Commit | Line | Data |
---|---|---|
1da177e4 | 1 | /* |
7b718769 NS |
2 | * Copyright (c) 2001-2002,2005 Silicon Graphics, Inc. |
3 | * All Rights Reserved. | |
1da177e4 | 4 | * |
7b718769 NS |
5 | * This program is free software; you can redistribute it and/or |
6 | * modify it under the terms of the GNU General Public License as | |
1da177e4 LT |
7 | * published by the Free Software Foundation. |
8 | * | |
7b718769 NS |
9 | * This program is distributed in the hope that it would be useful, |
10 | * but WITHOUT ANY WARRANTY; without even the implied warranty of | |
11 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | |
12 | * GNU General Public License for more details. | |
1da177e4 | 13 | * |
7b718769 NS |
14 | * You should have received a copy of the GNU General Public License |
15 | * along with this program; if not, write the Free Software Foundation, | |
16 | * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA | |
1da177e4 | 17 | */ |
1da177e4 | 18 | #include "xfs.h" |
a844f451 NS |
19 | #include "xfs_fs.h" |
20 | #include "xfs_types.h" | |
21 | #include "xfs_bit.h" | |
1da177e4 | 22 | #include "xfs_inum.h" |
a844f451 | 23 | #include "xfs_ag.h" |
1da177e4 LT |
24 | #include "xfs_dir.h" |
25 | #include "xfs_dir2.h" | |
1da177e4 | 26 | #include "xfs_bmap_btree.h" |
a844f451 | 27 | #include "xfs_alloc_btree.h" |
1da177e4 | 28 | #include "xfs_ialloc_btree.h" |
1da177e4 LT |
29 | #include "xfs_dir_sf.h" |
30 | #include "xfs_dir2_sf.h" | |
a844f451 | 31 | #include "xfs_attr_sf.h" |
1da177e4 LT |
32 | #include "xfs_dinode.h" |
33 | #include "xfs_inode.h" | |
a844f451 | 34 | #include "xfs_btree.h" |
1da177e4 LT |
35 | #include "xfs_acl.h" |
36 | #include "xfs_mac.h" | |
37 | #include "xfs_attr.h" | |
38 | ||
39 | #include <linux/posix_acl_xattr.h> | |
40 | ||
41 | STATIC int xfs_acl_setmode(vnode_t *, xfs_acl_t *, int *); | |
42 | STATIC void xfs_acl_filter_mode(mode_t, xfs_acl_t *); | |
43 | STATIC void xfs_acl_get_endian(xfs_acl_t *); | |
44 | STATIC int xfs_acl_access(uid_t, gid_t, xfs_acl_t *, mode_t, cred_t *); | |
45 | STATIC int xfs_acl_invalid(xfs_acl_t *); | |
46 | STATIC void xfs_acl_sync_mode(mode_t, xfs_acl_t *); | |
47 | STATIC void xfs_acl_get_attr(vnode_t *, xfs_acl_t *, int, int, int *); | |
48 | STATIC void xfs_acl_set_attr(vnode_t *, xfs_acl_t *, int, int *); | |
49 | STATIC int xfs_acl_allow_set(vnode_t *, int); | |
50 | ||
51 | kmem_zone_t *xfs_acl_zone; | |
52 | ||
53 | ||
54 | /* | |
55 | * Test for existence of access ACL attribute as efficiently as possible. | |
56 | */ | |
57 | int | |
58 | xfs_acl_vhasacl_access( | |
59 | vnode_t *vp) | |
60 | { | |
61 | int error; | |
62 | ||
63 | xfs_acl_get_attr(vp, NULL, _ACL_TYPE_ACCESS, ATTR_KERNOVAL, &error); | |
64 | return (error == 0); | |
65 | } | |
66 | ||
67 | /* | |
68 | * Test for existence of default ACL attribute as efficiently as possible. | |
69 | */ | |
70 | int | |
71 | xfs_acl_vhasacl_default( | |
72 | vnode_t *vp) | |
73 | { | |
74 | int error; | |
75 | ||
0432dab2 | 76 | if (!VN_ISDIR(vp)) |
1da177e4 LT |
77 | return 0; |
78 | xfs_acl_get_attr(vp, NULL, _ACL_TYPE_DEFAULT, ATTR_KERNOVAL, &error); | |
79 | return (error == 0); | |
80 | } | |
81 | ||
82 | /* | |
83 | * Convert from extended attribute representation to in-memory for XFS. | |
84 | */ | |
85 | STATIC int | |
86 | posix_acl_xattr_to_xfs( | |
87 | posix_acl_xattr_header *src, | |
88 | size_t size, | |
89 | xfs_acl_t *dest) | |
90 | { | |
91 | posix_acl_xattr_entry *src_entry; | |
92 | xfs_acl_entry_t *dest_entry; | |
93 | int n; | |
94 | ||
95 | if (!src || !dest) | |
96 | return EINVAL; | |
97 | ||
98 | if (size < sizeof(posix_acl_xattr_header)) | |
99 | return EINVAL; | |
100 | ||
101 | if (src->a_version != cpu_to_le32(POSIX_ACL_XATTR_VERSION)) | |
102 | return EOPNOTSUPP; | |
