search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
4943 NFS server: Generic uid and gid remapping for AUTH_SYS
[illumos-gate.git] / usr / src / uts / common / fs / nfs / nfs_acl_srv.c
blob8a3077c80f17b0413c8347f864f706de78feb0cc
1 /*
2 * CDDL HEADER START
3 *
4 * The contents of this file are subject to the terms of the
5 * Common Development and Distribution License (the "License").
6 * You may not use this file except in compliance with the License.
7 *
8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9 * or http://www.opensolaris.org/os/licensing.
10 * See the License for the specific language governing permissions
11 * and limitations under the License.
12 *
13 * When distributing Covered Code, include this CDDL HEADER in each
14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15 * If applicable, add the following below this CDDL HEADER, with the
16 * fields enclosed by brackets "[]" replaced with your own identifying
17 * information: Portions Copyright [yyyy] [name of copyright owner]
18 *
19 * CDDL HEADER END
20 */
21 /*
22 * Copyright 2009 Sun Microsystems, Inc. All rights reserved.
23 * Use is subject to license terms.
24 *
25 * Copyright 2014 Nexenta Systems, Inc. All rights reserved.
26 */
27
28 #include <sys/param.h>
29 #include <sys/types.h>
30 #include <sys/systm.h>
31 #include <sys/cred.h>
32 #include <sys/proc.h>
33 #include <sys/user.h>
34 #include <sys/buf.h>
35 #include <sys/vfs.h>
36 #include <sys/vnode.h>
37 #include <sys/pathname.h>
38 #include <sys/uio.h>
39 #include <sys/file.h>
40 #include <sys/stat.h>
41 #include <sys/errno.h>
42 #include <sys/socket.h>
43 #include <sys/sysmacros.h>
44 #include <sys/siginfo.h>
45 #include <sys/tiuser.h>
46 #include <sys/statvfs.h>
47 #include <sys/t_kuser.h>
48 #include <sys/kmem.h>
49 #include <sys/kstat.h>
50 #include <sys/acl.h>
51 #include <sys/dirent.h>
52 #include <sys/cmn_err.h>
53 #include <sys/debug.h>
54 #include <sys/unistd.h>
55 #include <sys/vtrace.h>
56 #include <sys/mode.h>
57
58 #include <rpc/types.h>
59 #include <rpc/auth.h>
60 #include <rpc/svc.h>
61 #include <rpc/xdr.h>
62
63 #include <nfs/nfs.h>
64 #include <nfs/export.h>
65 #include <nfs/nfssys.h>
66 #include <nfs/nfs_clnt.h>
67 #include <nfs/nfs_acl.h>
68
69 #include <fs/fs_subr.h>
70
71 /*
72 * These are the interface routines for the server side of the
73 * NFS ACL server. See the NFS ACL protocol specification
74 * for a description of this interface.
75 */
76
77 /* ARGSUSED */
78 void
79 acl2_getacl(GETACL2args *args, GETACL2res *resp, struct exportinfo *exi,
80 struct svc_req *req, cred_t *cr, bool_t ro)
81 {
82 int error;
83 vnode_t *vp;
84 vattr_t va;
85
86 vp = nfs_fhtovp(&args->fh, exi);
87 if (vp == NULL) {
88 resp->status = NFSERR_STALE;
89 return;
90 }
91
92 bzero((caddr_t)&resp->resok.acl, sizeof (resp->resok.acl));
93
94 resp->resok.acl.vsa_mask = args->mask;
95
96 error = VOP_GETSECATTR(vp, &resp->resok.acl, 0, cr, NULL);
97
98 if ((error == ENOSYS) && !(exi->exi_export.ex_flags & EX_NOACLFAB)) {
99 /*
100 * If the underlying file system doesn't support
101 * aclent_t type acls, fabricate an acl. This is
102 * required in order to to support existing clients
103 * that require the call to VOP_GETSECATTR to
104 * succeed while making the assumption that all
105 * file systems support aclent_t type acls. This
106 * causes problems for servers exporting ZFS file
107 * systems because ZFS supports ace_t type acls,
108 * and fails (with ENOSYS) when asked for aclent_t
109 * type acls.
