAL|ZFS_INHERIT_ACE|\ 90 ZFS_ACL_OBJ_ACE) 91 92static uint16_t 93zfs_ace_v0_get_type(void *acep) 94{ 95 return (((zfs_oldace_t *)acep)->z_type); 96} 97 98static uint16_t 99zfs_ace_v0_get_flags(void *acep) 100{ 101 return (((zfs_oldace_t *)acep)->z_flags); 102} 103 104static uint32_t 105zfs_ace_v0_get_mask(void *acep) 106{ 107 return (((zfs_oldace_t *)acep)->z_access_mask); 108} 109 110static uint64_t 111zfs_ace_v0_get_who(void *acep) 112{ 113 return (((zfs_oldace_t *)acep)->z_fuid); 114} 115 116static void 117zfs_ace_v0_set_type(void *acep, uint16_t type) 118{ 119 ((zfs_oldace_t *)acep)->z_type = type; 120} 121 122static void 123zfs_ace_v0_set_flags(void *acep, uint16_t flags) 124{ 125 ((zfs_oldace_t *)acep)->z_flags = flags; 126} 127 128static void 129zfs_ace_v0_set_mask(void *acep, uint32_t mask) 130{ 131 ((zfs_oldace_t *)acep)->z_access_mask = mask; 132} 133 134static void 135zfs_ace_v0_set_who(void *acep, uint64_t who) 136{ 137 ((zfs_oldace_t *)acep)->z_fuid = who; 138} 139 140/*ARGSUSED*/ 141static size_t 142zfs_ace_v0_size(void *acep) 143{ 144 return (sizeof (zfs_oldace_t)); 145} 146 147static size_t 148zfs_ace_v0_abstract_size(void) 149{ 150 return (sizeof (zfs_oldace_t)); 151} 152 153static int 154zfs_ace_v0_mask_off(void) 155{ 156 return (offsetof(zfs_oldace_t, z_access_mask)); 157} 158 159/*ARGSUSED*/ 160static int 161zfs_ace_v0_data(void *acep, void **datap) 162{ 163 *datap = NULL; 164 return (0); 165} 166 167static acl_ops_t zfs_acl_v0_ops = { 168 zfs_ace_v0_get_mask, 169 zfs_ace_v0_set_mask, 170 zfs_ace_v0_get_flags, 171 zfs_ace_v0_set_flags, 172 zfs_ace_v0_get_type, 173 zfs_ace_v0_set_type, 174 zfs_ace_v0_get_who, 175 zfs_ace_v0_set_who, 176 zfs_ace_v0_size, 177 zfs_ace_v0_abstract_size, 178 zfs_ace_v0_mask_off, 179 zfs_ace_v0_data 180}; 181 182static uint16_t 183zfs_ace_fuid_get_type(void *acep) 184{ 185 return (((zfs_ace_hdr_t *)acep)->z_type); 186} 187 188static uint16_t 189zfs_ace_fuid_get_flags(void *acep) 190{ 191 return (((zfs_ace_hdr_t *)acep)->z_flags); 192} 193 194static uint32_t 195zfs_ace_fuid_get_mask(void *acep) 196{ 197 return (((zfs_ace_hdr_t *)acep)->z_access_mask); 198} 199 200static uint64_t 201zfs_ace_fuid_get_who(void *args) 202{ 203 uint16_t entry_type; 204 zfs_ace_t *acep = args; 205 206 entry_type = acep->z_hdr.z_flags & ACE_TYPE_FLAGS; 207 208 if (entry_type == ACE_OWNER || entry_type == OWNING_GROUP || 209 entry_type == ACE_EVERYONE) 210 return (-1); 211 return (((zfs_ace_t *)acep)->z_fuid); 212} 213 214static void 215zfs_ace_fuid_set_type(void *acep, uint16_t type) 216{ 217 ((zfs_ace_hdr_t *)acep)->z_type = type; 218} 219 220static void 221zfs_ace_fuid_set_flags(void *acep, uint16_t flags) 222{ 223 ((zfs_ace_hdr_t *)acep)->z_flags = flags; 224} 225 226static void 227zfs_ace_fuid_set_mask(void *acep, uint32_t mask) 228{ 229 ((zfs_ace_hdr_t *)acep)->z_access_mask = mask; 230} 231 232static void 233zfs_ace_fuid_set_who(void *arg, uint64_t who) 234{ 235 zfs_ace_t *acep = arg; 236 237 uint16_t entry_type = acep->z_hdr.z_flags & ACE_TYPE_FLAGS; 238 239 if (entry_type == ACE_OWNER || entry_type == OWNING_GROUP || 240 entry_type == ACE_EVERYONE) 241 return; 242 acep->z_fuid = who; 243} 244 245static size_t 246zfs_ace_fuid_size(void *acep) 247{ 248 zfs_ace_hdr_t *zacep = acep; 249 uint16_t entry_type; 250 251 switch (zacep->z_type) { 252 case ACE_ACCESS_ALLOWED_OBJECT_ACE_TYPE: 253 case ACE_ACCESS_DENIED_OBJECT_ACE_TYPE: 254 case ACE_SYSTEM_AUDIT_OBJECT_ACE_TYPE: 255 case ACE_SYSTEM_ALARM_OBJECT_ACE_TYPE: 256 return (sizeof (zfs_object_ace_t)); 257 case ALLOW: 258 case DENY: 259 entry_type = 260 (((zfs_ace_hdr_t *)acep)->z_flags & ACE_TYPE_FLAGS); 261 if (entry_type == ACE_OWNER || 262 entry_type == OWNING_GROUP || 263 entry_type == ACE_EVERYONE) 264 return (sizeof (zfs_ace_hdr_t)); 265 /*FALLTHROUGH*/ 266 default: 267 return (sizeof (zfs_ace_t)); 268 } 269} 270 271static size_t 272zfs_ace_fuid_abstract_size(void) 273{ 274 return (sizeof (zfs_ace_hdr_t)); 275} 276 277static int 278zfs_ace_fuid_mask_off(void) 279{ 280 return (offsetof(zfs_ace_hdr_t, z_access_mask)); 281} 282 283static int 284zfs_ace_fuid_data(void *acep, void **datap) 285{ 286 zfs_ace_t *zacep = acep; 287 zfs_object_ace_t *zobjp; 288 289 switch (zacep->z_hdr.z_type) { 290 case ACE_ACCESS_ALLOWED_OBJECT_ACE_TYPE: 291 case ACE_ACCESS_DENIED_OBJECT_ACE_TYPE: 292 case ACE_SYSTEM_AUDIT_OBJECT_ACE_TYPE: 293 case ACE_SYSTEM_ALARM_OBJECT_ACE_TYPE: 294 zobjp = acep; 295 *datap = (caddr_t)zobjp + sizeof (zfs_ace_t); 296 return (sizeof (zfs_object_ace_t) - sizeof (zfs_ace_t)); 297 default: 298 *datap = NULL; 299 return (0); 300 } 301} 302 303static acl_ops_t zfs_acl_fuid_ops = { 304 zfs_ace_fuid_get_mask, 305 zfs_ace_fuid_set_mask, 306 zfs_ace_fuid_get_flags, 307 zfs_ace_fuid_set_flags, 308 zfs_ace_fuid_get_type, 309 zfs_ace_fuid_set_type, 310 zfs_ace_fuid_get_who, 311 zfs_ace_fuid_set_who, 312 zfs_ace_fuid_size, 313 zfs_ace_fuid_abstract_size, 314 zfs_ace_fuid_mask_off, 315 zfs_ace_fuid_data 316}; 317 318static int 319zfs_acl_version(int version) 320{ 321 if (version < ZPL_VERSION_FUID) 322 return (ZFS_ACL_VERSION_INITIAL); 323 else 324 return (ZFS_ACL_VERSION_FUID); 325} 326 327static int 328zfs_acl_version_zp(znode_t *zp) 329{ 330 return (zfs_acl_version(zp->z_zfsvfs->z_version)); 331} 332 333static zfs_acl_t * 334zfs_acl_alloc(int vers) 335{ 336 zfs_acl_t *aclp; 337 338 aclp = kmem_zalloc(sizeof (zfs_acl_t), KM_SLEEP); 339 list_create(&aclp->z_acl, sizeof (zfs_acl_node_t), 340 offsetof(zfs_acl_node_t, z_next)); 341 aclp->z_version = vers; 342 if (vers == ZFS_ACL_VERSION_FUID) 343 aclp->z_ops = zfs_acl_fuid_ops; 344 else 345 aclp->z_ops = zfs_acl_v0_ops; 346 return (aclp); 347} 348 349static zfs_acl_node_t * 350zfs_acl_node_alloc(size_t bytes) 351{ 352 zfs_acl_node_t *aclnode; 353 354 aclnode = kmem_zalloc(sizeof (zfs_acl_node_t), KM_SLEEP); 355 if (bytes) { 356 aclnode->z_acldata = kmem_alloc(bytes, KM_SLEEP); 357 aclnode->z_allocdata = aclnode->z_acldata; 358 aclnode->z_allocsize = bytes; 359 aclnode->z_size = bytes; 360 } 361 362 return (aclnode); 363} 364 365static void 366zfs_acl_node_free(zfs_acl_node_t *aclnode) 367{ 368 if (aclnode->z_allocsize) 369 kmem_free(aclnode->z_allocdata, aclnode->z_allocsize); 370 kmem_free(aclnode, sizeof (zfs_acl_node_t)); 371} 372 373static void 374zfs_acl_release_nodes(zfs_acl_t *aclp) 375{ 376 zfs_acl_node_t *aclnode; 377 378 while (aclnode = list_head(&aclp->z_acl)) { 379 list_remove(&aclp->z_acl, aclnode); 380 zfs_acl_node_free(aclnode); 381 } 382 aclp->z_acl_count = 0; 383 aclp->z_acl_bytes = 0; 384} 385 386void 387zfs_acl_free(zfs_acl_t *aclp) 388{ 389 zfs_acl_release_nodes(aclp); 390 list_destroy(&aclp->z_acl); 391 kmem_free(aclp, sizeof (zfs_acl_t)); 392} 393 394static boolean_t 395zfs_acl_valid_ace_type(uint_t type, uint_t flags) 396{ 397 uint16_t entry_type; 398 399 switch (type) { 400 case ALLOW: 401 case DENY: 402 case ACE_SYSTEM_AUDIT_ACE_TYPE: 403 case ACE_SYSTEM_ALARM_ACE_TYPE: 404 entry_type = flags & ACE_TYPE_FLAGS; 405 return (entry_type == ACE_OWNER || 406 entry_type == OWNING_GROUP || 407 entry_type == ACE_EVERYONE || entry_type == 0 || 408 entry_type == ACE_IDENTIFIER_GROUP); 409 default: 410 if (type >= MIN_ACE_TYPE && type <= MAX_ACE_TYPE) 411 return (B_TRUE); 412 } 413 return (B_FALSE); 414} 415 416static boolean_t 417zfs_ace_valid(vtype_t obj_type, zfs_acl_t *aclp, uint16_t type, uint16_t iflags) 418{ 419 /* 420 * first check type of entry 421 */ 422 423 if (!zfs_acl_valid_ace_type(type, iflags)) 424 return (B_FALSE); 425 426 switch (type) { 427 case ACE_ACCESS_ALLOWED_OBJECT_ACE_TYPE: 428 case ACE_ACCESS_DENIED_OBJECT_ACE_TYPE: 429 case ACE_SYSTEM_AUDIT_OBJECT_ACE_TYPE: 430 case ACE_SYSTEM_ALARM_OBJECT_ACE_TYPE: 431 if (aclp->z_version < ZFS_ACL_VERSION_FUID) 432 return (B_FALSE); 433 aclp->z_hints |= ZFS_ACL_OBJ_ACE; 434 } 435 436 /* 437 * next check inheritance level flags 438 */ 439 440 if (obj_type == VDIR && 441 (iflags & (ACE_FILE_INHERIT_ACE|ACE_DIRECTORY_INHERIT_ACE))) 442 aclp->z_hints |= ZFS_INHERIT_ACE; 443 444 if (iflags & (ACE_INHERIT_ONLY_ACE|ACE_NO_PROPAGATE_INHERIT_ACE)) { 445 if ((iflags & (ACE_FILE_INHERIT_ACE| 446 ACE_DIRECTORY_INHERIT_ACE)) == 0) { 447 return (B_FALSE); 448 } 449 } 450 451 return (B_TRUE); 452} 453 454static void * 455zfs_acl_next_ace(zfs_acl_t *aclp, void *start, uint64_t *who, 456 uint32_t *access_mask, uint16_t *iflags, uint16_t *type) 457{ 458 zfs_acl_node_t *aclnode; 459 460 if (start == NULL) { 461 aclnode = list_head(&aclp->z_acl); 462 if (aclnode == NULL) 463 return (NULL); 464 465 aclp->z_next_ace = aclnode->z_acldata; 466 aclp->z_curr_node = aclnode; 467 aclnode->z_ace_idx = 0; 468 } 469 470 aclnode = aclp->z_curr_node; 471 472 