1 /* 2 * CDDL HEADER START 3 * 4 * The contents of this file are subject to the terms of the 5 * Common Development and Distribution License (the "License"). 6 * You may not use this file except in compliance with the License. 7 * 8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE 9 * or http://www.opensolaris.org/os/licensing. 10 * See the License for the specific language governing permissions 11 * and limitations under the License. 12 * 13 * When distributing Covered Code, include this CDDL HEADER in each 14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE. 15 * If applicable, add the following below this CDDL HEADER, with the 16 * fields enclosed by brackets "[]" replaced with your own identifying 17 * information: Portions Copyright [yyyy] [name of copyright owner] 18 * 19 * CDDL HEADER END 20 */ 21 /* 22 * Copyright (c) 2005, 2010, Oracle and/or its affiliates. All rights reserved. 23 */ 24 25 #include <sys/types.h> 26 #include <sys/param.h> 27 #include <sys/time.h> 28 #include <sys/systm.h> 29 #include <sys/sysmacros.h> 30 #include <sys/resource.h> 31 #include <sys/vfs.h> 32 #include <sys/vnode.h> 33 #include <sys/sid.h> 34 #include <sys/file.h> 35 #include <sys/stat.h> 36 #include <sys/kmem.h> 37 #include <sys/cmn_err.h> 38 #include <sys/errno.h> 39 #include <sys/unistd.h> 40 #include <sys/sdt.h> 41 #include <sys/fs/zfs.h> 42 #include <sys/mode.h> 43 #include <sys/policy.h> 44 #include <sys/zfs_znode.h> 45 #include <sys/zfs_fuid.h> 46 #include <sys/zfs_acl.h> 47 #include <sys/zfs_dir.h> 48 #include <sys/zfs_vfsops.h> 49 #include <sys/dmu.h> 50 #include <sys/dnode.h> 51 #include <sys/zap.h> 52 #include <sys/sa.h> 53 #include "fs/fs_subr.h" 54 #include <acl/acl_common.h> 55 56 #define ALLOW ACE_ACCESS_ALLOWED_ACE_TYPE 57 #define DENY ACE_ACCESS_DENIED_ACE_TYPE 58 #define MAX_ACE_TYPE ACE_SYSTEM_ALARM_CALLBACK_OBJECT_ACE_TYPE 59 #define MIN_ACE_TYPE ALLOW 60 61 #define OWNING_GROUP (ACE_GROUP|ACE_IDENTIFIER_GROUP) 62 #define EVERYONE_ALLOW_MASK (ACE_READ_ACL|ACE_READ_ATTRIBUTES | \ 63 ACE_READ_NAMED_ATTRS|ACE_SYNCHRONIZE) 64 #define EVERYONE_DENY_MASK (ACE_WRITE_ACL|ACE_WRITE_OWNER | \ 65 ACE_WRITE_ATTRIBUTES|ACE_WRITE_NAMED_ATTRS) 66 #define OWNER_ALLOW_MASK (ACE_WRITE_ACL | ACE_WRITE_OWNER | \ 67 ACE_WRITE_ATTRIBUTES|ACE_WRITE_NAMED_ATTRS) 68 69 #define ZFS_CHECKED_MASKS (ACE_READ_ACL|ACE_READ_ATTRIBUTES|ACE_READ_DATA| \ 70 ACE_READ_NAMED_ATTRS|ACE_WRITE_DATA|ACE_WRITE_ATTRIBUTES| \ 71 ACE_WRITE_NAMED_ATTRS|ACE_APPEND_DATA|ACE_EXECUTE|ACE_WRITE_OWNER| \ 72 ACE_WRITE_ACL|ACE_DELETE|ACE_DELETE_CHILD|ACE_SYNCHRONIZE) 73 74 #define WRITE_MASK_DATA (ACE_WRITE_DATA|ACE_APPEND_DATA|ACE_WRITE_NAMED_ATTRS) 75 #define WRITE_MASK_ATTRS (ACE_WRITE_ACL|ACE_WRITE_OWNER|ACE_WRITE_ATTRIBUTES| \ 76 ACE_DELETE|ACE_DELETE_CHILD) 77 #define WRITE_MASK (WRITE_MASK_DATA|WRITE_MASK_ATTRS) 78 79 #define OGE_CLEAR (ACE_READ_DATA|ACE_LIST_DIRECTORY|ACE_WRITE_DATA| \ 80 ACE_ADD_FILE|ACE_APPEND_DATA|ACE_ADD_SUBDIRECTORY|ACE_EXECUTE) 81 82 #define OKAY_MASK_BITS (ACE_READ_DATA|ACE_LIST_DIRECTORY|ACE_WRITE_DATA| \ 83 ACE_ADD_FILE|ACE_APPEND_DATA|ACE_ADD_SUBDIRECTORY|ACE_EXECUTE) 84 85 #define ALL_INHERIT (ACE_FILE_INHERIT_ACE|ACE_DIRECTORY_INHERIT_ACE | \ 86 ACE_NO_PROPAGATE_INHERIT_ACE|ACE_INHERIT_ONLY_ACE|ACE_INHERITED_ACE) 87 88 #define RESTRICTED_CLEAR (ACE_WRITE_ACL|ACE_WRITE_OWNER) 89 90 #define V4_ACL_WIDE_FLAGS (ZFS_ACL_AUTO_INHERIT|ZFS_ACL_DEFAULTED|\ 91 ZFS_ACL_PROTECTED) 92 93 #define ZFS_ACL_WIDE_FLAGS (V4_ACL_WIDE_FLAGS|ZFS_ACL_TRIVIAL|ZFS_INHERIT_ACE|\ 94 ZFS_ACL_OBJ_ACE) 95 96 #define ALL_MODE_EXECS (S_IXUSR | S_IXGRP | S_IXOTH) 97 98 static uint16_t 99 zfs_ace_v0_get_type(void *acep) 100 { 101 return (((zfs_oldace_t *)acep)->z_type); 102 } 103 104 static uint16_t 105 zfs_ace_v0_get_flags(void *acep) 106 { 107 return (((zfs_oldace_t *)acep)->z_flags); 108 } 109 110 static uint32_t 111 zfs_ace_v0_get_mask(void *acep) 112 { 113 return (((zfs_oldace_t *)acep)->z_access_mask); 114 } 115 116 static uint64_t 117 zfs_ace_v0_get_who(void *acep) 118 { 119 return (((zfs_oldace_t *)acep)->z_fuid); 120 } 121 122 static void 123 zfs_ace_v0_set_type(void *acep, uint16_t type) 124 { 125 ((zfs_oldace_t *)acep)->z_type = type; 126 } 127 128 static void 129 zfs_ace_v0_set_flags(void *acep, uint16_t flags) 130 { 131 ((zfs_oldace_t *)acep)->z_flags = flags; 132 } 133 134 static void 135 zfs_ace_v0_set_mask(void *acep, uint32_t mask) 136 { 137 ((zfs_oldace_t *)acep)->z_access_mask = mask; 138 } 139 140 static void 141 zfs_ace_v0_set_who(void *acep, uint64_t who) 142 { 143 ((zfs_oldace_t *)acep)->z_fuid = who; 144 } 145 146 /*ARGSUSED*/ 147 static size_t 148 zfs_ace_v0_size(void *acep) 149 { 150 return (sizeof (zfs_oldace_t)); 151 } 152 153 static size_t 154 zfs_ace_v0_abstract_size(void) 155 { 156 return (sizeof (zfs_oldace_t)); 157 } 158 159 static int 160 zfs_ace_v0_mask_off(void) 161 { 162 return (offsetof(zfs_oldace_t, z_access_mask)); 163 } 164 165 /*ARGSUSED*/ 166 static int 167 zfs_ace_v0_data(void *acep, void **datap) 168 { 169 *datap = NULL; 170 return (0); 171 } 172 173 static acl_ops_t zfs_acl_v0_ops = { 174 zfs_ace_v0_get_mask, 175 zfs_ace_v0_set_mask, 176 zfs_ace_v0_get_flags, 177 zfs_ace_v0_set_flags, 178 zfs_ace_v0_get_type, 179 zfs_ace_v0_set_type, 180 zfs_ace_v0_get_who, 181 zfs_ace_v0_set_who, 182 zfs_ace_v0_size, 183 zfs_ace_v0_abstract_size, 184 zfs_ace_v0_mask_off, 185 zfs_ace_v0_data 186 }; 187 188 static uint16_t 189 zfs_ace_fuid_get_type(void *acep) 190 { 191 return (((zfs_ace_hdr_t *)acep)->z_type); 192 } 193 194 static uint16_t 195 zfs_ace_fuid_get_flags(void *acep) 196 { 197 return (((zfs_ace_hdr_t *)acep)->z_flags); 198 } 199 200 static uint32_t 201 zfs_ace_fuid_get_mask(void *acep) 202 { 203 return (((zfs_ace_hdr_t *)acep)->z_access_mask); 204 } 205 206 static uint64_t 207 zfs_ace_fuid_get_who(void *args) 208 { 209 uint16_t entry_type; 210 zfs_ace_t *acep = args; 211 212 entry_type = acep->z_hdr.z_flags & ACE_TYPE_FLAGS; 213 214 if (entry_type == ACE_OWNER || entry_type == OWNING_GROUP || 215 entry_type == ACE_EVERYONE) 216 return (-1); 217 return (((zfs_ace_t *)acep)->z_fuid); 218 } 219 220 static void 221 zfs_ace_fuid_set_type(void *acep, uint16_t type) 222 { 223 ((zfs_ace_hdr_t *)acep)->z_type = type; 224 } 225 226 static void 227 zfs_ace_fuid_set_flags(void *acep, uint16_t flags) 228 { 229 ((zfs_ace_hdr_t *)acep)->z_flags = flags; 230 } 231 232 static void 233 zfs_ace_fuid_set_mask(void *acep, uint32_t mask) 234 { 235 ((zfs_ace_hdr_t *)acep)->z_access_mask = mask; 236 } 237 238 static void 239 zfs_ace_fuid_set_who(void *arg, uint64_t who) 240 { 241 zfs_ace_t *acep = arg; 242 243 uint16_t entry_type = acep->z_hdr.z_flags & ACE_TYPE_FLAGS; 244 245 if (entry_type == ACE_OWNER || entry_type == OWNING_GROUP || 246 entry_type == ACE_EVERYONE) 247 return; 248 acep->z_fuid = who; 249 } 250 251 static size_t 252 zfs_ace_fuid_size(void *acep) 253 { 254 zfs_ace_hdr_t *zacep = acep; 255 uint16_t entry_type; 256 257 switch (zacep->z_type) { 258 case ACE_ACCESS_ALLOWED_OBJECT_ACE_TYPE: 259 case ACE_ACCESS_DENIED_OBJECT_ACE_TYPE: 260 case ACE_SYSTEM_AUDIT_OBJECT_ACE_TYPE: 261 case ACE_SYSTEM_ALARM_OBJECT_ACE_TYPE: 262 return (sizeof (zfs_object_ace_t)); 263 case ALLOW: 264 case DENY: 265 entry_type = 266 (((zfs_ace_hdr_t *)acep)->z_flags & ACE_TYPE_FLAGS); 267 if (entry_type == ACE_OWNER || 268 entry_type == OWNING_GROUP || 269 entry_type == ACE_EVERYONE) 270 return (sizeof (zfs_ace_hdr_t)); 271 /*FALLTHROUGH*/ 272 default: 273 return (sizeof (zfs_ace_t)); 274 } 275 } 276 277 static size_t 278 zfs_ace_fuid_abstract_size(void) 279 { 280 return (sizeof (zfs_ace_hdr_t)); 281 } 282 283 static int 284 zfs_ace_fuid_mask_off(void) 285 { 286 return (offsetof(zfs_ace_hdr_t, z_access_mask)); 287 } 288 289 static int 290 zfs_ace_fuid_data(void *acep, void **datap) 291 { 292 zfs_ace_t *zacep = acep; 293 zfs_object_ace_t *zobjp; 294 295 switch (zacep->z_hdr.z_type) { 296 case ACE_ACCESS_ALLOWED_OBJECT_ACE_TYPE: 297 case ACE_ACCESS_DENIED_OBJECT_ACE_TYPE: 298 case ACE_SYSTEM_AUDIT_OBJECT_ACE_TYPE: 299 case ACE_SYSTEM_ALARM_OBJECT_ACE_TYPE: 300 zobjp = acep; 301 *datap = (caddr_t)zobjp + sizeof (zfs_ace_t); 302 return (sizeof (zfs_object_ace_t) - sizeof (zfs_ace_t)); 303 default: 304 *datap = NULL; 305 return (0); 306 } 307 } 308 309 static acl_ops_t zfs_acl_fuid_ops = { 310 zfs_ace_fuid_get_mask, 311 zfs_ace_fuid_set_mask, 312 zfs_ace_fuid_get_flags, 313 zfs_ace_fuid_set_flags, 314 zfs_ace_fuid_get_type, 315 zfs_ace_fuid_set_type, 316 zfs_ace_fuid_get_who, 317 zfs_ace_fuid_set_who, 318 zfs_ace_fuid_size, 319 zfs_ace_fuid_abstract_size, 320 zfs_ace_fuid_mask_off, 321 zfs_ace_fuid_data 322 }; 323 324 /* 325 * The following three functions are provided for compatibility with 326 * older ZPL version in order to determine if the file use to have 327 * an external ACL and what version of ACL previously existed on the 328 * file. Would really be nice to not need this, sigh. 329 */ 330 331 uint64_t 332 zfs_external_acl(znode_t *zp) 333 { 334 zfs_acl_phys_t acl_phys; 335 336 if (zp->z_is_sa) 337 return (0); 338 339 VERIFY(0 == sa_lookup(zp->z_sa_hdl, SA_ZPL_ZNODE_ACL(zp->z_zfsvfs), 340 &acl_phys, sizeof (acl_phys))); 341 342 return (acl_phys.z_acl_extern_obj); 343 } 344 345 /* 346 * Determine size of ACL in bytes 347 * 348 * This is more complicated than