CoCalc -- nfs_commonacl.c

GitHub Repository: freebsd/freebsd-src
Path: blob/main/sys/fs/nfs/nfs_commonacl.c
³⁹⁴⁸³ views
1
/*-
2
 * SPDX-License-Identifier: BSD-2-Clause
3
 *
4
 * Copyright (c) 2009 Rick Macklem, University of Guelph
5
 * All rights reserved.
6
 *
7
 * Redistribution and use in source and binary forms, with or without
8
 * modification, are permitted provided that the following conditions
9
 * are met:
10
 * 1. Redistributions of source code must retain the above copyright
11
 *    notice, this list of conditions and the following disclaimer.
12
 * 2. Redistributions in binary form must reproduce the above copyright
13
 *    notice, this list of conditions and the following disclaimer in the
14
 *    documentation and/or other materials provided with the distribution.
15
 *
16
 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
17
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
18
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
19
 * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
20
 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
21
 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
22
 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
23
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
24
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
25
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
26
 * SUCH DAMAGE.
27
 *
28
 */
29

30
#include <sys/cdefs.h>
31
#include <fs/nfs/nfsport.h>
32

33
extern int nfsrv_useacl;
34

35
static int nfsrv_acemasktoperm(u_int32_t acetype, u_int32_t mask, int owner,
36
    __enum_uint8(vtype) type, acl_perm_t *permp);
37

38
/*
39
 * Handle xdr for an ace.
40
 */
41
int
42
nfsrv_dissectace(struct nfsrv_descript *nd, struct acl_entry *acep,
43
    bool server, int *aceerrp, int *acesizep, NFSPROC_T *p)
44
{
45
	u_int32_t *tl;
46
	int len, gotid = 0, owner = 0, error = 0, aceerr = 0;
47
	u_char *name, namestr[NFSV4_SMALLSTR + 1];
48
	u_int32_t flag, mask, acetype;
49
	gid_t gid;
50
	uid_t uid;
51

52
	*aceerrp = 0;
53
	acep->ae_flags = 0;
54
	NFSM_DISSECT(tl, u_int32_t *, 4 * NFSX_UNSIGNED);
55
	acetype = fxdr_unsigned(u_int32_t, *tl++);
56
	flag = fxdr_unsigned(u_int32_t, *tl++);
57
	mask = fxdr_unsigned(u_int32_t, *tl++);
58
	len = fxdr_unsigned(int, *tl);
59
	/*
60
	 * The RFCs do not specify a limit to the length of the "who", but
61
	 * NFSV4_OPAQUELIMIT (1024) should be sufficient.
62
	 */
63
	if (len < 0 || len > NFSV4_OPAQUELIMIT) {
64
		error = NFSERR_BADXDR;
65
		goto nfsmout;
66
	} else if (len == 0) {
67
		/* Netapp filers return a 0 length who for nil users */
68
		acep->ae_tag = ACL_EVERYONE;	/* Avoid panics. */
69
		acep->ae_id = ACL_UNDEFINED_ID;
70
		acep->ae_perm = (acl_perm_t)0;
71
		acep->ae_entry_type = ACL_ENTRY_TYPE_DENY;
72
		if (acesizep)
73
			*acesizep = 4 * NFSX_UNSIGNED;
74
		error = 0;
75
		goto nfsmout;
76
	}
77
	if (len > NFSV4_SMALLSTR)
78
		name = malloc(len + 1, M_NFSSTRING, M_WAITOK);
79
	else
80
		name = namestr;
81
	error = nfsrv_mtostr(nd, name, len);
82
	if (error) {
83
		if (len > NFSV4_SMALLSTR)
84
			free(name, M_NFSSTRING);
85
		goto nfsmout;
86
	}
87
	if (len == 6) {
88
		if (!NFSBCMP(name, "OWNER@", 6)) {
89
			acep->ae_tag = ACL_USER_OBJ;
90
			acep->ae_id = ACL_UNDEFINED_ID;
91
			owner = 1;
92
			gotid = 1;
93
		} else if (!NFSBCMP(name, "GROUP@", 6)) {
94
			acep->ae_tag = ACL_GROUP_OBJ;
95
			acep->ae_id = ACL_UNDEFINED_ID;
96
			gotid = 1;
97
		}
98
	} else if (len == 9 && !NFSBCMP(name, "EVERYONE@", 9)) {
99
		acep->ae_tag = ACL_EVERYONE;
100
		acep->ae_id = ACL_UNDEFINED_ID;
101
		gotid = 1;
102
	}
103
	if (gotid == 0) {
104
		if (flag & NFSV4ACE_IDENTIFIERGROUP) {
105
			acep->ae_tag = ACL_GROUP;
106
			aceerr = nfsv4_strtogid(nd, name, len, &gid);
107
			if (aceerr == 0)
108
				acep->ae_id = (uid_t)gid;
109
		} else {
110
			acep->ae_tag = ACL_USER;
111
			aceerr = nfsv4_strtouid(nd, name, len, &uid);
112
			if (aceerr == 0)
113
				acep->ae_id = uid;
114
		}
115
	}
116
	if (len > NFSV4_SMALLSTR)
117
		free(name, M_NFSSTRING);
118

