From owner-svn-src-stable@FreeBSD.ORG Sat Mar 27 16:41:23 2010 Return-Path: Delivered-To: svn-src-stable@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 770731065672; Sat, 27 Mar 2010 16:41:23 +0000 (UTC) (envelope-from trasz@FreeBSD.org) Received: from svn.freebsd.org (svn.freebsd.org [IPv6:2001:4f8:fff6::2c]) by mx1.freebsd.org (Postfix) with ESMTP id 63E048FC16; Sat, 27 Mar 2010 16:41:23 +0000 (UTC) Received: from svn.freebsd.org (localhost [127.0.0.1]) by svn.freebsd.org (8.14.3/8.14.3) with ESMTP id o2RGfN8v040517; Sat, 27 Mar 2010 16:41:23 GMT (envelope-from trasz@svn.freebsd.org) Received: (from trasz@localhost) by svn.freebsd.org (8.14.3/8.14.3/Submit) id o2RGfNA4040511; Sat, 27 Mar 2010 16:41:23 GMT (envelope-from trasz@svn.freebsd.org) Message-Id: <201003271641.o2RGfNA4040511@svn.freebsd.org> From: Edward Tomasz Napierala Date: Sat, 27 Mar 2010 16:41:23 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-8@freebsd.org X-SVN-Group: stable-8 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Cc: Subject: svn commit: r205740 - stable/8/share/man/man9 X-BeenThere: svn-src-stable@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: SVN commit messages for all the -stable branches of the src tree List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 27 Mar 2010 16:41:23 -0000 Author: trasz Date: Sat Mar 27 16:41:23 2010 New Revision: 205740 URL: http://svn.freebsd.org/changeset/base/205740 Log: MFC r197405, missing part: Add pieces of infrastructure required for NFSv4 ACL support in UFS. Reviewed by: rwatson Added: stable/8/share/man/man9/vaccess_acl_nfs4.9 - copied unchanged from r197405, head/share/man/man9/vaccess_acl_nfs4.9 Modified: stable/8/share/man/man9/Makefile stable/8/share/man/man9/VOP_ACCESS.9 stable/8/share/man/man9/acl.9 stable/8/share/man/man9/vaccess.9 Directory Properties: stable/8/share/man/man9/ (props changed) Modified: stable/8/share/man/man9/Makefile ============================================================================== --- stable/8/share/man/man9/Makefile Sat Mar 27 16:35:25 2010 (r205739) +++ stable/8/share/man/man9/Makefile Sat Mar 27 16:41:23 2010 (r205740) @@ -255,6 +255,7 @@ MAN= accept_filter.9 \ usbdi.9 \ utopia.9 \ vaccess.9 \ + vaccess_acl_nfs4.9 \ vaccess_acl_posix1e.9 \ vcount.9 \ vflush.9 \ Modified: stable/8/share/man/man9/VOP_ACCESS.9 ============================================================================== --- stable/8/share/man/man9/VOP_ACCESS.9 Sat Mar 27 16:35:25 2010 (r205739) +++ stable/8/share/man/man9/VOP_ACCESS.9 Sat Mar 27 16:41:23 2010 (r205740) @@ -29,7 +29,7 @@ .\" .\" $FreeBSD$ .\" -.Dd June 1, 2009 +.Dd September 18, 2009 .Os .Dt VOP_ACCESS 9 .Sh NAME @@ -95,6 +95,7 @@ requested access. .El .Sh SEE ALSO .Xr vaccess 9 , +.Xr vaccess_acl_nfs4 9 , .Xr vaccess_acl_posix1e 9 , .Xr vnode 9 .Sh AUTHORS Modified: stable/8/share/man/man9/acl.9 ============================================================================== --- stable/8/share/man/man9/acl.9 Sat Mar 27 16:35:25 2010 (r205739) +++ stable/8/share/man/man9/acl.9 Sat Mar 27 16:41:23 2010 (r205740) @@ -25,7 +25,7 @@ .\" .\" $FreeBSD$ .\" -.Dd December 23, 1999 +.Dd September 18, 2009 .Os .Dt ACL 9 .Sh NAME @@ -207,6 +207,7 @@ The following values are valid: .El .Sh SEE ALSO .Xr acl 3 , +.Xr vaccess_acl_nfs4 9 , .Xr vaccess_acl_posix1e 9 , .Xr VFS 9 , .Xr vnaccess 9 , Modified: stable/8/share/man/man9/vaccess.9 ============================================================================== --- stable/8/share/man/man9/vaccess.9 Sat Mar 27 16:35:25 2010 (r205739) +++ stable/8/share/man/man9/vaccess.9 Sat Mar 27 16:41:23 2010 (r205740) @@ -25,7 +25,7 @@ .\" .\" $FreeBSD$ .\" -.Dd August 22, 2001 +.Dd September 18, 2009 .Os .Dt VACCESS 9 .Sh NAME @@ -117,6 +117,7 @@ An attempt was made to perform an operat appropriate privileges or to the owner of a file or other resource. .El .Sh SEE ALSO +.Xr vaccess_acl_nfs4 9 , .Xr vaccess_acl_posix1e 9 , .Xr vnode 9 , .Xr VOP_ACCESS 9 Copied: stable/8/share/man/man9/vaccess_acl_nfs4.9 (from r197405, head/share/man/man9/vaccess_acl_nfs4.9) ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ stable/8/share/man/man9/vaccess_acl_nfs4.9 Sat Mar 27 16:41:23 2010 (r205740, copy of r197405, head/share/man/man9/vaccess_acl_nfs4.9) @@ -0,0 +1,129 @@ +.