zfs_acl.c revision 224174
1/* 2 * CDDL HEADER START 3 * 4 * The contents of this file are subject to the terms of the 5 * Common Development and Distribution License (the "License"). 6 * You may not use this file except in compliance with the License. 7 * 8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE 9 * or http://www.opensolaris.org/os/licensing. 10 * See the License for the specific language governing permissions 11 * and limitations under the License. 12 * 13 * When distributing Covered Code, include this CDDL HEADER in each 14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE. 15 * If applicable, add the following below this CDDL HEADER, with the 16 * fields enclosed by brackets "[]" replaced with your own identifying 17 * information: Portions Copyright [yyyy] [name of copyright owner] 18 * 19 * CDDL HEADER END 20 */ 21/* 22 * Copyright (c) 2005, 2010, Oracle and/or its affiliates. All rights reserved. 23 * Copyright 2011 Nexenta Systems, Inc. All rights reserved. 24 */ 25 26#include <sys/types.h> 27#include <sys/param.h> 28#include <sys/time.h> 29#include <sys/systm.h> 30#include <sys/sysmacros.h> 31#include <sys/resource.h> 32#include <sys/vfs.h> 33#include <sys/vnode.h> 34#include <sys/file.h> 35#include <sys/stat.h> 36#include <sys/kmem.h> 37#include <sys/cmn_err.h> 38#include <sys/errno.h> 39#include <sys/unistd.h> 40#include <sys/sdt.h> 41#include <sys/fs/zfs.h> 42#include <sys/policy.h> 43#include <sys/zfs_znode.h> 44#include <sys/zfs_fuid.h> 45#include <sys/zfs_acl.h> 46#include <sys/zfs_dir.h> 47#include <sys/zfs_vfsops.h> 48#include <sys/dmu.h> 49#include <sys/dnode.h> 50#include <sys/zap.h> 51#include <sys/sa.h> 52#include <acl/acl_common.h> 53 54#define ALLOW ACE_ACCESS_ALLOWED_ACE_TYPE 55#define DENY ACE_ACCESS_DENIED_ACE_TYPE 56#define MAX_ACE_TYPE ACE_SYSTEM_ALARM_CALLBACK_OBJECT_ACE_TYPE 57#define MIN_ACE_TYPE ALLOW 58 59#define OWNING_GROUP (ACE_GROUP|ACE_IDENTIFIER_GROUP) 60#define EVERYONE_ALLOW_MASK (ACE_READ_ACL|ACE_READ_ATTRIBUTES | \ 61 ACE_READ_NAMED_ATTRS|ACE_SYNCHRONIZE) 62#define EVERYONE_DENY_MASK (ACE_WRITE_ACL|ACE_WRITE_OWNER | \ 63 ACE_WRITE_ATTRIBUTES|ACE_WRITE_NAMED_ATTRS) 64#define OWNER_ALLOW_MASK (ACE_WRITE_ACL | ACE_WRITE_OWNER | \ 65 ACE_WRITE_ATTRIBUTES|ACE_WRITE_NAMED_ATTRS) 66 67#define ZFS_CHECKED_MASKS (ACE_READ_ACL|ACE_READ_ATTRIBUTES|ACE_READ_DATA| \ 68 ACE_READ_NAMED_ATTRS|ACE_WRITE_DATA|ACE_WRITE_ATTRIBUTES| \ 69 ACE_WRITE_NAMED_ATTRS|ACE_APPEND_DATA|ACE_EXECUTE|ACE_WRITE_OWNER| \ 70 ACE_WRITE_ACL|ACE_DELETE|ACE_DELETE_CHILD|ACE_SYNCHRONIZE) 71 72#define WRITE_MASK_DATA (ACE_WRITE_DATA|ACE_APPEND_DATA|ACE_WRITE_NAMED_ATTRS) 73#define WRITE_MASK_ATTRS (ACE_WRITE_ACL|ACE_WRITE_OWNER|ACE_WRITE_ATTRIBUTES| \ 74 ACE_DELETE|ACE_DELETE_CHILD) 75#define WRITE_MASK (WRITE_MASK_DATA|WRITE_MASK_ATTRS) 76 77#define OGE_CLEAR (ACE_READ_DATA|ACE_LIST_DIRECTORY|ACE_WRITE_DATA| \ 78 ACE_ADD_FILE|ACE_APPEND_DATA|ACE_ADD_SUBDIRECTORY|ACE_EXECUTE) 79 80#define OKAY_MASK_BITS (ACE_READ_DATA|ACE_LIST_DIRECTORY|ACE_WRITE_DATA| \ 81 ACE_ADD_FILE|ACE_APPEND_DATA|ACE_ADD_SUBDIRECTORY|ACE_EXECUTE) 82 83#define ALL_INHERIT (ACE_FILE_INHERIT_ACE|ACE_DIRECTORY_INHERIT_ACE | \ 84 ACE_NO_PROPAGATE_INHERIT_ACE|ACE_INHERIT_ONLY_ACE|ACE_INHERITED_ACE) 85 86#define RESTRICTED_CLEAR (ACE_WRITE_ACL|ACE_WRITE_OWNER) 87 88#define V4_ACL_WIDE_FLAGS (ZFS_ACL_AUTO_INHERIT|ZFS_ACL_DEFAULTED|\ 89 ZFS_ACL_PROTECTED) 90 91#define ZFS_ACL_WIDE_FLAGS (V4_ACL_WIDE_FLAGS|ZFS_ACL_TRIVIAL|ZFS_INHERIT_ACE|\ 92 ZFS_ACL_OBJ_ACE) 93 94#define ALL_MODE_EXECS (S_IXUSR | S_IXGRP | S_IXOTH) 95 96static uint16_t 97zfs_ace_v0_get_type(void *acep) 98{ 99 return (((zfs_oldace_t *)acep)->z_type); 100} 101 102static uint16_t 103zfs_ace_v0_get_flags(void *acep) 104{ 105 return (((zfs_oldace_t *)acep)->z_flags); 106} 107 108static uint32_t 109zfs_ace_v0_get_mask(void *acep) 110{ 111 return (((zfs_oldace_t *)acep)->z_access_mask); 112} 113 114static uint64_t 115zfs_ace_v0_get_who(void *acep) 116{ 117 return (((zfs_oldace_t *)acep)->z_fuid); 118} 119 120static void 121zfs_ace_v0_set_type(void *acep, uint16_t type) 122{ 123 ((zfs_oldace_t *)acep)->z_type = type; 124} 125 126static void 127zfs_ace_v0_set_flags(void *acep, uint16_t flags) 128{ 129 ((zfs_oldace_t *)acep)->z_flags = flags; 130} 131 132static void 133zfs_ace_v0_set_mask(void *acep, uint32_t mask) 134{ 135 ((zfs_oldace_t *)acep)->z_access_mask = mask; 136} 137 138static void 139zfs_ace_v0_set_who(void *acep, uint64_t who) 140{ 141 ((zfs_oldace_t *)acep)->z_fuid = who; 142} 143 144/*ARGSUSED*/ 145static size_t 146zfs_ace_v0_size(void *acep) 147{ 148 return (sizeof (zfs_oldace_t)); 149} 150 151static size_t 152zfs_ace_v0_abstract_size(void) 153{ 154 return (sizeof (zfs_oldace_t)); 155} 156 157static int 158zfs_ace_v0_mask_off(void) 159{ 160 return (offsetof(zfs_oldace_t, z_access_mask)); 161} 162 163/*ARGSUSED*/ 164static int 165zfs_ace_v0_data(void *acep, void **datap) 166{ 167 *datap = NULL; 168 return (0); 169} 170 171static acl_ops_t zfs_acl_v0_ops = { 172 zfs_ace_v0_get_mask, 173 zfs_ace_v0_set_mask, 174 zfs_ace_v0_get_flags, 175 zfs_ace_v0_set_flags, 176 zfs_ace_v0_get_type, 177 zfs_ace_v0_set_type, 178 zfs_ace_v0_get_who, 179 zfs_ace_v0_set_who, 180 zfs_ace_v0_size, 181 zfs_ace_v0_abstract_size, 182 zfs_ace_v0_mask_off, 183 zfs_ace_v0_data 184}; 185 186static uint16_t 187zfs_ace_fuid_get_type(void *acep) 188{ 189 return (((zfs_ace_hdr_t *)acep)->z_type); 190} 191 192static uint16_t 193zfs_ace_fuid_get_flags(void *acep) 194{ 195 return (((zfs_ace_hdr_t *)acep)->z_flags); 196} 197 198static uint32_t 199zfs_ace_fuid_get_mask(void *acep) 200{ 201 return (((zfs_ace_hdr_t *)acep)->z_access_mask); 202} 203 204static uint64_t 205zfs_ace_fuid_get_who(void *args) 206{ 207 uint16_t entry_type; 208 zfs_ace_t *acep = args; 209 210 entry_type = acep->z_hdr.z_flags & ACE_TYPE_FLAGS; 211 212 if (entry_type == ACE_OWNER || entry_type == OWNING_GROUP || 213 entry_type == ACE_EVERYONE) 214 return (-1); 215 return (((zfs_ace_t *)acep)->z_fuid); 216} 217 218static void 219zfs_ace_fuid_set_type(void *acep, uint16_t type) 220{ 221 ((zfs_ace_hdr_t *)acep)->z_type = type; 222} 223 224static void 225zfs_ace_fuid_set_flags(void *acep, uint16_t flags) 226{ 227 ((zfs_ace_hdr_t *)acep)->z_flags = flags; 228} 229 230static void 231zfs_ace_fuid_set_mask(void *acep, uint32_t mask) 232{ 233 ((zfs_ace_hdr_t *)acep)->z_access_mask = mask; 234} 235 236static void 237zfs_ace_fuid_set_who(void *arg, uint64_t who) 238{ 239 zfs_ace_t *acep = arg; 240 241 uint16_t entry_type = acep->z_hdr.z_flags & ACE_TYPE_FLAGS; 242 243 if (entry_type == ACE_OWNER || entry_type == OWNING_GROUP || 244 entry_type == ACE_EVERYONE) 245 return; 246 acep->z_fuid = who; 247} 248 249static size_t 250zfs_ace_fuid_size(void *acep) 251{ 252 zfs_ace_hdr_t *zacep = acep; 253 uint16_t entry_type; 254 255 switch (zacep->z_type) { 256 case ACE_ACCESS_ALLOWED_OBJECT_ACE_TYPE: 257 case ACE_ACCESS_DENIED_OBJECT_ACE_TYPE: 258 case ACE_SYSTEM_AUDIT_OBJECT_ACE_TYPE: 259 case ACE_SYSTEM_ALARM_OBJECT_ACE_TYPE: 260 return (sizeof (zfs_object_ace_t)); 261 case ALLOW: 262 case DENY: 263 entry_type = 264 (((zfs_ace_hdr_t *)acep)->z_flags & ACE_TYPE_FLAGS); 265 if (entry_type == ACE_OWNER || 266 entry_type == OWNING_GROUP || 267 entry_type == ACE_EVERYONE) 268 return (sizeof (zfs_ace_hdr_t)); 269 /*FALLTHROUGH*/ 270 default: 271 return (sizeof (zfs_ace_t)); 272 } 273} 274 275static size_t 276zfs_ace_fuid_abstract_size(void) 277{ 278 return (sizeof (zfs_ace_hdr_t)); 279} 280 281static int 282zfs_ace_fuid_mask_off(void) 283{ 284 return (offsetof(zfs_ace_hdr_t, z_access_mask)); 285} 286 287static int 288zfs_ace_fuid_data(void *acep, void **datap) 289{ 290 zfs_ace_t *zacep = acep; 291 zfs_object_ace_t *zobjp; 292 293 switch (zacep->z_hdr.z_type) { 294 case ACE_ACCESS_ALLOWED_OBJECT_ACE_TYPE: 295 case ACE_ACCESS_DENIED_OBJECT_ACE_TYPE: 296 case ACE_SYSTEM_AUDIT_OBJECT_ACE_TYPE: 297 case ACE_SYSTEM_ALARM_OBJECT_ACE_TYPE: 298 zobjp = acep; 299 *datap = (caddr_t)zobjp + sizeof (zfs_ace_t); 300 return (sizeof (zfs_object_ace_t) - sizeof (zfs_ace_t)); 301 default: 302 *datap = NULL; 303 return (0); 304 } 305} 306 307static acl_ops_t zfs_acl_fuid_ops = { 308 zfs_ace_fuid_get_mask, 309 zfs_ace_fuid_set_mask, 310 zfs_ace_fuid_get_flags, 311 zfs_ace_fuid_set_flags, 312 zfs_ace_fuid_get_type, 313 zfs_ace_fuid_set_type, 314 zfs_ace_fuid_get_who, 315 zfs_ace_fuid_set_who, 316 zfs_ace_fuid_size, 317 zfs_ace_fuid_abstract_size, 318 zfs_ace_fuid_mask_off, 319 zfs_ace_fuid_data 320}; 321 322/* 323 * The following three functions are provided for compatibility with 324 * older ZPL version in order to determine if the file use to have 325 * an external ACL and what version of ACL previously existed on the 326 * file. Would really be nice to not need this, sigh. 327 */ 328uint64_t 329zfs_external_acl(znode_t *zp) 330{ 331 zfs_acl_phys_t acl_phys; 332 int error; 333 334 if (zp->z_is_sa) 335 return (0); 336 337 /* 338 * Need to deal with a potential 339 * race where zfs_sa_upgrade could cause 340 * z_isa_sa to change. 341 * 342 * If the lookup fails then the state of z_is_sa should have 343 * changed. 