119
	if (aceerr == 0) {
120
		/*
121
		 * Handle the flags.
122
		 */
123
		flag &= ~NFSV4ACE_IDENTIFIERGROUP;
124
		if (flag & NFSV4ACE_FILEINHERIT) {
125
			flag &= ~NFSV4ACE_FILEINHERIT;
126
			acep->ae_flags |= ACL_ENTRY_FILE_INHERIT;
127
		}
128
		if (flag & NFSV4ACE_DIRECTORYINHERIT) {
129
			flag &= ~NFSV4ACE_DIRECTORYINHERIT;
130
			acep->ae_flags |= ACL_ENTRY_DIRECTORY_INHERIT;
131
		}
132
		if (flag & NFSV4ACE_NOPROPAGATEINHERIT) {
133
			flag &= ~NFSV4ACE_NOPROPAGATEINHERIT;
134
			acep->ae_flags |= ACL_ENTRY_NO_PROPAGATE_INHERIT;
135
		}
136
		if (flag & NFSV4ACE_INHERITONLY) {
137
			flag &= ~NFSV4ACE_INHERITONLY;
138
			acep->ae_flags |= ACL_ENTRY_INHERIT_ONLY;
139
		}
140
		if (flag & NFSV4ACE_SUCCESSFULACCESS) {
141
			flag &= ~NFSV4ACE_SUCCESSFULACCESS;
142
			acep->ae_flags |= ACL_ENTRY_SUCCESSFUL_ACCESS;
143
		}
144
		if (flag & NFSV4ACE_FAILEDACCESS) {
145
			flag &= ~NFSV4ACE_FAILEDACCESS;
146
			acep->ae_flags |= ACL_ENTRY_FAILED_ACCESS;
147
		}
148
		/*
149
		 * Set ae_entry_type.
150
		 */
151
		if (acetype == NFSV4ACE_ALLOWEDTYPE)
152
			acep->ae_entry_type = ACL_ENTRY_TYPE_ALLOW;
153
		else if (acetype == NFSV4ACE_DENIEDTYPE)
154
			acep->ae_entry_type = ACL_ENTRY_TYPE_DENY;
155
		else if (!server && acetype == NFSV4ACE_AUDITTYPE)
156
			acep->ae_entry_type = ACL_ENTRY_TYPE_AUDIT;
157
		else if (!server && acetype == NFSV4ACE_ALARMTYPE)
158
			acep->ae_entry_type = ACL_ENTRY_TYPE_ALARM;
159
		else
160
			aceerr = NFSERR_ATTRNOTSUPP;
161
	}
162

163
	/*
164
	 * Now, check for unsupported flag bits.
165
	 */
166
	if (aceerr == 0 && flag != 0)
167
		aceerr = NFSERR_ATTRNOTSUPP;
168

