42#include <sys/kernel.h>
43#include <sys/module.h>
/*
 * Excerpt of the POSIX.1e ACL access check; the diagnostic string further
 * down names it vaccess_acl_posix1e.  The listing's own line numbers skip,
 * so statements are missing between many of these lines (every `case`
 * label among them).  The comments describe only what is visible.
 */
60 struct acl *acl, accmode_t
accmode,
struct ucred *cred)
62 struct acl_entry *acl_other, *acl_mask;
/* Bits granted by ACL entries (built from ae_perm below). */
63 accmode_t dac_granted;
/* Bits added independently of the ACL; the guarding tests are not in this excerpt. */
64 accmode_t priv_granted;
/* Ceiling derived from the mask entry and ANDed into entries further down. */
65 accmode_t acl_mask_granted;
/*
 * Sanity assertion on the request: only VEXEC, VWRITE, VREAD, VADMIN and
 * VAPPEND may be set.  KASSERT is active only in INVARIANTS kernels, so
 * this states the caller contract rather than validating accmode at run
 * time in a production build.
 */
68 KASSERT((
accmode & ~(VEXEC | VWRITE | VREAD | VADMIN | VAPPEND)) == 0,
69 (
"invalid bit in accmode"));
/* Message of a second assertion; its condition is not in the excerpt. */
71 (
"VAPPEND without VWRITE"));
/*
 * Privilege-derived grants.  The test guarding each line is missing here;
 * NOTE(review): presumably priv_check_cred() results -- confirm.
 */
92 priv_granted |= VEXEC;
/* This VEXEC grant is additionally conditioned on some execute bit being set. */
100 (S_IXUSR | S_IXGRP | S_IXOTH)) != 0 &&
102 priv_granted |= VEXEC;
106 priv_granted |= VREAD;
/* Write privilege carries append with it. */
110 priv_granted |= (VWRITE | VAPPEND);
113 priv_granted |= VADMIN;
/*
 * First scan: remember the mask and other entries for later and evaluate
 * the entry that is compared against the file owner.
 */
121 acl_mask = acl_other = NULL;
122 for (i = 0; i < acl->acl_cnt; i++) {
123 switch (acl->acl_entry[i].ae_tag) {
/* Owner test; the statement taken on mismatch is not shown. */
125 if (file_uid != cred->cr_uid)
/*
 * Presumably reached only on an owner match: VADMIN is granted in addition
 * to whatever the entry's permission bits allow.  No intersection with the
 * mask appears in the visible lines of this arm.
 */
128 dac_granted |= VADMIN;
129 if (acl->acl_entry[i].ae_perm & ACL_EXECUTE)
130 dac_granted |= VEXEC;
131 if (acl->acl_entry[i].ae_perm & ACL_READ)
132 dac_granted |= VREAD;
/* ACL_WRITE grants both VWRITE and VAPPEND. */
133 if (acl->acl_entry[i].ae_perm & ACL_WRITE)
134 dac_granted |= (VWRITE | VAPPEND);
/*
 * Decision point: the requested bits are checked against the union of the
 * ACL and privilege grants.  The right-hand side and the outcome are not
 * in the excerpt.
 */
141 if ((
accmode & (dac_granted | priv_granted)) ==
148 acl_mask = &acl->acl_entry[i];
152 acl_other = &acl->acl_entry[i];
/*
 * An ACL with no "other" entry is reported on the console.  What is
 * returned on this path is outside the excerpt; NOTE(review): confirm it
 * denies access rather than continuing with a NULL acl_other.
 */
166 if (acl_other == NULL) {
170 printf(
"vaccess_acl_posix1e: ACL_OTHER missing\n");
/* Translate the mask entry, when one exists, into the accmode ceiling. */
181 if (acl_mask != NULL) {
182 acl_mask_granted = 0;
183 if (acl_mask->ae_perm & ACL_EXECUTE)
184 acl_mask_granted |= VEXEC;
185 if (acl_mask->ae_perm & ACL_READ)
186 acl_mask_granted |= VREAD;
187 if (acl_mask->ae_perm & ACL_WRITE)
188 acl_mask_granted |= (VWRITE | VAPPEND);
/* Presumably the else arm (no mask entry): nothing is filtered out. */
190 acl_mask_granted = VEXEC | VREAD | VWRITE | VAPPEND;
/*
 * Second scan: entries whose ae_id is compared with the caller's uid.  The
 * grant is intersected with the mask before it is tested.
