1 /* 2 * CDDL HEADER START 3 * 4 * The contents of this file are subject to the terms of the 5 * Common Development and Distribution License (the "License"). 6 * You may not use this file except in compliance with the License. 7 * 8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE 9 * or http://www.opensolaris.org/os/licensing. 10 * See the License for the specific language governing permissions 11 * and limitations under the License. 12 * 13 * When distributing Covered Code, include this CDDL HEADER in each 14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE. 15 * If applicable, add the following below this CDDL HEADER, with the 16 * fields enclosed by brackets "[]" replaced with your own identifying 17 * information: Portions Copyright [yyyy] [name of copyright owner] 18 * 19 * CDDL HEADER END 20 */ 21 /* 22 * Copyright 2008 Sun Microsystems, Inc. All rights reserved. 23 * Use is subject to license terms. 24 */ 25 26 #pragma ident "%Z%%M% %I% %E% SMI" 27 28 #include <sys/types.h> 29 #include <sys/param.h> 30 #include <sys/time.h> 31 #include <sys/systm.h> 32 #include <sys/sysmacros.h> 33 #include <sys/resource.h> 34 #include <sys/vfs.h> 35 #include <sys/vnode.h> 36 #include <sys/sid.h> 37 #include <sys/file.h> 38 #include <sys/stat.h> 39 #include <sys/kmem.h> 40 #include <sys/cmn_err.h> 41 #include <sys/errno.h> 42 #include <sys/unistd.h> 43 #include <sys/sdt.h> 44 #include <sys/fs/zfs.h> 45 #include <sys/mode.h> 46 #include <sys/policy.h> 47 #include <sys/zfs_znode.h> 48 #include <sys/zfs_fuid.h> 49 #include <sys/zfs_acl.h> 50 #include <sys/zfs_dir.h> 51 #include <sys/zfs_vfsops.h> 52 #include <sys/dmu.h> 53 #include <sys/dnode.h> 54 #include <sys/zap.h> 55 #include "fs/fs_subr.h" 56 #include <acl/acl_common.h> 57 58 #define ALLOW ACE_ACCESS_ALLOWED_ACE_TYPE 59 #define DENY ACE_ACCESS_DENIED_ACE_TYPE 60 #define MAX_ACE_TYPE ACE_SYSTEM_ALARM_CALLBACK_OBJECT_ACE_TYPE 61 62 #define OWNING_GROUP (ACE_GROUP|ACE_IDENTIFIER_GROUP) 63 #define EVERYONE_ALLOW_MASK (ACE_READ_ACL|ACE_READ_ATTRIBUTES | \ 64 ACE_READ_NAMED_ATTRS|ACE_SYNCHRONIZE) 65 #define EVERYONE_DENY_MASK (ACE_WRITE_ACL|ACE_WRITE_OWNER | \ 66 ACE_WRITE_ATTRIBUTES|ACE_WRITE_NAMED_ATTRS) 67 #define OWNER_ALLOW_MASK (ACE_WRITE_ACL | ACE_WRITE_OWNER | \ 68 ACE_WRITE_ATTRIBUTES|ACE_WRITE_NAMED_ATTRS) 69 #define WRITE_MASK_DATA (ACE_WRITE_DATA|ACE_APPEND_DATA|ACE_WRITE_NAMED_ATTRS) 70 71 #define ZFS_CHECKED_MASKS (ACE_READ_ACL|ACE_READ_ATTRIBUTES|ACE_READ_DATA| \ 72 ACE_READ_NAMED_ATTRS|ACE_WRITE_DATA|ACE_WRITE_ATTRIBUTES| \ 73 ACE_WRITE_NAMED_ATTRS|ACE_APPEND_DATA|ACE_EXECUTE|ACE_WRITE_OWNER| \ 74 ACE_WRITE_ACL|ACE_DELETE|ACE_DELETE_CHILD|ACE_SYNCHRONIZE) 75 76 #define WRITE_MASK (WRITE_MASK_DATA|ACE_WRITE_ATTRIBUTES|ACE_WRITE_ACL|\ 77 ACE_WRITE_OWNER) 78 79 #define OGE_CLEAR (ACE_READ_DATA|ACE_LIST_DIRECTORY|ACE_WRITE_DATA| \ 80 ACE_ADD_FILE|ACE_APPEND_DATA|ACE_ADD_SUBDIRECTORY|ACE_EXECUTE) 81 82 #define OKAY_MASK_BITS (ACE_READ_DATA|ACE_LIST_DIRECTORY|ACE_WRITE_DATA| \ 83 ACE_ADD_FILE|ACE_APPEND_DATA|ACE_ADD_SUBDIRECTORY|ACE_EXECUTE) 84 85 #define ALL_INHERIT (ACE_FILE_INHERIT_ACE|ACE_DIRECTORY_INHERIT_ACE | \ 86 ACE_NO_PROPAGATE_INHERIT_ACE|ACE_INHERIT_ONLY_ACE|ACE_INHERITED_ACE) 87 88 #define SECURE_CLEAR (ACE_WRITE_ACL|ACE_WRITE_OWNER) 89 90 #define V4_ACL_WIDE_FLAGS (ZFS_ACL_AUTO_INHERIT|ZFS_ACL_DEFAULTED|\ 91 ZFS_ACL_PROTECTED) 92 93 #define ZFS_ACL_WIDE_FLAGS (V4_ACL_WIDE_FLAGS|ZFS_ACL_TRIVIAL|ZFS_INHERIT_ACE|\ 94 ZFS_ACL_OBJ_ACE) 95 96 static uint16_t 97 zfs_ace_v0_get_type(void *acep) 98 { 99 return (((zfs_oldace_t *)acep)->z_type); 100 } 101 102 static uint16_t 103 zfs_ace_v0_get_flags(void *acep) 104 { 105 return (((zfs_oldace_t *)acep)->z_flags); 106 } 107 108 static uint32_t 109 zfs_ace_v0_get_mask(void *acep) 110 { 111 return (((zfs_oldace_t *)acep)->z_access_mask); 112 } 113 114 static uint64_t 115 zfs_ace_v0_get_who(void *acep) 116 { 117 return (((zfs_oldace_t *)acep)->z_fuid); 118 } 119 120 static void 121 zfs_ace_v0_set_type(void *acep, uint16_t type) 122 { 123 ((zfs_oldace_t *)acep)->z_type = type; 124 } 125 126 static void 127 zfs_ace_v0_set_flags(void *acep, uint16_t flags) 128 { 129 ((zfs_oldace_t *)acep)->z_flags = flags; 130 } 131 132 static void 133 zfs_ace_v0_set_mask(void *acep, uint32_t mask) 134 { 135 ((zfs_oldace_t *)acep)->z_access_mask = mask; 136 } 137 138 static void 139 zfs_ace_v0_set_who(void *acep, uint64_t who) 140 { 141 ((zfs_oldace_t *)acep)->z_fuid = who; 142 } 143 144 /*ARGSUSED*/ 145 static size_t 146 zfs_ace_v0_size(void *acep) 147 { 148 return (sizeof (zfs_oldace_t)); 149 } 150 151 static size_t 152 zfs_ace_v0_abstract_size(void) 153 { 154 return (sizeof (zfs_oldace_t)); 155 } 156 157 static int 158 zfs_ace_v0_mask_off(void) 159 { 160 return (offsetof(zfs_oldace_t, z_access_mask)); 161 } 162 163 /*ARGSUSED*/ 164 static int 165 zfs_ace_v0_data(void *acep, void **datap) 166 { 167 *datap = NULL; 168 return (0); 169 } 170 171 static acl_ops_t zfs_acl_v0_ops = { 172 zfs_ace_v0_get_mask, 173 zfs_ace_v0_set_mask, 174 zfs_ace_v0_get_flags, 175 zfs_ace_v0_set_flags, 176 zfs_ace_v0_get_type, 177 zfs_ace_v0_set_type, 178 zfs_ace_v0_get_who, 179 zfs_ace_v0_set_who, 180 zfs_ace_v0_size, 181 zfs_ace_v0_abstract_size, 182 zfs_ace_v0_mask_off, 183 zfs_ace_v0_data 184 }; 185 186 static uint16_t 187 zfs_ace_fuid_get_type(void *acep) 188 { 189 return (((zfs_ace_hdr_t *)acep)->z_type); 190 } 191 192 static uint16_t 193 zfs_ace_fuid_get_flags(void *acep) 194 { 195 return (((zfs_ace_hdr_t *)acep)->z_flags); 196 } 197 198 static uint32_t 199 zfs_ace_fuid_get_mask(void *acep) 200 { 201 return (((zfs_ace_hdr_t *)acep)->z_access_mask); 202 } 203 204 static uint64_t 205 zfs_ace_fuid_get_who(void *args) 206 { 207 uint16_t entry_type; 208 zfs_ace_t *acep = args; 209 210 entry_type = acep->z_hdr.z_flags & ACE_TYPE_FLAGS; 211 212 if (entry_type == ACE_OWNER || entry_type == OWNING_GROUP || 213 entry_type == ACE_EVERYONE) 214 return (-1); 215 return (((zfs_ace_t *)acep)->z_fuid); 216 } 217 218 static void 219 zfs_ace_fuid_set_type(void *acep, uint16_t type) 220 { 221 ((zfs_ace_hdr_t *)acep)->z_type = type; 222 } 223 224 static void 225 zfs_ace_fuid_set_flags(void *acep, uint16_t flags) 226 { 227 ((zfs_ace_hdr_t *)acep)->z_flags = flags; 228 } 229 230 static void 231 zfs_ace_fuid_set_mask(void *acep, uint32_t mask) 232 { 233 ((zfs_ace_hdr_t *)acep)->z_access_mask = mask; 234 } 235 236 static void 237 zfs_ace_fuid_set_who(void *arg, uint64_t who) 238 { 239 zfs_ace_t *acep = arg; 240 241 uint16_t entry_type = acep->z_hdr.z_flags & ACE_TYPE_FLAGS; 242 243 if (entry_type == ACE_OWNER || entry_type == OWNING_GROUP || 244 entry_type == ACE_EVERYONE) 245 return; 246 acep->z_fuid = who; 247 } 248 249 static size_t 250 zfs_ace_fuid_size(void *acep) 251 { 252 zfs_ace_hdr_t *zacep = acep; 253 uint16_t entry_type; 254 255 switch (zacep->z_type) { 256 case ACE_ACCESS_ALLOWED_OBJECT_ACE_TYPE: 257 case ACE_ACCESS_DENIED_OBJECT_ACE_TYPE: 258 case ACE_SYSTEM_AUDIT_OBJECT_ACE_TYPE: 259 case ACE_SYSTEM_ALARM_OBJECT_ACE_TYPE: 260 return (sizeof (zfs_object_ace_t)); 261 case ALLOW: 262 case DENY: 263 entry_type = 264 (((zfs_ace_hdr_t *)acep)->z_flags & ACE_TYPE_FLAGS); 265 if (entry_type == ACE_OWNER || 266 entry_type == (ACE_GROUP | ACE_IDENTIFIER_GROUP) || 267 entry_type == ACE_EVERYONE) 268 return (sizeof (zfs_ace_hdr_t)); 269 /*FALLTHROUGH*/ 270 default: 271 return (sizeof (zfs_ace_t)); 272 } 273 } 274 275 static size_t 276 zfs_ace_fuid_abstract_size(void) 277 { 278 return (sizeof (zfs_ace_hdr_t)); 279 } 280 281 static int 282 zfs_ace_fuid_mask_off(void) 283 { 284 return (offsetof(zfs_ace_hdr_t, z_access_mask)); 285 } 286 287 static int 288 zfs_ace_fuid_data(void *acep, void **datap) 289 { 290 zfs_ace_t *zacep = acep; 291 zfs_object_ace_t *zobjp; 292 293 switch (zacep->z_hdr.z_type) { 294 case ACE_ACCESS_ALLOWED_OBJECT_ACE_TYPE: 295 case ACE_ACCESS_DENIED_OBJECT_ACE_TYPE: 296 case ACE_SYSTEM_AUDIT_OBJECT_ACE_TYPE: 297 case ACE_SYSTEM_ALARM_OBJECT_ACE_TYPE: 298 zobjp = acep; 299 *datap = (caddr_t)zobjp + sizeof (zfs_ace_t); 300 return (sizeof (zfs_object_ace_t) - sizeof (zfs_ace_t)); 301 default: 302 *datap = NULL; 303 return (0); 304 } 305 } 306 307 static acl_ops_t zfs_acl_fuid_ops = { 308 zfs_ace_fuid_get_mask, 309 zfs_ace_fuid_set_mask, 310 zfs_ace_fuid_get_flags, 311 zfs_ace_fuid_set_flags, 312 zfs_ace_fuid_get_type, 313 zfs_ace_fuid_set_type, 314 zfs_ace_fuid_get_who, 315 zfs_ace_fuid_set_who, 316 zfs_ace_fuid_size, 317 zfs_ace_fuid_abstract_size, 318 zfs_ace_fuid_mask_off, 319 zfs_ace_fuid_data 320 }; 321 322 static int 323 zfs_acl_version(int version) 324 { 325 if (version < ZPL_VERSION_FUID) 326 return (ZFS_ACL_VERSION_INITIAL); 327 else 328 return (ZFS_ACL_VERSION_FUID); 329 } 330 331 static int 332 zfs_acl_version_zp(znode_t *zp) 333 { 334 return (zfs_acl_version(zp->z_zfsvfs->z_version)); 335 } 336 337 static zfs_acl_t * 338 zfs_acl_alloc(int