xref: /illumos-gate/usr/src/uts/common/fs/zfs/zfs_acl.c (revision ea8dc4b6d2251b437950c0056bc626b311c73c27)
1 /*
2  * CDDL HEADER START
3  *
4  * The contents of this file are subject to the terms of the
5  * Common Development and Distribution License (the "License").
6  * You may not use this file except in compliance with the License.
7  *
8  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9  * or http://www.opensolaris.org/os/licensing.
10  * See the License for the specific language governing permissions
11  * and limitations under the License.
12  *
13  * When distributing Covered Code, include this CDDL HEADER in each
14  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15  * If applicable, add the following below this CDDL HEADER, with the
16  * fields enclosed by brackets "[]" replaced with your own identifying
17  * information: Portions Copyright [yyyy] [name of copyright owner]
18  *
19  * CDDL HEADER END
20  */
21 /*
22  * Copyright 2006 Sun Microsystems, Inc.  All rights reserved.
23  * Use is subject to license terms.
24  */
25 
26 #pragma ident	"%Z%%M%	%I%	%E% SMI"
27 
28 #include <sys/types.h>
29 #include <sys/param.h>
30 #include <sys/time.h>
31 #include <sys/systm.h>
32 #include <sys/sysmacros.h>
33 #include <sys/resource.h>
34 #include <sys/vfs.h>
35 #include <sys/vnode.h>
36 #include <sys/file.h>
37 #include <sys/stat.h>
38 #include <sys/kmem.h>
39 #include <sys/cmn_err.h>
40 #include <sys/errno.h>
41 #include <sys/unistd.h>
42 #include <sys/fs/zfs.h>
43 #include <sys/mode.h>
44 #include <sys/policy.h>
45 #include <sys/zfs_znode.h>
46 #include <sys/zfs_acl.h>
47 #include <sys/zfs_dir.h>
48 #include <sys/zfs_vfsops.h>
49 #include <sys/dmu.h>
50 #include <sys/zap.h>
51 #include <util/qsort.h>
52 #include "fs/fs_subr.h"
53 #include <acl/acl_common.h>
54 
55 #define	ALLOW	ACE_ACCESS_ALLOWED_ACE_TYPE
56 #define	DENY	ACE_ACCESS_DENIED_ACE_TYPE
57 
58 #define	OWNING_GROUP		(ACE_GROUP|ACE_IDENTIFIER_GROUP)
59 #define	EVERYONE_ALLOW_MASK (ACE_READ_ACL|ACE_READ_ATTRIBUTES | \
60     ACE_READ_NAMED_ATTRS|ACE_SYNCHRONIZE)
61 #define	EVERYONE_DENY_MASK (ACE_WRITE_ACL|ACE_WRITE_OWNER | \
62     ACE_WRITE_ATTRIBUTES|ACE_WRITE_NAMED_ATTRS)
63 #define	OWNER_ALLOW_MASK (ACE_WRITE_ACL | ACE_WRITE_OWNER | \
64     ACE_WRITE_ATTRIBUTES|ACE_WRITE_NAMED_ATTRS)
65 #define	WRITE_MASK (ACE_WRITE_DATA|ACE_APPEND_DATA|ACE_WRITE_NAMED_ATTRS| \
66     ACE_WRITE_ATTRIBUTES|ACE_WRITE_ACL|ACE_WRITE_OWNER)
67 
68 #define	OGE_CLEAR	(ACE_READ_DATA|ACE_LIST_DIRECTORY|ACE_WRITE_DATA| \
69     ACE_ADD_FILE|ACE_APPEND_DATA|ACE_ADD_SUBDIRECTORY|ACE_EXECUTE)
70 
71 #define	OKAY_MASK_BITS (ACE_READ_DATA|ACE_LIST_DIRECTORY|ACE_WRITE_DATA| \
72     ACE_ADD_FILE|ACE_APPEND_DATA|ACE_ADD_SUBDIRECTORY|ACE_EXECUTE)
73 
74 #define	ALL_INHERIT	(ACE_FILE_INHERIT_ACE|ACE_DIRECTORY_INHERIT_ACE | \
75     ACE_NO_PROPAGATE_INHERIT_ACE|ACE_INHERIT_ONLY_ACE)
76 
77 #define	SECURE_NO_INHERIT	(ACE_WRITE_ACL|ACE_WRITE_OWNER)
78 
79 #define	OGE_PAD	6		/* traditional owner/group/everyone ACES */
80 
81 static int zfs_ace_can_use(znode_t *zp, ace_t *);
82 
83 static zfs_acl_t *
84 zfs_acl_alloc(int slots)
85 {
86 	zfs_acl_t *aclp;
87 
88 	aclp = kmem_zalloc(sizeof (zfs_acl_t), KM_SLEEP);
89 	if (slots != 0) {
90 		aclp->z_acl = kmem_alloc(ZFS_ACL_SIZE(slots), KM_SLEEP);
91 		aclp->z_acl_count = 0;
92 		aclp->z_state = ACL_DATA_ALLOCED;
93 	} else {
94 		aclp->z_state = 0;
95 	}
96 	aclp->z_slots = slots;
97 	return (aclp);
98 }
99 
100 void
101 zfs_acl_free(zfs_acl_t *aclp)
102 {
103 	if (aclp->z_state == ACL_DATA_ALLOCED) {
104 		kmem_free(aclp->z_acl, ZFS_ACL_SIZE(aclp->z_slots));
105 	}
106 	kmem_free(aclp, sizeof (zfs_acl_t));
107 }
108 
109 static uint32_t
110 zfs_v4_to_unix(uint32_t access_mask)
111 {
112 	uint32_t new_mask = 0;
113 
114 	if (access_mask & (ACE_READ_DATA | ACE_LIST_DIRECTORY))
115 		new_mask |= S_IROTH;
116 	if (access_mask & (ACE_WRITE_DATA|ACE_APPEND_DATA|ACE_ADD_FILE))
117 		new_mask |= S_IWOTH;
118 	if (access_mask & (ACE_EXECUTE|ACE_READ_NAMED_ATTRS))
119 		new_mask |= S_IXOTH;
120 
121 	return (new_mask);
122 }
123 
124 /*
125  * Convert unix access mask to v4 access mask
126  */
127 static uint32_t
128 zfs_unix_to_v4(uint32_t access_mask)
129 {
130 	uint32_t new_mask = 0;
131 
132 	if (access_mask & 01)
133 		new_mask |= (ACE_EXECUTE);
134 	if (access_mask & 02) {
135 		new_mask |= (ACE_WRITE_DATA);
136 	} if (access_mask & 04) {
137 		new_mask |= ACE_READ_DATA;
138 	}
139 	return (new_mask);
140 }
141 
142 static void
143 zfs_set_ace(ace_t *zacep, uint32_t access_mask, int access_type,
144     uid_t uid, int entry_type)
145 {
146 	zacep->a_access_mask = access_mask;
147 	zacep->a_type = access_type;
148 	zacep->a_who = uid;
149 	zacep->a_flags = entry_type;
150 }
151 
152 static uint64_t
153 zfs_mode_compute(znode_t *zp, zfs_acl_t *aclp)
154 {
155 	int 	i;
156 	int	entry_type;
157 	mode_t	mode = (zp->z_phys->zp_mode &
158 	    (S_IFMT | S_ISUID | S_ISGID | S_ISVTX));
159 	mode_t	 seen = 0;
160 	ace_t 	*acep;
161 
162 	for (i = 0, acep = aclp->z_acl;
163 	    i != aclp->z_acl_count; i++, acep++) {
164 		entry_type = (acep->a_flags & 0xf040);
165 		if (entry_type == ACE_OWNER) {
166 			if ((acep->a_access_mask & ACE_READ_DATA) &&
167 			    (!(seen & S_IRUSR))) {
168 				seen |= S_IRUSR;
169 				if (acep->a_type == ALLOW) {
