xref: /freebsd/sys/kern/subr_acl_posix1e.c (revision 6829dae12bb055451fa467da4589c43bd03b1e64)
1 /*-
2  * SPDX-License-Identifier: BSD-2-Clause-FreeBSD
3  *
4  * Copyright (c) 1999-2006 Robert N. M. Watson
5  * All rights reserved.
6  *
7  * This software was developed by Robert Watson for the TrustedBSD Project.
8  *
9  * Redistribution and use in source and binary forms, with or without
10  * modification, are permitted provided that the following conditions
11  * are met:
12  * 1. Redistributions of source code must retain the above copyright
13  *    notice, this list of conditions and the following disclaimer.
14  * 2. Redistributions in binary form must reproduce the above copyright
15  *    notice, this list of conditions and the following disclaimer in the
16  *    documentation and/or other materials provided with the distribution.
17  *
18  * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
19  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
20  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
21  * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
22  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
23  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
24  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
25  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
26  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
27  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
28  * SUCH DAMAGE.
29  */
30 /*
31  * Developed by the TrustedBSD Project.
32  *
33  * ACL support routines specific to POSIX.1e access control lists.  These are
34  * utility routines for code common across file systems implementing POSIX.1e
35  * ACLs.
36  */
37 
38 #include <sys/cdefs.h>
39 __FBSDID("$FreeBSD$");
40 
41 #include <sys/param.h>
42 #include <sys/kernel.h>
43 #include <sys/module.h>
44 #include <sys/systm.h>
45 #include <sys/mount.h>
46 #include <sys/priv.h>
47 #include <sys/vnode.h>
48 #include <sys/errno.h>
49 #include <sys/stat.h>
50 #include <sys/acl.h>
51 
52 /*
53  * Implement a version of vaccess() that understands POSIX.1e ACL semantics;
54  * the access ACL has already been prepared for evaluation by the file system
55  * and is passed via 'uid', 'gid', and 'acl'.  Return 0 on success, else an
56  * errno value.
57  */
58 int
59 vaccess_acl_posix1e(enum vtype type, uid_t file_uid, gid_t file_gid,
60     struct acl *acl, accmode_t accmode, struct ucred *cred, int *privused)
61 {
62 	struct acl_entry *acl_other, *acl_mask;
63 	accmode_t dac_granted;
64 	accmode_t priv_granted;
65 	accmode_t acl_mask_granted;
66 	int group_matched, i;
67 
68 	KASSERT((accmode & ~(VEXEC | VWRITE | VREAD | VADMIN | VAPPEND)) == 0,
69 	    ("invalid bit in accmode"));
70 	KASSERT((accmode & VAPPEND) == 0 || (accmode & VWRITE),
71 	    	("VAPPEND without VWRITE"));
72 
73 	/*
74 	 * Look for a normal, non-privileged way to access the file/directory
75 	 * as requested.  If it exists, go with that.  Otherwise, attempt to
76 	 * use privileges granted via priv_granted.  In some cases, which
77 	 * privileges to use may be ambiguous due to "best match", in which
78 	 * case fall back on first match for the time being.
79 	 */
80 	if (privused != NULL)
81 		*privused = 0;
82 
83 	/*
84 	 * Determine privileges now, but don't apply until we've found a DAC
85 	 * entry that matches but has failed to allow access.
86 	 *
87 	 * XXXRW: Ideally, we'd determine the privileges required before
88 	 * asking for them.
89 	 */
90 	priv_granted = 0;
91 
92 	if (type == VDIR) {
93 		if ((accmode & VEXEC) && !priv_check_cred(cred, PRIV_VFS_LOOKUP))
94 			priv_granted |= VEXEC;
95 	} else {
96 		/*
97 		 * Ensure that at least one execute bit is on. Otherwise,
98 		 * a privileged user will always succeed, and we don't want
99 		 * this to happen unless the file really is executable.
