From: Andreas Gruenbacher <andreas.gruenbacher@gmail.com> To: linux-kernel@vger.kernel.org, linux-fsdevel@vger.kernel.org, linux-nfs@vger.kernel.org, linux-api@vger.kernel.org, samba-technical@lists.samba.org, linux-security-module@vger.kernel.org Subject: [RFC v4 10/31] richacl: Permission check algorithm Date: Wed, 24 Jun 2015 23:56:59 +0200 [thread overview] Message-ID: <1435183040-22726-11-git-send-email-agruenba@redhat.com> (raw) In-Reply-To: <1435183040-22726-1-git-send-email-agruenba@redhat.com> A richacl roughly grants a requested access if the NFSv4 acl in the richacl grants the requested permissions according to the NFSv4 permission check algorithm and the file mask that applies to the process includes the requested permissions. Signed-off-by: Andreas Gruenbacher <agruenba@redhat.com> --- fs/Makefile | 2 +- fs/richacl_inode.c | 122 ++++++++++++++++++++++++++++++++++++++++++++++++ include/linux/richacl.h | 3 ++ 3 files changed, 126 insertions(+), 1 deletion(-) create mode 100644 fs/richacl_inode.c diff --git a/fs/Makefile b/fs/Makefile index 654e716..c3602b7 100644 --- a/fs/Makefile +++ b/fs/Makefile @@ -48,7 +48,7 @@ obj-$(CONFIG_SYSCTL) += drop_caches.o obj-$(CONFIG_FHANDLE) += fhandle.o obj-$(CONFIG_FS_RICHACL) += richacl.o -richacl-y := richacl_base.o +richacl-y := richacl_base.o richacl_inode.o obj-y += quota/ diff --git a/fs/richacl_inode.c b/fs/richacl_inode.c new file mode 100644 index 0000000..159510b --- /dev/null +++ b/fs/richacl_inode.c @@ -0,0 +1,122 @@ +/* + * Copyright (C) 2010 Novell, Inc. + * Copyright (C) 2015 Red Hat, Inc. + * Written by Andreas Gruenbacher <agruen@kernel.org> + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2, or (at your option) any + * later version. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * General Public License for more details. + */ + +#include <linux/sched.h> +#include <linux/module.h> +#include <linux/fs.h> +#include <linux/slab.h> +#include <linux/richacl.h> + +/** + * richacl_permission - richacl permission check algorithm + * @inode: inode to check + * @acl: rich acl of the inode + * @want: requested access (MAY_* flags) + * + * Checks if the current process is granted @mask flags in @acl. + */ +int +richacl_permission(struct inode *inode, const struct richacl *acl, + int want) +{ + const struct richace *ace; + unsigned int mask = richacl_want_to_mask(want); + unsigned int requested = mask, denied = 0; + int in_owning_group = in_group_p(inode->i_gid); + int in_owner_or_group_class = in_owning_group; + + /* + * A process is + * - in the owner file class if it owns the file, + * - in the group file class if it is in the file's owning group or + * it matches any of the user or group entries, and + * - in the other file class otherwise. + * The file class is only relevant for determining which file mask to + * apply, which only happens for masked acls. + */ + if (acl->a_flags & RICHACL_MASKED) { + if (uid_eq(current_fsuid(), inode->i_uid)) { + denied = requested & ~acl->a_owner_mask; + goto out; + } + } else { + /* + * We don't care which class the process is in when the acl is + * not masked. + */ + in_owner_or_group_class = 1; + } + + /* + * Check if the acl grants the requested access and determine which + * file class the process is in. + */ + richacl_for_each_entry(ace, acl) { + unsigned int ace_mask = ace->e_mask; + + if (richace_is_inherit_only(ace)) + continue; + if (richace_is_owner(ace)) { + if (!uid_eq(current_fsuid(), inode->i_uid)) + continue; + } else if (richace_is_group(ace)) { + if (!in_owning_group) + continue; + } else if (richace_is_unix_user(ace)) { + kuid_t uid = current_fsuid(); + + if (!uid_eq(uid, ace->e_id.uid)) + continue; + } else if (richace_is_unix_group(ace)) { + if (!in_group_p(ace->e_id.gid)) + continue; + } else + goto entry_matches_everyone; + + /* The process is in the owner or group file class. */ + in_owner_or_group_class = 1; + +entry_matches_everyone: + /* Check which mask flags the ACE allows or denies. */ + if (richace_is_deny(ace)) + denied |= ace_mask & mask; + mask &= ~ace_mask; + + /* + * Keep going until we know which file class + * the process is in. + */ + if (!mask && in_owner_or_group_class) + break; + } + denied |= mask; + + if (acl->a_flags & RICHACL_MASKED) { + /* + * The file class a process is in determines which file mask + * applies. Check if that file mask also grants the requested + * access. + */ + if (in_owner_or_group_class) + denied |= requested & ~acl->a_group_mask; + else + denied = requested & ~acl->a_other_mask; + } + +out: + return denied ? -EACCES : 0; +} +EXPORT_SYMBOL_GPL(richacl_permission); diff --git a/include/linux/richacl.h b/include/linux/richacl.h index c2a10b5..b828615 100644 --- a/include/linux/richacl.h +++ b/include/linux/richacl.h @@ -303,4 +303,7 @@ extern unsigned int richacl_want_to_mask(unsigned int); extern void richacl_compute_max_masks(struct richacl *, kuid_t); extern struct richacl *richacl_chmod(struct richacl *, mode_t); +/* richacl_inode.c */ +extern int richacl_permission(struct inode *, const struct richacl *, int); + #endif /* __RICHACL_H */ -- 2.4.2
WARNING: multiple messages have this Message-ID (diff)
From: Andreas Gruenbacher <andreas.gruenbacher-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> To: linux-kernel-u79uwXL29TY76Z2rM5mHXA@public.gmane.org, linux-fsdevel-u79uwXL29TY76Z2rM5mHXA@public.gmane.org, linux-nfs-u79uwXL29TY76Z2rM5mHXA@public.gmane.org, linux-api-u79uwXL29TY76Z2rM5mHXA@public.gmane.org, samba-technical-w/Ol4Ecudpl8XjKLYN78aQ@public.gmane.org, linux-security-module-u79uwXL29TY76Z2rM5mHXA@public.gmane.org Subject: [RFC v4 10/31] richacl: Permission check algorithm Date: Wed, 24 Jun 2015 23:56:59 +0200 [thread overview] Message-ID: <1435183040-22726-11-git-send-email-agruenba@redhat.com> (raw) In-Reply-To: <1435183040-22726-1-git-send-email-agruenba-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org> A richacl roughly grants a requested access if the NFSv4 acl in the richacl grants the requested permissions according to the NFSv4 permission check algorithm and the file mask that applies to the process includes the requested permissions. Signed-off-by: Andreas Gruenbacher <agruenba-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org> --- fs/Makefile | 2 +- fs/richacl_inode.c | 122 ++++++++++++++++++++++++++++++++++++++++++++++++ include/linux/richacl.h | 3 ++ 3 files changed, 126 insertions(+), 1 deletion(-) create mode 100644 fs/richacl_inode.c diff --git a/fs/Makefile b/fs/Makefile index 654e716..c3602b7 100644 --- a/fs/Makefile +++ b/fs/Makefile @@ -48,7 +48,7 @@ obj-$(CONFIG_SYSCTL) += drop_caches.o obj-$(CONFIG_FHANDLE) += fhandle.o obj-$(CONFIG_FS_RICHACL) += richacl.o -richacl-y := richacl_base.o +richacl-y := richacl_base.o richacl_inode.o obj-y += quota/ diff --git a/fs/richacl_inode.c b/fs/richacl_inode.c new file mode 100644 index 0000000..159510b --- /dev/null +++ b/fs/richacl_inode.c @@ -0,0 +1,122 @@ +/* + * Copyright (C) 2010 Novell, Inc. + * Copyright (C) 2015 Red Hat, Inc. + * Written by Andreas Gruenbacher <agruen-DgEjT+Ai2ygdnm+yROfE0A@public.gmane.org> + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2, or (at your option) any + * later version. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * General Public License for more details. + */ + +#include <linux/sched.h> +#include <linux/module.h> +#include <linux/fs.h> +#include <linux/slab.h> +#include <linux/richacl.h> + +/** + * richacl_permission - richacl permission check algorithm + * @inode: inode to check + * @acl: rich acl of the inode + * @want: requested access (MAY_* flags) + * + * Checks if the current process is granted @mask flags in @acl. + */ +int +richacl_permission(struct inode *inode, const struct richacl *acl, + int want) +{ + const struct richace *ace; + unsigned int mask = richacl_want_to_mask(want); + unsigned int requested = mask, denied = 0; + int in_owning_group = in_group_p(inode->i_gid); + int in_owner_or_group_class = in_owning_group; + + /* + * A process is + * - in the owner file class if