author | Neil Perrin <Neil.Perrin@Sun.COM> |
Wed, 29 Apr 2009 23:01:43 -0600 | |
changeset 9512 | 64cafcbcc337 |
parent 9396 | f41cf682d0d3 |
child 9749 | 105f407a2680 |
permissions | -rw-r--r-- |
789 | 1 |
/* |
2 |
* CDDL HEADER START |
|
3 |
* |
|
4 |
* The contents of this file are subject to the terms of the |
|
1544 | 5 |
* Common Development and Distribution License (the "License"). |
6 |
* You may not use this file except in compliance with the License. |
|
789 | 7 |
* |
8 |
* You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE |
|
9 |
* or http://www.opensolaris.org/os/licensing. |
|
10 |
* See the License for the specific language governing permissions |
|
11 |
* and limitations under the License. |
|
12 |
* |
|
13 |
* When distributing Covered Code, include this CDDL HEADER in each |
|
14 |
* file and include the License file at usr/src/OPENSOLARIS.LICENSE. |
|
15 |
* If applicable, add the following below this CDDL HEADER, with the |
|
16 |
* fields enclosed by brackets "[]" replaced with your own identifying |
|
17 |
* information: Portions Copyright [yyyy] [name of copyright owner] |
|
18 |
* |
|
19 |
* CDDL HEADER END |
|
20 |
*/ |
|
21 |
/* |
|
8952
c2f95230b0ff
6809529 dirtying snapshot! rears its head again
Mark Shellenbaum <Mark.Shellenbaum@Sun.COM>
parents:
8227
diff
changeset
|
22 |
* Copyright 2009 Sun Microsystems, Inc. All rights reserved. |
789 | 23 |
* Use is subject to license terms. |
24 |
*/ |
|
25 |
||
26 |
#include <sys/types.h> |
|
27 |
#include <sys/param.h> |
|
28 |
#include <sys/time.h> |
|
29 |
#include <sys/systm.h> |
|
30 |
#include <sys/sysmacros.h> |
|
31 |
#include <sys/resource.h> |
|
32 |
#include <sys/vfs.h> |
|
33 |
#include <sys/vnode.h> |
|
5331 | 34 |
#include <sys/sid.h> |
789 | 35 |
#include <sys/file.h> |
36 |
#include <sys/stat.h> |
|
37 |
#include <sys/kmem.h> |
|
38 |
#include <sys/cmn_err.h> |
|
39 |
#include <sys/errno.h> |
|
40 |
#include <sys/unistd.h> |
|
1576
0364d1928a7f
6380036 zfs does not clear S_ISUID and S_ISGID bits on successful writes
marks
parents:
1544
diff
changeset
|
41 |
#include <sys/sdt.h> |
789 | 42 |
#include <sys/fs/zfs.h> |
43 |
#include <sys/mode.h> |
|
44 |
#include <sys/policy.h> |
|
45 |
#include <sys/zfs_znode.h> |
|
5331 | 46 |
#include <sys/zfs_fuid.h> |
789 | 47 |
#include <sys/zfs_acl.h> |
48 |
#include <sys/zfs_dir.h> |
|
49 |
#include <sys/zfs_vfsops.h> |
|
50 |
#include <sys/dmu.h> |
|
5331 | 51 |
#include <sys/dnode.h> |
789 | 52 |
#include <sys/zap.h> |
53 |
#include "fs/fs_subr.h" |
|
54 |
#include <acl/acl_common.h> |
|
55 |
||
56 |
#define ALLOW ACE_ACCESS_ALLOWED_ACE_TYPE |
|
57 |
#define DENY ACE_ACCESS_DENIED_ACE_TYPE |
|
5331 | 58 |
#define MAX_ACE_TYPE ACE_SYSTEM_ALARM_CALLBACK_OBJECT_ACE_TYPE |
7559
a2e9a3201169
6746456 ZFS doesn't inherit old ACLs correctly on upgraded file system
Mark Shellenbaum <Mark.Shellenbaum@Sun.COM>
parents:
7328
diff
changeset
|
59 |
#define MIN_ACE_TYPE ALLOW |
789 | 60 |
|
61 |
#define OWNING_GROUP (ACE_GROUP|ACE_IDENTIFIER_GROUP) |
|
62 |
#define EVERYONE_ALLOW_MASK (ACE_READ_ACL|ACE_READ_ATTRIBUTES | \ |
|
63 |
ACE_READ_NAMED_ATTRS|ACE_SYNCHRONIZE) |
|
64 |
#define EVERYONE_DENY_MASK (ACE_WRITE_ACL|ACE_WRITE_OWNER | \ |
|
65 |
ACE_WRITE_ATTRIBUTES|ACE_WRITE_NAMED_ATTRS) |
|
66 |
#define OWNER_ALLOW_MASK (ACE_WRITE_ACL | ACE_WRITE_OWNER | \ |
|
67 |
ACE_WRITE_ATTRIBUTES|ACE_WRITE_NAMED_ATTRS) |
|
5331 | 68 |
|
69 |
#define ZFS_CHECKED_MASKS (ACE_READ_ACL|ACE_READ_ATTRIBUTES|ACE_READ_DATA| \ |
|
70 |
ACE_READ_NAMED_ATTRS|ACE_WRITE_DATA|ACE_WRITE_ATTRIBUTES| \ |
|
71 |
ACE_WRITE_NAMED_ATTRS|ACE_APPEND_DATA|ACE_EXECUTE|ACE_WRITE_OWNER| \ |
|
72 |
ACE_WRITE_ACL|ACE_DELETE|ACE_DELETE_CHILD|ACE_SYNCHRONIZE) |
|
73 |
||
8952
c2f95230b0ff
6809529 dirtying snapshot! rears its head again
Mark Shellenbaum <Mark.Shellenbaum@Sun.COM>
parents:
8227
diff
changeset
|
74 |
#define WRITE_MASK_DATA (ACE_WRITE_DATA|ACE_APPEND_DATA|ACE_WRITE_NAMED_ATTRS) |
c2f95230b0ff
6809529 dirtying snapshot! rears its head again
Mark Shellenbaum <Mark.Shellenbaum@Sun.COM>
parents:
8227
diff
changeset
|
75 |
#define WRITE_MASK_ATTRS (ACE_WRITE_ACL|ACE_WRITE_OWNER|ACE_WRITE_ATTRIBUTES| \ |
c2f95230b0ff
6809529 dirtying snapshot! rears its head again
Mark Shellenbaum <Mark.Shellenbaum@Sun.COM>
parents:
8227
diff
changeset
|
76 |
ACE_DELETE|ACE_DELETE_CHILD) |
c2f95230b0ff
6809529 dirtying snapshot! rears its head again
Mark Shellenbaum <Mark.Shellenbaum@Sun.COM>
parents:
8227
diff
changeset
|
77 |
#define WRITE_MASK (WRITE_MASK_DATA|WRITE_MASK_ATTRS) |
789 | 78 |
|
79 |
#define OGE_CLEAR (ACE_READ_DATA|ACE_LIST_DIRECTORY|ACE_WRITE_DATA| \ |
|
80 |
ACE_ADD_FILE|ACE_APPEND_DATA|ACE_ADD_SUBDIRECTORY|ACE_EXECUTE) |
|
81 |
||
82 |
#define OKAY_MASK_BITS (ACE_READ_DATA|ACE_LIST_DIRECTORY|ACE_WRITE_DATA| \ |
|
83 |
ACE_ADD_FILE|ACE_APPEND_DATA|ACE_ADD_SUBDIRECTORY|ACE_EXECUTE) |
|
84 |
||
85 |
#define ALL_INHERIT (ACE_FILE_INHERIT_ACE|ACE_DIRECTORY_INHERIT_ACE | \ |
|
5331 | 86 |
ACE_NO_PROPAGATE_INHERIT_ACE|ACE_INHERIT_ONLY_ACE|ACE_INHERITED_ACE) |
789 | 87 |
|
6385
5437941ec5a1
PSARC/2008/231 New ZFS "passthrough" ACL inheritance rules
marks
parents:
6257
diff
changeset
|
88 |
#define RESTRICTED_CLEAR (ACE_WRITE_ACL|ACE_WRITE_OWNER) |
789 | 89 |
|
5331 | 90 |
#define V4_ACL_WIDE_FLAGS (ZFS_ACL_AUTO_INHERIT|ZFS_ACL_DEFAULTED|\ |
91 |
ZFS_ACL_PROTECTED) |
|
92 |
||
93 |
#define ZFS_ACL_WIDE_FLAGS (V4_ACL_WIDE_FLAGS|ZFS_ACL_TRIVIAL|ZFS_INHERIT_ACE|\ |
|
94 |
ZFS_ACL_OBJ_ACE) |
|
95 |
||
96 |
static uint16_t |
|
97 |
zfs_ace_v0_get_type(void *acep) |
|
98 |
{ |
|
99 |
return (((zfs_oldace_t *)acep)->z_type); |
|
100 |
} |
|
101 |
||
102 |
static uint16_t |
|
103 |
zfs_ace_v0_get_flags(void *acep) |
|
104 |
{ |
|
105 |
return (((zfs_oldace_t *)acep)->z_flags); |
|
106 |
} |
|
107 |
||
108 |
static uint32_t |
|
109 |
zfs_ace_v0_get_mask(void *acep) |
|
110 |
{ |
|
111 |
return (((zfs_oldace_t *)acep)->z_access_mask); |
|
112 |
} |
|
113 |
||
114 |
static uint64_t |
|
115 |
zfs_ace_v0_get_who(void *acep) |
|
116 |
{ |
|
117 |
return (((zfs_oldace_t *)acep)->z_fuid); |
|
118 |
} |
|
119 |
||
120 |
static void |
|
121 |
zfs_ace_v0_set_type(void *acep, uint16_t type) |
|
122 |
{ |
|
123 |
((zfs_oldace_t *)acep)->z_type = type; |
|
124 |
} |
|
125 |
||
126 |
static void |
|
127 |
zfs_ace_v0_set_flags(void *acep, uint16_t flags) |
|
128 |
{ |
|
129 |
((zfs_oldace_t *)acep)->z_flags = flags; |
|
130 |
} |
|
131 |
||
132 |
static void |
|
133 |
zfs_ace_v0_set_mask(void *acep, uint32_t mask) |
|
134 |
{ |
|
135 |
((zfs_oldace_t *)acep)->z_access_mask = mask; |
|
136 |
} |
|
137 |
||
138 |
static void |
|
139 |
zfs_ace_v0_set_who(void *acep, uint64_t who) |
|
140 |
{ |
|
141 |
((zfs_oldace_t *)acep)->z_fuid = who; |
|
142 |
} |
|
143 |
||
144 |
/*ARGSUSED*/ |
|
145 |
static size_t |
|
146 |
zfs_ace_v0_size(void *acep) |
|
147 |
{ |
|
148 |
return (sizeof (zfs_oldace_t)); |
|
149 |
} |
|
150 |
||
151 |
static size_t |
|
152 |
zfs_ace_v0_abstract_size(void) |
|
153 |
{ |
|
154 |
return (sizeof (zfs_oldace_t)); |
|
155 |
} |
|
156 |
||
157 |
static int |
|
158 |
zfs_ace_v0_mask_off(void) |
|
159 |
{ |
|
160 |
return (offsetof(zfs_oldace_t, z_access_mask)); |
|
161 |
} |
|
162 |
||
163 |
/*ARGSUSED*/ |
|
164 |
static int |
|
165 |
zfs_ace_v0_data(void *acep, void **datap) |
|
166 |
{ |
|
167 |
*datap = NULL; |
|
168 |
return (0); |
|
169 |
} |
|
170 |
||
171 |
static acl_ops_t zfs_acl_v0_ops = { |
|
172 |
zfs_ace_v0_get_mask, |
|
173 |
zfs_ace_v0_set_mask, |
|
174 |
zfs_ace_v0_get_flags, |
|
175 |
zfs_ace_v0_set_flags, |
|
176 |
zfs_ace_v0_get_type, |
|
177 |
zfs_ace_v0_set_type, |
|
178 |
zfs_ace_v0_get_who, |
|
179 |
zfs_ace_v0_set_who, |
|
180 |
zfs_ace_v0_size, |
|
181 |
zfs_ace_v0_abstract_size, |
|
182 |
zfs_ace_v0_mask_off, |
|
183 |
zfs_ace_v0_data |
|
184 |
}; |
|
185 |
||
186 |
static uint16_t |
|
187 |
zfs_ace_fuid_get_type(void *acep) |
|
188 |
{ |
|
189 |
return (((zfs_ace_hdr_t *)acep)->z_type); |
|
190 |
} |
|
191 |
||
192 |
static uint16_t |
|
193 |
zfs_ace_fuid_get_flags(void *acep) |
|
194 |
{ |
|
195 |
return (((zfs_ace_hdr_t *)acep)->z_flags); |
|
196 |
} |
|
197 |
||
198 |
static uint32_t |
|
199 |
zfs_ace_fuid_get_mask(void *acep) |
|
200 |
{ |
|
201 |
return (((zfs_ace_hdr_t *)acep)->z_access_mask); |
|
202 |
} |
|
203 |
||
204 |
static uint64_t |
|
205 |
zfs_ace_fuid_get_who(void *args) |
|
206 |
{ |
|
207 |
uint16_t entry_type; |
|
208 |
zfs_ace_t *acep = args; |
|
209 |
||
210 |
entry_type = acep->z_hdr.z_flags & ACE_TYPE_FLAGS; |
|
789 | 211 |
|
5331 | 212 |
if (entry_type == ACE_OWNER || entry_type == OWNING_GROUP || |
213 |
entry_type == ACE_EVERYONE) |
|
214 |
return (-1); |
|
215 |
return (((zfs_ace_t *)acep)->z_fuid); |
|
216 |
} |
|
217 |
||
218 |
static void |
|
219 |
zfs_ace_fuid_set_type(void *acep, uint16_t type) |
|
220 |
{ |
|
221 |
((zfs_ace_hdr_t *)acep)->z_type = type; |
|
222 |
} |
|
223 |
||
224 |
static void |
|
225 |
zfs_ace_fuid_set_flags(void *acep, uint16_t flags) |
|
226 |
{ |
|
227 |
((zfs_ace_hdr_t *)acep)->z_flags = flags; |
|
228 |
} |
|
229 |
||
230 |
static void |
|
231 |
zfs_ace_fuid_set_mask(void *acep, uint32_t mask) |
|
232 |
{ |
|
233 |
((zfs_ace_hdr_t *)acep)->z_access_mask = mask; |
|
234 |
} |
|
235 |
||
236 |
static void |
|
237 |
zfs_ace_fuid_set_who(void *arg, uint64_t who) |
|
238 |
{ |
|
239 |
zfs_ace_t *acep = arg; |
|
240 |
||
241 |
uint16_t entry_type = acep->z_hdr.z_flags & ACE_TYPE_FLAGS; |
|
242 |
||
243 |
if (entry_type == ACE_OWNER || entry_type == OWNING_GROUP || |
|
244 |
entry_type == ACE_EVERYONE) |
|
245 |
return; |
|
246 |
acep->z_fuid = who; |
|
247 |
} |
|
248 |
||
249 |
static size_t |
|
250 |
zfs_ace_fuid_size(void *acep) |
|
251 |
{ |
|
252 |
zfs_ace_hdr_t *zacep = acep; |
|
253 |
uint16_t entry_type; |
|
254 |
||
255 |
switch (zacep->z_type) { |
|
256 |
case ACE_ACCESS_ALLOWED_OBJECT_ACE_TYPE: |
|
257 |
case ACE_ACCESS_DENIED_OBJECT_ACE_TYPE: |
|
258 |
case ACE_SYSTEM_AUDIT_OBJECT_ACE_TYPE: |
|
259 |
case ACE_SYSTEM_ALARM_OBJECT_ACE_TYPE: |
|
260 |
return (sizeof (zfs_object_ace_t)); |
|
261 |
case ALLOW: |
|
262 |
case DENY: |
|
263 |
entry_type = |
|
264 |
(((zfs_ace_hdr_t *)acep)->z_flags & ACE_TYPE_FLAGS); |
|
265 |
if (entry_type == ACE_OWNER || |
|
7328
6bdcaa4505ac
6736457 dmu_tx_dirty_buf+297 panic while Win2003 is copying i386 folder from win2003 CD-ROM to Nevada
Mark Shellenbaum <Mark.Shellenbaum@Sun.COM>
parents:
7294
diff
changeset
|
266 |
entry_type == OWNING_GROUP || |
5331 | 267 |
entry_type == ACE_EVERYONE) |
268 |
return (sizeof (zfs_ace_hdr_t)); |
|
269 |
/*FALLTHROUGH*/ |
|
270 |
default: |
|
271 |
return (sizeof (zfs_ace_t)); |
|
272 |
} |
|
273 |
} |
|
274 |
||
275 |
static size_t |
|
276 |
zfs_ace_fuid_abstract_size(void) |
|
277 |
{ |
|
278 |
return (sizeof (zfs_ace_hdr_t)); |
|
279 |
} |
|
280 |
||
281 |
static int |
|
282 |
zfs_ace_fuid_mask_off(void) |
|
283 |
{ |
|
284 |
return (offsetof(zfs_ace_hdr_t, z_access_mask)); |
|
285 |
} |
|
286 |
||
287 |
static int |
|
288 |
zfs_ace_fuid_data(void *acep, void **datap) |
|
289 |
{ |
|
290 |
zfs_ace_t *zacep = acep; |
|
291 |
zfs_object_ace_t *zobjp; |
|
292 |
||
293 |
switch (zacep->z_hdr.z_type) { |
|
294 |
case ACE_ACCESS_ALLOWED_OBJECT_ACE_TYPE: |
|
295 |
case ACE_ACCESS_DENIED_OBJECT_ACE_TYPE: |
|
296 |
case ACE_SYSTEM_AUDIT_OBJECT_ACE_TYPE: |
|
297 |
case ACE_SYSTEM_ALARM_OBJECT_ACE_TYPE: |
|
298 |
zobjp = acep; |
|
299 |
*datap = (caddr_t)zobjp + sizeof (zfs_ace_t); |
|
300 |
return (sizeof (zfs_object_ace_t) - sizeof (zfs_ace_t)); |
|
301 |
default: |
|
302 |
*datap = NULL; |
|
303 |
return (0); |
|
304 |
} |
|
305 |
} |
|
306 |
||
307 |
static acl_ops_t zfs_acl_fuid_ops = { |
|
308 |
zfs_ace_fuid_get_mask, |
|
309 |
zfs_ace_fuid_set_mask, |
|
310 |
zfs_ace_fuid_get_flags, |
|
311 |
zfs_ace_fuid_set_flags, |
|
312 |
zfs_ace_fuid_get_type, |
|
313 |
zfs_ace_fuid_set_type, |
|
314 |
zfs_ace_fuid_get_who, |
|
315 |
zfs_ace_fuid_set_who, |
|
316 |
zfs_ace_fuid_size, |
|
317 |
zfs_ace_fuid_abstract_size, |
|
318 |
zfs_ace_fuid_mask_off, |
|
319 |
zfs_ace_fuid_data |
|
320 |
}; |
|
321 |
||
322 |
static int |
|
323 |
zfs_acl_version(int version) |
|
324 |
{ |
|
325 |
if (version < ZPL_VERSION_FUID) |
|
326 |
return (ZFS_ACL_VERSION_INITIAL); |
|
327 |
else |
|
328 |
return (ZFS_ACL_VERSION_FUID); |
|
329 |
} |
|
330 |
||
331 |
static int |
|
332 |
zfs_acl_version_zp(znode_t *zp) |
|
333 |
{ |
|
334 |
return (zfs_acl_version(zp->z_zfsvfs->z_version)); |
|
335 |
} |
|
789 | 336 |
|
337 |
static zfs_acl_t * |
|
5331 | 338 |
zfs_acl_alloc(int vers) |
789 | 339 |
{ |
340 |
zfs_acl_t *aclp; |
|
341 |
||
342 |
aclp = kmem_zalloc(sizeof (zfs_acl_t), KM_SLEEP); |
|
5331 | 343 |
list_create(&aclp->z_acl, sizeof (zfs_acl_node_t), |
344 |
offsetof(zfs_acl_node_t, z_next)); |
|
345 |
aclp->z_version = vers; |
|
346 |
if (vers == ZFS_ACL_VERSION_FUID) |
|
347 |
aclp->z_ops = zfs_acl_fuid_ops; |
|
348 |
else |
|
349 |
aclp->z_ops = zfs_acl_v0_ops; |
|
350 |
return (aclp); |
|
351 |
} |
|
352 |
||
353 |
static zfs_acl_node_t * |
|
354 |
zfs_acl_node_alloc(size_t bytes) |
|
355 |
{ |
|
356 |
zfs_acl_node_t *aclnode; |
|
357 |
||
358 |
aclnode = kmem_zalloc(sizeof (zfs_acl_node_t), KM_SLEEP); |
|
359 |
if (bytes) { |
|
360 |
aclnode->z_acldata = kmem_alloc(bytes, KM_SLEEP); |
|
361 |
aclnode->z_allocdata = aclnode->z_acldata; |
|
362 |
aclnode->z_allocsize = bytes; |
|
363 |
aclnode->z_size = bytes; |
|
789 | 364 |
} |
5331 | 365 |
|
366 |
return (aclnode); |
|
367 |
} |
|
368 |
||
369 |
static void |
|
370 |
zfs_acl_node_free(zfs_acl_node_t *aclnode) |
|
371 |
{ |
|
372 |
if (aclnode->z_allocsize) |
|
373 |
kmem_free(aclnode->z_allocdata, aclnode->z_allocsize); |
|
374 |
kmem_free(aclnode, sizeof (zfs_acl_node_t)); |
|
789 | 375 |
} |
376 |
||
5489
25bfaf065197
6601830 mismatch between zfs_mount() behavior and comment
marks
parents:
5435
diff
changeset
|
377 |
static void |
25bfaf065197
6601830 mismatch between zfs_mount() behavior and comment
marks
parents:
5435
diff
changeset
|
378 |
zfs_acl_release_nodes(zfs_acl_t *aclp) |
789 | 379 |
{ |
5331 | 380 |
zfs_acl_node_t *aclnode; |
381 |
||
382 |
while (aclnode = list_head(&aclp->z_acl)) { |
|
383 |
list_remove(&aclp->z_acl, aclnode); |
|
384 |
zfs_acl_node_free(aclnode); |
|
789 | 385 |
} |
5489
25bfaf065197
6601830 mismatch between zfs_mount() behavior and comment
marks
parents:
5435
diff
changeset
|
386 |
aclp->z_acl_count = 0; |
25bfaf065197
6601830 mismatch between zfs_mount() behavior and comment
marks
parents:
5435
diff
changeset
|
387 |
aclp->z_acl_bytes = 0; |
25bfaf065197
6601830 mismatch between zfs_mount() behavior and comment
marks
parents:
5435
diff
changeset
|
388 |
} |
5331 | 389 |
|
5489
25bfaf065197
6601830 mismatch between zfs_mount() behavior and comment
marks
parents:
5435
diff
changeset
|
390 |
void |
25bfaf065197
6601830 mismatch between zfs_mount() behavior and comment
marks
parents:
5435
diff
changeset
|
391 |
zfs_acl_free(zfs_acl_t *aclp) |
25bfaf065197
6601830 mismatch between zfs_mount() behavior and comment
marks
parents:
5435
diff
changeset
|
392 |
{ |
25bfaf065197
6601830 mismatch between zfs_mount() behavior and comment
marks
parents:
5435
diff
changeset
|
393 |
zfs_acl_release_nodes(aclp); |
5331 | 394 |
list_destroy(&aclp->z_acl); |
789 | 395 |
kmem_free(aclp, sizeof (zfs_acl_t)); |
396 |
} |
|
397 |
||
5331 | 398 |
static boolean_t |
7559
a2e9a3201169
6746456 ZFS doesn't inherit old ACLs correctly on upgraded file system
Mark Shellenbaum <Mark.Shellenbaum@Sun.COM>
parents:
7328
diff
changeset
|
399 |
zfs_acl_valid_ace_type(uint_t type, uint_t flags) |
a2e9a3201169
6746456 ZFS doesn't inherit old ACLs correctly on upgraded file system
Mark Shellenbaum <Mark.Shellenbaum@Sun.COM>
parents:
7328
diff
changeset
|
400 |
{ |
a2e9a3201169
6746456 ZFS doesn't inherit old ACLs correctly on upgraded file system
Mark Shellenbaum <Mark.Shellenbaum@Sun.COM>
parents:
7328
diff
changeset
|
401 |
uint16_t entry_type; |
a2e9a3201169
6746456 ZFS doesn't inherit old ACLs correctly on upgraded file system
Mark Shellenbaum <Mark.Shellenbaum@Sun.COM>
parents:
7328
diff
changeset
|
402 |
|
a2e9a3201169
6746456 ZFS doesn't inherit old ACLs correctly on upgraded file system
Mark Shellenbaum <Mark.Shellenbaum@Sun.COM>
parents:
7328
diff
changeset
|
403 |
switch (type) { |
a2e9a3201169
6746456 ZFS doesn't inherit old ACLs correctly on upgraded file system
Mark Shellenbaum <Mark.Shellenbaum@Sun.COM>
parents:
7328
diff
changeset
|
404 |
case ALLOW: |
a2e9a3201169
6746456 ZFS doesn't inherit old ACLs correctly on upgraded file system
Mark Shellenbaum <Mark.Shellenbaum@Sun.COM>
parents:
7328
diff
changeset
|
405 |
case DENY: |
a2e9a3201169
6746456 ZFS doesn't inherit old ACLs correctly on upgraded file system
Mark Shellenbaum <Mark.Shellenbaum@Sun.COM>
parents:
7328
diff
changeset
|
406 |
case ACE_SYSTEM_AUDIT_ACE_TYPE: |
a2e9a3201169
6746456 ZFS doesn't inherit old ACLs correctly on upgraded file system
Mark Shellenbaum <Mark.Shellenbaum@Sun.COM>
parents:
7328
diff
changeset
|
407 |
case ACE_SYSTEM_ALARM_ACE_TYPE: |
a2e9a3201169
6746456 ZFS doesn't inherit old ACLs correctly on upgraded file system
Mark Shellenbaum <Mark.Shellenbaum@Sun.COM>
parents:
7328
diff
changeset
|
408 |
entry_type = flags & ACE_TYPE_FLAGS; |
a2e9a3201169
6746456 ZFS doesn't inherit old ACLs correctly on upgraded file system
Mark Shellenbaum <Mark.Shellenbaum@Sun.COM>
parents:
7328
diff
changeset
|
409 |
return (entry_type == ACE_OWNER || |
a2e9a3201169
6746456 ZFS doesn't inherit old ACLs correctly on upgraded file system
Mark Shellenbaum <Mark.Shellenbaum@Sun.COM>
parents:
7328
diff
changeset
|
410 |
entry_type == OWNING_GROUP || |
a2e9a3201169
6746456 ZFS doesn't inherit old ACLs correctly on upgraded file system
Mark Shellenbaum <Mark.Shellenbaum@Sun.COM>
parents:
7328
diff
changeset
|
411 |
entry_type == ACE_EVERYONE || entry_type == 0 || |
a2e9a3201169
6746456 ZFS doesn't inherit old ACLs correctly on upgraded file system
Mark Shellenbaum <Mark.Shellenbaum@Sun.COM>
parents:
7328
diff
changeset
|
412 |
entry_type == ACE_IDENTIFIER_GROUP); |
a2e9a3201169
6746456 ZFS doesn't inherit old ACLs correctly on upgraded file system
Mark Shellenbaum <Mark.Shellenbaum@Sun.COM>
parents:
7328
diff
changeset
|
413 |
default: |
a2e9a3201169
6746456 ZFS doesn't inherit old ACLs correctly on upgraded file system
Mark Shellenbaum <Mark.Shellenbaum@Sun.COM>
parents:
7328
diff
changeset
|
414 |
if (type >= MIN_ACE_TYPE && type <= MAX_ACE_TYPE) |
a2e9a3201169
6746456 ZFS doesn't inherit old ACLs correctly on upgraded file system
Mark Shellenbaum <Mark.Shellenbaum@Sun.COM>
parents:
7328
diff
changeset
|
415 |
return (B_TRUE); |
a2e9a3201169
6746456 ZFS doesn't inherit old ACLs correctly on upgraded file system
Mark Shellenbaum <Mark.Shellenbaum@Sun.COM>
parents:
7328
diff
changeset
|
416 |
} |
a2e9a3201169
6746456 ZFS doesn't inherit old ACLs correctly on upgraded file system
Mark Shellenbaum <Mark.Shellenbaum@Sun.COM>
parents:
7328
diff
changeset
|
