nfs4_acl.c revision ffc5b0313a60d884cda98d494aa8a01074bee03b
/*
* CDDL HEADER START
*
* The contents of this file are subject to the terms of the
* Common Development and Distribution License, Version 1.0 only
* (the "License"). You may not use this file except in compliance
* with the License.
*
* You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
* See the License for the specific language governing permissions
* and limitations under the License.
*
* When distributing Covered Code, include this CDDL HEADER in each
* file and include the License file at usr/src/OPENSOLARIS.LICENSE.
* If applicable, add the following below this CDDL HEADER, with the
* fields enclosed by brackets "[]" replaced with your own identifying
* information: Portions Copyright [yyyy] [name of copyright owner]
*
* CDDL HEADER END
*/
/*
* Copyright 2006 Sun Microsystems, Inc. All rights reserved.
* Use is subject to license terms.
*/
#pragma ident "%Z%%M% %I% %E% SMI"
/*
* The following naming convention is used in function names.
*
* If an argument is one or more aclent_t, we use "aent".
* If an argument is one or more nfsace4, we use "ace4".
* If an argument is one or more ace_t, we use "acet".
*
* If there is an aggregate of the one above...
* If it's contained in a vsecattr_t, we prepend "vs_".
* If it's contained in an "array" (pointer) and length, we prepend "ln_".
*
* Thus, for example, suppose you have a function that converts an
* array of aclent_t structures into an array of nfsace4 structures,
* it's name would be "ln_aent_to_ace4".
*/
#include <nfs/nfs4_kprot.h>
#define ACE4_POSIX_SUPPORTED_BITS (ACE4_READ_DATA | \
ACE4_WRITE_DATA | \
ACE4_APPEND_DATA | \
ACE4_EXECUTE | \
ACE4_READ_ACL | \
static int ace4vals_compare(const void *, const void *);
static int nfs4_ace4_list_construct(void *, void *, int);
static void nfs4_ace4_list_destroy(void *, void *);
static void ace4_list_free(ace4_list_t *);
static void ace4_list_init(ace4_list_t *, int);
static int ln_aent_preprocess(aclent_t *, int,
int *, o_mode_t *, int *, int *, int *);
static int ace4_to_aent_legal(nfsace4 *, int);
int, int, int);
/*
* The following two functions check and set ACE4_SYNCRONIZE, ACE4_WRITE_OWNER,
* ACE4_DELETE and ACE4_WRITE_ATTRIBUTES.
*/
static int access_mask_check(nfsace4 *, int, int, int);
static acemask4 access_mask_set(int, int, int, int, int);
static int nfs4_acl_debug = 0;
#define ACL_SYNCHRONIZE_SET_DENY 0x0000001
#define ACL_SYNCHRONIZE_SET_ALLOW 0x0000002
#define ACL_SYNCHRONIZE_ERR_DENY 0x0000004
#define ACL_SYNCHRONIZE_ERR_ALLOW 0x0000008
#define ACL_WRITE_OWNER_SET_DENY 0x0000010
#define ACL_WRITE_OWNER_SET_ALLOW 0x0000020
#define ACL_WRITE_OWNER_ERR_DENY 0x0000040
#define ACL_WRITE_OWNER_ERR_ALLOW 0x0000080
#define ACL_DELETE_SET_DENY 0x0000100
#define ACL_DELETE_SET_ALLOW 0x0000200
#define ACL_DELETE_ERR_DENY 0x0000400
#define ACL_DELETE_ERR_ALLOW 0x0000800
#define ACL_WRITE_ATTRS_OWNER_SET_DENY 0x0001000
#define ACL_WRITE_ATTRS_OWNER_SET_ALLOW 0x0002000
#define ACL_WRITE_ATTRS_OWNER_ERR_DENY 0x0004000
#define ACL_WRITE_ATTRS_OWNER_ERR_ALLOW 0x0008000
#define ACL_WRITE_ATTRS_WRITER_SET_DENY 0x0010000
