zfs_acl.c revision 297077
1/* 2 * CDDL HEADER START 3 * 4 * The contents of this file are subject to the terms of the 5 * Common Development and Distribution License (the "License"). 6 * You may not use this file except in compliance with the License. 7 * 8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE 9 * or http://www.opensolaris.org/os/licensing. 10 * See the License for the specific language governing permissions 11 * and limitations under the License. 12 * 13 * When distributing Covered Code, include this CDDL HEADER in each 14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE. 15 * If applicable, add the following below this CDDL HEADER, with the 16 * fields enclosed by brackets "[]" replaced with your own identifying 17 * information: Portions Copyright [yyyy] [name of copyright owner] 18 * 19 * CDDL HEADER END 20 */ 21/* 22 * Copyright (c) 2005, 2010, Oracle and/or its affiliates. All rights reserved. 23 * Copyright 2011 Nexenta Systems, Inc. All rights reserved. 24 * Copyright (c) 2013 by Delphix. All rights reserved. 25 */ 26 27#include <sys/types.h> 28#include <sys/param.h> 29#include <sys/time.h> 30#include <sys/systm.h> 31#include <sys/sysmacros.h> 32#include <sys/resource.h> 33#include <sys/vfs.h> 34#include <sys/vnode.h> 35#include <sys/file.h> 36#include <sys/stat.h> 37#include <sys/kmem.h> 38#include <sys/cmn_err.h> 39#include <sys/errno.h> 40#include <sys/unistd.h> 41#include <sys/sdt.h> 42#include <sys/fs/zfs.h> 43#include <sys/policy.h> 44#include <sys/zfs_znode.h> 45#include <sys/zfs_fuid.h> 46#include <sys/zfs_acl.h> 47#include <sys/zfs_dir.h> 48#include <sys/zfs_vfsops.h> 49#include <sys/dmu.h> 50#include <sys/dnode.h> 51#include <sys/zap.h> 52#include <sys/sa.h> 53#include <acl/acl_common.h> 54 55#define ALLOW ACE_ACCESS_ALLOWED_ACE_TYPE 56#define DENY ACE_ACCESS_DENIED_ACE_TYPE 57#define MAX_ACE_TYPE ACE_SYSTEM_ALARM_CALLBACK_OBJECT_ACE_TYPE 58#define MIN_ACE_TYPE ALLOW 59 60#define OWNING_GROUP (ACE_GROUP|ACE_IDENTIFIER_GROUP) 61#define EVERYONE_ALLOW_MASK (ACE_READ_ACL|ACE_READ_ATTRIBUTES | \ 62 ACE_READ_NAMED_ATTRS|ACE_SYNCHRONIZE) 63#define EVERYONE_DENY_MASK (ACE_WRITE_ACL|ACE_WRITE_OWNER | \ 64 ACE_WRITE_ATTRIBUTES|ACE_WRITE_NAMED_ATTRS) 65#define OWNER_ALLOW_MASK (ACE_WRITE_ACL | ACE_WRITE_OWNER | \ 66 ACE_WRITE_ATTRIBUTES|ACE_WRITE_NAMED_ATTRS) 67 68#define ZFS_CHECKED_MASKS (ACE_READ_ACL|ACE_READ_ATTRIBUTES|ACE_READ_DATA| \ 69 ACE_READ_NAMED_ATTRS|ACE_WRITE_DATA|ACE_WRITE_ATTRIBUTES| \ 70 ACE_WRITE_NAMED_ATTRS|ACE_APPEND_DATA|ACE_EXECUTE|ACE_WRITE_OWNER| \ 71 ACE_WRITE_ACL|ACE_DELETE|ACE_DELETE_CHILD|ACE_SYNCHRONIZE) 72 73#define WRITE_MASK_DATA (ACE_WRITE_DATA|ACE_APPEND_DATA|ACE_WRITE_NAMED_ATTRS) 74#define WRITE_MASK_ATTRS (ACE_WRITE_ACL|ACE_WRITE_OWNER|ACE_WRITE_ATTRIBUTES| \ 75 ACE_DELETE|ACE_DELETE_CHILD) 76#define WRITE_MASK (WRITE_MASK_DATA|WRITE_MASK_ATTRS) 77 78#define OGE_CLEAR (ACE_READ_DATA|ACE_LIST_DIRECTORY|ACE_WRITE_DATA| \ 79 ACE_ADD_FILE|ACE_APPEND_DATA|ACE_ADD_SUBDIRECTORY|ACE_EXECUTE) 80 81#define OKAY_MASK_BITS (ACE_READ_DATA|ACE_LIST_DIRECTORY|ACE_WRITE_DATA| \ 82 ACE_ADD_FILE|ACE_APPEND_DATA|ACE_ADD_SUBDIRECTORY|ACE_EXECUTE) 83 84#define ALL_INHERIT (ACE_FILE_INHERIT_ACE|ACE_DIRECTORY_INHERIT_ACE | \ 85 ACE_NO_PROPAGATE_INHERIT_ACE|ACE_INHERIT_ONLY_ACE|ACE_INHERITED_ACE) 86 87#define RESTRICTED_CLEAR (ACE_WRITE_ACL|ACE_WRITE_OWNER) 88 89#define V4_ACL_WIDE_FLAGS (ZFS_ACL_AUTO_INHERIT|ZFS_ACL_DEFAULTED|\ 90 ZFS_ACL_PROTECTED) 91 92#define ZFS_ACL_WIDE_FLAGS (V4_ACL_WIDE_FLAGS|ZFS_ACL_TRIVIAL|ZFS_INHERIT_ACE|\ 93 ZFS_ACL_OBJ_ACE) 94 95#define ALL_MODE_EXECS (S_IXUSR | S_IXGRP | S_IXOTH) 96 97static uint16_t 98zfs_ace_v0_get_type(void *acep) 99{ 100 return (((zfs_oldace_t *)acep)->z_type); 101} 102 103static uint16_t 104zfs_ace_v0_get_flags(void *acep) 105{ 106 return (((zfs_oldace_t *)acep)->z_flags); 107} 108 109static uint32_t 110zfs_ace_v0_get_mask(void *acep) 111{ 112 return (((zfs_oldace_t *)acep)->z_access_mask); 113} 114 115static uint64_t 116zfs_ace_v0_get_who(void *acep) 117{ 118 return (((zfs_oldace_t *)acep)->z_fuid); 119} 120 121static void 122zfs_ace_v0_set_type(void *acep, uint16_t type) 123{ 124 ((zfs_oldace_t *)acep)->z_type = type; 125} 126 127static void 128zfs_ace_v0_set_flags(void *acep, uint16_t flags) 129{ 130 ((zfs_oldace_t *)acep)->z_flags = flags; 131} 132 133static void 134zfs_ace_v0_set_mask(void *acep, uint32_t mask) 135{ 136 ((zfs_oldace_t *)acep)->z_access_mask = mask; 137} 138 139static void 140zfs_ace_v0_set_who(void *acep, uint64_t who) 141{ 142 ((zfs_oldace_t *)acep)->z_fuid = who; 143} 144 145/*ARGSUSED*/ 146static size_t 147zfs_ace_v0_size(void *acep) 148{ 149 return (sizeof (zfs_oldace_t)); 150} 151 152static size_t 153zfs_ace_v0_abstract_size(void) 154{ 155 return (sizeof (zfs_oldace_t)); 156} 157 158static int 159zfs_ace_v0_mask_off(void) 160{ 161 return (offsetof(zfs_oldace_t, z_access_mask)); 162} 163 164/*ARGSUSED*/ 165static int 166zfs_ace_v0_data(void *acep, void **datap) 167{ 168 *datap = NULL; 169 return (0); 170} 171 172static acl_ops_t zfs_acl_v0_ops = { 173 zfs_ace_v0_get_mask, 174 zfs_ace_v0_set_mask, 175 zfs_ace_v0_get_flags, 176 zfs_ace_v0_set_flags, 177 zfs_ace_v0_get_type, 178 zfs_ace_v0_set_type, 179 zfs_ace_v0_get_who, 180 zfs_ace_v0_set_who, 181 zfs_ace_v0_size, 182 zfs_ace_v0_abstract_size, 183 zfs_ace_v0_mask_off, 184 zfs_ace_v0_data 185}; 186 187static uint16_t 188zfs_ace_fuid_get_type(void *acep) 189{ 190 return (((zfs_ace_hdr_t *)acep)->z_type); 191} 192 193static uint16_t 194zfs_ace_fuid_get_flags(void *acep) 195{ 196 return (((zfs_ace_hdr_t *)acep)->z_flags); 197} 198 199static uint32_t 200zfs_ace_fuid_get_mask(void *acep) 201{ 202 return (((zfs_ace_hdr_t *)acep)->z_access_mask); 203} 204 205static uint64_t 206zfs_ace_fuid_get_who(void *args) 207{ 208 uint16_t entry_type; 209 zfs_ace_t *acep = args; 210 211 entry_type = acep->z_hdr.z_flags & ACE_TYPE_FLAGS; 212 213 if (entry_type == ACE_OWNER || entry_type == OWNING_GROUP || 214 entry_type == ACE_EVERYONE) 215 return (-1); 216 return (((zfs_ace_t *)acep)->z_fuid); 217} 218 219static void 220zfs_ace_fuid_set_type(void *acep, uint16_t type) 221{ 222 ((zfs_ace_hdr_t *)acep)->z_type = type; 223} 224 225static void 226zfs_ace_fuid_set_flags(void *acep, uint16_t flags) 227{ 228 ((zfs_ace_hdr_t *)acep)->z_flags = flags; 229} 230 231static void 232zfs_ace_fuid_set_mask(void *acep, uint32_t mask) 233{ 234 ((zfs_ace_hdr_t *)acep)->z_access_mask = mask; 235} 236 237static void 238zfs_ace_fuid_set_who(void *arg, uint64_t who) 239{ 240 zfs_ace_t *acep = arg; 241 242 uint16_t entry_type = acep->z_hdr.z_flags & ACE_TYPE_FLAGS; 243 244 if (entry_type == ACE_OWNER || entry_type == OWNING_GROUP || 245 entry_type == ACE_EVERYONE) 246 return; 247 acep->z_fuid = who; 248} 249 250static size_t 251zfs_ace_fuid_size(void *acep) 252{ 253 zfs_ace_hdr_t *zacep = acep; 254 uint16_t entry_type; 255 256 switch (zacep->z_type) { 257 case ACE_ACCESS_ALLOWED_OBJECT_ACE_TYPE: 258 case ACE_ACCESS_DENIED_OBJECT_ACE_TYPE: 259 case ACE_SYSTEM_AUDIT_OBJECT_ACE_TYPE: 260 case ACE_SYSTEM_ALARM_OBJECT_ACE_TYPE: 261 return (sizeof (zfs_object_ace_t)); 262 case ALLOW: 263 case DENY: 264 entry_type = 265 (((zfs_ace_hdr_t *)acep)->z_flags & ACE_TYPE_FLAGS); 266 if (entry_type == ACE_OWNER || 267 entry_type == OWNING_GROUP || 268 entry_type == ACE_EVERYONE) 269 return (sizeof (zfs_ace_hdr_t)); 270 /*FALLTHROUGH*/ 271 default: 272 return (sizeof (zfs_ace_t)); 273 } 274} 275 276static size_t 277zfs_ace_fuid_abstract_size(void) 278{ 279 return (sizeof (zfs_ace_hdr_t)); 280} 281 282static int 283zfs_ace_fuid_mask_off(void) 284{ 285 return (offsetof(zfs_ace_hdr_t, z_access_mask)); 286} 287 288static int 289zfs_ace_fuid_data(void *acep, void **datap) 290{ 291 zfs_ace_t *zacep = acep; 292 zfs_object_ace_t *zobjp; 293 294 switch (zacep->z_hdr.z_type) { 295 case ACE_ACCESS_ALLOWED_OBJECT_ACE_TYPE: 296 case ACE_ACCESS_DENIED_OBJECT_ACE_TYPE: 297 case ACE_SYSTEM_AUDIT_OBJECT_ACE_TYPE: 298 case ACE_SYSTEM_ALARM_OBJECT_ACE_TYPE: 299 zobjp = acep; 300 *datap = (caddr_t)zobjp + sizeof (zfs_ace_t); 301 return (sizeof (zfs_object_ace_t) - sizeof (zfs_ace_t)); 302 default: 303 *datap = NULL; 304 return (0); 305 } 306} 307 308static acl_ops_t zfs_acl_fuid_ops = { 309 zfs_ace_fuid_get_mask, 310 zfs_ace_fuid_set_mask, 311 zfs_ace_fuid_get_flags, 312 zfs_ace_fuid_set_flags, 313 zfs_ace_fuid_get_type, 314 zfs_ace_fuid_set_type, 315 zfs_ace_fuid_get_who, 316 zfs_ace_fuid_set_who, 317 zfs_ace_fuid_size, 318 zfs_ace_fuid_abstract_size, 319 zfs_ace_fuid_mask_off, 320 zfs_ace_fuid_data 321}; 322 323/* 324 * The following three functions are provided for compatibility with 325 * older ZPL version in order to determine if the file use to have 326 * an external ACL and what version of ACL previously existed on the 327 * file. Would really be nice to not need this, sigh. 328 */ 329uint64_t 330zfs_external_acl(znode_t *zp) 331{ 332 zfs_acl_phys_t acl_phys; 333 int error; 334 335 if (zp->z_is_sa) 336 return (0); 337 338 /* 339 * Need to deal with a potential 340 * race where zfs_sa_upgrade could cause 341 * z_isa_sa to change. 342 * 343 * If the lookup fails then the state of z_is_sa should have 344 * changed. 