From: Andreas Gruenbacher <agruenba-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
To: Alexander Viro
<viro-RmSDqhL/yNMiFSDQTTA3OLVCufUGDwFn@public.gmane.org>,
"Theodore Ts'o" <tytso-3s7WtUTddSA@public.gmane.org>,
Andreas Dilger
<adilger.kernel-m1MBpc4rdrD3fQ9qLvQP4Q@public.gmane.org>,
"J. Bruce Fields"
<bfields-uC3wQj2KruNg9hUCZPvPmw@public.gmane.org>,
Jeff Layton <jlayton-vpEMnDpepFuMZCB2o+C8xQ@public.gmane.org>,
Trond Myklebust
<trond.myklebust-7I+n7zu2hftEKMMhf/gKZA@public.gmane.org>,
Anna Schumaker
<anna.schumaker-HgOvQuBEEgTQT0dZR+AlfA@public.gmane.org>,
Dave Chinner <david-FqsqvQoI3Ljby3iVrkZq2A@public.gmane.org>,
linux-ext4-u79uwXL29TY76Z2rM5mHXA@public.gmane.org,
xfs-VZNHf3L845pBDgjK7y7TUQ@public.gmane.org,
linux-kernel-u79uwXL29TY76Z2rM5mHXA@public.gmane.org,
linux-fsdevel-u79uwXL29TY76Z2rM5mHXA@public.gmane.org,
linux-nfs-u79uwXL29TY76Z2rM5mHXA@public.gmane.org,
linux-cifs-u79uwXL29TY76Z2rM5mHXA@public.gmane.org,
linux-api-u79uwXL29TY76Z2rM5mHXA@public.gmane.org
Cc: Andreas Gruenbacher <agruenba-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
Subject: [PATCH v12 31/49] richacl: Isolate the owner and group classes
Date: Fri, 23 Oct 2015 20:41:44 +0200 [thread overview]
Message-ID: <1445625722-13791-32-git-send-email-agruenba@redhat.com> (raw)
In-Reply-To: <1445625722-13791-1-git-send-email-agruenba-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
When applying the file masks to an acl, we need to ensure that no
process gets more permissions than allowed by its file mask.
This may require inserting an owner@ deny ace to ensure this if the
owner mask contains fewer permissions than the group or other mask. For
example, when applying mode 0446 to the following acl:
everyone@:rw::allow
A deny ace needs to be inserted so that the owner won't get elevated
write access:
owner@:w::deny
everyone@:rw::allow
Likewise, we may need to insert group class deny aces if the group mask
contains fewer permissions than the other mask. For example, when
applying mode 0646 to the following acl:
owner@:rw::allow
everyone@:rw::allow
A deny ace needs to be inserted so that the owning group won't get
elevated write access:
owner@:rw::allow
group@:w::deny
everyone@:rw::allow
Signed-off-by: Andreas Gruenbacher <agruenba-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
Reviewed-by: J. Bruce Fields <bfields-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
---
fs/richacl_compat.c | 223 ++++++++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 223 insertions(+)
diff --git a/fs/richacl_compat.c b/fs/richacl_compat.c
index 76183c9..7553f1a 100644
--- a/fs/richacl_compat.c
+++ b/fs/richacl_compat.c
@@ -503,3 +503,226 @@ richacl_set_other_permissions(struct richacl_alloc *alloc, unsigned int *added)
}
return 0;
}
+
+/**
+ * richacl_max_allowed - maximum permissions that anybody is allowed
+ */
+static unsigned int
+richacl_max_allowed(struct richacl *acl)
+{
+ struct richace *ace;
+ unsigned int allowed = 0;
+
+ richacl_for_each_entry_reverse(ace, acl) {
+ if (richace_is_inherit_only(ace))
+ continue;
+ if (richace_is_allow(ace))
+ allowed |= ace->e_mask;
+ else if (richace_is_deny(ace)) {
+ if (richace_is_everyone(ace))
+ allowed &= ~ace->e_mask;
+ }
+ }
+ return allowed;
+}
+
+/**
+ * richacl_isolate_owner_class - limit the owner class to the owner file mask
+ * @alloc: acl and number of allocated entries
+ *
+ * POSIX requires that after a chmod, the owner class is granted no more
+ * permissions than the owner file permission bits. For richacls, this
+ * means that the owner class must not be granted any permissions that the
+ * owner mask does not include.
+ *
+ * When we apply file masks to an acl which grant more permissions to the group
+ * or other class than to the owner class, we may end up in a situation where
+ * the owner is granted additional permissions from other aces. For example,
+ * given this acl:
+ *
+ * everyone@:rwx::allow
+ *
+ * when file masks corresponding to mode 0406 are applied, after
+ * richacl_propagate_everyone() and __richacl_apply_masks(), we end up with:
+ *
+ * owner@:r::allow
+ * everyone@:rw::allow
+ *
+ * This acl still grants the owner rw access through the everyone@ allow ace.
+ * To fix this, we must deny the owner w access:
+ *
+ * owner@:w::deny
+ * owner@:r::allow
+ * everyone@:rw::allow
+ */
+static int
+richacl_isolate_owner_class(struct richacl_alloc *alloc)
+{
+ struct richacl *acl = alloc->acl;
+ struct richace *ace;
+ unsigned int deny;
+
+ deny = richacl_max_allowed(acl) & ~acl->a_owner_mask;
+ if (!deny)
+ return 0;
+
+ /*
+ * Figure out if we can update an existig OWNER@ DENY entry.