110 *
111 * Note: if the fs_fab_acl() fails, we have other problems.
112 * This error should be returned to the caller.
113 */
114 error = fs_fab_acl(vp, &resp->resok.acl, 0, cr, NULL);
115 }
116
117 if (error) {
118 VN_RELE(vp);
119 resp->status = puterrno(error);
120 return;
121 }
122
123 va.va_mask = AT_ALL;
124 error = rfs4_delegated_getattr(vp, &va, 0, cr);
125
126 VN_RELE(vp);
127
128 /* check for overflowed values */
129 if (!error) {
130 error = vattr_to_nattr(&va, &resp->resok.attr);
131 }
132 if (error) {
133 resp->status = puterrno(error);
134 if (resp->resok.acl.vsa_aclcnt > 0 &&
135 resp->resok.acl.vsa_aclentp != NULL) {
136 kmem_free((caddr_t)resp->resok.acl.vsa_aclentp,
137 resp->resok.acl.vsa_aclcnt * sizeof (aclent_t));
138 }
139 if (resp->resok.acl.vsa_dfaclcnt > 0 &&
140 resp->resok.acl.vsa_dfaclentp != NULL) {
141 kmem_free((caddr_t)resp->resok.acl.vsa_dfaclentp,
142 resp->resok.acl.vsa_dfaclcnt * sizeof (aclent_t));
143 }
144 return;
145 }
146
147 resp->status = NFS_OK;
148 if (!(args->mask & NA_ACL)) {
149 if (resp->resok.acl.vsa_aclcnt > 0 &&
150 resp->resok.acl.vsa_aclentp != NULL) {
151 kmem_free((caddr_t)resp->resok.acl.vsa_aclentp,
152 resp->resok.acl.vsa_aclcnt * sizeof (aclent_t));
153 }
154 resp->resok.acl.vsa_aclentp = NULL;
155 }
156 if (!(args->mask & NA_DFACL)) {
157 if (resp->resok.acl.vsa_dfaclcnt > 0 &&
158 resp->resok.acl.vsa_dfaclentp != NULL) {
159 kmem_free((caddr_t)resp->resok.acl.vsa_dfaclentp,
160 resp->resok.acl.vsa_dfaclcnt * sizeof (aclent_t));
161 }
162 resp->resok.acl.vsa_dfaclentp = NULL;
163 }
164 }
165
166 void *
167 acl2_getacl_getfh(GETACL2args *args)
168 {
169
170 return (&args->fh);
171 }
172
173 void
174 acl2_getacl_free(GETACL2res *resp)
175 {
176
177 if (resp->status == NFS_OK) {
178 if (resp->resok.acl.vsa_aclcnt > 0 &&
179 resp->resok.acl.vsa_aclentp != NULL) {
180 kmem_free((caddr_t)resp->resok.acl.vsa_aclentp,
181 resp->resok.acl.vsa_aclcnt * sizeof (aclent_t));
182 }
183 if (resp->resok.acl.vsa_dfaclcnt > 0 &&
184 resp->resok.acl.vsa_dfaclentp != NULL) {
185 kmem_free((caddr_t)resp->resok.acl.vsa_dfaclentp,
186 resp->resok.acl.vsa_dfaclcnt * sizeof (aclent_t));
187 }
188 }
189 }
190
191 /* ARGSUSED */
192 void
193 acl2_setacl(SETACL2args *args, SETACL2res *resp, struct exportinfo *exi,
194 struct svc_req *req, cred_t *cr, bool_t ro)
195 {
196 int error;
197 vnode_t *vp;
198 vattr_t va;
199
200 vp = nfs_fhtovp(&args->fh, exi);
201 if (vp == NULL) {
202 resp->status = NFSERR_STALE;
203 return;
204 }
205
206 if (rdonly(ro, vp)) {
207 VN_RELE(vp);