100 		 */
101 		if ((accmode & VEXEC) && (acl_posix1e_acl_to_mode(acl) &
102 		    (S_IXUSR | S_IXGRP | S_IXOTH)) != 0 &&
103 		    !priv_check_cred(cred, PRIV_VFS_EXEC))
104 			priv_granted |= VEXEC;
105 	}
106 
107 	if ((accmode & VREAD) && !priv_check_cred(cred, PRIV_VFS_READ))
108 		priv_granted |= VREAD;
109 
110 	if (((accmode & VWRITE) || (accmode & VAPPEND)) &&
111 	    !priv_check_cred(cred, PRIV_VFS_WRITE))
112 		priv_granted |= (VWRITE | VAPPEND);
113 
114 	if ((accmode & VADMIN) && !priv_check_cred(cred, PRIV_VFS_ADMIN))
115 		priv_granted |= VADMIN;
116 
117 	/*
118 	 * The owner matches if the effective uid associated with the
119 	 * credential matches that of the ACL_USER_OBJ entry.  While we're
120 	 * doing the first scan, also cache the location of the ACL_MASK and
121 	 * ACL_OTHER entries, preventing some future iterations.
122 	 */
123 	acl_mask = acl_other = NULL;
124 	for (i = 0; i < acl->acl_cnt; i++) {
125 		switch (acl->acl_entry[i].ae_tag) {
126 		case ACL_USER_OBJ:
127 			if (file_uid != cred->cr_uid)
128 				break;
129 			dac_granted = 0;
130 			dac_granted |= VADMIN;
131 			if (acl->acl_entry[i].ae_perm & ACL_EXECUTE)
132 				dac_granted |= VEXEC;
133 			if (acl->acl_entry[i].ae_perm & ACL_READ)
134 				dac_granted |= VREAD;
135 			if (acl->acl_entry[i].ae_perm & ACL_WRITE)
136 				dac_granted |= (VWRITE | VAPPEND);
137 			if ((accmode & dac_granted) == accmode)
138 				return (0);
139 
140 			/*
141 			 * XXXRW: Do privilege lookup here.
142 			 */
143 			if ((accmode & (dac_granted | priv_granted)) ==
144 			    accmode) {
145 				if (privused != NULL)
146 					*privused = 1;
147 				return (0);
148 			}
149 			goto error;
150 
151 		case ACL_MASK:
152 			acl_mask = &acl->acl_entry[i];
153 			break;
154 
155 		case ACL_OTHER:
156 			acl_other = &acl->acl_entry[i];
157 			break;
158 
159 		default:
160 			break;
161 		}
162 	}
163 
164 	/*
165 	 * An ACL_OTHER entry should always exist in a valid access ACL.  If
166 	 * it doesn't, then generate a serious failure.  For now, this means
167 	 * a debugging message and EPERM, but in the future should probably
168 	 * be a panic.
169 	 */
170 	if (acl_other == NULL) {
171 		/*
172 		 * XXX This should never happen
173 		 */
174 		printf("vaccess_acl_posix1e: ACL_OTHER missing\n");
175 		return (EPERM);
176 	}
177 
178 	/*
179 	 * Checks against ACL_USER, ACL_GROUP_OBJ, and ACL_GROUP fields are
180 	 * masked by an ACL_MASK entry, if any.  As such, first identify the
181 	 * ACL_MASK field, then iterate through identifying potential user
182 	 * matches, then group matches.  If there is no ACL_MASK, assume that
183 	 * the mask allows all requests to succeed.
