2 * SPDX-License-Identifier: BSD-2-Clause-FreeBSD
4 * Copyright (c) 2008-2010 Edward Tomasz NapieraĆa <trasz@FreeBSD.org>
7 * Redistribution and use in source and binary forms, with or without
8 * modification, are permitted provided that the following conditions
10 * 1. Redistributions of source code must retain the above copyright
11 * notice, this list of conditions and the following disclaimer.
12 * 2. Redistributions in binary form must reproduce the above copyright
13 * notice, this list of conditions and the following disclaimer in the
14 * documentation and/or other materials provided with the distribution.
16 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
17 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
18 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
19 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
20 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
21 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
22 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
23 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
24 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
25 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
30 * ACL support routines specific to NFSv4 access control lists. These are
31 * utility routines for code common across file systems implementing NFSv4
36 #include <sys/cdefs.h>
37 __FBSDID("$FreeBSD$");
39 #include <sys/param.h>
40 #include <sys/kernel.h>
41 #include <sys/module.h>
42 #include <sys/systm.h>
43 #include <sys/mount.h>
45 #include <sys/vnode.h>
46 #include <sys/errno.h>
48 #include <sys/sysctl.h>
55 #define KASSERT(a, b) assert(a)
62 static void acl_nfs4_trivial_from_mode(struct acl *aclp, mode_t mode);
64 static int acl_nfs4_old_semantics = 0;
66 SYSCTL_INT(_vfs, OID_AUTO, acl_nfs4_old_semantics, CTLFLAG_RW,
67 &acl_nfs4_old_semantics, 0, "Use pre-PSARC/2010/029 NFSv4 ACL semantics");
72 } accmode2mask[] = {{VREAD, ACL_READ_DATA},
73 {VWRITE, ACL_WRITE_DATA},
74 {VAPPEND, ACL_APPEND_DATA},
76 {VREAD_NAMED_ATTRS, ACL_READ_NAMED_ATTRS},
77 {VWRITE_NAMED_ATTRS, ACL_WRITE_NAMED_ATTRS},
78 {VDELETE_CHILD, ACL_DELETE_CHILD},
79 {VREAD_ATTRIBUTES, ACL_READ_ATTRIBUTES},
80 {VWRITE_ATTRIBUTES, ACL_WRITE_ATTRIBUTES},
81 {VDELETE, ACL_DELETE},
82 {VREAD_ACL, ACL_READ_ACL},
83 {VWRITE_ACL, ACL_WRITE_ACL},
84 {VWRITE_OWNER, ACL_WRITE_OWNER},
85 {VSYNCHRONIZE, ACL_SYNCHRONIZE},
89 _access_mask_from_accmode(accmode_t accmode)
91 int access_mask = 0, i;
93 for (i = 0; accmode2mask[i].accmode != 0; i++) {
94 if (accmode & accmode2mask[i].accmode)
95 access_mask |= accmode2mask[i].mask;
99 * VAPPEND is just a modifier for VWRITE; if the caller asked
100 * for 'VAPPEND | VWRITE', we want to check for ACL_APPEND_DATA only.
102 if (access_mask & ACL_APPEND_DATA)
103 access_mask &= ~ACL_WRITE_DATA;
105 return (access_mask);
109 * Return 0, iff access is allowed, 1 otherwise.
112 _acl_denies(const struct acl *aclp, int access_mask, struct ucred *cred,
113 int file_uid, int file_gid, int *denied_explicitly)
116 const struct acl_entry *entry;
118 if (denied_explicitly != NULL)
119 *denied_explicitly = 0;
121 KASSERT(aclp->acl_cnt <= ACL_MAX_ENTRIES,
122 ("aclp->acl_cnt <= ACL_MAX_ENTRIES"));
124 for (i = 0; i < aclp->acl_cnt; i++) {
125 entry = &(aclp->acl_entry[i]);
127 if (entry->ae_entry_type != ACL_ENTRY_TYPE_ALLOW &&
128 entry->ae_entry_type != ACL_ENTRY_TYPE_DENY)
130 if (entry->ae_flags & ACL_ENTRY_INHERIT_ONLY)
132 switch (entry->ae_tag) {
134 if (file_uid != cred->cr_uid)
138 if (entry->ae_id != cred->cr_uid)
142 if (!groupmember(file_gid, cred))
146 if (!groupmember(entry->ae_id, cred))
150 KASSERT(entry->ae_tag == ACL_EVERYONE,
151 ("entry->ae_tag == ACL_EVERYONE"));
154 if (entry->ae_entry_type == ACL_ENTRY_TYPE_DENY) {
155 if (entry->ae_perm & access_mask) {
156 if (denied_explicitly != NULL)
157 *denied_explicitly = 1;
162 access_mask &= ~(entry->ae_perm);
163 if (access_mask == 0)
167 if (access_mask == 0)
174 vaccess_acl_nfs4(enum vtype type, uid_t file_uid, gid_t file_gid,
175 struct acl *aclp, accmode_t accmode, struct ucred *cred)
177 accmode_t priv_granted = 0;
178 int denied, explicitly_denied, access_mask, is_directory,
180 mode_t file_mode = 0;
182 KASSERT((accmode & ~(VEXEC | VWRITE | VREAD | VADMIN | VAPPEND |
183 VEXPLICIT_DENY | VREAD_NAMED_ATTRS | VWRITE_NAMED_ATTRS |
184 VDELETE_CHILD | VREAD_ATTRIBUTES | VWRITE_ATTRIBUTES | VDELETE |
185 VREAD_ACL | VWRITE_ACL | VWRITE_OWNER | VSYNCHRONIZE)) == 0,
186 ("invalid bit in accmode"));
187 KASSERT((accmode & VAPPEND) == 0 || (accmode & VWRITE),
188 ("VAPPEND without VWRITE"));
190 if (accmode & VADMIN)
194 * Ignore VSYNCHRONIZE permission.
