4 * The contents of this file are subject to the terms of the
5 * Common Development and Distribution License (the "License").
6 * You may not use this file except in compliance with the License.
8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9 * or http://www.opensolaris.org/os/licensing.
10 * See the License for the specific language governing permissions
11 * and limitations under the License.
13 * When distributing Covered Code, include this CDDL HEADER in each
14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15 * If applicable, add the following below this CDDL HEADER, with the
16 * fields enclosed by brackets "[]" replaced with your own identifying
17 * information: Portions Copyright [yyyy] [name of copyright owner]
22 * Copyright 2006 Sun Microsystems, Inc. All rights reserved.
23 * Use is subject to license terms.
26 #pragma ident "%Z%%M% %I% %E% SMI"
28 #include <sys/types.h>
29 #include <sys/param.h>
31 #include <sys/systm.h>
32 #include <sys/sysmacros.h>
33 #include <sys/resource.h>
35 #include <sys/vnode.h>
39 #include <sys/cmn_err.h>
40 #include <sys/errno.h>
41 #include <sys/unistd.h>
43 #include <sys/fs/zfs.h>
44 #include <sys/policy.h>
45 #include <sys/zfs_znode.h>
46 #include <sys/zfs_acl.h>
47 #include <sys/zfs_dir.h>
48 #include <sys/zfs_vfsops.h>
51 #include <acl/acl_common.h>
53 #define ALLOW ACE_ACCESS_ALLOWED_ACE_TYPE
54 #define DENY ACE_ACCESS_DENIED_ACE_TYPE
56 #define OWNING_GROUP (ACE_GROUP|ACE_IDENTIFIER_GROUP)
57 #define EVERYONE_ALLOW_MASK (ACE_READ_ACL|ACE_READ_ATTRIBUTES | \
58 ACE_READ_NAMED_ATTRS|ACE_SYNCHRONIZE)
59 #define EVERYONE_DENY_MASK (ACE_WRITE_ACL|ACE_WRITE_OWNER | \
60 ACE_WRITE_ATTRIBUTES|ACE_WRITE_NAMED_ATTRS)
61 #define OWNER_ALLOW_MASK (ACE_WRITE_ACL | ACE_WRITE_OWNER | \
62 ACE_WRITE_ATTRIBUTES|ACE_WRITE_NAMED_ATTRS)
63 #define WRITE_MASK (ACE_WRITE_DATA|ACE_APPEND_DATA|ACE_WRITE_NAMED_ATTRS| \
64 ACE_WRITE_ATTRIBUTES|ACE_WRITE_ACL|ACE_WRITE_OWNER)
66 #define OGE_CLEAR (ACE_READ_DATA|ACE_LIST_DIRECTORY|ACE_WRITE_DATA| \
67 ACE_ADD_FILE|ACE_APPEND_DATA|ACE_ADD_SUBDIRECTORY|ACE_EXECUTE)
69 #define OKAY_MASK_BITS (ACE_READ_DATA|ACE_LIST_DIRECTORY|ACE_WRITE_DATA| \
70 ACE_ADD_FILE|ACE_APPEND_DATA|ACE_ADD_SUBDIRECTORY|ACE_EXECUTE)
72 #define ALL_INHERIT (ACE_FILE_INHERIT_ACE|ACE_DIRECTORY_INHERIT_ACE | \
73 ACE_NO_PROPAGATE_INHERIT_ACE|ACE_INHERIT_ONLY_ACE)
75 #define SECURE_CLEAR (ACE_WRITE_ACL|ACE_WRITE_OWNER)
77 #define OGE_PAD 6 /* traditional owner/group/everyone ACES */
79 static int zfs_ace_can_use(znode_t *zp, ace_t *);
82 zfs_acl_alloc(int slots)
86 aclp = kmem_zalloc(sizeof (zfs_acl_t), KM_SLEEP);
88 aclp->z_acl = kmem_alloc(ZFS_ACL_SIZE(slots), KM_SLEEP);
89 aclp->z_acl_count = 0;
90 aclp->z_state = ACL_DATA_ALLOCED;
94 aclp->z_slots = slots;
99 zfs_acl_free(zfs_acl_t *aclp)
101 if (aclp->z_state == ACL_DATA_ALLOCED) {
102 kmem_free(aclp->z_acl, ZFS_ACL_SIZE(aclp->z_slots));
104 kmem_free(aclp, sizeof (zfs_acl_t));
108 zfs_v4_to_unix(uint32_t access_mask)
110 uint32_t new_mask = 0;
113 * This is used for mapping v4 permissions into permissions
114 * that can be passed to secpolicy_vnode_access()
116 if (access_mask & (ACE_READ_DATA | ACE_LIST_DIRECTORY |
117 ACE_READ_ATTRIBUTES | ACE_READ_ACL))
119 if (access_mask & (ACE_WRITE_DATA | ACE_APPEND_DATA |
120 ACE_WRITE_ATTRIBUTES | ACE_ADD_FILE | ACE_WRITE_NAMED_ATTRS))
122 if (access_mask & (ACE_EXECUTE | ACE_READ_NAMED_ATTRS))
129 * Convert unix access mask to v4 access mask
132 zfs_unix_to_v4(uint32_t access_mask)
134 uint32_t new_mask = 0;
136 if (access_mask & 01)
137 new_mask |= (ACE_EXECUTE);
138 if (access_mask & 02) {
139 new_mask |= (ACE_WRITE_DATA);
140 } if (access_mask & 04) {
141 new_mask |= ACE_READ_DATA;
147 zfs_set_ace(ace_t *zacep, uint32_t access_mask, int access_type,
