root/source3/modules/vfs_zfsacl.c

/* [<][>][^][v][top][bottom][index][help] */

DEFINITIONS

This source file includes following definitions.
  1. zfs_get_nt_acl_common
  2. zfs_process_smbacl
  3. zfs_set_nt_acl
  4. zfsacl_fget_nt_acl
  5. zfsacl_get_nt_acl
  6. zfsacl_fset_nt_acl
  7. zfsacl_fail__sys_acl_get_file
  8. zfsacl_fail__sys_acl_get_fd
  9. zfsacl_fail__sys_acl_set_file
  10. zfsacl_fail__sys_acl_set_fd
  11. zfsacl_fail__sys_acl_delete_def_file
  12. vfs_zfsacl_init

   1 /*
   2  * Convert ZFS/NFSv4 acls to NT acls and vice versa.
   3  *
   4  * Copyright (C) Jiri Sasek, 2007
   5  * based on the foobar.c module which is copyrighted by Volker Lendecke
   6  *
   7  * Many thanks to Axel Apitz for help to fix the special ace's handling
   8  * issues.
   9  *
  10  * This program is free software; you can redistribute it and/or modify
  11  * it under the terms of the GNU General Public License as published by
  12  * the Free Software Foundation; either version 3 of the License, or
  13  * (at your option) any later version.
  14  *
  15  * This program is distributed in the hope that it will be useful,
  16  * but WITHOUT ANY WARRANTY; without even the implied warranty of
  17  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  18  * GNU General Public License for more details.
  19  *
  20  * You should have received a copy of the GNU General Public License
  21  * along with this program; if not, see <http://www.gnu.org/licenses/>.
  22  *
  23  */
  24 
  25 #include "includes.h"
  26 #include "nfs4_acls.h"
  27 
  28 #undef DBGC_CLASS
  29 #define DBGC_CLASS DBGC_VFS
  30 
  31 #define ZFSACL_MODULE_NAME "zfsacl"
  32 
  33 /* zfs_get_nt_acl()
  34  * read the local file's acls and return it in NT form
  35  * using the NFSv4 format conversion
  36  */
  37 static NTSTATUS zfs_get_nt_acl_common(const char *name,
     /* [<][>][^][v][top][bottom][index][help] */
  38                                       uint32 security_info,
  39                                       SMB4ACL_T **ppacl)
  40 {
  41         int naces, i;
  42         ace_t *acebuf;
  43         SMB4ACL_T *pacl;
  44         TALLOC_CTX      *mem_ctx;
  45 
  46         /* read the number of file aces */
  47         if((naces = acl(name, ACE_GETACLCNT, 0, NULL)) == -1) {
  48                 if(errno == ENOSYS) {
  49                         DEBUG(9, ("acl(ACE_GETACLCNT, %s): Operation is not "
  50                                   "supported on the filesystem where the file "
  51                                   "reside", name));
  52                 } else {
  53                         DEBUG(9, ("acl(ACE_GETACLCNT, %s): %s ", name,
  54                                         strerror(errno)));
  55                 }
  56                 return map_nt_error_from_unix(errno);
  57         }
  58         /* allocate the field of ZFS aces */
  59         mem_ctx = talloc_tos();
  60         acebuf = (ace_t *) talloc_size(mem_ctx, sizeof(ace_t)*naces);
  61         if(acebuf == NULL) {
  62                 return NT_STATUS_NO_MEMORY;
  63         }
  64         /* read the aces into the field */
  65         if(acl(name, ACE_GETACL, naces, acebuf) < 0) {
  66                 DEBUG(9, ("acl(ACE_GETACL, %s): %s ", name,
  67                                 strerror(errno)));
  68                 return map_nt_error_from_unix(errno);
  69         }
  70         /* create SMB4ACL data */
  71         if((pacl = smb_create_smb4acl()) == NULL) {
  72                 return NT_STATUS_NO_MEMORY;
  73         }
  74         for(i=0; i<naces; i++) {
  75                 SMB_ACE4PROP_T aceprop;
  76 
  77                 aceprop.aceType  = (uint32) acebuf[i].a_type;