103 | ||
104 | memset(dest, 0, sizeof(xfs_acl_t)); | |
105 | dest->acl_cnt = posix_acl_xattr_count(size); | |
106 | if (dest->acl_cnt < 0 || dest->acl_cnt > XFS_ACL_MAX_ENTRIES) | |
107 | return EINVAL; | |
108 | ||
109 | /* | |
110 | * acl_set_file(3) may request that we set default ACLs with | |
111 | * zero length -- defend (gracefully) against that here. | |
112 | */ | |
113 | if (!dest->acl_cnt) | |
114 | return 0; | |
115 | ||
116 | src_entry = (posix_acl_xattr_entry *)((char *)src + sizeof(*src)); | |
117 | dest_entry = &dest->acl_entry[0]; | |
118 | ||
119 | for (n = 0; n < dest->acl_cnt; n++, src_entry++, dest_entry++) { | |
120 | dest_entry->ae_perm = le16_to_cpu(src_entry->e_perm); | |
121 | if (_ACL_PERM_INVALID(dest_entry->ae_perm)) | |
122 | return EINVAL; | |
123 | dest_entry->ae_tag = le16_to_cpu(src_entry->e_tag); | |
124 | switch(dest_entry->ae_tag) { | |
125 | case ACL_USER: | |
126 | case ACL_GROUP: | |
127 | dest_entry->ae_id = le32_to_cpu(src_entry->e_id); | |
128 | break; | |
129 | case ACL_USER_OBJ: | |
130 | case ACL_GROUP_OBJ: | |
131 | case ACL_MASK: | |
132 | case ACL_OTHER: | |
133 | dest_entry->ae_id = ACL_UNDEFINED_ID; | |
134 | break; | |
135 | default: | |
136 | return EINVAL; | |
137 | } | |
138 | } | |
139 | if (xfs_acl_invalid(dest)) | |
140 | return EINVAL; | |
141 | ||
142 | return 0; | |
143 | } | |
144 | ||
145 | /* | |
380b5dc0 | 146 | * Comparison function called from xfs_sort(). |
1da177e4 LT |
147 | * Primary key is ae_tag, secondary key is ae_id. |
148 | */ | |
149 | STATIC int | |
150 | xfs_acl_entry_compare( | |
151 | const void *va, | |
152 | const void *vb) | |
153 | { | |
154 | xfs_acl_entry_t *a = (xfs_acl_entry_t *)va, | |
155 | *b = (xfs_acl_entry_t *)vb; | |
156 | ||
157 | if (a->ae_tag == b->ae_tag) | |
158 | return (a->ae_id - b->ae_id); | |
159 | return (a->ae_tag - b->ae_tag); | |
160 | } | |
161 | ||
162 | /* | |
163 | * Convert from in-memory XFS to extended attribute representation. | |
164 | */ | |
165 | STATIC int | |
166 | posix_acl_xfs_to_xattr( | |
167 | xfs_acl_t *src, | |
168 | posix_acl_xattr_header *dest, | |
169 | size_t size) | |
170 | { | |
171 | int n; | |
172 | size_t new_size = posix_acl_xattr_size(src->acl_cnt); | |
173 | posix_acl_xattr_entry *dest_entry; | |
174 | xfs_acl_entry_t *src_entry; | |
175 | ||
176 | if (size < new_size) | |
177 | return -ERANGE; | |
178 | ||
179 | /* Need to sort src XFS ACL by <ae_tag,ae_id> */ | |
380b5dc0 NS |
180 | xfs_sort(src->acl_entry, src->acl_cnt, sizeof(src->acl_entry[0]), |
181 | xfs_acl_entry_compare); | |
1da177e4 LT |
182 | |
183 | dest->a_version = cpu_to_le32(POSIX_ACL_XATTR_VERSION); | |
184 | dest_entry = &dest->a_entries[0]; | |
185 | src_entry = &src->acl_entry[0]; | |
186 | for (n = 0; n < src->acl_cnt; n++, dest_entry++, src_entry++) { | |
187 | dest_entry->e_perm = cpu_to_le16(src_entry->ae_perm); | |
188 | if (_ACL_PERM_INVALID(src_entry->ae_perm)) | |
189 | return -EINVAL; | |
190 | dest_entry->e_tag = cpu_to_le16(src_entry->ae_tag); | |
191 | switch (src_entry->ae_tag) { | |
192 | case ACL_USER: | |
193 | case ACL_GROUP: | |
194 | dest_entry->e_id = cpu_to_le32(src_entry->ae_id); | |
195 | break; | |
196 | case ACL_USER_OBJ: | |
197 | case ACL_GROUP_OBJ: | |
198 | case ACL_MASK: | |
199 | case ACL_OTHER: | |
200 | dest_entry->e_id = cpu_to_le32(ACL_UNDEFINED_ID); | |
201 | break; | |
202 | default: | |
203 | return -EINVAL; | |
204 | } | |
205 | } | |
206 | return new_size; | |
207 | } | |
208 | ||
209 | int | |
210 | xfs_acl_vget( | |
211 | vnode_t *vp, | |
212 | void *acl, | |
213 | size_t size, | |
214 | int kind) | |
215 | { | |
216 | int error; | |
217 | xfs_acl_t *xfs_acl = NULL; | |
218 | posix_acl_xattr_header *ext_acl = acl; | |
219 | int flags = 0; | |
220 | ||
221 | VN_HOLD(vp); | |
222 | if(size) { | |
