| Current Path : /usr/src/sys/ufs/ufs/ |
FreeBSD hs32.drive.ne.jp 9.1-RELEASE FreeBSD 9.1-RELEASE #1: Wed Jan 14 12:18:08 JST 2015 root@hs32.drive.ne.jp:/sys/amd64/compile/hs32 amd64 |
| Current File : //usr/src/sys/ufs/ufs/ufs_acl.c |
/*-
* Copyright (c) 1999-2003 Robert N. M. Watson
* All rights reserved.
*
* This software was developed by Robert Watson for the TrustedBSD Project.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*/
/*
* Support for POSIX.1e access control lists: UFS-specific support functions.
*/
#include <sys/cdefs.h>
__FBSDID("$FreeBSD: release/9.1.0/sys/ufs/ufs/ufs_acl.c 231951 2012-02-21 01:27:23Z kib $");
#include "opt_ufs.h"
#include "opt_quota.h"
#include <sys/param.h>
#include <sys/systm.h>
#include <sys/stat.h>
#include <sys/mount.h>
#include <sys/vnode.h>
#include <sys/types.h>
#include <sys/acl.h>
#include <sys/event.h>
#include <sys/extattr.h>
#include <ufs/ufs/quota.h>
#include <ufs/ufs/inode.h>
#include <ufs/ufs/acl.h>
#include <ufs/ufs/extattr.h>
#include <ufs/ufs/dir.h>
#include <ufs/ufs/ufsmount.h>
#include <ufs/ufs/ufs_extern.h>
#include <ufs/ffs/fs.h>
#ifdef UFS_ACL
FEATURE(ufs_acl, "ACL support for UFS");
/*
* Synchronize an ACL and an inode by copying over appropriate inode fields
* to the passed ACL. Assumes an ACL that would satisfy acl_posix1e_check(),
* and may panic if not.
*/
void
ufs_sync_acl_from_inode(struct inode *ip, struct acl *acl)
{
struct acl_entry *acl_mask, *acl_group_obj;
int i;
/*
* Update ACL_USER_OBJ, ACL_OTHER, but simply identify ACL_MASK
* and ACL_GROUP_OBJ for use after we know whether ACL_MASK is
* present.
*/
acl_mask = NULL;
acl_group_obj = NULL;
for (i = 0; i < acl->acl_cnt; i++) {
switch (acl->acl_entry[i].ae_tag) {
case ACL_USER_OBJ:
acl->acl_entry[i].ae_perm = acl_posix1e_mode_to_perm(
ACL_USER_OBJ, ip->i_mode);
acl->acl_entry[i].ae_id = ACL_UNDEFINED_ID;
break;
case ACL_GROUP_OBJ:
acl_group_obj = &acl->acl_entry[i];
acl->acl_entry[i].ae_id = ACL_UNDEFINED_ID;
break;
case ACL_OTHER:
acl->acl_entry[i].ae_perm = acl_posix1e_mode_to_perm(
ACL_OTHER, ip->i_mode);
acl->acl_entry[i].ae_id = ACL_UNDEFINED_ID;
break;
case ACL_MASK:
acl_mask = &acl->acl_entry[i];
acl->acl_entry[i].ae_id = ACL_UNDEFINED_ID;
break;
case ACL_USER:
case ACL_GROUP:
break;
default:
panic("ufs_sync_acl_from_inode(): bad ae_tag");
}
}
if (acl_group_obj == NULL)
panic("ufs_sync_acl_from_inode(): no ACL_GROUP_OBJ");
if (acl_mask == NULL) {
/*
* There is no ACL_MASK, so update ACL_GROUP_OBJ.
*/
acl_group_obj->ae_perm = acl_posix1e_mode_to_perm(
ACL_GROUP_OBJ, ip->i_mode);
} else {
/*
* Update the ACL_MASK entry instead of ACL_GROUP_OBJ.
*/
acl_mask->ae_perm = acl_posix1e_mode_to_perm(ACL_GROUP_OBJ,
ip->i_mode);
}
}
/*
* Calculate what the inode mode should look like based on an authoritative
* ACL for the inode. Replace only the fields in the inode that the ACL
* can represent.
