[src/netbsd-10]: src/external/cddl/osnet/dist/uts/common/fs/zfs Pull up follo...

[martin <martin%NetBSD.org@localhost>]

details:   https://anonhg.NetBSD.org/src/rev/16d05f68c636
branches:  netbsd-10
changeset: 373826:16d05f68c636
user:      martin <martin%NetBSD.org@localhost>
date:      Sun Mar 05 14:32:41 2023 +0000

description:
Pull up following revision(s) (requested by hannken in ticket #110):

        external/cddl/osnet/dist/uts/common/fs/zfs/zfs_vnops.c: revision 1.81

Adapt zfs_netbsd_access() to ACL support.  As ZFS itself only
handles VREAD, VWRITE, VEXEC and VAPPEND we use kauth_authorize_vnode()
to handle VADMIN.

>From FreeBSD.

diffstat:

 external/cddl/osnet/dist/uts/common/fs/zfs/zfs_vnops.c |  50 +++++++++++------
 1 files changed, 32 insertions(+), 18 deletions(-)

diffs (69 lines):

diff -r 696d015bc9de -r 16d05f68c636 external/cddl/osnet/dist/uts/common/fs/zfs/zfs_vnops.c
--- a/external/cddl/osnet/dist/uts/common/fs/zfs/zfs_vnops.c    Fri Mar 03 17:03:36 2023 +0000
+++ b/external/cddl/osnet/dist/uts/common/fs/zfs/zfs_vnops.c    Sun Mar 05 14:32:41 2023 +0000
@@ -5169,33 +5169,47 @@
                accmode_t a_accmode;
                kauth_cred_t a_cred;
        } */ *ap = v;
-       struct vnode *vp = ap->a_vp;
-       accmode_t accmode = ap->a_accmode;
-       mode_t zfs_mode = 0;
+       vnode_t *vp = ap->a_vp;
+       znode_t *zp = VTOZ(vp);
+       accmode_t accmode;
        kauth_cred_t cred = ap->a_cred;
-       int error;
+       int error = 0;
+
+       /*
+        * ZFS itself only knowns about VREAD, VWRITE, VEXEC and VAPPEND,
+        */
+       accmode = ap->a_accmode & (VREAD|VWRITE|VEXEC|VAPPEND);
+       if (accmode != 0)
+               error = zfs_access(vp, accmode, 0, cred, NULL);
 
        /*
-        * XXX This is really random, especially the left shift by six,
-        * and it exists only because of randomness in zfs_unix_to_v4
-        * and zfs_zaccess_rwx in zfs_acl.c.
+        * VADMIN has to be handled by kauth_authorize_vnode().
         */
-       if (accmode & VREAD)
-               zfs_mode |= S_IROTH;
-       if (accmode & VWRITE)
-               zfs_mode |= S_IWOTH;
-       if (accmode & VEXEC)
-               zfs_mode |= S_IXOTH;
-       zfs_mode <<= 6;
-
-       KASSERT(VOP_ISLOCKED(vp));
-       error = zfs_access(vp, zfs_mode, 0, cred, NULL);
+       if (error == 0) {
+               accmode = ap->a_accmode & ~(VREAD|VWRITE|VEXEC|VAPPEND);
+               if (accmode != 0) {
+                       error = kauth_authorize_vnode(cred,
+                           KAUTH_ACCESS_ACTION(accmode, vp->v_type,
+                           zp->z_mode & ALLPERMS), vp, NULL,
+                           genfs_can_access(vp, cred, zp->z_uid,
+                           zp->z_gid, zp->z_mode & ALLPERMS, NULL, accmode));
+               }
+       }
+
+       /*
+        * For VEXEC, ensure that at least one execute bit is set for
+        * non-directories.
+        */
+       if (error == 0 && (ap->a_accmode & VEXEC) != 0 && vp->v_type != VDIR &&
+           (zp->z_mode & (S_IXUSR | S_IXGRP | S_IXOTH)) == 0) {
+               error = EACCES;
+       }
 
        /* We expect EACCES as common error. */
        if (error == EPERM)
                error = EACCES;
 
-       return (error);
+       return error;
 }
 
 static int