Commit | Line | Data |
---|---|---|
1da177e4 LT |
1 | /* |
2 | * Copyright (c) 2001-2002 Silicon Graphics, Inc. All Rights Reserved. | |
3 | * | |
4 | * This program is free software; you can redistribute it and/or modify it | |
5 | * under the terms of version 2 of the GNU General Public License as | |
6 | * published by the Free Software Foundation. | |
7 | * | |
8 | * This program is distributed in the hope that it would be useful, but | |
9 | * WITHOUT ANY WARRANTY; without even the implied warranty of | |
10 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. | |
11 | * | |
12 | * Further, this software is distributed without any warranty that it is | |
13 | * free of the rightful claim of any third person regarding infringement | |
14 | * or the like. Any license provided herein, whether implied or | |
15 | * otherwise, applies only to this software file. Patent licenses, if | |
16 | * any, provided herein do not apply to combinations of this program with | |
17 | * other software, or any other product whatsoever. | |
18 | * | |
19 | * You should have received a copy of the GNU General Public License along | |
20 | * with this program; if not, write the Free Software Foundation, Inc., 59 | |
21 | * Temple Place - Suite 330, Boston MA 02111-1307, USA. | |
22 | * | |
23 | * Contact information: Silicon Graphics, Inc., 1600 Amphitheatre Pkwy, | |
24 | * Mountain View, CA 94043, or: | |
25 | * | |
26 | * http://www.sgi.com | |
27 | * | |
28 | * For further information regarding this notice, see: | |
29 | * | |
30 | * http://oss.sgi.com/projects/GenInfo/SGIGPLNoticeExplan/ | |
31 | */ | |
32 | ||
33 | #include "xfs.h" | |
34 | ||
35 | #include "xfs_inum.h" | |
36 | #include "xfs_dir.h" | |
37 | #include "xfs_dir2.h" | |
38 | #include "xfs_alloc_btree.h" | |
39 | #include "xfs_bmap_btree.h" | |
40 | #include "xfs_ialloc_btree.h" | |
41 | #include "xfs_btree.h" | |
42 | #include "xfs_attr_sf.h" | |
43 | #include "xfs_dir_sf.h" | |
44 | #include "xfs_dir2_sf.h" | |
45 | #include "xfs_dinode.h" | |
46 | #include "xfs_inode.h" | |
47 | #include "xfs_acl.h" | |
48 | #include "xfs_mac.h" | |
49 | #include "xfs_attr.h" | |
50 | ||
51 | #include <linux/posix_acl_xattr.h> | |
52 | ||
53 | STATIC int xfs_acl_setmode(vnode_t *, xfs_acl_t *, int *); | |
54 | STATIC void xfs_acl_filter_mode(mode_t, xfs_acl_t *); | |
55 | STATIC void xfs_acl_get_endian(xfs_acl_t *); | |
56 | STATIC int xfs_acl_access(uid_t, gid_t, xfs_acl_t *, mode_t, cred_t *); | |
57 | STATIC int xfs_acl_invalid(xfs_acl_t *); | |
58 | STATIC void xfs_acl_sync_mode(mode_t, xfs_acl_t *); | |
59 | STATIC void xfs_acl_get_attr(vnode_t *, xfs_acl_t *, int, int, int *); | |
60 | STATIC void xfs_acl_set_attr(vnode_t *, xfs_acl_t *, int, int *); | |
61 | STATIC int xfs_acl_allow_set(vnode_t *, int); | |
62 | ||
63 | kmem_zone_t *xfs_acl_zone; | |
64 | ||
65 | ||
66 | /* | |
67 | * Test for existence of access ACL attribute as efficiently as possible. | |
68 | */ | |
69 | int | |
70 | xfs_acl_vhasacl_access( | |
71 | vnode_t *vp) | |
72 | { | |
73 | int error; | |
74 | ||
75 | xfs_acl_get_attr(vp, NULL, _ACL_TYPE_ACCESS, ATTR_KERNOVAL, &error); | |
76 | return (error == 0); | |
77 | } | |
78 | ||
79 | /* | |
80 | * Test for existence of default ACL attribute as efficiently as possible. | |
81 | */ | |
82 | int | |
83 | xfs_acl_vhasacl_default( | |
84 | vnode_t *vp) | |
85 | { | |
86 | int error; | |
87 | ||
0432dab2 | 88 | if (!VN_ISDIR(vp)) |
1da177e4 LT |
89 | return 0; |
90 | xfs_acl_get_attr(vp, NULL, _ACL_TYPE_DEFAULT, ATTR_KERNOVAL, &error); | |
91 | return (error == 0); | |
92 | } | |
93 | ||
94 | /* | |
95 | * Convert from extended attribute representation to in-memory for XFS. | |
96 | */ | |
97 | STATIC int | |
98 | posix_acl_xattr_to_xfs( | |
99 | posix_acl_xattr_header *src, | |
100 | size_t size, | |
101 | xfs_acl_t *dest) | |