170 					mode |= S_IRUSR;
171 				}
172 			}
173 			if ((acep->a_access_mask & ACE_WRITE_DATA) &&
174 			    (!(seen & S_IWUSR))) {
175 				seen |= S_IWUSR;
176 				if (acep->a_type == ALLOW) {
177 					mode |= S_IWUSR;
178 				}
179 			}
180 			if ((acep->a_access_mask & ACE_EXECUTE) &&
181 			    (!(seen & S_IXUSR))) {
182 				seen |= S_IXUSR;
183 				if (acep->a_type == ALLOW) {
184 					mode |= S_IXUSR;
185 				}
186 			}
187 		} else if (entry_type == OWNING_GROUP) {
188 			if ((acep->a_access_mask & ACE_READ_DATA) &&
189 			    (!(seen & S_IRGRP))) {
190 				seen |= S_IRGRP;
191 				if (acep->a_type == ALLOW) {
192 					mode |= S_IRGRP;
193 				}
194 			}
195 			if ((acep->a_access_mask & ACE_WRITE_DATA) &&
196 			    (!(seen & S_IWGRP))) {
197 				seen |= S_IWGRP;
198 				if (acep->a_type == ALLOW) {
199 					mode |= S_IWGRP;
200 				}
201 			}
202 			if ((acep->a_access_mask & ACE_EXECUTE) &&
203 			    (!(seen & S_IXGRP))) {
204 				seen |= S_IXGRP;
205 				if (acep->a_type == ALLOW) {
206 					mode |= S_IXGRP;
207 				}
208 			}
209 		} else if (entry_type == ACE_EVERYONE) {
210 			if ((acep->a_access_mask & ACE_READ_DATA)) {
211 				if (!(seen & S_IRUSR)) {
212 					seen |= S_IRUSR;
213 					if (acep->a_type == ALLOW) {
214 						mode |= S_IRUSR;
215 					}
216 				}
217 				if (!(seen & S_IRGRP)) {
218 					seen |= S_IRGRP;
219 					if (acep->a_type == ALLOW) {
220 						mode |= S_IRGRP;
221 					}
222 				}
223 				if (!(seen & S_IROTH)) {
224 					seen |= S_IROTH;
225 					if (acep->a_type == ALLOW) {
226 						mode |= S_IROTH;
227 					}
228 				}
229 			}
230 			if ((acep->a_access_mask & ACE_WRITE_DATA)) {
231 				if (!(seen & S_IWUSR)) {
232 					seen |= S_IWUSR;
233 					if (acep->a_type == ALLOW) {
234 						mode |= S_IWUSR;
235 					}
236 				}
237 				if (!(seen & S_IWGRP)) {
238 					seen |= S_IWGRP;
239 					if (acep->a_type == ALLOW) {
240 						mode |= S_IWGRP;
241 					}
242 				}
243 				if (!(seen & S_IWOTH)) {
244 					seen |= S_IWOTH;
245 					if (acep->a_type == ALLOW) {
246 						mode |= S_IWOTH;
247 					}
248 				}
249 			}
250 			if ((acep->a_access_mask & ACE_EXECUTE)) {
251 				if (!(seen & S_IXUSR)) {
252 					seen |= S_IXUSR;
253 					if (acep->a_type == ALLOW) {
254 						mode |= S_IXUSR;
255 					}
256 				}
257 				if (!(seen & S_IXGRP)) {
258 					seen |= S_IXGRP;
259 					if (acep->a_type == ALLOW) {
260 						mode |= S_IXGRP;
261 					}
262 				}
263 				if (!(seen & S_IXOTH)) {
264 					seen |= S_IXOTH;
265 					if (acep->a_type == ALLOW) {
266 						mode |= S_IXOTH;
267 					}
268 				}
269 			}
270 		}
271 	}
272 	return (mode);
273 }
274 
275 static zfs_acl_t *
276 zfs_acl_node_read_internal(znode_t *zp)
277 {
278 	zfs_acl_t	*aclp;
279 
280 	aclp = zfs_acl_alloc(0);
281 	aclp->z_acl_count = zp->z_phys->zp_acl.z_acl_count;
282 	aclp->z_acl = &zp->z_phys->zp_acl.z_ace_data[0];
283 
284 	return (aclp);
285 }
286 
287 /*
288  * Read an external acl object.
289  */
290 static int
291 zfs_acl_node_read(znode_t *zp, zfs_acl_t **aclpp)
292 {
293 	uint64_t extacl = zp->z_phys->zp_acl.z_acl_extern_obj;
294 	zfs_acl_t	*aclp;
295 	int error;
296 
297 	ASSERT(MUTEX_HELD(&zp->z_acl_lock));
298 
299 	if (zp->z_phys->zp_acl.z_acl_extern_obj == 0) {
300 		*aclpp = zfs_acl_node_read_internal(zp);
301 		return (0);
302 	}
303 
304 	aclp = zfs_acl_alloc(zp->z_phys->zp_acl.z_acl_count);
305 
306 	error = dmu_read(zp->z_zfsvfs->z_os, extacl, 0,
307 	    ZFS_ACL_SIZE(zp->z_phys->zp_acl.z_acl_count), aclp->z_acl);
308 	if (error != 0) {
309 		zfs_acl_free(aclp);
310 		return (error);
311 	}
312 
313 	aclp->z_acl_count = zp->z_phys->zp_acl.z_acl_count;
314 
315 	*aclpp = aclp;
316 	return (0);
317 }
318 
319 static boolean_t
320 zfs_acl_valid(znode_t *zp, ace_t *uace, int aclcnt, int *inherit)
321 {
322 	ace_t 	*acep;
323 	int i;
324 
325 	*inherit = 0;
326 
327 	if (aclcnt > MAX_ACL_ENTRIES || aclcnt <= 0) {
328 		return (B_FALSE);
329 	}
330 
331 	for (i = 0, acep = uace; i != aclcnt; i++, acep++) {
332 
333 		/*
334 		 * first check type of entry
335 		 */
336 
337 		switch (acep->a_flags & 0xf040) {
338 		case ACE_OWNER:
339 			acep->a_who = -1;
340 			break;
341 		case (ACE_IDENTIFIER_GROUP | ACE_GROUP):
342 		case ACE_IDENTIFIER_GROUP:
343 			if (acep->a_flags & ACE_GROUP) {
344 				acep->a_who = -1;
345 			}
346 			break;
347 		case ACE_EVERYONE:
348 			acep->a_who = -1;
349 			break;
350 		}
351 
352 		/*
353 		 * next check inheritance level flags
354 		 */
355 
356 		if (acep->a_type != ALLOW && acep->a_type != DENY)
357 			return (B_FALSE);
358 
359 		/*
360 		 * Only directories should have inheritance flags.
361 		 */
362 		if (ZTOV(zp)->v_type != VDIR && (acep->a_flags &
363 		    (ACE_FILE_INHERIT_ACE|ACE_DIRECTORY_INHERIT_ACE|
364 		    ACE_INHERIT_ONLY_ACE|ACE_NO_PROPAGATE_INHERIT_ACE))) {
365 			return (B_FALSE);
366 		}
367 
368 		if (acep->a_flags &
369 		    (ACE_FILE_INHERIT_ACE|ACE_DIRECTORY_INHERIT_ACE))
370 			*inherit = 1;
371 
372 		if (acep->a_flags &
373 		    (ACE_INHERIT_ONLY_ACE|ACE_NO_PROPAGATE_INHERIT_ACE)) {
374 			if ((acep->a_flags & (ACE_FILE_INHERIT_ACE|
375 			    ACE_DIRECTORY_INHERIT_ACE)) == 0) {
376 				return (B_FALSE);
377 			}
378 		}
379 	}
380 
381 	return (B_TRUE);
382 }
383 /*
384  * common code for setting acl's.