 */
197 for (i = 0; i < acl->acl_cnt; i++) {
198 switch (acl->acl_entry[i].ae_tag) {
200 if (acl->acl_entry[i].ae_id != cred->cr_uid)
203 if (acl->acl_entry[i].ae_perm & ACL_EXECUTE)
204 dac_granted |= VEXEC;
205 if (acl->acl_entry[i].ae_perm & ACL_READ)
206 dac_granted |= VREAD;
207 if (acl->acl_entry[i].ae_perm & ACL_WRITE)
208 dac_granted |= (VWRITE | VAPPEND);
209 dac_granted &= acl_mask_granted;
215 if ((
accmode & (dac_granted | priv_granted)) !=
/*
 * Third scan, with two arms visible.  NOTE(review): presumably the owning
 * group and named-group entries -- the case labels and the membership
 * tests are missing.  Both arms apply the mask.
 */
231 for (i = 0; i < acl->acl_cnt; i++) {
232 switch (acl->acl_entry[i].ae_tag) {
237 if (acl->acl_entry[i].ae_perm & ACL_EXECUTE)
238 dac_granted |= VEXEC;
239 if (acl->acl_entry[i].ae_perm & ACL_READ)
240 dac_granted |= VREAD;
241 if (acl->acl_entry[i].ae_perm & ACL_WRITE)
242 dac_granted |= (VWRITE | VAPPEND);
243 dac_granted &= acl_mask_granted;
255 if (acl->acl_entry[i].ae_perm & ACL_EXECUTE)
256 dac_granted |= VEXEC;
257 if (acl->acl_entry[i].ae_perm & ACL_READ)
258 dac_granted |= VREAD;
259 if (acl->acl_entry[i].ae_perm & ACL_WRITE)
260 dac_granted |= (VWRITE | VAPPEND);
261 dac_granted &= acl_mask_granted;
/*
 * Taken when the previous scan set group_matched: the same two arms are
 * walked again, and here the comparison visibly includes priv_granted.
 */
274 if (group_matched == 1) {
279 for (i = 0; i < acl->acl_cnt; i++) {
280 switch (acl->acl_entry[i].ae_tag) {
285 if (acl->acl_entry[i].ae_perm & ACL_EXECUTE)
286 dac_granted |= VEXEC;
287 if (acl->acl_entry[i].ae_perm & ACL_READ)
288 dac_granted |= VREAD;
289 if (acl->acl_entry[i].ae_perm & ACL_WRITE)
290 dac_granted |= (VWRITE | VAPPEND);
291 dac_granted &= acl_mask_granted;
296 if ((
accmode & (dac_granted | priv_granted))
307 if (acl->acl_entry[i].ae_perm & ACL_EXECUTE)
308 dac_granted |= VEXEC;
309 if (acl->acl_entry[i].ae_perm & ACL_READ)
310 dac_granted |= VREAD;
311 if (acl->acl_entry[i].ae_perm & ACL_WRITE)
312 dac_granted |= (VWRITE | VAPPEND);
313 dac_granted &= acl_mask_granted;
318 if ((
accmode & (dac_granted | priv_granted))
/*
 * Fallback to the "other" entry saved by the first scan.  No intersection
 * with the mask appears in the visible lines.
 */
339 if (acl_other->ae_perm & ACL_EXECUTE)
340 dac_granted |= VEXEC;
341 if (acl_other->ae_perm & ACL_READ)
342 dac_granted |= VREAD;
343 if (acl_other->ae_perm & ACL_WRITE)
344 dac_granted |= (VWRITE | VAPPEND);
/* Denial: EPERM when VADMIN was among the requested bits, EACCES otherwise. */
356 return ((
accmode & VADMIN) ? EPERM : EACCES);
/*
 * Unrecognised tag: only this console message is visible.  What permission
 * value is returned on this path is outside the excerpt -- NOTE(review):
 * confirm it is the empty set, so a bad tag can never widen access.
