xref: /freebsd/sys/kern/subr_acl_posix1e.c (revision 4c9a0adad18263ec8725d9bfc5f560c6ad1da8bd)
1 /*-
2  * SPDX-License-Identifier: BSD-2-Clause
3  *
4  * Copyright (c) 1999-2006 Robert N. M. Watson
5  * All rights reserved.
6  *
7  * This software was developed by Robert Watson for the TrustedBSD Project.
8  *
9  * Redistribution and use in source and binary forms, with or without
10  * modification, are permitted provided that the following conditions
11  * are met:
12  * 1. Redistributions of source code must retain the above copyright
13  *    notice, this list of conditions and the following disclaimer.
14  * 2. Redistributions in binary form must reproduce the above copyright
15  *    notice, this list of conditions and the following disclaimer in the
16  *    documentation and/or other materials provided with the distribution.
17  *
18  * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
19  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
20  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
21  * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
22  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
23  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
24  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
25  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
26  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
27  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
28  * SUCH DAMAGE.
29  */
30 /*
31  * Developed by the TrustedBSD Project.
32  *
33  * ACL support routines specific to POSIX.1e access control lists.  These are
34  * utility routines for code common across file systems implementing POSIX.1e
35  * ACLs.
36  */
37 
38 #include <sys/cdefs.h>
39 #include <sys/param.h>
40 #include <sys/kernel.h>
41 #include <sys/module.h>
42 #include <sys/systm.h>
43 #include <sys/mount.h>
44 #include <sys/priv.h>
45 #include <sys/vnode.h>
46 #include <sys/errno.h>
47 #include <sys/stat.h>
48 #include <sys/acl.h>
49 
50 /*
51  * Implement a version of vaccess() that understands POSIX.1e ACL semantics;
52  * the access ACL has already been prepared for evaluation by the file system
53  * and is passed via 'uid', 'gid', and 'acl'.  Return 0 on success, else an
54  * errno value.
55  */
56 int
57 vaccess_acl_posix1e(__enum_uint8(vtype) type, uid_t file_uid, gid_t file_gid,
58     struct acl *acl, accmode_t accmode, struct ucred *cred)
59 {
60 	struct acl_entry *acl_other, *acl_mask;
61 	accmode_t dac_granted;
62 	accmode_t priv_granted;
63 	accmode_t acl_mask_granted;
64 	int group_matched, i;
65 
66 	KASSERT((accmode & ~(VEXEC | VWRITE | VREAD | VADMIN | VAPPEND)) == 0,
67 	    ("invalid bit in accmode"));
68 	KASSERT((accmode & VAPPEND) == 0 || (accmode & VWRITE),
69 	    	("VAPPEND without VWRITE"));
70 
71 	/*
72 	 * Look for a normal, non-privileged way to access the file/directory
73 	 * as requested.  If it exists, go with that.  Otherwise, attempt to
74 	 * use privileges granted via priv_granted.  In some cases, which
75 	 * privileges to use may be ambiguous due to "best match", in which
76 	 * case fall back on first match for the time being.
77 	 */
78 
79 	/*
80 	 * Determine privileges now, but don't apply until we've found a DAC
81 	 * entry that matches but has failed to allow access.
82 	 *
83 	 * XXXRW: Ideally, we'd determine the privileges required before
84 	 * asking for them.
85 	 */
86 	priv_granted = 0;
87 
88 	if (type == VDIR) {
89 		if ((accmode & VEXEC) && !priv_check_cred(cred, PRIV_VFS_LOOKUP))
90 			priv_granted |= VEXEC;
91 	} else {
92 		/*
93 		 * Ensure that at least one execute bit is on. Otherwise,
94 		 * a privileged user will always succeed, and we don't want
95 		 * this to happen unless the file really is executable.
96 		 */
97 		if ((accmode & VEXEC) && (acl_posix1e_acl_to_mode(acl) &
98 		    (S_IXUSR | S_IXGRP | S_IXOTH)) != 0 &&
99 		    !priv_check_cred(cred, PRIV_VFS_EXEC))
100 			priv_granted |= VEXEC;
101 	}
102 
103 	if ((accmode & VREAD) && !priv_check_cred(cred, PRIV_VFS_READ))
104 		priv_granted |= VREAD;
105 
106 	if (((accmode & VWRITE) || (accmode & VAPPEND)) &&
107 	    !priv_check_cred(cred, PRIV_VFS_WRITE))
108 		priv_granted |= (VWRITE | VAPPEND);
109 
110 	if ((accmode & VADMIN) && !priv_check_cred(cred, PRIV_VFS_ADMIN))
111 		priv_granted |= VADMIN;
112 
113 	/*
114 	 * The owner matches if the effective uid associated with the
115 	 * credential matches that of the ACL_USER_OBJ entry.  While we're
116 	 * doing the first scan, also cache the location of the ACL_MASK and
117 	 * ACL_OTHER entries, preventing some future iterations.