385  *
386  * This function is called from zfs_mode_update, zfs_perm_init, and zfs_setacl.
387  * zfs_setacl passes a non-NULL inherit pointer (ihp) to indicate that it's
388  * already checked the acl and knows whether to inherit.
389  */
390 int
391 zfs_aclset_common(znode_t *zp, zfs_acl_t *aclp, dmu_tx_t *tx, int *ihp)
392 {
393 	int 		inherit = 0;
394 	int		error;
395 	znode_phys_t	*zphys = zp->z_phys;
396 	zfs_znode_acl_t	*zacl = &zphys->zp_acl;
397 	uint32_t	acl_phys_size = ZFS_ACL_SIZE(aclp->z_acl_count);
398 	zfsvfs_t	*zfsvfs = zp->z_zfsvfs;
399 	uint64_t	aoid = zphys->zp_acl.z_acl_extern_obj;
400 
401 	ASSERT(MUTEX_HELD(&zp->z_lock));
402 	ASSERT(MUTEX_HELD(&zp->z_acl_lock));
403 
404 	if (ihp)
405 		inherit = *ihp;		/* already determined by caller */
406 	else if (!zfs_acl_valid(zp, aclp->z_acl,
407 	    aclp->z_acl_count, &inherit)) {
408 		return (EINVAL);
409 	}
410 
411 	dmu_buf_will_dirty(zp->z_dbuf, tx);
412 
413 	/*
414 	 * Will ACL fit internally?
415 	 */
416 	if (aclp->z_acl_count > ACE_SLOT_CNT) {
417 		if (aoid == 0) {
418 			aoid = dmu_object_alloc(zfsvfs->z_os,
419 			    DMU_OT_ACL, acl_phys_size, DMU_OT_NONE, 0, tx);
420 		} else {
421 			(void) dmu_object_set_blocksize(zfsvfs->z_os, aoid,
422 			    acl_phys_size, 0, tx);
423 		}
424 		zphys->zp_acl.z_acl_extern_obj = aoid;
425 		zphys->zp_acl.z_acl_count = aclp->z_acl_count;
426 		dmu_write(zfsvfs->z_os, aoid, 0,
427 		    acl_phys_size, aclp->z_acl, tx);
428 	} else {
429 		/*
430 		 * Migrating back embedded?
431 		 */
432 		if (zphys->zp_acl.z_acl_extern_obj) {
433 			error = dmu_object_free(zfsvfs->z_os,
434 				zp->z_phys->zp_acl.z_acl_extern_obj, tx);
435 			if (error)
436 				return (error);
437 			zphys->zp_acl.z_acl_extern_obj = 0;
438 		}
439 		bcopy(aclp->z_acl, zacl->z_ace_data,
440 		    aclp->z_acl_count * sizeof (ace_t));
441 		zacl->z_acl_count = aclp->z_acl_count;
442 	}
443 
444 	zp->z_phys->zp_flags &= ~(ZFS_ACL_TRIVIAL|ZFS_INHERIT_ACE);
445 	if (inherit) {
446 		zp->z_phys->zp_flags |= ZFS_INHERIT_ACE;
447 	} else if (ace_trivial(zacl->z_ace_data, zacl->z_acl_count) == 0) {
448 		zp->z_phys->zp_flags |= ZFS_ACL_TRIVIAL;
449 	}
450 
451 	zphys->zp_mode = zfs_mode_compute(zp, aclp);
452 	zfs_time_stamper_locked(zp, STATE_CHANGED, tx);
453 
454 	return (0);
455 }
456 
457 /*
458  * Create space for slots_needed ACEs to be append
459  * to aclp.
460  */
461 static void
462 zfs_acl_append(zfs_acl_t *aclp, int slots_needed)
463 {
464 	ace_t	*newacep;
465 	ace_t	*oldaclp;
466 	int	slot_cnt;
467 	int 	slots_left = aclp->z_slots - aclp->z_acl_count;
468 
469 	if (aclp->z_state == ACL_DATA_ALLOCED)
470 		ASSERT(aclp->z_slots >= aclp->z_acl_count);
471 	if (slots_left < slots_needed || aclp->z_state != ACL_DATA_ALLOCED) {
472 		slot_cnt = aclp->z_slots +  1 + (slots_needed - slots_left);
473 		newacep = kmem_alloc(ZFS_ACL_SIZE(slot_cnt), KM_SLEEP);
474 		bcopy(aclp->z_acl, newacep,
475 		    ZFS_ACL_SIZE(aclp->z_acl_count));
476 		oldaclp = aclp->z_acl;
477 		if (aclp->z_state == ACL_DATA_ALLOCED)
478 			kmem_free(oldaclp, ZFS_ACL_SIZE(aclp->z_slots));
479 		aclp->z_acl = newacep;
480 		aclp->z_slots = slot_cnt;
481 		aclp->z_state = ACL_DATA_ALLOCED;
482 	}
483 }
484 
485 /*
486  * Remove "slot" ACE from aclp
487  */
488 static void
489 zfs_ace_remove(zfs_acl_t *aclp, int slot)
490 {
491 	if (aclp->z_acl_count > 1) {
492 		(void) memmove(&aclp->z_acl[slot],
493 		    &aclp->z_acl[slot +1], sizeof (ace_t) *
494 		    (--aclp->z_acl_count - slot));
495 	} else
496 		aclp->z_acl_count--;
497 }
498 
499 /*
500  * Update access mask for prepended ACE
501  *
502  * This applies the "groupmask" value for aclmode property.
503  */
504 static void
505 zfs_acl_prepend_fixup(ace_t *acep, ace_t *origacep, mode_t mode, uid_t owner)
506 {
507 
508 	int	rmask, wmask, xmask;
509 	int	user_ace;
510 
511 	user_ace = (!(acep->a_flags &
512 	    (ACE_OWNER|ACE_GROUP|ACE_IDENTIFIER_GROUP)));
513 
514 	if (user_ace && (acep->a_who == owner)) {
515 		rmask = S_IRUSR;
516 		wmask = S_IWUSR;
517 		xmask = S_IXUSR;
518 	} else {
519 		rmask = S_IRGRP;
520 		wmask = S_IWGRP;
521 		xmask = S_IXGRP;
522 	}
523 
524 	if (origacep->a_access_mask & ACE_READ_DATA) {
525 		if (mode & rmask)
526 			acep->a_access_mask &= ~ACE_READ_DATA;
527 		else
528 			acep->a_access_mask |= ACE_READ_DATA;
529 	}
530 
531 	if (origacep->a_access_mask & ACE_WRITE_DATA) {
532 		if (mode & wmask)
533 			acep->a_access_mask &= ~ACE_WRITE_DATA;
534 		else
535 			acep->a_access_mask |= ACE_WRITE_DATA;
536 	}
537 
538 	if (origacep->a_access_mask & ACE_APPEND_DATA) {
539 		if (mode & wmask)
540 			acep->a_access_mask &= ~ACE_APPEND_DATA;
541 		else
542 			acep->a_access_mask |= ACE_APPEND_DATA;
543 	}
544 
545 	if (origacep->a_access_mask & ACE_EXECUTE) {
546 		if (mode & xmask)
547 			acep->a_access_mask &= ~ACE_EXECUTE;
548 		else
549 			acep->a_access_mask |= ACE_EXECUTE;
550 	}
551 }
552 
553 /*
554  * Apply mode to canonical six ACEs.
