On Nov 5, 2015, at 4:39 AM, Andreas Gruenbacher wrote: > > Normally, deleting a file requires MAY_WRITE access to the parent > directory. With richacls, a file may be deleted with MAY_DELETE_CHILD access > to the parent directory or with MAY_DELETE_SELF access to the file. > > To support that, pass the MAY_DELETE_CHILD mask flag to inode_permission() > when checking for delete access inside a directory, and MAY_DELETE_SELF > when checking for delete access to a file itelf. > > The MAY_DELETE_SELF permission overrides the sticky directory check. > > Signed-off-by: Andreas Gruenbacher > Reviewed-by: J. Bruce Fields > --- > fs/namei.c | 21 ++++++++++++--------- > include/linux/fs.h | 2 ++ > 2 files changed, 14 insertions(+), 9 deletions(-) > > diff --git a/fs/namei.c b/fs/namei.c > index 0259392..2eab19e 100644 > --- a/fs/namei.c > +++ b/fs/namei.c > @@ -453,9 +453,9 @@ static int sb_permission(struct super_block *sb, struct inode *inode, int mask) > * this, letting us set arbitrary permissions for filesystem access without > * changing the "normal" UIDs which are used for other things. > * > - * MAY_WRITE must be set in @mask whenever MAY_APPEND, MAY_CREATE_FILE, or > - * MAY_CREATE_DIR are set. That way, file systems that don't support these > - * permissions will check for MAY_WRITE instead. > + * MAY_WRITE must be set in @mask whenever MAY_APPEND, MAY_CREATE_FILE, > + * MAY_CREATE_DIR, or MAY_DELETE_CHILD are set. That way, file systems that > + * don't support these permissions will check for MAY_WRITE instead. > */ > int inode_permission(struct inode *inode, int mask) > { > @@ -2555,7 +2555,7 @@ static int may_delete(struct inode *dir, struct dentry *victim, > bool isdir, bool replace) > { > struct inode *inode = d_backing_inode(victim); > - int error, mask = MAY_WRITE | MAY_EXEC; > + int error, mask = MAY_EXEC; > > if (d_is_negative(victim)) > return -ENOENT; > @@ -2565,15 +2565,18 @@ static int may_delete(struct inode *dir, struct dentry *victim, > audit_inode_child(dir, victim, AUDIT_TYPE_CHILD_DELETE); > > if (replace) > - mask |= isdir ? MAY_CREATE_DIR : MAY_CREATE_FILE; > - error = inode_permission(dir, mask); > + mask |= MAY_WRITE | (isdir ? MAY_CREATE_DIR : MAY_CREATE_FILE); > + error = inode_permission(dir, mask | MAY_WRITE | MAY_DELETE_CHILD); > + if (!error && check_sticky(dir, inode)) > + error = -EPERM; > + if (error && IS_RICHACL(inode) && > + inode_permission(inode, MAY_DELETE_SELF) == 0) > + error = 0; This looks like a serious bug, as it is overriding other errors returned from inode_permission() such as -EROFS from sb_permission() or even from generic_permission->acl_permission_check(). Clearing the error returned by an earlier check doesn't seem safe, only new errors should be added. The call to inode_permission(inode) is also duplicating the sb_permission() check from inode_permission(dir), so at most should be __inode_permission(). It looks like this would be correct if you check MAY_DELETE_SELF together with check_sticky(): if (!error && check_sticky(dir, inode) && !__inode_permission(inode, MAY_DELETE_SELF)) error = -EPERM; I ommitted the IS_RICHACL() check here, since that should probably be in __inode_permission() when MAY_DELETE_SELF is passed? Cheers, Andreas > if (error) > return error; > if (IS_APPEND(dir)) > return -EPERM; > - > - if (check_sticky(dir, inode) || IS_APPEND(inode) || > - IS_IMMUTABLE(inode) || IS_SWAPFILE(inode)) > + if (IS_APPEND(inode) || IS_IMMUTABLE(inode) || IS_SWAPFILE(inode)) > return -EPERM; > if (isdir) { > if (!d_is_dir(victim)) > diff --git a/include/linux/fs.h b/include/linux/fs.h > index d6e2330..402acd7 100644 > --- a/include/linux/fs.h > +++ b/include/linux/fs.h > @@ -84,6 +84,8 @@ typedef void (dax_iodone_t)(struct buffer_head *bh_map, int uptodate); > #define MAY_NOT_BLOCK 0x00000080 > #define MAY_CREATE_FILE 0x00000100 > #define MAY_CREATE_DIR 0x00000200 > +#define MAY_DELETE_CHILD 0x00000400 > +#define MAY_DELETE_SELF 0x00000800 > > /* > * flags in file.f_mode. Note that FMODE_READ and FMODE_WRITE must correspond > -- > 2.5.0 > Cheers, Andreas