From: Andreas Gruenbacher <agruenba-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
To: bfields-uC3wQj2KruNg9hUCZPvPmw@public.gmane.org (J. Bruce Fields)
Cc: linux-kernel-u79uwXL29TY76Z2rM5mHXA@public.gmane.org,
linux-fsdevel-u79uwXL29TY76Z2rM5mHXA@public.gmane.org,
linux-nfs-u79uwXL29TY76Z2rM5mHXA@public.gmane.org,
linux-api-u79uwXL29TY76Z2rM5mHXA@public.gmane.org,
linux-cifs-u79uwXL29TY76Z2rM5mHXA@public.gmane.org,
linux-security-module-u79uwXL29TY76Z2rM5mHXA@public.gmane.org
Subject: Re: [PATCH] richacl: Possible other write-through fix
Date: Fri, 25 Sep 2015 18:45:59 +0200 [thread overview]
Message-ID: <1443199559-4870-1-git-send-email-agruenba@redhat.com> (raw)
In-Reply-To: <20150924183310.GE3823-uC3wQj2KruNg9hUCZPvPmw@public.gmane.org>
2015-09-24 20:33 GMT+02:00 J. Bruce Fields <bfields-uC3wQj2KruNg9hUCZPvPmw@public.gmane.org>:
> On Sat, Sep 05, 2015 at 12:27:21PM +0200, Andreas Gruenbacher wrote:
>> +int
>> +richacl_apply_masks(struct richacl **acl, kuid_t owner)
>> +{
>> + if ((*acl)->a_flags & RICHACL_MASKED) {
>> + struct richacl_alloc alloc = {
>> + .acl = richacl_clone(*acl, GFP_KERNEL),
>> + .count = (*acl)->a_count,
>> + };
>> + if (!alloc.acl)
>> + return -ENOMEM;
>> +
>> + if (richacl_move_everyone_aces_down(&alloc) ||
>> + richacl_propagate_everyone(&alloc) ||
>> + __richacl_apply_masks(&alloc, owner) ||
>> + richacl_set_owner_permissions(&alloc) ||
>> + richacl_set_other_permissions(&alloc) ||
>
> Hm, I'm a little unsure about this step: it seems like the one step that
> can actually change the permissions (making them more permissive, in
> this case), whereas the others are neutral.
>
> The following two steps should fix that, but I'm not sure they do.
>
> E.g. if I have an ACL like
>
> mask 0777, WRITE_THROUGH
> GROUP@:r--::allow
>
> I think it should result in
>
> OWNER@: rwx::allow
> GROUP@: -wx::deny
> GROUP@: r--::allow
> EVERYONE@:rwx::allow
>
> But does the GROUP@ deny actually get in there? It looks to me like the
> denies inserted by richacl_isolate_group_class only take into account
> the group mask, not the actual permissions granted to any group class
> user.
>
> I may be mising something.
Thanks for the test case and analysis. The group@ deny ace that should be
inserted here actually doesn't get inserted. I'm attaching a fix.
---
By the way, all those scenarios can easily be tries out using the test
suite in the user-space richacl package, even without a richacl enabled
kernel. In this case, without the fix, we get:
$ make tests/richacl-apply-masks
$ tests/richacl-apply-masks -m 777 group@:r::allow
group@:r::allow
everyone@:rwpx::allow
With the fix, we are now getting:
$ tests/richacl-apply-masks -m 777 group@:r::allow
owner@:rwpx::allow
group@:r::allow
group@:wpx::deny
everyone@:rwpx::allow
Thanks,
Andreas
diff --git a/fs/richacl_compat.c b/fs/richacl_compat.c
index 726d796..bc0bcfe 100644
--- a/fs/richacl_compat.c
+++ b/fs/richacl_compat.c
@@ -463,23 +463,28 @@ richacl_set_owner_permissions(struct richacl_alloc *alloc)
/**
* richacl_set_other_permissions - set the other permissions to the other mask
+ * @alloc: acl and number of allocated entries
+ * @added: permissions added for everyone@
*
* Change the acl so that everyone@ is granted the permissions set in the other
* mask. This leaves at most one efective everyone@ allow entry at the end of
- * the acl.
+ * the acl. If everyone@ end up being granted additional permissions, these
+ * permissions are returned in @added.
