+ /* Check for a cached answer first, to avoid the check if possible */
+ if (vcp->flags_valid & _VAC_IN_DIR_GROUP) {
+ *ismember = (vcp->flags & _VAC_IN_DIR_GROUP) ? 1 : 0;
+ error = 0;
+ } else {
+ /* Otherwise, go look for it */
+ error = vauth_node_group(vcp->dvap, vcp->ctx->vc_ucred, ismember, idontknow);
+
+ if (!error) {
+ /* cache our result */
+ vcp->flags_valid |= _VAC_IN_DIR_GROUP;
+ if (*ismember) {
+ vcp->flags |= _VAC_IN_DIR_GROUP;
+ } else {
+ vcp->flags &= ~_VAC_IN_DIR_GROUP;
+ }
+ }
+ }
+ return(error);
+}
+
+/*
+ * Test the posix permissions in (vap) to determine whether (credential)
+ * may perform (action)
+ */
+static int
+vnode_authorize_posix(vauth_ctx vcp, int action, int on_dir)
+{
+ struct vnode_attr *vap;
+ int needed, error, owner_ok, group_ok, world_ok, ismember;
+#ifdef KAUTH_DEBUG_ENABLE
+ const char *where = "uninitialized";
+# define _SETWHERE(c) where = c;
+#else
+# define _SETWHERE(c)
+#endif
+
+ /* checking file or directory? */
+ if (on_dir) {
+ vap = vcp->dvap;
+ } else {
+ vap = vcp->vap;
+ }
+
+ error = 0;
+
+ /*
+ * We want to do as little work here as possible. So first we check
+ * which sets of permissions grant us the access we need, and avoid checking
+ * whether specific permissions grant access when more generic ones would.
+ */
+
+ /* owner permissions */
+ needed = 0;
+ if (action & VREAD)
+ needed |= S_IRUSR;
+ if (action & VWRITE)
+ needed |= S_IWUSR;
+ if (action & VEXEC)
+ needed |= S_IXUSR;
+ owner_ok = (needed & vap->va_mode) == needed;
+
+ /* group permissions */
+ needed = 0;
+ if (action & VREAD)
+ needed |= S_IRGRP;
+ if (action & VWRITE)
+ needed |= S_IWGRP;
+ if (action & VEXEC)
+ needed |= S_IXGRP;
+ group_ok = (needed & vap->va_mode) == needed;
+
+ /* world permissions */
+ needed = 0;
+ if (action & VREAD)
+ needed |= S_IROTH;
+ if (action & VWRITE)
+ needed |= S_IWOTH;
+ if (action & VEXEC)
+ needed |= S_IXOTH;
+ world_ok = (needed & vap->va_mode) == needed;
+
+ /* If granted/denied by all three, we're done */
+ if (owner_ok && group_ok && world_ok) {
+ _SETWHERE("all");
+ goto out;
+ }
+ if (!owner_ok && !group_ok && !world_ok) {
+ _SETWHERE("all");
+ error = EACCES;
+ goto out;
+ }
+
+ /* Check ownership (relatively cheap) */
+ if ((on_dir && vauth_dir_owner(vcp)) ||
+ (!on_dir && vauth_file_owner(vcp))) {
+ _SETWHERE("user");
+ if (!owner_ok)
+ error = EACCES;
+ goto out;
+ }
+
+ /* Not owner; if group and world both grant it we're done */
+ if (group_ok && world_ok) {
+ _SETWHERE("group/world");
+ goto out;
+ }
+ if (!group_ok && !world_ok) {
+ _SETWHERE("group/world");
+ error = EACCES;
+ goto out;
+ }
+
+ /* Check group membership (most expensive) */
+ ismember = 0; /* Default to allow, if the target has no group owner */
+
+ /*
+ * In the case we can't get an answer about the user from the call to
+ * vauth_dir_ingroup() or vauth_file_ingroup(), we want to fail on
+ * the side of caution, rather than simply granting access, or we will
+ * fail to correctly implement exclusion groups, so we set the third
+ * parameter on the basis of the state of 'group_ok'.
