From: "Stefan (metze) Metzmacher" <metze@samba.org>
To: Andreas Gruenbacher <andreas.gruenbacher@gmail.com>,
linux-kernel@vger.kernel.org, linux-fsdevel@vger.kernel.org,
linux-nfs@vger.kernel.org, linux-api@vger.kernel.org,
samba-technical@lists.samba.org,
linux-security-module@vger.kernel.org
Subject: Re: [RFC v4 06/31] richacl: In-memory representation and helper functions
Date: Thu, 25 Jun 2015 21:58:45 +0200 [thread overview]
Message-ID: <558C5D75.6050608@samba.org> (raw)
In-Reply-To: <1435183040-22726-7-git-send-email-agruenba@redhat.com>
[-- Attachment #1: Type: text/plain, Size: 1578 bytes --]
Hi Andreas,
> +#define RICHACE_OWNER_SPECIAL_ID 0
> +#define RICHACE_GROUP_SPECIAL_ID 1
> +#define RICHACE_EVERYONE_SPECIAL_ID 2
> +
> +struct richace {
> + unsigned short e_type;
> + unsigned short e_flags;
> + unsigned int e_mask;
> + union {
> + kuid_t uid;
> + kgid_t gid;
> + unsigned int special;
> + } e_id;
> +};
> +
> +struct richacl {
> + atomic_t a_refcount;
> + unsigned int a_owner_mask;
> + unsigned int a_group_mask;
> + unsigned int a_other_mask;
> + unsigned short a_count;
> + unsigned short a_flags;
> + struct richace a_entries[0];
> +};
Is that also the on disk representation?
I'm wondering if the size of an ace should be dynamic,
which might make it possible to support other ace types
in future. E.g. supporting other identities like 128-bit values
to make it easier to map Windows SIDS.
Even without 128-bit ids, it would be very useful to mark an
ace so that it applies to a uid or gid at the same time.
This would reduce the size of the ace list when Samba uses
IDMAP_TYPE_BOTH, which means a SID is mapped to a unix id, which
is user (uid) and group (gid) at the same time. This feature is required
in order to support SID-Histories on accounts.
Currently Samba needs to add two aces (one uid and one gid)
in order to represent one Windows ace.
I haven't looked at the claims based acls on Windows, but it would be
good if the new infrastructure is dynamic enough to support something
like that in a future version.
Thanks very much on your persistent to bring richacls forward!
metze
[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 198 bytes --]
next prev parent reply other threads:[~2015-06-25 20:05 UTC|newest]
Thread overview: 54+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-06-24 21:56 [RFC v4 00/31] Richacls Andreas Gruenbacher
2015-06-24 21:56 ` Andreas Gruenbacher
2015-06-24 21:56 ` [RFC v4 01/31] vfs: Add IS_ACL() and IS_RICHACL() tests Andreas Gruenbacher
2015-06-24 21:56 ` [RFC v4 02/31] vfs: Add MAY_CREATE_FILE and MAY_CREATE_DIR permission flags Andreas Gruenbacher
2015-06-24 21:56 ` Andreas Gruenbacher
2015-06-24 21:56 ` [RFC v4 03/31] vfs: Add MAY_DELETE_SELF and MAY_DELETE_CHILD " Andreas Gruenbacher
2015-06-24 21:56 ` Andreas Gruenbacher
2015-06-24 21:56 ` [RFC v4 04/31] vfs: Make the inode passed to inode_change_ok non-const Andreas Gruenbacher
2015-06-24 21:56 ` [RFC v4 05/31] vfs: Add permission flags for setting file attributes Andreas Gruenbacher
2015-06-24 21:56 ` [RFC v4 06/31] richacl: In-memory representation and helper functions Andreas Gruenbacher
2015-06-25 19:58 ` Stefan (metze) Metzmacher [this message]
2015-06-25 21:06 ` Andreas Grünbacher
2015-06-25 21:40 ` Stefan (metze) Metzmacher
2015-06-25 21:40 ` Stefan (metze) Metzmacher