it should be since we have to deal 349 * with old external ACLs. 350 */ 351 static int 352 zfs_acl_znode_info(znode_t *zp, int *aclsize, int *aclcount, 353 zfs_acl_phys_t *aclphys) 354 { 355 zfsvfs_t *zfsvfs = zp->z_zfsvfs; 356 uint64_t acl_count; 357 int size; 358 int error; 359 360 if (zp->z_is_sa) { 361 if ((error = sa_size(zp->z_sa_hdl, SA_ZPL_DACL_ACES(zfsvfs), 362 &size)) != 0) 363 return (error); 364 *aclsize = size; 365 if ((error = sa_lookup(zp->z_sa_hdl, SA_ZPL_DACL_COUNT(zfsvfs), 366 &acl_count, sizeof (acl_count))) != 0) 367 return (error); 368 *aclcount = acl_count; 369 } else { 370 if ((error = sa_lookup(zp->z_sa_hdl, SA_ZPL_ZNODE_ACL(zfsvfs), 371 aclphys, sizeof (*aclphys))) != 0) 372 return (error); 373 374 if (aclphys->z_acl_version == ZFS_ACL_VERSION_INITIAL) { 375 *aclsize = ZFS_ACL_SIZE(aclphys->z_acl_size); 376 *aclcount = aclphys->z_acl_size; 377 } else { 378 *aclsize = aclphys->z_acl_size; 379 *aclcount = aclphys->z_acl_count; 380 } 381 } 382 return (0); 383 } 384 385 int 386 zfs_znode_acl_version(znode_t *zp) 387 { 388 zfs_acl_phys_t acl_phys; 389 390 if (zp->z_is_sa) { 391 return (ZFS_ACL_VERSION_FUID); 392 } else { 393 VERIFY(0 == sa_lookup(zp->z_sa_hdl, 394 SA_ZPL_ZNODE_ACL(zp->z_zfsvfs), 395 &acl_phys, sizeof (acl_phys))); 396 return (acl_phys.z_acl_version); 397 } 398 } 399 400 static int 401 zfs_acl_version(int version) 402 { 403 if (version < ZPL_VERSION_FUID) 404 return (ZFS_ACL_VERSION_INITIAL); 405 else 406 return (ZFS_ACL_VERSION_FUID); 407 } 408 409 static int 410 zfs_acl_version_zp(znode_t *zp) 411 { 412 return (zfs_acl_version(zp->z_zfsvfs->z_version)); 413 } 414 415 zfs_acl_t * 416 zfs_acl_alloc(int vers) 417 { 418 zfs_acl_t *aclp; 419 420 aclp = kmem_zalloc(sizeof (zfs_acl_t), KM_SLEEP); 421 list_create(&aclp->z_acl, sizeof (zfs_acl_node_t), 422 offsetof(zfs_acl_node_t, z_next)); 423 aclp->z_version = vers; 424 if (vers == ZFS_ACL_VERSION_FUID) 425 aclp->z_ops = zfs_acl_fuid_ops; 426 else 427 aclp->z_ops = zfs_acl_v0_ops; 428 return (aclp); 429 } 430 431 zfs_acl_node_t * 432 zfs_acl_node_alloc(size_t bytes) 433 { 434 zfs_acl_node_t *aclnode; 435 436 aclnode = kmem_zalloc(sizeof (zfs_acl_node_t), KM_SLEEP); 437 if (bytes) { 438 aclnode->z_acldata = kmem_alloc(bytes, KM_SLEEP); 439 aclnode->z_allocdata = aclnode->z_acldata; 440 aclnode->z_allocsize = bytes; 441 aclnode->z_size = bytes; 442 } 443 444 return (aclnode); 445 } 446 447 static void 448 zfs_acl_node_free(zfs_acl_node_t *aclnode) 449 { 450 if (aclnode->z_allocsize) 451 kmem_free(aclnode->z_allocdata, aclnode->z_allocsize); 452 kmem_free(aclnode, sizeof (zfs_acl_node_t)); 453 } 454 455 static void 456 zfs_acl_release_nodes(zfs_acl_t *aclp) 457 { 458 zfs_acl_node_t *aclnode; 459 460 while (aclnode = list_head(&aclp->z_acl)) { 461 list_remove(&aclp->z_acl, aclnode); 462 zfs_acl_node_free(aclnode); 463 } 464 aclp->z_acl_count = 0; 465 aclp->z_acl_bytes = 0; 466 } 467 468 void 469 zfs_acl_free(zfs_acl_t *aclp) 470 { 471 zfs_acl_release_nodes(aclp); 472 list_destroy(&aclp->z_acl); 473 kmem_free(aclp, sizeof (zfs_acl_t)); 474 } 475 476 static boolean_t 477 zfs_acl_valid_ace_type(uint_t type, uint_t flags) 478 { 479 uint16_t entry_type; 480 481 switch (type) { 482 case ALLOW: 483 case DENY: 484 case ACE_SYSTEM_AUDIT_ACE_TYPE: 485 case ACE_SYSTEM_ALARM_ACE_TYPE: 486 entry_type = flags & ACE_TYPE_FLAGS; 487 return (entry_type == ACE_OWNER || 488 entry_type == OWNING_GROUP || 489 entry_type == ACE_EVERYONE || entry_type == 0 || 490 entry_type == ACE_IDENTIFIER_GROUP); 491 default: 492 if (type >= MIN_ACE_TYPE && type <= MAX_ACE_TYPE) 493 return (B_TRUE); 494 } 495 return (B_FALSE); 496 } 497 498 static boolean_t 499 zfs_ace_valid(vtype_t obj_type, zfs_acl_t *aclp, uint16_t type, uint16_t iflags) 500 { 501 /* 502 * first check type of entry 503 */ 504 505 if (!zfs_acl_valid_ace_type(type, iflags)) 506 return (B_FALSE); 507 508 switch (type) { 509 case ACE_ACCESS_ALLOWED_OBJECT_ACE_TYPE: 510 case ACE_ACCESS_DENIED_OBJECT_ACE_TYPE: 511 case ACE_SYSTEM_AUDIT_OBJECT_ACE_TYPE: 512 case ACE_SYSTEM_ALARM_OBJECT_ACE_TYPE: 513 if (aclp->z_version < ZFS_ACL_VERSION_FUID) 514 return (B_FALSE); 515 aclp->z_hints |= ZFS_ACL_OBJ_ACE; 516 } 517 518 /* 519 * next check inheritance level flags 520 */ 521 522 if (obj_type == VDIR && 523 (iflags & (ACE_FILE_INHERIT_ACE|ACE_DIRECTORY_INHERIT_ACE))) 524 aclp->z_hints |= ZFS_INHERIT_ACE; 525 526 if (iflags & (ACE_INHERIT_ONLY_ACE|ACE_NO_PROPAGATE_INHERIT_ACE)) { 527 if ((iflags & (ACE_FILE_INHERIT_ACE| 528 ACE_DIRECTORY_INHERIT_ACE)) == 0) { 529 return (B_FALSE); 530 } 531 } 532 533 return (B_TRUE); 534 } 535 536 static void * 537 zfs_acl_next_ace(zfs_acl_t *aclp, void *start, uint64_t *who, 538 uint32_t *access_mask, uint16_t *iflags, uint16_t *type) 539 { 540 zfs_acl_node_t *aclnode; 541 542 ASSERT(aclp); 543 544 if (start == NULL) { 545 aclnode = list_head(&aclp->z_acl); 546 if (aclnode == NULL) 547 return (NULL); 548 549 aclp->z_next_ace = aclnode->z_acldata; 550 aclp->z_curr_node = aclnode; 551 aclnode->z_ace_idx = 0; 552 } 553 554 aclnode = aclp->z_curr_node; 555 556 if (aclnode == NULL) 557 return (NULL); 558 559 if (aclnode->z_ace_idx >= aclnode->z_ace_count) { 560 aclnode = list_next(&aclp->z_acl, aclnode); 561 if (aclnode == NULL) 562 return (NULL); 563 else { 564 aclp->z_curr_node = aclnode; 565 aclnode->z_ace_idx = 0; 566 aclp->z_next_ace = aclnode->z_acldata; 567 } 568 } 569 570 if (aclnode->z_ace_idx < aclnode->z_ace_count) { 571 void *acep = aclp->z_next_ace; 572 size_t ace_size; 573 574 /* 575 * Make sure we don't overstep our bounds 576 */ 577 ace_size = aclp->z_ops.ace_size(acep); 578 579 if (((caddr_t)acep + ace_size) > 580 ((caddr_t)aclnode->z_acldata + aclnode->z_size)) { 581 return (NULL); 582 } 583 584 *iflags = aclp->z_ops.ace_flags_get(acep); 585 *type = aclp->z_ops.ace_type_get(acep); 586 *access_mask = aclp->z_ops.ace_mask_get(acep); 587 *who = aclp->z_ops.ace_who_get(acep); 588 aclp->z_next_ace = (caddr_t)aclp->z_next_ace + ace_size; 589 aclnode->z_ace_idx++; 590 591 return ((void *)acep); 592 } 593 return (NULL); 594 } 595 596 /*ARGSUSED*/ 597 static uint64_t 598 zfs_ace_walk(void *datap, uint64_t cookie, int aclcnt, 599 uint16_t *flags, uint16_t *type, uint32_t *mask) 600 { 601 zfs_acl_t *aclp = datap; 602 zfs_ace_hdr_t *acep = (zfs_ace_hdr_t *)(uintptr_t)cookie; 603 uint64_t who; 604 605 acep = zfs_acl_next_ace(aclp, acep, &who, mask, 606 flags, type); 607 return ((uint64_t)(uintptr_t)acep); 608 } 609 610 static zfs_acl_node_t * 611 zfs_acl_curr_node(zfs_acl_t *aclp) 612 { 613 ASSERT(aclp->z_curr_node); 614 return (aclp->z_curr_node); 615 } 616 617 /* 618 * Copy ACE to internal ZFS format. 619 * While processing the ACL each ACE will be validated for correctness. 620 * ACE FUIDs will be created later. 621 */ 622 int 623 zfs_copy_ace_2_fuid(zfsvfs_t *zfsvfs, vtype_t obj_type, zfs_acl_t *aclp, 624 void *datap, zfs_ace_t *z_acl, uint64_t aclcnt, size_t *size, 625 zfs_fuid_info_t **fuidp, cred_t *cr) 626 { 627 int i; 628 uint16_t entry_type; 629 zfs_ace_t *aceptr = z_acl; 630 ace_t *acep = datap; 631 zfs_object_ace_t *zobjacep; 632 ace_object_t *aceobjp; 633 634 for (i = 0; i != aclcnt; i++) { 635 aceptr->z_hdr.z_access_mask = acep->a_access_mask; 636 aceptr->z_hdr.z_flags = acep->a_flags; 637 aceptr->z_hdr.z_type = acep->a_type; 638 entry_type = aceptr->z_hdr.z_flags & ACE_TYPE_FLAGS; 639 if (entry_type != ACE_OWNER && entry_type != OWNING_GROUP && 640 entry_type != ACE_EVERYONE) { 641 aceptr->z_fuid = zfs_fuid_create(zfsvfs, acep->a_who, 642 cr, (entry_type == 0) ? 643 ZFS_ACE_USER : ZFS_ACE_GROUP, fuidp); 644 } 645 646 /* 647 * Make sure ACE is valid 648 */ 649 if (zfs_ace_valid(obj_type, aclp, aceptr->z_hdr.z_type, 650 aceptr->z_hdr.z_flags) != B_TRUE) 651 return (EINVAL); 652 653 switch (acep->a_type) { 654 case ACE_ACCESS_ALLOWED_OBJECT_ACE_TYPE: 655 case ACE_ACCESS_DENIED_OBJECT_ACE_TYPE: 656 case ACE_SYSTEM_AUDIT_OBJECT_ACE_TYPE: 657 case ACE_SYSTEM_ALARM_OBJECT_ACE_TYPE: 658 zobjacep = (zfs_object_ace_t *)aceptr; 659 aceobjp = (ace_object_t *)acep; 660 661 bcopy(aceobjp->a_obj_type, zobjacep->z_object_type, 662 sizeof (aceobjp->a_obj_type)); 663 bcopy(aceobjp->a_inherit_obj_type, 664 zobjacep->z_inherit_type, 665 sizeof (aceobjp->a_inherit_obj_type)); 666 acep = (ace_t *)((caddr_t)acep + sizeof (ace_object_t)); 667 break; 668 default: 669 acep = (ace_t *)((caddr_t)acep + sizeof (ace_t)); 670 } 671 672 aceptr = (zfs_ace_t *)((caddr_t)aceptr + 673 aclp->z_ops.ace_size(aceptr)); 674 } 675 676 *size = (caddr_t)aceptr - (caddr_t)z_acl; 677 678 return (0); 679 } 680 681 /* 682 * Copy ZFS ACEs to fixed size ace_t layout 683 */ 684 static void 685 zfs_copy_fuid_2_ace(zfsvfs_t *zfsvfs, zfs_acl_t *aclp, cred_t *cr, 686 void *datap, int filter) 687 { 688 uint64_t who; 689 uint32_t access_mask; 690 uint16_t iflags, type; 691 zfs_ace_hdr_t *zacep = NULL; 692 ace_t *acep = datap; 693 ace_object_t *objacep; 694 zfs_object_ace_t *zobjacep; 695 size_t ace_size; 696 uint16_t entry_type; 697 698 while (zacep = zfs_acl_next_ace(aclp, zacep, 699 &who, &access_mask, &iflags, &type)) { 700 701 switch (type) { 702 case ACE_ACCESS_ALLOWED_OBJECT_ACE_TYPE: 703 case ACE_ACCESS_DENIED_OBJECT_ACE_TYPE: 704 case ACE_SYSTEM_AUDIT_OBJECT_ACE_TYPE: 705 case ACE_SYSTEM_ALARM_OBJECT_ACE_TYPE: 706 if (filter) { 707 continue; 708 } 709 zobjacep = (zfs_object_ace_t *)zacep; 710 objacep = (ace_object_t *)acep; 711 bcopy(zobjacep->z_object_type, 712 objacep->a_obj_type, 713 sizeof (zobjacep->z_object_type)); 714 bcopy(zobjacep->z_inherit_type, 715 objacep->a_inherit_obj_type, 716 sizeof (zobjacep->z_inherit_type)); 717 ace_size = sizeof (ace_object_t); 718 break; 719 default: 720 ace_size = sizeof (ace_t); 721 break; 722 } 723 724 entry_type = (iflags & ACE_TYPE_FLAGS); 725 if ((entry_type != ACE_OWNER && 726 entry_type != OWNING_GROUP && 727 entry_type != ACE_EVERYONE)) { 728 acep->a_who = zfs_fuid_map_id(zfsvfs, who, 729 cr, (entry_type & ACE_IDENTIFIER_GROUP) ? 