+ */
+ if (on_dir) {
+ error = vauth_dir_ingroup(vcp, &ismember, (!group_ok ? EACCES : 0));
+ } else {
+ error = vauth_file_ingroup(vcp, &ismember, (!group_ok ? EACCES : 0));
+ }
+ if (error) {
+ if (!group_ok)
+ ismember = 1;
+ error = 0;
+ }
+ if (ismember) {
+ _SETWHERE("group");
+ if (!group_ok)
+ error = EACCES;
+ goto out;
+ }
+
+ /* Not owner, not in group, use world result */
+ _SETWHERE("world");
+ if (!world_ok)
+ error = EACCES;
+
+ /* FALLTHROUGH */
+
+out:
+ KAUTH_DEBUG("%p %s - posix %s permissions : need %s%s%s %x have %s%s%s%s%s%s%s%s%s UID = %d file = %d,%d",
+ vcp->vp, (error == 0) ? "ALLOWED" : "DENIED", where,
+ (action & VREAD) ? "r" : "-",
+ (action & VWRITE) ? "w" : "-",
+ (action & VEXEC) ? "x" : "-",
+ needed,
+ (vap->va_mode & S_IRUSR) ? "r" : "-",
+ (vap->va_mode & S_IWUSR) ? "w" : "-",
+ (vap->va_mode & S_IXUSR) ? "x" : "-",
+ (vap->va_mode & S_IRGRP) ? "r" : "-",
+ (vap->va_mode & S_IWGRP) ? "w" : "-",
+ (vap->va_mode & S_IXGRP) ? "x" : "-",
+ (vap->va_mode & S_IROTH) ? "r" : "-",
+ (vap->va_mode & S_IWOTH) ? "w" : "-",
+ (vap->va_mode & S_IXOTH) ? "x" : "-",
+ kauth_cred_getuid(vcp->ctx->vc_ucred),
+ on_dir ? vcp->dvap->va_uid : vcp->vap->va_uid,
+ on_dir ? vcp->dvap->va_gid : vcp->vap->va_gid);
+ return(error);
+}
+
+/*
+ * Authorize the deletion of the node vp from the directory dvp.
+ *
+ * We assume that:
+ * - Neither the node nor the directory are immutable.
+ * - The user is not the superuser.
+ *
+ * The precedence of factors for authorizing or denying delete for a credential
+ *
+ * 1) Explicit ACE on the node. (allow or deny DELETE)
+ * 2) Explicit ACE on the directory (allow or deny DELETE_CHILD).
+ *
+ * If there are conflicting ACEs on the node and the directory, the node
+ * ACE wins.
+ *
+ * 3) Sticky bit on the directory.
+ * Deletion is not permitted if the directory is sticky and the caller is
+ * not owner of the node or directory. The sticky bit rules are like a deny
+ * delete ACE except lower in priority than ACL's either allowing or denying
+ * delete.
+ *
+ * 4) POSIX permisions on the directory.
+ *
+ * As an optimization, we cache whether or not delete child is permitted
+ * on directories. This enables us to skip directory ACL and POSIX checks
+ * as we already have the result from those checks. However, we always check the
+ * node ACL and, if the directory has the sticky bit set, we always check its
+ * ACL (even for a directory with an authorized delete child). Furthermore,
+ * caching the delete child authorization is independent of the sticky bit
+ * being set as it is only applicable in determining whether the node can be
+ * deleted or not.