555  */
556 static void
557 zfs_acl_fixup_canonical_six(zfs_acl_t *aclp, mode_t mode)
558 {
559 	int	cnt;
560 	ace_t	*acep;
561 
562 	cnt = aclp->z_acl_count -1;
563 	acep = aclp->z_acl;
564 
565 	/*
566 	 * Fixup final ACEs to match the mode
567 	 */
568 
569 	ASSERT(cnt >= 5);
570 	adjust_ace_pair(&acep[cnt - 1], mode);	/* everyone@ */
571 	adjust_ace_pair(&acep[cnt - 3], (mode & 0070) >> 3);	/* group@ */
572 	adjust_ace_pair(&acep[cnt - 5], (mode & 0700) >> 6);	/* owner@ */
573 }
574 
575 
576 static int
577 zfs_acl_ace_match(ace_t *acep, int allow_deny, int type, int mask)
578 {
579 	return (acep->a_access_mask == mask && acep->a_type == allow_deny &&
580 	    ((acep->a_flags & 0xf040) == type));
581 }
582 
583 /*
584  * Can prepended ACE be reused?
585  */
586 static int
587 zfs_reuse_deny(ace_t *acep, int i)
588 {
589 	int okay_masks;
590 
591 	if (i < 1)
592 		return (B_FALSE);
593 
594 	if (acep[i-1].a_type != DENY)
595 		return (B_FALSE);
596 
597 	if (acep[i-1].a_flags != (acep[i].a_flags & ACE_IDENTIFIER_GROUP))
598 		return (B_FALSE);
599 
600 	okay_masks = (acep[i].a_access_mask & OKAY_MASK_BITS);
601 
602 	if (acep[i-1].a_access_mask & ~okay_masks)
603 		return (B_FALSE);
604 
605 	return (B_TRUE);
606 }
607 
608 /*
609  * Create space to prepend an ACE
610  */
611 static void
612 zfs_acl_prepend(zfs_acl_t *aclp, int i)
613 {
614 	ace_t	*oldaclp = NULL;
615 	ace_t	*to, *from;
616 	int	slots_left = aclp->z_slots - aclp->z_acl_count;
617 	int	oldslots;
618 	int	need_free = 0;
619 
620 	if (aclp->z_state == ACL_DATA_ALLOCED)
621 		ASSERT(aclp->z_slots >= aclp->z_acl_count);
622 
623 	if (slots_left == 0 || aclp->z_state != ACL_DATA_ALLOCED) {
624 
625 		to = kmem_alloc(ZFS_ACL_SIZE(aclp->z_acl_count +
626 		    OGE_PAD), KM_SLEEP);
627 		if (aclp->z_state == ACL_DATA_ALLOCED)
628 			need_free++;
629 		from = aclp->z_acl;
630 		oldaclp = aclp->z_acl;
631 		(void) memmove(to, from,
632 		    sizeof (ace_t) * aclp->z_acl_count);
633 		aclp->z_state = ACL_DATA_ALLOCED;
634 	} else {
635 		from = aclp->z_acl;
636 		to = aclp->z_acl;
637 	}
638 
639 
640 	(void) memmove(&to[i + 1], &from[i],
641 	    sizeof (ace_t) * (aclp->z_acl_count - i));
642 
643 	if (oldaclp) {
644 		aclp->z_acl = to;
645 		oldslots = aclp->z_slots;
646 		aclp->z_slots = aclp->z_acl_count + OGE_PAD;
647 		if (need_free)
648 			kmem_free(oldaclp, ZFS_ACL_SIZE(oldslots));
649 	}
650 
651 }
652 
653 /*
654  * Prepend deny ACE
655  */
656 static void
657 zfs_acl_prepend_deny(znode_t *zp, zfs_acl_t *aclp, int i,
658     mode_t mode)
659 {
660 	ace_t	*acep;
661 
662 	zfs_acl_prepend(aclp, i);
663 
664 	acep = aclp->z_acl;
665 	zfs_set_ace(&acep[i], 0, DENY, acep[i + 1].a_who,
666 	    (acep[i + 1].a_flags & 0xf040));
667 	zfs_acl_prepend_fixup(&acep[i], &acep[i+1], mode, zp->z_phys->zp_uid);
668 	aclp->z_acl_count++;
669 }
670 
671 /*
672  * Split an inherited ACE into inherit_only ACE
673  * and original ACE with inheritance flags stripped off.
674  */
675 static void
676 zfs_acl_split_ace(zfs_acl_t *aclp, int i)
677 {
678 	ace_t *acep = aclp->z_acl;
679 
680 	zfs_acl_prepend(aclp, i);
681 	acep = aclp->z_acl;
682 	acep[i] = acep[i + 1];
683 	acep[i].a_flags |= ACE_INHERIT_ONLY_ACE;
684 	acep[i + 1].a_flags &= ~ALL_INHERIT;
685 	aclp->z_acl_count++;
686 }
687 
688 /*
689  * Are ACES started at index i, the canonical six ACES?
690  */
691 static int
692 zfs_have_canonical_six(zfs_acl_t *aclp, int i)
693 {
694 	ace_t *acep = aclp->z_acl;
695 
696 	if ((zfs_acl_ace_match(&acep[i],
697 	    DENY, ACE_OWNER, 0) &&
698 	    zfs_acl_ace_match(&acep[i + 1], ALLOW, ACE_OWNER,
699 	    OWNER_ALLOW_MASK) && zfs_acl_ace_match(&acep[i + 2],
700 	    DENY, OWNING_GROUP, 0) && zfs_acl_ace_match(&acep[i + 3],
701 	    ALLOW, OWNING_GROUP, 0) && zfs_acl_ace_match(&acep[i + 4],
702 	    DENY, ACE_EVERYONE, EVERYONE_DENY_MASK) &&
703 	    zfs_acl_ace_match(&acep[i + 5], ALLOW, ACE_EVERYONE,
704 	    EVERYONE_ALLOW_MASK))) {
705 		return (1);
706 	} else {
707 		return (0);
708 	}
709 }
710 
711 /*
712  * Apply step 1g, to group entries
713  *
714  * Need to deal with corner case where group may have
715  * greater permissions than owner.  If so then limit
716  * group permissions, based on what extra permissions
717  * group has.
718  */
719 static void
720 zfs_fixup_group_entries(ace_t *acep, mode_t mode)
721 {
722 	mode_t extramode = (mode >> 3) & 07;
723 	mode_t ownermode = (mode >> 6);
724 
725 	if (acep[0].a_flags & ACE_IDENTIFIER_GROUP) {
726 
727 		extramode &= ~ownermode;
728 
729 		if (extramode) {
730 			if (extramode & 04) {
731 				acep[0].a_access_mask &= ~ACE_READ_DATA;
732 				acep[1].a_access_mask &= ~ACE_READ_DATA;
733 			}
734 			if (extramode & 02) {
735 				acep[0].a_access_mask &=
736 				    ~(ACE_WRITE_DATA|ACE_APPEND_DATA);
737 				acep[1].a_access_mask &=
738 				    ~(ACE_WRITE_DATA|ACE_APPEND_DATA);
739 			}
740 			if (extramode & 01) {
741 				acep[0].a_access_mask &= ~ACE_EXECUTE;
742 				acep[1].a_access_mask &= ~ACE_EXECUTE;
743 			}
744 		}
745 	}
746 }
747 
748 /*
749  * Apply the chmod algorithm as described
750  * in PSARC/2002/240
751  */
752 static int
753 zfs_acl_chmod(znode_t *zp, uint64_t mode, zfs_acl_t *aclp,
754     dmu_tx_t *tx)
755 {
756 	zfsvfs_t	*zfsvfs = zp->z_zfsvfs;
757 	ace_t 		*acep;
758 	int 		i;
759 	int		error;
760 	int 		entry_type;
761 	int 		reuse_deny;
762 	int 		need_canonical_six = 1;
763 	int		inherit = 0;
764 	int		iflags;
765 
766 	ASSERT(MUTEX_HELD(&zp->z_acl_lock));
767 	ASSERT(MUTEX_HELD(&zp->z_lock));
768 
769 	i = 0;
770 	while (i < aclp->z_acl_count) {
771 		acep = aclp->z_acl;
772 		entry_type = (acep[i].a_flags & 0xf040);
773 		iflags = (acep[i].a_flags & ALL_INHERIT);
774 
775 		if ((acep[i].a_type != ALLOW && acep[i].a_type != DENY) ||
776 		    (iflags & ACE_INHERIT_ONLY_ACE)) {
777 			i++;
778 			if (iflags)
779 				inherit = 1;
780 			continue;
781 		}
782 
783 
784 		if (zfsvfs->z_acl_mode == DISCARD) {
785 			zfs_ace_remove(aclp, i);
786 			continue;
787 		}
788 
789 		/*
790 		 * Need to split ace into two?