730 ZFS_ACE_GROUP : ZFS_ACE_USER); 731 } else { 732 acep->a_who = (uid_t)(int64_t)who; 733 } 734 acep->a_access_mask = access_mask; 735 acep->a_flags = iflags; 736 acep->a_type = type; 737 acep = (ace_t *)((caddr_t)acep + ace_size); 738 } 739 } 740 741 static int 742 zfs_copy_ace_2_oldace(vtype_t obj_type, zfs_acl_t *aclp, ace_t *acep, 743 zfs_oldace_t *z_acl, int aclcnt, size_t *size) 744 { 745 int i; 746 zfs_oldace_t *aceptr = z_acl; 747 748 for (i = 0; i != aclcnt; i++, aceptr++) { 749 aceptr->z_access_mask = acep[i].a_access_mask; 750 aceptr->z_type = acep[i].a_type; 751 aceptr->z_flags = acep[i].a_flags; 752 aceptr->z_fuid = acep[i].a_who; 753 /* 754 * Make sure ACE is valid 755 */ 756 if (zfs_ace_valid(obj_type, aclp, aceptr->z_type, 757 aceptr->z_flags) != B_TRUE) 758 return (EINVAL); 759 } 760 *size = (caddr_t)aceptr - (caddr_t)z_acl; 761 return (0); 762 } 763 764 /* 765 * convert old ACL format to new 766 */ 767 void 768 zfs_acl_xform(znode_t *zp, zfs_acl_t *aclp, cred_t *cr) 769 { 770 zfs_oldace_t *oldaclp; 771 int i; 772 uint16_t type, iflags; 773 uint32_t access_mask; 774 uint64_t who; 775 void *cookie = NULL; 776 zfs_acl_node_t *newaclnode; 777 778 ASSERT(aclp->z_version == ZFS_ACL_VERSION_INITIAL); 779 /* 780 * First create the ACE in a contiguous piece of memory 781 * for zfs_copy_ace_2_fuid(). 782 * 783 * We only convert an ACL once, so this won't happen 784 * everytime. 785 */ 786 oldaclp = kmem_alloc(sizeof (zfs_oldace_t) * aclp->z_acl_count, 787 KM_SLEEP); 788 i = 0; 789 while (cookie = zfs_acl_next_ace(aclp, cookie, &who, 790 &access_mask, &iflags, &type)) { 791 oldaclp[i].z_flags = iflags; 792 oldaclp[i].z_type = type; 793 oldaclp[i].z_fuid = who; 794 oldaclp[i++].z_access_mask = access_mask; 795 } 796 797 newaclnode = zfs_acl_node_alloc(aclp->z_acl_count * 798 sizeof (zfs_object_ace_t)); 799 aclp->z_ops = zfs_acl_fuid_ops; 800 VERIFY(zfs_copy_ace_2_fuid(zp->z_zfsvfs, ZTOV(zp)->v_type, aclp, 801 oldaclp, newaclnode->z_acldata, aclp->z_acl_count, 802 &newaclnode->z_size, NULL, cr) == 0); 803 newaclnode->z_ace_count = aclp->z_acl_count; 804 aclp->z_version = ZFS_ACL_VERSION; 805 kmem_free(oldaclp, aclp->z_acl_count * sizeof (zfs_oldace_t)); 806 807 /* 808 * Release all previous ACL nodes 809 */ 810 811 zfs_acl_release_nodes(aclp); 812 813 list_insert_head(&aclp->z_acl, newaclnode); 814 815 aclp->z_acl_bytes = newaclnode->z_size; 816 aclp->z_acl_count = newaclnode->z_ace_count; 817 818 } 819 820 /* 821 * Convert unix access mask to v4 access mask 822 */ 823 static uint32_t 824 zfs_unix_to_v4(uint32_t access_mask) 825 { 826 uint32_t new_mask = 0; 827 828 if (access_mask & S_IXOTH) 829 new_mask |= ACE_EXECUTE; 830 if (access_mask & S_IWOTH) 831 new_mask |= ACE_WRITE_DATA; 832 if (access_mask & S_IROTH) 833 new_mask |= ACE_READ_DATA; 834 return (new_mask); 835 } 836 837 static void 838 zfs_set_ace(zfs_acl_t *aclp, void *acep, uint32_t access_mask, 839 uint16_t access_type, uint64_t fuid, uint16_t entry_type) 840 { 841 uint16_t type = entry_type & ACE_TYPE_FLAGS; 842 843 aclp->z_ops.ace_mask_set(acep, access_mask); 844 aclp->z_ops.ace_type_set(acep, access_type); 845 aclp->z_ops.ace_flags_set(acep, entry_type); 846 if ((type != ACE_OWNER && type != OWNING_GROUP && 847 type != ACE_EVERYONE)) 848 aclp->z_ops.ace_who_set(acep, fuid); 849 } 850 851 /* 852 * Determine mode of file based on ACL. 853 * Also, create FUIDs for any User/Group ACEs 854 */ 855 uint64_t 856 zfs_mode_compute(uint64_t fmode, zfs_acl_t *aclp, 857 uint64_t *pflags, uint64_t fuid, uint64_t fgid) 858 { 859 int entry_type; 860 mode_t mode; 861 mode_t seen = 0; 862 zfs_ace_hdr_t *acep = NULL; 863 uint64_t who; 864 uint16_t iflags, type; 865 uint32_t access_mask; 866 boolean_t an_exec_denied = B_FALSE; 867 868 mode = (fmode & (S_IFMT | S_ISUID | S_ISGID | S_ISVTX)); 869 870 while (acep = zfs_acl_next_ace(aclp, acep, &who, 871 &access_mask, &iflags, &type)) { 872 873 if (!zfs_acl_valid_ace_type(type, iflags)) 874 continue; 875 876 entry_type = (iflags & ACE_TYPE_FLAGS); 877 878 /* 879 * Skip over owner@, group@ or everyone@ inherit only ACEs 880 */ 881 if ((iflags & ACE_INHERIT_ONLY_ACE) && 882 (entry_type == ACE_OWNER || entry_type == ACE_EVERYONE || 883 entry_type == OWNING_GROUP)) 884 continue; 885 886 if (entry_type == ACE_OWNER || (entry_type == 0 && 887 who == fuid)) { 888 if ((access_mask & ACE_READ_DATA) && 889 (!(seen & S_IRUSR))) { 890 seen |= S_IRUSR; 891 if (type == ALLOW) { 892 mode |= S_IRUSR; 893 } 894 } 895 if ((access_mask & ACE_WRITE_DATA) && 896 (!(seen & S_IWUSR))) { 897 seen |= S_IWUSR; 898 if (type == ALLOW) { 899 mode |= S_IWUSR; 900 } 901 } 902 if ((access_mask & ACE_EXECUTE) && 903 (!(seen & S_IXUSR))) { 904 seen |= S_IXUSR; 905 if (type == ALLOW) { 906 mode |= S_IXUSR; 907 } 908 } 909 } else if (entry_type == OWNING_GROUP || 910 (entry_type == ACE_IDENTIFIER_GROUP && who == fgid)) { 911 if ((access_mask & ACE_READ_DATA) && 912 (!(seen & S_IRGRP))) { 913 seen |= S_IRGRP; 914 if (type == ALLOW) { 915 mode |= S_IRGRP; 916 } 917 } 918 if ((access_mask & ACE_WRITE_DATA) && 919 (!(seen & S_IWGRP))) { 920 seen |= S_IWGRP; 921 if (type == ALLOW) { 922 mode |= S_IWGRP; 923 } 924 } 925 if ((access_mask & ACE_EXECUTE) && 926 (!(seen & S_IXGRP))) { 927 seen |= S_IXGRP; 928 if (type == ALLOW) { 929 mode |= S_IXGRP; 930 } 931 } 932 } else if (entry_type == ACE_EVERYONE) { 933 if ((access_mask & ACE_READ_DATA)) { 934 if (!(seen & S_IRUSR)) { 935 seen |= S_IRUSR; 936 if (type == ALLOW) { 937 mode |= S_IRUSR; 938 } 939 } 940 if (!(seen & S_IRGRP)) { 941 seen |= S_IRGRP; 942 if (type == ALLOW) { 943 mode |= S_IRGRP; 944 } 945 } 946 if (!(seen & S_IROTH)) { 947 seen |= S_IROTH; 948 if (type == ALLOW) { 949 mode |= S_IROTH; 950 } 951 } 952 } 953 if ((access_mask & ACE_WRITE_DATA)) { 954 if (!(seen & S_IWUSR)) { 955 seen |= S_IWUSR; 956 if (type == ALLOW) { 957 mode |= S_IWUSR; 958 } 959 } 960 if (!(seen & S_IWGRP)) { 961 seen |= S_IWGRP; 962 if (type == ALLOW) { 963 mode |= S_IWGRP; 964 } 965 } 966 if (!(seen & S_IWOTH)) { 967 seen |= S_IWOTH; 968 if (type == ALLOW) { 969 mode |= S_IWOTH; 970 } 971 } 972 } 973 if ((access_mask & ACE_EXECUTE)) { 974 if (!(seen & S_IXUSR)) { 975 seen |= S_IXUSR; 976 if (type == ALLOW) { 977 mode |= S_IXUSR; 978 } 979 } 980 if (!(seen & S_IXGRP)) { 981 seen |= S_IXGRP; 982 if (type == ALLOW) { 983 mode |= S_IXGRP; 984 } 985 } 986 if (!(seen & S_IXOTH)) { 987 seen |= S_IXOTH; 988 if (type == ALLOW) { 989 mode |= S_IXOTH; 990 } 991 } 992 } 993 } else { 994 /* 995 * Only care if this IDENTIFIER_GROUP or 996 * USER ACE denies execute access to someone, 997 * mode is not affected 998 */ 999 if ((access_mask & ACE_EXECUTE) && type == DENY) 1000 an_exec_denied = B_TRUE; 1001 } 1002 } 1003 1004 /* 1005 * Failure to allow is effectively a deny, so execute permission 1006 * is denied if it was never mentioned or if we explicitly 1007 * weren't allowed it. 1008 */ 1009 if (!an_exec_denied && 1010 ((seen & ALL_MODE_EXECS) != ALL_MODE_EXECS || 1011 (mode & ALL_MODE_EXECS) != ALL_MODE_EXECS)) 1012 an_exec_denied = B_TRUE; 1013 1014 if (an_exec_denied) 1015 *pflags &= ~ZFS_NO_EXECS_DENIED; 1016 else 1017 *pflags |= ZFS_NO_EXECS_DENIED; 1018 1019 return (mode); 1020 } 1021 1022 /* 1023 * Read an external acl object. If the intent is to modify, always 1024 * create a new acl and leave any cached acl in place. 