39#include <sys/kernel.h>
40#include <sys/module.h>
47#include <sys/sysctl.h>
54#define KASSERT(a, b) assert(a)
72 {VWRITE, ACL_WRITE_DATA},
73 {VAPPEND, ACL_APPEND_DATA},
75 {VREAD_NAMED_ATTRS, ACL_READ_NAMED_ATTRS},
76 {VWRITE_NAMED_ATTRS, ACL_WRITE_NAMED_ATTRS},
77 {VDELETE_CHILD, ACL_DELETE_CHILD},
78 {VREAD_ATTRIBUTES, ACL_READ_ATTRIBUTES},
79 {VWRITE_ATTRIBUTES, ACL_WRITE_ATTRIBUTES},
80 {VDELETE, ACL_DELETE},
81 {VREAD_ACL, ACL_READ_ACL},
82 {VWRITE_ACL, ACL_WRITE_ACL},
83 {VWRITE_OWNER, ACL_WRITE_OWNER},
84 {VSYNCHRONIZE, ACL_SYNCHRONIZE},
90 int access_mask = 0, i;
101 if (access_mask & ACL_APPEND_DATA)
102 access_mask &= ~ACL_WRITE_DATA;
104 return (access_mask);
111_acl_denies(
const struct acl *aclp,
int access_mask,
struct ucred *cred,
112 int file_uid,
int file_gid,
int *denied_explicitly)
115 const struct acl_entry *entry;
117 if (denied_explicitly != NULL)
118 *denied_explicitly = 0;
120 KASSERT(aclp->acl_cnt <= ACL_MAX_ENTRIES,
121 (
"aclp->acl_cnt <= ACL_MAX_ENTRIES"));
123 for (i = 0; i < aclp->acl_cnt; i++) {
124 entry = &(aclp->acl_entry[i]);
126 if (entry->ae_entry_type != ACL_ENTRY_TYPE_ALLOW &&
127 entry->ae_entry_type != ACL_ENTRY_TYPE_DENY)
129 if (entry->ae_flags & ACL_ENTRY_INHERIT_ONLY)
131 switch (entry->ae_tag) {
133 if (file_uid != cred->cr_uid)
137 if (entry->ae_id != cred->cr_uid)
149 KASSERT(entry->ae_tag == ACL_EVERYONE,
150 (
"entry->ae_tag == ACL_EVERYONE"));
153 if (entry->ae_entry_type == ACL_ENTRY_TYPE_DENY) {
154 if (entry->ae_perm & access_mask) {
155 if (denied_explicitly != NULL)
156 *denied_explicitly = 1;
161 access_mask &= ~(entry->ae_perm);
162 if (access_mask == 0)
166 if (access_mask == 0)
174 struct acl *aclp, accmode_t
accmode,
struct ucred *cred)
176 accmode_t priv_granted = 0;
177 int denied, explicitly_denied, access_mask, is_directory,
179 mode_t file_mode = 0;
181 KASSERT((
accmode & ~(VEXEC | VWRITE | VREAD | VADMIN | VAPPEND |
182 VEXPLICIT_DENY | VREAD_NAMED_ATTRS | VWRITE_NAMED_ATTRS |
183 VDELETE_CHILD | VREAD_ATTRIBUTES | VWRITE_ATTRIBUTES | VDELETE |
184 VREAD_ACL | VWRITE_ACL | VWRITE_OWNER | VSYNCHRONIZE)) == 0,
185 (
"invalid bit in accmode"));
187 (
"VAPPEND without VWRITE"));
210 if (file_uid == cred->cr_uid)
211 access_mask &= ~(ACL_READ_ACL | ACL_WRITE_ACL |
212 ACL_READ_ATTRIBUTES | ACL_WRITE_ATTRIBUTES);
218 if (!is_directory && (access_mask & ACL_APPEND_DATA)) {
219 access_mask &= ~ACL_APPEND_DATA;
220 access_mask |= ACL_WRITE_DATA;
223 denied =
_acl_denies(aclp, access_mask, cred, file_uid, file_gid,
227 if (file_uid != cred->cr_uid)