2015-06-26 7:55 ` Andreas Grünbacher
2015-06-26 7:55 ` Andreas Grünbacher
2015-06-24 21:56 ` [RFC v4 07/31] richacl: Permission mapping functions Andreas Gruenbacher
2015-06-24 21:56 ` [RFC v4 08/31] richacl: Compute maximum file masks from an acl Andreas Gruenbacher
2015-06-24 21:56 ` [RFC v4 09/31] richacl: Update the file masks in chmod() Andreas Gruenbacher
2015-06-24 21:56 ` Andreas Gruenbacher
2015-06-24 21:56 ` [RFC v4 10/31] richacl: Permission check algorithm Andreas Gruenbacher
2015-06-24 21:56 ` Andreas Gruenbacher
2015-06-24 21:57 ` [RFC v4 11/31] vfs: Cache base_acl objects in inodes Andreas Gruenbacher
2015-06-24 21:57 ` [RFC v4 12/31] vfs: Cache richacl in struct inode Andreas Gruenbacher
2015-06-24 21:57 ` Andreas Gruenbacher
2015-06-24 21:57 ` [RFC v4 13/31] richacl: Check if an acl is equivalent to a file mode Andreas Gruenbacher
2015-06-24 21:57 ` Andreas Gruenbacher
2015-06-24 21:57 ` [RFC v4 14/31] richacl: Create-time inheritance Andreas Gruenbacher
2015-06-24 21:57 ` [RFC v4 15/31] richacl: Automatic Inheritance Andreas Gruenbacher
2015-06-24 21:57 ` [RFC v4 16/31] richacl: xattr mapping functions Andreas Gruenbacher
2015-06-24 21:57 ` Andreas Gruenbacher
2015-06-24 21:57 ` [RFC v4 17/31] vfs: Add richacl permission checking Andreas Gruenbacher
2015-06-24 21:57 ` [RFC v4 18/31] ext4: Add richacl support Andreas Gruenbacher
2015-06-24 21:57 ` Andreas Gruenbacher
2015-06-24 21:57 ` [RFC v4 19/31] ext4: Add richacl feature flag Andreas Gruenbacher
2015-06-24 21:57 ` [RFC v4 20/31] richacl: acl editing helper functions Andreas Gruenbacher
2015-06-24 21:57 ` [RFC v4 21/31] richacl: Move everyone@ aces down the acl Andreas Gruenbacher
2015-06-24 21:57 ` Andreas Gruenbacher
2015-06-24 21:57 ` [RFC v4 22/31] richacl: Propagate everyone@ permissions to other aces Andreas Gruenbacher
2015-06-24 21:57 ` Andreas Gruenbacher
2015-06-24 21:57 ` [RFC v4 23/31] richacl: Set the owner permissions to the owner mask Andreas Gruenbacher
2015-06-24 21:57 ` [RFC v4 24/31] richacl: Set the other permissions to the other mask Andreas Gruenbacher
2015-06-24 21:57 ` Andreas Gruenbacher
2015-06-24 21:57 ` [RFC v4 25/31] richacl: Isolate the owner and group classes Andreas Gruenbacher
2015-06-24 21:57 ` [RFC v4 26/31] richacl: Apply the file masks to a richacl Andreas Gruenbacher
2015-06-24 21:57 ` Andreas Gruenbacher
2015-06-24 21:57 ` [RFC v4 27/31] richacl: Create richacl from mode values Andreas Gruenbacher
2015-06-24 21:57 ` Andreas Gruenbacher
2015-06-24 21:57 ` [RFC v4 28/31] nfsd: Keep list of acls to dispose of in compoundargs Andreas Gruenbacher
2015-06-24 21:57 ` Andreas Gruenbacher
2015-06-24 21:57 ` [RFC v4 29/31] nfsd: Use richacls as internal acl representation Andreas Gruenbacher
2015-06-24 21:57 ` [RFC v4 30/31] nfsd: Add richacl support Andreas Gruenbacher
2015-06-24 21:57 ` [RFC v4 31/31] nfsd: Add support for the v4.1 dacl attribute Andreas Gruenbacher
2015-06-24 21:57 ` Andreas Gruenbacher
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=558C5D75.6050608@samba.org \
--to=metze@samba.org \
--cc=andreas.gruenbacher@gmail.com \
--cc=linux-api@vger.kernel.org \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-nfs@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=samba-technical@lists.samba.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.