2 * SPDX-License-Identifier: BSD-2-Clause-FreeBSD
4 * Copyright (c) 1999-2003 Robert N. M. Watson
7 * This software was developed by Robert Watson for the TrustedBSD Project.
9 * Redistribution and use in source and binary forms, with or without
10 * modification, are permitted provided that the following conditions
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 * 2. Redistributions in binary form must reproduce the above copyright
15 * notice, this list of conditions and the following disclaimer in the
16 * documentation and/or other materials provided with the distribution.
18 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
19 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
20 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
21 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
22 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
23 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
24 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
25 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
26 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
27 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
32 * Support for POSIX.1e access control lists: UFS-specific support functions.
35 #include <sys/cdefs.h>
36 __FBSDID("$FreeBSD$");
39 #include "opt_quota.h"
41 #include <sys/param.h>
42 #include <sys/systm.h>
44 #include <sys/mount.h>
45 #include <sys/vnode.h>
46 #include <sys/types.h>
48 #include <sys/event.h>
49 #include <sys/extattr.h>
52 #include <ufs/ufs/quota.h>
53 #include <ufs/ufs/inode.h>
54 #include <ufs/ufs/acl.h>
55 #include <ufs/ufs/extattr.h>
56 #include <ufs/ufs/dir.h>
57 #include <ufs/ufs/ufsmount.h>
58 #include <ufs/ufs/ufs_extern.h>
59 #include <ufs/ffs/fs.h>
63 FEATURE(ufs_acl, "ACL support for UFS");
66 * Synchronize an ACL and an inode by copying over appropriate inode fields
67 * to the passed ACL. Assumes an ACL that would satisfy acl_posix1e_check(),
68 * and may panic if not.
71 ufs_sync_acl_from_inode(struct inode *ip, struct acl *acl)
73 struct acl_entry *acl_mask, *acl_group_obj;
77 * Update ACL_USER_OBJ, ACL_OTHER, but simply identify ACL_MASK
78 * and ACL_GROUP_OBJ for use after we know whether ACL_MASK is
83 for (i = 0; i < acl->acl_cnt; i++) {
84 switch (acl->acl_entry[i].ae_tag) {
86 acl->acl_entry[i].ae_perm = acl_posix1e_mode_to_perm(
87 ACL_USER_OBJ, ip->i_mode);
88 acl->acl_entry[i].ae_id = ACL_UNDEFINED_ID;
92 acl_group_obj = &acl->acl_entry[i];
93 acl->acl_entry[i].ae_id = ACL_UNDEFINED_ID;
97 acl->acl_entry[i].ae_perm = acl_posix1e_mode_to_perm(
98 ACL_OTHER, ip->i_mode);
99 acl->acl_entry[i].ae_id = ACL_UNDEFINED_ID;
103 acl_mask = &acl->acl_entry[i];
104 acl->acl_entry[i].ae_id = ACL_UNDEFINED_ID;
112 panic("ufs_sync_acl_from_inode(): bad ae_tag");
116 if (acl_group_obj == NULL)
117 panic("ufs_sync_acl_from_inode(): no ACL_GROUP_OBJ");
119 if (acl_mask == NULL) {
121 * There is no ACL_MASK, so update ACL_GROUP_OBJ.
123 acl_group_obj->ae_perm = acl_posix1e_mode_to_perm(
124 ACL_GROUP_OBJ, ip->i_mode);
127 * Update the ACL_MASK entry instead of ACL_GROUP_OBJ.
129 acl_mask->ae_perm = acl_posix1e_mode_to_perm(ACL_GROUP_OBJ,
135 * Calculate what the inode mode should look like based on an authoritative
136 * ACL for the inode. Replace only the fields in the inode that the ACL
140 ufs_sync_inode_from_acl(struct acl *acl, struct inode *ip)
143 ip->i_mode &= ACL_PRESERVE_MASK;
144 ip->i_mode |= acl_posix1e_acl_to_mode(acl);
145 DIP_SET(ip, i_mode, ip->i_mode);
149 * Retrieve NFSv4 ACL, skipping access checks. Must be used in UFS code
150 * instead of VOP_GETACL() when we don't want to be restricted by the user
151 * not having ACL_READ_ACL permission, e.g. when calculating inherited ACL
152 * or in ufs_vnops.c:ufs_accessx().
155 ufs_getacl_nfs4_internal(struct vnode *vp, struct acl *aclp, struct thread *td)
158 struct inode *ip = VTOI(vp);
163 error = vn_extattr_get(vp, IO_NODELOCKED,
164 NFS4_ACL_EXTATTR_NAMESPACE, NFS4_ACL_EXTATTR_NAME,
165 &len, (char *) aclp, td);
166 aclp->acl_maxcnt = ACL_MAX_ENTRIES;
167 if (error == ENOATTR) {
169 * Legitimately no ACL set on object, purely
170 * emulate it through the inode.