238 if (!denied && !is_directory && (
accmode & VEXEC) &&
239 (file_mode & (S_IXUSR | S_IXGRP | S_IXOTH)) == 0)
249 if ((
accmode & VEXPLICIT_DENY) && explicitly_denied == 0)
259 priv_granted |= VEXEC;
266 if ((
accmode & VEXEC) && (file_mode &
267 (S_IXUSR | S_IXGRP | S_IXOTH)) != 0 &&
269 priv_granted |= VEXEC;
273 priv_granted |= VREAD;
275 if ((
accmode & (VWRITE | VAPPEND | VDELETE_CHILD)) &&
277 priv_granted |= (VWRITE | VAPPEND | VDELETE_CHILD);
279 if ((
accmode & VADMIN_PERMS) &&
281 priv_granted |= VADMIN_PERMS;
285 priv_granted |= VSTAT_PERMS;
291 if (
accmode & (VADMIN_PERMS | VDELETE_CHILD | VDELETE))
302 acl_entry_type_t entry_type)
304 if (entry->ae_tag != tag)
307 if (entry->ae_id != ACL_UNDEFINED_ID)
310 if (entry->ae_perm != perm)
313 if (entry->ae_entry_type != entry_type)
316 if (entry->ae_flags != 0)
322static struct acl_entry *
324 acl_entry_type_t entry_type)
326 struct acl_entry *entry;
328 KASSERT(aclp->acl_cnt + 1 <= ACL_MAX_ENTRIES,
329 (
"aclp->acl_cnt + 1 <= ACL_MAX_ENTRIES"));
331 entry = &(aclp->acl_entry[aclp->acl_cnt]);
335 entry->ae_id = ACL_UNDEFINED_ID;
336 entry->ae_perm = perm;
337 entry->ae_entry_type = entry_type;
343static struct acl_entry *
348 KASSERT(aclp->acl_cnt + 1 <= ACL_MAX_ENTRIES,
349 (
"aclp->acl_cnt + 1 <= ACL_MAX_ENTRIES"));
351 for (i = aclp->acl_cnt; i > entry_index; i--)
352 aclp->acl_entry[i] = aclp->acl_entry[i - 1];
356 return (&(aclp->acl_entry[entry_index + 1]));
363 int meets, must_append;
365 struct acl_entry *entry, *copy, *previous,
366 *a1, *a2, *a3, *a4, *a5, *a6;
369 const int WRITE = 02;
372 KASSERT(aclp->acl_cnt <= ACL_MAX_ENTRIES,
373 (
"aclp->acl_cnt <= ACL_MAX_ENTRIES"));
384 for (i = 0; i < aclp->acl_cnt; i++) {
385 entry = &(aclp->acl_entry[i]);
390 if (entry->ae_entry_type != ACL_ENTRY_TYPE_ALLOW &&
391 entry->ae_entry_type != ACL_ENTRY_TYPE_DENY)
397 if (entry->ae_flags & ACL_ENTRY_INHERIT_ONLY)
404 if (entry->ae_flags &
405 (ACL_ENTRY_FILE_INHERIT | ACL_ENTRY_DIRECTORY_INHERIT)) {
417 entry->ae_flags |= ACL_ENTRY_INHERIT_ONLY;
426 copy->ae_flags &= ~(ACL_ENTRY_FILE_INHERIT |
427 ACL_ENTRY_DIRECTORY_INHERIT |
428 ACL_ENTRY_NO_PROPAGATE_INHERIT);
442 if (entry->ae_tag == ACL_USER_OBJ ||
443 entry->ae_tag == ACL_GROUP_OBJ ||
444 entry->ae_tag == ACL_EVERYONE) {
445 entry->ae_perm &= ~(ACL_READ_DATA | ACL_WRITE_DATA |
446 ACL_APPEND_DATA | ACL_EXECUTE);
457 if (entry->ae_entry_type != ACL_ENTRY_TYPE_ALLOW)
463 previous = &(aclp->acl_entry[i - 1]);
468 if (previous->ae_entry_type != ACL_ENTRY_TYPE_DENY)
479 if (previous->ae_id != entry->ae_id ||