*/
static int
-richacl_set_other_permissions(struct richacl_alloc *alloc)
+richacl_set_other_permissions(struct richacl_alloc *alloc, unsigned int *added)
{
struct richacl *acl = alloc->acl;
unsigned int x = RICHACE_POSIX_ALWAYS_ALLOWED;
unsigned int other_mask = acl->a_other_mask & ~x;
- struct richace *ace = acl->a_entries + acl->a_count - 1;
+ struct richace *ace;
if (!(other_mask &&
(acl->a_flags & RICHACL_WRITE_THROUGH)))
return 0;
+ *added = other_mask;
+ ace = acl->a_entries + acl->a_count - 1;
if (acl->a_count == 0 ||
!richace_is_everyone(ace) ||
richace_is_inherit_only(ace)) {
@@ -490,8 +495,10 @@ richacl_set_other_permissions(struct richacl_alloc *alloc)
ace->e_flags = RICHACE_SPECIAL_WHO;
ace->e_mask = other_mask;
ace->e_id.special = RICHACE_EVERYONE_SPECIAL_ID;
- } else
+ } else {
+ *added &= ~ace->e_mask;
richace_change_mask(alloc, &ace, other_mask);
+ }
return 0;
}
@@ -645,6 +652,7 @@ __richacl_isolate_who(struct richacl_alloc *alloc, struct richace *who,
/**
* richacl_isolate_group_class - limit the group class to the group file mask
* @alloc: acl and number of allocated entries
+ * @deny: additional permissions to deny
*
* POSIX requires that after a chmod, the group class is granted no more
* permissions than the group file permission bits. For richacls, this
@@ -679,21 +687,20 @@ __richacl_isolate_who(struct richacl_alloc *alloc, struct richace *who,
* everyone@:rw::allow
*/
static int
-richacl_isolate_group_class(struct richacl_alloc *alloc)
+richacl_isolate_group_class(struct richacl_alloc *alloc, unsigned int deny)
{
struct richace who = {
.e_flags = RICHACE_SPECIAL_WHO,
.e_id.special = RICHACE_GROUP_SPECIAL_ID,
};
struct richace *ace;
- unsigned int deny;
if (!alloc->acl->a_count)
return 0;
ace = alloc->acl->a_entries + alloc->acl->a_count - 1;
if (richace_is_inherit_only(ace) || !richace_is_everyone(ace))
return 0;
- deny = ace->e_mask & ~alloc->acl->a_group_mask;
+ deny |= ace->e_mask & ~alloc->acl->a_group_mask;
if (deny) {
unsigned int n;
@@ -806,16 +813,17 @@ richacl_apply_masks(struct richacl **acl, kuid_t owner)
.acl = richacl_clone(*acl, GFP_KERNEL),
.count = (*acl)->a_count,
};
+ unsigned int added = 0;
+
if (!alloc.acl)
return -ENOMEM;
-
if (richacl_move_everyone_aces_down(&alloc) ||
richacl_propagate_everyone(&alloc) ||
__richacl_apply_masks(&alloc, owner) ||
+ richacl_set_other_permissions(&alloc, &added) ||
+ richacl_isolate_group_class(&alloc, added) ||
richacl_set_owner_permissions(&alloc) ||
- richacl_set_other_permissions(&alloc) ||
- richacl_isolate_owner_class(&alloc) ||
- richacl_isolate_group_class(&alloc)) {
+ richacl_isolate_owner_class(&alloc)) {
richacl_put(alloc.acl);
return -ENOMEM;
}
--
2.4.3
WARNING: multiple messages have this Message-ID (diff)
From: Andreas Gruenbacher <agruenba@redhat.com>
To: bfields@fieldses.org (J. Bruce Fields)
Cc: linux-kernel@vger.kernel.org, linux-fsdevel@vger.kernel.org,
linux-nfs@vger.kernel.org, linux-api@vger.kernel.org,
linux-cifs@vger.kernel.org,
linux-security-module@vger.kernel.org
Subject: Re: [PATCH] richacl: Possible other write-through fix
Date: Fri, 25 Sep 2015 18:45:59 +0200 [thread overview]
Message-ID: <1443199559-4870-1-git-send-email-agruenba@redhat.com> (raw)
In-Reply-To: <20150924183310.GE3823@fieldses.org>
2015-09-24 20:33 GMT+02:00 J. Bruce Fields <bfields@fieldses.org>:
> On Sat, Sep 05, 2015 at 12:27:21PM +0200, Andreas Gruenbacher wrote:
>> +int
>> +richacl_apply_masks(struct richacl **acl, kuid_t owner)
>> +{
>> + if ((*acl)->a_flags & RICHACL_MASKED) {
>> + struct richacl_alloc alloc = {
>> + .acl = richacl_clone(*acl, GFP_KERNEL),
>> + .count = (*acl)->a_count,
>> + };
>> + if (!alloc.acl)
>> + return -ENOMEM;
>> +
>> + if (richacl_move_everyone_aces_down(&alloc) ||
>> + richacl_propagate_everyone(&alloc) ||
>> + __richacl_apply_masks(&alloc, owner) ||
>> + richacl_set_owner_permissions(&alloc) ||
>> + richacl_set_other_permissions(&alloc) ||
>
> Hm, I'm a little unsure about this step: it seems like the one step that
> can actually change the permissions (making them more permissive, in
> this case), whereas the others are neutral.
>
> The following two steps should fix that, but I'm not sure they do.
>
> E.g. if I have an ACL like
>
> mask 0777, WRITE_THROUGH
> GROUP@:r--::allow
>
> I think it should result in
>
> OWNER@: rwx::allow
> GROUP@: -wx::deny
> GROUP@: r--::allow
> EVERYONE@:rwx::allow
>
> But does the GROUP@ deny actually get in there? It looks to me like the
> denies inserted by richacl_isolate_group_class only take into account
> the group mask, not the actual permissions granted to any group class
> user.
>
> I may be mising something.
Thanks for the test case and analysis. The group@ deny ace that should be
inserted here actually doesn't get inserted. I'm attaching a fix.