102 | { | |
103 | posix_acl_xattr_entry *src_entry; | |
104 | xfs_acl_entry_t *dest_entry; | |
105 | int n; | |
106 | ||
107 | if (!src || !dest) | |
108 | return EINVAL; | |
109 | ||
110 | if (size < sizeof(posix_acl_xattr_header)) | |
111 | return EINVAL; | |
112 | ||
113 | if (src->a_version != cpu_to_le32(POSIX_ACL_XATTR_VERSION)) | |
114 | return EOPNOTSUPP; | |
115 | ||
116 | memset(dest, 0, sizeof(xfs_acl_t)); | |
117 | dest->acl_cnt = posix_acl_xattr_count(size); | |
118 | if (dest->acl_cnt < 0 || dest->acl_cnt > XFS_ACL_MAX_ENTRIES) | |
119 | return EINVAL; | |
120 | ||
121 | /* | |
122 | * acl_set_file(3) may request that we set default ACLs with | |
123 | * zero length -- defend (gracefully) against that here. | |
124 | */ | |
125 | if (!dest->acl_cnt) | |
126 | return 0; | |
127 | ||
128 | src_entry = (posix_acl_xattr_entry *)((char *)src + sizeof(*src)); | |
129 | dest_entry = &dest->acl_entry[0]; | |
130 | ||
131 | for (n = 0; n < dest->acl_cnt; n++, src_entry++, dest_entry++) { | |
132 | dest_entry->ae_perm = le16_to_cpu(src_entry->e_perm); | |
133 | if (_ACL_PERM_INVALID(dest_entry->ae_perm)) | |
134 | return EINVAL; | |
135 | dest_entry->ae_tag = le16_to_cpu(src_entry->e_tag); | |
136 | switch(dest_entry->ae_tag) { | |
137 | case ACL_USER: | |
138 | case ACL_GROUP: | |
139 | dest_entry->ae_id = le32_to_cpu(src_entry->e_id); | |
140 | break; | |
141 | case ACL_USER_OBJ: | |
142 | case ACL_GROUP_OBJ: | |
143 | case ACL_MASK: | |
144 | case ACL_OTHER: | |
145 | dest_entry->ae_id = ACL_UNDEFINED_ID; | |
146 | break; | |
147 | default: | |
148 | return EINVAL; | |
149 | } | |
150 | } | |
151 | if (xfs_acl_invalid(dest)) | |
152 | return EINVAL; | |
153 | ||
154 | return 0; | |
155 | } | |
156 | ||
157 | /* | |
158 | * Comparison function called from qsort(). | |
159 | * Primary key is ae_tag, secondary key is ae_id. | |
160 | */ | |
161 | STATIC int | |
162 | xfs_acl_entry_compare( | |
163 | const void *va, | |
164 | const void *vb) | |
165 | { | |
166 | xfs_acl_entry_t *a = (xfs_acl_entry_t *)va, | |
167 | *b = (xfs_acl_entry_t *)vb; | |
168 | ||
169 | if (a->ae_tag == b->ae_tag) | |
170 | return (a->ae_id - b->ae_id); | |
171 | return (a->ae_tag - b->ae_tag); | |
172 | } | |
173 | ||
174 | /* | |
175 | * Convert from in-memory XFS to extended attribute representation. | |
176 | */ | |
177 | STATIC int | |
178 | posix_acl_xfs_to_xattr( | |
179 | xfs_acl_t *src, | |
180 | posix_acl_xattr_header *dest, | |
181 | size_t size) | |
182 | { | |
183 | int n; | |
184 | size_t new_size = posix_acl_xattr_size(src->acl_cnt); | |
185 | posix_acl_xattr_entry *dest_entry; | |
186 | xfs_acl_entry_t *src_entry; | |
187 | ||
188 | if (size < new_size) | |
189 | return -ERANGE; | |
190 | ||
191 | /* Need to sort src XFS ACL by <ae_tag,ae_id> */ | |
192 | qsort(src->acl_entry, src->acl_cnt, sizeof(src->acl_entry[0]), | |
193 | xfs_acl_entry_compare); | |
194 | ||
195 | dest->a_version = cpu_to_le32(POSIX_ACL_XATTR_VERSION); | |
196 | dest_entry = &dest->a_entries[0]; | |
197 | src_entry = &src->acl_entry[0]; | |
198 | for (n = 0; n < src->acl_cnt; n++, dest_entry++, src_entry++) { | |
199 | dest_entry->e_perm = cpu_to_le16(src_entry->ae_perm); | |
200 | if (_ACL_PERM_INVALID(src_entry->ae_perm)) | |
201 | return -EINVAL; | |
202 | dest_entry->e_tag = cpu_to_le16(src_entry->ae_tag); | |
203 | switch (src_entry->ae_tag) { | |
204 | case ACL_USER: | |
205 | case ACL_GROUP: | |
206 | dest_entry->e_id = cpu_to_le32(src_entry->ae_id); | |
207 | break; | |
208 | case ACL_USER_OBJ: | |
209 | case ACL_GROUP_OBJ: | |
210 | case ACL_MASK: | |
211 | case ACL_OTHER: | |
212 | dest_entry->e_id = cpu_to_le32(ACL_UNDEFINED_ID); | |
213 | break; | |
214 | default: | |
215 | return -EINVAL; | |
216 | } | |
217 | } | |
218 | return new_size; | |
219 | } | |
220 | ||
221 | int | |
222 | xfs_acl_vget( | |
