1 /* 2 * CDDL HEADER START 3 * 4 * The contents of this file are subject to the terms of the 5 * Common Development and Distribution License (the "License"). 6 * You may not use this file except in compliance with the License. 7 * 8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE 9 * or http://www.opensolaris.org/os/licensing. 10 * See the License for the specific language governing permissions 11 * and limitations under the License. 12 * 13 * When distributing Covered Code, include this CDDL HEADER in each 14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE. 15 * If applicable, add the following below this CDDL HEADER, with the 16 * fields enclosed by brackets "[]" replaced with your own identifying 17 * information: Portions Copyright [yyyy] [name of copyright owner] 18 * 19 * CDDL HEADER END 20 */ 21 /* 22 * Copyright 2008 Sun Microsystems, Inc. All rights reserved. 23 * Use is subject to license terms. 24 */ 25 26 #include <sys/types.h> 27 #include <sys/param.h> 28 #include <sys/time.h> 29 #include <sys/systm.h> 30 #include <sys/sysmacros.h> 31 #include <sys/resource.h> 32 #include <sys/vfs.h> 33 #include <sys/vnode.h> 34 #include <sys/sid.h> 35 #include <sys/file.h> 36 #include <sys/stat.h> 37 #include <sys/kmem.h> 38 #include <sys/cmn_err.h> 39 #include <sys/errno.h> 40 #include <sys/unistd.h> 41 #include <sys/sdt.h> 42 #include <sys/fs/zfs.h> 43 #include <sys/mode.h> 44 #include <sys/policy.h> 45 #include <sys/zfs_znode.h> 46 #include <sys/zfs_fuid.h> 47 #include <sys/zfs_acl.h> 48 #include <sys/zfs_dir.h> 49 #include <sys/zfs_vfsops.h> 50 #include <sys/dmu.h> 51 #include <sys/dnode.h> 52 #include <sys/zap.h> 53 #include "fs/fs_subr.h" 54 #include <acl/acl_common.h> 55 56 #define ALLOW ACE_ACCESS_ALLOWED_ACE_TYPE 57 #define DENY ACE_ACCESS_DENIED_ACE_TYPE 58 #define MAX_ACE_TYPE ACE_SYSTEM_ALARM_CALLBACK_OBJECT_ACE_TYPE 59 60 #define OWNING_GROUP (ACE_GROUP|ACE_IDENTIFIER_GROUP) 61 #define EVERYONE_ALLOW_MASK (ACE_READ_ACL|ACE_READ_ATTRIBUTES | \ 62 ACE_READ_NAMED_ATTRS|ACE_SYNCHRONIZE) 63 #define EVERYONE_DENY_MASK (ACE_WRITE_ACL|ACE_WRITE_OWNER | \ 64 ACE_WRITE_ATTRIBUTES|ACE_WRITE_NAMED_ATTRS) 65 #define OWNER_ALLOW_MASK (ACE_WRITE_ACL | ACE_WRITE_OWNER | \ 66 ACE_WRITE_ATTRIBUTES|ACE_WRITE_NAMED_ATTRS) 67 #define WRITE_MASK_DATA (ACE_WRITE_DATA|ACE_APPEND_DATA|ACE_WRITE_NAMED_ATTRS) 68 69 #define ZFS_CHECKED_MASKS (ACE_READ_ACL|ACE_READ_ATTRIBUTES|ACE_READ_DATA| \ 70 ACE_READ_NAMED_ATTRS|ACE_WRITE_DATA|ACE_WRITE_ATTRIBUTES| \ 71 ACE_WRITE_NAMED_ATTRS|ACE_APPEND_DATA|ACE_EXECUTE|ACE_WRITE_OWNER| \ 72 ACE_WRITE_ACL|ACE_DELETE|ACE_DELETE_CHILD|ACE_SYNCHRONIZE) 73 74 #define WRITE_MASK (WRITE_MASK_DATA|ACE_WRITE_ATTRIBUTES|ACE_WRITE_ACL|\ 75 ACE_WRITE_OWNER|ACE_DELETE|ACE_DELETE_CHILD) 76 77 #define OGE_CLEAR (ACE_READ_DATA|ACE_LIST_DIRECTORY|ACE_WRITE_DATA| \ 78 ACE_ADD_FILE|ACE_APPEND_DATA|ACE_ADD_SUBDIRECTORY|ACE_EXECUTE) 79 80 #define OKAY_MASK_BITS (ACE_READ_DATA|ACE_LIST_DIRECTORY|ACE_WRITE_DATA| \ 81 ACE_ADD_FILE|ACE_APPEND_DATA|ACE_ADD_SUBDIRECTORY|ACE_EXECUTE) 82 83 #define ALL_INHERIT (ACE_FILE_INHERIT_ACE|ACE_DIRECTORY_INHERIT_ACE | \ 84 ACE_NO_PROPAGATE_INHERIT_ACE|ACE_INHERIT_ONLY_ACE|ACE_INHERITED_ACE) 85 86 #define RESTRICTED_CLEAR (ACE_WRITE_ACL|ACE_WRITE_OWNER) 87 88 #define V4_ACL_WIDE_FLAGS (ZFS_ACL_AUTO_INHERIT|ZFS_ACL_DEFAULTED|\ 89 ZFS_ACL_PROTECTED) 90 91 #define ZFS_ACL_WIDE_FLAGS (V4_ACL_WIDE_FLAGS|ZFS_ACL_TRIVIAL|ZFS_INHERIT_ACE|\ 92 ZFS_ACL_OBJ_ACE) 93 94 static uint16_t 95 zfs_ace_v0_get_type(void *acep) 96 { 97 return (((zfs_oldace_t *)acep)->z_type); 98 } 99 100 static uint16_t 101 zfs_ace_v0_get_flags(void *acep) 102 { 103 return (((zfs_oldace_t *)acep)->z_flags); 104 } 105 106 static uint32_t 107 zfs_ace_v0_get_mask(void *acep) 108 { 109 return (((zfs_oldace_t *)acep)->z_access_mask); 110 } 111 112 static uint64_t 113 zfs_ace_v0_get_who(void *acep) 114 { 115 return (((zfs_oldace_t *)acep)->z_fuid); 116 } 117 118 static void 119 zfs_ace_v0_set_type(void *acep, uint16_t type) 120 { 121 ((zfs_oldace_t *)acep)->z_type = type; 122 } 123 124 static void 125 zfs_ace_v0_set_flags(void *acep, uint16_t flags) 126 { 127 ((zfs_oldace_t *)acep)->z_flags = flags; 128 } 129 130 static void 131 zfs_ace_v0_set_mask(void *acep, uint32_t mask) 132 { 133 ((zfs_oldace_t *)acep)->z_access_mask = mask; 134 } 135 136 static void 137 zfs_ace_v0_set_who(void *acep, uint64_t who) 138 { 139 ((zfs_oldace_t *)acep)->z_fuid = who; 140 } 141 142 /*ARGSUSED*/ 143 static size_t 144 zfs_ace_v0_size(void *acep) 145 { 146 return (sizeof (zfs_oldace_t)); 147 } 148 149 static size_t 150 zfs_ace_v0_abstract_size(void) 151 { 152 return (sizeof (zfs_oldace_t)); 153 } 154 155 static int 156 zfs_ace_v0_mask_off(void) 157 { 158 return (offsetof(zfs_oldace_t, z_access_mask)); 159 } 160 161 /*ARGSUSED*/ 162 static int 163 zfs_ace_v0_data(void *acep, void **datap) 164 { 165 *datap = NULL; 166 return (0); 167 } 168 169 static acl_ops_t zfs_acl_v0_ops = { 170 zfs_ace_v0_get_mask, 171 zfs_ace_v0_set_mask, 172 zfs_ace_v0_get_flags, 173 zfs_ace_v0_set_flags, 174 zfs_ace_v0_get_type, 175 zfs_ace_v0_set_type, 176 zfs_ace_v0_get_who, 177 zfs_ace_v0_set_who, 178 zfs_ace_v0_size, 179 zfs_ace_v0_abstract_size, 180 zfs_ace_v0_mask_off, 181 zfs_ace_v0_data 182 }; 183 184 static uint16_t 185 zfs_ace_fuid_get_type(void *acep) 186 { 187 return (((zfs_ace_hdr_t *)acep)->z_type); 188 } 189 190 static uint16_t 191 zfs_ace_fuid_get_flags(void *acep) 192 { 193 return (((zfs_ace_hdr_t *)acep)->z_flags); 194 } 195 196 static uint32_t 197 zfs_ace_fuid_get_mask(void *acep) 198 { 199 return (((zfs_ace_hdr_t *)acep)->z_access_mask); 200 } 201 202 static uint64_t 203 zfs_ace_fuid_get_who(void *args) 204 { 205 uint16_t entry_type; 206 zfs_ace_t *acep = args; 207 208 entry_type = acep->z_hdr.z_flags & ACE_TYPE_FLAGS; 209 210 if (entry_type == ACE_OWNER || entry_type == OWNING_GROUP || 211 entry_type == ACE_EVERYONE) 212 return (-1); 213 return (((zfs_ace_t *)acep)->z_fuid); 214 } 215 216 static void 217 zfs_ace_fuid_set_type(void *acep, uint16_t type) 218 { 219 ((zfs_ace_hdr_t *)acep)->z_type = type; 220 } 221 222 static void 223 zfs_ace_fuid_set_flags(void *acep, uint16_t flags) 224 { 225 ((zfs_ace_hdr_t *)acep)->z_flags = flags; 226 } 227 228 static void 229 zfs_ace_fuid_set_mask(void *acep, uint32_t mask) 230 { 231 ((zfs_ace_hdr_t *)acep)->z_access_mask = mask; 232 } 233 234 static void 235 zfs_ace_fuid_set_who(void *arg, uint64_t who) 236 { 237 zfs_ace_t *acep = arg; 238 239 uint16_t entry_type = acep->z_hdr.z_flags & ACE_TYPE_FLAGS; 240 241 if (entry_type == ACE_OWNER || entry_type == OWNING_GROUP || 242 entry_type == ACE_EVERYONE) 243 return; 244 acep->z_fuid = who; 245 } 246 247 static size_t 248 zfs_ace_fuid_size(void *acep) 249 { 250 zfs_ace_hdr_t *zacep = acep; 251 uint16_t entry_type; 252 253 switch (zacep->z_type) { 254 case ACE_ACCESS_ALLOWED_OBJECT_ACE_TYPE: 255 case ACE_ACCESS_DENIED_OBJECT_ACE_TYPE: 256 case ACE_SYSTEM_AUDIT_OBJECT_ACE_TYPE: 257 case ACE_SYSTEM_ALARM_OBJECT_ACE_TYPE: 258 return (sizeof (zfs_object_ace_t)); 259 case ALLOW: 260 case DENY: 261 entry_type = 262 (((zfs_ace_hdr_t *)acep)->z_flags & ACE_TYPE_FLAGS); 263 if (entry_type == ACE_OWNER || 264 entry_type == OWNING_GROUP || 265 entry_type == ACE_EVERYONE) 266 return (sizeof (zfs_ace_hdr_t)); 267 /*FALLTHROUGH*/ 268 default: 269 return (sizeof (zfs_ace_t)); 270 } 271 } 272 273 static size_t 274 zfs_ace_fuid_abstract_size(void) 275 { 276 return (sizeof (zfs_ace_hdr_t)); 277 } 278 279 static int 280 zfs_ace_fuid_mask_off(void) 281 { 282 return (offsetof(zfs_ace_hdr_t, z_access_mask)); 283 } 284 285 static int 286 zfs_ace_fuid_data(void *acep, void **datap) 287 { 288 zfs_ace_t *zacep = acep; 289 zfs_object_ace_t *zobjp; 290 291 switch (zacep->z_hdr.z_type) { 292 case ACE_ACCESS_ALLOWED_OBJECT_ACE_TYPE: 293 case ACE_ACCESS_DENIED_OBJECT_ACE_TYPE: 294 case ACE_SYSTEM_AUDIT_OBJECT_ACE_TYPE: 295 case ACE_SYSTEM_ALARM_OBJECT_ACE_TYPE: 296 zobjp = acep; 297 *datap = (caddr_t)zobjp + sizeof (zfs_ace_t); 298 return (sizeof (zfs_object_ace_t) - sizeof (zfs_ace_t)); 299 default: 300 *datap = NULL; 301 return (0); 302 } 303 } 304 305 static acl_ops_t zfs_acl_fuid_ops = { 306 zfs_ace_fuid_get_mask, 307 zfs_ace_fuid_set_mask, 308 zfs_ace_fuid_get_flags, 309 zfs_ace_fuid_set_flags, 310 zfs_ace_fuid_get_type, 311 zfs_ace_fuid_set_type, 312 zfs_ace_fuid_get_who, 313 zfs_ace_fuid_set_who, 314 zfs_ace_fuid_size, 315 zfs_ace_fuid_abstract_size, 316 zfs_ace_fuid_mask_off, 317 zfs_ace_fuid_data 318 }; 319 320 static int 321 zfs_acl_version(int version) 322 { 323 if (version < ZPL_VERSION_FUID) 324 return (ZFS_ACL_VERSION_INITIAL); 325 else 326 return (ZFS_ACL_VERSION_FUID); 327 } 328 329 static int 330 zfs_acl_version_zp(znode_t *zp) 331 { 332 return (zfs_acl_version(zp->z_zfsvfs->z_version)); 333 } 334 335 static zfs_acl_t * 336 zfs_acl_alloc(int vers) 337 { 338 zfs_acl_t *aclp; 339 340 aclp = kmem_zalloc(sizeof (zfs_acl_t), KM_SLEEP); 341 