Author: trasz
Date: Sat Mar 27 16:31:49 2010
New Revision: 205737
URL: http://svn.freebsd.org/changeset/base/205737

Log:
  MFC r197405:
  
  Add pieces of infrastructure required for NFSv4 ACL support in UFS.
  
  Reviewed by:  rwatson

Modified:
  stable/8/sys/conf/files
  stable/8/sys/kern/subr_acl_nfs4.c
  stable/8/sys/sys/vnode.h
Directory Properties:
  stable/8/sys/   (props changed)
  stable/8/sys/amd64/include/xen/   (props changed)
  stable/8/sys/cddl/contrib/opensolaris/   (props changed)
  stable/8/sys/contrib/dev/acpica/   (props changed)
  stable/8/sys/contrib/pf/   (props changed)
  stable/8/sys/dev/xen/xenpci/   (props changed)

Modified: stable/8/sys/conf/files
==============================================================================
--- stable/8/sys/conf/files     Sat Mar 27 15:45:11 2010        (r205736)
+++ stable/8/sys/conf/files     Sat Mar 27 16:31:49 2010        (r205737)
@@ -2098,6 +2098,7 @@ kern/sched_ule.c          optional sched_ule
 kern/serdev_if.m               standard
 kern/stack_protector.c         standard \
        compile-with "${NORMAL_C:N-fstack-protector*}"
+kern/subr_acl_nfs4.c           standard
 kern/subr_acl_posix1e.c                standard
 kern/subr_autoconf.c           standard
 kern/subr_blist.c              standard

Modified: stable/8/sys/kern/subr_acl_nfs4.c
==============================================================================
--- stable/8/sys/kern/subr_acl_nfs4.c   Sat Mar 27 15:45:11 2010        
(r205736)
+++ stable/8/sys/kern/subr_acl_nfs4.c   Sat Mar 27 16:31:49 2010        
(r205737)
@@ -1,5 +1,5 @@
 /*-
- * Copyright (c) 2008 Edward Tomasz Napierała <tr...@freebsd.org>
+ * Copyright (c) 2008-2009 Edward Tomasz Napierała <tr...@freebsd.org>
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -49,7 +49,213 @@ __FBSDID("$FreeBSD$");
 #include <sys/stat.h>
 #define KASSERT(a, b) assert(a)
 #define CTASSERT(a)
-#endif
+#endif /* _KERNEL */
+
+#ifdef _KERNEL
+
+static struct {
+       accmode_t accmode;
+       int mask;
+} accmode2mask[] = {{VREAD, ACL_READ_DATA},
+                   {VWRITE, ACL_WRITE_DATA},
+                   {VAPPEND, ACL_APPEND_DATA},
+                   {VEXEC, ACL_EXECUTE},
+                   {VREAD_NAMED_ATTRS, ACL_READ_NAMED_ATTRS},
+                   {VWRITE_NAMED_ATTRS, ACL_WRITE_NAMED_ATTRS},
+                   {VDELETE_CHILD, ACL_DELETE_CHILD},
+                   {VREAD_ATTRIBUTES, ACL_READ_ATTRIBUTES},
+                   {VWRITE_ATTRIBUTES, ACL_WRITE_ATTRIBUTES},
+                   {VDELETE, ACL_DELETE},
+                   {VREAD_ACL, ACL_READ_ACL},
+                   {VWRITE_ACL, ACL_WRITE_ACL},
+                   {VWRITE_OWNER, ACL_WRITE_OWNER},
+                   {VSYNCHRONIZE, ACL_SYNCHRONIZE},
+                   {0, 0}};
+
+static int
+_access_mask_from_accmode(accmode_t accmode)
+{
+       int access_mask = 0, i;
+
+       for (i = 0; accmode2mask[i].accmode != 0; i++) {
+               if (accmode & accmode2mask[i].accmode)
+                       access_mask |= accmode2mask[i].mask;
+       }
+
+       return (access_mask);
+}
+
+/*
+ * Return 0, iff access is allowed, 1 otherwise.
