fsal_status_t fsal_check_access(fsal_op_context_t * p_context, /* IN */
fsal_accessflags_t access_type, /* IN */
struct stat *p_buffstat, /* IN */
fsal_attrib_list_t * p_object_attributes /* IN */ )
{
/* sanity checks. */
if((!p_object_attributes && !p_buffstat) || !p_context)
ReturnCode(ERR_FSAL_FAULT, 0);
/* The root user ignores the mode/uid/gid of the file */
#ifdef _USE_HPSS
if(p_context->credential.hpss_usercred.Uid == 0)
ReturnCode(ERR_FSAL_NO_ERROR, 0);
#else
if(p_context->credential.user == 0)
ReturnCode(ERR_FSAL_NO_ERROR, 0);
#endif
#ifdef _USE_NFS4_ACL
/* If ACL exists and given access type is ace4 mask, use ACL to check access. */
LogDebug(COMPONENT_FSAL, "fsal_check_access: pattr=%p, pacl=%p, is_ace4_mask=%d",
p_object_attributes, p_object_attributes ? p_object_attributes->acl : 0,
IS_FSAL_ACE4_MASK_VALID(access_type));
if(p_object_attributes && p_object_attributes->acl &&
IS_FSAL_ACE4_MASK_VALID(access_type))
{
return fsal_check_access_acl(p_context, FSAL_ACE4_MASK(access_type),
p_object_attributes);
}
#endif
/* Use mode to check access. */
return fsal_check_access_no_acl(p_context, FSAL_MODE_MASK(access_type),
p_buffstat, p_object_attributes);
LogDebug(COMPONENT_FSAL, "fsal_check_access: invalid access_type = 0X%x",
access_type);
ReturnCode(ERR_FSAL_ACCESS, 0);
}
/* XXX : ACL */
fsal_status_t fsal_internal_testAccess(fsal_op_context_t * p_context, /* IN */
fsal_accessflags_t access_type, /* IN */
struct stat * p_buffstat, /* IN */
fsal_attrib_list_t * p_object_attributes /* IN */ )
{
fsal_accessflags_t missing_access;
unsigned int is_grp, i;
fsal_uid_t uid;
fsal_gid_t gid;
fsal_accessmode_t mode;
fsal_uid_t userid = ((vfsfsal_op_context_t *)p_context)->credential.user;
fsal_uid_t groupid = ((vfsfsal_op_context_t *)p_context)->credential.group;
/* sanity checks. */
if((!p_object_attributes && !p_buffstat) || !p_context)
ReturnCode(ERR_FSAL_FAULT, 0);
/* If the FSAL_F_OK flag is set, returns ERR INVAL */
if(access_type & FSAL_F_OK)
ReturnCode(ERR_FSAL_INVAL, 0);
/* test root access */
if(userid == 0)
ReturnCode(ERR_FSAL_NO_ERROR, 0);
/* unsatisfied flags */
missing_access = FSAL_MODE_MASK(access_type); /* only modes, no ACLs here */
if(p_object_attributes)
{
uid = p_object_attributes->owner;
gid = p_object_attributes->group;
mode = p_object_attributes->mode;
}
else
{
uid = p_buffstat->st_uid;
gid = p_buffstat->st_gid;
mode = unix2fsal_mode(p_buffstat->st_mode);
}
/* Test if file belongs to user. */
if(userid == uid)
{
LogFullDebug(COMPONENT_FSAL, "File belongs to user %d", uid);
if(mode & FSAL_MODE_RUSR)
missing_access &= ~FSAL_R_OK;
if(mode & FSAL_MODE_WUSR)
missing_access &= ~FSAL_W_OK;
if(mode & FSAL_MODE_XUSR)
missing_access &= ~FSAL_X_OK;
/* handle the creation of a new 500 file correctly */
if((missing_access & FSAL_OWNER_OK) != 0)
missing_access = 0;
if(missing_access == 0)
ReturnCode(ERR_FSAL_NO_ERROR, 0);
else
{
LogFullDebug(COMPONENT_FSAL,
"Mode=%#o, Access=%#o, Rights missing: %#o", mode,
access_type, missing_access);
ReturnCode(ERR_FSAL_ACCESS, 0);
}
}
/* missing_access will be nonzero triggering a failure
* even though FSAL_OWNER_OK is not even a real posix file
* permission */
missing_access &= ~FSAL_OWNER_OK;
/* Test if the file belongs to user's group. */
is_grp = (groupid == gid);
if(is_grp)
