1 /* 2 * CDDL HEADER START 3 * 4 * The contents of this file are subject to the terms of the 5 * Common Development and Distribution License (the "License"). 6 * You may not use this file except in compliance with the License. 7 * 8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE 9 * or http://www.opensolaris.org/os/licensing. 10 * See the License for the specific language governing permissions 11 * and limitations under the License. 12 * 13 * When distributing Covered Code, include this CDDL HEADER in each 14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE. 15 * If applicable, add the following below this CDDL HEADER, with the 16 * fields enclosed by brackets "[]" replaced with your own identifying 17 * information: Portions Copyright [yyyy] [name of copyright owner] 18 * 19 * CDDL HEADER END 20 */ 21 /* 22 * Copyright 2007 Sun Microsystems, Inc. All rights reserved. 23 * Use is subject to license terms. 24 */ 25 26 #pragma ident "%Z%%M% %I% %E% SMI" 27 28 #include <sys/types.h> 29 #include <sys/param.h> 30 #include <sys/time.h> 31 #include <sys/systm.h> 32 #include <sys/sysmacros.h> 33 #include <sys/resource.h> 34 #include <sys/vfs.h> 35 #include <sys/vnode.h> 36 #include <sys/file.h> 37 #include <sys/stat.h> 38 #include <sys/kmem.h> 39 #include <sys/cmn_err.h> 40 #include <sys/errno.h> 41 #include <sys/unistd.h> 42 #include <sys/sdt.h> 43 #include <sys/fs/zfs.h> 44 #include <sys/mode.h> 45 #include <sys/policy.h> 46 #include <sys/zfs_znode.h> 47 #include <sys/zfs_acl.h> 48 #include <sys/zfs_dir.h> 49 #include <sys/zfs_vfsops.h> 50 #include <sys/dmu.h> 51 #include <sys/zap.h> 52 #include <util/qsort.h> 53 #include "fs/fs_subr.h" 54 #include <acl/acl_common.h> 55 56 #define ALLOW ACE_ACCESS_ALLOWED_ACE_TYPE 57 #define DENY ACE_ACCESS_DENIED_ACE_TYPE 58 59 #define OWNING_GROUP (ACE_GROUP|ACE_IDENTIFIER_GROUP) 60 #define EVERYONE_ALLOW_MASK (ACE_READ_ACL|ACE_READ_ATTRIBUTES | \ 61 ACE_READ_NAMED_ATTRS|ACE_SYNCHRONIZE) 62 #define EVERYONE_DENY_MASK (ACE_WRITE_ACL|ACE_WRITE_OWNER | \ 63 ACE_WRITE_ATTRIBUTES|ACE_WRITE_NAMED_ATTRS) 64 #define OWNER_ALLOW_MASK (ACE_WRITE_ACL | ACE_WRITE_OWNER | \ 65 ACE_WRITE_ATTRIBUTES|ACE_WRITE_NAMED_ATTRS) 66 #define WRITE_MASK (ACE_WRITE_DATA|ACE_APPEND_DATA|ACE_WRITE_NAMED_ATTRS| \ 67 ACE_WRITE_ATTRIBUTES|ACE_WRITE_ACL|ACE_WRITE_OWNER) 68 69 #define OGE_CLEAR (ACE_READ_DATA|ACE_LIST_DIRECTORY|ACE_WRITE_DATA| \ 70 ACE_ADD_FILE|ACE_APPEND_DATA|ACE_ADD_SUBDIRECTORY|ACE_EXECUTE) 71 72 #define OKAY_MASK_BITS (ACE_READ_DATA|ACE_LIST_DIRECTORY|ACE_WRITE_DATA| \ 73 ACE_ADD_FILE|ACE_APPEND_DATA|ACE_ADD_SUBDIRECTORY|ACE_EXECUTE) 74 75 #define ALL_INHERIT (ACE_FILE_INHERIT_ACE|ACE_DIRECTORY_INHERIT_ACE | \ 76 ACE_NO_PROPAGATE_INHERIT_ACE|ACE_INHERIT_ONLY_ACE) 77 78 #define SECURE_CLEAR (ACE_WRITE_ACL|ACE_WRITE_OWNER) 79 80 #define OGE_PAD 6 /* traditional owner/group/everyone ACES */ 81 82 static int zfs_ace_can_use(znode_t *zp, ace_t *); 83 84 static zfs_acl_t * 85 zfs_acl_alloc(int slots) 86 { 87 zfs_acl_t *aclp; 88 89 aclp = kmem_zalloc(sizeof (zfs_acl_t), KM_SLEEP); 90 if (slots != 0) { 91 aclp->z_acl = kmem_alloc(ZFS_ACL_SIZE(slots), KM_SLEEP); 92 aclp->z_acl_count = 0; 93 aclp->z_state = ACL_DATA_ALLOCED; 94 } else { 95 aclp->z_state = 0; 96 } 97 aclp->z_slots = slots; 98 return (aclp); 99 } 100 101 void 102 zfs_acl_free(zfs_acl_t *aclp) 103 { 104 if (aclp->z_state == ACL_DATA_ALLOCED) { 105 kmem_free(aclp->z_acl, ZFS_ACL_SIZE(aclp->z_slots)); 106 } 107 kmem_free(aclp, sizeof (zfs_acl_t)); 108 } 109 110 static uint32_t 111 zfs_v4_to_unix(uint32_t access_mask) 112 { 113 uint32_t new_mask = 0; 114 115 /* 116 * This is used for mapping v4 permissions into permissions 117 * that can be passed to secpolicy_vnode_access() 118 */ 119 if (access_mask & (ACE_READ_DATA | ACE_LIST_DIRECTORY | 120 ACE_READ_ATTRIBUTES | ACE_READ_ACL)) 121 new_mask |= S_IROTH; 122 if (access_mask & (ACE_WRITE_DATA | ACE_APPEND_DATA | 123 ACE_WRITE_ATTRIBUTES | ACE_ADD_FILE | ACE_WRITE_NAMED_ATTRS)) 124 new_mask |= S_IWOTH; 125 if (access_mask & (ACE_EXECUTE | ACE_READ_NAMED_ATTRS)) 126 new_mask |= S_IXOTH; 127 128 return (new_mask); 129 } 130 131 /* 132 * Convert unix access mask to v4 access mask 133 */ 134 static uint32_t 135 zfs_unix_to_v4(uint32_t access_mask) 136 { 137 uint32_t new_mask = 0; 138 139 if (access_mask & 01) 140 new_mask |= (ACE_EXECUTE); 141 if (access_mask & 02) { 142 new_mask |= (ACE_WRITE_DATA); 143 } if (access_mask & 04) { 144 new_mask |= ACE_READ_DATA; 145 } 146 return (new_mask); 147 } 148 149 static void 150 zfs_set_ace(ace_t *zacep, uint32_t access_mask, int access_type, 151 uid_t uid, int entry_type) 152 { 153 zacep->a_access_mask = access_mask; 154 zacep->a_type = access_type; 155 zacep->a_who = uid; 156 zacep->a_flags = entry_type; 157 } 158 159 static uint64_t 160 zfs_mode_compute(znode_t *zp, zfs_acl_t *aclp) 161 { 162 int i; 163 int entry_type; 164 mode_t mode = (zp->z_phys->zp_mode & 165 (S_IFMT | S_ISUID | S_ISGID | S_ISVTX)); 166 mode_t seen = 0; 167 ace_t *acep; 168 169 for (i = 0, acep = aclp->z_acl; 170 i != aclp->z_acl_count; i++, acep++) { 171 entry_type = (acep->a_flags & ACE_TYPE_FLAGS); 172 if (entry_type == ACE_OWNER) { 173 if ((acep->a_access_mask & ACE_READ_DATA) && 174 (!