vers) 339 { 340 zfs_acl_t *aclp; 341 342 aclp = kmem_zalloc(sizeof (zfs_acl_t), KM_SLEEP); 343 list_create(&aclp->z_acl, sizeof (zfs_acl_node_t), 344 offsetof(zfs_acl_node_t, z_next)); 345 aclp->z_version = vers; 346 if (vers == ZFS_ACL_VERSION_FUID) 347 aclp->z_ops = zfs_acl_fuid_ops; 348 else 349 aclp->z_ops = zfs_acl_v0_ops; 350 return (aclp); 351 } 352 353 static zfs_acl_node_t * 354 zfs_acl_node_alloc(size_t bytes) 355 { 356 zfs_acl_node_t *aclnode; 357 358 aclnode = kmem_zalloc(sizeof (zfs_acl_node_t), KM_SLEEP); 359 if (bytes) { 360 aclnode->z_acldata = kmem_alloc(bytes, KM_SLEEP); 361 aclnode->z_allocdata = aclnode->z_acldata; 362 aclnode->z_allocsize = bytes; 363 aclnode->z_size = bytes; 364 } 365 366 return (aclnode); 367 } 368 369 static void 370 zfs_acl_node_free(zfs_acl_node_t *aclnode) 371 { 372 if (aclnode->z_allocsize) 373 kmem_free(aclnode->z_allocdata, aclnode->z_allocsize); 374 kmem_free(aclnode, sizeof (zfs_acl_node_t)); 375 } 376 377 static void 378 zfs_acl_release_nodes(zfs_acl_t *aclp) 379 { 380 zfs_acl_node_t *aclnode; 381 382 while (aclnode = list_head(&aclp->z_acl)) { 383 list_remove(&aclp->z_acl, aclnode); 384 zfs_acl_node_free(aclnode); 385 } 386 aclp->z_acl_count = 0; 387 aclp->z_acl_bytes = 0; 388 } 389 390 void 391 zfs_acl_free(zfs_acl_t *aclp) 392 { 393 zfs_acl_release_nodes(aclp); 394 list_destroy(&aclp->z_acl); 395 kmem_free(aclp, sizeof (zfs_acl_t)); 396 } 397 398 static boolean_t 399 zfs_ace_valid(vtype_t obj_type, zfs_acl_t *aclp, uint16_t type, uint16_t iflags) 400 { 401 /* 402 * first check type of entry 403 */ 404 405 switch (iflags & ACE_TYPE_FLAGS) { 406 case ACE_OWNER: 407 case (ACE_IDENTIFIER_GROUP | ACE_GROUP): 408 case ACE_IDENTIFIER_GROUP: 409 case ACE_EVERYONE: 410 case 0: /* User entry */ 411 break; 412 default: 413 return (B_FALSE); 414 415 } 416 417 /* 418 * next check inheritance level flags 419 */ 420 421 if (type != ALLOW && type > MAX_ACE_TYPE) { 422 return (B_FALSE); 423 } 424 425 switch (type) { 426 case ACE_ACCESS_ALLOWED_OBJECT_ACE_TYPE: 427 case ACE_ACCESS_DENIED_OBJECT_ACE_TYPE: 428 case ACE_SYSTEM_AUDIT_OBJECT_ACE_TYPE: 429 case ACE_SYSTEM_ALARM_OBJECT_ACE_TYPE: 430 if (aclp->z_version < ZFS_ACL_VERSION_FUID) 431 return (B_FALSE); 432 aclp->z_hints |= ZFS_ACL_OBJ_ACE; 433 } 434 435 /* 436 * Only directories should have inheritance flags. 437 */ 438 if (obj_type != VDIR && (iflags & 439 (ACE_FILE_INHERIT_ACE|ACE_DIRECTORY_INHERIT_ACE| 440 ACE_INHERIT_ONLY_ACE|ACE_NO_PROPAGATE_INHERIT_ACE))) { 441 return (B_FALSE); 442 } 443 444 if (iflags & (ACE_FILE_INHERIT_ACE|ACE_DIRECTORY_INHERIT_ACE)) 445 aclp->z_hints |= ZFS_INHERIT_ACE; 446 447 if (iflags & (ACE_INHERIT_ONLY_ACE|ACE_NO_PROPAGATE_INHERIT_ACE)) { 448 if ((iflags & (ACE_FILE_INHERIT_ACE| 449 ACE_DIRECTORY_INHERIT_ACE)) == 0) { 450 return (B_FALSE); 451 } 452 } 453 454 return (B_TRUE); 455 } 456 457 static void * 458 zfs_acl_next_ace(zfs_acl_t *aclp, void *start, uint64_t *who, 459 uint32_t *access_mask, uint16_t *iflags, uint16_t *type) 460 { 461 zfs_acl_node_t *aclnode; 462 463 if (start == NULL) { 464 aclnode = list_head(&aclp->z_acl); 465 if (aclnode == NULL) 466 return (NULL); 467 468 aclp->z_next_ace = aclnode->z_acldata; 469 aclp->z_curr_node = aclnode; 470 aclnode->z_ace_idx = 0; 471 } 472 473 aclnode = aclp->z_curr_node; 474 475 if (aclnode == NULL) 476 return (NULL); 477 478 if (aclnode->z_ace_idx >= aclnode->z_ace_count) { 479 aclnode = list_next(&aclp->z_acl, aclnode); 480 if (aclnode == NULL) 481 return (NULL); 482 else { 483 aclp->z_curr_node = aclnode; 484 aclnode->z_ace_idx = 0; 485 aclp->z_next_ace = aclnode->z_acldata; 486 } 487 } 488 489 if (aclnode->z_ace_idx < aclnode->z_ace_count) { 490 void *acep = aclp->z_next_ace; 491 *iflags = aclp->z_ops.ace_flags_get(acep); 492 *type = aclp->z_ops.ace_type_get(acep); 493 *access_mask = aclp->z_ops.ace_mask_get(acep); 494 *who = aclp->z_ops.ace_who_get(acep); 495 aclp->z_next_ace = (caddr_t)aclp->z_next_ace + 496 aclp->z_ops.ace_size(acep); 497 aclnode->z_ace_idx++; 498 return ((void *)acep); 499 } 500 return (NULL); 501 } 502 503 /*ARGSUSED*/ 504 static uint64_t 505 zfs_ace_walk(void *datap, uint64_t cookie, int aclcnt, 506 uint16_t *flags, uint16_t *type, uint32_t *mask) 507 { 508 zfs_acl_t *aclp = datap; 509 zfs_ace_hdr_t *acep = (zfs_ace_hdr_t *)(uintptr_t)cookie; 510 uint64_t who; 511 512 acep = zfs_acl_next_ace(aclp, acep, &who, mask, 513 flags, type); 514 return ((uint64_t)(uintptr_t)acep); 515 } 516 517 static zfs_acl_node_t * 518 zfs_acl_curr_node(zfs_acl_t *aclp) 519 { 520 ASSERT(aclp->z_curr_node); 521 return (aclp->z_curr_node); 522 } 523 524 /* 525 * Copy ACE to internal ZFS format. 526 * While processing the ACL each ACE will be validated for correctness. 527 * ACE FUIDs will be created later. 528 */ 529 int 530 zfs_copy_ace_2_fuid(vtype_t obj_type, zfs_acl_t *aclp, void *datap, 531 zfs_ace_t *z_acl, int aclcnt, size_t *size) 532 { 533 int i; 534 uint16_t entry_type; 535 zfs_ace_t *aceptr = z_acl; 536 ace_t *acep = datap; 537 zfs_object_ace_t *zobjacep; 538 ace_object_t *aceobjp; 539 540 for (i = 0; i != aclcnt; i++) { 541 aceptr->z_hdr.z_access_mask = acep->a_access_mask; 542 aceptr->z_hdr.z_flags = acep->a_flags; 543 aceptr->z_hdr.z_type = acep->a_type; 544 entry_type = aceptr->z_hdr.z_flags & ACE_TYPE_FLAGS; 545 if (entry_type != ACE_OWNER && entry_type != OWNING_GROUP && 546 entry_type != ACE_EVERYONE) { 547 if (!aclp->z_has_fuids) 548 aclp->z_has_fuids = IS_EPHEMERAL(acep->a_who) ? 549 B_TRUE : B_FALSE; 550 aceptr->z_fuid = (uint64_t)acep->a_who; 551 } 552 553 /* 554 * Make sure ACE is valid 555 */ 556 if (zfs_ace_valid(obj_type, aclp, aceptr->z_hdr.z_type, 557 aceptr->z_hdr.z_flags) != B_TRUE) 558 return (EINVAL); 559 560 switch (acep->a_type) { 561 case ACE_ACCESS_ALLOWED_OBJECT_ACE_TYPE: 562 case ACE_ACCESS_DENIED_OBJECT_ACE_TYPE: 563 case ACE_SYSTEM_AUDIT_OBJECT_ACE_TYPE: 564 case ACE_SYSTEM_ALARM_OBJECT_ACE_TYPE: 565 zobjacep = (zfs_object_ace_t *)aceptr; 566 aceobjp = (ace_object_t *)acep; 567 568 bcopy(aceobjp->a_obj_type, zobjacep->z_object_type, 569 sizeof (aceobjp->a_obj_type)); 570 bcopy(aceobjp->a_inherit_obj_type, 571 zobjacep->z_inherit_type, 572 sizeof (aceobjp->a_inherit_obj_type)); 573 acep = (ace_t *)((caddr_t)acep + sizeof (ace_object_t)); 574 break; 575 default: 576 acep = (ace_t *)((caddr_t)acep + sizeof (ace_t)); 577 } 578 579 aceptr = (zfs_ace_t *)((caddr_t)aceptr + 580 aclp->z_ops.ace_size(aceptr)); 581 } 582 583 *size = (caddr_t)aceptr - (caddr_t)z_acl; 584 585 return (0); 586 } 587 588 /* 589 * Copy ZFS ACEs to fixed size ace_t layout 590 */ 591 static void 592 zfs_copy_fuid_2_ace(zfsvfs_t *zfsvfs, zfs_acl_t *aclp, cred_t *cr, 593 void *datap, int filter) 594 { 595 uint64_t who; 596 uint32_t access_mask; 597 uint16_t iflags, type; 598 zfs_ace_hdr_t *zacep = NULL; 599 ace_t *acep = datap; 600 ace_object_t *objacep; 601 zfs_object_ace_t *zobjacep; 602 zfs_fuid_hdl_t hdl = { 0 }; 603 size_t ace_size; 604 uint16_t entry_type; 605 606 while (zacep = zfs_acl_next_ace(aclp, zacep, 607 &who, &access_mask, &iflags, &type)) { 608 609 switch (type) { 610 case ACE_ACCESS_ALLOWED_OBJECT_ACE_TYPE: 611 case ACE_ACCESS_DENIED_OBJECT_ACE_TYPE: 612 case ACE_SYSTEM_AUDIT_OBJECT_ACE_TYPE: 613 case ACE_SYSTEM_ALARM_OBJECT_ACE_TYPE: 614 if (filter) { 615 continue; 616 } 617 zobjacep = (zfs_object_ace_t *)zacep; 618 objacep = (ace_object_t *)acep; 619 bcopy(zobjacep->z_object_type, 620 objacep->a_obj_type, 621 sizeof (zobjacep->z_object_type)); 622 bcopy(zobjacep->z_inherit_type, 623 objacep->a_inherit_obj_type, 624 sizeof (zobjacep->z_inherit_type)); 625 ace_size = sizeof (ace_object_t); 626 break; 627 default: 628 ace_size = sizeof (ace_t); 629 break; 630 } 631 632 entry_type = (iflags & ACE_TYPE_FLAGS); 633 if ((entry_type != ACE_OWNER && 634 entry_type != (ACE_GROUP | ACE_IDENTIFIER_GROUP) && 635 entry_type != ACE_EVERYONE)) 636 zfs_fuid_queue_map_id(zfsvfs, &hdl, who, cr, 637 (entry_type & ACE_IDENTIFIER_GROUP) ? 638 ZFS_ACE_GROUP : ZFS_ACE_USER, &acep->a_who); 639 else 640 acep->a_who = (uid_t)(int64_t)who; 641 acep->a_access_mask = access_mask; 642 acep->a_flags = iflags; 643 acep->a_type = type; 644 acep = (ace_t *)((caddr_t)acep + ace_size); 645 } 646 zfs_fuid_get_mappings(&hdl); 647 } 648 649 static int 650 zfs_copy_ace_2_oldace(vtype_t obj_type, zfs_acl_t *aclp, ace_t *acep, 651 zfs_oldace_t *z_acl, int aclcnt, size_t *size) 652 { 653 int i; 654 zfs_oldace_t *aceptr = z_acl; 655 656 for (i = 0; i != aclcnt; i++, aceptr++) { 657 aceptr->z_access_mask = acep[i].a_access_mask; 658 aceptr->z_type = acep[i].a_type; 659 aceptr->z_flags = acep[i].a_flags; 660 aceptr->z_fuid = acep[i].a_who; 661 /* 662 * Make sure ACE is valid 663 */ 664 if (zfs_ace_valid(obj_type, aclp, aceptr->z_type, 665 aceptr->z_flags) != B_TRUE) 666 return (EINVAL); 667 } 668 *size = (caddr_t)aceptr - (caddr_t)z_acl; 669 return (0); 670 } 671 672 /* 673 * convert old ACL format to new 674 */ 675 void 676 zfs_acl_xform(znode_t *zp, zfs_acl_t *aclp) 677 { 678 zfs_oldace_t *oldaclp; 679 int i; 680 uint16_t type, iflags; 681 uint32_t access_mask; 682 uint64_t who; 683 void *cookie = NULL; 684 zfs_acl_node_t *newaclnode; 685 686 ASSERT(aclp->z_version == ZFS_ACL_VERSION_INITIAL); 687 /* 688 * First create the ACE in a contiguous piece of memory 689 * for zfs_copy_ace_2_fuid(). 