+ /* if we have an ACL, evaluate it */
+ if (VATTR_IS_NOT(vap, va_acl, NULL)) {
+ eval.ae_requested = acl_rights;
+ eval.ae_acl = &vap->va_acl->acl_ace[0];
+ eval.ae_count = vap->va_acl->acl_entrycount;
+ eval.ae_options = 0;
+ if (vauth_file_owner(vcp))
+ eval.ae_options |= KAUTH_AEVAL_IS_OWNER;
+ /*
+ * We use ENOENT as a marker to indicate we could not get
+ * information in order to delay evaluation until after we
+ * have the ACL evaluation answer. Previously, we would
+ * always deny the operation at this point.
+ */
+ if ((error = vauth_file_ingroup(vcp, &ismember, ENOENT)) != 0 && error != ENOENT)
+ return(error);
+ if (error == ENOENT)
+ eval.ae_options |= KAUTH_AEVAL_IN_GROUP_UNKNOWN;
+ else if (ismember)
+ eval.ae_options |= KAUTH_AEVAL_IN_GROUP;
+ eval.ae_exp_gall = KAUTH_VNODE_GENERIC_ALL_BITS;
+ eval.ae_exp_gread = KAUTH_VNODE_GENERIC_READ_BITS;
+ eval.ae_exp_gwrite = KAUTH_VNODE_GENERIC_WRITE_BITS;
+ eval.ae_exp_gexec = KAUTH_VNODE_GENERIC_EXECUTE_BITS;
+
+ if ((error = kauth_acl_evaluate(cred, &eval)) != 0) {
+ KAUTH_DEBUG("%p ERROR during ACL processing - %d", vcp->vp, error);
+ return(error);
+ }
+
+ switch(eval.ae_result) {
+ case KAUTH_RESULT_DENY:
+ KAUTH_DEBUG("%p DENIED - by ACL", vcp->vp);
+ return(EACCES); /* deny, deny, counter-allege */
+ case KAUTH_RESULT_ALLOW:
+ KAUTH_DEBUG("%p ALLOWED - all rights granted by ACL", vcp->vp);
+ return(0);
+ case KAUTH_RESULT_DEFER:
+ default:
+ /* Effectively the same as !delete_child_denied */
+ KAUTH_DEBUG("%p DEFERRED - directory ACL", vcp->vp);
+ break;
+ }
+
+ *found_deny = eval.ae_found_deny;
+
+ /* fall through and evaluate residual rights */
+ } else {
+ /* no ACL, everything is residual */
+ eval.ae_residual = acl_rights;
+ }
+
+ /*
+ * Grant residual rights that have been pre-authorized.
+ */
+ eval.ae_residual &= ~preauth_rights;
+
+ /*
+ * We grant WRITE_ATTRIBUTES to the owner if it hasn't been denied.
+ */
+ if (vauth_file_owner(vcp))
+ eval.ae_residual &= ~KAUTH_VNODE_WRITE_ATTRIBUTES;
+
+ if (eval.ae_residual == 0) {
+ KAUTH_DEBUG("%p ALLOWED - rights already authorized", vcp->vp);
+ return(0);
+ }
+
+ /*
+ * Bail if we have residual rights that can't be granted by posix permissions,
+ * or aren't presumed granted at this point.
+ *
+ * XXX these can be collapsed for performance
+ */
+ if (eval.ae_residual & KAUTH_VNODE_CHANGE_OWNER) {
+ KAUTH_DEBUG("%p DENIED - CHANGE_OWNER not permitted", vcp->vp);
+ return(EACCES);
+ }
+ if (eval.ae_residual & KAUTH_VNODE_WRITE_SECURITY) {
+ KAUTH_DEBUG("%p DENIED - WRITE_SECURITY not permitted", vcp->vp);
+ return(EACCES);
+ }
+
+#if DIAGNOSTIC
+ if (eval.ae_residual & KAUTH_VNODE_DELETE)
+ panic("vnode_authorize: can't be checking delete permission here");
+#endif
+
+ /*
+ * Compute the fallback posix permissions that will satisfy the remaining
+ * rights.
+ */
+ posix_action = 0;
+ if (eval.ae_residual & (KAUTH_VNODE_READ_DATA |
+ KAUTH_VNODE_LIST_DIRECTORY |
+ KAUTH_VNODE_READ_EXTATTRIBUTES))
+ posix_action |= VREAD;
+ if (eval.ae_residual & (KAUTH_VNODE_WRITE_DATA |
+ KAUTH_VNODE_ADD_FILE |
+ KAUTH_VNODE_ADD_SUBDIRECTORY |
+ KAUTH_VNODE_DELETE_CHILD |
+ KAUTH_VNODE_WRITE_ATTRIBUTES |
+ KAUTH_VNODE_WRITE_EXTATTRIBUTES))
+ posix_action |= VWRITE;
+ if (eval.ae_residual & (KAUTH_VNODE_EXECUTE |
+ KAUTH_VNODE_SEARCH))
+ posix_action |= VEXEC;
+
+ if (posix_action != 0) {
+ return(vnode_authorize_posix(vcp, posix_action, 0 /* !on_dir */));
+ } else {
+ KAUTH_DEBUG("%p ALLOWED - residual rights %s%s%s%s%s%s%s%s%s%s%s%s%s%s granted due to no posix mapping",
+ vcp->vp,
+ (eval.ae_residual & KAUTH_VNODE_READ_DATA)
+ ? vnode_isdir(vcp->vp) ? " LIST_DIRECTORY" : " READ_DATA" : "",
+ (eval.ae_residual & KAUTH_VNODE_WRITE_DATA)
+ ? vnode_isdir(vcp->vp) ? " ADD_FILE" : " WRITE_DATA" : "",
+ (eval.ae_residual & KAUTH_VNODE_EXECUTE)
+ ? vnode_isdir(vcp->vp) ? " SEARCH" : " EXECUTE" : "",
+ (eval.ae_residual & KAUTH_VNODE_DELETE)
+ ? " DELETE" : "",
+ (eval.ae_residual & KAUTH_VNODE_APPEND_DATA)
+ ? vnode_isdir(vcp->vp) ? " ADD_SUBDIRECTORY" : " APPEND_DATA" : "",
+ (eval.ae_residual & KAUTH_VNODE_DELETE_CHILD)
+ ? " DELETE_CHILD" : "",
+ (eval.ae_residual & KAUTH_VNODE_READ_ATTRIBUTES)
+ ? " READ_ATTRIBUTES" : "",
+ (eval.ae_residual & KAUTH_VNODE_WRITE_ATTRIBUTES)
+ ? " WRITE_ATTRIBUTES" : "",
+ (eval.ae_residual & KAUTH_VNODE_READ_EXTATTRIBUTES)
+ ? " READ_EXTATTRIBUTES" : "",
+ (eval.ae_residual & KAUTH_VNODE_WRITE_EXTATTRIBUTES)
+ ? " WRITE_EXTATTRIBUTES" : "",
+ (eval.ae_residual & KAUTH_VNODE_READ_SECURITY)
+ ? " READ_SECURITY" : "",
+ (eval.ae_residual & KAUTH_VNODE_WRITE_SECURITY)
+ ? " WRITE_SECURITY" : "",
+ (eval.ae_residual & KAUTH_VNODE_CHECKIMMUTABLE)
+ ? " CHECKIMMUTABLE" : "",
+ (eval.ae_residual & KAUTH_VNODE_CHANGE_OWNER)
+ ? " CHANGE_OWNER" : "");
+ }
+
+ /*
+ * Lack of required Posix permissions implies no reason to deny access.
