1 /* 2 * CDDL HEADER START 3 * 4 * The contents of this file are subject to the terms of the 5 * Common Development and Distribution License (the "License"). 6 * You may not use this file except in compliance with the License. 7 * 8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE 9 * or http://www.opensolaris.org/os/licensing. 10 * See the License for the specific language governing permissions 11 * and limitations under the License. 12 * 13 * When distributing Covered Code, include this CDDL HEADER in each 14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE. 15 * If applicable, add the following below this CDDL HEADER, with the 16 * fields enclosed by brackets "[]" replaced with your own identifying 17 * information: Portions Copyright [yyyy] [name of copyright owner] 18 * 19 * CDDL HEADER END 20 */ 21 /* 22 * Copyright 2009 Sun Microsystems, Inc. All rights reserved. 23 * Use is subject to license terms. 24 */ 25 26 #include <sys/types.h> 27 #include <sys/param.h> 28 #include <sys/time.h> 29 #include <sys/systm.h> 30 #include <sys/sysmacros.h> 31 #include <sys/resource.h> 32 #include <sys/vfs.h> 33 #include <sys/vnode.h> 34 #include <sys/sid.h> 35 #include <sys/file.h> 36 #include <sys/stat.h> 37 #include <sys/kmem.h> 38 #include <sys/cmn_err.h> 39 #include <sys/errno.h> 40 #include <sys/unistd.h> 41 #include <sys/sdt.h> 42 #include <sys/fs/zfs.h> 43 #include <sys/mode.h> 44 #include <sys/policy.h> 45 #include <sys/zfs_znode.h> 46 #include <sys/zfs_fuid.h> 47 #include <sys/zfs_acl.h> 48 #include <sys/zfs_dir.h> 49 #include <sys/zfs_vfsops.h> 50 #include <sys/dmu.h> 51 #include <sys/dnode.h> 52 #include <sys/zap.h> 53 #include "fs/fs_subr.h" 54 #include <acl/acl_common.h> 55 56 #define ALLOW ACE_ACCESS_ALLOWED_ACE_TYPE 57 #define DENY ACE_ACCESS_DENIED_ACE_TYPE 58 #define MAX_ACE_TYPE ACE_SYSTEM_ALARM_CALLBACK_OBJECT_ACE_TYPE 59 #define MIN_ACE_TYPE ALLOW 60 61 #define OWNING_GROUP (ACE_GROUP|ACE_IDENTIFIER_GROUP) 62 #define EVERYONE_ALLOW_MASK (ACE_READ_ACL|ACE_READ_ATTRIBUTES | \ 63 ACE_READ_NAMED_ATTRS|ACE_SYNCHRONIZE) 64 #define EVERYONE_DENY_MASK (ACE_WRITE_ACL|ACE_WRITE_OWNER | \ 65 ACE_WRITE_ATTRIBUTES|ACE_WRITE_NAMED_ATTRS) 66 #define OWNER_ALLOW_MASK (ACE_WRITE_ACL | ACE_WRITE_OWNER | \ 67 ACE_WRITE_ATTRIBUTES|ACE_WRITE_NAMED_ATTRS) 68 69 #define ZFS_CHECKED_MASKS (ACE_READ_ACL|ACE_READ_ATTRIBUTES|ACE_READ_DATA| \ 70 ACE_READ_NAMED_ATTRS|ACE_WRITE_DATA|ACE_WRITE_ATTRIBUTES| \ 71 ACE_WRITE_NAMED_ATTRS|ACE_APPEND_DATA|ACE_EXECUTE|ACE_WRITE_OWNER| \ 72 ACE_WRITE_ACL|ACE_DELETE|ACE_DELETE_CHILD|ACE_SYNCHRONIZE) 73 74 #define WRITE_MASK_DATA (ACE_WRITE_DATA|ACE_APPEND_DATA|ACE_WRITE_NAMED_ATTRS) 75 #define WRITE_MASK_ATTRS (ACE_WRITE_ACL|ACE_WRITE_OWNER|ACE_WRITE_ATTRIBUTES| \ 76 ACE_DELETE|ACE_DELETE_CHILD) 77 #define WRITE_MASK (WRITE_MASK_DATA|WRITE_MASK_ATTRS) 78 79 #define OGE_CLEAR (ACE_READ_DATA|ACE_LIST_DIRECTORY|ACE_WRITE_DATA| \ 80 ACE_ADD_FILE|ACE_APPEND_DATA|ACE_ADD_SUBDIRECTORY|ACE_EXECUTE) 81 82 #define OKAY_MASK_BITS (ACE_READ_DATA|ACE_LIST_DIRECTORY|ACE_WRITE_DATA| \ 83 ACE_ADD_FILE|ACE_APPEND_DATA|ACE_ADD_SUBDIRECTORY|ACE_EXECUTE) 84 85 #define ALL_INHERIT (ACE_FILE_INHERIT_ACE|ACE_DIRECTORY_INHERIT_ACE | \ 86 ACE_NO_PROPAGATE_INHERIT_ACE|ACE_INHERIT_ONLY_ACE|ACE_INHERITED_ACE) 87 88 #define RESTRICTED_CLEAR (ACE_WRITE_ACL|ACE_WRITE_OWNER) 89 90 #define V4_ACL_WIDE_FLAGS (ZFS_ACL_AUTO_INHERIT|ZFS_ACL_DEFAULTED|\ 91 ZFS_ACL_PROTECTED) 92 93 #define ZFS_ACL_WIDE_FLAGS (V4_ACL_WIDE_FLAGS|ZFS_ACL_TRIVIAL|ZFS_INHERIT_ACE|\ 94 ZFS_ACL_OBJ_ACE) 95 96 static uint16_t 97 zfs_ace_v0_get_type(void *acep) 98 { 99 return (((zfs_oldace_t *)acep)->z_type); 100 } 101 102 static uint16_t 103 zfs_ace_v0_get_flags(void *acep) 104 { 105 return (((zfs_oldace_t *)acep)->z_flags); 106 } 107 108 static uint32_t 109 zfs_ace_v0_get_mask(void *acep) 110 { 111 return (((zfs_oldace_t *)acep)->z_access_mask); 112 } 113 114 static uint64_t 115 zfs_ace_v0_get_who(void *acep) 116 { 117 return (((zfs_oldace_t *)acep)->z_fuid); 118 } 119 120 static void 121 zfs_ace_v0_set_type(void *acep, uint16_t type) 122 { 123 ((zfs_oldace_t *)acep)->z_type = type; 124 } 125 126 static void 127 zfs_ace_v0_set_flags(void *acep, uint16_t flags) 128 { 129 ((zfs_oldace_t *)acep)->z_flags = flags; 130 } 131 132 static void 133 zfs_ace_v0_set_mask(void *acep, uint32_t mask) 134 { 135 ((zfs_oldace_t *)acep)->z_access_mask = mask; 136 } 137 138 static void 139 zfs_ace_v0_set_who(void *acep, uint64_t who) 140 { 141 ((zfs_oldace_t *)acep)->z_fuid = who; 142 } 143 144 /*ARGSUSED*/ 145 static size_t 146 zfs_ace_v0_size(void *acep) 147 { 148 return (sizeof (zfs_oldace_t)); 149 } 150 151 static size_t 152 zfs_ace_v0_abstract_size(void) 153 { 154 return (sizeof (zfs_oldace_t)); 155 } 156 157 static int 158 zfs_ace_v0_mask_off(void) 159 { 160 return (offsetof(zfs_oldace_t, z_access_mask)); 161 } 162 163 /*ARGSUSED*/ 164 static int 165 zfs_ace_v0_data(void *acep, void **datap) 166 { 167 *datap = NULL; 168 return (0); 169 } 170 171 static acl_ops_t zfs_acl_v0_ops = { 172 zfs_ace_v0_get_mask, 173 zfs_ace_v0_set_mask, 174 zfs_ace_v0_get_flags, 175 zfs_ace_v0_set_flags, 176 zfs_ace_v0_get_type, 177 zfs_ace_v0_set_type, 178 zfs_ace_v0_get_who, 179 zfs_ace_v0_set_who, 180 zfs_ace_v0_size, 181 zfs_ace_v0_abstract_size, 182 zfs_ace_v0_mask_off, 183 zfs_ace_v0_data 184 }; 185 186 static uint16_t 187 zfs_ace_fuid_get_type(void *acep) 188 { 189 return (((zfs_ace_hdr_t *)acep)->z_type); 190 } 191 192 static uint16_t 193 zfs_ace_fuid_get_flags(void *acep) 194 { 195 return (((zfs_ace_hdr_t *)acep)->z_flags); 196 } 197 198 static uint32_t 199 zfs_ace_fuid_get_mask(void *acep) 200 { 201 return (((zfs_ace_hdr_t *)acep)->z_access_mask); 202 } 203 204 static uint64_t 205 zfs_ace_fuid_get_who(void *args) 206 { 207 uint16_t entry_type; 208 zfs_ace_t *acep = args; 209 210 entry_type = acep->z_hdr.z_flags & ACE_TYPE_FLAGS; 211 212 if (entry_type == ACE_OWNER || entry_type == OWNING_GROUP || 213 entry_type == ACE_EVERYONE) 214 return (-1); 215 return (((zfs_ace_t *)acep)->z_fuid); 216 } 217 218 static void 219 zfs_ace_fuid_set_type(void *acep, uint16_t type) 220 { 221 ((zfs_ace_hdr_t *)acep)->z_type = type; 222 } 223 224 static void 225 zfs_ace_fuid_set_flags(void *acep, uint16_t flags) 226 { 227 ((zfs_ace_hdr_t *)acep)->z_flags = flags; 228 } 229 230 static void 231 zfs_ace_fuid_set_mask(void *acep, uint32_t mask) 232 { 233 ((zfs_ace_hdr_t *)acep)->z_access_mask = mask; 234 } 235 236 static void 237 zfs_ace_fuid_set_who(void *arg, uint64_t who) 238 { 239 zfs_ace_t *acep = arg; 240 241 uint16_t entry_type = acep->z_hdr.z_flags & ACE_TYPE_FLAGS; 242 243 if (entry_type == ACE_OWNER || entry_type == OWNING_GROUP || 244 entry_type == ACE_EVERYONE) 245 return; 246 acep->z_fuid = who; 247 } 248 249 static size_t 250 zfs_ace_fuid_size(void *acep) 251 { 252 zfs_ace_hdr_t *zacep = acep; 253 uint16_t entry_type; 254 255 switch (zacep->z_type) { 256 case ACE_ACCESS_ALLOWED_OBJECT_ACE_TYPE: 257 case ACE_ACCESS_DENIED_OBJECT_ACE_TYPE: 258 case ACE_SYSTEM_AUDIT_OBJECT_ACE_TYPE: 259 case ACE_SYSTEM_ALARM_OBJECT_ACE_TYPE: 260 return (sizeof (zfs_object_ace_t)); 261 case ALLOW: 262 case DENY: 263 entry_type = 264 (((zfs_ace_hdr_t *)acep)->z_flags & ACE_TYPE_FLAGS); 265 if (entry_type == ACE_OWNER || 266 entry_type == OWNING_GROUP || 267 entry_type == ACE_EVERYONE) 268 return (sizeof (zfs_ace_hdr_t)); 269 /*FALLTHROUGH*/ 270 default: 271 return (sizeof (zfs_ace_t)); 272 } 273 } 274 275 static size_t 276 zfs_ace_fuid_abstract_size(void) 277 { 278 return (sizeof (zfs_ace_hdr_t)); 279 } 280 281 static int 282 zfs_ace_fuid_mask_off(void) 283 { 284 return (offsetof(zfs_ace_hdr_t, z_access_mask)); 285 } 286 287 static int 288 zfs_ace_fuid_data(void *acep, void **datap) 289 { 290 zfs_ace_t *zacep = acep; 291 zfs_object_ace_t *zobjp; 292 293 switch (zacep->z_hdr.z_type) { 294 case ACE_ACCESS_ALLOWED_OBJECT_ACE_TYPE: 295 case ACE_ACCESS_DENIED_OBJECT_ACE_TYPE: 296 case ACE_SYSTEM_AUDIT_OBJECT_ACE_TYPE: 297 case ACE_SYSTEM_ALARM_OBJECT_ACE_TYPE: 298 zobjp = acep; 299 *datap = (caddr_t)zobjp + sizeof (zfs_ace_t); 300 return (sizeof (zfs_object_ace_t) - sizeof (zfs_ace_t)); 301 default: 302 *datap = NULL; 303 return (0); 304 } 305 } 306 307 static acl_ops_t zfs_acl_fuid_ops = { 308 zfs_ace_fuid_get_mask, 309 zfs_ace_fuid_set_mask, 310 zfs_ace_fuid_get_flags, 311 zfs_ace_fuid_set_flags, 312 zfs_ace_fuid_get_type, 313 zfs_ace_fuid_set_type, 314 zfs_ace_fuid_get_who, 315 zfs_ace_fuid_set_who, 316 zfs_ace_fuid_size, 317 zfs_ace_fuid_abstract_size, 318 zfs_ace_fuid_mask_off, 319 zfs_ace_fuid_data 320 }; 321 322 static int 323 zfs_acl_version(int version) 324 { 325 if (version < ZPL_VERSION_FUID) 326 return (ZFS_ACL_VERSION_INITIAL); 327 else 328 return (ZFS_ACL_VERSION_FUID); 329 } 330 331 static int 332 zfs_acl_version_zp(znode_t *zp) 333 { 334 return (zfs_acl_version(zp->z_zfsvfs->z_version)); 335 } 336 337 static zfs_acl_t * 338 zfs_acl_alloc(int vers) 339 { 340 zfs_acl_t *aclp; 341 342 aclp = kmem_zalloc(sizeof (zfs_acl_t), KM_SLEEP); 343 list_create(&aclp->z_acl, sizeof (zfs_acl_node_t), 344 offsetof(zfs_acl_node_t, z_next)); 345 aclp->z_version = vers; 346 if (vers == ZFS_ACL_VERSION_FUID) 347 aclp->z_ops = zfs_acl_fuid_ops; 348 else 349 aclp->z_ops = zfs_acl_v0_ops; 350 return (aclp); 351 } 352 353 static zfs_acl_node_t * 354 zfs_acl_node_alloc(size_t bytes) 355 { 356 zfs_acl_node_t *aclnode; 357 358 aclnode = kmem_zalloc(sizeof (zfs_acl_node_t), KM_SLEEP); 359 if (bytes) { 360 aclnode->z_acldata = kmem_alloc(bytes, KM_SLEEP); 361 aclnode->z_allocdata = aclnode->z_acldata; 362 aclnode->z_allocsize = bytes; 363 aclnode->z_size = bytes; 364 } 365 366 return (aclnode); 367 } 368 369 static void 370 zfs_acl_node_free(zfs_acl_node_t *aclnode) 371 { 372 