690 * 691 * We only convert an ACL once, so this won't happen 692 * everytime. 693 */ 694 oldaclp = kmem_alloc(sizeof (zfs_oldace_t) * aclp->z_acl_count, 695 KM_SLEEP); 696 i = 0; 697 while (cookie = zfs_acl_next_ace(aclp, cookie, &who, 698 &access_mask, &iflags, &type)) { 699 oldaclp[i].z_flags = iflags; 700 oldaclp[i].z_type = type; 701 oldaclp[i].z_fuid = who; 702 oldaclp[i++].z_access_mask = access_mask; 703 } 704 705 newaclnode = zfs_acl_node_alloc(aclp->z_acl_count * 706 sizeof (zfs_object_ace_t)); 707 aclp->z_ops = zfs_acl_fuid_ops; 708 VERIFY(zfs_copy_ace_2_fuid(ZTOV(zp)->v_type, aclp, oldaclp, 709 newaclnode->z_acldata, aclp->z_acl_count, 710 &newaclnode->z_size) == 0); 711 newaclnode->z_ace_count = aclp->z_acl_count; 712 aclp->z_version = ZFS_ACL_VERSION; 713 kmem_free(oldaclp, aclp->z_acl_count * sizeof (zfs_oldace_t)); 714 715 /* 716 * Release all previous ACL nodes 717 */ 718 719 zfs_acl_release_nodes(aclp); 720 721 list_insert_head(&aclp->z_acl, newaclnode); 722 723 aclp->z_acl_bytes = newaclnode->z_size; 724 aclp->z_acl_count = newaclnode->z_ace_count; 725 726 } 727 728 /* 729 * Convert unix access mask to v4 access mask 730 */ 731 static uint32_t 732 zfs_unix_to_v4(uint32_t access_mask) 733 { 734 uint32_t new_mask = 0; 735 736 if (access_mask & S_IXOTH) 737 new_mask |= ACE_EXECUTE; 738 if (access_mask & S_IWOTH) 739 new_mask |= ACE_WRITE_DATA; 740 if (access_mask & S_IROTH) 741 new_mask |= ACE_READ_DATA; 742 return (new_mask); 743 } 744 745 static void 746 zfs_set_ace(zfs_acl_t *aclp, void *acep, uint32_t access_mask, 747 uint16_t access_type, uint64_t fuid, uint16_t entry_type) 748 { 749 uint16_t type = entry_type & ACE_TYPE_FLAGS; 750 751 aclp->z_ops.ace_mask_set(acep, access_mask); 752 aclp->z_ops.ace_type_set(acep, access_type); 753 aclp->z_ops.ace_flags_set(acep, entry_type); 754 if ((type != ACE_OWNER && type != (ACE_GROUP | ACE_IDENTIFIER_GROUP) && 755 type != ACE_EVERYONE)) 756 aclp->z_ops.ace_who_set(acep, fuid); 757 } 758 759 /* 760 * Determine mode of file based on ACL. 761 * Also, create FUIDs for any User/Group ACEs 762 */ 763 static uint64_t 764 zfs_mode_fuid_compute(znode_t *zp, zfs_acl_t *aclp, cred_t *cr, 765 zfs_fuid_info_t **fuidp, dmu_tx_t *tx) 766 { 767 int entry_type; 768 mode_t mode; 769 mode_t seen = 0; 770 zfs_ace_hdr_t *acep = NULL; 771 uint64_t who; 772 uint16_t iflags, type; 773 uint32_t access_mask; 774 775 mode = (zp->z_phys->zp_mode & (S_IFMT | S_ISUID | S_ISGID | S_ISVTX)); 776 777 while (acep = zfs_acl_next_ace(aclp, acep, &who, 778 &access_mask, &iflags, &type)) { 779 780 /* 781 * Skip over inherit only ACEs 782 */ 783 if (iflags & ACE_INHERIT_ONLY_ACE) 784 continue; 785 786 entry_type = (iflags & ACE_TYPE_FLAGS); 787 788 if (entry_type == ACE_OWNER) { 789 if ((access_mask & ACE_READ_DATA) && 790 (!(seen & S_IRUSR))) { 791 seen |= S_IRUSR; 792 if (type == ALLOW) { 793 mode |= S_IRUSR; 794 } 795 } 796 if ((access_mask & ACE_WRITE_DATA) && 797 (!(seen & S_IWUSR))) { 798 seen |= S_IWUSR; 799 if (type == ALLOW) { 800 mode |= S_IWUSR; 801 } 802 } 803 if ((access_mask & ACE_EXECUTE) && 804 (!(seen & S_IXUSR))) { 805 seen |= S_IXUSR; 806 if (type == ALLOW) { 807 mode |= S_IXUSR; 808 } 809 } 810 } else if (entry_type == OWNING_GROUP) { 811 if ((access_mask & ACE_READ_DATA) && 812 (!(seen & S_IRGRP))) { 813 seen |= S_IRGRP; 814 if (type == ALLOW) { 815 mode |= S_IRGRP; 816 } 817 } 818 if ((access_mask & ACE_WRITE_DATA) && 819 (!(seen & S_IWGRP))) { 820 seen |= S_IWGRP; 821 if (type == ALLOW) { 822 mode |= S_IWGRP; 823 } 824 } 825 if ((access_mask & ACE_EXECUTE) && 826 (!(seen & S_IXGRP))) { 827 seen |= S_IXGRP; 828 if (type == ALLOW) { 829 mode |= S_IXGRP; 830 } 831 } 832 } else if (entry_type == ACE_EVERYONE) { 833 if ((access_mask & ACE_READ_DATA)) { 834 if (!(seen & S_IRUSR)) { 835 seen |= S_IRUSR; 836 if (type == ALLOW) { 837 mode |= S_IRUSR; 838 } 839 } 840 if (!(seen & S_IRGRP)) { 841 seen |= S_IRGRP; 842 if (type == ALLOW) { 843 mode |= S_IRGRP; 844 } 845 } 846 if (!(seen & S_IROTH)) { 847 seen |= S_IROTH; 848 if (type == ALLOW) { 849 mode |= S_IROTH; 850 } 851 } 852 } 853 if ((access_mask & ACE_WRITE_DATA)) { 854 if (!(seen & S_IWUSR)) { 855 seen |= S_IWUSR; 856 if (type == ALLOW) { 857 mode |= S_IWUSR; 858 } 859 } 860 if (!(seen & S_IWGRP)) { 861 seen |= S_IWGRP; 862 if (type == ALLOW) { 863 mode |= S_IWGRP; 864 } 865 } 866 if (!(seen & S_IWOTH)) { 867 seen |= S_IWOTH; 868 if (type == ALLOW) { 869 mode |= S_IWOTH; 870 } 871 } 872 } 873 if ((access_mask & ACE_EXECUTE)) { 874 if (!(seen & S_IXUSR)) { 875 seen |= S_IXUSR; 876 if (type == ALLOW) { 877 mode |= S_IXUSR; 878 } 879 } 880 if (!(seen & S_IXGRP)) { 881 seen |= S_IXGRP; 882 if (type == ALLOW) { 883 mode |= S_IXGRP; 884 } 885 } 886 if (!(seen & S_IXOTH)) { 887 seen |= S_IXOTH; 888 if (type == ALLOW) { 889 mode |= S_IXOTH; 890 } 891 } 892 } 893 } 894 /* 895 * Now handle FUID create for user/group ACEs 896 */ 897 if (entry_type == 0 || entry_type == ACE_IDENTIFIER_GROUP) { 898 aclp->z_ops.ace_who_set(acep, 899 zfs_fuid_create(zp->z_zfsvfs, who, cr, 900 entry_type == 0 ? ZFS_ACE_USER : ZFS_ACE_GROUP, tx, 901 fuidp)); 902 } 903 } 904 return (mode); 905 } 906 907 static zfs_acl_t * 908 zfs_acl_node_read_internal(znode_t *zp, boolean_t will_modify) 909 { 910 zfs_acl_t *aclp; 911 zfs_acl_node_t *aclnode; 912 913 aclp = zfs_acl_alloc(zp->z_phys->zp_acl.z_acl_version); 914 915 /* 916 * Version 0 to 1 znode_acl_phys has the size/count fields swapped. 917 * Version 0 didn't have a size field, only a count. 918 */ 919 if (zp->z_phys->zp_acl.z_acl_version == ZFS_ACL_VERSION_INITIAL) { 920 aclp->z_acl_count = zp->z_phys->zp_acl.z_acl_size; 921 aclp->z_acl_bytes = ZFS_ACL_SIZE(aclp->z_acl_count); 922 } else { 923 aclp->z_acl_count = zp->z_phys->zp_acl.z_acl_count; 924 aclp->z_acl_bytes = zp->z_phys->zp_acl.z_acl_size; 925 } 926 927 aclnode = zfs_acl_node_alloc(will_modify ? aclp->z_acl_bytes : 0); 928 aclnode->z_ace_count = aclp->z_acl_count; 929 if (will_modify) { 930 bcopy(zp->z_phys->zp_acl.z_ace_data, aclnode->z_acldata, 931 aclp->z_acl_bytes); 932 } else { 933 aclnode->z_size = aclp->z_acl_bytes; 934 aclnode->z_acldata = &zp->z_phys->zp_acl.z_ace_data[0]; 935 } 936 937 list_insert_head(&aclp->z_acl, aclnode); 938 939 return (aclp); 940 } 941 942 /* 943 * Read an external acl object. 944 */ 945 static int 946 zfs_acl_node_read(znode_t *zp, zfs_acl_t **aclpp, boolean_t will_modify) 947 { 948 uint64_t extacl = zp->z_phys->zp_acl.z_acl_extern_obj; 949 zfs_acl_t *aclp; 950 size_t aclsize; 951 size_t acl_count; 952 zfs_acl_node_t *aclnode; 953 int error; 954 955 ASSERT(MUTEX_HELD(&zp->z_acl_lock)); 956 957 if (zp->z_phys->zp_acl.z_acl_extern_obj == 0) { 958 *aclpp = zfs_acl_node_read_internal(zp, will_modify); 959 return (0); 960 } 961 962 aclp = zfs_acl_alloc(zp->z_phys->zp_acl.z_acl_version); 963 if (zp->z_phys->zp_acl.z_acl_version == ZFS_ACL_VERSION_INITIAL) { 964 zfs_acl_phys_v0_t *zacl0 = 965 (zfs_acl_phys_v0_t *)&zp->z_phys->zp_acl; 966 967 aclsize = ZFS_ACL_SIZE(zacl0->z_acl_count); 968 acl_count = zacl0->z_acl_count; 969 } else { 970 aclsize = zp->z_phys->zp_acl.z_acl_size; 971 acl_count = zp->z_phys->zp_acl.z_acl_count; 972 if (aclsize == 0) 973 aclsize = acl_count * sizeof (zfs_ace_t); 974 } 975 aclnode = zfs_acl_node_alloc(aclsize); 976 list_insert_head(&aclp->z_acl, aclnode); 977 error = dmu_read(zp->z_zfsvfs->z_os, extacl, 0, 978 aclsize, aclnode->z_acldata); 979 aclnode->z_ace_count = acl_count; 980 aclp->z_acl_count = acl_count; 981 aclp->z_acl_bytes = aclsize; 982 983 if (error != 0) { 984 zfs_acl_free(aclp); 985 return (error); 986 } 987 988 *aclpp = aclp; 989 return (0); 990 } 991 992 /* 993 * common code for setting ACLs. 994 * 995 * This function is called from zfs_mode_update, zfs_perm_init, and zfs_setacl. 996 * zfs_setacl passes a non-NULL inherit pointer (ihp) to indicate that it's 997 * already checked the acl and knows whether to inherit. 998 */ 999 int 1000 zfs_aclset_common(znode_t *zp, zfs_acl_t *aclp, cred_t *cr, 1001 zfs_fuid_info_t **fuidp, dmu_tx_t *tx) 1002 { 1003 int error; 1004 znode_phys_t *zphys = zp->z_phys; 1005 zfs_acl_phys_t *zacl = &zphys->zp_acl; 1006 zfsvfs_t *zfsvfs = zp->z_zfsvfs; 1007 uint64_t aoid = zphys->zp_acl.z_acl_extern_obj; 1008 uint64_t off = 0; 1009 dmu_object_type_t otype; 1010 zfs_acl_node_t *aclnode; 1011 1012 ASSERT(MUTEX_HELD(&zp->z_lock)); 1013 ASSERT(MUTEX_HELD(&zp->z_acl_lock)); 1014 1015 dmu_buf_will_dirty(zp->z_dbuf, tx); 1016 1017 zphys->zp_mode = zfs_mode_fuid_compute(zp, aclp, cr, fuidp, tx); 1018 1019 /* 1020 * Decide which opbject type to use. If we are forced to 1021 * use old ACL format than transform ACL into zfs_oldace_t 1022 * layout. 