+ */
+static int
+_acl_denies(const struct acl *aclp, int access_mask, struct ucred *cred,
+    int file_uid, int file_gid, int *denied_explicitly)
+{
+       int i;
+       const struct acl_entry *entry;
+
+       if (denied_explicitly != NULL)
+               *denied_explicitly = 0;
+
+       KASSERT(aclp->acl_cnt > 0, ("aclp->acl_cnt > 0"));
+       KASSERT(aclp->acl_cnt <= ACL_MAX_ENTRIES,
+           ("aclp->acl_cnt <= ACL_MAX_ENTRIES"));
+
+       for (i = 0; i < aclp->acl_cnt; i++) {
+               entry = &(aclp->acl_entry[i]);
+
+               if (entry->ae_entry_type != ACL_ENTRY_TYPE_ALLOW &&
+                   entry->ae_entry_type != ACL_ENTRY_TYPE_DENY)
+                       continue;
+               if (entry->ae_flags & ACL_ENTRY_INHERIT_ONLY)
+                       continue;
+               switch (entry->ae_tag) {
+               case ACL_USER_OBJ:
+                       if (file_uid != cred->cr_uid)
+                               continue;
+                       break;
+               case ACL_USER:
+                       if (entry->ae_id != cred->cr_uid)
+                               continue;
+                       break;
+               case ACL_GROUP_OBJ:
+                       if (!groupmember(file_gid, cred))
+                               continue;
+                       break;
+               case ACL_GROUP:
+                       if (!groupmember(entry->ae_id, cred))
+                               continue;
+                       break;
+               default:
+                       KASSERT(entry->ae_tag == ACL_EVERYONE,
+                           ("entry->ae_tag == ACL_EVERYONE"));
+               }
+
+               if (entry->ae_entry_type == ACL_ENTRY_TYPE_DENY) {
+                       if (entry->ae_perm & access_mask) {
+                               if (denied_explicitly != NULL)
+                                       *denied_explicitly = 1;
+                               return (1);
+                       }
+               }
+
+               access_mask &= ~(entry->ae_perm);
+               if (access_mask == 0)
+                       return (0);
+       }
+
+       return (1);
+}
+
+int
+vaccess_acl_nfs4(enum vtype type, uid_t file_uid, gid_t file_gid,
+    struct acl *aclp, accmode_t accmode, struct ucred *cred, int *privused)
+{
+       accmode_t priv_granted = 0;
+       int denied, explicitly_denied, access_mask, is_directory,
+           must_be_owner = 0;
+
+       if (privused != NULL)
+               *privused = 0;
+
+       if (accmode & VADMIN)
+               must_be_owner = 1;
+
+       /*
+        * Ignore VSYNCHRONIZE permission.
+        */
+       accmode &= ~VSYNCHRONIZE;
+
+       access_mask = _access_mask_from_accmode(accmode);
+
+       if (type == VDIR)
+               is_directory = 1;
+       else
+               is_directory = 0;
+
+       /*
+        * File owner is always allowed to read and write the ACL
+        * and basic attributes.  This is to prevent a situation
+        * where user would change ACL in a way that prevents him
+        * from undoing the change.
+        */
+       if (file_uid == cred->cr_uid)
+               access_mask &= ~(ACL_READ_ACL | ACL_WRITE_ACL |
+                   ACL_READ_ATTRIBUTES | ACL_WRITE_ATTRIBUTES);
+
+       /*
+        * Ignore append permission for regular files; use write
+        * permission instead.