1025 */ 1026 static int 1027 zfs_acl_node_read(znode_t *zp, zfs_acl_t **aclpp, boolean_t will_modify) 1028 { 1029 zfs_acl_t *aclp; 1030 int aclsize; 1031 int acl_count; 1032 zfs_acl_node_t *aclnode; 1033 zfs_acl_phys_t znode_acl; 1034 int version; 1035 int error; 1036 1037 ASSERT(MUTEX_HELD(&zp->z_acl_lock)); 1038 1039 if (zp->z_acl_cached && !will_modify) { 1040 *aclpp = zp->z_acl_cached; 1041 return (0); 1042 } 1043 1044 version = ZNODE_ACL_VERSION(zp); 1045 1046 if ((error = zfs_acl_znode_info(zp, &aclsize, 1047 &acl_count, &znode_acl)) != 0) 1048 return (error); 1049 1050 aclp = zfs_acl_alloc(version); 1051 1052 aclp->z_acl_count = acl_count; 1053 aclp->z_acl_bytes = aclsize; 1054 1055 aclnode = zfs_acl_node_alloc(aclsize); 1056 aclnode->z_ace_count = aclp->z_acl_count; 1057 aclnode->z_size = aclsize; 1058 1059 if (!zp->z_is_sa) { 1060 if (znode_acl.z_acl_extern_obj) { 1061 error = dmu_read(zp->z_zfsvfs->z_os, 1062 znode_acl.z_acl_extern_obj, 0, aclnode->z_size, 1063 aclnode->z_acldata, DMU_READ_PREFETCH); 1064 } else { 1065 bcopy(znode_acl.z_ace_data, aclnode->z_acldata, 1066 aclnode->z_size); 1067 } 1068 } else { 1069 error = sa_lookup(zp->z_sa_hdl, SA_ZPL_DACL_ACES(zp->z_zfsvfs), 1070 aclnode->z_acldata, aclnode->z_size); 1071 } 1072 1073 if (error != 0) { 1074 zfs_acl_free(aclp); 1075 zfs_acl_node_free(aclnode); 1076 /* convert checksum errors into IO errors */ 1077 if (error == ECKSUM) 1078 error = EIO; 1079 return (error); 1080 } 1081 1082 list_insert_head(&aclp->z_acl, aclnode); 1083 1084 *aclpp = aclp; 1085 if (!will_modify) 1086 zp->z_acl_cached = aclp; 1087 return (0); 1088 } 1089 1090 /*ARGSUSED*/ 1091 void 1092 zfs_acl_data_locator(void **dataptr, uint32_t *length, uint32_t buflen, 1093 boolean_t start, void *userdata) 1094 { 1095 zfs_acl_locator_cb_t *cb = (zfs_acl_locator_cb_t *)userdata; 1096 1097 if (start) { 1098 cb->cb_acl_node = list_head(&cb->cb_aclp->z_acl); 1099 } else { 1100 cb->cb_acl_node = list_next(&cb->cb_aclp->z_acl, 1101 cb->cb_acl_node); 1102 } 1103 *dataptr = cb->cb_acl_node->z_acldata; 1104 *length = cb->cb_acl_node->z_size; 1105 } 1106 1107 1108 static int 1109 zfs_acl_get_owner_fuids(znode_t *zp, uint64_t *fuid, uint64_t *fgid) 1110 { 1111 int count = 0; 1112 sa_bulk_attr_t bulk[2]; 1113 int error; 1114 1115 if (IS_EPHEMERAL(zp->z_uid) || IS_EPHEMERAL(zp->z_gid)) { 1116 SA_ADD_BULK_ATTR(bulk, count, SA_ZPL_UID(zp->z_zfsvfs), NULL, 1117 &fuid, sizeof (fuid)); 1118 SA_ADD_BULK_ATTR(bulk, count, SA_ZPL_GID(zp->z_zfsvfs), NULL, 1119 &fgid, sizeof (fuid)); 1120 if ((error = sa_bulk_lookup(zp->z_sa_hdl, bulk, count)) != 0) { 1121 return (error); 1122 } 1123 } else { 1124 *fuid = zp->z_uid; 1125 *fgid = zp->z_gid; 1126 } 1127 return (0); 1128 } 1129 1130 int 1131 zfs_acl_chown_setattr(znode_t *zp) 1132 { 1133 int error; 1134 zfs_acl_t *aclp; 1135 uint64_t fuid, fgid; 1136 1137 if ((error = zfs_acl_get_owner_fuids(zp, &fuid, &fgid)) != 0) 1138 return (error); 1139 1140 mutex_enter(&zp->z_acl_lock); 1141 if ((error = zfs_acl_node_read(zp, &aclp, B_FALSE)) == 0) 1142 zp->z_mode = zfs_mode_compute(zp->z_mode, aclp, 1143 &zp->z_pflags, fuid, fgid); 1144 mutex_exit(&zp->z_acl_lock); 1145 return (error); 1146 } 1147 1148 /* 1149 * common code for setting ACLs. 1150 * 1151 * This function is called from zfs_mode_update, zfs_perm_init, and zfs_setacl. 1152 * zfs_setacl passes a non-NULL inherit pointer (ihp) to indicate that it's 1153 * already checked the acl and knows whether to inherit. 1154 */ 1155 int 1156 zfs_aclset_common(znode_t *zp, zfs_acl_t *aclp, cred_t *cr, dmu_tx_t *tx) 1157 { 1158 int error; 1159 zfsvfs_t *zfsvfs = zp->z_zfsvfs; 1160 dmu_object_type_t otype; 1161 zfs_acl_locator_cb_t locate = { 0 }; 1162 uint64_t mode; 1163 sa_bulk_attr_t bulk[5]; 1164 uint64_t ctime[2]; 1165 int count = 0; 1166 uint64_t fuid, fgid; 1167 1168 mode = zp->z_mode; 1169 1170 if ((error = zfs_acl_get_owner_fuids(zp, &fuid, &fgid)) != 0) 1171 return (error); 1172 1173 mode = zfs_mode_compute(mode, aclp, &zp->z_pflags, fuid, fgid); 1174 1175 zp->z_mode = mode; 1176 SA_ADD_BULK_ATTR(bulk, count, SA_ZPL_MODE(zfsvfs), NULL, 1177 &mode, sizeof (mode)); 1178 SA_ADD_BULK_ATTR(bulk, count, SA_ZPL_FLAGS(zfsvfs), NULL, 1179 &zp->z_pflags, sizeof (zp->z_pflags)); 1180 SA_ADD_BULK_ATTR(bulk, count, SA_ZPL_CTIME(zfsvfs), NULL, 1181 &ctime, sizeof (ctime)); 1182 1183 if (zp->z_acl_cached) { 1184 zfs_acl_free(zp->z_acl_cached); 1185 zp->z_acl_cached = NULL; 1186 } 1187 1188 /* 1189 * Upgrade needed? 1190 */ 1191 if (!zfsvfs->z_use_fuids) { 1192 otype = DMU_OT_OLDACL; 1193 } else { 1194 if ((aclp->z_version == ZFS_ACL_VERSION_INITIAL) && 1195 (zfsvfs->z_version >= ZPL_VERSION_FUID)) 1196 zfs_acl_xform(zp, aclp, cr); 1197 ASSERT(aclp->z_version >= ZFS_ACL_VERSION_FUID); 1198 otype = DMU_OT_ACL; 1199 } 1200 1201 /* 1202 * Arrgh, we have to handle old on disk format 1203 * as well as newer (preferred) SA format. 1204 */ 1205 1206 if (zp->z_is_sa) { /* the easy case, just update the ACL attribute */ 1207 locate.cb_aclp = aclp; 1208 SA_ADD_BULK_ATTR(bulk, count, SA_ZPL_DACL_ACES(zfsvfs), 1209 zfs_acl_data_locator, &locate, aclp->z_acl_bytes); 1210 SA_ADD_BULK_ATTR(bulk, count, SA_ZPL_DACL_COUNT(zfsvfs), 1211 NULL, &aclp->z_acl_count, sizeof (uint64_t)); 1212 } else { /* Painful legacy way */ 1213 zfs_acl_node_t *aclnode; 1214 uint64_t off = 0; 1215 zfs_acl_phys_t acl_phys; 1216 uint64_t aoid; 1217 1218 if ((error = sa_lookup(zp->z_sa_hdl, SA_ZPL_ZNODE_ACL(zfsvfs), 1219 &acl_phys, sizeof (acl_phys))) != 0) 1220 return (error); 1221 1222 aoid = acl_phys.z_acl_extern_obj; 1223 1224 if (aclp->z_acl_bytes > ZFS_ACE_SPACE) { 1225 /* 1226 * If ACL was previously external and we are now 1227 * converting to new ACL format then release old 1228 * ACL object and create a new one. 1229 */ 1230 if (aoid && 1231 aclp->z_version != acl_phys.z_acl_version) { 1232 error = dmu_object_free(zfsvfs->z_os, aoid, tx); 1233 if (error) 1234 return (error); 1235 aoid = 0; 1236 } 1237 if (aoid == 0) { 1238 aoid = dmu_object_alloc(zfsvfs->z_os, 1239 otype, aclp->z_acl_bytes, 1240 otype == DMU_OT_ACL ? 1241 DMU_OT_SYSACL : DMU_OT_NONE, 1242 otype == DMU_OT_ACL ? 1243 DN_MAX_BONUSLEN : 0, tx); 1244 } else { 1245 (void) dmu_object_set_blocksize(zfsvfs->z_os, 1246 aoid, aclp->z_acl_bytes, 0, tx); 1247 } 1248 acl_phys.z_acl_extern_obj = aoid; 1249 for (aclnode = list_head(&aclp->z_acl); aclnode; 1250 aclnode = list_next(&aclp->z_acl, aclnode)) { 1251 if (aclnode->z_ace_count == 0) 1252 continue; 1253 dmu_write(zfsvfs->z_os, aoid, off, 1254 aclnode->z_size, aclnode->z_acldata, tx); 1255 off += aclnode->z_size; 1256 } 1257 } else { 1258 void *start = acl_phys.z_ace_data; 1259 /* 1260 * Migrating back embedded? 1261 */ 1262 if (acl_phys.z_acl_extern_obj) { 1263 error = dmu_object_free(zfsvfs->z_os, 1264 acl_phys.z_acl_extern_obj, tx); 1265 if (error) 1266 return (error); 1267 acl_phys.z_acl_extern_obj = 0; 1268 } 1269 1270 for (aclnode = list_head(&aclp->z_acl); aclnode; 1271 aclnode = list_next(&aclp->z_acl, aclnode)) { 1272 if (aclnode->z_ace_count == 0) 1273 continue; 1274 bcopy(aclnode->z_acldata, start, 1275 aclnode->z_size); 1276 start = (caddr_t)start + aclnode->z_size; 1277 } 1278 } 1279 /* 1280 * If Old version then swap count/bytes to match old 1281 * layout of znode_acl_phys_t. 1282 */ 1283 if (aclp->z_version == ZFS_ACL_VERSION_INITIAL) { 1284 acl_phys.z_acl_size = aclp->z_acl_count; 1285 acl_phys.z_acl_count = aclp->z_acl_bytes; 1286 } else { 1287 acl_phys.z_acl_size = aclp->z_acl_bytes; 1288 acl_phys.z_acl_count = aclp->z_acl_count; 1289 } 1290 acl_phys.z_acl_version = aclp->z_version; 1291 1292 SA_ADD_BULK_ATTR(bulk, count, SA_ZPL_ZNODE_ACL(zfsvfs), NULL, 1293 &acl_phys, sizeof (acl_phys)); 1294 } 1295 1296 /* 1297 * Replace ACL wide bits, but first clear them. 1298 */ 1299 zp->z_pflags &= ~ZFS_ACL_WIDE_FLAGS; 1300 1301 zp->z_pflags |= aclp->z_hints; 1302 1303 if (ace_trivial_common(aclp, 0, zfs_ace_walk) == 0) 1304 zp->z_pflags |= ZFS_ACL_TRIVIAL; 1305 1306 zfs_tstamp_update_setup(zp, STATE_CHANGED, NULL, ctime, B_TRUE); 1307 return (sa_bulk_update(zp->z_sa_hdl, bulk, count, tx)); 1308 } 1309 1310 /* 1311 * Update access mask for prepended ACE 1312 * 1313 * This applies the "groupmask" value for aclmode property. 1314 */ 1315 static void 1316 zfs_acl_prepend_fixup(zfs_acl_t *aclp, void *acep, void *origacep, 1317 mode_t mode, uint64_t owner) 1318 { 1319 int rmask, wmask, xmask; 1320 int user_ace; 1321 uint16_t aceflags; 1322 uint32_t origmask, acepmask; 1323 uint64_t fuid; 1324 1325 aceflags = aclp->z_ops.ace_flags_get(acep); 1326 fuid = aclp->z_ops.ace_who_get(acep); 1327 origmask = aclp->z_ops.ace_mask_get(origacep); 1328 acepmask = aclp->z_ops.ace_mask_get(acep); 1329 1330 user_ace = (!(aceflags & 1331 (ACE_OWNER|ACE_GROUP|ACE_IDENTIFIER_GROUP))); 1332 1333 if (user_ace && (fuid == owner)) { 1334 rmask = S_IRUSR; 1335 wmask = S_IWUSR; 1336 xmask = S_IXUSR; 1337 } else { 1338 rmask = S_IRGRP; 1339 wmask = S_IWGRP; 1340 xmask = S_IXGRP; 1341 } 1342 1343 if (origmask & ACE_READ_DATA) { 1344 if (mode & rmask) { 1345 acepmask &= ~ACE_READ_DATA; 1346 } else { 1347 acepmask |= ACE_READ_DATA; 1348 } 1349 } 1350 1351 if (origmask & ACE_WRITE_DATA) { 1352 if (mode & wmask) { 1353 acepmask &= ~ACE_WRITE_DATA; 1354 } else { 1355 acepmask |= ACE_WRITE_DATA; 1356 } 1357 } 1358 1359 if (origmask & ACE_APPEND_DATA) { 1360 if (mode & wmask) { 1361 acepmask &= ~ACE_APPEND_DATA; 1362 } else { 1363 acepmask |= ACE_APPEND_DATA; 1364 } 1365 } 1366 1367 if (origmask & ACE_EXECUTE) { 1368 if (mode & xmask) { 1369 acepmask &= ~ACE_EXECUTE; 1370 } else { 1371 acepmask |= ACE_EXECUTE; 1372 } 1373 } 1374 aclp->z_ops.ace_mask_set(acep, acepmask); 1375 } 1376 1377 static void 1378 zfs_acl_chmod(zfsvfs_t *zfsvfs, uint64_t mode, zfs_acl_t *aclp) 1379 { 1380 void *acep = NULL; 1381 uint64_t who; 1382 int new_count, new_bytes; 1383 int ace_size; 1384 int entry_type; 1385 uint16_t iflags, type; 1386 uint32_t access_mask; 1387 zfs_acl_node_t *newnode; 1388 size_t abstract_size = aclp->z_ops.ace_abstract_size(); 1389 void *zacep; 1390 uint32_t owner, group, everyone; 1391 uint32_t deny1, deny2, allow0; 1392 1393 new_count = new_bytes = 0; 1394 1395 acl_trivial_access_masks((mode_t)mode, &allow0, &deny1, &deny2, 1396 &owner, &group, &everyone); 1397 1398 newnode = zfs_acl_node_alloc((abstract_size * 6) + aclp->z_acl_bytes); 1399 1400 zacep = newnode->z_acldata; 1401 if (allow0) { 1402 zfs_set_ace(aclp, zacep, allow0, ALLOW, -1, ACE_OWNER); 1403 zacep = (void *)((uintptr_t)zacep + abstract_size); 1404 new_count++; 1405 new_bytes += abstract_size; 1406 } if (deny1) { 1407 zfs_set_ace(aclp, zacep, deny1, DENY, -1, ACE_OWNER); 1408 zacep = (void *)((uintptr_t)zacep + abstract_size); 1409 new_count++; 1410 new_bytes += abstract_size; 1411 } 1412 if (deny2) { 1413 zfs_set_ace(aclp, zacep, deny2, DENY, -1, OWNING_GROUP); 1414 zacep = (void *)((uintptr_t)zacep + abstract_size); 1415 new_count++; 1416 new_bytes += abstract_size; 1417 } 1418 1419 while (acep = zfs_acl_next_ace(aclp, acep, &who, &access_mask, 1420 &iflags, &type)) { 1421 uint16_t inherit_flags; 1422 1423 entry_type = (iflags & ACE_TYPE_FLAGS); 1424 inherit_flags = (iflags & ALL_INHERIT); 1425 1426 if ((entry_type == ACE_OWNER || entry_type == ACE_EVERYONE || 1427 (entry_type == OWNING_GROUP)) && 1428 ((inherit_flags & ACE_INHERIT_ONLY_ACE) == 0)) { 1429 continue; 1430 } 1431 1432 if ((type != ALLOW && type != DENY) || 1433 (inherit_flags & ACE_INHERIT_ONLY_ACE)) { 1434 if (inherit_flags) 1435 aclp->z_hints |= ZFS_INHERIT_ACE; 1436 switch (type) { 1437 case ACE_ACCESS_ALLOWED_OBJECT_ACE_TYPE: 1438 case ACE_ACCESS_DENIED_OBJECT_ACE_TYPE: 1439 case ACE_SYSTEM_AUDIT_OBJECT_ACE_TYPE: 1440 case ACE_SYSTEM_ALARM_OBJECT_ACE_TYPE: 1441 aclp->z_hints |= ZFS_ACL_OBJ_ACE; 1442 break; 1443 } 1444 } else { 1445 1446 /* 1447 * Limit permissions to be no greater than 1448 * group permissions 1449 */ 1450 if (zfsvfs->z_acl_inherit == ZFS_ACL_RESTRICTED) { 1451 if (!