aboutsummaryrefslogtreecommitdiffstats
path: root/lib/libspl/include/sys/acl.h
blob: 31168421b088ab71d2a92e3e7db11d602e72c821 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
/*
 * CDDL HEADER START
 *
 * The contents of this file are subject to the terms of the
 * Common Development and Distribution License (the "License").
 * You may not use this file except in compliance with the License.
 *
 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
 * or http://www.opensolaris.org/os/licensing.
 * See the License for the specific language governing permissions
 * and limitations under the License.
 *
 * When distributing Covered Code, include this CDDL HEADER in each
 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
 * If applicable, add the following below this CDDL HEADER, with the
 * fields enclosed by brackets "[]" replaced with your own identifying
 * information: Portions Copyright [yyyy] [name of copyright owner]
 *
 * CDDL HEADER END
 */
/*
 * Copyright 2009 Sun Microsystems, Inc.  All rights reserved.
 * Use is subject to license terms.
 *
 * Copyright 2014 Garrett D'Amore <garrett@damore.org>
 * Copyright 2014 Nexenta Systems, Inc.  All rights reserved.
 * Copyright 2017 RackTop Systems.
 */

#ifndef _SYS_ACL_H
#define	_SYS_ACL_H

#include <sys/types.h>
#include <sys/acl_impl.h>

#ifdef	__cplusplus
extern "C" {
#endif

#define	MAX_ACL_ENTRIES		(1024)	/* max entries of each type */
typedef struct acl {
	int		a_type;		/* the type of ACL entry */
	uid_t		a_id;		/* the entry in -uid or gid */
	o_mode_t	a_perm;		/* the permission field */
} aclent_t;

typedef struct ace {
	uid_t		a_who;		/* uid or gid */
	uint32_t	a_access_mask;	/* read,write,... */
	uint16_t	a_flags;	/* see below */
	uint16_t	a_type;		/* allow or deny */
} ace_t;

typedef struct acl_info acl_t;

/*
 * The following are Defined types for an aclent_t.
 */
#define	USER_OBJ	(0x01)		/* object owner */
#define	USER		(0x02)		/* additional users */
#define	GROUP_OBJ	(0x04)		/* owning group of the object */
#define	GROUP		(0x08)		/* additional groups */
#define	CLASS_OBJ	(0x10)		/* file group class and mask entry */
#define	OTHER_OBJ	(0x20)		/* other entry for the object */
#define	ACL_DEFAULT	(0x1000)	/* default flag */
/* default object owner */
#define	DEF_USER_OBJ	(ACL_DEFAULT | USER_OBJ)
/* default additional users */
#define	DEF_USER	(ACL_DEFAULT | USER)
/* default owning group */
#define	DEF_GROUP_OBJ	(ACL_DEFAULT | GROUP_OBJ)
/* default additional groups */
#define	DEF_GROUP	(ACL_DEFAULT | GROUP)
/* default mask entry */
#define	DEF_CLASS_OBJ	(ACL_DEFAULT | CLASS_OBJ)
/* default other entry */
#define	DEF_OTHER_OBJ	(ACL_DEFAULT | OTHER_OBJ)