223 | if (!(_ACL_ALLOC(xfs_acl))) { | |
224 | error = ENOMEM; | |
225 | goto out; | |
226 | } | |
227 | memset(xfs_acl, 0, sizeof(xfs_acl_t)); | |
228 | } else | |
229 | flags = ATTR_KERNOVAL; | |
230 | ||
231 | xfs_acl_get_attr(vp, xfs_acl, kind, flags, &error); | |
232 | if (error) | |
233 | goto out; | |
234 | ||
235 | if (!size) { | |
236 | error = -posix_acl_xattr_size(XFS_ACL_MAX_ENTRIES); | |
237 | } else { | |
238 | if (xfs_acl_invalid(xfs_acl)) { | |
239 | error = EINVAL; | |
240 | goto out; | |
241 | } | |
242 | if (kind == _ACL_TYPE_ACCESS) { | |
243 | vattr_t va; | |
244 | ||
245 | va.va_mask = XFS_AT_MODE; | |
246 | VOP_GETATTR(vp, &va, 0, sys_cred, error); | |
247 | if (error) | |
248 | goto out; | |
249 | xfs_acl_sync_mode(va.va_mode, xfs_acl); | |
250 | } | |
251 | error = -posix_acl_xfs_to_xattr(xfs_acl, ext_acl, size); | |
252 | } | |
253 | out: | |
254 | VN_RELE(vp); | |
255 | if(xfs_acl) | |
256 | _ACL_FREE(xfs_acl); | |
257 | return -error; | |
258 | } | |
259 | ||
260 | int | |
261 | xfs_acl_vremove( | |
262 | vnode_t *vp, | |
263 | int kind) | |
264 | { | |
265 | int error; | |
266 | ||
267 | VN_HOLD(vp); | |
268 | error = xfs_acl_allow_set(vp, kind); | |
269 | if (!error) { | |
270 | VOP_ATTR_REMOVE(vp, kind == _ACL_TYPE_DEFAULT? | |
271 | SGI_ACL_DEFAULT: SGI_ACL_FILE, | |
272 | ATTR_ROOT, sys_cred, error); | |
273 | if (error == ENOATTR) | |
274 | error = 0; /* 'scool */ | |
275 | } | |
276 | VN_RELE(vp); | |
277 | return -error; | |
278 | } | |
279 | ||
280 | int | |
281 | xfs_acl_vset( | |
282 | vnode_t *vp, | |
283 | void *acl, | |
284 | size_t size, | |
285 | int kind) | |
286 | { | |
287 | posix_acl_xattr_header *ext_acl = acl; | |
288 | xfs_acl_t *xfs_acl; | |
289 | int error; | |
290 | int basicperms = 0; /* more than std unix perms? */ | |
291 | ||
292 | if (!acl) | |
293 | return -EINVAL; | |
294 | ||
295 | if (!(_ACL_ALLOC(xfs_acl))) | |
296 | return -ENOMEM; | |
297 | ||
298 | error = posix_acl_xattr_to_xfs(ext_acl, size, xfs_acl); | |
299 | if (error) { | |
300 | _ACL_FREE(xfs_acl); | |
301 | return -error; | |
302 | } | |
303 | if (!xfs_acl->acl_cnt) { | |
304 | _ACL_FREE(xfs_acl); | |
305 | return 0; | |
306 | } | |
307 | ||
308 | VN_HOLD(vp); | |
309 | error = xfs_acl_allow_set(vp, kind); | |
310 | if (error) | |
311 | goto out; | |
312 | ||
313 | /* Incoming ACL exists, set file mode based on its value */ | |
314 | if (kind == _ACL_TYPE_ACCESS) | |
315 | xfs_acl_setmode(vp, xfs_acl, &basicperms); | |
316 | ||
317 | /* | |
318 | * If we have more than std unix permissions, set up the actual attr. | |
319 | * Otherwise, delete any existing attr. This prevents us from | |
320 | * having actual attrs for permissions that can be stored in the | |
321 | * standard permission bits. | |
322 | */ | |
323 | if (!basicperms) { | |
324 | xfs_acl_set_attr(vp, xfs_acl, kind, &error); | |
325 | } else { | |
326 | xfs_acl_vremove(vp, _ACL_TYPE_ACCESS); | |
327 | } | |
328 | ||
329 | out: | |
330 | VN_RELE(vp); | |
331 | _ACL_FREE(xfs_acl); | |
332 | return -error; | |
333 | } | |
334 | ||
335 | int | |
336 | xfs_acl_iaccess( | |
337 | xfs_inode_t *ip, | |
338 | mode_t mode, | |
339 | cred_t *cr) | |
340 | { | |
341 | xfs_acl_t *acl; | |
342 | int rval; | |
343 | ||
344 | if (!(_ACL_ALLOC(acl))) | |
345 | return -1; | |
346 | ||
347 | /* If the file has no ACL return -1. */ | |
348 | rval = sizeof(xfs_acl_t); | |
349 | if (xfs_attr_fetch(ip, SGI_ACL_FILE, SGI_ACL_FILE_SIZE, | |
350 | (char *)acl, &rval, ATTR_ROOT | ATTR_KERNACCESS, cr)) { | |
351 | _ACL_FREE(acl); | |
352 | return -1; | |
353 | } | |
354 | xfs_acl_get_endian(acl); | |
355 | ||
356 | /* If the file has an empty ACL return -1. */ | |
357 | if (acl->acl_cnt == XFS_ACL_NOT_PRESENT) { | |
358 | _ACL_FREE(acl); | |
359 | return -1; | |
