xref: /titanic_41/usr/src/uts/common/fs/zfs/zfs_acl.c (revision 60405de4d8688d96dd05157c28db3ade5c9bc234)
1 /*
2  * CDDL HEADER START
3  *
4  * The contents of this file are subject to the terms of the
5  * Common Development and Distribution License (the "License").
6  * You may not use this file except in compliance with the License.
7  *
8  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9  * or http://www.opensolaris.org/os/licensing.
10  * See the License for the specific language governing permissions
11  * and limitations under the License.
12  *
13  * When distributing Covered Code, include this CDDL HEADER in each
14  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15  * If applicable, add the following below this CDDL HEADER, with the
16  * fields enclosed by brackets "[]" replaced with your own identifying
17  * information: Portions Copyright [yyyy] [name of copyright owner]
18  *
19  * CDDL HEADER END
20  */
21 /*
22  * Copyright 2006 Sun Microsystems, Inc.  All rights reserved.
23  * Use is subject to license terms.
24  */
25 
26 #pragma ident	"%Z%%M%	%I%	%E% SMI"
27 
28 #include <sys/types.h>
29 #include <sys/param.h>
30 #include <sys/time.h>
31 #include <sys/systm.h>
32 #include <sys/sysmacros.h>
33 #include <sys/resource.h>
34 #include <sys/vfs.h>
35 #include <sys/vnode.h>
36 #include <sys/file.h>
37 #include <sys/stat.h>
38 #include <sys/kmem.h>
39 #include <sys/cmn_err.h>
40 #include <sys/errno.h>
41 #include <sys/unistd.h>
42 #include <sys/sdt.h>
43 #include <sys/fs/zfs.h>
44 #include <sys/mode.h>
45 #include <sys/policy.h>
46 #include <sys/zfs_znode.h>
47 #include <sys/zfs_acl.h>
48 #include <sys/zfs_dir.h>
49 #include <sys/zfs_vfsops.h>
50 #include <sys/dmu.h>
51 #include <sys/zap.h>
52 #include <util/qsort.h>
53 #include "fs/fs_subr.h"
54 #include <acl/acl_common.h>
55 
56 #define	ALLOW	ACE_ACCESS_ALLOWED_ACE_TYPE
57 #define	DENY	ACE_ACCESS_DENIED_ACE_TYPE
58 
59 #define	OWNING_GROUP		(ACE_GROUP|ACE_IDENTIFIER_GROUP)
60 #define	EVERYONE_ALLOW_MASK (ACE_READ_ACL|ACE_READ_ATTRIBUTES | \
61     ACE_READ_NAMED_ATTRS|ACE_SYNCHRONIZE)
62 #define	EVERYONE_DENY_MASK (ACE_WRITE_ACL|ACE_WRITE_OWNER | \
63     ACE_WRITE_ATTRIBUTES|ACE_WRITE_NAMED_ATTRS)
64 #define	OWNER_ALLOW_MASK (ACE_WRITE_ACL | ACE_WRITE_OWNER | \
65     ACE_WRITE_ATTRIBUTES|ACE_WRITE_NAMED_ATTRS)
66 #define	WRITE_MASK (ACE_WRITE_DATA|ACE_APPEND_DATA|ACE_WRITE_NAMED_ATTRS| \
67     ACE_WRITE_ATTRIBUTES|ACE_WRITE_ACL|ACE_WRITE_OWNER)
68 
69 #define	OGE_CLEAR	(ACE_READ_DATA|ACE_LIST_DIRECTORY|ACE_WRITE_DATA| \
70     ACE_ADD_FILE|ACE_APPEND_DATA|ACE_ADD_SUBDIRECTORY|ACE_EXECUTE)
71 
72 #define	OKAY_MASK_BITS (ACE_READ_DATA|ACE_LIST_DIRECTORY|ACE_WRITE_DATA| \
73     ACE_ADD_FILE|ACE_APPEND_DATA|ACE_ADD_SUBDIRECTORY|ACE_EXECUTE)
74 
75 #define	ALL_INHERIT	(ACE_FILE_INHERIT_ACE|ACE_DIRECTORY_INHERIT_ACE | \
76     ACE_NO_PROPAGATE_INHERIT_ACE|ACE_INHERIT_ONLY_ACE)
77 
78 #define	SECURE_CLEAR	(ACE_WRITE_ACL|ACE_WRITE_OWNER)
79 
80 #define	OGE_PAD	6		/* traditional owner/group/everyone ACES */
81 
82 static int zfs_ace_can_use(znode_t *zp, ace_t *);
83 
84 static zfs_acl_t *
85 zfs_acl_alloc(int slots)
86 {
87 	zfs_acl_t *aclp;
88 
89 	aclp = kmem_zalloc(sizeof (zfs_acl_t), KM_SLEEP);
90 	if (slots != 0) {
91 		aclp->z_acl = kmem_alloc(ZFS_ACL_SIZE(slots), KM_SLEEP);
92 		aclp->z_acl_count = 0;
93 		aclp->z_state = ACL_DATA_ALLOCED;
94 	} else {
95 		aclp->z_state = 0;
96 	}
97 	aclp->z_slots = slots;
98 	return (aclp);
99 }
100 
101 void
102 zfs_acl_free(zfs_acl_t *aclp)
103 {
104 	if (aclp->z_state == ACL_DATA_ALLOCED) {
105 		kmem_free(aclp->z_acl, ZFS_ACL_SIZE(aclp->z_slots));
106 	}
107 	kmem_free(aclp, sizeof (zfs_acl_t));
108 }
109 
110 static uint32_t
111 zfs_v4_to_unix(uint32_t access_mask)
112 {
113 	uint32_t new_mask = 0;
114 
115 	/*
116 	 * This is used for mapping v4 permissions into permissions
117 	 * that can be passed to secpolicy_vnode_access()
118 	 */
119 	if (access_mask & (ACE_READ_DATA | ACE_LIST_DIRECTORY |
120 	    ACE_READ_ATTRIBUTES | ACE_READ_ACL))
121 		new_mask |= S_IROTH;
122 	if (access_mask & (ACE_WRITE_DATA | ACE_APPEND_DATA |
123 	    ACE_WRITE_ATTRIBUTES | ACE_ADD_FILE | ACE_WRITE_NAMED_ATTRS))
124 		new_mask |= S_IWOTH;
125 	if (access_mask & (ACE_EXECUTE | ACE_READ_NAMED_ATTRS))
126 		new_mask |= S_IXOTH;
127 
128 	return (new_mask);
129 }
130 
131 /*
132  * Convert unix access mask to v4 access mask
133  */
134 static uint32_t
135 zfs_unix_to_v4(uint32_t access_mask)
136 {
137 	uint32_t new_mask = 0;
138 
139 	if (access_mask & 01)
140 		new_mask |= (ACE_EXECUTE);
141 	if (access_mask & 02) {
142 		new_mask |= (ACE_WRITE_DATA);
143 	} if (access_mask & 04) {
144 		new_mask |= ACE_READ_DATA;
145 	}
146 	return (new_mask);
147 }
148 
149 static void
150 zfs_set_ace(ace_t *zacep, uint32_t access_mask, int access_type,
151     uid_t uid, int entry_type)
152 {
153 	zacep->a_access_mask = access_mask;
154 	zacep->a_type = access_type;
155 	zacep->a_who = uid;
156 	zacep->a_flags = entry_type;
157 }
158 
159 static uint64_t
160 zfs_mode_compute(znode_t *zp, zfs_acl_t *aclp)
161 {
162 	int 	i;
163 	int	entry_type;
164 	mode_t	mode = (zp->z_phys->zp_mode &
165 	    (S_IFMT | S_ISUID | S_ISGID | S_ISVTX));
166 	mode_t	 seen = 0;
167 	ace_t 	*acep;
168 
169 	for (i = 0, acep = aclp->z_acl;
170 	    i != aclp->z_acl_count; i++, acep++) {
171 		entry_type = (acep->a_flags & ACE_TYPE_FLAGS);
172 		if (entry_type == ACE_OWNER) {
