1
// SPDX-License-Identifier: CDDL-1.0
2
/*
3
 * CDDL HEADER START
4
 *
5
 * The contents of this file are subject to the terms of the
6
 * Common Development and Distribution License (the "License").
7
 * You may not use this file except in compliance with the License.
8
 *
9
 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
10
 * or https://opensource.org/licenses/CDDL-1.0.
11
 * See the License for the specific language governing permissions
12
 * and limitations under the License.
13
 *
14
 * When distributing Covered Code, include this CDDL HEADER in each
15
 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
16
 * If applicable, add the following below this CDDL HEADER, with the
17
 * fields enclosed by brackets "[]" replaced with your own identifying
18
 * information: Portions Copyright [yyyy] [name of copyright owner]
19
 *
20
 * CDDL HEADER END
21
 */
22
/*
23
 * Copyright (c) 2011, Lawrence Livermore National Security, LLC.
24
 *
25
 * Extended attributes (xattr) on Solaris are implemented as files
26
 * which exist in a hidden xattr directory.  These extended attributes
27
 * can be accessed using the attropen() system call which opens
28
 * the extended attribute.  It can then be manipulated just like
29
 * a standard file descriptor.  This has a couple advantages such
30
 * as practically no size limit on the file, and the extended
31
 * attributes permissions may differ from those of the parent file.
32
 * This interface is really quite clever, but it's also completely
33
 * different than what is supported on Linux.  It also comes with a
34
 * steep performance penalty when accessing small xattrs because they
35
 * are not stored with the parent file.
36
 *
37
 * Under Linux extended attributes are manipulated by the system
38
 * calls getxattr(2), setxattr(2), and listxattr(2).  They consider
39
 * extended attributes to be name/value pairs where the name is a
40
 * NULL terminated string.  The name must also include one of the
41
 * following namespace prefixes:
42
 *
43
 *   user     - No restrictions and is available to user applications.
44
 *   trusted  - Restricted to kernel and root (CAP_SYS_ADMIN) use.
45
 *   system   - Used for access control lists (system.nfs4_acl, etc).
46
 *   security - Used by SELinux to store a files security context.
47
 *
48
 * The value under Linux to limited to 65536 bytes of binary data.
49
 * In practice, individual xattrs tend to be much smaller than this
50
 * and are typically less than 100 bytes.  A good example of this
51
 * are the security.selinux xattrs which are less than 100 bytes and
52
 * exist for every file when xattr labeling is enabled.
53
 *
54
 * The Linux xattr implementation has been written to take advantage of
55
 * this typical usage.  When the dataset property 'xattr=sa' is set,
56
 * then xattrs will be preferentially stored as System Attributes (SA).
57
 * This allows tiny xattrs (~100 bytes) to be stored with the dnode and
58
 * up to 64k of xattrs to be stored in the spill block.  If additional
59
 * xattr space is required, which is unlikely under Linux, they will
60
 * be stored using the traditional directory approach.
61
 *
62
 * This optimization results in roughly a 3x performance improvement
63
 * when accessing xattrs because it avoids the need to perform a seek
64
 * for every xattr value.  When multiple xattrs are stored per-file
65
 * the performance improvements are even greater because all of the
66
 * xattrs stored in the spill block will be cached.
67
 *
68
 * However, by default SA based xattrs are disabled in the Linux port
69
 * to maximize compatibility with other implementations.  If you do
70
 * enable SA based xattrs then they will not be visible on platforms
71
 * which do not support this feature.
72
 *
73
 * NOTE: One additional consequence of the xattr directory implementation
74
 * is that when an extended attribute is manipulated an inode is created.
75
 * This inode will exist in the Linux inode cache but there will be no
76
 * associated entry in the dentry cache which references it.  This is
77
 * safe but it may result in some confusion.  Enabling SA based xattrs
78
 * largely avoids the issue except in the overflow case.
79
 */
80

81
#include <sys/zfs_znode.h>
82
#include <sys/zfs_vfsops.h>
83
#include <sys/zfs_vnops.h>
84
#include <sys/zap.h>
85
#include <sys/vfs.h>
86
#include <sys/zpl.h>
87
#include <linux/vfs_compat.h>
88

89
enum xattr_permission {
90
	XAPERM_DENY,
91
	XAPERM_ALLOW,
92
	XAPERM_COMPAT,
93
};
94

95
typedef struct xattr_filldir {
96
	size_t size;
97
	size_t offset;
98
	char *buf;
99
	struct dentry *dentry;
100
} xattr_filldir_t;
101

102
static enum xattr_permission zpl_xattr_permission(xattr_filldir_t *,
103
    const char *, int);
104

105
static int zfs_xattr_compat = 0;
106

107
/*
108
 * Determine is a given xattr name should be visible and if so copy it
109
 * in to the provided buffer (xf->buf).
110
 */
111
static int
112
zpl_xattr_filldir(xattr_filldir_t *xf, const char *name, int name_len)
113
{
114
	enum xattr_permission perm;
115

116
	/* Check permissions using the per-namespace list xattr handler. */
117
	perm = zpl_xattr_permission(xf, name, name_len);
118
	if (perm == XAPERM_DENY)
119
		return (0);
120

121
	/* Prefix the name with "user." if it does not have a namespace. */
122
	if (perm == XAPERM_COMPAT) {
123
		if (xf->buf) {
124
			if (xf->offset + XATTR_USER_PREFIX_LEN + 1 > xf->size)
125
				return (-ERANGE);
126

127
			memcpy(xf->buf + xf->offset, XATTR_USER_PREFIX,
128
			    XATTR_USER_PREFIX_LEN);
129
			xf->buf[xf->offset + XATTR_USER_PREFIX_LEN] = '\0';
130
		}
131

132
		xf->offset += XATTR_USER_PREFIX_LEN;
133
	}
134

135
	/* When xf->buf is NULL only calculate the required size. */
136
	if (xf->buf) {
137
		if (xf->offset + name_len + 1 > xf->size)
138
			return (-ERANGE);
139

140
		memcpy(xf->buf + xf->offset, name, name_len);
141
		xf->buf[xf->offset + name_len] = '\0';
142
	}
143

144
	xf->offset += (name_len + 1);
145

146
	return (0);
147
}
148

149
/*
150
 * Read as many directory entry names as will fit in to the provided buffer,
151
 * or when no buffer is provided calculate the required buffer size.
152
 */
153
static int
154
zpl_xattr_readdir(struct inode *dxip, xattr_filldir_t *xf)
155
{
156
	zap_cursor_t zc;
157
	zap_attribute_t	*zap = zap_attribute_alloc();
158
	int error;
159

160
	zap_cursor_init(&zc, ITOZSB(dxip)->z_os, ITOZ(dxip)->z_id);
161

162
	while ((error = -zap_cursor_retrieve(&zc, zap)) == 0) {
163

164
		if (zap->za_integer_length != 8 || zap->za_num_integers != 1) {
165
			error = -ENXIO;
166
			break;
167
		}
168

169
		error = zpl_xattr_filldir(xf, zap->za_name,
170
		    strlen(zap->za_name));
171
		if (error)
172
			break;
173

174
		zap_cursor_advance(&zc);
175
	}
176

177
	zap_cursor_fini(&zc);
178
	zap_attribute_free(zap);
179

180
	if (error == -ENOENT)
181
		error = 0;
182

183
	return (error);
184
}
185

186
static ssize_t
187
zpl_xattr_list_dir(xattr_filldir_t *xf, cred_t *cr)
188
{
189
	struct inode *ip = xf->dentry->d_inode;
190
	struct inode *dxip = NULL;
191
	znode_t *dxzp;
192
	int error;
193