196 accmode &= ~VSYNCHRONIZE;
198 access_mask = _access_mask_from_accmode(accmode);
206 * File owner is always allowed to read and write the ACL
207 * and basic attributes. This is to prevent a situation
208 * where user would change ACL in a way that prevents him
209 * from undoing the change.
211 if (file_uid == cred->cr_uid)
212 access_mask &= ~(ACL_READ_ACL | ACL_WRITE_ACL |
213 ACL_READ_ATTRIBUTES | ACL_WRITE_ATTRIBUTES);
216 * Ignore append permission for regular files; use write
217 * permission instead.
219 if (!is_directory && (access_mask & ACL_APPEND_DATA)) {
220 access_mask &= ~ACL_APPEND_DATA;
221 access_mask |= ACL_WRITE_DATA;
224 denied = _acl_denies(aclp, access_mask, cred, file_uid, file_gid,
228 if (file_uid != cred->cr_uid)
233 * For VEXEC, ensure that at least one execute bit is set for
234 * non-directories. We have to check the mode here to stay
235 * consistent with execve(2). See the test in
236 * exec_check_permissions().
238 acl_nfs4_sync_mode_from_acl(&file_mode, aclp);
239 if (!denied && !is_directory && (accmode & VEXEC) &&
240 (file_mode & (S_IXUSR | S_IXGRP | S_IXOTH)) == 0)
247 * Access failed. Iff it was not denied explicitly and
248 * VEXPLICIT_DENY flag was specified, allow access.
250 if ((accmode & VEXPLICIT_DENY) && explicitly_denied == 0)
253 accmode &= ~VEXPLICIT_DENY;
256 * No match. Try to use privileges, if there are any.
259 if ((accmode & VEXEC) && !priv_check_cred(cred, PRIV_VFS_LOOKUP))
260 priv_granted |= VEXEC;
263 * Ensure that at least one execute bit is on. Otherwise,
264 * a privileged user will always succeed, and we don't want
265 * this to happen unless the file really is executable.
267 if ((accmode & VEXEC) && (file_mode &
268 (S_IXUSR | S_IXGRP | S_IXOTH)) != 0 &&
269 !priv_check_cred(cred, PRIV_VFS_EXEC))
270 priv_granted |= VEXEC;
273 if ((accmode & VREAD) && !priv_check_cred(cred, PRIV_VFS_READ))
274 priv_granted |= VREAD;
276 if ((accmode & (VWRITE | VAPPEND | VDELETE_CHILD)) &&
277 !priv_check_cred(cred, PRIV_VFS_WRITE))
278 priv_granted |= (VWRITE | VAPPEND | VDELETE_CHILD);
280 if ((accmode & VADMIN_PERMS) &&
281 !priv_check_cred(cred, PRIV_VFS_ADMIN))
282 priv_granted |= VADMIN_PERMS;
284 if ((accmode & VSTAT_PERMS) &&
285 !priv_check_cred(cred, PRIV_VFS_STAT))
286 priv_granted |= VSTAT_PERMS;
288 if ((accmode & priv_granted) == accmode) {
292 if (accmode & (VADMIN_PERMS | VDELETE_CHILD | VDELETE))
302 _acl_entry_matches(struct acl_entry *entry, acl_tag_t tag, acl_perm_t perm,
303 acl_entry_type_t entry_type)
305 if (entry->ae_tag != tag)
308 if (entry->ae_id != ACL_UNDEFINED_ID)
311 if (entry->ae_perm != perm)
314 if (entry->ae_entry_type != entry_type)
317 if (entry->ae_flags != 0)
323 static struct acl_entry *
324 _acl_append(struct acl *aclp, acl_tag_t tag, acl_perm_t perm,
325 acl_entry_type_t entry_type)
327 struct acl_entry *entry;
329 KASSERT(aclp->acl_cnt + 1 <= ACL_MAX_ENTRIES,
330 ("aclp->acl_cnt + 1 <= ACL_MAX_ENTRIES"));
332 entry = &(aclp->acl_entry[aclp->acl_cnt]);
336 entry->ae_id = ACL_UNDEFINED_ID;
337 entry->ae_perm = perm;
338 entry->ae_entry_type = entry_type;
344 static struct acl_entry *
345 _acl_duplicate_entry(struct acl *aclp, unsigned entry_index)
349 KASSERT(aclp->acl_cnt + 1 <= ACL_MAX_ENTRIES,
350 ("aclp->acl_cnt + 1 <= ACL_MAX_ENTRIES"));
352 for (i = aclp->acl_cnt; i > entry_index; i--)
353 aclp->acl_entry[i] = aclp->acl_entry[i - 1];
357 return (&(aclp->acl_entry[entry_index + 1]));
361 acl_nfs4_sync_acl_from_mode_draft(struct acl *aclp, mode_t mode,
364 int meets, must_append;
366 struct acl_entry *entry, *copy, *previous,
367 *a1, *a2, *a3, *a4, *a5, *a6;
370 const int WRITE = 02;
373 KASSERT(aclp->acl_cnt <= ACL_MAX_ENTRIES,
374 ("aclp->acl_cnt <= ACL_MAX_ENTRIES"));
377 * NFSv4 Minor Version 1, draft-ietf-nfsv4-minorversion1-03.txt
379 * 3.16.6.3. Applying a Mode to an Existing ACL
385 for (i = 0; i < aclp->acl_cnt; i++) {
386 entry = &(aclp->acl_entry[i]);
389 * 1.1. If the type is neither ALLOW or DENY - skip.
391 if (entry->ae_entry_type != ACL_ENTRY_TYPE_ALLOW &&
392 entry->ae_entry_type != ACL_ENTRY_TYPE_DENY)
396 * 1.2. If ACL_ENTRY_INHERIT_ONLY is set - skip.