  78                 aceprop.aceFlags = (uint32) acebuf[i].a_flags;
  79                 aceprop.aceMask  = (uint32) acebuf[i].a_access_mask;
  80                 aceprop.who.id   = (uint32) acebuf[i].a_who;
  81 
  82                 if(aceprop.aceFlags & ACE_OWNER) {
  83                         aceprop.flags = SMB_ACE4_ID_SPECIAL;
  84                         aceprop.who.special_id = SMB_ACE4_WHO_OWNER;
  85                 } else if(aceprop.aceFlags & ACE_GROUP) {
  86                         aceprop.flags = SMB_ACE4_ID_SPECIAL;
  87                         aceprop.who.special_id = SMB_ACE4_WHO_GROUP;
  88                 } else if(aceprop.aceFlags & ACE_EVERYONE) {
  89                         aceprop.flags = SMB_ACE4_ID_SPECIAL;
  90                         aceprop.who.special_id = SMB_ACE4_WHO_EVERYONE;
  91                 } else {
  92                         aceprop.flags   = 0;
  93                 }
  94                 if(smb_add_ace4(pacl, &aceprop) == NULL)
  95                         return NT_STATUS_NO_MEMORY;
  96         }
  97 
  98         *ppacl = pacl;
  99         return NT_STATUS_OK;
 100 }
 101 
 102 /* call-back function processing the NT acl -> ZFS acl using NFSv4 conv. */
 103 static bool zfs_process_smbacl(files_struct *fsp, SMB4ACL_T *smbacl)
     /* [<][>][^][v][top][bottom][index][help] */
 104 {
 105         int naces = smb_get_naces(smbacl), i;
 106         ace_t *acebuf;
 107         SMB4ACE_T *smbace;
 108         TALLOC_CTX      *mem_ctx;
 109 
 110         /* allocate the field of ZFS aces */
 111         mem_ctx = talloc_tos();
 112         acebuf = (ace_t *) talloc_size(mem_ctx, sizeof(ace_t)*naces);
 113         if(acebuf == NULL) {
 114                 errno = ENOMEM;
 115                 return False;
 116         }
 117         /* handle all aces */
 118         for(smbace = smb_first_ace4(smbacl), i = 0;
 119                         smbace!=NULL;
 120                         smbace = smb_next_ace4(smbace), i++) {
 121                 SMB_ACE4PROP_T *aceprop = smb_get_ace4(smbace);
 122 
 123                 acebuf[i].a_type        = aceprop->aceType;
 124                 acebuf[i].a_flags       = aceprop->aceFlags;
 125                 acebuf[i].a_access_mask = aceprop->aceMask;
 126                 acebuf[i].a_who         = aceprop->who.id;
 127                 if(aceprop->flags & SMB_ACE4_ID_SPECIAL) {
 128                         switch(aceprop->who.special_id) {
 129                         case SMB_ACE4_WHO_EVERYONE:
 130                                 acebuf[i].a_flags |= ACE_EVERYONE;
 131                                 break;
 132                         case SMB_ACE4_WHO_OWNER:
 133                                 acebuf[i].a_flags |= ACE_OWNER;
 134                                 break;
 135                         case SMB_ACE4_WHO_GROUP:
 136                                 acebuf[i].a_flags |= ACE_GROUP;
 137                                 break;
 138                         default:
 139                                 DEBUG(8, ("unsupported special_id %d\n", \
 140                                         aceprop->who.special_id));
 141                                 continue; /* don't add it !!! */
 142                         }
 143                 }
 144         }
 145         SMB_ASSERT(i == naces);
 146 
 147         /* store acl */
 148         if(acl(fsp->fsp_name, ACE_SETACL, naces, acebuf)) {
 149                 if(errno == ENOSYS) {
 150                         DEBUG(9, ("acl(ACE_SETACL, %s): Operation is not "
 151                                   "supported on the filesystem where the file "
 152                                   "reside", fsp->fsp_name));
