1 /* 2 * CDDL HEADER START 3 * 4 * The contents of this file are subject to the terms of the 5 * Common Development and Distribution License (the "License"). 6 * You may not use this file except in compliance with the License. 7 * 8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE 9 * or http://www.opensolaris.org/os/licensing. 10 * See the License for the specific language governing permissions 11 * and limitations under the License. 12 * 13 * When distributing Covered Code, include this CDDL HEADER in each 14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE. 15 * If applicable, add the following below this CDDL HEADER, with the 16 * fields enclosed by brackets "[]" replaced with your own identifying 17 * information: Portions Copyright [yyyy] [name of copyright owner] 18 * 19 * CDDL HEADER END 20 */ 21 /* 22 * Copyright 2006 Sun Microsystems, Inc. All rights reserved. 23 * Use is subject to license terms. 24 */ 25 26 #pragma ident "%Z%%M% %I% %E% SMI" 27 28 #include <sys/types.h> 29 #include <sys/param.h> 30 #include <sys/time.h> 31 #include <sys/systm.h> 32 #include <sys/sysmacros.h> 33 #include <sys/resource.h> 34 #include <sys/vfs.h> 35 #include <sys/vnode.h> 36 #include <sys/file.h> 37 #include <sys/stat.h> 38 #include <sys/kmem.h> 39 #include <sys/cmn_err.h> 40 #include <sys/errno.h> 41 #include <sys/unistd.h> 42 #include <sys/fs/zfs.h> 43 #include <sys/mode.h> 44 #include <sys/policy.h> 45 #include <sys/zfs_znode.h> 46 #include <sys/zfs_acl.h> 47 #include <sys/zfs_dir.h> 48 #include <sys/zfs_vfsops.h> 49 #include <sys/dmu.h> 50 #include <sys/zap.h> 51 #include <util/qsort.h> 52 #include "fs/fs_subr.h" 53 #include <acl/acl_common.h> 54 55 #define ALLOW ACE_ACCESS_ALLOWED_ACE_TYPE 56 #define DENY ACE_ACCESS_DENIED_ACE_TYPE 57 58 #define OWNING_GROUP (ACE_GROUP|ACE_IDENTIFIER_GROUP) 59 #define EVERYONE_ALLOW_MASK (ACE_READ_ACL|ACE_READ_ATTRIBUTES | \ 60 ACE_READ_NAMED_ATTRS|ACE_SYNCHRONIZE) 61 #define EVERYONE_DENY_MASK (ACE_WRITE_ACL|ACE_WRITE_OWNER | \ 62 ACE_WRITE_ATTRIBUTES|ACE_WRITE_NAMED_ATTRS) 63 #define OWNER_ALLOW_MASK (ACE_WRITE_ACL | ACE_WRITE_OWNER | \ 64 ACE_WRITE_ATTRIBUTES|ACE_WRITE_NAMED_ATTRS) 65 #define WRITE_MASK (ACE_WRITE_DATA|ACE_APPEND_DATA|ACE_WRITE_NAMED_ATTRS| \ 66 ACE_WRITE_ATTRIBUTES|ACE_WRITE_ACL|ACE_WRITE_OWNER) 67 68 #define OGE_CLEAR (ACE_READ_DATA|ACE_LIST_DIRECTORY|ACE_WRITE_DATA| \ 69 ACE_ADD_FILE|ACE_APPEND_DATA|ACE_ADD_SUBDIRECTORY|ACE_EXECUTE) 70 71 #define OKAY_MASK_BITS (ACE_READ_DATA|ACE_LIST_DIRECTORY|ACE_WRITE_DATA| \ 72 ACE_ADD_FILE|ACE_APPEND_DATA|ACE_ADD_SUBDIRECTORY|ACE_EXECUTE) 73 74 #define ALL_INHERIT (ACE_FILE_INHERIT_ACE|ACE_DIRECTORY_INHERIT_ACE | \ 75 ACE_NO_PROPAGATE_INHERIT_ACE|ACE_INHERIT_ONLY_ACE) 76 77 #define SECURE_NO_INHERIT (ACE_WRITE_ACL|ACE_WRITE_OWNER) 78 79 #define OGE_PAD 6 /* traditional owner/group/everyone ACES */ 80 81 static int zfs_ace_can_use(znode_t *zp, ace_t *); 82 83 static zfs_acl_t * 84 zfs_acl_alloc(int slots) 85 { 86 zfs_acl_t *aclp; 87 88 aclp = kmem_zalloc(sizeof (zfs_acl_t), KM_SLEEP); 89 if (slots != 0) { 90 aclp->z_acl = kmem_alloc(ZFS_ACL_SIZE(slots), KM_SLEEP); 91 aclp->z_acl_count = 0; 92 aclp->z_state = ACL_DATA_ALLOCED; 93 } else { 94 aclp->z_state = 0; 95 } 96 aclp->z_slots = slots; 97 return (aclp); 98 } 99 100 void 101 zfs_acl_free(zfs_acl_t *aclp) 102 { 103 if (aclp->z_state == ACL_DATA_ALLOCED) { 104 kmem_free(aclp->z_acl, ZFS_ACL_SIZE(aclp->z_slots)); 105 } 106 kmem_free(aclp, sizeof (zfs_acl_t)); 107 } 108 109 static uint32_t 110 zfs_v4_to_unix(uint32_t access_mask) 111 { 112 uint32_t new_mask = 0; 113 114 if (access_mask & (ACE_READ_DATA | ACE_LIST_DIRECTORY)) 115 new_mask |= S_IROTH; 116 if (access_mask & (ACE_WRITE_DATA|ACE_APPEND_DATA|ACE_ADD_FILE)) 117 new_mask |= S_IWOTH; 118 if (access_mask & (ACE_EXECUTE|ACE_READ_NAMED_ATTRS)) 119 new_mask |= S_IXOTH; 120 121 return (new_mask); 122 } 123 124 /* 125 * Convert unix access mask to v4 access mask 126 */ 127 static uint32_t 128 zfs_unix_to_v4(uint32_t access_mask) 129 { 130 uint32_t new_mask = 0; 131 132 if (access_mask & 01) 133 new_mask |= (ACE_EXECUTE); 134 if (access_mask & 02) { 135 new_mask |= (ACE_WRITE_DATA); 136 } if (access_mask & 04) { 137 new_mask |= ACE_READ_DATA; 138 } 139 return (new_mask); 140 } 141 142 static void 143 zfs_set_ace(ace_t *zacep, uint32_t access_mask, int access_type, 144 uid_t uid, int entry_type) 145 { 146 zacep->a_access_mask = access_mask; 147 zacep->a_type = access_type; 148 zacep->a_who = uid; 149 zacep->a_flags = entry_type; 150 } 151 152 static uint64_t 153 zfs_mode_compute(znode_t *zp, zfs_acl_t *aclp) 154 { 155 int i; 156 int entry_type; 157 mode_t mode = (zp->z_phys->zp_mode & 158 (S_IFMT | S_ISUID | S_ISGID | S_ISVTX)); 159 mode_t seen = 0; 160 ace_t *acep; 161 162 for (i = 0, acep = aclp->z_acl; 163 i != aclp->z_acl_count; i++, acep++) { 164 entry_type = (acep->a_flags & 0xf040); 165 if (entry_type == ACE_OWNER) { 166 if ((acep->a_access_mask & ACE_READ_DATA) && 167 (!