---
By the way, all those scenarios can easily be tries out using the test
suite in the user-space richacl package, even without a richacl enabled
kernel. In this case, without the fix, we get:
$ make tests/richacl-apply-masks
$ tests/richacl-apply-masks -m 777 group@:r::allow
group@:r::allow
everyone@:rwpx::allow
With the fix, we are now getting:
$ tests/richacl-apply-masks -m 777 group@:r::allow
owner@:rwpx::allow
group@:r::allow
group@:wpx::deny
everyone@:rwpx::allow
Thanks,
Andreas
diff --git a/fs/richacl_compat.c b/fs/richacl_compat.c
index 726d796..bc0bcfe 100644
--- a/fs/richacl_compat.c
+++ b/fs/richacl_compat.c
@@ -463,23 +463,28 @@ richacl_set_owner_permissions(struct richacl_alloc *alloc)
/**
* richacl_set_other_permissions - set the other permissions to the other mask
+ * @alloc: acl and number of allocated entries
+ * @added: permissions added for everyone@
*
* Change the acl so that everyone@ is granted the permissions set in the other
* mask. This leaves at most one efective everyone@ allow entry at the end of
- * the acl.
+ * the acl. If everyone@ end up being granted additional permissions, these
+ * permissions are returned in @added.
*/
static int
-richacl_set_other_permissions(struct richacl_alloc *alloc)
+richacl_set_other_permissions(struct richacl_alloc *alloc, unsigned int *added)
{
struct richacl *acl = alloc->acl;
unsigned int x = RICHACE_POSIX_ALWAYS_ALLOWED;
unsigned int other_mask = acl->a_other_mask & ~x;
- struct richace *ace = acl->a_entries + acl->a_count - 1;
+ struct richace *ace;
if (!(other_mask &&
(acl->a_flags & RICHACL_WRITE_THROUGH)))
return 0;
+ *added = other_mask;
+ ace = acl->a_entries + acl->a_count - 1;
if (acl->a_count == 0 ||
!richace_is_everyone(ace) ||
richace_is_inherit_only(ace)) {
@@ -490,8 +495,10 @@ richacl_set_other_permissions(struct richacl_alloc *alloc)
ace->e_flags = RICHACE_SPECIAL_WHO;
ace->e_mask = other_mask;
ace->e_id.special = RICHACE_EVERYONE_SPECIAL_ID;
- } else
+ } else {
+ *added &= ~ace->e_mask;
richace_change_mask(alloc, &ace, other_mask);
+ }
return 0;
}
@@ -645,6 +652,7 @@ __richacl_isolate_who(struct richacl_alloc *alloc, struct richace *who,
/**
* richacl_isolate_group_class - limit the group class to the group file mask
* @alloc: acl and number of allocated entries
+ * @deny: additional permissions to deny
*
* POSIX requires that after a chmod, the group class is granted no more
* permissions than the group file permission bits. For richacls, this
@@ -679,21 +687,20 @@ __richacl_isolate_who(struct richacl_alloc *alloc, struct richace *who,
* everyone@:rw::allow
*/
static int
-richacl_isolate_group_class(struct richacl_alloc *alloc)
+richacl_isolate_group_class(struct richacl_alloc *alloc, unsigned int deny)
{
struct richace who = {
.e_flags = RICHACE_SPECIAL_WHO,
.e_id.special = RICHACE_GROUP_SPECIAL_ID,
};
struct richace *ace;
- unsigned int deny;
if (!alloc->acl->a_count)
return 0;
ace = alloc->acl->a_entries + alloc->acl->a_count - 1;
if (richace_is_inherit_only(ace) || !richace_is_everyone(ace))
return 0;
- deny = ace->e_mask & ~alloc->acl->a_group_mask;
+ deny |= ace->e_mask & ~alloc->acl->a_group_mask;
if (deny) {
unsigned int n;
@@ -806,16 +813,17 @@ richacl_apply_masks(struct richacl **acl, kuid_t owner)
.acl = richacl_clone(*acl, GFP_KERNEL),
.count = (*acl)->a_count,
};
+ unsigned int added = 0;
+
if (!alloc.acl)
return -ENOMEM;
-
if (richacl_move_everyone_aces_down(&alloc) ||
richacl_propagate_everyone(&alloc) ||
__richacl_apply_masks(&alloc, owner) ||
+ richacl_set_other_permissions(&alloc, &added) ||
+ richacl_isolate_group_class(&alloc, added) ||
richacl_set_owner_permissions(&alloc) ||
- richacl_set_other_permissions(&alloc) ||
- richacl_isolate_owner_class(&alloc) ||
- richacl_isolate_group_class(&alloc)) {
+ richacl_isolate_owner_class(&alloc)) {
richacl_put(alloc.acl);
return -ENOMEM;
}
--
2.4.3
WARNING: multiple messages have this Message-ID (diff)
From: Andreas Gruenbacher <agruenba-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
To: "J. Bruce Fields" <bfields-uC3wQj2KruNg9hUCZPvPmw@public.gmane.org>
Cc: linux-kernel-u79uwXL29TY76Z2rM5mHXA@public.gmane.org,
linux-fsdevel-u79uwXL29TY76Z2rM5mHXA@public.gmane.org,
linux-nfs-u79uwXL29TY76Z2rM5mHXA@public.gmane.org,
linux-api-u79uwXL29TY76Z2rM5mHXA@public.gmane.org,
linux-cifs-u79uwXL29TY76Z2rM5mHXA@public.gmane.org,
linux-security-module-u79uwXL29TY76Z2rM5mHXA@public.gmane.org
Subject: Re: [PATCH] richacl: Possible other write-through fix
Date: Fri, 25 Sep 2015 18:45:59 +0200 [thread overview]
Message-ID: <1443199559-4870-1-git-send-email-agruenba@redhat.com> (raw)
In-Reply-To: <20150924183310.GE3823-uC3wQj2KruNg9hUCZPvPmw@public.gmane.org>
2015-09-24 20:33 GMT+02:00 J. Bruce Fields <bfields-uC3wQj2KruNg9hUCZPvPmw@public.gmane.org>:
> On Sat, Sep 05, 2015 at 12:27:21PM +0200, Andreas Gruenbacher wrote:
>> +int
>> +richacl_apply_masks(struct richacl **acl, kuid_t owner)
>> +{
>> + if ((*acl)->a_flags & RICHACL_MASKED) {
>> + struct richacl_alloc alloc = {
>> + .acl = richacl_clone(*acl, GFP_KERNEL),
>> + .count = (*acl)->a_count,
>> + };
>> + if (!alloc.acl)
>> + return -ENOMEM;
>> +
>> + if (richacl_move_everyone_aces_down(&alloc) ||
>> + richacl_propagate_everyone(&alloc) ||
>> + __richacl_apply_masks(&alloc, owner) ||
>> + richacl_set_owner_permissions(&alloc) ||
>> + richacl_set_other_permissions(&alloc) ||
>
> Hm, I'm a little unsure about this step: it seems like the one step that
> can actually change the permissions (making them more permissive, in
> this case), whereas the others are neutral.