194
	/* Lookup the xattr directory */
195
	error = -zfs_lookup(ITOZ(ip), NULL, &dxzp, LOOKUP_XATTR,
196
	    cr, NULL, NULL);
197
	if (error) {
198
		if (error == -ENOENT)
199
			error = 0;
200

201
		return (error);
202
	}
203

204
	dxip = ZTOI(dxzp);
205
	error = zpl_xattr_readdir(dxip, xf);
206
	iput(dxip);
207

208
	return (error);
209
}
210

211
static ssize_t
212
zpl_xattr_list_sa(xattr_filldir_t *xf)
213
{
214
	znode_t *zp = ITOZ(xf->dentry->d_inode);
215
	nvpair_t *nvp = NULL;
216
	int error = 0;
217

218
	mutex_enter(&zp->z_lock);
219
	if (zp->z_xattr_cached == NULL)
220
		error = -zfs_sa_get_xattr(zp);
221
	mutex_exit(&zp->z_lock);
222

223
	if (error)
224
		return (error);
225

226
	ASSERT(zp->z_xattr_cached);
227

228
	while ((nvp = nvlist_next_nvpair(zp->z_xattr_cached, nvp)) != NULL) {
229
		ASSERT3U(nvpair_type(nvp), ==, DATA_TYPE_BYTE_ARRAY);
230

231
		error = zpl_xattr_filldir(xf, nvpair_name(nvp),
232
		    strlen(nvpair_name(nvp)));
233
		if (error)
234
			return (error);
235
	}
236

237
	return (0);
238
}
239

240
ssize_t
241
zpl_xattr_list(struct dentry *dentry, char *buffer, size_t buffer_size)
242
{
243
	znode_t *zp = ITOZ(dentry->d_inode);
244
	zfsvfs_t *zfsvfs = ZTOZSB(zp);
245
	xattr_filldir_t xf = { buffer_size, 0, buffer, dentry };
246
	cred_t *cr = CRED();
247
	fstrans_cookie_t cookie;
248
	int error = 0;
249

250
	crhold(cr);
251
	cookie = spl_fstrans_mark();
252
	if ((error = zpl_enter_verify_zp(zfsvfs, zp, FTAG)) != 0)
253
		goto out1;
254
	rw_enter(&zp->z_xattr_lock, RW_READER);
255

256
	if (zfsvfs->z_use_sa && zp->z_is_sa) {
257
		error = zpl_xattr_list_sa(&xf);
258
		if (error)
259
			goto out;
260
	}
261

262
	error = zpl_xattr_list_dir(&xf, cr);
263
	if (error)
264
		goto out;
265

266
	error = xf.offset;
267
out:
268

269
	rw_exit(&zp->z_xattr_lock);
270
	zpl_exit(zfsvfs, FTAG);
271
out1:
272
	spl_fstrans_unmark(cookie);
273
	crfree(cr);
274

275
	return (error);
276
}
277

278
static int
279
zpl_xattr_get_dir(struct inode *ip, const char *name, void *value,
280
    size_t size, cred_t *cr)
281
{
282
	fstrans_cookie_t cookie;
283
	struct inode *xip = NULL;
284
	znode_t *dxzp = NULL;
285
	znode_t *xzp = NULL;
286
	int error;
287

288
	/* Lookup the xattr directory */
289
	error = -zfs_lookup(ITOZ(ip), NULL, &dxzp, LOOKUP_XATTR,
290
	    cr, NULL, NULL);
291
	if (error)
292
		goto out;
293

294
	/* Lookup a specific xattr name in the directory */
295
	error = -zfs_lookup(dxzp, (char *)name, &xzp, 0, cr, NULL, NULL);
296
	if (error)
297
		goto out;
298

299
	xip = ZTOI(xzp);
300
	if (!size) {
301
		error = i_size_read(xip);
302
		goto out;
303
	}
304

305
	if (size < i_size_read(xip)) {
306
		error = -ERANGE;
307
		goto out;
308
	}
309

310
	struct iovec iov;
311
	iov.iov_base = (void *)value;
312
	iov.iov_len = size;
313

314
	zfs_uio_t uio;
315
	zfs_uio_iovec_init(&uio, &iov, 1, 0, UIO_SYSSPACE, size, 0);
316

317
	cookie = spl_fstrans_mark();
318
	error = -zfs_read(ITOZ(xip), &uio, 0, cr);
319
	spl_fstrans_unmark(cookie);
320

321
	if (error == 0)
322
		error = size - zfs_uio_resid(&uio);
323
out:
324
	if (xzp)
325
		zrele(xzp);
326

327
	if (dxzp)
328
		zrele(dxzp);
329

330
	return (error);
331
}
332

333
static int
334
zpl_xattr_get_sa(struct inode *ip, const char *name, void *value, size_t size)
335
{
336
	znode_t *zp = ITOZ(ip);
337
	uchar_t *nv_value;
338
	uint_t nv_size;
339
	int error = 0;
340

341
	ASSERT(RW_LOCK_HELD(&zp->z_xattr_lock));
342

343
	mutex_enter(&zp->z_lock);
344
	if (zp->z_xattr_cached == NULL)
345
		error = -zfs_sa_get_xattr(zp);
346
	mutex_exit(&zp->z_lock);
347

348
	if (error)
349
		return (error);
350

351
	ASSERT(zp->z_xattr_cached);
352
	error = -nvlist_lookup_byte_array(zp->z_xattr_cached, name,
353
	    &nv_value, &nv_size);
354
	if (error)
355
		return (error);
356

357
	if (size == 0 || value == NULL)
358
		return (nv_size);
359

360
	if (size < nv_size)
361
		return (-ERANGE);
362

363
	memcpy(value, nv_value, nv_size);
364

365
	return (nv_size);
366
}
367

368
static int
369
__zpl_xattr_get(struct inode *ip, const char *name, void *value, size_t size,
370
    cred_t *cr)
371
{
372
	znode_t *zp = ITOZ(ip);
373
	zfsvfs_t *zfsvfs = ZTOZSB(zp);
374
	int error;
375

376
	ASSERT(RW_LOCK_HELD(&zp->z_xattr_lock));
377

378
	if (zfsvfs->z_use_sa && zp->z_is_sa) {
379
		error = zpl_xattr_get_sa(ip, name, value, size);
380
		if (error != -ENOENT)
381
			goto out;
382
	}
383

384
	error = zpl_xattr_get_dir(ip, name, value, size, cr);
385
out:
386
	if (error == -ENOENT)
387
		error = -ENODATA;
388

389
	return (error);
390
}
391

392
#define	XATTR_NOENT	0x0
393
#define	XATTR_IN_SA	0x1
394
#define	XATTR_IN_DIR	0x2
395
/* check where the xattr resides */
396
static int
397
__zpl_xattr_where(struct inode *ip, const char *name, int *where, cred_t *cr)
398
{
399
	znode_t *zp = ITOZ(ip);
400
	zfsvfs_t *zfsvfs = ZTOZSB(zp);
401
	int error;
402

403
	ASSERT(where);
404
	ASSERT(RW_LOCK_HELD(&zp->z_xattr_lock));
405

406
	*where = XATTR_NOENT;
407
	if (zfsvfs->z_use_sa && zp->z_is_sa) {
408
		error = zpl_xattr_get_sa(ip, name, NULL, 0);
409
		if (error >= 0)
410
			*where |= XATTR_IN_SA;
411
		else if (error != -ENOENT)
412
			return (error);
413
	}
414

