1 /* 2 * CDDL HEADER START 3 * 4 * The contents of this file are subject to the terms of the 5 * Common Development and Distribution License (the "License"). 6 * You may not use this file except in compliance with the License. 7 * 8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE 9 * or http://www.opensolaris.org/os/licensing. 10 * See the License for the specific language governing permissions 11 * and limitations under the License. 12 * 13 * When distributing Covered Code, include this CDDL HEADER in each 14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE. 15 * If applicable, add the following below this CDDL HEADER, with the 16 * fields enclosed by brackets "[]" replaced with your own identifying 17 * information: Portions Copyright [yyyy] [name of copyright owner] 18 * 19 * CDDL HEADER END 20 */ 21 /* 22 * Copyright (c) 2005, 2010, Oracle and/or its affiliates. All rights reserved. 23 * Copyright 2011 Nexenta Systems, Inc. All rights reserved. 24 */ 25 26 #include <sys/types.h> 27 #include <sys/param.h> 28 #include <sys/time.h> 29 #include <sys/systm.h> 30 #include <sys/sysmacros.h> 31 #include <sys/resource.h> 32 #include <sys/vfs.h> 33 #include <sys/vnode.h> 34 #include <sys/sid.h> 35 #include <sys/file.h> 36 #include <sys/stat.h> 37 #include <sys/kmem.h> 38 #include <sys/cmn_err.h> 39 #include <sys/errno.h> 40 #include <sys/unistd.h> 41 #include <sys/sdt.h> 42 #include <sys/fs/zfs.h> 43 #include <sys/mode.h> 44 #include <sys/policy.h> 45 #include <sys/zfs_znode.h> 46 #include <sys/zfs_fuid.h> 47 #include <sys/zfs_acl.h> 48 #include <sys/zfs_dir.h> 49 #include <sys/zfs_vfsops.h> 50 #include <sys/dmu.h> 51 #include <sys/dnode.h> 52 #include <sys/zap.h> 53 #include <sys/sa.h> 54 #include "fs/fs_subr.h" 55 #include <acl/acl_common.h> 56 57 #define ALLOW ACE_ACCESS_ALLOWED_ACE_TYPE 58 #define DENY ACE_ACCESS_DENIED_ACE_TYPE 59 #define MAX_ACE_TYPE ACE_SYSTEM_ALARM_CALLBACK_OBJECT_ACE_TYPE 60 #define MIN_ACE_TYPE ALLOW 61 62 #define OWNING_GROUP (ACE_GROUP|ACE_IDENTIFIER_GROUP) 63 #define EVERYONE_ALLOW_MASK (ACE_READ_ACL|ACE_READ_ATTRIBUTES | \ 64 ACE_READ_NAMED_ATTRS|ACE_SYNCHRONIZE) 65 #define EVERYONE_DENY_MASK (ACE_WRITE_ACL|ACE_WRITE_OWNER | \ 66 ACE_WRITE_ATTRIBUTES|ACE_WRITE_NAMED_ATTRS) 67 #define OWNER_ALLOW_MASK (ACE_WRITE_ACL | ACE_WRITE_OWNER | \ 68 ACE_WRITE_ATTRIBUTES|ACE_WRITE_NAMED_ATTRS) 69 70 #define ZFS_CHECKED_MASKS (ACE_READ_ACL|ACE_READ_ATTRIBUTES|ACE_READ_DATA| \ 71 ACE_READ_NAMED_ATTRS|ACE_WRITE_DATA|ACE_WRITE_ATTRIBUTES| \ 72 ACE_WRITE_NAMED_ATTRS|ACE_APPEND_DATA|ACE_EXECUTE|ACE_WRITE_OWNER| \ 73 ACE_WRITE_ACL|ACE_DELETE|ACE_DELETE_CHILD|ACE_SYNCHRONIZE) 74 75 #define WRITE_MASK_DATA (ACE_WRITE_DATA|ACE_APPEND_DATA|ACE_WRITE_NAMED_ATTRS) 76 #define WRITE_MASK_ATTRS (ACE_WRITE_ACL|ACE_WRITE_OWNER|ACE_WRITE_ATTRIBUTES| \ 77 ACE_DELETE|ACE_DELETE_CHILD) 78 #define WRITE_MASK (WRITE_MASK_DATA|WRITE_MASK_ATTRS) 79 80 #define OGE_CLEAR (ACE_READ_DATA|ACE_LIST_DIRECTORY|ACE_WRITE_DATA| \ 81 ACE_ADD_FILE|ACE_APPEND_DATA|ACE_ADD_SUBDIRECTORY|ACE_EXECUTE) 82 83 #define OKAY_MASK_BITS (ACE_READ_DATA|ACE_LIST_DIRECTORY|ACE_WRITE_DATA| \ 84 ACE_ADD_FILE|ACE_APPEND_DATA|ACE_ADD_SUBDIRECTORY|ACE_EXECUTE) 85 86 #define ALL_INHERIT (ACE_FILE_INHERIT_ACE|ACE_DIRECTORY_INHERIT_ACE | \ 87 ACE_NO_PROPAGATE_INHERIT_ACE|ACE_INHERIT_ONLY_ACE|ACE_INHERITED_ACE) 88 89 #define RESTRICTED_CLEAR (ACE_WRITE_ACL|ACE_WRITE_OWNER) 90 91 #define V4_ACL_WIDE_FLAGS (ZFS_ACL_AUTO_INHERIT|ZFS_ACL_DEFAULTED|\ 92 ZFS_ACL_PROTECTED) 93 94 #define ZFS_ACL_WIDE_FLAGS (V4_ACL_WIDE_FLAGS|ZFS_ACL_TRIVIAL|ZFS_INHERIT_ACE|\ 95 ZFS_ACL_OBJ_ACE) 96 97 #define ALL_MODE_EXECS (S_IXUSR | S_IXGRP | S_IXOTH) 98 99 static uint16_t 100 zfs_ace_v0_get_type(void *acep) 101 { 102 return (((zfs_oldace_t *)acep)->z_type); 103 } 104 105 static uint16_t 106 zfs_ace_v0_get_flags(void *acep) 107 { 108 return (((zfs_oldace_t *)acep)->z_flags); 109 } 110 111 static uint32_t 112 zfs_ace_v0_get_mask(void *acep) 113 { 114 return (((zfs_oldace_t *)acep)->z_access_mask); 115 } 116 117 static uint64_t 118 zfs_ace_v0_get_who(void *acep) 119 { 120 return (((zfs_oldace_t *)acep)->z_fuid); 121 } 122 123 static void 124 zfs_ace_v0_set_type(void *acep, uint16_t type) 125 { 126 ((zfs_oldace_t *)acep)->z_type = type; 127 } 128 129 static void 130 zfs_ace_v0_set_flags(void *acep, uint16_t flags) 131 { 132 ((zfs_oldace_t *)acep)->z_flags = flags; 133 } 134 135 static void 136 zfs_ace_v0_set_mask(void *acep, uint32_t mask) 137 { 138 ((zfs_oldace_t *)acep)->z_access_mask = mask; 139 } 140 141 static void 142 zfs_ace_v0_set_who(void *acep, uint64_t who) 143 { 144 ((zfs_oldace_t *)acep)->z_fuid = who; 145 } 146 147 /*ARGSUSED*/ 148 static size_t 149 zfs_ace_v0_size(void *acep) 150 { 151 return (sizeof (zfs_oldace_t)); 152 } 153 154 static size_t 155 zfs_ace_v0_abstract_size(void) 156 { 157 return (sizeof (zfs_oldace_t)); 158 } 159 160 static int 161 zfs_ace_v0_mask_off(void) 162 { 163 return (offsetof(zfs_oldace_t, z_access_mask)); 164 } 165 166 /*ARGSUSED*/ 167 static int 168 zfs_ace_v0_data(void *acep, void **datap) 169 { 170 *datap = NULL; 171 return (0); 172 } 173 174 static acl_ops_t zfs_acl_v0_ops = { 175 zfs_ace_v0_get_mask, 176 zfs_ace_v0_set_mask, 177 zfs_ace_v0_get_flags, 178 zfs_ace_v0_set_flags, 179 zfs_ace_v0_get_type, 180 zfs_ace_v0_set_type, 181 zfs_ace_v0_get_who, 182 zfs_ace_v0_set_who, 183 zfs_ace_v0_size, 184 zfs_ace_v0_abstract_size, 185 zfs_ace_v0_mask_off, 186 zfs_ace_v0_data 187 }; 188 189 static uint16_t 190 zfs_ace_fuid_get_type(void *acep) 191 { 192 return (((zfs_ace_hdr_t *)acep)->z_type); 193 } 194 195 static uint16_t 196 zfs_ace_fuid_get_flags(void *acep) 197 { 198 return (((zfs_ace_hdr_t *)acep)->z_flags); 199 } 200 201 static uint32_t 202 zfs_ace_fuid_get_mask(void *acep) 203 { 204 return (((zfs_ace_hdr_t *)acep)->z_access_mask); 205 } 206 207 static uint64_t 208 zfs_ace_fuid_get_who(void *args) 209 { 210 uint16_t entry_type; 211 zfs_ace_t *acep = args; 212 213 entry_type = acep->z_hdr.z_flags & ACE_TYPE_FLAGS; 214 215 if (entry_type == ACE_OWNER || entry_type == OWNING_GROUP || 216 entry_type == ACE_EVERYONE) 217 return (-1); 218 return (((zfs_ace_t *)acep)->z_fuid); 219 } 220 221 static void 222 zfs_ace_fuid_set_type(void *acep, uint16_t type) 223 { 224 ((zfs_ace_hdr_t *)acep)->z_type = type; 225 } 226 227 static void 228 zfs_ace_fuid_set_flags(void *acep, uint16_t flags) 229 { 230 ((zfs_ace_hdr_t *)acep)->z_flags = flags; 231 } 232 233 static void 234 zfs_ace_fuid_set_mask(void *acep, uint32_t mask) 235 { 236 ((zfs_ace_hdr_t *)acep)->z_access_mask = mask; 237 } 238 239 static void 240 zfs_ace_fuid_set_who(void *arg, uint64_t who) 241 { 242 zfs_ace_t *acep = arg; 243 244 uint16_t entry_type = acep->z_hdr.z_flags & ACE_TYPE_FLAGS; 245 246 if (entry_type == ACE_OWNER || entry_type == OWNING_GROUP || 247 entry_type == ACE_EVERYONE) 248 return; 249 acep->z_fuid = who; 250 } 251 252 static size_t 253 zfs_ace_fuid_size(void *acep) 254 { 255 zfs_ace_hdr_t *zacep = acep; 256 uint16_t entry_type; 257 258 switch (zacep->z_type) { 259 case ACE_ACCESS_ALLOWED_OBJECT_ACE_TYPE: 260 case ACE_ACCESS_DENIED_OBJECT_ACE_TYPE: 261 case ACE_SYSTEM_AUDIT_OBJECT_ACE_TYPE: 262 case ACE_SYSTEM_ALARM_OBJECT_ACE_TYPE: 263 return (sizeof (zfs_object_ace_t)); 264 case ALLOW: 265 case DENY: 266 entry_type = 267 (((zfs_ace_hdr_t *)acep)->z_flags & ACE_TYPE_FLAGS); 268 if (entry_type == ACE_OWNER || 269 entry_type == OWNING_GROUP || 270 entry_type == ACE_EVERYONE) 271 return (sizeof (zfs_ace_hdr_t)); 272 /*FALLTHROUGH*/ 273 default: 274 return (sizeof (zfs_ace_t)); 275 } 276 } 277 278 static size_t 279 zfs_ace_fuid_abstract_size(void) 280 { 281 return (sizeof (zfs_ace_hdr_t)); 282 } 283 284 static int 285 zfs_ace_fuid_mask_off(void) 286 { 287 return (offsetof(zfs_ace_hdr_t, z_access_mask)); 288 } 289 290 static int 291 zfs_ace_fuid_data(void *acep, void **datap) 292 { 293 zfs_ace_t *zacep = acep; 294 zfs_object_ace_t *zobjp; 295 296 switch (zacep->z_hdr.z_type) { 297 case ACE_ACCESS_ALLOWED_OBJECT_ACE_TYPE: 298 case ACE_ACCESS_DENIED_OBJECT_ACE_TYPE: 299 case ACE_SYSTEM_AUDIT_OBJECT_ACE_TYPE: 300 case ACE_SYSTEM_ALARM_OBJECT_ACE_TYPE: 301 zobjp = acep; 302 *datap = (caddr_t)zobjp + sizeof (zfs_ace_t); 303 return (sizeof (zfs_object_ace_t) - sizeof (zfs_ace_t)); 304 default: 305 *datap = NULL; 306 return (0); 307 } 308 } 309 310 static acl_ops_t zfs_acl_fuid_ops = { 311 zfs_ace_fuid_get_mask, 312 zfs_ace_fuid_set_mask, 313 zfs_ace_fuid_get_flags, 314 zfs_ace_fuid_set_flags, 315 zfs_ace_fuid_get_type, 316 zfs_ace_fuid_set_type, 317 zfs_ace_fuid_get_who, 318 zfs_ace_fuid_set_who, 319 zfs_ace_fuid_size, 320 zfs_ace_fuid_abstract_size, 321 zfs_ace_fuid_mask_off, 322 zfs_ace_fuid_data 323 }; 324 325 /* 326 * The following three functions are provided for compatibility with 327 * older ZPL version in order to determine if the file use to have 328 * an external ACL and what version of ACL previously existed on the 329 * file. Would really be nice to not need this, sigh. 330 */ 331 uint64_t 332 zfs_external_acl(znode_t *zp) 333 { 334 zfs_acl_phys_t acl_phys; 335 int error; 336 337 if (zp->z_is_sa) 338 return (0); 339 340 /* 341 * Need to deal with a potential 342 * race where zfs_sa_upgrade could cause 343 * z_isa_sa to change. 