#define ACL_WRITE_ATTRS_WRITER_SET_ALLOW 0x0020000
#define ACL_WRITE_ATTRS_WRITER_ERR_DENY 0x0040000
#define ACL_WRITE_ATTRS_WRITER_ERR_ALLOW 0x0080000
#define ACL_WRITE_NAMED_WRITER_SET_DENY 0x0100000
#define ACL_WRITE_NAMED_WRITER_SET_ALLOW 0x0200000
#define ACL_WRITE_NAMED_WRITER_ERR_DENY 0x0400000
#define ACL_WRITE_NAMED_WRITER_ERR_ALLOW 0x0800000
#define ACL_READ_NAMED_READER_SET_DENY 0x1000000
#define ACL_READ_NAMED_READER_SET_ALLOW 0x2000000
#define ACL_READ_NAMED_READER_ERR_DENY 0x4000000
#define ACL_READ_NAMED_READER_ERR_ALLOW 0x8000000
/*
* What we will send the server upon setting an ACL on our client
*/
static int nfs4_acl_client_produce =
/*
* What we will accept upon getting an ACL on our client
*/
static int nfs4_acl_client_consume =
/*
* What we will produce as an ACL on a newly created file
*/
static int nfs4_acl_server_produce =
/*
* What we will accept upon setting an ACL on our server
*/
static int nfs4_acl_server_consume =
static int
{
return (0);
return (-1);
return (1);
}
/*ARGSUSED*/
static int
{
return (0);
}
/*ARGSUSED*/
static void
{
}
void
nfs4_acl_init(void)
{
sizeof (ace4vals_t), 0,
NULL,
0);
sizeof (ace4_list_t), 0,
NULL,
0);
}
void
{
return;
(vsp->vsa_aclcnt > 0) &&
vsp->vsa_aclcnt = 0;
}
void
{
int i;
return;
(vsp->vsa_aclcnt > 0) &&
for (i = 0; i < vsp->vsa_aclcnt; i++) {
}
}
vsp->vsa_aclcnt = 0;
}
void
{
return;
(vsp->vsa_aclcnt > 0) &&
(vsp->vsa_dfaclcnt > 0) &&
vsp->vsa_aclcnt = 0;
vsp->vsa_aclcnt = 0;
}
/*
* free all data associated with an ace4_list
*/
static void
{
void *cookie;
return;
/* free all nodes, but don't destroy the trees themselves */
/* free the container itself */
}
static void
{
}
static void
{
}
/*
* Make an initial pass over an array of aclent_t's. Gather
* information such as an ACL_MASK (if any), number of users,
* number of groups, and whether the array needs to be sorted.
*/
static int
{
int error = 0;
int i;
int curtype = 0;
*hasmask = 0;
*mask = 07;
*needsort = 0;
*numuser = 0;
*numgroup = 0;
for (i = 0; i < n; i++) {
*needsort = 1;
(*numuser)++;
(*numgroup)++;
if (*hasmask) {
"ln_aent_preprocess: multiple CLASS_OBJs "
"(masks) found"));
goto out;
} else {
*hasmask = 1;
}
}
}
"ln_aent_preprocess: no CLASS_OBJs "
"(masks) found"));
goto out;
}
out:
return (error);
}
static acemask4
int isserver)
{
acemask4 access_mask = 0;
int nfs4_acl_produce;
int synchronize_set = 0, write_owner_set = 0;
int delete_set = 0, write_attrs_set = 0;
int read_named_set = 0, write_named_set = 0;
if (isserver)
else
if (isallow) {
if (hasreadperm)
if (haswriteperm)
if (isowner)
else if (haswriteperm)
} else {
if (hasreadperm)
if (haswriteperm)
if (isowner)
else if (haswriteperm)
else
/*
* If the entity is not the owner and does not
* have write permissions ACE4_WRITE_ATTRIBUTES will
* always go in the DENY ACE.
*/
}
if (nfs4_acl_produce & synchronize_set)
if (nfs4_acl_produce & write_owner_set)
if (nfs4_acl_produce & delete_set)
if (nfs4_acl_produce & write_attrs_set)
if (nfs4_acl_produce & read_named_set)
if (nfs4_acl_produce & write_named_set)
return (access_mask);
}
/*
* Given an nfsace4 (presumably an ALLOW entry), make a
* corresponding DENY entry at the address given.