+ */
+ richacl_for_each_entry(ace, acl) {
+ if (richace_is_inherit_only(ace))
+ continue;
+ if (richace_is_allow(ace))
+ break;
+ if (richace_is_owner(ace))
+ return richace_change_mask(alloc, &ace,
+ ace->e_mask | deny);
+ }
+
+ /* Insert an owner@ deny entry at the front. */
+ ace = acl->a_entries;
+ if (richacl_insert_entry(alloc, &ace))
+ return -1;
+ ace->e_type = RICHACE_ACCESS_DENIED_ACE_TYPE;
+ ace->e_flags = RICHACE_SPECIAL_WHO;
+ ace->e_mask = deny;
+ ace->e_id.special = RICHACE_OWNER_SPECIAL_ID;
+ return 0;
+}
+
+/**
+ * __richacl_isolate_who - isolate entry from everyone@ allow entry
+ * @alloc: acl and number of allocated entries
+ * @who: identifier to isolate
+ * @deny: permissions this identifier should not be allowed
+ *
+ * See richacl_isolate_group_class().
+ */
+static int
+__richacl_isolate_who(struct richacl_alloc *alloc, struct richace *who,
+ unsigned int deny)
+{
+ struct richacl *acl = alloc->acl;
+ struct richace *ace, who_copy;
+ int n;
+
+ /*
+ * Compute the permissions already defined for @who. There are no
+ * everyone@ deny aces left in the acl at this stage.
+ */
+ richacl_for_each_entry(ace, acl) {
+ if (richace_is_inherit_only(ace))
+ continue;
+ if (richace_is_same_identifier(ace, who))
+ deny &= ~ace->e_mask;
+ }
+ if (!deny)
+ return 0;
+
+ /*
+ * Figure out if we can update an existig deny entry. Start from the
+ * entry before the trailing everyone@ allow entry. We will not hit
+ * everyone@ entries in the loop.
+ */
+ for (n = acl->a_count - 2; n != -1; n--) {
+ ace = acl->a_entries + n;
+ if (richace_is_inherit_only(ace))
+ continue;
+ if (richace_is_deny(ace)) {
+ if (richace_is_same_identifier(ace, who))
+ return richace_change_mask(alloc, &ace,
+ ace->e_mask | deny);
+ } else if (richace_is_allow(ace) &&
+ (ace->e_mask & deny))
+ break;
+ }
+
+ /*
+ * Insert a new entry before the trailing everyone@ deny entry.
+ */
+ richace_copy(&who_copy, who);
+ ace = acl->a_entries + acl->a_count - 1;
+ if (richacl_insert_entry(alloc, &ace))
+ return -1;
+ richace_copy(ace, &who_copy);
+ ace->e_type = RICHACE_ACCESS_DENIED_ACE_TYPE;
+ ace->e_flags &= ~RICHACE_INHERITANCE_FLAGS;
+ ace->e_mask = deny;
+ return 0;
+}
+
+/**
+ * richacl_isolate_group_class - limit the group class to the group file mask
+ * @alloc: acl and number of allocated entries
+ * @deny: additional permissions to deny
+ *
+ * POSIX requires that after a chmod, the group class is granted no more
+ * permissions than the group file permission bits. For richacls, this
+ * means that the group class must not be granted any permissions that the
+ * group mask does not include.
+ *
+ * When we apply file masks to an acl which grant more permissions to the other
+ * class than to the group class, we may end up in a situation where processes
+ * in the group class are granted additional permission from other aces. For
+ * example, given this acl:
+ *
+ * joe:rwx::allow
+ * everyone@:rwx::allow
+ *
+ * when file masks corresponding to mode 0646 are applied, after
+ * richacl_propagate_everyone() and __richacl_apply_masks(), we end up with:
+ *
+ * joe:r::allow
+ * owner@:rw::allow
+ * group@:r::allow
+ * everyone@:rw::allow
+ *
+ * This acl still grants joe and group@ rw access through the everyone@ allow
+ * ace. To fix this, we must deny w access to group class aces before the
+ * everyone@ allow ace at the end of the acl:
+ *
+ * joe:r::allow
+ * owner@:rw::allow
+ * group@:r::allow
+ * joe:w::deny
+ * group@:w::deny
+ * everyone@:rw::allow
+ */
+static int
+richacl_isolate_group_class(struct richacl_alloc *alloc, unsigned int deny)
+{
+ struct richace who = {
+ .e_flags = RICHACE_SPECIAL_WHO,
+ .e_id.special = RICHACE_GROUP_SPECIAL_ID,
+ };
+ struct richace *ace;
+
+ if (!alloc->acl->a_count)
+ return 0;
+ ace = alloc->acl->a_entries + alloc->acl->a_count - 1;
+ if (richace_is_inherit_only(ace) || !richace_is_everyone(ace))
+ return 0;
+ deny |= ace->e_mask & ~alloc->acl->a_group_mask;
+
+ if (deny) {
+ unsigned int n;
+
+ if (__richacl_isolate_who(alloc, &who, deny))
+ return -1;
+ /*
+ * Start from the entry before the trailing everyone@ allow
+ * entry. We will not hit everyone@ entries in the loop.