*/
void
ufs_sync_inode_from_acl(struct acl *acl, struct inode *ip)
{
ip->i_mode &= ACL_PRESERVE_MASK;
ip->i_mode |= acl_posix1e_acl_to_mode(acl);
DIP_SET(ip, i_mode, ip->i_mode);
}
/*
* Retrieve NFSv4 ACL, skipping access checks. Must be used in UFS code
* instead of VOP_GETACL() when we don't want to be restricted by the user
* not having ACL_READ_ACL permission, e.g. when calculating inherited ACL
* or in ufs_vnops.c:ufs_accessx().
*/
int
ufs_getacl_nfs4_internal(struct vnode *vp, struct acl *aclp, struct thread *td)
{
int error, len;
struct inode *ip = VTOI(vp);
len = sizeof(*aclp);
bzero(aclp, len);
error = vn_extattr_get(vp, IO_NODELOCKED,
NFS4_ACL_EXTATTR_NAMESPACE, NFS4_ACL_EXTATTR_NAME,
&len, (char *) aclp, td);
aclp->acl_maxcnt = ACL_MAX_ENTRIES;
if (error == ENOATTR) {
/*
* Legitimately no ACL set on object, purely
* emulate it through the inode.
*/
acl_nfs4_sync_acl_from_mode(aclp, ip->i_mode, ip->i_uid);
return (0);
}
if (error)
return (error);
if (len != sizeof(*aclp)) {
/*
* A short (or long) read, meaning that for
* some reason the ACL is corrupted. Return
* EPERM since the object DAC protections
* are unsafe.
*/
printf("ufs_getacl_nfs4(): Loaded invalid ACL ("
"%d bytes), inumber %d on %s\n", len,
ip->i_number, ip->i_fs->fs_fsmnt);
return (EPERM);
}
error = acl_nfs4_check(aclp, vp->v_type == VDIR);
if (error) {
printf("ufs_getacl_nfs4(): Loaded invalid ACL "
"(failed acl_nfs4_check), inumber %d on %s\n",
ip->i_number, ip->i_fs->fs_fsmnt);
return (EPERM);
}
return (0);
}
static int
ufs_getacl_nfs4(struct vop_getacl_args *ap)
{
int error;
if ((ap->a_vp->v_mount->mnt_flag & MNT_NFS4ACLS) == 0)
return (EINVAL);
error = VOP_ACCESSX(ap->a_vp, VREAD_ACL, ap->a_td->td_ucred, ap->a_td);
if (error)
return (error);
error = ufs_getacl_nfs4_internal(ap->a_vp, ap->a_aclp, ap->a_td);
return (error);
}
/*
* Read POSIX.1e ACL from an EA. Return error if its not found
* or if any other error has occured.
*/
static int
ufs_get_oldacl(acl_type_t type, struct oldacl *old, struct vnode *vp,
struct thread *td)
{
int error, len;
struct inode *ip = VTOI(vp);
len = sizeof(*old);
switch (type) {
case ACL_TYPE_ACCESS:
error = vn_extattr_get(vp, IO_NODELOCKED,
POSIX1E_ACL_ACCESS_EXTATTR_NAMESPACE,
POSIX1E_ACL_ACCESS_EXTATTR_NAME, &len, (char *) old,
td);
break;
case ACL_TYPE_DEFAULT:
if (vp->v_type != VDIR)
return (EINVAL);
error = vn_extattr_get(vp, IO_NODELOCKED,
POSIX1E_ACL_DEFAULT_EXTATTR_NAMESPACE,
POSIX1E_ACL_DEFAULT_EXTATTR_NAME, &len, (char *) old,
td);
break;
default:
return (EINVAL);
}
if (error != 0)
return (error);
if (len != sizeof(*old)) {
/*
* A short (or long) read, meaning that for some reason
* the ACL is corrupted. Return EPERM since the object
* DAC protections are unsafe.
*/
printf("ufs_get_oldacl(): Loaded invalid ACL "
"(len = %d), inumber %d on %s\n", len,
ip->i_number, ip->i_fs->fs_fsmnt);
return (EPERM);
}
return (0);
}
/*
* Retrieve the ACL on a file.
*
* As part of the ACL is stored in the inode, and the rest in an EA,
* assemble both into a final ACL product. Right now this is not done
* very efficiently.
*/
static int
ufs_getacl_posix1e(struct vop_getacl_args *ap)
{
struct inode *ip = VTOI(ap->a_vp);
int error;
struct oldacl *old;
/*
* XXX: If ufs_getacl() should work on file systems not supporting
* ACLs, remove this check.