208 resp->status = NFSERR_ROFS;
209 return;
210 }
211
212 (void) VOP_RWLOCK(vp, V_WRITELOCK_TRUE, NULL);
213 error = VOP_SETSECATTR(vp, &args->acl, 0, cr, NULL);
214 if (error) {
215 VOP_RWUNLOCK(vp, V_WRITELOCK_TRUE, NULL);
216 VN_RELE(vp);
217 resp->status = puterrno(error);
218 return;
219 }
220
221 va.va_mask = AT_ALL;
222 error = rfs4_delegated_getattr(vp, &va, 0, cr);
223
224 VOP_RWUNLOCK(vp, V_WRITELOCK_TRUE, NULL);
225 VN_RELE(vp);
226
227 /* check for overflowed values */
228 if (!error) {
229 error = vattr_to_nattr(&va, &resp->resok.attr);
230 }
231 if (error) {
232 resp->status = puterrno(error);
233 return;
234 }
235
236 resp->status = NFS_OK;
237 }
238
239 void *
240 acl2_setacl_getfh(SETACL2args *args)
241 {
242
243 return (&args->fh);
244 }
245
246 /* ARGSUSED */
247 void
248 acl2_getattr(GETATTR2args *args, GETATTR2res *resp, struct exportinfo *exi,
249 struct svc_req *req, cred_t *cr, bool_t ro)
250 {
251 int error;
252 vnode_t *vp;
253 vattr_t va;
254
255 vp = nfs_fhtovp(&args->fh, exi);
256 if (vp == NULL) {
257 resp->status = NFSERR_STALE;
258 return;
259 }
260
261 va.va_mask = AT_ALL;
262 error = rfs4_delegated_getattr(vp, &va, 0, cr);
263
264 VN_RELE(vp);
265
266 /* check for overflowed values */
267 if (!error) {
268 error = vattr_to_nattr(&va, &resp->resok.attr);
269 }
270 if (error) {
271 resp->status = puterrno(error);
272 return;
273 }
274
275 resp->status = NFS_OK;
276 }
277
278 void *
279 acl2_getattr_getfh(GETATTR2args *args)
280 {
281
282 return (&args->fh);
283 }
284
285 /* ARGSUSED */
286 void
287 acl2_access(ACCESS2args *args, ACCESS2res *resp, struct exportinfo *exi,
288 struct svc_req *req, cred_t *cr, bool_t ro)
289 {
290 int error;
291 vnode_t *vp;
292 vattr_t va;
293 int checkwriteperm;
294
295 vp = nfs_fhtovp(&args->fh, exi);
296 if (vp == NULL) {
297 resp->status = NFSERR_STALE;
298 return;
299 }
300
301 /*
302 * If the file system is exported read only, it is not appropriate
303 * to check write permissions for regular files and directories.
304 * Special files are interpreted by the client, so the underlying
305 * permissions are sent back to the client for interpretation.
306 */
307 if (rdonly(ro, vp) && (vp->v_type == VREG || vp->v_type == VDIR))
308 checkwriteperm = 0;
309 else
310 checkwriteperm = 1;
311
312 /*
313 * We need the mode so that we can correctly determine access
314 * permissions relative to a mandatory lock file. Access to
315 * mandatory lock files is denied on the server, so it might
316 * as well be reflected to the server during the open.