344 */ 345 346 if ((error = sa_lookup(zp->z_sa_hdl, SA_ZPL_ZNODE_ACL(zp->z_zfsvfs), 347 &acl_phys, sizeof (acl_phys))) == 0) 348 return (acl_phys.z_acl_extern_obj); 349 else { 350 /* 351 * after upgrade the SA_ZPL_ZNODE_ACL should have been 352 * removed 353 */ 354 VERIFY(zp->z_is_sa && error == ENOENT); 355 return (0); 356 } 357} 358 359/* 360 * Determine size of ACL in bytes 361 * 362 * This is more complicated than it should be since we have to deal 363 * with old external ACLs. 364 */ 365static int 366zfs_acl_znode_info(znode_t *zp, int *aclsize, int *aclcount, 367 zfs_acl_phys_t *aclphys) 368{ 369 zfsvfs_t *zfsvfs = zp->z_zfsvfs; 370 uint64_t acl_count; 371 int size; 372 int error; 373 374 ASSERT(MUTEX_HELD(&zp->z_acl_lock)); 375 if (zp->z_is_sa) { 376 if ((error = sa_size(zp->z_sa_hdl, SA_ZPL_DACL_ACES(zfsvfs), 377 &size)) != 0) 378 return (error); 379 *aclsize = size; 380 if ((error = sa_lookup(zp->z_sa_hdl, SA_ZPL_DACL_COUNT(zfsvfs), 381 &acl_count, sizeof (acl_count))) != 0) 382 return (error); 383 *aclcount = acl_count; 384 } else { 385 if ((error = sa_lookup(zp->z_sa_hdl, SA_ZPL_ZNODE_ACL(zfsvfs), 386 aclphys, sizeof (*aclphys))) != 0) 387 return (error); 388 389 if (aclphys->z_acl_version == ZFS_ACL_VERSION_INITIAL) { 390 *aclsize = ZFS_ACL_SIZE(aclphys->z_acl_size); 391 *aclcount = aclphys->z_acl_size; 392 } else { 393 *aclsize = aclphys->z_acl_size; 394 *aclcount = aclphys->z_acl_count; 395 } 396 } 397 return (0); 398} 399 400int 401zfs_znode_acl_version(znode_t *zp) 402{ 403 zfs_acl_phys_t acl_phys; 404 405 if (zp->z_is_sa) 406 return (ZFS_ACL_VERSION_FUID); 407 else { 408 int error; 409 410 /* 411 * Need to deal with a potential 412 * race where zfs_sa_upgrade could cause 413 * z_isa_sa to change. 414 * 415 * If the lookup fails then the state of z_is_sa should have 416 * changed. 417 */ 418 if ((error = sa_lookup(zp->z_sa_hdl, 419 SA_ZPL_ZNODE_ACL(zp->z_zfsvfs), 420 &acl_phys, sizeof (acl_phys))) == 0) 421 return (acl_phys.z_acl_version); 422 else { 423 /* 424 * After upgrade SA_ZPL_ZNODE_ACL should have 425 * been removed. 426 */ 427 VERIFY(zp->z_is_sa && error == ENOENT); 428 return (ZFS_ACL_VERSION_FUID); 429 } 430 } 431} 432 433static int 434zfs_acl_version(int version) 435{ 436 if (version < ZPL_VERSION_FUID) 437 return (ZFS_ACL_VERSION_INITIAL); 438 else 439 return (ZFS_ACL_VERSION_FUID); 440} 441 442static int 443zfs_acl_version_zp(znode_t *zp) 444{ 445 return (zfs_acl_version(zp->z_zfsvfs->z_version)); 446} 447 448zfs_acl_t * 449zfs_acl_alloc(int vers) 450{ 451 zfs_acl_t *aclp; 452 453 aclp = kmem_zalloc(sizeof (zfs_acl_t), KM_SLEEP); 454 list_create(&aclp->z_acl, sizeof (zfs_acl_node_t), 455 offsetof(zfs_acl_node_t, z_next)); 456 aclp->z_version = vers; 457 if (vers == ZFS_ACL_VERSION_FUID) 458 aclp->z_ops = zfs_acl_fuid_ops; 459 else 460 aclp->z_ops = zfs_acl_v0_ops; 461 return (aclp); 462} 463 464zfs_acl_node_t * 465zfs_acl_node_alloc(size_t bytes) 466{ 467 zfs_acl_node_t *aclnode; 468 469 aclnode = kmem_zalloc(sizeof (zfs_acl_node_t), KM_SLEEP); 470 if (bytes) { 471 aclnode->z_acldata = kmem_alloc(bytes, KM_SLEEP); 472 aclnode->z_allocdata = aclnode->z_acldata; 473 aclnode->z_allocsize = bytes; 474 aclnode->z_size = bytes; 475 } 476 477 return (aclnode); 478} 479 480static void 481zfs_acl_node_free(zfs_acl_node_t *aclnode) 482{ 483 if (aclnode->z_allocsize) 484 kmem_free(aclnode->z_allocdata, aclnode->z_allocsize); 485 kmem_free(aclnode, sizeof (zfs_acl_node_t)); 486} 487 488static void 489zfs_acl_release_nodes(zfs_acl_t *aclp) 490{ 491 zfs_acl_node_t *aclnode; 492 493 while (aclnode = list_head(&aclp->z_acl)) { 494 list_remove(&aclp->z_acl, aclnode); 495 zfs_acl_node_free(aclnode); 496 } 497 aclp->z_acl_count = 0; 498 aclp->z_acl_bytes = 0; 499} 500 501void 502zfs_acl_free(zfs_acl_t *aclp) 503{ 504 zfs_acl_release_nodes(aclp); 505 list_destroy(&aclp->z_acl); 506 kmem_free(aclp, sizeof (zfs_acl_t)); 507} 508 509static boolean_t 510zfs_acl_valid_ace_type(uint_t type, uint_t flags) 511{ 512 uint16_t entry_type; 513 514 switch (type) { 515 case ALLOW: 516 case DENY: 517 case ACE_SYSTEM_AUDIT_ACE_TYPE: 518 case ACE_SYSTEM_ALARM_ACE_TYPE: 519 entry_type = flags & ACE_TYPE_FLAGS; 520 return (entry_type == ACE_OWNER || 521 entry_type == OWNING_GROUP || 522 entry_type == ACE_EVERYONE || entry_type == 0 || 523 entry_type == ACE_IDENTIFIER_GROUP); 524 default: 525 if (type >= MIN_ACE_TYPE && type <= MAX_ACE_TYPE) 526 return (B_TRUE); 527 } 528 return (B_FALSE); 529} 530 531static boolean_t 532zfs_ace_valid(vtype_t obj_type, zfs_acl_t *aclp, uint16_t type, uint16_t iflags) 533{ 534 /* 535 * first check type of entry 536 */ 537 538 if (!zfs_acl_valid_ace_type(type, iflags)) 539 return (B_FALSE); 540 541 switch (type) { 542 case ACE_ACCESS_ALLOWED_OBJECT_ACE_TYPE: 543 case ACE_ACCESS_DENIED_OBJECT_ACE_TYPE: 544 case ACE_SYSTEM_AUDIT_OBJECT_ACE_TYPE: 545 case ACE_SYSTEM_ALARM_OBJECT_ACE_TYPE: 546 if (aclp->z_version < ZFS_ACL_VERSION_FUID) 547 return (B_FALSE); 548 aclp->z_hints |= ZFS_ACL_OBJ_ACE; 549 } 550 551 /* 552 * next check inheritance level flags 553 */ 554 555 if (obj_type == VDIR && 556 (iflags & (ACE_FILE_INHERIT_ACE|ACE_DIRECTORY_INHERIT_ACE))) 557 aclp->z_hints |= ZFS_INHERIT_ACE; 558 559 if (iflags & (ACE_INHERIT_ONLY_ACE|ACE_NO_PROPAGATE_INHERIT_ACE)) { 560 if ((iflags & (ACE_FILE_INHERIT_ACE| 561 ACE_DIRECTORY_INHERIT_ACE)) == 0) { 562 return (B_FALSE); 563 } 564 } 565 566 return (B_TRUE); 567} 568 569static void * 570zfs_acl_next_ace(zfs_acl_t *aclp, void *start, uint64_t *who, 571 uint32_t *access_mask, uint16_t *iflags, uint16_t *type) 572{ 573 zfs_acl_node_t *aclnode; 574 575 ASSERT(aclp); 576 577 if (start == NULL) { 578 aclnode = list_head(&aclp->z_acl); 579 if (aclnode == NULL) 580 return (NULL); 581 582 aclp->z_next_ace = aclnode->z_acldata; 583 aclp->z_curr_node = aclnode; 584 aclnode->z_ace_idx = 0; 585 } 586 587 aclnode = aclp->z_curr_node; 588 589 if (aclnode == NULL) 590 return (NULL); 591 592 if (aclnode->z_ace_idx >= aclnode->z_ace_count) { 593 aclnode = list_next(&aclp->z_acl, aclnode); 594 if (aclnode == NULL) 595 return (NULL); 596 else { 597 aclp->z_curr_node = aclnode; 598 aclnode->z_ace_idx = 0; 599 aclp->z_next_ace = aclnode->z_acldata; 600 } 601 } 602 603 if (aclnode->z_ace_idx < aclnode->z_ace_count) { 604 void *acep = aclp->z_next_ace; 605 size_t ace_size; 606 607 /* 608 * Make sure we don't overstep our bounds 609 */ 610 ace_size = aclp->z_ops.ace_size(acep); 611 612 if (((caddr_t)acep + ace_size) > 613 ((caddr_t)aclnode->z_acldata + aclnode->z_size)) { 614 return (NULL); 615 } 616 617 *iflags = aclp->z_ops.ace_flags_get(acep); 618 *type = aclp->z_ops.ace_type_get(acep); 619 *access_mask = aclp->z_ops.ace_mask_get(acep); 620 *who = aclp->z_ops.ace_who_get(acep); 621 aclp->z_next_ace = (caddr_t)aclp->z_next_ace + ace_size; 622 aclnode->z_ace_idx++; 623 624 return ((void *)acep); 625 } 626 return (NULL); 627} 628 629/*ARGSUSED*/ 630static uint64_t 631zfs_ace_walk(void *datap, uint64_t cookie, int aclcnt, 632 uint16_t *flags, uint16_t *type, uint32_t *mask) 633{ 634 zfs_acl_t *aclp = datap; 635 zfs_ace_hdr_t *acep = (zfs_ace_hdr_t *)(uintptr_t)cookie; 636 uint64_t who; 637 638 acep = zfs_acl_next_ace(aclp, acep, &who, mask, 639 flags, type); 640 return ((uint64_t)(uintptr_t)acep); 641} 642 643static zfs_acl_node_t * 644zfs_acl_curr_node(zfs_acl_t *aclp) 645{ 646 ASSERT(aclp->z_curr_node); 647 return (aclp->z_curr_node); 648} 649 650/* 651 * Copy ACE to internal ZFS format. 652 * While processing the ACL each ACE will be validated for correctness. 653 * ACE FUIDs will be created later. 654 */ 655int 656zfs_copy_ace_2_fuid(zfsvfs_t *zfsvfs, vtype_t obj_type, zfs_acl_t *aclp, 657 void *datap, zfs_ace_t *z_acl, uint64_t aclcnt, size_t *size, 658 zfs_fuid_info_t **fuidp, cred_t *cr) 659{ 660 int i; 661 uint16_t entry_type; 662 zfs_ace_t *aceptr = z_acl; 663 ace_t *acep = datap; 664 zfs_object_ace_t *zobjacep; 665 ace_object_t *aceobjp; 666 667 for (i = 0; i != aclcnt; i++) { 668 aceptr->z_hdr.z_access_mask = acep->a_access_mask; 669 aceptr->z_hdr.z_flags = acep->a_flags; 670 aceptr->z_hdr.z_type = acep->a_type; 671 entry_type = aceptr->z_hdr.z_flags & ACE_TYPE_FLAGS; 672 if (entry_type != ACE_OWNER && entry_type != OWNING_GROUP && 673 entry_type != ACE_EVERYONE) { 674 aceptr->z_fuid = zfs_fuid_create(zfsvfs, acep->a_who, 675 cr, (entry_type == 0) ? 