184 	 */
185 	if (acl_mask != NULL) {
186 		acl_mask_granted = 0;
187 		if (acl_mask->ae_perm & ACL_EXECUTE)
188 			acl_mask_granted |= VEXEC;
189 		if (acl_mask->ae_perm & ACL_READ)
190 			acl_mask_granted |= VREAD;
191 		if (acl_mask->ae_perm & ACL_WRITE)
192 			acl_mask_granted |= (VWRITE | VAPPEND);
193 	} else
194 		acl_mask_granted = VEXEC | VREAD | VWRITE | VAPPEND;
195 
196 	/*
197 	 * Check ACL_USER ACL entries.  There will either be one or no
198 	 * matches; if there is one, we accept or rejected based on the
199 	 * match; otherwise, we continue on to groups.
200 	 */
201 	for (i = 0; i < acl->acl_cnt; i++) {
202 		switch (acl->acl_entry[i].ae_tag) {
203 		case ACL_USER:
204 			if (acl->acl_entry[i].ae_id != cred->cr_uid)
205 				break;
206 			dac_granted = 0;
207 			if (acl->acl_entry[i].ae_perm & ACL_EXECUTE)
208 				dac_granted |= VEXEC;
209 			if (acl->acl_entry[i].ae_perm & ACL_READ)
210 				dac_granted |= VREAD;
211 			if (acl->acl_entry[i].ae_perm & ACL_WRITE)
212 				dac_granted |= (VWRITE | VAPPEND);
213 			dac_granted &= acl_mask_granted;
214 			if ((accmode & dac_granted) == accmode)
215 				return (0);
216 			/*
217 			 * XXXRW: Do privilege lookup here.
218 			 */
219 			if ((accmode & (dac_granted | priv_granted)) !=
220 			    accmode)
221 				goto error;
222 
223 			if (privused != NULL)
224 				*privused = 1;
225 			return (0);
226 		}
227 	}
228 
229 	/*
230 	 * Group match is best-match, not first-match, so find a "best"
231 	 * match.  Iterate across, testing each potential group match.  Make
232 	 * sure we keep track of whether we found a match or not, so that we
233 	 * know if we should try again with any available privilege, or if we
234 	 * should move on to ACL_OTHER.
235 	 */
236 	group_matched = 0;
237 	for (i = 0; i < acl->acl_cnt; i++) {
238 		switch (acl->acl_entry[i].ae_tag) {
239 		case ACL_GROUP_OBJ:
240 			if (!groupmember(file_gid, cred))
241 				break;
242 			dac_granted = 0;
243 			if (acl->acl_entry[i].ae_perm & ACL_EXECUTE)
244 				dac_granted |= VEXEC;
245 			if (acl->acl_entry[i].ae_perm & ACL_READ)
246 				dac_granted |= VREAD;
247 			if (acl->acl_entry[i].ae_perm & ACL_WRITE)
248 				dac_granted |= (VWRITE | VAPPEND);
249 			dac_granted  &= acl_mask_granted;
250 
251 			if ((accmode & dac_granted) == accmode)
252 				return (0);
253 
254 			group_matched = 1;
255 			break;
256 
257 		case ACL_GROUP:
258 			if (!groupmember(acl->acl_entry[i].ae_id, cred))
259 				break;
260 			dac_granted = 0;
261 			if (acl->acl_entry[i].ae_perm & ACL_EXECUTE)
262 				dac_granted |= VEXEC;
263 			if (acl->acl_entry[i].ae_perm & ACL_READ)
264 				dac_granted |= VREAD;
265 			if (acl->acl_entry[i].ae_perm & ACL_WRITE)
266 				dac_granted |= (VWRITE | VAPPEND);
267 			dac_granted  &= acl_mask_granted;
268 
269 			if ((accmode & dac_granted) == accmode)
270 				return (0);
271 
272 			group_matched = 1;
273 			break;
274 
275 		default:
276 			break;
277 		}
278 	}
279 
280 	if (group_matched == 1) {
281 		/*
282 		 * There was a match, but it did not grant rights via pure
283 		 * DAC.  Try again, this time with privilege.
