1 /*
2 * CDDL HEADER START
3 *
4 * The contents of this file are subject to the terms of the
5 * Common Development and Distribution License (the "License").
6 * You may not use this file except in compliance with the License.
7 *
8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9 * or http://www.opensolaris.org/os/licensing.
10 * See the License for the specific language governing permissions
11 * and limitations under the License.
12 *
13 * When distributing Covered Code, include this CDDL HEADER in each
14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15 * If applicable, add the following below this CDDL HEADER, with the
16 * fields enclosed by brackets "[]" replaced with your own identifying
17 * information: Portions Copyright [yyyy] [name of copyright owner]
18 *
19 * CDDL HEADER END
20 */
21 /*
22 * Copyright (c) 2005, 2010, Oracle and/or its affiliates. All rights reserved.
23 * Copyright 2011 Nexenta Systems, Inc. All rights reserved.
24 * Copyright (c) 2013 by Delphix. All rights reserved.
25 */
26
27 #include <sys/types.h>
28 #include <sys/param.h>
29 #include <sys/time.h>
30 #include <sys/systm.h>
31 #include <sys/sysmacros.h>
32 #include <sys/resource.h>
33 #include <sys/vfs.h>
34 #include <sys/vnode.h>
35 #include <sys/sid.h>
36 #include <sys/file.h>
37 #include <sys/stat.h>
38 #include <sys/kmem.h>
39 #include <sys/cmn_err.h>
40 #include <sys/errno.h>
41 #include <sys/unistd.h>
42 #include <sys/sdt.h>
43 #include <sys/fs/zfs.h>
44 #include <sys/mode.h>
45 #include <sys/policy.h>
46 #include <sys/zfs_znode.h>
47 #include <sys/zfs_fuid.h>
48 #include <sys/zfs_acl.h>
49 #include <sys/zfs_dir.h>
50 #include <sys/zfs_vfsops.h>
51 #include <sys/dmu.h>
52 #include <sys/dnode.h>
53 #include <sys/zap.h>
54 #include <sys/sa.h>
55 #include "fs/fs_subr.h"
56 #include <acl/acl_common.h>
57
58 #define ALLOW ACE_ACCESS_ALLOWED_ACE_TYPE
59 #define DENY ACE_ACCESS_DENIED_ACE_TYPE
60 #define MAX_ACE_TYPE ACE_SYSTEM_ALARM_CALLBACK_OBJECT_ACE_TYPE
61 #define MIN_ACE_TYPE ALLOW
62
63 #define OWNING_GROUP (ACE_GROUP|ACE_IDENTIFIER_GROUP)
64 #define EVERYONE_ALLOW_MASK (ACE_READ_ACL|ACE_READ_ATTRIBUTES | \
65 ACE_READ_NAMED_ATTRS|ACE_SYNCHRONIZE)
66 #define EVERYONE_DENY_MASK (ACE_WRITE_ACL|ACE_WRITE_OWNER | \
67 ACE_WRITE_ATTRIBUTES|ACE_WRITE_NAMED_ATTRS)
68 #define OWNER_ALLOW_MASK (ACE_WRITE_ACL | ACE_WRITE_OWNER | \
69 ACE_WRITE_ATTRIBUTES|ACE_WRITE_NAMED_ATTRS)
70
71 #define ZFS_CHECKED_MASKS (ACE_READ_ACL|ACE_READ_ATTRIBUTES|ACE_READ_DATA| \
72 ACE_READ_NAMED_ATTRS|ACE_WRITE_DATA|ACE_WRITE_ATTRIBUTES| \
73 ACE_WRITE_NAMED_ATTRS|ACE_APPEND_DATA|ACE_EXECUTE|ACE_WRITE_OWNER| \
74 ACE_WRITE_ACL|ACE_DELETE|ACE_DELETE_CHILD|ACE_SYNCHRONIZE)
75
76 #define WRITE_MASK_DATA (ACE_WRITE_DATA|ACE_APPEND_DATA|ACE_WRITE_NAMED_ATTRS)
77 #define WRITE_MASK_ATTRS (ACE_WRITE_ACL|ACE_WRITE_OWNER|ACE_WRITE_ATTRIBUTES| \
78 ACE_DELETE|ACE_DELETE_CHILD)
79 #define WRITE_MASK (WRITE_MASK_DATA|WRITE_MASK_ATTRS)
80
81 #define OGE_CLEAR (ACE_READ_DATA|ACE_LIST_DIRECTORY|ACE_WRITE_DATA| \
82 ACE_ADD_FILE|ACE_APPEND_DATA|ACE_ADD_SUBDIRECTORY|ACE_EXECUTE)
83
84 #define OKAY_MASK_BITS (ACE_READ_DATA|ACE_LIST_DIRECTORY|ACE_WRITE_DATA| \
85 ACE_ADD_FILE|ACE_APPEND_DATA|ACE_ADD_SUBDIRECTORY|ACE_EXECUTE)
86
87 #define ALL_INHERIT (ACE_FILE_INHERIT_ACE|ACE_DIRECTORY_INHERIT_ACE | \
88 ACE_NO_PROPAGATE_INHERIT_ACE|ACE_INHERIT_ONLY_ACE|ACE_INHERITED_ACE)
89
90 #define RESTRICTED_CLEAR (ACE_WRITE_ACL|ACE_WRITE_OWNER)
91
92 #define V4_ACL_WIDE_FLAGS (ZFS_ACL_AUTO_INHERIT|ZFS_ACL_DEFAULTED|\
93 ZFS_ACL_PROTECTED)
94
95 #define ZFS_ACL_WIDE_FLAGS (V4_ACL_WIDE_FLAGS|ZFS_ACL_TRIVIAL|ZFS_INHERIT_ACE|\
96 ZFS_ACL_OBJ_ACE)
97
98 #define ALL_MODE_EXECS (S_IXUSR | S_IXGRP | S_IXOTH)
99
100 static uint16_t
zfs_ace_v0_get_type(void * acep)101 zfs_ace_v0_get_type(void *acep)
102 {
103 return (((zfs_oldace_t *)acep)->z_type);
104 }
105
106 static uint16_t
zfs_ace_v0_get_flags(void * acep)107 zfs_ace_v0_get_flags(void *acep)
108 {
109 return (((zfs_oldace_t *)acep)->z_flags);
110 }
111
112 static uint32_t
zfs_ace_v0_get_mask(void * acep)113 zfs_ace_v0_get_mask(void *acep)
114 {
115 return (((zfs_oldace_t *)acep)->z_access_mask);
116 }
117
118 static uint64_t
zfs_ace_v0_get_who(void * acep)119 zfs_ace_v0_get_who(void *acep)
120 {
121 return (((zfs_oldace_t *)acep)->z_fuid);
122 }
123
124 static void
zfs_ace_v0_set_type(void * acep,uint16_t type)125 zfs_ace_v0_set_type(void *acep, uint16_t type)
126 {
127 ((zfs_oldace_t *)acep)->z_type = type;
128 }
129
130 static void
zfs_ace_v0_set_flags(void * acep,uint16_t flags)131 zfs_ace_v0_set_flags(void *acep, uint16_t flags)
132 {
133 ((zfs_oldace_t *)acep)->z_flags = flags;
134 }
135
136 static void
zfs_ace_v0_set_mask(void * acep,uint32_t mask)137 zfs_ace_v0_set_mask(void *acep, uint32_t mask)
138 {
139 ((zfs_oldace_t *)acep)->z_access_mask = mask;
140 }
141
142 static void
zfs_ace_v0_set_who(void * acep,uint64_t who)143 zfs_ace_v0_set_who(void *acep, uint64_t who)
144 {
145 ((zfs_oldace_t *)acep)->z_fuid = who;
146 }
147
148 /*ARGSUSED*/
149 static size_t
zfs_ace_v0_size(void * acep)150 zfs_ace_v0_size(void *acep)
151 {
152 return (sizeof (zfs_oldace_t));
153 }
154
155 static size_t
zfs_ace_v0_abstract_size(void)156 zfs_ace_v0_abstract_size(void)
157 {
158 return (sizeof (zfs_oldace_t));
159 }
160
161 static int
zfs_ace_v0_mask_off(void)162 zfs_ace_v0_mask_off(void)
163 {
164 return (offsetof(zfs_oldace_t, z_access_mask));
165 }
166
167 /*ARGSUSED*/
168 static int
zfs_ace_v0_data(void * acep,void ** datap)169 zfs_ace_v0_data(void *acep, void **datap)
170 {
171 *datap = NULL;
172 return (0);
173 }
174
175 static acl_ops_t zfs_acl_v0_ops = {
176 zfs_ace_v0_get_mask,
177 zfs_ace_v0_set_mask,
178 zfs_ace_v0_get_flags,
179 zfs_ace_v0_set_flags,
180 zfs_ace_v0_get_type,
181 zfs_ace_v0_set_type,
182 zfs_ace_v0_get_who,
183 zfs_ace_v0_set_who,
184 zfs_ace_v0_size,
185 zfs_ace_v0_abstract_size,
186 zfs_ace_v0_mask_off,
187 zfs_ace_v0_data
188 };
189
190 static uint16_t
zfs_ace_fuid_get_type(void * acep)191 zfs_ace_fuid_get_type(void *acep)
192 {
193 return (((zfs_ace_hdr_t *)acep)->z_type);
194 }
195
196 static uint16_t
zfs_ace_fuid_get_flags(void * acep)197 zfs_ace_fuid_get_flags(void *acep)
198 {
199 return (((zfs_ace_hdr_t *)acep)->z_flags);
200 }
201
202 static uint32_t
zfs_ace_fuid_get_mask(void * acep)203 zfs_ace_fuid_get_mask(void *acep)
204 {
205 return (((zfs_ace_hdr_t *)acep)->z_access_mask);
206 }
207
208 static uint64_t
zfs_ace_fuid_get_who(void * args)209 zfs_ace_fuid_get_who(void *args)
210 {
211 uint16_t entry_type;
212 zfs_ace_t *acep = args;
213
214 entry_type = acep->z_hdr.z_flags & ACE_TYPE_FLAGS;
215
216 if (entry_type == ACE_OWNER || entry_type == OWNING_GROUP ||
217 entry_type == ACE_EVERYONE)
218 return (-1);
219 return (((zfs_ace_t *)acep)->z_fuid);
220 }
221
222 static void
zfs_ace_fuid_set_type(void * acep,uint16_t type)223 zfs_ace_fuid_set_type(void *acep, uint16_t type)
224 {
225 ((zfs_ace_hdr_t *)acep)->z_type = type;
226 }
227
228 static void
zfs_ace_fuid_set_flags(void * acep,uint16_t flags)229 zfs_ace_fuid_set_flags(void *acep, uint16_t flags)
230 {
231 ((zfs_ace_hdr_t *)acep)->z_flags = flags;
232 }
233
234 static void
zfs_ace_fuid_set_mask(void * acep,uint32_t mask)235 zfs_ace_fuid_set_mask(void *acep, uint32_t mask)
236 {
237 ((zfs_ace_hdr_t *)acep)->z_access_mask = mask;
238 }
239
240 static void
zfs_ace_fuid_set_who(void * arg,uint64_t who)241 zfs_ace_fuid_set_who(void *arg, uint64_t who)
242 {
243 zfs_ace_t *acep = arg;
244
245 uint16_t entry_type = acep->z_hdr.z_flags & ACE_TYPE_FLAGS;
246
247 if (entry_type == ACE_OWNER || entry_type == OWNING_GROUP ||
248 entry_type == ACE_EVERYONE)
249 return;
250 acep->z_fuid = who;
251 }
252
253 static size_t
zfs_ace_fuid_size(void * acep)254 zfs_ace_fuid_size(void *acep)
255 {
256 zfs_ace_hdr_t *zacep = acep;
257 uint16_t entry_type;
258
259 switch (zacep->z_type) {
260 case ACE_ACCESS_ALLOWED_OBJECT_ACE_TYPE:
261 case ACE_ACCESS_DENIED_OBJECT_ACE_TYPE:
262 case ACE_SYSTEM_AUDIT_OBJECT_ACE_TYPE:
263 case ACE_SYSTEM_ALARM_OBJECT_ACE_TYPE:
264 return (sizeof (zfs_object_ace_t));
265 case ALLOW:
266 case DENY:
267 entry_type =
268 (((zfs_ace_hdr_t *)acep)->z_flags & ACE_TYPE_FLAGS);
269 if (entry_type == ACE_OWNER ||
270 entry_type == OWNING_GROUP ||
271 entry_type == ACE_EVERYONE)
272 return (sizeof (zfs_ace_hdr_t));
273 /*FALLTHROUGH*/
274 default:
275 return (sizeof (zfs_ace_t));
276 }
277 }
278
279 static size_t
zfs_ace_fuid_abstract_size(void)280 zfs_ace_fuid_abstract_size(void)
281 {
282 return (sizeof (zfs_ace_hdr_t));
283 }
284
285 static int
zfs_ace_fuid_mask_off(void)286 zfs_ace_fuid_mask_off(void)
287 {
288 return (offsetof(zfs_ace_hdr_t, z_access_mask));
289 }
290
291 static int
zfs_ace_fuid_data(void * acep,void ** datap)292 zfs_ace_fuid_data(void *acep, void **datap)
293 {
294 zfs_ace_t *zacep = acep;
295 zfs_object_ace_t *zobjp;
296
297 switch (zacep->z_hdr.z_type) {
298 case ACE_ACCESS_ALLOWED_OBJECT_ACE_TYPE:
299 case ACE_ACCESS_DENIED_OBJECT_ACE_TYPE:
300 case ACE_SYSTEM_AUDIT_OBJECT_ACE_TYPE:
301 case ACE_SYSTEM_ALARM_OBJECT_ACE_TYPE:
302 zobjp = acep;
303 *datap = (caddr_t)zobjp + sizeof (zfs_ace_t);
304 return (sizeof (zfs_object_ace_t) - sizeof (zfs_ace_t));
305 default:
306 *datap = NULL;
307 return (0);
308 }
309 }
310
311 static acl_ops_t zfs_acl_fuid_ops = {
312 zfs_ace_fuid_get_mask,
313 zfs_ace_fuid_set_mask,
314 zfs_ace_fuid_get_flags,
315 zfs_ace_fuid_set_flags,
316 zfs_ace_fuid_get_type,
317 zfs_ace_fuid_set_type,
318 zfs_ace_fuid_get_who,
319 zfs_ace_fuid_set_who,
320 zfs_ace_fuid_size,
321 zfs_ace_fuid_abstract_size,
322 zfs_ace_fuid_mask_off,
323 zfs_ace_fuid_data
324 };
325
326 /*
327 * The following three functions are provided for compatibility with
328 * older ZPL version in order to determine if the file use to have
329 * an external ACL and what version of ACL previously existed on the
330 * file. Would really be nice to not need this, sigh.