(seen & S_IRUSR))) { 168 seen |= S_IRUSR; 169 if (acep->a_type == ALLOW) { 170 mode |= S_IRUSR; 171 } 172 } 173 if ((acep->a_access_mask & ACE_WRITE_DATA) && 174 (!(seen & S_IWUSR))) { 175 seen |= S_IWUSR; 176 if (acep->a_type == ALLOW) { 177 mode |= S_IWUSR; 178 } 179 } 180 if ((acep->a_access_mask & ACE_EXECUTE) && 181 (!(seen & S_IXUSR))) { 182 seen |= S_IXUSR; 183 if (acep->a_type == ALLOW) { 184 mode |= S_IXUSR; 185 } 186 } 187 } else if (entry_type == OWNING_GROUP) { 188 if ((acep->a_access_mask & ACE_READ_DATA) && 189 (!(seen & S_IRGRP))) { 190 seen |= S_IRGRP; 191 if (acep->a_type == ALLOW) { 192 mode |= S_IRGRP; 193 } 194 } 195 if ((acep->a_access_mask & ACE_WRITE_DATA) && 196 (!(seen & S_IWGRP))) { 197 seen |= S_IWGRP; 198 if (acep->a_type == ALLOW) { 199 mode |= S_IWGRP; 200 } 201 } 202 if ((acep->a_access_mask & ACE_EXECUTE) && 203 (!(seen & S_IXGRP))) { 204 seen |= S_IXGRP; 205 if (acep->a_type == ALLOW) { 206 mode |= S_IXGRP; 207 } 208 } 209 } else if (entry_type == ACE_EVERYONE) { 210 if ((acep->a_access_mask & ACE_READ_DATA)) { 211 if (!(seen & S_IRUSR)) { 212 seen |= S_IRUSR; 213 if (acep->a_type == ALLOW) { 214 mode |= S_IRUSR; 215 } 216 } 217 if (!(seen & S_IRGRP)) { 218 seen |= S_IRGRP; 219 if (acep->a_type == ALLOW) { 220 mode |= S_IRGRP; 221 } 222 } 223 if (!(seen & S_IROTH)) { 224 seen |= S_IROTH; 225 if (acep->a_type == ALLOW) { 226 mode |= S_IROTH; 227 } 228 } 229 } 230 if ((acep->a_access_mask & ACE_WRITE_DATA)) { 231 if (!(seen & S_IWUSR)) { 232 seen |= S_IWUSR; 233 if (acep->a_type == ALLOW) { 234 mode |= S_IWUSR; 235 } 236 } 237 if (!(seen & S_IWGRP)) { 238 seen |= S_IWGRP; 239 if (acep->a_type == ALLOW) { 240 mode |= S_IWGRP; 241 } 242 } 243 if (!(seen & S_IWOTH)) { 244 seen |= S_IWOTH; 245 if (acep->a_type == ALLOW) { 246 mode |= S_IWOTH; 247 } 248 } 249 } 250 if ((acep->a_access_mask & ACE_EXECUTE)) { 251 if (!(seen & S_IXUSR)) { 252 seen |= S_IXUSR; 253 if (acep->a_type == ALLOW) { 254 mode |= S_IXUSR; 255 } 256 } 257 if (!(seen & S_IXGRP)) { 258 seen |= S_IXGRP; 259 if (acep->a_type == ALLOW) { 260 mode |= S_IXGRP; 261 } 262 } 263 if (!(seen & S_IXOTH)) { 264 seen |= S_IXOTH; 265 if (acep->a_type == ALLOW) { 266 mode |= S_IXOTH; 267 } 268 } 269 } 270 } 271 } 272 return (mode); 273 } 274 275 static zfs_acl_t * 276 zfs_acl_node_read_internal(znode_t *zp) 277 { 278 zfs_acl_t *aclp; 279 280 aclp = zfs_acl_alloc(0); 281 aclp->z_acl_count = zp->z_phys->zp_acl.z_acl_count; 282 aclp->z_acl = &zp->z_phys->zp_acl.z_ace_data[0]; 283 284 return (aclp); 285 } 286 287 /* 288 * Read an external acl object. 289 */ 290 static int 291 zfs_acl_node_read(znode_t *zp, zfs_acl_t **aclpp) 292 { 293 uint64_t extacl = zp->z_phys->zp_acl.z_acl_extern_obj; 294 zfs_acl_t *aclp; 295 int error; 296 297 ASSERT(MUTEX_HELD(&zp->z_acl_lock)); 298 299 if (zp->z_phys->zp_acl.z_acl_extern_obj == 0) { 300 *aclpp = zfs_acl_node_read_internal(zp); 301 return (0); 302 } 303 304 aclp = zfs_acl_alloc(zp->z_phys->zp_acl.z_acl_count); 305 306 error = dmu_read(zp->z_zfsvfs->z_os, extacl, 0, 307 ZFS_ACL_SIZE(zp->z_phys->zp_acl.z_acl_count), aclp->z_acl); 308 if (error != 0) { 309 zfs_acl_free(aclp); 310 return (error); 311 } 312 313 aclp->z_acl_count = zp->z_phys->zp_acl.z_acl_count; 314 315 *aclpp = aclp; 316 return (0); 317 } 318 319 static boolean_t 320 zfs_acl_valid(znode_t *zp, ace_t *uace, int aclcnt, int *inherit) 321 { 322 ace_t *acep; 323 int i; 324 325 *inherit = 0; 326 327 if (aclcnt > MAX_ACL_ENTRIES || aclcnt <= 0) { 328 return (B_FALSE); 329 } 330 331 for (i = 0, acep = uace; i != aclcnt; i++, acep++) { 332 333 /* 334 * first check type of entry 335 */ 336 337 switch (acep->a_flags & 0xf040) { 338 case ACE_OWNER: 339 acep->a_who = -1; 340 break; 341 case (ACE_IDENTIFIER_GROUP | ACE_GROUP): 342 case ACE_IDENTIFIER_GROUP: 343 if (acep->a_flags & ACE_GROUP) { 344 acep->a_who = -1; 345 } 346 break; 347 case ACE_EVERYONE: 348 acep->a_who = -1; 349 break; 350 } 351 352 /* 353 * next check inheritance level flags 354 */ 355 356 if (acep->a_type != ALLOW && acep->a_type != DENY) 357 return (B_FALSE); 358 359 /* 360 * Only directories should have inheritance flags. 361 */ 362 if (ZTOV(zp)->v_type != VDIR && (acep->a_flags & 363 (ACE_FILE_INHERIT_ACE|ACE_DIRECTORY_INHERIT_ACE| 364 ACE_INHERIT_ONLY_ACE|ACE_NO_PROPAGATE_INHERIT_ACE))) { 365 return (B_FALSE); 366 } 367 368 if (acep->a_flags & 369 (ACE_FILE_INHERIT_ACE|ACE_DIRECTORY_INHERIT_ACE)) 370 *inherit = 1; 371 372 if (acep->a_flags & 373 (ACE_INHERIT_ONLY_ACE|ACE_NO_PROPAGATE_INHERIT_ACE)) { 374 if ((acep->a_flags & (ACE_FILE_INHERIT_ACE| 375 ACE_DIRECTORY_INHERIT_ACE)) == 0) { 376 return (B_FALSE); 377 } 378 } 379 } 380 381 return (B_TRUE); 382 } 383 /* 384 * common code for setting acl's. 385 * 386 * This function is called from zfs_mode_update, zfs_perm_init, and zfs_setacl. 387 * zfs_setacl passes a non-NULL inherit pointer (ihp) to indicate that it's 388 * already checked the acl and knows whether to inherit. 