.\"-
.\" Copyright (c) 2001 Robert N. M. Watson
.\" All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\"    notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\"    notice, this list of conditions and the following disclaimer in the
.\"    documentation and/or other materials provided with the distribution.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
.Dd September 18, 2009
.Dt VACCESS_ACL_NFS4 9
.Os
.Sh NAME
.Nm vaccess_acl_nfs4
.Nd generate an NFSv4 ACL access control decision using vnode parameters
.Sh SYNOPSIS
.In sys/param.h
.In sys/vnode.h
.In sys/acl.h
.Ft int
.Fo vaccess_acl_nfs4
.Fa "enum vtype type"
.Fa "uid_t file_uid"
.Fa "gid_t file_gid"
.Fa "struct acl *acl"
.Fa "accmode_t accmode"
.Fa "struct ucred *cred"
.Fa "int *privused"
.Fc
.Sh DESCRIPTION
This call implements the logic for the
.Ux
discretionary file security model
with NFSv4 ACL extensions.
It accepts the vnode's type
.Fa type ,
owning UID
.Fa file_uid ,
owning GID
.Fa file_gid ,
access ACL for the file
.Fa acl ,
desired access mode
.Fa accmode ,
requesting credential
.Fa cred ,
and an optional call-by-reference
.Vt int
pointer returning whether or not
privilege was required for successful evaluation of the call; the
.Fa privused
pointer may be set to
.Dv NULL
by the caller in order not to be informed of
privilege information, or it may point to an integer that will be set to
1 if privilege is used, and 0 otherwise.
.Pp
This call is intended to support implementations of
.Xr VOP_ACCESS 9 ,
which will use their own access methods to retrieve the vnode properties,
and then invoke
.Fn vaccess_acl_nfs4
in order to perform the actual check.
Implementations of
.Xr VOP_ACCESS 9
may choose to implement additional security mechanisms whose results will
be composed with the return value.
.Pp
The algorithm used by
.Fn vaccess_acl_nfs4
is based on the NFSv4 ACL evaluation algorithm, as described in
NFSv4 Minor Version 1, draft-ietf-nfsv4-minorversion1-21.txt.
The algorithm selects a
.Em matching
entry from the access ACL, which may
then be composed with an available ACL mask entry, providing
.Ux
security compatibility.
.Pp
Once appropriate protections are selected for the current credential,
the requested access mode, in combination with the vnode type, will be
compared with the discretionary rights available for the credential.
If the rights granted by discretionary protections are insufficient,
then super-user privilege, if available for the credential, will also be
considered.
.Sh RETURN VALUES
.Fn vaccess_acl_nfs4
will return 0 on success, or a non-zero error value on failure.
.Sh ERRORS
.Bl -tag -width Er
.It Bq Er EACCES
Permission denied.
An attempt was made to access a file in a way forbidden by its file access
permissions.
.It Bq Er EPERM
Operation not permitted.
An attempt was made to perform an operation limited to processes with
appropriate privileges or to the owner of a file or other resource.
.El
.Sh SEE ALSO
.Xr vaccess 9 ,
.Xr vnode 9 ,
.Xr VOP_ACCESS 9
.Sh AUTHORS
Current implementation of
.Fn vaccess_acl_nfs4
was written by
.An Edward Tomasz Napierala Aq Mt trasz@FreeBSD.org .
.Sh BUGS
This manual page should include a full description of the NFSv4 ACL
evaluation algorithm, or cross reference another page that does.
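.Pp
As an added illustration (a user-space model, not the FreeBSD kernel code), the following C sketch walks an ordered allow/deny entry list the way the NFSv4 evaluation algorithm does, then applies the privilege fallback and the privused reporting described in DESCRIPTION. All type, constant and function names are hypothetical; the single superuser flag, the deny-by-default on an exhausted ACL, and the choice of EPERM for the ACL-write bit are assumptions of the model.

```c
#include <errno.h>
#include <stddef.h>
/* Model-only names; not the kernel's struct acl, accmode_t or struct ucred. */
enum who { W_OWNER, W_GROUP, W_EVERYONE, W_USER, W_GRP };
enum { M_READ = 1, M_WRITE = 2, M_EXEC = 4, M_WRITE_ACL = 8 };
struct ace { enum who who; unsigned id; int deny; unsigned mask; };
struct cred { unsigned uid, gid; int superuser; };
/* Constructed sample ACL for a file owned by uid 100, gid 20. */
static const struct ace sample[] = {
	{ W_USER, 200, 1, M_WRITE },		/* deny user 200: write */
	{ W_GROUP, 0, 0, M_READ | M_WRITE },	/* allow group@: read, write */
	{ W_EVERYONE, 0, 0, M_READ },		/* allow everyone@: read */
};

static int ace_matches(const struct ace *a, unsigned fuid, unsigned fgid,
    const struct cred *c)
{
	switch (a->who) {
	case W_OWNER:	return c->uid == fuid;
	case W_GROUP:	return c->gid == fgid;
	case W_USER:	return c->uid == a->id;
	case W_GRP:	return c->gid == a->id;
	default:	return 1;	/* everyone@ */
	}
}

/* Returns 0, EACCES or EPERM; *privused (may be NULL) reports privilege use. */
int model_access(unsigned fuid, unsigned fgid, const struct ace *acl, size_t n,
    unsigned want, const struct cred *c, int *privused)
{
	unsigned left = want;	/* requested bits not yet allowed */
	int denied = 0;
	if (privused != NULL)
		*privused = 0;
	for (size_t i = 0; i < n && left != 0 && !denied; i++) {
		if (!ace_matches(&acl[i], fuid, fgid, c))
			continue;
		if (acl[i].deny)	/* deny only bites on still-open bits */
			denied = (acl[i].mask & left) != 0;
		else
			left &= ~acl[i].mask;
	}
	if (!denied && left == 0)
		return 0;	/* granted by the ACL alone */
	if (c->superuser) {	/* simplified stand-in for the privilege check */
		if (privused != NULL)
			*privused = 1;
		return 0;
	}
	return (want & M_WRITE_ACL) ? EPERM : EACCES;	/* model's choice */
}
```

Entry order is significant: with the deny entry moved below the group@ allow, user 200 in group 20 would be granted write, because the allow clears the bit before the deny is reached.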