if (aclnode->z_allocsize) 373 kmem_free(aclnode->z_allocdata, aclnode->z_allocsize); 374 kmem_free(aclnode, sizeof (zfs_acl_node_t)); 375 } 376 377 static void 378 zfs_acl_release_nodes(zfs_acl_t *aclp) 379 { 380 zfs_acl_node_t *aclnode; 381 382 while (aclnode = list_head(&aclp->z_acl)) { 383 list_remove(&aclp->z_acl, aclnode); 384 zfs_acl_node_free(aclnode); 385 } 386 aclp->z_acl_count = 0; 387 aclp->z_acl_bytes = 0; 388 } 389 390 void 391 zfs_acl_free(zfs_acl_t *aclp) 392 { 393 zfs_acl_release_nodes(aclp); 394 list_destroy(&aclp->z_acl); 395 kmem_free(aclp, sizeof (zfs_acl_t)); 396 } 397 398 static boolean_t 399 zfs_acl_valid_ace_type(uint_t type, uint_t flags) 400 { 401 uint16_t entry_type; 402 403 switch (type) { 404 case ALLOW: 405 case DENY: 406 case ACE_SYSTEM_AUDIT_ACE_TYPE: 407 case ACE_SYSTEM_ALARM_ACE_TYPE: 408 entry_type = flags & ACE_TYPE_FLAGS; 409 return (entry_type == ACE_OWNER || 410 entry_type == OWNING_GROUP || 411 entry_type == ACE_EVERYONE || entry_type == 0 || 412 entry_type == ACE_IDENTIFIER_GROUP); 413 default: 414 if (type >= MIN_ACE_TYPE && type <= MAX_ACE_TYPE) 415 return (B_TRUE); 416 } 417 return (B_FALSE); 418 } 419 420 static boolean_t 421 zfs_ace_valid(vtype_t obj_type, zfs_acl_t *aclp, uint16_t type, uint16_t iflags) 422 { 423 /* 424 * first check type of entry 425 */ 426 427 if (!zfs_acl_valid_ace_type(type, iflags)) 428 return (B_FALSE); 429 430 switch (type) { 431 case ACE_ACCESS_ALLOWED_OBJECT_ACE_TYPE: 432 case ACE_ACCESS_DENIED_OBJECT_ACE_TYPE: 433 case ACE_SYSTEM_AUDIT_OBJECT_ACE_TYPE: 434 case ACE_SYSTEM_ALARM_OBJECT_ACE_TYPE: 435 if (aclp->z_version < ZFS_ACL_VERSION_FUID) 436 return (B_FALSE); 437 aclp->z_hints |= ZFS_ACL_OBJ_ACE; 438 } 439 440 /* 441 * next check inheritance level flags 442 */ 443 444 if (obj_type == VDIR && 445 (iflags & (ACE_FILE_INHERIT_ACE|ACE_DIRECTORY_INHERIT_ACE))) 446 aclp->z_hints |= ZFS_INHERIT_ACE; 447 448 if (iflags & (ACE_INHERIT_ONLY_ACE|ACE_NO_PROPAGATE_INHERIT_ACE)) { 449 if ((iflags & (ACE_FILE_INHERIT_ACE| 450 ACE_DIRECTORY_INHERIT_ACE)) == 0) { 451 return (B_FALSE); 452 } 453 } 454 455 return (B_TRUE); 456 } 457 458 static void * 459 zfs_acl_next_ace(zfs_acl_t *aclp, void *start, uint64_t *who, 460 uint32_t *access_mask, uint16_t *iflags, uint16_t *type) 461 { 462 zfs_acl_node_t *aclnode; 463 464 if (start == NULL) { 465 aclnode = list_head(&aclp->z_acl); 466 if (aclnode == NULL) 467 return (NULL); 468 469 aclp->z_next_ace = aclnode->z_acldata; 470 aclp->z_curr_node = aclnode; 471 aclnode->z_ace_idx = 0; 472 } 473 474 aclnode = aclp->z_curr_node; 475 476 if (aclnode == NULL) 477 return (NULL); 478 479 if (aclnode->z_ace_idx >= aclnode->z_ace_count) { 480 aclnode = list_next(&aclp->z_acl, aclnode); 481 if (aclnode == NULL) 482 return (NULL); 483 else { 484 aclp->z_curr_node = aclnode; 485 aclnode->z_ace_idx = 0; 486 aclp->z_next_ace = aclnode->z_acldata; 487 } 488 } 489 490 if (aclnode->z_ace_idx < aclnode->z_ace_count) { 491 void *acep = aclp->z_next_ace; 492 size_t ace_size; 493 494 /* 495 * Make sure we don't overstep our bounds 496 */ 497 ace_size = aclp->z_ops.ace_size(acep); 498 499 if (((caddr_t)acep + ace_size) > 500 ((caddr_t)aclnode->z_acldata + aclnode->z_size)) { 501 return (NULL); 502 } 503 504 *iflags = aclp->z_ops.ace_flags_get(acep); 505 *type = aclp->z_ops.ace_type_get(acep); 506 *access_mask = aclp->z_ops.ace_mask_get(acep); 507 *who = aclp->z_ops.ace_who_get(acep); 508 aclp->z_next_ace = (caddr_t)aclp->z_next_ace + ace_size; 509 aclnode->z_ace_idx++; 510 return ((void *)acep); 511 } 512 return (NULL); 513 } 514 515 /*ARGSUSED*/ 516 static uint64_t 517 zfs_ace_walk(void *datap, uint64_t cookie, int aclcnt, 518 uint16_t *flags, uint16_t *type, uint32_t *mask) 519 { 520 zfs_acl_t *aclp = datap; 521 zfs_ace_hdr_t *acep = (zfs_ace_hdr_t *)(uintptr_t)cookie; 522 uint64_t who; 523 524 acep = zfs_acl_next_ace(aclp, acep, &who, mask, 525 flags, type); 526 return ((uint64_t)(uintptr_t)acep); 527 } 528 529 static zfs_acl_node_t * 530 zfs_acl_curr_node(zfs_acl_t *aclp) 531 { 532 ASSERT(aclp->z_curr_node); 533 return (aclp->z_curr_node); 534 } 535 536 /* 537 * Copy ACE to internal ZFS format. 538 * While processing the ACL each ACE will be validated for correctness. 539 * ACE FUIDs will be created later. 540 */ 541 int 542 zfs_copy_ace_2_fuid(zfsvfs_t *zfsvfs, vtype_t obj_type, zfs_acl_t *aclp, 543 void *datap, zfs_ace_t *z_acl, int aclcnt, size_t *size, 544 zfs_fuid_info_t **fuidp, cred_t *cr) 545 { 546 int i; 547 uint16_t entry_type; 548 zfs_ace_t *aceptr = z_acl; 549 ace_t *acep = datap; 550 zfs_object_ace_t *zobjacep; 551 ace_object_t *aceobjp; 552 553 for (i = 0; i != aclcnt; i++) { 554 aceptr->z_hdr.z_access_mask = acep->a_access_mask; 555 aceptr->z_hdr.z_flags = acep->a_flags; 556 aceptr->z_hdr.z_type = acep->a_type; 557 entry_type = aceptr->z_hdr.z_flags & ACE_TYPE_FLAGS; 558 if (entry_type != ACE_OWNER && entry_type != OWNING_GROUP && 559 entry_type != ACE_EVERYONE) { 560 aceptr->z_fuid = zfs_fuid_create(zfsvfs, acep->a_who, 561 cr, (entry_type == 0) ? 562 ZFS_ACE_USER : ZFS_ACE_GROUP, fuidp); 563 } 564 565 /* 566 * Make sure ACE is valid 567 */ 568 if (zfs_ace_valid(obj_type, aclp, aceptr->z_hdr.z_type, 569 aceptr->z_hdr.z_flags) != B_TRUE) 570 return (EINVAL); 571 572 switch (acep->a_type) { 573 case ACE_ACCESS_ALLOWED_OBJECT_ACE_TYPE: 574 case ACE_ACCESS_DENIED_OBJECT_ACE_TYPE: 575 case ACE_SYSTEM_AUDIT_OBJECT_ACE_TYPE: 576 case ACE_SYSTEM_ALARM_OBJECT_ACE_TYPE: 577 zobjacep = (zfs_object_ace_t *)aceptr; 578 aceobjp = (ace_object_t *)acep; 579 580 bcopy(aceobjp->a_obj_type, zobjacep->z_object_type, 581 sizeof (aceobjp->a_obj_type)); 582 bcopy(aceobjp->a_inherit_obj_type, 583 zobjacep->z_inherit_type, 584 sizeof (aceobjp->a_inherit_obj_type)); 585 acep = (ace_t *)((caddr_t)acep + sizeof (ace_object_t)); 586 break; 587 default: 588 acep = (ace_t *)((caddr_t)acep + sizeof (ace_t)); 589 } 590 591 aceptr = (zfs_ace_t *)((caddr_t)aceptr + 592 aclp->z_ops.ace_size(aceptr)); 593 } 594 595 *size = (caddr_t)aceptr - (caddr_t)z_acl; 596 597 return (0); 598 } 599 600 /* 601 * Copy ZFS ACEs to fixed size ace_t layout 602 */ 603 static void 604 zfs_copy_fuid_2_ace(zfsvfs_t *zfsvfs, zfs_acl_t *aclp, cred_t *cr, 605 void *datap, int filter) 606 { 607 uint64_t who; 608 uint32_t access_mask; 609 uint16_t iflags, type; 610 zfs_ace_hdr_t *zacep = NULL; 611 ace_t *acep = datap; 612 ace_object_t *objacep; 613 zfs_object_ace_t *zobjacep; 614 size_t ace_size; 615 uint16_t entry_type; 616 617 while (zacep = zfs_acl_next_ace(aclp, zacep, 618 &who, &access_mask, &iflags, &type)) { 619 620 switch (type) { 621 case ACE_ACCESS_ALLOWED_OBJECT_ACE_TYPE: 622 case ACE_ACCESS_DENIED_OBJECT_ACE_TYPE: 623 case ACE_SYSTEM_AUDIT_OBJECT_ACE_TYPE: 624 case ACE_SYSTEM_ALARM_OBJECT_ACE_TYPE: 625 if (filter) { 626 continue; 627 } 628 zobjacep = (zfs_object_ace_t *)zacep; 629 objacep = (ace_object_t *)acep; 630 bcopy(zobjacep->z_object_type, 631 objacep->a_obj_type, 632 sizeof (zobjacep->z_object_type)); 633 bcopy(zobjacep->z_inherit_type, 634 objacep->a_inherit_obj_type, 635 sizeof (zobjacep->z_inherit_type)); 636 ace_size = sizeof (ace_object_t); 637 break; 638 default: 639 ace_size = sizeof (ace_t); 640 break; 641 } 642 643 entry_type = (iflags & ACE_TYPE_FLAGS); 644 if ((entry_type != ACE_OWNER && 645 entry_type != OWNING_GROUP && 646 entry_type != ACE_EVERYONE)) { 647 acep->a_who = zfs_fuid_map_id(zfsvfs, who, 648 cr, (entry_type & ACE_IDENTIFIER_GROUP) ? 649 ZFS_ACE_GROUP : ZFS_ACE_USER); 650 } else { 651 acep->a_who = (uid_t)(int64_t)who; 652 } 653 acep->a_access_mask = access_mask; 654 acep->a_flags = iflags; 655 acep->a_type = type; 656 acep = (ace_t *)((caddr_t)acep + ace_size); 657 } 658 } 659 660 static int 661 zfs_copy_ace_2_oldace(vtype_t obj_type, zfs_acl_t *aclp, ace_t *acep, 662 zfs_oldace_t *z_acl, int aclcnt, size_t *size) 663 { 664 int i; 665 zfs_oldace_t *aceptr = z_acl; 666 667 for (i = 0; i != aclcnt; i++, aceptr++) { 668 aceptr->z_access_mask = acep[i].a_access_mask; 669 aceptr->z_type = acep[i].a_type; 670 aceptr->z_flags = acep[i].a_flags; 671 aceptr->z_fuid = acep[i].a_who; 672 /* 673 * Make sure ACE is valid 674 */ 675 if (zfs_ace_valid(obj_type, aclp, aceptr->z_type, 676 aceptr->z_flags) != B_TRUE) 677 return (EINVAL); 678 } 679 *size = (caddr_t)aceptr - (caddr_t)z_acl; 680 return (0); 681 } 682 683 /* 684 * convert old ACL format to new 685 */ 686 void 687 zfs_acl_xform(znode_t *zp, zfs_acl_t *aclp, cred_t *cr) 688 { 689 zfs_oldace_t *oldaclp; 690 int i; 691 uint16_t type, iflags; 692 uint32_t access_mask; 693 uint64_t who; 694 void *cookie = NULL; 695 zfs_acl_node_t *newaclnode; 696 697 ASSERT(aclp->z_version == ZFS_ACL_VERSION_INITIAL); 698 /* 699 * First create the ACE in a contiguous piece of memory 700 * for zfs_copy_ace_2_fuid(). 701 * 702 * We only convert an ACL once, so this won't happen 703 * everytime. 