2 * Copyright (c) 2008 Edward Tomasz NapieraĆa <trasz@FreeBSD.org>
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions
8 * 1. Redistributions of source code must retain the above copyright
9 * notice, this list of conditions and the following disclaimer.
10 * 2. Redistributions in binary form must reproduce the above copyright
11 * notice, this list of conditions and the following disclaimer in the
12 * documentation and/or other materials provided with the distribution.
14 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
15 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
16 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
17 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
18 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
19 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
20 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
21 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
22 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
23 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
28 * ACL support routines specific to NFSv4 access control lists. These are
29 * utility routines for code common across file systems implementing NFSv4
34 #include <sys/cdefs.h>
35 __FBSDID("$FreeBSD$");
37 #include <sys/param.h>
38 #include <sys/systm.h>
39 #include <sys/mount.h>
41 #include <sys/vnode.h>
42 #include <sys/errno.h>
50 #define KASSERT(a, b) assert(a)
55 _acl_entry_matches(struct acl_entry *entry, acl_tag_t tag, acl_perm_t perm,
56 acl_entry_type_t entry_type)
58 if (entry->ae_tag != tag)
61 if (entry->ae_id != ACL_UNDEFINED_ID)
64 if (entry->ae_perm != perm)
67 if (entry->ae_entry_type != entry_type)
70 if (entry->ae_flags != 0)
76 static struct acl_entry *
77 _acl_append(struct acl *aclp, acl_tag_t tag, acl_perm_t perm,
78 acl_entry_type_t entry_type)
80 struct acl_entry *entry;
82 KASSERT(aclp->acl_cnt + 1 <= ACL_MAX_ENTRIES,
83 ("aclp->acl_cnt + 1 <= ACL_MAX_ENTRIES"));
85 entry = &(aclp->acl_entry[aclp->acl_cnt]);
89 entry->ae_id = ACL_UNDEFINED_ID;
90 entry->ae_perm = perm;
91 entry->ae_entry_type = entry_type;
97 static struct acl_entry *
98 _acl_duplicate_entry(struct acl *aclp, int entry_index)
102 KASSERT(aclp->acl_cnt + 1 <= ACL_MAX_ENTRIES,
103 ("aclp->acl_cnt + 1 <= ACL_MAX_ENTRIES"));
105 for (i = aclp->acl_cnt; i > entry_index; i--)
106 aclp->acl_entry[i] = aclp->acl_entry[i - 1];
110 return (&(aclp->acl_entry[entry_index + 1]));
114 acl_nfs4_sync_acl_from_mode(struct acl *aclp, mode_t mode, int file_owner_id)
116 int i, meets, must_append;
117 struct acl_entry *entry, *copy, *previous,
118 *a1, *a2, *a3, *a4, *a5, *a6;
121 const int WRITE = 02;
124 KASSERT(aclp->acl_cnt >= 0, ("aclp->acl_cnt >= 0"));
125 KASSERT(aclp->acl_cnt <= ACL_MAX_ENTRIES,
126 ("aclp->acl_cnt <= ACL_MAX_ENTRIES"));
129 * NFSv4 Minor Version 1, draft-ietf-nfsv4-minorversion1-03.txt
131 * 3.16.6.3. Applying a Mode to an Existing ACL
137 for (i = 0; i < aclp->acl_cnt; i++) {
138 entry = &(aclp->acl_entry[i]);
141 * 1.1. If the type is neither ALLOW or DENY - skip.
143 if (entry->ae_entry_type != ACL_ENTRY_TYPE_ALLOW &&
144 entry->ae_entry_type != ACL_ENTRY_TYPE_DENY)
148 * 1.2. If ACL_ENTRY_INHERIT_ONLY is set - skip.