+ */
+ for (n = alloc->acl->a_count - 2; n != -1; n--) {
+ ace = alloc->acl->a_entries + n;
+
+ if (richace_is_inherit_only(ace) ||
+ richace_is_owner(ace) ||
+ richace_is_group(ace))
+ continue;
+ if (__richacl_isolate_who(alloc, ace, deny))
+ return -1;
+ }
+ }
+ return 0;
+}
--
2.5.0
WARNING: multiple messages have this Message-ID (diff)
From: Andreas Gruenbacher <agruenba@redhat.com>
To: Alexander Viro <viro@zeniv.linux.org.uk>,
"Theodore Ts'o" <tytso@mit.edu>,
Andreas Dilger <adilger.kernel@dilger.ca>,
"J. Bruce Fields" <bfields@fieldses.org>,
Jeff Layton <jlayton@poochiereds.net>,
Trond Myklebust <trond.myklebust@primarydata.com>,
Anna Schumaker <anna.schumaker@netapp.com>,
Dave Chinner <david@fromorbit.com>,
linux-ext4@vger.kernel.org, xfs@oss.sgi.com,
linux-kernel@vger.kernel.org, linux-fsdevel@vger.kernel.org,
linux-nfs@vger.kernel.org, linux-cifs@vger.kernel.org,
linux-api@vger.kernel.org
Cc: Andreas Gruenbacher <agruenba@redhat.com>
Subject: [PATCH v12 31/49] richacl: Isolate the owner and group classes
Date: Fri, 23 Oct 2015 20:41:44 +0200 [thread overview]
Message-ID: <1445625722-13791-32-git-send-email-agruenba@redhat.com> (raw)
In-Reply-To: <1445625722-13791-1-git-send-email-agruenba@redhat.com>
When applying the file masks to an acl, we need to ensure that no
process gets more permissions than allowed by its file mask.
This may require inserting an owner@ deny ace to ensure this if the
owner mask contains fewer permissions than the group or other mask. For
example, when applying mode 0446 to the following acl:
everyone@:rw::allow
A deny ace needs to be inserted so that the owner won't get elevated
write access:
owner@:w::deny
everyone@:rw::allow
Likewise, we may need to insert group class deny aces if the group mask
contains fewer permissions than the other mask. For example, when
applying mode 0646 to the following acl:
owner@:rw::allow
everyone@:rw::allow
A deny ace needs to be inserted so that the owning group won't get
elevated write access:
owner@:rw::allow
group@:w::deny
everyone@:rw::allow
Signed-off-by: Andreas Gruenbacher <agruenba@redhat.com>
Reviewed-by: J. Bruce Fields <bfields@redhat.com>
---
fs/richacl_compat.c | 223 ++++++++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 223 insertions(+)
diff --git a/fs/richacl_compat.c b/fs/richacl_compat.c
index 76183c9..7553f1a 100644
--- a/fs/richacl_compat.c
+++ b/fs/richacl_compat.c
@@ -503,3 +503,226 @@ richacl_set_other_permissions(struct richacl_alloc *alloc, unsigned int *added)
}
return 0;
}
+
+/**
+ * richacl_max_allowed - maximum permissions that anybody is allowed
+ */
+static unsigned int
+richacl_max_allowed(struct richacl *acl)
+{
+ struct richace *ace;
+ unsigned int allowed = 0;
+
+ richacl_for_each_entry_reverse(ace, acl) {
+ if (richace_is_inherit_only(ace))
+ continue;
+ if (richace_is_allow(ace))
+ allowed |= ace->e_mask;
+ else if (richace_is_deny(ace)) {
+ if (richace_is_everyone(ace))
+ allowed &= ~ace->e_mask;
+ }
+ }
+ return allowed;
+}
+
+/**
+ * richacl_isolate_owner_class - limit the owner class to the owner file mask
+ * @alloc: acl and number of allocated entries
+ *
+ * POSIX requires that after a chmod, the owner class is granted no more
+ * permissions than the owner file permission bits. For richacls, this
+ * means that the owner class must not be granted any permissions that the
+ * owner mask does not include.
+ *
+ * When we apply file masks to an acl which grant more permissions to the group
+ * or other class than to the owner class, we may end up in a situation where
+ * the owner is granted additional permissions from other aces. For example,
+ * given this acl:
+ *
+ * everyone@:rwx::allow
+ *
+ * when file masks corresponding to mode 0406 are applied, after
+ * richacl_propagate_everyone() and __richacl_apply_masks(), we end up with:
+ *
+ * owner@:r::allow
+ * everyone@:rw::allow
+ *
+ * This acl still grants the owner rw access through the everyone@ allow ace.
+ * To fix this, we must deny the owner w access:
+ *
+ * owner@:w::deny
+ * owner@:r::allow
+ * everyone@:rw::allow
+ */
+static int
+richacl_isolate_owner_class(struct richacl_alloc *alloc)
+{
+ struct richacl *acl = alloc->acl;
+ struct richace *ace;
+ unsigned int deny;
+
+ deny = richacl_max_allowed(acl) & ~acl->a_owner_mask;
+ if (!deny)
+ return 0;
+
+ /*
+ * Figure out if we can update an existig OWNER@ DENY entry.
+ */
+ richacl_for_each_entry(ace, acl) {
+ if (richace_is_inherit_only(ace))
+ continue;
+ if (richace_is_allow(ace))
+ break;
+ if (richace_is_owner(ace))
+ return richace_change_mask(alloc, &ace,
+ ace->e_mask | deny);
+ }
+
+ /* Insert an owner@ deny entry at the front. */
+ ace = acl->a_entries;
+ if (richacl_insert_entry(alloc, &ace))
+ return -1;
+ ace->e_type = RICHACE_ACCESS_DENIED_ACE_TYPE;
+ ace->e_flags = RICHACE_SPECIAL_WHO;
+ ace->e_mask = deny;
+ ace->e_id.special = RICHACE_OWNER_SPECIAL_ID;
+ return 0;
+}
+
+/**
+ * __richacl_isolate_who - isolate entry from everyone@ allow entry
+ * @alloc: acl and number of allocated entries
+ * @who: identifier to isolate
+ * @deny: permissions this identifier should not be allowed
+ *
+ * See richacl_isolate_group_class().