>
> The following two steps should fix that, but I'm not sure they do.
>
> E.g. if I have an ACL like
>
> mask 0777, WRITE_THROUGH
> GROUP@:r--::allow
>
> I think it should result in
>
> OWNER@: rwx::allow
> GROUP@: -wx::deny
> GROUP@: r--::allow
> EVERYONE@:rwx::allow
>
> But does the GROUP@ deny actually get in there? It looks to me like the
> denies inserted by richacl_isolate_group_class only take into account
> the group mask, not the actual permissions granted to any group class
> user.
>
> I may be mising something.
Thanks for the test case and analysis. The group@ deny ace that should be
inserted here actually doesn't get inserted. I'm attaching a fix.
---
By the way, all those scenarios can easily be tries out using the test
suite in the user-space richacl package, even without a richacl enabled
kernel. In this case, without the fix, we get:
$ make tests/richacl-apply-masks
$ tests/richacl-apply-masks -m 777 group@:r::allow
group@:r::allow
everyone@:rwpx::allow
With the fix, we are now getting:
$ tests/richacl-apply-masks -m 777 group@:r::allow
owner@:rwpx::allow
group@:r::allow
group@:wpx::deny
everyone@:rwpx::allow
Thanks,
Andreas
diff --git a/fs/richacl_compat.c b/fs/richacl_compat.c
index 726d796..bc0bcfe 100644
--- a/fs/richacl_compat.c
+++ b/fs/richacl_compat.c
@@ -463,23 +463,28 @@ richacl_set_owner_permissions(struct richacl_alloc *alloc)
/**
* richacl_set_other_permissions - set the other permissions to the other mask
+ * @alloc: acl and number of allocated entries
+ * @added: permissions added for everyone@
*
* Change the acl so that everyone@ is granted the permissions set in the other
* mask. This leaves at most one efective everyone@ allow entry at the end of
- * the acl.
+ * the acl. If everyone@ end up being granted additional permissions, these
+ * permissions are returned in @added.
*/
static int
-richacl_set_other_permissions(struct richacl_alloc *alloc)
+richacl_set_other_permissions(struct richacl_alloc *alloc, unsigned int *added)
{
struct richacl *acl = alloc->acl;
unsigned int x = RICHACE_POSIX_ALWAYS_ALLOWED;
unsigned int other_mask = acl->a_other_mask & ~x;
- struct richace *ace = acl->a_entries + acl->a_count - 1;
+ struct richace *ace;
if (!(other_mask &&
(acl->a_flags & RICHACL_WRITE_THROUGH)))
return 0;
+ *added = other_mask;
+ ace = acl->a_entries + acl->a_count - 1;
if (acl->a_count == 0 ||
!richace_is_everyone(ace) ||
richace_is_inherit_only(ace)) {
@@ -490,8 +495,10 @@ richacl_set_other_permissions(struct richacl_alloc *alloc)
ace->e_flags = RICHACE_SPECIAL_WHO;
ace->e_mask = other_mask;
ace->e_id.special = RICHACE_EVERYONE_SPECIAL_ID;
- } else
+ } else {
+ *added &= ~ace->e_mask;
richace_change_mask(alloc, &ace, other_mask);
+ }
return 0;
}
@@ -645,6 +652,7 @@ __richacl_isolate_who(struct richacl_alloc *alloc, struct richace *who,
/**
* richacl_isolate_group_class - limit the group class to the group file mask
* @alloc: acl and number of allocated entries
+ * @deny: additional permissions to deny
*
* POSIX requires that after a chmod, the group class is granted no more
* permissions than the group file permission bits. For richacls, this
@@ -679,21 +687,20 @@ __richacl_isolate_who(struct richacl_alloc *alloc, struct richace *who,
* everyone@:rw::allow
*/
static int
-richacl_isolate_group_class(struct richacl_alloc *alloc)
+richacl_isolate_group_class(struct richacl_alloc *alloc, unsigned int deny)
{
struct richace who = {
.e_flags = RICHACE_SPECIAL_WHO,
.e_id.special = RICHACE_GROUP_SPECIAL_ID,
};
struct richace *ace;
- unsigned int deny;
if (!alloc->acl->a_count)
return 0;
ace = alloc->acl->a_entries + alloc->acl->a_count - 1;
if (richace_is_inherit_only(ace) || !richace_is_everyone(ace))
return 0;
- deny = ace->e_mask & ~alloc->acl->a_group_mask;
+ deny |= ace->e_mask & ~alloc->acl->a_group_mask;