1023 */ 1024 if (!zfsvfs->z_use_fuids) { 1025 otype = DMU_OT_OLDACL; 1026 } else { 1027 if ((aclp->z_version == ZFS_ACL_VERSION_INITIAL) && 1028 (zfsvfs->z_version >= ZPL_VERSION_FUID)) 1029 zfs_acl_xform(zp, aclp); 1030 ASSERT(aclp->z_version >= ZFS_ACL_VERSION_FUID); 1031 otype = DMU_OT_ACL; 1032 } 1033 1034 if (aclp->z_acl_bytes > ZFS_ACE_SPACE) { 1035 /* 1036 * If ACL was previously external and we are now 1037 * converting to new ACL format then release old 1038 * ACL object and create a new one. 1039 */ 1040 if (aoid && aclp->z_version != zacl->z_acl_version) { 1041 error = dmu_object_free(zfsvfs->z_os, 1042 zp->z_phys->zp_acl.z_acl_extern_obj, tx); 1043 if (error) 1044 return (error); 1045 aoid = 0; 1046 } 1047 if (aoid == 0) { 1048 aoid = dmu_object_alloc(zfsvfs->z_os, 1049 otype, aclp->z_acl_bytes, 1050 otype == DMU_OT_ACL ? DMU_OT_SYSACL : DMU_OT_NONE, 1051 otype == DMU_OT_ACL ? DN_MAX_BONUSLEN : 0, tx); 1052 } else { 1053 (void) dmu_object_set_blocksize(zfsvfs->z_os, aoid, 1054 aclp->z_acl_bytes, 0, tx); 1055 } 1056 zphys->zp_acl.z_acl_extern_obj = aoid; 1057 for (aclnode = list_head(&aclp->z_acl); aclnode; 1058 aclnode = list_next(&aclp->z_acl, aclnode)) { 1059 if (aclnode->z_ace_count == 0) 1060 continue; 1061 dmu_write(zfsvfs->z_os, aoid, off, 1062 aclnode->z_size, aclnode->z_acldata, tx); 1063 off += aclnode->z_size; 1064 } 1065 } else { 1066 void *start = zacl->z_ace_data; 1067 /* 1068 * Migrating back embedded? 1069 */ 1070 if (zphys->zp_acl.z_acl_extern_obj) { 1071 error = dmu_object_free(zfsvfs->z_os, 1072 zp->z_phys->zp_acl.z_acl_extern_obj, tx); 1073 if (error) 1074 return (error); 1075 zphys->zp_acl.z_acl_extern_obj = 0; 1076 } 1077 1078 for (aclnode = list_head(&aclp->z_acl); aclnode; 1079 aclnode = list_next(&aclp->z_acl, aclnode)) { 1080 if (aclnode->z_ace_count == 0) 1081 continue; 1082 bcopy(aclnode->z_acldata, start, aclnode->z_size); 1083 start = (caddr_t)start + aclnode->z_size; 1084 } 1085 } 1086 1087 /* 1088 * If Old version then swap count/bytes to match old 1089 * layout of znode_acl_phys_t. 1090 */ 1091 if (aclp->z_version == ZFS_ACL_VERSION_INITIAL) { 1092 zphys->zp_acl.z_acl_size = aclp->z_acl_count; 1093 zphys->zp_acl.z_acl_count = aclp->z_acl_bytes; 1094 } else { 1095 zphys->zp_acl.z_acl_size = aclp->z_acl_bytes; 1096 zphys->zp_acl.z_acl_count = aclp->z_acl_count; 1097 } 1098 1099 zphys->zp_acl.z_acl_version = aclp->z_version; 1100 1101 /* 1102 * Replace ACL wide bits, but first clear them. 1103 */ 1104 zp->z_phys->zp_flags &= ~ZFS_ACL_WIDE_FLAGS; 1105 1106 zp->z_phys->zp_flags |= aclp->z_hints; 1107 1108 if (ace_trivial_common(aclp, 0, zfs_ace_walk) == 0) 1109 zp->z_phys->zp_flags |= ZFS_ACL_TRIVIAL; 1110 1111 zfs_time_stamper_locked(zp, STATE_CHANGED, tx); 1112 return (0); 1113 } 1114 1115 /* 1116 * Update access mask for prepended ACE 1117 * 1118 * This applies the "groupmask" value for aclmode property. 1119 */ 1120 static void 1121 zfs_acl_prepend_fixup(zfs_acl_t *aclp, void *acep, void *origacep, 1122 mode_t mode, uint64_t owner) 1123 { 1124 int rmask, wmask, xmask; 1125 int user_ace; 1126 uint16_t aceflags; 1127 uint32_t origmask, acepmask; 1128 uint64_t fuid; 1129 1130 aceflags = aclp->z_ops.ace_flags_get(acep); 1131 fuid = aclp->z_ops.ace_who_get(acep); 1132 origmask = aclp->z_ops.ace_mask_get(origacep); 1133 acepmask = aclp->z_ops.ace_mask_get(acep); 1134 1135 user_ace = (!(aceflags & 1136 (ACE_OWNER|ACE_GROUP|ACE_IDENTIFIER_GROUP))); 1137 1138 if (user_ace && (fuid == owner)) { 1139 rmask = S_IRUSR; 1140 wmask = S_IWUSR; 1141 xmask = S_IXUSR; 1142 } else { 1143 rmask = S_IRGRP; 1144 wmask = S_IWGRP; 1145 xmask = S_IXGRP; 1146 } 1147 1148 if (origmask & ACE_READ_DATA) { 1149 if (mode & rmask) { 1150 acepmask &= ~ACE_READ_DATA; 1151 } else { 1152 acepmask |= ACE_READ_DATA; 1153 } 1154 } 1155 1156 if (origmask & ACE_WRITE_DATA) { 1157 if (mode & wmask) { 1158 acepmask &= ~ACE_WRITE_DATA; 1159 } else { 1160 acepmask |= ACE_WRITE_DATA; 1161 } 1162 } 1163 1164 if (origmask & ACE_APPEND_DATA) { 1165 if (mode & wmask) { 1166 acepmask &= ~ACE_APPEND_DATA; 1167 } else { 1168 acepmask |= ACE_APPEND_DATA; 1169 } 1170 } 1171 1172 if (origmask & ACE_EXECUTE) { 1173 if (mode & xmask) { 1174 acepmask &= ~ACE_EXECUTE; 1175 } else { 1176 acepmask |= ACE_EXECUTE; 1177 } 1178 } 1179 aclp->z_ops.ace_mask_set(acep, acepmask); 1180 } 1181 1182 /* 1183 * Apply mode to canonical six ACEs. 1184 */ 1185 static void 1186 zfs_acl_fixup_canonical_six(zfs_acl_t *aclp, mode_t mode) 1187 { 1188 zfs_acl_node_t *aclnode = list_tail(&aclp->z_acl); 1189 void *acep; 1190 int maskoff = aclp->z_ops.ace_mask_off(); 1191 size_t abstract_size = aclp->z_ops.ace_abstract_size(); 1192 1193 ASSERT(aclnode != NULL); 1194 1195 acep = (void *)((caddr_t)aclnode->z_acldata + 1196 aclnode->z_size - (abstract_size * 6)); 1197 1198 /* 1199 * Fixup final ACEs to match the mode 1200 */ 1201 1202 adjust_ace_pair_common(acep, maskoff, abstract_size, 1203 (mode & 0700) >> 6); /* owner@ */ 1204 1205 acep = (caddr_t)acep + (abstract_size * 2); 1206 1207 adjust_ace_pair_common(acep, maskoff, abstract_size, 1208 (mode & 0070) >> 3); /* group@ */ 1209 1210 acep = (caddr_t)acep + (abstract_size * 2); 1211 adjust_ace_pair_common(acep, maskoff, 1212 abstract_size, mode); /* everyone@ */ 1213 } 1214 1215 1216 static int 1217 zfs_acl_ace_match(zfs_acl_t *aclp, void *acep, int allow_deny, 1218 int entry_type, int accessmask) 1219 { 1220 uint32_t mask = aclp->z_ops.ace_mask_get(acep); 1221 uint16_t type = aclp->z_ops.ace_type_get(acep); 1222 uint16_t flags = aclp->z_ops.ace_flags_get(acep); 1223 1224 return (mask == accessmask && type == allow_deny && 1225 ((flags & ACE_TYPE_FLAGS) == entry_type)); 1226 } 1227 1228 /* 1229 * Can prepended ACE be reused? 1230 */ 1231 static int 1232 zfs_reuse_deny(zfs_acl_t *aclp, void *acep, void *prevacep) 1233 { 1234 int okay_masks; 1235 uint16_t prevtype; 1236 uint16_t prevflags; 1237 uint16_t flags; 1238 uint32_t mask, prevmask; 1239 1240 if (prevacep == NULL) 1241 return (B_FALSE); 1242 1243 prevtype = aclp->z_ops.ace_type_get(prevacep); 1244 prevflags = aclp->z_ops.ace_flags_get(prevacep); 1245 flags = aclp->z_ops.ace_flags_get(acep); 1246 mask = aclp->z_ops.ace_mask_get(acep); 1247 prevmask = aclp->z_ops.ace_mask_get(prevacep); 1248 1249 if (prevtype != DENY) 1250 return (B_FALSE); 1251 1252 if (prevflags != (flags & ACE_IDENTIFIER_GROUP)) 1253 return (B_FALSE); 1254 1255 okay_masks = (mask & OKAY_MASK_BITS); 1256 1257 if (prevmask & ~okay_masks) 1258 return (B_FALSE); 1259 1260 return (B_TRUE); 1261 } 1262 1263 1264 /* 1265 * Insert new ACL node into chain of zfs_acl_node_t's 1266 * 1267 * This will result in two possible results. 1268 * 1. If the ACL is currently just a single zfs_acl_node and 1269 * we are prepending the entry then current acl node will have 1270 * a new node inserted above it. 1271 * 1272 * 2. If we are inserting in the middle of current acl node then 1273 * the current node will be split in two and new node will be inserted 1274 * in between the two split nodes. 1275 */ 1276 static zfs_acl_node_t * 1277 zfs_acl_ace_insert(zfs_acl_t *aclp, void *acep) 1278 { 1279 zfs_acl_node_t *newnode; 1280 zfs_acl_node_t *trailernode = NULL; 1281 zfs_acl_node_t *currnode = zfs_acl_curr_node(aclp); 1282 int curr_idx = aclp->z_curr_node->z_ace_idx; 1283 int trailer_count; 1284 size_t oldsize; 1285 1286 newnode = zfs_acl_node_alloc(aclp->z_ops.ace_size(acep)); 1287 newnode->z_ace_count = 1; 1288 1289 oldsize = currnode->z_size; 1290 1291 if (curr_idx != 1) { 1292 trailernode = zfs_acl_node_alloc(0); 1293 trailernode->z_acldata = acep; 1294 1295 trailer_count = currnode->z_ace_count - curr_idx + 1; 1296 currnode->z_ace_count = curr_idx - 1; 1297 currnode->z_size = (caddr_t)acep - (caddr_t)currnode->z_acldata; 1298 trailernode->z_size = oldsize - currnode->z_size; 1299 trailernode->z_ace_count = trailer_count; 1300 } 1301 1302 aclp->z_acl_count += 1; 1303 aclp->z_acl_bytes += aclp->z_ops.ace_size(acep); 1304 1305 if (curr_idx == 1) 1306 list_insert_before(&aclp->z_acl, currnode, newnode); 1307 else 1308 list_insert_after(&aclp->z_acl, currnode, newnode); 1309 if (trailernode) { 1310 list_insert_after(&aclp->z_acl, newnode, trailernode); 1311 aclp->z_curr_node = trailernode; 1312 trailernode->z_ace_idx = 1; 1313 } 1314 1315 return (newnode); 1316 } 1317 1318 /* 1319 * Prepend deny ACE 1320 */ 1321 static void * 1322 zfs_acl_prepend_deny(znode_t *zp, zfs_acl_t *aclp, void *acep, 1323 mode_t mode) 1324 { 1325 zfs_acl_node_t *aclnode; 1326 void *newacep; 1327 uint64_t fuid; 1328 uint16_t flags; 1329 1330 aclnode = zfs_acl_ace_insert(aclp, acep); 1331 newacep = aclnode->z_acldata; 1332 fuid = aclp->z_ops.ace_who_get(acep); 1333 flags = aclp->z_ops.ace_flags_get(acep); 1334 zfs_set_ace(aclp, newacep, 0, DENY, fuid, (flags & ACE_TYPE_FLAGS)); 1335 zfs_acl_prepend_fixup(aclp, newacep, acep, mode, zp->z_phys->zp_uid); 1336 1337 return (newacep); 1338 } 1339 1340 /* 1341 * Split an inherited ACE into inherit_only ACE 1342 * and original ACE with inheritance flags stripped off. 1343 */ 1344 static void 1345 zfs_acl_split_ace(zfs_acl_t *aclp, zfs_ace_hdr_t *acep) 1346 { 1347 zfs_acl_node_t *aclnode; 1348 zfs_acl_node_t *currnode; 1349 void *newacep; 1350 uint16_t type, flags; 1351 uint32_t mask; 1352 uint64_t fuid; 1353 1354 type = aclp->z_ops.ace_type_get(acep); 1355 flags = aclp->z_ops.ace_flags_get(acep); 1356 mask = aclp->z_ops.ace_mask_get(acep); 1357 fuid = aclp->z_ops.ace_who_get(acep); 1358 1359 aclnode = zfs_acl_ace_insert(aclp, acep); 1360 newacep = aclnode->z_acldata; 1361 1362 aclp->z_ops.ace_type_set(newacep, type); 1363 aclp->z_ops.ace_flags_set(newacep, flags | ACE_INHERIT_ONLY_ACE); 1364 aclp->z_ops.ace_mask_set(newacep, mask); 1365 aclp->z_ops.ace_type_set(newacep, type); 1366 aclp->z_ops.ace_who_set(newacep, fuid); 1367 aclp->z_next_ace = acep; 1368 flags &= ~ALL_INHERIT; 1369 aclp->z_ops.ace_flags_set(acep, flags); 1370 currnode = zfs_acl_curr_node(aclp); 1371 ASSERT(currnode->z_ace_idx >= 1); 1372 currnode->z_ace_idx -= 1; 1373 } 1374 1375 /* 1376 * Are ACES started at index i, the canonical six ACES? 1377 */ 1378 static int 1379 zfs_have_canonical_six(zfs_acl_t *aclp) 1380 { 1381 void *acep; 1382 zfs_acl_node_t *aclnode = list_tail(&aclp->z_acl); 1383 int i = 0; 1384 size_t abstract_size = aclp->z_ops.ace_abstract_size(); 1385 1386 ASSERT(aclnode != NULL); 1387 1388 if (aclnode->z_ace_count < 6) 1389 return (0); 1390 1391 acep = (void *)((caddr_t)aclnode->z_acldata + 1392 aclnode->z_size - (aclp->z_ops.ace_abstract_size() * 6)); 1393 1394 if ((zfs_acl_ace_match(aclp, (caddr_t)acep + (abstract_size * i++), 1395 DENY, ACE_OWNER, 0) && 1396 zfs_acl_ace_match(aclp, (caddr_t)acep + (abstract_size * i++), 1397 ALLOW, ACE_OWNER, OWNER_ALLOW_MASK) && 1398 zfs_acl_ace_match(aclp, (caddr_t)acep + (abstract_size * i++), DENY, 1399 OWNING_GROUP, 0) && zfs_acl_ace_match(aclp, (caddr_t)acep + 1400 (abstract_size * i++), 1401 ALLOW, OWNING_GROUP, 0) && 1402 zfs_acl_ace_match(aclp, (caddr_t)acep + (abstract_size * i++), 1403 DENY, ACE_EVERYONE, EVERYONE_DENY_MASK) && 1404 zfs_acl_ace_match(aclp, (caddr_t)acep + (abstract_size * i++), 1405 ALLOW, ACE_EVERYONE, EVERYONE_ALLOW_MASK))) { 1406 return (1); 1407 } else { 1408 return (0); 1409 } 1410 } 1411 1412 1413 /* 1414 * Apply step 1g, to group entries 1415 * 1416 * Need to deal with corner case where group may have 1417 * greater permissions than owner. If so then limit 1418 * group permissions, based on what extra permissions 1419 * group has. 1420 */ 1421 static void 1422 zfs_fixup_group_entries(zfs_acl_t *aclp, void *acep, void *prevacep, 1423 mode_t mode) 1424 { 1425 uint32_t prevmask = aclp->z_ops.ace_mask_get(prevacep); 1426 uint32_t mask = aclp->z_ops.ace_mask_get(acep); 1427 uint16_t prevflags = aclp->z_ops.ace_flags_get(prevacep); 1428 mode_t extramode = (mode >> 3) & 07; 1429 mode_t ownermode = (mode >> 6); 1430 1431 if (prevflags & ACE_IDENTIFIER_GROUP) { 1432 1433 extramode &= ~ownermode; 1434 1435 if (extramode) { 1436 if (extramode & S_IROTH) { 1437 prevmask &= ~ACE_READ_DATA; 1438 mask &= ~ACE_READ_DATA; 1439 } 1440 if (extramode & S_IWOTH) { 1441 prevmask &= ~(ACE_WRITE_DATA|ACE_APPEND_DATA); 1442 mask &= ~(ACE_WRITE_DATA|ACE_APPEND_DATA); 1443 } 1444 if (extramode & S_IXOTH) { 1445 prevmask &= ~ACE_EXECUTE; 1446 mask &= ~ACE_EXECUTE; 1447 } 1448 } 1449 } 1450 aclp->z_ops.ace_mask_set(acep, mask); 1451 aclp->z_ops.ace_mask_set(prevacep, prevmask); 1452 } 1453 1454 /* 1455 * Apply the chmod algorithm as described 1456 * in PSARC/2002/240 1457 */ 1458 static void 1459 zfs_acl_chmod(znode_t *zp, uint64_t mode, zfs_acl_t *aclp) 1460 { 1461 zfsvfs_t *zfsvfs = zp->z_zfsvfs; 1462 void *acep = NULL, *prevacep = NULL; 1463 uint64_t who; 1464 int i; 1465 int entry_type; 1466 int reuse_deny; 1467 int need_canonical_six = 1; 1468 uint16_t iflags, type; 1469 uint32_t access_mask; 1470 1471 ASSERT(MUTEX_HELD(&zp->z_acl_lock)); 1472 ASSERT(MUTEX_HELD(&zp->z_lock)); 1473 1474 aclp->z_hints = (zp->z_phys->zp_flags & V4_ACL_WIDE_FLAGS); 1475 1476 /* 1477 * If discard then just discard all ACL nodes which 1478 * represent the ACEs. 1479 * 1480 * New owner@/group@/everone@ ACEs will be added 1481 * later. 1482 */ 1483 if (zfsvfs->z_acl_mode == ZFS_ACL_DISCARD) 1484 zfs_acl_release_nodes(aclp); 1485 1486 while (acep = zfs_acl_next_ace(aclp, acep, &who, &access_mask, 1487 &iflags, &type)) { 1488 1489 entry_type = (iflags & ACE_TYPE_FLAGS); 1490 iflags = (iflags & ALL_INHERIT); 1491 1492 if ((type != ALLOW && type != DENY) || 1493 (iflags & ACE_INHERIT_ONLY_ACE)) { 1494 if (iflags) 1495 aclp->z_hints |= ZFS_INHERIT_ACE; 1496 switch (type) { 1497 case ACE_ACCESS_ALLOWED_OBJECT_ACE_TYPE: 1498 case ACE_ACCESS_DENIED_OBJECT_ACE_TYPE: 1499 case ACE_SYSTEM_AUDIT_OBJECT_ACE_TYPE: 1500 case ACE_SYSTEM_ALARM_OBJECT_ACE_TYPE: 1501 aclp->z_hints |= ZFS_ACL_OBJ_ACE; 1502 break; 1503 } 1504 goto nextace; 1505 } 1506 1507 /* 1508 * Need to split ace into two? 1509 */ 1510 if ((iflags & (ACE_FILE_INHERIT_ACE| 1511 ACE_DIRECTORY_INHERIT_ACE)) && 1512 (!(iflags & ACE_INHERIT_ONLY_ACE))) { 1513 zfs_acl_split_ace(aclp, acep); 1514 aclp->z_hints |= ZFS_INHERIT_ACE; 1515 goto nextace; 1516 } 1517 1518 if (entry_type == ACE_OWNER || entry_type == ACE_EVERYONE || 1519 (entry_type == OWNING_GROUP)) { 1520 access_mask &= ~OGE_CLEAR; 1521 aclp->z_ops.ace_mask_set(acep, access_mask); 1522 goto nextace; 1523 } else { 1524 reuse_deny = B_TRUE; 1525 if (type == ALLOW) { 1526 1527 /* 1528 * Check preceding ACE if any, to see 1529 * if we need to prepend a DENY ACE. 1530 * This is only applicable when the acl_mode 1531 * property == groupmask. 1532 */ 1533 if (zfsvfs->z_acl_mode == ZFS_ACL_GROUPMASK) { 1534 1535 reuse_deny = zfs_reuse_deny(aclp, acep, 1536 prevacep); 1537 1538 if (reuse_deny == B_FALSE) { 1539 prevacep = 1540 zfs_acl_prepend_deny(zp, 1541 aclp, acep, mode); 1542 } else { 1543 zfs_acl_prepend_fixup( 1544 aclp, prevacep, 1545 acep, mode, 1546 zp->z_phys->zp_uid); 1547 } 1548 zfs_fixup_group_entries(aclp, acep, 1549 prevacep, mode); 1550 1551 } 1552 } 1553 } 1554 nextace: 1555 prevacep = acep; 1556 } 1557 1558 /* 1559 * Check out last six aces, if we have six. 1560 */ 1561 1562 if (aclp->z_acl_count >= 6) { 1563 if (zfs_have_canonical_six(aclp)) { 1564 need_canonical_six = 0; 1565 } 1566 } 1567 1568 if (need_canonical_six) { 1569 size_t abstract_size = aclp->z_ops.ace_abstract_size(); 1570 void *zacep; 1571 zfs_acl_node_t *aclnode = 1572 zfs_acl_node_alloc(abstract_size * 6); 1573 1574 aclnode->z_size = abstract_size * 6; 1575 aclnode->z_ace_count = 6; 1576 aclp->z_acl_bytes += aclnode->z_size; 1577 list_insert_tail(&aclp->z_acl, aclnode); 1578 1579 zacep = aclnode->z_acldata; 1580 1581 i = 0; 1582 zfs_set_ace(aclp, (caddr_t)zacep + (abstract_size * i++), 1583 0, DENY, -1, ACE_OWNER); 1584 zfs_set_ace(aclp, (caddr_t)zacep + (abstract_size * i++), 1585 OWNER_ALLOW_MASK, ALLOW, -1, ACE_OWNER); 1586 zfs_set_ace(aclp, (caddr_t)zacep + (abstract_size * i++), 0, 1587 DENY, -1, OWNING_GROUP); 1588 zfs_set_ace(aclp, (caddr_t)zacep + (abstract_size * i++), 0, 1589 ALLOW, -1, OWNING_GROUP); 1590 zfs_set_ace(aclp, (caddr_t)zacep + (abstract_size * i++), 1591 EVERYONE_DENY_MASK, DENY, -1, ACE_EVERYONE); 1592 zfs_set_ace(aclp, (caddr_t)zacep + (abstract_size * i++), 1593 EVERYONE_ALLOW_MASK, ALLOW, -1, ACE_EVERYONE); 1594 aclp->z_acl_count += 6; 1595 } 1596 1597 zfs_acl_fixup_canonical_six(aclp, mode); 1598 } 1599 1600 int 1601 zfs_acl_chmod_setattr(znode_t *zp, zfs_acl_t **aclp, uint64_t mode) 1602 { 1603 int error; 1604 1605 mutex_enter(&zp->z_lock); 1606 mutex_enter(&zp->z_acl_lock); 1607 *aclp = NULL; 1608 error = zfs_acl_node_read(zp, aclp, B_TRUE); 1609 if (error == 0) 1610 zfs_acl_chmod(zp, mode, *aclp); 1611 mutex_exit(&zp->z_acl_lock); 1612 mutex_exit(&zp->z_lock); 1613 return (error); 1614 } 1615 1616 /* 1617 * strip off write_owner and write_acl 1618 */ 1619 static void 1620 zfs_securemode_update(zfsvfs_t *zfsvfs, zfs_acl_t *aclp, void *acep) 1621 { 1622 uint32_t mask = aclp->z_ops.ace_mask_get(acep); 1623 1624 if ((zfsvfs->z_acl_inherit == ZFS_ACL_SECURE) && 1625 (aclp->z_ops.ace_type_get(acep) == ALLOW)) { 1626 mask &= ~SECURE_CLEAR; 1627 aclp->z_ops.ace_mask_set(acep, mask); 1628 } 1629 } 1630 1631 /* 1632 * Should ACE be inherited? 1633 */ 1634 static int 1635 zfs_ace_can_use(znode_t *zp, uint16_t acep_flags) 1636 { 1637 int vtype = ZTOV(zp)->v_type; 1638 int iflags = (acep_flags & 0xf); 1639 1640 if ((vtype == VDIR) && (iflags & ACE_DIRECTORY_INHERIT_ACE)) 1641 return (1); 1642 else if (iflags & ACE_FILE_INHERIT_ACE) 1643 return (!