+ */
+ return(0);
+}
+
+/*
+ * Check for file immutability.
+ */
+static int
+vnode_authorize_checkimmutable(mount_t mp, struct vnode_attr *vap, int rights, int ignore)
+{
+ int error;
+ int append;
+
+ /*
+ * Perform immutability checks for operations that change data.
+ *
+ * Sockets, fifos and devices require special handling.
+ */
+ switch(vap->va_type) {
+ case VSOCK:
+ case VFIFO:
+ case VBLK:
+ case VCHR:
+ /*
+ * Writing to these nodes does not change the filesystem data,
+ * so forget that it's being tried.
+ */
+ rights &= ~KAUTH_VNODE_WRITE_DATA;
+ break;
+ default:
+ break;
+ }
+
+ error = 0;
+ if (rights & KAUTH_VNODE_WRITE_RIGHTS) {
+
+ /* check per-filesystem options if possible */
+ if (mp != NULL) {
+
+ /* check for no-EA filesystems */
+ if ((rights & KAUTH_VNODE_WRITE_EXTATTRIBUTES) &&
+ (vfs_flags(mp) & MNT_NOUSERXATTR)) {
+ KAUTH_DEBUG("%p DENIED - filesystem disallowed extended attributes", vp);
+ error = EACCES; /* User attributes disabled */
+ goto out;
+ }
+ }
+
+ /*
+ * check for file immutability. first, check if the requested rights are
+ * allowable for a UF_APPEND file.
+ */
+ append = 0;
+ if (vap->va_type == VDIR) {
+ if ((rights & (KAUTH_VNODE_ADD_FILE | KAUTH_VNODE_ADD_SUBDIRECTORY | KAUTH_VNODE_WRITE_EXTATTRIBUTES)) == rights)
+ append = 1;
+ } else {
+ if ((rights & (KAUTH_VNODE_APPEND_DATA | KAUTH_VNODE_WRITE_EXTATTRIBUTES)) == rights)
+ append = 1;
+ }
+ if ((error = vnode_immutable(vap, append, ignore)) != 0) {
+ KAUTH_DEBUG("%p DENIED - file is immutable", vp);
+ goto out;
+ }
+ }
+out:
+ return(error);
+}
+
+/*
+ * Handle authorization actions for filesystems that advertise that the
+ * server will be enforcing.
+ *
+ * Returns: 0 Authorization should be handled locally
+ * 1 Authorization was handled by the FS
+ *
+ * Note: Imputed returns will only occur if the authorization request
+ * was handled by the FS.
+ *
+ * Imputed: *resultp, modified Return code from FS when the request is
+ * handled by the FS.
+ * VNOP_ACCESS:???
+ * VNOP_OPEN:???
+ */
+static int
+vnode_authorize_opaque(vnode_t vp, int *resultp, kauth_action_t action, vfs_context_t ctx)
+{
+ int error;
+
+ /*
+ * If the vp is a device node, socket or FIFO it actually represents a local
+ * endpoint, so we need to handle it locally.
+ */
+ switch(vp->v_type) {
+ case VBLK:
+ case VCHR:
+ case VSOCK:
+ case VFIFO:
+ return(0);
+ default:
+ break;
+ }
+
+ /*
+ * In the advisory request case, if the filesystem doesn't think it's reliable
+ * we will attempt to formulate a result ourselves based on VNOP_GETATTR data.
+ */
+ if ((action & KAUTH_VNODE_ACCESS) && !vfs_authopaqueaccess(vp->v_mount))
+ return(0);
+
+ /*
+ * Let the filesystem have a say in the matter. It's OK for it to not implemnent
+ * VNOP_ACCESS, as most will authorise inline with the actual request.
+ */
+ if ((error = VNOP_ACCESS(vp, action, ctx)) != ENOTSUP) {
+ *resultp = error;
+ KAUTH_DEBUG("%p DENIED - opaque filesystem VNOP_ACCESS denied access", vp);
+ return(1);
+ }
+
+ /*
+ * Typically opaque filesystems do authorisation in-line, but exec is a special case. In
+ * order to be reasonably sure that exec will be permitted, we try a bit harder here.
+ */
+ if ((action & KAUTH_VNODE_EXECUTE) && (vp->v_type == VREG)) {
+ /* try a VNOP_OPEN for readonly access */
+ if ((error = VNOP_OPEN(vp, FREAD, ctx)) != 0) {
+ *resultp = error;
+ KAUTH_DEBUG("%p DENIED - EXECUTE denied because file could not be opened readonly", vp);
+ return(1);
+ }
+ VNOP_CLOSE(vp, FREAD, ctx);
+ }
+
+ /*
+ * We don't have any reason to believe that the request has to be denied at this point,
+ * so go ahead and allow it.
+ */
+ *resultp = 0;
+ KAUTH_DEBUG("%p ALLOWED - bypassing access check for non-local filesystem", vp);
+ return(1);
+}
+
+
+
+
+/*
+ * Returns: KAUTH_RESULT_ALLOW
+ * KAUTH_RESULT_DENY
+ *
+ * Imputed: *arg3, modified Error code in the deny case
+ * EROFS Read-only file system
+ * EACCES Permission denied
+ * EPERM Operation not permitted [no execute]
+ * vnode_getattr:ENOMEM Not enough space [only if has filesec]
+ * vnode_getattr:???
+ * vnode_authorize_opaque:*arg2 ???
+ * vnode_authorize_checkimmutable:???
+ * vnode_authorize_delete:???
+ * vnode_authorize_simple:???