if (deny) {
unsigned int n;
@@ -806,16 +813,17 @@ richacl_apply_masks(struct richacl **acl, kuid_t owner)
.acl = richacl_clone(*acl, GFP_KERNEL),
.count = (*acl)->a_count,
};
+ unsigned int added = 0;
+
if (!alloc.acl)
return -ENOMEM;
-
if (richacl_move_everyone_aces_down(&alloc) ||
richacl_propagate_everyone(&alloc) ||
__richacl_apply_masks(&alloc, owner) ||
+ richacl_set_other_permissions(&alloc, &added) ||
+ richacl_isolate_group_class(&alloc, added) ||
richacl_set_owner_permissions(&alloc) ||
- richacl_set_other_permissions(&alloc) ||
- richacl_isolate_owner_class(&alloc) ||
- richacl_isolate_group_class(&alloc)) {
+ richacl_isolate_owner_class(&alloc)) {
richacl_put(alloc.acl);
return -ENOMEM;
}
--
2.4.3
next prev parent reply other threads:[~2015-09-25 16:45 UTC|newest]
Thread overview: 188+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-09-05 10:26 [RFC v7 00/41] Richacls Andreas Gruenbacher
2015-09-05 10:26 ` Andreas Gruenbacher
2015-09-05 10:26 ` [RFC v7 04/41] vfs: Make the inode passed to inode_change_ok non-const Andreas Gruenbacher
2015-09-05 10:27 ` [RFC v7 05/41] vfs: Add permission flags for setting file attributes Andreas Gruenbacher
2015-09-05 10:27 ` [RFC v7 06/41] richacl: In-memory representation and helper functions Andreas Gruenbacher
2015-09-05 10:27 ` [RFC v7 07/41] richacl: Permission mapping functions Andreas Gruenbacher
[not found] ` <1441448856-13478-1-git-send-email-agruenba-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
2015-09-05 10:26 ` [RFC v7 01/41] vfs: Add IS_ACL() and IS_RICHACL() tests Andreas Gruenbacher
2015-09-05 10:26 ` Andreas Gruenbacher
2015-09-05 10:26 ` [RFC v7 02/41] vfs: Add MAY_CREATE_FILE and MAY_CREATE_DIR permission flags Andreas Gruenbacher
2015-09-05 10:26 ` Andreas Gruenbacher
2015-09-05 10:26 ` [RFC v7 03/41] vfs: Add MAY_DELETE_SELF and MAY_DELETE_CHILD " Andreas Gruenbacher
2015-09-05 10:26 ` Andreas Gruenbacher
2015-09-06 8:14 ` [PATCH] " Andreas Gruenbacher
[not found] ` <1441527246-18189-1-git-send-email-agruenba-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
2015-09-11 20:30 ` J. Bruce Fields
2015-09-11 20:30 ` J. Bruce Fields
2015-09-05 10:27 ` [RFC v7 08/41] richacl: Compute maximum file masks from an acl Andreas Gruenbacher
2015-09-05 10:27 ` Andreas Gruenbacher
2015-09-05 10:27 ` [RFC v7 09/41] richacl: Update the file masks in chmod() Andreas Gruenbacher
2015-09-05 10:27 ` Andreas Gruenbacher
[not found] ` <1441448856-13478-10-git-send-email-agruenba-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
2015-09-11 20:35 ` J. Bruce Fields
2015-09-11 20:35 ` J. Bruce Fields
2015-09-05 10:27 ` [RFC v7 10/41] richacl: Permission check algorithm Andreas Gruenbacher
2015-09-05 10:27 ` Andreas Gruenbacher
[not found] ` <1441448856-13478-11-git-send-email-agruenba-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
2015-09-11 21:16 ` J. Bruce Fields
2015-09-11 21:16 ` J. Bruce Fields
[not found] ` <20150911211617.GF11677-uC3wQj2KruNg9hUCZPvPmw@public.gmane.org>
2015-09-11 22:12 ` Andreas Grünbacher
2015-09-11 22:12 ` Andreas Grünbacher
2015-09-17 17:30 ` J. Bruce Fields
2015-09-05 10:27 ` [RFC v7 11/41] vfs: Cache base_acl objects in inodes Andreas Gruenbacher
2015-09-05 10:27 ` Andreas Gruenbacher
2015-09-05 10:27 ` [RFC v7 13/41] richacl: Check if an acl is equivalent to a file mode Andreas Gruenbacher
2015-09-05 10:27 ` Andreas Gruenbacher
2015-09-17 18:22 ` J. Bruce Fields
[not found] ` <20150917182219.GB13825-uC3wQj2KruNg9hUCZPvPmw@public.gmane.org>
2015-09-18 0:56 ` J. Bruce Fields
2015-09-18 0:56 ` J. Bruce Fields
[not found] ` <20150918005607.GB16699-uC3wQj2KruNg9hUCZPvPmw@public.gmane.org>
2015-09-21 13:59 ` Austin S Hemmelgarn
2015-09-21 13:59 ` Austin S Hemmelgarn
[not found] ` <56000D2B.6000705-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>