791 		 */
792 		if ((iflags & (ACE_FILE_INHERIT_ACE|
793 		    ACE_DIRECTORY_INHERIT_ACE)) &&
794 		    (!(iflags & ACE_INHERIT_ONLY_ACE))) {
795 			zfs_acl_split_ace(aclp, i);
796 			i++;
797 			inherit = 1;
798 			continue;
799 		}
800 
801 		if (entry_type == ACE_OWNER || entry_type == ACE_EVERYONE ||
802 		    (entry_type == OWNING_GROUP)) {
803 			acep[i].a_access_mask &= ~OGE_CLEAR;
804 			i++;
805 			continue;
806 
807 		} else {
808 			if (acep[i].a_type == ALLOW) {
809 
810 				/*
811 				 * Check preceding ACE if any, to see
812 				 * if we need to prepend a DENY ACE.
813 				 * This is only applicable when the acl_mode
814 				 * property == groupmask.
815 				 */
816 				if (zfsvfs->z_acl_mode == GROUPMASK) {
817 
818 					reuse_deny = zfs_reuse_deny(acep, i);
819 
820 					if (reuse_deny == B_FALSE) {
821 						zfs_acl_prepend_deny(zp, aclp,
822 						    i, mode);
823 						i++;
824 						acep = aclp->z_acl;
825 					} else {
826 						zfs_acl_prepend_fixup(
827 						    &acep[i - 1],
828 						    &acep[i], mode,
829 						    zp->z_phys->zp_uid);
830 					}
831 					zfs_fixup_group_entries(&acep[i - 1],
832 					    mode);
833 				}
834 			}
835 			i++;
836 		}
837 	}
838 
839 	/*
840 	 * Check out last six aces, if we have six.
841 	 */
842 
843 	if (aclp->z_acl_count >= 6) {
844 		i = aclp->z_acl_count - 6;
845 
846 		if (zfs_have_canonical_six(aclp, i)) {
847 			need_canonical_six = 0;
848 		}
849 	}
850 
851 	if (need_canonical_six) {
852 
853 		zfs_acl_append(aclp, 6);
854 		i = aclp->z_acl_count;
855 		acep = aclp->z_acl;
856 		zfs_set_ace(&acep[i++], 0, DENY, -1, ACE_OWNER);
857 		zfs_set_ace(&acep[i++], OWNER_ALLOW_MASK, ALLOW, -1, ACE_OWNER);
858 		zfs_set_ace(&acep[i++], 0, DENY, -1, OWNING_GROUP);
859 		zfs_set_ace(&acep[i++], 0, ALLOW, -1, OWNING_GROUP);
860 		zfs_set_ace(&acep[i++], EVERYONE_DENY_MASK,
861 		    DENY, -1, ACE_EVERYONE);
862 		zfs_set_ace(&acep[i++], EVERYONE_ALLOW_MASK,
863 		    ALLOW, -1, ACE_EVERYONE);
864 		aclp->z_acl_count += 6;
865 	}
866 
867 	zfs_acl_fixup_canonical_six(aclp, mode);
868 
869 	zp->z_phys->zp_mode = mode;
870 	error = zfs_aclset_common(zp, aclp, tx, &inherit);
871 	return (error);
872 }
873 
874 
875 int
876 zfs_acl_chmod_setattr(znode_t *zp, uint64_t mode, dmu_tx_t *tx)
877 {
878 	zfs_acl_t *aclp = NULL;
879 	int error;
880 
881 	ASSERT(MUTEX_HELD(&zp->z_lock));
882 	mutex_enter(&zp->z_acl_lock);
883 	error = zfs_acl_node_read(zp, &aclp);
884 	if (error == 0)
885 		error = zfs_acl_chmod(zp, mode, aclp, tx);
886 	mutex_exit(&zp->z_acl_lock);
887 	if (aclp)
888 		zfs_acl_free(aclp);
889 	return (error);
890 }
891 
892 /*
893  * strip off write_owner and write_acl
894  */
895 static void
896 zfs_securemode_update(zfsvfs_t *zfsvfs, ace_t *acep)
897 {
898 	if ((zfsvfs->z_acl_inherit == SECURE) &&
899 	    acep->a_type == ALLOW)
900 		acep->a_access_mask &= ~SECURE_NO_INHERIT;
901 }
902 
903 /*
904  * inherit inheritable ACEs from parent
905  */
906 static zfs_acl_t *
907 zfs_acl_inherit(znode_t *zp, zfs_acl_t *paclp)
908 {
909 	zfsvfs_t	*zfsvfs = zp->z_zfsvfs;
910 	ace_t 		*pacep;
911 	ace_t		*acep;
912 	int 		ace_cnt = 0;
913 	int		pace_cnt;
914 	int 		i, j;
915 	zfs_acl_t	*aclp = NULL;
916 
917 	i = j = 0;
918 	pace_cnt = paclp->z_acl_count;
919 	pacep = paclp->z_acl;
920 	if (zfsvfs->z_acl_inherit != DISCARD) {
921 		for (i = 0; i != pace_cnt; i++) {
922 
923 			if (zfsvfs->z_acl_inherit == NOALLOW &&
924 			    pacep[i].a_type == ALLOW)
925 				continue;
926 
927 			if (zfs_ace_can_use(zp, &pacep[i])) {
928 				ace_cnt++;
929 				if (!(pacep[i].a_flags &
930 				    ACE_NO_PROPAGATE_INHERIT_ACE))
931 					ace_cnt++;
932 			}
933 		}
934 	}
935 
936 	aclp = zfs_acl_alloc(ace_cnt + OGE_PAD);
937 	if (ace_cnt && zfsvfs->z_acl_inherit != DISCARD) {
938 		acep = aclp->z_acl;
939 		pacep = paclp->z_acl;
940 		for (i = 0; i != pace_cnt; i++) {
941 
942 			if (zfsvfs->z_acl_inherit == NOALLOW &&
943 			    pacep[i].a_type == ALLOW)
944 				continue;
945 
946 			if (zfs_ace_can_use(zp, &pacep[i])) {
947 				/*
948 				 * Now create entry for inherited ace
949 				 */
950 				acep[j] = pacep[i];
951 
952 				if (pacep[i].a_flags &
953 				    ACE_NO_PROPAGATE_INHERIT_ACE) {
954 					acep[j].a_flags &= ~ALL_INHERIT;
955 					j++;
956 					continue;
957 				}
958 
959 				if (pacep[i].a_type != ALLOW &&
960 				    pacep[i].a_type != DENY) {
961 					zfs_securemode_update(zfsvfs, &acep[j]);
962 					j++;
963 					continue;
964 				}
965 
966 				if (ZTOV(zp)->v_type != VDIR) {
967 					acep[j].a_flags &= ~ALL_INHERIT;
968 					zfs_securemode_update(zfsvfs, &acep[j]);
969 					j++;
970 					continue;
971 				}
972 
973 				ASSERT(ZTOV(zp)->v_type == VDIR);
974 
975 				/*
976 				 * If we are inheriting an ACE targeted for
977 				 * only files, then make sure inherit_only
978 				 * is on for future propagation.
