xref: /freebsd/sys/contrib/openzfs/module/os/linux/zfs/zpl_xattr.c (revision f374ba41f55c1a127303d92d830dd58eef2f5243)
1 /*
2  * CDDL HEADER START
3  *
4  * The contents of this file are subject to the terms of the
5  * Common Development and Distribution License (the "License").
6  * You may not use this file except in compliance with the License.
7  *
8  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9  * or https://opensource.org/licenses/CDDL-1.0.
10  * See the License for the specific language governing permissions
11  * and limitations under the License.
12  *
13  * When distributing Covered Code, include this CDDL HEADER in each
14  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15  * If applicable, add the following below this CDDL HEADER, with the
16  * fields enclosed by brackets "[]" replaced with your own identifying
17  * information: Portions Copyright [yyyy] [name of copyright owner]
18  *
19  * CDDL HEADER END
20  */
21 /*
22  * Copyright (c) 2011, Lawrence Livermore National Security, LLC.
23  *
24  * Extended attributes (xattr) on Solaris are implemented as files
25  * which exist in a hidden xattr directory.  These extended attributes
26  * can be accessed using the attropen() system call which opens
27  * the extended attribute.  It can then be manipulated just like
28  * a standard file descriptor.  This has a couple advantages such
29  * as practically no size limit on the file, and the extended
30  * attributes permissions may differ from those of the parent file.
31  * This interface is really quite clever, but it's also completely
32  * different than what is supported on Linux.  It also comes with a
33  * steep performance penalty when accessing small xattrs because they
34  * are not stored with the parent file.
35  *
36  * Under Linux extended attributes are manipulated by the system
37  * calls getxattr(2), setxattr(2), and listxattr(2).  They consider
38  * extended attributes to be name/value pairs where the name is a
39  * NULL terminated string.  The name must also include one of the
40  * following namespace prefixes:
41  *
42  *   user     - No restrictions and is available to user applications.
43  *   trusted  - Restricted to kernel and root (CAP_SYS_ADMIN) use.
44  *   system   - Used for access control lists (system.nfs4_acl, etc).
45  *   security - Used by SELinux to store a files security context.
46  *
47  * The value under Linux to limited to 65536 bytes of binary data.
48  * In practice, individual xattrs tend to be much smaller than this
49  * and are typically less than 100 bytes.  A good example of this
50  * are the security.selinux xattrs which are less than 100 bytes and
51  * exist for every file when xattr labeling is enabled.
52  *
53  * The Linux xattr implementation has been written to take advantage of
54  * this typical usage.  When the dataset property 'xattr=sa' is set,
55  * then xattrs will be preferentially stored as System Attributes (SA).
56  * This allows tiny xattrs (~100 bytes) to be stored with the dnode and
57  * up to 64k of xattrs to be stored in the spill block.  If additional
58  * xattr space is required, which is unlikely under Linux, they will
59  * be stored using the traditional directory approach.
60  *
61  * This optimization results in roughly a 3x performance improvement
62  * when accessing xattrs because it avoids the need to perform a seek
63  * for every xattr value.  When multiple xattrs are stored per-file
64  * the performance improvements are even greater because all of the
65  * xattrs stored in the spill block will be cached.
66  *
67  * However, by default SA based xattrs are disabled in the Linux port
68  * to maximize compatibility with other implementations.  If you do
69  * enable SA based xattrs then they will not be visible on platforms
70  * which do not support this feature.
71  *
72  * NOTE: One additional consequence of the xattr directory implementation
73  * is that when an extended attribute is manipulated an inode is created.
74  * This inode will exist in the Linux inode cache but there will be no
75  * associated entry in the dentry cache which references it.  This is
76  * safe but it may result in some confusion.  Enabling SA based xattrs
77  * largely avoids the issue except in the overflow case.
78  */
79 
80 #include <sys/zfs_znode.h>
81 #include <sys/zfs_vfsops.h>
82 #include <sys/zfs_vnops.h>
83 #include <sys/zap.h>
84 #include <sys/vfs.h>
85 #include <sys/zpl.h>
86 #include <linux/vfs_compat.h>
87 
88 enum xattr_permission {
89 	XAPERM_DENY,
90 	XAPERM_ALLOW,
91 	XAPERM_COMPAT,
92 };
93 
94 typedef struct xattr_filldir {
95 	size_t size;
96 	size_t offset;
97 	char *buf;
98 	struct dentry *dentry;
99 } xattr_filldir_t;
100 
101 static enum xattr_permission zpl_xattr_permission(xattr_filldir_t *,
102     const char *, int);
103 
104 static int zfs_xattr_compat = 0;
105 
106 /*
107  * Determine is a given xattr name should be visible and if so copy it
108  * in to the provided buffer (xf->buf).
109  */
110 static int
111 zpl_xattr_filldir(xattr_filldir_t *xf, const char *name, int name_len)
112 {
113 	enum xattr_permission perm;
114 
115 	/* Check permissions using the per-namespace list xattr handler. */
116 	perm = zpl_xattr_permission(xf, name, name_len);
117 	if (perm == XAPERM_DENY)
118 		return (0);
119 
120 	/* Prefix the name with "user." if it does not have a namespace. */
121 	if (perm == XAPERM_COMPAT) {
122 		if (xf->buf) {
123 			if (xf->offset + XATTR_USER_PREFIX_LEN + 1 > xf->size)
124 				return (-ERANGE);
125 
126 			memcpy(xf->buf + xf->offset, XATTR_USER_PREFIX,
127 			    XATTR_USER_PREFIX_LEN);
128 			xf->buf[xf->offset + XATTR_USER_PREFIX_LEN] = '\0';
129 		}
130 
131 		xf->offset += XATTR_USER_PREFIX_LEN;
132 	}
133 
134 	/* When xf->buf is NULL only calculate the required size. */
135 	if (xf->buf) {
136 		if (xf->offset + name_len + 1 > xf->size)
137 			return (-ERANGE);
138 
139 		memcpy(xf->buf + xf->offset, name, name_len);
140 		xf->buf[xf->offset + name_len] = '\0';
141 	}
142 
143 	xf->offset += (name_len + 1);
144 
145 	return (0);
146 }
147 
148 /*
149  * Read as many directory entry names as will fit in to the provided buffer,
150  * or when no buffer is provided calculate the required buffer size.