704 */ 705 oldaclp = kmem_alloc(sizeof (zfs_oldace_t) * aclp->z_acl_count, 706 KM_SLEEP); 707 i = 0; 708 while (cookie = zfs_acl_next_ace(aclp, cookie, &who, 709 &access_mask, &iflags, &type)) { 710 oldaclp[i].z_flags = iflags; 711 oldaclp[i].z_type = type; 712 oldaclp[i].z_fuid = who; 713 oldaclp[i++].z_access_mask = access_mask; 714 } 715 716 newaclnode = zfs_acl_node_alloc(aclp->z_acl_count * 717 sizeof (zfs_object_ace_t)); 718 aclp->z_ops = zfs_acl_fuid_ops; 719 VERIFY(zfs_copy_ace_2_fuid(zp->z_zfsvfs, ZTOV(zp)->v_type, aclp, 720 oldaclp, newaclnode->z_acldata, aclp->z_acl_count, 721 &newaclnode->z_size, NULL, cr) == 0); 722 newaclnode->z_ace_count = aclp->z_acl_count; 723 aclp->z_version = ZFS_ACL_VERSION; 724 kmem_free(oldaclp, aclp->z_acl_count * sizeof (zfs_oldace_t)); 725 726 /* 727 * Release all previous ACL nodes 728 */ 729 730 zfs_acl_release_nodes(aclp); 731 732 list_insert_head(&aclp->z_acl, newaclnode); 733 734 aclp->z_acl_bytes = newaclnode->z_size; 735 aclp->z_acl_count = newaclnode->z_ace_count; 736 737 } 738 739 /* 740 * Convert unix access mask to v4 access mask 741 */ 742 static uint32_t 743 zfs_unix_to_v4(uint32_t access_mask) 744 { 745 uint32_t new_mask = 0; 746 747 if (access_mask & S_IXOTH) 748 new_mask |= ACE_EXECUTE; 749 if (access_mask & S_IWOTH) 750 new_mask |= ACE_WRITE_DATA; 751 if (access_mask & S_IROTH) 752 new_mask |= ACE_READ_DATA; 753 return (new_mask); 754 } 755 756 static void 757 zfs_set_ace(zfs_acl_t *aclp, void *acep, uint32_t access_mask, 758 uint16_t access_type, uint64_t fuid, uint16_t entry_type) 759 { 760 uint16_t type = entry_type & ACE_TYPE_FLAGS; 761 762 aclp->z_ops.ace_mask_set(acep, access_mask); 763 aclp->z_ops.ace_type_set(acep, access_type); 764 aclp->z_ops.ace_flags_set(acep, entry_type); 765 if ((type != ACE_OWNER && type != OWNING_GROUP && 766 type != ACE_EVERYONE)) 767 aclp->z_ops.ace_who_set(acep, fuid); 768 } 769 770 /* 771 * Determine mode of file based on ACL. 772 * Also, create FUIDs for any User/Group ACEs 773 */ 774 static uint64_t 775 zfs_mode_compute(znode_t *zp, zfs_acl_t *aclp) 776 { 777 int entry_type; 778 mode_t mode; 779 mode_t seen = 0; 780 zfs_ace_hdr_t *acep = NULL; 781 uint64_t who; 782 uint16_t iflags, type; 783 uint32_t access_mask; 784 boolean_t an_exec_denied = B_FALSE; 785 786 mode = (zp->z_phys->zp_mode & (S_IFMT | S_ISUID | S_ISGID | S_ISVTX)); 787 788 while (acep = zfs_acl_next_ace(aclp, acep, &who, 789 &access_mask, &iflags, &type)) { 790 791 if (!zfs_acl_valid_ace_type(type, iflags)) 792 continue; 793 794 entry_type = (iflags & ACE_TYPE_FLAGS); 795 796 /* 797 * Skip over owner@, group@ or everyone@ inherit only ACEs 798 */ 799 if ((iflags & ACE_INHERIT_ONLY_ACE) && 800 (entry_type == ACE_OWNER || entry_type == ACE_EVERYONE || 801 entry_type == OWNING_GROUP)) 802 continue; 803 804 if (entry_type == ACE_OWNER) { 805 if ((access_mask & ACE_READ_DATA) && 806 (!(seen & S_IRUSR))) { 807 seen |= S_IRUSR; 808 if (type == ALLOW) { 809 mode |= S_IRUSR; 810 } 811 } 812 if ((access_mask & ACE_WRITE_DATA) && 813 (!(seen & S_IWUSR))) { 814 seen |= S_IWUSR; 815 if (type == ALLOW) { 816 mode |= S_IWUSR; 817 } 818 } 819 if ((access_mask & ACE_EXECUTE) && 820 (!(seen & S_IXUSR))) { 821 seen |= S_IXUSR; 822 if (type == ALLOW) { 823 mode |= S_IXUSR; 824 } 825 } 826 } else if (entry_type == OWNING_GROUP) { 827 if ((access_mask & ACE_READ_DATA) && 828 (!(seen & S_IRGRP))) { 829 seen |= S_IRGRP; 830 if (type == ALLOW) { 831 mode |= S_IRGRP; 832 } 833 } 834 if ((access_mask & ACE_WRITE_DATA) && 835 (!(seen & S_IWGRP))) { 836 seen |= S_IWGRP; 837 if (type == ALLOW) { 838 mode |= S_IWGRP; 839 } 840 } 841 if ((access_mask & ACE_EXECUTE) && 842 (!(seen & S_IXGRP))) { 843 seen |= S_IXGRP; 844 if (type == ALLOW) { 845 mode |= S_IXGRP; 846 } 847 } 848 } else if (entry_type == ACE_EVERYONE) { 849 if ((access_mask & ACE_READ_DATA)) { 850 if (!(seen & S_IRUSR)) { 851 seen |= S_IRUSR; 852 if (type == ALLOW) { 853 mode |= S_IRUSR; 854 } 855 } 856 if (!(seen & S_IRGRP)) { 857 seen |= S_IRGRP; 858 if (type == ALLOW) { 859 mode |= S_IRGRP; 860 } 861 } 862 if (!(seen & S_IROTH)) { 863 seen |= S_IROTH; 864 if (type == ALLOW) { 865 mode |= S_IROTH; 866 } 867 } 868 } 869 if ((access_mask & ACE_WRITE_DATA)) { 870 if (!(seen & S_IWUSR)) { 871 seen |= S_IWUSR; 872 if (type == ALLOW) { 873 mode |= S_IWUSR; 874 } 875 } 876 if (!(seen & S_IWGRP)) { 877 seen |= S_IWGRP; 878 if (type == ALLOW) { 879 mode |= S_IWGRP; 880 } 881 } 882 if (!(seen & S_IWOTH)) { 883 seen |= S_IWOTH; 884 if (type == ALLOW) { 885 mode |= S_IWOTH; 886 } 887 } 888 } 889 if ((access_mask & ACE_EXECUTE)) { 890 if (!(seen & S_IXUSR)) { 891 seen |= S_IXUSR; 892 if (type == ALLOW) { 893 mode |= S_IXUSR; 894 } 895 } 896 if (!(seen & S_IXGRP)) { 897 seen |= S_IXGRP; 898 if (type == ALLOW) { 899 mode |= S_IXGRP; 900 } 901 } 902 if (!(seen & S_IXOTH)) { 903 seen |= S_IXOTH; 904 if (type == ALLOW) { 905 mode |= S_IXOTH; 906 } 907 } 908 } 909 } else { 910 /* 911 * Only care if this IDENTIFIER_GROUP or 912 * USER ACE denies execute access to someone, 913 * mode is not affected 914 */ 915 if ((access_mask & ACE_EXECUTE) && type == DENY) 916 an_exec_denied = B_TRUE; 917 } 918 } 919 920 if (!an_exec_denied && !(seen & (S_IXUSR | S_IXGRP | S_IXOTH)) || 921 !(mode & (S_IXUSR | S_IXGRP | S_IXOTH))) 922 an_exec_denied = B_TRUE; 923 924 if (an_exec_denied) 925 zp->z_phys->zp_flags &= ~ZFS_NO_EXECS_DENIED; 926 else 927 zp->z_phys->zp_flags |= ZFS_NO_EXECS_DENIED; 928 929 return (mode); 930 } 931 932 static zfs_acl_t * 933 zfs_acl_node_read_internal(znode_t *zp, boolean_t will_modify) 934 { 935 zfs_acl_t *aclp; 936 zfs_acl_node_t *aclnode; 937 938 aclp = zfs_acl_alloc(zp->z_phys->zp_acl.z_acl_version); 939 940 /* 941 * Version 0 to 1 znode_acl_phys has the size/count fields swapped. 942 * Version 0 didn't have a size field, only a count. 943 */ 944 if (zp->z_phys->zp_acl.z_acl_version == ZFS_ACL_VERSION_INITIAL) { 945 aclp->z_acl_count = zp->z_phys->zp_acl.z_acl_size; 946 aclp->z_acl_bytes = ZFS_ACL_SIZE(aclp->z_acl_count); 947 } else { 948 aclp->z_acl_count = zp->z_phys->zp_acl.z_acl_count; 949 aclp->z_acl_bytes = zp->z_phys->zp_acl.z_acl_size; 950 } 951 952 aclnode = zfs_acl_node_alloc(will_modify ? aclp->z_acl_bytes : 0); 953 aclnode->z_ace_count = aclp->z_acl_count; 954 if (will_modify) { 955 bcopy(zp->z_phys->zp_acl.z_ace_data, aclnode->z_acldata, 956 aclp->z_acl_bytes); 957 } else { 958 aclnode->z_size = aclp->z_acl_bytes; 959 aclnode->z_acldata = &zp->z_phys->zp_acl.z_ace_data[0]; 960 } 961 962 list_insert_head(&aclp->z_acl, aclnode); 963 964 return (aclp); 965 } 966 967 /* 968 * Read an external acl object. 969 */ 970 static int 971 zfs_acl_node_read(znode_t *zp, zfs_acl_t **aclpp, boolean_t will_modify) 972 { 973 uint64_t extacl = zp->z_phys->zp_acl.z_acl_extern_obj; 974 zfs_acl_t *aclp; 975 size_t aclsize; 976 size_t acl_count; 977 zfs_acl_node_t *aclnode; 978 int error; 979 980 ASSERT(MUTEX_HELD(&zp->z_acl_lock)); 981 982 if (zp->z_acl_cached) { 983 *aclpp = zp->z_acl_cached; 984 return (0); 985 } 986 987 if (zp->z_phys->zp_acl.z_acl_extern_obj == 0) { 988 *aclpp = zfs_acl_node_read_internal(zp, will_modify); 989 zp->z_acl_cached = *aclpp; 990 return (0); 991 } 992 993 aclp = zfs_acl_alloc(zp->z_phys->zp_acl.z_acl_version); 994 if (zp->z_phys->zp_acl.z_acl_version == ZFS_ACL_VERSION_INITIAL) { 995 zfs_acl_phys_v0_t *zacl0 = 996 (zfs_acl_phys_v0_t *)&zp->z_phys->zp_acl; 997 998 aclsize = ZFS_ACL_SIZE(zacl0->z_acl_count); 999 acl_count = zacl0->z_acl_count; 1000 } else { 1001 aclsize = zp->z_phys->zp_acl.z_acl_size; 1002 acl_count = zp->z_phys->zp_acl.z_acl_count; 1003 if (aclsize == 0) 1004 aclsize = acl_count * sizeof (zfs_ace_t); 1005 } 1006 aclnode = zfs_acl_node_alloc(aclsize); 1007 list_insert_head(&aclp->z_acl, aclnode); 1008 error = dmu_read(zp->z_zfsvfs->z_os, extacl, 0, 1009 aclsize, aclnode->z_acldata, DMU_READ_PREFETCH); 1010 aclnode->z_ace_count = acl_count; 1011 aclp->z_acl_count = acl_count; 1012 aclp->z_acl_bytes = aclsize; 1013 1014 if (error != 0) { 1015 zfs_acl_free(aclp); 1016 /* convert checksum errors into IO errors */ 1017 if (error == ECKSUM) 1018 error = EIO; 1019 return (error); 1020 } 1021 1022 zp->z_acl_cached = *aclpp = aclp; 1023 return (0); 1024 } 1025 1026 /* 1027 * common code for setting ACLs. 1028 * 1029 * This function is called from zfs_mode_update, zfs_perm_init, and zfs_setacl. 1030 * zfs_setacl passes a non-NULL inherit pointer (ihp) to indicate that it's 1031 * already checked the acl and knows whether to inherit. 1032 */ 1033 int 1034 zfs_aclset_common(znode_t *zp, zfs_acl_t *aclp, cred_t *cr, dmu_tx_t *tx) 1035 { 1036 int error; 1037 znode_phys_t *zphys = zp->z_phys; 1038 zfs_acl_phys_t *zacl = &zphys->zp_acl; 1039 zfsvfs_t *zfsvfs = zp->z_zfsvfs; 1040 uint64_t aoid = zphys->zp_acl.z_acl_extern_obj; 1041 uint64_t off = 0; 1042 dmu_object_type_t otype; 1043 zfs_acl_node_t *aclnode; 1044 1045 dmu_buf_will_dirty(zp->z_dbuf, tx); 1046 1047 if (zp->z_acl_cached != aclp && zp->z_acl_cached) { 1048 zfs_acl_free(zp->z_acl_cached); 1049 zp->z_acl_cached = NULL; 1050 } 1051 1052 zphys->zp_mode = zfs_mode_compute(zp, aclp); 1053 1054 /* 1055 * Decide which opbject type to use. If we are forced to 1056 * use old ACL format than transform ACL into zfs_oldace_t 1057 * layout. 1058 */ 1059 if (!zfsvfs->z_use_fuids) { 1060 otype = DMU_OT_OLDACL; 1061 } else { 1062 if ((aclp->z_version == ZFS_ACL_VERSION_INITIAL) && 1063 (zfsvfs->z_version >= ZPL_VERSION_FUID)) 1064 zfs_acl_xform(zp, aclp, cr); 1065 ASSERT(aclp->z_version >= ZFS_ACL_VERSION_FUID); 1066 otype = DMU_OT_ACL; 1067 } 1068 1069 if (aclp->z_acl_bytes > ZFS_ACE_SPACE) { 1070 /* 1071 * If ACL was previously external and we are now 1072 * converting to new ACL format then release old 1073 * ACL object and create a new one. 1074 */ 1075 if (aoid && aclp->z_version != zacl->z_acl_version) { 1076 error = dmu_object_free(zfsvfs->z_os, 1077 zp->z_phys->zp_acl.z_acl_extern_obj, tx); 1078 if (error) 1079 return (error); 1080 aoid = 0; 1081 } 1082 if (aoid == 0) { 1083 aoid = dmu_object_alloc(zfsvfs->z_os, 1084 otype, aclp->z_acl_bytes, 1085 otype == DMU_OT_ACL ? DMU_OT_SYSACL : DMU_OT_NONE, 1086 otype == DMU_OT_ACL ? DN_MAX_BONUSLEN : 0, tx); 1087 } else { 1088 (void) dmu_object_set_blocksize(zfsvfs->z_os, aoid, 1089 aclp->z_acl_bytes, 0, tx); 1090 } 1091 zphys->zp_acl.z_acl_extern_obj = aoid; 1092 for (aclnode = list_head(&aclp->z_acl); aclnode; 1093 aclnode = list_next(&aclp->z_acl, aclnode)) { 1094 if (aclnode->z_ace_count == 0) 1095 continue; 1096 dmu_write(zfsvfs->z_os, aoid, off, 1097 aclnode->z_size, aclnode->z_acldata, tx); 1098 off += aclnode->z_size; 1099 } 1100 } else { 1101 void *start = zacl->z_ace_data; 1102 /* 1103 * Migrating back embedded? 