417 |
return (B_FALSE); |
a2e9a3201169
6746456 ZFS doesn't inherit old ACLs correctly on upgraded file system
Mark Shellenbaum <Mark.Shellenbaum@Sun.COM>
parents:
7328
diff
changeset
|
418 |
} |
a2e9a3201169
6746456 ZFS doesn't inherit old ACLs correctly on upgraded file system
Mark Shellenbaum <Mark.Shellenbaum@Sun.COM>
parents:
7328
diff
changeset
|
419 |
|
a2e9a3201169
6746456 ZFS doesn't inherit old ACLs correctly on upgraded file system
Mark Shellenbaum <Mark.Shellenbaum@Sun.COM>
parents:
7328
diff
changeset
|
420 |
static boolean_t |
5331 | 421 |
zfs_ace_valid(vtype_t obj_type, zfs_acl_t *aclp, uint16_t type, uint16_t iflags) |
789 | 422 |
{ |
5331 | 423 |
/* |
424 |
* first check type of entry |
|
425 |
*/ |
|
426 |
||
7559
a2e9a3201169
6746456 ZFS doesn't inherit old ACLs correctly on upgraded file system
Mark Shellenbaum <Mark.Shellenbaum@Sun.COM>
parents:
7328
diff
changeset
|
427 |
if (!zfs_acl_valid_ace_type(type, iflags)) |
5331 | 428 |
return (B_FALSE); |
429 |
||
430 |
switch (type) { |
|
431 |
case ACE_ACCESS_ALLOWED_OBJECT_ACE_TYPE: |
|
432 |
case ACE_ACCESS_DENIED_OBJECT_ACE_TYPE: |
|
433 |
case ACE_SYSTEM_AUDIT_OBJECT_ACE_TYPE: |
|
434 |
case ACE_SYSTEM_ALARM_OBJECT_ACE_TYPE: |
|
435 |
if (aclp->z_version < ZFS_ACL_VERSION_FUID) |
|
436 |
return (B_FALSE); |
|
437 |
aclp->z_hints |= ZFS_ACL_OBJ_ACE; |
|
438 |
} |
|
789 | 439 |
|
7559
a2e9a3201169
6746456 ZFS doesn't inherit old ACLs correctly on upgraded file system
Mark Shellenbaum <Mark.Shellenbaum@Sun.COM>
parents:
7328
diff
changeset
|
440 |
/* |
a2e9a3201169
6746456 ZFS doesn't inherit old ACLs correctly on upgraded file system
Mark Shellenbaum <Mark.Shellenbaum@Sun.COM>
parents:
7328
diff
changeset
|
441 |
* next check inheritance level flags |
a2e9a3201169
6746456 ZFS doesn't inherit old ACLs correctly on upgraded file system
Mark Shellenbaum <Mark.Shellenbaum@Sun.COM>
parents:
7328
diff
changeset
|
442 |
*/ |
a2e9a3201169
6746456 ZFS doesn't inherit old ACLs correctly on upgraded file system
Mark Shellenbaum <Mark.Shellenbaum@Sun.COM>
parents:
7328
diff
changeset
|
443 |
|
7057 | 444 |
if (obj_type == VDIR && |
445 |
(iflags & (ACE_FILE_INHERIT_ACE|ACE_DIRECTORY_INHERIT_ACE))) |
|
5331 | 446 |
aclp->z_hints |= ZFS_INHERIT_ACE; |
447 |
||
448 |
if (iflags & (ACE_INHERIT_ONLY_ACE|ACE_NO_PROPAGATE_INHERIT_ACE)) { |
|
449 |
if ((iflags & (ACE_FILE_INHERIT_ACE| |
|
450 |
ACE_DIRECTORY_INHERIT_ACE)) == 0) { |
|
451 |
return (B_FALSE); |
|
452 |
} |
|
453 |
} |
|
454 |
||
455 |
return (B_TRUE); |
|
456 |
} |
|
457 |
||
458 |
static void * |
|
459 |
zfs_acl_next_ace(zfs_acl_t *aclp, void *start, uint64_t *who, |
|
460 |
uint32_t *access_mask, uint16_t *iflags, uint16_t *type) |
|
461 |
{ |
|
462 |
zfs_acl_node_t *aclnode; |
|
463 |
||
464 |
if (start == NULL) { |
|
465 |
aclnode = list_head(&aclp->z_acl); |
|
466 |
if (aclnode == NULL) |
|
467 |
return (NULL); |
|
468 |
||
469 |
aclp->z_next_ace = aclnode->z_acldata; |
|
470 |
aclp->z_curr_node = aclnode; |
|
471 |
aclnode->z_ace_idx = 0; |
|
472 |
} |
|
473 |
||
474 |
aclnode = aclp->z_curr_node; |
|
475 |
||
476 |
if (aclnode == NULL) |
|
477 |
return (NULL); |
|
478 |
||
479 |
if (aclnode->z_ace_idx >= aclnode->z_ace_count) { |
|
480 |
aclnode = list_next(&aclp->z_acl, aclnode); |
|
481 |
if (aclnode == NULL) |
|
482 |
return (NULL); |
|
483 |
else { |
|
484 |
aclp->z_curr_node = aclnode; |
|
485 |
aclnode->z_ace_idx = 0; |
|
486 |
aclp->z_next_ace = aclnode->z_acldata; |
|
487 |
} |
|
488 |
} |
|
489 |
||
490 |
if (aclnode->z_ace_idx < aclnode->z_ace_count) { |
|
491 |
void *acep = aclp->z_next_ace; |
|
7559
a2e9a3201169
6746456 ZFS doesn't inherit old ACLs correctly on upgraded file system
Mark Shellenbaum <Mark.Shellenbaum@Sun.COM>
parents:
7328
diff
changeset
|
492 |
size_t ace_size; |
a2e9a3201169
6746456 ZFS doesn't inherit old ACLs correctly on upgraded file system
Mark Shellenbaum <Mark.Shellenbaum@Sun.COM>
parents:
7328
diff
changeset
|
493 |
|
a2e9a3201169
6746456 ZFS doesn't inherit old ACLs correctly on upgraded file system
Mark Shellenbaum <Mark.Shellenbaum@Sun.COM>
parents:
7328
diff
changeset
|
494 |
/* |
a2e9a3201169
6746456 ZFS doesn't inherit old ACLs correctly on upgraded file system
Mark Shellenbaum <Mark.Shellenbaum@Sun.COM>
parents:
7328
diff
changeset
|
495 |
* Make sure we don't overstep our bounds |
a2e9a3201169
6746456 ZFS doesn't inherit old ACLs correctly on upgraded file system
Mark Shellenbaum <Mark.Shellenbaum@Sun.COM>
parents:
7328
diff
changeset
|
496 |
*/ |
a2e9a3201169
6746456 ZFS doesn't inherit old ACLs correctly on upgraded file system
Mark Shellenbaum <Mark.Shellenbaum@Sun.COM>
parents:
7328
diff
changeset
|
497 |
ace_size = aclp->z_ops.ace_size(acep); |
a2e9a3201169
6746456 ZFS doesn't inherit old ACLs correctly on upgraded file system
Mark Shellenbaum <Mark.Shellenbaum@Sun.COM>
parents:
7328
diff
changeset
|
498 |
|
a2e9a3201169
6746456 ZFS doesn't inherit old ACLs correctly on upgraded file system
Mark Shellenbaum <Mark.Shellenbaum@Sun.COM>
parents:
7328
diff
changeset
|
499 |
if (((caddr_t)acep + ace_size) > |
a2e9a3201169
6746456 ZFS doesn't inherit old ACLs correctly on upgraded file system
Mark Shellenbaum <Mark.Shellenbaum@Sun.COM>
parents:
7328
diff
changeset
|
500 |
((caddr_t)aclnode->z_acldata + aclnode->z_size)) { |
a2e9a3201169
6746456 ZFS doesn't inherit old ACLs correctly on upgraded file system
Mark Shellenbaum <Mark.Shellenbaum@Sun.COM>
parents:
7328
diff
changeset
|
501 |
return (NULL); |
a2e9a3201169
6746456 ZFS doesn't inherit old ACLs correctly on upgraded file system
Mark Shellenbaum <Mark.Shellenbaum@Sun.COM>
parents:
7328
diff
changeset
|
502 |
} |
a2e9a3201169
6746456 ZFS doesn't inherit old ACLs correctly on upgraded file system
Mark Shellenbaum <Mark.Shellenbaum@Sun.COM>
parents:
7328
diff
changeset
|
503 |
|
5331 | 504 |
*iflags = aclp->z_ops.ace_flags_get(acep); |
505 |
*type = aclp->z_ops.ace_type_get(acep); |
|
506 |
*access_mask = aclp->z_ops.ace_mask_get(acep); |
|
507 |
*who = aclp->z_ops.ace_who_get(acep); |
|
7559
a2e9a3201169
6746456 ZFS doesn't inherit old ACLs correctly on upgraded file system
Mark Shellenbaum <Mark.Shellenbaum@Sun.COM>
parents:
7328
diff
changeset
|
508 |
aclp->z_next_ace = (caddr_t)aclp->z_next_ace + ace_size; |
5331 | 509 |
aclnode->z_ace_idx++; |
510 |
return ((void *)acep); |
|
511 |
} |
|
512 |
return (NULL); |
|
513 |
} |
|
514 |
||
515 |
/*ARGSUSED*/ |
|
516 |
static uint64_t |
|
517 |
zfs_ace_walk(void *datap, uint64_t cookie, int aclcnt, |
|
518 |
uint16_t *flags, uint16_t *type, uint32_t *mask) |
|
519 |
{ |
|
520 |
zfs_acl_t *aclp = datap; |
|
521 |
zfs_ace_hdr_t *acep = (zfs_ace_hdr_t *)(uintptr_t)cookie; |
|
522 |
uint64_t who; |
|
523 |
||
524 |
acep = zfs_acl_next_ace(aclp, acep, &who, mask, |
|
525 |
flags, type); |
|
526 |
return ((uint64_t)(uintptr_t)acep); |
|
527 |
} |
|
528 |
||
529 |
static zfs_acl_node_t * |
|
530 |
zfs_acl_curr_node(zfs_acl_t *aclp) |
|
531 |
{ |
|
532 |
ASSERT(aclp->z_curr_node); |
|
533 |
return (aclp->z_curr_node); |
|
534 |
} |
|
535 |
||
536 |
/* |
|
537 |
* Copy ACE to internal ZFS format. |
|
538 |
* While processing the ACL each ACE will be validated for correctness. |
|
539 |
* ACE FUIDs will be created later. |
|
540 |
*/ |
|
541 |
int |
|
9179
d8fbd96b79b3
6790064 zfs needs to determine uid and gid earlier in create process
Mark Shellenbaum <Mark.Shellenbaum@Sun.COM>
parents:
8952
diff
changeset
|
542 |
zfs_copy_ace_2_fuid(zfsvfs_t *zfsvfs, vtype_t obj_type, zfs_acl_t *aclp, |
d8fbd96b79b3
6790064 zfs needs to determine uid and gid earlier in create process
Mark Shellenbaum <Mark.Shellenbaum@Sun.COM>
parents:
8952
diff
changeset
|
543 |
void *datap, zfs_ace_t *z_acl, int aclcnt, size_t *size, |
d8fbd96b79b3
6790064 zfs needs to determine uid and gid earlier in create process
Mark Shellenbaum <Mark.Shellenbaum@Sun.COM>
parents:
8952
diff
changeset
|
544 |
zfs_fuid_info_t **fuidp, cred_t *cr) |
5331 | 545 |
{ |
546 |
int i; |
|
547 |
uint16_t entry_type; |
|
548 |
zfs_ace_t *aceptr = z_acl; |
|
549 |
ace_t *acep = datap; |
|
550 |
zfs_object_ace_t *zobjacep; |
|
551 |
ace_object_t *aceobjp; |
|
552 |
||
553 |
for (i = 0; i != aclcnt; i++) { |
|
554 |
aceptr->z_hdr.z_access_mask = acep->a_access_mask; |
|
555 |
aceptr->z_hdr.z_flags = acep->a_flags; |
|
556 |
aceptr->z_hdr.z_type = acep->a_type; |
|
557 |
entry_type = aceptr->z_hdr.z_flags & ACE_TYPE_FLAGS; |
|
558 |
if (entry_type != ACE_OWNER && entry_type != OWNING_GROUP && |
|
5824 | 559 |
entry_type != ACE_EVERYONE) { |
9179
d8fbd96b79b3
6790064 zfs needs to determine uid and gid earlier in create process
Mark Shellenbaum <Mark.Shellenbaum@Sun.COM>
parents:
8952
diff
changeset
|
560 |
aceptr->z_fuid = zfs_fuid_create(zfsvfs, acep->a_who, |
d8fbd96b79b3
6790064 zfs needs to determine uid and gid earlier in create process
Mark Shellenbaum <Mark.Shellenbaum@Sun.COM>
parents:
8952
diff
changeset
|
561 |
cr, (entry_type == 0) ? |
d8fbd96b79b3
6790064 zfs needs to determine uid and gid earlier in create process
Mark Shellenbaum <Mark.Shellenbaum@Sun.COM>
parents:
8952
diff
changeset
|
562 |
ZFS_ACE_USER : ZFS_ACE_GROUP, fuidp); |
5824 | 563 |
} |
564 |
||
5331 | 565 |
/* |
566 |
* Make sure ACE is valid |
|
567 |
*/ |
|
568 |
if (zfs_ace_valid(obj_type, aclp, aceptr->z_hdr.z_type, |
|
569 |
aceptr->z_hdr.z_flags) != B_TRUE) |
|
570 |
return (EINVAL); |
|
571 |
||
572 |
switch (acep->a_type) { |
|
573 |
case ACE_ACCESS_ALLOWED_OBJECT_ACE_TYPE: |
|
574 |
case ACE_ACCESS_DENIED_OBJECT_ACE_TYPE: |
|
575 |
case ACE_SYSTEM_AUDIT_OBJECT_ACE_TYPE: |
|
576 |
case ACE_SYSTEM_ALARM_OBJECT_ACE_TYPE: |
|
577 |
zobjacep = (zfs_object_ace_t *)aceptr; |
|
578 |
aceobjp = (ace_object_t *)acep; |
|
579 |
||
580 |
bcopy(aceobjp->a_obj_type, zobjacep->z_object_type, |
|
581 |
sizeof (aceobjp->a_obj_type)); |
|
582 |
bcopy(aceobjp->a_inherit_obj_type, |
|
583 |
zobjacep->z_inherit_type, |
|
584 |
sizeof (aceobjp->a_inherit_obj_type)); |
|
585 |
acep = (ace_t *)((caddr_t)acep + sizeof (ace_object_t)); |
|
586 |
break; |
|
587 |
default: |
|
588 |
acep = (ace_t *)((caddr_t)acep + sizeof (ace_t)); |
|
589 |
} |
|
590 |
||
591 |
aceptr = (zfs_ace_t *)((caddr_t)aceptr + |
|
592 |
aclp->z_ops.ace_size(aceptr)); |
|
593 |
} |
|
594 |
||
595 |
*size = (caddr_t)aceptr - (caddr_t)z_acl; |
|
789 | 596 |
|
5331 | 597 |
return (0); |
598 |
} |
|
599 |
||
600 |
/* |
|
601 |
* Copy ZFS ACEs to fixed size ace_t layout |
|
602 |
*/ |
|
603 |
static void |
|
5771 | 604 |
zfs_copy_fuid_2_ace(zfsvfs_t *zfsvfs, zfs_acl_t *aclp, cred_t *cr, |
605 |
void *datap, int filter) |
|
5331 | 606 |
{ |
607 |
uint64_t who; |
|
608 |
uint32_t access_mask; |
|
609 |
uint16_t iflags, type; |
|
610 |
zfs_ace_hdr_t *zacep = NULL; |
|
611 |
ace_t *acep = datap; |
|
612 |
ace_object_t *objacep; |
|
613 |
zfs_object_ace_t *zobjacep; |
|
614 |
size_t ace_size; |
|
615 |
uint16_t entry_type; |
|
616 |
||
617 |
while (zacep = zfs_acl_next_ace(aclp, zacep, |
|
618 |
&who, &access_mask, &iflags, &type)) { |
|
619 |
||
620 |
switch (type) { |
|
621 |
case ACE_ACCESS_ALLOWED_OBJECT_ACE_TYPE: |
|
622 |
case ACE_ACCESS_DENIED_OBJECT_ACE_TYPE: |
|
623 |
case ACE_SYSTEM_AUDIT_OBJECT_ACE_TYPE: |
|
624 |
case ACE_SYSTEM_ALARM_OBJECT_ACE_TYPE: |
|
625 |
if (filter) { |
|
626 |
continue; |
|
627 |
} |
|
628 |
zobjacep = (zfs_object_ace_t *)zacep; |
|
629 |
objacep = (ace_object_t *)acep; |
|
630 |
bcopy(zobjacep->z_object_type, |
|
631 |
objacep->a_obj_type, |
|
632 |
sizeof (zobjacep->z_object_type)); |
|
633 |
bcopy(zobjacep->z_inherit_type, |
|
634 |
objacep->a_inherit_obj_type, |
|
635 |
sizeof (zobjacep->z_inherit_type)); |
|
636 |
ace_size = sizeof (ace_object_t); |
|
637 |
break; |
|
638 |
default: |
|
639 |
ace_size = sizeof (ace_t); |
|
640 |
break; |
|
641 |
} |
|
642 |
||
643 |
entry_type = (iflags & ACE_TYPE_FLAGS); |
|
644 |
if ((entry_type != ACE_OWNER && |
|
7328
6bdcaa4505ac
6736457 dmu_tx_dirty_buf+297 panic while Win2003 is copying i386 folder from win2003 CD-ROM to Nevada
Mark Shellenbaum <Mark.Shellenbaum@Sun.COM>
parents:
7294
diff
changeset
|
645 |
entry_type != OWNING_GROUP && |
5959
1e1904b8526d
6650192 zfs ACL/fuid code could use some minor cleanup
marks
parents:
5824
diff
changeset
|
646 |
entry_type != ACE_EVERYONE)) { |
1e1904b8526d
6650192 zfs ACL/fuid code could use some minor cleanup
marks
parents:
5824
diff
changeset
|
647 |
acep->a_who = zfs_fuid_map_id(zfsvfs, who, |
1e1904b8526d
6650192 zfs ACL/fuid code could use some minor cleanup
marks
parents:
5824
diff
changeset
|
648 |
cr, (entry_type & ACE_IDENTIFIER_GROUP) ? |
1e1904b8526d
6650192 zfs ACL/fuid code could use some minor cleanup
marks
parents:
5824
diff
changeset
|
649 |
ZFS_ACE_GROUP : ZFS_ACE_USER); |
1e1904b8526d
6650192 zfs ACL/fuid code could use some minor cleanup
marks
parents:
5824
diff
changeset
|
650 |
} else { |
5331 | 651 |
acep->a_who = (uid_t)(int64_t)who; |
5959
1e1904b8526d
6650192 zfs ACL/fuid code could use some minor cleanup
marks
parents:
5824
diff
changeset
|
652 |
} |
5331 | 653 |
acep->a_access_mask = access_mask; |
654 |
acep->a_flags = iflags; |
|
655 |
acep->a_type = type; |
|
656 |
acep = (ace_t *)((caddr_t)acep + ace_size); |
|
657 |
} |
|
658 |
} |
|
659 |
||
660 |
static int |
|
661 |
zfs_copy_ace_2_oldace(vtype_t obj_type, zfs_acl_t *aclp, ace_t *acep, |
|
662 |
zfs_oldace_t *z_acl, int aclcnt, size_t *size) |
|
663 |
{ |
|
664 |
int i; |
|
665 |
zfs_oldace_t *aceptr = z_acl; |
|
666 |
||
667 |
for (i = 0; i != aclcnt; i++, aceptr++) { |
|
668 |
aceptr->z_access_mask = acep[i].a_access_mask; |
|
669 |
aceptr->z_type = acep[i].a_type; |
|
670 |
aceptr->z_flags = acep[i].a_flags; |
|
671 |
aceptr->z_fuid = acep[i].a_who; |
|
672 |
/* |
|
673 |
* Make sure ACE is valid |
|
674 |
*/ |
|
675 |
if (zfs_ace_valid(obj_type, aclp, aceptr->z_type, |
|
676 |
aceptr->z_flags) != B_TRUE) |
|
677 |
return (EINVAL); |
|
678 |
} |
|
679 |
*size = (caddr_t)aceptr - (caddr_t)z_acl; |
|
680 |
return (0); |
|
681 |
} |
|
682 |
||
683 |
/* |
|
684 |
* convert old ACL format to new |
|
685 |
*/ |
|
686 |
void |
|
9179
d8fbd96b79b3
6790064 zfs needs to determine uid and gid earlier in create process
Mark Shellenbaum <Mark.Shellenbaum@Sun.COM>
parents:
8952
diff
changeset
|
687 |
zfs_acl_xform(znode_t *zp, zfs_acl_t *aclp, cred_t *cr) |
5331 | 688 |
{ |
689 |
zfs_oldace_t *oldaclp; |
|
690 |
int i; |
|
691 |
uint16_t type, iflags; |
|
692 |
uint32_t access_mask; |
|
693 |
uint64_t who; |
|
694 |
void *cookie = NULL; |
|
5489
25bfaf065197
6601830 mismatch between zfs_mount() behavior and comment
marks
parents:
5435
diff
changeset
|
695 |
zfs_acl_node_t *newaclnode; |
5331 | 696 |
|
697 |
ASSERT(aclp->z_version == ZFS_ACL_VERSION_INITIAL); |
|
698 |
/* |
|
699 |
* First create the ACE in a contiguous piece of memory |
|
700 |
* for zfs_copy_ace_2_fuid(). |
|
701 |
* |
|
702 |
* We only convert an ACL once, so this won't happen |
|
703 |
* everytime. |
|
704 |
*/ |
|
705 |
oldaclp = kmem_alloc(sizeof (zfs_oldace_t) * aclp->z_acl_count, |
|
706 |
KM_SLEEP); |
|
707 |
i = 0; |
|
708 |
while (cookie = zfs_acl_next_ace(aclp, cookie, &who, |
|
709 |
&access_mask, &iflags, &type)) { |
|
710 |
oldaclp[i].z_flags = iflags; |
|
711 |
oldaclp[i].z_type = type; |
|
712 |
oldaclp[i].z_fuid = who; |
|
713 |
oldaclp[i++].z_access_mask = access_mask; |
|
714 |
} |
|
715 |
||
716 |
newaclnode = zfs_acl_node_alloc(aclp->z_acl_count * |
|
717 |
sizeof (zfs_object_ace_t)); |
|
718 |
aclp->z_ops = zfs_acl_fuid_ops; |
|
9179
d8fbd96b79b3
6790064 zfs needs to determine uid and gid earlier in create process
Mark Shellenbaum <Mark.Shellenbaum@Sun.COM>
parents:
8952
diff
changeset
|
719 |
VERIFY(zfs_copy_ace_2_fuid(zp->z_zfsvfs, ZTOV(zp)->v_type, aclp, |
d8fbd96b79b3
6790064 zfs needs to determine uid and gid earlier in create process
Mark Shellenbaum <Mark.Shellenbaum@Sun.COM>
parents:
8952
diff
changeset
|
720 |
oldaclp, newaclnode->z_acldata, aclp->z_acl_count, |
d8fbd96b79b3
6790064 zfs needs to determine uid and gid earlier in create process
Mark Shellenbaum <Mark.Shellenbaum@Sun.COM>
parents:
8952
diff
changeset
|
721 |
&newaclnode->z_size, NULL, cr) == 0); |
5331 | 722 |
newaclnode->z_ace_count = aclp->z_acl_count; |
723 |
aclp->z_version = ZFS_ACL_VERSION; |
|
724 |
kmem_free(oldaclp, aclp->z_acl_count * sizeof (zfs_oldace_t)); |
|
725 |
||
726 |
/* |
|
727 |
* Release all previous ACL nodes |
|
728 |
*/ |
|
729 |
||
5489
25bfaf065197
6601830 mismatch between zfs_mount() behavior and comment
marks
parents:
5435
diff
changeset
|
730 |
zfs_acl_release_nodes(aclp); |
25bfaf065197
6601830 mismatch between zfs_mount() behavior and comment
marks
parents:
5435
diff
changeset
|
731 |
|
5331 | 732 |
list_insert_head(&aclp->z_acl, newaclnode); |
5489
25bfaf065197
6601830 mismatch between zfs_mount() behavior and comment
marks
parents:
5435
diff
changeset
|
733 |
|
25bfaf065197
6601830 mismatch between zfs_mount() behavior and comment
marks
parents:
5435
diff
changeset
|
734 |
aclp->z_acl_bytes = newaclnode->z_size; |
25bfaf065197
6601830 mismatch between zfs_mount() behavior and comment
marks
parents:
5435
diff
changeset
|
735 |
aclp->z_acl_count = newaclnode->z_ace_count; |
25bfaf065197
6601830 mismatch between zfs_mount() behavior and comment
marks
parents:
5435
diff
changeset
|
736 |
|
789 | 737 |
} |
738 |
||
739 |
/* |
|
740 |
* Convert unix access mask to v4 access mask |
|
741 |
*/ |
|
742 |
static uint32_t |
|
743 |
zfs_unix_to_v4(uint32_t access_mask) |
|
744 |
{ |
|
745 |
uint32_t new_mask = 0; |
|
746 |
||
5331 | 747 |
if (access_mask & S_IXOTH) |
748 |
new_mask |= ACE_EXECUTE; |
|
749 |
if (access_mask & S_IWOTH) |
|
750 |
new_mask |= ACE_WRITE_DATA; |
|
751 |
if (access_mask & S_IROTH) |
|
789 | 752 |
new_mask |= ACE_READ_DATA; |
753 |
return (new_mask); |
|
754 |
} |
|
755 |
||
756 |
static void |
|
5331 | 757 |
zfs_set_ace(zfs_acl_t *aclp, void *acep, uint32_t access_mask, |
758 |
uint16_t access_type, uint64_t fuid, uint16_t entry_type) |
|
789 | 759 |
{ |
5331 | 760 |
uint16_t type = entry_type & ACE_TYPE_FLAGS; |
761 |
||
762 |
aclp->z_ops.ace_mask_set(acep, access_mask); |
|
763 |
aclp->z_ops.ace_type_set(acep, access_type); |
|
764 |
aclp->z_ops.ace_flags_set(acep, entry_type); |
|
7328
6bdcaa4505ac
6736457 dmu_tx_dirty_buf+297 panic while Win2003 is copying i386 folder from win2003 CD-ROM to Nevada
Mark Shellenbaum <Mark.Shellenbaum@Sun.COM>
parents:
7294
diff
changeset
|
765 |
if ((type != ACE_OWNER && type != OWNING_GROUP && |
5331 | 766 |
type != ACE_EVERYONE)) |
767 |
aclp->z_ops.ace_who_set(acep, fuid); |
|
789 | 768 |
} |
769 |
||
5331 | 770 |
/* |
771 |
* Determine mode of file based on ACL. |
|
772 |
* Also, create FUIDs for any User/Group ACEs |
|
773 |
*/ |
|
789 | 774 |
static uint64_t |
9179
d8fbd96b79b3
6790064 zfs needs to determine uid and gid earlier in create process
Mark Shellenbaum <Mark.Shellenbaum@Sun.COM>
parents:
8952
diff
changeset
|
775 |
zfs_mode_compute(znode_t *zp, zfs_acl_t *aclp) |
789 | 776 |
{ |
5331 | 777 |
int entry_type; |
