1 /* 2 * CDDL HEADER START 3 * 4 * The contents of this file are subject to the terms of the 5 * Common Development and Distribution License (the "License"). 6 * You may not use this file except in compliance with the License. 7 * 8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE 9 * or http://www.opensolaris.org/os/licensing. 10 * See the License for the specific language governing permissions 11 * and limitations under the License. 12 * 13 * When distributing Covered Code, include this CDDL HEADER in each 14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE. 15 * If applicable, add the following below this CDDL HEADER, with the 16 * fields enclosed by brackets "[]" replaced with your own identifying 17 * information: Portions Copyright [yyyy] [name of copyright owner] 18 * 19 * CDDL HEADER END 20 */ 21 /* 22 * Copyright (c) 2005, 2010, Oracle and/or its affiliates. All rights reserved. 23 * Copyright (c) 2013 by Delphix. All rights reserved. 24 * Copyright 2020 Tintri by DDN, Inc. All rights reserved. 25 * Copyright 2019-2023 RackTop Systems, Inc. 26 */ 27 28 #include <sys/types.h> 29 #include <sys/param.h> 30 #include <sys/time.h> 31 #include <sys/systm.h> 32 #include <sys/sysmacros.h> 33 #include <sys/resource.h> 34 #include <sys/vfs.h> 35 #include <sys/vnode.h> 36 #include <sys/sid.h> 37 #include <sys/file.h> 38 #include <sys/stat.h> 39 #include <sys/kmem.h> 40 #include <sys/cmn_err.h> 41 #include <sys/errno.h> 42 #include <sys/unistd.h> 43 #include <sys/sdt.h> 44 #include <sys/fs/zfs.h> 45 #include <sys/mode.h> 46 #include <sys/policy.h> 47 #include <sys/zfs_znode.h> 48 #include <sys/zfs_fuid.h> 49 #include <sys/zfs_acl.h> 50 #include <sys/zfs_dir.h> 51 #include <sys/zfs_vfsops.h> 52 #include <sys/dmu.h> 53 #include <sys/dnode.h> 54 #include <sys/zap.h> 55 #include <sys/sa.h> 56 #include "fs/fs_subr.h" 57 #include <acl/acl_common.h> 58 59 #define ALLOW ACE_ACCESS_ALLOWED_ACE_TYPE 60 #define DENY ACE_ACCESS_DENIED_ACE_TYPE 61 #define MAX_ACE_TYPE ACE_SYSTEM_ALARM_CALLBACK_OBJECT_ACE_TYPE 62 #define MIN_ACE_TYPE ALLOW 63 64 #define OWNING_GROUP (ACE_GROUP|ACE_IDENTIFIER_GROUP) 65 #define EVERYONE_ALLOW_MASK (ACE_READ_ACL|ACE_READ_ATTRIBUTES | \ 66 ACE_READ_NAMED_ATTRS|ACE_SYNCHRONIZE) 67 #define EVERYONE_DENY_MASK (ACE_WRITE_ACL|ACE_WRITE_OWNER | \ 68 ACE_WRITE_ATTRIBUTES|ACE_WRITE_NAMED_ATTRS) 69 #define OWNER_ALLOW_MASK (ACE_WRITE_ACL | ACE_WRITE_OWNER | \ 70 ACE_WRITE_ATTRIBUTES|ACE_WRITE_NAMED_ATTRS) 71 72 #define ZFS_CHECKED_MASKS (ACE_READ_ACL|ACE_READ_ATTRIBUTES|ACE_READ_DATA| \ 73 ACE_READ_NAMED_ATTRS|ACE_WRITE_DATA|ACE_WRITE_ATTRIBUTES| \ 74 ACE_WRITE_NAMED_ATTRS|ACE_APPEND_DATA|ACE_EXECUTE|ACE_WRITE_OWNER| \ 75 ACE_WRITE_ACL|ACE_DELETE|ACE_DELETE_CHILD|ACE_SYNCHRONIZE) 76 77 #define WRITE_MASK_DATA (ACE_WRITE_DATA|ACE_APPEND_DATA|ACE_WRITE_NAMED_ATTRS) 78 #define WRITE_MASK_ATTRS (ACE_WRITE_ACL|ACE_WRITE_OWNER|ACE_WRITE_ATTRIBUTES| \ 79 ACE_DELETE|ACE_DELETE_CHILD) 80 #define WRITE_MASK (WRITE_MASK_DATA|WRITE_MASK_ATTRS) 81 82 #define OGE_CLEAR (ACE_READ_DATA|ACE_LIST_DIRECTORY|ACE_WRITE_DATA| \ 83 ACE_ADD_FILE|ACE_APPEND_DATA|ACE_ADD_SUBDIRECTORY|ACE_EXECUTE) 84 85 #define OKAY_MASK_BITS (ACE_READ_DATA|ACE_LIST_DIRECTORY|ACE_WRITE_DATA| \ 86 ACE_ADD_FILE|ACE_APPEND_DATA|ACE_ADD_SUBDIRECTORY|ACE_EXECUTE) 87 88 #define ALL_INHERIT (ACE_FILE_INHERIT_ACE|ACE_DIRECTORY_INHERIT_ACE | \ 89 ACE_NO_PROPAGATE_INHERIT_ACE|ACE_INHERIT_ONLY_ACE|ACE_INHERITED_ACE) 90 91 #define RESTRICTED_CLEAR (ACE_WRITE_ACL|ACE_WRITE_OWNER) 92 93 #define V4_ACL_WIDE_FLAGS (ZFS_ACL_AUTO_INHERIT|ZFS_ACL_DEFAULTED|\ 94 ZFS_ACL_PROTECTED) 95 96 #define ZFS_ACL_WIDE_FLAGS (V4_ACL_WIDE_FLAGS|ZFS_ACL_TRIVIAL|ZFS_INHERIT_ACE|\ 97 ZFS_ACL_OBJ_ACE) 98 99 #define ALL_MODE_EXECS (S_IXUSR | S_IXGRP | S_IXOTH) 100 101 static uint16_t 102 zfs_ace_v0_get_type(void *acep) 103 { 104 return (((zfs_oldace_t *)acep)->z_type); 105 } 106 107 static uint16_t 108 zfs_ace_v0_get_flags(void *acep) 109 { 110 return (((zfs_oldace_t *)acep)->z_flags); 111 } 112 113 static uint32_t 114 zfs_ace_v0_get_mask(void *acep) 115 { 116 return (((zfs_oldace_t *)acep)->z_access_mask); 117 } 118 119 static uint64_t 120 zfs_ace_v0_get_who(void *acep) 121 { 122 return (((zfs_oldace_t *)acep)->z_fuid); 123 } 124 125 static void 126 zfs_ace_v0_set_type(void *acep, uint16_t type) 127 { 128 ((zfs_oldace_t *)acep)->z_type = type; 129 } 130 131 static void 132 zfs_ace_v0_set_flags(void *acep, uint16_t flags) 133 { 134 ((zfs_oldace_t *)acep)->z_flags = flags; 135 } 136 137 static void 138 zfs_ace_v0_set_mask(void *acep, uint32_t mask) 139 { 140 ((zfs_oldace_t *)acep)->z_access_mask = mask; 141 } 142 143 static void 144 zfs_ace_v0_set_who(void *acep, uint64_t who) 145 { 146 ((zfs_oldace_t *)acep)->z_fuid = who; 147 } 148 149 /*ARGSUSED*/ 150 static size_t 151 zfs_ace_v0_size(void *acep) 152 { 153 return (sizeof (zfs_oldace_t)); 154 } 155 156 static size_t 157 zfs_ace_v0_abstract_size(void) 158 { 159 return (sizeof (zfs_oldace_t)); 160 } 161 162 static int 163 zfs_ace_v0_mask_off(void) 164 { 165 return (offsetof(zfs_oldace_t, z_access_mask)); 166 } 167 168 /*ARGSUSED*/ 169 static int 170 zfs_ace_v0_data(void *acep, void **datap) 171 { 172 *datap = NULL; 173 return (0); 174 } 175 176 static acl_ops_t zfs_acl_v0_ops = { 177 zfs_ace_v0_get_mask, 178 zfs_ace_v0_set_mask, 179 zfs_ace_v0_get_flags, 180 zfs_ace_v0_set_flags, 181 zfs_ace_v0_get_type, 182 zfs_ace_v0_set_type, 183 zfs_ace_v0_get_who, 184 zfs_ace_v0_set_who, 185 zfs_ace_v0_size, 186 zfs_ace_v0_abstract_size, 187 zfs_ace_v0_mask_off, 188 zfs_ace_v0_data 189 }; 190 191 static uint16_t 192 zfs_ace_fuid_get_type(void *acep) 193 { 194 return (((zfs_ace_hdr_t *)acep)->z_type); 195 } 196 197 static uint16_t 198 zfs_ace_fuid_get_flags(void *acep) 199 { 200 return (((zfs_ace_hdr_t *)acep)->z_flags); 201 } 202 203 static uint32_t 204 zfs_ace_fuid_get_mask(void *acep) 205 { 206 return (((zfs_ace_hdr_t *)acep)->z_access_mask); 207 } 208 209 static uint64_t 210 zfs_ace_fuid_get_who(void *args) 211 { 212 uint16_t entry_type; 213 zfs_ace_t *acep = args; 214 215 entry_type = acep->z_hdr.z_flags & ACE_TYPE_FLAGS; 216 217 if (entry_type == ACE_OWNER || entry_type == OWNING_GROUP || 218 entry_type == ACE_EVERYONE) 219 return (-1); 220 return (((zfs_ace_t *)acep)->z_fuid); 221 } 222 223 static void 224 zfs_ace_fuid_set_type(void *acep, uint16_t type) 225 { 226 ((zfs_ace_hdr_t *)acep)->z_type = type; 227 } 228 229 static void 230 zfs_ace_fuid_set_flags(void *acep, uint16_t flags) 231 { 232 ((zfs_ace_hdr_t *)acep)->z_flags = flags; 233 } 234 235 static void 236 zfs_ace_fuid_set_mask(void *acep, uint32_t mask) 237 { 238 ((zfs_ace_hdr_t *)acep)->z_access_mask = mask; 239 } 240 241 static void 242 zfs_ace_fuid_set_who(void *arg, uint64_t who) 243 { 244 zfs_ace_t *acep = arg; 245 246 uint16_t entry_type = acep->z_hdr.z_flags & ACE_TYPE_FLAGS; 247 248 if (entry_type == ACE_OWNER || entry_type == OWNING_GROUP || 249 entry_type == ACE_EVERYONE) 250 return; 251 acep->z_fuid = who; 252 } 253 254 static size_t 255 zfs_ace_fuid_size(void *acep) 256 { 257 zfs_ace_hdr_t *zacep = acep; 258 uint16_t entry_type; 259 260 switch (zacep->z_type) { 261 case ACE_ACCESS_ALLOWED_OBJECT_ACE_TYPE: 262 case ACE_ACCESS_DENIED_OBJECT_ACE_TYPE: 263 case ACE_SYSTEM_AUDIT_OBJECT_ACE_TYPE: 264 case ACE_SYSTEM_ALARM_OBJECT_ACE_TYPE: 265 return (sizeof (zfs_object_ace_t)); 266 case ALLOW: 267 case DENY: 268 entry_type = 269 (((zfs_ace_hdr_t *)acep)->z_flags & ACE_TYPE_FLAGS); 270 if (entry_type == ACE_OWNER || 271 entry_type == OWNING_GROUP || 272 entry_type == ACE_EVERYONE) 273 return (sizeof (zfs_ace_hdr_t)); 274 /*FALLTHROUGH*/ 275 default: 276 return (sizeof (zfs_ace_t)); 277 } 278 } 279 280 static size_t 281 zfs_ace_fuid_abstract_size(void) 282 { 283 return (sizeof (zfs_ace_hdr_t)); 284 } 285 286 static int 287 zfs_ace_fuid_mask_off(void) 288 { 289 return (offsetof(zfs_ace_hdr_t, z_access_mask)); 290 } 291 292 static int 293 zfs_ace_fuid_data(void *acep, void **datap) 294 { 295 zfs_ace_t *zacep = acep; 296 zfs_object_ace_t *zobjp; 297 298 switch (zacep->z_hdr.z_type) { 299 case ACE_ACCESS_ALLOWED_OBJECT_ACE_TYPE: 300 case ACE_ACCESS_DENIED_OBJECT_ACE_TYPE: 301 case ACE_SYSTEM_AUDIT_OBJECT_ACE_TYPE: 302 case ACE_SYSTEM_ALARM_OBJECT_ACE_TYPE: 303 zobjp = acep; 304 *datap = (caddr_t)zobjp + sizeof (zfs_ace_t); 305 return (sizeof (zfs_object_ace_t) - sizeof (zfs_ace_t)); 306 default: 307 *datap = NULL; 308 return (0); 309 } 310 } 311 312 static acl_ops_t zfs_acl_fuid_ops = { 313 zfs_ace_fuid_get_mask, 314 zfs_ace_fuid_set_mask, 315 zfs_ace_fuid_get_flags, 316 zfs_ace_fuid_set_flags, 317 zfs_ace_fuid_get_type, 318 zfs_ace_fuid_set_type, 319 zfs_ace_fuid_get_who, 320 zfs_ace_fuid_set_who, 321 zfs_ace_fuid_size, 322 zfs_ace_fuid_abstract_size, 323 zfs_ace_fuid_mask_off, 324 zfs_ace_fuid_data 325 }; 326 327 /* 328 * The following three functions are provided for compatibility with 329 * older ZPL version in order to determine if the file use to have 330 * an external ACL and what version of ACL previously existed on the 331 * file. Would really be nice to not need this, sigh. 332 */ 333 uint64_t 334 zfs_external_acl(znode_t *zp) 335 { 336 zfs_acl_phys_t acl_phys; 337 int error; 338 339 if (zp->z_is_sa) 340 return (0); 341 342 /* 343 * Need to deal with a potential 344 * race where zfs_sa_upgrade could cause 345 * z_isa_sa to change. 346 * 347 * If the lookup fails then the state of z_is_sa should have 348 * changed. 