+
+
+
+/*
+ * Returns: KAUTH_RESULT_ALLOW
+ * KAUTH_RESULT_DENY
+ *
+ * Imputed: *arg3, modified Error code in the deny case
+ * EROFS Read-only file system
+ * EACCES Permission denied
+ * EPERM Operation not permitted [no execute]
+ * vnode_getattr:ENOMEM Not enough space [only if has filesec]
+ * vnode_getattr:???
+ * vnode_authorize_opaque:*arg2 ???
+ * vnode_authorize_checkimmutable:???
+ * vnode_authorize_delete:???
+ * vnode_authorize_simple:???
+ */
+
+
+static int
+vnode_authorize_callback(kauth_cred_t cred, void *idata, kauth_action_t action,
+ uintptr_t arg0, uintptr_t arg1, uintptr_t arg2, uintptr_t arg3)
+{
+ vfs_context_t ctx;
+ vnode_t cvp = NULLVP;
+ vnode_t vp, dvp;
+ int result = KAUTH_RESULT_DENY;
+ int parent_iocount = 0;
+ int parent_action; /* In case we need to use namedstream's data fork for cached rights*/
+
+ ctx = (vfs_context_t)arg0;
+ vp = (vnode_t)arg1;
+ dvp = (vnode_t)arg2;
+
+ /*
+ * if there are 2 vnodes passed in, we don't know at
+ * this point which rights to look at based on the
+ * combined action being passed in... defer until later...
+ * otherwise check the kauth 'rights' cache hung
+ * off of the vnode we're interested in... if we've already
+ * been granted the right we're currently interested in,
+ * we can just return success... otherwise we'll go through
+ * the process of authorizing the requested right(s)... if that
+ * succeeds, we'll add the right(s) to the cache.
+ * VNOP_SETATTR and VNOP_SETXATTR will invalidate this cache
+ */
+ if (dvp && vp)
+ goto defer;
+ if (dvp) {
+ cvp = dvp;
+ } else {
+ /*
+ * For named streams on local-authorization volumes, rights are cached on the parent;
+ * authorization is determined by looking at the parent's properties anyway, so storing
+ * on the parent means that we don't recompute for the named stream and that if
+ * we need to flush rights (e.g. on VNOP_SETATTR()) we don't need to track down the
+ * stream to flush its cache separately. If we miss in the cache, then we authorize
+ * as if there were no cached rights (passing the named stream vnode and desired rights to
+ * vnode_authorize_callback_int()).
+ *
+ * On an opaquely authorized volume, we don't know the relationship between the
+ * data fork's properties and the rights granted on a stream. Thus, named stream vnodes
+ * on such a volume are authorized directly (rather than using the parent) and have their
+ * own caches. When a named stream vnode is created, we mark the parent as having a named
+ * stream. On a VNOP_SETATTR() for the parent that may invalidate cached authorization, we
+ * find the stream and flush its cache.
+ */
+ if (vnode_isnamedstream(vp) && (!vfs_authopaque(vp->v_mount))) {
+ cvp = vp->v_parent;
+ if ((cvp != NULLVP) && (vnode_getwithref(cvp) == 0)) {
+ parent_iocount = 1;
+ } else {
+ cvp = NULL;
+ goto defer; /* If we can't use the parent, take the slow path */
+ }
+
+ /* Have to translate some actions */
+ parent_action = action;
+ if (parent_action & KAUTH_VNODE_READ_DATA) {
+ parent_action &= ~KAUTH_VNODE_READ_DATA;
+ parent_action |= KAUTH_VNODE_READ_EXTATTRIBUTES;
+ }
+ if (parent_action & KAUTH_VNODE_WRITE_DATA) {
+ parent_action &= ~KAUTH_VNODE_WRITE_DATA;
+ parent_action |= KAUTH_VNODE_WRITE_EXTATTRIBUTES;
+ }
+
+ } else {
+ cvp = vp;
+ }
+ }
+
+ if (vnode_cache_is_authorized(cvp, ctx, parent_iocount ? parent_action : action) == TRUE) {
+ result = KAUTH_RESULT_ALLOW;
+ goto out;
+ }
+defer:
+ result = vnode_authorize_callback_int(cred, idata, action, arg0, arg1, arg2, arg3);
+
+ if (result == KAUTH_RESULT_ALLOW && cvp != NULLVP)
+ vnode_cache_authorized_action(cvp, ctx, action);
+
+out:
+ if (parent_iocount) {
+ vnode_put(cvp);
+ }
+
+ return result;
+}
+
+