if (aclnode == NULL) 473 return (NULL); 474 475 if (aclnode->z_ace_idx >= aclnode->z_ace_count) { 476 aclnode = list_next(&aclp->z_acl, aclnode); 477 if (aclnode == NULL) 478 return (NULL); 479 else { 480 aclp->z_curr_node = aclnode; 481 aclnode->z_ace_idx = 0; 482 aclp->z_next_ace = aclnode->z_acldata; 483 } 484 } 485 486 if (aclnode->z_ace_idx < aclnode->z_ace_count) { 487 void *acep = aclp->z_next_ace; 488 size_t ace_size; 489 490 /* 491 * Make sure we don't overstep our bounds 492 */ 493 ace_size = aclp->z_ops.ace_size(acep); 494 495 if (((caddr_t)acep + ace_size) > 496 ((caddr_t)aclnode->z_acldata + aclnode->z_size)) { 497 return (NULL); 498 } 499 500 *iflags = aclp->z_ops.ace_flags_get(acep); 501 *type = aclp->z_ops.ace_type_get(acep); 502 *access_mask = aclp->z_ops.ace_mask_get(acep); 503 *who = aclp->z_ops.ace_who_get(acep); 504 aclp->z_next_ace = (caddr_t)aclp->z_next_ace + ace_size; 505 aclnode->z_ace_idx++; 506 return ((void *)acep); 507 } 508 return (NULL); 509} 510 511/*ARGSUSED*/ 512static uint64_t 513zfs_ace_walk(void *datap, uint64_t cookie, int aclcnt, 514 uint16_t *flags, uint16_t *type, uint32_t *mask) 515{ 516 zfs_acl_t *aclp = datap; 517 zfs_ace_hdr_t *acep = (zfs_ace_hdr_t *)(uintptr_t)cookie; 518 uint64_t who; 519 520 acep = zfs_acl_next_ace(aclp, acep, &who, mask, 521 flags, type); 522 return ((uint64_t)(uintptr_t)acep); 523} 524 525static zfs_acl_node_t * 526zfs_acl_curr_node(zfs_acl_t *aclp) 527{ 528 ASSERT(aclp->z_curr_node); 529 return (aclp->z_curr_node); 530} 531 532/* 533 * Copy ACE to internal ZFS format. 534 * While processing the ACL each ACE will be validated for correctness. 535 * ACE FUIDs will be created later. 536 */ 537int 538zfs_copy_ace_2_fuid(vtype_t obj_type, zfs_acl_t *aclp, void *datap, 539 zfs_ace_t *z_acl, int aclcnt, size_t *size) 540{ 541 int i; 542 uint16_t entry_type; 543 zfs_ace_t *aceptr = z_acl; 544 ace_t *acep = datap; 545 zfs_object_ace_t *zobjacep; 546 ace_object_t *aceobjp; 547 548 for (i = 0; i != aclcnt; i++) { 549 aceptr->z_hdr.z_access_mask = acep->a_access_mask; 550 aceptr->z_hdr.z_flags = acep->a_flags; 551 aceptr->z_hdr.z_type = acep->a_type; 552 entry_type = aceptr->z_hdr.z_flags & ACE_TYPE_FLAGS; 553 if (entry_type != ACE_OWNER && entry_type != OWNING_GROUP && 554 entry_type != ACE_EVERYONE) { 555 if (!aclp->z_has_fuids) 556 aclp->z_has_fuids = IS_EPHEMERAL(acep->a_who); 557 aceptr->z_fuid = (uint64_t)acep->a_who; 558 } 559 560 /* 561 * Make sure ACE is valid 562 */ 563 if (zfs_ace_valid(obj_type, aclp, aceptr->z_hdr.z_type, 564 aceptr->z_hdr.z_flags) != B_TRUE) 565 return (EINVAL); 566 567 switch (acep->a_type) { 568 case ACE_ACCESS_ALLOWED_OBJECT_ACE_TYPE: 569 case ACE_ACCESS_DENIED_OBJECT_ACE_TYPE: 570 case ACE_SYSTEM_AUDIT_OBJECT_ACE_TYPE: 571 case ACE_SYSTEM_ALARM_OBJECT_ACE_TYPE: 572 zobjacep = (zfs_object_ace_t *)aceptr; 573 aceobjp = (ace_object_t *)acep; 574 575 bcopy(aceobjp->a_obj_type, zobjacep->z_object_type, 576 sizeof (aceobjp->a_obj_type)); 577 bcopy(aceobjp->a_inherit_obj_type, 578 zobjacep->z_inherit_type, 579 sizeof (aceobjp->a_inherit_obj_type)); 580 acep = (ace_t *)((caddr_t)acep + sizeof (ace_object_t)); 581 break; 582 default: 583 acep = (ace_t *)((caddr_t)acep + sizeof (ace_t)); 584 } 585 586 aceptr = (zfs_ace_t *)((caddr_t)aceptr + 587 aclp->z_ops.ace_size(aceptr)); 588 } 589 590 *size = (caddr_t)aceptr - (caddr_t)z_acl; 591 592 return (0); 593} 594 595/* 596 * Copy ZFS ACEs to fixed size ace_t layout 597 */ 598static void 599zfs_copy_fuid_2_ace(zfsvfs_t *zfsvfs, zfs_acl_t *aclp, cred_t *cr, 600 void *datap, int filter) 601{ 602 uint64_t who; 603 uint32_t access_mask; 604 uint16_t iflags, type; 605 zfs_ace_hdr_t *zacep = NULL; 606 ace_t *acep = datap; 607 ace_object_t *objacep; 608 zfs_object_ace_t *zobjacep; 609 size_t ace_size; 610 uint16_t entry_type; 611 612 while (zacep = zfs_acl_next_ace(aclp, zacep, 613 &who, &access_mask, &iflags, &type)) { 614 615 switch (type) { 616 case ACE_ACCESS_ALLOWED_OBJECT_ACE_TYPE: 617 case ACE_ACCESS_DENIED_OBJECT_ACE_TYPE: 618 case ACE_SYSTEM_AUDIT_OBJECT_ACE_TYPE: 619 case ACE_SYSTEM_ALARM_OBJECT_ACE_TYPE: 620 if (filter) { 621 continue; 622 } 623 zobjacep = (zfs_object_ace_t *)zacep; 624 objacep = (ace_object_t *)acep; 625 bcopy(zobjacep->z_object_type, 626 objacep->a_obj_type, 627 sizeof (zobjacep->z_object_type)); 628 bcopy(zobjacep->z_inherit_type, 629 objacep->a_inherit_obj_type, 630 sizeof (zobjacep->z_inherit_type)); 631 ace_size = sizeof (ace_object_t); 632 break; 633 default: 634 ace_size = sizeof (ace_t); 635 break; 636 } 637 638 entry_type = (iflags & ACE_TYPE_FLAGS); 639 if ((entry_type != ACE_OWNER && 640 entry_type != OWNING_GROUP && 641 entry_type != ACE_EVERYONE)) { 642 acep->a_who = zfs_fuid_map_id(zfsvfs, who, 643 cr, (entry_type & ACE_IDENTIFIER_GROUP) ? 644 ZFS_ACE_GROUP : ZFS_ACE_USER); 645 } else { 646 acep->a_who = (uid_t)(int64_t)who; 647 } 648 acep->a_access_mask = access_mask; 649 acep->a_flags = iflags; 650 acep->a_type = type; 651 acep = (ace_t *)((caddr_t)acep + ace_size); 652 } 653} 654 655static int 656zfs_copy_ace_2_oldace(vtype_t obj_type, zfs_acl_t *aclp, ace_t *acep, 657 zfs_oldace_t *z_acl, int aclcnt, size_t *size) 658{ 659 int i; 660 zfs_oldace_t *aceptr = z_acl; 661 662 for (i = 0; i != aclcnt; i++, aceptr++) { 663 aceptr->z_access_mask = acep[i].a_access_mask; 664 aceptr->z_type = acep[i].a_type; 665 aceptr->z_flags = acep[i].a_flags; 666 aceptr->z_fuid = acep[i].a_who; 667 /* 668 * Make sure ACE is valid 669 */ 670 if (zfs_ace_valid(obj_type, aclp, aceptr->z_type, 671 aceptr->z_flags) != B_TRUE) 672 return (EINVAL); 673 } 674 *size = (caddr_t)aceptr - (caddr_t)z_acl; 675 return (0); 676} 677 678/* 679 * convert old ACL format to new 680 */ 681void 682zfs_acl_xform(znode_t *zp, zfs_acl_t *aclp) 683{ 684 zfs_oldace_t *oldaclp; 685 int i; 686 uint16_t type, iflags; 687 uint32_t access_mask; 688 uint64_t who; 689 void *cookie = NULL; 690 zfs_acl_node_t *newaclnode; 691 692 ASSERT(aclp->z_version == ZFS_ACL_VERSION_INITIAL); 693 /* 694 * First create the ACE in a contiguous piece of memory 695 * for zfs_copy_ace_2_fuid(). 696 * 697 * We only convert an ACL once, so this won't happen 698 * everytime. 699 */ 700 oldaclp = kmem_alloc(sizeof (zfs_oldace_t) * aclp->z_acl_count, 701 KM_SLEEP); 702 i = 0; 703 while (cookie = zfs_acl_next_ace(aclp, cookie, &who, 704 &access_mask, &iflags, &type)) { 705 oldaclp[i].z_flags = iflags; 706 oldaclp[i].z_type = type; 707 oldaclp[i].z_fuid = who; 708 oldaclp[i++].z_access_mask = access_mask; 709 } 710 711 newaclnode = zfs_acl_node_alloc(aclp->z_acl_count * 712 sizeof (zfs_object_ace_t)); 713 aclp->z_ops = zfs_acl_fuid_ops; 714 VERIFY(zfs_copy_ace_2_fuid(ZTOV(zp)->v_type, aclp, oldaclp, 715 newaclnode->z_acldata, aclp->z_acl_count, 716 &newaclnode->z_size) == 0); 717 newaclnode->z_ace_count = aclp->z_acl_count; 718 aclp->z_version = ZFS_ACL_VERSION; 719 kmem_free(oldaclp, aclp->z_acl_count * sizeof (zfs_oldace_t)); 720 721 /* 722 * Release all previous ACL nodes 723 */ 724 725 zfs_acl_release_nodes(aclp); 726 727 list_insert_head(&aclp->z_acl, newaclnode); 728 729 aclp->z_acl_bytes = newaclnode->z_size; 730 aclp->z_acl_count = newaclnode->z_ace_count; 731 732} 733 734/* 735 * Convert unix access mask to v4 access mask 736 */ 737static uint32_t 738zfs_unix_to_v4(uint32_t access_mask) 739{ 740 uint32_t new_mask = 0; 741 742 if (access_mask & S_IXOTH) 743 new_mask |= ACE_EXECUTE; 744 if (access_mask & S_IWOTH) 745 new_mask |= ACE_WRITE_DATA; 746 if (access_mask & S_IROTH) 747 new_mask |= ACE_READ_DATA; 748 return (new_mask); 749} 750 751static void 752zfs_set_ace(zfs_acl_t *aclp, void *acep, uint32_t access_mask, 753 uint16_t access_type, uint64_t fuid, uint16_t entry_type) 754{ 755 uint16_t type = entry_type & ACE_TYPE_FLAGS; 756 757 aclp->z_ops.ace_mask_set(acep, access_mask); 758 aclp->z_ops.ace_type_set(acep, access_type); 759 aclp->z_ops.ace_flags_set(acep, entry_type); 760 if ((type != ACE_OWNER && type != OWNING_GROUP && 761 type != ACE_EVERYONE)) 762 aclp->z_ops.ace_who_set(acep, fuid); 763} 764 765/* 766 * Determine mode of file based on ACL. 767 * Also, create FUIDs for any User/Group ACEs 768 */ 769static uint64_t 770zfs_mode_fuid_compute(znode_t *zp, zfs_acl_t *aclp, cred_t *cr, 771 zfs_fuid_info_t **fuidp, dmu_tx_t *tx) 772{ 773 int entry_type; 774 mode_t mode; 775 mode_t seen = 0; 776 zfs_ace_hdr_t *acep = NULL; 777 uint64_t who; 778 uint16_t iflags, type; 779 uint32_t access_mask; 780 781 mode = (zp->z_phys->zp_mode & (S_IFMT | S_ISUID | S_ISGID | S_ISVTX)); 782 783 while (acep = zfs_acl_next_ace(aclp, acep, &who, 784 &access_mask, &iflags, &type)) { 785 786 if (!zfs_acl_valid_ace_type(type, iflags)) 787 continue; 788 789 entry_type = (iflags & ACE_TYPE_FLAGS); 790 791 /* 792 * Skip over owner@, group@ or everyone@ inherit only ACEs 793 */ 794 if ((iflags & ACE_INHERIT_ONLY_ACE) && 795 (entry_type == ACE_OWNER || entry_type == ACE_EVERYONE || 796 entry_type == OWNING_GROUP)) 797 continue; 798 799 if (entry_type == ACE_OWNER) { 800 if ((access_mask & ACE_READ_DATA) && 801 (!