317 */
318 va.va_mask = AT_MODE;
319 error = VOP_GETATTR(vp, &va, 0, cr, NULL);
320 if (error) {
321 VN_RELE(vp);
322 resp->status = puterrno(error);
323 return;
324 }
325
326 resp->resok.access = 0;
327
328 if (args->access & ACCESS2_READ) {
329 error = VOP_ACCESS(vp, VREAD, 0, cr, NULL);
330 if (!error && !MANDLOCK(vp, va.va_mode))
331 resp->resok.access |= ACCESS2_READ;
332 }
333 if ((args->access & ACCESS2_LOOKUP) && vp->v_type == VDIR) {
334 error = VOP_ACCESS(vp, VEXEC, 0, cr, NULL);
335 if (!error)
336 resp->resok.access |= ACCESS2_LOOKUP;
337 }
338 if (checkwriteperm &&
339 (args->access & (ACCESS2_MODIFY|ACCESS2_EXTEND))) {
340 error = VOP_ACCESS(vp, VWRITE, 0, cr, NULL);
341 if (!error && !MANDLOCK(vp, va.va_mode))
342 resp->resok.access |=
343 (args->access & (ACCESS2_MODIFY|ACCESS2_EXTEND));
344 }
345 if (checkwriteperm &&
346 (args->access & ACCESS2_DELETE) && (vp->v_type == VDIR)) {
347 error = VOP_ACCESS(vp, VWRITE, 0, cr, NULL);
348 if (!error)
349 resp->resok.access |= ACCESS2_DELETE;
350 }
351 if (args->access & ACCESS2_EXECUTE) {
352 error = VOP_ACCESS(vp, VEXEC, 0, cr, NULL);
353 if (!error && !MANDLOCK(vp, va.va_mode))
354 resp->resok.access |= ACCESS2_EXECUTE;
355 }
356
357 va.va_mask = AT_ALL;
358 error = rfs4_delegated_getattr(vp, &va, 0, cr);
359
360 VN_RELE(vp);
361
362 /* check for overflowed values */
363 if (!error) {
364 error = vattr_to_nattr(&va, &resp->resok.attr);
365 }
366 if (error) {
367 resp->status = puterrno(error);
368 return;
369 }
370
371 resp->status = NFS_OK;
372 }
373
374 void *
375 acl2_access_getfh(ACCESS2args *args)
376 {
377
378 return (&args->fh);
379 }
380
381 /* ARGSUSED */
382 void
383 acl2_getxattrdir(GETXATTRDIR2args *args, GETXATTRDIR2res *resp,
384 struct exportinfo *exi, struct svc_req *req, cred_t *cr, bool_t ro)
385 {
386 int error;
387 int flags;
388 vnode_t *vp, *avp;
389
390 vp = nfs_fhtovp(&args->fh, exi);
391 if (vp == NULL) {
392 resp->status = NFSERR_STALE;
393 return;
394 }
395
396 flags = LOOKUP_XATTR;
397 if (args->create)
398 flags |= CREATE_XATTR_DIR;
399 else {
400 ulong_t val = 0;
401 error = VOP_PATHCONF(vp, _PC_SATTR_EXISTS, &val, cr, NULL);
402 if (!error && val == 0) {
403 error = VOP_PATHCONF(vp, _PC_XATTR_EXISTS,
404 &val, cr, NULL);
405 if (!error && val == 0) {
406 VN_RELE(vp);
407 resp->status = NFSERR_NOENT;
408 return;
409 }
410 }
411 }
412
413 error = VOP_LOOKUP(vp, "", &avp, NULL, flags, NULL, cr,
414 NULL, NULL, NULL);
415 if (!error && avp == vp) { /* lookup of "" on old FS? */
416 error = EINVAL;
417 VN_RELE(avp);
418 }
419 if (!error) {
420 struct vattr va;
421 va.va_mask = AT_ALL;
422 error = rfs4_delegated_getattr(avp, &va, 0, cr);
423 if (!error) {
424 error = vattr_to_nattr(&va, &resp->resok.attr);
425 if (!error)
426 error = makefh(&resp->resok.fh, avp, exi);
427 }
428 VN_RELE(avp);
429 }
430
431 VN_RELE(vp);
432
433 if (error) {
434 resp->status = puterrno(error);
435 return;
436 }
437 resp->status = NFS_OK;
438 }
439
440 void *
441 acl2_getxattrdir_getfh(GETXATTRDIR2args *args)
442 {
443 return (&args->fh);
444 }
445
446 /* ARGSUSED */
447 void
448 acl3_getacl(GETACL3args *args, GETACL3res *resp, struct exportinfo *exi,
449 struct svc_req *req, cred_t *cr, bool_t ro)
450 {
451 int error;
452 vnode_t *vp;
453 vattr_t *vap;
454 vattr_t va;
455
456 vap = NULL;
457
458 vp = nfs3_fhtovp(&args->fh, exi);
459 if (vp == NULL) {
460 error = ESTALE;
461 goto out;
462 }
463
464 va.va_mask = AT_ALL;
465 vap = rfs4_delegated_getattr(vp, &va, 0, cr) ? NULL : &va;
466
467 bzero((caddr_t)&resp->resok.acl, sizeof (resp->resok.acl));
468
469 resp->resok.acl.vsa_mask = args->mask;
470
471 error = VOP_GETSECATTR(vp, &resp->resok.acl, 0, cr, NULL);
472
473 if ((error == ENOSYS) && !(exi->exi_export.ex_flags & EX_NOACLFAB)) {
474 /*
475 * If the underlying file system doesn't support
476 * aclent_t type acls, fabricate an acl. This is
477 * required in order to to support existing clients
478 * that require the call to VOP_GETSECATTR to
479 * succeed while making the assumption that all
480 * file systems support aclent_t type acls. This
481 * causes problems for servers exporting ZFS file
482 * systems because ZFS supports ace_t type acls,
483 * and fails (with ENOSYS) when asked for aclent_t
484 * type acls.
