1 /* 2 * CDDL HEADER START 3 * 4 * The contents of this file are subject to the terms of the 5 * Common Development and Distribution License (the "License"). 6 * You may not use this file except in compliance with the License. 7 * 8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE 9 * or http://www.opensolaris.org/os/licensing. 10 * See the License for the specific language governing permissions 11 * and limitations under the License. 12 * 13 * When distributing Covered Code, include this CDDL HEADER in each 14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE. 15 * If applicable, add the following below this CDDL HEADER, with the 16 * fields enclosed by brackets "[]" replaced with your own identifying 17 * information: Portions Copyright [yyyy] [name of copyright owner] 18 * 19 * CDDL HEADER END 20 */ 21 /* 22 * Copyright (c) 2005, 2010, Oracle and/or its affiliates. All rights reserved. 23 */ 24 25 #include <sys/types.h> 26 #include <sys/param.h> 27 #include <sys/time.h> 28 #include <sys/systm.h> 29 #include <sys/sysmacros.h> 30 #include <sys/resource.h> 31 #include <sys/vfs.h> 32 #include <sys/vnode.h> 33 #include <sys/sid.h> 34 #include <sys/file.h> 35 #include <sys/stat.h> 36 #include <sys/kmem.h> 37 #include <sys/cmn_err.h> 38 #include <sys/errno.h> 39 #include <sys/unistd.h> 40 #include <sys/sdt.h> 41 #include <sys/fs/zfs.h> 42 #include <sys/mode.h> 43 #include <sys/policy.h> 44 #include <sys/zfs_znode.h> 45 #include <sys/zfs_fuid.h> 46 #include <sys/zfs_acl.h> 47 #include <sys/zfs_dir.h> 48 #include <sys/zfs_vfsops.h> 49 #include <sys/dmu.h> 50 #include <sys/dnode.h> 51 #include <sys/zap.h> 52 #include <sys/sa.h> 53 #include "fs/fs_subr.h" 54 #include <acl/acl_common.h> 55 56 #define ALLOW ACE_ACCESS_ALLOWED_ACE_TYPE 57 #define DENY ACE_ACCESS_DENIED_ACE_TYPE 58 #define MAX_ACE_TYPE ACE_SYSTEM_ALARM_CALLBACK_OBJECT_ACE_TYPE 59 #define MIN_ACE_TYPE ALLOW 60 61 #define OWNING_GROUP (ACE_GROUP|ACE_IDENTIFIER_GROUP) 62 #define EVERYONE_ALLOW_MASK (ACE_READ_ACL|ACE_READ_ATTRIBUTES | \ 63 ACE_READ_NAMED_ATTRS|ACE_SYNCHRONIZE) 64 #define EVERYONE_DENY_MASK (ACE_WRITE_ACL|ACE_WRITE_OWNER | \ 65 ACE_WRITE_ATTRIBUTES|ACE_WRITE_NAMED_ATTRS) 66 #define OWNER_ALLOW_MASK (ACE_WRITE_ACL | ACE_WRITE_OWNER | \ 67 ACE_WRITE_ATTRIBUTES|ACE_WRITE_NAMED_ATTRS) 68 69 #define ZFS_CHECKED_MASKS (ACE_READ_ACL|ACE_READ_ATTRIBUTES|ACE_READ_DATA| \ 70 ACE_READ_NAMED_ATTRS|ACE_WRITE_DATA|ACE_WRITE_ATTRIBUTES| \ 71 ACE_WRITE_NAMED_ATTRS|ACE_APPEND_DATA|ACE_EXECUTE|ACE_WRITE_OWNER| \ 72 ACE_WRITE_ACL|ACE_DELETE|ACE_DELETE_CHILD|ACE_SYNCHRONIZE) 73 74 #define WRITE_MASK_DATA (ACE_WRITE_DATA|ACE_APPEND_DATA|ACE_WRITE_NAMED_ATTRS) 75 #define WRITE_MASK_ATTRS (ACE_WRITE_ACL|ACE_WRITE_OWNER|ACE_WRITE_ATTRIBUTES| \ 76 ACE_DELETE|ACE_DELETE_CHILD) 77 #define WRITE_MASK (WRITE_MASK_DATA|WRITE_MASK_ATTRS) 78 79 #define OGE_CLEAR (ACE_READ_DATA|ACE_LIST_DIRECTORY|ACE_WRITE_DATA| \ 80 ACE_ADD_FILE|ACE_APPEND_DATA|ACE_ADD_SUBDIRECTORY|ACE_EXECUTE) 81 82 #define OKAY_MASK_BITS (ACE_READ_DATA|ACE_LIST_DIRECTORY|ACE_WRITE_DATA| \ 83 ACE_ADD_FILE|ACE_APPEND_DATA|ACE_ADD_SUBDIRECTORY|ACE_EXECUTE) 84 85 #define ALL_INHERIT (ACE_FILE_INHERIT_ACE|ACE_DIRECTORY_INHERIT_ACE | \ 86 ACE_NO_PROPAGATE_INHERIT_ACE|ACE_INHERIT_ONLY_ACE|ACE_INHERITED_ACE) 87 88 #define RESTRICTED_CLEAR (ACE_WRITE_ACL|ACE_WRITE_OWNER) 89 90 #define V4_ACL_WIDE_FLAGS (ZFS_ACL_AUTO_INHERIT|ZFS_ACL_DEFAULTED|\ 91 ZFS_ACL_PROTECTED) 92 93 #define ZFS_ACL_WIDE_FLAGS (V4_ACL_WIDE_FLAGS|ZFS_ACL_TRIVIAL|ZFS_INHERIT_ACE|\ 94 ZFS_ACL_OBJ_ACE) 95 96 #define ALL_MODE_EXECS (S_IXUSR | S_IXGRP | S_IXOTH) 97 98 static uint16_t 99 zfs_ace_v0_get_type(void *acep) 100 { 101 return (((zfs_oldace_t *)acep)->z_type); 102 } 103 104 static uint16_t 105 zfs_ace_v0_get_flags(void *acep) 106 { 107 return (((zfs_oldace_t *)acep)->z_flags); 108 } 109 110 static uint32_t 111 zfs_ace_v0_get_mask(void *acep) 112 { 113 return (((zfs_oldace_t *)acep)->z_access_mask); 114 } 115 116 static uint64_t 117 zfs_ace_v0_get_who(void *acep) 118 { 119 return (((zfs_oldace_t *)acep)->z_fuid); 120 } 121 122 static void 123 zfs_ace_v0_set_type(void *acep, uint16_t type) 124 { 125 ((zfs_oldace_t *)acep)->z_type = type; 126 } 127 128 static void 129 zfs_ace_v0_set_flags(void *acep, uint16_t flags) 130 { 131 ((zfs_oldace_t *)acep)->z_flags = flags; 132 } 133 134 static void 135 zfs_ace_v0_set_mask(void *acep, uint32_t mask) 136 { 137 ((zfs_oldace_t *)acep)->z_access_mask = mask; 138 } 139 140 static void 141 zfs_ace_v0_set_who(void *acep, uint64_t who) 142 { 143 ((zfs_oldace_t *)acep)->z_fuid = who; 144 } 145 146 /*ARGSUSED*/ 147 static size_t 148 zfs_ace_v0_size(void *acep) 149 { 150 return (sizeof (zfs_oldace_t)); 151 } 152 153 static size_t 154 zfs_ace_v0_abstract_size(void) 155 { 156 return (sizeof (zfs_oldace_t)); 157 } 158 159 static int 160 zfs_ace_v0_mask_off(void) 161 { 162 return (offsetof(zfs_oldace_t, z_access_mask)); 163 } 164 165 /*ARGSUSED*/ 166 static int 167 zfs_ace_v0_data(void *acep, void **datap) 168 { 169 *datap = NULL; 170 return (0); 171 } 172 173 static acl_ops_t zfs_acl_v0_ops = { 174 zfs_ace_v0_get_mask, 175 zfs_ace_v0_set_mask, 176 zfs_ace_v0_get_flags, 177 zfs_ace_v0_set_flags, 178 zfs_ace_v0_get_type, 179 zfs_ace_v0_set_type, 180 zfs_ace_v0_get_who, 181 zfs_ace_v0_set_who, 182 zfs_ace_v0_size, 183 zfs_ace_v0_abstract_size, 184 zfs_ace_v0_mask_off, 185 zfs_ace_v0_data 186 }; 187 188 static uint16_t 189 zfs_ace_fuid_get_type(void *acep) 190 { 191 return (((zfs_ace_hdr_t *)acep)->z_type); 192 } 193 194 static uint16_t 195 zfs_ace_fuid_get_flags(void *acep) 196 { 197 return (((zfs_ace_hdr_t *)acep)->z_flags); 198 } 199 200 static uint32_t 201 zfs_ace_fuid_get_mask(void *acep) 202 { 203 return (((zfs_ace_hdr_t *)acep)->z_access_mask); 204 } 205 206 static uint64_t 207 zfs_ace_fuid_get_who(void *args) 208 { 209 uint16_t entry_type; 210 zfs_ace_t *acep = args; 211 212 entry_type = acep->z_hdr.z_flags & ACE_TYPE_FLAGS; 213 214 if (entry_type == ACE_OWNER || entry_type == OWNING_GROUP || 215 entry_type == ACE_EVERYONE) 216 return (-1); 217 return (((zfs_ace_t *)acep)->z_fuid); 218 } 219 220 static void 221 zfs_ace_fuid_set_type(void *acep, uint16_t type) 222 { 223 ((zfs_ace_hdr_t *)acep)->z_type = type; 224 } 225 226 static void 227 zfs_ace_fuid_set_flags(void *acep, uint16_t flags) 228 { 229 ((zfs_ace_hdr_t *)acep)->z_flags = flags; 230 } 231 232 static void 233 zfs_ace_fuid_set_mask(void *acep, uint32_t mask) 234 { 235 ((zfs_ace_hdr_t *)acep)->z_access_mask = mask; 236 } 237 238 static void 239 zfs_ace_fuid_set_who(void *arg, uint64_t who) 240 { 241 zfs_ace_t *acep = arg; 242 243 uint16_t entry_type = acep->z_hdr.z_flags & ACE_TYPE_FLAGS; 244 245 if (entry_type == ACE_OWNER || entry_type == OWNING_GROUP || 246 entry_type == ACE_EVERYONE) 247 return; 248 acep->z_fuid = who; 249 } 250 251 static size_t 252 zfs_ace_fuid_size(void *acep) 253 { 254 zfs_ace_hdr_t *zacep = acep; 255 uint16_t entry_type; 256 257 switch (zacep->z_type) { 258 case ACE_ACCESS_ALLOWED_OBJECT_ACE_TYPE: 259 case ACE_ACCESS_DENIED_OBJECT_ACE_TYPE: 260 case ACE_SYSTEM_AUDIT_OBJECT_ACE_TYPE: 261 case ACE_SYSTEM_ALARM_OBJECT_ACE_TYPE: 262 return (sizeof (zfs_object_ace_t)); 263 case ALLOW: 264 case DENY: 265 entry_type = 266 (((zfs_ace_hdr_t *)acep)->z_flags & ACE_TYPE_FLAGS); 267 if (entry_type == ACE_OWNER || 268 entry_type == OWNING_GROUP || 269 entry_type == ACE_EVERYONE) 270 return (sizeof (zfs_ace_hdr_t)); 271 /*FALLTHROUGH*/ 272 default: 273 return (sizeof (zfs_ace_t)); 274 } 275 } 276 277 static size_t 278 zfs_ace_fuid_abstract_size(void) 279 { 280 return (sizeof (zfs_ace_hdr_t)); 281 } 282 283 static int 284 zfs_ace_fuid_mask_off(void) 285 { 286 return (offsetof(zfs_ace_hdr_t, z_access_mask)); 287 } 288 289 static int 290 zfs_ace_fuid_data(void *acep, void **datap) 291 { 292 zfs_ace_t *zacep = acep; 293 zfs_object_ace_t *zobjp; 294 295 switch (zacep->z_hdr.z_type) { 296 case ACE_ACCESS_ALLOWED_OBJECT_ACE_TYPE: 297 case ACE_ACCESS_DENIED_OBJECT_ACE_TYPE: 298 case ACE_SYSTEM_AUDIT_OBJECT_ACE_TYPE: 299 case ACE_SYSTEM_ALARM_OBJECT_ACE_TYPE: 300 zobjp = acep; 301 *datap = (caddr_t)zobjp + sizeof (zfs_ace_t); 302 return (sizeof (zfs_object_ace_t) - sizeof (zfs_ace_t)); 303 default: 304 *datap = NULL; 305 return (0); 306 } 307 } 308 309 static acl_ops_t zfs_acl_fuid_ops = { 310 zfs_ace_fuid_get_mask, 311 zfs_ace_fuid_set_mask, 312 zfs_ace_fuid_get_flags, 313 zfs_ace_fuid_set_flags, 314 zfs_ace_fuid_get_type, 315 zfs_ace_fuid_set_type, 316 zfs_ace_fuid_get_who, 317 zfs_ace_fuid_set_who, 318 zfs_ace_fuid_size, 319 zfs_ace_fuid_abstract_size, 320 zfs_ace_fuid_mask_off, 321 zfs_ace_fuid_data 322 }; 323 324 /* 325 * The following three functions are provided for compatibility with 326 * older ZPL version in order to determine if the file use to have 327 * an external ACL and what version of ACL previously existed on the 328 * file. Would really be nice to not need this, sigh. 329 */ 330 uint64_t 331 zfs_external_acl(znode_t *zp) 332 { 333 zfs_acl_phys_t acl_phys; 334 int error; 335 336 if (zp->z_is_sa) 337 return (0); 338 339 /* 340 * Need to deal with a potential 341 * race where zfs_sa_upgrade could cause 342 * z_isa_sa to change. 343 * 344 * If the lookup fails then the state of z_is_sa should have 345 * changed. 