FreeBSD ZFS
The Zettabyte File System
Data Structures | Defines | Typedefs | Functions

sys/zfs_acl.h File Reference

ZFS Access Control Lists. More...

#include <sys/cred.h>
#include <sys/acl.h>
#include <sys/dmu.h>
#include <sys/zfs_fuid.h>
#include <sys/sa.h>
#include <sys/zfs_fuid.h>
Include dependency graph for zfs_acl.h:
This graph shows which files directly or indirectly include this file:

Go to the source code of this file.

Data Structures

struct  zfs_ace_hdr
 All ACEs have a common hdr. More...
struct  zfs_ace
 Standard ACE. More...
struct  zfs_object_ace
 The following type only applies to ACE_ACCESS_ALLOWED|DENIED_OBJECT_ACE_TYPE and will only be set/retrieved in a CIFS context. More...
struct  zfs_oldace
struct  zfs_acl_phys_v0
struct  zfs_acl_phys
struct  acl_ops
struct  zfs_acl_node
struct  zfs_acl
 A zfs_acl_t structure is composed of a list of zfs_acl_node_t's. More...
struct  acl_locator_cb
struct  zfs_acl_ids

Defines

#define ACE_SLOT_CNT   6
#define ZFS_ACL_VERSION_INITIAL   0ULL
#define ZFS_ACL_VERSION_FUID   1ULL
#define ZFS_ACL_VERSION   ZFS_ACL_VERSION_FUID
#define ZFS_ACE_SPACE   (sizeof (zfs_oldace_t) * ACE_SLOT_CNT)
#define ZFS_ACL_COUNT_SIZE   (sizeof (uint16_t))
 Size of ACL count is always 2 bytes.
#define ACL_DATA_ALLOCED   0x1
#define ZFS_ACL_SIZE(aclcnt)   (sizeof (ace_t) * (aclcnt))
#define ZFS_ACL_DISCARD   0
#define ZFS_ACL_NOALLOW   1
#define ZFS_ACL_GROUPMASK   2
#define ZFS_ACL_PASSTHROUGH   3
#define ZFS_ACL_RESTRICTED   4
#define ZFS_ACL_PASSTHROUGH_X   5

Typedefs

typedef struct zfs_ace_hdr zfs_ace_hdr_t
 All ACEs have a common hdr.
typedef zfs_ace_hdr_t zfs_ace_abstract_t
typedef struct zfs_ace zfs_ace_t
 Standard ACE.
typedef struct zfs_object_ace zfs_object_ace_t
 The following type only applies to ACE_ACCESS_ALLOWED|DENIED_OBJECT_ACE_TYPE and will only be set/retrieved in a CIFS context.
typedef struct zfs_oldace zfs_oldace_t
typedef struct zfs_acl_phys_v0 zfs_acl_phys_v0_t
typedef struct zfs_acl_phys zfs_acl_phys_t
typedef struct acl_ops acl_ops_t
typedef struct zfs_acl_node zfs_acl_node_t
typedef struct zfs_acl zfs_acl_t
 A zfs_acl_t structure is composed of a list of zfs_acl_node_t's.
typedef struct acl_locator_cb zfs_acl_locator_cb_t
typedef struct zfs_acl_ids zfs_acl_ids_t