349 */ 350 351 if ((error = sa_lookup(zp->z_sa_hdl, SA_ZPL_ZNODE_ACL(zp->z_zfsvfs), 352 &acl_phys, sizeof (acl_phys))) == 0) 353 return (acl_phys.z_acl_extern_obj); 354 else { 355 /* 356 * after upgrade the SA_ZPL_ZNODE_ACL should have been 357 * removed 358 */ 359 VERIFY(zp->z_is_sa && error == ENOENT); 360 return (0); 361 } 362 } 363 364 /* 365 * Determine size of ACL in bytes 366 * 367 * This is more complicated than it should be since we have to deal 368 * with old external ACLs. 369 */ 370 static int 371 zfs_acl_znode_info(znode_t *zp, int *aclsize, int *aclcount, 372 zfs_acl_phys_t *aclphys) 373 { 374 zfsvfs_t *zfsvfs = zp->z_zfsvfs; 375 uint64_t acl_count; 376 int size; 377 int error; 378 379 ASSERT(MUTEX_HELD(&zp->z_acl_lock)); 380 if (zp->z_is_sa) { 381 if ((error = sa_size(zp->z_sa_hdl, SA_ZPL_DACL_ACES(zfsvfs), 382 &size)) != 0) 383 return (error); 384 *aclsize = size; 385 if ((error = sa_lookup(zp->z_sa_hdl, SA_ZPL_DACL_COUNT(zfsvfs), 386 &acl_count, sizeof (acl_count))) != 0) 387 return (error); 388 *aclcount = acl_count; 389 } else { 390 if ((error = sa_lookup(zp->z_sa_hdl, SA_ZPL_ZNODE_ACL(zfsvfs), 391 aclphys, sizeof (*aclphys))) != 0) 392 return (error); 393 394 if (aclphys->z_acl_version == ZFS_ACL_VERSION_INITIAL) { 395 *aclsize = ZFS_ACL_SIZE(aclphys->z_acl_size); 396 *aclcount = aclphys->z_acl_size; 397 } else { 398 *aclsize = aclphys->z_acl_size; 399 *aclcount = aclphys->z_acl_count; 400 } 401 } 402 return (0); 403 } 404 405 int 406 zfs_znode_acl_version(znode_t *zp) 407 { 408 zfs_acl_phys_t acl_phys; 409 410 if (zp->z_is_sa) 411 return (ZFS_ACL_VERSION_FUID); 412 else { 413 int error; 414 415 /* 416 * Need to deal with a potential 417 * race where zfs_sa_upgrade could cause 418 * z_isa_sa to change. 419 * 420 * If the lookup fails then the state of z_is_sa should have 421 * changed. 422 */ 423 if ((error = sa_lookup(zp->z_sa_hdl, 424 SA_ZPL_ZNODE_ACL(zp->z_zfsvfs), 425 &acl_phys, sizeof (acl_phys))) == 0) 426 return (acl_phys.z_acl_version); 427 else { 428 /* 429 * After upgrade SA_ZPL_ZNODE_ACL should have 430 * been removed. 431 */ 432 VERIFY(zp->z_is_sa && error == ENOENT); 433 return (ZFS_ACL_VERSION_FUID); 434 } 435 } 436 } 437 438 static int 439 zfs_acl_version(int version) 440 { 441 if (version < ZPL_VERSION_FUID) 442 return (ZFS_ACL_VERSION_INITIAL); 443 else 444 return (ZFS_ACL_VERSION_FUID); 445 } 446 447 static int 448 zfs_acl_version_zp(znode_t *zp) 449 { 450 return (zfs_acl_version(zp->z_zfsvfs->z_version)); 451 } 452 453 zfs_acl_t * 454 zfs_acl_alloc(int vers) 455 { 456 zfs_acl_t *aclp; 457 458 aclp = kmem_zalloc(sizeof (zfs_acl_t), KM_SLEEP); 459 list_create(&aclp->z_acl, sizeof (zfs_acl_node_t), 460 offsetof(zfs_acl_node_t, z_next)); 461 aclp->z_version = vers; 462 if (vers == ZFS_ACL_VERSION_FUID) 463 aclp->z_ops = zfs_acl_fuid_ops; 464 else 465 aclp->z_ops = zfs_acl_v0_ops; 466 return (aclp); 467 } 468 469 zfs_acl_node_t * 470 zfs_acl_node_alloc(size_t bytes) 471 { 472 zfs_acl_node_t *aclnode; 473 474 aclnode = kmem_zalloc(sizeof (zfs_acl_node_t), KM_SLEEP); 475 if (bytes) { 476 aclnode->z_acldata = kmem_alloc(bytes, KM_SLEEP); 477 aclnode->z_allocdata = aclnode->z_acldata; 478 aclnode->z_allocsize = bytes; 479 aclnode->z_size = bytes; 480 } 481 482 return (aclnode); 483 } 484 485 static void 486 zfs_acl_node_free(zfs_acl_node_t *aclnode) 487 { 488 if (aclnode->z_allocsize) 489 kmem_free(aclnode->z_allocdata, aclnode->z_allocsize); 490 kmem_free(aclnode, sizeof (zfs_acl_node_t)); 491 } 492 493 static void 494 zfs_acl_release_nodes(zfs_acl_t *aclp) 495 { 496 zfs_acl_node_t *aclnode; 497 498 while (aclnode = list_head(&aclp->z_acl)) { 499 list_remove(&aclp->z_acl, aclnode); 500 zfs_acl_node_free(aclnode); 501 } 502 aclp->z_acl_count = 0; 503 aclp->z_acl_bytes = 0; 504 } 505 506 void 507 zfs_acl_free(zfs_acl_t *aclp) 508 { 509 zfs_acl_release_nodes(aclp); 510 list_destroy(&aclp->z_acl); 511 kmem_free(aclp, sizeof (zfs_acl_t)); 512 } 513 514 static boolean_t 515 zfs_acl_valid_ace_type(uint_t type, uint_t flags) 516 { 517 uint16_t entry_type; 518 519 switch (type) { 520 case ALLOW: 521 case DENY: 522 case ACE_SYSTEM_AUDIT_ACE_TYPE: 523 case ACE_SYSTEM_ALARM_ACE_TYPE: 524 entry_type = flags & ACE_TYPE_FLAGS; 525 return (entry_type == ACE_OWNER || 526 entry_type == OWNING_GROUP || 527 entry_type == ACE_EVERYONE || entry_type == 0 || 528 entry_type == ACE_IDENTIFIER_GROUP); 529 default: 530 if (type >= MIN_ACE_TYPE && type <= MAX_ACE_TYPE) 531 return (B_TRUE); 532 } 533 return (B_FALSE); 534 } 535 536 static boolean_t 537 zfs_ace_valid(vtype_t obj_type, zfs_acl_t *aclp, uint16_t type, uint16_t iflags) 538 { 539 /* 540 * first check type of entry 541 */ 542 543 if (!zfs_acl_valid_ace_type(type, iflags)) 544 return (B_FALSE); 545 546 switch (type) { 547 case ACE_ACCESS_ALLOWED_OBJECT_ACE_TYPE: 548 case ACE_ACCESS_DENIED_OBJECT_ACE_TYPE: 549 case ACE_SYSTEM_AUDIT_OBJECT_ACE_TYPE: 550 case ACE_SYSTEM_ALARM_OBJECT_ACE_TYPE: 551 if (aclp->z_version < ZFS_ACL_VERSION_FUID) 552 return (B_FALSE); 553 aclp->z_hints |= ZFS_ACL_OBJ_ACE; 554 } 555 556 /* 557 * next check inheritance level flags 558 */ 559 560 if (obj_type == VDIR && 561 (iflags & (ACE_FILE_INHERIT_ACE|ACE_DIRECTORY_INHERIT_ACE))) 562 aclp->z_hints |= ZFS_INHERIT_ACE; 563 564 if (iflags & (ACE_INHERIT_ONLY_ACE|ACE_NO_PROPAGATE_INHERIT_ACE)) { 565 if ((iflags & (ACE_FILE_INHERIT_ACE| 566 ACE_DIRECTORY_INHERIT_ACE)) == 0) { 567 return (B_FALSE); 568 } 569 } 570 571 return (B_TRUE); 572 } 573 574 static void * 575 zfs_acl_next_ace(zfs_acl_t *aclp, void *start, uint64_t *who, 576 uint32_t *access_mask, uint16_t *iflags, uint16_t *type) 577 { 578 zfs_acl_node_t *aclnode; 579 580 ASSERT(aclp); 581 582 if (start == NULL) { 583 aclnode = list_head(&aclp->z_acl); 584 if (aclnode == NULL) 585 return (NULL); 586 587 aclp->z_next_ace = aclnode->z_acldata; 588 aclp->z_curr_node = aclnode; 589 aclnode->z_ace_idx = 0; 590 } 591 592 aclnode = aclp->z_curr_node; 593 594 if (aclnode == NULL) 595 return (NULL); 596 597 if (aclnode->z_ace_idx >= aclnode->z_ace_count) { 598 aclnode = list_next(&aclp->z_acl, aclnode); 599 if (aclnode == NULL) 600 return (NULL); 601 else { 602 aclp->z_curr_node = aclnode; 603 aclnode->z_ace_idx = 0; 604 aclp->z_next_ace = aclnode->z_acldata; 605 } 606 } 607 608 if (aclnode->z_ace_idx < aclnode->z_ace_count) { 609 void *acep = aclp->z_next_ace; 610 size_t ace_size; 611 612 /* 613 * Make sure we don't overstep our bounds 614 */ 615 ace_size = aclp->z_ops.ace_size(acep); 616 617 if (((caddr_t)acep + ace_size) > 618 ((caddr_t)aclnode->z_acldata + aclnode->z_size)) { 619 return (NULL); 620 } 621 622 *iflags = aclp->z_ops.ace_flags_get(acep); 623 *type = aclp->z_ops.ace_type_get(acep); 624 *access_mask = aclp->z_ops.ace_mask_get(acep); 625 *who = aclp->z_ops.ace_who_get(acep); 626 aclp->z_next_ace = (caddr_t)aclp->z_next_ace + ace_size; 627 aclnode->z_ace_idx++; 628 629 return ((void *)acep); 630 } 631 return (NULL); 632 } 633 634 /*ARGSUSED*/ 635 static uint64_t 636 zfs_ace_walk(void *datap, uint64_t cookie, int aclcnt, 637 uint16_t *flags, uint16_t *type, uint32_t *mask) 638 { 639 zfs_acl_t *aclp = datap; 640 zfs_ace_hdr_t *acep = (zfs_ace_hdr_t *)(uintptr_t)cookie; 641 uint64_t who; 642 643 acep = zfs_acl_next_ace(aclp, acep, &who, mask, 644 flags, type); 645 return ((uint64_t)(uintptr_t)acep); 646 } 647 648 static zfs_acl_node_t * 649 zfs_acl_curr_node(zfs_acl_t *aclp) 650 { 651 ASSERT(aclp->z_curr_node); 652 return (aclp->z_curr_node); 653 } 654 655 /* 656 * Copy ACE to internal ZFS format. 657 * While processing the ACL each ACE will be validated for correctness. 658 * ACE FUIDs will be created later. 659 */ 660 int 661 zfs_copy_ace_2_fuid(zfsvfs_t *zfsvfs, vtype_t obj_type, zfs_acl_t *aclp, 662 void *datap, zfs_ace_t *z_acl, uint64_t aclcnt, size_t *size, 663 zfs_fuid_info_t **fuidp, cred_t *cr) 664 { 665 int i; 666 uint16_t entry_type; 667 zfs_ace_t *aceptr = z_acl; 668 ace_t *acep = datap; 669 zfs_object_ace_t *zobjacep; 670 ace_object_t *aceobjp; 671 672 for (i = 0; i != aclcnt; i++) { 673 aceptr->z_hdr.z_access_mask = acep->a_access_mask; 674 aceptr->z_hdr.z_flags = acep->a_flags; 675 aceptr->z_hdr.z_type = acep->a_type; 676 entry_type = aceptr->z_hdr.z_flags & ACE_TYPE_FLAGS; 677 if (entry_type != ACE_OWNER && entry_type != OWNING_GROUP && 678 entry_type != ACE_EVERYONE) { 679 aceptr->z_fuid = zfs_fuid_create(zfsvfs, acep->a_who, 680 cr, (entry_type == 0) ? 681 ZFS_ACE_USER : ZFS_ACE_GROUP, fuidp); 682 } 683 684 /* 685 * Make sure ACE is valid 686 */ 687 if (zfs_ace_valid(obj_type, aclp, aceptr->z_hdr.z_type, 688 aceptr->z_hdr.z_flags) != B_TRUE) 689 return (SET_ERROR(EINVAL)); 690 691 switch (acep->a_type) { 692 case ACE_ACCESS_ALLOWED_OBJECT_ACE_TYPE: 693 case ACE_ACCESS_DENIED_OBJECT_ACE_TYPE: 694 case ACE_SYSTEM_AUDIT_OBJECT_ACE_TYPE: 695 case ACE_SYSTEM_ALARM_OBJECT_ACE_TYPE: 696 zobjacep = (zfs_object_ace_t *)aceptr; 697 aceobjp = (ace_object_t *)acep; 698 699 bcopy(aceobjp->a_obj_type, zobjacep->z_object_type, 700 sizeof (aceobjp->a_obj_type)); 701 bcopy(aceobjp->a_inherit_obj_type, 702 zobjacep->z_inherit_type, 703 sizeof (aceobjp->a_inherit_obj_type)); 704 acep = (ace_t *)((caddr_t)acep + sizeof (ace_object_t)); 705 break; 706 default: 707 acep = (ace_t *)((caddr_t)acep + sizeof (ace_t)); 708 } 709 710 aceptr = (zfs_ace_t *)((caddr_t)aceptr + 711 aclp->z_ops.ace_size(aceptr)); 712 } 713 714 *size = (caddr_t)aceptr - (caddr_t)z_acl; 715 716 return (0); 717 } 718 719 /* 720 * Copy ZFS ACEs to fixed size ace_t layout 721 */ 722 static void 723 zfs_copy_fuid_2_ace(zfsvfs_t *zfsvfs, zfs_acl_t *aclp, cred_t *cr, 724 void *datap, int filter) 725 { 726 uint64_t who; 727 uint32_t access_mask; 728 uint16_t iflags, type; 729 zfs_ace_hdr_t *zacep = NULL; 730 ace_t *acep = datap; 731 ace_object_t *objacep; 732 zfs_object_ace_t *zobjacep; 733 size_t ace_size; 734 uint16_t entry_type; 735 736 while (zacep = zfs_acl_next_ace(aclp, zacep, 737 &who, &access_mask, &iflags, &type)) { 738 739 switch (type) { 740 case ACE_ACCESS_ALLOWED_OBJECT_ACE_TYPE: 741 case ACE_ACCESS_DENIED_OBJECT_ACE_TYPE: 742 case ACE_SYSTEM_AUDIT_OBJECT_ACE_TYPE: 743 case ACE_SYSTEM_ALARM_OBJECT_ACE_TYPE: 744 if (filter) { 745 continue; 746 } 747 zobjacep = (zfs_object_ace_t *)zacep; 748 objacep = (ace_object_t *)acep; 749 bcopy(zobjacep->z_object_type, 750 objacep->a_obj_type, 751 sizeof (zobjacep->z_object_type)); 752 bcopy(zobjacep->z_inherit_type, 753 objacep->a_inherit_obj_type, 754 sizeof (zobjacep->z_inherit_type)); 755 ace_size = sizeof (ace_object_t); 756 break; 757 default: 758 ace_size = sizeof (ace_t); 759 break; 760 } 761 762 entry_type = (iflags & ACE_TYPE_FLAGS); 763 if ((entry_type != ACE_OWNER && 764 entry_type != OWNING_GROUP && 765 entry_type != ACE_EVERYONE)) { 766 acep->a_who = zfs_fuid_map_id(zfsvfs, who, 767 cr, (entry_type & ACE_IDENTIFIER_GROUP) ? 