676 ZFS_ACE_USER : ZFS_ACE_GROUP, fuidp); 677 } 678 679 /* 680 * Make sure ACE is valid 681 */ 682 if (zfs_ace_valid(obj_type, aclp, aceptr->z_hdr.z_type, 683 aceptr->z_hdr.z_flags) != B_TRUE) 684 return (EINVAL); 685 686 switch (acep->a_type) { 687 case ACE_ACCESS_ALLOWED_OBJECT_ACE_TYPE: 688 case ACE_ACCESS_DENIED_OBJECT_ACE_TYPE: 689 case ACE_SYSTEM_AUDIT_OBJECT_ACE_TYPE: 690 case ACE_SYSTEM_ALARM_OBJECT_ACE_TYPE: 691 zobjacep = (zfs_object_ace_t *)aceptr; 692 aceobjp = (ace_object_t *)acep; 693 694 bcopy(aceobjp->a_obj_type, zobjacep->z_object_type, 695 sizeof (aceobjp->a_obj_type)); 696 bcopy(aceobjp->a_inherit_obj_type, 697 zobjacep->z_inherit_type, 698 sizeof (aceobjp->a_inherit_obj_type)); 699 acep = (ace_t *)((caddr_t)acep + sizeof (ace_object_t)); 700 break; 701 default: 702 acep = (ace_t *)((caddr_t)acep + sizeof (ace_t)); 703 } 704 705 aceptr = (zfs_ace_t *)((caddr_t)aceptr + 706 aclp->z_ops.ace_size(aceptr)); 707 } 708 709 *size = (caddr_t)aceptr - (caddr_t)z_acl; 710 711 return (0); 712} 713 714/* 715 * Copy ZFS ACEs to fixed size ace_t layout 716 */ 717static void 718zfs_copy_fuid_2_ace(zfsvfs_t *zfsvfs, zfs_acl_t *aclp, cred_t *cr, 719 void *datap, int filter) 720{ 721 uint64_t who; 722 uint32_t access_mask; 723 uint16_t iflags, type; 724 zfs_ace_hdr_t *zacep = NULL; 725 ace_t *acep = datap; 726 ace_object_t *objacep; 727 zfs_object_ace_t *zobjacep; 728 size_t ace_size; 729 uint16_t entry_type; 730 731 while (zacep = zfs_acl_next_ace(aclp, zacep, 732 &who, &access_mask, &iflags, &type)) { 733 734 switch (type) { 735 case ACE_ACCESS_ALLOWED_OBJECT_ACE_TYPE: 736 case ACE_ACCESS_DENIED_OBJECT_ACE_TYPE: 737 case ACE_SYSTEM_AUDIT_OBJECT_ACE_TYPE: 738 case ACE_SYSTEM_ALARM_OBJECT_ACE_TYPE: 739 if (filter) { 740 continue; 741 } 742 zobjacep = (zfs_object_ace_t *)zacep; 743 objacep = (ace_object_t *)acep; 744 bcopy(zobjacep->z_object_type, 745 objacep->a_obj_type, 746 sizeof (zobjacep->z_object_type)); 747 bcopy(zobjacep->z_inherit_type, 748 objacep->a_inherit_obj_type, 749 sizeof (zobjacep->z_inherit_type)); 750 ace_size = sizeof (ace_object_t); 751 break; 752 default: 753 ace_size = sizeof (ace_t); 754 break; 755 } 756 757 entry_type = (iflags & ACE_TYPE_FLAGS); 758 if ((entry_type != ACE_OWNER && 759 entry_type != OWNING_GROUP && 760 entry_type != ACE_EVERYONE)) { 761 acep->a_who = zfs_fuid_map_id(zfsvfs, who, 762 cr, (entry_type & ACE_IDENTIFIER_GROUP) ? 763 ZFS_ACE_GROUP : ZFS_ACE_USER); 764 } else { 765 acep->a_who = (uid_t)(int64_t)who; 766 } 767 acep->a_access_mask = access_mask; 768 acep->a_flags = iflags; 769 acep->a_type = type; 770 acep = (ace_t *)((caddr_t)acep + ace_size); 771 } 772} 773 774static int 775zfs_copy_ace_2_oldace(vtype_t obj_type, zfs_acl_t *aclp, ace_t *acep, 776 zfs_oldace_t *z_acl, int aclcnt, size_t *size) 777{ 778 int i; 779 zfs_oldace_t *aceptr = z_acl; 780 781 for (i = 0; i != aclcnt; i++, aceptr++) { 782 aceptr->z_access_mask = acep[i].a_access_mask; 783 aceptr->z_type = acep[i].a_type; 784 aceptr->z_flags = acep[i].a_flags; 785 aceptr->z_fuid = acep[i].a_who; 786 /* 787 * Make sure ACE is valid 788 */ 789 if (zfs_ace_valid(obj_type, aclp, aceptr->z_type, 790 aceptr->z_flags) != B_TRUE) 791 return (EINVAL); 792 } 793 *size = (caddr_t)aceptr - (caddr_t)z_acl; 794 return (0); 795} 796 797/* 798 * convert old ACL format to new 799 */ 800void 801zfs_acl_xform(znode_t *zp, zfs_acl_t *aclp, cred_t *cr) 802{ 803 zfs_oldace_t *oldaclp; 804 int i; 805 uint16_t type, iflags; 806 uint32_t access_mask; 807 uint64_t who; 808 void *cookie = NULL; 809 zfs_acl_node_t *newaclnode; 810 811 ASSERT(aclp->z_version == ZFS_ACL_VERSION_INITIAL); 812 /* 813 * First create the ACE in a contiguous piece of memory 814 * for zfs_copy_ace_2_fuid(). 815 * 816 * We only convert an ACL once, so this won't happen 817 * everytime. 818 */ 819 oldaclp = kmem_alloc(sizeof (zfs_oldace_t) * aclp->z_acl_count, 820 KM_SLEEP); 821 i = 0; 822 while (cookie = zfs_acl_next_ace(aclp, cookie, &who, 823 &access_mask, &iflags, &type)) { 824 oldaclp[i].z_flags = iflags; 825 oldaclp[i].z_type = type; 826 oldaclp[i].z_fuid = who; 827 oldaclp[i++].z_access_mask = access_mask; 828 } 829 830 newaclnode = zfs_acl_node_alloc(aclp->z_acl_count * 831 sizeof (zfs_object_ace_t)); 832 aclp->z_ops = zfs_acl_fuid_ops; 833 VERIFY(zfs_copy_ace_2_fuid(zp->z_zfsvfs, ZTOV(zp)->v_type, aclp, 834 oldaclp, newaclnode->z_acldata, aclp->z_acl_count, 835 &newaclnode->z_size, NULL, cr) == 0); 836 newaclnode->z_ace_count = aclp->z_acl_count; 837 aclp->z_version = ZFS_ACL_VERSION; 838 kmem_free(oldaclp, aclp->z_acl_count * sizeof (zfs_oldace_t)); 839 840 /* 841 * Release all previous ACL nodes 842 */ 843 844 zfs_acl_release_nodes(aclp); 845 846 list_insert_head(&aclp->z_acl, newaclnode); 847 848 aclp->z_acl_bytes = newaclnode->z_size; 849 aclp->z_acl_count = newaclnode->z_ace_count; 850 851} 852 853/* 854 * Convert unix access mask to v4 access mask 855 */ 856static uint32_t 857zfs_unix_to_v4(uint32_t access_mask) 858{ 859 uint32_t new_mask = 0; 860 861 if (access_mask & S_IXOTH) 862 new_mask |= ACE_EXECUTE; 863 if (access_mask & S_IWOTH) 864 new_mask |= ACE_WRITE_DATA; 865 if (access_mask & S_IROTH) 866 new_mask |= ACE_READ_DATA; 867 return (new_mask); 868} 869 870static void 871zfs_set_ace(zfs_acl_t *aclp, void *acep, uint32_t access_mask, 872 uint16_t access_type, uint64_t fuid, uint16_t entry_type) 873{ 874 uint16_t type = entry_type & ACE_TYPE_FLAGS; 875 876 aclp->z_ops.ace_mask_set(acep, access_mask); 877 aclp->z_ops.ace_type_set(acep, access_type); 878 aclp->z_ops.ace_flags_set(acep, entry_type); 879 if ((type != ACE_OWNER && type != OWNING_GROUP && 880 type != ACE_EVERYONE)) 881 aclp->z_ops.ace_who_set(acep, fuid); 882} 883 884/* 885 * Determine mode of file based on ACL. 886 * Also, create FUIDs for any User/Group ACEs 887 */ 888uint64_t 889zfs_mode_compute(uint64_t fmode, zfs_acl_t *aclp, 890 uint64_t *pflags, uint64_t fuid, uint64_t fgid) 891{ 892 int entry_type; 893 mode_t mode; 894 mode_t seen = 0; 895 zfs_ace_hdr_t *acep = NULL; 896 uint64_t who; 897 uint16_t iflags, type; 898 uint32_t access_mask; 899 boolean_t an_exec_denied = B_FALSE; 900 901 mode = (fmode & (S_IFMT | S_ISUID | S_ISGID | S_ISVTX)); 902 903 while (acep = zfs_acl_next_ace(aclp, acep, &who, 904 &access_mask, &iflags, &type)) { 905 906 if (!zfs_acl_valid_ace_type(type, iflags)) 907 continue; 908 909 entry_type = (iflags & ACE_TYPE_FLAGS); 910 911 /* 912 * Skip over owner@, group@ or everyone@ inherit only ACEs 913 */ 914 if ((iflags & ACE_INHERIT_ONLY_ACE) && 915 (entry_type == ACE_OWNER || entry_type == ACE_EVERYONE || 916 entry_type == OWNING_GROUP)) 917 continue; 918 919 if (entry_type == ACE_OWNER || (entry_type == 0 && 920 who == fuid)) { 921 if ((access_mask & ACE_READ_DATA) && 922 (!(seen & S_IRUSR))) { 923 seen |= S_IRUSR; 924 if (type == ALLOW) { 925 mode |= S_IRUSR; 926 } 927 } 928 if ((access_mask & ACE_WRITE_DATA) && 929 (!(seen & S_IWUSR))) { 930 seen |= S_IWUSR; 931 if (type == ALLOW) { 932 mode |= S_IWUSR; 933 } 934 } 935 if ((access_mask & ACE_EXECUTE) && 936 (!(seen & S_IXUSR))) { 937 seen |= S_IXUSR; 938 if (type == ALLOW) { 939 mode |= S_IXUSR; 940 } 941 } 942 } else if (entry_type == OWNING_GROUP || 943 (entry_type == ACE_IDENTIFIER_GROUP && who == fgid)) { 944 if ((access_mask & ACE_READ_DATA) && 945 (!(seen & S_IRGRP))) { 946 seen |= S_IRGRP; 947 if (type == ALLOW) { 948 mode |= S_IRGRP; 949 } 950 } 951 if ((access_mask & ACE_WRITE_DATA) && 952 (!(seen & S_IWGRP))) { 953 seen |= S_IWGRP; 954 if (type == ALLOW) { 955 mode |= S_IWGRP; 956 } 957 } 958 if ((access_mask & ACE_EXECUTE) && 959 (!(seen & S_IXGRP))) { 960 seen |= S_IXGRP; 961 if (type == ALLOW) { 962 mode |= S_IXGRP; 963 } 964 } 965 } else if (entry_type == ACE_EVERYONE) { 966 if ((access_mask & ACE_READ_DATA)) { 967 if (!(seen & S_IRUSR)) { 968 seen |= S_IRUSR; 969 if (type == ALLOW) { 970 mode |= S_IRUSR; 971 } 972 } 973 if (!(seen & S_IRGRP)) { 974 seen |= S_IRGRP; 975 if (type == ALLOW) { 976 mode |= S_IRGRP; 977 } 978 } 979 if (!(seen & S_IROTH)) { 980 seen |= S_IROTH; 981 if (type == ALLOW) { 982 mode |= S_IROTH; 983 } 984 } 985 } 986 if ((access_mask & ACE_WRITE_DATA)) { 987 if (!(seen & S_IWUSR)) { 988 seen |= S_IWUSR; 989 if (type == ALLOW) { 990 mode |= S_IWUSR; 991 } 992 } 993 if (!(seen & S_IWGRP)) { 994 seen |= S_IWGRP; 995 if (type == ALLOW) { 996 mode |= S_IWGRP; 997 } 998 } 999 if (!(seen & S_IWOTH)) { 1000 seen |= S_IWOTH; 1001 if (type == ALLOW) { 1002 mode |= S_IWOTH; 1003 } 1004 } 1005 } 1006 if ((access_mask & ACE_EXECUTE)) { 1007 if (!(seen & S_IXUSR)) { 1008 seen |= S_IXUSR; 1009 if (type == ALLOW) { 1010 mode |= S_IXUSR; 1011 } 1012 } 1013 if (!(seen & S_IXGRP)) { 1014 seen |= S_IXGRP; 1015 if (type == ALLOW) { 1016 mode |= S_IXGRP; 1017 } 1018 } 1019 if (!(seen & S_IXOTH)) { 1020 seen |= S_IXOTH; 1021 if (type == ALLOW) { 1022 mode |= S_IXOTH; 1023 } 1024 } 1025 } 1026 } else { 1027 /* 1028 * Only care if this IDENTIFIER_GROUP or 1029 * USER ACE denies execute access to someone, 1030 * mode is not affected 1031 */ 1032 if ((access_mask & ACE_EXECUTE) && type == DENY) 1033 an_exec_denied = B_TRUE; 1034 } 1035 } 1036 1037 /* 1038 * Failure to allow is effectively a deny, so execute permission 1039 * is denied if it was never mentioned or if we explicitly 1040 * weren't allowed it. 1041 */ 1042 if (!an_exec_denied && 1043 ((seen & ALL_MODE_EXECS) != ALL_MODE_EXECS || 1044 (mode & ALL_MODE_EXECS) != ALL_MODE_EXECS)) 1045 an_exec_denied = B_TRUE; 1046 1047 if (an_exec_denied) 1048 *pflags &= ~ZFS_NO_EXECS_DENIED; 1049 else 1050 *pflags |= ZFS_NO_EXECS_DENIED; 1051 1052 return (mode); 1053} 1054 1055/* 1056 * Read an external acl object. If the intent is to modify, always 1057 * create a new acl and leave any cached acl in place. 1058 */ 1059static int 1060zfs_acl_node_read(znode_t *zp, boolean_t have_lock, zfs_acl_t **aclpp, 1061 boolean_t will_modify) 1062{ 1063 zfs_acl_t *aclp; 1064 int aclsize; 1065 int acl_count; 1066 zfs_acl_node_t *aclnode; 1067 zfs_acl_phys_t znode_acl; 1068 int version; 1069 int error; 1070 boolean_t drop_lock = B_FALSE; 1071 1072 ASSERT(MUTEX_HELD(&zp->z_acl_lock)); 1073 1074 if (zp->z_acl_cached && !will_modify) { 1075 *aclpp = zp->z_acl_cached; 1076 return (0); 1077 } 1078 1079 /* 1080 * close race where znode could be upgrade while trying to 1081 * read the znode attributes. 