1 /*- 2 * Copyright (c) 2008-2009 Edward Tomasz Napierała <trasz@FreeBSD.org> 3 * All rights reserved. 4 * 5 * Redistribution and use in source and binary forms, with or without 6 * modification, are permitted provided that the following conditions 7 * are met: 8 * 1. Redistributions of source code must retain the above copyright 9 * notice, this list of conditions and the following disclaimer. 10 * 2. Redistributions in binary form must reproduce the above copyright 11 * notice, this list of conditions and the following disclaimer in the 12 * documentation and/or other materials provided with the distribution. 13 * 14 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND 15 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 16 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 17 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 18 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 19 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 20 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 21 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 22 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 23 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 24 * SUCH DAMAGE. 25 */ 26 27 /* 28 * ACL support routines specific to NFSv4 access control lists. These are 29 * utility routines for code common across file systems implementing NFSv4 30 * ACLs. 31 */ 32 33 #ifdef _KERNEL 34 #include <sys/cdefs.h> 35 __FBSDID("$FreeBSD$"); 36 37 #include <sys/param.h> 38 #include <sys/systm.h> 39 #include <sys/mount.h> 40 #include <sys/priv.h> 41 #include <sys/vnode.h> 42 #include <sys/errno.h> 43 #include <sys/stat.h> 44 #include <sys/acl.h> 45 #else 46 #include <errno.h> 47 #include <assert.h> 48 #include <sys/acl.h> 49 #include <sys/stat.h> 50 #define KASSERT(a, b) assert(a) 51 #define CTASSERT(a) 52 #endif /* _KERNEL */ 53 54 #ifdef _KERNEL 55 56 static struct { 57 accmode_t accmode; 58 int mask; 59 } accmode2mask[] = {{VREAD, ACL_READ_DATA}, 60 {VWRITE, ACL_WRITE_DATA}, 61 {VAPPEND, ACL_APPEND_DATA}, 62 {VEXEC, ACL_EXECUTE}, 63 {VREAD_NAMED_ATTRS, ACL_READ_NAMED_ATTRS}, 64 {VWRITE_NAMED_ATTRS, ACL_WRITE_NAMED_ATTRS}, 65 {VDELETE_CHILD, ACL_DELETE_CHILD}, 66 {VREAD_ATTRIBUTES, ACL_READ_ATTRIBUTES}, 67 {VWRITE_ATTRIBUTES, ACL_WRITE_ATTRIBUTES}, 68 {VDELETE, ACL_DELETE}, 69 {VREAD_ACL, ACL_READ_ACL}, 70 {VWRITE_ACL, ACL_WRITE_ACL}, 71 {VWRITE_OWNER, ACL_WRITE_OWNER}, 72 {VSYNCHRONIZE, ACL_SYNCHRONIZE}, 73 {0, 0}}; 74 75 static int 76 _access_mask_from_accmode(accmode_t accmode) 77 { 78 int access_mask = 0, i; 79 80 for (i = 0; accmode2mask[i].accmode != 0; i++) { 81 if (accmode & accmode2mask[i].accmode) 82 access_mask |= accmode2mask[i].mask; 83 } 84 85 /* 86 * VAPPEND is just a modifier for VWRITE; if the caller asked 87 * for 'VAPPEND | VWRITE', we want to check for ACL_APPEND_DATA only. 88 */ 89 if (access_mask & ACL_APPEND_DATA) 90 access_mask &= ~ACL_WRITE_DATA; 91 92 return (access_mask); 93 } 94 95 /* 96 * Return 0, iff access is allowed, 1 otherwise. 97 */ 98 static int 99 _acl_denies(const struct acl *aclp, int access_mask, struct ucred *cred, 100 int file_uid, int file_gid, int *denied_explicitly) 101 { 102 int i; 103 const struct acl_entry *entry; 104 105 if (denied_explicitly != NULL) 106 *denied_explicitly = 0; 107 108 KASSERT(aclp->acl_cnt > 0, ("aclp->acl_cnt > 0")); 109 KASSERT(aclp->acl_cnt <= ACL_MAX_ENTRIES, 110 ("aclp->acl_cnt <= ACL_MAX_ENTRIES")); 111 112 for (i = 0; i < aclp->acl_cnt; i++) { 113 entry = &(aclp->acl_entry[i]); 114 115 if (entry->ae_entry_type != ACL_ENTRY_TYPE_ALLOW && 116 entry->ae_entry_type != ACL_ENTRY_TYPE_DENY) 117 continue; 118 if (entry->ae_flags & ACL_ENTRY_INHERIT_ONLY) 119 continue; 120 switch (entry->ae_tag) { 121 case ACL_USER_OBJ: 122 if (file_uid != cred->cr_uid) 123 continue; 124 break; 125 case ACL_USER: 126 if (entry->ae_id != cred->cr_uid) 127 continue; 128 break; 129 case ACL_GROUP_OBJ: 130 if (!groupmember(file_gid, cred)) 131 continue; 132 break; 133 case ACL_GROUP: 134 if (!groupmember(entry->ae_id, cred)) 135 continue; 136 break; 137 default: 138 KASSERT(entry->ae_tag == ACL_EVERYONE, 139 ("entry->ae_tag == ACL_EVERYONE")); 140 } 141 142 if (entry->ae_entry_type == ACL_ENTRY_TYPE_DENY) { 143 if (entry->ae_perm & access_mask) { 144 if (denied_explicitly != NULL) 145 *denied_explicitly = 1; 146 return (1); 147 } 148 } 149 150 access_mask &= ~(entry->ae_perm); 151 if (access_mask == 0) 152 return (0); 153 } 154 155 return (1); 156 } 157 158 int 159 vaccess_acl_nfs4(enum vtype type, uid_t file_uid, gid_t file_gid, 160 struct acl *aclp, accmode_t accmode, struct ucred *cred, int *privused) 161 { 162 accmode_t priv_granted = 0; 163 int denied, explicitly_denied, access_mask, is_directory, 164 must_be_owner = 0; 165 mode_t file_mode = 0; 166 167 KASSERT((accmode & ~(VEXEC | VWRITE | VREAD | VADMIN | VAPPEND | 168 VEXPLICIT_DENY | VREAD_NAMED_ATTRS | VWRITE_NAMED_ATTRS | 169 VDELETE_CHILD | VREAD_ATTRIBUTES | VWRITE_ATTRIBUTES | VDELETE | 170 VREAD_ACL | VWRITE_ACL | VWRITE_OWNER | VSYNCHRONIZE)) == 0, 171 ("invalid bit in accmode")); 172 KASSERT((accmode & VAPPEND) == 0 || (accmode & VWRITE), 173 ("VAPPEND without VWRITE")); 174 175 if (privused != NULL) 176 *privused = 0; 177 178 if (accmode & VADMIN) 179 must_be_owner = 1; 180 181 /* 182 * Ignore VSYNCHRONIZE permission. 183 */ 184 accmode &= ~VSYNCHRONIZE; 185 186 access_mask = _access_mask_from_accmode(accmode); 187 188 if (type == VDIR) 189 is_directory = 1; 190 else 191 is_directory = 0; 192 193 /* 194 * File owner is always allowed to read and write the ACL 195 * and basic attributes. This is to prevent a situation 196 * where user would change ACL in a way that prevents him 197 * from undoing the change. 198 */ 199 if (file_uid == cred->cr_uid) 200 access_mask &= ~(ACL_READ_ACL | ACL_WRITE_ACL | 201 ACL_READ_ATTRIBUTES | ACL_WRITE_ATTRIBUTES); 202 203 /* 204 * Ignore append permission for regular files; use write 205 * permission instead. 206 */ 207 if (!is_directory && (access_mask & ACL_APPEND_DATA)) { 208 access_mask &= ~ACL_APPEND_DATA; 209 access_mask |= ACL_WRITE_DATA; 210 } 211 212 denied = _acl_denies(aclp, access_mask, cred, file_uid, file_gid, 213 &explicitly_denied); 214 215 if (must_be_owner) { 216 if (file_uid != cred->cr_uid) 217 denied = EPERM; 218 } 219 220 /* 221 * For VEXEC, ensure that at least one execute bit is set for 222 * non-directories. We have to check the mode here to stay 223 * consistent with execve(2). See the test in 224 * exec_check_permissions(). 225 */ 226 acl_nfs4_sync_mode_from_acl(&file_mode, aclp); 227 if (!denied && !is_directory && (accmode & VEXEC) && 228 (file_mode & (S_IXUSR | S_IXGRP | S_IXOTH)) == 0) 229 denied = EACCES; 230 231 if (!denied) 232 return (0); 233 234 /* 235 * Access failed. Iff it was not denied explicitly and 236 * VEXPLICIT_DENY flag was specified, allow access. 237 */ 238 if ((accmode & VEXPLICIT_DENY) && explicitly_denied == 0) 239 return (0); 240 241 accmode &= ~VEXPLICIT_DENY; 242 243 /* 244 * No match. Try to use privileges, if there are any. 245 */ 246 if (is_directory) { 247 if ((accmode & VEXEC) && !priv_check_cred(cred, 248 PRIV_VFS_LOOKUP, 0)) 249 priv_granted |= VEXEC; 250 } else { 251 /* 252 * Ensure that at least one execute bit is on. Otherwise, 253 * a privileged user will always succeed, and we don't want 254 * this to happen unless the file really is executable. 255 */ 256 if ((accmode & VEXEC) && (file_mode & 257 (S_IXUSR | S_IXGRP | S_IXOTH)) != 0 && 258 !priv_check_cred(cred, PRIV_VFS_EXEC, 0)) 259 priv_granted |= VEXEC; 260 } 261 262 if ((accmode & VREAD) && !priv_check_cred(cred, PRIV_VFS_READ, 0)) 263 priv_granted |= VREAD; 264 265 if ((accmode & (VWRITE | VAPPEND | VDELETE_CHILD)) && 266 !priv_check_cred(cred, PRIV_VFS_WRITE, 0)) 267 priv_granted |= (VWRITE | VAPPEND | VDELETE_CHILD); 268 269 if ((accmode & VADMIN_PERMS) && 270 !priv_check_cred(cred, PRIV_VFS_ADMIN, 0)) 271 priv_granted |= VADMIN_PERMS; 272 273 if ((accmode & VSTAT_PERMS) && 274 !priv_check_cred(cred, PRIV_VFS_STAT, 0)) 275 priv_granted |= VSTAT_PERMS; 276 277 if ((accmode & priv_granted) == accmode) { 278 if (privused != NULL) 279 *privused = 1; 280 281 return (0); 282 } 283 284 if (accmode & (VADMIN_PERMS | VDELETE_CHILD | VDELETE)) 285 denied = EPERM; 286 else 287 denied = EACCES; 288 289 return (denied); 290 } 291 #endif /* _KERNEL */ 292 293 