| 1 | /* |
| 2 | * (The copyright below applies to ufs_access()) |
| 3 | * |
| 4 | * Copyright (c) 1982, 1986, 1989, 1993, 1995 |
| 5 | * The Regents of the University of California. All rights reserved. |
| 6 | * (c) UNIX System Laboratories, Inc. |
| 7 | * All or some portions of this file are derived from material licensed |
| 8 | * to the University of California by American Telephone and Telegraph |
| 9 | * Co. or Unix System Laboratories, Inc. and are reproduced herein with |
| 10 | * the permission of UNIX System Laboratories, Inc. |
| 11 | * |
| 12 | * Redistribution and use in source and binary forms, with or without |
| 13 | * modification, are permitted provided that the following conditions |
| 14 | * are met: |
| 15 | * 1. Redistributions of source code must retain the above copyright |
| 16 | * notice, this list of conditions and the following disclaimer. |
| 17 | * 2. Redistributions in binary form must reproduce the above copyright |
| 18 | * notice, this list of conditions and the following disclaimer in the |
| 19 | * documentation and/or other materials provided with the distribution. |
| 20 | * 3. All advertising materials mentioning features or use of this software |
| 21 | * must display the following acknowledgement: |
| 22 | * This product includes software developed by the University of |
| 23 | * California, Berkeley and its contributors. |
| 24 | * 4. Neither the name of the University nor the names of its contributors |
| 25 | * may be used to endorse or promote products derived from this software |
| 26 | * without specific prior written permission. |
| 27 | * |
| 28 | * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND |
| 29 | * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE |
| 30 | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE |
| 31 | * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE |
| 32 | * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL |
| 33 | * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS |
| 34 | * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) |
| 35 | * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT |
| 36 | * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY |
| 37 | * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF |
| 38 | * SUCH DAMAGE. |
| 39 | * |
| 40 | * @(#)ufs_vnops.c 8.27 (Berkeley) 5/27/95 |
| 41 | * $DragonFly: src/sys/kern/vfs_helper.c,v 1.5 2008/05/25 18:34:46 dillon Exp $ |
| 42 | */ |
| 43 | |
| 44 | #include "opt_quota.h" |
| 45 | #include "opt_suiddir.h" |
| 46 | |
| 47 | #include <sys/param.h> |
| 48 | #include <sys/systm.h> |
| 49 | #include <sys/kernel.h> |
| 50 | #include <sys/fcntl.h> |
| 51 | #include <sys/stat.h> |
| 52 | #include <sys/mount.h> |
| 53 | #include <sys/unistd.h> |
| 54 | #include <sys/vnode.h> |
| 55 | #include <sys/file.h> /* XXX */ |
| 56 | #include <sys/proc.h> |
| 57 | #include <sys/priv.h> |
| 58 | #include <sys/jail.h> |
| 59 | |
| 60 | /* |
| 61 | * vop_helper_access() |
| 62 | * |
| 63 | * Provide standard UNIX semanics for VOP_ACCESS, but without the quota |
| 64 | * code. This procedure was basically pulled out of UFS. |
| 65 | */ |