+ */
+static int
+vnode_authorize_delete(vauth_ctx vcp, boolean_t cached_delete_child)
+{
+ struct vnode_attr *vap = vcp->vap;
+ struct vnode_attr *dvap = vcp->dvap;
+ kauth_cred_t cred = vcp->ctx->vc_ucred;
+ struct kauth_acl_eval eval;
+ int error, ismember;
+
+ /* Check the ACL on the node first */
+ if (VATTR_IS_NOT(vap, va_acl, NULL)) {
+ eval.ae_requested = KAUTH_VNODE_DELETE;
+ eval.ae_acl = &vap->va_acl->acl_ace[0];
+ eval.ae_count = vap->va_acl->acl_entrycount;
+ eval.ae_options = 0;
+ if (vauth_file_owner(vcp))
+ eval.ae_options |= KAUTH_AEVAL_IS_OWNER;
+ /*
+ * We use ENOENT as a marker to indicate we could not get
+ * information in order to delay evaluation until after we
+ * have the ACL evaluation answer. Previously, we would
+ * always deny the operation at this point.
+ */
+ if ((error = vauth_file_ingroup(vcp, &ismember, ENOENT)) != 0 && error != ENOENT)
+ return (error);
+ if (error == ENOENT)
+ eval.ae_options |= KAUTH_AEVAL_IN_GROUP_UNKNOWN;
+ else if (ismember)
+ eval.ae_options |= KAUTH_AEVAL_IN_GROUP;
+ eval.ae_exp_gall = KAUTH_VNODE_GENERIC_ALL_BITS;
+ eval.ae_exp_gread = KAUTH_VNODE_GENERIC_READ_BITS;
+ eval.ae_exp_gwrite = KAUTH_VNODE_GENERIC_WRITE_BITS;
+ eval.ae_exp_gexec = KAUTH_VNODE_GENERIC_EXECUTE_BITS;
+
+ if ((error = kauth_acl_evaluate(cred, &eval)) != 0) {
+ KAUTH_DEBUG("%p ERROR during ACL processing - %d", vcp->vp, error);
+ return (error);
+ }
+
+ switch(eval.ae_result) {
+ case KAUTH_RESULT_DENY:
+ KAUTH_DEBUG("%p DENIED - denied by ACL", vcp->vp);
+ return (EACCES);
+ case KAUTH_RESULT_ALLOW:
+ KAUTH_DEBUG("%p ALLOWED - granted by ACL", vcp->vp);
+ return (0);
+ case KAUTH_RESULT_DEFER:
+ default:
+ /* Defer to directory */
+ KAUTH_DEBUG("%p DEFERRED - by file ACL", vcp->vp);
+ break;
+ }
+ }
+
+ /*
+ * Without a sticky bit, a previously authorized delete child is
+ * sufficient to authorize this delete.
+ *
+ * If the sticky bit is set, a directory ACL which allows delete child
+ * overrides a (potential) sticky bit deny. The authorized delete child
+ * cannot tell us if it was authorized because of an explicit delete
+ * child allow ACE or because of POSIX permisions so we have to check
+ * the directory ACL everytime if the directory has a sticky bit.
+ */
+ if (!(dvap->va_mode & S_ISTXT) && cached_delete_child) {
+ KAUTH_DEBUG("%p ALLOWED - granted by directory ACL or POSIX permissions and no sticky bit on directory", vcp->vp);
+ return (0);
+ }
+
+ /* check the ACL on the directory */
+ if (VATTR_IS_NOT(dvap, va_acl, NULL)) {
+ eval.ae_requested = KAUTH_VNODE_DELETE_CHILD;
+ eval.ae_acl = &dvap->va_acl->acl_ace[0];
+ eval.ae_count = dvap->va_acl->acl_entrycount;
+ eval.ae_options = 0;
+ if (vauth_dir_owner(vcp))
+ eval.ae_options |= KAUTH_AEVAL_IS_OWNER;
+ /*
+ * We use ENOENT as a marker to indicate we could not get
+ * information in order to delay evaluation until after we
+ * have the ACL evaluation answer. Previously, we would
+ * always deny the operation at this point.
