
61  * Is the given group ID tid (test-id) any of the gid's in agids?
81 * of ACEs, or find something explicitly denied (DENIED!),
82 * or have cleared out all our attempt-something bits. Once
91 * -1 (negative = no = denied), or 0 (no strong answer).
112 for (i = 0; mask != 0 && i < acl->acl_nace; i++) { in l9p_check_aces()
113 ace = &acl->acl_aces[i]; in l9p_check_aces()
114 switch (ace->ace_type) { in l9p_check_aces()
119 /* audit, alarm - ignore */ in l9p_check_aces()
125 if (ace->ace_flags & L9P_ACEF_OWNER) { in l9p_check_aces()
129 match = st->st_uid == uid; in l9p_check_aces()
130 } else if (ace->ace_flags & L9P_ACEF_GROUP) { in l9p_check_aces()
134 match = l9p_ingroup(st->st_gid, gid, gids, ngids); in l9p_check_aces()
135 } else if (ace->ace_flags & L9P_ACEF_EVERYONE) { in l9p_check_aces()
141 if (ace->ace_idsize != sizeof(tid)) in l9p_check_aces()
146 memcpy(&tid, &ace->ace_idbytes, sizeof(tid)); in l9p_check_aces()
147 if (ace->ace_flags & L9P_ACEF_IDENTIFIER_GROUP) { in l9p_check_aces()
166 allowdeny = ace->ace_type == L9P_ACET_ACCESS_DENIED ? in l9p_check_aces()
169 if (match && (ace->ace_mask & (uint32_t)mask) != 0) { in l9p_check_aces()
175 (u_int)mask, (u_int)ace->ace_mask); in l9p_check_aces()
180 (u_int)mask, (u_int)ace->ace_mask); in l9p_check_aces()
182 if (ace->ace_type == L9P_ACET_ACCESS_DENIED) in l9p_check_aces()
183 return (-1); in l9p_check_aces()
184 mask &= ~ace->ace_mask; in l9p_check_aces()
187 (u_int)ace->ace_mask, (u_int)mask); in l9p_check_aces()
197 (u_int)ace->ace_mask); in l9p_check_aces()
204 (u_int)ace->ace_mask); in l9p_check_aces()
211 L9P_LOG(L9P_DEBUG, "ACE: end of ACEs, mask now 0x%x: %s", in l9p_check_aces()
212 mask, mask ? "no-definitive-answer" : "ALLOW"); in l9p_check_aces()
224 * set the mask to test the directory permissions (not ADD_FILE but
226 * you must set the opmask to test file ADD_FILE.
254 parent = args->aca_parent; in l9p_acl_check_access()
255 pstat = args->aca_pstat; in l9p_acl_check_access()
256 child = args->aca_child; in l9p_acl_check_access()
257 cstat = args->aca_cstat; in l9p_acl_check_access()
258 uid = args->aca_uid; in l9p_acl_check_access()
259 gid = args->aca_gid; in l9p_acl_check_access()
260 gids = args->aca_groups; in l9p_acl_check_access()
261 ngids = args->aca_ngroups; in l9p_acl_check_access()
272 if (uid == 0 && args->aca_superuser) in l9p_acl_check_access()
276 * If told to ignore ACLs and use only stat-based permissions, in l9p_acl_check_access()
277 * discard any non-NULL ACL pointers. in l9p_acl_check_access()
281 if ((args->aca_aclmode & L9P_ACM_NFS_ACL) == 0) in l9p_acl_check_access()
284 assert(parent == NULL || parent->acl_acetype == L9P_ACLTYPE_NFSv4); in l9p_acl_check_access()
286 assert(child == NULL || child->acl_acetype == L9P_ACLTYPE_NFSv4); in l9p_acl_check_access()
304 * Remove child-only bits from parent op and in l9p_acl_check_access()
305 * parent-only bits from child op. in l9p_acl_check_access()
307 * L9P_ACE_DELETE is child-only. in l9p_acl_check_access()
309 * L9P_ACE_DELETE_CHILD is parent-only, and three data in l9p_acl_check_access()
320 * Remove child-only bits from parent op. We need in l9p_acl_check_access()
346 * not 100% clear how to handle the two-answer in l9p_acl_check_access()
356 /* non-definitive answer from one! move on */ in l9p_acl_check_access()
372 * If so, find write-and-execute permission on parent. in l9p_acl_check_access()
373 * Note that WRITE overlaps with ADD_FILE -- that's ZFS's in l9p_acl_check_access()
374 * way of saying "allow write to dir" -- but EXECUTE is in l9p_acl_check_access()
383 if ((args->aca_aclmode & L9P_ACM_ZFS_ACL) && in l9p_acl_check_access()
396 * or set the mode to suppress them. in l9p_acl_check_access()
399 * (i.e., this is a dir op), or if the DELETE_CHILD bit is set in l9p_acl_check_access()
403 if (args->aca_aclmode & L9P_ACM_STAT_MODE) { in l9p_acl_check_access()
410 if (uid == st->st_uid) in l9p_acl_check_access()
411 bits = (st->st_mode >> 6) & 7; in l9p_acl_check_access()
412 else if (l9p_ingroup(st->st_gid, gid, gids, ngids)) in l9p_acl_check_access()
413 bits = (st->st_mode >> 3) & 7; in l9p_acl_check_access()
415 bits = st->st_mode & 7; in l9p_acl_check_access()
417 * If all the desired bits are set, we're OK. in l9p_acl_check_access()
458 * Allocate new ACL holder and ACEs.
470 ret->acl_acetype = acetype; in l9p_new_acl()
471 ret->acl_nace = 0; in l9p_new_acl()
472 ret->acl_aceasize = aceasize; in l9p_new_acl()
480 * Currently won't shrink, only grow, so it's a fast no-op until
490 if (acl->acl_aceasize < aceasize) { in l9p_growacl()
502 * Annoyingly, there's no POSIX-standard way to count the number
503 * of ACEs in a system ACL other than to walk through them all.
523 * Create ACL with ACEs from the given acl_t. We use the given
544 error = (*convert)(entry, &acl->acl_aces[n]); in l9p_sysacl_to_acl()
549 acl->acl_nace = n; in l9p_sysacl_to_acl()
589 /* move user/group/everyone + id-is-group-id into flags */ in l9p_frombsdnfs4()
618 ace->ace_type = L9P_ACET_ACCESS_ALLOWED; in l9p_frombsdnfs4()
622 ace->ace_type = L9P_ACET_ACCESS_DENIED; in l9p_frombsdnfs4()
626 ace->ace_type = L9P_ACET_SYSTEM_AUDIT; in l9p_frombsdnfs4()
630 ace->ace_type = L9P_ACET_SYSTEM_ALARM; in l9p_frombsdnfs4()
637 /* transform remaining BSD flags to internal NFS-y form */ in l9p_frombsdnfs4()
651 ace->ace_flags = flags; in l9p_frombsdnfs4()
694 ace->ace_mask = mask; in l9p_frombsdnfs4()
696 /* fill in variable-size user or group ID bytes */ in l9p_frombsdnfs4()
698 ace->ace_idsize = 0; in l9p_frombsdnfs4()
700 ace->ace_idsize = sizeof(uid); in l9p_frombsdnfs4()
701 memcpy(&ace->ace_idbytes[0], aid, sizeof(uid)); in l9p_frombsdnfs4()