389 */ 390 int 391 zfs_aclset_common(znode_t *zp, zfs_acl_t *aclp, dmu_tx_t *tx, int *ihp) 392 { 393 int inherit = 0; 394 int error; 395 znode_phys_t *zphys = zp->z_phys; 396 zfs_znode_acl_t *zacl = &zphys->zp_acl; 397 uint32_t acl_phys_size = ZFS_ACL_SIZE(aclp->z_acl_count); 398 zfsvfs_t *zfsvfs = zp->z_zfsvfs; 399 uint64_t aoid = zphys->zp_acl.z_acl_extern_obj; 400 401 ASSERT(MUTEX_HELD(&zp->z_lock)); 402 ASSERT(MUTEX_HELD(&zp->z_acl_lock)); 403 404 if (ihp) 405 inherit = *ihp; /* already determined by caller */ 406 else if (!zfs_acl_valid(zp, aclp->z_acl, 407 aclp->z_acl_count, &inherit)) { 408 return (EINVAL); 409 } 410 411 dmu_buf_will_dirty(zp->z_dbuf, tx); 412 413 /* 414 * Will ACL fit internally? 415 */ 416 if (aclp->z_acl_count > ACE_SLOT_CNT) { 417 if (aoid == 0) { 418 aoid = dmu_object_alloc(zfsvfs->z_os, 419 DMU_OT_ACL, acl_phys_size, DMU_OT_NONE, 0, tx); 420 } else { 421 (void) dmu_object_set_blocksize(zfsvfs->z_os, aoid, 422 acl_phys_size, 0, tx); 423 } 424 zphys->zp_acl.z_acl_extern_obj = aoid; 425 zphys->zp_acl.z_acl_count = aclp->z_acl_count; 426 dmu_write(zfsvfs->z_os, aoid, 0, 427 acl_phys_size, aclp->z_acl, tx); 428 } else { 429 /* 430 * Migrating back embedded? 431 */ 432 if (zphys->zp_acl.z_acl_extern_obj) { 433 error = dmu_object_free(zfsvfs->z_os, 434 zp->z_phys->zp_acl.z_acl_extern_obj, tx); 435 if (error) 436 return (error); 437 zphys->zp_acl.z_acl_extern_obj = 0; 438 } 439 bcopy(aclp->z_acl, zacl->z_ace_data, 440 aclp->z_acl_count * sizeof (ace_t)); 441 zacl->z_acl_count = aclp->z_acl_count; 442 } 443 444 zp->z_phys->zp_flags &= ~(ZFS_ACL_TRIVIAL|ZFS_INHERIT_ACE); 445 if (inherit) { 446 zp->z_phys->zp_flags |= ZFS_INHERIT_ACE; 447 } else if (ace_trivial(zacl->z_ace_data, zacl->z_acl_count) == 0) { 448 zp->z_phys->zp_flags |= ZFS_ACL_TRIVIAL; 449 } 450 451 zphys->zp_mode = zfs_mode_compute(zp, aclp); 452 zfs_time_stamper_locked(zp, STATE_CHANGED, tx); 453 454 return (0); 455 } 456 457 /* 458 * Create space for slots_needed ACEs to be append 459 * to aclp. 460 */ 461 static void 462 zfs_acl_append(zfs_acl_t *aclp, int slots_needed) 463 { 464 ace_t *newacep; 465 ace_t *oldaclp; 466 int slot_cnt; 467 int slots_left = aclp->z_slots - aclp->z_acl_count; 468 469 if (aclp->z_state == ACL_DATA_ALLOCED) 470 ASSERT(aclp->z_slots >= aclp->z_acl_count); 471 if (slots_left < slots_needed || aclp->z_state != ACL_DATA_ALLOCED) { 472 slot_cnt = aclp->z_slots + 1 + (slots_needed - slots_left); 473 newacep = kmem_alloc(ZFS_ACL_SIZE(slot_cnt), KM_SLEEP); 474 bcopy(aclp->z_acl, newacep, 475 ZFS_ACL_SIZE(aclp->z_acl_count)); 476 oldaclp = aclp->z_acl; 477 if (aclp->z_state == ACL_DATA_ALLOCED) 478 kmem_free(oldaclp, ZFS_ACL_SIZE(aclp->z_slots)); 479 aclp->z_acl = newacep; 480 aclp->z_slots = slot_cnt; 481 aclp->z_state = ACL_DATA_ALLOCED; 482 } 483 } 484 485 /* 486 * Remove "slot" ACE from aclp 487 */ 488 static void 489 zfs_ace_remove(zfs_acl_t *aclp, int slot) 490 { 491 if (aclp->z_acl_count > 1) { 492 (void) memmove(&aclp->z_acl[slot], 493 &aclp->z_acl[slot +1], sizeof (ace_t) * 494 (--aclp->z_acl_count - slot)); 495 } else 496 aclp->z_acl_count--; 497 } 498 499 /* 500 * Update access mask for prepended ACE 501 * 502 * This applies the "groupmask" value for aclmode property. 503 */ 504 static void 505 zfs_acl_prepend_fixup(ace_t *acep, ace_t *origacep, mode_t mode, uid_t owner) 506 { 507 508 int rmask, wmask, xmask; 509 int user_ace; 510 511 user_ace = (!(acep->a_flags & 512 (ACE_OWNER|ACE_GROUP|ACE_IDENTIFIER_GROUP))); 513 514 if (user_ace && (acep->a_who == owner)) { 515 rmask = S_IRUSR; 516 wmask = S_IWUSR; 517 xmask = S_IXUSR; 518 } else { 519 rmask = S_IRGRP; 520 wmask = S_IWGRP; 521 xmask = S_IXGRP; 522 } 523 524 if (origacep->a_access_mask & ACE_READ_DATA) { 525 if (mode & rmask) 526 acep->a_access_mask &= ~ACE_READ_DATA; 527 else 528 acep->a_access_mask |= ACE_READ_DATA; 529 } 530 531 if (origacep->a_access_mask & ACE_WRITE_DATA) { 532 if (mode & wmask) 533 acep->a_access_mask &= ~ACE_WRITE_DATA; 534 else 535 acep->a_access_mask |= ACE_WRITE_DATA; 536 } 537 538 if (origacep->a_access_mask & ACE_APPEND_DATA) { 539 if (mode & wmask) 540 acep->a_access_mask &= ~ACE_APPEND_DATA; 541 else 542 acep->a_access_mask |= ACE_APPEND_DATA; 543 } 544 545 if (origacep->a_access_mask & ACE_EXECUTE) { 546 if (mode & xmask) 547 acep->a_access_mask &= ~ACE_EXECUTE; 548 else 549 acep->a_access_mask |= ACE_EXECUTE; 550 } 551 } 552 553 /* 554 * Apply mode to canonical six ACEs. 555 */ 556 static void 557 zfs_acl_fixup_canonical_six(zfs_acl_t *aclp, mode_t mode) 558 { 559 int cnt; 560 ace_t *acep; 561 562 cnt = aclp->z_acl_count -1; 563 acep = aclp->z_acl; 564 565 /* 566 * Fixup final ACEs to match the mode 567 */ 568 569 ASSERT(cnt >= 5); 570 adjust_ace_pair(&acep[cnt - 1], mode); /* everyone@ */ 571 adjust_ace_pair(&acep[cnt - 3], (mode & 0070) >> 3); /* group@ */ 572 adjust_ace_pair(&acep[cnt - 5], (mode & 0700) >> 6); /* owner@ */ 573 } 574 575 576 static int 577 zfs_acl_ace_match(ace_t *acep, int allow_deny, int type, int mask) 578 { 579 return (acep->a_access_mask == mask && acep->a_type == allow_deny && 580 ((acep->a_flags & 0xf040) == type)); 581 } 582 583 /* 584 * Can prepended ACE be reused? 