778 |
mode_t mode; |
|
779 |
mode_t seen = 0; |
|
780 |
zfs_ace_hdr_t *acep = NULL; |
|
781 |
uint64_t who; |
|
782 |
uint16_t iflags, type; |
|
783 |
uint32_t access_mask; |
|
789 | 784 |
|
5331 | 785 |
mode = (zp->z_phys->zp_mode & (S_IFMT | S_ISUID | S_ISGID | S_ISVTX)); |
786 |
||
787 |
while (acep = zfs_acl_next_ace(aclp, acep, &who, |
|
788 |
&access_mask, &iflags, &type)) { |
|
4869
f123f22fc641
6590376 Fails to chmod on a zfs volume with windows ACL
marks
parents:
4321
diff
changeset
|
789 |
|
7559
a2e9a3201169
6746456 ZFS doesn't inherit old ACLs correctly on upgraded file system
Mark Shellenbaum <Mark.Shellenbaum@Sun.COM>
parents:
7328
diff
changeset
|
790 |
if (!zfs_acl_valid_ace_type(type, iflags)) |
a2e9a3201169
6746456 ZFS doesn't inherit old ACLs correctly on upgraded file system
Mark Shellenbaum <Mark.Shellenbaum@Sun.COM>
parents:
7328
diff
changeset
|
791 |
continue; |
a2e9a3201169
6746456 ZFS doesn't inherit old ACLs correctly on upgraded file system
Mark Shellenbaum <Mark.Shellenbaum@Sun.COM>
parents:
7328
diff
changeset
|
792 |
|
7328
6bdcaa4505ac
6736457 dmu_tx_dirty_buf+297 panic while Win2003 is copying i386 folder from win2003 CD-ROM to Nevada
Mark Shellenbaum <Mark.Shellenbaum@Sun.COM>
parents:
7294
diff
changeset
|
793 |
entry_type = (iflags & ACE_TYPE_FLAGS); |
6bdcaa4505ac
6736457 dmu_tx_dirty_buf+297 panic while Win2003 is copying i386 folder from win2003 CD-ROM to Nevada
Mark Shellenbaum <Mark.Shellenbaum@Sun.COM>
parents:
7294
diff
changeset
|
794 |
|
4869
f123f22fc641
6590376 Fails to chmod on a zfs volume with windows ACL
marks
parents:
4321
diff
changeset
|
795 |
/* |
7328
6bdcaa4505ac
6736457 dmu_tx_dirty_buf+297 panic while Win2003 is copying i386 folder from win2003 CD-ROM to Nevada
Mark Shellenbaum <Mark.Shellenbaum@Sun.COM>
parents:
7294
diff
changeset
|
796 |
* Skip over owner@, group@ or everyone@ inherit only ACEs |
4869
f123f22fc641
6590376 Fails to chmod on a zfs volume with windows ACL
marks
parents:
4321
diff
changeset
|
797 |
*/ |
7328
6bdcaa4505ac
6736457 dmu_tx_dirty_buf+297 panic while Win2003 is copying i386 folder from win2003 CD-ROM to Nevada
Mark Shellenbaum <Mark.Shellenbaum@Sun.COM>
parents:
7294
diff
changeset
|
798 |
if ((iflags & ACE_INHERIT_ONLY_ACE) && |
6bdcaa4505ac
6736457 dmu_tx_dirty_buf+297 panic while Win2003 is copying i386 folder from win2003 CD-ROM to Nevada
Mark Shellenbaum <Mark.Shellenbaum@Sun.COM>
parents:
7294
diff
changeset
|
799 |
(entry_type == ACE_OWNER || entry_type == ACE_EVERYONE || |
6bdcaa4505ac
6736457 dmu_tx_dirty_buf+297 panic while Win2003 is copying i386 folder from win2003 CD-ROM to Nevada
Mark Shellenbaum <Mark.Shellenbaum@Sun.COM>
parents:
7294
diff
changeset
|
800 |
entry_type == OWNING_GROUP)) |
4869
f123f22fc641
6590376 Fails to chmod on a zfs volume with windows ACL
marks
parents:
4321
diff
changeset
|
801 |
continue; |
f123f22fc641
6590376 Fails to chmod on a zfs volume with windows ACL
marks
parents:
4321
diff
changeset
|
802 |
|
789 | 803 |
if (entry_type == ACE_OWNER) { |
5331 | 804 |
if ((access_mask & ACE_READ_DATA) && |
789 | 805 |
(!(seen & S_IRUSR))) { |
806 |
seen |= S_IRUSR; |
|
5331 | 807 |
if (type == ALLOW) { |
789 | 808 |
mode |= S_IRUSR; |
809 |
} |
|
810 |
} |
|
5331 | 811 |
if ((access_mask & ACE_WRITE_DATA) && |
789 | 812 |
(!(seen & S_IWUSR))) { |
813 |
seen |= S_IWUSR; |
|
5331 | 814 |
if (type == ALLOW) { |
789 | 815 |
mode |= S_IWUSR; |
816 |
} |
|
817 |
} |
|
5331 | 818 |
if ((access_mask & ACE_EXECUTE) && |
789 | 819 |
(!(seen & S_IXUSR))) { |
820 |
seen |= S_IXUSR; |
|
5331 | 821 |
if (type == ALLOW) { |
789 | 822 |
mode |= S_IXUSR; |
823 |
} |
|
824 |
} |
|
825 |
} else if (entry_type == OWNING_GROUP) { |
|
5331 | 826 |
if ((access_mask & ACE_READ_DATA) && |
789 | 827 |
(!(seen & S_IRGRP))) { |
828 |
seen |= S_IRGRP; |
|
5331 | 829 |
if (type == ALLOW) { |
789 | 830 |
mode |= S_IRGRP; |
831 |
} |
|
832 |
} |
|
5331 | 833 |
if ((access_mask & ACE_WRITE_DATA) && |
789 | 834 |
(!(seen & S_IWGRP))) { |
835 |
seen |= S_IWGRP; |
|
5331 | 836 |
if (type == ALLOW) { |
789 | 837 |
mode |= S_IWGRP; |
838 |
} |
|
839 |
} |
|
5331 | 840 |
if ((access_mask & ACE_EXECUTE) && |
789 | 841 |
(!(seen & S_IXGRP))) { |
842 |
seen |= S_IXGRP; |
|
5331 | 843 |
if (type == ALLOW) { |
789 | 844 |
mode |= S_IXGRP; |
845 |
} |
|
846 |
} |
|
847 |
} else if (entry_type == ACE_EVERYONE) { |
|
5331 | 848 |
if ((access_mask & ACE_READ_DATA)) { |
789 | 849 |
if (!(seen & S_IRUSR)) { |
850 |
seen |= S_IRUSR; |
|
5331 | 851 |
if (type == ALLOW) { |
789 | 852 |
mode |= S_IRUSR; |
853 |
} |
|
854 |
} |
|
855 |
if (!(seen & S_IRGRP)) { |
|
856 |
seen |= S_IRGRP; |
|
5331 | 857 |
if (type == ALLOW) { |
789 | 858 |
mode |= S_IRGRP; |
859 |
} |
|
860 |
} |
|
861 |
if (!(seen & S_IROTH)) { |
|
862 |
seen |= S_IROTH; |
|
5331 | 863 |
if (type == ALLOW) { |
789 | 864 |
mode |= S_IROTH; |
865 |
} |
|
866 |
} |
|
867 |
} |
|
5331 | 868 |
if ((access_mask & ACE_WRITE_DATA)) { |
789 | 869 |
if (!(seen & S_IWUSR)) { |
870 |
seen |= S_IWUSR; |
|
5331 | 871 |
if (type == ALLOW) { |
789 | 872 |
mode |= S_IWUSR; |
873 |
} |
|
874 |
} |
|
875 |
if (!(seen & S_IWGRP)) { |
|
876 |
seen |= S_IWGRP; |
|
5331 | 877 |
if (type == ALLOW) { |
789 | 878 |
mode |= S_IWGRP; |
879 |
} |
|
880 |
} |
|
881 |
if (!(seen & S_IWOTH)) { |
|
882 |
seen |= S_IWOTH; |
|
5331 | 883 |
if (type == ALLOW) { |
789 | 884 |
mode |= S_IWOTH; |
885 |
} |
|
886 |
} |
|
887 |
} |
|
5331 | 888 |
if ((access_mask & ACE_EXECUTE)) { |
789 | 889 |
if (!(seen & S_IXUSR)) { |
890 |
seen |= S_IXUSR; |
|
5331 | 891 |
if (type == ALLOW) { |
789 | 892 |
mode |= S_IXUSR; |
893 |
} |
|
894 |
} |
|
895 |
if (!(seen & S_IXGRP)) { |
|
896 |
seen |= S_IXGRP; |
|
5331 | 897 |
if (type == ALLOW) { |
789 | 898 |
mode |= S_IXGRP; |
899 |
} |
|
900 |
} |
|
901 |
if (!(seen & S_IXOTH)) { |
|
902 |
seen |= S_IXOTH; |
|
5331 | 903 |
if (type == ALLOW) { |
789 | 904 |
mode |= S_IXOTH; |
905 |
} |
|
906 |
} |
|
907 |
} |
|
908 |
} |
|
909 |
} |
|
910 |
return (mode); |
|
911 |
} |
|
912 |
||
913 |
static zfs_acl_t * |
|
5331 | 914 |
zfs_acl_node_read_internal(znode_t *zp, boolean_t will_modify) |
789 | 915 |
{ |
916 |
zfs_acl_t *aclp; |
|
5331 | 917 |
zfs_acl_node_t *aclnode; |
789 | 918 |
|
5331 | 919 |
aclp = zfs_acl_alloc(zp->z_phys->zp_acl.z_acl_version); |
920 |
||
921 |
/* |
|
922 |
* Version 0 to 1 znode_acl_phys has the size/count fields swapped. |
|
923 |
* Version 0 didn't have a size field, only a count. |
|
924 |
*/ |
|
925 |
if (zp->z_phys->zp_acl.z_acl_version == ZFS_ACL_VERSION_INITIAL) { |
|
926 |
aclp->z_acl_count = zp->z_phys->zp_acl.z_acl_size; |
|
927 |
aclp->z_acl_bytes = ZFS_ACL_SIZE(aclp->z_acl_count); |
|
928 |
} else { |
|
929 |
aclp->z_acl_count = zp->z_phys->zp_acl.z_acl_count; |
|
930 |
aclp->z_acl_bytes = zp->z_phys->zp_acl.z_acl_size; |
|
931 |
} |
|
932 |
||
933 |
aclnode = zfs_acl_node_alloc(will_modify ? aclp->z_acl_bytes : 0); |
|
934 |
aclnode->z_ace_count = aclp->z_acl_count; |
|
935 |
if (will_modify) { |
|
936 |
bcopy(zp->z_phys->zp_acl.z_ace_data, aclnode->z_acldata, |
|
937 |
aclp->z_acl_bytes); |
|
938 |
} else { |
|
939 |
aclnode->z_size = aclp->z_acl_bytes; |
|
940 |
aclnode->z_acldata = &zp->z_phys->zp_acl.z_ace_data[0]; |
|
941 |
} |
|
942 |
||
943 |
list_insert_head(&aclp->z_acl, aclnode); |
|
789 | 944 |
|
945 |
return (aclp); |
|
946 |
} |
|
947 |
||
948 |
/* |
|
949 |
* Read an external acl object. |
|
950 |
*/ |
|
1544 | 951 |
static int |
5331 | 952 |
zfs_acl_node_read(znode_t *zp, zfs_acl_t **aclpp, boolean_t will_modify) |
789 | 953 |
{ |
954 |
uint64_t extacl = zp->z_phys->zp_acl.z_acl_extern_obj; |
|
955 |
zfs_acl_t *aclp; |
|
5331 | 956 |
size_t aclsize; |
957 |
size_t acl_count; |
|
958 |
zfs_acl_node_t *aclnode; |
|
1544 | 959 |
int error; |
789 | 960 |
|
961 |
ASSERT(MUTEX_HELD(&zp->z_acl_lock)); |
|
962 |
||
1544 | 963 |
if (zp->z_phys->zp_acl.z_acl_extern_obj == 0) { |
5331 | 964 |
*aclpp = zfs_acl_node_read_internal(zp, will_modify); |
1544 | 965 |
return (0); |
966 |
} |
|
789 | 967 |
|
5331 | 968 |
aclp = zfs_acl_alloc(zp->z_phys->zp_acl.z_acl_version); |
969 |
if (zp->z_phys->zp_acl.z_acl_version == ZFS_ACL_VERSION_INITIAL) { |
|
970 |
zfs_acl_phys_v0_t *zacl0 = |
|
971 |
(zfs_acl_phys_v0_t *)&zp->z_phys->zp_acl; |
|
789 | 972 |
|
5331 | 973 |
aclsize = ZFS_ACL_SIZE(zacl0->z_acl_count); |
974 |
acl_count = zacl0->z_acl_count; |
|
975 |
} else { |
|
976 |
aclsize = zp->z_phys->zp_acl.z_acl_size; |
|
977 |
acl_count = zp->z_phys->zp_acl.z_acl_count; |
|
978 |
if (aclsize == 0) |
|
979 |
aclsize = acl_count * sizeof (zfs_ace_t); |
|
980 |
} |
|
981 |
aclnode = zfs_acl_node_alloc(aclsize); |
|
982 |
list_insert_head(&aclp->z_acl, aclnode); |
|
1544 | 983 |
error = dmu_read(zp->z_zfsvfs->z_os, extacl, 0, |
9512
64cafcbcc337
6801810 Commit of aligned streaming rewrites to ZIL device causes unwanted disk reads
Neil Perrin <Neil.Perrin@Sun.COM>
parents:
9396
diff
changeset
|
984 |
aclsize, aclnode->z_acldata, DMU_READ_PREFETCH); |
5331 | 985 |
aclnode->z_ace_count = acl_count; |
986 |
aclp->z_acl_count = acl_count; |
|
987 |
aclp->z_acl_bytes = aclsize; |
|
988 |
||
1544 | 989 |
if (error != 0) { |
990 |
zfs_acl_free(aclp); |
|
7294 | 991 |
/* convert checksum errors into IO errors */ |
992 |
if (error == ECKSUM) |
|
993 |
error = EIO; |
|
1544 | 994 |
return (error); |
995 |
} |
|
789 | 996 |
|
1544 | 997 |
*aclpp = aclp; |
998 |
return (0); |
|
789 | 999 |
} |
1000 |
||
1001 |
/* |
|
5331 | 1002 |
* common code for setting ACLs. |
789 | 1003 |
* |
1004 |
* This function is called from zfs_mode_update, zfs_perm_init, and zfs_setacl. |
|
1005 |
* zfs_setacl passes a non-NULL inherit pointer (ihp) to indicate that it's |
|
1006 |
* already checked the acl and knows whether to inherit. |
|
1007 |
*/ |
|
1008 |
int |
|
9179
d8fbd96b79b3
6790064 zfs needs to determine uid and gid earlier in create process
Mark Shellenbaum <Mark.Shellenbaum@Sun.COM>
parents:
8952
diff
changeset
|
1009 |
zfs_aclset_common(znode_t *zp, zfs_acl_t *aclp, cred_t *cr, dmu_tx_t *tx) |
789 | 1010 |
{ |
1011 |
int error; |
|
1012 |
znode_phys_t *zphys = zp->z_phys; |
|
5331 | 1013 |
zfs_acl_phys_t *zacl = &zphys->zp_acl; |
789 | 1014 |
zfsvfs_t *zfsvfs = zp->z_zfsvfs; |
1015 |
uint64_t aoid = zphys->zp_acl.z_acl_extern_obj; |
|
5331 | 1016 |
uint64_t off = 0; |
1017 |
dmu_object_type_t otype; |
|
1018 |
zfs_acl_node_t *aclnode; |
|
789 | 1019 |
|
5331 | 1020 |
dmu_buf_will_dirty(zp->z_dbuf, tx); |
789 | 1021 |
|
9179
d8fbd96b79b3
6790064 zfs needs to determine uid and gid earlier in create process
Mark Shellenbaum <Mark.Shellenbaum@Sun.COM>
parents:
8952
diff
changeset
|
1022 |
zphys->zp_mode = zfs_mode_compute(zp, aclp); |
789 | 1023 |
|
1024 |
/* |
|
5331 | 1025 |
* Decide which opbject type to use. If we are forced to |
1026 |
* use old ACL format than transform ACL into zfs_oldace_t |
|
1027 |
* layout. |
|
789 | 1028 |
*/ |
5331 | 1029 |
if (!zfsvfs->z_use_fuids) { |
1030 |
otype = DMU_OT_OLDACL; |
|
1031 |
} else { |
|
1032 |
if ((aclp->z_version == ZFS_ACL_VERSION_INITIAL) && |
|
1033 |
(zfsvfs->z_version >= ZPL_VERSION_FUID)) |
|
9179
d8fbd96b79b3
6790064 zfs needs to determine uid and gid earlier in create process
Mark Shellenbaum <Mark.Shellenbaum@Sun.COM>
parents:
8952
diff
changeset
|
1034 |
zfs_acl_xform(zp, aclp, cr); |
5331 | 1035 |
ASSERT(aclp->z_version >= ZFS_ACL_VERSION_FUID); |
1036 |
otype = DMU_OT_ACL; |
|
1037 |
} |
|
1038 |
||
1039 |
if (aclp->z_acl_bytes > ZFS_ACE_SPACE) { |
|
1040 |
/* |
|
1041 |
* If ACL was previously external and we are now |
|
1042 |
* converting to new ACL format then release old |
|
1043 |
* ACL object and create a new one. |
|
1044 |
*/ |
|
1045 |
if (aoid && aclp->z_version != zacl->z_acl_version) { |
|
1046 |
error = dmu_object_free(zfsvfs->z_os, |
|
1047 |
zp->z_phys->zp_acl.z_acl_extern_obj, tx); |
|
1048 |
if (error) |
|
1049 |
return (error); |
|
1050 |
aoid = 0; |
|
1051 |
} |
|
789 | 1052 |
if (aoid == 0) { |
1053 |
aoid = dmu_object_alloc(zfsvfs->z_os, |
|
5331 | 1054 |
otype, aclp->z_acl_bytes, |
1055 |
otype == DMU_OT_ACL ? DMU_OT_SYSACL : DMU_OT_NONE, |
|
1056 |
otype == DMU_OT_ACL ? DN_MAX_BONUSLEN : 0, tx); |
|
789 | 1057 |
} else { |
1058 |
(void) dmu_object_set_blocksize(zfsvfs->z_os, aoid, |
|
5331 | 1059 |
aclp->z_acl_bytes, 0, tx); |
789 | 1060 |
} |
1061 |
zphys->zp_acl.z_acl_extern_obj = aoid; |
|
5331 | 1062 |
for (aclnode = list_head(&aclp->z_acl); aclnode; |
1063 |
aclnode = list_next(&aclp->z_acl, aclnode)) { |
|
1064 |
if (aclnode->z_ace_count == 0) |
|
1065 |
continue; |
|
1066 |
dmu_write(zfsvfs->z_os, aoid, off, |
|
1067 |
aclnode->z_size, aclnode->z_acldata, tx); |
|
1068 |
off += aclnode->z_size; |
|
1069 |
} |
|
789 | 1070 |
} else { |
5331 | 1071 |
void *start = zacl->z_ace_data; |
789 | 1072 |
/* |
1073 |
* Migrating back embedded? |
|
1074 |
*/ |
|
1075 |
if (zphys->zp_acl.z_acl_extern_obj) { |
|
1076 |
error = dmu_object_free(zfsvfs->z_os, |
|
4300
d74de773d6e6
6528189 cp -p invalid argument issue on Redhat linux AS 3.0 NFS client against ZFS NFS directory
marks
parents:
2676
diff
changeset
|
1077 |
zp->z_phys->zp_acl.z_acl_extern_obj, tx); |
789 | 1078 |
if (error) |
1079 |
return (error); |
|
1080 |
zphys->zp_acl.z_acl_extern_obj = 0; |
|
1081 |
} |
|
5331 | 1082 |
|
1083 |
for (aclnode = list_head(&aclp->z_acl); aclnode; |
|
1084 |
aclnode = list_next(&aclp->z_acl, aclnode)) { |
|
1085 |
if (aclnode->z_ace_count == 0) |
|
1086 |
continue; |
|
1087 |
bcopy(aclnode->z_acldata, start, aclnode->z_size); |
|
1088 |
start = (caddr_t)start + aclnode->z_size; |
|
1089 |
} |
|
789 | 1090 |
} |
905
920e9b2e0899
6347134 zfs_zaccess() is killing ZFS stat() performance
marks
parents:
865
diff
changeset
|
1091 |
|
5331 | 1092 |
/* |
1093 |
* If Old version then swap count/bytes to match old |
|
1094 |
* layout of znode_acl_phys_t. |
|
1095 |
*/ |
|
1096 |
if (aclp->z_version == ZFS_ACL_VERSION_INITIAL) { |
|
1097 |
zphys->zp_acl.z_acl_size = aclp->z_acl_count; |
|
1098 |
zphys->zp_acl.z_acl_count = aclp->z_acl_bytes; |
|
1099 |
} else { |
|
1100 |
zphys->zp_acl.z_acl_size = aclp->z_acl_bytes; |
|
1101 |
zphys->zp_acl.z_acl_count = aclp->z_acl_count; |
|
905
920e9b2e0899
6347134 zfs_zaccess() is killing ZFS stat() performance
marks
parents:
865
diff
changeset
|
1102 |
} |
789 | 1103 |
|
5331 | 1104 |
zphys->zp_acl.z_acl_version = aclp->z_version; |
1105 |
||
1106 |
/* |
|
1107 |
* Replace ACL wide bits, but first clear them. |
|
1108 |
*/ |
|
1109 |
zp->z_phys->zp_flags &= ~ZFS_ACL_WIDE_FLAGS; |
|
1110 |
||
1111 |
zp->z_phys->zp_flags |= aclp->z_hints; |
|
1112 |
||
1113 |
if (ace_trivial_common(aclp, 0, zfs_ace_walk) == 0) |
|
1114 |
zp->z_phys->zp_flags |= ZFS_ACL_TRIVIAL; |
|
1115 |
||
789 | 1116 |
return (0); |
1117 |
} |
|
1118 |
||
1119 |
/* |
|
1120 |
* Update access mask for prepended ACE |
|
1121 |
* |
|
1122 |
* This applies the "groupmask" value for aclmode property. |
|
1123 |
*/ |
|
1124 |
static void |
|
5331 | 1125 |
zfs_acl_prepend_fixup(zfs_acl_t *aclp, void *acep, void *origacep, |
1126 |
mode_t mode, uint64_t owner) |
|
789 | 1127 |
{ |
1128 |
int rmask, wmask, xmask; |
|
1129 |
int user_ace; |
|
5331 | 1130 |
uint16_t aceflags; |
1131 |
uint32_t origmask, acepmask; |
|
1132 |
uint64_t fuid; |
|
789 | 1133 |
|
5331 | 1134 |
aceflags = aclp->z_ops.ace_flags_get(acep); |
1135 |
fuid = aclp->z_ops.ace_who_get(acep); |
|
1136 |
origmask = aclp->z_ops.ace_mask_get(origacep); |
|
1137 |
acepmask = aclp->z_ops.ace_mask_get(acep); |
|
1138 |
||
1139 |
user_ace = (!(aceflags & |
|
789 | 1140 |
(ACE_OWNER|ACE_GROUP|ACE_IDENTIFIER_GROUP))); |
1141 |
||
5331 | 1142 |
if (user_ace && (fuid == owner)) { |
789 | 1143 |
rmask = S_IRUSR; |
1144 |
wmask = S_IWUSR; |
|
1145 |
xmask = S_IXUSR; |
|
1146 |
} else { |
|
1147 |
rmask = S_IRGRP; |
|
1148 |
wmask = S_IWGRP; |
|
1149 |
xmask = S_IXGRP; |
|
1150 |
} |
|
1151 |
||
5331 | 1152 |
if (origmask & ACE_READ_DATA) { |
1153 |
if (mode & rmask) { |
|
1154 |
acepmask &= ~ACE_READ_DATA; |
|
1155 |
} else { |
|
1156 |
acepmask |= ACE_READ_DATA; |
|
1157 |
} |
|
789 | 1158 |
} |
1159 |
||
5331 | 1160 |
if (origmask & ACE_WRITE_DATA) { |
1161 |
if (mode & wmask) { |
|
1162 |
acepmask &= ~ACE_WRITE_DATA; |
|
1163 |
} else { |
|
1164 |
acepmask |= ACE_WRITE_DATA; |
|
1165 |
} |
|
789 | 1166 |
} |
1167 |
||
5331 | 1168 |
if (origmask & ACE_APPEND_DATA) { |
1169 |
if (mode & wmask) { |
|
1170 |
acepmask &= ~ACE_APPEND_DATA; |
|
1171 |
} else { |
|
1172 |
acepmask |= ACE_APPEND_DATA; |
|
1173 |
} |
|
789 | 1174 |
} |
1175 |
||
5331 | 1176 |
if (origmask & ACE_EXECUTE) { |
1177 |
if (mode & xmask) { |
|
1178 |
acepmask &= ~ACE_EXECUTE; |
|
1179 |
} else { |
|
1180 |
acepmask |= ACE_EXECUTE; |
|
1181 |
} |
|
789 | 1182 |
} |
5331 | 1183 |
aclp->z_ops.ace_mask_set(acep, acepmask); |
789 | 1184 |
} |
1185 |
||
1186 |
/* |
|
1187 |
* Apply mode to canonical six ACEs. |
|
1188 |
*/ |
|
1189 |
static void |
|
1190 |
zfs_acl_fixup_canonical_six(zfs_acl_t *aclp, mode_t mode) |
|
1191 |
{ |
|
5331 | 1192 |
zfs_acl_node_t *aclnode = list_tail(&aclp->z_acl); |
1193 |
void *acep; |
|
1194 |
int maskoff = aclp->z_ops.ace_mask_off(); |
|
1195 |
size_t abstract_size = aclp->z_ops.ace_abstract_size(); |
|
789 | 1196 |
|
5331 | 1197 |
ASSERT(aclnode != NULL); |
1198 |
||
1199 |
acep = (void *)((caddr_t)aclnode->z_acldata + |
|
1200 |
aclnode->z_size - (abstract_size * 6)); |
|
789 | 1201 |
|
1202 |
/* |
|
1203 |
* Fixup final ACEs to match the mode |
|
1204 |
*/ |
|
1205 |
||
5331 | 1206 |
adjust_ace_pair_common(acep, maskoff, abstract_size, |
1207 |
(mode & 0700) >> 6); /* owner@ */ |
|
1208 |
||
1209 |
acep = (caddr_t)acep + (abstract_size * 2); |
|
1210 |
||
1211 |
adjust_ace_pair_common(acep, maskoff, abstract_size, |
|
1212 |
(mode & 0070) >> 3); /* group@ */ |
|
1213 |
||
1214 |
acep = (caddr_t)acep + (abstract_size * 2); |
|
1215 |
adjust_ace_pair_common(acep, maskoff, |
|
1216 |
abstract_size, mode); /* everyone@ */ |
|
789 | 1217 |
} |
1218 |
||
1219 |
||
1220 |
static int |
|
5331 | 1221 |
zfs_acl_ace_match(zfs_acl_t *aclp, void *acep, int allow_deny, |
1222 |
int entry_type, int accessmask) |
|
789 | 1223 |
{ |
5331 | 1224 |
uint32_t mask = aclp->z_ops.ace_mask_get(acep); |
1225 |
uint16_t type = aclp->z_ops.ace_type_get(acep); |
|
1226 |
uint16_t flags = aclp->z_ops.ace_flags_get(acep); |
|
1227 |
||
1228 |
return (mask == accessmask && type == allow_deny && |
|
1229 |
((flags & ACE_TYPE_FLAGS) == entry_type)); |
|
789 | 1230 |
} |
1231 |
||
1232 |
/* |
|
1233 |
* Can prepended ACE be reused? |
|
1234 |
*/ |
|
1235 |
static int |
|
5331 | 1236 |
zfs_reuse_deny(zfs_acl_t *aclp, void *acep, void *prevacep) |
789 | 1237 |
{ |
1238 |
int okay_masks; |
|
5331 | 1239 |
uint16_t prevtype; |
1240 |
uint16_t prevflags; |
|
1241 |
uint16_t flags; |
|
1242 |
uint32_t mask, prevmask; |
|
789 | 1243 |
|
5331 | 1244 |
if (prevacep == NULL) |
789 | 1245 |
return (B_FALSE); |
1246 |
||
5331 | 1247 |
prevtype = aclp->z_ops.ace_type_get(prevacep); |