173 			if ((acep->a_access_mask & ACE_READ_DATA) &&
174 			    (!(seen & S_IRUSR))) {
175 				seen |= S_IRUSR;
176 				if (acep->a_type == ALLOW) {
177 					mode |= S_IRUSR;
178 				}
179 			}
180 			if ((acep->a_access_mask & ACE_WRITE_DATA) &&
181 			    (!(seen & S_IWUSR))) {
182 				seen |= S_IWUSR;
183 				if (acep->a_type == ALLOW) {
184 					mode |= S_IWUSR;
185 				}
186 			}
187 			if ((acep->a_access_mask & ACE_EXECUTE) &&
188 			    (!(seen & S_IXUSR))) {
189 				seen |= S_IXUSR;
190 				if (acep->a_type == ALLOW) {
191 					mode |= S_IXUSR;
192 				}
193 			}
194 		} else if (entry_type == OWNING_GROUP) {
195 			if ((acep->a_access_mask & ACE_READ_DATA) &&
196 			    (!(seen & S_IRGRP))) {
197 				seen |= S_IRGRP;
198 				if (acep->a_type == ALLOW) {
199 					mode |= S_IRGRP;
200 				}
201 			}
202 			if ((acep->a_access_mask & ACE_WRITE_DATA) &&
203 			    (!(seen & S_IWGRP))) {
204 				seen |= S_IWGRP;
205 				if (acep->a_type == ALLOW) {
206 					mode |= S_IWGRP;
207 				}
208 			}
209 			if ((acep->a_access_mask & ACE_EXECUTE) &&
210 			    (!(seen & S_IXGRP))) {
211 				seen |= S_IXGRP;
212 				if (acep->a_type == ALLOW) {
213 					mode |= S_IXGRP;
214 				}
215 			}
216 		} else if (entry_type == ACE_EVERYONE) {
217 			if ((acep->a_access_mask & ACE_READ_DATA)) {
218 				if (!(seen & S_IRUSR)) {
219 					seen |= S_IRUSR;
220 					if (acep->a_type == ALLOW) {
221 						mode |= S_IRUSR;
222 					}
223 				}
224 				if (!(seen & S_IRGRP)) {
225 					seen |= S_IRGRP;
226 					if (acep->a_type == ALLOW) {
227 						mode |= S_IRGRP;
228 					}
229 				}
230 				if (!(seen & S_IROTH)) {
231 					seen |= S_IROTH;
232 					if (acep->a_type == ALLOW) {
233 						mode |= S_IROTH;
234 					}
235 				}
236 			}
237 			if ((acep->a_access_mask & ACE_WRITE_DATA)) {
238 				if (!(seen & S_IWUSR)) {
239 					seen |= S_IWUSR;
240 					if (acep->a_type == ALLOW) {
241 						mode |= S_IWUSR;
242 					}
243 				}
244 				if (!(seen & S_IWGRP)) {
245 					seen |= S_IWGRP;
246 					if (acep->a_type == ALLOW) {
247 						mode |= S_IWGRP;
248 					}
249 				}
250 				if (!(seen & S_IWOTH)) {
251 					seen |= S_IWOTH;
252 					if (acep->a_type == ALLOW) {
253 						mode |= S_IWOTH;
254 					}
255 				}
256 			}
257 			if ((acep->a_access_mask & ACE_EXECUTE)) {
258 				if (!(seen & S_IXUSR)) {
259 					seen |= S_IXUSR;
260 					if (acep->a_type == ALLOW) {
261 						mode |= S_IXUSR;
262 					}
263 				}
264 				if (!(seen & S_IXGRP)) {
265 					seen |= S_IXGRP;
266 					if (acep->a_type == ALLOW) {
267 						mode |= S_IXGRP;
268 					}
269 				}
270 				if (!(seen & S_IXOTH)) {
271 					seen |= S_IXOTH;
272 					if (acep->a_type == ALLOW) {
273 						mode |= S_IXOTH;
274 					}
275 				}
276 			}
277 		}
278 	}
279 	return (mode);
280 }
281 
282 static zfs_acl_t *
283 zfs_acl_node_read_internal(znode_t *zp)
284 {
285 	zfs_acl_t	*aclp;
286 
287 	aclp = zfs_acl_alloc(0);
288 	aclp->z_acl_count = zp->z_phys->zp_acl.z_acl_count;
289 	aclp->z_acl = &zp->z_phys->zp_acl.z_ace_data[0];
290 
291 	return (aclp);
292 }
293 
294 /*
295  * Read an external acl object.
296  */
297 static int
298 zfs_acl_node_read(znode_t *zp, zfs_acl_t **aclpp)
299 {
300 	uint64_t extacl = zp->z_phys->zp_acl.z_acl_extern_obj;
301 	zfs_acl_t	*aclp;
302 	int error;
303 
304 	ASSERT(MUTEX_HELD(&zp->z_acl_lock));
305 
306 	if (zp->z_phys->zp_acl.z_acl_extern_obj == 0) {
307 		*aclpp = zfs_acl_node_read_internal(zp);
308 		return (0);
309 	}
310 
311 	aclp = zfs_acl_alloc(zp->z_phys->zp_acl.z_acl_count);
312 
313 	error = dmu_read(zp->z_zfsvfs->z_os, extacl, 0,
314 	    ZFS_ACL_SIZE(zp->z_phys->zp_acl.z_acl_count), aclp->z_acl);
315 	if (error != 0) {
316 		zfs_acl_free(aclp);
317 		return (error);
318 	}
319 
320 	aclp->z_acl_count = zp->z_phys->zp_acl.z_acl_count;
321 
322 	*aclpp = aclp;
323 	return (0);
324 }
325 
326 static boolean_t
327 zfs_acl_valid(znode_t *zp, ace_t *uace, int aclcnt, int *inherit)
328 {
329 	ace_t 	*acep;
330 	int i;
331 
332 	*inherit = 0;
333 
334 	if (aclcnt > MAX_ACL_ENTRIES || aclcnt <= 0) {
335 		return (B_FALSE);
336 	}
337 
338 	for (i = 0, acep = uace; i != aclcnt; i++, acep++) {
339 
340 		/*
341 		 * first check type of entry
342 		 */
343 
344 		switch (acep->a_flags & ACE_TYPE_FLAGS) {
345 		case ACE_OWNER:
346 			acep->a_who = -1;
347 			break;
348 		case (ACE_IDENTIFIER_GROUP | ACE_GROUP):
349 		case ACE_IDENTIFIER_GROUP:
350 			if (acep->a_flags & ACE_GROUP) {
351 				acep->a_who = -1;
352 			}
353 			break;
354 		case ACE_EVERYONE:
355 			acep->a_who = -1;
356 			break;
357 		}
358 
359 		/*
360 		 * next check inheritance level flags
361 		 */
362 
363 		if (acep->a_type != ALLOW && acep->a_type != DENY)
364 			return (B_FALSE);
365 
366 		/*
367 		 * Only directories should have inheritance flags.
368 		 */
369 		if (ZTOV(zp)->v_type != VDIR && (acep->a_flags &
370 		    (ACE_FILE_INHERIT_ACE|ACE_DIRECTORY_INHERIT_ACE|
371 		    ACE_INHERIT_ONLY_ACE|ACE_NO_PROPAGATE_INHERIT_ACE))) {
372 			return (B_FALSE);
373 		}
374 
375 		if (acep->a_flags &
376 		    (ACE_FILE_INHERIT_ACE|ACE_DIRECTORY_INHERIT_ACE))
377 			*inherit = 1;
378 
379 		if (acep->a_flags &
380 		    (ACE_INHERIT_ONLY_ACE|ACE_NO_PROPAGATE_INHERIT_ACE)) {
381 			if ((acep->a_flags & (ACE_FILE_INHERIT_ACE|
382 			    ACE_DIRECTORY_INHERIT_ACE)) == 0) {
383 				return (B_FALSE);
384 			}
385 		}
386 	}
387 
388 	return (B_TRUE);
389 }
390 /*
391  * common code for setting acl's.