398 if (entry->ae_flags & ACL_ENTRY_INHERIT_ONLY)
402 * 1.3. If ACL_ENTRY_FILE_INHERIT or ACL_ENTRY_DIRECTORY_INHERIT
405 if (entry->ae_flags &
406 (ACL_ENTRY_FILE_INHERIT | ACL_ENTRY_DIRECTORY_INHERIT)) {
408 * 1.3.1. A copy of the current ACE is made, and placed
409 * in the ACL immediately following the current
412 copy = _acl_duplicate_entry(aclp, i);
415 * 1.3.2. In the first ACE, the flag
416 * ACL_ENTRY_INHERIT_ONLY is set.
418 entry->ae_flags |= ACL_ENTRY_INHERIT_ONLY;
421 * 1.3.3. In the second ACE, the following flags
423 * ACL_ENTRY_FILE_INHERIT,
424 * ACL_ENTRY_DIRECTORY_INHERIT,
425 * ACL_ENTRY_NO_PROPAGATE_INHERIT.
427 copy->ae_flags &= ~(ACL_ENTRY_FILE_INHERIT |
428 ACL_ENTRY_DIRECTORY_INHERIT |
429 ACL_ENTRY_NO_PROPAGATE_INHERIT);
432 * The algorithm continues on with the second ACE.
439 * 1.4. If it's owner@, group@ or everyone@ entry, clear
440 * ACL_READ_DATA, ACL_WRITE_DATA, ACL_APPEND_DATA
441 * and ACL_EXECUTE. Continue to the next entry.
443 if (entry->ae_tag == ACL_USER_OBJ ||
444 entry->ae_tag == ACL_GROUP_OBJ ||
445 entry->ae_tag == ACL_EVERYONE) {
446 entry->ae_perm &= ~(ACL_READ_DATA | ACL_WRITE_DATA |
447 ACL_APPEND_DATA | ACL_EXECUTE);
452 * 1.5. Otherwise, if the "who" field did not match one
453 * of OWNER@, GROUP@, EVERYONE@:
455 * 1.5.1. If the type is ALLOW, check the preceding ACE.
456 * If it does not meet all of the following criteria:
458 if (entry->ae_entry_type != ACL_ENTRY_TYPE_ALLOW)
464 previous = &(aclp->acl_entry[i - 1]);
467 * 1.5.1.1. The type field is DENY,
469 if (previous->ae_entry_type != ACL_ENTRY_TYPE_DENY)
473 * 1.5.1.2. The "who" field is the same as the current
476 * 1.5.1.3. The flag bit ACE4_IDENTIFIER_GROUP
477 * is the same as it is in the current ACE,
478 * and no other flag bits are set,
480 if (previous->ae_id != entry->ae_id ||
481 previous->ae_tag != entry->ae_tag)
484 if (previous->ae_flags)
488 * 1.5.1.4. The mask bits are a subset of the mask bits
489 * of the current ACE, and are also subset of
490 * the following: ACL_READ_DATA,
491 * ACL_WRITE_DATA, ACL_APPEND_DATA, ACL_EXECUTE
493 if (previous->ae_perm & ~(entry->ae_perm))
496 if (previous->ae_perm & ~(ACL_READ_DATA |
497 ACL_WRITE_DATA | ACL_APPEND_DATA | ACL_EXECUTE))
503 * Then the ACE of type DENY, with a who equal
504 * to the current ACE, flag bits equal to
505 * (<current ACE flags> & <ACE_IDENTIFIER_GROUP>)
506 * and no mask bits, is prepended.
509 entry = _acl_duplicate_entry(aclp, i);
511 /* Adjust counter, as we've just added an entry. */
514 previous->ae_tag = entry->ae_tag;
515 previous->ae_id = entry->ae_id;
516 previous->ae_flags = entry->ae_flags;
517 previous->ae_perm = 0;
518 previous->ae_entry_type = ACL_ENTRY_TYPE_DENY;
522 * 1.5.2. The following modifications are made to the prepended
523 * ACE. The intent is to mask the following ACE
524 * to disallow ACL_READ_DATA, ACL_WRITE_DATA,
525 * ACL_APPEND_DATA, or ACL_EXECUTE, based upon the group
526 * permissions of the new mode. As a special case,
527 * if the ACE matches the current owner of the file,
528 * the owner bits are used, rather than the group bits.
529 * This is reflected in the algorithm below.
534 * If ACE4_IDENTIFIER_GROUP is not set, and the "who" field
535 * in ACE matches the owner of the file, we shift amode three
536 * more bits, in order to have the owner permission bits
537 * placed in the three low order bits of amode.
539 if (entry->ae_tag == ACL_USER && entry->ae_id == file_owner_id)
542 if (entry->ae_perm & ACL_READ_DATA) {
544 previous->ae_perm &= ~ACL_READ_DATA;
546 previous->ae_perm |= ACL_READ_DATA;
549 if (entry->ae_perm & ACL_WRITE_DATA) {
551 previous->ae_perm &= ~ACL_WRITE_DATA;
553 previous->ae_perm |= ACL_WRITE_DATA;
556 if (entry->ae_perm & ACL_APPEND_DATA) {
558 previous->ae_perm &= ~ACL_APPEND_DATA;
560 previous->ae_perm |= ACL_APPEND_DATA;
563 if (entry->ae_perm & ACL_EXECUTE) {
565 previous->ae_perm &= ~ACL_EXECUTE;
567 previous->ae_perm |= ACL_EXECUTE;
571 * 1.5.3. If ACE4_IDENTIFIER_GROUP is set in the flags
574 * XXX: This point is not there in the Falkner's draft.
576 if (entry->ae_tag == ACL_GROUP &&
577 entry->ae_entry_type == ACL_ENTRY_TYPE_ALLOW) {
578 mode_t extramode, ownermode;
579 extramode = (mode >> 3) & 07;
580 ownermode = mode >> 6;
581 extramode &= ~ownermode;
584 if (extramode & READ) {
585 entry->ae_perm &= ~ACL_READ_DATA;
586 previous->ae_perm &= ~ACL_READ_DATA;
589 if (extramode & WRITE) {
591 ~(ACL_WRITE_DATA | ACL_APPEND_DATA);
593 ~(ACL_WRITE_DATA | ACL_APPEND_DATA);
596 if (extramode & EXEC) {
597 entry->ae_perm &= ~ACL_EXECUTE;
598 previous->ae_perm &= ~ACL_EXECUTE;
605 * 2. If there at least six ACEs, the final six ACEs are examined.