(seen & S_IRUSR))) { 802 seen |= S_IRUSR; 803 if (type == ALLOW) { 804 mode |= S_IRUSR; 805 } 806 } 807 if ((access_mask & ACE_WRITE_DATA) && 808 (!(seen & S_IWUSR))) { 809 seen |= S_IWUSR; 810 if (type == ALLOW) { 811 mode |= S_IWUSR; 812 } 813 } 814 if ((access_mask & ACE_EXECUTE) && 815 (!(seen & S_IXUSR))) { 816 seen |= S_IXUSR; 817 if (type == ALLOW) { 818 mode |= S_IXUSR; 819 } 820 } 821 } else if (entry_type == OWNING_GROUP) { 822 if ((access_mask & ACE_READ_DATA) && 823 (!(seen & S_IRGRP))) { 824 seen |= S_IRGRP; 825 if (type == ALLOW) { 826 mode |= S_IRGRP; 827 } 828 } 829 if ((access_mask & ACE_WRITE_DATA) && 830 (!(seen & S_IWGRP))) { 831 seen |= S_IWGRP; 832 if (type == ALLOW) { 833 mode |= S_IWGRP; 834 } 835 } 836 if ((access_mask & ACE_EXECUTE) && 837 (!(seen & S_IXGRP))) { 838 seen |= S_IXGRP; 839 if (type == ALLOW) { 840 mode |= S_IXGRP; 841 } 842 } 843 } else if (entry_type == ACE_EVERYONE) { 844 if ((access_mask & ACE_READ_DATA)) { 845 if (!(seen & S_IRUSR)) { 846 seen |= S_IRUSR; 847 if (type == ALLOW) { 848 mode |= S_IRUSR; 849 } 850 } 851 if (!(seen & S_IRGRP)) { 852 seen |= S_IRGRP; 853 if (type == ALLOW) { 854 mode |= S_IRGRP; 855 } 856 } 857 if (!(seen & S_IROTH)) { 858 seen |= S_IROTH; 859 if (type == ALLOW) { 860 mode |= S_IROTH; 861 } 862 } 863 } 864 if ((access_mask & ACE_WRITE_DATA)) { 865 if (!(seen & S_IWUSR)) { 866 seen |= S_IWUSR; 867 if (type == ALLOW) { 868 mode |= S_IWUSR; 869 } 870 } 871 if (!(seen & S_IWGRP)) { 872 seen |= S_IWGRP; 873 if (type == ALLOW) { 874 mode |= S_IWGRP; 875 } 876 } 877 if (!(seen & S_IWOTH)) { 878 seen |= S_IWOTH; 879 if (type == ALLOW) { 880 mode |= S_IWOTH; 881 } 882 } 883 } 884 if ((access_mask & ACE_EXECUTE)) { 885 if (!(seen & S_IXUSR)) { 886 seen |= S_IXUSR; 887 if (type == ALLOW) { 888 mode |= S_IXUSR; 889 } 890 } 891 if (!(seen & S_IXGRP)) { 892 seen |= S_IXGRP; 893 if (type == ALLOW) { 894 mode |= S_IXGRP; 895 } 896 } 897 if (!(seen & S_IXOTH)) { 898 seen |= S_IXOTH; 899 if (type == ALLOW) { 900 mode |= S_IXOTH; 901 } 902 } 903 } 904 } 905 /* 906 * Now handle FUID create for user/group ACEs 907 */ 908 if (entry_type == 0 || entry_type == ACE_IDENTIFIER_GROUP) { 909 aclp->z_ops.ace_who_set(acep, 910 zfs_fuid_create(zp->z_zfsvfs, who, cr, 911 (entry_type == 0) ? ZFS_ACE_USER : ZFS_ACE_GROUP, 912 tx, fuidp)); 913 } 914 } 915 return (mode); 916} 917 918static zfs_acl_t * 919zfs_acl_node_read_internal(znode_t *zp, boolean_t will_modify) 920{ 921 zfs_acl_t *aclp; 922 zfs_acl_node_t *aclnode; 923 924 aclp = zfs_acl_alloc(zp->z_phys->zp_acl.z_acl_version); 925 926 /* 927 * Version 0 to 1 znode_acl_phys has the size/count fields swapped. 928 * Version 0 didn't have a size field, only a count. 929 */ 930 if (zp->z_phys->zp_acl.z_acl_version == ZFS_ACL_VERSION_INITIAL) { 931 aclp->z_acl_count = zp->z_phys->zp_acl.z_acl_size; 932 aclp->z_acl_bytes = ZFS_ACL_SIZE(aclp->z_acl_count); 933 } else { 934 aclp->z_acl_count = zp->z_phys->zp_acl.z_acl_count; 935 aclp->z_acl_bytes = zp->z_phys->zp_acl.z_acl_size; 936 } 937 938 aclnode = zfs_acl_node_alloc(will_modify ? aclp->z_acl_bytes : 0); 939 aclnode->z_ace_count = aclp->z_acl_count; 940 if (will_modify) { 941 bcopy(zp->z_phys->zp_acl.z_ace_data, aclnode->z_acldata, 942 aclp->z_acl_bytes); 943 } else { 944 aclnode->z_size = aclp->z_acl_bytes; 945 aclnode->z_acldata = &zp->z_phys->zp_acl.z_ace_data[0]; 946 } 947 948 list_insert_head(&aclp->z_acl, aclnode); 949 950 return (aclp); 951} 952 953/* 954 * Read an external acl object. 955 */ 956static int 957zfs_acl_node_read(znode_t *zp, zfs_acl_t **aclpp, boolean_t will_modify) 958{ 959 uint64_t extacl = zp->z_phys->zp_acl.z_acl_extern_obj; 960 zfs_acl_t *aclp; 961 size_t aclsize; 962 size_t acl_count; 963 zfs_acl_node_t *aclnode; 964 int error; 965 966 ASSERT(MUTEX_HELD(&zp->z_acl_lock)); 967 968 if (zp->z_phys->zp_acl.z_acl_extern_obj == 0) { 969 *aclpp = zfs_acl_node_read_internal(zp, will_modify); 970 return (0); 971 } 972 973 aclp = zfs_acl_alloc(zp->z_phys->zp_acl.z_acl_version); 974 if (zp->z_phys->zp_acl.z_acl_version == ZFS_ACL_VERSION_INITIAL) { 975 zfs_acl_phys_v0_t *zacl0 = 976 (zfs_acl_phys_v0_t *)&zp->z_phys->zp_acl; 977 978 aclsize = ZFS_ACL_SIZE(zacl0->z_acl_count); 979 acl_count = zacl0->z_acl_count; 980 } else { 981 aclsize = zp->z_phys->zp_acl.z_acl_size; 982 acl_count = zp->z_phys->zp_acl.z_acl_count; 983 if (aclsize == 0) 984 aclsize = acl_count * sizeof (zfs_ace_t); 985 } 986 aclnode = zfs_acl_node_alloc(aclsize); 987 list_insert_head(&aclp->z_acl, aclnode); 988 error = dmu_read(zp->z_zfsvfs->z_os, extacl, 0, 989 aclsize, aclnode->z_acldata); 990 aclnode->z_ace_count = acl_count; 991 aclp->z_acl_count = acl_count; 992 aclp->z_acl_bytes = aclsize; 993 994 if (error != 0) { 995 zfs_acl_free(aclp); 996 /* convert checksum errors into IO errors */ 997 if (error == ECKSUM) 998 error = EIO; 999 return (error); 1000 } 1001 1002 *aclpp = aclp; 1003 return (0); 1004} 1005 1006/* 1007 * common code for setting ACLs. 1008 * 1009 * This function is called from zfs_mode_update, zfs_perm_init, and zfs_setacl. 1010 * zfs_setacl passes a non-NULL inherit pointer (ihp) to indicate that it's 1011 * already checked the acl and knows whether to inherit. 1012 */ 1013int 1014zfs_aclset_common(znode_t *zp, zfs_acl_t *aclp, cred_t *cr, 1015 zfs_fuid_info_t **fuidp, dmu_tx_t *tx) 1016{ 1017 int error; 1018 znode_phys_t *zphys = zp->z_phys; 1019 zfs_acl_phys_t *zacl = &zphys->zp_acl; 1020 zfsvfs_t *zfsvfs = zp->z_zfsvfs; 1021 uint64_t aoid = zphys->zp_acl.z_acl_extern_obj; 1022 uint64_t off = 0; 1023 dmu_object_type_t otype; 1024 zfs_acl_node_t *aclnode; 1025 1026 ASSERT(MUTEX_HELD(&zp->z_lock)); 1027 ASSERT(MUTEX_HELD(&zp->z_acl_lock)); 1028 1029 dmu_buf_will_dirty(zp->z_dbuf, tx); 1030 1031 zphys->zp_mode = zfs_mode_fuid_compute(zp, aclp, cr, fuidp, tx); 1032 1033 /* 1034 * Decide which opbject type to use. If we are forced to 1035 * use old ACL format than transform ACL into zfs_oldace_t 1036 * layout. 1037 */ 1038 if (!zfsvfs->z_use_fuids) { 1039 otype = DMU_OT_OLDACL; 1040 } else { 1041 if ((aclp->z_version == ZFS_ACL_VERSION_INITIAL) && 1042 (zfsvfs->z_version >= ZPL_VERSION_FUID)) 1043 zfs_acl_xform(zp, aclp); 1044 ASSERT(aclp->z_version >= ZFS_ACL_VERSION_FUID); 1045 otype = DMU_OT_ACL; 1046 } 1047 1048 if (aclp->z_acl_bytes > ZFS_ACE_SPACE) { 1049 /* 1050 * If ACL was previously external and we are now 1051 * converting to new ACL format then release old 1052 * ACL object and create a new one. 1053 */ 1054 if (aoid && aclp->z_version != zacl->z_acl_version) { 1055 error = dmu_object_free(zfsvfs->z_os, 1056 zp->z_phys->zp_acl.z_acl_extern_obj, tx); 1057 if (error) 1058 return (error); 1059 aoid = 0; 1060 } 1061 if (aoid == 0) { 1062 aoid = dmu_object_alloc(zfsvfs->z_os, 1063 otype, aclp->z_acl_bytes, 1064 otype == DMU_OT_ACL ? DMU_OT_SYSACL : DMU_OT_NONE, 1065 otype == DMU_OT_ACL ? DN_MAX_BONUSLEN : 0, tx); 1066 } else { 1067 (void) dmu_object_set_blocksize(zfsvfs->z_os, aoid, 1068 aclp->z_acl_bytes, 0, tx); 1069 } 1070 zphys->zp_acl.z_acl_extern_obj = aoid; 1071 for (aclnode = list_head(&aclp->z_acl); aclnode; 1072 aclnode = list_next(&aclp->z_acl, aclnode)) { 1073 if (aclnode->z_ace_count == 0) 1074 continue; 1075 dmu_write(zfsvfs->z_os, aoid, off, 1076 aclnode->z_size, aclnode->z_acldata, tx); 1077 off += aclnode->z_size; 1078 } 1079 } else { 1080 void *start = zacl->z_ace_data; 1081 /* 1082 * Migrating back embedded? 1083 */ 1084 if (zphys->zp_acl.z_acl_extern_obj) { 1085 error = dmu_object_free(zfsvfs->z_os, 1086 zp->z_phys->zp_acl.z_acl_extern_obj, tx); 1087 if (error) 1088 return (error); 1089 zphys->zp_acl.z_acl_extern_obj = 0; 1090 } 1091 1092 for (aclnode = list_head(&aclp->z_acl); aclnode; 1093 aclnode = list_next(&aclp->z_acl, aclnode)) { 1094 if (aclnode->z_ace_count == 0) 1095 continue; 1096 bcopy(aclnode->z_acldata, start, aclnode->z_size); 1097 start = (caddr_t)start + aclnode->z_size; 1098 } 1099 } 1100 1101 /* 1102 * If Old version then swap count/bytes to match old 1103 * layout of znode_acl_phys_t. 1104 */ 1105 if (aclp->z_version == ZFS_ACL_VERSION_INITIAL) { 1106 zphys->zp_acl.z_acl_size = aclp->z_acl_count; 1107 zphys->zp_acl.z_acl_count = aclp->z_acl_bytes; 1108 } else { 1109 zphys->zp_acl.z_acl_size = aclp->z_acl_bytes; 1110 zphys->zp_acl.z_acl_count = aclp->z_acl_count; 1111 } 1112 1113 zphys->zp_acl.z_acl_version = aclp->z_version; 1114 1115 /* 1116 * Replace ACL wide bits, but first clear them. 1117 */ 1118 zp->z_phys->zp_flags &= ~ZFS_ACL_WIDE_FLAGS; 1119 1120 zp->z_phys->zp_flags |= aclp->z_hints; 1121 1122 if (ace_trivial_common(aclp, 0, zfs_ace_walk) == 0) 1123 zp->z_phys->zp_flags |= ZFS_ACL_TRIVIAL; 1124 1125 zfs_time_stamper_locked(zp, STATE_CHANGED, tx); 1126 return (0); 1127} 1128 1129/* 1130 * Update access mask for prepended ACE 1131 * 1132 * This applies the "groupmask" value for aclmode property. 