151  */
152 static int
153 zpl_xattr_readdir(struct inode *dxip, xattr_filldir_t *xf)
154 {
155 	zap_cursor_t zc;
156 	zap_attribute_t	zap;
157 	int error;
158 
159 	zap_cursor_init(&zc, ITOZSB(dxip)->z_os, ITOZ(dxip)->z_id);
160 
161 	while ((error = -zap_cursor_retrieve(&zc, &zap)) == 0) {
162 
163 		if (zap.za_integer_length != 8 || zap.za_num_integers != 1) {
164 			error = -ENXIO;
165 			break;
166 		}
167 
168 		error = zpl_xattr_filldir(xf, zap.za_name, strlen(zap.za_name));
169 		if (error)
170 			break;
171 
172 		zap_cursor_advance(&zc);
173 	}
174 
175 	zap_cursor_fini(&zc);
176 
177 	if (error == -ENOENT)
178 		error = 0;
179 
180 	return (error);
181 }
182 
183 static ssize_t
184 zpl_xattr_list_dir(xattr_filldir_t *xf, cred_t *cr)
185 {
186 	struct inode *ip = xf->dentry->d_inode;
187 	struct inode *dxip = NULL;
188 	znode_t *dxzp;
189 	int error;
190 
191 	/* Lookup the xattr directory */
192 	error = -zfs_lookup(ITOZ(ip), NULL, &dxzp, LOOKUP_XATTR,
193 	    cr, NULL, NULL);
194 	if (error) {
195 		if (error == -ENOENT)
196 			error = 0;
197 
198 		return (error);
199 	}
200 
201 	dxip = ZTOI(dxzp);
202 	error = zpl_xattr_readdir(dxip, xf);
203 	iput(dxip);
204 
205 	return (error);
206 }
207 
208 static ssize_t
209 zpl_xattr_list_sa(xattr_filldir_t *xf)
210 {
211 	znode_t *zp = ITOZ(xf->dentry->d_inode);
212 	nvpair_t *nvp = NULL;
213 	int error = 0;
214 
215 	mutex_enter(&zp->z_lock);
216 	if (zp->z_xattr_cached == NULL)
217 		error = -zfs_sa_get_xattr(zp);
218 	mutex_exit(&zp->z_lock);
219 
220 	if (error)
221 		return (error);
222 
223 	ASSERT(zp->z_xattr_cached);
224 
225 	while ((nvp = nvlist_next_nvpair(zp->z_xattr_cached, nvp)) != NULL) {
226 		ASSERT3U(nvpair_type(nvp), ==, DATA_TYPE_BYTE_ARRAY);
227 
228 		error = zpl_xattr_filldir(xf, nvpair_name(nvp),
229 		    strlen(nvpair_name(nvp)));
230 		if (error)
231 			return (error);
232 	}
233 
234 	return (0);
235 }
236 
237 ssize_t
238 zpl_xattr_list(struct dentry *dentry, char *buffer, size_t buffer_size)
239 {
240 	znode_t *zp = ITOZ(dentry->d_inode);
241 	zfsvfs_t *zfsvfs = ZTOZSB(zp);
242 	xattr_filldir_t xf = { buffer_size, 0, buffer, dentry };
243 	cred_t *cr = CRED();
244 	fstrans_cookie_t cookie;
245 	int error = 0;
246 
247 	crhold(cr);
248 	cookie = spl_fstrans_mark();
249 	if ((error = zpl_enter_verify_zp(zfsvfs, zp, FTAG)) != 0)
250 		goto out1;
251 	rw_enter(&zp->z_xattr_lock, RW_READER);
252 
253 	if (zfsvfs->z_use_sa && zp->z_is_sa) {
254 		error = zpl_xattr_list_sa(&xf);
255 		if (error)
256 			goto out;
257 	}
258 
259 	error = zpl_xattr_list_dir(&xf, cr);
260 	if (error)
261 		goto out;
262 
263 	error = xf.offset;
264 out:
265 
266 	rw_exit(&zp->z_xattr_lock);
267 	zpl_exit(zfsvfs, FTAG);
268 out1:
269 	spl_fstrans_unmark(cookie);
270 	crfree(cr);
271 
272 	return (error);
273 }
274 
275 static int
276 zpl_xattr_get_dir(struct inode *ip, const char *name, void *value,
277     size_t size, cred_t *cr)
278 {
279 	fstrans_cookie_t cookie;
280 	struct inode *xip = NULL;
281 	znode_t *dxzp = NULL;
282 	znode_t *xzp = NULL;
283 	int error;
284 
285 	/* Lookup the xattr directory */
286 	error = -zfs_lookup(ITOZ(ip), NULL, &dxzp, LOOKUP_XATTR,
287 	    cr, NULL, NULL);
288 	if (error)
289 		goto out;
290 
291 	/* Lookup a specific xattr name in the directory */
292 	error = -zfs_lookup(dxzp, (char *)name, &xzp, 0, cr, NULL, NULL);
293 	if (error)
294 		goto out;
295 
296 	xip = ZTOI(xzp);
297 	if (!size) {
298 		error = i_size_read(xip);
299 		goto out;
300 	}
301 
302 	if (size < i_size_read(xip)) {
303 		error = -ERANGE;
304 		goto out;
305 	}
306 
307 	struct iovec iov;
308 	iov.iov_base = (void *)value;
309 	iov.iov_len = size;
310 
311 	zfs_uio_t uio;
312 	zfs_uio_iovec_init(&uio, &iov, 1, 0, UIO_SYSSPACE, size, 0);
313 
314 	cookie = spl_fstrans_mark();
315 	error = -zfs_read(ITOZ(xip), &uio, 0, cr);
316 	spl_fstrans_unmark(cookie);
317 
318 	if (error == 0)
319 		error = size - zfs_uio_resid(&uio);
320 out:
321 	if (xzp)
322 		zrele(xzp);
323 
324 	if (dxzp)
325 		zrele(dxzp);
326 
327 	return (error);
328 }
329 
330 static int
331 zpl_xattr_get_sa(struct inode *ip, const char *name, void *value, size_t size)
332 {
333 	znode_t *zp = ITOZ(ip);
334 	uchar_t *nv_value;
335 	uint_t nv_size;
336 	int error = 0;
337 
338 	ASSERT(RW_LOCK_HELD(&zp->z_xattr_lock));
339 
340 	mutex_enter(&zp->z_lock);
341 	if (zp->z_xattr_cached == NULL)
342 		error = -zfs_sa_get_xattr(zp);
343 	mutex_exit(&zp->z_lock);
344 
345 	if (error)
346 		return (error);
347 
348 	ASSERT(zp->z_xattr_cached);
349 	error = -nvlist_lookup_byte_array(zp->z_xattr_cached, name,
350 	    &nv_value, &nv_size);
351 	if (error)
352 		return (error);
353 
354 	if (size == 0 || value == NULL)
355 		return (nv_size);
356 
357 	if (size < nv_size)
358 		return (-ERANGE);
359 
360 	memcpy(value, nv_value, nv_size);
361 
362 	return (nv_size);
363 }
364 
365 static int
366 __zpl_xattr_get(struct inode *ip, const char *name, void *value, size_t size,
367     cred_t *cr)
368 {
369 	znode_t *zp = ITOZ(ip);
370 	zfsvfs_t *zfsvfs = ZTOZSB(zp);
371 	int error;
372 
373 	ASSERT(RW_LOCK_HELD(&zp->z_xattr_lock));
374 
375 	if (zfsvfs->z_use_sa && zp->z_is_sa) {
376 		error = zpl_xattr_get_sa(ip, name, value, size);
377 		if (error != -ENOENT)
378 			goto out;
379 	}
380 
381 	error = zpl_xattr_get_dir(ip, name, value, size, cr);
382 out:
383 	if (error == -ENOENT)
384 		error = -ENODATA;
385 
386 	return (error);
387 }
388 
389 #define	XATTR_NOENT	0x0
390 #define	XATTR_IN_SA	0x1
391 #define	XATTR_IN_DIR	0x2
392 /* check where the xattr resides */
393 static int
394 __zpl_xattr_where(struct inode *ip, const char *name, int *where, cred_t *cr)
395 {
396 	znode_t *zp = ITOZ(ip);
397 	zfsvfs_t *zfsvfs = ZTOZSB(zp);
398 	int error;
399 
400 	ASSERT(where);
401 	ASSERT(RW_LOCK_HELD(&zp->z_xattr_lock));
402 
403 	*where = XATTR_NOENT;
404 	if (zfsvfs->z_use_sa && zp->z_is_sa) {
405 		error = zpl_xattr_get_sa(ip, name, NULL, 0);
406 		if (error >= 0)
407 			*where |= XATTR_IN_SA;
408 		else if (error != -ENOENT)
409 			return (error);
410 	}
411 
412 	error = zpl_xattr_get_dir(ip, name, NULL, 0, cr);
413 	if (error >= 0)
414 		*where |= XATTR_IN_DIR;
415 	else if (error != -ENOENT)
416 		return (error);
417 
418 	if (*where == (XATTR_IN_SA|XATTR_IN_DIR))
419 		cmn_err(CE_WARN, "ZFS: inode %p has xattr \"%s\""
420 		    " in both SA and dir", ip, name);
421 	if (*where == XATTR_NOENT)
422 		error = -ENODATA;
423 	else
424 		error = 0;
425 	return (error);
426 }
427 
428 static int
429 zpl_xattr_get(struct inode *ip, const char *name, void *value, size_t size)
430 {
431 	znode_t *zp = ITOZ(ip);
432 	zfsvfs_t *zfsvfs = ZTOZSB(zp);
433 	cred_t *cr = CRED();
434 	fstrans_cookie_t cookie;
435 	int error;
436 
437 	crhold(cr);
438 	cookie = spl_fstrans_mark();
439 	if ((error = zpl_enter_verify_zp(zfsvfs, zp, FTAG)) != 0)
440 		goto out;
441 	rw_enter(&zp->z_xattr_lock, RW_READER);
442 	error = __zpl_xattr_get(ip, name, value, size, cr);
443 	rw_exit(&zp->z_xattr_lock);
444 	zpl_exit(zfsvfs, FTAG);
445 out:
446 	spl_fstrans_unmark(cookie);
447 	crfree(cr);
448 
449 	return (error);
450 }
451 
452 static int
453 zpl_xattr_set_dir(struct inode *ip, const char *name, const void *value,
454     size_t size, int flags, cred_t *cr)
455 {
456 	znode_t *dxzp = NULL;
457 	znode_t *xzp = NULL;
458 	vattr_t *vap = NULL;
459 	int lookup_flags, error;
460 	const int xattr_mode = S_IFREG | 0644;
461 	loff_t pos = 0;
462 
463 	/*
464 	 * Lookup the xattr directory.  When we're adding an entry pass
465 	 * CREATE_XATTR_DIR to ensure the xattr directory is created.