360 | } | |
361 | ||
362 | /* Synchronize ACL with mode bits */ | |
363 | xfs_acl_sync_mode(ip->i_d.di_mode, acl); | |
364 | ||
365 | rval = xfs_acl_access(ip->i_d.di_uid, ip->i_d.di_gid, acl, mode, cr); | |
366 | _ACL_FREE(acl); | |
367 | return rval; | |
368 | } | |
369 | ||
370 | STATIC int | |
371 | xfs_acl_allow_set( | |
372 | vnode_t *vp, | |
373 | int kind) | |
374 | { | |
375 | vattr_t va; | |
376 | int error; | |
377 | ||
378 | if (vp->v_inode.i_flags & (S_IMMUTABLE|S_APPEND)) | |
379 | return EPERM; | |
0432dab2 | 380 | if (kind == _ACL_TYPE_DEFAULT && !VN_ISDIR(vp)) |
1da177e4 LT |
381 | return ENOTDIR; |
382 | if (vp->v_vfsp->vfs_flag & VFS_RDONLY) | |
383 | return EROFS; | |
384 | va.va_mask = XFS_AT_UID; | |
385 | VOP_GETATTR(vp, &va, 0, NULL, error); | |
386 | if (error) | |
387 | return error; | |
388 | if (va.va_uid != current->fsuid && !capable(CAP_FOWNER)) | |
389 | return EPERM; | |
390 | return error; | |
391 | } | |
392 | ||
393 | /* | |
394 | * The access control process to determine the access permission: | |
395 | * if uid == file owner id, use the file owner bits. | |
396 | * if gid == file owner group id, use the file group bits. | |
397 | * scan ACL for a maching user or group, and use matched entry | |
398 | * permission. Use total permissions of all matching group entries, | |
399 | * until all acl entries are exhausted. The final permission produced | |
400 | * by matching acl entry or entries needs to be & with group permission. | |
401 | * if not owner, owning group, or matching entry in ACL, use file | |
402 | * other bits. | |
403 | */ | |
404 | STATIC int | |
405 | xfs_acl_capability_check( | |
406 | mode_t mode, | |
407 | cred_t *cr) | |
408 | { | |
409 | if ((mode & ACL_READ) && !capable_cred(cr, CAP_DAC_READ_SEARCH)) | |
410 | return EACCES; | |
411 | if ((mode & ACL_WRITE) && !capable_cred(cr, CAP_DAC_OVERRIDE)) | |
412 | return EACCES; | |
413 | if ((mode & ACL_EXECUTE) && !capable_cred(cr, CAP_DAC_OVERRIDE)) | |
414 | return EACCES; | |
415 | ||
416 | return 0; | |
417 | } | |
418 | ||
419 | /* | |
420 | * Note: cr is only used here for the capability check if the ACL test fails. | |
421 | * It is not used to find out the credentials uid or groups etc, as was | |
422 | * done in IRIX. It is assumed that the uid and groups for the current | |
423 | * thread are taken from "current" instead of the cr parameter. | |
424 | */ | |
425 | STATIC int | |
426 | xfs_acl_access( | |
427 | uid_t fuid, | |
428 | gid_t fgid, | |
429 | xfs_acl_t *fap, | |
430 | mode_t md, | |
431 | cred_t *cr) | |
432 | { | |
433 | xfs_acl_entry_t matched; | |
434 | int i, allows; | |
435 | int maskallows = -1; /* true, but not 1, either */ | |
436 | int seen_userobj = 0; | |
437 | ||
438 | matched.ae_tag = 0; /* Invalid type */ | |
439 | md >>= 6; /* Normalize the bits for comparison */ | |
440 | ||
441 | for (i = 0; i < fap->acl_cnt; i++) { | |
442 | /* | |
443 | * Break out if we've got a user_obj entry or | |
444 | * a user entry and the mask (and have processed USER_OBJ) | |
445 | */ | |
446 | if (matched.ae_tag == ACL_USER_OBJ) | |
447 | break; | |
448 | if (matched.ae_tag == ACL_USER) { | |
449 | if (maskallows != -1 && seen_userobj) | |
450 | break; | |
451 | if (fap->acl_entry[i].ae_tag != ACL_MASK && | |
452 | fap->acl_entry[i].ae_tag != ACL_USER_OBJ) | |
453 | continue; | |
454 | } | |
455 | /* True if this entry allows the requested access */ | |
456 | allows = ((fap->acl_entry[i].ae_perm & md) == md); | |
457 | ||
458 | switch (fap->acl_entry[i].ae_tag) { | |
459 | case ACL_USER_OBJ: | |
460 | seen_userobj = 1; | |
461 | if (fuid != current->fsuid) | |
462 | continue; | |
463 | matched.ae_tag = ACL_USER_OBJ; | |
464 | matched.ae_perm = allows; | |
465 | break; | |
466 | case ACL_USER: | |