+ */
+
+
+static int
+vnode_authorize_callback(__unused kauth_cred_t cred, __unused void *idata,
+ kauth_action_t action, uintptr_t arg0, uintptr_t arg1, uintptr_t arg2,
+ uintptr_t arg3)
+{
+ vfs_context_t ctx;
+ vnode_t cvp = NULLVP;
+ vnode_t vp, dvp;
+ int result = KAUTH_RESULT_DENY;
+ int parent_iocount = 0;
+ int parent_action; /* In case we need to use namedstream's data fork for cached rights*/
+
+ ctx = (vfs_context_t)arg0;
+ vp = (vnode_t)arg1;
+ dvp = (vnode_t)arg2;
+
+ /*
+ * if there are 2 vnodes passed in, we don't know at
+ * this point which rights to look at based on the
+ * combined action being passed in... defer until later...
+ * otherwise check the kauth 'rights' cache hung
+ * off of the vnode we're interested in... if we've already
+ * been granted the right we're currently interested in,
+ * we can just return success... otherwise we'll go through
+ * the process of authorizing the requested right(s)... if that
+ * succeeds, we'll add the right(s) to the cache.
+ * VNOP_SETATTR and VNOP_SETXATTR will invalidate this cache
+ */
+ if (dvp && vp)
+ goto defer;
+ if (dvp) {
+ cvp = dvp;
+ } else {
+ /*
+ * For named streams on local-authorization volumes, rights are cached on the parent;
+ * authorization is determined by looking at the parent's properties anyway, so storing
+ * on the parent means that we don't recompute for the named stream and that if
+ * we need to flush rights (e.g. on VNOP_SETATTR()) we don't need to track down the
+ * stream to flush its cache separately. If we miss in the cache, then we authorize
+ * as if there were no cached rights (passing the named stream vnode and desired rights to
+ * vnode_authorize_callback_int()).
+ *
+ * On an opaquely authorized volume, we don't know the relationship between the
+ * data fork's properties and the rights granted on a stream. Thus, named stream vnodes
+ * on such a volume are authorized directly (rather than using the parent) and have their
+ * own caches. When a named stream vnode is created, we mark the parent as having a named
+ * stream. On a VNOP_SETATTR() for the parent that may invalidate cached authorization, we
+ * find the stream and flush its cache.
+ */
+ if (vnode_isnamedstream(vp) && (!vfs_authopaque(vp->v_mount))) {
+ cvp = vnode_getparent(vp);
+ if (cvp != NULLVP) {
+ parent_iocount = 1;
+ } else {
+ cvp = NULL;
+ goto defer; /* If we can't use the parent, take the slow path */
+ }
+
+ /* Have to translate some actions */
+ parent_action = action;
+ if (parent_action & KAUTH_VNODE_READ_DATA) {
+ parent_action &= ~KAUTH_VNODE_READ_DATA;
+ parent_action |= KAUTH_VNODE_READ_EXTATTRIBUTES;
+ }
+ if (parent_action & KAUTH_VNODE_WRITE_DATA) {
+ parent_action &= ~KAUTH_VNODE_WRITE_DATA;
+ parent_action |= KAUTH_VNODE_WRITE_EXTATTRIBUTES;
+ }
+
+ } else {
+ cvp = vp;
+ }
+ }
+
+ if (vnode_cache_is_authorized(cvp, ctx, parent_iocount ? parent_action : action) == TRUE) {
+ result = KAUTH_RESULT_ALLOW;
+ goto out;
+ }
+defer:
+ result = vnode_authorize_callback_int(action, ctx, vp, dvp, (int *)arg3);
+
+ if (result == KAUTH_RESULT_ALLOW && cvp != NULLVP) {
+ KAUTH_DEBUG("%p - caching action = %x", cvp, action);
+ vnode_cache_authorized_action(cvp, ctx, action);
+ }
+
+out:
+ if (parent_iocount) {
+ vnode_put(cvp);
+ }
+
+ return result;
+}
+
+static int
+vnode_attr_authorize_internal(vauth_ctx vcp, mount_t mp,
+ kauth_ace_rights_t rights, int is_suser, boolean_t *found_deny,
+ int noimmutable, int parent_authorized_for_delete_child)
+{
+ int result;
+
+ /*
+ * Check for immutability.
+ *
+ * In the deletion case, parent directory immutability vetoes specific
+ * file rights.
+ */
+ if ((result = vnode_authorize_checkimmutable(mp, vcp->vap, rights,
+ noimmutable)) != 0)
+ goto out;
+
+ if ((rights & KAUTH_VNODE_DELETE) &&
+ !parent_authorized_for_delete_child) {
+ result = vnode_authorize_checkimmutable(mp, vcp->dvap,
+ KAUTH_VNODE_DELETE_CHILD, 0);
+ if (result)
+ goto out;
+ }
+
+ /*
+ * Clear rights that have been authorized by reaching this point, bail if nothing left to
+ * check.
+ */
+ rights &= ~(KAUTH_VNODE_LINKTARGET | KAUTH_VNODE_CHECKIMMUTABLE);
+ if (rights == 0)
+ goto out;
+
+ /*
+ * If we're not the superuser, authorize based on file properties;
+ * note that even if parent_authorized_for_delete_child is TRUE, we
+ * need to check on the node itself.
+ */
+ if (!is_suser) {
+ /* process delete rights */
+ if ((rights & KAUTH_VNODE_DELETE) &&
+ ((result = vnode_authorize_delete(vcp, parent_authorized_for_delete_child)) != 0))
+ goto out;
+
+ /* process remaining rights */
+ if ((rights & ~KAUTH_VNODE_DELETE) &&
+ (result = vnode_authorize_simple(vcp, rights, rights & KAUTH_VNODE_DELETE, found_deny)) != 0)
+ goto out;
+ } else {
+ /*
+ * Execute is only granted to root if one of the x bits is set. This check only
+ * makes sense if the posix mode bits are actually supported.