480 previous->ae_tag != entry->ae_tag)
483 if (previous->ae_flags)
492 if (previous->ae_perm & ~(entry->ae_perm))
495 if (previous->ae_perm & ~(ACL_READ_DATA |
496 ACL_WRITE_DATA | ACL_APPEND_DATA | ACL_EXECUTE))
513 previous->ae_tag = entry->ae_tag;
514 previous->ae_id = entry->ae_id;
515 previous->ae_flags = entry->ae_flags;
516 previous->ae_perm = 0;
517 previous->ae_entry_type = ACL_ENTRY_TYPE_DENY;
538 if (entry->ae_tag == ACL_USER && entry->ae_id == file_owner_id)
541 if (entry->ae_perm & ACL_READ_DATA) {
543 previous->ae_perm &= ~ACL_READ_DATA;
545 previous->ae_perm |= ACL_READ_DATA;
548 if (entry->ae_perm & ACL_WRITE_DATA) {
550 previous->ae_perm &= ~ACL_WRITE_DATA;
552 previous->ae_perm |= ACL_WRITE_DATA;
555 if (entry->ae_perm & ACL_APPEND_DATA) {
557 previous->ae_perm &= ~ACL_APPEND_DATA;
559 previous->ae_perm |= ACL_APPEND_DATA;
562 if (entry->ae_perm & ACL_EXECUTE) {
564 previous->ae_perm &= ~ACL_EXECUTE;
566 previous->ae_perm |= ACL_EXECUTE;
575 if (entry->ae_tag == ACL_GROUP &&
576 entry->ae_entry_type == ACL_ENTRY_TYPE_ALLOW) {
577 mode_t extramode, ownermode;
578 extramode = (
mode >> 3) & 07;
579 ownermode =
mode >> 6;
580 extramode &= ~ownermode;
583 if (extramode & READ) {
584 entry->ae_perm &= ~ACL_READ_DATA;
585 previous->ae_perm &= ~ACL_READ_DATA;
588 if (extramode & WRITE) {
590 ~(ACL_WRITE_DATA | ACL_APPEND_DATA);
592 ~(ACL_WRITE_DATA | ACL_APPEND_DATA);
595 if (extramode & EXEC) {
596 entry->ae_perm &= ~ACL_EXECUTE;
597 previous->ae_perm &= ~ACL_EXECUTE;
608 if (aclp->acl_cnt < 6) {
611 a6 = &(aclp->acl_entry[aclp->acl_cnt - 1]);
612 a5 = &(aclp->acl_entry[aclp->acl_cnt - 2]);
613 a4 = &(aclp->acl_entry[aclp->acl_cnt - 3]);
614 a3 = &(aclp->acl_entry[aclp->acl_cnt - 4]);
615 a2 = &(aclp->acl_entry[aclp->acl_cnt - 5]);
616 a1 = &(aclp->acl_entry[aclp->acl_cnt - 6]);
619 ACL_ENTRY_TYPE_DENY))
622 ACL_WRITE_OWNER | ACL_WRITE_ATTRIBUTES |
623 ACL_WRITE_NAMED_ATTRS, ACL_ENTRY_TYPE_ALLOW))
626 ACL_ENTRY_TYPE_DENY))
629 ACL_ENTRY_TYPE_ALLOW))
632 ACL_WRITE_OWNER | ACL_WRITE_ATTRIBUTES |
633 ACL_WRITE_NAMED_ATTRS, ACL_ENTRY_TYPE_DENY))
636 ACL_READ_ATTRIBUTES | ACL_READ_NAMED_ATTRS |
637 ACL_SYNCHRONIZE, ACL_ENTRY_TYPE_ALLOW))
642 KASSERT(aclp->acl_cnt + 6 <= ACL_MAX_ENTRIES,
643 (
"aclp->acl_cnt <= ACL_MAX_ENTRIES"));
645 a1 =
_acl_append(aclp, ACL_USER_OBJ, 0, ACL_ENTRY_TYPE_DENY);
646 a2 =
_acl_append(aclp, ACL_USER_OBJ, ACL_WRITE_ACL |
647 ACL_WRITE_OWNER | ACL_WRITE_ATTRIBUTES |
648 ACL_WRITE_NAMED_ATTRS, ACL_ENTRY_TYPE_ALLOW);
649 a3 =
_acl_append(aclp, ACL_GROUP_OBJ, 0, ACL_ENTRY_TYPE_DENY);