331 */
332 uint64_t
zfs_external_acl(znode_t * zp)333 zfs_external_acl(znode_t *zp)
334 {
335 zfs_acl_phys_t acl_phys;
336 int error;
337
338 if (zp->z_is_sa)
339 return (0);
340
341 /*
342 * Need to deal with a potential
343 * race where zfs_sa_upgrade could cause
344 * z_isa_sa to change.
345 *
346 * If the lookup fails then the state of z_is_sa should have
347 * changed.
348 */
349
350 if ((error = sa_lookup(zp->z_sa_hdl, SA_ZPL_ZNODE_ACL(zp->z_zfsvfs),
351 &acl_phys, sizeof (acl_phys))) == 0)
352 return (acl_phys.z_acl_extern_obj);
353 else {
354 /*
355 * after upgrade the SA_ZPL_ZNODE_ACL should have been
356 * removed
357 */
358 VERIFY(zp->z_is_sa && error == ENOENT);
359 return (0);
360 }
361 }
362
363 /*
364 * Determine size of ACL in bytes
365 *
366 * This is more complicated than it should be since we have to deal
367 * with old external ACLs.
368 */
369 static int
zfs_acl_znode_info(znode_t * zp,int * aclsize,int * aclcount,zfs_acl_phys_t * aclphys)370 zfs_acl_znode_info(znode_t *zp, int *aclsize, int *aclcount,
371 zfs_acl_phys_t *aclphys)
372 {
373 zfsvfs_t *zfsvfs = zp->z_zfsvfs;
374 uint64_t acl_count;
375 int size;
376 int error;
377
378 ASSERT(MUTEX_HELD(&zp->z_acl_lock));
379 if (zp->z_is_sa) {
380 if ((error = sa_size(zp->z_sa_hdl, SA_ZPL_DACL_ACES(zfsvfs),
381 &size)) != 0)
382 return (error);
383 *aclsize = size;
384 if ((error = sa_lookup(zp->z_sa_hdl, SA_ZPL_DACL_COUNT(zfsvfs),
385 &acl_count, sizeof (acl_count))) != 0)
386 return (error);
387 *aclcount = acl_count;
388 } else {
389 if ((error = sa_lookup(zp->z_sa_hdl, SA_ZPL_ZNODE_ACL(zfsvfs),
390 aclphys, sizeof (*aclphys))) != 0)
391 return (error);
392
393 if (aclphys->z_acl_version == ZFS_ACL_VERSION_INITIAL) {
394 *aclsize = ZFS_ACL_SIZE(aclphys->z_acl_size);
395 *aclcount = aclphys->z_acl_size;
396 } else {
397 *aclsize = aclphys->z_acl_size;
398 *aclcount = aclphys->z_acl_count;
399 }
400 }
401 return (0);
402 }
403
404 int
zfs_znode_acl_version(znode_t * zp)405 zfs_znode_acl_version(znode_t *zp)
406 {
407 zfs_acl_phys_t acl_phys;
408
409 if (zp->z_is_sa)
410 return (ZFS_ACL_VERSION_FUID);
411 else {
412 int error;
413
414 /*
415 * Need to deal with a potential
416 * race where zfs_sa_upgrade could cause
417 * z_isa_sa to change.
418 *
419 * If the lookup fails then the state of z_is_sa should have
420 * changed.
421 */
422 if ((error = sa_lookup(zp->z_sa_hdl,
423 SA_ZPL_ZNODE_ACL(zp->z_zfsvfs),
424 &acl_phys, sizeof (acl_phys))) == 0)
425 return (acl_phys.z_acl_version);
426 else {
427 /*
428 * After upgrade SA_ZPL_ZNODE_ACL should have
429 * been removed.
430 */
431 VERIFY(zp->z_is_sa && error == ENOENT);
432 return (ZFS_ACL_VERSION_FUID);
433 }
434 }
435 }
436
437 static int
zfs_acl_version(int version)438 zfs_acl_version(int version)
439 {
440 if (version < ZPL_VERSION_FUID)
441 return (ZFS_ACL_VERSION_INITIAL);
442 else
443 return (ZFS_ACL_VERSION_FUID);
444 }
445
446 static int
zfs_acl_version_zp(znode_t * zp)447 zfs_acl_version_zp(znode_t *zp)
448 {
449 return (zfs_acl_version(zp->z_zfsvfs->z_version));
450 }
451
452 zfs_acl_t *
zfs_acl_alloc(int vers)453 zfs_acl_alloc(int vers)
454 {
455 zfs_acl_t *aclp;
456
457 aclp = kmem_zalloc(sizeof (zfs_acl_t), KM_SLEEP);
458 list_create(&aclp->z_acl, sizeof (zfs_acl_node_t),
459 offsetof(zfs_acl_node_t, z_next));
460 aclp->z_version = vers;
461 if (vers == ZFS_ACL_VERSION_FUID)
462 aclp->z_ops = zfs_acl_fuid_ops;
463 else
464 aclp->z_ops = zfs_acl_v0_ops;
465 return (aclp);
466 }
467
468 zfs_acl_node_t *
zfs_acl_node_alloc(size_t bytes)469 zfs_acl_node_alloc(size_t bytes)
470 {
471 zfs_acl_node_t *aclnode;
472
473 aclnode = kmem_zalloc(sizeof (zfs_acl_node_t), KM_SLEEP);
474 if (bytes) {
475 aclnode->z_acldata = kmem_alloc(bytes, KM_SLEEP);
476 aclnode->z_allocdata = aclnode->z_acldata;
477 aclnode->z_allocsize = bytes;
478 aclnode->z_size = bytes;
479 }
480
481 return (aclnode);
482 }
483
484 static void
zfs_acl_node_free(zfs_acl_node_t * aclnode)485 zfs_acl_node_free(zfs_acl_node_t *aclnode)
486 {
487 if (aclnode->z_allocsize)
488 kmem_free(aclnode->z_allocdata, aclnode->z_allocsize);
489 kmem_free(aclnode, sizeof (zfs_acl_node_t));
490 }
491
492 static void
zfs_acl_release_nodes(zfs_acl_t * aclp)493 zfs_acl_release_nodes(zfs_acl_t *aclp)
494 {
495 zfs_acl_node_t *aclnode;
496
497 while (aclnode = list_head(&aclp->z_acl)) {
498 list_remove(&aclp->z_acl, aclnode);
499 zfs_acl_node_free(aclnode);
500 }
501 aclp->z_acl_count = 0;
502 aclp->z_acl_bytes = 0;
503 }
504
505 void
zfs_acl_free(zfs_acl_t * aclp)506 zfs_acl_free(zfs_acl_t *aclp)
507 {
508 zfs_acl_release_nodes(aclp);
509 list_destroy(&aclp->z_acl);
510 kmem_free(aclp, sizeof (zfs_acl_t));
511 }
512
513 static boolean_t
zfs_acl_valid_ace_type(uint_t type,uint_t flags)514 zfs_acl_valid_ace_type(uint_t type, uint_t flags)
515 {
516 uint16_t entry_type;
517
518 switch (type) {
519 case ALLOW:
520 case DENY:
521 case ACE_SYSTEM_AUDIT_ACE_TYPE:
522 case ACE_SYSTEM_ALARM_ACE_TYPE:
523 entry_type = flags & ACE_TYPE_FLAGS;
524 return (entry_type == ACE_OWNER ||
525 entry_type == OWNING_GROUP ||
526 entry_type == ACE_EVERYONE || entry_type == 0 ||
527 entry_type == ACE_IDENTIFIER_GROUP);
528 default:
529 if (type >= MIN_ACE_TYPE && type <= MAX_ACE_TYPE)
530 return (B_TRUE);
531 }
532 return (B_FALSE);
533 }
534
535 static boolean_t
zfs_ace_valid(vtype_t obj_type,zfs_acl_t * aclp,uint16_t type,uint16_t iflags)536 zfs_ace_valid(vtype_t obj_type, zfs_acl_t *aclp, uint16_t type, uint16_t iflags)
537 {
538 /*
539 * first check type of entry
540 */
541
542 if (!zfs_acl_valid_ace_type(type, iflags))
543 return (B_FALSE);
544
545 switch (type) {
546 case ACE_ACCESS_ALLOWED_OBJECT_ACE_TYPE:
547 case ACE_ACCESS_DENIED_OBJECT_ACE_TYPE:
548 case ACE_SYSTEM_AUDIT_OBJECT_ACE_TYPE:
549 case ACE_SYSTEM_ALARM_OBJECT_ACE_TYPE:
550 if (aclp->z_version < ZFS_ACL_VERSION_FUID)
551 return (B_FALSE);
552 aclp->z_hints |= ZFS_ACL_OBJ_ACE;
553 }
554
555 /*
556 * next check inheritance level flags
557 */
558
559 if (obj_type == VDIR &&
560 (iflags & (ACE_FILE_INHERIT_ACE|ACE_DIRECTORY_INHERIT_ACE)))
561 aclp->z_hints |= ZFS_INHERIT_ACE;
562
563 if (iflags & (ACE_INHERIT_ONLY_ACE|ACE_NO_PROPAGATE_INHERIT_ACE)) {
564 if ((iflags & (ACE_FILE_INHERIT_ACE|
565 ACE_DIRECTORY_INHERIT_ACE)) == 0) {
566 return (B_FALSE);
567 }
568 }
569
570 return (B_TRUE);
571 }
572
573 static void *
zfs_acl_next_ace(zfs_acl_t * aclp,void * start,uint64_t * who,uint32_t * access_mask,uint16_t * iflags,uint16_t * type)574 zfs_acl_next_ace(zfs_acl_t *aclp, void *start, uint64_t *who,
575 uint32_t *access_mask, uint16_t *iflags, uint16_t *type)
576 {
577 zfs_acl_node_t *aclnode;
578
579 ASSERT(aclp);
580
581 if (start == NULL) {
582 aclnode = list_head(&aclp->z_acl);
583 if (aclnode == NULL)
584 return (NULL);
585
586 aclp->z_next_ace = aclnode->z_acldata;
587 aclp->z_curr_node = aclnode;
588 aclnode->z_ace_idx = 0;
589 }
590
591 aclnode = aclp->z_curr_node;
592
593 if (aclnode == NULL)
594 return (NULL);
595
596 if (aclnode->z_ace_idx >= aclnode->z_ace_count) {
597 aclnode = list_next(&aclp->z_acl, aclnode);
598 if (aclnode == NULL)
599 return (NULL);
600 else {
601 aclp->z_curr_node = aclnode;
602 aclnode->z_ace_idx = 0;
603 aclp->z_next_ace = aclnode->z_acldata;
604 }
605 }
606
607 if (aclnode->z_ace_idx < aclnode->z_ace_count) {
608 void *acep = aclp->z_next_ace;
609 size_t ace_size;
610
611 /*
612 * Make sure we don't overstep our bounds
613 */
614 ace_size = aclp->z_ops.ace_size(acep);
615
616 if (((caddr_t)acep + ace_size) >
617 ((caddr_t)aclnode->z_acldata + aclnode->z_size)) {
618 return (NULL);
619 }
620
621 *iflags = aclp->z_ops.ace_flags_get(acep);
622 *type = aclp->z_ops.ace_type_get(acep);
623 *access_mask = aclp->z_ops.ace_mask_get(acep);
624 *who = aclp->z_ops.ace_who_get(acep);
625 aclp->z_next_ace = (caddr_t)aclp->z_next_ace + ace_size;
626 aclnode->z_ace_idx++;
627
628 return ((void *)acep);
629 }
630 return (NULL);
631 }
632
633 /*ARGSUSED*/
634 static uint64_t
zfs_ace_walk(void * datap,uint64_t cookie,int aclcnt,uint16_t * flags,uint16_t * type,uint32_t * mask)635 zfs_ace_walk(void *datap, uint64_t cookie, int aclcnt,
636 uint16_t *flags, uint16_t *type, uint32_t *mask)
637 {
638 zfs_acl_t *aclp = datap;
639 zfs_ace_hdr_t *acep = (zfs_ace_hdr_t *)(uintptr_t)cookie;
640 uint64_t who;
641
642 acep = zfs_acl_next_ace(aclp, acep, &who, mask,
643 flags, type);
644 return ((uint64_t)(uintptr_t)acep);
645 }
646
647 static zfs_acl_node_t *
zfs_acl_curr_node(zfs_acl_t * aclp)648 zfs_acl_curr_node(zfs_acl_t *aclp)
649 {
650 ASSERT(aclp->z_curr_node);
651 return (aclp->z_curr_node);
652 }
653
654 /*
655 * Copy ACE to internal ZFS format.
656 * While processing the ACL each ACE will be validated for correctness.
657 * ACE FUIDs will be created later.
658 */
659 int
zfs_copy_ace_2_fuid(zfsvfs_t * zfsvfs,vtype_t obj_type,zfs_acl_t * aclp,void * datap,zfs_ace_t * z_acl,uint64_t aclcnt,size_t * size,zfs_fuid_info_t ** fuidp,cred_t * cr)660 zfs_copy_ace_2_fuid(zfsvfs_t *zfsvfs, vtype_t obj_type, zfs_acl_t *aclp,
661 void *datap, zfs_ace_t *z_acl, uint64_t aclcnt, size_t *size,
662 zfs_fuid_info_t **fuidp, cred_t *cr)
663 {
664 int i;
665 uint16_t entry_type;
666 zfs_ace_t *aceptr = z_acl;
667 ace_t *acep = datap;
668 zfs_object_ace_t *zobjacep;
669 ace_object_t *aceobjp;
670
671 for (i = 0; i != aclcnt; i++) {
672 aceptr->z_hdr.z_access_mask = acep->a_access_mask;
673 aceptr->z_hdr.z_flags = acep->a_flags;
674 aceptr->z_hdr.z_type = acep->a_type;
675 entry_type = aceptr->z_hdr.z_flags & ACE_TYPE_FLAGS;
676 if (entry_type != ACE_OWNER && entry_type != OWNING_GROUP &&
677 entry_type != ACE_EVERYONE) {
678 aceptr->z_fuid = zfs_fuid_create(zfsvfs, acep->a_who,
679 cr, (entry_type == 0) ?