223 | vnode_t *vp, | |
224 | void *acl, | |
225 | size_t size, | |
226 | int kind) | |
227 | { | |
228 | int error; | |
229 | xfs_acl_t *xfs_acl = NULL; | |
230 | posix_acl_xattr_header *ext_acl = acl; | |
231 | int flags = 0; | |
232 | ||
233 | VN_HOLD(vp); | |
234 | if(size) { | |
235 | if (!(_ACL_ALLOC(xfs_acl))) { | |
236 | error = ENOMEM; | |
237 | goto out; | |
238 | } | |
239 | memset(xfs_acl, 0, sizeof(xfs_acl_t)); | |
240 | } else | |
241 | flags = ATTR_KERNOVAL; | |
242 | ||
243 | xfs_acl_get_attr(vp, xfs_acl, kind, flags, &error); | |
244 | if (error) | |
245 | goto out; | |
246 | ||
247 | if (!size) { | |
248 | error = -posix_acl_xattr_size(XFS_ACL_MAX_ENTRIES); | |
249 | } else { | |
250 | if (xfs_acl_invalid(xfs_acl)) { | |
251 | error = EINVAL; | |
252 | goto out; | |
253 | } | |
254 | if (kind == _ACL_TYPE_ACCESS) { | |
255 | vattr_t va; | |
256 | ||
257 | va.va_mask = XFS_AT_MODE; | |
258 | VOP_GETATTR(vp, &va, 0, sys_cred, error); | |
259 | if (error) | |
260 | goto out; | |
261 | xfs_acl_sync_mode(va.va_mode, xfs_acl); | |
262 | } | |
263 | error = -posix_acl_xfs_to_xattr(xfs_acl, ext_acl, size); | |
264 | } | |
265 | out: | |
266 | VN_RELE(vp); | |
267 | if(xfs_acl) | |
268 | _ACL_FREE(xfs_acl); | |
269 | return -error; | |
270 | } | |
271 | ||
272 | int | |
273 | xfs_acl_vremove( | |
274 | vnode_t *vp, | |
275 | int kind) | |
276 | { | |
277 | int error; | |
278 | ||
279 | VN_HOLD(vp); | |
280 | error = xfs_acl_allow_set(vp, kind); | |
281 | if (!error) { | |
282 | VOP_ATTR_REMOVE(vp, kind == _ACL_TYPE_DEFAULT? | |
283 | SGI_ACL_DEFAULT: SGI_ACL_FILE, | |
284 | ATTR_ROOT, sys_cred, error); | |
285 | if (error == ENOATTR) | |
286 | error = 0; /* 'scool */ | |
287 | } | |
288 | VN_RELE(vp); | |
289 | return -error; | |
290 | } | |
291 | ||
292 | int | |
293 | xfs_acl_vset( | |
294 | vnode_t *vp, | |
295 | void *acl, | |
296 | size_t size, | |
297 | int kind) | |
298 | { | |
299 | posix_acl_xattr_header *ext_acl = acl; | |
300 | xfs_acl_t *xfs_acl; | |
301 | int error; | |
302 | int basicperms = 0; /* more than std unix perms? */ | |
303 | ||
304 | if (!acl) | |
305 | return -EINVAL; | |
306 | ||
307 | if (!(_ACL_ALLOC(xfs_acl))) | |
308 | return -ENOMEM; | |
309 | ||
310 | error = posix_acl_xattr_to_xfs(ext_acl, size, xfs_acl); | |
311 | if (error) { | |
312 | _ACL_FREE(xfs_acl); | |
313 | return -error; | |
314 | } | |
315 | if (!xfs_acl->acl_cnt) { | |
316 | _ACL_FREE(xfs_acl); | |
317 | return 0; | |
318 | } | |
319 | ||
320 | VN_HOLD(vp); | |
321 | error = xfs_acl_allow_set(vp, kind); | |
322 | if (error) | |
323 | goto out; | |
324 | ||
325 | /* Incoming ACL exists, set file mode based on its value */ | |
326 | if (kind == _ACL_TYPE_ACCESS) | |
327 | xfs_acl_setmode(vp, xfs_acl, &basicperms); | |
328 | ||
329 | /* | |
330 | * If we have more than std unix permissions, set up the actual attr. | |
331 | * Otherwise, delete any existing attr. This prevents us from | |
332 | * having actual attrs for permissions that can be stored in the | |
333 | * standard permission bits. | |
334 | */ | |
335 | if (!basicperms) { | |
336 | xfs_acl_set_attr(vp, xfs_acl, kind, &error); | |
337 | } else { | |
338 | xfs_acl_vremove(vp, _ACL_TYPE_ACCESS); | |
339 | } | |
340 | ||
341 | out: | |
342 | VN_RELE(vp); | |
343 | _ACL_FREE(xfs_acl); | |
344 | return -error; | |
345 | } | |
346 | ||
347 | int | |
348 | xfs_acl_iaccess( | |
349 | xfs_inode_t *ip, | |
350 | mode_t mode, | |
351 | cred_t *cr) | |
352 | { | |
353 | xfs_acl_t *acl; | |
354 | int rval; | |
355 | ||
356 | if (!(_ACL_ALLOC(acl))) | |
357 | return -1; | |
358 | ||
359 | /* If the file has no ACL return -1. */ | |
360 | rval = sizeof(xfs_acl_t); | |
361 | if (xfs_attr_fetch(ip, SGI_ACL_FILE, SGI_ACL_FILE_SIZE, | |
362 | (char *)acl, &rval, ATTR_ROOT | ATTR_KERNACCESS, cr)) { | |
363 | _ACL_FREE(acl); | |
