2 * Copyright (c) 1999-2003 Robert N. M. Watson
5 * This software was developed by Robert Watson for the TrustedBSD Project.
7 * Redistribution and use in source and binary forms, with or without
8 * modification, are permitted provided that the following conditions
10 * 1. Redistributions of source code must retain the above copyright
11 * notice, this list of conditions and the following disclaimer.
12 * 2. Redistributions in binary form must reproduce the above copyright
13 * notice, this list of conditions and the following disclaimer in the
14 * documentation and/or other materials provided with the distribution.
16 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
17 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
18 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
19 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
20 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
21 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
22 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
23 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
24 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
25 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
30 * Support for POSIX.1e access control lists: UFS-specific support functions.
33 #include <sys/cdefs.h>
34 __FBSDID("$FreeBSD$");
37 #include "opt_quota.h"
39 #include <sys/param.h>
40 #include <sys/systm.h>
42 #include <sys/mount.h>
43 #include <sys/vnode.h>
44 #include <sys/types.h>
46 #include <sys/event.h>
47 #include <sys/extattr.h>
49 #include <ufs/ufs/quota.h>
50 #include <ufs/ufs/inode.h>
51 #include <ufs/ufs/acl.h>
52 #include <ufs/ufs/extattr.h>
53 #include <ufs/ufs/dir.h>
54 #include <ufs/ufs/ufsmount.h>
55 #include <ufs/ufs/ufs_extern.h>
56 #include <ufs/ffs/fs.h>
61 * Synchronize an ACL and an inode by copying over appropriate inode fields
62 * to the passed ACL. Assumes an ACL that would satisfy acl_posix1e_check(),
63 * and may panic if not.
66 ufs_sync_acl_from_inode(struct inode *ip, struct acl *acl)
68 struct acl_entry *acl_mask, *acl_group_obj;
72 * Update ACL_USER_OBJ, ACL_OTHER, but simply identify ACL_MASK
73 * and ACL_GROUP_OBJ for use after we know whether ACL_MASK is
78 for (i = 0; i < acl->acl_cnt; i++) {
79 switch (acl->acl_entry[i].ae_tag) {
81 acl->acl_entry[i].ae_perm = acl_posix1e_mode_to_perm(
82 ACL_USER_OBJ, ip->i_mode);
83 acl->acl_entry[i].ae_id = ACL_UNDEFINED_ID;
87 acl_group_obj = &acl->acl_entry[i];
88 acl->acl_entry[i].ae_id = ACL_UNDEFINED_ID;
92 acl->acl_entry[i].ae_perm = acl_posix1e_mode_to_perm(
93 ACL_OTHER, ip->i_mode);
94 acl->acl_entry[i].ae_id = ACL_UNDEFINED_ID;
98 acl_mask = &acl->acl_entry[i];
99 acl->acl_entry[i].ae_id = ACL_UNDEFINED_ID;
107 panic("ufs_sync_acl_from_inode(): bad ae_tag");
111 if (acl_group_obj == NULL)
112 panic("ufs_sync_acl_from_inode(): no ACL_GROUP_OBJ");
114 if (acl_mask == NULL) {
116 * There is no ACL_MASK, so update ACL_GROUP_OBJ.
118 acl_group_obj->ae_perm = acl_posix1e_mode_to_perm(
119 ACL_GROUP_OBJ, ip->i_mode);
122 * Update the ACL_MASK entry instead of ACL_GROUP_OBJ.
124 acl_mask->ae_perm = acl_posix1e_mode_to_perm(ACL_GROUP_OBJ,
130 * Calculate what the inode mode should look like based on an authoritative
131 * ACL for the inode. Replace only the fields in the inode that the ACL
135 ufs_sync_inode_from_acl(struct acl *acl, struct inode *ip)
138 ip->i_mode &= ACL_PRESERVE_MASK;
139 ip->i_mode |= acl_posix1e_acl_to_mode(acl);
140 DIP_SET(ip, i_mode, ip->i_mode);
144 * Read POSIX.1e ACL from an EA. Return error if its not found
145 * or if any other error has occured.