static int 294 _acl_entry_matches(struct acl_entry *entry, acl_tag_t tag, acl_perm_t perm, 295 acl_entry_type_t entry_type) 296 { 297 if (entry->ae_tag != tag) 298 return (0); 299 300 if (entry->ae_id != ACL_UNDEFINED_ID) 301 return (0); 302 303 if (entry->ae_perm != perm) 304 return (0); 305 306 if (entry->ae_entry_type != entry_type) 307 return (0); 308 309 if (entry->ae_flags != 0) 310 return (0); 311 312 return (1); 313 } 314 315 static struct acl_entry * 316 _acl_append(struct acl *aclp, acl_tag_t tag, acl_perm_t perm, 317 acl_entry_type_t entry_type) 318 { 319 struct acl_entry *entry; 320 321 KASSERT(aclp->acl_cnt + 1 <= ACL_MAX_ENTRIES, 322 ("aclp->acl_cnt + 1 <= ACL_MAX_ENTRIES")); 323 324 entry = &(aclp->acl_entry[aclp->acl_cnt]); 325 aclp->acl_cnt++; 326 327 entry->ae_tag = tag; 328 entry->ae_id = ACL_UNDEFINED_ID; 329 entry->ae_perm = perm; 330 entry->ae_entry_type = entry_type; 331 entry->ae_flags = 0; 332 333 return (entry); 334 } 335 336 static struct acl_entry * 337 _acl_duplicate_entry(struct acl *aclp, int entry_index) 338 { 339 int i; 340 341 KASSERT(aclp->acl_cnt + 1 <= ACL_MAX_ENTRIES, 342 ("aclp->acl_cnt + 1 <= ACL_MAX_ENTRIES")); 343 344 for (i = aclp->acl_cnt; i > entry_index; i--) 345 aclp->acl_entry[i] = aclp->acl_entry[i - 1]; 346 347 aclp->acl_cnt++; 348 349 return (&(aclp->acl_entry[entry_index + 1])); 350 } 351 352 /* 353 * Calculate trivial ACL in a manner compatible with PSARC/2010/029. 354 * Note that this results in an ACL different from (but semantically 355 * equal to) the "canonical six" trivial ACL computed using algorithm 356 * described in draft-ietf-nfsv4-minorversion1-03.txt, 3.16.6.2. 357 */ 358 void 359 acl_nfs4_trivial_from_mode(struct acl *aclp, mode_t mode) 360 { 361 acl_perm_t user_allow_first = 0, user_deny = 0, group_deny = 0; 362 acl_perm_t user_allow, group_allow, everyone_allow; 363 364 KASSERT(aclp->acl_cnt == 0, ("aclp->acl_cnt == 0")); 365 366 user_allow = group_allow = everyone_allow = ACL_READ_ACL | 367 ACL_READ_ATTRIBUTES | ACL_READ_NAMED_ATTRS | ACL_SYNCHRONIZE; 368 user_allow |= ACL_WRITE_ACL | ACL_WRITE_OWNER | ACL_WRITE_ATTRIBUTES | 369 ACL_WRITE_NAMED_ATTRS; 370 371 if (mode & S_IRUSR) 372 user_allow |= ACL_READ_DATA; 373 if (mode & S_IWUSR) 374 user_allow |= (ACL_WRITE_DATA | ACL_APPEND_DATA); 375 if (mode & S_IXUSR) 376 user_allow |= ACL_EXECUTE; 377 378 if (mode & S_IRGRP) 379 group_allow |= ACL_READ_DATA; 380 if (mode & S_IWGRP) 381 group_allow |= (ACL_WRITE_DATA | ACL_APPEND_DATA); 382 if (mode & S_IXGRP) 383 group_allow |= ACL_EXECUTE; 384 385 if (mode & S_IROTH) 386 everyone_allow |= ACL_READ_DATA; 387 if (mode & S_IWOTH) 388 everyone_allow |= (ACL_WRITE_DATA | ACL_APPEND_DATA); 389 if (mode & S_IXOTH) 390 everyone_allow |= ACL_EXECUTE; 391 392 user_deny = ((group_allow | everyone_allow) & ~user_allow); 393 group_deny = everyone_allow & ~group_allow; 394 user_allow_first = group_deny & ~user_deny; 395 396 if (user_allow_first != 0) 397 _acl_append(aclp, ACL_USER_OBJ, user_allow_first, ACL_ENTRY_TYPE_ALLOW); 398 if (user_deny != 0) 399 _acl_append(aclp, ACL_USER_OBJ, user_deny, ACL_ENTRY_TYPE_DENY); 400 if (group_deny != 0) 401 _acl_append(aclp, ACL_GROUP_OBJ, group_deny, ACL_ENTRY_TYPE_DENY); 402 _acl_append(aclp, ACL_USER_OBJ, user_allow, ACL_ENTRY_TYPE_ALLOW); 403 _acl_append(aclp, ACL_GROUP_OBJ, group_allow, ACL_ENTRY_TYPE_ALLOW); 404 _acl_append(aclp, ACL_EVERYONE, everyone_allow, ACL_ENTRY_TYPE_ALLOW); 405 } 406 407 void 408 acl_nfs4_sync_acl_from_mode(struct acl *aclp, mode_t mode, int file_owner_id) 409 { 410 int i, meets, must_append; 411 struct acl_entry *entry, *copy, *previous, 412 *a1, *a2, *a3, *a4, *a5, *a6; 413 mode_t amode; 414 const int READ = 04; 415 const int WRITE = 02; 416 const int EXEC = 01; 417 418 KASSERT(aclp->acl_cnt <= ACL_MAX_ENTRIES, 419 ("aclp->acl_cnt <= ACL_MAX_ENTRIES")); 420 421 /* 422 * NFSv4 Minor Version 1, draft-ietf-nfsv4-minorversion1-03.txt 423 * 424 * 3.16.6.3. Applying a Mode to an Existing ACL 425 */ 426 427 /* 428 * 1. For each ACE: 429 */ 430 for (i = 0; i < aclp->acl_cnt; i++) { 431 entry = &(aclp->acl_entry[i]); 432 433 /* 434 * 1.1. If the type is neither ALLOW or DENY - skip. 435 */ 436 if (entry->ae_entry_type != ACL_ENTRY_TYPE_ALLOW && 437 entry->ae_entry_type != ACL_ENTRY_TYPE_DENY) 438 continue; 439 440 /* 441 * 1.2. If ACL_ENTRY_INHERIT_ONLY is set - skip. 442 */ 443 if (entry->ae_flags & ACL_ENTRY_INHERIT_ONLY) 444 continue; 445 446 /* 447 * 1.3. If ACL_ENTRY_FILE_INHERIT or ACL_ENTRY_DIRECTORY_INHERIT 448 * are set: 449 */ 450 if (entry->ae_flags & 451 (ACL_ENTRY_FILE_INHERIT | ACL_ENTRY_DIRECTORY_INHERIT)) { 452 /* 453 * 1.3.1. A copy of the current ACE is made, and placed 454 * in the ACL immediately following the current 455 * ACE. 456 */ 457 copy = _acl_duplicate_entry(aclp, i); 458 459 /* 460 * 1.3.2. In the first ACE, the flag 461 * ACL_ENTRY_INHERIT_ONLY is set. 462 */ 463 entry->ae_flags |= ACL_ENTRY_INHERIT_ONLY; 464 465 /* 466 * 1.3.3. In the second ACE, the following flags 467 * are cleared: 468 * ACL_ENTRY_FILE_INHERIT, 469 * ACL_ENTRY_DIRECTORY_INHERIT, 470 * ACL_ENTRY_NO_PROPAGATE_INHERIT. 471 */ 472 copy->ae_flags &= ~(ACL_ENTRY_FILE_INHERIT | 473 ACL_ENTRY_DIRECTORY_INHERIT | 474 ACL_ENTRY_NO_PROPAGATE_INHERIT); 475 476 /* 477 * The algorithm continues on with the second ACE. 478 */ 479 i++; 480 entry = copy; 481 } 482 483 /* 484 * 1.4. If it's owner@, group@ or everyone@ entry, clear 485 * ACL_READ_DATA, ACL_WRITE_DATA, ACL_APPEND_DATA 486 * and ACL_EXECUTE. Continue to the next entry. 487 */ 488 if (entry->ae_tag == ACL_USER_OBJ || 489 entry->ae_tag == ACL_GROUP_OBJ || 490 entry->ae_tag == ACL_EVERYONE) { 491 entry->ae_perm &= ~(ACL_READ_DATA | ACL_WRITE_DATA | 492 ACL_APPEND_DATA | ACL_EXECUTE); 493 continue; 494 } 495 496 /* 497 * 1.5. Otherwise, if the "who" field did not match one 498 * of OWNER@, GROUP@, EVERYONE@: 499 * 500 * 1.5.1. If the type is ALLOW, check the preceding ACE. 501 * If it does not meet all of the following criteria: 502 */ 503 if (entry->ae_entry_type != ACL_ENTRY_TYPE_ALLOW) 504 continue; 505 506 meets = 0; 507 if (i > 0) { 508 meets = 1; 509 previous = &(aclp->acl_entry[i - 1]); 510 511 /* 512 * 1.5.1.1. The type field is DENY, 513 */ 514 if (previous->ae_entry_type != ACL_ENTRY_TYPE_DENY) 515 meets = 0; 516 517 /* 518 * 1.5.1.2. The "who" field is the same as the current 519 * ACE, 520 * 521 * 1.5.1.3. The flag bit ACE4_IDENTIFIER_GROUP 522 * is the same as it is in the current ACE, 523 * and no other flag bits are set, 524 */ 525 if (previous->ae_id != entry->ae_id || 526 previous->ae_tag != entry->ae_tag) 527 meets = 0; 528 529 if (previous->ae_flags) 530 meets = 0; 531 532 /* 533 * 1.5.1.4. The mask bits are a subset of the mask bits 534 * of the current ACE, and are also subset of 535 * the following: ACL_READ_DATA, 536 * ACL_WRITE_DATA, ACL_APPEND_DATA, ACL_EXECUTE 537 */ 538 if (previous->ae_perm & ~(entry->ae_perm)) 539 meets = 0; 540 541 if (previous->ae_perm & ~(ACL_READ_DATA | 542 ACL_WRITE_DATA | ACL_APPEND_DATA | ACL_EXECUTE)) 543 meets = 0; 544 } 545 546 if (!meets) { 547 /* 548 * Then the ACE of type DENY, with a who equal 549 * to the current ACE, flag bits equal to 550 * (<current ACE flags> & <ACE_IDENTIFIER_GROUP>) 551 * and no mask bits, is prepended. 552 */ 553 previous = entry; 554 entry = _acl_duplicate_entry(aclp, i); 555 556 /* Adjust counter, as we've just added an entry. */ 557 i++; 558 559 previous->ae_tag = entry->ae_tag; 560 previous->ae_id = entry->ae_id; 561 previous->ae_flags = entry->ae_flags; 562 previous->ae_perm = 0; 563 previous->ae_entry_type = ACL_ENTRY_TYPE_DENY; 564 } 565 566 /* 567 * 1.5.2. The following modifications are made to the prepended 568 * ACE. The intent is to mask the following ACE 569 * to disallow ACL_READ_DATA, ACL_WRITE_DATA, 570 * ACL_APPEND_DATA, or ACL_EXECUTE, based upon the group 571 * permissions of the new mode. As a special case, 572 * if the ACE matches the current owner of the file, 573 * the owner bits are used, rather than the group bits. 574 * This is reflected in the algorithm below. 575 */ 576 amode = mode >> 3; 577 578 /* 579 * If ACE4_IDENTIFIER_GROUP is not set, and the "who" field 580 * in ACE matches the owner of the file, we shift amode three 581 * more bits, in order to have the owner permission bits 582 * placed in the three low order bits of amode. 