MFC r197405, missing part:

Add pieces of infrastructure required for NFSv4 ACL support in UFS.

Reviewed by:	rwatson

5 files changed, 136 insertions, 3 deletions

diff --git a/share/man/man9/Makefile b/share/man/man9/Makefile
index 8af826c..65d9e8d 100644
--- a/share/man/man9/Makefile
+++ b/share/man/man9/Makefile
@@ -255,6 +255,7 @@ MAN=	accept_filter.9 \
 	usbdi.9 \
 	utopia.9 \
 	vaccess.9 \
+	vaccess_acl_nfs4.9 \
 	vaccess_acl_posix1e.9 \
 	vcount.9 \
 	vflush.9 \
diff --git a/share/man/man9/VOP_ACCESS.9 b/share/man/man9/VOP_ACCESS.9
index 533cd50a..927c118 100644
--- a/share/man/man9/VOP_ACCESS.9
+++ b/share/man/man9/VOP_ACCESS.9
@@ -29,7 +29,7 @@
 .\"
 .\" $FreeBSD$
 .\"
-.Dd June 1, 2009
+.Dd September 18, 2009
 .Os
 .Dt VOP_ACCESS 9
 .Sh NAME
@@ -95,6 +95,7 @@ requested access.
 .El
 .Sh SEE ALSO
 .Xr vaccess 9 ,
+.Xr vaccess_acl_nfs4 9 ,
 .Xr vaccess_acl_posix1e 9 ,
 .Xr vnode 9
 .Sh AUTHORS
diff --git a/share/man/man9/acl.9 b/share/man/man9/acl.9
index c7ba840..c5192fc 100644
--- a/share/man/man9/acl.9
+++ b/share/man/man9/acl.9
@@ -25,7 +25,7 @@
 .\"
 .\" $FreeBSD$
 .\"
-.Dd December 23, 1999
+.Dd September 18, 2009
 .Os
 .Dt ACL 9
 .Sh NAME
@@ -207,6 +207,7 @@ The following values are valid:
 .El
 .Sh SEE ALSO
 .Xr acl 3 ,
+.Xr vaccess_acl_nfs4 9 ,
 .Xr vaccess_acl_posix1e 9 ,
 .Xr VFS 9 ,
 .Xr vnaccess 9 ,
diff --git a/share/man/man9/vaccess.9 b/share/man/man9/vaccess.9
index 5315d98..a2e2ec5 100644
--- a/share/man/man9/vaccess.9
+++ b/share/man/man9/vaccess.9
@@ -25,7 +25,7 @@
 .\"
 .\" $FreeBSD$
 .\"
-.Dd August 22, 2001
+.Dd September 18, 2009
 .Os
 .Dt VACCESS 9
 .Sh NAME
@@ -117,6 +117,7 @@ An attempt was made to perform an operation limited to processes with
 appropriate privileges or to the owner of a file or other resource.
 .El
 .Sh SEE ALSO
+.Xr vaccess_acl_nfs4 9 ,
 .Xr vaccess_acl_posix1e 9 ,
 .Xr vnode 9 ,
 .Xr VOP_ACCESS 9
diff --git a/share/man/man9/vaccess_acl_nfs4.9 b/share/man/man9/vaccess_acl_nfs4.9
new file mode 100644
index 0000000..32cbdb3
--- /dev/null
+++ b/share/man/man9/vaccess_acl_nfs4.9
@@ -0,0 +1,129 @@
+.\"-
+.\" Copyright (c) 2001 Robert N. M. Watson
+.\" All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\"    notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\"    notice, this list of conditions and the following disclaimer in the
+.\"    documentation and/or other materials provided with the distribution.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+.\" SUCH DAMAGE.
+.\"
+.\" $FreeBSD$
+.\"
+.Dd September 18, 2009
+.Os
+.Dt VACCESS_ACL_NFS4 9
+.Sh NAME
+.Nm vaccess_acl_nfs4
+.Nd generate a NFSv4 ACL access control decision using vnode parameters
+.Sh SYNOPSIS
+.In sys/param.h
+.In sys/vnode.h
+.In sys/acl.h
+.Ft int
+.Fo vaccess_acl_nfs4
+.Fa "enum vtype type"
+.Fa "uid_t file_uid"
+.Fa "gid_t file_gid"
+.Fa "struct acl *acl"
+.Fa "accmode_t accmode"
+.Fa "struct ucred *cred"
+.Fa "int *privused"
+.Fc
+.Sh DESCRIPTION
+This call implements the logic for the
+.Ux
+discretionary file security model
+with NFSv4 ACL extensions.
+It accepts the vnodes type
+.Fa type ,
+owning UID
+.Fa file_uid ,
+owning GID
+.Fa file_gid ,
+access ACL for the file
+.Fa acl ,
+desired access mode
+.Fa accmode ,
+requesting credential
+.Fa cred ,
+and an optional call-by-reference
+.Vt int
+pointer returning whether or not
+privilege was required for successful evaluation of the call; the
+.Fa privused
+pointer may be set to
+.Dv NULL
+by the caller in order not to be informed of
+privilege information, or it may point to an integer that will be set to
+1 if privilege is used, and 0 otherwise.
+.Pp
+This call is intended to support implementations of
+.Xr VOP_ACCESS 9 ,
+which will use their own access methods to retrieve the vnode properties,
+and then invoke
+.Fn vaccess_acl_nfs4
+in order to perform the actual check.
+Implementations of
+.Xr VOP_ACCESS 9
+may choose to implement additional security mechanisms whose results will
+be composed with the return value.
+.Pp
+The algorithm used by
+.Fn vaccess_acl_nfs4
+is based on the NFSv4 ACL evaluation algorithm, as described in
+NFSv4 Minor Version 1, draft-ietf-nfsv4-minorversion1-21.txt.
+The algorithm selects a
+.Em matching
+entry from the access ACL, which may
+then be composed with an available ACL mask entry, providing
+.Ux
+security compatibility.
+.Pp
+Once appropriate protections are selected for the current credential,
+the requested access mode, in combination with the vnode type, will be
+compared with the discretionary rights available for the credential.
+If the rights granted by discretionary protections are insufficient,
+then super-user privilege, if available for the credential, will also be
+considered.
+.Sh RETURN VALUES
+.Fn vaccess_acl_nfs4
+will return 0 on success, or a non-zero error value on failure.
+.Sh ERRORS
+.Bl -tag -width Er
+.It Bq Er EACCES
+Permission denied.
+An attempt was made to access a file in a way forbidden by its file access
+permissions.
+.It Bq Er EPERM
+Operation not permitted.
+An attempt was made to perform an operation limited to processes with
+appropriate privileges or to the owner of a file or other resource.
+.El
+.Sh SEE ALSO
+.Xr vaccess 9 ,
+.Xr vnode 9 ,
+.Xr VOP_ACCESS 9
+.Sh AUTHORS
+Current implementation of
+.Fn vaccess_acl_nfs4
+was written by
+.An Edward Tomasz Napierala Aq trasz@FreeBSD.org .
+.Sh BUGS
+This manual page should include a full description of the NFSv4 ACL
+evaluation algorithm, or cross reference another page that does.