467 | if (fap->acl_entry[i].ae_id != current->fsuid) | |
468 | continue; | |
469 | matched.ae_tag = ACL_USER; | |
470 | matched.ae_perm = allows; | |
471 | break; | |
472 | case ACL_GROUP_OBJ: | |
473 | if ((matched.ae_tag == ACL_GROUP_OBJ || | |
474 | matched.ae_tag == ACL_GROUP) && !allows) | |
475 | continue; | |
476 | if (!in_group_p(fgid)) | |
477 | continue; | |
478 | matched.ae_tag = ACL_GROUP_OBJ; | |
479 | matched.ae_perm = allows; | |
480 | break; | |
481 | case ACL_GROUP: | |
482 | if ((matched.ae_tag == ACL_GROUP_OBJ || | |
483 | matched.ae_tag == ACL_GROUP) && !allows) | |
484 | continue; | |
485 | if (!in_group_p(fap->acl_entry[i].ae_id)) | |
486 | continue; | |
487 | matched.ae_tag = ACL_GROUP; | |
488 | matched.ae_perm = allows; | |
489 | break; | |
490 | case ACL_MASK: | |
491 | maskallows = allows; | |
492 | break; | |
493 | case ACL_OTHER: | |
494 | if (matched.ae_tag != 0) | |
495 | continue; | |
496 | matched.ae_tag = ACL_OTHER; | |
497 | matched.ae_perm = allows; | |
498 | break; | |
499 | } | |
500 | } | |
501 | /* | |
502 | * First possibility is that no matched entry allows access. | |
503 | * The capability to override DAC may exist, so check for it. | |
504 | */ | |
505 | switch (matched.ae_tag) { | |
506 | case ACL_OTHER: | |
507 | case ACL_USER_OBJ: | |
508 | if (matched.ae_perm) | |
509 | return 0; | |
510 | break; | |
511 | case ACL_USER: | |
512 | case ACL_GROUP_OBJ: | |
513 | case ACL_GROUP: | |
514 | if (maskallows && matched.ae_perm) | |
515 | return 0; | |
516 | break; | |
517 | case 0: | |
518 | break; | |
519 | } | |
520 | ||
521 | return xfs_acl_capability_check(md, cr); | |
522 | } | |
523 | ||
524 | /* | |
525 | * ACL validity checker. | |
526 | * This acl validation routine checks each ACL entry read in makes sense. | |
527 | */ | |
528 | STATIC int | |
529 | xfs_acl_invalid( | |
530 | xfs_acl_t *aclp) | |
531 | { | |
532 | xfs_acl_entry_t *entry, *e; | |
533 | int user = 0, group = 0, other = 0, mask = 0; | |
534 | int mask_required = 0; | |
535 | int i, j; | |
536 | ||
537 | if (!aclp) | |
538 | goto acl_invalid; | |
539 | ||
540 | if (aclp->acl_cnt > XFS_ACL_MAX_ENTRIES) | |
541 | goto acl_invalid; | |
542 | ||
543 | for (i = 0; i < aclp->acl_cnt; i++) { | |
544 | entry = &aclp->acl_entry[i]; | |
545 | switch (entry->ae_tag) { | |
546 | case ACL_USER_OBJ: | |
547 | if (user++) | |
548 | goto acl_invalid; | |
549 | break; | |
550 | case ACL_GROUP_OBJ: | |
551 | if (group++) | |
552 | goto acl_invalid; | |
553 | break; | |
554 | case ACL_OTHER: | |
555 | if (other++) | |
556 | goto acl_invalid; | |
557 | break; | |
558 | case ACL_USER: | |
559 | case ACL_GROUP: | |
560 | for (j = i + 1; j < aclp->acl_cnt; j++) { | |
561 | e = &aclp->acl_entry[j]; | |
562 | if (e->ae_id == entry->ae_id && | |
563 | e->ae_tag == entry->ae_tag) | |
564 | goto acl_invalid; | |
565 | } | |
566 | mask_required++; | |
567 | break; | |
568 | case ACL_MASK: | |
569 | if (mask++) | |
570 | goto acl_invalid; | |
571 | break; | |
572 | default: | |
573 | goto acl_invalid; | |
574 | } | |
575 | } | |
576 | if (!user || !group || !other || (mask_required && !mask)) | |
577 | goto acl_invalid; | |
578 | else | |
579 | return 0; | |
580 | acl_invalid: | |
581 | return EINVAL; | |
582 | } | |
583 | ||
584 | /* | |
585 | * Do ACL endian conversion. | |
586 | */ | |
587 | STATIC void | |
588 | xfs_acl_get_endian( | |
589 | xfs_acl_t *aclp) | |
590 | { | |
591 | xfs_acl_entry_t *ace, *end; | |
592 | ||
593 | INT_SET(aclp->acl_cnt, ARCH_CONVERT, aclp->acl_cnt); | |
594 | end = &aclp->acl_entry[0]+aclp->acl_cnt; | |
595 | for (ace = &aclp->acl_entry[0]; ace < end; ace++) { | |
596 | INT_SET(ace->ae_tag, ARCH_CONVERT, ace->ae_tag); | |
597 | INT_SET(ace->ae_id, ARCH_CONVERT, ace->ae_id); | |
598 | INT_SET(ace->ae_perm, ARCH_CONVERT, ace->ae_perm); | |