583 */ 584 if (entry->ae_tag == ACL_USER && entry->ae_id == file_owner_id) 585 amode = amode >> 3; 586 587 if (entry->ae_perm & ACL_READ_DATA) { 588 if (amode & READ) 589 previous->ae_perm &= ~ACL_READ_DATA; 590 else 591 previous->ae_perm |= ACL_READ_DATA; 592 } 593 594 if (entry->ae_perm & ACL_WRITE_DATA) { 595 if (amode & WRITE) 596 previous->ae_perm &= ~ACL_WRITE_DATA; 597 else 598 previous->ae_perm |= ACL_WRITE_DATA; 599 } 600 601 if (entry->ae_perm & ACL_APPEND_DATA) { 602 if (amode & WRITE) 603 previous->ae_perm &= ~ACL_APPEND_DATA; 604 else 605 previous->ae_perm |= ACL_APPEND_DATA; 606 } 607 608 if (entry->ae_perm & ACL_EXECUTE) { 609 if (amode & EXEC) 610 previous->ae_perm &= ~ACL_EXECUTE; 611 else 612 previous->ae_perm |= ACL_EXECUTE; 613 } 614 615 /* 616 * 1.5.3. If ACE4_IDENTIFIER_GROUP is set in the flags 617 * of the ALLOW ace: 618 * 619 * XXX: This point is not there in the Falkner's draft. 620 */ 621 if (entry->ae_tag == ACL_GROUP && 622 entry->ae_entry_type == ACL_ENTRY_TYPE_ALLOW) { 623 mode_t extramode, ownermode; 624 extramode = (mode >> 3) & 07; 625 ownermode = mode >> 6; 626 extramode &= ~ownermode; 627 628 if (extramode) { 629 if (extramode & READ) { 630 entry->ae_perm &= ~ACL_READ_DATA; 631 previous->ae_perm &= ~ACL_READ_DATA; 632 } 633 634 if (extramode & WRITE) { 635 entry->ae_perm &= 636 ~(ACL_WRITE_DATA | ACL_APPEND_DATA); 637 previous->ae_perm &= 638 ~(ACL_WRITE_DATA | ACL_APPEND_DATA); 639 } 640 641 if (extramode & EXEC) { 642 entry->ae_perm &= ~ACL_EXECUTE; 643 previous->ae_perm &= ~ACL_EXECUTE; 644 } 645 } 646 } 647 } 648 649 /* 650 * 2. If there at least six ACEs, the final six ACEs are examined. 651 * If they are not equal to what we want, append six ACEs. 652 */ 653 must_append = 0; 654 if (aclp->acl_cnt < 6) { 655 must_append = 1; 656 } else { 657 a6 = &(aclp->acl_entry[aclp->acl_cnt - 1]); 658 a5 = &(aclp->acl_entry[aclp->acl_cnt - 2]); 659 a4 = &(aclp->acl_entry[aclp->acl_cnt - 3]); 660 a3 = &(aclp->acl_entry[aclp->acl_cnt - 4]); 661 a2 = &(aclp->acl_entry[aclp->acl_cnt - 5]); 662 a1 = &(aclp->acl_entry[aclp->acl_cnt - 6]); 663 664 if (!_acl_entry_matches(a1, ACL_USER_OBJ, 0, 665 ACL_ENTRY_TYPE_DENY)) 666 must_append = 1; 667 if (!_acl_entry_matches(a2, ACL_USER_OBJ, ACL_WRITE_ACL | 668 ACL_WRITE_OWNER | ACL_WRITE_ATTRIBUTES | 669 ACL_WRITE_NAMED_ATTRS, ACL_ENTRY_TYPE_ALLOW)) 670 must_append = 1; 671 if (!_acl_entry_matches(a3, ACL_GROUP_OBJ, 0, 672 ACL_ENTRY_TYPE_DENY)) 673 must_append = 1; 674 if (!_acl_entry_matches(a4, ACL_GROUP_OBJ, 0, 675 ACL_ENTRY_TYPE_ALLOW)) 676 must_append = 1; 677 if (!_acl_entry_matches(a5, ACL_EVERYONE, ACL_WRITE_ACL | 678 ACL_WRITE_OWNER | ACL_WRITE_ATTRIBUTES | 679 ACL_WRITE_NAMED_ATTRS, ACL_ENTRY_TYPE_DENY)) 680 must_append = 1; 681 if (!_acl_entry_matches(a6, ACL_EVERYONE, ACL_READ_ACL | 682 ACL_READ_ATTRIBUTES | ACL_READ_NAMED_ATTRS | 683 ACL_SYNCHRONIZE, ACL_ENTRY_TYPE_ALLOW)) 684 must_append = 1; 685 } 686 687 if (must_append) { 688 KASSERT(aclp->acl_cnt + 6 <= ACL_MAX_ENTRIES, 689 ("aclp->acl_cnt <= ACL_MAX_ENTRIES")); 690 691 a1 = _acl_append(aclp, ACL_USER_OBJ, 0, ACL_ENTRY_TYPE_DENY); 692 a2 = _acl_append(aclp, ACL_USER_OBJ, ACL_WRITE_ACL | 693 ACL_WRITE_OWNER | ACL_WRITE_ATTRIBUTES | 694 ACL_WRITE_NAMED_ATTRS, ACL_ENTRY_TYPE_ALLOW); 695 a3 = _acl_append(aclp, ACL_GROUP_OBJ, 0, ACL_ENTRY_TYPE_DENY); 696 a4 = _acl_append(aclp, ACL_GROUP_OBJ, 0, ACL_ENTRY_TYPE_ALLOW); 697 a5 = _acl_append(aclp, ACL_EVERYONE, ACL_WRITE_ACL | 698 ACL_WRITE_OWNER | ACL_WRITE_ATTRIBUTES | 699 ACL_WRITE_NAMED_ATTRS, ACL_ENTRY_TYPE_DENY); 700 a6 = _acl_append(aclp, ACL_EVERYONE, ACL_READ_ACL | 701 ACL_READ_ATTRIBUTES | ACL_READ_NAMED_ATTRS | 702 ACL_SYNCHRONIZE, ACL_ENTRY_TYPE_ALLOW); 703 704 KASSERT(a1 != NULL && a2 != NULL && a3 != NULL && a4 != NULL && 705 a5 != NULL && a6 != NULL, ("couldn't append to ACL.")); 706 } 707 708 /* 709 * 3. The final six ACEs are adjusted according to the incoming mode. 710 */ 711 if (mode & S_IRUSR) 712 a2->ae_perm |= ACL_READ_DATA; 713 else 714 a1->ae_perm |= ACL_READ_DATA; 715 if (mode & S_IWUSR) 716 a2->ae_perm |= (ACL_WRITE_DATA | ACL_APPEND_DATA); 717 else 718 a1->ae_perm |= (ACL_WRITE_DATA | ACL_APPEND_DATA); 719 if (mode & S_IXUSR) 720 a2->ae_perm |= ACL_EXECUTE; 721 else 722 a1->ae_perm |= ACL_EXECUTE; 723 724 if (mode & S_IRGRP) 725 a4->ae_perm |= ACL_READ_DATA; 726 else 727 a3->ae_perm |= ACL_READ_DATA; 728 if (mode & S_IWGRP) 729 a4->ae_perm |= (ACL_WRITE_DATA | ACL_APPEND_DATA); 730 else 731 a3->ae_perm |= (ACL_WRITE_DATA | ACL_APPEND_DATA); 732 if (mode & S_IXGRP) 733 a4->ae_perm |= ACL_EXECUTE; 734 else 735 a3->ae_perm |= ACL_EXECUTE; 736 737 if (mode & S_IROTH) 738 a6->ae_perm |= ACL_READ_DATA; 739 else 740 a5->ae_perm |= ACL_READ_DATA; 741 if (mode & S_IWOTH) 742 a6->ae_perm |= (ACL_WRITE_DATA | ACL_APPEND_DATA); 743 else 744 a5->ae_perm |= (ACL_WRITE_DATA | ACL_APPEND_DATA); 745 if (mode & S_IXOTH) 746 a6->ae_perm |= ACL_EXECUTE; 747 else 748 a5->ae_perm |= ACL_EXECUTE; 749 } 750 751 void 752 acl_nfs4_sync_mode_from_acl(mode_t *_mode, const struct acl *aclp) 753 { 754 int i; 755 mode_t old_mode = *_mode, mode = 0, seen = 0; 756 const struct acl_entry *entry; 757 758 KASSERT(aclp->acl_cnt > 0, ("aclp->acl_cnt > 0")); 759 KASSERT(aclp->acl_cnt <= ACL_MAX_ENTRIES, 760 ("aclp->acl_cnt <= ACL_MAX_ENTRIES")); 761 762 /* 763 * NFSv4 Minor Version 1, draft-ietf-nfsv4-minorversion1-03.txt 764 * 765 * 3.16.6.1. Recomputing mode upon SETATTR of ACL 766 */ 767 768 for (i = 0; i < aclp->acl_cnt; i++) { 769 entry = &(aclp->acl_entry[i]); 770 771 if (entry->ae_entry_type != ACL_ENTRY_TYPE_ALLOW && 772 entry->ae_entry_type != ACL_ENTRY_TYPE_DENY) 773 continue; 774 775 if (entry->ae_flags & ACL_ENTRY_INHERIT_ONLY) 776 continue; 777 778 if (entry->ae_tag == ACL_USER_OBJ) { 779 if ((entry->ae_perm & ACL_READ_DATA) && 780 ((seen & S_IRUSR) == 0)) { 781 seen |= S_IRUSR; 782 if (entry->ae_entry_type == ACL_ENTRY_TYPE_ALLOW) 783 mode |= S_IRUSR; 784 } 785 if ((entry->ae_perm & ACL_WRITE_DATA) && 786 ((seen & S_IWUSR) == 0)) { 787 seen |= S_IWUSR; 788 if (entry->ae_entry_type == ACL_ENTRY_TYPE_ALLOW) 789 mode |= S_IWUSR; 790 } 791 if ((entry->ae_perm & ACL_EXECUTE) && 792 ((seen & S_IXUSR) == 0)) { 793 seen |= S_IXUSR; 794 if (entry->ae_entry_type == ACL_ENTRY_TYPE_ALLOW) 795 mode |= S_IXUSR; 796 } 797 } else if (entry->ae_tag == ACL_GROUP_OBJ) { 798 if ((entry->ae_perm & ACL_READ_DATA) && 799 ((seen & S_IRGRP) == 0)) { 800 seen |= S_IRGRP; 801 if (entry->ae_entry_type == ACL_ENTRY_TYPE_ALLOW) 802 mode |= S_IRGRP; 803 } 804 if ((entry->ae_perm & ACL_WRITE_DATA) && 805 ((seen & S_IWGRP) == 0)) { 806 seen |= S_IWGRP; 807 if (entry->ae_entry_type == ACL_ENTRY_TYPE_ALLOW) 808 mode |= S_IWGRP; 809 } 810 if ((entry->ae_perm & ACL_EXECUTE) && 811 ((seen & S_IXGRP) == 0)) { 812 seen |= S_IXGRP; 813 if (entry->ae_entry_type == ACL_ENTRY_TYPE_ALLOW) 814 mode |= S_IXGRP; 815 } 816 } else if (entry->ae_tag == ACL_EVERYONE) { 817 if (entry->ae_perm & ACL_READ_DATA) { 818 if ((seen & S_IRUSR) == 0) { 819 seen |= S_IRUSR; 820 if (entry->ae_entry_type == ACL_ENTRY_TYPE_ALLOW) 821 mode |= S_IRUSR; 822 } 823 if ((seen & S_IRGRP) == 0) { 824 seen |= S_IRGRP; 825 if (entry->ae_entry_type == ACL_ENTRY_TYPE_ALLOW) 826 mode |= S_IRGRP; 827 } 828 if ((seen & S_IROTH) == 0) { 829 seen |= S_IROTH; 830 if (entry->ae_entry_type == ACL_ENTRY_TYPE_ALLOW) 831 mode |= S_IROTH; 832 } 833 } 834 if (entry->ae_perm & ACL_WRITE_DATA) { 835 if ((seen & S_IWUSR) == 0) { 836 seen |= S_IWUSR; 837 if (entry->ae_entry_type == ACL_ENTRY_TYPE_ALLOW) 838 mode |= S_IWUSR; 839 } 840 if ((seen & S_IWGRP) == 0) { 841 seen |= S_IWGRP; 842 if (entry->ae_entry_type == ACL_ENTRY_TYPE_ALLOW) 843 mode |= S_IWGRP; 844 } 845 if ((seen & S_IWOTH) == 0) { 846 seen |= S_IWOTH; 847 if (entry->ae_entry_type == ACL_ENTRY_TYPE_ALLOW) 848 mode |= S_IWOTH; 849 } 850 } 851 if (entry->ae_perm & ACL_EXECUTE) { 852 if ((seen & S_IXUSR) == 0) { 853 seen |= S_IXUSR; 854 if (entry->ae_entry_type == ACL_ENTRY_TYPE_ALLOW) 855 mode |= S_IXUSR; 856 } 857 if ((seen & S_IXGRP) == 0) { 858 seen |= S_IXGRP; 859 if (entry->ae_entry_type == ACL_ENTRY_TYPE_ALLOW) 860 mode |= S_IXGRP; 861 } 862 if ((seen & S_IXOTH) == 0) { 863 seen |= S_IXOTH; 864 if (entry->ae_entry_type == ACL_ENTRY_TYPE_ALLOW) 865 mode |= S_IXOTH; 866 } 867 } 868 } 869 } 870 871 *_mode = mode | (old_mode & ACL_PRESERVE_MASK); 872 } 873 874 void 875 acl_nfs4_compute_inherited_acl(const struct