680 ZFS_ACE_USER : ZFS_ACE_GROUP, fuidp);
681 }
682
683 /*
684 * Make sure ACE is valid
685 */
686 if (zfs_ace_valid(obj_type, aclp, aceptr->z_hdr.z_type,
687 aceptr->z_hdr.z_flags) != B_TRUE)
688 return (SET_ERROR(EINVAL));
689
690 switch (acep->a_type) {
691 case ACE_ACCESS_ALLOWED_OBJECT_ACE_TYPE:
692 case ACE_ACCESS_DENIED_OBJECT_ACE_TYPE:
693 case ACE_SYSTEM_AUDIT_OBJECT_ACE_TYPE:
694 case ACE_SYSTEM_ALARM_OBJECT_ACE_TYPE:
695 zobjacep = (zfs_object_ace_t *)aceptr;
696 aceobjp = (ace_object_t *)acep;
697
698 bcopy(aceobjp->a_obj_type, zobjacep->z_object_type,
699 sizeof (aceobjp->a_obj_type));
700 bcopy(aceobjp->a_inherit_obj_type,
701 zobjacep->z_inherit_type,
702 sizeof (aceobjp->a_inherit_obj_type));
703 acep = (ace_t *)((caddr_t)acep + sizeof (ace_object_t));
704 break;
705 default:
706 acep = (ace_t *)((caddr_t)acep + sizeof (ace_t));
707 }
708
709 aceptr = (zfs_ace_t *)((caddr_t)aceptr +
710 aclp->z_ops.ace_size(aceptr));
711 }
712
713 *size = (caddr_t)aceptr - (caddr_t)z_acl;
714
715 return (0);
716 }
717
718 /*
719 * Copy ZFS ACEs to fixed size ace_t layout
720 */
721 static void
zfs_copy_fuid_2_ace(zfsvfs_t * zfsvfs,zfs_acl_t * aclp,cred_t * cr,void * datap,int filter)722 zfs_copy_fuid_2_ace(zfsvfs_t *zfsvfs, zfs_acl_t *aclp, cred_t *cr,
723 void *datap, int filter)
724 {
725 uint64_t who;
726 uint32_t access_mask;
727 uint16_t iflags, type;
728 zfs_ace_hdr_t *zacep = NULL;
729 ace_t *acep = datap;
730 ace_object_t *objacep;
731 zfs_object_ace_t *zobjacep;
732 size_t ace_size;
733 uint16_t entry_type;
734
735 while (zacep = zfs_acl_next_ace(aclp, zacep,
736 &who, &access_mask, &iflags, &type)) {
737
738 switch (type) {
739 case ACE_ACCESS_ALLOWED_OBJECT_ACE_TYPE:
740 case ACE_ACCESS_DENIED_OBJECT_ACE_TYPE:
741 case ACE_SYSTEM_AUDIT_OBJECT_ACE_TYPE:
742 case ACE_SYSTEM_ALARM_OBJECT_ACE_TYPE:
743 if (filter) {
744 continue;
745 }
746 zobjacep = (zfs_object_ace_t *)zacep;
747 objacep = (ace_object_t *)acep;
748 bcopy(zobjacep->z_object_type,
749 objacep->a_obj_type,
750 sizeof (zobjacep->z_object_type));
751 bcopy(zobjacep->z_inherit_type,
752 objacep->a_inherit_obj_type,
753 sizeof (zobjacep->z_inherit_type));
754 ace_size = sizeof (ace_object_t);
755 break;
756 default:
757 ace_size = sizeof (ace_t);
758 break;
759 }
760
761 entry_type = (iflags & ACE_TYPE_FLAGS);
762 if ((entry_type != ACE_OWNER &&
763 entry_type != OWNING_GROUP &&
764 entry_type != ACE_EVERYONE)) {
765 acep->a_who = zfs_fuid_map_id(zfsvfs, who,
766 cr, (entry_type & ACE_IDENTIFIER_GROUP) ?
767 ZFS_ACE_GROUP : ZFS_ACE_USER);
768 } else {
769 acep->a_who = (uid_t)(int64_t)who;
770 }
771 acep->a_access_mask = access_mask;
772 acep->a_flags = iflags;
773 acep->a_type = type;
774 acep = (ace_t *)((caddr_t)acep + ace_size);
775 }
776 }
777
778 static int
zfs_copy_ace_2_oldace(vtype_t obj_type,zfs_acl_t * aclp,ace_t * acep,zfs_oldace_t * z_acl,int aclcnt,size_t * size)779 zfs_copy_ace_2_oldace(vtype_t obj_type, zfs_acl_t *aclp, ace_t *acep,
780 zfs_oldace_t *z_acl, int aclcnt, size_t *size)
781 {
782 int i;
783 zfs_oldace_t *aceptr = z_acl;
784
785 for (i = 0; i != aclcnt; i++, aceptr++) {
786 aceptr->z_access_mask = acep[i].a_access_mask;
787 aceptr->z_type = acep[i].a_type;
788 aceptr->z_flags = acep[i].a_flags;
789 aceptr->z_fuid = acep[i].a_who;
790 /*
791 * Make sure ACE is valid
792 */
793 if (zfs_ace_valid(obj_type, aclp, aceptr->z_type,
794 aceptr->z_flags) != B_TRUE)
795 return (SET_ERROR(EINVAL));
796 }
797 *size = (caddr_t)aceptr - (caddr_t)z_acl;
798 return (0);
799 }
800
801 /*
802 * convert old ACL format to new
803 */
804 void
zfs_acl_xform(znode_t * zp,zfs_acl_t * aclp,cred_t * cr)805 zfs_acl_xform(znode_t *zp, zfs_acl_t *aclp, cred_t *cr)
806 {
807 zfs_oldace_t *oldaclp;
808 int i;
809 uint16_t type, iflags;
810 uint32_t access_mask;
811 uint64_t who;
812 void *cookie = NULL;
813 zfs_acl_node_t *newaclnode;
814
815 ASSERT(aclp->z_version == ZFS_ACL_VERSION_INITIAL);
816 /*
817 * First create the ACE in a contiguous piece of memory
818 * for zfs_copy_ace_2_fuid().
819 *
820 * We only convert an ACL once, so this won't happen
821 * everytime.
822 */
823 oldaclp = kmem_alloc(sizeof (zfs_oldace_t) * aclp->z_acl_count,
824 KM_SLEEP);
825 i = 0;
826 while (cookie = zfs_acl_next_ace(aclp, cookie, &who,
827 &access_mask, &iflags, &type)) {
828 oldaclp[i].z_flags = iflags;
829 oldaclp[i].z_type = type;
830 oldaclp[i].z_fuid = who;
831 oldaclp[i++].z_access_mask = access_mask;
832 }
833
834 newaclnode = zfs_acl_node_alloc(aclp->z_acl_count *
835 sizeof (zfs_object_ace_t));
836 aclp->z_ops = zfs_acl_fuid_ops;
837 VERIFY(zfs_copy_ace_2_fuid(zp->z_zfsvfs, ZTOV(zp)->v_type, aclp,
838 oldaclp, newaclnode->z_acldata, aclp->z_acl_count,
839 &newaclnode->z_size, NULL, cr) == 0);
840 newaclnode->z_ace_count = aclp->z_acl_count;
841 aclp->z_version = ZFS_ACL_VERSION;
842 kmem_free(oldaclp, aclp->z_acl_count * sizeof (zfs_oldace_t));
843
844 /*
845 * Release all previous ACL nodes
846 */
847
848 zfs_acl_release_nodes(aclp);
849
850 list_insert_head(&aclp->z_acl, newaclnode);
851
852 aclp->z_acl_bytes = newaclnode->z_size;
853 aclp->z_acl_count = newaclnode->z_ace_count;
854
855 }
856
857 /*
858 * Convert unix access mask to v4 access mask
859 */
860 static uint32_t
zfs_unix_to_v4(uint32_t access_mask)861 zfs_unix_to_v4(uint32_t access_mask)
862 {
863 uint32_t new_mask = 0;
864
865 if (access_mask & S_IXOTH)
866 new_mask |= ACE_EXECUTE;
867 if (access_mask & S_IWOTH)
868 new_mask |= ACE_WRITE_DATA;
869 if (access_mask & S_IROTH)
870 new_mask |= ACE_READ_DATA;
871 return (new_mask);
872 }
873
874 static void
zfs_set_ace(zfs_acl_t * aclp,void * acep,uint32_t access_mask,uint16_t access_type,uint64_t fuid,uint16_t entry_type)875 zfs_set_ace(zfs_acl_t *aclp, void *acep, uint32_t access_mask,
876 uint16_t access_type, uint64_t fuid, uint16_t entry_type)
877 {
878 uint16_t type = entry_type & ACE_TYPE_FLAGS;
879
880 aclp->z_ops.ace_mask_set(acep, access_mask);
881 aclp->z_ops.ace_type_set(acep, access_type);
882 aclp->z_ops.ace_flags_set(acep, entry_type);
883 if ((type != ACE_OWNER && type != OWNING_GROUP &&
884 type != ACE_EVERYONE))
885 aclp->z_ops.ace_who_set(acep, fuid);
886 }
887
888 /*
889 * Determine mode of file based on ACL.
890 * Also, create FUIDs for any User/Group ACEs
891 */
892 uint64_t
zfs_mode_compute(uint64_t fmode,zfs_acl_t * aclp,uint64_t * pflags,uint64_t fuid,uint64_t fgid)893 zfs_mode_compute(uint64_t fmode, zfs_acl_t *aclp,
894 uint64_t *pflags, uint64_t fuid, uint64_t fgid)
895 {
896 int entry_type;
897 mode_t mode;
898 mode_t seen = 0;
899 zfs_ace_hdr_t *acep = NULL;
900 uint64_t who;
901 uint16_t iflags, type;
902 uint32_t access_mask;
903 boolean_t an_exec_denied = B_FALSE;
904
905 mode = (fmode & (S_IFMT | S_ISUID | S_ISGID | S_ISVTX));
906
907 while (acep = zfs_acl_next_ace(aclp, acep, &who,
908 &access_mask, &iflags, &type)) {
909
910 if (!zfs_acl_valid_ace_type(type, iflags))
911 continue;
912
913 entry_type = (iflags & ACE_TYPE_FLAGS);
914
915 /*
916 * Skip over owner@, group@ or everyone@ inherit only ACEs
917 */
918 if ((iflags & ACE_INHERIT_ONLY_ACE) &&
919 (entry_type == ACE_OWNER || entry_type == ACE_EVERYONE ||
920 entry_type == OWNING_GROUP))
921 continue;
922
923 if (entry_type == ACE_OWNER || (entry_type == 0 &&
924 who == fuid)) {
925 if ((access_mask & ACE_READ_DATA) &&
926 (!(seen & S_IRUSR))) {
927 seen |= S_IRUSR;
928 if (type == ALLOW) {
929 mode |= S_IRUSR;
930 }
931 }
932 if ((access_mask & ACE_WRITE_DATA) &&
933 (!(seen & S_IWUSR))) {
934 seen |= S_IWUSR;
935 if (type == ALLOW) {
936 mode |= S_IWUSR;
937 }
938 }
939 if ((access_mask & ACE_EXECUTE) &&
940 (!(seen & S_IXUSR))) {
941 seen |= S_IXUSR;
942 if (type == ALLOW) {
943 mode |= S_IXUSR;
944 }
945 }
946 } else if (entry_type == OWNING_GROUP ||
947 (entry_type == ACE_IDENTIFIER_GROUP && who == fgid)) {
948 if ((access_mask & ACE_READ_DATA) &&
949 (!(seen & S_IRGRP))) {
950 seen |= S_IRGRP;
951 if (type == ALLOW) {
952 mode |= S_IRGRP;
953 }
954 }
955 if ((access_mask & ACE_WRITE_DATA) &&
956 (!(seen & S_IWGRP))) {
957 seen |= S_IWGRP;
958 if (type == ALLOW) {
959 mode |= S_IWGRP;
960 }
961 }
962 if ((access_mask & ACE_EXECUTE) &&
963 (!(seen & S_IXGRP))) {
964 seen |= S_IXGRP;
965 if (type == ALLOW) {
966 mode |= S_IXGRP;
967 }
968 }
969 } else if (entry_type == ACE_EVERYONE) {
970 if ((access_mask & ACE_READ_DATA)) {
971 if (!(seen & S_IRUSR)) {
972 seen |= S_IRUSR;
973 if (type == ALLOW) {
974 mode |= S_IRUSR;
975 }
976 }
977 if (!(seen & S_IRGRP)) {
978 seen |= S_IRGRP;
979 if (type == ALLOW) {
980 mode |= S_IRGRP;
981 }
982 }
983 if (!(seen & S_IROTH)) {
984 seen |= S_IROTH;
985 if (type == ALLOW) {
986 mode |= S_IROTH;
987 }
988 }
989 }
990 if ((access_mask & ACE_WRITE_DATA)) {
991 if (!(seen & S_IWUSR)) {
992 seen |= S_IWUSR;
993 if (type == ALLOW) {
994 mode |= S_IWUSR;
995 }
996 }
997 if (!(seen & S_IWGRP)) {
998 seen |= S_IWGRP;
999 if (type == ALLOW) {
1000 mode |= S_IWGRP;
1001 }
1002 }
1003 if (!(seen & S_IWOTH)) {
1004 seen |= S_IWOTH;
1005 if (type == ALLOW) {
1006 mode |= S_IWOTH;
1007 }
1008 }
1009 }
1010 if ((access_mask & ACE_EXECUTE)) {
1011 if (!(seen & S_IXUSR)) {
1012 seen |= S_IXUSR;
1013 if (type == ALLOW) {
1014 mode |= S_IXUSR;
1015 }
1016 }
1017 if (!(seen & S_IXGRP)) {
1018 seen |= S_IXGRP;
1019 if (type == ALLOW) {
1020 mode |= S_IXGRP;
1021 }
1022 }
1023 if (!(seen & S_IXOTH)) {
1024 seen |= S_IXOTH;
1025 if (type == ALLOW) {
1026 mode |= S_IXOTH;
1027 }
1028 }
1029 }
1030 } else {
1031 /*
1032 * Only care if this IDENTIFIER_GROUP or
1033 * USER ACE denies execute access to someone,
1034 * mode is not affected
1035 */
1036 if ((access_mask & ACE_EXECUTE) && type == DENY)
1037 an_exec_denied = B_TRUE;
1038 }
1039 }
1040
1041 /*
1042 * Failure to allow is effectively a deny, so execute permission
1043 * is denied if it was never mentioned or if we explicitly
1044 * weren't allowed it.