((vtype == VDIR) && 1644 (iflags & ACE_NO_PROPAGATE_INHERIT_ACE))); 1645 return (0); 1646 } 1647 1648 /* 1649 * inherit inheritable ACEs from parent 1650 */ 1651 static zfs_acl_t * 1652 zfs_acl_inherit(znode_t *zp, zfs_acl_t *paclp) 1653 { 1654 zfsvfs_t *zfsvfs = zp->z_zfsvfs; 1655 void *pacep; 1656 void *acep, *acep2; 1657 zfs_acl_node_t *aclnode, *aclnode2; 1658 zfs_acl_t *aclp = NULL; 1659 uint64_t who; 1660 uint32_t access_mask; 1661 uint16_t iflags, newflags, type; 1662 size_t ace_size; 1663 void *data1, *data2; 1664 size_t data1sz, data2sz; 1665 1666 pacep = NULL; 1667 aclp = zfs_acl_alloc(zfs_acl_version_zp(zp)); 1668 if (zfsvfs->z_acl_inherit != ZFS_ACL_DISCARD) { 1669 while (pacep = zfs_acl_next_ace(paclp, pacep, &who, 1670 &access_mask, &iflags, &type)) { 1671 1672 if (zfsvfs->z_acl_inherit == ZFS_ACL_NOALLOW && 1673 type == ALLOW) 1674 continue; 1675 1676 ace_size = aclp->z_ops.ace_size(pacep); 1677 1678 if (zfs_ace_can_use(zp, iflags)) { 1679 aclnode = 1680 zfs_acl_node_alloc(ace_size); 1681 1682 list_insert_tail(&aclp->z_acl, aclnode); 1683 acep = aclnode->z_acldata; 1684 zfs_set_ace(aclp, acep, access_mask, type, 1685 who, iflags|ACE_INHERITED_ACE); 1686 1687 /* 1688 * Copy special opaque data if any 1689 */ 1690 if ((data1sz = paclp->z_ops.ace_data(pacep, 1691 &data1)) != 0) { 1692 VERIFY((data2sz = 1693 aclp->z_ops.ace_data(acep, 1694 &data2)) == data1sz); 1695 bcopy(data1, data2, data2sz); 1696 } 1697 aclp->z_acl_count++; 1698 aclnode->z_ace_count++; 1699 aclp->z_acl_bytes += aclnode->z_size; 1700 newflags = aclp->z_ops.ace_flags_get(acep); 1701 if ((iflags & 1702 ACE_NO_PROPAGATE_INHERIT_ACE) || 1703 (ZTOV(zp)->v_type != VDIR)) { 1704 newflags &= ~ALL_INHERIT; 1705 aclp->z_ops.ace_flags_set(acep, 1706 newflags|ACE_INHERITED_ACE); 1707 zfs_securemode_update(zfsvfs, 1708 aclp, acep); 1709 continue; 1710 } 1711 1712 ASSERT(ZTOV(zp)->v_type == VDIR); 1713 1714 newflags = aclp->z_ops.ace_flags_get(acep); 1715 if ((iflags & (ACE_FILE_INHERIT_ACE | 1716 ACE_DIRECTORY_INHERIT_ACE)) != 1717 ACE_FILE_INHERIT_ACE) { 1718 aclnode2 = zfs_acl_node_alloc(ace_size); 1719 list_insert_tail(&aclp->z_acl, 1720 aclnode2); 1721 acep2 = aclnode2->z_acldata; 1722 zfs_set_ace(aclp, acep2, 1723 access_mask, type, who, 1724 iflags|ACE_INHERITED_ACE); 1725 newflags |= ACE_INHERIT_ONLY_ACE; 1726 aclp->z_ops.ace_flags_set(acep, 1727 newflags); 1728 newflags &= ~ALL_INHERIT; 1729 aclp->z_ops.ace_flags_set(acep2, 1730 newflags|ACE_INHERITED_ACE); 1731 1732 /* 1733 * Copy special opaque data if any 1734 */ 1735 if ((data1sz = 1736 aclp->z_ops.ace_data(acep, 1737 &data1)) != 0) { 1738 VERIFY((data2sz = 1739 aclp->z_ops.ace_data(acep2, 1740 &data2)) == data1sz); 1741 bcopy(data1, data2, data1sz); 1742 } 1743 aclp->z_acl_count++; 1744 aclnode2->z_ace_count++; 1745 aclp->z_acl_bytes += aclnode->z_size; 1746 zfs_securemode_update(zfsvfs, 1747 aclp, acep2); 1748 } else { 1749 newflags |= ACE_INHERIT_ONLY_ACE; 1750 aclp->z_ops.ace_flags_set(acep, 1751 newflags|ACE_INHERITED_ACE); 1752 } 1753 1754 } 1755 } 1756 } 1757 return (aclp); 1758 } 1759 1760 /* 1761 * Create file system object initial permissions 1762 * including inheritable ACEs. 1763 */ 1764 void 1765 zfs_perm_init(znode_t *zp, znode_t *parent, int flag, 1766 vattr_t *vap, dmu_tx_t *tx, cred_t *cr, 1767 zfs_acl_t *setaclp, zfs_fuid_info_t **fuidp) 1768 { 1769 uint64_t mode; 1770 uint64_t uid; 1771 uint64_t gid; 1772 int error; 1773 int pull_down; 1774 zfsvfs_t *zfsvfs = zp->z_zfsvfs; 1775 zfs_acl_t *aclp = NULL; 1776 zfs_acl_t *paclp; 1777 xvattr_t *xvap = (xvattr_t *)vap; 1778 1779 if (setaclp) 1780 aclp = setaclp; 1781 1782 mode = MAKEIMODE(vap->va_type, vap->va_mode); 1783 1784 /* 1785 * Determine uid and gid. 1786 */ 1787 if ((flag & (IS_ROOT_NODE | IS_REPLAY)) || 1788 ((flag & IS_XATTR) && (vap->va_type == VDIR))) { 1789 uid = zfs_fuid_create(zfsvfs, vap->va_uid, cr, 1790 ZFS_OWNER, tx, fuidp); 1791 gid = zfs_fuid_create(zfsvfs, vap->va_gid, cr, 1792 ZFS_GROUP, tx, fuidp); 1793 } else { 1794 uid = zfs_fuid_create_cred(zfsvfs, crgetuid(cr), 1795 ZFS_OWNER, tx, cr, fuidp); 1796 if ((vap->va_mask & AT_GID) && 1797 ((vap->va_gid == parent->z_phys->zp_gid) || 1798 groupmember(vap->va_gid, cr) || 1799 secpolicy_vnode_create_gid(cr) == 0)) { 1800 gid = zfs_fuid_create_cred(zfsvfs, vap->va_gid, 1801 ZFS_GROUP, tx, cr, fuidp); 1802 } else { 1803 gid = (parent->z_phys->zp_mode & S_ISGID) ? 1804 parent->z_phys->zp_gid : crgetgid(cr); 1805 gid = zfs_fuid_create_cred(zfsvfs, gid, 1806 ZFS_GROUP, tx, cr, fuidp); 1807 } 1808 } 1809 1810 /* 1811 * If we're creating a directory, and the parent directory has the 1812 * set-GID bit set, set in on the new directory. 1813 * Otherwise, if the user is neither privileged nor a member of the 1814 * file's new group, clear the file's set-GID bit. 1815 */ 1816 1817 if ((parent->z_phys->zp_mode & S_ISGID) && (vap->va_type == VDIR)) 1818 mode |= S_ISGID; 1819 else { 1820 if ((mode & S_ISGID) && 1821 secpolicy_vnode_setids_setgids(cr, gid) != 0) 1822 mode &= ~S_ISGID; 1823 } 1824 1825 zp->z_phys->zp_uid = uid; 1826 zp->z_phys->zp_gid = gid; 1827 zp->z_phys->zp_mode = mode; 1828 1829 if (aclp == NULL) { 1830 mutex_enter(&parent->z_lock); 1831 pull_down = (parent->z_phys->zp_flags & ZFS_INHERIT_ACE); 1832 if (pull_down) { 1833 mutex_enter(&parent->z_acl_lock); 1834 VERIFY(0 == zfs_acl_node_read(parent, &paclp, B_FALSE)); 1835 mutex_exit(&parent->z_acl_lock); 1836 aclp = zfs_acl_inherit(zp, paclp); 1837 zfs_acl_free(paclp); 1838 } else { 1839 aclp = zfs_acl_alloc(zfs_acl_version_zp(zp)); 1840 } 1841 mutex_exit(&parent->z_lock); 1842 mutex_enter(&zp->z_lock); 1843 mutex_enter(&zp->z_acl_lock); 1844 zfs_acl_chmod(zp, mode, aclp); 1845 } else { 1846 mutex_enter(&zp->z_lock); 1847 mutex_enter(&zp->z_acl_lock); 1848 } 1849 1850 /* Force auto_inherit on all new directory objects */ 1851 if (vap->va_type == VDIR) 1852 aclp->z_hints |= ZFS_ACL_AUTO_INHERIT; 1853 1854 error = zfs_aclset_common(zp, aclp, cr, fuidp, tx); 1855 1856 /* Set optional attributes if any */ 1857 if (vap->va_mask & AT_XVATTR) 1858 zfs_xvattr_set(zp, xvap); 1859 1860 mutex_exit(&zp->z_lock); 1861 mutex_exit(&zp->z_acl_lock); 1862 ASSERT3U(error, ==, 0); 1863 1864 if (aclp != setaclp) { 1865 zfs_acl_free(aclp); 1866 } 1867 } 1868 1869 /* 1870 * Retrieve a files ACL 1871 */ 1872 int 1873 zfs_getacl(znode_t *zp, vsecattr_t *vsecp, boolean_t skipaclchk, cred_t *cr) 1874 { 1875 zfs_acl_t *aclp; 1876 ulong_t mask; 1877 int error; 1878 int count = 0; 1879 int largeace = 0; 1880 1881 mask = vsecp->vsa_mask & (VSA_ACE | VSA_ACECNT | 1882 VSA_ACE_ACLFLAGS | VSA_ACE_ALLTYPES); 1883 1884 if (error = zfs_zaccess(zp, ACE_READ_ACL, 0, skipaclchk, cr)) 1885 return (error); 1886 1887 if (mask == 0) 1888 return (ENOSYS); 1889 1890 mutex_enter(&zp->z_acl_lock); 1891 1892 error = zfs_acl_node_read(zp, &aclp, B_FALSE); 1893 if (error != 0) { 1894 mutex_exit(&zp->z_acl_lock); 1895 return (error); 1896 } 1897 1898 /* 1899 * Scan ACL to determine number of ACEs 1900 */ 1901 if ((zp->z_phys->zp_flags & ZFS_ACL_OBJ_ACE) && 1902 !(mask & VSA_ACE_ALLTYPES)) { 1903 void *zacep = NULL; 1904 uint64_t who; 1905 uint32_t access_mask; 1906 uint16_t type, iflags; 1907 1908 while (zacep = zfs_acl_next_ace(aclp, zacep, 1909 &who, &access_mask, &iflags, &type)) { 1910 switch (type) { 1911 case ACE_ACCESS_ALLOWED_OBJECT_ACE_TYPE: 1912 case ACE_ACCESS_DENIED_OBJECT_ACE_TYPE: 1913 case ACE_SYSTEM_AUDIT_OBJECT_ACE_TYPE: 1914 case ACE_SYSTEM_ALARM_OBJECT_ACE_TYPE: 1915 largeace++; 1916 continue; 1917 default: 1918 count++; 1919 } 1920 } 1921 vsecp->vsa_aclcnt = count; 1922 } else 1923 count = aclp->z_acl_count; 1924 1925 if (mask & VSA_ACECNT) { 1926 vsecp->vsa_aclcnt = count; 1927 } 1928 1929 if (mask & VSA_ACE) { 1930 size_t aclsz; 1931 1932 zfs_acl_node_t *aclnode = list_head(&aclp->z_acl); 1933 1934 aclsz = count * sizeof (ace_t) + 1935 sizeof (ace_object_t) * largeace; 1936 1937 vsecp->vsa_aclentp = kmem_alloc(aclsz, KM_SLEEP); 1938 vsecp->vsa_aclentsz = aclsz; 1939 1940 if (aclp->z_version == ZFS_ACL_VERSION_FUID) 1941 zfs_copy_fuid_2_ace(zp->z_zfsvfs, aclp, cr, 1942 vsecp->vsa_aclentp, !