118 	 */
119 	acl_mask = acl_other = NULL;
120 	for (i = 0; i < acl->acl_cnt; i++) {
121 		switch (acl->acl_entry[i].ae_tag) {
122 		case ACL_USER_OBJ:
123 			if (file_uid != cred->cr_uid)
124 				break;
125 			dac_granted = 0;
126 			dac_granted |= VADMIN;
127 			if (acl->acl_entry[i].ae_perm & ACL_EXECUTE)
128 				dac_granted |= VEXEC;
129 			if (acl->acl_entry[i].ae_perm & ACL_READ)
130 				dac_granted |= VREAD;
131 			if (acl->acl_entry[i].ae_perm & ACL_WRITE)
132 				dac_granted |= (VWRITE | VAPPEND);
133 			if ((accmode & dac_granted) == accmode)
134 				return (0);
135 
136 			/*
137 			 * XXXRW: Do privilege lookup here.
138 			 */
139 			if ((accmode & (dac_granted | priv_granted)) ==
140 			    accmode) {
141 				return (0);
142 			}
143 			goto error;
144 
145 		case ACL_MASK:
146 			acl_mask = &acl->acl_entry[i];
147 			break;
148 
149 		case ACL_OTHER:
150 			acl_other = &acl->acl_entry[i];
151 			break;
152 
153 		default:
154 			break;
155 		}
156 	}
157 
158 	/*
159 	 * An ACL_OTHER entry should always exist in a valid access ACL.  If
160 	 * it doesn't, then generate a serious failure.  For now, this means
161 	 * a debugging message and EPERM, but in the future should probably
162 	 * be a panic.
163 	 */
164 	if (acl_other == NULL) {
165 		/*
166 		 * XXX This should never happen
167 		 */
168 		printf("vaccess_acl_posix1e: ACL_OTHER missing\n");
169 		return (EPERM);
170 	}
171 
172 	/*
173 	 * Checks against ACL_USER, ACL_GROUP_OBJ, and ACL_GROUP fields are
174 	 * masked by an ACL_MASK entry, if any.  As such, first identify the
175 	 * ACL_MASK field, then iterate through identifying potential user
176 	 * matches, then group matches.  If there is no ACL_MASK, assume that
177 	 * the mask allows all requests to succeed.
178 	 */
179 	if (acl_mask != NULL) {
180 		acl_mask_granted = 0;
181 		if (acl_mask->ae_perm & ACL_EXECUTE)
182 			acl_mask_granted |= VEXEC;
183 		if (acl_mask->ae_perm & ACL_READ)
184 			acl_mask_granted |= VREAD;
185 		if (acl_mask->ae_perm & ACL_WRITE)
186 			acl_mask_granted |= (VWRITE | VAPPEND);
187 	} else
188 		acl_mask_granted = VEXEC | VREAD | VWRITE | VAPPEND;
189 
190 	/*
191 	 * Check ACL_USER ACL entries.  There will either be one or no
192 	 * matches; if there is one, we accept or rejected based on the
193 	 * match; otherwise, we continue on to groups.
194 	 */
195 	for (i = 0; i < acl->acl_cnt; i++) {
196 		switch (acl->acl_entry[i].ae_tag) {
197 		case ACL_USER:
198 			if (acl->acl_entry[i].ae_id != cred->cr_uid)
199 				break;
200 			dac_granted = 0;
201 			if (acl->acl_entry[i].ae_perm & ACL_EXECUTE)
202 				dac_granted |= VEXEC;
203 			if (acl->acl_entry[i].ae_perm & ACL_READ)
204 				dac_granted |= VREAD;
205 			if (acl->acl_entry[i].ae_perm & ACL_WRITE)
206 				dac_granted |= (VWRITE | VAPPEND);
207 			dac_granted &= acl_mask_granted;
208 			if ((accmode & dac_granted) == accmode)
209 				return (0);
210 			/*
211 			 * XXXRW: Do privilege lookup here.