415
	error = zpl_xattr_get_dir(ip, name, NULL, 0, cr);
416
	if (error >= 0)
417
		*where |= XATTR_IN_DIR;
418
	else if (error != -ENOENT)
419
		return (error);
420

421
	if (*where == (XATTR_IN_SA|XATTR_IN_DIR))
422
		cmn_err(CE_WARN, "ZFS: inode %p has xattr \"%s\""
423
		    " in both SA and dir", ip, name);
424
	if (*where == XATTR_NOENT)
425
		error = -ENODATA;
426
	else
427
		error = 0;
428
	return (error);
429
}
430

431
static int
432
zpl_xattr_get(struct inode *ip, const char *name, void *value, size_t size)
433
{
434
	znode_t *zp = ITOZ(ip);
435
	zfsvfs_t *zfsvfs = ZTOZSB(zp);
436
	cred_t *cr = CRED();
437
	fstrans_cookie_t cookie;
438
	int error;
439

440
	crhold(cr);
441
	cookie = spl_fstrans_mark();
442
	if ((error = zpl_enter_verify_zp(zfsvfs, zp, FTAG)) != 0)
443
		goto out;
444
	rw_enter(&zp->z_xattr_lock, RW_READER);
445
	error = __zpl_xattr_get(ip, name, value, size, cr);
446
	rw_exit(&zp->z_xattr_lock);
447
	zpl_exit(zfsvfs, FTAG);
448
out:
449
	spl_fstrans_unmark(cookie);
450
	crfree(cr);
451

452
	return (error);
453
}
454

455
static int
456
zpl_xattr_set_dir(struct inode *ip, const char *name, const void *value,
457
    size_t size, int flags, cred_t *cr)
458
{
459
	znode_t *dxzp = NULL;
460
	znode_t *xzp = NULL;
461
	vattr_t *vap = NULL;
462
	int lookup_flags, error;
463
	const int xattr_mode = S_IFREG | 0644;
464
	loff_t pos = 0;
465

466
	/*
467
	 * Lookup the xattr directory.  When we're adding an entry pass
468
	 * CREATE_XATTR_DIR to ensure the xattr directory is created.
469
	 * When removing an entry this flag is not passed to avoid
470
	 * unnecessarily creating a new xattr directory.
471
	 */
472
	lookup_flags = LOOKUP_XATTR;
473
	if (value != NULL)
474
		lookup_flags |= CREATE_XATTR_DIR;
475

476
	error = -zfs_lookup(ITOZ(ip), NULL, &dxzp, lookup_flags,
477
	    cr, NULL, NULL);
478
	if (error)
479
		goto out;
480

481
	/* Lookup a specific xattr name in the directory */
482
	error = -zfs_lookup(dxzp, (char *)name, &xzp, 0, cr, NULL, NULL);
483
	if (error && (error != -ENOENT))
484
		goto out;
485

486
	error = 0;
487

488
	/* Remove a specific name xattr when value is set to NULL. */
489
	if (value == NULL) {
490
		if (xzp)
491
			error = -zfs_remove(dxzp, (char *)name, cr, 0);
492

493
		goto out;
494
	}
495

496
	/* Lookup failed create a new xattr. */
497
	if (xzp == NULL) {
498
		vap = kmem_zalloc(sizeof (vattr_t), KM_SLEEP);
499
		vap->va_mode = xattr_mode;
500
		vap->va_mask = ATTR_MODE;
501
		vap->va_uid = crgetuid(cr);
502
		vap->va_gid = crgetgid(cr);
503

504
		error = -zfs_create(dxzp, (char *)name, vap, 0, 0644, &xzp,
505
		    cr, ATTR_NOACLCHECK, NULL, zfs_init_idmap);
506
		if (error)
507
			goto out;
508
	}
509

510
	ASSERT(xzp != NULL);
511

512
	error = -zfs_freesp(xzp, 0, 0, xattr_mode, TRUE);
513
	if (error)
514
		goto out;
515

516
	error = -zfs_write_simple(xzp, value, size, pos, NULL);
517
out:
518
	if (error == 0) {
519
		zpl_inode_set_ctime_to_ts(ip, current_time(ip));
520
		zfs_mark_inode_dirty(ip);
521
	}
522

523
	if (vap)
524
		kmem_free(vap, sizeof (vattr_t));
525

526
	if (xzp)
527
		zrele(xzp);
528

529
	if (dxzp)
530
		zrele(dxzp);
531

532
	if (error == -ENOENT)
533
		error = -ENODATA;
534

535
	ASSERT3S(error, <=, 0);
536

537
	return (error);
538
}
539

540
static int
541
zpl_xattr_set_sa(struct inode *ip, const char *name, const void *value,
542
    size_t size, int flags, cred_t *cr)
543
{
544
	znode_t *zp = ITOZ(ip);
545
	nvlist_t *nvl;
546
	size_t sa_size;
547
	int error = 0;
548

549
	mutex_enter(&zp->z_lock);
550
	if (zp->z_xattr_cached == NULL)
551
		error = -zfs_sa_get_xattr(zp);
552
	mutex_exit(&zp->z_lock);
553

554
	if (error)
555
		return (error);
556

557
	ASSERT(zp->z_xattr_cached);
558
	nvl = zp->z_xattr_cached;
559

560
	if (value == NULL) {
561
		error = -nvlist_remove(nvl, name, DATA_TYPE_BYTE_ARRAY);
562
		if (error == -ENOENT)
563
			error = zpl_xattr_set_dir(ip, name, NULL, 0, flags, cr);
564
	} else {
565
		/* Limited to 32k to keep nvpair memory allocations small */
566
		if (size > DXATTR_MAX_ENTRY_SIZE)
567
			return (-EFBIG);
568

569
		/* Prevent the DXATTR SA from consuming the entire SA region */
570
		error = -nvlist_size(nvl, &sa_size, NV_ENCODE_XDR);
571
		if (error)
572
			return (error);
573

574
		if (sa_size > DXATTR_MAX_SA_SIZE)
575
			return (-EFBIG);
576

577
		error = -nvlist_add_byte_array(nvl, name,
578
		    (uchar_t *)value, size);
579
	}
580

581
	/*
582
	 * Update the SA for additions, modifications, and removals. On
583
	 * error drop the inconsistent cached version of the nvlist, it
584
	 * will be reconstructed from the ARC when next accessed.
585
	 */
586
	if (error == 0)
587
		error = -zfs_sa_set_xattr(zp, name, value, size);
588

589
	if (error) {
590
		nvlist_free(nvl);
591
		zp->z_xattr_cached = NULL;
592
	}
593

594
	ASSERT3S(error, <=, 0);
595

596
	return (error);
597
}
598

599
static int
600
zpl_xattr_set(struct inode *ip, const char *name, const void *value,
601
    size_t size, int flags)
602
{
603
	znode_t *zp = ITOZ(ip);
604
	zfsvfs_t *zfsvfs = ZTOZSB(zp);
605
	cred_t *cr = CRED();
606
	fstrans_cookie_t cookie;
607
	int where;
608
	int error;
609

610
	crhold(cr);
611
	cookie = spl_fstrans_mark();
612
	if ((error = zpl_enter_verify_zp(zfsvfs, zp, FTAG)) != 0)
613
		goto out1;
614
	rw_enter(&zp->z_xattr_lock, RW_WRITER);
615