1045 */
1046 if (!an_exec_denied &&
1047 ((seen & ALL_MODE_EXECS) != ALL_MODE_EXECS ||
1048 (mode & ALL_MODE_EXECS) != ALL_MODE_EXECS))
1049 an_exec_denied = B_TRUE;
1050
1051 if (an_exec_denied)
1052 *pflags &= ~ZFS_NO_EXECS_DENIED;
1053 else
1054 *pflags |= ZFS_NO_EXECS_DENIED;
1055
1056 return (mode);
1057 }
1058
1059 /*
1060 * Read an external acl object. If the intent is to modify, always
1061 * create a new acl and leave any cached acl in place.
1062 */
1063 static int
zfs_acl_node_read(znode_t * zp,boolean_t have_lock,zfs_acl_t ** aclpp,boolean_t will_modify)1064 zfs_acl_node_read(znode_t *zp, boolean_t have_lock, zfs_acl_t **aclpp,
1065 boolean_t will_modify)
1066 {
1067 zfs_acl_t *aclp;
1068 int aclsize;
1069 int acl_count;
1070 zfs_acl_node_t *aclnode;
1071 zfs_acl_phys_t znode_acl;
1072 int version;
1073 int error;
1074 boolean_t drop_lock = B_FALSE;
1075
1076 ASSERT(MUTEX_HELD(&zp->z_acl_lock));
1077
1078 if (zp->z_acl_cached && !will_modify) {
1079 *aclpp = zp->z_acl_cached;
1080 return (0);
1081 }
1082
1083 /*
1084 * close race where znode could be upgrade while trying to
1085 * read the znode attributes.
1086 *
1087 * But this could only happen if the file isn't already an SA
1088 * znode
1089 */
1090 if (!zp->z_is_sa && !have_lock) {
1091 mutex_enter(&zp->z_lock);
1092 drop_lock = B_TRUE;
1093 }
1094 version = zfs_znode_acl_version(zp);
1095
1096 if ((error = zfs_acl_znode_info(zp, &aclsize,
1097 &acl_count, &znode_acl)) != 0) {
1098 goto done;
1099 }
1100
1101 aclp = zfs_acl_alloc(version);
1102
1103 aclp->z_acl_count = acl_count;
1104 aclp->z_acl_bytes = aclsize;
1105
1106 aclnode = zfs_acl_node_alloc(aclsize);
1107 aclnode->z_ace_count = aclp->z_acl_count;
1108 aclnode->z_size = aclsize;
1109
1110 if (!zp->z_is_sa) {
1111 if (znode_acl.z_acl_extern_obj) {
1112 error = dmu_read(zp->z_zfsvfs->z_os,
1113 znode_acl.z_acl_extern_obj, 0, aclnode->z_size,
1114 aclnode->z_acldata, DMU_READ_PREFETCH);
1115 } else {
1116 bcopy(znode_acl.z_ace_data, aclnode->z_acldata,
1117 aclnode->z_size);
1118 }
1119 } else {
1120 error = sa_lookup(zp->z_sa_hdl, SA_ZPL_DACL_ACES(zp->z_zfsvfs),
1121 aclnode->z_acldata, aclnode->z_size);
1122 }
1123
1124 if (error != 0) {
1125 zfs_acl_free(aclp);
1126 zfs_acl_node_free(aclnode);
1127 /* convert checksum errors into IO errors */
1128 if (error == ECKSUM)
1129 error = SET_ERROR(EIO);
1130 goto done;
1131 }
1132
1133 list_insert_head(&aclp->z_acl, aclnode);
1134
1135 *aclpp = aclp;
1136 if (!will_modify)
1137 zp->z_acl_cached = aclp;
1138 done:
1139 if (drop_lock)
1140 mutex_exit(&zp->z_lock);
1141 return (error);
1142 }
1143
1144 /*ARGSUSED*/
1145 void
zfs_acl_data_locator(void ** dataptr,uint32_t * length,uint32_t buflen,boolean_t start,void * userdata)1146 zfs_acl_data_locator(void **dataptr, uint32_t *length, uint32_t buflen,
1147 boolean_t start, void *userdata)
1148 {
1149 zfs_acl_locator_cb_t *cb = (zfs_acl_locator_cb_t *)userdata;
1150
1151 if (start) {
1152 cb->cb_acl_node = list_head(&cb->cb_aclp->z_acl);
1153 } else {
1154 cb->cb_acl_node = list_next(&cb->cb_aclp->z_acl,
1155 cb->cb_acl_node);
1156 }
1157 *dataptr = cb->cb_acl_node->z_acldata;
1158 *length = cb->cb_acl_node->z_size;
1159 }
1160
1161 int
zfs_acl_chown_setattr(znode_t * zp)1162 zfs_acl_chown_setattr(znode_t *zp)
1163 {
1164 int error;
1165 zfs_acl_t *aclp;
1166
1167 ASSERT(MUTEX_HELD(&zp->z_lock));
1168 ASSERT(MUTEX_HELD(&zp->z_acl_lock));
1169
1170 if ((error = zfs_acl_node_read(zp, B_TRUE, &aclp, B_FALSE)) == 0)
1171 zp->z_mode = zfs_mode_compute(zp->z_mode, aclp,
1172 &zp->z_pflags, zp->z_uid, zp->z_gid);
1173 return (error);
1174 }
1175
1176 /*
1177 * common code for setting ACLs.
1178 *
1179 * This function is called from zfs_mode_update, zfs_perm_init, and zfs_setacl.
1180 * zfs_setacl passes a non-NULL inherit pointer (ihp) to indicate that it's
1181 * already checked the acl and knows whether to inherit.
1182 */
1183 int
zfs_aclset_common(znode_t * zp,zfs_acl_t * aclp,cred_t * cr,dmu_tx_t * tx)1184 zfs_aclset_common(znode_t *zp, zfs_acl_t *aclp, cred_t *cr, dmu_tx_t *tx)
1185 {
1186 int error;
1187 zfsvfs_t *zfsvfs = zp->z_zfsvfs;
1188 dmu_object_type_t otype;
1189 zfs_acl_locator_cb_t locate = { 0 };
1190 uint64_t mode;
1191 sa_bulk_attr_t bulk[5];
1192 uint64_t ctime[2];
1193 int count = 0;
1194
1195 mode = zp->z_mode;
1196
1197 mode = zfs_mode_compute(mode, aclp, &zp->z_pflags,
1198 zp->z_uid, zp->z_gid);
1199
1200 zp->z_mode = mode;
1201 SA_ADD_BULK_ATTR(bulk, count, SA_ZPL_MODE(zfsvfs), NULL,
1202 &mode, sizeof (mode));
1203 SA_ADD_BULK_ATTR(bulk, count, SA_ZPL_FLAGS(zfsvfs), NULL,
1204 &zp->z_pflags, sizeof (zp->z_pflags));
1205 SA_ADD_BULK_ATTR(bulk, count, SA_ZPL_CTIME(zfsvfs), NULL,
1206 &ctime, sizeof (ctime));
1207
1208 if (zp->z_acl_cached) {
1209 zfs_acl_free(zp->z_acl_cached);
1210 zp->z_acl_cached = NULL;
1211 }
1212
1213 /*
1214 * Upgrade needed?
1215 */
1216 if (!zfsvfs->z_use_fuids) {
1217 otype = DMU_OT_OLDACL;
1218 } else {
1219 if ((aclp->z_version == ZFS_ACL_VERSION_INITIAL) &&
1220 (zfsvfs->z_version >= ZPL_VERSION_FUID))
1221 zfs_acl_xform(zp, aclp, cr);
1222 ASSERT(aclp->z_version >= ZFS_ACL_VERSION_FUID);
1223 otype = DMU_OT_ACL;
1224 }
1225
1226 /*
1227 * Arrgh, we have to handle old on disk format
1228 * as well as newer (preferred) SA format.
1229 */
1230
1231 if (zp->z_is_sa) { /* the easy case, just update the ACL attribute */
1232 locate.cb_aclp = aclp;
1233 SA_ADD_BULK_ATTR(bulk, count, SA_ZPL_DACL_ACES(zfsvfs),
1234 zfs_acl_data_locator, &locate, aclp->z_acl_bytes);
1235 SA_ADD_BULK_ATTR(bulk, count, SA_ZPL_DACL_COUNT(zfsvfs),
1236 NULL, &aclp->z_acl_count, sizeof (uint64_t));
1237 } else { /* Painful legacy way */
1238 zfs_acl_node_t *aclnode;
1239 uint64_t off = 0;
1240 zfs_acl_phys_t acl_phys;
1241 uint64_t aoid;
1242
1243 if ((error = sa_lookup(zp->z_sa_hdl, SA_ZPL_ZNODE_ACL(zfsvfs),
1244 &acl_phys, sizeof (acl_phys))) != 0)
1245 return (error);
1246
1247 aoid = acl_phys.z_acl_extern_obj;
1248
1249 if (aclp->z_acl_bytes > ZFS_ACE_SPACE) {
1250 /*
1251 * If ACL was previously external and we are now
1252 * converting to new ACL format then release old
1253 * ACL object and create a new one.
1254 */
1255 if (aoid &&
1256 aclp->z_version != acl_phys.z_acl_version) {
1257 error = dmu_object_free(zfsvfs->z_os, aoid, tx);
1258 if (error)
1259 return (error);
1260 aoid = 0;
1261 }
1262 if (aoid == 0) {
1263 aoid = dmu_object_alloc(zfsvfs->z_os,
1264 otype, aclp->z_acl_bytes,
1265 otype == DMU_OT_ACL ?
1266 DMU_OT_SYSACL : DMU_OT_NONE,
1267 otype == DMU_OT_ACL ?
1268 DN_MAX_BONUSLEN : 0, tx);
1269 } else {
1270 (void) dmu_object_set_blocksize(zfsvfs->z_os,
1271 aoid, aclp->z_acl_bytes, 0, tx);
1272 }
1273 acl_phys.z_acl_extern_obj = aoid;
1274 for (aclnode = list_head(&aclp->z_acl); aclnode;
1275 aclnode = list_next(&aclp->z_acl, aclnode)) {
1276 if (aclnode->z_ace_count == 0)
1277 continue;
1278 dmu_write(zfsvfs->z_os, aoid, off,
1279 aclnode->z_size, aclnode->z_acldata, tx);
1280 off += aclnode->z_size;
1281 }
1282 } else {
1283 void *start = acl_phys.z_ace_data;
1284 /*
1285 * Migrating back embedded?
1286 */
1287 if (acl_phys.z_acl_extern_obj) {
1288 error = dmu_object_free(zfsvfs->z_os,
1289 acl_phys.z_acl_extern_obj, tx);
1290 if (error)
1291 return (error);
1292 acl_phys.z_acl_extern_obj = 0;
1293 }
1294
1295 for (aclnode = list_head(&aclp->z_acl); aclnode;
1296 aclnode = list_next(&aclp->z_acl, aclnode)) {
1297 if (aclnode->z_ace_count == 0)
1298 continue;
1299 bcopy(aclnode->z_acldata, start,
1300 aclnode->z_size);
1301 start = (caddr_t)start + aclnode->z_size;
1302 }
1303 }
1304 /*
1305 * If Old version then swap count/bytes to match old
1306 * layout of znode_acl_phys_t.
1307 */
1308 if (aclp->z_version == ZFS_ACL_VERSION_INITIAL) {
1309 acl_phys.z_acl_size = aclp->z_acl_count;
1310 acl_phys.z_acl_count = aclp->z_acl_bytes;
1311 } else {
1312 acl_phys.z_acl_size = aclp->z_acl_bytes;
1313 acl_phys.z_acl_count = aclp->z_acl_count;
1314 }
1315 acl_phys.z_acl_version = aclp->z_version;
1316
1317 SA_ADD_BULK_ATTR(bulk, count, SA_ZPL_ZNODE_ACL(zfsvfs), NULL,
1318 &acl_phys, sizeof (acl_phys));
1319 }
1320
1321 /*
1322 * Replace ACL wide bits, but first clear them.
1323 */
1324 zp->z_pflags &= ~ZFS_ACL_WIDE_FLAGS;
1325
1326 zp->z_pflags |= aclp->z_hints;
1327
1328 if (ace_trivial_common(aclp, 0, zfs_ace_walk) == 0)
1329 zp->z_pflags |= ZFS_ACL_TRIVIAL;
1330
1331 zfs_tstamp_update_setup(zp, STATE_CHANGED, NULL, ctime, B_TRUE);
1332 return (sa_bulk_update(zp->z_sa_hdl, bulk, count, tx));
1333 }
1334
1335 static void
zfs_acl_chmod(vtype_t vtype,uint64_t mode,boolean_t trim,zfs_acl_t * aclp)1336 zfs_acl_chmod(vtype_t vtype, uint64_t mode, boolean_t trim, zfs_acl_t *aclp)
1337 {
1338 void *acep = NULL;
1339 uint64_t who;
1340 int new_count, new_bytes;
1341 int ace_size;
1342 int entry_type;
1343 uint16_t iflags, type;
1344 uint32_t access_mask;
1345 zfs_acl_node_t *newnode;
1346 size_t abstract_size = aclp->z_ops.ace_abstract_size();
1347 void *zacep;
1348 boolean_t isdir;
1349 trivial_acl_t masks;
1350
1351 new_count = new_bytes = 0;
1352
1353 isdir = (vtype == VDIR);
1354
1355 acl_trivial_access_masks((mode_t)mode, isdir, &masks);
1356
1357 newnode = zfs_acl_node_alloc((abstract_size * 6) + aclp->z_acl_bytes);
1358
1359 zacep = newnode->z_acldata;
1360 if (masks.allow0) {
1361 zfs_set_ace(aclp, zacep, masks.allow0, ALLOW, -1, ACE_OWNER);
1362 zacep = (void *)((uintptr_t)zacep + abstract_size);
1363 new_count++;
1364 new_bytes += abstract_size;
1365 }
1366 if (masks.deny1) {
1367 zfs_set_ace(aclp, zacep, masks.deny1, DENY, -1, ACE_OWNER);
1368 zacep = (void *)((uintptr_t)zacep + abstract_size);
1369 new_count++;
1370 new_bytes += abstract_size;
1371 }
1372 if (masks.deny2) {
1373 zfs_set_ace(aclp, zacep, masks.deny2, DENY, -1, OWNING_GROUP);
1374 zacep = (void *)((uintptr_t)zacep + abstract_size);
1375 new_count++;
1376 new_bytes += abstract_size;
1377 }
1378
1379 while (acep = zfs_acl_next_ace(aclp, acep, &who, &access_mask,
1380 &iflags, &type)) {
1381 uint16_t inherit_flags;
1382
1383 entry_type = (iflags & ACE_TYPE_FLAGS);
1384 inherit_flags = (iflags & ALL_INHERIT);
1385
1386 if ((entry_type == ACE_OWNER || entry_type == ACE_EVERYONE ||
1387 (entry_type == OWNING_GROUP)) &&
1388 ((inherit_flags & ACE_INHERIT_ONLY_ACE) == 0)) {
1389 continue;
1390 }
1391
1392 /*
1393 * If this ACL has any inheritable ACEs, mark that in
1394 * the hints (which are later masked into the pflags)
1395 * so create knows to do inheritance.