(seen & S_IRUSR))) { 175 seen |= S_IRUSR; 176 if (acep->a_type == ALLOW) { 177 mode |= S_IRUSR; 178 } 179 } 180 if ((acep->a_access_mask & ACE_WRITE_DATA) && 181 (!(seen & S_IWUSR))) { 182 seen |= S_IWUSR; 183 if (acep->a_type == ALLOW) { 184 mode |= S_IWUSR; 185 } 186 } 187 if ((acep->a_access_mask & ACE_EXECUTE) && 188 (!(seen & S_IXUSR))) { 189 seen |= S_IXUSR; 190 if (acep->a_type == ALLOW) { 191 mode |= S_IXUSR; 192 } 193 } 194 } else if (entry_type == OWNING_GROUP) { 195 if ((acep->a_access_mask & ACE_READ_DATA) && 196 (!(seen & S_IRGRP))) { 197 seen |= S_IRGRP; 198 if (acep->a_type == ALLOW) { 199 mode |= S_IRGRP; 200 } 201 } 202 if ((acep->a_access_mask & ACE_WRITE_DATA) && 203 (!(seen & S_IWGRP))) { 204 seen |= S_IWGRP; 205 if (acep->a_type == ALLOW) { 206 mode |= S_IWGRP; 207 } 208 } 209 if ((acep->a_access_mask & ACE_EXECUTE) && 210 (!(seen & S_IXGRP))) { 211 seen |= S_IXGRP; 212 if (acep->a_type == ALLOW) { 213 mode |= S_IXGRP; 214 } 215 } 216 } else if (entry_type == ACE_EVERYONE) { 217 if ((acep->a_access_mask & ACE_READ_DATA)) { 218 if (!(seen & S_IRUSR)) { 219 seen |= S_IRUSR; 220 if (acep->a_type == ALLOW) { 221 mode |= S_IRUSR; 222 } 223 } 224 if (!(seen & S_IRGRP)) { 225 seen |= S_IRGRP; 226 if (acep->a_type == ALLOW) { 227 mode |= S_IRGRP; 228 } 229 } 230 if (!(seen & S_IROTH)) { 231 seen |= S_IROTH; 232 if (acep->a_type == ALLOW) { 233 mode |= S_IROTH; 234 } 235 } 236 } 237 if ((acep->a_access_mask & ACE_WRITE_DATA)) { 238 if (!(seen & S_IWUSR)) { 239 seen |= S_IWUSR; 240 if (acep->a_type == ALLOW) { 241 mode |= S_IWUSR; 242 } 243 } 244 if (!(seen & S_IWGRP)) { 245 seen |= S_IWGRP; 246 if (acep->a_type == ALLOW) { 247 mode |= S_IWGRP; 248 } 249 } 250 if (!(seen & S_IWOTH)) { 251 seen |= S_IWOTH; 252 if (acep->a_type == ALLOW) { 253 mode |= S_IWOTH; 254 } 255 } 256 } 257 if ((acep->a_access_mask & ACE_EXECUTE)) { 258 if (!(seen & S_IXUSR)) { 259 seen |= S_IXUSR; 260 if (acep->a_type == ALLOW) { 261 mode |= S_IXUSR; 262 } 263 } 264 if (!(seen & S_IXGRP)) { 265 seen |= S_IXGRP; 266 if (acep->a_type == ALLOW) { 267 mode |= S_IXGRP; 268 } 269 } 270 if (!(seen & S_IXOTH)) { 271 seen |= S_IXOTH; 272 if (acep->a_type == ALLOW) { 273 mode |= S_IXOTH; 274 } 275 } 276 } 277 } 278 } 279 return (mode); 280 } 281 282 static zfs_acl_t * 283 zfs_acl_node_read_internal(znode_t *zp) 284 { 285 zfs_acl_t *aclp; 286 287 aclp = zfs_acl_alloc(0); 288 aclp->z_acl_count = zp->z_phys->zp_acl.z_acl_count; 289 aclp->z_acl = &zp->z_phys->zp_acl.z_ace_data[0]; 290 291 return (aclp); 292 } 293 294 /* 295 * Read an external acl object. 296 */ 297 static int 298 zfs_acl_node_read(znode_t *zp, zfs_acl_t **aclpp) 299 { 300 uint64_t extacl = zp->z_phys->zp_acl.z_acl_extern_obj; 301 zfs_acl_t *aclp; 302 int error; 303 304 ASSERT(MUTEX_HELD(&zp->z_acl_lock)); 305 306 if (zp->z_phys->zp_acl.z_acl_extern_obj == 0) { 307 *aclpp = zfs_acl_node_read_internal(zp); 308 return (0); 309 } 310 311 aclp = zfs_acl_alloc(zp->z_phys->zp_acl.z_acl_count); 312 313 error = dmu_read(zp->z_zfsvfs->z_os, extacl, 0, 314 ZFS_ACL_SIZE(zp->z_phys->zp_acl.z_acl_count), aclp->z_acl); 315 if (error != 0) { 316 zfs_acl_free(aclp); 317 return (error); 318 } 319 320 aclp->z_acl_count = zp->z_phys->zp_acl.z_acl_count; 321 322 *aclpp = aclp; 323 return (0); 324 } 325 326 static boolean_t 327 zfs_acl_valid(znode_t *zp, ace_t *uace, int aclcnt, int *inherit) 328 { 329 ace_t *acep; 330 int i; 331 332 *inherit = 0; 333 334 if (aclcnt > MAX_ACL_ENTRIES || aclcnt <= 0) { 335 return (B_FALSE); 336 } 337 338 for (i = 0, acep = uace; i != aclcnt; i++, acep++) { 339 340 /* 341 * first check type of entry 342 */ 343 344 switch (acep->a_flags & ACE_TYPE_FLAGS) { 345 case ACE_OWNER: 346 acep->a_who = -1; 347 break; 348 case (ACE_IDENTIFIER_GROUP | ACE_GROUP): 349 case ACE_IDENTIFIER_GROUP: 350 if (acep->a_flags & ACE_GROUP) { 351 acep->a_who = -1; 352 } 353 break; 354 case ACE_EVERYONE: 355 acep->a_who = -1; 356 break; 357 } 358 359 /* 360 * next check inheritance level flags 361 */ 362 363 if (acep->a_type != ALLOW && acep->a_type != DENY) 364 return (B_FALSE); 365 366 /* 367 * Only directories should have inheritance flags. 368 */ 369 if (ZTOV(zp)->v_type != VDIR && (acep->a_flags & 370 (ACE_FILE_INHERIT_ACE|ACE_DIRECTORY_INHERIT_ACE| 371 ACE_INHERIT_ONLY_ACE|ACE_NO_PROPAGATE_INHERIT_ACE))) { 372 return (B_FALSE); 373 } 374 375 if (acep->a_flags & 376 (ACE_FILE_INHERIT_ACE|ACE_DIRECTORY_INHERIT_ACE)) 377 *inherit = 1; 378 379 if (acep->a_flags & 380 (ACE_INHERIT_ONLY_ACE|ACE_NO_PROPAGATE_INHERIT_ACE)) { 381 if ((acep->a_flags & (ACE_FILE_INHERIT_ACE| 382 ACE_DIRECTORY_INHERIT_ACE)) == 0) { 383 return (B_FALSE); 384 } 385 } 386 } 387 388 return (B_TRUE); 389 } 390 /* 391 * common code for setting acl's. 392 * 393 * This function is called from zfs_mode_update, zfs_perm_init, and zfs_setacl. 394 * zfs_setacl passes a non-NULL inherit pointer (ihp) to indicate that it's 395 * already checked the acl and knows whether to inherit. 