616
	/*
617
	 * Before setting the xattr check to see if it already exists.
618
	 * This is done to ensure the following optional flags are honored.
619
	 *
620
	 *   XATTR_CREATE: fail if xattr already exists
621
	 *   XATTR_REPLACE: fail if xattr does not exist
622
	 *
623
	 * We also want to know if it resides in sa or dir, so we can make
624
	 * sure we don't end up with duplicate in both places.
625
	 */
626
	error = __zpl_xattr_where(ip, name, &where, cr);
627
	if (error < 0) {
628
		if (error != -ENODATA)
629
			goto out;
630
		if (flags & XATTR_REPLACE)
631
			goto out;
632

633
		/* The xattr to be removed already doesn't exist */
634
		error = 0;
635
		if (value == NULL)
636
			goto out;
637
	} else {
638
		error = -EEXIST;
639
		if (flags & XATTR_CREATE)
640
			goto out;
641
	}
642

643
	/* Preferentially store the xattr as a SA for better performance */
644
	if (zfsvfs->z_use_sa && zp->z_is_sa &&
645
	    (zfsvfs->z_xattr_sa || (value == NULL && where & XATTR_IN_SA))) {
646
		error = zpl_xattr_set_sa(ip, name, value, size, flags, cr);
647
		if (error == 0) {
648
			/*
649
			 * Successfully put into SA, we need to clear the one
650
			 * in dir.
651
			 */
652
			if (where & XATTR_IN_DIR)
653
				zpl_xattr_set_dir(ip, name, NULL, 0, 0, cr);
654
			goto out;
655
		}
656
	}
657

658
	error = zpl_xattr_set_dir(ip, name, value, size, flags, cr);
659
	/*
660
	 * Successfully put into dir, we need to clear the one in SA.
661
	 */
662
	if (error == 0 && (where & XATTR_IN_SA))
663
		zpl_xattr_set_sa(ip, name, NULL, 0, 0, cr);
664
out:
665
	rw_exit(&zp->z_xattr_lock);
666
	zpl_exit(zfsvfs, FTAG);
667
out1:
668
	spl_fstrans_unmark(cookie);
669
	crfree(cr);
670
	ASSERT3S(error, <=, 0);
671

672
	return (error);
673
}
674

675
/*
676
 * Extended user attributes
677
 *
678
 * "Extended user attributes may be assigned to files and directories for
679
 * storing arbitrary additional information such as the mime type,
680
 * character set or encoding of a file.  The access permissions for user
681
 * attributes are defined by the file permission bits: read permission
682
 * is required to retrieve the attribute value, and writer permission is
683
 * required to change it.
684
 *
685
 * The file permission bits of regular files and directories are
686
 * interpreted differently from the file permission bits of special
687
 * files and symbolic links.  For regular files and directories the file
688
 * permission bits define access to the file's contents, while for
689
 * device special files they define access to the device described by
690
 * the special file.  The file permissions of symbolic links are not
691
 * used in access checks.  These differences would allow users to
692
 * consume filesystem resources in a way not controllable by disk quotas
693
 * for group or world writable special files and directories.
694
 *
695
 * For this reason, extended user attributes are allowed only for
696
 * regular files and directories, and access to extended user attributes
697
 * is restricted to the owner and to users with appropriate capabilities
698
 * for directories with the sticky bit set (see the chmod(1) manual page
699
 * for an explanation of the sticky bit)." - xattr(7)
700
 *
701
 * ZFS allows extended user attributes to be disabled administratively
702
 * by setting the 'xattr=off' property on the dataset.
703
 */
704
static int
705
__zpl_xattr_user_list(struct inode *ip, char *list, size_t list_size,
706
    const char *name, size_t name_len)
707
{
708
	return (ITOZSB(ip)->z_flags & ZSB_XATTR);
709
}
710
ZPL_XATTR_LIST_WRAPPER(zpl_xattr_user_list);
711

712
static int
713
__zpl_xattr_user_get(struct inode *ip, const char *name,
714
    void *value, size_t size)
715
{
716
	int error;
717
	/* xattr_resolve_name will do this for us if this is defined */
718
	if (ZFS_XA_NS_PREFIX_FORBIDDEN(name))
719
		return (-EINVAL);
720
	if (!(ITOZSB(ip)->z_flags & ZSB_XATTR))
721
		return (-EOPNOTSUPP);
722

723
	/*
724
	 * Try to look up the name with the namespace prefix first for
725
	 * compatibility with xattrs from this platform.  If that fails,
726
	 * try again without the namespace prefix for compatibility with
727
	 * other platforms.
728
	 */
729
	char *xattr_name = kmem_asprintf("%s%s", XATTR_USER_PREFIX, name);
730
	error = zpl_xattr_get(ip, xattr_name, value, size);
731
	kmem_strfree(xattr_name);
732
	if (error == -ENODATA)
733
		error = zpl_xattr_get(ip, name, value, size);
734

735
	return (error);
736
}
737
ZPL_XATTR_GET_WRAPPER(zpl_xattr_user_get);
738

739
static int
740
__zpl_xattr_user_set(zidmap_t *user_ns,
741
    struct inode *ip, const char *name,
742
    const void *value, size_t size, int flags)
743
{
744
	(void) user_ns;
745
	int error = 0;
746
	/* xattr_resolve_name will do this for us if this is defined */
747
	if (ZFS_XA_NS_PREFIX_FORBIDDEN(name))
748
		return (-EINVAL);
749
	if (!(ITOZSB(ip)->z_flags & ZSB_XATTR))
750
		return (-EOPNOTSUPP);
751

752
	/*
753
	 * Remove alternate compat version of the xattr so we only set the
754
	 * version specified by the zfs_xattr_compat tunable.
755
	 *
756
	 * The following flags must be handled correctly:
757
	 *
758
	 *   XATTR_CREATE: fail if xattr already exists
759
	 *   XATTR_REPLACE: fail if xattr does not exist
760
	 */
761
	char *prefixed_name = kmem_asprintf("%s%s", XATTR_USER_PREFIX, name);
762
	const char *clear_name, *set_name;
763
	if (zfs_xattr_compat) {
764
		clear_name = prefixed_name;
765
		set_name = name;
766
	} else {
767
		clear_name = name;
768
		set_name = prefixed_name;
769
	}
770
	/*
771
	 * Clear the old value with the alternative name format, if it exists.
772
	 */
773
	error = zpl_xattr_set(ip, clear_name, NULL, 0, flags);
774
	/*
775
	 * XATTR_CREATE was specified and we failed to clear the xattr
776
	 * because it already exists.  Stop here.
777
	 */
778
	if (error == -EEXIST)
779
		goto out;
780
	/*
781
	 * If XATTR_REPLACE was specified and we succeeded to clear
782
	 * an xattr, we don't need to replace anything when setting
783
	 * the new value.  If we failed with -ENODATA that's fine,
784
	 * there was nothing to be cleared and we can ignore the error.
785
	 */
786
	if (error == 0)
787
		flags &= ~XATTR_REPLACE;
788
	/*
789
	 * Set the new value with the configured name format.
790
	 */
791
	error = zpl_xattr_set(ip, set_name, value, size, flags);
792
out:
793
	kmem_strfree(prefixed_name);
794
	return (error);
795
}
796
ZPL_XATTR_SET_WRAPPER(zpl_xattr_user_set);
797

798
static xattr_handler_t zpl_xattr_user_handler =
799
{
800
	.prefix	= XATTR_USER_PREFIX,
801
	.list	= zpl_xattr_user_list,
802
	.get	= zpl_xattr_user_get,
803
	.set	= zpl_xattr_user_set,
804
};
805