585 */ 586 static int 587 zfs_reuse_deny(ace_t *acep, int i) 588 { 589 int okay_masks; 590 591 if (i < 1) 592 return (B_FALSE); 593 594 if (acep[i-1].a_type != DENY) 595 return (B_FALSE); 596 597 if (acep[i-1].a_flags != (acep[i].a_flags & ACE_IDENTIFIER_GROUP)) 598 return (B_FALSE); 599 600 okay_masks = (acep[i].a_access_mask & OKAY_MASK_BITS); 601 602 if (acep[i-1].a_access_mask & ~okay_masks) 603 return (B_FALSE); 604 605 return (B_TRUE); 606 } 607 608 /* 609 * Create space to prepend an ACE 610 */ 611 static void 612 zfs_acl_prepend(zfs_acl_t *aclp, int i) 613 { 614 ace_t *oldaclp = NULL; 615 ace_t *to, *from; 616 int slots_left = aclp->z_slots - aclp->z_acl_count; 617 int oldslots; 618 int need_free = 0; 619 620 if (aclp->z_state == ACL_DATA_ALLOCED) 621 ASSERT(aclp->z_slots >= aclp->z_acl_count); 622 623 if (slots_left == 0 || aclp->z_state != ACL_DATA_ALLOCED) { 624 625 to = kmem_alloc(ZFS_ACL_SIZE(aclp->z_acl_count + 626 OGE_PAD), KM_SLEEP); 627 if (aclp->z_state == ACL_DATA_ALLOCED) 628 need_free++; 629 from = aclp->z_acl; 630 oldaclp = aclp->z_acl; 631 (void) memmove(to, from, 632 sizeof (ace_t) * aclp->z_acl_count); 633 aclp->z_state = ACL_DATA_ALLOCED; 634 } else { 635 from = aclp->z_acl; 636 to = aclp->z_acl; 637 } 638 639 640 (void) memmove(&to[i + 1], &from[i], 641 sizeof (ace_t) * (aclp->z_acl_count - i)); 642 643 if (oldaclp) { 644 aclp->z_acl = to; 645 oldslots = aclp->z_slots; 646 aclp->z_slots = aclp->z_acl_count + OGE_PAD; 647 if (need_free) 648 kmem_free(oldaclp, ZFS_ACL_SIZE(oldslots)); 649 } 650 651 } 652 653 /* 654 * Prepend deny ACE 655 */ 656 static void 657 zfs_acl_prepend_deny(znode_t *zp, zfs_acl_t *aclp, int i, 658 mode_t mode) 659 { 660 ace_t *acep; 661 662 zfs_acl_prepend(aclp, i); 663 664 acep = aclp->z_acl; 665 zfs_set_ace(&acep[i], 0, DENY, acep[i + 1].a_who, 666 (acep[i + 1].a_flags & 0xf040)); 667 zfs_acl_prepend_fixup(&acep[i], &acep[i+1], mode, zp->z_phys->zp_uid); 668 aclp->z_acl_count++; 669 } 670 671 /* 672 * Split an inherited ACE into inherit_only ACE 673 * and original ACE with inheritance flags stripped off. 674 */ 675 static void 676 zfs_acl_split_ace(zfs_acl_t *aclp, int i) 677 { 678 ace_t *acep = aclp->z_acl; 679 680 zfs_acl_prepend(aclp, i); 681 acep = aclp->z_acl; 682 acep[i] = acep[i + 1]; 683 acep[i].a_flags |= ACE_INHERIT_ONLY_ACE; 684 acep[i + 1].a_flags &= ~ALL_INHERIT; 685 aclp->z_acl_count++; 686 } 687 688 /* 689 * Are ACES started at index i, the canonical six ACES? 690 */ 691 static int 692 zfs_have_canonical_six(zfs_acl_t *aclp, int i) 693 { 694 ace_t *acep = aclp->z_acl; 695 696 if ((zfs_acl_ace_match(&acep[i], 697 DENY, ACE_OWNER, 0) && 698 zfs_acl_ace_match(&acep[i + 1], ALLOW, ACE_OWNER, 699 OWNER_ALLOW_MASK) && zfs_acl_ace_match(&acep[i + 2], 700 DENY, OWNING_GROUP, 0) && zfs_acl_ace_match(&acep[i + 3], 701 ALLOW, OWNING_GROUP, 0) && zfs_acl_ace_match(&acep[i + 4], 702 DENY, ACE_EVERYONE, EVERYONE_DENY_MASK) && 703 zfs_acl_ace_match(&acep[i + 5], ALLOW, ACE_EVERYONE, 704 EVERYONE_ALLOW_MASK))) { 705 return (1); 706 } else { 707 return (0); 708 } 709 } 710 711 /* 712 * Apply step 1g, to group entries 713 * 714 * Need to deal with corner case where group may have 715 * greater permissions than owner. If so then limit 716 * group permissions, based on what extra permissions 717 * group has. 718 */ 719 static void 720 zfs_fixup_group_entries(ace_t *acep, mode_t mode) 721 { 722 mode_t extramode = (mode >> 3) & 07; 723 mode_t ownermode = (mode >> 6); 724 725 if (acep[0].a_flags & ACE_IDENTIFIER_GROUP) { 726 727 extramode &= ~ownermode; 728 729 if (extramode) { 730 if (extramode & 04) { 731 acep[0].a_access_mask &= ~ACE_READ_DATA; 732 acep[1].a_access_mask &= ~ACE_READ_DATA; 733 } 734 if (extramode & 02) { 735 acep[0].a_access_mask &= 736 ~(ACE_WRITE_DATA|ACE_APPEND_DATA); 737 acep[1].a_access_mask &= 738 ~(ACE_WRITE_DATA|ACE_APPEND_DATA); 739 } 740 if (extramode & 01) { 741 acep[0].a_access_mask &= ~ACE_EXECUTE; 742 acep[1].a_access_mask &= ~ACE_EXECUTE; 743 } 744 } 745 } 746 } 747 748 /* 749 * Apply the chmod algorithm as described 750 * in PSARC/2002/240 751 */ 752 static int 753 zfs_acl_chmod(znode_t *zp, uint64_t mode, zfs_acl_t *aclp, 754 dmu_tx_t *tx) 755 { 756 zfsvfs_t *zfsvfs = zp->z_zfsvfs; 757 ace_t *acep; 758 int i; 759 int error; 760 int entry_type; 761 int reuse_deny; 762 int need_canonical_six = 1; 763 int inherit = 0; 764 int iflags; 765 766 ASSERT(MUTEX_HELD(&zp->z_acl_lock)); 767 ASSERT(MUTEX_HELD(&zp->z_lock)); 768 769 i = 0; 770 while (i < aclp->z_acl_count) { 771 acep = aclp->z_acl; 772 entry_type = (acep[i].a_flags & 0xf040); 773 iflags = (acep[i].a_flags & ALL_INHERIT); 774 775 if ((acep[i].a_type != ALLOW && acep[i].a_type != DENY) || 776 (iflags & ACE_INHERIT_ONLY_ACE)) { 777 i++; 778 if (iflags) 779 inherit = 1; 780 continue; 781 } 782 783 784 if (zfsvfs->z_acl_mode == DISCARD) { 785 zfs_ace_remove(aclp, i); 786 continue; 787 } 788 789 /* 790 * Need to split ace into two? 791 */ 792 if ((iflags & (ACE_FILE_INHERIT_ACE| 793 ACE_DIRECTORY_INHERIT_ACE)) && 794 (!