768 ZFS_ACE_GROUP : ZFS_ACE_USER); 769 } else { 770 acep->a_who = (uid_t)(int64_t)who; 771 } 772 acep->a_access_mask = access_mask; 773 acep->a_flags = iflags; 774 acep->a_type = type; 775 acep = (ace_t *)((caddr_t)acep + ace_size); 776 } 777 } 778 779 static int 780 zfs_copy_ace_2_oldace(vtype_t obj_type, zfs_acl_t *aclp, ace_t *acep, 781 zfs_oldace_t *z_acl, int aclcnt, size_t *size) 782 { 783 int i; 784 zfs_oldace_t *aceptr = z_acl; 785 786 for (i = 0; i != aclcnt; i++, aceptr++) { 787 aceptr->z_access_mask = acep[i].a_access_mask; 788 aceptr->z_type = acep[i].a_type; 789 aceptr->z_flags = acep[i].a_flags; 790 aceptr->z_fuid = acep[i].a_who; 791 /* 792 * Make sure ACE is valid 793 */ 794 if (zfs_ace_valid(obj_type, aclp, aceptr->z_type, 795 aceptr->z_flags) != B_TRUE) 796 return (SET_ERROR(EINVAL)); 797 } 798 *size = (caddr_t)aceptr - (caddr_t)z_acl; 799 return (0); 800 } 801 802 /* 803 * convert old ACL format to new 804 */ 805 void 806 zfs_acl_xform(znode_t *zp, zfs_acl_t *aclp, cred_t *cr) 807 { 808 zfs_oldace_t *oldaclp; 809 int i; 810 uint16_t type, iflags; 811 uint32_t access_mask; 812 uint64_t who; 813 void *cookie = NULL; 814 zfs_acl_node_t *newaclnode; 815 816 ASSERT(aclp->z_version == ZFS_ACL_VERSION_INITIAL); 817 /* 818 * First create the ACE in a contiguous piece of memory 819 * for zfs_copy_ace_2_fuid(). 820 * 821 * We only convert an ACL once, so this won't happen 822 * everytime. 823 */ 824 oldaclp = kmem_alloc(sizeof (zfs_oldace_t) * aclp->z_acl_count, 825 KM_SLEEP); 826 i = 0; 827 while (cookie = zfs_acl_next_ace(aclp, cookie, &who, 828 &access_mask, &iflags, &type)) { 829 oldaclp[i].z_flags = iflags; 830 oldaclp[i].z_type = type; 831 oldaclp[i].z_fuid = who; 832 oldaclp[i++].z_access_mask = access_mask; 833 } 834 835 newaclnode = zfs_acl_node_alloc(aclp->z_acl_count * 836 sizeof (zfs_object_ace_t)); 837 aclp->z_ops = zfs_acl_fuid_ops; 838 VERIFY(zfs_copy_ace_2_fuid(zp->z_zfsvfs, ZTOV(zp)->v_type, aclp, 839 oldaclp, newaclnode->z_acldata, aclp->z_acl_count, 840 &newaclnode->z_size, NULL, cr) == 0); 841 newaclnode->z_ace_count = aclp->z_acl_count; 842 aclp->z_version = ZFS_ACL_VERSION; 843 kmem_free(oldaclp, aclp->z_acl_count * sizeof (zfs_oldace_t)); 844 845 /* 846 * Release all previous ACL nodes 847 */ 848 849 zfs_acl_release_nodes(aclp); 850 851 list_insert_head(&aclp->z_acl, newaclnode); 852 853 aclp->z_acl_bytes = newaclnode->z_size; 854 aclp->z_acl_count = newaclnode->z_ace_count; 855 856 } 857 858 /* 859 * Convert unix access mask to v4 access mask 860 */ 861 static uint32_t 862 zfs_unix_to_v4(uint32_t access_mask) 863 { 864 uint32_t new_mask = 0; 865 866 if (access_mask & S_IXOTH) 867 new_mask |= ACE_EXECUTE; 868 if (access_mask & S_IWOTH) 869 new_mask |= ACE_WRITE_DATA; 870 if (access_mask & S_IROTH) 871 new_mask |= ACE_READ_DATA; 872 return (new_mask); 873 } 874 875 static void 876 zfs_set_ace(zfs_acl_t *aclp, void *acep, uint32_t access_mask, 877 uint16_t access_type, uint64_t fuid, uint16_t entry_type) 878 { 879 uint16_t type = entry_type & ACE_TYPE_FLAGS; 880 881 aclp->z_ops.ace_mask_set(acep, access_mask); 882 aclp->z_ops.ace_type_set(acep, access_type); 883 aclp->z_ops.ace_flags_set(acep, entry_type); 884 if ((type != ACE_OWNER && type != OWNING_GROUP && 885 type != ACE_EVERYONE)) 886 aclp->z_ops.ace_who_set(acep, fuid); 887 } 888 889 /* 890 * Determine mode of file based on ACL. 891 */ 892 uint64_t 893 zfs_mode_compute(uint64_t fmode, zfs_acl_t *aclp, 894 uint64_t *pflags, uint64_t fuid, uint64_t fgid) 895 { 896 int entry_type; 897 mode_t mode; 898 mode_t seen = 0; 899 zfs_ace_hdr_t *acep = NULL; 900 uint64_t who; 901 uint16_t iflags, type; 902 uint32_t access_mask; 903 boolean_t an_exec_denied = B_FALSE; 904 905 mode = (fmode & (S_IFMT | S_ISUID | S_ISGID | S_ISVTX)); 906 907 while (acep = zfs_acl_next_ace(aclp, acep, &who, 908 &access_mask, &iflags, &type)) { 909 910 if (!zfs_acl_valid_ace_type(type, iflags)) 911 continue; 912 913 entry_type = (iflags & ACE_TYPE_FLAGS); 914 915 /* 916 * Skip over any inherit_only ACEs 917 */ 918 if (iflags & ACE_INHERIT_ONLY_ACE) 919 continue; 920 921 if (entry_type == ACE_OWNER || (entry_type == 0 && 922 who == fuid)) { 923 if ((access_mask & ACE_READ_DATA) && 924 (!(seen & S_IRUSR))) { 925 seen |= S_IRUSR; 926 if (type == ALLOW) { 927 mode |= S_IRUSR; 928 } 929 } 930 if ((access_mask & ACE_WRITE_DATA) && 931 (!(seen & S_IWUSR))) { 932 seen |= S_IWUSR; 933 if (type == ALLOW) { 934 mode |= S_IWUSR; 935 } 936 } 937 if ((access_mask & ACE_EXECUTE) && 938 (!(seen & S_IXUSR))) { 939 seen |= S_IXUSR; 940 if (type == ALLOW) { 941 mode |= S_IXUSR; 942 } 943 } 944 } else if (entry_type == OWNING_GROUP || 945 (entry_type == ACE_IDENTIFIER_GROUP && who == fgid)) { 946 if ((access_mask & ACE_READ_DATA) && 947 (!(seen & S_IRGRP))) { 948 seen |= S_IRGRP; 949 if (type == ALLOW) { 950 mode |= S_IRGRP; 951 } 952 } 953 if ((access_mask & ACE_WRITE_DATA) && 954 (!(seen & S_IWGRP))) { 955 seen |= S_IWGRP; 956 if (type == ALLOW) { 957 mode |= S_IWGRP; 958 } 959 } 960 if ((access_mask & ACE_EXECUTE) && 961 (!(seen & S_IXGRP))) { 962 seen |= S_IXGRP; 963 if (type == ALLOW) { 964 mode |= S_IXGRP; 965 } 966 } 967 } else if (entry_type == ACE_EVERYONE) { 968 if ((access_mask & ACE_READ_DATA)) { 969 if (!(seen & S_IRUSR)) { 970 seen |= S_IRUSR; 971 if (type == ALLOW) { 972 mode |= S_IRUSR; 973 } 974 } 975 if (!(seen & S_IRGRP)) { 976 seen |= S_IRGRP; 977 if (type == ALLOW) { 978 mode |= S_IRGRP; 979 } 980 } 981 if (!(seen & S_IROTH)) { 982 seen |= S_IROTH; 983 if (type == ALLOW) { 984 mode |= S_IROTH; 985 } 986 } 987 } 988 if ((access_mask & ACE_WRITE_DATA)) { 989 if (!(seen & S_IWUSR)) { 990 seen |= S_IWUSR; 991 if (type == ALLOW) { 992 mode |= S_IWUSR; 993 } 994 } 995 if (!(seen & S_IWGRP)) { 996 seen |= S_IWGRP; 997 if (type == ALLOW) { 998 mode |= S_IWGRP; 999 } 1000 } 1001 if (!(seen & S_IWOTH)) { 1002 seen |= S_IWOTH; 1003 if (type == ALLOW) { 1004 mode |= S_IWOTH; 1005 } 1006 } 1007 } 1008 if ((access_mask & ACE_EXECUTE)) { 1009 if (!(seen & S_IXUSR)) { 1010 seen |= S_IXUSR; 1011 if (type == ALLOW) { 1012 mode |= S_IXUSR; 1013 } 1014 } 1015 if (!(seen & S_IXGRP)) { 1016 seen |= S_IXGRP; 1017 if (type == ALLOW) { 1018 mode |= S_IXGRP; 1019 } 1020 } 1021 if (!(seen & S_IXOTH)) { 1022 seen |= S_IXOTH; 1023 if (type == ALLOW) { 1024 mode |= S_IXOTH; 1025 } 1026 } 1027 } 1028 } else { 1029 /* 1030 * Only care if this IDENTIFIER_GROUP or 1031 * USER ACE denies execute access to someone, 1032 * mode is not affected 1033 */ 1034 if ((access_mask & ACE_EXECUTE) && type == DENY) 1035 an_exec_denied = B_TRUE; 1036 } 1037 } 1038 1039 /* 1040 * Failure to allow is effectively a deny, so execute permission 1041 * is denied if it was never mentioned or if we explicitly 1042 * weren't allowed it. 1043 */ 1044 if (!an_exec_denied && 1045 ((seen & ALL_MODE_EXECS) != ALL_MODE_EXECS || 1046 (mode & ALL_MODE_EXECS) != ALL_MODE_EXECS)) 1047 an_exec_denied = B_TRUE; 1048 1049 if (an_exec_denied) 1050 *pflags &= ~ZFS_NO_EXECS_DENIED; 1051 else 1052 *pflags |= ZFS_NO_EXECS_DENIED; 1053 1054 return (mode); 1055 } 1056 1057 /* 1058 * Read an external acl object. If the intent is to modify, always 1059 * create a new acl and leave any cached acl in place. 1060 */ 1061 int 1062 zfs_acl_node_read(struct znode *zp, boolean_t have_lock, zfs_acl_t **aclpp, 1063 boolean_t will_modify) 1064 { 1065 zfs_acl_t *aclp; 1066 int aclsize; 1067 int acl_count; 1068 zfs_acl_node_t *aclnode; 1069 zfs_acl_phys_t znode_acl; 1070 int version; 1071 int error; 1072 boolean_t drop_lock = B_FALSE; 1073 1074 ASSERT(MUTEX_HELD(&zp->z_acl_lock)); 1075 1076 if (zp->z_acl_cached && !will_modify) { 1077 *aclpp = zp->z_acl_cached; 1078 return (0); 1079 } 1080 1081 /* 1082 * close race where znode could be upgrade while trying to 1083 * read the znode attributes. 1084 * 1085 * But this could only happen if the file isn't already an SA 1086 * znode 1087 */ 1088 if (!zp->z_is_sa && !have_lock) { 1089 mutex_enter(&zp->z_lock); 1090 drop_lock = B_TRUE; 1091 } 1092 version = zfs_znode_acl_version(zp); 1093 1094 if ((error = zfs_acl_znode_info(zp, &aclsize, 1095 &acl_count, &znode_acl)) != 0) { 1096 goto done; 1097 } 1098 1099 aclp = zfs_acl_alloc(version); 1100 1101 aclp->z_acl_count = acl_count; 1102 aclp->z_acl_bytes = aclsize; 1103 1104 aclnode = zfs_acl_node_alloc(aclsize); 1105 aclnode->z_ace_count = aclp->z_acl_count; 1106 aclnode->z_size = aclsize; 1107 1108 if (!zp->z_is_sa) { 1109 if (znode_acl.z_acl_extern_obj) { 1110 error = dmu_read(zp->z_zfsvfs->z_os, 1111 znode_acl.z_acl_extern_obj, 0, aclnode->z_size, 1112 aclnode->z_acldata, DMU_READ_PREFETCH); 1113 } else { 1114 bcopy(znode_acl.z_ace_data, aclnode->z_acldata, 1115 aclnode->z_size); 1116 } 1117 } else { 1118 error = sa_lookup(zp->z_sa_hdl, SA_ZPL_DACL_ACES(zp->z_zfsvfs), 1119 aclnode->z_acldata, aclnode->z_size); 1120 } 1121 1122 if (error != 0) { 1123 zfs_acl_free(aclp); 1124 zfs_acl_node_free(aclnode); 1125 /* convert checksum errors into IO errors */ 1126 if (error == ECKSUM) 1127 error = SET_ERROR(EIO); 1128 goto done; 1129 } 1130 1131 list_insert_head(&aclp->z_acl, aclnode); 1132 1133 *aclpp = aclp; 1134 if (!will_modify) 1135 zp->z_acl_cached = aclp; 1136 done: 1137 if (drop_lock) 1138 mutex_exit(&zp->z_lock); 1139 return (error); 1140 } 1141 1142 /*ARGSUSED*/ 1143 void 1144 zfs_acl_data_locator(void **dataptr, uint32_t *length, uint32_t buflen, 1145 boolean_t start, void *userdata) 1146 { 1147 zfs_acl_locator_cb_t *cb = (zfs_acl_locator_cb_t *)userdata; 1148 1149 if (start) { 1150 cb->cb_acl_node = list_head(&cb->cb_aclp->z_acl); 1151 } else { 1152 cb->cb_acl_node = list_next(&cb->cb_aclp->z_acl, 1153 cb->cb_acl_node); 1154 } 1155 *dataptr = cb->cb_acl_node->z_acldata; 1156 *length = cb->cb_acl_node->z_size; 1157 } 1158 1159 int 1160 zfs_acl_chown_setattr(znode_t *zp) 1161 { 1162 int error; 1163 zfs_acl_t *aclp; 1164 1165 ASSERT(MUTEX_HELD(&zp->z_lock)); 1166 ASSERT(MUTEX_HELD(&zp->z_acl_lock)); 1167 1168 if ((error = zfs_acl_node_read(zp, B_TRUE, &aclp, B_FALSE)) == 0) 1169 zp->z_mode = zfs_mode_compute(zp->z_mode, aclp, 1170 &zp->z_pflags, zp->z_uid, zp->z_gid); 1171 return (error); 1172 } 1173 1174 /* 1175 * common code for setting ACLs. 1176 * 1177 * This function is called from zfs_mode_update, zfs_perm_init, and zfs_setacl. 