Functions

int zfs_acl_ids_create (struct znode *, int, vattr_t *, cred_t *, vsecattr_t *, zfs_acl_ids_t *)
 Create file system object initial permissions including inheritable ACEs.
void zfs_acl_ids_free (zfs_acl_ids_t *)
 Free ACL and fuid_infop, but not the acl_ids structure.
boolean_t zfs_acl_ids_overquota (struct zfsvfs *, zfs_acl_ids_t *)
int zfs_getacl (struct znode *, vsecattr_t *, boolean_t, cred_t *)
 Retrieve a files ACL.
int zfs_setacl (struct znode *, vsecattr_t *, boolean_t, cred_t *)
 Set a file's ACL.
void zfs_acl_rele (void *)
void zfs_oldace_byteswap (ace_t *, int)
void zfs_ace_byteswap (void *, size_t, boolean_t)
 swap ace_t and ace_oject_t
boolean_t zfs_has_access (struct znode *zp, cred_t *cr)
 Return true if any access whatsoever granted, we don't actually care what access is granted.
int zfs_zaccess (struct znode *, int, int, boolean_t, cred_t *)
 Determine whether Access should be granted/denied.
int zfs_fastaccesschk_execute (struct znode *, cred_t *)
int zfs_zaccess_rwx (struct znode *, mode_t, int, cred_t *)
 Translate traditional unix VREAD/VWRITE/VEXEC mode into native ACL format and call zfs_zaccess()
int zfs_zaccess_unix (struct znode *, mode_t, cred_t *)
 Access function for secpolicy_vnode_setattr.
int zfs_acl_access (struct znode *, int, cred_t *)
int zfs_acl_chmod_setattr (struct znode *, zfs_acl_t **, uint64_t)
int zfs_zaccess_delete (struct znode *, struct znode *, cred_t *)
 Determine whether Access should be granted/deny, without consulting least priv subsystem.
int zfs_zaccess_rename (struct znode *, struct znode *, struct znode *, struct znode *, cred_t *cr)
void zfs_acl_free (zfs_acl_t *)
int zfs_vsec_2_aclp (struct zfsvfs *, vtype_t, vsecattr_t *, cred_t *, struct zfs_fuid_info **, zfs_acl_t **)
int zfs_aclset_common (struct znode *, zfs_acl_t *, cred_t *, dmu_tx_t *)
 Common code for setting ACLs.
uint64_t zfs_external_acl (struct znode *)
int zfs_znode_acl_version (struct znode *)
int zfs_acl_size (struct znode *, int *)
zfs_acl_tzfs_acl_alloc (int)
zfs_acl_node_tzfs_acl_node_alloc (size_t)
void zfs_acl_xform (struct znode *, zfs_acl_t *, cred_t *)
 Convert old ACL format to new.
void zfs_acl_data_locator (void **, uint32_t *, uint32_t, boolean_t, void *)
uint64_t zfs_mode_compute (uint64_t, zfs_acl_t *, uint64_t *, uint64_t, uint64_t)
 Determine mode of file based on ACL.
int zfs_acl_chown_setattr (struct znode *)

Detailed Description

ZFS Access Control Lists.

ZFS ACLs are stored in various forms. Files created with ACL version ZFS_ACL_VERSION_INITIAL will all be created with fixed length ACEs of type zfs_oldace_t.

Files with ACL version ZFS_ACL_VERSION_FUID will be created with various sized ACEs. The abstraction entries will utilize zfs_ace_hdr_t, normal user/group entries will use zfs_ace_t and some specialized CIFS ACEs will use zfs_object_ace_t.

Definition in file zfs_acl.h.

Define Documentation

#define ACE_SLOT_CNT   6

Definition at line 42 of file zfs_acl.h.

#define ACL_DATA_ALLOCED   0x1

Definition at line 180 of file zfs_acl.h.

#define ZFS_ACE_SPACE   (sizeof (zfs_oldace_t) * ACE_SLOT_CNT)

Definition at line 109 of file zfs_acl.h.

#define ZFS_ACL_COUNT_SIZE   (sizeof (uint16_t))

Size of ACL count is always 2 bytes.

Necessary to for dealing with both V0 ACL and V1 ACL layout

Definition at line 115 of file zfs_acl.h.

#define ZFS_ACL_DISCARD   0

Definition at line 201 of file zfs_acl.h.

#define ZFS_ACL_GROUPMASK   2

Definition at line 203 of file zfs_acl.h.

#define ZFS_ACL_NOALLOW   1

Definition at line 202 of file zfs_acl.h.

#define ZFS_ACL_PASSTHROUGH   3

Definition at line 204 of file zfs_acl.h.

#define ZFS_ACL_PASSTHROUGH_X   5

Definition at line 206 of file zfs_acl.h.

#define ZFS_ACL_RESTRICTED   4

Definition at line 205 of file zfs_acl.h.

#define ZFS_ACL_SIZE (   aclcnt)    (sizeof (ace_t) * (aclcnt))

Definition at line 181 of file zfs_acl.h.

