From: Andreas Gruenbacher <andreas.gruenbacher@gmail.com>
To: linux-kernel@vger.kernel.org
Cc: linux-fsdevel@vger.kernel.org, linux-nfs@vger.kernel.org,
linux-api@vger.kernel.org, samba-technical@lists.samba.org,
linux-security-module@vger.kernel.org,
Andreas Gruenbacher <agruenba@redhat.com>
Subject: [PATCH v5 05/39] vfs: Add permission flags for setting file attributes
Date: Wed, 22 Jul 2015 15:02:55 +0200 [thread overview]
Message-ID: <1437570209-29832-6-git-send-email-andreas.gruenbacher@gmail.com> (raw)
In-Reply-To: <1437570209-29832-1-git-send-email-andreas.gruenbacher@gmail.com>
From: Andreas Gruenbacher <agruenba@redhat.com>
Richacls support permissions that allow to take ownership of a file, change the
file permissions, and set the file timestamps. Support that by introducing new
permission mask flags and by checking for those mask flags in
inode_change_ok().
Signed-off-by: Andreas Gruenbacher <agruenba@redhat.com>
---
fs/attr.c | 79 +++++++++++++++++++++++++++++++++++++++++++++---------
include/linux/fs.h | 3 +++
2 files changed, 70 insertions(+), 12 deletions(-)
diff --git a/fs/attr.c b/fs/attr.c
index 328be71..85483e0 100644
--- a/fs/attr.c
+++ b/fs/attr.c
@@ -17,6 +17,65 @@
#include <linux/ima.h>
/**
+ * inode_extended_permission - permissions beyond read/write/execute
+ *
+ * Check for permissions that only richacls can currently grant.
+ */
+static int inode_extended_permission(struct inode *inode, int mask)
+{
+ if (!IS_RICHACL(inode))
+ return -EPERM;
+ return inode_permission(inode, mask);
+}
+
+static bool inode_uid_change_ok(struct inode *inode, kuid_t ia_uid)
+{
+ if (uid_eq(current_fsuid(), inode->i_uid) &&
+ uid_eq(ia_uid, inode->i_uid))
+ return true;
+ if (uid_eq(current_fsuid(), ia_uid) &&
+ inode_extended_permission(inode, MAY_TAKE_OWNERSHIP) == 0)
+ return true;
+ if (capable_wrt_inode_uidgid(inode, CAP_CHOWN))
+ return true;
+ return false;
+}
+
+static bool inode_gid_change_ok(struct inode *inode, kgid_t ia_gid)
+{
+ int in_group = in_group_p(ia_gid);
+ if (uid_eq(current_fsuid(), inode->i_uid) &&
+ (in_group || gid_eq(ia_gid, inode->i_gid)))
+ return true;
+ if (in_group && inode_extended_permission(inode, MAY_TAKE_OWNERSHIP) == 0)
+ return true;
+ if (capable_wrt_inode_uidgid(inode, CAP_CHOWN))
+ return true;
+ return false;
+}
+
+/**
+ * inode_owner_permitted_or_capable
+ *
+ * Check for permissions implicitly granted to the owner, like MAY_CHMOD or
+ * MAY_SET_TIMES. Equivalent to inode_owner_or_capable for file systems
+ * without support for those permissions.