1133 */ 1134static void 1135zfs_acl_prepend_fixup(zfs_acl_t *aclp, void *acep, void *origacep, 1136 mode_t mode, uint64_t owner) 1137{ 1138 int rmask, wmask, xmask; 1139 int user_ace; 1140 uint16_t aceflags; 1141 uint32_t origmask, acepmask; 1142 uint64_t fuid; 1143 1144 aceflags = aclp->z_ops.ace_flags_get(acep); 1145 fuid = aclp->z_ops.ace_who_get(acep); 1146 origmask = aclp->z_ops.ace_mask_get(origacep); 1147 acepmask = aclp->z_ops.ace_mask_get(acep); 1148 1149 user_ace = (!(aceflags & 1150 (ACE_OWNER|ACE_GROUP|ACE_IDENTIFIER_GROUP))); 1151 1152 if (user_ace && (fuid == owner)) { 1153 rmask = S_IRUSR; 1154 wmask = S_IWUSR; 1155 xmask = S_IXUSR; 1156 } else { 1157 rmask = S_IRGRP; 1158 wmask = S_IWGRP; 1159 xmask = S_IXGRP; 1160 } 1161 1162 if (origmask & ACE_READ_DATA) { 1163 if (mode & rmask) { 1164 acepmask &= ~ACE_READ_DATA; 1165 } else { 1166 acepmask |= ACE_READ_DATA; 1167 } 1168 } 1169 1170 if (origmask & ACE_WRITE_DATA) { 1171 if (mode & wmask) { 1172 acepmask &= ~ACE_WRITE_DATA; 1173 } else { 1174 acepmask |= ACE_WRITE_DATA; 1175 } 1176 } 1177 1178 if (origmask & ACE_APPEND_DATA) { 1179 if (mode & wmask) { 1180 acepmask &= ~ACE_APPEND_DATA; 1181 } else { 1182 acepmask |= ACE_APPEND_DATA; 1183 } 1184 } 1185 1186 if (origmask & ACE_EXECUTE) { 1187 if (mode & xmask) { 1188 acepmask &= ~ACE_EXECUTE; 1189 } else { 1190 acepmask |= ACE_EXECUTE; 1191 } 1192 } 1193 aclp->z_ops.ace_mask_set(acep, acepmask); 1194} 1195 1196/* 1197 * Apply mode to canonical six ACEs. 1198 */ 1199static void 1200zfs_acl_fixup_canonical_six(zfs_acl_t *aclp, mode_t mode) 1201{ 1202 zfs_acl_node_t *aclnode = list_tail(&aclp->z_acl); 1203 void *acep; 1204 int maskoff = aclp->z_ops.ace_mask_off(); 1205 size_t abstract_size = aclp->z_ops.ace_abstract_size(); 1206 1207 ASSERT(aclnode != NULL); 1208 1209 acep = (void *)((caddr_t)aclnode->z_acldata + 1210 aclnode->z_size - (abstract_size * 6)); 1211 1212 /* 1213 * Fixup final ACEs to match the mode 1214 */ 1215 1216 adjust_ace_pair_common(acep, maskoff, abstract_size, 1217 (mode & 0700) >> 6); /* owner@ */ 1218 1219 acep = (caddr_t)acep + (abstract_size * 2); 1220 1221 adjust_ace_pair_common(acep, maskoff, abstract_size, 1222 (mode & 0070) >> 3); /* group@ */ 1223 1224 acep = (caddr_t)acep + (abstract_size * 2); 1225 adjust_ace_pair_common(acep, maskoff, 1226 abstract_size, mode); /* everyone@ */ 1227} 1228 1229 1230static int 1231zfs_acl_ace_match(zfs_acl_t *aclp, void *acep, int allow_deny, 1232 int entry_type, int accessmask) 1233{ 1234 uint32_t mask = aclp->z_ops.ace_mask_get(acep); 1235 uint16_t type = aclp->z_ops.ace_type_get(acep); 1236 uint16_t flags = aclp->z_ops.ace_flags_get(acep); 1237 1238 return (mask == accessmask && type == allow_deny && 1239 ((flags & ACE_TYPE_FLAGS) == entry_type)); 1240} 1241 1242/* 1243 * Can prepended ACE be reused? 1244 */ 1245static int 1246zfs_reuse_deny(zfs_acl_t *aclp, void *acep, void *prevacep) 1247{ 1248 int okay_masks; 1249 uint16_t prevtype; 1250 uint16_t prevflags; 1251 uint16_t flags; 1252 uint32_t mask, prevmask; 1253 1254 if (prevacep == NULL) 1255 return (B_FALSE); 1256 1257 prevtype = aclp->z_ops.ace_type_get(prevacep); 1258 prevflags = aclp->z_ops.ace_flags_get(prevacep); 1259 flags = aclp->z_ops.ace_flags_get(acep); 1260 mask = aclp->z_ops.ace_mask_get(acep); 1261 prevmask = aclp->z_ops.ace_mask_get(prevacep); 1262 1263 if (prevtype != DENY) 1264 return (B_FALSE); 1265 1266 if (prevflags != (flags & ACE_IDENTIFIER_GROUP)) 1267 return (B_FALSE); 1268 1269 okay_masks = (mask & OKAY_MASK_BITS); 1270 1271 if (prevmask & ~okay_masks) 1272 return (B_FALSE); 1273 1274 return (B_TRUE); 1275} 1276 1277 1278/* 1279 * Insert new ACL node into chain of zfs_acl_node_t's 1280 * 1281 * This will result in two possible results. 1282 * 1. If the ACL is currently just a single zfs_acl_node and 1283 * we are prepending the entry then current acl node will have 1284 * a new node inserted above it. 1285 * 1286 * 2. If we are inserting in the middle of current acl node then 1287 * the current node will be split in two and new node will be inserted 1288 * in between the two split nodes. 1289 */ 1290static zfs_acl_node_t * 1291zfs_acl_ace_insert(zfs_acl_t *aclp, void *acep) 1292{ 1293 zfs_acl_node_t *newnode; 1294 zfs_acl_node_t *trailernode = NULL; 1295 zfs_acl_node_t *currnode = zfs_acl_curr_node(aclp); 1296 int curr_idx = aclp->z_curr_node->z_ace_idx; 1297 int trailer_count; 1298 size_t oldsize; 1299 1300 newnode = zfs_acl_node_alloc(aclp->z_ops.ace_size(acep)); 1301 newnode->z_ace_count = 1; 1302 1303 oldsize = currnode->z_size; 1304 1305 if (curr_idx != 1) { 1306 trailernode = zfs_acl_node_alloc(0); 1307 trailernode->z_acldata = acep; 1308 1309 trailer_count = currnode->z_ace_count - curr_idx + 1; 1310 currnode->z_ace_count = curr_idx - 1; 1311 currnode->z_size = (caddr_t)acep - (caddr_t)currnode->z_acldata; 1312 trailernode->z_size = oldsize - currnode->z_size; 1313 trailernode->z_ace_count = trailer_count; 1314 } 1315 1316 aclp->z_acl_count += 1; 1317 aclp->z_acl_bytes += aclp->z_ops.ace_size(acep); 1318 1319 if (curr_idx == 1) 1320 list_insert_before(&aclp->z_acl, currnode, newnode); 1321 else 1322 list_insert_after(&aclp->z_acl, currnode, newnode); 1323 if (trailernode) { 1324 list_insert_after(&aclp->z_acl, newnode, trailernode); 1325 aclp->z_curr_node = trailernode; 1326 trailernode->z_ace_idx = 1; 1327 } 1328 1329 return (newnode); 1330} 1331 1332/* 1333 * Prepend deny ACE 1334 */ 1335static void * 1336zfs_acl_prepend_deny(znode_t *zp, zfs_acl_t *aclp, void *acep, 1337 mode_t mode) 1338{ 1339 zfs_acl_node_t *aclnode; 1340 void *newacep; 1341 uint64_t fuid; 1342 uint16_t flags; 1343 1344 aclnode = zfs_acl_ace_insert(aclp, acep); 1345 newacep = aclnode->z_acldata; 1346 fuid = aclp->z_ops.ace_who_get(acep); 1347 flags = aclp->z_ops.ace_flags_get(acep); 1348 zfs_set_ace(aclp, newacep, 0, DENY, fuid, (flags & ACE_TYPE_FLAGS)); 1349 zfs_acl_prepend_fixup(aclp, newacep, acep, mode, zp->z_phys->zp_uid); 1350 1351 return (newacep); 1352} 1353 1354/* 1355 * Split an inherited ACE into inherit_only ACE 1356 * and original ACE with inheritance flags stripped off. 1357 */ 1358static void 1359zfs_acl_split_ace(zfs_acl_t *aclp, zfs_ace_hdr_t *acep) 1360{ 1361 zfs_acl_node_t *aclnode; 1362 zfs_acl_node_t *currnode; 1363 void *newacep; 1364 uint16_t type, flags; 1365 uint32_t mask; 1366 uint64_t fuid; 1367 1368 type = aclp->z_ops.ace_type_get(acep); 1369 flags = aclp->z_ops.ace_flags_get(acep); 1370 mask = aclp->z_ops.ace_mask_get(acep); 1371 fuid = aclp->z_ops.ace_who_get(acep); 1372 1373 aclnode = zfs_acl_ace_insert(aclp, acep); 1374 newacep = aclnode->z_acldata; 1375 1376 aclp->z_ops.ace_type_set(newacep, type); 1377 aclp->z_ops.ace_flags_set(newacep, flags | ACE_INHERIT_ONLY_ACE); 1378 aclp->z_ops.ace_mask_set(newacep, mask); 1379 aclp->z_ops.ace_type_set(newacep, type); 1380 aclp->z_ops.ace_who_set(newacep, fuid); 1381 aclp->z_next_ace = acep; 1382 flags &= ~ALL_INHERIT; 1383 aclp->z_ops.ace_flags_set(acep, flags); 1384 currnode = zfs_acl_curr_node(aclp); 1385 ASSERT(currnode->z_ace_idx >= 1); 1386 currnode->z_ace_idx -= 1; 1387} 1388 1389/* 1390 * Are ACES started at index i, the canonical six ACES? 1391 */ 1392static int 1393zfs_have_canonical_six(zfs_acl_t *aclp) 1394{ 1395 void *acep; 1396 zfs_acl_node_t *aclnode = list_tail(&aclp->z_acl); 1397 int i = 0; 1398 size_t abstract_size = aclp->z_ops.ace_abstract_size(); 1399 1400 ASSERT(aclnode != NULL); 1401 1402 if (aclnode->z_ace_count < 6) 1403 return (0); 1404 1405 acep = (void *)((caddr_t)aclnode->z_acldata + 1406 aclnode->z_size - (aclp->z_ops.ace_abstract_size() * 6)); 1407 1408 if ((zfs_acl_ace_match(aclp, (caddr_t)acep + (abstract_size * i++), 1409 DENY, ACE_OWNER, 0) && 1410 zfs_acl_ace_match(aclp, (caddr_t)acep + (abstract_size * i++), 1411 ALLOW, ACE_OWNER, OWNER_ALLOW_MASK) && 1412 zfs_acl_ace_match(aclp, (caddr_t)acep + (abstract_size * i++), DENY, 1413 OWNING_GROUP, 0) && zfs_acl_ace_match(aclp, (caddr_t)acep + 1414 (abstract_size * i++), 1415 ALLOW, OWNING_GROUP, 0) && 1416 zfs_acl_ace_match(aclp, (caddr_t)acep + (abstract_size * i++), 1417 DENY, ACE_EVERYONE, EVERYONE_DENY_MASK) && 1418 