LogFullDebug(COMPONENT_FSAL, "File belongs to user's group %d",
groupid);
/* Test if file belongs to alt user's groups */
if(!is_grp)
{
for(i = 0; i < ((vfsfsal_op_context_t *)p_context)->credential.nbgroups; i++)
{
is_grp = (((vfsfsal_op_context_t *)p_context)->credential.alt_groups[i] == gid);
if(is_grp)
LogFullDebug(COMPONENT_FSAL,
"File belongs to user's alt group %d",
((vfsfsal_op_context_t *)p_context)->credential.alt_groups[i]);
// exits loop if found
if(is_grp)
break;
}
}
/* finally apply group rights */
if(is_grp)
{
if(mode & FSAL_MODE_RGRP)
missing_access &= ~FSAL_R_OK;
if(mode & FSAL_MODE_WGRP)
missing_access &= ~FSAL_W_OK;
if(mode & FSAL_MODE_XGRP)
missing_access &= ~FSAL_X_OK;
if(missing_access == 0)
ReturnCode(ERR_FSAL_NO_ERROR, 0);
else
ReturnCode(ERR_FSAL_ACCESS, 0);
}
/* test other perms */
if(mode & FSAL_MODE_ROTH)
missing_access &= ~FSAL_R_OK;
if(mode & FSAL_MODE_WOTH)
missing_access &= ~FSAL_W_OK;
if(mode & FSAL_MODE_XOTH)
missing_access &= ~FSAL_X_OK;
/* XXX ACLs. */
if(missing_access == 0)
ReturnCode(ERR_FSAL_NO_ERROR, 0);
else
ReturnCode(ERR_FSAL_ACCESS, 0);
}
/* XXX : ACL */
fsal_status_t fsal_internal_testAccess(posixfsal_op_context_t * p_context, /* IN */
fsal_accessflags_t access_type, /* IN */
struct stat * p_buffstat, /* IN */
fsal_attrib_list_t * p_object_attributes /* IN */ )
{
fsal_accessflags_t missing_access;
unsigned int is_grp, i;
fsal_uid_t uid;
fsal_gid_t gid;
fsal_accessmode_t mode;
/* sanity checks. */
if((!p_object_attributes && !p_buffstat) || !p_context)
ReturnCode(ERR_FSAL_FAULT, 0);
/* If the FSAL_F_OK flag is set, returns ERR INVAL */
if(access_type & FSAL_F_OK)
ReturnCode(ERR_FSAL_INVAL, 0);
/* test root access */
if(p_context->credential.user == 0)
ReturnCode(ERR_FSAL_NO_ERROR, 0);
/* unsatisfied flags */
missing_access = FSAL_MODE_MASK(access_type); /* only modes, no ACLs here */
if(p_object_attributes)
{
uid = p_object_attributes->owner;
gid = p_object_attributes->group;
mode = p_object_attributes->mode;
}
else
{
uid = p_buffstat->st_uid;
gid = p_buffstat->st_gid;
mode = unix2fsal_mode(p_buffstat->st_mode);
}
/* Test if file belongs to user. */
if(p_context->credential.user == uid)
{
LogFullDebug(COMPONENT_FSAL, "File belongs to user %d", uid);
if(mode & FSAL_MODE_RUSR)
missing_access &= ~FSAL_R_OK;
if(mode & FSAL_MODE_WUSR)
missing_access &= ~FSAL_W_OK;
if(mode & FSAL_MODE_XUSR)
missing_access &= ~FSAL_X_OK;
if((missing_access & FSAL_OWNER_OK) != 0)
missing_access = 0;
if(missing_access == 0)
ReturnCode(ERR_FSAL_NO_ERROR, 0);
else
ReturnCode(ERR_FSAL_ACCESS, 0);
}
/* FSAL_OWNER_OK allows overriding checks if the file is owned by the
* requester. It shouldn't take part in any further tests */
missing_access &= ~FSAL_OWNER_OK;
/* Test if the file belongs to user's group. */
is_grp = (p_context->credential.group == gid);
if(is_grp)
LogFullDebug(COMPONENT_FSAL, "File belongs to user's group %d",
p_context->credential.group);
/* Test if file belongs to alt user's groups */
if(!is_grp)
{
for(i = 0; i < p_context->credential.nbgroups; i++)
{
is_grp = (p_context->credential.alt_groups[i] == gid);
if(is_grp)
LogFullDebug(COMPONENT_FSAL,
"File belongs to user's alt group %d",
p_context->credential.alt_groups[i]);
// exits loop if found
if(is_grp)
break;
}
}