+ */
+static bool inode_owner_permitted_or_capable(struct inode *inode, int mask)
+{
+ struct user_namespace *ns;
+
+ if (uid_eq(current_fsuid(), inode->i_uid))
+ return true;
+ if (inode_extended_permission(inode, mask) == 0)
+ return true;
+ ns = current_user_ns();
+ if (ns_capable(ns, CAP_FOWNER) && kuid_has_mapping(ns, inode->i_uid))
+ return true;
+ return false;
+}
+
+/**
* inode_change_ok - check if attribute changes to an inode are allowed
* @inode: inode to check
* @attr: attributes to change
@@ -47,22 +106,18 @@ int inode_change_ok(struct inode *inode, struct iattr *attr)
return 0;
/* Make sure a caller can chown. */
- if ((ia_valid & ATTR_UID) &&
- (!uid_eq(current_fsuid(), inode->i_uid) ||
- !uid_eq(attr->ia_uid, inode->i_uid)) &&
- !capable_wrt_inode_uidgid(inode, CAP_CHOWN))
- return -EPERM;
+ if (ia_valid & ATTR_UID)
+ if (!inode_uid_change_ok(inode, attr->ia_uid))
+ return -EPERM;
/* Make sure caller can chgrp. */
- if ((ia_valid & ATTR_GID) &&
- (!uid_eq(current_fsuid(), inode->i_uid) ||
- (!in_group_p(attr->ia_gid) && !gid_eq(attr->ia_gid, inode->i_gid))) &&
- !capable_wrt_inode_uidgid(inode, CAP_CHOWN))
- return -EPERM;
+ if (ia_valid & ATTR_GID)
+ if (!inode_gid_change_ok(inode, attr->ia_gid))
+ return -EPERM;
/* Make sure a caller can chmod. */
if (ia_valid & ATTR_MODE) {
- if (!inode_owner_or_capable(inode))
+ if (!inode_owner_permitted_or_capable(inode, MAY_CHMOD))
return -EPERM;
/* Also check the setgid bit! */
if (!in_group_p((ia_valid & ATTR_GID) ? attr->ia_gid :
@@ -73,7 +128,7 @@ int inode_change_ok(struct inode *inode, struct iattr *attr)
/* Check for setting the inode time. */
if (ia_valid & (ATTR_MTIME_SET | ATTR_ATIME_SET | ATTR_TIMES_SET)) {
- if (!inode_owner_or_capable(inode))
+ if (!inode_owner_permitted_or_capable(inode, MAY_SET_TIMES))
return -EPERM;
}
diff --git a/include/linux/fs.h b/include/linux/fs.h
index aae46e0..cfffdaf 100644
--- a/include/linux/fs.h
+++ b/include/linux/fs.h
@@ -85,6 +85,9 @@ typedef void (dax_iodone_t)(struct buffer_head *bh_map, int uptodate);
#define MAY_CREATE_DIR 0x00000200
#define MAY_DELETE_CHILD 0x00000400
#define MAY_DELETE_SELF 0x00000800
+#define MAY_TAKE_OWNERSHIP 0x00001000
+#define MAY_CHMOD 0x00002000
+#define MAY_SET_TIMES 0x00004000
/*
* flags in file.f_mode. Note that FMODE_READ and FMODE_WRITE must correspond
--
2.4.3
next prev parent reply other threads:[~2015-07-22 13:23 UTC|newest]
Thread overview: 46+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-07-22 13:02 [PATCH v5 00/39] Richacls Andreas Gruenbacher
2015-07-22 13:02 ` [PATCH v5 01/39] vfs: Add IS_ACL() and IS_RICHACL() tests Andreas Gruenbacher
2015-07-22 13:02 ` [PATCH v5 02/39] vfs: Add MAY_CREATE_FILE and MAY_CREATE_DIR permission flags Andreas Gruenbacher
2015-07-22 13:02 ` Andreas Gruenbacher
2015-07-22 13:02 ` [PATCH v5 03/39] vfs: Add MAY_DELETE_SELF and MAY_DELETE_CHILD " Andreas Gruenbacher
2015-07-22 13:02 ` [PATCH v5 04/39] vfs: Make the inode passed to inode_change_ok non-const Andreas Gruenbacher
2015-07-22 13:02 ` Andreas Gruenbacher [this message]
2015-07-22 13:02 ` [PATCH v5 06/39] richacl: In-memory representation and helper functions Andreas Gruenbacher
2015-07-22 13:02 ` [PATCH v5 07/39] richacl: Permission mapping functions Andreas Gruenbacher
2015-07-22 13:02 ` [PATCH v5 08/39] richacl: Compute maximum file masks from an acl Andreas Gruenbacher
2015-07-22 13:02 ` [PATCH v5 09/39] richacl: Update the file masks in chmod() Andreas Gruenbacher