396 */ 397 int 398 zfs_aclset_common(znode_t *zp, zfs_acl_t *aclp, dmu_tx_t *tx, int *ihp) 399 { 400 int inherit = 0; 401 int error; 402 znode_phys_t *zphys = zp->z_phys; 403 zfs_znode_acl_t *zacl = &zphys->zp_acl; 404 uint32_t acl_phys_size = ZFS_ACL_SIZE(aclp->z_acl_count); 405 zfsvfs_t *zfsvfs = zp->z_zfsvfs; 406 uint64_t aoid = zphys->zp_acl.z_acl_extern_obj; 407 408 ASSERT(MUTEX_HELD(&zp->z_lock)); 409 ASSERT(MUTEX_HELD(&zp->z_acl_lock)); 410 411 if (ihp) 412 inherit = *ihp; /* already determined by caller */ 413 else if (!zfs_acl_valid(zp, aclp->z_acl, 414 aclp->z_acl_count, &inherit)) { 415 return (EINVAL); 416 } 417 418 dmu_buf_will_dirty(zp->z_dbuf, tx); 419 420 /* 421 * Will ACL fit internally? 422 */ 423 if (aclp->z_acl_count > ACE_SLOT_CNT) { 424 if (aoid == 0) { 425 aoid = dmu_object_alloc(zfsvfs->z_os, 426 DMU_OT_ACL, acl_phys_size, DMU_OT_NONE, 0, tx); 427 } else { 428 (void) dmu_object_set_blocksize(zfsvfs->z_os, aoid, 429 acl_phys_size, 0, tx); 430 } 431 zphys->zp_acl.z_acl_extern_obj = aoid; 432 zphys->zp_acl.z_acl_count = aclp->z_acl_count; 433 dmu_write(zfsvfs->z_os, aoid, 0, 434 acl_phys_size, aclp->z_acl, tx); 435 } else { 436 /* 437 * Migrating back embedded? 438 */ 439 if (zphys->zp_acl.z_acl_extern_obj) { 440 error = dmu_object_free(zfsvfs->z_os, 441 zp->z_phys->zp_acl.z_acl_extern_obj, tx); 442 if (error) 443 return (error); 444 zphys->zp_acl.z_acl_extern_obj = 0; 445 } 446 bcopy(aclp->z_acl, zacl->z_ace_data, 447 aclp->z_acl_count * sizeof (ace_t)); 448 zacl->z_acl_count = aclp->z_acl_count; 449 } 450 451 zp->z_phys->zp_flags &= ~(ZFS_ACL_TRIVIAL|ZFS_INHERIT_ACE); 452 if (inherit) { 453 zp->z_phys->zp_flags |= ZFS_INHERIT_ACE; 454 } else if (ace_trivial(zacl->z_ace_data, zacl->z_acl_count) == 0) { 455 zp->z_phys->zp_flags |= ZFS_ACL_TRIVIAL; 456 } 457 458 zphys->zp_mode = zfs_mode_compute(zp, aclp); 459 zfs_time_stamper_locked(zp, STATE_CHANGED, tx); 460 461 return (0); 462 } 463 464 /* 465 * Create space for slots_needed ACEs to be append 466 * to aclp. 467 */ 468 static void 469 zfs_acl_append(zfs_acl_t *aclp, int slots_needed) 470 { 471 ace_t *newacep; 472 ace_t *oldaclp; 473 int slot_cnt; 474 int slots_left = aclp->z_slots - aclp->z_acl_count; 475 476 if (aclp->z_state == ACL_DATA_ALLOCED) 477 ASSERT(aclp->z_slots >= aclp->z_acl_count); 478 if (slots_left < slots_needed || aclp->z_state != ACL_DATA_ALLOCED) { 479 slot_cnt = aclp->z_slots + 1 + (slots_needed - slots_left); 480 newacep = kmem_alloc(ZFS_ACL_SIZE(slot_cnt), KM_SLEEP); 481 bcopy(aclp->z_acl, newacep, 482 ZFS_ACL_SIZE(aclp->z_acl_count)); 483 oldaclp = aclp->z_acl; 484 if (aclp->z_state == ACL_DATA_ALLOCED) 485 kmem_free(oldaclp, ZFS_ACL_SIZE(aclp->z_slots)); 486 aclp->z_acl = newacep; 487 aclp->z_slots = slot_cnt; 488 aclp->z_state = ACL_DATA_ALLOCED; 489 } 490 } 491 492 /* 493 * Remove "slot" ACE from aclp 494 */ 495 static void 496 zfs_ace_remove(zfs_acl_t *aclp, int slot) 497 { 498 if (aclp->z_acl_count > 1) { 499 (void) memmove(&aclp->z_acl[slot], 500 &aclp->z_acl[slot +1], sizeof (ace_t) * 501 (--aclp->z_acl_count - slot)); 502 } else 503 aclp->z_acl_count--; 504 } 505 506 /* 507 * Update access mask for prepended ACE 508 * 509 * This applies the "groupmask" value for aclmode property. 510 */ 511 static void 512 zfs_acl_prepend_fixup(ace_t *acep, ace_t *origacep, mode_t mode, uid_t owner) 513 { 514 515 int rmask, wmask, xmask; 516 int user_ace; 517 518 user_ace = (!(acep->a_flags & 519 (ACE_OWNER|ACE_GROUP|ACE_IDENTIFIER_GROUP))); 520 521 if (user_ace && (acep->a_who == owner)) { 522 rmask = S_IRUSR; 523 wmask = S_IWUSR; 524 xmask = S_IXUSR; 525 } else { 526 rmask = S_IRGRP; 527 wmask = S_IWGRP; 528 xmask = S_IXGRP; 529 } 530 531 if (origacep->a_access_mask & ACE_READ_DATA) { 532 if (mode & rmask) 533 acep->a_access_mask &= ~ACE_READ_DATA; 534 else 535 acep->a_access_mask |= ACE_READ_DATA; 536 } 537 538 if (origacep->a_access_mask & ACE_WRITE_DATA) { 539 if (mode & wmask) 540 acep->a_access_mask &= ~ACE_WRITE_DATA; 541 else 542 acep->a_access_mask |= ACE_WRITE_DATA; 543 } 544 545 if (origacep->a_access_mask & ACE_APPEND_DATA) { 546 if (mode & wmask) 547 acep->a_access_mask &= ~ACE_APPEND_DATA; 548 else 549 acep->a_access_mask |= ACE_APPEND_DATA; 550 } 551 552 if (origacep->a_access_mask & ACE_EXECUTE) { 553 if (mode & xmask) 554 acep->a_access_mask &= ~ACE_EXECUTE; 555 else 556 acep->a_access_mask |= ACE_EXECUTE; 557 } 558 } 559 560 /* 561 * Apply mode to canonical six ACEs. 562 */ 563 static void 564 zfs_acl_fixup_canonical_six(zfs_acl_t *aclp, mode_t mode) 565 { 566 int cnt; 567 ace_t *acep; 568 569 cnt = aclp->z_acl_count -1; 570 acep = aclp->z_acl; 571 572 /* 573 * Fixup final ACEs to match the mode 574 */ 575 576 ASSERT(cnt >= 5); 577 adjust_ace_pair(&acep[cnt - 1], mode); /* everyone@ */ 578 adjust_ace_pair(&acep[cnt - 3], (mode & 0070) >> 3); /* group@ */ 579 adjust_ace_pair(&acep[cnt - 5], (mode & 0700) >> 6); /* owner@ */ 580 } 581 582 583 static int 584 zfs_acl_ace_match(ace_t *acep, int allow_deny, int type, int mask) 585 { 586 return (acep->a_access_mask == mask && acep->a_type == allow_deny && 587 ((acep->a_flags & ACE_TYPE_FLAGS) == type)); 588 } 589 590 /* 591 * Can prepended ACE be reused? 