/* finally apply group rights */
if(is_grp)
{
if(mode & FSAL_MODE_RGRP)
missing_access &= ~FSAL_R_OK;
if(mode & FSAL_MODE_WGRP)
missing_access &= ~FSAL_W_OK;
if(mode & FSAL_MODE_XGRP)
missing_access &= ~FSAL_X_OK;
if(missing_access == 0)
ReturnCode(ERR_FSAL_NO_ERROR, 0);
else
ReturnCode(ERR_FSAL_ACCESS, 0);
}
/* test other perms */
if(mode & FSAL_MODE_ROTH)
missing_access &= ~FSAL_R_OK;
if(mode & FSAL_MODE_WOTH)
missing_access &= ~FSAL_W_OK;
if(mode & FSAL_MODE_XOTH)
missing_access &= ~FSAL_X_OK;
/* XXX ACLs. */
if(missing_access == 0)
ReturnCode(ERR_FSAL_NO_ERROR, 0);
else
ReturnCode(ERR_FSAL_ACCESS, 0);
}
/*
Check the access from an existing fsal_attrib_list_t or struct stat
*/
fsal_status_t fsal_internal_testAccess(cephfsal_op_context_t* context,
fsal_accessflags_t access_type,
struct stat * st,
fsal_attrib_list_t * object_attributes)
{
fsal_accessflags_t missing_access;
unsigned int is_grp, i;
fsal_uid_t uid;
fsal_gid_t gid;
fsal_accessmode_t mode;
fsal_uid_t userid = context->credential.user;
fsal_uid_t groupid = context->credential.group;
/* sanity checks. */
if((!object_attributes && !st) || !context)
ReturnCode(ERR_FSAL_FAULT, 0);
/* If the FSAL_F_OK flag is set, returns ERR INVAL */
if(access_type & FSAL_F_OK)
ReturnCode(ERR_FSAL_INVAL, 0);
/* test root access */
if(userid == 0)
ReturnCode(ERR_FSAL_NO_ERROR, 0);
/* unsatisfied flags */
missing_access = FSAL_MODE_MASK(access_type); /* only modes, no ACLs here */
if(object_attributes)
{
uid = object_attributes->owner;
gid = object_attributes->group;
mode = object_attributes->mode;
}
else
{
uid = st->st_uid;
gid = st->st_gid;
mode = unix2fsal_mode(st->st_mode);
}
/* Test if file belongs to user. */
if(userid == uid)
{
LogFullDebug(COMPONENT_FSAL, "File belongs to user %d", uid);
if(mode & FSAL_MODE_RUSR)
missing_access &= ~FSAL_R_OK;
if(mode & FSAL_MODE_WUSR)
missing_access &= ~FSAL_W_OK;
if(mode & FSAL_MODE_XUSR)
missing_access &= ~FSAL_X_OK;
if((missing_access & FSAL_OWNER_OK) != 0)
missing_access = 0;
if(missing_access == 0)
ReturnCode(ERR_FSAL_NO_ERROR, 0);
else
{
LogFullDebug(COMPONENT_FSAL,
"Mode=%#o, Access=%#o, Rights missing: %#o", mode,
access_type, missing_access);
ReturnCode(ERR_FSAL_ACCESS, 0);
}
}
/* Test if the file belongs to user's group. */
is_grp = (groupid == gid);
if(is_grp)
LogFullDebug(COMPONENT_FSAL, "File belongs to user's group %d",
groupid);
/* Test if file belongs to alt user's groups */
if(!is_grp)
{
for(i = 0; i < context->credential.nbgroups; i++)
{
is_grp = context->credential.alt_groups[i] == gid;
if(is_grp)
LogFullDebug(COMPONENT_FSAL,
"File belongs to user's alt group %d",
context->credential.alt_groups[i]);
// exits loop if found
if(is_grp)
break;
}
}
/* finally apply group rights */
if(is_grp)
{
if(mode & FSAL_MODE_RGRP)
missing_access &= ~FSAL_R_OK;
if(mode & FSAL_MODE_WGRP)
missing_access &= ~FSAL_W_OK;
if(mode & FSAL_MODE_XGRP)
missing_access &= ~FSAL_X_OK;
if(missing_access == 0)
ReturnCode(ERR_FSAL_NO_ERROR, 0);
else
ReturnCode(ERR_FSAL_ACCESS, 0);
}
/* test other perms */
if(mode & FSAL_MODE_ROTH)
missing_access &= ~FSAL_R_OK;
if(mode & FSAL_MODE_WOTH)
missing_access &= ~FSAL_W_OK;
if(mode & FSAL_MODE_XOTH)
missing_access &= ~FSAL_X_OK;
if(missing_access == 0)
ReturnCode(ERR_FSAL_NO_ERROR, 0);
else
ReturnCode(ERR_FSAL_ACCESS, 0);
}