1248 |
prevflags = aclp->z_ops.ace_flags_get(prevacep); |
|
1249 |
flags = aclp->z_ops.ace_flags_get(acep); |
|
1250 |
mask = aclp->z_ops.ace_mask_get(acep); |
|
1251 |
prevmask = aclp->z_ops.ace_mask_get(prevacep); |
|
1252 |
||
1253 |
if (prevtype != DENY) |
|
789 | 1254 |
return (B_FALSE); |
1255 |
||
5331 | 1256 |
if (prevflags != (flags & ACE_IDENTIFIER_GROUP)) |
789 | 1257 |
return (B_FALSE); |
1258 |
||
5331 | 1259 |
okay_masks = (mask & OKAY_MASK_BITS); |
789 | 1260 |
|
5331 | 1261 |
if (prevmask & ~okay_masks) |
789 | 1262 |
return (B_FALSE); |
1263 |
||
1264 |
return (B_TRUE); |
|
1265 |
} |
|
1266 |
||
1267 |
||
5331 | 1268 |
/* |
1269 |
* Insert new ACL node into chain of zfs_acl_node_t's |
|
1270 |
* |
|
1271 |
* This will result in two possible results. |
|
1272 |
* 1. If the ACL is currently just a single zfs_acl_node and |
|
1273 |
* we are prepending the entry then current acl node will have |
|
1274 |
* a new node inserted above it. |
|
1275 |
* |
|
1276 |
* 2. If we are inserting in the middle of current acl node then |
|
1277 |
* the current node will be split in two and new node will be inserted |
|
1278 |
* in between the two split nodes. |
|
1279 |
*/ |
|
1280 |
static zfs_acl_node_t * |
|
1281 |
zfs_acl_ace_insert(zfs_acl_t *aclp, void *acep) |
|
1282 |
{ |
|
1283 |
zfs_acl_node_t *newnode; |
|
1284 |
zfs_acl_node_t *trailernode = NULL; |
|
1285 |
zfs_acl_node_t *currnode = zfs_acl_curr_node(aclp); |
|
1286 |
int curr_idx = aclp->z_curr_node->z_ace_idx; |
|
1287 |
int trailer_count; |
|
1288 |
size_t oldsize; |
|
789 | 1289 |
|
5331 | 1290 |
newnode = zfs_acl_node_alloc(aclp->z_ops.ace_size(acep)); |
1291 |
newnode->z_ace_count = 1; |
|
1292 |
||
1293 |
oldsize = currnode->z_size; |
|
1294 |
||
1295 |
if (curr_idx != 1) { |
|
1296 |
trailernode = zfs_acl_node_alloc(0); |
|
1297 |
trailernode->z_acldata = acep; |
|
1298 |
||
1299 |
trailer_count = currnode->z_ace_count - curr_idx + 1; |
|
1300 |
currnode->z_ace_count = curr_idx - 1; |
|
1301 |
currnode->z_size = (caddr_t)acep - (caddr_t)currnode->z_acldata; |
|
1302 |
trailernode->z_size = oldsize - currnode->z_size; |
|
1303 |
trailernode->z_ace_count = trailer_count; |
|
789 | 1304 |
} |
1305 |
||
5331 | 1306 |
aclp->z_acl_count += 1; |
1307 |
aclp->z_acl_bytes += aclp->z_ops.ace_size(acep); |
|
789 | 1308 |
|
5331 | 1309 |
if (curr_idx == 1) |
1310 |
list_insert_before(&aclp->z_acl, currnode, newnode); |
|
1311 |
else |
|
1312 |
list_insert_after(&aclp->z_acl, currnode, newnode); |
|
1313 |
if (trailernode) { |
|
1314 |
list_insert_after(&aclp->z_acl, newnode, trailernode); |
|
1315 |
aclp->z_curr_node = trailernode; |
|
1316 |
trailernode->z_ace_idx = 1; |
|
789 | 1317 |
} |
1318 |
||
5331 | 1319 |
return (newnode); |
789 | 1320 |
} |
1321 |
||
1322 |
/* |
|
1323 |
* Prepend deny ACE |
|
1324 |
*/ |
|
5331 | 1325 |
static void * |
9179
d8fbd96b79b3
6790064 zfs needs to determine uid and gid earlier in create process
Mark Shellenbaum <Mark.Shellenbaum@Sun.COM>
parents:
8952
diff
changeset
|
1326 |
zfs_acl_prepend_deny(uint64_t uid, zfs_acl_t *aclp, void *acep, |
789 | 1327 |
mode_t mode) |
1328 |
{ |
|
5331 | 1329 |
zfs_acl_node_t *aclnode; |
1330 |
void *newacep; |
|
1331 |
uint64_t fuid; |
|
1332 |
uint16_t flags; |
|
789 | 1333 |
|
5331 | 1334 |
aclnode = zfs_acl_ace_insert(aclp, acep); |
1335 |
newacep = aclnode->z_acldata; |
|
1336 |
fuid = aclp->z_ops.ace_who_get(acep); |
|
1337 |
flags = aclp->z_ops.ace_flags_get(acep); |
|
1338 |
zfs_set_ace(aclp, newacep, 0, DENY, fuid, (flags & ACE_TYPE_FLAGS)); |
|
9179
d8fbd96b79b3
6790064 zfs needs to determine uid and gid earlier in create process
Mark Shellenbaum <Mark.Shellenbaum@Sun.COM>
parents:
8952
diff
changeset
|
1339 |
zfs_acl_prepend_fixup(aclp, newacep, acep, mode, uid); |
5331 | 1340 |
|
1341 |
return (newacep); |
|
789 | 1342 |
} |
1343 |
||
1344 |
/* |
|
1345 |
* Split an inherited ACE into inherit_only ACE |
|
1346 |
* and original ACE with inheritance flags stripped off. |
|
1347 |
*/ |
|
1348 |
static void |
|
5331 | 1349 |
zfs_acl_split_ace(zfs_acl_t *aclp, zfs_ace_hdr_t *acep) |
789 | 1350 |
{ |
5331 | 1351 |
zfs_acl_node_t *aclnode; |
5435 | 1352 |
zfs_acl_node_t *currnode; |
5331 | 1353 |
void *newacep; |
1354 |
uint16_t type, flags; |
|
1355 |
uint32_t mask; |
|
1356 |
uint64_t fuid; |
|
789 | 1357 |
|
5331 | 1358 |
type = aclp->z_ops.ace_type_get(acep); |
1359 |
flags = aclp->z_ops.ace_flags_get(acep); |
|
1360 |
mask = aclp->z_ops.ace_mask_get(acep); |
|
1361 |
fuid = aclp->z_ops.ace_who_get(acep); |
|
1362 |
||
1363 |
aclnode = zfs_acl_ace_insert(aclp, acep); |
|
1364 |
newacep = aclnode->z_acldata; |
|
1365 |
||
1366 |
aclp->z_ops.ace_type_set(newacep, type); |
|
1367 |
aclp->z_ops.ace_flags_set(newacep, flags | ACE_INHERIT_ONLY_ACE); |
|
1368 |
aclp->z_ops.ace_mask_set(newacep, mask); |
|
1369 |
aclp->z_ops.ace_type_set(newacep, type); |
|
1370 |
aclp->z_ops.ace_who_set(newacep, fuid); |
|
1371 |
aclp->z_next_ace = acep; |
|
1372 |
flags &= ~ALL_INHERIT; |
|
1373 |
aclp->z_ops.ace_flags_set(acep, flags); |
|
5435 | 1374 |
currnode = zfs_acl_curr_node(aclp); |
1375 |
ASSERT(currnode->z_ace_idx >= 1); |
|
5331 | 1376 |
currnode->z_ace_idx -= 1; |
789 | 1377 |
} |
1378 |
||
1379 |
/* |
|
1380 |
* Are ACES started at index i, the canonical six ACES? |
|
1381 |
*/ |
|
1382 |
static int |
|
5331 | 1383 |
zfs_have_canonical_six(zfs_acl_t *aclp) |
789 | 1384 |
{ |
5331 | 1385 |
void *acep; |
1386 |
zfs_acl_node_t *aclnode = list_tail(&aclp->z_acl); |
|
1387 |
int i = 0; |
|
1388 |
size_t abstract_size = aclp->z_ops.ace_abstract_size(); |
|
1389 |
||
1390 |
ASSERT(aclnode != NULL); |
|
789 | 1391 |
|
5331 | 1392 |
if (aclnode->z_ace_count < 6) |
1393 |
return (0); |
|
1394 |
||
1395 |
acep = (void *)((caddr_t)aclnode->z_acldata + |
|
1396 |
aclnode->z_size - (aclp->z_ops.ace_abstract_size() * 6)); |
|
1397 |
||
1398 |
if ((zfs_acl_ace_match(aclp, (caddr_t)acep + (abstract_size * i++), |
|
789 | 1399 |
DENY, ACE_OWNER, 0) && |
5331 | 1400 |
zfs_acl_ace_match(aclp, (caddr_t)acep + (abstract_size * i++), |
1401 |
ALLOW, ACE_OWNER, OWNER_ALLOW_MASK) && |
|
1402 |
zfs_acl_ace_match(aclp, (caddr_t)acep + (abstract_size * i++), DENY, |
|
1403 |
OWNING_GROUP, 0) && zfs_acl_ace_match(aclp, (caddr_t)acep + |
|
1404 |
(abstract_size * i++), |
|
1405 |
ALLOW, OWNING_GROUP, 0) && |
|
1406 |
zfs_acl_ace_match(aclp, (caddr_t)acep + (abstract_size * i++), |
|
789 | 1407 |
DENY, ACE_EVERYONE, EVERYONE_DENY_MASK) && |
5331 | 1408 |
zfs_acl_ace_match(aclp, (caddr_t)acep + (abstract_size * i++), |
1409 |
ALLOW, ACE_EVERYONE, EVERYONE_ALLOW_MASK))) { |
|
789 | 1410 |
return (1); |
1411 |
} else { |
|
1412 |
return (0); |
|
1413 |
} |
|
1414 |
} |
|
1415 |
||
5331 | 1416 |
|
789 | 1417 |
/* |
1418 |
* Apply step 1g, to group entries |
|
1419 |
* |
|
1420 |
* Need to deal with corner case where group may have |
|
1421 |
* greater permissions than owner. If so then limit |
|
1422 |
* group permissions, based on what extra permissions |
|
1423 |
* group has. |
|
1424 |
*/ |
|
1425 |
static void |
|
5331 | 1426 |
zfs_fixup_group_entries(zfs_acl_t *aclp, void *acep, void *prevacep, |
1427 |
mode_t mode) |
|
789 | 1428 |
{ |
5331 | 1429 |
uint32_t prevmask = aclp->z_ops.ace_mask_get(prevacep); |
1430 |
uint32_t mask = aclp->z_ops.ace_mask_get(acep); |
|
1431 |
uint16_t prevflags = aclp->z_ops.ace_flags_get(prevacep); |
|
789 | 1432 |
mode_t extramode = (mode >> 3) & 07; |
1433 |
mode_t ownermode = (mode >> 6); |
|
1434 |
||
5331 | 1435 |
if (prevflags & ACE_IDENTIFIER_GROUP) { |
789 | 1436 |
|
1437 |
extramode &= ~ownermode; |
|
1438 |
||
1439 |
if (extramode) { |
|
5331 | 1440 |
if (extramode & S_IROTH) { |
1441 |
prevmask &= ~ACE_READ_DATA; |
|
1442 |
mask &= ~ACE_READ_DATA; |
|
789 | 1443 |
} |
5331 | 1444 |
if (extramode & S_IWOTH) { |
1445 |
prevmask &= ~(ACE_WRITE_DATA|ACE_APPEND_DATA); |
|
1446 |
mask &= ~(ACE_WRITE_DATA|ACE_APPEND_DATA); |
|
789 | 1447 |
} |
5331 | 1448 |
if (extramode & S_IXOTH) { |
1449 |
prevmask &= ~ACE_EXECUTE; |
|
1450 |
mask &= ~ACE_EXECUTE; |
|
789 | 1451 |
} |
1452 |
} |
|
1453 |
} |
|
5331 | 1454 |
aclp->z_ops.ace_mask_set(acep, mask); |
1455 |
aclp->z_ops.ace_mask_set(prevacep, prevmask); |
|
789 | 1456 |
} |
1457 |
||
1458 |
/* |
|
1459 |
* Apply the chmod algorithm as described |
|
1460 |
* in PSARC/2002/240 |
|
1461 |
*/ |
|
5824 | 1462 |
static void |
9179
d8fbd96b79b3
6790064 zfs needs to determine uid and gid earlier in create process
Mark Shellenbaum <Mark.Shellenbaum@Sun.COM>
parents:
8952
diff
changeset
|
1463 |
zfs_acl_chmod(zfsvfs_t *zfsvfs, uint64_t uid, |
d8fbd96b79b3
6790064 zfs needs to determine uid and gid earlier in create process
Mark Shellenbaum <Mark.Shellenbaum@Sun.COM>
parents:
8952
diff
changeset
|
1464 |
uint64_t mode, zfs_acl_t *aclp) |
789 | 1465 |
{ |
5331 | 1466 |
void *acep = NULL, *prevacep = NULL; |
1467 |
uint64_t who; |
|
789 | 1468 |
int i; |
1469 |
int entry_type; |
|
1470 |
int reuse_deny; |
|
1471 |
int need_canonical_six = 1; |
|
5331 | 1472 |
uint16_t iflags, type; |
1473 |
uint32_t access_mask; |
|
789 | 1474 |
|
5489
25bfaf065197
6601830 mismatch between zfs_mount() behavior and comment
marks
parents:
5435
diff
changeset
|
1475 |
/* |
25bfaf065197
6601830 mismatch between zfs_mount() behavior and comment
marks
parents:
5435
diff
changeset
|
1476 |
* If discard then just discard all ACL nodes which |
25bfaf065197
6601830 mismatch between zfs_mount() behavior and comment
marks
parents:
5435
diff
changeset
|
1477 |
* represent the ACEs. |
25bfaf065197
6601830 mismatch between zfs_mount() behavior and comment
marks
parents:
5435
diff
changeset
|
1478 |
* |
25bfaf065197
6601830 mismatch between zfs_mount() behavior and comment
marks
parents:
5435
diff
changeset
|
1479 |
* New owner@/group@/everone@ ACEs will be added |
25bfaf065197
6601830 mismatch between zfs_mount() behavior and comment
marks
parents:
5435
diff
changeset
|
1480 |
* later. |
25bfaf065197
6601830 mismatch between zfs_mount() behavior and comment
marks
parents:
5435
diff
changeset
|
1481 |
*/ |
25bfaf065197
6601830 mismatch between zfs_mount() behavior and comment
marks
parents:
5435
diff
changeset
|
1482 |
if (zfsvfs->z_acl_mode == ZFS_ACL_DISCARD) |
25bfaf065197
6601830 mismatch between zfs_mount() behavior and comment
marks
parents:
5435
diff
changeset
|
1483 |
zfs_acl_release_nodes(aclp); |
25bfaf065197
6601830 mismatch between zfs_mount() behavior and comment
marks
parents:
5435
diff
changeset
|
1484 |
|
5331 | 1485 |
while (acep = zfs_acl_next_ace(aclp, acep, &who, &access_mask, |
1486 |
&iflags, &type)) { |
|
1487 |
||
1488 |
entry_type = (iflags & ACE_TYPE_FLAGS); |
|
1489 |
iflags = (iflags & ALL_INHERIT); |
|
789 | 1490 |
|
5331 | 1491 |
if ((type != ALLOW && type != DENY) || |
905
920e9b2e0899
6347134 zfs_zaccess() is killing ZFS stat() performance
marks
parents:
865
diff
changeset
|
1492 |
(iflags & ACE_INHERIT_ONLY_ACE)) { |
920e9b2e0899
6347134 zfs_zaccess() is killing ZFS stat() performance
marks
parents:
865
diff
changeset
|
1493 |
if (iflags) |
5331 | 1494 |
aclp->z_hints |= ZFS_INHERIT_ACE; |
1495 |
switch (type) { |
|
1496 |
case ACE_ACCESS_ALLOWED_OBJECT_ACE_TYPE: |
|
1497 |
case ACE_ACCESS_DENIED_OBJECT_ACE_TYPE: |
|
1498 |
case ACE_SYSTEM_AUDIT_OBJECT_ACE_TYPE: |
|
1499 |
case ACE_SYSTEM_ALARM_OBJECT_ACE_TYPE: |
|
1500 |
aclp->z_hints |= ZFS_ACL_OBJ_ACE; |
|
1501 |
break; |
|
1502 |
} |
|
1503 |
goto nextace; |
|
789 | 1504 |
} |
1505 |
||
1506 |
/* |
|
1507 |
* Need to split ace into two? |
|
1508 |
*/ |
|
905
920e9b2e0899
6347134 zfs_zaccess() is killing ZFS stat() performance
marks
parents:
865
diff
changeset
|
1509 |
if ((iflags & (ACE_FILE_INHERIT_ACE| |
789 | 1510 |
ACE_DIRECTORY_INHERIT_ACE)) && |
905
920e9b2e0899
6347134 zfs_zaccess() is killing ZFS stat() performance
marks
parents:
865
diff
changeset
|
1511 |
(!(iflags & ACE_INHERIT_ONLY_ACE))) { |
5331 | 1512 |
zfs_acl_split_ace(aclp, acep); |
1513 |
aclp->z_hints |= ZFS_INHERIT_ACE; |
|
1514 |
goto nextace; |
|
789 | 1515 |
} |
1516 |
||
1517 |
if (entry_type == ACE_OWNER || entry_type == ACE_EVERYONE || |
|
1518 |
(entry_type == OWNING_GROUP)) { |
|
5331 | 1519 |
access_mask &= ~OGE_CLEAR; |
1520 |
aclp->z_ops.ace_mask_set(acep, access_mask); |
|
1521 |
goto nextace; |
|
789 | 1522 |
} else { |
5331 | 1523 |
reuse_deny = B_TRUE; |
1524 |
if (type == ALLOW) { |
|
789 | 1525 |
|
1526 |
/* |
|
1527 |
* Check preceding ACE if any, to see |
|
1528 |
* if we need to prepend a DENY ACE. |
|
1529 |
* This is only applicable when the acl_mode |
|
1530 |
* property == groupmask. |
|
1531 |
*/ |
|
2676 | 1532 |
if (zfsvfs->z_acl_mode == ZFS_ACL_GROUPMASK) { |
789 | 1533 |
|
5331 | 1534 |
reuse_deny = zfs_reuse_deny(aclp, acep, |
1535 |
prevacep); |
|
789 | 1536 |
|
5959
1e1904b8526d
6650192 zfs ACL/fuid code could use some minor cleanup
marks
parents:
5824
diff
changeset
|
1537 |
if (!reuse_deny) { |
5331 | 1538 |
prevacep = |
9179
d8fbd96b79b3
6790064 zfs needs to determine uid and gid earlier in create process
Mark Shellenbaum <Mark.Shellenbaum@Sun.COM>
parents:
8952
diff
changeset
|
1539 |
zfs_acl_prepend_deny(uid, |
5331 | 1540 |
aclp, acep, mode); |
789 | 1541 |
} else { |
1542 |
zfs_acl_prepend_fixup( |
|
5331 | 1543 |
aclp, prevacep, |
9179
d8fbd96b79b3
6790064 zfs needs to determine uid and gid earlier in create process
Mark Shellenbaum <Mark.Shellenbaum@Sun.COM>
parents:
8952
diff
changeset
|
1544 |
acep, mode, uid); |
789 | 1545 |
} |
5331 | 1546 |
zfs_fixup_group_entries(aclp, acep, |
1547 |
prevacep, mode); |
|
789 | 1548 |
} |
1549 |
} |
|
1550 |
} |
|
5331 | 1551 |
nextace: |
1552 |
prevacep = acep; |
|
789 | 1553 |
} |
1554 |
||
1555 |
/* |
|
1556 |
* Check out last six aces, if we have six. |
|
1557 |
*/ |
|
1558 |
||
1559 |
if (aclp->z_acl_count >= 6) { |
|
5331 | 1560 |
if (zfs_have_canonical_six(aclp)) { |
789 | 1561 |
need_canonical_six = 0; |
1562 |
} |
|
1563 |
} |
|
1564 |
||
1565 |
if (need_canonical_six) { |
|
5331 | 1566 |
size_t abstract_size = aclp->z_ops.ace_abstract_size(); |
1567 |
void *zacep; |
|
1568 |
zfs_acl_node_t *aclnode = |
|
1569 |
zfs_acl_node_alloc(abstract_size * 6); |
|
789 | 1570 |
|
5331 | 1571 |
aclnode->z_size = abstract_size * 6; |
1572 |
aclnode->z_ace_count = 6; |
|
1573 |
aclp->z_acl_bytes += aclnode->z_size; |
|
1574 |
list_insert_tail(&aclp->z_acl, aclnode); |
|
1575 |
||
1576 |
zacep = aclnode->z_acldata; |
|
1577 |
||
1578 |
i = 0; |
|
1579 |
zfs_set_ace(aclp, (caddr_t)zacep + (abstract_size * i++), |
|
1580 |
0, DENY, -1, ACE_OWNER); |
|
1581 |
zfs_set_ace(aclp, (caddr_t)zacep + (abstract_size * i++), |
|
1582 |
OWNER_ALLOW_MASK, ALLOW, -1, ACE_OWNER); |
|
1583 |
zfs_set_ace(aclp, (caddr_t)zacep + (abstract_size * i++), 0, |
|
1584 |
DENY, -1, OWNING_GROUP); |
|
1585 |
zfs_set_ace(aclp, (caddr_t)zacep + (abstract_size * i++), 0, |
|
1586 |
ALLOW, -1, OWNING_GROUP); |
|
1587 |
zfs_set_ace(aclp, (caddr_t)zacep + (abstract_size * i++), |
|
1588 |
EVERYONE_DENY_MASK, DENY, -1, ACE_EVERYONE); |
|
1589 |
zfs_set_ace(aclp, (caddr_t)zacep + (abstract_size * i++), |
|
1590 |
EVERYONE_ALLOW_MASK, ALLOW, -1, ACE_EVERYONE); |
|
789 | 1591 |
aclp->z_acl_count += 6; |
1592 |
} |
|
1593 |
||
1594 |
zfs_acl_fixup_canonical_six(aclp, mode); |
|
1595 |
} |
|
1596 |
||
1597 |
int |
|
5824 | 1598 |
zfs_acl_chmod_setattr(znode_t *zp, zfs_acl_t **aclp, uint64_t mode) |
789 | 1599 |
{ |
1600 |
int error; |
|
1601 |
||
5824 | 1602 |
mutex_enter(&zp->z_lock); |
789 | 1603 |
mutex_enter(&zp->z_acl_lock); |
5824 | 1604 |
*aclp = NULL; |
1605 |
error = zfs_acl_node_read(zp, aclp, B_TRUE); |
|
9179
d8fbd96b79b3
6790064 zfs needs to determine uid and gid earlier in create process
Mark Shellenbaum <Mark.Shellenbaum@Sun.COM>
parents:
8952
diff
changeset
|
1606 |
if (error == 0) { |
d8fbd96b79b3
6790064 zfs needs to determine uid and gid earlier in create process
Mark Shellenbaum <Mark.Shellenbaum@Sun.COM>
parents:
8952
diff
changeset
|
1607 |
(*aclp)->z_hints = zp->z_phys->zp_flags & V4_ACL_WIDE_FLAGS; |
d8fbd96b79b3
6790064 zfs needs to determine uid and gid earlier in create process
Mark Shellenbaum <Mark.Shellenbaum@Sun.COM>
parents:
8952
diff
changeset
|
1608 |
zfs_acl_chmod(zp->z_zfsvfs, zp->z_phys->zp_uid, mode, *aclp); |
d8fbd96b79b3
6790064 zfs needs to determine uid and gid earlier in create process
Mark Shellenbaum <Mark.Shellenbaum@Sun.COM>
parents:
8952
diff
changeset
|
1609 |
} |
789 | 1610 |
mutex_exit(&zp->z_acl_lock); |
5824 | 1611 |
mutex_exit(&zp->z_lock); |
789 | 1612 |
return (error); |
1613 |
} |
|
1614 |
||
1615 |
/* |
|
1616 |
* strip off write_owner and write_acl |
|
1617 |
*/ |
|
1618 |
static void |
|
6385
5437941ec5a1
PSARC/2008/231 New ZFS "passthrough" ACL inheritance rules
marks
parents:
6257
diff
changeset
|
1619 |
zfs_restricted_update(zfsvfs_t *zfsvfs, zfs_acl_t *aclp, void *acep) |
789 | 1620 |
{ |
5331 | 1621 |
uint32_t mask = aclp->z_ops.ace_mask_get(acep); |
1622 |
||
6385
5437941ec5a1
PSARC/2008/231 New ZFS "passthrough" ACL inheritance rules
marks
parents:
6257
diff
changeset
|
1623 |
if ((zfsvfs->z_acl_inherit == ZFS_ACL_RESTRICTED) && |
5331 | 1624 |
(aclp->z_ops.ace_type_get(acep) == ALLOW)) { |
6385
5437941ec5a1
PSARC/2008/231 New ZFS "passthrough" ACL inheritance rules
marks
parents:
6257
diff
changeset
|
1625 |
mask &= ~RESTRICTED_CLEAR; |
5331 | 1626 |
aclp->z_ops.ace_mask_set(acep, mask); |
1627 |
} |
|
1628 |
} |
|
1629 |
||
1630 |
/* |
|
1631 |
* Should ACE be inherited? |
|
1632 |
*/ |
|
1633 |
static int |
|
9179
d8fbd96b79b3
6790064 zfs needs to determine uid and gid earlier in create process
Mark Shellenbaum <Mark.Shellenbaum@Sun.COM>
parents:
8952
diff
changeset
|
1634 |
zfs_ace_can_use(vtype_t vtype, uint16_t acep_flags) |
5331 | 1635 |
{ |
1636 |
int iflags = (acep_flags & 0xf); |
|
1637 |
||
1638 |
if ((vtype == VDIR) && (iflags & ACE_DIRECTORY_INHERIT_ACE)) |
|
1639 |
return (1); |
|
1640 |
else if (iflags & ACE_FILE_INHERIT_ACE) |
|
1641 |
return (!((vtype == VDIR) && |
|
1642 |
(iflags & ACE_NO_PROPAGATE_INHERIT_ACE))); |
|
1643 |
return (0); |
|
789 | 1644 |
} |
1645 |
||
1646 |
/* |
|
1647 |
* inherit inheritable ACEs from parent |
|
1648 |
*/ |
|
1649 |
static zfs_acl_t * |
|
9179
d8fbd96b79b3
6790064 zfs needs to determine uid and gid earlier in create process
Mark Shellenbaum <Mark.Shellenbaum@Sun.COM>
parents:
8952
diff
changeset
|
1650 |
zfs_acl_inherit(zfsvfs_t *zfsvfs, vtype_t vtype, zfs_acl_t *paclp, |
d8fbd96b79b3
6790064 zfs needs to determine uid and gid earlier in create process
Mark Shellenbaum <Mark.Shellenbaum@Sun.COM>
parents:
8952
diff
changeset
|
1651 |
uint64_t mode, boolean_t *need_chmod) |
789 | 1652 |
{ |
5331 | 1653 |
void *pacep; |
1654 |
void *acep, *acep2; |
|
1655 |
zfs_acl_node_t *aclnode, *aclnode2; |
|
789 | 1656 |
zfs_acl_t *aclp = NULL; |
5331 | 1657 |
uint64_t who; |
1658 |
uint32_t access_mask; |
|
1659 |
uint16_t iflags, newflags, type; |
|
1660 |
size_t ace_size; |
|
1661 |
void *data1, *data2; |
|
1662 |
size_t data1sz, data2sz; |