(mode & S_IRGRP)) 1452 access_mask &= ~ACE_READ_DATA; 1453 if (!(mode & S_IWGRP)) 1454 access_mask &= 1455 ~(ACE_WRITE_DATA|ACE_APPEND_DATA); 1456 if (!(mode & S_IXGRP)) 1457 access_mask &= ~ACE_EXECUTE; 1458 access_mask &= 1459 ~(ACE_WRITE_OWNER|ACE_WRITE_ACL| 1460 ACE_WRITE_ATTRIBUTES|ACE_WRITE_NAMED_ATTRS); 1461 } 1462 } 1463 zfs_set_ace(aclp, zacep, access_mask, type, who, iflags); 1464 ace_size = aclp->z_ops.ace_size(acep); 1465 zacep = (void *)((uintptr_t)zacep + ace_size); 1466 new_count++; 1467 new_bytes += ace_size; 1468 } 1469 zfs_set_ace(aclp, zacep, owner, 0, -1, ACE_OWNER); 1470 zacep = (void *)((uintptr_t)zacep + abstract_size); 1471 zfs_set_ace(aclp, zacep, group, 0, -1, OWNING_GROUP); 1472 zacep = (void *)((uintptr_t)zacep + abstract_size); 1473 zfs_set_ace(aclp, zacep, everyone, 0, -1, ACE_EVERYONE); 1474 1475 new_count += 3; 1476 new_bytes += abstract_size * 3; 1477 zfs_acl_release_nodes(aclp); 1478 aclp->z_acl_count = new_count; 1479 aclp->z_acl_bytes = new_bytes; 1480 newnode->z_ace_count = new_count; 1481 newnode->z_size = new_bytes; 1482 list_insert_tail(&aclp->z_acl, newnode); 1483 } 1484 1485 int 1486 zfs_acl_chmod_setattr(znode_t *zp, zfs_acl_t **aclp, uint64_t mode) 1487 { 1488 mutex_enter(&zp->z_lock); 1489 mutex_enter(&zp->z_acl_lock); 1490 *aclp = zfs_acl_alloc(zfs_acl_version_zp(zp)); 1491 (*aclp)->z_hints = zp->z_pflags & V4_ACL_WIDE_FLAGS; 1492 zfs_acl_chmod(zp->z_zfsvfs, mode, *aclp); 1493 mutex_exit(&zp->z_acl_lock); 1494 mutex_exit(&zp->z_lock); 1495 ASSERT(*aclp); 1496 return (0); 1497 } 1498 1499 /* 1500 * strip off write_owner and write_acl 1501 */ 1502 static void 1503 zfs_restricted_update(zfsvfs_t *zfsvfs, zfs_acl_t *aclp, void *acep) 1504 { 1505 uint32_t mask = aclp->z_ops.ace_mask_get(acep); 1506 1507 if ((zfsvfs->z_acl_inherit == ZFS_ACL_RESTRICTED) && 1508 (aclp->z_ops.ace_type_get(acep) == ALLOW)) { 1509 mask &= ~RESTRICTED_CLEAR; 1510 aclp->z_ops.ace_mask_set(acep, mask); 1511 } 1512 } 1513 1514 /* 1515 * Should ACE be inherited? 1516 */ 1517 static int 1518 zfs_ace_can_use(vtype_t vtype, uint16_t acep_flags) 1519 { 1520 int iflags = (acep_flags & 0xf); 1521 1522 if ((vtype == VDIR) && (iflags & ACE_DIRECTORY_INHERIT_ACE)) 1523 return (1); 1524 else if (iflags & ACE_FILE_INHERIT_ACE) 1525 return (!((vtype == VDIR) && 1526 (iflags & ACE_NO_PROPAGATE_INHERIT_ACE))); 1527 return (0); 1528 } 1529 1530 /* 1531 * inherit inheritable ACEs from parent 1532 */ 1533 static zfs_acl_t * 1534 zfs_acl_inherit(zfsvfs_t *zfsvfs, vtype_t vtype, zfs_acl_t *paclp, 1535 uint64_t mode, boolean_t *need_chmod) 1536 { 1537 void *pacep; 1538 void *acep; 1539 zfs_acl_node_t *aclnode; 1540 zfs_acl_t *aclp = NULL; 1541 uint64_t who; 1542 uint32_t access_mask; 1543 uint16_t iflags, newflags, type; 1544 size_t ace_size; 1545 void *data1, *data2; 1546 size_t data1sz, data2sz; 1547 boolean_t vdir = vtype == VDIR; 1548 boolean_t vreg = vtype == VREG; 1549 boolean_t passthrough, passthrough_x, noallow; 1550 1551 passthrough_x = 1552 zfsvfs->z_acl_inherit == ZFS_ACL_PASSTHROUGH_X; 1553 passthrough = passthrough_x || 1554 zfsvfs->z_acl_inherit == ZFS_ACL_PASSTHROUGH; 1555 noallow = 1556 zfsvfs->z_acl_inherit == ZFS_ACL_NOALLOW; 1557 1558 *need_chmod = B_TRUE; 1559 pacep = NULL; 1560 aclp = zfs_acl_alloc(paclp->z_version); 1561 if (zfsvfs->z_acl_inherit == ZFS_ACL_DISCARD || vtype == VLNK) 1562 return (aclp); 1563 while (pacep = zfs_acl_next_ace(paclp, pacep, &who, 1564 &access_mask, &iflags, &type)) { 1565 1566 /* 1567 * don't inherit bogus ACEs 1568 */ 1569 if (!zfs_acl_valid_ace_type(type, iflags)) 1570 continue; 1571 1572 if (noallow && type == ALLOW) 1573 continue; 1574 1575 ace_size = aclp->z_ops.ace_size(pacep); 1576 1577 if (!zfs_ace_can_use(vtype, iflags)) 1578 continue; 1579 1580 /* 1581 * If owner@, group@, or everyone@ inheritable 1582 * then zfs_acl_chmod() isn't needed. 1583 */ 1584 if (passthrough && 1585 ((iflags & (ACE_OWNER|ACE_EVERYONE)) || 1586 ((iflags & OWNING_GROUP) == 1587 OWNING_GROUP)) && (vreg || (vdir && (iflags & 1588 ACE_DIRECTORY_INHERIT_ACE)))) { 1589 *need_chmod = B_FALSE; 1590 } 1591 1592 if (!vdir && passthrough_x && 1593 ((mode & (S_IXUSR | S_IXGRP | S_IXOTH)) == 0)) { 1594 access_mask &= ~ACE_EXECUTE; 1595 } 1596 1597 aclnode = zfs_acl_node_alloc(ace_size); 1598 list_insert_tail(&aclp->z_acl, aclnode); 1599 acep = aclnode->z_acldata; 1600 1601 zfs_set_ace(aclp, acep, access_mask, type, 1602 who, iflags|ACE_INHERITED_ACE); 1603 1604 /* 1605 * Copy special opaque data if any 1606 */ 1607 if ((data1sz = paclp->z_ops.ace_data(pacep, &data1)) != 0) { 1608 VERIFY((data2sz = aclp->z_ops.ace_data(acep, 1609 &data2)) == data1sz); 1610 bcopy(data1, data2, data2sz); 1611 } 1612 1613 aclp->z_acl_count++; 1614 aclnode->z_ace_count++; 1615 aclp->z_acl_bytes += aclnode->z_size; 1616 newflags = aclp->z_ops.ace_flags_get(acep); 1617 1618 if (vdir) 1619 aclp->z_hints |= ZFS_INHERIT_ACE; 1620 1621 if ((iflags & ACE_NO_PROPAGATE_INHERIT_ACE) || !vdir) { 1622 newflags &= ~ALL_INHERIT; 1623 aclp->z_ops.ace_flags_set(acep, 1624 newflags|ACE_INHERITED_ACE); 1625 zfs_restricted_update(zfsvfs, aclp, acep); 1626 continue; 1627 } 1628 1629 ASSERT(vdir); 1630 1631 /* 1632 * If only FILE_INHERIT is set then turn on 1633 * inherit_only 1634 */ 1635 if ((iflags & (ACE_FILE_INHERIT_ACE | 1636 ACE_DIRECTORY_INHERIT_ACE)) == 1637 ACE_FILE_INHERIT_ACE) { 1638 newflags |= ACE_INHERIT_ONLY_ACE; 1639 aclp->z_ops.ace_flags_set(acep, 1640 newflags|ACE_INHERITED_ACE); 1641 } 1642 } 1643 return (aclp); 1644 } 1645 1646 /* 1647 * Create file system object initial permissions 1648 * including inheritable ACEs. 1649 */ 1650 int 1651 zfs_acl_ids_create(znode_t *dzp, int flag, vattr_t *vap, cred_t *cr, 1652 vsecattr_t *vsecp, zfs_acl_ids_t *acl_ids) 1653 { 1654 int error; 1655 zfsvfs_t *zfsvfs = dzp->z_zfsvfs; 1656 zfs_acl_t *paclp; 1657 gid_t gid; 1658 boolean_t need_chmod = B_TRUE; 1659 boolean_t inherited = B_FALSE; 1660 uint64_t parentgid; 1661 1662 bzero(acl_ids, sizeof (zfs_acl_ids_t)); 1663 acl_ids->z_mode = MAKEIMODE(vap->va_type, vap->va_mode); 1664 1665 if (vsecp) 1666 if ((error = zfs_vsec_2_aclp(zfsvfs, vap->va_type, vsecp, cr, 1667 &acl_ids->z_fuidp, &acl_ids->z_aclp)) != 0) 1668 return (error); 1669 /* 1670 * Determine uid and gid. 1671 */ 1672 if ((flag & IS_ROOT_NODE) || zfsvfs->z_replay || 1673 ((flag & IS_XATTR) && (vap->va_type == VDIR))) { 1674 acl_ids->z_fuid = zfs_fuid_create(zfsvfs, 1675 (uint64_t)vap->va_uid, cr, 1676 ZFS_OWNER, &acl_ids->z_fuidp); 1677 acl_ids->z_fgid = zfs_fuid_create(zfsvfs, 1678 (uint64_t)vap->va_gid, cr, 1679 ZFS_GROUP, &acl_ids->z_fuidp); 1680 gid = vap->va_gid; 1681 } else { 1682 if (IS_EPHEMERAL(dzp->z_gid)) 1683 VERIFY(0 == sa_lookup(dzp->z_sa_hdl, SA_ZPL_GID(zfsvfs), 1684 &parentgid, sizeof (parentgid))); 1685 else 1686 parentgid = (uint64_t)dzp->z_gid; 1687 1688 acl_ids->z_fuid = zfs_fuid_create_cred(zfsvfs, ZFS_OWNER, 1689 cr, &acl_ids->z_fuidp); 1690 acl_ids->z_fgid = 0; 1691 if (vap->va_mask & AT_GID) { 1692 acl_ids->z_fgid = zfs_fuid_create(zfsvfs, 1693 (uint64_t)vap->va_gid, 1694 cr, ZFS_GROUP, &acl_ids->z_fuidp); 1695 gid = vap->va_gid; 1696 if (acl_ids->z_fgid != parentgid && 1697 !groupmember(vap->va_gid, cr) && 1698 secpolicy_vnode_create_gid(cr) != 0) 1699 acl_ids->z_fgid = 0; 1700 } 1701 if (acl_ids->z_fgid == 0) { 1702 if (dzp->z_mode & S_ISGID) { 1703 char *domain; 1704 uint32_t rid; 1705 1706 acl_ids->z_fgid = parentgid; 1707 gid = zfs_fuid_map_id(zfsvfs, acl_ids->z_fgid, 1708 cr, ZFS_GROUP); 1709 1710 if (zfsvfs->z_use_fuids && 1711 IS_EPHEMERAL(acl_ids->z_fgid)) { 1712 domain = zfs_fuid_idx_domain( 1713 &zfsvfs->z_fuid_idx, 1714 FUID_INDEX(acl_ids->z_fgid)); 1715 rid = FUID_RID(acl_ids->z_fgid); 1716 zfs_fuid_node_add(&acl_ids->z_fuidp, 1717 domain, rid, 1718 FUID_INDEX(acl_ids->z_fgid), 1719 acl_ids->z_fgid, ZFS_GROUP); 1720 } 1721 } else { 1722 acl_ids->z_fgid = zfs_fuid_create_cred(zfsvfs, 1723 ZFS_GROUP, cr, &acl_ids->z_fuidp); 1724 gid = crgetgid(cr); 1725 } 1726 } 1727 } 1728 1729 /* 1730 * If we're creating a directory, and the parent directory has the 1731 * set-GID bit set, set in on the new directory. 