1178 * zfs_setacl passes a non-NULL inherit pointer (ihp) to indicate that it's 1179 * already checked the acl and knows whether to inherit. 1180 */ 1181 int 1182 zfs_aclset_common(znode_t *zp, zfs_acl_t *aclp, cred_t *cr, dmu_tx_t *tx) 1183 { 1184 int error; 1185 zfsvfs_t *zfsvfs = zp->z_zfsvfs; 1186 dmu_object_type_t otype; 1187 zfs_acl_locator_cb_t locate = { 0 }; 1188 uint64_t mode; 1189 sa_bulk_attr_t bulk[5]; 1190 uint64_t ctime[2]; 1191 int count = 0; 1192 zfs_acl_phys_t acl_phys; 1193 1194 mode = zp->z_mode; 1195 1196 mode = zfs_mode_compute(mode, aclp, &zp->z_pflags, 1197 zp->z_uid, zp->z_gid); 1198 1199 zp->z_mode = mode; 1200 SA_ADD_BULK_ATTR(bulk, count, SA_ZPL_MODE(zfsvfs), NULL, 1201 &mode, sizeof (mode)); 1202 SA_ADD_BULK_ATTR(bulk, count, SA_ZPL_FLAGS(zfsvfs), NULL, 1203 &zp->z_pflags, sizeof (zp->z_pflags)); 1204 SA_ADD_BULK_ATTR(bulk, count, SA_ZPL_CTIME(zfsvfs), NULL, 1205 &ctime, sizeof (ctime)); 1206 1207 if (zp->z_acl_cached) { 1208 zfs_acl_free(zp->z_acl_cached); 1209 zp->z_acl_cached = NULL; 1210 } 1211 1212 /* 1213 * Upgrade needed? 1214 */ 1215 if (!zfsvfs->z_use_fuids) { 1216 otype = DMU_OT_OLDACL; 1217 } else { 1218 if ((aclp->z_version == ZFS_ACL_VERSION_INITIAL) && 1219 (zfsvfs->z_version >= ZPL_VERSION_FUID)) 1220 zfs_acl_xform(zp, aclp, cr); 1221 ASSERT(aclp->z_version >= ZFS_ACL_VERSION_FUID); 1222 otype = DMU_OT_ACL; 1223 } 1224 1225 /* 1226 * Arrgh, we have to handle old on disk format 1227 * as well as newer (preferred) SA format. 1228 */ 1229 1230 if (zp->z_is_sa) { /* the easy case, just update the ACL attribute */ 1231 locate.cb_aclp = aclp; 1232 SA_ADD_BULK_ATTR(bulk, count, SA_ZPL_DACL_ACES(zfsvfs), 1233 zfs_acl_data_locator, &locate, aclp->z_acl_bytes); 1234 SA_ADD_BULK_ATTR(bulk, count, SA_ZPL_DACL_COUNT(zfsvfs), 1235 NULL, &aclp->z_acl_count, sizeof (uint64_t)); 1236 } else { /* Painful legacy way */ 1237 zfs_acl_node_t *aclnode; 1238 uint64_t off = 0; 1239 uint64_t aoid; 1240 1241 if ((error = sa_lookup(zp->z_sa_hdl, SA_ZPL_ZNODE_ACL(zfsvfs), 1242 &acl_phys, sizeof (acl_phys))) != 0) 1243 return (error); 1244 1245 aoid = acl_phys.z_acl_extern_obj; 1246 1247 if (aclp->z_acl_bytes > ZFS_ACE_SPACE) { 1248 /* 1249 * If ACL was previously external and we are now 1250 * converting to new ACL format then release old 1251 * ACL object and create a new one. 1252 */ 1253 if (aoid && 1254 aclp->z_version != acl_phys.z_acl_version) { 1255 error = dmu_object_free(zfsvfs->z_os, aoid, tx); 1256 if (error) 1257 return (error); 1258 aoid = 0; 1259 } 1260 if (aoid == 0) { 1261 aoid = dmu_object_alloc(zfsvfs->z_os, 1262 otype, aclp->z_acl_bytes, 1263 otype == DMU_OT_ACL ? 1264 DMU_OT_SYSACL : DMU_OT_NONE, 1265 otype == DMU_OT_ACL ? 1266 DN_OLD_MAX_BONUSLEN : 0, tx); 1267 } else { 1268 (void) dmu_object_set_blocksize(zfsvfs->z_os, 1269 aoid, aclp->z_acl_bytes, 0, tx); 1270 } 1271 acl_phys.z_acl_extern_obj = aoid; 1272 for (aclnode = list_head(&aclp->z_acl); aclnode; 1273 aclnode = list_next(&aclp->z_acl, aclnode)) { 1274 if (aclnode->z_ace_count == 0) 1275 continue; 1276 dmu_write(zfsvfs->z_os, aoid, off, 1277 aclnode->z_size, aclnode->z_acldata, tx); 1278 off += aclnode->z_size; 1279 } 1280 } else { 1281 void *start = acl_phys.z_ace_data; 1282 /* 1283 * Migrating back embedded? 1284 */ 1285 if (acl_phys.z_acl_extern_obj) { 1286 error = dmu_object_free(zfsvfs->z_os, 1287 acl_phys.z_acl_extern_obj, tx); 1288 if (error) 1289 return (error); 1290 acl_phys.z_acl_extern_obj = 0; 1291 } 1292 1293 for (aclnode = list_head(&aclp->z_acl); aclnode; 1294 aclnode = list_next(&aclp->z_acl, aclnode)) { 1295 if (aclnode->z_ace_count == 0) 1296 continue; 1297 bcopy(aclnode->z_acldata, start, 1298 aclnode->z_size); 1299 start = (caddr_t)start + aclnode->z_size; 1300 } 1301 } 1302 /* 1303 * If Old version then swap count/bytes to match old 1304 * layout of znode_acl_phys_t. 1305 */ 1306 if (aclp->z_version == ZFS_ACL_VERSION_INITIAL) { 1307 acl_phys.z_acl_size = aclp->z_acl_count; 1308 acl_phys.z_acl_count = aclp->z_acl_bytes; 1309 } else { 1310 acl_phys.z_acl_size = aclp->z_acl_bytes; 1311 acl_phys.z_acl_count = aclp->z_acl_count; 1312 } 1313 acl_phys.z_acl_version = aclp->z_version; 1314 1315 SA_ADD_BULK_ATTR(bulk, count, SA_ZPL_ZNODE_ACL(zfsvfs), NULL, 1316 &acl_phys, sizeof (acl_phys)); 1317 } 1318 1319 /* 1320 * Replace ACL wide bits, but first clear them. 1321 */ 1322 zp->z_pflags &= ~ZFS_ACL_WIDE_FLAGS; 1323 1324 zp->z_pflags |= aclp->z_hints; 1325 1326 if (ace_trivial_common(aclp, 0, zfs_ace_walk) == 0) 1327 zp->z_pflags |= ZFS_ACL_TRIVIAL; 1328 1329 zfs_tstamp_update_setup(zp, STATE_CHANGED, NULL, ctime, B_TRUE); 1330 return (sa_bulk_update(zp->z_sa_hdl, bulk, count, tx)); 1331 } 1332 1333 static void 1334 zfs_acl_chmod(vtype_t vtype, uint64_t mode, boolean_t split, boolean_t trim, 1335 zfs_acl_t *aclp) 1336 { 1337 void *acep = NULL; 1338 uint64_t who; 1339 int new_count, new_bytes; 1340 int ace_size; 1341 int entry_type; 1342 uint16_t iflags, type; 1343 uint32_t access_mask; 1344 zfs_acl_node_t *newnode; 1345 size_t abstract_size = aclp->z_ops.ace_abstract_size(); 1346 void *zacep; 1347 boolean_t isdir; 1348 trivial_acl_t masks; 1349 1350 new_count = new_bytes = 0; 1351 1352 isdir = (vtype == VDIR); 1353 1354 acl_trivial_access_masks((mode_t)mode, isdir, &masks); 1355 1356 newnode = zfs_acl_node_alloc((abstract_size * 6) + aclp->z_acl_bytes); 1357 1358 zacep = newnode->z_acldata; 1359 if (masks.allow0) { 1360 zfs_set_ace(aclp, zacep, masks.allow0, ALLOW, -1, ACE_OWNER); 1361 zacep = (void *)((uintptr_t)zacep + abstract_size); 1362 new_count++; 1363 new_bytes += abstract_size; 1364 } 1365 if (masks.deny1) { 1366 zfs_set_ace(aclp, zacep, masks.deny1, DENY, -1, ACE_OWNER); 1367 zacep = (void *)((uintptr_t)zacep + abstract_size); 1368 new_count++; 1369 new_bytes += abstract_size; 1370 } 1371 if (masks.deny2) { 1372 zfs_set_ace(aclp, zacep, masks.deny2, DENY, -1, OWNING_GROUP); 1373 zacep = (void *)((uintptr_t)zacep + abstract_size); 1374 new_count++; 1375 new_bytes += abstract_size; 1376 } 1377 1378 while (acep = zfs_acl_next_ace(aclp, acep, &who, &access_mask, 1379 &iflags, &type)) { 1380 entry_type = (iflags & ACE_TYPE_FLAGS); 1381 /* 1382 * ACEs used to represent the file mode may be divided 1383 * into an equivalent pair of inherit-only and regular 1384 * ACEs, if they are inheritable. 1385 * Skip regular ACEs, which are replaced by the new mode. 1386 */ 1387 if (split && (entry_type == ACE_OWNER || 1388 entry_type == OWNING_GROUP || 1389 entry_type == ACE_EVERYONE)) { 1390 if (!isdir || !(iflags & 1391 (ACE_FILE_INHERIT_ACE|ACE_DIRECTORY_INHERIT_ACE))) 1392 continue; 1393 /* 1394 * We preserve owner@, group@, or @everyone 1395 * permissions, if they are inheritable, by 1396 * copying them to inherit_only ACEs. This 1397 * prevents inheritable permissions from being 1398 * altered along with the file mode. 1399 */ 1400 iflags |= ACE_INHERIT_ONLY_ACE; 1401 } 1402 1403 /* 1404 * If this ACL has any inheritable ACEs, mark that in 1405 * the hints (which are later masked into the pflags) 1406 * so create knows to do inheritance. 1407 */ 1408 if (isdir && (iflags & 1409 (ACE_FILE_INHERIT_ACE|ACE_DIRECTORY_INHERIT_ACE))) 1410 aclp->z_hints |= ZFS_INHERIT_ACE; 1411 1412 if ((type != ALLOW && type != DENY) || 1413 (iflags & ACE_INHERIT_ONLY_ACE)) { 1414 switch (type) { 1415 case ACE_ACCESS_ALLOWED_OBJECT_ACE_TYPE: 1416 case ACE_ACCESS_DENIED_OBJECT_ACE_TYPE: 1417 case ACE_SYSTEM_AUDIT_OBJECT_ACE_TYPE: 1418 case ACE_SYSTEM_ALARM_OBJECT_ACE_TYPE: 1419 aclp->z_hints |= ZFS_ACL_OBJ_ACE; 1420 break; 1421 } 1422 } else { 1423 /* 1424 * Limit permissions granted by ACEs to be no greater 1425 * than permissions of the requested group mode. 1426 * Applies when the "aclmode" property is set to 1427 * "groupmask". 1428 */ 1429 if ((type == ALLOW) && trim) 1430 access_mask &= masks.group; 1431 } 1432 zfs_set_ace(aclp, zacep, access_mask, type, who, iflags); 1433 ace_size = aclp->z_ops.ace_size(acep); 1434 zacep = (void *)((uintptr_t)zacep + ace_size); 1435 new_count++; 1436 new_bytes += ace_size; 1437 } 1438 zfs_set_ace(aclp, zacep, masks.owner, ALLOW, -1, ACE_OWNER); 1439 zacep = (void *)((uintptr_t)zacep + abstract_size); 1440 zfs_set_ace(aclp, zacep, masks.group, ALLOW, -1, OWNING_GROUP); 1441 zacep = (void *)((uintptr_t)zacep + abstract_size); 1442 zfs_set_ace(aclp, zacep, masks.everyone, ALLOW, -1, ACE_EVERYONE); 1443 1444 new_count += 3; 1445 new_bytes += abstract_size * 3; 1446 zfs_acl_release_nodes(aclp); 1447 aclp->z_acl_count = new_count; 1448 aclp->z_acl_bytes = new_bytes; 1449 newnode->z_ace_count = new_count; 1450 newnode->z_size = new_bytes; 1451 list_insert_tail(&aclp->z_acl, newnode); 1452 } 1453 1454 int 1455 zfs_acl_chmod_setattr(znode_t *zp, zfs_acl_t **aclp, uint64_t mode) 1456 { 1457 int error = 0; 1458 1459 mutex_enter(&zp->z_acl_lock); 1460 mutex_enter(&zp->z_lock); 1461 if (zp->z_zfsvfs->z_acl_mode == ZFS_ACL_DISCARD) 1462 *aclp = zfs_acl_alloc(zfs_acl_version_zp(zp)); 1463 else 1464 error = zfs_acl_node_read(zp, B_TRUE, aclp, B_TRUE); 1465 1466 if (error == 0) { 1467 (*aclp)->z_hints = zp->z_pflags & V4_ACL_WIDE_FLAGS; 1468 zfs_acl_chmod(ZTOV(zp)->v_type, mode, B_TRUE, 1469 (zp->z_zfsvfs->z_acl_mode == ZFS_ACL_GROUPMASK), *aclp); 1470 } 1471 mutex_exit(&zp->z_lock); 1472 mutex_exit(&zp->z_acl_lock); 1473 1474 return (error); 1475 } 1476 1477 /* 1478 * Should ACE be inherited? 