150 if (entry->ae_flags & ACL_ENTRY_INHERIT_ONLY)
154 * 1.3. If ACL_ENTRY_FILE_INHERIT or ACL_ENTRY_DIRECTORY_INHERIT
157 if (entry->ae_flags &
158 (ACL_ENTRY_FILE_INHERIT | ACL_ENTRY_DIRECTORY_INHERIT)) {
160 * 1.3.1. A copy of the current ACE is made, and placed
161 * in the ACL immediately following the current
164 copy = _acl_duplicate_entry(aclp, i);
167 * 1.3.2. In the first ACE, the flag
168 * ACL_ENTRY_INHERIT_ONLY is set.
170 entry->ae_flags |= ACL_ENTRY_INHERIT_ONLY;
173 * 1.3.3. In the second ACE, the following flags
175 * ACL_ENTRY_FILE_INHERIT,
176 * ACL_ENTRY_DIRECTORY_INHERIT,
177 * ACL_ENTRY_NO_PROPAGATE_INHERIT.
179 copy->ae_flags &= ~(ACL_ENTRY_FILE_INHERIT |
180 ACL_ENTRY_DIRECTORY_INHERIT |
181 ACL_ENTRY_NO_PROPAGATE_INHERIT);
184 * The algorithm continues on with the second ACE.
191 * 1.4. If it's owner@, group@ or everyone@ entry, clear
192 * ACL_READ_DATA, ACL_WRITE_DATA, ACL_APPEND_DATA
193 * and ACL_EXECUTE. Continue to the next entry.
195 if (entry->ae_tag == ACL_USER_OBJ ||
196 entry->ae_tag == ACL_GROUP_OBJ ||
197 entry->ae_tag == ACL_EVERYONE) {
198 entry->ae_perm &= ~(ACL_READ_DATA | ACL_WRITE_DATA |
199 ACL_APPEND_DATA | ACL_EXECUTE);
204 * 1.5. Otherwise, if the "who" field did not match one
205 * of OWNER@, GROUP@, EVERYONE@:
207 * 1.5.1. If the type is ALLOW, check the preceding ACE.
208 * If it does not meet all of the following criteria:
210 if (entry->ae_entry_type != ACL_ENTRY_TYPE_ALLOW)
216 previous = &(aclp->acl_entry[i - 1]);
219 * 1.5.1.1. The type field is DENY,
221 if (previous->ae_entry_type != ACL_ENTRY_TYPE_DENY)
225 * 1.5.1.2. The "who" field is the same as the current
228 * 1.5.1.3. The flag bit ACE4_IDENTIFIER_GROUP
229 * is the same as it is in the current ACE,
230 * and no other flag bits are set,
232 if (previous->ae_id != entry->ae_id ||
233 previous->ae_tag != entry->ae_tag)
236 if (previous->ae_flags)
240 * 1.5.1.4. The mask bits are a subset of the mask bits
241 * of the current ACE, and are also subset of
242 * the following: ACL_READ_DATA,
243 * ACL_WRITE_DATA, ACL_APPEND_DATA, ACL_EXECUTE
245 if (previous->ae_perm & ~(entry->ae_perm))
248 if (previous->ae_perm & ~(ACL_READ_DATA |
249 ACL_WRITE_DATA | ACL_APPEND_DATA | ACL_EXECUTE))
255 * Then the ACE of type DENY, with a who equal
256 * to the current ACE, flag bits equal to
257 * (<current ACE flags> & <ACE_IDENTIFIER_GROUP>)
258 * and no mask bits, is prepended.
261 entry = _acl_duplicate_entry(aclp, i);
263 /* Adjust counter, as we've just added an entry. */
266 previous->ae_tag = entry->ae_tag;
267 previous->ae_id = entry->ae_id;
268 previous->ae_flags = entry->ae_flags;
269 previous->ae_perm = 0;
270 previous->ae_entry_type = ACL_ENTRY_TYPE_DENY;
274 * 1.5.2. The following modifications are made to the prepended
275 * ACE. The intent is to mask the following ACE
276 * to disallow ACL_READ_DATA, ACL_WRITE_DATA,
277 * ACL_APPEND_DATA, or ACL_EXECUTE, based upon the group
278 * permissions of the new mode. As a special case,
279 * if the ACE matches the current owner of the file,
280 * the owner bits are used, rather than the group bits.