344 * 345 * If the lookup fails then the state of z_is_sa should have 346 * changed. 347 */ 348 349 if ((error = sa_lookup(zp->z_sa_hdl, SA_ZPL_ZNODE_ACL(zp->z_zfsvfs), 350 &acl_phys, sizeof (acl_phys))) == 0) 351 return (acl_phys.z_acl_extern_obj); 352 else { 353 /* 354 * after upgrade the SA_ZPL_ZNODE_ACL should have been 355 * removed 356 */ 357 VERIFY(zp->z_is_sa && error == ENOENT); 358 return (0); 359 } 360 } 361 362 /* 363 * Determine size of ACL in bytes 364 * 365 * This is more complicated than it should be since we have to deal 366 * with old external ACLs. 367 */ 368 static int 369 zfs_acl_znode_info(znode_t *zp, int *aclsize, int *aclcount, 370 zfs_acl_phys_t *aclphys) 371 { 372 zfsvfs_t *zfsvfs = zp->z_zfsvfs; 373 uint64_t acl_count; 374 int size; 375 int error; 376 377 ASSERT(MUTEX_HELD(&zp->z_acl_lock)); 378 if (zp->z_is_sa) { 379 if ((error = sa_size(zp->z_sa_hdl, SA_ZPL_DACL_ACES(zfsvfs), 380 &size)) != 0) 381 return (error); 382 *aclsize = size; 383 if ((error = sa_lookup(zp->z_sa_hdl, SA_ZPL_DACL_COUNT(zfsvfs), 384 &acl_count, sizeof (acl_count))) != 0) 385 return (error); 386 *aclcount = acl_count; 387 } else { 388 if ((error = sa_lookup(zp->z_sa_hdl, SA_ZPL_ZNODE_ACL(zfsvfs), 389 aclphys, sizeof (*aclphys))) != 0) 390 return (error); 391 392 if (aclphys->z_acl_version == ZFS_ACL_VERSION_INITIAL) { 393 *aclsize = ZFS_ACL_SIZE(aclphys->z_acl_size); 394 *aclcount = aclphys->z_acl_size; 395 } else { 396 *aclsize = aclphys->z_acl_size; 397 *aclcount = aclphys->z_acl_count; 398 } 399 } 400 return (0); 401 } 402 403 int 404 zfs_znode_acl_version(znode_t *zp) 405 { 406 zfs_acl_phys_t acl_phys; 407 408 if (zp->z_is_sa) 409 return (ZFS_ACL_VERSION_FUID); 410 else { 411 int error; 412 413 /* 414 * Need to deal with a potential 415 * race where zfs_sa_upgrade could cause 416 * z_isa_sa to change. 417 * 418 * If the lookup fails then the state of z_is_sa should have 419 * changed. 420 */ 421 if ((error = sa_lookup(zp->z_sa_hdl, 422 SA_ZPL_ZNODE_ACL(zp->z_zfsvfs), 423 &acl_phys, sizeof (acl_phys))) == 0) 424 return (acl_phys.z_acl_version); 425 else { 426 /* 427 * After upgrade SA_ZPL_ZNODE_ACL should have 428 * been removed. 429 */ 430 VERIFY(zp->z_is_sa && error == ENOENT); 431 return (ZFS_ACL_VERSION_FUID); 432 } 433 } 434 } 435 436 static int 437 zfs_acl_version(int version) 438 { 439 if (version < ZPL_VERSION_FUID) 440 return (ZFS_ACL_VERSION_INITIAL); 441 else 442 return (ZFS_ACL_VERSION_FUID); 443 } 444 445 static int 446 zfs_acl_version_zp(znode_t *zp) 447 { 448 return (zfs_acl_version(zp->z_zfsvfs->z_version)); 449 } 450 451 zfs_acl_t * 452 zfs_acl_alloc(int vers) 453 { 454 zfs_acl_t *aclp; 455 456 aclp = kmem_zalloc(sizeof (zfs_acl_t), KM_SLEEP); 457 list_create(&aclp->z_acl, sizeof (zfs_acl_node_t), 458 offsetof(zfs_acl_node_t, z_next)); 459 aclp->z_version = vers; 460 if (vers == ZFS_ACL_VERSION_FUID) 461 aclp->z_ops = zfs_acl_fuid_ops; 462 else 463 aclp->z_ops = zfs_acl_v0_ops; 464 return (aclp); 465 } 466 467 zfs_acl_node_t * 468 zfs_acl_node_alloc(size_t bytes) 469 { 470 zfs_acl_node_t *aclnode; 471 472 aclnode = kmem_zalloc(sizeof (zfs_acl_node_t), KM_SLEEP); 473 if (bytes) { 474 aclnode->z_acldata = kmem_alloc(bytes, KM_SLEEP); 475 aclnode->z_allocdata = aclnode->z_acldata; 476 aclnode->z_allocsize = bytes; 477 aclnode->z_size = bytes; 478 } 479 480 return (aclnode); 481 } 482 483 static void 484 zfs_acl_node_free(zfs_acl_node_t *aclnode) 485 { 486 if (aclnode->z_allocsize) 487 kmem_free(aclnode->z_allocdata, aclnode->z_allocsize); 488 kmem_free(aclnode, sizeof (zfs_acl_node_t)); 489 } 490 491 static void 492 zfs_acl_release_nodes(zfs_acl_t *aclp) 493 { 494 zfs_acl_node_t *aclnode; 495 496 while (aclnode = list_head(&aclp->z_acl)) { 497 list_remove(&aclp->z_acl, aclnode); 498 zfs_acl_node_free(aclnode); 499 } 500 aclp->z_acl_count = 0; 501 aclp->z_acl_bytes = 0; 502 } 503 504 void 505 zfs_acl_free(zfs_acl_t *aclp) 506 { 507 zfs_acl_release_nodes(aclp); 508 list_destroy(&aclp->z_acl); 509 kmem_free(aclp, sizeof (zfs_acl_t)); 510 } 511 512 static boolean_t 513 zfs_acl_valid_ace_type(uint_t type, uint_t flags) 514 { 515 uint16_t entry_type; 516 517 switch (type) { 518 case ALLOW: 519 case DENY: 520 case ACE_SYSTEM_AUDIT_ACE_TYPE: 521 case ACE_SYSTEM_ALARM_ACE_TYPE: 522 entry_type = flags & ACE_TYPE_FLAGS; 523 return (entry_type == ACE_OWNER || 524 entry_type == OWNING_GROUP || 525 entry_type == ACE_EVERYONE || entry_type == 0 || 526 entry_type == ACE_IDENTIFIER_GROUP); 527 default: 528 if (type >= MIN_ACE_TYPE && type <= MAX_ACE_TYPE) 529 return (B_TRUE); 530 } 531 return (B_FALSE); 532 } 533 534 static boolean_t 535 zfs_ace_valid(vtype_t obj_type, zfs_acl_t *aclp, uint16_t type, uint16_t iflags) 536 { 537 /* 538 * first check type of entry 539 */ 540 541 if (!zfs_acl_valid_ace_type(type, iflags)) 542 return (B_FALSE); 543 544 switch (type) { 545 case ACE_ACCESS_ALLOWED_OBJECT_ACE_TYPE: 546 case ACE_ACCESS_DENIED_OBJECT_ACE_TYPE: 547 case ACE_SYSTEM_AUDIT_OBJECT_ACE_TYPE: 548 case ACE_SYSTEM_ALARM_OBJECT_ACE_TYPE: 549 if (aclp->z_version < ZFS_ACL_VERSION_FUID) 550 return (B_FALSE); 551 aclp->z_hints |= ZFS_ACL_OBJ_ACE; 552 } 553 554 /* 555 * next check inheritance level flags 556 */ 557 558 if (obj_type == VDIR && 559 (iflags & (ACE_FILE_INHERIT_ACE|ACE_DIRECTORY_INHERIT_ACE))) 560 aclp->z_hints |= ZFS_INHERIT_ACE; 561 562 if (iflags & (ACE_INHERIT_ONLY_ACE|ACE_NO_PROPAGATE_INHERIT_ACE)) { 563 if ((iflags & (ACE_FILE_INHERIT_ACE| 564 ACE_DIRECTORY_INHERIT_ACE)) == 0) { 565 return (B_FALSE); 566 } 567 } 568 569 return (B_TRUE); 570 } 571 572 static void * 573 zfs_acl_next_ace(zfs_acl_t *aclp, void *start, uint64_t *who, 574 uint32_t *access_mask, uint16_t *iflags, uint16_t *type) 575 { 576 zfs_acl_node_t *aclnode; 577 578 ASSERT(aclp); 579 580 if (start == NULL) { 581 aclnode = list_head(&aclp->z_acl); 582 if (aclnode == NULL) 583 return (NULL); 584 585 aclp->z_next_ace = aclnode->z_acldata; 586 aclp->z_curr_node = aclnode; 587 aclnode->z_ace_idx = 0; 588 } 589 590 aclnode = aclp->z_curr_node; 591 592 if (aclnode == NULL) 593 return (NULL); 594 595 if (aclnode->z_ace_idx >= aclnode->z_ace_count) { 596 aclnode = list_next(&aclp->z_acl, aclnode); 597 if (aclnode == NULL) 598 return (NULL); 599 else { 600 aclp->z_curr_node = aclnode; 601 aclnode->z_ace_idx = 0; 602 aclp->z_next_ace = aclnode->z_acldata; 603 } 604 } 605 606 if (aclnode->z_ace_idx < aclnode->z_ace_count) { 607 void *acep = aclp->z_next_ace; 608 size_t ace_size; 609 610 /* 611 * Make sure we don't overstep our bounds 612 */ 613 ace_size = aclp->z_ops.ace_size(acep); 614 615 if (((caddr_t)acep + ace_size) > 616 ((caddr_t)aclnode->z_acldata + aclnode->z_size)) { 617 return (NULL); 618 } 619 620 *iflags = aclp->z_ops.ace_flags_get(acep); 621 *type = aclp->z_ops.ace_type_get(acep); 622 *access_mask = aclp->z_ops.ace_mask_get(acep); 623 *who = aclp->z_ops.ace_who_get(acep); 624 aclp->z_next_ace = (caddr_t)aclp->z_next_ace + ace_size; 625 aclnode->z_ace_idx++; 626 627 return ((void *)acep); 628 } 629 return (NULL); 630 } 631 632 /*ARGSUSED*/ 633 static uint64_t 634 zfs_ace_walk(void *datap, uint64_t cookie, int aclcnt, 635 uint16_t *flags, uint16_t *type, uint32_t *mask) 636 { 637 zfs_acl_t *aclp = datap; 638 zfs_ace_hdr_t *acep = (zfs_ace_hdr_t *)(uintptr_t)cookie; 639 uint64_t who; 640 641 acep = zfs_acl_next_ace(aclp, acep, &who, mask, 642 flags, type); 643 return ((uint64_t)(uintptr_t)acep); 644 } 645 646 static zfs_acl_node_t * 647 zfs_acl_curr_node(zfs_acl_t *aclp) 648 { 649 ASSERT(aclp->z_curr_node); 650 return (aclp->z_curr_node); 651 } 652 653 /* 654 * Copy ACE to internal ZFS format. 655 * While processing the ACL each ACE will be validated for correctness. 656 * ACE FUIDs will be created later. 657 */ 658 int 659 zfs_copy_ace_2_fuid(zfsvfs_t *zfsvfs, vtype_t obj_type, zfs_acl_t *aclp, 660 void *datap, zfs_ace_t *z_acl, uint64_t aclcnt, size_t *size, 661 zfs_fuid_info_t **fuidp, cred_t *cr) 662 { 663 int i; 664 uint16_t entry_type; 665 zfs_ace_t *aceptr = z_acl; 666 ace_t *acep = datap; 667 zfs_object_ace_t *zobjacep; 668 ace_object_t *aceobjp; 669 670 for (i = 0; i != aclcnt; i++) { 671 aceptr->z_hdr.z_access_mask = acep->a_access_mask; 672 aceptr->z_hdr.z_flags = acep->a_flags; 673 aceptr->z_hdr.z_type = acep->a_type; 674 entry_type = aceptr->z_hdr.z_flags & ACE_TYPE_FLAGS; 675 if (entry_type != ACE_OWNER && entry_type != OWNING_GROUP && 676 entry_type != ACE_EVERYONE) { 677 aceptr->z_fuid = zfs_fuid_create(zfsvfs, acep->a_who, 678 cr, (entry_type == 0) ? 