#define ZFS_ACL_VERSION   ZFS_ACL_VERSION_FUID

Definition at line 45 of file zfs_acl.h.

#define ZFS_ACL_VERSION_FUID   1ULL

Definition at line 44 of file zfs_acl.h.

#define ZFS_ACL_VERSION_INITIAL   0ULL

Definition at line 43 of file zfs_acl.h.

Typedef Documentation

typedef struct acl_ops acl_ops_t
typedef zfs_ace_hdr_t zfs_ace_abstract_t

Definition at line 73 of file zfs_acl.h.

typedef struct zfs_ace_hdr zfs_ace_hdr_t

All ACEs have a common hdr.

For owner@, group@, and everyone@ this is all thats needed.

typedef struct zfs_ace zfs_ace_t

Standard ACE.

typedef struct zfs_acl_ids zfs_acl_ids_t
typedef struct acl_locator_cb zfs_acl_locator_cb_t
typedef struct zfs_acl_node zfs_acl_node_t
typedef struct zfs_acl_phys zfs_acl_phys_t
typedef struct zfs_acl_phys_v0 zfs_acl_phys_v0_t
typedef struct zfs_acl zfs_acl_t

A zfs_acl_t structure is composed of a list of zfs_acl_node_t's.

Each node will have one or more ACEs associated with it. You will only have multiple nodes during a chmod operation. Normally only one node is required.

typedef struct zfs_object_ace zfs_object_ace_t

The following type only applies to ACE_ACCESS_ALLOWED|DENIED_OBJECT_ACE_TYPE and will only be set/retrieved in a CIFS context.

typedef struct zfs_oldace zfs_oldace_t

Function Documentation

void zfs_ace_byteswap ( void *  ,
size_t  ,
boolean_t   
)

swap ace_t and ace_oject_t

Definition at line 50 of file zfs_byteswap.c.

int zfs_acl_access ( struct znode ,
int  ,
cred_t *   
)
zfs_acl_t* zfs_acl_alloc ( int  )

Definition at line 453 of file zfs_acl.c.

int zfs_acl_chmod_setattr ( struct znode ,
zfs_acl_t **  ,
uint64_t   
)

Definition at line 1446 of file zfs_acl.c.

int zfs_acl_chown_setattr ( struct znode )

Definition at line 1163 of file zfs_acl.c.

void zfs_acl_data_locator ( void **  ,
uint32_t *  ,
uint32_t  ,
boolean_t  ,
void *   
)

Definition at line 1147 of file zfs_acl.c.

void zfs_acl_free ( zfs_acl_t )

Definition at line 506 of file zfs_acl.c.

int zfs_acl_ids_create ( struct znode ,
int  ,
vattr_t *  ,
cred_t *  ,
vsecattr_t *  ,
zfs_acl_ids_t  
)

Create file system object initial permissions including inheritable ACEs.

Definition at line 1623 of file zfs_acl.c.

void zfs_acl_ids_free ( zfs_acl_ids_t )

Free ACL and fuid_infop, but not the acl_ids structure.

Definition at line 1756 of file zfs_acl.c.

boolean_t zfs_acl_ids_overquota ( struct zfsvfs ,
zfs_acl_ids_t  
)

Definition at line 1767 of file zfs_acl.c.

zfs_acl_node_t* zfs_acl_node_alloc ( size_t  )

Definition at line 469 of file zfs_acl.c.

void zfs_acl_rele ( void *  )
int zfs_acl_size ( struct znode ,
int *   
)
void zfs_acl_xform ( struct znode ,
zfs_acl_t ,
cred_t *   
)

Convert old ACL format to new.

Definition at line 806 of file zfs_acl.c.

int zfs_aclset_common ( znode_t zp,
zfs_acl_t aclp,
cred_t *  cr,
dmu_tx_t tx 
)

Common code for setting ACLs.

This function is called from zfs_mode_update, zfs_perm_init, and zfs_setacl. zfs_setacl passes a non-NULL inherit pointer (ihp) to indicate that it's already checked the acl and knows whether to inherit.