592 */ 593 static int 594 zfs_reuse_deny(ace_t *acep, int i) 595 { 596 int okay_masks; 597 598 if (i < 1) 599 return (B_FALSE); 600 601 if (acep[i-1].a_type != DENY) 602 return (B_FALSE); 603 604 if (acep[i-1].a_flags != (acep[i].a_flags & ACE_IDENTIFIER_GROUP)) 605 return (B_FALSE); 606 607 okay_masks = (acep[i].a_access_mask & OKAY_MASK_BITS); 608 609 if (acep[i-1].a_access_mask & ~okay_masks) 610 return (B_FALSE); 611 612 return (B_TRUE); 613 } 614 615 /* 616 * Create space to prepend an ACE 617 */ 618 static void 619 zfs_acl_prepend(zfs_acl_t *aclp, int i) 620 { 621 ace_t *oldaclp = NULL; 622 ace_t *to, *from; 623 int slots_left = aclp->z_slots - aclp->z_acl_count; 624 int oldslots; 625 int need_free = 0; 626 627 if (aclp->z_state == ACL_DATA_ALLOCED) 628 ASSERT(aclp->z_slots >= aclp->z_acl_count); 629 630 if (slots_left == 0 || aclp->z_state != ACL_DATA_ALLOCED) { 631 632 to = kmem_alloc(ZFS_ACL_SIZE(aclp->z_acl_count + 633 OGE_PAD), KM_SLEEP); 634 if (aclp->z_state == ACL_DATA_ALLOCED) 635 need_free++; 636 from = aclp->z_acl; 637 oldaclp = aclp->z_acl; 638 (void) memmove(to, from, 639 sizeof (ace_t) * aclp->z_acl_count); 640 aclp->z_state = ACL_DATA_ALLOCED; 641 } else { 642 from = aclp->z_acl; 643 to = aclp->z_acl; 644 } 645 646 647 (void) memmove(&to[i + 1], &from[i], 648 sizeof (ace_t) * (aclp->z_acl_count - i)); 649 650 if (oldaclp) { 651 aclp->z_acl = to; 652 oldslots = aclp->z_slots; 653 aclp->z_slots = aclp->z_acl_count + OGE_PAD; 654 if (need_free) 655 kmem_free(oldaclp, ZFS_ACL_SIZE(oldslots)); 656 } 657 658 } 659 660 /* 661 * Prepend deny ACE 662 */ 663 static void 664 zfs_acl_prepend_deny(znode_t *zp, zfs_acl_t *aclp, int i, 665 mode_t mode) 666 { 667 ace_t *acep; 668 669 zfs_acl_prepend(aclp, i); 670 671 acep = aclp->z_acl; 672 zfs_set_ace(&acep[i], 0, DENY, acep[i + 1].a_who, 673 (acep[i + 1].a_flags & ACE_TYPE_FLAGS)); 674 zfs_acl_prepend_fixup(&acep[i], &acep[i+1], mode, zp->z_phys->zp_uid); 675 aclp->z_acl_count++; 676 } 677 678 /* 679 * Split an inherited ACE into inherit_only ACE 680 * and original ACE with inheritance flags stripped off. 681 */ 682 static void 683 zfs_acl_split_ace(zfs_acl_t *aclp, int i) 684 { 685 ace_t *acep = aclp->z_acl; 686 687 zfs_acl_prepend(aclp, i); 688 acep = aclp->z_acl; 689 acep[i] = acep[i + 1]; 690 acep[i].a_flags |= ACE_INHERIT_ONLY_ACE; 691 acep[i + 1].a_flags &= ~ALL_INHERIT; 692 aclp->z_acl_count++; 693 } 694 695 /* 696 * Are ACES started at index i, the canonical six ACES? 697 */ 698 static int 699 zfs_have_canonical_six(zfs_acl_t *aclp, int i) 700 { 701 ace_t *acep = aclp->z_acl; 702 703 if ((zfs_acl_ace_match(&acep[i], 704 DENY, ACE_OWNER, 0) && 705 zfs_acl_ace_match(&acep[i + 1], ALLOW, ACE_OWNER, 706 OWNER_ALLOW_MASK) && zfs_acl_ace_match(&acep[i + 2], 707 DENY, OWNING_GROUP, 0) && zfs_acl_ace_match(&acep[i + 3], 708 ALLOW, OWNING_GROUP, 0) && zfs_acl_ace_match(&acep[i + 4], 709 DENY, ACE_EVERYONE, EVERYONE_DENY_MASK) && 710 zfs_acl_ace_match(&acep[i + 5], ALLOW, ACE_EVERYONE, 711 EVERYONE_ALLOW_MASK))) { 712 return (1); 713 } else { 714 return (0); 715 } 716 } 717 718 /* 719 * Apply step 1g, to group entries 720 * 721 * Need to deal with corner case where group may have 722 * greater permissions than owner. If so then limit 723 * group permissions, based on what extra permissions 724 * group has. 725 */ 726 static void 727 zfs_fixup_group_entries(ace_t *acep, mode_t mode) 728 { 729 mode_t extramode = (mode >> 3) & 07; 730 mode_t ownermode = (mode >> 6); 731 732 if (acep[0].a_flags & ACE_IDENTIFIER_GROUP) { 733 734 extramode &= ~ownermode; 735 736 if (extramode) { 737 if (extramode & 04) { 738 acep[0].a_access_mask &= ~ACE_READ_DATA; 739 acep[1].a_access_mask &= ~ACE_READ_DATA; 740 } 741 if (extramode & 02) { 742 acep[0].a_access_mask &= 743 ~(ACE_WRITE_DATA|ACE_APPEND_DATA); 744 acep[1].a_access_mask &= 745 ~(ACE_WRITE_DATA|ACE_APPEND_DATA); 746 } 747 if (extramode & 01) { 748 acep[0].a_access_mask &= ~ACE_EXECUTE; 749 acep[1].a_access_mask &= ~ACE_EXECUTE; 750 } 751 } 752 } 753 } 754 755 /* 756 * Apply the chmod algorithm as described 757 * in PSARC/2002/240 758 */ 759 static int 760 zfs_acl_chmod(znode_t *zp, uint64_t mode, zfs_acl_t *aclp, 761 dmu_tx_t *tx) 762 { 763 zfsvfs_t *zfsvfs = zp->z_zfsvfs; 764 ace_t *acep; 765 int i; 766 int error; 767 int entry_type; 768 int reuse_deny; 769 int need_canonical_six = 1; 770 int inherit = 0; 771 int iflags; 772 773 ASSERT(MUTEX_HELD(&zp->z_acl_lock)); 774 ASSERT(MUTEX_HELD(&zp->z_lock)); 775 776 i = 0; 777 while (i < aclp->z_acl_count) { 778 acep = aclp->z_acl; 779 entry_type = (acep[i].a_flags & ACE_TYPE_FLAGS); 780 iflags = (acep[i].a_flags & ALL_INHERIT); 781 782 if ((acep[i].a_type != ALLOW && acep[i].a_type != DENY) || 783 (iflags & ACE_INHERIT_ONLY_ACE)) { 784 i++; 785 if (iflags) 786 inherit = 1; 787 continue; 788 } 789 790 791 if (zfsvfs->z_acl_mode == ZFS_ACL_DISCARD) { 792 zfs_ace_remove(aclp, i); 793 continue; 794 } 795 796 /* 797 * Need to split ace into two? 798 */ 799 if ((iflags & (ACE_FILE_INHERIT_ACE| 800 ACE_DIRECTORY_INHERIT_ACE)) && 801 (!