679 ZFS_ACE_USER : ZFS_ACE_GROUP, fuidp); 680 } 681 682 /* 683 * Make sure ACE is valid 684 */ 685 if (zfs_ace_valid(obj_type, aclp, aceptr->z_hdr.z_type, 686 aceptr->z_hdr.z_flags) != B_TRUE) 687 return (EINVAL); 688 689 switch (acep->a_type) { 690 case ACE_ACCESS_ALLOWED_OBJECT_ACE_TYPE: 691 case ACE_ACCESS_DENIED_OBJECT_ACE_TYPE: 692 case ACE_SYSTEM_AUDIT_OBJECT_ACE_TYPE: 693 case ACE_SYSTEM_ALARM_OBJECT_ACE_TYPE: 694 zobjacep = (zfs_object_ace_t *)aceptr; 695 aceobjp = (ace_object_t *)acep; 696 697 bcopy(aceobjp->a_obj_type, zobjacep->z_object_type, 698 sizeof (aceobjp->a_obj_type)); 699 bcopy(aceobjp->a_inherit_obj_type, 700 zobjacep->z_inherit_type, 701 sizeof (aceobjp->a_inherit_obj_type)); 702 acep = (ace_t *)((caddr_t)acep + sizeof (ace_object_t)); 703 break; 704 default: 705 acep = (ace_t *)((caddr_t)acep + sizeof (ace_t)); 706 } 707 708 aceptr = (zfs_ace_t *)((caddr_t)aceptr + 709 aclp->z_ops.ace_size(aceptr)); 710 } 711 712 *size = (caddr_t)aceptr - (caddr_t)z_acl; 713 714 return (0); 715 } 716 717 /* 718 * Copy ZFS ACEs to fixed size ace_t layout 719 */ 720 static void 721 zfs_copy_fuid_2_ace(zfsvfs_t *zfsvfs, zfs_acl_t *aclp, cred_t *cr, 722 void *datap, int filter) 723 { 724 uint64_t who; 725 uint32_t access_mask; 726 uint16_t iflags, type; 727 zfs_ace_hdr_t *zacep = NULL; 728 ace_t *acep = datap; 729 ace_object_t *objacep; 730 zfs_object_ace_t *zobjacep; 731 size_t ace_size; 732 uint16_t entry_type; 733 734 while (zacep = zfs_acl_next_ace(aclp, zacep, 735 &who, &access_mask, &iflags, &type)) { 736 737 switch (type) { 738 case ACE_ACCESS_ALLOWED_OBJECT_ACE_TYPE: 739 case ACE_ACCESS_DENIED_OBJECT_ACE_TYPE: 740 case ACE_SYSTEM_AUDIT_OBJECT_ACE_TYPE: 741 case ACE_SYSTEM_ALARM_OBJECT_ACE_TYPE: 742 if (filter) { 743 continue; 744 } 745 zobjacep = (zfs_object_ace_t *)zacep; 746 objacep = (ace_object_t *)acep; 747 bcopy(zobjacep->z_object_type, 748 objacep->a_obj_type, 749 sizeof (zobjacep->z_object_type)); 750 bcopy(zobjacep->z_inherit_type, 751 objacep->a_inherit_obj_type, 752 sizeof (zobjacep->z_inherit_type)); 753 ace_size = sizeof (ace_object_t); 754 break; 755 default: 756 ace_size = sizeof (ace_t); 757 break; 758 } 759 760 entry_type = (iflags & ACE_TYPE_FLAGS); 761 if ((entry_type != ACE_OWNER && 762 entry_type != OWNING_GROUP && 763 entry_type != ACE_EVERYONE)) { 764 acep->a_who = zfs_fuid_map_id(zfsvfs, who, 765 cr, (entry_type & ACE_IDENTIFIER_GROUP) ? 766 ZFS_ACE_GROUP : ZFS_ACE_USER); 767 } else { 768 acep->a_who = (uid_t)(int64_t)who; 769 } 770 acep->a_access_mask = access_mask; 771 acep->a_flags = iflags; 772 acep->a_type = type; 773 acep = (ace_t *)((caddr_t)acep + ace_size); 774 } 775 } 776 777 static int 778 zfs_copy_ace_2_oldace(vtype_t obj_type, zfs_acl_t *aclp, ace_t *acep, 779 zfs_oldace_t *z_acl, int aclcnt, size_t *size) 780 { 781 int i; 782 zfs_oldace_t *aceptr = z_acl; 783 784 for (i = 0; i != aclcnt; i++, aceptr++) { 785 aceptr->z_access_mask = acep[i].a_access_mask; 786 aceptr->z_type = acep[i].a_type; 787 aceptr->z_flags = acep[i].a_flags; 788 aceptr->z_fuid = acep[i].a_who; 789 /* 790 * Make sure ACE is valid 791 */ 792 if (zfs_ace_valid(obj_type, aclp, aceptr->z_type, 793 aceptr->z_flags) != B_TRUE) 794 return (EINVAL); 795 } 796 *size = (caddr_t)aceptr - (caddr_t)z_acl; 797 return (0); 798 } 799 800 /* 801 * convert old ACL format to new 802 */ 803 void 804 zfs_acl_xform(znode_t *zp, zfs_acl_t *aclp, cred_t *cr) 805 { 806 zfs_oldace_t *oldaclp; 807 int i; 808 uint16_t type, iflags; 809 uint32_t access_mask; 810 uint64_t who; 811 void *cookie = NULL; 812 zfs_acl_node_t *newaclnode; 813 814 ASSERT(aclp->z_version == ZFS_ACL_VERSION_INITIAL); 815 /* 816 * First create the ACE in a contiguous piece of memory 817 * for zfs_copy_ace_2_fuid(). 818 * 819 * We only convert an ACL once, so this won't happen 820 * everytime. 821 */ 822 oldaclp = kmem_alloc(sizeof (zfs_oldace_t) * aclp->z_acl_count, 823 KM_SLEEP); 824 i = 0; 825 while (cookie = zfs_acl_next_ace(aclp, cookie, &who, 826 &access_mask, &iflags, &type)) { 827 oldaclp[i].z_flags = iflags; 828 oldaclp[i].z_type = type; 829 oldaclp[i].z_fuid = who; 830 oldaclp[i++].z_access_mask = access_mask; 831 } 832 833 newaclnode = zfs_acl_node_alloc(aclp->z_acl_count * 834 sizeof (zfs_object_ace_t)); 835 aclp->z_ops = zfs_acl_fuid_ops; 836 VERIFY(zfs_copy_ace_2_fuid(zp->z_zfsvfs, ZTOV(zp)->v_type, aclp, 837 oldaclp, newaclnode->z_acldata, aclp->z_acl_count, 838 &newaclnode->z_size, NULL, cr) == 0); 839 newaclnode->z_ace_count = aclp->z_acl_count; 840 aclp->z_version = ZFS_ACL_VERSION; 841 kmem_free(oldaclp, aclp->z_acl_count * sizeof (zfs_oldace_t)); 842 843 /* 844 * Release all previous ACL nodes 845 */ 846 847 zfs_acl_release_nodes(aclp); 848 849 list_insert_head(&aclp->z_acl, newaclnode); 850 851 aclp->z_acl_bytes = newaclnode->z_size; 852 aclp->z_acl_count = newaclnode->z_ace_count; 853 854 } 855 856 /* 857 * Convert unix access mask to v4 access mask 858 */ 859 static uint32_t 860 zfs_unix_to_v4(uint32_t access_mask) 861 { 862 uint32_t new_mask = 0; 863 864 if (access_mask & S_IXOTH) 865 new_mask |= ACE_EXECUTE; 866 if (access_mask & S_IWOTH) 867 new_mask |= ACE_WRITE_DATA; 868 if (access_mask & S_IROTH) 869 new_mask |= ACE_READ_DATA; 870 return (new_mask); 871 } 872 873 static void 874 zfs_set_ace(zfs_acl_t *aclp, void *acep, uint32_t access_mask, 875 uint16_t access_type, uint64_t fuid, uint16_t entry_type) 876 { 877 uint16_t type = entry_type & ACE_TYPE_FLAGS; 878 879 aclp->z_ops.ace_mask_set(acep, access_mask); 880 aclp->z_ops.ace_type_set(acep, access_type); 881 aclp->z_ops.ace_flags_set(acep, entry_type); 882 if ((type != ACE_OWNER && type != OWNING_GROUP && 883 type != ACE_EVERYONE)) 884 aclp->z_ops.ace_who_set(acep, fuid); 885 } 886 887 /* 888 * Determine mode of file based on ACL. 889 * Also, create FUIDs for any User/Group ACEs 890 */ 891 uint64_t 892 zfs_mode_compute(uint64_t fmode, zfs_acl_t *aclp, 893 uint64_t *pflags, uint64_t fuid, uint64_t fgid) 894 { 895 int entry_type; 896 mode_t mode; 897 mode_t seen = 0; 898 zfs_ace_hdr_t *acep = NULL; 899 uint64_t who; 900 uint16_t iflags, type; 901 uint32_t access_mask; 902 boolean_t an_exec_denied = B_FALSE; 903 904 mode = (fmode & (S_IFMT | S_ISUID | S_ISGID | S_ISVTX)); 905 906 while (acep = zfs_acl_next_ace(aclp, acep, &who, 907 &access_mask, &iflags, &type)) { 908 909 if (!zfs_acl_valid_ace_type(type, iflags)) 910 continue; 911 912 entry_type = (iflags & ACE_TYPE_FLAGS); 913 914 /* 915 * Skip over owner@, group@ or everyone@ inherit only ACEs 916 */ 917 if ((iflags & ACE_INHERIT_ONLY_ACE) && 918 (entry_type == ACE_OWNER || entry_type == ACE_EVERYONE || 919 entry_type == OWNING_GROUP)) 920 continue; 921 922 if (entry_type == ACE_OWNER || (entry_type == 0 && 923 who == fuid)) { 924 if ((access_mask & ACE_READ_DATA) && 925 (!(seen & S_IRUSR))) { 926 seen |= S_IRUSR; 927 if (type == ALLOW) { 928 mode |= S_IRUSR; 929 } 930 } 931 if ((access_mask & ACE_WRITE_DATA) && 932 (!(seen & S_IWUSR))) { 933 seen |= S_IWUSR; 934 if (type == ALLOW) { 935 mode |= S_IWUSR; 936 } 937 } 938 if ((access_mask & ACE_EXECUTE) && 939 (!(seen & S_IXUSR))) { 940 seen |= S_IXUSR; 941 if (type == ALLOW) { 942 mode |= S_IXUSR; 943 } 944 } 945 } else if (entry_type == OWNING_GROUP || 946 (entry_type == ACE_IDENTIFIER_GROUP && who == fgid)) { 947 if ((access_mask & ACE_READ_DATA) && 948 (!(seen & S_IRGRP))) { 949 seen |= S_IRGRP; 950 if (type == ALLOW) { 951 mode |= S_IRGRP; 952 } 953 } 954 if ((access_mask & ACE_WRITE_DATA) && 955 (!(seen & S_IWGRP))) { 956 seen |= S_IWGRP; 957 if (type == ALLOW) { 958 mode |= S_IWGRP; 959 } 960 } 961 if ((access_mask & ACE_EXECUTE) && 962 (!(seen & S_IXGRP))) { 963 seen |= S_IXGRP; 964 if (type == ALLOW) { 965 mode |= S_IXGRP; 966 } 967 } 968 } else if (entry_type == ACE_EVERYONE) { 969 if ((access_mask & ACE_READ_DATA)) { 970 if (!(seen & S_IRUSR)) { 971 seen |= S_IRUSR; 972 if (type == ALLOW) { 973 mode |= S_IRUSR; 974 } 975 } 976 if (!(seen & S_IRGRP)) { 977 seen |= S_IRGRP; 978 if (type == ALLOW) { 979 mode |= S_IRGRP; 980 } 981 } 982 if (!(seen & S_IROTH)) { 983 seen |= S_IROTH; 984 if (type == ALLOW) { 985 mode |= S_IROTH; 986 } 987 } 988 } 989 if ((access_mask & ACE_WRITE_DATA)) { 990 if (!(seen & S_IWUSR)) { 991 seen |= S_IWUSR; 992 if (type == ALLOW) { 993 mode |= S_IWUSR; 994 } 995 } 996 if (!(seen & S_IWGRP)) { 997 seen |= S_IWGRP; 998 if (type == ALLOW) { 999 mode |= S_IWGRP; 1000 } 1001 } 1002 if (!(seen & S_IWOTH)) { 1003 seen |= S_IWOTH; 1004 if (type == ALLOW) { 1005 mode |= S_IWOTH; 1006 } 1007 } 1008 } 1009 if ((access_mask & ACE_EXECUTE)) { 1010 if (!(seen & S_IXUSR)) { 1011 seen |= S_IXUSR; 1012 if (type == ALLOW) { 1013 mode |= S_IXUSR; 1014 } 1015 } 1016 if (!(seen & S_IXGRP)) { 1017 seen |= S_IXGRP; 1018 if (type == ALLOW) { 1019 mode |= S_IXGRP; 1020 } 1021 } 1022 if (!(seen & S_IXOTH)) { 1023 seen |= S_IXOTH; 1024 if (type == ALLOW) { 1025 mode |= S_IXOTH; 1026 } 1027 } 1028 } 1029 } else { 1030 /* 1031 * Only care if this IDENTIFIER_GROUP or 1032 * USER ACE denies execute access to someone, 1033 * mode is not affected 1034 */ 1035 if ((access_mask & ACE_EXECUTE) && type == DENY) 1036 an_exec_denied = B_TRUE; 1037 } 1038 } 1039 1040 /* 1041 * Failure to allow is effectively a deny, so execute permission 1042 * is denied if it was never mentioned or if we explicitly 1043 * weren't allowed it. 1044 */ 1045 if (!an_exec_denied && 1046 ((seen & ALL_MODE_EXECS) != ALL_MODE_EXECS || 1047 (mode & ALL_MODE_EXECS) != ALL_MODE_EXECS)) 1048 an_exec_denied = B_TRUE; 1049 1050 if (an_exec_denied) 1051 *pflags &= ~ZFS_NO_EXECS_DENIED; 1052 else 1053 *pflags |= ZFS_NO_EXECS_DENIED; 1054 1055 return (mode); 1056 } 1057 1058 /* 1059 * Read an external acl object. If the intent is to modify, always 1060 * create a new acl and leave any cached acl in place. 