1082 * 1083 * But this could only happen if the file isn't already an SA 1084 * znode 1085 */ 1086 if (!zp->z_is_sa && !have_lock) { 1087 mutex_enter(&zp->z_lock); 1088 drop_lock = B_TRUE; 1089 } 1090 version = zfs_znode_acl_version(zp); 1091 1092 if ((error = zfs_acl_znode_info(zp, &aclsize, 1093 &acl_count, &znode_acl)) != 0) { 1094 goto done; 1095 } 1096 1097 aclp = zfs_acl_alloc(version); 1098 1099 aclp->z_acl_count = acl_count; 1100 aclp->z_acl_bytes = aclsize; 1101 1102 aclnode = zfs_acl_node_alloc(aclsize); 1103 aclnode->z_ace_count = aclp->z_acl_count; 1104 aclnode->z_size = aclsize; 1105 1106 if (!zp->z_is_sa) { 1107 if (znode_acl.z_acl_extern_obj) { 1108 error = dmu_read(zp->z_zfsvfs->z_os, 1109 znode_acl.z_acl_extern_obj, 0, aclnode->z_size, 1110 aclnode->z_acldata, DMU_READ_PREFETCH); 1111 } else { 1112 bcopy(znode_acl.z_ace_data, aclnode->z_acldata, 1113 aclnode->z_size); 1114 } 1115 } else { 1116 error = sa_lookup(zp->z_sa_hdl, SA_ZPL_DACL_ACES(zp->z_zfsvfs), 1117 aclnode->z_acldata, aclnode->z_size); 1118 } 1119 1120 if (error != 0) { 1121 zfs_acl_free(aclp); 1122 zfs_acl_node_free(aclnode); 1123 /* convert checksum errors into IO errors */ 1124 if (error == ECKSUM) 1125 error = EIO; 1126 goto done; 1127 } 1128 1129 list_insert_head(&aclp->z_acl, aclnode); 1130 1131 *aclpp = aclp; 1132 if (!will_modify) 1133 zp->z_acl_cached = aclp; 1134done: 1135 if (drop_lock) 1136 mutex_exit(&zp->z_lock); 1137 return (error); 1138} 1139 1140/*ARGSUSED*/ 1141void 1142zfs_acl_data_locator(void **dataptr, uint32_t *length, uint32_t buflen, 1143 boolean_t start, void *userdata) 1144{ 1145 zfs_acl_locator_cb_t *cb = (zfs_acl_locator_cb_t *)userdata; 1146 1147 if (start) { 1148 cb->cb_acl_node = list_head(&cb->cb_aclp->z_acl); 1149 } else { 1150 cb->cb_acl_node = list_next(&cb->cb_aclp->z_acl, 1151 cb->cb_acl_node); 1152 } 1153 *dataptr = cb->cb_acl_node->z_acldata; 1154 *length = cb->cb_acl_node->z_size; 1155} 1156 1157int 1158zfs_acl_chown_setattr(znode_t *zp) 1159{ 1160 int error; 1161 zfs_acl_t *aclp; 1162 1163 ASSERT(MUTEX_HELD(&zp->z_lock)); 1164 ASSERT(MUTEX_HELD(&zp->z_acl_lock)); 1165 1166 if ((error = zfs_acl_node_read(zp, B_TRUE, &aclp, B_FALSE)) == 0) 1167 zp->z_mode = zfs_mode_compute(zp->z_mode, aclp, 1168 &zp->z_pflags, zp->z_uid, zp->z_gid); 1169 return (error); 1170} 1171 1172/* 1173 * common code for setting ACLs. 1174 * 1175 * This function is called from zfs_mode_update, zfs_perm_init, and zfs_setacl. 1176 * zfs_setacl passes a non-NULL inherit pointer (ihp) to indicate that it's 1177 * already checked the acl and knows whether to inherit. 1178 */ 1179int 1180zfs_aclset_common(znode_t *zp, zfs_acl_t *aclp, cred_t *cr, dmu_tx_t *tx) 1181{ 1182 int error; 1183 zfsvfs_t *zfsvfs = zp->z_zfsvfs; 1184 dmu_object_type_t otype; 1185 zfs_acl_locator_cb_t locate = { 0 }; 1186 uint64_t mode; 1187 sa_bulk_attr_t bulk[5]; 1188 uint64_t ctime[2]; 1189 int count = 0; 1190 1191 mode = zp->z_mode; 1192 1193 mode = zfs_mode_compute(mode, aclp, &zp->z_pflags, 1194 zp->z_uid, zp->z_gid); 1195 1196 zp->z_mode = mode; 1197 SA_ADD_BULK_ATTR(bulk, count, SA_ZPL_MODE(zfsvfs), NULL, 1198 &mode, sizeof (mode)); 1199 SA_ADD_BULK_ATTR(bulk, count, SA_ZPL_FLAGS(zfsvfs), NULL, 1200 &zp->z_pflags, sizeof (zp->z_pflags)); 1201 SA_ADD_BULK_ATTR(bulk, count, SA_ZPL_CTIME(zfsvfs), NULL, 1202 &ctime, sizeof (ctime)); 1203 1204 if (zp->z_acl_cached) { 1205 zfs_acl_free(zp->z_acl_cached); 1206 zp->z_acl_cached = NULL; 1207 } 1208 1209 /* 1210 * Upgrade needed? 1211 */ 1212 if (!zfsvfs->z_use_fuids) { 1213 otype = DMU_OT_OLDACL; 1214 } else { 1215 if ((aclp->z_version == ZFS_ACL_VERSION_INITIAL) && 1216 (zfsvfs->z_version >= ZPL_VERSION_FUID)) 1217 zfs_acl_xform(zp, aclp, cr); 1218 ASSERT(aclp->z_version >= ZFS_ACL_VERSION_FUID); 1219 otype = DMU_OT_ACL; 1220 } 1221 1222 /* 1223 * Arrgh, we have to handle old on disk format 1224 * as well as newer (preferred) SA format. 1225 */ 1226 1227 if (zp->z_is_sa) { /* the easy case, just update the ACL attribute */ 1228 locate.cb_aclp = aclp; 1229 SA_ADD_BULK_ATTR(bulk, count, SA_ZPL_DACL_ACES(zfsvfs), 1230 zfs_acl_data_locator, &locate, aclp->z_acl_bytes); 1231 SA_ADD_BULK_ATTR(bulk, count, SA_ZPL_DACL_COUNT(zfsvfs), 1232 NULL, &aclp->z_acl_count, sizeof (uint64_t)); 1233 } else { /* Painful legacy way */ 1234 zfs_acl_node_t *aclnode; 1235 uint64_t off = 0; 1236 zfs_acl_phys_t acl_phys; 1237 uint64_t aoid; 1238 1239 if ((error = sa_lookup(zp->z_sa_hdl, SA_ZPL_ZNODE_ACL(zfsvfs), 1240 &acl_phys, sizeof (acl_phys))) != 0) 1241 return (error); 1242 1243 aoid = acl_phys.z_acl_extern_obj; 1244 1245 if (aclp->z_acl_bytes > ZFS_ACE_SPACE) { 1246 /* 1247 * If ACL was previously external and we are now 1248 * converting to new ACL format then release old 1249 * ACL object and create a new one. 1250 */ 1251 if (aoid && 1252 aclp->z_version != acl_phys.z_acl_version) { 1253 error = dmu_object_free(zfsvfs->z_os, aoid, tx); 1254 if (error) 1255 return (error); 1256 aoid = 0; 1257 } 1258 if (aoid == 0) { 1259 aoid = dmu_object_alloc(zfsvfs->z_os, 1260 otype, aclp->z_acl_bytes, 1261 otype == DMU_OT_ACL ? 1262 DMU_OT_SYSACL : DMU_OT_NONE, 1263 otype == DMU_OT_ACL ? 1264 DN_MAX_BONUSLEN : 0, tx); 1265 } else { 1266 (void) dmu_object_set_blocksize(zfsvfs->z_os, 1267 aoid, aclp->z_acl_bytes, 0, tx); 1268 } 1269 acl_phys.z_acl_extern_obj = aoid; 1270 for (aclnode = list_head(&aclp->z_acl); aclnode; 1271 aclnode = list_next(&aclp->z_acl, aclnode)) { 1272 if (aclnode->z_ace_count == 0) 1273 continue; 1274 dmu_write(zfsvfs->z_os, aoid, off, 1275 aclnode->z_size, aclnode->z_acldata, tx); 1276 off += aclnode->z_size; 1277 } 1278 } else { 1279 void *start = acl_phys.z_ace_data; 1280 /* 1281 * Migrating back embedded? 1282 */ 1283 if (acl_phys.z_acl_extern_obj) { 1284 error = dmu_object_free(zfsvfs->z_os, 1285 acl_phys.z_acl_extern_obj, tx); 1286 if (error) 1287 return (error); 1288 acl_phys.z_acl_extern_obj = 0; 1289 } 1290 1291 for (aclnode = list_head(&aclp->z_acl); aclnode; 1292 aclnode = list_next(&aclp->z_acl, aclnode)) { 1293 if (aclnode->z_ace_count == 0) 1294 continue; 1295 bcopy(aclnode->z_acldata, start, 1296 aclnode->z_size); 1297 start = (caddr_t)start + aclnode->z_size; 1298 } 1299 } 1300 /* 1301 * If Old version then swap count/bytes to match old 1302 * layout of znode_acl_phys_t. 1303 */ 1304 if (aclp->z_version == ZFS_ACL_VERSION_INITIAL) { 1305 acl_phys.z_acl_size = aclp->z_acl_count; 1306 acl_phys.z_acl_count = aclp->z_acl_bytes; 1307 } else { 1308 acl_phys.z_acl_size = aclp->z_acl_bytes; 1309 acl_phys.z_acl_count = aclp->z_acl_count; 1310 } 1311 acl_phys.z_acl_version = aclp->z_version; 1312 1313 SA_ADD_BULK_ATTR(bulk, count, SA_ZPL_ZNODE_ACL(zfsvfs), NULL, 1314 &acl_phys, sizeof (acl_phys)); 1315 } 1316 1317 /* 1318 * Replace ACL wide bits, but first clear them. 1319 */ 1320 zp->z_pflags &= ~ZFS_ACL_WIDE_FLAGS; 1321 1322 zp->z_pflags |= aclp->z_hints; 1323 1324 if (ace_trivial_common(aclp, 0, zfs_ace_walk) == 0) 1325 zp->z_pflags |= ZFS_ACL_TRIVIAL; 1326 1327 zfs_tstamp_update_setup(zp, STATE_CHANGED, NULL, ctime, B_TRUE); 1328 return (sa_bulk_update(zp->z_sa_hdl, bulk, count, tx)); 1329} 1330 1331static void 1332zfs_acl_chmod(vtype_t vtype, uint64_t mode, boolean_t trim, zfs_acl_t *aclp) 1333{ 1334 void *acep = NULL; 1335 uint64_t who; 1336 int new_count, new_bytes; 1337 int ace_size; 1338 int entry_type; 1339 uint16_t iflags, type; 1340 uint32_t access_mask; 1341 zfs_acl_node_t *newnode; 1342 size_t abstract_size = aclp->z_ops.ace_abstract_size(); 1343 void *zacep; 1344 boolean_t isdir; 1345 trivial_acl_t masks; 1346 1347 new_count = new_bytes = 0; 1348 1349 isdir = (vtype == VDIR); 1350 1351 acl_trivial_access_masks((mode_t)mode, isdir, &masks); 1352 1353 newnode = zfs_acl_node_alloc((abstract_size * 6) + aclp->z_acl_bytes); 1354 1355 zacep = newnode->z_acldata; 1356 if (masks.allow0) { 1357 zfs_set_ace(aclp, zacep, masks.allow0, ALLOW, -1, ACE_OWNER); 1358 zacep = (void *)((uintptr_t)zacep + abstract_size); 1359 new_count++; 1360 new_bytes += abstract_size; 1361 } if (masks.deny1) { 1362 zfs_set_ace(aclp, zacep, masks.deny1, DENY, -1, ACE_OWNER); 1363 zacep = (void *)((uintptr_t)zacep + abstract_size); 1364 new_count++; 1365 new_bytes += abstract_size; 1366 } 1367 if (masks.deny2) { 1368 zfs_set_ace(aclp, zacep, masks.deny2, DENY, -1, OWNING_GROUP); 1369 zacep = (void *)((uintptr_t)zacep + abstract_size); 1370 new_count++; 1371 new_bytes += abstract_size; 1372 } 1373 1374 while (acep = zfs_acl_next_ace(aclp, acep, &who, &access_mask, 1375 &iflags, &type)) { 1376 uint16_t inherit_flags; 1377 1378 entry_type = (iflags & ACE_TYPE_FLAGS); 1379 inherit_flags = (iflags & ALL_INHERIT); 1380 1381 if ((entry_type == ACE_OWNER || entry_type == ACE_EVERYONE || 1382 (entry_type == OWNING_GROUP)) && 1383 ((inherit_flags & ACE_INHERIT_ONLY_ACE) == 0)) { 1384 continue; 1385 } 1386 1387 /* 1388 * If this ACL has any inheritable ACEs, mark that in 1389 * the hints (which are later masked into the pflags) 1390 * so create knows to do inheritance. 1391 */ 1392 if (isdir && (inherit_flags & 1393 (ACE_FILE_INHERIT_ACE|ACE_DIRECTORY_INHERIT_ACE))) 1394 aclp->z_hints |= ZFS_INHERIT_ACE; 1395 1396 if ((type != ALLOW && type != DENY) || 1397 (inherit_flags & ACE_INHERIT_ONLY_ACE)) { 1398 switch (type) { 1399 case ACE_ACCESS_ALLOWED_OBJECT_ACE_TYPE: 1400 case ACE_ACCESS_DENIED_OBJECT_ACE_TYPE: 1401 case ACE_SYSTEM_AUDIT_OBJECT_ACE_TYPE: 1402 case ACE_SYSTEM_ALARM_OBJECT_ACE_TYPE: 1403 aclp->z_hints |= ZFS_ACL_OBJ_ACE; 1404 break; 1405 } 1406 } else { 1407 1408 /* 1409 * Limit permissions to be no greater than 1410 * group permissions. 