/*
 * The following are defined for ace_t.
 */
#define	ACE_READ_DATA		0x00000001	/* file: read data */
#define	ACE_LIST_DIRECTORY	0x00000001	/* dir: list files */
#define	ACE_WRITE_DATA		0x00000002	/* file: write data */
#define	ACE_ADD_FILE		0x00000002	/* dir: create file */
#define	ACE_APPEND_DATA		0x00000004	/* file: append data */
#define	ACE_ADD_SUBDIRECTORY	0x00000004	/* dir: create subdir */
#define	ACE_READ_NAMED_ATTRS	0x00000008	/* FILE_READ_EA */
#define	ACE_WRITE_NAMED_ATTRS	0x00000010	/* FILE_WRITE_EA */
#define	ACE_EXECUTE		0x00000020	/* file: execute */
#define	ACE_TRAVERSE		0x00000020	/* dir: lookup name */
#define	ACE_DELETE_CHILD	0x00000040	/* dir: unlink child */
#define	ACE_READ_ATTRIBUTES	0x00000080	/* (all) stat, etc. */
#define	ACE_WRITE_ATTRIBUTES	0x00000100	/* (all) utimes, etc. */
#define	ACE_DELETE		0x00010000	/* (all) unlink self */
#define	ACE_READ_ACL		0x00020000	/* (all) getsecattr */
#define	ACE_WRITE_ACL		0x00040000	/* (all) setsecattr */
#define	ACE_WRITE_OWNER		0x00080000	/* (all) chown */
#define	ACE_SYNCHRONIZE		0x00100000	/* (all) */

#define	ACE_FILE_INHERIT_ACE		0x0001
#define	ACE_DIRECTORY_INHERIT_ACE	0x0002
#define	ACE_NO_PROPAGATE_INHERIT_ACE	0x0004
#define	ACE_INHERIT_ONLY_ACE		0x0008
#define	ACE_SUCCESSFUL_ACCESS_ACE_FLAG	0x0010
#define	ACE_FAILED_ACCESS_ACE_FLAG	0x0020
#define	ACE_IDENTIFIER_GROUP		0x0040
#define	ACE_INHERITED_ACE		0x0080
#define	ACE_OWNER			0x1000
#define	ACE_GROUP			0x2000
#define	ACE_EVERYONE			0x4000

#define	ACE_ACCESS_ALLOWED_ACE_TYPE	0x0000
#define	ACE_ACCESS_DENIED_ACE_TYPE	0x0001
#define	ACE_SYSTEM_AUDIT_ACE_TYPE	0x0002
#define	ACE_SYSTEM_ALARM_ACE_TYPE	0x0003

#define	ACL_AUTO_INHERIT		0x0001
#define	ACL_PROTECTED			0x0002
#define	ACL_DEFAULTED			0x0004
#define	ACL_FLAGS_ALL			(ACL_AUTO_INHERIT|ACL_PROTECTED| \
    ACL_DEFAULTED)

/*
 * These are only applicable in a CIFS context.
 */
#define	ACE_ACCESS_ALLOWED_COMPOUND_ACE_TYPE		0x04
#define	ACE_ACCESS_ALLOWED_OBJECT_ACE_TYPE		0x05
#define	ACE_ACCESS_DENIED_OBJECT_ACE_TYPE		0x06
#define	ACE_SYSTEM_AUDIT_OBJECT_ACE_TYPE		0x07
#define	ACE_SYSTEM_ALARM_OBJECT_ACE_TYPE		0x08
#define	ACE_ACCESS_ALLOWED_CALLBACK_ACE_TYPE		0x09
#define	ACE_ACCESS_DENIED_CALLBACK_ACE_TYPE		0x0A
#define	ACE_ACCESS_ALLOWED_CALLBACK_OBJECT_ACE_TYPE	0x0B
#define	ACE_ACCESS_DENIED_CALLBACK_OBJECT_ACE_TYPE	0x0C
#define	ACE_SYSTEM_AUDIT_CALLBACK_ACE_TYPE		0x0D
#define	ACE_SYSTEM_ALARM_CALLBACK_ACE_TYPE		0x0E
#define	ACE_SYSTEM_AUDIT_CALLBACK_OBJECT_ACE_TYPE	0x0F
#define	ACE_SYSTEM_ALARM_CALLBACK_OBJECT_ACE_TYPE	0x10

#define	ACE_ALL_TYPES	0x001F

#if defined(_KERNEL)

typedef struct ace_object {
	uid_t		a_who;		/* uid or gid */
	uint32_t	a_access_mask;	/* read,write,... */
	uint16_t	a_flags;	/* see below */
	uint16_t	a_type;		/* allow or deny */
	uint8_t		a_obj_type[16];	/* obj type */
	uint8_t		a_inherit_obj_type[16];  /* inherit obj */
} ace_object_t;

