1 /* 2 * CDDL HEADER START 3 * 4 * The contents of this file are subject to the terms of the 5 * Common Development and Distribution License (the "License"). 6 * You may not use this file except in compliance with the License. 7 * 8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE 9 * or http://www.opensolaris.org/os/licensing. 10 * See the License for the specific language governing permissions 11 * and limitations under the License. 12 * 13 * When distributing Covered Code, include this CDDL HEADER in each 14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE. 15 * If applicable, add the following below this CDDL HEADER, with the 16 * fields enclosed by brackets "[]" replaced with your own identifying 17 * information: Portions Copyright [yyyy] [name of copyright owner] 18 * 19 * CDDL HEADER END 20 */ 21 /* 22 * Copyright 2009 Sun Microsystems, Inc. All rights reserved. 23 * Use is subject to license terms. 24 */ 25 26 #include <sys/types.h> 27 #include <sys/param.h> 28 #include <sys/time.h> 29 #include <sys/systm.h> 30 #include <sys/sysmacros.h> 31 #include <sys/resource.h> 32 #include <sys/vfs.h> 33 #include <sys/vnode.h> 34 #include <sys/sid.h> 35 #include <sys/file.h> 36 #include <sys/stat.h> 37 #include <sys/kmem.h> 38 #include <sys/cmn_err.h> 39 #include <sys/errno.h> 40 #include <sys/unistd.h> 41 #include <sys/sdt.h> 42 #include <sys/fs/zfs.h> 43 #include <sys/mode.h> 44 #include <sys/policy.h> 45 #include <sys/zfs_znode.h> 46 #include <sys/zfs_fuid.h> 47 #include <sys/zfs_acl.h> 48 #include <sys/zfs_dir.h> 49 #include <sys/zfs_vfsops.h> 50 #include <sys/dmu.h> 51 #include <sys/dnode.h> 52 #include <sys/zap.h> 53 #include "fs/fs_subr.h" 54 #include <acl/acl_common.h> 55 56 #define ALLOW ACE_ACCESS_ALLOWED_ACE_TYPE 57 #define DENY ACE_ACCESS_DENIED_ACE_TYPE 58 #define MAX_ACE_TYPE ACE_SYSTEM_ALARM_CALLBACK_OBJECT_ACE_TYPE 59 #define MIN_ACE_TYPE ALLOW 60 61 #define OWNING_GROUP (ACE_GROUP|ACE_IDENTIFIER_GROUP) 62 #define EVERYONE_ALLOW_MASK (ACE_READ_ACL|ACE_READ_ATTRIBUTES | \ 63 ACE_READ_NAMED_ATTRS|ACE_SYNCHRONIZE) 64 #define EVERYONE_DENY_MASK (ACE_WRITE_ACL|ACE_WRITE_OWNER | \ 65 ACE_WRITE_ATTRIBUTES|ACE_WRITE_NAMED_ATTRS) 66 #define OWNER_ALLOW_MASK (ACE_WRITE_ACL | ACE_WRITE_OWNER | \ 67 ACE_WRITE_ATTRIBUTES|ACE_WRITE_NAMED_ATTRS) 68 69 #define ZFS_CHECKED_MASKS (ACE_READ_ACL|ACE_READ_ATTRIBUTES|ACE_READ_DATA| \ 70 ACE_READ_NAMED_ATTRS|ACE_WRITE_DATA|ACE_WRITE_ATTRIBUTES| \ 71 ACE_WRITE_NAMED_ATTRS|ACE_APPEND_DATA|ACE_EXECUTE|ACE_WRITE_OWNER| \ 72 ACE_WRITE_ACL|ACE_DELETE|ACE_DELETE_CHILD|ACE_SYNCHRONIZE) 73 74 #define WRITE_MASK_DATA (ACE_WRITE_DATA|ACE_APPEND_DATA|ACE_WRITE_NAMED_ATTRS) 75 #define WRITE_MASK_ATTRS (ACE_WRITE_ACL|ACE_WRITE_OWNER|ACE_WRITE_ATTRIBUTES| \ 76 ACE_DELETE|ACE_DELETE_CHILD) 77 #define WRITE_MASK (WRITE_MASK_DATA|WRITE_MASK_ATTRS) 78 79 #define OGE_CLEAR (ACE_READ_DATA|ACE_LIST_DIRECTORY|ACE_WRITE_DATA| \ 80 ACE_ADD_FILE|ACE_APPEND_DATA|ACE_ADD_SUBDIRECTORY|ACE_EXECUTE) 81 82 #define OKAY_MASK_BITS (ACE_READ_DATA|ACE_LIST_DIRECTORY|ACE_WRITE_DATA| \ 83 ACE_ADD_FILE|ACE_APPEND_DATA|ACE_ADD_SUBDIRECTORY|ACE_EXECUTE) 84 85 #define ALL_INHERIT (ACE_FILE_INHERIT_ACE|ACE_DIRECTORY_INHERIT_ACE | \ 86 ACE_NO_PROPAGATE_INHERIT_ACE|ACE_INHERIT_ONLY_ACE|ACE_INHERITED_ACE) 87 88 #define RESTRICTED_CLEAR (ACE_WRITE_ACL|ACE_WRITE_OWNER) 89 90 #define V4_ACL_WIDE_FLAGS (ZFS_ACL_AUTO_INHERIT|ZFS_ACL_DEFAULTED|\ 91 ZFS_ACL_PROTECTED) 92 93 #define ZFS_ACL_WIDE_FLAGS (V4_ACL_WIDE_FLAGS|ZFS_ACL_TRIVIAL|ZFS_INHERIT_ACE|\ 94 ZFS_ACL_OBJ_ACE) 95 96 static uint16_t 97 zfs_ace_v0_get_type(void *acep) 98 { 99 return (((zfs_oldace_t *)acep)->z_type); 100 } 101 102 static uint16_t 103 zfs_ace_v0_get_flags(void *acep) 104 { 105 return (((zfs_oldace_t *)acep)->z_flags); 106 } 107 108 static uint32_t 109 zfs_ace_v0_get_mask(void *acep) 110 { 111 return (((zfs_oldace_t *)acep)->z_access_mask); 112 } 113 114 static uint64_t 115 zfs_ace_v0_get_who(void *acep) 116 { 117 return (((zfs_oldace_t *)acep)->z_fuid); 118 } 119 120 static void 121 zfs_ace_v0_set_type(void *acep, uint16_t type) 122 { 123 ((zfs_oldace_t *)acep)->z_type = type; 124 } 125 126 static void 127 zfs_ace_v0_set_flags(void *acep, uint16_t flags) 128 { 129 ((zfs_oldace_t *)acep)->z_flags = flags; 130 } 131 132 static void 133 zfs_ace_v0_set_mask(void *acep, uint32_t mask) 134 { 135 ((zfs_oldace_t *)acep)->z_access_mask = mask; 136 } 137 138 static void 139 zfs_ace_v0_set_who(void *acep, uint64_t who) 140 { 141 ((zfs_oldace_t *)acep)->z_fuid = who; 142 } 143 144 /*ARGSUSED*/ 145 static size_t 146 zfs_ace_v0_size(void *acep) 147 { 148 return (sizeof (zfs_oldace_t)); 149 } 150 151 static size_t 152 zfs_ace_v0_abstract_size(void) 153 { 154 return (sizeof (zfs_oldace_t)); 155 } 156 157 static int 158 zfs_ace_v0_mask_off(void) 159 { 160 return (offsetof(zfs_oldace_t, z_access_mask)); 161 } 162 163 /*ARGSUSED*/ 164 static int 165 zfs_ace_v0_data(void *acep, void **datap) 166 { 167 *datap = NULL; 168 return (0); 169 } 170 171 static acl_ops_t zfs_acl_v0_ops = { 172 zfs_ace_v0_get_mask, 173 zfs_ace_v0_set_mask, 174 zfs_ace_v0_get_flags, 175 zfs_ace_v0_set_flags, 176 zfs_ace_v0_get_type, 177 zfs_ace_v0_set_type, 178 zfs_ace_v0_get_who, 179 zfs_ace_v0_set_who, 180 zfs_ace_v0_size, 181 zfs_ace_v0_abstract_size, 182 zfs_ace_v0_mask_off, 183 zfs_ace_v0_data 184 }; 185 186 static uint16_t 187 zfs_ace_fuid_get_type(void *acep) 188 { 189 return (((zfs_ace_hdr_t *)acep)->z_type); 190 } 191 192 static uint16_t 193 zfs_ace_fuid_get_flags(void *acep) 194 { 195 return (((zfs_ace_hdr_t *)acep)->z_flags); 196 } 197 198 static uint32_t 199 zfs_ace_fuid_get_mask(void *acep) 200 { 201 return (((zfs_ace_hdr_t *)acep)->z_access_mask); 202 } 203 204 static uint64_t 205 zfs_ace_fuid_get_who(void *args) 206 { 207 uint16_t entry_type; 208 zfs_ace_t *acep = args; 209 210 entry_type = acep->z_hdr.z_flags & ACE_TYPE_FLAGS; 211 212 if (entry_type == ACE_OWNER || entry_type == OWNING_GROUP || 213 entry_type == ACE_EVERYONE) 214 return (-1); 215 return (((zfs_ace_t *)acep)->z_fuid); 216 } 217 218 static void 219 zfs_ace_fuid_set_type(void *acep, uint16_t type) 220 { 221 ((zfs_ace_hdr_t *)acep)->z_type = type; 222 } 223 224 static void 225 zfs_ace_fuid_set_flags(void *acep, uint16_t flags) 226 { 227 ((zfs_ace_hdr_t *)acep)->z_flags = flags; 228 } 229 230 static void 231 zfs_ace_fuid_set_mask(void *acep, uint32_t mask) 232 { 233 ((zfs_ace_hdr_t *)acep)->z_access_mask = mask; 234 } 235 236 static void 237 zfs_ace_fuid_set_who(void *arg, uint64_t who) 238 { 239 zfs_ace_t *acep = arg; 240 241 uint16_t entry_type = acep->z_hdr.z_flags & ACE_TYPE_FLAGS; 242 243 if (entry_type == ACE_OWNER || entry_type == OWNING_GROUP || 244 entry_type == ACE_EVERYONE) 245 return; 246 acep->z_fuid = who; 247 } 248 249 static size_t 250 zfs_ace_fuid_size(void *acep) 251 { 252 zfs_ace_hdr_t *zacep = acep; 253 uint16_t entry_type; 254 255 switch (zacep->z_type) { 256 case ACE_ACCESS_ALLOWED_OBJECT_ACE_TYPE: 257 case ACE_ACCESS_DENIED_OBJECT_ACE_TYPE: 258 case ACE_SYSTEM_AUDIT_OBJECT_ACE_TYPE: 259 case ACE_SYSTEM_ALARM_OBJECT_ACE_TYPE: 260 return (sizeof (zfs_object_ace_t)); 261 case ALLOW: 262 case DENY: 263 entry_type = 264 (((zfs_ace_hdr_t *)acep)->z_flags & ACE_TYPE_FLAGS); 265 if (entry_type == ACE_OWNER || 266 entry_type == OWNING_GROUP || 267 entry_type == ACE_EVERYONE) 268 return (sizeof (zfs_ace_hdr_t)); 269 /*FALLTHROUGH*/ 270 default: 271 return (sizeof (zfs_ace_t)); 272 } 273 } 274 275 static size_t 276 zfs_ace_fuid_abstract_size(void) 277 { 278 return (sizeof (zfs_ace_hdr_t)); 279 } 280 281 static int 282 zfs_ace_fuid_mask_off(void) 283 { 284 return (offsetof(zfs_ace_hdr_t, z_access_mask)); 285 } 286 287 static int 288 zfs_ace_fuid_data(void *acep, void **datap) 289 { 290 zfs_ace_t *zacep = acep; 291 zfs_object_ace_t *zobjp; 292 293 switch (zacep->z_hdr.z_type) { 294 case ACE_ACCESS_ALLOWED_OBJECT_ACE_TYPE: 295 case ACE_ACCESS_DENIED_OBJECT_ACE_TYPE: 296 case ACE_SYSTEM_AUDIT_OBJECT_ACE_TYPE: 297 case ACE_SYSTEM_ALARM_OBJECT_ACE_TYPE: 298 zobjp = acep; 299 *datap = (caddr_t)zobjp + sizeof (zfs_ace_t); 300 return (sizeof (zfs_object_ace_t) - sizeof (zfs_ace_t)); 301 default: 302 *datap = NULL; 303 return (0); 304 } 305 } 306 307 static acl_ops_t zfs_acl_fuid_ops = { 308 zfs_ace_fuid_get_mask, 309 zfs_ace_fuid_set_mask, 310 zfs_ace_fuid_get_flags, 311 zfs_ace_fuid_set_flags, 312 zfs_ace_fuid_get_type, 313 zfs_ace_fuid_set_type, 314 zfs_ace_fuid_get_who, 315 zfs_ace_fuid_set_who, 316 zfs_ace_fuid_size, 317 zfs_ace_fuid_abstract_size, 318 zfs_ace_fuid_mask_off, 319 zfs_ace_fuid_data 320 }; 321 322 static int 323 zfs_acl_version(int version) 324 { 325 if (version < ZPL_VERSION_FUID) 326 return (ZFS_ACL_VERSION_INITIAL); 327 else 328 return (ZFS_ACL_VERSION_FUID); 329 } 330 331 static int 332 zfs_acl_version_zp(znode_t *zp) 333 { 334 return (zfs_acl_version(zp->z_zfsvfs->z_version)); 335 } 336 337 static zfs_acl_t * 338 zfs_acl_alloc(int vers) 339 { 340 zfs_acl_t *aclp; 341 342 aclp = kmem_zalloc(sizeof (zfs_acl_t), KM_SLEEP); 343 list_create(&aclp->z_acl, sizeof (zfs_acl_node_t), 344 offsetof(zfs_acl_node_t, z_next)); 