364 | return -1; | |
365 | } | |
366 | xfs_acl_get_endian(acl); | |
367 | ||
368 | /* If the file has an empty ACL return -1. */ | |
369 | if (acl->acl_cnt == XFS_ACL_NOT_PRESENT) { | |
370 | _ACL_FREE(acl); | |
371 | return -1; | |
372 | } | |
373 | ||
374 | /* Synchronize ACL with mode bits */ | |
375 | xfs_acl_sync_mode(ip->i_d.di_mode, acl); | |
376 | ||
377 | rval = xfs_acl_access(ip->i_d.di_uid, ip->i_d.di_gid, acl, mode, cr); | |
378 | _ACL_FREE(acl); | |
379 | return rval; | |
380 | } | |
381 | ||
382 | STATIC int | |
383 | xfs_acl_allow_set( | |
384 | vnode_t *vp, | |
385 | int kind) | |
386 | { | |
387 | vattr_t va; | |
388 | int error; | |
389 | ||
390 | if (vp->v_inode.i_flags & (S_IMMUTABLE|S_APPEND)) | |
391 | return EPERM; | |
0432dab2 | 392 | if (kind == _ACL_TYPE_DEFAULT && !VN_ISDIR(vp)) |
1da177e4 LT |
393 | return ENOTDIR; |
394 | if (vp->v_vfsp->vfs_flag & VFS_RDONLY) | |
395 | return EROFS; | |
396 | va.va_mask = XFS_AT_UID; | |
397 | VOP_GETATTR(vp, &va, 0, NULL, error); | |
398 | if (error) | |
399 | return error; | |
400 | if (va.va_uid != current->fsuid && !capable(CAP_FOWNER)) | |
401 | return EPERM; | |
402 | return error; | |
403 | } | |
404 | ||
405 | /* | |
406 | * The access control process to determine the access permission: | |
407 | * if uid == file owner id, use the file owner bits. | |
408 | * if gid == file owner group id, use the file group bits. | |
409 | * scan ACL for a maching user or group, and use matched entry | |
410 | * permission. Use total permissions of all matching group entries, | |
411 | * until all acl entries are exhausted. The final permission produced | |
412 | * by matching acl entry or entries needs to be & with group permission. | |
413 | * if not owner, owning group, or matching entry in ACL, use file | |
414 | * other bits. | |
415 | */ | |
416 | STATIC int | |
417 | xfs_acl_capability_check( | |
418 | mode_t mode, | |
419 | cred_t *cr) | |
420 | { | |
421 | if ((mode & ACL_READ) && !capable_cred(cr, CAP_DAC_READ_SEARCH)) | |
422 | return EACCES; | |
423 | if ((mode & ACL_WRITE) && !capable_cred(cr, CAP_DAC_OVERRIDE)) | |
424 | return EACCES; | |
425 | if ((mode & ACL_EXECUTE) && !capable_cred(cr, CAP_DAC_OVERRIDE)) | |
426 | return EACCES; | |
427 | ||
428 | return 0; | |
429 | } | |
430 | ||
431 | /* | |
432 | * Note: cr is only used here for the capability check if the ACL test fails. | |
433 | * It is not used to find out the credentials uid or groups etc, as was | |
434 | * done in IRIX. It is assumed that the uid and groups for the current | |
435 | * thread are taken from "current" instead of the cr parameter. | |
436 | */ | |
437 | STATIC int | |
438 | xfs_acl_access( | |
439 | uid_t fuid, | |
440 | gid_t fgid, | |
441 | xfs_acl_t *fap, | |
442 | mode_t md, | |
443 | cred_t *cr) | |
444 | { | |
445 | xfs_acl_entry_t matched; | |
446 | int i, allows; | |
447 | int maskallows = -1; /* true, but not 1, either */ | |
448 | int seen_userobj = 0; | |
449 | ||
450 | matched.ae_tag = 0; /* Invalid type */ | |
451 | md >>= 6; /* Normalize the bits for comparison */ | |
452 | ||
453 | for (i = 0; i < fap->acl_cnt; i++) { | |
454 | /* | |
455 | * Break out if we've got a user_obj entry or | |
456 | * a user entry and the mask (and have processed USER_OBJ) | |
457 | */ | |
458 | if (matched.ae_tag == ACL_USER_OBJ) | |
459 | break; | |
460 | if (matched.ae_tag == ACL_USER) { | |
461 | if (maskallows != -1 && seen_userobj) | |
462 | break; | |
463 | if (fap->acl_entry[i].ae_tag != ACL_MASK && | |
464 | fap->acl_entry[i].ae_tag != ACL_USER_OBJ) | |
465 | continue; | |
466 | } | |
467 | /* True if this entry allows the requested access */ | |
468 | allows = ((fap->acl_entry[i].ae_perm & md) == md); | |
469 | ||
470 | switch (fap->acl_entry[i].ae_tag) { | |
471 | case ACL_USER_OBJ: | |
472 | seen_userobj = 1; | |
