search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Fix O_APPEND for Linux 3.15 and older kernels
[zfs.git] / module / os / linux / zfs / zfs_acl.c
blobb70691ab31c12b2843ac666c662cb236b56e7736
1 /*
2 * CDDL HEADER START
3 *
4 * The contents of this file are subject to the terms of the
5 * Common Development and Distribution License (the "License").
6 * You may not use this file except in compliance with the License.
7 *
8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9 * or http://www.opensolaris.org/os/licensing.
10 * See the License for the specific language governing permissions
11 * and limitations under the License.
12 *
13 * When distributing Covered Code, include this CDDL HEADER in each
14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15 * If applicable, add the following below this CDDL HEADER, with the
16 * fields enclosed by brackets "[]" replaced with your own identifying
17 * information: Portions Copyright [yyyy] [name of copyright owner]
18 *
19 * CDDL HEADER END
20 */
21 /*
22 * Copyright (c) 2005, 2010, Oracle and/or its affiliates. All rights reserved.
23 * Copyright (c) 2013 by Delphix. All rights reserved.
24 * Copyright 2014 Nexenta Systems, Inc. All rights reserved.
25 */
26
27
28 #include <sys/types.h>
29 #include <sys/param.h>
30 #include <sys/time.h>
31 #include <sys/sysmacros.h>
32 #include <sys/vfs.h>
33 #include <sys/vnode.h>
34 #include <sys/sid.h>
35 #include <sys/file.h>
36 #include <sys/stat.h>
37 #include <sys/kmem.h>
38 #include <sys/cmn_err.h>
39 #include <sys/errno.h>
40 #include <sys/fs/zfs.h>
41 #include <sys/policy.h>
42 #include <sys/zfs_znode.h>
43 #include <sys/zfs_fuid.h>
44 #include <sys/zfs_acl.h>
45 #include <sys/zfs_dir.h>
46 #include <sys/zfs_quota.h>
47 #include <sys/zfs_vfsops.h>
48 #include <sys/dmu.h>
49 #include <sys/dnode.h>
50 #include <sys/zap.h>
51 #include <sys/sa.h>
52 #include <sys/trace_acl.h>
53 #include <sys/zpl.h>
54
55 #define ALLOW ACE_ACCESS_ALLOWED_ACE_TYPE
56 #define DENY ACE_ACCESS_DENIED_ACE_TYPE
57 #define MAX_ACE_TYPE ACE_SYSTEM_ALARM_CALLBACK_OBJECT_ACE_TYPE
58 #define MIN_ACE_TYPE ALLOW
59
60 #define OWNING_GROUP (ACE_GROUP|ACE_IDENTIFIER_GROUP)
61 #define EVERYONE_ALLOW_MASK (ACE_READ_ACL|ACE_READ_ATTRIBUTES | \
62 ACE_READ_NAMED_ATTRS|ACE_SYNCHRONIZE)
63 #define EVERYONE_DENY_MASK (ACE_WRITE_ACL|ACE_WRITE_OWNER | \
64 ACE_WRITE_ATTRIBUTES|ACE_WRITE_NAMED_ATTRS)
65 #define OWNER_ALLOW_MASK (ACE_WRITE_ACL | ACE_WRITE_OWNER | \
66 ACE_WRITE_ATTRIBUTES|ACE_WRITE_NAMED_ATTRS)
67
68 #define ZFS_CHECKED_MASKS (ACE_READ_ACL|ACE_READ_ATTRIBUTES|ACE_READ_DATA| \
69 ACE_READ_NAMED_ATTRS|ACE_WRITE_DATA|ACE_WRITE_ATTRIBUTES| \
70 ACE_WRITE_NAMED_ATTRS|ACE_APPEND_DATA|ACE_EXECUTE|ACE_WRITE_OWNER| \
71 ACE_WRITE_ACL|ACE_DELETE|ACE_DELETE_CHILD|ACE_SYNCHRONIZE)
72
73 #define WRITE_MASK_DATA (ACE_WRITE_DATA|ACE_APPEND_DATA|ACE_WRITE_NAMED_ATTRS)
74 #define WRITE_MASK_ATTRS (ACE_WRITE_ACL|ACE_WRITE_OWNER|ACE_WRITE_ATTRIBUTES| \
75 ACE_DELETE|ACE_DELETE_CHILD)
76 #define WRITE_MASK (WRITE_MASK_DATA|WRITE_MASK_ATTRS)
77
78 #define OGE_CLEAR (ACE_READ_DATA|ACE_LIST_DIRECTORY|ACE_WRITE_DATA| \
79 ACE_ADD_FILE|ACE_APPEND_DATA|ACE_ADD_SUBDIRECTORY|ACE_EXECUTE)
80
81 #define OKAY_MASK_BITS (ACE_READ_DATA|ACE_LIST_DIRECTORY|ACE_WRITE_DATA| \
82 ACE_ADD_FILE|ACE_APPEND_DATA|ACE_ADD_SUBDIRECTORY|ACE_EXECUTE)
83
84 #define ALL_INHERIT (ACE_FILE_INHERIT_ACE|ACE_DIRECTORY_INHERIT_ACE | \
85 ACE_NO_PROPAGATE_INHERIT_ACE|ACE_INHERIT_ONLY_ACE|ACE_INHERITED_ACE)
86
87 #define RESTRICTED_CLEAR (ACE_WRITE_ACL|ACE_WRITE_OWNER)
88
89 #define V4_ACL_WIDE_FLAGS (ZFS_ACL_AUTO_INHERIT|ZFS_ACL_DEFAULTED|\
90 ZFS_ACL_PROTECTED)
91
92 #define ZFS_ACL_WIDE_FLAGS (V4_ACL_WIDE_FLAGS|ZFS_ACL_TRIVIAL|ZFS_INHERIT_ACE|\
93 ZFS_ACL_OBJ_ACE)
94
95 #define ALL_MODE_EXECS (S_IXUSR | S_IXGRP | S_IXOTH)
96
97 #define IDMAP_WK_CREATOR_OWNER_UID 2147483648U
98
99 static uint16_t
100 zfs_ace_v0_get_type(void *acep)
101 {
102 return (((zfs_oldace_t *)acep)->z_type);
103 }
104
105 static uint16_t
106 zfs_ace_v0_get_flags(void *acep)
107 {
108 return (((zfs_oldace_t *)acep)->z_flags);
109 }
110
111 static uint32_t
112 zfs_ace_v0_get_mask(void *acep)
113 {
114 return (((zfs_oldace_t *)acep)->z_access_mask);
115 }
116
117 static uint64_t
118 zfs_ace_v0_get_who(void *acep)
119 {
120 return (((zfs_oldace_t *)acep)->z_fuid);
121 }
122
123 static void
124 zfs_ace_v0_set_type(void *acep, uint16_t type)
125 {
126 ((zfs_oldace_t *)acep)->z_type = type;
127 }
128
129 static void
130 zfs_ace_v0_set_flags(void *acep, uint16_t flags)
131 {
132 ((zfs_oldace_t *)acep)->z_flags = flags;
133 }
134
135 static void
136 zfs_ace_v0_set_mask(void *acep, uint32_t mask)
137 {
138 ((zfs_oldace_t *)acep)->z_access_mask = mask;
139 }
140
141 static void
142 zfs_ace_v0_set_who(void *acep, uint64_t who)
143 {
144 ((zfs_oldace_t *)acep)->z_fuid = who;
145 }
146
147 static size_t
148 zfs_ace_v0_size(void *acep)
149 {
150 (void) acep;
151 return (sizeof (zfs_oldace_t));
152 }
153
154 static size_t
155 zfs_ace_v0_abstract_size(void)
156 {
157 return (sizeof (zfs_oldace_t));
158 }
159
160 static int
161 zfs_ace_v0_mask_off(void)
162 {
163 return (offsetof(zfs_oldace_t, z_access_mask));
164 }
165
166 static int
167 zfs_ace_v0_data(void *acep, void **datap)
168 {
169 (void) acep;
170 *datap = NULL;
171 return (0);
172 }
173
174 static const acl_ops_t zfs_acl_v0_ops = {
175 .ace_mask_get = zfs_ace_v0_get_mask,
176 .ace_mask_set = zfs_ace_v0_set_mask,
177 .ace_flags_get = zfs_ace_v0_get_flags,
178 .ace_flags_set = zfs_ace_v0_set_flags,
179 .ace_type_get = zfs_ace_v0_get_type,
180 .ace_type_set = zfs_ace_v0_set_type,
181 .ace_who_get = zfs_ace_v0_get_who,
182 .ace_who_set = zfs_ace_v0_set_who,
183 .ace_size = zfs_ace_v0_size,
184 .ace_abstract_size = zfs_ace_v0_abstract_size,
185 .ace_mask_off = zfs_ace_v0_mask_off,
186 .ace_data = zfs_ace_v0_data
187 };
188
189 static uint16_t
190 zfs_ace_fuid_get_type(void *acep)
191 {
192 return (((zfs_ace_hdr_t *)acep)->z_type);
193 }
194
195 static uint16_t
196 zfs_ace_fuid_get_flags(void *acep)
197 {
198 return (((zfs_ace_hdr_t *)acep)->z_flags);
199 }
200
201 static uint32_t
202 zfs_ace_fuid_get_mask(void *acep)
203 {
204 return (((zfs_ace_hdr_t *)acep)->z_access_mask);
205 }
206
207 static uint64_t
208 zfs_ace_fuid_get_who(void *args)
209 {
210 uint16_t entry_type;
211 zfs_ace_t *acep = args;
212
213 entry_type = acep->z_hdr.z_flags & ACE_TYPE_FLAGS;
214
215 if (entry_type == ACE_OWNER || entry_type == OWNING_GROUP ||
216 entry_type == ACE_EVERYONE)
217 return (-1);
218 return (((zfs_ace_t *)acep)->z_fuid);
219 }
220
221 static void
222 zfs_ace_fuid_set_type(void *acep, uint16_t type)
223 {
224 ((zfs_ace_hdr_t *)acep)->z_type = type;
225 }
226
227 static void
228 zfs_ace_fuid_set_flags(void *acep, uint16_t flags)
229 {
230 ((zfs_ace_hdr_t *)acep)->z_flags = flags;
231 }
232
233 static void
234 zfs_ace_fuid_set_mask(void *acep, uint32_t mask)
235 {
236 ((zfs_ace_hdr_t *)acep)->z_access_mask = mask;
237 }
238
239 static void
240 zfs_ace_fuid_set_who(void *arg, uint64_t who)
241 {
242 zfs_ace_t *acep = arg;
243
244 uint16_t entry_type = acep->z_hdr.z_flags & ACE_TYPE_FLAGS;
245
246 if (entry_type == ACE_OWNER || entry_type == OWNING_GROUP ||
247 entry_type == ACE_EVERYONE)
248 return;
249 acep->z_fuid = who;
250 }
251
252 static size_t
253 zfs_ace_fuid_size(void *acep)
254 {
255 zfs_ace_hdr_t *zacep = acep;
256 uint16_t entry_type;
257
258 switch (zacep->z_type) {
259 case ACE_ACCESS_ALLOWED_OBJECT_ACE_TYPE:
260 case ACE_ACCESS_DENIED_OBJECT_ACE_TYPE:
261 case ACE_SYSTEM_AUDIT_OBJECT_ACE_TYPE:
262 case ACE_SYSTEM_ALARM_OBJECT_ACE_TYPE:
263 return (sizeof (zfs_object_ace_t));
264 case ALLOW:
265 case DENY:
266 entry_type =
267 (((zfs_ace_hdr_t *)acep)->z_flags & ACE_TYPE_FLAGS);
268 if (entry_type == ACE_OWNER ||
269 entry_type == OWNING_GROUP ||
270 entry_type == ACE_EVERYONE)
271 return (sizeof (zfs_ace_hdr_t));
272 zfs_fallthrough;
273 default:
274 return (sizeof (zfs_ace_t));
275 }
276 }
277
278 static size_t
279 zfs_ace_fuid_abstract_size(void)
280 {
281 return (sizeof (zfs_ace_hdr_t));
282 }
283
284 static int
285 zfs_ace_fuid_mask_off(void)
286 {
287 return (offsetof(zfs_ace_hdr_t, z_access_mask));
288 }
289
290 static int
291 zfs_ace_fuid_data(void *acep, void **datap)
292 {
293 zfs_ace_t *zacep = acep;
294 zfs_object_ace_t *zobjp;
295
296 switch (zacep->z_hdr.z_type) {
297 case ACE_ACCESS_ALLOWED_OBJECT_ACE_TYPE:
298 case ACE_ACCESS_DENIED_OBJECT_ACE_TYPE:
299 case ACE_SYSTEM_AUDIT_OBJECT_ACE_TYPE:
300 case ACE_SYSTEM_ALARM_OBJECT_ACE_TYPE:
301 zobjp = acep;
302 *datap = (caddr_t)zobjp + sizeof (zfs_ace_t);
303 return (sizeof (zfs_object_ace_t) - sizeof (zfs_ace_t));
304 default:
305 *datap = NULL;
306 return (0);
307 }
308 }
309
310 static const acl_ops_t zfs_acl_fuid_ops = {
311 .ace_mask_get = zfs_ace_fuid_get_mask,
312 .ace_mask_set = zfs_ace_fuid_set_mask,
313 .ace_flags_get = zfs_ace_fuid_get_flags,
314 .ace_flags_set = zfs_ace_fuid_set_flags,
315 .ace_type_get = zfs_ace_fuid_get_type,
316 .ace_type_set = zfs_ace_fuid_set_type,
317 .ace_who_get = zfs_ace_fuid_get_who,
318 .ace_who_set = zfs_ace_fuid_set_who,
319 .ace_size = zfs_ace_fuid_size,
320 .ace_abstract_size = zfs_ace_fuid_abstract_size,
321 .ace_mask_off = zfs_ace_fuid_mask_off,
322 .ace_data = zfs_ace_fuid_data
323 };
324
325 /*
326 * The following three functions are provided for compatibility with
327 * older ZPL version in order to determine if the file use to have
328 * an external ACL and what version of ACL previously existed on the
329 * file. Would really be nice to not need this, sigh.
330 */
331 uint64_t
332 zfs_external_acl(znode_t *zp)
333 {
334 zfs_acl_phys_t acl_phys;
335 int error;
336
337 if (zp->z_is_sa)
338 return (0);
339
340 /*
341 * Need to deal with a potential
342 * race where zfs_sa_upgrade could cause
343 * z_isa_sa to change.
344 *
345 * If the lookup fails then the state of z_is_sa should have
346 * changed.
347 */
348
349 if ((error = sa_lookup(zp->z_sa_hdl, SA_ZPL_ZNODE_ACL(ZTOZSB(zp)),
350 &acl_phys, sizeof (acl_phys))) == 0)
351 return (acl_phys.z_acl_extern_obj);
352 else {
353 /*
354 * after upgrade the SA_ZPL_ZNODE_ACL should have been
355 * removed
356 */
357 VERIFY(zp->z_is_sa && error == ENOENT);
358 return (0);
359 }
360 }
361
362 /*
363 * Determine size of ACL in bytes
364 *
365 * This is more complicated than it should be since we have to deal
366 * with old external ACLs.