345 aclp->z_version = vers; 346 if (vers == ZFS_ACL_VERSION_FUID) 347 aclp->z_ops = zfs_acl_fuid_ops; 348 else 349 aclp->z_ops = zfs_acl_v0_ops; 350 return (aclp); 351 } 352 353 static zfs_acl_node_t * 354 zfs_acl_node_alloc(size_t bytes) 355 { 356 zfs_acl_node_t *aclnode; 357 358 aclnode = kmem_zalloc(sizeof (zfs_acl_node_t), KM_SLEEP); 359 if (bytes) { 360 aclnode->z_acldata = kmem_alloc(bytes, KM_SLEEP); 361 aclnode->z_allocdata = aclnode->z_acldata; 362 aclnode->z_allocsize = bytes; 363 aclnode->z_size = bytes; 364 } 365 366 return (aclnode); 367 } 368 369 static void 370 zfs_acl_node_free(zfs_acl_node_t *aclnode) 371 { 372 if (aclnode->z_allocsize) 373 kmem_free(aclnode->z_allocdata, aclnode->z_allocsize); 374 kmem_free(aclnode, sizeof (zfs_acl_node_t)); 375 } 376 377 static void 378 zfs_acl_release_nodes(zfs_acl_t *aclp) 379 { 380 zfs_acl_node_t *aclnode; 381 382 while (aclnode = list_head(&aclp->z_acl)) { 383 list_remove(&aclp->z_acl, aclnode); 384 zfs_acl_node_free(aclnode); 385 } 386 aclp->z_acl_count = 0; 387 aclp->z_acl_bytes = 0; 388 } 389 390 void 391 zfs_acl_free(zfs_acl_t *aclp) 392 { 393 zfs_acl_release_nodes(aclp); 394 list_destroy(&aclp->z_acl); 395 kmem_free(aclp, sizeof (zfs_acl_t)); 396 } 397 398 static boolean_t 399 zfs_acl_valid_ace_type(uint_t type, uint_t flags) 400 { 401 uint16_t entry_type; 402 403 switch (type) { 404 case ALLOW: 405 case DENY: 406 case ACE_SYSTEM_AUDIT_ACE_TYPE: 407 case ACE_SYSTEM_ALARM_ACE_TYPE: 408 entry_type = flags & ACE_TYPE_FLAGS; 409 return (entry_type == ACE_OWNER || 410 entry_type == OWNING_GROUP || 411 entry_type == ACE_EVERYONE || entry_type == 0 || 412 entry_type == ACE_IDENTIFIER_GROUP); 413 default: 414 if (type >= MIN_ACE_TYPE && type <= MAX_ACE_TYPE) 415 return (B_TRUE); 416 } 417 return (B_FALSE); 418 } 419 420 static boolean_t 421 zfs_ace_valid(vtype_t obj_type, zfs_acl_t *aclp, uint16_t type, uint16_t iflags) 422 { 423 /* 424 * first check type of entry 425 */ 426 427 if (!zfs_acl_valid_ace_type(type, iflags)) 428 return (B_FALSE); 429 430 switch (type) { 431 case ACE_ACCESS_ALLOWED_OBJECT_ACE_TYPE: 432 case ACE_ACCESS_DENIED_OBJECT_ACE_TYPE: 433 case ACE_SYSTEM_AUDIT_OBJECT_ACE_TYPE: 434 case ACE_SYSTEM_ALARM_OBJECT_ACE_TYPE: 435 if (aclp->z_version < ZFS_ACL_VERSION_FUID) 436 return (B_FALSE); 437 aclp->z_hints |= ZFS_ACL_OBJ_ACE; 438 } 439 440 /* 441 * next check inheritance level flags 442 */ 443 444 if (obj_type == VDIR && 445 (iflags & (ACE_FILE_INHERIT_ACE|ACE_DIRECTORY_INHERIT_ACE))) 446 aclp->z_hints |= ZFS_INHERIT_ACE; 447 448 if (iflags & (ACE_INHERIT_ONLY_ACE|ACE_NO_PROPAGATE_INHERIT_ACE)) { 449 if ((iflags & (ACE_FILE_INHERIT_ACE| 450 ACE_DIRECTORY_INHERIT_ACE)) == 0) { 451 return (B_FALSE); 452 } 453 } 454 455 return (B_TRUE); 456 } 457 458 static void * 459 zfs_acl_next_ace(zfs_acl_t *aclp, void *start, uint64_t *who, 460 uint32_t *access_mask, uint16_t *iflags, uint16_t *type) 461 { 462 zfs_acl_node_t *aclnode; 463 464 if (start == NULL) { 465 aclnode = list_head(&aclp->z_acl); 466 if (aclnode == NULL) 467 return (NULL); 468 469 aclp->z_next_ace = aclnode->z_acldata; 470 aclp->z_curr_node = aclnode; 471 aclnode->z_ace_idx = 0; 472 } 473 474 aclnode = aclp->z_curr_node; 475 476 if (aclnode == NULL) 477 return (NULL); 478 479 if (aclnode->z_ace_idx >= aclnode->z_ace_count) { 480 aclnode = list_next(&aclp->z_acl, aclnode); 481 if (aclnode == NULL) 482 return (NULL); 483 else { 484 aclp->z_curr_node = aclnode; 485 aclnode->z_ace_idx = 0; 486 aclp->z_next_ace = aclnode->z_acldata; 487 } 488 } 489 490 if (aclnode->z_ace_idx < aclnode->z_ace_count) { 491 void *acep = aclp->z_next_ace; 492 size_t ace_size; 493 494 /* 495 * Make sure we don't overstep our bounds 496 */ 497 ace_size = aclp->z_ops.ace_size(acep); 498 499 if (((caddr_t)acep + ace_size) > 500 ((caddr_t)aclnode->z_acldata + aclnode->z_size)) { 501 return (NULL); 502 } 503 504 *iflags = aclp->z_ops.ace_flags_get(acep); 505 *type = aclp->z_ops.ace_type_get(acep); 506 *access_mask = aclp->z_ops.ace_mask_get(acep); 507 *who = aclp->z_ops.ace_who_get(acep); 508 aclp->z_next_ace = (caddr_t)aclp->z_next_ace + ace_size; 509 aclnode->z_ace_idx++; 510 return ((void *)acep); 511 } 512 return (NULL); 513 } 514 515 /*ARGSUSED*/ 516 static uint64_t 517 zfs_ace_walk(void *datap, uint64_t cookie, int aclcnt, 518 uint16_t *flags, uint16_t *type, uint32_t *mask) 519 { 520 zfs_acl_t *aclp = datap; 521 zfs_ace_hdr_t *acep = (zfs_ace_hdr_t *)(uintptr_t)cookie; 522 uint64_t who; 523 524 acep = zfs_acl_next_ace(aclp, acep, &who, mask, 525 flags, type); 526 return ((uint64_t)(uintptr_t)acep); 527 } 528 529 static zfs_acl_node_t * 530 zfs_acl_curr_node(zfs_acl_t *aclp) 531 { 532 ASSERT(aclp->z_curr_node); 533 return (aclp->z_curr_node); 534 } 535 536 /* 537 * Copy ACE to internal ZFS format. 538 * While processing the ACL each ACE will be validated for correctness. 539 * ACE FUIDs will be created later. 540 */ 541 int 542 zfs_copy_ace_2_fuid(vtype_t obj_type, zfs_acl_t *aclp, void *datap, 543 zfs_ace_t *z_acl, int aclcnt, size_t *size) 544 { 545 int i; 546 uint16_t entry_type; 547 zfs_ace_t *aceptr = z_acl; 548 ace_t *acep = datap; 549 zfs_object_ace_t *zobjacep; 550 ace_object_t *aceobjp; 551 552 for (i = 0; i != aclcnt; i++) { 553 aceptr->z_hdr.z_access_mask = acep->a_access_mask; 554 aceptr->z_hdr.z_flags = acep->a_flags; 555 aceptr->z_hdr.z_type = acep->a_type; 556 entry_type = aceptr->z_hdr.z_flags & ACE_TYPE_FLAGS; 557 if (entry_type != ACE_OWNER && entry_type != OWNING_GROUP && 558 entry_type != ACE_EVERYONE) { 559 if (!aclp->z_has_fuids) 560 aclp->z_has_fuids = IS_EPHEMERAL(acep->a_who); 561 aceptr->z_fuid = (uint64_t)acep->a_who; 562 } 563 564 /* 565 * Make sure ACE is valid 566 */ 567 if (zfs_ace_valid(obj_type, aclp, aceptr->z_hdr.z_type, 568 aceptr->z_hdr.z_flags) != B_TRUE) 569 return (EINVAL); 570 571 switch (acep->a_type) { 572 case ACE_ACCESS_ALLOWED_OBJECT_ACE_TYPE: 573 case ACE_ACCESS_DENIED_OBJECT_ACE_TYPE: 574 case ACE_SYSTEM_AUDIT_OBJECT_ACE_TYPE: 575 case ACE_SYSTEM_ALARM_OBJECT_ACE_TYPE: 576 zobjacep = (zfs_object_ace_t *)aceptr; 577 aceobjp = (ace_object_t *)acep; 578 579 bcopy(aceobjp->a_obj_type, zobjacep->z_object_type, 580 sizeof (aceobjp->a_obj_type)); 581 bcopy(aceobjp->a_inherit_obj_type, 582 zobjacep->z_inherit_type, 583 sizeof (aceobjp->a_inherit_obj_type)); 584 acep = (ace_t *)((caddr_t)acep + sizeof (ace_object_t)); 585 break; 586 default: 587 acep = (ace_t *)((caddr_t)acep + sizeof (ace_t)); 588 } 589 590 aceptr = (zfs_ace_t *)((caddr_t)aceptr + 591 aclp->z_ops.ace_size(aceptr)); 592 } 593 594 *size = (caddr_t)aceptr - (caddr_t)z_acl; 595 596 return (0); 597 } 598 599 /* 600 * Copy ZFS ACEs to fixed size ace_t layout 601 */ 602 static void 603 zfs_copy_fuid_2_ace(zfsvfs_t *zfsvfs, zfs_acl_t *aclp, cred_t *cr, 604 void *datap, int filter) 605 { 606 uint64_t who; 607 uint32_t access_mask; 608 uint16_t iflags, type; 609 zfs_ace_hdr_t *zacep = NULL; 610 ace_t *acep = datap; 611 ace_object_t *objacep; 612 zfs_object_ace_t *zobjacep; 613 size_t ace_size; 614 uint16_t entry_type; 615 616 while (zacep = zfs_acl_next_ace(aclp, zacep, 617 &who, &access_mask, &iflags, &type)) { 618 619 switch (type) { 620 case ACE_ACCESS_ALLOWED_OBJECT_ACE_TYPE: 621 case ACE_ACCESS_DENIED_OBJECT_ACE_TYPE: 622 case ACE_SYSTEM_AUDIT_OBJECT_ACE_TYPE: 623 case ACE_SYSTEM_ALARM_OBJECT_ACE_TYPE: 624 if (filter) { 625 continue; 626 } 627 zobjacep = (zfs_object_ace_t *)zacep; 628 objacep = (ace_object_t *)acep; 629 bcopy(zobjacep->z_object_type, 630 objacep->a_obj_type, 631 sizeof (zobjacep->z_object_type)); 632 bcopy(zobjacep->z_inherit_type, 633 objacep->a_inherit_obj_type, 634 sizeof (zobjacep->z_inherit_type)); 635 ace_size = sizeof (ace_object_t); 636 break; 637 default: 638 ace_size = sizeof (ace_t); 639 break; 640 } 641 642 entry_type = (iflags & ACE_TYPE_FLAGS); 643 if ((entry_type != ACE_OWNER && 644 entry_type != OWNING_GROUP && 645 entry_type != ACE_EVERYONE)) { 646 acep->a_who = zfs_fuid_map_id(zfsvfs, who, 647 cr, (entry_type & ACE_IDENTIFIER_GROUP) ? 648 ZFS_ACE_GROUP : ZFS_ACE_USER); 649 } else { 650 acep->a_who = (uid_t)(int64_t)who; 651 } 652 acep->a_access_mask = access_mask; 653 acep->a_flags = iflags; 654 acep->a_type = type; 655 acep = (ace_t *)((caddr_t)acep + ace_size); 656 } 657 } 658 659 static int 660 zfs_copy_ace_2_oldace(vtype_t obj_type, zfs_acl_t *aclp, ace_t *acep, 661 zfs_oldace_t *z_acl, int aclcnt, size_t *size) 662 { 663 int i; 664 zfs_oldace_t *aceptr = z_acl; 665 666 for (i = 0; i != aclcnt; i++, aceptr++) { 667 aceptr->z_access_mask = acep[i].a_access_mask; 668 aceptr->z_type = acep[i].a_type; 669 aceptr->z_flags = acep[i].a_flags; 670 aceptr->z_fuid = acep[i].a_who; 671 /* 672 * Make sure ACE is valid 673 */ 674 if (zfs_ace_valid(obj_type, aclp, aceptr->z_type, 675 aceptr->z_flags) != B_TRUE) 676 return (EINVAL); 677 } 678 *size = (caddr_t)aceptr - (caddr_t)z_acl; 679 return (0); 680 } 681 682 /* 683 * convert old ACL format to new 684 */ 685 void 686 zfs_acl_xform(znode_t *zp, zfs_acl_t *aclp) 687 { 688 zfs_oldace_t *oldaclp; 689 int i; 690 uint16_t type, iflags; 691 uint32_t access_mask; 692 uint64_t who; 693 void *cookie = NULL; 694 zfs_acl_node_t *newaclnode; 695 696 ASSERT(aclp->z_version == ZFS_ACL_VERSION_INITIAL); 697 /* 698 * First create the ACE in a contiguous piece of memory 699 * for zfs_copy_ace_2_fuid(). 