1396 */
1397 if (isdir && (inherit_flags &
1398 (ACE_FILE_INHERIT_ACE|ACE_DIRECTORY_INHERIT_ACE)))
1399 aclp->z_hints |= ZFS_INHERIT_ACE;
1400
1401 if ((type != ALLOW && type != DENY) ||
1402 (inherit_flags & ACE_INHERIT_ONLY_ACE)) {
1403 switch (type) {
1404 case ACE_ACCESS_ALLOWED_OBJECT_ACE_TYPE:
1405 case ACE_ACCESS_DENIED_OBJECT_ACE_TYPE:
1406 case ACE_SYSTEM_AUDIT_OBJECT_ACE_TYPE:
1407 case ACE_SYSTEM_ALARM_OBJECT_ACE_TYPE:
1408 aclp->z_hints |= ZFS_ACL_OBJ_ACE;
1409 break;
1410 }
1411 } else {
1412
1413 /*
1414 * Limit permissions to be no greater than
1415 * group permissions.
1416 * The "aclinherit" and "aclmode" properties
1417 * affect policy for create and chmod(2),
1418 * respectively.
1419 */
1420 if ((type == ALLOW) && trim)
1421 access_mask &= masks.group;
1422 }
1423 zfs_set_ace(aclp, zacep, access_mask, type, who, iflags);
1424 ace_size = aclp->z_ops.ace_size(acep);
1425 zacep = (void *)((uintptr_t)zacep + ace_size);
1426 new_count++;
1427 new_bytes += ace_size;
1428 }
1429 zfs_set_ace(aclp, zacep, masks.owner, 0, -1, ACE_OWNER);
1430 zacep = (void *)((uintptr_t)zacep + abstract_size);
1431 zfs_set_ace(aclp, zacep, masks.group, 0, -1, OWNING_GROUP);
1432 zacep = (void *)((uintptr_t)zacep + abstract_size);
1433 zfs_set_ace(aclp, zacep, masks.everyone, 0, -1, ACE_EVERYONE);
1434
1435 new_count += 3;
1436 new_bytes += abstract_size * 3;
1437 zfs_acl_release_nodes(aclp);
1438 aclp->z_acl_count = new_count;
1439 aclp->z_acl_bytes = new_bytes;
1440 newnode->z_ace_count = new_count;
1441 newnode->z_size = new_bytes;
1442 list_insert_tail(&aclp->z_acl, newnode);
1443 }
1444
1445 int
zfs_acl_chmod_setattr(znode_t * zp,zfs_acl_t ** aclp,uint64_t mode)1446 zfs_acl_chmod_setattr(znode_t *zp, zfs_acl_t **aclp, uint64_t mode)
1447 {
1448 int error = 0;
1449
1450 mutex_enter(&zp->z_acl_lock);
1451 mutex_enter(&zp->z_lock);
1452 if (zp->z_zfsvfs->z_acl_mode == ZFS_ACL_DISCARD)
1453 *aclp = zfs_acl_alloc(zfs_acl_version_zp(zp));
1454 else
1455 error = zfs_acl_node_read(zp, B_TRUE, aclp, B_TRUE);
1456
1457 if (error == 0) {
1458 (*aclp)->z_hints = zp->z_pflags & V4_ACL_WIDE_FLAGS;
1459 zfs_acl_chmod(ZTOV(zp)->v_type, mode,
1460 (zp->z_zfsvfs->z_acl_mode == ZFS_ACL_GROUPMASK), *aclp);
1461 }
1462 mutex_exit(&zp->z_lock);
1463 mutex_exit(&zp->z_acl_lock);
1464
1465 return (error);
1466 }
1467
1468 /*
1469 * strip off write_owner and write_acl
1470 */
1471 static void
zfs_restricted_update(zfsvfs_t * zfsvfs,zfs_acl_t * aclp,void * acep)1472 zfs_restricted_update(zfsvfs_t *zfsvfs, zfs_acl_t *aclp, void *acep)
1473 {
1474 uint32_t mask = aclp->z_ops.ace_mask_get(acep);
1475
1476 if ((zfsvfs->z_acl_inherit == ZFS_ACL_RESTRICTED) &&
1477 (aclp->z_ops.ace_type_get(acep) == ALLOW)) {
1478 mask &= ~RESTRICTED_CLEAR;
1479 aclp->z_ops.ace_mask_set(acep, mask);
1480 }
1481 }
1482
1483 /*
1484 * Should ACE be inherited?
1485 */
1486 static int
zfs_ace_can_use(vtype_t vtype,uint16_t acep_flags)1487 zfs_ace_can_use(vtype_t vtype, uint16_t acep_flags)
1488 {
1489 int iflags = (acep_flags & 0xf);
1490
1491 if ((vtype == VDIR) && (iflags & ACE_DIRECTORY_INHERIT_ACE))
1492 return (1);
1493 else if (iflags & ACE_FILE_INHERIT_ACE)
1494 return (!((vtype == VDIR) &&
1495 (iflags & ACE_NO_PROPAGATE_INHERIT_ACE)));
1496 return (0);
1497 }
1498
1499 /*
1500 * inherit inheritable ACEs from parent
1501 */
1502 static zfs_acl_t *
zfs_acl_inherit(zfsvfs_t * zfsvfs,vtype_t vtype,zfs_acl_t * paclp,uint64_t mode,boolean_t * need_chmod)1503 zfs_acl_inherit(zfsvfs_t *zfsvfs, vtype_t vtype, zfs_acl_t *paclp,
1504 uint64_t mode, boolean_t *need_chmod)
1505 {
1506 void *pacep;
1507 void *acep;
1508 zfs_acl_node_t *aclnode;
1509 zfs_acl_t *aclp = NULL;
1510 uint64_t who;
1511 uint32_t access_mask;
1512 uint16_t iflags, newflags, type;
1513 size_t ace_size;
1514 void *data1, *data2;
1515 size_t data1sz, data2sz;
1516 boolean_t vdir = vtype == VDIR;
1517 boolean_t vreg = vtype == VREG;
1518 boolean_t passthrough, passthrough_x, noallow;
1519
1520 passthrough_x =
1521 zfsvfs->z_acl_inherit == ZFS_ACL_PASSTHROUGH_X;
1522 passthrough = passthrough_x ||
1523 zfsvfs->z_acl_inherit == ZFS_ACL_PASSTHROUGH;
1524 noallow =
1525 zfsvfs->z_acl_inherit == ZFS_ACL_NOALLOW;
1526
1527 *need_chmod = B_TRUE;
1528 pacep = NULL;
1529 aclp = zfs_acl_alloc(paclp->z_version);
1530 if (zfsvfs->z_acl_inherit == ZFS_ACL_DISCARD || vtype == VLNK)
1531 return (aclp);
1532 while (pacep = zfs_acl_next_ace(paclp, pacep, &who,
1533 &access_mask, &iflags, &type)) {
1534
1535 /*
1536 * don't inherit bogus ACEs
1537 */
1538 if (!zfs_acl_valid_ace_type(type, iflags))
1539 continue;
1540
1541 if (noallow && type == ALLOW)
1542 continue;
1543
1544 ace_size = aclp->z_ops.ace_size(pacep);
1545
1546 if (!zfs_ace_can_use(vtype, iflags))
1547 continue;
1548
1549 /*
1550 * If owner@, group@, or everyone@ inheritable
1551 * then zfs_acl_chmod() isn't needed.
1552 */
1553 if (passthrough &&
1554 ((iflags & (ACE_OWNER|ACE_EVERYONE)) ||
1555 ((iflags & OWNING_GROUP) ==
1556 OWNING_GROUP)) && (vreg || (vdir && (iflags &
1557 ACE_DIRECTORY_INHERIT_ACE)))) {
1558 *need_chmod = B_FALSE;
1559 }
1560
1561 if (!vdir && passthrough_x &&
1562 ((mode & (S_IXUSR | S_IXGRP | S_IXOTH)) == 0)) {
1563 access_mask &= ~ACE_EXECUTE;
1564 }
1565
1566 aclnode = zfs_acl_node_alloc(ace_size);
1567 list_insert_tail(&aclp->z_acl, aclnode);
1568 acep = aclnode->z_acldata;
1569
1570 zfs_set_ace(aclp, acep, access_mask, type,
1571 who, iflags|ACE_INHERITED_ACE);
1572
1573 /*
1574 * Copy special opaque data if any
1575 */
1576 if ((data1sz = paclp->z_ops.ace_data(pacep, &data1)) != 0) {
1577 VERIFY((data2sz = aclp->z_ops.ace_data(acep,
1578 &data2)) == data1sz);
1579 bcopy(data1, data2, data2sz);
1580 }
1581
1582 aclp->z_acl_count++;
1583 aclnode->z_ace_count++;
1584 aclp->z_acl_bytes += aclnode->z_size;
1585 newflags = aclp->z_ops.ace_flags_get(acep);
1586
1587 if (vdir)
1588 aclp->z_hints |= ZFS_INHERIT_ACE;
1589
1590 if ((iflags & ACE_NO_PROPAGATE_INHERIT_ACE) || !vdir) {
1591 newflags &= ~ALL_INHERIT;
1592 aclp->z_ops.ace_flags_set(acep,
1593 newflags|ACE_INHERITED_ACE);
1594 zfs_restricted_update(zfsvfs, aclp, acep);
1595 continue;
1596 }
1597
1598 ASSERT(vdir);
1599
1600 /*
1601 * If only FILE_INHERIT is set then turn on
1602 * inherit_only
1603 */
1604 if ((iflags & (ACE_FILE_INHERIT_ACE |
1605 ACE_DIRECTORY_INHERIT_ACE)) == ACE_FILE_INHERIT_ACE) {
1606 newflags |= ACE_INHERIT_ONLY_ACE;
1607 aclp->z_ops.ace_flags_set(acep,
1608 newflags|ACE_INHERITED_ACE);
1609 } else {
1610 newflags &= ~ACE_INHERIT_ONLY_ACE;
1611 aclp->z_ops.ace_flags_set(acep,
1612 newflags|ACE_INHERITED_ACE);
1613 }
1614 }
1615 return (aclp);
1616 }
1617
1618 /*
1619 * Create file system object initial permissions
1620 * including inheritable ACEs.
1621 */
1622 int
zfs_acl_ids_create(znode_t * dzp,int flag,vattr_t * vap,cred_t * cr,vsecattr_t * vsecp,zfs_acl_ids_t * acl_ids)1623 zfs_acl_ids_create(znode_t *dzp, int flag, vattr_t *vap, cred_t *cr,
1624 vsecattr_t *vsecp, zfs_acl_ids_t *acl_ids)
1625 {
1626 int error;
1627 zfsvfs_t *zfsvfs = dzp->z_zfsvfs;
1628 zfs_acl_t *paclp;
1629 gid_t gid;
1630 boolean_t need_chmod = B_TRUE;
1631 boolean_t inherited = B_FALSE;
1632
1633 bzero(acl_ids, sizeof (zfs_acl_ids_t));
1634 acl_ids->z_mode = MAKEIMODE(vap->va_type, vap->va_mode);
1635
1636 if (vsecp)
1637 if ((error = zfs_vsec_2_aclp(zfsvfs, vap->va_type, vsecp, cr,
1638 &acl_ids->z_fuidp, &acl_ids->z_aclp)) != 0)
1639 return (error);
1640 /*
1641 * Determine uid and gid.
1642 */
1643 if ((flag & IS_ROOT_NODE) || zfsvfs->z_replay ||
1644 ((flag & IS_XATTR) && (vap->va_type == VDIR))) {
1645 acl_ids->z_fuid = zfs_fuid_create(zfsvfs,
1646 (uint64_t)vap->va_uid, cr,
1647 ZFS_OWNER, &acl_ids->z_fuidp);
1648 acl_ids->z_fgid = zfs_fuid_create(zfsvfs,
1649 (uint64_t)vap->va_gid, cr,
1650 ZFS_GROUP, &acl_ids->z_fuidp);
1651 gid = vap->va_gid;
1652 } else {
1653 acl_ids->z_fuid = zfs_fuid_create_cred(zfsvfs, ZFS_OWNER,
1654 cr, &acl_ids->z_fuidp);
1655 acl_ids->z_fgid = 0;
1656 if (vap->va_mask & AT_GID) {
1657 acl_ids->z_fgid = zfs_fuid_create(zfsvfs,
1658 (uint64_t)vap->va_gid,
1659 cr, ZFS_GROUP, &acl_ids->z_fuidp);
1660 gid = vap->va_gid;
1661 if (acl_ids->z_fgid != dzp->z_gid &&
1662 !groupmember(vap->va_gid, cr) &&
1663 secpolicy_vnode_create_gid(cr) != 0)
1664 acl_ids->z_fgid = 0;
1665 }
1666 if (acl_ids->z_fgid == 0) {
1667 if (dzp->z_mode & S_ISGID) {
1668 char *domain;
1669 uint32_t rid;
1670
1671 acl_ids->z_fgid = dzp->z_gid;
1672 gid = zfs_fuid_map_id(zfsvfs, acl_ids->z_fgid,
1673 cr, ZFS_GROUP);
1674
1675 if (zfsvfs->z_use_fuids &&
1676 IS_EPHEMERAL(acl_ids->z_fgid)) {
1677 domain = zfs_fuid_idx_domain(
1678 &zfsvfs->z_fuid_idx,
1679 FUID_INDEX(acl_ids->z_fgid));
1680 rid = FUID_RID(acl_ids->z_fgid);
1681 zfs_fuid_node_add(&acl_ids->z_fuidp,
1682 domain, rid,
1683 FUID_INDEX(acl_ids->z_fgid),
1684 acl_ids->z_fgid, ZFS_GROUP);
1685 }
1686 } else {
1687 acl_ids->z_fgid = zfs_fuid_create_cred(zfsvfs,
1688 ZFS_GROUP, cr, &acl_ids->z_fuidp);
1689 gid = crgetgid(cr);
1690 }
1691 }
1692 }
1693
1694 /*
1695 * If we're creating a directory, and the parent directory has the
1696 * set-GID bit set, set in on the new directory.
