upstream/illumos/illumos-gate: comparison usr/src/uts/common/fs/zfs/zfs

equal deleted inserted replaced

-:13d7f3eec672
+:b4907297e740
 	mode_t		seen = 0;
 	zfs_ace_hdr_t 	*acep = NULL;
 	uint64_t	who;
 	uint16_t	iflags, type;
 	uint32_t	access_mask;
+	boolean_t	an_exec_denied = B_FALSE;
 	mode = (zp->z_phys->zp_mode & (S_IFMT | S_ISUID | S_ISGID | S_ISVTX));
 	while (acep = zfs_acl_next_ace(aclp, acep, &who,
 	    &access_mask, &iflags, &type)) {
 					if (type == ALLOW) {
 						mode |= S_IXOTH;
 					}
 				}
 			}
-		}
+		} else {
-	}
+			/*
+			 * Only care if this IDENTIFIER_GROUP or
+			 * USER ACE denies execute access to someone,
+			 * mode is not affected
+			 */
+			if ((access_mask & ACE_EXECUTE) && type == DENY)
+				an_exec_denied = B_TRUE;
+		}
+	}
+	if (!an_exec_denied && !(seen & (S_IXUSR | S_IXGRP | S_IXOTH)) ||
+	    !(mode & (S_IXUSR | S_IXGRP | S_IXOTH)))
+		an_exec_denied = B_TRUE;
+	if (an_exec_denied)
+		zp->z_phys->zp_flags &= ~ZFS_NO_EXECS_DENIED;
+	else
+		zp->z_phys->zp_flags |= ZFS_NO_EXECS_DENIED;
 	return (mode);
 }
 static zfs_acl_t *
 zfs_acl_node_read_internal(znode_t *zp, boolean_t will_modify)
 	zfs_acl_node_t	*aclnode;
 	int error;
 	ASSERT(MUTEX_HELD(&zp->z_acl_lock));
+	if (zp->z_acl_cached) {
+		*aclpp = zp->z_acl_cached;
+		return (0);
+	}
 	if (zp->z_phys->zp_acl.z_acl_extern_obj == 0) {
 		*aclpp = zfs_acl_node_read_internal(zp, will_modify);
+		zp->z_acl_cached = *aclpp;
 		return (0);
 	}
 	aclp = zfs_acl_alloc(zp->z_phys->zp_acl.z_acl_version);
 	if (zp->z_phys->zp_acl.z_acl_version == ZFS_ACL_VERSION_INITIAL) {
 		if (error == ECKSUM)
 			error = EIO;
 		return (error);
 	}
-	*aclpp = aclp;
+	zp->z_acl_cached = *aclpp = aclp;
 	return (0);
 }
 /*
 * common code for setting ACLs.
 	uint64_t	off = 0;
 	dmu_object_type_t otype;
 	zfs_acl_node_t	*aclnode;
 	dmu_buf_will_dirty(zp->z_dbuf, tx);
+	if (zp->z_acl_cached != aclp && zp->z_acl_cached) {
+		zfs_acl_free(zp->z_acl_cached);
+		zp->z_acl_cached = NULL;
+	}
 	zphys->zp_mode = zfs_mode_compute(zp, aclp);
 	/*
 	 * Decide which opbject type to use.  If we are forced to
 	*aclp = NULL;
 	error = zfs_acl_node_read(zp, aclp, B_TRUE);
 	if (error == 0) {
 		(*aclp)->z_hints = zp->z_phys->zp_flags & V4_ACL_WIDE_FLAGS;
 		zfs_acl_chmod(zp->z_zfsvfs, zp->z_phys->zp_uid, mode, *aclp);
+		zp->z_acl_cached = *aclp;
 	}
 	mutex_exit(&zp->z_acl_lock);
 	mutex_exit(&zp->z_lock);
 	return (error);
 }
 			mutex_enter(&dzp->z_acl_lock);
 			VERIFY(0 == zfs_acl_node_read(dzp, &paclp, B_FALSE));
 			mutex_exit(&dzp->z_acl_lock);
 			acl_ids->z_aclp = zfs_acl_inherit(zfsvfs,
 			    vap->va_type, paclp, acl_ids->z_mode, &need_chmod);
-			zfs_acl_free(paclp);
 		} else {
 			acl_ids->z_aclp =
 			    zfs_acl_alloc(zfs_acl_version_zp(dzp));
 		}
 		mutex_exit(&dzp->z_lock);
 			vsecp->vsa_aclflags |= ACL_AUTO_INHERIT;
 	}
 	mutex_exit(&zp->z_acl_lock);
-	zfs_acl_free(aclp);
 	return (0);
