4 * The contents of this file are subject to the terms of the
5 * Common Development and Distribution License (the "License").
6 * You may not use this file except in compliance with the License.
7 *
8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9 * or http://www.opensolaris.org/os/licensing.
10 * See the License for the specific language governing permissions
11 * and limitations under the License.
12 *
13 * When distributing Covered Code, include this CDDL HEADER in each
14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15 * If applicable, add the following below this CDDL HEADER, with the
16 * fields enclosed by brackets "[]" replaced with your own identifying
17 * information: Portions Copyright [yyyy] [name of copyright owner]
18 *
19 * CDDL HEADER END
20 */
21 /*
22 * Copyright (c) 2005, 2010, Oracle and/or its affiliates. All rights reserved.
23 * Copyright (c) 2013 by Delphix. All rights reserved.
24 * Copyright 2017 Nexenta Systems, Inc. All rights reserved.
25 */
26
27 #include <sys/types.h>
28 #include <sys/param.h>
29 #include <sys/time.h>
30 #include <sys/systm.h>
31 #include <sys/sysmacros.h>
32 #include <sys/resource.h>
33 #include <sys/vfs.h>
34 #include <sys/vnode.h>
35 #include <sys/sid.h>
36 #include <sys/file.h>
37 #include <sys/stat.h>
38 #include <sys/kmem.h>
39 #include <sys/cmn_err.h>
40 #include <sys/errno.h>
41 #include <sys/unistd.h>
42 #include <sys/sdt.h>
43 #include <sys/fs/zfs.h>
44 #include <sys/mode.h>
45 #include <sys/policy.h>
46 #include <sys/zfs_znode.h>
47 #include <sys/zfs_fuid.h>
48 #include <sys/zfs_acl.h>
49 #include <sys/zfs_dir.h>
50 #include <sys/zfs_vfsops.h>
51 #include <sys/dmu.h>
52 #include <sys/dnode.h>
53 #include <sys/zap.h>
54 #include <sys/sa.h>
55 #include "fs/fs_subr.h"
56 #include <acl/acl_common.h>
57
58 #define ALLOW ACE_ACCESS_ALLOWED_ACE_TYPE
59 #define DENY ACE_ACCESS_DENIED_ACE_TYPE
60 #define MAX_ACE_TYPE ACE_SYSTEM_ALARM_CALLBACK_OBJECT_ACE_TYPE
61 #define MIN_ACE_TYPE ALLOW
62
63 #define OWNING_GROUP (ACE_GROUP|ACE_IDENTIFIER_GROUP)
64 #define EVERYONE_ALLOW_MASK (ACE_READ_ACL|ACE_READ_ATTRIBUTES | \
65 ACE_READ_NAMED_ATTRS|ACE_SYNCHRONIZE)
66 #define EVERYONE_DENY_MASK (ACE_WRITE_ACL|ACE_WRITE_OWNER | \
67 ACE_WRITE_ATTRIBUTES|ACE_WRITE_NAMED_ATTRS)
68 #define OWNER_ALLOW_MASK (ACE_WRITE_ACL | ACE_WRITE_OWNER | \
69 ACE_WRITE_ATTRIBUTES|ACE_WRITE_NAMED_ATTRS)
70
71 #define ZFS_CHECKED_MASKS (ACE_READ_ACL|ACE_READ_ATTRIBUTES|ACE_READ_DATA| \
72 ACE_READ_NAMED_ATTRS|ACE_WRITE_DATA|ACE_WRITE_ATTRIBUTES| \
73 ACE_WRITE_NAMED_ATTRS|ACE_APPEND_DATA|ACE_EXECUTE|ACE_WRITE_OWNER| \
74 ACE_WRITE_ACL|ACE_DELETE|ACE_DELETE_CHILD|ACE_SYNCHRONIZE)
75
76 #define WRITE_MASK_DATA (ACE_WRITE_DATA|ACE_APPEND_DATA|ACE_WRITE_NAMED_ATTRS)
1171 }
1172
1173 /*
1174 * common code for setting ACLs.
1175 *
1176 * This function is called from zfs_mode_update, zfs_perm_init, and zfs_setacl.
1177 * zfs_setacl passes a non-NULL inherit pointer (ihp) to indicate that it's
1178 * already checked the acl and knows whether to inherit.
1179 */
1180 int
1181 zfs_aclset_common(znode_t *zp, zfs_acl_t *aclp, cred_t *cr, dmu_tx_t *tx)
1182 {
1183 int error;
1184 zfsvfs_t *zfsvfs = zp->z_zfsvfs;
1185 dmu_object_type_t otype;
1186 zfs_acl_locator_cb_t locate = { 0 };
1187 uint64_t mode;
1188 sa_bulk_attr_t bulk[5];
1189 uint64_t ctime[2];
1190 int count = 0;
1191 zfs_acl_phys_t acl_phys;
1192
1193 mode = zp->z_mode;
1194
1195 mode = zfs_mode_compute(mode, aclp, &zp->z_pflags,
1196 zp->z_uid, zp->z_gid);
1197
1198 zp->z_mode = mode;
1199 SA_ADD_BULK_ATTR(bulk, count, SA_ZPL_MODE(zfsvfs), NULL,
1200 &mode, sizeof (mode));
1201 SA_ADD_BULK_ATTR(bulk, count, SA_ZPL_FLAGS(zfsvfs), NULL,
1202 &zp->z_pflags, sizeof (zp->z_pflags));
1203 SA_ADD_BULK_ATTR(bulk, count, SA_ZPL_CTIME(zfsvfs), NULL,
1204 &ctime, sizeof (ctime));
1205
1206 if (zp->z_acl_cached) {
1207 zfs_acl_free(zp->z_acl_cached);
1208 zp->z_acl_cached = NULL;
1209 }
1210
1211 /*
1218 (zfsvfs->z_version >= ZPL_VERSION_FUID))
1219 zfs_acl_xform(zp, aclp, cr);
1220 ASSERT(aclp->z_version >= ZFS_ACL_VERSION_FUID);
1221 otype = DMU_OT_ACL;
1222 }
1223
1224 /*
1225 * Arrgh, we have to handle old on disk format
1226 * as well as newer (preferred) SA format.
