xref: /titanic_52/usr/src/uts/common/fs/zfs/zfs_acl.c (revision d2ec54f7875f7e05edd56195adbeb593c947763f)
1 /*
2  * CDDL HEADER START
3  *
4  * The contents of this file are subject to the terms of the
5  * Common Development and Distribution License (the "License").
6  * You may not use this file except in compliance with the License.
7  *
8  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9  * or http://www.opensolaris.org/os/licensing.
10  * See the License for the specific language governing permissions
11  * and limitations under the License.
12  *
13  * When distributing Covered Code, include this CDDL HEADER in each
14  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15  * If applicable, add the following below this CDDL HEADER, with the
16  * fields enclosed by brackets "[]" replaced with your own identifying
17  * information: Portions Copyright [yyyy] [name of copyright owner]
18  *
19  * CDDL HEADER END
20  */
21 /*
22  * Copyright 2008 Sun Microsystems, Inc.  All rights reserved.
23  * Use is subject to license terms.
24  */
25 
26 #pragma ident	"%Z%%M%	%I%	%E% SMI"
27 
28 #include <sys/types.h>
29 #include <sys/param.h>
30 #include <sys/time.h>
31 #include <sys/systm.h>
32 #include <sys/sysmacros.h>
33 #include <sys/resource.h>
34 #include <sys/vfs.h>
35 #include <sys/vnode.h>
36 #include <sys/sid.h>
37 #include <sys/file.h>
38 #include <sys/stat.h>
39 #include <sys/kmem.h>
40 #include <sys/cmn_err.h>
41 #include <sys/errno.h>
42 #include <sys/unistd.h>
43 #include <sys/sdt.h>
44 #include <sys/fs/zfs.h>
45 #include <sys/mode.h>
46 #include <sys/policy.h>
47 #include <sys/zfs_znode.h>
48 #include <sys/zfs_fuid.h>
49 #include <sys/zfs_acl.h>
50 #include <sys/zfs_dir.h>
51 #include <sys/zfs_vfsops.h>
52 #include <sys/dmu.h>
53 #include <sys/dnode.h>
54 #include <sys/zap.h>
55 #include "fs/fs_subr.h"
56 #include <acl/acl_common.h>
57 
58 #define	ALLOW	ACE_ACCESS_ALLOWED_ACE_TYPE
59 #define	DENY	ACE_ACCESS_DENIED_ACE_TYPE
60 #define	MAX_ACE_TYPE	ACE_SYSTEM_ALARM_CALLBACK_OBJECT_ACE_TYPE
61 
62 #define	OWNING_GROUP		(ACE_GROUP|ACE_IDENTIFIER_GROUP)
63 #define	EVERYONE_ALLOW_MASK (ACE_READ_ACL|ACE_READ_ATTRIBUTES | \
64     ACE_READ_NAMED_ATTRS|ACE_SYNCHRONIZE)
65 #define	EVERYONE_DENY_MASK (ACE_WRITE_ACL|ACE_WRITE_OWNER | \
66     ACE_WRITE_ATTRIBUTES|ACE_WRITE_NAMED_ATTRS)
67 #define	OWNER_ALLOW_MASK (ACE_WRITE_ACL | ACE_WRITE_OWNER | \
68     ACE_WRITE_ATTRIBUTES|ACE_WRITE_NAMED_ATTRS)
69 #define	WRITE_MASK_DATA (ACE_WRITE_DATA|ACE_APPEND_DATA|ACE_WRITE_NAMED_ATTRS)
70 
71 #define	ZFS_CHECKED_MASKS (ACE_READ_ACL|ACE_READ_ATTRIBUTES|ACE_READ_DATA| \
72     ACE_READ_NAMED_ATTRS|ACE_WRITE_DATA|ACE_WRITE_ATTRIBUTES| \
73     ACE_WRITE_NAMED_ATTRS|ACE_APPEND_DATA|ACE_EXECUTE|ACE_WRITE_OWNER| \
74     ACE_WRITE_ACL|ACE_DELETE|ACE_DELETE_CHILD|ACE_SYNCHRONIZE)
75 
76 #define	WRITE_MASK (WRITE_MASK_DATA|ACE_WRITE_ATTRIBUTES|ACE_WRITE_ACL|\
77     ACE_WRITE_OWNER)
78 
79 #define	OGE_CLEAR	(ACE_READ_DATA|ACE_LIST_DIRECTORY|ACE_WRITE_DATA| \
80     ACE_ADD_FILE|ACE_APPEND_DATA|ACE_ADD_SUBDIRECTORY|ACE_EXECUTE)
81 
82 #define	OKAY_MASK_BITS (ACE_READ_DATA|ACE_LIST_DIRECTORY|ACE_WRITE_DATA| \
83     ACE_ADD_FILE|ACE_APPEND_DATA|ACE_ADD_SUBDIRECTORY|ACE_EXECUTE)
84 
85 #define	ALL_INHERIT	(ACE_FILE_INHERIT_ACE|ACE_DIRECTORY_INHERIT_ACE | \
86     ACE_NO_PROPAGATE_INHERIT_ACE|ACE_INHERIT_ONLY_ACE|ACE_INHERITED_ACE)
87 
88 #define	RESTRICTED_CLEAR	(ACE_WRITE_ACL|ACE_WRITE_OWNER)
89 
90 #define	V4_ACL_WIDE_FLAGS (ZFS_ACL_AUTO_INHERIT|ZFS_ACL_DEFAULTED|\
91     ZFS_ACL_PROTECTED)
92 
93 #define	ZFS_ACL_WIDE_FLAGS (V4_ACL_WIDE_FLAGS|ZFS_ACL_TRIVIAL|ZFS_INHERIT_ACE|\
94     ZFS_ACL_OBJ_ACE)
95 
96 static uint16_t
97 zfs_ace_v0_get_type(void *acep)
98 {
99 	return (((zfs_oldace_t *)acep)->z_type);
100 }
101 
102 static uint16_t
103 zfs_ace_v0_get_flags(void *acep)
104 {
105 	return (((zfs_oldace_t *)acep)->z_flags);
106 }
107 
108 static uint32_t
109 zfs_ace_v0_get_mask(void *acep)
110 {
111 	return (((zfs_oldace_t *)acep)->z_access_mask);
112 }
113 
114 static uint64_t
115 zfs_ace_v0_get_who(void *acep)
116 {
117 	return (((zfs_oldace_t *)acep)->z_fuid);
118 }
119 
120 static void
121 zfs_ace_v0_set_type(void *acep, uint16_t type)
122 {
123 	((zfs_oldace_t *)acep)->z_type = type;
124 }
125 
126 static void
127 zfs_ace_v0_set_flags(void *acep, uint16_t flags)
128 {
129 	((zfs_oldace_t *)acep)->z_flags = flags;
130 }
131 
132 static void
133 zfs_ace_v0_set_mask(void *acep, uint32_t mask)
134 {
135 	((zfs_oldace_t *)acep)->z_access_mask = mask;
136 }
137 
138 static void
139 zfs_ace_v0_set_who(void *acep, uint64_t who)
140 {
141 	((zfs_oldace_t *)acep)->z_fuid = who;
142 }
143 
144 /*ARGSUSED*/
145 static size_t
146 zfs_ace_v0_size(void *acep)
147 {
148 	return (sizeof (zfs_oldace_t));
149 }
150 
151 static size_t
152 zfs_ace_v0_abstract_size(void)
153 {
154 	return (sizeof (zfs_oldace_t));
155 }
156 
157 static int
158 zfs_ace_v0_mask_off(void)
159 {
160 	return (offsetof(zfs_oldace_t, z_access_mask));
161 }
162 
163 /*ARGSUSED*/
164 static int
165 zfs_ace_v0_data(void *acep, void **datap)
166 {
167 	*datap = NULL;
168 	return (0);
169 }
170 
171 static acl_ops_t zfs_acl_v0_ops = {
172 	zfs_ace_v0_get_mask,
173 	zfs_ace_v0_set_mask,
174 	zfs_ace_v0_get_flags,
175 	zfs_ace_v0_set_flags,
176 	zfs_ace_v0_get_type,
177 	zfs_ace_v0_set_type,
178 	zfs_ace_v0_get_who,
179 	zfs_ace_v0_set_who,
180 	zfs_ace_v0_size,
181 	zfs_ace_v0_abstract_size,
182 	zfs_ace_v0_mask_off,
183 	zfs_ace_v0_data
184 };
185 
186 static uint16_t
187 zfs_ace_fuid_get_type(void *acep)
188 {
189 	return (((zfs_ace_hdr_t *)acep)->z_type);
190 }
191 
192 static uint16_t
193 zfs_ace_fuid_get_flags(void *acep)
194 {
195 	return (((zfs_ace_hdr_t *)acep)->z_flags);
196 }
197 
198 static uint32_t
199 zfs_ace_fuid_get_mask(void *acep)
200 {
201 	return (((zfs_ace_hdr_t *)acep)->z_access_mask);
202 }
203 
204 static uint64_t
205 zfs_ace_fuid_get_who(void *args)
206 {
207 	uint16_t entry_type;
208 	zfs_ace_t *acep = args;
209 
210 	entry_type = acep->z_hdr.z_flags & ACE_TYPE_FLAGS;
211 
212 	if (entry_type == ACE_OWNER || entry_type == OWNING_GROUP ||
213 	    entry_type == ACE_EVERYONE)
214 		return (-1);
215 	return (((zfs_ace_t *)acep)->z_fuid);
216 }
217 
218 static void
219 zfs_ace_fuid_set_type(void *acep, uint16_t type)
220 {
221 	((zfs_ace_hdr_t *)acep)->z_type = type;
222 }
223 
224 static void
225 zfs_ace_fuid_set_flags(void *acep, uint16_t flags)
226 {
227 	((zfs_ace_hdr_t *)acep)->z_flags = flags;
228 }
229 
230 static void
231 zfs_ace_fuid_set_mask(void *acep, uint32_t mask)
232 {
233 	((zfs_ace_hdr_t *)acep)->z_access_mask = mask;
234 }
235 
236 static void
237 zfs_ace_fuid_set_who(void *arg, uint64_t who)
238 {
239 	zfs_ace_t *acep = arg;
240 
241 	uint16_t entry_type = acep->z_hdr.z_flags & ACE_TYPE_FLAGS;
242 
243 	if (entry_type == ACE_OWNER || entry_type == OWNING_GROUP ||
244 	    entry_type == ACE_EVERYONE)
245 		return;
246 	acep->z_fuid = who;
247 }
248 
249 static size_t
250 zfs_ace_fuid_size(void *acep)
251 {
252 	zfs_ace_hdr_t *zacep = acep;
253 	uint16_t entry_type;
254 
255 	switch (zacep->z_type) {
256 	case ACE_ACCESS_ALLOWED_OBJECT_ACE_TYPE:
257 	case ACE_ACCESS_DENIED_OBJECT_ACE_TYPE:
258 	case ACE_SYSTEM_AUDIT_OBJECT_ACE_TYPE:
259 	case ACE_SYSTEM_ALARM_OBJECT_ACE_TYPE:
260 		return (sizeof (zfs_object_ace_t));
261 	case ALLOW:
262 	case DENY:
263 		entry_type =
264 		    (((zfs_ace_hdr_t *)acep)->z_flags & ACE_TYPE_FLAGS);
265 		if (entry_type == ACE_OWNER ||
266 		    entry_type == (ACE_GROUP | ACE_IDENTIFIER_GROUP) ||
267 		    entry_type == ACE_EVERYONE)
268 			return (sizeof (zfs_ace_hdr_t));
269 		/*FALLTHROUGH*/
270 	default:
271 		return (sizeof (zfs_ace_t));
272 	}
273 }
274 
275 static size_t
276 zfs_ace_fuid_abstract_size(void)
277 {
278 	return (sizeof (zfs_ace_hdr_t));
279 }
280 
281 static int
282 zfs_ace_fuid_mask_off(void)
283 {
284 	return (offsetof(zfs_ace_hdr_t, z_access_mask));
285 }
286 
287 static int
288 zfs_ace_fuid_data(void *acep, void **datap)
289 {
290 	zfs_ace_t *zacep = acep;
291 	zfs_object_ace_t *zobjp;
292 
293 	switch (zacep->z_hdr.z_type) {
294 	case ACE_ACCESS_ALLOWED_OBJECT_ACE_TYPE:
295 	case ACE_ACCESS_DENIED_OBJECT_ACE_TYPE:
296 	case ACE_SYSTEM_AUDIT_OBJECT_ACE_TYPE:
297 	case ACE_SYSTEM_ALARM_OBJECT_ACE_TYPE:
298 		zobjp = acep;
299 		*datap = (caddr_t)zobjp + sizeof (zfs_ace_t);
300 		return (sizeof (zfs_object_ace_t) - sizeof (zfs_ace_t));
301 	default:
302 		*datap = NULL;
303 		return (0);
304 	}
305 }
306 
307 static acl_ops_t zfs_acl_fuid_ops = {
308 	zfs_ace_fuid_get_mask,
309 	zfs_ace_fuid_set_mask,
310 	zfs_ace_fuid_get_flags,
311 	zfs_ace_fuid_set_flags,
312 	zfs_ace_fuid_get_type,
313 	zfs_ace_fuid_set_type,
314 	zfs_ace_fuid_get_who,
315 	zfs_ace_fuid_set_who,
316 	zfs_ace_fuid_size,
317 	zfs_ace_fuid_abstract_size,
318 	zfs_ace_fuid_mask_off,
319 	zfs_ace_fuid_data
320 };
321 
322 static int
323 zfs_acl_version(int version)
324 {
325 	if (version < ZPL_VERSION_FUID)
326 		return (ZFS_ACL_VERSION_INITIAL);
327 	else
328 		return (ZFS_ACL_VERSION_FUID);
329 }
330 
331 static int
332 zfs_acl_version_zp(znode_t *zp)
333 {
334 	return (zfs_acl_version(zp->z_zfsvfs->z_version));
335 }
336 
337 static zfs_acl_t *
338 zfs_acl_alloc(int vers)
339 {
340 	zfs_acl_t *aclp;
341 
342 	aclp = kmem_zalloc(sizeof (zfs_acl_t), KM_SLEEP);
343 	list_create(&aclp->z_acl, sizeof (zfs_acl_node_t),
344 	    offsetof(zfs_acl_node_t, z_next));
345 	aclp->z_version = vers;
346 	if (vers == ZFS_ACL_VERSION_FUID)
347 		aclp->z_ops = zfs_acl_fuid_ops;
348 	else
349 		aclp->z_ops = zfs_acl_v0_ops;
350 	return (aclp);
351 }
352 
353 static zfs_acl_node_t *
354 zfs_acl_node_alloc(size_t bytes)
355 {
356 	zfs_acl_node_t *aclnode;
357 
358 	aclnode = kmem_zalloc(sizeof (zfs_acl_node_t), KM_SLEEP);
359 	if (bytes) {
360 		aclnode->z_acldata = kmem_alloc(bytes, KM_SLEEP);
361 		aclnode->z_allocdata = aclnode->z_acldata;
362 		aclnode->z_allocsize = bytes;
363 		aclnode->z_size = bytes;
364 	}
365 
366 	return (aclnode);
367 }
368 
369 static void
370 zfs_acl_node_free(zfs_acl_node_t *aclnode)
371 {
372 	if (aclnode->z_allocsize)
373 		kmem_free(aclnode->z_allocdata, aclnode->z_allocsize);
374 	kmem_free(aclnode, sizeof (zfs_acl_node_t));
375 }
376 
377 static void
378 zfs_acl_release_nodes(zfs_acl_t *aclp)
379 {
380 	zfs_acl_node_t *aclnode;
381 
382 	while (aclnode = list_head(&aclp->z_acl)) {
383 		list_remove(&aclp->z_acl, aclnode);
384 		zfs_acl_node_free(aclnode);
385 	}
386 	aclp->z_acl_count = 0;
387 	aclp->z_acl_bytes = 0;
388 }
389 
390 void
391 zfs_acl_free(zfs_acl_t *aclp)
392 {
393 	zfs_acl_release_nodes(aclp);
394 	list_destroy(&aclp->z_acl);
395 	kmem_free(aclp, sizeof (zfs_acl_t));
396 }
397 
398 static boolean_t
399 zfs_ace_valid(vtype_t obj_type, zfs_acl_t *aclp, uint16_t type, uint16_t iflags)
400 {
401 	/*
402 	 * first check type of entry
403 	 */
404 
405 	switch (iflags & ACE_TYPE_FLAGS) {
406 	case ACE_OWNER:
407 	case (ACE_IDENTIFIER_GROUP | ACE_GROUP):
408 	case ACE_IDENTIFIER_GROUP:
409 	case ACE_EVERYONE:
410 	case 0:	/* User entry */
411 		break;
412 	default:
413 		return (B_FALSE);
414 
415 	}
416 
417 	/*
418 	 * next check inheritance level flags
419 	 */
420 
421 	if (type != ALLOW && type > MAX_ACE_TYPE) {
422 		return (B_FALSE);
423 	}
424 
425 	switch (type) {
426 	case ACE_ACCESS_ALLOWED_OBJECT_ACE_TYPE:
427 	case ACE_ACCESS_DENIED_OBJECT_ACE_TYPE:
428 	case ACE_SYSTEM_AUDIT_OBJECT_ACE_TYPE:
429 	case ACE_SYSTEM_ALARM_OBJECT_ACE_TYPE:
430 		if (aclp->z_version < ZFS_ACL_VERSION_FUID)
431 			return (B_FALSE);
432 		aclp->z_hints |= ZFS_ACL_OBJ_ACE;
433 	}
434 
435 	/*
436 	 * Only directories should have inheritance flags.