+        */
+       if (!is_directory && (access_mask & ACL_APPEND_DATA)) {
+               access_mask &= ~ACL_APPEND_DATA;
+               access_mask |= ACL_WRITE_DATA;
+       }
+
+       denied = _acl_denies(aclp, access_mask, cred, file_uid, file_gid,
+           &explicitly_denied);
+
+       if (must_be_owner) {
+               if (file_uid != cred->cr_uid)
+                       denied = EPERM;
+       }
+
+       if (!denied)
+               return (0);
+
+       /*
+        * Access failed.  Iff it was not denied explicitly and
+        * VEXPLICIT_DENY flag was specified, allow access.
+        */
+       if ((accmode & VEXPLICIT_DENY) && explicitly_denied == 0)
+               return (0);
+
+       accmode &= ~VEXPLICIT_DENY;
+
+       /*
+        * No match.  Try to use privileges, if there are any.
+        */
+       if (is_directory) {
+               if ((accmode & VEXEC) && !priv_check_cred(cred,
+                   PRIV_VFS_LOOKUP, 0))
+                       priv_granted |= VEXEC;
+       } else {
+               if ((accmode & VEXEC) && !priv_check_cred(cred,
+                   PRIV_VFS_EXEC, 0))
+                       priv_granted |= VEXEC;
+       }
+
+       if ((accmode & VREAD) && !priv_check_cred(cred, PRIV_VFS_READ, 0))
+               priv_granted |= VREAD;
+
+       if ((accmode & (VWRITE | VAPPEND | VDELETE_CHILD)) &&
+           !priv_check_cred(cred, PRIV_VFS_WRITE, 0))
+               priv_granted |= (VWRITE | VAPPEND | VDELETE_CHILD);
+
+       if ((accmode & VADMIN_PERMS) &&
+           !priv_check_cred(cred, PRIV_VFS_ADMIN, 0))
+               priv_granted |= VADMIN_PERMS;
+
+       if ((accmode & VSTAT_PERMS) &&
+           !priv_check_cred(cred, PRIV_VFS_STAT, 0))
+               priv_granted |= VSTAT_PERMS;
+
+       if ((accmode & priv_granted) == accmode) {
+               if (privused != NULL)
+                       *privused = 1;
+
+               return (0);
+       }
+
+       if (accmode & (VADMIN_PERMS | VDELETE_CHILD | VDELETE))
+               denied = EPERM;
+       else
+               denied = EACCES;
+
+       return (denied);
+}
+#endif /* _KERNEL */
 
 static int
 _acl_entry_matches(struct acl_entry *entry, acl_tag_t tag, acl_perm_t perm,
@@ -577,3 +783,290 @@ acl_nfs4_sync_mode_from_acl(mode_t *_mod
 
        *_mode = mode | (old_mode & ACL_PRESERVE_MASK);
 }
+
+void           
+acl_nfs4_compute_inherited_acl(const struct acl *parent_aclp,
+    struct acl *child_aclp, mode_t mode, int file_owner_id,
+    int is_directory)
+{
+       int i, flags;
+       const struct acl_entry *parent_entry;
+       struct acl_entry *entry, *copy;
+
+       KASSERT(child_aclp->acl_cnt == 0, ("child_aclp->acl_cnt == 0"));
+       KASSERT(parent_aclp->acl_cnt > 0, ("parent_aclp->acl_cnt > 0"));
+       KASSERT(parent_aclp->acl_cnt <= ACL_MAX_ENTRIES,
+           ("parent_aclp->acl_cnt <= ACL_MAX_ENTRIES"));
+
+       /*
+        * NFSv4 Minor Version 1, draft-ietf-nfsv4-minorversion1-03.txt
+        *
+        * 3.16.6.2. Applying the mode given to CREATE or OPEN
+        *           to an inherited ACL
+        */
+
+       /*
+        * 1. Form an ACL that is the concatenation of all inheritable ACEs.
+        */
+       for (i = 0; i < parent_aclp->acl_cnt; i++) {
+               parent_entry = &(parent_aclp->acl_entry[i]);
+               flags = parent_entry->ae_flags;
+
+               /*
+                * Entry is not inheritable at all.