list_create(&aclp->z_acl, sizeof (zfs_acl_node_t), 342 offsetof(zfs_acl_node_t, z_next)); 343 aclp->z_version = vers; 344 if (vers == ZFS_ACL_VERSION_FUID) 345 aclp->z_ops = zfs_acl_fuid_ops; 346 else 347 aclp->z_ops = zfs_acl_v0_ops; 348 return (aclp); 349 } 350 351 static zfs_acl_node_t * 352 zfs_acl_node_alloc(size_t bytes) 353 { 354 zfs_acl_node_t *aclnode; 355 356 aclnode = kmem_zalloc(sizeof (zfs_acl_node_t), KM_SLEEP); 357 if (bytes) { 358 aclnode->z_acldata = kmem_alloc(bytes, KM_SLEEP); 359 aclnode->z_allocdata = aclnode->z_acldata; 360 aclnode->z_allocsize = bytes; 361 aclnode->z_size = bytes; 362 } 363 364 return (aclnode); 365 } 366 367 static void 368 zfs_acl_node_free(zfs_acl_node_t *aclnode) 369 { 370 if (aclnode->z_allocsize) 371 kmem_free(aclnode->z_allocdata, aclnode->z_allocsize); 372 kmem_free(aclnode, sizeof (zfs_acl_node_t)); 373 } 374 375 static void 376 zfs_acl_release_nodes(zfs_acl_t *aclp) 377 { 378 zfs_acl_node_t *aclnode; 379 380 while (aclnode = list_head(&aclp->z_acl)) { 381 list_remove(&aclp->z_acl, aclnode); 382 zfs_acl_node_free(aclnode); 383 } 384 aclp->z_acl_count = 0; 385 aclp->z_acl_bytes = 0; 386 } 387 388 void 389 zfs_acl_free(zfs_acl_t *aclp) 390 { 391 zfs_acl_release_nodes(aclp); 392 list_destroy(&aclp->z_acl); 393 kmem_free(aclp, sizeof (zfs_acl_t)); 394 } 395 396 static boolean_t 397 zfs_ace_valid(vtype_t obj_type, zfs_acl_t *aclp, uint16_t type, uint16_t iflags) 398 { 399 /* 400 * first check type of entry 401 */ 402 403 switch (iflags & ACE_TYPE_FLAGS) { 404 case ACE_OWNER: 405 case OWNING_GROUP: 406 case ACE_IDENTIFIER_GROUP: 407 case ACE_EVERYONE: 408 case 0: /* User entry */ 409 break; 410 default: 411 return (B_FALSE); 412 413 } 414 415 /* 416 * next check inheritance level flags 417 */ 418 419 if (type != ALLOW && type > MAX_ACE_TYPE) { 420 return (B_FALSE); 421 } 422 423 switch (type) { 424 case ACE_ACCESS_ALLOWED_OBJECT_ACE_TYPE: 425 case ACE_ACCESS_DENIED_OBJECT_ACE_TYPE: 426 case ACE_SYSTEM_AUDIT_OBJECT_ACE_TYPE: 427 case ACE_SYSTEM_ALARM_OBJECT_ACE_TYPE: 428 if (aclp->z_version < ZFS_ACL_VERSION_FUID) 429 return (B_FALSE); 430 aclp->z_hints |= ZFS_ACL_OBJ_ACE; 431 } 432 433 if (obj_type == VDIR && 434 (iflags & (ACE_FILE_INHERIT_ACE|ACE_DIRECTORY_INHERIT_ACE))) 435 aclp->z_hints |= ZFS_INHERIT_ACE; 436 437 if (iflags & (ACE_INHERIT_ONLY_ACE|ACE_NO_PROPAGATE_INHERIT_ACE)) { 438 if ((iflags & (ACE_FILE_INHERIT_ACE| 439 ACE_DIRECTORY_INHERIT_ACE)) == 0) { 440 return (B_FALSE); 441 } 442 } 443 444 return (B_TRUE); 445 } 446 447 static void * 448 zfs_acl_next_ace(zfs_acl_t *aclp, void *start, uint64_t *who, 449 uint32_t *access_mask, uint16_t *iflags, uint16_t *type) 450 { 451 zfs_acl_node_t *aclnode; 452 453 if (start == NULL) { 454 aclnode = list_head(&aclp->z_acl); 455 if (aclnode == NULL) 456 return (NULL); 457 458 aclp->z_next_ace = aclnode->z_acldata; 459 aclp->z_curr_node = aclnode; 460 aclnode->z_ace_idx = 0; 461 } 462 463 aclnode = aclp->z_curr_node; 464 465 if (aclnode == NULL) 466 return (NULL); 467 468 if (aclnode->z_ace_idx >= aclnode->z_ace_count) { 469 aclnode = list_next(&aclp->z_acl, aclnode); 470 if (aclnode == NULL) 471 return (NULL); 472 else { 473 aclp->z_curr_node = aclnode; 474 aclnode->z_ace_idx = 0; 475 aclp->z_next_ace = aclnode->z_acldata; 476 } 477 } 478 479 if (aclnode->z_ace_idx < aclnode->z_ace_count) { 480 void *acep = aclp->z_next_ace; 481 *iflags = aclp->z_ops.ace_flags_get(acep); 482 *type = aclp->z_ops.ace_type_get(acep); 483 *access_mask = aclp->z_ops.ace_mask_get(acep); 484 *who = aclp->z_ops.ace_who_get(acep); 485 aclp->z_next_ace = (caddr_t)aclp->z_next_ace + 486 aclp->z_ops.ace_size(acep); 487 aclnode->z_ace_idx++; 488 return ((void *)acep); 489 } 490 return (NULL); 491 } 492 493 /*ARGSUSED*/ 494 static uint64_t 495 zfs_ace_walk(void *datap, uint64_t cookie, int aclcnt, 496 uint16_t *flags, uint16_t *type, uint32_t *mask) 497 { 498 zfs_acl_t *aclp = datap; 499 zfs_ace_hdr_t *acep = (zfs_ace_hdr_t *)(uintptr_t)cookie; 500 uint64_t who; 501 502 acep = zfs_acl_next_ace(aclp, acep, &who, mask, 503 flags, type); 504 return ((uint64_t)(uintptr_t)acep); 505 } 506 507 static zfs_acl_node_t * 508 zfs_acl_curr_node(zfs_acl_t *aclp) 509 { 510 ASSERT(aclp->z_curr_node); 511 return (aclp->z_curr_node); 512 } 513 514 /* 515 * Copy ACE to internal ZFS format. 516 * While processing the ACL each ACE will be validated for correctness. 517 * ACE FUIDs will be created later. 518 */ 519 int 520 zfs_copy_ace_2_fuid(vtype_t obj_type, zfs_acl_t *aclp, void *datap, 521 zfs_ace_t *z_acl, int aclcnt, size_t *size) 522 { 523 int i; 524 uint16_t entry_type; 525 zfs_ace_t *aceptr = z_acl; 526 ace_t *acep = datap; 527 zfs_object_ace_t *zobjacep; 528 ace_object_t *aceobjp; 529 530 for (i = 0; i != aclcnt; i++) { 531 aceptr->z_hdr.z_access_mask = acep->a_access_mask; 532 aceptr->z_hdr.z_flags = acep->a_flags; 533 aceptr->z_hdr.z_type = acep->a_type; 534 entry_type = aceptr->z_hdr.z_flags & ACE_TYPE_FLAGS; 535 if (entry_type != ACE_OWNER && entry_type != OWNING_GROUP && 536 entry_type != ACE_EVERYONE) { 537 if (!aclp->z_has_fuids) 538 aclp->z_has_fuids = IS_EPHEMERAL(acep->a_who); 539 aceptr->z_fuid = (uint64_t)acep->a_who; 540 } 541 542 /* 543 * Make sure ACE is valid 544 */ 545 if (zfs_ace_valid(obj_type, aclp, aceptr->z_hdr.z_type, 546 aceptr->z_hdr.z_flags) != B_TRUE) 547 return (EINVAL); 548 549 switch (acep->a_type) { 550 case ACE_ACCESS_ALLOWED_OBJECT_ACE_TYPE: 551 case ACE_ACCESS_DENIED_OBJECT_ACE_TYPE: 552 case ACE_SYSTEM_AUDIT_OBJECT_ACE_TYPE: 553 case ACE_SYSTEM_ALARM_OBJECT_ACE_TYPE: 554 zobjacep = (zfs_object_ace_t *)aceptr; 555 aceobjp = (ace_object_t *)acep; 556 557 bcopy(aceobjp->a_obj_type, zobjacep->z_object_type, 558 sizeof (aceobjp->a_obj_type)); 559 bcopy(aceobjp->a_inherit_obj_type, 560 zobjacep->z_inherit_type, 561 sizeof (aceobjp->a_inherit_obj_type)); 562 acep = (ace_t *)((caddr_t)acep + sizeof (ace_object_t)); 563 break; 564 default: 565 acep = (ace_t *)((caddr_t)acep + sizeof (ace_t)); 566 } 567 568 aceptr = (zfs_ace_t *)((caddr_t)aceptr + 569 aclp->z_ops.ace_size(aceptr)); 570 } 571 572 *size = (caddr_t)aceptr - (caddr_t)z_acl; 573 574 return (0); 575 } 576 577 /* 578 * Copy ZFS ACEs to fixed size ace_t layout 579 */ 580 static void 581 zfs_copy_fuid_2_ace(zfsvfs_t *zfsvfs, zfs_acl_t *aclp, cred_t *cr, 582 void *datap, int filter) 583 { 584 uint64_t who; 585 uint32_t access_mask; 586 uint16_t iflags, type; 587 zfs_ace_hdr_t *zacep = NULL; 588 ace_t *acep = datap; 589 ace_object_t *objacep; 590 zfs_object_ace_t *zobjacep; 591 size_t ace_size; 592 uint16_t entry_type; 593 594 while (zacep = zfs_acl_next_ace(aclp, zacep, 595 &who, &access_mask, &iflags, &type)) { 596 597 switch (type) { 598 case ACE_ACCESS_ALLOWED_OBJECT_ACE_TYPE: 599 case ACE_ACCESS_DENIED_OBJECT_ACE_TYPE: 600 case ACE_SYSTEM_AUDIT_OBJECT_ACE_TYPE: 601 case ACE_SYSTEM_ALARM_OBJECT_ACE_TYPE: 602 if (filter) { 603 continue; 604 } 605 zobjacep = (zfs_object_ace_t *)zacep; 606 objacep = (ace_object_t *)acep; 607 bcopy(zobjacep->z_object_type, 608 objacep->a_obj_type, 609 sizeof (zobjacep->z_object_type)); 610 bcopy(zobjacep->z_inherit_type, 611 objacep->a_inherit_obj_type, 612 sizeof (zobjacep->z_inherit_type)); 613 ace_size = sizeof (ace_object_t); 614 break; 615 default: 616 ace_size = sizeof (ace_t); 617 break; 618 } 619 620 entry_type = (iflags & ACE_TYPE_FLAGS); 621 if ((entry_type != ACE_OWNER && 622 entry_type != OWNING_GROUP && 623 entry_type != ACE_EVERYONE)) { 624 acep->a_who = zfs_fuid_map_id(zfsvfs, who, 625 cr, (entry_type & ACE_IDENTIFIER_GROUP) ? 626 ZFS_ACE_GROUP : ZFS_ACE_USER); 627 } else { 628 acep->a_who = (uid_t)(int64_t)who; 629 } 630 acep->a_access_mask = access_mask; 631 acep->a_flags = iflags; 632 acep->a_type = type; 633 acep = (ace_t *)((caddr_t)acep + ace_size); 634 } 635 } 636 637 static int 638 zfs_copy_ace_2_oldace(vtype_t obj_type, zfs_acl_t *aclp, ace_t *acep, 639 zfs_oldace_t *z_acl, int aclcnt, size_t *size) 640 { 641 int i; 642 zfs_oldace_t *aceptr = z_acl; 643 644 for (i = 0; i != aclcnt; i++, aceptr++) { 645 aceptr->z_access_mask = acep[i].a_access_mask; 646 aceptr->z_type = acep[i].a_type; 647 aceptr->z_flags = acep[i].a_flags; 648 aceptr->z_fuid = acep[i].a_who; 649 /* 650 * Make sure ACE is valid 651 */ 652 if (zfs_ace_valid(obj_type, aclp, aceptr->z_type, 653 aceptr->z_flags) != B_TRUE) 654 return (EINVAL); 655 } 656 *size = (caddr_t)aceptr - (caddr_t)z_acl; 657 return (0); 658 } 659 660 /* 661 * convert old ACL format to new 662 */ 663 void 664 zfs_acl_xform(znode_t *zp, zfs_acl_t *aclp) 665 { 666 zfs_oldace_t *oldaclp; 667 int i; 668 uint16_t type, iflags; 669 uint32_t access_mask; 670 uint64_t who; 671 void *cookie = NULL; 672 zfs_acl_node_t *newaclnode; 673 674 ASSERT(aclp->z_version == ZFS_ACL_VERSION_INITIAL); 675 /* 676 * First create the ACE in a contiguous piece of memory 677 * for zfs_copy_ace_2_fuid(). 678 * 679 * We only convert an ACL once, so this won't happen 680 * everytime. 