1411 * The "aclinherit" and "aclmode" properties 1412 * affect policy for create and chmod(2), 1413 * respectively. 1414 */ 1415 if ((type == ALLOW) && trim) 1416 access_mask &= masks.group; 1417 } 1418 zfs_set_ace(aclp, zacep, access_mask, type, who, iflags); 1419 ace_size = aclp->z_ops.ace_size(acep); 1420 zacep = (void *)((uintptr_t)zacep + ace_size); 1421 new_count++; 1422 new_bytes += ace_size; 1423 } 1424 zfs_set_ace(aclp, zacep, masks.owner, 0, -1, ACE_OWNER); 1425 zacep = (void *)((uintptr_t)zacep + abstract_size); 1426 zfs_set_ace(aclp, zacep, masks.group, 0, -1, OWNING_GROUP); 1427 zacep = (void *)((uintptr_t)zacep + abstract_size); 1428 zfs_set_ace(aclp, zacep, masks.everyone, 0, -1, ACE_EVERYONE); 1429 1430 new_count += 3; 1431 new_bytes += abstract_size * 3; 1432 zfs_acl_release_nodes(aclp); 1433 aclp->z_acl_count = new_count; 1434 aclp->z_acl_bytes = new_bytes; 1435 newnode->z_ace_count = new_count; 1436 newnode->z_size = new_bytes; 1437 list_insert_tail(&aclp->z_acl, newnode); 1438} 1439 1440int 1441zfs_acl_chmod_setattr(znode_t *zp, zfs_acl_t **aclp, uint64_t mode) 1442{ 1443 int error = 0; 1444 1445 mutex_enter(&zp->z_acl_lock); 1446 mutex_enter(&zp->z_lock); 1447 if (zp->z_zfsvfs->z_acl_mode == ZFS_ACL_DISCARD) 1448 *aclp = zfs_acl_alloc(zfs_acl_version_zp(zp)); 1449 else 1450 error = zfs_acl_node_read(zp, B_TRUE, aclp, B_TRUE); 1451 1452 if (error == 0) { 1453 (*aclp)->z_hints = zp->z_pflags & V4_ACL_WIDE_FLAGS; 1454 zfs_acl_chmod(ZTOV(zp)->v_type, mode, 1455 (zp->z_zfsvfs->z_acl_mode == ZFS_ACL_GROUPMASK), *aclp); 1456 } 1457 mutex_exit(&zp->z_lock); 1458 mutex_exit(&zp->z_acl_lock); 1459 1460 return (error); 1461} 1462 1463/* 1464 * strip off write_owner and write_acl 1465 */ 1466static void 1467zfs_restricted_update(zfsvfs_t *zfsvfs, zfs_acl_t *aclp, void *acep) 1468{ 1469 uint32_t mask = aclp->z_ops.ace_mask_get(acep); 1470 1471 if ((zfsvfs->z_acl_inherit == ZFS_ACL_RESTRICTED) && 1472 (aclp->z_ops.ace_type_get(acep) == ALLOW)) { 1473 mask &= ~RESTRICTED_CLEAR; 1474 aclp->z_ops.ace_mask_set(acep, mask); 1475 } 1476} 1477 1478/* 1479 * Should ACE be inherited? 1480 */ 1481static int 1482zfs_ace_can_use(vtype_t vtype, uint16_t acep_flags) 1483{ 1484 int iflags = (acep_flags & 0xf); 1485 1486 if ((vtype == VDIR) && (iflags & ACE_DIRECTORY_INHERIT_ACE)) 1487 return (1); 1488 else if (iflags & ACE_FILE_INHERIT_ACE) 1489 return (!((vtype == VDIR) && 1490 (iflags & ACE_NO_PROPAGATE_INHERIT_ACE))); 1491 return (0); 1492} 1493 1494/* 1495 * inherit inheritable ACEs from parent 1496 */ 1497static zfs_acl_t * 1498zfs_acl_inherit(zfsvfs_t *zfsvfs, vtype_t vtype, zfs_acl_t *paclp, 1499 uint64_t mode, boolean_t *need_chmod) 1500{ 1501 void *pacep; 1502 void *acep; 1503 zfs_acl_node_t *aclnode; 1504 zfs_acl_t *aclp = NULL; 1505 uint64_t who; 1506 uint32_t access_mask; 1507 uint16_t iflags, newflags, type; 1508 size_t ace_size; 1509 void *data1, *data2; 1510 size_t data1sz, data2sz; 1511 boolean_t vdir = vtype == VDIR; 1512 boolean_t vreg = vtype == VREG; 1513 boolean_t passthrough, passthrough_x, noallow; 1514 1515 passthrough_x = 1516 zfsvfs->z_acl_inherit == ZFS_ACL_PASSTHROUGH_X; 1517 passthrough = passthrough_x || 1518 zfsvfs->z_acl_inherit == ZFS_ACL_PASSTHROUGH; 1519 noallow = 1520 zfsvfs->z_acl_inherit == ZFS_ACL_NOALLOW; 1521 1522 *need_chmod = B_TRUE; 1523 pacep = NULL; 1524 aclp = zfs_acl_alloc(paclp->z_version); 1525 if (zfsvfs->z_acl_inherit == ZFS_ACL_DISCARD || vtype == VLNK) 1526 return (aclp); 1527 while (pacep = zfs_acl_next_ace(paclp, pacep, &who, 1528 &access_mask, &iflags, &type)) { 1529 1530 /* 1531 * don't inherit bogus ACEs 1532 */ 1533 if (!zfs_acl_valid_ace_type(type, iflags)) 1534 continue; 1535 1536 if (noallow && type == ALLOW) 1537 continue; 1538 1539 ace_size = aclp->z_ops.ace_size(pacep); 1540 1541 if (!zfs_ace_can_use(vtype, iflags)) 1542 continue; 1543 1544 /* 1545 * If owner@, group@, or everyone@ inheritable 1546 * then zfs_acl_chmod() isn't needed. 1547 */ 1548 if (passthrough && 1549 ((iflags & (ACE_OWNER|ACE_EVERYONE)) || 1550 ((iflags & OWNING_GROUP) == 1551 OWNING_GROUP)) && (vreg || (vdir && (iflags & 1552 ACE_DIRECTORY_INHERIT_ACE)))) { 1553 *need_chmod = B_FALSE; 1554 } 1555 1556 if (!vdir && passthrough_x && 1557 ((mode & (S_IXUSR | S_IXGRP | S_IXOTH)) == 0)) { 1558 access_mask &= ~ACE_EXECUTE; 1559 } 1560 1561 aclnode = zfs_acl_node_alloc(ace_size); 1562 list_insert_tail(&aclp->z_acl, aclnode); 1563 acep = aclnode->z_acldata; 1564 1565 zfs_set_ace(aclp, acep, access_mask, type, 1566 who, iflags|ACE_INHERITED_ACE); 1567 1568 /* 1569 * Copy special opaque data if any 1570 */ 1571 if ((data1sz = paclp->z_ops.ace_data(pacep, &data1)) != 0) { 1572 VERIFY((data2sz = aclp->z_ops.ace_data(acep, 1573 &data2)) == data1sz); 1574 bcopy(data1, data2, data2sz); 1575 } 1576 1577 aclp->z_acl_count++; 1578 aclnode->z_ace_count++; 1579 aclp->z_acl_bytes += aclnode->z_size; 1580 newflags = aclp->z_ops.ace_flags_get(acep); 1581 1582 if (vdir) 1583 aclp->z_hints |= ZFS_INHERIT_ACE; 1584 1585 if ((iflags & ACE_NO_PROPAGATE_INHERIT_ACE) || !vdir) { 1586 newflags &= ~ALL_INHERIT; 1587 aclp->z_ops.ace_flags_set(acep, 1588 newflags|ACE_INHERITED_ACE); 1589 zfs_restricted_update(zfsvfs, aclp, acep); 1590 continue; 1591 } 1592 1593 ASSERT(vdir); 1594 1595 /* 1596 * If only FILE_INHERIT is set then turn on 1597 * inherit_only 1598 */ 1599 if ((iflags & (ACE_FILE_INHERIT_ACE | 1600 ACE_DIRECTORY_INHERIT_ACE)) == ACE_FILE_INHERIT_ACE) { 1601 newflags |= ACE_INHERIT_ONLY_ACE; 1602 aclp->z_ops.ace_flags_set(acep, 1603 newflags|ACE_INHERITED_ACE); 1604 } else { 1605 newflags &= ~ACE_INHERIT_ONLY_ACE; 1606 aclp->z_ops.ace_flags_set(acep, 1607 newflags|ACE_INHERITED_ACE); 1608 } 1609 } 1610 return (aclp); 1611} 1612 1613/* 1614 * Create file system object initial permissions 1615 * including inheritable ACEs. 1616 */ 1617int 1618zfs_acl_ids_create(znode_t *dzp, int flag, vattr_t *vap, cred_t *cr, 1619 vsecattr_t *vsecp, zfs_acl_ids_t *acl_ids) 1620{ 1621 int error; 1622 zfsvfs_t *zfsvfs = dzp->z_zfsvfs; 1623 zfs_acl_t *paclp; 1624 gid_t gid; 1625 boolean_t need_chmod = B_TRUE; 1626 boolean_t inherited = B_FALSE; 1627 1628 bzero(acl_ids, sizeof (zfs_acl_ids_t)); 1629 acl_ids->z_mode = MAKEIMODE(vap->va_type, vap->va_mode); 1630 1631 if (vsecp) 1632 if ((error = zfs_vsec_2_aclp(zfsvfs, vap->va_type, vsecp, cr, 1633 &acl_ids->z_fuidp, &acl_ids->z_aclp)) != 0) 1634 return (error); 1635 /* 1636 * Determine uid and gid. 1637 */ 1638 if ((flag & IS_ROOT_NODE) || zfsvfs->z_replay || 1639 ((flag & IS_XATTR) && (vap->va_type == VDIR))) { 1640 acl_ids->z_fuid = zfs_fuid_create(zfsvfs, 1641 (uint64_t)vap->va_uid, cr, 1642 ZFS_OWNER, &acl_ids->z_fuidp); 1643 acl_ids->z_fgid = zfs_fuid_create(zfsvfs, 1644 (uint64_t)vap->va_gid, cr, 1645 ZFS_GROUP, &acl_ids->z_fuidp); 1646 gid = vap->va_gid; 1647 } else { 1648 acl_ids->z_fuid = zfs_fuid_create_cred(zfsvfs, ZFS_OWNER, 1649 cr, &acl_ids->z_fuidp); 1650 acl_ids->z_fgid = 0; 1651 if (vap->va_mask & AT_GID) { 1652 acl_ids->z_fgid = zfs_fuid_create(zfsvfs, 1653 (uint64_t)vap->va_gid, 1654 cr, ZFS_GROUP, &acl_ids->z_fuidp); 1655 gid = vap->va_gid; 1656 if (acl_ids->z_fgid != dzp->z_gid && 1657 !groupmember(vap->va_gid, cr) && 1658 secpolicy_vnode_create_gid(cr) != 0) 1659 acl_ids->z_fgid = 0; 1660 } 1661 if (acl_ids->z_fgid == 0) { 1662 if (dzp->z_mode & S_ISGID) { 1663 char *domain; 1664 uint32_t rid; 1665 1666 acl_ids->z_fgid = dzp->z_gid; 1667 gid = zfs_fuid_map_id(zfsvfs, acl_ids->z_fgid, 1668 cr, ZFS_GROUP); 1669 1670 if (zfsvfs->z_use_fuids && 1671 IS_EPHEMERAL(acl_ids->z_fgid)) { 1672 domain = zfs_fuid_idx_domain( 1673 &zfsvfs->z_fuid_idx, 1674 FUID_INDEX(acl_ids->z_fgid)); 1675 rid = FUID_RID(acl_ids->z_fgid); 1676 zfs_fuid_node_add(&acl_ids->z_fuidp, 1677 domain, rid, 1678 FUID_INDEX(acl_ids->z_fgid), 1679 acl_ids->z_fgid, ZFS_GROUP); 1680 } 1681 } else { 1682 acl_ids->z_fgid = zfs_fuid_create_cred(zfsvfs, 1683 ZFS_GROUP, cr, &acl_ids->z_fuidp); 1684#ifdef __FreeBSD__ 1685 gid = acl_ids->z_fgid = dzp->z_gid; 1686#else 1687 gid = crgetgid(cr); 1688#endif 1689 } 1690 } 1691 } 1692 1693 /* 1694 * If we're creating a directory, and the parent directory has the 1695 * set-GID bit set, set in on the new directory. 1696 * Otherwise, if the user is neither privileged nor a member of the 1697 * file's new group, clear the file's set-GID bit. 1698 */ 1699 1700 if (!(flag & IS_ROOT_NODE) && (dzp->z_mode & S_ISGID) && 1701 (vap->va_type == VDIR)) { 1702 acl_ids->z_mode |= S_ISGID; 1703 } else { 1704 if ((acl_ids->z_mode & S_ISGID) && 1705 secpolicy_vnode_setids_setgids(ZTOV(dzp), cr, gid) != 0) 1706 acl_ids->z_mode &= ~S_ISGID; 1707 } 1708 1709 if (acl_ids->z_aclp == NULL) { 1710 mutex_enter(&dzp->z_acl_lock); 1711 mutex_enter(&dzp->z_lock); 1712 if (!(flag & IS_ROOT_NODE) && 1713 (dzp->z_pflags & ZFS_INHERIT_ACE) && 1714 !(dzp->z_pflags & ZFS_XATTR)) { 1715 VERIFY(0 == zfs_acl_node_read(dzp, B_TRUE, 1716 &paclp, B_FALSE)); 1717 acl_ids->z_aclp = zfs_acl_inherit(zfsvfs, 1718 vap->va_type, paclp, acl_ids->z_mode, &need_chmod); 1719 inherited = B_TRUE; 1720 } else { 1721 acl_ids->z_aclp = 1722 zfs_acl_alloc(zfs_acl_version_zp(dzp)); 1723 acl_ids->z_aclp->z_hints |= ZFS_ACL_TRIVIAL; 1724 } 1725 mutex_exit(&dzp->z_lock); 1726 mutex_exit(&dzp->z_acl_lock); 1727 if (need_chmod) { 1728 acl_ids->z_aclp->z_hints |= (vap->va_type == VDIR) ? 