392  *
393  * This function is called from zfs_mode_update, zfs_perm_init, and zfs_setacl.
394  * zfs_setacl passes a non-NULL inherit pointer (ihp) to indicate that it's
395  * already checked the acl and knows whether to inherit.
396  */
397 int
398 zfs_aclset_common(znode_t *zp, zfs_acl_t *aclp, dmu_tx_t *tx, int *ihp)
399 {
400 	int 		inherit = 0;
401 	int		error;
402 	znode_phys_t	*zphys = zp->z_phys;
403 	zfs_znode_acl_t	*zacl = &zphys->zp_acl;
404 	uint32_t	acl_phys_size = ZFS_ACL_SIZE(aclp->z_acl_count);
405 	zfsvfs_t	*zfsvfs = zp->z_zfsvfs;
406 	uint64_t	aoid = zphys->zp_acl.z_acl_extern_obj;
407 
408 	ASSERT(MUTEX_HELD(&zp->z_lock));
409 	ASSERT(MUTEX_HELD(&zp->z_acl_lock));
410 
411 	if (ihp)
412 		inherit = *ihp;		/* already determined by caller */
413 	else if (!zfs_acl_valid(zp, aclp->z_acl,
414 	    aclp->z_acl_count, &inherit)) {
415 		return (EINVAL);
416 	}
417 
418 	dmu_buf_will_dirty(zp->z_dbuf, tx);
419 
420 	/*
421 	 * Will ACL fit internally?
422 	 */
423 	if (aclp->z_acl_count > ACE_SLOT_CNT) {
424 		if (aoid == 0) {
425 			aoid = dmu_object_alloc(zfsvfs->z_os,
426 			    DMU_OT_ACL, acl_phys_size, DMU_OT_NONE, 0, tx);
427 		} else {
428 			(void) dmu_object_set_blocksize(zfsvfs->z_os, aoid,
429 			    acl_phys_size, 0, tx);
430 		}
431 		zphys->zp_acl.z_acl_extern_obj = aoid;
432 		zphys->zp_acl.z_acl_count = aclp->z_acl_count;
433 		dmu_write(zfsvfs->z_os, aoid, 0,
434 		    acl_phys_size, aclp->z_acl, tx);
435 	} else {
436 		/*
437 		 * Migrating back embedded?
438 		 */
439 		if (zphys->zp_acl.z_acl_extern_obj) {
440 			error = dmu_object_free(zfsvfs->z_os,
441 				zp->z_phys->zp_acl.z_acl_extern_obj, tx);
442 			if (error)
443 				return (error);
444 			zphys->zp_acl.z_acl_extern_obj = 0;
445 		}
446 		bcopy(aclp->z_acl, zacl->z_ace_data,
447 		    aclp->z_acl_count * sizeof (ace_t));
448 		zacl->z_acl_count = aclp->z_acl_count;
449 	}
450 
451 	zp->z_phys->zp_flags &= ~(ZFS_ACL_TRIVIAL|ZFS_INHERIT_ACE);
452 	if (inherit) {
453 		zp->z_phys->zp_flags |= ZFS_INHERIT_ACE;
454 	} else if (ace_trivial(zacl->z_ace_data, zacl->z_acl_count) == 0) {
455 		zp->z_phys->zp_flags |= ZFS_ACL_TRIVIAL;
456 	}
457 
458 	zphys->zp_mode = zfs_mode_compute(zp, aclp);
459 	zfs_time_stamper_locked(zp, STATE_CHANGED, tx);
460 
461 	return (0);
462 }
463 
464 /*
465  * Create space for slots_needed ACEs to be append
466  * to aclp.
467  */
468 static void
469 zfs_acl_append(zfs_acl_t *aclp, int slots_needed)
470 {
471 	ace_t	*newacep;
472 	ace_t	*oldaclp;
473 	int	slot_cnt;
474 	int 	slots_left = aclp->z_slots - aclp->z_acl_count;
475 
476 	if (aclp->z_state == ACL_DATA_ALLOCED)
477 		ASSERT(aclp->z_slots >= aclp->z_acl_count);
478 	if (slots_left < slots_needed || aclp->z_state != ACL_DATA_ALLOCED) {
479 		slot_cnt = aclp->z_slots +  1 + (slots_needed - slots_left);
480 		newacep = kmem_alloc(ZFS_ACL_SIZE(slot_cnt), KM_SLEEP);
481 		bcopy(aclp->z_acl, newacep,
482 		    ZFS_ACL_SIZE(aclp->z_acl_count));
483 		oldaclp = aclp->z_acl;
484 		if (aclp->z_state == ACL_DATA_ALLOCED)
485 			kmem_free(oldaclp, ZFS_ACL_SIZE(aclp->z_slots));
486 		aclp->z_acl = newacep;
487 		aclp->z_slots = slot_cnt;
488 		aclp->z_state = ACL_DATA_ALLOCED;
489 	}
490 }
491 
492 /*
493  * Remove "slot" ACE from aclp
494  */
495 static void
496 zfs_ace_remove(zfs_acl_t *aclp, int slot)
497 {
498 	if (aclp->z_acl_count > 1) {
499 		(void) memmove(&aclp->z_acl[slot],
500 		    &aclp->z_acl[slot +1], sizeof (ace_t) *
501 		    (--aclp->z_acl_count - slot));
502 	} else
503 		aclp->z_acl_count--;
504 }
505 
506 /*
507  * Update access mask for prepended ACE
508  *
509  * This applies the "groupmask" value for aclmode property.
510  */
511 static void
512 zfs_acl_prepend_fixup(ace_t *acep, ace_t *origacep, mode_t mode, uid_t owner)
513 {
514 
515 	int	rmask, wmask, xmask;
516 	int	user_ace;
517 
518 	user_ace = (!(acep->a_flags &
519 	    (ACE_OWNER|ACE_GROUP|ACE_IDENTIFIER_GROUP)));
520 
521 	if (user_ace && (acep->a_who == owner)) {
522 		rmask = S_IRUSR;
523 		wmask = S_IWUSR;
524 		xmask = S_IXUSR;
525 	} else {
526 		rmask = S_IRGRP;
527 		wmask = S_IWGRP;
528 		xmask = S_IXGRP;
529 	}
530 
531 	if (origacep->a_access_mask & ACE_READ_DATA) {
532 		if (mode & rmask)
533 			acep->a_access_mask &= ~ACE_READ_DATA;
534 		else
535 			acep->a_access_mask |= ACE_READ_DATA;
536 	}
537 
538 	if (origacep->a_access_mask & ACE_WRITE_DATA) {
539 		if (mode & wmask)
540 			acep->a_access_mask &= ~ACE_WRITE_DATA;
541 		else
542 			acep->a_access_mask |= ACE_WRITE_DATA;
543 	}
544 
545 	if (origacep->a_access_mask & ACE_APPEND_DATA) {
546 		if (mode & wmask)
547 			acep->a_access_mask &= ~ACE_APPEND_DATA;
548 		else
549 			acep->a_access_mask |= ACE_APPEND_DATA;
550 	}
551 
552 	if (origacep->a_access_mask & ACE_EXECUTE) {
553 		if (mode & xmask)
554 			acep->a_access_mask &= ~ACE_EXECUTE;
555 		else
556 			acep->a_access_mask |= ACE_EXECUTE;
557 	}
558 }
559 
560 /*
561  * Apply mode to canonical six ACEs.
562  */
563 static void
564 zfs_acl_fixup_canonical_six(zfs_acl_t *aclp, mode_t mode)
565 {
566 	int	cnt;
567 	ace_t	*acep;
568 
569 	cnt = aclp->z_acl_count -1;
570 	acep = aclp->z_acl;
571 
572 	/*
573 	 * Fixup final ACEs to match the mode
574 	 */
575 
576 	ASSERT(cnt >= 5);
577 	adjust_ace_pair(&acep[cnt - 1], mode);	/* everyone@ */
578 	adjust_ace_pair(&acep[cnt - 3], (mode & 0070) >> 3);	/* group@ */
579 	adjust_ace_pair(&acep[cnt - 5], (mode & 0700) >> 6);	/* owner@ */
580 }
581 
582 
583 static int
584 zfs_acl_ace_match(ace_t *acep, int allow_deny, int type, int mask)
585 {
586 	return (acep->a_access_mask == mask && acep->a_type == allow_deny &&
587 	    ((acep->a_flags & ACE_TYPE_FLAGS) == type));
588 }
589 
590 /*
591  * Can prepended ACE be reused?