+ */
+ if ((error = vauth_dir_ingroup(vcp, &ismember, ENOENT)) != 0 && error != ENOENT)
+ return(error);
+ if (error == ENOENT)
+ eval.ae_options |= KAUTH_AEVAL_IN_GROUP_UNKNOWN;
+ else if (ismember)
+ eval.ae_options |= KAUTH_AEVAL_IN_GROUP;
+ eval.ae_exp_gall = KAUTH_VNODE_GENERIC_ALL_BITS;
+ eval.ae_exp_gread = KAUTH_VNODE_GENERIC_READ_BITS;
+ eval.ae_exp_gwrite = KAUTH_VNODE_GENERIC_WRITE_BITS;
+ eval.ae_exp_gexec = KAUTH_VNODE_GENERIC_EXECUTE_BITS;
+
+ /*
+ * If there is no entry, we are going to defer to other
+ * authorization mechanisms.
+ */
+ error = kauth_acl_evaluate(cred, &eval);
+
+ if (error != 0) {
+ KAUTH_DEBUG("%p ERROR during ACL processing - %d", vcp->vp, error);
+ return (error);
+ }
+ switch(eval.ae_result) {
+ case KAUTH_RESULT_DENY:
+ KAUTH_DEBUG("%p DENIED - denied by directory ACL", vcp->vp);
+ return (EACCES);
+ case KAUTH_RESULT_ALLOW:
+ KAUTH_DEBUG("%p ALLOWED - granted by directory ACL", vcp->vp);
+ if (!cached_delete_child && vcp->dvp) {
+ vnode_cache_authorized_action(vcp->dvp,
+ vcp->ctx, KAUTH_VNODE_DELETE_CHILD);
+ }
+ return (0);
+ case KAUTH_RESULT_DEFER:
+ default:
+ /* Deferred by directory ACL */
+ KAUTH_DEBUG("%p DEFERRED - directory ACL", vcp->vp);
+ break;
+ }
+ }
+
+ /*
+ * From this point, we can't explicitly allow and if we reach the end
+ * of the function without a denial, then the delete is authorized.
+ */
+ if (!cached_delete_child) {
+ if (vnode_authorize_posix(vcp, VWRITE, 1 /* on_dir */) != 0) {
+ KAUTH_DEBUG("%p DENIED - denied by posix permisssions", vcp->vp);
+ return (EACCES);
+ }
+ /*
+ * Cache the authorized action on the vnode if allowed by the
+ * directory ACL or POSIX permissions. It is correct to cache
+ * this action even if sticky bit would deny deleting the node.
+ */
+ if (vcp->dvp) {
+ vnode_cache_authorized_action(vcp->dvp, vcp->ctx,
+ KAUTH_VNODE_DELETE_CHILD);
+ }
+ }
+
+ /* enforce sticky bit behaviour */
+ if ((dvap->va_mode & S_ISTXT) && !vauth_file_owner(vcp) && !vauth_dir_owner(vcp)) {
+ KAUTH_DEBUG("%p DENIED - sticky bit rules (user %d file %d dir %d)",
+ vcp->vp, cred->cr_posix.cr_uid, vap->va_uid, dvap->va_uid);
+ return (EACCES);
+ }
+
+ /* not denied, must be OK */
+ return (0);
+}
+
+
+/*
+ * Authorize an operation based on the node's attributes.
+ */
+static int
+vnode_authorize_simple(vauth_ctx vcp, kauth_ace_rights_t acl_rights, kauth_ace_rights_t preauth_rights, boolean_t *found_deny)
+{
+ struct vnode_attr *vap = vcp->vap;
+ kauth_cred_t cred = vcp->ctx->vc_ucred;
+ struct kauth_acl_eval eval;
+ int error, ismember;
+ mode_t posix_action;
+
+ /*
+ * If we are the file owner, we automatically have some rights.
+ *
+ * Do we need to expand this to support group ownership?