1729 ZFS_ACL_AUTO_INHERIT : 0; 1730 zfs_acl_chmod(vap->va_type, acl_ids->z_mode, 1731 (zfsvfs->z_acl_inherit == ZFS_ACL_RESTRICTED), 1732 acl_ids->z_aclp); 1733 } 1734 } 1735 1736 if (inherited || vsecp) { 1737 acl_ids->z_mode = zfs_mode_compute(acl_ids->z_mode, 1738 acl_ids->z_aclp, &acl_ids->z_aclp->z_hints, 1739 acl_ids->z_fuid, acl_ids->z_fgid); 1740 if (ace_trivial_common(acl_ids->z_aclp, 0, zfs_ace_walk) == 0) 1741 acl_ids->z_aclp->z_hints |= ZFS_ACL_TRIVIAL; 1742 } 1743 1744 return (0); 1745} 1746 1747/* 1748 * Free ACL and fuid_infop, but not the acl_ids structure 1749 */ 1750void 1751zfs_acl_ids_free(zfs_acl_ids_t *acl_ids) 1752{ 1753 if (acl_ids->z_aclp) 1754 zfs_acl_free(acl_ids->z_aclp); 1755 if (acl_ids->z_fuidp) 1756 zfs_fuid_info_free(acl_ids->z_fuidp); 1757 acl_ids->z_aclp = NULL; 1758 acl_ids->z_fuidp = NULL; 1759} 1760 1761boolean_t 1762zfs_acl_ids_overquota(zfsvfs_t *zfsvfs, zfs_acl_ids_t *acl_ids) 1763{ 1764 return (zfs_fuid_overquota(zfsvfs, B_FALSE, acl_ids->z_fuid) || 1765 zfs_fuid_overquota(zfsvfs, B_TRUE, acl_ids->z_fgid)); 1766} 1767 1768/* 1769 * Retrieve a files ACL 1770 */ 1771int 1772zfs_getacl(znode_t *zp, vsecattr_t *vsecp, boolean_t skipaclchk, cred_t *cr) 1773{ 1774 zfs_acl_t *aclp; 1775 ulong_t mask; 1776 int error; 1777 int count = 0; 1778 int largeace = 0; 1779 1780 mask = vsecp->vsa_mask & (VSA_ACE | VSA_ACECNT | 1781 VSA_ACE_ACLFLAGS | VSA_ACE_ALLTYPES); 1782 1783 if (mask == 0) 1784 return (ENOSYS); 1785 1786 if (error = zfs_zaccess(zp, ACE_READ_ACL, 0, skipaclchk, cr)) 1787 return (error); 1788 1789 mutex_enter(&zp->z_acl_lock); 1790 1791 error = zfs_acl_node_read(zp, B_FALSE, &aclp, B_FALSE); 1792 if (error != 0) { 1793 mutex_exit(&zp->z_acl_lock); 1794 return (error); 1795 } 1796 1797 /* 1798 * Scan ACL to determine number of ACEs 1799 */ 1800 if ((zp->z_pflags & ZFS_ACL_OBJ_ACE) && !(mask & VSA_ACE_ALLTYPES)) { 1801 void *zacep = NULL; 1802 uint64_t who; 1803 uint32_t access_mask; 1804 uint16_t type, iflags; 1805 1806 while (zacep = zfs_acl_next_ace(aclp, zacep, 1807 &who, &access_mask, &iflags, &type)) { 1808 switch (type) { 1809 case ACE_ACCESS_ALLOWED_OBJECT_ACE_TYPE: 1810 case ACE_ACCESS_DENIED_OBJECT_ACE_TYPE: 1811 case ACE_SYSTEM_AUDIT_OBJECT_ACE_TYPE: 1812 case ACE_SYSTEM_ALARM_OBJECT_ACE_TYPE: 1813 largeace++; 1814 continue; 1815 default: 1816 count++; 1817 } 1818 } 1819 vsecp->vsa_aclcnt = count; 1820 } else 1821 count = (int)aclp->z_acl_count; 1822 1823 if (mask & VSA_ACECNT) { 1824 vsecp->vsa_aclcnt = count; 1825 } 1826 1827 if (mask & VSA_ACE) { 1828 size_t aclsz; 1829 1830 aclsz = count * sizeof (ace_t) + 1831 sizeof (ace_object_t) * largeace; 1832 1833 vsecp->vsa_aclentp = kmem_alloc(aclsz, KM_SLEEP); 1834 vsecp->vsa_aclentsz = aclsz; 1835 1836 if (aclp->z_version == ZFS_ACL_VERSION_FUID) 1837 zfs_copy_fuid_2_ace(zp->z_zfsvfs, aclp, cr, 1838 vsecp->vsa_aclentp, !(mask & VSA_ACE_ALLTYPES)); 1839 else { 1840 zfs_acl_node_t *aclnode; 1841 void *start = vsecp->vsa_aclentp; 1842 1843 for (aclnode = list_head(&aclp->z_acl); aclnode; 1844 aclnode = list_next(&aclp->z_acl, aclnode)) { 1845 bcopy(aclnode->z_acldata, start, 1846 aclnode->z_size); 1847 start = (caddr_t)start + aclnode->z_size; 1848 } 1849 ASSERT((caddr_t)start - (caddr_t)vsecp->vsa_aclentp == 1850 aclp->z_acl_bytes); 1851 } 1852 } 1853 if (mask & VSA_ACE_ACLFLAGS) { 1854 vsecp->vsa_aclflags = 0; 1855 if (zp->z_pflags & ZFS_ACL_DEFAULTED) 1856 vsecp->vsa_aclflags |= ACL_DEFAULTED; 1857 if (zp->z_pflags & ZFS_ACL_PROTECTED) 1858 vsecp->vsa_aclflags |= ACL_PROTECTED; 1859 if (zp->z_pflags & ZFS_ACL_AUTO_INHERIT) 1860 vsecp->vsa_aclflags |= ACL_AUTO_INHERIT; 1861 } 1862 1863 mutex_exit(&zp->z_acl_lock); 1864 1865 return (0); 1866} 1867 1868int 1869zfs_vsec_2_aclp(zfsvfs_t *zfsvfs, vtype_t obj_type, 1870 vsecattr_t *vsecp, cred_t *cr, zfs_fuid_info_t **fuidp, zfs_acl_t **zaclp) 1871{ 1872 zfs_acl_t *aclp; 1873 zfs_acl_node_t *aclnode; 1874 int aclcnt = vsecp->vsa_aclcnt; 1875 int error; 1876 1877 if (vsecp->vsa_aclcnt > MAX_ACL_ENTRIES || vsecp->vsa_aclcnt <= 0) 1878 return (EINVAL); 1879 1880 aclp = zfs_acl_alloc(zfs_acl_version(zfsvfs->z_version)); 1881 1882 aclp->z_hints = 0; 1883 aclnode = zfs_acl_node_alloc(aclcnt * sizeof (zfs_object_ace_t)); 1884 if (aclp->z_version == ZFS_ACL_VERSION_INITIAL) { 1885 if ((error = zfs_copy_ace_2_oldace(obj_type, aclp, 1886 (ace_t *)vsecp->vsa_aclentp, aclnode->z_acldata, 1887 aclcnt, &aclnode->z_size)) != 0) { 1888 zfs_acl_free(aclp); 1889 zfs_acl_node_free(aclnode); 1890 return (error); 1891 } 1892 } else { 1893 if ((error = zfs_copy_ace_2_fuid(zfsvfs, obj_type, aclp, 1894 vsecp->vsa_aclentp, aclnode->z_acldata, aclcnt, 1895 &aclnode->z_size, fuidp, cr)) != 0) { 1896 zfs_acl_free(aclp); 1897 zfs_acl_node_free(aclnode); 1898 return (error); 1899 } 1900 } 1901 aclp->z_acl_bytes = aclnode->z_size; 1902 aclnode->z_ace_count = aclcnt; 1903 aclp->z_acl_count = aclcnt; 1904 list_insert_head(&aclp->z_acl, aclnode); 1905 1906 /* 1907 * If flags are being set then add them to z_hints 1908 */ 1909 if (vsecp->vsa_mask & VSA_ACE_ACLFLAGS) { 1910 if (vsecp->vsa_aclflags & ACL_PROTECTED) 1911 aclp->z_hints |= ZFS_ACL_PROTECTED; 1912 if (vsecp->vsa_aclflags & ACL_DEFAULTED) 1913 aclp->z_hints |= ZFS_ACL_DEFAULTED; 1914 if (vsecp->vsa_aclflags & ACL_AUTO_INHERIT) 1915 aclp->z_hints |= ZFS_ACL_AUTO_INHERIT; 1916 } 1917 1918 *zaclp = aclp; 1919 1920 return (0); 1921} 1922 1923/* 1924 * Set a files ACL 1925 */ 1926int 1927zfs_setacl(znode_t *zp, vsecattr_t *vsecp, boolean_t skipaclchk, cred_t *cr) 1928{ 1929 zfsvfs_t *zfsvfs = zp->z_zfsvfs; 1930 zilog_t *zilog = zfsvfs->z_log; 1931 ulong_t mask = vsecp->vsa_mask & (VSA_ACE | VSA_ACECNT); 1932 dmu_tx_t *tx; 1933 int error; 1934 zfs_acl_t *aclp; 1935 zfs_fuid_info_t *fuidp = NULL; 1936 boolean_t fuid_dirtied; 1937 uint64_t acl_obj; 1938 1939 if (mask == 0) 1940 return (ENOSYS); 1941 1942 if (zp->z_pflags & ZFS_IMMUTABLE) 1943 return (EPERM); 1944 1945 if (error = zfs_zaccess(zp, ACE_WRITE_ACL, 0, skipaclchk, cr)) 1946 return (error); 1947 1948 error = zfs_vsec_2_aclp(zfsvfs, ZTOV(zp)->v_type, vsecp, cr, &fuidp, 1949 &aclp); 1950 if (error) 1951 return (error); 1952 1953 /* 1954 * If ACL wide flags aren't being set then preserve any 1955 * existing flags. 1956 */ 1957 if (!(vsecp->vsa_mask & VSA_ACE_ACLFLAGS)) { 1958 aclp->z_hints |= 1959 (zp->z_pflags & V4_ACL_WIDE_FLAGS); 1960 } 1961top: 1962 mutex_enter(&zp->z_acl_lock); 1963 mutex_enter(&zp->z_lock); 1964 1965 tx = dmu_tx_create(zfsvfs->z_os); 1966 1967 dmu_tx_hold_sa(tx, zp->z_sa_hdl, B_TRUE); 1968 1969 fuid_dirtied = zfsvfs->z_fuid_dirty; 1970 if (fuid_dirtied) 1971 zfs_fuid_txhold(zfsvfs, tx); 1972 1973 /* 1974 * If old version and ACL won't fit in bonus and we aren't 1975 * upgrading then take out necessary DMU holds 1976 */ 1977 1978 if ((acl_obj = zfs_external_acl(zp)) != 0) { 1979 if (zfsvfs->z_version >= ZPL_VERSION_FUID && 1980 zfs_znode_acl_version(zp) <= ZFS_ACL_VERSION_INITIAL) { 1981 dmu_tx_hold_free(tx, acl_obj, 0, 1982 DMU_OBJECT_END); 1983 dmu_tx_hold_write(tx, DMU_NEW_OBJECT, 0, 1984 aclp->z_acl_bytes); 1985 } else { 1986 dmu_tx_hold_write(tx, acl_obj, 0, aclp->z_acl_bytes); 1987 } 1988 } else if (!zp->z_is_sa && aclp->z_acl_bytes > ZFS_ACE_SPACE) { 1989 dmu_tx_hold_write(tx, DMU_NEW_OBJECT, 0, aclp->z_acl_bytes); 1990 } 1991 1992 zfs_sa_upgrade_txholds(tx, zp); 1993 error = dmu_tx_assign(tx, TXG_NOWAIT); 1994 if (error) { 1995 mutex_exit(&zp->z_acl_lock); 1996 mutex_exit(&zp->z_lock); 1997 1998 if (error == ERESTART) { 1999 dmu_tx_wait(tx); 2000 dmu_tx_abort(tx); 2001 goto top; 2002 } 2003 dmu_tx_abort(tx); 2004 zfs_acl_free(aclp); 2005 return (error); 2006 } 2007 2008 error = zfs_aclset_common(zp, aclp, cr, tx); 2009 ASSERT(error == 0); 2010 ASSERT(zp->z_acl_cached == NULL); 2011 zp->z_acl_cached = aclp; 2012 2013 if (fuid_dirtied) 2014 zfs_fuid_sync(zfsvfs, tx); 2015 2016 zfs_log_acl(zilog, tx, zp, vsecp, fuidp); 2017 2018 if (fuidp) 2019 zfs_fuid_info_free(fuidp); 2020 dmu_tx_commit(tx); 2021done: 2022 mutex_exit(&zp->z_lock); 2023 mutex_exit(&zp->z_acl_lock); 2024 2025 return (error); 2026} 2027 2028/* 2029 * Check accesses of interest (AoI) against attributes of the dataset 2030 * such as read-only. Returns zero if no AoI conflict with dataset 2031 * attributes, otherwise an appropriate errno is returned. 2032 */ 2033static int 2034zfs_zaccess_dataset_check(znode_t *zp, uint32_t v4_mode) 2035{ 2036 if ((v4_mode & WRITE_MASK) && 2037 (zp->z_zfsvfs->z_vfs->vfs_flag & VFS_RDONLY) && 2038 (!IS_DEVVP(ZTOV(zp)) || 2039 (IS_DEVVP(ZTOV(zp)) && (v4_mode & WRITE_MASK_ATTRS)))) { 2040 return (EROFS); 2041 } 2042 2043 /* 2044 * Only check for READONLY on non-directories. 2045 */ 2046 if ((v4_mode & WRITE_MASK_DATA) && 2047 (((ZTOV(zp)->v_type != VDIR) && 2048 (zp->z_pflags & (ZFS_READONLY | ZFS_IMMUTABLE))) || 2049 (ZTOV(zp)->v_type == VDIR && 2050 (zp->z_pflags & ZFS_IMMUTABLE)))) { 2051 return (EPERM); 2052 } 2053 2054#ifdef sun 2055 if ((v4_mode & (ACE_DELETE | ACE_DELETE_CHILD)) && 2056 (zp->z_pflags & ZFS_NOUNLINK)) { 2057 return (EPERM); 2058 } 2059#else 2060 /* 2061 * In FreeBSD we allow to modify directory's content is ZFS_NOUNLINK 2062 * (sunlnk) is set. We just don't allow directory removal, which is 2063 * handled in zfs_zaccess_delete(). 