1061 */ 1062 static int 1063 zfs_acl_node_read(znode_t *zp, boolean_t have_lock, zfs_acl_t **aclpp, 1064 boolean_t will_modify) 1065 { 1066 zfs_acl_t *aclp; 1067 int aclsize; 1068 int acl_count; 1069 zfs_acl_node_t *aclnode; 1070 zfs_acl_phys_t znode_acl; 1071 int version; 1072 int error; 1073 boolean_t drop_lock = B_FALSE; 1074 1075 ASSERT(MUTEX_HELD(&zp->z_acl_lock)); 1076 1077 if (zp->z_acl_cached && !will_modify) { 1078 *aclpp = zp->z_acl_cached; 1079 return (0); 1080 } 1081 1082 /* 1083 * close race where znode could be upgrade while trying to 1084 * read the znode attributes. 1085 * 1086 * But this could only happen if the file isn't already an SA 1087 * znode 1088 */ 1089 if (!zp->z_is_sa && !have_lock) { 1090 mutex_enter(&zp->z_lock); 1091 drop_lock = B_TRUE; 1092 } 1093 version = zfs_znode_acl_version(zp); 1094 1095 if ((error = zfs_acl_znode_info(zp, &aclsize, 1096 &acl_count, &znode_acl)) != 0) { 1097 goto done; 1098 } 1099 1100 aclp = zfs_acl_alloc(version); 1101 1102 aclp->z_acl_count = acl_count; 1103 aclp->z_acl_bytes = aclsize; 1104 1105 aclnode = zfs_acl_node_alloc(aclsize); 1106 aclnode->z_ace_count = aclp->z_acl_count; 1107 aclnode->z_size = aclsize; 1108 1109 if (!zp->z_is_sa) { 1110 if (znode_acl.z_acl_extern_obj) { 1111 error = dmu_read(zp->z_zfsvfs->z_os, 1112 znode_acl.z_acl_extern_obj, 0, aclnode->z_size, 1113 aclnode->z_acldata, DMU_READ_PREFETCH); 1114 } else { 1115 bcopy(znode_acl.z_ace_data, aclnode->z_acldata, 1116 aclnode->z_size); 1117 } 1118 } else { 1119 error = sa_lookup(zp->z_sa_hdl, SA_ZPL_DACL_ACES(zp->z_zfsvfs), 1120 aclnode->z_acldata, aclnode->z_size); 1121 } 1122 1123 if (error != 0) { 1124 zfs_acl_free(aclp); 1125 zfs_acl_node_free(aclnode); 1126 /* convert checksum errors into IO errors */ 1127 if (error == ECKSUM) 1128 error = EIO; 1129 goto done; 1130 } 1131 1132 list_insert_head(&aclp->z_acl, aclnode); 1133 1134 *aclpp = aclp; 1135 if (!will_modify) 1136 zp->z_acl_cached = aclp; 1137 done: 1138 if (drop_lock) 1139 mutex_exit(&zp->z_lock); 1140 return (error); 1141 } 1142 1143 /*ARGSUSED*/ 1144 void 1145 zfs_acl_data_locator(void **dataptr, uint32_t *length, uint32_t buflen, 1146 boolean_t start, void *userdata) 1147 { 1148 zfs_acl_locator_cb_t *cb = (zfs_acl_locator_cb_t *)userdata; 1149 1150 if (start) { 1151 cb->cb_acl_node = list_head(&cb->cb_aclp->z_acl); 1152 } else { 1153 cb->cb_acl_node = list_next(&cb->cb_aclp->z_acl, 1154 cb->cb_acl_node); 1155 } 1156 *dataptr = cb->cb_acl_node->z_acldata; 1157 *length = cb->cb_acl_node->z_size; 1158 } 1159 1160 int 1161 zfs_acl_chown_setattr(znode_t *zp) 1162 { 1163 int error; 1164 zfs_acl_t *aclp; 1165 1166 ASSERT(MUTEX_HELD(&zp->z_lock)); 1167 ASSERT(MUTEX_HELD(&zp->z_acl_lock)); 1168 1169 if ((error = zfs_acl_node_read(zp, B_TRUE, &aclp, B_FALSE)) == 0) 1170 zp->z_mode = zfs_mode_compute(zp->z_mode, aclp, 1171 &zp->z_pflags, zp->z_uid, zp->z_gid); 1172 return (error); 1173 } 1174 1175 /* 1176 * common code for setting ACLs. 1177 * 1178 * This function is called from zfs_mode_update, zfs_perm_init, and zfs_setacl. 1179 * zfs_setacl passes a non-NULL inherit pointer (ihp) to indicate that it's 1180 * already checked the acl and knows whether to inherit. 1181 */ 1182 int 1183 zfs_aclset_common(znode_t *zp, zfs_acl_t *aclp, cred_t *cr, dmu_tx_t *tx) 1184 { 1185 int error; 1186 zfsvfs_t *zfsvfs = zp->z_zfsvfs; 1187 dmu_object_type_t otype; 1188 zfs_acl_locator_cb_t locate = { 0 }; 1189 uint64_t mode; 1190 sa_bulk_attr_t bulk[5]; 1191 uint64_t ctime[2]; 1192 int count = 0; 1193 1194 mode = zp->z_mode; 1195 1196 mode = zfs_mode_compute(mode, aclp, &zp->z_pflags, 1197 zp->z_uid, zp->z_gid); 1198 1199 zp->z_mode = mode; 1200 SA_ADD_BULK_ATTR(bulk, count, SA_ZPL_MODE(zfsvfs), NULL, 1201 &mode, sizeof (mode)); 1202 SA_ADD_BULK_ATTR(bulk, count, SA_ZPL_FLAGS(zfsvfs), NULL, 1203 &zp->z_pflags, sizeof (zp->z_pflags)); 1204 SA_ADD_BULK_ATTR(bulk, count, SA_ZPL_CTIME(zfsvfs), NULL, 1205 &ctime, sizeof (ctime)); 1206 1207 if (zp->z_acl_cached) { 1208 zfs_acl_free(zp->z_acl_cached); 1209 zp->z_acl_cached = NULL; 1210 } 1211 1212 /* 1213 * Upgrade needed? 1214 */ 1215 if (!zfsvfs->z_use_fuids) { 1216 otype = DMU_OT_OLDACL; 1217 } else { 1218 if ((aclp->z_version == ZFS_ACL_VERSION_INITIAL) && 1219 (zfsvfs->z_version >= ZPL_VERSION_FUID)) 1220 zfs_acl_xform(zp, aclp, cr); 1221 ASSERT(aclp->z_version >= ZFS_ACL_VERSION_FUID); 1222 otype = DMU_OT_ACL; 1223 } 1224 1225 /* 1226 * Arrgh, we have to handle old on disk format 1227 * as well as newer (preferred) SA format. 1228 */ 1229 1230 if (zp->z_is_sa) { /* the easy case, just update the ACL attribute */ 1231 locate.cb_aclp = aclp; 1232 SA_ADD_BULK_ATTR(bulk, count, SA_ZPL_DACL_ACES(zfsvfs), 1233 zfs_acl_data_locator, &locate, aclp->z_acl_bytes); 1234 SA_ADD_BULK_ATTR(bulk, count, SA_ZPL_DACL_COUNT(zfsvfs), 1235 NULL, &aclp->z_acl_count, sizeof (uint64_t)); 1236 } else { /* Painful legacy way */ 1237 zfs_acl_node_t *aclnode; 1238 uint64_t off = 0; 1239 zfs_acl_phys_t acl_phys; 1240 uint64_t aoid; 1241 1242 if ((error = sa_lookup(zp->z_sa_hdl, SA_ZPL_ZNODE_ACL(zfsvfs), 1243 &acl_phys, sizeof (acl_phys))) != 0) 1244 return (error); 1245 1246 aoid = acl_phys.z_acl_extern_obj; 1247 1248 if (aclp->z_acl_bytes > ZFS_ACE_SPACE) { 1249 /* 1250 * If ACL was previously external and we are now 1251 * converting to new ACL format then release old 1252 * ACL object and create a new one. 1253 */ 1254 if (aoid && 1255 aclp->z_version != acl_phys.z_acl_version) { 1256 error = dmu_object_free(zfsvfs->z_os, aoid, tx); 1257 if (error) 1258 return (error); 1259 aoid = 0; 1260 } 1261 if (aoid == 0) { 1262 aoid = dmu_object_alloc(zfsvfs->z_os, 1263 otype, aclp->z_acl_bytes, 1264 otype == DMU_OT_ACL ? 1265 DMU_OT_SYSACL : DMU_OT_NONE, 1266 otype == DMU_OT_ACL ? 1267 DN_MAX_BONUSLEN : 0, tx); 1268 } else { 1269 (void) dmu_object_set_blocksize(zfsvfs->z_os, 1270 aoid, aclp->z_acl_bytes, 0, tx); 1271 } 1272 acl_phys.z_acl_extern_obj = aoid; 1273 for (aclnode = list_head(&aclp->z_acl); aclnode; 1274 aclnode = list_next(&aclp->z_acl, aclnode)) { 1275 if (aclnode->z_ace_count == 0) 1276 continue; 1277 dmu_write(zfsvfs->z_os, aoid, off, 1278 aclnode->z_size, aclnode->z_acldata, tx); 1279 off += aclnode->z_size; 1280 } 1281 } else { 1282 void *start = acl_phys.z_ace_data; 1283 /* 1284 * Migrating back embedded? 1285 */ 1286 if (acl_phys.z_acl_extern_obj) { 1287 error = dmu_object_free(zfsvfs->z_os, 1288 acl_phys.z_acl_extern_obj, tx); 1289 if (error) 1290 return (error); 1291 acl_phys.z_acl_extern_obj = 0; 1292 } 1293 1294 for (aclnode = list_head(&aclp->z_acl); aclnode; 1295 aclnode = list_next(&aclp->z_acl, aclnode)) { 1296 if (aclnode->z_ace_count == 0) 1297 continue; 1298 bcopy(aclnode->z_acldata, start, 1299 aclnode->z_size); 1300 start = (caddr_t)start + aclnode->z_size; 1301 } 1302 } 1303 /* 1304 * If Old version then swap count/bytes to match old 1305 * layout of znode_acl_phys_t. 1306 */ 1307 if (aclp->z_version == ZFS_ACL_VERSION_INITIAL) { 1308 acl_phys.z_acl_size = aclp->z_acl_count; 1309 acl_phys.z_acl_count = aclp->z_acl_bytes; 1310 } else { 1311 acl_phys.z_acl_size = aclp->z_acl_bytes; 1312 acl_phys.z_acl_count = aclp->z_acl_count; 1313 } 1314 acl_phys.z_acl_version = aclp->z_version; 1315 1316 SA_ADD_BULK_ATTR(bulk, count, SA_ZPL_ZNODE_ACL(zfsvfs), NULL, 1317 &acl_phys, sizeof (acl_phys)); 1318 } 1319 1320 /* 1321 * Replace ACL wide bits, but first clear them. 1322 */ 1323 zp->z_pflags &= ~ZFS_ACL_WIDE_FLAGS; 1324 1325 zp->z_pflags |= aclp->z_hints; 1326 1327 if (ace_trivial_common(aclp, 0, zfs_ace_walk) == 0) 1328 zp->z_pflags |= ZFS_ACL_TRIVIAL; 1329 1330 zfs_tstamp_update_setup(zp, STATE_CHANGED, NULL, ctime, B_TRUE); 1331 return (sa_bulk_update(zp->z_sa_hdl, bulk, count, tx)); 1332 } 1333 1334 static void 1335 zfs_acl_chmod(vtype_t vtype, uint64_t mode, boolean_t trim, zfs_acl_t *aclp) 1336 { 1337 void *acep = NULL; 1338 uint64_t who; 1339 int new_count, new_bytes; 1340 int ace_size; 1341 int entry_type; 1342 uint16_t iflags, type; 1343 uint32_t access_mask; 1344 zfs_acl_node_t *newnode; 1345 size_t abstract_size = aclp->z_ops.ace_abstract_size(); 1346 void *zacep; 1347 boolean_t isdir; 1348 trivial_acl_t masks; 1349 1350 new_count = new_bytes = 0; 1351 1352 isdir = (vtype == VDIR); 1353 1354 acl_trivial_access_masks((mode_t)mode, isdir, &masks); 1355 1356 newnode = zfs_acl_node_alloc((abstract_size * 6) + aclp->z_acl_bytes); 1357 1358 zacep = newnode->z_acldata; 1359 if (masks.allow0) { 1360 zfs_set_ace(aclp, zacep, masks.allow0, ALLOW, -1, ACE_OWNER); 1361 zacep = (void *)((uintptr_t)zacep + abstract_size); 1362 new_count++; 1363 new_bytes += abstract_size; 1364 } if (masks.deny1) { 1365 zfs_set_ace(aclp, zacep, masks.deny1, DENY, -1, ACE_OWNER); 1366 zacep = (void *)((uintptr_t)zacep + abstract_size); 1367 new_count++; 1368 new_bytes += abstract_size; 1369 } 1370 if (masks.deny2) { 1371 zfs_set_ace(aclp, zacep, masks.deny2, DENY, -1, OWNING_GROUP); 1372 zacep = (void *)((uintptr_t)zacep + abstract_size); 1373 new_count++; 1374 new_bytes += abstract_size; 1375 } 1376 1377 while (acep = zfs_acl_next_ace(aclp, acep, &who, &access_mask, 1378 &iflags, &type)) { 1379 uint16_t inherit_flags; 1380 1381 entry_type = (iflags & ACE_TYPE_FLAGS); 1382 inherit_flags = (iflags & ALL_INHERIT); 1383 1384 if ((entry_type == ACE_OWNER || entry_type == ACE_EVERYONE || 1385 (entry_type == OWNING_GROUP)) && 1386 ((inherit_flags & ACE_INHERIT_ONLY_ACE) == 0)) { 1387 continue; 1388 } 1389 1390 /* 1391 * If this ACL has any inheritable ACEs, mark that in 1392 * the hints (which are later masked into the pflags) 1393 * so create knows to do inheritance. 