367 */
368 static int
369 zfs_acl_znode_info(znode_t *zp, int *aclsize, int *aclcount,
370 zfs_acl_phys_t *aclphys)
371 {
372 zfsvfs_t *zfsvfs = ZTOZSB(zp);
373 uint64_t acl_count;
374 int size;
375 int error;
376
377 ASSERT(MUTEX_HELD(&zp->z_acl_lock));
378 if (zp->z_is_sa) {
379 if ((error = sa_size(zp->z_sa_hdl, SA_ZPL_DACL_ACES(zfsvfs),
380 &size)) != 0)
381 return (error);
382 *aclsize = size;
383 if ((error = sa_lookup(zp->z_sa_hdl, SA_ZPL_DACL_COUNT(zfsvfs),
384 &acl_count, sizeof (acl_count))) != 0)
385 return (error);
386 *aclcount = acl_count;
387 } else {
388 if ((error = sa_lookup(zp->z_sa_hdl, SA_ZPL_ZNODE_ACL(zfsvfs),
389 aclphys, sizeof (*aclphys))) != 0)
390 return (error);
391
392 if (aclphys->z_acl_version == ZFS_ACL_VERSION_INITIAL) {
393 *aclsize = ZFS_ACL_SIZE(aclphys->z_acl_size);
394 *aclcount = aclphys->z_acl_size;
395 } else {
396 *aclsize = aclphys->z_acl_size;
397 *aclcount = aclphys->z_acl_count;
398 }
399 }
400 return (0);
401 }
402
403 int
404 zfs_znode_acl_version(znode_t *zp)
405 {
406 zfs_acl_phys_t acl_phys;
407
408 if (zp->z_is_sa)
409 return (ZFS_ACL_VERSION_FUID);
410 else {
411 int error;
412
413 /*
414 * Need to deal with a potential
415 * race where zfs_sa_upgrade could cause
416 * z_isa_sa to change.
417 *
418 * If the lookup fails then the state of z_is_sa should have
419 * changed.
420 */
421 if ((error = sa_lookup(zp->z_sa_hdl,
422 SA_ZPL_ZNODE_ACL(ZTOZSB(zp)),
423 &acl_phys, sizeof (acl_phys))) == 0)
424 return (acl_phys.z_acl_version);
425 else {
426 /*
427 * After upgrade SA_ZPL_ZNODE_ACL should have
428 * been removed.
429 */
430 VERIFY(zp->z_is_sa && error == ENOENT);
431 return (ZFS_ACL_VERSION_FUID);
432 }
433 }
434 }
435
436 static int
437 zfs_acl_version(int version)
438 {
439 if (version < ZPL_VERSION_FUID)
440 return (ZFS_ACL_VERSION_INITIAL);
441 else
442 return (ZFS_ACL_VERSION_FUID);
443 }
444
445 static int
446 zfs_acl_version_zp(znode_t *zp)
447 {
448 return (zfs_acl_version(ZTOZSB(zp)->z_version));
449 }
450
451 zfs_acl_t *
452 zfs_acl_alloc(int vers)
453 {
454 zfs_acl_t *aclp;
455
456 aclp = kmem_zalloc(sizeof (zfs_acl_t), KM_SLEEP);
457 list_create(&aclp->z_acl, sizeof (zfs_acl_node_t),
458 offsetof(zfs_acl_node_t, z_next));
459 aclp->z_version = vers;
460 if (vers == ZFS_ACL_VERSION_FUID)
461 aclp->z_ops = &zfs_acl_fuid_ops;
462 else
463 aclp->z_ops = &zfs_acl_v0_ops;
464 return (aclp);
465 }
466
467 zfs_acl_node_t *
468 zfs_acl_node_alloc(size_t bytes)
469 {
470 zfs_acl_node_t *aclnode;
471
472 aclnode = kmem_zalloc(sizeof (zfs_acl_node_t), KM_SLEEP);
473 if (bytes) {
474 aclnode->z_acldata = kmem_alloc(bytes, KM_SLEEP);
475 aclnode->z_allocdata = aclnode->z_acldata;
476 aclnode->z_allocsize = bytes;
477 aclnode->z_size = bytes;
478 }
479
480 return (aclnode);
481 }
482
483 static void
484 zfs_acl_node_free(zfs_acl_node_t *aclnode)
485 {
486 if (aclnode->z_allocsize)
487 kmem_free(aclnode->z_allocdata, aclnode->z_allocsize);
488 kmem_free(aclnode, sizeof (zfs_acl_node_t));
489 }
490
491 static void
492 zfs_acl_release_nodes(zfs_acl_t *aclp)
493 {
494 zfs_acl_node_t *aclnode;
495
496 while ((aclnode = list_head(&aclp->z_acl))) {
497 list_remove(&aclp->z_acl, aclnode);
498 zfs_acl_node_free(aclnode);
499 }
500 aclp->z_acl_count = 0;
501 aclp->z_acl_bytes = 0;
502 }
503
504 void
505 zfs_acl_free(zfs_acl_t *aclp)
506 {
507 zfs_acl_release_nodes(aclp);
508 list_destroy(&aclp->z_acl);
509 kmem_free(aclp, sizeof (zfs_acl_t));
510 }
511
512 static boolean_t
513 zfs_acl_valid_ace_type(uint_t type, uint_t flags)
514 {
515 uint16_t entry_type;
516
517 switch (type) {
518 case ALLOW:
519 case DENY:
520 case ACE_SYSTEM_AUDIT_ACE_TYPE:
521 case ACE_SYSTEM_ALARM_ACE_TYPE:
522 entry_type = flags & ACE_TYPE_FLAGS;
523 return (entry_type == ACE_OWNER ||
524 entry_type == OWNING_GROUP ||
525 entry_type == ACE_EVERYONE || entry_type == 0 ||
526 entry_type == ACE_IDENTIFIER_GROUP);
527 default:
528 if (type >= MIN_ACE_TYPE && type <= MAX_ACE_TYPE)
529 return (B_TRUE);
530 }
531 return (B_FALSE);
532 }
533
534 static boolean_t
535 zfs_ace_valid(umode_t obj_mode, zfs_acl_t *aclp, uint16_t type, uint16_t iflags)
536 {
537 /*
538 * first check type of entry
539 */
540
541 if (!zfs_acl_valid_ace_type(type, iflags))
542 return (B_FALSE);
543
544 switch (type) {
545 case ACE_ACCESS_ALLOWED_OBJECT_ACE_TYPE:
546 case ACE_ACCESS_DENIED_OBJECT_ACE_TYPE:
547 case ACE_SYSTEM_AUDIT_OBJECT_ACE_TYPE:
548 case ACE_SYSTEM_ALARM_OBJECT_ACE_TYPE:
549 if (aclp->z_version < ZFS_ACL_VERSION_FUID)
550 return (B_FALSE);
551 aclp->z_hints |= ZFS_ACL_OBJ_ACE;
552 }
553
554 /*
555 * next check inheritance level flags
556 */
557
558 if (S_ISDIR(obj_mode) &&
559 (iflags & (ACE_FILE_INHERIT_ACE|ACE_DIRECTORY_INHERIT_ACE)))
560 aclp->z_hints |= ZFS_INHERIT_ACE;
561
562 if (iflags & (ACE_INHERIT_ONLY_ACE|ACE_NO_PROPAGATE_INHERIT_ACE)) {
563 if ((iflags & (ACE_FILE_INHERIT_ACE|
564 ACE_DIRECTORY_INHERIT_ACE)) == 0) {
565 return (B_FALSE);
566 }
567 }
568
569 return (B_TRUE);
570 }
571
572 static void *
573 zfs_acl_next_ace(zfs_acl_t *aclp, void *start, uint64_t *who,
574 uint32_t *access_mask, uint16_t *iflags, uint16_t *type)
575 {
576 zfs_acl_node_t *aclnode;
577
578 ASSERT(aclp);
579
580 if (start == NULL) {
581 aclnode = list_head(&aclp->z_acl);
582 if (aclnode == NULL)
583 return (NULL);
584
585 aclp->z_next_ace = aclnode->z_acldata;
586 aclp->z_curr_node = aclnode;
587 aclnode->z_ace_idx = 0;
588 }
589
590 aclnode = aclp->z_curr_node;
591
592 if (aclnode == NULL)
593 return (NULL);
594
595 if (aclnode->z_ace_idx >= aclnode->z_ace_count) {
596 aclnode = list_next(&aclp->z_acl, aclnode);
597 if (aclnode == NULL)
598 return (NULL);
599 else {
600 aclp->z_curr_node = aclnode;
601 aclnode->z_ace_idx = 0;
602 aclp->z_next_ace = aclnode->z_acldata;
603 }
604 }
605
606 if (aclnode->z_ace_idx < aclnode->z_ace_count) {
607 void *acep = aclp->z_next_ace;
608 size_t ace_size;
609
610 /*
611 * Make sure we don't overstep our bounds
612 */
613 ace_size = aclp->z_ops->ace_size(acep);
614
615 if (((caddr_t)acep + ace_size) >
616 ((caddr_t)aclnode->z_acldata + aclnode->z_size)) {
617 return (NULL);
618 }
619
620 *iflags = aclp->z_ops->ace_flags_get(acep);
621 *type = aclp->z_ops->ace_type_get(acep);
622 *access_mask = aclp->z_ops->ace_mask_get(acep);
623 *who = aclp->z_ops->ace_who_get(acep);
624 aclp->z_next_ace = (caddr_t)aclp->z_next_ace + ace_size;
625 aclnode->z_ace_idx++;
626
627 return ((void *)acep);
628 }
629 return (NULL);
630 }
631
632 static uint64_t
633 zfs_ace_walk(void *datap, uint64_t cookie, int aclcnt,
634 uint16_t *flags, uint16_t *type, uint32_t *mask)
635 {
636 (void) aclcnt;
637 zfs_acl_t *aclp = datap;
638 zfs_ace_hdr_t *acep = (zfs_ace_hdr_t *)(uintptr_t)cookie;
639 uint64_t who;
640
641 acep = zfs_acl_next_ace(aclp, acep, &who, mask,
642 flags, type);
643 return ((uint64_t)(uintptr_t)acep);
644 }
645
646 /*
647 * Copy ACE to internal ZFS format.
648 * While processing the ACL each ACE will be validated for correctness.
649 * ACE FUIDs will be created later.
650 */
651 static int
652 zfs_copy_ace_2_fuid(zfsvfs_t *zfsvfs, umode_t obj_mode, zfs_acl_t *aclp,
653 void *datap, zfs_ace_t *z_acl, uint64_t aclcnt, size_t *size,
654 zfs_fuid_info_t **fuidp, cred_t *cr)
655 {
656 int i;
657 uint16_t entry_type;
658 zfs_ace_t *aceptr = z_acl;
659 ace_t *acep = datap;
660 zfs_object_ace_t *zobjacep;
661 ace_object_t *aceobjp;
662
663 for (i = 0; i != aclcnt; i++) {
664 aceptr->z_hdr.z_access_mask = acep->a_access_mask;
665 aceptr->z_hdr.z_flags = acep->a_flags;
666 aceptr->z_hdr.z_type = acep->a_type;
667 entry_type = aceptr->z_hdr.z_flags & ACE_TYPE_FLAGS;
668 if (entry_type != ACE_OWNER && entry_type != OWNING_GROUP &&
669 entry_type != ACE_EVERYONE) {
670 aceptr->z_fuid = zfs_fuid_create(zfsvfs, acep->a_who,
671 cr, (entry_type == 0) ?
672 ZFS_ACE_USER : ZFS_ACE_GROUP, fuidp);
673 }
674
675 /*
676 * Make sure ACE is valid
677 */
678 if (zfs_ace_valid(obj_mode, aclp, aceptr->z_hdr.z_type,
679 aceptr->z_hdr.z_flags) != B_TRUE)
680 return (SET_ERROR(EINVAL));
681
682 switch (acep->a_type) {
683 case ACE_ACCESS_ALLOWED_OBJECT_ACE_TYPE:
684 case ACE_ACCESS_DENIED_OBJECT_ACE_TYPE:
685 case ACE_SYSTEM_AUDIT_OBJECT_ACE_TYPE:
686 case ACE_SYSTEM_ALARM_OBJECT_ACE_TYPE:
687 zobjacep = (zfs_object_ace_t *)aceptr;
688 aceobjp = (ace_object_t *)acep;
689
690 memcpy(zobjacep->z_object_type, aceobjp->a_obj_type,
691 sizeof (aceobjp->a_obj_type));
692 memcpy(zobjacep->z_inherit_type,
693 aceobjp->a_inherit_obj_type,
694 sizeof (aceobjp->a_inherit_obj_type));
695 acep = (ace_t *)((caddr_t)acep + sizeof (ace_object_t));
696 break;
697 default:
698 acep = (ace_t *)((caddr_t)acep + sizeof (ace_t));
699 }
700
701 aceptr = (zfs_ace_t *)((caddr_t)aceptr +
702 aclp->z_ops->ace_size(aceptr));
703 }
704
705 *size = (caddr_t)aceptr - (caddr_t)z_acl;
706
707 return (0);
708 }
709
710 /*
711 * Copy ZFS ACEs to fixed size ace_t layout
712 */
713 static void
714 zfs_copy_fuid_2_ace(zfsvfs_t *zfsvfs, zfs_acl_t *aclp, cred_t *cr,
715 void *datap, int filter)
716 {
717 uint64_t who;
718 uint32_t access_mask;
719 uint16_t iflags, type;
720 zfs_ace_hdr_t *zacep = NULL;
721 ace_t *acep = datap;
722 ace_object_t *objacep;
723 zfs_object_ace_t *zobjacep;
724 size_t ace_size;
725 uint16_t entry_type;
726
727 while ((zacep = zfs_acl_next_ace(aclp, zacep,
728 &who, &access_mask, &iflags, &type))) {
729
730 switch (type) {
731 case ACE_ACCESS_ALLOWED_OBJECT_ACE_TYPE:
732 case ACE_ACCESS_DENIED_OBJECT_ACE_TYPE:
733 case ACE_SYSTEM_AUDIT_OBJECT_ACE_TYPE:
734 case ACE_SYSTEM_ALARM_OBJECT_ACE_TYPE:
735 if (filter) {
736 continue;
737 }
738 zobjacep = (zfs_object_ace_t *)zacep;
739 objacep = (ace_object_t *)acep;
740 memcpy(objacep->a_obj_type,
741 zobjacep->z_object_type,
742 sizeof (zobjacep->z_object_type));
743 memcpy(objacep->a_inherit_obj_type,
744 zobjacep->z_inherit_type,
745 sizeof (zobjacep->z_inherit_type));
746 ace_size = sizeof (ace_object_t);
747 break;
748 default:
749 ace_size = sizeof (ace_t);
750 break;
751 }
752
753 entry_type = (iflags & ACE_TYPE_FLAGS);
754 if ((entry_type != ACE_OWNER &&
755 entry_type != OWNING_GROUP &&
756 entry_type != ACE_EVERYONE)) {
757 acep->a_who = zfs_fuid_map_id(zfsvfs, who,
758 cr, (entry_type & ACE_IDENTIFIER_GROUP) ?