592  */
593 static int
594 zfs_reuse_deny(ace_t *acep, int i)
595 {
596 	int okay_masks;
597 
598 	if (i < 1)
599 		return (B_FALSE);
600 
601 	if (acep[i-1].a_type != DENY)
602 		return (B_FALSE);
603 
604 	if (acep[i-1].a_flags != (acep[i].a_flags & ACE_IDENTIFIER_GROUP))
605 		return (B_FALSE);
606 
607 	okay_masks = (acep[i].a_access_mask & OKAY_MASK_BITS);
608 
609 	if (acep[i-1].a_access_mask & ~okay_masks)
610 		return (B_FALSE);
611 
612 	return (B_TRUE);
613 }
614 
615 /*
616  * Create space to prepend an ACE
617  */
618 static void
619 zfs_acl_prepend(zfs_acl_t *aclp, int i)
620 {
621 	ace_t	*oldaclp = NULL;
622 	ace_t	*to, *from;
623 	int	slots_left = aclp->z_slots - aclp->z_acl_count;
624 	int	oldslots;
625 	int	need_free = 0;
626 
627 	if (aclp->z_state == ACL_DATA_ALLOCED)
628 		ASSERT(aclp->z_slots >= aclp->z_acl_count);
629 
630 	if (slots_left == 0 || aclp->z_state != ACL_DATA_ALLOCED) {
631 
632 		to = kmem_alloc(ZFS_ACL_SIZE(aclp->z_acl_count +
633 		    OGE_PAD), KM_SLEEP);
634 		if (aclp->z_state == ACL_DATA_ALLOCED)
635 			need_free++;
636 		from = aclp->z_acl;
637 		oldaclp = aclp->z_acl;
638 		(void) memmove(to, from,
639 		    sizeof (ace_t) * aclp->z_acl_count);
640 		aclp->z_state = ACL_DATA_ALLOCED;
641 	} else {
642 		from = aclp->z_acl;
643 		to = aclp->z_acl;
644 	}
645 
646 
647 	(void) memmove(&to[i + 1], &from[i],
648 	    sizeof (ace_t) * (aclp->z_acl_count - i));
649 
650 	if (oldaclp) {
651 		aclp->z_acl = to;
652 		oldslots = aclp->z_slots;
653 		aclp->z_slots = aclp->z_acl_count + OGE_PAD;
654 		if (need_free)
655 			kmem_free(oldaclp, ZFS_ACL_SIZE(oldslots));
656 	}
657 
658 }
659 
660 /*
661  * Prepend deny ACE
662  */
663 static void
664 zfs_acl_prepend_deny(znode_t *zp, zfs_acl_t *aclp, int i,
665     mode_t mode)
666 {
667 	ace_t	*acep;
668 
669 	zfs_acl_prepend(aclp, i);
670 
671 	acep = aclp->z_acl;
672 	zfs_set_ace(&acep[i], 0, DENY, acep[i + 1].a_who,
673 	    (acep[i + 1].a_flags & ACE_TYPE_FLAGS));
674 	zfs_acl_prepend_fixup(&acep[i], &acep[i+1], mode, zp->z_phys->zp_uid);
675 	aclp->z_acl_count++;
676 }
677 
678 /*
679  * Split an inherited ACE into inherit_only ACE
680  * and original ACE with inheritance flags stripped off.
681  */
682 static void
683 zfs_acl_split_ace(zfs_acl_t *aclp, int i)
684 {
685 	ace_t *acep = aclp->z_acl;
686 
687 	zfs_acl_prepend(aclp, i);
688 	acep = aclp->z_acl;
689 	acep[i] = acep[i + 1];
690 	acep[i].a_flags |= ACE_INHERIT_ONLY_ACE;
691 	acep[i + 1].a_flags &= ~ALL_INHERIT;
692 	aclp->z_acl_count++;
693 }
694 
695 /*
696  * Are ACES started at index i, the canonical six ACES?
697  */
698 static int
699 zfs_have_canonical_six(zfs_acl_t *aclp, int i)
700 {
701 	ace_t *acep = aclp->z_acl;
702 
703 	if ((zfs_acl_ace_match(&acep[i],
704 	    DENY, ACE_OWNER, 0) &&
705 	    zfs_acl_ace_match(&acep[i + 1], ALLOW, ACE_OWNER,
706 	    OWNER_ALLOW_MASK) && zfs_acl_ace_match(&acep[i + 2],
707 	    DENY, OWNING_GROUP, 0) && zfs_acl_ace_match(&acep[i + 3],
708 	    ALLOW, OWNING_GROUP, 0) && zfs_acl_ace_match(&acep[i + 4],
709 	    DENY, ACE_EVERYONE, EVERYONE_DENY_MASK) &&
710 	    zfs_acl_ace_match(&acep[i + 5], ALLOW, ACE_EVERYONE,
711 	    EVERYONE_ALLOW_MASK))) {
712 		return (1);
713 	} else {
714 		return (0);
715 	}
716 }
717 
718 /*
719  * Apply step 1g, to group entries
720  *
721  * Need to deal with corner case where group may have
722  * greater permissions than owner.  If so then limit
723  * group permissions, based on what extra permissions
724  * group has.
725  */
726 static void
727 zfs_fixup_group_entries(ace_t *acep, mode_t mode)
728 {
729 	mode_t extramode = (mode >> 3) & 07;
730 	mode_t ownermode = (mode >> 6);
731 
732 	if (acep[0].a_flags & ACE_IDENTIFIER_GROUP) {
733 
734 		extramode &= ~ownermode;
735 
736 		if (extramode) {
737 			if (extramode & 04) {
738 				acep[0].a_access_mask &= ~ACE_READ_DATA;
739 				acep[1].a_access_mask &= ~ACE_READ_DATA;
740 			}
741 			if (extramode & 02) {
742 				acep[0].a_access_mask &=
743 				    ~(ACE_WRITE_DATA|ACE_APPEND_DATA);
744 				acep[1].a_access_mask &=
745 				    ~(ACE_WRITE_DATA|ACE_APPEND_DATA);
746 			}
747 			if (extramode & 01) {
748 				acep[0].a_access_mask &= ~ACE_EXECUTE;
749 				acep[1].a_access_mask &= ~ACE_EXECUTE;
750 			}
751 		}
752 	}
753 }
754 
755 /*
756  * Apply the chmod algorithm as described
757  * in PSARC/2002/240
758  */
759 static int
760 zfs_acl_chmod(znode_t *zp, uint64_t mode, zfs_acl_t *aclp,
761     dmu_tx_t *tx)
762 {
763 	zfsvfs_t	*zfsvfs = zp->z_zfsvfs;
764 	ace_t 		*acep;
765 	int 		i;
766 	int		error;
767 	int 		entry_type;
768 	int 		reuse_deny;
769 	int 		need_canonical_six = 1;
770 	int		inherit = 0;
771 	int		iflags;
772 
773 	ASSERT(MUTEX_HELD(&zp->z_acl_lock));
774 	ASSERT(MUTEX_HELD(&zp->z_lock));
775 
776 	i = 0;
777 	while (i < aclp->z_acl_count) {
778 		acep = aclp->z_acl;
779 		entry_type = (acep[i].a_flags & ACE_TYPE_FLAGS);
780 		iflags = (acep[i].a_flags & ALL_INHERIT);
781 
782 		if ((acep[i].a_type != ALLOW && acep[i].a_type != DENY) ||
783 		    (iflags & ACE_INHERIT_ONLY_ACE)) {
784 			i++;
785 			if (iflags)
786 				inherit = 1;
787 			continue;
788 		}
789 
790 
791 		if (zfsvfs->z_acl_mode == ZFS_ACL_DISCARD) {
792 			zfs_ace_remove(aclp, i);
793 			continue;
794 		}
795 
796 		/*
797 		 * Need to split ace into two?