979 				 */
980 				if ((acep[j].a_flags & (ACE_FILE_INHERIT_ACE |
981 				    ACE_DIRECTORY_INHERIT_ACE)) ==
982 				    ACE_FILE_INHERIT_ACE) {
983 					acep[j].a_flags |= ACE_INHERIT_ONLY_ACE;
984 				} else {
985 					acep[j].a_flags &=
986 					    ~ACE_INHERIT_ONLY_ACE;
987 				}
988 
989 				zfs_securemode_update(zfsvfs, &acep[j]);
990 				j++;
991 			}
992 		}
993 	}
994 	aclp->z_acl_count = j;
995 	ASSERT(aclp->z_slots >= aclp->z_acl_count);
996 
997 	return (aclp);
998 }
999 
1000 /*
1001  * Create file system object initial permissions
1002  * including inheritable ACEs.
1003  */
1004 void
1005 zfs_perm_init(znode_t *zp, znode_t *parent, int flag,
1006     vattr_t *vap, dmu_tx_t *tx, cred_t *cr)
1007 {
1008 	uint64_t	mode;
1009 	uid_t		uid;
1010 	gid_t		gid;
1011 	int		error;
1012 	int		pull_down;
1013 	zfs_acl_t	*aclp, *paclp;
1014 
1015 	mode = MAKEIMODE(vap->va_type, vap->va_mode);
1016 
1017 	/*
1018 	 * Determine uid and gid.
1019 	 */
1020 	if ((flag & (IS_ROOT_NODE | IS_REPLAY)) ||
1021 	    ((flag & IS_XATTR) && (vap->va_type == VDIR))) {
1022 		uid = vap->va_uid;
1023 		gid = vap->va_gid;
1024 	} else {
1025 		uid = crgetuid(cr);
1026 		if ((vap->va_mask & AT_GID) &&
1027 		    ((vap->va_gid == parent->z_phys->zp_gid) ||
1028 		    groupmember(vap->va_gid, cr) ||
1029 		    secpolicy_vnode_create_gid(cr)))
1030 			gid = vap->va_gid;
1031 		else
1032 			gid = (parent->z_phys->zp_mode & S_ISGID) ?
1033 			    parent->z_phys->zp_gid : crgetgid(cr);
1034 	}
1035 
1036 	/*
1037 	 * If we're creating a directory, and the parent directory has the
1038 	 * set-GID bit set, set in on the new directory.
1039 	 * Otherwise, if the user is neither privileged nor a member of the
1040 	 * file's new group, clear the file's set-GID bit.
1041 	 */
1042 
1043 	if ((parent->z_phys->zp_mode & S_ISGID) && (vap->va_type == VDIR))
1044 		mode |= S_ISGID;
1045 	else {
1046 		if ((mode & S_ISGID) &&
1047 		    secpolicy_vnode_setids_setgids(cr, gid) != 0)
1048 			mode &= ~S_ISGID;
1049 	}
1050 
1051 	zp->z_phys->zp_uid = uid;
1052 	zp->z_phys->zp_gid = gid;
1053 	zp->z_phys->zp_mode = mode;
1054 
1055 	mutex_enter(&parent->z_lock);
1056 	pull_down = (parent->z_phys->zp_flags & ZFS_INHERIT_ACE);
1057 	if (pull_down) {
1058 		mutex_enter(&parent->z_acl_lock);
1059 		VERIFY(0 == zfs_acl_node_read(parent, &paclp));
1060 		mutex_exit(&parent->z_acl_lock);
1061 		aclp = zfs_acl_inherit(zp, paclp);
1062 		zfs_acl_free(paclp);
1063 	} else {
1064 		aclp = zfs_acl_alloc(6);
1065 	}
1066 	mutex_exit(&parent->z_lock);
1067 	mutex_enter(&zp->z_lock);
1068 	mutex_enter(&zp->z_acl_lock);
1069 	error = zfs_acl_chmod(zp, mode, aclp, tx);
1070 	mutex_exit(&zp->z_lock);
1071 	mutex_exit(&zp->z_acl_lock);
1072 	ASSERT3U(error, ==, 0);
1073 	zfs_acl_free(aclp);
1074 }
1075 
1076 /*
1077  * Should ACE be inherited?
1078  */
1079 static int
1080 zfs_ace_can_use(znode_t *zp, ace_t *acep)
1081 {
1082 	int vtype = ZTOV(zp)->v_type;
1083 
1084 	int	iflags = (acep->a_flags & 0xf);
1085 
1086 	if ((vtype == VDIR) && (iflags & ACE_DIRECTORY_INHERIT_ACE))
1087 		return (1);
1088 	else if (iflags & ACE_FILE_INHERIT_ACE)
1089 		return (!((vtype == VDIR) &&
1090 		    (iflags & ACE_NO_PROPAGATE_INHERIT_ACE)));
1091 	return (0);
1092 }
1093 
1094 /*
1095  * Retrieve a files ACL
1096  */
1097 int
1098 zfs_getacl(znode_t *zp, vsecattr_t  *vsecp, cred_t *cr)
1099 {
1100 	zfs_acl_t	*aclp;
1101 	ulong_t		mask = vsecp->vsa_mask & (VSA_ACE | VSA_ACECNT);
1102 	int		error;
1103 
1104 	if (error = zfs_zaccess(zp, ACE_READ_ACL, cr)) {
1105 		/*
1106 		 * If owner of file then allow reading of the
1107 		 * ACL.
1108 		 */
1109 		if (crgetuid(cr) != zp->z_phys->zp_uid)
1110 			return (error);
1111 	}
1112 
1113 	if (mask == 0)
1114 		return (ENOSYS);
1115 
1116 	mutex_enter(&zp->z_acl_lock);
1117 
1118 	error = zfs_acl_node_read(zp, &aclp);
1119 	if (error != 0) {
1120 		mutex_exit(&zp->z_acl_lock);
1121 		return (error);
1122 	}
1123 
1124 
1125 	if (mask & VSA_ACECNT) {
1126 		vsecp->vsa_aclcnt = aclp->z_acl_count;
1127 	}
1128 
1129 	if (mask & VSA_ACE) {
1130 		vsecp->vsa_aclentp = kmem_alloc(aclp->z_acl_count *
1131 		    sizeof (ace_t), KM_SLEEP);
1132 		bcopy(aclp->z_acl, vsecp->vsa_aclentp,
1133 		    aclp->z_acl_count * sizeof (ace_t));
1134 	}
1135 
1136 	mutex_exit(&zp->z_acl_lock);
1137 
1138 	zfs_acl_free(aclp);
1139 
1140 	return (0);
1141 }
1142 
1143 /*
1144  * Set a files ACL
1145  */
1146 int
1147 zfs_setacl(znode_t *zp, vsecattr_t *vsecp, cred_t *cr)
1148 {
1149 	zfsvfs_t	*zfsvfs = zp->z_zfsvfs;
1150 	zilog_t		*zilog = zfsvfs->z_log;
1151 	ace_t		*acep = vsecp->vsa_aclentp;
1152 	int		aclcnt = vsecp->vsa_aclcnt;
1153 	ulong_t		mask = vsecp->vsa_mask & (VSA_ACE | VSA_ACECNT);
1154 	dmu_tx_t	*tx;
1155 	int		error;
1156 	int		inherit;
1157 	zfs_acl_t	*aclp;
1158 	uint64_t	seq = 0;
1159 
1160 	if (mask == 0)
1161 		return (EINVAL);
1162 
