4 * The contents of this file are subject to the terms of the
5 * Common Development and Distribution License (the "License").
6 * You may not use this file except in compliance with the License.
8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9 * or http://www.opensolaris.org/os/licensing.
10 * See the License for the specific language governing permissions
11 * and limitations under the License.
13 * When distributing Covered Code, include this CDDL HEADER in each
14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15 * If applicable, add the following below this CDDL HEADER, with the
16 * fields enclosed by brackets "[]" replaced with your own identifying
17 * information: Portions Copyright [yyyy] [name of copyright owner]
22 * Copyright 2008 Sun Microsystems, Inc. All rights reserved.
23 * Use is subject to license terms.
26 #include <sys/types.h>
27 #include <sys/param.h>
29 #include <sys/systm.h>
30 #include <sys/sysmacros.h>
31 #include <sys/resource.h>
33 #include <sys/vnode.h>
37 #include <sys/cmn_err.h>
38 #include <sys/errno.h>
39 #include <sys/unistd.h>
41 #include <sys/fs/zfs.h>
42 #include <sys/policy.h>
43 #include <sys/zfs_znode.h>
44 #include <sys/zfs_fuid.h>
45 #include <sys/zfs_acl.h>
46 #include <sys/zfs_dir.h>
47 #include <sys/zfs_vfsops.h>
49 #include <sys/dnode.h>
51 #include <acl/acl_common.h>
53 #define ALLOW ACE_ACCESS_ALLOWED_ACE_TYPE
54 #define DENY ACE_ACCESS_DENIED_ACE_TYPE
55 #define MAX_ACE_TYPE ACE_SYSTEM_ALARM_CALLBACK_OBJECT_ACE_TYPE
56 #define MIN_ACE_TYPE ALLOW
58 #define OWNING_GROUP (ACE_GROUP|ACE_IDENTIFIER_GROUP)
59 #define EVERYONE_ALLOW_MASK (ACE_READ_ACL|ACE_READ_ATTRIBUTES | \
60 ACE_READ_NAMED_ATTRS|ACE_SYNCHRONIZE)
61 #define EVERYONE_DENY_MASK (ACE_WRITE_ACL|ACE_WRITE_OWNER | \
62 ACE_WRITE_ATTRIBUTES|ACE_WRITE_NAMED_ATTRS)
63 #define OWNER_ALLOW_MASK (ACE_WRITE_ACL | ACE_WRITE_OWNER | \
64 ACE_WRITE_ATTRIBUTES|ACE_WRITE_NAMED_ATTRS)
65 #define WRITE_MASK_DATA (ACE_WRITE_DATA|ACE_APPEND_DATA|ACE_WRITE_NAMED_ATTRS)
67 #define ZFS_CHECKED_MASKS (ACE_READ_ACL|ACE_READ_ATTRIBUTES|ACE_READ_DATA| \
68 ACE_READ_NAMED_ATTRS|ACE_WRITE_DATA|ACE_WRITE_ATTRIBUTES| \
69 ACE_WRITE_NAMED_ATTRS|ACE_APPEND_DATA|ACE_EXECUTE|ACE_WRITE_OWNER| \
70 ACE_WRITE_ACL|ACE_DELETE|ACE_DELETE_CHILD|ACE_SYNCHRONIZE)
72 #define WRITE_MASK (WRITE_MASK_DATA|ACE_WRITE_ATTRIBUTES|ACE_WRITE_ACL|\
73 ACE_WRITE_OWNER|ACE_DELETE|ACE_DELETE_CHILD)
75 #define OGE_CLEAR (ACE_READ_DATA|ACE_LIST_DIRECTORY|ACE_WRITE_DATA| \
76 ACE_ADD_FILE|ACE_APPEND_DATA|ACE_ADD_SUBDIRECTORY|ACE_EXECUTE)
78 #define OKAY_MASK_BITS (ACE_READ_DATA|ACE_LIST_DIRECTORY|ACE_WRITE_DATA| \
79 ACE_ADD_FILE|ACE_APPEND_DATA|ACE_ADD_SUBDIRECTORY|ACE_EXECUTE)
81 #define ALL_INHERIT (ACE_FILE_INHERIT_ACE|ACE_DIRECTORY_INHERIT_ACE | \
82 ACE_NO_PROPAGATE_INHERIT_ACE|ACE_INHERIT_ONLY_ACE|ACE_INHERITED_ACE)
84 #define RESTRICTED_CLEAR (ACE_WRITE_ACL|ACE_WRITE_OWNER)
86 #define V4_ACL_WIDE_FLAGS (ZFS_ACL_AUTO_INHERIT|ZFS_ACL_DEFAULTED|\
89 #define ZFS_ACL_WIDE_FLAGS (V4_ACL_WIDE_FLAGS|ZFS_ACL_TRIVIAL|ZFS_INHERIT_ACE|\
93 zfs_ace_v0_get_type(void *acep)
95 return (((zfs_oldace_t *)acep)->z_type);
99 zfs_ace_v0_get_flags(void *acep)
101 return (((zfs_oldace_t *)acep)->z_flags);
105 zfs_ace_v0_get_mask(void *acep)
107 return (((zfs_oldace_t *)acep)->z_access_mask);
111 zfs_ace_v0_get_who(void *acep)
113 return (((zfs_oldace_t *)acep)->z_fuid);
117 zfs_ace_v0_set_type(void *acep, uint16_t type)
119 ((zfs_oldace_t *)acep)->z_type = type;
123 zfs_ace_v0_set_flags(void *acep, uint16_t flags)
125 ((zfs_oldace_t *)acep)->z_flags = flags;
129 zfs_ace_v0_set_mask(void *acep, uint32_t mask)
131 ((zfs_oldace_t *)acep)->z_access_mask = mask;
135 zfs_ace_v0_set_who(void *acep, uint64_t who)
137 ((zfs_oldace_t *)acep)->z_fuid = who;
142 zfs_ace_v0_size(void *acep)
144 return (sizeof (zfs_oldace_t));
148 zfs_ace_v0_abstract_size(void)
150 return (sizeof (zfs_oldace_t));
154 zfs_ace_v0_mask_off(void)
156 return (offsetof(zfs_oldace_t, z_access_mask));
161 zfs_ace_v0_data(void *acep, void **datap)
167 static acl_ops_t zfs_acl_v0_ops = {
170 zfs_ace_v0_get_flags,
171 zfs_ace_v0_set_flags,
177 zfs_ace_v0_abstract_size,
183 zfs_ace_fuid_get_type(void *acep)
185 return (((zfs_ace_hdr_t *)acep)->z_type);
189 zfs_ace_fuid_get_flags(void *acep)
191 return (((zfs_ace_hdr_t *)acep)->z_flags);
195 zfs_ace_fuid_get_mask(void *acep)
197 return (((zfs_ace_hdr_t *)acep)->z_access_mask);
201 zfs_ace_fuid_get_who(void *args)
204 zfs_ace_t *acep = args;
206 entry_type = acep->z_hdr.z_flags & ACE_TYPE_FLAGS;
208 if (entry_type == ACE_OWNER || entry_type == OWNING_GROUP ||
209 entry_type == ACE_EVERYONE)
211 return (((zfs_ace_t *)acep)->z_fuid);
215 zfs_ace_fuid_set_type(void *acep, uint16_t type)
217 ((zfs_ace_hdr_t *)acep)->z_type = type;
221 zfs_ace_fuid_set_flags(void *acep, uint16_t flags)
223 ((zfs_ace_hdr_t *)acep)->z_flags = flags;
227 zfs_ace_fuid_set_mask(void *acep, uint32_t mask)
229 ((zfs_ace_hdr_t *)acep)->z_access_mask = mask;
233 zfs_ace_fuid_set_who(void *arg, uint64_t who)
235 zfs_ace_t *acep = arg;
237 uint16_t entry_type = acep->z_hdr.z_flags & ACE_TYPE_FLAGS;
239 if (entry_type == ACE_OWNER || entry_type == OWNING_GROUP ||
240 entry_type == ACE_EVERYONE)
246 zfs_ace_fuid_size(void *acep)
248 zfs_ace_hdr_t *zacep = acep;
251 switch (zacep->z_type) {
252 case ACE_ACCESS_ALLOWED_OBJECT_ACE_TYPE:
253 case ACE_ACCESS_DENIED_OBJECT_ACE_TYPE:
254 case ACE_SYSTEM_AUDIT_OBJECT_ACE_TYPE:
255 case ACE_SYSTEM_ALARM_OBJECT_ACE_TYPE:
256 return (sizeof (zfs_object_ace_t));
260 (((zfs_ace_hdr_t *)acep)->z_flags & ACE_TYPE_FLAGS);
261 if (entry_type == ACE_OWNER ||
262 entry_type == OWNING_GROUP ||
263 entry_type == ACE_EVERYONE)
264 return (sizeof (zfs_ace_hdr_t));
267 return (sizeof (zfs_ace_t));
272 zfs_ace_fuid_abstract_size(void)
274 return (sizeof (zfs_ace_hdr_t));
278 zfs_ace_fuid_mask_off(void)
280 return (offsetof(zfs_ace_hdr_t, z_access_mask));
284 zfs_ace_fuid_data(void *acep, void **datap)
286 zfs_ace_t *zacep = acep;
287 zfs_object_ace_t *zobjp;
289 switch (zacep->z_hdr.z_type) {
290 case ACE_ACCESS_ALLOWED_OBJECT_ACE_TYPE:
291 case ACE_ACCESS_DENIED_OBJECT_ACE_TYPE:
292 case ACE_SYSTEM_AUDIT_OBJECT_ACE_TYPE:
293 case ACE_SYSTEM_ALARM_OBJECT_ACE_TYPE:
295 *datap = (caddr_t)zobjp + sizeof (zfs_ace_t);
296 return (sizeof (zfs_object_ace_t) - sizeof (zfs_ace_t));
303 static acl_ops_t zfs_acl_fuid_ops = {
304 zfs_ace_fuid_get_mask,
305 zfs_ace_fuid_set_mask,
306 zfs_ace_fuid_get_flags,
307 zfs_ace_fuid_set_flags,
308 zfs_ace_fuid_get_type,
309 zfs_ace_fuid_set_type,
310 zfs_ace_fuid_get_who,
311 zfs_ace_fuid_set_who,
313 zfs_ace_fuid_abstract_size,
314 zfs_ace_fuid_mask_off,
319 zfs_acl_version(int version)
321 if (version < ZPL_VERSION_FUID)
322 return (ZFS_ACL_VERSION_INITIAL);
