search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
CI: Automate some GitHub PR status labels manipulations
[zfs.git] / module / os / linux / zfs / zfs_acl.c
blob206bc22095969834257c7c7c16b5ebd50228fffc
1 /*
2 * CDDL HEADER START
3 *
4 * The contents of this file are subject to the terms of the
5 * Common Development and Distribution License (the "License").
6 * You may not use this file except in compliance with the License.
7 *
8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9 * or https://opensource.org/licenses/CDDL-1.0.
10 * See the License for the specific language governing permissions
11 * and limitations under the License.
12 *
13 * When distributing Covered Code, include this CDDL HEADER in each
14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15 * If applicable, add the following below this CDDL HEADER, with the
16 * fields enclosed by brackets "[]" replaced with your own identifying
17 * information: Portions Copyright [yyyy] [name of copyright owner]
18 *
19 * CDDL HEADER END
20 */
21 /*
22 * Copyright (c) 2005, 2010, Oracle and/or its affiliates. All rights reserved.
23 * Copyright (c) 2013 by Delphix. All rights reserved.
24 * Copyright 2014 Nexenta Systems, Inc. All rights reserved.
25 */
26
27
28 #include <sys/types.h>
29 #include <sys/param.h>
30 #include <sys/time.h>
31 #include <sys/sysmacros.h>
32 #include <sys/vfs.h>
33 #include <sys/vnode.h>
34 #include <sys/sid.h>
35 #include <sys/file.h>
36 #include <sys/stat.h>
37 #include <sys/kmem.h>
38 #include <sys/cmn_err.h>
39 #include <sys/errno.h>
40 #include <sys/fs/zfs.h>
41 #include <sys/policy.h>
42 #include <sys/zfs_znode.h>
43 #include <sys/zfs_fuid.h>
44 #include <sys/zfs_acl.h>
45 #include <sys/zfs_dir.h>
46 #include <sys/zfs_quota.h>
47 #include <sys/zfs_vfsops.h>
48 #include <sys/dmu.h>
49 #include <sys/dnode.h>
50 #include <sys/zap.h>
51 #include <sys/sa.h>
52 #include <sys/trace_acl.h>
53 #include <sys/zpl.h>
54
55 #define ALLOW ACE_ACCESS_ALLOWED_ACE_TYPE
56 #define DENY ACE_ACCESS_DENIED_ACE_TYPE
57 #define MAX_ACE_TYPE ACE_SYSTEM_ALARM_CALLBACK_OBJECT_ACE_TYPE
58 #define MIN_ACE_TYPE ALLOW
59
60 #define OWNING_GROUP (ACE_GROUP|ACE_IDENTIFIER_GROUP)
61 #define EVERYONE_ALLOW_MASK (ACE_READ_ACL|ACE_READ_ATTRIBUTES | \
62 ACE_READ_NAMED_ATTRS|ACE_SYNCHRONIZE)
63 #define EVERYONE_DENY_MASK (ACE_WRITE_ACL|ACE_WRITE_OWNER | \
64 ACE_WRITE_ATTRIBUTES|ACE_WRITE_NAMED_ATTRS)
65 #define OWNER_ALLOW_MASK (ACE_WRITE_ACL | ACE_WRITE_OWNER | \
66 ACE_WRITE_ATTRIBUTES|ACE_WRITE_NAMED_ATTRS)
67
68 #define ZFS_CHECKED_MASKS (ACE_READ_ACL|ACE_READ_ATTRIBUTES|ACE_READ_DATA| \
69 ACE_READ_NAMED_ATTRS|ACE_WRITE_DATA|ACE_WRITE_ATTRIBUTES| \
70 ACE_WRITE_NAMED_ATTRS|ACE_APPEND_DATA|ACE_EXECUTE|ACE_WRITE_OWNER| \
71 ACE_WRITE_ACL|ACE_DELETE|ACE_DELETE_CHILD|ACE_SYNCHRONIZE)
72
73 #define WRITE_MASK_DATA (ACE_WRITE_DATA|ACE_APPEND_DATA|ACE_WRITE_NAMED_ATTRS)
74 #define WRITE_MASK_ATTRS (ACE_WRITE_ACL|ACE_WRITE_OWNER|ACE_WRITE_ATTRIBUTES| \
75 ACE_DELETE|ACE_DELETE_CHILD)
76 #define WRITE_MASK (WRITE_MASK_DATA|WRITE_MASK_ATTRS)
77
78 #define OGE_CLEAR (ACE_READ_DATA|ACE_LIST_DIRECTORY|ACE_WRITE_DATA| \
79 ACE_ADD_FILE|ACE_APPEND_DATA|ACE_ADD_SUBDIRECTORY|ACE_EXECUTE)
80
81 #define OKAY_MASK_BITS (ACE_READ_DATA|ACE_LIST_DIRECTORY|ACE_WRITE_DATA| \
82 ACE_ADD_FILE|ACE_APPEND_DATA|ACE_ADD_SUBDIRECTORY|ACE_EXECUTE)
83
84 #define ALL_INHERIT (ACE_FILE_INHERIT_ACE|ACE_DIRECTORY_INHERIT_ACE | \
85 ACE_NO_PROPAGATE_INHERIT_ACE|ACE_INHERIT_ONLY_ACE|ACE_INHERITED_ACE)
86
87 #define RESTRICTED_CLEAR (ACE_WRITE_ACL|ACE_WRITE_OWNER)
88
89 #define V4_ACL_WIDE_FLAGS (ZFS_ACL_AUTO_INHERIT|ZFS_ACL_DEFAULTED|\
90 ZFS_ACL_PROTECTED)
91
92 #define ZFS_ACL_WIDE_FLAGS (V4_ACL_WIDE_FLAGS|ZFS_ACL_TRIVIAL|ZFS_INHERIT_ACE|\
93 ZFS_ACL_OBJ_ACE)
94
95 #define ALL_MODE_EXECS (S_IXUSR | S_IXGRP | S_IXOTH)
96
97 #define IDMAP_WK_CREATOR_OWNER_UID 2147483648U
98
99 static uint16_t
100 zfs_ace_v0_get_type(void *acep)
101 {
102 return (((zfs_oldace_t *)acep)->z_type);
103 }
104
105 static uint16_t
106 zfs_ace_v0_get_flags(void *acep)
107 {
108 return (((zfs_oldace_t *)acep)->z_flags);
109 }
110
111 static uint32_t
112 zfs_ace_v0_get_mask(void *acep)
113 {
114 return (((zfs_oldace_t *)acep)->z_access_mask);
115 }
116
117 static uint64_t
118 zfs_ace_v0_get_who(void *acep)
119 {
120 return (((zfs_oldace_t *)acep)->z_fuid);
121 }
122
123 static void
124 zfs_ace_v0_set_type(void *acep, uint16_t type)
125 {
126 ((zfs_oldace_t *)acep)->z_type = type;
127 }
128
129 static void
130 zfs_ace_v0_set_flags(void *acep, uint16_t flags)
131 {
132 ((zfs_oldace_t *)acep)->z_flags = flags;
133 }
134
135 static void
136 zfs_ace_v0_set_mask(void *acep, uint32_t mask)
137 {
138 ((zfs_oldace_t *)acep)->z_access_mask = mask;
139 }
140
141 static void
142 zfs_ace_v0_set_who(void *acep, uint64_t who)
143 {
144 ((zfs_oldace_t *)acep)->z_fuid = who;
145 }
146
147 static size_t
148 zfs_ace_v0_size(void *acep)
149 {
150 (void) acep;
151 return (sizeof (zfs_oldace_t));
152 }
153
154 static size_t
155 zfs_ace_v0_abstract_size(void)
156 {
157 return (sizeof (zfs_oldace_t));
158 }
159
160 static int
161 zfs_ace_v0_mask_off(void)
162 {
163 return (offsetof(zfs_oldace_t, z_access_mask));
164 }
165
166 static int
167 zfs_ace_v0_data(void *acep, void **datap)
168 {
169 (void) acep;
170 *datap = NULL;
171 return (0);
172 }
173
174 static const acl_ops_t zfs_acl_v0_ops = {
175 .ace_mask_get = zfs_ace_v0_get_mask,
176 .ace_mask_set = zfs_ace_v0_set_mask,
177 .ace_flags_get = zfs_ace_v0_get_flags,
178 .ace_flags_set = zfs_ace_v0_set_flags,
179 .ace_type_get = zfs_ace_v0_get_type,
180 .ace_type_set = zfs_ace_v0_set_type,
181 .ace_who_get = zfs_ace_v0_get_who,
182 .ace_who_set = zfs_ace_v0_set_who,
183 .ace_size = zfs_ace_v0_size,
184 .ace_abstract_size = zfs_ace_v0_abstract_size,
185 .ace_mask_off = zfs_ace_v0_mask_off,
186 .ace_data = zfs_ace_v0_data
187 };
188
189 static uint16_t
190 zfs_ace_fuid_get_type(void *acep)
191 {
192 return (((zfs_ace_hdr_t *)acep)->z_type);
193 }
194
195 static uint16_t
196 zfs_ace_fuid_get_flags(void *acep)
197 {
198 return (((zfs_ace_hdr_t *)acep)->z_flags);
199 }
200
201 static uint32_t
202 zfs_ace_fuid_get_mask(void *acep)
203 {
204 return (((zfs_ace_hdr_t *)acep)->z_access_mask);
205 }
206
207 static uint64_t
208 zfs_ace_fuid_get_who(void *args)
209 {
210 uint16_t entry_type;
211 zfs_ace_t *acep = args;
212
213 entry_type = acep->z_hdr.z_flags & ACE_TYPE_FLAGS;
214
215 if (entry_type == ACE_OWNER || entry_type == OWNING_GROUP ||
216 entry_type == ACE_EVERYONE)
217 return (-1);
218 return (((zfs_ace_t *)acep)->z_fuid);
219 }
220
221 static void
222 zfs_ace_fuid_set_type(void *acep, uint16_t type)
223 {
224 ((zfs_ace_hdr_t *)acep)->z_type = type;
225 }
226
227 static void
228 zfs_ace_fuid_set_flags(void *acep, uint16_t flags)
229 {
230 ((zfs_ace_hdr_t *)acep)->z_flags = flags;
231 }
232
233 static void
234 zfs_ace_fuid_set_mask(void *acep, uint32_t mask)
235 {
236 ((zfs_ace_hdr_t *)acep)->z_access_mask = mask;
237 }
238
239 static void
240 zfs_ace_fuid_set_who(void *arg, uint64_t who)
241 {
242 zfs_ace_t *acep = arg;
243
244 uint16_t entry_type = acep->z_hdr.z_flags & ACE_TYPE_FLAGS;
245
246 if (entry_type == ACE_OWNER || entry_type == OWNING_GROUP ||
247 entry_type == ACE_EVERYONE)
248 return;
249 acep->z_fuid = who;
250 }
251
252 static size_t
253 zfs_ace_fuid_size(void *acep)
254 {
255 zfs_ace_hdr_t *zacep = acep;
256 uint16_t entry_type;
257
258 switch (zacep->z_type) {
259 case ACE_ACCESS_ALLOWED_OBJECT_ACE_TYPE:
260 case ACE_ACCESS_DENIED_OBJECT_ACE_TYPE:
261 case ACE_SYSTEM_AUDIT_OBJECT_ACE_TYPE:
262 case ACE_SYSTEM_ALARM_OBJECT_ACE_TYPE:
263 return (sizeof (zfs_object_ace_t));
264 case ALLOW:
265 case DENY:
266 entry_type =
267 (((zfs_ace_hdr_t *)acep)->z_flags & ACE_TYPE_FLAGS);
268 if (entry_type == ACE_OWNER ||
269 entry_type == OWNING_GROUP ||
270 entry_type == ACE_EVERYONE)
271 return (sizeof (zfs_ace_hdr_t));
272 zfs_fallthrough;
273 default:
274 return (sizeof (zfs_ace_t));
275 }
276 }
277
278 static size_t
279 zfs_ace_fuid_abstract_size(void)
280 {
281 return (sizeof (zfs_ace_hdr_t));
282 }
283
284 static int
285 zfs_ace_fuid_mask_off(void)
286 {
287 return (offsetof(zfs_ace_hdr_t, z_access_mask));
288 }
289
290 static int
291 zfs_ace_fuid_data(void *acep, void **datap)
292 {
293 zfs_ace_t *zacep = acep;
294 zfs_object_ace_t *zobjp;
295
296 switch (zacep->z_hdr.z_type) {
297 case ACE_ACCESS_ALLOWED_OBJECT_ACE_TYPE:
298 case ACE_ACCESS_DENIED_OBJECT_ACE_TYPE:
299 case ACE_SYSTEM_AUDIT_OBJECT_ACE_TYPE:
300 case ACE_SYSTEM_ALARM_OBJECT_ACE_TYPE:
301 zobjp = acep;
302 *datap = (caddr_t)zobjp + sizeof (zfs_ace_t);
303 return (sizeof (zfs_object_ace_t) - sizeof (zfs_ace_t));
304 default:
305 *datap = NULL;
306 return (0);
307 }
308 }
309
310 static const acl_ops_t zfs_acl_fuid_ops = {
311 .ace_mask_get = zfs_ace_fuid_get_mask,
312 .ace_mask_set = zfs_ace_fuid_set_mask,
313 .ace_flags_get = zfs_ace_fuid_get_flags,
314 .ace_flags_set = zfs_ace_fuid_set_flags,
315 .ace_type_get = zfs_ace_fuid_get_type,
316 .ace_type_set = zfs_ace_fuid_set_type,
317 .ace_who_get = zfs_ace_fuid_get_who,
318 .ace_who_set = zfs_ace_fuid_set_who,
319 .ace_size = zfs_ace_fuid_size,
320 .ace_abstract_size = zfs_ace_fuid_abstract_size,
321 .ace_mask_off = zfs_ace_fuid_mask_off,
322 .ace_data = zfs_ace_fuid_data
323 };
324
325 /*
326 * The following three functions are provided for compatibility with
327 * older ZPL version in order to determine if the file use to have
328 * an external ACL and what version of ACL previously existed on the
329 * file. Would really be nice to not need this, sigh.
330 */
331 uint64_t
332 zfs_external_acl(znode_t *zp)
333 {
334 zfs_acl_phys_t acl_phys;
335 int error;
336
337 if (zp->z_is_sa)
338 return (0);
339
340 /*
341 * Need to deal with a potential
342 * race where zfs_sa_upgrade could cause
343 * z_isa_sa to change.
344 *
345 * If the lookup fails then the state of z_is_sa should have
346 * changed.
347 */
348
349 if ((error = sa_lookup(zp->z_sa_hdl, SA_ZPL_ZNODE_ACL(ZTOZSB(zp)),
350 &acl_phys, sizeof (acl_phys))) == 0)
351 return (acl_phys.z_acl_extern_obj);
352 else {
353 /*
354 * after upgrade the SA_ZPL_ZNODE_ACL should have been
355 * removed
356 */
357 VERIFY(zp->z_is_sa && error == ENOENT);
358 return (0);
359 }
360 }
361
362 /*
363 * Determine size of ACL in bytes
364 *
365 * This is more complicated than it should be since we have to deal
366 * with old external ACLs.