2015-09-21 14:38 ` J. Bruce Fields
2015-09-21 14:38 ` J. Bruce Fields
[not found] ` <20150921143817.GA11256-uC3wQj2KruNg9hUCZPvPmw@public.gmane.org>
2015-09-21 17:00 ` Austin S Hemmelgarn
2015-09-21 17:00 ` Austin S Hemmelgarn
2015-09-21 17:48 ` J. Bruce Fields
2015-09-21 15:31 ` J. Bruce Fields
2015-09-21 15:31 ` J. Bruce Fields
2015-09-21 23:26 ` Andreas Gruenbacher
2015-09-21 23:26 ` Andreas Gruenbacher
2015-09-21 23:20 ` Andreas Gruenbacher
2015-09-17 18:37 ` J. Bruce Fields
2015-09-05 10:27 ` [RFC v7 14/41] richacl: Create-time inheritance Andreas Gruenbacher
2015-09-05 10:27 ` Andreas Gruenbacher
[not found] ` <1441448856-13478-15-git-send-email-agruenba-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
2015-09-18 17:58 ` J. Bruce Fields
2015-09-18 17:58 ` J. Bruce Fields
[not found] ` <20150918175840.GA21506-uC3wQj2KruNg9hUCZPvPmw@public.gmane.org>
2015-09-21 20:37 ` Andreas Gruenbacher
2015-09-21 20:37 ` Andreas Gruenbacher
2015-09-05 10:27 ` [RFC v7 17/41] vfs: Add richacl permission checking Andreas Gruenbacher
2015-09-05 10:27 ` Andreas Gruenbacher
2015-09-05 10:27 ` [RFC v7 19/41] ext4: Add richacl feature flag Andreas Gruenbacher
2015-09-05 10:27 ` Andreas Gruenbacher
2015-09-23 2:31 ` Aneesh Kumar K.V
2015-09-05 10:27 ` [RFC v7 20/41] richacl: acl editing helper functions Andreas Gruenbacher
2015-09-05 10:27 ` Andreas Gruenbacher
[not found] ` <1441448856-13478-21-git-send-email-agruenba-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
2015-09-18 18:54 ` J. Bruce Fields
2015-09-18 18:54 ` J. Bruce Fields
2015-09-05 10:27 ` [RFC v7 22/41] richacl: Propagate everyone@ permissions to other aces Andreas Gruenbacher
2015-09-05 10:27 ` Andreas Gruenbacher
[not found] ` <1441448856-13478-23-git-send-email-agruenba-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
2015-09-18 21:36 ` J. Bruce Fields
2015-09-18 21:36 ` J. Bruce Fields
[not found] ` <20150918213611.GC22671-uC3wQj2KruNg9hUCZPvPmw@public.gmane.org>
2015-09-21 23:44 ` Andreas Gruenbacher
2015-09-21 23:44 ` Andreas Gruenbacher
2015-09-18 21:56 ` J. Bruce Fields
2015-09-18 21:56 ` J. Bruce Fields
[not found] ` <20150918215611.GD22671-uC3wQj2KruNg9hUCZPvPmw@public.gmane.org>
2015-09-21 19:24 ` J. Bruce Fields
2015-09-21 19:24 ` J. Bruce Fields
[not found] ` <20150921192441.GA12968-uC3wQj2KruNg9hUCZPvPmw@public.gmane.org>
2015-09-23 1:24 ` Andreas Gruenbacher
2015-09-23 1:24 ` Andreas Gruenbacher
[not found] ` <CAHc6FU5Ug3rN2-znFeABpdn+LCHgvzOnSRB4BCepNS6mToJVZg-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2015-09-23 1:39 ` Andreas Gruenbacher
2015-09-23 1:39 ` Andreas Gruenbacher
[not found] ` <1442972384-22757-1-git-send-email-agruenba-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
2015-09-23 1:46 ` J. Bruce Fields
2015-09-23 1:46 ` J. Bruce Fields
2015-09-05 10:27 ` [RFC v7 24/41] richacl: Set the other permissions to the other mask Andreas Gruenbacher
2015-09-05 10:27 ` Andreas Gruenbacher
2015-09-23 14:03 ` J. Bruce Fields
[not found] ` <20150923140307.GB27083-uC3wQj2KruNg9hUCZPvPmw@public.gmane.org>
2015-09-23 14:12 ` Andreas Grünbacher
2015-09-23 14:12 ` Andreas Grünbacher
2015-09-05 10:27 ` [RFC v7 25/41] richacl: Isolate the owner and group classes Andreas Gruenbacher
2015-09-05 10:27 ` Andreas Gruenbacher
[not found] ` <1441448856-13478-26-git-send-email-agruenba-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
2015-09-22 16:06 ` J. Bruce Fields
2015-09-22 16:06 ` J. Bruce Fields
[not found] ` <20150922160637.GC15838-uC3wQj2KruNg9hUCZPvPmw@public.gmane.org>
2015-09-23 13:11 ` Andreas Gruenbacher
2015-09-23 13:11 ` Andreas Gruenbacher
[not found] ` <CAHc6FU6gnPK5vdJynv0ze=mNju6V_1WuR99oXWC4Fdh2GFMVgA-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2015-09-23 13:15 ` J. Bruce Fields
2015-09-23 13:15 ` J. Bruce Fields