(mask & VSA_ACE_ALLTYPES)); 1943 else { 1944 bcopy(aclnode->z_acldata, vsecp->vsa_aclentp, 1945 count * sizeof (ace_t)); 1946 } 1947 } 1948 if (mask & VSA_ACE_ACLFLAGS) { 1949 vsecp->vsa_aclflags = 0; 1950 if (zp->z_phys->zp_flags & ZFS_ACL_DEFAULTED) 1951 vsecp->vsa_aclflags |= ACL_DEFAULTED; 1952 if (zp->z_phys->zp_flags & ZFS_ACL_PROTECTED) 1953 vsecp->vsa_aclflags |= ACL_PROTECTED; 1954 if (zp->z_phys->zp_flags & ZFS_ACL_AUTO_INHERIT) 1955 vsecp->vsa_aclflags |= ACL_AUTO_INHERIT; 1956 } 1957 1958 mutex_exit(&zp->z_acl_lock); 1959 1960 zfs_acl_free(aclp); 1961 1962 return (0); 1963 } 1964 1965 int 1966 zfs_vsec_2_aclp(zfsvfs_t *zfsvfs, vtype_t obj_type, 1967 vsecattr_t *vsecp, zfs_acl_t **zaclp) 1968 { 1969 zfs_acl_t *aclp; 1970 zfs_acl_node_t *aclnode; 1971 int aclcnt = vsecp->vsa_aclcnt; 1972 int error; 1973 1974 if (vsecp->vsa_aclcnt > MAX_ACL_ENTRIES || vsecp->vsa_aclcnt <= 0) 1975 return (EINVAL); 1976 1977 aclp = zfs_acl_alloc(zfs_acl_version(zfsvfs->z_version)); 1978 1979 aclp->z_hints = 0; 1980 aclnode = zfs_acl_node_alloc(aclcnt * sizeof (zfs_object_ace_t)); 1981 if (aclp->z_version == ZFS_ACL_VERSION_INITIAL) { 1982 if ((error = zfs_copy_ace_2_oldace(obj_type, aclp, 1983 (ace_t *)vsecp->vsa_aclentp, aclnode->z_acldata, 1984 aclcnt, &aclnode->z_size)) != 0) { 1985 zfs_acl_free(aclp); 1986 zfs_acl_node_free(aclnode); 1987 return (error); 1988 } 1989 } else { 1990 if ((error = zfs_copy_ace_2_fuid(obj_type, aclp, 1991 vsecp->vsa_aclentp, aclnode->z_acldata, aclcnt, 1992 &aclnode->z_size)) != 0) { 1993 zfs_acl_free(aclp); 1994 zfs_acl_node_free(aclnode); 1995 return (error); 1996 } 1997 } 1998 aclp->z_acl_bytes = aclnode->z_size; 1999 aclnode->z_ace_count = aclcnt; 2000 aclp->z_acl_count = aclcnt; 2001 list_insert_head(&aclp->z_acl, aclnode); 2002 2003 /* 2004 * If flags are being set then add them to z_hints 2005 */ 2006 if (vsecp->vsa_mask & VSA_ACE_ACLFLAGS) { 2007 if (vsecp->vsa_aclflags & ACL_PROTECTED) 2008 aclp->z_hints |= ZFS_ACL_PROTECTED; 2009 if (vsecp->vsa_aclflags & ACL_DEFAULTED) 2010 aclp->z_hints |= ZFS_ACL_DEFAULTED; 2011 if (vsecp->vsa_aclflags & ACL_AUTO_INHERIT) 2012 aclp->z_hints |= ZFS_ACL_AUTO_INHERIT; 2013 } 2014 2015 *zaclp = aclp; 2016 2017 return (0); 2018 } 2019 2020 /* 2021 * Set a files ACL 2022 */ 2023 int 2024 zfs_setacl(znode_t *zp, vsecattr_t *vsecp, boolean_t skipaclchk, cred_t *cr) 2025 { 2026 zfsvfs_t *zfsvfs = zp->z_zfsvfs; 2027 zilog_t *zilog = zfsvfs->z_log; 2028 ulong_t mask = vsecp->vsa_mask & (VSA_ACE | VSA_ACECNT); 2029 dmu_tx_t *tx; 2030 int error; 2031 zfs_acl_t *aclp; 2032 zfs_fuid_info_t *fuidp = NULL; 2033 2034 if (mask == 0) 2035 return (ENOSYS); 2036 2037 if (zp->z_phys->zp_flags & ZFS_IMMUTABLE) 2038 return (EPERM); 2039 2040 if (error = zfs_zaccess(zp, ACE_WRITE_ACL, 0, skipaclchk, cr)) 2041 return (error); 2042 2043 error = zfs_vsec_2_aclp(zfsvfs, ZTOV(zp)->v_type, vsecp, &aclp); 2044 if (error) 2045 return (error); 2046 2047 /* 2048 * If ACL wide flags aren't being set then preserve any 2049 * existing flags. 2050 */ 2051 if (!(vsecp->vsa_mask & VSA_ACE_ACLFLAGS)) { 2052 aclp->z_hints |= (zp->z_phys->zp_flags & V4_ACL_WIDE_FLAGS); 2053 } 2054 top: 2055 if (error = zfs_zaccess(zp, ACE_WRITE_ACL, 0, skipaclchk, cr)) { 2056 zfs_acl_free(aclp); 2057 return (error); 2058 } 2059 2060 mutex_enter(&zp->z_lock); 2061 mutex_enter(&zp->z_acl_lock); 2062 2063 tx = dmu_tx_create(zfsvfs->z_os); 2064 dmu_tx_hold_bonus(tx, zp->z_id); 2065 2066 if (zp->z_phys->zp_acl.z_acl_extern_obj) { 2067 /* Are we upgrading ACL? */ 2068 if (zfsvfs->z_version <= ZPL_VERSION_FUID && 2069 zp->z_phys->zp_acl.z_acl_version == 2070 ZFS_ACL_VERSION_INITIAL) { 2071 dmu_tx_hold_free(tx, 2072 zp->z_phys->zp_acl.z_acl_extern_obj, 2073 0, DMU_OBJECT_END); 2074 dmu_tx_hold_write(tx, DMU_NEW_OBJECT, 2075 0, aclp->z_acl_bytes); 2076 } else { 2077 dmu_tx_hold_write(tx, 2078 zp->z_phys->zp_acl.z_acl_extern_obj, 2079 0, aclp->z_acl_bytes); 2080 } 2081 } else if (aclp->z_acl_bytes > ZFS_ACE_SPACE) { 2082 dmu_tx_hold_write(tx, DMU_NEW_OBJECT, 0, aclp->z_acl_bytes); 2083 } 2084 if (aclp->z_has_fuids) { 2085 if (zfsvfs->z_fuid_obj == 0) { 2086 dmu_tx_hold_bonus(tx, DMU_NEW_OBJECT); 2087 dmu_tx_hold_write(tx, DMU_NEW_OBJECT, 0, 2088 FUID_SIZE_ESTIMATE(zfsvfs)); 2089 dmu_tx_hold_zap(tx, MASTER_NODE_OBJ, FALSE, NULL); 2090 } else { 2091 dmu_tx_hold_bonus(tx, zfsvfs->z_fuid_obj); 2092 dmu_tx_hold_write(tx, zfsvfs->z_fuid_obj, 0, 2093 FUID_SIZE_ESTIMATE(zfsvfs)); 2094 } 2095 } 2096 2097 error = dmu_tx_assign(tx, zfsvfs->z_assign); 2098 if (error) { 2099 mutex_exit(&zp->z_acl_lock); 2100 mutex_exit(&zp->z_lock); 2101 2102 if (error == ERESTART && zfsvfs->z_assign == TXG_NOWAIT) { 2103 dmu_tx_wait(tx); 2104 dmu_tx_abort(tx); 2105 goto top; 2106 } 2107 dmu_tx_abort(tx); 2108 zfs_acl_free(aclp); 2109 return (error); 2110 } 2111 2112 error = zfs_aclset_common(zp, aclp, cr, &fuidp, tx); 2113 ASSERT(error == 0); 2114 2115 zfs_log_acl(zilog, tx, zp, vsecp, fuidp); 2116 2117 if (fuidp) 2118 zfs_fuid_info_free(fuidp); 2119 zfs_acl_free(aclp); 2120 dmu_tx_commit(tx); 2121 done: 2122 mutex_exit(&zp->z_acl_lock); 2123 mutex_exit(&zp->z_lock); 2124 2125 return (error); 2126 } 2127 2128 /* 2129 * working_mode returns the permissions that were not granted 2130 */ 2131 static int 2132 zfs_zaccess_common(znode_t *zp, uint32_t v4_mode, uint32_t *working_mode, 2133 boolean_t *check_privs, boolean_t skipaclchk, cred_t *cr) 2134 { 2135 zfs_acl_t *aclp; 2136 zfsvfs_t *zfsvfs = zp->z_zfsvfs; 2137 int error; 2138 int access_deny = ACCESS_UNDETERMINED; 2139 uid_t uid = crgetuid(cr); 2140 uint64_t who; 2141 uint16_t type, iflags; 2142 uint16_t entry_type; 2143 uint32_t access_mask; 2144 zfs_ace_hdr_t *acep = NULL; 2145 boolean_t checkit; 2146 uid_t fowner; 2147 uid_t gowner; 2148 2149 /* 2150 * Short circuit empty requests 2151 */ 2152 if (v4_mode == 0) 2153 return (0); 2154 2155 *check_privs = B_TRUE; 2156 2157 if (zfsvfs->z_assign >= TXG_INITIAL) { /* ZIL replay */ 2158 *working_mode = 0; 2159 return (0); 2160 } 2161 2162 *working_mode = v4_mode; 2163 2164 if ((v4_mode & WRITE_MASK) && 2165 (zp->z_zfsvfs->z_vfs->vfs_flag & VFS_RDONLY) && 2166 (!IS_DEVVP(ZTOV(zp)))) { 2167 *check_privs = B_FALSE; 2168 return (EROFS); 2169 } 2170 2171 /* 2172 * Only check for READONLY on non-directories. 2173 */ 2174 if ((v4_mode & WRITE_MASK_DATA) && 2175 (((ZTOV(zp)->v_type != VDIR) && 2176 (zp->z_phys->zp_flags & (ZFS_READONLY | ZFS_IMMUTABLE))) || 2177 (ZTOV(zp)->v_type == VDIR && 2178 (zp->z_phys->zp_flags & ZFS_IMMUTABLE)))) { 2179 *check_privs = B_FALSE; 2180 return (EPERM); 2181 } 2182 2183 if ((v4_mode & (ACE_DELETE | ACE_DELETE_CHILD)) && 2184 (zp->z_phys->zp_flags & ZFS_NOUNLINK)) { 2185 *check_privs = B_FALSE; 2186 return (EPERM); 2187 } 2188 2189 if (((v4_mode & (ACE_READ_DATA|ACE_EXECUTE)) && 2190 (zp->z_phys->zp_flags & ZFS_AV_QUARANTINED))) { 2191 *check_privs = B_FALSE; 2192 return (EACCES); 2193 } 2194 2195 /* 2196 * The caller requested that the ACL check be skipped. This 2197 * would only happen if the caller checked VOP_ACCESS() with a 2198 * 32 bit ACE mask and already had the appropriate permissions. 2199 */ 2200 if (skipaclchk) { 2201 *working_mode = 0; 2202 return (0); 2203 } 2204 2205 zfs_fuid_map_ids(zp, cr, &fowner, &gowner); 2206 2207 mutex_enter(&zp->z_acl_lock); 2208 2209 error = zfs_acl_node_read(zp, &aclp, B_FALSE); 2210 if (error != 0) { 2211 mutex_exit(&zp->z_acl_lock); 2212 return (error); 2213 } 2214 2215 while (acep = zfs_acl_next_ace(aclp, acep, &who, &access_mask, 2216 &iflags, &type)) { 2217 2218 if (iflags & ACE_INHERIT_ONLY_ACE) 2219 continue; 2220 2221 entry_type = (iflags & ACE_TYPE_FLAGS); 2222 2223 checkit = B_FALSE; 2224 2225 switch (entry_type) { 2226 case ACE_OWNER: 2227 if (uid == fowner) 2228 checkit = B_TRUE; 2229 break; 2230 case OWNING_GROUP: 2231 who = gowner; 2232 /*FALLTHROUGH*/ 2233 case ACE_IDENTIFIER_GROUP: 2234 checkit = zfs_groupmember(zfsvfs, who, cr); 2235 break; 2236 case ACE_EVERYONE: 2237 checkit = B_TRUE; 2238 break; 2239 2240 /* USER Entry */ 2241 default: 2242 if (entry_type == 0) { 2243 uid_t newid; 2244 2245 zfs_fuid_map_id(zfsvfs, who, cr, 2246 ZFS_ACE_USER, &newid); 2247 if (newid != IDMAP_WK_CREATOR_OWNER_UID && 2248 uid == newid) 2249 checkit = B_TRUE; 2250 break; 2251 } else { 2252 zfs_acl_free(aclp); 2253 mutex_exit(&zp->z_acl_lock); 2254 return (EIO); 2255 } 2256 } 2257 2258 if (checkit) { 2259 if (access_mask & *working_mode) { 2260 if (type == ALLOW) { 2261 *working_mode &= 2262 ~(*working_mode & access_mask); 2263 if (*working_mode == 0) { 2264 access_deny = 0; 2265 } 2266 } else if (type == DENY) { 2267 access_deny = EACCES; 2268 } 2269 } 2270 } 2271 2272 if (access_deny != ACCESS_UNDETERMINED) 2273 break; 2274 } 2275 2276 mutex_exit(&zp->z_acl_lock); 2277 zfs_acl_free(aclp); 2278 out: 2279 return (access_deny); 2280 } 2281 2282 static int 2283 zfs_zaccess_append(znode_t *zp, uint32_t *working_mode, boolean_t *check_privs, 2284 cred_t *cr) 2285 { 2286 if (*working_mode != ACE_WRITE_DATA) 2287 return (EACCES); 2288 2289 return (zfs_zaccess_common(zp, ACE_APPEND_DATA, working_mode, 2290 check_privs, B_FALSE, cr)); 2291 } 2292 2293 /* 2294 * Determine whether Access should be granted/denied, invoking least 2295 * priv subsytem when a deny is determined. 