148 uid_t uid, int entry_type)
150 zacep->a_access_mask = access_mask;
151 zacep->a_type = access_type;
153 zacep->a_flags = entry_type;
157 zfs_mode_compute(znode_t *zp, zfs_acl_t *aclp)
161 mode_t mode = (zp->z_phys->zp_mode &
162 (S_IFMT | S_ISUID | S_ISGID | S_ISVTX));
166 for (i = 0, acep = aclp->z_acl;
167 i != aclp->z_acl_count; i++, acep++) {
168 entry_type = (acep->a_flags & ACE_TYPE_FLAGS);
169 if (entry_type == ACE_OWNER) {
170 if ((acep->a_access_mask & ACE_READ_DATA) &&
171 (!(seen & S_IRUSR))) {
173 if (acep->a_type == ALLOW) {
177 if ((acep->a_access_mask & ACE_WRITE_DATA) &&
178 (!(seen & S_IWUSR))) {
180 if (acep->a_type == ALLOW) {
184 if ((acep->a_access_mask & ACE_EXECUTE) &&
185 (!(seen & S_IXUSR))) {
187 if (acep->a_type == ALLOW) {
191 } else if (entry_type == OWNING_GROUP) {
192 if ((acep->a_access_mask & ACE_READ_DATA) &&
193 (!(seen & S_IRGRP))) {
195 if (acep->a_type == ALLOW) {
199 if ((acep->a_access_mask & ACE_WRITE_DATA) &&
200 (!(seen & S_IWGRP))) {
202 if (acep->a_type == ALLOW) {
206 if ((acep->a_access_mask & ACE_EXECUTE) &&
207 (!(seen & S_IXGRP))) {
209 if (acep->a_type == ALLOW) {
213 } else if (entry_type == ACE_EVERYONE) {
214 if ((acep->a_access_mask & ACE_READ_DATA)) {
215 if (!(seen & S_IRUSR)) {
217 if (acep->a_type == ALLOW) {
221 if (!(seen & S_IRGRP)) {
223 if (acep->a_type == ALLOW) {
227 if (!(seen & S_IROTH)) {
229 if (acep->a_type == ALLOW) {
234 if ((acep->a_access_mask & ACE_WRITE_DATA)) {
235 if (!(seen & S_IWUSR)) {
237 if (acep->a_type == ALLOW) {
241 if (!(seen & S_IWGRP)) {
243 if (acep->a_type == ALLOW) {
247 if (!(seen & S_IWOTH)) {
249 if (acep->a_type == ALLOW) {
254 if ((acep->a_access_mask & ACE_EXECUTE)) {
255 if (!(seen & S_IXUSR)) {
257 if (acep->a_type == ALLOW) {
261 if (!(seen & S_IXGRP)) {
263 if (acep->a_type == ALLOW) {
267 if (!(seen & S_IXOTH)) {
269 if (acep->a_type == ALLOW) {
280 zfs_acl_node_read_internal(znode_t *zp)
284 aclp = zfs_acl_alloc(0);
285 aclp->z_acl_count = zp->z_phys->zp_acl.z_acl_count;
286 aclp->z_acl = &zp->z_phys->zp_acl.z_ace_data[0];
292 * Read an external acl object.
295 zfs_acl_node_read(znode_t *zp, zfs_acl_t **aclpp)
297 uint64_t extacl = zp->z_phys->zp_acl.z_acl_extern_obj;
301 ASSERT(MUTEX_HELD(&zp->z_acl_lock));
303 if (zp->z_phys->zp_acl.z_acl_extern_obj == 0) {
304 *aclpp = zfs_acl_node_read_internal(zp);
308 aclp = zfs_acl_alloc(zp->z_phys->zp_acl.z_acl_count);
310 error = dmu_read(zp->z_zfsvfs->z_os, extacl, 0,
311 ZFS_ACL_SIZE(zp->z_phys->zp_acl.z_acl_count), aclp->z_acl);
317 aclp->z_acl_count = zp->z_phys->zp_acl.z_acl_count;
324 zfs_acl_valid(znode_t *zp, ace_t *uace, int aclcnt, int *inherit)
331 if (aclcnt > MAX_ACL_ENTRIES || aclcnt <= 0) {
335 for (i = 0, acep = uace; i != aclcnt; i++, acep++) {
338 * first check type of entry
341 switch (acep->a_flags & ACE_TYPE_FLAGS) {
345 case (ACE_IDENTIFIER_GROUP | ACE_GROUP):
346 case ACE_IDENTIFIER_GROUP:
347 if (acep->a_flags & ACE_GROUP) {
357 * next check inheritance level flags
360 if (acep->a_type != ALLOW && acep->a_type != DENY)
364 * Only directories should have inheritance flags.
366 if (ZTOV(zp)->v_type != VDIR && (acep->a_flags &
367 (ACE_FILE_INHERIT_ACE|ACE_DIRECTORY_INHERIT_ACE|
368 ACE_INHERIT_ONLY_ACE|ACE_NO_PROPAGATE_INHERIT_ACE))) {
373 (ACE_FILE_INHERIT_ACE|ACE_DIRECTORY_INHERIT_ACE))
377 (ACE_INHERIT_ONLY_ACE|ACE_NO_PROPAGATE_INHERIT_ACE)) {
378 if ((acep->a_flags & (ACE_FILE_INHERIT_ACE|
379 ACE_DIRECTORY_INHERIT_ACE)) == 0) {
388 * common code for setting acl's.
390 * This function is called from zfs_mode_update, zfs_perm_init, and zfs_setacl.
391 * zfs_setacl passes a non-NULL inherit pointer (ihp) to indicate that it's
392 * already checked the acl and knows whether to inherit.