473 | if (fuid != current->fsuid) | |
474 | continue; | |
475 | matched.ae_tag = ACL_USER_OBJ; | |
476 | matched.ae_perm = allows; | |
477 | break; | |
478 | case ACL_USER: | |
479 | if (fap->acl_entry[i].ae_id != current->fsuid) | |
480 | continue; | |
481 | matched.ae_tag = ACL_USER; | |
482 | matched.ae_perm = allows; | |
483 | break; | |
484 | case ACL_GROUP_OBJ: | |
485 | if ((matched.ae_tag == ACL_GROUP_OBJ || | |
486 | matched.ae_tag == ACL_GROUP) && !allows) | |
487 | continue; | |
488 | if (!in_group_p(fgid)) | |
489 | continue; | |
490 | matched.ae_tag = ACL_GROUP_OBJ; | |
491 | matched.ae_perm = allows; | |
492 | break; | |
493 | case ACL_GROUP: | |
494 | if ((matched.ae_tag == ACL_GROUP_OBJ || | |
495 | matched.ae_tag == ACL_GROUP) && !allows) | |
496 | continue; | |
497 | if (!in_group_p(fap->acl_entry[i].ae_id)) | |
498 | continue; | |
499 | matched.ae_tag = ACL_GROUP; | |
500 | matched.ae_perm = allows; | |
501 | break; | |
502 | case ACL_MASK: | |
503 | maskallows = allows; | |
504 | break; | |
505 | case ACL_OTHER: | |
506 | if (matched.ae_tag != 0) | |
507 | continue; | |
508 | matched.ae_tag = ACL_OTHER; | |
509 | matched.ae_perm = allows; | |
510 | break; | |
511 | } | |
512 | } | |
513 | /* | |
514 | * First possibility is that no matched entry allows access. | |
515 | * The capability to override DAC may exist, so check for it. | |
516 | */ | |
517 | switch (matched.ae_tag) { | |
518 | case ACL_OTHER: | |
519 | case ACL_USER_OBJ: | |
520 | if (matched.ae_perm) | |
521 | return 0; | |
522 | break; | |
523 | case ACL_USER: | |
524 | case ACL_GROUP_OBJ: | |
525 | case ACL_GROUP: | |
526 | if (maskallows && matched.ae_perm) | |
527 | return 0; | |
528 | break; | |
529 | case 0: | |
530 | break; | |
531 | } | |
532 | ||
533 | return xfs_acl_capability_check(md, cr); | |
534 | } | |
535 | ||
536 | /* | |
537 | * ACL validity checker. | |
538 | * This acl validation routine checks each ACL entry read in makes sense. | |
539 | */ | |
540 | STATIC int | |
541 | xfs_acl_invalid( | |
542 | xfs_acl_t *aclp) | |
543 | { | |
544 | xfs_acl_entry_t *entry, *e; | |
545 | int user = 0, group = 0, other = 0, mask = 0; | |
546 | int mask_required = 0; | |
547 | int i, j; | |
548 | ||
549 | if (!aclp) | |
550 | goto acl_invalid; | |
551 | ||
552 | if (aclp->acl_cnt > XFS_ACL_MAX_ENTRIES) | |
553 | goto acl_invalid; | |
554 | ||
555 | for (i = 0; i < aclp->acl_cnt; i++) { | |
556 | entry = &aclp->acl_entry[i]; | |
557 | switch (entry->ae_tag) { | |
558 | case ACL_USER_OBJ: | |
559 | if (user++) | |
560 | goto acl_invalid; | |
561 | break; | |
562 | case ACL_GROUP_OBJ: | |
563 | if (group++) | |
564 | goto acl_invalid; | |
565 | break; | |
566 | case ACL_OTHER: | |
567 | if (other++) | |
568 | goto acl_invalid; | |
569 | break; | |
570 | case ACL_USER: | |
571 | case ACL_GROUP: | |
572 | for (j = i + 1; j < aclp->acl_cnt; j++) { | |
573 | e = &aclp->acl_entry[j]; | |
574 | if (e->ae_id == entry->ae_id && | |
575 | e->ae_tag == entry->ae_tag) | |
576 | goto acl_invalid; | |
577 | } | |
578 | mask_required++; | |
579 | break; | |
580 | case ACL_MASK: | |
581 | if (mask++) | |
582 | goto acl_invalid; | |
583 | break; | |
584 | default: | |
585 | goto acl_invalid; | |
586 | } | |
587 | } | |
588 | if (!user || !group || !other || (mask_required && !mask)) | |
589 | goto acl_invalid; | |
590 | else | |
591 | return 0; | |
592 | acl_invalid: | |
593 | return EINVAL; | |
594 | } | |
595 | ||
596 | /* | |
597 | * Do ACL endian conversion. | |
598 | */ | |
599 | STATIC void | |
600 | xfs_acl_get_endian( | |
601 | xfs_acl_t *aclp) | |
602 | { | |
603 | xfs_acl_entry_t *ace, *end; | |
604 | ||
605 | INT_SET(aclp->acl_cnt, ARCH_CONVERT, aclp->acl_cnt); | |
606 | end = &aclp->acl_entry[0]+aclp->acl_cnt; | |
607 | for (ace = &aclp->acl_entry[0]; ace < end; ace++) { | |
608 | INT_SET(ace->ae_tag, ARCH_CONVERT, ace->ae_tag); | |