437 	 */
438 	if (obj_type != VDIR && (iflags &
439 	    (ACE_FILE_INHERIT_ACE|ACE_DIRECTORY_INHERIT_ACE|
440 	    ACE_INHERIT_ONLY_ACE|ACE_NO_PROPAGATE_INHERIT_ACE))) {
441 		return (B_FALSE);
442 	}
443 
444 	if (iflags & (ACE_FILE_INHERIT_ACE|ACE_DIRECTORY_INHERIT_ACE))
445 		aclp->z_hints |= ZFS_INHERIT_ACE;
446 
447 	if (iflags & (ACE_INHERIT_ONLY_ACE|ACE_NO_PROPAGATE_INHERIT_ACE)) {
448 		if ((iflags & (ACE_FILE_INHERIT_ACE|
449 		    ACE_DIRECTORY_INHERIT_ACE)) == 0) {
450 			return (B_FALSE);
451 		}
452 	}
453 
454 	return (B_TRUE);
455 }
456 
457 static void *
458 zfs_acl_next_ace(zfs_acl_t *aclp, void *start, uint64_t *who,
459     uint32_t *access_mask, uint16_t *iflags, uint16_t *type)
460 {
461 	zfs_acl_node_t *aclnode;
462 
463 	if (start == NULL) {
464 		aclnode = list_head(&aclp->z_acl);
465 		if (aclnode == NULL)
466 			return (NULL);
467 
468 		aclp->z_next_ace = aclnode->z_acldata;
469 		aclp->z_curr_node = aclnode;
470 		aclnode->z_ace_idx = 0;
471 	}
472 
473 	aclnode = aclp->z_curr_node;
474 
475 	if (aclnode == NULL)
476 		return (NULL);
477 
478 	if (aclnode->z_ace_idx >= aclnode->z_ace_count) {
479 		aclnode = list_next(&aclp->z_acl, aclnode);
480 		if (aclnode == NULL)
481 			return (NULL);
482 		else {
483 			aclp->z_curr_node = aclnode;
484 			aclnode->z_ace_idx = 0;
485 			aclp->z_next_ace = aclnode->z_acldata;
486 		}
487 	}
488 
489 	if (aclnode->z_ace_idx < aclnode->z_ace_count) {
490 		void *acep = aclp->z_next_ace;
491 		*iflags = aclp->z_ops.ace_flags_get(acep);
492 		*type = aclp->z_ops.ace_type_get(acep);
493 		*access_mask = aclp->z_ops.ace_mask_get(acep);
494 		*who = aclp->z_ops.ace_who_get(acep);
495 		aclp->z_next_ace = (caddr_t)aclp->z_next_ace +
496 		    aclp->z_ops.ace_size(acep);
497 		aclnode->z_ace_idx++;
498 		return ((void *)acep);
499 	}
500 	return (NULL);
501 }
502 
503 /*ARGSUSED*/
504 static uint64_t
505 zfs_ace_walk(void *datap, uint64_t cookie, int aclcnt,
506     uint16_t *flags, uint16_t *type, uint32_t *mask)
507 {
508 	zfs_acl_t *aclp = datap;
509 	zfs_ace_hdr_t *acep = (zfs_ace_hdr_t *)(uintptr_t)cookie;
510 	uint64_t who;
511 
512 	acep = zfs_acl_next_ace(aclp, acep, &who, mask,
513 	    flags, type);
514 	return ((uint64_t)(uintptr_t)acep);
515 }
516 
517 static zfs_acl_node_t *
518 zfs_acl_curr_node(zfs_acl_t *aclp)
519 {
520 	ASSERT(aclp->z_curr_node);
521 	return (aclp->z_curr_node);
522 }
523 
524 /*
525  * Copy ACE to internal ZFS format.
526  * While processing the ACL each ACE will be validated for correctness.
527  * ACE FUIDs will be created later.
528  */
529 int
530 zfs_copy_ace_2_fuid(vtype_t obj_type, zfs_acl_t *aclp, void *datap,
531     zfs_ace_t *z_acl, int aclcnt, size_t *size)
532 {
533 	int i;
534 	uint16_t entry_type;
535 	zfs_ace_t *aceptr = z_acl;
536 	ace_t *acep = datap;
537 	zfs_object_ace_t *zobjacep;
538 	ace_object_t *aceobjp;
539 
540 	for (i = 0; i != aclcnt; i++) {
541 		aceptr->z_hdr.z_access_mask = acep->a_access_mask;
542 		aceptr->z_hdr.z_flags = acep->a_flags;
543 		aceptr->z_hdr.z_type = acep->a_type;
544 		entry_type = aceptr->z_hdr.z_flags & ACE_TYPE_FLAGS;
545 		if (entry_type != ACE_OWNER && entry_type != OWNING_GROUP &&
546 		    entry_type != ACE_EVERYONE) {
547 			if (!aclp->z_has_fuids)
548 				aclp->z_has_fuids = IS_EPHEMERAL(acep->a_who);
549 			aceptr->z_fuid = (uint64_t)acep->a_who;
550 		}
551 
552 		/*
553 		 * Make sure ACE is valid
554 		 */
555 		if (zfs_ace_valid(obj_type, aclp, aceptr->z_hdr.z_type,
556 		    aceptr->z_hdr.z_flags) != B_TRUE)
557 			return (EINVAL);
558 
559 		switch (acep->a_type) {
560 		case ACE_ACCESS_ALLOWED_OBJECT_ACE_TYPE:
561 		case ACE_ACCESS_DENIED_OBJECT_ACE_TYPE:
562 		case ACE_SYSTEM_AUDIT_OBJECT_ACE_TYPE:
563 		case ACE_SYSTEM_ALARM_OBJECT_ACE_TYPE:
564 			zobjacep = (zfs_object_ace_t *)aceptr;
565 			aceobjp = (ace_object_t *)acep;
566 
567 			bcopy(aceobjp->a_obj_type, zobjacep->z_object_type,
568 			    sizeof (aceobjp->a_obj_type));
569 			bcopy(aceobjp->a_inherit_obj_type,
570 			    zobjacep->z_inherit_type,
571 			    sizeof (aceobjp->a_inherit_obj_type));
572 			acep = (ace_t *)((caddr_t)acep + sizeof (ace_object_t));
573 			break;
574 		default:
575 			acep = (ace_t *)((caddr_t)acep + sizeof (ace_t));
576 		}
577 
578 		aceptr = (zfs_ace_t *)((caddr_t)aceptr +
579 		    aclp->z_ops.ace_size(aceptr));
580 	}
581 
582 	*size = (caddr_t)aceptr - (caddr_t)z_acl;
583 
584 	return (0);
585 }
586 
587 /*
588  * Copy ZFS ACEs to fixed size ace_t layout
589  */
590 static void
591 zfs_copy_fuid_2_ace(zfsvfs_t *zfsvfs, zfs_acl_t *aclp, cred_t *cr,
592     void *datap, int filter)
593 {
594 	uint64_t who;
595 	uint32_t access_mask;
596 	uint16_t iflags, type;
597 	zfs_ace_hdr_t *zacep = NULL;
598 	ace_t *acep = datap;
599 	ace_object_t *objacep;
600 	zfs_object_ace_t *zobjacep;
601 	size_t ace_size;
602 	uint16_t entry_type;
603 
604 	while (zacep = zfs_acl_next_ace(aclp, zacep,
605 	    &who, &access_mask, &iflags, &type)) {
606 
607 		switch (type) {
608 		case ACE_ACCESS_ALLOWED_OBJECT_ACE_TYPE:
609 		case ACE_ACCESS_DENIED_OBJECT_ACE_TYPE:
610 		case ACE_SYSTEM_AUDIT_OBJECT_ACE_TYPE:
611 		case ACE_SYSTEM_ALARM_OBJECT_ACE_TYPE:
612 			if (filter) {
613 				continue;
614 			}
615 			zobjacep = (zfs_object_ace_t *)zacep;
616 			objacep = (ace_object_t *)acep;
617 			bcopy(zobjacep->z_object_type,
618 			    objacep->a_obj_type,
619 			    sizeof (zobjacep->z_object_type));
620 			bcopy(zobjacep->z_inherit_type,
621 			    objacep->a_inherit_obj_type,
622 			    sizeof (zobjacep->z_inherit_type));
623 			ace_size = sizeof (ace_object_t);
624 			break;
625 		default:
626 			ace_size = sizeof (ace_t);
627 			break;
628 		}
629 
630 		entry_type = (iflags & ACE_TYPE_FLAGS);
631 		if ((entry_type != ACE_OWNER &&
632 		    entry_type != (ACE_GROUP | ACE_IDENTIFIER_GROUP) &&
633 		    entry_type != ACE_EVERYONE)) {
634 			acep->a_who = zfs_fuid_map_id(zfsvfs, who,
635 			    cr, (entry_type & ACE_IDENTIFIER_GROUP) ?
636 			    ZFS_ACE_GROUP : ZFS_ACE_USER);
637 		} else {
638 			acep->a_who = (uid_t)(int64_t)who;
639 		}
640 		acep->a_access_mask = access_mask;
641 		acep->a_flags = iflags;
642 		acep->a_type = type;
643 		acep = (ace_t *)((caddr_t)acep + ace_size);
644 	}
645 }
646 
647 static int
648 zfs_copy_ace_2_oldace(vtype_t obj_type, zfs_acl_t *aclp, ace_t *acep,
649     zfs_oldace_t *z_acl, int aclcnt, size_t *size)
650 {
651 	int i;
652 	zfs_oldace_t *aceptr = z_acl;
653 
654 	for (i = 0; i != aclcnt; i++, aceptr++) {
655 		aceptr->z_access_mask = acep[i].a_access_mask;
656 		aceptr->z_type = acep[i].a_type;
657 		aceptr->z_flags = acep[i].a_flags;
658 		aceptr->z_fuid = acep[i].a_who;
659 		/*
660 		 * Make sure ACE is valid
661 		 */
662 		if (zfs_ace_valid(obj_type, aclp, aceptr->z_type,
663 		    aceptr->z_flags) != B_TRUE)
664 			return (EINVAL);
665 	}
666 	*size = (caddr_t)aceptr - (caddr_t)z_acl;
667 	return (0);
668 }
669 
670 /*
671  * convert old ACL format to new
672  */
673 void
674 zfs_acl_xform(znode_t *zp, zfs_acl_t *aclp)
675 {
676 	zfs_oldace_t *oldaclp;
677 	int i;
678 	uint16_t type, iflags;
679 	uint32_t access_mask;
680 	uint64_t who;
681 	void *cookie = NULL;
682 	zfs_acl_node_t *newaclnode;
683 
684 	ASSERT(aclp->z_version == ZFS_ACL_VERSION_INITIAL);
685 	/*
686 	 * First create the ACE in a contiguous piece of memory
687 	 * for zfs_copy_ace_2_fuid().