zfs_acl_ace_match(aclp, (caddr_t)acep + (abstract_size * i++), 1419 ALLOW, ACE_EVERYONE, EVERYONE_ALLOW_MASK))) { 1420 return (1); 1421 } else { 1422 return (0); 1423 } 1424} 1425 1426 1427/* 1428 * Apply step 1g, to group entries 1429 * 1430 * Need to deal with corner case where group may have 1431 * greater permissions than owner. If so then limit 1432 * group permissions, based on what extra permissions 1433 * group has. 1434 */ 1435static void 1436zfs_fixup_group_entries(zfs_acl_t *aclp, void *acep, void *prevacep, 1437 mode_t mode) 1438{ 1439 uint32_t prevmask = aclp->z_ops.ace_mask_get(prevacep); 1440 uint32_t mask = aclp->z_ops.ace_mask_get(acep); 1441 uint16_t prevflags = aclp->z_ops.ace_flags_get(prevacep); 1442 mode_t extramode = (mode >> 3) & 07; 1443 mode_t ownermode = (mode >> 6); 1444 1445 if (prevflags & ACE_IDENTIFIER_GROUP) { 1446 1447 extramode &= ~ownermode; 1448 1449 if (extramode) { 1450 if (extramode & S_IROTH) { 1451 prevmask &= ~ACE_READ_DATA; 1452 mask &= ~ACE_READ_DATA; 1453 } 1454 if (extramode & S_IWOTH) { 1455 prevmask &= ~(ACE_WRITE_DATA|ACE_APPEND_DATA); 1456 mask &= ~(ACE_WRITE_DATA|ACE_APPEND_DATA); 1457 } 1458 if (extramode & S_IXOTH) { 1459 prevmask &= ~ACE_EXECUTE; 1460 mask &= ~ACE_EXECUTE; 1461 } 1462 } 1463 } 1464 aclp->z_ops.ace_mask_set(acep, mask); 1465 aclp->z_ops.ace_mask_set(prevacep, prevmask); 1466} 1467 1468/* 1469 * Apply the chmod algorithm as described 1470 * in PSARC/2002/240 1471 */ 1472static void 1473zfs_acl_chmod(znode_t *zp, uint64_t mode, zfs_acl_t *aclp) 1474{ 1475 zfsvfs_t *zfsvfs = zp->z_zfsvfs; 1476 void *acep = NULL, *prevacep = NULL; 1477 uint64_t who; 1478 int i; 1479 int entry_type; 1480 int reuse_deny; 1481 int need_canonical_six = 1; 1482 uint16_t iflags, type; 1483 uint32_t access_mask; 1484 1485 ASSERT(MUTEX_HELD(&zp->z_acl_lock)); 1486 ASSERT(MUTEX_HELD(&zp->z_lock)); 1487 1488 aclp->z_hints = (zp->z_phys->zp_flags & V4_ACL_WIDE_FLAGS); 1489 1490 /* 1491 * If discard then just discard all ACL nodes which 1492 * represent the ACEs. 1493 * 1494 * New owner@/group@/everone@ ACEs will be added 1495 * later. 1496 */ 1497 if (zfsvfs->z_acl_mode == ZFS_ACL_DISCARD) 1498 zfs_acl_release_nodes(aclp); 1499 1500 while (acep = zfs_acl_next_ace(aclp, acep, &who, &access_mask, 1501 &iflags, &type)) { 1502 1503 entry_type = (iflags & ACE_TYPE_FLAGS); 1504 iflags = (iflags & ALL_INHERIT); 1505 1506 if ((type != ALLOW && type != DENY) || 1507 (iflags & ACE_INHERIT_ONLY_ACE)) { 1508 if (iflags) 1509 aclp->z_hints |= ZFS_INHERIT_ACE; 1510 switch (type) { 1511 case ACE_ACCESS_ALLOWED_OBJECT_ACE_TYPE: 1512 case ACE_ACCESS_DENIED_OBJECT_ACE_TYPE: 1513 case ACE_SYSTEM_AUDIT_OBJECT_ACE_TYPE: 1514 case ACE_SYSTEM_ALARM_OBJECT_ACE_TYPE: 1515 aclp->z_hints |= ZFS_ACL_OBJ_ACE; 1516 break; 1517 } 1518 goto nextace; 1519 } 1520 1521 /* 1522 * Need to split ace into two? 1523 */ 1524 if ((iflags & (ACE_FILE_INHERIT_ACE| 1525 ACE_DIRECTORY_INHERIT_ACE)) && 1526 (!(iflags & ACE_INHERIT_ONLY_ACE))) { 1527 zfs_acl_split_ace(aclp, acep); 1528 aclp->z_hints |= ZFS_INHERIT_ACE; 1529 goto nextace; 1530 } 1531 1532 if (entry_type == ACE_OWNER || entry_type == ACE_EVERYONE || 1533 (entry_type == OWNING_GROUP)) { 1534 access_mask &= ~OGE_CLEAR; 1535 aclp->z_ops.ace_mask_set(acep, access_mask); 1536 goto nextace; 1537 } else { 1538 reuse_deny = B_TRUE; 1539 if (type == ALLOW) { 1540 1541 /* 1542 * Check preceding ACE if any, to see 1543 * if we need to prepend a DENY ACE. 1544 * This is only applicable when the acl_mode 1545 * property == groupmask. 1546 */ 1547 if (zfsvfs->z_acl_mode == ZFS_ACL_GROUPMASK) { 1548 1549 reuse_deny = zfs_reuse_deny(aclp, acep, 1550 prevacep); 1551 1552 if (!reuse_deny) { 1553 prevacep = 1554 zfs_acl_prepend_deny(zp, 1555 aclp, acep, mode); 1556 } else { 1557 zfs_acl_prepend_fixup( 1558 aclp, prevacep, 1559 acep, mode, 1560 zp->z_phys->zp_uid); 1561 } 1562 zfs_fixup_group_entries(aclp, acep, 1563 prevacep, mode); 1564 1565 } 1566 } 1567 } 1568nextace: 1569 prevacep = acep; 1570 } 1571 1572 /* 1573 * Check out last six aces, if we have six. 1574 */ 1575 1576 if (aclp->z_acl_count >= 6) { 1577 if (zfs_have_canonical_six(aclp)) { 1578 need_canonical_six = 0; 1579 } 1580 } 1581 1582 if (need_canonical_six) { 1583 size_t abstract_size = aclp->z_ops.ace_abstract_size(); 1584 void *zacep; 1585 zfs_acl_node_t *aclnode = 1586 zfs_acl_node_alloc(abstract_size * 6); 1587 1588 aclnode->z_size = abstract_size * 6; 1589 aclnode->z_ace_count = 6; 1590 aclp->z_acl_bytes += aclnode->z_size; 1591 list_insert_tail(&aclp->z_acl, aclnode); 1592 1593 zacep = aclnode->z_acldata; 1594 1595 i = 0; 1596 zfs_set_ace(aclp, (caddr_t)zacep + (abstract_size * i++), 1597 0, DENY, -1, ACE_OWNER); 1598 zfs_set_ace(aclp, (caddr_t)zacep + (abstract_size * i++), 1599 OWNER_ALLOW_MASK, ALLOW, -1, ACE_OWNER); 1600 zfs_set_ace(aclp, (caddr_t)zacep + (abstract_size * i++), 0, 1601 DENY, -1, OWNING_GROUP); 1602 zfs_set_ace(aclp, (caddr_t)zacep + (abstract_size * i++), 0, 1603 ALLOW, -1, OWNING_GROUP); 1604 zfs_set_ace(aclp, (caddr_t)zacep + (abstract_size * i++), 1605 EVERYONE_DENY_MASK, DENY, -1, ACE_EVERYONE); 1606 zfs_set_ace(aclp, (caddr_t)zacep + (abstract_size * i++), 1607 EVERYONE_ALLOW_MASK, ALLOW, -1, ACE_EVERYONE); 1608 aclp->z_acl_count += 6; 1609 } 1610 1611 zfs_acl_fixup_canonical_six(aclp, mode); 1612} 1613 1614int 1615zfs_acl_chmod_setattr(znode_t *zp, zfs_acl_t **aclp, uint64_t mode) 1616{ 1617 int error; 1618 1619 mutex_enter(&zp->z_lock); 1620 mutex_enter(&zp->z_acl_lock); 1621 *aclp = NULL; 1622 error = zfs_acl_node_read(zp, aclp, B_TRUE); 1623 if (error == 0) 1624 zfs_acl_chmod(zp, mode, *aclp); 1625 mutex_exit(&zp->z_acl_lock); 1626 mutex_exit(&zp->z_lock); 1627 return (error); 1628} 1629 1630/* 1631 * strip off write_owner and write_acl 1632 */ 1633static void 1634zfs_restricted_update(zfsvfs_t *zfsvfs, zfs_acl_t *aclp, void *acep) 1635{ 1636 uint32_t mask = aclp->z_ops.ace_mask_get(acep); 1637 1638 if ((zfsvfs->z_acl_inherit == ZFS_ACL_RESTRICTED) && 1639 (aclp->z_ops.ace_type_get(acep) == ALLOW)) { 1640 mask &= ~RESTRICTED_CLEAR; 1641 aclp->z_ops.ace_mask_set(acep, mask); 1642 } 1643} 1644 1645/* 1646 * Should ACE be inherited? 1647 */ 1648static int 1649zfs_ace_can_use(znode_t *zp, uint16_t acep_flags) 1650{ 1651 int vtype = ZTOV(zp)->v_type; 1652 int iflags = (acep_flags & 0xf); 1653 1654 if ((vtype == VDIR) && (iflags & ACE_DIRECTORY_INHERIT_ACE)) 1655 return (1); 1656 else if (iflags & ACE_FILE_INHERIT_ACE) 1657 return (!((vtype == VDIR) && 1658 (iflags & ACE_NO_PROPAGATE_INHERIT_ACE))); 1659 return (0); 1660} 1661 1662/* 1663 * inherit inheritable ACEs from parent 1664 */ 1665static zfs_acl_t * 1666zfs_acl_inherit(znode_t *zp, zfs_acl_t *paclp, boolean_t *need_chmod) 1667{ 1668 zfsvfs_t *zfsvfs = zp->z_zfsvfs; 1669 void *pacep; 1670 void *acep, *acep2; 1671 zfs_acl_node_t *aclnode, *aclnode2; 1672 zfs_acl_t *aclp = NULL; 1673 uint64_t who; 1674 uint32_t access_mask; 1675 uint16_t iflags, newflags, type; 1676 size_t ace_size; 1677 void *data1, *data2; 1678 size_t data1sz, data2sz; 1679 enum vtype vntype = ZTOV(zp)->v_type; 1680 1681 *need_chmod = B_TRUE; 1682 pacep = NULL; 1683 aclp = zfs_acl_alloc(paclp->z_version); 1684 if (zfsvfs->z_acl_inherit != ZFS_ACL_DISCARD) { 1685 while (pacep = zfs_acl_next_ace(paclp, pacep, &who, 1686 &access_mask, &iflags, &type)) { 1687 1688 /* 1689 * don't inherit bogus ACEs 1690 */ 1691 if (!zfs_acl_valid_ace_type(type, iflags)) 1692 continue; 1693 1694 if (zfsvfs->z_acl_inherit == ZFS_ACL_NOALLOW && 1695 type == ALLOW) 1696 continue; 1697 1698 ace_size = aclp->z_ops.ace_size(pacep); 1699 1700 if (!zfs_ace_can_use(zp, iflags)) 1701 continue; 1702 1703 /* 1704 * If owner@, group@, or everyone@ inheritable 1705 * then zfs_acl_chmod() isn't needed. 