609 | INT_SET(ace->ae_id, ARCH_CONVERT, ace->ae_id); | |
610 | INT_SET(ace->ae_perm, ARCH_CONVERT, ace->ae_perm); | |
611 | } | |
612 | } | |
613 | ||
614 | /* | |
615 | * Get the ACL from the EA and do endian conversion. | |
616 | */ | |
617 | STATIC void | |
618 | xfs_acl_get_attr( | |
619 | vnode_t *vp, | |
620 | xfs_acl_t *aclp, | |
621 | int kind, | |
622 | int flags, | |
623 | int *error) | |
624 | { | |
625 | int len = sizeof(xfs_acl_t); | |
626 | ||
627 | ASSERT((flags & ATTR_KERNOVAL) ? (aclp == NULL) : 1); | |
628 | flags |= ATTR_ROOT; | |
629 | VOP_ATTR_GET(vp, | |
630 | kind == _ACL_TYPE_ACCESS ? SGI_ACL_FILE : SGI_ACL_DEFAULT, | |
631 | (char *)aclp, &len, flags, sys_cred, *error); | |
632 | if (*error || (flags & ATTR_KERNOVAL)) | |
633 | return; | |
634 | xfs_acl_get_endian(aclp); | |
635 | } | |
636 | ||
637 | /* | |
638 | * Set the EA with the ACL and do endian conversion. | |
639 | */ | |
640 | STATIC void | |
641 | xfs_acl_set_attr( | |
642 | vnode_t *vp, | |
643 | xfs_acl_t *aclp, | |
644 | int kind, | |
645 | int *error) | |
646 | { | |
647 | xfs_acl_entry_t *ace, *newace, *end; | |
648 | xfs_acl_t *newacl; | |
649 | int len; | |
650 | ||
651 | if (!(_ACL_ALLOC(newacl))) { | |
652 | *error = ENOMEM; | |
653 | return; | |
654 | } | |
655 | ||
656 | len = sizeof(xfs_acl_t) - | |
657 | (sizeof(xfs_acl_entry_t) * (XFS_ACL_MAX_ENTRIES - aclp->acl_cnt)); | |
658 | end = &aclp->acl_entry[0]+aclp->acl_cnt; | |
659 | for (ace = &aclp->acl_entry[0], newace = &newacl->acl_entry[0]; | |
660 | ace < end; | |
661 | ace++, newace++) { | |
662 | INT_SET(newace->ae_tag, ARCH_CONVERT, ace->ae_tag); | |
663 | INT_SET(newace->ae_id, ARCH_CONVERT, ace->ae_id); | |
664 | INT_SET(newace->ae_perm, ARCH_CONVERT, ace->ae_perm); | |
665 | } | |
666 | INT_SET(newacl->acl_cnt, ARCH_CONVERT, aclp->acl_cnt); | |
667 | VOP_ATTR_SET(vp, | |
668 | kind == _ACL_TYPE_ACCESS ? SGI_ACL_FILE: SGI_ACL_DEFAULT, | |
669 | (char *)newacl, len, ATTR_ROOT, sys_cred, *error); | |
670 | _ACL_FREE(newacl); | |
671 | } | |
672 | ||
673 | int | |
674 | xfs_acl_vtoacl( | |
675 | vnode_t *vp, | |
676 | xfs_acl_t *access_acl, | |
677 | xfs_acl_t *default_acl) | |
678 | { | |
679 | vattr_t va; | |
680 | int error = 0; | |
681 | ||
682 | if (access_acl) { | |
683 | /* | |
684 | * Get the Access ACL and the mode. If either cannot | |
685 | * be obtained for some reason, invalidate the access ACL. | |
686 | */ | |
687 | xfs_acl_get_attr(vp, access_acl, _ACL_TYPE_ACCESS, 0, &error); | |
688 | if (!error) { | |
689 | /* Got the ACL, need the mode... */ | |
690 | va.va_mask = XFS_AT_MODE; | |
691 | VOP_GETATTR(vp, &va, 0, sys_cred, error); | |
692 | } | |
693 | ||
694 | if (error) | |
695 | access_acl->acl_cnt = XFS_ACL_NOT_PRESENT; | |
696 | else /* We have a good ACL and the file mode, synchronize. */ | |
697 | xfs_acl_sync_mode(va.va_mode, access_acl); | |
698 | } | |
699 | ||
700 | if (default_acl) { | |
701 | xfs_acl_get_attr(vp, default_acl, _ACL_TYPE_DEFAULT, 0, &error); | |
702 | if (error) | |
703 | default_acl->acl_cnt = XFS_ACL_NOT_PRESENT; | |
704 | } | |
705 | return error; | |
706 | } | |
707 | ||
708 | /* | |
709 | * This function retrieves the parent directory's acl, processes it | |
710 | * and lets the child inherit the acl(s) that it should. | |
711 | */ | |
712 | int | |
713 | xfs_acl_inherit( | |
714 | vnode_t *vp, | |
715 | vattr_t *vap, | |
716 | xfs_acl_t *pdaclp) | |
717 | { | |
718 | xfs_acl_t *cacl; | |
719 | int error = 0; | |
720 | int basicperms = 0; | |
721 | ||
722 | /* | |
723 | * If the parent does not have a default ACL, or it's an | |
724 | * invalid ACL, we're done. | |
725 | */ | |
726 | if (!vp) | |
727 | return 0; | |
728 | if (!pdaclp || xfs_acl_invalid(pdaclp)) | |
729 | return 0; | |
730 | ||
731 | /* | |
732 | * Copy the default ACL of the containing directory to | |