|
9179
d8fbd96b79b3
6790064 zfs needs to determine uid and gid earlier in create process
Mark Shellenbaum <Mark.Shellenbaum@Sun.COM>
parents:
8952
diff
changeset
|
1663 |
boolean_t vdir = vtype == VDIR; |
d8fbd96b79b3
6790064 zfs needs to determine uid and gid earlier in create process
Mark Shellenbaum <Mark.Shellenbaum@Sun.COM>
parents:
8952
diff
changeset
|
1664 |
boolean_t vreg = vtype == VREG; |
8053
271f44d3de11
PSARC/2008/659 New ZFS "passthrough-x" ACL inheritance rules
Mark Shellenbaum <Mark.Shellenbaum@Sun.COM>
parents:
7624
diff
changeset
|
1665 |
boolean_t passthrough, passthrough_x, noallow; |
271f44d3de11
PSARC/2008/659 New ZFS "passthrough-x" ACL inheritance rules
Mark Shellenbaum <Mark.Shellenbaum@Sun.COM>
parents:
7624
diff
changeset
|
1666 |
|
271f44d3de11
PSARC/2008/659 New ZFS "passthrough-x" ACL inheritance rules
Mark Shellenbaum <Mark.Shellenbaum@Sun.COM>
parents:
7624
diff
changeset
|
1667 |
passthrough_x = |
271f44d3de11
PSARC/2008/659 New ZFS "passthrough-x" ACL inheritance rules
Mark Shellenbaum <Mark.Shellenbaum@Sun.COM>
parents:
7624
diff
changeset
|
1668 |
zfsvfs->z_acl_inherit == ZFS_ACL_PASSTHROUGH_X; |
271f44d3de11
PSARC/2008/659 New ZFS "passthrough-x" ACL inheritance rules
Mark Shellenbaum <Mark.Shellenbaum@Sun.COM>
parents:
7624
diff
changeset
|
1669 |
passthrough = passthrough_x || |
271f44d3de11
PSARC/2008/659 New ZFS "passthrough-x" ACL inheritance rules
Mark Shellenbaum <Mark.Shellenbaum@Sun.COM>
parents:
7624
diff
changeset
|
1670 |
zfsvfs->z_acl_inherit == ZFS_ACL_PASSTHROUGH; |
271f44d3de11
PSARC/2008/659 New ZFS "passthrough-x" ACL inheritance rules
Mark Shellenbaum <Mark.Shellenbaum@Sun.COM>
parents:
7624
diff
changeset
|
1671 |
noallow = |
271f44d3de11
PSARC/2008/659 New ZFS "passthrough-x" ACL inheritance rules
Mark Shellenbaum <Mark.Shellenbaum@Sun.COM>
parents:
7624
diff
changeset
|
1672 |
zfsvfs->z_acl_inherit == ZFS_ACL_NOALLOW; |
789 | 1673 |
|
6385
5437941ec5a1
PSARC/2008/231 New ZFS "passthrough" ACL inheritance rules
marks
parents:
6257
diff
changeset
|
1674 |
*need_chmod = B_TRUE; |
5331 | 1675 |
pacep = NULL; |
7559
a2e9a3201169
6746456 ZFS doesn't inherit old ACLs correctly on upgraded file system
Mark Shellenbaum <Mark.Shellenbaum@Sun.COM>
parents:
7328
diff
changeset
|
1676 |
aclp = zfs_acl_alloc(paclp->z_version); |
8053
271f44d3de11
PSARC/2008/659 New ZFS "passthrough-x" ACL inheritance rules
Mark Shellenbaum <Mark.Shellenbaum@Sun.COM>
parents:
7624
diff
changeset
|
1677 |
if (zfsvfs->z_acl_inherit == ZFS_ACL_DISCARD) |
271f44d3de11
PSARC/2008/659 New ZFS "passthrough-x" ACL inheritance rules
Mark Shellenbaum <Mark.Shellenbaum@Sun.COM>
parents:
7624
diff
changeset
|
1678 |
return (aclp); |
271f44d3de11
PSARC/2008/659 New ZFS "passthrough-x" ACL inheritance rules
Mark Shellenbaum <Mark.Shellenbaum@Sun.COM>
parents:
7624
diff
changeset
|
1679 |
while (pacep = zfs_acl_next_ace(paclp, pacep, &who, |
271f44d3de11
PSARC/2008/659 New ZFS "passthrough-x" ACL inheritance rules
Mark Shellenbaum <Mark.Shellenbaum@Sun.COM>
parents:
7624
diff
changeset
|
1680 |
&access_mask, &iflags, &type)) { |
271f44d3de11
PSARC/2008/659 New ZFS "passthrough-x" ACL inheritance rules
Mark Shellenbaum <Mark.Shellenbaum@Sun.COM>
parents:
7624
diff
changeset
|
1681 |
|
271f44d3de11
PSARC/2008/659 New ZFS "passthrough-x" ACL inheritance rules
Mark Shellenbaum <Mark.Shellenbaum@Sun.COM>
parents:
7624
diff
changeset
|
1682 |
/* |
271f44d3de11
PSARC/2008/659 New ZFS "passthrough-x" ACL inheritance rules
Mark Shellenbaum <Mark.Shellenbaum@Sun.COM>
parents:
7624
diff
changeset
|
1683 |
* don't inherit bogus ACEs |
271f44d3de11
PSARC/2008/659 New ZFS "passthrough-x" ACL inheritance rules
Mark Shellenbaum <Mark.Shellenbaum@Sun.COM>
parents:
7624
diff
changeset
|
1684 |
*/ |
271f44d3de11
PSARC/2008/659 New ZFS "passthrough-x" ACL inheritance rules
Mark Shellenbaum <Mark.Shellenbaum@Sun.COM>
parents:
7624
diff
changeset
|
1685 |
if (!zfs_acl_valid_ace_type(type, iflags)) |
271f44d3de11
PSARC/2008/659 New ZFS "passthrough-x" ACL inheritance rules
Mark Shellenbaum <Mark.Shellenbaum@Sun.COM>
parents:
7624
diff
changeset
|
1686 |
continue; |
271f44d3de11
PSARC/2008/659 New ZFS "passthrough-x" ACL inheritance rules
Mark Shellenbaum <Mark.Shellenbaum@Sun.COM>
parents:
7624
diff
changeset
|
1687 |
|
271f44d3de11
PSARC/2008/659 New ZFS "passthrough-x" ACL inheritance rules
Mark Shellenbaum <Mark.Shellenbaum@Sun.COM>
parents:
7624
diff
changeset
|
1688 |
if (noallow && type == ALLOW) |
271f44d3de11
PSARC/2008/659 New ZFS "passthrough-x" ACL inheritance rules
Mark Shellenbaum <Mark.Shellenbaum@Sun.COM>
parents:
7624
diff
changeset
|
1689 |
continue; |
271f44d3de11
PSARC/2008/659 New ZFS "passthrough-x" ACL inheritance rules
Mark Shellenbaum <Mark.Shellenbaum@Sun.COM>
parents:
7624
diff
changeset
|
1690 |
|
271f44d3de11
PSARC/2008/659 New ZFS "passthrough-x" ACL inheritance rules
Mark Shellenbaum <Mark.Shellenbaum@Sun.COM>
parents:
7624
diff
changeset
|
1691 |
ace_size = aclp->z_ops.ace_size(pacep); |
271f44d3de11
PSARC/2008/659 New ZFS "passthrough-x" ACL inheritance rules
Mark Shellenbaum <Mark.Shellenbaum@Sun.COM>
parents:
7624
diff
changeset
|
1692 |
|
9179
d8fbd96b79b3
6790064 zfs needs to determine uid and gid earlier in create process
Mark Shellenbaum <Mark.Shellenbaum@Sun.COM>
parents:
8952
diff
changeset
|
1693 |
if (!zfs_ace_can_use(vtype, iflags)) |
8053
271f44d3de11
PSARC/2008/659 New ZFS "passthrough-x" ACL inheritance rules
Mark Shellenbaum <Mark.Shellenbaum@Sun.COM>
parents:
7624
diff
changeset
|
1694 |
continue; |
789 | 1695 |
|
8053
271f44d3de11
PSARC/2008/659 New ZFS "passthrough-x" ACL inheritance rules
Mark Shellenbaum <Mark.Shellenbaum@Sun.COM>
parents:
7624
diff
changeset
|
1696 |
/* |
271f44d3de11
PSARC/2008/659 New ZFS "passthrough-x" ACL inheritance rules
Mark Shellenbaum <Mark.Shellenbaum@Sun.COM>
parents:
7624
diff
changeset
|
1697 |
* If owner@, group@, or everyone@ inheritable |
271f44d3de11
PSARC/2008/659 New ZFS "passthrough-x" ACL inheritance rules
Mark Shellenbaum <Mark.Shellenbaum@Sun.COM>
parents:
7624
diff
changeset
|
1698 |
* then zfs_acl_chmod() isn't needed. |
271f44d3de11
PSARC/2008/659 New ZFS "passthrough-x" ACL inheritance rules
Mark Shellenbaum <Mark.Shellenbaum@Sun.COM>
parents:
7624
diff
changeset
|
1699 |
*/ |
271f44d3de11
PSARC/2008/659 New ZFS "passthrough-x" ACL inheritance rules
Mark Shellenbaum <Mark.Shellenbaum@Sun.COM>
parents:
7624
diff
changeset
|
1700 |
if (passthrough && |
271f44d3de11
PSARC/2008/659 New ZFS "passthrough-x" ACL inheritance rules
Mark Shellenbaum <Mark.Shellenbaum@Sun.COM>
parents:
7624
diff
changeset
|
1701 |
((iflags & (ACE_OWNER|ACE_EVERYONE)) || |
271f44d3de11
PSARC/2008/659 New ZFS "passthrough-x" ACL inheritance rules
Mark Shellenbaum <Mark.Shellenbaum@Sun.COM>
parents:
7624
diff
changeset
|
1702 |
((iflags & OWNING_GROUP) == |
271f44d3de11
PSARC/2008/659 New ZFS "passthrough-x" ACL inheritance rules
Mark Shellenbaum <Mark.Shellenbaum@Sun.COM>
parents:
7624
diff
changeset
|
1703 |
OWNING_GROUP)) && (vreg || (vdir && (iflags & |
271f44d3de11
PSARC/2008/659 New ZFS "passthrough-x" ACL inheritance rules
Mark Shellenbaum <Mark.Shellenbaum@Sun.COM>
parents:
7624
diff
changeset
|
1704 |
ACE_DIRECTORY_INHERIT_ACE)))) { |
271f44d3de11
PSARC/2008/659 New ZFS "passthrough-x" ACL inheritance rules
Mark Shellenbaum <Mark.Shellenbaum@Sun.COM>
parents:
7624
diff
changeset
|
1705 |
*need_chmod = B_FALSE; |
7559
a2e9a3201169
6746456 ZFS doesn't inherit old ACLs correctly on upgraded file system
Mark Shellenbaum <Mark.Shellenbaum@Sun.COM>
parents:
7328
diff
changeset
|
1706 |
|
8053
271f44d3de11
PSARC/2008/659 New ZFS "passthrough-x" ACL inheritance rules
Mark Shellenbaum <Mark.Shellenbaum@Sun.COM>
parents:
7624
diff
changeset
|
1707 |
if (!vdir && passthrough_x && |
271f44d3de11
PSARC/2008/659 New ZFS "passthrough-x" ACL inheritance rules
Mark Shellenbaum <Mark.Shellenbaum@Sun.COM>
parents:
7624
diff
changeset
|
1708 |
((mode & (S_IXUSR | S_IXGRP | S_IXOTH)) == 0)) { |
271f44d3de11
PSARC/2008/659 New ZFS "passthrough-x" ACL inheritance rules
Mark Shellenbaum <Mark.Shellenbaum@Sun.COM>
parents:
7624
diff
changeset
|
1709 |
access_mask &= ~ACE_EXECUTE; |
271f44d3de11
PSARC/2008/659 New ZFS "passthrough-x" ACL inheritance rules
Mark Shellenbaum <Mark.Shellenbaum@Sun.COM>
parents:
7624
diff
changeset
|
1710 |
} |
271f44d3de11
PSARC/2008/659 New ZFS "passthrough-x" ACL inheritance rules
Mark Shellenbaum <Mark.Shellenbaum@Sun.COM>
parents:
7624
diff
changeset
|
1711 |
} |
789 | 1712 |
|
8053
271f44d3de11
PSARC/2008/659 New ZFS "passthrough-x" ACL inheritance rules
Mark Shellenbaum <Mark.Shellenbaum@Sun.COM>
parents:
7624
diff
changeset
|
1713 |
aclnode = zfs_acl_node_alloc(ace_size); |
271f44d3de11
PSARC/2008/659 New ZFS "passthrough-x" ACL inheritance rules
Mark Shellenbaum <Mark.Shellenbaum@Sun.COM>
parents:
7624
diff
changeset
|
1714 |
list_insert_tail(&aclp->z_acl, aclnode); |
271f44d3de11
PSARC/2008/659 New ZFS "passthrough-x" ACL inheritance rules
Mark Shellenbaum <Mark.Shellenbaum@Sun.COM>
parents:
7624
diff
changeset
|
1715 |
acep = aclnode->z_acldata; |
6385
5437941ec5a1
PSARC/2008/231 New ZFS "passthrough" ACL inheritance rules
marks
parents:
6257
diff
changeset
|
1716 |
|
8053
271f44d3de11
PSARC/2008/659 New ZFS "passthrough-x" ACL inheritance rules
Mark Shellenbaum <Mark.Shellenbaum@Sun.COM>
parents:
7624
diff
changeset
|
1717 |
zfs_set_ace(aclp, acep, access_mask, type, |
271f44d3de11
PSARC/2008/659 New ZFS "passthrough-x" ACL inheritance rules
Mark Shellenbaum <Mark.Shellenbaum@Sun.COM>
parents:
7624
diff
changeset
|
1718 |
who, iflags|ACE_INHERITED_ACE); |
271f44d3de11
PSARC/2008/659 New ZFS "passthrough-x" ACL inheritance rules
Mark Shellenbaum <Mark.Shellenbaum@Sun.COM>
parents:
7624
diff
changeset
|
1719 |
|
271f44d3de11
PSARC/2008/659 New ZFS "passthrough-x" ACL inheritance rules
Mark Shellenbaum <Mark.Shellenbaum@Sun.COM>
parents:
7624
diff
changeset
|
1720 |
/* |
271f44d3de11
PSARC/2008/659 New ZFS "passthrough-x" ACL inheritance rules
Mark Shellenbaum <Mark.Shellenbaum@Sun.COM>
parents:
7624
diff
changeset
|
1721 |
* Copy special opaque data if any |
271f44d3de11
PSARC/2008/659 New ZFS "passthrough-x" ACL inheritance rules
Mark Shellenbaum <Mark.Shellenbaum@Sun.COM>
parents:
7624
diff
changeset
|
1722 |
*/ |
271f44d3de11
PSARC/2008/659 New ZFS "passthrough-x" ACL inheritance rules
Mark Shellenbaum <Mark.Shellenbaum@Sun.COM>
parents:
7624
diff
changeset
|
1723 |
if ((data1sz = paclp->z_ops.ace_data(pacep, &data1)) != 0) { |
271f44d3de11
PSARC/2008/659 New ZFS "passthrough-x" ACL inheritance rules
Mark Shellenbaum <Mark.Shellenbaum@Sun.COM>
parents:
7624
diff
changeset
|
1724 |
VERIFY((data2sz = aclp->z_ops.ace_data(acep, |
271f44d3de11
PSARC/2008/659 New ZFS "passthrough-x" ACL inheritance rules
Mark Shellenbaum <Mark.Shellenbaum@Sun.COM>
parents:
7624
diff
changeset
|
1725 |
&data2)) == data1sz); |
271f44d3de11
PSARC/2008/659 New ZFS "passthrough-x" ACL inheritance rules
Mark Shellenbaum <Mark.Shellenbaum@Sun.COM>
parents:
7624
diff
changeset
|
1726 |
bcopy(data1, data2, data2sz); |
271f44d3de11
PSARC/2008/659 New ZFS "passthrough-x" ACL inheritance rules
Mark Shellenbaum <Mark.Shellenbaum@Sun.COM>
parents:
7624
diff
changeset
|
1727 |
} |
271f44d3de11
PSARC/2008/659 New ZFS "passthrough-x" ACL inheritance rules
Mark Shellenbaum <Mark.Shellenbaum@Sun.COM>
parents:
7624
diff
changeset
|
1728 |
aclp->z_acl_count++; |
271f44d3de11
PSARC/2008/659 New ZFS "passthrough-x" ACL inheritance rules
Mark Shellenbaum <Mark.Shellenbaum@Sun.COM>
parents:
7624
diff
changeset
|
1729 |
aclnode->z_ace_count++; |
271f44d3de11
PSARC/2008/659 New ZFS "passthrough-x" ACL inheritance rules
Mark Shellenbaum <Mark.Shellenbaum@Sun.COM>
parents:
7624
diff
changeset
|
1730 |
aclp->z_acl_bytes += aclnode->z_size; |
271f44d3de11
PSARC/2008/659 New ZFS "passthrough-x" ACL inheritance rules
Mark Shellenbaum <Mark.Shellenbaum@Sun.COM>
parents:
7624
diff
changeset
|
1731 |
newflags = aclp->z_ops.ace_flags_get(acep); |
271f44d3de11
PSARC/2008/659 New ZFS "passthrough-x" ACL inheritance rules
Mark Shellenbaum <Mark.Shellenbaum@Sun.COM>
parents:
7624
diff
changeset
|
1732 |
|
271f44d3de11
PSARC/2008/659 New ZFS "passthrough-x" ACL inheritance rules
Mark Shellenbaum <Mark.Shellenbaum@Sun.COM>
parents:
7624
diff
changeset
|
1733 |
if (vdir) |
271f44d3de11
PSARC/2008/659 New ZFS "passthrough-x" ACL inheritance rules
Mark Shellenbaum <Mark.Shellenbaum@Sun.COM>
parents:
7624
diff
changeset
|
1734 |
aclp->z_hints |= ZFS_INHERIT_ACE; |
6385
5437941ec5a1
PSARC/2008/231 New ZFS "passthrough" ACL inheritance rules
marks
parents:
6257
diff
changeset
|
1735 |
|
8053
271f44d3de11
PSARC/2008/659 New ZFS "passthrough-x" ACL inheritance rules
Mark Shellenbaum <Mark.Shellenbaum@Sun.COM>
parents:
7624
diff
changeset
|
1736 |
if ((iflags & ACE_NO_PROPAGATE_INHERIT_ACE) || !vdir) { |
271f44d3de11
PSARC/2008/659 New ZFS "passthrough-x" ACL inheritance rules
Mark Shellenbaum <Mark.Shellenbaum@Sun.COM>
parents:
7624
diff
changeset
|
1737 |
newflags &= ~ALL_INHERIT; |
271f44d3de11
PSARC/2008/659 New ZFS "passthrough-x" ACL inheritance rules
Mark Shellenbaum <Mark.Shellenbaum@Sun.COM>
parents:
7624
diff
changeset
|
1738 |
aclp->z_ops.ace_flags_set(acep, |
271f44d3de11
PSARC/2008/659 New ZFS "passthrough-x" ACL inheritance rules
Mark Shellenbaum <Mark.Shellenbaum@Sun.COM>
parents:
7624
diff
changeset
|
1739 |
newflags|ACE_INHERITED_ACE); |
271f44d3de11
PSARC/2008/659 New ZFS "passthrough-x" ACL inheritance rules
Mark Shellenbaum <Mark.Shellenbaum@Sun.COM>
parents:
7624
diff
changeset
|
1740 |
zfs_restricted_update(zfsvfs, aclp, acep); |
271f44d3de11
PSARC/2008/659 New ZFS "passthrough-x" ACL inheritance rules
Mark Shellenbaum <Mark.Shellenbaum@Sun.COM>
parents:
7624
diff
changeset
|
1741 |
continue; |
271f44d3de11
PSARC/2008/659 New ZFS "passthrough-x" ACL inheritance rules
Mark Shellenbaum <Mark.Shellenbaum@Sun.COM>
parents:
7624
diff
changeset
|
1742 |
} |
271f44d3de11
PSARC/2008/659 New ZFS "passthrough-x" ACL inheritance rules
Mark Shellenbaum <Mark.Shellenbaum@Sun.COM>
parents:
7624
diff
changeset
|
1743 |
|
271f44d3de11
PSARC/2008/659 New ZFS "passthrough-x" ACL inheritance rules
Mark Shellenbaum <Mark.Shellenbaum@Sun.COM>
parents:
7624
diff
changeset
|
1744 |
ASSERT(vdir); |
271f44d3de11
PSARC/2008/659 New ZFS "passthrough-x" ACL inheritance rules
Mark Shellenbaum <Mark.Shellenbaum@Sun.COM>
parents:
7624
diff
changeset
|
1745 |
|
271f44d3de11
PSARC/2008/659 New ZFS "passthrough-x" ACL inheritance rules
Mark Shellenbaum <Mark.Shellenbaum@Sun.COM>
parents:
7624
diff
changeset
|
1746 |
newflags = aclp->z_ops.ace_flags_get(acep); |
271f44d3de11
PSARC/2008/659 New ZFS "passthrough-x" ACL inheritance rules
Mark Shellenbaum <Mark.Shellenbaum@Sun.COM>
parents:
7624
diff
changeset
|
1747 |
if ((iflags & (ACE_FILE_INHERIT_ACE | |
271f44d3de11
PSARC/2008/659 New ZFS "passthrough-x" ACL inheritance rules
Mark Shellenbaum <Mark.Shellenbaum@Sun.COM>
parents:
7624
diff
changeset
|
1748 |
ACE_DIRECTORY_INHERIT_ACE)) != |
271f44d3de11
PSARC/2008/659 New ZFS "passthrough-x" ACL inheritance rules
Mark Shellenbaum <Mark.Shellenbaum@Sun.COM>
parents:
7624
diff
changeset
|
1749 |
ACE_FILE_INHERIT_ACE) { |
271f44d3de11
PSARC/2008/659 New ZFS "passthrough-x" ACL inheritance rules
Mark Shellenbaum <Mark.Shellenbaum@Sun.COM>
parents:
7624
diff
changeset
|
1750 |
aclnode2 = zfs_acl_node_alloc(ace_size); |
271f44d3de11
PSARC/2008/659 New ZFS "passthrough-x" ACL inheritance rules
Mark Shellenbaum <Mark.Shellenbaum@Sun.COM>
parents:
7624
diff
changeset
|
1751 |
list_insert_tail(&aclp->z_acl, aclnode2); |
271f44d3de11
PSARC/2008/659 New ZFS "passthrough-x" ACL inheritance rules
Mark Shellenbaum <Mark.Shellenbaum@Sun.COM>
parents:
7624
diff
changeset
|
1752 |
acep2 = aclnode2->z_acldata; |
271f44d3de11
PSARC/2008/659 New ZFS "passthrough-x" ACL inheritance rules
Mark Shellenbaum <Mark.Shellenbaum@Sun.COM>
parents:
7624
diff
changeset
|
1753 |
zfs_set_ace(aclp, acep2, |
271f44d3de11
PSARC/2008/659 New ZFS "passthrough-x" ACL inheritance rules
Mark Shellenbaum <Mark.Shellenbaum@Sun.COM>
parents:
7624
diff
changeset
|
1754 |
access_mask, type, who, |
271f44d3de11
PSARC/2008/659 New ZFS "passthrough-x" ACL inheritance rules
Mark Shellenbaum <Mark.Shellenbaum@Sun.COM>
parents:
7624
diff
changeset
|
1755 |
iflags|ACE_INHERITED_ACE); |
271f44d3de11
PSARC/2008/659 New ZFS "passthrough-x" ACL inheritance rules
Mark Shellenbaum <Mark.Shellenbaum@Sun.COM>
parents:
7624
diff
changeset
|
1756 |
newflags |= ACE_INHERIT_ONLY_ACE; |
271f44d3de11
PSARC/2008/659 New ZFS "passthrough-x" ACL inheritance rules
Mark Shellenbaum <Mark.Shellenbaum@Sun.COM>
parents:
7624
diff
changeset
|
1757 |
aclp->z_ops.ace_flags_set(acep, newflags); |
271f44d3de11
PSARC/2008/659 New ZFS "passthrough-x" ACL inheritance rules
Mark Shellenbaum <Mark.Shellenbaum@Sun.COM>
parents:
7624
diff
changeset
|
1758 |
newflags &= ~ALL_INHERIT; |
271f44d3de11
PSARC/2008/659 New ZFS "passthrough-x" ACL inheritance rules
Mark Shellenbaum <Mark.Shellenbaum@Sun.COM>
parents:
7624
diff
changeset
|
1759 |
aclp->z_ops.ace_flags_set(acep2, |
271f44d3de11
PSARC/2008/659 New ZFS "passthrough-x" ACL inheritance rules
Mark Shellenbaum <Mark.Shellenbaum@Sun.COM>
parents:
7624
diff
changeset
|
1760 |
newflags|ACE_INHERITED_ACE); |
789 | 1761 |
|
6385
5437941ec5a1
PSARC/2008/231 New ZFS "passthrough" ACL inheritance rules
marks
parents:
6257
diff
changeset
|
1762 |
/* |
5437941ec5a1
PSARC/2008/231 New ZFS "passthrough" ACL inheritance rules
marks
parents:
6257
diff
changeset
|
1763 |
* Copy special opaque data if any |
5437941ec5a1
PSARC/2008/231 New ZFS "passthrough" ACL inheritance rules
marks
parents:
6257
diff
changeset
|
1764 |
*/ |
8053
271f44d3de11
PSARC/2008/659 New ZFS "passthrough-x" ACL inheritance rules
Mark Shellenbaum <Mark.Shellenbaum@Sun.COM>
parents:
7624
diff
changeset
|
1765 |
if ((data1sz = aclp->z_ops.ace_data(acep, |
6385
5437941ec5a1
PSARC/2008/231 New ZFS "passthrough" ACL inheritance rules
marks
parents:
6257
diff
changeset
|
1766 |
&data1)) != 0) { |
8053
271f44d3de11
PSARC/2008/659 New ZFS "passthrough-x" ACL inheritance rules
Mark Shellenbaum <Mark.Shellenbaum@Sun.COM>
parents:
7624
diff
changeset
|
1767 |
VERIFY((data2sz = |
271f44d3de11
PSARC/2008/659 New ZFS "passthrough-x" ACL inheritance rules
Mark Shellenbaum <Mark.Shellenbaum@Sun.COM>
parents:
7624
diff
changeset
|
1768 |
aclp->z_ops.ace_data(acep2, |
6385
5437941ec5a1
PSARC/2008/231 New ZFS "passthrough" ACL inheritance rules
marks
parents:
6257
diff
changeset
|
1769 |
&data2)) == data1sz); |
8053
271f44d3de11
PSARC/2008/659 New ZFS "passthrough-x" ACL inheritance rules
Mark Shellenbaum <Mark.Shellenbaum@Sun.COM>
parents:
7624
diff
changeset
|
1770 |
bcopy(data1, data2, data1sz); |
6385
5437941ec5a1
PSARC/2008/231 New ZFS "passthrough" ACL inheritance rules
marks
parents:
6257
diff
changeset
|
1771 |
} |
5437941ec5a1
PSARC/2008/231 New ZFS "passthrough" ACL inheritance rules