806
/*
807
 * Trusted extended attributes
808
 *
809
 * "Trusted extended attributes are visible and accessible only to
810
 * processes that have the CAP_SYS_ADMIN capability.  Attributes in this
811
 * class are used to implement mechanisms in user space (i.e., outside
812
 * the kernel) which keep information in extended attributes to which
813
 * ordinary processes should not have access." - xattr(7)
814
 */
815
static int
816
__zpl_xattr_trusted_list(struct inode *ip, char *list, size_t list_size,
817
    const char *name, size_t name_len)
818
{
819
	return (capable(CAP_SYS_ADMIN));
820
}
821
ZPL_XATTR_LIST_WRAPPER(zpl_xattr_trusted_list);
822

823
static int
824
__zpl_xattr_trusted_get(struct inode *ip, const char *name,
825
    void *value, size_t size)
826
{
827
	char *xattr_name;
828
	int error;
829

830
	if (!capable(CAP_SYS_ADMIN))
831
		return (-EACCES);
832
	/* xattr_resolve_name will do this for us if this is defined */
833
	xattr_name = kmem_asprintf("%s%s", XATTR_TRUSTED_PREFIX, name);
834
	error = zpl_xattr_get(ip, xattr_name, value, size);
835
	kmem_strfree(xattr_name);
836

837
	return (error);
838
}
839
ZPL_XATTR_GET_WRAPPER(zpl_xattr_trusted_get);
840

841
static int
842
__zpl_xattr_trusted_set(zidmap_t *user_ns,
843
    struct inode *ip, const char *name,
844
    const void *value, size_t size, int flags)
845
{
846
	(void) user_ns;
847
	char *xattr_name;
848
	int error;
849

850
	if (!capable(CAP_SYS_ADMIN))
851
		return (-EACCES);
852
	/* xattr_resolve_name will do this for us if this is defined */
853
	xattr_name = kmem_asprintf("%s%s", XATTR_TRUSTED_PREFIX, name);
854
	error = zpl_xattr_set(ip, xattr_name, value, size, flags);
855
	kmem_strfree(xattr_name);
856

857
	return (error);
858
}
859
ZPL_XATTR_SET_WRAPPER(zpl_xattr_trusted_set);
860

861
static xattr_handler_t zpl_xattr_trusted_handler = {
862
	.prefix	= XATTR_TRUSTED_PREFIX,
863
	.list	= zpl_xattr_trusted_list,
864
	.get	= zpl_xattr_trusted_get,
865
	.set	= zpl_xattr_trusted_set,
866
};
867

868
/*
869
 * Extended security attributes
870
 *
871
 * "The security attribute namespace is used by kernel security modules,
872
 * such as Security Enhanced Linux, and also to implement file
873
 * capabilities (see capabilities(7)).  Read and write access
874
 * permissions to security attributes depend on the policy implemented
875
 * for each security attribute by the security module.  When no security
876
 * module is loaded, all processes have read access to extended security
877
 * attributes, and write access is limited to processes that have the
878
 * CAP_SYS_ADMIN capability." - xattr(7)
879
 */
880
static int
881
__zpl_xattr_security_list(struct inode *ip, char *list, size_t list_size,
882
    const char *name, size_t name_len)
883
{
884
	return (1);
885
}
886
ZPL_XATTR_LIST_WRAPPER(zpl_xattr_security_list);
887

888
static int
889
__zpl_xattr_security_get(struct inode *ip, const char *name,
890
    void *value, size_t size)
891
{
892
	char *xattr_name;
893
	int error;
894
	/* xattr_resolve_name will do this for us if this is defined */
895
	xattr_name = kmem_asprintf("%s%s", XATTR_SECURITY_PREFIX, name);
896
	error = zpl_xattr_get(ip, xattr_name, value, size);
897
	kmem_strfree(xattr_name);
898

899
	return (error);
900
}
901
ZPL_XATTR_GET_WRAPPER(zpl_xattr_security_get);
902

903
static int
904
__zpl_xattr_security_set(zidmap_t *user_ns,
905
    struct inode *ip, const char *name,
906
    const void *value, size_t size, int flags)
907
{
908
	(void) user_ns;
909
	char *xattr_name;
910
	int error;
911
	/* xattr_resolve_name will do this for us if this is defined */
912
	xattr_name = kmem_asprintf("%s%s", XATTR_SECURITY_PREFIX, name);
913
	error = zpl_xattr_set(ip, xattr_name, value, size, flags);
914
	kmem_strfree(xattr_name);
915

916
	return (error);
917
}
918
ZPL_XATTR_SET_WRAPPER(zpl_xattr_security_set);
919

920
static int
921
zpl_xattr_security_init_impl(struct inode *ip, const struct xattr *xattrs,
922
    void *fs_info)
923
{
924
	const struct xattr *xattr;
925
	int error = 0;
926

927
	for (xattr = xattrs; xattr->name != NULL; xattr++) {
928
		error = __zpl_xattr_security_set(NULL, ip,
929
		    xattr->name, xattr->value, xattr->value_len, 0);
930

931
		if (error < 0)
932
			break;
933
	}
934

935
	return (error);
936
}
937

938
int
939
zpl_xattr_security_init(struct inode *ip, struct inode *dip,
940
    const struct qstr *qstr)
941
{
942
	return security_inode_init_security(ip, dip, qstr,
943
	    &zpl_xattr_security_init_impl, NULL);
944
}
945

946
/*
947
 * Security xattr namespace handlers.
948
 */
949
static xattr_handler_t zpl_xattr_security_handler = {
950
	.prefix	= XATTR_SECURITY_PREFIX,
951
	.list	= zpl_xattr_security_list,
952
	.get	= zpl_xattr_security_get,
953
	.set	= zpl_xattr_security_set,
954
};
955

956
/*
957
 * Extended system attributes
958
 *
959
 * "Extended system attributes are used by the kernel to store system
960
 * objects such as Access Control Lists.  Read and write access permissions
961
 * to system attributes depend on the policy implemented for each system
962
 * attribute implemented by filesystems in the kernel." - xattr(7)
963
 */
964
#ifdef CONFIG_FS_POSIX_ACL
965
static int
966
zpl_set_acl_impl(struct inode *ip, struct posix_acl *acl, int type)
967
{
968
	char *name, *value = NULL;
969
	int error = 0;
970
	size_t size = 0;
971

972
	if (S_ISLNK(ip->i_mode))
973
		return (-EOPNOTSUPP);
974

975
	switch (type) {
976
	case ACL_TYPE_ACCESS:
977
		name = XATTR_NAME_POSIX_ACL_ACCESS;
978
		if (acl) {
979
			umode_t mode = ip->i_mode;
980
			error = posix_acl_equiv_mode(acl, &mode);
981
			if (error < 0) {
982
				return (error);
983
			} else {
984
				/*
985
				 * The mode bits will have been set by
986
				 * ->zfs_setattr()->zfs_acl_chmod_setattr()
987
				 * using the ZFS ACL conversion.  If they
988
				 * differ from the Posix ACL conversion dirty
989
				 * the inode to write the Posix mode bits.
990
				 */
991
				if (ip->i_mode != mode) {
992
					ip->i_mode = ITOZ(ip)->z_mode = mode;
993
					zpl_inode_set_ctime_to_ts(ip,
994
					    current_time(ip));
995
					zfs_mark_inode_dirty(ip);
996
				}
997

998
				if (error == 0)
999
					acl = NULL;
1000
			}
1001
		}
1002
		break;
1003

1004
	case ACL_TYPE_DEFAULT:
1005
		name = XATTR_NAME_POSIX_ACL_DEFAULT;
1006
		if (!S_ISDIR(ip->i_mode))
1007
			return (acl ? -EACCES : 0);
1008
		break;
1009