 }
 int
 zfs_vsec_2_aclp(zfsvfs_t *zfsvfs, vtype_t obj_type,
 	 */
 	if (!(vsecp->vsa_mask & VSA_ACE_ACLFLAGS)) {
 		aclp->z_hints |= (zp->z_phys->zp_flags & V4_ACL_WIDE_FLAGS);
 	}
 top:
-	if (error = zfs_zaccess(zp, ACE_WRITE_ACL, 0, skipaclchk, cr)) {
-		zfs_acl_free(aclp);
-		return (error);
-	}
 	mutex_enter(&zp->z_lock);
 	mutex_enter(&zp->z_acl_lock);
 	tx = dmu_tx_create(zfsvfs->z_os);
 	dmu_tx_hold_bonus(tx, zp->z_id);
 	zfs_time_stamper_locked(zp, STATE_CHANGED, tx);
 	zfs_log_acl(zilog, tx, zp, vsecp, fuidp);
 	if (fuidp)
 		zfs_fuid_info_free(fuidp);
-	zfs_acl_free(aclp);
+	zp->z_acl_cached = aclp;
 	dmu_tx_commit(tx);
 done:
 	mutex_exit(&zp->z_acl_lock);
 	mutex_exit(&zp->z_lock);
 				if (newid != IDMAP_WK_CREATOR_OWNER_UID &&
 				    uid == newid)
 					checkit = B_TRUE;
 				break;
 			} else {
-				zfs_acl_free(aclp);
 				mutex_exit(&zp->z_acl_lock);
 				return (EIO);
 			}
 		}
 		if (*working_mode == 0)
 			break;
 	}
 	mutex_exit(&zp->z_acl_lock);
-	zfs_acl_free(aclp);
 	/* Put the found 'denies' back on the working mode */
 	if (deny_mask) {
 		*working_mode |= deny_mask;
 		return (EACCES);
 	if (*working_mode != ACE_WRITE_DATA)
 		return (EACCES);
 	return (zfs_zaccess_common(zp, ACE_APPEND_DATA, working_mode,
 	    check_privs, B_FALSE, cr));
+}
+int
+zfs_fastaccesschk_execute(znode_t *zdp, cred_t *cr)
+{
+	boolean_t owner = B_FALSE;
+	boolean_t groupmbr = B_FALSE;
+	boolean_t is_attr;
+	uid_t fowner;
+	uid_t gowner;
+	uid_t uid = crgetuid(cr);
+	int error;
+	if (zdp->z_phys->zp_flags & ZFS_AV_QUARANTINED)
+		return (EACCES);
+	is_attr = ((zdp->z_phys->zp_flags & ZFS_XATTR) &&
+	    (ZTOV(zdp)->v_type == VDIR));
+	if (is_attr)
+		goto slow;
+	mutex_enter(&zdp->z_acl_lock);
+	if (zdp->z_phys->zp_flags & ZFS_NO_EXECS_DENIED) {
+		mutex_exit(&zdp->z_acl_lock);
+		return (0);
+	}
+	if (FUID_INDEX(zdp->z_phys->zp_uid) != 0 ||
+	    FUID_INDEX(zdp->z_phys->zp_gid) != 0) {
+		mutex_exit(&zdp->z_acl_lock);
+		goto slow;
+	}
+	fowner = (uid_t)zdp->z_phys->zp_uid;
+	gowner = (uid_t)zdp->z_phys->zp_gid;
+	if (uid == fowner) {
+		owner = B_TRUE;
+		if (zdp->z_phys->zp_mode & S_IXUSR) {
+			mutex_exit(&zdp->z_acl_lock);
+			return (0);
+		}
+	}
+	if (groupmember(gowner, cr)) {
+		groupmbr = B_TRUE;
+		if (zdp->z_phys->zp_mode & S_IXGRP) {
+			mutex_exit(&zdp->z_acl_lock);
+			return (0);
+		}
+	}
+	if (!owner && !groupmbr) {
+		if (zdp->z_phys->zp_mode & S_IXOTH) {
+			mutex_exit(&zdp->z_acl_lock);
+			return (0);
+		}
+	}
+	mutex_exit(&zdp->z_acl_lock);
+slow:
+	DTRACE_PROBE(zfs__fastpath__execute__access__miss);
+	ZFS_ENTER(zdp->z_zfsvfs);
+	error = zfs_zaccess(zdp, ACE_EXECUTE, 0, B_FALSE, cr);
+	ZFS_EXIT(zdp->z_zfsvfs);
+	return (error);
 }
 /*
 * Determine whether Access should be granted/denied, invoking least
 * priv subsytem when a deny is determined.

changeset 9981	b4907297e740
parent 9866	ddc5f1d8eb4e
child 10143	d2d432dfe597