1104 */ 1105 if (zphys->zp_acl.z_acl_extern_obj) { 1106 error = dmu_object_free(zfsvfs->z_os, 1107 zp->z_phys->zp_acl.z_acl_extern_obj, tx); 1108 if (error) 1109 return (error); 1110 zphys->zp_acl.z_acl_extern_obj = 0; 1111 } 1112 1113 for (aclnode = list_head(&aclp->z_acl); aclnode; 1114 aclnode = list_next(&aclp->z_acl, aclnode)) { 1115 if (aclnode->z_ace_count == 0) 1116 continue; 1117 bcopy(aclnode->z_acldata, start, aclnode->z_size); 1118 start = (caddr_t)start + aclnode->z_size; 1119 } 1120 } 1121 1122 /* 1123 * If Old version then swap count/bytes to match old 1124 * layout of znode_acl_phys_t. 1125 */ 1126 if (aclp->z_version == ZFS_ACL_VERSION_INITIAL) { 1127 zphys->zp_acl.z_acl_size = aclp->z_acl_count; 1128 zphys->zp_acl.z_acl_count = aclp->z_acl_bytes; 1129 } else { 1130 zphys->zp_acl.z_acl_size = aclp->z_acl_bytes; 1131 zphys->zp_acl.z_acl_count = aclp->z_acl_count; 1132 } 1133 1134 zphys->zp_acl.z_acl_version = aclp->z_version; 1135 1136 /* 1137 * Replace ACL wide bits, but first clear them. 1138 */ 1139 zp->z_phys->zp_flags &= ~ZFS_ACL_WIDE_FLAGS; 1140 1141 zp->z_phys->zp_flags |= aclp->z_hints; 1142 1143 if (ace_trivial_common(aclp, 0, zfs_ace_walk) == 0) 1144 zp->z_phys->zp_flags |= ZFS_ACL_TRIVIAL; 1145 1146 return (0); 1147 } 1148 1149 /* 1150 * Update access mask for prepended ACE 1151 * 1152 * This applies the "groupmask" value for aclmode property. 1153 */ 1154 static void 1155 zfs_acl_prepend_fixup(zfs_acl_t *aclp, void *acep, void *origacep, 1156 mode_t mode, uint64_t owner) 1157 { 1158 int rmask, wmask, xmask; 1159 int user_ace; 1160 uint16_t aceflags; 1161 uint32_t origmask, acepmask; 1162 uint64_t fuid; 1163 1164 aceflags = aclp->z_ops.ace_flags_get(acep); 1165 fuid = aclp->z_ops.ace_who_get(acep); 1166 origmask = aclp->z_ops.ace_mask_get(origacep); 1167 acepmask = aclp->z_ops.ace_mask_get(acep); 1168 1169 user_ace = (!(aceflags & 1170 (ACE_OWNER|ACE_GROUP|ACE_IDENTIFIER_GROUP))); 1171 1172 if (user_ace && (fuid == owner)) { 1173 rmask = S_IRUSR; 1174 wmask = S_IWUSR; 1175 xmask = S_IXUSR; 1176 } else { 1177 rmask = S_IRGRP; 1178 wmask = S_IWGRP; 1179 xmask = S_IXGRP; 1180 } 1181 1182 if (origmask & ACE_READ_DATA) { 1183 if (mode & rmask) { 1184 acepmask &= ~ACE_READ_DATA; 1185 } else { 1186 acepmask |= ACE_READ_DATA; 1187 } 1188 } 1189 1190 if (origmask & ACE_WRITE_DATA) { 1191 if (mode & wmask) { 1192 acepmask &= ~ACE_WRITE_DATA; 1193 } else { 1194 acepmask |= ACE_WRITE_DATA; 1195 } 1196 } 1197 1198 if (origmask & ACE_APPEND_DATA) { 1199 if (mode & wmask) { 1200 acepmask &= ~ACE_APPEND_DATA; 1201 } else { 1202 acepmask |= ACE_APPEND_DATA; 1203 } 1204 } 1205 1206 if (origmask & ACE_EXECUTE) { 1207 if (mode & xmask) { 1208 acepmask &= ~ACE_EXECUTE; 1209 } else { 1210 acepmask |= ACE_EXECUTE; 1211 } 1212 } 1213 aclp->z_ops.ace_mask_set(acep, acepmask); 1214 } 1215 1216 /* 1217 * Apply mode to canonical six ACEs. 1218 */ 1219 static void 1220 zfs_acl_fixup_canonical_six(zfs_acl_t *aclp, mode_t mode) 1221 { 1222 zfs_acl_node_t *aclnode = list_tail(&aclp->z_acl); 1223 void *acep; 1224 int maskoff = aclp->z_ops.ace_mask_off(); 1225 size_t abstract_size = aclp->z_ops.ace_abstract_size(); 1226 1227 ASSERT(aclnode != NULL); 1228 1229 acep = (void *)((caddr_t)aclnode->z_acldata + 1230 aclnode->z_size - (abstract_size * 6)); 1231 1232 /* 1233 * Fixup final ACEs to match the mode 1234 */ 1235 1236 adjust_ace_pair_common(acep, maskoff, abstract_size, 1237 (mode & 0700) >> 6); /* owner@ */ 1238 1239 acep = (caddr_t)acep + (abstract_size * 2); 1240 1241 adjust_ace_pair_common(acep, maskoff, abstract_size, 1242 (mode & 0070) >> 3); /* group@ */ 1243 1244 acep = (caddr_t)acep + (abstract_size * 2); 1245 adjust_ace_pair_common(acep, maskoff, 1246 abstract_size, mode); /* everyone@ */ 1247 } 1248 1249 1250 static int 1251 zfs_acl_ace_match(zfs_acl_t *aclp, void *acep, int allow_deny, 1252 int entry_type, int accessmask) 1253 { 1254 uint32_t mask = aclp->z_ops.ace_mask_get(acep); 1255 uint16_t type = aclp->z_ops.ace_type_get(acep); 1256 uint16_t flags = aclp->z_ops.ace_flags_get(acep); 1257 1258 return (mask == accessmask && type == allow_deny && 1259 ((flags & ACE_TYPE_FLAGS) == entry_type)); 1260 } 1261 1262 /* 1263 * Can prepended ACE be reused? 1264 */ 1265 static int 1266 zfs_reuse_deny(zfs_acl_t *aclp, void *acep, void *prevacep) 1267 { 1268 int okay_masks; 1269 uint16_t prevtype; 1270 uint16_t prevflags; 1271 uint16_t flags; 1272 uint32_t mask, prevmask; 1273 1274 if (prevacep == NULL) 1275 return (B_FALSE); 1276 1277 prevtype = aclp->z_ops.ace_type_get(prevacep); 1278 prevflags = aclp->z_ops.ace_flags_get(prevacep); 1279 flags = aclp->z_ops.ace_flags_get(acep); 1280 mask = aclp->z_ops.ace_mask_get(acep); 1281 prevmask = aclp->z_ops.ace_mask_get(prevacep); 1282 1283 if (prevtype != DENY) 1284 return (B_FALSE); 1285 1286 if (prevflags != (flags & ACE_IDENTIFIER_GROUP)) 1287 return (B_FALSE); 1288 1289 okay_masks = (mask & OKAY_MASK_BITS); 1290 1291 if (prevmask & ~okay_masks) 1292 return (B_FALSE); 1293 1294 return (B_TRUE); 1295 } 1296 1297 1298 /* 1299 * Insert new ACL node into chain of zfs_acl_node_t's 1300 * 1301 * This will result in two possible results. 1302 * 1. If the ACL is currently just a single zfs_acl_node and 1303 * we are prepending the entry then current acl node will have 1304 * a new node inserted above it. 1305 * 1306 * 2. If we are inserting in the middle of current acl node then 1307 * the current node will be split in two and new node will be inserted 1308 * in between the two split nodes. 1309 */ 1310 static zfs_acl_node_t * 1311 zfs_acl_ace_insert(zfs_acl_t *aclp, void *acep) 1312 { 1313 zfs_acl_node_t *newnode; 1314 zfs_acl_node_t *trailernode = NULL; 1315 zfs_acl_node_t *currnode = zfs_acl_curr_node(aclp); 1316 int curr_idx = aclp->z_curr_node->z_ace_idx; 1317 int trailer_count; 1318 size_t oldsize; 1319 1320 newnode = zfs_acl_node_alloc(aclp->z_ops.ace_size(acep)); 1321 newnode->z_ace_count = 1; 1322 1323 oldsize = currnode->z_size; 1324 1325 if (curr_idx != 1) { 1326 trailernode = zfs_acl_node_alloc(0); 1327 trailernode->z_acldata = acep; 1328 1329 trailer_count = currnode->z_ace_count - curr_idx + 1; 1330 currnode->z_ace_count = curr_idx - 1; 1331 currnode->z_size = (caddr_t)acep - (caddr_t)currnode->z_acldata; 1332 trailernode->z_size = oldsize - currnode->z_size; 1333 trailernode->z_ace_count = trailer_count; 1334 } 1335 1336 aclp->z_acl_count += 1; 1337 aclp->z_acl_bytes += aclp->z_ops.ace_size(acep); 1338 1339 if (curr_idx == 1) 1340 list_insert_before(&aclp->z_acl, currnode, newnode); 1341 else 1342 list_insert_after(&aclp->z_acl, currnode, newnode); 1343 if (trailernode) { 1344 list_insert_after(&aclp->z_acl, newnode, trailernode); 1345 aclp->z_curr_node = trailernode; 1346 trailernode->z_ace_idx = 1; 1347 } 1348 1349 return (newnode); 1350 } 1351 1352 /* 1353 * Prepend deny ACE 1354 */ 1355 static void * 1356 zfs_acl_prepend_deny(uint64_t uid, zfs_acl_t *aclp, void *acep, 1357 mode_t mode) 1358 { 1359 zfs_acl_node_t *aclnode; 1360 void *newacep; 1361 uint64_t fuid; 1362 uint16_t flags; 1363 1364 aclnode = zfs_acl_ace_insert(aclp, acep); 1365 newacep = aclnode->z_acldata; 1366 fuid = aclp->z_ops.ace_who_get(acep); 1367 flags = aclp->z_ops.ace_flags_get(acep); 1368 zfs_set_ace(aclp, newacep, 0, DENY, fuid, (flags & ACE_TYPE_FLAGS)); 1369 zfs_acl_prepend_fixup(aclp, newacep, acep, mode, uid); 1370 1371 return (newacep); 1372 } 1373 1374 /* 1375 * Split an inherited ACE into inherit_only ACE 1376 * and original ACE with inheritance flags stripped off. 1377 */ 1378 static void 1379 zfs_acl_split_ace(zfs_acl_t *aclp, zfs_ace_hdr_t *acep) 1380 { 1381 zfs_acl_node_t *aclnode; 1382 zfs_acl_node_t *currnode; 1383 void *newacep; 1384 uint16_t type, flags; 1385 uint32_t mask; 1386 uint64_t fuid; 1387 1388 type = aclp->z_ops.ace_type_get(acep); 1389 flags = aclp->z_ops.ace_flags_get(acep); 1390 mask = aclp->z_ops.ace_mask_get(acep); 1391 fuid = aclp->z_ops.ace_who_get(acep); 1392 1393 aclnode = zfs_acl_ace_insert(aclp, acep); 1394 newacep = aclnode->z_acldata; 1395 1396 aclp->z_ops.ace_type_set(newacep, type); 1397 aclp->z_ops.ace_flags_set(newacep, flags | ACE_INHERIT_ONLY_ACE); 1398 aclp->z_ops.ace_mask_set(newacep, mask); 1399 aclp->z_ops.ace_type_set(newacep, type); 1400 aclp->z_ops.ace_who_set(newacep, fuid); 1401 aclp->z_next_ace = acep; 1402 flags &= ~ALL_INHERIT; 1403 aclp->z_ops.ace_flags_set(acep, flags); 1404 currnode = zfs_acl_curr_node(aclp); 1405 ASSERT(currnode->z_ace_idx >= 1); 1406 currnode->z_ace_idx -= 1; 1407 } 1408 1409 /* 1410 * Are ACES started at index i, the canonical six ACES? 1411 */ 1412 static int 1413 zfs_have_canonical_six(zfs_acl_t *aclp) 1414 { 1415 void *acep; 1416 zfs_acl_node_t *aclnode = list_tail(&aclp->z_acl); 1417 int i = 0; 1418 size_t abstract_size = aclp->z_ops.ace_abstract_size(); 1419 1420 ASSERT(aclnode != NULL); 1421 1422 if (aclnode->z_ace_count < 6) 1423 return (0); 1424 1425 acep = (void *)((caddr_t)aclnode->z_acldata + 1426 aclnode->z_size - (aclp->z_ops.ace_abstract_size() * 6)); 1427 1428 if ((zfs_acl_ace_match(aclp, (caddr_t)acep + (abstract_size * i++), 1429 DENY, ACE_OWNER, 0) && 1430 zfs_acl_ace_match(aclp, (caddr_t)acep + (abstract_size * i++), 1431 ALLOW, ACE_OWNER, OWNER_ALLOW_MASK) && 1432 zfs_acl_ace_match(aclp, (caddr_t)acep + (abstract_size * i++), DENY, 1433 OWNING_GROUP, 0) && zfs_acl_ace_match(aclp, (caddr_t)acep + 1434 (abstract_size * i++), 1435 ALLOW, OWNING_GROUP, 0) && 1436 zfs_acl_ace_match(aclp, (caddr_t)acep + (abstract_size * i++), 1437 DENY, ACE_EVERYONE, EVERYONE_DENY_MASK) && 1438 zfs_acl_ace_match(aclp, (caddr_t)acep + (abstract_size * i++), 1439 