+ */
+ if ((rights & KAUTH_VNODE_EXECUTE) &&
+ (vcp->vap->va_type == VREG) &&
+ VATTR_IS_SUPPORTED(vcp->vap, va_mode) &&
+ !(vcp->vap->va_mode & (S_IXUSR | S_IXGRP | S_IXOTH))) {
+ result = EPERM;
+ KAUTH_DEBUG("%p DENIED - root execute requires at least one x bit in 0x%x", vp, va.va_mode);
+ goto out;
+ }
+
+ /* Assume that there were DENYs so we don't wrongly cache KAUTH_VNODE_SEARCHBYANYONE */
+ *found_deny = TRUE;
+
+ KAUTH_DEBUG("%p ALLOWED - caller is superuser", vp);
+ }
+out:
+ return (result);
+}
+
+static int
+vnode_authorize_callback_int(kauth_action_t action, vfs_context_t ctx,
+ vnode_t vp, vnode_t dvp, int *errorp)
+{
+ struct _vnode_authorize_context auth_context;
+ vauth_ctx vcp;
+ kauth_cred_t cred;
+ kauth_ace_rights_t rights;
+ struct vnode_attr va, dva;
+ int result;
+ int noimmutable;
+ boolean_t parent_authorized_for_delete_child = FALSE;
+ boolean_t found_deny = FALSE;
+ boolean_t parent_ref= FALSE;
+ boolean_t is_suser = FALSE;
+
+ vcp = &auth_context;
+ vcp->ctx = ctx;
+ vcp->vp = vp;
+ vcp->dvp = dvp;
+ /*
+ * Note that we authorize against the context, not the passed cred
+ * (the same thing anyway)
+ */
+ cred = ctx->vc_ucred;
+
+ VATTR_INIT(&va);
+ vcp->vap = &va;
+ VATTR_INIT(&dva);
+ vcp->dvap = &dva;
+
+ vcp->flags = vcp->flags_valid = 0;
+
+#if DIAGNOSTIC
+ if ((ctx == NULL) || (vp == NULL) || (cred == NULL))
+ panic("vnode_authorize: bad arguments (context %p vp %p cred %p)", ctx, vp, cred);
+#endif
+
+ KAUTH_DEBUG("%p AUTH - %s %s%s%s%s%s%s%s%s%s%s%s%s%s%s%s on %s '%s' (0x%x:%p/%p)",
+ vp, vfs_context_proc(ctx)->p_comm,
+ (action & KAUTH_VNODE_ACCESS) ? "access" : "auth",
+ (action & KAUTH_VNODE_READ_DATA) ? vnode_isdir(vp) ? " LIST_DIRECTORY" : " READ_DATA" : "",
+ (action & KAUTH_VNODE_WRITE_DATA) ? vnode_isdir(vp) ? " ADD_FILE" : " WRITE_DATA" : "",
+ (action & KAUTH_VNODE_EXECUTE) ? vnode_isdir(vp) ? " SEARCH" : " EXECUTE" : "",
+ (action & KAUTH_VNODE_DELETE) ? " DELETE" : "",
+ (action & KAUTH_VNODE_APPEND_DATA) ? vnode_isdir(vp) ? " ADD_SUBDIRECTORY" : " APPEND_DATA" : "",
+ (action & KAUTH_VNODE_DELETE_CHILD) ? " DELETE_CHILD" : "",
+ (action & KAUTH_VNODE_READ_ATTRIBUTES) ? " READ_ATTRIBUTES" : "",
+ (action & KAUTH_VNODE_WRITE_ATTRIBUTES) ? " WRITE_ATTRIBUTES" : "",
+ (action & KAUTH_VNODE_READ_EXTATTRIBUTES) ? " READ_EXTATTRIBUTES" : "",
+ (action & KAUTH_VNODE_WRITE_EXTATTRIBUTES) ? " WRITE_EXTATTRIBUTES" : "",
+ (action & KAUTH_VNODE_READ_SECURITY) ? " READ_SECURITY" : "",
+ (action & KAUTH_VNODE_WRITE_SECURITY) ? " WRITE_SECURITY" : "",
+ (action & KAUTH_VNODE_CHANGE_OWNER) ? " CHANGE_OWNER" : "",
+ (action & KAUTH_VNODE_NOIMMUTABLE) ? " (noimmutable)" : "",
+ vnode_isdir(vp) ? "directory" : "file",
+ vp->v_name ? vp->v_name : "<NULL>", action, vp, dvp);
+
+ /*
+ * Extract the control bits from the action, everything else is
+ * requested rights.
+ */
+ noimmutable = (action & KAUTH_VNODE_NOIMMUTABLE) ? 1 : 0;
+ rights = action & ~(KAUTH_VNODE_ACCESS | KAUTH_VNODE_NOIMMUTABLE);
+
+ if (rights & KAUTH_VNODE_DELETE) {
+#if DIAGNOSTIC
+ if (dvp == NULL)
+ panic("vnode_authorize: KAUTH_VNODE_DELETE test requires a directory");
+#endif
+ /*
+ * check to see if we've already authorized the parent
+ * directory for deletion of its children... if so, we
+ * can skip a whole bunch of work... we will still have to
+ * authorize that this specific child can be removed
+ */
+ if (vnode_cache_is_authorized(dvp, ctx, KAUTH_VNODE_DELETE_CHILD) == TRUE)
+ parent_authorized_for_delete_child = TRUE;
+ } else {
+ vcp->dvp = NULLVP;
+ vcp->dvap = NULL;
+ }
+
+ /*
+ * Check for read-only filesystems.
+ */
+ if ((rights & KAUTH_VNODE_WRITE_RIGHTS) &&
+ (vp->v_mount->mnt_flag & MNT_RDONLY) &&
+ ((vp->v_type == VREG) || (vp->v_type == VDIR) ||
+ (vp->v_type == VLNK) || (vp->v_type == VCPLX) ||
+ (rights & KAUTH_VNODE_DELETE) || (rights & KAUTH_VNODE_DELETE_CHILD))) {
+ result = EROFS;
+ goto out;
+ }
+
+ /*
+ * Check for noexec filesystems.
+ */
+ if ((rights & KAUTH_VNODE_EXECUTE) && (vp->v_type == VREG) && (vp->v_mount->mnt_flag & MNT_NOEXEC)) {
+ result = EACCES;
+ goto out;
+ }
+
+ /*
+ * Handle cases related to filesystems with non-local enforcement.
+ * This call can return 0, in which case we will fall through to perform a
+ * check based on VNOP_GETATTR data. Otherwise it returns 1 and sets
+ * an appropriate result, at which point we can return immediately.
+ */
+ if ((vp->v_mount->mnt_kern_flag & MNTK_AUTH_OPAQUE) && vnode_authorize_opaque(vp, &result, action, ctx))
+ goto out;
+
+ /*
+ * If the vnode is a namedstream (extended attribute) data vnode (eg.
+ * a resource fork), *_DATA becomes *_EXTATTRIBUTES.
+ */
+ if (vnode_isnamedstream(vp)) {
+ if (rights & KAUTH_VNODE_READ_DATA) {
+ rights &= ~KAUTH_VNODE_READ_DATA;
+ rights |= KAUTH_VNODE_READ_EXTATTRIBUTES;
+ }
+ if (rights & KAUTH_VNODE_WRITE_DATA) {
+ rights &= ~KAUTH_VNODE_WRITE_DATA;
+ rights |= KAUTH_VNODE_WRITE_EXTATTRIBUTES;
+ }
+
+ /*
+ * Point 'vp' to the namedstream's parent for ACL checking
+ */
+ if ((vp->v_parent != NULL) &&
+ (vget_internal(vp->v_parent, 0, VNODE_NODEAD | VNODE_DRAINO) == 0)) {
+ parent_ref = TRUE;
+ vcp->vp = vp = vp->v_parent;
+ }
+ }
+
+ if (vfs_context_issuser(ctx)) {
+ /*
+ * if we're not asking for execute permissions or modifications,
+ * then we're done, this action is authorized.