759 ZFS_ACE_GROUP : ZFS_ACE_USER);
760 } else {
761 acep->a_who = (uid_t)(int64_t)who;
762 }
763 acep->a_access_mask = access_mask;
764 acep->a_flags = iflags;
765 acep->a_type = type;
766 acep = (ace_t *)((caddr_t)acep + ace_size);
767 }
768 }
769
770 static int
771 zfs_copy_ace_2_oldace(umode_t obj_mode, zfs_acl_t *aclp, ace_t *acep,
772 zfs_oldace_t *z_acl, int aclcnt, size_t *size)
773 {
774 int i;
775 zfs_oldace_t *aceptr = z_acl;
776
777 for (i = 0; i != aclcnt; i++, aceptr++) {
778 aceptr->z_access_mask = acep[i].a_access_mask;
779 aceptr->z_type = acep[i].a_type;
780 aceptr->z_flags = acep[i].a_flags;
781 aceptr->z_fuid = acep[i].a_who;
782 /*
783 * Make sure ACE is valid
784 */
785 if (zfs_ace_valid(obj_mode, aclp, aceptr->z_type,
786 aceptr->z_flags) != B_TRUE)
787 return (SET_ERROR(EINVAL));
788 }
789 *size = (caddr_t)aceptr - (caddr_t)z_acl;
790 return (0);
791 }
792
793 /*
794 * convert old ACL format to new
795 */
796 void
797 zfs_acl_xform(znode_t *zp, zfs_acl_t *aclp, cred_t *cr)
798 {
799 zfs_oldace_t *oldaclp;
800 int i;
801 uint16_t type, iflags;
802 uint32_t access_mask;
803 uint64_t who;
804 void *cookie = NULL;
805 zfs_acl_node_t *newaclnode;
806
807 ASSERT(aclp->z_version == ZFS_ACL_VERSION_INITIAL);
808 /*
809 * First create the ACE in a contiguous piece of memory
810 * for zfs_copy_ace_2_fuid().
811 *
812 * We only convert an ACL once, so this won't happen
813 * every time.
814 */
815 oldaclp = kmem_alloc(sizeof (zfs_oldace_t) * aclp->z_acl_count,
816 KM_SLEEP);
817 i = 0;
818 while ((cookie = zfs_acl_next_ace(aclp, cookie, &who,
819 &access_mask, &iflags, &type))) {
820 oldaclp[i].z_flags = iflags;
821 oldaclp[i].z_type = type;
822 oldaclp[i].z_fuid = who;
823 oldaclp[i++].z_access_mask = access_mask;
824 }
825
826 newaclnode = zfs_acl_node_alloc(aclp->z_acl_count *
827 sizeof (zfs_object_ace_t));
828 aclp->z_ops = &zfs_acl_fuid_ops;
829 VERIFY(zfs_copy_ace_2_fuid(ZTOZSB(zp), ZTOI(zp)->i_mode,
830 aclp, oldaclp, newaclnode->z_acldata, aclp->z_acl_count,
831 &newaclnode->z_size, NULL, cr) == 0);
832 newaclnode->z_ace_count = aclp->z_acl_count;
833 aclp->z_version = ZFS_ACL_VERSION;
834 kmem_free(oldaclp, aclp->z_acl_count * sizeof (zfs_oldace_t));
835
836 /*
837 * Release all previous ACL nodes
838 */
839
840 zfs_acl_release_nodes(aclp);
841
842 list_insert_head(&aclp->z_acl, newaclnode);
843
844 aclp->z_acl_bytes = newaclnode->z_size;
845 aclp->z_acl_count = newaclnode->z_ace_count;
846
847 }
848
849 /*
850 * Convert unix access mask to v4 access mask
851 */
852 static uint32_t
853 zfs_unix_to_v4(uint32_t access_mask)
854 {
855 uint32_t new_mask = 0;
856
857 if (access_mask & S_IXOTH)
858 new_mask |= ACE_EXECUTE;
859 if (access_mask & S_IWOTH)
860 new_mask |= ACE_WRITE_DATA;
861 if (access_mask & S_IROTH)
862 new_mask |= ACE_READ_DATA;
863 return (new_mask);
864 }
865
866
867 static int
868 zfs_v4_to_unix(uint32_t access_mask, int *unmapped)
869 {
870 int new_mask = 0;
871
872 *unmapped = access_mask &
873 (ACE_WRITE_OWNER | ACE_WRITE_ACL | ACE_DELETE);
874
875 if (access_mask & WRITE_MASK)
876 new_mask |= S_IWOTH;
877 if (access_mask & ACE_READ_DATA)
878 new_mask |= S_IROTH;
879 if (access_mask & ACE_EXECUTE)
880 new_mask |= S_IXOTH;
881
882 return (new_mask);
883 }
884
885
886 static void
887 zfs_set_ace(zfs_acl_t *aclp, void *acep, uint32_t access_mask,
888 uint16_t access_type, uint64_t fuid, uint16_t entry_type)
889 {
890 uint16_t type = entry_type & ACE_TYPE_FLAGS;
891
892 aclp->z_ops->ace_mask_set(acep, access_mask);
893 aclp->z_ops->ace_type_set(acep, access_type);
894 aclp->z_ops->ace_flags_set(acep, entry_type);
895 if ((type != ACE_OWNER && type != OWNING_GROUP &&
896 type != ACE_EVERYONE))
897 aclp->z_ops->ace_who_set(acep, fuid);
898 }
899
900 /*
901 * Determine mode of file based on ACL.
902 */
903 uint64_t
904 zfs_mode_compute(uint64_t fmode, zfs_acl_t *aclp,
905 uint64_t *pflags, uint64_t fuid, uint64_t fgid)
906 {
907 int entry_type;
908 mode_t mode;
909 mode_t seen = 0;
910 zfs_ace_hdr_t *acep = NULL;
911 uint64_t who;
912 uint16_t iflags, type;
913 uint32_t access_mask;
914 boolean_t an_exec_denied = B_FALSE;
915
916 mode = (fmode & (S_IFMT | S_ISUID | S_ISGID | S_ISVTX));
917
918 while ((acep = zfs_acl_next_ace(aclp, acep, &who,
919 &access_mask, &iflags, &type))) {
920
921 if (!zfs_acl_valid_ace_type(type, iflags))
922 continue;
923
924 entry_type = (iflags & ACE_TYPE_FLAGS);
925
926 /*
927 * Skip over any inherit_only ACEs
928 */
929 if (iflags & ACE_INHERIT_ONLY_ACE)
930 continue;
931
932 if (entry_type == ACE_OWNER || (entry_type == 0 &&
933 who == fuid)) {
934 if ((access_mask & ACE_READ_DATA) &&
935 (!(seen & S_IRUSR))) {
936 seen |= S_IRUSR;
937 if (type == ALLOW) {
938 mode |= S_IRUSR;
939 }
940 }
941 if ((access_mask & ACE_WRITE_DATA) &&
942 (!(seen & S_IWUSR))) {
943 seen |= S_IWUSR;
944 if (type == ALLOW) {
945 mode |= S_IWUSR;
946 }
947 }
948 if ((access_mask & ACE_EXECUTE) &&
949 (!(seen & S_IXUSR))) {
950 seen |= S_IXUSR;
951 if (type == ALLOW) {
952 mode |= S_IXUSR;
953 }
954 }
955 } else if (entry_type == OWNING_GROUP ||
956 (entry_type == ACE_IDENTIFIER_GROUP && who == fgid)) {
957 if ((access_mask & ACE_READ_DATA) &&
958 (!(seen & S_IRGRP))) {
959 seen |= S_IRGRP;
960 if (type == ALLOW) {
961 mode |= S_IRGRP;
962 }
963 }
964 if ((access_mask & ACE_WRITE_DATA) &&
965 (!(seen & S_IWGRP))) {
966 seen |= S_IWGRP;
967 if (type == ALLOW) {
968 mode |= S_IWGRP;
969 }
970 }
971 if ((access_mask & ACE_EXECUTE) &&
972 (!(seen & S_IXGRP))) {
973 seen |= S_IXGRP;
974 if (type == ALLOW) {
975 mode |= S_IXGRP;
976 }
977 }
978 } else if (entry_type == ACE_EVERYONE) {
979 if ((access_mask & ACE_READ_DATA)) {
980 if (!(seen & S_IRUSR)) {
981 seen |= S_IRUSR;
982 if (type == ALLOW) {
983 mode |= S_IRUSR;
984 }
985 }
986 if (!(seen & S_IRGRP)) {
987 seen |= S_IRGRP;
988 if (type == ALLOW) {
989 mode |= S_IRGRP;
990 }
991 }
992 if (!(seen & S_IROTH)) {
993 seen |= S_IROTH;
994 if (type == ALLOW) {
995 mode |= S_IROTH;
996 }
997 }
998 }
999 if ((access_mask & ACE_WRITE_DATA)) {
1000 if (!(seen & S_IWUSR)) {
1001 seen |= S_IWUSR;
1002 if (type == ALLOW) {
1003 mode |= S_IWUSR;
1004 }
1005 }
1006 if (!(seen & S_IWGRP)) {
1007 seen |= S_IWGRP;
1008 if (type == ALLOW) {
1009 mode |= S_IWGRP;
1010 }
1011 }
1012 if (!(seen & S_IWOTH)) {
1013 seen |= S_IWOTH;
1014 if (type == ALLOW) {
1015 mode |= S_IWOTH;
1016 }
1017 }
1018 }
1019 if ((access_mask & ACE_EXECUTE)) {
1020 if (!(seen & S_IXUSR)) {
1021 seen |= S_IXUSR;
1022 if (type == ALLOW) {
1023 mode |= S_IXUSR;
1024 }
1025 }
1026 if (!(seen & S_IXGRP)) {
1027 seen |= S_IXGRP;
1028 if (type == ALLOW) {
1029 mode |= S_IXGRP;
1030 }
1031 }
1032 if (!(seen & S_IXOTH)) {
1033 seen |= S_IXOTH;
1034 if (type == ALLOW) {
1035 mode |= S_IXOTH;
1036 }
1037 }
1038 }
1039 } else {
1040 /*
1041 * Only care if this IDENTIFIER_GROUP or
1042 * USER ACE denies execute access to someone,
1043 * mode is not affected
1044 */
1045 if ((access_mask & ACE_EXECUTE) && type == DENY)
1046 an_exec_denied = B_TRUE;
1047 }
1048 }
1049
1050 /*
1051 * Failure to allow is effectively a deny, so execute permission
1052 * is denied if it was never mentioned or if we explicitly
1053 * weren't allowed it.
1054 */
1055 if (!an_exec_denied &&
1056 ((seen & ALL_MODE_EXECS) != ALL_MODE_EXECS ||
1057 (mode & ALL_MODE_EXECS) != ALL_MODE_EXECS))
1058 an_exec_denied = B_TRUE;
1059
1060 if (an_exec_denied)
1061 *pflags &= ~ZFS_NO_EXECS_DENIED;
1062 else
1063 *pflags |= ZFS_NO_EXECS_DENIED;
1064
1065 return (mode);
1066 }
1067
1068 /*
1069 * Read an external acl object. If the intent is to modify, always
1070 * create a new acl and leave any cached acl in place.
1071 */
1072 int
1073 zfs_acl_node_read(struct znode *zp, boolean_t have_lock, zfs_acl_t **aclpp,
1074 boolean_t will_modify)
1075 {
1076 zfs_acl_t *aclp;
1077 int aclsize = 0;
1078 int acl_count = 0;
1079 zfs_acl_node_t *aclnode;
1080 zfs_acl_phys_t znode_acl;
1081 int version;
1082 int error;
1083 boolean_t drop_lock = B_FALSE;
1084
1085 ASSERT(MUTEX_HELD(&zp->z_acl_lock));
1086
1087 if (zp->z_acl_cached && !will_modify) {
1088 *aclpp = zp->z_acl_cached;
1089 return (0);
1090 }
1091
1092 /*
1093 * close race where znode could be upgrade while trying to
1094 * read the znode attributes.
1095 *
1096 * But this could only happen if the file isn't already an SA
1097 * znode
1098 */
1099 if (!zp->z_is_sa && !have_lock) {
1100 mutex_enter(&zp->z_lock);
1101 drop_lock = B_TRUE;
1102 }
1103 version = zfs_znode_acl_version(zp);
1104
1105 if ((error = zfs_acl_znode_info(zp, &aclsize,
1106 &acl_count, &znode_acl)) != 0) {
1107 goto done;
1108 }
1109
1110 aclp = zfs_acl_alloc(version);
1111
1112 aclp->z_acl_count = acl_count;
1113 aclp->z_acl_bytes = aclsize;
1114
1115 aclnode = zfs_acl_node_alloc(aclsize);
1116 aclnode->z_ace_count = aclp->z_acl_count;
1117 aclnode->z_size = aclsize;
1118
1119 if (!zp->z_is_sa) {
1120 if (znode_acl.z_acl_extern_obj) {
1121 error = dmu_read(ZTOZSB(zp)->z_os,
1122 znode_acl.z_acl_extern_obj, 0, aclnode->z_size,
1123 aclnode->z_acldata, DMU_READ_PREFETCH);
1124 } else {
1125 memcpy(aclnode->z_acldata, znode_acl.z_ace_data,
1126 aclnode->z_size);
1127 }
1128 } else {
1129 error = sa_lookup(zp->z_sa_hdl, SA_ZPL_DACL_ACES(ZTOZSB(zp)),
1130 aclnode->z_acldata, aclnode->z_size);
1131 }
1132
1133 if (error != 0) {
1134 zfs_acl_free(aclp);
1135 zfs_acl_node_free(aclnode);
1136 /* convert checksum errors into IO errors */
1137 if (error == ECKSUM)
1138 error = SET_ERROR(EIO);
1139 goto done;
1140 }
1141
1142 list_insert_head(&aclp->z_acl, aclnode);
1143
1144 *aclpp = aclp;
1145 if (!will_modify)
1146 zp->z_acl_cached = aclp;
1147 done:
1148 if (drop_lock)
1149 mutex_exit(&zp->z_lock);
1150 return (error);
1151 }
1152
1153 void
1154 zfs_acl_data_locator(void **dataptr, uint32_t *length, uint32_t buflen,
1155 boolean_t start, void *userdata)
1156 {
1157 (void) buflen;
1158 zfs_acl_locator_cb_t *cb = (zfs_acl_locator_cb_t *)userdata;
1159
1160 if (start) {
1161 cb->cb_acl_node = list_head(&cb->cb_aclp->z_acl);
1162 } else {
1163 cb->cb_acl_node = list_next(&cb->cb_aclp->z_acl,
1164 cb->cb_acl_node);
1165 }
1166 *dataptr = cb->cb_acl_node->z_acldata;
1167 *length = cb->cb_acl_node->z_size;
1168 }
1169
1170 int
1171 zfs_acl_chown_setattr(znode_t *zp)
1172 {
1173 int error;
1174 zfs_acl_t *aclp;
1175
1176 if (ZTOZSB(zp)->z_acl_type == ZFS_ACLTYPE_POSIX)
1177 return (0);
1178
1179 ASSERT(MUTEX_HELD(&zp->z_lock));
1180 ASSERT(MUTEX_HELD(&zp->z_acl_lock));
1181
1182 error = zfs_acl_node_read(zp, B_TRUE, &aclp, B_FALSE);
1183 if (error == 0 && aclp->z_acl_count > 0)
1184 zp->z_mode = ZTOI(zp)->i_mode =
1185 zfs_mode_compute(zp->z_mode, aclp,
1186 &zp->z_pflags, KUID_TO_SUID(ZTOI(zp)->i_uid),
1187 KGID_TO_SGID(ZTOI(zp)->i_gid));
1188
1189 /*
1190 * Some ZFS implementations (ZEVO) create neither a ZNODE_ACL
1191 * nor a DACL_ACES SA in which case ENOENT is returned from
1192 * zfs_acl_node_read() when the SA can't be located.
1193 * Allow chown/chgrp to succeed in these cases rather than
1194 * returning an error that makes no sense in the context of
1195 * the caller.