681 */ 682 oldaclp = kmem_alloc(sizeof (zfs_oldace_t) * aclp->z_acl_count, 683 KM_SLEEP); 684 i = 0; 685 while (cookie = zfs_acl_next_ace(aclp, cookie, &who, 686 &access_mask, &iflags, &type)) { 687 oldaclp[i].z_flags = iflags; 688 oldaclp[i].z_type = type; 689 oldaclp[i].z_fuid = who; 690 oldaclp[i++].z_access_mask = access_mask; 691 } 692 693 newaclnode = zfs_acl_node_alloc(aclp->z_acl_count * 694 sizeof (zfs_object_ace_t)); 695 aclp->z_ops = zfs_acl_fuid_ops; 696 VERIFY(zfs_copy_ace_2_fuid(ZTOV(zp)->v_type, aclp, oldaclp, 697 newaclnode->z_acldata, aclp->z_acl_count, 698 &newaclnode->z_size) == 0); 699 newaclnode->z_ace_count = aclp->z_acl_count; 700 aclp->z_version = ZFS_ACL_VERSION; 701 kmem_free(oldaclp, aclp->z_acl_count * sizeof (zfs_oldace_t)); 702 703 /* 704 * Release all previous ACL nodes 705 */ 706 707 zfs_acl_release_nodes(aclp); 708 709 list_insert_head(&aclp->z_acl, newaclnode); 710 711 aclp->z_acl_bytes = newaclnode->z_size; 712 aclp->z_acl_count = newaclnode->z_ace_count; 713 714 } 715 716 /* 717 * Convert unix access mask to v4 access mask 718 */ 719 static uint32_t 720 zfs_unix_to_v4(uint32_t access_mask) 721 { 722 uint32_t new_mask = 0; 723 724 if (access_mask & S_IXOTH) 725 new_mask |= ACE_EXECUTE; 726 if (access_mask & S_IWOTH) 727 new_mask |= ACE_WRITE_DATA; 728 if (access_mask & S_IROTH) 729 new_mask |= ACE_READ_DATA; 730 return (new_mask); 731 } 732 733 static void 734 zfs_set_ace(zfs_acl_t *aclp, void *acep, uint32_t access_mask, 735 uint16_t access_type, uint64_t fuid, uint16_t entry_type) 736 { 737 uint16_t type = entry_type & ACE_TYPE_FLAGS; 738 739 aclp->z_ops.ace_mask_set(acep, access_mask); 740 aclp->z_ops.ace_type_set(acep, access_type); 741 aclp->z_ops.ace_flags_set(acep, entry_type); 742 if ((type != ACE_OWNER && type != OWNING_GROUP && 743 type != ACE_EVERYONE)) 744 aclp->z_ops.ace_who_set(acep, fuid); 745 } 746 747 /* 748 * Determine mode of file based on ACL. 749 * Also, create FUIDs for any User/Group ACEs 750 */ 751 static uint64_t 752 zfs_mode_fuid_compute(znode_t *zp, zfs_acl_t *aclp, cred_t *cr, 753 zfs_fuid_info_t **fuidp, dmu_tx_t *tx) 754 { 755 int entry_type; 756 mode_t mode; 757 mode_t seen = 0; 758 zfs_ace_hdr_t *acep = NULL; 759 uint64_t who; 760 uint16_t iflags, type; 761 uint32_t access_mask; 762 763 mode = (zp->z_phys->zp_mode & (S_IFMT | S_ISUID | S_ISGID | S_ISVTX)); 764 765 while (acep = zfs_acl_next_ace(aclp, acep, &who, 766 &access_mask, &iflags, &type)) { 767 768 entry_type = (iflags & ACE_TYPE_FLAGS); 769 770 /* 771 * Skip over owner@, group@ or everyone@ inherit only ACEs 772 */ 773 if ((iflags & ACE_INHERIT_ONLY_ACE) && 774 (entry_type == ACE_OWNER || entry_type == ACE_EVERYONE || 775 entry_type == OWNING_GROUP)) 776 continue; 777 778 if (entry_type == ACE_OWNER) { 779 if ((access_mask & ACE_READ_DATA) && 780 (!(seen & S_IRUSR))) { 781 seen |= S_IRUSR; 782 if (type == ALLOW) { 783 mode |= S_IRUSR; 784 } 785 } 786 if ((access_mask & ACE_WRITE_DATA) && 787 (!(seen & S_IWUSR))) { 788 seen |= S_IWUSR; 789 if (type == ALLOW) { 790 mode |= S_IWUSR; 791 } 792 } 793 if ((access_mask & ACE_EXECUTE) && 794 (!(seen & S_IXUSR))) { 795 seen |= S_IXUSR; 796 if (type == ALLOW) { 797 mode |= S_IXUSR; 798 } 799 } 800 } else if (entry_type == OWNING_GROUP) { 801 if ((access_mask & ACE_READ_DATA) && 802 (!(seen & S_IRGRP))) { 803 seen |= S_IRGRP; 804 if (type == ALLOW) { 805 mode |= S_IRGRP; 806 } 807 } 808 if ((access_mask & ACE_WRITE_DATA) && 809 (!(seen & S_IWGRP))) { 810 seen |= S_IWGRP; 811 if (type == ALLOW) { 812 mode |= S_IWGRP; 813 } 814 } 815 if ((access_mask & ACE_EXECUTE) && 816 (!(seen & S_IXGRP))) { 817 seen |= S_IXGRP; 818 if (type == ALLOW) { 819 mode |= S_IXGRP; 820 } 821 } 822 } else if (entry_type == ACE_EVERYONE) { 823 if ((access_mask & ACE_READ_DATA)) { 824 if (!(seen & S_IRUSR)) { 825 seen |= S_IRUSR; 826 if (type == ALLOW) { 827 mode |= S_IRUSR; 828 } 829 } 830 if (!(seen & S_IRGRP)) { 831 seen |= S_IRGRP; 832 if (type == ALLOW) { 833 mode |= S_IRGRP; 834 } 835 } 836 if (!(seen & S_IROTH)) { 837 seen |= S_IROTH; 838 if (type == ALLOW) { 839 mode |= S_IROTH; 840 } 841 } 842 } 843 if ((access_mask & ACE_WRITE_DATA)) { 844 if (!(seen & S_IWUSR)) { 845 seen |= S_IWUSR; 846 if (type == ALLOW) { 847 mode |= S_IWUSR; 848 } 849 } 850 if (!(seen & S_IWGRP)) { 851 seen |= S_IWGRP; 852 if (type == ALLOW) { 853 mode |= S_IWGRP; 854 } 855 } 856 if (!(seen & S_IWOTH)) { 857 seen |= S_IWOTH; 858 if (type == ALLOW) { 859 mode |= S_IWOTH; 860 } 861 } 862 } 863 if ((access_mask & ACE_EXECUTE)) { 864 if (!(seen & S_IXUSR)) { 865 seen |= S_IXUSR; 866 if (type == ALLOW) { 867 mode |= S_IXUSR; 868 } 869 } 870 if (!(seen & S_IXGRP)) { 871 seen |= S_IXGRP; 872 if (type == ALLOW) { 873 mode |= S_IXGRP; 874 } 875 } 876 if (!(seen & S_IXOTH)) { 877 seen |= S_IXOTH; 878 if (type == ALLOW) { 879 mode |= S_IXOTH; 880 } 881 } 882 } 883 } 884 /* 885 * Now handle FUID create for user/group ACEs 886 */ 887 if (entry_type == 0 || entry_type == ACE_IDENTIFIER_GROUP) { 888 aclp->z_ops.ace_who_set(acep, 889 zfs_fuid_create(zp->z_zfsvfs, who, cr, 890 (entry_type == 0) ? ZFS_ACE_USER : ZFS_ACE_GROUP, 891 tx, fuidp)); 892 } 893 } 894 return (mode); 895 } 896 897 static zfs_acl_t * 898 zfs_acl_node_read_internal(znode_t *zp, boolean_t will_modify) 899 { 900 zfs_acl_t *aclp; 901 zfs_acl_node_t *aclnode; 902 903 aclp = zfs_acl_alloc(zp->z_phys->zp_acl.z_acl_version); 904 905 /* 906 * Version 0 to 1 znode_acl_phys has the size/count fields swapped. 907 * Version 0 didn't have a size field, only a count. 908 */ 909 if (zp->z_phys->zp_acl.z_acl_version == ZFS_ACL_VERSION_INITIAL) { 910 aclp->z_acl_count = zp->z_phys->zp_acl.z_acl_size; 911 aclp->z_acl_bytes = ZFS_ACL_SIZE(aclp->z_acl_count); 912 } else { 913 aclp->z_acl_count = zp->z_phys->zp_acl.z_acl_count; 914 aclp->z_acl_bytes = zp->z_phys->zp_acl.z_acl_size; 915 } 916 917 aclnode = zfs_acl_node_alloc(will_modify ? aclp->z_acl_bytes : 0); 918 aclnode->z_ace_count = aclp->z_acl_count; 919 if (will_modify) { 920 bcopy(zp->z_phys->zp_acl.z_ace_data, aclnode->z_acldata, 921 aclp->z_acl_bytes); 922 } else { 923 aclnode->z_size = aclp->z_acl_bytes; 924 aclnode->z_acldata = &zp->z_phys->zp_acl.z_ace_data[0]; 925 } 926 927 list_insert_head(&aclp->z_acl, aclnode); 928 929 return (aclp); 930 } 931 932 /* 933 * Read an external acl object. 934 */ 935 static int 936 zfs_acl_node_read(znode_t *zp, zfs_acl_t **aclpp, boolean_t will_modify) 937 { 938 uint64_t extacl = zp->z_phys->zp_acl.z_acl_extern_obj; 939 zfs_acl_t *aclp; 940 size_t aclsize; 941 size_t acl_count; 942 zfs_acl_node_t *aclnode; 943 int error; 944 945 ASSERT(MUTEX_HELD(&zp->z_acl_lock)); 946 947 if (zp->z_phys->zp_acl.z_acl_extern_obj == 0) { 948 *aclpp = zfs_acl_node_read_internal(zp, will_modify); 949 return (0); 950 } 951 952 aclp = zfs_acl_alloc(zp->z_phys->zp_acl.z_acl_version); 953 if (zp->z_phys->zp_acl.z_acl_version == ZFS_ACL_VERSION_INITIAL) { 954 zfs_acl_phys_v0_t *zacl0 = 955 (zfs_acl_phys_v0_t *)&zp->z_phys->zp_acl; 956 957 aclsize = ZFS_ACL_SIZE(zacl0->z_acl_count); 958 acl_count = zacl0->z_acl_count; 959 } else { 960 aclsize = zp->z_phys->zp_acl.z_acl_size; 961 acl_count = zp->z_phys->zp_acl.z_acl_count; 962 if (aclsize == 0) 963 aclsize = acl_count * sizeof (zfs_ace_t); 964 } 965 aclnode = zfs_acl_node_alloc(aclsize); 966 list_insert_head(&aclp->z_acl, aclnode); 967 error = dmu_read(zp->z_zfsvfs->z_os, extacl, 0, 968 aclsize, aclnode->z_acldata); 969 aclnode->z_ace_count = acl_count; 970 aclp->z_acl_count = acl_count; 971 aclp->z_acl_bytes = aclsize; 972 973 if (error != 0) { 974 zfs_acl_free(aclp); 975 /* convert checksum errors into IO errors */ 976 if (error == ECKSUM) 977 error = EIO; 978 return (error); 979 } 980 981 *aclpp = aclp; 982 return (0); 983 } 984 985 /* 986 * common code for setting ACLs. 987 * 988 * This function is called from zfs_mode_update, zfs_perm_init, and zfs_setacl. 989 * zfs_setacl passes a non-NULL inherit pointer (ihp) to indicate that it's 990 * already checked the acl and knows whether to inherit. 991 */ 992 int 993 zfs_aclset_common(znode_t *zp, zfs_acl_t *aclp, cred_t *cr, 994 zfs_fuid_info_t **fuidp, dmu_tx_t *tx) 995 { 996 int error; 997 znode_phys_t *zphys = zp->z_phys; 998 zfs_acl_phys_t *zacl = &zphys->zp_acl; 999 zfsvfs_t *zfsvfs = zp->z_zfsvfs; 1000 uint64_t aoid = zphys->zp_acl.z_acl_extern_obj; 1001 uint64_t off = 0; 1002 dmu_object_type_t otype; 1003 zfs_acl_node_t *aclnode; 1004 1005 ASSERT(MUTEX_HELD(&zp->z_lock)); 1006 ASSERT(MUTEX_HELD(&zp->z_acl_lock)); 1007 1008 dmu_buf_will_dirty(zp->z_dbuf, tx); 1009 1010 zphys->zp_mode = zfs_mode_fuid_compute(zp, aclp, cr, fuidp, tx); 1011 1012 /* 1013 * Decide which opbject type to use. If we are forced to 1014 * use old ACL format than transform ACL into zfs_oldace_t 1015 * layout. 