700 * 701 * We only convert an ACL once, so this won't happen 702 * everytime. 703 */ 704 oldaclp = kmem_alloc(sizeof (zfs_oldace_t) * aclp->z_acl_count, 705 KM_SLEEP); 706 i = 0; 707 while (cookie = zfs_acl_next_ace(aclp, cookie, &who, 708 &access_mask, &iflags, &type)) { 709 oldaclp[i].z_flags = iflags; 710 oldaclp[i].z_type = type; 711 oldaclp[i].z_fuid = who; 712 oldaclp[i++].z_access_mask = access_mask; 713 } 714 715 newaclnode = zfs_acl_node_alloc(aclp->z_acl_count * 716 sizeof (zfs_object_ace_t)); 717 aclp->z_ops = zfs_acl_fuid_ops; 718 VERIFY(zfs_copy_ace_2_fuid(ZTOV(zp)->v_type, aclp, oldaclp, 719 newaclnode->z_acldata, aclp->z_acl_count, 720 &newaclnode->z_size) == 0); 721 newaclnode->z_ace_count = aclp->z_acl_count; 722 aclp->z_version = ZFS_ACL_VERSION; 723 kmem_free(oldaclp, aclp->z_acl_count * sizeof (zfs_oldace_t)); 724 725 /* 726 * Release all previous ACL nodes 727 */ 728 729 zfs_acl_release_nodes(aclp); 730 731 list_insert_head(&aclp->z_acl, newaclnode); 732 733 aclp->z_acl_bytes = newaclnode->z_size; 734 aclp->z_acl_count = newaclnode->z_ace_count; 735 736 } 737 738 /* 739 * Convert unix access mask to v4 access mask 740 */ 741 static uint32_t 742 zfs_unix_to_v4(uint32_t access_mask) 743 { 744 uint32_t new_mask = 0; 745 746 if (access_mask & S_IXOTH) 747 new_mask |= ACE_EXECUTE; 748 if (access_mask & S_IWOTH) 749 new_mask |= ACE_WRITE_DATA; 750 if (access_mask & S_IROTH) 751 new_mask |= ACE_READ_DATA; 752 return (new_mask); 753 } 754 755 static void 756 zfs_set_ace(zfs_acl_t *aclp, void *acep, uint32_t access_mask, 757 uint16_t access_type, uint64_t fuid, uint16_t entry_type) 758 { 759 uint16_t type = entry_type & ACE_TYPE_FLAGS; 760 761 aclp->z_ops.ace_mask_set(acep, access_mask); 762 aclp->z_ops.ace_type_set(acep, access_type); 763 aclp->z_ops.ace_flags_set(acep, entry_type); 764 if ((type != ACE_OWNER && type != OWNING_GROUP && 765 type != ACE_EVERYONE)) 766 aclp->z_ops.ace_who_set(acep, fuid); 767 } 768 769 /* 770 * Determine mode of file based on ACL. 771 * Also, create FUIDs for any User/Group ACEs 772 */ 773 static uint64_t 774 zfs_mode_fuid_compute(znode_t *zp, zfs_acl_t *aclp, cred_t *cr, 775 zfs_fuid_info_t **fuidp, dmu_tx_t *tx) 776 { 777 int entry_type; 778 mode_t mode; 779 mode_t seen = 0; 780 zfs_ace_hdr_t *acep = NULL; 781 uint64_t who; 782 uint16_t iflags, type; 783 uint32_t access_mask; 784 785 mode = (zp->z_phys->zp_mode & (S_IFMT | S_ISUID | S_ISGID | S_ISVTX)); 786 787 while (acep = zfs_acl_next_ace(aclp, acep, &who, 788 &access_mask, &iflags, &type)) { 789 790 if (!zfs_acl_valid_ace_type(type, iflags)) 791 continue; 792 793 entry_type = (iflags & ACE_TYPE_FLAGS); 794 795 /* 796 * Skip over owner@, group@ or everyone@ inherit only ACEs 797 */ 798 if ((iflags & ACE_INHERIT_ONLY_ACE) && 799 (entry_type == ACE_OWNER || entry_type == ACE_EVERYONE || 800 entry_type == OWNING_GROUP)) 801 continue; 802 803 if (entry_type == ACE_OWNER) { 804 if ((access_mask & ACE_READ_DATA) && 805 (!(seen & S_IRUSR))) { 806 seen |= S_IRUSR; 807 if (type == ALLOW) { 808 mode |= S_IRUSR; 809 } 810 } 811 if ((access_mask & ACE_WRITE_DATA) && 812 (!(seen & S_IWUSR))) { 813 seen |= S_IWUSR; 814 if (type == ALLOW) { 815 mode |= S_IWUSR; 816 } 817 } 818 if ((access_mask & ACE_EXECUTE) && 819 (!(seen & S_IXUSR))) { 820 seen |= S_IXUSR; 821 if (type == ALLOW) { 822 mode |= S_IXUSR; 823 } 824 } 825 } else if (entry_type == OWNING_GROUP) { 826 if ((access_mask & ACE_READ_DATA) && 827 (!(seen & S_IRGRP))) { 828 seen |= S_IRGRP; 829 if (type == ALLOW) { 830 mode |= S_IRGRP; 831 } 832 } 833 if ((access_mask & ACE_WRITE_DATA) && 834 (!(seen & S_IWGRP))) { 835 seen |= S_IWGRP; 836 if (type == ALLOW) { 837 mode |= S_IWGRP; 838 } 839 } 840 if ((access_mask & ACE_EXECUTE) && 841 (!(seen & S_IXGRP))) { 842 seen |= S_IXGRP; 843 if (type == ALLOW) { 844 mode |= S_IXGRP; 845 } 846 } 847 } else if (entry_type == ACE_EVERYONE) { 848 if ((access_mask & ACE_READ_DATA)) { 849 if (!(seen & S_IRUSR)) { 850 seen |= S_IRUSR; 851 if (type == ALLOW) { 852 mode |= S_IRUSR; 853 } 854 } 855 if (!(seen & S_IRGRP)) { 856 seen |= S_IRGRP; 857 if (type == ALLOW) { 858 mode |= S_IRGRP; 859 } 860 } 861 if (!(seen & S_IROTH)) { 862 seen |= S_IROTH; 863 if (type == ALLOW) { 864 mode |= S_IROTH; 865 } 866 } 867 } 868 if ((access_mask & ACE_WRITE_DATA)) { 869 if (!(seen & S_IWUSR)) { 870 seen |= S_IWUSR; 871 if (type == ALLOW) { 872 mode |= S_IWUSR; 873 } 874 } 875 if (!(seen & S_IWGRP)) { 876 seen |= S_IWGRP; 877 if (type == ALLOW) { 878 mode |= S_IWGRP; 879 } 880 } 881 if (!(seen & S_IWOTH)) { 882 seen |= S_IWOTH; 883 if (type == ALLOW) { 884 mode |= S_IWOTH; 885 } 886 } 887 } 888 if ((access_mask & ACE_EXECUTE)) { 889 if (!(seen & S_IXUSR)) { 890 seen |= S_IXUSR; 891 if (type == ALLOW) { 892 mode |= S_IXUSR; 893 } 894 } 895 if (!(seen & S_IXGRP)) { 896 seen |= S_IXGRP; 897 if (type == ALLOW) { 898 mode |= S_IXGRP; 899 } 900 } 901 if (!(seen & S_IXOTH)) { 902 seen |= S_IXOTH; 903 if (type == ALLOW) { 904 mode |= S_IXOTH; 905 } 906 } 907 } 908 } 909 /* 910 * Now handle FUID create for user/group ACEs 911 */ 912 if (entry_type == 0 || entry_type == ACE_IDENTIFIER_GROUP) { 913 aclp->z_ops.ace_who_set(acep, 914 zfs_fuid_create(zp->z_zfsvfs, who, cr, 915 (entry_type == 0) ? ZFS_ACE_USER : ZFS_ACE_GROUP, 916 tx, fuidp)); 917 } 918 } 919 return (mode); 920 } 921 922 static zfs_acl_t * 923 zfs_acl_node_read_internal(znode_t *zp, boolean_t will_modify) 924 { 925 zfs_acl_t *aclp; 926 zfs_acl_node_t *aclnode; 927 928 aclp = zfs_acl_alloc(zp->z_phys->zp_acl.z_acl_version); 929 930 /* 931 * Version 0 to 1 znode_acl_phys has the size/count fields swapped. 932 * Version 0 didn't have a size field, only a count. 933 */ 934 if (zp->z_phys->zp_acl.z_acl_version == ZFS_ACL_VERSION_INITIAL) { 935 aclp->z_acl_count = zp->z_phys->zp_acl.z_acl_size; 936 aclp->z_acl_bytes = ZFS_ACL_SIZE(aclp->z_acl_count); 937 } else { 938 aclp->z_acl_count = zp->z_phys->zp_acl.z_acl_count; 939 aclp->z_acl_bytes = zp->z_phys->zp_acl.z_acl_size; 940 } 941 942 aclnode = zfs_acl_node_alloc(will_modify ? aclp->z_acl_bytes : 0); 943 aclnode->z_ace_count = aclp->z_acl_count; 944 if (will_modify) { 945 bcopy(zp->z_phys->zp_acl.z_ace_data, aclnode->z_acldata, 946 aclp->z_acl_bytes); 947 } else { 948 aclnode->z_size = aclp->z_acl_bytes; 949 aclnode->z_acldata = &zp->z_phys->zp_acl.z_ace_data[0]; 950 } 951 952 list_insert_head(&aclp->z_acl, aclnode); 953 954 return (aclp); 955 } 956 957 /* 958 * Read an external acl object. 959 */ 960 static int 961 zfs_acl_node_read(znode_t *zp, zfs_acl_t **aclpp, boolean_t will_modify) 962 { 963 uint64_t extacl = zp->z_phys->zp_acl.z_acl_extern_obj; 964 zfs_acl_t *aclp; 965 size_t aclsize; 966 size_t acl_count; 967 zfs_acl_node_t *aclnode; 968 int error; 969 970 ASSERT(MUTEX_HELD(&zp->z_acl_lock)); 971 972 if (zp->z_phys->zp_acl.z_acl_extern_obj == 0) { 973 *aclpp = zfs_acl_node_read_internal(zp, will_modify); 974 return (0); 975 } 976 977 aclp = zfs_acl_alloc(zp->z_phys->zp_acl.z_acl_version); 978 if (zp->z_phys->zp_acl.z_acl_version == ZFS_ACL_VERSION_INITIAL) { 979 zfs_acl_phys_v0_t *zacl0 = 980 (zfs_acl_phys_v0_t *)&zp->z_phys->zp_acl; 981 982 aclsize = ZFS_ACL_SIZE(zacl0->z_acl_count); 983 acl_count = zacl0->z_acl_count; 984 } else { 985 aclsize = zp->z_phys->zp_acl.z_acl_size; 986 acl_count = zp->z_phys->zp_acl.z_acl_count; 987 if (aclsize == 0) 988 aclsize = acl_count * sizeof (zfs_ace_t); 989 } 990 aclnode = zfs_acl_node_alloc(aclsize); 991 list_insert_head(&aclp->z_acl, aclnode); 992 error = dmu_read(zp->z_zfsvfs->z_os, extacl, 0, 993 aclsize, aclnode->z_acldata); 994 aclnode->z_ace_count = acl_count; 995 aclp->z_acl_count = acl_count; 996 aclp->z_acl_bytes = aclsize; 997 998 if (error != 0) { 999 zfs_acl_free(aclp); 1000 /* convert checksum errors into IO errors */ 1001 if (error == ECKSUM) 1002 error = EIO; 1003 return (error); 1004 } 1005 1006 *aclpp = aclp; 1007 return (0); 1008 } 1009 1010 /* 1011 * common code for setting ACLs. 1012 * 1013 * This function is called from zfs_mode_update, zfs_perm_init, and zfs_setacl. 1014 * zfs_setacl passes a non-NULL inherit pointer (ihp) to indicate that it's 1015 * already checked the acl and knows whether to inherit. 1016 */ 1017 int 1018 zfs_aclset_common(znode_t *zp, zfs_acl_t *aclp, cred_t *cr, 1019 zfs_fuid_info_t **fuidp, dmu_tx_t *tx) 1020 { 1021 int error; 1022 znode_phys_t *zphys = zp->z_phys; 1023 zfs_acl_phys_t *zacl = &zphys->zp_acl; 1024 zfsvfs_t *zfsvfs = zp->z_zfsvfs; 1025 uint64_t aoid = zphys->zp_acl.z_acl_extern_obj; 1026 uint64_t off = 0; 1027 dmu_object_type_t otype; 1028 zfs_acl_node_t *aclnode; 1029 1030 ASSERT(MUTEX_HELD(&zp->z_lock)); 1031 ASSERT(MUTEX_HELD(&zp->z_acl_lock)); 1032 1033 dmu_buf_will_dirty(zp->z_dbuf, tx); 1034 1035 zphys->zp_mode = zfs_mode_fuid_compute(zp, aclp, cr, fuidp, tx); 1036 1037 /* 1038 * Decide which opbject type to use. If we are forced to 1039 * use old ACL format than transform ACL into zfs_oldace_t 1040 * layout. 