281 * This is reflected in the algorithm below.
286 * If ACE4_IDENTIFIER_GROUP is not set, and the "who" field
287 * in ACE matches the owner of the file, we shift amode three
288 * more bits, in order to have the owner permission bits
289 * placed in the three low order bits of amode.
291 if (entry->ae_tag == ACL_USER && entry->ae_id == file_owner_id)
294 if (entry->ae_perm & ACL_READ_DATA) {
296 previous->ae_perm &= ~ACL_READ_DATA;
298 previous->ae_perm |= ACL_READ_DATA;
301 if (entry->ae_perm & ACL_WRITE_DATA) {
303 previous->ae_perm &= ~ACL_WRITE_DATA;
305 previous->ae_perm |= ACL_WRITE_DATA;
308 if (entry->ae_perm & ACL_APPEND_DATA) {
310 previous->ae_perm &= ~ACL_APPEND_DATA;
312 previous->ae_perm |= ACL_APPEND_DATA;
315 if (entry->ae_perm & ACL_EXECUTE) {
317 previous->ae_perm &= ~ACL_EXECUTE;
319 previous->ae_perm |= ACL_EXECUTE;
323 * 1.5.3. If ACE4_IDENTIFIER_GROUP is set in the flags
326 * XXX: This point is not there in the Falkner's draft.
328 if (entry->ae_tag == ACL_GROUP &&
329 entry->ae_entry_type == ACL_ENTRY_TYPE_ALLOW) {
330 mode_t extramode, ownermode;
331 extramode = (mode >> 3) & 07;
332 ownermode = mode >> 6;
333 extramode &= ~ownermode;
336 if (extramode & READ) {
337 entry->ae_perm &= ~ACL_READ_DATA;
338 previous->ae_perm &= ~ACL_READ_DATA;
341 if (extramode & WRITE) {
343 ~(ACL_WRITE_DATA | ACL_APPEND_DATA);
345 ~(ACL_WRITE_DATA | ACL_APPEND_DATA);
348 if (extramode & EXEC) {
349 entry->ae_perm &= ~ACL_EXECUTE;
350 previous->ae_perm &= ~ACL_EXECUTE;
357 * 2. If there at least six ACEs, the final six ACEs are examined.
358 * If they are not equal to what we want, append six ACEs.
361 if (aclp->acl_cnt < 6) {
364 a6 = &(aclp->acl_entry[aclp->acl_cnt - 1]);
365 a5 = &(aclp->acl_entry[aclp->acl_cnt - 2]);
366 a4 = &(aclp->acl_entry[aclp->acl_cnt - 3]);
367 a3 = &(aclp->acl_entry[aclp->acl_cnt - 4]);
368 a2 = &(aclp->acl_entry[aclp->acl_cnt - 5]);
369 a1 = &(aclp->acl_entry[aclp->acl_cnt - 6]);
371 if (!_acl_entry_matches(a1, ACL_USER_OBJ, 0,
372 ACL_ENTRY_TYPE_DENY))
374 if (!_acl_entry_matches(a2, ACL_USER_OBJ, ACL_WRITE_ACL |
375 ACL_WRITE_OWNER | ACL_WRITE_ATTRIBUTES |
376 ACL_WRITE_NAMED_ATTRS, ACL_ENTRY_TYPE_ALLOW))
378 if (!_acl_entry_matches(a3, ACL_GROUP_OBJ, 0,
379 ACL_ENTRY_TYPE_DENY))