212 			 */
213 			if ((accmode & (dac_granted | priv_granted)) !=
214 			    accmode)
215 				goto error;
216 
217 			return (0);
218 		}
219 	}
220 
221 	/*
222 	 * Group match is best-match, not first-match, so find a "best"
223 	 * match.  Iterate across, testing each potential group match.  Make
224 	 * sure we keep track of whether we found a match or not, so that we
225 	 * know if we should try again with any available privilege, or if we
226 	 * should move on to ACL_OTHER.
227 	 */
228 	group_matched = 0;
229 	for (i = 0; i < acl->acl_cnt; i++) {
230 		switch (acl->acl_entry[i].ae_tag) {
231 		case ACL_GROUP_OBJ:
232 			if (!groupmember(file_gid, cred))
233 				break;
234 			dac_granted = 0;
235 			if (acl->acl_entry[i].ae_perm & ACL_EXECUTE)
236 				dac_granted |= VEXEC;
237 			if (acl->acl_entry[i].ae_perm & ACL_READ)
238 				dac_granted |= VREAD;
239 			if (acl->acl_entry[i].ae_perm & ACL_WRITE)
240 				dac_granted |= (VWRITE | VAPPEND);
241 			dac_granted  &= acl_mask_granted;
242 
243 			if ((accmode & dac_granted) == accmode)
244 				return (0);
245 
246 			group_matched = 1;
247 			break;
248 
249 		case ACL_GROUP:
250 			if (!groupmember(acl->acl_entry[i].ae_id, cred))
251 				break;
252 			dac_granted = 0;
253 			if (acl->acl_entry[i].ae_perm & ACL_EXECUTE)
254 				dac_granted |= VEXEC;
255 			if (acl->acl_entry[i].ae_perm & ACL_READ)
256 				dac_granted |= VREAD;
257 			if (acl->acl_entry[i].ae_perm & ACL_WRITE)
258 				dac_granted |= (VWRITE | VAPPEND);
259 			dac_granted  &= acl_mask_granted;
260 
261 			if ((accmode & dac_granted) == accmode)
262 				return (0);
263 
264 			group_matched = 1;
265 			break;
266 
267 		default:
268 			break;
269 		}
270 	}
271 
272 	if (group_matched == 1) {
273 		/*
274 		 * There was a match, but it did not grant rights via pure
275 		 * DAC.  Try again, this time with privilege.
276 		 */
277 		for (i = 0; i < acl->acl_cnt; i++) {
278 			switch (acl->acl_entry[i].ae_tag) {
279 			case ACL_GROUP_OBJ:
280 				if (!groupmember(file_gid, cred))
281 					break;
282 				dac_granted = 0;
283 				if (acl->acl_entry[i].ae_perm & ACL_EXECUTE)
284 					dac_granted |= VEXEC;
285 				if (acl->acl_entry[i].ae_perm & ACL_READ)
286 					dac_granted |= VREAD;
287 				if (acl->acl_entry[i].ae_perm & ACL_WRITE)
288 					dac_granted |= (VWRITE | VAPPEND);
289 				dac_granted &= acl_mask_granted;
290 
291 				/*
292 				 * XXXRW: Do privilege lookup here.
293 				 */
294 				if ((accmode & (dac_granted | priv_granted))
295 				    != accmode)
296 					break;
297 
298 				return (0);
299 
300 			case ACL_GROUP:
301 				if (!groupmember(acl->acl_entry[i].ae_id,
302 				    cred))
303 					break;
304 				dac_granted = 0;
305 				if (acl->acl_entry[i].ae_perm & ACL_EXECUTE)
306 				dac_granted |= VEXEC;
307 				if (acl->acl_entry[i].ae_perm & ACL_READ)
308 					dac_granted |= VREAD;
309 				if (acl->acl_entry[i].ae_perm & ACL_WRITE)
310 					dac_granted |= (VWRITE | VAPPEND);
311 				dac_granted &= acl_mask_granted;
312 
313 				/*
314 				 * XXXRW: Do privilege lookup here.
315 				 */
316 				if ((accmode & (dac_granted | priv_granted))
317 				    != accmode)
318 					break;
319 
320 				return (0);
321 
322 			default:
323 				break;
324 			}
325 		}
326 		/*
327 		 * Even with privilege, group membership was not sufficient.
328 		 * Return failure.
329 		 */
330 		goto error;
331 	}
332 
333 	/*
334 	 * Fall back on ACL_OTHER.  ACL_MASK is not applied to ACL_OTHER.