marks
parents:
6257
diff
changeset
|
1772 |
aclp->z_acl_count++; |
8053
271f44d3de11
PSARC/2008/659 New ZFS "passthrough-x" ACL inheritance rules
Mark Shellenbaum <Mark.Shellenbaum@Sun.COM>
parents:
7624
diff
changeset
|
1773 |
aclnode2->z_ace_count++; |
6385
5437941ec5a1
PSARC/2008/231 New ZFS "passthrough" ACL inheritance rules
marks
parents:
6257
diff
changeset
|
1774 |
aclp->z_acl_bytes += aclnode->z_size; |
8053
271f44d3de11
PSARC/2008/659 New ZFS "passthrough-x" ACL inheritance rules
Mark Shellenbaum <Mark.Shellenbaum@Sun.COM>
parents:
7624
diff
changeset
|
1775 |
zfs_restricted_update(zfsvfs, aclp, acep2); |
271f44d3de11
PSARC/2008/659 New ZFS "passthrough-x" ACL inheritance rules
Mark Shellenbaum <Mark.Shellenbaum@Sun.COM>
parents:
7624
diff
changeset
|
1776 |
} else { |
271f44d3de11
PSARC/2008/659 New ZFS "passthrough-x" ACL inheritance rules
Mark Shellenbaum <Mark.Shellenbaum@Sun.COM>
parents:
7624
diff
changeset
|
1777 |
newflags |= ACE_INHERIT_ONLY_ACE; |
271f44d3de11
PSARC/2008/659 New ZFS "passthrough-x" ACL inheritance rules
Mark Shellenbaum <Mark.Shellenbaum@Sun.COM>
parents:
7624
diff
changeset
|
1778 |
aclp->z_ops.ace_flags_set(acep, |
271f44d3de11
PSARC/2008/659 New ZFS "passthrough-x" ACL inheritance rules
Mark Shellenbaum <Mark.Shellenbaum@Sun.COM>
parents:
7624
diff
changeset
|
1779 |
newflags|ACE_INHERITED_ACE); |
789 | 1780 |
} |
1781 |
} |
|
1782 |
return (aclp); |
|
1783 |
} |
|
1784 |
||
1785 |
/* |
|
1786 |
* Create file system object initial permissions |
|
1787 |
* including inheritable ACEs. |
|
1788 |
*/ |
|
9179
d8fbd96b79b3
6790064 zfs needs to determine uid and gid earlier in create process
Mark Shellenbaum <Mark.Shellenbaum@Sun.COM>
parents:
8952
diff
changeset
|
1789 |
int |
d8fbd96b79b3
6790064 zfs needs to determine uid and gid earlier in create process
Mark Shellenbaum <Mark.Shellenbaum@Sun.COM>
parents:
8952
diff
changeset
|
1790 |
zfs_acl_ids_create(znode_t *dzp, int flag, vattr_t *vap, cred_t *cr, |
d8fbd96b79b3
6790064 zfs needs to determine uid and gid earlier in create process
Mark Shellenbaum <Mark.Shellenbaum@Sun.COM>
parents:
8952
diff
changeset
|
1791 |
vsecattr_t *vsecp, zfs_acl_ids_t *acl_ids) |
789 | 1792 |
{ |
1793 |
int error; |
|
9179
d8fbd96b79b3
6790064 zfs needs to determine uid and gid earlier in create process
Mark Shellenbaum <Mark.Shellenbaum@Sun.COM>
parents:
8952
diff
changeset
|
1794 |
zfsvfs_t *zfsvfs = dzp->z_zfsvfs; |
5331 | 1795 |
zfs_acl_t *paclp; |
5959
1e1904b8526d
6650192 zfs ACL/fuid code could use some minor cleanup
marks
parents:
5824
diff
changeset
|
1796 |
gid_t gid; |
6385
5437941ec5a1
PSARC/2008/231 New ZFS "passthrough" ACL inheritance rules
marks
parents:
6257
diff
changeset
|
1797 |
boolean_t need_chmod = B_TRUE; |
5331 | 1798 |
|
9179
d8fbd96b79b3
6790064 zfs needs to determine uid and gid earlier in create process
Mark Shellenbaum <Mark.Shellenbaum@Sun.COM>
parents:
8952
diff
changeset
|
1799 |
bzero(acl_ids, sizeof (zfs_acl_ids_t)); |
d8fbd96b79b3
6790064 zfs needs to determine uid and gid earlier in create process
Mark Shellenbaum <Mark.Shellenbaum@Sun.COM>
parents:
8952
diff
changeset
|
1800 |
acl_ids->z_mode = MAKEIMODE(vap->va_type, vap->va_mode); |
789 | 1801 |
|
9179
d8fbd96b79b3
6790064 zfs needs to determine uid and gid earlier in create process
Mark Shellenbaum <Mark.Shellenbaum@Sun.COM>
parents:
8952
diff
changeset
|
1802 |
if (vsecp) |
d8fbd96b79b3
6790064 zfs needs to determine uid and gid earlier in create process
Mark Shellenbaum <Mark.Shellenbaum@Sun.COM>
parents:
8952
diff
changeset
|
1803 |
if ((error = zfs_vsec_2_aclp(zfsvfs, vap->va_type, vsecp, cr, |
d8fbd96b79b3
6790064 zfs needs to determine uid and gid earlier in create process
Mark Shellenbaum <Mark.Shellenbaum@Sun.COM>
parents:
8952
diff
changeset
|
1804 |
&acl_ids->z_fuidp, &acl_ids->z_aclp)) != 0) |
d8fbd96b79b3
6790064 zfs needs to determine uid and gid earlier in create process
Mark Shellenbaum <Mark.Shellenbaum@Sun.COM>
parents:
8952
diff
changeset
|
1805 |
return (error); |
789 | 1806 |
|
1807 |
/* |
|
1808 |
* Determine uid and gid. |
|
1809 |
*/ |
|
1810 |
if ((flag & (IS_ROOT_NODE | IS_REPLAY)) || |
|
1811 |
((flag & IS_XATTR) && (vap->va_type == VDIR))) { |
|
9179
d8fbd96b79b3
6790064 zfs needs to determine uid and gid earlier in create process
Mark Shellenbaum <Mark.Shellenbaum@Sun.COM>
parents:
8952
diff
changeset
|
1812 |
acl_ids->z_fuid = zfs_fuid_create(zfsvfs, |
d8fbd96b79b3
6790064 zfs needs to determine uid and gid earlier in create process
Mark Shellenbaum <Mark.Shellenbaum@Sun.COM>
parents:
8952
diff
changeset
|
1813 |
(uint64_t)vap->va_uid, cr, |
d8fbd96b79b3
6790064 zfs needs to determine uid and gid earlier in create process
Mark Shellenbaum <Mark.Shellenbaum@Sun.COM>
parents:
8952
diff
changeset
|
1814 |
ZFS_OWNER, &acl_ids->z_fuidp); |
d8fbd96b79b3
6790064 zfs needs to determine uid and gid earlier in create process
Mark Shellenbaum <Mark.Shellenbaum@Sun.COM>
parents:
8952
diff
changeset
|
1815 |
acl_ids->z_fgid = zfs_fuid_create(zfsvfs, |
d8fbd96b79b3
6790064 zfs needs to determine uid and gid earlier in create process
Mark Shellenbaum <Mark.Shellenbaum@Sun.COM>
parents:
8952
diff
changeset
|
1816 |
(uint64_t)vap->va_gid, cr, |
d8fbd96b79b3
6790064 zfs needs to determine uid and gid earlier in create process
Mark Shellenbaum <Mark.Shellenbaum@Sun.COM>
parents:
8952
diff
changeset
|
1817 |
ZFS_GROUP, &acl_ids->z_fuidp); |
5959
1e1904b8526d
6650192 zfs ACL/fuid code could use some minor cleanup
marks
parents:
5824
diff
changeset
|
1818 |
gid = vap->va_gid; |
789 | 1819 |
} else { |
9179
d8fbd96b79b3
6790064 zfs needs to determine uid and gid earlier in create process
Mark Shellenbaum <Mark.Shellenbaum@Sun.COM>
parents:
8952
diff
changeset
|
1820 |
acl_ids->z_fuid = zfs_fuid_create_cred(zfsvfs, ZFS_OWNER, |
d8fbd96b79b3
6790064 zfs needs to determine uid and gid earlier in create process
Mark Shellenbaum <Mark.Shellenbaum@Sun.COM>
parents:
8952
diff
changeset
|
1821 |
cr, &acl_ids->z_fuidp); |
d8fbd96b79b3
6790064 zfs needs to determine uid and gid earlier in create process
Mark Shellenbaum <Mark.Shellenbaum@Sun.COM>
parents:
8952
diff
changeset
|
1822 |
acl_ids->z_fgid = 0; |
5959
1e1904b8526d
6650192 zfs ACL/fuid code could use some minor cleanup
marks
parents:
5824
diff
changeset
|
1823 |
if (vap->va_mask & AT_GID) { |
9179
d8fbd96b79b3
6790064 zfs needs to determine uid and gid earlier in create process
Mark Shellenbaum <Mark.Shellenbaum@Sun.COM>
parents:
8952
diff
changeset
|
1824 |
acl_ids->z_fgid = zfs_fuid_create(zfsvfs, |
d8fbd96b79b3
6790064 zfs needs to determine uid and gid earlier in create process
Mark Shellenbaum <Mark.Shellenbaum@Sun.COM>
parents:
8952
diff
changeset
|
1825 |
(uint64_t)vap->va_gid, |
d8fbd96b79b3
6790064 zfs needs to determine uid and gid earlier in create process
Mark Shellenbaum <Mark.Shellenbaum@Sun.COM>
parents:
8952
diff
changeset
|
1826 |
cr, ZFS_GROUP, &acl_ids->z_fuidp); |
5959
1e1904b8526d
6650192 zfs ACL/fuid code could use some minor cleanup
marks
parents:
5824
diff
changeset
|
1827 |
gid = vap->va_gid; |
9179
d8fbd96b79b3
6790064 zfs needs to determine uid and gid earlier in create process
Mark Shellenbaum <Mark.Shellenbaum@Sun.COM>
parents:
8952
diff
changeset
|
1828 |
if (acl_ids->z_fgid != dzp->z_phys->zp_gid && |
5959
1e1904b8526d
6650192 zfs ACL/fuid code could use some minor cleanup
marks
parents:
5824
diff
changeset
|
1829 |
!groupmember(vap->va_gid, cr) && |
1e1904b8526d
6650192 zfs ACL/fuid code could use some minor cleanup
marks
parents:
5824
diff
changeset
|
1830 |
secpolicy_vnode_create_gid(cr) != 0) |
9179
d8fbd96b79b3
6790064 zfs needs to determine uid and gid earlier in create process
Mark Shellenbaum <Mark.Shellenbaum@Sun.COM>
parents:
8952
diff
changeset
|
1831 |
acl_ids->z_fgid = 0; |
5959
1e1904b8526d
6650192 zfs ACL/fuid code could use some minor cleanup
marks
parents:
5824
diff
changeset
|
1832 |
} |
9179
d8fbd96b79b3
6790064 zfs needs to determine uid and gid earlier in create process
Mark Shellenbaum <Mark.Shellenbaum@Sun.COM>
parents:
8952
diff
changeset
|
1833 |
if (acl_ids->z_fgid == 0) { |
d8fbd96b79b3
6790064 zfs needs to determine uid and gid earlier in create process
Mark Shellenbaum <Mark.Shellenbaum@Sun.COM>
parents:
8952
diff
changeset
|
1834 |
if (dzp->z_phys->zp_mode & S_ISGID) { |
d8fbd96b79b3
6790064 zfs needs to determine uid and gid earlier in create process
Mark Shellenbaum <Mark.Shellenbaum@Sun.COM>
parents:
8952
diff
changeset
|
1835 |
acl_ids->z_fgid = dzp->z_phys->zp_gid; |
d8fbd96b79b3
6790064 zfs needs to determine uid and gid earlier in create process
Mark Shellenbaum <Mark.Shellenbaum@Sun.COM>
parents:
8952
diff
changeset
|
1836 |
gid = zfs_fuid_map_id(zfsvfs, acl_ids->z_fgid, |
5959
1e1904b8526d
6650192 zfs ACL/fuid code could use some minor cleanup
marks
parents:
5824
diff
changeset
|
1837 |
cr, ZFS_GROUP); |
1e1904b8526d
6650192 zfs ACL/fuid code could use some minor cleanup
marks
parents:
5824
diff
changeset
|
1838 |
} else { |
9179
d8fbd96b79b3
6790064 zfs needs to determine uid and gid earlier in create process
Mark Shellenbaum <Mark.Shellenbaum@Sun.COM>
parents:
8952
diff
changeset
|
1839 |
acl_ids->z_fgid = zfs_fuid_create_cred(zfsvfs, |
d8fbd96b79b3
6790064 zfs needs to determine uid and gid earlier in create process
Mark Shellenbaum <Mark.Shellenbaum@Sun.COM>
parents:
8952
diff
changeset
|
1840 |
ZFS_GROUP, cr, &acl_ids->z_fuidp); |
5959
1e1904b8526d
6650192 zfs ACL/fuid code could use some minor cleanup
marks
parents:
5824
diff
changeset
|
1841 |
gid = crgetgid(cr); |
1e1904b8526d
6650192 zfs ACL/fuid code could use some minor cleanup
marks
parents:
5824
diff
changeset
|
1842 |
} |
5331 | 1843 |
} |
789 | 1844 |
} |
1845 |
||
1846 |
/* |
|
1847 |
* If we're creating a directory, and the parent directory has the |
|
1848 |
* set-GID bit set, set in on the new directory. |
|
1849 |
* Otherwise, if the user is neither privileged nor a member of the |
|
1850 |
* file's new group, clear the file's set-GID bit. |
|
1851 |
*/ |
|
1852 |
||
9179
d8fbd96b79b3
6790064 zfs needs to determine uid and gid earlier in create process
Mark Shellenbaum <Mark.Shellenbaum@Sun.COM>
parents:
8952
diff
changeset
|
1853 |
if (!(flag & IS_ROOT_NODE) && (dzp->z_phys->zp_mode & S_ISGID) && |
d8fbd96b79b3
6790064 zfs needs to determine uid and gid earlier in create process
Mark Shellenbaum <Mark.Shellenbaum@Sun.COM>
parents:
8952
diff
changeset
|
1854 |
(vap->va_type == VDIR)) { |
d8fbd96b79b3
6790064 zfs needs to determine uid and gid earlier in create process
Mark Shellenbaum <Mark.Shellenbaum@Sun.COM>
parents:
8952
diff
changeset
|
1855 |
acl_ids->z_mode |= S_ISGID; |
5959
1e1904b8526d
6650192 zfs ACL/fuid code could use some minor cleanup
marks
parents:
5824
diff
changeset
|
1856 |
} else { |
9179
d8fbd96b79b3
6790064 zfs needs to determine uid and gid earlier in create process
Mark Shellenbaum <Mark.Shellenbaum@Sun.COM>
parents:
8952
diff
changeset
|
1857 |
if ((acl_ids->z_mode & S_ISGID) && |
789 | 1858 |
secpolicy_vnode_setids_setgids(cr, gid) != 0) |
9179
d8fbd96b79b3
6790064 zfs needs to determine uid and gid earlier in create process
Mark Shellenbaum <Mark.Shellenbaum@Sun.COM>
parents:
8952
diff
changeset
|
1859 |
acl_ids->z_mode &= ~S_ISGID; |
789 | 1860 |
} |
1861 |
||
9179
d8fbd96b79b3
6790064 zfs needs to determine uid and gid earlier in create process
Mark Shellenbaum <Mark.Shellenbaum@Sun.COM>
parents:
8952
diff
changeset
|
1862 |
if (acl_ids->z_aclp == NULL) { |
d8fbd96b79b3
6790064 zfs needs to determine uid and gid earlier in create process
Mark Shellenbaum <Mark.Shellenbaum@Sun.COM>
parents:
8952
diff
changeset
|
1863 |
mutex_enter(&dzp->z_lock); |
d8fbd96b79b3
6790064 zfs needs to determine uid and gid earlier in create process
Mark Shellenbaum <Mark.Shellenbaum@Sun.COM>
parents:
8952
diff
changeset
|
1864 |
if (!(flag & IS_ROOT_NODE) && (ZTOV(dzp)->v_type == VDIR && |
d8fbd96b79b3
6790064 zfs needs to determine uid and gid earlier in create process
Mark Shellenbaum <Mark.Shellenbaum@Sun.COM>
parents:
8952
diff
changeset
|
1865 |
(dzp->z_phys->zp_flags & ZFS_INHERIT_ACE)) && |
d8fbd96b79b3
6790064 zfs needs to determine uid and gid earlier in create process
Mark Shellenbaum <Mark.Shellenbaum@Sun.COM>
parents:
8952
diff
changeset
|
1866 |
!(dzp->z_phys->zp_flags & ZFS_XATTR)) { |
d8fbd96b79b3
6790064 zfs needs to determine uid and gid earlier in create process
Mark Shellenbaum <Mark.Shellenbaum@Sun.COM>
parents:
8952
diff
changeset
|
1867 |
mutex_enter(&dzp->z_acl_lock); |
d8fbd96b79b3
6790064 zfs needs to determine uid and gid earlier in create process
Mark Shellenbaum <Mark.Shellenbaum@Sun.COM>
parents:
8952
diff
changeset
|
1868 |
VERIFY(0 == zfs_acl_node_read(dzp, &paclp, B_FALSE)); |
d8fbd96b79b3
6790064 zfs needs to determine uid and gid earlier in create process
Mark Shellenbaum <Mark.Shellenbaum@Sun.COM>
parents:
8952
diff
changeset
|
1869 |
mutex_exit(&dzp->z_acl_lock); |
d8fbd96b79b3
6790064 zfs needs to determine uid and gid earlier in create process
Mark Shellenbaum <Mark.Shellenbaum@Sun.COM>
parents:
8952
diff
changeset
|
1870 |
acl_ids->z_aclp = zfs_acl_inherit(zfsvfs, |
d8fbd96b79b3
6790064 zfs needs to determine uid and gid earlier in create process
Mark Shellenbaum <Mark.Shellenbaum@Sun.COM>
parents:
8952
diff
changeset
|
1871 |
vap->va_type, paclp, acl_ids->z_mode, &need_chmod); |
5331 | 1872 |
zfs_acl_free(paclp); |
1873 |
} else { |
|
9179
d8fbd96b79b3
6790064 zfs needs to determine uid and gid earlier in create process
Mark Shellenbaum <Mark.Shellenbaum@Sun.COM>
parents:
8952
diff
changeset
|
1874 |
acl_ids->z_aclp = |
d8fbd96b79b3
6790064 zfs needs to determine uid and gid earlier in create process
Mark Shellenbaum <Mark.Shellenbaum@Sun.COM>
parents:
8952
diff
changeset
|
1875 |
zfs_acl_alloc(zfs_acl_version_zp(dzp)); |
5331 | 1876 |
} |
9179
d8fbd96b79b3
6790064 zfs needs to determine uid and gid earlier in create process
Mark Shellenbaum <Mark.Shellenbaum@Sun.COM>
parents:
8952
diff
changeset
|
1877 |
mutex_exit(&dzp->z_lock); |
d8fbd96b79b3
6790064 zfs needs to determine uid and gid earlier in create process
Mark Shellenbaum <Mark.Shellenbaum@Sun.COM>
parents:
8952
diff
changeset
|
1878 |
if (need_chmod) { |
d8fbd96b79b3
6790064 zfs needs to determine uid and gid earlier in create process
Mark Shellenbaum <Mark.Shellenbaum@Sun.COM>
parents:
8952
diff
changeset
|
1879 |
acl_ids->z_aclp->z_hints = (vap->va_type == VDIR) ? |
d8fbd96b79b3
6790064 zfs needs to determine uid and gid earlier in create process
Mark Shellenbaum <Mark.Shellenbaum@Sun.COM>
parents:
8952
diff
changeset
|
1880 |
ZFS_ACL_AUTO_INHERIT : 0; |
d8fbd96b79b3
6790064 zfs needs to determine uid and gid earlier in create process
Mark Shellenbaum <Mark.Shellenbaum@Sun.COM>
parents:
8952
diff
changeset
|
1881 |
zfs_acl_chmod(zfsvfs, acl_ids->z_fuid, |
d8fbd96b79b3
6790064 zfs needs to determine uid and gid earlier in create process
Mark Shellenbaum <Mark.Shellenbaum@Sun.COM>
parents:
8952
diff
changeset
|
1882 |
acl_ids->z_mode, acl_ids->z_aclp); |
d8fbd96b79b3
6790064 zfs needs to determine uid and gid earlier in create process
Mark Shellenbaum <Mark.Shellenbaum@Sun.COM>
parents:
8952
diff
changeset
|
1883 |
} |
789 | 1884 |
} |
5331 | 1885 |
|
9179
d8fbd96b79b3
6790064 zfs needs to determine uid and gid earlier in create process
Mark Shellenbaum <Mark.Shellenbaum@Sun.COM>
parents:
8952
diff
changeset
|
1886 |
return (0); |
d8fbd96b79b3
6790064 zfs needs to determine uid and gid earlier in create process
Mark Shellenbaum <Mark.Shellenbaum@Sun.COM>
parents:
8952
diff
changeset
|
1887 |
} |
5331 | 1888 |
|
9179
d8fbd96b79b3
6790064 zfs needs to determine uid and gid earlier in create process
Mark Shellenbaum <Mark.Shellenbaum@Sun.COM>
parents:
8952
diff
changeset
|
1889 |
/* |
d8fbd96b79b3
6790064 zfs needs to determine uid and gid earlier in create process
Mark Shellenbaum <Mark.Shellenbaum@Sun.COM>
parents:
8952
diff
changeset
|
1890 |
* Free ACL and fuid_infop, but not the acl_ids structure |
d8fbd96b79b3
6790064 zfs needs to determine uid and gid earlier in create process
Mark Shellenbaum <Mark.Shellenbaum@Sun.COM>
parents:
8952
diff
changeset
|
1891 |
*/ |
d8fbd96b79b3
6790064 zfs needs to determine uid and gid earlier in create process
Mark Shellenbaum <Mark.Shellenbaum@Sun.COM>
parents:
8952
diff
changeset
|
1892 |
void |
d8fbd96b79b3
6790064 zfs needs to determine uid and gid earlier in create process
Mark Shellenbaum <Mark.Shellenbaum@Sun.COM>
parents:
8952
diff
changeset
|
1893 |
zfs_acl_ids_free(zfs_acl_ids_t *acl_ids) |
d8fbd96b79b3
6790064 zfs needs to determine uid and gid earlier in create process
Mark Shellenbaum <Mark.Shellenbaum@Sun.COM>
parents:
8952
diff
changeset
|
1894 |
{ |
d8fbd96b79b3
6790064 zfs needs to determine uid and gid earlier in create process
Mark Shellenbaum <Mark.Shellenbaum@Sun.COM>
parents:
8952
diff
changeset
|
1895 |
if (acl_ids->z_aclp) |
d8fbd96b79b3
6790064 zfs needs to determine uid and gid earlier in create process
Mark Shellenbaum <Mark.Shellenbaum@Sun.COM>
parents:
8952
diff
changeset
|
1896 |
zfs_acl_free(acl_ids->z_aclp); |
d8fbd96b79b3
6790064 zfs needs to determine uid and gid earlier in create process
Mark Shellenbaum <Mark.Shellenbaum@Sun.COM>
parents:
8952
diff
changeset
|
1897 |
if (acl_ids->z_fuidp) |
d8fbd96b79b3
6790064 zfs needs to determine uid and gid earlier in create process
Mark Shellenbaum <Mark.Shellenbaum@Sun.COM>
parents:
8952
diff
changeset
|
1898 |
zfs_fuid_info_free(acl_ids->z_fuidp); |
d8fbd96b79b3
6790064 zfs needs to determine uid and gid earlier in create process
Mark Shellenbaum <Mark.Shellenbaum@Sun.COM>
parents:
8952
diff
changeset
|
1899 |
acl_ids->z_aclp = NULL; |
d8fbd96b79b3
6790064 zfs needs to determine uid and gid earlier in create process
Mark Shellenbaum <Mark.Shellenbaum@Sun.COM>
parents:
8952
diff
changeset
|
1900 |
acl_ids->z_fuidp = NULL; |
d8fbd96b79b3
6790064 zfs needs to determine uid and gid earlier in create process
Mark Shellenbaum <Mark.Shellenbaum@Sun.COM>
parents:
8952
diff
changeset
|
1901 |
} |
5331 | 1902 |
|
9396
f41cf682d0d3
PSARC/2009/204 ZFS user/group quotas & space accounting
Matthew Ahrens <Matthew.Ahrens@Sun.COM>
parents:
9179
diff
changeset
|
1903 |
boolean_t |
f41cf682d0d3
PSARC/2009/204 ZFS user/group quotas & space accounting
Matthew Ahrens <Matthew.Ahrens@Sun.COM>
parents:
9179
diff
changeset
|
1904 |
zfs_acl_ids_overquota(zfsvfs_t *zfsvfs, zfs_acl_ids_t *acl_ids) |
f41cf682d0d3
PSARC/2009/204 ZFS user/group quotas & space accounting
Matthew Ahrens <Matthew.Ahrens@Sun.COM>
parents:
9179
diff
changeset
|
1905 |
{ |
f41cf682d0d3
PSARC/2009/204 ZFS user/group quotas & space accounting
Matthew Ahrens <Matthew.Ahrens@Sun.COM>
parents:
9179
diff
changeset
|
1906 |
return (zfs_usergroup_overquota(zfsvfs, B_FALSE, acl_ids->z_fuid) || |
f41cf682d0d3
PSARC/2009/204 ZFS user/group quotas & space accounting
Matthew Ahrens <Matthew.Ahrens@Sun.COM>
parents:
9179
diff
changeset
|
1907 |