1016 */ 1017 if (!zfsvfs->z_use_fuids) { 1018 otype = DMU_OT_OLDACL; 1019 } else { 1020 if ((aclp->z_version == ZFS_ACL_VERSION_INITIAL) && 1021 (zfsvfs->z_version >= ZPL_VERSION_FUID)) 1022 zfs_acl_xform(zp, aclp); 1023 ASSERT(aclp->z_version >= ZFS_ACL_VERSION_FUID); 1024 otype = DMU_OT_ACL; 1025 } 1026 1027 if (aclp->z_acl_bytes > ZFS_ACE_SPACE) { 1028 /* 1029 * If ACL was previously external and we are now 1030 * converting to new ACL format then release old 1031 * ACL object and create a new one. 1032 */ 1033 if (aoid && aclp->z_version != zacl->z_acl_version) { 1034 error = dmu_object_free(zfsvfs->z_os, 1035 zp->z_phys->zp_acl.z_acl_extern_obj, tx); 1036 if (error) 1037 return (error); 1038 aoid = 0; 1039 } 1040 if (aoid == 0) { 1041 aoid = dmu_object_alloc(zfsvfs->z_os, 1042 otype, aclp->z_acl_bytes, 1043 otype == DMU_OT_ACL ? DMU_OT_SYSACL : DMU_OT_NONE, 1044 otype == DMU_OT_ACL ? DN_MAX_BONUSLEN : 0, tx); 1045 } else { 1046 (void) dmu_object_set_blocksize(zfsvfs->z_os, aoid, 1047 aclp->z_acl_bytes, 0, tx); 1048 } 1049 zphys->zp_acl.z_acl_extern_obj = aoid; 1050 for (aclnode = list_head(&aclp->z_acl); aclnode; 1051 aclnode = list_next(&aclp->z_acl, aclnode)) { 1052 if (aclnode->z_ace_count == 0) 1053 continue; 1054 dmu_write(zfsvfs->z_os, aoid, off, 1055 aclnode->z_size, aclnode->z_acldata, tx); 1056 off += aclnode->z_size; 1057 } 1058 } else { 1059 void *start = zacl->z_ace_data; 1060 /* 1061 * Migrating back embedded? 1062 */ 1063 if (zphys->zp_acl.z_acl_extern_obj) { 1064 error = dmu_object_free(zfsvfs->z_os, 1065 zp->z_phys->zp_acl.z_acl_extern_obj, tx); 1066 if (error) 1067 return (error); 1068 zphys->zp_acl.z_acl_extern_obj = 0; 1069 } 1070 1071 for (aclnode = list_head(&aclp->z_acl); aclnode; 1072 aclnode = list_next(&aclp->z_acl, aclnode)) { 1073 if (aclnode->z_ace_count == 0) 1074 continue; 1075 bcopy(aclnode->z_acldata, start, aclnode->z_size); 1076 start = (caddr_t)start + aclnode->z_size; 1077 } 1078 } 1079 1080 /* 1081 * If Old version then swap count/bytes to match old 1082 * layout of znode_acl_phys_t. 1083 */ 1084 if (aclp->z_version == ZFS_ACL_VERSION_INITIAL) { 1085 zphys->zp_acl.z_acl_size = aclp->z_acl_count; 1086 zphys->zp_acl.z_acl_count = aclp->z_acl_bytes; 1087 } else { 1088 zphys->zp_acl.z_acl_size = aclp->z_acl_bytes; 1089 zphys->zp_acl.z_acl_count = aclp->z_acl_count; 1090 } 1091 1092 zphys->zp_acl.z_acl_version = aclp->z_version; 1093 1094 /* 1095 * Replace ACL wide bits, but first clear them. 1096 */ 1097 zp->z_phys->zp_flags &= ~ZFS_ACL_WIDE_FLAGS; 1098 1099 zp->z_phys->zp_flags |= aclp->z_hints; 1100 1101 if (ace_trivial_common(aclp, 0, zfs_ace_walk) == 0) 1102 zp->z_phys->zp_flags |= ZFS_ACL_TRIVIAL; 1103 1104 zfs_time_stamper_locked(zp, STATE_CHANGED, tx); 1105 return (0); 1106 } 1107 1108 /* 1109 * Update access mask for prepended ACE 1110 * 1111 * This applies the "groupmask" value for aclmode property. 1112 */ 1113 static void 1114 zfs_acl_prepend_fixup(zfs_acl_t *aclp, void *acep, void *origacep, 1115 mode_t mode, uint64_t owner) 1116 { 1117 int rmask, wmask, xmask; 1118 int user_ace; 1119 uint16_t aceflags; 1120 uint32_t origmask, acepmask; 1121 uint64_t fuid; 1122 1123 aceflags = aclp->z_ops.ace_flags_get(acep); 1124 fuid = aclp->z_ops.ace_who_get(acep); 1125 origmask = aclp->z_ops.ace_mask_get(origacep); 1126 acepmask = aclp->z_ops.ace_mask_get(acep); 1127 1128 user_ace = (!(aceflags & 1129 (ACE_OWNER|ACE_GROUP|ACE_IDENTIFIER_GROUP))); 1130 1131 if (user_ace && (fuid == owner)) { 1132 rmask = S_IRUSR; 1133 wmask = S_IWUSR; 1134 xmask = S_IXUSR; 1135 } else { 1136 rmask = S_IRGRP; 1137 wmask = S_IWGRP; 1138 xmask = S_IXGRP; 1139 } 1140 1141 if (origmask & ACE_READ_DATA) { 1142 if (mode & rmask) { 1143 acepmask &= ~ACE_READ_DATA; 1144 } else { 1145 acepmask |= ACE_READ_DATA; 1146 } 1147 } 1148 1149 if (origmask & ACE_WRITE_DATA) { 1150 if (mode & wmask) { 1151 acepmask &= ~ACE_WRITE_DATA; 1152 } else { 1153 acepmask |= ACE_WRITE_DATA; 1154 } 1155 } 1156 1157 if (origmask & ACE_APPEND_DATA) { 1158 if (mode & wmask) { 1159 acepmask &= ~ACE_APPEND_DATA; 1160 } else { 1161 acepmask |= ACE_APPEND_DATA; 1162 } 1163 } 1164 1165 if (origmask & ACE_EXECUTE) { 1166 if (mode & xmask) { 1167 acepmask &= ~ACE_EXECUTE; 1168 } else { 1169 acepmask |= ACE_EXECUTE; 1170 } 1171 } 1172 aclp->z_ops.ace_mask_set(acep, acepmask); 1173 } 1174 1175 /* 1176 * Apply mode to canonical six ACEs. 1177 */ 1178 static void 1179 zfs_acl_fixup_canonical_six(zfs_acl_t *aclp, mode_t mode) 1180 { 1181 zfs_acl_node_t *aclnode = list_tail(&aclp->z_acl); 1182 void *acep; 1183 int maskoff = aclp->z_ops.ace_mask_off(); 1184 size_t abstract_size = aclp->z_ops.ace_abstract_size(); 1185 1186 ASSERT(aclnode != NULL); 1187 1188 acep = (void *)((caddr_t)aclnode->z_acldata + 1189 aclnode->z_size - (abstract_size * 6)); 1190 1191 /* 1192 * Fixup final ACEs to match the mode 1193 */ 1194 1195 adjust_ace_pair_common(acep, maskoff, abstract_size, 1196 (mode & 0700) >> 6); /* owner@ */ 1197 1198 acep = (caddr_t)acep + (abstract_size * 2); 1199 1200 adjust_ace_pair_common(acep, maskoff, abstract_size, 1201 (mode & 0070) >> 3); /* group@ */ 1202 1203 acep = (caddr_t)acep + (abstract_size * 2); 1204 adjust_ace_pair_common(acep, maskoff, 1205 abstract_size, mode); /* everyone@ */ 1206 } 1207 1208 1209 static int 1210 zfs_acl_ace_match(zfs_acl_t *aclp, void *acep, int allow_deny, 1211 int entry_type, int accessmask) 1212 { 1213 uint32_t mask = aclp->z_ops.ace_mask_get(acep); 1214 uint16_t type = aclp->z_ops.ace_type_get(acep); 1215 uint16_t flags = aclp->z_ops.ace_flags_get(acep); 1216 1217 return (mask == accessmask && type == allow_deny && 1218 ((flags & ACE_TYPE_FLAGS) == entry_type)); 1219 } 1220 1221 /* 1222 * Can prepended ACE be reused? 1223 */ 1224 static int 1225 zfs_reuse_deny(zfs_acl_t *aclp, void *acep, void *prevacep) 1226 { 1227 int okay_masks; 1228 uint16_t prevtype; 1229 uint16_t prevflags; 1230 uint16_t flags; 1231 uint32_t mask, prevmask; 1232 1233 if (prevacep == NULL) 1234 return (B_FALSE); 1235 1236 prevtype = aclp->z_ops.ace_type_get(prevacep); 1237 prevflags = aclp->z_ops.ace_flags_get(prevacep); 1238 flags = aclp->z_ops.ace_flags_get(acep); 1239 mask = aclp->z_ops.ace_mask_get(acep); 1240 prevmask = aclp->z_ops.ace_mask_get(prevacep); 1241 1242 if (prevtype != DENY) 1243 return (B_FALSE); 1244 1245 if (prevflags != (flags & ACE_IDENTIFIER_GROUP)) 1246 return (B_FALSE); 1247 1248 okay_masks = (mask & OKAY_MASK_BITS); 1249 1250 if (prevmask & ~okay_masks) 1251 return (B_FALSE); 1252 1253 return (B_TRUE); 1254 } 1255 1256 1257 /* 1258 * Insert new ACL node into chain of zfs_acl_node_t's 1259 * 1260 * This will result in two possible results. 1261 * 1. If the ACL is currently just a single zfs_acl_node and 1262 * we are prepending the entry then current acl node will have 1263 * a new node inserted above it. 1264 * 1265 * 2. If we are inserting in the middle of current acl node then 1266 * the current node will be split in two and new node will be inserted 1267 * in between the two split nodes. 1268 */ 1269 static zfs_acl_node_t * 1270 zfs_acl_ace_insert(zfs_acl_t *aclp, void *acep) 1271 { 1272 zfs_acl_node_t *newnode; 1273 zfs_acl_node_t *trailernode = NULL; 1274 zfs_acl_node_t *currnode = zfs_acl_curr_node(aclp); 1275 int curr_idx = aclp->z_curr_node->z_ace_idx; 1276 int trailer_count; 1277 size_t oldsize; 1278 1279 newnode = zfs_acl_node_alloc(aclp->z_ops.ace_size(acep)); 1280 newnode->z_ace_count = 1; 1281 1282 oldsize = currnode->z_size; 1283 1284 if (curr_idx != 1) { 1285 trailernode = zfs_acl_node_alloc(0); 1286 trailernode->z_acldata = acep; 1287 1288 trailer_count = currnode->z_ace_count - curr_idx + 1; 1289 currnode->z_ace_count = curr_idx - 1; 1290 currnode->z_size = (caddr_t)acep - (caddr_t)currnode->z_acldata; 1291 trailernode->z_size = oldsize - currnode->z_size; 1292 trailernode->z_ace_count = trailer_count; 1293 } 1294 1295 aclp->z_acl_count += 1; 1296 aclp->z_acl_bytes += aclp->z_ops.ace_size(acep); 1297 1298 if (curr_idx == 1) 1299 list_insert_before(&aclp->z_acl, currnode, newnode); 1300 else 1301 list_insert_after(&aclp->z_acl, currnode, newnode); 1302 if (trailernode) { 1303 list_insert_after(&aclp->z_acl, newnode, trailernode); 1304 aclp->z_curr_node = trailernode; 1305 trailernode->z_ace_idx = 1; 1306 } 1307 1308 return (newnode); 1309 } 1310 1311 /* 1312 * Prepend deny ACE 1313 */ 1314 static void * 1315 zfs_acl_prepend_deny(znode_t *zp, zfs_acl_t *aclp, void *acep, 1316 mode_t mode) 1317 { 1318 zfs_acl_node_t *aclnode; 1319 void *newacep; 1320 uint64_t fuid; 1321 uint16_t flags; 1322 1323 aclnode = zfs_acl_ace_insert(aclp, acep); 1324 newacep = aclnode->z_acldata; 1325 fuid = aclp->z_ops.ace_who_get(acep); 1326 flags = aclp->z_ops.ace_flags_get(acep); 1327 zfs_set_ace(aclp, newacep, 0, DENY, fuid, (flags & ACE_TYPE_FLAGS)); 1328 zfs_acl_prepend_fixup(aclp, newacep, acep, mode, zp->z_phys->zp_uid); 1329 1330 return (newacep); 1331 } 1332 1333 /* 1334 * Split an inherited ACE into inherit_only ACE 1335 * and original ACE with inheritance flags stripped off. 1336 */ 1337 static void 1338 zfs_acl_split_ace(zfs_acl_t *aclp, zfs_ace_hdr_t *acep) 1339 { 1340 zfs_acl_node_t *aclnode; 1341 zfs_acl_node_t *currnode; 1342 void *newacep; 1343 uint16_t type, flags; 1344 uint32_t mask; 1345 uint64_t fuid; 1346 1347 type = aclp->z_ops.ace_type_get(acep); 1348 flags = aclp->z_ops.ace_flags_get(acep); 1349 mask = aclp->z_ops.ace_mask_get(acep); 1350 fuid = aclp->z_ops.ace_who_get(acep); 1351 1352 aclnode = zfs_acl_ace_insert(aclp, acep); 1353 newacep = aclnode->z_acldata; 1354 1355 aclp->z_ops.ace_type_set(newacep, type); 1356 aclp->z_ops.ace_flags_set(newacep, flags | ACE_INHERIT_ONLY_ACE); 1357 aclp->z_ops.ace_mask_set(newacep, mask); 1358 aclp->z_ops.ace_type_set(newacep, type); 1359 aclp->z_ops.ace_who_set(newacep, fuid); 1360 aclp->z_next_ace = acep; 1361 flags &= ~ALL_INHERIT; 1362 aclp->z_ops.ace_flags_set(acep, flags); 1363 currnode = zfs_acl_curr_node(aclp); 1364 ASSERT(currnode->z_ace_idx >= 1); 1365 currnode->z_ace_idx -= 1; 1366 } 1367 1368 /* 1369 * Are ACES started at index i, the canonical six ACES? 1370 */ 1371 static int 1372 zfs_have_canonical_six(zfs_acl_t *aclp) 1373 { 1374 void *acep; 1375 zfs_acl_node_t *aclnode = list_tail(&aclp->z_acl); 1376 int i = 0; 1377 size_t abstract_size = aclp->z_ops.ace_abstract_size(); 1378 1379 ASSERT(aclnode != NULL); 1380 1381 if (aclnode->z_ace_count < 6) 1382 return (0); 1383 1384 acep = (void *)((caddr_t)aclnode->z_acldata + 1385 aclnode->z_size - (aclp->z_ops.ace_abstract_size() * 6)); 1386 1387 if ((zfs_acl_ace_match(aclp, (caddr_t)acep + (abstract_size * i++), 1388 DENY, ACE_OWNER, 0) && 1389 zfs_acl_ace_match(aclp, (caddr_t)acep + (abstract_size * i++), 1390 ALLOW, ACE_OWNER, OWNER_ALLOW_MASK) && 1391 zfs_acl_ace_match(aclp, (caddr_t)acep + (abstract_size * i++), DENY, 1392 OWNING_GROUP, 0) && zfs_acl_ace_match(aclp, (caddr_t)acep + 1393 (abstract_size * i++), 1394 ALLOW, OWNING_GROUP, 0) && 1395 zfs_acl_ace_match(aclp, (caddr_t)acep + (abstract_size * i++), 1396 DENY, ACE_EVERYONE, EVERYONE_DENY_MASK) && 1397 zfs_acl_ace_match(aclp, (caddr_t)acep + (abstract_size * i++), 1398 ALLOW, ACE_EVERYONE, EVERYONE_ALLOW_MASK))) { 1399 return (1); 1400 } else { 1401 return (0); 1402 } 1403 } 1404 1405 1406 /* 1407 * Apply step 1g, to group entries 1408 * 1409 * Need to deal with corner case where group may have 1410 * greater permissions than owner. If so then limit 1411 * group permissions, based on what extra permissions 1412 * group has. 1413 */ 1414 static void 1415 zfs_fixup_group_entries(zfs_acl_t *aclp, void *acep, void *prevacep, 1416 mode_t mode) 1417 { 1418 uint32_t prevmask = aclp->z_ops.ace_mask_get(prevacep); 1419 uint32_t mask = aclp->z_ops.ace_mask_get(acep); 1420 uint16_t prevflags = aclp->z_ops.ace_flags_get(prevacep); 1421 mode_t extramode = (mode >> 3) & 07; 1422 mode_t ownermode = (mode >> 6); 1423 1424 if (prevflags & ACE_IDENTIFIER_GROUP) { 1425 1426 extramode &= ~ownermode; 1427 1428 if (extramode) { 1429 if (extramode & S_IROTH) { 1430 prevmask &= ~ACE_READ_DATA; 1431 mask &= ~ACE_READ_DATA; 1432 } 1433 if (extramode & S_IWOTH) { 1434 prevmask &= ~(ACE_WRITE_DATA|ACE_APPEND_DATA); 1435 mask &= ~(ACE_WRITE_DATA|ACE_APPEND_DATA); 1436 } 1437 if (extramode & S_IXOTH) { 1438 prevmask &= ~ACE_EXECUTE; 1439 mask &= ~ACE_EXECUTE; 1440 } 1441 } 1442 } 1443 aclp->z_ops.ace_mask_set(acep, mask); 1444 aclp->z_ops.ace_mask_set(prevacep, prevmask); 1445 } 1446 1447 /* 1448 * Apply the chmod algorithm as described 1449 * in PSARC/2002/240 1450 */ 1451 static void 1452 zfs_acl_chmod(znode_t *zp, uint64_t mode, zfs_acl_t *aclp) 1453 { 1454 zfsvfs_t *zfsvfs = zp->z_zfsvfs; 1455 void *acep = NULL, *prevacep = NULL; 1456 uint64_t who; 1457 int i; 1458 int entry_type; 1459 int reuse_deny; 1460 int need_canonical_six = 1; 1461 uint16_t iflags, type; 1462 uint32_t access_mask; 1463 1464 ASSERT(MUTEX_HELD(&zp->z_acl_lock)); 1465 ASSERT(MUTEX_HELD(&zp->z_lock)); 1466 1467 aclp->z_hints = (zp->z_phys->zp_flags & V4_ACL_WIDE_FLAGS); 1468 1469 /* 1470 * If discard then just discard all ACL nodes which 1471 * represent the ACEs. 1472 * 1473 * New owner@/group@/everone@ ACEs will be added 1474 * later. 1475 */ 1476 if (zfsvfs->z_acl_mode == ZFS_ACL_DISCARD) 1477 zfs_acl_release_nodes(aclp); 1478 1479 while (acep = zfs_acl_next_ace(aclp, acep, &who, &access_mask, 1480 &iflags, &type)) { 1481 1482 entry_type = (iflags & ACE_TYPE_FLAGS); 1483 iflags = (iflags & ALL_INHERIT); 1484 1485 if ((type != ALLOW && type != DENY) || 1486 (iflags & ACE_INHERIT_ONLY_ACE)) { 1487 if (iflags) 1488 aclp->z_hints |= ZFS_INHERIT_ACE; 1489 switch (type) { 1490 case ACE_ACCESS_ALLOWED_OBJECT_ACE_TYPE: 1491 case ACE_ACCESS_DENIED_OBJECT_ACE_TYPE: 1492 case ACE_SYSTEM_AUDIT_OBJECT_ACE_TYPE: 1493 case ACE_SYSTEM_ALARM_OBJECT_ACE_TYPE: 1494 aclp->z_hints |= ZFS_ACL_OBJ_ACE; 1495 break; 1496 } 1497 goto nextace; 1498 } 1499 1500 /* 1501 * Need to split ace into two? 1502 */ 1503 if ((iflags & (ACE_FILE_INHERIT_ACE| 1504 ACE_DIRECTORY_INHERIT_ACE)) && 1505 (!(iflags & ACE_INHERIT_ONLY_ACE))) { 1506 zfs_acl_split_ace(aclp, acep); 1507 aclp->z_hints |= ZFS_INHERIT_ACE; 1508 goto nextace; 1509 } 1510 1511 if (entry_type == ACE_OWNER || entry_type == ACE_EVERYONE || 1512 (entry_type == OWNING_GROUP)) { 1513 access_mask &= ~OGE_CLEAR; 1514 aclp->z_ops.ace_mask_set(acep, access_mask); 1515 goto nextace; 1516 } else { 1517 reuse_deny = B_TRUE; 1518 if (type == ALLOW) { 1519 1520 /* 1521 * Check preceding ACE if any, to see 1522 * if we need to prepend a DENY ACE. 1523 * This is only applicable when the acl_mode 1524 * property == groupmask. 1525 */ 1526 if (zfsvfs->z_acl_mode == ZFS_ACL_GROUPMASK) { 1527 1528 reuse_deny = zfs_reuse_deny(aclp, acep, 1529 prevacep); 1530 1531 if (!reuse_deny) { 1532 prevacep = 1533 zfs_acl_prepend_deny(zp, 1534 aclp, acep, mode); 1535 } else { 1536 zfs_acl_prepend_fixup( 1537 aclp, prevacep, 1538 acep, mode, 1539 zp->z_phys->zp_uid); 1540 } 1541 zfs_fixup_group_entries(aclp, acep, 1542 prevacep, mode); 1543 1544 } 1545 } 1546 } 1547 nextace: 1548 prevacep = acep; 1549 } 1550 1551 /* 1552 * Check out last six aces, if we have six. 1553 */ 1554 1555 if (aclp->z_acl_count >= 6) { 1556 if (zfs_have_canonical_six(aclp)) { 1557 need_canonical_six = 0; 1558 } 1559 } 1560 1561 if (need_canonical_six) { 1562 size_t abstract_size = aclp->z_ops.ace_abstract_size(); 1563 void *zacep; 1564 zfs_acl_node_t *aclnode = 1565 zfs_acl_node_alloc(abstract_size * 6); 1566 1567 aclnode->z_size = abstract_size * 6; 1568 aclnode->z_ace_count = 6; 1569 aclp->z_acl_bytes += aclnode->z_size; 1570 list_insert_tail(&aclp->z_acl, aclnode); 1571 1572 zacep = aclnode->z_acldata; 1573 1574 i = 0; 1575 zfs_set_ace(aclp, (caddr_t)zacep + (abstract_size * i++), 1576 0, DENY, -1, ACE_OWNER); 1577 zfs_set_ace(aclp, (caddr_t)zacep + (abstract_size * i++), 1578 OWNER_ALLOW_MASK, ALLOW, -1, ACE_OWNER); 1579 zfs_set_ace(aclp, (caddr_t)zacep + (abstract_size * i++), 0, 1580 DENY, -1, OWNING_GROUP); 1581 zfs_set_ace(aclp, (caddr_t)zacep + (abstract_size * i++), 0, 1582 ALLOW, -1, OWNING_GROUP); 1583 zfs_set_ace(aclp, (caddr_t)zacep + (abstract_size * i++), 1584 EVERYONE_DENY_MASK, DENY, -1, ACE_EVERYONE); 1585 zfs_set_ace(aclp, (caddr_t)zacep + (abstract_size * i++), 1586 EVERYONE_ALLOW_MASK, ALLOW, -1, ACE_EVERYONE); 1587 aclp->z_acl_count += 6; 1588 } 1589 1590 zfs_acl_fixup_canonical_six(aclp, mode); 1591 } 1592 1593 int 1594 zfs_acl_chmod_setattr(znode_t *zp, zfs_acl_t **aclp, uint64_t mode) 1595 { 1596 int error; 1597 1598 mutex_enter(&zp->z_lock); 1599 mutex_enter(&zp->z_acl_lock); 1600 *aclp = NULL; 1601 error = zfs_acl_node_read(zp, aclp, B_TRUE); 1602 if (error == 0) 1603 zfs_acl_chmod(zp, mode, *aclp); 1604 mutex_exit(&zp->z_acl_lock); 1605 mutex_exit(&zp->z_lock); 1606 return (error); 1607 } 1608 1609 /* 1610 * strip off write_owner and write_acl 1611 */ 1612 static void 1613 zfs_restricted_update(zfsvfs_t *zfsvfs, zfs_acl_t *aclp, void *acep) 1614 { 1615 uint32_t mask = aclp->z_ops.ace_mask_get(acep); 1616 1617 if ((zfsvfs->z_acl_inherit == ZFS_ACL_RESTRICTED) && 1618 (aclp->z_ops.ace_type_get(acep) == ALLOW)) { 1619 mask &= ~RESTRICTED_CLEAR; 1620 aclp->z_ops.ace_mask_set(acep, mask); 1621 } 1622 } 1623 1624 /* 1625 * Should ACE be inherited? 1626 */ 1627 static int 1628 zfs_ace_can_use(znode_t *zp, uint16_t acep_flags) 1629 { 1630 int vtype = ZTOV(zp)->v_type; 1631 int iflags = (acep_flags & 0xf); 1632 1633 if ((vtype == VDIR) && (iflags & ACE_DIRECTORY_INHERIT_ACE)) 1634 return (1); 1635 else if (iflags & ACE_FILE_INHERIT_ACE) 1636 return (!