*/
if ((ap->a_vp->v_mount->mnt_flag & MNT_ACLS) == 0)
return (EINVAL);
old = malloc(sizeof(*old), M_ACL, M_WAITOK | M_ZERO);
/*
* Attempt to retrieve the ACL from the extended attributes.
*/
error = ufs_get_oldacl(ap->a_type, old, ap->a_vp, ap->a_td);
switch (error) {
/*
* XXX: If ufs_getacl() should work on filesystems
* without the EA configured, add case EOPNOTSUPP here.
*/
case ENOATTR:
switch (ap->a_type) {
case ACL_TYPE_ACCESS:
/*
* Legitimately no ACL set on object, purely
* emulate it through the inode. These fields will
* be updated when the ACL is synchronized with
* the inode later.
*/
old->acl_cnt = 3;
old->acl_entry[0].ae_tag = ACL_USER_OBJ;
old->acl_entry[0].ae_id = ACL_UNDEFINED_ID;
old->acl_entry[0].ae_perm = ACL_PERM_NONE;
old->acl_entry[1].ae_tag = ACL_GROUP_OBJ;
old->acl_entry[1].ae_id = ACL_UNDEFINED_ID;
old->acl_entry[1].ae_perm = ACL_PERM_NONE;
old->acl_entry[2].ae_tag = ACL_OTHER;
old->acl_entry[2].ae_id = ACL_UNDEFINED_ID;
old->acl_entry[2].ae_perm = ACL_PERM_NONE;
break;
case ACL_TYPE_DEFAULT:
/*
* Unlike ACL_TYPE_ACCESS, there is no relationship
* between the inode contents and the ACL, and it is
* therefore possible for the request for the ACL
* to fail since the ACL is undefined. In this
* situation, return success and an empty ACL,
* as required by POSIX.1e.
*/
old->acl_cnt = 0;
break;
}
/* FALLTHROUGH */
case 0:
error = acl_copy_oldacl_into_acl(old, ap->a_aclp);
if (error != 0)
break;
if (ap->a_type == ACL_TYPE_ACCESS)
ufs_sync_acl_from_inode(ip, ap->a_aclp);
default:
break;
}
free(old, M_ACL);
return (error);
}
int
ufs_getacl(ap)
struct vop_getacl_args /* {
struct vnode *vp;
acl_type_t type;
struct acl *aclp;
struct ucred *cred;
struct thread *td;
} */ *ap;
{
if ((ap->a_vp->v_mount->mnt_flag & (MNT_ACLS | MNT_NFS4ACLS)) == 0)
return (EOPNOTSUPP);
if (ap->a_type == ACL_TYPE_NFS4)
return (ufs_getacl_nfs4(ap));
return (ufs_getacl_posix1e(ap));
}
/*
* Set NFSv4 ACL without doing any access checking. This is required
* e.g. by the UFS code that implements ACL inheritance, or from
* ufs_vnops.c:ufs_chmod(), as some of the checks have to be skipped
* in that case, and others are redundant.
*/
int
ufs_setacl_nfs4_internal(struct vnode *vp, struct acl *aclp, struct thread *td)
{
int error;
mode_t mode;
struct inode *ip = VTOI(vp);
KASSERT(acl_nfs4_check(aclp, vp->v_type == VDIR) == 0,
("invalid ACL passed to ufs_setacl_nfs4_internal"));
if (acl_nfs4_is_trivial(aclp, ip->i_uid)) {
error = vn_extattr_rm(vp, IO_NODELOCKED,
NFS4_ACL_EXTATTR_NAMESPACE, NFS4_ACL_EXTATTR_NAME, td);
/*
* An attempt to remove ACL from a file that didn't have
* any extended entries is not an error.
*/
if (error == ENOATTR)
error = 0;
} else {
error = vn_extattr_set(vp, IO_NODELOCKED,
NFS4_ACL_EXTATTR_NAMESPACE, NFS4_ACL_EXTATTR_NAME,
sizeof(*aclp), (char *) aclp, td);
}
/*
* Map lack of attribute definition in UFS_EXTATTR into lack of
* support for ACLs on the filesystem.