798 		 */
799 		if ((iflags & (ACE_FILE_INHERIT_ACE|
800 		    ACE_DIRECTORY_INHERIT_ACE)) &&
801 		    (!(iflags & ACE_INHERIT_ONLY_ACE))) {
802 			zfs_acl_split_ace(aclp, i);
803 			i++;
804 			inherit = 1;
805 			continue;
806 		}
807 
808 		if (entry_type == ACE_OWNER || entry_type == ACE_EVERYONE ||
809 		    (entry_type == OWNING_GROUP)) {
810 			acep[i].a_access_mask &= ~OGE_CLEAR;
811 			i++;
812 			continue;
813 
814 		} else {
815 			if (acep[i].a_type == ALLOW) {
816 
817 				/*
818 				 * Check preceding ACE if any, to see
819 				 * if we need to prepend a DENY ACE.
820 				 * This is only applicable when the acl_mode
821 				 * property == groupmask.
822 				 */
823 				if (zfsvfs->z_acl_mode == ZFS_ACL_GROUPMASK) {
824 
825 					reuse_deny = zfs_reuse_deny(acep, i);
826 
827 					if (reuse_deny == B_FALSE) {
828 						zfs_acl_prepend_deny(zp, aclp,
829 						    i, mode);
830 						i++;
831 						acep = aclp->z_acl;
832 					} else {
833 						zfs_acl_prepend_fixup(
834 						    &acep[i - 1],
835 						    &acep[i], mode,
836 						    zp->z_phys->zp_uid);
837 					}
838 					zfs_fixup_group_entries(&acep[i - 1],
839 					    mode);
840 				}
841 			}
842 			i++;
843 		}
844 	}
845 
846 	/*
847 	 * Check out last six aces, if we have six.
848 	 */
849 
850 	if (aclp->z_acl_count >= 6) {
851 		i = aclp->z_acl_count - 6;
852 
853 		if (zfs_have_canonical_six(aclp, i)) {
854 			need_canonical_six = 0;
855 		}
856 	}
857 
858 	if (need_canonical_six) {
859 
860 		zfs_acl_append(aclp, 6);
861 		i = aclp->z_acl_count;
862 		acep = aclp->z_acl;
863 		zfs_set_ace(&acep[i++], 0, DENY, -1, ACE_OWNER);
864 		zfs_set_ace(&acep[i++], OWNER_ALLOW_MASK, ALLOW, -1, ACE_OWNER);
865 		zfs_set_ace(&acep[i++], 0, DENY, -1, OWNING_GROUP);
866 		zfs_set_ace(&acep[i++], 0, ALLOW, -1, OWNING_GROUP);
867 		zfs_set_ace(&acep[i++], EVERYONE_DENY_MASK,
868 		    DENY, -1, ACE_EVERYONE);
869 		zfs_set_ace(&acep[i++], EVERYONE_ALLOW_MASK,
870 		    ALLOW, -1, ACE_EVERYONE);
871 		aclp->z_acl_count += 6;
872 	}
873 
874 	zfs_acl_fixup_canonical_six(aclp, mode);
875 
876 	zp->z_phys->zp_mode = mode;
877 	error = zfs_aclset_common(zp, aclp, tx, &inherit);
878 	return (error);
879 }
880 
881 
882 int
883 zfs_acl_chmod_setattr(znode_t *zp, uint64_t mode, dmu_tx_t *tx)
884 {
885 	zfs_acl_t *aclp = NULL;
886 	int error;
887 
888 	ASSERT(MUTEX_HELD(&zp->z_lock));
889 	mutex_enter(&zp->z_acl_lock);
890 	error = zfs_acl_node_read(zp, &aclp);
891 	if (error == 0)
892 		error = zfs_acl_chmod(zp, mode, aclp, tx);
893 	mutex_exit(&zp->z_acl_lock);
894 	if (aclp)
895 		zfs_acl_free(aclp);
896 	return (error);
897 }
898 
899 /*
900  * strip off write_owner and write_acl
901  */
902 static void
903 zfs_securemode_update(zfsvfs_t *zfsvfs, ace_t *acep)
904 {
905 	if ((zfsvfs->z_acl_inherit == ZFS_ACL_SECURE) &&
906 	    (acep->a_type == ALLOW))
907 		acep->a_access_mask &= ~SECURE_CLEAR;
908 }
909 
910 /*
911  * inherit inheritable ACEs from parent
912  */
913 static zfs_acl_t *
914 zfs_acl_inherit(znode_t *zp, zfs_acl_t *paclp)
915 {
916 	zfsvfs_t	*zfsvfs = zp->z_zfsvfs;
917 	ace_t 		*pacep;
918 	ace_t		*acep;
919 	int 		ace_cnt = 0;
920 	int		pace_cnt;
921 	int 		i, j;
922 	zfs_acl_t	*aclp = NULL;
923 
924 	i = j = 0;
925 	pace_cnt = paclp->z_acl_count;
926 	pacep = paclp->z_acl;
927 	if (zfsvfs->z_acl_inherit != ZFS_ACL_DISCARD) {
928 		for (i = 0; i != pace_cnt; i++) {
929 
930 			if (zfsvfs->z_acl_inherit == ZFS_ACL_NOALLOW &&
931 			    pacep[i].a_type == ALLOW)
932 				continue;
933 
934 			if (zfs_ace_can_use(zp, &pacep[i])) {
935 				ace_cnt++;
936 				if (!(pacep[i].a_flags &
937 				    ACE_NO_PROPAGATE_INHERIT_ACE))
938 					ace_cnt++;
939 			}
940 		}
941 	}
942 
943 	aclp = zfs_acl_alloc(ace_cnt + OGE_PAD);
944 	if (ace_cnt && zfsvfs->z_acl_inherit != ZFS_ACL_DISCARD) {
945 		acep = aclp->z_acl;
946 		pacep = paclp->z_acl;
947 		for (i = 0; i != pace_cnt; i++) {
948 
949 			if (zfsvfs->z_acl_inherit == ZFS_ACL_NOALLOW &&
950 			    pacep[i].a_type == ALLOW)
951 				continue;
952 
953 			if (zfs_ace_can_use(zp, &pacep[i])) {
954 
955 				/*
956 				 * Now create entry for inherited ace
957 				 */
958 
959 				acep[j] = pacep[i];
960 
961 				/*
962 				 * When AUDIT/ALARM a_types are supported
963 				 * they should be inherited here.
964 				 */
965 
966 				if ((pacep[i].a_flags &
967 				    ACE_NO_PROPAGATE_INHERIT_ACE) ||
968 				    (ZTOV(zp)->v_type != VDIR)) {
969 					acep[j].a_flags &= ~ALL_INHERIT;
970 					zfs_securemode_update(zfsvfs, &acep[j]);
971 					j++;
972 					continue;
973 				}
974 
975 				ASSERT(ZTOV(zp)->v_type == VDIR);
976 
977 				/*
978 				 * If we are inheriting an ACE targeted for
979 				 * only files, then make sure inherit_only
980 				 * is on for future propagation.
981 				 */
982 				if ((pacep[i].a_flags & (ACE_FILE_INHERIT_ACE |
983 				    ACE_DIRECTORY_INHERIT_ACE)) !=
984 				    ACE_FILE_INHERIT_ACE) {
985 					j++;
986 					acep[j] = acep[j-1];
987 					acep[j-1].a_flags |=
988 					    ACE_INHERIT_ONLY_ACE;
989 					acep[j].a_flags &= ~ALL_INHERIT;
990 				} else {
991 					acep[j].a_flags |= ACE_INHERIT_ONLY_ACE;
992 				}
993 				zfs_securemode_update(zfsvfs, &acep[j]);
994 				j++;
995 			}
996 		}
997 	}
998 	aclp->z_acl_count = j;
999 	ASSERT(aclp->z_slots >= aclp->z_acl_count);
1000 
1001 	return (aclp);
1002 }
1003 
1004 /*
1005  * Create file system object initial permissions
1006  * including inheritable ACEs.