acl *parent_aclp, 876 struct acl *child_aclp, mode_t mode, int file_owner_id, 877 int is_directory) 878 { 879 int i, flags; 880 const struct acl_entry *parent_entry; 881 struct acl_entry *entry, *copy; 882 883 KASSERT(child_aclp->acl_cnt == 0, ("child_aclp->acl_cnt == 0")); 884 KASSERT(parent_aclp->acl_cnt > 0, ("parent_aclp->acl_cnt > 0")); 885 KASSERT(parent_aclp->acl_cnt <= ACL_MAX_ENTRIES, 886 ("parent_aclp->acl_cnt <= ACL_MAX_ENTRIES")); 887 888 /* 889 * NFSv4 Minor Version 1, draft-ietf-nfsv4-minorversion1-03.txt 890 * 891 * 3.16.6.2. Applying the mode given to CREATE or OPEN 892 * to an inherited ACL 893 */ 894 895 /* 896 * 1. Form an ACL that is the concatenation of all inheritable ACEs. 897 */ 898 for (i = 0; i < parent_aclp->acl_cnt; i++) { 899 parent_entry = &(parent_aclp->acl_entry[i]); 900 flags = parent_entry->ae_flags; 901 902 /* 903 * Entry is not inheritable at all. 904 */ 905 if ((flags & (ACL_ENTRY_DIRECTORY_INHERIT | 906 ACL_ENTRY_FILE_INHERIT)) == 0) 907 continue; 908 909 /* 910 * We're creating a file, but entry is not inheritable 911 * by files. 912 */ 913 if (!is_directory && (flags & ACL_ENTRY_FILE_INHERIT) == 0) 914 continue; 915 916 /* 917 * Entry is inheritable only by files, but has NO_PROPAGATE 918 * flag set, and we're creating a directory, so it wouldn't 919 * propagate to any file in that directory anyway. 920 */ 921 if (is_directory && 922 (flags & ACL_ENTRY_DIRECTORY_INHERIT) == 0 && 923 (flags & ACL_ENTRY_NO_PROPAGATE_INHERIT)) 924 continue; 925 926 KASSERT(child_aclp->acl_cnt + 1 <= ACL_MAX_ENTRIES, 927 ("child_aclp->acl_cnt + 1 <= ACL_MAX_ENTRIES")); 928 child_aclp->acl_entry[child_aclp->acl_cnt] = *parent_entry; 929 child_aclp->acl_cnt++; 930 } 931 932 /* 933 * 2. For each entry in the new ACL, adjust its flags, possibly 934 * creating two entries in place of one. 935 */ 936 for (i = 0; i < child_aclp->acl_cnt; i++) { 937 entry = &(child_aclp->acl_entry[i]); 938 939 /* 940 * This is not in the specification, but SunOS 941 * apparently does that. 942 */ 943 if (((entry->ae_flags & ACL_ENTRY_NO_PROPAGATE_INHERIT) || 944 !is_directory) && 945 entry->ae_entry_type == ACL_ENTRY_TYPE_ALLOW) 946 entry->ae_perm &= ~(ACL_WRITE_ACL | ACL_WRITE_OWNER); 947 948 /* 949 * 2.A. If the ACL_ENTRY_NO_PROPAGATE_INHERIT is set, or if the object 950 * being created is not a directory, then clear the 951 * following flags: ACL_ENTRY_NO_PROPAGATE_INHERIT, 952 * ACL_ENTRY_FILE_INHERIT, ACL_ENTRY_DIRECTORY_INHERIT, 953 * ACL_ENTRY_INHERIT_ONLY. 954 */ 955 if (entry->ae_flags & ACL_ENTRY_NO_PROPAGATE_INHERIT || 956 !is_directory) { 957 entry->ae_flags &= ~(ACL_ENTRY_NO_PROPAGATE_INHERIT | 958 ACL_ENTRY_FILE_INHERIT | ACL_ENTRY_DIRECTORY_INHERIT | 959 ACL_ENTRY_INHERIT_ONLY); 960 961 /* 962 * Continue on to the next ACE. 963 */ 964 continue; 965 } 966 967 /* 968 * 2.B. If the object is a directory and ACL_ENTRY_FILE_INHERIT 969 * is set, but ACL_ENTRY_NO_PROPAGATE_INHERIT is not set, ensure 970 * that ACL_ENTRY_INHERIT_ONLY is set. Continue to the 971 * next ACE. Otherwise... 972 */ 973 /* 974 * XXX: Read it again and make sure what does the "otherwise" 975 * apply to. 976 */ 977 if (is_directory && 978 (entry->ae_flags & ACL_ENTRY_FILE_INHERIT) && 979 ((entry->ae_flags & ACL_ENTRY_DIRECTORY_INHERIT) == 0)) { 980 entry->ae_flags |= ACL_ENTRY_INHERIT_ONLY; 981 continue; 982 } 983 984 /* 985 * 2.C. If the type of the ACE is neither ALLOW nor deny, 986 * then continue. 987 */ 988 if (entry->ae_entry_type != ACL_ENTRY_TYPE_ALLOW && 989 entry->ae_entry_type != ACL_ENTRY_TYPE_DENY) 990 continue; 991 992 /* 993 * 2.D. Copy the original ACE into a second, adjacent ACE. 994 */ 995 copy = _acl_duplicate_entry(child_aclp, i); 996 997 /* 998 * 2.E. On the first ACE, ensure that ACL_ENTRY_INHERIT_ONLY 999 * is set. 1000 */ 1001 entry->ae_flags |= ACL_ENTRY_INHERIT_ONLY; 1002 1003 /* 1004 * 2.F. On the second ACE, clear the following flags: 1005 * ACL_ENTRY_NO_PROPAGATE_INHERIT, ACL_ENTRY_FILE_INHERIT, 1006 * ACL_ENTRY_DIRECTORY_INHERIT, ACL_ENTRY_INHERIT_ONLY. 1007 */ 1008 copy->ae_flags &= ~(ACL_ENTRY_NO_PROPAGATE_INHERIT | 1009 ACL_ENTRY_FILE_INHERIT | ACL_ENTRY_DIRECTORY_INHERIT | 1010 ACL_ENTRY_INHERIT_ONLY); 1011 1012 /* 1013 * 2.G. On the second ACE, if the type is ALLOW, 1014 * an implementation MAY clear the following 1015 * mask bits: ACL_WRITE_ACL, ACL_WRITE_OWNER. 