2296 */ 2297 int 2298 zfs_zaccess(znode_t *zp, int mode, int flags, boolean_t skipaclchk, cred_t *cr) 2299 { 2300 uint32_t working_mode; 2301 int error; 2302 int is_attr; 2303 zfsvfs_t *zfsvfs = zp->z_zfsvfs; 2304 boolean_t check_privs; 2305 znode_t *xzp; 2306 znode_t *check_zp = zp; 2307 2308 is_attr = ((zp->z_phys->zp_flags & ZFS_XATTR) && 2309 (ZTOV(zp)->v_type == VDIR)); 2310 2311 /* 2312 * If attribute then validate against base file 2313 */ 2314 if (is_attr) { 2315 if ((error = zfs_zget(zp->z_zfsvfs, 2316 zp->z_phys->zp_parent, &xzp)) != 0) { 2317 return (error); 2318 } 2319 2320 check_zp = xzp; 2321 2322 /* 2323 * fixup mode to map to xattr perms 2324 */ 2325 2326 if (mode & (ACE_WRITE_DATA|ACE_APPEND_DATA)) { 2327 mode &= ~(ACE_WRITE_DATA|ACE_APPEND_DATA); 2328 mode |= ACE_WRITE_NAMED_ATTRS; 2329 } 2330 2331 if (mode & (ACE_READ_DATA|ACE_EXECUTE)) { 2332 mode &= ~(ACE_READ_DATA|ACE_EXECUTE); 2333 mode |= ACE_READ_NAMED_ATTRS; 2334 } 2335 } 2336 2337 if ((error = zfs_zaccess_common(check_zp, mode, &working_mode, 2338 &check_privs, skipaclchk, cr)) == 0) { 2339 if (is_attr) 2340 VN_RELE(ZTOV(xzp)); 2341 return (0); 2342 } 2343 2344 if (error && check_privs == B_FALSE) { 2345 if (is_attr) 2346 VN_RELE(ZTOV(xzp)); 2347 return (error); 2348 } 2349 2350 if (error && (flags & V_APPEND)) { 2351 error = zfs_zaccess_append(zp, &working_mode, &check_privs, cr); 2352 } 2353 2354 if (error && check_privs) { 2355 uid_t owner; 2356 mode_t checkmode = 0; 2357 2358 zfs_fuid_map_id(zfsvfs, check_zp->z_phys->zp_uid, cr, 2359 ZFS_OWNER, &owner); 2360 2361 /* 2362 * First check for implicit owner permission on 2363 * read_acl/read_attributes 2364 */ 2365 2366 error = 0; 2367 ASSERT(working_mode != 0); 2368 2369 if ((working_mode & (ACE_READ_ACL|ACE_READ_ATTRIBUTES) && 2370 owner == crgetuid(cr))) 2371 working_mode &= ~(ACE_READ_ACL|ACE_READ_ATTRIBUTES); 2372 2373 if (working_mode & (ACE_READ_DATA|ACE_READ_NAMED_ATTRS| 2374 ACE_READ_ACL|ACE_READ_ATTRIBUTES)) 2375 checkmode |= VREAD; 2376 if (working_mode & (ACE_WRITE_DATA|ACE_WRITE_NAMED_ATTRS| 2377 ACE_APPEND_DATA|ACE_WRITE_ATTRIBUTES)) 2378 checkmode |= VWRITE; 2379 if (working_mode & ACE_EXECUTE) 2380 checkmode |= VEXEC; 2381 2382 if (checkmode) 2383 error = secpolicy_vnode_access(cr, ZTOV(check_zp), 2384 owner, checkmode); 2385 2386 if (error == 0 && (working_mode & ACE_WRITE_OWNER)) 2387 error = secpolicy_vnode_create_gid(cr); 2388 if (error == 0 && (working_mode & ACE_WRITE_ACL)) 2389 error = secpolicy_vnode_setdac(cr, owner); 2390 2391 if (error == 0 && (working_mode & 2392 (ACE_DELETE|ACE_DELETE_CHILD))) 2393 error = secpolicy_vnode_remove(cr); 2394 2395 if (error == 0 && (working_mode & ACE_SYNCHRONIZE)) 2396 error = secpolicy_vnode_owner(cr, owner); 2397 2398 if (error == 0) { 2399 /* 2400 * See if any bits other than those already checked 2401 * for are still present. If so then return EACCES 2402 */ 2403 if (working_mode & ~(ZFS_CHECKED_MASKS)) { 2404 error = EACCES; 2405 } 2406 } 2407 } 2408 2409 if (is_attr) 2410 VN_RELE(ZTOV(xzp)); 2411 2412 return (error); 2413 } 2414 2415 /* 2416 * Translate traditional unix VREAD/VWRITE/VEXEC mode into 2417 * native ACL format and call zfs_zaccess() 2418 */ 2419 int 2420 zfs_zaccess_rwx(znode_t *zp, mode_t mode, int flags, cred_t *cr) 2421 { 2422 return (zfs_zaccess(zp, zfs_unix_to_v4(mode >> 6), flags, B_FALSE, cr)); 2423 } 2424 2425 /* 2426 * Access function for secpolicy_vnode_setattr 2427 */ 2428 int 2429 zfs_zaccess_unix(znode_t *zp, mode_t mode, cred_t *cr) 2430 { 2431 int v4_mode = zfs_unix_to_v4(mode >> 6); 2432 2433 return (zfs_zaccess(zp, v4_mode, 0, B_FALSE, cr)); 2434 } 2435 2436 static int 2437 zfs_delete_final_check(znode_t *zp, znode_t *dzp, cred_t *cr) 2438 { 2439 int error; 2440 uid_t downer; 2441 zfsvfs_t *zfsvfs = zp->z_zfsvfs; 2442 2443 zfs_fuid_map_id(zfsvfs, dzp->z_phys->zp_uid, cr, ZFS_OWNER, &downer); 2444 2445 error = secpolicy_vnode_access(cr, ZTOV(zp), downer, S_IWRITE|S_IEXEC); 2446 2447 if (error == 0) 2448 error = zfs_sticky_remove_access(dzp, zp, cr); 2449 2450 return (error); 2451 } 2452 2453 /* 2454 * Determine whether Access should be granted/deny, without 2455 * consulting least priv subsystem. 2456 * 2457 * 2458 * The following chart is the recommended NFSv4 enforcement for 2459 * ability to delete an object. 2460 * 2461 * ------------------------------------------------------- 2462 * | Parent Dir | Target Object Permissions | 2463 * | permissions | | 2464 * ------------------------------------------------------- 2465 * | | ACL Allows | ACL Denies| Delete | 2466 * | | Delete | Delete | unspecified| 2467 * ------------------------------------------------------- 2468 * | ACL Allows | Permit | Permit | Permit | 2469 * | DELETE_CHILD | | 2470 * ------------------------------------------------------- 2471 * | ACL Denies | Permit | Deny | Deny | 2472 * | DELETE_CHILD | | | | 2473 * ------------------------------------------------------- 2474 * | ACL specifies | | | | 2475 * | only allow | Permit | Permit | Permit | 2476 * | write and | | | | 2477 * | execute | | | | 2478 * ------------------------------------------------------- 2479 * | ACL denies | | | | 2480 * | write and | Permit | Deny | Deny | 2481 * | execute | | | | 2482 * ------------------------------------------------------- 2483 * ^ 2484 * | 2485 * No search privilege, can't even look up file? 2486 * 2487 */ 2488 int 2489 zfs_zaccess_delete(znode_t *dzp, znode_t *zp, cred_t *cr) 2490 { 2491 uint32_t dzp_working_mode = 0; 2492 uint32_t zp_working_mode = 0; 2493 int dzp_error, zp_error; 2494 boolean_t dzpcheck_privs = B_TRUE; 2495 boolean_t zpcheck_privs = B_TRUE; 2496 2497 /* 2498 * Arghh, this check is going to require a couple of questions 2499 * to be asked. We want specific DELETE permissions to 2500 * take precedence over WRITE/EXECUTE. We don't 2501 * want an ACL such as this to mess us up. 2502 * user:joe:write_data:deny,user:joe:delete:allow 2503 * 2504 * However, deny permissions may ultimately be overridden 2505 * by secpolicy_vnode_access(). 2506 */ 2507 2508 if (zp->z_phys->zp_flags & (ZFS_IMMUTABLE | ZFS_NOUNLINK)) 2509 return (EPERM); 2510 2511 dzp_error = zfs_zaccess_common(dzp, ACE_DELETE_CHILD, 2512 &dzp_working_mode, &dzpcheck_privs, B_FALSE, cr); 2513 zp_error = zfs_zaccess_common(zp, ACE_DELETE, &zp_working_mode, 2514 &zpcheck_privs, B_FALSE, cr); 2515 2516 if ((dzp_error && dzpcheck_privs == B_FALSE) || 2517 (zp_error && zpcheck_privs == B_FALSE)) 2518 return (dzp_error); 2519 2520 /* 2521 * First check the first row. 2522 * We only need to see if parent Allows delete_child 2523 */ 2524 if ((dzp_working_mode & ACE_DELETE_CHILD) == 0) 2525 return (0); 2526 2527 /* 2528 * Second row 2529 * we already have the necessary information in 2530 * zp_working_mode, zp_error and dzp_error. 2531 */ 2532 2533 if ((zp_working_mode & ACE_DELETE) == 0) 2534 return (0); 2535 2536 /* 2537 * Now zp_error should either be EACCES which indicates 2538 * a "deny" delete entry or ACCESS_UNDETERMINED if the "delete" 2539 * entry exists on the target. 2540 * 2541 * dzp_error should be either EACCES which indicates a "deny" 2542 * entry for delete_child or ACCESS_UNDETERMINED if no delete_child 2543 * entry exists. If value is EACCES then we are done 2544 * and zfs_delete_final_check() will make the final decision 2545 * regarding to allow the delete. 2546 */ 2547 2548 ASSERT(zp_error != 0 && dzp_error != 0); 2549 if (dzp_error == EACCES) 2550 return (zfs_delete_final_check(zp, dzp, cr)); 2551 2552 /* 2553 * Third Row 2554 * Only need to check for write/execute on parent 2555 */ 2556 2557 dzp_error = zfs_zaccess_common(dzp, ACE_WRITE_DATA|ACE_EXECUTE, 2558 &dzp_working_mode, &dzpcheck_privs, B_FALSE, cr); 2559 2560 if (dzp_error && dzpcheck_privs == B_FALSE) 2561 return (dzp_error); 2562 2563 if ((dzp_working_mode & (ACE_WRITE_DATA|ACE_EXECUTE)) == 0) 2564 return (zfs_sticky_remove_access(dzp, zp, cr)); 2565 2566 /* 2567 * Fourth Row 2568 */ 2569 2570 if (((dzp_working_mode & (ACE_WRITE_DATA|ACE_EXECUTE)) != 0) && 2571 ((zp_working_mode & ACE_DELETE) == 0)) 2572 return (zfs_sticky_remove_access(dzp, zp, cr)); 2573 2574 return (zfs_delete_final_check(zp, dzp, cr)); 2575 } 2576 2577 int 2578 zfs_zaccess_rename(znode_t *sdzp, znode_t *szp, znode_t *tdzp, 2579 znode_t *tzp, cred_t *cr) 2580 { 2581 int add_perm; 2582 int error; 2583 2584 if (szp->z_phys->zp_flags & ZFS_AV_QUARANTINED) 2585 return (EACCES); 2586 2587 add_perm = (ZTOV(szp)->v_type == VDIR) ? 2588 ACE_ADD_SUBDIRECTORY : ACE_ADD_FILE; 2589 2590 /* 2591 * Rename permissions are combination of delete permission + 2592 * add file/subdir permission. 2593 */ 2594 2595 /* 2596 * first make sure we do the delete portion. 2597 * 2598 * If that succeeds then check for add_file/add_subdir permissions 2599 */ 2600 2601 if (error = zfs_zaccess_delete(sdzp, szp, cr)) 2602 return (error); 2603 2604 /* 2605 * If we have a tzp, see if we can delete it? 2606 */ 2607 if (tzp) { 2608 if (error = zfs_zaccess_delete(tdzp, tzp, cr)) 2609 return (error); 2610 } 2611 2612 /* 2613 * Now check for add permissions 2614 */ 2615 error = zfs_zaccess(tdzp, add_perm, 0, B_FALSE, cr); 2616 2617 return (error); 2618 } 2619