345 */ 346 347 if ((error = sa_lookup(zp->z_sa_hdl, SA_ZPL_ZNODE_ACL(zp->z_zfsvfs), 348 &acl_phys, sizeof (acl_phys))) == 0) 349 return (acl_phys.z_acl_extern_obj); 350 else { 351 /* 352 * after upgrade the SA_ZPL_ZNODE_ACL should have been 353 * removed 354 */ 355 VERIFY(zp->z_is_sa && error == ENOENT); 356 return (0); 357 } 358} 359 360/* 361 * Determine size of ACL in bytes 362 * 363 * This is more complicated than it should be since we have to deal 364 * with old external ACLs. 365 */ 366static int 367zfs_acl_znode_info(znode_t *zp, int *aclsize, int *aclcount, 368 zfs_acl_phys_t *aclphys) 369{ 370 zfsvfs_t *zfsvfs = zp->z_zfsvfs; 371 uint64_t acl_count; 372 int size; 373 int error; 374 375 ASSERT(MUTEX_HELD(&zp->z_acl_lock)); 376 if (zp->z_is_sa) { 377 if ((error = sa_size(zp->z_sa_hdl, SA_ZPL_DACL_ACES(zfsvfs), 378 &size)) != 0) 379 return (error); 380 *aclsize = size; 381 if ((error = sa_lookup(zp->z_sa_hdl, SA_ZPL_DACL_COUNT(zfsvfs), 382 &acl_count, sizeof (acl_count))) != 0) 383 return (error); 384 *aclcount = acl_count; 385 } else { 386 if ((error = sa_lookup(zp->z_sa_hdl, SA_ZPL_ZNODE_ACL(zfsvfs), 387 aclphys, sizeof (*aclphys))) != 0) 388 return (error); 389 390 if (aclphys->z_acl_version == ZFS_ACL_VERSION_INITIAL) { 391 *aclsize = ZFS_ACL_SIZE(aclphys->z_acl_size); 392 *aclcount = aclphys->z_acl_size; 393 } else { 394 *aclsize = aclphys->z_acl_size; 395 *aclcount = aclphys->z_acl_count; 396 } 397 } 398 return (0); 399} 400 401int 402zfs_znode_acl_version(znode_t *zp) 403{ 404 zfs_acl_phys_t acl_phys; 405 406 if (zp->z_is_sa) 407 return (ZFS_ACL_VERSION_FUID); 408 else { 409 int error; 410 411 /* 412 * Need to deal with a potential 413 * race where zfs_sa_upgrade could cause 414 * z_isa_sa to change. 415 * 416 * If the lookup fails then the state of z_is_sa should have 417 * changed. 418 */ 419 if ((error = sa_lookup(zp->z_sa_hdl, 420 SA_ZPL_ZNODE_ACL(zp->z_zfsvfs), 421 &acl_phys, sizeof (acl_phys))) == 0) 422 return (acl_phys.z_acl_version); 423 else { 424 /* 425 * After upgrade SA_ZPL_ZNODE_ACL should have 426 * been removed. 427 */ 428 VERIFY(zp->z_is_sa && error == ENOENT); 429 return (ZFS_ACL_VERSION_FUID); 430 } 431 } 432} 433 434static int 435zfs_acl_version(int version) 436{ 437 if (version < ZPL_VERSION_FUID) 438 return (ZFS_ACL_VERSION_INITIAL); 439 else 440 return (ZFS_ACL_VERSION_FUID); 441} 442 443static int 444zfs_acl_version_zp(znode_t *zp) 445{ 446 return (zfs_acl_version(zp->z_zfsvfs->z_version)); 447} 448 449zfs_acl_t * 450zfs_acl_alloc(int vers) 451{ 452 zfs_acl_t *aclp; 453 454 aclp = kmem_zalloc(sizeof (zfs_acl_t), KM_SLEEP); 455 list_create(&aclp->z_acl, sizeof (zfs_acl_node_t), 456 offsetof(zfs_acl_node_t, z_next)); 457 aclp->z_version = vers; 458 if (vers == ZFS_ACL_VERSION_FUID) 459 aclp->z_ops = zfs_acl_fuid_ops; 460 else 461 aclp->z_ops = zfs_acl_v0_ops; 462 return (aclp); 463} 464 465zfs_acl_node_t * 466zfs_acl_node_alloc(size_t bytes) 467{ 468 zfs_acl_node_t *aclnode; 469 470 aclnode = kmem_zalloc(sizeof (zfs_acl_node_t), KM_SLEEP); 471 if (bytes) { 472 aclnode->z_acldata = kmem_alloc(bytes, KM_SLEEP); 473 aclnode->z_allocdata = aclnode->z_acldata; 474 aclnode->z_allocsize = bytes; 475 aclnode->z_size = bytes; 476 } 477 478 return (aclnode); 479} 480 481static void 482zfs_acl_node_free(zfs_acl_node_t *aclnode) 483{ 484 if (aclnode->z_allocsize) 485 kmem_free(aclnode->z_allocdata, aclnode->z_allocsize); 486 kmem_free(aclnode, sizeof (zfs_acl_node_t)); 487} 488 489static void 490zfs_acl_release_nodes(zfs_acl_t *aclp) 491{ 492 zfs_acl_node_t *aclnode; 493 494 while (aclnode = list_head(&aclp->z_acl)) { 495 list_remove(&aclp->z_acl, aclnode); 496 zfs_acl_node_free(aclnode); 497 } 498 aclp->z_acl_count = 0; 499 aclp->z_acl_bytes = 0; 500} 501 502void 503zfs_acl_free(zfs_acl_t *aclp) 504{ 505 zfs_acl_release_nodes(aclp); 506 list_destroy(&aclp->z_acl); 507 kmem_free(aclp, sizeof (zfs_acl_t)); 508} 509 510static boolean_t 511zfs_acl_valid_ace_type(uint_t type, uint_t flags) 512{ 513 uint16_t entry_type; 514 515 switch (type) { 516 case ALLOW: 517 case DENY: 518 case ACE_SYSTEM_AUDIT_ACE_TYPE: 519 case ACE_SYSTEM_ALARM_ACE_TYPE: 520 entry_type = flags & ACE_TYPE_FLAGS; 521 return (entry_type == ACE_OWNER || 522 entry_type == OWNING_GROUP || 523 entry_type == ACE_EVERYONE || entry_type == 0 || 524 entry_type == ACE_IDENTIFIER_GROUP); 525 default: 526 if (type >= MIN_ACE_TYPE && type <= MAX_ACE_TYPE) 527 return (B_TRUE); 528 } 529 return (B_FALSE); 530} 531 532static boolean_t 533zfs_ace_valid(vtype_t obj_type, zfs_acl_t *aclp, uint16_t type, uint16_t iflags) 534{ 535 /* 536 * first check type of entry 537 */ 538 539 if (!zfs_acl_valid_ace_type(type, iflags)) 540 return (B_FALSE); 541 542 switch (type) { 543 case ACE_ACCESS_ALLOWED_OBJECT_ACE_TYPE: 544 case ACE_ACCESS_DENIED_OBJECT_ACE_TYPE: 545 case ACE_SYSTEM_AUDIT_OBJECT_ACE_TYPE: 546 case ACE_SYSTEM_ALARM_OBJECT_ACE_TYPE: 547 if (aclp->z_version < ZFS_ACL_VERSION_FUID) 548 return (B_FALSE); 549 aclp->z_hints |= ZFS_ACL_OBJ_ACE; 550 } 551 552 /* 553 * next check inheritance level flags 554 */ 555 556 if (obj_type == VDIR && 557 (iflags & (ACE_FILE_INHERIT_ACE|ACE_DIRECTORY_INHERIT_ACE))) 558 aclp->z_hints |= ZFS_INHERIT_ACE; 559 560 if (iflags & (ACE_INHERIT_ONLY_ACE|ACE_NO_PROPAGATE_INHERIT_ACE)) { 561 if ((iflags & (ACE_FILE_INHERIT_ACE| 562 ACE_DIRECTORY_INHERIT_ACE)) == 0) { 563 return (B_FALSE); 564 } 565 } 566 567 return (B_TRUE); 568} 569 570static void * 571zfs_acl_next_ace(zfs_acl_t *aclp, void *start, uint64_t *who, 572 uint32_t *access_mask, uint16_t *iflags, uint16_t *type) 573{ 574 zfs_acl_node_t *aclnode; 575 576 ASSERT(aclp); 577 578 if (start == NULL) { 579 aclnode = list_head(&aclp->z_acl); 580 if (aclnode == NULL) 581 return (NULL); 582 583 aclp->z_next_ace = aclnode->z_acldata; 584 aclp->z_curr_node = aclnode; 585 aclnode->z_ace_idx = 0; 586 } 587 588 aclnode = aclp->z_curr_node; 589 590 if (aclnode == NULL) 591 return (NULL); 592 593 if (aclnode->z_ace_idx >= aclnode->z_ace_count) { 594 aclnode = list_next(&aclp->z_acl, aclnode); 595 if (aclnode == NULL) 596 return (NULL); 597 else { 598 aclp->z_curr_node = aclnode; 599 aclnode->z_ace_idx = 0; 600 aclp->z_next_ace = aclnode->z_acldata; 601 } 602 } 603 604 if (aclnode->z_ace_idx < aclnode->z_ace_count) { 605 void *acep = aclp->z_next_ace; 606 size_t ace_size; 607 608 /* 609 * Make sure we don't overstep our bounds 610 */ 611 ace_size = aclp->z_ops.ace_size(acep); 612 613 if (((caddr_t)acep + ace_size) > 614 ((caddr_t)aclnode->z_acldata + aclnode->z_size)) { 615 return (NULL); 616 } 617 618 *iflags = aclp->z_ops.ace_flags_get(acep); 619 *type = aclp->z_ops.ace_type_get(acep); 620 *access_mask = aclp->z_ops.ace_mask_get(acep); 621 *who = aclp->z_ops.ace_who_get(acep); 622 aclp->z_next_ace = (caddr_t)aclp->z_next_ace + ace_size; 623 aclnode->z_ace_idx++; 624 625 return ((void *)acep); 626 } 627 return (NULL); 628} 629 630/*ARGSUSED*/ 631static uint64_t 632zfs_ace_walk(void *datap, uint64_t cookie, int aclcnt, 633 uint16_t *flags, uint16_t *type, uint32_t *mask) 634{ 635 zfs_acl_t *aclp = datap; 636 zfs_ace_hdr_t *acep = (zfs_ace_hdr_t *)(uintptr_t)cookie; 637 uint64_t who; 638 639 acep = zfs_acl_next_ace(aclp, acep, &who, mask, 640 flags, type); 641 return ((uint64_t)(uintptr_t)acep); 642} 643 644static zfs_acl_node_t * 645zfs_acl_curr_node(zfs_acl_t *aclp) 646{ 647 ASSERT(aclp->z_curr_node); 648 return (aclp->z_curr_node); 649} 650 651/* 652 * Copy ACE to internal ZFS format. 653 * While processing the ACL each ACE will be validated for correctness. 654 * ACE FUIDs will be created later. 655 */ 656int 657zfs_copy_ace_2_fuid(zfsvfs_t *zfsvfs, vtype_t obj_type, zfs_acl_t *aclp, 658 void *datap, zfs_ace_t *z_acl, uint64_t aclcnt, size_t *size, 659 zfs_fuid_info_t **fuidp, cred_t *cr) 660{ 661 int i; 662 uint16_t entry_type; 663 zfs_ace_t *aceptr = z_acl; 664 ace_t *acep = datap; 665 zfs_object_ace_t *zobjacep; 666 ace_object_t *aceobjp; 667 668 for (i = 0; i != aclcnt; i++) { 669 aceptr->z_hdr.z_access_mask = acep->a_access_mask; 670 aceptr->z_hdr.z_flags = acep->a_flags; 671 aceptr->z_hdr.z_type = acep->a_type; 672 entry_type = aceptr->z_hdr.z_flags & ACE_TYPE_FLAGS; 673 if (entry_type != ACE_OWNER && entry_type != OWNING_GROUP && 674 entry_type != ACE_EVERYONE) { 675 aceptr->z_fuid = zfs_fuid_create(zfsvfs, acep->a_who, 676 cr, (entry_type == 0) ? 