1697 * Otherwise, if the user is neither privileged nor a member of the
1698 * file's new group, clear the file's set-GID bit.
1699 */
1700
1701 if (!(flag & IS_ROOT_NODE) && (dzp->z_mode & S_ISGID) &&
1702 (vap->va_type == VDIR)) {
1703 acl_ids->z_mode |= S_ISGID;
1704 } else {
1705 if ((acl_ids->z_mode & S_ISGID) &&
1706 secpolicy_vnode_setids_setgids(cr, gid) != 0)
1707 acl_ids->z_mode &= ~S_ISGID;
1708 }
1709
1710 if (acl_ids->z_aclp == NULL) {
1711 mutex_enter(&dzp->z_acl_lock);
1712 mutex_enter(&dzp->z_lock);
1713 if (!(flag & IS_ROOT_NODE) &&
1714 (dzp->z_pflags & ZFS_INHERIT_ACE) &&
1715 !(dzp->z_pflags & ZFS_XATTR)) {
1716 VERIFY(0 == zfs_acl_node_read(dzp, B_TRUE,
1717 &paclp, B_FALSE));
1718 acl_ids->z_aclp = zfs_acl_inherit(zfsvfs,
1719 vap->va_type, paclp, acl_ids->z_mode, &need_chmod);
1720 inherited = B_TRUE;
1721 } else {
1722 acl_ids->z_aclp =
1723 zfs_acl_alloc(zfs_acl_version_zp(dzp));
1724 acl_ids->z_aclp->z_hints |= ZFS_ACL_TRIVIAL;
1725 }
1726 mutex_exit(&dzp->z_lock);
1727 mutex_exit(&dzp->z_acl_lock);
1728 if (need_chmod) {
1729 acl_ids->z_aclp->z_hints |= (vap->va_type == VDIR) ?
1730 ZFS_ACL_AUTO_INHERIT : 0;
1731 zfs_acl_chmod(vap->va_type, acl_ids->z_mode,
1732 (zfsvfs->z_acl_inherit == ZFS_ACL_RESTRICTED),
1733 acl_ids->z_aclp);
1734 }
1735 }
1736
1737 if (inherited || vsecp) {
1738 acl_ids->z_mode = zfs_mode_compute(acl_ids->z_mode,
1739 acl_ids->z_aclp, &acl_ids->z_aclp->z_hints,
1740 acl_ids->z_fuid, acl_ids->z_fgid);
1741 if (ace_trivial_common(acl_ids->z_aclp, 0, zfs_ace_walk) == 0)
1742 acl_ids->z_aclp->z_hints |= ZFS_ACL_TRIVIAL;
1743 }
1744
1745 return (0);
1746 }
1747
1748 /*
1749 * Free ACL and fuid_infop, but not the acl_ids structure
1750 */
1751 void
zfs_acl_ids_free(zfs_acl_ids_t * acl_ids)1752 zfs_acl_ids_free(zfs_acl_ids_t *acl_ids)
1753 {
1754 if (acl_ids->z_aclp)
1755 zfs_acl_free(acl_ids->z_aclp);
1756 if (acl_ids->z_fuidp)
1757 zfs_fuid_info_free(acl_ids->z_fuidp);
1758 acl_ids->z_aclp = NULL;
1759 acl_ids->z_fuidp = NULL;
1760 }
1761
1762 boolean_t
zfs_acl_ids_overquota(zfsvfs_t * zfsvfs,zfs_acl_ids_t * acl_ids)1763 zfs_acl_ids_overquota(zfsvfs_t *zfsvfs, zfs_acl_ids_t *acl_ids)
1764 {
1765 return (zfs_fuid_overquota(zfsvfs, B_FALSE, acl_ids->z_fuid) ||
1766 zfs_fuid_overquota(zfsvfs, B_TRUE, acl_ids->z_fgid));
1767 }
1768
1769 /*
1770 * Retrieve a file's ACL
1771 */
1772 int
zfs_getacl(znode_t * zp,vsecattr_t * vsecp,boolean_t skipaclchk,cred_t * cr)1773 zfs_getacl(znode_t *zp, vsecattr_t *vsecp, boolean_t skipaclchk, cred_t *cr)
1774 {
1775 zfs_acl_t *aclp;
1776 ulong_t mask;
1777 int error;
1778 int count = 0;
1779 int largeace = 0;
1780
1781 mask = vsecp->vsa_mask & (VSA_ACE | VSA_ACECNT |
1782 VSA_ACE_ACLFLAGS | VSA_ACE_ALLTYPES);
1783
1784 if (mask == 0)
1785 return (SET_ERROR(ENOSYS));
1786
1787 if (error = zfs_zaccess(zp, ACE_READ_ACL, 0, skipaclchk, cr))
1788 return (error);
1789
1790 mutex_enter(&zp->z_acl_lock);
1791
1792 error = zfs_acl_node_read(zp, B_FALSE, &aclp, B_FALSE);
1793 if (error != 0) {
1794 mutex_exit(&zp->z_acl_lock);
1795 return (error);
1796 }
1797
1798 /*
1799 * Scan ACL to determine number of ACEs
1800 */
1801 if ((zp->z_pflags & ZFS_ACL_OBJ_ACE) && !(mask & VSA_ACE_ALLTYPES)) {
1802 void *zacep = NULL;
1803 uint64_t who;
1804 uint32_t access_mask;
1805 uint16_t type, iflags;
1806
1807 while (zacep = zfs_acl_next_ace(aclp, zacep,
1808 &who, &access_mask, &iflags, &type)) {
1809 switch (type) {
1810 case ACE_ACCESS_ALLOWED_OBJECT_ACE_TYPE:
1811 case ACE_ACCESS_DENIED_OBJECT_ACE_TYPE:
1812 case ACE_SYSTEM_AUDIT_OBJECT_ACE_TYPE:
1813 case ACE_SYSTEM_ALARM_OBJECT_ACE_TYPE:
1814 largeace++;
1815 continue;
1816 default:
1817 count++;
1818 }
1819 }
1820 vsecp->vsa_aclcnt = count;
1821 } else
1822 count = (int)aclp->z_acl_count;
1823
1824 if (mask & VSA_ACECNT) {
1825 vsecp->vsa_aclcnt = count;
1826 }
1827
1828 if (mask & VSA_ACE) {
1829 size_t aclsz;
1830
1831 aclsz = count * sizeof (ace_t) +
1832 sizeof (ace_object_t) * largeace;
1833
1834 vsecp->vsa_aclentp = kmem_alloc(aclsz, KM_SLEEP);
1835 vsecp->vsa_aclentsz = aclsz;
1836
1837 if (aclp->z_version == ZFS_ACL_VERSION_FUID)
1838 zfs_copy_fuid_2_ace(zp->z_zfsvfs, aclp, cr,
1839 vsecp->vsa_aclentp, !(mask & VSA_ACE_ALLTYPES));
1840 else {
1841 zfs_acl_node_t *aclnode;
1842 void *start = vsecp->vsa_aclentp;
1843
1844 for (aclnode = list_head(&aclp->z_acl); aclnode;
1845 aclnode = list_next(&aclp->z_acl, aclnode)) {
1846 bcopy(aclnode->z_acldata, start,
1847 aclnode->z_size);
1848 start = (caddr_t)start + aclnode->z_size;
1849 }
1850 ASSERT((caddr_t)start - (caddr_t)vsecp->vsa_aclentp ==
1851 aclp->z_acl_bytes);
1852 }
1853 }
1854 if (mask & VSA_ACE_ACLFLAGS) {
1855 vsecp->vsa_aclflags = 0;
1856 if (zp->z_pflags & ZFS_ACL_DEFAULTED)
1857 vsecp->vsa_aclflags |= ACL_DEFAULTED;
1858 if (zp->z_pflags & ZFS_ACL_PROTECTED)
1859 vsecp->vsa_aclflags |= ACL_PROTECTED;
1860 if (zp->z_pflags & ZFS_ACL_AUTO_INHERIT)
1861 vsecp->vsa_aclflags |= ACL_AUTO_INHERIT;
1862 }
1863
1864 mutex_exit(&zp->z_acl_lock);
1865
1866 return (0);
1867 }
1868
1869 int
zfs_vsec_2_aclp(zfsvfs_t * zfsvfs,vtype_t obj_type,vsecattr_t * vsecp,cred_t * cr,zfs_fuid_info_t ** fuidp,zfs_acl_t ** zaclp)1870 zfs_vsec_2_aclp(zfsvfs_t *zfsvfs, vtype_t obj_type,
1871 vsecattr_t *vsecp, cred_t *cr, zfs_fuid_info_t **fuidp, zfs_acl_t **zaclp)
1872 {
1873 zfs_acl_t *aclp;
1874 zfs_acl_node_t *aclnode;
1875 int aclcnt = vsecp->vsa_aclcnt;
1876 int error;
1877
1878 if (vsecp->vsa_aclcnt > MAX_ACL_ENTRIES || vsecp->vsa_aclcnt <= 0)
1879 return (SET_ERROR(EINVAL));
1880
1881 aclp = zfs_acl_alloc(zfs_acl_version(zfsvfs->z_version));
1882
1883 aclp->z_hints = 0;
1884 aclnode = zfs_acl_node_alloc(aclcnt * sizeof (zfs_object_ace_t));
1885 if (aclp->z_version == ZFS_ACL_VERSION_INITIAL) {
1886 if ((error = zfs_copy_ace_2_oldace(obj_type, aclp,
1887 (ace_t *)vsecp->vsa_aclentp, aclnode->z_acldata,
1888 aclcnt, &aclnode->z_size)) != 0) {
1889 zfs_acl_free(aclp);
1890 zfs_acl_node_free(aclnode);
1891 return (error);
1892 }
1893 } else {
1894 if ((error = zfs_copy_ace_2_fuid(zfsvfs, obj_type, aclp,
1895 vsecp->vsa_aclentp, aclnode->z_acldata, aclcnt,
1896 &aclnode->z_size, fuidp, cr)) != 0) {
1897 zfs_acl_free(aclp);
1898 zfs_acl_node_free(aclnode);
1899 return (error);
1900 }
1901 }
1902 aclp->z_acl_bytes = aclnode->z_size;
1903 aclnode->z_ace_count = aclcnt;
1904 aclp->z_acl_count = aclcnt;
1905 list_insert_head(&aclp->z_acl, aclnode);
1906
1907 /*
1908 * If flags are being set then add them to z_hints
1909 */
1910 if (vsecp->vsa_mask & VSA_ACE_ACLFLAGS) {
1911 if (vsecp->vsa_aclflags & ACL_PROTECTED)
1912 aclp->z_hints |= ZFS_ACL_PROTECTED;
1913 if (vsecp->vsa_aclflags & ACL_DEFAULTED)
1914 aclp->z_hints |= ZFS_ACL_DEFAULTED;
1915 if (vsecp->vsa_aclflags & ACL_AUTO_INHERIT)
1916 aclp->z_hints |= ZFS_ACL_AUTO_INHERIT;
1917 }
1918
1919 *zaclp = aclp;
1920
1921 return (0);
1922 }
1923
1924 /*
1925 * Set a file's ACL
1926 */
1927 int
zfs_setacl(znode_t * zp,vsecattr_t * vsecp,boolean_t skipaclchk,cred_t * cr)1928 zfs_setacl(znode_t *zp, vsecattr_t *vsecp, boolean_t skipaclchk, cred_t *cr)
1929 {
1930 zfsvfs_t *zfsvfs = zp->z_zfsvfs;
1931 zilog_t *zilog = zfsvfs->z_log;
1932 ulong_t mask = vsecp->vsa_mask & (VSA_ACE | VSA_ACECNT);
1933 dmu_tx_t *tx;
1934 int error;
1935 zfs_acl_t *aclp;
1936 zfs_fuid_info_t *fuidp = NULL;
1937 boolean_t fuid_dirtied;
1938 uint64_t acl_obj;
1939
1940 if (mask == 0)
1941 return (SET_ERROR(ENOSYS));
1942
1943 if (zp->z_pflags & ZFS_IMMUTABLE)
1944 return (SET_ERROR(EPERM));
1945
1946 if (error = zfs_zaccess(zp, ACE_WRITE_ACL, 0, skipaclchk, cr))
1947 return (error);
1948
1949 error = zfs_vsec_2_aclp(zfsvfs, ZTOV(zp)->v_type, vsecp, cr, &fuidp,
1950 &aclp);
1951 if (error)
1952 return (error);
1953
1954 /*
1955 * If ACL wide flags aren't being set then preserve any
1956 * existing flags.