688 	 *
689 	 * We only convert an ACL once, so this won't happen
690 	 * everytime.
691 	 */
692 	oldaclp = kmem_alloc(sizeof (zfs_oldace_t) * aclp->z_acl_count,
693 	    KM_SLEEP);
694 	i = 0;
695 	while (cookie = zfs_acl_next_ace(aclp, cookie, &who,
696 	    &access_mask, &iflags, &type)) {
697 		oldaclp[i].z_flags = iflags;
698 		oldaclp[i].z_type = type;
699 		oldaclp[i].z_fuid = who;
700 		oldaclp[i++].z_access_mask = access_mask;
701 	}
702 
703 	newaclnode = zfs_acl_node_alloc(aclp->z_acl_count *
704 	    sizeof (zfs_object_ace_t));
705 	aclp->z_ops = zfs_acl_fuid_ops;
706 	VERIFY(zfs_copy_ace_2_fuid(ZTOV(zp)->v_type, aclp, oldaclp,
707 	    newaclnode->z_acldata, aclp->z_acl_count,
708 	    &newaclnode->z_size) == 0);
709 	newaclnode->z_ace_count = aclp->z_acl_count;
710 	aclp->z_version = ZFS_ACL_VERSION;
711 	kmem_free(oldaclp, aclp->z_acl_count * sizeof (zfs_oldace_t));
712 
713 	/*
714 	 * Release all previous ACL nodes
715 	 */
716 
717 	zfs_acl_release_nodes(aclp);
718 
719 	list_insert_head(&aclp->z_acl, newaclnode);
720 
721 	aclp->z_acl_bytes = newaclnode->z_size;
722 	aclp->z_acl_count = newaclnode->z_ace_count;
723 
724 }
725 
726 /*
727  * Convert unix access mask to v4 access mask
728  */
729 static uint32_t
730 zfs_unix_to_v4(uint32_t access_mask)
731 {
732 	uint32_t new_mask = 0;
733 
734 	if (access_mask & S_IXOTH)
735 		new_mask |= ACE_EXECUTE;
736 	if (access_mask & S_IWOTH)
737 		new_mask |= ACE_WRITE_DATA;
738 	if (access_mask & S_IROTH)
739 		new_mask |= ACE_READ_DATA;
740 	return (new_mask);
741 }
742 
743 static void
744 zfs_set_ace(zfs_acl_t *aclp, void *acep, uint32_t access_mask,
745     uint16_t access_type, uint64_t fuid, uint16_t entry_type)
746 {
747 	uint16_t type = entry_type & ACE_TYPE_FLAGS;
748 
749 	aclp->z_ops.ace_mask_set(acep, access_mask);
750 	aclp->z_ops.ace_type_set(acep, access_type);
751 	aclp->z_ops.ace_flags_set(acep, entry_type);
752 	if ((type != ACE_OWNER && type != (ACE_GROUP | ACE_IDENTIFIER_GROUP) &&
753 	    type != ACE_EVERYONE))
754 		aclp->z_ops.ace_who_set(acep, fuid);
755 }
756 
757 /*
758  * Determine mode of file based on ACL.
759  * Also, create FUIDs for any User/Group ACEs
760  */
761 static uint64_t
762 zfs_mode_fuid_compute(znode_t *zp, zfs_acl_t *aclp, cred_t *cr,
763     zfs_fuid_info_t **fuidp, dmu_tx_t *tx)
764 {
765 	int		entry_type;
766 	mode_t		mode;
767 	mode_t		seen = 0;
768 	zfs_ace_hdr_t 	*acep = NULL;
769 	uint64_t	who;
770 	uint16_t	iflags, type;
771 	uint32_t	access_mask;
772 
773 	mode = (zp->z_phys->zp_mode & (S_IFMT | S_ISUID | S_ISGID | S_ISVTX));
774 
775 	while (acep = zfs_acl_next_ace(aclp, acep, &who,
776 	    &access_mask, &iflags, &type)) {
777 
778 		/*
779 		 * Skip over inherit only ACEs
780 		 */
781 		if (iflags & ACE_INHERIT_ONLY_ACE)
782 			continue;
783 
784 		entry_type = (iflags & ACE_TYPE_FLAGS);
785 
786 		if (entry_type == ACE_OWNER) {
787 			if ((access_mask & ACE_READ_DATA) &&
788 			    (!(seen & S_IRUSR))) {
789 				seen |= S_IRUSR;
790 				if (type == ALLOW) {
791 					mode |= S_IRUSR;
792 				}
793 			}
794 			if ((access_mask & ACE_WRITE_DATA) &&
795 			    (!(seen & S_IWUSR))) {
796 				seen |= S_IWUSR;
797 				if (type == ALLOW) {
798 					mode |= S_IWUSR;
799 				}
800 			}
801 			if ((access_mask & ACE_EXECUTE) &&
802 			    (!(seen & S_IXUSR))) {
803 				seen |= S_IXUSR;
804 				if (type == ALLOW) {
805 					mode |= S_IXUSR;
806 				}
807 			}
808 		} else if (entry_type == OWNING_GROUP) {
809 			if ((access_mask & ACE_READ_DATA) &&
810 			    (!(seen & S_IRGRP))) {
811 				seen |= S_IRGRP;
812 				if (type == ALLOW) {
813 					mode |= S_IRGRP;
814 				}
815 			}
816 			if ((access_mask & ACE_WRITE_DATA) &&
817 			    (!(seen & S_IWGRP))) {
818 				seen |= S_IWGRP;
819 				if (type == ALLOW) {
820 					mode |= S_IWGRP;
821 				}
822 			}
823 			if ((access_mask & ACE_EXECUTE) &&
824 			    (!(seen & S_IXGRP))) {
825 				seen |= S_IXGRP;
826 				if (type == ALLOW) {
827 					mode |= S_IXGRP;
828 				}
829 			}
830 		} else if (entry_type == ACE_EVERYONE) {
831 			if ((access_mask & ACE_READ_DATA)) {
832 				if (!(seen & S_IRUSR)) {
833 					seen |= S_IRUSR;
834 					if (type == ALLOW) {
835 						mode |= S_IRUSR;
836 					}
837 				}
838 				if (!(seen & S_IRGRP)) {
839 					seen |= S_IRGRP;
840 					if (type == ALLOW) {
841 						mode |= S_IRGRP;
842 					}
843 				}
844 				if (!(seen & S_IROTH)) {
845 					seen |= S_IROTH;
846 					if (type == ALLOW) {
847 						mode |= S_IROTH;
848 					}
849 				}
850 			}
851 			if ((access_mask & ACE_WRITE_DATA)) {
852 				if (!(seen & S_IWUSR)) {
853 					seen |= S_IWUSR;
854 					if (type == ALLOW) {
855 						mode |= S_IWUSR;
856 					}
857 				}
858 				if (!(seen & S_IWGRP)) {
859 					seen |= S_IWGRP;
860 					if (type == ALLOW) {
861 						mode |= S_IWGRP;
862 					}
863 				}
864 				if (!(seen & S_IWOTH)) {
865 					seen |= S_IWOTH;
866 					if (type == ALLOW) {
867 						mode |= S_IWOTH;
868 					}
869 				}
870 			}
871 			if ((access_mask & ACE_EXECUTE)) {
872 				if (!(seen & S_IXUSR)) {
873 					seen |= S_IXUSR;
874 					if (type == ALLOW) {
875 						mode |= S_IXUSR;
876 					}
877 				}
878 				if (!(seen & S_IXGRP)) {
879 					seen |= S_IXGRP;
880 					if (type == ALLOW) {
881 						mode |= S_IXGRP;
882 					}
883 				}
884 				if (!(seen & S_IXOTH)) {
885 					seen |= S_IXOTH;
886 					if (type == ALLOW) {
887 						mode |= S_IXOTH;
888 					}
889 				}
890 			}
891 		}
892 		/*
893 		 * Now handle FUID create for user/group ACEs
894 		 */
895 		if (entry_type == 0 || entry_type == ACE_IDENTIFIER_GROUP) {
896 			aclp->z_ops.ace_who_set(acep,
897 			    zfs_fuid_create(zp->z_zfsvfs, who, cr,
898 			    (entry_type == 0) ? ZFS_ACE_USER : ZFS_ACE_GROUP,
899 			    tx, fuidp));
900 		}
901 	}
902 	return (mode);
903 }
904 
905 static zfs_acl_t *
906 zfs_acl_node_read_internal(znode_t *zp, boolean_t will_modify)
907 {
908 	zfs_acl_t	*aclp;
909 	zfs_acl_node_t	*aclnode;
910 
911 	aclp = zfs_acl_alloc(zp->z_phys->zp_acl.z_acl_version);
912 
913 	/*
914 	 * Version 0 to 1 znode_acl_phys has the size/count fields swapped.
915 	 * Version 0 didn't have a size field, only a count.
916 	 */
917 	if (zp->z_phys->zp_acl.z_acl_version == ZFS_ACL_VERSION_INITIAL) {
918 		aclp->z_acl_count = zp->z_phys->zp_acl.z_acl_size;
919 		aclp->z_acl_bytes = ZFS_ACL_SIZE(aclp->z_acl_count);
920 	} else {
921 		aclp->z_acl_count = zp->z_phys->zp_acl.z_acl_count;
922 		aclp->z_acl_bytes = zp->z_phys->zp_acl.z_acl_size;
923 	}
924 
925 	aclnode = zfs_acl_node_alloc(will_modify ? aclp->z_acl_bytes : 0);
926 	aclnode->z_ace_count = aclp->z_acl_count;
927 	if (will_modify) {
928 		bcopy(zp->z_phys->zp_acl.z_ace_data, aclnode->z_acldata,
929 		    aclp->z_acl_bytes);
930 	} else {
931 		aclnode->z_size = aclp->z_acl_bytes;
932 		aclnode->z_acldata = &zp->z_phys->zp_acl.z_ace_data[0];
933 	}
934 
935 	list_insert_head(&aclp->z_acl, aclnode);
936 
937 	return (aclp);
938 }
939 
940 /*
941  * Read an external acl object.
942  */
943 static int
944 zfs_acl_node_read(znode_t *zp, zfs_acl_t **aclpp, boolean_t will_modify)
945 {
946 	uint64_t extacl = zp->z_phys->zp_acl.z_acl_extern_obj;
947 	zfs_acl_t	*aclp;
948 	size_t		aclsize;
949 	size_t		acl_count;
950 	zfs_acl_node_t	*aclnode;
951 	int error;
952 
953 	ASSERT(MUTEX_HELD(&zp->z_acl_lock));
954 
955 	if (zp->z_phys->zp_acl.z_acl_extern_obj == 0) {
956 		*aclpp = zfs_acl_node_read_internal(zp, will_modify);
957 		return (0);
958 	}
959 
960 	aclp = zfs_acl_alloc(zp->z_phys->zp_acl.z_acl_version);
961 	if (zp->z_phys->zp_acl.z_acl_version == ZFS_ACL_VERSION_INITIAL) {
962 		zfs_acl_phys_v0_t *zacl0 =
963 		    (zfs_acl_phys_v0_t *)&zp->z_phys->zp_acl;
964 
965 		aclsize = ZFS_ACL_SIZE(zacl0->z_acl_count);
966 		acl_count = zacl0->z_acl_count;
967 	} else {
968 		aclsize = zp->z_phys->zp_acl.z_acl_size;
969 		acl_count = zp->z_phys->zp_acl.z_acl_count;
970 		if (aclsize == 0)
971 			aclsize = acl_count * sizeof (zfs_ace_t);
972 	}
973 	aclnode = zfs_acl_node_alloc(aclsize);
974 	list_insert_head(&aclp->z_acl, aclnode);
975 	error = dmu_read(zp->z_zfsvfs->z_os, extacl, 0,
976 	    aclsize, aclnode->z_acldata);
977 	aclnode->z_ace_count = acl_count;
978 	aclp->z_acl_count = acl_count;
979 	aclp->z_acl_bytes = aclsize;
980 
981 	if (error != 0) {
982 		zfs_acl_free(aclp);
983 		return (error);
984 	}
985 
986 	*aclpp = aclp;
987 	return (0);
988 }
989 
990 /*
991  * common code for setting ACLs.
992  *
993  * This function is called from zfs_mode_update, zfs_perm_init, and zfs_setacl.
994  * zfs_setacl passes a non-NULL inherit pointer (ihp) to indicate that it's
995  * already checked the acl and knows whether to inherit.
996  */
997 int
998 zfs_aclset_common(znode_t *zp, zfs_acl_t *aclp, cred_t *cr,
999     zfs_fuid_info_t **fuidp, dmu_tx_t *tx)
1000 {
1001 	int		error;
1002 	znode_phys_t	*zphys = zp->z_phys;
1003 	zfs_acl_phys_t	*zacl = &zphys->zp_acl;
1004 	zfsvfs_t	*zfsvfs = zp->z_zfsvfs;
1005 	uint64_t	aoid = zphys->zp_acl.z_acl_extern_obj;
1006 	uint64_t	off = 0;
1007 	dmu_object_type_t otype;
1008 	zfs_acl_node_t	*aclnode;
1009 
1010 	ASSERT(MUTEX_HELD(&zp->z_lock));
1011 	ASSERT(MUTEX_HELD(&zp->z_acl_lock));
1012 
1013 	dmu_buf_will_dirty(zp->z_dbuf, tx);
1014 
1015 	zphys->zp_mode = zfs_mode_fuid_compute(zp, aclp, cr, fuidp, tx);
1016 
1017 	/*
1018 	 * Decide which opbject type to use.  If we are forced to
1019 	 * use old ACL format than transform ACL into zfs_oldace_t
1020 	 * layout.