466 	 * When removing an entry this flag is not passed to avoid
467 	 * unnecessarily creating a new xattr directory.
468 	 */
469 	lookup_flags = LOOKUP_XATTR;
470 	if (value != NULL)
471 		lookup_flags |= CREATE_XATTR_DIR;
472 
473 	error = -zfs_lookup(ITOZ(ip), NULL, &dxzp, lookup_flags,
474 	    cr, NULL, NULL);
475 	if (error)
476 		goto out;
477 
478 	/* Lookup a specific xattr name in the directory */
479 	error = -zfs_lookup(dxzp, (char *)name, &xzp, 0, cr, NULL, NULL);
480 	if (error && (error != -ENOENT))
481 		goto out;
482 
483 	error = 0;
484 
485 	/* Remove a specific name xattr when value is set to NULL. */
486 	if (value == NULL) {
487 		if (xzp)
488 			error = -zfs_remove(dxzp, (char *)name, cr, 0);
489 
490 		goto out;
491 	}
492 
493 	/* Lookup failed create a new xattr. */
494 	if (xzp == NULL) {
495 		vap = kmem_zalloc(sizeof (vattr_t), KM_SLEEP);
496 		vap->va_mode = xattr_mode;
497 		vap->va_mask = ATTR_MODE;
498 		vap->va_uid = crgetuid(cr);
499 		vap->va_gid = crgetgid(cr);
500 
501 		error = -zfs_create(dxzp, (char *)name, vap, 0, 0644, &xzp,
502 		    cr, ATTR_NOACLCHECK, NULL, kcred->user_ns);
503 		if (error)
504 			goto out;
505 	}
506 
507 	ASSERT(xzp != NULL);
508 
509 	error = -zfs_freesp(xzp, 0, 0, xattr_mode, TRUE);
510 	if (error)
511 		goto out;
512 
513 	error = -zfs_write_simple(xzp, value, size, pos, NULL);
514 out:
515 	if (error == 0) {
516 		ip->i_ctime = current_time(ip);
517 		zfs_mark_inode_dirty(ip);
518 	}
519 
520 	if (vap)
521 		kmem_free(vap, sizeof (vattr_t));
522 
523 	if (xzp)
524 		zrele(xzp);
525 
526 	if (dxzp)
527 		zrele(dxzp);
528 
529 	if (error == -ENOENT)
530 		error = -ENODATA;
531 
532 	ASSERT3S(error, <=, 0);
533 
534 	return (error);
535 }
536 
537 static int
538 zpl_xattr_set_sa(struct inode *ip, const char *name, const void *value,
539     size_t size, int flags, cred_t *cr)
540 {
541 	znode_t *zp = ITOZ(ip);
542 	nvlist_t *nvl;
543 	size_t sa_size;
544 	int error = 0;
545 
546 	mutex_enter(&zp->z_lock);
547 	if (zp->z_xattr_cached == NULL)
548 		error = -zfs_sa_get_xattr(zp);
549 	mutex_exit(&zp->z_lock);
550 
551 	if (error)
552 		return (error);
553 
554 	ASSERT(zp->z_xattr_cached);
555 	nvl = zp->z_xattr_cached;
556 
557 	if (value == NULL) {
558 		error = -nvlist_remove(nvl, name, DATA_TYPE_BYTE_ARRAY);
559 		if (error == -ENOENT)
560 			error = zpl_xattr_set_dir(ip, name, NULL, 0, flags, cr);
561 	} else {
562 		/* Limited to 32k to keep nvpair memory allocations small */
563 		if (size > DXATTR_MAX_ENTRY_SIZE)
564 			return (-EFBIG);
565 
566 		/* Prevent the DXATTR SA from consuming the entire SA region */
567 		error = -nvlist_size(nvl, &sa_size, NV_ENCODE_XDR);
568 		if (error)
569 			return (error);
570 
571 		if (sa_size > DXATTR_MAX_SA_SIZE)
572 			return (-EFBIG);
573 
574 		error = -nvlist_add_byte_array(nvl, name,
575 		    (uchar_t *)value, size);
576 	}
577 
578 	/*
579 	 * Update the SA for additions, modifications, and removals. On
580 	 * error drop the inconsistent cached version of the nvlist, it
581 	 * will be reconstructed from the ARC when next accessed.
582 	 */
583 	if (error == 0)
584 		error = -zfs_sa_set_xattr(zp, name, value, size);
585 
586 	if (error) {
587 		nvlist_free(nvl);
588 		zp->z_xattr_cached = NULL;
589 	}
590 
591 	ASSERT3S(error, <=, 0);
592 
593 	return (error);
594 }
595 
596 static int
597 zpl_xattr_set(struct inode *ip, const char *name, const void *value,
598     size_t size, int flags)
599 {
600 	znode_t *zp = ITOZ(ip);
601 	zfsvfs_t *zfsvfs = ZTOZSB(zp);
602 	cred_t *cr = CRED();
603 	fstrans_cookie_t cookie;
604 	int where;
605 	int error;
606 
607 	crhold(cr);
608 	cookie = spl_fstrans_mark();
609 	if ((error = zpl_enter_verify_zp(zfsvfs, zp, FTAG)) != 0)
610 		goto out1;
611 	rw_enter(&zp->z_xattr_lock, RW_WRITER);
612 
613 	/*
614 	 * Before setting the xattr check to see if it already exists.
615 	 * This is done to ensure the following optional flags are honored.
616 	 *
617 	 *   XATTR_CREATE: fail if xattr already exists
618 	 *   XATTR_REPLACE: fail if xattr does not exist
619 	 *
620 	 * We also want to know if it resides in sa or dir, so we can make
621 	 * sure we don't end up with duplicate in both places.
622 	 */
623 	error = __zpl_xattr_where(ip, name, &where, cr);
624 	if (error < 0) {
625 		if (error != -ENODATA)
626 			goto out;
627 		if (flags & XATTR_REPLACE)
628 			goto out;
629 
630 		/* The xattr to be removed already doesn't exist */
631 		error = 0;
632 		if (value == NULL)
633 			goto out;
634 	} else {
635 		error = -EEXIST;
636 		if (flags & XATTR_CREATE)
637 			goto out;
638 	}
639 
640 	/* Preferentially store the xattr as a SA for better performance */
641 	if (zfsvfs->z_use_sa && zp->z_is_sa &&
642 	    (zfsvfs->z_xattr_sa || (value == NULL && where & XATTR_IN_SA))) {
643 		error = zpl_xattr_set_sa(ip, name, value, size, flags, cr);
644 		if (error == 0) {
645 			/*
646 			 * Successfully put into SA, we need to clear the one
647 			 * in dir.
