1 /* 2 * CDDL HEADER START 3 * 4 * The contents of this file are subject to the terms of the 5 * Common Development and Distribution License (the "License"). 6 * You may not use this file except in compliance with the License. 7 * 8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE 9 * or http://www.opensolaris.org/os/licensing. 10 * See the License for the specific language governing permissions 11 * and limitations under the License. 12 * 13 * When distributing Covered Code, include this CDDL HEADER in each 14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE. 15 * If applicable, add the following below this CDDL HEADER, with the 16 * fields enclosed by brackets "[]" replaced with your own identifying 17 * information: Portions Copyright [yyyy] [name of copyright owner] 18 * 19 * CDDL HEADER END 20 */ 21 /* 22 * Copyright (c) 2005, 2010, Oracle and/or its affiliates. All rights reserved. 23 */ 24 25 #include <sys/types.h> 26 #include <sys/param.h> 27 #include <sys/time.h> 28 #include <sys/systm.h> 29 #include <sys/sysmacros.h> 30 #include <sys/resource.h> 31 #include <sys/vfs.h> 32 #include <sys/vnode.h> 33 #include <sys/sid.h> 34 #include <sys/file.h> 35 #include <sys/stat.h> 36 #include <sys/kmem.h> 37 #include <sys/cmn_err.h> 38 #include <sys/errno.h> 39 #include <sys/unistd.h> 40 #include <sys/sdt.h> 41 #include <sys/fs/zfs.h> 42 #include <sys/mode.h> 43 #include <sys/policy.h> 44 #include <sys/zfs_znode.h> 45 #include <sys/zfs_fuid.h> 46 #include <sys/zfs_acl.h> 47 #include <sys/zfs_dir.h> 48 #include <sys/zfs_vfsops.h> 49 #include <sys/dmu.h> 50 #include <sys/dnode.h> 51 #include <sys/zap.h> 52 #include <sys/sa.h> 53 #include "fs/fs_subr.h" 54 #include <acl/acl_common.h> 55 56 #define ALLOW ACE_ACCESS_ALLOWED_ACE_TYPE 57 #define DENY ACE_ACCESS_DENIED_ACE_TYPE 58 #define MAX_ACE_TYPE ACE_SYSTEM_ALARM_CALLBACK_OBJECT_ACE_TYPE 59 #define MIN_ACE_TYPE ALLOW 60 61 #define OWNING_GROUP (ACE_GROUP|ACE_IDENTIFIER_GROUP) 62 #define EVERYONE_ALLOW_MASK (ACE_READ_ACL|ACE_READ_ATTRIBUTES | \ 63 ACE_READ_NAMED_ATTRS|ACE_SYNCHRONIZE) 64 #define EVERYONE_DENY_MASK (ACE_WRITE_ACL|ACE_WRITE_OWNER | \ 65 ACE_WRITE_ATTRIBUTES|ACE_WRITE_NAMED_ATTRS) 66 #define OWNER_ALLOW_MASK (ACE_WRITE_ACL | ACE_WRITE_OWNER | \ 67 ACE_WRITE_ATTRIBUTES|ACE_WRITE_NAMED_ATTRS) 68 69 #define ZFS_CHECKED_MASKS (ACE_READ_ACL|ACE_READ_ATTRIBUTES|ACE_READ_DATA| \ 70 ACE_READ_NAMED_ATTRS|ACE_WRITE_DATA|ACE_WRITE_ATTRIBUTES| \ 71 ACE_WRITE_NAMED_ATTRS|ACE_APPEND_DATA|ACE_EXECUTE|ACE_WRITE_OWNER| \ 72 ACE_WRITE_ACL|ACE_DELETE|ACE_DELETE_CHILD|ACE_SYNCHRONIZE) 73 74 #define WRITE_MASK_DATA (ACE_WRITE_DATA|ACE_APPEND_DATA|ACE_WRITE_NAMED_ATTRS) 75 #define WRITE_MASK_ATTRS (ACE_WRITE_ACL|ACE_WRITE_OWNER|ACE_WRITE_ATTRIBUTES| \ 76 ACE_DELETE|ACE_DELETE_CHILD) 77 #define WRITE_MASK (WRITE_MASK_DATA|WRITE_MASK_ATTRS) 78 79 #define OGE_CLEAR (ACE_READ_DATA|ACE_LIST_DIRECTORY|ACE_WRITE_DATA| \ 80 ACE_ADD_FILE|ACE_APPEND_DATA|ACE_ADD_SUBDIRECTORY|ACE_EXECUTE) 81 82 #define OKAY_MASK_BITS (ACE_READ_DATA|ACE_LIST_DIRECTORY|ACE_WRITE_DATA| \ 83 ACE_ADD_FILE|ACE_APPEND_DATA|ACE_ADD_SUBDIRECTORY|ACE_EXECUTE) 84 85 #define ALL_INHERIT (ACE_FILE_INHERIT_ACE|ACE_DIRECTORY_INHERIT_ACE | \ 86 ACE_NO_PROPAGATE_INHERIT_ACE|ACE_INHERIT_ONLY_ACE|ACE_INHERITED_ACE) 87 88 #define RESTRICTED_CLEAR (ACE_WRITE_ACL|ACE_WRITE_OWNER) 89 90 #define V4_ACL_WIDE_FLAGS (ZFS_ACL_AUTO_INHERIT|ZFS_ACL_DEFAULTED|\ 91 ZFS_ACL_PROTECTED) 92 93 #define ZFS_ACL_WIDE_FLAGS (V4_ACL_WIDE_FLAGS|ZFS_ACL_TRIVIAL|ZFS_INHERIT_ACE|\ 94 ZFS_ACL_OBJ_ACE) 95 96 #define ALL_MODE_EXECS (S_IXUSR | S_IXGRP | S_IXOTH) 97 98 static uint16_t 99 zfs_ace_v0_get_type(void *acep) 100 { 101 return (((zfs_oldace_t *)acep)->z_type); 102 } 103 104 static uint16_t 105 zfs_ace_v0_get_flags(void *acep) 106 { 107 return (((zfs_oldace_t *)acep)->z_flags); 108 } 109 110 static uint32_t 111 zfs_ace_v0_get_mask(void *acep) 112 { 113 return (((zfs_oldace_t *)acep)->z_access_mask); 114 } 115 116 static uint64_t 117 zfs_ace_v0_get_who(void *acep) 118 { 119 return (((zfs_oldace_t *)acep)->z_fuid); 120 } 121 122 static void 123 zfs_ace_v0_set_type(void *acep, uint16_t type) 124 { 125 ((zfs_oldace_t *)acep)->z_type = type; 126 } 127 128 static void 129 zfs_ace_v0_set_flags(void *acep, uint16_t flags) 130 { 131 ((zfs_oldace_t *)acep)->z_flags = flags; 132 } 133 134 static void 135 zfs_ace_v0_set_mask(void *acep, uint32_t mask) 136 { 137 ((zfs_oldace_t *)acep)->z_access_mask = mask; 138 } 139 140 static void 141 zfs_ace_v0_set_who(void *acep, uint64_t who) 142 { 143 ((zfs_oldace_t *)acep)->z_fuid = who; 144 } 145 146 /*ARGSUSED*/ 147 static size_t 148 zfs_ace_v0_size(void *acep) 149 { 150 return (sizeof (zfs_oldace_t)); 151 } 152 153 static size_t 154 zfs_ace_v0_abstract_size(void) 155 { 156 return (sizeof (zfs_oldace_t)); 157 } 158 159 static int 160 zfs_ace_v0_mask_off(void) 161 { 162 return (offsetof(zfs_oldace_t, z_access_mask)); 163 } 164 165 /*ARGSUSED*/ 166 static int 167 zfs_ace_v0_data(void *acep, void **datap) 168 { 169 *datap = NULL; 170 return (0); 171 } 172 173 static acl_ops_t zfs_acl_v0_ops = { 174 zfs_ace_v0_get_mask, 175 zfs_ace_v0_set_mask, 176 zfs_ace_v0_get_flags, 177 zfs_ace_v0_set_flags, 178 zfs_ace_v0_get_type, 179 zfs_ace_v0_set_type, 180 zfs_ace_v0_get_who, 181 zfs_ace_v0_set_who, 182 zfs_ace_v0_size, 183 zfs_ace_v0_abstract_size, 184 zfs_ace_v0_mask_off, 185 zfs_ace_v0_data 186 }; 187 188 static uint16_t 189 zfs_ace_fuid_get_type(void *acep) 190 { 191 return (((zfs_ace_hdr_t *)acep)->z_type); 192 } 193 194 static uint16_t 195 zfs_ace_fuid_get_flags(void *acep) 196 { 197 return (((zfs_ace_hdr_t *)acep)->z_flags); 198 } 199 200 static uint32_t 201 zfs_ace_fuid_get_mask(void *acep) 202 { 203 return (((zfs_ace_hdr_t *)acep)->z_access_mask); 204 } 205 206 static uint64_t 207 zfs_ace_fuid_get_who(void *args) 208 { 209 uint16_t entry_type; 210 zfs_ace_t *acep = args; 211 212 entry_type = acep->z_hdr.z_flags & ACE_TYPE_FLAGS; 213 214 if (entry_type == ACE_OWNER || entry_type == OWNING_GROUP || 215 entry_type == ACE_EVERYONE) 216 return (-1); 217 return (((zfs_ace_t *)acep)->z_fuid); 218 } 219 220 static void 221 zfs_ace_fuid_set_type(void *acep, uint16_t type) 222 { 223 ((zfs_ace_hdr_t *)acep)->z_type = type; 224 } 225 226 static void 227 zfs_ace_fuid_set_flags(void *acep, uint16_t flags) 228 { 229 ((zfs_ace_hdr_t *)acep)->z_flags = flags; 230 } 231 232 static void 233 zfs_ace_fuid_set_mask(void *acep, uint32_t mask) 234 { 235 ((zfs_ace_hdr_t *)acep)->z_access_mask = mask; 236 } 237 238 static void 239 zfs_ace_fuid_set_who(void *arg, uint64_t who) 240 { 241 zfs_ace_t *acep = arg; 242 243 uint16_t entry_type = acep->z_hdr.z_flags & ACE_TYPE_FLAGS; 244 245 if (entry_type == ACE_OWNER || entry_type == OWNING_GROUP || 246 entry_type == ACE_EVERYONE) 247 return; 248 acep->z_fuid = who; 249 } 250 251 static size_t 252 zfs_ace_fuid_size(void *acep) 253 { 254 zfs_ace_hdr_t *zacep = acep; 255 uint16_t entry_type; 256 257 switch (zacep->z_type) { 258 case ACE_ACCESS_ALLOWED_OBJECT_ACE_TYPE: 259 case ACE_ACCESS_DENIED_OBJECT_ACE_TYPE: 260 case ACE_SYSTEM_AUDIT_OBJECT_ACE_TYPE: 261 case ACE_SYSTEM_ALARM_OBJECT_ACE_TYPE: 262 return (sizeof (zfs_object_ace_t)); 263 case ALLOW: 264 case DENY: 265 entry_type = 266 (((zfs_ace_hdr_t *)acep)->z_flags & ACE_TYPE_FLAGS); 267 if (entry_type == ACE_OWNER || 268 entry_type == OWNING_GROUP || 269 entry_type == ACE_EVERYONE) 270 return (sizeof (zfs_ace_hdr_t)); 271 /*FALLTHROUGH*/ 272 default: 273 return (sizeof (zfs_ace_t)); 274 } 275 } 276 277 static size_t 278 zfs_ace_fuid_abstract_size(void) 279 { 280 return (sizeof (zfs_ace_hdr_t)); 281 } 282 283 static int 284 zfs_ace_fuid_mask_off(void) 285 { 286 return (offsetof(zfs_ace_hdr_t, z_access_mask)); 287 } 288 289 static int 290 zfs_ace_fuid_data(void *acep, void **datap) 291 { 292 zfs_ace_t *zacep = acep; 293 zfs_object_ace_t *zobjp; 294 295 switch (zacep->z_hdr.z_type) { 296 case ACE_ACCESS_ALLOWED_OBJECT_ACE_TYPE: 297 case ACE_ACCESS_DENIED_OBJECT_ACE_TYPE: 298 case ACE_SYSTEM_AUDIT_OBJECT_ACE_TYPE: 299 case ACE_SYSTEM_ALARM_OBJECT_ACE_TYPE: 300 zobjp = acep; 301 *datap = (caddr_t)zobjp + sizeof (zfs_ace_t); 302 return (sizeof (zfs_object_ace_t) - sizeof (zfs_ace_t)); 303 default: 304 *datap = NULL; 305 return (0); 306 } 307 } 308 309 static acl_ops_t zfs_acl_fuid_ops = { 310 zfs_ace_fuid_get_mask, 311 zfs_ace_fuid_set_mask, 312 zfs_ace_fuid_get_flags, 313 zfs_ace_fuid_set_flags, 314 zfs_ace_fuid_get_type, 315 zfs_ace_fuid_set_type, 316 zfs_ace_fuid_get_who, 317 zfs_ace_fuid_set_who, 318 zfs_ace_fuid_size, 319 zfs_ace_fuid_abstract_size, 320 zfs_ace_fuid_mask_off, 321 zfs_ace_fuid_data 322 }; 323 324 /* 325 * The following three functions are provided for compatibility with 326 * older ZPL version in order to determine if the file use to have 327 * an external ACL and what version of ACL previously existed on the 328 * file. Would really be nice to not need this, sigh. 329 */ 330 331 uint64_t 332 zfs_external_acl(znode_t *zp) 333 { 334 zfs_acl_phys_t acl_phys; 335 336 if (zp->z_is_sa) 337 return (0); 338 339 VERIFY(0 == sa_lookup(zp->z_sa_hdl, SA_ZPL_ZNODE_ACL(zp->z_zfsvfs), 340 &acl_phys, sizeof (acl_phys))); 341 342 return (acl_phys.z_acl_extern_obj); 343 } 344 345 /* 346 * Determine size of ACL in bytes 347 * 348 * This is more complicated than it should be