ALLOW, ACE_EVERYONE, EVERYONE_ALLOW_MASK))) { 1440 return (1); 1441 } else { 1442 return (0); 1443 } 1444 } 1445 1446 1447 /* 1448 * Apply step 1g, to group entries 1449 * 1450 * Need to deal with corner case where group may have 1451 * greater permissions than owner. If so then limit 1452 * group permissions, based on what extra permissions 1453 * group has. 1454 */ 1455 static void 1456 zfs_fixup_group_entries(zfs_acl_t *aclp, void *acep, void *prevacep, 1457 mode_t mode) 1458 { 1459 uint32_t prevmask = aclp->z_ops.ace_mask_get(prevacep); 1460 uint32_t mask = aclp->z_ops.ace_mask_get(acep); 1461 uint16_t prevflags = aclp->z_ops.ace_flags_get(prevacep); 1462 mode_t extramode = (mode >> 3) & 07; 1463 mode_t ownermode = (mode >> 6); 1464 1465 if (prevflags & ACE_IDENTIFIER_GROUP) { 1466 1467 extramode &= ~ownermode; 1468 1469 if (extramode) { 1470 if (extramode & S_IROTH) { 1471 prevmask &= ~ACE_READ_DATA; 1472 mask &= ~ACE_READ_DATA; 1473 } 1474 if (extramode & S_IWOTH) { 1475 prevmask &= ~(ACE_WRITE_DATA|ACE_APPEND_DATA); 1476 mask &= ~(ACE_WRITE_DATA|ACE_APPEND_DATA); 1477 } 1478 if (extramode & S_IXOTH) { 1479 prevmask &= ~ACE_EXECUTE; 1480 mask &= ~ACE_EXECUTE; 1481 } 1482 } 1483 } 1484 aclp->z_ops.ace_mask_set(acep, mask); 1485 aclp->z_ops.ace_mask_set(prevacep, prevmask); 1486 } 1487 1488 /* 1489 * Apply the chmod algorithm as described 1490 * in PSARC/2002/240 1491 */ 1492 static void 1493 zfs_acl_chmod(zfsvfs_t *zfsvfs, uint64_t uid, 1494 uint64_t mode, zfs_acl_t *aclp) 1495 { 1496 void *acep = NULL, *prevacep = NULL; 1497 uint64_t who; 1498 int i; 1499 int entry_type; 1500 int reuse_deny; 1501 int need_canonical_six = 1; 1502 uint16_t iflags, type; 1503 uint32_t access_mask; 1504 1505 /* 1506 * If discard then just discard all ACL nodes which 1507 * represent the ACEs. 1508 * 1509 * New owner@/group@/everone@ ACEs will be added 1510 * later. 1511 */ 1512 if (zfsvfs->z_acl_mode == ZFS_ACL_DISCARD) 1513 zfs_acl_release_nodes(aclp); 1514 1515 while (acep = zfs_acl_next_ace(aclp, acep, &who, &access_mask, 1516 &iflags, &type)) { 1517 1518 entry_type = (iflags & ACE_TYPE_FLAGS); 1519 iflags = (iflags & ALL_INHERIT); 1520 1521 if ((type != ALLOW && type != DENY) || 1522 (iflags & ACE_INHERIT_ONLY_ACE)) { 1523 if (iflags) 1524 aclp->z_hints |= ZFS_INHERIT_ACE; 1525 switch (type) { 1526 case ACE_ACCESS_ALLOWED_OBJECT_ACE_TYPE: 1527 case ACE_ACCESS_DENIED_OBJECT_ACE_TYPE: 1528 case ACE_SYSTEM_AUDIT_OBJECT_ACE_TYPE: 1529 case ACE_SYSTEM_ALARM_OBJECT_ACE_TYPE: 1530 aclp->z_hints |= ZFS_ACL_OBJ_ACE; 1531 break; 1532 } 1533 goto nextace; 1534 } 1535 1536 /* 1537 * Need to split ace into two? 1538 */ 1539 if ((iflags & (ACE_FILE_INHERIT_ACE| 1540 ACE_DIRECTORY_INHERIT_ACE)) && 1541 (!(iflags & ACE_INHERIT_ONLY_ACE))) { 1542 zfs_acl_split_ace(aclp, acep); 1543 aclp->z_hints |= ZFS_INHERIT_ACE; 1544 goto nextace; 1545 } 1546 1547 if (entry_type == ACE_OWNER || entry_type == ACE_EVERYONE || 1548 (entry_type == OWNING_GROUP)) { 1549 access_mask &= ~OGE_CLEAR; 1550 aclp->z_ops.ace_mask_set(acep, access_mask); 1551 goto nextace; 1552 } else { 1553 reuse_deny = B_TRUE; 1554 if (type == ALLOW) { 1555 1556 /* 1557 * Check preceding ACE if any, to see 1558 * if we need to prepend a DENY ACE. 1559 * This is only applicable when the acl_mode 1560 * property == groupmask. 1561 */ 1562 if (zfsvfs->z_acl_mode == ZFS_ACL_GROUPMASK) { 1563 1564 reuse_deny = zfs_reuse_deny(aclp, acep, 1565 prevacep); 1566 1567 if (!reuse_deny) { 1568 prevacep = 1569 zfs_acl_prepend_deny(uid, 1570 aclp, acep, mode); 1571 } else { 1572 zfs_acl_prepend_fixup( 1573 aclp, prevacep, 1574 acep, mode, uid); 1575 } 1576 zfs_fixup_group_entries(aclp, acep, 1577 prevacep, mode); 1578 } 1579 } 1580 } 1581 nextace: 1582 prevacep = acep; 1583 } 1584 1585 /* 1586 * Check out last six aces, if we have six. 1587 */ 1588 1589 if (aclp->z_acl_count >= 6) { 1590 if (zfs_have_canonical_six(aclp)) { 1591 need_canonical_six = 0; 1592 } 1593 } 1594 1595 if (need_canonical_six) { 1596 size_t abstract_size = aclp->z_ops.ace_abstract_size(); 1597 void *zacep; 1598 zfs_acl_node_t *aclnode = 1599 zfs_acl_node_alloc(abstract_size * 6); 1600 1601 aclnode->z_size = abstract_size * 6; 1602 aclnode->z_ace_count = 6; 1603 aclp->z_acl_bytes += aclnode->z_size; 1604 list_insert_tail(&aclp->z_acl, aclnode); 1605 1606 zacep = aclnode->z_acldata; 1607 1608 i = 0; 1609 zfs_set_ace(aclp, (caddr_t)zacep + (abstract_size * i++), 1610 0, DENY, -1, ACE_OWNER); 1611 zfs_set_ace(aclp, (caddr_t)zacep + (abstract_size * i++), 1612 OWNER_ALLOW_MASK, ALLOW, -1, ACE_OWNER); 1613 zfs_set_ace(aclp, (caddr_t)zacep + (abstract_size * i++), 0, 1614 DENY, -1, OWNING_GROUP); 1615 zfs_set_ace(aclp, (caddr_t)zacep + (abstract_size * i++), 0, 1616 ALLOW, -1, OWNING_GROUP); 1617 zfs_set_ace(aclp, (caddr_t)zacep + (abstract_size * i++), 1618 EVERYONE_DENY_MASK, DENY, -1, ACE_EVERYONE); 1619 zfs_set_ace(aclp, (caddr_t)zacep + (abstract_size * i++), 1620 EVERYONE_ALLOW_MASK, ALLOW, -1, ACE_EVERYONE); 1621 aclp->z_acl_count += 6; 1622 } 1623 1624 zfs_acl_fixup_canonical_six(aclp, mode); 1625 } 1626 1627 int 1628 zfs_acl_chmod_setattr(znode_t *zp, zfs_acl_t **aclp, uint64_t mode) 1629 { 1630 int error; 1631 1632 mutex_enter(&zp->z_lock); 1633 mutex_enter(&zp->z_acl_lock); 1634 *aclp = NULL; 1635 error = zfs_acl_node_read(zp, aclp, B_TRUE); 1636 if (error == 0) { 1637 (*aclp)->z_hints = zp->z_phys->zp_flags & V4_ACL_WIDE_FLAGS; 1638 zfs_acl_chmod(zp->z_zfsvfs, zp->z_phys->zp_uid, mode, *aclp); 1639 zp->z_acl_cached = *aclp; 1640 } 1641 mutex_exit(&zp->z_acl_lock); 1642 mutex_exit(&zp->z_lock); 1643 return (error); 1644 } 1645 1646 /* 1647 * strip off write_owner and write_acl 1648 */ 1649 static void 1650 zfs_restricted_update(zfsvfs_t *zfsvfs, zfs_acl_t *aclp, void *acep) 1651 { 1652 uint32_t mask = aclp->z_ops.ace_mask_get(acep); 1653 1654 if ((zfsvfs->z_acl_inherit == ZFS_ACL_RESTRICTED) && 1655 (aclp->z_ops.ace_type_get(acep) == ALLOW)) { 1656 mask &= ~RESTRICTED_CLEAR; 1657 aclp->z_ops.ace_mask_set(acep, mask); 1658 } 1659 } 1660 1661 /* 1662 * Should ACE be inherited? 1663 */ 1664 static int 1665 zfs_ace_can_use(vtype_t vtype, uint16_t acep_flags) 1666 { 1667 int iflags = (acep_flags & 0xf); 1668 1669 if ((vtype == VDIR) && (iflags & ACE_DIRECTORY_INHERIT_ACE)) 1670 return (1); 1671 else if (iflags & ACE_FILE_INHERIT_ACE) 1672 return (!((vtype == VDIR) && 1673 (iflags & ACE_NO_PROPAGATE_INHERIT_ACE))); 1674 return (0); 1675 } 1676 1677 /* 1678 * inherit inheritable ACEs from parent 1679 */ 1680 static zfs_acl_t * 1681 zfs_acl_inherit(zfsvfs_t *zfsvfs, vtype_t vtype, zfs_acl_t *paclp, 1682 uint64_t mode, boolean_t *need_chmod) 1683 { 1684 void *pacep; 1685 void *acep, *acep2; 1686 zfs_acl_node_t *aclnode, *aclnode2; 1687 zfs_acl_t *aclp = NULL; 1688 uint64_t who; 1689 uint32_t access_mask; 1690 uint16_t iflags, newflags, type; 1691 size_t ace_size; 1692 void *data1, *data2; 1693 size_t data1sz, data2sz; 1694 boolean_t vdir = vtype == VDIR; 1695 boolean_t vreg = vtype == VREG; 1696 boolean_t passthrough, passthrough_x, noallow; 1697 1698 passthrough_x = 1699 zfsvfs->z_acl_inherit == ZFS_ACL_PASSTHROUGH_X; 1700 passthrough = passthrough_x || 1701 zfsvfs->z_acl_inherit == ZFS_ACL_PASSTHROUGH; 1702 noallow = 1703 zfsvfs->z_acl_inherit == ZFS_ACL_NOALLOW; 1704 1705 *need_chmod = B_TRUE; 1706 pacep = NULL; 1707 aclp = zfs_acl_alloc(paclp->z_version); 1708 if (zfsvfs->z_acl_inherit == ZFS_ACL_DISCARD) 1709 return (aclp); 1710 while (pacep = zfs_acl_next_ace(paclp, pacep, &who, 1711 &access_mask, &iflags, &type)) { 1712 1713 /* 1714 * don't inherit bogus ACEs 1715 */ 1716 if (!zfs_acl_valid_ace_type(type, iflags)) 1717 continue; 1718 1719 if (noallow && type == ALLOW) 1720 continue; 1721 1722 ace_size = aclp->z_ops.ace_size(pacep); 1723 1724 if (!zfs_ace_can_use(vtype, iflags)) 1725 continue; 1726 1727 /* 1728 * If owner@, group@, or everyone@ inheritable 1729 * then zfs_acl_chmod() isn't needed. 1730 */ 1731 if (passthrough && 1732 ((iflags & (ACE_OWNER|ACE_EVERYONE)) || 1733 ((iflags & OWNING_GROUP) == 1734 OWNING_GROUP)) && (vreg || (vdir && (iflags & 1735 ACE_DIRECTORY_INHERIT_ACE)))) { 1736 *need_chmod = B_FALSE; 1737 1738 if (!vdir && passthrough_x && 1739 ((mode & (S_IXUSR | S_IXGRP | S_IXOTH)) == 0)) { 1740 access_mask &= ~ACE_EXECUTE; 1741 } 1742 } 1743 1744 aclnode = zfs_acl_node_alloc(ace_size); 1745 list_insert_tail(&aclp->z_acl, aclnode); 1746 acep = aclnode->z_acldata; 1747 1748 zfs_set_ace(aclp, acep, access_mask, type, 1749 who, iflags|ACE_INHERITED_ACE); 1750 1751 /* 1752 * Copy special opaque data if any 1753 */ 1754 if ((data1sz = paclp->z_ops.ace_data(pacep, &data1)) != 0) { 1755 VERIFY((data2sz = aclp->z_ops.ace_data(acep, 1756 &data2)) == data1sz); 1757 bcopy(data1, data2, data2sz); 1758 } 1759 aclp->z_acl_count++; 1760 aclnode->z_ace_count++; 1761 aclp->z_acl_bytes += aclnode->z_size; 1762 newflags = aclp->z_ops.ace_flags_get(acep); 1763 1764 if (vdir) 1765 aclp->z_hints |= ZFS_INHERIT_ACE; 1766 1767 if ((iflags & ACE_NO_PROPAGATE_INHERIT_ACE) || !vdir) { 1768 newflags &= ~ALL_INHERIT; 1769 aclp->z_ops.ace_flags_set(acep, 1770 newflags|ACE_INHERITED_ACE); 1771 zfs_restricted_update(zfsvfs, aclp, acep); 1772 continue; 1773 } 1774 1775 ASSERT(vdir); 1776 1777 newflags = aclp->z_ops.ace_flags_get(acep); 1778 if ((iflags & (ACE_FILE_INHERIT_ACE | 1779 ACE_DIRECTORY_INHERIT_ACE)) != 1780 ACE_FILE_INHERIT_ACE) { 1781 aclnode2 = zfs_acl_node_alloc(ace_size); 1782 list_insert_tail(&aclp->z_acl, aclnode2); 1783 acep2 = aclnode2->z_acldata; 1784 zfs_set_ace(aclp, acep2, 1785 access_mask, type, who, 1786 iflags|ACE_INHERITED_ACE); 1787 newflags |= ACE_INHERIT_ONLY_ACE; 1788 aclp->z_ops.ace_flags_set(acep, newflags); 1789 newflags &= ~ALL_INHERIT; 1790 