606 * If they are not equal to what we want, append six ACEs.
609 if (aclp->acl_cnt < 6) {
612 a6 = &(aclp->acl_entry[aclp->acl_cnt - 1]);
613 a5 = &(aclp->acl_entry[aclp->acl_cnt - 2]);
614 a4 = &(aclp->acl_entry[aclp->acl_cnt - 3]);
615 a3 = &(aclp->acl_entry[aclp->acl_cnt - 4]);
616 a2 = &(aclp->acl_entry[aclp->acl_cnt - 5]);
617 a1 = &(aclp->acl_entry[aclp->acl_cnt - 6]);
619 if (!_acl_entry_matches(a1, ACL_USER_OBJ, 0,
620 ACL_ENTRY_TYPE_DENY))
622 if (!_acl_entry_matches(a2, ACL_USER_OBJ, ACL_WRITE_ACL |
623 ACL_WRITE_OWNER | ACL_WRITE_ATTRIBUTES |
624 ACL_WRITE_NAMED_ATTRS, ACL_ENTRY_TYPE_ALLOW))
626 if (!_acl_entry_matches(a3, ACL_GROUP_OBJ, 0,
627 ACL_ENTRY_TYPE_DENY))
629 if (!_acl_entry_matches(a4, ACL_GROUP_OBJ, 0,
630 ACL_ENTRY_TYPE_ALLOW))
632 if (!_acl_entry_matches(a5, ACL_EVERYONE, ACL_WRITE_ACL |
633 ACL_WRITE_OWNER | ACL_WRITE_ATTRIBUTES |
634 ACL_WRITE_NAMED_ATTRS, ACL_ENTRY_TYPE_DENY))
636 if (!_acl_entry_matches(a6, ACL_EVERYONE, ACL_READ_ACL |
637 ACL_READ_ATTRIBUTES | ACL_READ_NAMED_ATTRS |
638 ACL_SYNCHRONIZE, ACL_ENTRY_TYPE_ALLOW))
643 KASSERT(aclp->acl_cnt + 6 <= ACL_MAX_ENTRIES,
644 ("aclp->acl_cnt <= ACL_MAX_ENTRIES"));
646 a1 = _acl_append(aclp, ACL_USER_OBJ, 0, ACL_ENTRY_TYPE_DENY);
647 a2 = _acl_append(aclp, ACL_USER_OBJ, ACL_WRITE_ACL |
648 ACL_WRITE_OWNER | ACL_WRITE_ATTRIBUTES |
649 ACL_WRITE_NAMED_ATTRS, ACL_ENTRY_TYPE_ALLOW);
650 a3 = _acl_append(aclp, ACL_GROUP_OBJ, 0, ACL_ENTRY_TYPE_DENY);
651 a4 = _acl_append(aclp, ACL_GROUP_OBJ, 0, ACL_ENTRY_TYPE_ALLOW);
652 a5 = _acl_append(aclp, ACL_EVERYONE, ACL_WRITE_ACL |
653 ACL_WRITE_OWNER | ACL_WRITE_ATTRIBUTES |
654 ACL_WRITE_NAMED_ATTRS, ACL_ENTRY_TYPE_DENY);
655 a6 = _acl_append(aclp, ACL_EVERYONE, ACL_READ_ACL |
656 ACL_READ_ATTRIBUTES | ACL_READ_NAMED_ATTRS |
657 ACL_SYNCHRONIZE, ACL_ENTRY_TYPE_ALLOW);
659 KASSERT(a1 != NULL && a2 != NULL && a3 != NULL && a4 != NULL &&
660 a5 != NULL && a6 != NULL, ("couldn't append to ACL."));
664 * 3. The final six ACEs are adjusted according to the incoming mode.
667 a2->ae_perm |= ACL_READ_DATA;
669 a1->ae_perm |= ACL_READ_DATA;
671 a2->ae_perm |= (ACL_WRITE_DATA | ACL_APPEND_DATA);
673 a1->ae_perm |= (ACL_WRITE_DATA | ACL_APPEND_DATA);
675 a2->ae_perm |= ACL_EXECUTE;
677 a1->ae_perm |= ACL_EXECUTE;
680 a4->ae_perm |= ACL_READ_DATA;
682 a3->ae_perm |= ACL_READ_DATA;
684 a4->ae_perm |= (ACL_WRITE_DATA | ACL_APPEND_DATA);
686 a3->ae_perm |= (ACL_WRITE_DATA | ACL_APPEND_DATA);
688 a4->ae_perm |= ACL_EXECUTE;
690 a3->ae_perm |= ACL_EXECUTE;
693 a6->ae_perm |= ACL_READ_DATA;
695 a5->ae_perm |= ACL_READ_DATA;
697 a6->ae_perm |= (ACL_WRITE_DATA | ACL_APPEND_DATA);
699 a5->ae_perm |= (ACL_WRITE_DATA | ACL_APPEND_DATA);
701 a6->ae_perm |= ACL_EXECUTE;
703 a5->ae_perm |= ACL_EXECUTE;
708 acl_nfs4_sync_acl_from_mode(struct acl *aclp, mode_t mode,
712 if (acl_nfs4_old_semantics)
713 acl_nfs4_sync_acl_from_mode_draft(aclp, mode, file_owner_id);
715 acl_nfs4_trivial_from_mode(aclp, mode);
720 acl_nfs4_sync_mode_from_acl(mode_t *_mode, const struct acl *aclp)
723 mode_t old_mode = *_mode, mode = 0, seen = 0;
724 const struct acl_entry *entry;
726 KASSERT(aclp->acl_cnt <= ACL_MAX_ENTRIES,
727 ("aclp->acl_cnt <= ACL_MAX_ENTRIES"));
730 * NFSv4 Minor Version 1, draft-ietf-nfsv4-minorversion1-03.txt
732 * 3.16.6.1. Recomputing mode upon SETATTR of ACL
735 for (i = 0; i < aclp->acl_cnt; i++) {
736 entry = &(aclp->acl_entry[i]);
738 if (entry->ae_entry_type != ACL_ENTRY_TYPE_ALLOW &&
739 entry->ae_entry_type != ACL_ENTRY_TYPE_DENY)
742 if (entry->ae_flags & ACL_ENTRY_INHERIT_ONLY)