1196 */
1197 if (error == ENOENT)
1198 return (0);
1199
1200 return (error);
1201 }
1202
1203 typedef struct trivial_acl {
1204 uint32_t allow0; /* allow mask for bits only in owner */
1205 uint32_t deny1; /* deny mask for bits not in owner */
1206 uint32_t deny2; /* deny mask for bits not in group */
1207 uint32_t owner; /* allow mask matching mode */
1208 uint32_t group; /* allow mask matching mode */
1209 uint32_t everyone; /* allow mask matching mode */
1210 } trivial_acl_t;
1211
1212 static void
1213 acl_trivial_access_masks(mode_t mode, boolean_t isdir, trivial_acl_t *masks)
1214 {
1215 uint32_t read_mask = ACE_READ_DATA;
1216 uint32_t write_mask = ACE_WRITE_DATA|ACE_APPEND_DATA;
1217 uint32_t execute_mask = ACE_EXECUTE;
1218
1219 if (isdir)
1220 write_mask |= ACE_DELETE_CHILD;
1221
1222 masks->deny1 = 0;
1223
1224 if (!(mode & S_IRUSR) && (mode & (S_IRGRP|S_IROTH)))
1225 masks->deny1 |= read_mask;
1226 if (!(mode & S_IWUSR) && (mode & (S_IWGRP|S_IWOTH)))
1227 masks->deny1 |= write_mask;
1228 if (!(mode & S_IXUSR) && (mode & (S_IXGRP|S_IXOTH)))
1229 masks->deny1 |= execute_mask;
1230
1231 masks->deny2 = 0;
1232 if (!(mode & S_IRGRP) && (mode & S_IROTH))
1233 masks->deny2 |= read_mask;
1234 if (!(mode & S_IWGRP) && (mode & S_IWOTH))
1235 masks->deny2 |= write_mask;
1236 if (!(mode & S_IXGRP) && (mode & S_IXOTH))
1237 masks->deny2 |= execute_mask;
1238
1239 masks->allow0 = 0;
1240 if ((mode & S_IRUSR) && (!(mode & S_IRGRP) && (mode & S_IROTH)))
1241 masks->allow0 |= read_mask;
1242 if ((mode & S_IWUSR) && (!(mode & S_IWGRP) && (mode & S_IWOTH)))
1243 masks->allow0 |= write_mask;
1244 if ((mode & S_IXUSR) && (!(mode & S_IXGRP) && (mode & S_IXOTH)))
1245 masks->allow0 |= execute_mask;
1246
1247 masks->owner = ACE_WRITE_ATTRIBUTES|ACE_WRITE_OWNER|ACE_WRITE_ACL|
1248 ACE_WRITE_NAMED_ATTRS|ACE_READ_ACL|ACE_READ_ATTRIBUTES|
1249 ACE_READ_NAMED_ATTRS|ACE_SYNCHRONIZE;
1250 if (mode & S_IRUSR)
1251 masks->owner |= read_mask;
1252 if (mode & S_IWUSR)
1253 masks->owner |= write_mask;
1254 if (mode & S_IXUSR)
1255 masks->owner |= execute_mask;
1256
1257 masks->group = ACE_READ_ACL|ACE_READ_ATTRIBUTES|ACE_READ_NAMED_ATTRS|
1258 ACE_SYNCHRONIZE;
1259 if (mode & S_IRGRP)
1260 masks->group |= read_mask;
1261 if (mode & S_IWGRP)
1262 masks->group |= write_mask;
1263 if (mode & S_IXGRP)
1264 masks->group |= execute_mask;
1265
1266 masks->everyone = ACE_READ_ACL|ACE_READ_ATTRIBUTES|ACE_READ_NAMED_ATTRS|
1267 ACE_SYNCHRONIZE;
1268 if (mode & S_IROTH)
1269 masks->everyone |= read_mask;
1270 if (mode & S_IWOTH)
1271 masks->everyone |= write_mask;
1272 if (mode & S_IXOTH)
1273 masks->everyone |= execute_mask;
1274 }
1275
1276 /*
1277 * ace_trivial:
1278 * determine whether an ace_t acl is trivial
1279 *
1280 * Trivialness implies that the acl is composed of only
1281 * owner, group, everyone entries. ACL can't
1282 * have read_acl denied, and write_owner/write_acl/write_attributes
1283 * can only be owner@ entry.
1284 */
1285 static int
1286 ace_trivial_common(void *acep, int aclcnt,
1287 uint64_t (*walk)(void *, uint64_t, int aclcnt,
1288 uint16_t *, uint16_t *, uint32_t *))
1289 {
1290 uint16_t flags;
1291 uint32_t mask;
1292 uint16_t type;
1293 uint64_t cookie = 0;
1294
1295 while ((cookie = walk(acep, cookie, aclcnt, &flags, &type, &mask))) {
1296 switch (flags & ACE_TYPE_FLAGS) {
1297 case ACE_OWNER:
1298 case ACE_GROUP|ACE_IDENTIFIER_GROUP:
1299 case ACE_EVERYONE:
1300 break;
1301 default:
1302 return (1);
1303 }
1304
1305 if (flags & (ACE_FILE_INHERIT_ACE|
1306 ACE_DIRECTORY_INHERIT_ACE|ACE_NO_PROPAGATE_INHERIT_ACE|
1307 ACE_INHERIT_ONLY_ACE))
1308 return (1);
1309
1310 /*
1311 * Special check for some special bits
1312 *
1313 * Don't allow anybody to deny reading basic
1314 * attributes or a files ACL.
1315 */
1316 if ((mask & (ACE_READ_ACL|ACE_READ_ATTRIBUTES)) &&
1317 (type == ACE_ACCESS_DENIED_ACE_TYPE))
1318 return (1);
1319
1320 /*
1321 * Delete permission is never set by default
1322 */
1323 if (mask & ACE_DELETE)
1324 return (1);
1325
1326 /*
1327 * Child delete permission should be accompanied by write
1328 */
1329 if ((mask & ACE_DELETE_CHILD) && !(mask & ACE_WRITE_DATA))
1330 return (1);
1331
1332 /*
1333 * only allow owner@ to have
1334 * write_acl/write_owner/write_attributes/write_xattr/
1335 */
1336 if (type == ACE_ACCESS_ALLOWED_ACE_TYPE &&
1337 (!(flags & ACE_OWNER) && (mask &
1338 (ACE_WRITE_OWNER|ACE_WRITE_ACL| ACE_WRITE_ATTRIBUTES|
1339 ACE_WRITE_NAMED_ATTRS))))
1340 return (1);
1341
1342 }
1343
1344 return (0);
1345 }
1346
1347 /*
1348 * common code for setting ACLs.
1349 *
1350 * This function is called from zfs_mode_update, zfs_perm_init, and zfs_setacl.
1351 * zfs_setacl passes a non-NULL inherit pointer (ihp) to indicate that it's
1352 * already checked the acl and knows whether to inherit.
1353 */
1354 int
1355 zfs_aclset_common(znode_t *zp, zfs_acl_t *aclp, cred_t *cr, dmu_tx_t *tx)
1356 {
1357 int error;
1358 zfsvfs_t *zfsvfs = ZTOZSB(zp);
1359 dmu_object_type_t otype;
1360 zfs_acl_locator_cb_t locate = { 0 };
1361 uint64_t mode;
1362 sa_bulk_attr_t bulk[5];
1363 uint64_t ctime[2];
1364 int count = 0;
1365 zfs_acl_phys_t acl_phys;
1366
1367 mode = zp->z_mode;
1368
1369 mode = zfs_mode_compute(mode, aclp, &zp->z_pflags,
1370 KUID_TO_SUID(ZTOI(zp)->i_uid), KGID_TO_SGID(ZTOI(zp)->i_gid));
1371
1372 zp->z_mode = ZTOI(zp)->i_mode = mode;
1373 SA_ADD_BULK_ATTR(bulk, count, SA_ZPL_MODE(zfsvfs), NULL,
1374 &mode, sizeof (mode));
1375 SA_ADD_BULK_ATTR(bulk, count, SA_ZPL_FLAGS(zfsvfs), NULL,
1376 &zp->z_pflags, sizeof (zp->z_pflags));
1377 SA_ADD_BULK_ATTR(bulk, count, SA_ZPL_CTIME(zfsvfs), NULL,
1378 &ctime, sizeof (ctime));
1379
1380 if (zp->z_acl_cached) {
1381 zfs_acl_free(zp->z_acl_cached);
1382 zp->z_acl_cached = NULL;
1383 }
1384
1385 /*
1386 * Upgrade needed?
1387 */
1388 if (!zfsvfs->z_use_fuids) {
1389 otype = DMU_OT_OLDACL;
1390 } else {
1391 if ((aclp->z_version == ZFS_ACL_VERSION_INITIAL) &&
1392 (zfsvfs->z_version >= ZPL_VERSION_FUID))
1393 zfs_acl_xform(zp, aclp, cr);
1394 ASSERT(aclp->z_version >= ZFS_ACL_VERSION_FUID);
1395 otype = DMU_OT_ACL;
1396 }
1397
1398 /*
1399 * Arrgh, we have to handle old on disk format
1400 * as well as newer (preferred) SA format.
1401 */
1402
1403 if (zp->z_is_sa) { /* the easy case, just update the ACL attribute */
1404 locate.cb_aclp = aclp;
1405 SA_ADD_BULK_ATTR(bulk, count, SA_ZPL_DACL_ACES(zfsvfs),
1406 zfs_acl_data_locator, &locate, aclp->z_acl_bytes);
1407 SA_ADD_BULK_ATTR(bulk, count, SA_ZPL_DACL_COUNT(zfsvfs),
1408 NULL, &aclp->z_acl_count, sizeof (uint64_t));
1409 } else { /* Painful legacy way */
1410 zfs_acl_node_t *aclnode;
1411 uint64_t off = 0;
1412 uint64_t aoid;
1413
1414 if ((error = sa_lookup(zp->z_sa_hdl, SA_ZPL_ZNODE_ACL(zfsvfs),
1415 &acl_phys, sizeof (acl_phys))) != 0)
1416 return (error);
1417
1418 aoid = acl_phys.z_acl_extern_obj;
1419
1420 if (aclp->z_acl_bytes > ZFS_ACE_SPACE) {
1421 /*
1422 * If ACL was previously external and we are now
1423 * converting to new ACL format then release old
1424 * ACL object and create a new one.
1425 */
1426 if (aoid &&
1427 aclp->z_version != acl_phys.z_acl_version) {
1428 error = dmu_object_free(zfsvfs->z_os, aoid, tx);
1429 if (error)
1430 return (error);
1431 aoid = 0;
1432 }
1433 if (aoid == 0) {
1434 aoid = dmu_object_alloc(zfsvfs->z_os,
1435 otype, aclp->z_acl_bytes,
1436 otype == DMU_OT_ACL ?
1437 DMU_OT_SYSACL : DMU_OT_NONE,
1438 otype == DMU_OT_ACL ?
1439 DN_OLD_MAX_BONUSLEN : 0, tx);
1440 } else {
1441 (void) dmu_object_set_blocksize(zfsvfs->z_os,
1442 aoid, aclp->z_acl_bytes, 0, tx);
1443 }
1444 acl_phys.z_acl_extern_obj = aoid;
1445 for (aclnode = list_head(&aclp->z_acl); aclnode;
1446 aclnode = list_next(&aclp->z_acl, aclnode)) {
1447 if (aclnode->z_ace_count == 0)
1448 continue;
1449 dmu_write(zfsvfs->z_os, aoid, off,
1450 aclnode->z_size, aclnode->z_acldata, tx);
1451 off += aclnode->z_size;
1452 }
1453 } else {
1454 void *start = acl_phys.z_ace_data;
1455 /*
1456 * Migrating back embedded?
1457 */
1458 if (acl_phys.z_acl_extern_obj) {
1459 error = dmu_object_free(zfsvfs->z_os,
1460 acl_phys.z_acl_extern_obj, tx);
1461 if (error)
1462 return (error);
1463 acl_phys.z_acl_extern_obj = 0;
1464 }
1465
1466 for (aclnode = list_head(&aclp->z_acl); aclnode;
1467 aclnode = list_next(&aclp->z_acl, aclnode)) {
1468 if (aclnode->z_ace_count == 0)
1469 continue;
1470 memcpy(start, aclnode->z_acldata,
1471 aclnode->z_size);
1472 start = (caddr_t)start + aclnode->z_size;
1473 }
1474 }
1475 /*
1476 * If Old version then swap count/bytes to match old
1477 * layout of znode_acl_phys_t.
1478 */
1479 if (aclp->z_version == ZFS_ACL_VERSION_INITIAL) {
1480 acl_phys.z_acl_size = aclp->z_acl_count;
1481 acl_phys.z_acl_count = aclp->z_acl_bytes;
1482 } else {
1483 acl_phys.z_acl_size = aclp->z_acl_bytes;
1484 acl_phys.z_acl_count = aclp->z_acl_count;
1485 }
1486 acl_phys.z_acl_version = aclp->z_version;
1487
1488 SA_ADD_BULK_ATTR(bulk, count, SA_ZPL_ZNODE_ACL(zfsvfs), NULL,
1489 &acl_phys, sizeof (acl_phys));
1490 }
1491
1492 /*
1493 * Replace ACL wide bits, but first clear them.
1494 */
1495 zp->z_pflags &= ~ZFS_ACL_WIDE_FLAGS;
1496
1497 zp->z_pflags |= aclp->z_hints;
1498
1499 if (ace_trivial_common(aclp, 0, zfs_ace_walk) == 0)
1500 zp->z_pflags |= ZFS_ACL_TRIVIAL;
1501
1502 zfs_tstamp_update_setup(zp, STATE_CHANGED, NULL, ctime);
1503 return (sa_bulk_update(zp->z_sa_hdl, bulk, count, tx));
1504 }
1505
1506 static void
1507 zfs_acl_chmod(boolean_t isdir, uint64_t mode, boolean_t split, boolean_t trim,
1508 zfs_acl_t *aclp)
1509 {
1510 void *acep = NULL;
1511 uint64_t who;
1512 int new_count, new_bytes;
1513 int ace_size;
1514 int entry_type;
1515 uint16_t iflags, type;
1516 uint32_t access_mask;
1517 zfs_acl_node_t *newnode;
1518 size_t abstract_size = aclp->z_ops->ace_abstract_size();
1519 void *zacep;
1520 trivial_acl_t masks;
1521
1522 new_count = new_bytes = 0;
1523
1524 acl_trivial_access_masks((mode_t)mode, isdir, &masks);
1525
1526 newnode = zfs_acl_node_alloc((abstract_size * 6) + aclp->z_acl_bytes);
1527
1528 zacep = newnode->z_acldata;
1529 if (masks.allow0) {
1530 zfs_set_ace(aclp, zacep, masks.allow0, ALLOW, -1, ACE_OWNER);
1531 zacep = (void *)((uintptr_t)zacep + abstract_size);
1532 new_count++;
1533 new_bytes += abstract_size;
1534 }
1535 if (masks.deny1) {
1536 zfs_set_ace(aclp, zacep, masks.deny1, DENY, -1, ACE_OWNER);
1537 zacep = (void *)((uintptr_t)zacep + abstract_size);
1538 new_count++;
1539 new_bytes += abstract_size;
1540 }
1541 if (masks.deny2) {
1542 zfs_set_ace(aclp, zacep, masks.deny2, DENY, -1, OWNING_GROUP);
1543 zacep = (void *)((uintptr_t)zacep + abstract_size);
1544 new_count++;
1545 new_bytes += abstract_size;
1546 }
1547
1548 while ((acep = zfs_acl_next_ace(aclp, acep, &who, &access_mask,
1549 &iflags, &type))) {
1550 entry_type = (iflags & ACE_TYPE_FLAGS);
1551 /*
1552 * ACEs used to represent the file mode may be divided
1553 * into an equivalent pair of inherit-only and regular
1554 * ACEs, if they are inheritable.