395 zfs_aclset_common(znode_t *zp, zfs_acl_t *aclp, dmu_tx_t *tx, int *ihp)
399 znode_phys_t *zphys = zp->z_phys;
400 zfs_znode_acl_t *zacl = &zphys->zp_acl;
401 uint32_t acl_phys_size = ZFS_ACL_SIZE(aclp->z_acl_count);
402 zfsvfs_t *zfsvfs = zp->z_zfsvfs;
403 uint64_t aoid = zphys->zp_acl.z_acl_extern_obj;
405 ASSERT(MUTEX_HELD(&zp->z_lock));
406 ASSERT(MUTEX_HELD(&zp->z_acl_lock));
409 inherit = *ihp; /* already determined by caller */
410 else if (!zfs_acl_valid(zp, aclp->z_acl,
411 aclp->z_acl_count, &inherit)) {
415 dmu_buf_will_dirty(zp->z_dbuf, tx);
418 * Will ACL fit internally?
420 if (aclp->z_acl_count > ACE_SLOT_CNT) {
422 aoid = dmu_object_alloc(zfsvfs->z_os,
423 DMU_OT_ACL, acl_phys_size, DMU_OT_NONE, 0, tx);
425 (void) dmu_object_set_blocksize(zfsvfs->z_os, aoid,
426 acl_phys_size, 0, tx);
428 zphys->zp_acl.z_acl_extern_obj = aoid;
429 zphys->zp_acl.z_acl_count = aclp->z_acl_count;
430 dmu_write(zfsvfs->z_os, aoid, 0,
431 acl_phys_size, aclp->z_acl, tx);
434 * Migrating back embedded?
436 if (zphys->zp_acl.z_acl_extern_obj) {
437 error = dmu_object_free(zfsvfs->z_os,
438 zp->z_phys->zp_acl.z_acl_extern_obj, tx);
441 zphys->zp_acl.z_acl_extern_obj = 0;
443 bcopy(aclp->z_acl, zacl->z_ace_data,
444 aclp->z_acl_count * sizeof (ace_t));
445 zacl->z_acl_count = aclp->z_acl_count;
448 zp->z_phys->zp_flags &= ~(ZFS_ACL_TRIVIAL|ZFS_INHERIT_ACE);
450 zp->z_phys->zp_flags |= ZFS_INHERIT_ACE;
451 } else if (ace_trivial(zacl->z_ace_data, zacl->z_acl_count) == 0) {
452 zp->z_phys->zp_flags |= ZFS_ACL_TRIVIAL;
455 zphys->zp_mode = zfs_mode_compute(zp, aclp);
456 zfs_time_stamper_locked(zp, STATE_CHANGED, tx);
462 * Create space for slots_needed ACEs to be append
466 zfs_acl_append(zfs_acl_t *aclp, int slots_needed)
471 int slots_left = aclp->z_slots - aclp->z_acl_count;
473 if (aclp->z_state == ACL_DATA_ALLOCED)
474 ASSERT(aclp->z_slots >= aclp->z_acl_count);
475 if (slots_left < slots_needed || aclp->z_state != ACL_DATA_ALLOCED) {
476 slot_cnt = aclp->z_slots + 1 + (slots_needed - slots_left);
477 newacep = kmem_alloc(ZFS_ACL_SIZE(slot_cnt), KM_SLEEP);
478 bcopy(aclp->z_acl, newacep,
479 ZFS_ACL_SIZE(aclp->z_acl_count));
480 oldaclp = aclp->z_acl;
481 if (aclp->z_state == ACL_DATA_ALLOCED)
482 kmem_free(oldaclp, ZFS_ACL_SIZE(aclp->z_slots));
483 aclp->z_acl = newacep;
484 aclp->z_slots = slot_cnt;
485 aclp->z_state = ACL_DATA_ALLOCED;
490 * Remove "slot" ACE from aclp
493 zfs_ace_remove(zfs_acl_t *aclp, int slot)
495 if (aclp->z_acl_count > 1) {
496 (void) memmove(&aclp->z_acl[slot],
497 &aclp->z_acl[slot +1], sizeof (ace_t) *
498 (--aclp->z_acl_count - slot));
504 * Update access mask for prepended ACE
506 * This applies the "groupmask" value for aclmode property.
509 zfs_acl_prepend_fixup(ace_t *acep, ace_t *origacep, mode_t mode, uid_t owner)
512 int rmask, wmask, xmask;
515 user_ace = (!(acep->a_flags &
516 (ACE_OWNER|ACE_GROUP|ACE_IDENTIFIER_GROUP)));
518 if (user_ace && (acep->a_who == owner)) {
528 if (origacep->a_access_mask & ACE_READ_DATA) {
530 acep->a_access_mask &= ~ACE_READ_DATA;
532 acep->a_access_mask |= ACE_READ_DATA;
535 if (origacep->a_access_mask & ACE_WRITE_DATA) {
537 acep->a_access_mask &= ~ACE_WRITE_DATA;
539 acep->a_access_mask |= ACE_WRITE_DATA;
542 if (origacep->a_access_mask & ACE_APPEND_DATA) {
544 acep->a_access_mask &= ~ACE_APPEND_DATA;
546 acep->a_access_mask |= ACE_APPEND_DATA;
549 if (origacep->a_access_mask & ACE_EXECUTE) {
551 acep->a_access_mask &= ~ACE_EXECUTE;
553 acep->a_access_mask |= ACE_EXECUTE;
558 * Apply mode to canonical six ACEs.