745 if (entry->ae_tag == ACL_USER_OBJ) {
746 if ((entry->ae_perm & ACL_READ_DATA) &&
747 ((seen & S_IRUSR) == 0)) {
749 if (entry->ae_entry_type == ACL_ENTRY_TYPE_ALLOW)
752 if ((entry->ae_perm & ACL_WRITE_DATA) &&
753 ((seen & S_IWUSR) == 0)) {
755 if (entry->ae_entry_type == ACL_ENTRY_TYPE_ALLOW)
758 if ((entry->ae_perm & ACL_EXECUTE) &&
759 ((seen & S_IXUSR) == 0)) {
761 if (entry->ae_entry_type == ACL_ENTRY_TYPE_ALLOW)
764 } else if (entry->ae_tag == ACL_GROUP_OBJ) {
765 if ((entry->ae_perm & ACL_READ_DATA) &&
766 ((seen & S_IRGRP) == 0)) {
768 if (entry->ae_entry_type == ACL_ENTRY_TYPE_ALLOW)
771 if ((entry->ae_perm & ACL_WRITE_DATA) &&
772 ((seen & S_IWGRP) == 0)) {
774 if (entry->ae_entry_type == ACL_ENTRY_TYPE_ALLOW)
777 if ((entry->ae_perm & ACL_EXECUTE) &&
778 ((seen & S_IXGRP) == 0)) {
780 if (entry->ae_entry_type == ACL_ENTRY_TYPE_ALLOW)
783 } else if (entry->ae_tag == ACL_EVERYONE) {
784 if (entry->ae_perm & ACL_READ_DATA) {
785 if ((seen & S_IRUSR) == 0) {
787 if (entry->ae_entry_type == ACL_ENTRY_TYPE_ALLOW)
790 if ((seen & S_IRGRP) == 0) {
792 if (entry->ae_entry_type == ACL_ENTRY_TYPE_ALLOW)
795 if ((seen & S_IROTH) == 0) {
797 if (entry->ae_entry_type == ACL_ENTRY_TYPE_ALLOW)
801 if (entry->ae_perm & ACL_WRITE_DATA) {
802 if ((seen & S_IWUSR) == 0) {
804 if (entry->ae_entry_type == ACL_ENTRY_TYPE_ALLOW)
807 if ((seen & S_IWGRP) == 0) {
809 if (entry->ae_entry_type == ACL_ENTRY_TYPE_ALLOW)
812 if ((seen & S_IWOTH) == 0) {
814 if (entry->ae_entry_type == ACL_ENTRY_TYPE_ALLOW)
818 if (entry->ae_perm & ACL_EXECUTE) {
819 if ((seen & S_IXUSR) == 0) {
821 if (entry->ae_entry_type == ACL_ENTRY_TYPE_ALLOW)
824 if ((seen & S_IXGRP) == 0) {
826 if (entry->ae_entry_type == ACL_ENTRY_TYPE_ALLOW)
829 if ((seen & S_IXOTH) == 0) {
831 if (entry->ae_entry_type == ACL_ENTRY_TYPE_ALLOW)
838 *_mode = mode | (old_mode & ACL_PRESERVE_MASK);
843 * Calculate inherited ACL in a manner compatible with NFSv4 Minor Version 1,
844 * draft-ietf-nfsv4-minorversion1-03.txt.
847 acl_nfs4_compute_inherited_acl_draft(const struct acl *parent_aclp,
848 struct acl *child_aclp, mode_t mode, int file_owner_id,
852 const struct acl_entry *parent_entry;
853 struct acl_entry *entry, *copy;
855 KASSERT(child_aclp->acl_cnt == 0, ("child_aclp->acl_cnt == 0"));
856 KASSERT(parent_aclp->acl_cnt <= ACL_MAX_ENTRIES,
857 ("parent_aclp->acl_cnt <= ACL_MAX_ENTRIES"));
860 * NFSv4 Minor Version 1, draft-ietf-nfsv4-minorversion1-03.txt
862 * 3.16.6.2. Applying the mode given to CREATE or OPEN
863 * to an inherited ACL
867 * 1. Form an ACL that is the concatenation of all inheritable ACEs.
869 for (i = 0; i < parent_aclp->acl_cnt; i++) {
870 parent_entry = &(parent_aclp->acl_entry[i]);
871 flags = parent_entry->ae_flags;
874 * Entry is not inheritable at all.
876 if ((flags & (ACL_ENTRY_DIRECTORY_INHERIT |
877 ACL_ENTRY_FILE_INHERIT)) == 0)
881 * We're creating a file, but entry is not inheritable
884 if (!is_directory && (flags & ACL_ENTRY_FILE_INHERIT) == 0)
888 * Entry is inheritable only by files, but has NO_PROPAGATE
889 * flag set, and we're creating a directory, so it wouldn't
890 * propagate to any file in that directory anyway.
893 (flags & ACL_ENTRY_DIRECTORY_INHERIT) == 0 &&
894 (flags & ACL_ENTRY_NO_PROPAGATE_INHERIT))
897 KASSERT(child_aclp->acl_cnt + 1 <= ACL_MAX_ENTRIES,
898 ("child_aclp->acl_cnt + 1 <= ACL_MAX_ENTRIES"));
899 child_aclp->acl_entry[child_aclp->acl_cnt] = *parent_entry;
900 child_aclp->acl_cnt++;
904 * 2. For each entry in the new ACL, adjust its flags, possibly
905 * creating two entries in place of one.