it owns the file, + * - in the group file class if it is in the file's owning group or + * it matches any of the user or group entries, and + * - in the other file class otherwise. + * The file class is only relevant for determining which file mask to + * apply, which only happens for masked acls. + */ + if (acl->a_flags & RICHACL_MASKED) { + if (uid_eq(current_fsuid(), inode->i_uid)) { + denied = requested & ~acl->a_owner_mask; + goto out; + } + } else { + /* + * We don't care which class the process is in when the acl is + * not masked. + */ + in_owner_or_group_class = 1; + } + + /* + * Check if the acl grants the requested access and determine which + * file class the process is in. + */ + richacl_for_each_entry(ace, acl) { + unsigned int ace_mask = ace->e_mask; + + if (richace_is_inherit_only(ace)) + continue; + if (richace_is_owner(ace)) { + if (!uid_eq(current_fsuid(), inode->i_uid)) + continue; + } else if (richace_is_group(ace)) { + if (!in_owning_group) + continue; + } else if (richace_is_unix_user(ace)) { + kuid_t uid = current_fsuid(); + + if (!uid_eq(uid, ace->e_id.uid)) + continue; + } else if (richace_is_unix_group(ace)) { + if (!in_group_p(ace->e_id.gid)) + continue; + } else + goto entry_matches_everyone; + + /* The process is in the owner or group file class. */ + in_owner_or_group_class = 1; + +entry_matches_everyone: + /* Check which mask flags the ACE allows or denies. */ + if (richace_is_deny(ace)) + denied |= ace_mask & mask; + mask &= ~ace_mask; + + /* + * Keep going until we know which file class + * the process is in. + */ + if (!mask && in_owner_or_group_class) + break; + } + denied |= mask; + + if (acl->a_flags & RICHACL_MASKED) { + /* + * The file class a process is in determines which file mask + * applies. Check if that file mask also grants the requested + * access. + */ + if (in_owner_or_group_class) + denied |= requested & ~acl->a_group_mask; + else + denied = requested & ~acl->a_other_mask; + } + +out: + return denied ? -EACCES : 0; +} +EXPORT_SYMBOL_GPL(richacl_permission); diff --git a/include/linux/richacl.h b/include/linux/richacl.h index c2a10b5..b828615 100644 --- a/include/linux/richacl.h +++ b/include/linux/richacl.h @@ -303,4 +303,7 @@ extern unsigned int richacl_want_to_mask(unsigned int); extern void richacl_compute_max_masks(struct richacl *, kuid_t); extern struct richacl *richacl_chmod(struct richacl *, mode_t); +/* richacl_inode.c */ +extern int richacl_permission(struct inode *, const struct richacl *, int); + #endif /* __RICHACL_H */ -- 2.4.2 -- To unsubscribe from this list: send the line "unsubscribe linux-nfs" in the body of a message to majordomo-u79uwXL29TY76Z2rM5mHXA@public.gmane.org More majordomo info at http://vger.kernel.org/majordomo-info.html
next prev parent reply other threads:[~2015-06-24 21:58 UTC|newest] Thread overview: 54+ messages / expand[flat|nested] mbox.gz Atom feed top 2015-06-24 21:56 [RFC v4 00/31] Richacls Andreas Gruenbacher 2015-06-24 21:56 ` Andreas Gruenbacher 2015-06-24 21:56 ` [RFC v4 01/31] vfs: Add IS_ACL() and IS_RICHACL() tests Andreas Gruenbacher 2015-06-24 21:56 ` [RFC v4 02/31] vfs: Add MAY_CREATE_FILE and MAY_CREATE_DIR permission flags Andreas Gruenbacher 2015-06-24 21:56 ` Andreas Gruenbacher 2015-06-24 21:56 ` [RFC v4 03/31] vfs: Add MAY_DELETE_SELF and MAY_DELETE_CHILD " Andreas Gruenbacher 2015-06-24 21:56 ` Andreas Gruenbacher 2015-06-24 21:56 ` [RFC v4 04/31] vfs: Make the inode passed to inode_change_ok non-const Andreas Gruenbacher 2015-06-24 21:56 ` [RFC v4 05/31] vfs: Add permission flags for setting file attributes Andreas Gruenbacher 2015-06-24 21:56 ` [RFC v4 06/31] richacl: In-memory representation and helper functions Andreas Gruenbacher 2015-06-25 19:58 ` Stefan (metze) Metzmacher 2015-06-25 21:06 ` Andreas Grünbacher 2015-06-25 21:40 ` Stefan (metze) Metzmacher 2015-06-25 21:40 ` Stefan (metze) Metzmacher 2015-06-26 7:55 ` Andreas Grünbacher 2015-06-26 7:55 ` Andreas Grünbacher 2015-06-24 21:56 ` [RFC v4 07/31] richacl: Permission mapping