1163 	if (!zfs_acl_valid(zp, acep, aclcnt, &inherit))
1164 		return (EINVAL);
1165 top:
1166 	error = zfs_zaccess_v4_perm(zp, ACE_WRITE_ACL, cr);
1167 	if (error == EACCES || error == ACCESS_UNDETERMINED) {
1168 		if ((error = secpolicy_vnode_setdac(cr,
1169 		    zp->z_phys->zp_uid)) != 0) {
1170 			return (error);
1171 		}
1172 	} else if (error) {
1173 		return (error == EROFS ? error : EPERM);
1174 	}
1175 
1176 	mutex_enter(&zp->z_lock);
1177 	mutex_enter(&zp->z_acl_lock);
1178 
1179 	tx = dmu_tx_create(zfsvfs->z_os);
1180 	dmu_tx_hold_bonus(tx, zp->z_id);
1181 
1182 	if (zp->z_phys->zp_acl.z_acl_extern_obj) {
1183 		dmu_tx_hold_write(tx, zp->z_phys->zp_acl.z_acl_extern_obj,
1184 		    0, ZFS_ACL_SIZE(aclcnt));
1185 	} else if (aclcnt > ACE_SLOT_CNT) {
1186 		dmu_tx_hold_write(tx, DMU_NEW_OBJECT, 0, ZFS_ACL_SIZE(aclcnt));
1187 	}
1188 
1189 	error = dmu_tx_assign(tx, zfsvfs->z_assign);
1190 	if (error) {
1191 		dmu_tx_abort(tx);
1192 
1193 		mutex_exit(&zp->z_acl_lock);
1194 		mutex_exit(&zp->z_lock);
1195 
1196 		if (error == ERESTART && zfsvfs->z_assign == TXG_NOWAIT) {
1197 			txg_wait_open(dmu_objset_pool(zfsvfs->z_os), 0);
1198 			goto top;
1199 		}
1200 		return (error);
1201 	}
1202 
1203 	aclp = zfs_acl_alloc(aclcnt);
1204 	bcopy(acep, aclp->z_acl, sizeof (ace_t) * aclcnt);
1205 	aclp->z_acl_count = aclcnt;
1206 	error = zfs_aclset_common(zp, aclp, tx, &inherit);
1207 	ASSERT(error == 0);
1208 
1209 	zfs_acl_free(aclp);
1210 	seq = zfs_log_acl(zilog, tx, TX_ACL, zp, aclcnt, acep);
1211 	dmu_tx_commit(tx);
1212 done:
1213 	mutex_exit(&zp->z_acl_lock);
1214 	mutex_exit(&zp->z_lock);
1215 
1216 	zil_commit(zilog, seq, 0);
1217 
1218 	return (error);
1219 }
1220 
1221 static int
1222 zfs_ace_access(ace_t *zacep, int mode_wanted, int *working_mode)
1223 {
1224 	if ((*working_mode & mode_wanted) == mode_wanted) {
1225 		return (0);
1226 	}
1227 
1228 	if (zacep->a_access_mask & mode_wanted) {
1229 		if (zacep->a_type == ALLOW) {
1230 			*working_mode |= (mode_wanted & zacep->a_access_mask);
1231 			if ((*working_mode & mode_wanted) == mode_wanted)
1232 				return (0);
1233 		} else if (zacep->a_type == DENY) {
1234 			return (EACCES);
1235 		}
1236 	}
1237 
1238 	/*
1239 	 * haven't been specifcally denied at this point
1240 	 * so return UNDETERMINED.
1241 	 */
1242 
1243 	return (ACCESS_UNDETERMINED);
1244 }
1245 
1246 
1247 static int
1248 zfs_zaccess_common(znode_t *zp, int v4_mode, int *working_mode, cred_t *cr)
1249 {
1250 	zfs_acl_t	*aclp;
1251 	zfsvfs_t	*zfsvfs = zp->z_zfsvfs;
1252 	ace_t		*zacep;
1253 	gid_t		gid;
1254 	int		mode_wanted = v4_mode;
1255 	int		cnt;
1256 	int		i;
1257 	int		error;
1258 	int		access_deny = ACCESS_UNDETERMINED;
1259 	uint_t		entry_type;
1260 	uid_t		uid = crgetuid(cr);
1261 
1262 	*working_mode = 0;
1263 
1264 	if (zfsvfs->z_assign >= TXG_INITIAL)		/* ZIL replay */
1265 		return (0);
1266 
1267 	if ((v4_mode & WRITE_MASK) &&
1268 	    (zp->z_zfsvfs->z_vfs->vfs_flag & VFS_RDONLY) &&
1269 	    (!IS_DEVVP(ZTOV(zp)))) {
1270 		return (EROFS);
1271 	}
1272 
1273 	mutex_enter(&zp->z_acl_lock);
1274 
1275 	error = zfs_acl_node_read(zp, &aclp);
1276 	if (error != 0) {
1277 		mutex_exit(&zp->z_acl_lock);
1278 		return (error);
1279 	}
1280 
1281 
1282 	zacep = aclp->z_acl;
1283 	cnt = aclp->z_acl_count;
1284 
1285 	for (i = 0; i != cnt; i++) {
1286 
1287 		if (zacep[i].a_flags & ACE_INHERIT_ONLY_ACE)
1288 			continue;
1289 
1290 		entry_type = (zacep[i].a_flags & 0xf040);
1291 		switch (entry_type) {
1292 		case ACE_OWNER:
1293 			if (uid == zp->z_phys->zp_uid) {
1294 				access_deny = zfs_ace_access(&zacep[i],
1295 				    mode_wanted, working_mode);
1296 			}
1297 			break;
1298 		case (ACE_IDENTIFIER_GROUP | ACE_GROUP):
1299 		case ACE_IDENTIFIER_GROUP:
1300 			/*
1301 			 * Owning group gid is in znode not ACL
1302 			 */
1303 			if (entry_type == (ACE_IDENTIFIER_GROUP | ACE_GROUP))
1304 				gid = zp->z_phys->zp_gid;
1305 			else
1306 				gid = zacep[i].a_who;
1307 
1308 			if (groupmember(gid, cr)) {
1309 				access_deny = zfs_ace_access(&zacep[i],
1310 				    mode_wanted, working_mode);
1311 			}
1312 			break;
1313 		case ACE_EVERYONE:
1314 			access_deny = zfs_ace_access(&zacep[i],
1315 			    mode_wanted, working_mode);
1316 			break;
1317 
1318 		/* USER Entry */
1319 		default:
1320 			if (entry_type == 0) {
1321 				if (uid == zacep[i].a_who) {
1322 					access_deny = zfs_ace_access(&zacep[i],
1323 					    mode_wanted, working_mode);
1324 				}
1325 				break;
1326 			}
1327 			zfs_acl_free(aclp);
1328 			mutex_exit(&zp->z_acl_lock);
1329 			return (EIO);
1330 		}
1331 
1332 		if (access_deny != ACCESS_UNDETERMINED)
1333 			break;
1334 
1335 	}
1336 
1337 	mutex_exit(&zp->z_acl_lock);
1338 	zfs_acl_free(aclp);
1339 
1340 	return (access_deny);
1341 }
1342 
1343 
1344 /*
1345  * Determine whether Access should be granted/denied, invoking least
1346  * priv subsytem when a deny is determined.