since we have to deal 349 * with old external ACLs. 350 */ 351 static int 352 zfs_acl_znode_info(znode_t *zp, int *aclsize, int *aclcount, 353 zfs_acl_phys_t *aclphys) 354 { 355 zfsvfs_t *zfsvfs = zp->z_zfsvfs; 356 uint64_t acl_count; 357 int size; 358 int error; 359 360 if (zp->z_is_sa) { 361 if ((error = sa_size(zp->z_sa_hdl, SA_ZPL_DACL_ACES(zfsvfs), 362 &size)) != 0) 363 return (error); 364 *aclsize = size; 365 if ((error = sa_lookup(zp->z_sa_hdl, SA_ZPL_DACL_COUNT(zfsvfs), 366 &acl_count, sizeof (acl_count))) != 0) 367 return (error); 368 *aclcount = acl_count; 369 } else { 370 if ((error = sa_lookup(zp->z_sa_hdl, SA_ZPL_ZNODE_ACL(zfsvfs), 371 aclphys, sizeof (*aclphys))) != 0) 372 return (error); 373 374 if (aclphys->z_acl_version == ZFS_ACL_VERSION_INITIAL) { 375 *aclsize = ZFS_ACL_SIZE(aclphys->z_acl_size); 376 *aclcount = aclphys->z_acl_size; 377 } else { 378 *aclsize = aclphys->z_acl_size; 379 *aclcount = aclphys->z_acl_count; 380 } 381 } 382 return (0); 383 } 384 385 int 386 zfs_znode_acl_version(znode_t *zp) 387 { 388 zfs_acl_phys_t acl_phys; 389 390 if (zp->z_is_sa) { 391 return (ZFS_ACL_VERSION_FUID); 392 } else { 393 VERIFY(0 == sa_lookup(zp->z_sa_hdl, 394 SA_ZPL_ZNODE_ACL(zp->z_zfsvfs), 395 &acl_phys, sizeof (acl_phys))); 396 return (acl_phys.z_acl_version); 397 } 398 } 399 400 static int 401 zfs_acl_version(int version) 402 { 403 if (version < ZPL_VERSION_FUID) 404 return (ZFS_ACL_VERSION_INITIAL); 405 else 406 return (ZFS_ACL_VERSION_FUID); 407 } 408 409 static int 410 zfs_acl_version_zp(znode_t *zp) 411 { 412 return (zfs_acl_version(zp->z_zfsvfs->z_version)); 413 } 414 415 zfs_acl_t * 416 zfs_acl_alloc(int vers) 417 { 418 zfs_acl_t *aclp; 419 420 aclp = kmem_zalloc(sizeof (zfs_acl_t), KM_SLEEP); 421 list_create(&aclp->z_acl, sizeof (zfs_acl_node_t), 422 offsetof(zfs_acl_node_t, z_next)); 423 aclp->z_version = vers; 424 if (vers == ZFS_ACL_VERSION_FUID) 425 aclp->z_ops = zfs_acl_fuid_ops; 426 else 427 aclp->z_ops = zfs_acl_v0_ops; 428 return (aclp); 429 } 430 431 zfs_acl_node_t * 432 zfs_acl_node_alloc(size_t bytes) 433 { 434 zfs_acl_node_t *aclnode; 435 436 aclnode = kmem_zalloc(sizeof (zfs_acl_node_t), KM_SLEEP); 437 if (bytes) { 438 aclnode->z_acldata = kmem_alloc(bytes, KM_SLEEP); 439 aclnode->z_allocdata = aclnode->z_acldata; 440 aclnode->z_allocsize = bytes; 441 aclnode->z_size = bytes; 442 } 443 444 return (aclnode); 445 } 446 447 static void 448 zfs_acl_node_free(zfs_acl_node_t *aclnode) 449 { 450 if (aclnode->z_allocsize) 451 kmem_free(aclnode->z_allocdata, aclnode->z_allocsize); 452 kmem_free(aclnode, sizeof (zfs_acl_node_t)); 453 } 454 455 static void 456 zfs_acl_release_nodes(zfs_acl_t *aclp) 457 { 458 zfs_acl_node_t *aclnode; 459 460 while (aclnode = list_head(&aclp->z_acl)) { 461 list_remove(&aclp->z_acl, aclnode); 462 zfs_acl_node_free(aclnode); 463 } 464 aclp->z_acl_count = 0; 465 aclp->z_acl_bytes = 0; 466 } 467 468 void 469 zfs_acl_free(zfs_acl_t *aclp) 470 { 471 zfs_acl_release_nodes(aclp); 472 list_destroy(&aclp->z_acl); 473 kmem_free(aclp, sizeof (zfs_acl_t)); 474 } 475 476 static boolean_t 477 zfs_acl_valid_ace_type(uint_t type, uint_t flags) 478 { 479 uint16_t entry_type; 480 481 switch (type) { 482 case ALLOW: 483 case DENY: 484 case ACE_SYSTEM_AUDIT_ACE_TYPE: 485 case ACE_SYSTEM_ALARM_ACE_TYPE: 486 entry_type = flags & ACE_TYPE_FLAGS; 487 return (entry_type == ACE_OWNER || 488 entry_type == OWNING_GROUP || 489 entry_type == ACE_EVERYONE || entry_type == 0 || 490 entry_type == ACE_IDENTIFIER_GROUP); 491 default: 492 if (type >= MIN_ACE_TYPE && type <= MAX_ACE_TYPE) 493 return (B_TRUE); 494 } 495 return (B_FALSE); 496 } 497 498 static boolean_t 499 zfs_ace_valid(vtype_t obj_type, zfs_acl_t *aclp, uint16_t type, uint16_t iflags) 500 { 501 /* 502 * first check type of entry 503 */ 504 505 if (!zfs_acl_valid_ace_type(type, iflags)) 506 return (B_FALSE); 507 508 switch (type) { 509 case ACE_ACCESS_ALLOWED_OBJECT_ACE_TYPE: 510 case ACE_ACCESS_DENIED_OBJECT_ACE_TYPE: 511 case ACE_SYSTEM_AUDIT_OBJECT_ACE_TYPE: 512 case ACE_SYSTEM_ALARM_OBJECT_ACE_TYPE: 513 if (aclp->z_version < ZFS_ACL_VERSION_FUID) 514 return (B_FALSE); 515 aclp->z_hints |= ZFS_ACL_OBJ_ACE; 516 } 517 518 /* 519 * next check inheritance level flags 520 */ 521 522 if (obj_type == VDIR && 523 (iflags & (ACE_FILE_INHERIT_ACE|ACE_DIRECTORY_INHERIT_ACE))) 524 aclp->z_hints |= ZFS_INHERIT_ACE; 525 526 if (iflags & (ACE_INHERIT_ONLY_ACE|ACE_NO_PROPAGATE_INHERIT_ACE)) { 527 if ((iflags & (ACE_FILE_INHERIT_ACE| 528 ACE_DIRECTORY_INHERIT_ACE)) == 0) { 529 return (B_FALSE); 530 } 531 } 532 533 return (B_TRUE); 534 } 535 536 static void * 537 zfs_acl_next_ace(zfs_acl_t *aclp, void *start, uint64_t *who, 538 uint32_t *access_mask, uint16_t *iflags, uint16_t *type) 539 { 540 zfs_acl_node_t *aclnode; 541 542 ASSERT(aclp); 543 544 if (start == NULL) { 545 aclnode = list_head(&aclp->z_acl); 546 if (aclnode == NULL) 547 return (NULL); 548 549 aclp->z_next_ace = aclnode->z_acldata; 550 aclp->z_curr_node = aclnode; 551 aclnode->z_ace_idx = 0; 552 } 553 554 aclnode = aclp->z_curr_node; 555 556 if (aclnode == NULL) 557 return (NULL); 558 559 if (aclnode->z_ace_idx >= aclnode->z_ace_count) { 560 aclnode = list_next(&aclp->z_acl, aclnode); 561 if (aclnode == NULL) 562 return (NULL); 563 else { 564 aclp->z_curr_node = aclnode; 565 aclnode->z_ace_idx = 0; 566 aclp->z_next_ace = aclnode->z_acldata; 567 } 568 } 569 570 if (aclnode->z_ace_idx < aclnode->z_ace_count) { 571 void *acep = aclp->z_next_ace; 572 size_t ace_size; 573 574 /* 575 * Make sure we don't overstep our bounds 576 */ 577 ace_size = aclp->z_ops.ace_size(acep); 578 579 if (((caddr_t)acep + ace_size) > 580 ((caddr_t)aclnode->z_acldata + aclnode->z_size)) { 581 return (NULL); 582 } 583 584 *iflags = aclp->z_ops.ace_flags_get(acep); 585 *type = aclp->z_ops.ace_type_get(acep); 586 *access_mask = aclp->z_ops.ace_mask_get(acep); 587 *who = aclp->z_ops.ace_who_get(acep); 588 aclp->z_next_ace = (caddr_t)aclp->z_next_ace + ace_size; 589 aclnode->z_ace_idx++; 590 591 return ((void *)acep); 592 } 593 return (NULL); 594 } 595 596 /*ARGSUSED*/ 597 static uint64_t 598 zfs_ace_walk(void *datap, uint64_t cookie, int aclcnt, 599 uint16_t *flags, uint16_t *type, uint32_t *mask) 600 { 601 zfs_acl_t *aclp = datap; 602 zfs_ace_hdr_t *acep = (zfs_ace_hdr_t *)(uintptr_t)cookie; 603 uint64_t who; 604 605 acep = zfs_acl_next_ace(aclp, acep, &who, mask, 606 flags, type); 607 return ((uint64_t)(uintptr_t)acep); 608 } 609 610 static zfs_acl_node_t * 611 zfs_acl_curr_node(zfs_acl_t *aclp) 612 { 613 ASSERT(aclp->z_curr_node); 614 return (aclp->z_curr_node); 615 } 616 617 /* 618 * Copy ACE to internal ZFS format. 619 * While processing the ACL each ACE will be validated for correctness. 620 * ACE FUIDs will be created later. 621 */ 622 int 623 zfs_copy_ace_2_fuid(zfsvfs_t *zfsvfs, vtype_t obj_type, zfs_acl_t *aclp, 624 void *datap, zfs_ace_t *z_acl, uint64_t aclcnt, size_t *size, 625 zfs_fuid_info_t **fuidp, cred_t *cr) 626 { 627 int i; 628 uint16_t entry_type; 629 zfs_ace_t *aceptr = z_acl; 630 ace_t *acep = datap; 631 zfs_object_ace_t *zobjacep; 632 ace_object_t *aceobjp; 633 634 for (i = 0; i != aclcnt; i++) { 635 aceptr->z_hdr.z_access_mask = acep->a_access_mask; 636 aceptr->z_hdr.z_flags = acep->a_flags; 637 aceptr->z_hdr.z_type = acep->a_type; 638 entry_type = aceptr->z_hdr.z_flags & ACE_TYPE_FLAGS; 639 if (entry_type != ACE_OWNER && entry_type != OWNING_GROUP && 640 entry_type != ACE_EVERYONE) { 641 aceptr->z_fuid = zfs_fuid_create(zfsvfs, acep->a_who, 642 cr, (entry_type == 0) ? 643 ZFS_ACE_USER : ZFS_ACE_GROUP, fuidp); 644 } 645 646 /* 647 * Make sure ACE is valid 648 */ 649 if (zfs_ace_valid(obj_type, aclp, aceptr->z_hdr.z_type, 650 aceptr->z_hdr.z_flags) != B_TRUE) 651 return (EINVAL); 652 653 switch (acep->a_type) { 654 case ACE_ACCESS_ALLOWED_OBJECT_ACE_TYPE: 655 case ACE_ACCESS_DENIED_OBJECT_ACE_TYPE: 656 case ACE_SYSTEM_AUDIT_OBJECT_ACE_TYPE: 657 case ACE_SYSTEM_ALARM_OBJECT_ACE_TYPE: 658 zobjacep = (zfs_object_ace_t *)aceptr; 659 aceobjp = (ace_object_t *)acep; 660 661 bcopy(aceobjp->a_obj_type, zobjacep->z_object_type, 662 sizeof (aceobjp->a_obj_type)); 663 bcopy(aceobjp->a_inherit_obj_type, 664 zobjacep->z_inherit_type, 665 sizeof (aceobjp->a_inherit_obj_type)); 666 acep = (ace_t *)((caddr_t)acep + sizeof (ace_object_t)); 667 break; 668 default: 669 acep = (ace_t *)((caddr_t)acep + sizeof (ace_t)); 670 } 671 672 aceptr = (zfs_ace_t *)((caddr_t)aceptr + 673 aclp->z_ops.ace_size(aceptr)); 674 } 675 676 *size = (caddr_t)aceptr - (caddr_t)z_acl; 677 678 return (0); 679 } 680 681 /* 682 * Copy ZFS ACEs to fixed size ace_t layout 683 */ 684 static void 685 zfs_copy_fuid_2_ace(zfsvfs_t *zfsvfs, zfs_acl_t *aclp, cred_t *cr, 686 void *datap, int filter) 687 { 688 uint64_t who; 689 uint32_t access_mask; 690 uint16_t iflags, type; 691 zfs_ace_hdr_t *zacep = NULL; 692 ace_t *acep = datap; 693 ace_object_t *objacep; 694 zfs_object_ace_t *zobjacep; 695 size_t ace_size; 696 uint16_t entry_type; 697 698 while (zacep = zfs_acl_next_ace(aclp, zacep, 699 &who, &access_mask, &iflags, &type)) { 700 701 switch (type) { 702 case ACE_ACCESS_ALLOWED_OBJECT_ACE_TYPE: 703 case ACE_ACCESS_DENIED_OBJECT_ACE_TYPE: 704 case ACE_SYSTEM_AUDIT_OBJECT_ACE_TYPE: 705 case ACE_SYSTEM_ALARM_OBJECT_ACE_TYPE: 706 if (filter) { 707 continue; 708 } 709 zobjacep = (zfs_object_ace_t *)zacep; 710 objacep = (ace_object_t *)acep; 711 bcopy(zobjacep->z_object_type, 712 objacep->a_obj_type, 713 sizeof (zobjacep->z_object_type)); 714 bcopy(zobjacep->z_inherit_type, 715 objacep->a_inherit_obj_type, 716 sizeof (zobjacep->z_inherit_type)); 717 ace_size = sizeof (ace_object_t); 718 break; 719 default: 720 ace_size = sizeof (ace_t); 721 break; 722 } 723 724 entry_type = (iflags & ACE_TYPE_FLAGS); 725 if ((entry_type != ACE_OWNER && 726 entry_type != OWNING_GROUP && 727 entry_type != ACE_EVERYONE)) { 728 acep->a_who = zfs_fuid_map_id(zfsvfs, who, 729 cr, (entry_type & ACE_IDENTIFIER_GROUP) ? 