1479 */ 1480 static int 1481 zfs_ace_can_use(vtype_t vtype, uint16_t acep_flags) 1482 { 1483 int iflags = (acep_flags & 0xf); 1484 1485 if ((vtype == VDIR) && (iflags & ACE_DIRECTORY_INHERIT_ACE)) 1486 return (1); 1487 else if (iflags & ACE_FILE_INHERIT_ACE) 1488 return (!((vtype == VDIR) && 1489 (iflags & ACE_NO_PROPAGATE_INHERIT_ACE))); 1490 return (0); 1491 } 1492 1493 /* 1494 * inherit inheritable ACEs from parent 1495 */ 1496 static zfs_acl_t * 1497 zfs_acl_inherit(zfsvfs_t *zfsvfs, vtype_t vtype, zfs_acl_t *paclp, 1498 uint64_t mode, boolean_t *need_chmod) 1499 { 1500 void *pacep = NULL; 1501 void *acep; 1502 zfs_acl_node_t *aclnode; 1503 zfs_acl_t *aclp = NULL; 1504 uint64_t who; 1505 uint32_t access_mask; 1506 uint16_t iflags, newflags, type; 1507 size_t ace_size; 1508 void *data1, *data2; 1509 size_t data1sz, data2sz; 1510 uint_t aclinherit; 1511 boolean_t isdir = (vtype == VDIR); 1512 boolean_t isreg = (vtype == VREG); 1513 1514 *need_chmod = B_TRUE; 1515 1516 aclp = zfs_acl_alloc(paclp->z_version); 1517 aclinherit = zfsvfs->z_acl_inherit; 1518 if (aclinherit == ZFS_ACL_DISCARD || vtype == VLNK) 1519 return (aclp); 1520 1521 while (pacep = zfs_acl_next_ace(paclp, pacep, &who, 1522 &access_mask, &iflags, &type)) { 1523 1524 /* 1525 * don't inherit bogus ACEs 1526 */ 1527 if (!zfs_acl_valid_ace_type(type, iflags)) 1528 continue; 1529 1530 /* 1531 * Check if ACE is inheritable by this vnode 1532 */ 1533 if ((aclinherit == ZFS_ACL_NOALLOW && type == ALLOW) || 1534 !zfs_ace_can_use(vtype, iflags)) 1535 continue; 1536 1537 /* 1538 * If owner@, group@, or everyone@ inheritable 1539 * then zfs_acl_chmod() isn't needed. 1540 */ 1541 if ((aclinherit == ZFS_ACL_PASSTHROUGH || 1542 aclinherit == ZFS_ACL_PASSTHROUGH_X) && 1543 ((iflags & (ACE_OWNER|ACE_EVERYONE)) || 1544 ((iflags & OWNING_GROUP) == OWNING_GROUP)) && 1545 (isreg || (isdir && (iflags & ACE_DIRECTORY_INHERIT_ACE)))) 1546 *need_chmod = B_FALSE; 1547 1548 /* 1549 * Strip inherited execute permission from file if 1550 * not in mode 1551 */ 1552 if (aclinherit == ZFS_ACL_PASSTHROUGH_X && type == ALLOW && 1553 !isdir && ((mode & (S_IXUSR|S_IXGRP|S_IXOTH)) == 0)) { 1554 access_mask &= ~ACE_EXECUTE; 1555 } 1556 1557 /* 1558 * Strip write_acl and write_owner from permissions 1559 * when inheriting an ACE 1560 */ 1561 if (aclinherit == ZFS_ACL_RESTRICTED && type == ALLOW) { 1562 access_mask &= ~RESTRICTED_CLEAR; 1563 } 1564 1565 ace_size = aclp->z_ops.ace_size(pacep); 1566 aclnode = zfs_acl_node_alloc(ace_size); 1567 list_insert_tail(&aclp->z_acl, aclnode); 1568 acep = aclnode->z_acldata; 1569 1570 zfs_set_ace(aclp, acep, access_mask, type, 1571 who, iflags|ACE_INHERITED_ACE); 1572 1573 /* 1574 * Copy special opaque data if any 1575 */ 1576 if ((data1sz = paclp->z_ops.ace_data(pacep, &data1)) != 0) { 1577 VERIFY((data2sz = aclp->z_ops.ace_data(acep, 1578 &data2)) == data1sz); 1579 bcopy(data1, data2, data2sz); 1580 } 1581 1582 aclp->z_acl_count++; 1583 aclnode->z_ace_count++; 1584 aclp->z_acl_bytes += aclnode->z_size; 1585 newflags = aclp->z_ops.ace_flags_get(acep); 1586 1587 /* 1588 * If ACE is not to be inherited further, or if the vnode is 1589 * not a directory, remove all inheritance flags 1590 */ 1591 if (!isdir || (iflags & ACE_NO_PROPAGATE_INHERIT_ACE)) { 1592 newflags &= ~ALL_INHERIT; 1593 aclp->z_ops.ace_flags_set(acep, 1594 newflags|ACE_INHERITED_ACE); 1595 continue; 1596 } 1597 1598 /* 1599 * This directory has an inheritable ACE 1600 */ 1601 aclp->z_hints |= ZFS_INHERIT_ACE; 1602 1603 /* 1604 * If only FILE_INHERIT is set then turn on 1605 * inherit_only 1606 */ 1607 if ((iflags & (ACE_FILE_INHERIT_ACE | 1608 ACE_DIRECTORY_INHERIT_ACE)) == ACE_FILE_INHERIT_ACE) { 1609 newflags |= ACE_INHERIT_ONLY_ACE; 1610 aclp->z_ops.ace_flags_set(acep, 1611 newflags|ACE_INHERITED_ACE); 1612 } else { 1613 newflags &= ~ACE_INHERIT_ONLY_ACE; 1614 aclp->z_ops.ace_flags_set(acep, 1615 newflags|ACE_INHERITED_ACE); 1616 } 1617 } 1618 1619 return (aclp); 1620 } 1621 1622 /* 1623 * Create file system object initial permissions 1624 * including inheritable ACEs. 1625 * Also, create FUIDs for owner and group. 1626 */ 1627 int 1628 zfs_acl_ids_create(znode_t *dzp, int flag, vattr_t *vap, cred_t *cr, 1629 vsecattr_t *vsecp, zfs_acl_ids_t *acl_ids) 1630 { 1631 int error; 1632 zfsvfs_t *zfsvfs = dzp->z_zfsvfs; 1633 zfs_acl_t *paclp; 1634 gid_t gid; 1635 boolean_t need_chmod = B_TRUE; 1636 boolean_t trim = B_FALSE; 1637 boolean_t inherited = B_FALSE; 1638 1639 bzero(acl_ids, sizeof (zfs_acl_ids_t)); 1640 acl_ids->z_mode = MAKEIMODE(vap->va_type, vap->va_mode); 1641 1642 if (vsecp) 1643 if ((error = zfs_vsec_2_aclp(zfsvfs, vap->va_type, vsecp, cr, 1644 &acl_ids->z_fuidp, &acl_ids->z_aclp)) != 0) 1645 return (error); 1646 /* 1647 * Determine uid and gid. 1648 */ 1649 if ((flag & IS_ROOT_NODE) || zfsvfs->z_replay || 1650 ((flag & IS_XATTR) && (vap->va_type == VDIR))) { 1651 acl_ids->z_fuid = zfs_fuid_create(zfsvfs, 1652 (uint64_t)vap->va_uid, cr, 1653 ZFS_OWNER, &acl_ids->z_fuidp); 1654 acl_ids->z_fgid = zfs_fuid_create(zfsvfs, 1655 (uint64_t)vap->va_gid, cr, 1656 ZFS_GROUP, &acl_ids->z_fuidp); 1657 gid = vap->va_gid; 1658 } else { 1659 acl_ids->z_fuid = zfs_fuid_create_cred(zfsvfs, ZFS_OWNER, 1660 cr, &acl_ids->z_fuidp); 1661 acl_ids->z_fgid = 0; 1662 if (vap->va_mask & AT_GID) { 1663 acl_ids->z_fgid = zfs_fuid_create(zfsvfs, 1664 (uint64_t)vap->va_gid, 1665 cr, ZFS_GROUP, &acl_ids->z_fuidp); 1666 gid = vap->va_gid; 1667 if (acl_ids->z_fgid != dzp->z_gid && 1668 !groupmember(vap->va_gid, cr) && 1669 secpolicy_vnode_create_gid(cr) != 0) 1670 acl_ids->z_fgid = 0; 1671 } 1672 if (acl_ids->z_fgid == 0) { 1673 if (dzp->z_mode & S_ISGID) { 1674 char *domain; 1675 uint32_t rid; 1676 1677 acl_ids->z_fgid = dzp->z_gid; 1678 gid = zfs_fuid_map_id(zfsvfs, acl_ids->z_fgid, 1679 cr, ZFS_GROUP); 1680 1681 if (zfsvfs->z_use_fuids && 1682 IS_EPHEMERAL(acl_ids->z_fgid)) { 1683 domain = zfs_fuid_idx_domain( 1684 &zfsvfs->z_fuid_idx, 1685 FUID_INDEX(acl_ids->z_fgid)); 1686 rid = FUID_RID(acl_ids->z_fgid); 1687 zfs_fuid_node_add(&acl_ids->z_fuidp, 1688 domain, rid, 1689 FUID_INDEX(acl_ids->z_fgid), 1690 acl_ids->z_fgid, ZFS_GROUP); 1691 } 1692 } else { 1693 acl_ids->z_fgid = zfs_fuid_create_cred(zfsvfs, 1694 ZFS_GROUP, cr, &acl_ids->z_fuidp); 1695 gid = crgetgid(cr); 1696 } 1697 } 1698 } 1699 1700 /* 1701 * If we're creating a directory, and the parent directory has the 1702 * set-GID bit set, set in on the new directory. 1703 * Otherwise, if the user is neither privileged nor a member of the 1704 * file's new group, clear the file's set-GID bit. 1705 */ 1706 1707 if (!(flag & IS_ROOT_NODE) && (dzp->z_mode & S_ISGID) && 1708 (vap->va_type == VDIR)) { 1709 acl_ids->z_mode |= S_ISGID; 1710 } else { 1711 if ((acl_ids->z_mode & S_ISGID) && 1712 secpolicy_vnode_setids_setgids(cr, gid) != 0) 1713 acl_ids->z_mode &= ~S_ISGID; 1714 } 1715 1716 if (acl_ids->z_aclp == NULL) { 1717 mutex_enter(&dzp->z_acl_lock); 1718 mutex_enter(&dzp->z_lock); 1719 if (!(flag & IS_ROOT_NODE) && 1720 (dzp->z_pflags & ZFS_INHERIT_ACE) && 1721 !(dzp->z_pflags & ZFS_XATTR)) { 1722 VERIFY(0 == zfs_acl_node_read(dzp, B_TRUE, 1723 &paclp, B_FALSE)); 1724 acl_ids->z_aclp = zfs_acl_inherit(zfsvfs, 1725 vap->va_type, paclp, acl_ids->z_mode, &need_chmod); 1726 inherited = B_TRUE; 1727 } else { 1728 acl_ids->z_aclp = 1729 zfs_acl_alloc(zfs_acl_version_zp(dzp)); 1730 acl_ids->z_aclp->z_hints |= ZFS_ACL_TRIVIAL; 1731 } 1732 mutex_exit(&dzp->z_lock); 1733 mutex_exit(&dzp->z_acl_lock); 1734 1735 if (need_chmod) { 1736 if (vap->va_type == VDIR) 1737 acl_ids->z_aclp->z_hints |= 1738 ZFS_ACL_AUTO_INHERIT; 1739 1740 if (zfsvfs->z_acl_mode == ZFS_ACL_GROUPMASK && 1741 zfsvfs->z_acl_inherit != ZFS_ACL_PASSTHROUGH && 1742 zfsvfs->z_acl_inherit != ZFS_ACL_PASSTHROUGH_X) 1743 trim = B_TRUE; 1744 zfs_acl_chmod(vap->va_type, acl_ids->z_mode, B_FALSE, 1745 trim, acl_ids->z_aclp); 1746 } 1747 } 1748 1749 if (inherited || vsecp) { 1750 acl_ids->z_mode = zfs_mode_compute(acl_ids->z_mode, 1751 acl_ids->z_aclp, &acl_ids->z_aclp->z_hints, 1752 acl_ids->z_fuid, acl_ids->z_fgid); 1753 if (ace_trivial_common(acl_ids->z_aclp, 0, zfs_ace_walk) == 0) 1754 acl_ids->z_aclp->z_hints |= ZFS_ACL_TRIVIAL; 1755 } 1756 1757 return (0); 1758 } 1759 1760 /* 1761 * Free ACL and fuid_infop, but not the acl_ids structure 1762 */ 1763 void 1764 zfs_acl_ids_free(zfs_acl_ids_t *acl_ids) 1765 { 1766 if (acl_ids->z_aclp) 1767 zfs_acl_free(acl_ids->z_aclp); 1768 if (acl_ids->z_fuidp) 1769 zfs_fuid_info_free(acl_ids->z_fuidp); 1770 acl_ids->z_aclp = NULL; 1771 acl_ids->z_fuidp = NULL; 1772 } 1773 1774 boolean_t 1775 zfs_acl_ids_overquota(zfsvfs_t *zv, zfs_acl_ids_t *acl_ids, uint64_t projid) 1776 { 1777 return (zfs_id_overquota(zv, DMU_USERUSED_OBJECT, acl_ids->z_fuid) || 1778 zfs_id_overquota(zv, DMU_GROUPUSED_OBJECT, acl_ids->z_fgid) || 1779 (projid != ZFS_DEFAULT_PROJID && projid != ZFS_INVALID_PROJID && 1780 zfs_id_overquota(zv, DMU_PROJECTUSED_OBJECT, projid))); 1781 } 1782 1783 /* 1784 * Retrieve a file's ACL 1785 */ 1786 int 1787 zfs_getacl(znode_t *zp, vsecattr_t *vsecp, boolean_t skipaclchk, cred_t *cr) 1788 { 1789 zfs_acl_t *aclp; 1790 ulong_t mask; 1791 int error; 1792 int count = 0; 1793 int largeace = 0; 1794 1795 mask = vsecp->vsa_mask & (VSA_ACE | VSA_ACECNT | 1796 VSA_ACE_ACLFLAGS | VSA_ACE_ALLTYPES); 1797 1798 if (mask == 0) 1799 return (SET_ERROR(ENOSYS)); 1800 1801 if (error = zfs_zaccess(zp, ACE_READ_ACL, 0, skipaclchk, cr)) 1802 return (error); 1803 1804 mutex_enter(&zp->z_acl_lock); 1805 1806 error = zfs_acl_node_read(zp, B_FALSE, &aclp, B_FALSE); 1807 if (error != 0) { 1808 mutex_exit(&zp->z_acl_lock); 1809 return (error); 1810 } 1811 1812 /* 1813 * Scan ACL to determine number of ACEs 1814 */ 1815 if ((zp->z_pflags & ZFS_ACL_OBJ_ACE) && !