*/
static void
int isserver)
{
if (isdir)
}
/*
* Given an o_mode_t, convert it into an access_mask as used
* by nfsace4, assuming aclent_t -> nfsace4 semantics.
*/
static acemask4
int isserver)
{
int haswriteperm = 0;
int hasreadperm = 0;
if (isallow) {
} else {
}
/*
* The following call takes care of correctly setting the following
* mask bits in the access_mask:
* ACE4_SYNCHRONIZE, ACE4_WRITE_OWNER, ACE4_DELETE,
* ACE4_WRITE_ATTRIBUTES, ACE4_WRITE_NAMED_ATTRS, ACE4_READ_NAMED_ATTRS
*/
isserver);
if (isallow) {
if (isowner)
access |= ACE4_WRITE_ACL;
} else {
if (! isowner)
access |= ACE4_WRITE_ACL;
}
/* read */
if (mode & 04) {
access |= ACE4_READ_DATA;
}
/* write */
if (mode & 02) {
access |= ACE4_WRITE_DATA |
if (isdir)
}
/* exec */
if (mode & 01) {
access |= ACE4_EXECUTE;
}
return (access);
}
/*
* Convert an array of aclent_t into an array of nfsace4 entries,
* following POSIX draft -> nfsv4 conversion semantics as outlined in
* the IETF draft.
*/
static int
{
int error = 0;
int resultsize = 0;
int hasmask;
if (error != 0)
goto out;
/* allow + deny for each aclent */
resultsize = n * 2;
if (hasmask) {
/*
* stick extra deny on the group_obj and on each
* user|group for the mask (the group_obj was added
* into the count for numgroup)
*/
/* ... and don't count the mask itself */
resultsize -= 2;
}
/* sort the source if necessary */
if (needsort)
for (i = 0; i < n; i++) {
/*
* don't process CLASS_OBJ (mask); mask was grabbed in
* ln_aent_preprocess()
*/
continue;
/* If we need an ACL_MASK emulator, prepend it now */
if ((hasmask) &&
error = 0;
} else {
}
if (error != 0) {
"ln_aent_to_ace4: idmap translate "
"failed with %d", error));
goto out;
}
}
/*
* Set the access mask for the prepended deny
* ace. To do this, we invert the mask (found
* in ln_aent_preprocess()) then convert it to an
* DENY ace access_mask.
*/
acep += 1;
}
/* handle a_perm -> access_mask */
/* emulate a default aclent */
}
/*
* handle a_perm and a_id
*
* this must be done last, since it involves the
* corresponding deny aces, which are handled
* differently for each different a_type.
*/
acep += 2;
isserver);
if (error != 0) {
"ln_aent_to_ace4: uid idmap failed "
"with error %d", error));
goto out;
}
acep += 2;
error = 0;
} else {
}
if (error != 0) {
"ln_aent_to_ace4: gid idmap failed "
"with error %d", error));
goto out;
}
/*
* Set the corresponding deny for the group ace.
*
* The deny aces go after all of the groups, unlike
* everything else, where they immediately follow
* the allow ace.
*
* We calculate "skip", the number of slots to
* skip ahead for the deny ace, here.
*
* The pattern is:
* MD1 A1 MD2 A2 MD3 A3 D1 D2 D3
* thus, skip is
* (2 * numgroup) - 1 - groupi
* (2 * numgroup) to account for MD + A
* - 1 to account for the fact that we're on the
* access (A), not the mask (MD)
* - groupi to account for the fact that we have
* passed up groupi number of MD's.
*/
isserver);
/*
* If we just did the last group, skip acep past
* all of the denies; else, just move ahead one.
*/
else
acep += 1;
acep += 2;
} else {
"ln_aent_to_ace4: aclent_t with invalid type: %x",
goto out;
}
}
*rescount = resultsize;
out:
if (error != 0) {
/* free any embedded "who" strings */
for (i = 0; i < resultsize; i++) {
}
}
/* free the nfsace4 block */
}
}
return (error);
}
/*
* Convert a POSIX draft ACL (in a vsecattr_t) to an NFSv4 ACL, following
* the semantics of the IETF draft, draft-ietf-nfsv4-acl-mapping-01.txt.