148 ufs_get_oldacl(acl_type_t type, struct oldacl *old, struct vnode *vp,
152 struct inode *ip = VTOI(vp);
157 case ACL_TYPE_ACCESS:
158 error = vn_extattr_get(vp, IO_NODELOCKED,
159 POSIX1E_ACL_ACCESS_EXTATTR_NAMESPACE,
160 POSIX1E_ACL_ACCESS_EXTATTR_NAME, &len, (char *) old,
163 case ACL_TYPE_DEFAULT:
164 if (vp->v_type != VDIR)
166 error = vn_extattr_get(vp, IO_NODELOCKED,
167 POSIX1E_ACL_DEFAULT_EXTATTR_NAMESPACE,
168 POSIX1E_ACL_DEFAULT_EXTATTR_NAME, &len, (char *) old,
178 if (len != sizeof(*old)) {
180 * A short (or long) read, meaning that for some reason
181 * the ACL is corrupted. Return EPERM since the object
182 * DAC protections are unsafe.
184 printf("ufs_get_oldacl(): Loaded invalid ACL "
185 "(len = %d), inumber %d on %s\n", len,
186 ip->i_number, ip->i_fs->fs_fsmnt);
194 * Retrieve the ACL on a file.
196 * As part of the ACL is stored in the inode, and the rest in an EA,
197 * assemble both into a final ACL product. Right now this is not done
201 ufs_getacl_posix1e(struct vop_getacl_args *ap)
203 struct inode *ip = VTOI(ap->a_vp);
208 * XXX: If ufs_getacl() should work on file systems not supporting
209 * ACLs, remove this check.
211 if ((ap->a_vp->v_mount->mnt_flag & MNT_ACLS) == 0)
214 old = malloc(sizeof(*old), M_ACL, M_WAITOK | M_ZERO);
217 * Attempt to retrieve the ACL from the extended attributes.
219 error = ufs_get_oldacl(ap->a_type, old, ap->a_vp, ap->a_td);
222 * XXX: If ufs_getacl() should work on filesystems
223 * without the EA configured, add case EOPNOTSUPP here.
226 switch (ap->a_type) {
227 case ACL_TYPE_ACCESS:
229 * Legitimately no ACL set on object, purely
230 * emulate it through the inode. These fields will
231 * be updated when the ACL is synchronized with
235 old->acl_entry[0].ae_tag = ACL_USER_OBJ;
236 old->acl_entry[0].ae_id = ACL_UNDEFINED_ID;
237 old->acl_entry[0].ae_perm = ACL_PERM_NONE;
238 old->acl_entry[1].ae_tag = ACL_GROUP_OBJ;
239 old->acl_entry[1].ae_id = ACL_UNDEFINED_ID;
240 old->acl_entry[1].ae_perm = ACL_PERM_NONE;
241 old->acl_entry[2].ae_tag = ACL_OTHER;
242 old->acl_entry[2].ae_id = ACL_UNDEFINED_ID;
243 old->acl_entry[2].ae_perm = ACL_PERM_NONE;
246 case ACL_TYPE_DEFAULT:
248 * Unlike ACL_TYPE_ACCESS, there is no relationship
249 * between the inode contents and the ACL, and it is
250 * therefore possible for the request for the ACL
251 * to fail since the ACL is undefined. In this
252 * situation, return success and an empty ACL,
253 * as required by POSIX.1e.
263 error = acl_copy_oldacl_into_acl(old, ap->a_aclp);
267 if (ap->a_type == ACL_TYPE_ACCESS)
268 ufs_sync_acl_from_inode(ip, ap->a_aclp);
279 struct vop_getacl_args /* {
288 return (ufs_getacl_posix1e(ap));
292 * Set the ACL on a file.
294 * As part of the ACL is stored in the inode, and the rest in an EA,
295 * this is necessarily non-atomic, and has complex authorization.
296 * As ufs_setacl() includes elements of ufs_chown() and ufs_chmod(),
297 * a fair number of different access checks may be required to go ahead
298 * with the operation at all.
301 ufs_setacl_posix1e(struct vop_setacl_args *ap)
303 struct inode *ip = VTOI(ap->a_vp);
307 if ((ap->a_vp->v_mount->mnt_flag & MNT_ACLS) == 0)
311 * If this is a set operation rather than a delete operation,
312 * invoke VOP_ACLCHECK() on the passed ACL to determine if it is
313 * valid for the target. This will include a check on ap->a_type.