367 */
368 static int
369 zfs_acl_znode_info(znode_t *zp, int *aclsize, int *aclcount,
370 zfs_acl_phys_t *aclphys)
371 {
372 zfsvfs_t *zfsvfs = ZTOZSB(zp);
373 uint64_t acl_count;
374 int size;
375 int error;
376
377 ASSERT(MUTEX_HELD(&zp->z_acl_lock));
378 if (zp->z_is_sa) {
379 if ((error = sa_size(zp->z_sa_hdl, SA_ZPL_DACL_ACES(zfsvfs),
380 &size)) != 0)
381 return (error);
382 *aclsize = size;
383 if ((error = sa_lookup(zp->z_sa_hdl, SA_ZPL_DACL_COUNT(zfsvfs),
384 &acl_count, sizeof (acl_count))) != 0)
385 return (error);
386 *aclcount = acl_count;
387 } else {
388 if ((error = sa_lookup(zp->z_sa_hdl, SA_ZPL_ZNODE_ACL(zfsvfs),
389 aclphys, sizeof (*aclphys))) != 0)
390 return (error);
391
392 if (aclphys->z_acl_version == ZFS_ACL_VERSION_INITIAL) {
393 *aclsize = ZFS_ACL_SIZE(aclphys->z_acl_size);
394 *aclcount = aclphys->z_acl_size;
395 } else {
396 *aclsize = aclphys->z_acl_size;
397 *aclcount = aclphys->z_acl_count;
398 }
399 }
400 return (0);
401 }
402
403 int
404 zfs_znode_acl_version(znode_t *zp)
405 {
406 zfs_acl_phys_t acl_phys;
407
408 if (zp->z_is_sa)
409 return (ZFS_ACL_VERSION_FUID);
410 else {
411 int error;
412
413 /*
414 * Need to deal with a potential
415 * race where zfs_sa_upgrade could cause
416 * z_isa_sa to change.
417 *
418 * If the lookup fails then the state of z_is_sa should have
419 * changed.
420 */
421 if ((error = sa_lookup(zp->z_sa_hdl,
422 SA_ZPL_ZNODE_ACL(ZTOZSB(zp)),
423 &acl_phys, sizeof (acl_phys))) == 0)
424 return (acl_phys.z_acl_version);
425 else {
426 /*
427 * After upgrade SA_ZPL_ZNODE_ACL should have
428 * been removed.
429 */
430 VERIFY(zp->z_is_sa && error == ENOENT);
431 return (ZFS_ACL_VERSION_FUID);
432 }
433 }
434 }
435
436 static int
437 zfs_acl_version(int version)
438 {
439 if (version < ZPL_VERSION_FUID)
440 return (ZFS_ACL_VERSION_INITIAL);
441 else
442 return (ZFS_ACL_VERSION_FUID);
443 }
444
445 static int
446 zfs_acl_version_zp(znode_t *zp)
447 {
448 return (zfs_acl_version(ZTOZSB(zp)->z_version));
449 }
450
451 zfs_acl_t *
452 zfs_acl_alloc(int vers)
453 {
454 zfs_acl_t *aclp;
455
456 aclp = kmem_zalloc(sizeof (zfs_acl_t), KM_SLEEP);
457 list_create(&aclp->z_acl, sizeof (zfs_acl_node_t),
458 offsetof(zfs_acl_node_t, z_next));
459 aclp->z_version = vers;
460 if (vers == ZFS_ACL_VERSION_FUID)
461 aclp->z_ops = &zfs_acl_fuid_ops;
462 else
463 aclp->z_ops = &zfs_acl_v0_ops;
464 return (aclp);
465 }
466
467 zfs_acl_node_t *
468 zfs_acl_node_alloc(size_t bytes)
469 {
470 zfs_acl_node_t *aclnode;
471
472 aclnode = kmem_zalloc(sizeof (zfs_acl_node_t), KM_SLEEP);
473 if (bytes) {
474 aclnode->z_acldata = kmem_zalloc(bytes, KM_SLEEP);
475 aclnode->z_allocdata = aclnode->z_acldata;
476 aclnode->z_allocsize = bytes;
477 aclnode->z_size = bytes;
478 }
479
480 return (aclnode);
481 }
482
483 static void
484 zfs_acl_node_free(zfs_acl_node_t *aclnode)
485 {
486 if (aclnode->z_allocsize)
487 kmem_free(aclnode->z_allocdata, aclnode->z_allocsize);
488 kmem_free(aclnode, sizeof (zfs_acl_node_t));
489 }
490
491 static void
492 zfs_acl_release_nodes(zfs_acl_t *aclp)
493 {
494 zfs_acl_node_t *aclnode;
495
496 while ((aclnode = list_remove_head(&aclp->z_acl)))
497 zfs_acl_node_free(aclnode);
498 aclp->z_acl_count = 0;
499 aclp->z_acl_bytes = 0;
500 }
501
502 void
503 zfs_acl_free(zfs_acl_t *aclp)
504 {
505 zfs_acl_release_nodes(aclp);
506 list_destroy(&aclp->z_acl);
507 kmem_free(aclp, sizeof (zfs_acl_t));
508 }
509
510 static boolean_t
511 zfs_acl_valid_ace_type(uint_t type, uint_t flags)
512 {
513 uint16_t entry_type;
514
515 switch (type) {
516 case ALLOW:
517 case DENY:
518 case ACE_SYSTEM_AUDIT_ACE_TYPE:
519 case ACE_SYSTEM_ALARM_ACE_TYPE:
520 entry_type = flags & ACE_TYPE_FLAGS;
521 return (entry_type == ACE_OWNER ||
522 entry_type == OWNING_GROUP ||
523 entry_type == ACE_EVERYONE || entry_type == 0 ||
524 entry_type == ACE_IDENTIFIER_GROUP);
525 default:
526 if (type <= MAX_ACE_TYPE)
527 return (B_TRUE);
528 }
529 return (B_FALSE);
530 }
531
532 static boolean_t
533 zfs_ace_valid(umode_t obj_mode, zfs_acl_t *aclp, uint16_t type, uint16_t iflags)
534 {
535 /*
536 * first check type of entry
537 */
538
539 if (!zfs_acl_valid_ace_type(type, iflags))
540 return (B_FALSE);
541
542 switch (type) {
543 case ACE_ACCESS_ALLOWED_OBJECT_ACE_TYPE:
544 case ACE_ACCESS_DENIED_OBJECT_ACE_TYPE:
545 case ACE_SYSTEM_AUDIT_OBJECT_ACE_TYPE:
546 case ACE_SYSTEM_ALARM_OBJECT_ACE_TYPE:
547 if (aclp->z_version < ZFS_ACL_VERSION_FUID)
548 return (B_FALSE);
549 aclp->z_hints |= ZFS_ACL_OBJ_ACE;
550 }
551
552 /*
553 * next check inheritance level flags
554 */
555
556 if (S_ISDIR(obj_mode) &&
557 (iflags & (ACE_FILE_INHERIT_ACE|ACE_DIRECTORY_INHERIT_ACE)))
558 aclp->z_hints |= ZFS_INHERIT_ACE;
559
560 if (iflags & (ACE_INHERIT_ONLY_ACE|ACE_NO_PROPAGATE_INHERIT_ACE)) {
561 if ((iflags & (ACE_FILE_INHERIT_ACE|
562 ACE_DIRECTORY_INHERIT_ACE)) == 0) {
563 return (B_FALSE);
564 }
565 }
566
567 return (B_TRUE);
568 }
569
570 static void *
571 zfs_acl_next_ace(zfs_acl_t *aclp, void *start, uint64_t *who,
572 uint32_t *access_mask, uint16_t *iflags, uint16_t *type)
573 {
574 zfs_acl_node_t *aclnode;
575
576 ASSERT(aclp);
577
578 if (start == NULL) {
579 aclnode = list_head(&aclp->z_acl);
580 if (aclnode == NULL)
581 return (NULL);
582
583 aclp->z_next_ace = aclnode->z_acldata;
584 aclp->z_curr_node = aclnode;
585 aclnode->z_ace_idx = 0;
586 }
587
588 aclnode = aclp->z_curr_node;
589
590 if (aclnode == NULL)
591 return (NULL);
592
593 if (aclnode->z_ace_idx >= aclnode->z_ace_count) {
594 aclnode = list_next(&aclp->z_acl, aclnode);
595 if (aclnode == NULL)
596 return (NULL);
597 else {
598 aclp->z_curr_node = aclnode;
599 aclnode->z_ace_idx = 0;
600 aclp->z_next_ace = aclnode->z_acldata;
601 }
602 }
603
604 if (aclnode->z_ace_idx < aclnode->z_ace_count) {
605 void *acep = aclp->z_next_ace;
606 size_t ace_size;
607
608 /*
609 * Make sure we don't overstep our bounds
610 */
611 ace_size = aclp->z_ops->ace_size(acep);
612
613 if (((caddr_t)acep + ace_size) >
614 ((caddr_t)aclnode->z_acldata + aclnode->z_size)) {
615 return (NULL);
616 }
617
618 *iflags = aclp->z_ops->ace_flags_get(acep);
619 *type = aclp->z_ops->ace_type_get(acep);
620 *access_mask = aclp->z_ops->ace_mask_get(acep);
621 *who = aclp->z_ops->ace_who_get(acep);
622 aclp->z_next_ace = (caddr_t)aclp->z_next_ace + ace_size;
623 aclnode->z_ace_idx++;
624
625 return ((void *)acep);
626 }
627 return (NULL);
628 }
629
630 static uintptr_t
631 zfs_ace_walk(void *datap, uintptr_t cookie, int aclcnt,
632 uint16_t *flags, uint16_t *type, uint32_t *mask)
633 {
634 (void) aclcnt;
635 zfs_acl_t *aclp = datap;
636 zfs_ace_hdr_t *acep = (zfs_ace_hdr_t *)cookie;
637 uint64_t who;
638
639 acep = zfs_acl_next_ace(aclp, acep, &who, mask,
640 flags, type);
641 return ((uintptr_t)acep);
642 }
643
644 /*
645 * Copy ACE to internal ZFS format.
646 * While processing the ACL each ACE will be validated for correctness.
647 * ACE FUIDs will be created later.
648 */
649 static int
650 zfs_copy_ace_2_fuid(zfsvfs_t *zfsvfs, umode_t obj_mode, zfs_acl_t *aclp,
651 void *datap, zfs_ace_t *z_acl, uint64_t aclcnt, size_t *size,
652 zfs_fuid_info_t **fuidp, cred_t *cr)
653 {
654 int i;
655 uint16_t entry_type;
656 zfs_ace_t *aceptr = z_acl;
657 ace_t *acep = datap;
658 zfs_object_ace_t *zobjacep;
659 ace_object_t *aceobjp;
660
661 for (i = 0; i != aclcnt; i++) {
662 aceptr->z_hdr.z_access_mask = acep->a_access_mask;
663 aceptr->z_hdr.z_flags = acep->a_flags;
664 aceptr->z_hdr.z_type = acep->a_type;
665 entry_type = aceptr->z_hdr.z_flags & ACE_TYPE_FLAGS;
666 if (entry_type != ACE_OWNER && entry_type != OWNING_GROUP &&
667 entry_type != ACE_EVERYONE) {
668 aceptr->z_fuid = zfs_fuid_create(zfsvfs, acep->a_who,
669 cr, (entry_type == 0) ?
670 ZFS_ACE_USER : ZFS_ACE_GROUP, fuidp);
671 }
672
673 /*
674 * Make sure ACE is valid
675 */
676 if (zfs_ace_valid(obj_mode, aclp, aceptr->z_hdr.z_type,
677 aceptr->z_hdr.z_flags) != B_TRUE)
678 return (SET_ERROR(EINVAL));
679
680 switch (acep->a_type) {
681 case ACE_ACCESS_ALLOWED_OBJECT_ACE_TYPE:
682 case ACE_ACCESS_DENIED_OBJECT_ACE_TYPE:
683 case ACE_SYSTEM_AUDIT_OBJECT_ACE_TYPE:
684 case ACE_SYSTEM_ALARM_OBJECT_ACE_TYPE:
685 zobjacep = (zfs_object_ace_t *)aceptr;
686 aceobjp = (ace_object_t *)acep;
687
688 memcpy(zobjacep->z_object_type, aceobjp->a_obj_type,
689 sizeof (aceobjp->a_obj_type));
690 memcpy(zobjacep->z_inherit_type,
691 aceobjp->a_inherit_obj_type,
692 sizeof (aceobjp->a_inherit_obj_type));
693 acep = (ace_t *)((caddr_t)acep + sizeof (ace_object_t));
694 break;
695 default:
696 acep = (ace_t *)((caddr_t)acep + sizeof (ace_t));
697 }
698
699 aceptr = (zfs_ace_t *)((caddr_t)aceptr +
700 aclp->z_ops->ace_size(aceptr));
701 }
702
703 *size = (caddr_t)aceptr - (caddr_t)z_acl;
704
705 return (0);
706 }
707
708 /*
709 * Copy ZFS ACEs to fixed size ace_t layout
710 */
711 static void
712 zfs_copy_fuid_2_ace(zfsvfs_t *zfsvfs, zfs_acl_t *aclp, cred_t *cr,
713 void *datap, int filter)
714 {
715 uint64_t who;
716 uint32_t access_mask;
717 uint16_t iflags, type;
718 zfs_ace_hdr_t *zacep = NULL;
719 ace_t *acep = datap;
720 ace_object_t *objacep;
721 zfs_object_ace_t *zobjacep;
722 size_t ace_size;
723 uint16_t entry_type;
724
725 while ((zacep = zfs_acl_next_ace(aclp, zacep,
726 &who, &access_mask, &iflags, &type))) {
727
728 switch (type) {
729 case ACE_ACCESS_ALLOWED_OBJECT_ACE_TYPE:
730 case ACE_ACCESS_DENIED_OBJECT_ACE_TYPE:
731 case ACE_SYSTEM_AUDIT_OBJECT_ACE_TYPE:
732 case ACE_SYSTEM_ALARM_OBJECT_ACE_TYPE:
733 if (filter) {
734 continue;
735 }
736 zobjacep = (zfs_object_ace_t *)zacep;
737 objacep = (ace_object_t *)acep;
738 memcpy(objacep->a_obj_type,
739 zobjacep->z_object_type,
740 sizeof (zobjacep->z_object_type));
741 memcpy(objacep->a_inherit_obj_type,
742 zobjacep->z_inherit_type,
743 sizeof (zobjacep->z_inherit_type));
744 ace_size = sizeof (ace_object_t);
745 break;
746 default:
747 ace_size = sizeof (ace_t);
748 break;
749 }
750
751 entry_type = (iflags & ACE_TYPE_FLAGS);
752 if ((entry_type != ACE_OWNER &&
753 entry_type != OWNING_GROUP &&
754 entry_type != ACE_EVERYONE)) {
755 acep->a_who = zfs_fuid_map_id(zfsvfs, who,
756 cr, (entry_type & ACE_IDENTIFIER_GROUP) ?
757 ZFS_ACE_GROUP : ZFS_ACE_USER);
758 } else {
759 acep->a_who = (uid_t)(int64_t)who;
760 }
761 acep->a_access_mask = access_mask;
762 acep->a_flags = iflags;
763 acep->a_type = type;
764 acep = (ace_t *)((caddr_t)acep + ace_size);
765 }
766 }
767
768 static int
769 zfs_copy_ace_2_oldace(umode_t obj_mode, zfs_acl_t *aclp, ace_t *acep,
770 zfs_oldace_t *z_acl, int aclcnt, size_t *size)
771 {
772 int i;
773 zfs_oldace_t *aceptr = z_acl;
774
775 for (i = 0; i != aclcnt; i++, aceptr++) {
776 aceptr->z_access_mask = acep[i].a_access_mask;
777 aceptr->z_type = acep[i].a_type;
778 aceptr->z_flags = acep[i].a_flags;
779 aceptr->z_fuid = acep[i].a_who;
780 /*
781 * Make sure ACE is valid
782 */
783 if (zfs_ace_valid(obj_mode, aclp, aceptr->z_type,
784 aceptr->z_flags) != B_TRUE)
785 return (SET_ERROR(EINVAL));
786 }
787 *size = (caddr_t)aceptr - (caddr_t)z_acl;
788 return (0);
789 }
790
791 /*
792 * convert old ACL format to new
793 */
794 void
795 zfs_acl_xform(znode_t *zp, zfs_acl_t *aclp, cred_t *cr)
796 {
797 zfs_oldace_t *oldaclp;
798 int i;
799 uint16_t type, iflags;
800 uint32_t access_mask;
801 uint64_t who;
802 void *cookie = NULL;
803 zfs_acl_node_t *newaclnode;
804
805 ASSERT(aclp->z_version == ZFS_ACL_VERSION_INITIAL);
806 /*
807 * First create the ACE in a contiguous piece of memory
808 * for zfs_copy_ace_2_fuid().