650 a4 =
_acl_append(aclp, ACL_GROUP_OBJ, 0, ACL_ENTRY_TYPE_ALLOW);
651 a5 =
_acl_append(aclp, ACL_EVERYONE, ACL_WRITE_ACL |
652 ACL_WRITE_OWNER | ACL_WRITE_ATTRIBUTES |
653 ACL_WRITE_NAMED_ATTRS, ACL_ENTRY_TYPE_DENY);
654 a6 =
_acl_append(aclp, ACL_EVERYONE, ACL_READ_ACL |
655 ACL_READ_ATTRIBUTES | ACL_READ_NAMED_ATTRS |
656 ACL_SYNCHRONIZE, ACL_ENTRY_TYPE_ALLOW);
658 KASSERT(a1 != NULL && a2 != NULL && a3 != NULL && a4 != NULL &&
659 a5 != NULL && a6 != NULL, (
"couldn't append to ACL."));
666 a2->ae_perm |= ACL_READ_DATA;
668 a1->ae_perm |= ACL_READ_DATA;
670 a2->ae_perm |= (ACL_WRITE_DATA | ACL_APPEND_DATA);
672 a1->ae_perm |= (ACL_WRITE_DATA | ACL_APPEND_DATA);
674 a2->ae_perm |= ACL_EXECUTE;
676 a1->ae_perm |= ACL_EXECUTE;
679 a4->ae_perm |= ACL_READ_DATA;
681 a3->ae_perm |= ACL_READ_DATA;
683 a4->ae_perm |= (ACL_WRITE_DATA | ACL_APPEND_DATA);
685 a3->ae_perm |= (ACL_WRITE_DATA | ACL_APPEND_DATA);
687 a4->ae_perm |= ACL_EXECUTE;
689 a3->ae_perm |= ACL_EXECUTE;
692 a6->ae_perm |= ACL_READ_DATA;
694 a5->ae_perm |= ACL_READ_DATA;
696 a6->ae_perm |= (ACL_WRITE_DATA | ACL_APPEND_DATA);
698 a5->ae_perm |= (ACL_WRITE_DATA | ACL_APPEND_DATA);
700 a6->ae_perm |= ACL_EXECUTE;
702 a5->ae_perm |= ACL_EXECUTE;
722 mode_t old_mode = *_mode,
mode = 0, seen = 0;
723 const struct acl_entry *entry;
725 KASSERT(aclp->acl_cnt <= ACL_MAX_ENTRIES,
726 (
"aclp->acl_cnt <= ACL_MAX_ENTRIES"));
734 for (i = 0; i < aclp->acl_cnt; i++) {
735 entry = &(aclp->acl_entry[i]);
737 if (entry->ae_entry_type != ACL_ENTRY_TYPE_ALLOW &&
738 entry->ae_entry_type != ACL_ENTRY_TYPE_DENY)
741 if (entry->ae_flags & ACL_ENTRY_INHERIT_ONLY)
744 if (entry->ae_tag == ACL_USER_OBJ) {
745 if ((entry->ae_perm & ACL_READ_DATA) &&
746 ((seen & S_IRUSR) == 0)) {
748 if (entry->ae_entry_type == ACL_ENTRY_TYPE_ALLOW)
751 if ((entry->ae_perm & ACL_WRITE_DATA) &&
752 ((seen & S_IWUSR) == 0)) {
754 if (entry->ae_entry_type == ACL_ENTRY_TYPE_ALLOW)
757 if ((entry->ae_perm & ACL_EXECUTE) &&
758 ((seen & S_IXUSR) == 0)) {
760 if (entry->ae_entry_type == ACL_ENTRY_TYPE_ALLOW)
763 }
else if (entry->ae_tag == ACL_GROUP_OBJ) {
764 if ((entry->ae_perm & ACL_READ_DATA) &&
765 ((seen & S_IRGRP) == 0)) {
767 if (entry->ae_entry_type == ACL_ENTRY_TYPE_ALLOW)
770 if ((entry->ae_perm & ACL_WRITE_DATA) &&
771 ((seen & S_IWGRP) == 0)) {
773 if (entry->ae_entry_type == ACL_ENTRY_TYPE_ALLOW)
776 if ((entry->ae_perm & ACL_EXECUTE) &&
777 ((seen & S_IXGRP) == 0)) {
779 if (entry->ae_entry_type == ACL_ENTRY_TYPE_ALLOW)
782 }
else if (entry->ae_tag == ACL_EVERYONE) {