648 			 */
649 			if (where & XATTR_IN_DIR)
650 				zpl_xattr_set_dir(ip, name, NULL, 0, 0, cr);
651 			goto out;
652 		}
653 	}
654 
655 	error = zpl_xattr_set_dir(ip, name, value, size, flags, cr);
656 	/*
657 	 * Successfully put into dir, we need to clear the one in SA.
658 	 */
659 	if (error == 0 && (where & XATTR_IN_SA))
660 		zpl_xattr_set_sa(ip, name, NULL, 0, 0, cr);
661 out:
662 	rw_exit(&zp->z_xattr_lock);
663 	zpl_exit(zfsvfs, FTAG);
664 out1:
665 	spl_fstrans_unmark(cookie);
666 	crfree(cr);
667 	ASSERT3S(error, <=, 0);
668 
669 	return (error);
670 }
671 
672 /*
673  * Extended user attributes
674  *
675  * "Extended user attributes may be assigned to files and directories for
676  * storing arbitrary additional information such as the mime type,
677  * character set or encoding of a file.  The access permissions for user
678  * attributes are defined by the file permission bits: read permission
679  * is required to retrieve the attribute value, and writer permission is
680  * required to change it.
681  *
682  * The file permission bits of regular files and directories are
683  * interpreted differently from the file permission bits of special
684  * files and symbolic links.  For regular files and directories the file
685  * permission bits define access to the file's contents, while for
686  * device special files they define access to the device described by
687  * the special file.  The file permissions of symbolic links are not
688  * used in access checks.  These differences would allow users to
689  * consume filesystem resources in a way not controllable by disk quotas
690  * for group or world writable special files and directories.
691  *
692  * For this reason, extended user attributes are allowed only for
693  * regular files and directories, and access to extended user attributes
694  * is restricted to the owner and to users with appropriate capabilities
695  * for directories with the sticky bit set (see the chmod(1) manual page
696  * for an explanation of the sticky bit)." - xattr(7)
697  *
698  * ZFS allows extended user attributes to be disabled administratively
699  * by setting the 'xattr=off' property on the dataset.
700  */
701 static int
702 __zpl_xattr_user_list(struct inode *ip, char *list, size_t list_size,
703     const char *name, size_t name_len)
704 {
705 	return (ITOZSB(ip)->z_flags & ZSB_XATTR);
706 }
707 ZPL_XATTR_LIST_WRAPPER(zpl_xattr_user_list);
708 
709 static int
710 __zpl_xattr_user_get(struct inode *ip, const char *name,
711     void *value, size_t size)
712 {
713 	int error;
714 	/* xattr_resolve_name will do this for us if this is defined */
715 #ifndef HAVE_XATTR_HANDLER_NAME
716 	if (strcmp(name, "") == 0)
717 		return (-EINVAL);
718 #endif
719 	if (ZFS_XA_NS_PREFIX_FORBIDDEN(name))
720 		return (-EINVAL);
721 	if (!(ITOZSB(ip)->z_flags & ZSB_XATTR))
722 		return (-EOPNOTSUPP);
723 
724 	/*
725 	 * Try to look up the name with the namespace prefix first for
726 	 * compatibility with xattrs from this platform.  If that fails,
727 	 * try again without the namespace prefix for compatibility with
728 	 * other platforms.
729 	 */
730 	char *xattr_name = kmem_asprintf("%s%s", XATTR_USER_PREFIX, name);
731 	error = zpl_xattr_get(ip, xattr_name, value, size);
732 	kmem_strfree(xattr_name);
733 	if (error == -ENODATA)
734 		error = zpl_xattr_get(ip, name, value, size);
735 
736 	return (error);
737 }
738 ZPL_XATTR_GET_WRAPPER(zpl_xattr_user_get);
739 
740 static int
741 __zpl_xattr_user_set(struct user_namespace *user_ns,
742     struct inode *ip, const char *name,
743     const void *value, size_t size, int flags)
744 {
745 	(void) user_ns;
746 	int error = 0;
747 	/* xattr_resolve_name will do this for us if this is defined */
748 #ifndef HAVE_XATTR_HANDLER_NAME
749 	if (strcmp(name, "") == 0)
750 		return (-EINVAL);
751 #endif
752 	if (ZFS_XA_NS_PREFIX_FORBIDDEN(name))
753 		return (-EINVAL);
754 	if (!(ITOZSB(ip)->z_flags & ZSB_XATTR))
755 		return (-EOPNOTSUPP);
756 
757 	/*
758 	 * Remove alternate compat version of the xattr so we only set the
759 	 * version specified by the zfs_xattr_compat tunable.
760 	 *
761 	 * The following flags must be handled correctly:
762 	 *
763 	 *   XATTR_CREATE: fail if xattr already exists
764 	 *   XATTR_REPLACE: fail if xattr does not exist
765 	 */
766 	char *prefixed_name = kmem_asprintf("%s%s", XATTR_USER_PREFIX, name);
767 	const char *clear_name, *set_name;
768 	if (zfs_xattr_compat) {
769 		clear_name = prefixed_name;
770 		set_name = name;
771 	} else {
772 		clear_name = name;
773 		set_name = prefixed_name;
774 	}
775 	/*
776 	 * Clear the old value with the alternative name format, if it exists.
777 	 */
778 	error = zpl_xattr_set(ip, clear_name, NULL, 0, flags);
779 	/*
780 	 * XATTR_CREATE was specified and we failed to clear the xattr
781 	 * because it already exists.  Stop here.
782 	 */
783 	if (error == -EEXIST)
784 		goto out;
785 	/*
786 	 * If XATTR_REPLACE was specified and we succeeded to clear
787 	 * an xattr, we don't need to replace anything when setting
788 	 * the new value.  If we failed with -ENODATA that's fine,
789 	 * there was nothing to be cleared and we can ignore the error.
790 	 */
791 	if (error == 0)
792 		flags &= ~XATTR_REPLACE;
793 	/*
794 	 * Set the new value with the configured name format.