1227 */
1228
1229 if (zp->z_is_sa) { /* the easy case, just update the ACL attribute */
1230 locate.cb_aclp = aclp;
1231 SA_ADD_BULK_ATTR(bulk, count, SA_ZPL_DACL_ACES(zfsvfs),
1232 zfs_acl_data_locator, &locate, aclp->z_acl_bytes);
1233 SA_ADD_BULK_ATTR(bulk, count, SA_ZPL_DACL_COUNT(zfsvfs),
1234 NULL, &aclp->z_acl_count, sizeof (uint64_t));
1235 } else { /* Painful legacy way */
1236 zfs_acl_node_t *aclnode;
1237 uint64_t off = 0;
1238 uint64_t aoid;
1239
1240 if ((error = sa_lookup(zp->z_sa_hdl, SA_ZPL_ZNODE_ACL(zfsvfs),
1241 &acl_phys, sizeof (acl_phys))) != 0)
1242 return (error);
1243
1244 aoid = acl_phys.z_acl_extern_obj;
1245
1246 if (aclp->z_acl_bytes > ZFS_ACE_SPACE) {
1247 /*
1248 * If ACL was previously external and we are now
1249 * converting to new ACL format then release old
1250 * ACL object and create a new one.
1251 */
1252 if (aoid &&
1253 aclp->z_version != acl_phys.z_acl_version) {
1254 error = dmu_object_free(zfsvfs->z_os, aoid, tx);
1255 if (error)
1256 return (error);
1257 aoid = 0;
2066 * empty (= 0), we know we've looked at all the AoI. The second is
2067 * that the ACE interpretation rules don't allow a later ACE to undo
2068 * something granted or denied by an earlier ACE. Removing the
2069 * discovered access or denial enforces this rule. At the end of
2070 * processing the ACEs, all AoI that were found to be denied are
2071 * placed into the working_mode, giving the caller a mask of denied
2072 * accesses. Returns:
2073 * 0 if all AoI granted
2074 * EACCES if the denied mask is non-zero
2075 * other error if abnormal failure (e.g., IO error)
2076 *
2077 * A secondary usage of the function is to determine if any of the
2078 * AoI are granted. If an ACE grants any access in
2079 * the working_mode, we immediately short circuit out of the function.
2080 * This mode is chosen by setting anyaccess to B_TRUE. The
2081 * working_mode is not a denied access mask upon exit if the function
2082 * is used in this manner.
2083 */
2084 static int
2085 zfs_zaccess_aces_check(znode_t *zp, uint32_t *working_mode,
2086 boolean_t anyaccess, cred_t *cr)
2087 {
2088 zfsvfs_t *zfsvfs = zp->z_zfsvfs;
2089 zfs_acl_t *aclp;
2090 int error;
2091 uid_t uid = crgetuid(cr);
2092 uint64_t who;
2093 uint16_t type, iflags;
2094 uint16_t entry_type;
2095 uint32_t access_mask;
2096 uint32_t deny_mask = 0;
2097 zfs_ace_hdr_t *acep = NULL;
2098 boolean_t checkit;
2099 uid_t gowner;
2100 uid_t fowner;
2101
2102 zfs_fuid_map_ids(zp, cr, &fowner, &gowner);
2103
2104 mutex_enter(&zp->z_acl_lock);
2105
2106 error = zfs_acl_node_read(zp, B_FALSE, &aclp, B_FALSE);
2107 if (error != 0) {
2108 mutex_exit(&zp->z_acl_lock);
2109 return (error);
2110 }
2111
2112 ASSERT(zp->z_acl_cached);
2113
2114 while (acep = zfs_acl_next_ace(aclp, acep, &who, &access_mask,
2115 &iflags, &type)) {
2116 uint32_t mask_matched;
2117
2118 if (!zfs_acl_valid_ace_type(type, iflags))
2119 continue;
2120
2121 if (ZTOV(zp)->v_type == VDIR && (iflags & ACE_INHERIT_ONLY_ACE))
2122 continue;
2123
2124 /* Skip ACE if it does not affect any AoI */
2125 mask_matched = (access_mask & *working_mode);
2126 if (!mask_matched)
2127 continue;
2128
2129 entry_type = (iflags & ACE_TYPE_FLAGS);
2130
2131 checkit = B_FALSE;
2132
2133 switch (entry_type) {
2134 case ACE_OWNER:
2135 if (uid == fowner)
2136 checkit = B_TRUE;
2137 break;
2138 case OWNING_GROUP:
2139 who = gowner;
2140 /*FALLTHROUGH*/
2141 case ACE_IDENTIFIER_GROUP:
2142 checkit = zfs_groupmember(zfsvfs, who, cr);
2143 break;
2144 case ACE_EVERYONE:
2145 checkit = B_TRUE;
2146 break;
2147
2148 /* USER Entry */
2149 default:
2150 if (entry_type == 0) {
2151 uid_t newid;
2152
2153 newid = zfs_fuid_map_id(zfsvfs, who, cr,
2154 ZFS_ACE_USER);
2155 if (newid != IDMAP_WK_CREATOR_OWNER_UID &&
2156 uid == newid)
2157 checkit = B_TRUE;
2158 break;
2159 } else {
2160 mutex_exit(&zp->z_acl_lock);
2161 return (SET_ERROR(EIO));
2162 }
2163 }
2164
2165 if (checkit) {
2166 if (type == DENY) {
2167 DTRACE_PROBE3(zfs__ace__denies,
2168 znode_t *, zp,
2169 zfs_ace_hdr_t *, acep,
2170 uint32_t, mask_matched);
2171 deny_mask |= mask_matched;
2172 } else {
2173 DTRACE_PROBE3(zfs__ace__allows,
2174 znode_t *, zp,
2175 zfs_ace_hdr_t *, acep,
2176 uint32_t, mask_matched);
2177 if (anyaccess) {
2178 mutex_exit(&zp->z_acl_lock);
2179 return (0);
2180 }
2181 }
2182 *working_mode &= ~mask_matched;
2183 }
2184
2185 /* Are we done? */
2186 if (*working_mode == 0)
2187 break;
2188 }
2189
2190 mutex_exit(&zp->z_acl_lock);
2191
2192 /* Put the found 'denies' back on the working mode */
2193 if (deny_mask) {
2194 *working_mode |= deny_mask;
2195 return (SET_ERROR(EACCES));
2196 } else if (*working_mode) {
2197 return (-1);
2198 }
2199
2200 return (0);
2201 }
2202
2203 /*
2204 * Return true if any access whatsoever granted, we don't actually
2205 * care what access is granted.