1021 	 */
1022 	if (!zfsvfs->z_use_fuids) {
1023 		otype = DMU_OT_OLDACL;
1024 	} else {
1025 		if ((aclp->z_version == ZFS_ACL_VERSION_INITIAL) &&
1026 		    (zfsvfs->z_version >= ZPL_VERSION_FUID))
1027 			zfs_acl_xform(zp, aclp);
1028 		ASSERT(aclp->z_version >= ZFS_ACL_VERSION_FUID);
1029 		otype = DMU_OT_ACL;
1030 	}
1031 
1032 	if (aclp->z_acl_bytes > ZFS_ACE_SPACE) {
1033 		/*
1034 		 * If ACL was previously external and we are now
1035 		 * converting to new ACL format then release old
1036 		 * ACL object and create a new one.
1037 		 */
1038 		if (aoid && aclp->z_version != zacl->z_acl_version) {
1039 			error = dmu_object_free(zfsvfs->z_os,
1040 			    zp->z_phys->zp_acl.z_acl_extern_obj, tx);
1041 			if (error)
1042 				return (error);
1043 			aoid = 0;
1044 		}
1045 		if (aoid == 0) {
1046 			aoid = dmu_object_alloc(zfsvfs->z_os,
1047 			    otype, aclp->z_acl_bytes,
1048 			    otype == DMU_OT_ACL ? DMU_OT_SYSACL : DMU_OT_NONE,
1049 			    otype == DMU_OT_ACL ? DN_MAX_BONUSLEN : 0, tx);
1050 		} else {
1051 			(void) dmu_object_set_blocksize(zfsvfs->z_os, aoid,
1052 			    aclp->z_acl_bytes, 0, tx);
1053 		}
1054 		zphys->zp_acl.z_acl_extern_obj = aoid;
1055 		for (aclnode = list_head(&aclp->z_acl); aclnode;
1056 		    aclnode = list_next(&aclp->z_acl, aclnode)) {
1057 			if (aclnode->z_ace_count == 0)
1058 				continue;
1059 			dmu_write(zfsvfs->z_os, aoid, off,
1060 			    aclnode->z_size, aclnode->z_acldata, tx);
1061 			off += aclnode->z_size;
1062 		}
1063 	} else {
1064 		void *start = zacl->z_ace_data;
1065 		/*
1066 		 * Migrating back embedded?
1067 		 */
1068 		if (zphys->zp_acl.z_acl_extern_obj) {
1069 			error = dmu_object_free(zfsvfs->z_os,
1070 			    zp->z_phys->zp_acl.z_acl_extern_obj, tx);
1071 			if (error)
1072 				return (error);
1073 			zphys->zp_acl.z_acl_extern_obj = 0;
1074 		}
1075 
1076 		for (aclnode = list_head(&aclp->z_acl); aclnode;
1077 		    aclnode = list_next(&aclp->z_acl, aclnode)) {
1078 			if (aclnode->z_ace_count == 0)
1079 				continue;
1080 			bcopy(aclnode->z_acldata, start, aclnode->z_size);
1081 			start = (caddr_t)start + aclnode->z_size;
1082 		}
1083 	}
1084 
1085 	/*
1086 	 * If Old version then swap count/bytes to match old
1087 	 * layout of znode_acl_phys_t.
1088 	 */
1089 	if (aclp->z_version == ZFS_ACL_VERSION_INITIAL) {
1090 		zphys->zp_acl.z_acl_size = aclp->z_acl_count;
1091 		zphys->zp_acl.z_acl_count = aclp->z_acl_bytes;
1092 	} else {
1093 		zphys->zp_acl.z_acl_size = aclp->z_acl_bytes;
1094 		zphys->zp_acl.z_acl_count = aclp->z_acl_count;
1095 	}
1096 
1097 	zphys->zp_acl.z_acl_version = aclp->z_version;
1098 
1099 	/*
1100 	 * Replace ACL wide bits, but first clear them.
1101 	 */
1102 	zp->z_phys->zp_flags &= ~ZFS_ACL_WIDE_FLAGS;
1103 
1104 	zp->z_phys->zp_flags |= aclp->z_hints;
1105 
1106 	if (ace_trivial_common(aclp, 0, zfs_ace_walk) == 0)
1107 		zp->z_phys->zp_flags |= ZFS_ACL_TRIVIAL;
1108 
1109 	zfs_time_stamper_locked(zp, STATE_CHANGED, tx);
1110 	return (0);
1111 }
1112 
1113 /*
1114  * Update access mask for prepended ACE
1115  *
1116  * This applies the "groupmask" value for aclmode property.
1117  */
1118 static void
1119 zfs_acl_prepend_fixup(zfs_acl_t *aclp, void  *acep, void  *origacep,
1120     mode_t mode, uint64_t owner)
1121 {
1122 	int	rmask, wmask, xmask;
1123 	int	user_ace;
1124 	uint16_t aceflags;
1125 	uint32_t origmask, acepmask;
1126 	uint64_t fuid;
1127 
1128 	aceflags = aclp->z_ops.ace_flags_get(acep);
1129 	fuid = aclp->z_ops.ace_who_get(acep);
1130 	origmask = aclp->z_ops.ace_mask_get(origacep);
1131 	acepmask = aclp->z_ops.ace_mask_get(acep);
1132 
1133 	user_ace = (!(aceflags &
1134 	    (ACE_OWNER|ACE_GROUP|ACE_IDENTIFIER_GROUP)));
1135 
1136 	if (user_ace && (fuid == owner)) {
1137 		rmask = S_IRUSR;
1138 		wmask = S_IWUSR;
1139 		xmask = S_IXUSR;
1140 	} else {
1141 		rmask = S_IRGRP;
1142 		wmask = S_IWGRP;
1143 		xmask = S_IXGRP;
1144 	}
1145 
1146 	if (origmask & ACE_READ_DATA) {
1147 		if (mode & rmask) {
1148 			acepmask &= ~ACE_READ_DATA;
1149 		} else {
1150 			acepmask |= ACE_READ_DATA;
1151 		}
1152 	}
1153 
1154 	if (origmask & ACE_WRITE_DATA) {
1155 		if (mode & wmask) {
1156 			acepmask &= ~ACE_WRITE_DATA;
1157 		} else {
1158 			acepmask |= ACE_WRITE_DATA;
1159 		}
1160 	}
1161 
1162 	if (origmask & ACE_APPEND_DATA) {
1163 		if (mode & wmask) {
1164 			acepmask &= ~ACE_APPEND_DATA;
1165 		} else {
1166 			acepmask |= ACE_APPEND_DATA;
1167 		}
1168 	}
1169 
1170 	if (origmask & ACE_EXECUTE) {
1171 		if (mode & xmask) {
1172 			acepmask &= ~ACE_EXECUTE;
1173 		} else {
1174 			acepmask |= ACE_EXECUTE;
1175 		}
1176 	}
1177 	aclp->z_ops.ace_mask_set(acep, acepmask);
1178 }
1179 
1180 /*
1181  * Apply mode to canonical six ACEs.
1182  */
1183 static void
1184 zfs_acl_fixup_canonical_six(zfs_acl_t *aclp, mode_t mode)
1185 {
1186 	zfs_acl_node_t *aclnode = list_tail(&aclp->z_acl);
1187 	void	*acep;
1188 	int	maskoff = aclp->z_ops.ace_mask_off();
1189 	size_t abstract_size = aclp->z_ops.ace_abstract_size();
1190 
1191 	ASSERT(aclnode != NULL);
1192 
1193 	acep = (void *)((caddr_t)aclnode->z_acldata +
1194 	    aclnode->z_size - (abstract_size * 6));
1195 
1196 	/*
1197 	 * Fixup final ACEs to match the mode
1198 	 */
1199 
1200 	adjust_ace_pair_common(acep, maskoff, abstract_size,
1201 	    (mode & 0700) >> 6);	/* owner@ */
1202 
1203 	acep = (caddr_t)acep + (abstract_size * 2);
1204 
1205 	adjust_ace_pair_common(acep, maskoff, abstract_size,
1206 	    (mode & 0070) >> 3);	/* group@ */
1207 
1208 	acep = (caddr_t)acep + (abstract_size * 2);
1209 	adjust_ace_pair_common(acep, maskoff,
1210 	    abstract_size, mode);	/* everyone@ */
1211 }
1212 
1213 
1214 static int
1215 zfs_acl_ace_match(zfs_acl_t *aclp, void *acep, int allow_deny,
1216     int entry_type, int accessmask)
1217 {
1218 	uint32_t mask = aclp->z_ops.ace_mask_get(acep);
1219 	uint16_t type = aclp->z_ops.ace_type_get(acep);
1220 	uint16_t flags = aclp->z_ops.ace_flags_get(acep);
1221 
1222 	return (mask == accessmask && type == allow_deny &&
1223 	    ((flags & ACE_TYPE_FLAGS) == entry_type));
1224 }
1225 
1226 /*
1227  * Can prepended ACE be reused?
1228  */
1229 static int
1230 zfs_reuse_deny(zfs_acl_t *aclp, void *acep, void *prevacep)
1231 {
1232 	int okay_masks;
1233 	uint16_t prevtype;
1234 	uint16_t prevflags;
1235 	uint16_t flags;
1236 	uint32_t mask, prevmask;
1237 
1238 	if (prevacep == NULL)
1239 		return (B_FALSE);
1240 
1241 	prevtype = aclp->z_ops.ace_type_get(prevacep);
1242 	prevflags = aclp->z_ops.ace_flags_get(prevacep);
1243 	flags = aclp->z_ops.ace_flags_get(acep);
1244 	mask = aclp->z_ops.ace_mask_get(acep);
1245 	prevmask = aclp->z_ops.ace_mask_get(prevacep);
1246 
1247 	if (prevtype != DENY)
1248 		return (B_FALSE);
1249 
1250 	if (prevflags != (flags & ACE_IDENTIFIER_GROUP))
1251 		return (B_FALSE);
1252 
1253 	okay_masks = (mask & OKAY_MASK_BITS);
1254 
1255 	if (prevmask & ~okay_masks)
1256 		return (B_FALSE);
1257 
1258 	return (B_TRUE);
1259 }
1260 
1261 
1262 /*
1263  * Insert new ACL node into chain of zfs_acl_node_t's
1264  *
1265  * This will result in two possible results.
1266  * 1. If the ACL is currently just a single zfs_acl_node and
1267  *    we are prepending the entry then current acl node will have
1268  *    a new node inserted above it.
1269  *
1270  * 2. If we are inserting in the middle of current acl node then
1271  *    the current node will be split in two and new node will be inserted
1272  *    in between the two split nodes.
1273  */
1274 static zfs_acl_node_t *
1275 zfs_acl_ace_insert(zfs_acl_t *aclp, void  *acep)
1276 {
1277 	zfs_acl_node_t 	*newnode;
1278 	zfs_acl_node_t 	*trailernode = NULL;
1279 	zfs_acl_node_t 	*currnode = zfs_acl_curr_node(aclp);
1280 	int		curr_idx = aclp->z_curr_node->z_ace_idx;
1281 	int		trailer_count;
1282 	size_t		oldsize;
1283 
1284 	newnode = zfs_acl_node_alloc(aclp->z_ops.ace_size(acep));
1285 	newnode->z_ace_count = 1;
1286 
1287 	oldsize = currnode->z_size;
1288 
1289 	if (curr_idx != 1) {
1290 		trailernode = zfs_acl_node_alloc(0);
1291 		trailernode->z_acldata = acep;
1292 
1293 		trailer_count = currnode->z_ace_count - curr_idx + 1;
1294 		currnode->z_ace_count = curr_idx - 1;
1295 		currnode->z_size = (caddr_t)acep - (caddr_t)currnode->z_acldata;
1296 		trailernode->z_size = oldsize - currnode->z_size;
1297 		trailernode->z_ace_count = trailer_count;
1298 	}
1299 
1300 	aclp->z_acl_count += 1;
1301 	aclp->z_acl_bytes += aclp->z_ops.ace_size(acep);
1302 
1303 	if (curr_idx == 1)
1304 		list_insert_before(&aclp->z_acl, currnode, newnode);
1305 	else
1306 		list_insert_after(&aclp->z_acl, currnode, newnode);
1307 	if (trailernode) {
1308 		list_insert_after(&aclp->z_acl, newnode, trailernode);
1309 		aclp->z_curr_node = trailernode;
1310 		trailernode->z_ace_idx = 1;
1311 	}
1312 
1313 	return (newnode);
1314 }
1315 
1316 /*
1317  * Prepend deny ACE
1318  */
1319 static void *
1320 zfs_acl_prepend_deny(znode_t *zp, zfs_acl_t *aclp, void *acep,
1321     mode_t mode)
1322 {
1323 	zfs_acl_node_t *aclnode;
1324 	void  *newacep;
1325 	uint64_t fuid;
1326 	uint16_t flags;
1327 
1328 	aclnode = zfs_acl_ace_insert(aclp, acep);
1329 	newacep = aclnode->z_acldata;
1330 	fuid = aclp->z_ops.ace_who_get(acep);
1331 	flags = aclp->z_ops.ace_flags_get(acep);
1332 	zfs_set_ace(aclp, newacep, 0, DENY, fuid, (flags & ACE_TYPE_FLAGS));
1333 	zfs_acl_prepend_fixup(aclp, newacep, acep, mode, zp->z_phys->zp_uid);
1334 
1335 	return (newacep);
1336 }
1337 
1338 /*
1339  * Split an inherited ACE into inherit_only ACE
1340  * and original ACE with inheritance flags stripped off.