\"- +.\" Copyright (c) 2001 Robert N. M. Watson +.\" All rights reserved. +.\" +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that the following conditions +.\" are met: +.\" 1. Redistributions of source code must retain the above copyright +.\" notice, this list of conditions and the following disclaimer. +.\" 2. Redistributions in binary form must reproduce the above copyright +.\" notice, this list of conditions and the following disclaimer in the +.\" documentation and/or other materials provided with the distribution. +.\" +.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND +.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE +.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +.\" SUCH DAMAGE. +.\" +.\" $FreeBSD$ +.\" +.Dd September 18, 2009 +.Os +.Dt VACCESS_ACL_NFS4 9 +.Sh NAME +.Nm vaccess_acl_nfs4 +.Nd generate a NFSv4 ACL access control decision using vnode parameters +.Sh SYNOPSIS +.In sys/param.h +.In sys/vnode.h +.In sys/acl.h +.Ft int +.Fo vaccess_acl_nfs4 +.Fa "enum vtype type" +.Fa "uid_t file_uid" +.Fa "gid_t file_gid" +.Fa "struct acl *acl" +.Fa "accmode_t accmode" +.Fa "struct ucred *cred" +.Fa "int *privused" +.Fc +.Sh DESCRIPTION +This call implements the logic for the +.Ux +discretionary file security model +with NFSv4 ACL extensions. +It accepts the vnodes type +.Fa type , +owning UID +.Fa file_uid , +owning GID +.Fa file_gid , +access ACL for the file +.Fa acl , +desired access mode +.Fa accmode , +requesting credential +.Fa cred , +and an optional call-by-reference +.Vt int +pointer returning whether or not +privilege was required for successful evaluation of the call; the +.Fa privused +pointer may be set to +.Dv NULL +by the caller in order not to be informed of +privilege information, or it may point to an integer that will be set to +1 if privilege is used, and 0 otherwise. +.Pp +This call is intended to support implementations of +.Xr VOP_ACCESS 9 , +which will use their own access methods to retrieve the vnode properties, +and then invoke +.Fn vaccess_acl_nfs4 +in order to perform the actual check. +Implementations of +.Xr VOP_ACCESS 9 +may choose to implement additional security mechanisms whose results will +be composed with the return value. +.Pp +The algorithm used by +.Fn vaccess_acl_nfs4 +is based on the NFSv4 ACL evaluation algorithm, as described in +NFSv4 Minor Version 1, draft-ietf-nfsv4-minorversion1-21.txt. +The algorithm selects a +.Em matching +entry from the access ACL, which may +then be composed with an available ACL mask entry, providing +.Ux +security compatibility. +.Pp +Once appropriate protections are selected for the current credential, +the requested access mode, in combination with the vnode type, will be +compared with the discretionary rights available for the credential. +If the rights granted by discretionary protections are insufficient, +then super-user privilege, if available for the credential, will also be +considered. +.Sh RETURN VALUES +.Fn vaccess_acl_nfs4 +will return 0 on success, or a non-zero error value on failure. +.Sh ERRORS +.Bl -tag -width Er +.It Bq Er EACCES +Permission denied. +An attempt was made to access a file in a way forbidden by its file access +permissions. +.It Bq Er EPERM +Operation not permitted. +An attempt was made to perform an operation limited to processes with +appropriate privileges or to the owner of a file or other resource. +.El +.Sh SEE ALSO +.Xr vaccess 9 , +.Xr vnode 9 , +.Xr VOP_ACCESS 9 +.Sh AUTHORS +Current implementation of +.Fn vaccess_acl_nfs4 +was written by +.An Edward Tomasz Napierala Aq trasz@FreeBSD.org . +.Sh BUGS +This manual page should include a full description of the NFSv4 ACL +evaluation algorithm, or cross reference another page that does.