795 	 */
796 	error = zpl_xattr_set(ip, set_name, value, size, flags);
797 out:
798 	kmem_strfree(prefixed_name);
799 	return (error);
800 }
801 ZPL_XATTR_SET_WRAPPER(zpl_xattr_user_set);
802 
803 static xattr_handler_t zpl_xattr_user_handler =
804 {
805 	.prefix	= XATTR_USER_PREFIX,
806 	.list	= zpl_xattr_user_list,
807 	.get	= zpl_xattr_user_get,
808 	.set	= zpl_xattr_user_set,
809 };
810 
811 /*
812  * Trusted extended attributes
813  *
814  * "Trusted extended attributes are visible and accessible only to
815  * processes that have the CAP_SYS_ADMIN capability.  Attributes in this
816  * class are used to implement mechanisms in user space (i.e., outside
817  * the kernel) which keep information in extended attributes to which
818  * ordinary processes should not have access." - xattr(7)
819  */
820 static int
821 __zpl_xattr_trusted_list(struct inode *ip, char *list, size_t list_size,
822     const char *name, size_t name_len)
823 {
824 	return (capable(CAP_SYS_ADMIN));
825 }
826 ZPL_XATTR_LIST_WRAPPER(zpl_xattr_trusted_list);
827 
828 static int
829 __zpl_xattr_trusted_get(struct inode *ip, const char *name,
830     void *value, size_t size)
831 {
832 	char *xattr_name;
833 	int error;
834 
835 	if (!capable(CAP_SYS_ADMIN))
836 		return (-EACCES);
837 	/* xattr_resolve_name will do this for us if this is defined */
838 #ifndef HAVE_XATTR_HANDLER_NAME
839 	if (strcmp(name, "") == 0)
840 		return (-EINVAL);
841 #endif
842 	xattr_name = kmem_asprintf("%s%s", XATTR_TRUSTED_PREFIX, name);
843 	error = zpl_xattr_get(ip, xattr_name, value, size);
844 	kmem_strfree(xattr_name);
845 
846 	return (error);
847 }
848 ZPL_XATTR_GET_WRAPPER(zpl_xattr_trusted_get);
849 
850 static int
851 __zpl_xattr_trusted_set(struct user_namespace *user_ns,
852     struct inode *ip, const char *name,
853     const void *value, size_t size, int flags)
854 {
855 	(void) user_ns;
856 	char *xattr_name;
857 	int error;
858 
859 	if (!capable(CAP_SYS_ADMIN))
860 		return (-EACCES);
861 	/* xattr_resolve_name will do this for us if this is defined */
862 #ifndef HAVE_XATTR_HANDLER_NAME
863 	if (strcmp(name, "") == 0)
864 		return (-EINVAL);
865 #endif
866 	xattr_name = kmem_asprintf("%s%s", XATTR_TRUSTED_PREFIX, name);
867 	error = zpl_xattr_set(ip, xattr_name, value, size, flags);
868 	kmem_strfree(xattr_name);
869 
870 	return (error);
871 }
872 ZPL_XATTR_SET_WRAPPER(zpl_xattr_trusted_set);
873 
874 static xattr_handler_t zpl_xattr_trusted_handler = {
875 	.prefix	= XATTR_TRUSTED_PREFIX,
876 	.list	= zpl_xattr_trusted_list,
877 	.get	= zpl_xattr_trusted_get,
878 	.set	= zpl_xattr_trusted_set,
879 };
880 
881 /*
882  * Extended security attributes
883  *
884  * "The security attribute namespace is used by kernel security modules,
885  * such as Security Enhanced Linux, and also to implement file
886  * capabilities (see capabilities(7)).  Read and write access
887  * permissions to security attributes depend on the policy implemented
888  * for each security attribute by the security module.  When no security
889  * module is loaded, all processes have read access to extended security
890  * attributes, and write access is limited to processes that have the
891  * CAP_SYS_ADMIN capability." - xattr(7)
892  */
893 static int
894 __zpl_xattr_security_list(struct inode *ip, char *list, size_t list_size,
895     const char *name, size_t name_len)
896 {
897 	return (1);
898 }
899 ZPL_XATTR_LIST_WRAPPER(zpl_xattr_security_list);
900 
901 static int
902 __zpl_xattr_security_get(struct inode *ip, const char *name,
903     void *value, size_t size)
904 {
905 	char *xattr_name;
906 	int error;
907 	/* xattr_resolve_name will do this for us if this is defined */
908 #ifndef HAVE_XATTR_HANDLER_NAME
909 	if (strcmp(name, "") == 0)
910 		return (-EINVAL);
911 #endif
912 	xattr_name = kmem_asprintf("%s%s", XATTR_SECURITY_PREFIX, name);
913 	error = zpl_xattr_get(ip, xattr_name, value, size);
914 	kmem_strfree(xattr_name);
915 
916 	return (error);
917 }
918 ZPL_XATTR_GET_WRAPPER(zpl_xattr_security_get);
919 
920 static int
921 __zpl_xattr_security_set(struct user_namespace *user_ns,
922     struct inode *ip, const char *name,
923     const void *value, size_t size, int flags)
924 {
925 	(void) user_ns;
926 	char *xattr_name;
927 	int error;
928 	/* xattr_resolve_name will do this for us if this is defined */
929 #ifndef HAVE_XATTR_HANDLER_NAME
930 	if (strcmp(name, "") == 0)
931 		return (-EINVAL);
932 #endif
933 	xattr_name = kmem_asprintf("%s%s", XATTR_SECURITY_PREFIX, name);
934 	error = zpl_xattr_set(ip, xattr_name, value, size, flags);
935 	kmem_strfree(xattr_name);
936 
937 	return (error);
938 }
939 ZPL_XATTR_SET_WRAPPER(zpl_xattr_security_set);
940 
941 static int
942 zpl_xattr_security_init_impl(struct inode *ip, const struct xattr *xattrs,
943     void *fs_info)
944 {
945 	const struct xattr *xattr;
946 	int error = 0;
947 
948 	for (xattr = xattrs; xattr->name != NULL; xattr++) {
949 		error = __zpl_xattr_security_set(NULL, ip,
950 		    xattr->name, xattr->value, xattr->value_len, 0);
951 
952 		if (error < 0)
953 			break;
954 	}
955 
956 	return (error);
957 }
958 
959 int
960 zpl_xattr_security_init(struct inode *ip, struct inode *dip,
961     const struct qstr *qstr)
962 {
963 	return security_inode_init_security(ip, dip, qstr,
964 	    &zpl_xattr_security_init_impl, NULL);
965 }
966 
967 /*
968  * Security xattr namespace handlers.
969  */
970 static xattr_handler_t zpl_xattr_security_handler = {
971 	.prefix	= XATTR_SECURITY_PREFIX,
972 	.list	= zpl_xattr_security_list,
973 	.get	= zpl_xattr_security_get,
974 	.set	= zpl_xattr_security_set,
975 };
976 
977 /*
978  * Extended system attributes
979  *
980  * "Extended system attributes are used by the kernel to store system
981  * objects such as Access Control Lists.  Read and write access permissions
982  * to system attributes depend on the policy implemented for each system
983  * attribute implemented by filesystems in the kernel." - xattr(7)
984  */
985 #ifdef CONFIG_FS_POSIX_ACL
986 static int
987 zpl_set_acl_impl(struct inode *ip, struct posix_acl *acl, int type)
988 {
989 	char *name, *value = NULL;
990 	int error = 0;
991 	size_t size = 0;
992 
993 	if (S_ISLNK(ip->i_mode))
994 		return (-EOPNOTSUPP);
995 
996 	switch (type) {
997 	case ACL_TYPE_ACCESS:
998 		name = XATTR_NAME_POSIX_ACL_ACCESS;
999 		if (acl) {
1000 			umode_t mode = ip->i_mode;
1001 			error = posix_acl_equiv_mode(acl, &mode);
1002 			if (error < 0) {
1003 				return (error);
1004 			} else {
1005 				/*
1006 				 * The mode bits will have been set by
1007 				 * ->zfs_setattr()->zfs_acl_chmod_setattr()
1008 				 * using the ZFS ACL conversion.  If they
1009 				 * differ from the Posix ACL conversion dirty
1010 				 * the inode to write the Posix mode bits.
1011 				 */
1012 				if (ip->i_mode != mode) {
1013 					ip->i_mode = ITOZ(ip)->z_mode = mode;
1014 					ip->i_ctime = current_time(ip);
1015 					zfs_mark_inode_dirty(ip);
1016 				}
1017 
1018 				if (error == 0)
1019 					acl = NULL;
1020 			}
1021 		}
1022 		break;
1023 
1024 	case ACL_TYPE_DEFAULT:
1025 		name = XATTR_NAME_POSIX_ACL_DEFAULT;
1026 		if (!S_ISDIR(ip->i_mode))
1027 			return (acl ? -EACCES : 0);
1028 		break;
1029 
1030 	default:
1031 		return (-EINVAL);
1032 	}
1033 
1034 	if (acl) {
1035 		size = posix_acl_xattr_size(acl->a_count);
1036 		value = kmem_alloc(size, KM_SLEEP);
1037 
1038 		error = zpl_acl_to_xattr(acl, value, size);
1039 		if (error < 0) {
1040 			kmem_free(value, size);
1041 			return (error);
1042 		}
1043 	}
1044 
1045 	error = zpl_xattr_set(ip, name, value, size, 0);
1046 	if (value)
1047 		kmem_free(value, size);
1048 
1049 	if (!error) {
1050 		if (acl)
1051 			zpl_set_cached_acl(ip, type, acl);
1052 		else
1053 			zpl_forget_cached_acl(ip, type);
1054 	}
1055 
1056 	return (error);
1057 }
1058 
1059 #ifdef HAVE_SET_ACL
1060 int
1061 #ifdef HAVE_SET_ACL_USERNS
1062 zpl_set_acl(struct user_namespace *userns, struct inode *ip,
1063     struct posix_acl *acl, int type)
1064 #elif defined(HAVE_SET_ACL_USERNS_DENTRY_ARG2)
1065 zpl_set_acl(struct user_namespace *userns, struct dentry *dentry,
1066     struct posix_acl *acl, int type)
1067 #else
1068 zpl_set_acl(struct inode *ip, struct posix_acl *acl, int type)
1069 #endif /* HAVE_SET_ACL_USERNS */
1070 {
1071 #ifdef HAVE_SET_ACL_USERNS_DENTRY_ARG2
1072 	return (zpl_set_acl_impl(d_inode(dentry), acl, type));
1073 #else
1074 	return (zpl_set_acl_impl(ip, acl, type));
1075 #endif /* HAVE_SET_ACL_USERNS_DENTRY_ARG2 */
1076 }
1077 #endif /* HAVE_SET_ACL */
1078 
1079 static struct posix_acl *
1080 zpl_get_acl_impl(struct inode *ip, int type)
1081 {
1082 	struct posix_acl *acl;
1083 	void *value = NULL;
1084 	char *name;
1085 
1086 	/*
1087 	 * As of Linux 3.14, the kernel get_acl will check this for us.