733 | * the access ACL of the new file and use the mode that | |
734 | * was passed in to set up the correct initial values for | |
735 | * the u::,g::[m::], and o:: entries. This is what makes | |
736 | * umask() "work" with ACL's. | |
737 | */ | |
738 | ||
739 | if (!(_ACL_ALLOC(cacl))) | |
740 | return ENOMEM; | |
741 | ||
742 | memcpy(cacl, pdaclp, sizeof(xfs_acl_t)); | |
743 | xfs_acl_filter_mode(vap->va_mode, cacl); | |
744 | xfs_acl_setmode(vp, cacl, &basicperms); | |
745 | ||
746 | /* | |
747 | * Set the Default and Access ACL on the file. The mode is already | |
748 | * set on the file, so we don't need to worry about that. | |
749 | * | |
750 | * If the new file is a directory, its default ACL is a copy of | |
751 | * the containing directory's default ACL. | |
752 | */ | |
0432dab2 | 753 | if (VN_ISDIR(vp)) |
1da177e4 LT |
754 | xfs_acl_set_attr(vp, pdaclp, _ACL_TYPE_DEFAULT, &error); |
755 | if (!error && !basicperms) | |
756 | xfs_acl_set_attr(vp, cacl, _ACL_TYPE_ACCESS, &error); | |
757 | _ACL_FREE(cacl); | |
758 | return error; | |
759 | } | |
760 | ||
761 | /* | |
762 | * Set up the correct mode on the file based on the supplied ACL. This | |
763 | * makes sure that the mode on the file reflects the state of the | |
764 | * u::,g::[m::], and o:: entries in the ACL. Since the mode is where | |
765 | * the ACL is going to get the permissions for these entries, we must | |
766 | * synchronize the mode whenever we set the ACL on a file. | |
767 | */ | |
768 | STATIC int | |
769 | xfs_acl_setmode( | |
770 | vnode_t *vp, | |
771 | xfs_acl_t *acl, | |
772 | int *basicperms) | |
773 | { | |
774 | vattr_t va; | |
775 | xfs_acl_entry_t *ap; | |
776 | xfs_acl_entry_t *gap = NULL; | |
777 | int i, error, nomask = 1; | |
778 | ||
779 | *basicperms = 1; | |
780 | ||
781 | if (acl->acl_cnt == XFS_ACL_NOT_PRESENT) | |
782 | return 0; | |
783 | ||
784 | /* | |
785 | * Copy the u::, g::, o::, and m:: bits from the ACL into the | |
786 | * mode. The m:: bits take precedence over the g:: bits. | |
787 | */ | |
788 | va.va_mask = XFS_AT_MODE; | |
789 | VOP_GETATTR(vp, &va, 0, sys_cred, error); | |
790 | if (error) | |
791 | return error; | |
792 | ||
793 | va.va_mask = XFS_AT_MODE; | |
794 | va.va_mode &= ~(S_IRWXU|S_IRWXG|S_IRWXO); | |
795 | ap = acl->acl_entry; | |
796 | for (i = 0; i < acl->acl_cnt; ++i) { | |
797 | switch (ap->ae_tag) { | |
798 | case ACL_USER_OBJ: | |
799 | va.va_mode |= ap->ae_perm << 6; | |
800 | break; | |
801 | case ACL_GROUP_OBJ: | |
802 | gap = ap; | |
803 | break; | |
804 | case ACL_MASK: /* more than just standard modes */ | |
805 | nomask = 0; | |
806 | va.va_mode |= ap->ae_perm << 3; | |
807 | *basicperms = 0; | |
808 | break; | |
809 | case ACL_OTHER: | |
810 | va.va_mode |= ap->ae_perm; | |
811 | break; | |
812 | default: /* more than just standard modes */ | |
813 | *basicperms = 0; | |
814 | break; | |
815 | } | |
816 | ap++; | |
817 | } | |
818 | ||
819 | /* Set the group bits from ACL_GROUP_OBJ if there's no ACL_MASK */ | |
820 | if (gap && nomask) | |
821 | va.va_mode |= gap->ae_perm << 3; | |
822 | ||
823 | VOP_SETATTR(vp, &va, 0, sys_cred, error); | |
824 | return error; | |
825 | } | |
826 | ||
827 | /* | |
828 | * The permissions for the special ACL entries (u::, g::[m::], o::) are | |
829 | * actually stored in the file mode (if there is both a group and a mask, | |
830 | * the group is stored in the ACL entry and the mask is stored on the file). | |
831 | * This allows the mode to remain automatically in sync with the ACL without | |
832 | * the need for a call-back to the ACL system at every point where the mode | |
833 | * could change. This function takes the permissions from the specified mode | |
834 | * and places it in the supplied ACL. | |
835 | * | |
836 | * This implementation draws its validity from the fact that, when the ACL | |