1341  */
1342 static void
1343 zfs_acl_split_ace(zfs_acl_t *aclp, zfs_ace_hdr_t *acep)
1344 {
1345 	zfs_acl_node_t *aclnode;
1346 	zfs_acl_node_t *currnode;
1347 	void  *newacep;
1348 	uint16_t type, flags;
1349 	uint32_t mask;
1350 	uint64_t fuid;
1351 
1352 	type = aclp->z_ops.ace_type_get(acep);
1353 	flags = aclp->z_ops.ace_flags_get(acep);
1354 	mask = aclp->z_ops.ace_mask_get(acep);
1355 	fuid = aclp->z_ops.ace_who_get(acep);
1356 
1357 	aclnode = zfs_acl_ace_insert(aclp, acep);
1358 	newacep = aclnode->z_acldata;
1359 
1360 	aclp->z_ops.ace_type_set(newacep, type);
1361 	aclp->z_ops.ace_flags_set(newacep, flags | ACE_INHERIT_ONLY_ACE);
1362 	aclp->z_ops.ace_mask_set(newacep, mask);
1363 	aclp->z_ops.ace_type_set(newacep, type);
1364 	aclp->z_ops.ace_who_set(newacep, fuid);
1365 	aclp->z_next_ace = acep;
1366 	flags &= ~ALL_INHERIT;
1367 	aclp->z_ops.ace_flags_set(acep, flags);
1368 	currnode = zfs_acl_curr_node(aclp);
1369 	ASSERT(currnode->z_ace_idx >= 1);
1370 	currnode->z_ace_idx -= 1;
1371 }
1372 
1373 /*
1374  * Are ACES started at index i, the canonical six ACES?
1375  */
1376 static int
1377 zfs_have_canonical_six(zfs_acl_t *aclp)
1378 {
1379 	void *acep;
1380 	zfs_acl_node_t *aclnode = list_tail(&aclp->z_acl);
1381 	int		i = 0;
1382 	size_t abstract_size = aclp->z_ops.ace_abstract_size();
1383 
1384 	ASSERT(aclnode != NULL);
1385 
1386 	if (aclnode->z_ace_count < 6)
1387 		return (0);
1388 
1389 	acep = (void *)((caddr_t)aclnode->z_acldata +
1390 	    aclnode->z_size - (aclp->z_ops.ace_abstract_size() * 6));
1391 
1392 	if ((zfs_acl_ace_match(aclp, (caddr_t)acep + (abstract_size * i++),
1393 	    DENY, ACE_OWNER, 0) &&
1394 	    zfs_acl_ace_match(aclp, (caddr_t)acep + (abstract_size * i++),
1395 	    ALLOW, ACE_OWNER, OWNER_ALLOW_MASK) &&
1396 	    zfs_acl_ace_match(aclp, (caddr_t)acep + (abstract_size * i++), DENY,
1397 	    OWNING_GROUP, 0) && zfs_acl_ace_match(aclp, (caddr_t)acep +
1398 	    (abstract_size * i++),
1399 	    ALLOW, OWNING_GROUP, 0) &&
1400 	    zfs_acl_ace_match(aclp, (caddr_t)acep + (abstract_size * i++),
1401 	    DENY, ACE_EVERYONE, EVERYONE_DENY_MASK) &&
1402 	    zfs_acl_ace_match(aclp, (caddr_t)acep + (abstract_size * i++),
1403 	    ALLOW, ACE_EVERYONE, EVERYONE_ALLOW_MASK))) {
1404 		return (1);
1405 	} else {
1406 		return (0);
1407 	}
1408 }
1409 
1410 
1411 /*
1412  * Apply step 1g, to group entries
1413  *
1414  * Need to deal with corner case where group may have
1415  * greater permissions than owner.  If so then limit
1416  * group permissions, based on what extra permissions
1417  * group has.
1418  */
1419 static void
1420 zfs_fixup_group_entries(zfs_acl_t *aclp, void *acep, void *prevacep,
1421     mode_t mode)
1422 {
1423 	uint32_t prevmask = aclp->z_ops.ace_mask_get(prevacep);
1424 	uint32_t mask = aclp->z_ops.ace_mask_get(acep);
1425 	uint16_t prevflags = aclp->z_ops.ace_flags_get(prevacep);
1426 	mode_t extramode = (mode >> 3) & 07;
1427 	mode_t ownermode = (mode >> 6);
1428 
1429 	if (prevflags & ACE_IDENTIFIER_GROUP) {
1430 
1431 		extramode &= ~ownermode;
1432 
1433 		if (extramode) {
1434 			if (extramode & S_IROTH) {
1435 				prevmask &= ~ACE_READ_DATA;
1436 				mask &= ~ACE_READ_DATA;
1437 			}
1438 			if (extramode & S_IWOTH) {
1439 				prevmask &= ~(ACE_WRITE_DATA|ACE_APPEND_DATA);
1440 				mask &= ~(ACE_WRITE_DATA|ACE_APPEND_DATA);
1441 			}
1442 			if (extramode & S_IXOTH) {
1443 				prevmask  &= ~ACE_EXECUTE;
1444 				mask &= ~ACE_EXECUTE;
1445 			}
1446 		}
1447 	}
1448 	aclp->z_ops.ace_mask_set(acep, mask);
1449 	aclp->z_ops.ace_mask_set(prevacep, prevmask);
1450 }
1451 
1452 /*
1453  * Apply the chmod algorithm as described
1454  * in PSARC/2002/240
1455  */
1456 static void
1457 zfs_acl_chmod(znode_t *zp, uint64_t mode, zfs_acl_t *aclp)
1458 {
1459 	zfsvfs_t	*zfsvfs = zp->z_zfsvfs;
1460 	void		*acep = NULL, *prevacep = NULL;
1461 	uint64_t	who;
1462 	int 		i;
1463 	int 		entry_type;
1464 	int 		reuse_deny;
1465 	int 		need_canonical_six = 1;
1466 	uint16_t	iflags, type;
1467 	uint32_t	access_mask;
1468 
1469 	ASSERT(MUTEX_HELD(&zp->z_acl_lock));
1470 	ASSERT(MUTEX_HELD(&zp->z_lock));
1471 
1472 	aclp->z_hints = (zp->z_phys->zp_flags & V4_ACL_WIDE_FLAGS);
1473 
1474 	/*
1475 	 * If discard then just discard all ACL nodes which
1476 	 * represent the ACEs.
1477 	 *
1478 	 * New owner@/group@/everone@ ACEs will be added
1479 	 * later.
1480 	 */
1481 	if (zfsvfs->z_acl_mode == ZFS_ACL_DISCARD)
1482 		zfs_acl_release_nodes(aclp);
1483 
1484 	while (acep = zfs_acl_next_ace(aclp, acep, &who, &access_mask,
1485 	    &iflags, &type)) {
1486 
1487 		entry_type = (iflags & ACE_TYPE_FLAGS);
1488 		iflags = (iflags & ALL_INHERIT);
1489 
1490 		if ((type != ALLOW && type != DENY) ||
1491 		    (iflags & ACE_INHERIT_ONLY_ACE)) {
1492 			if (iflags)
1493 				aclp->z_hints |= ZFS_INHERIT_ACE;
1494 			switch (type) {
1495 			case ACE_ACCESS_ALLOWED_OBJECT_ACE_TYPE:
1496 			case ACE_ACCESS_DENIED_OBJECT_ACE_TYPE:
1497 			case ACE_SYSTEM_AUDIT_OBJECT_ACE_TYPE:
1498 			case ACE_SYSTEM_ALARM_OBJECT_ACE_TYPE:
1499 				aclp->z_hints |= ZFS_ACL_OBJ_ACE;
1500 				break;
1501 			}
1502 			goto nextace;
1503 		}
1504 
1505 		/*
1506 		 * Need to split ace into two?
1507 		 */
1508 		if ((iflags & (ACE_FILE_INHERIT_ACE|
1509 		    ACE_DIRECTORY_INHERIT_ACE)) &&
1510 		    (!(iflags & ACE_INHERIT_ONLY_ACE))) {
1511 			zfs_acl_split_ace(aclp, acep);
1512 			aclp->z_hints |= ZFS_INHERIT_ACE;
1513 			goto nextace;
1514 		}
1515 
1516 		if (entry_type == ACE_OWNER || entry_type == ACE_EVERYONE ||
1517 		    (entry_type == OWNING_GROUP)) {
1518 			access_mask &= ~OGE_CLEAR;
1519 			aclp->z_ops.ace_mask_set(acep, access_mask);
1520 			goto nextace;
1521 		} else {
1522 			reuse_deny = B_TRUE;
1523 			if (type == ALLOW) {
1524 
1525 				/*
1526 				 * Check preceding ACE if any, to see
1527 				 * if we need to prepend a DENY ACE.
1528 				 * This is only applicable when the acl_mode
1529 				 * property == groupmask.
1530 				 */
1531 				if (zfsvfs->z_acl_mode == ZFS_ACL_GROUPMASK) {
1532 
1533 					reuse_deny = zfs_reuse_deny(aclp, acep,
1534 					    prevacep);
1535 
1536 					if (!reuse_deny) {
1537 						prevacep =
1538 						    zfs_acl_prepend_deny(zp,
1539 						    aclp, acep, mode);
1540 					} else {
1541 						zfs_acl_prepend_fixup(
1542 						    aclp, prevacep,
1543 						    acep, mode,
1544 						    zp->z_phys->zp_uid);
1545 					}
1546 					zfs_fixup_group_entries(aclp, acep,
1547 					    prevacep, mode);
1548 
1549 				}
1550 			}
1551 		}
1552 nextace:
1553 		prevacep = acep;
1554 	}
1555 
1556 	/*
1557 	 * Check out last six aces, if we have six.
1558 	 */
1559 
1560 	if (aclp->z_acl_count >= 6) {
1561 		if (zfs_have_canonical_six(aclp)) {
1562 			need_canonical_six = 0;
1563 		}
1564 	}
1565 
1566 	if (need_canonical_six) {
1567 		size_t abstract_size = aclp->z_ops.ace_abstract_size();
1568 		void *zacep;
1569 		zfs_acl_node_t *aclnode =
1570 		    zfs_acl_node_alloc(abstract_size * 6);
1571 
1572 		aclnode->z_size = abstract_size * 6;
1573 		aclnode->z_ace_count = 6;
1574 		aclp->z_acl_bytes += aclnode->z_size;
1575 		list_insert_tail(&aclp->z_acl, aclnode);
1576 
1577 		zacep = aclnode->z_acldata;
1578 
1579 		i = 0;
1580 		zfs_set_ace(aclp, (caddr_t)zacep + (abstract_size * i++),
1581 		    0, DENY, -1, ACE_OWNER);
1582 		zfs_set_ace(aclp, (caddr_t)zacep + (abstract_size * i++),
1583 		    OWNER_ALLOW_MASK, ALLOW, -1, ACE_OWNER);
1584 		zfs_set_ace(aclp, (caddr_t)zacep + (abstract_size * i++), 0,
1585 		    DENY, -1, OWNING_GROUP);
1586 		zfs_set_ace(aclp, (caddr_t)zacep + (abstract_size * i++), 0,
1587 		    ALLOW, -1, OWNING_GROUP);
1588 		zfs_set_ace(aclp, (caddr_t)zacep + (abstract_size * i++),
1589 		    EVERYONE_DENY_MASK, DENY, -1, ACE_EVERYONE);
1590 		zfs_set_ace(aclp, (caddr_t)zacep + (abstract_size * i++),
1591 		    EVERYONE_ALLOW_MASK, ALLOW, -1, ACE_EVERYONE);
1592 		aclp->z_acl_count += 6;
1593 	}
1594 
1595 	zfs_acl_fixup_canonical_six(aclp, mode);
1596 }
1597 
1598 int
1599 zfs_acl_chmod_setattr(znode_t *zp, zfs_acl_t **aclp, uint64_t mode)
1600 {
1601 	int error;
1602 
1603 	mutex_enter(&zp->z_lock);
1604 	mutex_enter(&zp->z_acl_lock);
1605 	*aclp = NULL;
1606 	error = zfs_acl_node_read(zp, aclp, B_TRUE);
1607 	if (error == 0)
1608 		zfs_acl_chmod(zp, mode, *aclp);
1609 	mutex_exit(&zp->z_acl_lock);
1610 	mutex_exit(&zp->z_lock);
1611 	return (error);
1612 }
1613 
1614 /*
1615  * strip off write_owner and write_acl
1616  */
1617 static void
1618 zfs_restricted_update(zfsvfs_t *zfsvfs, zfs_acl_t *aclp, void *acep)
1619 {
1620 	uint32_t mask = aclp->z_ops.ace_mask_get(acep);
1621 
1622 	if ((zfsvfs->z_acl_inherit == ZFS_ACL_RESTRICTED) &&
1623 	    (aclp->z_ops.ace_type_get(acep) == ALLOW)) {
1624 		mask &= ~RESTRICTED_CLEAR;
1625 		aclp->z_ops.ace_mask_set(acep, mask);
1626 	}
1627 }
1628 
1629 /*
1630  * Should ACE be inherited?