335 	 */
336 	dac_granted = 0;
337 	if (acl_other->ae_perm & ACL_EXECUTE)
338 		dac_granted |= VEXEC;
339 	if (acl_other->ae_perm & ACL_READ)
340 		dac_granted |= VREAD;
341 	if (acl_other->ae_perm & ACL_WRITE)
342 		dac_granted |= (VWRITE | VAPPEND);
343 
344 	if ((accmode & dac_granted) == accmode)
345 		return (0);
346 	/*
347 	 * XXXRW: Do privilege lookup here.
348 	 */
349 	if ((accmode & (dac_granted | priv_granted)) == accmode) {
350 		return (0);
351 	}
352 
353 error:
354 	return ((accmode & VADMIN) ? EPERM : EACCES);
355 }
356 
357 /*
358  * For the purposes of filesystems maintaining the _OBJ entries in an inode
359  * with a mode_t field, this routine converts a mode_t entry to an
360  * acl_perm_t.
361  */
362 acl_perm_t
363 acl_posix1e_mode_to_perm(acl_tag_t tag, mode_t mode)
364 {
365 	acl_perm_t	perm = 0;
366 
367 	switch(tag) {
368 	case ACL_USER_OBJ:
369 		if (mode & S_IXUSR)
370 			perm |= ACL_EXECUTE;
371 		if (mode & S_IRUSR)
372 			perm |= ACL_READ;
373 		if (mode & S_IWUSR)
374 			perm |= ACL_WRITE;
375 		return (perm);
376 
377 	case ACL_GROUP_OBJ:
378 		if (mode & S_IXGRP)
379 			perm |= ACL_EXECUTE;
380 		if (mode & S_IRGRP)
381 			perm |= ACL_READ;
382 		if (mode & S_IWGRP)
383 			perm |= ACL_WRITE;
384 		return (perm);
385 
386 	case ACL_OTHER:
387 		if (mode & S_IXOTH)
388 			perm |= ACL_EXECUTE;
389 		if (mode & S_IROTH)
390 			perm |= ACL_READ;
391 		if (mode & S_IWOTH)
392 			perm |= ACL_WRITE;
393 		return (perm);
394 
395 	default:
396 		printf("acl_posix1e_mode_to_perm: invalid tag (%d)\n", tag);
397 		return (0);
398 	}
399 }
400 
401 /*
402  * Given inode information (uid, gid, mode), return an acl entry of the
403  * appropriate type.
404  */
405 struct acl_entry
406 acl_posix1e_mode_to_entry(acl_tag_t tag, uid_t uid, gid_t gid, mode_t mode)
407 {
408 	struct acl_entry	acl_entry;
409 
410 	acl_entry.ae_tag = tag;
411 	acl_entry.ae_perm = acl_posix1e_mode_to_perm(tag, mode);
412 	acl_entry.ae_entry_type = 0;
413 	acl_entry.ae_flags = 0;
414 	switch(tag) {
415 	case ACL_USER_OBJ:
416 		acl_entry.ae_id = uid;
417 		break;
418 
419 	case ACL_GROUP_OBJ:
420 		acl_entry.ae_id = gid;
421 		break;
422 
423 	case ACL_OTHER:
424 		acl_entry.ae_id = ACL_UNDEFINED_ID;
425 		break;
426 
427 	default:
428 		acl_entry.ae_id = ACL_UNDEFINED_ID;
429 		printf("acl_posix1e_mode_to_entry: invalid tag (%d)\n", tag);
430 	}
431 
432 	return (acl_entry);
433 }
434 
435 /*
436  * Utility function to generate a file mode given appropriate ACL entries.