1957 */
1958 if (!(vsecp->vsa_mask & VSA_ACE_ACLFLAGS)) {
1959 aclp->z_hints |=
1960 (zp->z_pflags & V4_ACL_WIDE_FLAGS);
1961 }
1962 top:
1963 mutex_enter(&zp->z_acl_lock);
1964 mutex_enter(&zp->z_lock);
1965
1966 tx = dmu_tx_create(zfsvfs->z_os);
1967
1968 dmu_tx_hold_sa(tx, zp->z_sa_hdl, B_TRUE);
1969
1970 fuid_dirtied = zfsvfs->z_fuid_dirty;
1971 if (fuid_dirtied)
1972 zfs_fuid_txhold(zfsvfs, tx);
1973
1974 /*
1975 * If old version and ACL won't fit in bonus and we aren't
1976 * upgrading then take out necessary DMU holds
1977 */
1978
1979 if ((acl_obj = zfs_external_acl(zp)) != 0) {
1980 if (zfsvfs->z_version >= ZPL_VERSION_FUID &&
1981 zfs_znode_acl_version(zp) <= ZFS_ACL_VERSION_INITIAL) {
1982 dmu_tx_hold_free(tx, acl_obj, 0,
1983 DMU_OBJECT_END);
1984 dmu_tx_hold_write(tx, DMU_NEW_OBJECT, 0,
1985 aclp->z_acl_bytes);
1986 } else {
1987 dmu_tx_hold_write(tx, acl_obj, 0, aclp->z_acl_bytes);
1988 }
1989 } else if (!zp->z_is_sa && aclp->z_acl_bytes > ZFS_ACE_SPACE) {
1990 dmu_tx_hold_write(tx, DMU_NEW_OBJECT, 0, aclp->z_acl_bytes);
1991 }
1992
1993 zfs_sa_upgrade_txholds(tx, zp);
1994 error = dmu_tx_assign(tx, TXG_NOWAIT);
1995 if (error) {
1996 mutex_exit(&zp->z_acl_lock);
1997 mutex_exit(&zp->z_lock);
1998
1999 if (error == ERESTART) {
2000 dmu_tx_wait(tx);
2001 dmu_tx_abort(tx);
2002 goto top;
2003 }
2004 dmu_tx_abort(tx);
2005 zfs_acl_free(aclp);
2006 return (error);
2007 }
2008
2009 error = zfs_aclset_common(zp, aclp, cr, tx);
2010 ASSERT(error == 0);
2011 ASSERT(zp->z_acl_cached == NULL);
2012 zp->z_acl_cached = aclp;
2013
2014 if (fuid_dirtied)
2015 zfs_fuid_sync(zfsvfs, tx);
2016
2017 zfs_log_acl(zilog, tx, zp, vsecp, fuidp);
2018
2019 if (fuidp)
2020 zfs_fuid_info_free(fuidp);
2021 dmu_tx_commit(tx);
2022 done:
2023 mutex_exit(&zp->z_lock);
2024 mutex_exit(&zp->z_acl_lock);
2025
2026 return (error);
2027 }
2028
2029 /*
2030 * Check accesses of interest (AoI) against attributes of the dataset
2031 * such as read-only. Returns zero if no AoI conflict with dataset
2032 * attributes, otherwise an appropriate errno is returned.
2033 */
2034 static int
zfs_zaccess_dataset_check(znode_t * zp,uint32_t v4_mode)2035 zfs_zaccess_dataset_check(znode_t *zp, uint32_t v4_mode)
2036 {
2037 if ((v4_mode & WRITE_MASK) &&
2038 (zp->z_zfsvfs->z_vfs->vfs_flag & VFS_RDONLY) &&
2039 (!IS_DEVVP(ZTOV(zp)) ||
2040 (IS_DEVVP(ZTOV(zp)) && (v4_mode & WRITE_MASK_ATTRS)))) {
2041 return (SET_ERROR(EROFS));
2042 }
2043
2044 /*
2045 * Only check for READONLY on non-directories.
2046 */
2047 if ((v4_mode & WRITE_MASK_DATA) &&
2048 (((ZTOV(zp)->v_type != VDIR) &&
2049 (zp->z_pflags & (ZFS_READONLY | ZFS_IMMUTABLE))) ||
2050 (ZTOV(zp)->v_type == VDIR &&
2051 (zp->z_pflags & ZFS_IMMUTABLE)))) {
2052 return (SET_ERROR(EPERM));
2053 }
2054
2055 if ((v4_mode & (ACE_DELETE | ACE_DELETE_CHILD)) &&
2056 (zp->z_pflags & ZFS_NOUNLINK)) {
2057 return (SET_ERROR(EPERM));
2058 }
2059
2060 if (((v4_mode & (ACE_READ_DATA|ACE_EXECUTE)) &&
2061 (zp->z_pflags & ZFS_AV_QUARANTINED))) {
2062 return (SET_ERROR(EACCES));
2063 }
2064
2065 return (0);
2066 }
2067
2068 /*
2069 * The primary usage of this function is to loop through all of the
2070 * ACEs in the znode, determining what accesses of interest (AoI) to
2071 * the caller are allowed or denied. The AoI are expressed as bits in
2072 * the working_mode parameter. As each ACE is processed, bits covered
2073 * by that ACE are removed from the working_mode. This removal
2074 * facilitates two things. The first is that when the working mode is
2075 * empty (= 0), we know we've looked at all the AoI. The second is
2076 * that the ACE interpretation rules don't allow a later ACE to undo
2077 * something granted or denied by an earlier ACE. Removing the
2078 * discovered access or denial enforces this rule. At the end of
2079 * processing the ACEs, all AoI that were found to be denied are
2080 * placed into the working_mode, giving the caller a mask of denied
2081 * accesses. Returns:
2082 * 0 if all AoI granted
2083 * EACCESS if the denied mask is non-zero
2084 * other error if abnormal failure (e.g., IO error)
2085 *
2086 * A secondary usage of the function is to determine if any of the
2087 * AoI are granted. If an ACE grants any access in
2088 * the working_mode, we immediately short circuit out of the function.
2089 * This mode is chosen by setting anyaccess to B_TRUE. The
2090 * working_mode is not a denied access mask upon exit if the function
2091 * is used in this manner.
2092 */
2093 static int
zfs_zaccess_aces_check(znode_t * zp,uint32_t * working_mode,boolean_t anyaccess,cred_t * cr)2094 zfs_zaccess_aces_check(znode_t *zp, uint32_t *working_mode,
2095 boolean_t anyaccess, cred_t *cr)
2096 {
2097 zfsvfs_t *zfsvfs = zp->z_zfsvfs;
2098 zfs_acl_t *aclp;
2099 int error;
2100 uid_t uid = crgetuid(cr);
2101 uint64_t who;
2102 uint16_t type, iflags;
2103 uint16_t entry_type;
2104 uint32_t access_mask;
2105 uint32_t deny_mask = 0;
2106 zfs_ace_hdr_t *acep = NULL;
2107 boolean_t checkit;
2108 uid_t gowner;
2109 uid_t fowner;
2110
2111 zfs_fuid_map_ids(zp, cr, &fowner, &gowner);
2112
2113 mutex_enter(&zp->z_acl_lock);
2114
2115 error = zfs_acl_node_read(zp, B_FALSE, &aclp, B_FALSE);
2116 if (error != 0) {
2117 mutex_exit(&zp->z_acl_lock);
2118 return (error);
2119 }
2120
2121 ASSERT(zp->z_acl_cached);
2122
2123 while (acep = zfs_acl_next_ace(aclp, acep, &who, &access_mask,
2124 &iflags, &type)) {
2125 uint32_t mask_matched;
2126
2127 if (!zfs_acl_valid_ace_type(type, iflags))
2128 continue;
2129
2130 if (ZTOV(zp)->v_type == VDIR && (iflags & ACE_INHERIT_ONLY_ACE))
2131 continue;
2132
2133 /* Skip ACE if it does not affect any AoI */
2134 mask_matched = (access_mask & *working_mode);
2135 if (!mask_matched)
2136 continue;
2137
2138 entry_type = (iflags & ACE_TYPE_FLAGS);
2139
2140 checkit = B_FALSE;
2141
2142 switch (entry_type) {
2143 case ACE_OWNER:
2144 if (uid == fowner)
2145 checkit = B_TRUE;
2146 break;
2147 case OWNING_GROUP:
2148 who = gowner;
2149 /*FALLTHROUGH*/
2150 case ACE_IDENTIFIER_GROUP:
2151 checkit = zfs_groupmember(zfsvfs, who, cr);
2152 break;
2153 case ACE_EVERYONE:
2154 checkit = B_TRUE;
2155 break;
2156
2157 /* USER Entry */
2158 default:
2159 if (entry_type == 0) {
2160 uid_t newid;
2161
2162 newid = zfs_fuid_map_id(zfsvfs, who, cr,
2163 ZFS_ACE_USER);
2164 if (newid != IDMAP_WK_CREATOR_OWNER_UID &&
2165 uid == newid)
2166 checkit = B_TRUE;
2167 break;
2168 } else {
2169 mutex_exit(&zp->z_acl_lock);
2170 return (SET_ERROR(EIO));
2171 }
2172 }
2173
2174 if (checkit) {
2175 if (type == DENY) {
2176 DTRACE_PROBE3(zfs__ace__denies,
2177 znode_t *, zp,
2178 zfs_ace_hdr_t *, acep,
2179 uint32_t, mask_matched);
2180 deny_mask |= mask_matched;
2181 } else {
2182 DTRACE_PROBE3(zfs__ace__allows,
2183 znode_t *, zp,
2184 zfs_ace_hdr_t *, acep,
2185 uint32_t, mask_matched);
2186 if (anyaccess) {
2187 mutex_exit(&zp->z_acl_lock);
2188 return (0);
2189 }
2190 }
2191 *working_mode &= ~mask_matched;
2192 }
2193
2194 /* Are we done? */
2195 if (*working_mode == 0)
2196 break;
2197 }
2198
2199 mutex_exit(&zp->z_acl_lock);
2200
2201 /* Put the found 'denies' back on the working mode */
2202 if (deny_mask) {
2203 *working_mode |= deny_mask;
2204 return (SET_ERROR(EACCES));
2205 } else if (*working_mode) {
2206 return (-1);
2207 }
2208
2209 return (0);
2210 }
2211
2212 /*
2213 * Return true if any access whatsoever granted, we don't actually
2214 * care what access is granted.
2215 */
2216 boolean_t
zfs_has_access(znode_t * zp,cred_t * cr)2217 zfs_has_access(znode_t *zp, cred_t *cr)
2218 {
2219 uint32_t have = ACE_ALL_PERMS;
2220
2221 if (zfs_zaccess_aces_check(zp, &have, B_TRUE, cr) != 0) {
2222 uid_t owner;
2223
2224 owner = zfs_fuid_map_id(zp->z_zfsvfs, zp->z_uid, cr, ZFS_OWNER);
2225 return (secpolicy_vnode_any_access(cr, ZTOV(zp), owner) == 0);
2226 }
2227 return (B_TRUE);
2228 }
2229
2230 static int
zfs_zaccess_common(znode_t * zp,uint32_t v4_mode,uint32_t * working_mode,boolean_t * check_privs,boolean_t skipaclchk,cred_t * cr)2231 zfs_zaccess_common(znode_t *zp, uint32_t v4_mode, uint32_t *working_mode,
2232 boolean_t *check_privs, boolean_t skipaclchk, cred_t *cr)
2233 {
2234 zfsvfs_t *zfsvfs = zp->z_zfsvfs;
2235 int err;
2236
2237 *working_mode = v4_mode;
2238 *check_privs = B_TRUE;
2239
2240 /*
2241 * Short circuit empty requests
2242 */
2243 if (v4_mode == 0 || zfsvfs->z_replay) {
2244 *working_mode = 0;
2245 return (0);
2246 }
2247
2248 if ((err = zfs_zaccess_dataset_check(zp, v4_mode)) != 0) {
2249 *check_privs = B_FALSE;
2250 return (err);
2251 }
2252
2253 /*
2254 * The caller requested that the ACL check be skipped. This
2255 * would only happen if the caller checked VOP_ACCESS() with a
2256 * 32 bit ACE mask and already had the appropriate permissions.
2257 */
2258 if (skipaclchk) {
2259 *working_mode = 0;
2260 return (0);
2261 }
2262
2263 return (zfs_zaccess_aces_check(zp, working_mode, B_FALSE, cr));
2264 }
2265
2266 static int
zfs_zaccess_append(znode_t * zp,uint32_t * working_mode,boolean_t * check_privs,cred_t * cr)2267 zfs_zaccess_append(znode_t *zp, uint32_t *working_mode, boolean_t *check_privs,
2268 cred_t *cr)
2269 {
2270 if (*working_mode != ACE_WRITE_DATA)
2271 return (SET_ERROR(EACCES));
2272
2273 return (zfs_zaccess_common(zp, ACE_APPEND_DATA, working_mode,
2274 check_privs, B_FALSE, cr));
2275 }
2276
2277 int
zfs_fastaccesschk_execute(znode_t * zdp,cred_t * cr)2278 zfs_fastaccesschk_execute(znode_t *zdp, cred_t *cr)
2279 {
2280 boolean_t owner = B_FALSE;
2281 boolean_t groupmbr = B_FALSE;
2282 boolean_t is_attr;
2283 uid_t uid = crgetuid(cr);
2284 int error;
2285
2286 if (zdp->z_pflags & ZFS_AV_QUARANTINED)
2287 return (SET_ERROR(EACCES));
2288
2289 is_attr = ((zdp->z_pflags & ZFS_XATTR) &&
2290 (ZTOV(zdp)->v_type == VDIR));
2291 if (is_attr)
2292 goto slow;
2293
2294
2295 mutex_enter(&zdp->z_acl_lock);
2296
2297 if (zdp->z_pflags & ZFS_NO_EXECS_DENIED) {
2298 mutex_exit(&zdp->z_acl_lock);
2299 return (0);
2300 }
2301
2302 if (FUID_INDEX(zdp->z_uid) != 0 || FUID_INDEX(zdp->z_gid) != 0) {
2303 mutex_exit(&zdp->z_acl_lock);
2304 goto slow;
2305 }
2306
2307 if (uid == zdp->z_uid) {
2308 owner = B_TRUE;
2309 if (zdp->z_mode & S_IXUSR) {
2310 mutex_exit(&zdp->z_acl_lock);
2311 return (0);
2312 } else {
2313 mutex_exit(&zdp->z_acl_lock);
2314 goto slow;
2315 }
2316 }
2317 if (groupmember(zdp->z_gid, cr)) {
2318 groupmbr = B_TRUE;
2319 if (zdp->z_mode & S_IXGRP) {
2320 mutex_exit(&zdp->z_acl_lock);
2321 return (0);
2322 } else {
2323 mutex_exit(&zdp->z_acl_lock);
2324 goto slow;
2325 }
2326 }
2327 if (!owner && !groupmbr) {
2328 if (zdp->z_mode & S_IXOTH) {
2329 mutex_exit(&zdp->z_acl_lock);
2330 return (0);
2331 }
2332 }
2333
2334 mutex_exit(&zdp->z_acl_lock);
2335
2336 slow:
2337 DTRACE_PROBE(zfs__fastpath__execute__access__miss);
2338 ZFS_ENTER(zdp->z_zfsvfs);
2339 error = zfs_zaccess(zdp, ACE_EXECUTE, 0, B_FALSE, cr);
2340 ZFS_EXIT(zdp->z_zfsvfs);
2341 return (error);
2342 }
2343
2344 /*
2345 * Determine whether Access should be granted/denied.