561 zfs_acl_fixup_canonical_six(zfs_acl_t *aclp, mode_t mode)
566 cnt = aclp->z_acl_count -1;
570 * Fixup final ACEs to match the mode
574 adjust_ace_pair(&acep[cnt - 1], mode); /* everyone@ */
575 adjust_ace_pair(&acep[cnt - 3], (mode & 0070) >> 3); /* group@ */
576 adjust_ace_pair(&acep[cnt - 5], (mode & 0700) >> 6); /* owner@ */
581 zfs_acl_ace_match(ace_t *acep, int allow_deny, int type, int mask)
583 return (acep->a_access_mask == mask && acep->a_type == allow_deny &&
584 ((acep->a_flags & ACE_TYPE_FLAGS) == type));
588 * Can prepended ACE be reused?
591 zfs_reuse_deny(ace_t *acep, int i)
598 if (acep[i-1].a_type != DENY)
601 if (acep[i-1].a_flags != (acep[i].a_flags & ACE_IDENTIFIER_GROUP))
604 okay_masks = (acep[i].a_access_mask & OKAY_MASK_BITS);
606 if (acep[i-1].a_access_mask & ~okay_masks)
613 * Create space to prepend an ACE
616 zfs_acl_prepend(zfs_acl_t *aclp, int i)
618 ace_t *oldaclp = NULL;
620 int slots_left = aclp->z_slots - aclp->z_acl_count;
624 if (aclp->z_state == ACL_DATA_ALLOCED)
625 ASSERT(aclp->z_slots >= aclp->z_acl_count);
627 if (slots_left == 0 || aclp->z_state != ACL_DATA_ALLOCED) {
629 to = kmem_alloc(ZFS_ACL_SIZE(aclp->z_acl_count +
631 if (aclp->z_state == ACL_DATA_ALLOCED)
634 oldaclp = aclp->z_acl;
635 (void) memmove(to, from,
636 sizeof (ace_t) * aclp->z_acl_count);
637 aclp->z_state = ACL_DATA_ALLOCED;
644 (void) memmove(&to[i + 1], &from[i],
645 sizeof (ace_t) * (aclp->z_acl_count - i));
649 oldslots = aclp->z_slots;
650 aclp->z_slots = aclp->z_acl_count + OGE_PAD;
652 kmem_free(oldaclp, ZFS_ACL_SIZE(oldslots));
661 zfs_acl_prepend_deny(znode_t *zp, zfs_acl_t *aclp, int i,
666 zfs_acl_prepend(aclp, i);
669 zfs_set_ace(&acep[i], 0, DENY, acep[i + 1].a_who,
670 (acep[i + 1].a_flags & ACE_TYPE_FLAGS));
671 zfs_acl_prepend_fixup(&acep[i], &acep[i+1], mode, zp->z_phys->zp_uid);
676 * Split an inherited ACE into inherit_only ACE
677 * and original ACE with inheritance flags stripped off.
680 zfs_acl_split_ace(zfs_acl_t *aclp, int i)
682 ace_t *acep = aclp->z_acl;
684 zfs_acl_prepend(aclp, i);
686 acep[i] = acep[i + 1];
687 acep[i].a_flags |= ACE_INHERIT_ONLY_ACE;
688 acep[i + 1].a_flags &= ~ALL_INHERIT;
693 * Are ACES started at index i, the canonical six ACES?
696 zfs_have_canonical_six(zfs_acl_t *aclp, int i)
698 ace_t *acep = aclp->z_acl;
700 if ((zfs_acl_ace_match(&acep[i],
701 DENY, ACE_OWNER, 0) &&
702 zfs_acl_ace_match(&acep[i + 1], ALLOW, ACE_OWNER,
703 OWNER_ALLOW_MASK) && zfs_acl_ace_match(&acep[i + 2],
704 DENY, OWNING_GROUP, 0) && zfs_acl_ace_match(&acep[i + 3],
705 ALLOW, OWNING_GROUP, 0) && zfs_acl_ace_match(&acep[i + 4],
706 DENY, ACE_EVERYONE, EVERYONE_DENY_MASK) &&
707 zfs_acl_ace_match(&acep[i + 5], ALLOW, ACE_EVERYONE,
708 EVERYONE_ALLOW_MASK))) {
716 * Apply step 1g, to group entries
718 * Need to deal with corner case where group may have
719 * greater permissions than owner. If so then limit
720 * group permissions, based on what extra permissions
724 zfs_fixup_group_entries(ace_t *acep, mode_t mode)
726 mode_t extramode = (mode >> 3) & 07;
727 mode_t ownermode = (mode >> 6);
729 if (acep[0].a_flags & ACE_IDENTIFIER_GROUP) {
731 extramode &= ~ownermode;
734 if (extramode & 04) {
735 acep[0].a_access_mask &= ~ACE_READ_DATA;
736 acep[1].a_access_mask &= ~ACE_READ_DATA;
738 if (extramode & 02) {
739 acep[0].a_access_mask &=
740 ~(ACE_WRITE_DATA|ACE_APPEND_DATA);
741 acep[1].a_access_mask &=
742 ~(ACE_WRITE_DATA|ACE_APPEND_DATA);
744 if (extramode & 01) {
745 acep[0].a_access_mask &= ~ACE_EXECUTE;
746 acep[1].a_access_mask &= ~ACE_EXECUTE;
753 * Apply the chmod algorithm as described
757 zfs_acl_chmod(znode_t *zp, uint64_t mode, zfs_acl_t *aclp,
760 zfsvfs_t *zfsvfs = zp->z_zfsvfs;
766 int need_canonical_six = 1;
770 ASSERT(MUTEX_HELD(&zp->z_acl_lock));
771 ASSERT(MUTEX_HELD(&zp->z_lock));
774 while (i < aclp->z_acl_count) {
776 entry_type = (acep[i].a_flags & ACE_TYPE_FLAGS);
777 iflags = (acep[i].a_flags & ALL_INHERIT);
779 if ((acep[i].a_type != ALLOW && acep[i].a_type != DENY) ||
780 (iflags & ACE_INHERIT_ONLY_ACE)) {
788 if (zfsvfs->z_acl_mode == ZFS_ACL_DISCARD) {
789 zfs_ace_remove(aclp, i);
794 * Need to split ace into two?