324 return (ZFS_ACL_VERSION_FUID);
328 zfs_acl_version_zp(znode_t *zp)
330 return (zfs_acl_version(zp->z_zfsvfs->z_version));
334 zfs_acl_alloc(int vers)
338 aclp = kmem_zalloc(sizeof (zfs_acl_t), KM_SLEEP);
339 list_create(&aclp->z_acl, sizeof (zfs_acl_node_t),
340 offsetof(zfs_acl_node_t, z_next));
341 aclp->z_version = vers;
342 if (vers == ZFS_ACL_VERSION_FUID)
343 aclp->z_ops = zfs_acl_fuid_ops;
345 aclp->z_ops = zfs_acl_v0_ops;
349 static zfs_acl_node_t *
350 zfs_acl_node_alloc(size_t bytes)
352 zfs_acl_node_t *aclnode;
354 aclnode = kmem_zalloc(sizeof (zfs_acl_node_t), KM_SLEEP);
356 aclnode->z_acldata = kmem_alloc(bytes, KM_SLEEP);
357 aclnode->z_allocdata = aclnode->z_acldata;
358 aclnode->z_allocsize = bytes;
359 aclnode->z_size = bytes;
366 zfs_acl_node_free(zfs_acl_node_t *aclnode)
368 if (aclnode->z_allocsize)
369 kmem_free(aclnode->z_allocdata, aclnode->z_allocsize);
370 kmem_free(aclnode, sizeof (zfs_acl_node_t));
374 zfs_acl_release_nodes(zfs_acl_t *aclp)
376 zfs_acl_node_t *aclnode;
378 while (aclnode = list_head(&aclp->z_acl)) {
379 list_remove(&aclp->z_acl, aclnode);
380 zfs_acl_node_free(aclnode);
382 aclp->z_acl_count = 0;
383 aclp->z_acl_bytes = 0;
387 zfs_acl_free(zfs_acl_t *aclp)
389 zfs_acl_release_nodes(aclp);
390 list_destroy(&aclp->z_acl);
391 kmem_free(aclp, sizeof (zfs_acl_t));
395 zfs_acl_valid_ace_type(uint_t type, uint_t flags)
402 case ACE_SYSTEM_AUDIT_ACE_TYPE:
403 case ACE_SYSTEM_ALARM_ACE_TYPE:
404 entry_type = flags & ACE_TYPE_FLAGS;
405 return (entry_type == ACE_OWNER ||
406 entry_type == OWNING_GROUP ||
407 entry_type == ACE_EVERYONE || entry_type == 0 ||
408 entry_type == ACE_IDENTIFIER_GROUP);
410 if (type >= MIN_ACE_TYPE && type <= MAX_ACE_TYPE)
417 zfs_ace_valid(vtype_t obj_type, zfs_acl_t *aclp, uint16_t type, uint16_t iflags)
420 * first check type of entry
423 if (!zfs_acl_valid_ace_type(type, iflags))
427 case ACE_ACCESS_ALLOWED_OBJECT_ACE_TYPE:
428 case ACE_ACCESS_DENIED_OBJECT_ACE_TYPE:
429 case ACE_SYSTEM_AUDIT_OBJECT_ACE_TYPE:
430 case ACE_SYSTEM_ALARM_OBJECT_ACE_TYPE:
431 if (aclp->z_version < ZFS_ACL_VERSION_FUID)
433 aclp->z_hints |= ZFS_ACL_OBJ_ACE;
437 * next check inheritance level flags
440 if (obj_type == VDIR &&
441 (iflags & (ACE_FILE_INHERIT_ACE|ACE_DIRECTORY_INHERIT_ACE)))
442 aclp->z_hints |= ZFS_INHERIT_ACE;
444 if (iflags & (ACE_INHERIT_ONLY_ACE|ACE_NO_PROPAGATE_INHERIT_ACE)) {
445 if ((iflags & (ACE_FILE_INHERIT_ACE|
446 ACE_DIRECTORY_INHERIT_ACE)) == 0) {
455 zfs_acl_next_ace(zfs_acl_t *aclp, void *start, uint64_t *who,
456 uint32_t *access_mask, uint16_t *iflags, uint16_t *type)
458 zfs_acl_node_t *aclnode;
461 aclnode = list_head(&aclp->z_acl);
465 aclp->z_next_ace = aclnode->z_acldata;
466 aclp->z_curr_node = aclnode;
467 aclnode->z_ace_idx = 0;
470 aclnode = aclp->z_curr_node;
475 if (aclnode->z_ace_idx >= aclnode->z_ace_count) {
476 aclnode = list_next(&aclp->z_acl, aclnode);
480 aclp->z_curr_node = aclnode;
481 aclnode->z_ace_idx = 0;
482 aclp->z_next_ace = aclnode->z_acldata;
486 if (aclnode->z_ace_idx < aclnode->z_ace_count) {
487 void *acep = aclp->z_next_ace;
491 * Make sure we don't overstep our bounds
493 ace_size = aclp->z_ops.ace_size(acep);
495 if (((caddr_t)acep + ace_size) >
496 ((caddr_t)aclnode->z_acldata + aclnode->z_size)) {
500 *iflags = aclp->z_ops.ace_flags_get(acep);
501 *type = aclp->z_ops.ace_type_get(acep);
502 *access_mask = aclp->z_ops.ace_mask_get(acep);
503 *who = aclp->z_ops.ace_who_get(acep);
504 aclp->z_next_ace = (caddr_t)aclp->z_next_ace + ace_size;
505 aclnode->z_ace_idx++;
506 return ((void *)acep);
513 zfs_ace_walk(void *datap, uint64_t cookie, int aclcnt,
514 uint16_t *flags, uint16_t *type, uint32_t *mask)
516 zfs_acl_t *aclp = datap;
517 zfs_ace_hdr_t *acep = (zfs_ace_hdr_t *)(uintptr_t)cookie;
520 acep = zfs_acl_next_ace(aclp, acep, &who, mask,
522 return ((uint64_t)(uintptr_t)acep);
525 static zfs_acl_node_t *
526 zfs_acl_curr_node(zfs_acl_t *aclp)
528 ASSERT(aclp->z_curr_node);
529 return (aclp->z_curr_node);
533 * Copy ACE to internal ZFS format.
534 * While processing the ACL each ACE will be validated for correctness.
535 * ACE FUIDs will be created later.
538 zfs_copy_ace_2_fuid(vtype_t obj_type, zfs_acl_t *aclp, void *datap,
539 zfs_ace_t *z_acl, int aclcnt, size_t *size)
543 zfs_ace_t *aceptr = z_acl;
545 zfs_object_ace_t *zobjacep;
546 ace_object_t *aceobjp;
548 for (i = 0; i != aclcnt; i++) {
549 aceptr->z_hdr.z_access_mask = acep->a_access_mask;
550 aceptr->z_hdr.z_flags = acep->a_flags;
551 aceptr->z_hdr.z_type = acep->a_type;
552 entry_type = aceptr->z_hdr.z_flags & ACE_TYPE_FLAGS;
553 if (entry_type != ACE_OWNER && entry_type != OWNING_GROUP &&
554 entry_type != ACE_EVERYONE) {
555 if (!aclp->z_has_fuids)
556 aclp->z_has_fuids = IS_EPHEMERAL(acep->a_who);
557 aceptr->z_fuid = (uint64_t)acep->a_who;
561 * Make sure ACE is valid
563 if (zfs_ace_valid(obj_type, aclp, aceptr->z_hdr.z_type,
564 aceptr->z_hdr.z_flags) != B_TRUE)
567 switch (acep->a_type) {
568 case ACE_ACCESS_ALLOWED_OBJECT_ACE_TYPE:
569 case ACE_ACCESS_DENIED_OBJECT_ACE_TYPE:
570 case ACE_SYSTEM_AUDIT_OBJECT_ACE_TYPE:
571 case ACE_SYSTEM_ALARM_OBJECT_ACE_TYPE:
572 zobjacep = (zfs_object_ace_t *)aceptr;
573 aceobjp = (ace_object_t *)acep;
575 bcopy(aceobjp->a_obj_type, zobjacep->z_object_type,
576 sizeof (aceobjp->a_obj_type));
577 bcopy(aceobjp->a_inherit_obj_type,
578 zobjacep->z_inherit_type,
579 sizeof (aceobjp->a_inherit_obj_type));
580 acep = (ace_t *)((caddr_t)acep + sizeof (ace_object_t));
583 acep = (ace_t *)((caddr_t)acep + sizeof (ace_t));
586 aceptr = (zfs_ace_t *)((caddr_t)aceptr +
587 aclp->z_ops.ace_size(aceptr));
590 *size = (caddr_t)aceptr - (caddr_t)z_acl;
596 * Copy ZFS ACEs to fixed size ace_t layout
599 zfs_copy_fuid_2_ace(zfsvfs_t *zfsvfs, zfs_acl_t *aclp, cred_t *cr,
600 void *datap, int filter)
603 uint32_t access_mask;
604 uint16_t iflags, type;
605 zfs_ace_hdr_t *zacep = NULL;
607 ace_object_t *objacep;
608 zfs_object_ace_t *zobjacep;
612 while (zacep = zfs_acl_next_ace(aclp, zacep,
613 &who, &access_mask, &iflags, &type)) {
616 case ACE_ACCESS_ALLOWED_OBJECT_ACE_TYPE:
617 case ACE_ACCESS_DENIED_OBJECT_ACE_TYPE:
618 case ACE_SYSTEM_AUDIT_OBJECT_ACE_TYPE:
619 case ACE_SYSTEM_ALARM_OBJECT_ACE_TYPE:
623 zobjacep = (zfs_object_ace_t *)zacep;
624 objacep = (ace_object_t *)acep;
625 bcopy(zobjacep->z_object_type,
627 sizeof (zobjacep->z_object_type));
628 bcopy(zobjacep->z_inherit_type,
629 objacep->a_inherit_obj_type,
630 sizeof (zobjacep->z_inherit_type));
631 ace_size = sizeof (ace_object_t);
634 ace_size = sizeof (ace_t);
638 entry_type = (iflags & ACE_TYPE_FLAGS);
639 if ((entry_type != ACE_OWNER &&
640 entry_type != OWNING_GROUP &&
641 entry_type != ACE_EVERYONE)) {
642 acep->a_who = zfs_fuid_map_id(zfsvfs, who,
643 cr, (entry_type & ACE_IDENTIFIER_GROUP) ?