#endif

#define	ACE_ALL_PERMS	(ACE_READ_DATA|ACE_LIST_DIRECTORY|ACE_WRITE_DATA| \
    ACE_ADD_FILE|ACE_APPEND_DATA|ACE_ADD_SUBDIRECTORY|ACE_READ_NAMED_ATTRS| \
    ACE_WRITE_NAMED_ATTRS|ACE_EXECUTE|ACE_DELETE_CHILD|ACE_READ_ATTRIBUTES| \
    ACE_WRITE_ATTRIBUTES|ACE_DELETE|ACE_READ_ACL|ACE_WRITE_ACL| \
    ACE_WRITE_OWNER|ACE_SYNCHRONIZE)

#define	ACE_ALL_WRITE_PERMS (ACE_WRITE_DATA|ACE_APPEND_DATA| \
    ACE_WRITE_ATTRIBUTES|ACE_WRITE_NAMED_ATTRS|ACE_WRITE_ACL| \
    ACE_WRITE_OWNER|ACE_DELETE|ACE_DELETE_CHILD)

#define	ACE_READ_PERMS	(ACE_READ_DATA|ACE_READ_ACL|ACE_READ_ATTRIBUTES| \
    ACE_READ_NAMED_ATTRS)

#define	ACE_WRITE_PERMS	(ACE_WRITE_DATA|ACE_APPEND_DATA|ACE_WRITE_ATTRIBUTES| \
    ACE_WRITE_NAMED_ATTRS)

#define	ACE_MODIFY_PERMS (ACE_READ_DATA|ACE_LIST_DIRECTORY|ACE_WRITE_DATA| \
    ACE_ADD_FILE|ACE_APPEND_DATA|ACE_ADD_SUBDIRECTORY|ACE_READ_NAMED_ATTRS| \
    ACE_WRITE_NAMED_ATTRS|ACE_EXECUTE|ACE_DELETE_CHILD|ACE_READ_ATTRIBUTES| \
    ACE_WRITE_ATTRIBUTES|ACE_DELETE|ACE_READ_ACL|ACE_SYNCHRONIZE)

/*
 * The following flags are supported by both NFSv4 ACLs and ace_t.
 */
#define	ACE_NFSV4_SUP_FLAGS (ACE_FILE_INHERIT_ACE | \
    ACE_DIRECTORY_INHERIT_ACE | \
    ACE_NO_PROPAGATE_INHERIT_ACE | \
    ACE_INHERIT_ONLY_ACE | \
    ACE_IDENTIFIER_GROUP)

#define	ACE_TYPE_FLAGS		(ACE_OWNER|ACE_GROUP|ACE_EVERYONE| \
    ACE_IDENTIFIER_GROUP)
#define	ACE_INHERIT_FLAGS	(ACE_FILE_INHERIT_ACE| \
    ACE_DIRECTORY_INHERIT_ACE|ACE_NO_PROPAGATE_INHERIT_ACE|ACE_INHERIT_ONLY_ACE)

/* cmd args to acl(2) for aclent_t  */
#define	GETACL			1
#define	SETACL			2
#define	GETACLCNT		3

/* cmd's to manipulate ace acls. */
#define	ACE_GETACL		4
#define	ACE_SETACL		5
#define	ACE_GETACLCNT		6

/* minimal acl entries from GETACLCNT */
#define	MIN_ACL_ENTRIES		4

#if !defined(_KERNEL)

/* acl check errors */
#define	GRP_ERROR		1
#define	USER_ERROR		2
#define	OTHER_ERROR		3
#define	CLASS_ERROR		4
#define	DUPLICATE_ERROR		5
#define	MISS_ERROR		6
#define	MEM_ERROR		7
#define	ENTRY_ERROR		8