1555 * Skip regular ACEs, which are replaced by the new mode.
1556 */
1557 if (split && (entry_type == ACE_OWNER ||
1558 entry_type == OWNING_GROUP ||
1559 entry_type == ACE_EVERYONE)) {
1560 if (!isdir || !(iflags &
1561 (ACE_FILE_INHERIT_ACE|ACE_DIRECTORY_INHERIT_ACE)))
1562 continue;
1563 /*
1564 * We preserve owner@, group@, or @everyone
1565 * permissions, if they are inheritable, by
1566 * copying them to inherit_only ACEs. This
1567 * prevents inheritable permissions from being
1568 * altered along with the file mode.
1569 */
1570 iflags |= ACE_INHERIT_ONLY_ACE;
1571 }
1572
1573 /*
1574 * If this ACL has any inheritable ACEs, mark that in
1575 * the hints (which are later masked into the pflags)
1576 * so create knows to do inheritance.
1577 */
1578 if (isdir && (iflags &
1579 (ACE_FILE_INHERIT_ACE|ACE_DIRECTORY_INHERIT_ACE)))
1580 aclp->z_hints |= ZFS_INHERIT_ACE;
1581
1582 if ((type != ALLOW && type != DENY) ||
1583 (iflags & ACE_INHERIT_ONLY_ACE)) {
1584 switch (type) {
1585 case ACE_ACCESS_ALLOWED_OBJECT_ACE_TYPE:
1586 case ACE_ACCESS_DENIED_OBJECT_ACE_TYPE:
1587 case ACE_SYSTEM_AUDIT_OBJECT_ACE_TYPE:
1588 case ACE_SYSTEM_ALARM_OBJECT_ACE_TYPE:
1589 aclp->z_hints |= ZFS_ACL_OBJ_ACE;
1590 break;
1591 }
1592 } else {
1593 /*
1594 * Limit permissions to be no greater than
1595 * group permissions.
1596 * The "aclinherit" and "aclmode" properties
1597 * affect policy for create and chmod(2),
1598 * respectively.
1599 */
1600 if ((type == ALLOW) && trim)
1601 access_mask &= masks.group;
1602 }
1603 zfs_set_ace(aclp, zacep, access_mask, type, who, iflags);
1604 ace_size = aclp->z_ops->ace_size(acep);
1605 zacep = (void *)((uintptr_t)zacep + ace_size);
1606 new_count++;
1607 new_bytes += ace_size;
1608 }
1609 zfs_set_ace(aclp, zacep, masks.owner, ALLOW, -1, ACE_OWNER);
1610 zacep = (void *)((uintptr_t)zacep + abstract_size);
1611 zfs_set_ace(aclp, zacep, masks.group, ALLOW, -1, OWNING_GROUP);
1612 zacep = (void *)((uintptr_t)zacep + abstract_size);
1613 zfs_set_ace(aclp, zacep, masks.everyone, ALLOW, -1, ACE_EVERYONE);
1614
1615 new_count += 3;
1616 new_bytes += abstract_size * 3;
1617 zfs_acl_release_nodes(aclp);
1618 aclp->z_acl_count = new_count;
1619 aclp->z_acl_bytes = new_bytes;
1620 newnode->z_ace_count = new_count;
1621 newnode->z_size = new_bytes;
1622 list_insert_tail(&aclp->z_acl, newnode);
1623 }
1624
1625 int
1626 zfs_acl_chmod_setattr(znode_t *zp, zfs_acl_t **aclp, uint64_t mode)
1627 {
1628 int error = 0;
1629
1630 mutex_enter(&zp->z_acl_lock);
1631 mutex_enter(&zp->z_lock);
1632 if (ZTOZSB(zp)->z_acl_mode == ZFS_ACL_DISCARD)
1633 *aclp = zfs_acl_alloc(zfs_acl_version_zp(zp));
1634 else
1635 error = zfs_acl_node_read(zp, B_TRUE, aclp, B_TRUE);
1636
1637 if (error == 0) {
1638 (*aclp)->z_hints = zp->z_pflags & V4_ACL_WIDE_FLAGS;
1639 zfs_acl_chmod(S_ISDIR(ZTOI(zp)->i_mode), mode, B_TRUE,
1640 (ZTOZSB(zp)->z_acl_mode == ZFS_ACL_GROUPMASK), *aclp);
1641 }
1642 mutex_exit(&zp->z_lock);
1643 mutex_exit(&zp->z_acl_lock);
1644
1645 return (error);
1646 }
1647
1648 /*
1649 * Should ACE be inherited?
1650 */
1651 static int
1652 zfs_ace_can_use(umode_t obj_mode, uint16_t acep_flags)
1653 {
1654 int iflags = (acep_flags & 0xf);
1655
1656 if (S_ISDIR(obj_mode) && (iflags & ACE_DIRECTORY_INHERIT_ACE))
1657 return (1);
1658 else if (iflags & ACE_FILE_INHERIT_ACE)
1659 return (!(S_ISDIR(obj_mode) &&
1660 (iflags & ACE_NO_PROPAGATE_INHERIT_ACE)));
1661 return (0);
1662 }
1663
1664 /*
1665 * inherit inheritable ACEs from parent
1666 */
1667 static zfs_acl_t *
1668 zfs_acl_inherit(zfsvfs_t *zfsvfs, umode_t va_mode, zfs_acl_t *paclp,
1669 uint64_t mode, boolean_t *need_chmod)
1670 {
1671 void *pacep = NULL;
1672 void *acep;
1673 zfs_acl_node_t *aclnode;
1674 zfs_acl_t *aclp = NULL;
1675 uint64_t who;
1676 uint32_t access_mask;
1677 uint16_t iflags, newflags, type;
1678 size_t ace_size;
1679 void *data1, *data2;
1680 size_t data1sz, data2sz;
1681 uint_t aclinherit;
1682 boolean_t isdir = S_ISDIR(va_mode);
1683 boolean_t isreg = S_ISREG(va_mode);
1684
1685 *need_chmod = B_TRUE;
1686
1687 aclp = zfs_acl_alloc(paclp->z_version);
1688 aclinherit = zfsvfs->z_acl_inherit;
1689 if (aclinherit == ZFS_ACL_DISCARD || S_ISLNK(va_mode))
1690 return (aclp);
1691
1692 while ((pacep = zfs_acl_next_ace(paclp, pacep, &who,
1693 &access_mask, &iflags, &type))) {
1694
1695 /*
1696 * don't inherit bogus ACEs
1697 */
1698 if (!zfs_acl_valid_ace_type(type, iflags))
1699 continue;
1700
1701 /*
1702 * Check if ACE is inheritable by this vnode
1703 */
1704 if ((aclinherit == ZFS_ACL_NOALLOW && type == ALLOW) ||
1705 !zfs_ace_can_use(va_mode, iflags))
1706 continue;
1707
1708 /*
1709 * If owner@, group@, or everyone@ inheritable
1710 * then zfs_acl_chmod() isn't needed.
1711 */
1712 if ((aclinherit == ZFS_ACL_PASSTHROUGH ||
1713 aclinherit == ZFS_ACL_PASSTHROUGH_X) &&
1714 ((iflags & (ACE_OWNER|ACE_EVERYONE)) ||
1715 ((iflags & OWNING_GROUP) == OWNING_GROUP)) &&
1716 (isreg || (isdir && (iflags & ACE_DIRECTORY_INHERIT_ACE))))
1717 *need_chmod = B_FALSE;
1718
1719 /*
1720 * Strip inherited execute permission from file if
1721 * not in mode
1722 */
1723 if (aclinherit == ZFS_ACL_PASSTHROUGH_X && type == ALLOW &&
1724 !isdir && ((mode & (S_IXUSR|S_IXGRP|S_IXOTH)) == 0)) {
1725 access_mask &= ~ACE_EXECUTE;
1726 }
1727
1728 /*
1729 * Strip write_acl and write_owner from permissions
1730 * when inheriting an ACE
1731 */
1732 if (aclinherit == ZFS_ACL_RESTRICTED && type == ALLOW) {
1733 access_mask &= ~RESTRICTED_CLEAR;
1734 }
1735
1736 ace_size = aclp->z_ops->ace_size(pacep);
1737 aclnode = zfs_acl_node_alloc(ace_size);
1738 list_insert_tail(&aclp->z_acl, aclnode);
1739 acep = aclnode->z_acldata;
1740
1741 zfs_set_ace(aclp, acep, access_mask, type,
1742 who, iflags|ACE_INHERITED_ACE);
1743
1744 /*
1745 * Copy special opaque data if any
1746 */
1747 if ((data1sz = paclp->z_ops->ace_data(pacep, &data1)) != 0) {
1748 VERIFY((data2sz = aclp->z_ops->ace_data(acep,
1749 &data2)) == data1sz);
1750 memcpy(data2, data1, data2sz);
1751 }
1752
1753 aclp->z_acl_count++;
1754 aclnode->z_ace_count++;
1755 aclp->z_acl_bytes += aclnode->z_size;
1756 newflags = aclp->z_ops->ace_flags_get(acep);
1757
1758 /*
1759 * If ACE is not to be inherited further, or if the vnode is
1760 * not a directory, remove all inheritance flags
1761 */
1762 if (!isdir || (iflags & ACE_NO_PROPAGATE_INHERIT_ACE)) {
1763 newflags &= ~ALL_INHERIT;
1764 aclp->z_ops->ace_flags_set(acep,
1765 newflags|ACE_INHERITED_ACE);
1766 continue;
1767 }
1768
1769 /*
1770 * This directory has an inheritable ACE
1771 */
1772 aclp->z_hints |= ZFS_INHERIT_ACE;
1773
1774 /*
1775 * If only FILE_INHERIT is set then turn on
1776 * inherit_only
1777 */
1778 if ((iflags & (ACE_FILE_INHERIT_ACE |
1779 ACE_DIRECTORY_INHERIT_ACE)) == ACE_FILE_INHERIT_ACE) {
1780 newflags |= ACE_INHERIT_ONLY_ACE;
1781 aclp->z_ops->ace_flags_set(acep,
1782 newflags|ACE_INHERITED_ACE);
1783 } else {
1784 newflags &= ~ACE_INHERIT_ONLY_ACE;
1785 aclp->z_ops->ace_flags_set(acep,
1786 newflags|ACE_INHERITED_ACE);
1787 }
1788 }
1789 if (zfsvfs->z_acl_mode == ZFS_ACL_RESTRICTED &&
1790 aclp->z_acl_count != 0) {
1791 *need_chmod = B_FALSE;
1792 }
1793
1794 return (aclp);
1795 }
1796
1797 /*
1798 * Create file system object initial permissions
1799 * including inheritable ACEs.
1800 * Also, create FUIDs for owner and group.
1801 */
1802 int
1803 zfs_acl_ids_create(znode_t *dzp, int flag, vattr_t *vap, cred_t *cr,
1804 vsecattr_t *vsecp, zfs_acl_ids_t *acl_ids)
1805 {
1806 int error;
1807 zfsvfs_t *zfsvfs = ZTOZSB(dzp);
1808 zfs_acl_t *paclp;
1809 gid_t gid = vap->va_gid;
1810 boolean_t need_chmod = B_TRUE;
1811 boolean_t trim = B_FALSE;
1812 boolean_t inherited = B_FALSE;
1813
1814 memset(acl_ids, 0, sizeof (zfs_acl_ids_t));
1815 acl_ids->z_mode = vap->va_mode;
1816
1817 if (vsecp)
1818 if ((error = zfs_vsec_2_aclp(zfsvfs, vap->va_mode, vsecp,
1819 cr, &acl_ids->z_fuidp, &acl_ids->z_aclp)) != 0)
1820 return (error);
1821
1822 acl_ids->z_fuid = vap->va_uid;
1823 acl_ids->z_fgid = vap->va_gid;
1824 #ifdef HAVE_KSID
1825 /*
1826 * Determine uid and gid.
1827 */
1828 if ((flag & IS_ROOT_NODE) || zfsvfs->z_replay ||
1829 ((flag & IS_XATTR) && (S_ISDIR(vap->va_mode)))) {
1830 acl_ids->z_fuid = zfs_fuid_create(zfsvfs, (uint64_t)vap->va_uid,
1831 cr, ZFS_OWNER, &acl_ids->z_fuidp);
1832 acl_ids->z_fgid = zfs_fuid_create(zfsvfs, (uint64_t)vap->va_gid,
1833 cr, ZFS_GROUP, &acl_ids->z_fuidp);
1834 gid = vap->va_gid;
1835 } else {
1836 acl_ids->z_fuid = zfs_fuid_create_cred(zfsvfs, ZFS_OWNER,
1837 cr, &acl_ids->z_fuidp);
1838 acl_ids->z_fgid = 0;
1839 if (vap->va_mask & AT_GID) {
1840 acl_ids->z_fgid = zfs_fuid_create(zfsvfs,
1841 (uint64_t)vap->va_gid,
1842 cr, ZFS_GROUP, &acl_ids->z_fuidp);
1843 gid = vap->va_gid;
1844 if (acl_ids->z_fgid != KGID_TO_SGID(ZTOI(dzp)->i_gid) &&
1845 !groupmember(vap->va_gid, cr) &&
1846 secpolicy_vnode_create_gid(cr) != 0)
1847 acl_ids->z_fgid = 0;
1848 }
1849 if (acl_ids->z_fgid == 0) {
1850 if (dzp->z_mode & S_ISGID) {
1851 char *domain;
1852 uint32_t rid;
1853
1854 acl_ids->z_fgid = KGID_TO_SGID(
1855 ZTOI(dzp)->i_gid);
1856 gid = zfs_fuid_map_id(zfsvfs, acl_ids->z_fgid,
1857 cr, ZFS_GROUP);
1858
1859 if (zfsvfs->z_use_fuids &&
1860 IS_EPHEMERAL(acl_ids->z_fgid)) {
1861 domain = zfs_fuid_idx_domain(
1862 &zfsvfs->z_fuid_idx,
1863 FUID_INDEX(acl_ids->z_fgid));
1864 rid = FUID_RID(acl_ids->z_fgid);
1865 zfs_fuid_node_add(&acl_ids->z_fuidp,
1866 domain, rid,
1867 FUID_INDEX(acl_ids->z_fgid),
1868 acl_ids->z_fgid, ZFS_GROUP);
1869 }
1870 } else {
1871 acl_ids->z_fgid = zfs_fuid_create_cred(zfsvfs,
1872 ZFS_GROUP, cr, &acl_ids->z_fuidp);
1873 gid = crgetgid(cr);
1874 }
1875 }
1876 }
1877 #endif /* HAVE_KSID */
1878
1879 /*
1880 * If we're creating a directory, and the parent directory has the
1881 * set-GID bit set, set in on the new directory.
1882 * Otherwise, if the user is neither privileged nor a member of the
1883 * file's new group, clear the file's set-GID bit.