| 66 | int |
| 67 | vop_helper_access(struct vop_access_args *ap, uid_t ino_uid, gid_t ino_gid, |
| 68 | mode_t ino_mode, u_int32_t ino_flags) |
| 69 | { |
| 70 | struct vnode *vp = ap->a_vp; |
| 71 | struct ucred *cred = ap->a_cred; |
| 72 | mode_t mask, mode = ap->a_mode; |
| 73 | gid_t *gp; |
| 74 | int i; |
| 75 | #ifdef QUOTA |
| 76 | /*int error;*/ |
| 77 | #endif |
| 78 | |
| 79 | /* |
| 80 | * Disallow write attempts on read-only filesystems; |
| 81 | * unless the file is a socket, fifo, or a block or |
| 82 | * character device resident on the filesystem. |
| 83 | */ |
| 84 | if (mode & VWRITE) { |
| 85 | switch (vp->v_type) { |
| 86 | case VDIR: |
| 87 | case VLNK: |
| 88 | case VREG: |
| 89 | case VDATABASE: |
| 90 | if (vp->v_mount->mnt_flag & MNT_RDONLY) |
| 91 | return (EROFS); |
| 92 | #ifdef QUOTA |
| 93 | /* check quota here XXX */ |
| 94 | #endif |
| 95 | break; |
| 96 | default: |
| 97 | break; |
| 98 | } |
| 99 | } |
| 100 | |
| 101 | /* If immutable bit set, nobody gets to write it. */ |
| 102 | if ((mode & VWRITE) && (ino_flags & IMMUTABLE)) |
| 103 | return (EPERM); |
| 104 | |
| 105 | /* Otherwise, user id 0 always gets access. */ |
| 106 | if (cred->cr_uid == 0) |
| 107 | return (0); |
| 108 | |
| 109 | mask = 0; |
| 110 | |
| 111 | /* Otherwise, check the owner. */ |
| 112 | if (cred->cr_uid == ino_uid) { |
| 113 | if (mode & VOWN) |
| 114 | return (0); |
| 115 | if (mode & VEXEC) |
| 116 | mask |= S_IXUSR; |
| 117 | if (mode & VREAD) |
| 118 | mask |= S_IRUSR; |
| 119 | if (mode & VWRITE) |
| 120 | mask |= S_IWUSR; |
| 121 | return ((ino_mode & mask) == mask ? 0 : EACCES); |
| 122 | } |
| 123 | |
| 124 | /* Otherwise, check the groups. */ |
| 125 | for (i = 0, gp = cred->cr_groups; i < cred->cr_ngroups; i++, gp++) |
| 126 | if (ino_gid == *gp) { |
| 127 | if (mode & VEXEC) |
| 128 | mask |= S_IXGRP; |
| 129 | if (mode & VREAD) |
| 130 | mask |= S_IRGRP; |
| 131 | if (mode & VWRITE) |
| 132 | mask |= S_IWGRP; |
| 133 | return ((ino_mode & mask) == mask ? 0 : EACCES); |
| 134 | } |
| 135 | |
| 136 | /* Otherwise, check everyone else. */ |
| 137 | if (mode & VEXEC) |
| 138 | mask |= S_IXOTH; |
| 139 | if (mode & VREAD) |
| 140 | mask |= S_IROTH; |
| 141 | if (mode & VWRITE) |
| 142 | mask |= S_IWOTH; |
| 143 | return ((ino_mode & mask) == mask ? 0 : EACCES); |
| 144 | } |
| 145 | |
| 146 | int |
| 147 | vop_helper_setattr_flags(u_int32_t *ino_flags, u_int32_t vaflags, |
| 148 | uid_t uid, struct ucred *cred) |
| 149 | { |
| 150 | int error; |
| 151 | |
| 152 | /* |
| 153 | * If uid doesn't match only the super-user can change the flags |
| 154 | */ |
| 155 | if (cred->cr_uid != uid && |
| 156 | (error = priv_check_cred(cred, PRIV_ROOT, PRISON_ROOT))) { |
| 157 | return(error); |
| 158 | } |
| 159 | if (cred->cr_uid == 0 && |
| 160 | (!jailed(cred)|| jail_chflags_allowed)) { |
| 161 | if ((*ino_flags & (SF_NOUNLINK|SF_IMMUTABLE|SF_APPEND)) && |
| 162 | securelevel > 0) |
| 163 | return (EPERM); |
| 164 | *ino_flags = vaflags; |
| 165 | } else { |
| 166 | if (*ino_flags & (SF_NOUNLINK|SF_IMMUTABLE|SF_APPEND) || |
| 167 | (vaflags & UF_SETTABLE) != vaflags) |
| 168 | return (EPERM); |