+                */
+               if ((flags & (ACL_ENTRY_DIRECTORY_INHERIT |
+                   ACL_ENTRY_FILE_INHERIT)) == 0)
+                       continue;
+
+               /*
+                * We're creating a file, but entry is not inheritable
+                * by files.
+                */
+               if (!is_directory && (flags & ACL_ENTRY_FILE_INHERIT) == 0)
+                       continue;
+
+               /*
+                * Entry is inheritable only by files, but has NO_PROPAGATE
+                * flag set, and we're creating a directory, so it wouldn't
+                * propagate to any file in that directory anyway.
+                */
+               if (is_directory &&
+                   (flags & ACL_ENTRY_DIRECTORY_INHERIT) == 0 &&
+                   (flags & ACL_ENTRY_NO_PROPAGATE_INHERIT))
+                       continue;
+
+               KASSERT(child_aclp->acl_cnt + 1 <= ACL_MAX_ENTRIES,
+                   ("child_aclp->acl_cnt + 1 <= ACL_MAX_ENTRIES"));
+               child_aclp->acl_entry[child_aclp->acl_cnt] = *parent_entry;
+               child_aclp->acl_cnt++;
+       }
+
+       /*
+        * 2. For each entry in the new ACL, adjust its flags, possibly
+        *    creating two entries in place of one.
+        */
+       for (i = 0; i < child_aclp->acl_cnt; i++) {
+               entry = &(child_aclp->acl_entry[i]);
+
+               /*
+                * This is not in the specification, but SunOS
+                * apparently does that.
+                */
+               if (((entry->ae_flags & ACL_ENTRY_NO_PROPAGATE_INHERIT) ||
+                   !is_directory) &&
+                   entry->ae_entry_type == ACL_ENTRY_TYPE_ALLOW)
+                       entry->ae_perm &= ~(ACL_WRITE_ACL | ACL_WRITE_OWNER);
+
+               /*
+                * 2.A. If the ACL_ENTRY_NO_PROPAGATE_INHERIT is set, or if the 
object
+                *      being created is not a directory, then clear the
+                *      following flags: ACL_ENTRY_NO_PROPAGATE_INHERIT,
+                *      ACL_ENTRY_FILE_INHERIT, ACL_ENTRY_DIRECTORY_INHERIT,
+                *      ACL_ENTRY_INHERIT_ONLY.
+                */
+               if (entry->ae_flags & ACL_ENTRY_NO_PROPAGATE_INHERIT ||
+                   !is_directory) {
+                       entry->ae_flags &= ~(ACL_ENTRY_NO_PROPAGATE_INHERIT |
+                       ACL_ENTRY_FILE_INHERIT | ACL_ENTRY_DIRECTORY_INHERIT |
+                       ACL_ENTRY_INHERIT_ONLY);
+
+                       /*
+                        * Continue on to the next ACE.
+                        */
+                       continue;
+               }
+
+               /*
+                * 2.B. If the object is a directory and ACL_ENTRY_FILE_INHERIT
+                *      is set, but ACL_ENTRY_NO_PROPAGATE_INHERIT is not set, 
ensure
+                *      that ACL_ENTRY_INHERIT_ONLY is set.  Continue to the
+                *      next ACE.  Otherwise...
+                */
+               /*
+                * XXX: Read it again and make sure what does the "otherwise"
+                *      apply to.
+                */
+               if (is_directory &&
+                   (entry->ae_flags & ACL_ENTRY_FILE_INHERIT) &&
+                   ((entry->ae_flags & ACL_ENTRY_DIRECTORY_INHERIT) == 0)) {
+                       entry->ae_flags |= ACL_ENTRY_INHERIT_ONLY;
+                       continue;
+               }
+
+               /*
+                * 2.C. If the type of the ACE is neither ALLOW nor deny,
+                *      then continue.