346 */ 347 348 if ((error = sa_lookup(zp->z_sa_hdl, SA_ZPL_ZNODE_ACL(zp->z_zfsvfs), 349 &acl_phys, sizeof (acl_phys))) == 0) 350 return (acl_phys.z_acl_extern_obj); 351 else { 352 /* 353 * after upgrade the SA_ZPL_ZNODE_ACL should have been 354 * removed 355 */ 356 VERIFY(zp->z_is_sa && error == ENOENT); 357 return (0); 358 } 359 } 360 361 /* 362 * Determine size of ACL in bytes 363 * 364 * This is more complicated than it should be since we have to deal 365 * with old external ACLs. 366 */ 367 static int 368 zfs_acl_znode_info(znode_t *zp, int *aclsize, int *aclcount, 369 zfs_acl_phys_t *aclphys) 370 { 371 zfsvfs_t *zfsvfs = zp->z_zfsvfs; 372 uint64_t acl_count; 373 int size; 374 int error; 375 376 ASSERT(MUTEX_HELD(&zp->z_acl_lock)); 377 if (zp->z_is_sa) { 378 if ((error = sa_size(zp->z_sa_hdl, SA_ZPL_DACL_ACES(zfsvfs), 379 &size)) != 0) 380 return (error); 381 *aclsize = size; 382 if ((error = sa_lookup(zp->z_sa_hdl, SA_ZPL_DACL_COUNT(zfsvfs), 383 &acl_count, sizeof (acl_count))) != 0) 384 return (error); 385 *aclcount = acl_count; 386 } else { 387 if ((error = sa_lookup(zp->z_sa_hdl, SA_ZPL_ZNODE_ACL(zfsvfs), 388 aclphys, sizeof (*aclphys))) != 0) 389 return (error); 390 391 if (aclphys->z_acl_version == ZFS_ACL_VERSION_INITIAL) { 392 *aclsize = ZFS_ACL_SIZE(aclphys->z_acl_size); 393 *aclcount = aclphys->z_acl_size; 394 } else { 395 *aclsize = aclphys->z_acl_size; 396 *aclcount = aclphys->z_acl_count; 397 } 398 } 399 return (0); 400 } 401 402 int 403 zfs_znode_acl_version(znode_t *zp) 404 { 405 zfs_acl_phys_t acl_phys; 406 407 if (zp->z_is_sa) 408 return (ZFS_ACL_VERSION_FUID); 409 else { 410 int error; 411 412 /* 413 * Need to deal with a potential 414 * race where zfs_sa_upgrade could cause 415 * z_isa_sa to change. 416 * 417 * If the lookup fails then the state of z_is_sa should have 418 * changed. 419 */ 420 if ((error = sa_lookup(zp->z_sa_hdl, 421 SA_ZPL_ZNODE_ACL(zp->z_zfsvfs), 422 &acl_phys, sizeof (acl_phys))) == 0) 423 return (acl_phys.z_acl_version); 424 else { 425 /* 426 * After upgrade SA_ZPL_ZNODE_ACL should have 427 * been removed. 428 */ 429 VERIFY(zp->z_is_sa && error == ENOENT); 430 return (ZFS_ACL_VERSION_FUID); 431 } 432 } 433 } 434 435 static int 436 zfs_acl_version(int version) 437 { 438 if (version < ZPL_VERSION_FUID) 439 return (ZFS_ACL_VERSION_INITIAL); 440 else 441 return (ZFS_ACL_VERSION_FUID); 442 } 443 444 static int 445 zfs_acl_version_zp(znode_t *zp) 446 { 447 return (zfs_acl_version(zp->z_zfsvfs->z_version)); 448 } 449 450 zfs_acl_t * 451 zfs_acl_alloc(int vers) 452 { 453 zfs_acl_t *aclp; 454 455 aclp = kmem_zalloc(sizeof (zfs_acl_t), KM_SLEEP); 456 list_create(&aclp->z_acl, sizeof (zfs_acl_node_t), 457 offsetof(zfs_acl_node_t, z_next)); 458 aclp->z_version = vers; 459 if (vers == ZFS_ACL_VERSION_FUID) 460 aclp->z_ops = zfs_acl_fuid_ops; 461 else 462 aclp->z_ops = zfs_acl_v0_ops; 463 return (aclp); 464 } 465 466 zfs_acl_node_t * 467 zfs_acl_node_alloc(size_t bytes) 468 { 469 zfs_acl_node_t *aclnode; 470 471 aclnode = kmem_zalloc(sizeof (zfs_acl_node_t), KM_SLEEP); 472 if (bytes) { 473 aclnode->z_acldata = kmem_alloc(bytes, KM_SLEEP); 474 aclnode->z_allocdata = aclnode->z_acldata; 475 aclnode->z_allocsize = bytes; 476 aclnode->z_size = bytes; 477 } 478 479 return (aclnode); 480 } 481 482 static void 483 zfs_acl_node_free(zfs_acl_node_t *aclnode) 484 { 485 if (aclnode->z_allocsize) 486 kmem_free(aclnode->z_allocdata, aclnode->z_allocsize); 487 kmem_free(aclnode, sizeof (zfs_acl_node_t)); 488 } 489 490 static void 491 zfs_acl_release_nodes(zfs_acl_t *aclp) 492 { 493 zfs_acl_node_t *aclnode; 494 495 while (aclnode = list_head(&aclp->z_acl)) { 496 list_remove(&aclp->z_acl, aclnode); 497 zfs_acl_node_free(aclnode); 498 } 499 aclp->z_acl_count = 0; 500 aclp->z_acl_bytes = 0; 501 } 502 503 void 504 zfs_acl_free(zfs_acl_t *aclp) 505 { 506 zfs_acl_release_nodes(aclp); 507 list_destroy(&aclp->z_acl); 508 kmem_free(aclp, sizeof (zfs_acl_t)); 509 } 510 511 static boolean_t 512 zfs_acl_valid_ace_type(uint_t type, uint_t flags) 513 { 514 uint16_t entry_type; 515 516 switch (type) { 517 case ALLOW: 518 case DENY: 519 case ACE_SYSTEM_AUDIT_ACE_TYPE: 520 case ACE_SYSTEM_ALARM_ACE_TYPE: 521 entry_type = flags & ACE_TYPE_FLAGS; 522 return (entry_type == ACE_OWNER || 523 entry_type == OWNING_GROUP || 524 entry_type == ACE_EVERYONE || entry_type == 0 || 525 entry_type == ACE_IDENTIFIER_GROUP); 526 default: 527 if (type >= MIN_ACE_TYPE && type <= MAX_ACE_TYPE) 528 return (B_TRUE); 529 } 530 return (B_FALSE); 531 } 532 533 static boolean_t 534 zfs_ace_valid(vtype_t obj_type, zfs_acl_t *aclp, uint16_t type, uint16_t iflags) 535 { 536 /* 537 * first check type of entry 538 */ 539 540 if (!zfs_acl_valid_ace_type(type, iflags)) 541 return (B_FALSE); 542 543 switch (type) { 544 case ACE_ACCESS_ALLOWED_OBJECT_ACE_TYPE: 545 case ACE_ACCESS_DENIED_OBJECT_ACE_TYPE: 546 case ACE_SYSTEM_AUDIT_OBJECT_ACE_TYPE: 547 case ACE_SYSTEM_ALARM_OBJECT_ACE_TYPE: 548 if (aclp->z_version < ZFS_ACL_VERSION_FUID) 549 return (B_FALSE); 550 aclp->z_hints |= ZFS_ACL_OBJ_ACE; 551 } 552 553 /* 554 * next check inheritance level flags 555 */ 556 557 if (obj_type == VDIR && 558 (iflags & (ACE_FILE_INHERIT_ACE|ACE_DIRECTORY_INHERIT_ACE))) 559 aclp->z_hints |= ZFS_INHERIT_ACE; 560 561 if (iflags & (ACE_INHERIT_ONLY_ACE|ACE_NO_PROPAGATE_INHERIT_ACE)) { 562 if ((iflags & (ACE_FILE_INHERIT_ACE| 563 ACE_DIRECTORY_INHERIT_ACE)) == 0) { 564 return (B_FALSE); 565 } 566 } 567 568 return (B_TRUE); 569 } 570 571 static void * 572 zfs_acl_next_ace(zfs_acl_t *aclp, void *start, uint64_t *who, 573 uint32_t *access_mask, uint16_t *iflags, uint16_t *type) 574 { 575 zfs_acl_node_t *aclnode; 576 577 ASSERT(aclp); 578 579 if (start == NULL) { 580 aclnode = list_head(&aclp->z_acl); 581 if (aclnode == NULL) 582 return (NULL); 583 584 aclp->z_next_ace = aclnode->z_acldata; 585 aclp->z_curr_node = aclnode; 586 aclnode->z_ace_idx = 0; 587 } 588 589 aclnode = aclp->z_curr_node; 590 591 if (aclnode == NULL) 592 return (NULL); 593 594 if (aclnode->z_ace_idx >= aclnode->z_ace_count) { 595 aclnode = list_next(&aclp->z_acl, aclnode); 596 if (aclnode == NULL) 597 return (NULL); 598 else { 599 aclp->z_curr_node = aclnode; 600 aclnode->z_ace_idx = 0; 601 aclp->z_next_ace = aclnode->z_acldata; 602 } 603 } 604 605 if (aclnode->z_ace_idx < aclnode->z_ace_count) { 606 void *acep = aclp->z_next_ace; 607 size_t ace_size; 608 609 /* 610 * Make sure we don't overstep our bounds 611 */ 612 ace_size = aclp->z_ops.ace_size(acep); 613 614 if (((caddr_t)acep + ace_size) > 615 ((caddr_t)aclnode->z_acldata + aclnode->z_size)) { 616 return (NULL); 617 } 618 619 *iflags = aclp->z_ops.ace_flags_get(acep); 620 *type = aclp->z_ops.ace_type_get(acep); 621 *access_mask = aclp->z_ops.ace_mask_get(acep); 622 *who = aclp->z_ops.ace_who_get(acep); 623 aclp->z_next_ace = (caddr_t)aclp->z_next_ace + ace_size; 624 aclnode->z_ace_idx++; 625 626 return ((void *)acep); 627 } 628 return (NULL); 629 } 630 631 /*ARGSUSED*/ 632 static uint64_t 633 zfs_ace_walk(void *datap, uint64_t cookie, int aclcnt, 634 uint16_t *flags, uint16_t *type, uint32_t *mask) 635 { 636 zfs_acl_t *aclp = datap; 637 zfs_ace_hdr_t *acep = (zfs_ace_hdr_t *)(uintptr_t)cookie; 638 uint64_t who; 639 640 acep = zfs_acl_next_ace(aclp, acep, &who, mask, 641 flags, type); 642 return ((uint64_t)(uintptr_t)acep); 643 } 644 645 static zfs_acl_node_t * 646 zfs_acl_curr_node(zfs_acl_t *aclp) 647 { 648 ASSERT(aclp->z_curr_node); 649 return (aclp->z_curr_node); 650 } 651 652 /* 653 * Copy ACE to internal ZFS format. 654 * While processing the ACL each ACE will be validated for correctness. 655 * ACE FUIDs will be created later. 656 */ 657 int 658 zfs_copy_ace_2_fuid(zfsvfs_t *zfsvfs, vtype_t obj_type, zfs_acl_t *aclp, 659 void *datap, zfs_ace_t *z_acl, uint64_t aclcnt, size_t *size, 660 zfs_fuid_info_t **fuidp, cred_t *cr) 661 { 662 int i; 663 uint16_t entry_type; 664 zfs_ace_t *aceptr = z_acl; 665 ace_t *acep = datap; 666 zfs_object_ace_t *zobjacep; 667 ace_object_t *aceobjp; 668 669 for (i = 0; i != aclcnt; i++) { 670 aceptr->z_hdr.z_access_mask = acep->a_access_mask; 671 aceptr->z_hdr.z_flags = acep->a_flags; 672 aceptr->z_hdr.z_type = acep->a_type; 673 entry_type = aceptr->z_hdr.z_flags & ACE_TYPE_FLAGS; 674 if (entry_type != ACE_OWNER && entry_type != OWNING_GROUP && 675 entry_type != ACE_EVERYONE) { 676 aceptr->z_fuid = zfs_fuid_create(zfsvfs, acep->a_who, 677 cr, (entry_type == 0) ? 