 */
398 printf(
"acl_posix1e_mode_to_perm: invalid tag (%d)\n", tag);
/*
 * Excerpt of the mode-to-entry constructor (named by the message below).
 * The entry is a local struct filled field by field; the listing skips
 * lines, so the ae_perm assignment and the `case` labels are not shown.
 */
410 struct acl_entry acl_entry;
412 acl_entry.ae_tag = tag;
/* Type and flags are zeroed explicitly. */
414 acl_entry.ae_entry_type = 0;
415 acl_entry.ae_flags = 0;
/* The id comes from the uid or gid argument, or is left undefined. */
418 acl_entry.ae_id = uid;
422 acl_entry.ae_id = gid;
426 acl_entry.ae_id = ACL_UNDEFINED_ID;
/* Invalid tag: the id is set to undefined and the tag is logged, not rejected. */
430 acl_entry.ae_id = ACL_UNDEFINED_ID;
431 printf(
"acl_posix1e_mode_to_entry: invalid tag (%d)\n", tag);
/*
 * Excerpt: tests the execute/read/write bits of three entries in turn.
 * The statement guarded by each test is on a line the listing omits
 * (NOTE(review): presumably the matching mode bit is set -- confirm).
 * All three pointers are dereferenced with no NULL check in the visible
 * lines, so callers are expected to pass valid entries.
 */
442 struct acl_entry *acl_group_obj_entry,
struct acl_entry *acl_other_entry)
447 if (acl_user_obj_entry->ae_perm & ACL_EXECUTE)
449 if (acl_user_obj_entry->ae_perm & ACL_READ)
451 if (acl_user_obj_entry->ae_perm & ACL_WRITE)
453 if (acl_group_obj_entry->ae_perm & ACL_EXECUTE)
455 if (acl_group_obj_entry->ae_perm & ACL_READ)
457 if (acl_group_obj_entry->ae_perm & ACL_WRITE)
459 if (acl_other_entry->ae_perm & ACL_EXECUTE)
461 if (acl_other_entry->ae_perm & ACL_READ)
463 if (acl_other_entry->ae_perm & ACL_WRITE)
/*
 * Excerpt of the ACL-to-mode conversion (named by the panic strings).
 * One scan records a pointer to each entry kind; `case` labels and some
 * statements are on lines the listing omits.
 */
477 struct acl_entry *acl_mask, *acl_user_obj, *acl_group_obj, *acl_other;
483 acl_user_obj = acl_group_obj = acl_other = acl_mask = NULL;
484 for (i = 0; i < acl->acl_cnt; i++) {
485 switch (acl->acl_entry[i].ae_tag) {
487 acl_user_obj = &acl->acl_entry[i];
491 acl_group_obj = &acl->acl_entry[i];
495 acl_other = &acl->acl_entry[i];
499 acl_mask = &acl->acl_entry[i];
/*
 * An unexpected tag stops the kernel instead of returning an error, so
 * this routine is only safe on ACLs that were validated beforehand.
 * NOTE(review): confirm every caller validates first, in particular for
 * ACLs that originate from disk or from userland.
 */
507 panic(
"acl_posix1e_acl_to_mode: bad ae_tag");
/* The three base entries are mandatory; a missing one is also fatal. */
511 if (acl_user_obj == NULL || acl_group_obj == NULL || acl_other == NULL)
512 panic(
"acl_posix1e_acl_to_mode: missing base ae_tags");
/* A mask entry, when present, is handled separately; the guarded statement is not shown. */
519 if (acl_mask != NULL)
/*
 * Excerpt of an ACL structural validator.  NOTE(review): presumably
 * acl_posix1e_check, whose prototype appears in the page's symbol list.
 * It counts entries per kind and checks ids and permission bits.  `case`
 * labels, counter increments and return statements are on lines the
 * listing omits.