(iflags & ACE_INHERIT_ONLY_ACE))) { 795 zfs_acl_split_ace(aclp, i); 796 i++; 797 inherit = 1; 798 continue; 799 } 800 801 if (entry_type == ACE_OWNER || entry_type == ACE_EVERYONE || 802 (entry_type == OWNING_GROUP)) { 803 acep[i].a_access_mask &= ~OGE_CLEAR; 804 i++; 805 continue; 806 807 } else { 808 if (acep[i].a_type == ALLOW) { 809 810 /* 811 * Check preceding ACE if any, to see 812 * if we need to prepend a DENY ACE. 813 * This is only applicable when the acl_mode 814 * property == groupmask. 815 */ 816 if (zfsvfs->z_acl_mode == GROUPMASK) { 817 818 reuse_deny = zfs_reuse_deny(acep, i); 819 820 if (reuse_deny == B_FALSE) { 821 zfs_acl_prepend_deny(zp, aclp, 822 i, mode); 823 i++; 824 acep = aclp->z_acl; 825 } else { 826 zfs_acl_prepend_fixup( 827 &acep[i - 1], 828 &acep[i], mode, 829 zp->z_phys->zp_uid); 830 } 831 zfs_fixup_group_entries(&acep[i - 1], 832 mode); 833 } 834 } 835 i++; 836 } 837 } 838 839 /* 840 * Check out last six aces, if we have six. 841 */ 842 843 if (aclp->z_acl_count >= 6) { 844 i = aclp->z_acl_count - 6; 845 846 if (zfs_have_canonical_six(aclp, i)) { 847 need_canonical_six = 0; 848 } 849 } 850 851 if (need_canonical_six) { 852 853 zfs_acl_append(aclp, 6); 854 i = aclp->z_acl_count; 855 acep = aclp->z_acl; 856 zfs_set_ace(&acep[i++], 0, DENY, -1, ACE_OWNER); 857 zfs_set_ace(&acep[i++], OWNER_ALLOW_MASK, ALLOW, -1, ACE_OWNER); 858 zfs_set_ace(&acep[i++], 0, DENY, -1, OWNING_GROUP); 859 zfs_set_ace(&acep[i++], 0, ALLOW, -1, OWNING_GROUP); 860 zfs_set_ace(&acep[i++], EVERYONE_DENY_MASK, 861 DENY, -1, ACE_EVERYONE); 862 zfs_set_ace(&acep[i++], EVERYONE_ALLOW_MASK, 863 ALLOW, -1, ACE_EVERYONE); 864 aclp->z_acl_count += 6; 865 } 866 867 zfs_acl_fixup_canonical_six(aclp, mode); 868 869 zp->z_phys->zp_mode = mode; 870 error = zfs_aclset_common(zp, aclp, tx, &inherit); 871 return (error); 872 } 873 874 875 int 876 zfs_acl_chmod_setattr(znode_t *zp, uint64_t mode, dmu_tx_t *tx) 877 { 878 zfs_acl_t *aclp = NULL; 879 int error; 880 881 ASSERT(MUTEX_HELD(&zp->z_lock)); 882 mutex_enter(&zp->z_acl_lock); 883 error = zfs_acl_node_read(zp, &aclp); 884 if (error == 0) 885 error = zfs_acl_chmod(zp, mode, aclp, tx); 886 mutex_exit(&zp->z_acl_lock); 887 if (aclp) 888 zfs_acl_free(aclp); 889 return (error); 890 } 891 892 /* 893 * strip off write_owner and write_acl 894 */ 895 static void 896 zfs_securemode_update(zfsvfs_t *zfsvfs, ace_t *acep) 897 { 898 if ((zfsvfs->z_acl_inherit == SECURE) && 899 acep->a_type == ALLOW) 900 acep->a_access_mask &= ~SECURE_NO_INHERIT; 901 } 902 903 /* 904 * inherit inheritable ACEs from parent 905 */ 906 static zfs_acl_t * 907 zfs_acl_inherit(znode_t *zp, zfs_acl_t *paclp) 908 { 909 zfsvfs_t *zfsvfs = zp->z_zfsvfs; 910 ace_t *pacep; 911 ace_t *acep; 912 int ace_cnt = 0; 913 int pace_cnt; 914 int i, j; 915 zfs_acl_t *aclp = NULL; 916 917 i = j = 0; 918 pace_cnt = paclp->z_acl_count; 919 pacep = paclp->z_acl; 920 if (zfsvfs->z_acl_inherit != DISCARD) { 921 for (i = 0; i != pace_cnt; i++) { 922 923 if (zfsvfs->z_acl_inherit == NOALLOW && 924 pacep[i].a_type == ALLOW) 925 continue; 926 927 if (zfs_ace_can_use(zp, &pacep[i])) { 928 ace_cnt++; 929 if (!(pacep[i].a_flags & 930 ACE_NO_PROPAGATE_INHERIT_ACE)) 931 ace_cnt++; 932 } 933 } 934 } 935 936 aclp = zfs_acl_alloc(ace_cnt + OGE_PAD); 937 if (ace_cnt && zfsvfs->z_acl_inherit != DISCARD) { 938 acep = aclp->z_acl; 939 pacep = paclp->z_acl; 940 for (i = 0; i != pace_cnt; i++) { 941 942 if (zfsvfs->z_acl_inherit == NOALLOW && 943 pacep[i].a_type == ALLOW) 944 continue; 945 946 if (zfs_ace_can_use(zp, &pacep[i])) { 947 /* 948 * Now create entry for inherited ace 949 */ 950 acep[j] = pacep[i]; 951 952 if (pacep[i].a_flags & 953 ACE_NO_PROPAGATE_INHERIT_ACE) { 954 acep[j].a_flags &= ~ALL_INHERIT; 955 j++; 956 continue; 957 } 958 959 if (pacep[i].a_type != ALLOW && 960 pacep[i].a_type != DENY) { 961 zfs_securemode_update(zfsvfs, &acep[j]); 962 j++; 963 continue; 964 } 965 966 if (ZTOV(zp)->v_type != VDIR) { 967 acep[j].a_flags &= ~ALL_INHERIT; 968 zfs_securemode_update(zfsvfs, &acep[j]); 969 j++; 970 continue; 971 } 972 973 ASSERT(ZTOV(zp)->v_type == VDIR); 974 975 /* 976 * If we are inheriting an ACE targeted for 977 * only files, then make sure inherit_only 978 * is on for future propagation. 