*/
int
{
int error = 0;
int acecnt = 0;
int dfacecnt = 0;
/* initialize vs_ace4 in case we can't complete our work */
vs_ace4->vsa_aclcnt = 0;
vs_ace4->vsa_dfaclcnt = 0;
VSA_DFACL | VSA_DFACLCNT))) {
"vs_aent_to_ace4: vsa_mask lacking proper mask"));
goto out;
}
"vs_aent_to_ace4: too small vsa_aclcnt, %d",
aclentacl->vsa_aclcnt));
goto out;
}
"vs_aent_to_ace4: too small vsa_dfaclcnt, %d",
goto out;
}
if (aclentacl->vsa_aclcnt > 0) {
if (error != 0)
goto out;
}
if (aclentacl->vsa_dfaclcnt > 0) {
if (error != 0)
goto out;
}
/* on error, this is freed by vs_ace4_destroy() */
if (vs_ace4->vsa_aclcnt > 0)
/*
* When we bcopy the nfsace4's, the result (in vsa_aclentp)
* will have its "who.utf8string_val" pointer pointing to the
* allocated strings. Thus, when we free acebuf and dbacebuf,
* we don't need to free these strings.
*/
if (acecnt > 0)
if (dfacecnt > 0)
out:
if (error != 0)
return (error);
}
static int
{
int error = 0;
/* read */
if (mask & ACE4_READ_DATA)
mode |= 04;
/* write */
wantbits = (ACE4_WRITE_DATA |
if (isdir)
if (bits != 0) {
"ace4_mask_to_mode: bad subset of write flags "
"%x", bits));
goto out;
}
mode |= 02;
}
/* exec */
if (mask & ACE4_EXECUTE) {
mode |= 01;
}
out:
return (error);
}
static int
{
/* ACE4_READ_ACL and ACE4_READ_ATTRIBUTES must both be set */
return (ENOTSUP);
}
}
/*
* Find or create an ace4vals holder for a given id and avl tree.
*
* Note that only one thread will ever touch these avl trees, so
* there is no need for locking.
*/
static ace4vals_t *
{
return (rc);
/* this memory is freed by ln_ace4_to_aent()->ace4_list_free() */
(*num)++;
return (rc);
}
static int
{
int nfs4_acl_consume;
int haswriteperm, hasreadperm;
} else {
}
if (isserver)
else
if (mask_bit == ACE4_SYNCHRONIZE) {
} else if (mask_bit == ACE4_WRITE_OWNER) {
} else if (mask_bit == ACE4_DELETE) {
} else if (mask_bit == ACE4_WRITE_ATTRIBUTES) {
if (isowner) {
} else if (haswriteperm) {
} else {
return (ENOTSUP);
}
return (0);
}
} else if (mask_bit == ACE4_READ_NAMED_ATTRS) {
if (!hasreadperm)
return (0);
} else if (mask_bit == ACE4_WRITE_NAMED_ATTRS) {
if (!haswriteperm)
return (0);
} else
return (EINVAL);
if (nfs4_acl_consume & set_deny) {
return (ENOTSUP);
}
} else if (nfs4_acl_consume & err_deny) {
return (ENOTSUP);
}
}
} else {
/* ACE4_ACCESS_ALLOWED_ACE_TYPE */
if (nfs4_acl_consume & set_allow) {
return (ENOTSUP);
}
} else if (nfs4_acl_consume & err_allow) {
return (ENOTSUP);
}
}
}
return (0);
}
static int
{
int error = 0;
int isowner;
/* check for NULL who string */
"ace4_to_aent_legal: NULL who string"));
goto out;
}
/* only ALLOW or DENY */
"ace4_to_aent_legal: neither allow nor deny"));
goto out;
}
/* check for invalid flags */
goto out;
}
/* some flags are illegal */
goto out;
}
/* check for invalid masks */
"ace4_to_aent_legal: invalid mask: %x",
ace4p->access_mask));
goto out;
}
isowner = 1;
} else {
isowner = 0;
}
if (error)
goto out;
if (error)
goto out;
if (error)
goto out;
isowner);
if (error)
goto out;
isowner);
if (error)
goto out;
isowner);
if (error)
goto out;
/* more detailed checking of masks */
goto out;
}
goto out;
}
goto out;
}
}
/* ACL enforcement */