(mask & VSA_ACE_ALLTYPES)) { 1816 void *zacep = NULL; 1817 uint64_t who; 1818 uint32_t access_mask; 1819 uint16_t type, iflags; 1820 1821 while (zacep = zfs_acl_next_ace(aclp, zacep, 1822 &who, &access_mask, &iflags, &type)) { 1823 switch (type) { 1824 case ACE_ACCESS_ALLOWED_OBJECT_ACE_TYPE: 1825 case ACE_ACCESS_DENIED_OBJECT_ACE_TYPE: 1826 case ACE_SYSTEM_AUDIT_OBJECT_ACE_TYPE: 1827 case ACE_SYSTEM_ALARM_OBJECT_ACE_TYPE: 1828 largeace++; 1829 continue; 1830 default: 1831 count++; 1832 } 1833 } 1834 vsecp->vsa_aclcnt = count; 1835 } else 1836 count = (int)aclp->z_acl_count; 1837 1838 if (mask & VSA_ACECNT) { 1839 vsecp->vsa_aclcnt = count; 1840 } 1841 1842 if (mask & VSA_ACE) { 1843 size_t aclsz; 1844 1845 aclsz = count * sizeof (ace_t) + 1846 sizeof (ace_object_t) * largeace; 1847 1848 vsecp->vsa_aclentp = kmem_alloc(aclsz, KM_SLEEP); 1849 vsecp->vsa_aclentsz = aclsz; 1850 1851 if (aclp->z_version == ZFS_ACL_VERSION_FUID) 1852 zfs_copy_fuid_2_ace(zp->z_zfsvfs, aclp, cr, 1853 vsecp->vsa_aclentp, !(mask & VSA_ACE_ALLTYPES)); 1854 else { 1855 zfs_acl_node_t *aclnode; 1856 void *start = vsecp->vsa_aclentp; 1857 1858 for (aclnode = list_head(&aclp->z_acl); aclnode; 1859 aclnode = list_next(&aclp->z_acl, aclnode)) { 1860 bcopy(aclnode->z_acldata, start, 1861 aclnode->z_size); 1862 start = (caddr_t)start + aclnode->z_size; 1863 } 1864 ASSERT((caddr_t)start - (caddr_t)vsecp->vsa_aclentp == 1865 aclp->z_acl_bytes); 1866 } 1867 } 1868 if (mask & VSA_ACE_ACLFLAGS) { 1869 vsecp->vsa_aclflags = 0; 1870 if (zp->z_pflags & ZFS_ACL_DEFAULTED) 1871 vsecp->vsa_aclflags |= ACL_DEFAULTED; 1872 if (zp->z_pflags & ZFS_ACL_PROTECTED) 1873 vsecp->vsa_aclflags |= ACL_PROTECTED; 1874 if (zp->z_pflags & ZFS_ACL_AUTO_INHERIT) 1875 vsecp->vsa_aclflags |= ACL_AUTO_INHERIT; 1876 } 1877 1878 mutex_exit(&zp->z_acl_lock); 1879 1880 return (0); 1881 } 1882 1883 int 1884 zfs_vsec_2_aclp(zfsvfs_t *zfsvfs, vtype_t obj_type, 1885 vsecattr_t *vsecp, cred_t *cr, zfs_fuid_info_t **fuidp, zfs_acl_t **zaclp) 1886 { 1887 zfs_acl_t *aclp; 1888 zfs_acl_node_t *aclnode; 1889 int aclcnt = vsecp->vsa_aclcnt; 1890 int error; 1891 1892 if (vsecp->vsa_aclcnt > MAX_ACL_ENTRIES || vsecp->vsa_aclcnt <= 0) 1893 return (SET_ERROR(EINVAL)); 1894 1895 aclp = zfs_acl_alloc(zfs_acl_version(zfsvfs->z_version)); 1896 1897 aclp->z_hints = 0; 1898 aclnode = zfs_acl_node_alloc(aclcnt * sizeof (zfs_object_ace_t)); 1899 if (aclp->z_version == ZFS_ACL_VERSION_INITIAL) { 1900 if ((error = zfs_copy_ace_2_oldace(obj_type, aclp, 1901 (ace_t *)vsecp->vsa_aclentp, aclnode->z_acldata, 1902 aclcnt, &aclnode->z_size)) != 0) { 1903 zfs_acl_free(aclp); 1904 zfs_acl_node_free(aclnode); 1905 return (error); 1906 } 1907 } else { 1908 if ((error = zfs_copy_ace_2_fuid(zfsvfs, obj_type, aclp, 1909 vsecp->vsa_aclentp, aclnode->z_acldata, aclcnt, 1910 &aclnode->z_size, fuidp, cr)) != 0) { 1911 zfs_acl_free(aclp); 1912 zfs_acl_node_free(aclnode); 1913 return (error); 1914 } 1915 } 1916 aclp->z_acl_bytes = aclnode->z_size; 1917 aclnode->z_ace_count = aclcnt; 1918 aclp->z_acl_count = aclcnt; 1919 list_insert_head(&aclp->z_acl, aclnode); 1920 1921 /* 1922 * If flags are being set then add them to z_hints 1923 */ 1924 if (vsecp->vsa_mask & VSA_ACE_ACLFLAGS) { 1925 if (vsecp->vsa_aclflags & ACL_PROTECTED) 1926 aclp->z_hints |= ZFS_ACL_PROTECTED; 1927 if (vsecp->vsa_aclflags & ACL_DEFAULTED) 1928 aclp->z_hints |= ZFS_ACL_DEFAULTED; 1929 if (vsecp->vsa_aclflags & ACL_AUTO_INHERIT) 1930 aclp->z_hints |= ZFS_ACL_AUTO_INHERIT; 1931 } 1932 1933 *zaclp = aclp; 1934 1935 return (0); 1936 } 1937 1938 /* 1939 * Set a file's ACL 1940 */ 1941 int 1942 zfs_setacl(znode_t *zp, vsecattr_t *vsecp, boolean_t skipaclchk, cred_t *cr) 1943 { 1944 zfsvfs_t *zfsvfs = zp->z_zfsvfs; 1945 zilog_t *zilog = zfsvfs->z_log; 1946 ulong_t mask = vsecp->vsa_mask & (VSA_ACE | VSA_ACECNT); 1947 dmu_tx_t *tx; 1948 int error; 1949 zfs_acl_t *aclp; 1950 zfs_fuid_info_t *fuidp = NULL; 1951 boolean_t fuid_dirtied; 1952 uint64_t acl_obj; 1953 1954 if (mask == 0) 1955 return (SET_ERROR(ENOSYS)); 1956 1957 if (zp->z_pflags & ZFS_IMMUTABLE) 1958 return (SET_ERROR(EPERM)); 1959 1960 if (error = zfs_zaccess(zp, ACE_WRITE_ACL, 0, skipaclchk, cr)) 1961 return (error); 1962 1963 error = zfs_vsec_2_aclp(zfsvfs, ZTOV(zp)->v_type, vsecp, cr, &fuidp, 1964 &aclp); 1965 if (error) 1966 return (error); 1967 1968 /* 1969 * If ACL wide flags aren't being set then preserve any 1970 * existing flags. 1971 */ 1972 if (!(vsecp->vsa_mask & VSA_ACE_ACLFLAGS)) { 1973 aclp->z_hints |= 1974 (zp->z_pflags & V4_ACL_WIDE_FLAGS); 1975 } 1976 top: 1977 mutex_enter(&zp->z_acl_lock); 1978 mutex_enter(&zp->z_lock); 1979 1980 tx = dmu_tx_create(zfsvfs->z_os); 1981 1982 dmu_tx_hold_sa(tx, zp->z_sa_hdl, B_TRUE); 1983 1984 fuid_dirtied = zfsvfs->z_fuid_dirty; 1985 if (fuid_dirtied) 1986 zfs_fuid_txhold(zfsvfs, tx); 1987 1988 /* 1989 * If old version and ACL won't fit in bonus and we aren't 1990 * upgrading then take out necessary DMU holds 1991 */ 1992 1993 if ((acl_obj = zfs_external_acl(zp)) != 0) { 1994 if (zfsvfs->z_version >= ZPL_VERSION_FUID && 1995 zfs_znode_acl_version(zp) <= ZFS_ACL_VERSION_INITIAL) { 1996 dmu_tx_hold_free(tx, acl_obj, 0, 1997 DMU_OBJECT_END); 1998 dmu_tx_hold_write(tx, DMU_NEW_OBJECT, 0, 1999 aclp->z_acl_bytes); 2000 } else { 2001 dmu_tx_hold_write(tx, acl_obj, 0, aclp->z_acl_bytes); 2002 } 2003 } else if (!zp->z_is_sa && aclp->z_acl_bytes > ZFS_ACE_SPACE) { 2004 dmu_tx_hold_write(tx, DMU_NEW_OBJECT, 0, aclp->z_acl_bytes); 2005 } 2006 2007 zfs_sa_upgrade_txholds(tx, zp); 2008 error = dmu_tx_assign(tx, TXG_NOWAIT); 2009 if (error) { 2010 mutex_exit(&zp->z_acl_lock); 2011 mutex_exit(&zp->z_lock); 2012 2013 if (error == ERESTART) { 2014 dmu_tx_wait(tx); 2015 dmu_tx_abort(tx); 2016 goto top; 2017 } 2018 dmu_tx_abort(tx); 2019 zfs_acl_free(aclp); 2020 return (error); 2021 } 2022 2023 error = zfs_aclset_common(zp, aclp, cr, tx); 2024 ASSERT(error == 0); 2025 ASSERT(zp->z_acl_cached == NULL); 2026 zp->z_acl_cached = aclp; 2027 2028 if (fuid_dirtied) 2029 zfs_fuid_sync(zfsvfs, tx); 2030 2031 zfs_log_acl(zilog, tx, zp, vsecp, fuidp); 2032 2033 if (fuidp) 2034 zfs_fuid_info_free(fuidp); 2035 dmu_tx_commit(tx); 2036 done: 2037 mutex_exit(&zp->z_lock); 2038 mutex_exit(&zp->z_acl_lock); 2039 2040 return (error); 2041 } 2042 2043 /* 2044 * Check accesses of interest (AoI) against attributes of the dataset 2045 * such as read-only. Returns zero if no AoI conflict with dataset 2046 * attributes, otherwise an appropriate errno is returned. 2047 */ 2048 static int 2049 zfs_zaccess_dataset_check(znode_t *zp, uint32_t v4_mode) 2050 { 2051 if ((v4_mode & WRITE_MASK) && 2052 (zp->z_zfsvfs->z_vfs->vfs_flag & VFS_RDONLY) && 2053 (!IS_DEVVP(ZTOV(zp)) || 2054 (IS_DEVVP(ZTOV(zp)) && (v4_mode & WRITE_MASK_ATTRS)))) { 2055 return (SET_ERROR(EROFS)); 2056 } 2057 2058 /* 2059 * Intentionally allow ZFS_READONLY through here. 2060 * See zfs_zaccess_common(). 2061 */ 2062 if ((v4_mode & WRITE_MASK_DATA) && 2063 (zp->z_pflags & ZFS_IMMUTABLE)) { 2064 return (SET_ERROR(EPERM)); 2065 } 2066 2067 if ((v4_mode & (ACE_DELETE | ACE_DELETE_CHILD)) && 2068 (zp->z_pflags & ZFS_NOUNLINK)) { 2069 return (SET_ERROR(EPERM)); 2070 } 2071 2072 if (((v4_mode & (ACE_READ_DATA|ACE_EXECUTE)) && 2073 (zp->z_pflags & ZFS_AV_QUARANTINED))) { 2074 return (SET_ERROR(EACCES)); 2075 } 2076 2077 return (0); 2078 } 2079 2080 /* 2081 * The primary usage of this function is to loop through all of the 2082 * ACEs in the znode, determining what accesses of interest (AoI) to 2083 * the caller are allowed or denied. The AoI are expressed as bits in 2084 * the working_mode parameter. As each ACE is processed, bits covered 2085 * by that ACE are removed from the working_mode. This removal 2086 * facilitates two things. The first is that when the working mode is 2087 * empty (= 0), we know we've looked at all the AoI. The second is 2088 * that the ACE interpretation rules don't allow a later ACE to undo 2089 * something granted or denied by an earlier ACE. Removing the 2090 * discovered access or denial enforces this rule. At the end of 2091 * processing the ACEs, all AoI that were found to be denied are 2092 * placed into the working_mode, giving the caller a mask of denied 2093 * accesses. Returns: 2094 * 0 if all AoI granted 2095 * EACCES if the denied mask is non-zero 2096 * other error if abnormal failure (e.g., IO error) 2097 * 2098 * A secondary usage of the function is to determine if any of the 2099 * AoI are granted. If an ACE grants any access in 2100 * the working_mode, we immediately short circuit out of the function. 2101 * This mode is chosen by setting anyaccess to B_TRUE. The 2102 * working_mode is not a denied access mask upon exit if the function 2103 * is used in this manner. 2104 */ 2105 static int 2106 zfs_zaccess_aces_check(znode_t *zp, uint32_t *working_mode, 2107 boolean_t anyaccess, cred_t *cr) 2108 { 2109 zfsvfs_t *zfsvfs = zp->z_zfsvfs; 2110 zfs_acl_t *aclp; 2111 int error; 2112 uint64_t who; /* FUID from the ACE */ 2113 uint16_t type, iflags; 2114 uint16_t entry_type; 2115 uint32_t access_mask; 2116 uint32_t deny_mask = 0; 2117 zfs_ace_hdr_t *acep = NULL; 2118 boolean_t checkit; /* ACE ID matches */ 2119 2120 mutex_enter(&zp->z_acl_lock); 2121 2122 error = zfs_acl_node_read(zp, B_FALSE, &aclp, B_FALSE); 2123 if (error != 0) { 2124 mutex_exit(&zp->z_acl_lock); 2125 return (error); 2126 } 2127 2128 ASSERT(zp->z_acl_cached); 2129 2130 while (acep = zfs_acl_next_ace(aclp, acep, &who, &access_mask, 2131 &iflags, &type)) { 2132 uint32_t mask_matched; 2133 2134 if (!zfs_acl_valid_ace_type(type, iflags)) 2135 continue; 2136 2137 if (ZTOV(zp)->v_type == VDIR && (iflags & ACE_INHERIT_ONLY_ACE)) 2138 continue; 2139 2140 /* Skip ACE if it does not affect any AoI */ 2141 mask_matched = (access_mask & *working_mode); 2142 if (!mask_matched) 2143 continue; 2144 2145 entry_type = (iflags & ACE_TYPE_FLAGS); 2146 2147 checkit = B_FALSE; 2148 2149 switch (entry_type) { 2150 case ACE_OWNER: 2151 who = zp->z_uid; 2152 /*FALLTHROUGH*/ 2153 case 0: /* USER Entry */ 2154 checkit = zfs_user_in_cred(zfsvfs, who, cr); 2155 break; 2156 case OWNING_GROUP: 2157 who = zp->z_gid; 2158 /*FALLTHROUGH*/ 2159 case ACE_IDENTIFIER_GROUP: 2160 checkit = zfs_groupmember(zfsvfs, who, cr); 2161 break; 2162 case ACE_EVERYONE: 2163 checkit = B_TRUE; 2164 break; 2165 2166 default: 2167 /* 2168 * The zfs_acl_valid_ace_type check above 2169 * should make this case impossible. 