1041 */ 1042 if (!zfsvfs->z_use_fuids) { 1043 otype = DMU_OT_OLDACL; 1044 } else { 1045 if ((aclp->z_version == ZFS_ACL_VERSION_INITIAL) && 1046 (zfsvfs->z_version >= ZPL_VERSION_FUID)) 1047 zfs_acl_xform(zp, aclp); 1048 ASSERT(aclp->z_version >= ZFS_ACL_VERSION_FUID); 1049 otype = DMU_OT_ACL; 1050 } 1051 1052 if (aclp->z_acl_bytes > ZFS_ACE_SPACE) { 1053 /* 1054 * If ACL was previously external and we are now 1055 * converting to new ACL format then release old 1056 * ACL object and create a new one. 1057 */ 1058 if (aoid && aclp->z_version != zacl->z_acl_version) { 1059 error = dmu_object_free(zfsvfs->z_os, 1060 zp->z_phys->zp_acl.z_acl_extern_obj, tx); 1061 if (error) 1062 return (error); 1063 aoid = 0; 1064 } 1065 if (aoid == 0) { 1066 aoid = dmu_object_alloc(zfsvfs->z_os, 1067 otype, aclp->z_acl_bytes, 1068 otype == DMU_OT_ACL ? DMU_OT_SYSACL : DMU_OT_NONE, 1069 otype == DMU_OT_ACL ? DN_MAX_BONUSLEN : 0, tx); 1070 } else { 1071 (void) dmu_object_set_blocksize(zfsvfs->z_os, aoid, 1072 aclp->z_acl_bytes, 0, tx); 1073 } 1074 zphys->zp_acl.z_acl_extern_obj = aoid; 1075 for (aclnode = list_head(&aclp->z_acl); aclnode; 1076 aclnode = list_next(&aclp->z_acl, aclnode)) { 1077 if (aclnode->z_ace_count == 0) 1078 continue; 1079 dmu_write(zfsvfs->z_os, aoid, off, 1080 aclnode->z_size, aclnode->z_acldata, tx); 1081 off += aclnode->z_size; 1082 } 1083 } else { 1084 void *start = zacl->z_ace_data; 1085 /* 1086 * Migrating back embedded? 1087 */ 1088 if (zphys->zp_acl.z_acl_extern_obj) { 1089 error = dmu_object_free(zfsvfs->z_os, 1090 zp->z_phys->zp_acl.z_acl_extern_obj, tx); 1091 if (error) 1092 return (error); 1093 zphys->zp_acl.z_acl_extern_obj = 0; 1094 } 1095 1096 for (aclnode = list_head(&aclp->z_acl); aclnode; 1097 aclnode = list_next(&aclp->z_acl, aclnode)) { 1098 if (aclnode->z_ace_count == 0) 1099 continue; 1100 bcopy(aclnode->z_acldata, start, aclnode->z_size); 1101 start = (caddr_t)start + aclnode->z_size; 1102 } 1103 } 1104 1105 /* 1106 * If Old version then swap count/bytes to match old 1107 * layout of znode_acl_phys_t. 1108 */ 1109 if (aclp->z_version == ZFS_ACL_VERSION_INITIAL) { 1110 zphys->zp_acl.z_acl_size = aclp->z_acl_count; 1111 zphys->zp_acl.z_acl_count = aclp->z_acl_bytes; 1112 } else { 1113 zphys->zp_acl.z_acl_size = aclp->z_acl_bytes; 1114 zphys->zp_acl.z_acl_count = aclp->z_acl_count; 1115 } 1116 1117 zphys->zp_acl.z_acl_version = aclp->z_version; 1118 1119 /* 1120 * Replace ACL wide bits, but first clear them. 1121 */ 1122 zp->z_phys->zp_flags &= ~ZFS_ACL_WIDE_FLAGS; 1123 1124 zp->z_phys->zp_flags |= aclp->z_hints; 1125 1126 if (ace_trivial_common(aclp, 0, zfs_ace_walk) == 0) 1127 zp->z_phys->zp_flags |= ZFS_ACL_TRIVIAL; 1128 1129 zfs_time_stamper_locked(zp, STATE_CHANGED, tx); 1130 return (0); 1131 } 1132 1133 /* 1134 * Update access mask for prepended ACE 1135 * 1136 * This applies the "groupmask" value for aclmode property. 1137 */ 1138 static void 1139 zfs_acl_prepend_fixup(zfs_acl_t *aclp, void *acep, void *origacep, 1140 mode_t mode, uint64_t owner) 1141 { 1142 int rmask, wmask, xmask; 1143 int user_ace; 1144 uint16_t aceflags; 1145 uint32_t origmask, acepmask; 1146 uint64_t fuid; 1147 1148 aceflags = aclp->z_ops.ace_flags_get(acep); 1149 fuid = aclp->z_ops.ace_who_get(acep); 1150 origmask = aclp->z_ops.ace_mask_get(origacep); 1151 acepmask = aclp->z_ops.ace_mask_get(acep); 1152 1153 user_ace = (!(aceflags & 1154 (ACE_OWNER|ACE_GROUP|ACE_IDENTIFIER_GROUP))); 1155 1156 if (user_ace && (fuid == owner)) { 1157 rmask = S_IRUSR; 1158 wmask = S_IWUSR; 1159 xmask = S_IXUSR; 1160 } else { 1161 rmask = S_IRGRP; 1162 wmask = S_IWGRP; 1163 xmask = S_IXGRP; 1164 } 1165 1166 if (origmask & ACE_READ_DATA) { 1167 if (mode & rmask) { 1168 acepmask &= ~ACE_READ_DATA; 1169 } else { 1170 acepmask |= ACE_READ_DATA; 1171 } 1172 } 1173 1174 if (origmask & ACE_WRITE_DATA) { 1175 if (mode & wmask) { 1176 acepmask &= ~ACE_WRITE_DATA; 1177 } else { 1178 acepmask |= ACE_WRITE_DATA; 1179 } 1180 } 1181 1182 if (origmask & ACE_APPEND_DATA) { 1183 if (mode & wmask) { 1184 acepmask &= ~ACE_APPEND_DATA; 1185 } else { 1186 acepmask |= ACE_APPEND_DATA; 1187 } 1188 } 1189 1190 if (origmask & ACE_EXECUTE) { 1191 if (mode & xmask) { 1192 acepmask &= ~ACE_EXECUTE; 1193 } else { 1194 acepmask |= ACE_EXECUTE; 1195 } 1196 } 1197 aclp->z_ops.ace_mask_set(acep, acepmask); 1198 } 1199 1200 /* 1201 * Apply mode to canonical six ACEs. 1202 */ 1203 static void 1204 zfs_acl_fixup_canonical_six(zfs_acl_t *aclp, mode_t mode) 1205 { 1206 zfs_acl_node_t *aclnode = list_tail(&aclp->z_acl); 1207 void *acep; 1208 int maskoff = aclp->z_ops.ace_mask_off(); 1209 size_t abstract_size = aclp->z_ops.ace_abstract_size(); 1210 1211 ASSERT(aclnode != NULL); 1212 1213 acep = (void *)((caddr_t)aclnode->z_acldata + 1214 aclnode->z_size - (abstract_size * 6)); 1215 1216 /* 1217 * Fixup final ACEs to match the mode 1218 */ 1219 1220 adjust_ace_pair_common(acep, maskoff, abstract_size, 1221 (mode & 0700) >> 6); /* owner@ */ 1222 1223 acep = (caddr_t)acep + (abstract_size * 2); 1224 1225 adjust_ace_pair_common(acep, maskoff, abstract_size, 1226 (mode & 0070) >> 3); /* group@ */ 1227 1228 acep = (caddr_t)acep + (abstract_size * 2); 1229 adjust_ace_pair_common(acep, maskoff, 1230 abstract_size, mode); /* everyone@ */ 1231 } 1232 1233 1234 static int 1235 zfs_acl_ace_match(zfs_acl_t *aclp, void *acep, int allow_deny, 1236 int entry_type, int accessmask) 1237 { 1238 uint32_t mask = aclp->z_ops.ace_mask_get(acep); 1239 uint16_t type = aclp->z_ops.ace_type_get(acep); 1240 uint16_t flags = aclp->z_ops.ace_flags_get(acep); 1241 1242 return (mask == accessmask && type == allow_deny && 1243 ((flags & ACE_TYPE_FLAGS) == entry_type)); 1244 } 1245 1246 /* 1247 * Can prepended ACE be reused? 1248 */ 1249 static int 1250 zfs_reuse_deny(zfs_acl_t *aclp, void *acep, void *prevacep) 1251 { 1252 int okay_masks; 1253 uint16_t prevtype; 1254 uint16_t prevflags; 1255 uint16_t flags; 1256 uint32_t mask, prevmask; 1257 1258 if (prevacep == NULL) 1259 return (B_FALSE); 1260 1261 prevtype = aclp->z_ops.ace_type_get(prevacep); 1262 prevflags = aclp->z_ops.ace_flags_get(prevacep); 1263 flags = aclp->z_ops.ace_flags_get(acep); 1264 mask = aclp->z_ops.ace_mask_get(acep); 1265 prevmask = aclp->z_ops.ace_mask_get(prevacep); 1266 1267 if (prevtype != DENY) 1268 return (B_FALSE); 1269 1270 if (prevflags != (flags & ACE_IDENTIFIER_GROUP)) 1271 return (B_FALSE); 1272 1273 okay_masks = (mask & OKAY_MASK_BITS); 1274 1275 if (prevmask & ~okay_masks) 1276 return (B_FALSE); 1277 1278 return (B_TRUE); 1279 } 1280 1281 1282 /* 1283 * Insert new ACL node into chain of zfs_acl_node_t's 1284 * 1285 * This will result in two possible results. 1286 * 1. If the ACL is currently just a single zfs_acl_node and 1287 * we are prepending the entry then current acl node will have 1288 * a new node inserted above it. 1289 * 1290 * 2. If we are inserting in the middle of current acl node then 1291 * the current node will be split in two and new node will be inserted 1292 * in between the two split nodes. 1293 */ 1294 static zfs_acl_node_t * 1295 zfs_acl_ace_insert(zfs_acl_t *aclp, void *acep) 1296 { 1297 zfs_acl_node_t *newnode; 1298 zfs_acl_node_t *trailernode = NULL; 1299 zfs_acl_node_t *currnode = zfs_acl_curr_node(aclp); 1300 int curr_idx = aclp->z_curr_node->z_ace_idx; 1301 int trailer_count; 1302 size_t oldsize; 1303 1304 newnode = zfs_acl_node_alloc(aclp->z_ops.ace_size(acep)); 1305 newnode->z_ace_count = 1; 1306 1307 oldsize = currnode->z_size; 1308 1309 if (curr_idx != 1) { 1310 trailernode = zfs_acl_node_alloc(0); 1311 trailernode->z_acldata = acep; 1312 1313 trailer_count = currnode->z_ace_count - curr_idx + 1; 1314 currnode->z_ace_count = curr_idx - 1; 1315 currnode->z_size = (caddr_t)acep - (caddr_t)currnode->z_acldata; 1316 trailernode->z_size = oldsize - currnode->z_size; 1317 trailernode->z_ace_count = trailer_count; 1318 } 1319 1320 aclp->z_acl_count += 1; 1321 aclp->z_acl_bytes += aclp->z_ops.ace_size(acep); 1322 1323 if (curr_idx == 1) 1324 list_insert_before(&aclp->z_acl, currnode, newnode); 1325 else 1326 list_insert_after(&aclp->z_acl, currnode, newnode); 1327 if (trailernode) { 1328 list_insert_after(&aclp->z_acl, newnode, trailernode); 1329 aclp->z_curr_node = trailernode; 1330 trailernode->z_ace_idx = 1; 1331 } 1332 1333 return (newnode); 1334 } 1335 1336 /* 1337 * Prepend deny ACE 1338 */ 1339 static void * 1340 zfs_acl_prepend_deny(znode_t *zp, zfs_acl_t *aclp, void *acep, 1341 mode_t mode) 1342 { 1343 zfs_acl_node_t *aclnode; 1344 void *newacep; 1345 uint64_t fuid; 1346 uint16_t flags; 1347 1348 aclnode = zfs_acl_ace_insert(aclp, acep); 1349 newacep = aclnode->z_acldata; 1350 fuid = aclp->z_ops.ace_who_get(acep); 1351 flags = aclp->z_ops.ace_flags_get(acep); 1352 zfs_set_ace(aclp, newacep, 0, DENY, fuid, (flags & ACE_TYPE_FLAGS)); 1353 zfs_acl_prepend_fixup(aclp, newacep, acep, mode, zp->z_phys->zp_uid); 1354 1355 return (newacep); 1356 } 1357 1358 /* 1359 * Split an inherited ACE into inherit_only ACE 1360 * and original ACE with inheritance flags