2064 */ 2065 if ((v4_mode & ACE_DELETE) && 2066 (zp->z_pflags & ZFS_NOUNLINK)) { 2067 return (EPERM); 2068 } 2069#endif 2070 2071 if (((v4_mode & (ACE_READ_DATA|ACE_EXECUTE)) && 2072 (zp->z_pflags & ZFS_AV_QUARANTINED))) { 2073 return (EACCES); 2074 } 2075 2076 return (0); 2077} 2078 2079/* 2080 * The primary usage of this function is to loop through all of the 2081 * ACEs in the znode, determining what accesses of interest (AoI) to 2082 * the caller are allowed or denied. The AoI are expressed as bits in 2083 * the working_mode parameter. As each ACE is processed, bits covered 2084 * by that ACE are removed from the working_mode. This removal 2085 * facilitates two things. The first is that when the working mode is 2086 * empty (= 0), we know we've looked at all the AoI. The second is 2087 * that the ACE interpretation rules don't allow a later ACE to undo 2088 * something granted or denied by an earlier ACE. Removing the 2089 * discovered access or denial enforces this rule. At the end of 2090 * processing the ACEs, all AoI that were found to be denied are 2091 * placed into the working_mode, giving the caller a mask of denied 2092 * accesses. Returns: 2093 * 0 if all AoI granted 2094 * EACCESS if the denied mask is non-zero 2095 * other error if abnormal failure (e.g., IO error) 2096 * 2097 * A secondary usage of the function is to determine if any of the 2098 * AoI are granted. If an ACE grants any access in 2099 * the working_mode, we immediately short circuit out of the function. 2100 * This mode is chosen by setting anyaccess to B_TRUE. The 2101 * working_mode is not a denied access mask upon exit if the function 2102 * is used in this manner. 2103 */ 2104static int 2105zfs_zaccess_aces_check(znode_t *zp, uint32_t *working_mode, 2106 boolean_t anyaccess, cred_t *cr) 2107{ 2108 zfsvfs_t *zfsvfs = zp->z_zfsvfs; 2109 zfs_acl_t *aclp; 2110 int error; 2111 uid_t uid = crgetuid(cr); 2112 uint64_t who; 2113 uint16_t type, iflags; 2114 uint16_t entry_type; 2115 uint32_t access_mask; 2116 uint32_t deny_mask = 0; 2117 zfs_ace_hdr_t *acep = NULL; 2118 boolean_t checkit; 2119 uid_t gowner; 2120 uid_t fowner; 2121 2122 zfs_fuid_map_ids(zp, cr, &fowner, &gowner); 2123 2124 mutex_enter(&zp->z_acl_lock); 2125 2126 error = zfs_acl_node_read(zp, B_FALSE, &aclp, B_FALSE); 2127 if (error != 0) { 2128 mutex_exit(&zp->z_acl_lock); 2129 return (error); 2130 } 2131 2132 ASSERT(zp->z_acl_cached); 2133 2134 while (acep = zfs_acl_next_ace(aclp, acep, &who, &access_mask, 2135 &iflags, &type)) { 2136 uint32_t mask_matched; 2137 2138 if (!zfs_acl_valid_ace_type(type, iflags)) 2139 continue; 2140 2141 if (ZTOV(zp)->v_type == VDIR && (iflags & ACE_INHERIT_ONLY_ACE)) 2142 continue; 2143 2144 /* Skip ACE if it does not affect any AoI */ 2145 mask_matched = (access_mask & *working_mode); 2146 if (!mask_matched) 2147 continue; 2148 2149 entry_type = (iflags & ACE_TYPE_FLAGS); 2150 2151 checkit = B_FALSE; 2152 2153 switch (entry_type) { 2154 case ACE_OWNER: 2155 if (uid == fowner) 2156 checkit = B_TRUE; 2157 break; 2158 case OWNING_GROUP: 2159 who = gowner; 2160 /*FALLTHROUGH*/ 2161 case ACE_IDENTIFIER_GROUP: 2162 checkit = zfs_groupmember(zfsvfs, who, cr); 2163 break; 2164 case ACE_EVERYONE: 2165 checkit = B_TRUE; 2166 break; 2167 2168 /* USER Entry */ 2169 default: 2170 if (entry_type == 0) { 2171 uid_t newid; 2172 2173 newid = zfs_fuid_map_id(zfsvfs, who, cr, 2174 ZFS_ACE_USER); 2175 if (newid != IDMAP_WK_CREATOR_OWNER_UID && 2176 uid == newid) 2177 checkit = B_TRUE; 2178 break; 2179 } else { 2180 mutex_exit(&zp->z_acl_lock); 2181 return (EIO); 2182 } 2183 } 2184 2185 if (checkit) { 2186 if (type == DENY) { 2187 DTRACE_PROBE3(zfs__ace__denies, 2188 znode_t *, zp, 2189 zfs_ace_hdr_t *, acep, 2190 uint32_t, mask_matched); 2191 deny_mask |= mask_matched; 2192 } else { 2193 DTRACE_PROBE3(zfs__ace__allows, 2194 znode_t *, zp, 2195 zfs_ace_hdr_t *, acep, 2196 uint32_t, mask_matched); 2197 if (anyaccess) { 2198 mutex_exit(&zp->z_acl_lock); 2199 return (0); 2200 } 2201 } 2202 *working_mode &= ~mask_matched; 2203 } 2204 2205 /* Are we done? */ 2206 if (*working_mode == 0) 2207 break; 2208 } 2209 2210 mutex_exit(&zp->z_acl_lock); 2211 2212 /* Put the found 'denies' back on the working mode */ 2213 if (deny_mask) { 2214 *working_mode |= deny_mask; 2215 return (EACCES); 2216 } else if (*working_mode) { 2217 return (-1); 2218 } 2219 2220 return (0); 2221} 2222 2223/* 2224 * Return true if any access whatsoever granted, we don't actually 2225 * care what access is granted. 2226 */ 2227boolean_t 2228zfs_has_access(znode_t *zp, cred_t *cr) 2229{ 2230 uint32_t have = ACE_ALL_PERMS; 2231 2232 if (zfs_zaccess_aces_check(zp, &have, B_TRUE, cr) != 0) { 2233 uid_t owner; 2234 2235 owner = zfs_fuid_map_id(zp->z_zfsvfs, zp->z_uid, cr, ZFS_OWNER); 2236 return (secpolicy_vnode_any_access(cr, ZTOV(zp), owner) == 0); 2237 } 2238 return (B_TRUE); 2239} 2240 2241static int 2242zfs_zaccess_common(znode_t *zp, uint32_t v4_mode, uint32_t *working_mode, 2243 boolean_t *check_privs, boolean_t skipaclchk, cred_t *cr) 2244{ 2245 zfsvfs_t *zfsvfs = zp->z_zfsvfs; 2246 int err; 2247 2248 *working_mode = v4_mode; 2249 *check_privs = B_TRUE; 2250 2251 /* 2252 * Short circuit empty requests 2253 */ 2254 if (v4_mode == 0 || zfsvfs->z_replay) { 2255 *working_mode = 0; 2256 return (0); 2257 } 2258 2259 if ((err = zfs_zaccess_dataset_check(zp, v4_mode)) != 0) { 2260 *check_privs = B_FALSE; 2261 return (err); 2262 } 2263 2264 /* 2265 * The caller requested that the ACL check be skipped. This 2266 * would only happen if the caller checked VOP_ACCESS() with a 2267 * 32 bit ACE mask and already had the appropriate permissions. 2268 */ 2269 if (skipaclchk) { 2270 *working_mode = 0; 2271 return (0); 2272 } 2273 2274 return (zfs_zaccess_aces_check(zp, working_mode, B_FALSE, cr)); 2275} 2276 2277static int 2278zfs_zaccess_append(znode_t *zp, uint32_t *working_mode, boolean_t *check_privs, 2279 cred_t *cr) 2280{ 2281 if (*working_mode != ACE_WRITE_DATA) 2282 return (EACCES); 2283 2284 return (zfs_zaccess_common(zp, ACE_APPEND_DATA, working_mode, 2285 check_privs, B_FALSE, cr)); 2286} 2287 2288int 2289zfs_fastaccesschk_execute(znode_t *zdp, cred_t *cr) 2290{ 2291 boolean_t owner = B_FALSE; 2292 boolean_t groupmbr = B_FALSE; 2293 boolean_t is_attr; 2294 uid_t uid = crgetuid(cr); 2295 int error; 2296 2297 if (zdp->z_pflags & ZFS_AV_QUARANTINED) 2298 return (EACCES); 2299 2300 is_attr = ((zdp->z_pflags & ZFS_XATTR) && 2301 (ZTOV(zdp)->v_type == VDIR)); 2302 if (is_attr) 2303 goto slow; 2304 2305 2306 mutex_enter(&zdp->z_acl_lock); 2307 2308 if (zdp->z_pflags & ZFS_NO_EXECS_DENIED) { 2309 mutex_exit(&zdp->z_acl_lock); 2310 return (0); 2311 } 2312 2313 if (FUID_INDEX(zdp->z_uid) != 0 || FUID_INDEX(zdp->z_gid) != 0) { 2314 mutex_exit(&zdp->z_acl_lock); 2315 goto slow; 2316 } 2317 2318 if (uid == zdp->z_uid) { 2319 owner = B_TRUE; 2320 if (zdp->z_mode & S_IXUSR) { 2321 mutex_exit(&zdp->z_acl_lock); 2322 return (0); 2323 } else { 2324 mutex_exit(&zdp->z_acl_lock); 2325 goto slow; 2326 } 2327 } 2328 if (groupmember(zdp->z_gid, cr)) { 2329 groupmbr = B_TRUE; 2330 if (zdp->z_mode & S_IXGRP) { 2331 mutex_exit(&zdp->z_acl_lock); 2332 return (0); 2333 } else { 2334 mutex_exit(&zdp->z_acl_lock); 2335 goto slow; 2336 } 2337 } 2338 if (!owner && !groupmbr) { 2339 if (zdp->z_mode & S_IXOTH) { 2340 mutex_exit(&zdp->z_acl_lock); 2341 return (0); 2342 } 2343 } 2344 2345 mutex_exit(&zdp->z_acl_lock); 2346 2347slow: 2348 DTRACE_PROBE(zfs__fastpath__execute__access__miss); 2349 ZFS_ENTER(zdp->z_zfsvfs); 2350 error = zfs_zaccess(zdp, ACE_EXECUTE, 0, B_FALSE, cr); 2351 ZFS_EXIT(zdp->z_zfsvfs); 2352 return (error); 2353} 2354 2355/* 2356 * Determine whether Access should be granted/denied. 2357 * The least priv subsytem is always consulted as a basic privilege 2358 * can define any form of access. 2359 */ 2360int 2361zfs_zaccess(znode_t *zp, int mode, int flags, boolean_t skipaclchk, cred_t *cr) 2362{ 2363 uint32_t working_mode; 2364 int error; 2365 int is_attr; 2366 boolean_t check_privs; 2367 znode_t *xzp; 2368 znode_t *check_zp = zp; 2369 mode_t needed_bits; 2370 uid_t owner; 2371 2372 is_attr = ((zp->z_pflags & ZFS_XATTR) && (ZTOV(zp)->v_type == VDIR)); 2373 2374#ifdef __FreeBSD__ 2375 /* 2376 * In FreeBSD, we don't care about permissions of individual ADS. 2377 * Note that not checking them is not just an optimization - without 2378 * this shortcut, EA operations may bogusly fail with EACCES. 