796 if ((iflags & (ACE_FILE_INHERIT_ACE|
797 ACE_DIRECTORY_INHERIT_ACE)) &&
798 (!(iflags & ACE_INHERIT_ONLY_ACE))) {
799 zfs_acl_split_ace(aclp, i);
805 if (entry_type == ACE_OWNER || entry_type == ACE_EVERYONE ||
806 (entry_type == OWNING_GROUP)) {
807 acep[i].a_access_mask &= ~OGE_CLEAR;
812 if (acep[i].a_type == ALLOW) {
815 * Check preceding ACE if any, to see
816 * if we need to prepend a DENY ACE.
817 * This is only applicable when the acl_mode
818 * property == groupmask.
820 if (zfsvfs->z_acl_mode == ZFS_ACL_GROUPMASK) {
822 reuse_deny = zfs_reuse_deny(acep, i);
824 if (reuse_deny == B_FALSE) {
825 zfs_acl_prepend_deny(zp, aclp,
830 zfs_acl_prepend_fixup(
835 zfs_fixup_group_entries(&acep[i - 1],
844 * Check out last six aces, if we have six.
847 if (aclp->z_acl_count >= 6) {
848 i = aclp->z_acl_count - 6;
850 if (zfs_have_canonical_six(aclp, i)) {
851 need_canonical_six = 0;
855 if (need_canonical_six) {
857 zfs_acl_append(aclp, 6);
858 i = aclp->z_acl_count;
860 zfs_set_ace(&acep[i++], 0, DENY, -1, ACE_OWNER);
861 zfs_set_ace(&acep[i++], OWNER_ALLOW_MASK, ALLOW, -1, ACE_OWNER);
862 zfs_set_ace(&acep[i++], 0, DENY, -1, OWNING_GROUP);
863 zfs_set_ace(&acep[i++], 0, ALLOW, -1, OWNING_GROUP);
864 zfs_set_ace(&acep[i++], EVERYONE_DENY_MASK,
865 DENY, -1, ACE_EVERYONE);
866 zfs_set_ace(&acep[i++], EVERYONE_ALLOW_MASK,
867 ALLOW, -1, ACE_EVERYONE);
868 aclp->z_acl_count += 6;
871 zfs_acl_fixup_canonical_six(aclp, mode);
873 zp->z_phys->zp_mode = mode;
874 error = zfs_aclset_common(zp, aclp, tx, &inherit);
880 zfs_acl_chmod_setattr(znode_t *zp, uint64_t mode, dmu_tx_t *tx)
882 zfs_acl_t *aclp = NULL;
885 ASSERT(MUTEX_HELD(&zp->z_lock));
886 mutex_enter(&zp->z_acl_lock);
887 error = zfs_acl_node_read(zp, &aclp);
889 error = zfs_acl_chmod(zp, mode, aclp, tx);
890 mutex_exit(&zp->z_acl_lock);
897 * strip off write_owner and write_acl
900 zfs_securemode_update(zfsvfs_t *zfsvfs, ace_t *acep)
902 if ((zfsvfs->z_acl_inherit == ZFS_ACL_SECURE) &&
903 (acep->a_type == ALLOW))
904 acep->a_access_mask &= ~SECURE_CLEAR;
908 * inherit inheritable ACEs from parent
911 zfs_acl_inherit(znode_t *zp, zfs_acl_t *paclp)
913 zfsvfs_t *zfsvfs = zp->z_zfsvfs;
919 zfs_acl_t *aclp = NULL;
922 pace_cnt = paclp->z_acl_count;
923 pacep = paclp->z_acl;
924 if (zfsvfs->z_acl_inherit != ZFS_ACL_DISCARD) {
925 for (i = 0; i != pace_cnt; i++) {
927 if (zfsvfs->z_acl_inherit == ZFS_ACL_NOALLOW &&
928 pacep[i].a_type == ALLOW)
931 if (zfs_ace_can_use(zp, &pacep[i])) {
933 if (!(pacep[i].a_flags &
934 ACE_NO_PROPAGATE_INHERIT_ACE))
940 aclp = zfs_acl_alloc(ace_cnt + OGE_PAD);
941 if (ace_cnt && zfsvfs->z_acl_inherit != ZFS_ACL_DISCARD) {
943 pacep = paclp->z_acl;
944 for (i = 0; i != pace_cnt; i++) {
946 if (zfsvfs->z_acl_inherit == ZFS_ACL_NOALLOW &&
947 pacep[i].a_type == ALLOW)
950 if (zfs_ace_can_use(zp, &pacep[i])) {
953 * Now create entry for inherited ace
959 * When AUDIT/ALARM a_types are supported
960 * they should be inherited here.
963 if ((pacep[i].a_flags &
964 ACE_NO_PROPAGATE_INHERIT_ACE) ||
965 (ZTOV(zp)->v_type != VDIR)) {
966 acep[j].a_flags &= ~ALL_INHERIT;
967 zfs_securemode_update(zfsvfs, &acep[j]);
972 ASSERT(ZTOV(zp)->v_type == VDIR);
975 * If we are inheriting an ACE targeted for
976 * only files, then make sure inherit_only
977 * is on for future propagation.