677 ZFS_ACE_USER : ZFS_ACE_GROUP, fuidp); 678 } 679 680 /* 681 * Make sure ACE is valid 682 */ 683 if (zfs_ace_valid(obj_type, aclp, aceptr->z_hdr.z_type, 684 aceptr->z_hdr.z_flags) != B_TRUE) 685 return (SET_ERROR(EINVAL)); 686 687 switch (acep->a_type) { 688 case ACE_ACCESS_ALLOWED_OBJECT_ACE_TYPE: 689 case ACE_ACCESS_DENIED_OBJECT_ACE_TYPE: 690 case ACE_SYSTEM_AUDIT_OBJECT_ACE_TYPE: 691 case ACE_SYSTEM_ALARM_OBJECT_ACE_TYPE: 692 zobjacep = (zfs_object_ace_t *)aceptr; 693 aceobjp = (ace_object_t *)acep; 694 695 bcopy(aceobjp->a_obj_type, zobjacep->z_object_type, 696 sizeof (aceobjp->a_obj_type)); 697 bcopy(aceobjp->a_inherit_obj_type, 698 zobjacep->z_inherit_type, 699 sizeof (aceobjp->a_inherit_obj_type)); 700 acep = (ace_t *)((caddr_t)acep + sizeof (ace_object_t)); 701 break; 702 default: 703 acep = (ace_t *)((caddr_t)acep + sizeof (ace_t)); 704 } 705 706 aceptr = (zfs_ace_t *)((caddr_t)aceptr + 707 aclp->z_ops.ace_size(aceptr)); 708 } 709 710 *size = (caddr_t)aceptr - (caddr_t)z_acl; 711 712 return (0); 713} 714 715/* 716 * Copy ZFS ACEs to fixed size ace_t layout 717 */ 718static void 719zfs_copy_fuid_2_ace(zfsvfs_t *zfsvfs, zfs_acl_t *aclp, cred_t *cr, 720 void *datap, int filter) 721{ 722 uint64_t who; 723 uint32_t access_mask; 724 uint16_t iflags, type; 725 zfs_ace_hdr_t *zacep = NULL; 726 ace_t *acep = datap; 727 ace_object_t *objacep; 728 zfs_object_ace_t *zobjacep; 729 size_t ace_size; 730 uint16_t entry_type; 731 732 while (zacep = zfs_acl_next_ace(aclp, zacep, 733 &who, &access_mask, &iflags, &type)) { 734 735 switch (type) { 736 case ACE_ACCESS_ALLOWED_OBJECT_ACE_TYPE: 737 case ACE_ACCESS_DENIED_OBJECT_ACE_TYPE: 738 case ACE_SYSTEM_AUDIT_OBJECT_ACE_TYPE: 739 case ACE_SYSTEM_ALARM_OBJECT_ACE_TYPE: 740 if (filter) { 741 continue; 742 } 743 zobjacep = (zfs_object_ace_t *)zacep; 744 objacep = (ace_object_t *)acep; 745 bcopy(zobjacep->z_object_type, 746 objacep->a_obj_type, 747 sizeof (zobjacep->z_object_type)); 748 bcopy(zobjacep->z_inherit_type, 749 objacep->a_inherit_obj_type, 750 sizeof (zobjacep->z_inherit_type)); 751 ace_size = sizeof (ace_object_t); 752 break; 753 default: 754 ace_size = sizeof (ace_t); 755 break; 756 } 757 758 entry_type = (iflags & ACE_TYPE_FLAGS); 759 if ((entry_type != ACE_OWNER && 760 entry_type != OWNING_GROUP && 761 entry_type != ACE_EVERYONE)) { 762 acep->a_who = zfs_fuid_map_id(zfsvfs, who, 763 cr, (entry_type & ACE_IDENTIFIER_GROUP) ? 764 ZFS_ACE_GROUP : ZFS_ACE_USER); 765 } else { 766 acep->a_who = (uid_t)(int64_t)who; 767 } 768 acep->a_access_mask = access_mask; 769 acep->a_flags = iflags; 770 acep->a_type = type; 771 acep = (ace_t *)((caddr_t)acep + ace_size); 772 } 773} 774 775static int 776zfs_copy_ace_2_oldace(vtype_t obj_type, zfs_acl_t *aclp, ace_t *acep, 777 zfs_oldace_t *z_acl, int aclcnt, size_t *size) 778{ 779 int i; 780 zfs_oldace_t *aceptr = z_acl; 781 782 for (i = 0; i != aclcnt; i++, aceptr++) { 783 aceptr->z_access_mask = acep[i].a_access_mask; 784 aceptr->z_type = acep[i].a_type; 785 aceptr->z_flags = acep[i].a_flags; 786 aceptr->z_fuid = acep[i].a_who; 787 /* 788 * Make sure ACE is valid 789 */ 790 if (zfs_ace_valid(obj_type, aclp, aceptr->z_type, 791 aceptr->z_flags) != B_TRUE) 792 return (SET_ERROR(EINVAL)); 793 } 794 *size = (caddr_t)aceptr - (caddr_t)z_acl; 795 return (0); 796} 797 798/* 799 * convert old ACL format to new 800 */ 801void 802zfs_acl_xform(znode_t *zp, zfs_acl_t *aclp, cred_t *cr) 803{ 804 zfs_oldace_t *oldaclp; 805 int i; 806 uint16_t type, iflags; 807 uint32_t access_mask; 808 uint64_t who; 809 void *cookie = NULL; 810 zfs_acl_node_t *newaclnode; 811 812 ASSERT(aclp->z_version == ZFS_ACL_VERSION_INITIAL); 813 /* 814 * First create the ACE in a contiguous piece of memory 815 * for zfs_copy_ace_2_fuid(). 816 * 817 * We only convert an ACL once, so this won't happen 818 * everytime. 819 */ 820 oldaclp = kmem_alloc(sizeof (zfs_oldace_t) * aclp->z_acl_count, 821 KM_SLEEP); 822 i = 0; 823 while (cookie = zfs_acl_next_ace(aclp, cookie, &who, 824 &access_mask, &iflags, &type)) { 825 oldaclp[i].z_flags = iflags; 826 oldaclp[i].z_type = type; 827 oldaclp[i].z_fuid = who; 828 oldaclp[i++].z_access_mask = access_mask; 829 } 830 831 newaclnode = zfs_acl_node_alloc(aclp->z_acl_count * 832 sizeof (zfs_object_ace_t)); 833 aclp->z_ops = zfs_acl_fuid_ops; 834 VERIFY(zfs_copy_ace_2_fuid(zp->z_zfsvfs, ZTOV(zp)->v_type, aclp, 835 oldaclp, newaclnode->z_acldata, aclp->z_acl_count, 836 &newaclnode->z_size, NULL, cr) == 0); 837 newaclnode->z_ace_count = aclp->z_acl_count; 838 aclp->z_version = ZFS_ACL_VERSION; 839 kmem_free(oldaclp, aclp->z_acl_count * sizeof (zfs_oldace_t)); 840 841 /* 842 * Release all previous ACL nodes 843 */ 844 845 zfs_acl_release_nodes(aclp); 846 847 list_insert_head(&aclp->z_acl, newaclnode); 848 849 aclp->z_acl_bytes = newaclnode->z_size; 850 aclp->z_acl_count = newaclnode->z_ace_count; 851 852} 853 854/* 855 * Convert unix access mask to v4 access mask 856 */ 857static uint32_t 858zfs_unix_to_v4(uint32_t access_mask) 859{ 860 uint32_t new_mask = 0; 861 862 if (access_mask & S_IXOTH) 863 new_mask |= ACE_EXECUTE; 864 if (access_mask & S_IWOTH) 865 new_mask |= ACE_WRITE_DATA; 866 if (access_mask & S_IROTH) 867 new_mask |= ACE_READ_DATA; 868 return (new_mask); 869} 870 871static void 872zfs_set_ace(zfs_acl_t *aclp, void *acep, uint32_t access_mask, 873 uint16_t access_type, uint64_t fuid, uint16_t entry_type) 874{ 875 uint16_t type = entry_type & ACE_TYPE_FLAGS; 876 877 aclp->z_ops.ace_mask_set(acep, access_mask); 878 aclp->z_ops.ace_type_set(acep, access_type); 879 aclp->z_ops.ace_flags_set(acep, entry_type); 880 if ((type != ACE_OWNER && type != OWNING_GROUP && 881 type != ACE_EVERYONE)) 882 aclp->z_ops.ace_who_set(acep, fuid); 883} 884 885/* 886 * Determine mode of file based on ACL. 887 * Also, create FUIDs for any User/Group ACEs 888 */ 889uint64_t 890zfs_mode_compute(uint64_t fmode, zfs_acl_t *aclp, 891 uint64_t *pflags, uint64_t fuid, uint64_t fgid) 892{ 893 int entry_type; 894 mode_t mode; 895 mode_t seen = 0; 896 zfs_ace_hdr_t *acep = NULL; 897 uint64_t who; 898 uint16_t iflags, type; 899 uint32_t access_mask; 900 boolean_t an_exec_denied = B_FALSE; 901 902 mode = (fmode & (S_IFMT | S_ISUID | S_ISGID | S_ISVTX)); 903 904 while (acep = zfs_acl_next_ace(aclp, acep, &who, 905 &access_mask, &iflags, &type)) { 906 907 if (!zfs_acl_valid_ace_type(type, iflags)) 908 continue; 909 910 entry_type = (iflags & ACE_TYPE_FLAGS); 911 912 /* 913 * Skip over owner@, group@ or everyone@ inherit only ACEs 914 */ 915 if ((iflags & ACE_INHERIT_ONLY_ACE) && 916 (entry_type == ACE_OWNER || entry_type == ACE_EVERYONE || 917 entry_type == OWNING_GROUP)) 918 continue; 919 920 if (entry_type == ACE_OWNER || (entry_type == 0 && 921 who == fuid)) { 922 if ((access_mask & ACE_READ_DATA) && 923 (!(seen & S_IRUSR))) { 924 seen |= S_IRUSR; 925 if (type == ALLOW) { 926 mode |= S_IRUSR; 927 } 928 } 929 if ((access_mask & ACE_WRITE_DATA) && 930 (!(seen & S_IWUSR))) { 931 seen |= S_IWUSR; 932 if (type == ALLOW) { 933 mode |= S_IWUSR; 934 } 935 } 936 if ((access_mask & ACE_EXECUTE) && 937 (!(seen & S_IXUSR))) { 938 seen |= S_IXUSR; 939 if (type == ALLOW) { 940 mode |= S_IXUSR; 941 } 942 } 943 } else if (entry_type == OWNING_GROUP || 944 (entry_type == ACE_IDENTIFIER_GROUP && who == fgid)) { 945 if ((access_mask & ACE_READ_DATA) && 946 (!(seen & S_IRGRP))) { 947 seen |= S_IRGRP; 948 if (type == ALLOW) { 949 mode |= S_IRGRP; 950 } 951 } 952 if ((access_mask & ACE_WRITE_DATA) && 953 (!(seen & S_IWGRP))) { 954 seen |= S_IWGRP; 955 if (type == ALLOW) { 956 mode |= S_IWGRP; 957 } 958 } 959 if ((access_mask & ACE_EXECUTE) && 960 (!(seen & S_IXGRP))) { 961 seen |= S_IXGRP; 962 if (type == ALLOW) { 963 mode |= S_IXGRP; 964 } 965 } 966 } else if (entry_type == ACE_EVERYONE) { 967 if ((access_mask & ACE_READ_DATA)) { 968 if (!(seen & S_IRUSR)) { 969 seen |= S_IRUSR; 970 if (type == ALLOW) { 971 mode |= S_IRUSR; 972 } 973 } 974 if (!(seen & S_IRGRP)) { 975 seen |= S_IRGRP; 976 if (type == ALLOW) { 977 mode |= S_IRGRP; 978 } 979 } 980 if (!(seen & S_IROTH)) { 981 seen |= S_IROTH; 982 if (type == ALLOW) { 983 mode |= S_IROTH; 984 } 985 } 986 } 987 if ((access_mask & ACE_WRITE_DATA)) { 988 if (!(seen & S_IWUSR)) { 989 seen |= S_IWUSR; 990 if (type == ALLOW) { 991 mode |= S_IWUSR; 992 } 993 } 994 if (!(seen & S_IWGRP)) { 995 seen |= S_IWGRP; 996 if (type == ALLOW) { 997 mode |= S_IWGRP; 998 } 999 } 1000 if (!(seen & S_IWOTH)) { 1001 seen |= S_IWOTH; 1002 if (type == ALLOW) { 1003 mode |= S_IWOTH; 1004 } 1005 } 1006 } 1007 if ((access_mask & ACE_EXECUTE)) { 1008 if (!(seen & S_IXUSR)) { 1009 seen |= S_IXUSR; 1010 if (type == ALLOW) { 1011 mode |= S_IXUSR; 1012 } 1013 } 1014 if (!(seen & S_IXGRP)) { 1015 seen |= S_IXGRP; 1016 if (type == ALLOW) { 1017 mode |= S_IXGRP; 1018 } 1019 } 1020 if (!(seen & S_IXOTH)) { 1021 seen |= S_IXOTH; 1022 if (type == ALLOW) { 1023 mode |= S_IXOTH; 1024 } 1025 } 1026 } 1027 } else { 1028 /* 1029 * Only care if this IDENTIFIER_GROUP or 1030 * USER ACE denies execute access to someone, 1031 * mode is not affected 1032 */ 1033 if ((access_mask & ACE_EXECUTE) && type == DENY) 1034 an_exec_denied = B_TRUE; 1035 } 1036 } 1037 1038 /* 1039 * Failure to allow is effectively a deny, so execute permission 1040 * is denied if it was never mentioned or if we explicitly 1041 * weren't allowed it. 1042 */ 1043 if (!an_exec_denied && 1044 ((seen & ALL_MODE_EXECS) != ALL_MODE_EXECS || 1045 (mode & ALL_MODE_EXECS) != ALL_MODE_EXECS)) 1046 an_exec_denied = B_TRUE; 1047 1048 if (an_exec_denied) 1049 *pflags &= ~ZFS_NO_EXECS_DENIED; 1050 else 1051 *pflags |= ZFS_NO_EXECS_DENIED; 1052 1053 return (mode); 1054} 1055 1056/* 1057 * Read an external acl object. If the intent is to modify, always 1058 * create a new acl and leave any cached acl in place. 1059 */ 1060static int 1061zfs_acl_node_read(znode_t *zp, boolean_t have_lock, zfs_acl_t **aclpp, 1062 boolean_t will_modify) 1063{ 1064 zfs_acl_t *aclp; 1065 int aclsize; 1066 int acl_count; 1067 zfs_acl_node_t *aclnode; 1068 zfs_acl_phys_t znode_acl; 1069 int version; 1070 int error; 1071 boolean_t drop_lock = B_FALSE; 1072 1073 ASSERT(MUTEX_HELD(&zp->z_acl_lock)); 1074 1075 if (zp->z_acl_cached && !will_modify) { 1076 *aclpp = zp->z_acl_cached; 1077 return (0); 1078 } 1079 1080 /* 1081 * close race where znode could be upgrade while trying to 1082 * read the znode attributes. 