284 		 */
285 		for (i = 0; i < acl->acl_cnt; i++) {
286 			switch (acl->acl_entry[i].ae_tag) {
287 			case ACL_GROUP_OBJ:
288 				if (!groupmember(file_gid, cred))
289 					break;
290 				dac_granted = 0;
291 				if (acl->acl_entry[i].ae_perm & ACL_EXECUTE)
292 					dac_granted |= VEXEC;
293 				if (acl->acl_entry[i].ae_perm & ACL_READ)
294 					dac_granted |= VREAD;
295 				if (acl->acl_entry[i].ae_perm & ACL_WRITE)
296 					dac_granted |= (VWRITE | VAPPEND);
297 				dac_granted &= acl_mask_granted;
298 
299 				/*
300 				 * XXXRW: Do privilege lookup here.
301 				 */
302 				if ((accmode & (dac_granted | priv_granted))
303 				    != accmode)
304 					break;
305 
306 				if (privused != NULL)
307 					*privused = 1;
308 				return (0);
309 
310 			case ACL_GROUP:
311 				if (!groupmember(acl->acl_entry[i].ae_id,
312 				    cred))
313 					break;
314 				dac_granted = 0;
315 				if (acl->acl_entry[i].ae_perm & ACL_EXECUTE)
316 				dac_granted |= VEXEC;
317 				if (acl->acl_entry[i].ae_perm & ACL_READ)
318 					dac_granted |= VREAD;
319 				if (acl->acl_entry[i].ae_perm & ACL_WRITE)
320 					dac_granted |= (VWRITE | VAPPEND);
321 				dac_granted &= acl_mask_granted;
322 
323 				/*
324 				 * XXXRW: Do privilege lookup here.
325 				 */
326 				if ((accmode & (dac_granted | priv_granted))
327 				    != accmode)
328 					break;
329 
330 				if (privused != NULL)
331 					*privused = 1;
332 				return (0);
333 
334 			default:
335 				break;
336 			}
337 		}
338 		/*
339 		 * Even with privilege, group membership was not sufficient.
340 		 * Return failure.
341 		 */
342 		goto error;
343 	}
344 
345 	/*
346 	 * Fall back on ACL_OTHER.  ACL_MASK is not applied to ACL_OTHER.
347 	 */
348 	dac_granted = 0;
349 	if (acl_other->ae_perm & ACL_EXECUTE)
350 		dac_granted |= VEXEC;
351 	if (acl_other->ae_perm & ACL_READ)
352 		dac_granted |= VREAD;
353 	if (acl_other->ae_perm & ACL_WRITE)
354 		dac_granted |= (VWRITE | VAPPEND);
355 
356 	if ((accmode & dac_granted) == accmode)
357 		return (0);
358 	/*
359 	 * XXXRW: Do privilege lookup here.
360 	 */
361 	if ((accmode & (dac_granted | priv_granted)) == accmode) {
362 		if (privused != NULL)
363 			*privused = 1;
364 		return (0);
365 	}
366 
367 error:
368 	return ((accmode & VADMIN) ? EPERM : EACCES);
369 }
370 
371 /*
372  * For the purposes of filesystems maintaining the _OBJ entries in an inode
373  * with a mode_t field, this routine converts a mode_t entry to an
374  * acl_perm_t.