+ */
+ if (vauth_file_owner(vcp))
+ acl_rights &= ~(KAUTH_VNODE_WRITE_SECURITY);
+
+ /*
+ * If we are checking both TAKE_OWNERSHIP and WRITE_SECURITY, we can
+ * mask the latter. If TAKE_OWNERSHIP is requested the caller is about to
+ * change ownership to themselves, and WRITE_SECURITY is implicitly
+ * granted to the owner. We need to do this because at this point
+ * WRITE_SECURITY may not be granted as the caller is not currently
+ * the owner.
+ */
+ if ((acl_rights & KAUTH_VNODE_TAKE_OWNERSHIP) &&
+ (acl_rights & KAUTH_VNODE_WRITE_SECURITY))
+ acl_rights &= ~KAUTH_VNODE_WRITE_SECURITY;
+
+ if (acl_rights == 0) {
+ KAUTH_DEBUG("%p ALLOWED - implicit or no rights required", vcp->vp);
+ return(0);
+ }
+
+ /* if we have an ACL, evaluate it */
+ if (VATTR_IS_NOT(vap, va_acl, NULL)) {
+ eval.ae_requested = acl_rights;
+ eval.ae_acl = &vap->va_acl->acl_ace[0];
+ eval.ae_count = vap->va_acl->acl_entrycount;
+ eval.ae_options = 0;
+ if (vauth_file_owner(vcp))
+ eval.ae_options |= KAUTH_AEVAL_IS_OWNER;
+ /*
+ * We use ENOENT as a marker to indicate we could not get
+ * information in order to delay evaluation until after we
+ * have the ACL evaluation answer. Previously, we would
+ * always deny the operation at this point.
+ */
+ if ((error = vauth_file_ingroup(vcp, &ismember, ENOENT)) != 0 && error != ENOENT)
+ return(error);
+ if (error == ENOENT)
+ eval.ae_options |= KAUTH_AEVAL_IN_GROUP_UNKNOWN;
+ else if (ismember)
+ eval.ae_options |= KAUTH_AEVAL_IN_GROUP;
+ eval.ae_exp_gall = KAUTH_VNODE_GENERIC_ALL_BITS;
+ eval.ae_exp_gread = KAUTH_VNODE_GENERIC_READ_BITS;
+ eval.ae_exp_gwrite = KAUTH_VNODE_GENERIC_WRITE_BITS;
+ eval.ae_exp_gexec = KAUTH_VNODE_GENERIC_EXECUTE_BITS;
+
+ if ((error = kauth_acl_evaluate(cred, &eval)) != 0) {
+ KAUTH_DEBUG("%p ERROR during ACL processing - %d", vcp->vp, error);
+ return(error);
+ }
+
+ switch(eval.ae_result) {
+ case KAUTH_RESULT_DENY:
+ KAUTH_DEBUG("%p DENIED - by ACL", vcp->vp);
+ return(EACCES); /* deny, deny, counter-allege */
+ case KAUTH_RESULT_ALLOW:
+ KAUTH_DEBUG("%p ALLOWED - all rights granted by ACL", vcp->vp);
+ return(0);
+ case KAUTH_RESULT_DEFER:
+ default:
+ /* Effectively the same as !delete_child_denied */
+ KAUTH_DEBUG("%p DEFERRED - directory ACL", vcp->vp);
+ break;
+ }
+
+ *found_deny = eval.ae_found_deny;
+
+ /* fall through and evaluate residual rights */
+ } else {
+ /* no ACL, everything is residual */
+ eval.ae_residual = acl_rights;
+ }
+
+ /*
+ * Grant residual rights that have been pre-authorized.
+ */
+ eval.ae_residual &= ~preauth_rights;
+
+ /*
+ * We grant WRITE_ATTRIBUTES to the owner if it hasn't been denied.