678 ZFS_ACE_USER : ZFS_ACE_GROUP, fuidp); 679 } 680 681 /* 682 * Make sure ACE is valid 683 */ 684 if (zfs_ace_valid(obj_type, aclp, aceptr->z_hdr.z_type, 685 aceptr->z_hdr.z_flags) != B_TRUE) 686 return (EINVAL); 687 688 switch (acep->a_type) { 689 case ACE_ACCESS_ALLOWED_OBJECT_ACE_TYPE: 690 case ACE_ACCESS_DENIED_OBJECT_ACE_TYPE: 691 case ACE_SYSTEM_AUDIT_OBJECT_ACE_TYPE: 692 case ACE_SYSTEM_ALARM_OBJECT_ACE_TYPE: 693 zobjacep = (zfs_object_ace_t *)aceptr; 694 aceobjp = (ace_object_t *)acep; 695 696 bcopy(aceobjp->a_obj_type, zobjacep->z_object_type, 697 sizeof (aceobjp->a_obj_type)); 698 bcopy(aceobjp->a_inherit_obj_type, 699 zobjacep->z_inherit_type, 700 sizeof (aceobjp->a_inherit_obj_type)); 701 acep = (ace_t *)((caddr_t)acep + sizeof (ace_object_t)); 702 break; 703 default: 704 acep = (ace_t *)((caddr_t)acep + sizeof (ace_t)); 705 } 706 707 aceptr = (zfs_ace_t *)((caddr_t)aceptr + 708 aclp->z_ops.ace_size(aceptr)); 709 } 710 711 *size = (caddr_t)aceptr - (caddr_t)z_acl; 712 713 return (0); 714 } 715 716 /* 717 * Copy ZFS ACEs to fixed size ace_t layout 718 */ 719 static void 720 zfs_copy_fuid_2_ace(zfsvfs_t *zfsvfs, zfs_acl_t *aclp, cred_t *cr, 721 void *datap, int filter) 722 { 723 uint64_t who; 724 uint32_t access_mask; 725 uint16_t iflags, type; 726 zfs_ace_hdr_t *zacep = NULL; 727 ace_t *acep = datap; 728 ace_object_t *objacep; 729 zfs_object_ace_t *zobjacep; 730 size_t ace_size; 731 uint16_t entry_type; 732 733 while (zacep = zfs_acl_next_ace(aclp, zacep, 734 &who, &access_mask, &iflags, &type)) { 735 736 switch (type) { 737 case ACE_ACCESS_ALLOWED_OBJECT_ACE_TYPE: 738 case ACE_ACCESS_DENIED_OBJECT_ACE_TYPE: 739 case ACE_SYSTEM_AUDIT_OBJECT_ACE_TYPE: 740 case ACE_SYSTEM_ALARM_OBJECT_ACE_TYPE: 741 if (filter) { 742 continue; 743 } 744 zobjacep = (zfs_object_ace_t *)zacep; 745 objacep = (ace_object_t *)acep; 746 bcopy(zobjacep->z_object_type, 747 objacep->a_obj_type, 748 sizeof (zobjacep->z_object_type)); 749 bcopy(zobjacep->z_inherit_type, 750 objacep->a_inherit_obj_type, 751 sizeof (zobjacep->z_inherit_type)); 752 ace_size = sizeof (ace_object_t); 753 break; 754 default: 755 ace_size = sizeof (ace_t); 756 break; 757 } 758 759 entry_type = (iflags & ACE_TYPE_FLAGS); 760 if ((entry_type != ACE_OWNER && 761 entry_type != OWNING_GROUP && 762 entry_type != ACE_EVERYONE)) { 763 acep->a_who = zfs_fuid_map_id(zfsvfs, who, 764 cr, (entry_type & ACE_IDENTIFIER_GROUP) ? 765 ZFS_ACE_GROUP : ZFS_ACE_USER); 766 } else { 767 acep->a_who = (uid_t)(int64_t)who; 768 } 769 acep->a_access_mask = access_mask; 770 acep->a_flags = iflags; 771 acep->a_type = type; 772 acep = (ace_t *)((caddr_t)acep + ace_size); 773 } 774 } 775 776 static int 777 zfs_copy_ace_2_oldace(vtype_t obj_type, zfs_acl_t *aclp, ace_t *acep, 778 zfs_oldace_t *z_acl, int aclcnt, size_t *size) 779 { 780 int i; 781 zfs_oldace_t *aceptr = z_acl; 782 783 for (i = 0; i != aclcnt; i++, aceptr++) { 784 aceptr->z_access_mask = acep[i].a_access_mask; 785 aceptr->z_type = acep[i].a_type; 786 aceptr->z_flags = acep[i].a_flags; 787 aceptr->z_fuid = acep[i].a_who; 788 /* 789 * Make sure ACE is valid 790 */ 791 if (zfs_ace_valid(obj_type, aclp, aceptr->z_type, 792 aceptr->z_flags) != B_TRUE) 793 return (EINVAL); 794 } 795 *size = (caddr_t)aceptr - (caddr_t)z_acl; 796 return (0); 797 } 798 799 /* 800 * convert old ACL format to new 801 */ 802 void 803 zfs_acl_xform(znode_t *zp, zfs_acl_t *aclp, cred_t *cr) 804 { 805 zfs_oldace_t *oldaclp; 806 int i; 807 uint16_t type, iflags; 808 uint32_t access_mask; 809 uint64_t who; 810 void *cookie = NULL; 811 zfs_acl_node_t *newaclnode; 812 813 ASSERT(aclp->z_version == ZFS_ACL_VERSION_INITIAL); 814 /* 815 * First create the ACE in a contiguous piece of memory 816 * for zfs_copy_ace_2_fuid(). 817 * 818 * We only convert an ACL once, so this won't happen 819 * everytime. 820 */ 821 oldaclp = kmem_alloc(sizeof (zfs_oldace_t) * aclp->z_acl_count, 822 KM_SLEEP); 823 i = 0; 824 while (cookie = zfs_acl_next_ace(aclp, cookie, &who, 825 &access_mask, &iflags, &type)) { 826 oldaclp[i].z_flags = iflags; 827 oldaclp[i].z_type = type; 828 oldaclp[i].z_fuid = who; 829 oldaclp[i++].z_access_mask = access_mask; 830 } 831 832 newaclnode = zfs_acl_node_alloc(aclp->z_acl_count * 833 sizeof (zfs_object_ace_t)); 834 aclp->z_ops = zfs_acl_fuid_ops; 835 VERIFY(zfs_copy_ace_2_fuid(zp->z_zfsvfs, ZTOV(zp)->v_type, aclp, 836 oldaclp, newaclnode->z_acldata, aclp->z_acl_count, 837 &newaclnode->z_size, NULL, cr) == 0); 838 newaclnode->z_ace_count = aclp->z_acl_count; 839 aclp->z_version = ZFS_ACL_VERSION; 840 kmem_free(oldaclp, aclp->z_acl_count * sizeof (zfs_oldace_t)); 841 842 /* 843 * Release all previous ACL nodes 844 */ 845 846 zfs_acl_release_nodes(aclp); 847 848 list_insert_head(&aclp->z_acl, newaclnode); 849 850 aclp->z_acl_bytes = newaclnode->z_size; 851 aclp->z_acl_count = newaclnode->z_ace_count; 852 853 } 854 855 /* 856 * Convert unix access mask to v4 access mask 857 */ 858 static uint32_t 859 zfs_unix_to_v4(uint32_t access_mask) 860 { 861 uint32_t new_mask = 0; 862 863 if (access_mask & S_IXOTH) 864 new_mask |= ACE_EXECUTE; 865 if (access_mask & S_IWOTH) 866 new_mask |= ACE_WRITE_DATA; 867 if (access_mask & S_IROTH) 868 new_mask |= ACE_READ_DATA; 869 return (new_mask); 870 } 871 872 static void 873 zfs_set_ace(zfs_acl_t *aclp, void *acep, uint32_t access_mask, 874 uint16_t access_type, uint64_t fuid, uint16_t entry_type) 875 { 876 uint16_t type = entry_type & ACE_TYPE_FLAGS; 877 878 aclp->z_ops.ace_mask_set(acep, access_mask); 879 aclp->z_ops.ace_type_set(acep, access_type); 880 aclp->z_ops.ace_flags_set(acep, entry_type); 881 if ((type != ACE_OWNER && type != OWNING_GROUP && 882 type != ACE_EVERYONE)) 883 aclp->z_ops.ace_who_set(acep, fuid); 884 } 885 886 /* 887 * Determine mode of file based on ACL. 888 * Also, create FUIDs for any User/Group ACEs 889 */ 890 uint64_t 891 zfs_mode_compute(uint64_t fmode, zfs_acl_t *aclp, 892 uint64_t *pflags, uint64_t fuid, uint64_t fgid) 893 { 894 int entry_type; 895 mode_t mode; 896 mode_t seen = 0; 897 zfs_ace_hdr_t *acep = NULL; 898 uint64_t who; 899 uint16_t iflags, type; 900 uint32_t access_mask; 901 boolean_t an_exec_denied = B_FALSE; 902 903 mode = (fmode & (S_IFMT | S_ISUID | S_ISGID | S_ISVTX)); 904 905 while (acep = zfs_acl_next_ace(aclp, acep, &who, 906 &access_mask, &iflags, &type)) { 907 908 if (!zfs_acl_valid_ace_type(type, iflags)) 909 continue; 910 911 entry_type = (iflags & ACE_TYPE_FLAGS); 912 913 /* 914 * Skip over owner@, group@ or everyone@ inherit only ACEs 915 */ 916 if ((iflags & ACE_INHERIT_ONLY_ACE) && 917 (entry_type == ACE_OWNER || entry_type == ACE_EVERYONE || 918 entry_type == OWNING_GROUP)) 919 continue; 920 921 if (entry_type == ACE_OWNER || (entry_type == 0 && 922 who == fuid)) { 923 if ((access_mask & ACE_READ_DATA) && 924 (!(seen & S_IRUSR))) { 925 seen |= S_IRUSR; 926 if (type == ALLOW) { 927 mode |= S_IRUSR; 928 } 929 } 930 if ((access_mask & ACE_WRITE_DATA) && 931 (!(seen & S_IWUSR))) { 932 seen |= S_IWUSR; 933 if (type == ALLOW) { 934 mode |= S_IWUSR; 935 } 936 } 937 if ((access_mask & ACE_EXECUTE) && 938 (!(seen & S_IXUSR))) { 939 seen |= S_IXUSR; 940 if (type == ALLOW) { 941 mode |= S_IXUSR; 942 } 943 } 944 } else if (entry_type == OWNING_GROUP || 945 (entry_type == ACE_IDENTIFIER_GROUP && who == fgid)) { 946 if ((access_mask & ACE_READ_DATA) && 947 (!(seen & S_IRGRP))) { 948 seen |= S_IRGRP; 949 if (type == ALLOW) { 950 mode |= S_IRGRP; 951 } 952 } 953 if ((access_mask & ACE_WRITE_DATA) && 954 (!(seen & S_IWGRP))) { 955 seen |= S_IWGRP; 956 if (type == ALLOW) { 957 mode |= S_IWGRP; 958 } 959 } 960 if ((access_mask & ACE_EXECUTE) && 961 (!(seen & S_IXGRP))) { 962 seen |= S_IXGRP; 963 if (type == ALLOW) { 964 mode |= S_IXGRP; 965 } 966 } 967 } else if (entry_type == ACE_EVERYONE) { 968 if ((access_mask & ACE_READ_DATA)) { 969 if (!(seen & S_IRUSR)) { 970 seen |= S_IRUSR; 971 if (type == ALLOW) { 972 mode |= S_IRUSR; 973 } 974 } 975 if (!(seen & S_IRGRP)) { 976 seen |= S_IRGRP; 977 if (type == ALLOW) { 978 mode |= S_IRGRP; 979 } 980 } 981 if (!(seen & S_IROTH)) { 982 seen |= S_IROTH; 983 if (type == ALLOW) { 984 mode |= S_IROTH; 985 } 986 } 987 } 988 if ((access_mask & ACE_WRITE_DATA)) { 989 if (!(seen & S_IWUSR)) { 990 seen |= S_IWUSR; 991 if (type == ALLOW) { 992 mode |= S_IWUSR; 993 } 994 } 995 if (!(seen & S_IWGRP)) { 996 seen |= S_IWGRP; 997 if (type == ALLOW) { 998 mode |= S_IWGRP; 999 } 1000 } 1001 if (!(seen & S_IWOTH)) { 1002 seen |= S_IWOTH; 1003 if (type == ALLOW) { 1004 mode |= S_IWOTH; 1005 } 1006 } 1007 } 1008 if ((access_mask & ACE_EXECUTE)) { 1009 if (!(seen & S_IXUSR)) { 1010 seen |= S_IXUSR; 1011 if (type == ALLOW) { 1012 mode |= S_IXUSR; 1013 } 1014 } 1015 if (!(seen & S_IXGRP)) { 1016 seen |= S_IXGRP; 1017 if (type == ALLOW) { 1018 mode |= S_IXGRP; 1019 } 1020 } 1021 if (!(seen & S_IXOTH)) { 1022 seen |= S_IXOTH; 1023 if (type == ALLOW) { 1024 mode |= S_IXOTH; 1025 } 1026 } 1027 } 1028 } else { 1029 /* 1030 * Only care if this IDENTIFIER_GROUP or 1031 * USER ACE denies execute access to someone, 1032 * mode is not affected 1033 */ 1034 if ((access_mask & ACE_EXECUTE) && type == DENY) 1035 an_exec_denied = B_TRUE; 1036 } 1037 } 1038 1039 /* 1040 * Failure to allow is effectively a deny, so execute permission 1041 * is denied if it was never mentioned or if we explicitly 1042 * weren't allowed it. 1043 */ 1044 if (!an_exec_denied && 1045 ((seen & ALL_MODE_EXECS) != ALL_MODE_EXECS || 1046 (mode & ALL_MODE_EXECS) != ALL_MODE_EXECS)) 1047 an_exec_denied = B_TRUE; 1048 1049 if (an_exec_denied) 1050 *pflags &= ~ZFS_NO_EXECS_DENIED; 1051 else 1052 *pflags |= ZFS_NO_EXECS_DENIED; 1053 1054 return (mode); 1055 } 1056 1057 /* 1058 * Read an external acl object. If the intent is to modify, always 1059 * create a new acl and leave any cached acl in place. 1060 */ 1061 static int 1062 zfs_acl_node_read(znode_t *zp, boolean_t have_lock, zfs_acl_t **aclpp, 1063 boolean_t will_modify) 1064 { 1065 zfs_acl_t *aclp; 1066 int aclsize; 1067 int acl_count; 1068 zfs_acl_node_t *aclnode; 1069 zfs_acl_phys_t znode_acl; 1070 int version; 1071 int error; 1072 boolean_t drop_lock = B_FALSE; 1073 1074 ASSERT(MUTEX_HELD(&zp->z_acl_lock)); 1075 1076 if (zp->z_acl_cached && !will_modify) { 1077 *aclpp = zp->z_acl_cached; 1078 return (0); 1079 } 1080 1081 /* 1082 * close race where znode could be upgrade while trying to 1083 * read the znode attributes. 