169
	/*
170
	 * And turn the mask into perm bits.
171
	 */
172
	if (aceerr == 0)
173
		aceerr = nfsrv_acemasktoperm(acetype, mask, owner, VREG,
174
		    &acep->ae_perm);
175
	*aceerrp = aceerr;
176
	if (acesizep)
177
		*acesizep = NFSM_RNDUP(len) + (4 * NFSX_UNSIGNED);
178
	error = 0;
179
nfsmout:
180
	NFSEXITCODE(error);
181
	return (error);
182
}
183

184
/*
185
 * Turn an NFSv4 ace mask into R/W/X flag bits.
186
 */
187
static int
188
nfsrv_acemasktoperm(u_int32_t acetype, u_int32_t mask, int owner,
189
    __enum_uint8(vtype) type, acl_perm_t *permp)
190
{
191
	acl_perm_t perm = 0x0;
192
	int error = 0;
193

194
	if (mask & NFSV4ACE_READDATA) {
195
		mask &= ~NFSV4ACE_READDATA;
196
		perm |= ACL_READ_DATA;
197
	}
198
	if (mask & NFSV4ACE_LISTDIRECTORY) {
199
		mask &= ~NFSV4ACE_LISTDIRECTORY;
200
		perm |= ACL_LIST_DIRECTORY;
201
	}
202
	if (mask & NFSV4ACE_WRITEDATA) {
203
		mask &= ~NFSV4ACE_WRITEDATA;
204
		perm |= ACL_WRITE_DATA;
205
	}
206
	if (mask & NFSV4ACE_ADDFILE) {
207
		mask &= ~NFSV4ACE_ADDFILE;
208
		perm |= ACL_ADD_FILE;
209
	}
210
	if (mask & NFSV4ACE_APPENDDATA) {
211
		mask &= ~NFSV4ACE_APPENDDATA;
212
		perm |= ACL_APPEND_DATA;
213
	}
214
	if (mask & NFSV4ACE_ADDSUBDIRECTORY) {
215
		mask &= ~NFSV4ACE_ADDSUBDIRECTORY;
216
		perm |= ACL_ADD_SUBDIRECTORY;
217
	}
218
	if (mask & NFSV4ACE_READNAMEDATTR) {
219
		mask &= ~NFSV4ACE_READNAMEDATTR;
220
		perm |= ACL_READ_NAMED_ATTRS;
221
	}
222
	if (mask & NFSV4ACE_WRITENAMEDATTR) {
223
		mask &= ~NFSV4ACE_WRITENAMEDATTR;
224
		perm |= ACL_WRITE_NAMED_ATTRS;
225
	}
226
	if (mask & NFSV4ACE_EXECUTE) {
227
		mask &= ~NFSV4ACE_EXECUTE;
228
		perm |= ACL_EXECUTE;
229
	}
230
	if (mask & NFSV4ACE_SEARCH) {
231
		mask &= ~NFSV4ACE_SEARCH;
232
		perm |= ACL_EXECUTE;
233
	}
234
	if (mask & NFSV4ACE_DELETECHILD) {
235
		mask &= ~NFSV4ACE_DELETECHILD;
236
		perm |= ACL_DELETE_CHILD;
237
	}
238
	if (mask & NFSV4ACE_READATTRIBUTES) {
239
		mask &= ~NFSV4ACE_READATTRIBUTES;
240
		perm |= ACL_READ_ATTRIBUTES;
241
	}
242
	if (mask & NFSV4ACE_WRITEATTRIBUTES) {
243
		mask &= ~NFSV4ACE_WRITEATTRIBUTES;
244
		perm |= ACL_WRITE_ATTRIBUTES;
245
	}
246
	if (mask & NFSV4ACE_DELETE) {
247
		mask &= ~NFSV4ACE_DELETE;
248
		perm |= ACL_DELETE;
249
	}
250
	if (mask & NFSV4ACE_READACL) {
251
		mask &= ~NFSV4ACE_READACL;
252
		perm |= ACL_READ_ACL;
253
	}
254
	if (mask & NFSV4ACE_WRITEACL) {
255
		mask &= ~NFSV4ACE_WRITEACL;
256
		perm |= ACL_WRITE_ACL;
257
	}
258
	if (mask & NFSV4ACE_WRITEOWNER) {
259
		mask &= ~NFSV4ACE_WRITEOWNER;
260
		perm |= ACL_WRITE_OWNER;
261
	}
262
	if (mask & NFSV4ACE_SYNCHRONIZE) {
263
		mask &= ~NFSV4ACE_SYNCHRONIZE;
264
		perm |= ACL_SYNCHRONIZE;
265
	}
266
	if (mask != 0) {
267
		error = NFSERR_ATTRNOTSUPP;
268
		goto out;
269
	}
270
	*permp = perm;
271