+ */
+ if (!(rights & (KAUTH_VNODE_EXECUTE | KAUTH_VNODE_WRITE_RIGHTS)))
+ goto success;
+
+ is_suser = TRUE;
+ }
+
+ /*
+ * Get vnode attributes and extended security information for the vnode
+ * and directory if required.
+ *
+ * If we're root we only want mode bits and flags for checking
+ * execute and immutability.
+ */
+ VATTR_WANTED(&va, va_mode);
+ VATTR_WANTED(&va, va_flags);
+ if (!is_suser) {
+ VATTR_WANTED(&va, va_uid);
+ VATTR_WANTED(&va, va_gid);
+ VATTR_WANTED(&va, va_acl);
+ }
+ if ((result = vnode_getattr(vp, &va, ctx)) != 0) {
+ KAUTH_DEBUG("%p ERROR - failed to get vnode attributes - %d", vp, result);
+ goto out;
+ }
+ VATTR_WANTED(&va, va_type);
+ VATTR_RETURN(&va, va_type, vnode_vtype(vp));
+
+ if (vcp->dvp) {
+ VATTR_WANTED(&dva, va_mode);
+ VATTR_WANTED(&dva, va_flags);
+ if (!is_suser) {
+ VATTR_WANTED(&dva, va_uid);
+ VATTR_WANTED(&dva, va_gid);
+ VATTR_WANTED(&dva, va_acl);
+ }
+ if ((result = vnode_getattr(vcp->dvp, &dva, ctx)) != 0) {
+ KAUTH_DEBUG("%p ERROR - failed to get directory vnode attributes - %d", vp, result);
+ goto out;
+ }
+ VATTR_WANTED(&dva, va_type);
+ VATTR_RETURN(&dva, va_type, vnode_vtype(vcp->dvp));
+ }
+
+ result = vnode_attr_authorize_internal(vcp, vp->v_mount, rights, is_suser,
+ &found_deny, noimmutable, parent_authorized_for_delete_child);
+out:
+ if (VATTR_IS_SUPPORTED(&va, va_acl) && (va.va_acl != NULL))
+ kauth_acl_free(va.va_acl);
+ if (VATTR_IS_SUPPORTED(&dva, va_acl) && (dva.va_acl != NULL))
+ kauth_acl_free(dva.va_acl);
+
+ if (result) {
+ if (parent_ref)
+ vnode_put(vp);
+ *errorp = result;
+ KAUTH_DEBUG("%p DENIED - auth denied", vp);
+ return(KAUTH_RESULT_DENY);
+ }
+ if ((rights & KAUTH_VNODE_SEARCH) && found_deny == FALSE && vp->v_type == VDIR) {
+ /*
+ * if we were successfully granted the right to search this directory
+ * and there were NO ACL DENYs for search and the posix permissions also don't
+ * deny execute, we can synthesize a global right that allows anyone to
+ * traverse this directory during a pathname lookup without having to
+ * match the credential associated with this cache of rights.
+ *
+ * Note that we can correctly cache KAUTH_VNODE_SEARCHBYANYONE
+ * only if we actually check ACLs which we don't for root. As
+ * a workaround, the lookup fast path checks for root.
+ */
+ if (!VATTR_IS_SUPPORTED(&va, va_mode) ||
+ ((va.va_mode & (S_IXUSR | S_IXGRP | S_IXOTH)) ==
+ (S_IXUSR | S_IXGRP | S_IXOTH))) {
+ vnode_cache_authorized_action(vp, ctx, KAUTH_VNODE_SEARCHBYANYONE);
+ }
+ }
+success:
+ if (parent_ref)
+ vnode_put(vp);
+
+ /*
+ * Note that this implies that we will allow requests for no rights, as well as
+ * for rights that we do not recognise. There should be none of these.
+ */
+ KAUTH_DEBUG("%p ALLOWED - auth granted", vp);
+ return(KAUTH_RESULT_ALLOW);
+}
+
+int
+vnode_attr_authorize_init(struct vnode_attr *vap, struct vnode_attr *dvap,
+ kauth_action_t action, vfs_context_t ctx)
+{
+ VATTR_INIT(vap);
+ VATTR_WANTED(vap, va_type);
+ VATTR_WANTED(vap, va_mode);
+ VATTR_WANTED(vap, va_flags);
+ if (dvap) {
+ VATTR_INIT(dvap);
+ if (action & KAUTH_VNODE_DELETE) {
+ VATTR_WANTED(dvap, va_type);
+ VATTR_WANTED(dvap, va_mode);
+ VATTR_WANTED(dvap, va_flags);
+ }
+ } else if (action & KAUTH_VNODE_DELETE) {
+ return (EINVAL);
+ }
+
+ if (!vfs_context_issuser(ctx)) {
+ VATTR_WANTED(vap, va_uid);
+ VATTR_WANTED(vap, va_gid);
+ VATTR_WANTED(vap, va_acl);
+ if (dvap && (action & KAUTH_VNODE_DELETE)) {
+ VATTR_WANTED(dvap, va_uid);
+ VATTR_WANTED(dvap, va_gid);
+ VATTR_WANTED(dvap, va_acl);
+ }
+ }
+
+ return (0);
+}
+
+int
+vnode_attr_authorize(struct vnode_attr *vap, struct vnode_attr *dvap, mount_t mp,
+ kauth_action_t action, vfs_context_t ctx)
+{
+ struct _vnode_authorize_context auth_context;
+ vauth_ctx vcp;
+ kauth_ace_rights_t rights;
+ int noimmutable;
+ boolean_t found_deny;
+ boolean_t is_suser = FALSE;
+ int result = 0;
+
+ vcp = &auth_context;
+ vcp->ctx = ctx;
+ vcp->vp = NULLVP;
+ vcp->vap = vap;
+ vcp->dvp = NULLVP;
+ vcp->dvap = dvap;
+ vcp->flags = vcp->flags_valid = 0;
+
+ noimmutable = (action & KAUTH_VNODE_NOIMMUTABLE) ? 1 : 0;
+ rights = action & ~(KAUTH_VNODE_ACCESS | KAUTH_VNODE_NOIMMUTABLE);
+
+ /*
+ * Check for read-only filesystems.
+ */
+ if ((rights & KAUTH_VNODE_WRITE_RIGHTS) &&
+ mp && (mp->mnt_flag & MNT_RDONLY) &&
+ ((vap->va_type == VREG) || (vap->va_type == VDIR) ||
+ (vap->va_type == VLNK) || (rights & KAUTH_VNODE_DELETE) ||
+ (rights & KAUTH_VNODE_DELETE_CHILD))) {
+ result = EROFS;
+ goto out;
+ }
+
+ /*
+ * Check for noexec filesystems.