+ */
+static int
+__richacl_isolate_who(struct richacl_alloc *alloc, struct richace *who,
+ unsigned int deny)
+{
+ struct richacl *acl = alloc->acl;
+ struct richace *ace, who_copy;
+ int n;
+
+ /*
+ * Compute the permissions already defined for @who. There are no
+ * everyone@ deny aces left in the acl at this stage.
+ */
+ richacl_for_each_entry(ace, acl) {
+ if (richace_is_inherit_only(ace))
+ continue;
+ if (richace_is_same_identifier(ace, who))
+ deny &= ~ace->e_mask;
+ }
+ if (!deny)
+ return 0;
+
+ /*
+ * Figure out if we can update an existig deny entry. Start from the
+ * entry before the trailing everyone@ allow entry. We will not hit
+ * everyone@ entries in the loop.
+ */
+ for (n = acl->a_count - 2; n != -1; n--) {
+ ace = acl->a_entries + n;
+ if (richace_is_inherit_only(ace))
+ continue;
+ if (richace_is_deny(ace)) {
+ if (richace_is_same_identifier(ace, who))
+ return richace_change_mask(alloc, &ace,
+ ace->e_mask | deny);
+ } else if (richace_is_allow(ace) &&
+ (ace->e_mask & deny))
+ break;
+ }
+
+ /*
+ * Insert a new entry before the trailing everyone@ deny entry.
+ */
+ richace_copy(&who_copy, who);
+ ace = acl->a_entries + acl->a_count - 1;
+ if (richacl_insert_entry(alloc, &ace))
+ return -1;
+ richace_copy(ace, &who_copy);
+ ace->e_type = RICHACE_ACCESS_DENIED_ACE_TYPE;
+ ace->e_flags &= ~RICHACE_INHERITANCE_FLAGS;
+ ace->e_mask = deny;
+ return 0;
+}
+
+/**
+ * richacl_isolate_group_class - limit the group class to the group file mask
+ * @alloc: acl and number of allocated entries
+ * @deny: additional permissions to deny
+ *
+ * POSIX requires that after a chmod, the group class is granted no more
+ * permissions than the group file permission bits. For richacls, this
+ * means that the group class must not be granted any permissions that the
+ * group mask does not include.
+ *
+ * When we apply file masks to an acl which grant more permissions to the other
+ * class than to the group class, we may end up in a situation where processes
+ * in the group class are granted additional permission from other aces. For
+ * example, given this acl:
+ *
+ * joe:rwx::allow
+ * everyone@:rwx::allow
+ *
+ * when file masks corresponding to mode 0646 are applied, after
+ * richacl_propagate_everyone() and __richacl_apply_masks(), we end up with:
+ *
+ * joe:r::allow
+ * owner@:rw::allow
+ * group@:r::allow
+ * everyone@:rw::allow
+ *
+ * This acl still grants joe and group@ rw access through the everyone@ allow
+ * ace. To fix this, we must deny w access to group class aces before the
+ * everyone@ allow ace at the end of the acl:
+ *
+ * joe:r::allow
+ * owner@:rw::allow
+ * group@:r::allow
+ * joe:w::deny
+ * group@:w::deny
+ * everyone@:rw::allow
+ */
+static int
+richacl_isolate_group_class(struct richacl_alloc *alloc, unsigned int deny)
+{
+ struct richace who = {
+ .e_flags = RICHACE_SPECIAL_WHO,
+ .e_id.special = RICHACE_GROUP_SPECIAL_ID,
+ };
+ struct richace *ace;
+
+ if (!alloc->acl->a_count)
+ return 0;
+ ace = alloc->acl->a_entries + alloc->acl->a_count - 1;
+ if (richace_is_inherit_only(ace) || !richace_is_everyone(ace))
+ return 0;
+ deny |= ace->e_mask & ~alloc->acl->a_group_mask;
+
+ if (deny) {
+ unsigned int n;
+
+ if (__richacl_isolate_who(alloc, &who, deny))
+ return -1;
+ /*
+ * Start from the entry before the trailing everyone@ allow
+ * entry. We will not hit everyone@ entries in the loop.
+ */
+ for (n = alloc->acl->a_count - 2; n != -1; n--) {
+ ace = alloc->acl->a_entries + n;
+
+ if (richace_is_inherit_only(ace) ||
+ richace_is_owner(ace) ||
+ richace_is_group(ace))
+ continue;
+ if (__richacl_isolate_who(alloc, ace, deny))
+ return -1;
+ }
+ }
+ return 0;
+}
--
2.5.0
WARNING: multiple messages have this Message-ID (diff)
From: Andreas Gruenbacher <agruenba@redhat.com>
To: Alexander Viro <viro@zeniv.linux.org.uk>,
Theodore Ts'o <tytso@mit.edu>,
Andreas Dilger <adilger.kernel@dilger.ca>,
"J. Bruce Fields" <bfields@fieldses.org>,
Jeff Layton <jlayton@poochiereds.net>,
Trond Myklebust <trond.myklebust@primarydata.com>,
Anna Schumaker <anna.schumaker@netapp.com>,
Dave Chinner <david@fromorbit.com>,
linux-ext4@vger.kernel.org, xfs@oss.sgi.com,
linux-kernel@vger.kernel.org, linux-fsdevel@vger.kernel.org,
linux-nfs@vger.kernel.org, linux-cifs@vger.kernel.org,
linux-api@vger.kernel.org
Cc: Andreas Gruenbacher <agruenba@redhat.com>
Subject: [PATCH v12 31/49] richacl: Isolate the owner and group classes
Date: Fri, 23 Oct 2015 20:41:44 +0200 [thread overview]
Message-ID: <1445625722-13791-32-git-send-email-agruenba@redhat.com> (raw)
In-Reply-To: <1445625722-13791-1-git-send-email-agruenba@redhat.com>
When applying the file masks to an acl, we need to ensure that no
process gets more permissions than allowed by its file mask.