2015-07-22 13:03 ` [PATCH v5 10/39] richacl: Permission check algorithm Andreas Gruenbacher
2015-07-22 13:03 ` Andreas Gruenbacher
2015-07-22 13:03 ` [PATCH v5 11/39] vfs: Cache base_acl objects in inodes Andreas Gruenbacher
2015-07-22 13:03 ` [PATCH v5 12/39] vfs: Cache richacl in struct inode Andreas Gruenbacher
2015-07-22 13:03 ` [PATCH v5 13/39] richacl: Check if an acl is equivalent to a file mode Andreas Gruenbacher
2015-07-22 13:03 ` [PATCH v5 14/39] richacl: Create-time inheritance Andreas Gruenbacher
2015-07-22 13:03 ` [PATCH v5 15/39] richacl: Automatic Inheritance Andreas Gruenbacher
2015-07-22 13:03 ` [PATCH v5 16/39] richacl: xattr mapping functions Andreas Gruenbacher
2015-07-22 13:03 ` [PATCH v5 17/39] vfs: Add richacl permission checking Andreas Gruenbacher
2015-07-22 13:03 ` [PATCH v5 18/39] ext4: Add richacl support Andreas Gruenbacher
2015-07-22 13:03 ` [PATCH v5 19/39] ext4: Add richacl feature flag Andreas Gruenbacher
2015-07-22 13:03 ` [PATCH v5 20/39] richacl: acl editing helper functions Andreas Gruenbacher
2015-07-22 13:03 ` Andreas Gruenbacher
2015-07-22 13:03 ` [PATCH v5 21/39] richacl: Move everyone@ aces down the acl Andreas Gruenbacher
2015-07-22 13:03 ` [PATCH v5 22/39] richacl: Propagate everyone@ permissions to other aces Andreas Gruenbacher
2015-07-22 13:03 ` [PATCH v5 23/39] richacl: Set the owner permissions to the owner mask Andreas Gruenbacher
2015-07-22 13:03 ` [PATCH v5 24/39] richacl: Set the other permissions to the other mask Andreas Gruenbacher
2015-07-22 13:03 ` [PATCH v5 25/39] richacl: Isolate the owner and group classes Andreas Gruenbacher
2015-07-22 13:03 ` [PATCH v5 26/39] richacl: Apply the file masks to a richacl Andreas Gruenbacher
2015-07-22 13:03 ` [PATCH v5 27/39] richacl: Create richacl from mode values Andreas Gruenbacher
2015-07-22 13:03 ` [PATCH v5 28/39] nfsd: Keep list of acls to dispose of in compoundargs Andreas Gruenbacher
2015-07-22 13:03 ` [PATCH v5 29/39] nfsd: Use richacls as internal acl representation Andreas Gruenbacher
2015-07-22 13:03 ` [PATCH v5 30/39] nfsd: Add richacl support Andreas Gruenbacher
2015-07-22 13:03 ` [PATCH v5 31/39] nfsd: Add support for the v4.1 dacl attribute Andreas Gruenbacher
2015-07-22 13:03 ` [PATCH v5 32/39] richacl: Add support for unmapped identifiers Andreas Gruenbacher
2015-07-22 13:03 ` [PATCH v5 33/39] ext4: Don't allow unmapped identifiers in richacls Andreas Gruenbacher
2015-07-22 13:03 ` [PATCH v5 34/39] sunrpc: Allow to demand-allocate pages to encode into Andreas Gruenbacher
2015-07-22 13:03 ` [PATCH v5 35/39] sunrpc: Add xdr_init_encode_pages Andreas Gruenbacher
2015-07-22 13:03 ` [PATCH v5 36/39] nfs: Fix GETATTR bitmap verification Andreas Gruenbacher
2015-07-22 13:03 ` [PATCH v5 37/39] nfs: Remove unused xdr page offsets in getacl/setacl arguments Andreas Gruenbacher
2015-07-22 13:03 ` [PATCH v5 38/39] nfs: Add richacl support Andreas Gruenbacher
2015-07-22 13:03 ` [PATCH v5 39/39] nfs: Add support for the v4.1 dacl attribute Andreas Gruenbacher
2015-07-22 15:57 ` Anna Schumaker
2015-07-22 15:57 ` Anna Schumaker
2015-07-22 16:08 ` Andreas Grünbacher
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1437570209-29832-6-git-send-email-andreas.gruenbacher@gmail.com \
--to=andreas.gruenbacher@gmail.com \
--cc=agruenba@redhat.com \
--cc=linux-api@vger.kernel.org \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-nfs@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=samba-technical@lists.samba.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.