/*
 * similar to ufs_acl.h: changed to char type for user commands (tar, cpio)
 * Attribute types
 */
#define	UFSD_FREE	('0')	/* Free entry */
#define	UFSD_ACL	('1')	/* Access Control Lists */
#define	UFSD_DFACL	('2')	/* reserved for future use */
#define	ACE_ACL		('3')	/* ace_t style acls */

/*
 * flag to [f]acl_get()
 * controls whether a trivial acl should be returned.
 */
#define	ACL_NO_TRIVIAL	0x2


/*
 * Flags to control acl_totext()
 */

#define	ACL_APPEND_ID	0x1 	/* append uid/gid to user/group entries */
#define	ACL_COMPACT_FMT	0x2 	/* build ACL in ls -V format */
#define	ACL_NORESOLVE	0x4	/* don't do name service lookups */
#define	ACL_SID_FMT	0x8	/* use usersid/groupsid when appropriate */

/*
 * Legacy aclcheck errors for aclent_t ACLs
 */
#define	EACL_GRP_ERROR		GRP_ERROR
#define	EACL_USER_ERROR		USER_ERROR
#define	EACL_OTHER_ERROR	OTHER_ERROR
#define	EACL_CLASS_ERROR	CLASS_ERROR
#define	EACL_DUPLICATE_ERROR	DUPLICATE_ERROR
#define	EACL_MISS_ERROR		MISS_ERROR
#define	EACL_MEM_ERROR		MEM_ERROR
#define	EACL_ENTRY_ERROR	ENTRY_ERROR

#define	EACL_INHERIT_ERROR	9		/* invalid inherit flags */
#define	EACL_FLAGS_ERROR	10		/* unknown flag value */
#define	EACL_PERM_MASK_ERROR	11		/* unknown permission */
#define	EACL_COUNT_ERROR	12		/* invalid acl count */

#define	EACL_INVALID_SLOT	13		/* invalid acl slot */
#define	EACL_NO_ACL_ENTRY	14		/* Entry doesn't exist */
#define	EACL_DIFF_TYPE		15		/* acls aren't same type */

#define	EACL_INVALID_USER_GROUP	16		/* need user/group name */
#define	EACL_INVALID_STR	17		/* invalid acl string */
#define	EACL_FIELD_NOT_BLANK	18		/* can't have blank field */
#define	EACL_INVALID_ACCESS_TYPE 19		/* invalid access type */
#define	EACL_UNKNOWN_DATA	20		/* Unrecognized data in ACL */
#define	EACL_MISSING_FIELDS	21		/* missing fields in acl */

#define	EACL_INHERIT_NOTDIR	22		/* Need dir for inheritance */

extern int aclcheck(aclent_t *, int, int *);
extern int acltomode(aclent_t *, int, mode_t *);
extern int aclfrommode(aclent_t *, int, mode_t *);
extern int aclsort(int, int, aclent_t *);
extern char *acltotext(aclent_t *, int);
extern aclent_t *aclfromtext(char *, int *);
extern void acl_free(acl_t *);
extern int acl_get(const char *, int, acl_t **);
extern int facl_get(int, int, acl_t **);
extern int acl_set(const char *, acl_t *acl);
extern int facl_set(int, acl_t *acl);
extern int acl_strip(const char *, uid_t, gid_t, mode_t);
extern int acl_trivial(const char *);
extern char *acl_totext(acl_t *, int);
extern int acl_fromtext(const char *, acl_t **);
extern int acl_check(acl_t *, int);

#else	/* !defined(_KERNEL) */

extern void ksort(caddr_t, int, int, int (*)(void *, void *));
extern int cmp2acls(void *, void *);

#endif	/* !defined(_KERNEL) */

extern int acl(const char *path, int cmd, int cnt, void *buf);
extern int facl(int fd, int cmd, int cnt, void *buf);

#ifdef	__cplusplus
}
#endif

#endif /* _SYS_ACL_H */