zfs_usergroup_overquota(zfsvfs, B_TRUE, acl_ids->z_fgid)); |
f41cf682d0d3
PSARC/2009/204 ZFS user/group quotas & space accounting
Matthew Ahrens <Matthew.Ahrens@Sun.COM>
parents:
9179
diff
changeset
|
1908 |
} |
789 | 1909 |
|
1910 |
/* |
|
1911 |
* Retrieve a files ACL |
|
1912 |
*/ |
|
1913 |
int |
|
5331 | 1914 |
zfs_getacl(znode_t *zp, vsecattr_t *vsecp, boolean_t skipaclchk, cred_t *cr) |
789 | 1915 |
{ |
1916 |
zfs_acl_t *aclp; |
|
5331 | 1917 |
ulong_t mask; |
789 | 1918 |
int error; |
5331 | 1919 |
int count = 0; |
1920 |
int largeace = 0; |
|
789 | 1921 |
|
5331 | 1922 |
mask = vsecp->vsa_mask & (VSA_ACE | VSA_ACECNT | |
1923 |
VSA_ACE_ACLFLAGS | VSA_ACE_ALLTYPES); |
|
1924 |
||
1925 |
if (error = zfs_zaccess(zp, ACE_READ_ACL, 0, skipaclchk, cr)) |
|
1926 |
return (error); |
|
789 | 1927 |
|
1928 |
if (mask == 0) |
|
1929 |
return (ENOSYS); |
|
1930 |
||
1931 |
mutex_enter(&zp->z_acl_lock); |
|
1932 |
||
5331 | 1933 |
error = zfs_acl_node_read(zp, &aclp, B_FALSE); |
1544 | 1934 |
if (error != 0) { |
1935 |
mutex_exit(&zp->z_acl_lock); |
|
1936 |
return (error); |
|
1937 |
} |
|
1938 |
||
5331 | 1939 |
/* |
1940 |
* Scan ACL to determine number of ACEs |
|
1941 |
*/ |
|
1942 |
if ((zp->z_phys->zp_flags & ZFS_ACL_OBJ_ACE) && |
|
1943 |
!(mask & VSA_ACE_ALLTYPES)) { |
|
1944 |
void *zacep = NULL; |
|
1945 |
uint64_t who; |
|
1946 |
uint32_t access_mask; |
|
1947 |
uint16_t type, iflags; |
|
1948 |
||
1949 |
while (zacep = zfs_acl_next_ace(aclp, zacep, |
|
1950 |
&who, &access_mask, &iflags, &type)) { |
|
1951 |
switch (type) { |
|
1952 |
case ACE_ACCESS_ALLOWED_OBJECT_ACE_TYPE: |
|
1953 |
case ACE_ACCESS_DENIED_OBJECT_ACE_TYPE: |
|
1954 |
case ACE_SYSTEM_AUDIT_OBJECT_ACE_TYPE: |
|
1955 |
case ACE_SYSTEM_ALARM_OBJECT_ACE_TYPE: |
|
1956 |
largeace++; |
|
1957 |
continue; |
|
1958 |
default: |
|
1959 |
count++; |
|
1960 |
} |
|
1961 |
} |
|
1962 |
vsecp->vsa_aclcnt = count; |
|
1963 |
} else |
|
1964 |
count = aclp->z_acl_count; |
|
789 | 1965 |
|
1966 |
if (mask & VSA_ACECNT) { |
|
5331 | 1967 |
vsecp->vsa_aclcnt = count; |
789 | 1968 |
} |
1969 |
||
1970 |
if (mask & VSA_ACE) { |
|
5331 | 1971 |
size_t aclsz; |
1972 |
||
1973 |
zfs_acl_node_t *aclnode = list_head(&aclp->z_acl); |
|
1974 |
||
1975 |
aclsz = count * sizeof (ace_t) + |
|
1976 |
sizeof (ace_object_t) * largeace; |
|
1977 |
||
1978 |
vsecp->vsa_aclentp = kmem_alloc(aclsz, KM_SLEEP); |
|
1979 |
vsecp->vsa_aclentsz = aclsz; |
|
1980 |
||
1981 |
if (aclp->z_version == ZFS_ACL_VERSION_FUID) |
|
5771 | 1982 |
zfs_copy_fuid_2_ace(zp->z_zfsvfs, aclp, cr, |
5331 | 1983 |
vsecp->vsa_aclentp, !(mask & VSA_ACE_ALLTYPES)); |
1984 |
else { |
|
1985 |
bcopy(aclnode->z_acldata, vsecp->vsa_aclentp, |
|
1986 |
count * sizeof (ace_t)); |
|
1987 |
} |
|
1988 |
} |
|
1989 |
if (mask & VSA_ACE_ACLFLAGS) { |
|
1990 |
vsecp->vsa_aclflags = 0; |
|
1991 |
if (zp->z_phys->zp_flags & ZFS_ACL_DEFAULTED) |
|
1992 |
vsecp->vsa_aclflags |= ACL_DEFAULTED; |
|
1993 |
if (zp->z_phys->zp_flags & ZFS_ACL_PROTECTED) |
|
1994 |
vsecp->vsa_aclflags |= ACL_PROTECTED; |
|
1995 |
if (zp->z_phys->zp_flags & ZFS_ACL_AUTO_INHERIT) |
|
1996 |
vsecp->vsa_aclflags |= ACL_AUTO_INHERIT; |
|
789 | 1997 |
} |
1998 |
||
1999 |
mutex_exit(&zp->z_acl_lock); |
|
2000 |
||
2001 |
zfs_acl_free(aclp); |
|
2002 |
||
2003 |
return (0); |
|
2004 |
} |
|
2005 |
||
5331 | 2006 |
int |
2007 |
zfs_vsec_2_aclp(zfsvfs_t *zfsvfs, vtype_t obj_type, |
|
9179
d8fbd96b79b3
6790064 zfs needs to determine uid and gid earlier in create process
Mark Shellenbaum <Mark.Shellenbaum@Sun.COM>
parents:
8952
diff
changeset
|
2008 |
vsecattr_t *vsecp, cred_t *cr, zfs_fuid_info_t **fuidp, zfs_acl_t **zaclp) |
5331 | 2009 |
{ |
2010 |
zfs_acl_t *aclp; |
|
2011 |
zfs_acl_node_t *aclnode; |
|
2012 |
int aclcnt = vsecp->vsa_aclcnt; |
|
2013 |
int error; |
|
2014 |
||
2015 |
if (vsecp->vsa_aclcnt > MAX_ACL_ENTRIES || vsecp->vsa_aclcnt <= 0) |
|
2016 |
return (EINVAL); |
|
2017 |
||
2018 |
aclp = zfs_acl_alloc(zfs_acl_version(zfsvfs->z_version)); |
|
2019 |
||
2020 |
aclp->z_hints = 0; |
|
2021 |
aclnode = zfs_acl_node_alloc(aclcnt * sizeof (zfs_object_ace_t)); |
|
2022 |
if (aclp->z_version == ZFS_ACL_VERSION_INITIAL) { |
|
2023 |
if ((error = zfs_copy_ace_2_oldace(obj_type, aclp, |
|
2024 |
(ace_t *)vsecp->vsa_aclentp, aclnode->z_acldata, |
|
2025 |
aclcnt, &aclnode->z_size)) != 0) { |
|
2026 |
zfs_acl_free(aclp); |
|
2027 |
zfs_acl_node_free(aclnode); |
|
2028 |
return (error); |
|
2029 |
} |
|
2030 |
} else { |
|
9179
d8fbd96b79b3
6790064 zfs needs to determine uid and gid earlier in create process
Mark Shellenbaum <Mark.Shellenbaum@Sun.COM>
parents:
8952
diff
changeset
|
2031 |
if ((error = zfs_copy_ace_2_fuid(zfsvfs, obj_type, aclp, |
5331 | 2032 |
vsecp->vsa_aclentp, aclnode->z_acldata, aclcnt, |
9179
d8fbd96b79b3
6790064 zfs needs to determine uid and gid earlier in create process
Mark Shellenbaum <Mark.Shellenbaum@Sun.COM>
parents:
8952
diff
changeset
|
2033 |
&aclnode->z_size, fuidp, cr)) != 0) { |
5331 | 2034 |
zfs_acl_free(aclp); |
2035 |
zfs_acl_node_free(aclnode); |
|
2036 |
return (error); |
|
2037 |
} |
|
2038 |
} |
|
2039 |
aclp->z_acl_bytes = aclnode->z_size; |
|
2040 |
aclnode->z_ace_count = aclcnt; |
|
2041 |
aclp->z_acl_count = aclcnt; |
|
2042 |
list_insert_head(&aclp->z_acl, aclnode); |
|
2043 |
||
2044 |
/* |
|
2045 |
* If flags are being set then add them to z_hints |
|
2046 |
*/ |
|
2047 |
if (vsecp->vsa_mask & VSA_ACE_ACLFLAGS) { |
|
2048 |
if (vsecp->vsa_aclflags & ACL_PROTECTED) |
|
2049 |
aclp->z_hints |= ZFS_ACL_PROTECTED; |
|
2050 |
if (vsecp->vsa_aclflags & ACL_DEFAULTED) |
|
2051 |
aclp->z_hints |= ZFS_ACL_DEFAULTED; |
|
2052 |
if (vsecp->vsa_aclflags & ACL_AUTO_INHERIT) |
|
2053 |
aclp->z_hints |= ZFS_ACL_AUTO_INHERIT; |
|
2054 |
} |
|
2055 |
||
2056 |
*zaclp = aclp; |
|
2057 |
||
2058 |
return (0); |
|
2059 |
} |
|
2060 |
||
789 | 2061 |
/* |
2062 |
* Set a files ACL |
|
2063 |
*/ |
|
2064 |
int |
|
5331 | 2065 |
zfs_setacl(znode_t *zp, vsecattr_t *vsecp, boolean_t skipaclchk, cred_t *cr) |
789 | 2066 |
{ |
2067 |
zfsvfs_t *zfsvfs = zp->z_zfsvfs; |
|
2068 |
zilog_t *zilog = zfsvfs->z_log; |
|
2069 |
ulong_t mask = vsecp->vsa_mask & (VSA_ACE | VSA_ACECNT); |
|
2070 |
dmu_tx_t *tx; |
|
2071 |
int error; |
|
2072 |
zfs_acl_t *aclp; |
|
5331 | 2073 |
zfs_fuid_info_t *fuidp = NULL; |
9179
d8fbd96b79b3
6790064 zfs needs to determine uid and gid earlier in create process
Mark Shellenbaum <Mark.Shellenbaum@Sun.COM>
parents:
8952
diff
changeset
|
2074 |
boolean_t fuid_dirtied; |
789 | 2075 |
|
2076 |
if (mask == 0) |
|
4300
d74de773d6e6
6528189 cp -p invalid argument issue on Redhat linux AS 3.0 NFS client against ZFS NFS directory
marks
parents:
2676
diff
changeset
|
2077 |
return (ENOSYS); |
789 | 2078 |
|
5331 | 2079 |
if (zp->z_phys->zp_flags & ZFS_IMMUTABLE) |
2080 |
return (EPERM); |
|
2081 |
||
2082 |
if (error = zfs_zaccess(zp, ACE_WRITE_ACL, 0, skipaclchk, cr)) |
|
2083 |
return (error); |
|
2084 |
||
9179
d8fbd96b79b3
6790064 zfs needs to determine uid and gid earlier in create process
Mark Shellenbaum <Mark.Shellenbaum@Sun.COM>
parents:
8952
diff
changeset
|
2085 |
error = zfs_vsec_2_aclp(zfsvfs, ZTOV(zp)->v_type, vsecp, cr, &fuidp, |
d8fbd96b79b3
6790064 zfs needs to determine uid and gid earlier in create process
Mark Shellenbaum <Mark.Shellenbaum@Sun.COM>
parents:
8952
diff
changeset
|
2086 |
&aclp); |
5331 | 2087 |
if (error) |
2088 |
return (error); |
|
2089 |
||
2090 |
/* |
|
2091 |
* If ACL wide flags aren't being set then preserve any |
|
2092 |
* existing flags. |
|
2093 |
*/ |
|
2094 |
if (!(vsecp->vsa_mask & VSA_ACE_ACLFLAGS)) { |
|
2095 |
aclp->z_hints |= (zp->z_phys->zp_flags & V4_ACL_WIDE_FLAGS); |
|
2096 |
} |
|
789 | 2097 |
top: |
5331 | 2098 |
if (error = zfs_zaccess(zp, ACE_WRITE_ACL, 0, skipaclchk, cr)) { |
2099 |
zfs_acl_free(aclp); |
|
2100 |
return (error); |
|
789 | 2101 |
} |
2102 |
||
2103 |
mutex_enter(&zp->z_lock); |
|
2104 |
mutex_enter(&zp->z_acl_lock); |
|
2105 |
||
2106 |
tx = dmu_tx_create(zfsvfs->z_os); |
|
2107 |
dmu_tx_hold_bonus(tx, zp->z_id); |
|
2108 |
||
2109 |
if (zp->z_phys->zp_acl.z_acl_extern_obj) { |
|
5331 | 2110 |
/* Are we upgrading ACL? */ |
2111 |
if (zfsvfs->z_version <= ZPL_VERSION_FUID && |
|
2112 |
zp->z_phys->zp_acl.z_acl_version == |
|
2113 |
ZFS_ACL_VERSION_INITIAL) { |
|
2114 |
dmu_tx_hold_free(tx, |
|
2115 |
zp->z_phys->zp_acl.z_acl_extern_obj, |
|
2116 |
0, DMU_OBJECT_END); |
|
2117 |
dmu_tx_hold_write(tx, DMU_NEW_OBJECT, |
|
5824 | 2118 |
0, aclp->z_acl_bytes); |
5331 | 2119 |
} else { |
2120 |
dmu_tx_hold_write(tx, |
|
2121 |
zp->z_phys->zp_acl.z_acl_extern_obj, |
|
2122 |
0, aclp->z_acl_bytes); |
|
2123 |
} |
|
2124 |
} else if (aclp->z_acl_bytes > ZFS_ACE_SPACE) { |
|
2125 |
dmu_tx_hold_write(tx, DMU_NEW_OBJECT, 0, aclp->z_acl_bytes); |
|
2126 |
} |
|
9179
d8fbd96b79b3
6790064 zfs needs to determine uid and gid earlier in create process
Mark Shellenbaum <Mark.Shellenbaum@Sun.COM>
parents:
8952
diff
changeset
|
2127 |
fuid_dirtied = zfsvfs->z_fuid_dirty; |
9396
f41cf682d0d3
PSARC/2009/204 ZFS user/group quotas & space accounting
Matthew Ahrens <Matthew.Ahrens@Sun.COM>
parents:
9179
diff
changeset
|
2128 |
if (fuid_dirtied) |
f41cf682d0d3
PSARC/2009/204 ZFS user/group quotas & space accounting
Matthew Ahrens <Matthew.Ahrens@Sun.COM>
parents:
9179
diff
changeset
|
2129 |
zfs_fuid_txhold(zfsvfs, tx); |
789 | 2130 |
|
8227 | 2131 |
error = dmu_tx_assign(tx, TXG_NOWAIT); |
789 | 2132 |
if (error) { |
2133 |
mutex_exit(&zp->z_acl_lock); |
|
2134 |
mutex_exit(&zp->z_lock); |
|
2135 |
||
8227 | 2136 |
if (error == ERESTART) { |
2113
0510bb40c993
6430121 3-way deadlock involving tc_lock within zfs
ahrens
parents:
2058
diff
changeset
|
2137 |
dmu_tx_wait(tx); |
0510bb40c993
6430121 3-way deadlock involving tc_lock within zfs
ahrens
parents:
2058
diff
changeset
|
2138 |
dmu_tx_abort(tx); |
789 | 2139 |
goto top; |
2140 |
} |
|
2113
0510bb40c993
6430121 3-way deadlock involving tc_lock within zfs
ahrens
parents:
2058
diff
changeset
|
2141 |
dmu_tx_abort(tx); |
5331 | 2142 |
zfs_acl_free(aclp); |
789 | 2143 |
return (error); |
2144 |
} |
|
2145 |
||
9179
d8fbd96b79b3
6790064 zfs needs to determine uid and gid earlier in create process
Mark Shellenbaum <Mark.Shellenbaum@Sun.COM>
parents:
8952
diff
changeset
|
2146 |
error = zfs_aclset_common(zp, aclp, cr, tx); |
789 | 2147 |
ASSERT(error == 0); |
2148 |
||
9179
d8fbd96b79b3
6790064 zfs needs to determine uid and gid earlier in create process
Mark Shellenbaum <Mark.Shellenbaum@Sun.COM>
parents:
8952
diff
changeset
|
2149 |
if (fuid_dirtied) |
d8fbd96b79b3
6790064 zfs needs to determine uid and gid earlier in create process
Mark Shellenbaum <Mark.Shellenbaum@Sun.COM>
parents:
8952
diff
changeset
|
2150 |
zfs_fuid_sync(zfsvfs, tx); |
d8fbd96b79b3
6790064 zfs needs to determine uid and gid earlier in create process
Mark Shellenbaum <Mark.Shellenbaum@Sun.COM>
parents:
8952
diff
changeset
|
2151 |
|
d8fbd96b79b3
6790064 zfs needs to determine uid and gid earlier in create process
Mark Shellenbaum <Mark.Shellenbaum@Sun.COM>
parents:
8952
diff
changeset
|
2152 |
zfs_time_stamper_locked(zp, STATE_CHANGED, tx); |
5331 | 2153 |
zfs_log_acl(zilog, tx, zp, vsecp, fuidp); |
2154 |
||
2155 |
if (fuidp) |
|
2156 |
zfs_fuid_info_free(fuidp); |
|
789 | 2157 |
zfs_acl_free(aclp); |
2158 |
dmu_tx_commit(tx); |
|
2159 |
done: |
|
2160 |
mutex_exit(&zp->z_acl_lock); |
|
2161 |
mutex_exit(&zp->z_lock); |
|
2162 |
||
2163 |
return (error); |
|
2164 |
} |
|
2165 |
||
5331 | 2166 |
/* |
2167 |
* working_mode returns the permissions that were not granted |
|
2168 |
*/ |
|
789 | 2169 |
static int |
5331 | 2170 |
zfs_zaccess_common(znode_t *zp, uint32_t v4_mode, uint32_t *working_mode, |
2171 |
boolean_t *check_privs, boolean_t skipaclchk, cred_t *cr) |
|
789 | 2172 |
{ |
2173 |
zfs_acl_t *aclp; |
|
2174 |
zfsvfs_t *zfsvfs = zp->z_zfsvfs; |
|
1544 | 2175 |
int error; |
789 | 2176 |
uid_t uid = crgetuid(cr); |
5331 | 2177 |
uint64_t who; |
2178 |
uint16_t type, iflags; |
|
2179 |
uint16_t entry_type; |
|
2180 |
uint32_t access_mask; |
|
6056
37f30782c577
6664536 zfs O_RDWR access check more stringent than tmpfs or ufs
marks
parents:
5959
diff
changeset
|
2181 |
uint32_t deny_mask = 0; |
5331 | 2182 |
zfs_ace_hdr_t *acep = NULL; |
2183 |
boolean_t checkit; |
|
2184 |
uid_t fowner; |
|
2185 |
uid_t gowner; |
|
2186 |
||
2187 |
/* |
|
2188 |
* Short circuit empty requests |
|
2189 |
*/ |
|
2190 |
if (v4_mode == 0) |
|
2191 |
return (0); |
|
2192 |
||
2193 |
*check_privs = B_TRUE; |
|
789 | 2194 |
|
8227 | 2195 |
if (zfsvfs->z_replay) { |
2638
4f583dfeae92
6413510 zfs: writing to ZFS filesystem slows down fsync() on other files in the same FS
perrin
parents:
2604
diff
changeset
|
2196 |
*working_mode = 0; |
4f583dfeae92
6413510 zfs: writing to ZFS filesystem slows down fsync() on other files in the same FS
perrin
parents:
2604
diff
changeset
|
2197 |
return (0); |
4f583dfeae92
6413510 zfs: writing to ZFS filesystem slows down fsync() on other files in the same FS
perrin
parents:
2604
diff
changeset
|
2198 |
} |
789 | 2199 |
|
2638
4f583dfeae92
6413510 zfs: writing to ZFS filesystem slows down fsync() on other files in the same FS
perrin
parents:
2604
diff
changeset
|
2200 |
*working_mode = v4_mode; |
789 | 2201 |
|
2202 |
if ((v4_mode & WRITE_MASK) && |
|
2203 |
(zp->z_zfsvfs->z_vfs->vfs_flag & VFS_RDONLY) && |
|
8952
c2f95230b0ff
6809529 dirtying snapshot! rears its head again
Mark Shellenbaum <Mark.Shellenbaum@Sun.COM>
parents:
8227
diff
changeset
|
2204 |
(!IS_DEVVP(ZTOV(zp)) || |
c2f95230b0ff
6809529 dirtying snapshot! rears its head again
Mark Shellenbaum <Mark.Shellenbaum@Sun.COM>
parents:
8227
diff
changeset
|
2205 |
(IS_DEVVP(ZTOV(zp)) && (v4_mode & WRITE_MASK_ATTRS)))) { |
5331 | 2206 |
*check_privs = B_FALSE; |
789 | 2207 |
return (EROFS); |
2208 |
} |
|
2209 |
||
5331 | 2210 |
/* |
2211 |
* Only check for READONLY on non-directories. |
|
2212 |
*/ |
|
2213 |
if ((v4_mode & WRITE_MASK_DATA) && |
|
2214 |
(((ZTOV(zp)->v_type != VDIR) && |
|
2215 |
(zp->z_phys->zp_flags & (ZFS_READONLY | ZFS_IMMUTABLE))) || |
|
2216 |
(ZTOV(zp)->v_type == VDIR && |
|
2217 |
(zp->z_phys->zp_flags & ZFS_IMMUTABLE)))) { |
|
2218 |
*check_privs = B_FALSE; |
|
2219 |
return (EPERM); |
|
2220 |
} |
|
2221 |
||
2222 |
if ((v4_mode & (ACE_DELETE | ACE_DELETE_CHILD)) && |
|
2223 |
(zp->z_phys->zp_flags & ZFS_NOUNLINK)) { |
|
2224 |
*check_privs = B_FALSE; |
|
2225 |
return (EPERM); |
|
2226 |
} |
|
2227 |
||
2228 |
if (((v4_mode & (ACE_READ_DATA|ACE_EXECUTE)) && |
|
2229 |
(zp->z_phys->zp_flags & ZFS_AV_QUARANTINED))) { |
|
2230 |
*check_privs = B_FALSE; |
|
2231 |
return (EACCES); |
|
2232 |
} |
|
2233 |
||
2234 |
/* |
|
2235 |
* The caller requested that the ACL check be skipped. This |
|
2236 |
* would only happen if the caller checked VOP_ACCESS() with a |
|
2237 |
* 32 bit ACE mask and already had the appropriate permissions. |
|
2238 |
*/ |
|
2239 |
if (skipaclchk) { |
|
2240 |
*working_mode = 0; |
|
2241 |
return (0); |
|
2242 |
} |
|
2243 |
||
5771 | 2244 |
zfs_fuid_map_ids(zp, cr, &fowner, &gowner); |
5331 | 2245 |
|
789 | 2246 |
mutex_enter(&zp->z_acl_lock); |
2247 |
||
5331 | 2248 |
error = zfs_acl_node_read(zp, &aclp, B_FALSE); |
1544 | 2249 |
if (error != 0) { |
2250 |
mutex_exit(&zp->z_acl_lock); |
|
2251 |
return (error); |
|
2252 |
} |
|
2253 |
||
5331 | 2254 |
while (acep = zfs_acl_next_ace(aclp, acep, &who, &access_mask, |
2255 |
&iflags, &type)) { |
|
789 | 2256 |
|
7559
a2e9a3201169
6746456 ZFS doesn't inherit old ACLs correctly on upgraded file system
Mark Shellenbaum <Mark.Shellenbaum@Sun.COM>
parents:
7328
diff
changeset
|
2257 |
if (!zfs_acl_valid_ace_type(type, iflags)) |
a2e9a3201169
6746456 ZFS doesn't inherit old ACLs correctly on upgraded file system
Mark Shellenbaum <Mark.Shellenbaum@Sun.COM>
parents:
7328
diff
changeset
|
2258 |
continue; |
a2e9a3201169
6746456 ZFS doesn't inherit old ACLs correctly on upgraded file system
Mark Shellenbaum <Mark.Shellenbaum@Sun.COM>
parents:
7328
diff
changeset
|
2259 |
|
7057 | 2260 |
if (ZTOV(zp)->v_type == VDIR && (iflags & ACE_INHERIT_ONLY_ACE)) |
789 | 2261 |
continue; |
2262 |
||
5331 | 2263 |
entry_type = (iflags & ACE_TYPE_FLAGS); |
2264 |
||
2265 |
checkit = B_FALSE; |
|
2266 |
||
789 | 2267 |
switch (entry_type) { |
2268 |
case ACE_OWNER: |
|
5331 | 2269 |
if (uid == fowner) |
2270 |
checkit = B_TRUE; |
|
789 | 2271 |
break; |
5331 | 2272 |
case OWNING_GROUP: |
2273 |
who = gowner; |
|
2274 |
/*FALLTHROUGH*/ |
|
789 | 2275 |
case ACE_IDENTIFIER_GROUP: |
5331 | 2276 |
checkit = zfs_groupmember(zfsvfs, who, cr); |
789 | 2277 |
break; |
2278 |
case ACE_EVERYONE: |
|
5331 | 2279 |
checkit = B_TRUE; |
789 | 2280 |
break; |
2281 |
||
2282 |
/* USER Entry */ |
|
2283 |
default: |
|
2284 |
if (entry_type == 0) { |
|
5331 | 2285 |
uid_t newid; |
2286 |
||
5959
1e1904b8526d
6650192 zfs ACL/fuid code could use some minor cleanup
marks
parents:
5824
diff
changeset
|
2287 |
newid = zfs_fuid_map_id(zfsvfs, who, cr, |
1e1904b8526d
6650192 zfs ACL/fuid code could use some minor cleanup
marks
parents:
5824
diff
changeset
|
2288 |
ZFS_ACE_USER); |
5331 | 2289 |
if (newid != IDMAP_WK_CREATOR_OWNER_UID && |
2290 |
uid == newid) |
|
2291 |
checkit = B_TRUE; |
|
789 | 2292 |
break; |
5331 | 2293 |
} else { |
2294 |
zfs_acl_free(aclp); |
|
2295 |
mutex_exit(&zp->z_acl_lock); |
|
2296 |
return (EIO); |
|
789 | 2297 |
} |
5331 | 2298 |
} |
2299 |
||
2300 |
if (checkit) { |
|
6056
37f30782c577
6664536 zfs O_RDWR access check more stringent than tmpfs or ufs
marks
parents:
5959
diff
changeset
|
2301 |
uint32_t mask_matched = (access_mask & *working_mode); |
37f30782c577
6664536 zfs O_RDWR access check more stringent than tmpfs or ufs
marks
parents:
5959
diff
changeset
|
2302 |
|
37f30782c577
6664536 zfs O_RDWR access check more stringent than tmpfs or ufs
marks
parents:
5959
diff
changeset
|
2303 |
if (mask_matched) { |
37f30782c577
6664536 zfs O_RDWR access check more stringent than tmpfs or ufs
marks
parents:
5959
diff
changeset
|
2304 |
if (type == DENY) |
37f30782c577
6664536 zfs O_RDWR access check more stringent than tmpfs or ufs
marks
parents:
5959
diff
changeset
|
2305 |
deny_mask |= mask_matched; |
37f30782c577
6664536 zfs O_RDWR access check more stringent than tmpfs or ufs
marks
parents:
5959
diff
changeset
|
2306 |
|
37f30782c577
6664536 zfs O_RDWR access check more stringent than tmpfs or ufs
marks
parents:
5959
diff
changeset
|
2307 |
*working_mode &= ~mask_matched; |
5331 | 2308 |
} |
789 | 2309 |
} |
2310 |
||
6056
37f30782c577
6664536 zfs O_RDWR access check more stringent than tmpfs or ufs
marks
parents:
5959
diff
changeset
|
2311 |
/* Are we done? */ |
37f30782c577
6664536 zfs O_RDWR access check more stringent than tmpfs or ufs
marks
parents:
5959
diff
changeset
|
2312 |
if (*working_mode == 0) |
789 | 2313 |
break; |
2314 |
} |
|
2315 |
||
2316 |
mutex_exit(&zp->z_acl_lock); |
|
2317 |
zfs_acl_free(aclp); |
|
6056
37f30782c577
6664536 zfs O_RDWR access check more stringent than tmpfs or ufs