1706 */ 1707 if (zfsvfs->z_acl_inherit == 1708 ZFS_ACL_PASSTHROUGH && 1709 ((iflags & (ACE_OWNER|ACE_EVERYONE)) || 1710 ((iflags & OWNING_GROUP) == 1711 OWNING_GROUP)) && (vntype == VREG || 1712 (vntype == VDIR && 1713 (iflags & ACE_DIRECTORY_INHERIT_ACE)))) 1714 *need_chmod = B_FALSE; 1715 1716 aclnode = zfs_acl_node_alloc(ace_size); 1717 list_insert_tail(&aclp->z_acl, aclnode); 1718 acep = aclnode->z_acldata; 1719 zfs_set_ace(aclp, acep, access_mask, type, 1720 who, iflags|ACE_INHERITED_ACE); 1721 1722 /* 1723 * Copy special opaque data if any 1724 */ 1725 if ((data1sz = paclp->z_ops.ace_data(pacep, 1726 &data1)) != 0) { 1727 VERIFY((data2sz = aclp->z_ops.ace_data(acep, 1728 &data2)) == data1sz); 1729 bcopy(data1, data2, data2sz); 1730 } 1731 aclp->z_acl_count++; 1732 aclnode->z_ace_count++; 1733 aclp->z_acl_bytes += aclnode->z_size; 1734 newflags = aclp->z_ops.ace_flags_get(acep); 1735 1736 if (vntype == VDIR) 1737 aclp->z_hints |= ZFS_INHERIT_ACE; 1738 1739 if ((iflags & ACE_NO_PROPAGATE_INHERIT_ACE) || 1740 (vntype != VDIR)) { 1741 newflags &= ~ALL_INHERIT; 1742 aclp->z_ops.ace_flags_set(acep, 1743 newflags|ACE_INHERITED_ACE); 1744 zfs_restricted_update(zfsvfs, aclp, acep); 1745 continue; 1746 } 1747 1748 ASSERT(vntype == VDIR); 1749 1750 newflags = aclp->z_ops.ace_flags_get(acep); 1751 if ((iflags & (ACE_FILE_INHERIT_ACE | 1752 ACE_DIRECTORY_INHERIT_ACE)) != 1753 ACE_FILE_INHERIT_ACE) { 1754 aclnode2 = zfs_acl_node_alloc(ace_size); 1755 list_insert_tail(&aclp->z_acl, aclnode2); 1756 acep2 = aclnode2->z_acldata; 1757 zfs_set_ace(aclp, acep2, 1758 access_mask, type, who, 1759 iflags|ACE_INHERITED_ACE); 1760 newflags |= ACE_INHERIT_ONLY_ACE; 1761 aclp->z_ops.ace_flags_set(acep, newflags); 1762 newflags &= ~ALL_INHERIT; 1763 aclp->z_ops.ace_flags_set(acep2, 1764 newflags|ACE_INHERITED_ACE); 1765 1766 /* 1767 * Copy special opaque data if any 1768 */ 1769 if ((data1sz = aclp->z_ops.ace_data(acep, 1770 &data1)) != 0) { 1771 VERIFY((data2sz = 1772 aclp->z_ops.ace_data(acep2, 1773 &data2)) == data1sz); 1774 bcopy(data1, data2, data1sz); 1775 } 1776 aclp->z_acl_count++; 1777 aclnode2->z_ace_count++; 1778 aclp->z_acl_bytes += aclnode->z_size; 1779 zfs_restricted_update(zfsvfs, aclp, acep2); 1780 } else { 1781 newflags |= ACE_INHERIT_ONLY_ACE; 1782 aclp->z_ops.ace_flags_set(acep, 1783 newflags|ACE_INHERITED_ACE); 1784 } 1785 } 1786 } 1787 return (aclp); 1788} 1789 1790/* 1791 * Create file system object initial permissions 1792 * including inheritable ACEs. 1793 */ 1794void 1795zfs_perm_init(znode_t *zp, znode_t *parent, int flag, 1796 vattr_t *vap, dmu_tx_t *tx, cred_t *cr, 1797 zfs_acl_t *setaclp, zfs_fuid_info_t **fuidp) 1798{ 1799 uint64_t mode, fuid, fgid; 1800 int error; 1801 zfsvfs_t *zfsvfs = zp->z_zfsvfs; 1802 zfs_acl_t *aclp = NULL; 1803 zfs_acl_t *paclp; 1804 xvattr_t *xvap = (xvattr_t *)vap; 1805 gid_t gid; 1806 boolean_t need_chmod = B_TRUE; 1807 1808 if (setaclp) 1809 aclp = setaclp; 1810 1811 mode = MAKEIMODE(vap->va_type, vap->va_mode); 1812 1813 /* 1814 * Determine uid and gid. 1815 */ 1816 if ((flag & (IS_ROOT_NODE | IS_REPLAY)) || 1817 ((flag & IS_XATTR) && (vap->va_type == VDIR))) { 1818 fuid = zfs_fuid_create(zfsvfs, vap->va_uid, cr, 1819 ZFS_OWNER, tx, fuidp); 1820 fgid = zfs_fuid_create(zfsvfs, vap->va_gid, cr, 1821 ZFS_GROUP, tx, fuidp); 1822 gid = vap->va_gid; 1823 } else { 1824 fuid = zfs_fuid_create_cred(zfsvfs, ZFS_OWNER, tx, cr, fuidp); 1825 fgid = 0; 1826 if (vap->va_mask & AT_GID) { 1827 fgid = zfs_fuid_create(zfsvfs, vap->va_gid, cr, 1828 ZFS_GROUP, tx, fuidp); 1829 gid = vap->va_gid; 1830 if (fgid != parent->z_phys->zp_gid && 1831 !groupmember(vap->va_gid, cr) && 1832 secpolicy_vnode_create_gid(cr) != 0) 1833 fgid = 0; 1834 } 1835 if (fgid == 0) { 1836 if (parent->z_phys->zp_mode & S_ISGID) { 1837 fgid = parent->z_phys->zp_gid; 1838 gid = zfs_fuid_map_id(zfsvfs, fgid, 1839 cr, ZFS_GROUP); 1840 } else { 1841 fgid = zfs_fuid_create_cred(zfsvfs, 1842 ZFS_GROUP, tx, cr, fuidp); 1843#ifdef __FreeBSD__ 1844 gid = parent->z_phys->zp_gid; 1845#else 1846 gid = crgetgid(cr); 1847#endif 1848 } 1849 } 1850 } 1851 1852 /* 1853 * If we're creating a directory, and the parent directory has the 1854 * set-GID bit set, set in on the new directory. 1855 * Otherwise, if the user is neither privileged nor a member of the 1856 * file's new group, clear the file's set-GID bit. 1857 */ 1858 1859 if ((parent->z_phys->zp_mode & S_ISGID) && (vap->va_type == VDIR)) { 1860 mode |= S_ISGID; 1861 } else { 1862 if ((mode & S_ISGID) && 1863 secpolicy_vnode_setids_setgids(ZTOV(zp), cr, gid) != 0) 1864 mode &= ~S_ISGID; 1865 } 1866 1867 zp->z_phys->zp_uid = fuid; 1868 zp->z_phys->zp_gid = fgid; 1869 zp->z_phys->zp_mode = mode; 1870 1871 if (aclp == NULL) { 1872 mutex_enter(&parent->z_lock); 1873 if ((ZTOV(parent)->v_type == VDIR && 1874 (parent->z_phys->zp_flags & ZFS_INHERIT_ACE)) && 1875 !(zp->z_phys->zp_flags & ZFS_XATTR)) { 1876 mutex_enter(&parent->z_acl_lock); 1877 VERIFY(0 == zfs_acl_node_read(parent, &paclp, B_FALSE)); 1878 mutex_exit(&parent->z_acl_lock); 1879 aclp = zfs_acl_inherit(zp, paclp, &need_chmod); 1880 zfs_acl_free(paclp); 1881 } else { 1882 aclp = zfs_acl_alloc(zfs_acl_version_zp(zp)); 1883 } 1884 mutex_exit(&parent->z_lock); 1885 mutex_enter(&zp->z_lock); 1886 mutex_enter(&zp->z_acl_lock); 1887 if (need_chmod) 1888 zfs_acl_chmod(zp, mode, aclp); 1889 } else { 1890 mutex_enter(&zp->z_lock); 1891 mutex_enter(&zp->z_acl_lock); 1892 } 1893 1894 /* Force auto_inherit on all new directory objects */ 1895 if (vap->va_type == VDIR) 1896 aclp->z_hints |= ZFS_ACL_AUTO_INHERIT; 1897 1898 error = zfs_aclset_common(zp, aclp, cr, fuidp, tx); 1899 1900 /* Set optional attributes if any */ 1901 if (vap->va_mask & AT_XVATTR) 1902 zfs_xvattr_set(zp, xvap); 1903 1904 mutex_exit(&zp->z_lock); 1905 mutex_exit(&zp->z_acl_lock); 1906 ASSERT3U(error, ==, 0); 1907 1908 if (aclp != setaclp) 1909 zfs_acl_free(aclp); 1910} 1911 1912/* 1913 * Retrieve a files ACL 1914 */ 1915int 1916zfs_getacl(znode_t *zp, vsecattr_t *vsecp, boolean_t skipaclchk, cred_t *cr) 1917{ 1918 zfs_acl_t *aclp; 1919 ulong_t mask; 1920 int error; 1921 int count = 0; 1922 int largeace = 0; 1923 1924 mask = vsecp->vsa_mask & (VSA_ACE | VSA_ACECNT | 1925 VSA_ACE_ACLFLAGS | VSA_ACE_ALLTYPES); 1926 1927 if (error = zfs_zaccess(zp, ACE_READ_ACL, 0, skipaclchk, cr)) 1928 return (error); 1929 1930 if (mask == 0) 1931 return (ENOSYS); 1932 1933 mutex_enter(&zp->z_acl_lock); 1934 1935 error = zfs_acl_node_read(zp, &aclp, B_FALSE); 1936 if (error != 0) { 1937 mutex_exit(&zp->z_acl_lock); 1938 return (error); 1939 } 1940 1941 /* 1942 * Scan ACL to determine number of ACEs 1943 */ 1944 if ((zp->z_phys->zp_flags & ZFS_ACL_OBJ_ACE) && 1945 !(mask & VSA_ACE_ALLTYPES)) { 1946 void *zacep = NULL; 1947 uint64_t who; 1948 uint32_t access_mask; 1949 uint16_t type, iflags; 1950 1951 while (zacep = zfs_acl_next_ace(aclp, zacep, 1952 &who, &access_mask, &iflags, &type)) { 1953 switch (type) { 1954 case ACE_ACCESS_ALLOWED_OBJECT_ACE_TYPE: 1955 case ACE_ACCESS_DENIED_OBJECT_ACE_TYPE: 1956 case ACE_SYSTEM_AUDIT_OBJECT_ACE_TYPE: 1957 case ACE_SYSTEM_ALARM_OBJECT_ACE_TYPE: 1958 largeace++; 1959 continue; 1960 default: 1961 count++; 1962 } 1963 } 1964 vsecp->vsa_aclcnt = count; 1965 } else 1966 count = aclp->z_acl_count; 1967 1968 if (mask & VSA_ACECNT) { 1969 vsecp->vsa_aclcnt = count; 1970 } 1971 1972 if (mask & VSA_ACE) { 1973 size_t aclsz; 1974 1975 zfs_acl_node_t *aclnode = list_head(&aclp->z_acl); 1976 1977 aclsz = count * sizeof (ace_t) + 1978 sizeof (ace_object_t) * largeace; 1979 1980 vsecp->vsa_aclentp = kmem_alloc(aclsz, KM_SLEEP); 1981 vsecp->vsa_aclentsz = aclsz; 1982 1983 if (aclp->z_version == ZFS_ACL_VERSION_FUID) 1984 zfs_copy_fuid_2_ace(zp->z_zfsvfs, aclp, cr, 1985 vsecp->vsa_aclentp, !(mask & VSA_ACE_ALLTYPES)); 1986 else { 1987 bcopy(aclnode->z_acldata, vsecp->vsa_aclentp, 1988 count * sizeof (ace_t)); 1989 } 1990 } 1991 if (mask & VSA_ACE_ACLFLAGS) { 1992 vsecp->vsa_aclflags = 0; 1993 if (zp->z_phys->zp_flags & ZFS_ACL_DEFAULTED) 1994 vsecp->vsa_aclflags |= ACL_DEFAULTED; 1995 if (zp->z_phys->zp_flags & ZFS_ACL_PROTECTED) 1996 vsecp->vsa_aclflags |= ACL_PROTECTED; 1997 if (zp->z_phys->zp_flags & ZFS_ACL_AUTO_INHERIT) 1998 vsecp->vsa_aclflags |= ACL_AUTO_INHERIT; 1999 } 2000 2001 mutex_exit(&zp->z_acl_lock); 2002 2003 zfs_acl_free(aclp); 2004 2005 return (0); 2006} 2007 2008int 2009zfs_vsec_2_aclp(zfsvfs_t *zfsvfs, vtype_t obj_type, 2010 vsecattr_t *vsecp, zfs_acl_t **zaclp) 2011{ 2012 zfs_acl_t *aclp; 2013 zfs_acl_node_t *aclnode; 2014 int aclcnt = vsecp->vsa_aclcnt; 2015 int error; 2016 2017 if (vsecp->vsa_aclcnt > MAX_ACL_ENTRIES || vsecp->vsa_aclcnt <= 0) 2018 return (EINVAL); 2019 2020 aclp = zfs_acl_alloc(zfs_acl_version(zfsvfs->z_version)); 2021 2022 aclp->z_hints = 0; 2023 aclnode = zfs_acl_node_alloc(aclcnt * sizeof (zfs_object_ace_t)); 2024 if (aclp->z_version == ZFS_ACL_VERSION_INITIAL) { 2025 if ((error = zfs_copy_ace_2_oldace(obj_type, aclp, 2026 (ace_t *)vsecp->vsa_aclentp, aclnode->z_acldata, 2027 aclcnt, &aclnode->z_size)) != 0) { 2028 zfs_acl_free(aclp); 2029 zfs_acl_node_free(aclnode); 2030 return (error); 2031 } 2032 } else { 2033 if ((error = zfs_copy_ace_2_fuid(obj_type, aclp, 2034 vsecp->vsa_aclentp, aclnode->z_acldata, aclcnt, 2035 &aclnode->z_size)) != 0) { 2036 zfs_acl_free(aclp); 2037 zfs_acl_node_free(aclnode); 2038 return (error); 2039 } 2040 } 2041 aclp->z_acl_bytes = aclnode->z_size; 2042 aclnode->z_ace_count = aclcnt; 2043 aclp->z_acl_count = aclcnt; 2044 list_insert_head(&aclp->z_acl, aclnode); 2045 2046 /* 2047 * If flags are being set then add them to z_hints 2048 */ 2049 if (vsecp->vsa_mask & VSA_ACE_ACLFLAGS) { 2050 if (vsecp->vsa_aclflags & ACL_PROTECTED) 2051 aclp->z_hints |= ZFS_ACL_PROTECTED; 2052 if (vsecp->vsa_aclflags & ACL_DEFAULTED) 2053 aclp->z_hints |= ZFS_ACL_DEFAULTED; 2054 if (vsecp->vsa_aclflags & ACL_AUTO_INHERIT) 2055 aclp->z_hints |= ZFS_ACL_AUTO_INHERIT; 2056 } 2057 2058 *zaclp = aclp; 2059 2060 return (0); 2061} 2062 2063/* 2064 * Set a files ACL 2065 */ 2066int 2067zfs_setacl(znode_t *zp, vsecattr_t *vsecp, boolean_t skipaclchk, cred_t *cr) 2068{ 2069 zfsvfs_t *zfsvfs = zp->z_zfsvfs; 2070 zilog_t *zilog = zfsvfs->z_log; 2071 ulong_t mask = vsecp->vsa_mask & (VSA_ACE | VSA_ACECNT); 2072 dmu_tx_t *tx; 2073 int error; 2074 zfs_acl_t *aclp; 2075 zfs_fuid_info_t *fuidp = NULL; 2076 2077 if (mask == 0) 2078 return (ENOSYS); 2079 2080 if (zp->z_phys->zp_flags & ZFS_IMMUTABLE) 2081 return (EPERM); 2082 2083 if (error = zfs_zaccess(zp, ACE_WRITE_ACL, 0, skipaclchk, cr)) 2084 return (error); 2085 2086 error = zfs_vsec_2_aclp(zfsvfs, ZTOV(zp)->v_type, vsecp, &aclp); 2087 if (error) 2088 return (error); 2089 2090 /* 2091 * If ACL wide flags aren't being set then preserve any 2092 * existing flags. 