375  */
376 acl_perm_t
377 acl_posix1e_mode_to_perm(acl_tag_t tag, mode_t mode)
378 {
379 	acl_perm_t	perm = 0;
380 
381 	switch(tag) {
382 	case ACL_USER_OBJ:
383 		if (mode & S_IXUSR)
384 			perm |= ACL_EXECUTE;
385 		if (mode & S_IRUSR)
386 			perm |= ACL_READ;
387 		if (mode & S_IWUSR)
388 			perm |= ACL_WRITE;
389 		return (perm);
390 
391 	case ACL_GROUP_OBJ:
392 		if (mode & S_IXGRP)
393 			perm |= ACL_EXECUTE;
394 		if (mode & S_IRGRP)
395 			perm |= ACL_READ;
396 		if (mode & S_IWGRP)
397 			perm |= ACL_WRITE;
398 		return (perm);
399 
400 	case ACL_OTHER:
401 		if (mode & S_IXOTH)
402 			perm |= ACL_EXECUTE;
403 		if (mode & S_IROTH)
404 			perm |= ACL_READ;
405 		if (mode & S_IWOTH)
406 			perm |= ACL_WRITE;
407 		return (perm);
408 
409 	default:
410 		printf("acl_posix1e_mode_to_perm: invalid tag (%d)\n", tag);
411 		return (0);
412 	}
413 }
414 
415 /*
416  * Given inode information (uid, gid, mode), return an acl entry of the
417  * appropriate type.
418  */
419 struct acl_entry
420 acl_posix1e_mode_to_entry(acl_tag_t tag, uid_t uid, gid_t gid, mode_t mode)
421 {
422 	struct acl_entry	acl_entry;
423 
424 	acl_entry.ae_tag = tag;
425 	acl_entry.ae_perm = acl_posix1e_mode_to_perm(tag, mode);
426 	acl_entry.ae_entry_type = 0;
427 	acl_entry.ae_flags = 0;
428 	switch(tag) {
429 	case ACL_USER_OBJ:
430 		acl_entry.ae_id = uid;
431 		break;
432 
433 	case ACL_GROUP_OBJ:
434 		acl_entry.ae_id = gid;
435 		break;
436 
437 	case ACL_OTHER:
438 		acl_entry.ae_id = ACL_UNDEFINED_ID;
439 		break;
440 
441 	default:
442 		acl_entry.ae_id = ACL_UNDEFINED_ID;
443 		printf("acl_posix1e_mode_to_entry: invalid tag (%d)\n", tag);
444 	}
445 
446 	return (acl_entry);
447 }
448 
449 /*
450  * Utility function to generate a file mode given appropriate ACL entries.
451  */
452 mode_t
453 acl_posix1e_perms_to_mode(struct acl_entry *acl_user_obj_entry,
454     struct acl_entry *acl_group_obj_entry, struct acl_entry *acl_other_entry)
455 {
456 	mode_t	mode;
457 
458 	mode = 0;
459 	if (acl_user_obj_entry->ae_perm & ACL_EXECUTE)
460 		mode |= S_IXUSR;
461 	if (acl_user_obj_entry->ae_perm & ACL_READ)
462 		mode |= S_IRUSR;
463 	if (acl_user_obj_entry->ae_perm & ACL_WRITE)
464 		mode |= S_IWUSR;
465 	if (acl_group_obj_entry->ae_perm & ACL_EXECUTE)
466 		mode |= S_IXGRP;
467 	if (acl_group_obj_entry->ae_perm & ACL_READ)
468 		mode |= S_IRGRP;
469 	if (acl_group_obj_entry->ae_perm & ACL_WRITE)
470 		mode |= S_IWGRP;
471 	if (acl_other_entry->ae_perm & ACL_EXECUTE)
472 		mode |= S_IXOTH;
473 	if (acl_other_entry->ae_perm & ACL_READ)
474 		mode |= S_IROTH;
475 	if (acl_other_entry->ae_perm & ACL_WRITE)
476 		mode |= S_IWOTH;
477 
478 	return (mode);
479 }
480 
481 /*
482  * Utility function to generate a file mode given a complete POSIX.1e access
483  * ACL.  Note that if the ACL is improperly formed, this may result in a
484  * panic.
485  */
486 mode_t
487 acl_posix1e_acl_to_mode(struct acl *acl)
488 {
489 	struct acl_entry *acl_mask, *acl_user_obj, *acl_group_obj, *acl_other;
490 	int i;
491 
492 	/*
493 	 * Find the ACL entries relevant to a POSIX permission mode.