2346 *
2347 * The least priv subsytem is always consulted as a basic privilege
2348 * can define any form of access.
2349 */
2350 int
zfs_zaccess(znode_t * zp,int mode,int flags,boolean_t skipaclchk,cred_t * cr)2351 zfs_zaccess(znode_t *zp, int mode, int flags, boolean_t skipaclchk, cred_t *cr)
2352 {
2353 uint32_t working_mode;
2354 int error;
2355 int is_attr;
2356 boolean_t check_privs;
2357 znode_t *xzp;
2358 znode_t *check_zp = zp;
2359 mode_t needed_bits;
2360 uid_t owner;
2361
2362 is_attr = ((zp->z_pflags & ZFS_XATTR) && (ZTOV(zp)->v_type == VDIR));
2363
2364 /*
2365 * If attribute then validate against base file
2366 */
2367 if (is_attr) {
2368 uint64_t parent;
2369
2370 if ((error = sa_lookup(zp->z_sa_hdl,
2371 SA_ZPL_PARENT(zp->z_zfsvfs), &parent,
2372 sizeof (parent))) != 0)
2373 return (error);
2374
2375 if ((error = zfs_zget(zp->z_zfsvfs,
2376 parent, &xzp)) != 0) {
2377 return (error);
2378 }
2379
2380 check_zp = xzp;
2381
2382 /*
2383 * fixup mode to map to xattr perms
2384 */
2385
2386 if (mode & (ACE_WRITE_DATA|ACE_APPEND_DATA)) {
2387 mode &= ~(ACE_WRITE_DATA|ACE_APPEND_DATA);
2388 mode |= ACE_WRITE_NAMED_ATTRS;
2389 }
2390
2391 if (mode & (ACE_READ_DATA|ACE_EXECUTE)) {
2392 mode &= ~(ACE_READ_DATA|ACE_EXECUTE);
2393 mode |= ACE_READ_NAMED_ATTRS;
2394 }
2395 }
2396
2397 owner = zfs_fuid_map_id(zp->z_zfsvfs, zp->z_uid, cr, ZFS_OWNER);
2398 /*
2399 * Map the bits required to the standard vnode flags VREAD|VWRITE|VEXEC
2400 * in needed_bits. Map the bits mapped by working_mode (currently
2401 * missing) in missing_bits.
2402 * Call secpolicy_vnode_access2() with (needed_bits & ~checkmode),
2403 * needed_bits.
2404 */
2405 needed_bits = 0;
2406
2407 working_mode = mode;
2408 if ((working_mode & (ACE_READ_ACL|ACE_READ_ATTRIBUTES)) &&
2409 owner == crgetuid(cr))
2410 working_mode &= ~(ACE_READ_ACL|ACE_READ_ATTRIBUTES);
2411
2412 if (working_mode & (ACE_READ_DATA|ACE_READ_NAMED_ATTRS|
2413 ACE_READ_ACL|ACE_READ_ATTRIBUTES|ACE_SYNCHRONIZE))
2414 needed_bits |= VREAD;
2415 if (working_mode & (ACE_WRITE_DATA|ACE_WRITE_NAMED_ATTRS|
2416 ACE_APPEND_DATA|ACE_WRITE_ATTRIBUTES|ACE_SYNCHRONIZE))
2417 needed_bits |= VWRITE;
2418 if (working_mode & ACE_EXECUTE)
2419 needed_bits |= VEXEC;
2420
2421 if ((error = zfs_zaccess_common(check_zp, mode, &working_mode,
2422 &check_privs, skipaclchk, cr)) == 0) {
2423 if (is_attr)
2424 VN_RELE(ZTOV(xzp));
2425 return (secpolicy_vnode_access2(cr, ZTOV(zp), owner,
2426 needed_bits, needed_bits));
2427 }
2428
2429 if (error && !check_privs) {
2430 if (is_attr)
2431 VN_RELE(ZTOV(xzp));
2432 return (error);
2433 }
2434
2435 if (error && (flags & V_APPEND)) {
2436 error = zfs_zaccess_append(zp, &working_mode, &check_privs, cr);
2437 }
2438
2439 if (error && check_privs) {
2440 mode_t checkmode = 0;
2441
2442 /*
2443 * First check for implicit owner permission on
2444 * read_acl/read_attributes
2445 */
2446
2447 error = 0;
2448 ASSERT(working_mode != 0);
2449
2450 if ((working_mode & (ACE_READ_ACL|ACE_READ_ATTRIBUTES) &&
2451 owner == crgetuid(cr)))
2452 working_mode &= ~(ACE_READ_ACL|ACE_READ_ATTRIBUTES);
2453
2454 if (working_mode & (ACE_READ_DATA|ACE_READ_NAMED_ATTRS|
2455 ACE_READ_ACL|ACE_READ_ATTRIBUTES|ACE_SYNCHRONIZE))
2456 checkmode |= VREAD;
2457 if (working_mode & (ACE_WRITE_DATA|ACE_WRITE_NAMED_ATTRS|
2458 ACE_APPEND_DATA|ACE_WRITE_ATTRIBUTES|ACE_SYNCHRONIZE))
2459 checkmode |= VWRITE;
2460 if (working_mode & ACE_EXECUTE)
2461 checkmode |= VEXEC;
2462
2463 error = secpolicy_vnode_access2(cr, ZTOV(check_zp), owner,
2464 needed_bits & ~checkmode, needed_bits);
2465
2466 if (error == 0 && (working_mode & ACE_WRITE_OWNER))
2467 error = secpolicy_vnode_chown(cr, owner);
2468 if (error == 0 && (working_mode & ACE_WRITE_ACL))
2469 error = secpolicy_vnode_setdac(cr, owner);
2470
2471 if (error == 0 && (working_mode &
2472 (ACE_DELETE|ACE_DELETE_CHILD)))
2473 error = secpolicy_vnode_remove(cr);
2474
2475 if (error == 0 && (working_mode & ACE_SYNCHRONIZE)) {
2476 error = secpolicy_vnode_chown(cr, owner);
2477 }
2478 if (error == 0) {
2479 /*
2480 * See if any bits other than those already checked
2481 * for are still present. If so then return EACCES
2482 */
2483 if (working_mode & ~(ZFS_CHECKED_MASKS)) {
2484 error = SET_ERROR(EACCES);
2485 }
2486 }
2487 } else if (error == 0) {
2488 error = secpolicy_vnode_access2(cr, ZTOV(zp), owner,
2489 needed_bits, needed_bits);
2490 }
2491
2492
2493 if (is_attr)
2494 VN_RELE(ZTOV(xzp));
2495
2496 return (error);
2497 }
2498
2499 /*
2500 * Translate traditional unix VREAD/VWRITE/VEXEC mode into
2501 * native ACL format and call zfs_zaccess()
2502 */
2503 int
zfs_zaccess_rwx(znode_t * zp,mode_t mode,int flags,cred_t * cr)2504 zfs_zaccess_rwx(znode_t *zp, mode_t mode, int flags, cred_t *cr)
2505 {
2506 return (zfs_zaccess(zp, zfs_unix_to_v4(mode >> 6), flags, B_FALSE, cr));
2507 }
2508
2509 /*
2510 * Access function for secpolicy_vnode_setattr
2511 */
2512 int
zfs_zaccess_unix(znode_t * zp,mode_t mode,cred_t * cr)2513 zfs_zaccess_unix(znode_t *zp, mode_t mode, cred_t *cr)
2514 {
2515 int v4_mode = zfs_unix_to_v4(mode >> 6);
2516
2517 return (zfs_zaccess(zp, v4_mode, 0, B_FALSE, cr));
2518 }
2519
2520 static int
zfs_delete_final_check(znode_t * zp,znode_t * dzp,mode_t available_perms,cred_t * cr)2521 zfs_delete_final_check(znode_t *zp, znode_t *dzp,
2522 mode_t available_perms, cred_t *cr)
2523 {
2524 int error;
2525 uid_t downer;
2526
2527 downer = zfs_fuid_map_id(dzp->z_zfsvfs, dzp->z_uid, cr, ZFS_OWNER);
2528
2529 error = secpolicy_vnode_access2(cr, ZTOV(dzp),
2530 downer, available_perms, VWRITE|VEXEC);
2531
2532 if (error == 0)
2533 error = zfs_sticky_remove_access(dzp, zp, cr);
2534
2535 return (error);
2536 }
2537
2538 /*
2539 * Determine whether Access should be granted/deny, without
2540 * consulting least priv subsystem.
2541 *
2542 * The following chart is the recommended NFSv4 enforcement for
2543 * ability to delete an object.
2544 *
2545 * -------------------------------------------------------
2546 * | Parent Dir | Target Object Permissions |
2547 * | permissions | |
2548 * -------------------------------------------------------
2549 * | | ACL Allows | ACL Denies| Delete |
2550 * | | Delete | Delete | unspecified|
2551 * -------------------------------------------------------
2552 * | ACL Allows | Permit | Permit | Permit |
2553 * | DELETE_CHILD | |
2554 * -------------------------------------------------------
2555 * | ACL Denies | Permit | Deny | Deny |
2556 * | DELETE_CHILD | | | |
2557 * -------------------------------------------------------
2558 * | ACL specifies | | | |
2559 * | only allow | Permit | Permit | Permit |
2560 * | write and | | | |
2561 * | execute | | | |
2562 * -------------------------------------------------------
2563 * | ACL denies | | | |
2564 * | write and | Permit | Deny | Deny |
2565 * | execute | | | |
2566 * -------------------------------------------------------
2567 * ^
2568 * |
2569 * No search privilege, can't even look up file?
2570 *
2571 */
2572 int
zfs_zaccess_delete(znode_t * dzp,znode_t * zp,cred_t * cr)2573 zfs_zaccess_delete(znode_t *dzp, znode_t *zp, cred_t *cr)
2574 {
2575 uint32_t dzp_working_mode = 0;
2576 uint32_t zp_working_mode = 0;
2577 int dzp_error, zp_error;
2578 mode_t available_perms;
2579 boolean_t dzpcheck_privs = B_TRUE;
2580 boolean_t zpcheck_privs = B_TRUE;
2581
2582 /*
2583 * We want specific DELETE permissions to
2584 * take precedence over WRITE/EXECUTE. We don't
2585 * want an ACL such as this to mess us up.
2586 * user:joe:write_data:deny,user:joe:delete:allow
2587 *
2588 * However, deny permissions may ultimately be overridden
2589 * by secpolicy_vnode_access().
2590 *
2591 * We will ask for all of the necessary permissions and then
2592 * look at the working modes from the directory and target object
2593 * to determine what was found.
2594 */
2595
2596 if (zp->z_pflags & (ZFS_IMMUTABLE | ZFS_NOUNLINK))
2597 return (SET_ERROR(EPERM));
2598
2599 /*
2600 * First row
2601 * If the directory permissions allow the delete, we are done.
2602 */
2603 if ((dzp_error = zfs_zaccess_common(dzp, ACE_DELETE_CHILD,
2604 &dzp_working_mode, &dzpcheck_privs, B_FALSE, cr)) == 0)
2605 return (0);
2606
2607 /*
2608 * If target object has delete permission then we are done
2609 */
2610 if ((zp_error = zfs_zaccess_common(zp, ACE_DELETE, &zp_working_mode,
2611 &zpcheck_privs, B_FALSE, cr)) == 0)
2612 return (0);
2613
2614 ASSERT(dzp_error && zp_error);
2615
2616 if (!dzpcheck_privs)
2617 return (dzp_error);
2618 if (!zpcheck_privs)
2619 return (zp_error);
2620
2621 /*
2622 * Second row
2623 *
2624 * If directory returns EACCES then delete_child was denied
2625 * due to deny delete_child. In this case send the request through
2626 * secpolicy_vnode_remove(). We don't use zfs_delete_final_check()
2627 * since that *could* allow the delete based on write/execute permission
2628 * and we want delete permissions to override write/execute.
2629 */
2630
2631 if (dzp_error == EACCES)
2632 return (secpolicy_vnode_remove(cr));
2633
2634 /*
2635 * Third Row
2636 * only need to see if we have write/execute on directory.
2637 */
2638
2639 dzp_error = zfs_zaccess_common(dzp, ACE_EXECUTE|ACE_WRITE_DATA,
2640 &dzp_working_mode, &dzpcheck_privs, B_FALSE, cr);
2641
2642 if (dzp_error != 0 && !dzpcheck_privs)
2643 return (dzp_error);
2644
2645 /*
2646 * Fourth row
2647 */
2648
2649 available_perms = (dzp_working_mode & ACE_WRITE_DATA) ? 0 : VWRITE;
2650 available_perms |= (dzp_working_mode & ACE_EXECUTE) ? 0 : VEXEC;
2651
2652 return (zfs_delete_final_check(zp, dzp, available_perms, cr));
2653
2654 }
2655
2656 int
zfs_zaccess_rename(znode_t * sdzp,znode_t * szp,znode_t * tdzp,znode_t * tzp,cred_t * cr)2657 zfs_zaccess_rename(znode_t *sdzp, znode_t *szp, znode_t *tdzp,
2658 znode_t *tzp, cred_t *cr)
2659 {
2660 int add_perm;
2661 int error;
2662
2663 if (szp->z_pflags & ZFS_AV_QUARANTINED)
2664 return (SET_ERROR(EACCES));
2665
2666 add_perm = (ZTOV(szp)->v_type == VDIR) ?
2667 ACE_ADD_SUBDIRECTORY : ACE_ADD_FILE;
2668
2669 /*
2670 * Rename permissions are combination of delete permission +
2671 * add file/subdir permission.
2672 */
2673
2674 /*
2675 * first make sure we do the delete portion.
2676 *
2677 * If that succeeds then check for add_file/add_subdir permissions
2678 */
2679
2680 if (error = zfs_zaccess_delete(sdzp, szp, cr))
2681 return (error);
2682
2683 /*
2684 * If we have a tzp, see if we can delete it?
2685 */
2686 if (tzp) {
2687 if (error = zfs_zaccess_delete(tdzp, tzp, cr))
2688 return (error);
2689 }
2690
2691 /*
2692 * Now check for add permissions
2693 */
2694 error = zfs_zaccess(tdzp, add_perm, 0, B_FALSE, cr);
2695
2696 return (error);
2697 }
2698