809 *
810 * We only convert an ACL once, so this won't happen
811 * every time.
812 */
813 oldaclp = kmem_alloc(sizeof (zfs_oldace_t) * aclp->z_acl_count,
814 KM_SLEEP);
815 i = 0;
816 while ((cookie = zfs_acl_next_ace(aclp, cookie, &who,
817 &access_mask, &iflags, &type))) {
818 oldaclp[i].z_flags = iflags;
819 oldaclp[i].z_type = type;
820 oldaclp[i].z_fuid = who;
821 oldaclp[i++].z_access_mask = access_mask;
822 }
823
824 newaclnode = zfs_acl_node_alloc(aclp->z_acl_count *
825 sizeof (zfs_object_ace_t));
826 aclp->z_ops = &zfs_acl_fuid_ops;
827 VERIFY(zfs_copy_ace_2_fuid(ZTOZSB(zp), ZTOI(zp)->i_mode,
828 aclp, oldaclp, newaclnode->z_acldata, aclp->z_acl_count,
829 &newaclnode->z_size, NULL, cr) == 0);
830 newaclnode->z_ace_count = aclp->z_acl_count;
831 aclp->z_version = ZFS_ACL_VERSION;
832 kmem_free(oldaclp, aclp->z_acl_count * sizeof (zfs_oldace_t));
833
834 /*
835 * Release all previous ACL nodes
836 */
837
838 zfs_acl_release_nodes(aclp);
839
840 list_insert_head(&aclp->z_acl, newaclnode);
841
842 aclp->z_acl_bytes = newaclnode->z_size;
843 aclp->z_acl_count = newaclnode->z_ace_count;
844
845 }
846
847 /*
848 * Convert unix access mask to v4 access mask
849 */
850 static uint32_t
851 zfs_unix_to_v4(uint32_t access_mask)
852 {
853 uint32_t new_mask = 0;
854
855 if (access_mask & S_IXOTH)
856 new_mask |= ACE_EXECUTE;
857 if (access_mask & S_IWOTH)
858 new_mask |= ACE_WRITE_DATA;
859 if (access_mask & S_IROTH)
860 new_mask |= ACE_READ_DATA;
861 return (new_mask);
862 }
863
864
865 static int
866 zfs_v4_to_unix(uint32_t access_mask, int *unmapped)
867 {
868 int new_mask = 0;
869
870 *unmapped = access_mask &
871 (ACE_WRITE_OWNER | ACE_WRITE_ACL | ACE_DELETE);
872
873 if (access_mask & WRITE_MASK)
874 new_mask |= S_IWOTH;
875 if (access_mask & ACE_READ_DATA)
876 new_mask |= S_IROTH;
877 if (access_mask & ACE_EXECUTE)
878 new_mask |= S_IXOTH;
879
880 return (new_mask);
881 }
882
883
884 static void
885 zfs_set_ace(zfs_acl_t *aclp, void *acep, uint32_t access_mask,
886 uint16_t access_type, uint64_t fuid, uint16_t entry_type)
887 {
888 uint16_t type = entry_type & ACE_TYPE_FLAGS;
889
890 aclp->z_ops->ace_mask_set(acep, access_mask);
891 aclp->z_ops->ace_type_set(acep, access_type);
892 aclp->z_ops->ace_flags_set(acep, entry_type);
893 if ((type != ACE_OWNER && type != OWNING_GROUP &&
894 type != ACE_EVERYONE))
895 aclp->z_ops->ace_who_set(acep, fuid);
896 }
897
898 /*
899 * Determine mode of file based on ACL.
900 */
901 uint64_t
902 zfs_mode_compute(uint64_t fmode, zfs_acl_t *aclp,
903 uint64_t *pflags, uint64_t fuid, uint64_t fgid)
904 {
905 int entry_type;
906 mode_t mode;
907 mode_t seen = 0;
908 zfs_ace_hdr_t *acep = NULL;
909 uint64_t who;
910 uint16_t iflags, type;
911 uint32_t access_mask;
912 boolean_t an_exec_denied = B_FALSE;
913
914 mode = (fmode & (S_IFMT | S_ISUID | S_ISGID | S_ISVTX));
915
916 while ((acep = zfs_acl_next_ace(aclp, acep, &who,
917 &access_mask, &iflags, &type))) {
918
919 if (!zfs_acl_valid_ace_type(type, iflags))
920 continue;
921
922 entry_type = (iflags & ACE_TYPE_FLAGS);
923
924 /*
925 * Skip over any inherit_only ACEs
926 */
927 if (iflags & ACE_INHERIT_ONLY_ACE)
928 continue;
929
930 if (entry_type == ACE_OWNER || (entry_type == 0 &&
931 who == fuid)) {
932 if ((access_mask & ACE_READ_DATA) &&
933 (!(seen & S_IRUSR))) {
934 seen |= S_IRUSR;
935 if (type == ALLOW) {
936 mode |= S_IRUSR;
937 }
938 }
939 if ((access_mask & ACE_WRITE_DATA) &&
940 (!(seen & S_IWUSR))) {
941 seen |= S_IWUSR;
942 if (type == ALLOW) {
943 mode |= S_IWUSR;
944 }
945 }
946 if ((access_mask & ACE_EXECUTE) &&
947 (!(seen & S_IXUSR))) {
948 seen |= S_IXUSR;
949 if (type == ALLOW) {
950 mode |= S_IXUSR;
951 }
952 }
953 } else if (entry_type == OWNING_GROUP ||
954 (entry_type == ACE_IDENTIFIER_GROUP && who == fgid)) {
955 if ((access_mask & ACE_READ_DATA) &&
956 (!(seen & S_IRGRP))) {
957 seen |= S_IRGRP;
958 if (type == ALLOW) {
959 mode |= S_IRGRP;
960 }
961 }
962 if ((access_mask & ACE_WRITE_DATA) &&
963 (!(seen & S_IWGRP))) {
964 seen |= S_IWGRP;
965 if (type == ALLOW) {
966 mode |= S_IWGRP;
967 }
968 }
969 if ((access_mask & ACE_EXECUTE) &&
970 (!(seen & S_IXGRP))) {
971 seen |= S_IXGRP;
972 if (type == ALLOW) {
973 mode |= S_IXGRP;
974 }
975 }
976 } else if (entry_type == ACE_EVERYONE) {
977 if ((access_mask & ACE_READ_DATA)) {
978 if (!(seen & S_IRUSR)) {
979 seen |= S_IRUSR;
980 if (type == ALLOW) {
981 mode |= S_IRUSR;
982 }
983 }
984 if (!(seen & S_IRGRP)) {
985 seen |= S_IRGRP;
986 if (type == ALLOW) {
987 mode |= S_IRGRP;
988 }
989 }
990 if (!(seen & S_IROTH)) {
991 seen |= S_IROTH;
992 if (type == ALLOW) {
993 mode |= S_IROTH;
994 }
995 }
996 }
997 if ((access_mask & ACE_WRITE_DATA)) {
998 if (!(seen & S_IWUSR)) {
999 seen |= S_IWUSR;
1000 if (type == ALLOW) {
1001 mode |= S_IWUSR;
1002 }
1003 }
1004 if (!(seen & S_IWGRP)) {
1005 seen |= S_IWGRP;
1006 if (type == ALLOW) {
1007 mode |= S_IWGRP;
1008 }
1009 }
1010 if (!(seen & S_IWOTH)) {
1011 seen |= S_IWOTH;
1012 if (type == ALLOW) {
1013 mode |= S_IWOTH;
1014 }
1015 }
1016 }
1017 if ((access_mask & ACE_EXECUTE)) {
1018 if (!(seen & S_IXUSR)) {
1019 seen |= S_IXUSR;
1020 if (type == ALLOW) {
1021 mode |= S_IXUSR;
1022 }
1023 }
1024 if (!(seen & S_IXGRP)) {
1025 seen |= S_IXGRP;
1026 if (type == ALLOW) {
1027 mode |= S_IXGRP;
1028 }
1029 }
1030 if (!(seen & S_IXOTH)) {
1031 seen |= S_IXOTH;
1032 if (type == ALLOW) {
1033 mode |= S_IXOTH;
1034 }
1035 }
1036 }
1037 } else {
1038 /*
1039 * Only care if this IDENTIFIER_GROUP or
1040 * USER ACE denies execute access to someone,
1041 * mode is not affected
1042 */
1043 if ((access_mask & ACE_EXECUTE) && type == DENY)
1044 an_exec_denied = B_TRUE;
1045 }
1046 }
1047
1048 /*
1049 * Failure to allow is effectively a deny, so execute permission
1050 * is denied if it was never mentioned or if we explicitly
1051 * weren't allowed it.
1052 */
1053 if (!an_exec_denied &&
1054 ((seen & ALL_MODE_EXECS) != ALL_MODE_EXECS ||
1055 (mode & ALL_MODE_EXECS) != ALL_MODE_EXECS))
1056 an_exec_denied = B_TRUE;
1057
1058 if (an_exec_denied)
1059 *pflags &= ~ZFS_NO_EXECS_DENIED;
1060 else
1061 *pflags |= ZFS_NO_EXECS_DENIED;
1062
1063 return (mode);
1064 }
1065
1066 /*
1067 * Read an external acl object. If the intent is to modify, always
1068 * create a new acl and leave any cached acl in place.
1069 */
1070 int
1071 zfs_acl_node_read(struct znode *zp, boolean_t have_lock, zfs_acl_t **aclpp,
1072 boolean_t will_modify)
1073 {
1074 zfs_acl_t *aclp;
1075 int aclsize = 0;
1076 int acl_count = 0;
1077 zfs_acl_node_t *aclnode;
1078 zfs_acl_phys_t znode_acl;
1079 int version;
1080 int error;
1081 boolean_t drop_lock = B_FALSE;
1082
1083 ASSERT(MUTEX_HELD(&zp->z_acl_lock));
1084
1085 if (zp->z_acl_cached && !will_modify) {
1086 *aclpp = zp->z_acl_cached;
1087 return (0);
1088 }
1089
1090 /*
1091 * close race where znode could be upgrade while trying to
1092 * read the znode attributes.
1093 *
1094 * But this could only happen if the file isn't already an SA
1095 * znode
1096 */
1097 if (!zp->z_is_sa && !have_lock) {
1098 mutex_enter(&zp->z_lock);
1099 drop_lock = B_TRUE;
1100 }
1101 version = zfs_znode_acl_version(zp);
1102
1103 if ((error = zfs_acl_znode_info(zp, &aclsize,
1104 &acl_count, &znode_acl)) != 0) {
1105 goto done;
1106 }
1107
1108 aclp = zfs_acl_alloc(version);
1109
1110 aclp->z_acl_count = acl_count;
1111 aclp->z_acl_bytes = aclsize;
1112
1113 aclnode = zfs_acl_node_alloc(aclsize);
1114 aclnode->z_ace_count = aclp->z_acl_count;
1115 aclnode->z_size = aclsize;
1116
1117 if (!zp->z_is_sa) {
1118 if (znode_acl.z_acl_extern_obj) {
1119 error = dmu_read(ZTOZSB(zp)->z_os,
1120 znode_acl.z_acl_extern_obj, 0, aclnode->z_size,
1121 aclnode->z_acldata, DMU_READ_PREFETCH);
1122 } else {
1123 memcpy(aclnode->z_acldata, znode_acl.z_ace_data,
1124 aclnode->z_size);
1125 }
1126 } else {
1127 error = sa_lookup(zp->z_sa_hdl, SA_ZPL_DACL_ACES(ZTOZSB(zp)),
1128 aclnode->z_acldata, aclnode->z_size);
1129 }
1130
1131 if (error != 0) {
1132 zfs_acl_free(aclp);
1133 zfs_acl_node_free(aclnode);
1134 /* convert checksum errors into IO errors */
1135 if (error == ECKSUM)
1136 error = SET_ERROR(EIO);
1137 goto done;
1138 }
1139
1140 list_insert_head(&aclp->z_acl, aclnode);
1141
1142 *aclpp = aclp;
1143 if (!will_modify)
1144 zp->z_acl_cached = aclp;
1145 done:
1146 if (drop_lock)
1147 mutex_exit(&zp->z_lock);
1148 return (error);
1149 }
1150
1151 void
1152 zfs_acl_data_locator(void **dataptr, uint32_t *length, uint32_t buflen,
1153 boolean_t start, void *userdata)
1154 {
1155 (void) buflen;
1156 zfs_acl_locator_cb_t *cb = (zfs_acl_locator_cb_t *)userdata;
1157
1158 if (start) {
1159 cb->cb_acl_node = list_head(&cb->cb_aclp->z_acl);
1160 } else {
1161 cb->cb_acl_node = list_next(&cb->cb_aclp->z_acl,
1162 cb->cb_acl_node);
1163 }
1164 ASSERT3P(cb->cb_acl_node, !=, NULL);
1165 *dataptr = cb->cb_acl_node->z_acldata;
1166 *length = cb->cb_acl_node->z_size;
1167 }
1168
1169 int
1170 zfs_acl_chown_setattr(znode_t *zp)
1171 {
1172 int error;
1173 zfs_acl_t *aclp;
1174
1175 if (ZTOZSB(zp)->z_acl_type == ZFS_ACLTYPE_POSIX)
1176 return (0);
1177
1178 ASSERT(MUTEX_HELD(&zp->z_lock));
1179 ASSERT(MUTEX_HELD(&zp->z_acl_lock));
1180
1181 error = zfs_acl_node_read(zp, B_TRUE, &aclp, B_FALSE);
1182 if (error == 0 && aclp->z_acl_count > 0)
1183 zp->z_mode = ZTOI(zp)->i_mode =
1184 zfs_mode_compute(zp->z_mode, aclp,
1185 &zp->z_pflags, KUID_TO_SUID(ZTOI(zp)->i_uid),
1186 KGID_TO_SGID(ZTOI(zp)->i_gid));
1187
1188 /*
1189 * Some ZFS implementations (ZEVO) create neither a ZNODE_ACL
1190 * nor a DACL_ACES SA in which case ENOENT is returned from
1191 * zfs_acl_node_read() when the SA can't be located.
1192 * Allow chown/chgrp to succeed in these cases rather than
1193 * returning an error that makes no sense in the context of
1194 * the caller.