1088 	 * Also as of Linux 4.7, comparing against ACL_NOT_CACHED is wrong
1089 	 * as the kernel get_acl will set it to temporary sentinel value.
1090 	 */
1091 #ifndef HAVE_KERNEL_GET_ACL_HANDLE_CACHE
1092 	acl = get_cached_acl(ip, type);
1093 	if (acl != ACL_NOT_CACHED)
1094 		return (acl);
1095 #endif
1096 
1097 	switch (type) {
1098 	case ACL_TYPE_ACCESS:
1099 		name = XATTR_NAME_POSIX_ACL_ACCESS;
1100 		break;
1101 	case ACL_TYPE_DEFAULT:
1102 		name = XATTR_NAME_POSIX_ACL_DEFAULT;
1103 		break;
1104 	default:
1105 		return (ERR_PTR(-EINVAL));
1106 	}
1107 
1108 	int size = zpl_xattr_get(ip, name, NULL, 0);
1109 	if (size > 0) {
1110 		value = kmem_alloc(size, KM_SLEEP);
1111 		size = zpl_xattr_get(ip, name, value, size);
1112 	}
1113 
1114 	if (size > 0) {
1115 		acl = zpl_acl_from_xattr(value, size);
1116 	} else if (size == -ENODATA || size == -ENOSYS) {
1117 		acl = NULL;
1118 	} else {
1119 		acl = ERR_PTR(-EIO);
1120 	}
1121 
1122 	if (size > 0)
1123 		kmem_free(value, size);
1124 
1125 	/* As of Linux 4.7, the kernel get_acl will set this for us */
1126 #ifndef HAVE_KERNEL_GET_ACL_HANDLE_CACHE
1127 	if (!IS_ERR(acl))
1128 		zpl_set_cached_acl(ip, type, acl);
1129 #endif
1130 
1131 	return (acl);
1132 }
1133 
1134 #if defined(HAVE_GET_ACL_RCU) || defined(HAVE_GET_INODE_ACL)
1135 struct posix_acl *
1136 zpl_get_acl(struct inode *ip, int type, bool rcu)
1137 {
1138 	if (rcu)
1139 		return (ERR_PTR(-ECHILD));
1140 
1141 	return (zpl_get_acl_impl(ip, type));
1142 }
1143 #elif defined(HAVE_GET_ACL)
1144 struct posix_acl *
1145 zpl_get_acl(struct inode *ip, int type)
1146 {
1147 	return (zpl_get_acl_impl(ip, type));
1148 }
1149 #else
1150 #error "Unsupported iops->get_acl() implementation"
1151 #endif /* HAVE_GET_ACL_RCU */
1152 
1153 int
1154 zpl_init_acl(struct inode *ip, struct inode *dir)
1155 {
1156 	struct posix_acl *acl = NULL;
1157 	int error = 0;
1158 
1159 	if (ITOZSB(ip)->z_acl_type != ZFS_ACLTYPE_POSIX)
1160 		return (0);
1161 
1162 	if (!S_ISLNK(ip->i_mode)) {
1163 		acl = zpl_get_acl_impl(dir, ACL_TYPE_DEFAULT);
1164 		if (IS_ERR(acl))
1165 			return (PTR_ERR(acl));
1166 		if (!acl) {
1167 			ITOZ(ip)->z_mode = (ip->i_mode &= ~current_umask());
1168 			ip->i_ctime = current_time(ip);
1169 			zfs_mark_inode_dirty(ip);
1170 			return (0);
1171 		}
1172 	}
1173 
1174 	if (acl) {
1175 		umode_t mode;
1176 
1177 		if (S_ISDIR(ip->i_mode)) {
1178 			error = zpl_set_acl_impl(ip, acl, ACL_TYPE_DEFAULT);
1179 			if (error)
1180 				goto out;
1181 		}
1182 
1183 		mode = ip->i_mode;
1184 		error = __posix_acl_create(&acl, GFP_KERNEL, &mode);
1185 		if (error >= 0) {
1186 			ip->i_mode = ITOZ(ip)->z_mode = mode;
1187 			zfs_mark_inode_dirty(ip);
1188 			if (error > 0) {
1189 				error = zpl_set_acl_impl(ip, acl,
1190 				    ACL_TYPE_ACCESS);
1191 			}
1192 		}
1193 	}
1194 out:
1195 	zpl_posix_acl_release(acl);
1196 
1197 	return (error);
1198 }
1199 
1200 int
1201 zpl_chmod_acl(struct inode *ip)
1202 {
1203 	struct posix_acl *acl;
1204 	int error;
1205 
1206 	if (ITOZSB(ip)->z_acl_type != ZFS_ACLTYPE_POSIX)
1207 		return (0);
1208 
1209 	if (S_ISLNK(ip->i_mode))
1210 		return (-EOPNOTSUPP);
1211 
1212 	acl = zpl_get_acl_impl(ip, ACL_TYPE_ACCESS);
1213 	if (IS_ERR(acl) || !acl)
1214 		return (PTR_ERR(acl));
1215 
1216 	error = __posix_acl_chmod(&acl, GFP_KERNEL, ip->i_mode);
1217 	if (!error)
1218 		error = zpl_set_acl_impl(ip, acl, ACL_TYPE_ACCESS);
1219 
1220 	zpl_posix_acl_release(acl);
1221 
1222 	return (error);
1223 }
1224 
1225 static int
1226 __zpl_xattr_acl_list_access(struct inode *ip, char *list, size_t list_size,
1227     const char *name, size_t name_len)
1228 {
1229 	char *xattr_name = XATTR_NAME_POSIX_ACL_ACCESS;
1230 	size_t xattr_size = sizeof (XATTR_NAME_POSIX_ACL_ACCESS);
1231 
1232 	if (ITOZSB(ip)->z_acl_type != ZFS_ACLTYPE_POSIX)
1233 		return (0);
1234 
1235 	if (list && xattr_size <= list_size)
1236 		memcpy(list, xattr_name, xattr_size);
1237 
1238 	return (xattr_size);
1239 }
1240 ZPL_XATTR_LIST_WRAPPER(zpl_xattr_acl_list_access);
1241 
1242 static int
1243 __zpl_xattr_acl_list_default(struct inode *ip, char *list, size_t list_size,
1244     const char *name, size_t name_len)
1245 {
1246 	char *xattr_name = XATTR_NAME_POSIX_ACL_DEFAULT;
1247 	size_t xattr_size = sizeof (XATTR_NAME_POSIX_ACL_DEFAULT);
1248 
1249 	if (ITOZSB(ip)->z_acl_type != ZFS_ACLTYPE_POSIX)
1250 		return (0);
1251 
1252 	if (list && xattr_size <= list_size)
1253 		memcpy(list, xattr_name, xattr_size);
1254 
1255 	return (xattr_size);
1256 }
1257 ZPL_XATTR_LIST_WRAPPER(zpl_xattr_acl_list_default);
1258 
1259 static int
1260 __zpl_xattr_acl_get_access(struct inode *ip, const char *name,
1261     void *buffer, size_t size)
1262 {
1263 	struct posix_acl *acl;
1264 	int type = ACL_TYPE_ACCESS;
1265 	int error;
1266 	/* xattr_resolve_name will do this for us if this is defined */