1394 */ 1395 if (isdir && (inherit_flags & 1396 (ACE_FILE_INHERIT_ACE|ACE_DIRECTORY_INHERIT_ACE))) 1397 aclp->z_hints |= ZFS_INHERIT_ACE; 1398 1399 if ((type != ALLOW && type != DENY) || 1400 (inherit_flags & ACE_INHERIT_ONLY_ACE)) { 1401 switch (type) { 1402 case ACE_ACCESS_ALLOWED_OBJECT_ACE_TYPE: 1403 case ACE_ACCESS_DENIED_OBJECT_ACE_TYPE: 1404 case ACE_SYSTEM_AUDIT_OBJECT_ACE_TYPE: 1405 case ACE_SYSTEM_ALARM_OBJECT_ACE_TYPE: 1406 aclp->z_hints |= ZFS_ACL_OBJ_ACE; 1407 break; 1408 } 1409 } else { 1410 1411 /* 1412 * Limit permissions to be no greater than 1413 * group permissions. 1414 * The "aclinherit" and "aclmode" properties 1415 * affect policy for create and chmod(2), 1416 * respectively. 1417 */ 1418 if ((type == ALLOW) && trim) 1419 access_mask &= masks.group; 1420 } 1421 zfs_set_ace(aclp, zacep, access_mask, type, who, iflags); 1422 ace_size = aclp->z_ops.ace_size(acep); 1423 zacep = (void *)((uintptr_t)zacep + ace_size); 1424 new_count++; 1425 new_bytes += ace_size; 1426 } 1427 zfs_set_ace(aclp, zacep, masks.owner, 0, -1, ACE_OWNER); 1428 zacep = (void *)((uintptr_t)zacep + abstract_size); 1429 zfs_set_ace(aclp, zacep, masks.group, 0, -1, OWNING_GROUP); 1430 zacep = (void *)((uintptr_t)zacep + abstract_size); 1431 zfs_set_ace(aclp, zacep, masks.everyone, 0, -1, ACE_EVERYONE); 1432 1433 new_count += 3; 1434 new_bytes += abstract_size * 3; 1435 zfs_acl_release_nodes(aclp); 1436 aclp->z_acl_count = new_count; 1437 aclp->z_acl_bytes = new_bytes; 1438 newnode->z_ace_count = new_count; 1439 newnode->z_size = new_bytes; 1440 list_insert_tail(&aclp->z_acl, newnode); 1441 } 1442 1443 int 1444 zfs_acl_chmod_setattr(znode_t *zp, zfs_acl_t **aclp, uint64_t mode) 1445 { 1446 int error = 0; 1447 1448 mutex_enter(&zp->z_acl_lock); 1449 mutex_enter(&zp->z_lock); 1450 if (zp->z_zfsvfs->z_acl_mode == ZFS_ACL_DISCARD) 1451 *aclp = zfs_acl_alloc(zfs_acl_version_zp(zp)); 1452 else 1453 error = zfs_acl_node_read(zp, B_TRUE, aclp, B_TRUE); 1454 1455 if (error == 0) { 1456 (*aclp)->z_hints = zp->z_pflags & V4_ACL_WIDE_FLAGS; 1457 zfs_acl_chmod(ZTOV(zp)->v_type, mode, 1458 (zp->z_zfsvfs->z_acl_mode == ZFS_ACL_GROUPMASK), *aclp); 1459 } 1460 mutex_exit(&zp->z_lock); 1461 mutex_exit(&zp->z_acl_lock); 1462 1463 return (error); 1464 } 1465 1466 /* 1467 * strip off write_owner and write_acl 1468 */ 1469 static void 1470 zfs_restricted_update(zfsvfs_t *zfsvfs, zfs_acl_t *aclp, void *acep) 1471 { 1472 uint32_t mask = aclp->z_ops.ace_mask_get(acep); 1473 1474 if ((zfsvfs->z_acl_inherit == ZFS_ACL_RESTRICTED) && 1475 (aclp->z_ops.ace_type_get(acep) == ALLOW)) { 1476 mask &= ~RESTRICTED_CLEAR; 1477 aclp->z_ops.ace_mask_set(acep, mask); 1478 } 1479 } 1480 1481 /* 1482 * Should ACE be inherited? 1483 */ 1484 static int 1485 zfs_ace_can_use(vtype_t vtype, uint16_t acep_flags) 1486 { 1487 int iflags = (acep_flags & 0xf); 1488 1489 if ((vtype == VDIR) && (iflags & ACE_DIRECTORY_INHERIT_ACE)) 1490 return (1); 1491 else if (iflags & ACE_FILE_INHERIT_ACE) 1492 return (!((vtype == VDIR) && 1493 (iflags & ACE_NO_PROPAGATE_INHERIT_ACE))); 1494 return (0); 1495 } 1496 1497 /* 1498 * inherit inheritable ACEs from parent 1499 */ 1500 static zfs_acl_t * 1501 zfs_acl_inherit(zfsvfs_t *zfsvfs, vtype_t vtype, zfs_acl_t *paclp, 1502 uint64_t mode, boolean_t *need_chmod) 1503 { 1504 void *pacep; 1505 void *acep; 1506 zfs_acl_node_t *aclnode; 1507 zfs_acl_t *aclp = NULL; 1508 uint64_t who; 1509 uint32_t access_mask; 1510 uint16_t iflags, newflags, type; 1511 size_t ace_size; 1512 void *data1, *data2; 1513 size_t data1sz, data2sz; 1514 boolean_t vdir = vtype == VDIR; 1515 boolean_t vreg = vtype == VREG; 1516 boolean_t passthrough, passthrough_x, noallow; 1517 1518 passthrough_x = 1519 zfsvfs->z_acl_inherit == ZFS_ACL_PASSTHROUGH_X; 1520 passthrough = passthrough_x || 1521 zfsvfs->z_acl_inherit == ZFS_ACL_PASSTHROUGH; 1522 noallow = 1523 zfsvfs->z_acl_inherit == ZFS_ACL_NOALLOW; 1524 1525 *need_chmod = B_TRUE; 1526 pacep = NULL; 1527 aclp = zfs_acl_alloc(paclp->z_version); 1528 if (zfsvfs->z_acl_inherit == ZFS_ACL_DISCARD || vtype == VLNK) 1529 return (aclp); 1530 while (pacep = zfs_acl_next_ace(paclp, pacep, &who, 1531 &access_mask, &iflags, &type)) { 1532 1533 /* 1534 * don't inherit bogus ACEs 1535 */ 1536 if (!zfs_acl_valid_ace_type(type, iflags)) 1537 continue; 1538 1539 if (noallow && type == ALLOW) 1540 continue; 1541 1542 ace_size = aclp->z_ops.ace_size(pacep); 1543 1544 if (!zfs_ace_can_use(vtype, iflags)) 1545 continue; 1546 1547 /* 1548 * If owner@, group@, or everyone@ inheritable 1549 * then zfs_acl_chmod() isn't needed. 1550 */ 1551 if (passthrough && 1552 ((iflags & (ACE_OWNER|ACE_EVERYONE)) || 1553 ((iflags & OWNING_GROUP) == 1554 OWNING_GROUP)) && (vreg || (vdir && (iflags & 1555 ACE_DIRECTORY_INHERIT_ACE)))) { 1556 *need_chmod = B_FALSE; 1557 } 1558 1559 if (!vdir && passthrough_x && 1560 ((mode & (S_IXUSR | S_IXGRP | S_IXOTH)) == 0)) { 1561 access_mask &= ~ACE_EXECUTE; 1562 } 1563 1564 aclnode = zfs_acl_node_alloc(ace_size); 1565 list_insert_tail(&aclp->z_acl, aclnode); 1566 acep = aclnode->z_acldata; 1567 1568 zfs_set_ace(aclp, acep, access_mask, type, 1569 who, iflags|ACE_INHERITED_ACE); 1570 1571 /* 1572 * Copy special opaque data if any 1573 */ 1574 if ((data1sz = paclp->z_ops.ace_data(pacep, &data1)) != 0) { 1575 VERIFY((data2sz = aclp->z_ops.ace_data(acep, 1576 &data2)) == data1sz); 1577 bcopy(data1, data2, data2sz); 1578 } 1579 1580 aclp->z_acl_count++; 1581 aclnode->z_ace_count++; 1582 aclp->z_acl_bytes += aclnode->z_size; 1583 newflags = aclp->z_ops.ace_flags_get(acep); 1584 1585 if (vdir) 1586 aclp->z_hints |= ZFS_INHERIT_ACE; 1587 1588 if ((iflags & ACE_NO_PROPAGATE_INHERIT_ACE) || !vdir) { 1589 newflags &= ~ALL_INHERIT; 1590 aclp->z_ops.ace_flags_set(acep, 1591 newflags|ACE_INHERITED_ACE); 1592 zfs_restricted_update(zfsvfs, aclp, acep); 1593 continue; 1594 } 1595 1596 ASSERT(vdir); 1597 1598 /* 1599 * If only FILE_INHERIT is set then turn on 1600 * inherit_only 1601 */ 1602 if ((iflags & (ACE_FILE_INHERIT_ACE | 1603 ACE_DIRECTORY_INHERIT_ACE)) == ACE_FILE_INHERIT_ACE) { 1604 newflags |= ACE_INHERIT_ONLY_ACE; 1605 aclp->z_ops.ace_flags_set(acep, 1606 newflags|ACE_INHERITED_ACE); 1607 } else { 1608 newflags &= ~ACE_INHERIT_ONLY_ACE; 1609 aclp->z_ops.ace_flags_set(acep, 1610 newflags|ACE_INHERITED_ACE); 1611 } 1612 } 1613 return (aclp); 1614 } 1615 1616 /* 1617 * Create file system object initial permissions 1618 * including inheritable ACEs. 1619 */ 1620 int 1621 zfs_acl_ids_create(znode_t *dzp, int flag, vattr_t *vap, cred_t *cr, 1622 vsecattr_t *vsecp, zfs_acl_ids_t *acl_ids) 1623 { 1624 int error; 1625 zfsvfs_t *zfsvfs = dzp->z_zfsvfs; 1626 zfs_acl_t *paclp; 1627 gid_t gid; 1628 boolean_t need_chmod = B_TRUE; 1629 boolean_t inherited = B_FALSE; 1630 1631 bzero(acl_ids, sizeof (zfs_acl_ids_t)); 1632 acl_ids->z_mode = MAKEIMODE(vap->va_type, vap->va_mode); 1633 1634 if (vsecp) 1635 if ((error = zfs_vsec_2_aclp(zfsvfs, vap->va_type, vsecp, cr, 1636 &acl_ids->z_fuidp, &acl_ids->z_aclp)) != 0) 1637 return (error); 1638 /* 1639 * Determine uid and gid. 1640 */ 1641 if ((flag & IS_ROOT_NODE) || zfsvfs->z_replay || 1642 ((flag & IS_XATTR) && (vap->va_type == VDIR))) { 1643 acl_ids->z_fuid = zfs_fuid_create(zfsvfs, 1644 (uint64_t)vap->va_uid, cr, 1645 ZFS_OWNER, &acl_ids->z_fuidp); 1646 acl_ids->z_fgid = zfs_fuid_create(zfsvfs, 1647 (uint64_t)vap->va_gid, cr, 1648 ZFS_GROUP, &acl_ids->z_fuidp); 1649 gid = vap->va_gid; 1650 } else { 1651 acl_ids->z_fuid = zfs_fuid_create_cred(zfsvfs, ZFS_OWNER, 1652 cr, &acl_ids->z_fuidp); 1653 acl_ids->z_fgid = 0; 1654 if (vap->va_mask & AT_GID) { 1655 acl_ids->z_fgid = zfs_fuid_create(zfsvfs, 1656 (uint64_t)vap->va_gid, 1657 cr, ZFS_GROUP, &acl_ids->z_fuidp); 1658 gid = vap->va_gid; 1659 if (acl_ids->z_fgid != dzp->z_gid && 1660 !groupmember(vap->va_gid, cr) && 1661 secpolicy_vnode_create_gid(cr) != 0) 1662 acl_ids->z_fgid = 0; 1663 } 1664 if (acl_ids->z_fgid == 0) { 1665 if (dzp->z_mode & S_ISGID) { 1666 char *domain; 1667 uint32_t rid; 1668 1669 acl_ids->z_fgid = dzp->z_gid; 1670 gid = zfs_fuid_map_id(zfsvfs, acl_ids->z_fgid, 1671 cr, ZFS_GROUP); 1672 1673 if (zfsvfs->z_use_fuids && 1674 IS_EPHEMERAL(acl_ids->z_fgid)) { 1675 domain = zfs_fuid_idx_domain( 1676 &zfsvfs->z_fuid_idx, 1677 FUID_INDEX(acl_ids->z_fgid)); 1678 rid = FUID_RID(acl_ids->z_fgid); 1679 zfs_fuid_node_add(&acl_ids->z_fuidp, 1680 domain, rid, 1681 FUID_INDEX(acl_ids->z_fgid), 1682 acl_ids->z_fgid, ZFS_GROUP); 1683 } 1684 } else { 1685 acl_ids->z_fgid = zfs_fuid_create_cred(zfsvfs, 1686 ZFS_GROUP, cr, &acl_ids->z_fuidp); 1687 gid = crgetgid(cr); 1688 } 1689 } 1690 } 1691 1692 /* 1693 * If we're creating a directory, and the parent directory has the 1694 * set-GID bit set, set in on the new directory. 1695 * Otherwise, if the user is neither privileged nor a member of the 1696 * file's new group, clear the file's set-GID bit. 1697 */ 1698 1699 if (!