2206 */
2207 boolean_t
2208 zfs_has_access(znode_t *zp, cred_t *cr)
2209 {
2210 uint32_t have = ACE_ALL_PERMS;
2211
2212 if (zfs_zaccess_aces_check(zp, &have, B_TRUE, cr) != 0) {
2213 uid_t owner;
2214
2215 owner = zfs_fuid_map_id(zp->z_zfsvfs, zp->z_uid, cr, ZFS_OWNER);
2216 return (secpolicy_vnode_any_access(cr, ZTOV(zp), owner) == 0);
2217 }
2218 return (B_TRUE);
2219 }
2220
2221 static int
2222 zfs_zaccess_common(znode_t *zp, uint32_t v4_mode, uint32_t *working_mode,
2223 boolean_t *check_privs, boolean_t skipaclchk, cred_t *cr)
2224 {
2225 zfsvfs_t *zfsvfs = zp->z_zfsvfs;
2226 int err;
2227
2228 *working_mode = v4_mode;
2229 *check_privs = B_TRUE;
2230
2231 /*
2232 * Short circuit empty requests
2233 */
2234 if (v4_mode == 0 || zfsvfs->z_replay) {
2235 *working_mode = 0;
2236 return (0);
2237 }
2238
2239 if ((err = zfs_zaccess_dataset_check(zp, v4_mode)) != 0) {
2240 *check_privs = B_FALSE;
2241 return (err);
2242 }
2243
2244 /*
2245 * The caller requested that the ACL check be skipped. This
2246 * would only happen if the caller checked VOP_ACCESS() with a
2252 }
2253
2254 /*
2255 * Note: ZFS_READONLY represents the "DOS R/O" attribute.
2256 * When that flag is set, we should behave as if write access
2257 * were not granted by anything in the ACL. In particular:
2258 * We _must_ allow writes after opening the file r/w, then
2259 * setting the DOS R/O attribute, and writing some more.
2260 * (Similar to how you can write after fchmod(fd, 0444).)
2261 *
2262 * Therefore ZFS_READONLY is ignored in the dataset check
2263 * above, and checked here as if part of the ACL check.
2264 * Also note: DOS R/O is ignored for directories.
2265 */
2266 if ((v4_mode & WRITE_MASK_DATA) &&
2267 (ZTOV(zp)->v_type != VDIR) &&
2268 (zp->z_pflags & ZFS_READONLY)) {
2269 return (SET_ERROR(EPERM));
2270 }
2271
2272 return (zfs_zaccess_aces_check(zp, working_mode, B_FALSE, cr));
2273 }
2274
2275 static int
2276 zfs_zaccess_append(znode_t *zp, uint32_t *working_mode, boolean_t *check_privs,
2277 cred_t *cr)
2278 {
2279 if (*working_mode != ACE_WRITE_DATA)
2280 return (SET_ERROR(EACCES));
2281
2282 return (zfs_zaccess_common(zp, ACE_APPEND_DATA, working_mode,
2283 check_privs, B_FALSE, cr));
2284 }
2285
2286 int
2287 zfs_fastaccesschk_execute(znode_t *zdp, cred_t *cr)
2288 {
2289 boolean_t owner = B_FALSE;
2290 boolean_t groupmbr = B_FALSE;
2291 boolean_t is_attr;
2292 uid_t uid = crgetuid(cr);
2425 ACE_APPEND_DATA|ACE_WRITE_ATTRIBUTES|ACE_SYNCHRONIZE))
2426 needed_bits |= VWRITE;
2427 if (working_mode & ACE_EXECUTE)
2428 needed_bits |= VEXEC;
2429
2430 if ((error = zfs_zaccess_common(check_zp, mode, &working_mode,
2431 &check_privs, skipaclchk, cr)) == 0) {
2432 if (is_attr)
2433 VN_RELE(ZTOV(xzp));
2434 return (secpolicy_vnode_access2(cr, ZTOV(zp), owner,
2435 needed_bits, needed_bits));
2436 }
2437
2438 if (error && !check_privs) {
2439 if (is_attr)
2440 VN_RELE(ZTOV(xzp));
2441 return (error);
2442 }
2443
2444 if (error && (flags & V_APPEND)) {
2445 error = zfs_zaccess_append(zp, &working_mode, &check_privs, cr);
2446 }
2447
2448 if (error && check_privs) {
2449 mode_t checkmode = 0;
2450
2451 /*
2452 * First check for implicit owner permission on
2453 * read_acl/read_attributes
2454 */
2455
2456 error = 0;
2457 ASSERT(working_mode != 0);
2458
2459 if ((working_mode & (ACE_READ_ACL|ACE_READ_ATTRIBUTES) &&
2460 owner == crgetuid(cr)))
2461 working_mode &= ~(ACE_READ_ACL|ACE_READ_ATTRIBUTES);
2462
2463 if (working_mode & (ACE_READ_DATA|ACE_READ_NAMED_ATTRS|
2464 ACE_READ_ACL|ACE_READ_ATTRIBUTES|ACE_SYNCHRONIZE))
2591 * 2a: "sticky" bit on a directory adds restrictions, and
2592 * 2b: existing ACEs from previous versions of ZFS may
2593 * not carry ACE_DELETE_CHILD where they should, so we
2594 * also allow delete when ACE_WRITE_DATA is granted.
2595 *
2596 * Note: 2b is technically a work-around for a prior bug,
2597 * which hopefully can go away some day. For those who
2598 * no longer need the work around, and for testing, this
2599 * work-around is made conditional via the tunable:
2600 * zfs_write_implies_delete_child
2601 */
2602 int
2603 zfs_zaccess_delete(znode_t *dzp, znode_t *zp, cred_t *cr)
2604 {
2605 uint32_t wanted_dirperms;
2606 uint32_t dzp_working_mode = 0;
2607 uint32_t zp_working_mode = 0;
2608 int dzp_error, zp_error;
2609 boolean_t dzpcheck_privs;
2610 boolean_t zpcheck_privs;
2611
2612 if (zp->z_pflags & (ZFS_IMMUTABLE | ZFS_NOUNLINK))
2613 return (SET_ERROR(EPERM));
2614
2615 /*
2616 * Case 1:
2617 * If target object grants ACE_DELETE then we are done. This is
2618 * indicated by a return value of 0. For this case we don't worry
2619 * about the sticky bit because sticky only applies to the parent
2620 * directory and this is the child access result.