1631  */
1632 static int
1633 zfs_ace_can_use(znode_t *zp, uint16_t acep_flags)
1634 {
1635 	int vtype = ZTOV(zp)->v_type;
1636 	int	iflags = (acep_flags & 0xf);
1637 
1638 	if ((vtype == VDIR) && (iflags & ACE_DIRECTORY_INHERIT_ACE))
1639 		return (1);
1640 	else if (iflags & ACE_FILE_INHERIT_ACE)
1641 		return (!((vtype == VDIR) &&
1642 		    (iflags & ACE_NO_PROPAGATE_INHERIT_ACE)));
1643 	return (0);
1644 }
1645 
1646 /*
1647  * inherit inheritable ACEs from parent
1648  */
1649 static zfs_acl_t *
1650 zfs_acl_inherit(znode_t *zp, zfs_acl_t *paclp, boolean_t *need_chmod)
1651 {
1652 	zfsvfs_t	*zfsvfs = zp->z_zfsvfs;
1653 	void		*pacep;
1654 	void		*acep, *acep2;
1655 	zfs_acl_node_t  *aclnode, *aclnode2;
1656 	zfs_acl_t	*aclp = NULL;
1657 	uint64_t	who;
1658 	uint32_t	access_mask;
1659 	uint16_t	iflags, newflags, type;
1660 	size_t		ace_size;
1661 	void		*data1, *data2;
1662 	size_t		data1sz, data2sz;
1663 	enum vtype	vntype = ZTOV(zp)->v_type;
1664 
1665 	*need_chmod = B_TRUE;
1666 	pacep = NULL;
1667 	aclp = zfs_acl_alloc(zfs_acl_version_zp(zp));
1668 	if (zfsvfs->z_acl_inherit != ZFS_ACL_DISCARD) {
1669 		while (pacep = zfs_acl_next_ace(paclp, pacep, &who,
1670 		    &access_mask, &iflags, &type)) {
1671 
1672 			if (zfsvfs->z_acl_inherit == ZFS_ACL_NOALLOW &&
1673 			    type == ALLOW)
1674 				continue;
1675 
1676 			ace_size = aclp->z_ops.ace_size(pacep);
1677 
1678 			if (!zfs_ace_can_use(zp, iflags))
1679 				continue;
1680 
1681 			/*
1682 			 * If owner@, group@, or everyone@ inheritable
1683 			 * then zfs_acl_chmod() isn't needed.
1684 			 */
1685 			if (zfsvfs->z_acl_inherit ==
1686 			    ZFS_ACL_PASSTHROUGH &&
1687 			    ((iflags & (ACE_OWNER|ACE_EVERYONE)) ||
1688 			    ((iflags & OWNING_GROUP) ==
1689 			    OWNING_GROUP)) && (vntype == VREG ||
1690 			    (vntype == VDIR &&
1691 			    (iflags & ACE_DIRECTORY_INHERIT_ACE))))
1692 				*need_chmod = B_FALSE;
1693 
1694 			aclnode = zfs_acl_node_alloc(ace_size);
1695 			list_insert_tail(&aclp->z_acl, aclnode);
1696 			acep = aclnode->z_acldata;
1697 			zfs_set_ace(aclp, acep, access_mask, type,
1698 			    who, iflags|ACE_INHERITED_ACE);
1699 
1700 			/*
1701 			 * Copy special opaque data if any
1702 			 */
1703 			if ((data1sz = paclp->z_ops.ace_data(pacep,
1704 			    &data1)) != 0) {
1705 				VERIFY((data2sz = aclp->z_ops.ace_data(acep,
1706 				    &data2)) == data1sz);
1707 				bcopy(data1, data2, data2sz);
1708 			}
1709 			aclp->z_acl_count++;
1710 			aclnode->z_ace_count++;
1711 			aclp->z_acl_bytes += aclnode->z_size;
1712 			newflags = aclp->z_ops.ace_flags_get(acep);
1713 
1714 			if (vntype == VDIR)
1715 				aclp->z_hints |= ZFS_INHERIT_ACE;
1716 
1717 			if ((iflags & ACE_NO_PROPAGATE_INHERIT_ACE) ||
1718 			    (vntype != VDIR)) {
1719 				newflags &= ~ALL_INHERIT;
1720 				aclp->z_ops.ace_flags_set(acep,
1721 				    newflags|ACE_INHERITED_ACE);
1722 				zfs_restricted_update(zfsvfs, aclp, acep);
1723 				continue;
1724 			}
1725 
1726 			ASSERT(vntype == VDIR);
1727 
1728 			newflags = aclp->z_ops.ace_flags_get(acep);
1729 			if ((iflags & (ACE_FILE_INHERIT_ACE |
1730 			    ACE_DIRECTORY_INHERIT_ACE)) !=
1731 			    ACE_FILE_INHERIT_ACE) {
1732 				aclnode2 = zfs_acl_node_alloc(ace_size);
1733 				list_insert_tail(&aclp->z_acl, aclnode2);
1734 				acep2 = aclnode2->z_acldata;
1735 				zfs_set_ace(aclp, acep2,
1736 				    access_mask, type, who,
1737 				    iflags|ACE_INHERITED_ACE);
1738 				newflags |= ACE_INHERIT_ONLY_ACE;
1739 				aclp->z_ops.ace_flags_set(acep, newflags);
1740 				newflags &= ~ALL_INHERIT;
1741 				aclp->z_ops.ace_flags_set(acep2,
1742 				    newflags|ACE_INHERITED_ACE);
1743 
1744 				/*
1745 				 * Copy special opaque data if any
1746 				 */
1747 				if ((data1sz = aclp->z_ops.ace_data(acep,
1748 				    &data1)) != 0) {
1749 					VERIFY((data2sz =
1750 					    aclp->z_ops.ace_data(acep2,
1751 					    &data2)) == data1sz);
1752 					bcopy(data1, data2, data1sz);
1753 				}
1754 				aclp->z_acl_count++;
1755 				aclnode2->z_ace_count++;
1756 				aclp->z_acl_bytes += aclnode->z_size;
1757 				zfs_restricted_update(zfsvfs, aclp, acep2);
1758 			} else {
1759 				newflags |= ACE_INHERIT_ONLY_ACE;
1760 				aclp->z_ops.ace_flags_set(acep,
1761 				    newflags|ACE_INHERITED_ACE);
1762 			}
1763 		}
1764 	}
1765 	return (aclp);
1766 }
1767 
1768 /*
1769  * Create file system object initial permissions
1770  * including inheritable ACEs.
1771  */
1772 void
1773 zfs_perm_init(znode_t *zp, znode_t *parent, int flag,
1774     vattr_t *vap, dmu_tx_t *tx, cred_t *cr,
1775     zfs_acl_t *setaclp, zfs_fuid_info_t **fuidp)
1776 {
1777 	uint64_t	mode, fuid, fgid;
1778 	int		error;
1779 	zfsvfs_t	*zfsvfs = zp->z_zfsvfs;
1780 	zfs_acl_t	*aclp = NULL;
1781 	zfs_acl_t	*paclp;
1782 	xvattr_t	*xvap = (xvattr_t *)vap;
1783 	gid_t		gid;
1784 	boolean_t	need_chmod = B_TRUE;
1785 
1786 	if (setaclp)
1787 		aclp = setaclp;
1788 
1789 	mode = MAKEIMODE(vap->va_type, vap->va_mode);
1790 
1791 	/*
1792 	 * Determine uid and gid.
1793 	 */
1794 	if ((flag & (IS_ROOT_NODE | IS_REPLAY)) ||
1795 	    ((flag & IS_XATTR) && (vap->va_type == VDIR))) {
1796 		fuid = zfs_fuid_create(zfsvfs, vap->va_uid, cr,
1797 		    ZFS_OWNER, tx, fuidp);
1798 		fgid = zfs_fuid_create(zfsvfs, vap->va_gid, cr,
1799 		    ZFS_GROUP, tx, fuidp);
1800 		gid = vap->va_gid;
1801 	} else {
1802 		fuid = zfs_fuid_create_cred(zfsvfs, ZFS_OWNER, tx, cr, fuidp);
1803 		fgid = 0;
1804 		if (vap->va_mask & AT_GID)  {
1805 			fgid = zfs_fuid_create(zfsvfs, vap->va_gid, cr,
1806 			    ZFS_GROUP, tx, fuidp);
1807 			gid = vap->va_gid;
1808 			if (fgid != parent->z_phys->zp_gid &&
1809 			    !groupmember(vap->va_gid, cr) &&
1810 			    secpolicy_vnode_create_gid(cr) != 0)
1811 				fgid = 0;
1812 		}
1813 		if (fgid == 0) {
1814 			if (parent->z_phys->zp_mode & S_ISGID) {
1815 				fgid = parent->z_phys->zp_gid;
1816 				gid = zfs_fuid_map_id(zfsvfs, fgid,
1817 				    cr, ZFS_GROUP);
1818 			} else {
1819 				fgid = zfs_fuid_create_cred(zfsvfs,
1820 				    ZFS_GROUP, tx, cr, fuidp);
1821 				gid = crgetgid(cr);
1822 			}
1823 		}
1824 	}
1825 
1826 	/*
1827 	 * If we're creating a directory, and the parent directory has the
1828 	 * set-GID bit set, set in on the new directory.
1829 	 * Otherwise, if the user is neither privileged nor a member of the
1830 	 * file's new group, clear the file's set-GID bit.
1831 	 */
1832 
1833 	if ((parent->z_phys->zp_mode & S_ISGID) && (vap->va_type == VDIR)) {
1834 		mode |= S_ISGID;
1835 	} else {
1836 		if ((mode & S_ISGID) &&
1837 		    secpolicy_vnode_setids_setgids(cr, gid) != 0)
1838 			mode &= ~S_ISGID;
1839 	}
1840 
1841 	zp->z_phys->zp_uid = fuid;
1842 	zp->z_phys->zp_gid = fgid;
1843 	zp->z_phys->zp_mode = mode;
1844 
1845 	if (aclp == NULL) {
1846 		mutex_enter(&parent->z_lock);
1847 		if (parent->z_phys->zp_flags & ZFS_INHERIT_ACE) {
1848 			mutex_enter(&parent->z_acl_lock);
1849 			VERIFY(0 == zfs_acl_node_read(parent, &paclp, B_FALSE));
1850 			mutex_exit(&parent->z_acl_lock);
1851 			aclp = zfs_acl_inherit(zp, paclp, &need_chmod);
1852 			zfs_acl_free(paclp);
1853 		} else {
1854 			aclp = zfs_acl_alloc(zfs_acl_version_zp(zp));
1855 		}
1856 		mutex_exit(&parent->z_lock);
1857 		mutex_enter(&zp->z_lock);
1858 		mutex_enter(&zp->z_acl_lock);
1859 		if (need_chmod)
1860 			zfs_acl_chmod(zp, mode, aclp);
1861 	} else {
1862 		mutex_enter(&zp->z_lock);
1863 		mutex_enter(&zp->z_acl_lock);
1864 	}
1865 
1866 	/* Force auto_inherit on all new directory objects */
1867 	if (vap->va_type == VDIR)
1868 		aclp->z_hints |= ZFS_ACL_AUTO_INHERIT;
1869 
1870 	error = zfs_aclset_common(zp, aclp, cr, fuidp, tx);
1871 
1872 	/* Set optional attributes if any */
1873 	if (vap->va_mask & AT_XVATTR)
1874 		zfs_xvattr_set(zp, xvap);
1875 
1876 	mutex_exit(&zp->z_lock);
1877 	mutex_exit(&zp->z_acl_lock);
1878 	ASSERT3U(error, ==, 0);
1879 
1880 	if (aclp != setaclp)
1881 		zfs_acl_free(aclp);
1882 }
1883 
1884 /*
1885  * Retrieve a files ACL
1886  */
1887 int
1888 zfs_getacl(znode_t *zp, vsecattr_t *vsecp, boolean_t skipaclchk, cred_t *cr)
1889 {
1890 	zfs_acl_t	*aclp;
1891 	ulong_t		mask;
1892 	int		error;
1893 	int 		count = 0;
1894 	int		largeace = 0;
1895 
1896 	mask = vsecp->vsa_mask & (VSA_ACE | VSA_ACECNT |
1897 	    VSA_ACE_ACLFLAGS | VSA_ACE_ALLTYPES);
1898 
1899 	if (error = zfs_zaccess(zp, ACE_READ_ACL, 0, skipaclchk, cr))
1900 		return (error);
1901 
1902 	if (mask == 0)
1903 		return (ENOSYS);
1904 
1905 	mutex_enter(&zp->z_acl_lock);
1906 
1907 	error = zfs_acl_node_read(zp, &aclp, B_FALSE);
1908 	if (error != 0) {
1909 		mutex_exit(&zp->z_acl_lock);
1910 		return (error);
1911 	}
1912 
1913 	/*
1914 	 * Scan ACL to determine number of ACEs
1915 	 */
1916 	if ((zp->z_phys->zp_flags & ZFS_ACL_OBJ_ACE) &&
1917 	    !(mask & VSA_ACE_ALLTYPES)) {
1918 		void *zacep = NULL;
1919 		uint64_t who;
1920 		uint32_t access_mask;
1921 		uint16_t type, iflags;
1922 
1923 		while (zacep = zfs_acl_next_ace(aclp, zacep,
1924 		    &who, &access_mask, &iflags, &type)) {
1925 			switch (type) {
1926 			case ACE_ACCESS_ALLOWED_OBJECT_ACE_TYPE:
1927 			case ACE_ACCESS_DENIED_OBJECT_ACE_TYPE:
1928 			case ACE_SYSTEM_AUDIT_OBJECT_ACE_TYPE:
1929 			case ACE_SYSTEM_ALARM_OBJECT_ACE_TYPE:
1930 				largeace++;
1931 				continue;
1932 			default:
1933 				count++;
1934 			}
1935 		}
1936 		vsecp->vsa_aclcnt = count;
1937 	} else
1938 		count = aclp->z_acl_count;
1939 
1940 	if (mask & VSA_ACECNT) {
1941 		vsecp->vsa_aclcnt = count;
1942 	}
1943 
1944 	if (mask & VSA_ACE) {
1945 		size_t aclsz;
1946 
1947 		zfs_acl_node_t *aclnode = list_head(&aclp->z_acl);
1948 
1949 		aclsz = count * sizeof (ace_t) +
1950 		    sizeof (ace_object_t) * largeace;
1951 
1952 		vsecp->vsa_aclentp = kmem_alloc(aclsz, KM_SLEEP);
1953 		vsecp->vsa_aclentsz = aclsz;
1954 
1955 		if (aclp->z_version == ZFS_ACL_VERSION_FUID)
1956 			zfs_copy_fuid_2_ace(zp->z_zfsvfs, aclp, cr,
1957 			    vsecp->vsa_aclentp, !(mask & VSA_ACE_ALLTYPES));
1958 		else {