+ */
+ if (vauth_file_owner(vcp))
+ eval.ae_residual &= ~KAUTH_VNODE_WRITE_ATTRIBUTES;
+
+ if (eval.ae_residual == 0) {
+ KAUTH_DEBUG("%p ALLOWED - rights already authorized", vcp->vp);
+ return(0);
+ }
+
+ /*
+ * Bail if we have residual rights that can't be granted by posix permissions,
+ * or aren't presumed granted at this point.
+ *
+ * XXX these can be collapsed for performance
+ */
+ if (eval.ae_residual & KAUTH_VNODE_CHANGE_OWNER) {
+ KAUTH_DEBUG("%p DENIED - CHANGE_OWNER not permitted", vcp->vp);
+ return(EACCES);
+ }
+ if (eval.ae_residual & KAUTH_VNODE_WRITE_SECURITY) {
+ KAUTH_DEBUG("%p DENIED - WRITE_SECURITY not permitted", vcp->vp);
+ return(EACCES);
+ }
+
+#if DIAGNOSTIC
+ if (eval.ae_residual & KAUTH_VNODE_DELETE)
+ panic("vnode_authorize: can't be checking delete permission here");
+#endif
+
+ /*
+ * Compute the fallback posix permissions that will satisfy the remaining
+ * rights.
+ */
+ posix_action = 0;
+ if (eval.ae_residual & (KAUTH_VNODE_READ_DATA |
+ KAUTH_VNODE_LIST_DIRECTORY |
+ KAUTH_VNODE_READ_EXTATTRIBUTES))
+ posix_action |= VREAD;
+ if (eval.ae_residual & (KAUTH_VNODE_WRITE_DATA |
+ KAUTH_VNODE_ADD_FILE |
+ KAUTH_VNODE_ADD_SUBDIRECTORY |
+ KAUTH_VNODE_DELETE_CHILD |
+ KAUTH_VNODE_WRITE_ATTRIBUTES |
+ KAUTH_VNODE_WRITE_EXTATTRIBUTES))
+ posix_action |= VWRITE;
+ if (eval.ae_residual & (KAUTH_VNODE_EXECUTE |
+ KAUTH_VNODE_SEARCH))
+ posix_action |= VEXEC;
+
+ if (posix_action != 0) {
+ return(vnode_authorize_posix(vcp, posix_action, 0 /* !on_dir */));
+ } else {
+ KAUTH_DEBUG("%p ALLOWED - residual rights %s%s%s%s%s%s%s%s%s%s%s%s%s%s granted due to no posix mapping",
+ vcp->vp,
+ (eval.ae_residual & KAUTH_VNODE_READ_DATA)
+ ? vnode_isdir(vcp->vp) ? " LIST_DIRECTORY" : " READ_DATA" : "",
+ (eval.ae_residual & KAUTH_VNODE_WRITE_DATA)
+ ? vnode_isdir(vcp->vp) ? " ADD_FILE" : " WRITE_DATA" : "",
+ (eval.ae_residual & KAUTH_VNODE_EXECUTE)
+ ? vnode_isdir(vcp->vp) ? " SEARCH" : " EXECUTE" : "",
+ (eval.ae_residual & KAUTH_VNODE_DELETE)
+ ? " DELETE" : "",
+ (eval.ae_residual & KAUTH_VNODE_APPEND_DATA)
+ ? vnode_isdir(vcp->vp) ? " ADD_SUBDIRECTORY" : " APPEND_DATA" : "",
+ (eval.ae_residual & KAUTH_VNODE_DELETE_CHILD)
+ ? " DELETE_CHILD" : "",
+ (eval.ae_residual & KAUTH_VNODE_READ_ATTRIBUTES)
+ ? " READ_ATTRIBUTES" : "",
+ (eval.ae_residual & KAUTH_VNODE_WRITE_ATTRIBUTES)
+ ? " WRITE_ATTRIBUTES" : "",
+ (eval.ae_residual & KAUTH_VNODE_READ_EXTATTRIBUTES)
+ ? " READ_EXTATTRIBUTES" : "",
+ (eval.ae_residual & KAUTH_VNODE_WRITE_EXTATTRIBUTES)
+ ? " WRITE_EXTATTRIBUTES" : "",
+ (eval.ae_residual & KAUTH_VNODE_READ_SECURITY)
+ ? " READ_SECURITY" : "",
+ (eval.ae_residual & KAUTH_VNODE_WRITE_SECURITY)
+ ? " WRITE_SECURITY" : "",
+ (eval.ae_residual & KAUTH_VNODE_CHECKIMMUTABLE)
+ ? " CHECKIMMUTABLE" : "",
+ (eval.ae_residual & KAUTH_VNODE_CHANGE_OWNER)
+ ? " CHANGE_OWNER" : "");
+ }
+
+ /*
+ * Lack of required Posix permissions implies no reason to deny access.
