Module Name:    src
Committed By:   christos
Date:           Mon Jan 17 19:08:07 UTC 2022

Modified Files:
        src/share/man/man9: Makefile acl.9 genfs.9 vnode.9
Added Files:
        src/share/man/man9: genfs_can_access.9 genfs_can_access_acl_nfs4.9
            genfs_can_access_acl_posix1e.9

Log Message:
Add acl related changes; there is no more vaccess; document the genfs
functions instead.

To generate a diff of this commit:
cvs rdiff -u -r1.460 -r1.461 src/share/man/man9/Makefile
cvs rdiff -u -r1.1 -r1.2 src/share/man/man9/acl.9
cvs rdiff -u -r1.6 -r1.7 src/share/man/man9/genfs.9
cvs rdiff -u -r0 -r1.1 src/share/man/man9/genfs_can_access.9 \
    src/share/man/man9/genfs_can_access_acl_nfs4.9 \
    src/share/man/man9/genfs_can_access_acl_posix1e.9
cvs rdiff -u -r1.82 -r1.83 src/share/man/man9/vnode.9

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
Modified files: Index: src/share/man/man9/Makefile diff -u src/share/man/man9/Makefile:1.460 src/share/man/man9/Makefile:1.461 --- src/share/man/man9/Makefile:1.460 Wed Dec 22 12:28:17 2021 +++ src/share/man/man9/Makefile Mon Jan 17 14:08:06 2022 @@ -1,8 +1,8 @@ -# $NetBSD: Makefile,v 1.460 2021/12/22 17:28:17 thorpej Exp $ +# $NetBSD: Makefile,v 1.461 2022/01/17 19:08:06 christos Exp $ # Makefile for section 9 (kernel function and variable) manual pages. -MAN= accept_filter.9 accf_data.9 accf_http.9 \ +MAN= accept_filter.9 accf_data.9 accf_http.9 acl.9 \ altq.9 arp.9 audio.9 autoconf.9 \ bcdtobin.9 bcmp.9 bcopy.9 bintime_add.9 bluetooth.9 boothowto.9 bpf.9 \ buffercache.9 bufferio.9 bufq.9 bus_dma.9 bus_space.9 byteorder.9 \ @@ -22,7 +22,8 @@ MAN= accept_filter.9 accf_data.9 accf_ht edid.9 errno.9 ethersubr.9 evcnt.9 extattr.9 extent.9 \ file.9 fileassoc.9 filedesc.9 firmload.9 flash.9 \ fork1.9 fsetown.9 fstrans.9 \ - genfs.9 genfs_rename.9 \ + genfs.9 genfs_can_access.9 genfs_can_access_acl_nfs4.9 \ + genfs_can_access_acl_posix1e.9 genfs_rename.9 \ hash.9 hashinit.9 hardclock.9 humanize_number.9 hz.9 \ ieee80211.9 ieee80211_crypto.9 ieee80211_input.9 ieee80211_ioctl.9 \ ieee80211_node.9 ieee80211_output.9 ieee80211_proto.9 \ @@ -1059,7 +1060,6 @@ MLINKS+=vnode.9 vref.9 \ vnode.9 vgonel.9 \ vnode.9 vdead_check.9 \ vnode.9 vflush.9 \ - vnode.9 vaccess.9 \ vnode.9 bdevvp.9 \ vnode.9 cdevvp.9 \ vnode.9 vfinddev.9 \ Index: src/share/man/man9/acl.9 diff -u src/share/man/man9/acl.9:1.1 src/share/man/man9/acl.9:1.2 --- src/share/man/man9/acl.9:1.1 Thu Jun 18 16:38:42 2020 +++ src/share/man/man9/acl.9 Mon Jan 17 14:08:06 2022 @@ -1,4 +1,4 @@ -.\" $NetBSD: acl.9,v 1.1 2020/06/18 20:38:42 wiz Exp $ +.\" $NetBSD: acl.9,v 1.2 2022/01/17 19:08:06 christos Exp $ .\"- .\" Copyright (c) 1999-2001 Robert N. M. Watson .\" All rights reserved. 
@@ -26,7 +26,7 @@ .\" .\" $FreeBSD: head/share/man/man9/acl.9 287445 2015-09-04 00:14:20Z delphij $ .\" -.Dd September 4, 2015 +.Dd January 17, 2022 .Dt ACL 9 .Os .Sh NAME @@ -214,13 +214,7 @@ and directories. .El .Sh SEE ALSO .Xr acl 3 , -.Xr vaccess 9 , -.Xr vaccess_acl_nfs4 9 , -.Xr vaccess_acl_posix1e 9 , -.Xr VFS 9 , -.Xr VOP_ACLCHECK 9 , -.Xr VOP_GETACL 9 , -.Xr VOP_SETACL 9 +.Xr genfs 9 , .Sh AUTHORS This manual page was written by .An Robert Watson . Index: src/share/man/man9/genfs.9 diff -u src/share/man/man9/genfs.9:1.6 src/share/man/man9/genfs.9:1.7 --- src/share/man/man9/genfs.9:1.6 Fri Aug 7 16:17:59 2020 +++ src/share/man/man9/genfs.9 Mon Jan 17 14:08:06 2022 @@ -1,4 +1,4 @@ -.\" $NetBSD: genfs.9,v 1.6 2020/08/07 20:17:59 wiz Exp $ +.\" $NetBSD: genfs.9,v 1.7 2022/01/17 19:08:06 christos Exp $ .\" .\" Copyright 2012 Elad Efrat <e...@netbsd.org> .\" All rights reserved. @@ -26,7 +26,7 @@ .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE .\" POSSIBILITY OF SUCH DAMAGE. .\" -.Dd August 7, 2020 +.Dd January 17, 2022 .Dt GENFS 9 .Os .Sh NAME @@ -35,9 +35,6 @@ .Sh SYNOPSIS .In miscfs/genfs/genfs.h .Ft int -.Fn genfs_can_access "vnode_t *vp" "kauth_cred_t cred" "uid_t uid" \ -"gid_t gid" "mode_t file_mode" "struct acl *acl" "accmode_t accmode" -.Ft int .Fn genfs_can_chflags "vnode_t *vp" kauth_cred_t cred" "uid_t owner_uid" \ "bool changing_sysflags" .Ft int @@ -79,9 +76,6 @@ error = kauth_authorize_vnode(..., genfs .Ed .Sh FUNCTIONS .Bl -tag -width compact -.It Fn genfs_can_access "vnode_t *vp" "kauth_cred_t cred" "uid_t uid" \ -"gid_t gid" "mode_t file_mode" "struct acl *" "accmode_t accmode" -Implements file access checking based on traditional Unix permissions. .It Fn genfs_can_chflags "vnode_t *vp" "kauth_cred_t cred" "uid_t owner_uid" "bool changing_sysflags" Implements 
@@ -111,6 +105,10 @@ Implements rename and delete policy from .El .Sh SEE ALSO .Xr kauth 9 +.Xr genfs_rename 9 +.Xr genfs_can_access 9 +.Xr genfs_can_access_acl_posix1e 9 +.Xr genfs_can_access_acl_nfs4 9 .Sh AUTHORS .An Elad Efrat Aq Mt e...@netbsd.org wrote this manual page. Index: src/share/man/man9/vnode.9 diff -u src/share/man/man9/vnode.9:1.82 src/share/man/man9/vnode.9:1.83 --- src/share/man/man9/vnode.9:1.82 Tue Jan 1 05:06:54 2019 +++ src/share/man/man9/vnode.9 Mon Jan 17 14:08:06 2022 @@ -1,4 +1,4 @@ -.\" $NetBSD: vnode.9,v 1.82 2019/01/01 10:06:54 hannken Exp $ +.\" $NetBSD: vnode.9,v 1.83 2022/01/17 19:08:06 christos Exp $ .\" .\" Copyright (c) 2001, 2005, 2006 The NetBSD Foundation, Inc. .\" All rights reserved. @@ -27,7 +27,7 @@ .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE .\" POSSIBILITY OF SUCH DAMAGE. .\" -.Dd January 1, 2019 +.Dd January 17, 2022 .Dt VNODE 9 .Os .Sh NAME @@ -47,7 +47,6 @@ .Nm vgonel , .Nm vdead_check , .Nm vflush , -.Nm vaccess , .Nm bdevvp , .Nm cdevvp , .Nm vfinddev , @@ -92,8 +91,6 @@ .Ft int .Fn vflush "struct mount *mp" "struct vnode *skipvp" "int flags" .Ft int -.Fn vaccess "enum vtype type" "mode_t file_mode" "uid_t uid" "gid_t gid" "mode_t acc_mode" "kauth_cred_t cred" -.Ft int .Fn bdevvp "dev_t dev" "struct vnode **vpp" .Ft int .Fn cdevvp "dev_t dev" "struct vnode **vpp" @@ -674,12 +671,6 @@ is set, only flush out regular file vnod SKIPSYSTEM causes any vnodes marked .Dv V_SYSTEM to be skipped. -.It Fn vaccess "type" "file_mode" "uid" "gid" "acc_mode" "cred" -Do access checking by comparing the file's permissions to the caller's -desired access type -.Fa acc_mode -and credentials -.Fa cred . .It Fn bdevvp "dev" "vpp" Create a vnode for a block device. .Fn bdevvp Added files: Index: src/share/man/man9/genfs_can_access.9 diff -u /dev/null src/share/man/man9/genfs_can_access.9:1.1 --- /dev/null Mon Jan 17 14:08:07 2022 +++ src/share/man/man9/genfs_can_access.9 Mon Jan 17 14:08:06 2022 
@@ -0,0 +1,122 @@ +.\" $NetBSD: genfs_can_access.9,v 1.1 2022/01/17 19:08:06 christos Exp $ +.\"- +.\" Copyright (c) 2001 Robert N. M. Watson +.\" All rights reserved. +.\" +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that the following conditions +.\" are met: +.\" 1. Redistributions of source code must retain the above copyright +.\" notice, this list of conditions and the following disclaimer. +.\" 2. Redistributions in binary form must reproduce the above copyright +.\" notice, this list of conditions and the following disclaimer in the +.\" documentation and/or other materials provided with the distribution. +.\" +.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND +.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE +.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +.\" SUCH DAMAGE. 
+.\" +.\" $FreeBSD: head/share/man/man9/vaccess.9 206622 2010-04-14 19:08:06Z uqs $ +.\" +.Dd January 17, 2022 +.Dt GENFS_CAN_ACCESS 9 +.Os +.Sh NAME +.Nm genfs_can_access +.Nd generate an access control decision using vnode parameters +.Sh SYNOPSIS +.In miscfs/genfs/genfs.h +.Ft int +.Fo genfs_can_access +.Fa "vnode_t *vp" +.Fa "kauth_cred_t cred" +.Fa "uid_t file_uid" +.Fa "gid_t file_gid" +.Fa "mode_t file_mode" +.Fa "struct acl *acl" +.Fa "accmode_t accmode" +.Fc +.Sh DESCRIPTION +This call implements the logic for the +.Ux +discretionary file security model +common to many file systems in +.Fx . +It accepts the vnode +.Fa vp , +requesting credential +.Fa cred , +permissions via +owning UID +.Fa file_uid , +owning GID +.Fa file_gid , +file permissions +.Fa file_mode , +access ACL for the file +.Fa acl , +desired access mode +.Fa accmode , +.Pp +.This call is intended to support implementations of +.Xr VOP_ACCESS 9 , +which will use their own access methods to retrieve the vnode properties, +and then invoke +.Fn vaccess +in order to perform the actual check. +Implementations of +.Xr VOP_ACCESS 9 +may choose to implement additional security mechanisms whose results will +be composed with the return value. +.Pp +The algorithm used by +.Fn genfs_can_access +selects a component of the file permission bits based on comparing the +passed credential, file owner, and file group. +If the credential's effective UID matches the file owner, then the +owner component of the permission bits is selected. +If the UID does not match, then the credential's effective GID, followed +by additional groups, are compared with the file group\[em]if there is +a match, then the group component of the permission bits is selected. +If neither the credential UID or GIDs match the passed file owner and +group, then the other component of the permission bits is selected. 
+.Pp +Once appropriate protections are selected for the current credential, +the requested access mode, in combination with the vnode type, will be +compared with the discretionary rights available for the credential. +If the rights granted by discretionary protections are insufficient, +then super-user privilege, if available for the credential, will also be +considered. +.Sh RETURN VALUES +.Fn genfs_can_access +will return 0 on success, or a non-zero error value on failure. +.Sh ERRORS +.Bl -tag -width Er +.It Bq Er EACCES +Permission denied. +An attempt was made to access a file in a way forbidden by its file access +permissions. +.It Bq Er EPERM +Operation not permitted. +An attempt was made to perform an operation limited to processes with +appropriate privileges or to the owner of a file or other resource. +.El +.Sh SEE ALSO +.Xr genfs_can_access_acl_nfs4 9 , +.Xr genfs_can_access_acl_posix1e 9 , +.Xr vnode 9 , +.Xr genfs 9 , +.Xr VOP_ACCESS 9 +.Sh AUTHORS +This manual page and the current implementation of +.Fn vaccess +were written by +.An Robert Watson . Index: src/share/man/man9/genfs_can_access_acl_nfs4.9 diff -u /dev/null src/share/man/man9/genfs_can_access_acl_nfs4.9:1.1 --- /dev/null Mon Jan 17 14:08:07 2022 +++ src/share/man/man9/genfs_can_access_acl_nfs4.9 Mon Jan 17 14:08:06 2022 
@@ -0,0 +1,122 @@ +.\" $NetBSD: genfs_can_access_acl_nfs4.9,v 1.1 2022/01/17 19:08:06 christos Exp $ +.\"- +.\" Copyright (c) 2001 Robert N. M. Watson +.\" All rights reserved. +.\" +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that the following conditions +.\" are met: +.\" 1. Redistributions of source code must retain the above copyright +.\" notice, this list of conditions and the following disclaimer. +.\" 2. Redistributions in binary form must reproduce the above copyright +.\" notice, this list of conditions and the following disclaimer in the +.\" documentation and/or other materials provided with the distribution. +.\" +.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND +.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE +.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +.\" SUCH DAMAGE. 
+.\" +.\" $FreeBSD: head/share/man/man9/genfs_can_access_acl_nfs4.9 267936 2014-06-26 21:44:30Z bapt $ +.\" +.Dd September 18, 2009 +.Dt GENFS_CAN_ACCESS_ACL_NFS4 9 +.Os +.Sh NAME +.Nm genfs_can_access_acl_nfs4 +.Nd generate a NFSv4 ACL access control decision using vnode parameters +.Sh SYNOPSIS +.In miscfs/genfs/genfs.h +.Ft int +.Fo genfs_can_access_acl_nfs4 + genfs_can_access_acl_nfs4(struct vnode *, kauth_cred_t, uid_t, gid_t, + mode_t, struct acl *, accmode_t) +.Fa "struct vnode *vp" +.Fa "kath_cred_t cred" +.Fa "uid_t file_uid" +.Fa "gid_t file_gid" +.Fa "mode_t file_mode" +.Fa "struct acl *acl" +.Fa "accmode_t accmode" +.Fc +.Sh DESCRIPTION +This call implements the logic for the +.Ux +discretionary file security model +with NFSv4 ACL extensions. +It accepts the vnode +.Fa vp , +requesting credential +.Fa cred , +owning UID +.Fa file_uid , +owning GID +.Fa file_gid , +file permissions +.Fa file_mode , +access ACL for the file +.Fa acl , +desired access mode +.Fa accmode , +.Pp +This call is intended to support implementations of +.Xr VOP_ACCESS 9 , +which will use their own access methods to retrieve the vnode properties, +and then invoke +.Fn genfs_can_access_acl_nfs4 +in order to perform the actual check. +Implementations of +.Xr VOP_ACCESS 9 +may choose to implement additional security mechanisms whose results will +be composed with the return value. +.Pp +The algorithm used by +.Fn genfs_can_access_acl_nfs4 +is based on the NFSv4 ACL evaluation algorithm, as described in +NFSv4 Minor Version 1, draft-ietf-nfsv4-minorversion1-21.txt. +The algorithm selects a +.Em matching +entry from the access ACL, which may +then be composed with an available ACL mask entry, providing +.Ux +security compatibility. +.Pp +Once appropriate protections are selected for the current credential, +the requested access mode, in combination with the vnode type, will be +compared with the discretionary rights available for the credential. 
+If the rights granted by discretionary protections are insufficient, +then super-user privilege, if available for the credential, will also be +considered. +.Sh RETURN VALUES +.Fn genfs_can_access_acl_nfs4 +will return 0 on success, or a non-zero error value on failure. +.Sh ERRORS +.Bl -tag -width Er +.It Bq Er EACCES +Permission denied. +An attempt was made to access a file in a way forbidden by its file access +permissions. +.It Bq Er EPERM +Operation not permitted. +An attempt was made to perform an operation limited to processes with +appropriate privileges or to the owner of a file or other resource. +.El +.Sh SEE ALSO +.Xr genfs_can_access 9 , +.Xr vnode 9 , +.Xr VOP_ACCESS 9 +.Sh AUTHORS +Current implementation of +.Fn genfs_can_access_acl_nfs4 +was written by +.An Edward Tomasz Napierala Aq Mt tr...@freebsd.org . +.Sh BUGS +This manual page should include a full description of the NFSv4 ACL +evaluation algorithm, or cross reference another page that does. Index: src/share/man/man9/genfs_can_access_acl_posix1e.9 diff -u /dev/null src/share/man/man9/genfs_can_access_acl_posix1e.9:1.1 --- /dev/null Mon Jan 17 14:08:07 2022 +++ src/share/man/man9/genfs_can_access_acl_posix1e.9 Mon Jan 17 14:08:06 2022 
@@ -0,0 +1,120 @@ +.\" $NetBSD: genfs_can_access_acl_posix1e.9,v 1.1 2022/01/17 19:08:06 christos Exp $ +.\"- +.\" Copyright (c) 2001 Robert N. M. Watson +.\" All rights reserved. +.\" +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that the following conditions +.\" are met: +.\" 1. Redistributions of source code must retain the above copyright +.\" notice, this list of conditions and the following disclaimer. +.\" 2. Redistributions in binary form must reproduce the above copyright +.\" notice, this list of conditions and the following disclaimer in the +.\" documentation and/or other materials provided with the distribution. +.\" +.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND +.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE +.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +.\" SUCH DAMAGE. 
+.\" +.\" $FreeBSD: head/share/man/man9/genfs_can_access_acl_posix1e.9 206622 2010-04-14 19:08:06Z uqs $ +.\" +.Dd January 17, 2022 +.Dt GENFS_CAN_ACCESS_ACL_POSIX1E 9 +.Os +.Sh NAME +.Nm genfs_can_access_acl_posix1e +.Nd generate a POSIX.1e ACL access control decision using vnode parameters +.Sh SYNOPSIS +.In miscfs/genfs/genfs.h +.Ft int +.Fo genfs_can_access_acl_posix1e +.Fa "struct vnode *vp" +.Fa "kauth_cred_t cred" +.Fa "uid_t file_uid" +.Fa "gid_t file_gid" +.Fa "mode_t file_mode" +.Fa "struct acl *acl" +.Fa "accmode_t accmode" +.Fc +.Sh DESCRIPTION +This call implements the logic for the +.Ux +discretionary file security model +with POSIX.1e ACL extensions. +It accepts the vnode +.Fa vp , +requesting credential +.Fa cred , +owning UID +.Fa file_uid , +owning GID +.Fa file_gid , +file permissions +.Fa file_mode , +access ACL for the file +.Fa acl , +and +desired access mode +.Fa accmode . +.Pp +This call is intended to support implementations of +.Xr VOP_ACCESS 9 , +which will use their own access methods to retrieve the vnode properties, +and then invoke +.Fn genfs_can_access_acl_posix1e +in order to perform the actual check. +Implementations of +.Xr VOP_ACCESS 9 +may choose to implement additional security mechanisms whose results will +be composed with the return value. +.Pp +The algorithm used by +.Fn genfs_can_access_acl_posix1e +is based on the POSIX.1e ACL evaluation algorithm. +The algorithm selects a +.Em matching +entry from the access ACL, which may +then be composed with an available ACL mask entry, providing +.Ux +security compatibility. +.Pp +Once appropriate protections are selected for the current credential, +the requested access mode, in combination with the vnode type, will be +compared with the discretionary rights available for the credential. +If the rights granted by discretionary protections are insufficient, +then super-user privilege, if available for the credential, will also be +considered. 
+.Sh RETURN VALUES +.Fn genfs_can_access_acl_posix1e +will return 0 on success, or a non-zero error value on failure. +.Sh ERRORS +.Bl -tag -width Er +.It Bq Er EACCES +Permission denied. +An attempt was made to access a file in a way forbidden by its file access +permissions. +.It Bq Er EPERM +Operation not permitted. +An attempt was made to perform an operation limited to processes with +appropriate privileges or to the owner of a file or other resource. +.El +.Sh SEE ALSO +.Xr genfs_can_access 9 , +.Xr vnode 9 , +.Xr VOP_ACCESS 9 +.Sh AUTHORS +This manual page and the current implementation of +.Fn genfs_can_access_acl_posix1e +were written by +.An Robert Watson . +.Sh BUGS +This manual page should include a full description of the POSIX.1e ACL +evaluation algorithm, or cross reference another page that does.
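Review bot: In src/share/man/man9/acl.9, the SEE ALSO hunk leaves ".Xr genfs 9 ," as the final entry, so the list now ends in a dangling comma right before ".Sh AUTHORS"; drop the comma. The same hunk also deletes ".Xr VFS 9", ".Xr VOP_ACLCHECK 9", ".Xr VOP_GETACL 9" and ".Xr VOP_SETACL 9", none of which is a vaccess page. If those removals are intended, the log message should say so. Listing genfs_can_access 9, genfs_can_access_acl_nfs4 9 and genfs_can_access_acl_posix1e 9 here directly would keep a one-step path from acl(9) to the pages that document the actual access decision.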
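Review bot: In src/share/man/man9/genfs.9, SYNOPSIS hunk, the context line kept just below the removed genfs_can_access prototype reads .Fn genfs_can_chflags "vnode_t *vp" kauth_cred_t cred" "uid_t owner_uid" with no opening quote before kauth_cred_t, so the argument boundaries are wrong when rendered. Since this commit is already editing that block, add the missing quote so the argument reads "kauth_cred_t cred", matching the .It entry for the same function in FUNCTIONS.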
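Review bot: In src/share/man/man9/genfs.9, SEE ALSO hunk, the existing ".Xr kauth 9" and the four added .Xr lines have no comma separators, so the references will run together in the rendered page. Each entry except the last should end in " ," and the list should follow the usual mdoc ordering (by section, then alphabetically), which here puts genfs_can_access 9, genfs_can_access_acl_nfs4 9, genfs_can_access_acl_posix1e 9 and genfs_rename 9 ahead of kauth 9.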
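Review bot: In the new src/share/man/man9/genfs_can_access.9, DESCRIPTION still tells VOP_ACCESS implementers to "invoke .Fn vaccess" and AUTHORS credits "the current implementation of .Fn vaccess", although the log message says there is no more vaccess; both should name genfs_can_access, otherwise a file system author following the page is sent to a function that no longer exists. In the same hunk, the line ".This call is intended to support implementations of" begins with a dot, so it is parsed as a macro request instead of text and the paragraph loses its opening sentence; remove the leading dot. The parameter sentence also ends on ".Fa accmode ," with no closing period (the posix1e page ends it with "and desired access mode .Fa accmode ."), and "common to many file systems in .Fx ." is carried over from the FreeBSD original.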
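Review bot: In the new src/share/man/man9/genfs_can_access_acl_nfs4.9, SYNOPSIS has two lines of raw C prototype text ("genfs_can_access_acl_nfs4(struct vnode *, kauth_cred_t, uid_t, gid_t," and "mode_t, struct acl *, accmode_t)") sitting between ".Fo genfs_can_access_acl_nfs4" and the first ".Fa"; plain text does not belong inside an .Fo/.Fc block and should be deleted. The second argument is spelled "kath_cred_t cred" and should be "kauth_cred_t cred", as in the other two new pages. The page also keeps ".Dd September 18, 2009" while genfs_can_access.9 and genfs_can_access_acl_posix1e.9 were bumped to January 17, 2022, and the parameter sentence in DESCRIPTION ends on ".Fa accmode ," with no closing period.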