aclp->z_ops.ace_flags_set(acep2, 1791 newflags|ACE_INHERITED_ACE); 1792 1793 /* 1794 * Copy special opaque data if any 1795 */ 1796 if ((data1sz = aclp->z_ops.ace_data(acep, 1797 &data1)) != 0) { 1798 VERIFY((data2sz = 1799 aclp->z_ops.ace_data(acep2, 1800 &data2)) == data1sz); 1801 bcopy(data1, data2, data1sz); 1802 } 1803 aclp->z_acl_count++; 1804 aclnode2->z_ace_count++; 1805 aclp->z_acl_bytes += aclnode->z_size; 1806 zfs_restricted_update(zfsvfs, aclp, acep2); 1807 } else { 1808 newflags |= ACE_INHERIT_ONLY_ACE; 1809 aclp->z_ops.ace_flags_set(acep, 1810 newflags|ACE_INHERITED_ACE); 1811 } 1812 } 1813 return (aclp); 1814 } 1815 1816 /* 1817 * Create file system object initial permissions 1818 * including inheritable ACEs. 1819 */ 1820 int 1821 zfs_acl_ids_create(znode_t *dzp, int flag, vattr_t *vap, cred_t *cr, 1822 vsecattr_t *vsecp, zfs_acl_ids_t *acl_ids) 1823 { 1824 int error; 1825 zfsvfs_t *zfsvfs = dzp->z_zfsvfs; 1826 zfs_acl_t *paclp; 1827 gid_t gid; 1828 boolean_t need_chmod = B_TRUE; 1829 1830 bzero(acl_ids, sizeof (zfs_acl_ids_t)); 1831 acl_ids->z_mode = MAKEIMODE(vap->va_type, vap->va_mode); 1832 1833 if (vsecp) 1834 if ((error = zfs_vsec_2_aclp(zfsvfs, vap->va_type, vsecp, cr, 1835 &acl_ids->z_fuidp, &acl_ids->z_aclp)) != 0) 1836 return (error); 1837 1838 /* 1839 * Determine uid and gid. 1840 */ 1841 if ((flag & (IS_ROOT_NODE | IS_REPLAY)) || 1842 ((flag & IS_XATTR) && (vap->va_type == VDIR))) { 1843 acl_ids->z_fuid = zfs_fuid_create(zfsvfs, 1844 (uint64_t)vap->va_uid, cr, 1845 ZFS_OWNER, &acl_ids->z_fuidp); 1846 acl_ids->z_fgid = zfs_fuid_create(zfsvfs, 1847 (uint64_t)vap->va_gid, cr, 1848 ZFS_GROUP, &acl_ids->z_fuidp); 1849 gid = vap->va_gid; 1850 } else { 1851 acl_ids->z_fuid = zfs_fuid_create_cred(zfsvfs, ZFS_OWNER, 1852 cr, &acl_ids->z_fuidp); 1853 acl_ids->z_fgid = 0; 1854 if (vap->va_mask & AT_GID) { 1855 acl_ids->z_fgid = zfs_fuid_create(zfsvfs, 1856 (uint64_t)vap->va_gid, 1857 cr, ZFS_GROUP, &acl_ids->z_fuidp); 1858 gid = vap->va_gid; 1859 if (acl_ids->z_fgid != dzp->z_phys->zp_gid && 1860 !groupmember(vap->va_gid, cr) && 1861 secpolicy_vnode_create_gid(cr) != 0) 1862 acl_ids->z_fgid = 0; 1863 } 1864 if (acl_ids->z_fgid == 0) { 1865 if (dzp->z_phys->zp_mode & S_ISGID) { 1866 acl_ids->z_fgid = dzp->z_phys->zp_gid; 1867 gid = zfs_fuid_map_id(zfsvfs, acl_ids->z_fgid, 1868 cr, ZFS_GROUP); 1869 } else { 1870 acl_ids->z_fgid = zfs_fuid_create_cred(zfsvfs, 1871 ZFS_GROUP, cr, &acl_ids->z_fuidp); 1872 gid = crgetgid(cr); 1873 } 1874 } 1875 } 1876 1877 /* 1878 * If we're creating a directory, and the parent directory has the 1879 * set-GID bit set, set in on the new directory. 1880 * Otherwise, if the user is neither privileged nor a member of the 1881 * file's new group, clear the file's set-GID bit. 1882 */ 1883 1884 if (!(flag & IS_ROOT_NODE) && (dzp->z_phys->zp_mode & S_ISGID) && 1885 (vap->va_type == VDIR)) { 1886 acl_ids->z_mode |= S_ISGID; 1887 } else { 1888 if ((acl_ids->z_mode & S_ISGID) && 1889 secpolicy_vnode_setids_setgids(cr, gid) != 0) 1890 acl_ids->z_mode &= ~S_ISGID; 1891 } 1892 1893 if (acl_ids->z_aclp == NULL) { 1894 mutex_enter(&dzp->z_lock); 1895 if (!(flag & IS_ROOT_NODE) && (ZTOV(dzp)->v_type == VDIR && 1896 (dzp->z_phys->zp_flags & ZFS_INHERIT_ACE)) && 1897 !(dzp->z_phys->zp_flags & ZFS_XATTR)) { 1898 mutex_enter(&dzp->z_acl_lock); 1899 VERIFY(0 == zfs_acl_node_read(dzp, &paclp, B_FALSE)); 1900 mutex_exit(&dzp->z_acl_lock); 1901 acl_ids->z_aclp = zfs_acl_inherit(zfsvfs, 1902 vap->va_type, paclp, acl_ids->z_mode, &need_chmod); 1903 } else { 1904 acl_ids->z_aclp = 1905 zfs_acl_alloc(zfs_acl_version_zp(dzp)); 1906 } 1907 mutex_exit(&dzp->z_lock); 1908 if (need_chmod) { 1909 acl_ids->z_aclp->z_hints = (vap->va_type == VDIR) ? 1910 ZFS_ACL_AUTO_INHERIT : 0; 1911 zfs_acl_chmod(zfsvfs, acl_ids->z_fuid, 1912 acl_ids->z_mode, acl_ids->z_aclp); 1913 } 1914 } 1915 1916 return (0); 1917 } 1918 1919 /* 1920 * Free ACL and fuid_infop, but not the acl_ids structure 1921 */ 1922 void 1923 zfs_acl_ids_free(zfs_acl_ids_t *acl_ids) 1924 { 1925 if (acl_ids->z_aclp) 1926 zfs_acl_free(acl_ids->z_aclp); 1927 if (acl_ids->z_fuidp) 1928 zfs_fuid_info_free(acl_ids->z_fuidp); 1929 acl_ids->z_aclp = NULL; 1930 acl_ids->z_fuidp = NULL; 1931 } 1932 1933 boolean_t 1934 zfs_acl_ids_overquota(zfsvfs_t *zfsvfs, zfs_acl_ids_t *acl_ids) 1935 { 1936 return (zfs_usergroup_overquota(zfsvfs, B_FALSE, acl_ids->z_fuid) || 1937 zfs_usergroup_overquota(zfsvfs, B_TRUE, acl_ids->z_fgid)); 1938 } 1939 1940 /* 1941 * Retrieve a files ACL 1942 */ 1943 int 1944 zfs_getacl(znode_t *zp, vsecattr_t *vsecp, boolean_t skipaclchk, cred_t *cr) 1945 { 1946 zfs_acl_t *aclp; 1947 ulong_t mask; 1948 int error; 1949 int count = 0; 1950 int largeace = 0; 1951 1952 mask = vsecp->vsa_mask & (VSA_ACE | VSA_ACECNT | 1953 VSA_ACE_ACLFLAGS | VSA_ACE_ALLTYPES); 1954 1955 if (error = zfs_zaccess(zp, ACE_READ_ACL, 0, skipaclchk, cr)) 1956 return (error); 1957 1958 if (mask == 0) 1959 return (ENOSYS); 1960 1961 mutex_enter(&zp->z_acl_lock); 1962 1963 error = zfs_acl_node_read(zp, &aclp, B_FALSE); 1964 if (error != 0) { 1965 mutex_exit(&zp->z_acl_lock); 1966 return (error); 1967 } 1968 1969 /* 1970 * Scan ACL to determine number of ACEs 1971 */ 1972 if ((zp->z_phys->zp_flags & ZFS_ACL_OBJ_ACE) && 1973 !(mask & VSA_ACE_ALLTYPES)) { 1974 void *zacep = NULL; 1975 uint64_t who; 1976 uint32_t access_mask; 1977 uint16_t type, iflags; 1978 1979 while (zacep = zfs_acl_next_ace(aclp, zacep, 1980 &who, &access_mask, &iflags, &type)) { 1981 switch (type) { 1982 case ACE_ACCESS_ALLOWED_OBJECT_ACE_TYPE: 1983 case ACE_ACCESS_DENIED_OBJECT_ACE_TYPE: 1984 case ACE_SYSTEM_AUDIT_OBJECT_ACE_TYPE: 1985 case ACE_SYSTEM_ALARM_OBJECT_ACE_TYPE: 1986 largeace++; 1987 continue; 1988 default: 1989 count++; 1990 } 1991 } 1992 vsecp->vsa_aclcnt = count; 1993 } else 1994 count = aclp->z_acl_count; 1995 1996 if (mask & VSA_ACECNT) { 1997 vsecp->vsa_aclcnt = count; 1998 } 1999 2000 if (mask & VSA_ACE) { 2001 size_t aclsz; 2002 2003 zfs_acl_node_t *aclnode = list_head(&aclp->z_acl); 2004 2005 aclsz = count * sizeof (ace_t) + 2006 sizeof (ace_object_t) * largeace; 2007 2008 vsecp->vsa_aclentp = kmem_alloc(aclsz, KM_SLEEP); 2009 vsecp->vsa_aclentsz = aclsz; 2010 2011 if (aclp->z_version == ZFS_ACL_VERSION_FUID) 2012 zfs_copy_fuid_2_ace(zp->z_zfsvfs, aclp, cr, 2013 vsecp->vsa_aclentp, !(mask & VSA_ACE_ALLTYPES)); 2014 else { 2015 bcopy(aclnode->z_acldata, vsecp->vsa_aclentp, 2016 count * sizeof (ace_t)); 2017 } 2018 } 2019 if (mask & VSA_ACE_ACLFLAGS) { 2020 vsecp->vsa_aclflags = 0; 2021 if (zp->z_phys->zp_flags & ZFS_ACL_DEFAULTED) 2022 vsecp->vsa_aclflags |= ACL_DEFAULTED; 2023 if (zp->z_phys->zp_flags & ZFS_ACL_PROTECTED) 2024 vsecp->vsa_aclflags |= ACL_PROTECTED; 2025 if (zp->z_phys->zp_flags & ZFS_ACL_AUTO_INHERIT) 2026 vsecp->vsa_aclflags |= ACL_AUTO_INHERIT; 2027 } 2028 2029 mutex_exit(&zp->z_acl_lock); 2030 2031 return (0); 2032 } 2033 2034 int 2035 zfs_vsec_2_aclp(zfsvfs_t *zfsvfs, vtype_t obj_type, 2036 vsecattr_t *vsecp, cred_t *cr, zfs_fuid_info_t **fuidp, zfs_acl_t **zaclp) 2037 { 2038 zfs_acl_t *aclp; 2039 zfs_acl_node_t *aclnode; 2040 int aclcnt = vsecp->vsa_aclcnt; 2041 int error; 2042 2043 if (vsecp->vsa_aclcnt > MAX_ACL_ENTRIES || vsecp->vsa_aclcnt <= 0) 2044 return (EINVAL); 2045 2046 aclp = zfs_acl_alloc(zfs_acl_version(zfsvfs->z_version)); 2047 2048 aclp->z_hints = 0; 2049 aclnode = zfs_acl_node_alloc(aclcnt * sizeof (zfs_object_ace_t)); 2050 if (aclp->z_version == ZFS_ACL_VERSION_INITIAL) { 2051 if ((error = zfs_copy_ace_2_oldace(obj_type, aclp, 2052 (ace_t *)vsecp->vsa_aclentp, aclnode->z_acldata, 2053 aclcnt, &aclnode->z_size)) != 0) { 2054 zfs_acl_free(aclp); 2055 zfs_acl_node_free(aclnode); 2056 return (error); 2057 } 2058 } else { 2059 if ((error = zfs_copy_ace_2_fuid(zfsvfs, obj_type, aclp, 2060 vsecp->vsa_aclentp, aclnode->z_acldata, aclcnt, 2061 &aclnode->z_size, fuidp, cr)) != 0) { 2062 zfs_acl_free(aclp); 2063 zfs_acl_node_free(aclnode); 2064 return (error); 2065 } 2066 } 2067 aclp->z_acl_bytes = aclnode->z_size; 2068 aclnode->z_ace_count = aclcnt; 2069 aclp->z_acl_count = aclcnt; 2070 list_insert_head(&aclp->z_acl, aclnode); 2071 2072 /* 2073 * If flags are being set then add them to z_hints 2074 */ 2075 if (vsecp->vsa_mask & VSA_ACE_ACLFLAGS) { 2076 if (vsecp->vsa_aclflags & ACL_PROTECTED) 2077 aclp->z_hints |= ZFS_ACL_PROTECTED; 2078 if (vsecp->vsa_aclflags & ACL_DEFAULTED) 2079 aclp->z_hints |= ZFS_ACL_DEFAULTED; 2080 if (vsecp->vsa_aclflags & ACL_AUTO_INHERIT) 2081 aclp->z_hints |= ZFS_ACL_AUTO_INHERIT; 2082 } 2083 2084 *zaclp = aclp; 2085 2086 return (0); 2087 } 2088 2089 /* 2090 * Set a files ACL 2091 */ 2092 int 2093 zfs_setacl(znode_t *zp, vsecattr_t *vsecp, boolean_t skipaclchk, cred_t *cr) 2094 { 2095 zfsvfs_t *zfsvfs = zp->z_zfsvfs; 2096 zilog_t *zilog = zfsvfs->z_log; 2097 ulong_t mask = vsecp->vsa_mask & (VSA_ACE | VSA_ACECNT); 2098 dmu_tx_t *tx; 2099 int error; 2100 zfs_acl_t *aclp; 2101 zfs_fuid_info_t *fuidp = NULL; 2102 boolean_t fuid_dirtied; 2103 2104 if (mask == 0) 2105 return (ENOSYS); 2106 2107 if (zp->z_phys->zp_flags & ZFS_IMMUTABLE) 2108 return (EPERM); 2109 2110 if (error = zfs_zaccess(zp, ACE_WRITE_ACL, 0, skipaclchk, cr)) 2111 return (error); 2112 2113 error = zfs_vsec_2_aclp(zfsvfs, ZTOV(zp)->v_type, vsecp, cr, &fuidp, 2114 &aclp); 2115 if (error) 2116 return (error); 2117 2118 /* 2119 * If ACL wide flags aren't being set then preserve any 2120 * existing flags. 2121 */ 2122 if (!