diff options
Diffstat (limited to 'static/netbsd/man9/genfs_can_access_acl_posix1e.9')
| -rw-r--r-- | static/netbsd/man9/genfs_can_access_acl_posix1e.9 | 120 |
1 files changed, 120 insertions, 0 deletions
diff --git a/static/netbsd/man9/genfs_can_access_acl_posix1e.9 b/static/netbsd/man9/genfs_can_access_acl_posix1e.9 new file mode 100644 index 00000000..780e84cb --- /dev/null +++ b/static/netbsd/man9/genfs_can_access_acl_posix1e.9 @@ -0,0 +1,120 @@ +.\" $NetBSD: genfs_can_access_acl_posix1e.9,v 1.1 2022/01/17 19:08:06 christos Exp $ +.\"- +.\" Copyright (c) 2001 Robert N. M. Watson +.\" All rights reserved. +.\" +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that the following conditions +.\" are met: +.\" 1. Redistributions of source code must retain the above copyright +.\" notice, this list of conditions and the following disclaimer. +.\" 2. Redistributions in binary form must reproduce the above copyright +.\" notice, this list of conditions and the following disclaimer in the +.\" documentation and/or other materials provided with the distribution. +.\" +.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND +.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE +.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +.\" SUCH DAMAGE. +.\" +.\" $FreeBSD: head/share/man/man9/genfs_can_access_acl_posix1e.9 206622 2010-04-14 19:08:06Z uqs $ +.\" +.Dd January 17, 2022 +.Dt GENFS_CAN_ACCESS_ACL_POSIX1E 9 +.Os +.Sh NAME +.Nm genfs_can_access_acl_posix1e +.Nd generate a POSIX.1e ACL access control decision using vnode parameters +.Sh SYNOPSIS +.In miscfs/genfs/genfs.h +.Ft int +.Fo genfs_can_access_acl_posix1e +.Fa "struct vnode *vp" +.Fa "kauth_cred_t cred" +.Fa "uid_t file_uid" +.Fa "gid_t file_gid" +.Fa "mode_t file_mode" +.Fa "struct acl *acl" +.Fa "accmode_t accmode" +.Fc +.Sh DESCRIPTION +This call implements the logic for the +.Ux +discretionary file security model +with POSIX.1e ACL extensions. +It accepts the vnode +.Fa vp , +requesting credential +.Fa cred , +owning UID +.Fa file_uid , +owning GID +.Fa file_gid , +file permissions +.Fa file_mode , +access ACL for the file +.Fa acl , +and +desired access mode +.Fa accmode . +.Pp +This call is intended to support implementations of +.Xr VOP_ACCESS 9 , +which will use their own access methods to retrieve the vnode properties, +and then invoke +.Fn genfs_can_access_acl_posix1e +in order to perform the actual check. +Implementations of +.Xr VOP_ACCESS 9 +may choose to implement additional security mechanisms whose results will +be composed with the return value. +.Pp +The algorithm used by +.Fn genfs_can_access_acl_posix1e +is based on the POSIX.1e ACL evaluation algorithm. +The algorithm selects a +.Em matching +entry from the access ACL, which may +then be composed with an available ACL mask entry, providing +.Ux +security compatibility. +.Pp +Once appropriate protections are selected for the current credential, +the requested access mode, in combination with the vnode type, will be +compared with the discretionary rights available for the credential. +If the rights granted by discretionary protections are insufficient, +then super-user privilege, if available for the credential, will also be +considered. +.Sh RETURN VALUES +.Fn genfs_can_access_acl_posix1e +will return 0 on success, or a non-zero error value on failure. +.Sh ERRORS +.Bl -tag -width Er +.It Bq Er EACCES +Permission denied. +An attempt was made to access a file in a way forbidden by its file access +permissions. +.It Bq Er EPERM +Operation not permitted. +An attempt was made to perform an operation limited to processes with +appropriate privileges or to the owner of a file or other resource. +.El +.Sh SEE ALSO +.Xr genfs_can_access 9 , +.Xr vnode 9 , +.Xr VOP_ACCESS 9 +.Sh AUTHORS +This manual page and the current implementation of +.Fn genfs_can_access_acl_posix1e +were written by +.An Robert Watson . +.Sh BUGS +This manual page should include a full description of the POSIX.1e ACL +evaluation algorithm, or cross reference another page that does. |