 */
535 int num_acl_user_obj, num_acl_user, num_acl_group_obj, num_acl_group;
536 int num_acl_mask, num_acl_other, i;
556 num_acl_user_obj = num_acl_user = num_acl_group_obj = num_acl_group =
557 num_acl_mask = num_acl_other = 0;
/*
 * The entry count is bounded before the loop indexes acl_entry[].
 * NOTE(review): acl_cnt's type is not visible here; if it is signed, also
 * confirm how a negative count is handled.
 */
558 if (acl->acl_cnt > ACL_MAX_ENTRIES)
560 for (i = 0; i < acl->acl_cnt; i++) {
564 switch(acl->acl_entry[i].ae_tag) {
/*
 * In the four arms that follow this pattern, ae_id is overwritten with
 * ACL_UNDEFINED_ID on the line directly before it is compared with that
 * same value.  As listed, the comparison can never be true, so an entry of
 * these kinds carrying a stray id is normalised in place, not rejected.
 * The validator therefore also writes to the ACL it is checking.
 */
566 acl->acl_entry[i].ae_id = ACL_UNDEFINED_ID;
567 if (acl->acl_entry[i].ae_id != ACL_UNDEFINED_ID)
572 acl->acl_entry[i].ae_id = ACL_UNDEFINED_ID;
573 if (acl->acl_entry[i].ae_id != ACL_UNDEFINED_ID)
/* These two arms test for an undefined id; the consequence is not shown (presumably rejection). */
578 if (acl->acl_entry[i].ae_id == ACL_UNDEFINED_ID)
583 if (acl->acl_entry[i].ae_id == ACL_UNDEFINED_ID)
588 acl->acl_entry[i].ae_id = ACL_UNDEFINED_ID;
589 if (acl->acl_entry[i].ae_id != ACL_UNDEFINED_ID)
594 acl->acl_entry[i].ae_id = ACL_UNDEFINED_ID;
595 if (acl->acl_entry[i].ae_id != ACL_UNDEFINED_ID)
/* ORing in ACL_PERM_BITS changes the value only if ae_perm has a bit outside that set. */
605 if ((acl->acl_entry[i].ae_perm | ACL_PERM_BITS) !=
/* Cardinality: exactly one user_obj, group_obj and other entry; at most one mask. */
609 if ((num_acl_user_obj != 1) || (num_acl_group_obj != 1) ||
610 (num_acl_other != 1) || (num_acl_mask != 0 && num_acl_mask != 1))
/* Extra condition when named user or group entries exist; its second half is not shown. */
612 if (((num_acl_group != 0) || (num_acl_user != 0)) &&
637 mode &= ACL_PRESERVE_MASK;
device_property_type_t type
int priv_check_cred(struct ucred *cred, int priv)
int groupmember(gid_t gid, struct ucred *cred)
void panic(const char *fmt,...)
int vaccess_acl_posix1e(enum vtype type, uid_t file_uid, gid_t file_gid, struct acl *acl, accmode_t accmode, struct ucred *cred)
int acl_posix1e_check(struct acl *acl)
MODULE_VERSION(acl_posix1e, 1)
mode_t acl_posix1e_newfilemode(mode_t cmode, struct acl *dacl)
mode_t acl_posix1e_perms_to_mode(struct acl_entry *acl_user_obj_entry, struct acl_entry *acl_group_obj_entry, struct acl_entry *acl_other_entry)
acl_perm_t acl_posix1e_mode_to_perm(acl_tag_t tag, mode_t mode)
static moduledata_t acl_posix1e_mod
DECLARE_MODULE(acl_posix1e, acl_posix1e_mod, SI_SUB_VFS, SI_ORDER_FIRST)
mode_t acl_posix1e_acl_to_mode(struct acl *acl)
static int acl_posix1e_modload(module_t mod, int what, void *arg)
struct acl_entry acl_posix1e_mode_to_entry(acl_tag_t tag, uid_t uid, gid_t gid, mode_t mode)
int printf(const char *fmt,...)