1267 #ifndef HAVE_XATTR_HANDLER_NAME
1268 	if (strcmp(name, "") != 0)
1269 		return (-EINVAL);
1270 #endif
1271 	if (ITOZSB(ip)->z_acl_type != ZFS_ACLTYPE_POSIX)
1272 		return (-EOPNOTSUPP);
1273 
1274 	acl = zpl_get_acl_impl(ip, type);
1275 	if (IS_ERR(acl))
1276 		return (PTR_ERR(acl));
1277 	if (acl == NULL)
1278 		return (-ENODATA);
1279 
1280 	error = zpl_acl_to_xattr(acl, buffer, size);
1281 	zpl_posix_acl_release(acl);
1282 
1283 	return (error);
1284 }
1285 ZPL_XATTR_GET_WRAPPER(zpl_xattr_acl_get_access);
1286 
1287 static int
1288 __zpl_xattr_acl_get_default(struct inode *ip, const char *name,
1289     void *buffer, size_t size)
1290 {
1291 	struct posix_acl *acl;
1292 	int type = ACL_TYPE_DEFAULT;
1293 	int error;
1294 	/* xattr_resolve_name will do this for us if this is defined */
1295 #ifndef HAVE_XATTR_HANDLER_NAME
1296 	if (strcmp(name, "") != 0)
1297 		return (-EINVAL);
1298 #endif
1299 	if (ITOZSB(ip)->z_acl_type != ZFS_ACLTYPE_POSIX)
1300 		return (-EOPNOTSUPP);
1301 
1302 	acl = zpl_get_acl_impl(ip, type);
1303 	if (IS_ERR(acl))
1304 		return (PTR_ERR(acl));
1305 	if (acl == NULL)
1306 		return (-ENODATA);
1307 
1308 	error = zpl_acl_to_xattr(acl, buffer, size);
1309 	zpl_posix_acl_release(acl);
1310 
1311 	return (error);
1312 }
1313 ZPL_XATTR_GET_WRAPPER(zpl_xattr_acl_get_default);
1314 
1315 static int
1316 __zpl_xattr_acl_set_access(struct user_namespace *mnt_ns,
1317     struct inode *ip, const char *name,
1318     const void *value, size_t size, int flags)
1319 {
1320 	struct posix_acl *acl;
1321 	int type = ACL_TYPE_ACCESS;
1322 	int error = 0;
1323 	/* xattr_resolve_name will do this for us if this is defined */
1324 #ifndef HAVE_XATTR_HANDLER_NAME
1325 	if (strcmp(name, "") != 0)
1326 		return (-EINVAL);
1327 #endif
1328 	if (ITOZSB(ip)->z_acl_type != ZFS_ACLTYPE_POSIX)
1329 		return (-EOPNOTSUPP);
1330 
1331 #if defined(HAVE_XATTR_SET_USERNS)
1332 	if (!zpl_inode_owner_or_capable(mnt_ns, ip))
1333 		return (-EPERM);
1334 #else
1335 	(void) mnt_ns;
1336 	if (!zpl_inode_owner_or_capable(kcred->user_ns, ip))
1337 		return (-EPERM);
1338 #endif
1339 
1340 	if (value) {
1341 		acl = zpl_acl_from_xattr(value, size);
1342 		if (IS_ERR(acl))
1343 			return (PTR_ERR(acl));
1344 		else if (acl) {
1345 			error = zpl_posix_acl_valid(ip, acl);
1346 			if (error) {
1347 				zpl_posix_acl_release(acl);
1348 				return (error);
1349 			}
1350 		}
1351 	} else {
1352 		acl = NULL;
1353 	}
1354 	error = zpl_set_acl_impl(ip, acl, type);
1355 	zpl_posix_acl_release(acl);
1356 
1357 	return (error);
1358 }
1359 ZPL_XATTR_SET_WRAPPER(zpl_xattr_acl_set_access);
1360 
1361 static int
1362 __zpl_xattr_acl_set_default(struct user_namespace *mnt_ns,
1363     struct inode *ip, const char *name,
1364     const void *value, size_t size, int flags)
1365 {
1366 	struct posix_acl *acl;
1367 	int type = ACL_TYPE_DEFAULT;
1368 	int error = 0;
1369 	/* xattr_resolve_name will do this for us if this is defined */
1370 #ifndef HAVE_XATTR_HANDLER_NAME
1371 	if (strcmp(name, "") != 0)
1372 		return (-EINVAL);
1373 #endif
1374 	if (ITOZSB(ip)->z_acl_type != ZFS_ACLTYPE_POSIX)
1375 		return (-EOPNOTSUPP);
1376 
1377 #if defined(HAVE_XATTR_SET_USERNS)
1378 	if (!zpl_inode_owner_or_capable(mnt_ns, ip))
1379 		return (-EPERM);
1380 #else
1381 	(void) mnt_ns;
1382 	if (!zpl_inode_owner_or_capable(kcred->user_ns, ip))
1383 		return (-EPERM);
1384 #endif
1385 
1386 	if (value) {
1387 		acl = zpl_acl_from_xattr(value, size);
1388 		if (IS_ERR(acl))
1389 			return (PTR_ERR(acl));
1390 		else if (acl) {
1391 			error = zpl_posix_acl_valid(ip, acl);
1392 			if (error) {
1393 				zpl_posix_acl_release(acl);
1394 				return (error);
1395 			}
1396 		}
1397 	} else {
1398 		acl = NULL;
1399 	}
1400 
1401 	error = zpl_set_acl_impl(ip, acl, type);
1402 	zpl_posix_acl_release(acl);
1403 
1404 	return (error);
1405 }
1406 ZPL_XATTR_SET_WRAPPER(zpl_xattr_acl_set_default);
1407 
1408 /*
1409  * ACL access xattr namespace handlers.
1410  *
1411  * Use .name instead of .prefix when available. xattr_resolve_name will match
1412  * whole name and reject anything that has .name only as prefix.
1413  */
1414 static xattr_handler_t zpl_xattr_acl_access_handler = {
1415 #ifdef HAVE_XATTR_HANDLER_NAME
1416 	.name	= XATTR_NAME_POSIX_ACL_ACCESS,
1417 #else
1418 	.prefix	= XATTR_NAME_POSIX_ACL_ACCESS,
1419 #endif
1420 	.list	= zpl_xattr_acl_list_access,
1421 	.get	= zpl_xattr_acl_get_access,
1422 	.set	= zpl_xattr_acl_set_access,
1423 #if defined(HAVE_XATTR_LIST_SIMPLE) || \
1424     defined(HAVE_XATTR_LIST_DENTRY) || \
1425     defined(HAVE_XATTR_LIST_HANDLER)
1426 	.flags	= ACL_TYPE_ACCESS,
1427 #endif
1428 };
1429 
1430 /*
1431  * ACL default xattr namespace handlers.
1432  *
1433  * Use .name instead of .prefix when available. xattr_resolve_name will match
1434  * whole name and reject anything that has .name only as prefix.