1007  */
1008 void
1009 zfs_perm_init(znode_t *zp, znode_t *parent, int flag,
1010     vattr_t *vap, dmu_tx_t *tx, cred_t *cr)
1011 {
1012 	uint64_t	mode;
1013 	uid_t		uid;
1014 	gid_t		gid;
1015 	int		error;
1016 	int		pull_down;
1017 	zfs_acl_t	*aclp, *paclp;
1018 
1019 	mode = MAKEIMODE(vap->va_type, vap->va_mode);
1020 
1021 	/*
1022 	 * Determine uid and gid.
1023 	 */
1024 	if ((flag & (IS_ROOT_NODE | IS_REPLAY)) ||
1025 	    ((flag & IS_XATTR) && (vap->va_type == VDIR))) {
1026 		uid = vap->va_uid;
1027 		gid = vap->va_gid;
1028 	} else {
1029 		uid = crgetuid(cr);
1030 		if ((vap->va_mask & AT_GID) &&
1031 		    ((vap->va_gid == parent->z_phys->zp_gid) ||
1032 		    groupmember(vap->va_gid, cr) ||
1033 		    secpolicy_vnode_create_gid(cr) == 0))
1034 			gid = vap->va_gid;
1035 		else
1036 			gid = (parent->z_phys->zp_mode & S_ISGID) ?
1037 			    parent->z_phys->zp_gid : crgetgid(cr);
1038 	}
1039 
1040 	/*
1041 	 * If we're creating a directory, and the parent directory has the
1042 	 * set-GID bit set, set in on the new directory.
1043 	 * Otherwise, if the user is neither privileged nor a member of the
1044 	 * file's new group, clear the file's set-GID bit.
1045 	 */
1046 
1047 	if ((parent->z_phys->zp_mode & S_ISGID) && (vap->va_type == VDIR))
1048 		mode |= S_ISGID;
1049 	else {
1050 		if ((mode & S_ISGID) &&
1051 		    secpolicy_vnode_setids_setgids(cr, gid) != 0)
1052 			mode &= ~S_ISGID;
1053 	}
1054 
1055 	zp->z_phys->zp_uid = uid;
1056 	zp->z_phys->zp_gid = gid;
1057 	zp->z_phys->zp_mode = mode;
1058 
1059 	mutex_enter(&parent->z_lock);
1060 	pull_down = (parent->z_phys->zp_flags & ZFS_INHERIT_ACE);
1061 	if (pull_down) {
1062 		mutex_enter(&parent->z_acl_lock);
1063 		VERIFY(0 == zfs_acl_node_read(parent, &paclp));
1064 		mutex_exit(&parent->z_acl_lock);
1065 		aclp = zfs_acl_inherit(zp, paclp);
1066 		zfs_acl_free(paclp);
1067 	} else {
1068 		aclp = zfs_acl_alloc(6);
1069 	}
1070 	mutex_exit(&parent->z_lock);
1071 	mutex_enter(&zp->z_lock);
1072 	mutex_enter(&zp->z_acl_lock);
1073 	error = zfs_acl_chmod(zp, mode, aclp, tx);
1074 	mutex_exit(&zp->z_lock);
1075 	mutex_exit(&zp->z_acl_lock);
1076 	ASSERT3U(error, ==, 0);
1077 	zfs_acl_free(aclp);
1078 }
1079 
1080 /*
1081  * Should ACE be inherited?
1082  */
1083 static int
1084 zfs_ace_can_use(znode_t *zp, ace_t *acep)
1085 {
1086 	int vtype = ZTOV(zp)->v_type;
1087 
1088 	int	iflags = (acep->a_flags & 0xf);
1089 
1090 	if ((vtype == VDIR) && (iflags & ACE_DIRECTORY_INHERIT_ACE))
1091 		return (1);
1092 	else if (iflags & ACE_FILE_INHERIT_ACE)
1093 		return (!((vtype == VDIR) &&
1094 		    (iflags & ACE_NO_PROPAGATE_INHERIT_ACE)));
1095 	return (0);
1096 }
1097 
1098 /*
1099  * Retrieve a files ACL
1100  */
1101 int
1102 zfs_getacl(znode_t *zp, vsecattr_t  *vsecp, cred_t *cr)
1103 {
1104 	zfs_acl_t	*aclp;
1105 	ulong_t		mask = vsecp->vsa_mask & (VSA_ACE | VSA_ACECNT);
1106 	int		error;
1107 
1108 	if (error = zfs_zaccess(zp, ACE_READ_ACL, cr)) {
1109 		/*
1110 		 * If owner of file then allow reading of the
1111 		 * ACL.
1112 		 */
1113 		if (crgetuid(cr) != zp->z_phys->zp_uid)
1114 			return (error);
1115 	}
1116 
1117 	if (mask == 0)
1118 		return (ENOSYS);
1119 
1120 	mutex_enter(&zp->z_acl_lock);
1121 
1122 	error = zfs_acl_node_read(zp, &aclp);
1123 	if (error != 0) {
1124 		mutex_exit(&zp->z_acl_lock);
1125 		return (error);
1126 	}
1127 
1128 
1129 	if (mask & VSA_ACECNT) {
1130 		vsecp->vsa_aclcnt = aclp->z_acl_count;
1131 	}
1132 
1133 	if (mask & VSA_ACE) {
1134 		vsecp->vsa_aclentp = kmem_alloc(aclp->z_acl_count *
1135 		    sizeof (ace_t), KM_SLEEP);
1136 		bcopy(aclp->z_acl, vsecp->vsa_aclentp,
1137 		    aclp->z_acl_count * sizeof (ace_t));
1138 	}
1139 
1140 	mutex_exit(&zp->z_acl_lock);
1141 
1142 	zfs_acl_free(aclp);
1143 
1144 	return (0);
1145 }
1146 
1147 /*
1148  * Set a files ACL
1149  */
1150 int
1151 zfs_setacl(znode_t *zp, vsecattr_t *vsecp, cred_t *cr)
1152 {
1153 	zfsvfs_t	*zfsvfs = zp->z_zfsvfs;
1154 	zilog_t		*zilog = zfsvfs->z_log;
1155 	ace_t		*acep = vsecp->vsa_aclentp;
1156 	int		aclcnt = vsecp->vsa_aclcnt;
1157 	ulong_t		mask = vsecp->vsa_mask & (VSA_ACE | VSA_ACECNT);
1158 	dmu_tx_t	*tx;
1159 	int		error;
1160 	int		inherit;
1161 	zfs_acl_t	*aclp;
1162 
1163 	if (mask == 0)
1164 		return (EINVAL);
1165 
1166 	if (!zfs_acl_valid(zp, acep, aclcnt, &inherit))
1167 		return (EINVAL);
1168 top:
1169 	error = zfs_zaccess_v4_perm(zp, ACE_WRITE_ACL, cr);
1170 	if (error == EACCES || error == ACCESS_UNDETERMINED) {
1171 		if ((error = secpolicy_vnode_setdac(cr,
1172 		    zp->z_phys->zp_uid)) != 0) {
1173 			return (error);
1174 		}
1175 	} else if (error) {
1176 		return (error == EROFS ? error : EPERM);
1177 	}
1178 
1179 	mutex_enter(&zp->z_lock);
1180 	mutex_enter(&zp->z_acl_lock);
1181 
1182 	tx = dmu_tx_create(zfsvfs->z_os);
1183 	dmu_tx_hold_bonus(tx, zp->z_id);
1184 
1185 	if (zp->z_phys->zp_acl.z_acl_extern_obj) {
1186 		dmu_tx_hold_write(tx, zp->z_phys->zp_acl.z_acl_extern_obj,
1187 		    0, ZFS_ACL_SIZE(aclcnt));
1188 	} else if (aclcnt > ACE_SLOT_CNT) {
1189 		dmu_tx_hold_write(tx, DMU_NEW_OBJECT, 0, ZFS_ACL_SIZE(aclcnt));
1190 	}
1191 
1192 	error = dmu_tx_assign(tx, zfsvfs->z_assign);
1193 	if (error) {
1194 		mutex_exit(&zp->z_acl_lock);
1195 		mutex_exit(&zp->z_lock);
1196 
1197 		if (error == ERESTART && zfsvfs->z_assign == TXG_NOWAIT) {
1198 			dmu_tx_wait(tx);
1199 			dmu_tx_abort(tx);
1200 			goto top;
1201 		}
1202 		dmu_tx_abort(tx);
1203 		return (error);
1204 	}
1205 
1206 	aclp = zfs_acl_alloc(aclcnt);
1207 	bcopy(acep, aclp->z_acl, sizeof (ace_t) * aclcnt);
1208 	aclp->z_acl_count = aclcnt;
1209 	error = zfs_aclset_common(zp, aclp, tx, &inherit);
1210 	ASSERT(error == 0);
1211 
1212 	zfs_acl_free(aclp);
1213 	zfs_log_acl(zilog, tx, TX_ACL, zp, aclcnt, acep);
1214 	dmu_tx_commit(tx);
1215 done:
1216 	mutex_exit(&zp->z_acl_lock);
1217 	mutex_exit(&zp->z_lock);
1218 
1219 	return (error);
1220 }
1221 
1222 static int
1223 zfs_ace_access(ace_t *zacep, int *working_mode)
1224 {
1225 	if (*working_mode == 0) {
1226 		return (0);
1227 	}
1228 
1229 	if (zacep->a_access_mask & *working_mode) {
1230 		if (zacep->a_type == ALLOW) {
1231 			*working_mode &=
1232 			    ~(*working_mode & zacep->a_access_mask);
1233 			if (*working_mode == 0)
1234 				return (0);
1235 		} else if (zacep->a_type == DENY) {
1236 			return (EACCES);
1237 		}
1238 	}
1239 
1240 	/*
1241 	 * haven't been specifcally denied at this point
1242 	 * so return UNDETERMINED.