(flag & IS_ROOT_NODE) && (dzp->z_mode & S_ISGID) && 1700 (vap->va_type == VDIR)) { 1701 acl_ids->z_mode |= S_ISGID; 1702 } else { 1703 if ((acl_ids->z_mode & S_ISGID) && 1704 secpolicy_vnode_setids_setgids(cr, gid) != 0) 1705 acl_ids->z_mode &= ~S_ISGID; 1706 } 1707 1708 if (acl_ids->z_aclp == NULL) { 1709 mutex_enter(&dzp->z_acl_lock); 1710 mutex_enter(&dzp->z_lock); 1711 if (!(flag & IS_ROOT_NODE) && 1712 (dzp->z_pflags & ZFS_INHERIT_ACE) && 1713 !(dzp->z_pflags & ZFS_XATTR)) { 1714 VERIFY(0 == zfs_acl_node_read(dzp, B_TRUE, 1715 &paclp, B_FALSE)); 1716 acl_ids->z_aclp = zfs_acl_inherit(zfsvfs, 1717 vap->va_type, paclp, acl_ids->z_mode, &need_chmod); 1718 inherited = B_TRUE; 1719 } else { 1720 acl_ids->z_aclp = 1721 zfs_acl_alloc(zfs_acl_version_zp(dzp)); 1722 acl_ids->z_aclp->z_hints |= ZFS_ACL_TRIVIAL; 1723 } 1724 mutex_exit(&dzp->z_lock); 1725 mutex_exit(&dzp->z_acl_lock); 1726 if (need_chmod) { 1727 acl_ids->z_aclp->z_hints |= (vap->va_type == VDIR) ? 1728 ZFS_ACL_AUTO_INHERIT : 0; 1729 zfs_acl_chmod(vap->va_type, acl_ids->z_mode, 1730 (zfsvfs->z_acl_inherit == ZFS_ACL_RESTRICTED), 1731 acl_ids->z_aclp); 1732 } 1733 } 1734 1735 if (inherited || vsecp) { 1736 acl_ids->z_mode = zfs_mode_compute(acl_ids->z_mode, 1737 acl_ids->z_aclp, &acl_ids->z_aclp->z_hints, 1738 acl_ids->z_fuid, acl_ids->z_fgid); 1739 if (ace_trivial_common(acl_ids->z_aclp, 0, zfs_ace_walk) == 0) 1740 acl_ids->z_aclp->z_hints |= ZFS_ACL_TRIVIAL; 1741 } 1742 1743 return (0); 1744 } 1745 1746 /* 1747 * Free ACL and fuid_infop, but not the acl_ids structure 1748 */ 1749 void 1750 zfs_acl_ids_free(zfs_acl_ids_t *acl_ids) 1751 { 1752 if (acl_ids->z_aclp) 1753 zfs_acl_free(acl_ids->z_aclp); 1754 if (acl_ids->z_fuidp) 1755 zfs_fuid_info_free(acl_ids->z_fuidp); 1756 acl_ids->z_aclp = NULL; 1757 acl_ids->z_fuidp = NULL; 1758 } 1759 1760 boolean_t 1761 zfs_acl_ids_overquota(zfsvfs_t *zfsvfs, zfs_acl_ids_t *acl_ids) 1762 { 1763 return (zfs_fuid_overquota(zfsvfs, B_FALSE, acl_ids->z_fuid) || 1764 zfs_fuid_overquota(zfsvfs, B_TRUE, acl_ids->z_fgid)); 1765 } 1766 1767 /* 1768 * Retrieve a files ACL 1769 */ 1770 int 1771 zfs_getacl(znode_t *zp, vsecattr_t *vsecp, boolean_t skipaclchk, cred_t *cr) 1772 { 1773 zfs_acl_t *aclp; 1774 ulong_t mask; 1775 int error; 1776 int count = 0; 1777 int largeace = 0; 1778 1779 mask = vsecp->vsa_mask & (VSA_ACE | VSA_ACECNT | 1780 VSA_ACE_ACLFLAGS | VSA_ACE_ALLTYPES); 1781 1782 if (mask == 0) 1783 return (ENOSYS); 1784 1785 if (error = zfs_zaccess(zp, ACE_READ_ACL, 0, skipaclchk, cr)) 1786 return (error); 1787 1788 mutex_enter(&zp->z_acl_lock); 1789 1790 error = zfs_acl_node_read(zp, B_FALSE, &aclp, B_FALSE); 1791 if (error != 0) { 1792 mutex_exit(&zp->z_acl_lock); 1793 return (error); 1794 } 1795 1796 /* 1797 * Scan ACL to determine number of ACEs 1798 */ 1799 if ((zp->z_pflags & ZFS_ACL_OBJ_ACE) && !(mask & VSA_ACE_ALLTYPES)) { 1800 void *zacep = NULL; 1801 uint64_t who; 1802 uint32_t access_mask; 1803 uint16_t type, iflags; 1804 1805 while (zacep = zfs_acl_next_ace(aclp, zacep, 1806 &who, &access_mask, &iflags, &type)) { 1807 switch (type) { 1808 case ACE_ACCESS_ALLOWED_OBJECT_ACE_TYPE: 1809 case ACE_ACCESS_DENIED_OBJECT_ACE_TYPE: 1810 case ACE_SYSTEM_AUDIT_OBJECT_ACE_TYPE: 1811 case ACE_SYSTEM_ALARM_OBJECT_ACE_TYPE: 1812 largeace++; 1813 continue; 1814 default: 1815 count++; 1816 } 1817 } 1818 vsecp->vsa_aclcnt = count; 1819 } else 1820 count = (int)aclp->z_acl_count; 1821 1822 if (mask & VSA_ACECNT) { 1823 vsecp->vsa_aclcnt = count; 1824 } 1825 1826 if (mask & VSA_ACE) { 1827 size_t aclsz; 1828 1829 aclsz = count * sizeof (ace_t) + 1830 sizeof (ace_object_t) * largeace; 1831 1832 vsecp->vsa_aclentp = kmem_alloc(aclsz, KM_SLEEP); 1833 vsecp->vsa_aclentsz = aclsz; 1834 1835 if (aclp->z_version == ZFS_ACL_VERSION_FUID) 1836 zfs_copy_fuid_2_ace(zp->z_zfsvfs, aclp, cr, 1837 vsecp->vsa_aclentp, !(mask & VSA_ACE_ALLTYPES)); 1838 else { 1839 zfs_acl_node_t *aclnode; 1840 void *start = vsecp->vsa_aclentp; 1841 1842 for (aclnode = list_head(&aclp->z_acl); aclnode; 1843 aclnode = list_next(&aclp->z_acl, aclnode)) { 1844 bcopy(aclnode->z_acldata, start, 1845 aclnode->z_size); 1846 start = (caddr_t)start + aclnode->z_size; 1847 } 1848 ASSERT((caddr_t)start - (caddr_t)vsecp->vsa_aclentp == 1849 aclp->z_acl_bytes); 1850 } 1851 } 1852 if (mask & VSA_ACE_ACLFLAGS) { 1853 vsecp->vsa_aclflags = 0; 1854 if (zp->z_pflags & ZFS_ACL_DEFAULTED) 1855 vsecp->vsa_aclflags |= ACL_DEFAULTED; 1856 if (zp->z_pflags & ZFS_ACL_PROTECTED) 1857 vsecp->vsa_aclflags |= ACL_PROTECTED; 1858 if (zp->z_pflags & ZFS_ACL_AUTO_INHERIT) 1859 vsecp->vsa_aclflags |= ACL_AUTO_INHERIT; 1860 } 1861 1862 mutex_exit(&zp->z_acl_lock); 1863 1864 return (0); 1865 } 1866 1867 int 1868 zfs_vsec_2_aclp(zfsvfs_t *zfsvfs, vtype_t obj_type, 1869 vsecattr_t *vsecp, cred_t *cr, zfs_fuid_info_t **fuidp, zfs_acl_t **zaclp) 1870 { 1871 zfs_acl_t *aclp; 1872 zfs_acl_node_t *aclnode; 1873 int aclcnt = vsecp->vsa_aclcnt; 1874 int error; 1875 1876 if (vsecp->vsa_aclcnt > MAX_ACL_ENTRIES || vsecp->vsa_aclcnt <= 0) 1877 return (EINVAL); 1878 1879 aclp = zfs_acl_alloc(zfs_acl_version(zfsvfs->z_version)); 1880 1881 aclp->z_hints = 0; 1882 aclnode = zfs_acl_node_alloc(aclcnt * sizeof (zfs_object_ace_t)); 1883 if (aclp->z_version == ZFS_ACL_VERSION_INITIAL) { 1884 if ((error = zfs_copy_ace_2_oldace(obj_type, aclp, 1885 (ace_t *)vsecp->vsa_aclentp, aclnode->z_acldata, 1886 aclcnt, &aclnode->z_size)) != 0) { 1887 zfs_acl_free(aclp); 1888 zfs_acl_node_free(aclnode); 1889 return (error); 1890 } 1891 } else { 1892 if ((error = zfs_copy_ace_2_fuid(zfsvfs, obj_type, aclp, 1893 vsecp->vsa_aclentp, aclnode->z_acldata, aclcnt, 1894 &aclnode->z_size, fuidp, cr)) != 0) { 1895 zfs_acl_free(aclp); 1896 zfs_acl_node_free(aclnode); 1897 return (error); 1898 } 1899 } 1900 aclp->z_acl_bytes = aclnode->z_size; 1901 aclnode->z_ace_count = aclcnt; 1902 aclp->z_acl_count = aclcnt; 1903 list_insert_head(&aclp->z_acl, aclnode); 1904 1905 /* 1906 * If flags are being set then add them to z_hints 1907 */ 1908 if (vsecp->vsa_mask & VSA_ACE_ACLFLAGS) { 1909 if (vsecp->vsa_aclflags & ACL_PROTECTED) 1910 aclp->z_hints |= ZFS_ACL_PROTECTED; 1911 if (vsecp->vsa_aclflags & ACL_DEFAULTED) 1912 aclp->z_hints |= ZFS_ACL_DEFAULTED; 1913 if (vsecp->vsa_aclflags & ACL_AUTO_INHERIT) 1914 aclp->z_hints |= ZFS_ACL_AUTO_INHERIT; 1915 } 1916 1917 *zaclp = aclp; 1918 1919 return (0); 1920 } 1921 1922 /* 1923 * Set a files ACL 1924 */ 1925 int 1926 zfs_setacl(znode_t *zp, vsecattr_t *vsecp, boolean_t skipaclchk, cred_t *cr) 1927 { 1928 zfsvfs_t *zfsvfs = zp->z_zfsvfs; 1929 zilog_t *zilog = zfsvfs->z_log; 1930 ulong_t mask = vsecp->vsa_mask & (VSA_ACE | VSA_ACECNT); 1931 dmu_tx_t *tx; 1932 int error; 1933 zfs_acl_t *aclp; 1934 zfs_fuid_info_t *fuidp = NULL; 1935 boolean_t fuid_dirtied; 1936 uint64_t acl_obj; 1937 1938 if (mask == 0) 1939 return (ENOSYS); 1940 1941 if (zp->z_pflags & ZFS_IMMUTABLE) 1942 return (EPERM); 1943 1944 if (error = zfs_zaccess(zp, ACE_WRITE_ACL, 0, skipaclchk, cr)) 1945 return (error); 1946 1947 error = zfs_vsec_2_aclp(zfsvfs, ZTOV(zp)->v_type, vsecp, cr, &fuidp, 1948 &aclp); 1949 if (error) 1950 return (error); 1951 1952 /* 1953 * If ACL wide flags aren't being set then preserve any 1954 * existing flags. 1955 */ 1956 if (!(vsecp->vsa_mask & VSA_ACE_ACLFLAGS)) { 1957 aclp->z_hints |= 1958 (zp->z_pflags & V4_ACL_WIDE_FLAGS); 1959 } 1960 top: 1961 mutex_enter(&zp->z_acl_lock); 1962 mutex_enter(&zp->z_lock); 1963 1964 tx = dmu_tx_create(zfsvfs->z_os); 1965 1966 dmu_tx_hold_sa(tx, zp->z_sa_hdl, B_TRUE); 1967 1968 fuid_dirtied = zfsvfs->z_fuid_dirty; 1969 if (fuid_dirtied) 1970 zfs_fuid_txhold(zfsvfs, tx); 1971 1972 /* 1973 * If old version and ACL won't fit in bonus and we aren't 1974 * upgrading then take out necessary DMU holds 1975 */ 1976 1977 if ((acl_obj = zfs_external_acl(zp)) != 0) { 1978 if (zfsvfs->z_version >= ZPL_VERSION_FUID && 1979 zfs_znode_acl_version(zp) <= ZFS_ACL_VERSION_INITIAL) { 1980 dmu_tx_hold_free(tx, acl_obj, 0, 1981 DMU_OBJECT_END); 1982 dmu_tx_hold_write(tx, DMU_NEW_OBJECT, 0, 1983 aclp->z_acl_bytes); 1984 } else { 1985 dmu_tx_hold_write(tx, acl_obj, 0, aclp->z_acl_bytes); 1986 } 1987 } else if (!zp->z_is_sa && aclp->z_acl_bytes > ZFS_ACE_SPACE) { 1988 dmu_tx_hold_write(tx, DMU_NEW_OBJECT, 0, aclp->z_acl_bytes); 1989 } 1990 1991 zfs_sa_upgrade_txholds(tx, zp); 1992 error = dmu_tx_assign(tx, TXG_NOWAIT); 1993 if (error) { 1994 mutex_exit(&zp->z_acl_lock); 1995 mutex_exit(&zp->z_lock); 1996 1997 if (error == ERESTART) { 1998 dmu_tx_wait(tx); 1999 dmu_tx_abort(tx); 2000 goto top; 2001 } 2002 dmu_tx_abort(tx); 2003 zfs_acl_free(aclp); 2004 return (error); 2005 } 2006 2007 error = zfs_aclset_common(zp, aclp, cr, tx); 2008 ASSERT(error == 0); 2009 ASSERT(zp->z_acl_cached == NULL); 2010 zp->z_acl_cached = aclp; 2011 2012 if (fuid_dirtied) 2013 zfs_fuid_sync(zfsvfs, tx); 2014 2015 zfs_log_acl(zilog, tx, zp, vsecp, fuidp); 2016 2017 if (fuidp) 2018 zfs_fuid_info_free(fuidp); 2019 dmu_tx_commit(tx); 2020 done: 2021 mutex_exit(&zp->z_lock); 2022 mutex_exit(&zp->z_acl_lock); 2023 2024 return (error); 2025 } 2026 2027 /* 2028 * Check accesses of interest (AoI) against attributes of the dataset 2029 * such as read-only. Returns zero if no AoI conflict with dataset 2030 * attributes, otherwise an appropriate errno is returned. 