2621 *
2622 * If we encounter a DENY ACE here, we're also done (EACCES).
2623 * Note that if we hit a DENY ACE here (on the target) it should
2624 * take precedence over a DENY ACE on the container, so that when
2625 * we have more complete auditing support we will be able to
2626 * report an access failure against the specific target.
2627 * (This is part of why we're checking the target first.)
2628 */
2629 zp_error = zfs_zaccess_common(zp, ACE_DELETE, &zp_working_mode,
2630 &zpcheck_privs, B_FALSE, cr);
2631 if (zp_error == EACCES) {
2632 /* We hit a DENY ACE. */
2633 if (!zpcheck_privs)
2634 return (SET_ERROR(zp_error));
2635 return (secpolicy_vnode_remove(cr));
2636
2637 }
2638 if (zp_error == 0)
2639 return (0);
2640
2641 /*
2642 * Case 2:
2643 * If the containing directory grants ACE_DELETE_CHILD,
2644 * or we're in backward compatibility mode and the
2645 * containing directory has ACE_WRITE_DATA, allow.
2646 * Case 2b is handled with wanted_dirperms.
2647 */
2648 wanted_dirperms = ACE_DELETE_CHILD;
2649 if (zfs_write_implies_delete_child)
2650 wanted_dirperms |= ACE_WRITE_DATA;
2651 dzp_error = zfs_zaccess_common(dzp, wanted_dirperms,
2652 &dzp_working_mode, &dzpcheck_privs, B_FALSE, cr);
2653 if (dzp_error == EACCES) {
2654 /* We hit a DENY ACE. */
2655 if (!dzpcheck_privs)
2656 return (SET_ERROR(dzp_error));
2657 return (secpolicy_vnode_remove(cr));
2658 }
2659
2660 /*
2661 * Cases 2a, 2b (continued)
2662 *
2663 * Note: dzp_working_mode now contains any permissions
2664 * that were NOT granted. Therefore, if any of the
2665 * wanted_dirperms WERE granted, we will have:
2666 * dzp_working_mode != wanted_dirperms
2667 * We're really asking if ANY of those permissions
2668 * were granted, and if so, grant delete access.
2669 */
2670 if (dzp_working_mode != wanted_dirperms)
2717 * you're watching all of this with dtrace.
2718 */
2719 if ((dzp->z_mode & S_ISVTX) == 0)
2720 return (0);
2721
2722 /*
2723 * zfs_sticky_remove_access will succeed if:
2724 * 1. The sticky bit is absent.
2725 * 2. We pass the sticky bit restrictions.
2726 * 3. We have privileges that always allow file removal.
2727 */
2728 return (zfs_sticky_remove_access(dzp, zp, cr));
2729 }
2730
2731 int
2732 zfs_zaccess_rename(znode_t *sdzp, znode_t *szp, znode_t *tdzp,
2733 znode_t *tzp, cred_t *cr)
2734 {
2735 int add_perm;
2736 int error;
2737
2738 if (szp->z_pflags & ZFS_AV_QUARANTINED)
2739 return (SET_ERROR(EACCES));
2740
2741 add_perm = (ZTOV(szp)->v_type == VDIR) ?
2742 ACE_ADD_SUBDIRECTORY : ACE_ADD_FILE;
2743
2744 /*
2745 * Rename permissions are combination of delete permission +
2746 * add file/subdir permission.
2747 */
2748
2749 /*
2750 * first make sure we do the delete portion.
2751 *
2752 * If that succeeds then check for add_file/add_subdir permissions
2753 */
2754
2755 if (error = zfs_zaccess_delete(sdzp, szp, cr))
2756 return (error);
2757
2758 /*
2759 * If we have a tzp, see if we can delete it?
2760 */
2761 if (tzp) {
2762 if (error = zfs_zaccess_delete(tdzp, tzp, cr))
2763 return (error);
2764 }
2765
2766 /*
2767 * Now check for add permissions
2768 */
2769 error = zfs_zaccess(tdzp, add_perm, 0, B_FALSE, cr);
2770
2771 return (error);
2772 }
|
4 * The contents of this file are subject to the terms of the
5 * Common Development and Distribution License (the "License").
6 * You may not use this file except in compliance with the License.
7 *
8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9 * or http://www.opensolaris.org/os/licensing.
10 * See the License for the specific language governing permissions
11 * and limitations under the License.
12 *
13 * When distributing Covered Code, include this CDDL HEADER in each
14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15 * If applicable, add the following below this CDDL HEADER, with the
16 * fields enclosed by brackets "[]" replaced with your own identifying
17 * information: Portions Copyright [yyyy] [name of copyright owner]
18 *
19 * CDDL HEADER END
20 */
21 /*
22 * Copyright (c) 2005, 2010, Oracle and/or its affiliates. All rights reserved.
23 * Copyright (c) 2013 by Delphix. All rights reserved.
24 * Copyright 2018 Nexenta Systems, Inc. All rights reserved.