979 if ((pacep[i].a_flags & (ACE_FILE_INHERIT_ACE |
980 ACE_DIRECTORY_INHERIT_ACE)) !=
981 ACE_FILE_INHERIT_ACE) {
985 ACE_INHERIT_ONLY_ACE;
986 acep[j].a_flags &= ~ALL_INHERIT;
988 acep[j].a_flags |= ACE_INHERIT_ONLY_ACE;
990 zfs_securemode_update(zfsvfs, &acep[j]);
995 aclp->z_acl_count = j;
996 ASSERT(aclp->z_slots >= aclp->z_acl_count);
1002 * Create file system object initial permissions
1003 * including inheritable ACEs.
1006 zfs_perm_init(znode_t *zp, znode_t *parent, int flag,
1007 vattr_t *vap, dmu_tx_t *tx, cred_t *cr)
1014 zfs_acl_t *aclp, *paclp;
1016 mode = MAKEIMODE(vap->va_type, vap->va_mode);
1019 * Determine uid and gid.
1021 if ((flag & (IS_ROOT_NODE | IS_REPLAY)) ||
1022 ((flag & IS_XATTR) && (vap->va_type == VDIR))) {
1027 if ((vap->va_mask & AT_GID) &&
1028 ((vap->va_gid == parent->z_phys->zp_gid) ||
1029 groupmember(vap->va_gid, cr) ||
1030 secpolicy_vnode_create_gid(cr) == 0))
1034 gid = parent->z_phys->zp_gid;
1036 gid = (parent->z_phys->zp_mode & S_ISGID) ?
1037 parent->z_phys->zp_gid : crgetgid(cr);
1042 * If we're creating a directory, and the parent directory has the
1043 * set-GID bit set, set in on the new directory.
1044 * Otherwise, if the user is neither privileged nor a member of the
1045 * file's new group, clear the file's set-GID bit.
1048 if ((parent->z_phys->zp_mode & S_ISGID) && (vap->va_type == VDIR))
1051 if ((mode & S_ISGID) &&
1052 secpolicy_vnode_setids_setgids(cr, gid) != 0)
1056 zp->z_phys->zp_uid = uid;
1057 zp->z_phys->zp_gid = gid;
1058 zp->z_phys->zp_mode = mode;
1060 mutex_enter(&parent->z_lock);
1061 pull_down = (parent->z_phys->zp_flags & ZFS_INHERIT_ACE);
1063 mutex_enter(&parent->z_acl_lock);
1064 VERIFY(0 == zfs_acl_node_read(parent, &paclp));
1065 mutex_exit(&parent->z_acl_lock);
1066 aclp = zfs_acl_inherit(zp, paclp);
1067 zfs_acl_free(paclp);
1069 aclp = zfs_acl_alloc(6);
1071 mutex_exit(&parent->z_lock);
1072 mutex_enter(&zp->z_lock);
1073 mutex_enter(&zp->z_acl_lock);
1074 error = zfs_acl_chmod(zp, mode, aclp, tx);
1075 mutex_exit(&zp->z_lock);
1076 mutex_exit(&zp->z_acl_lock);
1077 ASSERT3U(error, ==, 0);
1082 * Should ACE be inherited?
1085 zfs_ace_can_use(znode_t *zp, ace_t *acep)
1087 int vtype = ZTOV(zp)->v_type;
1089 int iflags = (acep->a_flags & 0xf);
1091 if ((vtype == VDIR) && (iflags & ACE_DIRECTORY_INHERIT_ACE))
1093 else if (iflags & ACE_FILE_INHERIT_ACE)
1094 return (!((vtype == VDIR) &&
1095 (iflags & ACE_NO_PROPAGATE_INHERIT_ACE)));
1101 * Retrieve a files ACL
1104 zfs_getacl(znode_t *zp, vsecattr_t *vsecp, cred_t *cr)
1107 ulong_t mask = vsecp->vsa_mask & (VSA_ACE | VSA_ACECNT);
1110 if (error = zfs_zaccess(zp, ACE_READ_ACL, cr)) {
1112 * If owner of file then allow reading of the
1115 if (crgetuid(cr) != zp->z_phys->zp_uid)
1122 mutex_enter(&zp->z_acl_lock);
1124 error = zfs_acl_node_read(zp, &aclp);
1126 mutex_exit(&zp->z_acl_lock);
1131 if (mask & VSA_ACECNT) {
1132 vsecp->vsa_aclcnt = aclp->z_acl_count;
1135 if (mask & VSA_ACE) {
1136 vsecp->vsa_aclentp = kmem_alloc(aclp->z_acl_count *
1137 sizeof (ace_t), KM_SLEEP);
1138 bcopy(aclp->z_acl, vsecp->vsa_aclentp,
1139 aclp->z_acl_count * sizeof (ace_t));
1142 mutex_exit(&zp->z_acl_lock);
1155 zfs_setacl(znode_t *zp, vsecattr_t *vsecp, cred_t *cr)
1157 zfsvfs_t *zfsvfs = zp->z_zfsvfs;
1158 zilog_t *zilog = zfsvfs->z_log;
1159 ace_t *acep = vsecp->vsa_aclentp;
1160 int aclcnt = vsecp->vsa_aclcnt;
1161 ulong_t mask = vsecp->vsa_mask & (VSA_ACE | VSA_ACECNT);
1170 if (!zfs_acl_valid(zp, acep, aclcnt, &inherit))
1173 error = zfs_zaccess_v4_perm(zp, ACE_WRITE_ACL, cr);
1174 if (error == EACCES || error == ACCESS_UNDETERMINED) {
1175 if ((error = secpolicy_vnode_setdac(cr,
1176 zp->z_phys->zp_uid)) != 0) {
1180 return (error == EROFS ? error : EPERM);
1183 mutex_enter(&zp->z_lock);
1184 mutex_enter(&zp->z_acl_lock);