stripped off. 1361 */ 1362 static void 1363 zfs_acl_split_ace(zfs_acl_t *aclp, zfs_ace_hdr_t *acep) 1364 { 1365 zfs_acl_node_t *aclnode; 1366 zfs_acl_node_t *currnode; 1367 void *newacep; 1368 uint16_t type, flags; 1369 uint32_t mask; 1370 uint64_t fuid; 1371 1372 type = aclp->z_ops.ace_type_get(acep); 1373 flags = aclp->z_ops.ace_flags_get(acep); 1374 mask = aclp->z_ops.ace_mask_get(acep); 1375 fuid = aclp->z_ops.ace_who_get(acep); 1376 1377 aclnode = zfs_acl_ace_insert(aclp, acep); 1378 newacep = aclnode->z_acldata; 1379 1380 aclp->z_ops.ace_type_set(newacep, type); 1381 aclp->z_ops.ace_flags_set(newacep, flags | ACE_INHERIT_ONLY_ACE); 1382 aclp->z_ops.ace_mask_set(newacep, mask); 1383 aclp->z_ops.ace_type_set(newacep, type); 1384 aclp->z_ops.ace_who_set(newacep, fuid); 1385 aclp->z_next_ace = acep; 1386 flags &= ~ALL_INHERIT; 1387 aclp->z_ops.ace_flags_set(acep, flags); 1388 currnode = zfs_acl_curr_node(aclp); 1389 ASSERT(currnode->z_ace_idx >= 1); 1390 currnode->z_ace_idx -= 1; 1391 } 1392 1393 /* 1394 * Are ACES started at index i, the canonical six ACES? 1395 */ 1396 static int 1397 zfs_have_canonical_six(zfs_acl_t *aclp) 1398 { 1399 void *acep; 1400 zfs_acl_node_t *aclnode = list_tail(&aclp->z_acl); 1401 int i = 0; 1402 size_t abstract_size = aclp->z_ops.ace_abstract_size(); 1403 1404 ASSERT(aclnode != NULL); 1405 1406 if (aclnode->z_ace_count < 6) 1407 return (0); 1408 1409 acep = (void *)((caddr_t)aclnode->z_acldata + 1410 aclnode->z_size - (aclp->z_ops.ace_abstract_size() * 6)); 1411 1412 if ((zfs_acl_ace_match(aclp, (caddr_t)acep + (abstract_size * i++), 1413 DENY, ACE_OWNER, 0) && 1414 zfs_acl_ace_match(aclp, (caddr_t)acep + (abstract_size * i++), 1415 ALLOW, ACE_OWNER, OWNER_ALLOW_MASK) && 1416 zfs_acl_ace_match(aclp, (caddr_t)acep + (abstract_size * i++), DENY, 1417 OWNING_GROUP, 0) && zfs_acl_ace_match(aclp, (caddr_t)acep + 1418 (abstract_size * i++), 1419 ALLOW, OWNING_GROUP, 0) && 1420 zfs_acl_ace_match(aclp, (caddr_t)acep + (abstract_size * i++), 1421 DENY, ACE_EVERYONE, EVERYONE_DENY_MASK) && 1422 zfs_acl_ace_match(aclp, (caddr_t)acep + (abstract_size * i++), 1423 ALLOW, ACE_EVERYONE, EVERYONE_ALLOW_MASK))) { 1424 return (1); 1425 } else { 1426 return (0); 1427 } 1428 } 1429 1430 1431 /* 1432 * Apply step 1g, to group entries 1433 * 1434 * Need to deal with corner case where group may have 1435 * greater permissions than owner. If so then limit 1436 * group permissions, based on what extra permissions 1437 * group has. 1438 */ 1439 static void 1440 zfs_fixup_group_entries(zfs_acl_t *aclp, void *acep, void *prevacep, 1441 mode_t mode) 1442 { 1443 uint32_t prevmask = aclp->z_ops.ace_mask_get(prevacep); 1444 uint32_t mask = aclp->z_ops.ace_mask_get(acep); 1445 uint16_t prevflags = aclp->z_ops.ace_flags_get(prevacep); 1446 mode_t extramode = (mode >> 3) & 07; 1447 mode_t ownermode = (mode >> 6); 1448 1449 if (prevflags & ACE_IDENTIFIER_GROUP) { 1450 1451 extramode &= ~ownermode; 1452 1453 if (extramode) { 1454 if (extramode & S_IROTH) { 1455 prevmask &= ~ACE_READ_DATA; 1456 mask &= ~ACE_READ_DATA; 1457 } 1458 if (extramode & S_IWOTH) { 1459 prevmask &= ~(ACE_WRITE_DATA|ACE_APPEND_DATA); 1460 mask &= ~(ACE_WRITE_DATA|ACE_APPEND_DATA); 1461 } 1462 if (extramode & S_IXOTH) { 1463 prevmask &= ~ACE_EXECUTE; 1464 mask &= ~ACE_EXECUTE; 1465 } 1466 } 1467 } 1468 aclp->z_ops.ace_mask_set(acep, mask); 1469 aclp->z_ops.ace_mask_set(prevacep, prevmask); 1470 } 1471 1472 /* 1473 * Apply the chmod algorithm as described 1474 * in PSARC/2002/240 1475 */ 1476 static void 1477 zfs_acl_chmod(znode_t *zp, uint64_t mode, zfs_acl_t *aclp) 1478 { 1479 zfsvfs_t *zfsvfs = zp->z_zfsvfs; 1480 void *acep = NULL, *prevacep = NULL; 1481 uint64_t who; 1482 int i; 1483 int entry_type; 1484 int reuse_deny; 1485 int need_canonical_six = 1; 1486 uint16_t iflags, type; 1487 uint32_t access_mask; 1488 1489 ASSERT(MUTEX_HELD(&zp->z_acl_lock)); 1490 ASSERT(MUTEX_HELD(&zp->z_lock)); 1491 1492 aclp->z_hints = (zp->z_phys->zp_flags & V4_ACL_WIDE_FLAGS); 1493 1494 /* 1495 * If discard then just discard all ACL nodes which 1496 * represent the ACEs. 1497 * 1498 * New owner@/group@/everone@ ACEs will be added 1499 * later. 1500 */ 1501 if (zfsvfs->z_acl_mode == ZFS_ACL_DISCARD) 1502 zfs_acl_release_nodes(aclp); 1503 1504 while (acep = zfs_acl_next_ace(aclp, acep, &who, &access_mask, 1505 &iflags, &type)) { 1506 1507 entry_type = (iflags & ACE_TYPE_FLAGS); 1508 iflags = (iflags & ALL_INHERIT); 1509 1510 if ((type != ALLOW && type != DENY) || 1511 (iflags & ACE_INHERIT_ONLY_ACE)) { 1512 if (iflags) 1513 aclp->z_hints |= ZFS_INHERIT_ACE; 1514 switch (type) { 1515 case ACE_ACCESS_ALLOWED_OBJECT_ACE_TYPE: 1516 case ACE_ACCESS_DENIED_OBJECT_ACE_TYPE: 1517 case ACE_SYSTEM_AUDIT_OBJECT_ACE_TYPE: 1518 case ACE_SYSTEM_ALARM_OBJECT_ACE_TYPE: 1519 aclp->z_hints |= ZFS_ACL_OBJ_ACE; 1520 break; 1521 } 1522 goto nextace; 1523 } 1524 1525 /* 1526 * Need to split ace into two? 1527 */ 1528 if ((iflags & (ACE_FILE_INHERIT_ACE| 1529 ACE_DIRECTORY_INHERIT_ACE)) && 1530 (!(iflags & ACE_INHERIT_ONLY_ACE))) { 1531 zfs_acl_split_ace(aclp, acep); 1532 aclp->z_hints |= ZFS_INHERIT_ACE; 1533 goto nextace; 1534 } 1535 1536 if (entry_type == ACE_OWNER || entry_type == ACE_EVERYONE || 1537 (entry_type == OWNING_GROUP)) { 1538 access_mask &= ~OGE_CLEAR; 1539 aclp->z_ops.ace_mask_set(acep, access_mask); 1540 goto nextace; 1541 } else { 1542 reuse_deny = B_TRUE; 1543 if (type == ALLOW) { 1544 1545 /* 1546 * Check preceding ACE if any, to see 1547 * if we need to prepend a DENY ACE. 1548 * This is only applicable when the acl_mode 1549 * property == groupmask. 1550 */ 1551 if (zfsvfs->z_acl_mode == ZFS_ACL_GROUPMASK) { 1552 1553 reuse_deny = zfs_reuse_deny(aclp, acep, 1554 prevacep); 1555 1556 if (!reuse_deny) { 1557 prevacep = 1558 zfs_acl_prepend_deny(zp, 1559 aclp, acep, mode); 1560 } else { 1561 zfs_acl_prepend_fixup( 1562 aclp, prevacep, 1563 acep, mode, 1564 zp->z_phys->zp_uid); 1565 } 1566 zfs_fixup_group_entries(aclp, acep, 1567 prevacep, mode); 1568 1569 } 1570 } 1571 } 1572 nextace: 1573 prevacep = acep; 1574 } 1575 1576 /* 1577 * Check out last six aces, if we have six. 1578 */ 1579 1580 if (aclp->z_acl_count >= 6) { 1581 if (zfs_have_canonical_six(aclp)) { 1582 need_canonical_six = 0; 1583 } 1584 } 1585 1586 if (need_canonical_six) { 1587 size_t abstract_size = aclp->z_ops.ace_abstract_size(); 1588 void *zacep; 1589 zfs_acl_node_t *aclnode = 1590 zfs_acl_node_alloc(abstract_size * 6); 1591 1592 aclnode->z_size = abstract_size * 6; 1593 aclnode->z_ace_count = 6; 1594 aclp->z_acl_bytes += aclnode->z_size; 1595 list_insert_tail(&aclp->z_acl, aclnode); 1596 1597 zacep = aclnode->z_acldata; 1598 1599 i = 0; 1600 zfs_set_ace(aclp, (caddr_t)zacep + (abstract_size * i++), 1601 0, DENY, -1, ACE_OWNER); 1602 zfs_set_ace(aclp, (caddr_t)zacep + (abstract_size * i++), 1603 OWNER_ALLOW_MASK, ALLOW, -1, ACE_OWNER); 1604 zfs_set_ace(aclp, (caddr_t)zacep + (abstract_size * i++), 0, 1605 DENY, -1, OWNING_GROUP); 1606 zfs_set_ace(aclp, (caddr_t)zacep + (abstract_size * i++), 0, 1607 ALLOW, -1, OWNING_GROUP); 1608 zfs_set_ace(aclp, (caddr_t)zacep + (abstract_size * i++), 1609 EVERYONE_DENY_MASK, DENY, -1, ACE_EVERYONE); 1610 zfs_set_ace(aclp, (caddr_t)zacep + (abstract_size * i++), 1611 EVERYONE_ALLOW_MASK, ALLOW, -1, ACE_EVERYONE); 1612 aclp->z_acl_count += 6; 1613 } 1614 1615 zfs_acl_fixup_canonical_six(aclp, mode); 1616 } 1617 1618 int 1619 zfs_acl_chmod_setattr(znode_t *zp, zfs_acl_t **aclp, uint64_t mode) 1620 { 1621 int error; 1622 1623 mutex_enter(&zp->z_lock); 1624 mutex_enter(&zp->z_acl_lock); 1625 *aclp = NULL; 1626 error = zfs_acl_node_read(zp, aclp, B_TRUE); 1627 if (error == 0) 1628 zfs_acl_chmod(zp, mode, *aclp); 1629 mutex_exit(&zp->z_acl_lock); 1630 mutex_exit(&zp->z_lock); 1631 return (error); 1632 } 1633 1634 /* 1635 * strip off write_owner and write_acl 1636 */ 1637 static void 1638 zfs_restricted_update(zfsvfs_t *zfsvfs, zfs_acl_t *aclp, void *acep) 1639 { 1640 uint32_t mask = aclp->z_ops.ace_mask_get(acep); 1641 1642 if ((zfsvfs->z_acl_inherit == ZFS_ACL_RESTRICTED) && 1643 (aclp->z_ops.ace_type_get(acep) == ALLOW)) { 1644 mask &= ~RESTRICTED_CLEAR; 1645 aclp->z_ops.ace_mask_set(acep, mask); 1646 } 1647 } 1648 1649 /* 1650 * Should ACE be inherited? 1651 */ 1652 static int 1653 zfs_ace_can_use(znode_t *zp, uint16_t acep_flags) 1654 { 1655 int vtype = ZTOV(zp)->v_type; 1656 int iflags = (acep_flags & 0xf); 1657 1658 if ((vtype == VDIR) && (iflags & ACE_DIRECTORY_INHERIT_ACE)) 1659 return (1); 1660 else if (iflags & ACE_FILE_INHERIT_ACE) 1661 return (!