907 for (i = 0; i < child_aclp->acl_cnt; i++) {
908 entry = &(child_aclp->acl_entry[i]);
911 * This is not in the specification, but SunOS
912 * apparently does that.
914 if (((entry->ae_flags & ACL_ENTRY_NO_PROPAGATE_INHERIT) ||
916 entry->ae_entry_type == ACL_ENTRY_TYPE_ALLOW)
917 entry->ae_perm &= ~(ACL_WRITE_ACL | ACL_WRITE_OWNER);
920 * 2.A. If the ACL_ENTRY_NO_PROPAGATE_INHERIT is set, or if the object
921 * being created is not a directory, then clear the
922 * following flags: ACL_ENTRY_NO_PROPAGATE_INHERIT,
923 * ACL_ENTRY_FILE_INHERIT, ACL_ENTRY_DIRECTORY_INHERIT,
924 * ACL_ENTRY_INHERIT_ONLY.
926 if (entry->ae_flags & ACL_ENTRY_NO_PROPAGATE_INHERIT ||
928 entry->ae_flags &= ~(ACL_ENTRY_NO_PROPAGATE_INHERIT |
929 ACL_ENTRY_FILE_INHERIT | ACL_ENTRY_DIRECTORY_INHERIT |
930 ACL_ENTRY_INHERIT_ONLY);
933 * Continue on to the next ACE.
939 * 2.B. If the object is a directory and ACL_ENTRY_FILE_INHERIT
940 * is set, but ACL_ENTRY_NO_PROPAGATE_INHERIT is not set, ensure
941 * that ACL_ENTRY_INHERIT_ONLY is set. Continue to the
942 * next ACE. Otherwise...
945 * XXX: Read it again and make sure what does the "otherwise"
949 (entry->ae_flags & ACL_ENTRY_FILE_INHERIT) &&
950 ((entry->ae_flags & ACL_ENTRY_DIRECTORY_INHERIT) == 0)) {
951 entry->ae_flags |= ACL_ENTRY_INHERIT_ONLY;
956 * 2.C. If the type of the ACE is neither ALLOW nor deny,
959 if (entry->ae_entry_type != ACL_ENTRY_TYPE_ALLOW &&
960 entry->ae_entry_type != ACL_ENTRY_TYPE_DENY)
964 * 2.D. Copy the original ACE into a second, adjacent ACE.
966 copy = _acl_duplicate_entry(child_aclp, i);
969 * 2.E. On the first ACE, ensure that ACL_ENTRY_INHERIT_ONLY
972 entry->ae_flags |= ACL_ENTRY_INHERIT_ONLY;
975 * 2.F. On the second ACE, clear the following flags:
976 * ACL_ENTRY_NO_PROPAGATE_INHERIT, ACL_ENTRY_FILE_INHERIT,
977 * ACL_ENTRY_DIRECTORY_INHERIT, ACL_ENTRY_INHERIT_ONLY.
979 copy->ae_flags &= ~(ACL_ENTRY_NO_PROPAGATE_INHERIT |
980 ACL_ENTRY_FILE_INHERIT | ACL_ENTRY_DIRECTORY_INHERIT |
981 ACL_ENTRY_INHERIT_ONLY);
984 * 2.G. On the second ACE, if the type is ALLOW,
985 * an implementation MAY clear the following
986 * mask bits: ACL_WRITE_ACL, ACL_WRITE_OWNER.
988 if (copy->ae_entry_type == ACL_ENTRY_TYPE_ALLOW)
989 copy->ae_perm &= ~(ACL_WRITE_ACL | ACL_WRITE_OWNER);
992 * Increment the counter to skip the copied entry.
998 * 3. To ensure that the mode is honored, apply the algorithm describe
999 * in Section 2.16.6.3, using the mode that is to be used for file
1002 acl_nfs4_sync_acl_from_mode(child_aclp, mode, file_owner_id);
1004 #endif /* _KERNEL */
1007 * Populate the ACL with entries inherited from parent_aclp.
1010 acl_nfs4_inherit_entries(const struct acl *parent_aclp,
1011 struct acl *child_aclp, mode_t mode, int file_owner_id,
1015 const struct acl_entry *parent_entry;
1016 struct acl_entry *entry;
1018 KASSERT(parent_aclp->acl_cnt <= ACL_MAX_ENTRIES,
1019 ("parent_aclp->acl_cnt <= ACL_MAX_ENTRIES"));
1021 for (i = 0; i < parent_aclp->acl_cnt; i++) {
1022 parent_entry = &(parent_aclp->acl_entry[i]);
1023 flags = parent_entry->ae_flags;
1024 tag = parent_entry->ae_tag;
1027 * Don't inherit owner@, group@, or everyone@ entries.
1029 if (tag == ACL_USER_OBJ || tag == ACL_GROUP_OBJ ||
1030 tag == ACL_EVERYONE)
1034 * Entry is not inheritable at all.
1036 if ((flags & (ACL_ENTRY_DIRECTORY_INHERIT |
1037 ACL_ENTRY_FILE_INHERIT)) == 0)
1041 * We're creating a file, but entry is not inheritable
1044 if (!is_directory && (flags & ACL_ENTRY_FILE_INHERIT) == 0)
1048 * Entry is inheritable only by files, but has NO_PROPAGATE
1049 * flag set, and we're creating a directory, so it wouldn't
1050 * propagate to any file in that directory anyway.
1053 (flags & ACL_ENTRY_DIRECTORY_INHERIT) == 0 &&
1054 (flags & ACL_ENTRY_NO_PROPAGATE_INHERIT))
1058 * Entry qualifies for being inherited.