1084 * 1085 * But this could only happen if the file isn't already an SA 1086 * znode 1087 */ 1088 if (!zp->z_is_sa && !have_lock) { 1089 mutex_enter(&zp->z_lock); 1090 drop_lock = B_TRUE; 1091 } 1092 version = zfs_znode_acl_version(zp); 1093 1094 if ((error = zfs_acl_znode_info(zp, &aclsize, 1095 &acl_count, &znode_acl)) != 0) { 1096 goto done; 1097 } 1098 1099 aclp = zfs_acl_alloc(version); 1100 1101 aclp->z_acl_count = acl_count; 1102 aclp->z_acl_bytes = aclsize; 1103 1104 aclnode = zfs_acl_node_alloc(aclsize); 1105 aclnode->z_ace_count = aclp->z_acl_count; 1106 aclnode->z_size = aclsize; 1107 1108 if (!zp->z_is_sa) { 1109 if (znode_acl.z_acl_extern_obj) { 1110 error = dmu_read(zp->z_zfsvfs->z_os, 1111 znode_acl.z_acl_extern_obj, 0, aclnode->z_size, 1112 aclnode->z_acldata, DMU_READ_PREFETCH); 1113 } else { 1114 bcopy(znode_acl.z_ace_data, aclnode->z_acldata, 1115 aclnode->z_size); 1116 } 1117 } else { 1118 error = sa_lookup(zp->z_sa_hdl, SA_ZPL_DACL_ACES(zp->z_zfsvfs), 1119 aclnode->z_acldata, aclnode->z_size); 1120 } 1121 1122 if (error != 0) { 1123 zfs_acl_free(aclp); 1124 zfs_acl_node_free(aclnode); 1125 /* convert checksum errors into IO errors */ 1126 if (error == ECKSUM) 1127 error = EIO; 1128 goto done; 1129 } 1130 1131 list_insert_head(&aclp->z_acl, aclnode); 1132 1133 *aclpp = aclp; 1134 if (!will_modify) 1135 zp->z_acl_cached = aclp; 1136 done: 1137 if (drop_lock) 1138 mutex_exit(&zp->z_lock); 1139 return (error); 1140 } 1141 1142 /*ARGSUSED*/ 1143 void 1144 zfs_acl_data_locator(void **dataptr, uint32_t *length, uint32_t buflen, 1145 boolean_t start, void *userdata) 1146 { 1147 zfs_acl_locator_cb_t *cb = (zfs_acl_locator_cb_t *)userdata; 1148 1149 if (start) { 1150 cb->cb_acl_node = list_head(&cb->cb_aclp->z_acl); 1151 } else { 1152 cb->cb_acl_node = list_next(&cb->cb_aclp->z_acl, 1153 cb->cb_acl_node); 1154 } 1155 *dataptr = cb->cb_acl_node->z_acldata; 1156 *length = cb->cb_acl_node->z_size; 1157 } 1158 1159 int 1160 zfs_acl_chown_setattr(znode_t *zp) 1161 { 1162 int error; 1163 zfs_acl_t *aclp; 1164 1165 ASSERT(MUTEX_HELD(&zp->z_lock)); 1166 ASSERT(MUTEX_HELD(&zp->z_acl_lock)); 1167 1168 if ((error = zfs_acl_node_read(zp, B_TRUE, &aclp, B_FALSE)) == 0) 1169 zp->z_mode = zfs_mode_compute(zp->z_mode, aclp, 1170 &zp->z_pflags, zp->z_uid, zp->z_gid); 1171 return (error); 1172 } 1173 1174 /* 1175 * common code for setting ACLs. 1176 * 1177 * This function is called from zfs_mode_update, zfs_perm_init, and zfs_setacl. 1178 * zfs_setacl passes a non-NULL inherit pointer (ihp) to indicate that it's 1179 * already checked the acl and knows whether to inherit. 1180 */ 1181 int 1182 zfs_aclset_common(znode_t *zp, zfs_acl_t *aclp, cred_t *cr, dmu_tx_t *tx) 1183 { 1184 int error; 1185 zfsvfs_t *zfsvfs = zp->z_zfsvfs; 1186 dmu_object_type_t otype; 1187 zfs_acl_locator_cb_t locate = { 0 }; 1188 uint64_t mode; 1189 sa_bulk_attr_t bulk[5]; 1190 uint64_t ctime[2]; 1191 int count = 0; 1192 1193 mode = zp->z_mode; 1194 1195 mode = zfs_mode_compute(mode, aclp, &zp->z_pflags, 1196 zp->z_uid, zp->z_gid); 1197 1198 zp->z_mode = mode; 1199 SA_ADD_BULK_ATTR(bulk, count, SA_ZPL_MODE(zfsvfs), NULL, 1200 &mode, sizeof (mode)); 1201 SA_ADD_BULK_ATTR(bulk, count, SA_ZPL_FLAGS(zfsvfs), NULL, 1202 &zp->z_pflags, sizeof (zp->z_pflags)); 1203 SA_ADD_BULK_ATTR(bulk, count, SA_ZPL_CTIME(zfsvfs), NULL, 1204 &ctime, sizeof (ctime)); 1205 1206 if (zp->z_acl_cached) { 1207 zfs_acl_free(zp->z_acl_cached); 1208 zp->z_acl_cached = NULL; 1209 } 1210 1211 /* 1212 * Upgrade needed? 1213 */ 1214 if (!zfsvfs->z_use_fuids) { 1215 otype = DMU_OT_OLDACL; 1216 } else { 1217 if ((aclp->z_version == ZFS_ACL_VERSION_INITIAL) && 1218 (zfsvfs->z_version >= ZPL_VERSION_FUID)) 1219 zfs_acl_xform(zp, aclp, cr); 1220 ASSERT(aclp->z_version >= ZFS_ACL_VERSION_FUID); 1221 otype = DMU_OT_ACL; 1222 } 1223 1224 /* 1225 * Arrgh, we have to handle old on disk format 1226 * as well as newer (preferred) SA format. 1227 */ 1228 1229 if (zp->z_is_sa) { /* the easy case, just update the ACL attribute */ 1230 locate.cb_aclp = aclp; 1231 SA_ADD_BULK_ATTR(bulk, count, SA_ZPL_DACL_ACES(zfsvfs), 1232 zfs_acl_data_locator, &locate, aclp->z_acl_bytes); 1233 SA_ADD_BULK_ATTR(bulk, count, SA_ZPL_DACL_COUNT(zfsvfs), 1234 NULL, &aclp->z_acl_count, sizeof (uint64_t)); 1235 } else { /* Painful legacy way */ 1236 zfs_acl_node_t *aclnode; 1237 uint64_t off = 0; 1238 zfs_acl_phys_t acl_phys; 1239 uint64_t aoid; 1240 1241 if ((error = sa_lookup(zp->z_sa_hdl, SA_ZPL_ZNODE_ACL(zfsvfs), 1242 &acl_phys, sizeof (acl_phys))) != 0) 1243 return (error); 1244 1245 aoid = acl_phys.z_acl_extern_obj; 1246 1247 if (aclp->z_acl_bytes > ZFS_ACE_SPACE) { 1248 /* 1249 * If ACL was previously external and we are now 1250 * converting to new ACL format then release old 1251 * ACL object and create a new one. 1252 */ 1253 if (aoid && 1254 aclp->z_version != acl_phys.z_acl_version) { 1255 error = dmu_object_free(zfsvfs->z_os, aoid, tx); 1256 if (error) 1257 return (error); 1258 aoid = 0; 1259 } 1260 if (aoid == 0) { 1261 aoid = dmu_object_alloc(zfsvfs->z_os, 1262 otype, aclp->z_acl_bytes, 1263 otype == DMU_OT_ACL ? 1264 DMU_OT_SYSACL : DMU_OT_NONE, 1265 otype == DMU_OT_ACL ? 1266 DN_MAX_BONUSLEN : 0, tx); 1267 } else { 1268 (void) dmu_object_set_blocksize(zfsvfs->z_os, 1269 aoid, aclp->z_acl_bytes, 0, tx); 1270 } 1271 acl_phys.z_acl_extern_obj = aoid; 1272 for (aclnode = list_head(&aclp->z_acl); aclnode; 1273 aclnode = list_next(&aclp->z_acl, aclnode)) { 1274 if (aclnode->z_ace_count == 0) 1275 continue; 1276 dmu_write(zfsvfs->z_os, aoid, off, 1277 aclnode->z_size, aclnode->z_acldata, tx); 1278 off += aclnode->z_size; 1279 } 1280 } else { 1281 void *start = acl_phys.z_ace_data; 1282 /* 1283 * Migrating back embedded? 1284 */ 1285 if (acl_phys.z_acl_extern_obj) { 1286 error = dmu_object_free(zfsvfs->z_os, 1287 acl_phys.z_acl_extern_obj, tx); 1288 if (error) 1289 return (error); 1290 acl_phys.z_acl_extern_obj = 0; 1291 } 1292 1293 for (aclnode = list_head(&aclp->z_acl); aclnode; 1294 aclnode = list_next(&aclp->z_acl, aclnode)) { 1295 if (aclnode->z_ace_count == 0) 1296 continue; 1297 bcopy(aclnode->z_acldata, start, 1298 aclnode->z_size); 1299 start = (caddr_t)start + aclnode->z_size; 1300 } 1301 } 1302 /* 1303 * If Old version then swap count/bytes to match old 1304 * layout of znode_acl_phys_t. 1305 */ 1306 if (aclp->z_version == ZFS_ACL_VERSION_INITIAL) { 1307 acl_phys.z_acl_size = aclp->z_acl_count; 1308 acl_phys.z_acl_count = aclp->z_acl_bytes; 1309 } else { 1310 acl_phys.z_acl_size = aclp->z_acl_bytes; 1311 acl_phys.z_acl_count = aclp->z_acl_count; 1312 } 1313 acl_phys.z_acl_version = aclp->z_version; 1314 1315 SA_ADD_BULK_ATTR(bulk, count, SA_ZPL_ZNODE_ACL(zfsvfs), NULL, 1316 &acl_phys, sizeof (acl_phys)); 1317 } 1318 1319 /* 1320 * Replace ACL wide bits, but first clear them. 1321 */ 1322 zp->z_pflags &= ~ZFS_ACL_WIDE_FLAGS; 1323 1324 zp->z_pflags |= aclp->z_hints; 1325 1326 if (ace_trivial_common(aclp, 0, zfs_ace_walk) == 0) 1327 zp->z_pflags |= ZFS_ACL_TRIVIAL; 1328 1329 zfs_tstamp_update_setup(zp, STATE_CHANGED, NULL, ctime, B_TRUE); 1330 return (sa_bulk_update(zp->z_sa_hdl, bulk, count, tx)); 1331 } 1332 1333 /* 1334 * Update access mask for prepended ACE 1335 * 1336 * This applies the "groupmask" value for aclmode property. 1337 */ 1338 static void 1339 zfs_acl_prepend_fixup(zfs_acl_t *aclp, void *acep, void *origacep, 1340 mode_t mode, uint64_t owner) 1341 { 1342 int rmask, wmask, xmask; 1343 int user_ace; 1344 uint16_t aceflags; 1345 uint32_t origmask, acepmask; 1346 uint64_t fuid; 1347 1348 aceflags = aclp->z_ops.ace_flags_get(acep); 1349 fuid = aclp->z_ops.ace_who_get(acep); 1350 origmask = aclp->z_ops.ace_mask_get(origacep); 1351 acepmask = aclp->z_ops.ace_mask_get(acep); 1352 1353 user_ace = (!(aceflags & 1354 (ACE_OWNER|ACE_GROUP|ACE_IDENTIFIER_GROUP))); 1355 1356 if (user_ace && (fuid == owner)) { 1357 rmask = S_IRUSR; 1358 wmask = S_IWUSR; 1359 xmask = S_IXUSR; 1360 } else { 1361 rmask = S_IRGRP; 1362 wmask = S_IWGRP; 1363 xmask = S_IXGRP; 1364 } 1365 1366 if (origmask & ACE_READ_DATA) { 1367 if (mode & rmask) { 1368 acepmask &= ~ACE_READ_DATA; 1369 } else { 1370 acepmask |= ACE_READ_DATA; 1371 } 1372 } 1373 1374 if (origmask & ACE_WRITE_DATA) { 1375 if (mode & wmask) { 1376 acepmask &= ~ACE_WRITE_DATA; 1377 } else { 1378 acepmask |= ACE_WRITE_DATA; 1379 } 1380 } 1381 1382 if (origmask & ACE_APPEND_DATA) { 1383 if (mode & wmask) { 1384 acepmask &= ~ACE_APPEND_DATA; 1385 } else { 1386 acepmask |= ACE_APPEND_DATA; 1387 } 1388 } 1389 1390 if (origmask & ACE_EXECUTE) { 1391 if (mode & xmask) { 1392 acepmask &= ~ACE_EXECUTE; 1393 } else { 1394 acepmask |= ACE_EXECUTE; 1395 } 1396 } 1397 aclp->z_ops.ace_mask_set(acep, acepmask); 1398 } 1399 1400 static void 1401 zfs_acl_chmod(zfsvfs_t *zfsvfs, uint64_t mode, zfs_acl_t *aclp) 1402 { 1403 void *acep = NULL; 1404 uint64_t who; 1405 int new_count, new_bytes; 1406 int ace_size; 1407 int entry_type; 1408 uint16_t iflags, type; 1409 uint32_t access_mask; 1410 zfs_acl_node_t *newnode; 1411 size_t abstract_size = aclp->z_ops.ace_abstract_size(); 1412 void *zacep; 1413 uint32_t owner, group, everyone; 1414 uint32_t deny1, deny2, allow0; 1415 1416 new_count = new_bytes = 0; 1417 1418 acl_trivial_access_masks((mode_t)mode, &allow0, &deny1, &deny2, 1419 &owner, &group, &everyone); 1420 1421 newnode = zfs_acl_node_alloc((abstract_size * 6) + aclp->z_acl_bytes); 1422 1423 zacep = newnode->z_acldata; 1424 if (allow0) { 1425 zfs_set_ace(aclp, zacep, allow0, ALLOW, -1, ACE_OWNER); 1426 zacep = (void *)((uintptr_t)zacep + abstract_size); 1427 new_count++; 1428 new_bytes += abstract_size; 1429 } if (deny1) { 1430 zfs_set_ace(aclp, zacep, deny1, DENY, -1, ACE_OWNER); 1431 zacep = (void *)((uintptr_t)zacep + abstract_size); 1432 new_count++; 1433 new_bytes += abstract_size; 1434 } 1435 if (deny2) { 1436 zfs_set_ace(aclp, zacep, deny2, DENY, -1, OWNING_GROUP); 1437 zacep = (void *)((uintptr_t)zacep + abstract_size); 1438 new_count++; 1439 new_bytes += abstract_size; 1440 } 1441 1442 while (acep = zfs_acl_next_ace(aclp, acep, &who, &access_mask, 1443 &iflags, &type)) { 1444 uint16_t inherit_flags; 1445 1446 entry_type = (iflags & ACE_TYPE_FLAGS); 1447 inherit_flags = (iflags & ALL_INHERIT); 1448 1449 if ((entry_type == ACE_OWNER || entry_type == ACE_EVERYONE || 1450 (entry_type == OWNING_GROUP)) && 1451 ((inherit_flags & ACE_INHERIT_ONLY_ACE) == 0)) { 1452 continue; 1453 } 1454 1455 if ((type != ALLOW && type != DENY) || 1456 (inherit_flags & ACE_INHERIT_ONLY_ACE)) { 1457 if (inherit_flags) 1458 aclp->z_hints |= ZFS_INHERIT_ACE; 1459 switch (type) { 1460 case ACE_ACCESS_ALLOWED_OBJECT_ACE_TYPE: 1461 case ACE_ACCESS_DENIED_OBJECT_ACE_TYPE: 1462 case ACE_SYSTEM_AUDIT_OBJECT_ACE_TYPE: 1463 case ACE_SYSTEM_ALARM_OBJECT_ACE_TYPE: 1464 aclp->z_hints |= ZFS_ACL_OBJ_ACE; 1465 break; 1466 } 1467 } else { 1468 1469 /* 1470 * Limit permissions to be no greater than 1471 * group permissions 1472 */ 1473 if (zfsvfs->z_acl_inherit == ZFS_ACL_RESTRICTED) { 1474 if (!