381 if (!_acl_entry_matches(a4, ACL_GROUP_OBJ, 0,
382 ACL_ENTRY_TYPE_ALLOW))
384 if (!_acl_entry_matches(a5, ACL_EVERYONE, ACL_WRITE_ACL |
385 ACL_WRITE_OWNER | ACL_WRITE_ATTRIBUTES |
386 ACL_WRITE_NAMED_ATTRS, ACL_ENTRY_TYPE_DENY))
388 if (!_acl_entry_matches(a6, ACL_EVERYONE, ACL_READ_ACL |
389 ACL_READ_ATTRIBUTES | ACL_READ_NAMED_ATTRS |
390 ACL_SYNCHRONIZE, ACL_ENTRY_TYPE_ALLOW))
395 KASSERT(aclp->acl_cnt + 6 <= ACL_MAX_ENTRIES,
396 ("aclp->acl_cnt <= ACL_MAX_ENTRIES"));
398 a1 = _acl_append(aclp, ACL_USER_OBJ, 0, ACL_ENTRY_TYPE_DENY);
399 a2 = _acl_append(aclp, ACL_USER_OBJ, ACL_WRITE_ACL |
400 ACL_WRITE_OWNER | ACL_WRITE_ATTRIBUTES |
401 ACL_WRITE_NAMED_ATTRS, ACL_ENTRY_TYPE_ALLOW);
402 a3 = _acl_append(aclp, ACL_GROUP_OBJ, 0, ACL_ENTRY_TYPE_DENY);
403 a4 = _acl_append(aclp, ACL_GROUP_OBJ, 0, ACL_ENTRY_TYPE_ALLOW);
404 a5 = _acl_append(aclp, ACL_EVERYONE, ACL_WRITE_ACL |
405 ACL_WRITE_OWNER | ACL_WRITE_ATTRIBUTES |
406 ACL_WRITE_NAMED_ATTRS, ACL_ENTRY_TYPE_DENY);
407 a6 = _acl_append(aclp, ACL_EVERYONE, ACL_READ_ACL |
408 ACL_READ_ATTRIBUTES | ACL_READ_NAMED_ATTRS |
409 ACL_SYNCHRONIZE, ACL_ENTRY_TYPE_ALLOW);
411 KASSERT(a1 != NULL && a2 != NULL && a3 != NULL && a4 != NULL &&
412 a5 != NULL && a6 != NULL, ("couldn't append to ACL."));
416 * 3. The final six ACEs are adjusted according to the incoming mode.
419 a2->ae_perm |= ACL_READ_DATA;
421 a1->ae_perm |= ACL_READ_DATA;
423 a2->ae_perm |= (ACL_WRITE_DATA | ACL_APPEND_DATA);
425 a1->ae_perm |= (ACL_WRITE_DATA | ACL_APPEND_DATA);
427 a2->ae_perm |= ACL_EXECUTE;
429 a1->ae_perm |= ACL_EXECUTE;
432 a4->ae_perm |= ACL_READ_DATA;
434 a3->ae_perm |= ACL_READ_DATA;
436 a4->ae_perm |= (ACL_WRITE_DATA | ACL_APPEND_DATA);
438 a3->ae_perm |= (ACL_WRITE_DATA | ACL_APPEND_DATA);
440 a4->ae_perm |= ACL_EXECUTE;
442 a3->ae_perm |= ACL_EXECUTE;
445 a6->ae_perm |= ACL_READ_DATA;
447 a5->ae_perm |= ACL_READ_DATA;
449 a6->ae_perm |= (ACL_WRITE_DATA | ACL_APPEND_DATA);
451 a5->ae_perm |= (ACL_WRITE_DATA | ACL_APPEND_DATA);
453 a6->ae_perm |= ACL_EXECUTE;
455 a5->ae_perm |= ACL_EXECUTE;
459 acl_nfs4_sync_mode_from_acl(mode_t *_mode, const struct acl *aclp)
462 mode_t old_mode = *_mode, mode = 0, seen = 0;
463 const struct acl_entry *entry;
465 KASSERT(aclp->acl_cnt > 0, ("aclp->acl_cnt > 0"));
466 KASSERT(aclp->acl_cnt <= ACL_MAX_ENTRIES,