315 if (ap->a_aclp != NULL) {
319 error = VOP_ACLCHECK(ap->a_vp, ap->a_type, ap->a_aclp,
320 ap->a_cred, ap->a_td);
326 * POSIX.1e allows only deletion of the default ACL on a
327 * directory (ACL_TYPE_DEFAULT).
329 if (ap->a_type != ACL_TYPE_DEFAULT)
331 if (ap->a_vp->v_type != VDIR)
335 if (ap->a_vp->v_mount->mnt_flag & MNT_RDONLY)
339 * Authorize the ACL operation.
341 if (ip->i_flags & (IMMUTABLE | APPEND))
345 * Must hold VADMIN (be file owner) or have appropriate privilege.
347 if ((error = VOP_ACCESS(ap->a_vp, VADMIN, ap->a_cred, ap->a_td)))
351 case ACL_TYPE_ACCESS:
352 old = malloc(sizeof(*old), M_ACL, M_WAITOK | M_ZERO);
353 error = acl_copy_acl_into_oldacl(ap->a_aclp, old);
355 error = vn_extattr_set(ap->a_vp, IO_NODELOCKED,
356 POSIX1E_ACL_ACCESS_EXTATTR_NAMESPACE,
357 POSIX1E_ACL_ACCESS_EXTATTR_NAME, sizeof(*old),
358 (char *) old, ap->a_td);
363 case ACL_TYPE_DEFAULT:
364 if (ap->a_aclp == NULL) {
365 error = vn_extattr_rm(ap->a_vp, IO_NODELOCKED,
366 POSIX1E_ACL_DEFAULT_EXTATTR_NAMESPACE,
367 POSIX1E_ACL_DEFAULT_EXTATTR_NAME, ap->a_td);
369 * Attempting to delete a non-present default ACL
370 * will return success for portability purposes.
373 * XXX: Note that since we can't distinguish
374 * "that EA is not supported" from "that EA is not
375 * defined", the success case here overlaps the
376 * the ENOATTR->EOPNOTSUPP case below.
378 if (error == ENOATTR)
381 old = malloc(sizeof(*old), M_ACL, M_WAITOK | M_ZERO);
382 error = acl_copy_acl_into_oldacl(ap->a_aclp, old);
384 error = vn_extattr_set(ap->a_vp, IO_NODELOCKED,
385 POSIX1E_ACL_DEFAULT_EXTATTR_NAMESPACE,
386 POSIX1E_ACL_DEFAULT_EXTATTR_NAME,
387 sizeof(*old), (char *) old, ap->a_td);
397 * Map lack of attribute definition in UFS_EXTATTR into lack of
398 * support for ACLs on the filesystem.
400 if (error == ENOATTR)
405 if (ap->a_type == ACL_TYPE_ACCESS) {
407 * Now that the EA is successfully updated, update the
408 * inode and mark it as changed.
410 ufs_sync_inode_from_acl(ap->a_aclp, ip);
411 ip->i_flag |= IN_CHANGE;
414 VN_KNOTE_UNLOCKED(ap->a_vp, NOTE_ATTRIB);
420 struct vop_setacl_args /* {
429 return (ufs_setacl_posix1e(ap));
433 ufs_aclcheck_posix1e(struct vop_aclcheck_args *ap)
436 if ((ap->a_vp->v_mount->mnt_flag & MNT_ACLS) == 0)
440 * Verify we understand this type of ACL, and that it applies
441 * to this kind of object.
442 * Rely on the acl_posix1e_check() routine to verify the contents.
445 case ACL_TYPE_ACCESS:
448 case ACL_TYPE_DEFAULT:
449 if (ap->a_vp->v_type != VDIR)
457 if (ap->a_aclp->acl_cnt > OLDACL_MAX_ENTRIES)
460 return (acl_posix1e_check(ap->a_aclp));
464 * Check the validity of an ACL for a file.
468 struct vop_aclcheck_args /* {
477 return (ufs_aclcheck_posix1e(ap));
480 #endif /* !UFS_ACL */