(mode & S_IRGRP)) 1475 access_mask &= ~ACE_READ_DATA; 1476 if (!(mode & S_IWGRP)) 1477 access_mask &= 1478 ~(ACE_WRITE_DATA|ACE_APPEND_DATA); 1479 if (!(mode & S_IXGRP)) 1480 access_mask &= ~ACE_EXECUTE; 1481 access_mask &= 1482 ~(ACE_WRITE_OWNER|ACE_WRITE_ACL| 1483 ACE_WRITE_ATTRIBUTES|ACE_WRITE_NAMED_ATTRS); 1484 } 1485 } 1486 zfs_set_ace(aclp, zacep, access_mask, type, who, iflags); 1487 ace_size = aclp->z_ops.ace_size(acep); 1488 zacep = (void *)((uintptr_t)zacep + ace_size); 1489 new_count++; 1490 new_bytes += ace_size; 1491 } 1492 zfs_set_ace(aclp, zacep, owner, 0, -1, ACE_OWNER); 1493 zacep = (void *)((uintptr_t)zacep + abstract_size); 1494 zfs_set_ace(aclp, zacep, group, 0, -1, OWNING_GROUP); 1495 zacep = (void *)((uintptr_t)zacep + abstract_size); 1496 zfs_set_ace(aclp, zacep, everyone, 0, -1, ACE_EVERYONE); 1497 1498 new_count += 3; 1499 new_bytes += abstract_size * 3; 1500 zfs_acl_release_nodes(aclp); 1501 aclp->z_acl_count = new_count; 1502 aclp->z_acl_bytes = new_bytes; 1503 newnode->z_ace_count = new_count; 1504 newnode->z_size = new_bytes; 1505 list_insert_tail(&aclp->z_acl, newnode); 1506 } 1507 1508 void 1509 zfs_acl_chmod_setattr(znode_t *zp, zfs_acl_t **aclp, uint64_t mode) 1510 { 1511 mutex_enter(&zp->z_acl_lock); 1512 mutex_enter(&zp->z_lock); 1513 *aclp = zfs_acl_alloc(zfs_acl_version_zp(zp)); 1514 (*aclp)->z_hints = zp->z_pflags & V4_ACL_WIDE_FLAGS; 1515 zfs_acl_chmod(zp->z_zfsvfs, mode, *aclp); 1516 mutex_exit(&zp->z_lock); 1517 mutex_exit(&zp->z_acl_lock); 1518 ASSERT(*aclp); 1519 } 1520 1521 /* 1522 * strip off write_owner and write_acl 1523 */ 1524 static void 1525 zfs_restricted_update(zfsvfs_t *zfsvfs, zfs_acl_t *aclp, void *acep) 1526 { 1527 uint32_t mask = aclp->z_ops.ace_mask_get(acep); 1528 1529 if ((zfsvfs->z_acl_inherit == ZFS_ACL_RESTRICTED) && 1530 (aclp->z_ops.ace_type_get(acep) == ALLOW)) { 1531 mask &= ~RESTRICTED_CLEAR; 1532 aclp->z_ops.ace_mask_set(acep, mask); 1533 } 1534 } 1535 1536 /* 1537 * Should ACE be inherited? 1538 */ 1539 static int 1540 zfs_ace_can_use(vtype_t vtype, uint16_t acep_flags) 1541 { 1542 int iflags = (acep_flags & 0xf); 1543 1544 if ((vtype == VDIR) && (iflags & ACE_DIRECTORY_INHERIT_ACE)) 1545 return (1); 1546 else if (iflags & ACE_FILE_INHERIT_ACE) 1547 return (!((vtype == VDIR) && 1548 (iflags & ACE_NO_PROPAGATE_INHERIT_ACE))); 1549 return (0); 1550 } 1551 1552 /* 1553 * inherit inheritable ACEs from parent 1554 */ 1555 static zfs_acl_t * 1556 zfs_acl_inherit(zfsvfs_t *zfsvfs, vtype_t vtype, zfs_acl_t *paclp, 1557 uint64_t mode, boolean_t *need_chmod) 1558 { 1559 void *pacep; 1560 void *acep; 1561 zfs_acl_node_t *aclnode; 1562 zfs_acl_t *aclp = NULL; 1563 uint64_t who; 1564 uint32_t access_mask; 1565 uint16_t iflags, newflags, type; 1566 size_t ace_size; 1567 void *data1, *data2; 1568 size_t data1sz, data2sz; 1569 boolean_t vdir = vtype == VDIR; 1570 boolean_t vreg = vtype == VREG; 1571 boolean_t passthrough, passthrough_x, noallow; 1572 1573 passthrough_x = 1574 zfsvfs->z_acl_inherit == ZFS_ACL_PASSTHROUGH_X; 1575 passthrough = passthrough_x || 1576 zfsvfs->z_acl_inherit == ZFS_ACL_PASSTHROUGH; 1577 noallow = 1578 zfsvfs->z_acl_inherit == ZFS_ACL_NOALLOW; 1579 1580 *need_chmod = B_TRUE; 1581 pacep = NULL; 1582 aclp = zfs_acl_alloc(paclp->z_version); 1583 if (zfsvfs->z_acl_inherit == ZFS_ACL_DISCARD || vtype == VLNK) 1584 return (aclp); 1585 while (pacep = zfs_acl_next_ace(paclp, pacep, &who, 1586 &access_mask, &iflags, &type)) { 1587 1588 /* 1589 * don't inherit bogus ACEs 1590 */ 1591 if (!zfs_acl_valid_ace_type(type, iflags)) 1592 continue; 1593 1594 if (noallow && type == ALLOW) 1595 continue; 1596 1597 ace_size = aclp->z_ops.ace_size(pacep); 1598 1599 if (!zfs_ace_can_use(vtype, iflags)) 1600 continue; 1601 1602 /* 1603 * If owner@, group@, or everyone@ inheritable 1604 * then zfs_acl_chmod() isn't needed. 1605 */ 1606 if (passthrough && 1607 ((iflags & (ACE_OWNER|ACE_EVERYONE)) || 1608 ((iflags & OWNING_GROUP) == 1609 OWNING_GROUP)) && (vreg || (vdir && (iflags & 1610 ACE_DIRECTORY_INHERIT_ACE)))) { 1611 *need_chmod = B_FALSE; 1612 } 1613 1614 if (!vdir && passthrough_x && 1615 ((mode & (S_IXUSR | S_IXGRP | S_IXOTH)) == 0)) { 1616 access_mask &= ~ACE_EXECUTE; 1617 } 1618 1619 aclnode = zfs_acl_node_alloc(ace_size); 1620 list_insert_tail(&aclp->z_acl, aclnode); 1621 acep = aclnode->z_acldata; 1622 1623 zfs_set_ace(aclp, acep, access_mask, type, 1624 who, iflags|ACE_INHERITED_ACE); 1625 1626 /* 1627 * Copy special opaque data if any 1628 */ 1629 if ((data1sz = paclp->z_ops.ace_data(pacep, &data1)) != 0) { 1630 VERIFY((data2sz = aclp->z_ops.ace_data(acep, 1631 &data2)) == data1sz); 1632 bcopy(data1, data2, data2sz); 1633 } 1634 1635 aclp->z_acl_count++; 1636 aclnode->z_ace_count++; 1637 aclp->z_acl_bytes += aclnode->z_size; 1638 newflags = aclp->z_ops.ace_flags_get(acep); 1639 1640 if (vdir) 1641 aclp->z_hints |= ZFS_INHERIT_ACE; 1642 1643 if ((iflags & ACE_NO_PROPAGATE_INHERIT_ACE) || !vdir) { 1644 newflags &= ~ALL_INHERIT; 1645 aclp->z_ops.ace_flags_set(acep, 1646 newflags|ACE_INHERITED_ACE); 1647 zfs_restricted_update(zfsvfs, aclp, acep); 1648 continue; 1649 } 1650 1651 ASSERT(vdir); 1652 1653 /* 1654 * If only FILE_INHERIT is set then turn on 1655 * inherit_only 1656 */ 1657 if ((iflags & (ACE_FILE_INHERIT_ACE | 1658 ACE_DIRECTORY_INHERIT_ACE)) == ACE_FILE_INHERIT_ACE) { 1659 newflags |= ACE_INHERIT_ONLY_ACE; 1660 aclp->z_ops.ace_flags_set(acep, 1661 newflags|ACE_INHERITED_ACE); 1662 } else { 1663 newflags &= ~ACE_INHERIT_ONLY_ACE; 1664 aclp->z_ops.ace_flags_set(acep, 1665 newflags|ACE_INHERITED_ACE); 1666 } 1667 } 1668 return (aclp); 1669 } 1670 1671 /* 1672 * Create file system object initial permissions 1673 * including inheritable ACEs. 1674 */ 1675 int 1676 zfs_acl_ids_create(znode_t *dzp, int flag, vattr_t *vap, cred_t *cr, 1677 vsecattr_t *vsecp, zfs_acl_ids_t *acl_ids) 1678 { 1679 int error; 1680 zfsvfs_t *zfsvfs = dzp->z_zfsvfs; 1681 zfs_acl_t *paclp; 1682 gid_t gid; 1683 boolean_t need_chmod = B_TRUE; 1684 boolean_t inherited = B_FALSE; 1685 1686 bzero(acl_ids, sizeof (zfs_acl_ids_t)); 1687 acl_ids->z_mode = MAKEIMODE(vap->va_type, vap->va_mode); 1688 1689 if (vsecp) 1690 if ((error = zfs_vsec_2_aclp(zfsvfs, vap->va_type, vsecp, cr, 1691 &acl_ids->z_fuidp, &acl_ids->z_aclp)) != 0) 1692 return (error); 1693 /* 1694 * Determine uid and gid. 1695 */ 1696 if ((flag & IS_ROOT_NODE) || zfsvfs->z_replay || 1697 ((flag & IS_XATTR) && (vap->va_type == VDIR))) { 1698 acl_ids->z_fuid = zfs_fuid_create(zfsvfs, 1699 (uint64_t)vap->va_uid, cr, 1700 ZFS_OWNER, &acl_ids->z_fuidp); 1701 acl_ids->z_fgid = zfs_fuid_create(zfsvfs, 1702 (uint64_t)vap->va_gid, cr, 1703 ZFS_GROUP, &acl_ids->z_fuidp); 1704 gid = vap->va_gid; 1705 } else { 1706 acl_ids->z_fuid = zfs_fuid_create_cred(zfsvfs, ZFS_OWNER, 1707 cr, &acl_ids->z_fuidp); 1708 acl_ids->z_fgid = 0; 1709 if (vap->va_mask & AT_GID) { 1710 acl_ids->z_fgid = zfs_fuid_create(zfsvfs, 1711 (uint64_t)vap->va_gid, 1712 cr, ZFS_GROUP, &acl_ids->z_fuidp); 1713 gid = vap->va_gid; 1714 if (acl_ids->z_fgid != dzp->z_gid && 1715 !groupmember(vap->va_gid, cr) && 1716 secpolicy_vnode_create_gid(cr) != 0) 1717 acl_ids->z_fgid = 0; 1718 } 1719 if (acl_ids->z_fgid == 0) { 1720 if (dzp->z_mode & S_ISGID) { 1721 char *domain; 1722 uint32_t rid; 1723 1724 acl_ids->z_fgid = dzp->z_gid; 1725 gid = zfs_fuid_map_id(zfsvfs, acl_ids->z_fgid, 1726 cr, ZFS_GROUP); 1727 1728 if (zfsvfs->z_use_fuids && 1729 IS_EPHEMERAL(acl_ids->z_fgid)) { 1730 domain = zfs_fuid_idx_domain( 1731 &zfsvfs->z_fuid_idx, 1732 FUID_INDEX(acl_ids->z_fgid)); 1733 rid = FUID_RID(acl_ids->z_fgid); 1734 zfs_fuid_node_add(&acl_ids->z_fuidp, 1735 domain, rid, 1736 FUID_INDEX(acl_ids->z_fgid), 1737 acl_ids->z_fgid, ZFS_GROUP); 1738 } 1739 } else { 1740 acl_ids->z_fgid = zfs_fuid_create_cred(zfsvfs, 1741 ZFS_GROUP, cr, &acl_ids->z_fuidp); 1742 gid = crgetgid(cr); 1743 } 1744 } 1745 } 1746 1747 /* 1748 * If we're creating a directory, and the parent directory has the 1749 * set-GID bit set, set in on the new directory. 