2015-09-22 19:02 ` J. Bruce Fields
[not found] ` <20150922190224.GA19127-uC3wQj2KruNg9hUCZPvPmw@public.gmane.org>
2015-09-23 13:33 ` Andreas Gruenbacher
2015-09-23 13:33 ` Andreas Gruenbacher
[not found] ` <CAHc6FU7_+fbyG0mEu3pUkfaV72AM0DzJnBES=b--koXJgo0a2g-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2015-09-25 11:25 ` Andreas Gruenbacher
2015-09-25 11:25 ` Andreas Gruenbacher
[not found] ` <1443180341-22911-1-git-send-email-agruenba-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
2015-09-25 20:17 ` J. Bruce Fields
2015-09-25 20:17 ` J. Bruce Fields
2015-09-22 19:02 ` J. Bruce Fields
2015-09-05 10:27 ` [RFC v7 26/41] richacl: Apply the file masks to a richacl Andreas Gruenbacher
2015-09-05 10:27 ` Andreas Gruenbacher
2015-09-22 19:11 ` J. Bruce Fields
[not found] ` <20150922191108.GC19127-uC3wQj2KruNg9hUCZPvPmw@public.gmane.org>
2015-09-23 19:18 ` J. Bruce Fields
2015-09-23 19:18 ` J. Bruce Fields
[not found] ` <20150923191832.GA29577-uC3wQj2KruNg9hUCZPvPmw@public.gmane.org>
2015-09-23 20:29 ` Andreas Gruenbacher
2015-09-23 20:29 ` Andreas Gruenbacher
[not found] ` <CAHc6FU4YkLJUAQEfH7CG8sAzXYbGzg_ibyT7m26Fc1p26v1=VQ-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2015-09-23 20:33 ` J. Bruce Fields
2015-09-23 20:33 ` J. Bruce Fields
[not found] ` <20150923203357.GC30521-uC3wQj2KruNg9hUCZPvPmw@public.gmane.org>
2015-09-23 20:40 ` Andreas Gruenbacher
2015-09-23 20:40 ` Andreas Gruenbacher
2015-09-23 21:05 ` J. Bruce Fields
[not found] ` <20150923210531.GC29349-uC3wQj2KruNg9hUCZPvPmw@public.gmane.org>
2015-09-23 22:14 ` Andreas Gruenbacher
2015-09-23 22:14 ` Andreas Gruenbacher
2015-09-24 15:28 ` J. Bruce Fields
[not found] ` <20150924152851.GC3823-uC3wQj2KruNg9hUCZPvPmw@public.gmane.org>
2015-09-24 15:48 ` Andreas Gruenbacher
2015-09-24 15:48 ` Andreas Gruenbacher
[not found] ` <1441448856-13478-27-git-send-email-agruenba-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
2015-09-22 20:50 ` J. Bruce Fields
2015-09-22 20:50 ` J. Bruce Fields
2015-09-24 18:33 ` J. Bruce Fields
2015-09-24 18:33 ` J. Bruce Fields
[not found] ` <20150924183310.GE3823-uC3wQj2KruNg9hUCZPvPmw@public.gmane.org>
2015-09-25 16:21 ` [PATCH] richacl: Possible other write-through fix Andreas Gruenbacher
2015-09-25 16:21 ` Andreas Gruenbacher
2015-09-25 16:21 ` Andreas Gruenbacher
2015-09-25 16:45 ` Andreas Gruenbacher [this message]
2015-09-25 16:45 ` Andreas Gruenbacher
2015-09-25 16:45 ` Andreas Gruenbacher
[not found] ` <1443199559-4870-1-git-send-email-agruenba-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
2015-09-25 18:36 ` J. Bruce Fields
2015-09-25 18:36 ` J. Bruce Fields
2015-09-05 10:27 ` [RFC v7 27/41] richacl: Create richacl from mode values Andreas Gruenbacher
2015-09-05 10:27 ` Andreas Gruenbacher
[not found] ` <1441448856-13478-28-git-send-email-agruenba-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
2015-09-23 20:11 ` J. Bruce Fields
2015-09-23 20:11 ` J. Bruce Fields
2015-09-05 10:27 ` [RFC v7 28/41] nfsd: Keep list of acls to dispose of in compoundargs Andreas Gruenbacher
2015-09-05 10:27 ` Andreas Gruenbacher
[not found] ` <1441448856-13478-29-git-send-email-agruenba-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
2015-09-23 20:28 ` J. Bruce Fields
2015-09-23 20:28 ` J. Bruce Fields
2015-09-05 10:27 ` [RFC v7 29/41] nfsd: Use richacls as internal acl representation Andreas Gruenbacher
2015-09-05 10:27 ` Andreas Gruenbacher
[not found] ` <1441448856-13478-30-git-send-email-agruenba-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
2015-09-24 19:29 ` J. Bruce Fields
2015-09-24 19:29 ` J. Bruce Fields
2015-09-05 10:27 ` [RFC v7 30/41] nfsd: Add richacl support Andreas Gruenbacher
2015-09-05 10:27 ` Andreas Gruenbacher
2015-09-24 19:38 ` J. Bruce Fields
2015-09-05 10:27 ` [RFC v7 31/41] nfsd: Add support for the v4.1 dacl attribute Andreas Gruenbacher