1732 * Otherwise, if the user is neither privileged nor a member of the 1733 * file's new group, clear the file's set-GID bit. 1734 */ 1735 1736 if (!(flag & IS_ROOT_NODE) && (dzp->z_mode & S_ISGID) && 1737 (vap->va_type == VDIR)) { 1738 acl_ids->z_mode |= S_ISGID; 1739 } else { 1740 if ((acl_ids->z_mode & S_ISGID) && 1741 secpolicy_vnode_setids_setgids(cr, gid) != 0) 1742 acl_ids->z_mode &= ~S_ISGID; 1743 } 1744 1745 if (acl_ids->z_aclp == NULL) { 1746 mutex_enter(&dzp->z_lock); 1747 if (!(flag & IS_ROOT_NODE) && (ZTOV(dzp)->v_type == VDIR && 1748 (dzp->z_pflags & ZFS_INHERIT_ACE)) && 1749 !(dzp->z_pflags & ZFS_XATTR)) { 1750 mutex_enter(&dzp->z_acl_lock); 1751 VERIFY(0 == zfs_acl_node_read(dzp, &paclp, B_FALSE)); 1752 acl_ids->z_aclp = zfs_acl_inherit(zfsvfs, 1753 vap->va_type, paclp, acl_ids->z_mode, &need_chmod); 1754 mutex_exit(&dzp->z_acl_lock); 1755 inherited = B_TRUE; 1756 } else { 1757 acl_ids->z_aclp = 1758 zfs_acl_alloc(zfs_acl_version_zp(dzp)); 1759 acl_ids->z_aclp->z_hints |= ZFS_ACL_TRIVIAL; 1760 } 1761 mutex_exit(&dzp->z_lock); 1762 if (need_chmod) { 1763 acl_ids->z_aclp->z_hints |= (vap->va_type == VDIR) ? 1764 ZFS_ACL_AUTO_INHERIT : 0; 1765 zfs_acl_chmod(zfsvfs, acl_ids->z_mode, acl_ids->z_aclp); 1766 } 1767 } 1768 1769 if (inherited || vsecp) { 1770 acl_ids->z_mode = zfs_mode_compute(acl_ids->z_mode, 1771 acl_ids->z_aclp, &acl_ids->z_aclp->z_hints, 1772 acl_ids->z_fuid, acl_ids->z_fgid); 1773 if (ace_trivial_common(acl_ids->z_aclp, 0, zfs_ace_walk) == 0) 1774 acl_ids->z_aclp->z_hints |= ZFS_ACL_TRIVIAL; 1775 } 1776 1777 return (0); 1778 } 1779 1780 /* 1781 * Free ACL and fuid_infop, but not the acl_ids structure 1782 */ 1783 void 1784 zfs_acl_ids_free(zfs_acl_ids_t *acl_ids) 1785 { 1786 if (acl_ids->z_aclp) 1787 zfs_acl_free(acl_ids->z_aclp); 1788 if (acl_ids->z_fuidp) 1789 zfs_fuid_info_free(acl_ids->z_fuidp); 1790 acl_ids->z_aclp = NULL; 1791 acl_ids->z_fuidp = NULL; 1792 } 1793 1794 boolean_t 1795 zfs_acl_ids_overquota(zfsvfs_t *zfsvfs, zfs_acl_ids_t *acl_ids) 1796 { 1797 return (zfs_fuid_overquota(zfsvfs, B_FALSE, acl_ids->z_fuid) || 1798 zfs_fuid_overquota(zfsvfs, B_TRUE, acl_ids->z_fgid)); 1799 } 1800 1801 /* 1802 * Retrieve a files ACL 1803 */ 1804 int 1805 zfs_getacl(znode_t *zp, vsecattr_t *vsecp, boolean_t skipaclchk, cred_t *cr) 1806 { 1807 zfs_acl_t *aclp; 1808 ulong_t mask; 1809 int error; 1810 int count = 0; 1811 int largeace = 0; 1812 1813 mask = vsecp->vsa_mask & (VSA_ACE | VSA_ACECNT | 1814 VSA_ACE_ACLFLAGS | VSA_ACE_ALLTYPES); 1815 1816 if (mask == 0) 1817 return (ENOSYS); 1818 1819 if (error = zfs_zaccess(zp, ACE_READ_ACL, 0, skipaclchk, cr)) 1820 return (error); 1821 1822 mutex_enter(&zp->z_acl_lock); 1823 1824 error = zfs_acl_node_read(zp, &aclp, B_FALSE); 1825 if (error != 0) { 1826 mutex_exit(&zp->z_acl_lock); 1827 return (error); 1828 } 1829 1830 /* 1831 * Scan ACL to determine number of ACEs 1832 */ 1833 if ((zp->z_pflags & ZFS_ACL_OBJ_ACE) && !(mask & VSA_ACE_ALLTYPES)) { 1834 void *zacep = NULL; 1835 uint64_t who; 1836 uint32_t access_mask; 1837 uint16_t type, iflags; 1838 1839 while (zacep = zfs_acl_next_ace(aclp, zacep, 1840 &who, &access_mask, &iflags, &type)) { 1841 switch (type) { 1842 case ACE_ACCESS_ALLOWED_OBJECT_ACE_TYPE: 1843 case ACE_ACCESS_DENIED_OBJECT_ACE_TYPE: 1844 case ACE_SYSTEM_AUDIT_OBJECT_ACE_TYPE: 1845 case ACE_SYSTEM_ALARM_OBJECT_ACE_TYPE: 1846 largeace++; 1847 continue; 1848 default: 1849 count++; 1850 } 1851 } 1852 vsecp->vsa_aclcnt = count; 1853 } else 1854 count = (int)aclp->z_acl_count; 1855 1856 if (mask & VSA_ACECNT) { 1857 vsecp->vsa_aclcnt = count; 1858 } 1859 1860 if (mask & VSA_ACE) { 1861 size_t aclsz; 1862 1863 aclsz = count * sizeof (ace_t) + 1864 sizeof (ace_object_t) * largeace; 1865 1866 vsecp->vsa_aclentp = kmem_alloc(aclsz, KM_SLEEP); 1867 vsecp->vsa_aclentsz = aclsz; 1868 1869 if (aclp->z_version == ZFS_ACL_VERSION_FUID) 1870 zfs_copy_fuid_2_ace(zp->z_zfsvfs, aclp, cr, 1871 vsecp->vsa_aclentp, !(mask & VSA_ACE_ALLTYPES)); 1872 else { 1873 zfs_acl_node_t *aclnode; 1874 void *start = vsecp->vsa_aclentp; 1875 1876 for (aclnode = list_head(&aclp->z_acl); aclnode; 1877 aclnode = list_next(&aclp->z_acl, aclnode)) { 1878 bcopy(aclnode->z_acldata, start, 1879 aclnode->z_size); 1880 start = (caddr_t)start + aclnode->z_size; 1881 } 1882 ASSERT((caddr_t)start - (caddr_t)vsecp->vsa_aclentp == 1883 aclp->z_acl_bytes); 1884 } 1885 } 1886 if (mask & VSA_ACE_ACLFLAGS) { 1887 vsecp->vsa_aclflags = 0; 1888 if (zp->z_pflags & ZFS_ACL_DEFAULTED) 1889 vsecp->vsa_aclflags |= ACL_DEFAULTED; 1890 if (zp->z_pflags & ZFS_ACL_PROTECTED) 1891 vsecp->vsa_aclflags |= ACL_PROTECTED; 1892 if (zp->z_pflags & ZFS_ACL_AUTO_INHERIT) 1893 vsecp->vsa_aclflags |= ACL_AUTO_INHERIT; 1894 } 1895 1896 mutex_exit(&zp->z_acl_lock); 1897 1898 return (0); 1899 } 1900 1901 int 1902 zfs_vsec_2_aclp(zfsvfs_t *zfsvfs, vtype_t obj_type, 1903 vsecattr_t *vsecp, cred_t *cr, zfs_fuid_info_t **fuidp, zfs_acl_t **zaclp) 1904 { 1905 zfs_acl_t *aclp; 1906 zfs_acl_node_t *aclnode; 1907 int aclcnt = vsecp->vsa_aclcnt; 1908 int error; 1909 1910 if (vsecp->vsa_aclcnt > MAX_ACL_ENTRIES || vsecp->vsa_aclcnt <= 0) 1911 return (EINVAL); 1912 1913 aclp = zfs_acl_alloc(zfs_acl_version(zfsvfs->z_version)); 1914 1915 aclp->z_hints = 0; 1916 aclnode = zfs_acl_node_alloc(aclcnt * sizeof (zfs_object_ace_t)); 1917 if (aclp->z_version == ZFS_ACL_VERSION_INITIAL) { 1918 if ((error = zfs_copy_ace_2_oldace(obj_type, aclp, 1919 (ace_t *)vsecp->vsa_aclentp, aclnode->z_acldata, 1920 aclcnt, &aclnode->z_size)) != 0) { 1921 zfs_acl_free(aclp); 1922 zfs_acl_node_free(aclnode); 1923 return (error); 1924 } 1925 } else { 1926 if ((error = zfs_copy_ace_2_fuid(zfsvfs, obj_type, aclp, 1927 vsecp->vsa_aclentp, aclnode->z_acldata, aclcnt, 1928 &aclnode->z_size, fuidp, cr)) != 0) { 1929 zfs_acl_free(aclp); 1930 zfs_acl_node_free(aclnode); 1931 return (error); 1932 } 1933 } 1934 aclp->z_acl_bytes = aclnode->z_size; 1935 aclnode->z_ace_count = aclcnt; 1936 aclp->z_acl_count = aclcnt; 1937 list_insert_head(&aclp->z_acl, aclnode); 1938 1939 /* 1940 * If flags are being set then add them to z_hints 1941 */ 1942 if (vsecp->vsa_mask & VSA_ACE_ACLFLAGS) { 1943 if (vsecp->vsa_aclflags & ACL_PROTECTED) 1944 aclp->z_hints |= ZFS_ACL_PROTECTED; 1945 if (vsecp->vsa_aclflags & ACL_DEFAULTED) 1946 aclp->z_hints |= ZFS_ACL_DEFAULTED; 1947 if (vsecp->vsa_aclflags & ACL_AUTO_INHERIT) 1948 aclp->z_hints |= ZFS_ACL_AUTO_INHERIT; 1949 } 1950 1951 *zaclp = aclp; 1952 1953 return (0); 1954 } 1955 1956 /* 1957 * Set a files ACL 1958 */ 1959 int 1960 zfs_setacl(znode_t *zp, vsecattr_t *vsecp, boolean_t skipaclchk, cred_t *cr) 1961 { 1962 zfsvfs_t *zfsvfs = zp->z_zfsvfs; 1963 zilog_t *zilog = zfsvfs->z_log; 1964 ulong_t mask = vsecp->vsa_mask & (VSA_ACE | VSA_ACECNT); 1965 dmu_tx_t *tx; 1966 int error; 1967 zfs_acl_t *aclp; 1968 zfs_fuid_info_t *fuidp = NULL; 1969 boolean_t fuid_dirtied; 1970 1971 if (mask == 0) 1972 return (ENOSYS); 1973 1974 if (zp->z_pflags & ZFS_IMMUTABLE) 1975 return (EPERM); 1976 1977 if (error = zfs_zaccess(zp, ACE_WRITE_ACL, 0, skipaclchk, cr)) 1978 return (error); 1979 1980 error = zfs_vsec_2_aclp(zfsvfs, ZTOV(zp)->v_type, vsecp, cr, &fuidp, 1981 &aclp); 1982 if (error) 1983 return (error); 1984 1985 /* 1986 * If ACL wide flags aren't being set then preserve any 1987 * existing flags. 1988 */ 1989 if (!(vsecp->vsa_mask & VSA_ACE_ACLFLAGS)) { 1990 aclp->z_hints |= 1991 (zp->z_pflags & V4_ACL_WIDE_FLAGS); 1992 } 1993 top: 1994 mutex_enter(&zp->z_lock); 1995 mutex_enter(&zp->z_acl_lock); 1996 1997 tx = dmu_tx_create(zfsvfs->z_os); 1998 1999 dmu_tx_hold_sa(tx, zp->z_sa_hdl, B_TRUE); 2000 2001 fuid_dirtied = zfsvfs->z_fuid_dirty; 2002 if (fuid_dirtied) 2003 zfs_fuid_txhold(zfsvfs, tx); 2004 2005 /* 2006 * If old version and ACL won't fit in bonus and we aren't 2007 * upgrading then take out necessary DMU holds 2008 */ 2009 2010 if (ZFS_EXTERNAL_ACL(zp)) { 2011 if (zfsvfs->z_version <= ZPL_VERSION_SA && 2012 ZNODE_ACL_VERSION(zp) <= ZFS_ACL_VERSION_INITIAL) { 2013 dmu_tx_hold_free(tx, ZFS_EXTERNAL_ACL(zp), 0, 2014 DMU_OBJECT_END); 2015 } else { 2016 dmu_tx_hold_write(tx, ZFS_EXTERNAL_ACL(zp), 2017 0, aclp->z_acl_bytes); 2018 } 2019 } else if (!zp->z_is_sa && aclp->z_acl_bytes > ZFS_ACE_SPACE) { 2020 dmu_tx_hold_write(tx, DMU_NEW_OBJECT, 0, aclp->z_acl_bytes); 2021 } 2022 2023 zfs_sa_upgrade_txholds(tx, zp); 2024 error = dmu_tx_assign(tx, TXG_NOWAIT); 2025 if (error) { 2026 mutex_exit(&zp->z_acl_lock); 2027 mutex_exit(&zp->z_lock); 2028 2029 if (error == ERESTART) { 2030 dmu_tx_wait(tx); 2031 dmu_tx_abort(tx); 2032 goto top; 2033 } 2034 dmu_tx_abort(tx); 2035 zfs_acl_free(aclp); 2036 return (error); 2037 } 2038 2039 error = zfs_aclset_common(zp, aclp, cr, tx); 2040 ASSERT(error == 0); 2041 zp->z_acl_cached = aclp; 2042 2043 if (fuid_dirtied) 2044 zfs_fuid_sync(zfsvfs, tx); 2045 2046 zfs_log_acl(zilog, tx, zp, vsecp, fuidp); 2047 2048 if (fuidp) 2049 zfs_fuid_info_free(fuidp); 2050 dmu_tx_commit(tx); 2051 done: 2052 mutex_exit(&zp->z_acl_lock); 2053 mutex_exit(&zp->z_lock); 2054 2055 return (error); 2056 } 2057 2058 /* 2059 * Check accesses of interest (AoI) against attributes of the dataset 2060 * such as read-only. Returns zero if no AoI conflict with dataset 2061 * attributes, otherwise an appropriate errno is returned. 