1243 	 */
1244 
1245 	return (ACCESS_UNDETERMINED);
1246 }
1247 
1248 
1249 static int
1250 zfs_zaccess_common(znode_t *zp, int v4_mode, int *working_mode, cred_t *cr)
1251 {
1252 	zfs_acl_t	*aclp;
1253 	zfsvfs_t	*zfsvfs = zp->z_zfsvfs;
1254 	ace_t		*zacep;
1255 	gid_t		gid;
1256 	int		cnt;
1257 	int		i;
1258 	int		error;
1259 	int		access_deny = ACCESS_UNDETERMINED;
1260 	uint_t		entry_type;
1261 	uid_t		uid = crgetuid(cr);
1262 
1263 	if (zfsvfs->z_assign >= TXG_INITIAL) {		/* ZIL replay */
1264 		*working_mode = 0;
1265 		return (0);
1266 	}
1267 
1268 	*working_mode = v4_mode;
1269 
1270 	if ((v4_mode & WRITE_MASK) &&
1271 	    (zp->z_zfsvfs->z_vfs->vfs_flag & VFS_RDONLY) &&
1272 	    (!IS_DEVVP(ZTOV(zp)))) {
1273 		return (EROFS);
1274 	}
1275 
1276 	mutex_enter(&zp->z_acl_lock);
1277 
1278 	error = zfs_acl_node_read(zp, &aclp);
1279 	if (error != 0) {
1280 		mutex_exit(&zp->z_acl_lock);
1281 		return (error);
1282 	}
1283 
1284 
1285 	zacep = aclp->z_acl;
1286 	cnt = aclp->z_acl_count;
1287 
1288 	for (i = 0; i != cnt; i++) {
1289 
1290 		DTRACE_PROBE2(zfs__access__common,
1291 		    ace_t *, &zacep[i], int, *working_mode);
1292 
1293 		if (zacep[i].a_flags & ACE_INHERIT_ONLY_ACE)
1294 			continue;
1295 
1296 		entry_type = (zacep[i].a_flags & ACE_TYPE_FLAGS);
1297 		switch (entry_type) {
1298 		case ACE_OWNER:
1299 			if (uid == zp->z_phys->zp_uid) {
1300 				access_deny = zfs_ace_access(&zacep[i],
1301 				    working_mode);
1302 			}
1303 			break;
1304 		case (ACE_IDENTIFIER_GROUP | ACE_GROUP):
1305 		case ACE_IDENTIFIER_GROUP:
1306 			/*
1307 			 * Owning group gid is in znode not ACL
1308 			 */
1309 			if (entry_type == (ACE_IDENTIFIER_GROUP | ACE_GROUP))
1310 				gid = zp->z_phys->zp_gid;
1311 			else
1312 				gid = zacep[i].a_who;
1313 
1314 			if (groupmember(gid, cr)) {
1315 				access_deny = zfs_ace_access(&zacep[i],
1316 				    working_mode);
1317 			}
1318 			break;
1319 		case ACE_EVERYONE:
1320 			access_deny = zfs_ace_access(&zacep[i], working_mode);
1321 			break;
1322 
1323 		/* USER Entry */
1324 		default:
1325 			if (entry_type == 0) {
1326 				if (uid == zacep[i].a_who) {
1327 					access_deny = zfs_ace_access(&zacep[i],
1328 					    working_mode);
1329 				}
1330 				break;
1331 			}
1332 			zfs_acl_free(aclp);
1333 			mutex_exit(&zp->z_acl_lock);
1334 			return (EIO);
1335 		}
1336 
1337 		if (access_deny != ACCESS_UNDETERMINED)
1338 			break;
1339 	}
1340 
1341 	mutex_exit(&zp->z_acl_lock);
1342 	zfs_acl_free(aclp);
1343 
1344 	return (access_deny);
1345 }
1346 
1347 
1348 /*
1349  * Determine whether Access should be granted/denied, invoking least
1350  * priv subsytem when a deny is determined.
1351  */
1352 int
1353 zfs_zaccess(znode_t *zp, int mode, cred_t *cr)
1354 {
1355 	int	working_mode;
1356 	int	error;
1357 	int	is_attr;
1358 	znode_t	*xzp;
1359 	znode_t *check_zp = zp;
1360 
1361 	is_attr = ((zp->z_phys->zp_flags & ZFS_XATTR) &&
1362 	    (ZTOV(zp)->v_type == VDIR));
1363 
1364 	/*
1365 	 * If attribute then validate against base file
1366 	 */
1367 	if (is_attr) {
1368 		if ((error = zfs_zget(zp->z_zfsvfs,
1369 		    zp->z_phys->zp_parent, &xzp)) != 0)	{
1370 			return (error);
1371 		}
1372 		check_zp = xzp;
1373 		/*
1374 		 * fixup mode to map to xattr perms
1375 		 */
1376 
1377 		if (mode & (ACE_WRITE_DATA|ACE_APPEND_DATA)) {
1378 			mode &= ~(ACE_WRITE_DATA|ACE_APPEND_DATA);
1379 			mode |= ACE_WRITE_NAMED_ATTRS;
1380 		}
1381 
1382 		if (mode & (ACE_READ_DATA|ACE_EXECUTE)) {
1383 			mode &= ~(ACE_READ_DATA|ACE_EXECUTE);
1384 			mode |= ACE_READ_NAMED_ATTRS;
1385 		}
1386 	}
1387 
1388 	error = zfs_zaccess_common(check_zp, mode, &working_mode, cr);
1389 
1390 	if (error == EROFS) {
1391 		if (is_attr)
1392 			VN_RELE(ZTOV(xzp));
1393 		return (error);
1394 	}
1395 
1396 	if (error || working_mode) {
1397 		working_mode = (zfs_v4_to_unix(working_mode) << 6);
1398 		error = secpolicy_vnode_access(cr, ZTOV(check_zp),
1399 		    check_zp->z_phys->zp_uid, working_mode);
1400 	}
1401 
1402 	if (is_attr)
1403 		VN_RELE(ZTOV(xzp));
1404 
1405 	return (error);
1406 }
1407 
1408 /*
1409  * Special zaccess function to check for special nfsv4 perm.