730 ZFS_ACE_GROUP : ZFS_ACE_USER); 731 } else { 732 acep->a_who = (uid_t)(int64_t)who; 733 } 734 acep->a_access_mask = access_mask; 735 acep->a_flags = iflags; 736 acep->a_type = type; 737 acep = (ace_t *)((caddr_t)acep + ace_size); 738 } 739 } 740 741 static int 742 zfs_copy_ace_2_oldace(vtype_t obj_type, zfs_acl_t *aclp, ace_t *acep, 743 zfs_oldace_t *z_acl, int aclcnt, size_t *size) 744 { 745 int i; 746 zfs_oldace_t *aceptr = z_acl; 747 748 for (i = 0; i != aclcnt; i++, aceptr++) { 749 aceptr->z_access_mask = acep[i].a_access_mask; 750 aceptr->z_type = acep[i].a_type; 751 aceptr->z_flags = acep[i].a_flags; 752 aceptr->z_fuid = acep[i].a_who; 753 /* 754 * Make sure ACE is valid 755 */ 756 if (zfs_ace_valid(obj_type, aclp, aceptr->z_type, 757 aceptr->z_flags) != B_TRUE) 758 return (EINVAL); 759 } 760 *size = (caddr_t)aceptr - (caddr_t)z_acl; 761 return (0); 762 } 763 764 /* 765 * convert old ACL format to new 766 */ 767 void 768 zfs_acl_xform(znode_t *zp, zfs_acl_t *aclp, cred_t *cr) 769 { 770 zfs_oldace_t *oldaclp; 771 int i; 772 uint16_t type, iflags; 773 uint32_t access_mask; 774 uint64_t who; 775 void *cookie = NULL; 776 zfs_acl_node_t *newaclnode; 777 778 ASSERT(aclp->z_version == ZFS_ACL_VERSION_INITIAL); 779 /* 780 * First create the ACE in a contiguous piece of memory 781 * for zfs_copy_ace_2_fuid(). 782 * 783 * We only convert an ACL once, so this won't happen 784 * everytime. 785 */ 786 oldaclp = kmem_alloc(sizeof (zfs_oldace_t) * aclp->z_acl_count, 787 KM_SLEEP); 788 i = 0; 789 while (cookie = zfs_acl_next_ace(aclp, cookie, &who, 790 &access_mask, &iflags, &type)) { 791 oldaclp[i].z_flags = iflags; 792 oldaclp[i].z_type = type; 793 oldaclp[i].z_fuid = who; 794 oldaclp[i++].z_access_mask = access_mask; 795 } 796 797 newaclnode = zfs_acl_node_alloc(aclp->z_acl_count * 798 sizeof (zfs_object_ace_t)); 799 aclp->z_ops = zfs_acl_fuid_ops; 800 VERIFY(zfs_copy_ace_2_fuid(zp->z_zfsvfs, ZTOV(zp)->v_type, aclp, 801 oldaclp, newaclnode->z_acldata, aclp->z_acl_count, 802 &newaclnode->z_size, NULL, cr) == 0); 803 newaclnode->z_ace_count = aclp->z_acl_count; 804 aclp->z_version = ZFS_ACL_VERSION; 805 kmem_free(oldaclp, aclp->z_acl_count * sizeof (zfs_oldace_t)); 806 807 /* 808 * Release all previous ACL nodes 809 */ 810 811 zfs_acl_release_nodes(aclp); 812 813 list_insert_head(&aclp->z_acl, newaclnode); 814 815 aclp->z_acl_bytes = newaclnode->z_size; 816 aclp->z_acl_count = newaclnode->z_ace_count; 817 818 } 819 820 /* 821 * Convert unix access mask to v4 access mask 822 */ 823 static uint32_t 824 zfs_unix_to_v4(uint32_t access_mask) 825 { 826 uint32_t new_mask = 0; 827 828 if (access_mask & S_IXOTH) 829 new_mask |= ACE_EXECUTE; 830 if (access_mask & S_IWOTH) 831 new_mask |= ACE_WRITE_DATA; 832 if (access_mask & S_IROTH) 833 new_mask |= ACE_READ_DATA; 834 return (new_mask); 835 } 836 837 static void 838 zfs_set_ace(zfs_acl_t *aclp, void *acep, uint32_t access_mask, 839 uint16_t access_type, uint64_t fuid, uint16_t entry_type) 840 { 841 uint16_t type = entry_type & ACE_TYPE_FLAGS; 842 843 aclp->z_ops.ace_mask_set(acep, access_mask); 844 aclp->z_ops.ace_type_set(acep, access_type); 845 aclp->z_ops.ace_flags_set(acep, entry_type); 846 if ((type != ACE_OWNER && type != OWNING_GROUP && 847 type != ACE_EVERYONE)) 848 aclp->z_ops.ace_who_set(acep, fuid); 849 } 850 851 /* 852 * Determine mode of file based on ACL. 853 * Also, create FUIDs for any User/Group ACEs 854 */ 855 uint64_t 856 zfs_mode_compute(uint64_t fmode, zfs_acl_t *aclp, 857 uint64_t *pflags, uint64_t fuid, uint64_t fgid) 858 { 859 int entry_type; 860 mode_t mode; 861 mode_t seen = 0; 862 zfs_ace_hdr_t *acep = NULL; 863 uint64_t who; 864 uint16_t iflags, type; 865 uint32_t access_mask; 866 boolean_t an_exec_denied = B_FALSE; 867 868 mode = (fmode & (S_IFMT | S_ISUID | S_ISGID | S_ISVTX)); 869 870 while (acep = zfs_acl_next_ace(aclp, acep, &who, 871 &access_mask, &iflags, &type)) { 872 873 if (!zfs_acl_valid_ace_type(type, iflags)) 874 continue; 875 876 entry_type = (iflags & ACE_TYPE_FLAGS); 877 878 /* 879 * Skip over owner@, group@ or everyone@ inherit only ACEs 880 */ 881 if ((iflags & ACE_INHERIT_ONLY_ACE) && 882 (entry_type == ACE_OWNER || entry_type == ACE_EVERYONE || 883 entry_type == OWNING_GROUP)) 884 continue; 885 886 if (entry_type == ACE_OWNER || (entry_type == 0 && 887 who == fuid)) { 888 if ((access_mask & ACE_READ_DATA) && 889 (!(seen & S_IRUSR))) { 890 seen |= S_IRUSR; 891 if (type == ALLOW) { 892 mode |= S_IRUSR; 893 } 894 } 895 if ((access_mask & ACE_WRITE_DATA) && 896 (!(seen & S_IWUSR))) { 897 seen |= S_IWUSR; 898 if (type == ALLOW) { 899 mode |= S_IWUSR; 900 } 901 } 902 if ((access_mask & ACE_EXECUTE) && 903 (!(seen & S_IXUSR))) { 904 seen |= S_IXUSR; 905 if (type == ALLOW) { 906 mode |= S_IXUSR; 907 } 908 } 909 } else if (entry_type == OWNING_GROUP || 910 (entry_type == ACE_IDENTIFIER_GROUP && who == fgid)) { 911 if ((access_mask & ACE_READ_DATA) && 912 (!(seen & S_IRGRP))) { 913 seen |= S_IRGRP; 914 if (type == ALLOW) { 915 mode |= S_IRGRP; 916 } 917 } 918 if ((access_mask & ACE_WRITE_DATA) && 919 (!(seen & S_IWGRP))) { 920 seen |= S_IWGRP; 921 if (type == ALLOW) { 922 mode |= S_IWGRP; 923 } 924 } 925 if ((access_mask & ACE_EXECUTE) && 926 (!(seen & S_IXGRP))) { 927 seen |= S_IXGRP; 928 if (type == ALLOW) { 929 mode |= S_IXGRP; 930 } 931 } 932 } else if (entry_type == ACE_EVERYONE) { 933 if ((access_mask & ACE_READ_DATA)) { 934 if (!(seen & S_IRUSR)) { 935 seen |= S_IRUSR; 936 if (type == ALLOW) { 937 mode |= S_IRUSR; 938 } 939 } 940 if (!(seen & S_IRGRP)) { 941 seen |= S_IRGRP; 942 if (type == ALLOW) { 943 mode |= S_IRGRP; 944 } 945 } 946 if (!(seen & S_IROTH)) { 947 seen |= S_IROTH; 948 if (type == ALLOW) { 949 mode |= S_IROTH; 950 } 951 } 952 } 953 if ((access_mask & ACE_WRITE_DATA)) { 954 if (!(seen & S_IWUSR)) { 955 seen |= S_IWUSR; 956 if (type == ALLOW) { 957 mode |= S_IWUSR; 958 } 959 } 960 if (!(seen & S_IWGRP)) { 961 seen |= S_IWGRP; 962 if (type == ALLOW) { 963 mode |= S_IWGRP; 964 } 965 } 966 if (!(seen & S_IWOTH)) { 967 seen |= S_IWOTH; 968 if (type == ALLOW) { 969 mode |= S_IWOTH; 970 } 971 } 972 } 973 if ((access_mask & ACE_EXECUTE)) { 974 if (!(seen & S_IXUSR)) { 975 seen |= S_IXUSR; 976 if (type == ALLOW) { 977 mode |= S_IXUSR; 978 } 979 } 980 if (!(seen & S_IXGRP)) { 981 seen |= S_IXGRP; 982 if (type == ALLOW) { 983 mode |= S_IXGRP; 984 } 985 } 986 if (!(seen & S_IXOTH)) { 987 seen |= S_IXOTH; 988 if (type == ALLOW) { 989 mode |= S_IXOTH; 990 } 991 } 992 } 993 } else { 994 /* 995 * Only care if this IDENTIFIER_GROUP or 996 * USER ACE denies execute access to someone, 997 * mode is not affected 998 */ 999 if ((access_mask & ACE_EXECUTE) && type == DENY) 1000 an_exec_denied = B_TRUE; 1001 } 1002 } 1003 1004 /* 1005 * Failure to allow is effectively a deny, so execute permission 1006 * is denied if it was never mentioned or if we explicitly 1007 * weren't allowed it. 1008 */ 1009 if (!an_exec_denied && 1010 ((seen & ALL_MODE_EXECS) != ALL_MODE_EXECS || 1011 (mode & ALL_MODE_EXECS) != ALL_MODE_EXECS)) 1012 an_exec_denied = B_TRUE; 1013 1014 if (an_exec_denied) 1015 *pflags &= ~ZFS_NO_EXECS_DENIED; 1016 else 1017 *pflags |= ZFS_NO_EXECS_DENIED; 1018 1019 return (mode); 1020 } 1021 1022 /* 1023 * Read an external acl object. If the intent is to modify, always 1024 * create a new acl and leave any cached acl in place. 