1083 * 1084 * But this could only happen if the file isn't already an SA 1085 * znode 1086 */ 1087 if (!zp->z_is_sa && !have_lock) { 1088 mutex_enter(&zp->z_lock); 1089 drop_lock = B_TRUE; 1090 } 1091 version = zfs_znode_acl_version(zp); 1092 1093 if ((error = zfs_acl_znode_info(zp, &aclsize, 1094 &acl_count, &znode_acl)) != 0) { 1095 goto done; 1096 } 1097 1098 aclp = zfs_acl_alloc(version); 1099 1100 aclp->z_acl_count = acl_count; 1101 aclp->z_acl_bytes = aclsize; 1102 1103 aclnode = zfs_acl_node_alloc(aclsize); 1104 aclnode->z_ace_count = aclp->z_acl_count; 1105 aclnode->z_size = aclsize; 1106 1107 if (!zp->z_is_sa) { 1108 if (znode_acl.z_acl_extern_obj) { 1109 error = dmu_read(zp->z_zfsvfs->z_os, 1110 znode_acl.z_acl_extern_obj, 0, aclnode->z_size, 1111 aclnode->z_acldata, DMU_READ_PREFETCH); 1112 } else { 1113 bcopy(znode_acl.z_ace_data, aclnode->z_acldata, 1114 aclnode->z_size); 1115 } 1116 } else { 1117 error = sa_lookup(zp->z_sa_hdl, SA_ZPL_DACL_ACES(zp->z_zfsvfs), 1118 aclnode->z_acldata, aclnode->z_size); 1119 } 1120 1121 if (error != 0) { 1122 zfs_acl_free(aclp); 1123 zfs_acl_node_free(aclnode); 1124 /* convert checksum errors into IO errors */ 1125 if (error == ECKSUM) 1126 error = SET_ERROR(EIO); 1127 goto done; 1128 } 1129 1130 list_insert_head(&aclp->z_acl, aclnode); 1131 1132 *aclpp = aclp; 1133 if (!will_modify) 1134 zp->z_acl_cached = aclp; 1135done: 1136 if (drop_lock) 1137 mutex_exit(&zp->z_lock); 1138 return (error); 1139} 1140 1141/*ARGSUSED*/ 1142void 1143zfs_acl_data_locator(void **dataptr, uint32_t *length, uint32_t buflen, 1144 boolean_t start, void *userdata) 1145{ 1146 zfs_acl_locator_cb_t *cb = (zfs_acl_locator_cb_t *)userdata; 1147 1148 if (start) { 1149 cb->cb_acl_node = list_head(&cb->cb_aclp->z_acl); 1150 } else { 1151 cb->cb_acl_node = list_next(&cb->cb_aclp->z_acl, 1152 cb->cb_acl_node); 1153 } 1154 *dataptr = cb->cb_acl_node->z_acldata; 1155 *length = cb->cb_acl_node->z_size; 1156} 1157 1158int 1159zfs_acl_chown_setattr(znode_t *zp) 1160{ 1161 int error; 1162 zfs_acl_t *aclp; 1163 1164 ASSERT(MUTEX_HELD(&zp->z_lock)); 1165 ASSERT(MUTEX_HELD(&zp->z_acl_lock)); 1166 1167 if ((error = zfs_acl_node_read(zp, B_TRUE, &aclp, B_FALSE)) == 0) 1168 zp->z_mode = zfs_mode_compute(zp->z_mode, aclp, 1169 &zp->z_pflags, zp->z_uid, zp->z_gid); 1170 return (error); 1171} 1172 1173/* 1174 * common code for setting ACLs. 1175 * 1176 * This function is called from zfs_mode_update, zfs_perm_init, and zfs_setacl. 1177 * zfs_setacl passes a non-NULL inherit pointer (ihp) to indicate that it's 1178 * already checked the acl and knows whether to inherit. 1179 */ 1180int 1181zfs_aclset_common(znode_t *zp, zfs_acl_t *aclp, cred_t *cr, dmu_tx_t *tx) 1182{ 1183 int error; 1184 zfsvfs_t *zfsvfs = zp->z_zfsvfs; 1185 dmu_object_type_t otype; 1186 zfs_acl_locator_cb_t locate = { 0 }; 1187 uint64_t mode; 1188 sa_bulk_attr_t bulk[5]; 1189 uint64_t ctime[2]; 1190 int count = 0; 1191 1192 mode = zp->z_mode; 1193 1194 mode = zfs_mode_compute(mode, aclp, &zp->z_pflags, 1195 zp->z_uid, zp->z_gid); 1196 1197 zp->z_mode = mode; 1198 SA_ADD_BULK_ATTR(bulk, count, SA_ZPL_MODE(zfsvfs), NULL, 1199 &mode, sizeof (mode)); 1200 SA_ADD_BULK_ATTR(bulk, count, SA_ZPL_FLAGS(zfsvfs), NULL, 1201 &zp->z_pflags, sizeof (zp->z_pflags)); 1202 SA_ADD_BULK_ATTR(bulk, count, SA_ZPL_CTIME(zfsvfs), NULL, 1203 &ctime, sizeof (ctime)); 1204 1205 if (zp->z_acl_cached) { 1206 zfs_acl_free(zp->z_acl_cached); 1207 zp->z_acl_cached = NULL; 1208 } 1209 1210 /* 1211 * Upgrade needed? 1212 */ 1213 if (!zfsvfs->z_use_fuids) { 1214 otype = DMU_OT_OLDACL; 1215 } else { 1216 if ((aclp->z_version == ZFS_ACL_VERSION_INITIAL) && 1217 (zfsvfs->z_version >= ZPL_VERSION_FUID)) 1218 zfs_acl_xform(zp, aclp, cr); 1219 ASSERT(aclp->z_version >= ZFS_ACL_VERSION_FUID); 1220 otype = DMU_OT_ACL; 1221 } 1222 1223 /* 1224 * Arrgh, we have to handle old on disk format 1225 * as well as newer (preferred) SA format. 1226 */ 1227 1228 if (zp->z_is_sa) { /* the easy case, just update the ACL attribute */ 1229 locate.cb_aclp = aclp; 1230 SA_ADD_BULK_ATTR(bulk, count, SA_ZPL_DACL_ACES(zfsvfs), 1231 zfs_acl_data_locator, &locate, aclp->z_acl_bytes); 1232 SA_ADD_BULK_ATTR(bulk, count, SA_ZPL_DACL_COUNT(zfsvfs), 1233 NULL, &aclp->z_acl_count, sizeof (uint64_t)); 1234 } else { /* Painful legacy way */ 1235 zfs_acl_node_t *aclnode; 1236 uint64_t off = 0; 1237 zfs_acl_phys_t acl_phys; 1238 uint64_t aoid; 1239 1240 if ((error = sa_lookup(zp->z_sa_hdl, SA_ZPL_ZNODE_ACL(zfsvfs), 1241 &acl_phys, sizeof (acl_phys))) != 0) 1242 return (error); 1243 1244 aoid = acl_phys.z_acl_extern_obj; 1245 1246 if (aclp->z_acl_bytes > ZFS_ACE_SPACE) { 1247 /* 1248 * If ACL was previously external and we are now 1249 * converting to new ACL format then release old 1250 * ACL object and create a new one. 1251 */ 1252 if (aoid && 1253 aclp->z_version != acl_phys.z_acl_version) { 1254 error = dmu_object_free(zfsvfs->z_os, aoid, tx); 1255 if (error) 1256 return (error); 1257 aoid = 0; 1258 } 1259 if (aoid == 0) { 1260 aoid = dmu_object_alloc(zfsvfs->z_os, 1261 otype, aclp->z_acl_bytes, 1262 otype == DMU_OT_ACL ? 1263 DMU_OT_SYSACL : DMU_OT_NONE, 1264 otype == DMU_OT_ACL ? 1265 DN_MAX_BONUSLEN : 0, tx); 1266 } else { 1267 (void) dmu_object_set_blocksize(zfsvfs->z_os, 1268 aoid, aclp->z_acl_bytes, 0, tx); 1269 } 1270 acl_phys.z_acl_extern_obj = aoid; 1271 for (aclnode = list_head(&aclp->z_acl); aclnode; 1272 aclnode = list_next(&aclp->z_acl, aclnode)) { 1273 if (aclnode->z_ace_count == 0) 1274 continue; 1275 dmu_write(zfsvfs->z_os, aoid, off, 1276 aclnode->z_size, aclnode->z_acldata, tx); 1277 off += aclnode->z_size; 1278 } 1279 } else { 1280 void *start = acl_phys.z_ace_data; 1281 /* 1282 * Migrating back embedded? 1283 */ 1284 if (acl_phys.z_acl_extern_obj) { 1285 error = dmu_object_free(zfsvfs->z_os, 1286 acl_phys.z_acl_extern_obj, tx); 1287 if (error) 1288 return (error); 1289 acl_phys.z_acl_extern_obj = 0; 1290 } 1291 1292 for (aclnode = list_head(&aclp->z_acl); aclnode; 1293 aclnode = list_next(&aclp->z_acl, aclnode)) { 1294 if (aclnode->z_ace_count == 0) 1295 continue; 1296 bcopy(aclnode->z_acldata, start, 1297 aclnode->z_size); 1298 start = (caddr_t)start + aclnode->z_size; 1299 } 1300 } 1301 /* 1302 * If Old version then swap count/bytes to match old 1303 * layout of znode_acl_phys_t. 1304 */ 1305 if (aclp->z_version == ZFS_ACL_VERSION_INITIAL) { 1306 acl_phys.z_acl_size = aclp->z_acl_count; 1307 acl_phys.z_acl_count = aclp->z_acl_bytes; 1308 } else { 1309 acl_phys.z_acl_size = aclp->z_acl_bytes; 1310 acl_phys.z_acl_count = aclp->z_acl_count; 1311 } 1312 acl_phys.z_acl_version = aclp->z_version; 1313 1314 SA_ADD_BULK_ATTR(bulk, count, SA_ZPL_ZNODE_ACL(zfsvfs), NULL, 1315 &acl_phys, sizeof (acl_phys)); 1316 } 1317 1318 /* 1319 * Replace ACL wide bits, but first clear them. 1320 */ 1321 zp->z_pflags &= ~ZFS_ACL_WIDE_FLAGS; 1322 1323 zp->z_pflags |= aclp->z_hints; 1324 1325 if (ace_trivial_common(aclp, 0, zfs_ace_walk) == 0) 1326 zp->z_pflags |= ZFS_ACL_TRIVIAL; 1327 1328 zfs_tstamp_update_setup(zp, STATE_CHANGED, NULL, ctime, B_TRUE); 1329 return (sa_bulk_update(zp->z_sa_hdl, bulk, count, tx)); 1330} 1331 1332static void 1333zfs_acl_chmod(vtype_t vtype, uint64_t mode, boolean_t trim, zfs_acl_t *aclp) 1334{ 1335 void *acep = NULL; 1336 uint64_t who; 1337 int new_count, new_bytes; 1338 int ace_size; 1339 int entry_type; 1340 uint16_t iflags, type; 1341 uint32_t access_mask; 1342 zfs_acl_node_t *newnode; 1343 size_t abstract_size = aclp->z_ops.ace_abstract_size(); 1344 void *zacep; 1345 boolean_t isdir; 1346 trivial_acl_t masks; 1347 1348 new_count = new_bytes = 0; 1349 1350 isdir = (vtype == VDIR); 1351 1352 acl_trivial_access_masks((mode_t)mode, isdir, &masks); 1353 1354 newnode = zfs_acl_node_alloc((abstract_size * 6) + aclp->z_acl_bytes); 1355 1356 zacep = newnode->z_acldata; 1357 if (masks.allow0) { 1358 zfs_set_ace(aclp, zacep, masks.allow0, ALLOW, -1, ACE_OWNER); 1359 zacep = (void *)((uintptr_t)zacep + abstract_size); 1360 new_count++; 1361 new_bytes += abstract_size; 1362 } 1363 if (masks.deny1) { 1364 zfs_set_ace(aclp, zacep, masks.deny1, DENY, -1, ACE_OWNER); 1365 zacep = (void *)((uintptr_t)zacep + abstract_size); 1366 new_count++; 1367 new_bytes += abstract_size; 1368 } 1369 if (masks.deny2) { 1370 zfs_set_ace(aclp, zacep, masks.deny2, DENY, -1, OWNING_GROUP); 1371 zacep = (void *)((uintptr_t)zacep + abstract_size); 1372 new_count++; 1373 new_bytes += abstract_size; 1374 } 1375 1376 while (acep = zfs_acl_next_ace(aclp, acep, &who, &access_mask, 1377 &iflags, &type)) { 1378 uint16_t inherit_flags; 1379 1380 entry_type = (iflags & ACE_TYPE_FLAGS); 1381 inherit_flags = (iflags & ALL_INHERIT); 1382 1383 if ((entry_type == ACE_OWNER || entry_type == ACE_EVERYONE || 1384 (entry_type == OWNING_GROUP)) && 1385 ((inherit_flags & ACE_INHERIT_ONLY_ACE) == 0)) { 1386 continue; 1387 } 1388 1389 /* 1390 * If this ACL has any inheritable ACEs, mark that in 1391 * the hints (which are later masked into the pflags) 1392 * so create knows to do inheritance. 1393 */ 1394 if (isdir && (inherit_flags & 1395 (ACE_FILE_INHERIT_ACE|ACE_DIRECTORY_INHERIT_ACE))) 1396 aclp->z_hints |= ZFS_INHERIT_ACE; 1397 1398 if ((type != ALLOW && type != DENY) || 1399 (inherit_flags & ACE_INHERIT_ONLY_ACE)) { 1400 switch (type) { 1401 case ACE_ACCESS_ALLOWED_OBJECT_ACE_TYPE: 1402 case ACE_ACCESS_DENIED_OBJECT_ACE_TYPE: 1403 case ACE_SYSTEM_AUDIT_OBJECT_ACE_TYPE: 1404 case ACE_SYSTEM_ALARM_OBJECT_ACE_TYPE: 1405 aclp->z_hints |= ZFS_ACL_OBJ_ACE; 1406 break; 1407 } 1408 } else { 1409 1410 /* 1411 * Limit permissions to be no greater than 1412 * group permissions. 