25 */
26
27 #include <sys/types.h>
28 #include <sys/param.h>
29 #include <sys/time.h>
30 #include <sys/systm.h>
31 #include <sys/sysmacros.h>
32 #include <sys/resource.h>
33 #include <sys/vfs.h>
34 #include <sys/vnode.h>
35 #include <sys/sid.h>
36 #include <sys/file.h>
37 #include <sys/stat.h>
38 #include <sys/kmem.h>
39 #include <sys/cmn_err.h>
40 #include <sys/errno.h>
41 #include <sys/unistd.h>
42 #include <sys/sdt.h>
43 #include <sys/fs/zfs.h>
44 #include <sys/mode.h>
45 #include <sys/policy.h>
46 #include <sys/zfs_znode.h>
47 #include <sys/zfs_fuid.h>
48 #include <sys/zfs_acl.h>
49 #include <sys/zfs_dir.h>
50 #include <sys/zfs_vfsops.h>
51 #include <sys/dmu.h>
52 #include <sys/dnode.h>
53 #include <sys/zap.h>
54 #include <sys/sa.h>
55 #include "fs/fs_subr.h"
56 #include <acl/acl_common.h>
57 #include <c2/audit.h>
58 #include <c2/audit_kernel.h>
59
60 #define ALLOW ACE_ACCESS_ALLOWED_ACE_TYPE
61 #define DENY ACE_ACCESS_DENIED_ACE_TYPE
62 #define MAX_ACE_TYPE ACE_SYSTEM_ALARM_CALLBACK_OBJECT_ACE_TYPE
63 #define MIN_ACE_TYPE ALLOW
64
65 #define OWNING_GROUP (ACE_GROUP|ACE_IDENTIFIER_GROUP)
66 #define EVERYONE_ALLOW_MASK (ACE_READ_ACL|ACE_READ_ATTRIBUTES | \
67 ACE_READ_NAMED_ATTRS|ACE_SYNCHRONIZE)
68 #define EVERYONE_DENY_MASK (ACE_WRITE_ACL|ACE_WRITE_OWNER | \
69 ACE_WRITE_ATTRIBUTES|ACE_WRITE_NAMED_ATTRS)
70 #define OWNER_ALLOW_MASK (ACE_WRITE_ACL | ACE_WRITE_OWNER | \
71 ACE_WRITE_ATTRIBUTES|ACE_WRITE_NAMED_ATTRS)
72
73 #define ZFS_CHECKED_MASKS (ACE_READ_ACL|ACE_READ_ATTRIBUTES|ACE_READ_DATA| \
74 ACE_READ_NAMED_ATTRS|ACE_WRITE_DATA|ACE_WRITE_ATTRIBUTES| \
75 ACE_WRITE_NAMED_ATTRS|ACE_APPEND_DATA|ACE_EXECUTE|ACE_WRITE_OWNER| \
76 ACE_WRITE_ACL|ACE_DELETE|ACE_DELETE_CHILD|ACE_SYNCHRONIZE)
77
78 #define WRITE_MASK_DATA (ACE_WRITE_DATA|ACE_APPEND_DATA|ACE_WRITE_NAMED_ATTRS)
1173 }
1174
1175 /*
1176 * common code for setting ACLs.
1177 *
1178 * This function is called from zfs_mode_update, zfs_perm_init, and zfs_setacl.
1179 * zfs_setacl passes a non-NULL inherit pointer (ihp) to indicate that it's
1180 * already checked the acl and knows whether to inherit.
1181 */
1182 int
1183 zfs_aclset_common(znode_t *zp, zfs_acl_t *aclp, cred_t *cr, dmu_tx_t *tx)
1184 {
1185 int error;
1186 zfsvfs_t *zfsvfs = zp->z_zfsvfs;
1187 dmu_object_type_t otype;
1188 zfs_acl_locator_cb_t locate = { 0 };
1189 uint64_t mode;
1190 sa_bulk_attr_t bulk[5];
1191 uint64_t ctime[2];
1192 int count = 0;
1193
1194 mode = zp->z_mode;
1195
1196 mode = zfs_mode_compute(mode, aclp, &zp->z_pflags,
1197 zp->z_uid, zp->z_gid);
1198
1199 zp->z_mode = mode;
1200 SA_ADD_BULK_ATTR(bulk, count, SA_ZPL_MODE(zfsvfs), NULL,
1201 &mode, sizeof (mode));
1202 SA_ADD_BULK_ATTR(bulk, count, SA_ZPL_FLAGS(zfsvfs), NULL,
1203 &zp->z_pflags, sizeof (zp->z_pflags));
1204 SA_ADD_BULK_ATTR(bulk, count, SA_ZPL_CTIME(zfsvfs), NULL,
1205 &ctime, sizeof (ctime));
1206
1207 if (zp->z_acl_cached) {
1208 zfs_acl_free(zp->z_acl_cached);
1209 zp->z_acl_cached = NULL;
1210 }
1211
1212 /*
1219 (zfsvfs->z_version >= ZPL_VERSION_FUID))
1220 zfs_acl_xform(zp, aclp, cr);
1221 ASSERT(aclp->z_version >= ZFS_ACL_VERSION_FUID);
1222 otype = DMU_OT_ACL;
1223 }
1224
1225 /*
1226 * Arrgh, we have to handle old on disk format
1227 * as well as newer (preferred) SA format.
1228 */
1229
1230 if (zp->z_is_sa) { /* the easy case, just update the ACL attribute */
1231 locate.cb_aclp = aclp;
1232 SA_ADD_BULK_ATTR(bulk, count, SA_ZPL_DACL_ACES(zfsvfs),
1233 zfs_acl_data_locator, &locate, aclp->z_acl_bytes);
1234 SA_ADD_BULK_ATTR(bulk, count, SA_ZPL_DACL_COUNT(zfsvfs),
1235 NULL, &aclp->z_acl_count, sizeof (uint64_t));
1236 } else { /* Painful legacy way */
1237 zfs_acl_node_t *aclnode;
1238 uint64_t off = 0;
1239 zfs_acl_phys_t acl_phys;
1240 uint64_t aoid;
1241
1242 if ((error = sa_lookup(zp->z_sa_hdl, SA_ZPL_ZNODE_ACL(zfsvfs),
1243 &acl_phys, sizeof (acl_phys))) != 0)
1244 return (error);
1245
1246 aoid = acl_phys.z_acl_extern_obj;
1247
1248 if (aclp->z_acl_bytes > ZFS_ACE_SPACE) {
1249 /*
1250 * If ACL was previously external and we are now
1251 * converting to new ACL format then release old
1252 * ACL object and create a new one.
1253 */
1254 if (aoid &&
1255 aclp->z_version != acl_phys.z_acl_version) {
1256 error = dmu_object_free(zfsvfs->z_os, aoid, tx);
1257 if (error)
1258 return (error);
1259 aoid = 0;
2068 * empty (= 0), we know we've looked at all the AoI. The second is
2069 * that the ACE interpretation rules don't allow a later ACE to undo
2070 * something granted or denied by an earlier ACE. Removing the
2071 * discovered access or denial enforces this rule. At the end of
2072 * processing the ACEs, all AoI that were found to be denied are
2073 * placed into the working_mode, giving the caller a mask of denied
2074 * accesses. Returns:
2075 * 0 if all AoI granted
2076 * EACCES if the denied mask is non-zero
2077 * other error if abnormal failure (e.g., IO error)
2078 *
2079 * A secondary usage of the function is to determine if any of the
2080 * AoI are granted. If an ACE grants any access in
2081 * the working_mode, we immediately short circuit out of the function.