2170 */ 2171 mutex_exit(&zp->z_acl_lock); 2172 return (SET_ERROR(EIO)); 2173 } 2174 2175 if (checkit) { 2176 if (type == DENY) { 2177 DTRACE_PROBE3(zfs__ace__denies, 2178 znode_t *, zp, 2179 zfs_ace_hdr_t *, acep, 2180 uint32_t, mask_matched); 2181 deny_mask |= mask_matched; 2182 } else { 2183 DTRACE_PROBE3(zfs__ace__allows, 2184 znode_t *, zp, 2185 zfs_ace_hdr_t *, acep, 2186 uint32_t, mask_matched); 2187 if (anyaccess) { 2188 mutex_exit(&zp->z_acl_lock); 2189 return (0); 2190 } 2191 } 2192 *working_mode &= ~mask_matched; 2193 } 2194 2195 /* Are we done? */ 2196 if (*working_mode == 0) 2197 break; 2198 } 2199 2200 mutex_exit(&zp->z_acl_lock); 2201 2202 /* Put the found 'denies' back on the working mode */ 2203 if (deny_mask) { 2204 *working_mode |= deny_mask; 2205 return (SET_ERROR(EACCES)); 2206 } else if (*working_mode) { 2207 return (-1); 2208 } 2209 2210 return (0); 2211 } 2212 2213 /* 2214 * Return true if any access whatsoever granted, we don't actually 2215 * care what access is granted. 2216 */ 2217 boolean_t 2218 zfs_has_access(znode_t *zp, cred_t *cr) 2219 { 2220 uint32_t have = ACE_ALL_PERMS; 2221 2222 if (zfs_zaccess_aces_check(zp, &have, B_TRUE, cr) != 0) { 2223 uid_t owner; 2224 2225 owner = zfs_fuid_map_id(zp->z_zfsvfs, zp->z_uid, cr, ZFS_OWNER); 2226 return (secpolicy_vnode_any_access(cr, ZTOV(zp), owner) == 0); 2227 } 2228 return (B_TRUE); 2229 } 2230 2231 static int 2232 zfs_zaccess_common(znode_t *zp, uint32_t v4_mode, uint32_t *working_mode, 2233 boolean_t *check_privs, boolean_t skipaclchk, cred_t *cr) 2234 { 2235 zfsvfs_t *zfsvfs = zp->z_zfsvfs; 2236 int err; 2237 2238 *working_mode = v4_mode; 2239 *check_privs = B_TRUE; 2240 2241 /* 2242 * Short circuit empty requests 2243 */ 2244 if (v4_mode == 0 || zfsvfs->z_replay) { 2245 *working_mode = 0; 2246 return (0); 2247 } 2248 2249 if ((err = zfs_zaccess_dataset_check(zp, v4_mode)) != 0) { 2250 *check_privs = B_FALSE; 2251 return (err); 2252 } 2253 2254 /* 2255 * The caller requested that the ACL check be skipped. This 2256 * would only happen if the caller checked VOP_ACCESS() with a 2257 * 32 bit ACE mask and already had the appropriate permissions. 2258 */ 2259 if (skipaclchk) { 2260 *working_mode = 0; 2261 return (0); 2262 } 2263 2264 /* 2265 * Note: ZFS_READONLY represents the "DOS R/O" attribute. 2266 * When that flag is set, we should behave as if write access 2267 * were not granted by anything in the ACL. In particular: 2268 * We _must_ allow writes after opening the file r/w, then 2269 * setting the DOS R/O attribute, and writing some more. 2270 * (Similar to how you can write after fchmod(fd, 0444).) 2271 * 2272 * Therefore ZFS_READONLY is ignored in the dataset check 2273 * above, and checked here as if part of the ACL check. 2274 * Also note: DOS R/O is ignored for directories. 2275 */ 2276 if ((v4_mode & WRITE_MASK_DATA) && 2277 (ZTOV(zp)->v_type != VDIR) && 2278 (zp->z_pflags & ZFS_READONLY)) { 2279 return (SET_ERROR(EPERM)); 2280 } 2281 2282 return (zfs_zaccess_aces_check(zp, working_mode, B_FALSE, cr)); 2283 } 2284 2285 static int 2286 zfs_zaccess_append(znode_t *zp, uint32_t *working_mode, boolean_t *check_privs, 2287 cred_t *cr) 2288 { 2289 if (*working_mode != ACE_WRITE_DATA) 2290 return (SET_ERROR(EACCES)); 2291 2292 return (zfs_zaccess_common(zp, ACE_APPEND_DATA, working_mode, 2293 check_privs, B_FALSE, cr)); 2294 } 2295 2296 int 2297 zfs_fastaccesschk_execute(znode_t *zdp, cred_t *cr, boolean_t skipaclchk) 2298 { 2299 boolean_t owner = B_FALSE; 2300 boolean_t groupmbr = B_FALSE; 2301 boolean_t is_attr; 2302 uid_t uid = crgetuid(cr); 2303 int error; 2304 2305 if (zdp->z_pflags & ZFS_AV_QUARANTINED) 2306 return (SET_ERROR(EACCES)); 2307 2308 is_attr = ((zdp->z_pflags & ZFS_XATTR) && 2309 (ZTOV(zdp)->v_type == VDIR)); 2310 if (is_attr) 2311 goto slow; 2312 2313 2314 mutex_enter(&zdp->z_acl_lock); 2315 2316 if (zdp->z_pflags & ZFS_NO_EXECS_DENIED) { 2317 mutex_exit(&zdp->z_acl_lock); 2318 return (0); 2319 } 2320 2321 if (FUID_INDEX(zdp->z_uid) != 0 || FUID_INDEX(zdp->z_gid) != 0) { 2322 mutex_exit(&zdp->z_acl_lock); 2323 goto slow; 2324 } 2325 2326 if (uid == zdp->z_uid) { 2327 owner = B_TRUE; 2328 if (zdp->z_mode & S_IXUSR) { 2329 mutex_exit(&zdp->z_acl_lock); 2330 return (0); 2331 } else { 2332 mutex_exit(&zdp->z_acl_lock); 2333 goto slow; 2334 } 2335 } 2336 if (groupmember(zdp->z_gid, cr)) { 2337 groupmbr = B_TRUE; 2338 if (zdp->z_mode & S_IXGRP) { 2339 mutex_exit(&zdp->z_acl_lock); 2340 return (0); 2341 } else { 2342 mutex_exit(&zdp->z_acl_lock); 2343 goto slow; 2344 } 2345 } 2346 if (!owner && !groupmbr) { 2347 if (zdp->z_mode & S_IXOTH) { 2348 mutex_exit(&zdp->z_acl_lock); 2349 return (0); 2350 } 2351 } 2352 2353 mutex_exit(&zdp->z_acl_lock); 2354 2355 slow: 2356 DTRACE_PROBE(zfs__fastpath__execute__access__miss); 2357 ZFS_ENTER(zdp->z_zfsvfs); 2358 error = zfs_zaccess(zdp, ACE_EXECUTE, 0, skipaclchk, cr); 2359 ZFS_EXIT(zdp->z_zfsvfs); 2360 return (error); 2361 } 2362 2363 /* 2364 * Determine whether Access should be granted/denied. 2365 * 2366 * The least priv subsystem is always consulted as a basic privilege 2367 * can define any form of access. 2368 */ 2369 int 2370 zfs_zaccess(znode_t *zp, int mode, int flags, boolean_t skipaclchk, cred_t *cr) 2371 { 2372 uint32_t working_mode; 2373 int error; 2374 int is_attr; 2375 boolean_t check_privs; 2376 znode_t *xzp; 2377 znode_t *check_zp = zp; 2378 mode_t needed_bits; 2379 uid_t owner; 2380 2381 is_attr = ((zp->z_pflags & ZFS_XATTR) && (ZTOV(zp)->v_type == VDIR)); 2382 2383 /* 2384 * If attribute then validate against base file 2385 */ 2386 if (is_attr) { 2387 uint64_t parent; 2388 2389 if ((error = sa_lookup(zp->z_sa_hdl, 2390 SA_ZPL_PARENT(zp->z_zfsvfs), &parent, 2391 sizeof (parent))) != 0) 2392 return (error); 2393 2394 if ((error = zfs_zget(zp->z_zfsvfs, 2395 parent, &xzp)) != 0) { 2396 return (error); 2397 } 2398 2399 check_zp = xzp; 2400 2401 /* 2402 * fixup mode to map to xattr perms 2403 */ 2404 2405 if (mode & (ACE_WRITE_DATA|ACE_APPEND_DATA)) { 2406 mode &= ~(ACE_WRITE_DATA|ACE_APPEND_DATA); 2407 mode |= ACE_WRITE_NAMED_ATTRS; 2408 } 2409 2410 if (mode & (ACE_READ_DATA|ACE_EXECUTE)) { 2411 mode &= ~(ACE_READ_DATA|ACE_EXECUTE); 2412 mode |= ACE_READ_NAMED_ATTRS; 2413 } 2414 } 2415 2416 owner = zfs_fuid_map_id(zp->z_zfsvfs, zp->z_uid, cr, ZFS_OWNER); 2417 /* 2418 * Map the bits required to the standard vnode flags VREAD|VWRITE|VEXEC 2419 * in needed_bits. Map the bits mapped by working_mode (currently 2420 * missing) in missing_bits. 2421 * Call secpolicy_vnode_access2() with (needed_bits & ~checkmode), 2422 * needed_bits. 2423 */ 2424 needed_bits = 0; 2425 2426 working_mode = mode; 2427 2428 if ((working_mode & (ACE_READ_ACL|ACE_READ_ATTRIBUTES)) && 2429 owner == crgetuid(cr)) 2430 working_mode &= ~(ACE_READ_ACL|ACE_READ_ATTRIBUTES); 2431 2432 if (working_mode & (ACE_READ_DATA|ACE_READ_NAMED_ATTRS| 2433 ACE_READ_ACL|ACE_READ_ATTRIBUTES|ACE_SYNCHRONIZE)) 2434 needed_bits |= VREAD; 2435 if (working_mode & (ACE_WRITE_DATA|ACE_WRITE_NAMED_ATTRS| 2436 ACE_APPEND_DATA|ACE_WRITE_ATTRIBUTES|ACE_SYNCHRONIZE)) 2437 needed_bits |= VWRITE; 2438 if (working_mode & ACE_EXECUTE) 2439 needed_bits |= VEXEC; 2440 2441 if ((error = zfs_zaccess_common(check_zp, mode, &working_mode, 2442 &check_privs, skipaclchk, cr)) == 0) { 2443 if (is_attr) 2444 VN_RELE(ZTOV(xzp)); 2445 return (secpolicy_vnode_access2(cr, ZTOV(zp), owner, 2446 needed_bits, needed_bits)); 2447 } 2448 2449 if (error && !check_privs) { 2450 if (is_attr) 2451 VN_RELE(ZTOV(xzp)); 2452 return (error); 2453 } 2454 2455 if (error && (flags & V_APPEND)) { 2456 error = zfs_zaccess_append(zp, &working_mode, &check_privs, cr); 2457 } 2458 2459 if (error && check_privs) { 2460 mode_t checkmode = 0; 2461 2462 /* 2463 * First check for implicit owner permission on 2464 * read_acl/read_attributes 2465 */ 2466 2467 error = 0; 2468 ASSERT(working_mode != 0); 2469 2470 if ((working_mode & (ACE_READ_ACL|ACE_READ_ATTRIBUTES) && 2471 owner == crgetuid(cr))) 2472 working_mode &= ~(ACE_READ_ACL|ACE_READ_ATTRIBUTES); 2473 2474 if (working_mode & (ACE_READ_DATA|ACE_READ_NAMED_ATTRS| 2475 ACE_READ_ACL|ACE_READ_ATTRIBUTES|ACE_SYNCHRONIZE)) 2476 checkmode |= VREAD; 2477 if (working_mode & (ACE_WRITE_DATA|ACE_WRITE_NAMED_ATTRS| 2478 ACE_APPEND_DATA|ACE_WRITE_ATTRIBUTES|ACE_SYNCHRONIZE)) 2479 checkmode |= VWRITE; 2480 if (working_mode & ACE_EXECUTE) 2481 checkmode |= VEXEC; 2482 2483 error = secpolicy_vnode_access2(cr, ZTOV(check_zp), owner, 2484 needed_bits & ~checkmode, needed_bits); 2485 2486 if (error == 0 && (working_mode & ACE_WRITE_OWNER)) 2487 error = secpolicy_vnode_chown(cr, owner); 2488 if (error == 0 && (working_mode & ACE_WRITE_ACL)) 2489 error = secpolicy_vnode_setdac3(cr, owner, 2490 zp->z_zfsvfs->z_acl_implicit); 2491 2492 if (error == 0 && (working_mode & 2493 (ACE_DELETE|ACE_DELETE_CHILD))) 2494 error = secpolicy_vnode_remove(cr); 2495 2496 if (error == 0 && (working_mode & ACE_SYNCHRONIZE)) { 2497 error = secpolicy_vnode_chown(cr, owner); 2498 } 2499 if (error == 0) { 2500 /* 2501 * See if any bits other than those already checked 2502 * for are still present. If so then return EACCES 2503 */ 2504 if (working_mode & ~(ZFS_CHECKED_MASKS)) { 2505 error = SET_ERROR(EACCES); 2506 } 2507 } 2508 } else if (error == 0) { 2509 error = secpolicy_vnode_access2(cr, ZTOV(zp), owner, 2510 needed_bits, needed_bits); 2511 } 2512 2513 2514 if (is_attr) 2515 VN_RELE(ZTOV(xzp)); 2516 2517 return (error); 2518 } 2519 2520 /* 2521 * Translate traditional unix VREAD/VWRITE/VEXEC mode into 2522 * native ACL format and call zfs_zaccess() 2523 */ 2524 int 2525 zfs_zaccess_rwx(znode_t *zp, mode_t mode, int flags, cred_t *cr) 2526 { 2527 return (zfs_zaccess(zp, zfs_unix_to_v4(mode >> 6), flags, B_FALSE, cr)); 2528 } 2529 2530 /* 2531 * Access function for secpolicy_vnode_setattr 2532 */ 2533 int 2534 zfs_zaccess_unix(znode_t *zp, mode_t mode, cred_t *cr) 2535 { 2536 int v4_mode = zfs_unix_to_v4(mode >> 6); 2537 2538 return (zfs_zaccess(zp, v4_mode, 0, B_FALSE, cr)); 2539 } 2540 2541 /* See zfs_zaccess_delete() */ 2542 int zfs_write_implies_delete_child = 1; 2543 2544 /* 2545 * Determine whether delete access should be granted. 