| 169 | *ino_flags &= SF_SETTABLE; |
| 170 | *ino_flags |= vaflags & UF_SETTABLE; |
| 171 | } |
| 172 | return(0); |
| 173 | } |
| 174 | |
| 175 | /* |
| 176 | * This helper function may be used by VFSs to implement UNIX initial |
| 177 | * ownership semantics when creating new objects inside directories. |
| 178 | */ |
| 179 | uid_t |
| 180 | vop_helper_create_uid(struct mount *mp, mode_t dmode, uid_t duid, |
| 181 | struct ucred *cred, mode_t *modep) |
| 182 | { |
| 183 | #ifdef SUIDDIR |
| 184 | if ((mp->mnt_flag & MNT_SUIDDIR) && (dmode & S_ISUID) && |
| 185 | duid != cred->cr_uid && duid) { |
| 186 | *modep &= ~07111; |
| 187 | return(duid); |
| 188 | } |
| 189 | #endif |
| 190 | return(cred->cr_uid); |
| 191 | } |
| 192 | |
| 193 | /* |
| 194 | * This helper may be used by VFSs to implement unix chmod semantics. |
| 195 | */ |
| 196 | int |
| 197 | vop_helper_chmod(struct vnode *vp, mode_t new_mode, struct ucred *cred, |
| 198 | uid_t cur_uid, gid_t cur_gid, mode_t *cur_modep) |
| 199 | { |
| 200 | int error; |
| 201 | |
| 202 | if (cred->cr_uid != cur_uid) { |
| 203 | error = priv_check_cred(cred, PRIV_ROOT, PRISON_ROOT); |
| 204 | if (error) |
| 205 | return (error); |
| 206 | } |
| 207 | if (cred->cr_uid) { |
| 208 | if (vp->v_type != VDIR && (*cur_modep & S_ISTXT)) |
| 209 | return (EFTYPE); |
| 210 | if (!groupmember(cur_gid, cred) && (*cur_modep & S_ISGID)) |
| 211 | return (EPERM); |
| 212 | } |
| 213 | *cur_modep &= ~ALLPERMS; |
| 214 | *cur_modep |= new_mode & ALLPERMS; |
| 215 | return(0); |
| 216 | } |
| 217 | |
| 218 | /* |
| 219 | * This helper may be used by VFSs to implement unix chown semantics. |
| 220 | */ |
| 221 | int |
| 222 | vop_helper_chown(struct vnode *vp, uid_t new_uid, gid_t new_gid, |
| 223 | struct ucred *cred, |
| 224 | uid_t *cur_uidp, gid_t *cur_gidp, mode_t *cur_modep) |
| 225 | { |
| 226 | gid_t ogid; |
| 227 | uid_t ouid; |
| 228 | int error; |
| 229 | |
| 230 | if (new_uid == (uid_t)VNOVAL) |
| 231 | new_uid = *cur_uidp; |
| 232 | if (new_gid == (gid_t)VNOVAL) |
| 233 | new_gid = *cur_gidp; |
| 234 | |
| 235 | /* |
| 236 | * If we don't own the file, are trying to change the owner |
| 237 | * of the file, or are not a member of the target group, |
| 238 | * the caller must be superuser or the call fails. |
| 239 | */ |
| 240 | if ((cred->cr_uid != *cur_uidp || new_uid != *cur_uidp || |
| 241 | (new_gid != *cur_gidp && !(cred->cr_gid == new_gid || |
| 242 | groupmember(new_gid, cred)))) && |
| 243 | (error = priv_check_cred(cred, PRIV_ROOT, PRISON_ROOT))) { |
| 244 | return (error); |
| 245 | } |
| 246 | ogid = *cur_gidp; |
| 247 | ouid = *cur_uidp; |
| 248 | /* XXX QUOTA CODE */ |
| 249 | *cur_uidp = new_uid; |
| 250 | *cur_gidp = new_gid; |
| 251 | /* XXX QUOTA CODE */ |
| 252 | |
| 253 | /* |
| 254 | * DragonFly clears both SUID and SGID if either the owner or |
| 255 | * group is changed and root isn't doing it. If root is doing |
| 256 | * it we do not clear SUID/SGID. |
| 257 | */ |
| 258 | if (cred->cr_uid != 0 && (ouid != new_uid || ogid != new_gid)) |
| 259 | *cur_modep &= ~(S_ISUID | S_ISGID); |
| 260 | return(0); |
| 261 | } |
| 262 | |