1413 * The "aclinherit" and "aclmode" properties 1414 * affect policy for create and chmod(2), 1415 * respectively. 1416 */ 1417 if ((type == ALLOW) && trim) 1418 access_mask &= masks.group; 1419 } 1420 zfs_set_ace(aclp, zacep, access_mask, type, who, iflags); 1421 ace_size = aclp->z_ops.ace_size(acep); 1422 zacep = (void *)((uintptr_t)zacep + ace_size); 1423 new_count++; 1424 new_bytes += ace_size; 1425 } 1426 zfs_set_ace(aclp, zacep, masks.owner, 0, -1, ACE_OWNER); 1427 zacep = (void *)((uintptr_t)zacep + abstract_size); 1428 zfs_set_ace(aclp, zacep, masks.group, 0, -1, OWNING_GROUP); 1429 zacep = (void *)((uintptr_t)zacep + abstract_size); 1430 zfs_set_ace(aclp, zacep, masks.everyone, 0, -1, ACE_EVERYONE); 1431 1432 new_count += 3; 1433 new_bytes += abstract_size * 3; 1434 zfs_acl_release_nodes(aclp); 1435 aclp->z_acl_count = new_count; 1436 aclp->z_acl_bytes = new_bytes; 1437 newnode->z_ace_count = new_count; 1438 newnode->z_size = new_bytes; 1439 list_insert_tail(&aclp->z_acl, newnode); 1440} 1441 1442int 1443zfs_acl_chmod_setattr(znode_t *zp, zfs_acl_t **aclp, uint64_t mode) 1444{ 1445 int error = 0; 1446 1447 mutex_enter(&zp->z_acl_lock); 1448 mutex_enter(&zp->z_lock); 1449 if (zp->z_zfsvfs->z_acl_mode == ZFS_ACL_DISCARD) 1450 *aclp = zfs_acl_alloc(zfs_acl_version_zp(zp)); 1451 else 1452 error = zfs_acl_node_read(zp, B_TRUE, aclp, B_TRUE); 1453 1454 if (error == 0) { 1455 (*aclp)->z_hints = zp->z_pflags & V4_ACL_WIDE_FLAGS; 1456 zfs_acl_chmod(ZTOV(zp)->v_type, mode, 1457 (zp->z_zfsvfs->z_acl_mode == ZFS_ACL_GROUPMASK), *aclp); 1458 } 1459 mutex_exit(&zp->z_lock); 1460 mutex_exit(&zp->z_acl_lock); 1461 1462 return (error); 1463} 1464 1465/* 1466 * strip off write_owner and write_acl 1467 */ 1468static void 1469zfs_restricted_update(zfsvfs_t *zfsvfs, zfs_acl_t *aclp, void *acep) 1470{ 1471 uint32_t mask = aclp->z_ops.ace_mask_get(acep); 1472 1473 if ((zfsvfs->z_acl_inherit == ZFS_ACL_RESTRICTED) && 1474 (aclp->z_ops.ace_type_get(acep) == ALLOW)) { 1475 mask &= ~RESTRICTED_CLEAR; 1476 aclp->z_ops.ace_mask_set(acep, mask); 1477 } 1478} 1479 1480/* 1481 * Should ACE be inherited? 1482 */ 1483static int 1484zfs_ace_can_use(vtype_t vtype, uint16_t acep_flags) 1485{ 1486 int iflags = (acep_flags & 0xf); 1487 1488 if ((vtype == VDIR) && (iflags & ACE_DIRECTORY_INHERIT_ACE)) 1489 return (1); 1490 else if (iflags & ACE_FILE_INHERIT_ACE) 1491 return (!((vtype == VDIR) && 1492 (iflags & ACE_NO_PROPAGATE_INHERIT_ACE))); 1493 return (0); 1494} 1495 1496/* 1497 * inherit inheritable ACEs from parent 1498 */ 1499static zfs_acl_t * 1500zfs_acl_inherit(zfsvfs_t *zfsvfs, vtype_t vtype, zfs_acl_t *paclp, 1501 uint64_t mode, boolean_t *need_chmod) 1502{ 1503 void *pacep; 1504 void *acep; 1505 zfs_acl_node_t *aclnode; 1506 zfs_acl_t *aclp = NULL; 1507 uint64_t who; 1508 uint32_t access_mask; 1509 uint16_t iflags, newflags, type; 1510 size_t ace_size; 1511 void *data1, *data2; 1512 size_t data1sz, data2sz; 1513 boolean_t vdir = vtype == VDIR; 1514 boolean_t vreg = vtype == VREG; 1515 boolean_t passthrough, passthrough_x, noallow; 1516 1517 passthrough_x = 1518 zfsvfs->z_acl_inherit == ZFS_ACL_PASSTHROUGH_X; 1519 passthrough = passthrough_x || 1520 zfsvfs->z_acl_inherit == ZFS_ACL_PASSTHROUGH; 1521 noallow = 1522 zfsvfs->z_acl_inherit == ZFS_ACL_NOALLOW; 1523 1524 *need_chmod = B_TRUE; 1525 pacep = NULL; 1526 aclp = zfs_acl_alloc(paclp->z_version); 1527 if (zfsvfs->z_acl_inherit == ZFS_ACL_DISCARD || vtype == VLNK) 1528 return (aclp); 1529 while (pacep = zfs_acl_next_ace(paclp, pacep, &who, 1530 &access_mask, &iflags, &type)) { 1531 1532 /* 1533 * don't inherit bogus ACEs 1534 */ 1535 if (!zfs_acl_valid_ace_type(type, iflags)) 1536 continue; 1537 1538 if (noallow && type == ALLOW) 1539 continue; 1540 1541 ace_size = aclp->z_ops.ace_size(pacep); 1542 1543 if (!zfs_ace_can_use(vtype, iflags)) 1544 continue; 1545 1546 /* 1547 * If owner@, group@, or everyone@ inheritable 1548 * then zfs_acl_chmod() isn't needed. 1549 */ 1550 if (passthrough && 1551 ((iflags & (ACE_OWNER|ACE_EVERYONE)) || 1552 ((iflags & OWNING_GROUP) == 1553 OWNING_GROUP)) && (vreg || (vdir && (iflags & 1554 ACE_DIRECTORY_INHERIT_ACE)))) { 1555 *need_chmod = B_FALSE; 1556 } 1557 1558 if (!vdir && passthrough_x && 1559 ((mode & (S_IXUSR | S_IXGRP | S_IXOTH)) == 0)) { 1560 access_mask &= ~ACE_EXECUTE; 1561 } 1562 1563 aclnode = zfs_acl_node_alloc(ace_size); 1564 list_insert_tail(&aclp->z_acl, aclnode); 1565 acep = aclnode->z_acldata; 1566 1567 zfs_set_ace(aclp, acep, access_mask, type, 1568 who, iflags|ACE_INHERITED_ACE); 1569 1570 /* 1571 * Copy special opaque data if any 1572 */ 1573 if ((data1sz = paclp->z_ops.ace_data(pacep, &data1)) != 0) { 1574 VERIFY((data2sz = aclp->z_ops.ace_data(acep, 1575 &data2)) == data1sz); 1576 bcopy(data1, data2, data2sz); 1577 } 1578 1579 aclp->z_acl_count++; 1580 aclnode->z_ace_count++; 1581 aclp->z_acl_bytes += aclnode->z_size; 1582 newflags = aclp->z_ops.ace_flags_get(acep); 1583 1584 if (vdir) 1585 aclp->z_hints |= ZFS_INHERIT_ACE; 1586 1587 if ((iflags & ACE_NO_PROPAGATE_INHERIT_ACE) || !vdir) { 1588 newflags &= ~ALL_INHERIT; 1589 aclp->z_ops.ace_flags_set(acep, 1590 newflags|ACE_INHERITED_ACE); 1591 zfs_restricted_update(zfsvfs, aclp, acep); 1592 continue; 1593 } 1594 1595 ASSERT(vdir); 1596 1597 /* 1598 * If only FILE_INHERIT is set then turn on 1599 * inherit_only 1600 */ 1601 if ((iflags & (ACE_FILE_INHERIT_ACE | 1602 ACE_DIRECTORY_INHERIT_ACE)) == ACE_FILE_INHERIT_ACE) { 1603 newflags |= ACE_INHERIT_ONLY_ACE; 1604 aclp->z_ops.ace_flags_set(acep, 1605 newflags|ACE_INHERITED_ACE); 1606 } else { 1607 newflags &= ~ACE_INHERIT_ONLY_ACE; 1608 aclp->z_ops.ace_flags_set(acep, 1609 newflags|ACE_INHERITED_ACE); 1610 } 1611 } 1612 return (aclp); 1613} 1614 1615/* 1616 * Create file system object initial permissions 1617 * including inheritable ACEs. 1618 */ 1619int 1620zfs_acl_ids_create(znode_t *dzp, int flag, vattr_t *vap, cred_t *cr, 1621 vsecattr_t *vsecp, zfs_acl_ids_t *acl_ids) 1622{ 1623 int error; 1624 zfsvfs_t *zfsvfs = dzp->z_zfsvfs; 1625 zfs_acl_t *paclp; 1626 gid_t gid; 1627 boolean_t need_chmod = B_TRUE; 1628 boolean_t inherited = B_FALSE; 1629 1630 bzero(acl_ids, sizeof (zfs_acl_ids_t)); 1631 acl_ids->z_mode = MAKEIMODE(vap->va_type, vap->va_mode); 1632 1633 if (vsecp) 1634 if ((error = zfs_vsec_2_aclp(zfsvfs, vap->va_type, vsecp, cr, 1635 &acl_ids->z_fuidp, &acl_ids->z_aclp)) != 0) 1636 return (error); 1637 /* 1638 * Determine uid and gid. 1639 */ 1640 if ((flag & IS_ROOT_NODE) || zfsvfs->z_replay || 1641 ((flag & IS_XATTR) && (vap->va_type == VDIR))) { 1642 acl_ids->z_fuid = zfs_fuid_create(zfsvfs, 1643 (uint64_t)vap->va_uid, cr, 1644 ZFS_OWNER, &acl_ids->z_fuidp); 1645 acl_ids->z_fgid = zfs_fuid_create(zfsvfs, 1646 (uint64_t)vap->va_gid, cr, 1647 ZFS_GROUP, &acl_ids->z_fuidp); 1648 gid = vap->va_gid; 1649 } else { 1650 acl_ids->z_fuid = zfs_fuid_create_cred(zfsvfs, ZFS_OWNER, 1651 cr, &acl_ids->z_fuidp); 1652 acl_ids->z_fgid = 0; 1653 if (vap->va_mask & AT_GID) { 1654 acl_ids->z_fgid = zfs_fuid_create(zfsvfs, 1655 (uint64_t)vap->va_gid, 1656 cr, ZFS_GROUP, &acl_ids->z_fuidp); 1657 gid = vap->va_gid; 1658 if (acl_ids->z_fgid != dzp->z_gid && 1659 !groupmember(vap->va_gid, cr) && 1660 secpolicy_vnode_create_gid(cr) != 0) 1661 acl_ids->z_fgid = 0; 1662 } 1663 if (acl_ids->z_fgid == 0) { 1664 if (dzp->z_mode & S_ISGID) { 1665 char *domain; 1666 uint32_t rid; 1667 1668 acl_ids->z_fgid = dzp->z_gid; 1669 gid = zfs_fuid_map_id(zfsvfs, acl_ids->z_fgid, 1670 cr, ZFS_GROUP); 1671 1672 if (zfsvfs->z_use_fuids && 1673 IS_EPHEMERAL(acl_ids->z_fgid)) { 1674 domain = zfs_fuid_idx_domain( 1675 &zfsvfs->z_fuid_idx, 1676 FUID_INDEX(acl_ids->z_fgid)); 1677 rid = FUID_RID(acl_ids->z_fgid); 1678 zfs_fuid_node_add(&acl_ids->z_fuidp, 1679 domain, rid, 1680 FUID_INDEX(acl_ids->z_fgid), 1681 acl_ids->z_fgid, ZFS_GROUP); 1682 } 1683 } else { 1684 acl_ids->z_fgid = zfs_fuid_create_cred(zfsvfs, 1685 ZFS_GROUP, cr, &acl_ids->z_fuidp); 1686#ifdef __FreeBSD_kernel__ 1687 gid = acl_ids->z_fgid = dzp->z_gid; 1688#else 1689 gid = crgetgid(cr); 1690#endif 1691 } 1692 } 1693 } 1694 1695 /* 1696 * If we're creating a directory, and the parent directory has the 1697 * set-GID bit set, set in on the new directory. 1698 * Otherwise, if the user is neither privileged nor a member of the 1699 * file's new group, clear the file's set-GID bit. 1700 */ 1701 1702 if (!(flag & IS_ROOT_NODE) && (dzp->z_mode & S_ISGID) && 1703 (vap->va_type == VDIR)) { 1704 acl_ids->z_mode |= S_ISGID; 1705 } else { 1706 if ((acl_ids->z_mode & S_ISGID) && 1707 secpolicy_vnode_setids_setgids(ZTOV(dzp), cr, gid) != 0) 1708 acl_ids->z_mode &= ~S_ISGID; 1709 } 1710 1711 if (acl_ids->z_aclp == NULL) { 1712 mutex_enter(&dzp->z_acl_lock); 1713 mutex_enter(&dzp->z_lock); 1714 if (!(flag & IS_ROOT_NODE) && 1715 (dzp->z_pflags & ZFS_INHERIT_ACE) && 1716 !(dzp->z_pflags & ZFS_XATTR)) { 1717 VERIFY(0 == zfs_acl_node_read(dzp, B_TRUE, 1718 &paclp, B_FALSE)); 1719 acl_ids->z_aclp = zfs_acl_inherit(zfsvfs, 1720 vap->va_type, paclp, acl_ids->z_mode, &need_chmod); 1721 inherited = B_TRUE; 1722 } else { 1723 acl_ids->z_aclp = 1724 zfs_acl_alloc(zfs_acl_version_zp(dzp)); 1725 acl_ids->z_aclp->z_hints |= ZFS_ACL_TRIVIAL; 1726 } 1727 mutex_exit(&dzp->z_lock); 1728 mutex_exit(&dzp->z_acl_lock); 1729 if (need_chmod) { 1730 acl_ids->z_aclp->z_hints |= (vap->va_type == VDIR) ? 