783 if (entry->ae_perm & ACL_READ_DATA) {
784 if ((seen & S_IRUSR) == 0) {
786 if (entry->ae_entry_type == ACL_ENTRY_TYPE_ALLOW)
789 if ((seen & S_IRGRP) == 0) {
791 if (entry->ae_entry_type == ACL_ENTRY_TYPE_ALLOW)
794 if ((seen & S_IROTH) == 0) {
796 if (entry->ae_entry_type == ACL_ENTRY_TYPE_ALLOW)
800 if (entry->ae_perm & ACL_WRITE_DATA) {
801 if ((seen & S_IWUSR) == 0) {
803 if (entry->ae_entry_type == ACL_ENTRY_TYPE_ALLOW)
806 if ((seen & S_IWGRP) == 0) {
808 if (entry->ae_entry_type == ACL_ENTRY_TYPE_ALLOW)
811 if ((seen & S_IWOTH) == 0) {
813 if (entry->ae_entry_type == ACL_ENTRY_TYPE_ALLOW)
817 if (entry->ae_perm & ACL_EXECUTE) {
818 if ((seen & S_IXUSR) == 0) {
820 if (entry->ae_entry_type == ACL_ENTRY_TYPE_ALLOW)
823 if ((seen & S_IXGRP) == 0) {
825 if (entry->ae_entry_type == ACL_ENTRY_TYPE_ALLOW)
828 if ((seen & S_IXOTH) == 0) {
830 if (entry->ae_entry_type == ACL_ENTRY_TYPE_ALLOW)
837 *_mode =
mode | (old_mode & ACL_PRESERVE_MASK);
847 struct acl *child_aclp, mode_t
mode,
int file_owner_id,
851 const struct acl_entry *parent_entry;
852 struct acl_entry *entry, *copy;
854 KASSERT(child_aclp->acl_cnt == 0, (
"child_aclp->acl_cnt == 0"));
855 KASSERT(parent_aclp->acl_cnt <= ACL_MAX_ENTRIES,
856 (
"parent_aclp->acl_cnt <= ACL_MAX_ENTRIES"));
868 for (i = 0; i < parent_aclp->acl_cnt; i++) {
869 parent_entry = &(parent_aclp->acl_entry[i]);
870 flags = parent_entry->ae_flags;
875 if ((
flags & (ACL_ENTRY_DIRECTORY_INHERIT |
876 ACL_ENTRY_FILE_INHERIT)) == 0)
883 if (!is_directory && (
flags & ACL_ENTRY_FILE_INHERIT) == 0)
892 (
flags & ACL_ENTRY_DIRECTORY_INHERIT) == 0 &&
893 (
flags & ACL_ENTRY_NO_PROPAGATE_INHERIT))
896 KASSERT(child_aclp->acl_cnt + 1 <= ACL_MAX_ENTRIES,
897 (
"child_aclp->acl_cnt + 1 <= ACL_MAX_ENTRIES"));
898 child_aclp->acl_entry[child_aclp->acl_cnt] = *parent_entry;
899 child_aclp->acl_cnt++;
906 for (i = 0; i < child_aclp->acl_cnt; i++) {
907 entry = &(child_aclp->acl_entry[i]);
913 if (((entry->ae_flags & ACL_ENTRY_NO_PROPAGATE_INHERIT) ||
915 entry->ae_entry_type == ACL_ENTRY_TYPE_ALLOW)
916 entry->ae_perm &= ~(ACL_WRITE_ACL | ACL_WRITE_OWNER);
925 if (entry->ae_flags & ACL_ENTRY_NO_PROPAGATE_INHERIT ||
927 entry->ae_flags &= ~(ACL_ENTRY_NO_PROPAGATE_INHERIT |
928 ACL_ENTRY_FILE_INHERIT | ACL_ENTRY_DIRECTORY_INHERIT |
929 ACL_ENTRY_INHERIT_ONLY);
948 (entry->ae_flags & ACL_ENTRY_FILE_INHERIT) &&
949 ((entry->ae_flags & ACL_ENTRY_DIRECTORY_INHERIT) == 0)) {
950 entry->ae_flags |= ACL_ENTRY_INHERIT_ONLY;
958 if (entry->ae_entry_type != ACL_ENTRY_TYPE_ALLOW &&