1347  */
1348 int
1349 zfs_zaccess(znode_t *zp, int mode, cred_t *cr)
1350 {
1351 	int	working_mode = 0;
1352 	int	error;
1353 	int	is_attr;
1354 	znode_t	*xzp;
1355 	znode_t *check_zp = zp;
1356 
1357 	is_attr = ((zp->z_phys->zp_flags & ZFS_XATTR) &&
1358 	    (ZTOV(zp)->v_type == VDIR));
1359 
1360 	/*
1361 	 * If attribute then validate against base file
1362 	 */
1363 	if (is_attr) {
1364 		if ((error = zfs_zget(zp->z_zfsvfs,
1365 		    zp->z_phys->zp_parent, &xzp)) != 0)	{
1366 			return (error);
1367 		}
1368 		check_zp = xzp;
1369 		/*
1370 		 * fixup mode to map to xattr perms
1371 		 */
1372 
1373 		if (mode & (ACE_WRITE_DATA|ACE_APPEND_DATA)) {
1374 			mode &= ~(ACE_WRITE_DATA|ACE_APPEND_DATA);
1375 			mode |= ACE_WRITE_NAMED_ATTRS;
1376 		}
1377 
1378 		if (mode & (ACE_READ_DATA|ACE_EXECUTE)) {
1379 			mode &= ~(ACE_READ_DATA|ACE_EXECUTE);
1380 			mode |= ACE_READ_NAMED_ATTRS;
1381 		}
1382 	}
1383 
1384 	error = zfs_zaccess_common(check_zp, mode, &working_mode, cr);
1385 
1386 	if (error == EROFS) {
1387 		if (is_attr)
1388 			VN_RELE(ZTOV(xzp));
1389 		return (error);
1390 	}
1391 
1392 	if (error || (working_mode != mode)) {
1393 		error = secpolicy_vnode_access(cr, ZTOV(check_zp),
1394 		    check_zp->z_phys->zp_uid, ~zfs_v4_to_unix(working_mode));
1395 	}
1396 
1397 	if (is_attr)
1398 		VN_RELE(ZTOV(xzp));
1399 
1400 	return (error);
1401 }
1402 
1403 /*
1404  * Special zaccess function to check for special nfsv4 perm.
1405  * doesn't call secpolicy_vnode_access() for failure, since that
1406  * would probably be the wrong policy function to call.
1407  * instead its up to the caller to handle that situation.
1408  */
1409 
1410 int
1411 zfs_zaccess_v4_perm(znode_t *zp, int mode, cred_t *cr)
1412 {
1413 	int working_mode = 0;
1414 	return (zfs_zaccess_common(zp, mode, &working_mode, cr));
1415 }
1416 
1417 /*
1418  * Translate tradition unix VREAD/VWRITE/VEXEC mode into
1419  * native ACL format and call zfs_zaccess()
1420  */
1421 int
1422 zfs_zaccess_rwx(znode_t *zp, mode_t mode, cred_t *cr)
1423 {
1424 	int v4_mode = zfs_unix_to_v4(mode >> 6);
1425 
1426 	return (zfs_zaccess(zp, v4_mode, cr));
1427 }
1428 
1429 /*
1430  * Determine whether Access should be granted/deny, without
1431  * consulting least priv subsystem.
1432  *
1433  *
1434  * The following chart is the recommended NFSv4 enforcement for
1435  * ability to delete an object.
1436  *
1437  *      -------------------------------------------------------
1438  *      |   Parent Dir  |           Target Object Permissions |
1439  *      |  permissions  |                                     |
1440  *      -------------------------------------------------------
1441  *      |               | ACL Allows | ACL Denies| Delete     |
1442  *      |               |  Delete    |  Delete   | unspecified|
1443  *      -------------------------------------------------------
1444  *      |  ACL Allows   | Permit     | Permit    | Permit     |
1445  *      |  DELETE_CHILD |                                     |
1446  *      -------------------------------------------------------
1447  *      |  ACL Denies   | Permit     | Deny      | Deny       |
1448  *      |  DELETE_CHILD |            |           |            |
1449  *      -------------------------------------------------------
1450  *      | ACL specifies |            |           |            |
1451  *      | only allow    | Permit     | Permit    | Permit     |
1452  *      | write and     |            |           |            |
1453  *      | execute       |            |           |            |
1454  *      -------------------------------------------------------
1455  *      | ACL denies    |            |           |            |
1456  *      | write and     | Permit     | Deny      | Deny       |
1457  *      | execute       |            |           |            |
1458  *      -------------------------------------------------------
1459  *         ^
1460  *         |
1461  *         No search privilege, can't even look up file?
1462  *
1463  */
1464 int
1465 zfs_zaccess_delete(znode_t *dzp, znode_t *zp, cred_t *cr)
1466 {
1467 	int dzp_working_mode = 0;
1468 	int zp_working_mode = 0;
1469 	int dzp_error, zp_error;
1470 	int error;
1471 
1472 	/*
1473 	 * Arghh, this check is going to require a couple of questions
1474 	 * to be asked.  We want specific DELETE permissions to
1475 	 * take precedence over WRITE/EXECUTE.  We don't
1476 	 * want an ACL such as this to mess us up.
1477 	 * user:sloar:write_data:deny,user:sloar:delete:allow
1478 	 *
1479 	 * However, deny permissions may ultimately be overridden
1480 	 * by secpolicy_vnode_access().
1481 	 */
1482 
1483 	dzp_error = zfs_zaccess_common(dzp, ACE_DELETE_CHILD,
1484 	    &dzp_working_mode, cr);
1485 	zp_error = zfs_zaccess_common(zp, ACE_DELETE, &zp_working_mode, cr);
1486 
1487 	if (dzp_error == EROFS || zp_error == EROFS)
1488 		return (dzp_error);
1489 
1490 	/*
1491 	 * First handle the first row
1492 	 */
1493 	if (dzp_working_mode & ACE_DELETE_CHILD)
1494 		return (0);
1495 
1496 	/*
1497 	 * Second row
1498 	 */
1499 
1500 	if (zp_working_mode & ACE_DELETE)
1501 		return (0);
1502 
1503 	/*
1504 	 * Third Row
1505 	 */
1506 
1507 	dzp_error = zfs_zaccess_common(dzp, ACE_WRITE_DATA|ACE_EXECUTE,
1508 	    &dzp_working_mode, cr);
1509 
1510 	if (dzp_error == EROFS)
1511 		return (dzp_error);
1512 
1513 	if (dzp_working_mode & (ACE_WRITE_DATA|ACE_EXECUTE))
1514 		goto sticky;
1515 
1516 	/*
1517 	 * Fourth Row
1518 	 */
1519 
1520 	if (((dzp_working_mode & (ACE_WRITE_DATA|ACE_EXECUTE)) == 0) &&
1521 	    (zp_working_mode & ACE_DELETE))
1522 		goto sticky;
1523 
1524 	error = secpolicy_vnode_access(cr, ZTOV(zp),
1525 	    dzp->z_phys->zp_uid, S_IWRITE|S_IEXEC);
1526 
1527 	if (error)
1528 		return (error);
1529 
1530 sticky:
1531 	error = zfs_sticky_remove_access(dzp, zp, cr);
1532 
1533 	return (error);
1534 }
1535 
1536 int
1537 zfs_zaccess_rename(znode_t *sdzp, znode_t *szp, znode_t *tdzp,
1538     znode_t *tzp, cred_t *cr)
1539 {
1540 	int add_perm;
1541 	int error;
1542 
1543 	add_perm = (ZTOV(szp)->v_type == VDIR) ?
1544 	    ACE_ADD_SUBDIRECTORY : ACE_ADD_FILE;
1545 
1546 	/*
1547 	 * Rename permissions are combination of delete permission +
1548 	 * add file/subdir permission.
1549 	 */
1550 
1551 	/*
1552 	 * first make sure we do the delete portion.
1553 	 *
1554 	 * If that succeeds then check for add_file/add_subdir permissions
1555 	 */
1556 
1557 	if (error = zfs_zaccess_delete(sdzp, szp, cr))
1558 		return (error);
1559 
1560 	/*
1561 	 * If we have a tzp, see if we can delete it?
1562 	 */
1563 	if (tzp) {
1564 		if (error = zfs_zaccess_delete(tdzp, tzp, cr))
1565 			return (error);
1566 	}
1567 
1568 	/*
1569 	 * Now check for add permissions
1570 	 */
1571 	error = zfs_zaccess(tdzp, add_perm, cr);
1572 
1573 	return (error);
1574 }
1575