+ */
+ if ((rights & KAUTH_VNODE_EXECUTE) &&
+ (vap->va_type == VREG) && mp && (mp->mnt_flag & MNT_NOEXEC)) {
+ result = EACCES;
+ goto out;
+ }
+
+ if (vfs_context_issuser(ctx)) {
+ /*
+ * if we're not asking for execute permissions or modifications,
+ * then we're done, this action is authorized.
+ */
+ if (!(rights & (KAUTH_VNODE_EXECUTE | KAUTH_VNODE_WRITE_RIGHTS)))
+ goto out;
+ is_suser = TRUE;
+ } else {
+ if (!VATTR_IS_SUPPORTED(vap, va_uid) ||
+ !VATTR_IS_SUPPORTED(vap, va_gid) ||
+ (mp && vfs_extendedsecurity(mp) && !VATTR_IS_SUPPORTED(vap, va_acl))) {
+ panic("vnode attrs not complete for vnode_attr_authorize\n");
+ }
+ }
+
+ result = vnode_attr_authorize_internal(vcp, mp, rights, is_suser,
+ &found_deny, noimmutable, FALSE);
+
+ if (result == EPERM)
+ result = EACCES;
+out:
+ return (result);
+}
+
+
+int
+vnode_authattr_new(vnode_t dvp, struct vnode_attr *vap, int noauth, vfs_context_t ctx)
+{
+ return vnode_authattr_new_internal(dvp, vap, noauth, NULL, ctx);
+}
+
+/*
+ * Check that the attribute information in vattr can be legally applied to
+ * a new file by the context.
+ */
+static int
+vnode_authattr_new_internal(vnode_t dvp, struct vnode_attr *vap, int noauth, uint32_t *defaulted_fieldsp, vfs_context_t ctx)
+{
+ int error;
+ int has_priv_suser, ismember, defaulted_owner, defaulted_group, defaulted_mode;
+ uint32_t inherit_flags;
+ kauth_cred_t cred;
+ guid_t changer;
+ mount_t dmp;
+ struct vnode_attr dva;
+
+ error = 0;
+
+ if (defaulted_fieldsp) {
+ *defaulted_fieldsp = 0;
+ }
+
+ defaulted_owner = defaulted_group = defaulted_mode = 0;
+
+ inherit_flags = 0;
+
+ /*
+ * Require that the filesystem support extended security to apply any.
+ */
+ if (!vfs_extendedsecurity(dvp->v_mount) &&
+ (VATTR_IS_ACTIVE(vap, va_acl) || VATTR_IS_ACTIVE(vap, va_uuuid) || VATTR_IS_ACTIVE(vap, va_guuid))) {
+ error = EINVAL;
+ goto out;
+ }
+
+ /*
+ * Default some fields.
+ */
+ dmp = dvp->v_mount;
+
+ /*
+ * If the filesystem is mounted IGNORE_OWNERSHIP and an explicit owner is set, that
+ * owner takes ownership of all new files.
+ */
+ if ((dmp->mnt_flag & MNT_IGNORE_OWNERSHIP) && (dmp->mnt_fsowner != KAUTH_UID_NONE)) {
+ VATTR_SET(vap, va_uid, dmp->mnt_fsowner);
+ defaulted_owner = 1;
+ } else {
+ if (!VATTR_IS_ACTIVE(vap, va_uid)) {
+ /* default owner is current user */
+ VATTR_SET(vap, va_uid, kauth_cred_getuid(vfs_context_ucred(ctx)));
+ defaulted_owner = 1;
+ }
+ }
+
+ /*
+ * We need the dvp's va_flags and *may* need the gid of the directory,
+ * we ask for both here.
+ */
+ VATTR_INIT(&dva);
+ VATTR_WANTED(&dva, va_gid);
+ VATTR_WANTED(&dva, va_flags);
+ if ((error = vnode_getattr(dvp, &dva, ctx)) != 0)
+ goto out;
+
+ /*
+ * If the filesystem is mounted IGNORE_OWNERSHIP and an explicit grouo is set, that
+ * group takes ownership of all new files.
+ */
+ if ((dmp->mnt_flag & MNT_IGNORE_OWNERSHIP) && (dmp->mnt_fsgroup != KAUTH_GID_NONE)) {
+ VATTR_SET(vap, va_gid, dmp->mnt_fsgroup);
+ defaulted_group = 1;
+ } else {
+ if (!VATTR_IS_ACTIVE(vap, va_gid)) {
+ /* default group comes from parent object, fallback to current user */
+ if (VATTR_IS_SUPPORTED(&dva, va_gid)) {
+ VATTR_SET(vap, va_gid, dva.va_gid);
+ } else {
+ VATTR_SET(vap, va_gid, kauth_cred_getgid(vfs_context_ucred(ctx)));
+ }
+ defaulted_group = 1;
+ }
+ }
+
+ if (!VATTR_IS_ACTIVE(vap, va_flags))
+ VATTR_SET(vap, va_flags, 0);
+
+ /* Determine if SF_RESTRICTED should be inherited from the parent
+ * directory. */
+ if (VATTR_IS_SUPPORTED(&dva, va_flags)) {
+ inherit_flags = dva.va_flags & (UF_DATAVAULT | SF_RESTRICTED);
+ }
+
+ /* default mode is everything, masked with current umask */
+ if (!VATTR_IS_ACTIVE(vap, va_mode)) {
+ VATTR_SET(vap, va_mode, ACCESSPERMS & ~vfs_context_proc(ctx)->p_fd->fd_cmask);
+ KAUTH_DEBUG("ATTR - defaulting new file mode to %o from umask %o", vap->va_mode, vfs_context_proc(ctx)->p_fd->fd_cmask);
+ defaulted_mode = 1;
+ }
+ /* set timestamps to now */
+ if (!VATTR_IS_ACTIVE(vap, va_create_time)) {
+ nanotime(&vap->va_create_time);
+ VATTR_SET_ACTIVE(vap, va_create_time);
+ }
+
+ /*
+ * Check for attempts to set nonsensical fields.
+ */
+ if (vap->va_active & ~VNODE_ATTR_NEWOBJ) {
+ error = EINVAL;
+ KAUTH_DEBUG("ATTR - ERROR - attempt to set unsupported new-file attributes %llx",
+ vap->va_active & ~VNODE_ATTR_NEWOBJ);
+ goto out;
+ }
+
+ /*
+ * Quickly check for the applicability of any enforcement here.
+ * Tests below maintain the integrity of the local security model.
+ */
+ if (vfs_authopaque(dvp->v_mount))
+ goto out;
+
+ /*
+ * We need to know if the caller is the superuser, or if the work is
+ * otherwise already authorised.