644 ZFS_ACE_GROUP : ZFS_ACE_USER);
646 acep->a_who = (uid_t)(int64_t)who;
648 acep->a_access_mask = access_mask;
649 acep->a_flags = iflags;
651 acep = (ace_t *)((caddr_t)acep + ace_size);
656 zfs_copy_ace_2_oldace(vtype_t obj_type, zfs_acl_t *aclp, ace_t *acep,
657 zfs_oldace_t *z_acl, int aclcnt, size_t *size)
660 zfs_oldace_t *aceptr = z_acl;
662 for (i = 0; i != aclcnt; i++, aceptr++) {
663 aceptr->z_access_mask = acep[i].a_access_mask;
664 aceptr->z_type = acep[i].a_type;
665 aceptr->z_flags = acep[i].a_flags;
666 aceptr->z_fuid = acep[i].a_who;
668 * Make sure ACE is valid
670 if (zfs_ace_valid(obj_type, aclp, aceptr->z_type,
671 aceptr->z_flags) != B_TRUE)
674 *size = (caddr_t)aceptr - (caddr_t)z_acl;
679 * convert old ACL format to new
682 zfs_acl_xform(znode_t *zp, zfs_acl_t *aclp)
684 zfs_oldace_t *oldaclp;
686 uint16_t type, iflags;
687 uint32_t access_mask;
690 zfs_acl_node_t *newaclnode;
692 ASSERT(aclp->z_version == ZFS_ACL_VERSION_INITIAL);
694 * First create the ACE in a contiguous piece of memory
695 * for zfs_copy_ace_2_fuid().
697 * We only convert an ACL once, so this won't happen
700 oldaclp = kmem_alloc(sizeof (zfs_oldace_t) * aclp->z_acl_count,
703 while (cookie = zfs_acl_next_ace(aclp, cookie, &who,
704 &access_mask, &iflags, &type)) {
705 oldaclp[i].z_flags = iflags;
706 oldaclp[i].z_type = type;
707 oldaclp[i].z_fuid = who;
708 oldaclp[i++].z_access_mask = access_mask;
711 newaclnode = zfs_acl_node_alloc(aclp->z_acl_count *
712 sizeof (zfs_object_ace_t));
713 aclp->z_ops = zfs_acl_fuid_ops;
714 VERIFY(zfs_copy_ace_2_fuid(ZTOV(zp)->v_type, aclp, oldaclp,
715 newaclnode->z_acldata, aclp->z_acl_count,
716 &newaclnode->z_size) == 0);
717 newaclnode->z_ace_count = aclp->z_acl_count;
718 aclp->z_version = ZFS_ACL_VERSION;
719 kmem_free(oldaclp, aclp->z_acl_count * sizeof (zfs_oldace_t));
722 * Release all previous ACL nodes
725 zfs_acl_release_nodes(aclp);
727 list_insert_head(&aclp->z_acl, newaclnode);
729 aclp->z_acl_bytes = newaclnode->z_size;
730 aclp->z_acl_count = newaclnode->z_ace_count;
735 * Convert unix access mask to v4 access mask
738 zfs_unix_to_v4(uint32_t access_mask)
740 uint32_t new_mask = 0;
742 if (access_mask & S_IXOTH)
743 new_mask |= ACE_EXECUTE;
744 if (access_mask & S_IWOTH)
745 new_mask |= ACE_WRITE_DATA;
746 if (access_mask & S_IROTH)
747 new_mask |= ACE_READ_DATA;
752 zfs_set_ace(zfs_acl_t *aclp, void *acep, uint32_t access_mask,
753 uint16_t access_type, uint64_t fuid, uint16_t entry_type)
755 uint16_t type = entry_type & ACE_TYPE_FLAGS;
757 aclp->z_ops.ace_mask_set(acep, access_mask);
758 aclp->z_ops.ace_type_set(acep, access_type);
759 aclp->z_ops.ace_flags_set(acep, entry_type);
760 if ((type != ACE_OWNER && type != OWNING_GROUP &&
761 type != ACE_EVERYONE))
762 aclp->z_ops.ace_who_set(acep, fuid);
766 * Determine mode of file based on ACL.
767 * Also, create FUIDs for any User/Group ACEs
770 zfs_mode_fuid_compute(znode_t *zp, zfs_acl_t *aclp, cred_t *cr,
771 zfs_fuid_info_t **fuidp, dmu_tx_t *tx)
776 zfs_ace_hdr_t *acep = NULL;
778 uint16_t iflags, type;
779 uint32_t access_mask;
781 mode = (zp->z_phys->zp_mode & (S_IFMT | S_ISUID | S_ISGID | S_ISVTX));
783 while (acep = zfs_acl_next_ace(aclp, acep, &who,
784 &access_mask, &iflags, &type)) {
786 if (!zfs_acl_valid_ace_type(type, iflags))
789 entry_type = (iflags & ACE_TYPE_FLAGS);
792 * Skip over owner@, group@ or everyone@ inherit only ACEs
794 if ((iflags & ACE_INHERIT_ONLY_ACE) &&
795 (entry_type == ACE_OWNER || entry_type == ACE_EVERYONE ||
796 entry_type == OWNING_GROUP))
799 if (entry_type == ACE_OWNER) {
800 if ((access_mask & ACE_READ_DATA) &&
801 (!(seen & S_IRUSR))) {
807 if ((access_mask & ACE_WRITE_DATA) &&
808 (!(seen & S_IWUSR))) {
814 if ((access_mask & ACE_EXECUTE) &&
815 (!(seen & S_IXUSR))) {
821 } else if (entry_type == OWNING_GROUP) {
822 if ((access_mask & ACE_READ_DATA) &&
823 (!(seen & S_IRGRP))) {
829 if ((access_mask & ACE_WRITE_DATA) &&
830 (!(seen & S_IWGRP))) {
836 if ((access_mask & ACE_EXECUTE) &&
837 (!(seen & S_IXGRP))) {
843 } else if (entry_type == ACE_EVERYONE) {
844 if ((access_mask & ACE_READ_DATA)) {
845 if (!(seen & S_IRUSR)) {
851 if (!(seen & S_IRGRP)) {
857 if (!(seen & S_IROTH)) {
864 if ((access_mask & ACE_WRITE_DATA)) {
865 if (!(seen & S_IWUSR)) {
871 if (!(seen & S_IWGRP)) {
877 if (!(seen & S_IWOTH)) {
884 if ((access_mask & ACE_EXECUTE)) {
885 if (!(seen & S_IXUSR)) {
891 if (!(seen & S_IXGRP)) {
897 if (!(seen & S_IXOTH)) {
906 * Now handle FUID create for user/group ACEs
908 if (entry_type == 0 || entry_type == ACE_IDENTIFIER_GROUP) {
909 aclp->z_ops.ace_who_set(acep,
910 zfs_fuid_create(zp->z_zfsvfs, who, cr,
911 (entry_type == 0) ? ZFS_ACE_USER : ZFS_ACE_GROUP,
919 zfs_acl_node_read_internal(znode_t *zp, boolean_t will_modify)
922 zfs_acl_node_t *aclnode;
924 aclp = zfs_acl_alloc(zp->z_phys->zp_acl.z_acl_version);
927 * Version 0 to 1 znode_acl_phys has the size/count fields swapped.
928 * Version 0 didn't have a size field, only a count.
930 if (zp->z_phys->zp_acl.z_acl_version == ZFS_ACL_VERSION_INITIAL) {
931 aclp->z_acl_count = zp->z_phys->zp_acl.z_acl_size;
932 aclp->z_acl_bytes = ZFS_ACL_SIZE(aclp->z_acl_count);
934 aclp->z_acl_count = zp->z_phys->zp_acl.z_acl_count;
935 aclp->z_acl_bytes = zp->z_phys->zp_acl.z_acl_size;
938 aclnode = zfs_acl_node_alloc(will_modify ? aclp->z_acl_bytes : 0);
939 aclnode->z_ace_count = aclp->z_acl_count;
941 bcopy(zp->z_phys->zp_acl.z_ace_data, aclnode->z_acldata,
944 aclnode->z_size = aclp->z_acl_bytes;
945 aclnode->z_acldata = &zp->z_phys->zp_acl.z_ace_data[0];
948 list_insert_head(&aclp->z_acl, aclnode);
954 * Read an external acl object.
957 zfs_acl_node_read(znode_t *zp, zfs_acl_t **aclpp, boolean_t will_modify)
959 uint64_t extacl = zp->z_phys->zp_acl.z_acl_extern_obj;
963 zfs_acl_node_t *aclnode;
966 ASSERT(MUTEX_HELD(&zp->z_acl_lock));
968 if (zp->z_phys->zp_acl.z_acl_extern_obj == 0) {
969 *aclpp = zfs_acl_node_read_internal(zp, will_modify);
973 aclp = zfs_acl_alloc(zp->z_phys->zp_acl.z_acl_version);
974 if (zp->z_phys->zp_acl.z_acl_version == ZFS_ACL_VERSION_INITIAL) {
975 zfs_acl_phys_v0_t *zacl0 =
976 (zfs_acl_phys_v0_t *)&zp->z_phys->zp_acl;
978 aclsize = ZFS_ACL_SIZE(zacl0->z_acl_count);
979 acl_count = zacl0->z_acl_count;
981 aclsize = zp->z_phys->zp_acl.z_acl_size;
982 acl_count = zp->z_phys->zp_acl.z_acl_count;
984 aclsize = acl_count * sizeof (zfs_ace_t);
986 aclnode = zfs_acl_node_alloc(aclsize);
987 list_insert_head(&aclp->z_acl, aclnode);
988 error = dmu_read(zp->z_zfsvfs->z_os, extacl, 0,
989 aclsize, aclnode->z_acldata);
990 aclnode->z_ace_count = acl_count;
991 aclp->z_acl_count = acl_count;
992 aclp->z_acl_bytes = aclsize;
996 /* convert checksum errors into IO errors */
1007 * common code for setting ACLs.
1009 * This function is called from zfs_mode_update, zfs_perm_init, and zfs_setacl.
1010 * zfs_setacl passes a non-NULL inherit pointer (ihp) to indicate that it's
1011 * already checked the acl and knows whether to inherit.
1014 zfs_aclset_common(znode_t *zp, zfs_acl_t *aclp, cred_t *cr,
1015 zfs_fuid_info_t **fuidp, dmu_tx_t *tx)
1018 znode_phys_t *zphys = zp->z_phys;
1019 zfs_acl_phys_t *zacl = &zphys->zp_acl;
1020 zfsvfs_t *zfsvfs = zp->z_zfsvfs;
1021 uint64_t aoid = zphys->zp_acl.z_acl_extern_obj;
1023 dmu_object_type_t otype;
1024 zfs_acl_node_t *aclnode;
1026 ASSERT(MUTEX_HELD(&zp->z_lock));
1027 ASSERT(MUTEX_HELD(&zp->z_acl_lock));
1029 dmu_buf_will_dirty(zp->z_dbuf, tx);
1031 zphys->zp_mode = zfs_mode_fuid_compute(zp, aclp, cr, fuidp, tx);
1034 * Decide which opbject type to use. If we are forced to
1035 * use old ACL format than transform ACL into zfs_oldace_t
1038 if (!zfsvfs->z_use_fuids) {
1039 otype = DMU_OT_OLDACL;
1041 if ((aclp->z_version == ZFS_ACL_VERSION_INITIAL) &&
1042 (zfsvfs->z_version >= ZPL_VERSION_FUID))
1043 zfs_acl_xform(zp, aclp);
1044 ASSERT(aclp->z_version >= ZFS_ACL_VERSION_FUID);
1048 if (aclp->z_acl_bytes > ZFS_ACE_SPACE) {
1050 * If ACL was previously external and we are now
1051 * converting to new ACL format then release old
1052 * ACL object and create a new one.