2546 * 2547 * The following chart outlines how we handle delete permissions which is 2548 * how recent versions of windows (Windows 2008) handles it. The efficiency 2549 * comes from not having to check the parent ACL where the object itself grants 2550 * delete: 2551 * 2552 * ------------------------------------------------------- 2553 * | Parent Dir | Target Object Permissions | 2554 * | permissions | | 2555 * ------------------------------------------------------- 2556 * | | ACL Allows | ACL Denies| Delete | 2557 * | | Delete | Delete | unspecified| 2558 * ------------------------------------------------------- 2559 * | ACL Allows | Permit | Deny * | Permit | 2560 * | DELETE_CHILD | | | | 2561 * ------------------------------------------------------- 2562 * | ACL Denies | Permit | Deny | Deny | 2563 * | DELETE_CHILD | | | | 2564 * ------------------------------------------------------- 2565 * | ACL specifies | | | | 2566 * | only allow | Permit | Deny * | Permit | 2567 * | write and | | | | 2568 * | execute | | | | 2569 * ------------------------------------------------------- 2570 * | ACL denies | | | | 2571 * | write and | Permit | Deny | Deny | 2572 * | execute | | | | 2573 * ------------------------------------------------------- 2574 * ^ 2575 * | 2576 * Re. execute permission on the directory: if that's missing, 2577 * the vnode lookup of the target will fail before we get here. 2578 * 2579 * Re [*] in the table above: NFSv4 would normally Permit delete for 2580 * these two cells of the matrix. 2581 * See acl.h for notes on which ACE_... flags should be checked for which 2582 * operations. Specifically, the NFSv4 committee recommendation is in 2583 * conflict with the Windows interpretation of DENY ACEs, where DENY ACEs 2584 * should take precedence ahead of ALLOW ACEs. 2585 * 2586 * This implementation always consults the target object's ACL first. 2587 * If a DENY ACE is present on the target object that specifies ACE_DELETE, 2588 * delete access is denied. If an ALLOW ACE with ACE_DELETE is present on 2589 * the target object, access is allowed. If and only if no entries with 2590 * ACE_DELETE are present in the object's ACL, check the container's ACL 2591 * for entries with ACE_DELETE_CHILD. 2592 * 2593 * A summary of the logic implemented from the table above is as follows: 2594 * 2595 * First check for DENY ACEs that apply. 2596 * If either target or container has a deny, EACCES. 2597 * 2598 * Delete access can then be summarized as follows: 2599 * 1: The object to be deleted grants ACE_DELETE, or 2600 * 2: The containing directory grants ACE_DELETE_CHILD. 2601 * In a Windows system, that would be the end of the story. 2602 * In this system, (2) has some complications... 2603 * 2a: "sticky" bit on a directory adds restrictions, and 2604 * 2b: existing ACEs from previous versions of ZFS may 2605 * not carry ACE_DELETE_CHILD where they should, so we 2606 * also allow delete when ACE_WRITE_DATA is granted. 2607 * 2608 * Note: 2b is technically a work-around for a prior bug, 2609 * which hopefully can go away some day. For those who 2610 * no longer need the work around, and for testing, this 2611 * work-around is made conditional via the tunable: 2612 * zfs_write_implies_delete_child 2613 */ 2614 int 2615 zfs_zaccess_delete(znode_t *dzp, znode_t *zp, cred_t *cr) 2616 { 2617 uint32_t wanted_dirperms; 2618 uint32_t dzp_working_mode = 0; 2619 uint32_t zp_working_mode = 0; 2620 int dzp_error, zp_error; 2621 boolean_t dzpcheck_privs; 2622 boolean_t zpcheck_privs; 2623 2624 if (zp->z_pflags & (ZFS_IMMUTABLE | ZFS_NOUNLINK)) 2625 return (SET_ERROR(EPERM)); 2626 2627 /* 2628 * Case 1: 2629 * If target object grants ACE_DELETE then we are done. This is 2630 * indicated by a return value of 0. For this case we don't worry 2631 * about the sticky bit because sticky only applies to the parent 2632 * directory and this is the child access result. 2633 * 2634 * If we encounter a DENY ACE here, we're also done (EACCES). 2635 * Note that if we hit a DENY ACE here (on the target) it should 2636 * take precedence over a DENY ACE on the container, so that when 2637 * we have more complete auditing support we will be able to 2638 * report an access failure against the specific target. 2639 * (This is part of why we're checking the target first.) 2640 */ 2641 zp_error = zfs_zaccess_common(zp, ACE_DELETE, &zp_working_mode, 2642 &zpcheck_privs, B_FALSE, cr); 2643 if (zp_error == EACCES) { 2644 /* We hit a DENY ACE. */ 2645 if (!zpcheck_privs) 2646 return (SET_ERROR(zp_error)); 2647 return (secpolicy_vnode_remove(cr)); 2648 2649 } 2650 if (zp_error == 0) 2651 return (0); 2652 2653 /* 2654 * Case 2: 2655 * If the containing directory grants ACE_DELETE_CHILD, 2656 * or we're in backward compatibility mode and the 2657 * containing directory has ACE_WRITE_DATA, allow. 2658 * Case 2b is handled with wanted_dirperms. 2659 */ 2660 wanted_dirperms = ACE_DELETE_CHILD; 2661 if (zfs_write_implies_delete_child) 2662 wanted_dirperms |= ACE_WRITE_DATA; 2663 dzp_error = zfs_zaccess_common(dzp, wanted_dirperms, 2664 &dzp_working_mode, &dzpcheck_privs, B_FALSE, cr); 2665 if (dzp_error == EACCES) { 2666 /* We hit a DENY ACE. */ 2667 if (!dzpcheck_privs) 2668 return (SET_ERROR(dzp_error)); 2669 return (secpolicy_vnode_remove(cr)); 2670 } 2671 2672 /* 2673 * Cases 2a, 2b (continued) 2674 * 2675 * Note: dzp_working_mode now contains any permissions 2676 * that were NOT granted. Therefore, if any of the 2677 * wanted_dirperms WERE granted, we will have: 2678 * dzp_working_mode != wanted_dirperms 2679 * We're really asking if ANY of those permissions 2680 * were granted, and if so, grant delete access. 2681 */ 2682 if (dzp_working_mode != wanted_dirperms) 2683 dzp_error = 0; 2684 2685 /* 2686 * dzp_error is 0 if the container granted us permissions to "modify". 2687 * If we do not have permission via one or more ACEs, our current 2688 * privileges may still permit us to modify the container. 2689 * 2690 * dzpcheck_privs is false when i.e. the FS is read-only. 2691 * Otherwise, do privilege checks for the container. 2692 */ 2693 if (dzp_error != 0 && dzpcheck_privs) { 2694 uid_t owner; 2695 2696 /* 2697 * The secpolicy call needs the requested access and 2698 * the current access mode of the container, but it 2699 * only knows about Unix-style modes (VEXEC, VWRITE), 2700 * so this must condense the fine-grained ACE bits into 2701 * Unix modes. 2702 * 2703 * The VEXEC flag is easy, because we know that has 2704 * always been checked before we get here (during the 2705 * lookup of the target vnode). The container has not 2706 * granted us permissions to "modify", so we do not set 2707 * the VWRITE flag in the current access mode. 2708 */ 2709 owner = zfs_fuid_map_id(dzp->z_zfsvfs, dzp->z_uid, cr, 2710 ZFS_OWNER); 2711 dzp_error = secpolicy_vnode_access2(cr, ZTOV(dzp), 2712 owner, VEXEC, VWRITE|VEXEC); 2713 } 2714 if (dzp_error != 0) { 2715 /* 2716 * Note: We may have dzp_error = -1 here (from 2717 * zfs_zacess_common). Don't return that. 2718 */ 2719 return (SET_ERROR(EACCES)); 2720 } 2721 2722 /* 2723 * At this point, we know that the directory permissions allow 2724 * us to modify, but we still need to check for the additional 2725 * restrictions that apply when the "sticky bit" is set. 2726 * 2727 * Yes, zfs_sticky_remove_access() also checks this bit, but 2728 * checking it here and skipping the call below is nice when 2729 * you're watching all of this with dtrace. 2730 */ 2731 if ((dzp->z_mode & S_ISVTX) == 0) 2732 return (0); 2733 2734 /* 2735 * zfs_sticky_remove_access will succeed if: 2736 * 1. The sticky bit is absent. 2737 * 2. We pass the sticky bit restrictions. 2738 * 3. We have privileges that always allow file removal. 2739 */ 2740 return (zfs_sticky_remove_access(dzp, zp, cr)); 2741 } 2742 2743 int 2744 zfs_zaccess_rename(znode_t *sdzp, znode_t *szp, znode_t *tdzp, 2745 znode_t *tzp, cred_t *cr) 2746 { 2747 int add_perm; 2748 int error; 2749 2750 if (szp->z_pflags & ZFS_AV_QUARANTINED) 2751 return (SET_ERROR(EACCES)); 2752 2753 add_perm = (ZTOV(szp)->v_type == VDIR) ? 2754 ACE_ADD_SUBDIRECTORY : ACE_ADD_FILE; 2755 2756 /* 2757 * Rename permissions are combination of delete permission + 2758 * add file/subdir permission. 2759 */ 2760 2761 /* 2762 * first make sure we do the delete portion. 2763 * 2764 * If that succeeds then check for add_file/add_subdir permissions 2765 */ 2766 2767 if (error = zfs_zaccess_delete(sdzp, szp, cr)) 2768 return (error); 2769 2770 /* 2771 * If we have a tzp, see if we can delete it? 2772 */ 2773 if (tzp) { 2774 if (error = zfs_zaccess_delete(tdzp, tzp, cr)) 2775 return (error); 2776 } 2777 2778 /* 2779 * Now check for add permissions 2780 */ 2781 error = zfs_zaccess(tdzp, add_perm, 0, B_FALSE, cr); 2782 2783 return (error); 2784 } 2785