272
out:
273
	NFSEXITCODE(error);
274
	return (error);
275
}
276

277
/* local functions */
278
static int nfsrv_buildace(struct nfsrv_descript *, u_char *, int,
279
    __enum_uint8(vtype), int, int, struct acl_entry *);
280

281
/*
282
 * This function builds an NFS ace.
283
 */
284
static int
285
nfsrv_buildace(struct nfsrv_descript *nd, u_char *name, int namelen,
286
    __enum_uint8(vtype) type, int group, int owner, struct acl_entry *ace)
287
{
288
	u_int32_t *tl, aceflag = 0x0, acemask = 0x0, acetype;
289
	int full_len;
290

291
	full_len = NFSM_RNDUP(namelen);
292
	NFSM_BUILD(tl, u_int32_t *, 4 * NFSX_UNSIGNED + full_len);
293

294
	/*
295
	 * Fill in the ace type.
296
	 */
297
	if (ace->ae_entry_type & ACL_ENTRY_TYPE_ALLOW)
298
		acetype = NFSV4ACE_ALLOWEDTYPE;
299
	else if (ace->ae_entry_type & ACL_ENTRY_TYPE_DENY)
300
		acetype = NFSV4ACE_DENIEDTYPE;
301
	else if (ace->ae_entry_type & ACL_ENTRY_TYPE_AUDIT)
302
		acetype = NFSV4ACE_AUDITTYPE;
303
	else
304
		acetype = NFSV4ACE_ALARMTYPE;
305
	*tl++ = txdr_unsigned(acetype);
306