1054 if (aoid && aclp->z_version != zacl->z_acl_version) {
1055 error = dmu_object_free(zfsvfs->z_os,
1056 zp->z_phys->zp_acl.z_acl_extern_obj, tx);
1062 aoid = dmu_object_alloc(zfsvfs->z_os,
1063 otype, aclp->z_acl_bytes,
1064 otype == DMU_OT_ACL ? DMU_OT_SYSACL : DMU_OT_NONE,
1065 otype == DMU_OT_ACL ? DN_MAX_BONUSLEN : 0, tx);
1067 (void) dmu_object_set_blocksize(zfsvfs->z_os, aoid,
1068 aclp->z_acl_bytes, 0, tx);
1070 zphys->zp_acl.z_acl_extern_obj = aoid;
1071 for (aclnode = list_head(&aclp->z_acl); aclnode;
1072 aclnode = list_next(&aclp->z_acl, aclnode)) {
1073 if (aclnode->z_ace_count == 0)
1075 dmu_write(zfsvfs->z_os, aoid, off,
1076 aclnode->z_size, aclnode->z_acldata, tx);
1077 off += aclnode->z_size;
1080 void *start = zacl->z_ace_data;
1082 * Migrating back embedded?
1084 if (zphys->zp_acl.z_acl_extern_obj) {
1085 error = dmu_object_free(zfsvfs->z_os,
1086 zp->z_phys->zp_acl.z_acl_extern_obj, tx);
1089 zphys->zp_acl.z_acl_extern_obj = 0;
1092 for (aclnode = list_head(&aclp->z_acl); aclnode;
1093 aclnode = list_next(&aclp->z_acl, aclnode)) {
1094 if (aclnode->z_ace_count == 0)
1096 bcopy(aclnode->z_acldata, start, aclnode->z_size);
1097 start = (caddr_t)start + aclnode->z_size;
1102 * If Old version then swap count/bytes to match old
1103 * layout of znode_acl_phys_t.
1105 if (aclp->z_version == ZFS_ACL_VERSION_INITIAL) {
1106 zphys->zp_acl.z_acl_size = aclp->z_acl_count;
1107 zphys->zp_acl.z_acl_count = aclp->z_acl_bytes;
1109 zphys->zp_acl.z_acl_size = aclp->z_acl_bytes;
1110 zphys->zp_acl.z_acl_count = aclp->z_acl_count;
1113 zphys->zp_acl.z_acl_version = aclp->z_version;
1116 * Replace ACL wide bits, but first clear them.
1118 zp->z_phys->zp_flags &= ~ZFS_ACL_WIDE_FLAGS;
1120 zp->z_phys->zp_flags |= aclp->z_hints;
1122 if (ace_trivial_common(aclp, 0, zfs_ace_walk) == 0)
1123 zp->z_phys->zp_flags |= ZFS_ACL_TRIVIAL;
1125 zfs_time_stamper_locked(zp, STATE_CHANGED, tx);
1130 * Update access mask for prepended ACE
1132 * This applies the "groupmask" value for aclmode property.
1135 zfs_acl_prepend_fixup(zfs_acl_t *aclp, void *acep, void *origacep,
1136 mode_t mode, uint64_t owner)
1138 int rmask, wmask, xmask;
1141 uint32_t origmask, acepmask;
1144 aceflags = aclp->z_ops.ace_flags_get(acep);
1145 fuid = aclp->z_ops.ace_who_get(acep);
1146 origmask = aclp->z_ops.ace_mask_get(origacep);
1147 acepmask = aclp->z_ops.ace_mask_get(acep);
1149 user_ace = (!(aceflags &
1150 (ACE_OWNER|ACE_GROUP|ACE_IDENTIFIER_GROUP)));
1152 if (user_ace && (fuid == owner)) {
1162 if (origmask & ACE_READ_DATA) {
1164 acepmask &= ~ACE_READ_DATA;
1166 acepmask |= ACE_READ_DATA;
1170 if (origmask & ACE_WRITE_DATA) {
1172 acepmask &= ~ACE_WRITE_DATA;
1174 acepmask |= ACE_WRITE_DATA;
1178 if (origmask & ACE_APPEND_DATA) {
1180 acepmask &= ~ACE_APPEND_DATA;
1182 acepmask |= ACE_APPEND_DATA;
1186 if (origmask & ACE_EXECUTE) {
1188 acepmask &= ~ACE_EXECUTE;
1190 acepmask |= ACE_EXECUTE;
1193 aclp->z_ops.ace_mask_set(acep, acepmask);
1197 * Apply mode to canonical six ACEs.
1200 zfs_acl_fixup_canonical_six(zfs_acl_t *aclp, mode_t mode)
1202 zfs_acl_node_t *aclnode = list_tail(&aclp->z_acl);
1204 int maskoff = aclp->z_ops.ace_mask_off();
1205 size_t abstract_size = aclp->z_ops.ace_abstract_size();
1207 ASSERT(aclnode != NULL);
1209 acep = (void *)((caddr_t)aclnode->z_acldata +
1210 aclnode->z_size - (abstract_size * 6));
1213 * Fixup final ACEs to match the mode
1216 adjust_ace_pair_common(acep, maskoff, abstract_size,
1217 (mode & 0700) >> 6); /* owner@ */
1219 acep = (caddr_t)acep + (abstract_size * 2);
1221 adjust_ace_pair_common(acep, maskoff, abstract_size,
1222 (mode & 0070) >> 3); /* group@ */
1224 acep = (caddr_t)acep + (abstract_size * 2);
1225 adjust_ace_pair_common(acep, maskoff,
1226 abstract_size, mode); /* everyone@ */
1231 zfs_acl_ace_match(zfs_acl_t *aclp, void *acep, int allow_deny,
1232 int entry_type, int accessmask)
1234 uint32_t mask = aclp->z_ops.ace_mask_get(acep);
1235 uint16_t type = aclp->z_ops.ace_type_get(acep);
1236 uint16_t flags = aclp->z_ops.ace_flags_get(acep);
1238 return (mask == accessmask && type == allow_deny &&
1239 ((flags & ACE_TYPE_FLAGS) == entry_type));
1243 * Can prepended ACE be reused?
1246 zfs_reuse_deny(zfs_acl_t *aclp, void *acep, void *prevacep)
1252 uint32_t mask, prevmask;
1254 if (prevacep == NULL)
1257 prevtype = aclp->z_ops.ace_type_get(prevacep);
1258 prevflags = aclp->z_ops.ace_flags_get(prevacep);
1259 flags = aclp->z_ops.ace_flags_get(acep);
1260 mask = aclp->z_ops.ace_mask_get(acep);
1261 prevmask = aclp->z_ops.ace_mask_get(prevacep);
1263 if (prevtype != DENY)
1266 if (prevflags != (flags & ACE_IDENTIFIER_GROUP))
1269 okay_masks = (mask & OKAY_MASK_BITS);
1271 if (prevmask & ~okay_masks)
1279 * Insert new ACL node into chain of zfs_acl_node_t's
1281 * This will result in two possible results.
1282 * 1. If the ACL is currently just a single zfs_acl_node and
1283 * we are prepending the entry then current acl node will have
1284 * a new node inserted above it.
1286 * 2. If we are inserting in the middle of current acl node then
1287 * the current node will be split in two and new node will be inserted
1288 * in between the two split nodes.
1290 static zfs_acl_node_t *
1291 zfs_acl_ace_insert(zfs_acl_t *aclp, void *acep)
1293 zfs_acl_node_t *newnode;
1294 zfs_acl_node_t *trailernode = NULL;
1295 zfs_acl_node_t *currnode = zfs_acl_curr_node(aclp);
1296 int curr_idx = aclp->z_curr_node->z_ace_idx;
1300 newnode = zfs_acl_node_alloc(aclp->z_ops.ace_size(acep));
1301 newnode->z_ace_count = 1;
1303 oldsize = currnode->z_size;
1305 if (curr_idx != 1) {
1306 trailernode = zfs_acl_node_alloc(0);
1307 trailernode->z_acldata = acep;
1309 trailer_count = currnode->z_ace_count - curr_idx + 1;
1310 currnode->z_ace_count = curr_idx - 1;
1311 currnode->z_size = (caddr_t)acep - (caddr_t)currnode->z_acldata;
1312 trailernode->z_size = oldsize - currnode->z_size;
1313 trailernode->z_ace_count = trailer_count;
1316 aclp->z_acl_count += 1;
1317 aclp->z_acl_bytes += aclp->z_ops.ace_size(acep);
1320 list_insert_before(&aclp->z_acl, currnode, newnode);
1322 list_insert_after(&aclp->z_acl, currnode, newnode);
1324 list_insert_after(&aclp->z_acl, newnode, trailernode);
1325 aclp->z_curr_node = trailernode;
1326 trailernode->z_ace_idx = 1;
1336 zfs_acl_prepend_deny(znode_t *zp, zfs_acl_t *aclp, void *acep,
1339 zfs_acl_node_t *aclnode;
1344 aclnode = zfs_acl_ace_insert(aclp, acep);
1345 newacep = aclnode->z_acldata;
1346 fuid = aclp->z_ops.ace_who_get(acep);
1347 flags = aclp->z_ops.ace_flags_get(acep);
1348 zfs_set_ace(aclp, newacep, 0, DENY, fuid, (flags & ACE_TYPE_FLAGS));
1349 zfs_acl_prepend_fixup(aclp, newacep, acep, mode, zp->z_phys->zp_uid);
1355 * Split an inherited ACE into inherit_only ACE
1356 * and original ACE with inheritance flags stripped off.
1359 zfs_acl_split_ace(zfs_acl_t *aclp, zfs_ace_hdr_t *acep)
1361 zfs_acl_node_t *aclnode;
1362 zfs_acl_node_t *currnode;
1364 uint16_t type, flags;
1368 type = aclp->z_ops.ace_type_get(acep);
1369 flags = aclp->z_ops.ace_flags_get(acep);
1370 mask = aclp->z_ops.ace_mask_get(acep);
1371 fuid = aclp->z_ops.ace_who_get(acep);
1373 aclnode = zfs_acl_ace_insert(aclp, acep);
1374 newacep = aclnode->z_acldata;
1376 aclp->z_ops.ace_type_set(newacep, type);
1377 aclp->z_ops.ace_flags_set(newacep, flags | ACE_INHERIT_ONLY_ACE);
1378 aclp->z_ops.ace_mask_set(newacep, mask);
1379 aclp->z_ops.ace_type_set(newacep, type);
1380 aclp->z_ops.ace_who_set(newacep, fuid);
1381 aclp->z_next_ace = acep;
1382 flags &= ~ALL_INHERIT;
1383 aclp->z_ops.ace_flags_set(acep, flags);
1384 currnode = zfs_acl_curr_node(aclp);
1385 ASSERT(currnode->z_ace_idx >= 1);
1386 currnode->z_ace_idx -= 1;
1390 * Are ACES started at index i, the canonical six ACES?