437  */
438 mode_t
439 acl_posix1e_perms_to_mode(struct acl_entry *acl_user_obj_entry,
440     struct acl_entry *acl_group_obj_entry, struct acl_entry *acl_other_entry)
441 {
442 	mode_t	mode;
443 
444 	mode = 0;
445 	if (acl_user_obj_entry->ae_perm & ACL_EXECUTE)
446 		mode |= S_IXUSR;
447 	if (acl_user_obj_entry->ae_perm & ACL_READ)
448 		mode |= S_IRUSR;
449 	if (acl_user_obj_entry->ae_perm & ACL_WRITE)
450 		mode |= S_IWUSR;
451 	if (acl_group_obj_entry->ae_perm & ACL_EXECUTE)
452 		mode |= S_IXGRP;
453 	if (acl_group_obj_entry->ae_perm & ACL_READ)
454 		mode |= S_IRGRP;
455 	if (acl_group_obj_entry->ae_perm & ACL_WRITE)
456 		mode |= S_IWGRP;
457 	if (acl_other_entry->ae_perm & ACL_EXECUTE)
458 		mode |= S_IXOTH;
459 	if (acl_other_entry->ae_perm & ACL_READ)
460 		mode |= S_IROTH;
461 	if (acl_other_entry->ae_perm & ACL_WRITE)
462 		mode |= S_IWOTH;
463 
464 	return (mode);
465 }
466 
467 /*
468  * Utility function to generate a file mode given a complete POSIX.1e access
469  * ACL.  Note that if the ACL is improperly formed, this may result in a
470  * panic.
471  */
472 mode_t
473 acl_posix1e_acl_to_mode(struct acl *acl)
474 {
475 	struct acl_entry *acl_mask, *acl_user_obj, *acl_group_obj, *acl_other;
476 	int i;
477 
478 	/*
479 	 * Find the ACL entries relevant to a POSIX permission mode.
480 	 */
481 	acl_user_obj = acl_group_obj = acl_other = acl_mask = NULL;
482 	for (i = 0; i < acl->acl_cnt; i++) {
483 		switch (acl->acl_entry[i].ae_tag) {
484 		case ACL_USER_OBJ:
485 			acl_user_obj = &acl->acl_entry[i];
486 			break;
487 
488 		case ACL_GROUP_OBJ:
489 			acl_group_obj = &acl->acl_entry[i];
490 			break;
491 
492 		case ACL_OTHER:
493 			acl_other = &acl->acl_entry[i];
494 			break;
495 
496 		case ACL_MASK:
497 			acl_mask = &acl->acl_entry[i];
498 			break;
499 
500 		case ACL_USER:
501 		case ACL_GROUP:
502 			break;
503 
504 		default:
505 			panic("acl_posix1e_acl_to_mode: bad ae_tag");
506 		}
507 	}
508 
509 	if (acl_user_obj == NULL || acl_group_obj == NULL || acl_other == NULL)
510 		panic("acl_posix1e_acl_to_mode: missing base ae_tags");
511 
512 	/*
513 	 * POSIX.1e specifies that if there is an ACL_MASK entry, we replace
514 	 * the mode "group" bits with its permissions.  If there isn't, we
515 	 * use the ACL_GROUP_OBJ permissions.
516 	 */
517 	if (acl_mask != NULL)
518 		return (acl_posix1e_perms_to_mode(acl_user_obj, acl_mask,
519 		    acl_other));
520 	else
521 		return (acl_posix1e_perms_to_mode(acl_user_obj, acl_group_obj,
522 		    acl_other));
523 }
524 
525 /*
526  * Perform a syntactic check of the ACL, sufficient to allow an implementing
527  * filesystem to determine if it should accept this and rely on the POSIX.1e
528  * ACL properties.
529  */
530 int
531 acl_posix1e_check(struct acl *acl)
532 {
533 	int num_acl_user_obj, num_acl_user, num_acl_group_obj, num_acl_group;
534 	int num_acl_mask, num_acl_other, i;
535 
536 	/*
537 	 * Verify that the number of entries does not exceed the maximum
538 	 * defined for acl_t.
539 	 *
540 	 * Verify that the correct number of various sorts of ae_tags are
541 	 * present:
542 	 *   Exactly one ACL_USER_OBJ
543 	 *   Exactly one ACL_GROUP_OBJ
544 	 *   Exactly one ACL_OTHER
545 	 *   If any ACL_USER or ACL_GROUP entries appear, then exactly one
546 	 *   ACL_MASK entry must also appear.
547 	 *
548 	 * Verify that all ae_perm entries are in ACL_PERM_BITS.
549 	 *
550 	 * Verify all ae_tag entries are understood by this implementation.
551 	 *
552 	 * Note: Does not check for uniqueness of qualifier (ae_id) field.
553 	 */
554 	num_acl_user_obj = num_acl_user = num_acl_group_obj = num_acl_group =
555 	    num_acl_mask = num_acl_other = 0;
556 	if (acl->acl_cnt > ACL_MAX_ENTRIES)
557 		return (EINVAL);
558 	for (i = 0; i < acl->acl_cnt; i++) {
559 		/*
560 		 * Check for a valid tag.