1025 */ 1026 static int 1027 zfs_acl_node_read(znode_t *zp, zfs_acl_t **aclpp, boolean_t will_modify) 1028 { 1029 zfs_acl_t *aclp; 1030 int aclsize; 1031 int acl_count; 1032 zfs_acl_node_t *aclnode; 1033 zfs_acl_phys_t znode_acl; 1034 int version; 1035 int error; 1036 1037 ASSERT(MUTEX_HELD(&zp->z_acl_lock)); 1038 1039 if (zp->z_acl_cached && !will_modify) { 1040 *aclpp = zp->z_acl_cached; 1041 return (0); 1042 } 1043 1044 version = ZNODE_ACL_VERSION(zp); 1045 1046 if ((error = zfs_acl_znode_info(zp, &aclsize, 1047 &acl_count, &znode_acl)) != 0) 1048 return (error); 1049 1050 aclp = zfs_acl_alloc(version); 1051 1052 aclp->z_acl_count = acl_count; 1053 aclp->z_acl_bytes = aclsize; 1054 1055 aclnode = zfs_acl_node_alloc(aclsize); 1056 aclnode->z_ace_count = aclp->z_acl_count; 1057 aclnode->z_size = aclsize; 1058 1059 if (!zp->z_is_sa) { 1060 if (znode_acl.z_acl_extern_obj) { 1061 error = dmu_read(zp->z_zfsvfs->z_os, 1062 znode_acl.z_acl_extern_obj, 0, aclnode->z_size, 1063 aclnode->z_acldata, DMU_READ_PREFETCH); 1064 } else { 1065 bcopy(znode_acl.z_ace_data, aclnode->z_acldata, 1066 aclnode->z_size); 1067 } 1068 } else { 1069 error = sa_lookup(zp->z_sa_hdl, SA_ZPL_DACL_ACES(zp->z_zfsvfs), 1070 aclnode->z_acldata, aclnode->z_size); 1071 } 1072 1073 if (error != 0) { 1074 zfs_acl_free(aclp); 1075 zfs_acl_node_free(aclnode); 1076 /* convert checksum errors into IO errors */ 1077 if (error == ECKSUM) 1078 error = EIO; 1079 return (error); 1080 } 1081 1082 list_insert_head(&aclp->z_acl, aclnode); 1083 1084 *aclpp = aclp; 1085 if (!will_modify) 1086 zp->z_acl_cached = aclp; 1087 return (0); 1088 } 1089 1090 /*ARGSUSED*/ 1091 void 1092 zfs_acl_data_locator(void **dataptr, uint32_t *length, uint32_t buflen, 1093 boolean_t start, void *userdata) 1094 { 1095 zfs_acl_locator_cb_t *cb = (zfs_acl_locator_cb_t *)userdata; 1096 1097 if (start) { 1098 cb->cb_acl_node = list_head(&cb->cb_aclp->z_acl); 1099 } else { 1100 cb->cb_acl_node = list_next(&cb->cb_aclp->z_acl, 1101 cb->cb_acl_node); 1102 } 1103 *dataptr = cb->cb_acl_node->z_acldata; 1104 *length = cb->cb_acl_node->z_size; 1105 } 1106 1107 1108 static int 1109 zfs_acl_get_owner_fuids(znode_t *zp, uint64_t *fuid, uint64_t *fgid) 1110 { 1111 int count = 0; 1112 sa_bulk_attr_t bulk[2]; 1113 int error; 1114 1115 if (IS_EPHEMERAL(zp->z_uid) || IS_EPHEMERAL(zp->z_gid)) { 1116 SA_ADD_BULK_ATTR(bulk, count, SA_ZPL_UID(zp->z_zfsvfs), NULL, 1117 &fuid, sizeof (fuid)); 1118 SA_ADD_BULK_ATTR(bulk, count, SA_ZPL_GID(zp->z_zfsvfs), NULL, 1119 &fgid, sizeof (fuid)); 1120 if ((error = sa_bulk_lookup(zp->z_sa_hdl, bulk, count)) != 0) { 1121 return (error); 1122 } 1123 } else { 1124 *fuid = zp->z_uid; 1125 *fgid = zp->z_gid; 1126 } 1127 return (0); 1128 } 1129 1130 int 1131 zfs_acl_chown_setattr(znode_t *zp) 1132 { 1133 int error; 1134 zfs_acl_t *aclp; 1135 uint64_t fuid, fgid; 1136 1137 if ((error = zfs_acl_get_owner_fuids(zp, &fuid, &fgid)) != 0) 1138 return (error); 1139 1140 mutex_enter(&zp->z_acl_lock); 1141 if ((error = zfs_acl_node_read(zp, &aclp, B_FALSE)) == 0) 1142 zp->z_mode = zfs_mode_compute(zp->z_mode, aclp, 1143 &zp->z_pflags, fuid, fgid); 1144 mutex_exit(&zp->z_acl_lock); 1145 return (error); 1146 } 1147 1148 /* 1149 * common code for setting ACLs. 1150 * 1151 * This function is called from zfs_mode_update, zfs_perm_init, and zfs_setacl. 1152 * zfs_setacl passes a non-NULL inherit pointer (ihp) to indicate that it's 1153 * already checked the acl and knows whether to inherit. 1154 */ 1155 int 1156 zfs_aclset_common(znode_t *zp, zfs_acl_t *aclp, cred_t *cr, dmu_tx_t *tx) 1157 { 1158 int error; 1159 zfsvfs_t *zfsvfs = zp->z_zfsvfs; 1160 dmu_object_type_t otype; 1161 zfs_acl_locator_cb_t locate = { 0 }; 1162 uint64_t mode; 1163 sa_bulk_attr_t bulk[5]; 1164 uint64_t ctime[2]; 1165 int count = 0; 1166 uint64_t fuid, fgid; 1167 1168 mode = zp->z_mode; 1169 1170 if ((error = zfs_acl_get_owner_fuids(zp, &fuid, &fgid)) != 0) 1171 return (error); 1172 1173 mode = zfs_mode_compute(mode, aclp, &zp->z_pflags, fuid, fgid); 1174 1175 zp->z_mode = mode; 1176 SA_ADD_BULK_ATTR(bulk, count, SA_ZPL_MODE(zfsvfs), NULL, 1177 &mode, sizeof (mode)); 1178 SA_ADD_BULK_ATTR(bulk, count, SA_ZPL_FLAGS(zfsvfs), NULL, 1179 &zp->z_pflags, sizeof (zp->z_pflags)); 1180 SA_ADD_BULK_ATTR(bulk, count, SA_ZPL_CTIME(zfsvfs), NULL, 1181 &ctime, sizeof (ctime)); 1182 1183 if (zp->z_acl_cached) { 1184 zfs_acl_free(zp->z_acl_cached); 1185 zp->z_acl_cached = NULL; 1186 } 1187 1188 /* 1189 * Upgrade needed? 1190 */ 1191 if (!zfsvfs->z_use_fuids) { 1192 otype = DMU_OT_OLDACL; 1193 } else { 1194 if ((aclp->z_version == ZFS_ACL_VERSION_INITIAL) && 1195 (zfsvfs->z_version >= ZPL_VERSION_FUID)) 1196 zfs_acl_xform(zp, aclp, cr); 1197 ASSERT(aclp->z_version >= ZFS_ACL_VERSION_FUID); 1198 otype = DMU_OT_ACL; 1199 } 1200 1201 /* 1202 * Arrgh, we have to handle old on disk format 1203 * as well as newer (preferred) SA format. 1204 */ 1205 1206 if (zp->z_is_sa) { /* the easy case, just update the ACL attribute */ 1207 locate.cb_aclp = aclp; 1208 SA_ADD_BULK_ATTR(bulk, count, SA_ZPL_DACL_ACES(zfsvfs), 1209 zfs_acl_data_locator, &locate, aclp->z_acl_bytes); 1210 SA_ADD_BULK_ATTR(bulk, count, SA_ZPL_DACL_COUNT(zfsvfs), 1211 NULL, &aclp->z_acl_count, sizeof (uint64_t)); 1212 } else { /* Painful legacy way */ 1213 zfs_acl_node_t *aclnode; 1214 uint64_t off = 0; 1215 zfs_acl_phys_t acl_phys; 1216 uint64_t aoid; 1217 1218 if ((error = sa_lookup(zp->z_sa_hdl, SA_ZPL_ZNODE_ACL(zfsvfs), 1219 &acl_phys, sizeof (acl_phys))) != 0) 1220 return (error); 1221 1222 aoid = acl_phys.z_acl_extern_obj; 1223 1224 if (aclp->z_acl_bytes > ZFS_ACE_SPACE) { 1225 /* 1226 * If ACL was previously external and we are now 1227 * converting to new ACL format then release old 1228 * ACL object and create a new one. 1229 */ 1230 if (aoid && 1231 aclp->z_version != acl_phys.z_acl_version) { 1232 error = dmu_object_free(zfsvfs->z_os, aoid, tx); 1233 if (error) 1234 return (error); 1235 aoid = 0; 1236 } 1237 if (aoid == 0) { 1238 aoid = dmu_object_alloc(zfsvfs->z_os, 1239 otype, aclp->z_acl_bytes, 1240 otype == DMU_OT_ACL ? 1241 DMU_OT_SYSACL : DMU_OT_NONE, 1242 otype == DMU_OT_ACL ? 1243 DN_MAX_BONUSLEN : 0, tx); 1244 } else { 1245 (void) dmu_object_set_blocksize(zfsvfs->z_os, 1246 aoid, aclp->z_acl_bytes, 0, tx); 1247 } 1248 acl_phys.z_acl_extern_obj = aoid; 1249 for (aclnode = list_head(&aclp->z_acl); aclnode; 1250 aclnode = list_next(&aclp->z_acl, aclnode)) { 1251 if (aclnode->z_ace_count == 0) 1252 continue; 1253 dmu_write(zfsvfs->z_os, aoid, off, 1254 aclnode->z_size, aclnode->z_acldata, tx); 1255 off += aclnode->z_size; 1256 } 1257 } else { 1258 void *start = acl_phys.z_ace_data; 1259 /* 1260 * Migrating back embedded? 1261 */ 1262 if (acl_phys.z_acl_extern_obj) { 1263 error = dmu_object_free(zfsvfs->z_os, 1264 acl_phys.z_acl_extern_obj, tx); 1265 if (error) 1266 return (error); 1267 acl_phys.z_acl_extern_obj = 0; 1268 } 1269 1270 for (aclnode = list_head(&aclp->z_acl); aclnode; 1271 aclnode = list_next(&aclp->z_acl, aclnode)) { 1272 if (aclnode->z_ace_count == 0) 1273 continue; 1274 bcopy(aclnode->z_acldata, start, 1275 aclnode->z_size); 1276 start = (caddr_t)start + aclnode->z_size; 1277 } 1278 } 1279 /* 1280 * If Old version then swap count/bytes to match old 1281 * layout of znode_acl_phys_t. 1282 */ 1283 if (aclp->z_version == ZFS_ACL_VERSION_INITIAL) { 1284 acl_phys.z_acl_size = aclp->z_acl_count; 1285 acl_phys.z_acl_count = aclp->z_acl_bytes; 1286 } else { 1287 acl_phys.z_acl_size = aclp->z_acl_bytes; 1288 acl_phys.z_acl_count = aclp->z_acl_count; 1289 } 1290 acl_phys.z_acl_version = aclp->z_version; 1291 1292 SA_ADD_BULK_ATTR(bulk, count, SA_ZPL_ZNODE_ACL(zfsvfs), NULL, 1293 &acl_phys, sizeof (acl_phys)); 1294 } 1295 1296 /* 1297 * Replace ACL wide bits, but first clear them. 1298 */ 1299 zp->z_pflags &= ~ZFS_ACL_WIDE_FLAGS; 1300 1301 zp->z_pflags |= aclp->z_hints; 1302 1303 if (ace_trivial_common(aclp, 0, zfs_ace_walk) == 0) 1304 zp->z_pflags |= ZFS_ACL_TRIVIAL; 1305 1306 zfs_tstamp_update_setup(zp, STATE_CHANGED, NULL, ctime, B_TRUE); 1307 return (sa_bulk_update(zp->z_sa_hdl, bulk, count, tx)); 1308 } 1309 1310 /* 1311 * Update access mask for prepended ACE 1312 * 1313 * This applies the "groupmask" value for aclmode property. 1314 */ 1315 static void 1316 zfs_acl_prepend_fixup(zfs_acl_t *aclp, void *acep, void *origacep, 1317 mode_t mode, uint64_t owner) 1318 { 1319 int rmask, wmask, xmask; 1320 int user_ace; 1321 uint16_t aceflags; 1322 uint32_t origmask, acepmask; 1323 uint64_t fuid; 1324 1325 aceflags = aclp->z_ops.ace_flags_get(acep); 1326 fuid = aclp->z_ops.ace_who_get(acep); 1327 origmask = aclp->z_ops.ace_mask_get(origacep); 1328 acepmask = aclp->z_ops.ace_mask_get(acep); 1329 1330 user_ace = (!(aceflags & 1331 (ACE_OWNER|ACE_GROUP|ACE_IDENTIFIER_GROUP))); 1332 1333 if (user_ace && (fuid == owner)) { 1334 rmask = S_IRUSR; 1335 wmask = S_IWUSR; 1336 xmask = S_IXUSR; 1337 } else { 1338 rmask = S_IRGRP; 1339 wmask = S_IWGRP; 1340 xmask = S_IXGRP; 1341 } 1342 1343 if (origmask & ACE_READ_DATA) { 1344 if (mode & rmask) { 1345 acepmask &= ~ACE_READ_DATA; 1346 } else { 1347 acepmask |= ACE_READ_DATA; 1348 } 1349 } 1350 1351 if (origmask & ACE_WRITE_DATA) { 1352 if (mode & wmask) { 1353 acepmask &= ~ACE_WRITE_DATA; 1354 } else { 1355 acepmask |= ACE_WRITE_DATA; 1356 } 1357 } 1358 1359 if (origmask & ACE_APPEND_DATA) { 1360 if (mode & wmask) { 1361 acepmask &= ~ACE_APPEND_DATA; 1362 } else { 1363 acepmask |= ACE_APPEND_DATA; 1364 } 1365 } 1366 1367 if (origmask & ACE_EXECUTE) { 1368 if (mode & xmask) { 1369 acepmask &= ~ACE_EXECUTE; 1370 } else { 1371 acepmask |= ACE_EXECUTE; 1372 } 1373 } 1374 aclp->z_ops.ace_mask_set(acep, acepmask); 1375 } 1376 1377 static void 1378 zfs_acl_chmod(zfsvfs_t *zfsvfs, uint64_t mode, zfs_acl_t *aclp) 1379 { 1380 void *acep = NULL; 1381 uint64_t who; 1382 int new_count, new_bytes; 1383 int ace_size; 1384 int entry_type; 1385 uint16_t iflags, type; 1386 uint32_t access_mask; 1387 zfs_acl_node_t *newnode; 1388 size_t abstract_size = aclp->z_ops.ace_abstract_size(); 1389 void *zacep; 1390 uint32_t owner, group, everyone; 1391 uint32_t deny1, deny2, allow0; 1392 1393 new_count = new_bytes = 0; 1394 1395 acl_trivial_access_masks((mode_t)mode, &allow0, &deny1, &deny2, 1396 &owner, &group, &everyone); 1397 1398 newnode = zfs_acl_node_alloc((abstract_size * 6) + aclp->z_acl_bytes); 1399 1400 zacep = newnode->z_acldata; 1401 if (allow0) { 1402 zfs_set_ace(aclp, zacep, allow0, ALLOW, -1, ACE_OWNER); 1403 zacep = (void *)((uintptr_t)zacep + abstract_size); 1404 new_count++; 1405 new_bytes += abstract_size; 1406 } if (deny1) { 1407 zfs_set_ace(aclp, zacep, deny1, DENY, -1, ACE_OWNER); 1408 zacep = (void *)((uintptr_t)zacep + abstract_size); 1409 new_count++; 1410 new_bytes += abstract_size; 1411 } 1412 if (deny2) { 1413 zfs_set_ace(aclp, zacep, deny2, DENY, -1, OWNING_GROUP); 1414 zacep = (void *)((uintptr_t)zacep + abstract_size); 1415 new_count++; 1416 new_bytes += abstract_size; 1417 } 1418 1419 while (acep = zfs_acl_next_ace(aclp, acep, &who, &access_mask, 1420 &iflags, &type)) { 1421 uint16_t inherit_flags; 1422 1423 entry_type = (iflags & ACE_TYPE_FLAGS); 1424 inherit_flags = (iflags & ALL_INHERIT); 1425 1426 if ((entry_type == ACE_OWNER || entry_type == ACE_EVERYONE || 1427 (entry_type == OWNING_GROUP)) && 1428 ((inherit_flags & ACE_INHERIT_ONLY_ACE) == 0)) { 1429 continue; 1430 } 1431 1432 if ((type != ALLOW && type != DENY) || 1433 (inherit_flags & ACE_INHERIT_ONLY_ACE)) { 1434 if (inherit_flags) 1435 aclp->z_hints |= ZFS_INHERIT_ACE; 1436 switch (type) { 1437 case ACE_ACCESS_ALLOWED_OBJECT_ACE_TYPE: 1438 case ACE_ACCESS_DENIED_OBJECT_ACE_TYPE: 1439 case ACE_SYSTEM_AUDIT_OBJECT_ACE_TYPE: 1440 case ACE_SYSTEM_ALARM_OBJECT_ACE_TYPE: 1441 aclp->z_hints |= ZFS_ACL_OBJ_ACE; 1442 break; 1443 } 1444 } else { 1445 1446 /* 1447 * Limit permissions to be no greater than 1448 * group permissions 1449 */ 1450 if (zfsvfs->z_acl_inherit == ZFS_ACL_RESTRICTED) { 1451 if (!