1393 zfs_have_canonical_six(zfs_acl_t *aclp)
1396 zfs_acl_node_t *aclnode = list_tail(&aclp->z_acl);
1398 size_t abstract_size = aclp->z_ops.ace_abstract_size();
1400 ASSERT(aclnode != NULL);
1402 if (aclnode->z_ace_count < 6)
1405 acep = (void *)((caddr_t)aclnode->z_acldata +
1406 aclnode->z_size - (aclp->z_ops.ace_abstract_size() * 6));
1408 if ((zfs_acl_ace_match(aclp, (caddr_t)acep + (abstract_size * i++),
1409 DENY, ACE_OWNER, 0) &&
1410 zfs_acl_ace_match(aclp, (caddr_t)acep + (abstract_size * i++),
1411 ALLOW, ACE_OWNER, OWNER_ALLOW_MASK) &&
1412 zfs_acl_ace_match(aclp, (caddr_t)acep + (abstract_size * i++), DENY,
1413 OWNING_GROUP, 0) && zfs_acl_ace_match(aclp, (caddr_t)acep +
1414 (abstract_size * i++),
1415 ALLOW, OWNING_GROUP, 0) &&
1416 zfs_acl_ace_match(aclp, (caddr_t)acep + (abstract_size * i++),
1417 DENY, ACE_EVERYONE, EVERYONE_DENY_MASK) &&
1418 zfs_acl_ace_match(aclp, (caddr_t)acep + (abstract_size * i++),
1419 ALLOW, ACE_EVERYONE, EVERYONE_ALLOW_MASK))) {
1428 * Apply step 1g, to group entries
1430 * Need to deal with corner case where group may have
1431 * greater permissions than owner. If so then limit
1432 * group permissions, based on what extra permissions
1436 zfs_fixup_group_entries(zfs_acl_t *aclp, void *acep, void *prevacep,
1439 uint32_t prevmask = aclp->z_ops.ace_mask_get(prevacep);
1440 uint32_t mask = aclp->z_ops.ace_mask_get(acep);
1441 uint16_t prevflags = aclp->z_ops.ace_flags_get(prevacep);
1442 mode_t extramode = (mode >> 3) & 07;
1443 mode_t ownermode = (mode >> 6);
1445 if (prevflags & ACE_IDENTIFIER_GROUP) {
1447 extramode &= ~ownermode;
1450 if (extramode & S_IROTH) {
1451 prevmask &= ~ACE_READ_DATA;
1452 mask &= ~ACE_READ_DATA;
1454 if (extramode & S_IWOTH) {
1455 prevmask &= ~(ACE_WRITE_DATA|ACE_APPEND_DATA);
1456 mask &= ~(ACE_WRITE_DATA|ACE_APPEND_DATA);
1458 if (extramode & S_IXOTH) {
1459 prevmask &= ~ACE_EXECUTE;
1460 mask &= ~ACE_EXECUTE;
1464 aclp->z_ops.ace_mask_set(acep, mask);
1465 aclp->z_ops.ace_mask_set(prevacep, prevmask);
1469 * Apply the chmod algorithm as described
1473 zfs_acl_chmod(znode_t *zp, uint64_t mode, zfs_acl_t *aclp)
1475 zfsvfs_t *zfsvfs = zp->z_zfsvfs;
1476 void *acep = NULL, *prevacep = NULL;
1481 int need_canonical_six = 1;
1482 uint16_t iflags, type;
1483 uint32_t access_mask;
1485 ASSERT(MUTEX_HELD(&zp->z_acl_lock));
1486 ASSERT(MUTEX_HELD(&zp->z_lock));
1488 aclp->z_hints = (zp->z_phys->zp_flags & V4_ACL_WIDE_FLAGS);
1491 * If discard then just discard all ACL nodes which
1492 * represent the ACEs.
1494 * New owner@/group@/everone@ ACEs will be added
1497 if (zfsvfs->z_acl_mode == ZFS_ACL_DISCARD)
1498 zfs_acl_release_nodes(aclp);
1500 while (acep = zfs_acl_next_ace(aclp, acep, &who, &access_mask,
1503 entry_type = (iflags & ACE_TYPE_FLAGS);
1504 iflags = (iflags & ALL_INHERIT);
1506 if ((type != ALLOW && type != DENY) ||
1507 (iflags & ACE_INHERIT_ONLY_ACE)) {
1509 aclp->z_hints |= ZFS_INHERIT_ACE;
1511 case ACE_ACCESS_ALLOWED_OBJECT_ACE_TYPE:
1512 case ACE_ACCESS_DENIED_OBJECT_ACE_TYPE:
1513 case ACE_SYSTEM_AUDIT_OBJECT_ACE_TYPE:
1514 case ACE_SYSTEM_ALARM_OBJECT_ACE_TYPE:
1515 aclp->z_hints |= ZFS_ACL_OBJ_ACE;
1522 * Need to split ace into two?
1524 if ((iflags & (ACE_FILE_INHERIT_ACE|
1525 ACE_DIRECTORY_INHERIT_ACE)) &&
1526 (!(iflags & ACE_INHERIT_ONLY_ACE))) {
1527 zfs_acl_split_ace(aclp, acep);
1528 aclp->z_hints |= ZFS_INHERIT_ACE;
1532 if (entry_type == ACE_OWNER || entry_type == ACE_EVERYONE ||
1533 (entry_type == OWNING_GROUP)) {
1534 access_mask &= ~OGE_CLEAR;
1535 aclp->z_ops.ace_mask_set(acep, access_mask);
1538 reuse_deny = B_TRUE;
1539 if (type == ALLOW) {
1542 * Check preceding ACE if any, to see
1543 * if we need to prepend a DENY ACE.
1544 * This is only applicable when the acl_mode
1545 * property == groupmask.
1547 if (zfsvfs->z_acl_mode == ZFS_ACL_GROUPMASK) {
1549 reuse_deny = zfs_reuse_deny(aclp, acep,
1554 zfs_acl_prepend_deny(zp,
1557 zfs_acl_prepend_fixup(
1560 zp->z_phys->zp_uid);
1562 zfs_fixup_group_entries(aclp, acep,
1573 * Check out last six aces, if we have six.
1576 if (aclp->z_acl_count >= 6) {
1577 if (zfs_have_canonical_six(aclp)) {
1578 need_canonical_six = 0;
1582 if (need_canonical_six) {
1583 size_t abstract_size = aclp->z_ops.ace_abstract_size();
1585 zfs_acl_node_t *aclnode =
1586 zfs_acl_node_alloc(abstract_size * 6);
1588 aclnode->z_size = abstract_size * 6;
1589 aclnode->z_ace_count = 6;
1590 aclp->z_acl_bytes += aclnode->z_size;
1591 list_insert_tail(&aclp->z_acl, aclnode);
1593 zacep = aclnode->z_acldata;
1596 zfs_set_ace(aclp, (caddr_t)zacep + (abstract_size * i++),
1597 0, DENY, -1, ACE_OWNER);
1598 zfs_set_ace(aclp, (caddr_t)zacep + (abstract_size * i++),
1599 OWNER_ALLOW_MASK, ALLOW, -1, ACE_OWNER);
1600 zfs_set_ace(aclp, (caddr_t)zacep + (abstract_size * i++), 0,
1601 DENY, -1, OWNING_GROUP);
1602 zfs_set_ace(aclp, (caddr_t)zacep + (abstract_size * i++), 0,
1603 ALLOW, -1, OWNING_GROUP);
1604 zfs_set_ace(aclp, (caddr_t)zacep + (abstract_size * i++),
1605 EVERYONE_DENY_MASK, DENY, -1, ACE_EVERYONE);
1606 zfs_set_ace(aclp, (caddr_t)zacep + (abstract_size * i++),
1607 EVERYONE_ALLOW_MASK, ALLOW, -1, ACE_EVERYONE);
1608 aclp->z_acl_count += 6;
1611 zfs_acl_fixup_canonical_six(aclp, mode);
1615 zfs_acl_chmod_setattr(znode_t *zp, zfs_acl_t **aclp, uint64_t mode)
1619 mutex_enter(&zp->z_lock);
1620 mutex_enter(&zp->z_acl_lock);
1622 error = zfs_acl_node_read(zp, aclp, B_TRUE);
1624 zfs_acl_chmod(zp, mode, *aclp);
1625 mutex_exit(&zp->z_acl_lock);
1626 mutex_exit(&zp->z_lock);
1631 * strip off write_owner and write_acl
1634 zfs_restricted_update(zfsvfs_t *zfsvfs, zfs_acl_t *aclp, void *acep)
1636 uint32_t mask = aclp->z_ops.ace_mask_get(acep);
1638 if ((zfsvfs->z_acl_inherit == ZFS_ACL_RESTRICTED) &&
1639 (aclp->z_ops.ace_type_get(acep) == ALLOW)) {
1640 mask &= ~RESTRICTED_CLEAR;
1641 aclp->z_ops.ace_mask_set(acep, mask);
1646 * Should ACE be inherited?