+                */
+               if (entry->ae_entry_type != ACL_ENTRY_TYPE_ALLOW &&
+                   entry->ae_entry_type != ACL_ENTRY_TYPE_DENY)
+                       continue;
+
+               /*
+                * 2.D. Copy the original ACE into a second, adjacent ACE.
+                */
+               copy = _acl_duplicate_entry(child_aclp, i);
+
+               /*
+                * 2.E. On the first ACE, ensure that ACL_ENTRY_INHERIT_ONLY
+                *      is set.
+                */
+               entry->ae_flags |= ACL_ENTRY_INHERIT_ONLY;
+
+               /*
+                * 2.F. On the second ACE, clear the following flags:
+                *      ACL_ENTRY_NO_PROPAGATE_INHERIT, ACL_ENTRY_FILE_INHERIT,
+                *      ACL_ENTRY_DIRECTORY_INHERIT, ACL_ENTRY_INHERIT_ONLY.
+                */
+               copy->ae_flags &= ~(ACL_ENTRY_NO_PROPAGATE_INHERIT |
+                   ACL_ENTRY_FILE_INHERIT | ACL_ENTRY_DIRECTORY_INHERIT |
+                   ACL_ENTRY_INHERIT_ONLY);
+
+               /*
+                * 2.G. On the second ACE, if the type is ALLOW,
+                *      an implementation MAY clear the following
+                *      mask bits: ACL_WRITE_ACL, ACL_WRITE_OWNER.
+                */
+               if (copy->ae_entry_type == ACL_ENTRY_TYPE_ALLOW)
+                       copy->ae_perm &= ~(ACL_WRITE_ACL | ACL_WRITE_OWNER);
+
+               /*
+                * Increment the counter to skip the copied entry.
+                */
+               i++;
+       }
+
+       /*
+        * 3. To ensure that the mode is honored, apply the algorithm describe
+        *    in Section 2.16.6.3, using the mode that is to be used for file
+        *    creation.
+        */
+       acl_nfs4_sync_acl_from_mode(child_aclp, mode, file_owner_id);
+}
+
+#ifdef _KERNEL
+static int
+_acls_are_equal(const struct acl *a, const struct acl *b)
+{
+       int i;
+       const struct acl_entry *entrya, *entryb;
+
+       if (a->acl_cnt != b->acl_cnt)
+               return (0);
+
+       for (i = 0; i < b->acl_cnt; i++) {
+               entrya = &(a->acl_entry[i]);
+               entryb = &(b->acl_entry[i]);
+
+               if (entrya->ae_tag != entryb->ae_tag ||
+                   entrya->ae_id != entryb->ae_id ||
+                   entrya->ae_perm != entryb->ae_perm ||
+                   entrya->ae_entry_type != entryb->ae_entry_type ||
+                   entrya->ae_flags != entryb->ae_flags)
+                       return (0);
+       }
+
+       return (1);
+}
+
+/*
+ * This routine is used to determine whether to remove entry_type attribute
+ * that stores ACL contents.
+ */
+int
+acl_nfs4_is_trivial(const struct acl *aclp, int file_owner_id)
+{
+       int trivial;
+       mode_t tmpmode = 0;
+       struct acl *tmpaclp;
+
+       if (aclp->acl_cnt != 6)
+               return (0);
+
+       /*
+        * Compute the mode from the ACL, then compute new ACL from that mode.
+        * If the ACLs are identical, then the ACL is trivial.
+        *
+        * XXX: I guess there is a faster way to do this.  However, even
+        *      this slow implementation significantly speeds things up
+        *      for files that don't have any entry_type ACL entries - it's
+        *      critical for performance to not use EA when they are not
+        *      needed.
+        */
+       tmpaclp = acl_alloc(M_WAITOK | M_ZERO);
+       acl_nfs4_sync_mode_from_acl(&tmpmode, aclp);
+       acl_nfs4_sync_acl_from_mode(tmpaclp, tmpmode, file_owner_id);
+       trivial = _acls_are_equal(aclp, tmpaclp);
+       acl_free(tmpaclp);
+
+       return (trivial);
+}
+#endif /* _KERNEL */
+
+int
+acl_nfs4_check(const struct acl *aclp, int is_directory)
+{
+       int i;
+       const struct acl_entry *entry;
+
+       /*
+        * The spec doesn't seem to say anything about ACL validity.