1010
	default:
1011
		return (-EINVAL);
1012
	}
1013

1014
	if (acl) {
1015
		size = posix_acl_xattr_size(acl->a_count);
1016
		value = kmem_alloc(size, KM_SLEEP);
1017

1018
		error = zpl_acl_to_xattr(acl, value, size);
1019
		if (error < 0) {
1020
			kmem_free(value, size);
1021
			return (error);
1022
		}
1023
	}
1024

1025
	error = zpl_xattr_set(ip, name, value, size, 0);
1026
	if (value)
1027
		kmem_free(value, size);
1028

1029
	if (!error) {
1030
		if (acl)
1031
			set_cached_acl(ip, type, acl);
1032
		else
1033
			forget_cached_acl(ip, type);
1034
	}
1035

1036
	return (error);
1037
}
1038

1039
int
1040
#ifdef HAVE_SET_ACL_USERNS
1041
zpl_set_acl(struct user_namespace *userns, struct inode *ip,
1042
    struct posix_acl *acl, int type)
1043
#elif defined(HAVE_SET_ACL_IDMAP_DENTRY)
1044
zpl_set_acl(struct mnt_idmap *userns, struct dentry *dentry,
1045
    struct posix_acl *acl, int type)
1046
#elif defined(HAVE_SET_ACL_USERNS_DENTRY_ARG2)
1047
zpl_set_acl(struct user_namespace *userns, struct dentry *dentry,
1048
    struct posix_acl *acl, int type)
1049
#else
1050
zpl_set_acl(struct inode *ip, struct posix_acl *acl, int type)
1051
#endif /* HAVE_SET_ACL_USERNS */
1052
{
1053
#ifdef HAVE_SET_ACL_USERNS_DENTRY_ARG2
1054
	return (zpl_set_acl_impl(d_inode(dentry), acl, type));
1055
#elif defined(HAVE_SET_ACL_IDMAP_DENTRY)
1056
	return (zpl_set_acl_impl(d_inode(dentry), acl, type));
1057
#else
1058
	return (zpl_set_acl_impl(ip, acl, type));
1059
#endif /* HAVE_SET_ACL_USERNS_DENTRY_ARG2 */
1060
}
1061

1062
static struct posix_acl *
1063
zpl_get_acl_impl(struct inode *ip, int type)
1064
{
1065
	struct posix_acl *acl;
1066
	void *value = NULL;
1067
	char *name;
1068

1069
	switch (type) {
1070
	case ACL_TYPE_ACCESS:
1071
		name = XATTR_NAME_POSIX_ACL_ACCESS;
1072
		break;
1073
	case ACL_TYPE_DEFAULT:
1074
		name = XATTR_NAME_POSIX_ACL_DEFAULT;
1075
		break;
1076
	default:
1077
		return (ERR_PTR(-EINVAL));
1078
	}
1079

1080
	int size = zpl_xattr_get(ip, name, NULL, 0);
1081
	if (size > 0) {
1082
		value = kmem_alloc(size, KM_SLEEP);
1083
		size = zpl_xattr_get(ip, name, value, size);
1084
	}
1085

1086
	if (size > 0) {
1087
		acl = zpl_acl_from_xattr(value, size);
1088
	} else if (size == -ENODATA || size == -ENOSYS) {
1089
		acl = NULL;
1090
	} else {
1091
		acl = ERR_PTR(-EIO);
1092
	}
1093

1094
	if (size > 0)
1095
		kmem_free(value, size);
1096

1097
	return (acl);
1098
}
1099

1100
#if defined(HAVE_GET_ACL_RCU) || defined(HAVE_GET_INODE_ACL)
1101
struct posix_acl *
1102
zpl_get_acl(struct inode *ip, int type, bool rcu)
1103
{
1104
	if (rcu)
1105
		return (ERR_PTR(-ECHILD));
1106

1107
	return (zpl_get_acl_impl(ip, type));
1108
}
1109
#elif defined(HAVE_GET_ACL)
1110
struct posix_acl *
1111
zpl_get_acl(struct inode *ip, int type)
1112
{
1113
	return (zpl_get_acl_impl(ip, type));
1114
}
1115
#else
1116
#error "Unsupported iops->get_acl() implementation"
1117
#endif /* HAVE_GET_ACL_RCU */
1118

1119
int
1120
zpl_init_acl(struct inode *ip, struct inode *dir)
1121
{
1122
	struct posix_acl *acl = NULL;
1123
	int error = 0;
1124

1125
	if (ITOZSB(ip)->z_acl_type != ZFS_ACLTYPE_POSIX)
1126
		return (0);
1127

1128
	if (!S_ISLNK(ip->i_mode)) {
1129
		acl = zpl_get_acl_impl(dir, ACL_TYPE_DEFAULT);
1130
		if (IS_ERR(acl))
1131
			return (PTR_ERR(acl));
1132
		if (!acl) {
1133
			ITOZ(ip)->z_mode = (ip->i_mode &= ~current_umask());
1134
			zpl_inode_set_ctime_to_ts(ip, current_time(ip));
1135
			zfs_mark_inode_dirty(ip);
1136
			return (0);
1137
		}
1138
	}
1139

1140
	if (acl) {
1141
		umode_t mode;
1142

1143
		if (S_ISDIR(ip->i_mode)) {
1144
			error = zpl_set_acl_impl(ip, acl, ACL_TYPE_DEFAULT);
1145
			if (error)
1146
				goto out;
1147
		}
1148

1149
		mode = ip->i_mode;
1150
		error = __posix_acl_create(&acl, GFP_KERNEL, &mode);
1151
		if (error >= 0) {
1152
			ip->i_mode = ITOZ(ip)->z_mode = mode;
1153
			zfs_mark_inode_dirty(ip);
1154
			if (error > 0) {
1155
				error = zpl_set_acl_impl(ip, acl,
1156
				    ACL_TYPE_ACCESS);
1157
			}
1158
		}
1159
	}
1160
out:
1161
	zpl_posix_acl_release(acl);
1162

1163
	return (error);
1164
}
1165

1166
int
1167
zpl_chmod_acl(struct inode *ip)
1168
{
1169
	struct posix_acl *acl;
1170
	int error;
1171

1172
	if (ITOZSB(ip)->z_acl_type != ZFS_ACLTYPE_POSIX)
1173
		return (0);
1174

1175
	if (S_ISLNK(ip->i_mode))
1176
		return (-EOPNOTSUPP);
1177

1178
	acl = zpl_get_acl_impl(ip, ACL_TYPE_ACCESS);
1179
	if (IS_ERR(acl) || !acl)
1180
		return (PTR_ERR(acl));
1181

1182
	error = __posix_acl_chmod(&acl, GFP_KERNEL, ip->i_mode);
1183
	if (!error)
1184
		error = zpl_set_acl_impl(ip, acl, ACL_TYPE_ACCESS);
1185

1186
	zpl_posix_acl_release(acl);
1187

1188
	return (error);
1189
}
1190

1191
static int
1192
__zpl_xattr_acl_list_access(struct inode *ip, char *list, size_t list_size,
1193
    const char *name, size_t name_len)
1194
{
1195
	char *xattr_name = XATTR_NAME_POSIX_ACL_ACCESS;
1196
	size_t xattr_size = sizeof (XATTR_NAME_POSIX_ACL_ACCESS);
1197

1198
	if (ITOZSB(ip)->z_acl_type != ZFS_ACLTYPE_POSIX)
1199
		return (0);
1200

1201
	if (list && xattr_size <= list_size)
1202
		memcpy(list, xattr_name, xattr_size);
1203