1435  */
1436 static xattr_handler_t zpl_xattr_acl_default_handler = {
1437 #ifdef HAVE_XATTR_HANDLER_NAME
1438 	.name	= XATTR_NAME_POSIX_ACL_DEFAULT,
1439 #else
1440 	.prefix	= XATTR_NAME_POSIX_ACL_DEFAULT,
1441 #endif
1442 	.list	= zpl_xattr_acl_list_default,
1443 	.get	= zpl_xattr_acl_get_default,
1444 	.set	= zpl_xattr_acl_set_default,
1445 #if defined(HAVE_XATTR_LIST_SIMPLE) || \
1446     defined(HAVE_XATTR_LIST_DENTRY) || \
1447     defined(HAVE_XATTR_LIST_HANDLER)
1448 	.flags	= ACL_TYPE_DEFAULT,
1449 #endif
1450 };
1451 
1452 #endif /* CONFIG_FS_POSIX_ACL */
1453 
1454 xattr_handler_t *zpl_xattr_handlers[] = {
1455 	&zpl_xattr_security_handler,
1456 	&zpl_xattr_trusted_handler,
1457 	&zpl_xattr_user_handler,
1458 #ifdef CONFIG_FS_POSIX_ACL
1459 	&zpl_xattr_acl_access_handler,
1460 	&zpl_xattr_acl_default_handler,
1461 #endif /* CONFIG_FS_POSIX_ACL */
1462 	NULL
1463 };
1464 
1465 static const struct xattr_handler *
1466 zpl_xattr_handler(const char *name)
1467 {
1468 	if (strncmp(name, XATTR_USER_PREFIX,
1469 	    XATTR_USER_PREFIX_LEN) == 0)
1470 		return (&zpl_xattr_user_handler);
1471 
1472 	if (strncmp(name, XATTR_TRUSTED_PREFIX,
1473 	    XATTR_TRUSTED_PREFIX_LEN) == 0)
1474 		return (&zpl_xattr_trusted_handler);
1475 
1476 	if (strncmp(name, XATTR_SECURITY_PREFIX,
1477 	    XATTR_SECURITY_PREFIX_LEN) == 0)
1478 		return (&zpl_xattr_security_handler);
1479 
1480 #ifdef CONFIG_FS_POSIX_ACL
1481 	if (strncmp(name, XATTR_NAME_POSIX_ACL_ACCESS,
1482 	    sizeof (XATTR_NAME_POSIX_ACL_ACCESS)) == 0)
1483 		return (&zpl_xattr_acl_access_handler);
1484 
1485 	if (strncmp(name, XATTR_NAME_POSIX_ACL_DEFAULT,
1486 	    sizeof (XATTR_NAME_POSIX_ACL_DEFAULT)) == 0)
1487 		return (&zpl_xattr_acl_default_handler);
1488 #endif /* CONFIG_FS_POSIX_ACL */
1489 
1490 	return (NULL);
1491 }
1492 
1493 static enum xattr_permission
1494 zpl_xattr_permission(xattr_filldir_t *xf, const char *name, int name_len)
1495 {
1496 	const struct xattr_handler *handler;
1497 	struct dentry *d __maybe_unused = xf->dentry;
1498 	enum xattr_permission perm = XAPERM_ALLOW;
1499 
1500 	handler = zpl_xattr_handler(name);
1501 	if (handler == NULL) {
1502 		/* Do not expose FreeBSD system namespace xattrs. */
1503 		if (ZFS_XA_NS_PREFIX_MATCH(FREEBSD, name))
1504 			return (XAPERM_DENY);
1505 		/*
1506 		 * Anything that doesn't match a known namespace gets put in the
1507 		 * user namespace for compatibility with other platforms.
1508 		 */
1509 		perm = XAPERM_COMPAT;
1510 		handler = &zpl_xattr_user_handler;
1511 	}
1512 
1513 	if (handler->list) {
1514 #if defined(HAVE_XATTR_LIST_SIMPLE)
1515 		if (!handler->list(d))
1516 			return (XAPERM_DENY);
1517 #elif defined(HAVE_XATTR_LIST_DENTRY)
1518 		if (!handler->list(d, NULL, 0, name, name_len, 0))
1519 			return (XAPERM_DENY);
1520 #elif defined(HAVE_XATTR_LIST_HANDLER)
1521 		if (!handler->list(handler, d, NULL, 0, name, name_len))
1522 			return (XAPERM_DENY);
1523 #endif
1524 	}
1525 
1526 	return (perm);
1527 }
1528 
1529 #if defined(CONFIG_FS_POSIX_ACL) && \
1530 	(!defined(HAVE_POSIX_ACL_RELEASE) || \
1531 		defined(HAVE_POSIX_ACL_RELEASE_GPL_ONLY))
1532 struct acl_rel_struct {
1533 	struct acl_rel_struct *next;
1534 	struct posix_acl *acl;
1535 	clock_t time;
1536 };
1537 
1538 #define	ACL_REL_GRACE	(60*HZ)
1539 #define	ACL_REL_WINDOW	(1*HZ)
1540 #define	ACL_REL_SCHED	(ACL_REL_GRACE+ACL_REL_WINDOW)
1541 
1542 /*
1543  * Lockless multi-producer single-consumer fifo list.
1544  * Nodes are added to tail and removed from head. Tail pointer is our
1545  * synchronization point. It always points to the next pointer of the last
1546  * node, or head if list is empty.
1547  */
1548 static struct acl_rel_struct *acl_rel_head = NULL;
1549 static struct acl_rel_struct **acl_rel_tail = &acl_rel_head;
1550 
1551 static void
1552 zpl_posix_acl_free(void *arg)
1553 {
1554 	struct acl_rel_struct *freelist = NULL;
1555 	struct acl_rel_struct *a;
1556 	clock_t new_time;
1557 	boolean_t refire = B_FALSE;
1558 
1559 	ASSERT3P(acl_rel_head, !=, NULL);
1560 	while (acl_rel_head) {
1561 		a = acl_rel_head;
1562 		if (ddi_get_lbolt() - a->time >= ACL_REL_GRACE) {
1563 			/*
1564 			 * If a is the last node we need to reset tail, but we
1565 			 * need to use cmpxchg to make sure it is still the
1566 			 * last node.
1567 			 */
1568 			if (acl_rel_tail == &a->next) {
1569 				acl_rel_head = NULL;
1570 				if (cmpxchg(&acl_rel_tail, &a->next,
1571 				    &acl_rel_head) == &a->next) {
1572 					ASSERT3P(a->next, ==, NULL);
1573 					a->next = freelist;
1574 					freelist = a;
1575 					break;
1576 				}
1577 			}
1578 			/*
1579 			 * a is not last node, make sure next pointer is set
1580 			 * by the adder and advance the head.
1581 			 */
1582 			while (READ_ONCE(a->next) == NULL)
1583 				cpu_relax();
1584 			acl_rel_head = a->next;
1585 			a->next = freelist;
1586 			freelist = a;
1587 		} else {
1588 			/*
1589 			 * a is still in grace period. We are responsible to
1590 			 * reschedule the free task, since adder will only do
1591 			 * so if list is empty.
1592 			 */
1593 			new_time = a->time + ACL_REL_SCHED;
1594 			refire = B_TRUE;
1595 			break;
1596 		}
1597 	}
1598 
1599 	if (refire)
1600 		taskq_dispatch_delay(system_delay_taskq, zpl_posix_acl_free,
1601 		    NULL, TQ_SLEEP, new_time);
1602 
1603 	while (freelist) {
1604 		a = freelist;
1605 		freelist = a->next;
1606 		kfree(a->acl);
1607 		kmem_free(a, sizeof (struct acl_rel_struct));
1608 	}
1609 }
1610 
1611 void
1612 zpl_posix_acl_release_impl(struct posix_acl *acl)
1613 {
1614 	struct acl_rel_struct *a, **prev;
1615 
1616 	a = kmem_alloc(sizeof (struct acl_rel_struct), KM_SLEEP);
1617 	a->next = NULL;
1618 	a->acl = acl;
1619 	a->time = ddi_get_lbolt();
1620 	/* atomically points tail to us and get the previous tail */
1621 	prev = xchg(&acl_rel_tail, &a->next);
1622 	ASSERT3P(*prev, ==, NULL);
1623 	*prev = a;
1624 	/* if it was empty before, schedule the free task */
1625 	if (prev == &acl_rel_head)
1626 		taskq_dispatch_delay(system_delay_taskq, zpl_posix_acl_free,
1627 		    NULL, TQ_SLEEP, ddi_get_lbolt() + ACL_REL_SCHED);
1628 }
1629 #endif
1630 
1631 ZFS_MODULE_PARAM(zfs, zfs_, xattr_compat, INT, ZMOD_RW,
1632 	"Use legacy ZFS xattr naming for writing new user namespace xattrs");
1633