+        * It seems there is not much to do here.  There is even no need
+        * to count "owner@" or "everyone@" (ACL_USER_OBJ and ACL_EVERYONE)
+        * entries, as there can be several of them and that's perfectly
+        * valid.  There can be none of them too.  Really.
+        */
+
+       if (aclp->acl_cnt > ACL_MAX_ENTRIES || aclp->acl_cnt <= 0)
+               return (EINVAL);
+
+       for (i = 0; i < aclp->acl_cnt; i++) {
+               entry = &(aclp->acl_entry[i]);
+
+               switch (entry->ae_tag) {
+               case ACL_USER_OBJ:
+               case ACL_GROUP_OBJ:
+               case ACL_EVERYONE:
+                       if (entry->ae_id != ACL_UNDEFINED_ID)
+                               return (EINVAL);
+                       break;
+
+               case ACL_USER:
+               case ACL_GROUP:
+                       if (entry->ae_id == ACL_UNDEFINED_ID)
+                               return (EINVAL);
+                       break;
+
+               default:
+                       return (EINVAL);
+               }
+
+               if ((entry->ae_perm | ACL_NFS4_PERM_BITS) != ACL_NFS4_PERM_BITS)
+                       return (EINVAL);
+
+               /*
+                * Disallow ACL_ENTRY_TYPE_AUDIT and ACL_ENTRY_TYPE_ALARM for 
now.
+                */
+               if (entry->ae_entry_type != ACL_ENTRY_TYPE_ALLOW &&
+                   entry->ae_entry_type != ACL_ENTRY_TYPE_DENY)
+                       return (EINVAL);
+
+               if ((entry->ae_flags | ACL_FLAGS_BITS) != ACL_FLAGS_BITS)
+                       return (EINVAL);
+
+               /* Disallow unimplemented flags. */
+               if (entry->ae_flags & (ACL_ENTRY_SUCCESSFUL_ACCESS |
+                   ACL_ENTRY_FAILED_ACCESS))
+                       return (EINVAL);
+
+               /* Disallow flags not allowed for ordinary files. */
+               if (!is_directory) {
+                       if (entry->ae_flags & (ACL_ENTRY_FILE_INHERIT |
+                           ACL_ENTRY_DIRECTORY_INHERIT |
+                           ACL_ENTRY_NO_PROPAGATE_INHERIT | 
ACL_ENTRY_INHERIT_ONLY))
+                               return (EINVAL);
+               }
+       }
+
+       return (0);
+}

Modified: stable/8/sys/sys/vnode.h
==============================================================================
--- stable/8/sys/sys/vnode.h    Sat Mar 27 15:45:11 2010        (r205736)
+++ stable/8/sys/sys/vnode.h    Sat Mar 27 16:31:49 2010        (r205737)
@@ -613,6 +613,9 @@ int vn_commname(struct vnode *vn, char *
 int    vaccess(enum vtype type, mode_t file_mode, uid_t file_uid,
            gid_t file_gid, accmode_t accmode, struct ucred *cred,
            int *privused);
+int    vaccess_acl_nfs4(enum vtype type, uid_t file_uid, gid_t file_gid,
+           struct acl *aclp, accmode_t accmode, struct ucred *cred,
+           int *privused);
 int    vaccess_acl_posix1e(enum vtype type, uid_t file_uid,
            gid_t file_gid, struct acl *acl, accmode_t accmode,
            struct ucred *cred, int *privused);
_______________________________________________
svn-src-all@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/svn-src-all
To unsubscribe, send any mail to "svn-src-all-unsubscr...@freebsd.org"

Reply via email to