goto out;
}
(isowner)) {
goto out;
}
(! isowner)) {
goto out;
}
}
out:
return (error);
}
static int
{
int error;
if (isdir)
goto out;
}
"ace4vals_to_aent: entry is missing mask"));
goto out;
}
if (error != 0)
goto out;
isserver);
else
isserver);
if (error != 0) {
"ace4vals_to_aent: idmap failed with %d", error));
goto out;
}
if (error != 0) {
goto out;
}
} else {
"ace4vals_to_aent: dest->a_type invalid: %x "
goto out;
}
out:
return (error);
}
static int
{
int error = 0;
int resultcount;
"ace4_list_to_aent: required aclent_t entites "
"missing"));
goto out;
}
"ace4_list_to_aent: CLASS_OBJ (mask) missing"));
goto out;
}
/*
* This must be the same condition as below, when we add the CLASS_OBJ
* (aka ACL mask)
*/
resultcount += 1;
/* USER_OBJ */
if (error != 0)
goto out;
++aent;
/* USER */
if (error != 0)
goto out;
++aent;
}
/* GROUP_OBJ */
if (error != 0)
goto out;
++aent;
/* GROUP */
if (error != 0)
goto out;
++aent;
}
/*
* CLASS_OBJ (aka ACL_MASK)
*
* An ACL_MASK is not fabricated if the ACL is a default ACL.
* This is to follow UFS's behavior.
*/
if (isdir)
if (error != 0)
goto out;
} else {
/* fabricate the ACL_MASK from the group permissions */
if (error != 0)
goto out;
}
++aent;
}
/* OTHER_OBJ */
if (error != 0)
goto out;
++aent;
*aclcnt = resultcount;
out:
if (error != 0) {
}
return (error);
}
/*
* Convert a list of nfsace4 entries to equivalent regular and default
* aclent_t lists. Return error (ENOTSUP) when conversion is not possible.
*/
static int
{
int error = 0;
int i;
*aclcnt = 0;
*dfaclcnt = 0;
/* we need at least user_obj, group_obj, and other_obj */
if (n < 6) {
"ln_ace4_to_aent: too few nfsace4 entries: %d", n));
goto out;
}
"ln_ace4_to_aent: NULL source"));
goto out;
}
ace4_list_init(normacl, 0);
/* process every nfsace4... */
for (i = 0; i < n; i++) {
/* rule out certain cases quickly */
if (error != 0)
goto out;
/*
* Turn off these bits in order to not have to worry about
* them when doing the checks for compliments.
*/
/* see if this should be a regular or default acl */
if (bits != 0) {
/* all or nothing on these inherit bits */
if (bits != (ACE4_INHERIT_ONLY_ACE |
"ln_ace4_to_aent: bad inherit flags "
"%x", bits));
goto out;
}
} else {
}
"ln_ace4_to_aent: OWNER@ found "
"out of order"));
goto out;
}
== 0)) {
"ln_ace4_to_aent: group entry found "
"out of order"));
goto out;
}
} else {
}
} else {
"ln_ace4_to_aent: user entry found "
"out of order"));
goto out;
}
}
/* no more than one allowed per aclent_t */
"ln_ace4_to_aent: too many ALLOWs "
"for one entity"));
goto out;
}
} else {
/*
* it's a DENY; if there was a previous DENY, it
* must have been an ACL_MASK.
*/
/* ACL_MASK is for USER and GROUP only */
"ln_ace4_to_aent: ACL_MASK-like "
"entity"));
goto out;
}
/* check for mismatched ACL_MASK emulations */
"ln_ace4_to_aent: ACL_MASK "
"mismatch"));
goto out;
}
}
}
}
/* done collating; produce the aclent_t lists */
if (error != 0)
goto out;
}
if (error != 0)
goto out;
}
out:
return (error);
}
/*
* Convert an NFSv4 ACL (in a vsecattr_t) to a POSIX draft ACL, following
* the semantics of NFSv4_to_POSIX.html. Contact fsh-group@sun.com to
* obtain this document.