*/
if (error == ENOATTR)
return (EOPNOTSUPP);
if (error)
return (error);
mode = ip->i_mode;
acl_nfs4_sync_mode_from_acl(&mode, aclp);
ip->i_mode &= ACL_PRESERVE_MASK;
ip->i_mode |= mode;
DIP_SET(ip, i_mode, ip->i_mode);
ip->i_flag |= IN_CHANGE;
VN_KNOTE_UNLOCKED(vp, NOTE_ATTRIB);
error = UFS_UPDATE(vp, 0);
return (error);
}
static int
ufs_setacl_nfs4(struct vop_setacl_args *ap)
{
int error;
struct inode *ip = VTOI(ap->a_vp);
if ((ap->a_vp->v_mount->mnt_flag & MNT_NFS4ACLS) == 0)
return (EINVAL);
if (ap->a_vp->v_mount->mnt_flag & MNT_RDONLY)
return (EROFS);
if (ap->a_aclp == NULL)
return (EINVAL);
error = VOP_ACLCHECK(ap->a_vp, ap->a_type, ap->a_aclp, ap->a_cred,
ap->a_td);
if (error)
return (error);
/*
* Authorize the ACL operation.
*/
if (ip->i_flags & (IMMUTABLE | APPEND))
return (EPERM);
/*
* Must hold VWRITE_ACL or have appropriate privilege.
*/
if ((error = VOP_ACCESSX(ap->a_vp, VWRITE_ACL, ap->a_cred, ap->a_td)))
return (error);
/*
* With NFSv4 ACLs, chmod(2) may need to add additional entries.
* Make sure it has enough room for that - splitting every entry
* into two and appending "canonical six" entries at the end.
*/
if (ap->a_aclp->acl_cnt > (ACL_MAX_ENTRIES - 6) / 2)
return (ENOSPC);
error = ufs_setacl_nfs4_internal(ap->a_vp, ap->a_aclp, ap->a_td);
return (error);
}
/*
* Set the ACL on a file.
*
* As part of the ACL is stored in the inode, and the rest in an EA,
* this is necessarily non-atomic, and has complex authorization.
* As ufs_setacl() includes elements of ufs_chown() and ufs_chmod(),
* a fair number of different access checks may be required to go ahead
* with the operation at all.
*/
static int
ufs_setacl_posix1e(struct vop_setacl_args *ap)
{
struct inode *ip = VTOI(ap->a_vp);
int error;
struct oldacl *old;
if ((ap->a_vp->v_mount->mnt_flag & MNT_ACLS) == 0)
return (EINVAL);
/*
* If this is a set operation rather than a delete operation,
* invoke VOP_ACLCHECK() on the passed ACL to determine if it is
* valid for the target. This will include a check on ap->a_type.
*/
if (ap->a_aclp != NULL) {
/*
* Set operation.
*/
error = VOP_ACLCHECK(ap->a_vp, ap->a_type, ap->a_aclp,
ap->a_cred, ap->a_td);
if (error != 0)
return (error);
} else {
/*
* Delete operation.
* POSIX.1e allows only deletion of the default ACL on a
* directory (ACL_TYPE_DEFAULT).
*/
if (ap->a_type != ACL_TYPE_DEFAULT)
return (EINVAL);
if (ap->a_vp->v_type != VDIR)
return (ENOTDIR);
}
if (ap->a_vp->v_mount->mnt_flag & MNT_RDONLY)
return (EROFS);
/*
* Authorize the ACL operation.
*/
if (ip->i_flags & (IMMUTABLE | APPEND))
return (EPERM);
/*
* Must hold VADMIN (be file owner) or have appropriate privilege.
*/
if ((error = VOP_ACCESS(ap->a_vp, VADMIN, ap->a_cred, ap->a_td)))
return (error);
switch(ap->a_type) {
case ACL_TYPE_ACCESS:
old = malloc(sizeof(*old), M_ACL, M_WAITOK | M_ZERO);
error = acl_copy_acl_into_oldacl(ap->a_aclp, old);
if (error == 0) {
error = vn_extattr_set(ap->a_vp, IO_NODELOCKED,
POSIX1E_ACL_ACCESS_EXTATTR_NAMESPACE,
POSIX1E_ACL_ACCESS_EXTATTR_NAME, sizeof(*old),
(char *) old, ap->a_td);
}
free(old, M_ACL);
break;
case ACL_TYPE_DEFAULT:
if (ap->a_aclp == NULL) {
error = vn_extattr_rm(ap->a_vp, IO_NODELOCKED,
POSIX1E_ACL_DEFAULT_EXTATTR_NAMESPACE,
POSIX1E_ACL_DEFAULT_EXTATTR_NAME, ap->a_td);
/*
* Attempting to delete a non-present default ACL
* will return success for portability purposes.