1186 tx = dmu_tx_create(zfsvfs->z_os);
1187 dmu_tx_hold_bonus(tx, zp->z_id);
1189 if (zp->z_phys->zp_acl.z_acl_extern_obj) {
1190 dmu_tx_hold_write(tx, zp->z_phys->zp_acl.z_acl_extern_obj,
1191 0, ZFS_ACL_SIZE(aclcnt));
1192 } else if (aclcnt > ACE_SLOT_CNT) {
1193 dmu_tx_hold_write(tx, DMU_NEW_OBJECT, 0, ZFS_ACL_SIZE(aclcnt));
1196 error = dmu_tx_assign(tx, zfsvfs->z_assign);
1198 mutex_exit(&zp->z_acl_lock);
1199 mutex_exit(&zp->z_lock);
1201 if (error == ERESTART && zfsvfs->z_assign == TXG_NOWAIT) {
1210 aclp = zfs_acl_alloc(aclcnt);
1211 bcopy(acep, aclp->z_acl, sizeof (ace_t) * aclcnt);
1212 aclp->z_acl_count = aclcnt;
1213 error = zfs_aclset_common(zp, aclp, tx, &inherit);
1217 zfs_log_acl(zilog, tx, TX_ACL, zp, aclcnt, acep);
1220 mutex_exit(&zp->z_acl_lock);
1221 mutex_exit(&zp->z_lock);
1228 zfs_ace_access(ace_t *zacep, int *working_mode)
1230 if (*working_mode == 0) {
1234 if (zacep->a_access_mask & *working_mode) {
1235 if (zacep->a_type == ALLOW) {
1237 ~(*working_mode & zacep->a_access_mask);
1238 if (*working_mode == 0)
1240 } else if (zacep->a_type == DENY) {
1246 * haven't been specifcally denied at this point
1247 * so return UNDETERMINED.
1250 return (ACCESS_UNDETERMINED);
1255 zfs_zaccess_common(znode_t *zp, int v4_mode, int *working_mode, cred_t *cr)
1258 zfsvfs_t *zfsvfs = zp->z_zfsvfs;
1264 int access_deny = ACCESS_UNDETERMINED;
1266 uid_t uid = crgetuid(cr);
1268 if (zfsvfs->z_assign >= TXG_INITIAL) { /* ZIL replay */
1273 *working_mode = v4_mode;
1275 if ((v4_mode & WRITE_MASK) &&
1276 (zp->z_zfsvfs->z_vfs->vfs_flag & VFS_RDONLY) &&
1277 (!IS_DEVVP(ZTOV(zp)))) {
1281 mutex_enter(&zp->z_acl_lock);
1283 error = zfs_acl_node_read(zp, &aclp);
1285 mutex_exit(&zp->z_acl_lock);
1290 zacep = aclp->z_acl;
1291 cnt = aclp->z_acl_count;
1293 for (i = 0; i != cnt; i++) {
1295 DTRACE_PROBE2(zfs__access__common,
1296 ace_t *, &zacep[i], int, *working_mode);
1298 if (zacep[i].a_flags & ACE_INHERIT_ONLY_ACE)
1301 entry_type = (zacep[i].a_flags & ACE_TYPE_FLAGS);
1302 switch (entry_type) {
1304 if (uid == zp->z_phys->zp_uid) {
1305 access_deny = zfs_ace_access(&zacep[i],
1309 case (ACE_IDENTIFIER_GROUP | ACE_GROUP):
1310 case ACE_IDENTIFIER_GROUP:
1312 * Owning group gid is in znode not ACL
1314 if (entry_type == (ACE_IDENTIFIER_GROUP | ACE_GROUP))
1315 gid = zp->z_phys->zp_gid;
1317 gid = zacep[i].a_who;
1319 if (groupmember(gid, cr)) {
1320 access_deny = zfs_ace_access(&zacep[i],
1325 access_deny = zfs_ace_access(&zacep[i], working_mode);
1330 if (entry_type == 0) {
1331 if (uid == zacep[i].a_who) {
1332 access_deny = zfs_ace_access(&zacep[i],
1338 mutex_exit(&zp->z_acl_lock);
1342 if (access_deny != ACCESS_UNDETERMINED)
1346 mutex_exit(&zp->z_acl_lock);
1349 return (access_deny);
1354 * Determine whether Access should be granted/denied, invoking least
1355 * priv subsytem when a deny is determined.
1358 zfs_zaccess(znode_t *zp, int mode, cred_t *cr)
1364 znode_t *check_zp = zp;
1366 is_attr = ((zp->z_phys->zp_flags & ZFS_XATTR) &&
1367 (ZTOV(zp)->v_type == VDIR));
1370 * If attribute then validate against base file
1373 if ((error = zfs_zget(zp->z_zfsvfs,
1374 zp->z_phys->zp_parent, &xzp)) != 0) {
1379 * fixup mode to map to xattr perms
1382 if (mode & (ACE_WRITE_DATA|ACE_APPEND_DATA)) {
1383 mode &= ~(ACE_WRITE_DATA|ACE_APPEND_DATA);
1384 mode |= ACE_WRITE_NAMED_ATTRS;
1387 if (mode & (ACE_READ_DATA|ACE_EXECUTE)) {
1388 mode &= ~(ACE_READ_DATA|ACE_EXECUTE);
1389 mode |= ACE_READ_NAMED_ATTRS;
1393 error = zfs_zaccess_common(check_zp, mode, &working_mode, cr);
1395 if (error == EROFS) {
1401 if (error || working_mode) {
1402 working_mode = (zfs_v4_to_unix(working_mode) << 6);
1403 error = secpolicy_vnode_access(cr, ZTOV(check_zp),
1404 check_zp->z_phys->zp_uid, working_mode);
1414 * Special zaccess function to check for special nfsv4 perm.