1750 * Otherwise, if the user is neither privileged nor a member of the 1751 * file's new group, clear the file's set-GID bit. 1752 */ 1753 1754 if (!(flag & IS_ROOT_NODE) && (dzp->z_mode & S_ISGID) && 1755 (vap->va_type == VDIR)) { 1756 acl_ids->z_mode |= S_ISGID; 1757 } else { 1758 if ((acl_ids->z_mode & S_ISGID) && 1759 secpolicy_vnode_setids_setgids(cr, gid) != 0) 1760 acl_ids->z_mode &= ~S_ISGID; 1761 } 1762 1763 if (acl_ids->z_aclp == NULL) { 1764 mutex_enter(&dzp->z_acl_lock); 1765 mutex_enter(&dzp->z_lock); 1766 if (!(flag & IS_ROOT_NODE) && (ZTOV(dzp)->v_type == VDIR && 1767 (dzp->z_pflags & ZFS_INHERIT_ACE)) && 1768 !(dzp->z_pflags & ZFS_XATTR)) { 1769 VERIFY(0 == zfs_acl_node_read(dzp, B_TRUE, 1770 &paclp, B_FALSE)); 1771 acl_ids->z_aclp = zfs_acl_inherit(zfsvfs, 1772 vap->va_type, paclp, acl_ids->z_mode, &need_chmod); 1773 inherited = B_TRUE; 1774 } else { 1775 acl_ids->z_aclp = 1776 zfs_acl_alloc(zfs_acl_version_zp(dzp)); 1777 acl_ids->z_aclp->z_hints |= ZFS_ACL_TRIVIAL; 1778 } 1779 mutex_exit(&dzp->z_lock); 1780 mutex_exit(&dzp->z_acl_lock); 1781 if (need_chmod) { 1782 acl_ids->z_aclp->z_hints |= (vap->va_type == VDIR) ? 1783 ZFS_ACL_AUTO_INHERIT : 0; 1784 zfs_acl_chmod(zfsvfs, acl_ids->z_mode, acl_ids->z_aclp); 1785 } 1786 } 1787 1788 if (inherited || vsecp) { 1789 acl_ids->z_mode = zfs_mode_compute(acl_ids->z_mode, 1790 acl_ids->z_aclp, &acl_ids->z_aclp->z_hints, 1791 acl_ids->z_fuid, acl_ids->z_fgid); 1792 if (ace_trivial_common(acl_ids->z_aclp, 0, zfs_ace_walk) == 0) 1793 acl_ids->z_aclp->z_hints |= ZFS_ACL_TRIVIAL; 1794 } 1795 1796 return (0); 1797 } 1798 1799 /* 1800 * Free ACL and fuid_infop, but not the acl_ids structure 1801 */ 1802 void 1803 zfs_acl_ids_free(zfs_acl_ids_t *acl_ids) 1804 { 1805 if (acl_ids->z_aclp) 1806 zfs_acl_free(acl_ids->z_aclp); 1807 if (acl_ids->z_fuidp) 1808 zfs_fuid_info_free(acl_ids->z_fuidp); 1809 acl_ids->z_aclp = NULL; 1810 acl_ids->z_fuidp = NULL; 1811 } 1812 1813 boolean_t 1814 zfs_acl_ids_overquota(zfsvfs_t *zfsvfs, zfs_acl_ids_t *acl_ids) 1815 { 1816 return (zfs_fuid_overquota(zfsvfs, B_FALSE, acl_ids->z_fuid) || 1817 zfs_fuid_overquota(zfsvfs, B_TRUE, acl_ids->z_fgid)); 1818 } 1819 1820 /* 1821 * Retrieve a files ACL 1822 */ 1823 int 1824 zfs_getacl(znode_t *zp, vsecattr_t *vsecp, boolean_t skipaclchk, cred_t *cr) 1825 { 1826 zfs_acl_t *aclp; 1827 ulong_t mask; 1828 int error; 1829 int count = 0; 1830 int largeace = 0; 1831 1832 mask = vsecp->vsa_mask & (VSA_ACE | VSA_ACECNT | 1833 VSA_ACE_ACLFLAGS | VSA_ACE_ALLTYPES); 1834 1835 if (mask == 0) 1836 return (ENOSYS); 1837 1838 if (error = zfs_zaccess(zp, ACE_READ_ACL, 0, skipaclchk, cr)) 1839 return (error); 1840 1841 mutex_enter(&zp->z_acl_lock); 1842 1843 error = zfs_acl_node_read(zp, B_FALSE, &aclp, B_FALSE); 1844 if (error != 0) { 1845 mutex_exit(&zp->z_acl_lock); 1846 return (error); 1847 } 1848 1849 /* 1850 * Scan ACL to determine number of ACEs 1851 */ 1852 if ((zp->z_pflags & ZFS_ACL_OBJ_ACE) && !(mask & VSA_ACE_ALLTYPES)) { 1853 void *zacep = NULL; 1854 uint64_t who; 1855 uint32_t access_mask; 1856 uint16_t type, iflags; 1857 1858 while (zacep = zfs_acl_next_ace(aclp, zacep, 1859 &who, &access_mask, &iflags, &type)) { 1860 switch (type) { 1861 case ACE_ACCESS_ALLOWED_OBJECT_ACE_TYPE: 1862 case ACE_ACCESS_DENIED_OBJECT_ACE_TYPE: 1863 case ACE_SYSTEM_AUDIT_OBJECT_ACE_TYPE: 1864 case ACE_SYSTEM_ALARM_OBJECT_ACE_TYPE: 1865 largeace++; 1866 continue; 1867 default: 1868 count++; 1869 } 1870 } 1871 vsecp->vsa_aclcnt = count; 1872 } else 1873 count = (int)aclp->z_acl_count; 1874 1875 if (mask & VSA_ACECNT) { 1876 vsecp->vsa_aclcnt = count; 1877 } 1878 1879 if (mask & VSA_ACE) { 1880 size_t aclsz; 1881 1882 aclsz = count * sizeof (ace_t) + 1883 sizeof (ace_object_t) * largeace; 1884 1885 vsecp->vsa_aclentp = kmem_alloc(aclsz, KM_SLEEP); 1886 vsecp->vsa_aclentsz = aclsz; 1887 1888 if (aclp->z_version == ZFS_ACL_VERSION_FUID) 1889 zfs_copy_fuid_2_ace(zp->z_zfsvfs, aclp, cr, 1890 vsecp->vsa_aclentp, !(mask & VSA_ACE_ALLTYPES)); 1891 else { 1892 zfs_acl_node_t *aclnode; 1893 void *start = vsecp->vsa_aclentp; 1894 1895 for (aclnode = list_head(&aclp->z_acl); aclnode; 1896 aclnode = list_next(&aclp->z_acl, aclnode)) { 1897 bcopy(aclnode->z_acldata, start, 1898 aclnode->z_size); 1899 start = (caddr_t)start + aclnode->z_size; 1900 } 1901 ASSERT((caddr_t)start - (caddr_t)vsecp->vsa_aclentp == 1902 aclp->z_acl_bytes); 1903 } 1904 } 1905 if (mask & VSA_ACE_ACLFLAGS) { 1906 vsecp->vsa_aclflags = 0; 1907 if (zp->z_pflags & ZFS_ACL_DEFAULTED) 1908 vsecp->vsa_aclflags |= ACL_DEFAULTED; 1909 if (zp->z_pflags & ZFS_ACL_PROTECTED) 1910 vsecp->vsa_aclflags |= ACL_PROTECTED; 1911 if (zp->z_pflags & ZFS_ACL_AUTO_INHERIT) 1912 vsecp->vsa_aclflags |= ACL_AUTO_INHERIT; 1913 } 1914 1915 mutex_exit(&zp->z_acl_lock); 1916 1917 return (0); 1918 } 1919 1920 int 1921 zfs_vsec_2_aclp(zfsvfs_t *zfsvfs, vtype_t obj_type, 1922 vsecattr_t *vsecp, cred_t *cr, zfs_fuid_info_t **fuidp, zfs_acl_t **zaclp) 1923 { 1924 zfs_acl_t *aclp; 1925 zfs_acl_node_t *aclnode; 1926 int aclcnt = vsecp->vsa_aclcnt; 1927 int error; 1928 1929 if (vsecp->vsa_aclcnt > MAX_ACL_ENTRIES || vsecp->vsa_aclcnt <= 0) 1930 return (EINVAL); 1931 1932 aclp = zfs_acl_alloc(zfs_acl_version(zfsvfs->z_version)); 1933 1934 aclp->z_hints = 0; 1935 aclnode = zfs_acl_node_alloc(aclcnt * sizeof (zfs_object_ace_t)); 1936 if (aclp->z_version == ZFS_ACL_VERSION_INITIAL) { 1937 if ((error = zfs_copy_ace_2_oldace(obj_type, aclp, 1938 (ace_t *)vsecp->vsa_aclentp, aclnode->z_acldata, 1939 aclcnt, &aclnode->z_size)) != 0) { 1940 zfs_acl_free(aclp); 1941 zfs_acl_node_free(aclnode); 1942 return (error); 1943 } 1944 } else { 1945 if ((error = zfs_copy_ace_2_fuid(zfsvfs, obj_type, aclp, 1946 vsecp->vsa_aclentp, aclnode->z_acldata, aclcnt, 1947 &aclnode->z_size, fuidp, cr)) != 0) { 1948 zfs_acl_free(aclp); 1949 zfs_acl_node_free(aclnode); 1950 return (error); 1951 } 1952 } 1953 aclp->z_acl_bytes = aclnode->z_size; 1954 aclnode->z_ace_count = aclcnt; 1955 aclp->z_acl_count = aclcnt; 1956 list_insert_head(&aclp->z_acl, aclnode); 1957 1958 /* 1959 * If flags are being set then add them to z_hints 1960 */ 1961 if (vsecp->vsa_mask & VSA_ACE_ACLFLAGS) { 1962 if (vsecp->vsa_aclflags & ACL_PROTECTED) 1963 aclp->z_hints |= ZFS_ACL_PROTECTED; 1964 if (vsecp->vsa_aclflags & ACL_DEFAULTED) 1965 aclp->z_hints |= ZFS_ACL_DEFAULTED; 1966 if (vsecp->vsa_aclflags & ACL_AUTO_INHERIT) 1967 aclp->z_hints |= ZFS_ACL_AUTO_INHERIT; 1968 } 1969 1970 *zaclp = aclp; 1971 1972 return (0); 1973 } 1974 1975 /* 1976 * Set a files ACL 1977 */ 1978 int 1979 zfs_setacl(znode_t *zp, vsecattr_t *vsecp, boolean_t skipaclchk, cred_t *cr) 1980 { 1981 zfsvfs_t *zfsvfs = zp->z_zfsvfs; 1982 zilog_t *zilog = zfsvfs->z_log; 1983 ulong_t mask = vsecp->vsa_mask & (VSA_ACE | VSA_ACECNT); 1984 dmu_tx_t *tx; 1985 int error; 1986 zfs_acl_t *aclp; 1987 zfs_fuid_info_t *fuidp = NULL; 1988 boolean_t fuid_dirtied; 1989 uint64_t acl_obj; 1990 1991 if (mask == 0) 1992 return (ENOSYS); 1993 1994 if (zp->z_pflags & ZFS_IMMUTABLE) 1995 return (EPERM); 1996 1997 if (error = zfs_zaccess(zp, ACE_WRITE_ACL, 0, skipaclchk, cr)) 1998 return (error); 1999 2000 error = zfs_vsec_2_aclp(zfsvfs, ZTOV(zp)->v_type, vsecp, cr, &fuidp, 2001 &aclp); 2002 if (error) 2003 return (error); 2004 2005 /* 2006 * If ACL wide flags aren't being set then preserve any 2007 * existing flags. 2008 */ 2009 if (!(vsecp->vsa_mask & VSA_ACE_ACLFLAGS)) { 2010 aclp->z_hints |= 2011 (zp->z_pflags & V4_ACL_WIDE_FLAGS); 2012 } 2013 top: 2014 mutex_enter(&zp->z_acl_lock); 2015 mutex_enter(&zp->z_lock); 2016 2017 tx = dmu_tx_create(zfsvfs->z_os); 2018 2019 dmu_tx_hold_sa(tx, zp->z_sa_hdl, B_TRUE); 2020 2021 fuid_dirtied = zfsvfs->z_fuid_dirty; 2022 if (fuid_dirtied) 2023 zfs_fuid_txhold(zfsvfs, tx); 2024 2025 /* 2026 * If old version and ACL won't fit in bonus and we aren't 2027 * upgrading then take out necessary DMU holds 2028 */ 2029 2030 if ((acl_obj = zfs_external_acl(zp)) != 0) { 2031 if (zfsvfs->z_version >= ZPL_VERSION_FUID && 2032 zfs_znode_acl_version(zp) <= ZFS_ACL_VERSION_INITIAL) { 2033 dmu_tx_hold_free(tx, acl_obj, 0, 2034 DMU_OBJECT_END); 2035 dmu_tx_hold_write(tx, DMU_NEW_OBJECT, 0, 2036 aclp->z_acl_bytes); 2037 } else { 2038 dmu_tx_hold_write(tx, acl_obj, 0, aclp->z_acl_bytes); 2039 } 2040 } else if (!zp->z_is_sa && aclp->z_acl_bytes > ZFS_ACE_SPACE) { 2041 dmu_tx_hold_write(tx, DMU_NEW_OBJECT, 0, aclp->z_acl_bytes); 2042 } 2043 2044 zfs_sa_upgrade_txholds(tx, zp); 2045 error = dmu_tx_assign(tx, TXG_NOWAIT); 2046 if (error) { 2047 mutex_exit(&zp->z_acl_lock); 2048 mutex_exit(&zp->z_lock); 2049 2050 if (error == ERESTART) { 2051 dmu_tx_wait(tx); 2052 dmu_tx_abort(tx); 2053 goto top; 2054 } 2055 dmu_tx_abort(tx); 2056 zfs_acl_free(aclp); 2057 return (error); 2058 } 2059 2060 error = zfs_aclset_common(zp, aclp, cr, tx); 2061 ASSERT(error == 0); 2062 ASSERT(zp->z_acl_cached == NULL); 2063 zp->z_acl_cached = aclp; 2064 2065 if (fuid_dirtied) 2066 zfs_fuid_sync(zfsvfs, tx); 2067 2068 zfs_log_acl(zilog, tx, zp, vsecp, fuidp); 2069 2070 if (fuidp) 2071 zfs_fuid_info_free(fuidp); 2072 dmu_tx_commit(tx); 2073 done: 2074 mutex_exit(&zp->z_lock); 2075 mutex_exit(&zp->z_acl_lock); 2076 2077 return (error); 2078 } 2079 2080 /* 2081 * Check accesses of interest (AoI) against attributes of the dataset 2082 * such as read-only. Returns zero if no AoI conflict with dataset 2083 * attributes, otherwise an appropriate errno is returned. 