From: Andreas Grünbacher
Date: Fri, 12 Oct 2018 11:09:38 +0200
Subject: Re: posix_acl_permission() and MAY_* flags
To: Andreas Dilger
Cc: Al Viro, Andreas Gruenbacher, Linux FS-devel Mailing List
References: <1254FD78-8392-4B97-A191-EDA01B719635@whamcloud.com>
Sender: linux-fsdevel-owner@vger.kernel.org

On Fri, 12 Oct 2018 at 02:44, Andreas Dilger wrote:
> I was looking at POSIX ACL on-disk and in-memory code and it looks like
> there is a subtle dependency between the on-disk format and what (IMHO)
> would be considered in-memory declarations.
>
> When a POSIX ACL is read from disk, posix_acl_from_mode() copies the file
> mode (S_I[RWX][UGO]) into the e_perm fields of the ACL default entries.
> Similarly, in posix_acl_equiv_mode() and posix_acl_create_masq() it uses
> S_IRWXO to mask the e_perm flags.
>
> However, later on in posix_acl_permission() it directly uses the "want"
> flag, which contains MAY_{READ,WRITE,EXEC} flags, and compares those to
> e_perm of each ACL entry.

As far as I can tell, this practice even goes back to before POSIX ACLs.
For example, if you look at function vfs_permission in fs/namei.c in a
v2.4 tree, you'll find something like this:

    if (((mode & mask & (MAY_READ|MAY_WRITE|MAY_EXEC)) == mask))
        return 0;

Here, mode is inode->i_mode shifted so that the bits that matter are the
lowest three (S_IRWXO) and mask is a combination of MAY_ flags.

> In posix_acl_valid() it compares e_perm with ACL_{READ,WRITE,EXECUTE}.
>
> While the MAY_[RWX] and ACL_[RWX] currently have the same value as
> S_I[RWX]OTH, it isn't very clear that these flags MUST all have the same
> values or POSIX ACLs will break.
>
> This definitely doesn't seem quite right. Are the ACL_* constants the
> values to be used, with "conversion" in between the flags/modes? Should
> there be a BUILD_BUG_ON() that trips if those values ever differ?

The ACL_{READ,WRITE,EXECUTE} and MAY_{READ,WRITE,EXEC} values must
definitely have the same values. This wouldn't be true for higher bits,
but POSIX ACLs don't support anything beyond rwx.

Andreas
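The coupling discussed in this thread, shown as an added stand-alone example (this is not code from the thread or from the kernel). The bit values are copied from the kernel headers (include/uapi/linux/stat.h, include/linux/fs.h, include/uapi/linux/posix_acl.h); the static assertions are the build-time check Andreas Dilger asks about; the toy_* functions are simplified re-implementations of the v2.4 vfs_permission() mode check, posix_acl_from_mode() and posix_acl_permission() with the current fsuid/fsgid passed in by the caller (one group, no capability overrides), and the sample inode and ACL are constructed for the example. The point to observe is that e_perm is filled from i_mode, then ANDed directly against the MAY_* "want" bits with no conversion step, which only works because all three bit sets coincide.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>

/* Bit values copied from the kernel headers; everything below them is a
 * simplified stand-in written for this example, not kernel code. */
#define S_IRWXU 00700
#define S_IRWXG 00070
#define S_IRWXO 00007
#define S_IROTH 00004
#define S_IWOTH 00002
#define S_IXOTH 00001

#define MAY_EXEC  0x00000001
#define MAY_WRITE 0x00000002
#define MAY_READ  0x00000004

#define ACL_READ    0x04
#define ACL_WRITE   0x02
#define ACL_EXECUTE 0x01

#define ACL_USER_OBJ  0x01
#define ACL_USER      0x02
#define ACL_GROUP_OBJ 0x04
#define ACL_GROUP     0x08
#define ACL_MASK      0x10
#define ACL_OTHER     0x20

/* The build-time check the thread suggests: e_perm (ACL_*) is filled from
 * i_mode (S_I*OTH after shifting) and compared directly with want (MAY_*),
 * so the three bit sets must agree or ACL checks silently break. */
_Static_assert(MAY_READ == ACL_READ && ACL_READ == S_IROTH, "read bit mismatch");
_Static_assert(MAY_WRITE == ACL_WRITE && ACL_WRITE == S_IWOTH, "write bit mismatch");
_Static_assert(MAY_EXEC == ACL_EXECUTE && ACL_EXECUTE == S_IXOTH, "exec bit mismatch");

struct toy_inode { unsigned int i_mode, i_uid, i_gid; };
struct toy_acl_entry { short e_tag; unsigned short e_perm; unsigned int e_id; };

/* Like posix_acl_from_mode(): the rwx triples of i_mode become e_perm. */
void toy_acl_from_mode(unsigned int mode, struct toy_acl_entry out[3])
{
    out[0] = (struct toy_acl_entry){ ACL_USER_OBJ,  (mode & S_IRWXU) >> 6, 0 };
    out[1] = (struct toy_acl_entry){ ACL_GROUP_OBJ, (mode & S_IRWXG) >> 3, 0 };
    out[2] = (struct toy_acl_entry){ ACL_OTHER,     (mode & S_IRWXO),      0 };
}

/* v2.4 vfs_permission()-style mode check: shift the relevant rwx triple
 * into the S_IRWXO slot, then AND it with the MAY_* mask. */
int toy_mode_permission(const struct toy_inode *inode, unsigned int uid,
                        unsigned int gid, int want)
{
    unsigned int mode = inode->i_mode;
    int mask = want & (MAY_READ | MAY_WRITE | MAY_EXEC);

    if (uid == inode->i_uid)
        mode >>= 6;                     /* owner triple */
    else if (gid == inode->i_gid)
        mode >>= 3;                     /* group triple */
    return ((mode & mask & (MAY_READ | MAY_WRITE | MAY_EXEC)) == mask) ? 0 : -EACCES;
}

/* posix_acl_permission()-style check over a tag-ordered ACL (USER_OBJ,
 * USER*, GROUP_OBJ, GROUP*, MASK?, OTHER, as posix_acl_valid() requires).
 * There is no conversion: want (MAY_*) is ANDed straight into e_perm (ACL_*). */
int toy_acl_permission(const struct toy_inode *inode, const struct toy_acl_entry *acl,
                       size_t n, unsigned int uid, unsigned int gid, int want)
{
    const struct toy_acl_entry *pa, *pe = acl + n, *m;
    int found = 0;

    want &= MAY_READ | MAY_WRITE | MAY_EXEC;
    for (pa = acl; pa != pe; pa++) {
        switch (pa->e_tag) {
        case ACL_USER_OBJ:
            if (uid == inode->i_uid) goto check_perm;
            break;
        case ACL_USER:
            if (uid == pa->e_id) goto mask;
            break;
        case ACL_GROUP_OBJ:
        case ACL_GROUP:
            if (gid == (pa->e_tag == ACL_GROUP_OBJ ? inode->i_gid : pa->e_id)) {
                found = 1;              /* group matched; grant only if it permits */
                if ((pa->e_perm & want) == want) goto mask;
            }
            break;
        case ACL_MASK:
            break;
        case ACL_OTHER:
            if (found) return -EACCES;  /* a group entry matched but did not grant */
            goto check_perm;
        default:
            return -EIO;
        }
    }
    return -EIO;
mask:                                   /* named users/groups are limited by ACL_MASK */
    for (m = pa + 1; m != pe; m++)
        if (m->e_tag == ACL_MASK)
            return ((pa->e_perm & m->e_perm & want) == want) ? 0 : -EACCES;
check_perm:
    return ((pa->e_perm & want) == want) ? 0 : -EACCES;
}

/* Constructed sample: a 0750 file owned by uid 1000 / gid 100, with an ACL
 * that additionally grants uid 2000 read-only access. */
static const struct toy_inode sample_inode = { 0750, 1000, 100 };
static const struct toy_acl_entry sample_acl[] = {
    { ACL_USER_OBJ,  ACL_READ | ACL_WRITE | ACL_EXECUTE, 0 },
    { ACL_USER,      ACL_READ,                           2000 },
    { ACL_GROUP_OBJ, ACL_READ | ACL_EXECUTE,             0 },
    { ACL_MASK,      ACL_READ | ACL_EXECUTE,             0 },
    { ACL_OTHER,     0,                                  0 },
};

int sample_acl_check(unsigned int uid, unsigned int gid, int want)
{
    return toy_acl_permission(&sample_inode, sample_acl,
                              sizeof(sample_acl) / sizeof(sample_acl[0]), uid, gid, want);
}
int sample_mode_check(unsigned int uid, unsigned int gid, int want)
{
    return toy_mode_permission(&sample_inode, uid, gid, want);
}
unsigned int sample_perm_from_mode(unsigned int mode, int which)
{
    struct toy_acl_entry e[3];
    toy_acl_from_mode(mode, e);
    return e[which].e_perm;
}

int main(void)
{
    printf("uid 2000 read via ACL:  %d\n", sample_acl_check(2000, 500, MAY_READ));
    printf("uid 2000 write via ACL: %d\n", sample_acl_check(2000, 500, MAY_WRITE));
    printf("gid 100 write via mode: %d\n", sample_mode_check(3000, 100, MAY_WRITE));
    return 0;
}
```

If any of the three _Static_assert lines fails to compile after a header edit, that is precisely the breakage the thread describes: toy_acl_from_mode() would store bits that toy_acl_permission() then tests against differently numbered MAY_* bits, and access checks would go wrong without any runtime error.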