(iflags & ACE_INHERIT_ONLY_ACE))) { 802 zfs_acl_split_ace(aclp, i); 803 i++; 804 inherit = 1; 805 continue; 806 } 807 808 if (entry_type == ACE_OWNER || entry_type == ACE_EVERYONE || 809 (entry_type == OWNING_GROUP)) { 810 acep[i].a_access_mask &= ~OGE_CLEAR; 811 i++; 812 continue; 813 814 } else { 815 if (acep[i].a_type == ALLOW) { 816 817 /* 818 * Check preceding ACE if any, to see 819 * if we need to prepend a DENY ACE. 820 * This is only applicable when the acl_mode 821 * property == groupmask. 822 */ 823 if (zfsvfs->z_acl_mode == ZFS_ACL_GROUPMASK) { 824 825 reuse_deny = zfs_reuse_deny(acep, i); 826 827 if (reuse_deny == B_FALSE) { 828 zfs_acl_prepend_deny(zp, aclp, 829 i, mode); 830 i++; 831 acep = aclp->z_acl; 832 } else { 833 zfs_acl_prepend_fixup( 834 &acep[i - 1], 835 &acep[i], mode, 836 zp->z_phys->zp_uid); 837 } 838 zfs_fixup_group_entries(&acep[i - 1], 839 mode); 840 } 841 } 842 i++; 843 } 844 } 845 846 /* 847 * Check out last six aces, if we have six. 848 */ 849 850 if (aclp->z_acl_count >= 6) { 851 i = aclp->z_acl_count - 6; 852 853 if (zfs_have_canonical_six(aclp, i)) { 854 need_canonical_six = 0; 855 } 856 } 857 858 if (need_canonical_six) { 859 860 zfs_acl_append(aclp, 6); 861 i = aclp->z_acl_count; 862 acep = aclp->z_acl; 863 zfs_set_ace(&acep[i++], 0, DENY, -1, ACE_OWNER); 864 zfs_set_ace(&acep[i++], OWNER_ALLOW_MASK, ALLOW, -1, ACE_OWNER); 865 zfs_set_ace(&acep[i++], 0, DENY, -1, OWNING_GROUP); 866 zfs_set_ace(&acep[i++], 0, ALLOW, -1, OWNING_GROUP); 867 zfs_set_ace(&acep[i++], EVERYONE_DENY_MASK, 868 DENY, -1, ACE_EVERYONE); 869 zfs_set_ace(&acep[i++], EVERYONE_ALLOW_MASK, 870 ALLOW, -1, ACE_EVERYONE); 871 aclp->z_acl_count += 6; 872 } 873 874 zfs_acl_fixup_canonical_six(aclp, mode); 875 876 zp->z_phys->zp_mode = mode; 877 error = zfs_aclset_common(zp, aclp, tx, &inherit); 878 return (error); 879 } 880 881 882 int 883 zfs_acl_chmod_setattr(znode_t *zp, uint64_t mode, dmu_tx_t *tx) 884 { 885 zfs_acl_t *aclp = NULL; 886 int error; 887 888 ASSERT(MUTEX_HELD(&zp->z_lock)); 889 mutex_enter(&zp->z_acl_lock); 890 error = zfs_acl_node_read(zp, &aclp); 891 if (error == 0) 892 error = zfs_acl_chmod(zp, mode, aclp, tx); 893 mutex_exit(&zp->z_acl_lock); 894 if (aclp) 895 zfs_acl_free(aclp); 896 return (error); 897 } 898 899 /* 900 * strip off write_owner and write_acl 901 */ 902 static void 903 zfs_securemode_update(zfsvfs_t *zfsvfs, ace_t *acep) 904 { 905 if ((zfsvfs->z_acl_inherit == ZFS_ACL_SECURE) && 906 (acep->a_type == ALLOW)) 907 acep->a_access_mask &= ~SECURE_CLEAR; 908 } 909 910 /* 911 * inherit inheritable ACEs from parent 912 */ 913 static zfs_acl_t * 914 zfs_acl_inherit(znode_t *zp, zfs_acl_t *paclp) 915 { 916 zfsvfs_t *zfsvfs = zp->z_zfsvfs; 917 ace_t *pacep; 918 ace_t *acep; 919 int ace_cnt = 0; 920 int pace_cnt; 921 int i, j; 922 zfs_acl_t *aclp = NULL; 923 924 i = j = 0; 925 pace_cnt = paclp->z_acl_count; 926 pacep = paclp->z_acl; 927 if (zfsvfs->z_acl_inherit != ZFS_ACL_DISCARD) { 928 for (i = 0; i != pace_cnt; i++) { 929 930 if (zfsvfs->z_acl_inherit == ZFS_ACL_NOALLOW && 931 pacep[i].a_type == ALLOW) 932 continue; 933 934 if (zfs_ace_can_use(zp, &pacep[i])) { 935 ace_cnt++; 936 if (!(pacep[i].a_flags & 937 ACE_NO_PROPAGATE_INHERIT_ACE)) 938 ace_cnt++; 939 } 940 } 941 } 942 943 aclp = zfs_acl_alloc(ace_cnt + OGE_PAD); 944 if (ace_cnt && zfsvfs->z_acl_inherit != ZFS_ACL_DISCARD) { 945 acep = aclp->z_acl; 946 pacep = paclp->z_acl; 947 for (i = 0; i != pace_cnt; i++) { 948 949 if (zfsvfs->z_acl_inherit == ZFS_ACL_NOALLOW && 950 pacep[i].a_type == ALLOW) 951 continue; 952 953 if (zfs_ace_can_use(zp, &pacep[i])) { 954 955 /* 956 * Now create entry for inherited ace 957 */ 958 959 acep[j] = pacep[i]; 960 961 /* 962 * When AUDIT/ALARM a_types are supported 963 * they should be inherited here. 964 */ 965 966 if ((pacep[i].a_flags & 967 ACE_NO_PROPAGATE_INHERIT_ACE) || 968 (ZTOV(zp)->v_type != VDIR)) { 969 acep[j].a_flags &= ~ALL_INHERIT; 970 zfs_securemode_update(zfsvfs, &acep[j]); 971 j++; 972 continue; 973 } 974 975 ASSERT(ZTOV(zp)->v_type == VDIR); 976 977 /* 978 * If we are inheriting an ACE targeted for 979 * only files, then make sure inherit_only 980 * is on for future propagation. 981 */ 982 if ((pacep[i].a_flags & (ACE_FILE_INHERIT_ACE | 983 ACE_DIRECTORY_INHERIT_ACE)) != 984 ACE_FILE_INHERIT_ACE) { 985 j++; 986 acep[j] = acep[j-1]; 987 acep[j-1].a_flags |= 988 ACE_INHERIT_ONLY_ACE; 989 acep[j].a_flags &= ~ALL_INHERIT; 990 } else { 991 acep[j].a_flags |= ACE_INHERIT_ONLY_ACE; 992 } 993 zfs_securemode_update(zfsvfs, &acep[j]); 994 j++; 995 } 996 } 997 } 998 aclp->z_acl_count = j; 999 ASSERT(aclp->z_slots >= aclp->z_acl_count); 1000 1001 return (aclp); 1002 } 1003 1004 /* 1005 * Create file system object initial permissions 1006 * including inheritable ACEs. 1007 */ 1008 void 1009 zfs_perm_init(znode_t *zp, znode_t *parent, int flag, 1010 vattr_t *vap, dmu_tx_t *tx, cred_t *cr) 1011 { 1012 uint64_t mode; 1013 uid_t uid; 1014 gid_t gid; 1015 int error; 1016 int pull_down; 1017 zfs_acl_t *aclp, *paclp; 1018 1019 mode = MAKEIMODE(vap->va_type, vap->va_mode); 1020 1021 /* 1022 * Determine uid and gid. 1023 */ 1024 if ((flag & (IS_ROOT_NODE | IS_REPLAY)) || 1025 ((flag & IS_XATTR) && (vap->va_type == VDIR))) { 1026 uid = vap->va_uid; 1027 gid = vap->va_gid; 1028 } else { 1029 uid = crgetuid(cr); 1030 if ((vap->va_mask & AT_GID) && 1031 ((vap->va_gid == parent->z_phys->zp_gid) || 1032 groupmember(vap->va_gid, cr) || 1033 secpolicy_vnode_create_gid(cr) == 0)) 1034 gid = vap->va_gid; 1035 else 1036 gid = (parent->z_phys->zp_mode & S_ISGID) ? 