979 */ 980 if ((acep[j].a_flags & (ACE_FILE_INHERIT_ACE | 981 ACE_DIRECTORY_INHERIT_ACE)) == 982 ACE_FILE_INHERIT_ACE) { 983 acep[j].a_flags |= ACE_INHERIT_ONLY_ACE; 984 } else { 985 acep[j].a_flags &= 986 ~ACE_INHERIT_ONLY_ACE; 987 } 988 989 zfs_securemode_update(zfsvfs, &acep[j]); 990 j++; 991 } 992 } 993 } 994 aclp->z_acl_count = j; 995 ASSERT(aclp->z_slots >= aclp->z_acl_count); 996 997 return (aclp); 998 } 999 1000 /* 1001 * Create file system object initial permissions 1002 * including inheritable ACEs. 1003 */ 1004 void 1005 zfs_perm_init(znode_t *zp, znode_t *parent, int flag, 1006 vattr_t *vap, dmu_tx_t *tx, cred_t *cr) 1007 { 1008 uint64_t mode; 1009 uid_t uid; 1010 gid_t gid; 1011 int error; 1012 int pull_down; 1013 zfs_acl_t *aclp, *paclp; 1014 1015 mode = MAKEIMODE(vap->va_type, vap->va_mode); 1016 1017 /* 1018 * Determine uid and gid. 1019 */ 1020 if ((flag & (IS_ROOT_NODE | IS_REPLAY)) || 1021 ((flag & IS_XATTR) && (vap->va_type == VDIR))) { 1022 uid = vap->va_uid; 1023 gid = vap->va_gid; 1024 } else { 1025 uid = crgetuid(cr); 1026 if ((vap->va_mask & AT_GID) && 1027 ((vap->va_gid == parent->z_phys->zp_gid) || 1028 groupmember(vap->va_gid, cr) || 1029 secpolicy_vnode_create_gid(cr))) 1030 gid = vap->va_gid; 1031 else 1032 gid = (parent->z_phys->zp_mode & S_ISGID) ? 1033 parent->z_phys->zp_gid : crgetgid(cr); 1034 } 1035 1036 /* 1037 * If we're creating a directory, and the parent directory has the 1038 * set-GID bit set, set in on the new directory. 1039 * Otherwise, if the user is neither privileged nor a member of the 1040 * file's new group, clear the file's set-GID bit. 1041 */ 1042 1043 if ((parent->z_phys->zp_mode & S_ISGID) && (vap->va_type == VDIR)) 1044 mode |= S_ISGID; 1045 else { 1046 if ((mode & S_ISGID) && 1047 secpolicy_vnode_setids_setgids(cr, gid) != 0) 1048 mode &= ~S_ISGID; 1049 } 1050 1051 zp->z_phys->zp_uid = uid; 1052 zp->z_phys->zp_gid = gid; 1053 zp->z_phys->zp_mode = mode; 1054 1055 mutex_enter(&parent->z_lock); 1056 pull_down = (parent->z_phys->zp_flags & ZFS_INHERIT_ACE); 1057 if (pull_down) { 1058 mutex_enter(&parent->z_acl_lock); 1059 VERIFY(0 == zfs_acl_node_read(parent, &paclp)); 1060 mutex_exit(&parent->z_acl_lock); 1061 aclp = zfs_acl_inherit(zp, paclp); 1062 zfs_acl_free(paclp); 1063 } else { 1064 aclp = zfs_acl_alloc(6); 1065 } 1066 mutex_exit(&parent->z_lock); 1067 mutex_enter(&zp->z_lock); 1068 mutex_enter(&zp->z_acl_lock); 1069 error = zfs_acl_chmod(zp, mode, aclp, tx); 1070 mutex_exit(&zp->z_lock); 1071 mutex_exit(&zp->z_acl_lock); 1072 ASSERT3U(error, ==, 0); 1073 zfs_acl_free(aclp); 1074 } 1075 1076 /* 1077 * Should ACE be inherited? 1078 */ 1079 static int 1080 zfs_ace_can_use(znode_t *zp, ace_t *acep) 1081 { 1082 int vtype = ZTOV(zp)->v_type; 1083 1084 int iflags = (acep->a_flags & 0xf); 1085 1086 if ((vtype == VDIR) && (iflags & ACE_DIRECTORY_INHERIT_ACE)) 1087 return (1); 1088 else if (iflags & ACE_FILE_INHERIT_ACE) 1089 return (!((vtype == VDIR) && 1090 (iflags & ACE_NO_PROPAGATE_INHERIT_ACE))); 1091 return (0); 1092 } 1093 1094 /* 1095 * Retrieve a files ACL 1096 */ 1097 int 1098 zfs_getacl(znode_t *zp, vsecattr_t *vsecp, cred_t *cr) 1099 { 1100 zfs_acl_t *aclp; 1101 ulong_t mask = vsecp->vsa_mask & (VSA_ACE | VSA_ACECNT); 1102 int error; 1103 1104 if (error = zfs_zaccess(zp, ACE_READ_ACL, cr)) { 1105 /* 1106 * If owner of file then allow reading of the 1107 * ACL. 1108 */ 1109 if (crgetuid(cr) != zp->z_phys->zp_uid) 1110 return (error); 1111 } 1112 1113 if (mask == 0) 1114 return (ENOSYS); 1115 1116 mutex_enter(&zp->z_acl_lock); 1117 1118 error = zfs_acl_node_read(zp, &aclp); 1119 if (error != 0) { 1120 mutex_exit(&zp->z_acl_lock); 1121 return (error); 1122 } 1123 1124 1125 if (mask & VSA_ACECNT) { 1126 vsecp->vsa_aclcnt = aclp->z_acl_count; 1127 } 1128 1129 if (mask & VSA_ACE) { 1130 vsecp->vsa_aclentp = kmem_alloc(aclp->z_acl_count * 1131 sizeof (ace_t), KM_SLEEP); 1132 bcopy(aclp->z_acl, vsecp->vsa_aclentp, 1133 aclp->z_acl_count * sizeof (ace_t)); 1134 } 1135 1136 mutex_exit(&zp->z_acl_lock); 1137 1138 zfs_acl_free(aclp); 1139 1140 return (0); 1141 } 1142 1143 /* 1144 * Set a files ACL 1145 */ 1146 int 1147 zfs_setacl(znode_t *zp, vsecattr_t *vsecp, cred_t *cr) 1148 { 1149 zfsvfs_t *zfsvfs = zp->z_zfsvfs; 1150 zilog_t *zilog = zfsvfs->z_log; 1151 ace_t *acep = vsecp->vsa_aclentp; 1152 int aclcnt = vsecp->vsa_aclcnt; 1153 ulong_t mask = vsecp->vsa_mask & (VSA_ACE | VSA_ACECNT); 1154 dmu_tx_t *tx; 1155 int error; 1156 int inherit; 1157 zfs_acl_t *aclp; 1158 uint64_t seq = 0; 1159 1160 if (mask == 0) 1161 return (EINVAL); 1162 1163 if (!zfs_acl_valid(zp, acep, aclcnt, &inherit)) 1164 return (EINVAL); 1165 top: 1166 error = zfs_zaccess_v4_perm(zp, ACE_WRITE_ACL, cr); 1167 if (error == EACCES || error == ACCESS_UNDETERMINED) { 1168 if ((error = secpolicy_vnode_setdac(cr, 1169 zp->z_phys->zp_uid)) != 0) { 1170 return (error); 1171 } 1172 } else if (error) { 1173 return (error == EROFS ? error : EPERM); 1174 } 1175 1176 mutex_enter(&zp->z_lock); 1177 mutex_enter(&zp->z_acl_lock); 1178 1179 tx = dmu_tx_create(zfsvfs->z_os); 1180 dmu_tx_hold_bonus(tx, zp->z_id); 1181 1182 if (zp->z_phys->zp_acl.z_acl_extern_obj) { 1183 dmu_tx_hold_write(tx, zp->z_phys->zp_acl.z_acl_extern_obj, 1184 0, ZFS_ACL_SIZE(aclcnt)); 1185 } else if (aclcnt > ACE_SLOT_CNT) { 1186 dmu_tx_hold_write(tx, DMU_NEW_OBJECT, 0, ZFS_ACL_SIZE(aclcnt)); 1187 } 1188 1189 error = dmu_tx_assign(tx, zfsvfs->z_assign); 1190 if (error) { 1191 dmu_tx_abort(tx); 1192 1193 mutex_exit(&zp->z_acl_lock); 1194 mutex_exit(&zp->z_lock); 1195 1196 if (error == ERESTART && zfsvfs->z_assign == TXG_NOWAIT) { 1197 txg_wait_open(dmu_objset_pool(zfsvfs->z_os), 0); 1198 goto top; 1199 } 1200 return (error); 1201 } 1202 1203 aclp = zfs_acl_alloc(aclcnt); 1204 bcopy(acep, aclp->z_acl, sizeof (ace_t) * aclcnt); 1205 aclp->z_acl_count = aclcnt; 1206 error = zfs_aclset_common(zp, aclp, tx, &inherit); 1207 ASSERT(error == 0); 1208 1209 zfs_acl_free(aclp); 1210 seq = zfs_log_acl(zilog, tx, TX_ACL, zp, aclcnt, acep); 1211 dmu_tx_commit(tx); 1212 done: 1213 mutex_exit(&zp->z_acl_lock); 1214 mutex_exit(&zp->z_lock); 1215 1216 zil_commit(zilog, seq, 0); 1217 1218 return (error); 1219 } 1220 1221 static int 1222 zfs_ace_access(ace_t *zacep, int mode_wanted, int *working_mode) 1223 { 1224 if ((*working_mode & mode_wanted) == mode_wanted) { 1225 return (0); 1226 } 1227 1228 if (zacep->a_access_mask & mode_wanted) { 1229 if (zacep->a_type == ALLOW) { 1230 *working_mode |= (mode_wanted & zacep->a_access_mask); 1231 if ((*working_mode & mode_wanted) == mode_wanted) 1232 return (0); 1233 } else if (zacep->a_type == DENY) { 1234 return (EACCES); 1235 } 1236 } 1237 1238 /* 1239 * haven't been specifcally denied at this point 1240 * so return UNDETERMINED. 1241 */ 1242 1243 return (ACCESS_UNDETERMINED); 1244 } 1245 1246 1247 static int 1248 zfs_zaccess_common(znode_t *zp, int v4_mode, int *working_mode, cred_t *cr) 1249 { 1250 zfs_acl_t *aclp; 1251 zfsvfs_t *zfsvfs = zp->z_zfsvfs; 1252 ace_t *zacep; 1253 gid_t gid; 1254 int mode_wanted = v4_mode; 1255 int cnt; 1256 int i; 1257 int error; 1258 int access_deny = ACCESS_UNDETERMINED; 1259 uint_t entry_type; 1260 uid_t uid = crgetuid(cr); 1261 1262 *working_mode = 0; 1263 1264 if (zfsvfs->z_assign >= TXG_INITIAL) /* ZIL replay */ 1265 return (0); 1266 1267 if ((v4_mode & WRITE_MASK) && 1268 (zp->z_zfsvfs->z_vfs->vfs_flag & VFS_RDONLY) && 1269 (!IS_DEVVP(ZTOV(zp)))) { 1270 return (EROFS); 1271 } 1272 1273 mutex_enter(&zp->z_acl_lock); 1274 1275 error = zfs_acl_node_read(zp, &aclp); 1276 if (error != 0) { 1277 mutex_exit(&zp->z_acl_lock); 1278 return (error); 1279 } 1280 1281 1282 zacep = aclp->z_acl; 1283 cnt = aclp->z_acl_count; 1284 1285 for (i = 0; i != cnt; i++) { 1286 1287 if (zacep[i].a_flags & ACE_INHERIT_ONLY_ACE) 1288 continue; 1289 1290 entry_type = (zacep[i].a_flags & 0xf040); 1291 switch (entry_type) { 1292 case ACE_OWNER: 1293 if (uid == zp->z_phys->zp_uid) { 1294 access_deny = zfs_ace_access(&zacep[i], 1295 mode_wanted, working_mode); 1296 } 1297 break; 1298 case (ACE_IDENTIFIER_GROUP | ACE_GROUP): 1299 case ACE_IDENTIFIER_GROUP: 1300 /* 1301 * Owning group gid is in znode not ACL 1302 */ 1303 if (entry_type == (ACE_IDENTIFIER_GROUP | ACE_GROUP)) 1304 gid = zp->z_phys->zp_gid; 1305 else 1306 gid = zacep[i].a_who; 1307 1308 if (groupmember(gid, cr)) { 1309 access_deny = zfs_ace_access(&zacep[i], 1310 mode_wanted, working_mode); 1311 } 1312 break; 1313 case ACE_EVERYONE: 1314 access_deny = zfs_ace_access(&zacep[i], 1315 mode_wanted, working_mode); 1316 break; 1317 1318 /* USER Entry */ 1319 default: 1320 if (entry_type == 0) { 1321 if (uid == zacep[i].a_who) { 1322 access_deny = zfs_ace_access(&zacep[i], 1323 mode_wanted, working_mode); 1324 } 1325 break; 1326 } 1327 zfs_acl_free(aclp); 1328 mutex_exit(&zp->z_acl_lock); 1329 return (EIO); 1330 } 1331 1332 if (access_deny != ACCESS_UNDETERMINED) 1333 break; 1334 1335 } 1336 1337 mutex_exit(&zp->z_acl_lock); 1338 zfs_acl_free(aclp); 1339 1340 return (access_deny); 1341 } 1342 1343 1344 /* 1345 * Determine whether Access should be granted/denied, invoking least 1346 * priv subsytem when a deny is determined. 1347 */ 1348 int 1349 zfs_zaccess(znode_t *zp, int mode, cred_t *cr) 1350 { 1351 int working_mode = 0; 1352 int error; 1353 int is_attr; 1354 znode_t *xzp; 1355 znode_t *check_zp = zp; 1356 1357 is_attr = ((zp->z_phys->zp_flags & ZFS_XATTR) && 1358 (ZTOV(zp)->v_type == VDIR)); 1359 1360 /* 1361 * If attribute then validate against base file 1362 */ 1363 if (is_attr) { 1364 if ((error = zfs_zget(zp->z_zfsvfs, 1365 zp->z_phys->zp_parent, &xzp)) != 0) { 1366 return (error); 1367 } 1368 check_zp = xzp; 1369 /* 1370 * fixup mode to map to xattr perms 1371 */ 1372 1373 if (mode & (ACE_WRITE_DATA|ACE_APPEND_DATA)) { 1374 mode &= ~(ACE_WRITE_DATA|ACE_APPEND_DATA); 1375 mode |= ACE_WRITE_NAMED_ATTRS; 1376 } 1377 1378 if (mode & (ACE_READ_DATA|ACE_EXECUTE)) { 1379 mode &= ~(ACE_READ_DATA|ACE_EXECUTE); 1380 mode |= ACE_READ_NAMED_ATTRS; 1381 } 1382 } 1383 1384 error = zfs_zaccess_common(check_zp, mode, &working_mode, cr); 1385 1386 if (error == EROFS) { 1387 if (is_attr) 1388 VN_RELE(ZTOV(xzp)); 1389 return (error); 1390 } 1391 1392 if (error || (working_mode != mode)) { 1393 error = secpolicy_vnode_access(cr, ZTOV(check_zp), 1394 check_zp->z_phys->zp_uid, ~zfs_v4_to_unix(working_mode)); 1395 } 1396 1397 if (is_attr) 1398 VN_RELE(ZTOV(xzp)); 1399 1400 return (error); 1401 } 1402 1403 /* 1404 * Special zaccess function to check for special nfsv4 perm. 1405 * doesn't call secpolicy_vnode_access() for failure, since that 1406 * would probably be the wrong policy function to call. 1407 * instead its up to the caller to handle that situation. 