1959 			bcopy(aclnode->z_acldata, vsecp->vsa_aclentp,
1960 			    count * sizeof (ace_t));
1961 		}
1962 	}
1963 	if (mask & VSA_ACE_ACLFLAGS) {
1964 		vsecp->vsa_aclflags = 0;
1965 		if (zp->z_phys->zp_flags & ZFS_ACL_DEFAULTED)
1966 			vsecp->vsa_aclflags |= ACL_DEFAULTED;
1967 		if (zp->z_phys->zp_flags & ZFS_ACL_PROTECTED)
1968 			vsecp->vsa_aclflags |= ACL_PROTECTED;
1969 		if (zp->z_phys->zp_flags & ZFS_ACL_AUTO_INHERIT)
1970 			vsecp->vsa_aclflags |= ACL_AUTO_INHERIT;
1971 	}
1972 
1973 	mutex_exit(&zp->z_acl_lock);
1974 
1975 	zfs_acl_free(aclp);
1976 
1977 	return (0);
1978 }
1979 
1980 int
1981 zfs_vsec_2_aclp(zfsvfs_t *zfsvfs, vtype_t obj_type,
1982     vsecattr_t *vsecp, zfs_acl_t **zaclp)
1983 {
1984 	zfs_acl_t *aclp;
1985 	zfs_acl_node_t *aclnode;
1986 	int aclcnt = vsecp->vsa_aclcnt;
1987 	int error;
1988 
1989 	if (vsecp->vsa_aclcnt > MAX_ACL_ENTRIES || vsecp->vsa_aclcnt <= 0)
1990 		return (EINVAL);
1991 
1992 	aclp = zfs_acl_alloc(zfs_acl_version(zfsvfs->z_version));
1993 
1994 	aclp->z_hints = 0;
1995 	aclnode = zfs_acl_node_alloc(aclcnt * sizeof (zfs_object_ace_t));
1996 	if (aclp->z_version == ZFS_ACL_VERSION_INITIAL) {
1997 		if ((error = zfs_copy_ace_2_oldace(obj_type, aclp,
1998 		    (ace_t *)vsecp->vsa_aclentp, aclnode->z_acldata,
1999 		    aclcnt, &aclnode->z_size)) != 0) {
2000 			zfs_acl_free(aclp);
2001 			zfs_acl_node_free(aclnode);
2002 			return (error);
2003 		}
2004 	} else {
2005 		if ((error = zfs_copy_ace_2_fuid(obj_type, aclp,
2006 		    vsecp->vsa_aclentp, aclnode->z_acldata, aclcnt,
2007 		    &aclnode->z_size)) != 0) {
2008 			zfs_acl_free(aclp);
2009 			zfs_acl_node_free(aclnode);
2010 			return (error);
2011 		}
2012 	}
2013 	aclp->z_acl_bytes = aclnode->z_size;
2014 	aclnode->z_ace_count = aclcnt;
2015 	aclp->z_acl_count = aclcnt;
2016 	list_insert_head(&aclp->z_acl, aclnode);
2017 
2018 	/*
2019 	 * If flags are being set then add them to z_hints
2020 	 */
2021 	if (vsecp->vsa_mask & VSA_ACE_ACLFLAGS) {
2022 		if (vsecp->vsa_aclflags & ACL_PROTECTED)
2023 			aclp->z_hints |= ZFS_ACL_PROTECTED;
2024 		if (vsecp->vsa_aclflags & ACL_DEFAULTED)
2025 			aclp->z_hints |= ZFS_ACL_DEFAULTED;
2026 		if (vsecp->vsa_aclflags & ACL_AUTO_INHERIT)
2027 			aclp->z_hints |= ZFS_ACL_AUTO_INHERIT;
2028 	}
2029 
2030 	*zaclp = aclp;
2031 
2032 	return (0);
2033 }
2034 
2035 /*
2036  * Set a files ACL
2037  */
2038 int
2039 zfs_setacl(znode_t *zp, vsecattr_t *vsecp, boolean_t skipaclchk, cred_t *cr)
2040 {
2041 	zfsvfs_t	*zfsvfs = zp->z_zfsvfs;
2042 	zilog_t		*zilog = zfsvfs->z_log;
2043 	ulong_t		mask = vsecp->vsa_mask & (VSA_ACE | VSA_ACECNT);
2044 	dmu_tx_t	*tx;
2045 	int		error;
2046 	zfs_acl_t	*aclp;
2047 	zfs_fuid_info_t	*fuidp = NULL;
2048 
2049 	if (mask == 0)
2050 		return (ENOSYS);
2051 
2052 	if (zp->z_phys->zp_flags & ZFS_IMMUTABLE)
2053 		return (EPERM);
2054 
2055 	if (error = zfs_zaccess(zp, ACE_WRITE_ACL, 0, skipaclchk, cr))
2056 		return (error);
2057 
2058 	error = zfs_vsec_2_aclp(zfsvfs, ZTOV(zp)->v_type, vsecp, &aclp);
2059 	if (error)
2060 		return (error);
2061 
2062 	/*
2063 	 * If ACL wide flags aren't being set then preserve any
2064 	 * existing flags.
2065 	 */
2066 	if (!(vsecp->vsa_mask & VSA_ACE_ACLFLAGS)) {
2067 		aclp->z_hints |= (zp->z_phys->zp_flags & V4_ACL_WIDE_FLAGS);
2068 	}
2069 top:
2070 	if (error = zfs_zaccess(zp, ACE_WRITE_ACL, 0, skipaclchk, cr)) {
2071 		zfs_acl_free(aclp);
2072 		return (error);
2073 	}
2074 
2075 	mutex_enter(&zp->z_lock);
2076 	mutex_enter(&zp->z_acl_lock);
2077 
2078 	tx = dmu_tx_create(zfsvfs->z_os);
2079 	dmu_tx_hold_bonus(tx, zp->z_id);
2080 
2081 	if (zp->z_phys->zp_acl.z_acl_extern_obj) {
2082 		/* Are we upgrading ACL? */
2083 		if (zfsvfs->z_version <= ZPL_VERSION_FUID &&
2084 		    zp->z_phys->zp_acl.z_acl_version ==
2085 		    ZFS_ACL_VERSION_INITIAL) {
2086 			dmu_tx_hold_free(tx,
2087 			    zp->z_phys->zp_acl.z_acl_extern_obj,
2088 			    0, DMU_OBJECT_END);
2089 			dmu_tx_hold_write(tx, DMU_NEW_OBJECT,
2090 			    0, aclp->z_acl_bytes);
2091 		} else {
2092 			dmu_tx_hold_write(tx,
2093 			    zp->z_phys->zp_acl.z_acl_extern_obj,
2094 			    0, aclp->z_acl_bytes);
2095 		}
2096 	} else if (aclp->z_acl_bytes > ZFS_ACE_SPACE) {
2097 		dmu_tx_hold_write(tx, DMU_NEW_OBJECT, 0, aclp->z_acl_bytes);
2098 	}
2099 	if (aclp->z_has_fuids) {
2100 		if (zfsvfs->z_fuid_obj == 0) {
2101 			dmu_tx_hold_bonus(tx, DMU_NEW_OBJECT);
2102 			dmu_tx_hold_write(tx, DMU_NEW_OBJECT, 0,
2103 			    FUID_SIZE_ESTIMATE(zfsvfs));
2104 			dmu_tx_hold_zap(tx, MASTER_NODE_OBJ, FALSE, NULL);
2105 		} else {
2106 			dmu_tx_hold_bonus(tx, zfsvfs->z_fuid_obj);
2107 			dmu_tx_hold_write(tx, zfsvfs->z_fuid_obj, 0,
2108 			    FUID_SIZE_ESTIMATE(zfsvfs));
2109 		}
2110 	}
2111 
2112 	error = dmu_tx_assign(tx, zfsvfs->z_assign);
2113 	if (error) {
2114 		mutex_exit(&zp->z_acl_lock);
2115 		mutex_exit(&zp->z_lock);
2116 
2117 		if (error == ERESTART && zfsvfs->z_assign == TXG_NOWAIT) {
2118 			dmu_tx_wait(tx);
2119 			dmu_tx_abort(tx);
2120 			goto top;
2121 		}
2122 		dmu_tx_abort(tx);
2123 		zfs_acl_free(aclp);
2124 		return (error);
2125 	}
2126 
2127 	error = zfs_aclset_common(zp, aclp, cr, &fuidp, tx);
2128 	ASSERT(error == 0);
2129 
2130 	zfs_log_acl(zilog, tx, zp, vsecp, fuidp);
2131 
2132 	if (fuidp)
2133 		zfs_fuid_info_free(fuidp);
2134 	zfs_acl_free(aclp);
2135 	dmu_tx_commit(tx);
2136 done:
2137 	mutex_exit(&zp->z_acl_lock);
2138 	mutex_exit(&zp->z_lock);
2139 
2140 	return (error);
2141 }
2142 
2143 /*
2144  * working_mode returns the permissions that were not granted
2145  */
2146 static int
2147 zfs_zaccess_common(znode_t *zp, uint32_t v4_mode, uint32_t *working_mode,
2148     boolean_t *check_privs, boolean_t skipaclchk, cred_t *cr)
2149 {
2150 	zfs_acl_t	*aclp;
2151 	zfsvfs_t	*zfsvfs = zp->z_zfsvfs;
2152 	int		error;
2153 	uid_t		uid = crgetuid(cr);
2154 	uint64_t 	who;
2155 	uint16_t	type, iflags;
2156 	uint16_t	entry_type;
2157 	uint32_t	access_mask;
2158 	uint32_t	deny_mask = 0;
2159 	zfs_ace_hdr_t	*acep = NULL;
2160 	boolean_t	checkit;
2161 	uid_t		fowner;
2162 	uid_t		gowner;
2163 
2164 	/*
2165 	 * Short circuit empty requests
2166 	 */
2167 	if (v4_mode == 0)
2168 		return (0);
2169 
2170 	*check_privs = B_TRUE;
2171 
2172 	if (zfsvfs->z_assign >= TXG_INITIAL) {		/* ZIL replay */
2173 		*working_mode = 0;
2174 		return (0);
2175 	}
2176 
2177 	*working_mode = v4_mode;
2178 
2179 	if ((v4_mode & WRITE_MASK) &&
2180 	    (zp->z_zfsvfs->z_vfs->vfs_flag & VFS_RDONLY) &&
2181 	    (!IS_DEVVP(ZTOV(zp)))) {
2182 		*check_privs = B_FALSE;
2183 		return (EROFS);
2184 	}
2185 
2186 	/*
2187 	 * Only check for READONLY on non-directories.
2188 	 */
2189 	if ((v4_mode & WRITE_MASK_DATA) &&
2190 	    (((ZTOV(zp)->v_type != VDIR) &&
2191 	    (zp->z_phys->zp_flags & (ZFS_READONLY | ZFS_IMMUTABLE))) ||
2192 	    (ZTOV(zp)->v_type == VDIR &&
2193 	    (zp->z_phys->zp_flags & ZFS_IMMUTABLE)))) {
2194 		*check_privs = B_FALSE;
2195 		return (EPERM);
2196 	}
2197 
2198 	if ((v4_mode & (ACE_DELETE | ACE_DELETE_CHILD)) &&
2199 	    (zp->z_phys->zp_flags & ZFS_NOUNLINK)) {
2200 		*check_privs = B_FALSE;
2201 		return (EPERM);
2202 	}
2203 
2204 	if (((v4_mode & (ACE_READ_DATA|ACE_EXECUTE)) &&
2205 	    (zp->z_phys->zp_flags & ZFS_AV_QUARANTINED))) {
2206 		*check_privs = B_FALSE;
2207 		return (EACCES);
2208 	}
2209 
2210 	/*
2211 	 * The caller requested that the ACL check be skipped.  This
2212 	 * would only happen if the caller checked VOP_ACCESS() with a
2213 	 * 32 bit ACE mask and already had the appropriate permissions.
2214 	 */
2215 	if (skipaclchk) {
2216 		*working_mode = 0;
2217 		return (0);
2218 	}
2219 
2220 	zfs_fuid_map_ids(zp, cr, &fowner, &gowner);
2221 
2222 	mutex_enter(&zp->z_acl_lock);
2223 
2224 	error = zfs_acl_node_read(zp, &aclp, B_FALSE);
2225 	if (error != 0) {
2226 		mutex_exit(&zp->z_acl_lock);
2227 		return (error);
2228 	}
2229 
2230 	while (acep = zfs_acl_next_ace(aclp, acep, &who, &access_mask,
2231 	    &iflags, &type)) {
2232 
2233 		if (iflags & ACE_INHERIT_ONLY_ACE)
2234 			continue;
2235 
2236 		entry_type = (iflags & ACE_TYPE_FLAGS);
2237 
2238 		checkit = B_FALSE;
2239 
2240 		switch (entry_type) {
2241 		case ACE_OWNER:
2242 			if (uid == fowner)
2243 				checkit = B_TRUE;
2244 			break;
2245 		case OWNING_GROUP:
2246 			who = gowner;
2247 			/*FALLTHROUGH*/
2248 		case ACE_IDENTIFIER_GROUP:
2249 			checkit = zfs_groupmember(zfsvfs, who, cr);
2250 			break;
2251 		case ACE_EVERYONE:
2252 			checkit = B_TRUE;
2253 			break;
2254 
2255 		/* USER Entry */
2256 		default:
2257 			if (entry_type == 0) {
2258 				uid_t newid;
2259 
2260 				newid = zfs_fuid_map_id(zfsvfs, who, cr,
2261 				    ZFS_ACE_USER);
2262 				if (newid != IDMAP_WK_CREATOR_OWNER_UID &&
2263 				    uid == newid)
2264 					checkit = B_TRUE;
2265 				break;
2266 			} else {
2267 				zfs_acl_free(aclp);
2268 				mutex_exit(&zp->z_acl_lock);
2269 				return (EIO);
2270 			}
2271 		}
2272 
2273 		if (checkit) {
2274 			uint32_t mask_matched = (access_mask & *working_mode);
2275 
2276 			if (mask_matched) {
2277 				if (type == DENY)
2278 					deny_mask |= mask_matched;
2279 
2280 				*working_mode &= ~mask_matched;
2281 			}
2282 		}
2283 
2284 		/* Are we done? */
2285 		if (*working_mode == 0)
2286 			break;
2287 	}
2288 
2289 	mutex_exit(&zp->z_acl_lock);
2290 	zfs_acl_free(aclp);
2291 
2292 	/* Put the found 'denies' back on the working mode */
2293 	*working_mode |= deny_mask;
2294 
2295 	if (*working_mode)
2296 		return (EACCES);
2297 
2298 	return (0);
2299 }
2300 
2301 static int
2302 zfs_zaccess_append(znode_t *zp, uint32_t *working_mode, boolean_t *check_privs,
2303     cred_t *cr)
2304 {
2305 	if (*working_mode != ACE_WRITE_DATA)
2306 		return (EACCES);
2307 
2308 	return (zfs_zaccess_common(zp, ACE_APPEND_DATA, working_mode,
2309 	    check_privs, B_FALSE, cr));
2310 }
2311 
2312 /*
2313  * Determine whether Access should be granted/denied, invoking least
2314  * priv subsytem when a deny is determined.