This may require inserting an owner@ deny ace to ensure this if the
owner mask contains fewer permissions than the group or other mask. For
example, when applying mode 0446 to the following acl:
everyone@:rw::allow
A deny ace needs to be inserted so that the owner won't get elevated
write access:
owner@:w::deny
everyone@:rw::allow
Likewise, we may need to insert group class deny aces if the group mask
contains fewer permissions than the other mask. For example, when
applying mode 0646 to the following acl:
owner@:rw::allow
everyone@:rw::allow
A deny ace needs to be inserted so that the owning group won't get
elevated write access:
owner@:rw::allow
group@:w::deny
everyone@:rw::allow
Signed-off-by: Andreas Gruenbacher <agruenba@redhat.com>
Reviewed-by: J. Bruce Fields <bfields@redhat.com>
---
fs/richacl_compat.c | 223 ++++++++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 223 insertions(+)
diff --git a/fs/richacl_compat.c b/fs/richacl_compat.c
index 76183c9..7553f1a 100644
--- a/fs/richacl_compat.c
+++ b/fs/richacl_compat.c
@@ -503,3 +503,226 @@ richacl_set_other_permissions(struct richacl_alloc *alloc, unsigned int *added)
}
return 0;
}
+
+/**
+ * richacl_max_allowed - maximum permissions that anybody is allowed
+ */
+static unsigned int
+richacl_max_allowed(struct richacl *acl)
+{
+ struct richace *ace;
+ unsigned int allowed = 0;
+
+ richacl_for_each_entry_reverse(ace, acl) {
+ if (richace_is_inherit_only(ace))
+ continue;
+ if (richace_is_allow(ace))
+ allowed |= ace->e_mask;
+ else if (richace_is_deny(ace)) {
+ if (richace_is_everyone(ace))
+ allowed &= ~ace->e_mask;
+ }
+ }
+ return allowed;
+}
+
+/**
+ * richacl_isolate_owner_class - limit the owner class to the owner file mask
+ * @alloc: acl and number of allocated entries
+ *
+ * POSIX requires that after a chmod, the owner class is granted no more
+ * permissions than the owner file permission bits. For richacls, this
+ * means that the owner class must not be granted any permissions that the
+ * owner mask does not include.
+ *
+ * When we apply file masks to an acl which grant more permissions to the group
+ * or other class than to the owner class, we may end up in a situation where
+ * the owner is granted additional permissions from other aces. For example,
+ * given this acl:
+ *
+ * everyone@:rwx::allow
+ *
+ * when file masks corresponding to mode 0406 are applied, after
+ * richacl_propagate_everyone() and __richacl_apply_masks(), we end up with:
+ *
+ * owner@:r::allow
+ * everyone@:rw::allow
+ *
+ * This acl still grants the owner rw access through the everyone@ allow ace.
+ * To fix this, we must deny the owner w access:
+ *
+ * owner@:w::deny
+ * owner@:r::allow
+ * everyone@:rw::allow
+ */
+static int
+richacl_isolate_owner_class(struct richacl_alloc *alloc)
+{
+ struct richacl *acl = alloc->acl;
+ struct richace *ace;
+ unsigned int deny;
+
+ deny = richacl_max_allowed(acl) & ~acl->a_owner_mask;
+ if (!deny)
+ return 0;
+
+ /*
+ * Figure out if we can update an existig OWNER@ DENY entry.
+ */
+ richacl_for_each_entry(ace, acl) {
+ if (richace_is_inherit_only(ace))
+ continue;
+ if (richace_is_allow(ace))
+ break;
+ if (richace_is_owner(ace))
+ return richace_change_mask(alloc, &ace,
+ ace->e_mask | deny);
+ }
+
+ /* Insert an owner@ deny entry at the front. */
+ ace = acl->a_entries;
+ if (richacl_insert_entry(alloc, &ace))
+ return -1;
+ ace->e_type = RICHACE_ACCESS_DENIED_ACE_TYPE;
+ ace->e_flags = RICHACE_SPECIAL_WHO;
+ ace->e_mask = deny;
+ ace->e_id.special = RICHACE_OWNER_SPECIAL_ID;
+ return 0;
+}
+
+/**
+ * __richacl_isolate_who - isolate entry from everyone@ allow entry
+ * @alloc: acl and number of allocated entries
+ * @who: identifier to isolate
+ * @deny: permissions this identifier should not be allowed
+ *
+ * See richacl_isolate_group_class().
+ */
+static int
+__richacl_isolate_who(struct richacl_alloc *alloc, struct richace *who,
+ unsigned int deny)
+{
+ struct richacl *acl = alloc->acl;
+ struct richace *ace, who_copy;
+ int n;
+
+ /*
+ * Compute the permissions already defined for @who. There are no
+ * everyone@ deny aces left in the acl at this stage.
+ */
+ richacl_for_each_entry(ace, acl) {
+ if (richace_is_inherit_only(ace))
+ continue;
+ if (richace_is_same_identifier(ace, who))
+ deny &= ~ace->e_mask;
+ }
+ if (!deny)
+ return 0;
+
+ /*
+ * Figure out if we can update an existig deny entry. Start from the
+ * entry before the trailing everyone@ allow entry. We will not hit
+ * everyone@ entries in the loop.