1060 KASSERT(child_aclp->acl_cnt + 1 <= ACL_MAX_ENTRIES,
1061 ("child_aclp->acl_cnt + 1 <= ACL_MAX_ENTRIES"));
1062 entry = &(child_aclp->acl_entry[child_aclp->acl_cnt]);
1063 *entry = *parent_entry;
1064 child_aclp->acl_cnt++;
1066 entry->ae_flags &= ~ACL_ENTRY_INHERIT_ONLY;
1067 entry->ae_flags |= ACL_ENTRY_INHERITED;
1070 * If the type of the ACE is neither ALLOW nor DENY,
1071 * then leave it as it is and proceed to the next one.
1073 if (entry->ae_entry_type != ACL_ENTRY_TYPE_ALLOW &&
1074 entry->ae_entry_type != ACL_ENTRY_TYPE_DENY)
1078 * If the ACL_ENTRY_NO_PROPAGATE_INHERIT is set, or if
1079 * the object being created is not a directory, then clear
1080 * the following flags: ACL_ENTRY_NO_PROPAGATE_INHERIT,
1081 * ACL_ENTRY_FILE_INHERIT, ACL_ENTRY_DIRECTORY_INHERIT,
1082 * ACL_ENTRY_INHERIT_ONLY.
1084 if (entry->ae_flags & ACL_ENTRY_NO_PROPAGATE_INHERIT ||
1086 entry->ae_flags &= ~(ACL_ENTRY_NO_PROPAGATE_INHERIT |
1087 ACL_ENTRY_FILE_INHERIT | ACL_ENTRY_DIRECTORY_INHERIT |
1088 ACL_ENTRY_INHERIT_ONLY);
1092 * If the object is a directory and ACL_ENTRY_FILE_INHERIT
1093 * is set, but ACL_ENTRY_DIRECTORY_INHERIT is not set, ensure
1094 * that ACL_ENTRY_INHERIT_ONLY is set.
1097 (entry->ae_flags & ACL_ENTRY_FILE_INHERIT) &&
1098 ((entry->ae_flags & ACL_ENTRY_DIRECTORY_INHERIT) == 0)) {
1099 entry->ae_flags |= ACL_ENTRY_INHERIT_ONLY;
1102 if (entry->ae_entry_type == ACL_ENTRY_TYPE_ALLOW &&
1103 (entry->ae_flags & ACL_ENTRY_INHERIT_ONLY) == 0) {
1105 * Some permissions must never be inherited.
1107 entry->ae_perm &= ~(ACL_WRITE_ACL | ACL_WRITE_OWNER |
1108 ACL_WRITE_NAMED_ATTRS | ACL_WRITE_ATTRIBUTES);
1111 * Others must be masked according to the file mode.
1113 if ((mode & S_IRGRP) == 0)
1114 entry->ae_perm &= ~ACL_READ_DATA;
1115 if ((mode & S_IWGRP) == 0)
1117 ~(ACL_WRITE_DATA | ACL_APPEND_DATA);
1118 if ((mode & S_IXGRP) == 0)
1119 entry->ae_perm &= ~ACL_EXECUTE;
1125 * Calculate inherited ACL in a manner compatible with PSARC/2010/029.
1126 * It's also being used to calculate a trivial ACL, by inheriting from
1130 acl_nfs4_compute_inherited_acl_psarc(const struct acl *parent_aclp,
1131 struct acl *aclp, mode_t mode, int file_owner_id, int is_directory)
1133 acl_perm_t user_allow_first = 0, user_deny = 0, group_deny = 0;
1134 acl_perm_t user_allow, group_allow, everyone_allow;
1136 KASSERT(aclp->acl_cnt == 0, ("aclp->acl_cnt == 0"));
1138 user_allow = group_allow = everyone_allow = ACL_READ_ACL |
1139 ACL_READ_ATTRIBUTES | ACL_READ_NAMED_ATTRS | ACL_SYNCHRONIZE;
1140 user_allow |= ACL_WRITE_ACL | ACL_WRITE_OWNER | ACL_WRITE_ATTRIBUTES |
1141 ACL_WRITE_NAMED_ATTRS;
1144 user_allow |= ACL_READ_DATA;
1146 user_allow |= (ACL_WRITE_DATA | ACL_APPEND_DATA);
1148 user_allow |= ACL_EXECUTE;
1151 group_allow |= ACL_READ_DATA;
1153 group_allow |= (ACL_WRITE_DATA | ACL_APPEND_DATA);
1155 group_allow |= ACL_EXECUTE;
1158 everyone_allow |= ACL_READ_DATA;
1160 everyone_allow |= (ACL_WRITE_DATA | ACL_APPEND_DATA);
1162 everyone_allow |= ACL_EXECUTE;
1164 user_deny = ((group_allow | everyone_allow) & ~user_allow);
1165 group_deny = everyone_allow & ~group_allow;
1166 user_allow_first = group_deny & ~user_deny;
1168 if (user_allow_first != 0)
1169 _acl_append(aclp, ACL_USER_OBJ, user_allow_first,
1170 ACL_ENTRY_TYPE_ALLOW);
1172 _acl_append(aclp, ACL_USER_OBJ, user_deny,
1173 ACL_ENTRY_TYPE_DENY);
1174 if (group_deny != 0)
1175 _acl_append(aclp, ACL_GROUP_OBJ, group_deny,
1176 ACL_ENTRY_TYPE_DENY);
1178 if (parent_aclp != NULL)
1179 acl_nfs4_inherit_entries(parent_aclp, aclp, mode,
1180 file_owner_id, is_directory);
1182 _acl_append(aclp, ACL_USER_OBJ, user_allow, ACL_ENTRY_TYPE_ALLOW);
1183 _acl_append(aclp, ACL_GROUP_OBJ, group_allow, ACL_ENTRY_TYPE_ALLOW);
1184 _acl_append(aclp, ACL_EVERYONE, everyone_allow, ACL_ENTRY_TYPE_ALLOW);
1189 acl_nfs4_compute_inherited_acl(const struct acl *parent_aclp,
1190 struct acl *child_aclp, mode_t mode, int file_owner_id,
1194 if (acl_nfs4_old_semantics)
1195 acl_nfs4_compute_inherited_acl_draft(parent_aclp, child_aclp,
1196 mode, file_owner_id, is_directory);
1198 acl_nfs4_compute_inherited_acl_psarc(parent_aclp, child_aclp,
1199 mode, file_owner_id, is_directory);
1201 #endif /* _KERNEL */
1204 * Calculate trivial ACL in a manner compatible with PSARC/2010/029.