1408 */ 1409 1410 int 1411 zfs_zaccess_v4_perm(znode_t *zp, int mode, cred_t *cr) 1412 { 1413 int working_mode = 0; 1414 return (zfs_zaccess_common(zp, mode, &working_mode, cr)); 1415 } 1416 1417 /* 1418 * Translate tradition unix VREAD/VWRITE/VEXEC mode into 1419 * native ACL format and call zfs_zaccess() 1420 */ 1421 int 1422 zfs_zaccess_rwx(znode_t *zp, mode_t mode, cred_t *cr) 1423 { 1424 int v4_mode = zfs_unix_to_v4(mode >> 6); 1425 1426 return (zfs_zaccess(zp, v4_mode, cr)); 1427 } 1428 1429 /* 1430 * Determine whether Access should be granted/deny, without 1431 * consulting least priv subsystem. 1432 * 1433 * 1434 * The following chart is the recommended NFSv4 enforcement for 1435 * ability to delete an object. 1436 * 1437 * ------------------------------------------------------- 1438 * | Parent Dir | Target Object Permissions | 1439 * | permissions | | 1440 * ------------------------------------------------------- 1441 * | | ACL Allows | ACL Denies| Delete | 1442 * | | Delete | Delete | unspecified| 1443 * ------------------------------------------------------- 1444 * | ACL Allows | Permit | Permit | Permit | 1445 * | DELETE_CHILD | | 1446 * ------------------------------------------------------- 1447 * | ACL Denies | Permit | Deny | Deny | 1448 * | DELETE_CHILD | | | | 1449 * ------------------------------------------------------- 1450 * | ACL specifies | | | | 1451 * | only allow | Permit | Permit | Permit | 1452 * | write and | | | | 1453 * | execute | | | | 1454 * ------------------------------------------------------- 1455 * | ACL denies | | | | 1456 * | write and | Permit | Deny | Deny | 1457 * | execute | | | | 1458 * ------------------------------------------------------- 1459 * ^ 1460 * | 1461 * No search privilege, can't even look up file? 1462 * 1463 */ 1464 int 1465 zfs_zaccess_delete(znode_t *dzp, znode_t *zp, cred_t *cr) 1466 { 1467 int dzp_working_mode = 0; 1468 int zp_working_mode = 0; 1469 int dzp_error, zp_error; 1470 int error; 1471 1472 /* 1473 * Arghh, this check is going to require a couple of questions 1474 * to be asked. We want specific DELETE permissions to 1475 * take precedence over WRITE/EXECUTE. We don't 1476 * want an ACL such as this to mess us up. 1477 * user:sloar:write_data:deny,user:sloar:delete:allow 1478 * 1479 * However, deny permissions may ultimately be overridden 1480 * by secpolicy_vnode_access(). 1481 */ 1482 1483 dzp_error = zfs_zaccess_common(dzp, ACE_DELETE_CHILD, 1484 &dzp_working_mode, cr); 1485 zp_error = zfs_zaccess_common(zp, ACE_DELETE, &zp_working_mode, cr); 1486 1487 if (dzp_error == EROFS || zp_error == EROFS) 1488 return (dzp_error); 1489 1490 /* 1491 * First handle the first row 1492 */ 1493 if (dzp_working_mode & ACE_DELETE_CHILD) 1494 return (0); 1495 1496 /* 1497 * Second row 1498 */ 1499 1500 if (zp_working_mode & ACE_DELETE) 1501 return (0); 1502 1503 /* 1504 * Third Row 1505 */ 1506 1507 dzp_error = zfs_zaccess_common(dzp, ACE_WRITE_DATA|ACE_EXECUTE, 1508 &dzp_working_mode, cr); 1509 1510 if (dzp_error == EROFS) 1511 return (dzp_error); 1512 1513 if (dzp_working_mode & (ACE_WRITE_DATA|ACE_EXECUTE)) 1514 goto sticky; 1515 1516 /* 1517 * Fourth Row 1518 */ 1519 1520 if (((dzp_working_mode & (ACE_WRITE_DATA|ACE_EXECUTE)) == 0) && 1521 (zp_working_mode & ACE_DELETE)) 1522 goto sticky; 1523 1524 error = secpolicy_vnode_access(cr, ZTOV(zp), 1525 dzp->z_phys->zp_uid, S_IWRITE|S_IEXEC); 1526 1527 if (error) 1528 return (error); 1529 1530 sticky: 1531 error = zfs_sticky_remove_access(dzp, zp, cr); 1532 1533 return (error); 1534 } 1535 1536 int 1537 zfs_zaccess_rename(znode_t *sdzp, znode_t *szp, znode_t *tdzp, 1538 znode_t *tzp, cred_t *cr) 1539 { 1540 int add_perm; 1541 int error; 1542 1543 add_perm = (ZTOV(szp)->v_type == VDIR) ? 1544 ACE_ADD_SUBDIRECTORY : ACE_ADD_FILE; 1545 1546 /* 1547 * Rename permissions are combination of delete permission + 1548 * add file/subdir permission. 1549 */ 1550 1551 /* 1552 * first make sure we do the delete portion. 1553 * 1554 * If that succeeds then check for add_file/add_subdir permissions 1555 */ 1556 1557 if (error = zfs_zaccess_delete(sdzp, szp, cr)) 1558 return (error); 1559 1560 /* 1561 * If we have a tzp, see if we can delete it? 1562 */ 1563 if (tzp) { 1564 if (error = zfs_zaccess_delete(tdzp, tzp, cr)) 1565 return (error); 1566 } 1567 1568 /* 1569 * Now check for add permissions 1570 */ 1571 error = zfs_zaccess(tdzp, add_perm, cr); 1572 1573 return (error); 1574 } 1575