494 	 */
495 	acl_user_obj = acl_group_obj = acl_other = acl_mask = NULL;
496 	for (i = 0; i < acl->acl_cnt; i++) {
497 		switch (acl->acl_entry[i].ae_tag) {
498 		case ACL_USER_OBJ:
499 			acl_user_obj = &acl->acl_entry[i];
500 			break;
501 
502 		case ACL_GROUP_OBJ:
503 			acl_group_obj = &acl->acl_entry[i];
504 			break;
505 
506 		case ACL_OTHER:
507 			acl_other = &acl->acl_entry[i];
508 			break;
509 
510 		case ACL_MASK:
511 			acl_mask = &acl->acl_entry[i];
512 			break;
513 
514 		case ACL_USER:
515 		case ACL_GROUP:
516 			break;
517 
518 		default:
519 			panic("acl_posix1e_acl_to_mode: bad ae_tag");
520 		}
521 	}
522 
523 	if (acl_user_obj == NULL || acl_group_obj == NULL || acl_other == NULL)
524 		panic("acl_posix1e_acl_to_mode: missing base ae_tags");
525 
526 	/*
527 	 * POSIX.1e specifies that if there is an ACL_MASK entry, we replace
528 	 * the mode "group" bits with its permissions.  If there isn't, we
529 	 * use the ACL_GROUP_OBJ permissions.
530 	 */
531 	if (acl_mask != NULL)
532 		return (acl_posix1e_perms_to_mode(acl_user_obj, acl_mask,
533 		    acl_other));
534 	else
535 		return (acl_posix1e_perms_to_mode(acl_user_obj, acl_group_obj,
536 		    acl_other));
537 }
538 
539 /*
540  * Perform a syntactic check of the ACL, sufficient to allow an implementing
541  * filesystem to determine if it should accept this and rely on the POSIX.1e
542  * ACL properties.
543  */
544 int
545 acl_posix1e_check(struct acl *acl)
546 {
547 	int num_acl_user_obj, num_acl_user, num_acl_group_obj, num_acl_group;
548 	int num_acl_mask, num_acl_other, i;
549 
550 	/*
551 	 * Verify that the number of entries does not exceed the maximum
552 	 * defined for acl_t.
553 	 *
554 	 * Verify that the correct number of various sorts of ae_tags are
555 	 * present:
556 	 *   Exactly one ACL_USER_OBJ
557 	 *   Exactly one ACL_GROUP_OBJ
558 	 *   Exactly one ACL_OTHER
559 	 *   If any ACL_USER or ACL_GROUP entries appear, then exactly one
560 	 *   ACL_MASK entry must also appear.
561 	 *
562 	 * Verify that all ae_perm entries are in ACL_PERM_BITS.
563 	 *
564 	 * Verify all ae_tag entries are understood by this implementation.
565 	 *
566 	 * Note: Does not check for uniqueness of qualifier (ae_id) field.
567 	 */
568 	num_acl_user_obj = num_acl_user = num_acl_group_obj = num_acl_group =
569 	    num_acl_mask = num_acl_other = 0;
570 	if (acl->acl_cnt > ACL_MAX_ENTRIES)
571 		return (EINVAL);
572 	for (i = 0; i < acl->acl_cnt; i++) {
573 		/*
574 		 * Check for a valid tag.