307
	/*
308
	 * Set the flag bits from the ACL.
309
	 */
310
	if (ace->ae_flags & ACL_ENTRY_FILE_INHERIT)
311
		aceflag |= NFSV4ACE_FILEINHERIT;
312
	if (ace->ae_flags & ACL_ENTRY_DIRECTORY_INHERIT)
313
		aceflag |= NFSV4ACE_DIRECTORYINHERIT;
314
	if (ace->ae_flags & ACL_ENTRY_NO_PROPAGATE_INHERIT)
315
		aceflag |= NFSV4ACE_NOPROPAGATEINHERIT;
316
	if (ace->ae_flags & ACL_ENTRY_INHERIT_ONLY)
317
		aceflag |= NFSV4ACE_INHERITONLY;
318
	if (ace->ae_flags & ACL_ENTRY_SUCCESSFUL_ACCESS)
319
		aceflag |= NFSV4ACE_SUCCESSFULACCESS;
320
	if (ace->ae_flags & ACL_ENTRY_FAILED_ACCESS)
321
		aceflag |= NFSV4ACE_FAILEDACCESS;
322
	if (group)
323
		aceflag |= NFSV4ACE_IDENTIFIERGROUP;
324
	*tl++ = txdr_unsigned(aceflag);
325
	if (type == VDIR) {
326
		if (ace->ae_perm & ACL_LIST_DIRECTORY)
327
			acemask |= NFSV4ACE_LISTDIRECTORY;
328
		if (ace->ae_perm & ACL_ADD_FILE)
329
			acemask |= NFSV4ACE_ADDFILE;
330
		if (ace->ae_perm & ACL_ADD_SUBDIRECTORY)
331
			acemask |= NFSV4ACE_ADDSUBDIRECTORY;
332
		if (ace->ae_perm & ACL_READ_NAMED_ATTRS)
333
			acemask |= NFSV4ACE_READNAMEDATTR;
334
		if (ace->ae_perm & ACL_WRITE_NAMED_ATTRS)
335
			acemask |= NFSV4ACE_WRITENAMEDATTR;
336
		if (ace->ae_perm & ACL_EXECUTE)
337
			acemask |= NFSV4ACE_SEARCH;
338
		if (ace->ae_perm & ACL_DELETE_CHILD)
339
			acemask |= NFSV4ACE_DELETECHILD;
340
		if (ace->ae_perm & ACL_READ_ATTRIBUTES)
341
			acemask |= NFSV4ACE_READATTRIBUTES;
342
		if (ace->ae_perm & ACL_WRITE_ATTRIBUTES)
343
			acemask |= NFSV4ACE_WRITEATTRIBUTES;
344
		if (ace->ae_perm & ACL_DELETE)
345
			acemask |= NFSV4ACE_DELETE;
346
		if (ace->ae_perm & ACL_READ_ACL)
347
			acemask |= NFSV4ACE_READACL;
348
		if (ace->ae_perm & ACL_WRITE_ACL)
349
			acemask |= NFSV4ACE_WRITEACL;
350
		if (ace->ae_perm & ACL_WRITE_OWNER)
351
			acemask |= NFSV4ACE_WRITEOWNER;
352
		if (ace->ae_perm & ACL_SYNCHRONIZE)
353
			acemask |= NFSV4ACE_SYNCHRONIZE;
354
	} else {
355
		acemask = nfs_aceperm(ace->ae_perm);
356
	}
357
	*tl++ = txdr_unsigned(acemask);
358
	*tl++ = txdr_unsigned(namelen);
359
	if (full_len - namelen)
360
		*(tl + (namelen / NFSX_UNSIGNED)) = 0x0;
361
	NFSBCOPY(name, (caddr_t)tl, namelen);
362
	return (full_len + 4 * NFSX_UNSIGNED);
363
}
364

365
/*
366
 * Convert ae_perm to NFSv4 ACL acemask4 for regular files.
367
 */
368
uint32_t
369
nfs_aceperm(acl_perm_t ae_perm)
370
{
371
	uint32_t acemask = 0x0;
372

373
	if (ae_perm & ACL_READ_DATA)
374
		acemask |= NFSV4ACE_READDATA;
375
	if (ae_perm & ACL_WRITE_DATA)
376
		acemask |= NFSV4ACE_WRITEDATA;
377
	if (ae_perm & ACL_APPEND_DATA)
378
		acemask |= NFSV4ACE_APPENDDATA;
379
	if (ae_perm & ACL_READ_NAMED_ATTRS)
380
		acemask |= NFSV4ACE_READNAMEDATTR;
381
	if (ae_perm & ACL_WRITE_NAMED_ATTRS)
382
		acemask |= NFSV4ACE_WRITENAMEDATTR;
383
	if (ae_perm & ACL_EXECUTE)
384
		acemask |= NFSV4ACE_EXECUTE;
385
	if (ae_perm & ACL_READ_ATTRIBUTES)
386
		acemask |= NFSV4ACE_READATTRIBUTES;
387
	if (ae_perm & ACL_WRITE_ATTRIBUTES)
388
		acemask |= NFSV4ACE_WRITEATTRIBUTES;
389
	if (ae_perm & ACL_DELETE)
390
		acemask |= NFSV4ACE_DELETE;
391
	if (ae_perm & ACL_READ_ACL)
392
		acemask |= NFSV4ACE_READACL;
393
	if (ae_perm & ACL_WRITE_ACL)
394
		acemask |= NFSV4ACE_WRITEACL;
395
	if (ae_perm & ACL_WRITE_OWNER)
396
		acemask |= NFSV4ACE_WRITEOWNER;
397
	if (ae_perm & ACL_SYNCHRONIZE)
398
		acemask |= NFSV4ACE_SYNCHRONIZE;
399
	return (acemask);
400
}
401