(mode & S_IRGRP)) 1452 access_mask &= ~ACE_READ_DATA; 1453 if (!(mode & S_IWGRP)) 1454 access_mask &= 1455 ~(ACE_WRITE_DATA|ACE_APPEND_DATA); 1456 if (!(mode & S_IXGRP)) 1457 access_mask &= ~ACE_EXECUTE; 1458 access_mask &= 1459 ~(ACE_WRITE_OWNER|ACE_WRITE_ACL| 1460 ACE_WRITE_ATTRIBUTES|ACE_WRITE_NAMED_ATTRS); 1461 } 1462 } 1463 zfs_set_ace(aclp, zacep, access_mask, type, who, iflags); 1464 ace_size = aclp->z_ops.ace_size(acep); 1465 zacep = (void *)((uintptr_t)zacep + ace_size); 1466 new_count++; 1467 new_bytes += ace_size; 1468 } 1469 zfs_set_ace(aclp, zacep, owner, 0, -1, ACE_OWNER); 1470 zacep = (void *)((uintptr_t)zacep + abstract_size); 1471 zfs_set_ace(aclp, zacep, group, 0, -1, OWNING_GROUP); 1472 zacep = (void *)((uintptr_t)zacep + abstract_size); 1473 zfs_set_ace(aclp, zacep, everyone, 0, -1, ACE_EVERYONE); 1474 1475 new_count += 3; 1476 new_bytes += abstract_size * 3; 1477 zfs_acl_release_nodes(aclp); 1478 aclp->z_acl_count = new_count; 1479 aclp->z_acl_bytes = new_bytes; 1480 newnode->z_ace_count = new_count; 1481 newnode->z_size = new_bytes; 1482 list_insert_tail(&aclp->z_acl, newnode); 1483 } 1484 1485 int 1486 zfs_acl_chmod_setattr(znode_t *zp, zfs_acl_t **aclp, uint64_t mode) 1487 { 1488 mutex_enter(&zp->z_lock); 1489 mutex_enter(&zp->z_acl_lock); 1490 *aclp = zfs_acl_alloc(zfs_acl_version_zp(zp)); 1491 (*aclp)->z_hints = zp->z_pflags & V4_ACL_WIDE_FLAGS; 1492 zfs_acl_chmod(zp->z_zfsvfs, mode, *aclp); 1493 mutex_exit(&zp->z_acl_lock); 1494 mutex_exit(&zp->z_lock); 1495 ASSERT(*aclp); 1496 return (0); 1497 } 1498 1499 /* 1500 * strip off write_owner and write_acl 1501 */ 1502 static void 1503 zfs_restricted_update(zfsvfs_t *zfsvfs, zfs_acl_t *aclp, void *acep) 1504 { 1505 uint32_t mask = aclp->z_ops.ace_mask_get(acep); 1506 1507 if ((zfsvfs->z_acl_inherit == ZFS_ACL_RESTRICTED) && 1508 (aclp->z_ops.ace_type_get(acep) == ALLOW)) { 1509 mask &= ~RESTRICTED_CLEAR; 1510 aclp->z_ops.ace_mask_set(acep, mask); 1511 } 1512 } 1513 1514 /* 1515 * Should ACE be inherited? 1516 */ 1517 static int 1518 zfs_ace_can_use(vtype_t vtype, uint16_t acep_flags) 1519 { 1520 int iflags = (acep_flags & 0xf); 1521 1522 if ((vtype == VDIR) && (iflags & ACE_DIRECTORY_INHERIT_ACE)) 1523 return (1); 1524 else if (iflags & ACE_FILE_INHERIT_ACE) 1525 return (!((vtype == VDIR) && 1526 (iflags & ACE_NO_PROPAGATE_INHERIT_ACE))); 1527 return (0); 1528 } 1529 1530 /* 1531 * inherit inheritable ACEs from parent 1532 */ 1533 static zfs_acl_t * 1534 zfs_acl_inherit(zfsvfs_t *zfsvfs, vtype_t vtype, zfs_acl_t *paclp, 1535 uint64_t mode, boolean_t *need_chmod) 1536 { 1537 void *pacep; 1538 void *acep; 1539 zfs_acl_node_t *aclnode; 1540 zfs_acl_t *aclp = NULL; 1541 uint64_t who; 1542 uint32_t access_mask; 1543 uint16_t iflags, newflags, type; 1544 size_t ace_size; 1545 void *data1, *data2; 1546 size_t data1sz, data2sz; 1547 boolean_t vdir = vtype == VDIR; 1548 boolean_t vreg = vtype == VREG; 1549 boolean_t passthrough, passthrough_x, noallow; 1550 1551 passthrough_x = 1552 zfsvfs->z_acl_inherit == ZFS_ACL_PASSTHROUGH_X; 1553 passthrough = passthrough_x || 1554 zfsvfs->z_acl_inherit == ZFS_ACL_PASSTHROUGH; 1555 noallow = 1556 zfsvfs->z_acl_inherit == ZFS_ACL_NOALLOW; 1557 1558 *need_chmod = B_TRUE; 1559 pacep = NULL; 1560 aclp = zfs_acl_alloc(paclp->z_version); 1561 if (zfsvfs->z_acl_inherit == ZFS_ACL_DISCARD || vtype == VLNK) 1562 return (aclp); 1563 while (pacep = zfs_acl_next_ace(paclp, pacep, &who, 1564 &access_mask, &iflags, &type)) { 1565 1566 /* 1567 * don't inherit bogus ACEs 1568 */ 1569 if (!zfs_acl_valid_ace_type(type, iflags)) 1570 continue; 1571 1572 if (noallow && type == ALLOW) 1573 continue; 1574 1575 ace_size = aclp->z_ops.ace_size(pacep); 1576 1577 if (!zfs_ace_can_use(vtype, iflags)) 1578 continue; 1579 1580 /* 1581 * If owner@, group@, or everyone@ inheritable 1582 * then zfs_acl_chmod() isn't needed. 1583 */ 1584 if (passthrough && 1585 ((iflags & (ACE_OWNER|ACE_EVERYONE)) || 1586 ((iflags & OWNING_GROUP) == 1587 OWNING_GROUP)) && (vreg || (vdir && (iflags & 1588 ACE_DIRECTORY_INHERIT_ACE)))) { 1589 *need_chmod = B_FALSE; 1590 } 1591 1592 if (!vdir && passthrough_x && 1593 ((mode & (S_IXUSR | S_IXGRP | S_IXOTH)) == 0)) { 1594 access_mask &= ~ACE_EXECUTE; 1595 } 1596 1597 aclnode = zfs_acl_node_alloc(ace_size); 1598 list_insert_tail(&aclp->z_acl, aclnode); 1599 acep = aclnode->z_acldata; 1600 1601 zfs_set_ace(aclp, acep, access_mask, type, 1602 who, iflags|ACE_INHERITED_ACE); 1603 1604 /* 1605 * Copy special opaque data if any 1606 */ 1607 if ((data1sz = paclp->z_ops.ace_data(pacep, &data1)) != 0) { 1608 VERIFY((data2sz = aclp->z_ops.ace_data(acep, 1609 &data2)) == data1sz); 1610 bcopy(data1, data2, data2sz); 1611 } 1612 1613 aclp->z_acl_count++; 1614 aclnode->z_ace_count++; 1615 aclp->z_acl_bytes += aclnode->z_size; 1616 newflags = aclp->z_ops.ace_flags_get(acep); 1617 1618 if (vdir) 1619 aclp->z_hints |= ZFS_INHERIT_ACE; 1620 1621 if ((iflags & ACE_NO_PROPAGATE_INHERIT_ACE) || !vdir) { 1622 newflags &= ~ALL_INHERIT; 1623 aclp->z_ops.ace_flags_set(acep, 1624 newflags|ACE_INHERITED_ACE); 1625 zfs_restricted_update(zfsvfs, aclp, acep); 1626 continue; 1627 } 1628 1629 ASSERT(vdir); 1630 1631 /* 1632 * If only FILE_INHERIT is set then turn on 1633 * inherit_only 1634 */ 1635 if ((iflags & (ACE_FILE_INHERIT_ACE | 1636 ACE_DIRECTORY_INHERIT_ACE)) == ACE_FILE_INHERIT_ACE) { 1637 newflags |= ACE_INHERIT_ONLY_ACE; 1638 aclp->z_ops.ace_flags_set(acep, 1639 newflags|ACE_INHERITED_ACE); 1640 } else { 1641 newflags &= ~ACE_INHERIT_ONLY_ACE; 1642 aclp->z_ops.ace_flags_set(acep, 1643 newflags|ACE_INHERITED_ACE); 1644 } 1645 } 1646 return (aclp); 1647 } 1648 1649 /* 1650 * Create file system object initial permissions 1651 * including inheritable ACEs. 1652 */ 1653 int 1654 zfs_acl_ids_create(znode_t *dzp, int flag, vattr_t *vap, cred_t *cr, 1655 vsecattr_t *vsecp, zfs_acl_ids_t *acl_ids) 1656 { 1657 int error; 1658 zfsvfs_t *zfsvfs = dzp->z_zfsvfs; 1659 zfs_acl_t *paclp; 1660 gid_t gid; 1661 boolean_t need_chmod = B_TRUE; 1662 boolean_t inherited = B_FALSE; 1663 uint64_t parentgid; 1664 1665 bzero(acl_ids, sizeof (zfs_acl_ids_t)); 1666 acl_ids->z_mode = MAKEIMODE(vap->va_type, vap->va_mode); 1667 1668 if (vsecp) 1669 if ((error = zfs_vsec_2_aclp(zfsvfs, vap->va_type, vsecp, cr, 1670 &acl_ids->z_fuidp, &acl_ids->z_aclp)) != 0) 1671 return (error); 1672 /* 1673 * Determine uid and gid. 1674 */ 1675 if ((flag & IS_ROOT_NODE) || zfsvfs->z_replay || 1676 ((flag & IS_XATTR) && (vap->va_type == VDIR))) { 1677 acl_ids->z_fuid = zfs_fuid_create(zfsvfs, 1678 (uint64_t)vap->va_uid, cr, 1679 ZFS_OWNER, &acl_ids->z_fuidp); 1680 acl_ids->z_fgid = zfs_fuid_create(zfsvfs, 1681 (uint64_t)vap->va_gid, cr, 1682 ZFS_GROUP, &acl_ids->z_fuidp); 1683 gid = vap->va_gid; 1684 } else { 1685 if (IS_EPHEMERAL(dzp->z_gid)) 1686 VERIFY(0 == sa_lookup(dzp->z_sa_hdl, SA_ZPL_GID(zfsvfs), 1687 &parentgid, sizeof (parentgid))); 1688 else 1689 parentgid = (uint64_t)dzp->z_gid; 1690 1691 acl_ids->z_fuid = zfs_fuid_create_cred(zfsvfs, ZFS_OWNER, 1692 cr, &acl_ids->z_fuidp); 1693 acl_ids->z_fgid = 0; 1694 if (vap->va_mask & AT_GID) { 1695 acl_ids->z_fgid = zfs_fuid_create(zfsvfs, 1696 (uint64_t)vap->va_gid, 1697 cr, ZFS_GROUP, &acl_ids->z_fuidp); 1698 gid = vap->va_gid; 1699 if (acl_ids->z_fgid != parentgid && 1700 !groupmember(vap->va_gid, cr) && 1701 secpolicy_vnode_create_gid(cr) != 0) 1702 acl_ids->z_fgid = 0; 1703 } 1704 if (acl_ids->z_fgid == 0) { 1705 if (dzp->z_mode & S_ISGID) { 1706 char *domain; 1707 uint32_t rid; 1708 1709 acl_ids->z_fgid = parentgid; 1710 gid = zfs_fuid_map_id(zfsvfs, acl_ids->z_fgid, 1711 cr, ZFS_GROUP); 1712 1713 if (zfsvfs->z_use_fuids && 1714 IS_EPHEMERAL(acl_ids->z_fgid)) { 1715 domain = zfs_fuid_idx_domain( 1716 &zfsvfs->z_fuid_idx, 1717 FUID_INDEX(acl_ids->z_fgid)); 1718 rid = FUID_RID(acl_ids->z_fgid); 1719 zfs_fuid_node_add(&acl_ids->z_fuidp, 1720 domain, rid, 1721 FUID_INDEX(acl_ids->z_fgid), 1722 acl_ids->z_fgid, ZFS_GROUP); 1723 } 1724 } else { 1725 acl_ids->z_fgid = zfs_fuid_create_cred(zfsvfs, 1726 ZFS_GROUP, cr, &acl_ids->z_fuidp); 1727 gid = crgetgid(cr); 1728 } 1729 } 1730 } 1731 1732 /* 1733 * If we're creating a directory, and the parent directory has the 1734 * set-GID bit set, set in on the new directory. 