1037 parent->z_phys->zp_gid : crgetgid(cr); 1038 } 1039 1040 /* 1041 * If we're creating a directory, and the parent directory has the 1042 * set-GID bit set, set in on the new directory. 1043 * Otherwise, if the user is neither privileged nor a member of the 1044 * file's new group, clear the file's set-GID bit. 1045 */ 1046 1047 if ((parent->z_phys->zp_mode & S_ISGID) && (vap->va_type == VDIR)) 1048 mode |= S_ISGID; 1049 else { 1050 if ((mode & S_ISGID) && 1051 secpolicy_vnode_setids_setgids(cr, gid) != 0) 1052 mode &= ~S_ISGID; 1053 } 1054 1055 zp->z_phys->zp_uid = uid; 1056 zp->z_phys->zp_gid = gid; 1057 zp->z_phys->zp_mode = mode; 1058 1059 mutex_enter(&parent->z_lock); 1060 pull_down = (parent->z_phys->zp_flags & ZFS_INHERIT_ACE); 1061 if (pull_down) { 1062 mutex_enter(&parent->z_acl_lock); 1063 VERIFY(0 == zfs_acl_node_read(parent, &paclp)); 1064 mutex_exit(&parent->z_acl_lock); 1065 aclp = zfs_acl_inherit(zp, paclp); 1066 zfs_acl_free(paclp); 1067 } else { 1068 aclp = zfs_acl_alloc(6); 1069 } 1070 mutex_exit(&parent->z_lock); 1071 mutex_enter(&zp->z_lock); 1072 mutex_enter(&zp->z_acl_lock); 1073 error = zfs_acl_chmod(zp, mode, aclp, tx); 1074 mutex_exit(&zp->z_lock); 1075 mutex_exit(&zp->z_acl_lock); 1076 ASSERT3U(error, ==, 0); 1077 zfs_acl_free(aclp); 1078 } 1079 1080 /* 1081 * Should ACE be inherited? 1082 */ 1083 static int 1084 zfs_ace_can_use(znode_t *zp, ace_t *acep) 1085 { 1086 int vtype = ZTOV(zp)->v_type; 1087 1088 int iflags = (acep->a_flags & 0xf); 1089 1090 if ((vtype == VDIR) && (iflags & ACE_DIRECTORY_INHERIT_ACE)) 1091 return (1); 1092 else if (iflags & ACE_FILE_INHERIT_ACE) 1093 return (!((vtype == VDIR) && 1094 (iflags & ACE_NO_PROPAGATE_INHERIT_ACE))); 1095 return (0); 1096 } 1097 1098 /* 1099 * Retrieve a files ACL 1100 */ 1101 int 1102 zfs_getacl(znode_t *zp, vsecattr_t *vsecp, cred_t *cr) 1103 { 1104 zfs_acl_t *aclp; 1105 ulong_t mask = vsecp->vsa_mask & (VSA_ACE | VSA_ACECNT); 1106 int error; 1107 1108 if (error = zfs_zaccess(zp, ACE_READ_ACL, cr)) { 1109 /* 1110 * If owner of file then allow reading of the 1111 * ACL. 1112 */ 1113 if (crgetuid(cr) != zp->z_phys->zp_uid) 1114 return (error); 1115 } 1116 1117 if (mask == 0) 1118 return (ENOSYS); 1119 1120 mutex_enter(&zp->z_acl_lock); 1121 1122 error = zfs_acl_node_read(zp, &aclp); 1123 if (error != 0) { 1124 mutex_exit(&zp->z_acl_lock); 1125 return (error); 1126 } 1127 1128 1129 if (mask & VSA_ACECNT) { 1130 vsecp->vsa_aclcnt = aclp->z_acl_count; 1131 } 1132 1133 if (mask & VSA_ACE) { 1134 vsecp->vsa_aclentp = kmem_alloc(aclp->z_acl_count * 1135 sizeof (ace_t), KM_SLEEP); 1136 bcopy(aclp->z_acl, vsecp->vsa_aclentp, 1137 aclp->z_acl_count * sizeof (ace_t)); 1138 } 1139 1140 mutex_exit(&zp->z_acl_lock); 1141 1142 zfs_acl_free(aclp); 1143 1144 return (0); 1145 } 1146 1147 /* 1148 * Set a files ACL 1149 */ 1150 int 1151 zfs_setacl(znode_t *zp, vsecattr_t *vsecp, cred_t *cr) 1152 { 1153 zfsvfs_t *zfsvfs = zp->z_zfsvfs; 1154 zilog_t *zilog = zfsvfs->z_log; 1155 ace_t *acep = vsecp->vsa_aclentp; 1156 int aclcnt = vsecp->vsa_aclcnt; 1157 ulong_t mask = vsecp->vsa_mask & (VSA_ACE | VSA_ACECNT); 1158 dmu_tx_t *tx; 1159 int error; 1160 int inherit; 1161 zfs_acl_t *aclp; 1162 1163 if (mask == 0) 1164 return (ENOSYS); 1165 1166 if (!zfs_acl_valid(zp, acep, aclcnt, &inherit)) 1167 return (EINVAL); 1168 top: 1169 error = zfs_zaccess_v4_perm(zp, ACE_WRITE_ACL, cr); 1170 if (error == EACCES || error == ACCESS_UNDETERMINED) { 1171 if ((error = secpolicy_vnode_setdac(cr, 1172 zp->z_phys->zp_uid)) != 0) { 1173 return (error); 1174 } 1175 } else if (error) { 1176 return (error == EROFS ? error : EPERM); 1177 } 1178 1179 mutex_enter(&zp->z_lock); 1180 mutex_enter(&zp->z_acl_lock); 1181 1182 tx = dmu_tx_create(zfsvfs->z_os); 1183 dmu_tx_hold_bonus(tx, zp->z_id); 1184 1185 if (zp->z_phys->zp_acl.z_acl_extern_obj) { 1186 dmu_tx_hold_write(tx, zp->z_phys->zp_acl.z_acl_extern_obj, 1187 0, ZFS_ACL_SIZE(aclcnt)); 1188 } else if (aclcnt > ACE_SLOT_CNT) { 1189 dmu_tx_hold_write(tx, DMU_NEW_OBJECT, 0, ZFS_ACL_SIZE(aclcnt)); 1190 } 1191 1192 error = dmu_tx_assign(tx, zfsvfs->z_assign); 1193 if (error) { 1194 mutex_exit(&zp->z_acl_lock); 1195 mutex_exit(&zp->z_lock); 1196 1197 if (error == ERESTART && zfsvfs->z_assign == TXG_NOWAIT) { 1198 dmu_tx_wait(tx); 1199 dmu_tx_abort(tx); 1200 goto top; 1201 } 1202 dmu_tx_abort(tx); 1203 return (error); 1204 } 1205 1206 aclp = zfs_acl_alloc(aclcnt); 1207 bcopy(acep, aclp->z_acl, sizeof (ace_t) * aclcnt); 1208 aclp->z_acl_count = aclcnt; 1209 error = zfs_aclset_common(zp, aclp, tx, &inherit); 1210 ASSERT(error == 0); 1211 1212 zfs_acl_free(aclp); 1213 zfs_log_acl(zilog, tx, TX_ACL, zp, aclcnt, acep); 1214 dmu_tx_commit(tx); 1215 done: 1216 mutex_exit(&zp->z_acl_lock); 1217 mutex_exit(&zp->z_lock); 1218 1219 return (error); 1220 } 1221 1222 static int 1223 zfs_ace_access(ace_t *zacep, int *working_mode) 1224 { 1225 if (*working_mode == 0) { 1226 return (0); 1227 } 1228 1229 if (zacep->a_access_mask & *working_mode) { 1230 if (zacep->a_type == ALLOW) { 1231 *working_mode &= 1232 ~(*working_mode & zacep->a_access_mask); 1233 if (*working_mode == 0) 1234 return (0); 1235 } else if (zacep->a_type == DENY) { 1236 return (EACCES); 1237 } 1238 } 1239 1240 /* 1241 * haven't been specifcally denied at this point 1242 * so return UNDETERMINED. 