1204
	return (xattr_size);
1205
}
1206
ZPL_XATTR_LIST_WRAPPER(zpl_xattr_acl_list_access);
1207

1208
static int
1209
__zpl_xattr_acl_list_default(struct inode *ip, char *list, size_t list_size,
1210
    const char *name, size_t name_len)
1211
{
1212
	char *xattr_name = XATTR_NAME_POSIX_ACL_DEFAULT;
1213
	size_t xattr_size = sizeof (XATTR_NAME_POSIX_ACL_DEFAULT);
1214

1215
	if (ITOZSB(ip)->z_acl_type != ZFS_ACLTYPE_POSIX)
1216
		return (0);
1217

1218
	if (list && xattr_size <= list_size)
1219
		memcpy(list, xattr_name, xattr_size);
1220

1221
	return (xattr_size);
1222
}
1223
ZPL_XATTR_LIST_WRAPPER(zpl_xattr_acl_list_default);
1224

1225
static int
1226
__zpl_xattr_acl_get_access(struct inode *ip, const char *name,
1227
    void *buffer, size_t size)
1228
{
1229
	struct posix_acl *acl;
1230
	int type = ACL_TYPE_ACCESS;
1231
	int error;
1232
	/* xattr_resolve_name will do this for us if this is defined */
1233
	if (ITOZSB(ip)->z_acl_type != ZFS_ACLTYPE_POSIX)
1234
		return (-EOPNOTSUPP);
1235

1236
	acl = zpl_get_acl_impl(ip, type);
1237
	if (IS_ERR(acl))
1238
		return (PTR_ERR(acl));
1239
	if (acl == NULL)
1240
		return (-ENODATA);
1241

1242
	error = zpl_acl_to_xattr(acl, buffer, size);
1243
	zpl_posix_acl_release(acl);
1244

1245
	return (error);
1246
}
1247
ZPL_XATTR_GET_WRAPPER(zpl_xattr_acl_get_access);
1248

1249
static int
1250
__zpl_xattr_acl_get_default(struct inode *ip, const char *name,
1251
    void *buffer, size_t size)
1252
{
1253
	struct posix_acl *acl;
1254
	int type = ACL_TYPE_DEFAULT;
1255
	int error;
1256
	/* xattr_resolve_name will do this for us if this is defined */
1257
	if (ITOZSB(ip)->z_acl_type != ZFS_ACLTYPE_POSIX)
1258
		return (-EOPNOTSUPP);
1259

1260
	acl = zpl_get_acl_impl(ip, type);
1261
	if (IS_ERR(acl))
1262
		return (PTR_ERR(acl));
1263
	if (acl == NULL)
1264
		return (-ENODATA);
1265

1266
	error = zpl_acl_to_xattr(acl, buffer, size);
1267
	zpl_posix_acl_release(acl);
1268

1269
	return (error);
1270
}
1271
ZPL_XATTR_GET_WRAPPER(zpl_xattr_acl_get_default);
1272

1273
static int
1274
__zpl_xattr_acl_set_access(zidmap_t *mnt_ns,
1275
    struct inode *ip, const char *name,
1276
    const void *value, size_t size, int flags)
1277
{
1278
	struct posix_acl *acl;
1279
	int type = ACL_TYPE_ACCESS;
1280
	int error = 0;
1281
	/* xattr_resolve_name will do this for us if this is defined */
1282
	if (ITOZSB(ip)->z_acl_type != ZFS_ACLTYPE_POSIX)
1283
		return (-EOPNOTSUPP);
1284

1285
#if defined(HAVE_XATTR_SET_USERNS) || defined(HAVE_XATTR_SET_IDMAP)
1286
	if (!zpl_inode_owner_or_capable(mnt_ns, ip))
1287
		return (-EPERM);
1288
#else
1289
	(void) mnt_ns;
1290
	if (!zpl_inode_owner_or_capable(zfs_init_idmap, ip))
1291
		return (-EPERM);
1292
#endif
1293

1294
	if (value) {
1295
		acl = zpl_acl_from_xattr(value, size);
1296
		if (IS_ERR(acl))
1297
			return (PTR_ERR(acl));
1298
		else if (acl) {
1299
			error = posix_acl_valid(ip->i_sb->s_user_ns, acl);
1300
			if (error) {
1301
				zpl_posix_acl_release(acl);
1302
				return (error);
1303
			}
1304
		}
1305
	} else {
1306
		acl = NULL;
1307
	}
1308
	error = zpl_set_acl_impl(ip, acl, type);
1309
	zpl_posix_acl_release(acl);
1310

1311
	return (error);
1312
}
1313
ZPL_XATTR_SET_WRAPPER(zpl_xattr_acl_set_access);
1314

1315
static int
1316
__zpl_xattr_acl_set_default(zidmap_t *mnt_ns,
1317
    struct inode *ip, const char *name,
1318
    const void *value, size_t size, int flags)
1319
{
1320
	struct posix_acl *acl;
1321
	int type = ACL_TYPE_DEFAULT;
1322
	int error = 0;
1323
	/* xattr_resolve_name will do this for us if this is defined */
1324
	if (ITOZSB(ip)->z_acl_type != ZFS_ACLTYPE_POSIX)
1325
		return (-EOPNOTSUPP);
1326

1327
#if defined(HAVE_XATTR_SET_USERNS) || defined(HAVE_XATTR_SET_IDMAP)
1328
	if (!zpl_inode_owner_or_capable(mnt_ns, ip))
1329
		return (-EPERM);
1330
#else
1331
	(void) mnt_ns;
1332
	if (!zpl_inode_owner_or_capable(zfs_init_idmap, ip))
1333
		return (-EPERM);
1334
#endif
1335

1336
	if (value) {
1337
		acl = zpl_acl_from_xattr(value, size);
1338
		if (IS_ERR(acl))
1339
			return (PTR_ERR(acl));
1340
		else if (acl) {
1341
			error = posix_acl_valid(ip->i_sb->s_user_ns, acl);
1342
			if (error) {
1343
				zpl_posix_acl_release(acl);
1344
				return (error);
1345
			}
1346
		}
1347
	} else {
1348
		acl = NULL;
1349
	}
1350

1351
	error = zpl_set_acl_impl(ip, acl, type);
1352
	zpl_posix_acl_release(acl);
1353

1354
	return (error);
1355
}
1356
ZPL_XATTR_SET_WRAPPER(zpl_xattr_acl_set_default);
1357

1358
/*
1359
 * ACL access xattr namespace handlers.
1360
 *
1361
 * Use .name instead of .prefix when available. xattr_resolve_name will match
1362
 * whole name and reject anything that has .name only as prefix.
1363
 */
1364
static xattr_handler_t zpl_xattr_acl_access_handler = {
1365
	.name	= XATTR_NAME_POSIX_ACL_ACCESS,
1366
	.list	= zpl_xattr_acl_list_access,
1367
	.get	= zpl_xattr_acl_get_access,
1368
	.set	= zpl_xattr_acl_set_access,
1369
	.flags	= ACL_TYPE_ACCESS,
1370
};
1371

1372
/*
1373
 * ACL default xattr namespace handlers.
1374
 *
1375
 * Use .name instead of .prefix. xattr_resolve_name will match whole name and
1376
 * reject anything that has .name only as prefix.
1377
 */
1378
static xattr_handler_t zpl_xattr_acl_default_handler = {
1379
	.name	= XATTR_NAME_POSIX_ACL_DEFAULT,
1380
	.list	= zpl_xattr_acl_list_default,
1381
	.get	= zpl_xattr_acl_get_default,
1382
	.set	= zpl_xattr_acl_set_default,
1383
	.flags	= ACL_TYPE_DEFAULT,
1384
};
1385