1735 * Otherwise, if the user is neither privileged nor a member of the 1736 * file's new group, clear the file's set-GID bit. 1737 */ 1738 1739 if (!(flag & IS_ROOT_NODE) && (dzp->z_mode & S_ISGID) && 1740 (vap->va_type == VDIR)) { 1741 acl_ids->z_mode |= S_ISGID; 1742 } else { 1743 if ((acl_ids->z_mode & S_ISGID) && 1744 secpolicy_vnode_setids_setgids(cr, gid) != 0) 1745 acl_ids->z_mode &= ~S_ISGID; 1746 } 1747 1748 if (acl_ids->z_aclp == NULL) { 1749 mutex_enter(&dzp->z_lock); 1750 if (!(flag & IS_ROOT_NODE) && (ZTOV(dzp)->v_type == VDIR && 1751 (dzp->z_pflags & ZFS_INHERIT_ACE)) && 1752 !(dzp->z_pflags & ZFS_XATTR)) { 1753 mutex_enter(&dzp->z_acl_lock); 1754 VERIFY(0 == zfs_acl_node_read(dzp, &paclp, B_FALSE)); 1755 acl_ids->z_aclp = zfs_acl_inherit(zfsvfs, 1756 vap->va_type, paclp, acl_ids->z_mode, &need_chmod); 1757 mutex_exit(&dzp->z_acl_lock); 1758 inherited = B_TRUE; 1759 } else { 1760 acl_ids->z_aclp = 1761 zfs_acl_alloc(zfs_acl_version_zp(dzp)); 1762 acl_ids->z_aclp->z_hints |= ZFS_ACL_TRIVIAL; 1763 } 1764 mutex_exit(&dzp->z_lock); 1765 if (need_chmod) { 1766 acl_ids->z_aclp->z_hints |= (vap->va_type == VDIR) ? 1767 ZFS_ACL_AUTO_INHERIT : 0; 1768 zfs_acl_chmod(zfsvfs, acl_ids->z_mode, acl_ids->z_aclp); 1769 } 1770 } 1771 1772 if (inherited || vsecp) { 1773 acl_ids->z_mode = zfs_mode_compute(acl_ids->z_mode, 1774 acl_ids->z_aclp, &acl_ids->z_aclp->z_hints, 1775 acl_ids->z_fuid, acl_ids->z_fgid); 1776 if (ace_trivial_common(acl_ids->z_aclp, 0, zfs_ace_walk) == 0) 1777 acl_ids->z_aclp->z_hints |= ZFS_ACL_TRIVIAL; 1778 } 1779 1780 return (0); 1781 } 1782 1783 /* 1784 * Free ACL and fuid_infop, but not the acl_ids structure 1785 */ 1786 void 1787 zfs_acl_ids_free(zfs_acl_ids_t *acl_ids) 1788 { 1789 if (acl_ids->z_aclp) 1790 zfs_acl_free(acl_ids->z_aclp); 1791 if (acl_ids->z_fuidp) 1792 zfs_fuid_info_free(acl_ids->z_fuidp); 1793 acl_ids->z_aclp = NULL; 1794 acl_ids->z_fuidp = NULL; 1795 } 1796 1797 boolean_t 1798 zfs_acl_ids_overquota(zfsvfs_t *zfsvfs, zfs_acl_ids_t *acl_ids) 1799 { 1800 return (zfs_fuid_overquota(zfsvfs, B_FALSE, acl_ids->z_fuid) || 1801 zfs_fuid_overquota(zfsvfs, B_TRUE, acl_ids->z_fgid)); 1802 } 1803 1804 /* 1805 * Retrieve a files ACL 1806 */ 1807 int 1808 zfs_getacl(znode_t *zp, vsecattr_t *vsecp, boolean_t skipaclchk, cred_t *cr) 1809 { 1810 zfs_acl_t *aclp; 1811 ulong_t mask; 1812 int error; 1813 int count = 0; 1814 int largeace = 0; 1815 1816 mask = vsecp->vsa_mask & (VSA_ACE | VSA_ACECNT | 1817 VSA_ACE_ACLFLAGS | VSA_ACE_ALLTYPES); 1818 1819 if (mask == 0) 1820 return (ENOSYS); 1821 1822 if (error = zfs_zaccess(zp, ACE_READ_ACL, 0, skipaclchk, cr)) 1823 return (error); 1824 1825 mutex_enter(&zp->z_acl_lock); 1826 1827 error = zfs_acl_node_read(zp, &aclp, B_FALSE); 1828 if (error != 0) { 1829 mutex_exit(&zp->z_acl_lock); 1830 return (error); 1831 } 1832 1833 /* 1834 * Scan ACL to determine number of ACEs 1835 */ 1836 if ((zp->z_pflags & ZFS_ACL_OBJ_ACE) && !(mask & VSA_ACE_ALLTYPES)) { 1837 void *zacep = NULL; 1838 uint64_t who; 1839 uint32_t access_mask; 1840 uint16_t type, iflags; 1841 1842 while (zacep = zfs_acl_next_ace(aclp, zacep, 1843 &who, &access_mask, &iflags, &type)) { 1844 switch (type) { 1845 case ACE_ACCESS_ALLOWED_OBJECT_ACE_TYPE: 1846 case ACE_ACCESS_DENIED_OBJECT_ACE_TYPE: 1847 case ACE_SYSTEM_AUDIT_OBJECT_ACE_TYPE: 1848 case ACE_SYSTEM_ALARM_OBJECT_ACE_TYPE: 1849 largeace++; 1850 continue; 1851 default: 1852 count++; 1853 } 1854 } 1855 vsecp->vsa_aclcnt = count; 1856 } else 1857 count = (int)aclp->z_acl_count; 1858 1859 if (mask & VSA_ACECNT) { 1860 vsecp->vsa_aclcnt = count; 1861 } 1862 1863 if (mask & VSA_ACE) { 1864 size_t aclsz; 1865 1866 aclsz = count * sizeof (ace_t) + 1867 sizeof (ace_object_t) * largeace; 1868 1869 vsecp->vsa_aclentp = kmem_alloc(aclsz, KM_SLEEP); 1870 vsecp->vsa_aclentsz = aclsz; 1871 1872 if (aclp->z_version == ZFS_ACL_VERSION_FUID) 1873 zfs_copy_fuid_2_ace(zp->z_zfsvfs, aclp, cr, 1874 vsecp->vsa_aclentp, !(mask & VSA_ACE_ALLTYPES)); 1875 else { 1876 zfs_acl_node_t *aclnode; 1877 void *start = vsecp->vsa_aclentp; 1878 1879 for (aclnode = list_head(&aclp->z_acl); aclnode; 1880 aclnode = list_next(&aclp->z_acl, aclnode)) { 1881 bcopy(aclnode->z_acldata, start, 1882 aclnode->z_size); 1883 start = (caddr_t)start + aclnode->z_size; 1884 } 1885 ASSERT((caddr_t)start - (caddr_t)vsecp->vsa_aclentp == 1886 aclp->z_acl_bytes); 1887 } 1888 } 1889 if (mask & VSA_ACE_ACLFLAGS) { 1890 vsecp->vsa_aclflags = 0; 1891 if (zp->z_pflags & ZFS_ACL_DEFAULTED) 1892 vsecp->vsa_aclflags |= ACL_DEFAULTED; 1893 if (zp->z_pflags & ZFS_ACL_PROTECTED) 1894 vsecp->vsa_aclflags |= ACL_PROTECTED; 1895 if (zp->z_pflags & ZFS_ACL_AUTO_INHERIT) 1896 vsecp->vsa_aclflags |= ACL_AUTO_INHERIT; 1897 } 1898 1899 mutex_exit(&zp->z_acl_lock); 1900 1901 return (0); 1902 } 1903 1904 int 1905 zfs_vsec_2_aclp(zfsvfs_t *zfsvfs, vtype_t obj_type, 1906 vsecattr_t *vsecp, cred_t *cr, zfs_fuid_info_t **fuidp, zfs_acl_t **zaclp) 1907 { 1908 zfs_acl_t *aclp; 1909 zfs_acl_node_t *aclnode; 1910 int aclcnt = vsecp->vsa_aclcnt; 1911 int error; 1912 1913 if (vsecp->vsa_aclcnt > MAX_ACL_ENTRIES || vsecp->vsa_aclcnt <= 0) 1914 return (EINVAL); 1915 1916 aclp = zfs_acl_alloc(zfs_acl_version(zfsvfs->z_version)); 1917 1918 aclp->z_hints = 0; 1919 aclnode = zfs_acl_node_alloc(aclcnt * sizeof (zfs_object_ace_t)); 1920 if (aclp->z_version == ZFS_ACL_VERSION_INITIAL) { 1921 if ((error = zfs_copy_ace_2_oldace(obj_type, aclp, 1922 (ace_t *)vsecp->vsa_aclentp, aclnode->z_acldata, 1923 aclcnt, &aclnode->z_size)) != 0) { 1924 zfs_acl_free(aclp); 1925 zfs_acl_node_free(aclnode); 1926 return (error); 1927 } 1928 } else { 1929 if ((error = zfs_copy_ace_2_fuid(zfsvfs, obj_type, aclp, 1930 vsecp->vsa_aclentp, aclnode->z_acldata, aclcnt, 1931 &aclnode->z_size, fuidp, cr)) != 0) { 1932 zfs_acl_free(aclp); 1933 zfs_acl_node_free(aclnode); 1934 return (error); 1935 } 1936 } 1937 aclp->z_acl_bytes = aclnode->z_size; 1938 aclnode->z_ace_count = aclcnt; 1939 aclp->z_acl_count = aclcnt; 1940 list_insert_head(&aclp->z_acl, aclnode); 1941 1942 /* 1943 * If flags are being set then add them to z_hints 1944 */ 1945 if (vsecp->vsa_mask & VSA_ACE_ACLFLAGS) { 1946 if (vsecp->vsa_aclflags & ACL_PROTECTED) 1947 aclp->z_hints |= ZFS_ACL_PROTECTED; 1948 if (vsecp->vsa_aclflags & ACL_DEFAULTED) 1949 aclp->z_hints |= ZFS_ACL_DEFAULTED; 1950 if (vsecp->vsa_aclflags & ACL_AUTO_INHERIT) 1951 aclp->z_hints |= ZFS_ACL_AUTO_INHERIT; 1952 } 1953 1954 *zaclp = aclp; 1955 1956 return (0); 1957 } 1958 1959 /* 1960 * Set a files ACL 1961 */ 1962 int 1963 zfs_setacl(znode_t *zp, vsecattr_t *vsecp, boolean_t skipaclchk, cred_t *cr) 1964 { 1965 zfsvfs_t *zfsvfs = zp->z_zfsvfs; 1966 zilog_t *zilog = zfsvfs->z_log; 1967 ulong_t mask = vsecp->vsa_mask & (VSA_ACE | VSA_ACECNT); 1968 dmu_tx_t *tx; 1969 int error; 1970 zfs_acl_t *aclp; 1971 zfs_fuid_info_t *fuidp = NULL; 1972 boolean_t fuid_dirtied; 1973 1974 if (mask == 0) 1975 return (ENOSYS); 1976 1977 if (zp->z_pflags & ZFS_IMMUTABLE) 1978 return (EPERM); 1979 1980 if (error = zfs_zaccess(zp, ACE_WRITE_ACL, 0, skipaclchk, cr)) 1981 return (error); 1982 1983 error = zfs_vsec_2_aclp(zfsvfs, ZTOV(zp)->v_type, vsecp, cr, &fuidp, 1984 &aclp); 1985 if (error) 1986 return (error); 1987 1988 /* 1989 * If ACL wide flags aren't being set then preserve any 1990 * existing flags. 1991 */ 1992 if (!(vsecp->vsa_mask & VSA_ACE_ACLFLAGS)) { 1993 aclp->z_hints |= 1994 (zp->z_pflags & V4_ACL_WIDE_FLAGS); 1995 } 1996 top: 1997 mutex_enter(&zp->z_lock); 1998 mutex_enter(&zp->z_acl_lock); 1999 2000 tx = dmu_tx_create(zfsvfs->z_os); 2001 2002 dmu_tx_hold_sa(tx, zp->z_sa_hdl, B_TRUE); 2003 2004 fuid_dirtied = zfsvfs->z_fuid_dirty; 2005 if (fuid_dirtied) 2006 zfs_fuid_txhold(zfsvfs, tx); 2007 2008 /* 2009 * If old version and ACL won't fit in bonus and we aren't 2010 * upgrading then take out necessary DMU holds 2011 */ 2012 2013 if (ZFS_EXTERNAL_ACL(zp)) { 2014 if (zfsvfs->z_version <= ZPL_VERSION_SA && 2015 ZNODE_ACL_VERSION(zp) <= ZFS_ACL_VERSION_INITIAL) { 2016 dmu_tx_hold_free(tx, ZFS_EXTERNAL_ACL(zp), 0, 2017 DMU_OBJECT_END); 2018 } else { 2019 dmu_tx_hold_write(tx, ZFS_EXTERNAL_ACL(zp), 2020 0, aclp->z_acl_bytes); 2021 } 2022 } else if (!zp->z_is_sa && aclp->z_acl_bytes > ZFS_ACE_SPACE) { 2023 dmu_tx_hold_write(tx, DMU_NEW_OBJECT, 0, aclp->z_acl_bytes); 2024 } 2025 2026 zfs_sa_upgrade_txholds(tx, zp); 2027 error = dmu_tx_assign(tx, TXG_NOWAIT); 2028 if (error) { 2029 mutex_exit(&zp->z_acl_lock); 2030 mutex_exit(&zp->z_lock); 2031 2032 if (error == ERESTART) { 2033 dmu_tx_wait(tx); 2034 dmu_tx_abort(tx); 2035 goto top; 2036 } 2037 dmu_tx_abort(tx); 2038 zfs_acl_free(aclp); 2039 return (error); 2040 } 2041 2042 error = zfs_aclset_common(zp, aclp, cr, tx); 2043 ASSERT(error == 0); 2044 zp->z_acl_cached = aclp; 2045 2046 if (fuid_dirtied) 2047 zfs_fuid_sync(zfsvfs, tx); 2048 2049 zfs_log_acl(zilog, tx, zp, vsecp, fuidp); 2050 2051 if (fuidp) 2052 zfs_fuid_info_free(fuidp); 2053 dmu_tx_commit(tx); 2054 done: 2055 mutex_exit(&zp->z_acl_lock); 2056 mutex_exit(&zp->z_lock); 2057 2058 return (error); 2059 } 2060 2061 /* 2062 * Check accesses of interest (AoI) against attributes of the dataset 2063 * such as read-only. Returns zero if no AoI conflict with dataset 2064 * attributes, otherwise an appropriate errno is returned. 