485 *
486 * Note: if the fs_fab_acl() fails, we have other problems.
487 * This error should be returned to the caller.
488 */
489 error = fs_fab_acl(vp, &resp->resok.acl, 0, cr, NULL);
490 }
491
492 if (error)
493 goto out;
494
495 va.va_mask = AT_ALL;
496 vap = rfs4_delegated_getattr(vp, &va, 0, cr) ? NULL : &va;
497
498 VN_RELE(vp);
499
500 resp->status = NFS3_OK;
501 vattr_to_post_op_attr(vap, &resp->resok.attr);
502 if (!(args->mask & NA_ACL)) {
503 if (resp->resok.acl.vsa_aclcnt > 0 &&
504 resp->resok.acl.vsa_aclentp != NULL) {
505 kmem_free((caddr_t)resp->resok.acl.vsa_aclentp,
506 resp->resok.acl.vsa_aclcnt * sizeof (aclent_t));
507 }
508 resp->resok.acl.vsa_aclentp = NULL;
509 }
510 if (!(args->mask & NA_DFACL)) {
511 if (resp->resok.acl.vsa_dfaclcnt > 0 &&
512 resp->resok.acl.vsa_dfaclentp != NULL) {
513 kmem_free((caddr_t)resp->resok.acl.vsa_dfaclentp,
514 resp->resok.acl.vsa_dfaclcnt * sizeof (aclent_t));
515 }
516 resp->resok.acl.vsa_dfaclentp = NULL;
517 }
518 return;
519
520 out:
521 if (curthread->t_flag & T_WOULDBLOCK) {
522 curthread->t_flag &= ~T_WOULDBLOCK;
523 resp->status = NFS3ERR_JUKEBOX;
524 } else
525 resp->status = puterrno3(error);
526 out1:
527 if (vp != NULL)
528 VN_RELE(vp);
529 vattr_to_post_op_attr(vap, &resp->resfail.attr);
530 }
531
532 void *
533 acl3_getacl_getfh(GETACL3args *args)
534 {
535
536 return (&args->fh);
537 }
538
539 void
540 acl3_getacl_free(GETACL3res *resp)
541 {
542
543 if (resp->status == NFS3_OK) {
544 if (resp->resok.acl.vsa_aclcnt > 0 &&
545 resp->resok.acl.vsa_aclentp != NULL) {
546 kmem_free((caddr_t)resp->resok.acl.vsa_aclentp,
547 resp->resok.acl.vsa_aclcnt * sizeof (aclent_t));
548 }
549 if (resp->resok.acl.vsa_dfaclcnt > 0 &&
550 resp->resok.acl.vsa_dfaclentp != NULL) {
551 kmem_free((caddr_t)resp->resok.acl.vsa_dfaclentp,
552 resp->resok.acl.vsa_dfaclcnt * sizeof (aclent_t));
553 }
554 }
555 }
556
557 /* ARGSUSED */
558 void
559 acl3_setacl(SETACL3args *args, SETACL3res *resp, struct exportinfo *exi,
560 struct svc_req *req, cred_t *cr, bool_t ro)
561 {
562 int error;
563 vnode_t *vp;
564 vattr_t *vap;
565 vattr_t va;
566
567 vap = NULL;
568
569 vp = nfs3_fhtovp(&args->fh, exi);
570 if (vp == NULL) {
571 error = ESTALE;
572 goto out1;
573 }
574
575 (void) VOP_RWLOCK(vp, V_WRITELOCK_TRUE, NULL);
576
577 va.va_mask = AT_ALL;
578 vap = rfs4_delegated_getattr(vp, &va, 0, cr) ? NULL : &va;