((vtype == VDIR) && 1637 (iflags & ACE_NO_PROPAGATE_INHERIT_ACE))); 1638 return (0); 1639 } 1640 1641 /* 1642 * inherit inheritable ACEs from parent 1643 */ 1644 static zfs_acl_t * 1645 zfs_acl_inherit(znode_t *zp, zfs_acl_t *paclp, boolean_t *need_chmod) 1646 { 1647 zfsvfs_t *zfsvfs = zp->z_zfsvfs; 1648 void *pacep; 1649 void *acep, *acep2; 1650 zfs_acl_node_t *aclnode, *aclnode2; 1651 zfs_acl_t *aclp = NULL; 1652 uint64_t who; 1653 uint32_t access_mask; 1654 uint16_t iflags, newflags, type; 1655 size_t ace_size; 1656 void *data1, *data2; 1657 size_t data1sz, data2sz; 1658 enum vtype vntype = ZTOV(zp)->v_type; 1659 1660 *need_chmod = B_TRUE; 1661 pacep = NULL; 1662 aclp = zfs_acl_alloc(zfs_acl_version_zp(zp)); 1663 if (zfsvfs->z_acl_inherit != ZFS_ACL_DISCARD) { 1664 while (pacep = zfs_acl_next_ace(paclp, pacep, &who, 1665 &access_mask, &iflags, &type)) { 1666 1667 if (zfsvfs->z_acl_inherit == ZFS_ACL_NOALLOW && 1668 type == ALLOW) 1669 continue; 1670 1671 ace_size = aclp->z_ops.ace_size(pacep); 1672 1673 if (!zfs_ace_can_use(zp, iflags)) 1674 continue; 1675 1676 /* 1677 * If owner@, group@, or everyone@ inheritable 1678 * then zfs_acl_chmod() isn't needed. 1679 */ 1680 if (zfsvfs->z_acl_inherit == 1681 ZFS_ACL_PASSTHROUGH && 1682 ((iflags & (ACE_OWNER|ACE_EVERYONE)) || 1683 ((iflags & OWNING_GROUP) == 1684 OWNING_GROUP)) && (vntype == VREG || 1685 (vntype == VDIR && 1686 (iflags & ACE_DIRECTORY_INHERIT_ACE)))) 1687 *need_chmod = B_FALSE; 1688 1689 aclnode = zfs_acl_node_alloc(ace_size); 1690 list_insert_tail(&aclp->z_acl, aclnode); 1691 acep = aclnode->z_acldata; 1692 zfs_set_ace(aclp, acep, access_mask, type, 1693 who, iflags|ACE_INHERITED_ACE); 1694 1695 /* 1696 * Copy special opaque data if any 1697 */ 1698 if ((data1sz = paclp->z_ops.ace_data(pacep, 1699 &data1)) != 0) { 1700 VERIFY((data2sz = aclp->z_ops.ace_data(acep, 1701 &data2)) == data1sz); 1702 bcopy(data1, data2, data2sz); 1703 } 1704 aclp->z_acl_count++; 1705 aclnode->z_ace_count++; 1706 aclp->z_acl_bytes += aclnode->z_size; 1707 newflags = aclp->z_ops.ace_flags_get(acep); 1708 1709 if (vntype == VDIR) 1710 aclp->z_hints |= ZFS_INHERIT_ACE; 1711 1712 if ((iflags & ACE_NO_PROPAGATE_INHERIT_ACE) || 1713 (vntype != VDIR)) { 1714 newflags &= ~ALL_INHERIT; 1715 aclp->z_ops.ace_flags_set(acep, 1716 newflags|ACE_INHERITED_ACE); 1717 zfs_restricted_update(zfsvfs, aclp, acep); 1718 continue; 1719 } 1720 1721 ASSERT(vntype == VDIR); 1722 1723 newflags = aclp->z_ops.ace_flags_get(acep); 1724 if ((iflags & (ACE_FILE_INHERIT_ACE | 1725 ACE_DIRECTORY_INHERIT_ACE)) != 1726 ACE_FILE_INHERIT_ACE) { 1727 aclnode2 = zfs_acl_node_alloc(ace_size); 1728 list_insert_tail(&aclp->z_acl, aclnode2); 1729 acep2 = aclnode2->z_acldata; 1730 zfs_set_ace(aclp, acep2, 1731 access_mask, type, who, 1732 iflags|ACE_INHERITED_ACE); 1733 newflags |= ACE_INHERIT_ONLY_ACE; 1734 aclp->z_ops.ace_flags_set(acep, newflags); 1735 newflags &= ~ALL_INHERIT; 1736 aclp->z_ops.ace_flags_set(acep2, 1737 newflags|ACE_INHERITED_ACE); 1738 1739 /* 1740 * Copy special opaque data if any 1741 */ 1742 if ((data1sz = aclp->z_ops.ace_data(acep, 1743 &data1)) != 0) { 1744 VERIFY((data2sz = 1745 aclp->z_ops.ace_data(acep2, 1746 &data2)) == data1sz); 1747 bcopy(data1, data2, data1sz); 1748 } 1749 aclp->z_acl_count++; 1750 aclnode2->z_ace_count++; 1751 aclp->z_acl_bytes += aclnode->z_size; 1752 zfs_restricted_update(zfsvfs, aclp, acep2); 1753 } else { 1754 newflags |= ACE_INHERIT_ONLY_ACE; 1755 aclp->z_ops.ace_flags_set(acep, 1756 newflags|ACE_INHERITED_ACE); 1757 } 1758 } 1759 } 1760 return (aclp); 1761 } 1762 1763 /* 1764 * Create file system object initial permissions 1765 * including inheritable ACEs. 1766 */ 1767 void 1768 zfs_perm_init(znode_t *zp, znode_t *parent, int flag, 1769 vattr_t *vap, dmu_tx_t *tx, cred_t *cr, 1770 zfs_acl_t *setaclp, zfs_fuid_info_t **fuidp) 1771 { 1772 uint64_t mode, fuid, fgid; 1773 int error; 1774 zfsvfs_t *zfsvfs = zp->z_zfsvfs; 1775 zfs_acl_t *aclp = NULL; 1776 zfs_acl_t *paclp; 1777 xvattr_t *xvap = (xvattr_t *)vap; 1778 gid_t gid; 1779 boolean_t need_chmod = B_TRUE; 1780 1781 if (setaclp) 1782 aclp = setaclp; 1783 1784 mode = MAKEIMODE(vap->va_type, vap->va_mode); 1785 1786 /* 1787 * Determine uid and gid. 1788 */ 1789 if ((flag & (IS_ROOT_NODE | IS_REPLAY)) || 1790 ((flag & IS_XATTR) && (vap->va_type == VDIR))) { 1791 fuid = zfs_fuid_create(zfsvfs, vap->va_uid, cr, 1792 ZFS_OWNER, tx, fuidp); 1793 fgid = zfs_fuid_create(zfsvfs, vap->va_gid, cr, 1794 ZFS_GROUP, tx, fuidp); 1795 gid = vap->va_gid; 1796 } else { 1797 fuid = zfs_fuid_create_cred(zfsvfs, ZFS_OWNER, tx, cr, fuidp); 1798 fgid = 0; 1799 if (vap->va_mask & AT_GID) { 1800 fgid = zfs_fuid_create(zfsvfs, vap->va_gid, cr, 1801 ZFS_GROUP, tx, fuidp); 1802 gid = vap->va_gid; 1803 if (fgid != parent->z_phys->zp_gid && 1804 !groupmember(vap->va_gid, cr) && 1805 secpolicy_vnode_create_gid(cr) != 0) 1806 fgid = 0; 1807 } 1808 if (fgid == 0) { 1809 if (parent->z_phys->zp_mode & S_ISGID) { 1810 fgid = parent->z_phys->zp_gid; 1811 gid = zfs_fuid_map_id(zfsvfs, fgid, 1812 cr, ZFS_GROUP); 1813 } else { 1814 fgid = zfs_fuid_create_cred(zfsvfs, 1815 ZFS_GROUP, tx, cr, fuidp); 1816 gid = crgetgid(cr); 1817 } 1818 } 1819 } 1820 1821 /* 1822 * If we're creating a directory, and the parent directory has the 1823 * set-GID bit set, set in on the new directory. 1824 * Otherwise, if the user is neither privileged nor a member of the 1825 * file's new group, clear the file's set-GID bit. 1826 */ 1827 1828 if ((parent->z_phys->zp_mode & S_ISGID) && (vap->va_type == VDIR)) { 1829 mode |= S_ISGID; 1830 } else { 1831 if ((mode & S_ISGID) && 1832 secpolicy_vnode_setids_setgids(cr, gid) != 0) 1833 mode &= ~S_ISGID; 1834 } 1835 1836 zp->z_phys->zp_uid = fuid; 1837 zp->z_phys->zp_gid = fgid; 1838 zp->z_phys->zp_mode = mode; 1839 1840 if (aclp == NULL) { 1841 mutex_enter(&parent->z_lock); 1842 if ((ZTOV(parent)->v_type == VDIR && 1843 (parent->z_phys->zp_flags & ZFS_INHERIT_ACE)) && 1844 !(zp->z_phys->zp_flags & ZFS_XATTR)) { 1845 mutex_enter(&parent->z_acl_lock); 1846 VERIFY(0 == zfs_acl_node_read(parent, &paclp, B_FALSE)); 1847 mutex_exit(&parent->z_acl_lock); 1848 aclp = zfs_acl_inherit(zp, paclp, &need_chmod); 1849 zfs_acl_free(paclp); 1850 } else { 1851 aclp = zfs_acl_alloc(zfs_acl_version_zp(zp)); 1852 } 1853 mutex_exit(&parent->z_lock); 1854 mutex_enter(&zp->z_lock); 1855 mutex_enter(&zp->z_acl_lock); 1856 if (need_chmod) 1857 zfs_acl_chmod(zp, mode, aclp); 1858 } else { 1859 mutex_enter(&zp->z_lock); 1860 mutex_enter(&zp->z_acl_lock); 1861 } 1862 1863 /* Force auto_inherit on all new directory objects */ 1864 if (vap->va_type == VDIR) 1865 aclp->z_hints |= ZFS_ACL_AUTO_INHERIT; 1866 1867 error = zfs_aclset_common(zp, aclp, cr, fuidp, tx); 1868 1869 /* Set optional attributes if any */ 1870 if (vap->va_mask & AT_XVATTR) 1871 zfs_xvattr_set(zp, xvap); 1872 1873 mutex_exit(&zp->z_lock); 1874 mutex_exit(&zp->z_acl_lock); 1875 ASSERT3U(error, ==, 0); 1876 1877 if (aclp != setaclp) 1878 zfs_acl_free(aclp); 1879 } 1880 1881 /* 1882 * Retrieve a files ACL 1883 */ 1884 int 1885 zfs_getacl(znode_t *zp, vsecattr_t *vsecp, boolean_t skipaclchk, cred_t *cr) 1886 { 1887 zfs_acl_t *aclp; 1888 ulong_t mask; 1889 int error; 1890 int count = 0; 1891 int largeace = 0; 1892 1893 mask = vsecp->vsa_mask & (VSA_ACE | VSA_ACECNT | 1894 VSA_ACE_ACLFLAGS | VSA_ACE_ALLTYPES); 1895 1896 if (error = zfs_zaccess(zp, ACE_READ_ACL, 0, skipaclchk, cr)) 1897 return (error); 1898 1899 if (mask == 0) 1900 return (ENOSYS); 1901 1902 mutex_enter(&zp->z_acl_lock); 1903 1904 error = zfs_acl_node_read(zp, &aclp, B_FALSE); 1905 if (error != 0) { 1906 mutex_exit(&zp->z_acl_lock); 1907 return (error); 1908 } 1909 1910 /* 1911 * Scan ACL to determine number of ACEs 1912 */ 1913 if ((zp->z_phys->zp_flags & ZFS_ACL_OBJ_ACE) && 1914 !(mask & VSA_ACE_ALLTYPES)) { 1915 void *zacep = NULL; 1916 uint64_t who; 1917 uint32_t access_mask; 1918 uint16_t type, iflags; 1919 1920 while (zacep = zfs_acl_next_ace(aclp, zacep, 1921 &who, &access_mask, &iflags, &type)) { 1922 switch (type) { 1923 case ACE_ACCESS_ALLOWED_OBJECT_ACE_TYPE: 1924 case ACE_ACCESS_DENIED_OBJECT_ACE_TYPE: 1925 case ACE_SYSTEM_AUDIT_OBJECT_ACE_TYPE: 1926 case ACE_SYSTEM_ALARM_OBJECT_ACE_TYPE: 1927 largeace++; 1928 continue; 1929 default: 1930 count++; 1931 } 1932 } 1933 vsecp->vsa_aclcnt = count; 1934 } else 1935 count = aclp->z_acl_count; 1936 1937 if (mask & VSA_ACECNT) { 1938 vsecp->vsa_aclcnt = count; 1939 } 1940 1941 if (mask & VSA_ACE) { 1942 size_t aclsz; 1943 1944 zfs_acl_node_t *aclnode = list_head(&aclp->z_acl); 1945 1946 aclsz = count * sizeof (ace_t) + 1947 sizeof (ace_object_t) * largeace; 1948 1949 vsecp->vsa_aclentp = kmem_alloc(aclsz, KM_SLEEP); 1950 vsecp->vsa_aclentsz = aclsz; 1951 1952 if (aclp->z_version == ZFS_ACL_VERSION_FUID) 1953 zfs_copy_fuid_2_ace(zp->z_zfsvfs, aclp, cr, 1954 vsecp->vsa_aclentp, !