marks
parents:
5959
diff
changeset
|
2318 |
|
37f30782c577
6664536 zfs O_RDWR access check more stringent than tmpfs or ufs
marks
parents:
5959
diff
changeset
|
2319 |
/* Put the found 'denies' back on the working mode */ |
7163 | 2320 |
if (deny_mask) { |
2321 |
*working_mode |= deny_mask; |
|
6056
37f30782c577
6664536 zfs O_RDWR access check more stringent than tmpfs or ufs
marks
parents:
5959
diff
changeset
|
2322 |
return (EACCES); |
7163 | 2323 |
} else if (*working_mode) { |
2324 |
return (-1); |
|
2325 |
} |
|
6056
37f30782c577
6664536 zfs O_RDWR access check more stringent than tmpfs or ufs
marks
parents:
5959
diff
changeset
|
2326 |
|
37f30782c577
6664536 zfs O_RDWR access check more stringent than tmpfs or ufs
marks
parents:
5959
diff
changeset
|
2327 |
return (0); |
789 | 2328 |
} |
2329 |
||
5331 | 2330 |
static int |
2331 |
zfs_zaccess_append(znode_t *zp, uint32_t *working_mode, boolean_t *check_privs, |
|
2332 |
cred_t *cr) |
|
2333 |
{ |
|
2334 |
if (*working_mode != ACE_WRITE_DATA) |
|
2335 |
return (EACCES); |
|
2336 |
||
2337 |
return (zfs_zaccess_common(zp, ACE_APPEND_DATA, working_mode, |
|
2338 |
check_privs, B_FALSE, cr)); |
|
2339 |
} |
|
789 | 2340 |
|
2341 |
/* |
|
2342 |
* Determine whether Access should be granted/denied, invoking least |
|
2343 |
* priv subsytem when a deny is determined. |
|
2344 |
*/ |
|
2345 |
int |
|
5331 | 2346 |
zfs_zaccess(znode_t *zp, int mode, int flags, boolean_t skipaclchk, cred_t *cr) |
789 | 2347 |
{ |
5331 | 2348 |
uint32_t working_mode; |
2349 |
int error; |
|
2350 |
int is_attr; |
|
2351 |
zfsvfs_t *zfsvfs = zp->z_zfsvfs; |
|
2352 |
boolean_t check_privs; |
|
2353 |
znode_t *xzp; |
|
2354 |
znode_t *check_zp = zp; |
|
789 | 2355 |
|
2356 |
is_attr = ((zp->z_phys->zp_flags & ZFS_XATTR) && |
|
2357 |
(ZTOV(zp)->v_type == VDIR)); |
|
2358 |
||
2359 |
/* |
|
2360 |
* If attribute then validate against base file |
|
2361 |
*/ |
|
2362 |
if (is_attr) { |
|
2363 |
if ((error = zfs_zget(zp->z_zfsvfs, |
|
2364 |
zp->z_phys->zp_parent, &xzp)) != 0) { |
|
2365 |
return (error); |
|
2366 |
} |
|
5331 | 2367 |
|
789 | 2368 |
check_zp = xzp; |
5331 | 2369 |
|
789 | 2370 |
/* |
2371 |
* fixup mode to map to xattr perms |
|
2372 |
*/ |
|
2373 |
||
2374 |
if (mode & (ACE_WRITE_DATA|ACE_APPEND_DATA)) { |
|
2375 |
mode &= ~(ACE_WRITE_DATA|ACE_APPEND_DATA); |
|
2376 |
mode |= ACE_WRITE_NAMED_ATTRS; |
|
2377 |
} |
|
2378 |
||
2379 |
if (mode & (ACE_READ_DATA|ACE_EXECUTE)) { |
|
2380 |
mode &= ~(ACE_READ_DATA|ACE_EXECUTE); |
|
2381 |
mode |= ACE_READ_NAMED_ATTRS; |
|
2382 |
} |
|
2383 |
} |
|
2384 |
||
5331 | 2385 |
if ((error = zfs_zaccess_common(check_zp, mode, &working_mode, |
2386 |
&check_privs, skipaclchk, cr)) == 0) { |
|
2387 |
if (is_attr) |
|
2388 |
VN_RELE(ZTOV(xzp)); |
|
2389 |
return (0); |
|
2390 |
} |
|
789 | 2391 |
|
5959
1e1904b8526d
6650192 zfs ACL/fuid code could use some minor cleanup
marks
parents:
5824
diff
changeset
|
2392 |
if (error && !check_privs) { |
789 | 2393 |
if (is_attr) |
2394 |
VN_RELE(ZTOV(xzp)); |
|
2395 |
return (error); |
|
2396 |
} |
|
2397 |
||
5331 | 2398 |
if (error && (flags & V_APPEND)) { |
2399 |
error = zfs_zaccess_append(zp, &working_mode, &check_privs, cr); |
|
2400 |
} |
|
2401 |
||
2402 |
if (error && check_privs) { |
|
2403 |
uid_t owner; |
|
2404 |
mode_t checkmode = 0; |
|
2405 |
||
5959
1e1904b8526d
6650192 zfs ACL/fuid code could use some minor cleanup
marks
parents:
5824
diff
changeset
|
2406 |
owner = zfs_fuid_map_id(zfsvfs, check_zp->z_phys->zp_uid, cr, |
1e1904b8526d
6650192 zfs ACL/fuid code could use some minor cleanup
marks
parents:
5824
diff
changeset
|
2407 |
ZFS_OWNER); |
5331 | 2408 |
|
2409 |
/* |
|
2410 |
* First check for implicit owner permission on |
|
2411 |
* read_acl/read_attributes |
|
2412 |
*/ |
|
2413 |
||
2414 |
error = 0; |
|
2415 |
ASSERT(working_mode != 0); |
|
2416 |
||
2417 |
if ((working_mode & (ACE_READ_ACL|ACE_READ_ATTRIBUTES) && |
|
2418 |
owner == crgetuid(cr))) |
|
2419 |
working_mode &= ~(ACE_READ_ACL|ACE_READ_ATTRIBUTES); |
|
2420 |
||
2421 |
if (working_mode & (ACE_READ_DATA|ACE_READ_NAMED_ATTRS| |
|
7624
0a59f685e81b
6744510 Should not allow to rename a file/folder when a user does not have permission
Mark Shellenbaum <Mark.Shellenbaum@Sun.COM>
parents:
7559
diff
changeset
|
2422 |
ACE_READ_ACL|ACE_READ_ATTRIBUTES|ACE_SYNCHRONIZE)) |
5331 | 2423 |
checkmode |= VREAD; |
2424 |
if (working_mode & (ACE_WRITE_DATA|ACE_WRITE_NAMED_ATTRS| |
|
7624
0a59f685e81b
6744510 Should not allow to rename a file/folder when a user does not have permission
Mark Shellenbaum <Mark.Shellenbaum@Sun.COM>
parents:
7559
diff
changeset
|
2425 |
ACE_APPEND_DATA|ACE_WRITE_ATTRIBUTES|ACE_SYNCHRONIZE)) |
5331 | 2426 |
checkmode |= VWRITE; |
2427 |
if (working_mode & ACE_EXECUTE) |
|
2428 |
checkmode |= VEXEC; |
|
2429 |
||
2430 |
if (checkmode) |
|
2431 |
error = secpolicy_vnode_access(cr, ZTOV(check_zp), |
|
2432 |
owner, checkmode); |
|
2433 |
||
2434 |
if (error == 0 && (working_mode & ACE_WRITE_OWNER)) |
|
7624
0a59f685e81b
6744510 Should not allow to rename a file/folder when a user does not have permission
Mark Shellenbaum <Mark.Shellenbaum@Sun.COM>
parents:
7559
diff
changeset
|
2435 |
error = secpolicy_vnode_chown(cr, B_TRUE); |
5331 | 2436 |
if (error == 0 && (working_mode & ACE_WRITE_ACL)) |
2437 |
error = secpolicy_vnode_setdac(cr, owner); |
|
2438 |
||
2439 |
if (error == 0 && (working_mode & |
|
2440 |
(ACE_DELETE|ACE_DELETE_CHILD))) |
|
2441 |
error = secpolicy_vnode_remove(cr); |
|
2442 |
||
7624
0a59f685e81b
6744510 Should not allow to rename a file/folder when a user does not have permission
Mark Shellenbaum <Mark.Shellenbaum@Sun.COM>
parents:
7559
diff
changeset
|
2443 |
if (error == 0 && (working_mode & ACE_SYNCHRONIZE)) { |
0a59f685e81b
6744510 Should not allow to rename a file/folder when a user does not have permission
Mark Shellenbaum <Mark.Shellenbaum@Sun.COM>
parents:
7559
diff
changeset
|
2444 |
error = secpolicy_vnode_chown(cr, B_FALSE); |
0a59f685e81b
6744510 Should not allow to rename a file/folder when a user does not have permission
Mark Shellenbaum <Mark.Shellenbaum@Sun.COM>
parents:
7559
diff
changeset
|
2445 |
} |
5331 | 2446 |
if (error == 0) { |
2447 |
/* |
|
2448 |
* See if any bits other than those already checked |
|
2449 |
* for are still present. If so then return EACCES |
|
2450 |
*/ |
|
2451 |
if (working_mode & ~(ZFS_CHECKED_MASKS)) { |
|
2452 |
error = EACCES; |
|
2453 |
} |
|
2454 |
} |
|
789 | 2455 |
} |
2456 |
||
2457 |
if (is_attr) |
|
2458 |
VN_RELE(ZTOV(xzp)); |
|
2459 |
||
2460 |
return (error); |
|
2461 |
} |
|
2462 |
||
2463 |
/* |
|
5331 | 2464 |
* Translate traditional unix VREAD/VWRITE/VEXEC mode into |
2465 |
* native ACL format and call zfs_zaccess() |
|
789 | 2466 |
*/ |
2467 |
int |
|
5331 | 2468 |
zfs_zaccess_rwx(znode_t *zp, mode_t mode, int flags, cred_t *cr) |
789 | 2469 |
{ |
5331 | 2470 |
return (zfs_zaccess(zp, zfs_unix_to_v4(mode >> 6), flags, B_FALSE, cr)); |
789 | 2471 |
} |
2472 |
||
2473 |
/* |
|
5331 | 2474 |
* Access function for secpolicy_vnode_setattr |
789 | 2475 |
*/ |
2476 |
int |
|
5331 | 2477 |
zfs_zaccess_unix(znode_t *zp, mode_t mode, cred_t *cr) |
789 | 2478 |
{ |
2479 |
int v4_mode = zfs_unix_to_v4(mode >> 6); |
|
2480 |
||
5331 | 2481 |
return (zfs_zaccess(zp, v4_mode, 0, B_FALSE, cr)); |
789 | 2482 |
} |
2483 |
||
2604
b2fb13f56fe7
6461609 zfs delete permissions are not working correctly
marks
parents:
2113
diff
changeset
|
2484 |
static int |
6257
0c7475fa4852
6674548 zfs_delete_final_check calls secpolicy_vnode_access on wrong vnode
marks
parents:
6056
diff
changeset
|
2485 |
zfs_delete_final_check(znode_t *zp, znode_t *dzp, |
0c7475fa4852
6674548 zfs_delete_final_check calls secpolicy_vnode_access on wrong vnode
marks
parents:
6056
diff
changeset
|
2486 |
mode_t missing_perms, cred_t *cr) |
2604
b2fb13f56fe7
6461609 zfs delete permissions are not working correctly
marks
parents:
2113
diff
changeset
|
2487 |
{ |
b2fb13f56fe7
6461609 zfs delete permissions are not working correctly
marks
parents:
2113
diff
changeset
|
2488 |
int error; |
5331 | 2489 |
uid_t downer; |
2490 |
zfsvfs_t *zfsvfs = zp->z_zfsvfs; |
|
2604
b2fb13f56fe7
6461609 zfs delete permissions are not working correctly
marks
parents:
2113
diff
changeset
|
2491 |
|
5959
1e1904b8526d
6650192 zfs ACL/fuid code could use some minor cleanup
marks
parents:
5824
diff
changeset
|
2492 |
downer = zfs_fuid_map_id(zfsvfs, dzp->z_phys->zp_uid, cr, ZFS_OWNER); |
5331 | 2493 |
|
6257
0c7475fa4852
6674548 zfs_delete_final_check calls secpolicy_vnode_access on wrong vnode
marks
parents:
6056
diff
changeset
|
2494 |
error = secpolicy_vnode_access(cr, ZTOV(dzp), downer, missing_perms); |
2604
b2fb13f56fe7
6461609 zfs delete permissions are not working correctly
marks
parents:
2113
diff
changeset
|
2495 |
|
b2fb13f56fe7
6461609 zfs delete permissions are not working correctly
marks
parents:
2113
diff
changeset
|
2496 |
if (error == 0) |
b2fb13f56fe7
6461609 zfs delete permissions are not working correctly
marks
parents:
2113
diff
changeset
|
2497 |
error = zfs_sticky_remove_access(dzp, zp, cr); |
b2fb13f56fe7
6461609 zfs delete permissions are not working correctly
marks
parents:
2113
diff
changeset
|
2498 |
|
b2fb13f56fe7
6461609 zfs delete permissions are not working correctly
marks
parents:
2113
diff
changeset
|
2499 |
return (error); |
b2fb13f56fe7
6461609 zfs delete permissions are not working correctly
marks
parents:
2113
diff
changeset
|
2500 |
} |
b2fb13f56fe7
6461609 zfs delete permissions are not working correctly
marks
parents:
2113
diff
changeset
|
2501 |
|
789 | 2502 |
/* |
2503 |
* Determine whether Access should be granted/deny, without |
|
2504 |
* consulting least priv subsystem. |
|
2505 |
* |
|
2506 |
* |
|
2507 |
* The following chart is the recommended NFSv4 enforcement for |
|
2508 |
* ability to delete an object. |
|
2509 |
* |
|
2510 |
* ------------------------------------------------------- |
|
2511 |
* | Parent Dir | Target Object Permissions | |
|
2512 |
* | permissions | | |
|
2513 |
* ------------------------------------------------------- |
|
2514 |
* | | ACL Allows | ACL Denies| Delete | |
|
2515 |
* | | Delete | Delete | unspecified| |
|
2516 |
* ------------------------------------------------------- |
|
2517 |
* | ACL Allows | Permit | Permit | Permit | |
|
2518 |
* | DELETE_CHILD | | |
|
2519 |
* ------------------------------------------------------- |
|
2520 |
* | ACL Denies | Permit | Deny | Deny | |
|
2521 |
* | DELETE_CHILD | | | | |
|
2522 |
* ------------------------------------------------------- |
|
2523 |
* | ACL specifies | | | | |
|
2524 |
* | only allow | Permit | Permit | Permit | |
|
2525 |
* | write and | | | | |
|
2526 |
* | execute | | | | |
|
2527 |
* ------------------------------------------------------- |
|
2528 |
* | ACL denies | | | | |
|
2529 |
* | write and | Permit | Deny | Deny | |
|
2530 |
* | execute | | | | |
|
2531 |
* ------------------------------------------------------- |
|
2532 |
* ^ |
|
2533 |
* | |
|
2534 |
* No search privilege, can't even look up file? |
|
2535 |
* |
|
2536 |
*/ |
|
2537 |
int |
|
2538 |
zfs_zaccess_delete(znode_t *dzp, znode_t *zp, cred_t *cr) |
|
2539 |
{ |
|
5331 | 2540 |
uint32_t dzp_working_mode = 0; |
2541 |
uint32_t zp_working_mode = 0; |
|
789 | 2542 |
int dzp_error, zp_error; |
6257
0c7475fa4852
6674548 zfs_delete_final_check calls secpolicy_vnode_access on wrong vnode
marks
parents:
6056
diff
changeset
|
2543 |
mode_t missing_perms; |
5331 | 2544 |
boolean_t dzpcheck_privs = B_TRUE; |
2545 |
boolean_t zpcheck_privs = B_TRUE; |
|
789 | 2546 |
|
2547 |
/* |
|
6257
0c7475fa4852
6674548 zfs_delete_final_check calls secpolicy_vnode_access on wrong vnode
marks
parents:
6056
diff
changeset
|
2548 |
* We want specific DELETE permissions to |
789 | 2549 |
* take precedence over WRITE/EXECUTE. We don't |
2550 |
* want an ACL such as this to mess us up. |
|
2604
b2fb13f56fe7
6461609 zfs delete permissions are not working correctly
marks
parents:
2113
diff
changeset
|
2551 |
* user:joe:write_data:deny,user:joe:delete:allow |
789 | 2552 |
* |
2553 |
* However, deny permissions may ultimately be overridden |
|
2554 |
* by secpolicy_vnode_access(). |
|
6257
0c7475fa4852
6674548 zfs_delete_final_check calls secpolicy_vnode_access on wrong vnode
marks
parents:
6056
diff
changeset
|
2555 |
* |
0c7475fa4852
6674548 zfs_delete_final_check calls secpolicy_vnode_access on wrong vnode
marks
parents:
6056
diff
changeset
|
2556 |
* We will ask for all of the necessary permissions and then |
0c7475fa4852
6674548 zfs_delete_final_check calls secpolicy_vnode_access on wrong vnode
marks
parents:
6056
diff
changeset
|
2557 |
* look at the working modes from the directory and target object |
0c7475fa4852
6674548 zfs_delete_final_check calls secpolicy_vnode_access on wrong vnode
marks
parents:
6056
diff
changeset
|
2558 |
* to determine what was found. |
789 | 2559 |
*/ |
2560 |
||
5331 | 2561 |
if (zp->z_phys->zp_flags & (ZFS_IMMUTABLE | ZFS_NOUNLINK)) |
2562 |
return (EPERM); |
|
2563 |
||
6257
0c7475fa4852
6674548 zfs_delete_final_check calls secpolicy_vnode_access on wrong vnode
marks
parents:
6056
diff
changeset
|
2564 |
/* |
7163 | 2565 |
* First row |
6257
0c7475fa4852
6674548 zfs_delete_final_check calls secpolicy_vnode_access on wrong vnode
marks
parents:
6056
diff
changeset
|
2566 |
* If the directory permissions allow the delete, we are done. |
0c7475fa4852
6674548 zfs_delete_final_check calls secpolicy_vnode_access on wrong vnode
marks
parents:
6056
diff
changeset
|
2567 |
*/ |
7163 | 2568 |
if ((dzp_error = zfs_zaccess_common(dzp, ACE_DELETE_CHILD, |
6257
0c7475fa4852
6674548 zfs_delete_final_check calls secpolicy_vnode_access on wrong vnode
marks
parents:
6056
diff
changeset
|
2569 |
&dzp_working_mode, &dzpcheck_privs, B_FALSE, cr)) == 0) |
0c7475fa4852
6674548 zfs_delete_final_check calls secpolicy_vnode_access on wrong vnode
marks
parents:
6056
diff
changeset
|
2570 |
return (0); |
789 | 2571 |
|
6257
0c7475fa4852
6674548 zfs_delete_final_check calls secpolicy_vnode_access on wrong vnode
marks
parents:
6056
diff
changeset
|
2572 |
/* |
0c7475fa4852
6674548 zfs_delete_final_check calls secpolicy_vnode_access on wrong vnode
marks
parents:
6056
diff
changeset
|
2573 |
* If target object has delete permission then we are done |
0c7475fa4852
6674548 zfs_delete_final_check calls secpolicy_vnode_access on wrong vnode
marks
parents:
6056
diff
changeset
|
2574 |
*/ |
0c7475fa4852
6674548 zfs_delete_final_check calls secpolicy_vnode_access on wrong vnode
marks
parents:
6056
diff
changeset
|
2575 |
if ((zp_error = zfs_zaccess_common(zp, ACE_DELETE, &zp_working_mode, |
0c7475fa4852
6674548 zfs_delete_final_check calls secpolicy_vnode_access on wrong vnode
marks
parents:
6056
diff
changeset
|
2576 |
&zpcheck_privs, B_FALSE, cr)) == 0) |
0c7475fa4852
6674548 zfs_delete_final_check calls secpolicy_vnode_access on wrong vnode
marks
parents:
6056
diff
changeset
|
2577 |
return (0); |
0c7475fa4852
6674548 zfs_delete_final_check calls secpolicy_vnode_access on wrong vnode
marks
parents:
6056
diff
changeset
|
2578 |
|
7163 | 2579 |
ASSERT(dzp_error && zp_error); |
2580 |
||
6257
0c7475fa4852
6674548 zfs_delete_final_check calls secpolicy_vnode_access on wrong vnode
marks
parents:
6056
diff
changeset
|
2581 |
if (!dzpcheck_privs) |
789 | 2582 |
return (dzp_error); |
7163 | 2583 |
if (!zpcheck_privs) |
6257
0c7475fa4852
6674548 zfs_delete_final_check calls secpolicy_vnode_access on wrong vnode
marks
parents:
6056
diff
changeset
|
2584 |
return (zp_error); |
789 | 2585 |
|
2586 |
/* |
|
2587 |
* Second row |
|
7163 | 2588 |
* |
2589 |
* If directory returns EACCES then delete_child was denied |
|
2590 |
* due to deny delete_child. In this case send the request through |
|
2591 |
* secpolicy_vnode_remove(). We don't use zfs_delete_final_check() |
|
2592 |
* since that *could* allow the delete based on write/execute permission |
|
2593 |
* and we want delete permissions to override write/execute. |
|
789 | 2594 |
*/ |
2595 |
||
2604
b2fb13f56fe7
6461609 zfs delete permissions are not working correctly
marks
parents:
2113
diff
changeset
|
2596 |
if (dzp_error == EACCES) |
7163 | 2597 |
return (secpolicy_vnode_remove(cr)); |
2604
b2fb13f56fe7
6461609 zfs delete permissions are not working correctly
marks
parents:
2113
diff
changeset
|
2598 |
|
b2fb13f56fe7
6461609 zfs delete permissions are not working correctly
marks
parents:
2113
diff
changeset
|
2599 |
/* |
789 | 2600 |
* Third Row |
6257
0c7475fa4852
6674548 zfs_delete_final_check calls secpolicy_vnode_access on wrong vnode
marks
parents:
6056
diff
changeset
|
2601 |
* only need to see if we have write/execute on directory. |
789 | 2602 |
*/ |
2603 |
||
7163 | 2604 |
if ((dzp_error = zfs_zaccess_common(dzp, ACE_EXECUTE|ACE_WRITE_DATA, |
2605 |
&dzp_working_mode, &dzpcheck_privs, B_FALSE, cr)) == 0) |
|
2604
b2fb13f56fe7
6461609 zfs delete permissions are not working correctly
marks
parents:
2113
diff
changeset
|
2606 |
return (zfs_sticky_remove_access(dzp, zp, cr)); |
789 | 2607 |
|
7163 | 2608 |
if (!dzpcheck_privs) |
2609 |
return (dzp_error); |
|
2610 |
||
789 | 2611 |
/* |
7163 | 2612 |
* Fourth row |
789 | 2613 |
*/ |
2614 |
||
7163 | 2615 |
missing_perms = (dzp_working_mode & ACE_WRITE_DATA) ? VWRITE : 0; |
2616 |
missing_perms |= (dzp_working_mode & ACE_EXECUTE) ? VEXEC : 0; |
|
2617 |
||
2618 |
ASSERT(missing_perms); |
|
789 | 2619 |
|
6257
0c7475fa4852
6674548 zfs_delete_final_check calls secpolicy_vnode_access on wrong vnode
marks
parents:
6056
diff
changeset
|
2620 |
return (zfs_delete_final_check(zp, dzp, missing_perms, cr)); |
7163 | 2621 |
|
789 | 2622 |
} |
2623 |
||
2624 |
int |
|
2625 |
zfs_zaccess_rename(znode_t *sdzp, znode_t *szp, znode_t *tdzp, |
|
2626 |
znode_t *tzp, cred_t *cr) |
|
2627 |
{ |
|
2628 |
int add_perm; |
|
2629 |
int error; |
|
2630 |
||
5331 | 2631 |
if (szp->z_phys->zp_flags & ZFS_AV_QUARANTINED) |
2632 |
return (EACCES); |
|
2633 |
||
789 | 2634 |
add_perm = (ZTOV(szp)->v_type == VDIR) ? |
2635 |
ACE_ADD_SUBDIRECTORY : ACE_ADD_FILE; |
|
2636 |
||
2637 |
/* |
|
2638 |
* Rename permissions are combination of delete permission + |
|
2639 |
* add file/subdir permission. |
|
2640 |
*/ |
|
2641 |
||
2642 |
/* |
|
2643 |
* first make sure we do the delete portion. |
|
2644 |
* |
|
2645 |
* If that succeeds then check for add_file/add_subdir permissions |
|
2646 |
*/ |
|
2647 |
||
2648 |
if (error = zfs_zaccess_delete(sdzp, szp, cr)) |
|
2649 |
return (error); |
|
2650 |
||
2651 |
/* |
|
2652 |
* If we have a tzp, see if we can delete it? |
|
2653 |
*/ |
|
2654 |
if (tzp) { |
|
2655 |
if (error = zfs_zaccess_delete(tdzp, tzp, cr)) |
|
2656 |
return (error); |
|
2657 |
} |
|
2658 |
||
2659 |
/* |
|
2660 |
* Now check for add permissions |
|
2661 |
*/ |
|
5331 | 2662 |
error = zfs_zaccess(tdzp, add_perm, 0, B_FALSE, cr); |
789 | 2663 |
|
2664 |
return (error); |
|
2665 |
} |