2379 */ 2380 if (zp->z_pflags & ZFS_XATTR) 2381 return (0); 2382#else 2383 /* 2384 * If attribute then validate against base file 2385 */ 2386 if (is_attr) { 2387 uint64_t parent; 2388 2389 if ((error = sa_lookup(zp->z_sa_hdl, 2390 SA_ZPL_PARENT(zp->z_zfsvfs), &parent, 2391 sizeof (parent))) != 0) 2392 return (error); 2393 2394 if ((error = zfs_zget(zp->z_zfsvfs, 2395 parent, &xzp)) != 0) { 2396 return (error); 2397 } 2398 2399 check_zp = xzp; 2400 2401 /* 2402 * fixup mode to map to xattr perms 2403 */ 2404 2405 if (mode & (ACE_WRITE_DATA|ACE_APPEND_DATA)) { 2406 mode &= ~(ACE_WRITE_DATA|ACE_APPEND_DATA); 2407 mode |= ACE_WRITE_NAMED_ATTRS; 2408 } 2409 2410 if (mode & (ACE_READ_DATA|ACE_EXECUTE)) { 2411 mode &= ~(ACE_READ_DATA|ACE_EXECUTE); 2412 mode |= ACE_READ_NAMED_ATTRS; 2413 } 2414 } 2415#endif 2416 2417 owner = zfs_fuid_map_id(zp->z_zfsvfs, zp->z_uid, cr, ZFS_OWNER); 2418 /* 2419 * Map the bits required to the standard vnode flags VREAD|VWRITE|VEXEC 2420 * in needed_bits. Map the bits mapped by working_mode (currently 2421 * missing) in missing_bits. 2422 * Call secpolicy_vnode_access2() with (needed_bits & ~checkmode), 2423 * needed_bits. 2424 */ 2425 needed_bits = 0; 2426 2427 working_mode = mode; 2428 if ((working_mode & (ACE_READ_ACL|ACE_READ_ATTRIBUTES)) && 2429 owner == crgetuid(cr)) 2430 working_mode &= ~(ACE_READ_ACL|ACE_READ_ATTRIBUTES); 2431 2432 if (working_mode & (ACE_READ_DATA|ACE_READ_NAMED_ATTRS| 2433 ACE_READ_ACL|ACE_READ_ATTRIBUTES|ACE_SYNCHRONIZE)) 2434 needed_bits |= VREAD; 2435 if (working_mode & (ACE_WRITE_DATA|ACE_WRITE_NAMED_ATTRS| 2436 ACE_APPEND_DATA|ACE_WRITE_ATTRIBUTES|ACE_SYNCHRONIZE)) 2437 needed_bits |= VWRITE; 2438 if (working_mode & ACE_EXECUTE) 2439 needed_bits |= VEXEC; 2440 2441 if ((error = zfs_zaccess_common(check_zp, mode, &working_mode, 2442 &check_privs, skipaclchk, cr)) == 0) { 2443 if (is_attr) 2444 VN_RELE(ZTOV(xzp)); 2445 return (secpolicy_vnode_access2(cr, ZTOV(zp), owner, 2446 needed_bits, needed_bits)); 2447 } 2448 2449 if (error && !check_privs) { 2450 if (is_attr) 2451 VN_RELE(ZTOV(xzp)); 2452 return (error); 2453 } 2454 2455 if (error && (flags & V_APPEND)) { 2456 error = zfs_zaccess_append(zp, &working_mode, &check_privs, cr); 2457 } 2458 2459 if (error && check_privs) { 2460 mode_t checkmode = 0; 2461 2462 /* 2463 * First check for implicit owner permission on 2464 * read_acl/read_attributes 2465 */ 2466 2467 error = 0; 2468 ASSERT(working_mode != 0); 2469 2470 if ((working_mode & (ACE_READ_ACL|ACE_READ_ATTRIBUTES) && 2471 owner == crgetuid(cr))) 2472 working_mode &= ~(ACE_READ_ACL|ACE_READ_ATTRIBUTES); 2473 2474 if (working_mode & (ACE_READ_DATA|ACE_READ_NAMED_ATTRS| 2475 ACE_READ_ACL|ACE_READ_ATTRIBUTES|ACE_SYNCHRONIZE)) 2476 checkmode |= VREAD; 2477 if (working_mode & (ACE_WRITE_DATA|ACE_WRITE_NAMED_ATTRS| 2478 ACE_APPEND_DATA|ACE_WRITE_ATTRIBUTES|ACE_SYNCHRONIZE)) 2479 checkmode |= VWRITE; 2480 if (working_mode & ACE_EXECUTE) 2481 checkmode |= VEXEC; 2482 2483 error = secpolicy_vnode_access2(cr, ZTOV(check_zp), owner, 2484 needed_bits & ~checkmode, needed_bits); 2485 2486 if (error == 0 && (working_mode & ACE_WRITE_OWNER)) 2487 error = secpolicy_vnode_chown(ZTOV(check_zp), cr, owner); 2488 if (error == 0 && (working_mode & ACE_WRITE_ACL)) 2489 error = secpolicy_vnode_setdac(ZTOV(check_zp), cr, owner); 2490 2491 if (error == 0 && (working_mode & 2492 (ACE_DELETE|ACE_DELETE_CHILD))) 2493 error = secpolicy_vnode_remove(ZTOV(check_zp), cr); 2494 2495 if (error == 0 && (working_mode & ACE_SYNCHRONIZE)) { 2496 error = secpolicy_vnode_chown(ZTOV(check_zp), cr, owner); 2497 } 2498 if (error == 0) { 2499 /* 2500 * See if any bits other than those already checked 2501 * for are still present. If so then return EACCES 2502 */ 2503 if (working_mode & ~(ZFS_CHECKED_MASKS)) { 2504 error = EACCES; 2505 } 2506 } 2507 } else if (error == 0) { 2508 error = secpolicy_vnode_access2(cr, ZTOV(zp), owner, 2509 needed_bits, needed_bits); 2510 } 2511 2512 2513 if (is_attr) 2514 VN_RELE(ZTOV(xzp)); 2515 2516 return (error); 2517} 2518 2519/* 2520 * Translate traditional unix VREAD/VWRITE/VEXEC mode into 2521 * native ACL format and call zfs_zaccess() 2522 */ 2523int 2524zfs_zaccess_rwx(znode_t *zp, mode_t mode, int flags, cred_t *cr) 2525{ 2526 return (zfs_zaccess(zp, zfs_unix_to_v4(mode >> 6), flags, B_FALSE, cr)); 2527} 2528 2529/* 2530 * Access function for secpolicy_vnode_setattr 2531 */ 2532int 2533zfs_zaccess_unix(znode_t *zp, mode_t mode, cred_t *cr) 2534{ 2535 int v4_mode = zfs_unix_to_v4(mode >> 6); 2536 2537 return (zfs_zaccess(zp, v4_mode, 0, B_FALSE, cr)); 2538} 2539 2540static int 2541zfs_delete_final_check(znode_t *zp, znode_t *dzp, 2542 mode_t available_perms, cred_t *cr) 2543{ 2544 int error; 2545 uid_t downer; 2546 2547 downer = zfs_fuid_map_id(dzp->z_zfsvfs, dzp->z_uid, cr, ZFS_OWNER); 2548 2549 error = secpolicy_vnode_access2(cr, ZTOV(dzp), 2550 downer, available_perms, VWRITE|VEXEC); 2551 2552 if (error == 0) 2553 error = zfs_sticky_remove_access(dzp, zp, cr); 2554 2555 return (error); 2556} 2557 2558/* 2559 * Determine whether Access should be granted/deny, without 2560 * consulting least priv subsystem. 2561 * 2562 * 2563 * The following chart is the recommended NFSv4 enforcement for 2564 * ability to delete an object. 2565 * 2566 * ------------------------------------------------------- 2567 * | Parent Dir | Target Object Permissions | 2568 * | permissions | | 2569 * ------------------------------------------------------- 2570 * | | ACL Allows | ACL Denies| Delete | 2571 * | | Delete | Delete | unspecified| 2572 * ------------------------------------------------------- 2573 * | ACL Allows | Permit | Permit | Permit | 2574 * | DELETE_CHILD | | 2575 * ------------------------------------------------------- 2576 * | ACL Denies | Permit | Deny | Deny | 2577 * | DELETE_CHILD | | | | 2578 * ------------------------------------------------------- 2579 * | ACL specifies | | | | 2580 * | only allow | Permit | Permit | Permit | 2581 * | write and | | | | 2582 * | execute | | | | 2583 * ------------------------------------------------------- 2584 * | ACL denies | | | | 2585 * | write and | Permit | Deny | Deny | 2586 * | execute | | | | 2587 * ------------------------------------------------------- 2588 * ^ 2589 * | 2590 * No search privilege, can't even look up file? 2591 * 2592 */ 2593int 2594zfs_zaccess_delete(znode_t *dzp, znode_t *zp, cred_t *cr) 2595{ 2596 uint32_t dzp_working_mode = 0; 2597 uint32_t zp_working_mode = 0; 2598 int dzp_error, zp_error; 2599 mode_t available_perms; 2600 boolean_t dzpcheck_privs = B_TRUE; 2601 boolean_t zpcheck_privs = B_TRUE; 2602 2603 /* 2604 * We want specific DELETE permissions to 2605 * take precedence over WRITE/EXECUTE. We don't 2606 * want an ACL such as this to mess us up. 2607 * user:joe:write_data:deny,user:joe:delete:allow 2608 * 2609 * However, deny permissions may ultimately be overridden 2610 * by secpolicy_vnode_access(). 2611 * 2612 * We will ask for all of the necessary permissions and then 2613 * look at the working modes from the directory and target object 2614 * to determine what was found. 2615 */ 2616 2617 if (zp->z_pflags & (ZFS_IMMUTABLE | ZFS_NOUNLINK)) 2618 return (EPERM); 2619 2620 /* 2621 * First row 2622 * If the directory permissions allow the delete, we are done. 2623 */ 2624 if ((dzp_error = zfs_zaccess_common(dzp, ACE_DELETE_CHILD, 2625 &dzp_working_mode, &dzpcheck_privs, B_FALSE, cr)) == 0) 2626 return (0); 2627 2628 /* 2629 * If target object has delete permission then we are done 2630 */ 2631 if ((zp_error = zfs_zaccess_common(zp, ACE_DELETE, &zp_working_mode, 2632 &zpcheck_privs, B_FALSE, cr)) == 0) 2633 return (0); 2634 2635 ASSERT(dzp_error && zp_error); 2636 2637 if (!dzpcheck_privs) 2638 return (dzp_error); 2639 if (!zpcheck_privs) 2640 return (zp_error); 2641 2642 /* 2643 * Second row 2644 * 2645 * If directory returns EACCES then delete_child was denied 2646 * due to deny delete_child. In this case send the request through 2647 * secpolicy_vnode_remove(). We don't use zfs_delete_final_check() 2648 * since that *could* allow the delete based on write/execute permission 2649 * and we want delete permissions to override write/execute. 2650 */ 2651 2652 if (dzp_error == EACCES) 2653 return (secpolicy_vnode_remove(ZTOV(dzp), cr)); /* XXXPJD: s/dzp/zp/ ? */ 2654 2655 /* 2656 * Third Row 2657 * only need to see if we have write/execute on directory. 2658 */ 2659 2660 dzp_error = zfs_zaccess_common(dzp, ACE_EXECUTE|ACE_WRITE_DATA, 2661 &dzp_working_mode, &dzpcheck_privs, B_FALSE, cr); 2662 2663 if (dzp_error != 0 && !dzpcheck_privs) 2664 return (dzp_error); 2665 2666 /* 2667 * Fourth row 2668 */ 2669 2670 available_perms = (dzp_working_mode & ACE_WRITE_DATA) ? 0 : VWRITE; 2671 available_perms |= (dzp_working_mode & ACE_EXECUTE) ? 0 : VEXEC; 2672 2673 return (zfs_delete_final_check(zp, dzp, available_perms, cr)); 2674 2675} 2676 2677int 2678zfs_zaccess_rename(znode_t *sdzp, znode_t *szp, znode_t *tdzp, 2679 znode_t *tzp, cred_t *cr) 2680{ 2681 int add_perm; 2682 int error; 2683 2684 if (szp->z_pflags & ZFS_AV_QUARANTINED) 2685 return (EACCES); 2686 2687 add_perm = (ZTOV(szp)->v_type == VDIR) ? 2688 ACE_ADD_SUBDIRECTORY : ACE_ADD_FILE; 2689 2690 /* 2691 * Rename permissions are combination of delete permission + 2692 * add file/subdir permission. 2693 * 2694 * BSD operating systems also require write permission 2695 * on the directory being moved from one parent directory 2696 * to another. 2697 */ 2698 if (ZTOV(szp)->v_type == VDIR && ZTOV(sdzp) != ZTOV(tdzp)) { 2699 if (error = zfs_zaccess(szp, ACE_WRITE_DATA, 0, B_FALSE, cr)) 2700 return (error); 2701 } 2702 2703 /* 2704 * first make sure we do the delete portion. 2705 * 2706 * If that succeeds then check for add_file/add_subdir permissions 2707 */ 2708 2709 if (error = zfs_zaccess_delete(sdzp, szp, cr)) 2710 return (error); 2711 2712 /* 2713 * If we have a tzp, see if we can delete it? 2714 */ 2715 if (tzp) { 2716 if (error = zfs_zaccess_delete(tdzp, tzp, cr)) 2717 return (error); 2718 } 2719 2720 /* 2721 * Now check for add permissions 2722 */ 2723 error = zfs_zaccess(tdzp, add_perm, 0, B_FALSE, cr); 2724 2725 return (error); 2726} 2727