172 acl_nfs4_sync_acl_from_mode(aclp, ip->i_mode, ip->i_uid);
180 if (len != sizeof(*aclp)) {
182 * A short (or long) read, meaning that for
183 * some reason the ACL is corrupted. Return
184 * EPERM since the object DAC protections
187 printf("ufs_getacl_nfs4(): Loaded invalid ACL ("
188 "%d bytes), inumber %ju on %s\n", len,
189 (uintmax_t)ip->i_number, ITOFS(ip)->fs_fsmnt);
194 error = acl_nfs4_check(aclp, vp->v_type == VDIR);
196 printf("ufs_getacl_nfs4(): Loaded invalid ACL "
197 "(failed acl_nfs4_check), inumber %ju on %s\n",
198 (uintmax_t)ip->i_number, ITOFS(ip)->fs_fsmnt);
207 ufs_getacl_nfs4(struct vop_getacl_args *ap)
211 if ((ap->a_vp->v_mount->mnt_flag & MNT_NFS4ACLS) == 0)
214 error = VOP_ACCESSX(ap->a_vp, VREAD_ACL, ap->a_td->td_ucred, ap->a_td);
218 error = ufs_getacl_nfs4_internal(ap->a_vp, ap->a_aclp, ap->a_td);
224 * Read POSIX.1e ACL from an EA. Return error if its not found
225 * or if any other error has occurred.
228 ufs_get_oldacl(acl_type_t type, struct oldacl *old, struct vnode *vp,
232 struct inode *ip = VTOI(vp);
237 case ACL_TYPE_ACCESS:
238 error = vn_extattr_get(vp, IO_NODELOCKED,
239 POSIX1E_ACL_ACCESS_EXTATTR_NAMESPACE,
240 POSIX1E_ACL_ACCESS_EXTATTR_NAME, &len, (char *) old,
243 case ACL_TYPE_DEFAULT:
244 if (vp->v_type != VDIR)
246 error = vn_extattr_get(vp, IO_NODELOCKED,
247 POSIX1E_ACL_DEFAULT_EXTATTR_NAMESPACE,
248 POSIX1E_ACL_DEFAULT_EXTATTR_NAME, &len, (char *) old,
258 if (len != sizeof(*old)) {
260 * A short (or long) read, meaning that for some reason
261 * the ACL is corrupted. Return EPERM since the object
262 * DAC protections are unsafe.
264 printf("ufs_get_oldacl(): Loaded invalid ACL "
265 "(len = %d), inumber %ju on %s\n", len,
266 (uintmax_t)ip->i_number, ITOFS(ip)->fs_fsmnt);
274 * Retrieve the ACL on a file.
276 * As part of the ACL is stored in the inode, and the rest in an EA,
277 * assemble both into a final ACL product. Right now this is not done
281 ufs_getacl_posix1e(struct vop_getacl_args *ap)
283 struct inode *ip = VTOI(ap->a_vp);
288 * XXX: If ufs_getacl() should work on file systems not supporting
289 * ACLs, remove this check.
291 if ((ap->a_vp->v_mount->mnt_flag & MNT_ACLS) == 0)
294 old = malloc(sizeof(*old), M_ACL, M_WAITOK | M_ZERO);
297 * Attempt to retrieve the ACL from the extended attributes.
299 error = ufs_get_oldacl(ap->a_type, old, ap->a_vp, ap->a_td);
302 * XXX: If ufs_getacl() should work on filesystems
303 * without the EA configured, add case EOPNOTSUPP here.
306 switch (ap->a_type) {
307 case ACL_TYPE_ACCESS:
309 * Legitimately no ACL set on object, purely
310 * emulate it through the inode. These fields will
311 * be updated when the ACL is synchronized with
315 old->acl_entry[0].ae_tag = ACL_USER_OBJ;
316 old->acl_entry[0].ae_id = ACL_UNDEFINED_ID;
317 old->acl_entry[0].ae_perm = ACL_PERM_NONE;
318 old->acl_entry[1].ae_tag = ACL_GROUP_OBJ;
319 old->acl_entry[1].ae_id = ACL_UNDEFINED_ID;
320 old->acl_entry[1].ae_perm = ACL_PERM_NONE;
321 old->acl_entry[2].ae_tag = ACL_OTHER;
322 old->acl_entry[2].ae_id = ACL_UNDEFINED_ID;
323 old->acl_entry[2].ae_perm = ACL_PERM_NONE;
326 case ACL_TYPE_DEFAULT:
328 * Unlike ACL_TYPE_ACCESS, there is no relationship
329 * between the inode contents and the ACL, and it is
330 * therefore possible for the request for the ACL
331 * to fail since the ACL is undefined. In this
332 * situation, return success and an empty ACL,
333 * as required by POSIX.1e.