 153                 } else {
 154                         DEBUG(9, ("acl(ACE_SETACL, %s): %s ", fsp->fsp_name,
 155                                         strerror(errno)));
 156                 }
 157                 return 0;
 158         }
 159 
 160         return True;
 161 }
 162 
 163 /* zfs_set_nt_acl()
 164  * set the local file's acls obtaining it in NT form
 165  * using the NFSv4 format conversion
 166  */
 167 static NTSTATUS zfs_set_nt_acl(vfs_handle_struct *handle, files_struct *fsp,
     /* [<][>][^][v][top][bottom][index][help] */
 168                            uint32 security_info_sent,
 169                            const struct security_descriptor *psd)
 170 {
 171         return smb_set_nt_acl_nfs4(fsp, security_info_sent, psd,
 172                         zfs_process_smbacl);
 173 }
 174 
 175 static NTSTATUS zfsacl_fget_nt_acl(struct vfs_handle_struct *handle,
     /* [<][>][^][v][top][bottom][index][help] */
 176                                  struct files_struct *fsp,
 177                                  uint32 security_info,
 178                                  struct security_descriptor **ppdesc)
 179 {
 180         SMB4ACL_T *pacl;
 181         NTSTATUS status;
 182 
 183         status = zfs_get_nt_acl_common(fsp->fsp_name, security_info, &pacl);
 184         if (!NT_STATUS_IS_OK(status)) {
 185                 return status;
 186         }
 187 
 188         return smb_fget_nt_acl_nfs4(fsp, security_info, ppdesc, pacl);
 189 }
 190 
 191 static NTSTATUS zfsacl_get_nt_acl(struct vfs_handle_struct *handle,
     /* [<][>][^][v][top][bottom][index][help] */
 192                                 const char *name,  uint32 security_info,
 193                                 struct security_descriptor **ppdesc)
 194 {
 195         SMB4ACL_T *pacl;
 196         NTSTATUS status;
 197 
 198         status = zfs_get_nt_acl_common(name, security_info, &pacl);
 199         if (!NT_STATUS_IS_OK(status)) {
 200                 return status;
 201         }
 202 
 203         return smb_get_nt_acl_nfs4(handle->conn, name, security_info, ppdesc,
 204                                    pacl);
 205 }
 206 
 207 static NTSTATUS zfsacl_fset_nt_acl(vfs_handle_struct *handle,
     /* [<][>][^][v][top][bottom][index][help] */
 208                          files_struct *fsp,
 209                          uint32 security_info_sent,
 210                          const SEC_DESC *psd)
 211 {
 212         return zfs_set_nt_acl(handle, fsp, security_info_sent, psd);
 213 }
 214 
 215 /* nils.goroll@hamburg.de 2008-06-16 :
 216 
 217    See also
 218    - https://bugzilla.samba.org/show_bug.cgi?id=5446
 219    - http://bugs.opensolaris.org/view_bug.do?bug_id=6688240
 220 
 221    Solaris supports NFSv4 and ZFS ACLs through a common system call, acl(2)
 222    with ACE_SETACL / ACE_GETACL / ACE_GETACLCNT, which is being wrapped for
 223    use by samba in this module.
 224 
 225    As the acl(2) interface is identical for ZFS and for NFS, this module,
 226    vfs_zfsacl, can not only be used for ZFS, but also for sharing NFSv4
 227    mounts on Solaris.
 228 
 229    But while "traditional" POSIX DRAFT ACLs (using acl(2) with SETACL
 230    / GETACL / GETACLCNT) fail for ZFS, the Solaris NFS client
 231    implemets a compatibility wrapper, which will make calls to
 232    traditional ACL calls though vfs_solarisacl succeed. As the
 233    compatibility wrapper's implementation is (by design) incomplete,
 234    we want to make sure that it is never being called.
 235 
 236    As long as Samba does not support an exiplicit method for a module
 237    to define conflicting vfs methods, we should override all conflicting
 238    methods here.