2084 */ 2085 static int 2086 zfs_zaccess_dataset_check(znode_t *zp, uint32_t v4_mode) 2087 { 2088 if ((v4_mode & WRITE_MASK) && 2089 (zp->z_zfsvfs->z_vfs->vfs_flag & VFS_RDONLY) && 2090 (!IS_DEVVP(ZTOV(zp)) || 2091 (IS_DEVVP(ZTOV(zp)) && (v4_mode & WRITE_MASK_ATTRS)))) { 2092 return (EROFS); 2093 } 2094 2095 /* 2096 * Only check for READONLY on non-directories. 2097 */ 2098 if ((v4_mode & WRITE_MASK_DATA) && 2099 (((ZTOV(zp)->v_type != VDIR) && 2100 (zp->z_pflags & (ZFS_READONLY | ZFS_IMMUTABLE))) || 2101 (ZTOV(zp)->v_type == VDIR && 2102 (zp->z_pflags & ZFS_IMMUTABLE)))) { 2103 return (EPERM); 2104 } 2105 2106 if ((v4_mode & (ACE_DELETE | ACE_DELETE_CHILD)) && 2107 (zp->z_pflags & ZFS_NOUNLINK)) { 2108 return (EPERM); 2109 } 2110 2111 if (((v4_mode & (ACE_READ_DATA|ACE_EXECUTE)) && 2112 (zp->z_pflags & ZFS_AV_QUARANTINED))) { 2113 return (EACCES); 2114 } 2115 2116 return (0); 2117 } 2118 2119 /* 2120 * The primary usage of this function is to loop through all of the 2121 * ACEs in the znode, determining what accesses of interest (AoI) to 2122 * the caller are allowed or denied. The AoI are expressed as bits in 2123 * the working_mode parameter. As each ACE is processed, bits covered 2124 * by that ACE are removed from the working_mode. This removal 2125 * facilitates two things. The first is that when the working mode is 2126 * empty (= 0), we know we've looked at all the AoI. The second is 2127 * that the ACE interpretation rules don't allow a later ACE to undo 2128 * something granted or denied by an earlier ACE. Removing the 2129 * discovered access or denial enforces this rule. At the end of 2130 * processing the ACEs, all AoI that were found to be denied are 2131 * placed into the working_mode, giving the caller a mask of denied 2132 * accesses. Returns: 2133 * 0 if all AoI granted 2134 * EACCESS if the denied mask is non-zero 2135 * other error if abnormal failure (e.g., IO error) 2136 * 2137 * A secondary usage of the function is to determine if any of the 2138 * AoI are granted. If an ACE grants any access in 2139 * the working_mode, we immediately short circuit out of the function. 2140 * This mode is chosen by setting anyaccess to B_TRUE. The 2141 * working_mode is not a denied access mask upon exit if the function 2142 * is used in this manner. 2143 */ 2144 static int 2145 zfs_zaccess_aces_check(znode_t *zp, uint32_t *working_mode, 2146 boolean_t anyaccess, cred_t *cr) 2147 { 2148 zfsvfs_t *zfsvfs = zp->z_zfsvfs; 2149 zfs_acl_t *aclp; 2150 int error; 2151 uid_t uid = crgetuid(cr); 2152 uint64_t who; 2153 uint16_t type, iflags; 2154 uint16_t entry_type; 2155 uint32_t access_mask; 2156 uint32_t deny_mask = 0; 2157 zfs_ace_hdr_t *acep = NULL; 2158 boolean_t checkit; 2159 uid_t gowner; 2160 uid_t fowner; 2161 2162 zfs_fuid_map_ids(zp, cr, &fowner, &gowner); 2163 2164 mutex_enter(&zp->z_acl_lock); 2165 2166 error = zfs_acl_node_read(zp, B_FALSE, &aclp, B_FALSE); 2167 if (error != 0) { 2168 mutex_exit(&zp->z_acl_lock); 2169 return (error); 2170 } 2171 2172 ASSERT(zp->z_acl_cached); 2173 2174 while (acep = zfs_acl_next_ace(aclp, acep, &who, &access_mask, 2175 &iflags, &type)) { 2176 uint32_t mask_matched; 2177 2178 if (!zfs_acl_valid_ace_type(type, iflags)) 2179 continue; 2180 2181 if (ZTOV(zp)->v_type == VDIR && (iflags & ACE_INHERIT_ONLY_ACE)) 2182 continue; 2183 2184 /* Skip ACE if it does not affect any AoI */ 2185 mask_matched = (access_mask & *working_mode); 2186 if (!mask_matched) 2187 continue; 2188 2189 entry_type = (iflags & ACE_TYPE_FLAGS); 2190 2191 checkit = B_FALSE; 2192 2193 switch (entry_type) { 2194 case ACE_OWNER: 2195 if (uid == fowner) 2196 checkit = B_TRUE; 2197 break; 2198 case OWNING_GROUP: 2199 who = gowner; 2200 /*FALLTHROUGH*/ 2201 case ACE_IDENTIFIER_GROUP: 2202 checkit = zfs_groupmember(zfsvfs, who, cr); 2203 break; 2204 case ACE_EVERYONE: 2205 checkit = B_TRUE; 2206 break; 2207 2208 /* USER Entry */ 2209 default: 2210 if (entry_type == 0) { 2211 uid_t newid; 2212 2213 newid = zfs_fuid_map_id(zfsvfs, who, cr, 2214 ZFS_ACE_USER); 2215 if (newid != IDMAP_WK_CREATOR_OWNER_UID && 2216 uid == newid) 2217 checkit = B_TRUE; 2218 break; 2219 } else { 2220 mutex_exit(&zp->z_acl_lock); 2221 return (EIO); 2222 } 2223 } 2224 2225 if (checkit) { 2226 if (type == DENY) { 2227 DTRACE_PROBE3(zfs__ace__denies, 2228 znode_t *, zp, 2229 zfs_ace_hdr_t *, acep, 2230 uint32_t, mask_matched); 2231 deny_mask |= mask_matched; 2232 } else { 2233 DTRACE_PROBE3(zfs__ace__allows, 2234 znode_t *, zp, 2235 zfs_ace_hdr_t *, acep, 2236 uint32_t, mask_matched); 2237 if (anyaccess) { 2238 mutex_exit(&zp->z_acl_lock); 2239 return (0); 2240 } 2241 } 2242 *working_mode &= ~mask_matched; 2243 } 2244 2245 /* Are we done? */ 2246 if (*working_mode == 0) 2247 break; 2248 } 2249 2250 mutex_exit(&zp->z_acl_lock); 2251 2252 /* Put the found 'denies' back on the working mode */ 2253 if (deny_mask) { 2254 *working_mode |= deny_mask; 2255 return (EACCES); 2256 } else if (*working_mode) { 2257 return (-1); 2258 } 2259 2260 return (0); 2261 } 2262 2263 /* 2264 * Return true if any access whatsoever granted, we don't actually 2265 * care what access is granted. 2266 */ 2267 boolean_t 2268 zfs_has_access(znode_t *zp, cred_t *cr) 2269 { 2270 uint32_t have = ACE_ALL_PERMS; 2271 2272 if (zfs_zaccess_aces_check(zp, &have, B_TRUE, cr) != 0) { 2273 uid_t owner; 2274 2275 owner = zfs_fuid_map_id(zp->z_zfsvfs, zp->z_uid, cr, ZFS_OWNER); 2276 return (secpolicy_vnode_any_access(cr, ZTOV(zp), owner) == 0); 2277 } 2278 return (B_TRUE); 2279 } 2280 2281 static int 2282 zfs_zaccess_common(znode_t *zp, uint32_t v4_mode, uint32_t *working_mode, 2283 boolean_t *check_privs, boolean_t skipaclchk, cred_t *cr) 2284 { 2285 zfsvfs_t *zfsvfs = zp->z_zfsvfs; 2286 int err; 2287 2288 *working_mode = v4_mode; 2289 *check_privs = B_TRUE; 2290 2291 /* 2292 * Short circuit empty requests 2293 */ 2294 if (v4_mode == 0 || zfsvfs->z_replay) { 2295 *working_mode = 0; 2296 return (0); 2297 } 2298 2299 if ((err = zfs_zaccess_dataset_check(zp, v4_mode)) != 0) { 2300 *check_privs = B_FALSE; 2301 return (err); 2302 } 2303 2304 /* 2305 * The caller requested that the ACL check be skipped. This 2306 * would only happen if the caller checked VOP_ACCESS() with a 2307 * 32 bit ACE mask and already had the appropriate permissions. 2308 */ 2309 if (skipaclchk) { 2310 *working_mode = 0; 2311 return (0); 2312 } 2313 2314 return (zfs_zaccess_aces_check(zp, working_mode, B_FALSE, cr)); 2315 } 2316 2317 static int 2318 zfs_zaccess_append(znode_t *zp, uint32_t *working_mode, boolean_t *check_privs, 2319 cred_t *cr) 2320 { 2321 if (*working_mode != ACE_WRITE_DATA) 2322 return (EACCES); 2323 2324 return (zfs_zaccess_common(zp, ACE_APPEND_DATA, working_mode, 2325 check_privs, B_FALSE, cr)); 2326 } 2327 2328 int 2329 zfs_fastaccesschk_execute(znode_t *zdp, cred_t *cr) 2330 { 2331 boolean_t owner = B_FALSE; 2332 boolean_t groupmbr = B_FALSE; 2333 boolean_t is_attr; 2334 uid_t uid = crgetuid(cr); 2335 int error; 2336 2337 if (zdp->z_pflags & ZFS_AV_QUARANTINED) 2338 return (EACCES); 2339 2340 is_attr = ((zdp->z_pflags & ZFS_XATTR) && 2341 (ZTOV(zdp)->v_type == VDIR)); 2342 if (is_attr) 2343 goto slow; 2344 2345 2346 mutex_enter(&zdp->z_acl_lock); 2347 2348 if (zdp->z_pflags & ZFS_NO_EXECS_DENIED) { 2349 mutex_exit(&zdp->z_acl_lock); 2350 return (0); 2351 } 2352 2353 if (FUID_INDEX(zdp->z_uid) != 0 || FUID_INDEX(zdp->z_gid) != 0) { 2354 mutex_exit(&zdp->z_acl_lock); 2355 goto slow; 2356 } 2357 2358 if (uid == zdp->z_uid) { 2359 owner = B_TRUE; 2360 if (zdp->z_mode & S_IXUSR) { 2361 mutex_exit(&zdp->z_acl_lock); 2362 return (0); 2363 } else { 2364 mutex_exit(&zdp->z_acl_lock); 2365 goto slow; 2366 } 2367 } 2368 if (groupmember(zdp->z_gid, cr)) { 2369 groupmbr = B_TRUE; 2370 if (zdp->z_mode & S_IXGRP) { 2371 mutex_exit(&zdp->z_acl_lock); 2372 return (0); 2373 } else { 2374 mutex_exit(&zdp->z_acl_lock); 2375 goto slow; 2376 } 2377 } 2378 if (!owner && !groupmbr) { 2379 if (zdp->z_mode & S_IXOTH) { 2380 mutex_exit(&zdp->z_acl_lock); 2381 return (0); 2382 } 2383 } 2384 2385 mutex_exit(&zdp->z_acl_lock); 2386 2387 slow: 2388 DTRACE_PROBE(zfs__fastpath__execute__access__miss); 2389 ZFS_ENTER(zdp->z_zfsvfs); 2390 error = zfs_zaccess(zdp, ACE_EXECUTE, 0, B_FALSE, cr); 2391 ZFS_EXIT(zdp->z_zfsvfs); 2392 return (error); 2393 } 2394 2395 /* 2396 * Determine whether Access should be granted/denied. 2397 * The least priv subsytem is always consulted as a basic privilege 2398 * can define any form of access. 