340 error = acl_copy_oldacl_into_acl(old, ap->a_aclp);
344 if (ap->a_type == ACL_TYPE_ACCESS)
345 ufs_sync_acl_from_inode(ip, ap->a_aclp);
356 struct vop_getacl_args /* {
365 if ((ap->a_vp->v_mount->mnt_flag & (MNT_ACLS | MNT_NFS4ACLS)) == 0)
368 if (ap->a_type == ACL_TYPE_NFS4)
369 return (ufs_getacl_nfs4(ap));
371 return (ufs_getacl_posix1e(ap));
375 * Set NFSv4 ACL without doing any access checking. This is required
376 * e.g. by the UFS code that implements ACL inheritance, or from
377 * ufs_vnops.c:ufs_chmod(), as some of the checks have to be skipped
378 * in that case, and others are redundant.
381 ufs_setacl_nfs4_internal(struct vnode *vp, struct acl *aclp, struct thread *td)
385 struct inode *ip = VTOI(vp);
387 KASSERT(acl_nfs4_check(aclp, vp->v_type == VDIR) == 0,
388 ("invalid ACL passed to ufs_setacl_nfs4_internal"));
390 if (acl_nfs4_is_trivial(aclp, ip->i_uid)) {
391 error = vn_extattr_rm(vp, IO_NODELOCKED,
392 NFS4_ACL_EXTATTR_NAMESPACE, NFS4_ACL_EXTATTR_NAME, td);
395 * An attempt to remove ACL from a file that didn't have
396 * any extended entries is not an error.
398 if (error == ENOATTR)
402 error = vn_extattr_set(vp, IO_NODELOCKED,
403 NFS4_ACL_EXTATTR_NAMESPACE, NFS4_ACL_EXTATTR_NAME,
404 sizeof(*aclp), (char *) aclp, td);
408 * Map lack of attribute definition in UFS_EXTATTR into lack of
409 * support for ACLs on the filesystem.
411 if (error == ENOATTR)
419 acl_nfs4_sync_mode_from_acl(&mode, aclp);
421 ip->i_mode &= ACL_PRESERVE_MASK;
423 DIP_SET(ip, i_mode, ip->i_mode);
424 ip->i_flag |= IN_CHANGE;
426 VN_KNOTE_UNLOCKED(vp, NOTE_ATTRIB);
428 error = UFS_UPDATE(vp, 0);
433 ufs_setacl_nfs4(struct vop_setacl_args *ap)
436 struct inode *ip = VTOI(ap->a_vp);
438 if ((ap->a_vp->v_mount->mnt_flag & MNT_NFS4ACLS) == 0)
441 if (ap->a_vp->v_mount->mnt_flag & MNT_RDONLY)
444 if (ap->a_aclp == NULL)
447 error = VOP_ACLCHECK(ap->a_vp, ap->a_type, ap->a_aclp, ap->a_cred,
453 * Authorize the ACL operation.
455 if (ip->i_flags & (IMMUTABLE | APPEND))
459 * Must hold VWRITE_ACL or have appropriate privilege.
461 if ((error = VOP_ACCESSX(ap->a_vp, VWRITE_ACL, ap->a_cred, ap->a_td)))
465 * With NFSv4 ACLs, chmod(2) may need to add additional entries.
466 * Make sure it has enough room for that - splitting every entry
467 * into two and appending "canonical six" entries at the end.
469 if (ap->a_aclp->acl_cnt > (ACL_MAX_ENTRIES - 6) / 2)
472 error = ufs_setacl_nfs4_internal(ap->a_vp, ap->a_aclp, ap->a_td);
478 * Set the ACL on a file.
480 * As part of the ACL is stored in the inode, and the rest in an EA,
481 * this is necessarily non-atomic, and has complex authorization.
482 * As ufs_setacl() includes elements of ufs_chown() and ufs_chmod(),
483 * a fair number of different access checks may be required to go ahead
484 * with the operation at all.
487 ufs_setacl_posix1e(struct vop_setacl_args *ap)
489 struct inode *ip = VTOI(ap->a_vp);
493 if ((ap->a_vp->v_mount->mnt_flag & MNT_ACLS) == 0)
497 * If this is a set operation rather than a delete operation,
498 * invoke VOP_ACLCHECK() on the passed ACL to determine if it is
499 * valid for the target. This will include a check on ap->a_type.
501 if (ap->a_aclp != NULL) {
505 error = VOP_ACLCHECK(ap->a_vp, ap->a_type, ap->a_aclp,
506 ap->a_cred, ap->a_td);
512 * POSIX.1e allows only deletion of the default ACL on a
513 * directory (ACL_TYPE_DEFAULT).
515 if (ap->a_type != ACL_TYPE_DEFAULT)
517 if (ap->a_vp->v_type != VDIR)
521 if (ap->a_vp->v_mount->mnt_flag & MNT_RDONLY)
525 * Authorize the ACL operation.