2031 */ 2032 static int 2033 zfs_zaccess_dataset_check(znode_t *zp, uint32_t v4_mode) 2034 { 2035 if ((v4_mode & WRITE_MASK) && 2036 (zp->z_zfsvfs->z_vfs->vfs_flag & VFS_RDONLY) && 2037 (!IS_DEVVP(ZTOV(zp)) || 2038 (IS_DEVVP(ZTOV(zp)) && (v4_mode & WRITE_MASK_ATTRS)))) { 2039 return (EROFS); 2040 } 2041 2042 /* 2043 * Only check for READONLY on non-directories. 2044 */ 2045 if ((v4_mode & WRITE_MASK_DATA) && 2046 (((ZTOV(zp)->v_type != VDIR) && 2047 (zp->z_pflags & (ZFS_READONLY | ZFS_IMMUTABLE))) || 2048 (ZTOV(zp)->v_type == VDIR && 2049 (zp->z_pflags & ZFS_IMMUTABLE)))) { 2050 return (EPERM); 2051 } 2052 2053 if ((v4_mode & (ACE_DELETE | ACE_DELETE_CHILD)) && 2054 (zp->z_pflags & ZFS_NOUNLINK)) { 2055 return (EPERM); 2056 } 2057 2058 if (((v4_mode & (ACE_READ_DATA|ACE_EXECUTE)) && 2059 (zp->z_pflags & ZFS_AV_QUARANTINED))) { 2060 return (EACCES); 2061 } 2062 2063 return (0); 2064 } 2065 2066 /* 2067 * The primary usage of this function is to loop through all of the 2068 * ACEs in the znode, determining what accesses of interest (AoI) to 2069 * the caller are allowed or denied. The AoI are expressed as bits in 2070 * the working_mode parameter. As each ACE is processed, bits covered 2071 * by that ACE are removed from the working_mode. This removal 2072 * facilitates two things. The first is that when the working mode is 2073 * empty (= 0), we know we've looked at all the AoI. The second is 2074 * that the ACE interpretation rules don't allow a later ACE to undo 2075 * something granted or denied by an earlier ACE. Removing the 2076 * discovered access or denial enforces this rule. At the end of 2077 * processing the ACEs, all AoI that were found to be denied are 2078 * placed into the working_mode, giving the caller a mask of denied 2079 * accesses. Returns: 2080 * 0 if all AoI granted 2081 * EACCESS if the denied mask is non-zero 2082 * other error if abnormal failure (e.g., IO error) 2083 * 2084 * A secondary usage of the function is to determine if any of the 2085 * AoI are granted. If an ACE grants any access in 2086 * the working_mode, we immediately short circuit out of the function. 2087 * This mode is chosen by setting anyaccess to B_TRUE. The 2088 * working_mode is not a denied access mask upon exit if the function 2089 * is used in this manner. 2090 */ 2091 static int 2092 zfs_zaccess_aces_check(znode_t *zp, uint32_t *working_mode, 2093 boolean_t anyaccess, cred_t *cr) 2094 { 2095 zfsvfs_t *zfsvfs = zp->z_zfsvfs; 2096 zfs_acl_t *aclp; 2097 int error; 2098 uid_t uid = crgetuid(cr); 2099 uint64_t who; 2100 uint16_t type, iflags; 2101 uint16_t entry_type; 2102 uint32_t access_mask; 2103 uint32_t deny_mask = 0; 2104 zfs_ace_hdr_t *acep = NULL; 2105 boolean_t checkit; 2106 uid_t gowner; 2107 uid_t fowner; 2108 2109 zfs_fuid_map_ids(zp, cr, &fowner, &gowner); 2110 2111 mutex_enter(&zp->z_acl_lock); 2112 2113 error = zfs_acl_node_read(zp, B_FALSE, &aclp, B_FALSE); 2114 if (error != 0) { 2115 mutex_exit(&zp->z_acl_lock); 2116 return (error); 2117 } 2118 2119 ASSERT(zp->z_acl_cached); 2120 2121 while (acep = zfs_acl_next_ace(aclp, acep, &who, &access_mask, 2122 &iflags, &type)) { 2123 uint32_t mask_matched; 2124 2125 if (!zfs_acl_valid_ace_type(type, iflags)) 2126 continue; 2127 2128 if (ZTOV(zp)->v_type == VDIR && (iflags & ACE_INHERIT_ONLY_ACE)) 2129 continue; 2130 2131 /* Skip ACE if it does not affect any AoI */ 2132 mask_matched = (access_mask & *working_mode); 2133 if (!mask_matched) 2134 continue; 2135 2136 entry_type = (iflags & ACE_TYPE_FLAGS); 2137 2138 checkit = B_FALSE; 2139 2140 switch (entry_type) { 2141 case ACE_OWNER: 2142 if (uid == fowner) 2143 checkit = B_TRUE; 2144 break; 2145 case OWNING_GROUP: 2146 who = gowner; 2147 /*FALLTHROUGH*/ 2148 case ACE_IDENTIFIER_GROUP: 2149 checkit = zfs_groupmember(zfsvfs, who, cr); 2150 break; 2151 case ACE_EVERYONE: 2152 checkit = B_TRUE; 2153 break; 2154 2155 /* USER Entry */ 2156 default: 2157 if (entry_type == 0) { 2158 uid_t newid; 2159 2160 newid = zfs_fuid_map_id(zfsvfs, who, cr, 2161 ZFS_ACE_USER); 2162 if (newid != IDMAP_WK_CREATOR_OWNER_UID && 2163 uid == newid) 2164 checkit = B_TRUE; 2165 break; 2166 } else { 2167 mutex_exit(&zp->z_acl_lock); 2168 return (EIO); 2169 } 2170 } 2171 2172 if (checkit) { 2173 if (type == DENY) { 2174 DTRACE_PROBE3(zfs__ace__denies, 2175 znode_t *, zp, 2176 zfs_ace_hdr_t *, acep, 2177 uint32_t, mask_matched); 2178 deny_mask |= mask_matched; 2179 } else { 2180 DTRACE_PROBE3(zfs__ace__allows, 2181 znode_t *, zp, 2182 zfs_ace_hdr_t *, acep, 2183 uint32_t, mask_matched); 2184 if (anyaccess) { 2185 mutex_exit(&zp->z_acl_lock); 2186 return (0); 2187 } 2188 } 2189 *working_mode &= ~mask_matched; 2190 } 2191 2192 /* Are we done? */ 2193 if (*working_mode == 0) 2194 break; 2195 } 2196 2197 mutex_exit(&zp->z_acl_lock); 2198 2199 /* Put the found 'denies' back on the working mode */ 2200 if (deny_mask) { 2201 *working_mode |= deny_mask; 2202 return (EACCES); 2203 } else if (*working_mode) { 2204 return (-1); 2205 } 2206 2207 return (0); 2208 } 2209 2210 /* 2211 * Return true if any access whatsoever granted, we don't actually 2212 * care what access is granted. 2213 */ 2214 boolean_t 2215 zfs_has_access(znode_t *zp, cred_t *cr) 2216 { 2217 uint32_t have = ACE_ALL_PERMS; 2218 2219 if (zfs_zaccess_aces_check(zp, &have, B_TRUE, cr) != 0) { 2220 uid_t owner; 2221 2222 owner = zfs_fuid_map_id(zp->z_zfsvfs, zp->z_uid, cr, ZFS_OWNER); 2223 return (secpolicy_vnode_any_access(cr, ZTOV(zp), owner) == 0); 2224 } 2225 return (B_TRUE); 2226 } 2227 2228 static int 2229 zfs_zaccess_common(znode_t *zp, uint32_t v4_mode, uint32_t *working_mode, 2230 boolean_t *check_privs, boolean_t skipaclchk, cred_t *cr) 2231 { 2232 zfsvfs_t *zfsvfs = zp->z_zfsvfs; 2233 int err; 2234 2235 *working_mode = v4_mode; 2236 *check_privs = B_TRUE; 2237 2238 /* 2239 * Short circuit empty requests 2240 */ 2241 if (v4_mode == 0 || zfsvfs->z_replay) { 2242 *working_mode = 0; 2243 return (0); 2244 } 2245 2246 if ((err = zfs_zaccess_dataset_check(zp, v4_mode)) != 0) { 2247 *check_privs = B_FALSE; 2248 return (err); 2249 } 2250 2251 /* 2252 * The caller requested that the ACL check be skipped. This 2253 * would only happen if the caller checked VOP_ACCESS() with a 2254 * 32 bit ACE mask and already had the appropriate permissions. 2255 */ 2256 if (skipaclchk) { 2257 *working_mode = 0; 2258 return (0); 2259 } 2260 2261 return (zfs_zaccess_aces_check(zp, working_mode, B_FALSE, cr)); 2262 } 2263 2264 static int 2265 zfs_zaccess_append(znode_t *zp, uint32_t *working_mode, boolean_t *check_privs, 2266 cred_t *cr) 2267 { 2268 if (*working_mode != ACE_WRITE_DATA) 2269 return (EACCES); 2270 2271 return (zfs_zaccess_common(zp, ACE_APPEND_DATA, working_mode, 2272 check_privs, B_FALSE, cr)); 2273 } 2274 2275 int 2276 zfs_fastaccesschk_execute(znode_t *zdp, cred_t *cr) 2277 { 2278 boolean_t owner = B_FALSE; 2279 boolean_t groupmbr = B_FALSE; 2280 boolean_t is_attr; 2281 uid_t uid = crgetuid(cr); 2282 int error; 2283 2284 if (zdp->z_pflags & ZFS_AV_QUARANTINED) 2285 return (EACCES); 2286 2287 is_attr = ((zdp->z_pflags & ZFS_XATTR) && 2288 (ZTOV(zdp)->v_type == VDIR)); 2289 if (is_attr) 2290 goto slow; 2291 2292 2293 mutex_enter(&zdp->z_acl_lock); 2294 2295 if (zdp->z_pflags & ZFS_NO_EXECS_DENIED) { 2296 mutex_exit(&zdp->z_acl_lock); 2297 return (0); 2298 } 2299 2300 if (FUID_INDEX(zdp->z_uid) != 0 || FUID_INDEX(zdp->z_gid) != 0) { 2301 mutex_exit(&zdp->z_acl_lock); 2302 goto slow; 2303 } 2304 2305 if (uid == zdp->z_uid) { 2306 owner = B_TRUE; 2307 if (zdp->z_mode & S_IXUSR) { 2308 mutex_exit(&zdp->z_acl_lock); 2309 return (0); 2310 } else { 2311 mutex_exit(&zdp->z_acl_lock); 2312 goto slow; 2313 } 2314 } 2315 if (groupmember(zdp->z_gid, cr)) { 2316 groupmbr = B_TRUE; 2317 if (zdp->z_mode & S_IXGRP) { 2318 mutex_exit(&zdp->z_acl_lock); 2319 return (0); 2320 } else { 2321 mutex_exit(&zdp->z_acl_lock); 2322 goto slow; 2323 } 2324 } 2325 if (!owner && !groupmbr) { 2326 if (zdp->z_mode & S_IXOTH) { 2327 mutex_exit(&zdp->z_acl_lock); 2328 return (0); 2329 } 2330 } 2331 2332 mutex_exit(&zdp->z_acl_lock); 2333 2334 slow: 2335 DTRACE_PROBE(zfs__fastpath__execute__access__miss); 2336 ZFS_ENTER(zdp->z_zfsvfs); 2337 error = zfs_zaccess(zdp, ACE_EXECUTE, 0, B_FALSE, cr); 2338 ZFS_EXIT(zdp->z_zfsvfs); 2339 return (error); 2340 } 2341 2342 /* 2343 * Determine whether Access should be granted/denied. 2344 * The least priv subsytem is always consulted as a basic privilege 2345 * can define any form of access. 