(vsecp->vsa_mask & VSA_ACE_ACLFLAGS)) { 2123 aclp->z_hints |= (zp->z_phys->zp_flags & V4_ACL_WIDE_FLAGS); 2124 } 2125 top: 2126 mutex_enter(&zp->z_lock); 2127 mutex_enter(&zp->z_acl_lock); 2128 2129 tx = dmu_tx_create(zfsvfs->z_os); 2130 dmu_tx_hold_bonus(tx, zp->z_id); 2131 2132 if (zp->z_phys->zp_acl.z_acl_extern_obj) { 2133 /* Are we upgrading ACL? */ 2134 if (zfsvfs->z_version <= ZPL_VERSION_FUID && 2135 zp->z_phys->zp_acl.z_acl_version == 2136 ZFS_ACL_VERSION_INITIAL) { 2137 dmu_tx_hold_free(tx, 2138 zp->z_phys->zp_acl.z_acl_extern_obj, 2139 0, DMU_OBJECT_END); 2140 dmu_tx_hold_write(tx, DMU_NEW_OBJECT, 2141 0, aclp->z_acl_bytes); 2142 } else { 2143 dmu_tx_hold_write(tx, 2144 zp->z_phys->zp_acl.z_acl_extern_obj, 2145 0, aclp->z_acl_bytes); 2146 } 2147 } else if (aclp->z_acl_bytes > ZFS_ACE_SPACE) { 2148 dmu_tx_hold_write(tx, DMU_NEW_OBJECT, 0, aclp->z_acl_bytes); 2149 } 2150 fuid_dirtied = zfsvfs->z_fuid_dirty; 2151 if (fuid_dirtied) 2152 zfs_fuid_txhold(zfsvfs, tx); 2153 2154 error = dmu_tx_assign(tx, TXG_NOWAIT); 2155 if (error) { 2156 mutex_exit(&zp->z_acl_lock); 2157 mutex_exit(&zp->z_lock); 2158 2159 if (error == ERESTART) { 2160 dmu_tx_wait(tx); 2161 dmu_tx_abort(tx); 2162 goto top; 2163 } 2164 dmu_tx_abort(tx); 2165 zfs_acl_free(aclp); 2166 return (error); 2167 } 2168 2169 error = zfs_aclset_common(zp, aclp, cr, tx); 2170 ASSERT(error == 0); 2171 2172 if (fuid_dirtied) 2173 zfs_fuid_sync(zfsvfs, tx); 2174 2175 zfs_time_stamper_locked(zp, STATE_CHANGED, tx); 2176 zfs_log_acl(zilog, tx, zp, vsecp, fuidp); 2177 2178 if (fuidp) 2179 zfs_fuid_info_free(fuidp); 2180 zp->z_acl_cached = aclp; 2181 dmu_tx_commit(tx); 2182 done: 2183 mutex_exit(&zp->z_acl_lock); 2184 mutex_exit(&zp->z_lock); 2185 2186 return (error); 2187 } 2188 2189 /* 2190 * Check accesses of interest (AoI) against attributes of the dataset 2191 * such as read-only. Returns zero if no AoI conflict with dataset 2192 * attributes, otherwise an appropriate errno is returned. 2193 */ 2194 static int 2195 zfs_zaccess_dataset_check(znode_t *zp, uint32_t v4_mode) 2196 { 2197 if ((v4_mode & WRITE_MASK) && 2198 (zp->z_zfsvfs->z_vfs->vfs_flag & VFS_RDONLY) && 2199 (!IS_DEVVP(ZTOV(zp)) || 2200 (IS_DEVVP(ZTOV(zp)) && (v4_mode & WRITE_MASK_ATTRS)))) { 2201 return (EROFS); 2202 } 2203 2204 /* 2205 * Only check for READONLY on non-directories. 2206 */ 2207 if ((v4_mode & WRITE_MASK_DATA) && 2208 (((ZTOV(zp)->v_type != VDIR) && 2209 (zp->z_phys->zp_flags & (ZFS_READONLY | ZFS_IMMUTABLE))) || 2210 (ZTOV(zp)->v_type == VDIR && 2211 (zp->z_phys->zp_flags & ZFS_IMMUTABLE)))) { 2212 return (EPERM); 2213 } 2214 2215 if ((v4_mode & (ACE_DELETE | ACE_DELETE_CHILD)) && 2216 (zp->z_phys->zp_flags & ZFS_NOUNLINK)) { 2217 return (EPERM); 2218 } 2219 2220 if (((v4_mode & (ACE_READ_DATA|ACE_EXECUTE)) && 2221 (zp->z_phys->zp_flags & ZFS_AV_QUARANTINED))) { 2222 return (EACCES); 2223 } 2224 2225 return (0); 2226 } 2227 2228 /* 2229 * The primary usage of this function is to loop through all of the 2230 * ACEs in the znode, determining what accesses of interest (AoI) to 2231 * the caller are allowed or denied. The AoI are expressed as bits in 2232 * the working_mode parameter. As each ACE is processed, bits covered 2233 * by that ACE are removed from the working_mode. This removal 2234 * facilitates two things. The first is that when the working mode is 2235 * empty (= 0), we know we've looked at all the AoI. The second is 2236 * that the ACE interpretation rules don't allow a later ACE to undo 2237 * something granted or denied by an earlier ACE. Removing the 2238 * discovered access or denial enforces this rule. At the end of 2239 * processing the ACEs, all AoI that were found to be denied are 2240 * placed into the working_mode, giving the caller a mask of denied 2241 * accesses. Returns: 2242 * 0 if all AoI granted 2243 * EACCESS if the denied mask is non-zero 2244 * other error if abnormal failure (e.g., IO error) 2245 * 2246 * A secondary usage of the function is to determine if any of the 2247 * AoI are granted. If an ACE grants any access in 2248 * the working_mode, we immediately short circuit out of the function. 2249 * This mode is chosen by setting anyaccess to B_TRUE. The 2250 * working_mode is not a denied access mask upon exit if the function 2251 * is used in this manner. 2252 */ 2253 static int 2254 zfs_zaccess_aces_check(znode_t *zp, uint32_t *working_mode, 2255 boolean_t anyaccess, cred_t *cr) 2256 { 2257 zfsvfs_t *zfsvfs = zp->z_zfsvfs; 2258 zfs_acl_t *aclp; 2259 int error; 2260 uid_t uid = crgetuid(cr); 2261 uint64_t who; 2262 uint16_t type, iflags; 2263 uint16_t entry_type; 2264 uint32_t access_mask; 2265 uint32_t deny_mask = 0; 2266 zfs_ace_hdr_t *acep = NULL; 2267 boolean_t checkit; 2268 uid_t fowner; 2269 uid_t gowner; 2270 2271 zfs_fuid_map_ids(zp, cr, &fowner, &gowner); 2272 2273 mutex_enter(&zp->z_acl_lock); 2274 2275 error = zfs_acl_node_read(zp, &aclp, B_FALSE); 2276 if (error != 0) { 2277 mutex_exit(&zp->z_acl_lock); 2278 return (error); 2279 } 2280 2281 while (acep = zfs_acl_next_ace(aclp, acep, &who, &access_mask, 2282 &iflags, &type)) { 2283 uint32_t mask_matched; 2284 2285 if (!zfs_acl_valid_ace_type(type, iflags)) 2286 continue; 2287 2288 if (ZTOV(zp)->v_type == VDIR && (iflags & ACE_INHERIT_ONLY_ACE)) 2289 continue; 2290 2291 /* Skip ACE if it does not affect any AoI */ 2292 mask_matched = (access_mask & *working_mode); 2293 if (!mask_matched) 2294 continue; 2295 2296 entry_type = (iflags & ACE_TYPE_FLAGS); 2297 2298 checkit = B_FALSE; 2299 2300 switch (entry_type) { 2301 case ACE_OWNER: 2302 if (uid == fowner) 2303 checkit = B_TRUE; 2304 break; 2305 case OWNING_GROUP: 2306 who = gowner; 2307 /*FALLTHROUGH*/ 2308 case ACE_IDENTIFIER_GROUP: 2309 checkit = zfs_groupmember(zfsvfs, who, cr); 2310 break; 2311 case ACE_EVERYONE: 2312 checkit = B_TRUE; 2313 break; 2314 2315 /* USER Entry */ 2316 default: 2317 if (entry_type == 0) { 2318 uid_t newid; 2319 2320 newid = zfs_fuid_map_id(zfsvfs, who, cr, 2321 ZFS_ACE_USER); 2322 if (newid != IDMAP_WK_CREATOR_OWNER_UID && 2323 uid == newid) 2324 checkit = B_TRUE; 2325 break; 2326 } else { 2327 mutex_exit(&zp->z_acl_lock); 2328 return (EIO); 2329 } 2330 } 2331 2332 if (checkit) { 2333 if (type == DENY) { 2334 DTRACE_PROBE3(zfs__ace__denies, 2335 znode_t *, zp, 2336 zfs_ace_hdr_t *, acep, 2337 uint32_t, mask_matched); 2338 deny_mask |= mask_matched; 2339 } else { 2340 DTRACE_PROBE3(zfs__ace__allows, 2341 znode_t *, zp, 2342 zfs_ace_hdr_t *, acep, 2343 uint32_t, mask_matched); 2344 if (anyaccess) { 2345 mutex_exit(&zp->z_acl_lock); 2346 zfs_acl_free(aclp); 2347 return (0); 2348 } 2349 } 2350 *working_mode &= ~mask_matched; 2351 } 2352 2353 /* Are we done? */ 2354 if (*working_mode == 0) 2355 break; 2356 } 2357 2358 mutex_exit(&zp->z_acl_lock); 2359 2360 /* Put the found 'denies' back on the working mode */ 2361 if (deny_mask) { 2362 *working_mode |= deny_mask; 2363 return (EACCES); 2364 } else if (*working_mode) { 2365 return (-1); 2366 } 2367 2368 return (0); 2369 } 2370 2371 /* 2372 * Return true if any access whatsoever granted, we don't actually 2373 * care what access is granted. 2374 */ 2375 boolean_t 2376 zfs_has_access(znode_t *zp, cred_t *cr) 2377 { 2378 uint32_t have = ACE_ALL_PERMS; 2379 2380 if (zfs_zaccess_aces_check(zp, &have, B_TRUE, cr) != 0) { 2381 uid_t owner; 2382 2383 owner = zfs_fuid_map_id(zp->z_zfsvfs, 2384 zp->z_phys->zp_uid, cr, ZFS_OWNER); 2385 2386 return ( 2387 secpolicy_vnode_access(cr, ZTOV(zp), owner, VREAD) == 0 || 2388 secpolicy_vnode_access(cr, ZTOV(zp), owner, VWRITE) == 0 || 2389 secpolicy_vnode_access(cr, ZTOV(zp), owner, VEXEC) == 0 || 2390 secpolicy_vnode_chown(cr, owner) == 0 || 2391 secpolicy_vnode_setdac(cr, owner) == 0 || 2392 secpolicy_vnode_remove(cr) == 0); 2393 } 2394 return (B_TRUE); 2395 } 2396 2397 static int 2398 zfs_zaccess_common(znode_t *zp, uint32_t v4_mode, uint32_t *working_mode, 2399 boolean_t *check_privs, boolean_t skipaclchk, cred_t *cr) 2400 { 2401 zfsvfs_t *zfsvfs = zp->z_zfsvfs; 2402 int err; 2403 2404 *working_mode = v4_mode; 2405 *check_privs = B_TRUE; 2406 2407 /* 2408 * Short circuit empty requests 2409 */ 2410 if (v4_mode == 0 || zfsvfs->z_replay) { 2411 *working_mode = 0; 2412 return (0); 2413 } 2414 2415 if ((err = zfs_zaccess_dataset_check(zp, v4_mode)) != 0) { 2416 *check_privs = B_FALSE; 2417 return (err); 2418 } 2419 2420 /* 2421 * The caller requested that the ACL check be skipped. This 2422 * would only happen if the caller checked VOP_ACCESS() with a 2423 * 32 bit ACE mask and already had the appropriate permissions. 2424 */ 2425 if (skipaclchk) { 2426 *working_mode = 0; 2427 return (0); 2428 } 2429 2430 return (zfs_zaccess_aces_check(zp, working_mode, B_FALSE, cr)); 2431 } 2432 2433 static int 2434 zfs_zaccess_append(znode_t *zp, uint32_t *working_mode, boolean_t *check_privs, 2435 cred_t *cr) 2436 { 2437 if (*working_mode != ACE_WRITE_DATA) 2438 return (EACCES); 2439 2440 return (zfs_zaccess_common(zp, ACE_APPEND_DATA, working_mode, 2441 check_privs, B_FALSE, cr)); 2442 } 2443 2444 int 2445 zfs_fastaccesschk_execute(znode_t *zdp, cred_t *cr) 2446 { 2447 boolean_t owner = B_FALSE; 2448 boolean_t groupmbr = B_FALSE; 2449 boolean_t is_attr; 2450 uid_t fowner; 2451 uid_t gowner; 2452 uid_t uid = crgetuid(cr); 2453 int error; 2454 2455 if (zdp->z_phys->zp_flags & ZFS_AV_QUARANTINED) 2456 return (EACCES); 2457 2458 is_attr = ((zdp->z_phys->zp_flags & ZFS_XATTR) && 2459 (ZTOV(zdp)->v_type == VDIR)); 2460 if (is_attr) 2461 goto slow; 2462 2463 mutex_enter(&zdp->z_acl_lock); 2464 2465 if (zdp->z_phys->zp_flags & ZFS_NO_EXECS_DENIED) { 2466 mutex_exit(&zdp->z_acl_lock); 2467 return (0); 2468 } 2469 2470 if (FUID_INDEX(zdp->z_phys->zp_uid) != 0 || 2471 FUID_INDEX(zdp->z_phys->zp_gid) != 0) { 2472 mutex_exit(&zdp->z_acl_lock); 2473 goto slow; 2474 } 2475 2476 fowner = (uid_t)zdp->z_phys->zp_uid; 2477 gowner = (uid_t)zdp->z_phys->zp_gid; 2478 2479 if (uid == fowner) { 2480 owner = B_TRUE; 2481 if (zdp->z_phys->zp_mode & S_IXUSR) { 2482 mutex_exit(&zdp->z_acl_lock); 2483 return (0); 2484 } 2485 } 2486 if (groupmember(gowner, cr)) { 2487 groupmbr = B_TRUE; 2488 if (zdp->z_phys->zp_mode & S_IXGRP) { 2489 mutex_exit(&zdp->z_acl_lock); 2490 return (0); 2491 } 2492 } 2493 if (!owner && !groupmbr) { 2494 if (zdp->z_phys->zp_mode & S_IXOTH) { 2495 mutex_exit(&zdp->z_acl_lock); 2496 return (0); 2497 } 2498 } 2499 2500 mutex_exit(&zdp->z_acl_lock); 2501 2502 slow: 2503 DTRACE_PROBE(zfs__fastpath__execute__access__miss); 2504 ZFS_ENTER(zdp->z_zfsvfs); 2505 error = zfs_zaccess(zdp, ACE_EXECUTE, 0, B_FALSE, cr); 2506 ZFS_EXIT(zdp->z_zfsvfs); 2507 return (error); 2508 } 2509 2510 /* 2511 * Determine whether Access should be granted/denied, invoking least 2512 * priv subsytem when a deny is determined. 