1415 * doesn't call secpolicy_vnode_access() for failure, since that
1416 * would probably be the wrong policy function to call.
1417 * instead its up to the caller to handle that situation.
1421 zfs_zaccess_v4_perm(znode_t *zp, int mode, cred_t *cr)
1423 int working_mode = 0;
1424 return (zfs_zaccess_common(zp, mode, &working_mode, cr));
1428 * Translate tradition unix VREAD/VWRITE/VEXEC mode into
1429 * native ACL format and call zfs_zaccess()
1432 zfs_zaccess_rwx(znode_t *zp, mode_t mode, cred_t *cr)
1434 int v4_mode = zfs_unix_to_v4(mode >> 6);
1436 return (zfs_zaccess(zp, v4_mode, cr));
1440 zfs_delete_final_check(znode_t *zp, znode_t *dzp, cred_t *cr)
1444 error = secpolicy_vnode_access(cr, ZTOV(zp),
1445 dzp->z_phys->zp_uid, S_IWRITE|S_IEXEC);
1448 error = zfs_sticky_remove_access(dzp, zp, cr);
1454 * Determine whether Access should be granted/deny, without
1455 * consulting least priv subsystem.
1458 * The following chart is the recommended NFSv4 enforcement for
1459 * ability to delete an object.
1461 * -------------------------------------------------------
1462 * | Parent Dir | Target Object Permissions |
1464 * -------------------------------------------------------
1465 * | | ACL Allows | ACL Denies| Delete |
1466 * | | Delete | Delete | unspecified|
1467 * -------------------------------------------------------
1468 * | ACL Allows | Permit | Permit | Permit |
1469 * | DELETE_CHILD | |
1470 * -------------------------------------------------------
1471 * | ACL Denies | Permit | Deny | Deny |
1472 * | DELETE_CHILD | | | |
1473 * -------------------------------------------------------
1474 * | ACL specifies | | | |
1475 * | only allow | Permit | Permit | Permit |
1476 * | write and | | | |
1478 * -------------------------------------------------------
1479 * | ACL denies | | | |
1480 * | write and | Permit | Deny | Deny |
1482 * -------------------------------------------------------
1485 * No search privilege, can't even look up file?
1489 zfs_zaccess_delete(znode_t *dzp, znode_t *zp, cred_t *cr)
1491 int dzp_working_mode = 0;
1492 int zp_working_mode = 0;
1493 int dzp_error, zp_error;
1496 * Arghh, this check is going to require a couple of questions
1497 * to be asked. We want specific DELETE permissions to
1498 * take precedence over WRITE/EXECUTE. We don't
1499 * want an ACL such as this to mess us up.
1500 * user:joe:write_data:deny,user:joe:delete:allow
1502 * However, deny permissions may ultimately be overridden
1503 * by secpolicy_vnode_access().
1506 dzp_error = zfs_zaccess_common(dzp, ACE_DELETE_CHILD,
1507 &dzp_working_mode, cr);
1508 zp_error = zfs_zaccess_common(zp, ACE_DELETE, &zp_working_mode, cr);
1510 if (dzp_error == EROFS || zp_error == EROFS)
1514 * First check the first row.
1515 * We only need to see if parent Allows delete_child
1517 if ((dzp_working_mode & ACE_DELETE_CHILD) == 0)
1522 * we already have the necessary information in
1523 * zp_working_mode, zp_error and dzp_error.
1526 if ((zp_working_mode & ACE_DELETE) == 0)
1530 * Now zp_error should either be EACCES which indicates
1531 * a "deny" delete entry or ACCESS_UNDETERMINED if the "delete"
1532 * entry exists on the target.
1534 * dzp_error should be either EACCES which indicates a "deny"
1535 * entry for delete_child or ACCESS_UNDETERMINED if no delete_child
1536 * entry exists. If value is EACCES then we are done
1537 * and zfs_delete_final_check() will make the final decision
1538 * regarding to allow the delete.
1541 ASSERT(zp_error != 0 && dzp_error != 0);
1542 if (dzp_error == EACCES)
1543 return (zfs_delete_final_check(zp, dzp, cr));
1547 * Only need to check for write/execute on parent
1550 dzp_error = zfs_zaccess_common(dzp, ACE_WRITE_DATA|ACE_EXECUTE,
1551 &dzp_working_mode, cr);
1553 if (dzp_error == EROFS)
1556 if ((dzp_working_mode & (ACE_WRITE_DATA|ACE_EXECUTE)) == 0)
1557 return (zfs_sticky_remove_access(dzp, zp, cr));
1563 if (((dzp_working_mode & (ACE_WRITE_DATA|ACE_EXECUTE)) != 0) &&
1564 ((zp_working_mode & ACE_DELETE) == 0))
1565 return (zfs_sticky_remove_access(dzp, zp, cr));
1567 return (zfs_delete_final_check(zp, dzp, cr));
1571 zfs_zaccess_rename(znode_t *sdzp, znode_t *szp, znode_t *tdzp,
1572 znode_t *tzp, cred_t *cr)
1577 add_perm = (ZTOV(szp)->v_type == VDIR) ?
1578 ACE_ADD_SUBDIRECTORY : ACE_ADD_FILE;
1581 * Rename permissions are combination of delete permission +
1582 * add file/subdir permission.
1586 * first make sure we do the delete portion.
1588 * If that succeeds then check for add_file/add_subdir permissions
1591 if (error = zfs_zaccess_delete(sdzp, szp, cr))
1595 * If we have a tzp, see if we can delete it?
1598 if (error = zfs_zaccess_delete(tdzp, tzp, cr))
1603 * Now check for add permissions
1605 error = zfs_zaccess(tdzp, add_perm, cr);