2346 */ 2347 int 2348 zfs_zaccess(znode_t *zp, int mode, int flags, boolean_t skipaclchk, cred_t *cr) 2349 { 2350 uint32_t working_mode; 2351 int error; 2352 int is_attr; 2353 boolean_t check_privs; 2354 znode_t *xzp; 2355 znode_t *check_zp = zp; 2356 mode_t needed_bits; 2357 uid_t owner; 2358 2359 is_attr = ((zp->z_pflags & ZFS_XATTR) && (ZTOV(zp)->v_type == VDIR)); 2360 2361 /* 2362 * If attribute then validate against base file 2363 */ 2364 if (is_attr) { 2365 uint64_t parent; 2366 2367 if ((error = sa_lookup(zp->z_sa_hdl, 2368 SA_ZPL_PARENT(zp->z_zfsvfs), &parent, 2369 sizeof (parent))) != 0) 2370 return (error); 2371 2372 if ((error = zfs_zget(zp->z_zfsvfs, 2373 parent, &xzp)) != 0) { 2374 return (error); 2375 } 2376 2377 check_zp = xzp; 2378 2379 /* 2380 * fixup mode to map to xattr perms 2381 */ 2382 2383 if (mode & (ACE_WRITE_DATA|ACE_APPEND_DATA)) { 2384 mode &= ~(ACE_WRITE_DATA|ACE_APPEND_DATA); 2385 mode |= ACE_WRITE_NAMED_ATTRS; 2386 } 2387 2388 if (mode & (ACE_READ_DATA|ACE_EXECUTE)) { 2389 mode &= ~(ACE_READ_DATA|ACE_EXECUTE); 2390 mode |= ACE_READ_NAMED_ATTRS; 2391 } 2392 } 2393 2394 owner = zfs_fuid_map_id(zp->z_zfsvfs, zp->z_uid, cr, ZFS_OWNER); 2395 /* 2396 * Map the bits required to the standard vnode flags VREAD|VWRITE|VEXEC 2397 * in needed_bits. Map the bits mapped by working_mode (currently 2398 * missing) in missing_bits. 2399 * Call secpolicy_vnode_access2() with (needed_bits & ~checkmode), 2400 * needed_bits. 2401 */ 2402 needed_bits = 0; 2403 2404 working_mode = mode; 2405 if ((working_mode & (ACE_READ_ACL|ACE_READ_ATTRIBUTES)) && 2406 owner == crgetuid(cr)) 2407 working_mode &= ~(ACE_READ_ACL|ACE_READ_ATTRIBUTES); 2408 2409 if (working_mode & (ACE_READ_DATA|ACE_READ_NAMED_ATTRS| 2410 ACE_READ_ACL|ACE_READ_ATTRIBUTES|ACE_SYNCHRONIZE)) 2411 needed_bits |= VREAD; 2412 if (working_mode & (ACE_WRITE_DATA|ACE_WRITE_NAMED_ATTRS| 2413 ACE_APPEND_DATA|ACE_WRITE_ATTRIBUTES|ACE_SYNCHRONIZE)) 2414 needed_bits |= VWRITE; 2415 if (working_mode & ACE_EXECUTE) 2416 needed_bits |= VEXEC; 2417 2418 if ((error = zfs_zaccess_common(check_zp, mode, &working_mode, 2419 &check_privs, skipaclchk, cr)) == 0) { 2420 if (is_attr) 2421 VN_RELE(ZTOV(xzp)); 2422 return (secpolicy_vnode_access2(cr, ZTOV(zp), owner, 2423 needed_bits, needed_bits)); 2424 } 2425 2426 if (error && !check_privs) { 2427 if (is_attr) 2428 VN_RELE(ZTOV(xzp)); 2429 return (error); 2430 } 2431 2432 if (error && (flags & V_APPEND)) { 2433 error = zfs_zaccess_append(zp, &working_mode, &check_privs, cr); 2434 } 2435 2436 if (error && check_privs) { 2437 mode_t checkmode = 0; 2438 2439 /* 2440 * First check for implicit owner permission on 2441 * read_acl/read_attributes 2442 */ 2443 2444 error = 0; 2445 ASSERT(working_mode != 0); 2446 2447 if ((working_mode & (ACE_READ_ACL|ACE_READ_ATTRIBUTES) && 2448 owner == crgetuid(cr))) 2449 working_mode &= ~(ACE_READ_ACL|ACE_READ_ATTRIBUTES); 2450 2451 if (working_mode & (ACE_READ_DATA|ACE_READ_NAMED_ATTRS| 2452 ACE_READ_ACL|ACE_READ_ATTRIBUTES|ACE_SYNCHRONIZE)) 2453 checkmode |= VREAD; 2454 if (working_mode & (ACE_WRITE_DATA|ACE_WRITE_NAMED_ATTRS| 2455 ACE_APPEND_DATA|ACE_WRITE_ATTRIBUTES|ACE_SYNCHRONIZE)) 2456 checkmode |= VWRITE; 2457 if (working_mode & ACE_EXECUTE) 2458 checkmode |= VEXEC; 2459 2460 error = secpolicy_vnode_access2(cr, ZTOV(check_zp), owner, 2461 needed_bits & ~checkmode, needed_bits); 2462 2463 if (error == 0 && (working_mode & ACE_WRITE_OWNER)) 2464 error = secpolicy_vnode_chown(cr, owner); 2465 if (error == 0 && (working_mode & ACE_WRITE_ACL)) 2466 error = secpolicy_vnode_setdac(cr, owner); 2467 2468 if (error == 0 && (working_mode & 2469 (ACE_DELETE|ACE_DELETE_CHILD))) 2470 error = secpolicy_vnode_remove(cr); 2471 2472 if (error == 0 && (working_mode & ACE_SYNCHRONIZE)) { 2473 error = secpolicy_vnode_chown(cr, owner); 2474 } 2475 if (error == 0) { 2476 /* 2477 * See if any bits other than those already checked 2478 * for are still present. If so then return EACCES 2479 */ 2480 if (working_mode & ~(ZFS_CHECKED_MASKS)) { 2481 error = EACCES; 2482 } 2483 } 2484 } else if (error == 0) { 2485 error = secpolicy_vnode_access2(cr, ZTOV(zp), owner, 2486 needed_bits, needed_bits); 2487 } 2488 2489 2490 if (is_attr) 2491 VN_RELE(ZTOV(xzp)); 2492 2493 return (error); 2494 } 2495 2496 /* 2497 * Translate traditional unix VREAD/VWRITE/VEXEC mode into 2498 * native ACL format and call zfs_zaccess() 2499 */ 2500 int 2501 zfs_zaccess_rwx(znode_t *zp, mode_t mode, int flags, cred_t *cr) 2502 { 2503 return (zfs_zaccess(zp, zfs_unix_to_v4(mode >> 6), flags, B_FALSE, cr)); 2504 } 2505 2506 /* 2507 * Access function for secpolicy_vnode_setattr 2508 */ 2509 int 2510 zfs_zaccess_unix(znode_t *zp, mode_t mode, cred_t *cr) 2511 { 2512 int v4_mode = zfs_unix_to_v4(mode >> 6); 2513 2514 return (zfs_zaccess(zp, v4_mode, 0, B_FALSE, cr)); 2515 } 2516 2517 static int 2518 zfs_delete_final_check(znode_t *zp, znode_t *dzp, 2519 mode_t available_perms, cred_t *cr) 2520 { 2521 int error; 2522 uid_t downer; 2523 2524 downer = zfs_fuid_map_id(dzp->z_zfsvfs, dzp->z_uid, cr, ZFS_OWNER); 2525 2526 error = secpolicy_vnode_access2(cr, ZTOV(dzp), 2527 downer, available_perms, VWRITE|VEXEC); 2528 2529 if (error == 0) 2530 error = zfs_sticky_remove_access(dzp, zp, cr); 2531 2532 return (error); 2533 } 2534 2535 /* 2536 * Determine whether Access should be granted/deny, without 2537 * consulting least priv subsystem. 2538 * 2539 * 2540 * The following chart is the recommended NFSv4 enforcement for 2541 * ability to delete an object. 2542 * 2543 * ------------------------------------------------------- 2544 * | Parent Dir | Target Object Permissions | 2545 * | permissions | | 2546 * ------------------------------------------------------- 2547 * | | ACL Allows | ACL Denies| Delete | 2548 * | | Delete | Delete | unspecified| 2549 * ------------------------------------------------------- 2550 * | ACL Allows | Permit | Permit | Permit | 2551 * | DELETE_CHILD | | 2552 * ------------------------------------------------------- 2553 * | ACL Denies | Permit | Deny | Deny | 2554 * | DELETE_CHILD | | | | 2555 * ------------------------------------------------------- 2556 * | ACL specifies | | | | 2557 * | only allow | Permit | Permit | Permit | 2558 * | write and | | | | 2559 * | execute | | | | 2560 * ------------------------------------------------------- 2561 * | ACL denies | | | | 2562 * | write and | Permit | Deny | Deny | 2563 * | execute | | | | 2564 * ------------------------------------------------------- 2565 * ^ 2566 * | 2567 * No search privilege, can't even look up file? 2568 * 2569 */ 2570 int 2571 zfs_zaccess_delete(znode_t *dzp, znode_t *zp, cred_t *cr) 2572 { 2573 uint32_t dzp_working_mode = 0; 2574 uint32_t zp_working_mode = 0; 2575 int dzp_error, zp_error; 2576 mode_t available_perms; 2577 boolean_t dzpcheck_privs = B_TRUE; 2578 boolean_t zpcheck_privs = B_TRUE; 2579 2580 /* 2581 * We want specific DELETE permissions to 2582 * take precedence over WRITE/EXECUTE. We don't 2583 * want an ACL such as this to mess us up. 2584 * user:joe:write_data:deny,user:joe:delete:allow 2585 * 2586 * However, deny permissions may ultimately be overridden 2587 * by secpolicy_vnode_access(). 2588 * 2589 * We will ask for all of the necessary permissions and then 2590 * look at the working modes from the directory and target object 2591 * to determine what was found. 2592 */ 2593 2594 if (zp->z_pflags & (ZFS_IMMUTABLE | ZFS_NOUNLINK)) 2595 return (EPERM); 2596 2597 /* 2598 * First row 2599 * If the directory permissions allow the delete, we are done. 2600 */ 2601 if ((dzp_error = zfs_zaccess_common(dzp, ACE_DELETE_CHILD, 2602 &dzp_working_mode, &dzpcheck_privs, B_FALSE, cr)) == 0) 2603 return (0); 2604 2605 /* 2606 * If target object has delete permission then we are done 2607 */ 2608 if ((zp_error = zfs_zaccess_common(zp, ACE_DELETE, &zp_working_mode, 2609 &zpcheck_privs, B_FALSE, cr)) == 0) 2610 return (0); 2611 2612 ASSERT(dzp_error && zp_error); 2613 2614 if (!dzpcheck_privs) 2615 return (dzp_error); 2616 if (!zpcheck_privs) 2617 return (zp_error); 2618 2619 /* 2620 * Second row 2621 * 2622 * If directory returns EACCES then delete_child was denied 2623 * due to deny delete_child. In this case send the request through 2624 * secpolicy_vnode_remove(). We don't use zfs_delete_final_check() 2625 * since that *could* allow the delete based on write/execute permission 2626 * and we want delete permissions to override write/execute. 2627 */ 2628 2629 if (dzp_error == EACCES) 2630 return (secpolicy_vnode_remove(cr)); 2631 2632 /* 2633 * Third Row 2634 * only need to see if we have write/execute on directory. 2635 */ 2636 2637 dzp_error = zfs_zaccess_common(dzp, ACE_EXECUTE|ACE_WRITE_DATA, 2638 &dzp_working_mode, &dzpcheck_privs, B_FALSE, cr); 2639 2640 if (dzp_error != 0 && !dzpcheck_privs) 2641 return (dzp_error); 2642 2643 /* 2644 * Fourth row 2645 */ 2646 2647 available_perms = (dzp_working_mode & ACE_WRITE_DATA) ? 0 : VWRITE; 2648 available_perms |= (dzp_working_mode & ACE_EXECUTE) ? 0 : VEXEC; 2649 2650 return (zfs_delete_final_check(zp, dzp, available_perms, cr)); 2651 2652 } 2653 2654 int 2655 zfs_zaccess_rename(znode_t *sdzp, znode_t *szp, znode_t *tdzp, 2656 znode_t *tzp, cred_t *cr) 2657 { 2658 int add_perm; 2659 int error; 2660 2661 if (szp->z_pflags & ZFS_AV_QUARANTINED) 2662 return (EACCES); 2663 2664 add_perm = (ZTOV(szp)->v_type == VDIR) ? 2665 ACE_ADD_SUBDIRECTORY : ACE_ADD_FILE; 2666 2667 /* 2668 * Rename permissions are combination of delete permission + 2669 * add file/subdir permission. 2670 */ 2671 2672 /* 2673 * first make sure we do the delete portion. 2674 * 2675 * If that succeeds then check for add_file/add_subdir permissions 2676 */ 2677 2678 if (error = zfs_zaccess_delete(sdzp, szp, cr)) 2679 return (error); 2680 2681 /* 2682 * If we have a tzp, see if we can delete it? 2683 */ 2684 if (tzp) { 2685 if (error = zfs_zaccess_delete(tdzp, tzp, cr)) 2686 return (error); 2687 } 2688 2689 /* 2690 * Now check for add permissions 2691 */ 2692 error = zfs_zaccess(tdzp, add_perm, 0, B_FALSE, cr); 2693 2694 return (error); 2695 } 2696