*/
int
{
int error = 0;
if (error != 0)
goto out;
"vs_ace4_to_aent: neither ACL nor default ACL found"));
goto out;
}
out:
if (error != 0) {
}
return (error);
}
/*
* compare two ace4 acls
*/
static int
{
return (-1);
return (1);
return (-1);
return (1);
if (a->access_mask < b->access_mask)
return (-1);
if (a->access_mask > b->access_mask)
return (1);
}
int
{
int rc;
int i;
for (i = 0; i < n; i++) {
if (rc != 0)
return (rc);
}
return (0);
}
/*
* Convert an ace_t to an nfsace4; the primary difference being
*/
static int
{
int error = 0;
"acet_to_ace4: NULL source"));
goto out;
}
"acet_to_ace4: NULL destination"));
goto out;
}
break;
break;
default:
break;
}
if (error != 0)
goto out;
if (error != 0)
"acet_to_ace4: idmap failed with %d", error));
} else {
if (error != 0)
"acet_to_ace4: idmap failed with %d", error));
}
out:
return (error);
}
/*
* Convert an nfsace4 to an ace_t, the primary difference being
*/
static int
int isserver, int just_count)
{
int error = 0;
"ace4_to_acet: NULL source"));
return (EINVAL);
}
"ace4_to_acet: NULL destination"));
return (EINVAL);
}
break;
break;
default:
break;
}
if (error != 0)
goto out;
goto out;
}
/* check for invalid masks */
goto out;
}
goto out;
}
error = 0;
} else {
if (error != 0) {
"ace4_to_acet: idmap failed with %d",
error));
goto out;
}
if (error != 0) {
goto out;
}
}
} else {
error = 0;
} else {
if (error != 0) {
"ace4_to_acet: idmap failed with %d",
error));
goto out;
}
if (error != 0) {
goto out;
}
}
}
out:
return (error);
}
static void
{
*acet_mask = 0;
if (ace4_mask & ACE4_READ_DATA)
*acet_mask |= ACE_READ_DATA;
if (ace4_mask & ACE4_WRITE_DATA)
*acet_mask |= ACE_WRITE_DATA;
if (ace4_mask & ACE4_APPEND_DATA)
*acet_mask |= ACE_APPEND_DATA;
if (ace4_mask & ACE4_READ_NAMED_ATTRS)
if (ace4_mask & ACE4_WRITE_NAMED_ATTRS)
if (ace4_mask & ACE4_EXECUTE)
*acet_mask |= ACE_EXECUTE;
if (ace4_mask & ACE4_DELETE_CHILD)
if (ace4_mask & ACE4_READ_ATTRIBUTES)
if (ace4_mask & ACE4_WRITE_ATTRIBUTES)
if (ace4_mask & ACE4_DELETE)
*acet_mask |= ACE_DELETE;
if (ace4_mask & ACE4_READ_ACL)
*acet_mask |= ACE_READ_ACL;
if (ace4_mask & ACE4_WRITE_ACL)
*acet_mask |= ACE_WRITE_ACL;
if (ace4_mask & ACE4_WRITE_OWNER)
*acet_mask |= ACE_WRITE_OWNER;
if (ace4_mask & ACE4_SYNCHRONIZE)
*acet_mask |= ACE_SYNCHRONIZE;
}
static void
{
*ace4_mask = 0;
if (acet_mask & ACE_READ_DATA)
*ace4_mask |= ACE4_READ_DATA;
if (acet_mask & ACE_WRITE_DATA)
*ace4_mask |= ACE4_WRITE_DATA;
if (acet_mask & ACE_APPEND_DATA)
*ace4_mask |= ACE_APPEND_DATA;
if (acet_mask & ACE4_READ_NAMED_ATTRS)
if (acet_mask & ACE_WRITE_NAMED_ATTRS)
if (acet_mask & ACE_EXECUTE)
*ace4_mask |= ACE4_EXECUTE;
if (acet_mask & ACE_DELETE_CHILD)
if (acet_mask & ACE_READ_ATTRIBUTES)
if (acet_mask & ACE_WRITE_ATTRIBUTES)
if (acet_mask & ACE_DELETE)
*ace4_mask |= ACE4_DELETE;
if (acet_mask & ACE_READ_ACL)
*ace4_mask |= ACE4_READ_ACL;
if (acet_mask & ACE_WRITE_ACL)
*ace4_mask |= ACE4_WRITE_ACL;
if (acet_mask & ACE_WRITE_OWNER)
if (acet_mask & ACE_SYNCHRONIZE)
}
static void
{
*acet_flags = 0;
if (ace4_flags & ACE4_FILE_INHERIT_ACE)
if (ace4_flags & ACE4_INHERIT_ONLY_ACE)