+ */
+ cred = vfs_context_ucred(ctx);
+ if (noauth) {
+ /* doing work for the kernel */
+ has_priv_suser = 1;
+ } else {
+ has_priv_suser = vfs_context_issuser(ctx);
+ }
+
+
+ if (VATTR_IS_ACTIVE(vap, va_flags)) {
+ if (has_priv_suser) {
+ if ((vap->va_flags & (UF_SETTABLE | SF_SETTABLE)) != vap->va_flags) {
+ error = EPERM;
+ KAUTH_DEBUG(" DENIED - superuser attempt to set illegal flag(s)");
+ goto out;
+ }
+ } else {
+ if ((vap->va_flags & UF_SETTABLE) != vap->va_flags) {
+ error = EPERM;
+ KAUTH_DEBUG(" DENIED - user attempt to set illegal flag(s)");
+ goto out;
+ }
+ }
+ }
+
+ /* if not superuser, validate legality of new-item attributes */
+ if (!has_priv_suser) {
+ if (!defaulted_mode && VATTR_IS_ACTIVE(vap, va_mode)) {
+ /* setgid? */
+ if (vap->va_mode & S_ISGID) {
+ if ((error = kauth_cred_ismember_gid(cred, vap->va_gid, &ismember)) != 0) {
+ KAUTH_DEBUG("ATTR - ERROR: got %d checking for membership in %d", error, vap->va_gid);
+ goto out;
+ }
+ if (!ismember) {
+ KAUTH_DEBUG(" DENIED - can't set SGID bit, not a member of %d", vap->va_gid);
+ error = EPERM;
+ goto out;
+ }
+ }
+
+ /* setuid? */
+ if ((vap->va_mode & S_ISUID) && (vap->va_uid != kauth_cred_getuid(cred))) {
+ KAUTH_DEBUG("ATTR - ERROR: illegal attempt to set the setuid bit");
+ error = EPERM;
+ goto out;
+ }
+ }
+ if (!defaulted_owner && (vap->va_uid != kauth_cred_getuid(cred))) {
+ KAUTH_DEBUG(" DENIED - cannot create new item owned by %d", vap->va_uid);
+ error = EPERM;
+ goto out;
+ }
+ if (!defaulted_group) {
+ if ((error = kauth_cred_ismember_gid(cred, vap->va_gid, &ismember)) != 0) {
+ KAUTH_DEBUG(" ERROR - got %d checking for membership in %d", error, vap->va_gid);
+ goto out;
+ }
+ if (!ismember) {
+ KAUTH_DEBUG(" DENIED - cannot create new item with group %d - not a member", vap->va_gid);
+ error = EPERM;
+ goto out;
+ }
+ }
+
+ /* initialising owner/group UUID */
+ if (VATTR_IS_ACTIVE(vap, va_uuuid)) {
+ if ((error = kauth_cred_getguid(cred, &changer)) != 0) {
+ KAUTH_DEBUG(" ERROR - got %d trying to get caller UUID", error);
+ /* XXX ENOENT here - no GUID - should perhaps become EPERM */
+ goto out;
+ }
+ if (!kauth_guid_equal(&vap->va_uuuid, &changer)) {
+ KAUTH_DEBUG(" ERROR - cannot create item with supplied owner UUID - not us");
+ error = EPERM;
+ goto out;
+ }
+ }
+ if (VATTR_IS_ACTIVE(vap, va_guuid)) {
+ if ((error = kauth_cred_ismember_guid(cred, &vap->va_guuid, &ismember)) != 0) {
+ KAUTH_DEBUG(" ERROR - got %d trying to check group membership", error);
+ goto out;
+ }
+ if (!ismember) {
+ KAUTH_DEBUG(" ERROR - cannot create item with supplied group UUID - not a member");
+ error = EPERM;
+ goto out;
+ }
+ }
+ }
+out:
+ if (inherit_flags) {
+ /* Apply SF_RESTRICTED to the file if its parent directory was
+ * restricted. This is done at the end so that root is not
+ * required if this flag is only set due to inheritance. */
+ VATTR_SET(vap, va_flags, (vap->va_flags | inherit_flags));
+ }
+ if (defaulted_fieldsp) {
+ if (defaulted_mode) {
+ *defaulted_fieldsp |= VATTR_PREPARE_DEFAULTED_MODE;
+ }
+ if (defaulted_group) {
+ *defaulted_fieldsp |= VATTR_PREPARE_DEFAULTED_GID;
+ }
+ if (defaulted_owner) {
+ *defaulted_fieldsp |= VATTR_PREPARE_DEFAULTED_UID;
+ }
+ }
+ return(error);
+}
+
+/*
+ * Check that the attribute information in vap can be legally written by the
+ * context.
+ *
+ * Call this when you're not sure about the vnode_attr; either its contents
+ * have come from an unknown source, or when they are variable.
+ *
+ * Returns errno, or zero and sets *actionp to the KAUTH_VNODE_* actions that
+ * must be authorized to be permitted to write the vattr.
+ */
+int
+vnode_authattr(vnode_t vp, struct vnode_attr *vap, kauth_action_t *actionp, vfs_context_t ctx)
+{
+ struct vnode_attr ova;
+ kauth_action_t required_action;
+ int error, has_priv_suser, ismember, chowner, chgroup, clear_suid, clear_sgid;
+ guid_t changer;
+ gid_t group;
+ uid_t owner;
+ mode_t newmode;
+ kauth_cred_t cred;
+ uint32_t fdelta;
+
+ VATTR_INIT(&ova);
+ required_action = 0;
+ error = 0;
+
+ /*
+ * Quickly check for enforcement applicability.
+ */
+ if (vfs_authopaque(vp->v_mount))
+ goto out;
+
+ /*
+ * Check for attempts to set nonsensical fields.
+ */
+ if (vap->va_active & VNODE_ATTR_RDONLY) {
+ KAUTH_DEBUG("ATTR - ERROR: attempt to set readonly attribute(s)");
+ error = EINVAL;
+ goto out;
+ }
+
+ /*
+ * We need to know if the caller is the superuser.
+ */
+ cred = vfs_context_ucred(ctx);
+ has_priv_suser = kauth_cred_issuser(cred);
+
+ /*
+ * If any of the following are changing, we need information from the old file:
+ * va_uid
+ * va_gid
+ * va_mode
+ * va_uuuid
+ * va_guuid
+ */
+ if (VATTR_IS_ACTIVE(vap, va_uid) ||
+ VATTR_IS_ACTIVE(vap, va_gid) ||
+ VATTR_IS_ACTIVE(vap, va_mode) ||
+ VATTR_IS_ACTIVE(vap, va_uuuid) ||
+ VATTR_IS_ACTIVE(vap, va_guuid)) {
+ VATTR_WANTED(&ova, va_mode);
+ VATTR_WANTED(&ova, va_uid);
+ VATTR_WANTED(&ova, va_gid);
+ VATTR_WANTED(&ova, va_uuuid);
+ VATTR_WANTED(&ova, va_guuid);
+ KAUTH_DEBUG("ATTR - security information changing, fetching existing attributes");
+ }
+
+ /*
+ * If timestamps are being changed, we need to know who the file is owned
+ * by.