1195 */
1196 if (error == ENOENT)
1197 return (0);
1198
1199 return (error);
1200 }
1201
1202 typedef struct trivial_acl {
1203 uint32_t allow0; /* allow mask for bits only in owner */
1204 uint32_t deny1; /* deny mask for bits not in owner */
1205 uint32_t deny2; /* deny mask for bits not in group */
1206 uint32_t owner; /* allow mask matching mode */
1207 uint32_t group; /* allow mask matching mode */
1208 uint32_t everyone; /* allow mask matching mode */
1209 } trivial_acl_t;
1210
1211 static void
1212 acl_trivial_access_masks(mode_t mode, boolean_t isdir, trivial_acl_t *masks)
1213 {
1214 uint32_t read_mask = ACE_READ_DATA;
1215 uint32_t write_mask = ACE_WRITE_DATA|ACE_APPEND_DATA;
1216 uint32_t execute_mask = ACE_EXECUTE;
1217
1218 if (isdir)
1219 write_mask |= ACE_DELETE_CHILD;
1220
1221 masks->deny1 = 0;
1222
1223 if (!(mode & S_IRUSR) && (mode & (S_IRGRP|S_IROTH)))
1224 masks->deny1 |= read_mask;
1225 if (!(mode & S_IWUSR) && (mode & (S_IWGRP|S_IWOTH)))
1226 masks->deny1 |= write_mask;
1227 if (!(mode & S_IXUSR) && (mode & (S_IXGRP|S_IXOTH)))
1228 masks->deny1 |= execute_mask;
1229
1230 masks->deny2 = 0;
1231 if (!(mode & S_IRGRP) && (mode & S_IROTH))
1232 masks->deny2 |= read_mask;
1233 if (!(mode & S_IWGRP) && (mode & S_IWOTH))
1234 masks->deny2 |= write_mask;
1235 if (!(mode & S_IXGRP) && (mode & S_IXOTH))
1236 masks->deny2 |= execute_mask;
1237
1238 masks->allow0 = 0;
1239 if ((mode & S_IRUSR) && (!(mode & S_IRGRP) && (mode & S_IROTH)))
1240 masks->allow0 |= read_mask;
1241 if ((mode & S_IWUSR) && (!(mode & S_IWGRP) && (mode & S_IWOTH)))
1242 masks->allow0 |= write_mask;
1243 if ((mode & S_IXUSR) && (!(mode & S_IXGRP) && (mode & S_IXOTH)))
1244 masks->allow0 |= execute_mask;
1245
1246 masks->owner = ACE_WRITE_ATTRIBUTES|ACE_WRITE_OWNER|ACE_WRITE_ACL|
1247 ACE_WRITE_NAMED_ATTRS|ACE_READ_ACL|ACE_READ_ATTRIBUTES|
1248 ACE_READ_NAMED_ATTRS|ACE_SYNCHRONIZE;
1249 if (mode & S_IRUSR)
1250 masks->owner |= read_mask;
1251 if (mode & S_IWUSR)
1252 masks->owner |= write_mask;
1253 if (mode & S_IXUSR)
1254 masks->owner |= execute_mask;
1255
1256 masks->group = ACE_READ_ACL|ACE_READ_ATTRIBUTES|ACE_READ_NAMED_ATTRS|
1257 ACE_SYNCHRONIZE;
1258 if (mode & S_IRGRP)
1259 masks->group |= read_mask;
1260 if (mode & S_IWGRP)
1261 masks->group |= write_mask;
1262 if (mode & S_IXGRP)
1263 masks->group |= execute_mask;
1264
1265 masks->everyone = ACE_READ_ACL|ACE_READ_ATTRIBUTES|ACE_READ_NAMED_ATTRS|
1266 ACE_SYNCHRONIZE;
1267 if (mode & S_IROTH)
1268 masks->everyone |= read_mask;
1269 if (mode & S_IWOTH)
1270 masks->everyone |= write_mask;
1271 if (mode & S_IXOTH)
1272 masks->everyone |= execute_mask;
1273 }
1274
1275 /*
1276 * ace_trivial:
1277 * determine whether an ace_t acl is trivial
1278 *
1279 * Trivialness implies that the acl is composed of only
1280 * owner, group, everyone entries. ACL can't
1281 * have read_acl denied, and write_owner/write_acl/write_attributes
1282 * can only be owner@ entry.
1283 */
1284 static int
1285 ace_trivial_common(void *acep, int aclcnt,
1286 uintptr_t (*walk)(void *, uintptr_t, int,
1287 uint16_t *, uint16_t *, uint32_t *))
1288 {
1289 uint16_t flags;
1290 uint32_t mask;
1291 uint16_t type;
1292 uint64_t cookie = 0;
1293
1294 while ((cookie = walk(acep, cookie, aclcnt, &flags, &type, &mask))) {
1295 switch (flags & ACE_TYPE_FLAGS) {
1296 case ACE_OWNER:
1297 case ACE_GROUP|ACE_IDENTIFIER_GROUP:
1298 case ACE_EVERYONE:
1299 break;
1300 default:
1301 return (1);
1302 }
1303
1304 if (flags & (ACE_FILE_INHERIT_ACE|
1305 ACE_DIRECTORY_INHERIT_ACE|ACE_NO_PROPAGATE_INHERIT_ACE|
1306 ACE_INHERIT_ONLY_ACE))
1307 return (1);
1308
1309 /*
1310 * Special check for some special bits
1311 *
1312 * Don't allow anybody to deny reading basic
1313 * attributes or a files ACL.
1314 */
1315 if ((mask & (ACE_READ_ACL|ACE_READ_ATTRIBUTES)) &&
1316 (type == ACE_ACCESS_DENIED_ACE_TYPE))
1317 return (1);
1318
1319 /*
1320 * Delete permission is never set by default
1321 */
1322 if (mask & ACE_DELETE)
1323 return (1);
1324
1325 /*
1326 * Child delete permission should be accompanied by write
1327 */
1328 if ((mask & ACE_DELETE_CHILD) && !(mask & ACE_WRITE_DATA))
1329 return (1);
1330
1331 /*
1332 * only allow owner@ to have
1333 * write_acl/write_owner/write_attributes/write_xattr/
1334 */
1335 if (type == ACE_ACCESS_ALLOWED_ACE_TYPE &&
1336 (!(flags & ACE_OWNER) && (mask &
1337 (ACE_WRITE_OWNER|ACE_WRITE_ACL| ACE_WRITE_ATTRIBUTES|
1338 ACE_WRITE_NAMED_ATTRS))))
1339 return (1);
1340
1341 }
1342
1343 return (0);
1344 }
1345
1346 /*
1347 * common code for setting ACLs.
1348 *
1349 * This function is called from zfs_mode_update, zfs_perm_init, and zfs_setacl.
1350 * zfs_setacl passes a non-NULL inherit pointer (ihp) to indicate that it's
1351 * already checked the acl and knows whether to inherit.
1352 */
1353 int
1354 zfs_aclset_common(znode_t *zp, zfs_acl_t *aclp, cred_t *cr, dmu_tx_t *tx)
1355 {
1356 int error;
1357 zfsvfs_t *zfsvfs = ZTOZSB(zp);
1358 dmu_object_type_t otype;
1359 zfs_acl_locator_cb_t locate = { 0 };
1360 uint64_t mode;
1361 sa_bulk_attr_t bulk[5];
1362 uint64_t ctime[2];
1363 int count = 0;
1364 zfs_acl_phys_t acl_phys;
1365
1366 mode = zp->z_mode;
1367
1368 mode = zfs_mode_compute(mode, aclp, &zp->z_pflags,
1369 KUID_TO_SUID(ZTOI(zp)->i_uid), KGID_TO_SGID(ZTOI(zp)->i_gid));
1370
1371 zp->z_mode = ZTOI(zp)->i_mode = mode;
1372 SA_ADD_BULK_ATTR(bulk, count, SA_ZPL_MODE(zfsvfs), NULL,
1373 &mode, sizeof (mode));
1374 SA_ADD_BULK_ATTR(bulk, count, SA_ZPL_FLAGS(zfsvfs), NULL,
1375 &zp->z_pflags, sizeof (zp->z_pflags));
1376 SA_ADD_BULK_ATTR(bulk, count, SA_ZPL_CTIME(zfsvfs), NULL,
1377 &ctime, sizeof (ctime));
1378
1379 if (zp->z_acl_cached) {
1380 zfs_acl_free(zp->z_acl_cached);
1381 zp->z_acl_cached = NULL;
1382 }
1383
1384 /*
1385 * Upgrade needed?
1386 */
1387 if (!zfsvfs->z_use_fuids) {
1388 otype = DMU_OT_OLDACL;
1389 } else {
1390 if ((aclp->z_version == ZFS_ACL_VERSION_INITIAL) &&
1391 (zfsvfs->z_version >= ZPL_VERSION_FUID))
1392 zfs_acl_xform(zp, aclp, cr);
1393 ASSERT(aclp->z_version >= ZFS_ACL_VERSION_FUID);
1394 otype = DMU_OT_ACL;
1395 }
1396
1397 /*
1398 * Arrgh, we have to handle old on disk format
1399 * as well as newer (preferred) SA format.
1400 */
1401
1402 if (zp->z_is_sa) { /* the easy case, just update the ACL attribute */
1403 locate.cb_aclp = aclp;
1404 SA_ADD_BULK_ATTR(bulk, count, SA_ZPL_DACL_ACES(zfsvfs),
1405 zfs_acl_data_locator, &locate, aclp->z_acl_bytes);
1406 SA_ADD_BULK_ATTR(bulk, count, SA_ZPL_DACL_COUNT(zfsvfs),
1407 NULL, &aclp->z_acl_count, sizeof (uint64_t));
1408 } else { /* Painful legacy way */
1409 zfs_acl_node_t *aclnode;
1410 uint64_t off = 0;
1411 uint64_t aoid;
1412
1413 if ((error = sa_lookup(zp->z_sa_hdl, SA_ZPL_ZNODE_ACL(zfsvfs),
1414 &acl_phys, sizeof (acl_phys))) != 0)
1415 return (error);
1416
1417 aoid = acl_phys.z_acl_extern_obj;
1418
1419 if (aclp->z_acl_bytes > ZFS_ACE_SPACE) {
1420 /*
1421 * If ACL was previously external and we are now
1422 * converting to new ACL format then release old
1423 * ACL object and create a new one.
1424 */
1425 if (aoid &&
1426 aclp->z_version != acl_phys.z_acl_version) {
1427 error = dmu_object_free(zfsvfs->z_os, aoid, tx);
1428 if (error)
1429 return (error);
1430 aoid = 0;
1431 }
1432 if (aoid == 0) {
1433 aoid = dmu_object_alloc(zfsvfs->z_os,
1434 otype, aclp->z_acl_bytes,
1435 otype == DMU_OT_ACL ?
1436 DMU_OT_SYSACL : DMU_OT_NONE,
1437 otype == DMU_OT_ACL ?
1438 DN_OLD_MAX_BONUSLEN : 0, tx);
1439 } else {
1440 (void) dmu_object_set_blocksize(zfsvfs->z_os,
1441 aoid, aclp->z_acl_bytes, 0, tx);
1442 }
1443 acl_phys.z_acl_extern_obj = aoid;
1444 for (aclnode = list_head(&aclp->z_acl); aclnode;
1445 aclnode = list_next(&aclp->z_acl, aclnode)) {
1446 if (aclnode->z_ace_count == 0)
1447 continue;
1448 dmu_write(zfsvfs->z_os, aoid, off,
1449 aclnode->z_size, aclnode->z_acldata, tx);
1450 off += aclnode->z_size;
1451 }
1452 } else {
1453 void *start = acl_phys.z_ace_data;
1454 /*
1455 * Migrating back embedded?
1456 */
1457 if (acl_phys.z_acl_extern_obj) {
1458 error = dmu_object_free(zfsvfs->z_os,
1459 acl_phys.z_acl_extern_obj, tx);
1460 if (error)
1461 return (error);
1462 acl_phys.z_acl_extern_obj = 0;
1463 }
1464
1465 for (aclnode = list_head(&aclp->z_acl); aclnode;
1466 aclnode = list_next(&aclp->z_acl, aclnode)) {
1467 if (aclnode->z_ace_count == 0)
1468 continue;
1469 memcpy(start, aclnode->z_acldata,
1470 aclnode->z_size);
1471 start = (caddr_t)start + aclnode->z_size;
1472 }
1473 }
1474 /*
1475 * If Old version then swap count/bytes to match old
1476 * layout of znode_acl_phys_t.
1477 */
1478 if (aclp->z_version == ZFS_ACL_VERSION_INITIAL) {
1479 acl_phys.z_acl_size = aclp->z_acl_count;
1480 acl_phys.z_acl_count = aclp->z_acl_bytes;
1481 } else {
1482 acl_phys.z_acl_size = aclp->z_acl_bytes;
1483 acl_phys.z_acl_count = aclp->z_acl_count;
1484 }
1485 acl_phys.z_acl_version = aclp->z_version;
1486
1487 SA_ADD_BULK_ATTR(bulk, count, SA_ZPL_ZNODE_ACL(zfsvfs), NULL,
1488 &acl_phys, sizeof (acl_phys));
1489 }
1490
1491 /*
1492 * Replace ACL wide bits, but first clear them.
1493 */
1494 zp->z_pflags &= ~ZFS_ACL_WIDE_FLAGS;
1495
1496 zp->z_pflags |= aclp->z_hints;
1497
1498 if (ace_trivial_common(aclp, 0, zfs_ace_walk) == 0)
1499 zp->z_pflags |= ZFS_ACL_TRIVIAL;
1500
1501 zfs_tstamp_update_setup(zp, STATE_CHANGED, NULL, ctime);
1502 return (sa_bulk_update(zp->z_sa_hdl, bulk, count, tx));
1503 }
1504
1505 static void
1506 zfs_acl_chmod(boolean_t isdir, uint64_t mode, boolean_t split, boolean_t trim,
1507 zfs_acl_t *aclp)
1508 {
1509 void *acep = NULL;
1510 uint64_t who;
1511 int new_count, new_bytes;
1512 int ace_size;
1513 int entry_type;
1514 uint16_t iflags, type;
1515 uint32_t access_mask;
1516 zfs_acl_node_t *newnode;
1517 size_t abstract_size = aclp->z_ops->ace_abstract_size();
1518 void *zacep;
1519 trivial_acl_t masks;
1520
1521 new_count = new_bytes = 0;
1522
1523 acl_trivial_access_masks((mode_t)mode, isdir, &masks);
1524
1525 newnode = zfs_acl_node_alloc((abstract_size * 6) + aclp->z_acl_bytes);
1526
1527 zacep = newnode->z_acldata;
1528 if (masks.allow0) {
1529 zfs_set_ace(aclp, zacep, masks.allow0, ALLOW, -1, ACE_OWNER);
1530 zacep = (void *)((uintptr_t)zacep + abstract_size);
1531 new_count++;
1532 new_bytes += abstract_size;
1533 }
1534 if (masks.deny1) {
1535 zfs_set_ace(aclp, zacep, masks.deny1, DENY, -1, ACE_OWNER);
1536 zacep = (void *)((uintptr_t)zacep + abstract_size);
1537 new_count++;
1538 new_bytes += abstract_size;
1539 }
1540 if (masks.deny2) {
1541 zfs_set_ace(aclp, zacep, masks.deny2, DENY, -1, OWNING_GROUP);
1542 zacep = (void *)((uintptr_t)zacep + abstract_size);
1543 new_count++;
1544 new_bytes += abstract_size;
1545 }
1546
1547 while ((acep = zfs_acl_next_ace(aclp, acep, &who, &access_mask,
1548 &iflags, &type))) {
1549 entry_type = (iflags & ACE_TYPE_FLAGS);
1550 /*
1551 * ACEs used to represent the file mode may be divided
1552 * into an equivalent pair of inherit-only and regular
1553 * ACEs, if they are inheritable.
1554 * Skip regular ACEs, which are replaced by the new mode.
1555 */
1556 if (split && (entry_type == ACE_OWNER ||
1557 entry_type == OWNING_GROUP ||
1558 entry_type == ACE_EVERYONE)) {
1559 if (!isdir || !(iflags &
1560 (ACE_FILE_INHERIT_ACE|ACE_DIRECTORY_INHERIT_ACE)))
1561 continue;
1562 /*
1563 * We preserve owner@, group@, or @everyone
1564 * permissions, if they are inheritable, by
1565 * copying them to inherit_only ACEs. This
1566 * prevents inheritable permissions from being
1567 * altered along with the file mode.