599 | } | |
600 | } | |
601 | ||
602 | /* | |
603 | * Get the ACL from the EA and do endian conversion. | |
604 | */ | |
605 | STATIC void | |
606 | xfs_acl_get_attr( | |
607 | vnode_t *vp, | |
608 | xfs_acl_t *aclp, | |
609 | int kind, | |
610 | int flags, | |
611 | int *error) | |
612 | { | |
613 | int len = sizeof(xfs_acl_t); | |
614 | ||
615 | ASSERT((flags & ATTR_KERNOVAL) ? (aclp == NULL) : 1); | |
616 | flags |= ATTR_ROOT; | |
617 | VOP_ATTR_GET(vp, | |
618 | kind == _ACL_TYPE_ACCESS ? SGI_ACL_FILE : SGI_ACL_DEFAULT, | |
619 | (char *)aclp, &len, flags, sys_cred, *error); | |
620 | if (*error || (flags & ATTR_KERNOVAL)) | |
621 | return; | |
622 | xfs_acl_get_endian(aclp); | |
623 | } | |
624 | ||
625 | /* | |
626 | * Set the EA with the ACL and do endian conversion. | |
627 | */ | |
628 | STATIC void | |
629 | xfs_acl_set_attr( | |
630 | vnode_t *vp, | |
631 | xfs_acl_t *aclp, | |
632 | int kind, | |
633 | int *error) | |
634 | { | |
635 | xfs_acl_entry_t *ace, *newace, *end; | |
636 | xfs_acl_t *newacl; | |
637 | int len; | |
638 | ||
639 | if (!(_ACL_ALLOC(newacl))) { | |
640 | *error = ENOMEM; | |
641 | return; | |
642 | } | |
643 | ||
644 | len = sizeof(xfs_acl_t) - | |
645 | (sizeof(xfs_acl_entry_t) * (XFS_ACL_MAX_ENTRIES - aclp->acl_cnt)); | |
646 | end = &aclp->acl_entry[0]+aclp->acl_cnt; | |
647 | for (ace = &aclp->acl_entry[0], newace = &newacl->acl_entry[0]; | |
648 | ace < end; | |
649 | ace++, newace++) { | |
650 | INT_SET(newace->ae_tag, ARCH_CONVERT, ace->ae_tag); | |
651 | INT_SET(newace->ae_id, ARCH_CONVERT, ace->ae_id); | |
652 | INT_SET(newace->ae_perm, ARCH_CONVERT, ace->ae_perm); | |
653 | } | |
654 | INT_SET(newacl->acl_cnt, ARCH_CONVERT, aclp->acl_cnt); | |
655 | VOP_ATTR_SET(vp, | |
656 | kind == _ACL_TYPE_ACCESS ? SGI_ACL_FILE: SGI_ACL_DEFAULT, | |
657 | (char *)newacl, len, ATTR_ROOT, sys_cred, *error); | |
658 | _ACL_FREE(newacl); | |
659 | } | |
660 | ||
661 | int | |
662 | xfs_acl_vtoacl( | |
663 | vnode_t *vp, | |
664 | xfs_acl_t *access_acl, | |
665 | xfs_acl_t *default_acl) | |
666 | { | |
667 | vattr_t va; | |
668 | int error = 0; | |
669 | ||
670 | if (access_acl) { | |
671 | /* | |
672 | * Get the Access ACL and the mode. If either cannot | |
673 | * be obtained for some reason, invalidate the access ACL. | |
674 | */ | |
675 | xfs_acl_get_attr(vp, access_acl, _ACL_TYPE_ACCESS, 0, &error); | |
676 | if (!error) { | |
677 | /* Got the ACL, need the mode... */ | |
678 | va.va_mask = XFS_AT_MODE; | |
679 | VOP_GETATTR(vp, &va, 0, sys_cred, error); | |
680 | } | |
681 | ||
682 | if (error) | |
683 | access_acl->acl_cnt = XFS_ACL_NOT_PRESENT; | |
684 | else /* We have a good ACL and the file mode, synchronize. */ | |
685 | xfs_acl_sync_mode(va.va_mode, access_acl); | |
686 | } | |
687 | ||
688 | if (default_acl) { | |
689 | xfs_acl_get_attr(vp, default_acl, _ACL_TYPE_DEFAULT, 0, &error); | |
690 | if (error) | |
691 | default_acl->acl_cnt = XFS_ACL_NOT_PRESENT; | |
692 | } | |
693 | return error; | |
694 | } | |
695 | ||
696 | /* | |
697 | * This function retrieves the parent directory's acl, processes it | |
698 | * and lets the child inherit the acl(s) that it should. | |
699 | */ | |
700 | int | |
701 | xfs_acl_inherit( | |
702 | vnode_t *vp, | |
703 | vattr_t *vap, | |
704 | xfs_acl_t *pdaclp) | |
705 | { | |
706 | xfs_acl_t *cacl; | |
707 | int error = 0; | |
708 | int basicperms = 0; | |
709 | ||
710 | /* | |
711 | * If the parent does not have a default ACL, or it's an | |
712 | * invalid ACL, we're done. | |
713 | */ | |
714 | if (!vp) | |
715 | return 0; | |
716 | if (!pdaclp || xfs_acl_invalid(pdaclp)) | |
717 | return 0; | |
718 | ||
719 | /* | |
720 | * Copy the default ACL of the containing directory to | |
721 | * the access ACL of the new file and use the mode that | |