2093 */ 2094 if (!(vsecp->vsa_mask & VSA_ACE_ACLFLAGS)) { 2095 aclp->z_hints |= (zp->z_phys->zp_flags & V4_ACL_WIDE_FLAGS); 2096 } 2097top: 2098 if (error = zfs_zaccess(zp, ACE_WRITE_ACL, 0, skipaclchk, cr)) { 2099 zfs_acl_free(aclp); 2100 return (error); 2101 } 2102 2103 mutex_enter(&zp->z_lock); 2104 mutex_enter(&zp->z_acl_lock); 2105 2106 tx = dmu_tx_create(zfsvfs->z_os); 2107 dmu_tx_hold_bonus(tx, zp->z_id); 2108 2109 if (zp->z_phys->zp_acl.z_acl_extern_obj) { 2110 /* Are we upgrading ACL? */ 2111 if (zfsvfs->z_version <= ZPL_VERSION_FUID && 2112 zp->z_phys->zp_acl.z_acl_version == 2113 ZFS_ACL_VERSION_INITIAL) { 2114 dmu_tx_hold_free(tx, 2115 zp->z_phys->zp_acl.z_acl_extern_obj, 2116 0, DMU_OBJECT_END); 2117 dmu_tx_hold_write(tx, DMU_NEW_OBJECT, 2118 0, aclp->z_acl_bytes); 2119 } else { 2120 dmu_tx_hold_write(tx, 2121 zp->z_phys->zp_acl.z_acl_extern_obj, 2122 0, aclp->z_acl_bytes); 2123 } 2124 } else if (aclp->z_acl_bytes > ZFS_ACE_SPACE) { 2125 dmu_tx_hold_write(tx, DMU_NEW_OBJECT, 0, aclp->z_acl_bytes); 2126 } 2127 if (aclp->z_has_fuids) { 2128 if (zfsvfs->z_fuid_obj == 0) { 2129 dmu_tx_hold_bonus(tx, DMU_NEW_OBJECT); 2130 dmu_tx_hold_write(tx, DMU_NEW_OBJECT, 0, 2131 FUID_SIZE_ESTIMATE(zfsvfs)); 2132 dmu_tx_hold_zap(tx, MASTER_NODE_OBJ, FALSE, NULL); 2133 } else { 2134 dmu_tx_hold_bonus(tx, zfsvfs->z_fuid_obj); 2135 dmu_tx_hold_write(tx, zfsvfs->z_fuid_obj, 0, 2136 FUID_SIZE_ESTIMATE(zfsvfs)); 2137 } 2138 } 2139 2140 error = dmu_tx_assign(tx, zfsvfs->z_assign); 2141 if (error) { 2142 mutex_exit(&zp->z_acl_lock); 2143 mutex_exit(&zp->z_lock); 2144 2145 if (error == ERESTART && zfsvfs->z_assign == TXG_NOWAIT) { 2146 dmu_tx_wait(tx); 2147 dmu_tx_abort(tx); 2148 goto top; 2149 } 2150 dmu_tx_abort(tx); 2151 zfs_acl_free(aclp); 2152 return (error); 2153 } 2154 2155 error = zfs_aclset_common(zp, aclp, cr, &fuidp, tx); 2156 ASSERT(error == 0); 2157 2158 zfs_log_acl(zilog, tx, zp, vsecp, fuidp); 2159 2160 if (fuidp) 2161 zfs_fuid_info_free(fuidp); 2162 zfs_acl_free(aclp); 2163 dmu_tx_commit(tx); 2164done: 2165 mutex_exit(&zp->z_acl_lock); 2166 mutex_exit(&zp->z_lock); 2167 2168 return (error); 2169} 2170 2171/* 2172 * working_mode returns the permissions that were not granted 2173 */ 2174static int 2175zfs_zaccess_common(znode_t *zp, uint32_t v4_mode, uint32_t *working_mode, 2176 boolean_t *check_privs, boolean_t skipaclchk, cred_t *cr) 2177{ 2178 zfs_acl_t *aclp; 2179 zfsvfs_t *zfsvfs = zp->z_zfsvfs; 2180 int error; 2181 uid_t uid = crgetuid(cr); 2182 uint64_t who; 2183 uint16_t type, iflags; 2184 uint16_t entry_type; 2185 uint32_t access_mask; 2186 uint32_t deny_mask = 0; 2187 zfs_ace_hdr_t *acep = NULL; 2188 boolean_t checkit; 2189 uid_t fowner; 2190 uid_t gowner; 2191 2192 /* 2193 * Short circuit empty requests 2194 */ 2195 if (v4_mode == 0) 2196 return (0); 2197 2198 *check_privs = B_TRUE; 2199 2200 if (zfsvfs->z_assign >= TXG_INITIAL) { /* ZIL replay */ 2201 *working_mode = 0; 2202 return (0); 2203 } 2204 2205 *working_mode = v4_mode; 2206 2207 if ((v4_mode & WRITE_MASK) && 2208 (zp->z_zfsvfs->z_vfs->vfs_flag & VFS_RDONLY) && 2209 (!IS_DEVVP(ZTOV(zp)))) { 2210 *check_privs = B_FALSE; 2211 return (EROFS); 2212 } 2213 2214 /* 2215 * Only check for READONLY on non-directories. 2216 */ 2217 if ((v4_mode & WRITE_MASK_DATA) && 2218 (((ZTOV(zp)->v_type != VDIR) && 2219 (zp->z_phys->zp_flags & (ZFS_READONLY | ZFS_IMMUTABLE))) || 2220 (ZTOV(zp)->v_type == VDIR && 2221 (zp->z_phys->zp_flags & ZFS_IMMUTABLE)))) { 2222 *check_privs = B_FALSE; 2223 return (EPERM); 2224 } 2225 2226 if ((v4_mode & (ACE_DELETE | ACE_DELETE_CHILD)) && 2227 (zp->z_phys->zp_flags & ZFS_NOUNLINK)) { 2228 *check_privs = B_FALSE; 2229 return (EPERM); 2230 } 2231 2232 if (((v4_mode & (ACE_READ_DATA|ACE_EXECUTE)) && 2233 (zp->z_phys->zp_flags & ZFS_AV_QUARANTINED))) { 2234 *check_privs = B_FALSE; 2235 return (EACCES); 2236 } 2237 2238 /* 2239 * The caller requested that the ACL check be skipped. This 2240 * would only happen if the caller checked VOP_ACCESS() with a 2241 * 32 bit ACE mask and already had the appropriate permissions. 2242 */ 2243 if (skipaclchk) { 2244 *working_mode = 0; 2245 return (0); 2246 } 2247 2248 zfs_fuid_map_ids(zp, cr, &fowner, &gowner); 2249 2250 mutex_enter(&zp->z_acl_lock); 2251 2252 error = zfs_acl_node_read(zp, &aclp, B_FALSE); 2253 if (error != 0) { 2254 mutex_exit(&zp->z_acl_lock); 2255 return (error); 2256 } 2257 2258 while (acep = zfs_acl_next_ace(aclp, acep, &who, &access_mask, 2259 &iflags, &type)) { 2260 2261 if (!zfs_acl_valid_ace_type(type, iflags)) 2262 continue; 2263 2264 if (ZTOV(zp)->v_type == VDIR && (iflags & ACE_INHERIT_ONLY_ACE)) 2265 continue; 2266 2267 entry_type = (iflags & ACE_TYPE_FLAGS); 2268 2269 checkit = B_FALSE; 2270 2271 switch (entry_type) { 2272 case ACE_OWNER: 2273 if (uid == fowner) 2274 checkit = B_TRUE; 2275 break; 2276 case OWNING_GROUP: 2277 who = gowner; 2278 /*FALLTHROUGH*/ 2279 case ACE_IDENTIFIER_GROUP: 2280 checkit = zfs_groupmember(zfsvfs, who, cr); 2281 break; 2282 case ACE_EVERYONE: 2283 checkit = B_TRUE; 2284 break; 2285 2286 /* USER Entry */ 2287 default: 2288 if (entry_type == 0) { 2289 uid_t newid; 2290 2291 newid = zfs_fuid_map_id(zfsvfs, who, cr, 2292 ZFS_ACE_USER); 2293 if (newid != IDMAP_WK_CREATOR_OWNER_UID && 2294 uid == newid) 2295 checkit = B_TRUE; 2296 break; 2297 } else { 2298 zfs_acl_free(aclp); 2299 mutex_exit(&zp->z_acl_lock); 2300 return (EIO); 2301 } 2302 } 2303 2304 if (checkit) { 2305 uint32_t mask_matched = (access_mask & *working_mode); 2306 2307 if (mask_matched) { 2308 if (type == DENY) 2309 deny_mask |= mask_matched; 2310 2311 *working_mode &= ~mask_matched; 2312 } 2313 } 2314 2315 /* Are we done? */ 2316 if (*working_mode == 0) 2317 break; 2318 } 2319 2320 mutex_exit(&zp->z_acl_lock); 2321 zfs_acl_free(aclp); 2322 2323 /* Put the found 'denies' back on the working mode */ 2324 if (deny_mask) { 2325 *working_mode |= deny_mask; 2326 return (EACCES); 2327 } else if (*working_mode) { 2328 return (-1); 2329 } 2330 2331 return (0); 2332} 2333 2334static int 2335zfs_zaccess_append(znode_t *zp, uint32_t *working_mode, boolean_t *check_privs, 2336 cred_t *cr) 2337{ 2338 if (*working_mode != ACE_WRITE_DATA) 2339 return (EACCES); 2340 2341 return (zfs_zaccess_common(zp, ACE_APPEND_DATA, working_mode, 2342 check_privs, B_FALSE, cr)); 2343} 2344 2345/* 2346 * Determine whether Access should be granted/denied, invoking least 2347 * priv subsytem when a deny is determined. 2348 */ 2349int 2350zfs_zaccess(znode_t *zp, int mode, int flags, boolean_t skipaclchk, cred_t *cr) 2351{ 2352 uint32_t working_mode; 2353 int error; 2354 int is_attr; 2355 zfsvfs_t *zfsvfs = zp->z_zfsvfs; 2356 boolean_t check_privs; 2357 znode_t *xzp; 2358 znode_t *check_zp = zp; 2359 2360 is_attr = ((zp->z_phys->zp_flags & ZFS_XATTR) && 2361 (ZTOV(zp)->v_type == VDIR)); 2362 2363#ifdef __FreeBSD__ 2364 /* 2365 * In FreeBSD, we don't care about permissions of individual ADS. 2366 * Note that not checking them is not just an optimization - without 2367 * this shortcut, EA operations may bogusly fail with EACCES. 