2015-09-05 10:27 ` Andreas Gruenbacher
[not found] ` <1441448856-13478-32-git-send-email-agruenba-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
2015-09-24 19:59 ` J. Bruce Fields
2015-09-24 19:59 ` J. Bruce Fields
2015-09-25 16:37 ` Andreas Gruenbacher
2015-09-05 10:27 ` [RFC v7 32/41] nfsd: Add support for the MAY_CREATE_{FILE,DIR} permissions Andreas Gruenbacher
2015-09-05 10:27 ` Andreas Gruenbacher
[not found] ` <1441448856-13478-33-git-send-email-agruenba-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
2015-09-24 20:01 ` J. Bruce Fields
2015-09-24 20:01 ` J. Bruce Fields
2015-09-05 10:27 ` [RFC v7 33/41] richacl: Add support for unmapped identifiers Andreas Gruenbacher
2015-09-05 10:27 ` Andreas Gruenbacher
2015-09-05 10:27 ` [RFC v7 35/41] sunrpc: Allow to demand-allocate pages to encode into Andreas Gruenbacher
2015-09-05 10:27 ` Andreas Gruenbacher
2015-09-05 10:27 ` [RFC v7 36/41] sunrpc: Add xdr_init_encode_pages Andreas Gruenbacher
2015-09-05 10:27 ` Andreas Gruenbacher
2015-09-05 10:27 ` [RFC v7 38/41] nfs: Remove unused xdr page offsets in getacl/setacl arguments Andreas Gruenbacher
2015-09-05 10:27 ` Andreas Gruenbacher
2015-09-05 10:27 ` [RFC v7 39/41] nfs: Add richacl support Andreas Gruenbacher
2015-09-05 10:27 ` Andreas Gruenbacher
2015-09-05 10:27 ` [RFC v7 40/41] nfs: Add support for the v4.1 dacl attribute Andreas Gruenbacher
2015-09-05 10:27 ` Andreas Gruenbacher
2015-09-05 10:27 ` [RFC v7 41/41] richacl: uapi header split Andreas Gruenbacher
2015-09-05 10:27 ` Andreas Gruenbacher
2015-09-05 10:27 ` [RFC v7 12/41] vfs: Cache richacl in struct inode Andreas Gruenbacher
2015-09-05 10:27 ` [RFC v7 15/41] richacl: Automatic Inheritance Andreas Gruenbacher
2015-09-18 18:40 ` J. Bruce Fields
2015-09-21 21:19 ` Andreas Gruenbacher
2015-09-22 1:51 ` J. Bruce Fields
[not found] ` <20150922015146.GA15960-uC3wQj2KruNg9hUCZPvPmw@public.gmane.org>
2015-09-23 13:55 ` J. Bruce Fields
2015-09-23 13:55 ` J. Bruce Fields
2015-09-05 10:27 ` [RFC v7 16/41] richacl: xattr mapping functions Andreas Gruenbacher
2015-09-05 10:27 ` [RFC v7 18/41] ext4: Add richacl support Andreas Gruenbacher
[not found] ` <1441448856-13478-19-git-send-email-agruenba-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
2015-09-23 2:30 ` Aneesh Kumar K.V
2015-09-23 2:30 ` Aneesh Kumar K.V
2015-09-05 10:27 ` [RFC v7 21/41] richacl: Move everyone@ aces down the acl Andreas Gruenbacher
2015-09-18 19:35 ` J. Bruce Fields
[not found] ` <20150918193524.GA22671-uC3wQj2KruNg9hUCZPvPmw@public.gmane.org>
2015-09-21 21:43 ` Andreas Gruenbacher
2015-09-21 21:43 ` Andreas Gruenbacher
[not found] ` <CAHc6FU5m8KKSsEg18UhRSnVdsAzoFSD9pdLRv1DdDA==ZCQmdw-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2015-09-22 1:52 ` J. Bruce Fields
2015-09-22 1:52 ` J. Bruce Fields
2015-09-05 10:27 ` [RFC v7 23/41] richacl: Set the owner permissions to the owner mask Andreas Gruenbacher
2015-09-21 21:00 ` J. Bruce Fields
2015-09-05 10:27 ` [RFC v7 34/41] ext4: Don't allow unmapped identifiers in richacls Andreas Gruenbacher
2015-09-05 10:27 ` [RFC v7 37/41] nfs: Fix GETATTR bitmap verification Andreas Gruenbacher
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1443199559-4870-1-git-send-email-agruenba@redhat.com \
--to=agruenba-h+wxahxf7alqt0dzr+alfa@public.gmane.org \
--cc=bfields-uC3wQj2KruNg9hUCZPvPmw@public.gmane.org \
--cc=linux-api-u79uwXL29TY76Z2rM5mHXA@public.gmane.org \
--cc=linux-cifs-u79uwXL29TY76Z2rM5mHXA@public.gmane.org \
--cc=linux-fsdevel-u79uwXL29TY76Z2rM5mHXA@public.gmane.org \
--cc=linux-kernel-u79uwXL29TY76Z2rM5mHXA@public.gmane.org \
--cc=linux-nfs-u79uwXL29TY76Z2rM5mHXA@public.gmane.org \
--cc=linux-security-module-u79uwXL29TY76Z2rM5mHXA@public.gmane.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.