1205 * Note that this results in an ACL different from (but semantically
1206 * equal to) the "canonical six" trivial ACL computed using algorithm
1207 * described in draft-ietf-nfsv4-minorversion1-03.txt, 3.16.6.2.
1210 acl_nfs4_trivial_from_mode(struct acl *aclp, mode_t mode)
1214 acl_nfs4_compute_inherited_acl_psarc(NULL, aclp, mode, -1, -1);
1219 * This routine is used by libc to implement acl_strip_np(3)
1220 * and acl_is_trivial_np(3).
1223 acl_nfs4_trivial_from_mode_libc(struct acl *aclp, int mode, int canonical_six)
1228 acl_nfs4_sync_acl_from_mode_draft(aclp, mode, -1);
1230 acl_nfs4_trivial_from_mode(aclp, mode);
1232 #endif /* !_KERNEL */
1236 _acls_are_equal(const struct acl *a, const struct acl *b)
1239 const struct acl_entry *entrya, *entryb;
1241 if (a->acl_cnt != b->acl_cnt)
1244 for (i = 0; i < b->acl_cnt; i++) {
1245 entrya = &(a->acl_entry[i]);
1246 entryb = &(b->acl_entry[i]);
1248 if (entrya->ae_tag != entryb->ae_tag ||
1249 entrya->ae_id != entryb->ae_id ||
1250 entrya->ae_perm != entryb->ae_perm ||
1251 entrya->ae_entry_type != entryb->ae_entry_type ||
1252 entrya->ae_flags != entryb->ae_flags)
1260 * This routine is used to determine whether to remove extended attribute
1261 * that stores ACL contents.
1264 acl_nfs4_is_trivial(const struct acl *aclp, int file_owner_id)
1268 struct acl *tmpaclp;
1270 if (aclp->acl_cnt > 6)
1274 * Compute the mode from the ACL, then compute new ACL from that mode.
1275 * If the ACLs are identical, then the ACL is trivial.
1277 * XXX: I guess there is a faster way to do this. However, even
1278 * this slow implementation significantly speeds things up
1279 * for files that don't have non-trivial ACLs - it's critical
1280 * for performance to not use EA when they are not needed.
1282 * First try the PSARC/2010/029 semantics.
1284 tmpaclp = acl_alloc(M_WAITOK | M_ZERO);
1285 acl_nfs4_sync_mode_from_acl(&tmpmode, aclp);
1286 acl_nfs4_trivial_from_mode(tmpaclp, tmpmode);
1287 trivial = _acls_are_equal(aclp, tmpaclp);
1294 * Check if it's a draft-ietf-nfsv4-minorversion1-03.txt trivial ACL.
1296 tmpaclp->acl_cnt = 0;
1297 acl_nfs4_sync_acl_from_mode_draft(tmpaclp, tmpmode, file_owner_id);
1298 trivial = _acls_are_equal(aclp, tmpaclp);
1303 #endif /* _KERNEL */
1306 acl_nfs4_check(const struct acl *aclp, int is_directory)
1309 const struct acl_entry *entry;
1312 * The spec doesn't seem to say anything about ACL validity.
1313 * It seems there is not much to do here. There is even no need
1314 * to count "owner@" or "everyone@" (ACL_USER_OBJ and ACL_EVERYONE)
1315 * entries, as there can be several of them and that's perfectly
1316 * valid. There can be none of them too. Really.
1319 if (aclp->acl_cnt > ACL_MAX_ENTRIES || aclp->acl_cnt <= 0)
1322 for (i = 0; i < aclp->acl_cnt; i++) {
1323 entry = &(aclp->acl_entry[i]);
1325 switch (entry->ae_tag) {
1329 if (entry->ae_id != ACL_UNDEFINED_ID)
1335 if (entry->ae_id == ACL_UNDEFINED_ID)
1343 if ((entry->ae_perm | ACL_NFS4_PERM_BITS) != ACL_NFS4_PERM_BITS)
1347 * Disallow ACL_ENTRY_TYPE_AUDIT and ACL_ENTRY_TYPE_ALARM for now.
1349 if (entry->ae_entry_type != ACL_ENTRY_TYPE_ALLOW &&
1350 entry->ae_entry_type != ACL_ENTRY_TYPE_DENY)
1353 if ((entry->ae_flags | ACL_FLAGS_BITS) != ACL_FLAGS_BITS)
1356 /* Disallow unimplemented flags. */
1357 if (entry->ae_flags & (ACL_ENTRY_SUCCESSFUL_ACCESS |
1358 ACL_ENTRY_FAILED_ACCESS))
1361 /* Disallow flags not allowed for ordinary files. */
1362 if (!is_directory) {
1363 if (entry->ae_flags & (ACL_ENTRY_FILE_INHERIT |
1364 ACL_ENTRY_DIRECTORY_INHERIT |
1365 ACL_ENTRY_NO_PROPAGATE_INHERIT | ACL_ENTRY_INHERIT_ONLY))
1375 acl_nfs4_modload(module_t module, int what, void *arg)
1403 static moduledata_t acl_nfs4_mod = {
1410 * XXX TODO: which subsystem, order?
1412 DECLARE_MODULE(acl_nfs4, acl_nfs4_mod, SI_SUB_VFS, SI_ORDER_FIRST);
1413 MODULE_VERSION(acl_nfs4, 1);
1414 #endif /* _KERNEL */