(mask & VSA_ACE_ALLTYPES)); 1955 else { 1956 bcopy(aclnode->z_acldata, vsecp->vsa_aclentp, 1957 count * sizeof (ace_t)); 1958 } 1959 } 1960 if (mask & VSA_ACE_ACLFLAGS) { 1961 vsecp->vsa_aclflags = 0; 1962 if (zp->z_phys->zp_flags & ZFS_ACL_DEFAULTED) 1963 vsecp->vsa_aclflags |= ACL_DEFAULTED; 1964 if (zp->z_phys->zp_flags & ZFS_ACL_PROTECTED) 1965 vsecp->vsa_aclflags |= ACL_PROTECTED; 1966 if (zp->z_phys->zp_flags & ZFS_ACL_AUTO_INHERIT) 1967 vsecp->vsa_aclflags |= ACL_AUTO_INHERIT; 1968 } 1969 1970 mutex_exit(&zp->z_acl_lock); 1971 1972 zfs_acl_free(aclp); 1973 1974 return (0); 1975 } 1976 1977 int 1978 zfs_vsec_2_aclp(zfsvfs_t *zfsvfs, vtype_t obj_type, 1979 vsecattr_t *vsecp, zfs_acl_t **zaclp) 1980 { 1981 zfs_acl_t *aclp; 1982 zfs_acl_node_t *aclnode; 1983 int aclcnt = vsecp->vsa_aclcnt; 1984 int error; 1985 1986 if (vsecp->vsa_aclcnt > MAX_ACL_ENTRIES || vsecp->vsa_aclcnt <= 0) 1987 return (EINVAL); 1988 1989 aclp = zfs_acl_alloc(zfs_acl_version(zfsvfs->z_version)); 1990 1991 aclp->z_hints = 0; 1992 aclnode = zfs_acl_node_alloc(aclcnt * sizeof (zfs_object_ace_t)); 1993 if (aclp->z_version == ZFS_ACL_VERSION_INITIAL) { 1994 if ((error = zfs_copy_ace_2_oldace(obj_type, aclp, 1995 (ace_t *)vsecp->vsa_aclentp, aclnode->z_acldata, 1996 aclcnt, &aclnode->z_size)) != 0) { 1997 zfs_acl_free(aclp); 1998 zfs_acl_node_free(aclnode); 1999 return (error); 2000 } 2001 } else { 2002 if ((error = zfs_copy_ace_2_fuid(obj_type, aclp, 2003 vsecp->vsa_aclentp, aclnode->z_acldata, aclcnt, 2004 &aclnode->z_size)) != 0) { 2005 zfs_acl_free(aclp); 2006 zfs_acl_node_free(aclnode); 2007 return (error); 2008 } 2009 } 2010 aclp->z_acl_bytes = aclnode->z_size; 2011 aclnode->z_ace_count = aclcnt; 2012 aclp->z_acl_count = aclcnt; 2013 list_insert_head(&aclp->z_acl, aclnode); 2014 2015 /* 2016 * If flags are being set then add them to z_hints 2017 */ 2018 if (vsecp->vsa_mask & VSA_ACE_ACLFLAGS) { 2019 if (vsecp->vsa_aclflags & ACL_PROTECTED) 2020 aclp->z_hints |= ZFS_ACL_PROTECTED; 2021 if (vsecp->vsa_aclflags & ACL_DEFAULTED) 2022 aclp->z_hints |= ZFS_ACL_DEFAULTED; 2023 if (vsecp->vsa_aclflags & ACL_AUTO_INHERIT) 2024 aclp->z_hints |= ZFS_ACL_AUTO_INHERIT; 2025 } 2026 2027 *zaclp = aclp; 2028 2029 return (0); 2030 } 2031 2032 /* 2033 * Set a files ACL 2034 */ 2035 int 2036 zfs_setacl(znode_t *zp, vsecattr_t *vsecp, boolean_t skipaclchk, cred_t *cr) 2037 { 2038 zfsvfs_t *zfsvfs = zp->z_zfsvfs; 2039 zilog_t *zilog = zfsvfs->z_log; 2040 ulong_t mask = vsecp->vsa_mask & (VSA_ACE | VSA_ACECNT); 2041 dmu_tx_t *tx; 2042 int error; 2043 zfs_acl_t *aclp; 2044 zfs_fuid_info_t *fuidp = NULL; 2045 2046 if (mask == 0) 2047 return (ENOSYS); 2048 2049 if (zp->z_phys->zp_flags & ZFS_IMMUTABLE) 2050 return (EPERM); 2051 2052 if (error = zfs_zaccess(zp, ACE_WRITE_ACL, 0, skipaclchk, cr)) 2053 return (error); 2054 2055 error = zfs_vsec_2_aclp(zfsvfs, ZTOV(zp)->v_type, vsecp, &aclp); 2056 if (error) 2057 return (error); 2058 2059 /* 2060 * If ACL wide flags aren't being set then preserve any 2061 * existing flags. 2062 */ 2063 if (!(vsecp->vsa_mask & VSA_ACE_ACLFLAGS)) { 2064 aclp->z_hints |= (zp->z_phys->zp_flags & V4_ACL_WIDE_FLAGS); 2065 } 2066 top: 2067 if (error = zfs_zaccess(zp, ACE_WRITE_ACL, 0, skipaclchk, cr)) { 2068 zfs_acl_free(aclp); 2069 return (error); 2070 } 2071 2072 mutex_enter(&zp->z_lock); 2073 mutex_enter(&zp->z_acl_lock); 2074 2075 tx = dmu_tx_create(zfsvfs->z_os); 2076 dmu_tx_hold_bonus(tx, zp->z_id); 2077 2078 if (zp->z_phys->zp_acl.z_acl_extern_obj) { 2079 /* Are we upgrading ACL? */ 2080 if (zfsvfs->z_version <= ZPL_VERSION_FUID && 2081 zp->z_phys->zp_acl.z_acl_version == 2082 ZFS_ACL_VERSION_INITIAL) { 2083 dmu_tx_hold_free(tx, 2084 zp->z_phys->zp_acl.z_acl_extern_obj, 2085 0, DMU_OBJECT_END); 2086 dmu_tx_hold_write(tx, DMU_NEW_OBJECT, 2087 0, aclp->z_acl_bytes); 2088 } else { 2089 dmu_tx_hold_write(tx, 2090 zp->z_phys->zp_acl.z_acl_extern_obj, 2091 0, aclp->z_acl_bytes); 2092 } 2093 } else if (aclp->z_acl_bytes > ZFS_ACE_SPACE) { 2094 dmu_tx_hold_write(tx, DMU_NEW_OBJECT, 0, aclp->z_acl_bytes); 2095 } 2096 if (aclp->z_has_fuids) { 2097 if (zfsvfs->z_fuid_obj == 0) { 2098 dmu_tx_hold_bonus(tx, DMU_NEW_OBJECT); 2099 dmu_tx_hold_write(tx, DMU_NEW_OBJECT, 0, 2100 FUID_SIZE_ESTIMATE(zfsvfs)); 2101 dmu_tx_hold_zap(tx, MASTER_NODE_OBJ, FALSE, NULL); 2102 } else { 2103 dmu_tx_hold_bonus(tx, zfsvfs->z_fuid_obj); 2104 dmu_tx_hold_write(tx, zfsvfs->z_fuid_obj, 0, 2105 FUID_SIZE_ESTIMATE(zfsvfs)); 2106 } 2107 } 2108 2109 error = dmu_tx_assign(tx, zfsvfs->z_assign); 2110 if (error) { 2111 mutex_exit(&zp->z_acl_lock); 2112 mutex_exit(&zp->z_lock); 2113 2114 if (error == ERESTART && zfsvfs->z_assign == TXG_NOWAIT) { 2115 dmu_tx_wait(tx); 2116 dmu_tx_abort(tx); 2117 goto top; 2118 } 2119 dmu_tx_abort(tx); 2120 zfs_acl_free(aclp); 2121 return (error); 2122 } 2123 2124 error = zfs_aclset_common(zp, aclp, cr, &fuidp, tx); 2125 ASSERT(error == 0); 2126 2127 zfs_log_acl(zilog, tx, zp, vsecp, fuidp); 2128 2129 if (fuidp) 2130 zfs_fuid_info_free(fuidp); 2131 zfs_acl_free(aclp); 2132 dmu_tx_commit(tx); 2133 done: 2134 mutex_exit(&zp->z_acl_lock); 2135 mutex_exit(&zp->z_lock); 2136 2137 return (error); 2138 } 2139 2140 /* 2141 * working_mode returns the permissions that were not granted 2142 */ 2143 static int 2144 zfs_zaccess_common(znode_t *zp, uint32_t v4_mode, uint32_t *working_mode, 2145 boolean_t *check_privs, boolean_t skipaclchk, cred_t *cr) 2146 { 2147 zfs_acl_t *aclp; 2148 zfsvfs_t *zfsvfs = zp->z_zfsvfs; 2149 int error; 2150 uid_t uid = crgetuid(cr); 2151 uint64_t who; 2152 uint16_t type, iflags; 2153 uint16_t entry_type; 2154 uint32_t access_mask; 2155 uint32_t deny_mask = 0; 2156 zfs_ace_hdr_t *acep = NULL; 2157 boolean_t checkit; 2158 uid_t fowner; 2159 uid_t gowner; 2160 2161 /* 2162 * Short circuit empty requests 2163 */ 2164 if (v4_mode == 0) 2165 return (0); 2166 2167 *check_privs = B_TRUE; 2168 2169 if (zfsvfs->z_assign >= TXG_INITIAL) { /* ZIL replay */ 2170 *working_mode = 0; 2171 return (0); 2172 } 2173 2174 *working_mode = v4_mode; 2175 2176 if ((v4_mode & WRITE_MASK) && 2177 (zp->z_zfsvfs->z_vfs->vfs_flag & VFS_RDONLY) && 2178 (!IS_DEVVP(ZTOV(zp)))) { 2179 *check_privs = B_FALSE; 2180 return (EROFS); 2181 } 2182 2183 /* 2184 * Only check for READONLY on non-directories. 2185 */ 2186 if ((v4_mode & WRITE_MASK_DATA) && 2187 (((ZTOV(zp)->v_type != VDIR) && 2188 (zp->z_phys->zp_flags & (ZFS_READONLY | ZFS_IMMUTABLE))) || 2189 (ZTOV(zp)->v_type == VDIR && 2190 (zp->z_phys->zp_flags & ZFS_IMMUTABLE)))) { 2191 *check_privs = B_FALSE; 2192 return (EPERM); 2193 } 2194 2195 if ((v4_mode & (ACE_DELETE | ACE_DELETE_CHILD)) && 2196 (zp->z_phys->zp_flags & ZFS_NOUNLINK)) { 2197 *check_privs = B_FALSE; 2198 return (EPERM); 2199 } 2200 2201 if (((v4_mode & (ACE_READ_DATA|ACE_EXECUTE)) && 2202 (zp->z_phys->zp_flags & ZFS_AV_QUARANTINED))) { 2203 *check_privs = B_FALSE; 2204 return (EACCES); 2205 } 2206 2207 /* 2208 * The caller requested that the ACL check be skipped. This 2209 * would only happen if the caller checked VOP_ACCESS() with a 2210 * 32 bit ACE mask and already had the appropriate permissions. 2211 */ 2212 if (skipaclchk) { 2213 *working_mode = 0; 2214 return (0); 2215 } 2216 2217 zfs_fuid_map_ids(zp, cr, &fowner, &gowner); 2218 2219 mutex_enter(&zp->z_acl_lock); 2220 2221 error = zfs_acl_node_read(zp, &aclp, B_FALSE); 2222 if (error != 0) { 2223 mutex_exit(&zp->z_acl_lock); 2224 return (error); 2225 } 2226 2227 while (acep = zfs_acl_next_ace(aclp, acep, &who, &access_mask, 2228 &iflags, &type)) { 2229 2230 if (ZTOV(zp)->v_type == VDIR && (iflags & ACE_INHERIT_ONLY_ACE)) 2231 continue; 2232 2233 entry_type = (iflags & ACE_TYPE_FLAGS); 2234 2235 checkit = B_FALSE; 2236 2237 switch (entry_type) { 2238 case ACE_OWNER: 2239 if (uid == fowner) 2240 checkit = B_TRUE; 2241 break; 2242 case OWNING_GROUP: 2243 who = gowner; 2244 /*FALLTHROUGH*/ 2245 case ACE_IDENTIFIER_GROUP: 2246 checkit = zfs_groupmember(zfsvfs, who, cr); 2247 break; 2248 case ACE_EVERYONE: 2249 checkit = B_TRUE; 2250 break; 2251 2252 /* USER Entry */ 2253 default: 2254 if (entry_type == 0) { 2255 uid_t newid; 2256 2257 newid = zfs_fuid_map_id(zfsvfs, who, cr, 2258 ZFS_ACE_USER); 2259 if (newid != IDMAP_WK_CREATOR_OWNER_UID && 2260 uid == newid) 2261 checkit = B_TRUE; 2262 break; 2263 } else { 2264 zfs_acl_free(aclp); 2265 mutex_exit(&zp->z_acl_lock); 2266 return (EIO); 2267 } 2268 } 2269 2270 if (checkit) { 2271 uint32_t mask_matched = (access_mask & *working_mode); 2272 2273 if (mask_matched) { 2274 if (type == DENY) 2275 deny_mask |= mask_matched; 2276 2277 *working_mode &= ~mask_matched; 2278 } 2279 } 2280 2281 /* Are we done? */ 2282 if (*working_mode == 0) 2283 break; 2284 } 2285 2286 mutex_exit(&zp->z_acl_lock); 2287 zfs_acl_free(aclp); 2288 2289 /* Put the found 'denies' back on the working mode */ 2290 if (deny_mask) { 2291 *working_mode |= deny_mask; 2292 return (EACCES); 2293 } else if (*working_mode) { 2294 return (-1); 2295 } 2296 2297 return (0); 2298 } 2299 2300 static int 2301 zfs_zaccess_append(znode_t *zp, uint32_t *working_mode, boolean_t *check_privs, 2302 cred_t *cr) 2303 { 2304 if (*working_mode != ACE_WRITE_DATA) 2305 return (EACCES); 2306 2307 return (zfs_zaccess_common(zp, ACE_APPEND_DATA, working_mode, 2308 check_privs, B_FALSE, cr)); 2309 } 2310 2311 /* 2312 * Determine whether Access should be granted/denied, invoking least 2313 * priv subsytem when a deny is determined. 