959 entry->ae_entry_type != ACL_ENTRY_TYPE_DENY)
971 entry->ae_flags |= ACL_ENTRY_INHERIT_ONLY;
978 copy->ae_flags &= ~(ACL_ENTRY_NO_PROPAGATE_INHERIT |
979 ACL_ENTRY_FILE_INHERIT | ACL_ENTRY_DIRECTORY_INHERIT |
980 ACL_ENTRY_INHERIT_ONLY);
987 if (copy->ae_entry_type == ACL_ENTRY_TYPE_ALLOW)
988 copy->ae_perm &= ~(ACL_WRITE_ACL | ACL_WRITE_OWNER);
1010 struct acl *child_aclp, mode_t
mode,
int file_owner_id,
1014 const struct acl_entry *parent_entry;
1015 struct acl_entry *entry;
1017 KASSERT(parent_aclp->acl_cnt <= ACL_MAX_ENTRIES,
1018 (
"parent_aclp->acl_cnt <= ACL_MAX_ENTRIES"));
1020 for (i = 0; i < parent_aclp->acl_cnt; i++) {
1021 parent_entry = &(parent_aclp->acl_entry[i]);
1022 flags = parent_entry->ae_flags;
1023 tag = parent_entry->ae_tag;
1028 if (tag == ACL_USER_OBJ || tag == ACL_GROUP_OBJ ||
1029 tag == ACL_EVERYONE)
1035 if ((
flags & (ACL_ENTRY_DIRECTORY_INHERIT |
1036 ACL_ENTRY_FILE_INHERIT)) == 0)
1043 if (!is_directory && (
flags & ACL_ENTRY_FILE_INHERIT) == 0)
1052 (
flags & ACL_ENTRY_DIRECTORY_INHERIT) == 0 &&
1053 (
flags & ACL_ENTRY_NO_PROPAGATE_INHERIT))
1059 KASSERT(child_aclp->acl_cnt + 1 <= ACL_MAX_ENTRIES,
1060 (
"child_aclp->acl_cnt + 1 <= ACL_MAX_ENTRIES"));
1061 entry = &(child_aclp->acl_entry[child_aclp->acl_cnt]);
1062 *entry = *parent_entry;
1063 child_aclp->acl_cnt++;
1065 entry->ae_flags &= ~ACL_ENTRY_INHERIT_ONLY;
1066 entry->ae_flags |= ACL_ENTRY_INHERITED;
1072 if (entry->ae_entry_type != ACL_ENTRY_TYPE_ALLOW &&
1073 entry->ae_entry_type != ACL_ENTRY_TYPE_DENY)
1083 if (entry->ae_flags & ACL_ENTRY_NO_PROPAGATE_INHERIT ||
1085 entry->ae_flags &= ~(ACL_ENTRY_NO_PROPAGATE_INHERIT |
1086 ACL_ENTRY_FILE_INHERIT | ACL_ENTRY_DIRECTORY_INHERIT |
1087 ACL_ENTRY_INHERIT_ONLY);
1096 (entry->ae_flags & ACL_ENTRY_FILE_INHERIT) &&
1097 ((entry->ae_flags & ACL_ENTRY_DIRECTORY_INHERIT) == 0)) {
1098 entry->ae_flags |= ACL_ENTRY_INHERIT_ONLY;
1101 if (entry->ae_entry_type == ACL_ENTRY_TYPE_ALLOW &&
1102 (entry->ae_flags & ACL_ENTRY_INHERIT_ONLY) == 0) {
1106 entry->ae_perm &= ~(ACL_WRITE_ACL | ACL_WRITE_OWNER |
1107 ACL_WRITE_NAMED_ATTRS | ACL_WRITE_ATTRIBUTES);
1112 if ((
mode & S_IRGRP) == 0)
1113 entry->ae_perm &= ~ACL_READ_DATA;
1114 if ((
mode & S_IWGRP) == 0)
1116 ~(ACL_WRITE_DATA | ACL_APPEND_DATA);
1117 if ((
mode & S_IXGRP) == 0)
1118 entry->ae_perm &= ~ACL_EXECUTE;
1130 struct acl *aclp, mode_t
mode,
int file_owner_id,
int is_directory)
1132 acl_perm_t user_allow_first = 0, user_deny = 0, group_deny = 0;
1133 acl_perm_t user_allow, group_allow, everyone_allow;