 239 
 240    For this to work, we need to make sure that this module is initialised
 241    *after* vfs_solarisacl
 242 
 243    Function declarations taken from vfs_solarisacl
 244 */
 245 
 246 SMB_ACL_T zfsacl_fail__sys_acl_get_file(vfs_handle_struct *handle,
     /* [<][>][^][v][top][bottom][index][help] */
 247                                         const char *path_p,
 248                                         SMB_ACL_TYPE_T type)
 249 {
 250         return (SMB_ACL_T)NULL;
 251 }
 252 SMB_ACL_T zfsacl_fail__sys_acl_get_fd(vfs_handle_struct *handle,
     /* [<][>][^][v][top][bottom][index][help] */
 253                                       files_struct *fsp,
 254                                       int fd)
 255 {
 256         return (SMB_ACL_T)NULL;
 257 }
 258 
 259 int zfsacl_fail__sys_acl_set_file(vfs_handle_struct *handle,
     /* [<][>][^][v][top][bottom][index][help] */
 260                                   const char *name,
 261                                   SMB_ACL_TYPE_T type,
 262                                   SMB_ACL_T theacl)
 263 {
 264         return -1;
 265 }
 266 
 267 int zfsacl_fail__sys_acl_set_fd(vfs_handle_struct *handle,
     /* [<][>][^][v][top][bottom][index][help] */
 268                                 files_struct *fsp,
 269                                 int fd, SMB_ACL_T theacl)
 270 {
 271         return -1;
 272 }
 273 
 274 int zfsacl_fail__sys_acl_delete_def_file(vfs_handle_struct *handle,
     /* [<][>][^][v][top][bottom][index][help] */
 275                                          const char *path)
 276 {
 277         return -1;
 278 }
 279 
 280 /* VFS operations structure */
 281 
 282 static vfs_op_tuple zfsacl_ops[] = {
 283         /* invalidate conflicting VFS methods */
 284         {SMB_VFS_OP(zfsacl_fail__sys_acl_get_file),
 285          SMB_VFS_OP_SYS_ACL_GET_FILE,
 286          SMB_VFS_LAYER_OPAQUE},
 287         {SMB_VFS_OP(zfsacl_fail__sys_acl_get_fd),
 288          SMB_VFS_OP_SYS_ACL_GET_FD,
 289          SMB_VFS_LAYER_OPAQUE},
 290         {SMB_VFS_OP(zfsacl_fail__sys_acl_set_file),
 291          SMB_VFS_OP_SYS_ACL_SET_FILE,
 292          SMB_VFS_LAYER_OPAQUE},
 293         {SMB_VFS_OP(zfsacl_fail__sys_acl_set_fd),
 294          SMB_VFS_OP_SYS_ACL_SET_FD,
 295          SMB_VFS_LAYER_OPAQUE},
 296         {SMB_VFS_OP(zfsacl_fail__sys_acl_delete_def_file),
 297          SMB_VFS_OP_SYS_ACL_DELETE_DEF_FILE,
 298          SMB_VFS_LAYER_OPAQUE},
 299 
 300         /* actual methods */
 301         {SMB_VFS_OP(zfsacl_fget_nt_acl), SMB_VFS_OP_FGET_NT_ACL,
 302          SMB_VFS_LAYER_OPAQUE},
 303         {SMB_VFS_OP(zfsacl_get_nt_acl), SMB_VFS_OP_GET_NT_ACL,
 304          SMB_VFS_LAYER_OPAQUE},
 305         {SMB_VFS_OP(zfsacl_fset_nt_acl), SMB_VFS_OP_FSET_NT_ACL,
 306          SMB_VFS_LAYER_OPAQUE},
 307         {SMB_VFS_OP(NULL), SMB_VFS_OP_NOOP, SMB_VFS_LAYER_NOOP}
 308 };
 309 
 310 NTSTATUS vfs_zfsacl_init(void);
 311 NTSTATUS vfs_zfsacl_init(void)
     /* [<][>][^][v][top][bottom][index][help] */
 312 {
 313         return smb_register_vfs(SMB_VFS_INTERFACE_VERSION, "zfsacl",
 314                                 zfsacl_ops);
 315 }

/* [<][>][^][v][top][bottom][index][help] */