1386
#endif /* CONFIG_FS_POSIX_ACL */
1387

1388
xattr_handler_t *zpl_xattr_handlers[] = {
1389
	&zpl_xattr_security_handler,
1390
	&zpl_xattr_trusted_handler,
1391
	&zpl_xattr_user_handler,
1392
#ifdef CONFIG_FS_POSIX_ACL
1393
	&zpl_xattr_acl_access_handler,
1394
	&zpl_xattr_acl_default_handler,
1395
#endif /* CONFIG_FS_POSIX_ACL */
1396
	NULL
1397
};
1398

1399
static const struct xattr_handler *
1400
zpl_xattr_handler(const char *name)
1401
{
1402
	if (strncmp(name, XATTR_USER_PREFIX,
1403
	    XATTR_USER_PREFIX_LEN) == 0)
1404
		return (&zpl_xattr_user_handler);
1405

1406
	if (strncmp(name, XATTR_TRUSTED_PREFIX,
1407
	    XATTR_TRUSTED_PREFIX_LEN) == 0)
1408
		return (&zpl_xattr_trusted_handler);
1409

1410
	if (strncmp(name, XATTR_SECURITY_PREFIX,
1411
	    XATTR_SECURITY_PREFIX_LEN) == 0)
1412
		return (&zpl_xattr_security_handler);
1413

1414
#ifdef CONFIG_FS_POSIX_ACL
1415
	if (strncmp(name, XATTR_NAME_POSIX_ACL_ACCESS,
1416
	    sizeof (XATTR_NAME_POSIX_ACL_ACCESS)) == 0)
1417
		return (&zpl_xattr_acl_access_handler);
1418

1419
	if (strncmp(name, XATTR_NAME_POSIX_ACL_DEFAULT,
1420
	    sizeof (XATTR_NAME_POSIX_ACL_DEFAULT)) == 0)
1421
		return (&zpl_xattr_acl_default_handler);
1422
#endif /* CONFIG_FS_POSIX_ACL */
1423

1424
	return (NULL);
1425
}
1426

1427
static enum xattr_permission
1428
zpl_xattr_permission(xattr_filldir_t *xf, const char *name, int name_len)
1429
{
1430
	const struct xattr_handler *handler;
1431
	struct dentry *d __maybe_unused = xf->dentry;
1432
	enum xattr_permission perm = XAPERM_ALLOW;
1433

1434
	handler = zpl_xattr_handler(name);
1435
	if (handler == NULL) {
1436
		/* Do not expose FreeBSD system namespace xattrs. */
1437
		if (ZFS_XA_NS_PREFIX_MATCH(FREEBSD, name))
1438
			return (XAPERM_DENY);
1439
		/*
1440
		 * Anything that doesn't match a known namespace gets put in the
1441
		 * user namespace for compatibility with other platforms.
1442
		 */
1443
		perm = XAPERM_COMPAT;
1444
		handler = &zpl_xattr_user_handler;
1445
	}
1446

1447
	if (handler->list) {
1448
		if (!handler->list(d))
1449
			return (XAPERM_DENY);
1450
	}
1451

1452
	return (perm);
1453
}
1454

1455
#ifdef CONFIG_FS_POSIX_ACL
1456

1457
struct acl_rel_struct {
1458
	struct acl_rel_struct *next;
1459
	struct posix_acl *acl;
1460
	clock_t time;
1461
};
1462

1463
#define	ACL_REL_GRACE	(60*HZ)
1464
#define	ACL_REL_WINDOW	(1*HZ)
1465
#define	ACL_REL_SCHED	(ACL_REL_GRACE+ACL_REL_WINDOW)
1466

1467
/*
1468
 * Lockless multi-producer single-consumer fifo list.
1469
 * Nodes are added to tail and removed from head. Tail pointer is our
1470
 * synchronization point. It always points to the next pointer of the last
1471
 * node, or head if list is empty.
1472
 */
1473
static struct acl_rel_struct *acl_rel_head = NULL;
1474
static struct acl_rel_struct **acl_rel_tail = &acl_rel_head;
1475

1476
static void
1477
zpl_posix_acl_free(void *arg)
1478
{
1479
	struct acl_rel_struct *freelist = NULL;
1480
	struct acl_rel_struct *a;
1481
	clock_t new_time;
1482
	boolean_t refire = B_FALSE;
1483

1484
	ASSERT3P(acl_rel_head, !=, NULL);
1485
	while (acl_rel_head) {
1486
		a = acl_rel_head;
1487
		if (ddi_get_lbolt() - a->time >= ACL_REL_GRACE) {
1488
			/*
1489
			 * If a is the last node we need to reset tail, but we
1490
			 * need to use cmpxchg to make sure it is still the
1491
			 * last node.
1492
			 */
1493
			if (acl_rel_tail == &a->next) {
1494
				acl_rel_head = NULL;
1495
				if (cmpxchg(&acl_rel_tail, &a->next,
1496
				    &acl_rel_head) == &a->next) {
1497
					ASSERT0P(a->next);
1498
					a->next = freelist;
1499
					freelist = a;
1500
					break;
1501
				}
1502
			}
1503
			/*
1504
			 * a is not last node, make sure next pointer is set
1505
			 * by the adder and advance the head.
1506
			 */
1507
			while (READ_ONCE(a->next) == NULL)
1508
				cpu_relax();
1509
			acl_rel_head = a->next;
1510
			a->next = freelist;
1511
			freelist = a;
1512
		} else {
1513
			/*
1514
			 * a is still in grace period. We are responsible to
1515
			 * reschedule the free task, since adder will only do
1516
			 * so if list is empty.
1517
			 */
1518
			new_time = a->time + ACL_REL_SCHED;
1519
			refire = B_TRUE;
1520
			break;
1521
		}
1522
	}
1523

1524
	if (refire)
1525
		taskq_dispatch_delay(system_delay_taskq, zpl_posix_acl_free,
1526
		    NULL, TQ_SLEEP, new_time);
1527

1528
	while (freelist) {
1529
		a = freelist;
1530
		freelist = a->next;
1531
		kfree(a->acl);
1532
		kmem_free(a, sizeof (struct acl_rel_struct));
1533
	}
1534
}
1535

1536
void
1537
zpl_posix_acl_release_impl(struct posix_acl *acl)
1538
{
1539
	struct acl_rel_struct *a, **prev;
1540

1541
	a = kmem_alloc(sizeof (struct acl_rel_struct), KM_SLEEP);
1542
	a->next = NULL;
1543
	a->acl = acl;
1544
	a->time = ddi_get_lbolt();
1545
	/* atomically points tail to us and get the previous tail */
1546
	prev = xchg(&acl_rel_tail, &a->next);
1547
	ASSERT0P(*prev);
1548
	*prev = a;
1549
	/* if it was empty before, schedule the free task */
1550
	if (prev == &acl_rel_head)
1551
		taskq_dispatch_delay(system_delay_taskq, zpl_posix_acl_free,
1552
		    NULL, TQ_SLEEP, ddi_get_lbolt() + ACL_REL_SCHED);
1553
}
1554
#endif
1555

1556
ZFS_MODULE_PARAM(zfs, zfs_, xattr_compat, INT, ZMOD_RW,
1557
	"Use legacy ZFS xattr naming for writing new user namespace xattrs");
1558

1559