Provided by: freebsd-manpages_12.2-2_all

NAME

       vaccess_acl_nfs4 — generate an NFSv4 ACL access control decision using vnode parameters

SYNOPSIS

       #include <sys/param.h>
       #include <sys/vnode.h>
       #include <sys/acl.h>

       int
       vaccess_acl_nfs4(enum vtype type,  uid_t file_uid,  gid_t file_gid,  struct acl *acl,  accmode_t accmode,
           struct ucred *cred, int *privused);

DESCRIPTION

       This call implements the logic for the Unix discretionary file security model with NFSv4 ACL  extensions.
       It accepts the vnode's type type, owning UID file_uid, owning GID file_gid, access ACL for the file acl,
       desired access mode accmode, requesting credential cred, and an optional  call-by-reference  int  pointer
       returning  whether  or  not  privilege  was  required for successful evaluation of the call; the privused
       pointer may be set to NULL by the caller in order not to be informed of privilege information, or it  may
       point to an integer that will be set to 1 if privilege is used, and 0 otherwise.

       This  call  is  intended  to  support  implementations  of VOP_ACCESS(9), which will use their own access
       methods to retrieve the vnode properties, and then invoke vaccess_acl_nfs4()  in  order  to  perform  the
       actual  check.   Implementations  of VOP_ACCESS(9) may choose to implement additional security mechanisms
       whose results will be composed with the return value.

       The algorithm used by vaccess_acl_nfs4() is based on the NFSv4 ACL evaluation algorithm, as described  in
       NFSv4  Minor  Version  1,  draft-ietf-nfsv4-minorversion1-21.txt.  The algorithm selects a matching entry
       from the access ACL, which may then be composed with an available ACL mask entry, providing Unix security
       compatibility.

       Once appropriate protections are selected for the current  credential,  the  requested  access  mode,  in
       combination  with  the  vnode  type,  will  be  compared  with the discretionary rights available for the
       credential.  If the rights  granted  by  discretionary  protections  are  insufficient,  then  super-user
       privilege, if available for the credential, will also be considered.

RETURN VALUES

       vaccess_acl_nfs4() will return 0 on success, or a non-zero error value on failure.

ERRORS

       [EACCES]           Permission  denied.   An  attempt  was made to access a file in a way forbidden by its
                          file access permissions.

       [EPERM]            Operation not permitted.  An attempt was made  to  perform  an  operation  limited  to
                          processes with appropriate privileges or to the owner of a file or other resource.

SEE ALSO

       vaccess(9), vnode(9), VOP_ACCESS(9)

AUTHORS

       The current implementation of vaccess_acl_nfs4() was written by Edward Tomasz Napierala <trasz@FreeBSD.org>.

BUGS

       This  manual  page  should  include  a  full  description of the NFSv4 ACL evaluation algorithm, or cross
       reference another page that does.

Debian                                         September 18, 2009                            VACCESS_ACL_NFS4(9)