402
/*
403
 * Build an NFSv4 ACL.
404
 */
405
int
406
nfsrv_buildacl(struct nfsrv_descript *nd, NFSACL_T *aclp, __enum_uint8(vtype) type,
407
    NFSPROC_T *p)
408
{
409
	int i, entrycnt = 0, retlen;
410
	u_int32_t *entrycntp;
411
	int isowner, isgroup, namelen, malloced;
412
	u_char *name, namestr[NFSV4_SMALLSTR];
413

414
	NFSM_BUILD(entrycntp, u_int32_t *, NFSX_UNSIGNED);
415
	retlen = NFSX_UNSIGNED;
416
	/*
417
	 * Loop through the acl entries, building each one.
418
	 */
419
	for (i = 0; i < aclp->acl_cnt; i++) {
420
		isowner = isgroup = malloced = 0;
421
		switch (aclp->acl_entry[i].ae_tag) {
422
		case ACL_USER_OBJ:
423
			isowner = 1;
424
			name = "OWNER@";
425
			namelen = 6;
426
			break;
427
		case ACL_GROUP_OBJ:
428
			isgroup = 1;
429
			name = "GROUP@";
430
			namelen = 6;
431
			break;
432
		case ACL_EVERYONE:
433
			name = "EVERYONE@";
434
			namelen = 9;
435
			break;
436
		case ACL_USER:
437
			name = namestr;
438
			nfsv4_uidtostr(aclp->acl_entry[i].ae_id, &name,
439
			    &namelen);
440
			if (name != namestr)
441
				malloced = 1;
442
			break;
443
		case ACL_GROUP:
444
			isgroup = 1;
445
			name = namestr;
446
			nfsv4_gidtostr((gid_t)aclp->acl_entry[i].ae_id, &name,
447
			    &namelen);
448
			if (name != namestr)
449
				malloced = 1;
450
			break;
451
		default:
452
			continue;
453
		}
454
		retlen += nfsrv_buildace(nd, name, namelen, type, isgroup,
455
		    isowner, &aclp->acl_entry[i]);
456
		entrycnt++;
457
		if (malloced)
458
			free(name, M_NFSSTRING);
459
	}
460
	*entrycntp = txdr_unsigned(entrycnt);
461
	return (retlen);
462
}
463

464
/*
465
 * Compare two NFSv4 acls.
466
 * Return 0 if they are the same, 1 if not the same.
467
 */
468
int
469
nfsrv_compareacl(NFSACL_T *aclp1, NFSACL_T *aclp2)
470
{
471
	int i;
472
	struct acl_entry *acep1, *acep2;
473

474
	if (aclp1->acl_cnt != aclp2->acl_cnt)
475
		return (1);
476
	acep1 = aclp1->acl_entry;
477
	acep2 = aclp2->acl_entry;
478
	for (i = 0; i < aclp1->acl_cnt; i++) {
479
		if (acep1->ae_tag != acep2->ae_tag)
480
			return (1);
481
		switch (acep1->ae_tag) {
482
		case ACL_GROUP:
483
		case ACL_USER:
484
			if (acep1->ae_id != acep2->ae_id)
485
				return (1);
486
			/* fall through */
487
		case ACL_USER_OBJ:
488
		case ACL_GROUP_OBJ:
489
		case ACL_OTHER:
490
			if (acep1->ae_perm != acep2->ae_perm)
491
				return (1);
492
		}
493
		acep1++;
494
		acep2++;
495
	}
496
	return (0);
497
}
498

499
Product

Resources

Company