((vtype == VDIR) && 1662 (iflags & ACE_NO_PROPAGATE_INHERIT_ACE))); 1663 return (0); 1664 } 1665 1666 /* 1667 * inherit inheritable ACEs from parent 1668 */ 1669 static zfs_acl_t * 1670 zfs_acl_inherit(znode_t *zp, zfs_acl_t *paclp, uint64_t mode, 1671 boolean_t *need_chmod) 1672 { 1673 zfsvfs_t *zfsvfs = zp->z_zfsvfs; 1674 void *pacep; 1675 void *acep, *acep2; 1676 zfs_acl_node_t *aclnode, *aclnode2; 1677 zfs_acl_t *aclp = NULL; 1678 uint64_t who; 1679 uint32_t access_mask; 1680 uint16_t iflags, newflags, type; 1681 size_t ace_size; 1682 void *data1, *data2; 1683 size_t data1sz, data2sz; 1684 boolean_t vdir = ZTOV(zp)->v_type == VDIR; 1685 boolean_t vreg = ZTOV(zp)->v_type == VREG; 1686 boolean_t passthrough, passthrough_x, noallow; 1687 1688 passthrough_x = 1689 zfsvfs->z_acl_inherit == ZFS_ACL_PASSTHROUGH_X; 1690 passthrough = passthrough_x || 1691 zfsvfs->z_acl_inherit == ZFS_ACL_PASSTHROUGH; 1692 noallow = 1693 zfsvfs->z_acl_inherit == ZFS_ACL_NOALLOW; 1694 1695 *need_chmod = B_TRUE; 1696 pacep = NULL; 1697 aclp = zfs_acl_alloc(paclp->z_version); 1698 if (zfsvfs->z_acl_inherit == ZFS_ACL_DISCARD) 1699 return (aclp); 1700 while (pacep = zfs_acl_next_ace(paclp, pacep, &who, 1701 &access_mask, &iflags, &type)) { 1702 1703 /* 1704 * don't inherit bogus ACEs 1705 */ 1706 if (!zfs_acl_valid_ace_type(type, iflags)) 1707 continue; 1708 1709 if (noallow && type == ALLOW) 1710 continue; 1711 1712 ace_size = aclp->z_ops.ace_size(pacep); 1713 1714 if (!zfs_ace_can_use(zp, iflags)) 1715 continue; 1716 1717 /* 1718 * If owner@, group@, or everyone@ inheritable 1719 * then zfs_acl_chmod() isn't needed. 1720 */ 1721 if (passthrough && 1722 ((iflags & (ACE_OWNER|ACE_EVERYONE)) || 1723 ((iflags & OWNING_GROUP) == 1724 OWNING_GROUP)) && (vreg || (vdir && (iflags & 1725 ACE_DIRECTORY_INHERIT_ACE)))) { 1726 *need_chmod = B_FALSE; 1727 1728 if (!vdir && passthrough_x && 1729 ((mode & (S_IXUSR | S_IXGRP | S_IXOTH)) == 0)) { 1730 access_mask &= ~ACE_EXECUTE; 1731 } 1732 } 1733 1734 aclnode = zfs_acl_node_alloc(ace_size); 1735 list_insert_tail(&aclp->z_acl, aclnode); 1736 acep = aclnode->z_acldata; 1737 1738 zfs_set_ace(aclp, acep, access_mask, type, 1739 who, iflags|ACE_INHERITED_ACE); 1740 1741 /* 1742 * Copy special opaque data if any 1743 */ 1744 if ((data1sz = paclp->z_ops.ace_data(pacep, &data1)) != 0) { 1745 VERIFY((data2sz = aclp->z_ops.ace_data(acep, 1746 &data2)) == data1sz); 1747 bcopy(data1, data2, data2sz); 1748 } 1749 aclp->z_acl_count++; 1750 aclnode->z_ace_count++; 1751 aclp->z_acl_bytes += aclnode->z_size; 1752 newflags = aclp->z_ops.ace_flags_get(acep); 1753 1754 if (vdir) 1755 aclp->z_hints |= ZFS_INHERIT_ACE; 1756 1757 if ((iflags & ACE_NO_PROPAGATE_INHERIT_ACE) || !vdir) { 1758 newflags &= ~ALL_INHERIT; 1759 aclp->z_ops.ace_flags_set(acep, 1760 newflags|ACE_INHERITED_ACE); 1761 zfs_restricted_update(zfsvfs, aclp, acep); 1762 continue; 1763 } 1764 1765 ASSERT(vdir); 1766 1767 newflags = aclp->z_ops.ace_flags_get(acep); 1768 if ((iflags & (ACE_FILE_INHERIT_ACE | 1769 ACE_DIRECTORY_INHERIT_ACE)) != 1770 ACE_FILE_INHERIT_ACE) { 1771 aclnode2 = zfs_acl_node_alloc(ace_size); 1772 list_insert_tail(&aclp->z_acl, aclnode2); 1773 acep2 = aclnode2->z_acldata; 1774 zfs_set_ace(aclp, acep2, 1775 access_mask, type, who, 1776 iflags|ACE_INHERITED_ACE); 1777 newflags |= ACE_INHERIT_ONLY_ACE; 1778 aclp->z_ops.ace_flags_set(acep, newflags); 1779 newflags &= ~ALL_INHERIT; 1780 aclp->z_ops.ace_flags_set(acep2, 1781 newflags|ACE_INHERITED_ACE); 1782 1783 /* 1784 * Copy special opaque data if any 1785 */ 1786 if ((data1sz = aclp->z_ops.ace_data(acep, 1787 &data1)) != 0) { 1788 VERIFY((data2sz = 1789 aclp->z_ops.ace_data(acep2, 1790 &data2)) == data1sz); 1791 bcopy(data1, data2, data1sz); 1792 } 1793 aclp->z_acl_count++; 1794 aclnode2->z_ace_count++; 1795 aclp->z_acl_bytes += aclnode->z_size; 1796 zfs_restricted_update(zfsvfs, aclp, acep2); 1797 } else { 1798 newflags |= ACE_INHERIT_ONLY_ACE; 1799 aclp->z_ops.ace_flags_set(acep, 1800 newflags|ACE_INHERITED_ACE); 1801 } 1802 } 1803 return (aclp); 1804 } 1805 1806 /* 1807 * Create file system object initial permissions 1808 * including inheritable ACEs. 1809 */ 1810 void 1811 zfs_perm_init(znode_t *zp, znode_t *parent, int flag, 1812 vattr_t *vap, dmu_tx_t *tx, cred_t *cr, 1813 zfs_acl_t *setaclp, zfs_fuid_info_t **fuidp) 1814 { 1815 uint64_t mode, fuid, fgid; 1816 int error; 1817 zfsvfs_t *zfsvfs = zp->z_zfsvfs; 1818 zfs_acl_t *aclp = NULL; 1819 zfs_acl_t *paclp; 1820 xvattr_t *xvap = (xvattr_t *)vap; 1821 gid_t gid; 1822 boolean_t need_chmod = B_TRUE; 1823 1824 if (setaclp) 1825 aclp = setaclp; 1826 1827 mode = MAKEIMODE(vap->va_type, vap->va_mode); 1828 1829 /* 1830 * Determine uid and gid. 1831 */ 1832 if ((flag & (IS_ROOT_NODE | IS_REPLAY)) || 1833 ((flag & IS_XATTR) && (vap->va_type == VDIR))) { 1834 fuid = zfs_fuid_create(zfsvfs, vap->va_uid, cr, 1835 ZFS_OWNER, tx, fuidp); 1836 fgid = zfs_fuid_create(zfsvfs, vap->va_gid, cr, 1837 ZFS_GROUP, tx, fuidp); 1838 gid = vap->va_gid; 1839 } else { 1840 fuid = zfs_fuid_create_cred(zfsvfs, ZFS_OWNER, tx, cr, fuidp); 1841 fgid = 0; 1842 if (vap->va_mask & AT_GID) { 1843 fgid = zfs_fuid_create(zfsvfs, vap->va_gid, cr, 1844 ZFS_GROUP, tx, fuidp); 1845 gid = vap->va_gid; 1846 if (fgid != parent->z_phys->zp_gid && 1847 !groupmember(vap->va_gid, cr) && 1848 secpolicy_vnode_create_gid(cr) != 0) 1849 fgid = 0; 1850 } 1851 if (fgid == 0) { 1852 if (parent->z_phys->zp_mode & S_ISGID) { 1853 fgid = parent->z_phys->zp_gid; 1854 gid = zfs_fuid_map_id(zfsvfs, fgid, 1855 cr, ZFS_GROUP); 1856 } else { 1857 fgid = zfs_fuid_create_cred(zfsvfs, 1858 ZFS_GROUP, tx, cr, fuidp); 1859 gid = crgetgid(cr); 1860 } 1861 } 1862 } 1863 1864 /* 1865 * If we're creating a directory, and the parent directory has the 1866 * set-GID bit set, set in on the new directory. 1867 * Otherwise, if the user is neither privileged nor a member of the 1868 * file's new group, clear the file's set-GID bit. 1869 */ 1870 1871 if ((parent->z_phys->zp_mode & S_ISGID) && (vap->va_type == VDIR)) { 1872 mode |= S_ISGID; 1873 } else { 1874 if ((mode & S_ISGID) && 1875 secpolicy_vnode_setids_setgids(cr, gid) != 0) 1876 mode &= ~S_ISGID; 1877 } 1878 1879 zp->z_phys->zp_uid = fuid; 1880 zp->z_phys->zp_gid = fgid; 1881 zp->z_phys->zp_mode = mode; 1882 1883 if (aclp == NULL) { 1884 mutex_enter(&parent->z_lock); 1885 if ((ZTOV(parent)->v_type == VDIR && 1886 (parent->z_phys->zp_flags & ZFS_INHERIT_ACE)) && 1887 !(zp->z_phys->zp_flags & ZFS_XATTR)) { 1888 mutex_enter(&parent->z_acl_lock); 1889 VERIFY(0 == zfs_acl_node_read(parent, &paclp, B_FALSE)); 1890 mutex_exit(&parent->z_acl_lock); 1891 aclp = zfs_acl_inherit(zp, paclp, mode, &need_chmod); 1892 zfs_acl_free(paclp); 1893 } else { 1894 aclp = zfs_acl_alloc(zfs_acl_version_zp(zp)); 1895 } 1896 mutex_exit(&parent->z_lock); 1897 mutex_enter(&zp->z_lock); 1898 mutex_enter(&zp->z_acl_lock); 1899 if (need_chmod) 1900 zfs_acl_chmod(zp, mode, aclp); 1901 } else { 1902 mutex_enter(&zp->z_lock); 1903 mutex_enter(&zp->z_acl_lock); 1904 } 1905 1906 /* Force auto_inherit on all new directory objects */ 1907 if (vap->va_type == VDIR) 1908 aclp->z_hints |= ZFS_ACL_AUTO_INHERIT; 1909 1910 error = zfs_aclset_common(zp, aclp, cr, fuidp, tx); 1911 1912 /* Set optional attributes if any */ 1913 if (vap->va_mask & AT_XVATTR) 1914 zfs_xvattr_set(zp, xvap); 1915 1916 mutex_exit(&zp->z_lock); 1917 mutex_exit(&zp->z_acl_lock); 1918 ASSERT3U(error, ==, 0); 1919 1920 if (aclp != setaclp) 1921 zfs_acl_free(aclp); 1922 } 1923 1924 /* 1925 * Retrieve a files ACL 1926 */ 1927 int 1928 zfs_getacl(znode_t *zp, vsecattr_t *vsecp, boolean_t skipaclchk, cred_t *cr) 1929 { 1930 zfs_acl_t *aclp; 1931 ulong_t mask; 1932 int error; 1933 int count = 0; 1934 int largeace = 0; 1935 1936 mask = vsecp->vsa_mask & (VSA_ACE | VSA_ACECNT | 1937 VSA_ACE_ACLFLAGS | VSA_ACE_ALLTYPES); 1938 1939 if (error = zfs_zaccess(zp, ACE_READ_ACL, 0, skipaclchk, cr)) 1940 return (error); 1941 1942 if (mask == 0) 1943 return (ENOSYS); 1944 1945 mutex_enter(&zp->z_acl_lock); 1946 1947 error = zfs_acl_node_read(zp, &aclp, B_FALSE); 1948 if (error != 0) { 1949 mutex_exit(&zp->z_acl_lock); 1950 return (error); 1951 } 1952 1953 /* 1954 * Scan ACL to determine number of ACEs 1955 */ 1956 if ((zp->z_phys->zp_flags & ZFS_ACL_OBJ_ACE) && 1957 !(mask & VSA_ACE_ALLTYPES)) { 1958 void *zacep = NULL; 1959 uint64_t who; 1960 uint32_t access_mask; 1961 uint16_t type, iflags; 1962 1963 while (zacep = zfs_acl_next_ace(aclp, zacep, 1964 &who, &access_mask, &iflags, &type)) { 1965 switch (type) { 1966 case ACE_ACCESS_ALLOWED_OBJECT_ACE_TYPE: 1967 case ACE_ACCESS_DENIED_OBJECT_ACE_TYPE: 1968 case ACE_SYSTEM_AUDIT_OBJECT_ACE_TYPE: 1969 case ACE_SYSTEM_ALARM_OBJECT_ACE_TYPE: 1970 largeace++; 1971 continue; 1972 default: 1973 count++; 1974 } 1975 } 1976 vsecp->vsa_aclcnt = count; 1977 } else 1978 count = aclp->z_acl_count; 1979 1980 if (mask & VSA_ACECNT) { 1981 vsecp->vsa_aclcnt = count; 1982 } 1983 1984 if (mask & VSA_ACE) { 1985 size_t aclsz; 1986 1987 zfs_acl_node_t *aclnode = list_head(&aclp->z_acl); 1988 1989 aclsz = count * sizeof (ace_t) + 1990 sizeof (ace_object_t) * largeace; 1991 1992 vsecp->vsa_aclentp = kmem_alloc(aclsz, KM_SLEEP); 1993 vsecp->vsa_aclentsz = aclsz; 1994 1995 if (aclp->z_version == ZFS_ACL_VERSION_FUID) 1996 zfs_copy_fuid_2_ace(zp->z_zfsvfs, aclp, cr, 1997 vsecp->vsa_aclentp, !