527 if (ip->i_flags & (IMMUTABLE | APPEND))
531 * Must hold VADMIN (be file owner) or have appropriate privilege.
533 if ((error = VOP_ACCESS(ap->a_vp, VADMIN, ap->a_cred, ap->a_td)))
537 case ACL_TYPE_ACCESS:
538 old = malloc(sizeof(*old), M_ACL, M_WAITOK | M_ZERO);
539 error = acl_copy_acl_into_oldacl(ap->a_aclp, old);
541 error = vn_extattr_set(ap->a_vp, IO_NODELOCKED,
542 POSIX1E_ACL_ACCESS_EXTATTR_NAMESPACE,
543 POSIX1E_ACL_ACCESS_EXTATTR_NAME, sizeof(*old),
544 (char *) old, ap->a_td);
549 case ACL_TYPE_DEFAULT:
550 if (ap->a_aclp == NULL) {
551 error = vn_extattr_rm(ap->a_vp, IO_NODELOCKED,
552 POSIX1E_ACL_DEFAULT_EXTATTR_NAMESPACE,
553 POSIX1E_ACL_DEFAULT_EXTATTR_NAME, ap->a_td);
555 * Attempting to delete a non-present default ACL
556 * will return success for portability purposes.
559 * XXX: Note that since we can't distinguish
560 * "that EA is not supported" from "that EA is not
561 * defined", the success case here overlaps the
562 * the ENOATTR->EOPNOTSUPP case below.
564 if (error == ENOATTR)
567 old = malloc(sizeof(*old), M_ACL, M_WAITOK | M_ZERO);
568 error = acl_copy_acl_into_oldacl(ap->a_aclp, old);
570 error = vn_extattr_set(ap->a_vp, IO_NODELOCKED,
571 POSIX1E_ACL_DEFAULT_EXTATTR_NAMESPACE,
572 POSIX1E_ACL_DEFAULT_EXTATTR_NAME,
573 sizeof(*old), (char *) old, ap->a_td);
583 * Map lack of attribute definition in UFS_EXTATTR into lack of
584 * support for ACLs on the filesystem.
586 if (error == ENOATTR)
591 if (ap->a_type == ACL_TYPE_ACCESS) {
593 * Now that the EA is successfully updated, update the
594 * inode and mark it as changed.
596 ufs_sync_inode_from_acl(ap->a_aclp, ip);
597 ip->i_flag |= IN_CHANGE;
598 error = UFS_UPDATE(ap->a_vp, 0);
601 VN_KNOTE_UNLOCKED(ap->a_vp, NOTE_ATTRIB);
607 struct vop_setacl_args /* {
615 if ((ap->a_vp->v_mount->mnt_flag & (MNT_ACLS | MNT_NFS4ACLS)) == 0)
618 if (ap->a_type == ACL_TYPE_NFS4)
619 return (ufs_setacl_nfs4(ap));
621 return (ufs_setacl_posix1e(ap));
625 ufs_aclcheck_nfs4(struct vop_aclcheck_args *ap)
627 int is_directory = 0;
629 if ((ap->a_vp->v_mount->mnt_flag & MNT_NFS4ACLS) == 0)
633 * With NFSv4 ACLs, chmod(2) may need to add additional entries.
634 * Make sure it has enough room for that - splitting every entry
635 * into two and appending "canonical six" entries at the end.
637 if (ap->a_aclp->acl_cnt > (ACL_MAX_ENTRIES - 6) / 2)
640 if (ap->a_vp->v_type == VDIR)
643 return (acl_nfs4_check(ap->a_aclp, is_directory));
647 ufs_aclcheck_posix1e(struct vop_aclcheck_args *ap)
650 if ((ap->a_vp->v_mount->mnt_flag & MNT_ACLS) == 0)
654 * Verify we understand this type of ACL, and that it applies
655 * to this kind of object.
656 * Rely on the acl_posix1e_check() routine to verify the contents.
659 case ACL_TYPE_ACCESS:
662 case ACL_TYPE_DEFAULT:
663 if (ap->a_vp->v_type != VDIR)
671 if (ap->a_aclp->acl_cnt > OLDACL_MAX_ENTRIES)
674 return (acl_posix1e_check(ap->a_aclp));
678 * Check the validity of an ACL for a file.
682 struct vop_aclcheck_args /* {
691 if ((ap->a_vp->v_mount->mnt_flag & (MNT_ACLS | MNT_NFS4ACLS)) == 0)
694 if (ap->a_type == ACL_TYPE_NFS4)
695 return (ufs_aclcheck_nfs4(ap));
697 return (ufs_aclcheck_posix1e(ap));
700 #endif /* !UFS_ACL */
projects / freebsd.git / blob