2082 * This mode is chosen by setting anyaccess to B_TRUE. The
2083 * working_mode is not a denied access mask upon exit if the function
2084 * is used in this manner.
2085 */
2086 static int
2087 zfs_zaccess_aces_check(znode_t *zp, uint32_t *working_mode,
2088 boolean_t anyaccess, cred_t *cr, boolean_t audit)
2089 {
2090 zfsvfs_t *zfsvfs = zp->z_zfsvfs;
2091 zfs_acl_t *aclp;
2092 int error;
2093 uint64_t who; /* FUID from the ACE */
2094 uint16_t type, iflags;
2095 uint16_t entry_type;
2096 uint32_t access_mask;
2097 uint32_t deny_mask = 0;
2098 uint32_t sys_smask = 0;
2099 uint32_t sys_fmask = 0;
2100 zfs_ace_hdr_t *acep = NULL;
2101 boolean_t checkit; /* ACE ID matches */
2102 t_audit_data_t *tad;
2103
2104 mutex_enter(&zp->z_acl_lock);
2105
2106 error = zfs_acl_node_read(zp, B_FALSE, &aclp, B_FALSE);
2107 if (error != 0) {
2108 mutex_exit(&zp->z_acl_lock);
2109 return (error);
2110 }
2111
2112 ASSERT(zp->z_acl_cached);
2113
2114 while (acep = zfs_acl_next_ace(aclp, acep, &who, &access_mask,
2115 &iflags, &type)) {
2116 uint32_t mask_matched;
2117
2118 if (!zfs_acl_valid_ace_type(type, iflags))
2119 continue;
2120
2121 if (ZTOV(zp)->v_type == VDIR && (iflags & ACE_INHERIT_ONLY_ACE))
2122 continue;
2123
2124 /* Skip ACE if it does not affect any AoI */
2125 mask_matched = (access_mask & *working_mode);
2126 if ((type == DENY || type == ALLOW) && !mask_matched)
2127 continue;
2128 if (!audit && type != DENY && type != ALLOW)
2129 continue;
2130
2131 entry_type = (iflags & ACE_TYPE_FLAGS);
2132
2133 checkit = B_FALSE;
2134
2135 switch (entry_type) {
2136 case ACE_OWNER:
2137 who = zp->z_uid;
2138 /*FALLTHROUGH*/
2139 case 0: /* USER Entry */
2140 checkit = zfs_user_in_cred(zfsvfs, who, cr);
2141 break;
2142 case OWNING_GROUP:
2143 who = zp->z_gid;
2144 /*FALLTHROUGH*/
2145 case ACE_IDENTIFIER_GROUP:
2146 checkit = zfs_groupmember(zfsvfs, who, cr);
2147 break;
2148 case ACE_EVERYONE:
2149 checkit = B_TRUE;
2150 break;
2151
2152 default:
2153 /*
2154 * The zfs_acl_valid_ace_type check above
2155 * should make this case impossible.
2156 */
2157 mutex_exit(&zp->z_acl_lock);
2158 return (SET_ERROR(EIO));
2159 }
2160
2161 if (checkit) {
2162 switch (type) {
2163 case DENY:
2164 DTRACE_PROBE3(zfs__ace__denies,
2165 znode_t *, zp,
2166 zfs_ace_hdr_t *, acep,
2167 uint32_t, mask_matched);
2168 deny_mask |= mask_matched;
2169 *working_mode &= ~mask_matched;
2170 break;
2171 case ACE_SYSTEM_AUDIT_ACE_TYPE:
2172 case ACE_SYSTEM_ALARM_ACE_TYPE:
2173 DTRACE_PROBE3(zfs__ace__audit,
2174 znode_t *, zp,
2175 zfs_ace_hdr_t *, acep,
2176 uint32_t, access_mask);
2177 if ((iflags &
2178 ACE_SUCCESSFUL_ACCESS_ACE_FLAG) != 0)
2179 sys_smask |= access_mask;
2180 if ((iflags & ACE_FAILED_ACCESS_ACE_FLAG) != 0)
2181 sys_fmask |= access_mask;
2182 break;
2183 case ALLOW:
2184 default:
2185 DTRACE_PROBE3(zfs__ace__allows,
2186 znode_t *, zp,
2187 zfs_ace_hdr_t *, acep,
2188 uint32_t, mask_matched);
2189 if (anyaccess) {
2190 mutex_exit(&zp->z_acl_lock);
2191 return (0);
2192 }
2193 *working_mode &= ~mask_matched;
2194 break;
2195 }
2196 }
2197
2198 /*
2199 * Are we done? If auditing, process the entire list
2200 * to gather all audit ACEs
2201 */
2202 if (!audit && *working_mode == 0)
2203 break;
2204 }
2205
2206 mutex_exit(&zp->z_acl_lock);
2207
2208 if (audit) {
2209 tad = T2A(curthread);
2210 tad->tad_sacl_mask.tas_smask = sys_smask;
2211 tad->tad_sacl_mask.tas_fmask = sys_fmask;
2212 }
2213
2214 /* Put the found 'denies' back on the working mode */
2215 if (deny_mask) {
2216 *working_mode |= deny_mask;
2217 return (SET_ERROR(EACCES));
2218 } else if (*working_mode) {
2219 return (-1);
2220 }
2221
2222 return (0);
2223 }
2224
2225 /*
2226 * Return true if any access whatsoever granted, we don't actually
2227 * care what access is granted.