2062 */ 2063 static int 2064 zfs_zaccess_dataset_check(znode_t *zp, uint32_t v4_mode) 2065 { 2066 if ((v4_mode & WRITE_MASK) && 2067 (zp->z_zfsvfs->z_vfs->vfs_flag & VFS_RDONLY) && 2068 (!IS_DEVVP(ZTOV(zp)) || 2069 (IS_DEVVP(ZTOV(zp)) && (v4_mode & WRITE_MASK_ATTRS)))) { 2070 return (EROFS); 2071 } 2072 2073 /* 2074 * Only check for READONLY on non-directories. 2075 */ 2076 if ((v4_mode & WRITE_MASK_DATA) && 2077 (((ZTOV(zp)->v_type != VDIR) && 2078 (zp->z_pflags & (ZFS_READONLY | ZFS_IMMUTABLE))) || 2079 (ZTOV(zp)->v_type == VDIR && 2080 (zp->z_pflags & ZFS_IMMUTABLE)))) { 2081 return (EPERM); 2082 } 2083 2084 if ((v4_mode & (ACE_DELETE | ACE_DELETE_CHILD)) && 2085 (zp->z_pflags & ZFS_NOUNLINK)) { 2086 return (EPERM); 2087 } 2088 2089 if (((v4_mode & (ACE_READ_DATA|ACE_EXECUTE)) && 2090 (zp->z_pflags & ZFS_AV_QUARANTINED))) { 2091 return (EACCES); 2092 } 2093 2094 return (0); 2095 } 2096 2097 /* 2098 * The primary usage of this function is to loop through all of the 2099 * ACEs in the znode, determining what accesses of interest (AoI) to 2100 * the caller are allowed or denied. The AoI are expressed as bits in 2101 * the working_mode parameter. As each ACE is processed, bits covered 2102 * by that ACE are removed from the working_mode. This removal 2103 * facilitates two things. The first is that when the working mode is 2104 * empty (= 0), we know we've looked at all the AoI. The second is 2105 * that the ACE interpretation rules don't allow a later ACE to undo 2106 * something granted or denied by an earlier ACE. Removing the 2107 * discovered access or denial enforces this rule. At the end of 2108 * processing the ACEs, all AoI that were found to be denied are 2109 * placed into the working_mode, giving the caller a mask of denied 2110 * accesses. Returns: 2111 * 0 if all AoI granted 2112 * EACCESS if the denied mask is non-zero 2113 * other error if abnormal failure (e.g., IO error) 2114 * 2115 * A secondary usage of the function is to determine if any of the 2116 * AoI are granted. If an ACE grants any access in 2117 * the working_mode, we immediately short circuit out of the function. 2118 * This mode is chosen by setting anyaccess to B_TRUE. The 2119 * working_mode is not a denied access mask upon exit if the function 2120 * is used in this manner. 2121 */ 2122 static int 2123 zfs_zaccess_aces_check(znode_t *zp, uint32_t *working_mode, 2124 boolean_t anyaccess, cred_t *cr) 2125 { 2126 zfsvfs_t *zfsvfs = zp->z_zfsvfs; 2127 zfs_acl_t *aclp; 2128 int error; 2129 uid_t uid = crgetuid(cr); 2130 uint64_t who; 2131 uint16_t type, iflags; 2132 uint16_t entry_type; 2133 uint32_t access_mask; 2134 uint32_t deny_mask = 0; 2135 zfs_ace_hdr_t *acep = NULL; 2136 boolean_t checkit; 2137 uint64_t gowner; 2138 2139 mutex_enter(&zp->z_acl_lock); 2140 2141 error = zfs_acl_node_read(zp, &aclp, B_FALSE); 2142 if (error != 0) { 2143 mutex_exit(&zp->z_acl_lock); 2144 return (error); 2145 } 2146 2147 ASSERT(zp->z_acl_cached); 2148 2149 if ((error = sa_lookup(zp->z_sa_hdl, SA_ZPL_GID(zfsvfs), 2150 &gowner, sizeof (gowner))) != 0) { 2151 mutex_exit(&zp->z_acl_lock); 2152 return (error); 2153 } 2154 2155 while (acep = zfs_acl_next_ace(aclp, acep, &who, &access_mask, 2156 &iflags, &type)) { 2157 uint32_t mask_matched; 2158 2159 if (!zfs_acl_valid_ace_type(type, iflags)) 2160 continue; 2161 2162 if (ZTOV(zp)->v_type == VDIR && (iflags & ACE_INHERIT_ONLY_ACE)) 2163 continue; 2164 2165 /* Skip ACE if it does not affect any AoI */ 2166 mask_matched = (access_mask & *working_mode); 2167 if (!mask_matched) 2168 continue; 2169 2170 entry_type = (iflags & ACE_TYPE_FLAGS); 2171 2172 checkit = B_FALSE; 2173 2174 switch (entry_type) { 2175 case ACE_OWNER: 2176 if (uid == zp->z_uid) 2177 checkit = B_TRUE; 2178 break; 2179 case OWNING_GROUP: 2180 who = gowner; 2181 /*FALLTHROUGH*/ 2182 case ACE_IDENTIFIER_GROUP: 2183 checkit = zfs_groupmember(zfsvfs, who, cr); 2184 break; 2185 case ACE_EVERYONE: 2186 checkit = B_TRUE; 2187 break; 2188 2189 /* USER Entry */ 2190 default: 2191 if (entry_type == 0) { 2192 uid_t newid; 2193 2194 newid = zfs_fuid_map_id(zfsvfs, who, cr, 2195 ZFS_ACE_USER); 2196 if (newid != IDMAP_WK_CREATOR_OWNER_UID && 2197 uid == newid) 2198 checkit = B_TRUE; 2199 break; 2200 } else { 2201 mutex_exit(&zp->z_acl_lock); 2202 return (EIO); 2203 } 2204 } 2205 2206 if (checkit) { 2207 if (type == DENY) { 2208 DTRACE_PROBE3(zfs__ace__denies, 2209 znode_t *, zp, 2210 zfs_ace_hdr_t *, acep, 2211 uint32_t, mask_matched); 2212 deny_mask |= mask_matched; 2213 } else { 2214 DTRACE_PROBE3(zfs__ace__allows, 2215 znode_t *, zp, 2216 zfs_ace_hdr_t *, acep, 2217 uint32_t, mask_matched); 2218 if (anyaccess) { 2219 mutex_exit(&zp->z_acl_lock); 2220 return (0); 2221 } 2222 } 2223 *working_mode &= ~mask_matched; 2224 } 2225 2226 /* Are we done? */ 2227 if (*working_mode == 0) 2228 break; 2229 } 2230 2231 mutex_exit(&zp->z_acl_lock); 2232 2233 /* Put the found 'denies' back on the working mode */ 2234 if (deny_mask) { 2235 *working_mode |= deny_mask; 2236 return (EACCES); 2237 } else if (*working_mode) { 2238 return (-1); 2239 } 2240 2241 return (0); 2242 } 2243 2244 /* 2245 * Return true if any access whatsoever granted, we don't actually 2246 * care what access is granted. 2247 */ 2248 boolean_t 2249 zfs_has_access(znode_t *zp, cred_t *cr) 2250 { 2251 uint32_t have = ACE_ALL_PERMS; 2252 2253 if (zfs_zaccess_aces_check(zp, &have, B_TRUE, cr) != 0) { 2254 return (secpolicy_vnode_any_access(cr, ZTOV(zp), 2255 zp->z_uid) == 0); 2256 } 2257 return (B_TRUE); 2258 } 2259 2260 static int 2261 zfs_zaccess_common(znode_t *zp, uint32_t v4_mode, uint32_t *working_mode, 2262 boolean_t *check_privs, boolean_t skipaclchk, cred_t *cr) 2263 { 2264 zfsvfs_t *zfsvfs = zp->z_zfsvfs; 2265 int err; 2266 2267 *working_mode = v4_mode; 2268 *check_privs = B_TRUE; 2269 2270 /* 2271 * Short circuit empty requests 2272 */ 2273 if (v4_mode == 0 || zfsvfs->z_replay) { 2274 *working_mode = 0; 2275 return (0); 2276 } 2277 2278 if ((err = zfs_zaccess_dataset_check(zp, v4_mode)) != 0) { 2279 *check_privs = B_FALSE; 2280 return (err); 2281 } 2282 2283 /* 2284 * The caller requested that the ACL check be skipped. This 2285 * would only happen if the caller checked VOP_ACCESS() with a 2286 * 32 bit ACE mask and already had the appropriate permissions. 2287 */ 2288 if (skipaclchk) { 2289 *working_mode = 0; 2290 return (0); 2291 } 2292 2293 return (zfs_zaccess_aces_check(zp, working_mode, B_FALSE, cr)); 2294 } 2295 2296 static int 2297 zfs_zaccess_append(znode_t *zp, uint32_t *working_mode, boolean_t *check_privs, 2298 cred_t *cr) 2299 { 2300 if (*working_mode != ACE_WRITE_DATA) 2301 return (EACCES); 2302 2303 return (zfs_zaccess_common(zp, ACE_APPEND_DATA, working_mode, 2304 check_privs, B_FALSE, cr)); 2305 } 2306 2307 int 2308 zfs_fastaccesschk_execute(znode_t *zdp, cred_t *cr) 2309 { 2310 boolean_t owner = B_FALSE; 2311 boolean_t groupmbr = B_FALSE; 2312 boolean_t is_attr; 2313 uid_t uid = crgetuid(cr); 2314 int error; 2315 2316 if (zdp->z_pflags & ZFS_AV_QUARANTINED) 2317 return (EACCES); 2318 2319 is_attr = ((zdp->z_pflags & ZFS_XATTR) && 2320 (ZTOV(zdp)->v_type == VDIR)); 2321 if (is_attr) 2322 goto slow; 2323 2324 2325 mutex_enter(&zdp->z_acl_lock); 2326 2327 if (zdp->z_pflags & ZFS_NO_EXECS_DENIED) { 2328 mutex_exit(&zdp->z_acl_lock); 2329 return (0); 2330 } 2331 2332 if (IS_EPHEMERAL(zdp->z_uid) != 0 || IS_EPHEMERAL(zdp->z_gid) != 0) { 2333 mutex_exit(&zdp->z_acl_lock); 2334 goto slow; 2335 } 2336 2337 if (uid == zdp->z_uid) { 2338 owner = B_TRUE; 2339 if (zdp->z_mode & S_IXUSR) { 2340 mutex_exit(&zdp->z_acl_lock); 2341 return (0); 2342 } else { 2343 mutex_exit(&zdp->z_acl_lock); 2344 goto slow; 2345 } 2346 } 2347 if (groupmember(zdp->z_gid, cr)) { 2348 groupmbr = B_TRUE; 2349 if (zdp->z_mode & S_IXGRP) { 2350 mutex_exit(&zdp->z_acl_lock); 2351 return (0); 2352 } else { 2353 mutex_exit(&zdp->z_acl_lock); 2354 goto slow; 2355 } 2356 } 2357 if (!owner && !groupmbr) { 2358 if (zdp->z_mode & S_IXOTH) { 2359 mutex_exit(&zdp->z_acl_lock); 2360 return (0); 2361 } 2362 } 2363 2364 mutex_exit(&zdp->z_acl_lock); 2365 2366 slow: 2367 DTRACE_PROBE(zfs__fastpath__execute__access__miss); 2368 ZFS_ENTER(zdp->z_zfsvfs); 2369 error = zfs_zaccess(zdp, ACE_EXECUTE, 0, B_FALSE, cr); 2370 ZFS_EXIT(zdp->z_zfsvfs); 2371 return (error); 2372 } 2373 2374 /* 2375 * Determine whether Access should be granted/denied. 2376 * The least priv subsytem is always consulted as a basic privilege 2377 * can define any form of access. 