2065 */ 2066 static int 2067 zfs_zaccess_dataset_check(znode_t *zp, uint32_t v4_mode) 2068 { 2069 if ((v4_mode & WRITE_MASK) && 2070 (zp->z_zfsvfs->z_vfs->vfs_flag & VFS_RDONLY) && 2071 (!IS_DEVVP(ZTOV(zp)) || 2072 (IS_DEVVP(ZTOV(zp)) && (v4_mode & WRITE_MASK_ATTRS)))) { 2073 return (EROFS); 2074 } 2075 2076 /* 2077 * Only check for READONLY on non-directories. 2078 */ 2079 if ((v4_mode & WRITE_MASK_DATA) && 2080 (((ZTOV(zp)->v_type != VDIR) && 2081 (zp->z_pflags & (ZFS_READONLY | ZFS_IMMUTABLE))) || 2082 (ZTOV(zp)->v_type == VDIR && 2083 (zp->z_pflags & ZFS_IMMUTABLE)))) { 2084 return (EPERM); 2085 } 2086 2087 if ((v4_mode & (ACE_DELETE | ACE_DELETE_CHILD)) && 2088 (zp->z_pflags & ZFS_NOUNLINK)) { 2089 return (EPERM); 2090 } 2091 2092 if (((v4_mode & (ACE_READ_DATA|ACE_EXECUTE)) && 2093 (zp->z_pflags & ZFS_AV_QUARANTINED))) { 2094 return (EACCES); 2095 } 2096 2097 return (0); 2098 } 2099 2100 /* 2101 * The primary usage of this function is to loop through all of the 2102 * ACEs in the znode, determining what accesses of interest (AoI) to 2103 * the caller are allowed or denied. The AoI are expressed as bits in 2104 * the working_mode parameter. As each ACE is processed, bits covered 2105 * by that ACE are removed from the working_mode. This removal 2106 * facilitates two things. The first is that when the working mode is 2107 * empty (= 0), we know we've looked at all the AoI. The second is 2108 * that the ACE interpretation rules don't allow a later ACE to undo 2109 * something granted or denied by an earlier ACE. Removing the 2110 * discovered access or denial enforces this rule. At the end of 2111 * processing the ACEs, all AoI that were found to be denied are 2112 * placed into the working_mode, giving the caller a mask of denied 2113 * accesses. Returns: 2114 * 0 if all AoI granted 2115 * EACCESS if the denied mask is non-zero 2116 * other error if abnormal failure (e.g., IO error) 2117 * 2118 * A secondary usage of the function is to determine if any of the 2119 * AoI are granted. If an ACE grants any access in 2120 * the working_mode, we immediately short circuit out of the function. 2121 * This mode is chosen by setting anyaccess to B_TRUE. The 2122 * working_mode is not a denied access mask upon exit if the function 2123 * is used in this manner. 2124 */ 2125 static int 2126 zfs_zaccess_aces_check(znode_t *zp, uint32_t *working_mode, 2127 boolean_t anyaccess, cred_t *cr) 2128 { 2129 zfsvfs_t *zfsvfs = zp->z_zfsvfs; 2130 zfs_acl_t *aclp; 2131 int error; 2132 uid_t uid = crgetuid(cr); 2133 uint64_t who; 2134 uint16_t type, iflags; 2135 uint16_t entry_type; 2136 uint32_t access_mask; 2137 uint32_t deny_mask = 0; 2138 zfs_ace_hdr_t *acep = NULL; 2139 boolean_t checkit; 2140 uint64_t gowner; 2141 2142 mutex_enter(&zp->z_acl_lock); 2143 2144 error = zfs_acl_node_read(zp, &aclp, B_FALSE); 2145 if (error != 0) { 2146 mutex_exit(&zp->z_acl_lock); 2147 return (error); 2148 } 2149 2150 ASSERT(zp->z_acl_cached); 2151 2152 if ((error = sa_lookup(zp->z_sa_hdl, SA_ZPL_GID(zfsvfs), 2153 &gowner, sizeof (gowner))) != 0) { 2154 mutex_exit(&zp->z_acl_lock); 2155 return (error); 2156 } 2157 2158 while (acep = zfs_acl_next_ace(aclp, acep, &who, &access_mask, 2159 &iflags, &type)) { 2160 uint32_t mask_matched; 2161 2162 if (!zfs_acl_valid_ace_type(type, iflags)) 2163 continue; 2164 2165 if (ZTOV(zp)->v_type == VDIR && (iflags & ACE_INHERIT_ONLY_ACE)) 2166 continue; 2167 2168 /* Skip ACE if it does not affect any AoI */ 2169 mask_matched = (access_mask & *working_mode); 2170 if (!mask_matched) 2171 continue; 2172 2173 entry_type = (iflags & ACE_TYPE_FLAGS); 2174 2175 checkit = B_FALSE; 2176 2177 switch (entry_type) { 2178 case ACE_OWNER: 2179 if (uid == zp->z_uid) 2180 checkit = B_TRUE; 2181 break; 2182 case OWNING_GROUP: 2183 who = gowner; 2184 /*FALLTHROUGH*/ 2185 case ACE_IDENTIFIER_GROUP: 2186 checkit = zfs_groupmember(zfsvfs, who, cr); 2187 break; 2188 case ACE_EVERYONE: 2189 checkit = B_TRUE; 2190 break; 2191 2192 /* USER Entry */ 2193 default: 2194 if (entry_type == 0) { 2195 uid_t newid; 2196 2197 newid = zfs_fuid_map_id(zfsvfs, who, cr, 2198 ZFS_ACE_USER); 2199 if (newid != IDMAP_WK_CREATOR_OWNER_UID && 2200 uid == newid) 2201 checkit = B_TRUE; 2202 break; 2203 } else { 2204 mutex_exit(&zp->z_acl_lock); 2205 return (EIO); 2206 } 2207 } 2208 2209 if (checkit) { 2210 if (type == DENY) { 2211 DTRACE_PROBE3(zfs__ace__denies, 2212 znode_t *, zp, 2213 zfs_ace_hdr_t *, acep, 2214 uint32_t, mask_matched); 2215 deny_mask |= mask_matched; 2216 } else { 2217 DTRACE_PROBE3(zfs__ace__allows, 2218 znode_t *, zp, 2219 zfs_ace_hdr_t *, acep, 2220 uint32_t, mask_matched); 2221 if (anyaccess) { 2222 mutex_exit(&zp->z_acl_lock); 2223 return (0); 2224 } 2225 } 2226 *working_mode &= ~mask_matched; 2227 } 2228 2229 /* Are we done? */ 2230 if (*working_mode == 0) 2231 break; 2232 } 2233 2234 mutex_exit(&zp->z_acl_lock); 2235 2236 /* Put the found 'denies' back on the working mode */ 2237 if (deny_mask) { 2238 *working_mode |= deny_mask; 2239 return (EACCES); 2240 } else if (*working_mode) { 2241 return (-1); 2242 } 2243 2244 return (0); 2245 } 2246 2247 /* 2248 * Return true if any access whatsoever granted, we don't actually 2249 * care what access is granted. 2250 */ 2251 boolean_t 2252 zfs_has_access(znode_t *zp, cred_t *cr) 2253 { 2254 uint32_t have = ACE_ALL_PERMS; 2255 2256 if (zfs_zaccess_aces_check(zp, &have, B_TRUE, cr) != 0) { 2257 return (secpolicy_vnode_any_access(cr, ZTOV(zp), 2258 zp->z_uid) == 0); 2259 } 2260 return (B_TRUE); 2261 } 2262 2263 static int 2264 zfs_zaccess_common(znode_t *zp, uint32_t v4_mode, uint32_t *working_mode, 2265 boolean_t *check_privs, boolean_t skipaclchk, cred_t *cr) 2266 { 2267 zfsvfs_t *zfsvfs = zp->z_zfsvfs; 2268 int err; 2269 2270 *working_mode = v4_mode; 2271 *check_privs = B_TRUE; 2272 2273 /* 2274 * Short circuit empty requests 2275 */ 2276 if (v4_mode == 0 || zfsvfs->z_replay) { 2277 *working_mode = 0; 2278 return (0); 2279 } 2280 2281 if ((err = zfs_zaccess_dataset_check(zp, v4_mode)) != 0) { 2282 *check_privs = B_FALSE; 2283 return (err); 2284 } 2285 2286 /* 2287 * The caller requested that the ACL check be skipped. This 2288 * would only happen if the caller checked VOP_ACCESS() with a 2289 * 32 bit ACE mask and already had the appropriate permissions. 2290 */ 2291 if (skipaclchk) { 2292 *working_mode = 0; 2293 return (0); 2294 } 2295 2296 return (zfs_zaccess_aces_check(zp, working_mode, B_FALSE, cr)); 2297 } 2298 2299 static int 2300 zfs_zaccess_append(znode_t *zp, uint32_t *working_mode, boolean_t *check_privs, 2301 cred_t *cr) 2302 { 2303 if (*working_mode != ACE_WRITE_DATA) 2304 return (EACCES); 2305 2306 return (zfs_zaccess_common(zp, ACE_APPEND_DATA, working_mode, 2307 check_privs, B_FALSE, cr)); 2308 } 2309 2310 int 2311 zfs_fastaccesschk_execute(znode_t *zdp, cred_t *cr) 2312 { 2313 boolean_t owner = B_FALSE; 2314 boolean_t groupmbr = B_FALSE; 2315 boolean_t is_attr; 2316 uid_t uid = crgetuid(cr); 2317 int error; 2318 2319 if (zdp->z_pflags & ZFS_AV_QUARANTINED) 2320 return (EACCES); 2321 2322 is_attr = ((zdp->z_pflags & ZFS_XATTR) && 2323 (ZTOV(zdp)->v_type == VDIR)); 2324 if (is_attr) 2325 goto slow; 2326 2327 2328 mutex_enter(&zdp->z_acl_lock); 2329 2330 if (zdp->z_pflags & ZFS_NO_EXECS_DENIED) { 2331 mutex_exit(&zdp->z_acl_lock); 2332 return (0); 2333 } 2334 2335 if (IS_EPHEMERAL(zdp->z_uid) != 0 || IS_EPHEMERAL(zdp->z_gid) != 0) { 2336 mutex_exit(&zdp->z_acl_lock); 2337 goto slow; 2338 } 2339 2340 if (uid == zdp->z_uid) { 2341 owner = B_TRUE; 2342 if (zdp->z_mode & S_IXUSR) { 2343 mutex_exit(&zdp->z_acl_lock); 2344 return (0); 2345 } else { 2346 mutex_exit(&zdp->z_acl_lock); 2347 goto slow; 2348 } 2349 } 2350 if (groupmember(zdp->z_gid, cr)) { 2351 groupmbr = B_TRUE; 2352 if (zdp->z_mode & S_IXGRP) { 2353 mutex_exit(&zdp->z_acl_lock); 2354 return (0); 2355 } else { 2356 mutex_exit(&zdp->z_acl_lock); 2357 goto slow; 2358 } 2359 } 2360 if (!owner && !groupmbr) { 2361 if (zdp->z_mode & S_IXOTH) { 2362 mutex_exit(&zdp->z_acl_lock); 2363 return (0); 2364 } 2365 } 2366 2367 mutex_exit(&zdp->z_acl_lock); 2368 2369 slow: 2370 DTRACE_PROBE(zfs__fastpath__execute__access__miss); 2371 ZFS_ENTER(zdp->z_zfsvfs); 2372 error = zfs_zaccess(zdp, ACE_EXECUTE, 0, B_FALSE, cr); 2373 ZFS_EXIT(zdp->z_zfsvfs); 2374 return (error); 2375 } 2376 2377 /* 2378 * Determine whether Access should be granted/denied. 2379 * The least priv subsytem is always consulted as a basic privilege 2380 * can define any form of access. 