2228 */
2229 boolean_t
2230 zfs_has_access(znode_t *zp, cred_t *cr)
2231 {
2232 uint32_t have = ACE_ALL_PERMS;
2233
2234 if (zfs_zaccess_aces_check(zp, &have, B_TRUE, cr, B_FALSE) != 0) {
2235 uid_t owner;
2236
2237 owner = zfs_fuid_map_id(zp->z_zfsvfs, zp->z_uid, cr, ZFS_OWNER);
2238 return (secpolicy_vnode_any_access(cr, ZTOV(zp), owner) == 0);
2239 }
2240 return (B_TRUE);
2241 }
2242
2243 static int
2244 zfs_zaccess_common(znode_t *zp, uint32_t v4_mode, uint32_t *working_mode,
2245 boolean_t *check_privs, boolean_t skipaclchk, cred_t *cr)
2246 {
2247 zfsvfs_t *zfsvfs = zp->z_zfsvfs;
2248 int err;
2249 boolean_t audit = B_FALSE;
2250
2251 *working_mode = v4_mode;
2252 *check_privs = B_TRUE;
2253
2254 /*
2255 * Short circuit empty requests
2256 */
2257 if (v4_mode == 0 || zfsvfs->z_replay) {
2258 *working_mode = 0;
2259 return (0);
2260 }
2261
2262 if ((err = zfs_zaccess_dataset_check(zp, v4_mode)) != 0) {
2263 *check_privs = B_FALSE;
2264 return (err);
2265 }
2266
2267 /*
2268 * The caller requested that the ACL check be skipped. This
2269 * would only happen if the caller checked VOP_ACCESS() with a
2275 }
2276
2277 /*
2278 * Note: ZFS_READONLY represents the "DOS R/O" attribute.
2279 * When that flag is set, we should behave as if write access
2280 * were not granted by anything in the ACL. In particular:
2281 * We _must_ allow writes after opening the file r/w, then
2282 * setting the DOS R/O attribute, and writing some more.
2283 * (Similar to how you can write after fchmod(fd, 0444).)
2284 *
2285 * Therefore ZFS_READONLY is ignored in the dataset check
2286 * above, and checked here as if part of the ACL check.
2287 * Also note: DOS R/O is ignored for directories.
2288 */
2289 if ((v4_mode & WRITE_MASK_DATA) &&
2290 (ZTOV(zp)->v_type != VDIR) &&
2291 (zp->z_pflags & ZFS_READONLY)) {
2292 return (SET_ERROR(EPERM));
2293 }
2294
2295 if (cr != zone_kcred() && AU_ZONE_AUDITING(NULL)) {
2296 t_audit_data_t *tad = T2A(curthread);
2297 if (tad->tad_sacl_ctrl != SACL_AUDIT_NONE &&
2298 auditev(AUE_SACL, cr) != 0) {
2299 audit = B_TRUE;
2300 tad->tad_sacl_ctrl = SACL_AUDIT_NONE;
2301 }
2302 }
2303
2304 return (zfs_zaccess_aces_check(zp, working_mode, B_FALSE, cr, audit));
2305 }
2306
2307 static int
2308 zfs_zaccess_append(znode_t *zp, uint32_t *working_mode, boolean_t *check_privs,
2309 cred_t *cr)
2310 {
2311 if (*working_mode != ACE_WRITE_DATA)
2312 return (SET_ERROR(EACCES));
2313
2314 return (zfs_zaccess_common(zp, ACE_APPEND_DATA, working_mode,
2315 check_privs, B_FALSE, cr));
2316 }
2317
2318 int
2319 zfs_fastaccesschk_execute(znode_t *zdp, cred_t *cr)
2320 {
2321 boolean_t owner = B_FALSE;
2322 boolean_t groupmbr = B_FALSE;
2323 boolean_t is_attr;
2324 uid_t uid = crgetuid(cr);
2457 ACE_APPEND_DATA|ACE_WRITE_ATTRIBUTES|ACE_SYNCHRONIZE))
2458 needed_bits |= VWRITE;
2459 if (working_mode & ACE_EXECUTE)
2460 needed_bits |= VEXEC;
2461
2462 if ((error = zfs_zaccess_common(check_zp, mode, &working_mode,
2463 &check_privs, skipaclchk, cr)) == 0) {
2464 if (is_attr)
2465 VN_RELE(ZTOV(xzp));
2466 return (secpolicy_vnode_access2(cr, ZTOV(zp), owner,
2467 needed_bits, needed_bits));
2468 }
2469
2470 if (error && !check_privs) {
2471 if (is_attr)
2472 VN_RELE(ZTOV(xzp));
2473 return (error);
2474 }
2475
2476 if (error && (flags & V_APPEND)) {
2477 /*
2478 * If zfs_zaccess_common checked aces, then we won't audit here.
2479 * Otherwise, we'll try and get audit masks here.
2480 */
2481 error = zfs_zaccess_append(zp, &working_mode, &check_privs, cr);
2482 }
2483
2484 if (error && check_privs) {
2485 mode_t checkmode = 0;
2486
2487 /*
2488 * First check for implicit owner permission on
2489 * read_acl/read_attributes
2490 */
2491
2492 error = 0;
2493 ASSERT(working_mode != 0);
2494
2495 if ((working_mode & (ACE_READ_ACL|ACE_READ_ATTRIBUTES) &&
2496 owner == crgetuid(cr)))
2497 working_mode &= ~(ACE_READ_ACL|ACE_READ_ATTRIBUTES);
2498
2499 if (working_mode & (ACE_READ_DATA|ACE_READ_NAMED_ATTRS|
2500 ACE_READ_ACL|ACE_READ_ATTRIBUTES|ACE_SYNCHRONIZE))
2627 * 2a: "sticky" bit on a directory adds restrictions, and
2628 * 2b: existing ACEs from previous versions of ZFS may
2629 * not carry ACE_DELETE_CHILD where they should, so we
2630 * also allow delete when ACE_WRITE_DATA is granted.
2631 *
2632 * Note: 2b is technically a work-around for a prior bug,
2633 * which hopefully can go away some day. For those who
2634 * no longer need the work around, and for testing, this
2635 * work-around is made conditional via the tunable:
2636 * zfs_write_implies_delete_child
2637 */
2638 int
2639 zfs_zaccess_delete(znode_t *dzp, znode_t *zp, cred_t *cr)
2640 {
2641 uint32_t wanted_dirperms;
2642 uint32_t dzp_working_mode = 0;
2643 uint32_t zp_working_mode = 0;
2644 int dzp_error, zp_error;
2645 boolean_t dzpcheck_privs;
2646 boolean_t zpcheck_privs;
2647 t_audit_data_t *tad;
2648
2649 if (zp->z_pflags & (ZFS_IMMUTABLE | ZFS_NOUNLINK))
2650 return (SET_ERROR(EPERM));
2651
2652 /*
2653 * Case 1:
2654 * If target object grants ACE_DELETE then we are done. This is
2655 * indicated by a return value of 0. For this case we don't worry
2656 * about the sticky bit because sticky only applies to the parent
2657 * directory and this is the child access result.