722 | * was passed in to set up the correct initial values for | |
723 | * the u::,g::[m::], and o:: entries. This is what makes | |
724 | * umask() "work" with ACL's. | |
725 | */ | |
726 | ||
727 | if (!(_ACL_ALLOC(cacl))) | |
728 | return ENOMEM; | |
729 | ||
730 | memcpy(cacl, pdaclp, sizeof(xfs_acl_t)); | |
731 | xfs_acl_filter_mode(vap->va_mode, cacl); | |
732 | xfs_acl_setmode(vp, cacl, &basicperms); | |
733 | ||
734 | /* | |
735 | * Set the Default and Access ACL on the file. The mode is already | |
736 | * set on the file, so we don't need to worry about that. | |
737 | * | |
738 | * If the new file is a directory, its default ACL is a copy of | |
739 | * the containing directory's default ACL. | |
740 | */ | |
0432dab2 | 741 | if (VN_ISDIR(vp)) |
1da177e4 LT |
742 | xfs_acl_set_attr(vp, pdaclp, _ACL_TYPE_DEFAULT, &error); |
743 | if (!error && !basicperms) | |
744 | xfs_acl_set_attr(vp, cacl, _ACL_TYPE_ACCESS, &error); | |
745 | _ACL_FREE(cacl); | |
746 | return error; | |
747 | } | |
748 | ||
749 | /* | |
750 | * Set up the correct mode on the file based on the supplied ACL. This | |
751 | * makes sure that the mode on the file reflects the state of the | |
752 | * u::,g::[m::], and o:: entries in the ACL. Since the mode is where | |
753 | * the ACL is going to get the permissions for these entries, we must | |
754 | * synchronize the mode whenever we set the ACL on a file. | |
755 | */ | |
756 | STATIC int | |
757 | xfs_acl_setmode( | |
758 | vnode_t *vp, | |
759 | xfs_acl_t *acl, | |
760 | int *basicperms) | |
761 | { | |
762 | vattr_t va; | |
763 | xfs_acl_entry_t *ap; | |
764 | xfs_acl_entry_t *gap = NULL; | |
765 | int i, error, nomask = 1; | |
766 | ||
767 | *basicperms = 1; | |
768 | ||
769 | if (acl->acl_cnt == XFS_ACL_NOT_PRESENT) | |
770 | return 0; | |
771 | ||
772 | /* | |
773 | * Copy the u::, g::, o::, and m:: bits from the ACL into the | |
774 | * mode. The m:: bits take precedence over the g:: bits. | |
775 | */ | |
776 | va.va_mask = XFS_AT_MODE; | |
777 | VOP_GETATTR(vp, &va, 0, sys_cred, error); | |
778 | if (error) | |
779 | return error; | |
780 | ||
781 | va.va_mask = XFS_AT_MODE; | |
782 | va.va_mode &= ~(S_IRWXU|S_IRWXG|S_IRWXO); | |
783 | ap = acl->acl_entry; | |
784 | for (i = 0; i < acl->acl_cnt; ++i) { | |
785 | switch (ap->ae_tag) { | |
786 | case ACL_USER_OBJ: | |
787 | va.va_mode |= ap->ae_perm << 6; | |
788 | break; | |
789 | case ACL_GROUP_OBJ: | |
790 | gap = ap; | |
791 | break; | |
792 | case ACL_MASK: /* more than just standard modes */ | |
793 | nomask = 0; | |
794 | va.va_mode |= ap->ae_perm << 3; | |
795 | *basicperms = 0; | |
796 | break; | |
797 | case ACL_OTHER: | |
798 | va.va_mode |= ap->ae_perm; | |
799 | break; | |
800 | default: /* more than just standard modes */ | |
801 | *basicperms = 0; | |
802 | break; | |
803 | } | |
804 | ap++; | |
805 | } | |
806 | ||
807 | /* Set the group bits from ACL_GROUP_OBJ if there's no ACL_MASK */ | |
808 | if (gap && nomask) | |
809 | va.va_mode |= gap->ae_perm << 3; | |
810 | ||
811 | VOP_SETATTR(vp, &va, 0, sys_cred, error); | |
812 | return error; | |
813 | } | |
814 | ||
815 | /* | |
816 | * The permissions for the special ACL entries (u::, g::[m::], o::) are | |
817 | * actually stored in the file mode (if there is both a group and a mask, | |
818 | * the group is stored in the ACL entry and the mask is stored on the file). | |
819 | * This allows the mode to remain automatically in sync with the ACL without | |
820 | * the need for a call-back to the ACL system at every point where the mode | |
821 | * could change. This function takes the permissions from the specified mode | |
822 | * and places it in the supplied ACL. | |
823 | * | |
824 | * This implementation draws its validity from the fact that, when the ACL | |