1731 ZFS_ACL_AUTO_INHERIT : 0; 1732 zfs_acl_chmod(vap->va_type, acl_ids->z_mode, 1733 (zfsvfs->z_acl_inherit == ZFS_ACL_RESTRICTED), 1734 acl_ids->z_aclp); 1735 } 1736 } 1737 1738 if (inherited || vsecp) { 1739 acl_ids->z_mode = zfs_mode_compute(acl_ids->z_mode, 1740 acl_ids->z_aclp, &acl_ids->z_aclp->z_hints, 1741 acl_ids->z_fuid, acl_ids->z_fgid); 1742 if (ace_trivial_common(acl_ids->z_aclp, 0, zfs_ace_walk) == 0) 1743 acl_ids->z_aclp->z_hints |= ZFS_ACL_TRIVIAL; 1744 } 1745 1746 return (0); 1747} 1748 1749/* 1750 * Free ACL and fuid_infop, but not the acl_ids structure 1751 */ 1752void 1753zfs_acl_ids_free(zfs_acl_ids_t *acl_ids) 1754{ 1755 if (acl_ids->z_aclp) 1756 zfs_acl_free(acl_ids->z_aclp); 1757 if (acl_ids->z_fuidp) 1758 zfs_fuid_info_free(acl_ids->z_fuidp); 1759 acl_ids->z_aclp = NULL; 1760 acl_ids->z_fuidp = NULL; 1761} 1762 1763boolean_t 1764zfs_acl_ids_overquota(zfsvfs_t *zfsvfs, zfs_acl_ids_t *acl_ids) 1765{ 1766 return (zfs_fuid_overquota(zfsvfs, B_FALSE, acl_ids->z_fuid) || 1767 zfs_fuid_overquota(zfsvfs, B_TRUE, acl_ids->z_fgid)); 1768} 1769 1770/* 1771 * Retrieve a file's ACL 1772 */ 1773int 1774zfs_getacl(znode_t *zp, vsecattr_t *vsecp, boolean_t skipaclchk, cred_t *cr) 1775{ 1776 zfs_acl_t *aclp; 1777 ulong_t mask; 1778 int error; 1779 int count = 0; 1780 int largeace = 0; 1781 1782 mask = vsecp->vsa_mask & (VSA_ACE | VSA_ACECNT | 1783 VSA_ACE_ACLFLAGS | VSA_ACE_ALLTYPES); 1784 1785 if (mask == 0) 1786 return (SET_ERROR(ENOSYS)); 1787 1788 if (error = zfs_zaccess(zp, ACE_READ_ACL, 0, skipaclchk, cr)) 1789 return (error); 1790 1791 mutex_enter(&zp->z_acl_lock); 1792 1793 error = zfs_acl_node_read(zp, B_FALSE, &aclp, B_FALSE); 1794 if (error != 0) { 1795 mutex_exit(&zp->z_acl_lock); 1796 return (error); 1797 } 1798 1799 /* 1800 * Scan ACL to determine number of ACEs 1801 */ 1802 if ((zp->z_pflags & ZFS_ACL_OBJ_ACE) && !(mask & VSA_ACE_ALLTYPES)) { 1803 void *zacep = NULL; 1804 uint64_t who; 1805 uint32_t access_mask; 1806 uint16_t type, iflags; 1807 1808 while (zacep = zfs_acl_next_ace(aclp, zacep, 1809 &who, &access_mask, &iflags, &type)) { 1810 switch (type) { 1811 case ACE_ACCESS_ALLOWED_OBJECT_ACE_TYPE: 1812 case ACE_ACCESS_DENIED_OBJECT_ACE_TYPE: 1813 case ACE_SYSTEM_AUDIT_OBJECT_ACE_TYPE: 1814 case ACE_SYSTEM_ALARM_OBJECT_ACE_TYPE: 1815 largeace++; 1816 continue; 1817 default: 1818 count++; 1819 } 1820 } 1821 vsecp->vsa_aclcnt = count; 1822 } else 1823 count = (int)aclp->z_acl_count; 1824 1825 if (mask & VSA_ACECNT) { 1826 vsecp->vsa_aclcnt = count; 1827 } 1828 1829 if (mask & VSA_ACE) { 1830 size_t aclsz; 1831 1832 aclsz = count * sizeof (ace_t) + 1833 sizeof (ace_object_t) * largeace; 1834 1835 vsecp->vsa_aclentp = kmem_alloc(aclsz, KM_SLEEP); 1836 vsecp->vsa_aclentsz = aclsz; 1837 1838 if (aclp->z_version == ZFS_ACL_VERSION_FUID) 1839 zfs_copy_fuid_2_ace(zp->z_zfsvfs, aclp, cr, 1840 vsecp->vsa_aclentp, !(mask & VSA_ACE_ALLTYPES)); 1841 else { 1842 zfs_acl_node_t *aclnode; 1843 void *start = vsecp->vsa_aclentp; 1844 1845 for (aclnode = list_head(&aclp->z_acl); aclnode; 1846 aclnode = list_next(&aclp->z_acl, aclnode)) { 1847 bcopy(aclnode->z_acldata, start, 1848 aclnode->z_size); 1849 start = (caddr_t)start + aclnode->z_size; 1850 } 1851 ASSERT((caddr_t)start - (caddr_t)vsecp->vsa_aclentp == 1852 aclp->z_acl_bytes); 1853 } 1854 } 1855 if (mask & VSA_ACE_ACLFLAGS) { 1856 vsecp->vsa_aclflags = 0; 1857 if (zp->z_pflags & ZFS_ACL_DEFAULTED) 1858 vsecp->vsa_aclflags |= ACL_DEFAULTED; 1859 if (zp->z_pflags & ZFS_ACL_PROTECTED) 1860 vsecp->vsa_aclflags |= ACL_PROTECTED; 1861 if (zp->z_pflags & ZFS_ACL_AUTO_INHERIT) 1862 vsecp->vsa_aclflags |= ACL_AUTO_INHERIT; 1863 } 1864 1865 mutex_exit(&zp->z_acl_lock); 1866 1867 return (0); 1868} 1869 1870int 1871zfs_vsec_2_aclp(zfsvfs_t *zfsvfs, vtype_t obj_type, 1872 vsecattr_t *vsecp, cred_t *cr, zfs_fuid_info_t **fuidp, zfs_acl_t **zaclp) 1873{ 1874 zfs_acl_t *aclp; 1875 zfs_acl_node_t *aclnode; 1876 int aclcnt = vsecp->vsa_aclcnt; 1877 int error; 1878 1879 if (vsecp->vsa_aclcnt > MAX_ACL_ENTRIES || vsecp->vsa_aclcnt <= 0) 1880 return (SET_ERROR(EINVAL)); 1881 1882 aclp = zfs_acl_alloc(zfs_acl_version(zfsvfs->z_version)); 1883 1884 aclp->z_hints = 0; 1885 aclnode = zfs_acl_node_alloc(aclcnt * sizeof (zfs_object_ace_t)); 1886 if (aclp->z_version == ZFS_ACL_VERSION_INITIAL) { 1887 if ((error = zfs_copy_ace_2_oldace(obj_type, aclp, 1888 (ace_t *)vsecp->vsa_aclentp, aclnode->z_acldata, 1889 aclcnt, &aclnode->z_size)) != 0) { 1890 zfs_acl_free(aclp); 1891 zfs_acl_node_free(aclnode); 1892 return (error); 1893 } 1894 } else { 1895 if ((error = zfs_copy_ace_2_fuid(zfsvfs, obj_type, aclp, 1896 vsecp->vsa_aclentp, aclnode->z_acldata, aclcnt, 1897 &aclnode->z_size, fuidp, cr)) != 0) { 1898 zfs_acl_free(aclp); 1899 zfs_acl_node_free(aclnode); 1900 return (error); 1901 } 1902 } 1903 aclp->z_acl_bytes = aclnode->z_size; 1904 aclnode->z_ace_count = aclcnt; 1905 aclp->z_acl_count = aclcnt; 1906 list_insert_head(&aclp->z_acl, aclnode); 1907 1908 /* 1909 * If flags are being set then add them to z_hints 1910 */ 1911 if (vsecp->vsa_mask & VSA_ACE_ACLFLAGS) { 1912 if (vsecp->vsa_aclflags & ACL_PROTECTED) 1913 aclp->z_hints |= ZFS_ACL_PROTECTED; 1914 if (vsecp->vsa_aclflags & ACL_DEFAULTED) 1915 aclp->z_hints |= ZFS_ACL_DEFAULTED; 1916 if (vsecp->vsa_aclflags & ACL_AUTO_INHERIT) 1917 aclp->z_hints |= ZFS_ACL_AUTO_INHERIT; 1918 } 1919 1920 *zaclp = aclp; 1921 1922 return (0); 1923} 1924 1925/* 1926 * Set a file's ACL 1927 */ 1928int 1929zfs_setacl(znode_t *zp, vsecattr_t *vsecp, boolean_t skipaclchk, cred_t *cr) 1930{ 1931 zfsvfs_t *zfsvfs = zp->z_zfsvfs; 1932 zilog_t *zilog = zfsvfs->z_log; 1933 ulong_t mask = vsecp->vsa_mask & (VSA_ACE | VSA_ACECNT); 1934 dmu_tx_t *tx; 1935 int error; 1936 zfs_acl_t *aclp; 1937 zfs_fuid_info_t *fuidp = NULL; 1938 boolean_t fuid_dirtied; 1939 uint64_t acl_obj; 1940 1941 if (mask == 0) 1942 return (SET_ERROR(ENOSYS)); 1943 1944 if (zp->z_pflags & ZFS_IMMUTABLE) 1945 return (SET_ERROR(EPERM)); 1946 1947 if (error = zfs_zaccess(zp, ACE_WRITE_ACL, 0, skipaclchk, cr)) 1948 return (error); 1949 1950 error = zfs_vsec_2_aclp(zfsvfs, ZTOV(zp)->v_type, vsecp, cr, &fuidp, 1951 &aclp); 1952 if (error) 1953 return (error); 1954 1955 /* 1956 * If ACL wide flags aren't being set then preserve any 1957 * existing flags. 1958 */ 1959 if (!(vsecp->vsa_mask & VSA_ACE_ACLFLAGS)) { 1960 aclp->z_hints |= 1961 (zp->z_pflags & V4_ACL_WIDE_FLAGS); 1962 } 1963top: 1964 mutex_enter(&zp->z_acl_lock); 1965 mutex_enter(&zp->z_lock); 1966 1967 tx = dmu_tx_create(zfsvfs->z_os); 1968 1969 dmu_tx_hold_sa(tx, zp->z_sa_hdl, B_TRUE); 1970 1971 fuid_dirtied = zfsvfs->z_fuid_dirty; 1972 if (fuid_dirtied) 1973 zfs_fuid_txhold(zfsvfs, tx); 1974 1975 /* 1976 * If old version and ACL won't fit in bonus and we aren't 1977 * upgrading then take out necessary DMU holds 1978 */ 1979 1980 if ((acl_obj = zfs_external_acl(zp)) != 0) { 1981 if (zfsvfs->z_version >= ZPL_VERSION_FUID && 1982 zfs_znode_acl_version(zp) <= ZFS_ACL_VERSION_INITIAL) { 1983 dmu_tx_hold_free(tx, acl_obj, 0, 1984 DMU_OBJECT_END); 1985 dmu_tx_hold_write(tx, DMU_NEW_OBJECT, 0, 1986 aclp->z_acl_bytes); 1987 } else { 1988 dmu_tx_hold_write(tx, acl_obj, 0, aclp->z_acl_bytes); 1989 } 1990 } else if (!zp->z_is_sa && aclp->z_acl_bytes > ZFS_ACE_SPACE) { 1991 dmu_tx_hold_write(tx, DMU_NEW_OBJECT, 0, aclp->z_acl_bytes); 1992 } 1993 1994 zfs_sa_upgrade_txholds(tx, zp); 1995 error = dmu_tx_assign(tx, TXG_NOWAIT); 1996 if (error) { 1997 mutex_exit(&zp->z_acl_lock); 1998 mutex_exit(&zp->z_lock); 1999 2000 if (error == ERESTART) { 2001 dmu_tx_wait(tx); 2002 dmu_tx_abort(tx); 2003 goto top; 2004 } 2005 dmu_tx_abort(tx); 2006 zfs_acl_free(aclp); 2007 return (error); 2008 } 2009 2010 error = zfs_aclset_common(zp, aclp, cr, tx); 2011 ASSERT(error == 0); 2012 ASSERT(zp->z_acl_cached == NULL); 2013 zp->z_acl_cached = aclp; 2014 2015 if (fuid_dirtied) 2016 zfs_fuid_sync(zfsvfs, tx); 2017 2018 zfs_log_acl(zilog, tx, zp, vsecp, fuidp); 2019 2020 if (fuidp) 2021 zfs_fuid_info_free(fuidp); 2022 dmu_tx_commit(tx); 2023done: 2024 mutex_exit(&zp->z_lock); 2025 mutex_exit(&zp->z_acl_lock); 2026 2027 return (error); 2028} 2029 2030/* 2031 * Check accesses of interest (AoI) against attributes of the dataset 2032 * such as read-only. Returns zero if no AoI conflict with dataset 2033 * attributes, otherwise an appropriate errno is returned. 2034 */ 2035static int 2036zfs_zaccess_dataset_check(znode_t *zp, uint32_t v4_mode) 2037{ 2038 if ((v4_mode & WRITE_MASK) && 2039 (zp->z_zfsvfs->z_vfs->vfs_flag & VFS_RDONLY) && 2040 (!IS_DEVVP(ZTOV(zp)) || 2041 (IS_DEVVP(ZTOV(zp)) && (v4_mode & WRITE_MASK_ATTRS)))) { 2042 return (SET_ERROR(EROFS)); 2043 } 2044 2045 /* 2046 * Only check for READONLY on non-directories. 2047 */ 2048 if ((v4_mode & WRITE_MASK_DATA) && 2049 (((ZTOV(zp)->v_type != VDIR) && 2050 (zp->z_pflags & (ZFS_READONLY | ZFS_IMMUTABLE))) || 2051 (ZTOV(zp)->v_type == VDIR && 2052 (zp->z_pflags & ZFS_IMMUTABLE)))) { 2053 return (SET_ERROR(EPERM)); 2054 } 2055 2056#ifdef illumos 2057 if ((v4_mode & (ACE_DELETE | ACE_DELETE_CHILD)) && 2058 (zp->z_pflags & ZFS_NOUNLINK)) { 2059 return (SET_ERROR(EPERM)); 2060 } 2061#else 2062 /* 2063 * In FreeBSD we allow to modify directory's content is ZFS_NOUNLINK 2064 * (sunlnk) is set. We just don't allow directory removal, which is 2065 * handled in zfs_zaccess_delete(). 