837 | * was assigned, the mode was copied from the ACL. | |
838 | * If the mode did not change, therefore, the mode remains exactly what was | |
839 | * taken from the special ACL entries at assignment. | |
840 | * If a subsequent chmod() was done, the POSIX spec says that the change in | |
841 | * mode must cause an update to the ACL seen at user level and used for | |
842 | * access checks. Before and after a mode change, therefore, the file mode | |
843 | * most accurately reflects what the special ACL entries should permit/deny. | |
844 | * | |
845 | * CAVEAT: If someone sets the SGI_ACL_FILE attribute directly, | |
846 | * the existing mode bits will override whatever is in the | |
847 | * ACL. Similarly, if there is a pre-existing ACL that was | |
848 | * never in sync with its mode (owing to a bug in 6.5 and | |
849 | * before), it will now magically (or mystically) be | |
850 | * synchronized. This could cause slight astonishment, but | |
851 | * it is better than inconsistent permissions. | |
852 | * | |
853 | * The supplied ACL is a template that may contain any combination | |
854 | * of special entries. These are treated as place holders when we fill | |
855 | * out the ACL. This routine does not add or remove special entries, it | |
856 | * simply unites each special entry with its associated set of permissions. | |
857 | */ | |
858 | STATIC void | |
859 | xfs_acl_sync_mode( | |
860 | mode_t mode, | |
861 | xfs_acl_t *acl) | |
862 | { | |
863 | int i, nomask = 1; | |
864 | xfs_acl_entry_t *ap; | |
865 | xfs_acl_entry_t *gap = NULL; | |
866 | ||
867 | /* | |
868 | * Set ACL entries. POSIX1003.1eD16 requires that the MASK | |
869 | * be set instead of the GROUP entry, if there is a MASK. | |
870 | */ | |
871 | for (ap = acl->acl_entry, i = 0; i < acl->acl_cnt; ap++, i++) { | |
872 | switch (ap->ae_tag) { | |
873 | case ACL_USER_OBJ: | |
874 | ap->ae_perm = (mode >> 6) & 0x7; | |
875 | break; | |
876 | case ACL_GROUP_OBJ: | |
877 | gap = ap; | |
878 | break; | |
879 | case ACL_MASK: | |
880 | nomask = 0; | |
881 | ap->ae_perm = (mode >> 3) & 0x7; | |
882 | break; | |
883 | case ACL_OTHER: | |
884 | ap->ae_perm = mode & 0x7; | |
885 | break; | |
886 | default: | |
887 | break; | |
888 | } | |
889 | } | |
890 | /* Set the ACL_GROUP_OBJ if there's no ACL_MASK */ | |
891 | if (gap && nomask) | |
892 | gap->ae_perm = (mode >> 3) & 0x7; | |
893 | } | |
894 | ||
895 | /* | |
896 | * When inheriting an Access ACL from a directory Default ACL, | |
897 | * the ACL bits are set to the intersection of the ACL default | |
898 | * permission bits and the file permission bits in mode. If there | |
899 | * are no permission bits on the file then we must not give them | |
900 | * the ACL. This is what what makes umask() work with ACLs. | |
901 | */ | |
902 | STATIC void | |
903 | xfs_acl_filter_mode( | |
904 | mode_t mode, | |
905 | xfs_acl_t *acl) | |
906 | { | |
907 | int i, nomask = 1; | |
908 | xfs_acl_entry_t *ap; | |
909 | xfs_acl_entry_t *gap = NULL; | |
910 | ||
911 | /* | |
912 | * Set ACL entries. POSIX1003.1eD16 requires that the MASK | |
913 | * be merged with GROUP entry, if there is a MASK. | |
914 | */ | |
915 | for (ap = acl->acl_entry, i = 0; i < acl->acl_cnt; ap++, i++) { | |
916 | switch (ap->ae_tag) { | |
917 | case ACL_USER_OBJ: | |
918 | ap->ae_perm &= (mode >> 6) & 0x7; | |
919 | break; | |
920 | case ACL_GROUP_OBJ: | |
921 | gap = ap; | |
922 | break; | |
923 | case ACL_MASK: | |
924 | nomask = 0; | |
925 | ap->ae_perm &= (mode >> 3) & 0x7; | |
926 | break; | |
927 | case ACL_OTHER: | |
928 | ap->ae_perm &= mode & 0x7; | |
929 | break; | |
930 | default: | |
931 | break; | |
932 | } | |
933 | } | |
934 | /* Set the ACL_GROUP_OBJ if there's no ACL_MASK */ | |
935 | if (gap && nomask) | |
936 | gap->ae_perm &= (mode >> 3) & 0x7; | |
937 | } |