if (ace4_flags & ACE4_IDENTIFIER_GROUP)
}
static void
{
*ace4_flags = 0;
if (acet_flags & ACE_FILE_INHERIT_ACE)
if (acet_flags & ACE_INHERIT_ONLY_ACE)
if (acet_flags & ACE_IDENTIFIER_GROUP)
}
int
{
int error;
int i;
(VSA_ACE | VSA_ACECNT))
return (EINVAL);
if (vs_ace4->vsa_aclcnt < 0)
return (EINVAL);
return (0);
if (vs_ace4->vsa_aclcnt > 0)
else
for (i = 0; i < vs_ace4->vsa_aclcnt; i++) {
if (error != 0)
goto out;
}
out:
if (error != 0)
return (error);
}
int
int isserver)
{
int error = 0;
int i;
"vs_acet_to_ace4: VSA_ACE missing from mask"));
return (EINVAL);
}
if (vs_acet->vsa_aclcnt > 0)
else
for (i = 0; i < vs_acet->vsa_aclcnt; i++) {
if (error != 0)
goto out;
}
out:
if (error != 0)
return (error);
}
void
{
int i;
else {
return;
}
}
} else {
/*
* The counts are equal so we don't have to
* destroy the acl entries because we'd only
* have to re-allocate them, but we do have to
* destroy all of the who utf8strings.
* The acl that we are now filling the cache
* with may have the same amount of entries as
* what is currently cached, but those entries
* may not be the same.
*/
for (i = 0; i < rvsap->vsa_aclcnt; i++) {
}
}
}
if (vsap->vsa_aclcnt > 0) {
KM_SLEEP);
}
for (i = 0; i < vsap->vsa_aclcnt; i++) {
}
}
}
/*
* If the caller requested to only cache the
* count, get rid of the acl whether or not the
* counts are equal because it may be invalid.
*/
}
}
}
}
/*
* This should ONLY be called on the ACL cache (rnode4_t.r_secattr). The cache
* is stored as a nfsv4 acl meaning the vsecattr_t.vsa_aclentp is a list of
* nfsace4 entries and vsecattr_t.vsa_dfaclentp is NULL or not populated.
*/
void
{
return;
}
static int
int isserver, int just_count)
{
if (isserver) {
/*
* This code path gets executed on the server
* in the case that we are setting an ACL.
*
* We silently got our who value (who@domain)
* mapped to "nobody" (possibly because the
* nfsmapid daemon was unresponsive).
* We NEVER want to silently map the user or
* group to "nobody" as this could end up
* wrongly giving access to user or group
* "nobody" rather than the entity it was
* meant for.
*/
return (NFS4ERR_BADOWNER);
} else {
/* CLIENT */
/*
* This code path gets executed on the client
* when we are getting an ACL.
*
* If the caller just requested the count
* don't fail the request just because we
* failed mapping the other portions of the
* ACL. Things such as vn_createat expect it's
* call to VOP_GETSECATTR (to get the
* default acl count) to succeed in order to
* create a file.
*
* If the caller requested more than the count,
* return an error as we will not want to
* silently map user or group to "nobody"
* because of the semantics that an ACL
* modification interface (i.e. - setfacl -m)
* may use to modify an ACL (i.e. - get the ACL
* then use it as a basis for setting the
* modified ACL).
*/
if (just_count) {
return (0);
} else {
return (EACCES);
}
}
}
return (0);
}
/*
* Returns 1 if the who, utf8string was mapped to UID_NOBODY or GID_NOBODY.
* Returns 0 if the who, utf8string was mapped correctly.
*/
static int
{
return (0);
if (isuser)
return (mapped_id == UID_NOBODY);
return (mapped_id == GID_NOBODY);
}