2513 */ 2514 int 2515 zfs_zaccess(znode_t *zp, int mode, int flags, boolean_t skipaclchk, cred_t *cr) 2516 { 2517 uint32_t working_mode; 2518 int error; 2519 int is_attr; 2520 zfsvfs_t *zfsvfs = zp->z_zfsvfs; 2521 boolean_t check_privs; 2522 znode_t *xzp; 2523 znode_t *check_zp = zp; 2524 2525 is_attr = ((zp->z_phys->zp_flags & ZFS_XATTR) && 2526 (ZTOV(zp)->v_type == VDIR)); 2527 2528 /* 2529 * If attribute then validate against base file 2530 */ 2531 if (is_attr) { 2532 if ((error = zfs_zget(zp->z_zfsvfs, 2533 zp->z_phys->zp_parent, &xzp)) != 0) { 2534 return (error); 2535 } 2536 2537 check_zp = xzp; 2538 2539 /* 2540 * fixup mode to map to xattr perms 2541 */ 2542 2543 if (mode & (ACE_WRITE_DATA|ACE_APPEND_DATA)) { 2544 mode &= ~(ACE_WRITE_DATA|ACE_APPEND_DATA); 2545 mode |= ACE_WRITE_NAMED_ATTRS; 2546 } 2547 2548 if (mode & (ACE_READ_DATA|ACE_EXECUTE)) { 2549 mode &= ~(ACE_READ_DATA|ACE_EXECUTE); 2550 mode |= ACE_READ_NAMED_ATTRS; 2551 } 2552 } 2553 2554 if ((error = zfs_zaccess_common(check_zp, mode, &working_mode, 2555 &check_privs, skipaclchk, cr)) == 0) { 2556 if (is_attr) 2557 VN_RELE(ZTOV(xzp)); 2558 return (0); 2559 } 2560 2561 if (error && !check_privs) { 2562 if (is_attr) 2563 VN_RELE(ZTOV(xzp)); 2564 return (error); 2565 } 2566 2567 if (error && (flags & V_APPEND)) { 2568 error = zfs_zaccess_append(zp, &working_mode, &check_privs, cr); 2569 } 2570 2571 if (error && check_privs) { 2572 uid_t owner; 2573 mode_t checkmode = 0; 2574 2575 owner = zfs_fuid_map_id(zfsvfs, check_zp->z_phys->zp_uid, cr, 2576 ZFS_OWNER); 2577 2578 /* 2579 * First check for implicit owner permission on 2580 * read_acl/read_attributes 2581 */ 2582 2583 error = 0; 2584 ASSERT(working_mode != 0); 2585 2586 if ((working_mode & (ACE_READ_ACL|ACE_READ_ATTRIBUTES) && 2587 owner == crgetuid(cr))) 2588 working_mode &= ~(ACE_READ_ACL|ACE_READ_ATTRIBUTES); 2589 2590 if (working_mode & (ACE_READ_DATA|ACE_READ_NAMED_ATTRS| 2591 ACE_READ_ACL|ACE_READ_ATTRIBUTES|ACE_SYNCHRONIZE)) 2592 checkmode |= VREAD; 2593 if (working_mode & (ACE_WRITE_DATA|ACE_WRITE_NAMED_ATTRS| 2594 ACE_APPEND_DATA|ACE_WRITE_ATTRIBUTES|ACE_SYNCHRONIZE)) 2595 checkmode |= VWRITE; 2596 if (working_mode & ACE_EXECUTE) 2597 checkmode |= VEXEC; 2598 2599 if (checkmode) 2600 error = secpolicy_vnode_access(cr, ZTOV(check_zp), 2601 owner, checkmode); 2602 2603 if (error == 0 && (working_mode & ACE_WRITE_OWNER)) 2604 error = secpolicy_vnode_chown(cr, owner); 2605 if (error == 0 && (working_mode & ACE_WRITE_ACL)) 2606 error = secpolicy_vnode_setdac(cr, owner); 2607 2608 if (error == 0 && (working_mode & 2609 (ACE_DELETE|ACE_DELETE_CHILD))) 2610 error = secpolicy_vnode_remove(cr); 2611 2612 if (error == 0 && (working_mode & ACE_SYNCHRONIZE)) { 2613 error = secpolicy_vnode_chown(cr, owner); 2614 } 2615 if (error == 0) { 2616 /* 2617 * See if any bits other than those already checked 2618 * for are still present. If so then return EACCES 2619 */ 2620 if (working_mode & ~(ZFS_CHECKED_MASKS)) { 2621 error = EACCES; 2622 } 2623 } 2624 } 2625 2626 if (is_attr) 2627 VN_RELE(ZTOV(xzp)); 2628 2629 return (error); 2630 } 2631 2632 /* 2633 * Translate traditional unix VREAD/VWRITE/VEXEC mode into 2634 * native ACL format and call zfs_zaccess() 2635 */ 2636 int 2637 zfs_zaccess_rwx(znode_t *zp, mode_t mode, int flags, cred_t *cr) 2638 { 2639 return (zfs_zaccess(zp, zfs_unix_to_v4(mode >> 6), flags, B_FALSE, cr)); 2640 } 2641 2642 /* 2643 * Access function for secpolicy_vnode_setattr 2644 */ 2645 int 2646 zfs_zaccess_unix(znode_t *zp, mode_t mode, cred_t *cr) 2647 { 2648 int v4_mode = zfs_unix_to_v4(mode >> 6); 2649 2650 return (zfs_zaccess(zp, v4_mode, 0, B_FALSE, cr)); 2651 } 2652 2653 static int 2654 zfs_delete_final_check(znode_t *zp, znode_t *dzp, 2655 mode_t missing_perms, cred_t *cr) 2656 { 2657 int error; 2658 uid_t downer; 2659 zfsvfs_t *zfsvfs = zp->z_zfsvfs; 2660 2661 downer = zfs_fuid_map_id(zfsvfs, dzp->z_phys->zp_uid, cr, ZFS_OWNER); 2662 2663 error = secpolicy_vnode_access(cr, ZTOV(dzp), downer, missing_perms); 2664 2665 if (error == 0) 2666 error = zfs_sticky_remove_access(dzp, zp, cr); 2667 2668 return (error); 2669 } 2670 2671 /* 2672 * Determine whether Access should be granted/deny, without 2673 * consulting least priv subsystem. 2674 * 2675 * 2676 * The following chart is the recommended NFSv4 enforcement for 2677 * ability to delete an object. 2678 * 2679 * ------------------------------------------------------- 2680 * | Parent Dir | Target Object Permissions | 2681 * | permissions | | 2682 * ------------------------------------------------------- 2683 * | | ACL Allows | ACL Denies| Delete | 2684 * | | Delete | Delete | unspecified| 2685 * ------------------------------------------------------- 2686 * | ACL Allows | Permit | Permit | Permit | 2687 * | DELETE_CHILD | | 2688 * ------------------------------------------------------- 2689 * | ACL Denies | Permit | Deny | Deny | 2690 * | DELETE_CHILD | | | | 2691 * ------------------------------------------------------- 2692 * | ACL specifies | | | | 2693 * | only allow | Permit | Permit | Permit | 2694 * | write and | | | | 2695 * | execute | | | | 2696 * ------------------------------------------------------- 2697 * | ACL denies | | | | 2698 * | write and | Permit | Deny | Deny | 2699 * | execute | | | | 2700 * ------------------------------------------------------- 2701 * ^ 2702 * | 2703 * No search privilege, can't even look up file? 2704 * 2705 */ 2706 int 2707 zfs_zaccess_delete(znode_t *dzp, znode_t *zp, cred_t *cr) 2708 { 2709 uint32_t dzp_working_mode = 0; 2710 uint32_t zp_working_mode = 0; 2711 int dzp_error, zp_error; 2712 mode_t missing_perms; 2713 boolean_t dzpcheck_privs = B_TRUE; 2714 boolean_t zpcheck_privs = B_TRUE; 2715 2716 /* 2717 * We want specific DELETE permissions to 2718 * take precedence over WRITE/EXECUTE. We don't 2719 * want an ACL such as this to mess us up. 2720 * user:joe:write_data:deny,user:joe:delete:allow 2721 * 2722 * However, deny permissions may ultimately be overridden 2723 * by secpolicy_vnode_access(). 2724 * 2725 * We will ask for all of the necessary permissions and then 2726 * look at the working modes from the directory and target object 2727 * to determine what was found. 2728 */ 2729 2730 if (zp->z_phys->zp_flags & (ZFS_IMMUTABLE | ZFS_NOUNLINK)) 2731 return (EPERM); 2732 2733 /* 2734 * First row 2735 * If the directory permissions allow the delete, we are done. 2736 */ 2737 if ((dzp_error = zfs_zaccess_common(dzp, ACE_DELETE_CHILD, 2738 &dzp_working_mode, &dzpcheck_privs, B_FALSE, cr)) == 0) 2739 return (0); 2740 2741 /* 2742 * If target object has delete permission then we are done 2743 */ 2744 if ((zp_error = zfs_zaccess_common(zp, ACE_DELETE, &zp_working_mode, 2745 &zpcheck_privs, B_FALSE, cr)) == 0) 2746 return (0); 2747 2748 ASSERT(dzp_error && zp_error); 2749 2750 if (!dzpcheck_privs) 2751 return (dzp_error); 2752 if (!zpcheck_privs) 2753 return (zp_error); 2754 2755 /* 2756 * Second row 2757 * 2758 * If directory returns EACCES then delete_child was denied 2759 * due to deny delete_child. In this case send the request through 2760 * secpolicy_vnode_remove(). We don't use zfs_delete_final_check() 2761 * since that *could* allow the delete based on write/execute permission 2762 * and we want delete permissions to override write/execute. 2763 */ 2764 2765 if (dzp_error == EACCES) 2766 return (secpolicy_vnode_remove(cr)); 2767 2768 /* 2769 * Third Row 2770 * only need to see if we have write/execute on directory. 2771 */ 2772 2773 if ((dzp_error = zfs_zaccess_common(dzp, ACE_EXECUTE|ACE_WRITE_DATA, 2774 &dzp_working_mode, &dzpcheck_privs, B_FALSE, cr)) == 0) 2775 return (zfs_sticky_remove_access(dzp, zp, cr)); 2776 2777 if (!dzpcheck_privs) 2778 return (dzp_error); 2779 2780 /* 2781 * Fourth row 2782 */ 2783 2784 missing_perms = (dzp_working_mode & ACE_WRITE_DATA) ? VWRITE : 0; 2785 missing_perms |= (dzp_working_mode & ACE_EXECUTE) ? VEXEC : 0; 2786 2787 ASSERT(missing_perms); 2788 2789 return (zfs_delete_final_check(zp, dzp, missing_perms, cr)); 2790 2791 } 2792 2793 int 2794 zfs_zaccess_rename(znode_t *sdzp, znode_t *szp, znode_t *tdzp, 2795 znode_t *tzp, cred_t *cr) 2796 { 2797 int add_perm; 2798 int error; 2799 2800 if (szp->z_phys->zp_flags & ZFS_AV_QUARANTINED) 2801 return (EACCES); 2802 2803 add_perm = (ZTOV(szp)->v_type == VDIR) ? 2804 ACE_ADD_SUBDIRECTORY : ACE_ADD_FILE; 2805 2806 /* 2807 * Rename permissions are combination of delete permission + 2808 * add file/subdir permission. 2809 */ 2810 2811 /* 2812 * first make sure we do the delete portion. 2813 * 2814 * If that succeeds then check for add_file/add_subdir permissions 2815 */ 2816 2817 if (error = zfs_zaccess_delete(sdzp, szp, cr)) 2818 return (error); 2819 2820 /* 2821 * If we have a tzp, see if we can delete it? 2822 */ 2823 if (tzp) { 2824 if (error = zfs_zaccess_delete(tdzp, tzp, cr)) 2825 return (error); 2826 } 2827 2828 /* 2829 * Now check for add permissions 2830 */ 2831 error = zfs_zaccess(tdzp, add_perm, 0, B_FALSE, cr); 2832 2833 return (error); 2834 } 2835