1243 */ 1244 1245 return (ACCESS_UNDETERMINED); 1246 } 1247 1248 1249 static int 1250 zfs_zaccess_common(znode_t *zp, int v4_mode, int *working_mode, cred_t *cr) 1251 { 1252 zfs_acl_t *aclp; 1253 zfsvfs_t *zfsvfs = zp->z_zfsvfs; 1254 ace_t *zacep; 1255 gid_t gid; 1256 int cnt; 1257 int i; 1258 int error; 1259 int access_deny = ACCESS_UNDETERMINED; 1260 uint_t entry_type; 1261 uid_t uid = crgetuid(cr); 1262 1263 if (zfsvfs->z_assign >= TXG_INITIAL) { /* ZIL replay */ 1264 *working_mode = 0; 1265 return (0); 1266 } 1267 1268 *working_mode = v4_mode; 1269 1270 if ((v4_mode & WRITE_MASK) && 1271 (zp->z_zfsvfs->z_vfs->vfs_flag & VFS_RDONLY) && 1272 (!IS_DEVVP(ZTOV(zp)))) { 1273 return (EROFS); 1274 } 1275 1276 mutex_enter(&zp->z_acl_lock); 1277 1278 error = zfs_acl_node_read(zp, &aclp); 1279 if (error != 0) { 1280 mutex_exit(&zp->z_acl_lock); 1281 return (error); 1282 } 1283 1284 1285 zacep = aclp->z_acl; 1286 cnt = aclp->z_acl_count; 1287 1288 for (i = 0; i != cnt; i++) { 1289 1290 DTRACE_PROBE2(zfs__access__common, 1291 ace_t *, &zacep[i], int, *working_mode); 1292 1293 if (zacep[i].a_flags & ACE_INHERIT_ONLY_ACE) 1294 continue; 1295 1296 entry_type = (zacep[i].a_flags & ACE_TYPE_FLAGS); 1297 switch (entry_type) { 1298 case ACE_OWNER: 1299 if (uid == zp->z_phys->zp_uid) { 1300 access_deny = zfs_ace_access(&zacep[i], 1301 working_mode); 1302 } 1303 break; 1304 case (ACE_IDENTIFIER_GROUP | ACE_GROUP): 1305 case ACE_IDENTIFIER_GROUP: 1306 /* 1307 * Owning group gid is in znode not ACL 1308 */ 1309 if (entry_type == (ACE_IDENTIFIER_GROUP | ACE_GROUP)) 1310 gid = zp->z_phys->zp_gid; 1311 else 1312 gid = zacep[i].a_who; 1313 1314 if (groupmember(gid, cr)) { 1315 access_deny = zfs_ace_access(&zacep[i], 1316 working_mode); 1317 } 1318 break; 1319 case ACE_EVERYONE: 1320 access_deny = zfs_ace_access(&zacep[i], working_mode); 1321 break; 1322 1323 /* USER Entry */ 1324 default: 1325 if (entry_type == 0) { 1326 if (uid == zacep[i].a_who) { 1327 access_deny = zfs_ace_access(&zacep[i], 1328 working_mode); 1329 } 1330 break; 1331 } 1332 zfs_acl_free(aclp); 1333 mutex_exit(&zp->z_acl_lock); 1334 return (EIO); 1335 } 1336 1337 if (access_deny != ACCESS_UNDETERMINED) 1338 break; 1339 } 1340 1341 mutex_exit(&zp->z_acl_lock); 1342 zfs_acl_free(aclp); 1343 1344 return (access_deny); 1345 } 1346 1347 1348 /* 1349 * Determine whether Access should be granted/denied, invoking least 1350 * priv subsytem when a deny is determined. 1351 */ 1352 int 1353 zfs_zaccess(znode_t *zp, int mode, cred_t *cr) 1354 { 1355 int working_mode; 1356 int error; 1357 int is_attr; 1358 znode_t *xzp; 1359 znode_t *check_zp = zp; 1360 1361 is_attr = ((zp->z_phys->zp_flags & ZFS_XATTR) && 1362 (ZTOV(zp)->v_type == VDIR)); 1363 1364 /* 1365 * If attribute then validate against base file 1366 */ 1367 if (is_attr) { 1368 if ((error = zfs_zget(zp->z_zfsvfs, 1369 zp->z_phys->zp_parent, &xzp)) != 0) { 1370 return (error); 1371 } 1372 check_zp = xzp; 1373 /* 1374 * fixup mode to map to xattr perms 1375 */ 1376 1377 if (mode & (ACE_WRITE_DATA|ACE_APPEND_DATA)) { 1378 mode &= ~(ACE_WRITE_DATA|ACE_APPEND_DATA); 1379 mode |= ACE_WRITE_NAMED_ATTRS; 1380 } 1381 1382 if (mode & (ACE_READ_DATA|ACE_EXECUTE)) { 1383 mode &= ~(ACE_READ_DATA|ACE_EXECUTE); 1384 mode |= ACE_READ_NAMED_ATTRS; 1385 } 1386 } 1387 1388 error = zfs_zaccess_common(check_zp, mode, &working_mode, cr); 1389 1390 if (error == EROFS) { 1391 if (is_attr) 1392 VN_RELE(ZTOV(xzp)); 1393 return (error); 1394 } 1395 1396 if (error || working_mode) { 1397 working_mode = (zfs_v4_to_unix(working_mode) << 6); 1398 error = secpolicy_vnode_access(cr, ZTOV(check_zp), 1399 check_zp->z_phys->zp_uid, working_mode); 1400 } 1401 1402 if (is_attr) 1403 VN_RELE(ZTOV(xzp)); 1404 1405 return (error); 1406 } 1407 1408 /* 1409 * Special zaccess function to check for special nfsv4 perm. 1410 * doesn't call secpolicy_vnode_access() for failure, since that 1411 * would probably be the wrong policy function to call. 1412 * instead its up to the caller to handle that situation. 