2066 */ 2067 if ((v4_mode & ACE_DELETE) && 2068 (zp->z_pflags & ZFS_NOUNLINK)) { 2069 return (EPERM); 2070 } 2071#endif 2072 2073 if (((v4_mode & (ACE_READ_DATA|ACE_EXECUTE)) && 2074 (zp->z_pflags & ZFS_AV_QUARANTINED))) { 2075 return (SET_ERROR(EACCES)); 2076 } 2077 2078 return (0); 2079} 2080 2081/* 2082 * The primary usage of this function is to loop through all of the 2083 * ACEs in the znode, determining what accesses of interest (AoI) to 2084 * the caller are allowed or denied. The AoI are expressed as bits in 2085 * the working_mode parameter. As each ACE is processed, bits covered 2086 * by that ACE are removed from the working_mode. This removal 2087 * facilitates two things. The first is that when the working mode is 2088 * empty (= 0), we know we've looked at all the AoI. The second is 2089 * that the ACE interpretation rules don't allow a later ACE to undo 2090 * something granted or denied by an earlier ACE. Removing the 2091 * discovered access or denial enforces this rule. At the end of 2092 * processing the ACEs, all AoI that were found to be denied are 2093 * placed into the working_mode, giving the caller a mask of denied 2094 * accesses. Returns: 2095 * 0 if all AoI granted 2096 * EACCESS if the denied mask is non-zero 2097 * other error if abnormal failure (e.g., IO error) 2098 * 2099 * A secondary usage of the function is to determine if any of the 2100 * AoI are granted. If an ACE grants any access in 2101 * the working_mode, we immediately short circuit out of the function. 2102 * This mode is chosen by setting anyaccess to B_TRUE. The 2103 * working_mode is not a denied access mask upon exit if the function 2104 * is used in this manner. 2105 */ 2106static int 2107zfs_zaccess_aces_check(znode_t *zp, uint32_t *working_mode, 2108 boolean_t anyaccess, cred_t *cr) 2109{ 2110 zfsvfs_t *zfsvfs = zp->z_zfsvfs; 2111 zfs_acl_t *aclp; 2112 int error; 2113 uid_t uid = crgetuid(cr); 2114 uint64_t who; 2115 uint16_t type, iflags; 2116 uint16_t entry_type; 2117 uint32_t access_mask; 2118 uint32_t deny_mask = 0; 2119 zfs_ace_hdr_t *acep = NULL; 2120 boolean_t checkit; 2121 uid_t gowner; 2122 uid_t fowner; 2123 2124 zfs_fuid_map_ids(zp, cr, &fowner, &gowner); 2125 2126 mutex_enter(&zp->z_acl_lock); 2127 2128 error = zfs_acl_node_read(zp, B_FALSE, &aclp, B_FALSE); 2129 if (error != 0) { 2130 mutex_exit(&zp->z_acl_lock); 2131 return (error); 2132 } 2133 2134 ASSERT(zp->z_acl_cached); 2135 2136 while (acep = zfs_acl_next_ace(aclp, acep, &who, &access_mask, 2137 &iflags, &type)) { 2138 uint32_t mask_matched; 2139 2140 if (!zfs_acl_valid_ace_type(type, iflags)) 2141 continue; 2142 2143 if (ZTOV(zp)->v_type == VDIR && (iflags & ACE_INHERIT_ONLY_ACE)) 2144 continue; 2145 2146 /* Skip ACE if it does not affect any AoI */ 2147 mask_matched = (access_mask & *working_mode); 2148 if (!mask_matched) 2149 continue; 2150 2151 entry_type = (iflags & ACE_TYPE_FLAGS); 2152 2153 checkit = B_FALSE; 2154 2155 switch (entry_type) { 2156 case ACE_OWNER: 2157 if (uid == fowner) 2158 checkit = B_TRUE; 2159 break; 2160 case OWNING_GROUP: 2161 who = gowner; 2162 /*FALLTHROUGH*/ 2163 case ACE_IDENTIFIER_GROUP: 2164 checkit = zfs_groupmember(zfsvfs, who, cr); 2165 break; 2166 case ACE_EVERYONE: 2167 checkit = B_TRUE; 2168 break; 2169 2170 /* USER Entry */ 2171 default: 2172 if (entry_type == 0) { 2173 uid_t newid; 2174 2175 newid = zfs_fuid_map_id(zfsvfs, who, cr, 2176 ZFS_ACE_USER); 2177 if (newid != IDMAP_WK_CREATOR_OWNER_UID && 2178 uid == newid) 2179 checkit = B_TRUE; 2180 break; 2181 } else { 2182 mutex_exit(&zp->z_acl_lock); 2183 return (SET_ERROR(EIO)); 2184 } 2185 } 2186 2187 if (checkit) { 2188 if (type == DENY) { 2189 DTRACE_PROBE3(zfs__ace__denies, 2190 znode_t *, zp, 2191 zfs_ace_hdr_t *, acep, 2192 uint32_t, mask_matched); 2193 deny_mask |= mask_matched; 2194 } else { 2195 DTRACE_PROBE3(zfs__ace__allows, 2196 znode_t *, zp, 2197 zfs_ace_hdr_t *, acep, 2198 uint32_t, mask_matched); 2199 if (anyaccess) { 2200 mutex_exit(&zp->z_acl_lock); 2201 return (0); 2202 } 2203 } 2204 *working_mode &= ~mask_matched; 2205 } 2206 2207 /* Are we done? */ 2208 if (*working_mode == 0) 2209 break; 2210 } 2211 2212 mutex_exit(&zp->z_acl_lock); 2213 2214 /* Put the found 'denies' back on the working mode */ 2215 if (deny_mask) { 2216 *working_mode |= deny_mask; 2217 return (SET_ERROR(EACCES)); 2218 } else if (*working_mode) { 2219 return (-1); 2220 } 2221 2222 return (0); 2223} 2224 2225/* 2226 * Return true if any access whatsoever granted, we don't actually 2227 * care what access is granted. 2228 */ 2229boolean_t 2230zfs_has_access(znode_t *zp, cred_t *cr) 2231{ 2232 uint32_t have = ACE_ALL_PERMS; 2233 2234 if (zfs_zaccess_aces_check(zp, &have, B_TRUE, cr) != 0) { 2235 uid_t owner; 2236 2237 owner = zfs_fuid_map_id(zp->z_zfsvfs, zp->z_uid, cr, ZFS_OWNER); 2238 return (secpolicy_vnode_any_access(cr, ZTOV(zp), owner) == 0); 2239 } 2240 return (B_TRUE); 2241} 2242 2243static int 2244zfs_zaccess_common(znode_t *zp, uint32_t v4_mode, uint32_t *working_mode, 2245 boolean_t *check_privs, boolean_t skipaclchk, cred_t *cr) 2246{ 2247 zfsvfs_t *zfsvfs = zp->z_zfsvfs; 2248 int err; 2249 2250 *working_mode = v4_mode; 2251 *check_privs = B_TRUE; 2252 2253 /* 2254 * Short circuit empty requests 2255 */ 2256 if (v4_mode == 0 || zfsvfs->z_replay) { 2257 *working_mode = 0; 2258 return (0); 2259 } 2260 2261 if ((err = zfs_zaccess_dataset_check(zp, v4_mode)) != 0) { 2262 *check_privs = B_FALSE; 2263 return (err); 2264 } 2265 2266 /* 2267 * The caller requested that the ACL check be skipped. This 2268 * would only happen if the caller checked VOP_ACCESS() with a 2269 * 32 bit ACE mask and already had the appropriate permissions. 2270 */ 2271 if (skipaclchk) { 2272 *working_mode = 0; 2273 return (0); 2274 } 2275 2276 return (zfs_zaccess_aces_check(zp, working_mode, B_FALSE, cr)); 2277} 2278 2279static int 2280zfs_zaccess_append(znode_t *zp, uint32_t *working_mode, boolean_t *check_privs, 2281 cred_t *cr) 2282{ 2283 if (*working_mode != ACE_WRITE_DATA) 2284 return (SET_ERROR(EACCES)); 2285 2286 return (zfs_zaccess_common(zp, ACE_APPEND_DATA, working_mode, 2287 check_privs, B_FALSE, cr)); 2288} 2289 2290int 2291zfs_fastaccesschk_execute(znode_t *zdp, cred_t *cr) 2292{ 2293 boolean_t owner = B_FALSE; 2294 boolean_t groupmbr = B_FALSE; 2295 boolean_t is_attr; 2296 uid_t uid = crgetuid(cr); 2297 int error; 2298 2299 if (zdp->z_pflags & ZFS_AV_QUARANTINED) 2300 return (SET_ERROR(EACCES)); 2301 2302 is_attr = ((zdp->z_pflags & ZFS_XATTR) && 2303 (ZTOV(zdp)->v_type == VDIR)); 2304 if (is_attr) 2305 goto slow; 2306 2307 2308 mutex_enter(&zdp->z_acl_lock); 2309 2310 if (zdp->z_pflags & ZFS_NO_EXECS_DENIED) { 2311 mutex_exit(&zdp->z_acl_lock); 2312 return (0); 2313 } 2314 2315 if (FUID_INDEX(zdp->z_uid) != 0 || FUID_INDEX(zdp->z_gid) != 0) { 2316 mutex_exit(&zdp->z_acl_lock); 2317 goto slow; 2318 } 2319 2320 if (uid == zdp->z_uid) { 2321 owner = B_TRUE; 2322 if (zdp->z_mode & S_IXUSR) { 2323 mutex_exit(&zdp->z_acl_lock); 2324 return (0); 2325 } else { 2326 mutex_exit(&zdp->z_acl_lock); 2327 goto slow; 2328 } 2329 } 2330 if (groupmember(zdp->z_gid, cr)) { 2331 groupmbr = B_TRUE; 2332 if (zdp->z_mode & S_IXGRP) { 2333 mutex_exit(&zdp->z_acl_lock); 2334 return (0); 2335 } else { 2336 mutex_exit(&zdp->z_acl_lock); 2337 goto slow; 2338 } 2339 } 2340 if (!owner && !groupmbr) { 2341 if (zdp->z_mode & S_IXOTH) { 2342 mutex_exit(&zdp->z_acl_lock); 2343 return (0); 2344 } 2345 } 2346 2347 mutex_exit(&zdp->z_acl_lock); 2348 2349slow: 2350 DTRACE_PROBE(zfs__fastpath__execute__access__miss); 2351 ZFS_ENTER(zdp->z_zfsvfs); 2352 error = zfs_zaccess(zdp, ACE_EXECUTE, 0, B_FALSE, cr); 2353 ZFS_EXIT(zdp->z_zfsvfs); 2354 return (error); 2355} 2356 2357/* 2358 * Determine whether Access should be granted/denied. 2359 * 2360 * The least priv subsytem is always consulted as a basic privilege 2361 * can define any form of access. 2362 */ 2363int 2364zfs_zaccess(znode_t *zp, int mode, int flags, boolean_t skipaclchk, cred_t *cr) 2365{ 2366 uint32_t working_mode; 2367 int error; 2368 int is_attr; 2369 boolean_t check_privs; 2370 znode_t *xzp; 2371 znode_t *check_zp = zp; 2372 mode_t needed_bits; 2373 uid_t owner; 2374 2375 is_attr = ((zp->z_pflags & ZFS_XATTR) && (ZTOV(zp)->v_type == VDIR)); 2376 2377#ifdef __FreeBSD_kernel__ 2378 /* 2379 * In FreeBSD, we don't care about permissions of individual ADS. 2380 * Note that not checking them is not just an optimization - without 2381 * this shortcut, EA operations may bogusly fail with EACCES. 