1568 */
1569 iflags |= ACE_INHERIT_ONLY_ACE;
1570 }
1571
1572 /*
1573 * If this ACL has any inheritable ACEs, mark that in
1574 * the hints (which are later masked into the pflags)
1575 * so create knows to do inheritance.
1576 */
1577 if (isdir && (iflags &
1578 (ACE_FILE_INHERIT_ACE|ACE_DIRECTORY_INHERIT_ACE)))
1579 aclp->z_hints |= ZFS_INHERIT_ACE;
1580
1581 if ((type != ALLOW && type != DENY) ||
1582 (iflags & ACE_INHERIT_ONLY_ACE)) {
1583 switch (type) {
1584 case ACE_ACCESS_ALLOWED_OBJECT_ACE_TYPE:
1585 case ACE_ACCESS_DENIED_OBJECT_ACE_TYPE:
1586 case ACE_SYSTEM_AUDIT_OBJECT_ACE_TYPE:
1587 case ACE_SYSTEM_ALARM_OBJECT_ACE_TYPE:
1588 aclp->z_hints |= ZFS_ACL_OBJ_ACE;
1589 break;
1590 }
1591 } else {
1592 /*
1593 * Limit permissions to be no greater than
1594 * group permissions.
1595 * The "aclinherit" and "aclmode" properties
1596 * affect policy for create and chmod(2),
1597 * respectively.
1598 */
1599 if ((type == ALLOW) && trim)
1600 access_mask &= masks.group;
1601 }
1602 zfs_set_ace(aclp, zacep, access_mask, type, who, iflags);
1603 ace_size = aclp->z_ops->ace_size(acep);
1604 zacep = (void *)((uintptr_t)zacep + ace_size);
1605 new_count++;
1606 new_bytes += ace_size;
1607 }
1608 zfs_set_ace(aclp, zacep, masks.owner, ALLOW, -1, ACE_OWNER);
1609 zacep = (void *)((uintptr_t)zacep + abstract_size);
1610 zfs_set_ace(aclp, zacep, masks.group, ALLOW, -1, OWNING_GROUP);
1611 zacep = (void *)((uintptr_t)zacep + abstract_size);
1612 zfs_set_ace(aclp, zacep, masks.everyone, ALLOW, -1, ACE_EVERYONE);
1613
1614 new_count += 3;
1615 new_bytes += abstract_size * 3;
1616 zfs_acl_release_nodes(aclp);
1617 aclp->z_acl_count = new_count;
1618 aclp->z_acl_bytes = new_bytes;
1619 newnode->z_ace_count = new_count;
1620 newnode->z_size = new_bytes;
1621 list_insert_tail(&aclp->z_acl, newnode);
1622 }
1623
1624 int
1625 zfs_acl_chmod_setattr(znode_t *zp, zfs_acl_t **aclp, uint64_t mode)
1626 {
1627 int error = 0;
1628
1629 mutex_enter(&zp->z_acl_lock);
1630 mutex_enter(&zp->z_lock);
1631 if (ZTOZSB(zp)->z_acl_mode == ZFS_ACL_DISCARD)
1632 *aclp = zfs_acl_alloc(zfs_acl_version_zp(zp));
1633 else
1634 error = zfs_acl_node_read(zp, B_TRUE, aclp, B_TRUE);
1635
1636 if (error == 0) {
1637 (*aclp)->z_hints = zp->z_pflags & V4_ACL_WIDE_FLAGS;
1638 zfs_acl_chmod(S_ISDIR(ZTOI(zp)->i_mode), mode, B_TRUE,
1639 (ZTOZSB(zp)->z_acl_mode == ZFS_ACL_GROUPMASK), *aclp);
1640 }
1641 mutex_exit(&zp->z_lock);
1642 mutex_exit(&zp->z_acl_lock);
1643
1644 return (error);
1645 }
1646
1647 /*
1648 * Should ACE be inherited?
1649 */
1650 static int
1651 zfs_ace_can_use(umode_t obj_mode, uint16_t acep_flags)
1652 {
1653 int iflags = (acep_flags & 0xf);
1654
1655 if (S_ISDIR(obj_mode) && (iflags & ACE_DIRECTORY_INHERIT_ACE))
1656 return (1);
1657 else if (iflags & ACE_FILE_INHERIT_ACE)
1658 return (!(S_ISDIR(obj_mode) &&
1659 (iflags & ACE_NO_PROPAGATE_INHERIT_ACE)));
1660 return (0);
1661 }
1662
1663 /*
1664 * inherit inheritable ACEs from parent
1665 */
1666 static zfs_acl_t *
1667 zfs_acl_inherit(zfsvfs_t *zfsvfs, umode_t va_mode, zfs_acl_t *paclp,
1668 uint64_t mode, boolean_t *need_chmod)
1669 {
1670 void *pacep = NULL;
1671 void *acep;
1672 zfs_acl_node_t *aclnode;
1673 zfs_acl_t *aclp = NULL;
1674 uint64_t who;
1675 uint32_t access_mask;
1676 uint16_t iflags, newflags, type;
1677 size_t ace_size;
1678 void *data1, *data2;
1679 size_t data1sz, data2sz;
1680 uint_t aclinherit;
1681 boolean_t isdir = S_ISDIR(va_mode);
1682 boolean_t isreg = S_ISREG(va_mode);
1683
1684 *need_chmod = B_TRUE;
1685
1686 aclp = zfs_acl_alloc(paclp->z_version);
1687 aclinherit = zfsvfs->z_acl_inherit;
1688 if (aclinherit == ZFS_ACL_DISCARD || S_ISLNK(va_mode))
1689 return (aclp);
1690
1691 while ((pacep = zfs_acl_next_ace(paclp, pacep, &who,
1692 &access_mask, &iflags, &type))) {
1693
1694 /*
1695 * don't inherit bogus ACEs
1696 */
1697 if (!zfs_acl_valid_ace_type(type, iflags))
1698 continue;
1699
1700 /*
1701 * Check if ACE is inheritable by this vnode
1702 */
1703 if ((aclinherit == ZFS_ACL_NOALLOW && type == ALLOW) ||
1704 !zfs_ace_can_use(va_mode, iflags))
1705 continue;
1706
1707 /*
1708 * If owner@, group@, or everyone@ inheritable
1709 * then zfs_acl_chmod() isn't needed.
1710 */
1711 if ((aclinherit == ZFS_ACL_PASSTHROUGH ||
1712 aclinherit == ZFS_ACL_PASSTHROUGH_X) &&
1713 ((iflags & (ACE_OWNER|ACE_EVERYONE)) ||
1714 ((iflags & OWNING_GROUP) == OWNING_GROUP)) &&
1715 (isreg || (isdir && (iflags & ACE_DIRECTORY_INHERIT_ACE))))
1716 *need_chmod = B_FALSE;
1717
1718 /*
1719 * Strip inherited execute permission from file if
1720 * not in mode
1721 */
1722 if (aclinherit == ZFS_ACL_PASSTHROUGH_X && type == ALLOW &&
1723 !isdir && ((mode & (S_IXUSR|S_IXGRP|S_IXOTH)) == 0)) {
1724 access_mask &= ~ACE_EXECUTE;
1725 }
1726
1727 /*
1728 * Strip write_acl and write_owner from permissions
1729 * when inheriting an ACE
1730 */
1731 if (aclinherit == ZFS_ACL_RESTRICTED && type == ALLOW) {
1732 access_mask &= ~RESTRICTED_CLEAR;
1733 }
1734
1735 ace_size = aclp->z_ops->ace_size(pacep);
1736 aclnode = zfs_acl_node_alloc(ace_size);
1737 list_insert_tail(&aclp->z_acl, aclnode);
1738 acep = aclnode->z_acldata;
1739
1740 zfs_set_ace(aclp, acep, access_mask, type,
1741 who, iflags|ACE_INHERITED_ACE);
1742
1743 /*
1744 * Copy special opaque data if any
1745 */
1746 if ((data1sz = paclp->z_ops->ace_data(pacep, &data1)) != 0) {
1747 VERIFY((data2sz = aclp->z_ops->ace_data(acep,
1748 &data2)) == data1sz);
1749 memcpy(data2, data1, data2sz);
1750 }
1751
1752 aclp->z_acl_count++;
1753 aclnode->z_ace_count++;
1754 aclp->z_acl_bytes += aclnode->z_size;
1755 newflags = aclp->z_ops->ace_flags_get(acep);
1756
1757 /*
1758 * If ACE is not to be inherited further, or if the vnode is
1759 * not a directory, remove all inheritance flags
1760 */
1761 if (!isdir || (iflags & ACE_NO_PROPAGATE_INHERIT_ACE)) {
1762 newflags &= ~ALL_INHERIT;
1763 aclp->z_ops->ace_flags_set(acep,
1764 newflags|ACE_INHERITED_ACE);
1765 continue;
1766 }
1767
1768 /*
1769 * This directory has an inheritable ACE
1770 */
1771 aclp->z_hints |= ZFS_INHERIT_ACE;
1772
1773 /*
1774 * If only FILE_INHERIT is set then turn on
1775 * inherit_only
1776 */
1777 if ((iflags & (ACE_FILE_INHERIT_ACE |
1778 ACE_DIRECTORY_INHERIT_ACE)) == ACE_FILE_INHERIT_ACE) {
1779 newflags |= ACE_INHERIT_ONLY_ACE;
1780 aclp->z_ops->ace_flags_set(acep,
1781 newflags|ACE_INHERITED_ACE);
1782 } else {
1783 newflags &= ~ACE_INHERIT_ONLY_ACE;
1784 aclp->z_ops->ace_flags_set(acep,
1785 newflags|ACE_INHERITED_ACE);
1786 }
1787 }
1788 if (zfsvfs->z_acl_mode == ZFS_ACL_RESTRICTED &&
1789 aclp->z_acl_count != 0) {
1790 *need_chmod = B_FALSE;
1791 }
1792
1793 return (aclp);
1794 }
1795
1796 /*
1797 * Create file system object initial permissions
1798 * including inheritable ACEs.
1799 * Also, create FUIDs for owner and group.
1800 */
1801 int
1802 zfs_acl_ids_create(znode_t *dzp, int flag, vattr_t *vap, cred_t *cr,
1803 vsecattr_t *vsecp, zfs_acl_ids_t *acl_ids, zidmap_t *mnt_ns)
1804 {
1805 int error;
1806 zfsvfs_t *zfsvfs = ZTOZSB(dzp);
1807 zfs_acl_t *paclp;
1808 gid_t gid = vap->va_gid;
1809 boolean_t need_chmod = B_TRUE;
1810 boolean_t trim = B_FALSE;
1811 boolean_t inherited = B_FALSE;
1812
1813 memset(acl_ids, 0, sizeof (zfs_acl_ids_t));
1814 acl_ids->z_mode = vap->va_mode;
1815
1816 if (vsecp)
1817 if ((error = zfs_vsec_2_aclp(zfsvfs, vap->va_mode, vsecp,
1818 cr, &acl_ids->z_fuidp, &acl_ids->z_aclp)) != 0)
1819 return (error);
1820
1821 acl_ids->z_fuid = vap->va_uid;
1822 acl_ids->z_fgid = vap->va_gid;
1823 #ifdef HAVE_KSID
1824 /*
1825 * Determine uid and gid.
1826 */
1827 if ((flag & IS_ROOT_NODE) || zfsvfs->z_replay ||
1828 ((flag & IS_XATTR) && (S_ISDIR(vap->va_mode)))) {
1829 acl_ids->z_fuid = zfs_fuid_create(zfsvfs, (uint64_t)vap->va_uid,
1830 cr, ZFS_OWNER, &acl_ids->z_fuidp);
1831 acl_ids->z_fgid = zfs_fuid_create(zfsvfs, (uint64_t)vap->va_gid,
1832 cr, ZFS_GROUP, &acl_ids->z_fuidp);
1833 gid = vap->va_gid;
1834 } else {
1835 acl_ids->z_fuid = zfs_fuid_create_cred(zfsvfs, ZFS_OWNER,
1836 cr, &acl_ids->z_fuidp);
1837 acl_ids->z_fgid = 0;
1838 if (vap->va_mask & AT_GID) {
1839 acl_ids->z_fgid = zfs_fuid_create(zfsvfs,
1840 (uint64_t)vap->va_gid,
1841 cr, ZFS_GROUP, &acl_ids->z_fuidp);
1842 gid = vap->va_gid;
1843 if (acl_ids->z_fgid != KGID_TO_SGID(ZTOI(dzp)->i_gid) &&
1844 !groupmember(vap->va_gid, cr) &&
1845 secpolicy_vnode_create_gid(cr) != 0)
1846 acl_ids->z_fgid = 0;
1847 }
1848 if (acl_ids->z_fgid == 0) {
1849 if (dzp->z_mode & S_ISGID) {
1850 char *domain;
1851 uint32_t rid;
1852
1853 acl_ids->z_fgid = KGID_TO_SGID(
1854 ZTOI(dzp)->i_gid);
1855 gid = zfs_fuid_map_id(zfsvfs, acl_ids->z_fgid,
1856 cr, ZFS_GROUP);
1857
1858 if (zfsvfs->z_use_fuids &&
1859 IS_EPHEMERAL(acl_ids->z_fgid)) {
1860 domain = zfs_fuid_idx_domain(
1861 &zfsvfs->z_fuid_idx,
1862 FUID_INDEX(acl_ids->z_fgid));
1863 rid = FUID_RID(acl_ids->z_fgid);
1864 zfs_fuid_node_add(&acl_ids->z_fuidp,
1865 domain, rid,
1866 FUID_INDEX(acl_ids->z_fgid),
1867 acl_ids->z_fgid, ZFS_GROUP);
1868 }
1869 } else {
1870 acl_ids->z_fgid = zfs_fuid_create_cred(zfsvfs,
1871 ZFS_GROUP, cr, &acl_ids->z_fuidp);
1872 gid = crgetgid(cr);
1873 }
1874 }
1875 }
1876 #endif /* HAVE_KSID */
1877
1878 /*
1879 * If we're creating a directory, and the parent directory has the
1880 * set-GID bit set, set in on the new directory.
1881 * Otherwise, if the user is neither privileged nor a member of the
1882 * file's new group, clear the file's set-GID bit.