2381 */ 2382 int 2383 zfs_zaccess(znode_t *zp, int mode, int flags, boolean_t skipaclchk, cred_t *cr) 2384 { 2385 uint32_t working_mode; 2386 int error; 2387 int is_attr; 2388 boolean_t check_privs; 2389 znode_t *xzp; 2390 znode_t *check_zp = zp; 2391 mode_t needed_bits; 2392 2393 is_attr = ((zp->z_pflags & ZFS_XATTR) && (ZTOV(zp)->v_type == VDIR)); 2394 2395 /* 2396 * If attribute then validate against base file 2397 */ 2398 if (is_attr) { 2399 uint64_t parent; 2400 2401 if ((error = sa_lookup(zp->z_sa_hdl, 2402 SA_ZPL_PARENT(zp->z_zfsvfs), &parent, 2403 sizeof (parent))) != 0) 2404 return (error); 2405 2406 if ((error = zfs_zget(zp->z_zfsvfs, 2407 parent, &xzp)) != 0) { 2408 return (error); 2409 } 2410 2411 check_zp = xzp; 2412 2413 /* 2414 * fixup mode to map to xattr perms 2415 */ 2416 2417 if (mode & (ACE_WRITE_DATA|ACE_APPEND_DATA)) { 2418 mode &= ~(ACE_WRITE_DATA|ACE_APPEND_DATA); 2419 mode |= ACE_WRITE_NAMED_ATTRS; 2420 } 2421 2422 if (mode & (ACE_READ_DATA|ACE_EXECUTE)) { 2423 mode &= ~(ACE_READ_DATA|ACE_EXECUTE); 2424 mode |= ACE_READ_NAMED_ATTRS; 2425 } 2426 } 2427 2428 /* 2429 * Map the bits required to the standard vnode flags VREAD|VWRITE|VEXEC 2430 * in needed_bits. Map the bits mapped by working_mode (currently 2431 * missing) in missing_bits. 2432 * Call secpolicy_vnode_access2() with (needed_bits & ~checkmode), 2433 * needed_bits. 2434 */ 2435 needed_bits = 0; 2436 2437 working_mode = mode; 2438 if ((working_mode & (ACE_READ_ACL|ACE_READ_ATTRIBUTES)) && 2439 zp->z_uid == crgetuid(cr)) 2440 working_mode &= ~(ACE_READ_ACL|ACE_READ_ATTRIBUTES); 2441 2442 if (working_mode & (ACE_READ_DATA|ACE_READ_NAMED_ATTRS| 2443 ACE_READ_ACL|ACE_READ_ATTRIBUTES|ACE_SYNCHRONIZE)) 2444 needed_bits |= VREAD; 2445 if (working_mode & (ACE_WRITE_DATA|ACE_WRITE_NAMED_ATTRS| 2446 ACE_APPEND_DATA|ACE_WRITE_ATTRIBUTES|ACE_SYNCHRONIZE)) 2447 needed_bits |= VWRITE; 2448 if (working_mode & ACE_EXECUTE) 2449 needed_bits |= VEXEC; 2450 2451 if ((error = zfs_zaccess_common(check_zp, mode, &working_mode, 2452 &check_privs, skipaclchk, cr)) == 0) { 2453 if (is_attr) 2454 VN_RELE(ZTOV(xzp)); 2455 return (secpolicy_vnode_access2(cr, ZTOV(zp), zp->z_uid, 2456 needed_bits, needed_bits)); 2457 } 2458 2459 if (error && !check_privs) { 2460 if (is_attr) 2461 VN_RELE(ZTOV(xzp)); 2462 return (error); 2463 } 2464 2465 if (error && (flags & V_APPEND)) { 2466 error = zfs_zaccess_append(zp, &working_mode, &check_privs, cr); 2467 } 2468 2469 if (error && check_privs) { 2470 mode_t checkmode = 0; 2471 2472 /* 2473 * First check for implicit owner permission on 2474 * read_acl/read_attributes 2475 */ 2476 2477 error = 0; 2478 ASSERT(working_mode != 0); 2479 2480 if ((working_mode & (ACE_READ_ACL|ACE_READ_ATTRIBUTES) && 2481 zp->z_uid == crgetuid(cr))) 2482 working_mode &= ~(ACE_READ_ACL|ACE_READ_ATTRIBUTES); 2483 2484 if (working_mode & (ACE_READ_DATA|ACE_READ_NAMED_ATTRS| 2485 ACE_READ_ACL|ACE_READ_ATTRIBUTES|ACE_SYNCHRONIZE)) 2486 checkmode |= VREAD; 2487 if (working_mode & (ACE_WRITE_DATA|ACE_WRITE_NAMED_ATTRS| 2488 ACE_APPEND_DATA|ACE_WRITE_ATTRIBUTES|ACE_SYNCHRONIZE)) 2489 checkmode |= VWRITE; 2490 if (working_mode & ACE_EXECUTE) 2491 checkmode |= VEXEC; 2492 2493 error = secpolicy_vnode_access2(cr, ZTOV(check_zp), zp->z_uid, 2494 needed_bits & ~checkmode, needed_bits); 2495 2496 if (error == 0 && (working_mode & ACE_WRITE_OWNER)) 2497 error = secpolicy_vnode_chown(cr, zp->z_uid); 2498 if (error == 0 && (working_mode & ACE_WRITE_ACL)) 2499 error = secpolicy_vnode_setdac(cr, zp->z_uid); 2500 2501 if (error == 0 && (working_mode & 2502 (ACE_DELETE|ACE_DELETE_CHILD))) 2503 error = secpolicy_vnode_remove(cr); 2504 2505 if (error == 0 && (working_mode & ACE_SYNCHRONIZE)) { 2506 error = secpolicy_vnode_chown(cr, zp->z_uid); 2507 } 2508 if (error == 0) { 2509 /* 2510 * See if any bits other than those already checked 2511 * for are still present. If so then return EACCES 2512 */ 2513 if (working_mode & ~(ZFS_CHECKED_MASKS)) { 2514 error = EACCES; 2515 } 2516 } 2517 } else if (error == 0) { 2518 error = secpolicy_vnode_access2(cr, ZTOV(zp), zp->z_uid, 2519 needed_bits, needed_bits); 2520 } 2521 2522 2523 if (is_attr) 2524 VN_RELE(ZTOV(xzp)); 2525 2526 return (error); 2527 } 2528 2529 /* 2530 * Translate traditional unix VREAD/VWRITE/VEXEC mode into 2531 * native ACL format and call zfs_zaccess() 2532 */ 2533 int 2534 zfs_zaccess_rwx(znode_t *zp, mode_t mode, int flags, cred_t *cr) 2535 { 2536 return (zfs_zaccess(zp, zfs_unix_to_v4(mode >> 6), flags, B_FALSE, cr)); 2537 } 2538 2539 /* 2540 * Access function for secpolicy_vnode_setattr 2541 */ 2542 int 2543 zfs_zaccess_unix(znode_t *zp, mode_t mode, cred_t *cr) 2544 { 2545 int v4_mode = zfs_unix_to_v4(mode >> 6); 2546 2547 return (zfs_zaccess(zp, v4_mode, 0, B_FALSE, cr)); 2548 } 2549 2550 static int 2551 zfs_delete_final_check(znode_t *zp, znode_t *dzp, 2552 mode_t available_perms, cred_t *cr) 2553 { 2554 int error; 2555 2556 error = secpolicy_vnode_access2(cr, ZTOV(dzp), 2557 dzp->z_uid, available_perms, VWRITE|VEXEC); 2558 2559 if (error == 0) 2560 error = zfs_sticky_remove_access(dzp, zp, cr); 2561 2562 return (error); 2563 } 2564 2565 /* 2566 * Determine whether Access should be granted/deny, without 2567 * consulting least priv subsystem. 2568 * 2569 * 2570 * The following chart is the recommended NFSv4 enforcement for 2571 * ability to delete an object. 2572 * 2573 * ------------------------------------------------------- 2574 * | Parent Dir | Target Object Permissions | 2575 * | permissions | | 2576 * ------------------------------------------------------- 2577 * | | ACL Allows | ACL Denies| Delete | 2578 * | | Delete | Delete | unspecified| 2579 * ------------------------------------------------------- 2580 * | ACL Allows | Permit | Permit | Permit | 2581 * | DELETE_CHILD | | 2582 * ------------------------------------------------------- 2583 * | ACL Denies | Permit | Deny | Deny | 2584 * | DELETE_CHILD | | | | 2585 * ------------------------------------------------------- 2586 * | ACL specifies | | | | 2587 * | only allow | Permit | Permit | Permit | 2588 * | write and | | | | 2589 * | execute | | | | 2590 * ------------------------------------------------------- 2591 * | ACL denies | | | | 2592 * | write and | Permit | Deny | Deny | 2593 * | execute | | | | 2594 * ------------------------------------------------------- 2595 * ^ 2596 * | 2597 * No search privilege, can't even look up file? 2598 * 2599 */ 2600 int 2601 zfs_zaccess_delete(znode_t *dzp, znode_t *zp, cred_t *cr) 2602 { 2603 uint32_t dzp_working_mode = 0; 2604 uint32_t zp_working_mode = 0; 2605 int dzp_error, zp_error; 2606 mode_t available_perms; 2607 boolean_t dzpcheck_privs = B_TRUE; 2608 boolean_t zpcheck_privs = B_TRUE; 2609 2610 /* 2611 * We want specific DELETE permissions to 2612 * take precedence over WRITE/EXECUTE. We don't 2613 * want an ACL such as this to mess us up. 2614 * user:joe:write_data:deny,user:joe:delete:allow 2615 * 2616 * However, deny permissions may ultimately be overridden 2617 * by secpolicy_vnode_access(). 2618 * 2619 * We will ask for all of the necessary permissions and then 2620 * look at the working modes from the directory and target object 2621 * to determine what was found. 2622 */ 2623 2624 if (zp->z_pflags & (ZFS_IMMUTABLE | ZFS_NOUNLINK)) 2625 return (EPERM); 2626 2627 /* 2628 * First row 2629 * If the directory permissions allow the delete, we are done. 2630 */ 2631 if ((dzp_error = zfs_zaccess_common(dzp, ACE_DELETE_CHILD, 2632 &dzp_working_mode, &dzpcheck_privs, B_FALSE, cr)) == 0) 2633 return (0); 2634 2635 /* 2636 * If target object has delete permission then we are done 2637 */ 2638 if ((zp_error = zfs_zaccess_common(zp, ACE_DELETE, &zp_working_mode, 2639 &zpcheck_privs, B_FALSE, cr)) == 0) 2640 return (0); 2641 2642 ASSERT(dzp_error && zp_error); 2643 2644 if (!dzpcheck_privs) 2645 return (dzp_error); 2646 if (!zpcheck_privs) 2647 return (zp_error); 2648 2649 /* 2650 * Second row 2651 * 2652 * If directory returns EACCES then delete_child was denied 2653 * due to deny delete_child. In this case send the request through 2654 * secpolicy_vnode_remove(). We don't use zfs_delete_final_check() 2655 * since that *could* allow the delete based on write/execute permission 2656 * and we want delete permissions to override write/execute. 2657 */ 2658 2659 if (dzp_error == EACCES) 2660 return (secpolicy_vnode_remove(cr)); 2661 2662 /* 2663 * Third Row 2664 * only need to see if we have write/execute on directory. 2665 */ 2666 2667 dzp_error = zfs_zaccess_common(dzp, ACE_EXECUTE|ACE_WRITE_DATA, 2668 &dzp_working_mode, &dzpcheck_privs, B_FALSE, cr); 2669 2670 if (dzp_error != 0 && !dzpcheck_privs) 2671 return (dzp_error); 2672 2673 /* 2674 * Fourth row 2675 */ 2676 2677 available_perms = (dzp_working_mode & ACE_WRITE_DATA) ? 0 : VWRITE; 2678 available_perms |= (dzp_working_mode & ACE_EXECUTE) ? 0 : VEXEC; 2679 2680 return (zfs_delete_final_check(zp, dzp, available_perms, cr)); 2681 2682 } 2683 2684 int 2685 zfs_zaccess_rename(znode_t *sdzp, znode_t *szp, znode_t *tdzp, 2686 znode_t *tzp, cred_t *cr) 2687 { 2688 int add_perm; 2689 int error; 2690 2691 if (szp->z_pflags & ZFS_AV_QUARANTINED) 2692 return (EACCES); 2693 2694 add_perm = (ZTOV(szp)->v_type == VDIR) ? 2695 ACE_ADD_SUBDIRECTORY : ACE_ADD_FILE; 2696 2697 /* 2698 * Rename permissions are combination of delete permission + 2699 * add file/subdir permission. 2700 */ 2701 2702 /* 2703 * first make sure we do the delete portion. 2704 * 2705 * If that succeeds then check for add_file/add_subdir permissions 2706 */ 2707 2708 if (error = zfs_zaccess_delete(sdzp, szp, cr)) 2709 return (error); 2710 2711 /* 2712 * If we have a tzp, see if we can delete it? 2713 */ 2714 if (tzp) { 2715 if (error = zfs_zaccess_delete(tdzp, tzp, cr)) 2716 return (error); 2717 } 2718 2719 /* 2720 * Now check for add permissions 2721 */ 2722 error = zfs_zaccess(tdzp, add_perm, 0, B_FALSE, cr); 2723 2724 return (error); 2725 } 2726