467 ("aclp->acl_cnt <= ACL_MAX_ENTRIES"));
470 * NFSv4 Minor Version 1, draft-ietf-nfsv4-minorversion1-03.txt
472 * 3.16.6.1. Recomputing mode upon SETATTR of ACL
475 for (i = 0; i < aclp->acl_cnt; i++) {
476 entry = &(aclp->acl_entry[i]);
478 if (entry->ae_entry_type != ACL_ENTRY_TYPE_ALLOW &&
479 entry->ae_entry_type != ACL_ENTRY_TYPE_DENY)
482 if (entry->ae_flags & ACL_ENTRY_INHERIT_ONLY)
485 if (entry->ae_tag == ACL_USER_OBJ) {
486 if ((entry->ae_perm & ACL_READ_DATA) &&
487 ((seen & S_IRUSR) == 0)) {
489 if (entry->ae_entry_type == ACL_ENTRY_TYPE_ALLOW)
492 if ((entry->ae_perm & ACL_WRITE_DATA) &&
493 ((seen & S_IWUSR) == 0)) {
495 if (entry->ae_entry_type == ACL_ENTRY_TYPE_ALLOW)
498 if ((entry->ae_perm & ACL_EXECUTE) &&
499 ((seen & S_IXUSR) == 0)) {
501 if (entry->ae_entry_type == ACL_ENTRY_TYPE_ALLOW)
504 } else if (entry->ae_tag == ACL_GROUP_OBJ) {
505 if ((entry->ae_perm & ACL_READ_DATA) &&
506 ((seen & S_IRGRP) == 0)) {
508 if (entry->ae_entry_type == ACL_ENTRY_TYPE_ALLOW)
511 if ((entry->ae_perm & ACL_WRITE_DATA) &&
512 ((seen & S_IWGRP) == 0)) {
514 if (entry->ae_entry_type == ACL_ENTRY_TYPE_ALLOW)
517 if ((entry->ae_perm & ACL_EXECUTE) &&
518 ((seen & S_IXGRP) == 0)) {
520 if (entry->ae_entry_type == ACL_ENTRY_TYPE_ALLOW)
523 } else if (entry->ae_tag == ACL_EVERYONE) {
524 if (entry->ae_perm & ACL_READ_DATA) {
525 if ((seen & S_IRUSR) == 0) {
527 if (entry->ae_entry_type == ACL_ENTRY_TYPE_ALLOW)
530 if ((seen & S_IRGRP) == 0) {
532 if (entry->ae_entry_type == ACL_ENTRY_TYPE_ALLOW)
535 if ((seen & S_IROTH) == 0) {
537 if (entry->ae_entry_type == ACL_ENTRY_TYPE_ALLOW)
541 if (entry->ae_perm & ACL_WRITE_DATA) {
542 if ((seen & S_IWUSR) == 0) {
544 if (entry->ae_entry_type == ACL_ENTRY_TYPE_ALLOW)
547 if ((seen & S_IWGRP) == 0) {
549 if (entry->ae_entry_type == ACL_ENTRY_TYPE_ALLOW)
552 if ((seen & S_IWOTH) == 0) {
554 if (entry->ae_entry_type == ACL_ENTRY_TYPE_ALLOW)
558 if (entry->ae_perm & ACL_EXECUTE) {
559 if ((seen & S_IXUSR) == 0) {
561 if (entry->ae_entry_type == ACL_ENTRY_TYPE_ALLOW)
564 if ((seen & S_IXGRP) == 0) {
566 if (entry->ae_entry_type == ACL_ENTRY_TYPE_ALLOW)
569 if ((seen & S_IXOTH) == 0) {
571 if (entry->ae_entry_type == ACL_ENTRY_TYPE_ALLOW)
578 *_mode = mode | (old_mode & ACL_PRESERVE_MASK);