1883 */
1884
1885 if (!(flag & IS_ROOT_NODE) && (dzp->z_mode & S_ISGID) &&
1886 (S_ISDIR(vap->va_mode))) {
1887 acl_ids->z_mode |= S_ISGID;
1888 } else {
1889 if ((acl_ids->z_mode & S_ISGID) &&
1890 secpolicy_vnode_setids_setgids(cr, gid, mnt_ns,
1891 zfs_i_user_ns(ZTOI(dzp))) != 0) {
1892 acl_ids->z_mode &= ~S_ISGID;
1893 }
1894 }
1895
1896 if (acl_ids->z_aclp == NULL) {
1897 mutex_enter(&dzp->z_acl_lock);
1898 mutex_enter(&dzp->z_lock);
1899 if (!(flag & IS_ROOT_NODE) &&
1900 (dzp->z_pflags & ZFS_INHERIT_ACE) &&
1901 !(dzp->z_pflags & ZFS_XATTR)) {
1902 VERIFY(0 == zfs_acl_node_read(dzp, B_TRUE,
1903 &paclp, B_FALSE));
1904 acl_ids->z_aclp = zfs_acl_inherit(zfsvfs,
1905 vap->va_mode, paclp, acl_ids->z_mode, &need_chmod);
1906 inherited = B_TRUE;
1907 } else {
1908 acl_ids->z_aclp =
1909 zfs_acl_alloc(zfs_acl_version_zp(dzp));
1910 acl_ids->z_aclp->z_hints |= ZFS_ACL_TRIVIAL;
1911 }
1912 mutex_exit(&dzp->z_lock);
1913 mutex_exit(&dzp->z_acl_lock);
1914
1915 if (need_chmod) {
1916 if (S_ISDIR(vap->va_mode))
1917 acl_ids->z_aclp->z_hints |=
1918 ZFS_ACL_AUTO_INHERIT;
1919
1920 if (zfsvfs->z_acl_mode == ZFS_ACL_GROUPMASK &&
1921 zfsvfs->z_acl_inherit != ZFS_ACL_PASSTHROUGH &&
1922 zfsvfs->z_acl_inherit != ZFS_ACL_PASSTHROUGH_X)
1923 trim = B_TRUE;
1924 zfs_acl_chmod(S_ISDIR(vap->va_mode), acl_ids->z_mode,
1925 B_FALSE, trim, acl_ids->z_aclp);
1926 }
1927 }
1928
1929 if (inherited || vsecp) {
1930 acl_ids->z_mode = zfs_mode_compute(acl_ids->z_mode,
1931 acl_ids->z_aclp, &acl_ids->z_aclp->z_hints,
1932 acl_ids->z_fuid, acl_ids->z_fgid);
1933 if (ace_trivial_common(acl_ids->z_aclp, 0, zfs_ace_walk) == 0)
1934 acl_ids->z_aclp->z_hints |= ZFS_ACL_TRIVIAL;
1935 }
1936
1937 return (0);
1938 }
1939
1940 /*
1941 * Free ACL and fuid_infop, but not the acl_ids structure
1942 */
1943 void
1944 zfs_acl_ids_free(zfs_acl_ids_t *acl_ids)
1945 {
1946 if (acl_ids->z_aclp)
1947 zfs_acl_free(acl_ids->z_aclp);
1948 if (acl_ids->z_fuidp)
1949 zfs_fuid_info_free(acl_ids->z_fuidp);
1950 acl_ids->z_aclp = NULL;
1951 acl_ids->z_fuidp = NULL;
1952 }
1953
1954 boolean_t
1955 zfs_acl_ids_overquota(zfsvfs_t *zv, zfs_acl_ids_t *acl_ids, uint64_t projid)
1956 {
1957 return (zfs_id_overquota(zv, DMU_USERUSED_OBJECT, acl_ids->z_fuid) ||
1958 zfs_id_overquota(zv, DMU_GROUPUSED_OBJECT, acl_ids->z_fgid) ||
1959 (projid != ZFS_DEFAULT_PROJID && projid != ZFS_INVALID_PROJID &&
1960 zfs_id_overquota(zv, DMU_PROJECTUSED_OBJECT, projid)));
1961 }
1962
1963 /*
1964 * Retrieve a file's ACL
1965 */
1966 int
1967 zfs_getacl(znode_t *zp, vsecattr_t *vsecp, boolean_t skipaclchk, cred_t *cr)
1968 {
1969 zfs_acl_t *aclp;
1970 ulong_t mask;
1971 int error;
1972 int count = 0;
1973 int largeace = 0;
1974
1975 mask = vsecp->vsa_mask & (VSA_ACE | VSA_ACECNT |
1976 VSA_ACE_ACLFLAGS | VSA_ACE_ALLTYPES);
1977
1978 if (mask == 0)
1979 return (SET_ERROR(ENOSYS));
1980
1981 if ((error = zfs_zaccess(zp, ACE_READ_ACL, 0, skipaclchk, cr,
1982 zfs_init_idmap)))
1983 return (error);
1984
1985 mutex_enter(&zp->z_acl_lock);
1986
1987 error = zfs_acl_node_read(zp, B_FALSE, &aclp, B_FALSE);
1988 if (error != 0) {
1989 mutex_exit(&zp->z_acl_lock);
1990 return (error);
1991 }
1992
1993 /*
1994 * Scan ACL to determine number of ACEs
1995 */
1996 if ((zp->z_pflags & ZFS_ACL_OBJ_ACE) && !(mask & VSA_ACE_ALLTYPES)) {
1997 void *zacep = NULL;
1998 uint64_t who;
1999 uint32_t access_mask;
2000 uint16_t type, iflags;
2001
2002 while ((zacep = zfs_acl_next_ace(aclp, zacep,
2003 &who, &access_mask, &iflags, &type))) {
2004 switch (type) {
2005 case ACE_ACCESS_ALLOWED_OBJECT_ACE_TYPE:
2006 case ACE_ACCESS_DENIED_OBJECT_ACE_TYPE:
2007 case ACE_SYSTEM_AUDIT_OBJECT_ACE_TYPE:
2008 case ACE_SYSTEM_ALARM_OBJECT_ACE_TYPE:
2009 largeace++;
2010 continue;
2011 default:
2012 count++;
2013 }
2014 }
2015 vsecp->vsa_aclcnt = count;
2016 } else
2017 count = (int)aclp->z_acl_count;
2018
2019 if (mask & VSA_ACECNT) {
2020 vsecp->vsa_aclcnt = count;
2021 }
2022
2023 if (mask & VSA_ACE) {
2024 size_t aclsz;
2025
2026 aclsz = count * sizeof (ace_t) +
2027 sizeof (ace_object_t) * largeace;
2028
2029 vsecp->vsa_aclentp = kmem_alloc(aclsz, KM_SLEEP);
2030 vsecp->vsa_aclentsz = aclsz;
2031
2032 if (aclp->z_version == ZFS_ACL_VERSION_FUID)
2033 zfs_copy_fuid_2_ace(ZTOZSB(zp), aclp, cr,
2034 vsecp->vsa_aclentp, !(mask & VSA_ACE_ALLTYPES));
2035 else {
2036 zfs_acl_node_t *aclnode;
2037 void *start = vsecp->vsa_aclentp;
2038
2039 for (aclnode = list_head(&aclp->z_acl); aclnode;
2040 aclnode = list_next(&aclp->z_acl, aclnode)) {
2041 memcpy(start, aclnode->z_acldata,
2042 aclnode->z_size);
2043 start = (caddr_t)start + aclnode->z_size;
2044 }
2045 ASSERT((caddr_t)start - (caddr_t)vsecp->vsa_aclentp ==
2046 aclp->z_acl_bytes);
2047 }
2048 }
2049 if (mask & VSA_ACE_ACLFLAGS) {
2050 vsecp->vsa_aclflags = 0;
2051 if (zp->z_pflags & ZFS_ACL_DEFAULTED)
2052 vsecp->vsa_aclflags |= ACL_DEFAULTED;
2053 if (zp->z_pflags & ZFS_ACL_PROTECTED)
2054 vsecp->vsa_aclflags |= ACL_PROTECTED;
2055 if (zp->z_pflags & ZFS_ACL_AUTO_INHERIT)
2056 vsecp->vsa_aclflags |= ACL_AUTO_INHERIT;
2057 }
2058
2059 mutex_exit(&zp->z_acl_lock);
2060
2061 return (0);
2062 }
2063
2064 int
2065 zfs_vsec_2_aclp(zfsvfs_t *zfsvfs, umode_t obj_mode,
2066 vsecattr_t *vsecp, cred_t *cr, zfs_fuid_info_t **fuidp, zfs_acl_t **zaclp)
2067 {
2068 zfs_acl_t *aclp;
2069 zfs_acl_node_t *aclnode;
2070 int aclcnt = vsecp->vsa_aclcnt;
2071 int error;
2072
2073 if (vsecp->vsa_aclcnt > MAX_ACL_ENTRIES || vsecp->vsa_aclcnt <= 0)
2074 return (SET_ERROR(EINVAL));
2075
2076 aclp = zfs_acl_alloc(zfs_acl_version(zfsvfs->z_version));
2077
2078 aclp->z_hints = 0;
2079 aclnode = zfs_acl_node_alloc(aclcnt * sizeof (zfs_object_ace_t));
2080 if (aclp->z_version == ZFS_ACL_VERSION_INITIAL) {
2081 if ((error = zfs_copy_ace_2_oldace(obj_mode, aclp,
2082 (ace_t *)vsecp->vsa_aclentp, aclnode->z_acldata,
2083 aclcnt, &aclnode->z_size)) != 0) {
2084 zfs_acl_free(aclp);
2085 zfs_acl_node_free(aclnode);
2086 return (error);
2087 }
2088 } else {
2089 if ((error = zfs_copy_ace_2_fuid(zfsvfs, obj_mode, aclp,
2090 vsecp->vsa_aclentp, aclnode->z_acldata, aclcnt,
2091 &aclnode->z_size, fuidp, cr)) != 0) {
2092 zfs_acl_free(aclp);
2093 zfs_acl_node_free(aclnode);
2094 return (error);
2095 }
2096 }
2097 aclp->z_acl_bytes = aclnode->z_size;
2098 aclnode->z_ace_count = aclcnt;
2099 aclp->z_acl_count = aclcnt;
2100 list_insert_head(&aclp->z_acl, aclnode);
2101
2102 /*
2103 * If flags are being set then add them to z_hints
2104 */
2105 if (vsecp->vsa_mask & VSA_ACE_ACLFLAGS) {
2106 if (vsecp->vsa_aclflags & ACL_PROTECTED)
2107 aclp->z_hints |= ZFS_ACL_PROTECTED;
2108 if (vsecp->vsa_aclflags & ACL_DEFAULTED)
2109 aclp->z_hints |= ZFS_ACL_DEFAULTED;
2110 if (vsecp->vsa_aclflags & ACL_AUTO_INHERIT)
2111 aclp->z_hints |= ZFS_ACL_AUTO_INHERIT;
2112 }
2113
2114 *zaclp = aclp;
2115
2116 return (0);
2117 }
2118
2119 /*
2120 * Set a file's ACL
2121 */
2122 int
2123 zfs_setacl(znode_t *zp, vsecattr_t *vsecp, boolean_t skipaclchk, cred_t *cr)
2124 {
2125 zfsvfs_t *zfsvfs = ZTOZSB(zp);
2126 zilog_t *zilog = zfsvfs->z_log;
2127 ulong_t mask = vsecp->vsa_mask & (VSA_ACE | VSA_ACECNT);
2128 dmu_tx_t *tx;
2129 int error;
2130 zfs_acl_t *aclp;
2131 zfs_fuid_info_t *fuidp = NULL;
2132 boolean_t fuid_dirtied;
2133 uint64_t acl_obj;
2134
2135 if (mask == 0)
2136 return (SET_ERROR(ENOSYS));
2137
2138 if (zp->z_pflags & ZFS_IMMUTABLE)
2139 return (SET_ERROR(EPERM));
2140
2141 if ((error = zfs_zaccess(zp, ACE_WRITE_ACL, 0, skipaclchk, cr,
2142 zfs_init_idmap)))
2143 return (error);
2144
2145 error = zfs_vsec_2_aclp(zfsvfs, ZTOI(zp)->i_mode, vsecp, cr, &fuidp,
2146 &aclp);
2147 if (error)
2148 return (error);
2149
2150 /*
2151 * If ACL wide flags aren't being set then preserve any
2152 * existing flags.
2153 */
2154 if (!(vsecp->vsa_mask & VSA_ACE_ACLFLAGS)) {
2155 aclp->z_hints |=
2156 (zp->z_pflags & V4_ACL_WIDE_FLAGS);
2157 }
2158 top:
2159 mutex_enter(&zp->z_acl_lock);
2160 mutex_enter(&zp->z_lock);
2161
2162 tx = dmu_tx_create(zfsvfs->z_os);
2163
2164 dmu_tx_hold_sa(tx, zp->z_sa_hdl, B_TRUE);
2165
2166 fuid_dirtied = zfsvfs->z_fuid_dirty;
2167 if (fuid_dirtied)
2168 zfs_fuid_txhold(zfsvfs, tx);
2169
2170 /*
2171 * If old version and ACL won't fit in bonus and we aren't
2172 * upgrading then take out necessary DMU holds
2173 */
2174
2175 if ((acl_obj = zfs_external_acl(zp)) != 0) {
2176 if (zfsvfs->z_version >= ZPL_VERSION_FUID &&
2177 zfs_znode_acl_version(zp) <= ZFS_ACL_VERSION_INITIAL) {
2178 dmu_tx_hold_free(tx, acl_obj, 0,
2179 DMU_OBJECT_END);
2180 dmu_tx_hold_write(tx, DMU_NEW_OBJECT, 0,
2181 aclp->z_acl_bytes);
2182 } else {
2183 dmu_tx_hold_write(tx, acl_obj, 0, aclp->z_acl_bytes);
2184 }
2185 } else if (!zp->z_is_sa && aclp->z_acl_bytes > ZFS_ACE_SPACE) {
2186 dmu_tx_hold_write(tx, DMU_NEW_OBJECT, 0, aclp->z_acl_bytes);
2187 }
2188
2189 zfs_sa_upgrade_txholds(tx, zp);
2190 error = dmu_tx_assign(tx, TXG_NOWAIT);
2191 if (error) {
2192 mutex_exit(&zp->z_acl_lock);
2193 mutex_exit(&zp->z_lock);
2194
2195 if (error == ERESTART) {
2196 dmu_tx_wait(tx);
2197 dmu_tx_abort(tx);
2198 goto top;
2199 }
2200 dmu_tx_abort(tx);
2201 zfs_acl_free(aclp);
2202 return (error);
2203 }
2204
2205 error = zfs_aclset_common(zp, aclp, cr, tx);
2206 ASSERT(error == 0);
2207 ASSERT(zp->z_acl_cached == NULL);
2208 zp->z_acl_cached = aclp;
2209
2210 if (fuid_dirtied)
2211 zfs_fuid_sync(zfsvfs, tx);
2212
2213 zfs_log_acl(zilog, tx, zp, vsecp, fuidp);
2214
2215 if (fuidp)
2216 zfs_fuid_info_free(fuidp);
2217 dmu_tx_commit(tx);
2218
2219 mutex_exit(&zp->z_lock);
2220 mutex_exit(&zp->z_acl_lock);
2221
2222 return (error);
2223 }
2224
2225 /*
2226 * Check accesses of interest (AoI) against attributes of the dataset
2227 * such as read-only. Returns zero if no AoI conflict with dataset
2228 * attributes, otherwise an appropriate errno is returned.
2229 */
2230 static int
2231 zfs_zaccess_dataset_check(znode_t *zp, uint32_t v4_mode)
2232 {
2233 if ((v4_mode & WRITE_MASK) && (zfs_is_readonly(ZTOZSB(zp))) &&
2234 (!Z_ISDEV(ZTOI(zp)->i_mode) || (v4_mode & WRITE_MASK_ATTRS))) {
2235 return (SET_ERROR(EROFS));
2236 }
2237
2238 /*
2239 * Intentionally allow ZFS_READONLY through here.
2240 * See zfs_zaccess_common().
2241 */
2242 if ((v4_mode & WRITE_MASK_DATA) &&
2243 (zp->z_pflags & ZFS_IMMUTABLE)) {
2244 return (SET_ERROR(EPERM));
2245 }
2246
2247 if ((v4_mode & (ACE_DELETE | ACE_DELETE_CHILD)) &&
2248 (zp->z_pflags & ZFS_NOUNLINK)) {
2249 return (SET_ERROR(EPERM));
2250 }
2251
2252 if (((v4_mode & (ACE_READ_DATA|ACE_EXECUTE)) &&
2253 (zp->z_pflags & ZFS_AV_QUARANTINED))) {
2254 return (SET_ERROR(EACCES));
2255 }
2256
2257 return (0);
2258 }
2259
2260 /*
2261 * The primary usage of this function is to loop through all of the
2262 * ACEs in the znode, determining what accesses of interest (AoI) to
2263 * the caller are allowed or denied. The AoI are expressed as bits in
2264 * the working_mode parameter. As each ACE is processed, bits covered
2265 * by that ACE are removed from the working_mode. This removal
2266 * facilitates two things. The first is that when the working mode is
2267 * empty (= 0), we know we've looked at all the AoI. The second is
2268 * that the ACE interpretation rules don't allow a later ACE to undo
2269 * something granted or denied by an earlier ACE. Removing the
2270 * discovered access or denial enforces this rule. At the end of
2271 * processing the ACEs, all AoI that were found to be denied are
2272 * placed into the working_mode, giving the caller a mask of denied
2273 * accesses. Returns:
2274 * 0 if all AoI granted
2275 * EACCES if the denied mask is non-zero
2276 * other error if abnormal failure (e.g., IO error)
2277 *
2278 * A secondary usage of the function is to determine if any of the
2279 * AoI are granted. If an ACE grants any access in
2280 * the working_mode, we immediately short circuit out of the function.