579
580 if (rdonly(ro, vp)) {
581 resp->status = NFS3ERR_ROFS;
582 goto out1;
583 }
584
585 error = VOP_SETSECATTR(vp, &args->acl, 0, cr, NULL);
586
587 va.va_mask = AT_ALL;
588 vap = rfs4_delegated_getattr(vp, &va, 0, cr) ? NULL : &va;
589
590 if (error)
591 goto out;
592
593 VOP_RWUNLOCK(vp, V_WRITELOCK_TRUE, NULL);
594 VN_RELE(vp);
595
596 resp->status = NFS3_OK;
597 vattr_to_post_op_attr(vap, &resp->resok.attr);
598 return;
599
600 out:
601 if (curthread->t_flag & T_WOULDBLOCK) {
602 curthread->t_flag &= ~T_WOULDBLOCK;
603 resp->status = NFS3ERR_JUKEBOX;
604 } else
605 resp->status = puterrno3(error);
606 out1:
607 if (vp != NULL) {
608 VOP_RWUNLOCK(vp, V_WRITELOCK_TRUE, NULL);
609 VN_RELE(vp);
610 }
611 vattr_to_post_op_attr(vap, &resp->resfail.attr);
612 }
613
614 void *
615 acl3_setacl_getfh(SETACL3args *args)
616 {
617
618 return (&args->fh);
619 }
620
621 /* ARGSUSED */
622 void
623 acl3_getxattrdir(GETXATTRDIR3args *args, GETXATTRDIR3res *resp,
624 struct exportinfo *exi, struct svc_req *req, cred_t *cr, bool_t ro)
625 {
626 int error;
627 int flags;
628 vnode_t *vp, *avp;
629
630 vp = nfs3_fhtovp(&args->fh, exi);
631 if (vp == NULL) {
632 resp->status = NFS3ERR_STALE;
633 return;
634 }
635
636 flags = LOOKUP_XATTR;
637 if (args->create)
638 flags |= CREATE_XATTR_DIR;
639 else {
640 ulong_t val = 0;
641
642 error = VOP_PATHCONF(vp, _PC_SATTR_EXISTS, &val, cr, NULL);
643 if (!error && val == 0) {
644 error = VOP_PATHCONF(vp, _PC_XATTR_EXISTS,
645 &val, cr, NULL);
646 if (!error && val == 0) {
647 VN_RELE(vp);
648 resp->status = NFS3ERR_NOENT;
649 return;
650 }
651 }
652 }
653
654 error = VOP_LOOKUP(vp, "", &avp, NULL, flags, NULL, cr,
655 NULL, NULL, NULL);
656 if (!error && avp == vp) { /* lookup of "" on old FS? */
657 error = EINVAL;
658 VN_RELE(avp);
659 }
660 if (!error) {
661 struct vattr va;
662 va.va_mask = AT_ALL;
663 error = rfs4_delegated_getattr(avp, &va, 0, cr);
664 if (!error) {
665 vattr_to_post_op_attr(&va, &resp->resok.attr);
666 error = makefh3(&resp->resok.fh, avp, exi);
667 }
668 VN_RELE(avp);
669 }
670
671 VN_RELE(vp);
672
673 if (error) {
674 resp->status = puterrno3(error);
675 return;
676 }
677 resp->status = NFS3_OK;
678 }
679
680 void *
681 acl3_getxattrdir_getfh(GETXATTRDIR3args *args)
682 {
683 return (&args->fh);
684 }
Community developed and maintained version of the OS/Net consolidation