(mask & VSA_ACE_ALLTYPES)); 1998 else { 1999 bcopy(aclnode->z_acldata, vsecp->vsa_aclentp, 2000 count * sizeof (ace_t)); 2001 } 2002 } 2003 if (mask & VSA_ACE_ACLFLAGS) { 2004 vsecp->vsa_aclflags = 0; 2005 if (zp->z_phys->zp_flags & ZFS_ACL_DEFAULTED) 2006 vsecp->vsa_aclflags |= ACL_DEFAULTED; 2007 if (zp->z_phys->zp_flags & ZFS_ACL_PROTECTED) 2008 vsecp->vsa_aclflags |= ACL_PROTECTED; 2009 if (zp->z_phys->zp_flags & ZFS_ACL_AUTO_INHERIT) 2010 vsecp->vsa_aclflags |= ACL_AUTO_INHERIT; 2011 } 2012 2013 mutex_exit(&zp->z_acl_lock); 2014 2015 zfs_acl_free(aclp); 2016 2017 return (0); 2018 } 2019 2020 int 2021 zfs_vsec_2_aclp(zfsvfs_t *zfsvfs, vtype_t obj_type, 2022 vsecattr_t *vsecp, zfs_acl_t **zaclp) 2023 { 2024 zfs_acl_t *aclp; 2025 zfs_acl_node_t *aclnode; 2026 int aclcnt = vsecp->vsa_aclcnt; 2027 int error; 2028 2029 if (vsecp->vsa_aclcnt > MAX_ACL_ENTRIES || vsecp->vsa_aclcnt <= 0) 2030 return (EINVAL); 2031 2032 aclp = zfs_acl_alloc(zfs_acl_version(zfsvfs->z_version)); 2033 2034 aclp->z_hints = 0; 2035 aclnode = zfs_acl_node_alloc(aclcnt * sizeof (zfs_object_ace_t)); 2036 if (aclp->z_version == ZFS_ACL_VERSION_INITIAL) { 2037 if ((error = zfs_copy_ace_2_oldace(obj_type, aclp, 2038 (ace_t *)vsecp->vsa_aclentp, aclnode->z_acldata, 2039 aclcnt, &aclnode->z_size)) != 0) { 2040 zfs_acl_free(aclp); 2041 zfs_acl_node_free(aclnode); 2042 return (error); 2043 } 2044 } else { 2045 if ((error = zfs_copy_ace_2_fuid(obj_type, aclp, 2046 vsecp->vsa_aclentp, aclnode->z_acldata, aclcnt, 2047 &aclnode->z_size)) != 0) { 2048 zfs_acl_free(aclp); 2049 zfs_acl_node_free(aclnode); 2050 return (error); 2051 } 2052 } 2053 aclp->z_acl_bytes = aclnode->z_size; 2054 aclnode->z_ace_count = aclcnt; 2055 aclp->z_acl_count = aclcnt; 2056 list_insert_head(&aclp->z_acl, aclnode); 2057 2058 /* 2059 * If flags are being set then add them to z_hints 2060 */ 2061 if (vsecp->vsa_mask & VSA_ACE_ACLFLAGS) { 2062 if (vsecp->vsa_aclflags & ACL_PROTECTED) 2063 aclp->z_hints |= ZFS_ACL_PROTECTED; 2064 if (vsecp->vsa_aclflags & ACL_DEFAULTED) 2065 aclp->z_hints |= ZFS_ACL_DEFAULTED; 2066 if (vsecp->vsa_aclflags & ACL_AUTO_INHERIT) 2067 aclp->z_hints |= ZFS_ACL_AUTO_INHERIT; 2068 } 2069 2070 *zaclp = aclp; 2071 2072 return (0); 2073 } 2074 2075 /* 2076 * Set a files ACL 2077 */ 2078 int 2079 zfs_setacl(znode_t *zp, vsecattr_t *vsecp, boolean_t skipaclchk, cred_t *cr) 2080 { 2081 zfsvfs_t *zfsvfs = zp->z_zfsvfs; 2082 zilog_t *zilog = zfsvfs->z_log; 2083 ulong_t mask = vsecp->vsa_mask & (VSA_ACE | VSA_ACECNT); 2084 dmu_tx_t *tx; 2085 int error; 2086 zfs_acl_t *aclp; 2087 zfs_fuid_info_t *fuidp = NULL; 2088 2089 if (mask == 0) 2090 return (ENOSYS); 2091 2092 if (zp->z_phys->zp_flags & ZFS_IMMUTABLE) 2093 return (EPERM); 2094 2095 if (error = zfs_zaccess(zp, ACE_WRITE_ACL, 0, skipaclchk, cr)) 2096 return (error); 2097 2098 error = zfs_vsec_2_aclp(zfsvfs, ZTOV(zp)->v_type, vsecp, &aclp); 2099 if (error) 2100 return (error); 2101 2102 /* 2103 * If ACL wide flags aren't being set then preserve any 2104 * existing flags. 2105 */ 2106 if (!(vsecp->vsa_mask & VSA_ACE_ACLFLAGS)) { 2107 aclp->z_hints |= (zp->z_phys->zp_flags & V4_ACL_WIDE_FLAGS); 2108 } 2109 top: 2110 if (error = zfs_zaccess(zp, ACE_WRITE_ACL, 0, skipaclchk, cr)) { 2111 zfs_acl_free(aclp); 2112 return (error); 2113 } 2114 2115 mutex_enter(&zp->z_lock); 2116 mutex_enter(&zp->z_acl_lock); 2117 2118 tx = dmu_tx_create(zfsvfs->z_os); 2119 dmu_tx_hold_bonus(tx, zp->z_id); 2120 2121 if (zp->z_phys->zp_acl.z_acl_extern_obj) { 2122 /* Are we upgrading ACL? */ 2123 if (zfsvfs->z_version <= ZPL_VERSION_FUID && 2124 zp->z_phys->zp_acl.z_acl_version == 2125 ZFS_ACL_VERSION_INITIAL) { 2126 dmu_tx_hold_free(tx, 2127 zp->z_phys->zp_acl.z_acl_extern_obj, 2128 0, DMU_OBJECT_END); 2129 dmu_tx_hold_write(tx, DMU_NEW_OBJECT, 2130 0, aclp->z_acl_bytes); 2131 } else { 2132 dmu_tx_hold_write(tx, 2133 zp->z_phys->zp_acl.z_acl_extern_obj, 2134 0, aclp->z_acl_bytes); 2135 } 2136 } else if (aclp->z_acl_bytes > ZFS_ACE_SPACE) { 2137 dmu_tx_hold_write(tx, DMU_NEW_OBJECT, 0, aclp->z_acl_bytes); 2138 } 2139 if (aclp->z_has_fuids) { 2140 if (zfsvfs->z_fuid_obj == 0) { 2141 dmu_tx_hold_bonus(tx, DMU_NEW_OBJECT); 2142 dmu_tx_hold_write(tx, DMU_NEW_OBJECT, 0, 2143 FUID_SIZE_ESTIMATE(zfsvfs)); 2144 dmu_tx_hold_zap(tx, MASTER_NODE_OBJ, FALSE, NULL); 2145 } else { 2146 dmu_tx_hold_bonus(tx, zfsvfs->z_fuid_obj); 2147 dmu_tx_hold_write(tx, zfsvfs->z_fuid_obj, 0, 2148 FUID_SIZE_ESTIMATE(zfsvfs)); 2149 } 2150 } 2151 2152 error = dmu_tx_assign(tx, TXG_NOWAIT); 2153 if (error) { 2154 mutex_exit(&zp->z_acl_lock); 2155 mutex_exit(&zp->z_lock); 2156 2157 if (error == ERESTART) { 2158 dmu_tx_wait(tx); 2159 dmu_tx_abort(tx); 2160 goto top; 2161 } 2162 dmu_tx_abort(tx); 2163 zfs_acl_free(aclp); 2164 return (error); 2165 } 2166 2167 error = zfs_aclset_common(zp, aclp, cr, &fuidp, tx); 2168 ASSERT(error == 0); 2169 2170 zfs_log_acl(zilog, tx, zp, vsecp, fuidp); 2171 2172 if (fuidp) 2173 zfs_fuid_info_free(fuidp); 2174 zfs_acl_free(aclp); 2175 dmu_tx_commit(tx); 2176 done: 2177 mutex_exit(&zp->z_acl_lock); 2178 mutex_exit(&zp->z_lock); 2179 2180 return (error); 2181 } 2182 2183 /* 2184 * working_mode returns the permissions that were not granted 2185 */ 2186 static int 2187 zfs_zaccess_common(znode_t *zp, uint32_t v4_mode, uint32_t *working_mode, 2188 boolean_t *check_privs, boolean_t skipaclchk, cred_t *cr) 2189 { 2190 zfs_acl_t *aclp; 2191 zfsvfs_t *zfsvfs = zp->z_zfsvfs; 2192 int error; 2193 uid_t uid = crgetuid(cr); 2194 uint64_t who; 2195 uint16_t type, iflags; 2196 uint16_t entry_type; 2197 uint32_t access_mask; 2198 uint32_t deny_mask = 0; 2199 zfs_ace_hdr_t *acep = NULL; 2200 boolean_t checkit; 2201 uid_t fowner; 2202 uid_t gowner; 2203 2204 /* 2205 * Short circuit empty requests 2206 */ 2207 if (v4_mode == 0) 2208 return (0); 2209 2210 *check_privs = B_TRUE; 2211 2212 if (zfsvfs->z_replay) { 2213 *working_mode = 0; 2214 return (0); 2215 } 2216 2217 *working_mode = v4_mode; 2218 2219 if ((v4_mode & WRITE_MASK) && 2220 (zp->z_zfsvfs->z_vfs->vfs_flag & VFS_RDONLY) && 2221 (!IS_DEVVP(ZTOV(zp)) || 2222 (IS_DEVVP(ZTOV(zp)) && (v4_mode & WRITE_MASK_ATTRS)))) { 2223 *check_privs = B_FALSE; 2224 return (EROFS); 2225 } 2226 2227 /* 2228 * Only check for READONLY on non-directories. 2229 */ 2230 if ((v4_mode & WRITE_MASK_DATA) && 2231 (((ZTOV(zp)->v_type != VDIR) && 2232 (zp->z_phys->zp_flags & (ZFS_READONLY | ZFS_IMMUTABLE))) || 2233 (ZTOV(zp)->v_type == VDIR && 2234 (zp->z_phys->zp_flags & ZFS_IMMUTABLE)))) { 2235 *check_privs = B_FALSE; 2236 return (EPERM); 2237 } 2238 2239 if ((v4_mode & (ACE_DELETE | ACE_DELETE_CHILD)) && 2240 (zp->z_phys->zp_flags & ZFS_NOUNLINK)) { 2241 *check_privs = B_FALSE; 2242 return (EPERM); 2243 } 2244 2245 if (((v4_mode & (ACE_READ_DATA|ACE_EXECUTE)) && 2246 (zp->z_phys->zp_flags & ZFS_AV_QUARANTINED))) { 2247 *check_privs = B_FALSE; 2248 return (EACCES); 2249 } 2250 2251 /* 2252 * The caller requested that the ACL check be skipped. This 2253 * would only happen if the caller checked VOP_ACCESS() with a 2254 * 32 bit ACE mask and already had the appropriate permissions. 2255 */ 2256 if (skipaclchk) { 2257 *working_mode = 0; 2258 return (0); 2259 } 2260 2261 zfs_fuid_map_ids(zp, cr, &fowner, &gowner); 2262 2263 mutex_enter(&zp->z_acl_lock); 2264 2265 error = zfs_acl_node_read(zp, &aclp, B_FALSE); 2266 if (error != 0) { 2267 mutex_exit(&zp->z_acl_lock); 2268 return (error); 2269 } 2270 2271 while (acep = zfs_acl_next_ace(aclp, acep, &who, &access_mask, 2272 &iflags, &type)) { 2273 2274 if (!zfs_acl_valid_ace_type(type, iflags)) 2275 continue; 2276 2277 if (ZTOV(zp)->v_type == VDIR && (iflags & ACE_INHERIT_ONLY_ACE)) 2278 continue; 2279 2280 entry_type = (iflags & ACE_TYPE_FLAGS); 2281 2282 checkit = B_FALSE; 2283 2284 switch (entry_type) { 2285 case ACE_OWNER: 2286 if (uid == fowner) 2287 checkit = B_TRUE; 2288 break; 2289 case OWNING_GROUP: 2290 who = gowner; 2291 /*FALLTHROUGH*/ 2292 case ACE_IDENTIFIER_GROUP: 2293 checkit = zfs_groupmember(zfsvfs, who, cr); 2294 break; 2295 case ACE_EVERYONE: 2296 checkit = B_TRUE; 2297 break; 2298 2299 /* USER Entry */ 2300 default: 2301 if (entry_type == 0) { 2302 uid_t newid; 2303 2304 newid = zfs_fuid_map_id(zfsvfs, who, cr, 2305 ZFS_ACE_USER); 2306 if (newid != IDMAP_WK_CREATOR_OWNER_UID && 2307 uid == newid) 2308 checkit = B_TRUE; 2309 break; 2310 } else { 2311 zfs_acl_free(aclp); 2312 mutex_exit(&zp->z_acl_lock); 2313 return (EIO); 2314 } 2315 } 2316 2317 if (checkit) { 2318 uint32_t mask_matched = (access_mask & *working_mode); 2319 2320 if (mask_matched) { 2321 if (type == DENY) 2322 deny_mask |= mask_matched; 2323 2324 *working_mode &= ~mask_matched; 2325 } 2326 } 2327 2328 /* Are we done? */ 2329 if (*working_mode == 0) 2330 break; 2331 } 2332 2333 mutex_exit(&zp->z_acl_lock); 2334 zfs_acl_free(aclp); 2335 2336 /* Put the found 'denies' back on the working mode */ 2337 if (deny_mask) { 2338 *working_mode |= deny_mask; 2339 return (EACCES); 2340 } else if (*working_mode) { 2341 return (-1); 2342 } 2343 2344 return (0); 2345 } 2346 2347 static int 2348 zfs_zaccess_append(znode_t *zp, uint32_t *working_mode, boolean_t *check_privs, 2349 cred_t *cr) 2350 { 2351 if (*working_mode != ACE_WRITE_DATA) 2352 return (EACCES); 2353 2354 return (zfs_zaccess_common(zp, ACE_APPEND_DATA, working_mode, 2355 check_privs, B_FALSE, cr)); 2356 } 2357 2358 /* 2359 * Determine whether Access should be granted/denied, invoking least 2360 * priv subsytem when a deny is determined. 