1016 */ 1017 if (copy->ae_entry_type == ACL_ENTRY_TYPE_ALLOW) 1018 copy->ae_perm &= ~(ACL_WRITE_ACL | ACL_WRITE_OWNER); 1019 1020 /* 1021 * Increment the counter to skip the copied entry. 1022 */ 1023 i++; 1024 } 1025 1026 /* 1027 * 3. To ensure that the mode is honored, apply the algorithm describe 1028 * in Section 2.16.6.3, using the mode that is to be used for file 1029 * creation. 1030 */ 1031 acl_nfs4_sync_acl_from_mode(child_aclp, mode, file_owner_id); 1032 } 1033 1034 #ifdef _KERNEL 1035 static int 1036 _acls_are_equal(const struct acl *a, const struct acl *b) 1037 { 1038 int i; 1039 const struct acl_entry *entrya, *entryb; 1040 1041 if (a->acl_cnt != b->acl_cnt) 1042 return (0); 1043 1044 for (i = 0; i < b->acl_cnt; i++) { 1045 entrya = &(a->acl_entry[i]); 1046 entryb = &(b->acl_entry[i]); 1047 1048 if (entrya->ae_tag != entryb->ae_tag || 1049 entrya->ae_id != entryb->ae_id || 1050 entrya->ae_perm != entryb->ae_perm || 1051 entrya->ae_entry_type != entryb->ae_entry_type || 1052 entrya->ae_flags != entryb->ae_flags) 1053 return (0); 1054 } 1055 1056 return (1); 1057 } 1058 1059 /* 1060 * This routine is used to determine whether to remove extended attribute 1061 * that stores ACL contents. 1062 */ 1063 int 1064 acl_nfs4_is_trivial(const struct acl *aclp, int file_owner_id) 1065 { 1066 int trivial; 1067 mode_t tmpmode = 0; 1068 struct acl *tmpaclp; 1069 1070 if (aclp->acl_cnt != 6) 1071 return (0); 1072 1073 /* 1074 * Compute the mode from the ACL, then compute new ACL from that mode. 1075 * If the ACLs are identical, then the ACL is trivial. 1076 * 1077 * XXX: I guess there is a faster way to do this. However, even 1078 * this slow implementation significantly speeds things up 1079 * for files that don't have non-trivial ACLs - it's critical 1080 * for performance to not use EA when they are not needed. 1081 */ 1082 tmpaclp = acl_alloc(M_WAITOK | M_ZERO); 1083 acl_nfs4_sync_mode_from_acl(&tmpmode, aclp); 1084 acl_nfs4_sync_acl_from_mode(tmpaclp, tmpmode, file_owner_id); 1085 trivial = _acls_are_equal(aclp, tmpaclp); 1086 acl_free(tmpaclp); 1087 1088 return (trivial); 1089 } 1090 #endif /* _KERNEL */ 1091 1092 int 1093 acl_nfs4_check(const struct acl *aclp, int is_directory) 1094 { 1095 int i; 1096 const struct acl_entry *entry; 1097 1098 /* 1099 * The spec doesn't seem to say anything about ACL validity. 1100 * It seems there is not much to do here. There is even no need 1101 * to count "owner@" or "everyone@" (ACL_USER_OBJ and ACL_EVERYONE) 1102 * entries, as there can be several of them and that's perfectly 1103 * valid. There can be none of them too. Really. 1104 */ 1105 1106 if (aclp->acl_cnt > ACL_MAX_ENTRIES || aclp->acl_cnt <= 0) 1107 return (EINVAL); 1108 1109 for (i = 0; i < aclp->acl_cnt; i++) { 1110 entry = &(aclp->acl_entry[i]); 1111 1112 switch (entry->ae_tag) { 1113 case ACL_USER_OBJ: 1114 case ACL_GROUP_OBJ: 1115 case ACL_EVERYONE: 1116 if (entry->ae_id != ACL_UNDEFINED_ID) 1117 return (EINVAL); 1118 break; 1119 1120 case ACL_USER: 1121 case ACL_GROUP: 1122 if (entry->ae_id == ACL_UNDEFINED_ID) 1123 return (EINVAL); 1124 break; 1125 1126 default: 1127 return (EINVAL); 1128 } 1129 1130 if ((entry->ae_perm | ACL_NFS4_PERM_BITS) != ACL_NFS4_PERM_BITS) 1131 return (EINVAL); 1132 1133 /* 1134 * Disallow ACL_ENTRY_TYPE_AUDIT and ACL_ENTRY_TYPE_ALARM for now. 1135 */ 1136 if (entry->ae_entry_type != ACL_ENTRY_TYPE_ALLOW && 1137 entry->ae_entry_type != ACL_ENTRY_TYPE_DENY) 1138 return (EINVAL); 1139 1140 if ((entry->ae_flags | ACL_FLAGS_BITS) != ACL_FLAGS_BITS) 1141 return (EINVAL); 1142 1143 /* Disallow unimplemented flags. */ 1144 if (entry->ae_flags & (ACL_ENTRY_SUCCESSFUL_ACCESS | 1145 ACL_ENTRY_FAILED_ACCESS)) 1146 return (EINVAL); 1147 1148 /* Disallow flags not allowed for ordinary files. */ 1149 if (!is_directory) { 1150 if (entry->ae_flags & (ACL_ENTRY_FILE_INHERIT | 1151 ACL_ENTRY_DIRECTORY_INHERIT | 1152 ACL_ENTRY_NO_PROPAGATE_INHERIT | ACL_ENTRY_INHERIT_ONLY)) 1153 return (EINVAL); 1154 } 1155 } 1156 1157 return (0); 1158 } 1159