+ */
+ for (n = acl->a_count - 2; n != -1; n--) {
+ ace = acl->a_entries + n;
+ if (richace_is_inherit_only(ace))
+ continue;
+ if (richace_is_deny(ace)) {
+ if (richace_is_same_identifier(ace, who))
+ return richace_change_mask(alloc, &ace,
+ ace->e_mask | deny);
+ } else if (richace_is_allow(ace) &&
+ (ace->e_mask & deny))
+ break;
+ }
+
+ /*
+ * Insert a new entry before the trailing everyone@ deny entry.
+ */
+ richace_copy(&who_copy, who);
+ ace = acl->a_entries + acl->a_count - 1;
+ if (richacl_insert_entry(alloc, &ace))
+ return -1;
+ richace_copy(ace, &who_copy);
+ ace->e_type = RICHACE_ACCESS_DENIED_ACE_TYPE;
+ ace->e_flags &= ~RICHACE_INHERITANCE_FLAGS;
+ ace->e_mask = deny;
+ return 0;
+}
+
+/**
+ * richacl_isolate_group_class - limit the group class to the group file mask
+ * @alloc: acl and number of allocated entries
+ * @deny: additional permissions to deny
+ *
+ * POSIX requires that after a chmod, the group class is granted no more
+ * permissions than the group file permission bits. For richacls, this
+ * means that the group class must not be granted any permissions that the
+ * group mask does not include.
+ *
+ * When we apply file masks to an acl which grant more permissions to the other
+ * class than to the group class, we may end up in a situation where processes
+ * in the group class are granted additional permission from other aces. For
+ * example, given this acl:
+ *
+ * joe:rwx::allow
+ * everyone@:rwx::allow
+ *
+ * when file masks corresponding to mode 0646 are applied, after
+ * richacl_propagate_everyone() and __richacl_apply_masks(), we end up with:
+ *
+ * joe:r::allow
+ * owner@:rw::allow
+ * group@:r::allow
+ * everyone@:rw::allow
+ *
+ * This acl still grants joe and group@ rw access through the everyone@ allow
+ * ace. To fix this, we must deny w access to group class aces before the
+ * everyone@ allow ace at the end of the acl:
+ *
+ * joe:r::allow
+ * owner@:rw::allow
+ * group@:r::allow
+ * joe:w::deny
+ * group@:w::deny
+ * everyone@:rw::allow
+ */
+static int
+richacl_isolate_group_class(struct richacl_alloc *alloc, unsigned int deny)
+{
+ struct richace who = {
+ .e_flags = RICHACE_SPECIAL_WHO,
+ .e_id.special = RICHACE_GROUP_SPECIAL_ID,
+ };
+ struct richace *ace;
+
+ if (!alloc->acl->a_count)
+ return 0;
+ ace = alloc->acl->a_entries + alloc->acl->a_count - 1;
+ if (richace_is_inherit_only(ace) || !richace_is_everyone(ace))
+ return 0;
+ deny |= ace->e_mask & ~alloc->acl->a_group_mask;
+
+ if (deny) {
+ unsigned int n;
+
+ if (__richacl_isolate_who(alloc, &who, deny))
+ return -1;
+ /*
+ * Start from the entry before the trailing everyone@ allow
+ * entry. We will not hit everyone@ entries in the loop.
+ */
+ for (n = alloc->acl->a_count - 2; n != -1; n--) {
+ ace = alloc->acl->a_entries + n;
+
+ if (richace_is_inherit_only(ace) ||
+ richace_is_owner(ace) ||
+ richace_is_group(ace))
+ continue;
+ if (__richacl_isolate_who(alloc, ace, deny))
+ return -1;
+ }
+ }
+ return 0;
+}
--
2.5.0
_______________________________________________
xfs mailing list
xfs@oss.sgi.com
http://oss.sgi.com/mailman/listinfo/xfs
next prev parent reply other threads:[~2015-10-23 18:41 UTC|newest]
Thread overview: 112+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-10-23 18:41 [PATCH v12 00/49] Richacls Andreas Gruenbacher
2015-10-23 18:41 ` Andreas Gruenbacher
2015-10-23 18:41 ` [PATCH v12 01/49] vfs: Add IS_ACL() and IS_RICHACL() tests Andreas Gruenbacher
2015-10-23 18:41 ` Andreas Gruenbacher
2015-10-23 18:41 ` [PATCH v12 02/49] vfs: Add MAY_CREATE_FILE and MAY_CREATE_DIR permission flags Andreas Gruenbacher
2015-10-23 18:41 ` Andreas Gruenbacher
2015-10-23 18:41 ` [PATCH v12 03/49] vfs: Add MAY_DELETE_SELF and MAY_DELETE_CHILD " Andreas Gruenbacher
2015-10-23 18:41 ` Andreas Gruenbacher
2015-10-23 18:41 ` [PATCH v12 04/49] vfs: Make the inode passed to inode_change_ok non-const Andreas Gruenbacher
2015-10-23 18:41 ` Andreas Gruenbacher
2015-10-23 18:41 ` [PATCH v12 05/49] vfs: Add permission flags for setting file attributes Andreas Gruenbacher