+ */
+ if (VATTR_IS_ACTIVE(vap, va_create_time) ||
+ VATTR_IS_ACTIVE(vap, va_change_time) ||
+ VATTR_IS_ACTIVE(vap, va_modify_time) ||
+ VATTR_IS_ACTIVE(vap, va_access_time) ||
+ VATTR_IS_ACTIVE(vap, va_backup_time) ||
+ VATTR_IS_ACTIVE(vap, va_addedtime)) {
+
+ VATTR_WANTED(&ova, va_uid);
+#if 0 /* enable this when we support UUIDs as official owners */
+ VATTR_WANTED(&ova, va_uuuid);
+#endif
+ KAUTH_DEBUG("ATTR - timestamps changing, fetching uid and GUID");
+ }
+
+ /*
+ * If flags are being changed, we need the old flags.
+ */
+ if (VATTR_IS_ACTIVE(vap, va_flags)) {
+ KAUTH_DEBUG("ATTR - flags changing, fetching old flags");
+ VATTR_WANTED(&ova, va_flags);
+ }
+
+ /*
+ * If ACLs are being changed, we need the old ACLs.
+ */
+ if (VATTR_IS_ACTIVE(vap, va_acl)) {
+ KAUTH_DEBUG("ATTR - acl changing, fetching old flags");
+ VATTR_WANTED(&ova, va_acl);
+ }
+
+ /*
+ * If the size is being set, make sure it's not a directory.
+ */
+ if (VATTR_IS_ACTIVE(vap, va_data_size)) {
+ /* size is only meaningful on regular files, don't permit otherwise */
+ if (!vnode_isreg(vp)) {
+ KAUTH_DEBUG("ATTR - ERROR: size change requested on non-file");
+ error = vnode_isdir(vp) ? EISDIR : EINVAL;
+ goto out;
+ }
+ }
+
+ /*
+ * Get old data.
+ */
+ KAUTH_DEBUG("ATTR - fetching old attributes %016llx", ova.va_active);
+ if ((error = vnode_getattr(vp, &ova, ctx)) != 0) {
+ KAUTH_DEBUG(" ERROR - got %d trying to get attributes", error);
+ goto out;
+ }
+
+ /*
+ * Size changes require write access to the file data.
+ */
+ if (VATTR_IS_ACTIVE(vap, va_data_size)) {
+ /* if we can't get the size, or it's different, we need write access */
+ KAUTH_DEBUG("ATTR - size change, requiring WRITE_DATA");
+ required_action |= KAUTH_VNODE_WRITE_DATA;
+ }
+
+ /*
+ * Changing timestamps?
+ *
+ * Note that we are only called to authorize user-requested time changes;
+ * side-effect time changes are not authorized. Authorisation is only
+ * required for existing files.
+ *
+ * Non-owners are not permitted to change the time on an existing
+ * file to anything other than the current time.
+ */
+ if (VATTR_IS_ACTIVE(vap, va_create_time) ||
+ VATTR_IS_ACTIVE(vap, va_change_time) ||
+ VATTR_IS_ACTIVE(vap, va_modify_time) ||
+ VATTR_IS_ACTIVE(vap, va_access_time) ||
+ VATTR_IS_ACTIVE(vap, va_backup_time) ||
+ VATTR_IS_ACTIVE(vap, va_addedtime)) {
+ /*
+ * The owner and root may set any timestamps they like,
+ * provided that the file is not immutable. The owner still needs
+ * WRITE_ATTRIBUTES (implied by ownership but still deniable).
+ */
+ if (has_priv_suser || vauth_node_owner(&ova, cred)) {
+ KAUTH_DEBUG("ATTR - root or owner changing timestamps");
+ required_action |= KAUTH_VNODE_CHECKIMMUTABLE | KAUTH_VNODE_WRITE_ATTRIBUTES;
+ } else {
+ /* just setting the current time? */
+ if (vap->va_vaflags & VA_UTIMES_NULL) {
+ KAUTH_DEBUG("ATTR - non-root/owner changing timestamps, requiring WRITE_ATTRIBUTES");
+ required_action |= KAUTH_VNODE_WRITE_ATTRIBUTES;
+ } else {
+ KAUTH_DEBUG("ATTR - ERROR: illegal timestamp modification attempted");
+ error = EACCES;
+ goto out;
+ }
+ }
+ }
+
+ /*
+ * Changing file mode?
+ */
+ if (VATTR_IS_ACTIVE(vap, va_mode) && VATTR_IS_SUPPORTED(&ova, va_mode) && (ova.va_mode != vap->va_mode)) {
+ KAUTH_DEBUG("ATTR - mode change from %06o to %06o", ova.va_mode, vap->va_mode);
+
+ /*
+ * Mode changes always have the same basic auth requirements.
+ */
+ if (has_priv_suser) {
+ KAUTH_DEBUG("ATTR - superuser mode change, requiring immutability check");
+ required_action |= KAUTH_VNODE_CHECKIMMUTABLE;
+ } else {
+ /* need WRITE_SECURITY */
+ KAUTH_DEBUG("ATTR - non-superuser mode change, requiring WRITE_SECURITY");
+ required_action |= KAUTH_VNODE_WRITE_SECURITY;
+ }
+
+ /*
+ * Can't set the setgid bit if you're not in the group and not root. Have to have
+ * existing group information in the case we're not setting it right now.
+ */
+ if (vap->va_mode & S_ISGID) {
+ required_action |= KAUTH_VNODE_CHECKIMMUTABLE; /* always required */
+ if (!has_priv_suser) {
+ if (VATTR_IS_ACTIVE(vap, va_gid)) {
+ group = vap->va_gid;
+ } else if (VATTR_IS_SUPPORTED(&ova, va_gid)) {
+ group = ova.va_gid;
+ } else {
+ KAUTH_DEBUG("ATTR - ERROR: setgid but no gid available");
+ error = EINVAL;
+ goto out;
+ }
+ /*
+ * This might be too restrictive; WRITE_SECURITY might be implied by
+ * membership in this case, rather than being an additional requirement.
+ */
+ if ((error = kauth_cred_ismember_gid(cred, group, &ismember)) != 0) {
+ KAUTH_DEBUG("ATTR - ERROR: got %d checking for membership in %d", error, vap->va_gid);
projects / apple / xnu.git / blobdiff