+ */
+ return(0);
+}
+
+/*
+ * Check for file immutability.
+ */
+static int
+vnode_authorize_checkimmutable(mount_t mp, struct vnode_attr *vap, int rights, int ignore)
+{
+ int error;
+ int append;
+
+ /*
+ * Perform immutability checks for operations that change data.
+ *
+ * Sockets, fifos and devices require special handling.
+ */
+ switch(vap->va_type) {
+ case VSOCK:
+ case VFIFO:
+ case VBLK:
+ case VCHR:
+ /*
+ * Writing to these nodes does not change the filesystem data,
+ * so forget that it's being tried.
+ */
+ rights &= ~KAUTH_VNODE_WRITE_DATA;
+ break;
+ default:
+ break;
+ }
+
+ error = 0;
+ if (rights & KAUTH_VNODE_WRITE_RIGHTS) {
+
+ /* check per-filesystem options if possible */
+ if (mp != NULL) {
+
+ /* check for no-EA filesystems */
+ if ((rights & KAUTH_VNODE_WRITE_EXTATTRIBUTES) &&
+ (vfs_flags(mp) & MNT_NOUSERXATTR)) {
+ KAUTH_DEBUG("%p DENIED - filesystem disallowed extended attributes", vp);
+ error = EACCES; /* User attributes disabled */
+ goto out;
+ }
+ }
+
+ /*
+ * check for file immutability. first, check if the requested rights are
+ * allowable for a UF_APPEND file.
+ */
+ append = 0;
+ if (vap->va_type == VDIR) {
+ if ((rights & (KAUTH_VNODE_ADD_FILE | KAUTH_VNODE_ADD_SUBDIRECTORY | KAUTH_VNODE_WRITE_EXTATTRIBUTES)) == rights)
+ append = 1;
+ } else {
+ if ((rights & (KAUTH_VNODE_APPEND_DATA | KAUTH_VNODE_WRITE_EXTATTRIBUTES)) == rights)
+ append = 1;
+ }
+ if ((error = vnode_immutable(vap, append, ignore)) != 0) {
+ KAUTH_DEBUG("%p DENIED - file is immutable", vp);
+ goto out;
+ }
+ }
+out:
+ return(error);
+}
+
+/*
+ * Handle authorization actions for filesystems that advertise that the
+ * server will be enforcing.
+ *
+ * Returns: 0 Authorization should be handled locally
+ * 1 Authorization was handled by the FS
+ *
+ * Note: Imputed returns will only occur if the authorization request
+ * was handled by the FS.
+ *
+ * Imputed: *resultp, modified Return code from FS when the request is
+ * handled by the FS.
+ * VNOP_ACCESS:???
+ * VNOP_OPEN:???
+ */
+static int
+vnode_authorize_opaque(vnode_t vp, int *resultp, kauth_action_t action, vfs_context_t ctx)
+{
+ int error;
+
+ /*
+ * If the vp is a device node, socket or FIFO it actually represents a local
projects / apple / xnu.git / blobdiff