2015-10-23 18:41 ` Andreas Gruenbacher
2015-10-23 18:41 ` [PATCH v12 06/49] richacl: In-memory representation and helper functions Andreas Gruenbacher
2015-10-23 18:41 ` Andreas Gruenbacher
2015-10-23 18:41 ` [PATCH v12 07/49] richacl: Permission mapping functions Andreas Gruenbacher
2015-10-23 18:41 ` Andreas Gruenbacher
2015-10-23 18:41 ` [PATCH v12 08/49] richacl: Compute maximum file masks from an acl Andreas Gruenbacher
2015-10-23 18:41 ` Andreas Gruenbacher
2015-10-23 18:41 ` [PATCH v12 09/49] richacl: Permission check algorithm Andreas Gruenbacher
2015-10-23 18:41 ` Andreas Gruenbacher
2015-10-23 18:41 ` [PATCH v12 10/49] vfs: Cache base_acl objects in inodes Andreas Gruenbacher
2015-10-23 18:41 ` Andreas Gruenbacher
2015-10-23 18:41 ` [PATCH v12 11/49] vfs: Add get_richacl and set_richacl inode operations Andreas Gruenbacher
2015-10-23 18:41 ` Andreas Gruenbacher
2015-10-23 18:41 ` [PATCH v12 12/49] vfs: Cache richacl in struct inode Andreas Gruenbacher
2015-10-23 18:41 ` Andreas Gruenbacher
2015-10-23 18:41 ` [PATCH v12 13/49] richacl: Update the file masks in chmod() Andreas Gruenbacher
2015-10-23 18:41 ` Andreas Gruenbacher
2015-10-23 18:41 ` [PATCH v12 14/49] richacl: Check if an acl is equivalent to a file mode Andreas Gruenbacher
2015-10-23 18:41 ` Andreas Gruenbacher
2015-10-23 18:41 ` [PATCH v12 15/49] richacl: Create-time inheritance Andreas Gruenbacher
2015-10-23 18:41 ` Andreas Gruenbacher
2015-10-23 18:41 ` [PATCH v12 16/49] richacl: Automatic Inheritance Andreas Gruenbacher
2015-10-23 18:41 ` Andreas Gruenbacher
2015-10-23 18:41 ` [PATCH v12 17/49] richacl: xattr mapping functions Andreas Gruenbacher
2015-10-23 18:41 ` Andreas Gruenbacher
2015-10-23 18:41 ` [PATCH v12 18/49] richacl: Add richacl xattr handler Andreas Gruenbacher
2015-10-23 18:41 ` Andreas Gruenbacher
2015-10-23 18:41 ` [PATCH v12 19/49] vfs: Add richacl permission checking Andreas Gruenbacher
2015-10-23 18:41 ` Andreas Gruenbacher
2015-10-23 18:41 ` [PATCH v12 20/49] ext4: Add richacl support Andreas Gruenbacher
2015-10-23 18:41 ` Andreas Gruenbacher
2015-10-23 18:41 ` [PATCH v12 21/49] ext4: Add richacl feature flag Andreas Gruenbacher
2015-10-23 18:41 ` Andreas Gruenbacher
[not found] ` <1445625722-13791-22-git-send-email-agruenba-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
2015-10-23 19:34 ` Austin S Hemmelgarn
2015-10-23 19:34 ` Austin S Hemmelgarn
2015-10-23 19:34 ` Austin S Hemmelgarn
2015-10-23 18:41 ` [PATCH v12 22/49] xfs: Fix error path in xfs_get_acl Andreas Gruenbacher
2015-10-23 18:41 ` Andreas Gruenbacher
2015-10-23 18:41 ` [PATCH v12 23/49] xfs: Make xfs_set_mode non-static Andreas Gruenbacher
2015-10-23 18:41 ` Andreas Gruenbacher
2015-10-23 18:41 ` [PATCH v12 25/49] xfs: Add richacl support Andreas Gruenbacher
2015-10-23 18:41 ` Andreas Gruenbacher
2015-10-23 18:41 ` [PATCH v12 26/49] richacl: acl editing helper functions Andreas Gruenbacher
2015-10-23 18:41 ` Andreas Gruenbacher
2015-10-23 18:41 ` [PATCH v12 27/49] richacl: Move everyone@ aces down the acl Andreas Gruenbacher
2015-10-23 18:41 ` Andreas Gruenbacher
2015-10-23 18:41 ` [PATCH v12 28/49] richacl: Propagate everyone@ permissions to other aces Andreas Gruenbacher
2015-10-23 18:41 ` Andreas Gruenbacher
2015-10-23 18:41 ` [PATCH v12 29/49] richacl: Set the owner permissions to the owner mask Andreas Gruenbacher
2015-10-23 18:41 ` Andreas Gruenbacher
2015-10-23 18:41 ` [PATCH v12 32/49] richacl: Apply the file masks to a richacl Andreas Gruenbacher
2015-10-23 18:41 ` Andreas Gruenbacher
2015-10-23 18:41 ` [PATCH v12 33/49] richacl: Create richacl from mode values Andreas Gruenbacher
2015-10-23 18:41 ` Andreas Gruenbacher
2015-10-23 18:41 ` [PATCH v12 34/49] nfsd: Keep list of acls to dispose of in compoundargs Andreas Gruenbacher
2015-10-23 18:41 ` Andreas Gruenbacher
2015-10-23 18:41 ` [PATCH v12 36/49] nfsd: Add richacl support Andreas Gruenbacher
2015-10-23 18:41 ` Andreas Gruenbacher