575 		 */
576 		switch(acl->acl_entry[i].ae_tag) {
577 		case ACL_USER_OBJ:
578 			acl->acl_entry[i].ae_id = ACL_UNDEFINED_ID; /* XXX */
579 			if (acl->acl_entry[i].ae_id != ACL_UNDEFINED_ID)
580 				return (EINVAL);
581 			num_acl_user_obj++;
582 			break;
583 		case ACL_GROUP_OBJ:
584 			acl->acl_entry[i].ae_id = ACL_UNDEFINED_ID; /* XXX */
585 			if (acl->acl_entry[i].ae_id != ACL_UNDEFINED_ID)
586 				return (EINVAL);
587 			num_acl_group_obj++;
588 			break;
589 		case ACL_USER:
590 			if (acl->acl_entry[i].ae_id == ACL_UNDEFINED_ID)
591 				return (EINVAL);
592 			num_acl_user++;
593 			break;
594 		case ACL_GROUP:
595 			if (acl->acl_entry[i].ae_id == ACL_UNDEFINED_ID)
596 				return (EINVAL);
597 			num_acl_group++;
598 			break;
599 		case ACL_OTHER:
600 			acl->acl_entry[i].ae_id = ACL_UNDEFINED_ID; /* XXX */
601 			if (acl->acl_entry[i].ae_id != ACL_UNDEFINED_ID)
602 				return (EINVAL);
603 			num_acl_other++;
604 			break;
605 		case ACL_MASK:
606 			acl->acl_entry[i].ae_id = ACL_UNDEFINED_ID; /* XXX */
607 			if (acl->acl_entry[i].ae_id != ACL_UNDEFINED_ID)
608 				return (EINVAL);
609 			num_acl_mask++;
610 			break;
611 		default:
612 			return (EINVAL);
613 		}
614 		/*
615 		 * Check for valid perm entries.
616 		 */
617 		if ((acl->acl_entry[i].ae_perm | ACL_PERM_BITS) !=
618 		    ACL_PERM_BITS)
619 			return (EINVAL);
620 	}
621 	if ((num_acl_user_obj != 1) || (num_acl_group_obj != 1) ||
622 	    (num_acl_other != 1) || (num_acl_mask != 0 && num_acl_mask != 1))
623 		return (EINVAL);
624 	if (((num_acl_group != 0) || (num_acl_user != 0)) &&
625 	    (num_acl_mask != 1))
626 		return (EINVAL);
627 	return (0);
628 }
629 
630 /*
631  * Given a requested mode for a new object, and a default ACL, combine the
632  * two to produce a new mode.  Be careful not to clear any bits that aren't
633  * intended to be affected by the POSIX.1e ACL.  Eventually, this might also
634  * take the cmask as an argument, if we push that down into
635  * per-filesystem-code.
636  */
637 mode_t
638 acl_posix1e_newfilemode(mode_t cmode, struct acl *dacl)
639 {
640 	mode_t mode;
641 
642 	mode = cmode;
643 	/*
644 	 * The current composition policy is that a permission bit must be
645 	 * set in *both* the ACL and the requested creation mode for it to
646 	 * appear in the resulting mode/ACL.  First clear any possibly
647 	 * effected bits, then reconstruct.
648 	 */
649 	mode &= ACL_PRESERVE_MASK;
650 	mode |= (ACL_OVERRIDE_MASK & cmode & acl_posix1e_acl_to_mode(dacl));
651 
652 	return (mode);
653 }
654 
655 
656 static int
657 acl_posix1e_modload(module_t mod, int what, void *arg)
658 {
659 	int ret;
660 
661 	ret = 0;
662 
663 	switch (what) {
664 	case MOD_LOAD:
665 	case MOD_SHUTDOWN:
666 		break;
667 
668 	case MOD_QUIESCE:
669 		/* XXX TODO */
670 		ret = 0;
671 		break;
672 
673 	case MOD_UNLOAD:
674 		/* XXX TODO */
675 		ret = 0;
676 		break;
677 	default:
678 		ret = EINVAL;
679 		break;
680 	}
681 
682 	return (ret);
683 }
684 
685 static moduledata_t acl_posix1e_mod = {
686 	"acl_posix1e",
687 	acl_posix1e_modload,
688 	NULL
689 };
690 
691 DECLARE_MODULE(acl_posix1e, acl_posix1e_mod, SI_SUB_VFS, SI_ORDER_FIRST);
692 MODULE_VERSION(acl_posix1e, 1);
693