561 		 */
562 		switch(acl->acl_entry[i].ae_tag) {
563 		case ACL_USER_OBJ:
564 			acl->acl_entry[i].ae_id = ACL_UNDEFINED_ID; /* XXX */
565 			if (acl->acl_entry[i].ae_id != ACL_UNDEFINED_ID)
566 				return (EINVAL);
567 			num_acl_user_obj++;
568 			break;
569 		case ACL_GROUP_OBJ:
570 			acl->acl_entry[i].ae_id = ACL_UNDEFINED_ID; /* XXX */
571 			if (acl->acl_entry[i].ae_id != ACL_UNDEFINED_ID)
572 				return (EINVAL);
573 			num_acl_group_obj++;
574 			break;
575 		case ACL_USER:
576 			if (acl->acl_entry[i].ae_id == ACL_UNDEFINED_ID)
577 				return (EINVAL);
578 			num_acl_user++;
579 			break;
580 		case ACL_GROUP:
581 			if (acl->acl_entry[i].ae_id == ACL_UNDEFINED_ID)
582 				return (EINVAL);
583 			num_acl_group++;
584 			break;
585 		case ACL_OTHER:
586 			acl->acl_entry[i].ae_id = ACL_UNDEFINED_ID; /* XXX */
587 			if (acl->acl_entry[i].ae_id != ACL_UNDEFINED_ID)
588 				return (EINVAL);
589 			num_acl_other++;
590 			break;
591 		case ACL_MASK:
592 			acl->acl_entry[i].ae_id = ACL_UNDEFINED_ID; /* XXX */
593 			if (acl->acl_entry[i].ae_id != ACL_UNDEFINED_ID)
594 				return (EINVAL);
595 			num_acl_mask++;
596 			break;
597 		default:
598 			return (EINVAL);
599 		}
600 		/*
601 		 * Check for valid perm entries.
602 		 */
603 		if ((acl->acl_entry[i].ae_perm | ACL_PERM_BITS) !=
604 		    ACL_PERM_BITS)
605 			return (EINVAL);
606 	}
607 	if ((num_acl_user_obj != 1) || (num_acl_group_obj != 1) ||
608 	    (num_acl_other != 1) || (num_acl_mask != 0 && num_acl_mask != 1))
609 		return (EINVAL);
610 	if (((num_acl_group != 0) || (num_acl_user != 0)) &&
611 	    (num_acl_mask != 1))
612 		return (EINVAL);
613 	return (0);
614 }
615 
616 /*
617  * Given a requested mode for a new object, and a default ACL, combine the
618  * two to produce a new mode.  Be careful not to clear any bits that aren't
619  * intended to be affected by the POSIX.1e ACL.  Eventually, this might also
620  * take the cmask as an argument, if we push that down into
621  * per-filesystem-code.
622  */
623 mode_t
624 acl_posix1e_newfilemode(mode_t cmode, struct acl *dacl)
625 {
626 	mode_t mode;
627 
628 	mode = cmode;
629 	/*
630 	 * The current composition policy is that a permission bit must be
631 	 * set in *both* the ACL and the requested creation mode for it to
632 	 * appear in the resulting mode/ACL.  First clear any possibly
633 	 * effected bits, then reconstruct.
634 	 */
635 	mode &= ACL_PRESERVE_MASK;
636 	mode |= (ACL_OVERRIDE_MASK & cmode & acl_posix1e_acl_to_mode(dacl));
637 
638 	return (mode);
639 }
640 
641 static int
642 acl_posix1e_modload(module_t mod, int what, void *arg)
643 {
644 	int ret;
645 
646 	ret = 0;
647 
648 	switch (what) {
649 	case MOD_LOAD:
650 	case MOD_SHUTDOWN:
651 		break;
652 
653 	case MOD_QUIESCE:
654 		/* XXX TODO */
655 		ret = 0;
656 		break;
657 
658 	case MOD_UNLOAD:
659 		/* XXX TODO */
660 		ret = 0;
661 		break;
662 	default:
663 		ret = EINVAL;
664 		break;
665 	}
666 
667 	return (ret);
668 }
669 
670 static moduledata_t acl_posix1e_mod = {
671 	"acl_posix1e",
672 	acl_posix1e_modload,
673 	NULL
674 };
675 
676 DECLARE_MODULE(acl_posix1e, acl_posix1e_mod, SI_SUB_VFS, SI_ORDER_FIRST);
677 MODULE_VERSION(acl_posix1e, 1);
678