2658 *
2659 * If we encounter a DENY ACE here, we're also done (EACCES).
2660 * Note that if we hit a DENY ACE here (on the target) it should
2661 * take precedence over a DENY ACE on the container, so that when
2662 * we have more complete auditing support we will be able to
2663 * report an access failure against the specific target.
2664 * (This is part of why we're checking the target first.)
2665 */
2666 zp_error = zfs_zaccess_common(zp, ACE_DELETE, &zp_working_mode,
2667 &zpcheck_privs, B_FALSE, cr);
2668 if (zp_error == EACCES) {
2669 /* We hit a DENY ACE. */
2670 if (!zpcheck_privs)
2671 return (SET_ERROR(zp_error));
2672 return (secpolicy_vnode_remove(cr));
2673
2674 }
2675 if (zp_error == 0)
2676 return (0);
2677
2678 /*
2679 * Case 2:
2680 * If the containing directory grants ACE_DELETE_CHILD,
2681 * or we're in backward compatibility mode and the
2682 * containing directory has ACE_WRITE_DATA, allow.
2683 * Case 2b is handled with wanted_dirperms.
2684 */
2685 wanted_dirperms = ACE_DELETE_CHILD;
2686 if (zfs_write_implies_delete_child)
2687 wanted_dirperms |= ACE_WRITE_DATA;
2688 /* never audit the parent directory access check */
2689 if (AU_ZONE_AUDITING(NULL)) {
2690 tad = T2A(curthread);
2691 tad->tad_sacl_ctrl = SACL_AUDIT_NONE;
2692 }
2693 dzp_error = zfs_zaccess_common(dzp, wanted_dirperms,
2694 &dzp_working_mode, &dzpcheck_privs, B_FALSE, cr);
2695 if (dzp_error == EACCES) {
2696 /* We hit a DENY ACE. */
2697 if (!dzpcheck_privs)
2698 return (SET_ERROR(dzp_error));
2699 return (secpolicy_vnode_remove(cr));
2700 }
2701
2702 /*
2703 * Cases 2a, 2b (continued)
2704 *
2705 * Note: dzp_working_mode now contains any permissions
2706 * that were NOT granted. Therefore, if any of the
2707 * wanted_dirperms WERE granted, we will have:
2708 * dzp_working_mode != wanted_dirperms
2709 * We're really asking if ANY of those permissions
2710 * were granted, and if so, grant delete access.
2711 */
2712 if (dzp_working_mode != wanted_dirperms)
2759 * you're watching all of this with dtrace.
2760 */
2761 if ((dzp->z_mode & S_ISVTX) == 0)
2762 return (0);
2763
2764 /*
2765 * zfs_sticky_remove_access will succeed if:
2766 * 1. The sticky bit is absent.
2767 * 2. We pass the sticky bit restrictions.
2768 * 3. We have privileges that always allow file removal.
2769 */
2770 return (zfs_sticky_remove_access(dzp, zp, cr));
2771 }
2772
2773 int
2774 zfs_zaccess_rename(znode_t *sdzp, znode_t *szp, znode_t *tdzp,
2775 znode_t *tzp, cred_t *cr)
2776 {
2777 int add_perm;
2778 int error;
2779 t_audit_data_t *tad;
2780 sacl_audit_ctrl_t do_audit;
2781
2782 if (szp->z_pflags & ZFS_AV_QUARANTINED)
2783 return (SET_ERROR(EACCES));
2784
2785 add_perm = (ZTOV(szp)->v_type == VDIR) ?
2786 ACE_ADD_SUBDIRECTORY : ACE_ADD_FILE;
2787
2788 if (AU_ZONE_AUDITING(NULL)) {
2789 tad = T2A(curthread);
2790 do_audit = tad->tad_sacl_ctrl;
2791 } else {
2792 tad = NULL;
2793 do_audit = SACL_AUDIT_NONE;
2794 }
2795
2796 /*
2797 * Rename permissions are combination of delete permission +
2798 * add file/subdir permission.
2799 */
2800
2801 /*
2802 * first make sure we do the delete portion.
2803 *
2804 * If that succeeds then check for add_file/add_subdir permissions
2805 */
2806
2807 if (do_audit == SACL_AUDIT_NO_SRC)
2808 tad->tad_sacl_ctrl = SACL_AUDIT_NONE;
2809 error = zfs_zaccess_delete(sdzp, szp, cr);
2810
2811 if (do_audit == SACL_AUDIT_ALL) {
2812 tad->tad_sacl_mask_src = tad->tad_sacl_mask;
2813 tad->tad_sacl_mask.tas_smask = 0;
2814 tad->tad_sacl_mask.tas_fmask = 0;
2815 }
2816 if (error != 0)
2817 return (error);
2818
2819 if (do_audit != SACL_AUDIT_NONE)
2820 tad->tad_sacl_ctrl = do_audit;
2821
2822 /*
2823 * If we have a tzp, see if we can delete it?
2824 */
2825 if (tzp) {
2826 error = zfs_zaccess_delete(tdzp, tzp, cr);
2827 if (do_audit != SACL_AUDIT_NONE) {
2828 tad->tad_sacl_mask_dest = tad->tad_sacl_mask;
2829 tad->tad_sacl_mask.tas_smask = 0;
2830 tad->tad_sacl_mask.tas_fmask = 0;
2831 }
2832 if (error != 0)
2833 return (error);
2834 if (do_audit != SACL_AUDIT_NONE)
2835 tad->tad_sacl_ctrl = do_audit;
2836 }
2837
2838 /*
2839 * Now check for add permissions
2840 */
2841 error = zfs_zaccess(tdzp, add_perm, 0, B_FALSE, cr);
2842
2843 /* do_audit: leave directory audit info in sacl_mask. */
2844
2845 return (error);
2846 }
|