825 | * was assigned, the mode was copied from the ACL. | |
826 | * If the mode did not change, therefore, the mode remains exactly what was | |
827 | * taken from the special ACL entries at assignment. | |
828 | * If a subsequent chmod() was done, the POSIX spec says that the change in | |
829 | * mode must cause an update to the ACL seen at user level and used for | |
830 | * access checks. Before and after a mode change, therefore, the file mode | |
831 | * most accurately reflects what the special ACL entries should permit/deny. | |
832 | * | |
833 | * CAVEAT: If someone sets the SGI_ACL_FILE attribute directly, | |
834 | * the existing mode bits will override whatever is in the | |
835 | * ACL. Similarly, if there is a pre-existing ACL that was | |
836 | * never in sync with its mode (owing to a bug in 6.5 and | |
837 | * before), it will now magically (or mystically) be | |
838 | * synchronized. This could cause slight astonishment, but | |
839 | * it is better than inconsistent permissions. | |
840 | * | |
841 | * The supplied ACL is a template that may contain any combination | |
842 | * of special entries. These are treated as place holders when we fill | |
843 | * out the ACL. This routine does not add or remove special entries, it | |
844 | * simply unites each special entry with its associated set of permissions. | |
845 | */ | |
846 | STATIC void | |
847 | xfs_acl_sync_mode( | |
848 | mode_t mode, | |
849 | xfs_acl_t *acl) | |
850 | { | |
851 | int i, nomask = 1; | |
852 | xfs_acl_entry_t *ap; | |
853 | xfs_acl_entry_t *gap = NULL; | |
854 | ||
855 | /* | |
856 | * Set ACL entries. POSIX1003.1eD16 requires that the MASK | |
857 | * be set instead of the GROUP entry, if there is a MASK. | |
858 | */ | |
859 | for (ap = acl->acl_entry, i = 0; i < acl->acl_cnt; ap++, i++) { | |
860 | switch (ap->ae_tag) { | |
861 | case ACL_USER_OBJ: | |
862 | ap->ae_perm = (mode >> 6) & 0x7; | |
863 | break; | |
864 | case ACL_GROUP_OBJ: | |
865 | gap = ap; | |
866 | break; | |
867 | case ACL_MASK: | |
868 | nomask = 0; | |
869 | ap->ae_perm = (mode >> 3) & 0x7; | |
870 | break; | |
871 | case ACL_OTHER: | |
872 | ap->ae_perm = mode & 0x7; | |
873 | break; | |
874 | default: | |
875 | break; | |
876 | } | |
877 | } | |
878 | /* Set the ACL_GROUP_OBJ if there's no ACL_MASK */ | |
879 | if (gap && nomask) | |
880 | gap->ae_perm = (mode >> 3) & 0x7; | |
881 | } | |
882 | ||
883 | /* | |
884 | * When inheriting an Access ACL from a directory Default ACL, | |
885 | * the ACL bits are set to the intersection of the ACL default | |
886 | * permission bits and the file permission bits in mode. If there | |
887 | * are no permission bits on the file then we must not give them | |
888 | * the ACL. This is what what makes umask() work with ACLs. | |
889 | */ | |
890 | STATIC void | |
891 | xfs_acl_filter_mode( | |
892 | mode_t mode, | |
893 | xfs_acl_t *acl) | |
894 | { | |
895 | int i, nomask = 1; | |
896 | xfs_acl_entry_t *ap; | |
897 | xfs_acl_entry_t *gap = NULL; | |
898 | ||
899 | /* | |
900 | * Set ACL entries. POSIX1003.1eD16 requires that the MASK | |
901 | * be merged with GROUP entry, if there is a MASK. | |
902 | */ | |
903 | for (ap = acl->acl_entry, i = 0; i < acl->acl_cnt; ap++, i++) { | |
904 | switch (ap->ae_tag) { | |
905 | case ACL_USER_OBJ: | |
906 | ap->ae_perm &= (mode >> 6) & 0x7; | |
907 | break; | |
908 | case ACL_GROUP_OBJ: | |
909 | gap = ap; | |
910 | break; | |
911 | case ACL_MASK: | |
912 | nomask = 0; | |
913 | ap->ae_perm &= (mode >> 3) & 0x7; | |
914 | break; | |
915 | case ACL_OTHER: | |
916 | ap->ae_perm &= mode & 0x7; | |
917 | break; | |
918 | default: | |
919 | break; | |
920 | } | |
921 | } | |
922 | /* Set the ACL_GROUP_OBJ if there's no ACL_MASK */ | |
923 | if (gap && nomask) | |
924 | gap->ae_perm &= (mode >> 3) & 0x7; | |
925 | } |