1649 zfs_ace_can_use(znode_t *zp, uint16_t acep_flags)
1651 int vtype = ZTOV(zp)->v_type;
1652 int iflags = (acep_flags & 0xf);
1654 if ((vtype == VDIR) && (iflags & ACE_DIRECTORY_INHERIT_ACE))
1656 else if (iflags & ACE_FILE_INHERIT_ACE)
1657 return (!((vtype == VDIR) &&
1658 (iflags & ACE_NO_PROPAGATE_INHERIT_ACE)));
1663 * inherit inheritable ACEs from parent
1666 zfs_acl_inherit(znode_t *zp, zfs_acl_t *paclp, uint64_t mode,
1667 boolean_t *need_chmod)
1669 zfsvfs_t *zfsvfs = zp->z_zfsvfs;
1672 zfs_acl_node_t *aclnode, *aclnode2;
1673 zfs_acl_t *aclp = NULL;
1675 uint32_t access_mask;
1676 uint16_t iflags, newflags, type;
1678 void *data1, *data2;
1679 size_t data1sz, data2sz;
1680 boolean_t vdir = ZTOV(zp)->v_type == VDIR;
1681 boolean_t vreg = ZTOV(zp)->v_type == VREG;
1682 boolean_t passthrough, passthrough_x, noallow;
1685 zfsvfs->z_acl_inherit == ZFS_ACL_PASSTHROUGH_X;
1686 passthrough = passthrough_x ||
1687 zfsvfs->z_acl_inherit == ZFS_ACL_PASSTHROUGH;
1689 zfsvfs->z_acl_inherit == ZFS_ACL_NOALLOW;
1691 *need_chmod = B_TRUE;
1693 aclp = zfs_acl_alloc(paclp->z_version);
1694 if (zfsvfs->z_acl_inherit == ZFS_ACL_DISCARD)
1696 while (pacep = zfs_acl_next_ace(paclp, pacep, &who,
1697 &access_mask, &iflags, &type)) {
1700 * don't inherit bogus ACEs
1702 if (!zfs_acl_valid_ace_type(type, iflags))
1705 if (noallow && type == ALLOW)
1708 ace_size = aclp->z_ops.ace_size(pacep);
1710 if (!zfs_ace_can_use(zp, iflags))
1714 * If owner@, group@, or everyone@ inheritable
1715 * then zfs_acl_chmod() isn't needed.
1718 ((iflags & (ACE_OWNER|ACE_EVERYONE)) ||
1719 ((iflags & OWNING_GROUP) ==
1720 OWNING_GROUP)) && (vreg || (vdir && (iflags &
1721 ACE_DIRECTORY_INHERIT_ACE)))) {
1722 *need_chmod = B_FALSE;
1724 if (!vdir && passthrough_x &&
1725 ((mode & (S_IXUSR | S_IXGRP | S_IXOTH)) == 0)) {
1726 access_mask &= ~ACE_EXECUTE;
1730 aclnode = zfs_acl_node_alloc(ace_size);
1731 list_insert_tail(&aclp->z_acl, aclnode);
1732 acep = aclnode->z_acldata;
1734 zfs_set_ace(aclp, acep, access_mask, type,
1735 who, iflags|ACE_INHERITED_ACE);
1738 * Copy special opaque data if any
1740 if ((data1sz = paclp->z_ops.ace_data(pacep, &data1)) != 0) {
1741 VERIFY((data2sz = aclp->z_ops.ace_data(acep,
1742 &data2)) == data1sz);
1743 bcopy(data1, data2, data2sz);
1745 aclp->z_acl_count++;
1746 aclnode->z_ace_count++;
1747 aclp->z_acl_bytes += aclnode->z_size;
1748 newflags = aclp->z_ops.ace_flags_get(acep);
1751 aclp->z_hints |= ZFS_INHERIT_ACE;
1753 if ((iflags & ACE_NO_PROPAGATE_INHERIT_ACE) || !vdir) {
1754 newflags &= ~ALL_INHERIT;
1755 aclp->z_ops.ace_flags_set(acep,
1756 newflags|ACE_INHERITED_ACE);
1757 zfs_restricted_update(zfsvfs, aclp, acep);
1763 newflags = aclp->z_ops.ace_flags_get(acep);
1764 if ((iflags & (ACE_FILE_INHERIT_ACE |
1765 ACE_DIRECTORY_INHERIT_ACE)) !=
1766 ACE_FILE_INHERIT_ACE) {
1767 aclnode2 = zfs_acl_node_alloc(ace_size);
1768 list_insert_tail(&aclp->z_acl, aclnode2);
1769 acep2 = aclnode2->z_acldata;
1770 zfs_set_ace(aclp, acep2,
1771 access_mask, type, who,
1772 iflags|ACE_INHERITED_ACE);
1773 newflags |= ACE_INHERIT_ONLY_ACE;
1774 aclp->z_ops.ace_flags_set(acep, newflags);
1775 newflags &= ~ALL_INHERIT;
1776 aclp->z_ops.ace_flags_set(acep2,
1777 newflags|ACE_INHERITED_ACE);
1780 * Copy special opaque data if any
1782 if ((data1sz = aclp->z_ops.ace_data(acep,
1785 aclp->z_ops.ace_data(acep2,
1786 &data2)) == data1sz);
1787 bcopy(data1, data2, data1sz);
1789 aclp->z_acl_count++;
1790 aclnode2->z_ace_count++;
1791 aclp->z_acl_bytes += aclnode->z_size;
1792 zfs_restricted_update(zfsvfs, aclp, acep2);
1794 newflags |= ACE_INHERIT_ONLY_ACE;
1795 aclp->z_ops.ace_flags_set(acep,
1796 newflags|ACE_INHERITED_ACE);
1803 * Create file system object initial permissions
1804 * including inheritable ACEs.
1807 zfs_perm_init(znode_t *zp, znode_t *parent, int flag,
1808 vattr_t *vap, dmu_tx_t *tx, cred_t *cr,
1809 zfs_acl_t *setaclp, zfs_fuid_info_t **fuidp)
1811 uint64_t mode, fuid, fgid;
1813 zfsvfs_t *zfsvfs = zp->z_zfsvfs;
1814 zfs_acl_t *aclp = NULL;
1816 xvattr_t *xvap = (xvattr_t *)vap;
1818 boolean_t need_chmod = B_TRUE;
1823 mode = MAKEIMODE(vap->va_type, vap->va_mode);
1826 * Determine uid and gid.
1828 if ((flag & (IS_ROOT_NODE | IS_REPLAY)) ||
1829 ((flag & IS_XATTR) && (vap->va_type == VDIR))) {
1830 fuid = zfs_fuid_create(zfsvfs, vap->va_uid, cr,
1831 ZFS_OWNER, tx, fuidp);
1832 fgid = zfs_fuid_create(zfsvfs, vap->va_gid, cr,
1833 ZFS_GROUP, tx, fuidp);
1836 fuid = zfs_fuid_create_cred(zfsvfs, ZFS_OWNER, tx, cr, fuidp);
1838 if (vap->va_mask & AT_GID) {
1839 fgid = zfs_fuid_create(zfsvfs, vap->va_gid, cr,
1840 ZFS_GROUP, tx, fuidp);
1842 if (fgid != parent->z_phys->zp_gid &&
1843 !groupmember(vap->va_gid, cr) &&
1844 secpolicy_vnode_create_gid(cr) != 0)
1848 if (parent->z_phys->zp_mode & S_ISGID) {
1849 fgid = parent->z_phys->zp_gid;
1850 gid = zfs_fuid_map_id(zfsvfs, fgid,
1853 fgid = zfs_fuid_create_cred(zfsvfs,
1854 ZFS_GROUP, tx, cr, fuidp);
1856 gid = fgid = parent->z_phys->zp_gid;
1865 * If we're creating a directory, and the parent directory has the
1866 * set-GID bit set, set in on the new directory.
1867 * Otherwise, if the user is neither privileged nor a member of the
1868 * file's new group, clear the file's set-GID bit.
1871 if ((parent->z_phys->zp_mode & S_ISGID) && (vap->va_type == VDIR)) {
1874 if ((mode & S_ISGID) &&
1875 secpolicy_vnode_setids_setgids(ZTOV(zp), cr, gid) != 0)
1879 zp->z_phys->zp_uid = fuid;
1880 zp->z_phys->zp_gid = fgid;
1881 zp->z_phys->zp_mode = mode;
1884 mutex_enter(&parent->z_lock);
1885 if ((ZTOV(parent)->v_type == VDIR &&
1886 (parent->z_phys->zp_flags & ZFS_INHERIT_ACE)) &&
1887 !(zp->z_phys->zp_flags & ZFS_XATTR)) {
1888 mutex_enter(&parent->z_acl_lock);
1889 VERIFY(0 == zfs_acl_node_read(parent, &paclp, B_FALSE));
1890 mutex_exit(&parent->z_acl_lock);
1891 aclp = zfs_acl_inherit(zp, paclp, mode, &need_chmod);
1892 zfs_acl_free(paclp);
1894 aclp = zfs_acl_alloc(zfs_acl_version_zp(zp));
1896 mutex_exit(&parent->z_lock);
1897 mutex_enter(&zp->z_lock);
1898 mutex_enter(&zp->z_acl_lock);
1900 zfs_acl_chmod(zp, mode, aclp);
1902 mutex_enter(&zp->z_lock);
1903 mutex_enter(&zp->z_acl_lock);
1906 /* Force auto_inherit on all new directory objects */
1907 if (vap->va_type == VDIR)
1908 aclp->z_hints |= ZFS_ACL_AUTO_INHERIT;
1910 error = zfs_aclset_common(zp, aclp, cr, fuidp, tx);
1912 /* Set optional attributes if any */
1913 if (vap->va_mask & AT_XVATTR)
1914 zfs_xvattr_set(zp, xvap);
1916 mutex_exit(&zp->z_lock);
1917 mutex_exit(&zp->z_acl_lock);
1918 ASSERT3U(error, ==, 0);
1920 if (aclp != setaclp)
1925 * Retrieve a files ACL
1928 zfs_getacl(znode_t *zp, vsecattr_t *vsecp, boolean_t skipaclchk, cred_t *cr)
1936 mask = vsecp->vsa_mask & (VSA_ACE | VSA_ACECNT |
1937 VSA_ACE_ACLFLAGS | VSA_ACE_ALLTYPES);
1939 if (error = zfs_zaccess(zp, ACE_READ_ACL, 0, skipaclchk, cr))
1945 mutex_enter(&zp->z_acl_lock);
1947 error = zfs_acl_node_read(zp, &aclp, B_FALSE);
1949 mutex_exit(&zp->z_acl_lock);
1954 * Scan ACL to determine number of ACEs
1956 if ((zp->z_phys->zp_flags & ZFS_ACL_OBJ_ACE) &&
1957 !(mask & VSA_ACE_ALLTYPES)) {
1960 uint32_t access_mask;
1961 uint16_t type, iflags;
1963 while (zacep = zfs_acl_next_ace(aclp, zacep,
1964 &who, &access_mask, &iflags, &type)) {
1966 case ACE_ACCESS_ALLOWED_OBJECT_ACE_TYPE:
1967 case ACE_ACCESS_DENIED_OBJECT_ACE_TYPE:
1968 case ACE_SYSTEM_AUDIT_OBJECT_ACE_TYPE:
1969 case ACE_SYSTEM_ALARM_OBJECT_ACE_TYPE:
1976 vsecp->vsa_aclcnt = count;
1978 count = aclp->z_acl_count;