Definition at line 1185 of file zfs_acl.c.

uint64_t zfs_external_acl ( struct znode )

Definition at line 332 of file zfs_acl.c.

int zfs_fastaccesschk_execute ( struct znode ,
cred_t *   
)

Definition at line 2296 of file zfs_acl.c.

int zfs_getacl ( struct znode ,
vsecattr_t *  ,
boolean_t  ,
cred_t *   
)

Retrieve a files ACL.

Definition at line 1777 of file zfs_acl.c.

boolean_t zfs_has_access ( struct znode zp,
cred_t *  cr 
)

Return true if any access whatsoever granted, we don't actually care what access is granted.

Definition at line 2235 of file zfs_acl.c.

uint64_t zfs_mode_compute ( uint64_t  fmode,
zfs_acl_t aclp,
uint64_t *  pflags,
uint64_t  fuid,
uint64_t  fgid 
)

Determine mode of file based on ACL.

Also, create FUIDs for any User/Group ACEs

Definition at line 894 of file zfs_acl.c.

void zfs_oldace_byteswap ( ace_t *  ,
int   
)

Definition at line 34 of file zfs_byteswap.c.

int zfs_setacl ( struct znode ,
vsecattr_t *  ,
boolean_t  ,
cred_t *   
)

Set a file's ACL.

Definition at line 1932 of file zfs_acl.c.

int zfs_vsec_2_aclp ( struct zfsvfs ,
vtype_t  ,
vsecattr_t *  ,
cred_t *  ,
struct zfs_fuid_info **  ,
zfs_acl_t **   
)

Definition at line 1874 of file zfs_acl.c.

int zfs_zaccess ( znode_t zp,
int  mode,
int  flags,
boolean_t  skipaclchk,
cred_t *  cr 
)

Determine whether Access should be granted/denied.

The least priv subsytem is always consulted as a basic privilege can define any form of access.

Definition at line 2369 of file zfs_acl.c.

int zfs_zaccess_delete ( znode_t dzp,
znode_t zp,
cred_t *  cr 
)

Determine whether Access should be granted/deny, without consulting least priv subsystem.

The following chart is the recommended NFSv4 enforcement for ability to delete an object.

        -------------------------------------------------------
        |   Parent Dir  |           Target Object Permissions |
        |  permissions  |                                     |
        -------------------------------------------------------
        |               | ACL Allows | ACL Denies| Delete     |
        |               |  Delete    |  Delete   | unspecified|
        -------------------------------------------------------
        |  ACL Allows   | Permit     | Permit    | Permit     |
        |  DELETE_CHILD |                                     |
        -------------------------------------------------------
        |  ACL Denies   | Permit     | Deny      | Deny       |
        |  DELETE_CHILD |            |           |            |
        -------------------------------------------------------
        | ACL specifies |            |           |            |
        | only allow    | Permit     | Permit    | Permit     |
        | write and     |            |           |            |
        | execute       |            |           |            |
        -------------------------------------------------------
        | ACL denies    |            |           |            |
        | write and     | Permit     | Deny      | Deny       |
        | execute       |            |           |            |
        -------------------------------------------------------
           ^
           |
           No search privilege, can't even look up file?
Note:
If the parent dir's ACL denies write and execute permissions, then it may be impossible to even lookup the file

Definition at line 2606 of file zfs_acl.c.

int zfs_zaccess_rename ( struct znode ,
struct znode ,
struct znode ,
struct znode ,
cred_t *  cr 
)

Definition at line 2690 of file zfs_acl.c.

int zfs_zaccess_rwx ( struct znode ,
mode_t  ,
int  ,
cred_t *   
)

Translate traditional unix VREAD/VWRITE/VEXEC mode into native ACL format and call zfs_zaccess()

Definition at line 2532 of file zfs_acl.c.

int zfs_zaccess_unix ( struct znode ,
mode_t  ,
cred_t *   
)

Access function for secpolicy_vnode_setattr.

Definition at line 2541 of file zfs_acl.c.

int zfs_znode_acl_version ( struct znode )

Definition at line 404 of file zfs_acl.c.

 All Data Structures Files Functions Variables Typedefs Enumerations Enumerator Defines
Generated on Sat Nov 17 2012 21:17:24 for FreeBSD ZFS by  doxygen 1.7.3