1884 */
1885
1886 if (!(flag & IS_ROOT_NODE) && (dzp->z_mode & S_ISGID) &&
1887 (S_ISDIR(vap->va_mode))) {
1888 acl_ids->z_mode |= S_ISGID;
1889 } else {
1890 if ((acl_ids->z_mode & S_ISGID) &&
1891 secpolicy_vnode_setids_setgids(cr, gid) != 0)
1892 acl_ids->z_mode &= ~S_ISGID;
1893 }
1894
1895 if (acl_ids->z_aclp == NULL) {
1896 mutex_enter(&dzp->z_acl_lock);
1897 mutex_enter(&dzp->z_lock);
1898 if (!(flag & IS_ROOT_NODE) &&
1899 (dzp->z_pflags & ZFS_INHERIT_ACE) &&
1900 !(dzp->z_pflags & ZFS_XATTR)) {
1901 VERIFY(0 == zfs_acl_node_read(dzp, B_TRUE,
1902 &paclp, B_FALSE));
1903 acl_ids->z_aclp = zfs_acl_inherit(zfsvfs,
1904 vap->va_mode, paclp, acl_ids->z_mode, &need_chmod);
1905 inherited = B_TRUE;
1906 } else {
1907 acl_ids->z_aclp =
1908 zfs_acl_alloc(zfs_acl_version_zp(dzp));
1909 acl_ids->z_aclp->z_hints |= ZFS_ACL_TRIVIAL;
1910 }
1911 mutex_exit(&dzp->z_lock);
1912 mutex_exit(&dzp->z_acl_lock);
1913
1914 if (need_chmod) {
1915 if (S_ISDIR(vap->va_mode))
1916 acl_ids->z_aclp->z_hints |=
1917 ZFS_ACL_AUTO_INHERIT;
1918
1919 if (zfsvfs->z_acl_mode == ZFS_ACL_GROUPMASK &&
1920 zfsvfs->z_acl_inherit != ZFS_ACL_PASSTHROUGH &&
1921 zfsvfs->z_acl_inherit != ZFS_ACL_PASSTHROUGH_X)
1922 trim = B_TRUE;
1923 zfs_acl_chmod(vap->va_mode, acl_ids->z_mode, B_FALSE,
1924 trim, acl_ids->z_aclp);
1925 }
1926 }
1927
1928 if (inherited || vsecp) {
1929 acl_ids->z_mode = zfs_mode_compute(acl_ids->z_mode,
1930 acl_ids->z_aclp, &acl_ids->z_aclp->z_hints,
1931 acl_ids->z_fuid, acl_ids->z_fgid);
1932 if (ace_trivial_common(acl_ids->z_aclp, 0, zfs_ace_walk) == 0)
1933 acl_ids->z_aclp->z_hints |= ZFS_ACL_TRIVIAL;
1934 }
1935
1936 return (0);
1937 }
1938
1939 /*
1940 * Free ACL and fuid_infop, but not the acl_ids structure
1941 */
1942 void
1943 zfs_acl_ids_free(zfs_acl_ids_t *acl_ids)
1944 {
1945 if (acl_ids->z_aclp)
1946 zfs_acl_free(acl_ids->z_aclp);
1947 if (acl_ids->z_fuidp)
1948 zfs_fuid_info_free(acl_ids->z_fuidp);
1949 acl_ids->z_aclp = NULL;
1950 acl_ids->z_fuidp = NULL;
1951 }
1952
1953 boolean_t
1954 zfs_acl_ids_overquota(zfsvfs_t *zv, zfs_acl_ids_t *acl_ids, uint64_t projid)
1955 {
1956 return (zfs_id_overquota(zv, DMU_USERUSED_OBJECT, acl_ids->z_fuid) ||
1957 zfs_id_overquota(zv, DMU_GROUPUSED_OBJECT, acl_ids->z_fgid) ||
1958 (projid != ZFS_DEFAULT_PROJID && projid != ZFS_INVALID_PROJID &&
1959 zfs_id_overquota(zv, DMU_PROJECTUSED_OBJECT, projid)));
1960 }
1961
1962 /*
1963 * Retrieve a file's ACL
1964 */
1965 int
1966 zfs_getacl(znode_t *zp, vsecattr_t *vsecp, boolean_t skipaclchk, cred_t *cr)
1967 {
1968 zfs_acl_t *aclp;
1969 ulong_t mask;
1970 int error;
1971 int count = 0;
1972 int largeace = 0;
1973
1974 mask = vsecp->vsa_mask & (VSA_ACE | VSA_ACECNT |
1975 VSA_ACE_ACLFLAGS | VSA_ACE_ALLTYPES);
1976
1977 if (mask == 0)
1978 return (SET_ERROR(ENOSYS));
1979
1980 if ((error = zfs_zaccess(zp, ACE_READ_ACL, 0, skipaclchk, cr)))
1981 return (error);
1982
1983 mutex_enter(&zp->z_acl_lock);
1984
1985 error = zfs_acl_node_read(zp, B_FALSE, &aclp, B_FALSE);
1986 if (error != 0) {
1987 mutex_exit(&zp->z_acl_lock);
1988 return (error);
1989 }
1990
1991 /*
1992 * Scan ACL to determine number of ACEs
1993 */
1994 if ((zp->z_pflags & ZFS_ACL_OBJ_ACE) && !(mask & VSA_ACE_ALLTYPES)) {
1995 void *zacep = NULL;
1996 uint64_t who;
1997 uint32_t access_mask;
1998 uint16_t type, iflags;
1999
2000 while ((zacep = zfs_acl_next_ace(aclp, zacep,
2001 &who, &access_mask, &iflags, &type))) {
2002 switch (type) {
2003 case ACE_ACCESS_ALLOWED_OBJECT_ACE_TYPE:
2004 case ACE_ACCESS_DENIED_OBJECT_ACE_TYPE:
2005 case ACE_SYSTEM_AUDIT_OBJECT_ACE_TYPE:
2006 case ACE_SYSTEM_ALARM_OBJECT_ACE_TYPE:
2007 largeace++;
2008 continue;
2009 default:
2010 count++;
2011 }
2012 }
2013 vsecp->vsa_aclcnt = count;
2014 } else
2015 count = (int)aclp->z_acl_count;
2016
2017 if (mask & VSA_ACECNT) {
2018 vsecp->vsa_aclcnt = count;
2019 }
2020
2021 if (mask & VSA_ACE) {
2022 size_t aclsz;
2023
2024 aclsz = count * sizeof (ace_t) +
2025 sizeof (ace_object_t) * largeace;
2026
2027 vsecp->vsa_aclentp = kmem_alloc(aclsz, KM_SLEEP);
2028 vsecp->vsa_aclentsz = aclsz;
2029
2030 if (aclp->z_version == ZFS_ACL_VERSION_FUID)
2031 zfs_copy_fuid_2_ace(ZTOZSB(zp), aclp, cr,
2032 vsecp->vsa_aclentp, !(mask & VSA_ACE_ALLTYPES));
2033 else {
2034 zfs_acl_node_t *aclnode;
2035 void *start = vsecp->vsa_aclentp;
2036
2037 for (aclnode = list_head(&aclp->z_acl); aclnode;
2038 aclnode = list_next(&aclp->z_acl, aclnode)) {
2039 memcpy(start, aclnode->z_acldata,
2040 aclnode->z_size);
2041 start = (caddr_t)start + aclnode->z_size;
2042 }
2043 ASSERT((caddr_t)start - (caddr_t)vsecp->vsa_aclentp ==
2044 aclp->z_acl_bytes);
2045 }
2046 }
2047 if (mask & VSA_ACE_ACLFLAGS) {
2048 vsecp->vsa_aclflags = 0;
2049 if (zp->z_pflags & ZFS_ACL_DEFAULTED)
2050 vsecp->vsa_aclflags |= ACL_DEFAULTED;
2051 if (zp->z_pflags & ZFS_ACL_PROTECTED)
2052 vsecp->vsa_aclflags |= ACL_PROTECTED;
2053 if (zp->z_pflags & ZFS_ACL_AUTO_INHERIT)
2054 vsecp->vsa_aclflags |= ACL_AUTO_INHERIT;
2055 }
2056
2057 mutex_exit(&zp->z_acl_lock);
2058
2059 return (0);
2060 }
2061
2062 int
2063 zfs_vsec_2_aclp(zfsvfs_t *zfsvfs, umode_t obj_mode,
2064 vsecattr_t *vsecp, cred_t *cr, zfs_fuid_info_t **fuidp, zfs_acl_t **zaclp)
2065 {
2066 zfs_acl_t *aclp;
2067 zfs_acl_node_t *aclnode;
2068 int aclcnt = vsecp->vsa_aclcnt;
2069 int error;
2070
2071 if (vsecp->vsa_aclcnt > MAX_ACL_ENTRIES || vsecp->vsa_aclcnt <= 0)
2072 return (SET_ERROR(EINVAL));
2073
2074 aclp = zfs_acl_alloc(zfs_acl_version(zfsvfs->z_version));
2075
2076 aclp->z_hints = 0;
2077 aclnode = zfs_acl_node_alloc(aclcnt * sizeof (zfs_object_ace_t));
2078 if (aclp->z_version == ZFS_ACL_VERSION_INITIAL) {
2079 if ((error = zfs_copy_ace_2_oldace(obj_mode, aclp,
2080 (ace_t *)vsecp->vsa_aclentp, aclnode->z_acldata,
2081 aclcnt, &aclnode->z_size)) != 0) {
2082 zfs_acl_free(aclp);
2083 zfs_acl_node_free(aclnode);
2084 return (error);
2085 }
2086 } else {
2087 if ((error = zfs_copy_ace_2_fuid(zfsvfs, obj_mode, aclp,
2088 vsecp->vsa_aclentp, aclnode->z_acldata, aclcnt,
2089 &aclnode->z_size, fuidp, cr)) != 0) {
2090 zfs_acl_free(aclp);
2091 zfs_acl_node_free(aclnode);
2092 return (error);
2093 }
2094 }
2095 aclp->z_acl_bytes = aclnode->z_size;
2096 aclnode->z_ace_count = aclcnt;
2097 aclp->z_acl_count = aclcnt;
2098 list_insert_head(&aclp->z_acl, aclnode);
2099
2100 /*
2101 * If flags are being set then add them to z_hints
2102 */
2103 if (vsecp->vsa_mask & VSA_ACE_ACLFLAGS) {
2104 if (vsecp->vsa_aclflags & ACL_PROTECTED)
2105 aclp->z_hints |= ZFS_ACL_PROTECTED;
2106 if (vsecp->vsa_aclflags & ACL_DEFAULTED)
2107 aclp->z_hints |= ZFS_ACL_DEFAULTED;
2108 if (vsecp->vsa_aclflags & ACL_AUTO_INHERIT)
2109 aclp->z_hints |= ZFS_ACL_AUTO_INHERIT;
2110 }
2111
2112 *zaclp = aclp;
2113
2114 return (0);
2115 }
2116
2117 /*
2118 * Set a file's ACL
2119 */
2120 int
2121 zfs_setacl(znode_t *zp, vsecattr_t *vsecp, boolean_t skipaclchk, cred_t *cr)
2122 {
2123 zfsvfs_t *zfsvfs = ZTOZSB(zp);
2124 zilog_t *zilog = zfsvfs->z_log;
2125 ulong_t mask = vsecp->vsa_mask & (VSA_ACE | VSA_ACECNT);
2126 dmu_tx_t *tx;
2127 int error;
2128 zfs_acl_t *aclp;
2129 zfs_fuid_info_t *fuidp = NULL;
2130 boolean_t fuid_dirtied;
2131 uint64_t acl_obj;
2132
2133 if (mask == 0)
2134 return (SET_ERROR(ENOSYS));
2135
2136 if (zp->z_pflags & ZFS_IMMUTABLE)
2137 return (SET_ERROR(EPERM));
2138
2139 if ((error = zfs_zaccess(zp, ACE_WRITE_ACL, 0, skipaclchk, cr)))
2140 return (error);
2141
2142 error = zfs_vsec_2_aclp(zfsvfs, ZTOI(zp)->i_mode, vsecp, cr, &fuidp,
2143 &aclp);
2144 if (error)
2145 return (error);
2146
2147 /*
2148 * If ACL wide flags aren't being set then preserve any
2149 * existing flags.
2150 */
2151 if (!(vsecp->vsa_mask & VSA_ACE_ACLFLAGS)) {
2152 aclp->z_hints |=
2153 (zp->z_pflags & V4_ACL_WIDE_FLAGS);
2154 }
2155 top:
2156 mutex_enter(&zp->z_acl_lock);
2157 mutex_enter(&zp->z_lock);
2158
2159 tx = dmu_tx_create(zfsvfs->z_os);
2160
2161 dmu_tx_hold_sa(tx, zp->z_sa_hdl, B_TRUE);
2162
2163 fuid_dirtied = zfsvfs->z_fuid_dirty;
2164 if (fuid_dirtied)
2165 zfs_fuid_txhold(zfsvfs, tx);
2166
2167 /*
2168 * If old version and ACL won't fit in bonus and we aren't
2169 * upgrading then take out necessary DMU holds
2170 */
2171
2172 if ((acl_obj = zfs_external_acl(zp)) != 0) {
2173 if (zfsvfs->z_version >= ZPL_VERSION_FUID &&
2174 zfs_znode_acl_version(zp) <= ZFS_ACL_VERSION_INITIAL) {
2175 dmu_tx_hold_free(tx, acl_obj, 0,
2176 DMU_OBJECT_END);
2177 dmu_tx_hold_write(tx, DMU_NEW_OBJECT, 0,
2178 aclp->z_acl_bytes);
2179 } else {
2180 dmu_tx_hold_write(tx, acl_obj, 0, aclp->z_acl_bytes);
2181 }
2182 } else if (!zp->z_is_sa && aclp->z_acl_bytes > ZFS_ACE_SPACE) {
2183 dmu_tx_hold_write(tx, DMU_NEW_OBJECT, 0, aclp->z_acl_bytes);
2184 }
2185
2186 zfs_sa_upgrade_txholds(tx, zp);
2187 error = dmu_tx_assign(tx, TXG_NOWAIT);
2188 if (error) {
2189 mutex_exit(&zp->z_acl_lock);
2190 mutex_exit(&zp->z_lock);
2191
2192 if (error == ERESTART) {
2193 dmu_tx_wait(tx);
2194 dmu_tx_abort(tx);
2195 goto top;
2196 }
2197 dmu_tx_abort(tx);
2198 zfs_acl_free(aclp);
2199 return (error);
2200 }
2201
2202 error = zfs_aclset_common(zp, aclp, cr, tx);
2203 ASSERT(error == 0);
2204 ASSERT(zp->z_acl_cached == NULL);
2205 zp->z_acl_cached = aclp;
2206
2207 if (fuid_dirtied)
2208 zfs_fuid_sync(zfsvfs, tx);
2209
2210 zfs_log_acl(zilog, tx, zp, vsecp, fuidp);
2211
2212 if (fuidp)
2213 zfs_fuid_info_free(fuidp);
2214 dmu_tx_commit(tx);
2215
2216 mutex_exit(&zp->z_lock);
2217 mutex_exit(&zp->z_acl_lock);
2218
2219 return (error);
2220 }
2221
2222 /*
2223 * Check accesses of interest (AoI) against attributes of the dataset
2224 * such as read-only. Returns zero if no AoI conflict with dataset
2225 * attributes, otherwise an appropriate errno is returned.
2226 */
2227 static int
2228 zfs_zaccess_dataset_check(znode_t *zp, uint32_t v4_mode)
2229 {
2230 if ((v4_mode & WRITE_MASK) && (zfs_is_readonly(ZTOZSB(zp))) &&
2231 (!Z_ISDEV(ZTOI(zp)->i_mode) ||
2232 (Z_ISDEV(ZTOI(zp)->i_mode) && (v4_mode & WRITE_MASK_ATTRS)))) {
2233 return (SET_ERROR(EROFS));
2234 }
2235
2236 /*
2237 * Intentionally allow ZFS_READONLY through here.
2238 * See zfs_zaccess_common().