2399 */ 2400 int 2401 zfs_zaccess(znode_t *zp, int mode, int flags, boolean_t skipaclchk, cred_t *cr) 2402 { 2403 uint32_t working_mode; 2404 int error; 2405 int is_attr; 2406 boolean_t check_privs; 2407 znode_t *xzp; 2408 znode_t *check_zp = zp; 2409 mode_t needed_bits; 2410 uid_t owner; 2411 2412 is_attr = ((zp->z_pflags & ZFS_XATTR) && (ZTOV(zp)->v_type == VDIR)); 2413 2414 /* 2415 * If attribute then validate against base file 2416 */ 2417 if (is_attr) { 2418 uint64_t parent; 2419 2420 if ((error = sa_lookup(zp->z_sa_hdl, 2421 SA_ZPL_PARENT(zp->z_zfsvfs), &parent, 2422 sizeof (parent))) != 0) 2423 return (error); 2424 2425 if ((error = zfs_zget(zp->z_zfsvfs, 2426 parent, &xzp)) != 0) { 2427 return (error); 2428 } 2429 2430 check_zp = xzp; 2431 2432 /* 2433 * fixup mode to map to xattr perms 2434 */ 2435 2436 if (mode & (ACE_WRITE_DATA|ACE_APPEND_DATA)) { 2437 mode &= ~(ACE_WRITE_DATA|ACE_APPEND_DATA); 2438 mode |= ACE_WRITE_NAMED_ATTRS; 2439 } 2440 2441 if (mode & (ACE_READ_DATA|ACE_EXECUTE)) { 2442 mode &= ~(ACE_READ_DATA|ACE_EXECUTE); 2443 mode |= ACE_READ_NAMED_ATTRS; 2444 } 2445 } 2446 2447 owner = zfs_fuid_map_id(zp->z_zfsvfs, zp->z_uid, cr, ZFS_OWNER); 2448 /* 2449 * Map the bits required to the standard vnode flags VREAD|VWRITE|VEXEC 2450 * in needed_bits. Map the bits mapped by working_mode (currently 2451 * missing) in missing_bits. 2452 * Call secpolicy_vnode_access2() with (needed_bits & ~checkmode), 2453 * needed_bits. 2454 */ 2455 needed_bits = 0; 2456 2457 working_mode = mode; 2458 if ((working_mode & (ACE_READ_ACL|ACE_READ_ATTRIBUTES)) && 2459 owner == crgetuid(cr)) 2460 working_mode &= ~(ACE_READ_ACL|ACE_READ_ATTRIBUTES); 2461 2462 if (working_mode & (ACE_READ_DATA|ACE_READ_NAMED_ATTRS| 2463 ACE_READ_ACL|ACE_READ_ATTRIBUTES|ACE_SYNCHRONIZE)) 2464 needed_bits |= VREAD; 2465 if (working_mode & (ACE_WRITE_DATA|ACE_WRITE_NAMED_ATTRS| 2466 ACE_APPEND_DATA|ACE_WRITE_ATTRIBUTES|ACE_SYNCHRONIZE)) 2467 needed_bits |= VWRITE; 2468 if (working_mode & ACE_EXECUTE) 2469 needed_bits |= VEXEC; 2470 2471 if ((error = zfs_zaccess_common(check_zp, mode, &working_mode, 2472 &check_privs, skipaclchk, cr)) == 0) { 2473 if (is_attr) 2474 VN_RELE(ZTOV(xzp)); 2475 return (secpolicy_vnode_access2(cr, ZTOV(zp), owner, 2476 needed_bits, needed_bits)); 2477 } 2478 2479 if (error && !check_privs) { 2480 if (is_attr) 2481 VN_RELE(ZTOV(xzp)); 2482 return (error); 2483 } 2484 2485 if (error && (flags & V_APPEND)) { 2486 error = zfs_zaccess_append(zp, &working_mode, &check_privs, cr); 2487 } 2488 2489 if (error && check_privs) { 2490 mode_t checkmode = 0; 2491 2492 /* 2493 * First check for implicit owner permission on 2494 * read_acl/read_attributes 2495 */ 2496 2497 error = 0; 2498 ASSERT(working_mode != 0); 2499 2500 if ((working_mode & (ACE_READ_ACL|ACE_READ_ATTRIBUTES) && 2501 owner == crgetuid(cr))) 2502 working_mode &= ~(ACE_READ_ACL|ACE_READ_ATTRIBUTES); 2503 2504 if (working_mode & (ACE_READ_DATA|ACE_READ_NAMED_ATTRS| 2505 ACE_READ_ACL|ACE_READ_ATTRIBUTES|ACE_SYNCHRONIZE)) 2506 checkmode |= VREAD; 2507 if (working_mode & (ACE_WRITE_DATA|ACE_WRITE_NAMED_ATTRS| 2508 ACE_APPEND_DATA|ACE_WRITE_ATTRIBUTES|ACE_SYNCHRONIZE)) 2509 checkmode |= VWRITE; 2510 if (working_mode & ACE_EXECUTE) 2511 checkmode |= VEXEC; 2512 2513 error = secpolicy_vnode_access2(cr, ZTOV(check_zp), owner, 2514 needed_bits & ~checkmode, needed_bits); 2515 2516 if (error == 0 && (working_mode & ACE_WRITE_OWNER)) 2517 error = secpolicy_vnode_chown(cr, owner); 2518 if (error == 0 && (working_mode & ACE_WRITE_ACL)) 2519 error = secpolicy_vnode_setdac(cr, owner); 2520 2521 if (error == 0 && (working_mode & 2522 (ACE_DELETE|ACE_DELETE_CHILD))) 2523 error = secpolicy_vnode_remove(cr); 2524 2525 if (error == 0 && (working_mode & ACE_SYNCHRONIZE)) { 2526 error = secpolicy_vnode_chown(cr, owner); 2527 } 2528 if (error == 0) { 2529 /* 2530 * See if any bits other than those already checked 2531 * for are still present. If so then return EACCES 2532 */ 2533 if (working_mode & ~(ZFS_CHECKED_MASKS)) { 2534 error = EACCES; 2535 } 2536 } 2537 } else if (error == 0) { 2538 error = secpolicy_vnode_access2(cr, ZTOV(zp), owner, 2539 needed_bits, needed_bits); 2540 } 2541 2542 2543 if (is_attr) 2544 VN_RELE(ZTOV(xzp)); 2545 2546 return (error); 2547 } 2548 2549 /* 2550 * Translate traditional unix VREAD/VWRITE/VEXEC mode into 2551 * native ACL format and call zfs_zaccess() 2552 */ 2553 int 2554 zfs_zaccess_rwx(znode_t *zp, mode_t mode, int flags, cred_t *cr) 2555 { 2556 return (zfs_zaccess(zp, zfs_unix_to_v4(mode >> 6), flags, B_FALSE, cr)); 2557 } 2558 2559 /* 2560 * Access function for secpolicy_vnode_setattr 2561 */ 2562 int 2563 zfs_zaccess_unix(znode_t *zp, mode_t mode, cred_t *cr) 2564 { 2565 int v4_mode = zfs_unix_to_v4(mode >> 6); 2566 2567 return (zfs_zaccess(zp, v4_mode, 0, B_FALSE, cr)); 2568 } 2569 2570 static int 2571 zfs_delete_final_check(znode_t *zp, znode_t *dzp, 2572 mode_t available_perms, cred_t *cr) 2573 { 2574 int error; 2575 uid_t downer; 2576 2577 downer = zfs_fuid_map_id(dzp->z_zfsvfs, dzp->z_uid, cr, ZFS_OWNER); 2578 2579 error = secpolicy_vnode_access2(cr, ZTOV(dzp), 2580 downer, available_perms, VWRITE|VEXEC); 2581 2582 if (error == 0) 2583 error = zfs_sticky_remove_access(dzp, zp, cr); 2584 2585 return (error); 2586 } 2587 2588 /* 2589 * Determine whether Access should be granted/deny, without 2590 * consulting least priv subsystem. 2591 * 2592 * 2593 * The following chart is the recommended NFSv4 enforcement for 2594 * ability to delete an object. 2595 * 2596 * ------------------------------------------------------- 2597 * | Parent Dir | Target Object Permissions | 2598 * | permissions | | 2599 * ------------------------------------------------------- 2600 * | | ACL Allows | ACL Denies| Delete | 2601 * | | Delete | Delete | unspecified| 2602 * ------------------------------------------------------- 2603 * | ACL Allows | Permit | Permit | Permit | 2604 * | DELETE_CHILD | | 2605 * ------------------------------------------------------- 2606 * | ACL Denies | Permit | Deny | Deny | 2607 * | DELETE_CHILD | | | | 2608 * ------------------------------------------------------- 2609 * | ACL specifies | | | | 2610 * | only allow | Permit | Permit | Permit | 2611 * | write and | | | | 2612 * | execute | | | | 2613 * ------------------------------------------------------- 2614 * | ACL denies | | | | 2615 * | write and | Permit | Deny | Deny | 2616 * | execute | | | | 2617 * ------------------------------------------------------- 2618 * ^ 2619 * | 2620 * No search privilege, can't even look up file? 2621 * 2622 */ 2623 int 2624 zfs_zaccess_delete(znode_t *dzp, znode_t *zp, cred_t *cr) 2625 { 2626 uint32_t dzp_working_mode = 0; 2627 uint32_t zp_working_mode = 0; 2628 int dzp_error, zp_error; 2629 mode_t available_perms; 2630 boolean_t dzpcheck_privs = B_TRUE; 2631 boolean_t zpcheck_privs = B_TRUE; 2632 2633 /* 2634 * We want specific DELETE permissions to 2635 * take precedence over WRITE/EXECUTE. We don't 2636 * want an ACL such as this to mess us up. 2637 * user:joe:write_data:deny,user:joe:delete:allow 2638 * 2639 * However, deny permissions may ultimately be overridden 2640 * by secpolicy_vnode_access(). 2641 * 2642 * We will ask for all of the necessary permissions and then 2643 * look at the working modes from the directory and target object 2644 * to determine what was found. 2645 */ 2646 2647 if (zp->z_pflags & (ZFS_IMMUTABLE | ZFS_NOUNLINK)) 2648 return (EPERM); 2649 2650 /* 2651 * First row 2652 * If the directory permissions allow the delete, we are done. 2653 */ 2654 if ((dzp_error = zfs_zaccess_common(dzp, ACE_DELETE_CHILD, 2655 &dzp_working_mode, &dzpcheck_privs, B_FALSE, cr)) == 0) 2656 return (0); 2657 2658 /* 2659 * If target object has delete permission then we are done 2660 */ 2661 if ((zp_error = zfs_zaccess_common(zp, ACE_DELETE, &zp_working_mode, 2662 &zpcheck_privs, B_FALSE, cr)) == 0) 2663 return (0); 2664 2665 ASSERT(dzp_error && zp_error); 2666 2667 if (!dzpcheck_privs) 2668 return (dzp_error); 2669 if (!zpcheck_privs) 2670 return (zp_error); 2671 2672 /* 2673 * Second row 2674 * 2675 * If directory returns EACCES then delete_child was denied 2676 * due to deny delete_child. In this case send the request through 2677 * secpolicy_vnode_remove(). We don't use zfs_delete_final_check() 2678 * since that *could* allow the delete based on write/execute permission 2679 * and we want delete permissions to override write/execute. 2680 */ 2681 2682 if (dzp_error == EACCES) 2683 return (secpolicy_vnode_remove(cr)); 2684 2685 /* 2686 * Third Row 2687 * only need to see if we have write/execute on directory. 2688 */ 2689 2690 dzp_error = zfs_zaccess_common(dzp, ACE_EXECUTE|ACE_WRITE_DATA, 2691 &dzp_working_mode, &dzpcheck_privs, B_FALSE, cr); 2692 2693 if (dzp_error != 0 && !dzpcheck_privs) 2694 return (dzp_error); 2695 2696 /* 2697 * Fourth row 2698 */ 2699 2700 available_perms = (dzp_working_mode & ACE_WRITE_DATA) ? 0 : VWRITE; 2701 available_perms |= (dzp_working_mode & ACE_EXECUTE) ? 0 : VEXEC; 2702 2703 return (zfs_delete_final_check(zp, dzp, available_perms, cr)); 2704 2705 } 2706 2707 int 2708 zfs_zaccess_rename(znode_t *sdzp, znode_t *szp, znode_t *tdzp, 2709 znode_t *tzp, cred_t *cr) 2710 { 2711 int add_perm; 2712 int error; 2713 2714 if (szp->z_pflags & ZFS_AV_QUARANTINED) 2715 return (EACCES); 2716 2717 add_perm = (ZTOV(szp)->v_type == VDIR) ? 2718 ACE_ADD_SUBDIRECTORY : ACE_ADD_FILE; 2719 2720 /* 2721 * Rename permissions are combination of delete permission + 2722 * add file/subdir permission. 2723 */ 2724 2725 /* 2726 * first make sure we do the delete portion. 2727 * 2728 * If that succeeds then check for add_file/add_subdir permissions 2729 */ 2730 2731 if (error = zfs_zaccess_delete(sdzp, szp, cr)) 2732 return (error); 2733 2734 /* 2735 * If we have a tzp, see if we can delete it? 2736 */ 2737 if (tzp) { 2738 if (error = zfs_zaccess_delete(tdzp, tzp, cr)) 2739 return (error); 2740 } 2741 2742 /* 2743 * Now check for add permissions 2744 */ 2745 error = zfs_zaccess(tdzp, add_perm, 0, B_FALSE, cr); 2746 2747 return (error); 2748 } 2749
Indexes created Thu May 17 00:40:56 UTC 2012
Terms of Use
|
Privacy
|
Trademarks
|
Copyright Policy
|
Site Guidelines
|
Site Map
|
Help
Your use of this web site or any of its content or software indicates your agreement to be bound by these Terms of Use.
© 2012, Oracle Corporation and/or its affiliates.