2314 */ 2315 int 2316 zfs_zaccess(znode_t *zp, int mode, int flags, boolean_t skipaclchk, cred_t *cr) 2317 { 2318 uint32_t working_mode; 2319 int error; 2320 int is_attr; 2321 zfsvfs_t *zfsvfs = zp->z_zfsvfs; 2322 boolean_t check_privs; 2323 znode_t *xzp; 2324 znode_t *check_zp = zp; 2325 2326 is_attr = ((zp->z_phys->zp_flags & ZFS_XATTR) && 2327 (ZTOV(zp)->v_type == VDIR)); 2328 2329 /* 2330 * If attribute then validate against base file 2331 */ 2332 if (is_attr) { 2333 if ((error = zfs_zget(zp->z_zfsvfs, 2334 zp->z_phys->zp_parent, &xzp)) != 0) { 2335 return (error); 2336 } 2337 2338 check_zp = xzp; 2339 2340 /* 2341 * fixup mode to map to xattr perms 2342 */ 2343 2344 if (mode & (ACE_WRITE_DATA|ACE_APPEND_DATA)) { 2345 mode &= ~(ACE_WRITE_DATA|ACE_APPEND_DATA); 2346 mode |= ACE_WRITE_NAMED_ATTRS; 2347 } 2348 2349 if (mode & (ACE_READ_DATA|ACE_EXECUTE)) { 2350 mode &= ~(ACE_READ_DATA|ACE_EXECUTE); 2351 mode |= ACE_READ_NAMED_ATTRS; 2352 } 2353 } 2354 2355 if ((error = zfs_zaccess_common(check_zp, mode, &working_mode, 2356 &check_privs, skipaclchk, cr)) == 0) { 2357 if (is_attr) 2358 VN_RELE(ZTOV(xzp)); 2359 return (0); 2360 } 2361 2362 if (error && !check_privs) { 2363 if (is_attr) 2364 VN_RELE(ZTOV(xzp)); 2365 return (error); 2366 } 2367 2368 if (error && (flags & V_APPEND)) { 2369 error = zfs_zaccess_append(zp, &working_mode, &check_privs, cr); 2370 } 2371 2372 if (error && check_privs) { 2373 uid_t owner; 2374 mode_t checkmode = 0; 2375 2376 owner = zfs_fuid_map_id(zfsvfs, check_zp->z_phys->zp_uid, cr, 2377 ZFS_OWNER); 2378 2379 /* 2380 * First check for implicit owner permission on 2381 * read_acl/read_attributes 2382 */ 2383 2384 error = 0; 2385 ASSERT(working_mode != 0); 2386 2387 if ((working_mode & (ACE_READ_ACL|ACE_READ_ATTRIBUTES) && 2388 owner == crgetuid(cr))) 2389 working_mode &= ~(ACE_READ_ACL|ACE_READ_ATTRIBUTES); 2390 2391 if (working_mode & (ACE_READ_DATA|ACE_READ_NAMED_ATTRS| 2392 ACE_READ_ACL|ACE_READ_ATTRIBUTES)) 2393 checkmode |= VREAD; 2394 if (working_mode & (ACE_WRITE_DATA|ACE_WRITE_NAMED_ATTRS| 2395 ACE_APPEND_DATA|ACE_WRITE_ATTRIBUTES)) 2396 checkmode |= VWRITE; 2397 if (working_mode & ACE_EXECUTE) 2398 checkmode |= VEXEC; 2399 2400 if (checkmode) 2401 error = secpolicy_vnode_access(cr, ZTOV(check_zp), 2402 owner, checkmode); 2403 2404 if (error == 0 && (working_mode & ACE_WRITE_OWNER)) 2405 error = secpolicy_vnode_create_gid(cr); 2406 if (error == 0 && (working_mode & ACE_WRITE_ACL)) 2407 error = secpolicy_vnode_setdac(cr, owner); 2408 2409 if (error == 0 && (working_mode & 2410 (ACE_DELETE|ACE_DELETE_CHILD))) 2411 error = secpolicy_vnode_remove(cr); 2412 2413 if (error == 0 && (working_mode & ACE_SYNCHRONIZE)) 2414 error = secpolicy_vnode_owner(cr, owner); 2415 2416 if (error == 0) { 2417 /* 2418 * See if any bits other than those already checked 2419 * for are still present. If so then return EACCES 2420 */ 2421 if (working_mode & ~(ZFS_CHECKED_MASKS)) { 2422 error = EACCES; 2423 } 2424 } 2425 } 2426 2427 if (is_attr) 2428 VN_RELE(ZTOV(xzp)); 2429 2430 return (error); 2431 } 2432 2433 /* 2434 * Translate traditional unix VREAD/VWRITE/VEXEC mode into 2435 * native ACL format and call zfs_zaccess() 2436 */ 2437 int 2438 zfs_zaccess_rwx(znode_t *zp, mode_t mode, int flags, cred_t *cr) 2439 { 2440 return (zfs_zaccess(zp, zfs_unix_to_v4(mode >> 6), flags, B_FALSE, cr)); 2441 } 2442 2443 /* 2444 * Access function for secpolicy_vnode_setattr 2445 */ 2446 int 2447 zfs_zaccess_unix(znode_t *zp, mode_t mode, cred_t *cr) 2448 { 2449 int v4_mode = zfs_unix_to_v4(mode >> 6); 2450 2451 return (zfs_zaccess(zp, v4_mode, 0, B_FALSE, cr)); 2452 } 2453 2454 static int 2455 zfs_delete_final_check(znode_t *zp, znode_t *dzp, 2456 mode_t missing_perms, cred_t *cr) 2457 { 2458 int error; 2459 uid_t downer; 2460 zfsvfs_t *zfsvfs = zp->z_zfsvfs; 2461 2462 downer = zfs_fuid_map_id(zfsvfs, dzp->z_phys->zp_uid, cr, ZFS_OWNER); 2463 2464 error = secpolicy_vnode_access(cr, ZTOV(dzp), downer, missing_perms); 2465 2466 if (error == 0) 2467 error = zfs_sticky_remove_access(dzp, zp, cr); 2468 2469 return (error); 2470 } 2471 2472 /* 2473 * Determine whether Access should be granted/deny, without 2474 * consulting least priv subsystem. 2475 * 2476 * 2477 * The following chart is the recommended NFSv4 enforcement for 2478 * ability to delete an object. 2479 * 2480 * ------------------------------------------------------- 2481 * | Parent Dir | Target Object Permissions | 2482 * | permissions | | 2483 * ------------------------------------------------------- 2484 * | | ACL Allows | ACL Denies| Delete | 2485 * | | Delete | Delete | unspecified| 2486 * ------------------------------------------------------- 2487 * | ACL Allows | Permit | Permit | Permit | 2488 * | DELETE_CHILD | | 2489 * ------------------------------------------------------- 2490 * | ACL Denies | Permit | Deny | Deny | 2491 * | DELETE_CHILD | | | | 2492 * ------------------------------------------------------- 2493 * | ACL specifies | | | | 2494 * | only allow | Permit | Permit | Permit | 2495 * | write and | | | | 2496 * | execute | | | | 2497 * ------------------------------------------------------- 2498 * | ACL denies | | | | 2499 * | write and | Permit | Deny | Deny | 2500 * | execute | | | | 2501 * ------------------------------------------------------- 2502 * ^ 2503 * | 2504 * No search privilege, can't even look up file? 2505 * 2506 */ 2507 int 2508 zfs_zaccess_delete(znode_t *dzp, znode_t *zp, cred_t *cr) 2509 { 2510 uint32_t dzp_working_mode = 0; 2511 uint32_t zp_working_mode = 0; 2512 int dzp_error, zp_error; 2513 mode_t missing_perms; 2514 boolean_t dzpcheck_privs = B_TRUE; 2515 boolean_t zpcheck_privs = B_TRUE; 2516 2517 /* 2518 * We want specific DELETE permissions to 2519 * take precedence over WRITE/EXECUTE. We don't 2520 * want an ACL such as this to mess us up. 2521 * user:joe:write_data:deny,user:joe:delete:allow 2522 * 2523 * However, deny permissions may ultimately be overridden 2524 * by secpolicy_vnode_access(). 2525 * 2526 * We will ask for all of the necessary permissions and then 2527 * look at the working modes from the directory and target object 2528 * to determine what was found. 2529 */ 2530 2531 if (zp->z_phys->zp_flags & (ZFS_IMMUTABLE | ZFS_NOUNLINK)) 2532 return (EPERM); 2533 2534 /* 2535 * First row 2536 * If the directory permissions allow the delete, we are done. 2537 */ 2538 if ((dzp_error = zfs_zaccess_common(dzp, ACE_DELETE_CHILD, 2539 &dzp_working_mode, &dzpcheck_privs, B_FALSE, cr)) == 0) 2540 return (0); 2541 2542 /* 2543 * If target object has delete permission then we are done 2544 */ 2545 if ((zp_error = zfs_zaccess_common(zp, ACE_DELETE, &zp_working_mode, 2546 &zpcheck_privs, B_FALSE, cr)) == 0) 2547 return (0); 2548 2549 ASSERT(dzp_error && zp_error); 2550 2551 if (!dzpcheck_privs) 2552 return (dzp_error); 2553 if (!zpcheck_privs) 2554 return (zp_error); 2555 2556 /* 2557 * Second row 2558 * 2559 * If directory returns EACCES then delete_child was denied 2560 * due to deny delete_child. In this case send the request through 2561 * secpolicy_vnode_remove(). We don't use zfs_delete_final_check() 2562 * since that *could* allow the delete based on write/execute permission 2563 * and we want delete permissions to override write/execute. 2564 */ 2565 2566 if (dzp_error == EACCES) 2567 return (secpolicy_vnode_remove(cr)); 2568 2569 /* 2570 * Third Row 2571 * only need to see if we have write/execute on directory. 2572 */ 2573 2574 if ((dzp_error = zfs_zaccess_common(dzp, ACE_EXECUTE|ACE_WRITE_DATA, 2575 &dzp_working_mode, &dzpcheck_privs, B_FALSE, cr)) == 0) 2576 return (zfs_sticky_remove_access(dzp, zp, cr)); 2577 2578 if (!dzpcheck_privs) 2579 return (dzp_error); 2580 2581 /* 2582 * Fourth row 2583 */ 2584 2585 missing_perms = (dzp_working_mode & ACE_WRITE_DATA) ? VWRITE : 0; 2586 missing_perms |= (dzp_working_mode & ACE_EXECUTE) ? VEXEC : 0; 2587 2588 ASSERT(missing_perms); 2589 2590 return (zfs_delete_final_check(zp, dzp, missing_perms, cr)); 2591 2592 } 2593 2594 int 2595 zfs_zaccess_rename(znode_t *sdzp, znode_t *szp, znode_t *tdzp, 2596 znode_t *tzp, cred_t *cr) 2597 { 2598 int add_perm; 2599 int error; 2600 2601 if (szp->z_phys->zp_flags & ZFS_AV_QUARANTINED) 2602 return (EACCES); 2603 2604 add_perm = (ZTOV(szp)->v_type == VDIR) ? 2605 ACE_ADD_SUBDIRECTORY : ACE_ADD_FILE; 2606 2607 /* 2608 * Rename permissions are combination of delete permission + 2609 * add file/subdir permission. 2610 */ 2611 2612 /* 2613 * first make sure we do the delete portion. 2614 * 2615 * If that succeeds then check for add_file/add_subdir permissions 2616 */ 2617 2618 if (error = zfs_zaccess_delete(sdzp, szp, cr)) 2619 return (error); 2620 2621 /* 2622 * If we have a tzp, see if we can delete it? 2623 */ 2624 if (tzp) { 2625 if (error = zfs_zaccess_delete(tdzp, tzp, cr)) 2626 return (error); 2627 } 2628 2629 /* 2630 * Now check for add permissions 2631 */ 2632 error = zfs_zaccess(tdzp, add_perm, 0, B_FALSE, cr); 2633 2634 return (error); 2635 } 2636