2239 */
2240 if ((v4_mode & WRITE_MASK_DATA) &&
2241 (zp->z_pflags & ZFS_IMMUTABLE)) {
2242 return (SET_ERROR(EPERM));
2243 }
2244
2245 if ((v4_mode & (ACE_DELETE | ACE_DELETE_CHILD)) &&
2246 (zp->z_pflags & ZFS_NOUNLINK)) {
2247 return (SET_ERROR(EPERM));
2248 }
2249
2250 if (((v4_mode & (ACE_READ_DATA|ACE_EXECUTE)) &&
2251 (zp->z_pflags & ZFS_AV_QUARANTINED))) {
2252 return (SET_ERROR(EACCES));
2253 }
2254
2255 return (0);
2256 }
2257
2258 /*
2259 * The primary usage of this function is to loop through all of the
2260 * ACEs in the znode, determining what accesses of interest (AoI) to
2261 * the caller are allowed or denied. The AoI are expressed as bits in
2262 * the working_mode parameter. As each ACE is processed, bits covered
2263 * by that ACE are removed from the working_mode. This removal
2264 * facilitates two things. The first is that when the working mode is
2265 * empty (= 0), we know we've looked at all the AoI. The second is
2266 * that the ACE interpretation rules don't allow a later ACE to undo
2267 * something granted or denied by an earlier ACE. Removing the
2268 * discovered access or denial enforces this rule. At the end of
2269 * processing the ACEs, all AoI that were found to be denied are
2270 * placed into the working_mode, giving the caller a mask of denied
2271 * accesses. Returns:
2272 * 0 if all AoI granted
2273 * EACCES if the denied mask is non-zero
2274 * other error if abnormal failure (e.g., IO error)
2275 *
2276 * A secondary usage of the function is to determine if any of the
2277 * AoI are granted. If an ACE grants any access in
2278 * the working_mode, we immediately short circuit out of the function.
2279 * This mode is chosen by setting anyaccess to B_TRUE. The
2280 * working_mode is not a denied access mask upon exit if the function
2281 * is used in this manner.
2282 */
2283 static int
2284 zfs_zaccess_aces_check(znode_t *zp, uint32_t *working_mode,
2285 boolean_t anyaccess, cred_t *cr)
2286 {
2287 zfsvfs_t *zfsvfs = ZTOZSB(zp);
2288 zfs_acl_t *aclp;
2289 int error;
2290 uid_t uid = crgetuid(cr);
2291 uint64_t who;
2292 uint16_t type, iflags;
2293 uint16_t entry_type;
2294 uint32_t access_mask;
2295 uint32_t deny_mask = 0;
2296 zfs_ace_hdr_t *acep = NULL;
2297 boolean_t checkit;
2298 uid_t gowner;
2299 uid_t fowner;
2300
2301 zfs_fuid_map_ids(zp, cr, &fowner, &gowner);
2302
2303 mutex_enter(&zp->z_acl_lock);
2304
2305 error = zfs_acl_node_read(zp, B_FALSE, &aclp, B_FALSE);
2306 if (error != 0) {
2307 mutex_exit(&zp->z_acl_lock);
2308 return (error);
2309 }
2310
2311 ASSERT(zp->z_acl_cached);
2312
2313 while ((acep = zfs_acl_next_ace(aclp, acep, &who, &access_mask,
2314 &iflags, &type))) {
2315 uint32_t mask_matched;
2316
2317 if (!zfs_acl_valid_ace_type(type, iflags))
2318 continue;
2319
2320 if (S_ISDIR(ZTOI(zp)->i_mode) &&
2321 (iflags & ACE_INHERIT_ONLY_ACE))
2322 continue;
2323
2324 /* Skip ACE if it does not affect any AoI */
2325 mask_matched = (access_mask & *working_mode);
2326 if (!mask_matched)
2327 continue;
2328
2329 entry_type = (iflags & ACE_TYPE_FLAGS);
2330
2331 checkit = B_FALSE;
2332
2333 switch (entry_type) {
2334 case ACE_OWNER:
2335 if (uid == fowner)
2336 checkit = B_TRUE;
2337 break;
2338 case OWNING_GROUP:
2339 who = gowner;
2340 zfs_fallthrough;
2341 case ACE_IDENTIFIER_GROUP:
2342 checkit = zfs_groupmember(zfsvfs, who, cr);
2343 break;
2344 case ACE_EVERYONE:
2345 checkit = B_TRUE;
2346 break;
2347
2348 /* USER Entry */
2349 default:
2350 if (entry_type == 0) {
2351 uid_t newid;
2352
2353 newid = zfs_fuid_map_id(zfsvfs, who, cr,
2354 ZFS_ACE_USER);
2355 if (newid != IDMAP_WK_CREATOR_OWNER_UID &&
2356 uid == newid)
2357 checkit = B_TRUE;
2358 break;
2359 } else {
2360 mutex_exit(&zp->z_acl_lock);
2361 return (SET_ERROR(EIO));
2362 }
2363 }
2364
2365 if (checkit) {
2366 if (type == DENY) {
2367 DTRACE_PROBE3(zfs__ace__denies,
2368 znode_t *, zp,
2369 zfs_ace_hdr_t *, acep,
2370 uint32_t, mask_matched);
2371 deny_mask |= mask_matched;
2372 } else {
2373 DTRACE_PROBE3(zfs__ace__allows,
2374 znode_t *, zp,
2375 zfs_ace_hdr_t *, acep,
2376 uint32_t, mask_matched);
2377 if (anyaccess) {
2378 mutex_exit(&zp->z_acl_lock);
2379 return (0);
2380 }
2381 }
2382 *working_mode &= ~mask_matched;
2383 }
2384
2385 /* Are we done? */
2386 if (*working_mode == 0)
2387 break;
2388 }
2389
2390 mutex_exit(&zp->z_acl_lock);
2391
2392 /* Put the found 'denies' back on the working mode */
2393 if (deny_mask) {
2394 *working_mode |= deny_mask;
2395 return (SET_ERROR(EACCES));
2396 } else if (*working_mode) {
2397 return (-1);
2398 }
2399
2400 return (0);
2401 }
2402
2403 /*
2404 * Return true if any access whatsoever granted, we don't actually
2405 * care what access is granted.
2406 */
2407 boolean_t
2408 zfs_has_access(znode_t *zp, cred_t *cr)
2409 {
2410 uint32_t have = ACE_ALL_PERMS;
2411
2412 if (zfs_zaccess_aces_check(zp, &have, B_TRUE, cr) != 0) {
2413 uid_t owner;
2414
2415 owner = zfs_fuid_map_id(ZTOZSB(zp),
2416 KUID_TO_SUID(ZTOI(zp)->i_uid), cr, ZFS_OWNER);
2417 return (secpolicy_vnode_any_access(cr, ZTOI(zp), owner) == 0);
2418 }
2419 return (B_TRUE);
2420 }
2421
2422 /*
2423 * Simplified access check for case where ACL is known to not contain
2424 * information beyond what is defined in the mode. In this case, we
2425 * can pass along to the kernel / vfs generic_permission() check, which
2426 * evaluates the mode and POSIX ACL.
2427 *
2428 * NFSv4 ACLs allow granting permissions that are usually relegated only
2429 * to the file owner or superuser. Examples are ACE_WRITE_OWNER (chown),
2430 * ACE_WRITE_ACL(chmod), and ACE_DELETE. ACE_DELETE requests must fail
2431 * because with conventional posix permissions, right to delete file
2432 * is determined by write bit on the parent dir.
2433 *
2434 * If unmappable perms are requested, then we must return EPERM
2435 * and include those bits in the working_mode so that the caller of
2436 * zfs_zaccess_common() can decide whether to perform additional
2437 * policy / capability checks. EACCES is used in zfs_zaccess_aces_check()
2438 * to indicate access check failed due to explicit DENY entry, and so
2439 * we want to avoid that here.
2440 */
2441 static int
2442 zfs_zaccess_trivial(znode_t *zp, uint32_t *working_mode, cred_t *cr)
2443 {
2444 int err, mask;
2445 int unmapped = 0;
2446
2447 ASSERT(zp->z_pflags & ZFS_ACL_TRIVIAL);
2448
2449 mask = zfs_v4_to_unix(*working_mode, &unmapped);
2450 if (mask == 0 || unmapped) {
2451 *working_mode = unmapped;
2452 return (unmapped ? SET_ERROR(EPERM) : 0);
2453 }
2454
2455 #if defined(HAVE_IOPS_PERMISSION_USERNS)
2456 err = generic_permission(cr->user_ns, ZTOI(zp), mask);
2457 #else
2458 err = generic_permission(ZTOI(zp), mask);
2459 #endif
2460 if (err != 0) {
2461 return (SET_ERROR(EPERM));
2462 }
2463
2464 *working_mode = unmapped;
2465
2466 return (0);
2467 }
2468
2469 static int
2470 zfs_zaccess_common(znode_t *zp, uint32_t v4_mode, uint32_t *working_mode,
2471 boolean_t *check_privs, boolean_t skipaclchk, cred_t *cr)
2472 {
2473 zfsvfs_t *zfsvfs = ZTOZSB(zp);
2474 int err;
2475
2476 *working_mode = v4_mode;
2477 *check_privs = B_TRUE;
2478
2479 /*
2480 * Short circuit empty requests
2481 */
2482 if (v4_mode == 0 || zfsvfs->z_replay) {
2483 *working_mode = 0;
2484 return (0);
2485 }
2486
2487 if ((err = zfs_zaccess_dataset_check(zp, v4_mode)) != 0) {
2488 *check_privs = B_FALSE;
2489 return (err);
2490 }
2491
2492 /*
2493 * The caller requested that the ACL check be skipped. This
2494 * would only happen if the caller checked VOP_ACCESS() with a
2495 * 32 bit ACE mask and already had the appropriate permissions.
2496 */
2497 if (skipaclchk) {
2498 *working_mode = 0;
2499 return (0);
2500 }
2501
2502 /*
2503 * Note: ZFS_READONLY represents the "DOS R/O" attribute.
2504 * When that flag is set, we should behave as if write access
2505 * were not granted by anything in the ACL. In particular:
2506 * We _must_ allow writes after opening the file r/w, then
2507 * setting the DOS R/O attribute, and writing some more.
2508 * (Similar to how you can write after fchmod(fd, 0444).)
2509 *
2510 * Therefore ZFS_READONLY is ignored in the dataset check
2511 * above, and checked here as if part of the ACL check.
2512 * Also note: DOS R/O is ignored for directories.
2513 */
2514 if ((v4_mode & WRITE_MASK_DATA) &&
2515 S_ISDIR(ZTOI(zp)->i_mode) &&
2516 (zp->z_pflags & ZFS_READONLY)) {
2517 return (SET_ERROR(EPERM));
2518 }
2519
2520 if (zp->z_pflags & ZFS_ACL_TRIVIAL)
2521 return (zfs_zaccess_trivial(zp, working_mode, cr));
2522
2523 return (zfs_zaccess_aces_check(zp, working_mode, B_FALSE, cr));
2524 }
2525
2526 static int
2527 zfs_zaccess_append(znode_t *zp, uint32_t *working_mode, boolean_t *check_privs,
2528 cred_t *cr)
2529 {
2530 if (*working_mode != ACE_WRITE_DATA)
2531 return (SET_ERROR(EACCES));
2532
2533 return (zfs_zaccess_common(zp, ACE_APPEND_DATA, working_mode,
2534 check_privs, B_FALSE, cr));
2535 }
2536
2537 int
2538 zfs_fastaccesschk_execute(znode_t *zdp, cred_t *cr)
2539 {
2540 boolean_t owner = B_FALSE;
2541 boolean_t groupmbr = B_FALSE;
2542 boolean_t is_attr;
2543 uid_t uid = crgetuid(cr);
2544 int error;
2545
2546 if (zdp->z_pflags & ZFS_AV_QUARANTINED)
2547 return (SET_ERROR(EACCES));
2548
2549 is_attr = ((zdp->z_pflags & ZFS_XATTR) &&
2550 (S_ISDIR(ZTOI(zdp)->i_mode)));
2551 if (is_attr)
2552 goto slow;
2553
2554
2555 mutex_enter(&zdp->z_acl_lock);
2556
2557 if (zdp->z_pflags & ZFS_NO_EXECS_DENIED) {
2558 mutex_exit(&zdp->z_acl_lock);
2559 return (0);
2560 }
2561
2562 if (KUID_TO_SUID(ZTOI(zdp)->i_uid) != 0 ||
2563 KGID_TO_SGID(ZTOI(zdp)->i_gid) != 0) {
2564 mutex_exit(&zdp->z_acl_lock);
2565 goto slow;
2566 }
2567
2568 if (uid == KUID_TO_SUID(ZTOI(zdp)->i_uid)) {
2569 owner = B_TRUE;
2570 if (zdp->z_mode & S_IXUSR) {
2571 mutex_exit(&zdp->z_acl_lock);
2572 return (0);
2573 } else {
2574 mutex_exit(&zdp->z_acl_lock);
2575 goto slow;
2576 }
2577 }
2578 if (groupmember(KGID_TO_SGID(ZTOI(zdp)->i_gid), cr)) {
2579 groupmbr = B_TRUE;
2580 if (zdp->z_mode & S_IXGRP) {
2581 mutex_exit(&zdp->z_acl_lock);
2582 return (0);
2583 } else {
2584 mutex_exit(&zdp->z_acl_lock);
2585 goto slow;
2586 }
2587 }
2588 if (!owner && !groupmbr) {
2589 if (zdp->z_mode & S_IXOTH) {
2590 mutex_exit(&zdp->z_acl_lock);
2591 return (0);
2592 }
2593 }
2594
2595 mutex_exit(&zdp->z_acl_lock);
2596
2597 slow:
2598 DTRACE_PROBE(zfs__fastpath__execute__access__miss);
2599 ZFS_ENTER(ZTOZSB(zdp));
2600 error = zfs_zaccess(zdp, ACE_EXECUTE, 0, B_FALSE, cr);
2601 ZFS_EXIT(ZTOZSB(zdp));
2602 return (error);
2603 }
2604
2605 /*
2606 * Determine whether Access should be granted/denied.
2607 *
2608 * The least priv subsystem is always consulted as a basic privilege
2609 * can define any form of access.
2610 */
2611 int
2612 zfs_zaccess(znode_t *zp, int mode, int flags, boolean_t skipaclchk, cred_t *cr)
2613 {
2614 uint32_t working_mode;
2615 int error;
2616 int is_attr;
2617 boolean_t check_privs;
2618 znode_t *xzp;
2619 znode_t *check_zp = zp;
2620 mode_t needed_bits;
2621 uid_t owner;
2622
2623 is_attr = ((zp->z_pflags & ZFS_XATTR) && S_ISDIR(ZTOI(zp)->i_mode));
2624
2625 /*
2626 * If attribute then validate against base file
2627 */
2628 if (is_attr) {
2629 if ((error = zfs_zget(ZTOZSB(zp),
2630 zp->z_xattr_parent, &xzp)) != 0) {
2631 return (error);
2632 }
2633
2634 check_zp = xzp;
2635
2636 /*
2637 * fixup mode to map to xattr perms
2638 */
2639
2640 if (mode & (ACE_WRITE_DATA|ACE_APPEND_DATA)) {
2641 mode &= ~(ACE_WRITE_DATA|ACE_APPEND_DATA);
2642 mode |= ACE_WRITE_NAMED_ATTRS;
2643 }
2644
2645 if (mode & (ACE_READ_DATA|ACE_EXECUTE)) {
2646 mode &= ~(ACE_READ_DATA|ACE_EXECUTE);
2647 mode |= ACE_READ_NAMED_ATTRS;
2648 }
2649 }
2650
2651 owner = zfs_fuid_map_id(ZTOZSB(zp), KUID_TO_SUID(ZTOI(zp)->i_uid),
2652 cr, ZFS_OWNER);
2653 /*
2654 * Map the bits required to the standard inode flags
2655 * S_IRUSR|S_IWUSR|S_IXUSR in the needed_bits. Map the bits
2656 * mapped by working_mode (currently missing) in missing_bits.