2015-10-23 18:41 ` [PATCH v12 37/49] nfsd: Add support for the v4.1 dacl attribute Andreas Gruenbacher
2015-10-23 18:41 ` Andreas Gruenbacher
2015-10-23 18:41 ` [PATCH v12 38/49] nfsd: Add support for the MAY_CREATE_{FILE,DIR} permissions Andreas Gruenbacher
2015-10-23 18:41 ` [PATCH v12 38/49] nfsd: Add support for the MAY_CREATE_{FILE, DIR} permissions Andreas Gruenbacher
2015-10-23 18:41 ` [PATCH v12 40/49] nfsd: Add support for unmapped richace identifiers Andreas Gruenbacher
2015-10-23 18:41 ` Andreas Gruenbacher
2015-10-23 18:41 ` [PATCH v12 41/49] ext4: Don't allow unmapped identifiers in richacls Andreas Gruenbacher
2015-10-23 18:41 ` Andreas Gruenbacher
2015-10-23 18:41 ` [PATCH v12 42/49] xfs: " Andreas Gruenbacher
2015-10-23 18:41 ` Andreas Gruenbacher
2015-10-23 18:41 ` [PATCH v12 43/49] sunrpc: Allow to demand-allocate pages to encode into Andreas Gruenbacher
2015-10-23 18:41 ` Andreas Gruenbacher
2015-10-23 18:41 ` [PATCH v12 44/49] sunrpc: Add xdr_init_encode_pages Andreas Gruenbacher
2015-10-23 18:41 ` Andreas Gruenbacher
2015-10-23 18:41 ` [PATCH v12 45/49] nfs: Fix GETATTR bitmap verification Andreas Gruenbacher
2015-10-23 18:41 ` Andreas Gruenbacher
2015-10-23 18:41 ` [PATCH v12 46/49] nfs: Remove unused xdr page offsets in getacl/setacl arguments Andreas Gruenbacher
2015-10-23 18:41 ` Andreas Gruenbacher
2015-10-23 18:42 ` [PATCH v12 47/49] nfs: Distinguish missing users and groups from nobody Andreas Gruenbacher
2015-10-23 18:42 ` Andreas Gruenbacher
2015-10-23 18:42 ` [PATCH v12 48/49] nfs: Add richacl support Andreas Gruenbacher
2015-10-23 18:42 ` Andreas Gruenbacher
2015-10-23 18:42 ` [PATCH v12 49/49] nfs: Add support for the v4.1 dacl attribute Andreas Gruenbacher
2015-10-23 18:42 ` Andreas Gruenbacher
[not found] ` <1445625722-13791-1-git-send-email-agruenba-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
2015-10-23 18:41 ` [PATCH v12 24/49] xfs: Change how listxattr generates synthetic attributes Andreas Gruenbacher
2015-10-23 18:41 ` Andreas Gruenbacher
2015-10-23 18:41 ` Andreas Gruenbacher
2015-10-23 18:41 ` [PATCH v12 30/49] richacl: Set the other permissions to the other mask Andreas Gruenbacher
2015-10-23 18:41 ` Andreas Gruenbacher
2015-10-23 18:41 ` Andreas Gruenbacher
2015-10-23 18:41 ` Andreas Gruenbacher [this message]
2015-10-23 18:41 ` [PATCH v12 31/49] richacl: Isolate the owner and group classes Andreas Gruenbacher
2015-10-23 18:41 ` Andreas Gruenbacher
2015-10-23 18:41 ` [PATCH v12 35/49] nfsd: Use richacls as internal acl representation Andreas Gruenbacher
2015-10-23 18:41 ` Andreas Gruenbacher
2015-10-23 18:41 ` Andreas Gruenbacher
2015-10-23 18:41 ` [PATCH v12 39/49] richacl: Add support for unmapped identifiers Andreas Gruenbacher
2015-10-23 18:41 ` Andreas Gruenbacher
2015-10-23 18:41 ` Andreas Gruenbacher
2015-10-23 20:03 ` [PATCH v12 00/49] Richacls Frank Filz
2015-10-23 20:03 ` Frank Filz
2015-10-23 20:03 ` Frank Filz
2015-10-23 20:03 ` Frank Filz
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1445625722-13791-32-git-send-email-agruenba@redhat.com \
--to=agruenba-h+wxahxf7alqt0dzr+alfa@public.gmane.org \
--cc=adilger.kernel-m1MBpc4rdrD3fQ9qLvQP4Q@public.gmane.org \
--cc=anna.schumaker-HgOvQuBEEgTQT0dZR+AlfA@public.gmane.org \
--cc=bfields-uC3wQj2KruNg9hUCZPvPmw@public.gmane.org \
--cc=david-FqsqvQoI3Ljby3iVrkZq2A@public.gmane.org \
--cc=jlayton-vpEMnDpepFuMZCB2o+C8xQ@public.gmane.org \
--cc=linux-api-u79uwXL29TY76Z2rM5mHXA@public.gmane.org \
--cc=linux-cifs-u79uwXL29TY76Z2rM5mHXA@public.gmane.org \
--cc=linux-ext4-u79uwXL29TY76Z2rM5mHXA@public.gmane.org \
--cc=linux-fsdevel-u79uwXL29TY76Z2rM5mHXA@public.gmane.org \
--cc=linux-kernel-u79uwXL29TY76Z2rM5mHXA@public.gmane.org \
--cc=linux-nfs-u79uwXL29TY76Z2rM5mHXA@public.gmane.org \
--cc=trond.myklebust-7I+n7zu2hftEKMMhf/gKZA@public.gmane.org \
--cc=tytso-3s7WtUTddSA@public.gmane.org \
--cc=viro-RmSDqhL/yNMiFSDQTTA3OLVCufUGDwFn@public.gmane.org \
--cc=xfs-VZNHf3L845pBDgjK7y7TUQ@public.gmane.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.