2368 */ 2369 if (zp->z_phys->zp_flags & ZFS_XATTR) 2370 return (0); 2371#else 2372 /* 2373 * If attribute then validate against base file 2374 */ 2375 if (is_attr) { 2376 if ((error = zfs_zget(zp->z_zfsvfs, 2377 zp->z_phys->zp_parent, &xzp)) != 0) { 2378 return (error); 2379 } 2380 2381 check_zp = xzp; 2382 2383 /* 2384 * fixup mode to map to xattr perms 2385 */ 2386 2387 if (mode & (ACE_WRITE_DATA|ACE_APPEND_DATA)) { 2388 mode &= ~(ACE_WRITE_DATA|ACE_APPEND_DATA); 2389 mode |= ACE_WRITE_NAMED_ATTRS; 2390 } 2391 2392 if (mode & (ACE_READ_DATA|ACE_EXECUTE)) { 2393 mode &= ~(ACE_READ_DATA|ACE_EXECUTE); 2394 mode |= ACE_READ_NAMED_ATTRS; 2395 } 2396 } 2397#endif 2398 2399 if ((error = zfs_zaccess_common(check_zp, mode, &working_mode, 2400 &check_privs, skipaclchk, cr)) == 0) { 2401 if (is_attr) 2402 VN_RELE(ZTOV(xzp)); 2403 return (0); 2404 } 2405 2406 if (error && !check_privs) { 2407 if (is_attr) 2408 VN_RELE(ZTOV(xzp)); 2409 return (error); 2410 } 2411 2412 if (error && (flags & V_APPEND)) { 2413 error = zfs_zaccess_append(zp, &working_mode, &check_privs, cr); 2414 } 2415 2416 if (error && check_privs) { 2417 uid_t owner; 2418 mode_t checkmode = 0; 2419 2420 owner = zfs_fuid_map_id(zfsvfs, check_zp->z_phys->zp_uid, cr, 2421 ZFS_OWNER); 2422 2423 /* 2424 * First check for implicit owner permission on 2425 * read_acl/read_attributes 2426 */ 2427 2428 error = 0; 2429 ASSERT(working_mode != 0); 2430 2431 if ((working_mode & (ACE_READ_ACL|ACE_READ_ATTRIBUTES) && 2432 owner == crgetuid(cr))) 2433 working_mode &= ~(ACE_READ_ACL|ACE_READ_ATTRIBUTES); 2434 2435 if (working_mode & (ACE_READ_DATA|ACE_READ_NAMED_ATTRS| 2436 ACE_READ_ACL|ACE_READ_ATTRIBUTES|ACE_SYNCHRONIZE)) 2437 checkmode |= VREAD; 2438 if (working_mode & (ACE_WRITE_DATA|ACE_WRITE_NAMED_ATTRS| 2439 ACE_APPEND_DATA|ACE_WRITE_ATTRIBUTES|ACE_SYNCHRONIZE)) 2440 checkmode |= VWRITE; 2441 if (working_mode & ACE_EXECUTE) 2442 checkmode |= VEXEC; 2443 2444 if (checkmode) 2445 error = secpolicy_vnode_access(cr, ZTOV(check_zp), 2446 owner, checkmode); 2447 2448 if (error == 0 && (working_mode & ACE_WRITE_OWNER)) 2449 error = secpolicy_vnode_chown(ZTOV(check_zp), cr, B_TRUE); 2450 if (error == 0 && (working_mode & ACE_WRITE_ACL)) 2451 error = secpolicy_vnode_setdac(ZTOV(check_zp), cr, owner); 2452 2453 if (error == 0 && (working_mode & 2454 (ACE_DELETE|ACE_DELETE_CHILD))) 2455 error = secpolicy_vnode_remove(ZTOV(check_zp), cr); 2456 2457 if (error == 0 && (working_mode & ACE_SYNCHRONIZE)) { 2458 error = secpolicy_vnode_chown(ZTOV(check_zp), cr, B_FALSE); 2459 } 2460 if (error == 0) { 2461 /* 2462 * See if any bits other than those already checked 2463 * for are still present. If so then return EACCES 2464 */ 2465 if (working_mode & ~(ZFS_CHECKED_MASKS)) { 2466 error = EACCES; 2467 } 2468 } 2469 } 2470 2471 if (is_attr) 2472 VN_RELE(ZTOV(xzp)); 2473 2474 return (error); 2475} 2476 2477/* 2478 * Translate traditional unix VREAD/VWRITE/VEXEC mode into 2479 * native ACL format and call zfs_zaccess() 2480 */ 2481int 2482zfs_zaccess_rwx(znode_t *zp, mode_t mode, int flags, cred_t *cr) 2483{ 2484 return (zfs_zaccess(zp, zfs_unix_to_v4(mode >> 6), flags, B_FALSE, cr)); 2485} 2486 2487/* 2488 * Access function for secpolicy_vnode_setattr 2489 */ 2490int 2491zfs_zaccess_unix(znode_t *zp, mode_t mode, cred_t *cr) 2492{ 2493 int v4_mode = zfs_unix_to_v4(mode >> 6); 2494 2495 return (zfs_zaccess(zp, v4_mode, 0, B_FALSE, cr)); 2496} 2497 2498static int 2499zfs_delete_final_check(znode_t *zp, znode_t *dzp, 2500 mode_t missing_perms, cred_t *cr) 2501{ 2502 int error; 2503 uid_t downer; 2504 zfsvfs_t *zfsvfs = zp->z_zfsvfs; 2505 2506 downer = zfs_fuid_map_id(zfsvfs, dzp->z_phys->zp_uid, cr, ZFS_OWNER); 2507 2508 error = secpolicy_vnode_access(cr, ZTOV(dzp), downer, missing_perms); 2509 2510 if (error == 0) 2511 error = zfs_sticky_remove_access(dzp, zp, cr); 2512 2513 return (error); 2514} 2515 2516/* 2517 * Determine whether Access should be granted/deny, without 2518 * consulting least priv subsystem. 2519 * 2520 * 2521 * The following chart is the recommended NFSv4 enforcement for 2522 * ability to delete an object. 2523 * 2524 * ------------------------------------------------------- 2525 * | Parent Dir | Target Object Permissions | 2526 * | permissions | | 2527 * ------------------------------------------------------- 2528 * | | ACL Allows | ACL Denies| Delete | 2529 * | | Delete | Delete | unspecified| 2530 * ------------------------------------------------------- 2531 * | ACL Allows | Permit | Permit | Permit | 2532 * | DELETE_CHILD | | 2533 * ------------------------------------------------------- 2534 * | ACL Denies | Permit | Deny | Deny | 2535 * | DELETE_CHILD | | | | 2536 * ------------------------------------------------------- 2537 * | ACL specifies | | | | 2538 * | only allow | Permit | Permit | Permit | 2539 * | write and | | | | 2540 * | execute | | | | 2541 * ------------------------------------------------------- 2542 * | ACL denies | | | | 2543 * | write and | Permit | Deny | Deny | 2544 * | execute | | | | 2545 * ------------------------------------------------------- 2546 * ^ 2547 * | 2548 * No search privilege, can't even look up file? 2549 * 2550 */ 2551int 2552zfs_zaccess_delete(znode_t *dzp, znode_t *zp, cred_t *cr) 2553{ 2554 uint32_t dzp_working_mode = 0; 2555 uint32_t zp_working_mode = 0; 2556 int dzp_error, zp_error; 2557 mode_t missing_perms; 2558 boolean_t dzpcheck_privs = B_TRUE; 2559 boolean_t zpcheck_privs = B_TRUE; 2560 2561 /* 2562 * We want specific DELETE permissions to 2563 * take precedence over WRITE/EXECUTE. We don't 2564 * want an ACL such as this to mess us up. 2565 * user:joe:write_data:deny,user:joe:delete:allow 2566 * 2567 * However, deny permissions may ultimately be overridden 2568 * by secpolicy_vnode_access(). 2569 * 2570 * We will ask for all of the necessary permissions and then 2571 * look at the working modes from the directory and target object 2572 * to determine what was found. 2573 */ 2574 2575 if (zp->z_phys->zp_flags & (ZFS_IMMUTABLE | ZFS_NOUNLINK)) 2576 return (EPERM); 2577 2578 /* 2579 * First row 2580 * If the directory permissions allow the delete, we are done. 2581 */ 2582 if ((dzp_error = zfs_zaccess_common(dzp, ACE_DELETE_CHILD, 2583 &dzp_working_mode, &dzpcheck_privs, B_FALSE, cr)) == 0) 2584 return (0); 2585 2586 /* 2587 * If target object has delete permission then we are done 2588 */ 2589 if ((zp_error = zfs_zaccess_common(zp, ACE_DELETE, &zp_working_mode, 2590 &zpcheck_privs, B_FALSE, cr)) == 0) 2591 return (0); 2592 2593 ASSERT(dzp_error && zp_error); 2594 2595 if (!dzpcheck_privs) 2596 return (dzp_error); 2597 if (!zpcheck_privs) 2598 return (zp_error); 2599 2600 /* 2601 * Second row 2602 * 2603 * If directory returns EACCES then delete_child was denied 2604 * due to deny delete_child. In this case send the request through 2605 * secpolicy_vnode_remove(). We don't use zfs_delete_final_check() 2606 * since that *could* allow the delete based on write/execute permission 2607 * and we want delete permissions to override write/execute. 2608 */ 2609 2610 if (dzp_error == EACCES) 2611 return (secpolicy_vnode_remove(ZTOV(dzp), cr)); /* XXXPJD: s/dzp/zp/ ? */ 2612 2613 /* 2614 * Third Row 2615 * only need to see if we have write/execute on directory. 2616 */ 2617 2618 if ((dzp_error = zfs_zaccess_common(dzp, ACE_EXECUTE|ACE_WRITE_DATA, 2619 &dzp_working_mode, &dzpcheck_privs, B_FALSE, cr)) == 0) 2620 return (zfs_sticky_remove_access(dzp, zp, cr)); 2621 2622 if (!dzpcheck_privs) 2623 return (dzp_error); 2624 2625 /* 2626 * Fourth row 2627 */ 2628 2629 missing_perms = (dzp_working_mode & ACE_WRITE_DATA) ? VWRITE : 0; 2630 missing_perms |= (dzp_working_mode & ACE_EXECUTE) ? VEXEC : 0; 2631 2632 ASSERT(missing_perms); 2633 2634 return (zfs_delete_final_check(zp, dzp, missing_perms, cr)); 2635 2636} 2637 2638int 2639zfs_zaccess_rename(znode_t *sdzp, znode_t *szp, znode_t *tdzp, 2640 znode_t *tzp, cred_t *cr) 2641{ 2642 int add_perm; 2643 int error; 2644 2645 if (szp->z_phys->zp_flags & ZFS_AV_QUARANTINED) 2646 return (EACCES); 2647 2648 add_perm = (ZTOV(szp)->v_type == VDIR) ? 2649 ACE_ADD_SUBDIRECTORY : ACE_ADD_FILE; 2650 2651 /* 2652 * Rename permissions are combination of delete permission + 2653 * add file/subdir permission. 2654 * 2655 * BSD operating systems also require write permission 2656 * on the directory being moved from one parent directory 2657 * to another. 2658 */ 2659 if (ZTOV(szp)->v_type == VDIR && ZTOV(sdzp) != ZTOV(tdzp)) { 2660 if (error = zfs_zaccess(szp, ACE_WRITE_DATA, 0, B_FALSE, cr)) 2661 return (error); 2662 } 2663 2664 /* 2665 * first make sure we do the delete portion. 2666 * 2667 * If that succeeds then check for add_file/add_subdir permissions 2668 */ 2669 2670 if (error = zfs_zaccess_delete(sdzp, szp, cr)) 2671 return (error); 2672 2673 /* 2674 * If we have a tzp, see if we can delete it? 2675 */ 2676 if (tzp) { 2677 if (error = zfs_zaccess_delete(tdzp, tzp, cr)) 2678 return (error); 2679 } 2680 2681 /* 2682 * Now check for add permissions 2683 */ 2684 error = zfs_zaccess(tdzp, add_perm, 0, B_FALSE, cr); 2685 2686 return (error); 2687} 2688