1413 */ 1414 1415 int 1416 zfs_zaccess_v4_perm(znode_t *zp, int mode, cred_t *cr) 1417 { 1418 int working_mode = 0; 1419 return (zfs_zaccess_common(zp, mode, &working_mode, cr)); 1420 } 1421 1422 /* 1423 * Translate tradition unix VREAD/VWRITE/VEXEC mode into 1424 * native ACL format and call zfs_zaccess() 1425 */ 1426 int 1427 zfs_zaccess_rwx(znode_t *zp, mode_t mode, cred_t *cr) 1428 { 1429 int v4_mode = zfs_unix_to_v4(mode >> 6); 1430 1431 return (zfs_zaccess(zp, v4_mode, cr)); 1432 } 1433 1434 static int 1435 zfs_delete_final_check(znode_t *zp, znode_t *dzp, cred_t *cr) 1436 { 1437 int error; 1438 1439 error = secpolicy_vnode_access(cr, ZTOV(zp), 1440 dzp->z_phys->zp_uid, S_IWRITE|S_IEXEC); 1441 1442 if (error == 0) 1443 error = zfs_sticky_remove_access(dzp, zp, cr); 1444 1445 return (error); 1446 } 1447 1448 /* 1449 * Determine whether Access should be granted/deny, without 1450 * consulting least priv subsystem. 1451 * 1452 * 1453 * The following chart is the recommended NFSv4 enforcement for 1454 * ability to delete an object. 1455 * 1456 * ------------------------------------------------------- 1457 * | Parent Dir | Target Object Permissions | 1458 * | permissions | | 1459 * ------------------------------------------------------- 1460 * | | ACL Allows | ACL Denies| Delete | 1461 * | | Delete | Delete | unspecified| 1462 * ------------------------------------------------------- 1463 * | ACL Allows | Permit | Permit | Permit | 1464 * | DELETE_CHILD | | 1465 * ------------------------------------------------------- 1466 * | ACL Denies | Permit | Deny | Deny | 1467 * | DELETE_CHILD | | | | 1468 * ------------------------------------------------------- 1469 * | ACL specifies | | | | 1470 * | only allow | Permit | Permit | Permit | 1471 * | write and | | | | 1472 * | execute | | | | 1473 * ------------------------------------------------------- 1474 * | ACL denies | | | | 1475 * | write and | Permit | Deny | Deny | 1476 * | execute | | | | 1477 * ------------------------------------------------------- 1478 * ^ 1479 * | 1480 * No search privilege, can't even look up file? 1481 * 1482 */ 1483 int 1484 zfs_zaccess_delete(znode_t *dzp, znode_t *zp, cred_t *cr) 1485 { 1486 int dzp_working_mode = 0; 1487 int zp_working_mode = 0; 1488 int dzp_error, zp_error; 1489 1490 /* 1491 * Arghh, this check is going to require a couple of questions 1492 * to be asked. We want specific DELETE permissions to 1493 * take precedence over WRITE/EXECUTE. We don't 1494 * want an ACL such as this to mess us up. 1495 * user:joe:write_data:deny,user:joe:delete:allow 1496 * 1497 * However, deny permissions may ultimately be overridden 1498 * by secpolicy_vnode_access(). 1499 */ 1500 1501 dzp_error = zfs_zaccess_common(dzp, ACE_DELETE_CHILD, 1502 &dzp_working_mode, cr); 1503 zp_error = zfs_zaccess_common(zp, ACE_DELETE, &zp_working_mode, cr); 1504 1505 if (dzp_error == EROFS || zp_error == EROFS) 1506 return (dzp_error); 1507 1508 /* 1509 * First check the first row. 1510 * We only need to see if parent Allows delete_child 1511 */ 1512 if ((dzp_working_mode & ACE_DELETE_CHILD) == 0) 1513 return (0); 1514 1515 /* 1516 * Second row 1517 * we already have the necessary information in 1518 * zp_working_mode, zp_error and dzp_error. 1519 */ 1520 1521 if ((zp_working_mode & ACE_DELETE) == 0) 1522 return (0); 1523 1524 /* 1525 * Now zp_error should either be EACCES which indicates 1526 * a "deny" delete entry or ACCESS_UNDETERMINED if the "delete" 1527 * entry exists on the target. 1528 * 1529 * dzp_error should be either EACCES which indicates a "deny" 1530 * entry for delete_child or ACCESS_UNDETERMINED if no delete_child 1531 * entry exists. If value is EACCES then we are done 1532 * and zfs_delete_final_check() will make the final decision 1533 * regarding to allow the delete. 1534 */ 1535 1536 ASSERT(zp_error != 0 && dzp_error != 0); 1537 if (dzp_error == EACCES) 1538 return (zfs_delete_final_check(zp, dzp, cr)); 1539 1540 /* 1541 * Third Row 1542 * Only need to check for write/execute on parent 1543 */ 1544 1545 dzp_error = zfs_zaccess_common(dzp, ACE_WRITE_DATA|ACE_EXECUTE, 1546 &dzp_working_mode, cr); 1547 1548 if (dzp_error == EROFS) 1549 return (dzp_error); 1550 1551 if ((dzp_working_mode & (ACE_WRITE_DATA|ACE_EXECUTE)) == 0) 1552 return (zfs_sticky_remove_access(dzp, zp, cr)); 1553 1554 /* 1555 * Fourth Row 1556 */ 1557 1558 if (((dzp_working_mode & (ACE_WRITE_DATA|ACE_EXECUTE)) != 0) && 1559 ((zp_working_mode & ACE_DELETE) == 0)) 1560 return (zfs_sticky_remove_access(dzp, zp, cr)); 1561 1562 return (zfs_delete_final_check(zp, dzp, cr)); 1563 } 1564 1565 int 1566 zfs_zaccess_rename(znode_t *sdzp, znode_t *szp, znode_t *tdzp, 1567 znode_t *tzp, cred_t *cr) 1568 { 1569 int add_perm; 1570 int error; 1571 1572 add_perm = (ZTOV(szp)->v_type == VDIR) ? 1573 ACE_ADD_SUBDIRECTORY : ACE_ADD_FILE; 1574 1575 /* 1576 * Rename permissions are combination of delete permission + 1577 * add file/subdir permission. 1578 */ 1579 1580 /* 1581 * first make sure we do the delete portion. 1582 * 1583 * If that succeeds then check for add_file/add_subdir permissions 1584 */ 1585 1586 if (error = zfs_zaccess_delete(sdzp, szp, cr)) 1587 return (error); 1588 1589 /* 1590 * If we have a tzp, see if we can delete it? 1591 */ 1592 if (tzp) { 1593 if (error = zfs_zaccess_delete(tdzp, tzp, cr)) 1594 return (error); 1595 } 1596 1597 /* 1598 * Now check for add permissions 1599 */ 1600 error = zfs_zaccess(tdzp, add_perm, cr); 1601 1602 return (error); 1603 } 1604