1135 KASSERT(aclp->acl_cnt == 0, (
"aclp->acl_cnt == 0"));
1137 user_allow = group_allow = everyone_allow = ACL_READ_ACL |
1138 ACL_READ_ATTRIBUTES | ACL_READ_NAMED_ATTRS | ACL_SYNCHRONIZE;
1139 user_allow |= ACL_WRITE_ACL | ACL_WRITE_OWNER | ACL_WRITE_ATTRIBUTES |
1140 ACL_WRITE_NAMED_ATTRS;
1143 user_allow |= ACL_READ_DATA;
1145 user_allow |= (ACL_WRITE_DATA | ACL_APPEND_DATA);
1147 user_allow |= ACL_EXECUTE;
1150 group_allow |= ACL_READ_DATA;
1152 group_allow |= (ACL_WRITE_DATA | ACL_APPEND_DATA);
1154 group_allow |= ACL_EXECUTE;
1157 everyone_allow |= ACL_READ_DATA;
1159 everyone_allow |= (ACL_WRITE_DATA | ACL_APPEND_DATA);
1161 everyone_allow |= ACL_EXECUTE;
1163 user_deny = ((group_allow | everyone_allow) & ~user_allow);
1164 group_deny = everyone_allow & ~group_allow;
1165 user_allow_first = group_deny & ~user_deny;
1167 if (user_allow_first != 0)
1169 ACL_ENTRY_TYPE_ALLOW);
1172 ACL_ENTRY_TYPE_DENY);
1173 if (group_deny != 0)
1175 ACL_ENTRY_TYPE_DENY);
1177 if (parent_aclp != NULL)
1179 file_owner_id, is_directory);
1181 _acl_append(aclp, ACL_USER_OBJ, user_allow, ACL_ENTRY_TYPE_ALLOW);
1182 _acl_append(aclp, ACL_GROUP_OBJ, group_allow, ACL_ENTRY_TYPE_ALLOW);
1183 _acl_append(aclp, ACL_EVERYONE, everyone_allow, ACL_ENTRY_TYPE_ALLOW);
1189 struct acl *child_aclp, mode_t
mode,
int file_owner_id,
1195 mode, file_owner_id, is_directory);
1198 mode, file_owner_id, is_directory);
1222acl_nfs4_trivial_from_mode_libc(
struct acl *aclp,
int mode,
int canonical_six)
1238 const struct acl_entry *entrya, *entryb;
1240 if (a->acl_cnt != b->acl_cnt)
1243 for (i = 0; i < b->acl_cnt; i++) {
1244 entrya = &(a->acl_entry[i]);
1245 entryb = &(b->acl_entry[i]);
1247 if (entrya->ae_tag != entryb->ae_tag ||
1248 entrya->ae_id != entryb->ae_id ||
1249 entrya->ae_perm != entryb->ae_perm ||
1250 entrya->ae_entry_type != entryb->ae_entry_type ||
1251 entrya->ae_flags != entryb->ae_flags)
1267 struct acl *tmpaclp;
1269 if (aclp->acl_cnt > 6)
1295 tmpaclp->acl_cnt = 0;
1308 const struct acl_entry *entry;
1318 if (aclp->acl_cnt > ACL_MAX_ENTRIES || aclp->acl_cnt <= 0)
1321 for (i = 0; i < aclp->acl_cnt; i++) {
1322 entry = &(aclp->acl_entry[i]);
1324 switch (entry->ae_tag) {
1328 if (entry->ae_id != ACL_UNDEFINED_ID)
1334 if (entry->ae_id == ACL_UNDEFINED_ID)
1342 if ((entry->ae_perm | ACL_NFS4_PERM_BITS) != ACL_NFS4_PERM_BITS)
1348 if (entry->ae_entry_type != ACL_ENTRY_TYPE_ALLOW &&
1349 entry->ae_entry_type != ACL_ENTRY_TYPE_DENY)
1352 if ((entry->ae_flags | ACL_FLAGS_BITS) != ACL_FLAGS_BITS)
1356 if (entry->ae_flags & (ACL_ENTRY_SUCCESSFUL_ACCESS |