1410  * doesn't call secpolicy_vnode_access() for failure, since that
1411  * would probably be the wrong policy function to call.
1412  * instead its up to the caller to handle that situation.
1413  */
1414 
1415 int
1416 zfs_zaccess_v4_perm(znode_t *zp, int mode, cred_t *cr)
1417 {
1418 	int working_mode = 0;
1419 	return (zfs_zaccess_common(zp, mode, &working_mode, cr));
1420 }
1421 
1422 /*
1423  * Translate tradition unix VREAD/VWRITE/VEXEC mode into
1424  * native ACL format and call zfs_zaccess()
1425  */
1426 int
1427 zfs_zaccess_rwx(znode_t *zp, mode_t mode, cred_t *cr)
1428 {
1429 	int v4_mode = zfs_unix_to_v4(mode >> 6);
1430 
1431 	return (zfs_zaccess(zp, v4_mode, cr));
1432 }
1433 
1434 static int
1435 zfs_delete_final_check(znode_t *zp, znode_t *dzp, cred_t *cr)
1436 {
1437 	int error;
1438 
1439 	error = secpolicy_vnode_access(cr, ZTOV(zp),
1440 	    dzp->z_phys->zp_uid, S_IWRITE|S_IEXEC);
1441 
1442 	if (error == 0)
1443 		error = zfs_sticky_remove_access(dzp, zp, cr);
1444 
1445 	return (error);
1446 }
1447 
1448 /*
1449  * Determine whether Access should be granted/deny, without
1450  * consulting least priv subsystem.
1451  *
1452  *
1453  * The following chart is the recommended NFSv4 enforcement for
1454  * ability to delete an object.
1455  *
1456  *      -------------------------------------------------------
1457  *      |   Parent Dir  |           Target Object Permissions |
1458  *      |  permissions  |                                     |
1459  *      -------------------------------------------------------
1460  *      |               | ACL Allows | ACL Denies| Delete     |
1461  *      |               |  Delete    |  Delete   | unspecified|
1462  *      -------------------------------------------------------
1463  *      |  ACL Allows   | Permit     | Permit    | Permit     |
1464  *      |  DELETE_CHILD |                                     |
1465  *      -------------------------------------------------------
1466  *      |  ACL Denies   | Permit     | Deny      | Deny       |
1467  *      |  DELETE_CHILD |            |           |            |
1468  *      -------------------------------------------------------
1469  *      | ACL specifies |            |           |            |
1470  *      | only allow    | Permit     | Permit    | Permit     |
1471  *      | write and     |            |           |            |
1472  *      | execute       |            |           |            |
1473  *      -------------------------------------------------------
1474  *      | ACL denies    |            |           |            |
1475  *      | write and     | Permit     | Deny      | Deny       |
1476  *      | execute       |            |           |            |
1477  *      -------------------------------------------------------
1478  *         ^
1479  *         |
1480  *         No search privilege, can't even look up file?
1481  *
1482  */
1483 int
1484 zfs_zaccess_delete(znode_t *dzp, znode_t *zp, cred_t *cr)
1485 {
1486 	int dzp_working_mode = 0;
1487 	int zp_working_mode = 0;
1488 	int dzp_error, zp_error;
1489 
1490 	/*
1491 	 * Arghh, this check is going to require a couple of questions
1492 	 * to be asked.  We want specific DELETE permissions to
1493 	 * take precedence over WRITE/EXECUTE.  We don't
1494 	 * want an ACL such as this to mess us up.
1495 	 * user:joe:write_data:deny,user:joe:delete:allow
1496 	 *
1497 	 * However, deny permissions may ultimately be overridden
1498 	 * by secpolicy_vnode_access().
1499 	 */
1500 
1501 	dzp_error = zfs_zaccess_common(dzp, ACE_DELETE_CHILD,
1502 	    &dzp_working_mode, cr);
1503 	zp_error = zfs_zaccess_common(zp, ACE_DELETE, &zp_working_mode, cr);
1504 
1505 	if (dzp_error == EROFS || zp_error == EROFS)
1506 		return (dzp_error);
1507 
1508 	/*
1509 	 * First check the first row.
1510 	 * We only need to see if parent Allows delete_child
1511 	 */
1512 	if ((dzp_working_mode & ACE_DELETE_CHILD) == 0)
1513 		return (0);
1514 
1515 	/*
1516 	 * Second row
1517 	 * we already have the necessary information in
1518 	 * zp_working_mode, zp_error and dzp_error.
1519 	 */
1520 
1521 	if ((zp_working_mode & ACE_DELETE) == 0)
1522 		return (0);
1523 
1524 	/*
1525 	 * Now zp_error should either be EACCES which indicates
1526 	 * a "deny" delete entry or ACCESS_UNDETERMINED if the "delete"
1527 	 * entry exists on the target.
1528 	 *
1529 	 * dzp_error should be either EACCES which indicates a "deny"
1530 	 * entry for delete_child or ACCESS_UNDETERMINED if no delete_child
1531 	 * entry exists.  If value is EACCES then we are done
1532 	 * and zfs_delete_final_check() will make the final decision
1533 	 * regarding to allow the delete.
1534 	 */
1535 
1536 	ASSERT(zp_error != 0 && dzp_error != 0);
1537 	if (dzp_error == EACCES)
1538 		return (zfs_delete_final_check(zp, dzp, cr));
1539 
1540 	/*
1541 	 * Third Row
1542 	 * Only need to check for write/execute on parent
1543 	 */
1544 
1545 	dzp_error = zfs_zaccess_common(dzp, ACE_WRITE_DATA|ACE_EXECUTE,
1546 	    &dzp_working_mode, cr);
1547 
1548 	if (dzp_error == EROFS)
1549 		return (dzp_error);
1550 
1551 	if ((dzp_working_mode & (ACE_WRITE_DATA|ACE_EXECUTE)) == 0)
1552 		return (zfs_sticky_remove_access(dzp, zp, cr));
1553 
1554 	/*
1555 	 * Fourth Row
1556 	 */
1557 
1558 	if (((dzp_working_mode & (ACE_WRITE_DATA|ACE_EXECUTE)) != 0) &&
1559 	    ((zp_working_mode & ACE_DELETE) == 0))
1560 		return (zfs_sticky_remove_access(dzp, zp, cr));
1561 
1562 	return (zfs_delete_final_check(zp, dzp, cr));
1563 }
1564 
1565 int
1566 zfs_zaccess_rename(znode_t *sdzp, znode_t *szp, znode_t *tdzp,
1567     znode_t *tzp, cred_t *cr)
1568 {
1569 	int add_perm;
1570 	int error;
1571 
1572 	add_perm = (ZTOV(szp)->v_type == VDIR) ?
1573 	    ACE_ADD_SUBDIRECTORY : ACE_ADD_FILE;
1574 
1575 	/*
1576 	 * Rename permissions are combination of delete permission +
1577 	 * add file/subdir permission.
1578 	 */
1579 
1580 	/*
1581 	 * first make sure we do the delete portion.
1582 	 *
1583 	 * If that succeeds then check for add_file/add_subdir permissions
1584 	 */
1585 
1586 	if (error = zfs_zaccess_delete(sdzp, szp, cr))
1587 		return (error);
1588 
1589 	/*
1590 	 * If we have a tzp, see if we can delete it?
1591 	 */
1592 	if (tzp) {
1593 		if (error = zfs_zaccess_delete(tdzp, tzp, cr))
1594 			return (error);
1595 	}
1596 
1597 	/*
1598 	 * Now check for add permissions
1599 	 */
1600 	error = zfs_zaccess(tdzp, add_perm, cr);
1601 
1602 	return (error);
1603 }
1604