2315  */
2316 int
2317 zfs_zaccess(znode_t *zp, int mode, int flags, boolean_t skipaclchk, cred_t *cr)
2318 {
2319 	uint32_t	working_mode;
2320 	int		error;
2321 	int		is_attr;
2322 	zfsvfs_t	*zfsvfs = zp->z_zfsvfs;
2323 	boolean_t 	check_privs;
2324 	znode_t		*xzp;
2325 	znode_t 	*check_zp = zp;
2326 
2327 	is_attr = ((zp->z_phys->zp_flags & ZFS_XATTR) &&
2328 	    (ZTOV(zp)->v_type == VDIR));
2329 
2330 	/*
2331 	 * If attribute then validate against base file
2332 	 */
2333 	if (is_attr) {
2334 		if ((error = zfs_zget(zp->z_zfsvfs,
2335 		    zp->z_phys->zp_parent, &xzp)) != 0)	{
2336 			return (error);
2337 		}
2338 
2339 		check_zp = xzp;
2340 
2341 		/*
2342 		 * fixup mode to map to xattr perms
2343 		 */
2344 
2345 		if (mode & (ACE_WRITE_DATA|ACE_APPEND_DATA)) {
2346 			mode &= ~(ACE_WRITE_DATA|ACE_APPEND_DATA);
2347 			mode |= ACE_WRITE_NAMED_ATTRS;
2348 		}
2349 
2350 		if (mode & (ACE_READ_DATA|ACE_EXECUTE)) {
2351 			mode &= ~(ACE_READ_DATA|ACE_EXECUTE);
2352 			mode |= ACE_READ_NAMED_ATTRS;
2353 		}
2354 	}
2355 
2356 	if ((error = zfs_zaccess_common(check_zp, mode, &working_mode,
2357 	    &check_privs, skipaclchk, cr)) == 0) {
2358 		if (is_attr)
2359 			VN_RELE(ZTOV(xzp));
2360 		return (0);
2361 	}
2362 
2363 	if (error && !check_privs) {
2364 		if (is_attr)
2365 			VN_RELE(ZTOV(xzp));
2366 		return (error);
2367 	}
2368 
2369 	if (error && (flags & V_APPEND)) {
2370 		error = zfs_zaccess_append(zp, &working_mode, &check_privs, cr);
2371 	}
2372 
2373 	if (error && check_privs) {
2374 		uid_t		owner;
2375 		mode_t		checkmode = 0;
2376 
2377 		owner = zfs_fuid_map_id(zfsvfs, check_zp->z_phys->zp_uid, cr,
2378 		    ZFS_OWNER);
2379 
2380 		/*
2381 		 * First check for implicit owner permission on
2382 		 * read_acl/read_attributes
2383 		 */
2384 
2385 		error = 0;
2386 		ASSERT(working_mode != 0);
2387 
2388 		if ((working_mode & (ACE_READ_ACL|ACE_READ_ATTRIBUTES) &&
2389 		    owner == crgetuid(cr)))
2390 			working_mode &= ~(ACE_READ_ACL|ACE_READ_ATTRIBUTES);
2391 
2392 		if (working_mode & (ACE_READ_DATA|ACE_READ_NAMED_ATTRS|
2393 		    ACE_READ_ACL|ACE_READ_ATTRIBUTES))
2394 			checkmode |= VREAD;
2395 		if (working_mode & (ACE_WRITE_DATA|ACE_WRITE_NAMED_ATTRS|
2396 		    ACE_APPEND_DATA|ACE_WRITE_ATTRIBUTES))
2397 			checkmode |= VWRITE;
2398 		if (working_mode & ACE_EXECUTE)
2399 			checkmode |= VEXEC;
2400 
2401 		if (checkmode)
2402 			error = secpolicy_vnode_access(cr, ZTOV(check_zp),
2403 			    owner, checkmode);
2404 
2405 		if (error == 0 && (working_mode & ACE_WRITE_OWNER))
2406 			error = secpolicy_vnode_create_gid(cr);
2407 		if (error == 0 && (working_mode & ACE_WRITE_ACL))
2408 			error = secpolicy_vnode_setdac(cr, owner);
2409 
2410 		if (error == 0 && (working_mode &
2411 		    (ACE_DELETE|ACE_DELETE_CHILD)))
2412 			error = secpolicy_vnode_remove(cr);
2413 
2414 		if (error == 0 && (working_mode & ACE_SYNCHRONIZE))
2415 			error = secpolicy_vnode_owner(cr, owner);
2416 
2417 		if (error == 0) {
2418 			/*
2419 			 * See if any bits other than those already checked
2420 			 * for are still present.  If so then return EACCES
2421 			 */
2422 			if (working_mode & ~(ZFS_CHECKED_MASKS)) {
2423 				error = EACCES;
2424 			}
2425 		}
2426 	}
2427 
2428 	if (is_attr)
2429 		VN_RELE(ZTOV(xzp));
2430 
2431 	return (error);
2432 }
2433 
2434 /*
2435  * Translate traditional unix VREAD/VWRITE/VEXEC mode into
2436  * native ACL format and call zfs_zaccess()
2437  */
2438 int
2439 zfs_zaccess_rwx(znode_t *zp, mode_t mode, int flags, cred_t *cr)
2440 {
2441 	return (zfs_zaccess(zp, zfs_unix_to_v4(mode >> 6), flags, B_FALSE, cr));
2442 }
2443 
2444 /*
2445  * Access function for secpolicy_vnode_setattr
2446  */
2447 int
2448 zfs_zaccess_unix(znode_t *zp, mode_t mode, cred_t *cr)
2449 {
2450 	int v4_mode = zfs_unix_to_v4(mode >> 6);
2451 
2452 	return (zfs_zaccess(zp, v4_mode, 0, B_FALSE, cr));
2453 }
2454 
2455 static int
2456 zfs_delete_final_check(znode_t *zp, znode_t *dzp,
2457     mode_t missing_perms, cred_t *cr)
2458 {
2459 	int error;
2460 	uid_t downer;
2461 	zfsvfs_t *zfsvfs = zp->z_zfsvfs;
2462 
2463 	downer = zfs_fuid_map_id(zfsvfs, dzp->z_phys->zp_uid, cr, ZFS_OWNER);
2464 
2465 	error = secpolicy_vnode_access(cr, ZTOV(dzp), downer, missing_perms);
2466 
2467 	if (error == 0)
2468 		error = zfs_sticky_remove_access(dzp, zp, cr);
2469 
2470 	return (error);
2471 }
2472 
2473 /*
2474  * Determine whether Access should be granted/deny, without
2475  * consulting least priv subsystem.
2476  *
2477  *
2478  * The following chart is the recommended NFSv4 enforcement for
2479  * ability to delete an object.
2480  *
2481  *      -------------------------------------------------------
2482  *      |   Parent Dir  |           Target Object Permissions |
2483  *      |  permissions  |                                     |
2484  *      -------------------------------------------------------
2485  *      |               | ACL Allows | ACL Denies| Delete     |
2486  *      |               |  Delete    |  Delete   | unspecified|
2487  *      -------------------------------------------------------
2488  *      |  ACL Allows   | Permit     | Permit    | Permit     |
2489  *      |  DELETE_CHILD |                                     |
2490  *      -------------------------------------------------------
2491  *      |  ACL Denies   | Permit     | Deny      | Deny       |
2492  *      |  DELETE_CHILD |            |           |            |
2493  *      -------------------------------------------------------
2494  *      | ACL specifies |            |           |            |
2495  *      | only allow    | Permit     | Permit    | Permit     |
2496  *      | write and     |            |           |            |
2497  *      | execute       |            |           |            |
2498  *      -------------------------------------------------------
2499  *      | ACL denies    |            |           |            |
2500  *      | write and     | Permit     | Deny      | Deny       |
2501  *      | execute       |            |           |            |
2502  *      -------------------------------------------------------
2503  *         ^
2504  *         |
2505  *         No search privilege, can't even look up file?
2506  *
2507  */
2508 int
2509 zfs_zaccess_delete(znode_t *dzp, znode_t *zp, cred_t *cr)
2510 {
2511 	uint32_t dzp_working_mode = 0;
2512 	uint32_t zp_working_mode = 0;
2513 	int dzp_error, zp_error;
2514 	mode_t missing_perms;
2515 	boolean_t dzpcheck_privs = B_TRUE;
2516 	boolean_t zpcheck_privs = B_TRUE;
2517 
2518 	/*
2519 	 * We want specific DELETE permissions to
2520 	 * take precedence over WRITE/EXECUTE.  We don't
2521 	 * want an ACL such as this to mess us up.
2522 	 * user:joe:write_data:deny,user:joe:delete:allow
2523 	 *
2524 	 * However, deny permissions may ultimately be overridden
2525 	 * by secpolicy_vnode_access().
2526 	 *
2527 	 * We will ask for all of the necessary permissions and then
2528 	 * look at the working modes from the directory and target object
2529 	 * to determine what was found.
2530 	 */
2531 
2532 	if (zp->z_phys->zp_flags & (ZFS_IMMUTABLE | ZFS_NOUNLINK))
2533 		return (EPERM);
2534 
2535 	/*
2536 	 * If the directory permissions allow the delete, we are done.
2537 	 */
2538 	if ((dzp_error = zfs_zaccess_common(dzp,
2539 	    ACE_DELETE_CHILD|ACE_EXECUTE|ACE_WRITE_DATA,
2540 	    &dzp_working_mode, &dzpcheck_privs, B_FALSE, cr)) == 0)
2541 		return (0);
2542 
2543 	/*
2544 	 * If target object has delete permission then we are done
2545 	 */
2546 	if ((zp_error = zfs_zaccess_common(zp, ACE_DELETE, &zp_working_mode,
2547 	    &zpcheck_privs, B_FALSE, cr)) == 0)
2548 		return (0);
2549 
2550 	if (!dzpcheck_privs)
2551 		return (dzp_error);
2552 	else if (!zpcheck_privs)
2553 		return (zp_error);
2554 
2555 	/*
2556 	 * First check the first row.
2557 	 * We only need to see if parent Allows delete_child
2558 	 */
2559 	if ((dzp_working_mode & ACE_DELETE_CHILD) == 0)
2560 		return (0);
2561 
2562 	/*
2563 	 * Second row
2564 	 * we already have the necessary information in
2565 	 * zp_working_mode, zp_error and dzp_error.
2566 	 */
2567 
2568 	if ((zp_working_mode & ACE_DELETE) == 0)
2569 		return (0);
2570 
2571 	/*
2572 	 * determine the needed permissions based off of the directories
2573 	 * working mode
2574 	 */
2575 
2576 	missing_perms = (dzp_working_mode & ACE_WRITE_DATA) ? VWRITE : 0;
2577 	missing_perms |= (dzp_working_mode & ACE_EXECUTE) ? VEXEC : 0;
2578 
2579 	if (dzp_error == EACCES)
2580 		return (zfs_delete_final_check(zp, dzp, missing_perms, cr));
2581 
2582 	/*
2583 	 * Third Row
2584 	 * only need to see if we have write/execute on directory.
2585 	 */
2586 
2587 	if (missing_perms == 0)
2588 		return (zfs_sticky_remove_access(dzp, zp, cr));
2589 
2590 	/*
2591 	 * Fourth Row
2592 	 */
2593 
2594 	if (missing_perms && ((zp_working_mode & ACE_DELETE) == 0))
2595 		return (zfs_sticky_remove_access(dzp, zp, cr));
2596 
2597 	return (zfs_delete_final_check(zp, dzp, missing_perms, cr));
2598 }
2599 
2600 int
2601 zfs_zaccess_rename(znode_t *sdzp, znode_t *szp, znode_t *tdzp,
2602     znode_t *tzp, cred_t *cr)
2603 {
2604 	int add_perm;
2605 	int error;
2606 
2607 	if (szp->z_phys->zp_flags & ZFS_AV_QUARANTINED)
2608 		return (EACCES);
2609 
2610 	add_perm = (ZTOV(szp)->v_type == VDIR) ?
2611 	    ACE_ADD_SUBDIRECTORY : ACE_ADD_FILE;
2612 
2613 	/*
2614 	 * Rename permissions are combination of delete permission +
2615 	 * add file/subdir permission.
2616 	 */
2617 
2618 	/*
2619 	 * first make sure we do the delete portion.
2620 	 *
2621 	 * If that succeeds then check for add_file/add_subdir permissions
2622 	 */
2623 
2624 	if (error = zfs_zaccess_delete(sdzp, szp, cr))
2625 		return (error);
2626 
2627 	/*
2628 	 * If we have a tzp, see if we can delete it?
2629 	 */
2630 	if (tzp) {
2631 		if (error = zfs_zaccess_delete(tdzp, tzp, cr))
2632 			return (error);
2633 	}
2634 
2635 	/*
2636 	 * Now check for add permissions
2637 	 */
2638 	error = zfs_zaccess(tdzp, add_perm, 0, B_FALSE, cr);
2639 
2640 	return (error);
2641 }
2642