* (TRIX)
*
* XXX: Note that since we can't distinguish
* "that EA is not supported" from "that EA is not
* defined", the success case here overlaps the
* the ENOATTR->EOPNOTSUPP case below.
*/
if (error == ENOATTR)
error = 0;
} else {
old = malloc(sizeof(*old), M_ACL, M_WAITOK | M_ZERO);
error = acl_copy_acl_into_oldacl(ap->a_aclp, old);
if (error == 0) {
error = vn_extattr_set(ap->a_vp, IO_NODELOCKED,
POSIX1E_ACL_DEFAULT_EXTATTR_NAMESPACE,
POSIX1E_ACL_DEFAULT_EXTATTR_NAME,
sizeof(*old), (char *) old, ap->a_td);
}
free(old, M_ACL);
}
break;
default:
error = EINVAL;
}
/*
* Map lack of attribute definition in UFS_EXTATTR into lack of
* support for ACLs on the filesystem.
*/
if (error == ENOATTR)
return (EOPNOTSUPP);
if (error != 0)
return (error);
if (ap->a_type == ACL_TYPE_ACCESS) {
/*
* Now that the EA is successfully updated, update the
* inode and mark it as changed.
*/
ufs_sync_inode_from_acl(ap->a_aclp, ip);
ip->i_flag |= IN_CHANGE;
error = UFS_UPDATE(ap->a_vp, 0);
}
VN_KNOTE_UNLOCKED(ap->a_vp, NOTE_ATTRIB);
return (error);
}
int
ufs_setacl(ap)
struct vop_setacl_args /* {
struct vnode *vp;
acl_type_t type;
struct acl *aclp;
struct ucred *cred;
struct thread *td;
} */ *ap;
{
if ((ap->a_vp->v_mount->mnt_flag & (MNT_ACLS | MNT_NFS4ACLS)) == 0)
return (EOPNOTSUPP);
if (ap->a_type == ACL_TYPE_NFS4)
return (ufs_setacl_nfs4(ap));
return (ufs_setacl_posix1e(ap));
}
static int
ufs_aclcheck_nfs4(struct vop_aclcheck_args *ap)
{
int is_directory = 0;
if ((ap->a_vp->v_mount->mnt_flag & MNT_NFS4ACLS) == 0)
return (EINVAL);
/*
* With NFSv4 ACLs, chmod(2) may need to add additional entries.
* Make sure it has enough room for that - splitting every entry
* into two and appending "canonical six" entries at the end.
*/
if (ap->a_aclp->acl_cnt > (ACL_MAX_ENTRIES - 6) / 2)
return (ENOSPC);
if (ap->a_vp->v_type == VDIR)
is_directory = 1;
return (acl_nfs4_check(ap->a_aclp, is_directory));
}
static int
ufs_aclcheck_posix1e(struct vop_aclcheck_args *ap)
{
if ((ap->a_vp->v_mount->mnt_flag & MNT_ACLS) == 0)
return (EINVAL);
/*
* Verify we understand this type of ACL, and that it applies
* to this kind of object.
* Rely on the acl_posix1e_check() routine to verify the contents.
*/
switch(ap->a_type) {
case ACL_TYPE_ACCESS:
break;
case ACL_TYPE_DEFAULT:
if (ap->a_vp->v_type != VDIR)
return (EINVAL);
break;
default:
return (EINVAL);
}
if (ap->a_aclp->acl_cnt > OLDACL_MAX_ENTRIES)
return (EINVAL);
return (acl_posix1e_check(ap->a_aclp));
}
/*
* Check the validity of an ACL for a file.
*/
int
ufs_aclcheck(ap)
struct vop_aclcheck_args /* {
struct vnode *vp;
acl_type_t type;
struct acl *aclp;
struct ucred *cred;
struct thread *td;
} */ *ap;
{
if ((ap->a_vp->v_mount->mnt_flag & (MNT_ACLS | MNT_NFS4ACLS)) == 0)
return (EOPNOTSUPP);
if (ap->a_type == ACL_TYPE_NFS4)
return (ufs_aclcheck_nfs4(ap));
return (ufs_aclcheck_posix1e(ap));
}
#endif /* !UFS_ACL */