2281 * This mode is chosen by setting anyaccess to B_TRUE. The
2282 * working_mode is not a denied access mask upon exit if the function
2283 * is used in this manner.
2284 */
2285 static int
2286 zfs_zaccess_aces_check(znode_t *zp, uint32_t *working_mode,
2287 boolean_t anyaccess, cred_t *cr, zidmap_t *mnt_ns)
2288 {
2289 zfsvfs_t *zfsvfs = ZTOZSB(zp);
2290 zfs_acl_t *aclp;
2291 int error;
2292 uid_t uid = crgetuid(cr);
2293 uint64_t who;
2294 uint16_t type, iflags;
2295 uint16_t entry_type;
2296 uint32_t access_mask;
2297 uint32_t deny_mask = 0;
2298 zfs_ace_hdr_t *acep = NULL;
2299 boolean_t checkit;
2300 uid_t gowner;
2301 uid_t fowner;
2302
2303 if (mnt_ns) {
2304 fowner = zfs_uid_to_vfsuid(mnt_ns, zfs_i_user_ns(ZTOI(zp)),
2305 KUID_TO_SUID(ZTOI(zp)->i_uid));
2306 gowner = zfs_gid_to_vfsgid(mnt_ns, zfs_i_user_ns(ZTOI(zp)),
2307 KGID_TO_SGID(ZTOI(zp)->i_gid));
2308 } else
2309 zfs_fuid_map_ids(zp, cr, &fowner, &gowner);
2310
2311 mutex_enter(&zp->z_acl_lock);
2312
2313 error = zfs_acl_node_read(zp, B_FALSE, &aclp, B_FALSE);
2314 if (error != 0) {
2315 mutex_exit(&zp->z_acl_lock);
2316 return (error);
2317 }
2318
2319 ASSERT(zp->z_acl_cached);
2320
2321 while ((acep = zfs_acl_next_ace(aclp, acep, &who, &access_mask,
2322 &iflags, &type))) {
2323 uint32_t mask_matched;
2324
2325 if (!zfs_acl_valid_ace_type(type, iflags))
2326 continue;
2327
2328 if (S_ISDIR(ZTOI(zp)->i_mode) &&
2329 (iflags & ACE_INHERIT_ONLY_ACE))
2330 continue;
2331
2332 /* Skip ACE if it does not affect any AoI */
2333 mask_matched = (access_mask & *working_mode);
2334 if (!mask_matched)
2335 continue;
2336
2337 entry_type = (iflags & ACE_TYPE_FLAGS);
2338
2339 checkit = B_FALSE;
2340
2341 switch (entry_type) {
2342 case ACE_OWNER:
2343 if (uid == fowner)
2344 checkit = B_TRUE;
2345 break;
2346 case OWNING_GROUP:
2347 who = gowner;
2348 zfs_fallthrough;
2349 case ACE_IDENTIFIER_GROUP:
2350 checkit = zfs_groupmember(zfsvfs, who, cr);
2351 break;
2352 case ACE_EVERYONE:
2353 checkit = B_TRUE;
2354 break;
2355
2356 /* USER Entry */
2357 default:
2358 if (entry_type == 0) {
2359 uid_t newid;
2360
2361 newid = zfs_fuid_map_id(zfsvfs, who, cr,
2362 ZFS_ACE_USER);
2363 if (newid != IDMAP_WK_CREATOR_OWNER_UID &&
2364 uid == newid)
2365 checkit = B_TRUE;
2366 break;
2367 } else {
2368 mutex_exit(&zp->z_acl_lock);
2369 return (SET_ERROR(EIO));
2370 }
2371 }
2372
2373 if (checkit) {
2374 if (type == DENY) {
2375 DTRACE_PROBE3(zfs__ace__denies,
2376 znode_t *, zp,
2377 zfs_ace_hdr_t *, acep,
2378 uint32_t, mask_matched);
2379 deny_mask |= mask_matched;
2380 } else {
2381 DTRACE_PROBE3(zfs__ace__allows,
2382 znode_t *, zp,
2383 zfs_ace_hdr_t *, acep,
2384 uint32_t, mask_matched);
2385 if (anyaccess) {
2386 mutex_exit(&zp->z_acl_lock);
2387 return (0);
2388 }
2389 }
2390 *working_mode &= ~mask_matched;
2391 }
2392
2393 /* Are we done? */
2394 if (*working_mode == 0)
2395 break;
2396 }
2397
2398 mutex_exit(&zp->z_acl_lock);
2399
2400 /* Put the found 'denies' back on the working mode */
2401 if (deny_mask) {
2402 *working_mode |= deny_mask;
2403 return (SET_ERROR(EACCES));
2404 } else if (*working_mode) {
2405 return (-1);
2406 }
2407
2408 return (0);
2409 }
2410
2411 /*
2412 * Return true if any access whatsoever granted, we don't actually
2413 * care what access is granted.
2414 */
2415 boolean_t
2416 zfs_has_access(znode_t *zp, cred_t *cr)
2417 {
2418 uint32_t have = ACE_ALL_PERMS;
2419
2420 if (zfs_zaccess_aces_check(zp, &have, B_TRUE, cr,
2421 zfs_init_idmap) != 0) {
2422 uid_t owner;
2423
2424 owner = zfs_fuid_map_id(ZTOZSB(zp),
2425 KUID_TO_SUID(ZTOI(zp)->i_uid), cr, ZFS_OWNER);
2426 return (secpolicy_vnode_any_access(cr, ZTOI(zp), owner) == 0);
2427 }
2428 return (B_TRUE);
2429 }
2430
2431 /*
2432 * Simplified access check for case where ACL is known to not contain
2433 * information beyond what is defined in the mode. In this case, we
2434 * can pass along to the kernel / vfs generic_permission() check, which
2435 * evaluates the mode and POSIX ACL.
2436 *
2437 * NFSv4 ACLs allow granting permissions that are usually relegated only
2438 * to the file owner or superuser. Examples are ACE_WRITE_OWNER (chown),
2439 * ACE_WRITE_ACL(chmod), and ACE_DELETE. ACE_DELETE requests must fail
2440 * because with conventional posix permissions, right to delete file
2441 * is determined by write bit on the parent dir.
2442 *
2443 * If unmappable perms are requested, then we must return EPERM
2444 * and include those bits in the working_mode so that the caller of
2445 * zfs_zaccess_common() can decide whether to perform additional
2446 * policy / capability checks. EACCES is used in zfs_zaccess_aces_check()
2447 * to indicate access check failed due to explicit DENY entry, and so
2448 * we want to avoid that here.
2449 */
2450 static int
2451 zfs_zaccess_trivial(znode_t *zp, uint32_t *working_mode, cred_t *cr,
2452 zidmap_t *mnt_ns)
2453 {
2454 int err, mask;
2455 int unmapped = 0;
2456
2457 ASSERT(zp->z_pflags & ZFS_ACL_TRIVIAL);
2458
2459 mask = zfs_v4_to_unix(*working_mode, &unmapped);
2460 if (mask == 0 || unmapped) {
2461 *working_mode = unmapped;
2462 return (unmapped ? SET_ERROR(EPERM) : 0);
2463 }
2464
2465 #if (defined(HAVE_IOPS_PERMISSION_USERNS) || \
2466 defined(HAVE_IOPS_PERMISSION_IDMAP))
2467 err = generic_permission(mnt_ns, ZTOI(zp), mask);
2468 #else
2469 err = generic_permission(ZTOI(zp), mask);
2470 #endif
2471 if (err != 0) {
2472 return (SET_ERROR(EPERM));
2473 }
2474
2475 *working_mode = unmapped;
2476
2477 return (0);
2478 }
2479
2480 static int
2481 zfs_zaccess_common(znode_t *zp, uint32_t v4_mode, uint32_t *working_mode,
2482 boolean_t *check_privs, boolean_t skipaclchk, cred_t *cr, zidmap_t *mnt_ns)
2483 {
2484 zfsvfs_t *zfsvfs = ZTOZSB(zp);
2485 int err;
2486
2487 *working_mode = v4_mode;
2488 *check_privs = B_TRUE;
2489
2490 /*
2491 * Short circuit empty requests
2492 */
2493 if (v4_mode == 0 || zfsvfs->z_replay) {
2494 *working_mode = 0;
2495 return (0);
2496 }
2497
2498 if ((err = zfs_zaccess_dataset_check(zp, v4_mode)) != 0) {
2499 *check_privs = B_FALSE;
2500 return (err);
2501 }
2502
2503 /*
2504 * The caller requested that the ACL check be skipped. This
2505 * would only happen if the caller checked VOP_ACCESS() with a
2506 * 32 bit ACE mask and already had the appropriate permissions.
2507 */
2508 if (skipaclchk) {
2509 *working_mode = 0;
2510 return (0);
2511 }
2512
2513 /*
2514 * Note: ZFS_READONLY represents the "DOS R/O" attribute.
2515 * When that flag is set, we should behave as if write access
2516 * were not granted by anything in the ACL. In particular:
2517 * We _must_ allow writes after opening the file r/w, then
2518 * setting the DOS R/O attribute, and writing some more.
2519 * (Similar to how you can write after fchmod(fd, 0444).)
2520 *
2521 * Therefore ZFS_READONLY is ignored in the dataset check
2522 * above, and checked here as if part of the ACL check.
2523 * Also note: DOS R/O is ignored for directories.
2524 */
2525 if ((v4_mode & WRITE_MASK_DATA) &&
2526 S_ISDIR(ZTOI(zp)->i_mode) &&
2527 (zp->z_pflags & ZFS_READONLY)) {
2528 return (SET_ERROR(EPERM));
2529 }
2530
2531 if (zp->z_pflags & ZFS_ACL_TRIVIAL)
2532 return (zfs_zaccess_trivial(zp, working_mode, cr, mnt_ns));
2533
2534 return (zfs_zaccess_aces_check(zp, working_mode, B_FALSE, cr, mnt_ns));
2535 }
2536
2537 static int
2538 zfs_zaccess_append(znode_t *zp, uint32_t *working_mode, boolean_t *check_privs,
2539 cred_t *cr, zidmap_t *mnt_ns)
2540 {
2541 if (*working_mode != ACE_WRITE_DATA)
2542 return (SET_ERROR(EACCES));
2543
2544 return (zfs_zaccess_common(zp, ACE_APPEND_DATA, working_mode,
2545 check_privs, B_FALSE, cr, mnt_ns));
2546 }
2547
2548 int
2549 zfs_fastaccesschk_execute(znode_t *zdp, cred_t *cr)
2550 {
2551 boolean_t owner = B_FALSE;
2552 boolean_t groupmbr = B_FALSE;
2553 boolean_t is_attr;
2554 uid_t uid = crgetuid(cr);
2555 int error;
2556
2557 if (zdp->z_pflags & ZFS_AV_QUARANTINED)
2558 return (SET_ERROR(EACCES));
2559
2560 is_attr = ((zdp->z_pflags & ZFS_XATTR) &&
2561 (S_ISDIR(ZTOI(zdp)->i_mode)));
2562 if (is_attr)
2563 goto slow;
2564
2565
2566 mutex_enter(&zdp->z_acl_lock);
2567
2568 if (zdp->z_pflags & ZFS_NO_EXECS_DENIED) {
2569 mutex_exit(&zdp->z_acl_lock);
2570 return (0);
2571 }
2572
2573 if (KUID_TO_SUID(ZTOI(zdp)->i_uid) != 0 ||
2574 KGID_TO_SGID(ZTOI(zdp)->i_gid) != 0) {
2575 mutex_exit(&zdp->z_acl_lock);
2576 goto slow;
2577 }
2578
2579 if (uid == KUID_TO_SUID(ZTOI(zdp)->i_uid)) {
2580 if (zdp->z_mode & S_IXUSR) {
2581 mutex_exit(&zdp->z_acl_lock);
2582 return (0);
2583 } else {
2584 mutex_exit(&zdp->z_acl_lock);
2585 goto slow;
2586 }
2587 }
2588 if (groupmember(KGID_TO_SGID(ZTOI(zdp)->i_gid), cr)) {
2589 if (zdp->z_mode & S_IXGRP) {
2590 mutex_exit(&zdp->z_acl_lock);
2591 return (0);
2592 } else {
2593 mutex_exit(&zdp->z_acl_lock);
2594 goto slow;
2595 }
2596 }
2597 if (!owner && !groupmbr) {
2598 if (zdp->z_mode & S_IXOTH) {
2599 mutex_exit(&zdp->z_acl_lock);
2600 return (0);
2601 }
2602 }
2603
2604 mutex_exit(&zdp->z_acl_lock);
2605
2606 slow:
2607 DTRACE_PROBE(zfs__fastpath__execute__access__miss);
2608 if ((error = zfs_enter(ZTOZSB(zdp), FTAG)) != 0)
2609 return (error);
2610 error = zfs_zaccess(zdp, ACE_EXECUTE, 0, B_FALSE, cr,
2611 zfs_init_idmap);
2612 zfs_exit(ZTOZSB(zdp), FTAG);
2613 return (error);
2614 }
2615
2616 /*
2617 * Determine whether Access should be granted/denied.
2618 *
2619 * The least priv subsystem is always consulted as a basic privilege
2620 * can define any form of access.
2621 */
2622 int
2623 zfs_zaccess(znode_t *zp, int mode, int flags, boolean_t skipaclchk, cred_t *cr,
2624 zidmap_t *mnt_ns)
2625 {
2626 uint32_t working_mode;
2627 int error;
2628 int is_attr;
2629 boolean_t check_privs;
2630 znode_t *xzp;
2631 znode_t *check_zp = zp;
2632 mode_t needed_bits;
2633 uid_t owner;
2634
2635 is_attr = ((zp->z_pflags & ZFS_XATTR) && S_ISDIR(ZTOI(zp)->i_mode));
2636
2637 /*
2638 * If attribute then validate against base file
2639 */
2640 if (is_attr) {
2641 if ((error = zfs_zget(ZTOZSB(zp),
2642 zp->z_xattr_parent, &xzp)) != 0) {
2643 return (error);
2644 }
2645
2646 check_zp = xzp;
2647
2648 /*
2649 * fixup mode to map to xattr perms
2650 */
2651
2652 if (mode & (ACE_WRITE_DATA|ACE_APPEND_DATA)) {
2653 mode &= ~(ACE_WRITE_DATA|ACE_APPEND_DATA);
2654 mode |= ACE_WRITE_NAMED_ATTRS;
2655 }
2656
2657 if (mode & (ACE_READ_DATA|ACE_EXECUTE)) {
2658 mode &= ~(ACE_READ_DATA|ACE_EXECUTE);
2659 mode |= ACE_READ_NAMED_ATTRS;
2660 }
2661 }
2662
2663 owner = zfs_uid_to_vfsuid(mnt_ns, zfs_i_user_ns(ZTOI(zp)),
2664 KUID_TO_SUID(ZTOI(zp)->i_uid));
2665 owner = zfs_fuid_map_id(ZTOZSB(zp), owner, cr, ZFS_OWNER);
2666
2667 /*
2668 * Map the bits required to the standard inode flags
2669 * S_IRUSR|S_IWUSR|S_IXUSR in the needed_bits. Map the bits
2670 * mapped by working_mode (currently missing) in missing_bits.