1980 if (mask & VSA_ACECNT) {
1981 vsecp->vsa_aclcnt = count;
1984 if (mask & VSA_ACE) {
1987 zfs_acl_node_t *aclnode = list_head(&aclp->z_acl);
1989 aclsz = count * sizeof (ace_t) +
1990 sizeof (ace_object_t) * largeace;
1992 vsecp->vsa_aclentp = kmem_alloc(aclsz, KM_SLEEP);
1993 vsecp->vsa_aclentsz = aclsz;
1995 if (aclp->z_version == ZFS_ACL_VERSION_FUID)
1996 zfs_copy_fuid_2_ace(zp->z_zfsvfs, aclp, cr,
1997 vsecp->vsa_aclentp, !(mask & VSA_ACE_ALLTYPES));
1999 bcopy(aclnode->z_acldata, vsecp->vsa_aclentp,
2000 count * sizeof (ace_t));
2003 if (mask & VSA_ACE_ACLFLAGS) {
2004 vsecp->vsa_aclflags = 0;
2005 if (zp->z_phys->zp_flags & ZFS_ACL_DEFAULTED)
2006 vsecp->vsa_aclflags |= ACL_DEFAULTED;
2007 if (zp->z_phys->zp_flags & ZFS_ACL_PROTECTED)
2008 vsecp->vsa_aclflags |= ACL_PROTECTED;
2009 if (zp->z_phys->zp_flags & ZFS_ACL_AUTO_INHERIT)
2010 vsecp->vsa_aclflags |= ACL_AUTO_INHERIT;
2013 mutex_exit(&zp->z_acl_lock);
2021 zfs_vsec_2_aclp(zfsvfs_t *zfsvfs, vtype_t obj_type,
2022 vsecattr_t *vsecp, zfs_acl_t **zaclp)
2025 zfs_acl_node_t *aclnode;
2026 int aclcnt = vsecp->vsa_aclcnt;
2029 if (vsecp->vsa_aclcnt > MAX_ACL_ENTRIES || vsecp->vsa_aclcnt <= 0)
2032 aclp = zfs_acl_alloc(zfs_acl_version(zfsvfs->z_version));
2035 aclnode = zfs_acl_node_alloc(aclcnt * sizeof (zfs_object_ace_t));
2036 if (aclp->z_version == ZFS_ACL_VERSION_INITIAL) {
2037 if ((error = zfs_copy_ace_2_oldace(obj_type, aclp,
2038 (ace_t *)vsecp->vsa_aclentp, aclnode->z_acldata,
2039 aclcnt, &aclnode->z_size)) != 0) {
2041 zfs_acl_node_free(aclnode);
2045 if ((error = zfs_copy_ace_2_fuid(obj_type, aclp,
2046 vsecp->vsa_aclentp, aclnode->z_acldata, aclcnt,
2047 &aclnode->z_size)) != 0) {
2049 zfs_acl_node_free(aclnode);
2053 aclp->z_acl_bytes = aclnode->z_size;
2054 aclnode->z_ace_count = aclcnt;
2055 aclp->z_acl_count = aclcnt;
2056 list_insert_head(&aclp->z_acl, aclnode);
2059 * If flags are being set then add them to z_hints
2061 if (vsecp->vsa_mask & VSA_ACE_ACLFLAGS) {
2062 if (vsecp->vsa_aclflags & ACL_PROTECTED)
2063 aclp->z_hints |= ZFS_ACL_PROTECTED;
2064 if (vsecp->vsa_aclflags & ACL_DEFAULTED)
2065 aclp->z_hints |= ZFS_ACL_DEFAULTED;
2066 if (vsecp->vsa_aclflags & ACL_AUTO_INHERIT)
2067 aclp->z_hints |= ZFS_ACL_AUTO_INHERIT;
2079 zfs_setacl(znode_t *zp, vsecattr_t *vsecp, boolean_t skipaclchk, cred_t *cr)
2081 zfsvfs_t *zfsvfs = zp->z_zfsvfs;
2082 zilog_t *zilog = zfsvfs->z_log;
2083 ulong_t mask = vsecp->vsa_mask & (VSA_ACE | VSA_ACECNT);
2087 zfs_fuid_info_t *fuidp = NULL;
2092 if (zp->z_phys->zp_flags & ZFS_IMMUTABLE)
2095 if (error = zfs_zaccess(zp, ACE_WRITE_ACL, 0, skipaclchk, cr))
2098 error = zfs_vsec_2_aclp(zfsvfs, ZTOV(zp)->v_type, vsecp, &aclp);
2103 * If ACL wide flags aren't being set then preserve any
2106 if (!(vsecp->vsa_mask & VSA_ACE_ACLFLAGS)) {
2107 aclp->z_hints |= (zp->z_phys->zp_flags & V4_ACL_WIDE_FLAGS);
2110 if (error = zfs_zaccess(zp, ACE_WRITE_ACL, 0, skipaclchk, cr)) {
2115 mutex_enter(&zp->z_lock);
2116 mutex_enter(&zp->z_acl_lock);
2118 tx = dmu_tx_create(zfsvfs->z_os);
2119 dmu_tx_hold_bonus(tx, zp->z_id);
2121 if (zp->z_phys->zp_acl.z_acl_extern_obj) {
2122 /* Are we upgrading ACL? */
2123 if (zfsvfs->z_version <= ZPL_VERSION_FUID &&
2124 zp->z_phys->zp_acl.z_acl_version ==
2125 ZFS_ACL_VERSION_INITIAL) {
2126 dmu_tx_hold_free(tx,
2127 zp->z_phys->zp_acl.z_acl_extern_obj,
2129 dmu_tx_hold_write(tx, DMU_NEW_OBJECT,
2130 0, aclp->z_acl_bytes);
2132 dmu_tx_hold_write(tx,
2133 zp->z_phys->zp_acl.z_acl_extern_obj,
2134 0, aclp->z_acl_bytes);
2136 } else if (aclp->z_acl_bytes > ZFS_ACE_SPACE) {
2137 dmu_tx_hold_write(tx, DMU_NEW_OBJECT, 0, aclp->z_acl_bytes);
2139 if (aclp->z_has_fuids) {
2140 if (zfsvfs->z_fuid_obj == 0) {
2141 dmu_tx_hold_bonus(tx, DMU_NEW_OBJECT);
2142 dmu_tx_hold_write(tx, DMU_NEW_OBJECT, 0,
2143 FUID_SIZE_ESTIMATE(zfsvfs));
2144 dmu_tx_hold_zap(tx, MASTER_NODE_OBJ, FALSE, NULL);
2146 dmu_tx_hold_bonus(tx, zfsvfs->z_fuid_obj);
2147 dmu_tx_hold_write(tx, zfsvfs->z_fuid_obj, 0,
2148 FUID_SIZE_ESTIMATE(zfsvfs));
2152 error = dmu_tx_assign(tx, zfsvfs->z_assign);
2154 mutex_exit(&zp->z_acl_lock);
2155 mutex_exit(&zp->z_lock);
2157 if (error == ERESTART && zfsvfs->z_assign == TXG_NOWAIT) {
2167 error = zfs_aclset_common(zp, aclp, cr, &fuidp, tx);
2170 zfs_log_acl(zilog, tx, zp, vsecp, fuidp);
2173 zfs_fuid_info_free(fuidp);
2177 mutex_exit(&zp->z_acl_lock);
2178 mutex_exit(&zp->z_lock);
2184 * working_mode returns the permissions that were not granted
2187 zfs_zaccess_common(znode_t *zp, uint32_t v4_mode, uint32_t *working_mode,
2188 boolean_t *check_privs, boolean_t skipaclchk, cred_t *cr)
2191 zfsvfs_t *zfsvfs = zp->z_zfsvfs;
2193 uid_t uid = crgetuid(cr);
2195 uint16_t type, iflags;
2196 uint16_t entry_type;
2197 uint32_t access_mask;
2198 uint32_t deny_mask = 0;
2199 zfs_ace_hdr_t *acep = NULL;
2205 * Short circuit empty requests
2210 *check_privs = B_TRUE;
2212 if (zfsvfs->z_assign >= TXG_INITIAL) { /* ZIL replay */
2217 *working_mode = v4_mode;
2219 if ((v4_mode & WRITE_MASK) &&
2220 (zp->z_zfsvfs->z_vfs->vfs_flag & VFS_RDONLY) &&
2221 (!IS_DEVVP(ZTOV(zp)))) {
2222 *check_privs = B_FALSE;
2227 * Only check for READONLY on non-directories.
2229 if ((v4_mode & WRITE_MASK_DATA) &&
2230 (((ZTOV(zp)->v_type != VDIR) &&
2231 (zp->z_phys->zp_flags & (ZFS_READONLY | ZFS_IMMUTABLE))) ||
2232 (ZTOV(zp)->v_type == VDIR &&
2233 (zp->z_phys->zp_flags & ZFS_IMMUTABLE)))) {
2234 *check_privs = B_FALSE;
2239 if ((v4_mode & (ACE_DELETE | ACE_DELETE_CHILD)) &&
2240 (zp->z_phys->zp_flags & ZFS_NOUNLINK)) {
2241 *check_privs = B_FALSE;
2246 * In FreeBSD we allow to modify directory's content is ZFS_NOUNLINK
2247 * (sunlnk) is set. We just don't allow directory removal, which is
2248 * handled in zfs_zaccess_delete().
2250 if ((v4_mode & ACE_DELETE) &&
2251 (zp->z_phys->zp_flags & ZFS_NOUNLINK)) {
2252 *check_privs = B_FALSE;
2257 if (((v4_mode & (ACE_READ_DATA|ACE_EXECUTE)) &&
2258 (zp->z_phys->zp_flags & ZFS_AV_QUARANTINED))) {
2259 *check_privs = B_FALSE;
2264 * The caller requested that the ACL check be skipped. This
2265 * would only happen if the caller checked VOP_ACCESS() with a
2266 * 32 bit ACE mask and already had the appropriate permissions.
2273 zfs_fuid_map_ids(zp, cr, &fowner, &gowner);
2275 mutex_enter(&zp->z_acl_lock);
2277 error = zfs_acl_node_read(zp, &aclp, B_FALSE);
2279 mutex_exit(&zp->z_acl_lock);
2283 while (acep = zfs_acl_next_ace(aclp, acep, &who, &access_mask,
2286 if (!zfs_acl_valid_ace_type(type, iflags))
2289 if (ZTOV(zp)->v_type == VDIR && (iflags & ACE_INHERIT_ONLY_ACE))
2292 entry_type = (iflags & ACE_TYPE_FLAGS);
2296 switch (entry_type) {
2304 case ACE_IDENTIFIER_GROUP:
2305 checkit = zfs_groupmember(zfsvfs, who, cr);
2313 if (entry_type == 0) {
2316 newid = zfs_fuid_map_id(zfsvfs, who, cr,
2318 if (newid != IDMAP_WK_CREATOR_OWNER_UID &&
2324 mutex_exit(&zp->z_acl_lock);
2330 uint32_t mask_matched = (access_mask & *working_mode);
2334 deny_mask |= mask_matched;
2336 *working_mode &= ~mask_matched;
2341 if (*working_mode == 0)
2345 mutex_exit(&zp->z_acl_lock);
2348 /* Put the found 'denies' back on the working mode */
2350 *working_mode |= deny_mask;
2352 } else if (*working_mode) {
2360 zfs_zaccess_append(znode_t *zp, uint32_t *working_mode, boolean_t *check_privs,
2363 if (*working_mode != ACE_WRITE_DATA)
2366 return (zfs_zaccess_common(zp, ACE_APPEND_DATA, working_mode,
2367 check_privs, B_FALSE, cr));
2371 * Determine whether Access should be granted/denied, invoking least
2372 * priv subsytem when a deny is determined.