2361 */ 2362 int 2363 zfs_zaccess(znode_t *zp, int mode, int flags, boolean_t skipaclchk, cred_t *cr) 2364 { 2365 uint32_t working_mode; 2366 int error; 2367 int is_attr; 2368 zfsvfs_t *zfsvfs = zp->z_zfsvfs; 2369 boolean_t check_privs; 2370 znode_t *xzp; 2371 znode_t *check_zp = zp; 2372 2373 is_attr = ((zp->z_phys->zp_flags & ZFS_XATTR) && 2374 (ZTOV(zp)->v_type == VDIR)); 2375 2376 /* 2377 * If attribute then validate against base file 2378 */ 2379 if (is_attr) { 2380 if ((error = zfs_zget(zp->z_zfsvfs, 2381 zp->z_phys->zp_parent, &xzp)) != 0) { 2382 return (error); 2383 } 2384 2385 check_zp = xzp; 2386 2387 /* 2388 * fixup mode to map to xattr perms 2389 */ 2390 2391 if (mode & (ACE_WRITE_DATA|ACE_APPEND_DATA)) { 2392 mode &= ~(ACE_WRITE_DATA|ACE_APPEND_DATA); 2393 mode |= ACE_WRITE_NAMED_ATTRS; 2394 } 2395 2396 if (mode & (ACE_READ_DATA|ACE_EXECUTE)) { 2397 mode &= ~(ACE_READ_DATA|ACE_EXECUTE); 2398 mode |= ACE_READ_NAMED_ATTRS; 2399 } 2400 } 2401 2402 if ((error = zfs_zaccess_common(check_zp, mode, &working_mode, 2403 &check_privs, skipaclchk, cr)) == 0) { 2404 if (is_attr) 2405 VN_RELE(ZTOV(xzp)); 2406 return (0); 2407 } 2408 2409 if (error && !check_privs) { 2410 if (is_attr) 2411 VN_RELE(ZTOV(xzp)); 2412 return (error); 2413 } 2414 2415 if (error && (flags & V_APPEND)) { 2416 error = zfs_zaccess_append(zp, &working_mode, &check_privs, cr); 2417 } 2418 2419 if (error && check_privs) { 2420 uid_t owner; 2421 mode_t checkmode = 0; 2422 2423 owner = zfs_fuid_map_id(zfsvfs, check_zp->z_phys->zp_uid, cr, 2424 ZFS_OWNER); 2425 2426 /* 2427 * First check for implicit owner permission on 2428 * read_acl/read_attributes 2429 */ 2430 2431 error = 0; 2432 ASSERT(working_mode != 0); 2433 2434 if ((working_mode & (ACE_READ_ACL|ACE_READ_ATTRIBUTES) && 2435 owner == crgetuid(cr))) 2436 working_mode &= ~(ACE_READ_ACL|ACE_READ_ATTRIBUTES); 2437 2438 if (working_mode & (ACE_READ_DATA|ACE_READ_NAMED_ATTRS| 2439 ACE_READ_ACL|ACE_READ_ATTRIBUTES|ACE_SYNCHRONIZE)) 2440 checkmode |= VREAD; 2441 if (working_mode & (ACE_WRITE_DATA|ACE_WRITE_NAMED_ATTRS| 2442 ACE_APPEND_DATA|ACE_WRITE_ATTRIBUTES|ACE_SYNCHRONIZE)) 2443 checkmode |= VWRITE; 2444 if (working_mode & ACE_EXECUTE) 2445 checkmode |= VEXEC; 2446 2447 if (checkmode) 2448 error = secpolicy_vnode_access(cr, ZTOV(check_zp), 2449 owner, checkmode); 2450 2451 if (error == 0 && (working_mode & ACE_WRITE_OWNER)) 2452 error = secpolicy_vnode_chown(cr, B_TRUE); 2453 if (error == 0 && (working_mode & ACE_WRITE_ACL)) 2454 error = secpolicy_vnode_setdac(cr, owner); 2455 2456 if (error == 0 && (working_mode & 2457 (ACE_DELETE|ACE_DELETE_CHILD))) 2458 error = secpolicy_vnode_remove(cr); 2459 2460 if (error == 0 && (working_mode & ACE_SYNCHRONIZE)) { 2461 error = secpolicy_vnode_chown(cr, B_FALSE); 2462 } 2463 if (error == 0) { 2464 /* 2465 * See if any bits other than those already checked 2466 * for are still present. If so then return EACCES 2467 */ 2468 if (working_mode & ~(ZFS_CHECKED_MASKS)) { 2469 error = EACCES; 2470 } 2471 } 2472 } 2473 2474 if (is_attr) 2475 VN_RELE(ZTOV(xzp)); 2476 2477 return (error); 2478 } 2479 2480 /* 2481 * Translate traditional unix VREAD/VWRITE/VEXEC mode into 2482 * native ACL format and call zfs_zaccess() 2483 */ 2484 int 2485 zfs_zaccess_rwx(znode_t *zp, mode_t mode, int flags, cred_t *cr) 2486 { 2487 return (zfs_zaccess(zp, zfs_unix_to_v4(mode >> 6), flags, B_FALSE, cr)); 2488 } 2489 2490 /* 2491 * Access function for secpolicy_vnode_setattr 2492 */ 2493 int 2494 zfs_zaccess_unix(znode_t *zp, mode_t mode, cred_t *cr) 2495 { 2496 int v4_mode = zfs_unix_to_v4(mode >> 6); 2497 2498 return (zfs_zaccess(zp, v4_mode, 0, B_FALSE, cr)); 2499 } 2500 2501 static int 2502 zfs_delete_final_check(znode_t *zp, znode_t *dzp, 2503 mode_t missing_perms, cred_t *cr) 2504 { 2505 int error; 2506 uid_t downer; 2507 zfsvfs_t *zfsvfs = zp->z_zfsvfs; 2508 2509 downer = zfs_fuid_map_id(zfsvfs, dzp->z_phys->zp_uid, cr, ZFS_OWNER); 2510 2511 error = secpolicy_vnode_access(cr, ZTOV(dzp), downer, missing_perms); 2512 2513 if (error == 0) 2514 error = zfs_sticky_remove_access(dzp, zp, cr); 2515 2516 return (error); 2517 } 2518 2519 /* 2520 * Determine whether Access should be granted/deny, without 2521 * consulting least priv subsystem. 2522 * 2523 * 2524 * The following chart is the recommended NFSv4 enforcement for 2525 * ability to delete an object. 2526 * 2527 * ------------------------------------------------------- 2528 * | Parent Dir | Target Object Permissions | 2529 * | permissions | | 2530 * ------------------------------------------------------- 2531 * | | ACL Allows | ACL Denies| Delete | 2532 * | | Delete | Delete | unspecified| 2533 * ------------------------------------------------------- 2534 * | ACL Allows | Permit | Permit | Permit | 2535 * | DELETE_CHILD | | 2536 * ------------------------------------------------------- 2537 * | ACL Denies | Permit | Deny | Deny | 2538 * | DELETE_CHILD | | | | 2539 * ------------------------------------------------------- 2540 * | ACL specifies | | | | 2541 * | only allow | Permit | Permit | Permit | 2542 * | write and | | | | 2543 * | execute | | | | 2544 * ------------------------------------------------------- 2545 * | ACL denies | | | | 2546 * | write and | Permit | Deny | Deny | 2547 * | execute | | | | 2548 * ------------------------------------------------------- 2549 * ^ 2550 * | 2551 * No search privilege, can't even look up file? 2552 * 2553 */ 2554 int 2555 zfs_zaccess_delete(znode_t *dzp, znode_t *zp, cred_t *cr) 2556 { 2557 uint32_t dzp_working_mode = 0; 2558 uint32_t zp_working_mode = 0; 2559 int dzp_error, zp_error; 2560 mode_t missing_perms; 2561 boolean_t dzpcheck_privs = B_TRUE; 2562 boolean_t zpcheck_privs = B_TRUE; 2563 2564 /* 2565 * We want specific DELETE permissions to 2566 * take precedence over WRITE/EXECUTE. We don't 2567 * want an ACL such as this to mess us up. 2568 * user:joe:write_data:deny,user:joe:delete:allow 2569 * 2570 * However, deny permissions may ultimately be overridden 2571 * by secpolicy_vnode_access(). 2572 * 2573 * We will ask for all of the necessary permissions and then 2574 * look at the working modes from the directory and target object 2575 * to determine what was found. 2576 */ 2577 2578 if (zp->z_phys->zp_flags & (ZFS_IMMUTABLE | ZFS_NOUNLINK)) 2579 return (EPERM); 2580 2581 /* 2582 * First row 2583 * If the directory permissions allow the delete, we are done. 2584 */ 2585 if ((dzp_error = zfs_zaccess_common(dzp, ACE_DELETE_CHILD, 2586 &dzp_working_mode, &dzpcheck_privs, B_FALSE, cr)) == 0) 2587 return (0); 2588 2589 /* 2590 * If target object has delete permission then we are done 2591 */ 2592 if ((zp_error = zfs_zaccess_common(zp, ACE_DELETE, &zp_working_mode, 2593 &zpcheck_privs, B_FALSE, cr)) == 0) 2594 return (0); 2595 2596 ASSERT(dzp_error && zp_error); 2597 2598 if (!dzpcheck_privs) 2599 return (dzp_error); 2600 if (!zpcheck_privs) 2601 return (zp_error); 2602 2603 /* 2604 * Second row 2605 * 2606 * If directory returns EACCES then delete_child was denied 2607 * due to deny delete_child. In this case send the request through 2608 * secpolicy_vnode_remove(). We don't use zfs_delete_final_check() 2609 * since that *could* allow the delete based on write/execute permission 2610 * and we want delete permissions to override write/execute. 2611 */ 2612 2613 if (dzp_error == EACCES) 2614 return (secpolicy_vnode_remove(cr)); 2615 2616 /* 2617 * Third Row 2618 * only need to see if we have write/execute on directory. 2619 */ 2620 2621 if ((dzp_error = zfs_zaccess_common(dzp, ACE_EXECUTE|ACE_WRITE_DATA, 2622 &dzp_working_mode, &dzpcheck_privs, B_FALSE, cr)) == 0) 2623 return (zfs_sticky_remove_access(dzp, zp, cr)); 2624 2625 if (!dzpcheck_privs) 2626 return (dzp_error); 2627 2628 /* 2629 * Fourth row 2630 */ 2631 2632 missing_perms = (dzp_working_mode & ACE_WRITE_DATA) ? VWRITE : 0; 2633 missing_perms |= (dzp_working_mode & ACE_EXECUTE) ? VEXEC : 0; 2634 2635 ASSERT(missing_perms); 2636 2637 return (zfs_delete_final_check(zp, dzp, missing_perms, cr)); 2638 2639 } 2640 2641 int 2642 zfs_zaccess_rename(znode_t *sdzp, znode_t *szp, znode_t *tdzp, 2643 znode_t *tzp, cred_t *cr) 2644 { 2645 int add_perm; 2646 int error; 2647 2648 if (szp->z_phys->zp_flags & ZFS_AV_QUARANTINED) 2649 return (EACCES); 2650 2651 add_perm = (ZTOV(szp)->v_type == VDIR) ? 2652 ACE_ADD_SUBDIRECTORY : ACE_ADD_FILE; 2653 2654 /* 2655 * Rename permissions are combination of delete permission + 2656 * add file/subdir permission. 2657 */ 2658 2659 /* 2660 * first make sure we do the delete portion. 2661 * 2662 * If that succeeds then check for add_file/add_subdir permissions 2663 */ 2664 2665 if (error = zfs_zaccess_delete(sdzp, szp, cr)) 2666 return (error); 2667 2668 /* 2669 * If we have a tzp, see if we can delete it? 2670 */ 2671 if (tzp) { 2672 if (error = zfs_zaccess_delete(tdzp, tzp, cr)) 2673 return (error); 2674 } 2675 2676 /* 2677 * Now check for add permissions 2678 */ 2679 error = zfs_zaccess(tdzp, add_perm, 0, B_FALSE, cr); 2680 2681 return (error); 2682 } 2683