2671 * Call secpolicy_vnode_access2() with (needed_bits & ~checkmode),
2672 * needed_bits.
2673 */
2674 needed_bits = 0;
2675
2676 working_mode = mode;
2677 if ((working_mode & (ACE_READ_ACL|ACE_READ_ATTRIBUTES)) &&
2678 owner == crgetuid(cr))
2679 working_mode &= ~(ACE_READ_ACL|ACE_READ_ATTRIBUTES);
2680
2681 if (working_mode & (ACE_READ_DATA|ACE_READ_NAMED_ATTRS|
2682 ACE_READ_ACL|ACE_READ_ATTRIBUTES|ACE_SYNCHRONIZE))
2683 needed_bits |= S_IRUSR;
2684 if (working_mode & (ACE_WRITE_DATA|ACE_WRITE_NAMED_ATTRS|
2685 ACE_APPEND_DATA|ACE_WRITE_ATTRIBUTES|ACE_SYNCHRONIZE))
2686 needed_bits |= S_IWUSR;
2687 if (working_mode & ACE_EXECUTE)
2688 needed_bits |= S_IXUSR;
2689
2690 if ((error = zfs_zaccess_common(check_zp, mode, &working_mode,
2691 &check_privs, skipaclchk, cr, mnt_ns)) == 0) {
2692 if (is_attr)
2693 zrele(xzp);
2694 return (secpolicy_vnode_access2(cr, ZTOI(zp), owner,
2695 needed_bits, needed_bits));
2696 }
2697
2698 if (error && !check_privs) {
2699 if (is_attr)
2700 zrele(xzp);
2701 return (error);
2702 }
2703
2704 if (error && (flags & V_APPEND)) {
2705 error = zfs_zaccess_append(zp, &working_mode, &check_privs, cr,
2706 mnt_ns);
2707 }
2708
2709 if (error && check_privs) {
2710 mode_t checkmode = 0;
2711
2712 /*
2713 * First check for implicit owner permission on
2714 * read_acl/read_attributes
2715 */
2716
2717 ASSERT(working_mode != 0);
2718
2719 if ((working_mode & (ACE_READ_ACL|ACE_READ_ATTRIBUTES) &&
2720 owner == crgetuid(cr)))
2721 working_mode &= ~(ACE_READ_ACL|ACE_READ_ATTRIBUTES);
2722
2723 if (working_mode & (ACE_READ_DATA|ACE_READ_NAMED_ATTRS|
2724 ACE_READ_ACL|ACE_READ_ATTRIBUTES|ACE_SYNCHRONIZE))
2725 checkmode |= S_IRUSR;
2726 if (working_mode & (ACE_WRITE_DATA|ACE_WRITE_NAMED_ATTRS|
2727 ACE_APPEND_DATA|ACE_WRITE_ATTRIBUTES|ACE_SYNCHRONIZE))
2728 checkmode |= S_IWUSR;
2729 if (working_mode & ACE_EXECUTE)
2730 checkmode |= S_IXUSR;
2731
2732 error = secpolicy_vnode_access2(cr, ZTOI(check_zp), owner,
2733 needed_bits & ~checkmode, needed_bits);
2734
2735 if (error == 0 && (working_mode & ACE_WRITE_OWNER))
2736 error = secpolicy_vnode_chown(cr, owner);
2737 if (error == 0 && (working_mode & ACE_WRITE_ACL))
2738 error = secpolicy_vnode_setdac(cr, owner);
2739
2740 if (error == 0 && (working_mode &
2741 (ACE_DELETE|ACE_DELETE_CHILD)))
2742 error = secpolicy_vnode_remove(cr);
2743
2744 if (error == 0 && (working_mode & ACE_SYNCHRONIZE)) {
2745 error = secpolicy_vnode_chown(cr, owner);
2746 }
2747 if (error == 0) {
2748 /*
2749 * See if any bits other than those already checked
2750 * for are still present. If so then return EACCES
2751 */
2752 if (working_mode & ~(ZFS_CHECKED_MASKS)) {
2753 error = SET_ERROR(EACCES);
2754 }
2755 }
2756 } else if (error == 0) {
2757 error = secpolicy_vnode_access2(cr, ZTOI(zp), owner,
2758 needed_bits, needed_bits);
2759 }
2760
2761 if (is_attr)
2762 zrele(xzp);
2763
2764 return (error);
2765 }
2766
2767 /*
2768 * Translate traditional unix S_IRUSR/S_IWUSR/S_IXUSR mode into
2769 * NFSv4-style ZFS ACL format and call zfs_zaccess()
2770 */
2771 int
2772 zfs_zaccess_rwx(znode_t *zp, mode_t mode, int flags, cred_t *cr,
2773 zidmap_t *mnt_ns)
2774 {
2775 return (zfs_zaccess(zp, zfs_unix_to_v4(mode >> 6), flags, B_FALSE, cr,
2776 mnt_ns));
2777 }
2778
2779 /*
2780 * Access function for secpolicy_vnode_setattr
2781 */
2782 int
2783 zfs_zaccess_unix(void *zp, int mode, cred_t *cr)
2784 {
2785 int v4_mode = zfs_unix_to_v4(mode >> 6);
2786
2787 return (zfs_zaccess(zp, v4_mode, 0, B_FALSE, cr, zfs_init_idmap));
2788 }
2789
2790 /* See zfs_zaccess_delete() */
2791 static const boolean_t zfs_write_implies_delete_child = B_TRUE;
2792
2793 /*
2794 * Determine whether delete access should be granted.
2795 *
2796 * The following chart outlines how we handle delete permissions which is
2797 * how recent versions of windows (Windows 2008) handles it. The efficiency
2798 * comes from not having to check the parent ACL where the object itself grants
2799 * delete:
2800 *
2801 * -------------------------------------------------------
2802 * | Parent Dir | Target Object Permissions |
2803 * | permissions | |
2804 * -------------------------------------------------------
2805 * | | ACL Allows | ACL Denies| Delete |
2806 * | | Delete | Delete | unspecified|
2807 * -------------------------------------------------------
2808 * | ACL Allows | Permit | Deny * | Permit |
2809 * | DELETE_CHILD | | | |
2810 * -------------------------------------------------------
2811 * | ACL Denies | Permit | Deny | Deny |
2812 * | DELETE_CHILD | | | |
2813 * -------------------------------------------------------
2814 * | ACL specifies | | | |
2815 * | only allow | Permit | Deny * | Permit |
2816 * | write and | | | |
2817 * | execute | | | |
2818 * -------------------------------------------------------
2819 * | ACL denies | | | |
2820 * | write and | Permit | Deny | Deny |
2821 * | execute | | | |
2822 * -------------------------------------------------------
2823 * ^
2824 * |
2825 * Re. execute permission on the directory: if that's missing,
2826 * the vnode lookup of the target will fail before we get here.
2827 *
2828 * Re [*] in the table above: NFSv4 would normally Permit delete for
2829 * these two cells of the matrix.
2830 * See acl.h for notes on which ACE_... flags should be checked for which
2831 * operations. Specifically, the NFSv4 committee recommendation is in
2832 * conflict with the Windows interpretation of DENY ACEs, where DENY ACEs
2833 * should take precedence ahead of ALLOW ACEs.
2834 *
2835 * This implementation always consults the target object's ACL first.
2836 * If a DENY ACE is present on the target object that specifies ACE_DELETE,
2837 * delete access is denied. If an ALLOW ACE with ACE_DELETE is present on
2838 * the target object, access is allowed. If and only if no entries with
2839 * ACE_DELETE are present in the object's ACL, check the container's ACL
2840 * for entries with ACE_DELETE_CHILD.
2841 *
2842 * A summary of the logic implemented from the table above is as follows:
2843 *
2844 * First check for DENY ACEs that apply.
2845 * If either target or container has a deny, EACCES.
2846 *
2847 * Delete access can then be summarized as follows:
2848 * 1: The object to be deleted grants ACE_DELETE, or
2849 * 2: The containing directory grants ACE_DELETE_CHILD.
2850 * In a Windows system, that would be the end of the story.
2851 * In this system, (2) has some complications...
2852 * 2a: "sticky" bit on a directory adds restrictions, and
2853 * 2b: existing ACEs from previous versions of ZFS may
2854 * not carry ACE_DELETE_CHILD where they should, so we
2855 * also allow delete when ACE_WRITE_DATA is granted.
2856 *
2857 * Note: 2b is technically a work-around for a prior bug,
2858 * which hopefully can go away some day. For those who
2859 * no longer need the work around, and for testing, this
2860 * work-around is made conditional via the tunable:
2861 * zfs_write_implies_delete_child
2862 */
2863 int
2864 zfs_zaccess_delete(znode_t *dzp, znode_t *zp, cred_t *cr, zidmap_t *mnt_ns)
2865 {
2866 uint32_t wanted_dirperms;
2867 uint32_t dzp_working_mode = 0;
2868 uint32_t zp_working_mode = 0;
2869 int dzp_error, zp_error;
2870 boolean_t dzpcheck_privs;
2871 boolean_t zpcheck_privs;
2872
2873 if (zp->z_pflags & (ZFS_IMMUTABLE | ZFS_NOUNLINK))
2874 return (SET_ERROR(EPERM));
2875
2876 /*
2877 * Case 1:
2878 * If target object grants ACE_DELETE then we are done. This is
2879 * indicated by a return value of 0. For this case we don't worry
2880 * about the sticky bit because sticky only applies to the parent
2881 * directory and this is the child access result.
2882 *
2883 * If we encounter a DENY ACE here, we're also done (EACCES).
2884 * Note that if we hit a DENY ACE here (on the target) it should
2885 * take precedence over a DENY ACE on the container, so that when
2886 * we have more complete auditing support we will be able to
2887 * report an access failure against the specific target.
2888 * (This is part of why we're checking the target first.)
2889 */
2890 zp_error = zfs_zaccess_common(zp, ACE_DELETE, &zp_working_mode,
2891 &zpcheck_privs, B_FALSE, cr, mnt_ns);
2892 if (zp_error == EACCES) {
2893 /* We hit a DENY ACE. */
2894 if (!zpcheck_privs)
2895 return (SET_ERROR(zp_error));
2896 return (secpolicy_vnode_remove(cr));
2897
2898 }
2899 if (zp_error == 0)
2900 return (0);
2901
2902 /*
2903 * Case 2:
2904 * If the containing directory grants ACE_DELETE_CHILD,
2905 * or we're in backward compatibility mode and the
2906 * containing directory has ACE_WRITE_DATA, allow.
2907 * Case 2b is handled with wanted_dirperms.
2908 */
2909 wanted_dirperms = ACE_DELETE_CHILD;
2910 if (zfs_write_implies_delete_child)
2911 wanted_dirperms |= ACE_WRITE_DATA;
2912 dzp_error = zfs_zaccess_common(dzp, wanted_dirperms,
2913 &dzp_working_mode, &dzpcheck_privs, B_FALSE, cr, mnt_ns);
2914 if (dzp_error == EACCES) {
2915 /* We hit a DENY ACE. */
2916 if (!dzpcheck_privs)
2917 return (SET_ERROR(dzp_error));
2918 return (secpolicy_vnode_remove(cr));
2919 }
2920
2921 /*
2922 * Cases 2a, 2b (continued)
2923 *
2924 * Note: dzp_working_mode now contains any permissions
2925 * that were NOT granted. Therefore, if any of the
2926 * wanted_dirperms WERE granted, we will have:
2927 * dzp_working_mode != wanted_dirperms
2928 * We're really asking if ANY of those permissions
2929 * were granted, and if so, grant delete access.
2930 */
2931 if (dzp_working_mode != wanted_dirperms)
2932 dzp_error = 0;
2933
2934 /*
2935 * dzp_error is 0 if the container granted us permissions to "modify".
2936 * If we do not have permission via one or more ACEs, our current
2937 * privileges may still permit us to modify the container.
2938 *
2939 * dzpcheck_privs is false when i.e. the FS is read-only.
2940 * Otherwise, do privilege checks for the container.
2941 */
2942 if (dzp_error != 0 && dzpcheck_privs) {
2943 uid_t owner;
2944
2945 /*
2946 * The secpolicy call needs the requested access and
2947 * the current access mode of the container, but it
2948 * only knows about Unix-style modes (VEXEC, VWRITE),
2949 * so this must condense the fine-grained ACE bits into
2950 * Unix modes.
2951 *
2952 * The VEXEC flag is easy, because we know that has
2953 * always been checked before we get here (during the
2954 * lookup of the target vnode). The container has not
2955 * granted us permissions to "modify", so we do not set
2956 * the VWRITE flag in the current access mode.
2957 */
2958 owner = zfs_fuid_map_id(ZTOZSB(dzp),
2959 KUID_TO_SUID(ZTOI(dzp)->i_uid), cr, ZFS_OWNER);
2960 dzp_error = secpolicy_vnode_access2(cr, ZTOI(dzp),
2961 owner, S_IXUSR, S_IWUSR|S_IXUSR);
2962 }
2963 if (dzp_error != 0) {
2964 /*
2965 * Note: We may have dzp_error = -1 here (from
2966 * zfs_zacess_common). Don't return that.
2967 */
2968 return (SET_ERROR(EACCES));
2969 }
2970
2971
2972 /*
2973 * At this point, we know that the directory permissions allow
2974 * us to modify, but we still need to check for the additional
2975 * restrictions that apply when the "sticky bit" is set.
2976 *
2977 * Yes, zfs_sticky_remove_access() also checks this bit, but
2978 * checking it here and skipping the call below is nice when
2979 * you're watching all of this with dtrace.
2980 */
2981 if ((dzp->z_mode & S_ISVTX) == 0)
2982 return (0);
2983
2984 /*
2985 * zfs_sticky_remove_access will succeed if:
2986 * 1. The sticky bit is absent.
2987 * 2. We pass the sticky bit restrictions.
2988 * 3. We have privileges that always allow file removal.
2989 */
2990 return (zfs_sticky_remove_access(dzp, zp, cr));
2991 }
2992
2993 int
2994 zfs_zaccess_rename(znode_t *sdzp, znode_t *szp, znode_t *tdzp,
2995 znode_t *tzp, cred_t *cr, zidmap_t *mnt_ns)
2996 {
2997 int add_perm;
2998 int error;
2999
3000 if (szp->z_pflags & ZFS_AV_QUARANTINED)
3001 return (SET_ERROR(EACCES));
3002
3003 add_perm = S_ISDIR(ZTOI(szp)->i_mode) ?
3004 ACE_ADD_SUBDIRECTORY : ACE_ADD_FILE;
3005
3006 /*
3007 * Rename permissions are combination of delete permission +
3008 * add file/subdir permission.
3009 */
3010
3011 /*
3012 * first make sure we do the delete portion.
3013 *
3014 * If that succeeds then check for add_file/add_subdir permissions
3015 */
3016
3017 if ((error = zfs_zaccess_delete(sdzp, szp, cr, mnt_ns)))
3018 return (error);
3019
3020 /*
3021 * If we have a tzp, see if we can delete it?
3022 */
3023 if (tzp) {
3024 if ((error = zfs_zaccess_delete(tdzp, tzp, cr, mnt_ns)))
3025 return (error);
3026 }
3027
3028 /*
3029 * Now check for add permissions
3030 */
3031 error = zfs_zaccess(tdzp, add_perm, 0, B_FALSE, cr, mnt_ns);
3032
3033 return (error);
3034 }
OpenZFS on Linux and FreeBSD