2375 zfs_zaccess(znode_t *zp, int mode, int flags, boolean_t skipaclchk, cred_t *cr)
2377 uint32_t working_mode;
2380 zfsvfs_t *zfsvfs = zp->z_zfsvfs;
2381 boolean_t check_privs;
2383 znode_t *check_zp = zp;
2385 is_attr = ((zp->z_phys->zp_flags & ZFS_XATTR) &&
2386 (ZTOV(zp)->v_type == VDIR));
2390 * In FreeBSD, we don't care about permissions of individual ADS.
2391 * Note that not checking them is not just an optimization - without
2392 * this shortcut, EA operations may bogusly fail with EACCES.
2394 if (zp->z_phys->zp_flags & ZFS_XATTR)
2398 * If attribute then validate against base file
2401 if ((error = zfs_zget(zp->z_zfsvfs,
2402 zp->z_phys->zp_parent, &xzp)) != 0) {
2409 * fixup mode to map to xattr perms
2412 if (mode & (ACE_WRITE_DATA|ACE_APPEND_DATA)) {
2413 mode &= ~(ACE_WRITE_DATA|ACE_APPEND_DATA);
2414 mode |= ACE_WRITE_NAMED_ATTRS;
2417 if (mode & (ACE_READ_DATA|ACE_EXECUTE)) {
2418 mode &= ~(ACE_READ_DATA|ACE_EXECUTE);
2419 mode |= ACE_READ_NAMED_ATTRS;
2424 if ((error = zfs_zaccess_common(check_zp, mode, &working_mode,
2425 &check_privs, skipaclchk, cr)) == 0) {
2431 if (error && !check_privs) {
2437 if (error && (flags & V_APPEND)) {
2438 error = zfs_zaccess_append(zp, &working_mode, &check_privs, cr);
2441 if (error && check_privs) {
2443 mode_t checkmode = 0;
2445 owner = zfs_fuid_map_id(zfsvfs, check_zp->z_phys->zp_uid, cr,
2449 * First check for implicit owner permission on
2450 * read_acl/read_attributes
2454 ASSERT(working_mode != 0);
2456 if ((working_mode & (ACE_READ_ACL|ACE_READ_ATTRIBUTES) &&
2457 owner == crgetuid(cr)))
2458 working_mode &= ~(ACE_READ_ACL|ACE_READ_ATTRIBUTES);
2460 if (working_mode & (ACE_READ_DATA|ACE_READ_NAMED_ATTRS|
2461 ACE_READ_ACL|ACE_READ_ATTRIBUTES|ACE_SYNCHRONIZE))
2463 if (working_mode & (ACE_WRITE_DATA|ACE_WRITE_NAMED_ATTRS|
2464 ACE_APPEND_DATA|ACE_WRITE_ATTRIBUTES|ACE_SYNCHRONIZE))
2465 checkmode |= VWRITE;
2466 if (working_mode & ACE_EXECUTE)
2470 error = secpolicy_vnode_access(cr, ZTOV(check_zp),
2473 if (error == 0 && (working_mode & ACE_WRITE_OWNER))
2474 error = secpolicy_vnode_chown(ZTOV(check_zp), cr, B_TRUE);
2475 if (error == 0 && (working_mode & ACE_WRITE_ACL))
2476 error = secpolicy_vnode_setdac(ZTOV(check_zp), cr, owner);
2478 if (error == 0 && (working_mode &
2479 (ACE_DELETE|ACE_DELETE_CHILD)))
2480 error = secpolicy_vnode_remove(ZTOV(check_zp), cr);
2482 if (error == 0 && (working_mode & ACE_SYNCHRONIZE)) {
2483 error = secpolicy_vnode_chown(ZTOV(check_zp), cr, B_FALSE);
2487 * See if any bits other than those already checked
2488 * for are still present. If so then return EACCES
2490 if (working_mode & ~(ZFS_CHECKED_MASKS)) {
2503 * Translate traditional unix VREAD/VWRITE/VEXEC mode into
2504 * native ACL format and call zfs_zaccess()
2507 zfs_zaccess_rwx(znode_t *zp, mode_t mode, int flags, cred_t *cr)
2509 return (zfs_zaccess(zp, zfs_unix_to_v4(mode >> 6), flags, B_FALSE, cr));
2513 * Access function for secpolicy_vnode_setattr
2516 zfs_zaccess_unix(znode_t *zp, mode_t mode, cred_t *cr)
2518 int v4_mode = zfs_unix_to_v4(mode >> 6);
2520 return (zfs_zaccess(zp, v4_mode, 0, B_FALSE, cr));
2524 zfs_delete_final_check(znode_t *zp, znode_t *dzp,
2525 mode_t missing_perms, cred_t *cr)
2529 zfsvfs_t *zfsvfs = zp->z_zfsvfs;
2531 downer = zfs_fuid_map_id(zfsvfs, dzp->z_phys->zp_uid, cr, ZFS_OWNER);
2533 error = secpolicy_vnode_access(cr, ZTOV(dzp), downer, missing_perms);
2536 error = zfs_sticky_remove_access(dzp, zp, cr);
2542 * Determine whether Access should be granted/deny, without
2543 * consulting least priv subsystem.
2546 * The following chart is the recommended NFSv4 enforcement for
2547 * ability to delete an object.
2549 * -------------------------------------------------------
2550 * | Parent Dir | Target Object Permissions |
2552 * -------------------------------------------------------
2553 * | | ACL Allows | ACL Denies| Delete |
2554 * | | Delete | Delete | unspecified|
2555 * -------------------------------------------------------
2556 * | ACL Allows | Permit | Permit | Permit |
2557 * | DELETE_CHILD | |
2558 * -------------------------------------------------------
2559 * | ACL Denies | Permit | Deny | Deny |
2560 * | DELETE_CHILD | | | |
2561 * -------------------------------------------------------
2562 * | ACL specifies | | | |
2563 * | only allow | Permit | Permit | Permit |
2564 * | write and | | | |
2566 * -------------------------------------------------------
2567 * | ACL denies | | | |
2568 * | write and | Permit | Deny | Deny |
2570 * -------------------------------------------------------
2573 * No search privilege, can't even look up file?
2577 zfs_zaccess_delete(znode_t *dzp, znode_t *zp, cred_t *cr)
2579 uint32_t dzp_working_mode = 0;
2580 uint32_t zp_working_mode = 0;
2581 int dzp_error, zp_error;
2582 mode_t missing_perms;
2583 boolean_t dzpcheck_privs = B_TRUE;
2584 boolean_t zpcheck_privs = B_TRUE;
2587 * We want specific DELETE permissions to
2588 * take precedence over WRITE/EXECUTE. We don't
2589 * want an ACL such as this to mess us up.
2590 * user:joe:write_data:deny,user:joe:delete:allow
2592 * However, deny permissions may ultimately be overridden
2593 * by secpolicy_vnode_access().
2595 * We will ask for all of the necessary permissions and then
2596 * look at the working modes from the directory and target object
2597 * to determine what was found.
2600 if (zp->z_phys->zp_flags & (ZFS_IMMUTABLE | ZFS_NOUNLINK))
2605 * If the directory permissions allow the delete, we are done.
2607 if ((dzp_error = zfs_zaccess_common(dzp, ACE_DELETE_CHILD,
2608 &dzp_working_mode, &dzpcheck_privs, B_FALSE, cr)) == 0)
2612 * If target object has delete permission then we are done
2614 if ((zp_error = zfs_zaccess_common(zp, ACE_DELETE, &zp_working_mode,
2615 &zpcheck_privs, B_FALSE, cr)) == 0)
2618 ASSERT(dzp_error && zp_error);
2620 if (!dzpcheck_privs)
2628 * If directory returns EACCES then delete_child was denied
2629 * due to deny delete_child. In this case send the request through
2630 * secpolicy_vnode_remove(). We don't use zfs_delete_final_check()
2631 * since that *could* allow the delete based on write/execute permission
2632 * and we want delete permissions to override write/execute.
2635 if (dzp_error == EACCES)
2636 return (secpolicy_vnode_remove(ZTOV(dzp), cr)); /* XXXPJD: s/dzp/zp/ ? */
2640 * only need to see if we have write/execute on directory.
2643 if ((dzp_error = zfs_zaccess_common(dzp, ACE_EXECUTE|ACE_WRITE_DATA,
2644 &dzp_working_mode, &dzpcheck_privs, B_FALSE, cr)) == 0)
2645 return (zfs_sticky_remove_access(dzp, zp, cr));
2647 if (!dzpcheck_privs)
2654 missing_perms = (dzp_working_mode & ACE_WRITE_DATA) ? VWRITE : 0;
2655 missing_perms |= (dzp_working_mode & ACE_EXECUTE) ? VEXEC : 0;
2657 ASSERT(missing_perms);
2659 return (zfs_delete_final_check(zp, dzp, missing_perms, cr));
2664 zfs_zaccess_rename(znode_t *sdzp, znode_t *szp, znode_t *tdzp,
2665 znode_t *tzp, cred_t *cr)
2670 if (szp->z_phys->zp_flags & ZFS_AV_QUARANTINED)
2673 add_perm = (ZTOV(szp)->v_type == VDIR) ?
2674 ACE_ADD_SUBDIRECTORY : ACE_ADD_FILE;
2677 * Rename permissions are combination of delete permission +
2678 * add file/subdir permission.
2680 * BSD operating systems also require write permission
2681 * on the directory being moved from one parent directory
2684 if (ZTOV(szp)->v_type == VDIR && ZTOV(sdzp) != ZTOV(tdzp)) {
2685 if (error = zfs_zaccess(szp, ACE_WRITE_DATA, 0, B_FALSE, cr))
2690 * first make sure we do the delete portion.
2692 * If that succeeds then check for add_file/add_subdir permissions
2695 if (error = zfs_zaccess_delete(sdzp, szp, cr))
2699 * If we have a tzp, see if we can delete it?
2702 if (error = zfs_zaccess_delete(tdzp, tzp, cr))
2707 * Now check for add permissions
2709 error = zfs_zaccess(tdzp, add_perm, 0, B_FALSE, cr);