1357 ACL_ENTRY_FAILED_ACCESS))
1361 if (!is_directory) {
1362 if (entry->ae_flags & (ACL_ENTRY_FILE_INHERIT |
1363 ACL_ENTRY_DIRECTORY_INHERIT |
1364 ACL_ENTRY_NO_PROPAGATE_INHERIT | ACL_ENTRY_INHERIT_ONLY))
device_property_type_t type
int priv_check_cred(struct ucred *cred, int priv)
int groupmember(gid_t gid, struct ucred *cred)
static void acl_nfs4_inherit_entries(const struct acl *parent_aclp, struct acl *child_aclp, mode_t mode, int file_owner_id, int is_directory)
static int _acl_entry_matches(struct acl_entry *entry, acl_tag_t tag, acl_perm_t perm, acl_entry_type_t entry_type)
static int _access_mask_from_accmode(accmode_t accmode)
static int acl_nfs4_old_semantics
static moduledata_t acl_nfs4_mod
MODULE_VERSION(acl_nfs4, 1)
void acl_nfs4_sync_acl_from_mode(struct acl *aclp, mode_t mode, int file_owner_id)
void acl_nfs4_compute_inherited_acl(const struct acl *parent_aclp, struct acl *child_aclp, mode_t mode, int file_owner_id, int is_directory)
SYSCTL_INT(_vfs, OID_AUTO, acl_nfs4_old_semantics, CTLFLAG_RW, &acl_nfs4_old_semantics, 0, "Use pre-PSARC/2010/029 NFSv4 ACL semantics")
void acl_nfs4_sync_mode_from_acl(mode_t *_mode, const struct acl *aclp)
static struct acl_entry * _acl_duplicate_entry(struct acl *aclp, unsigned entry_index)
static int _acl_denies(const struct acl *aclp, int access_mask, struct ucred *cred, int file_uid, int file_gid, int *denied_explicitly)
static int acl_nfs4_modload(module_t module, int what, void *arg)
int acl_nfs4_is_trivial(const struct acl *aclp, int file_owner_id)
static void acl_nfs4_trivial_from_mode(struct acl *aclp, mode_t mode)
DECLARE_MODULE(acl_nfs4, acl_nfs4_mod, SI_SUB_VFS, SI_ORDER_FIRST)
static void acl_nfs4_sync_acl_from_mode_draft(struct acl *aclp, mode_t mode, int file_owner_id)
static void acl_nfs4_compute_inherited_acl_draft(const struct acl *parent_aclp, struct acl *child_aclp, mode_t mode, int file_owner_id, int is_directory)
int acl_nfs4_check(const struct acl *aclp, int is_directory)
int vaccess_acl_nfs4(enum vtype type, uid_t file_uid, gid_t file_gid, struct acl *aclp, accmode_t accmode, struct ucred *cred)
static void acl_nfs4_compute_inherited_acl_psarc(const struct acl *parent_aclp, struct acl *aclp, mode_t mode, int file_owner_id, int is_directory)
static struct @7 accmode2mask[]
static struct acl_entry * _acl_append(struct acl *aclp, acl_tag_t tag, acl_perm_t perm, acl_entry_type_t entry_type)
static int _acls_are_equal(const struct acl *a, const struct acl *b)
void acl_free(struct acl *aclp)
struct acl * acl_alloc(int flags)