2382 */ 2383 if (zp->z_pflags & ZFS_XATTR) 2384 return (0); 2385#else 2386 /* 2387 * If attribute then validate against base file 2388 */ 2389 if (is_attr) { 2390 uint64_t parent; 2391 2392 if ((error = sa_lookup(zp->z_sa_hdl, 2393 SA_ZPL_PARENT(zp->z_zfsvfs), &parent, 2394 sizeof (parent))) != 0) 2395 return (error); 2396 2397 if ((error = zfs_zget(zp->z_zfsvfs, 2398 parent, &xzp)) != 0) { 2399 return (error); 2400 } 2401 2402 check_zp = xzp; 2403 2404 /* 2405 * fixup mode to map to xattr perms 2406 */ 2407 2408 if (mode & (ACE_WRITE_DATA|ACE_APPEND_DATA)) { 2409 mode &= ~(ACE_WRITE_DATA|ACE_APPEND_DATA); 2410 mode |= ACE_WRITE_NAMED_ATTRS; 2411 } 2412 2413 if (mode & (ACE_READ_DATA|ACE_EXECUTE)) { 2414 mode &= ~(ACE_READ_DATA|ACE_EXECUTE); 2415 mode |= ACE_READ_NAMED_ATTRS; 2416 } 2417 } 2418#endif 2419 2420 owner = zfs_fuid_map_id(zp->z_zfsvfs, zp->z_uid, cr, ZFS_OWNER); 2421 /* 2422 * Map the bits required to the standard vnode flags VREAD|VWRITE|VEXEC 2423 * in needed_bits. Map the bits mapped by working_mode (currently 2424 * missing) in missing_bits. 2425 * Call secpolicy_vnode_access2() with (needed_bits & ~checkmode), 2426 * needed_bits. 2427 */ 2428 needed_bits = 0; 2429 2430 working_mode = mode; 2431 if ((working_mode & (ACE_READ_ACL|ACE_READ_ATTRIBUTES)) && 2432 owner == crgetuid(cr)) 2433 working_mode &= ~(ACE_READ_ACL|ACE_READ_ATTRIBUTES); 2434 2435 if (working_mode & (ACE_READ_DATA|ACE_READ_NAMED_ATTRS| 2436 ACE_READ_ACL|ACE_READ_ATTRIBUTES|ACE_SYNCHRONIZE)) 2437 needed_bits |= VREAD; 2438 if (working_mode & (ACE_WRITE_DATA|ACE_WRITE_NAMED_ATTRS| 2439 ACE_APPEND_DATA|ACE_WRITE_ATTRIBUTES|ACE_SYNCHRONIZE)) 2440 needed_bits |= VWRITE; 2441 if (working_mode & ACE_EXECUTE) 2442 needed_bits |= VEXEC; 2443 2444 if ((error = zfs_zaccess_common(check_zp, mode, &working_mode, 2445 &check_privs, skipaclchk, cr)) == 0) { 2446 if (is_attr) 2447 VN_RELE(ZTOV(xzp)); 2448 return (secpolicy_vnode_access2(cr, ZTOV(zp), owner, 2449 needed_bits, needed_bits)); 2450 } 2451 2452 if (error && !check_privs) { 2453 if (is_attr) 2454 VN_RELE(ZTOV(xzp)); 2455 return (error); 2456 } 2457 2458 if (error && (flags & V_APPEND)) { 2459 error = zfs_zaccess_append(zp, &working_mode, &check_privs, cr); 2460 } 2461 2462 if (error && check_privs) { 2463 mode_t checkmode = 0; 2464 2465 /* 2466 * First check for implicit owner permission on 2467 * read_acl/read_attributes 2468 */ 2469 2470 error = 0; 2471 ASSERT(working_mode != 0); 2472 2473 if ((working_mode & (ACE_READ_ACL|ACE_READ_ATTRIBUTES) && 2474 owner == crgetuid(cr))) 2475 working_mode &= ~(ACE_READ_ACL|ACE_READ_ATTRIBUTES); 2476 2477 if (working_mode & (ACE_READ_DATA|ACE_READ_NAMED_ATTRS| 2478 ACE_READ_ACL|ACE_READ_ATTRIBUTES|ACE_SYNCHRONIZE)) 2479 checkmode |= VREAD; 2480 if (working_mode & (ACE_WRITE_DATA|ACE_WRITE_NAMED_ATTRS| 2481 ACE_APPEND_DATA|ACE_WRITE_ATTRIBUTES|ACE_SYNCHRONIZE)) 2482 checkmode |= VWRITE; 2483 if (working_mode & ACE_EXECUTE) 2484 checkmode |= VEXEC; 2485 2486 error = secpolicy_vnode_access2(cr, ZTOV(check_zp), owner, 2487 needed_bits & ~checkmode, needed_bits); 2488 2489 if (error == 0 && (working_mode & ACE_WRITE_OWNER)) 2490 error = secpolicy_vnode_chown(ZTOV(check_zp), cr, owner); 2491 if (error == 0 && (working_mode & ACE_WRITE_ACL)) 2492 error = secpolicy_vnode_setdac(ZTOV(check_zp), cr, owner); 2493 2494 if (error == 0 && (working_mode & 2495 (ACE_DELETE|ACE_DELETE_CHILD))) 2496 error = secpolicy_vnode_remove(ZTOV(check_zp), cr); 2497 2498 if (error == 0 && (working_mode & ACE_SYNCHRONIZE)) { 2499 error = secpolicy_vnode_chown(ZTOV(check_zp), cr, owner); 2500 } 2501 if (error == 0) { 2502 /* 2503 * See if any bits other than those already checked 2504 * for are still present. If so then return EACCES 2505 */ 2506 if (working_mode & ~(ZFS_CHECKED_MASKS)) { 2507 error = SET_ERROR(EACCES); 2508 } 2509 } 2510 } else if (error == 0) { 2511 error = secpolicy_vnode_access2(cr, ZTOV(zp), owner, 2512 needed_bits, needed_bits); 2513 } 2514 2515 2516 if (is_attr) 2517 VN_RELE(ZTOV(xzp)); 2518 2519 return (error); 2520} 2521 2522/* 2523 * Translate traditional unix VREAD/VWRITE/VEXEC mode into 2524 * native ACL format and call zfs_zaccess() 2525 */ 2526int 2527zfs_zaccess_rwx(znode_t *zp, mode_t mode, int flags, cred_t *cr) 2528{ 2529 return (zfs_zaccess(zp, zfs_unix_to_v4(mode >> 6), flags, B_FALSE, cr)); 2530} 2531 2532/* 2533 * Access function for secpolicy_vnode_setattr 2534 */ 2535int 2536zfs_zaccess_unix(znode_t *zp, mode_t mode, cred_t *cr) 2537{ 2538 int v4_mode = zfs_unix_to_v4(mode >> 6); 2539 2540 return (zfs_zaccess(zp, v4_mode, 0, B_FALSE, cr)); 2541} 2542 2543static int 2544zfs_delete_final_check(znode_t *zp, znode_t *dzp, 2545 mode_t available_perms, cred_t *cr) 2546{ 2547 int error; 2548 uid_t downer; 2549 2550 downer = zfs_fuid_map_id(dzp->z_zfsvfs, dzp->z_uid, cr, ZFS_OWNER); 2551 2552 error = secpolicy_vnode_access2(cr, ZTOV(dzp), 2553 downer, available_perms, VWRITE|VEXEC); 2554 2555 if (error == 0) 2556 error = zfs_sticky_remove_access(dzp, zp, cr); 2557 2558 return (error); 2559} 2560 2561/* 2562 * Determine whether Access should be granted/deny, without 2563 * consulting least priv subsystem. 2564 * 2565 * The following chart is the recommended NFSv4 enforcement for 2566 * ability to delete an object. 2567 * 2568 * ------------------------------------------------------- 2569 * | Parent Dir | Target Object Permissions | 2570 * | permissions | | 2571 * ------------------------------------------------------- 2572 * | | ACL Allows | ACL Denies| Delete | 2573 * | | Delete | Delete | unspecified| 2574 * ------------------------------------------------------- 2575 * | ACL Allows | Permit | Permit | Permit | 2576 * | DELETE_CHILD | | 2577 * ------------------------------------------------------- 2578 * | ACL Denies | Permit | Deny | Deny | 2579 * | DELETE_CHILD | | | | 2580 * ------------------------------------------------------- 2581 * | ACL specifies | | | | 2582 * | only allow | Permit | Permit | Permit | 2583 * | write and | | | | 2584 * | execute | | | | 2585 * ------------------------------------------------------- 2586 * | ACL denies | | | | 2587 * | write and | Permit | Deny | Deny | 2588 * | execute | | | | 2589 * ------------------------------------------------------- 2590 * ^ 2591 * | 2592 * No search privilege, can't even look up file? 2593 * 2594 */ 2595int 2596zfs_zaccess_delete(znode_t *dzp, znode_t *zp, cred_t *cr) 2597{ 2598 uint32_t dzp_working_mode = 0; 2599 uint32_t zp_working_mode = 0; 2600 int dzp_error, zp_error; 2601 mode_t available_perms; 2602 boolean_t dzpcheck_privs = B_TRUE; 2603 boolean_t zpcheck_privs = B_TRUE; 2604 2605 /* 2606 * We want specific DELETE permissions to 2607 * take precedence over WRITE/EXECUTE. We don't 2608 * want an ACL such as this to mess us up. 2609 * user:joe:write_data:deny,user:joe:delete:allow 2610 * 2611 * However, deny permissions may ultimately be overridden 2612 * by secpolicy_vnode_access(). 2613 * 2614 * We will ask for all of the necessary permissions and then 2615 * look at the working modes from the directory and target object 2616 * to determine what was found. 2617 */ 2618 2619 if (zp->z_pflags & (ZFS_IMMUTABLE | ZFS_NOUNLINK)) 2620 return (SET_ERROR(EPERM)); 2621 2622 /* 2623 * First row 2624 * If the directory permissions allow the delete, we are done. 2625 */ 2626 if ((dzp_error = zfs_zaccess_common(dzp, ACE_DELETE_CHILD, 2627 &dzp_working_mode, &dzpcheck_privs, B_FALSE, cr)) == 0) 2628 return (0); 2629 2630 /* 2631 * If target object has delete permission then we are done 2632 */ 2633 if ((zp_error = zfs_zaccess_common(zp, ACE_DELETE, &zp_working_mode, 2634 &zpcheck_privs, B_FALSE, cr)) == 0) 2635 return (0); 2636 2637 ASSERT(dzp_error && zp_error); 2638 2639 if (!dzpcheck_privs) 2640 return (dzp_error); 2641 if (!zpcheck_privs) 2642 return (zp_error); 2643 2644 /* 2645 * Second row 2646 * 2647 * If directory returns EACCES then delete_child was denied 2648 * due to deny delete_child. In this case send the request through 2649 * secpolicy_vnode_remove(). We don't use zfs_delete_final_check() 2650 * since that *could* allow the delete based on write/execute permission 2651 * and we want delete permissions to override write/execute. 2652 */ 2653 2654 if (dzp_error == EACCES) 2655 return (secpolicy_vnode_remove(ZTOV(dzp), cr)); /* XXXPJD: s/dzp/zp/ ? */ 2656 2657 /* 2658 * Third Row 2659 * only need to see if we have write/execute on directory. 2660 */ 2661 2662 dzp_error = zfs_zaccess_common(dzp, ACE_EXECUTE|ACE_WRITE_DATA, 2663 &dzp_working_mode, &dzpcheck_privs, B_FALSE, cr); 2664 2665 if (dzp_error != 0 && !dzpcheck_privs) 2666 return (dzp_error); 2667 2668 /* 2669 * Fourth row 2670 */ 2671 2672 available_perms = (dzp_working_mode & ACE_WRITE_DATA) ? 0 : VWRITE; 2673 available_perms |= (dzp_working_mode & ACE_EXECUTE) ? 0 : VEXEC; 2674 2675 return (zfs_delete_final_check(zp, dzp, available_perms, cr)); 2676 2677} 2678 2679int 2680zfs_zaccess_rename(znode_t *sdzp, znode_t *szp, znode_t *tdzp, 2681 znode_t *tzp, cred_t *cr) 2682{ 2683 int add_perm; 2684 int error; 2685 2686 if (szp->z_pflags & ZFS_AV_QUARANTINED) 2687 return (SET_ERROR(EACCES)); 2688 2689 add_perm = (ZTOV(szp)->v_type == VDIR) ? 2690 ACE_ADD_SUBDIRECTORY : ACE_ADD_FILE; 2691 2692 /* 2693 * Rename permissions are combination of delete permission + 2694 * add file/subdir permission. 2695 * 2696 * BSD operating systems also require write permission 2697 * on the directory being moved from one parent directory 2698 * to another. 2699 */ 2700 if (ZTOV(szp)->v_type == VDIR && ZTOV(sdzp) != ZTOV(tdzp)) { 2701 if (error = zfs_zaccess(szp, ACE_WRITE_DATA, 0, B_FALSE, cr)) 2702 return (error); 2703 } 2704 2705 /* 2706 * first make sure we do the delete portion. 2707 * 2708 * If that succeeds then check for add_file/add_subdir permissions 2709 */ 2710 2711 if (error = zfs_zaccess_delete(sdzp, szp, cr)) 2712 return (error); 2713 2714 /* 2715 * If we have a tzp, see if we can delete it? 2716 */ 2717 if (tzp) { 2718 if (error = zfs_zaccess_delete(tdzp, tzp, cr)) 2719 return (error); 2720 } 2721 2722 /* 2723 * Now check for add permissions 2724 */ 2725 error = zfs_zaccess(tdzp, add_perm, 0, B_FALSE, cr); 2726 2727 return (error); 2728} 2729