2378 */ 2379 int 2380 zfs_zaccess(znode_t *zp, int mode, int flags, boolean_t skipaclchk, cred_t *cr) 2381 { 2382 uint32_t working_mode; 2383 int error; 2384 int is_attr; 2385 boolean_t check_privs; 2386 znode_t *xzp; 2387 znode_t *check_zp = zp; 2388 mode_t needed_bits; 2389 2390 is_attr = ((zp->z_pflags & ZFS_XATTR) && (ZTOV(zp)->v_type == VDIR)); 2391 2392 /* 2393 * If attribute then validate against base file 2394 */ 2395 if (is_attr) { 2396 uint64_t parent; 2397 2398 if ((error = sa_lookup(zp->z_sa_hdl, 2399 SA_ZPL_PARENT(zp->z_zfsvfs), &parent, 2400 sizeof (parent))) != 0) 2401 return (error); 2402 2403 if ((error = zfs_zget(zp->z_zfsvfs, 2404 parent, &xzp)) != 0) { 2405 return (error); 2406 } 2407 2408 check_zp = xzp; 2409 2410 /* 2411 * fixup mode to map to xattr perms 2412 */ 2413 2414 if (mode & (ACE_WRITE_DATA|ACE_APPEND_DATA)) { 2415 mode &= ~(ACE_WRITE_DATA|ACE_APPEND_DATA); 2416 mode |= ACE_WRITE_NAMED_ATTRS; 2417 } 2418 2419 if (mode & (ACE_READ_DATA|ACE_EXECUTE)) { 2420 mode &= ~(ACE_READ_DATA|ACE_EXECUTE); 2421 mode |= ACE_READ_NAMED_ATTRS; 2422 } 2423 } 2424 2425 /* 2426 * Map the bits required to the standard vnode flags VREAD|VWRITE|VEXEC 2427 * in needed_bits. Map the bits mapped by working_mode (currently 2428 * missing) in missing_bits. 2429 * Call secpolicy_vnode_access2() with (needed_bits & ~checkmode), 2430 * needed_bits. 2431 */ 2432 needed_bits = 0; 2433 2434 working_mode = mode; 2435 if ((working_mode & (ACE_READ_ACL|ACE_READ_ATTRIBUTES)) && 2436 zp->z_uid == crgetuid(cr)) 2437 working_mode &= ~(ACE_READ_ACL|ACE_READ_ATTRIBUTES); 2438 2439 if (working_mode & (ACE_READ_DATA|ACE_READ_NAMED_ATTRS| 2440 ACE_READ_ACL|ACE_READ_ATTRIBUTES|ACE_SYNCHRONIZE)) 2441 needed_bits |= VREAD; 2442 if (working_mode & (ACE_WRITE_DATA|ACE_WRITE_NAMED_ATTRS| 2443 ACE_APPEND_DATA|ACE_WRITE_ATTRIBUTES|ACE_SYNCHRONIZE)) 2444 needed_bits |= VWRITE; 2445 if (working_mode & ACE_EXECUTE) 2446 needed_bits |= VEXEC; 2447 2448 if ((error = zfs_zaccess_common(check_zp, mode, &working_mode, 2449 &check_privs, skipaclchk, cr)) == 0) { 2450 if (is_attr) 2451 VN_RELE(ZTOV(xzp)); 2452 return (secpolicy_vnode_access2(cr, ZTOV(zp), zp->z_uid, 2453 needed_bits, needed_bits)); 2454 } 2455 2456 if (error && !check_privs) { 2457 if (is_attr) 2458 VN_RELE(ZTOV(xzp)); 2459 return (error); 2460 } 2461 2462 if (error && (flags & V_APPEND)) { 2463 error = zfs_zaccess_append(zp, &working_mode, &check_privs, cr); 2464 } 2465 2466 if (error && check_privs) { 2467 mode_t checkmode = 0; 2468 2469 /* 2470 * First check for implicit owner permission on 2471 * read_acl/read_attributes 2472 */ 2473 2474 error = 0; 2475 ASSERT(working_mode != 0); 2476 2477 if ((working_mode & (ACE_READ_ACL|ACE_READ_ATTRIBUTES) && 2478 zp->z_uid == crgetuid(cr))) 2479 working_mode &= ~(ACE_READ_ACL|ACE_READ_ATTRIBUTES); 2480 2481 if (working_mode & (ACE_READ_DATA|ACE_READ_NAMED_ATTRS| 2482 ACE_READ_ACL|ACE_READ_ATTRIBUTES|ACE_SYNCHRONIZE)) 2483 checkmode |= VREAD; 2484 if (working_mode & (ACE_WRITE_DATA|ACE_WRITE_NAMED_ATTRS| 2485 ACE_APPEND_DATA|ACE_WRITE_ATTRIBUTES|ACE_SYNCHRONIZE)) 2486 checkmode |= VWRITE; 2487 if (working_mode & ACE_EXECUTE) 2488 checkmode |= VEXEC; 2489 2490 error = secpolicy_vnode_access2(cr, ZTOV(check_zp), zp->z_uid, 2491 needed_bits & ~checkmode, needed_bits); 2492 2493 if (error == 0 && (working_mode & ACE_WRITE_OWNER)) 2494 error = secpolicy_vnode_chown(cr, zp->z_uid); 2495 if (error == 0 && (working_mode & ACE_WRITE_ACL)) 2496 error = secpolicy_vnode_setdac(cr, zp->z_uid); 2497 2498 if (error == 0 && (working_mode & 2499 (ACE_DELETE|ACE_DELETE_CHILD))) 2500 error = secpolicy_vnode_remove(cr); 2501 2502 if (error == 0 && (working_mode & ACE_SYNCHRONIZE)) { 2503 error = secpolicy_vnode_chown(cr, zp->z_uid); 2504 } 2505 if (error == 0) { 2506 /* 2507 * See if any bits other than those already checked 2508 * for are still present. If so then return EACCES 2509 */ 2510 if (working_mode & ~(ZFS_CHECKED_MASKS)) { 2511 error = EACCES; 2512 } 2513 } 2514 } else if (error == 0) { 2515 error = secpolicy_vnode_access2(cr, ZTOV(zp), zp->z_uid, 2516 needed_bits, needed_bits); 2517 } 2518 2519 2520 if (is_attr) 2521 VN_RELE(ZTOV(xzp)); 2522 2523 return (error); 2524 } 2525 2526 /* 2527 * Translate traditional unix VREAD/VWRITE/VEXEC mode into 2528 * native ACL format and call zfs_zaccess() 2529 */ 2530 int 2531 zfs_zaccess_rwx(znode_t *zp, mode_t mode, int flags, cred_t *cr) 2532 { 2533 return (zfs_zaccess(zp, zfs_unix_to_v4(mode >> 6), flags, B_FALSE, cr)); 2534 } 2535 2536 /* 2537 * Access function for secpolicy_vnode_setattr 2538 */ 2539 int 2540 zfs_zaccess_unix(znode_t *zp, mode_t mode, cred_t *cr) 2541 { 2542 int v4_mode = zfs_unix_to_v4(mode >> 6); 2543 2544 return (zfs_zaccess(zp, v4_mode, 0, B_FALSE, cr)); 2545 } 2546 2547 static int 2548 zfs_delete_final_check(znode_t *zp, znode_t *dzp, 2549 mode_t available_perms, cred_t *cr) 2550 { 2551 int error; 2552 2553 error = secpolicy_vnode_access2(cr, ZTOV(dzp), 2554 dzp->z_uid, available_perms, VWRITE|VEXEC); 2555 2556 if (error == 0) 2557 error = zfs_sticky_remove_access(dzp, zp, cr); 2558 2559 return (error); 2560 } 2561 2562 /* 2563 * Determine whether Access should be granted/deny, without 2564 * consulting least priv subsystem. 2565 * 2566 * 2567 * The following chart is the recommended NFSv4 enforcement for 2568 * ability to delete an object. 2569 * 2570 * ------------------------------------------------------- 2571 * | Parent Dir | Target Object Permissions | 2572 * | permissions | | 2573 * ------------------------------------------------------- 2574 * | | ACL Allows | ACL Denies| Delete | 2575 * | | Delete | Delete | unspecified| 2576 * ------------------------------------------------------- 2577 * | ACL Allows | Permit | Permit | Permit | 2578 * | DELETE_CHILD | | 2579 * ------------------------------------------------------- 2580 * | ACL Denies | Permit | Deny | Deny | 2581 * | DELETE_CHILD | | | | 2582 * ------------------------------------------------------- 2583 * | ACL specifies | | | | 2584 * | only allow | Permit | Permit | Permit | 2585 * | write and | | | | 2586 * | execute | | | | 2587 * ------------------------------------------------------- 2588 * | ACL denies | | | | 2589 * | write and | Permit | Deny | Deny | 2590 * | execute | | | | 2591 * ------------------------------------------------------- 2592 * ^ 2593 * | 2594 * No search privilege, can't even look up file? 2595 * 2596 */ 2597 int 2598 zfs_zaccess_delete(znode_t *dzp, znode_t *zp, cred_t *cr) 2599 { 2600 uint32_t dzp_working_mode = 0; 2601 uint32_t zp_working_mode = 0; 2602 int dzp_error, zp_error; 2603 mode_t available_perms; 2604 boolean_t dzpcheck_privs = B_TRUE; 2605 boolean_t zpcheck_privs = B_TRUE; 2606 2607 /* 2608 * We want specific DELETE permissions to 2609 * take precedence over WRITE/EXECUTE. We don't 2610 * want an ACL such as this to mess us up. 2611 * user:joe:write_data:deny,user:joe:delete:allow 2612 * 2613 * However, deny permissions may ultimately be overridden 2614 * by secpolicy_vnode_access(). 2615 * 2616 * We will ask for all of the necessary permissions and then 2617 * look at the working modes from the directory and target object 2618 * to determine what was found. 2619 */ 2620 2621 if (zp->z_pflags & (ZFS_IMMUTABLE | ZFS_NOUNLINK)) 2622 return (EPERM); 2623 2624 /* 2625 * First row 2626 * If the directory permissions allow the delete, we are done. 2627 */ 2628 if ((dzp_error = zfs_zaccess_common(dzp, ACE_DELETE_CHILD, 2629 &dzp_working_mode, &dzpcheck_privs, B_FALSE, cr)) == 0) 2630 return (0); 2631 2632 /* 2633 * If target object has delete permission then we are done 2634 */ 2635 if ((zp_error = zfs_zaccess_common(zp, ACE_DELETE, &zp_working_mode, 2636 &zpcheck_privs, B_FALSE, cr)) == 0) 2637 return (0); 2638 2639 ASSERT(dzp_error && zp_error); 2640 2641 if (!dzpcheck_privs) 2642 return (dzp_error); 2643 if (!zpcheck_privs) 2644 return (zp_error); 2645 2646 /* 2647 * Second row 2648 * 2649 * If directory returns EACCES then delete_child was denied 2650 * due to deny delete_child. In this case send the request through 2651 * secpolicy_vnode_remove(). We don't use zfs_delete_final_check() 2652 * since that *could* allow the delete based on write/execute permission 2653 * and we want delete permissions to override write/execute. 2654 */ 2655 2656 if (dzp_error == EACCES) 2657 return (secpolicy_vnode_remove(cr)); 2658 2659 /* 2660 * Third Row 2661 * only need to see if we have write/execute on directory. 2662 */ 2663 2664 dzp_error = zfs_zaccess_common(dzp, ACE_EXECUTE|ACE_WRITE_DATA, 2665 &dzp_working_mode, &dzpcheck_privs, B_FALSE, cr); 2666 2667 if (dzp_error != 0 && !dzpcheck_privs) 2668 return (dzp_error); 2669 2670 /* 2671 * Fourth row 2672 */ 2673 2674 available_perms = (dzp_working_mode & ACE_WRITE_DATA) ? 0 : VWRITE; 2675 available_perms |= (dzp_working_mode & ACE_EXECUTE) ? 0 : VEXEC; 2676 2677 return (zfs_delete_final_check(zp, dzp, available_perms, cr)); 2678 2679 } 2680 2681 int 2682 zfs_zaccess_rename(znode_t *sdzp, znode_t *szp, znode_t *tdzp, 2683 znode_t *tzp, cred_t *cr) 2684 { 2685 int add_perm; 2686 int error; 2687 2688 if (szp->z_pflags & ZFS_AV_QUARANTINED) 2689 return (EACCES); 2690 2691 add_perm = (ZTOV(szp)->v_type == VDIR) ? 2692 ACE_ADD_SUBDIRECTORY : ACE_ADD_FILE; 2693 2694 /* 2695 * Rename permissions are combination of delete permission + 2696 * add file/subdir permission. 2697 */ 2698 2699 /* 2700 * first make sure we do the delete portion. 2701 * 2702 * If that succeeds then check for add_file/add_subdir permissions 2703 */ 2704 2705 if (error = zfs_zaccess_delete(sdzp, szp, cr)) 2706 return (error); 2707 2708 /* 2709 * If we have a tzp, see if we can delete it? 2710 */ 2711 if (tzp) { 2712 if (error = zfs_zaccess_delete(tdzp, tzp, cr)) 2713 return (error); 2714 } 2715 2716 /* 2717 * Now check for add permissions 2718 */ 2719 error = zfs_zaccess(tdzp, add_perm, 0, B_FALSE, cr); 2720 2721 return (error); 2722 } 2723