2657 * Call secpolicy_vnode_access2() with (needed_bits & ~checkmode),
2658 * needed_bits.
2659 */
2660 needed_bits = 0;
2661
2662 working_mode = mode;
2663 if ((working_mode & (ACE_READ_ACL|ACE_READ_ATTRIBUTES)) &&
2664 owner == crgetuid(cr))
2665 working_mode &= ~(ACE_READ_ACL|ACE_READ_ATTRIBUTES);
2666
2667 if (working_mode & (ACE_READ_DATA|ACE_READ_NAMED_ATTRS|
2668 ACE_READ_ACL|ACE_READ_ATTRIBUTES|ACE_SYNCHRONIZE))
2669 needed_bits |= S_IRUSR;
2670 if (working_mode & (ACE_WRITE_DATA|ACE_WRITE_NAMED_ATTRS|
2671 ACE_APPEND_DATA|ACE_WRITE_ATTRIBUTES|ACE_SYNCHRONIZE))
2672 needed_bits |= S_IWUSR;
2673 if (working_mode & ACE_EXECUTE)
2674 needed_bits |= S_IXUSR;
2675
2676 if ((error = zfs_zaccess_common(check_zp, mode, &working_mode,
2677 &check_privs, skipaclchk, cr)) == 0) {
2678 if (is_attr)
2679 zrele(xzp);
2680 return (secpolicy_vnode_access2(cr, ZTOI(zp), owner,
2681 needed_bits, needed_bits));
2682 }
2683
2684 if (error && !check_privs) {
2685 if (is_attr)
2686 zrele(xzp);
2687 return (error);
2688 }
2689
2690 if (error && (flags & V_APPEND)) {
2691 error = zfs_zaccess_append(zp, &working_mode, &check_privs, cr);
2692 }
2693
2694 if (error && check_privs) {
2695 mode_t checkmode = 0;
2696
2697 /*
2698 * First check for implicit owner permission on
2699 * read_acl/read_attributes
2700 */
2701
2702 error = 0;
2703 ASSERT(working_mode != 0);
2704
2705 if ((working_mode & (ACE_READ_ACL|ACE_READ_ATTRIBUTES) &&
2706 owner == crgetuid(cr)))
2707 working_mode &= ~(ACE_READ_ACL|ACE_READ_ATTRIBUTES);
2708
2709 if (working_mode & (ACE_READ_DATA|ACE_READ_NAMED_ATTRS|
2710 ACE_READ_ACL|ACE_READ_ATTRIBUTES|ACE_SYNCHRONIZE))
2711 checkmode |= S_IRUSR;
2712 if (working_mode & (ACE_WRITE_DATA|ACE_WRITE_NAMED_ATTRS|
2713 ACE_APPEND_DATA|ACE_WRITE_ATTRIBUTES|ACE_SYNCHRONIZE))
2714 checkmode |= S_IWUSR;
2715 if (working_mode & ACE_EXECUTE)
2716 checkmode |= S_IXUSR;
2717
2718 error = secpolicy_vnode_access2(cr, ZTOI(check_zp), owner,
2719 needed_bits & ~checkmode, needed_bits);
2720
2721 if (error == 0 && (working_mode & ACE_WRITE_OWNER))
2722 error = secpolicy_vnode_chown(cr, owner);
2723 if (error == 0 && (working_mode & ACE_WRITE_ACL))
2724 error = secpolicy_vnode_setdac(cr, owner);
2725
2726 if (error == 0 && (working_mode &
2727 (ACE_DELETE|ACE_DELETE_CHILD)))
2728 error = secpolicy_vnode_remove(cr);
2729
2730 if (error == 0 && (working_mode & ACE_SYNCHRONIZE)) {
2731 error = secpolicy_vnode_chown(cr, owner);
2732 }
2733 if (error == 0) {
2734 /*
2735 * See if any bits other than those already checked
2736 * for are still present. If so then return EACCES
2737 */
2738 if (working_mode & ~(ZFS_CHECKED_MASKS)) {
2739 error = SET_ERROR(EACCES);
2740 }
2741 }
2742 } else if (error == 0) {
2743 error = secpolicy_vnode_access2(cr, ZTOI(zp), owner,
2744 needed_bits, needed_bits);
2745 }
2746
2747 if (is_attr)
2748 zrele(xzp);
2749
2750 return (error);
2751 }
2752
2753 /*
2754 * Translate traditional unix S_IRUSR/S_IWUSR/S_IXUSR mode into
2755 * NFSv4-style ZFS ACL format and call zfs_zaccess()
2756 */
2757 int
2758 zfs_zaccess_rwx(znode_t *zp, mode_t mode, int flags, cred_t *cr)
2759 {
2760 return (zfs_zaccess(zp, zfs_unix_to_v4(mode >> 6), flags, B_FALSE, cr));
2761 }
2762
2763 /*
2764 * Access function for secpolicy_vnode_setattr
2765 */
2766 int
2767 zfs_zaccess_unix(znode_t *zp, mode_t mode, cred_t *cr)
2768 {
2769 int v4_mode = zfs_unix_to_v4(mode >> 6);
2770
2771 return (zfs_zaccess(zp, v4_mode, 0, B_FALSE, cr));
2772 }
2773
2774 /* See zfs_zaccess_delete() */
2775 static const boolean_t zfs_write_implies_delete_child = B_TRUE;
2776
2777 /*
2778 * Determine whether delete access should be granted.
2779 *
2780 * The following chart outlines how we handle delete permissions which is
2781 * how recent versions of windows (Windows 2008) handles it. The efficiency
2782 * comes from not having to check the parent ACL where the object itself grants
2783 * delete:
2784 *
2785 * -------------------------------------------------------
2786 * | Parent Dir | Target Object Permissions |
2787 * | permissions | |
2788 * -------------------------------------------------------
2789 * | | ACL Allows | ACL Denies| Delete |
2790 * | | Delete | Delete | unspecified|
2791 * -------------------------------------------------------
2792 * | ACL Allows | Permit | Deny * | Permit |
2793 * | DELETE_CHILD | | | |
2794 * -------------------------------------------------------
2795 * | ACL Denies | Permit | Deny | Deny |
2796 * | DELETE_CHILD | | | |
2797 * -------------------------------------------------------
2798 * | ACL specifies | | | |
2799 * | only allow | Permit | Deny * | Permit |
2800 * | write and | | | |
2801 * | execute | | | |
2802 * -------------------------------------------------------
2803 * | ACL denies | | | |
2804 * | write and | Permit | Deny | Deny |
2805 * | execute | | | |
2806 * -------------------------------------------------------
2807 * ^
2808 * |
2809 * Re. execute permission on the directory: if that's missing,
2810 * the vnode lookup of the target will fail before we get here.
2811 *
2812 * Re [*] in the table above: NFSv4 would normally Permit delete for
2813 * these two cells of the matrix.
2814 * See acl.h for notes on which ACE_... flags should be checked for which
2815 * operations. Specifically, the NFSv4 committee recommendation is in
2816 * conflict with the Windows interpretation of DENY ACEs, where DENY ACEs
2817 * should take precedence ahead of ALLOW ACEs.
2818 *
2819 * This implementation always consults the target object's ACL first.
2820 * If a DENY ACE is present on the target object that specifies ACE_DELETE,
2821 * delete access is denied. If an ALLOW ACE with ACE_DELETE is present on
2822 * the target object, access is allowed. If and only if no entries with
2823 * ACE_DELETE are present in the object's ACL, check the container's ACL
2824 * for entries with ACE_DELETE_CHILD.
2825 *
2826 * A summary of the logic implemented from the table above is as follows:
2827 *
2828 * First check for DENY ACEs that apply.
2829 * If either target or container has a deny, EACCES.
2830 *
2831 * Delete access can then be summarized as follows:
2832 * 1: The object to be deleted grants ACE_DELETE, or
2833 * 2: The containing directory grants ACE_DELETE_CHILD.
2834 * In a Windows system, that would be the end of the story.
2835 * In this system, (2) has some complications...
2836 * 2a: "sticky" bit on a directory adds restrictions, and
2837 * 2b: existing ACEs from previous versions of ZFS may
2838 * not carry ACE_DELETE_CHILD where they should, so we
2839 * also allow delete when ACE_WRITE_DATA is granted.
2840 *
2841 * Note: 2b is technically a work-around for a prior bug,
2842 * which hopefully can go away some day. For those who
2843 * no longer need the work around, and for testing, this
2844 * work-around is made conditional via the tunable:
2845 * zfs_write_implies_delete_child
2846 */
2847 int
2848 zfs_zaccess_delete(znode_t *dzp, znode_t *zp, cred_t *cr)
2849 {
2850 uint32_t wanted_dirperms;
2851 uint32_t dzp_working_mode = 0;
2852 uint32_t zp_working_mode = 0;
2853 int dzp_error, zp_error;
2854 boolean_t dzpcheck_privs;
2855 boolean_t zpcheck_privs;
2856
2857 if (zp->z_pflags & (ZFS_IMMUTABLE | ZFS_NOUNLINK))
2858 return (SET_ERROR(EPERM));
2859
2860 /*
2861 * Case 1:
2862 * If target object grants ACE_DELETE then we are done. This is
2863 * indicated by a return value of 0. For this case we don't worry
2864 * about the sticky bit because sticky only applies to the parent
2865 * directory and this is the child access result.
2866 *
2867 * If we encounter a DENY ACE here, we're also done (EACCES).
2868 * Note that if we hit a DENY ACE here (on the target) it should
2869 * take precedence over a DENY ACE on the container, so that when
2870 * we have more complete auditing support we will be able to
2871 * report an access failure against the specific target.
2872 * (This is part of why we're checking the target first.)
2873 */
2874 zp_error = zfs_zaccess_common(zp, ACE_DELETE, &zp_working_mode,
2875 &zpcheck_privs, B_FALSE, cr);
2876 if (zp_error == EACCES) {
2877 /* We hit a DENY ACE. */
2878 if (!zpcheck_privs)
2879 return (SET_ERROR(zp_error));
2880 return (secpolicy_vnode_remove(cr));
2881
2882 }
2883 if (zp_error == 0)
2884 return (0);
2885
2886 /*
2887 * Case 2:
2888 * If the containing directory grants ACE_DELETE_CHILD,
2889 * or we're in backward compatibility mode and the
2890 * containing directory has ACE_WRITE_DATA, allow.
2891 * Case 2b is handled with wanted_dirperms.
2892 */
2893 wanted_dirperms = ACE_DELETE_CHILD;
2894 if (zfs_write_implies_delete_child)
2895 wanted_dirperms |= ACE_WRITE_DATA;
2896 dzp_error = zfs_zaccess_common(dzp, wanted_dirperms,
2897 &dzp_working_mode, &dzpcheck_privs, B_FALSE, cr);
2898 if (dzp_error == EACCES) {
2899 /* We hit a DENY ACE. */
2900 if (!dzpcheck_privs)
2901 return (SET_ERROR(dzp_error));
2902 return (secpolicy_vnode_remove(cr));
2903 }
2904
2905 /*
2906 * Cases 2a, 2b (continued)
2907 *
2908 * Note: dzp_working_mode now contains any permissions
2909 * that were NOT granted. Therefore, if any of the
2910 * wanted_dirperms WERE granted, we will have:
2911 * dzp_working_mode != wanted_dirperms
2912 * We're really asking if ANY of those permissions
2913 * were granted, and if so, grant delete access.
2914 */
2915 if (dzp_working_mode != wanted_dirperms)
2916 dzp_error = 0;
2917
2918 /*
2919 * dzp_error is 0 if the container granted us permissions to "modify".
2920 * If we do not have permission via one or more ACEs, our current
2921 * privileges may still permit us to modify the container.
2922 *
2923 * dzpcheck_privs is false when i.e. the FS is read-only.
2924 * Otherwise, do privilege checks for the container.
2925 */
2926 if (dzp_error != 0 && dzpcheck_privs) {
2927 uid_t owner;
2928
2929 /*
2930 * The secpolicy call needs the requested access and
2931 * the current access mode of the container, but it
2932 * only knows about Unix-style modes (VEXEC, VWRITE),
2933 * so this must condense the fine-grained ACE bits into
2934 * Unix modes.
2935 *
2936 * The VEXEC flag is easy, because we know that has
2937 * always been checked before we get here (during the
2938 * lookup of the target vnode). The container has not
2939 * granted us permissions to "modify", so we do not set
2940 * the VWRITE flag in the current access mode.
2941 */
2942 owner = zfs_fuid_map_id(ZTOZSB(dzp),
2943 KUID_TO_SUID(ZTOI(dzp)->i_uid), cr, ZFS_OWNER);
2944 dzp_error = secpolicy_vnode_access2(cr, ZTOI(dzp),
2945 owner, S_IXUSR, S_IWUSR|S_IXUSR);
2946 }
2947 if (dzp_error != 0) {
2948 /*
2949 * Note: We may have dzp_error = -1 here (from
2950 * zfs_zacess_common). Don't return that.
2951 */
2952 return (SET_ERROR(EACCES));
2953 }
2954
2955
2956 /*
2957 * At this point, we know that the directory permissions allow
2958 * us to modify, but we still need to check for the additional
2959 * restrictions that apply when the "sticky bit" is set.
2960 *
2961 * Yes, zfs_sticky_remove_access() also checks this bit, but
2962 * checking it here and skipping the call below is nice when
2963 * you're watching all of this with dtrace.
2964 */
2965 if ((dzp->z_mode & S_ISVTX) == 0)
2966 return (0);
2967
2968 /*
2969 * zfs_sticky_remove_access will succeed if:
2970 * 1. The sticky bit is absent.
2971 * 2. We pass the sticky bit restrictions.
2972 * 3. We have privileges that always allow file removal.
2973 */
2974 return (zfs_sticky_remove_access(dzp, zp, cr));
2975 }
2976
2977 int
2978 zfs_zaccess_rename(znode_t *sdzp, znode_t *szp, znode_t *tdzp,
2979 znode_t *tzp, cred_t *cr)
2980 {
2981 int add_perm;
2982 int error;
2983
2984 if (szp->z_pflags & ZFS_AV_QUARANTINED)
2985 return (SET_ERROR(EACCES));
2986
2987 add_perm = S_ISDIR(ZTOI(szp)->i_mode) ?
2988 ACE_ADD_SUBDIRECTORY : ACE_ADD_FILE;
2989
2990 /*
2991 * Rename permissions are combination of delete permission +
2992 * add file/subdir permission.
2993 */
2994
2995 /*
2996 * first make sure we do the delete portion.
2997 *
2998 * If that succeeds then check for add_file/add_subdir permissions
2999 */
3000
3001 if ((error = zfs_zaccess_delete(sdzp, szp, cr)))
3002 return (error);
3003
3004 /*
3005 * If we have a tzp, see if we can delete it?
3006 */
3007 if (tzp) {
3008 if ((error = zfs_zaccess_delete(tdzp, tzp, cr)))
3009 return (error);
3010 }
3011
3012 /*
3013 * Now check for add permissions
3014 */
3015 error = zfs_zaccess(tdzp, add_perm, 0, B_FALSE, cr);
3016
3017 return (error);
3018 }
OpenZFS on Linux and FreeBSD