functions Andreas Gruenbacher 2015-06-24 21:56 ` [RFC v4 08/31] richacl: Compute maximum file masks from an acl Andreas Gruenbacher 2015-06-24 21:56 ` [RFC v4 09/31] richacl: Update the file masks in chmod() Andreas Gruenbacher 2015-06-24 21:56 ` Andreas Gruenbacher 2015-06-24 21:56 ` Andreas Gruenbacher [this message] 2015-06-24 21:56 ` [RFC v4 10/31] richacl: Permission check algorithm Andreas Gruenbacher 2015-06-24 21:57 ` [RFC v4 11/31] vfs: Cache base_acl objects in inodes Andreas Gruenbacher 2015-06-24 21:57 ` [RFC v4 12/31] vfs: Cache richacl in struct inode Andreas Gruenbacher 2015-06-24 21:57 ` Andreas Gruenbacher 2015-06-24 21:57 ` [RFC v4 13/31] richacl: Check if an acl is equivalent to a file mode Andreas Gruenbacher 2015-06-24 21:57 ` Andreas Gruenbacher 2015-06-24 21:57 ` [RFC v4 14/31] richacl: Create-time inheritance Andreas Gruenbacher 2015-06-24 21:57 ` [RFC v4 15/31] richacl: Automatic Inheritance Andreas Gruenbacher 2015-06-24 21:57 ` [RFC v4 16/31] richacl: xattr mapping functions Andreas Gruenbacher 2015-06-24 21:57 ` Andreas Gruenbacher 2015-06-24 21:57 ` [RFC v4 17/31] vfs: Add richacl permission checking Andreas Gruenbacher 2015-06-24 21:57 ` [RFC v4 18/31] ext4: Add richacl support Andreas Gruenbacher 2015-06-24 21:57 ` Andreas Gruenbacher 2015-06-24 21:57 ` [RFC v4 19/31] ext4: Add richacl feature flag Andreas Gruenbacher 2015-06-24 21:57 ` [RFC v4 20/31] richacl: acl editing helper functions Andreas Gruenbacher 2015-06-24 21:57 ` [RFC v4 21/31] richacl: Move everyone@ aces down the acl Andreas Gruenbacher 2015-06-24 21:57 ` Andreas Gruenbacher 2015-06-24 21:57 ` [RFC v4 22/31] richacl: Propagate everyone@ permissions to other aces Andreas Gruenbacher 2015-06-24 21:57 ` Andreas Gruenbacher 2015-06-24 21:57 ` [RFC v4 23/31] richacl: Set the owner permissions to the owner mask Andreas Gruenbacher 2015-06-24 21:57 ` [RFC v4 24/31] richacl: Set the other permissions to the other mask Andreas Gruenbacher 2015-06-24 21:57 ` Andreas Gruenbacher 2015-06-24 21:57 ` [RFC v4 25/31] richacl: Isolate the owner and group classes Andreas Gruenbacher 2015-06-24 21:57 ` [RFC v4 26/31] richacl: Apply the file masks to a richacl Andreas Gruenbacher 2015-06-24 21:57 ` Andreas Gruenbacher 2015-06-24 21:57 ` [RFC v4 27/31] richacl: Create richacl from mode values Andreas Gruenbacher 2015-06-24 21:57 ` Andreas Gruenbacher 2015-06-24 21:57 ` [RFC v4 28/31] nfsd: Keep list of acls to dispose of in compoundargs Andreas Gruenbacher 2015-06-24 21:57 ` Andreas Gruenbacher 2015-06-24 21:57 ` [RFC v4 29/31] nfsd: Use richacls as internal acl representation Andreas Gruenbacher 2015-06-24 21:57 ` [RFC v4 30/31] nfsd: Add richacl support Andreas Gruenbacher 2015-06-24 21:57 ` [RFC v4 31/31] nfsd: Add support for the v4.1 dacl attribute Andreas Gruenbacher 2015-06-24 21:57 ` Andreas Gruenbacher
Reply instructions: You may reply publicly to this message via plain-text email using any one of the following methods: * Save the following mbox file, import it into your mail client, and reply-to-all from there: mbox Avoid top-posting and favor interleaved quoting: https://en.wikipedia.org/wiki/Posting_style#Interleaved_style * Reply using the --to, --cc, and --in-reply-to switches of git-send-email(1): git send-email \ --in-reply-to=1435183040-22726-11-git-send-email-agruenba@redhat.com \ --to=andreas.gruenbacher@gmail.com \ --cc=linux-api@vger.kernel.org \ --cc=linux-fsdevel@vger.kernel.org \ --cc=linux-kernel@vger.kernel.org \ --cc=linux-nfs@vger.kernel.org \ --cc=linux-security-module@vger.kernel.org \ --cc=samba-technical@lists.samba.org \ /path/to/YOUR_REPLY https://kernel.org/pub/software/scm/git/docs/git-send-email.html * If your mail client supports setting the In-Reply-To header via mailto: links, try the mailto: linkBe sure your reply has a Subject: header at the top and a blank line before the message body.
This is an external index of several public inboxes, see mirroring instructions on how to clone and mirror all data and code used by this external index.