From: Andreas Gruenbacher <agruenba@redhat.com>
To: Jeff Layton <jlayton@redhat.com>
Cc: Alexander Viro <viro@zeniv.linux.org.uk>,
Christoph Hellwig <hch@infradead.org>,
"Theodore Ts'o" <tytso@mit.edu>,
Andreas Dilger <adilger.kernel@dilger.ca>,
"J. Bruce Fields" <bfields@fieldses.org>,
Trond Myklebust <trond.myklebust@primarydata.com>,
Anna Schumaker <anna.schumaker@netapp.com>,
Dave Chinner <david@fromorbit.com>,
linux-ext4 <linux-ext4@vger.kernel.org>,
XFS Developers <xfs@oss.sgi.com>,
LKML <linux-kernel@vger.kernel.org>,
linux-fsdevel <linux-fsdevel@vger.kernel.org>,
Linux NFS Mailing List <linux-nfs@vger.kernel.org>,
linux-cifs@vger.kernel.org, Linux API <linux-api@vger.kernel.org>
Subject: Re: [PATCH v23 09/22] richacl: Permission check algorithm
Date: Mon, 11 Jul 2016 15:28:40 +0200 [thread overview]
Message-ID: <CAHc6FU4QnNub8wxLtMKNjEZJjg1sr-+=OqsrB+T9AVnOSWDEnA@mail.gmail.com> (raw)
In-Reply-To: <1467730747.3800.34.camel@redhat.com>
On Tue, Jul 5, 2016 at 4:59 PM, Jeff Layton <jlayton@redhat.com> wrote:
> On Thu, 2016-06-30 at 15:47 +0200, Andreas Gruenbacher wrote:
>> A richacl roughly grants a requested access if the NFSv4 acl in the
>> richacl grants the requested permissions according to the NFSv4
>> permission check algorithm and the file mask that applies to the process
>> includes the requested permissions.
>>
>> Signed-off-by: Andreas Gruenbacher <agruenba@redhat.com>
>> Reviewed-by: J. Bruce Fields <bfields@fieldses.org>
>> ---
>> fs/richacl.c | 128 ++++++++++++++++++++++++++++++++++++++++++++++++
>> include/linux/richacl.h | 1 +
>> 2 files changed, 129 insertions(+)
>>
>> diff --git a/fs/richacl.c b/fs/richacl.c
>> index 056228f..cb0ef3f 100644
>> --- a/fs/richacl.c
>> +++ b/fs/richacl.c
>> @@ -338,3 +338,131 @@ restart:
>> acl->a_flags &= ~(RICHACL_WRITE_THROUGH | RICHACL_MASKED);
>> }
>> EXPORT_SYMBOL_GPL(richacl_compute_max_masks);
>> +
>> +/**
>> + * richacl_permission - richacl permission check algorithm
>> + * @inode: inode to check
>> + * @acl: rich acl of the inode
>> + * @want: requested access (MAY_* flags)
>> + *
>> + * Checks if the current process is granted @mask flags in @acl.
>> + */
>
> nit: there is no @mask parm here. Do you mean @want ?
Yes, thanks.
>> +int
>> +richacl_permission(struct inode *inode, const struct richacl *acl,
>> + int want)
>> +{
>> + const struct richace *ace;
>> + unsigned int mask = richacl_want_to_mask(want);
>> + unsigned int requested = mask, denied = 0;
>> + int in_owning_group = in_group_p(inode->i_gid);
>> + int in_owner_or_group_class = in_owning_group;
>> +
>> + /*
>> + * A process is
>> + * - in the owner file class if it owns the file,
>> + * - in the group file class if it is in the file's owning group or
>> + * it matches any of the user or group entries, and
>> + * - in the other file class otherwise.
>> + * The file class is only relevant for determining which file mask to
>> + * apply, which only happens for masked acls.
>> + */
>> + if (acl->a_flags & RICHACL_MASKED) {
>> + if ((acl->a_flags & RICHACL_WRITE_THROUGH) &&
>> + uid_eq(current_fsuid(), inode->i_uid)) {
>> + denied = requested & ~acl->a_owner_mask;
>> + goto out;
>> + }
>> + } else {
>> + /*
>> + * When the acl is not masked, there is no need to determine if
>> + * the process is in the group class and we can break out
>> + * earlier of the loop below.
>> + */
>> + in_owner_or_group_class = 1;
>> + }
>> +
>> + /*
>> + * Check if the acl grants the requested access and determine which
>> + * file class the process is in.
>> + */
>> + richacl_for_each_entry(ace, acl) {
>> + unsigned int ace_mask = ace->e_mask;
>> +
>> + if (richace_is_inherit_only(ace))
>> + continue;
>> + if (richace_is_owner(ace)) {
>> + if (!uid_eq(current_fsuid(), inode->i_uid))
>> + continue;
>> + goto entry_matches_owner;
>> + } else if (richace_is_group(ace)) {
>> + if (!in_owning_group)
>> + continue;
>> + } else if (richace_is_unix_user(ace)) {
>> + if (!uid_eq(current_fsuid(), ace->e_id.uid))
>> + continue;
>> + if (uid_eq(current_fsuid(), inode->i_uid))
>> + goto entry_matches_owner;
>> + } else if (richace_is_unix_group(ace)) {
>> + if (!in_group_p(ace->e_id.gid))
>> + continue;
>> + } else
>> + goto entry_matches_everyone;
>> +
>> + /*
>> + * Apply the group file mask to entries other than owner@ and
>> + * everyone@ or user entries matching the owner. This ensures
>> + * that we grant the same permissions as the acl computed by
>> + * richacl_apply_masks().
>> + *
>> + * Without this restriction, the following richacl would grant
>> + * rw access to processes which are both the owner and in the
>> + * owning group, but not to other users in the owning group,
>> + * which could not be represented without masks:
>> + *
>> + * owner:rw::mask
>> + * group@:rw::allow
>> + */
>> + if ((acl->a_flags & RICHACL_MASKED) && richace_is_allow(ace))
>> + ace_mask &= acl->a_group_mask;
>> +
>> +entry_matches_owner:
>> + /* The process is in the owner or group file class. */
>> + in_owner_or_group_class = 1;
>> +
>> +entry_matches_everyone:
>> + /* Check which mask flags the ACE allows or denies. */
>> + if (richace_is_deny(ace))
>> + denied |= ace_mask & mask;
>> + mask &= ~ace_mask;
>> +
>> + /*
>> + * Keep going until we know which file class
>> + * the process is in.
>> + */
>> + if (!mask && in_owner_or_group_class)
>> + break;
>> + }
>> + denied |= mask;
>> +
>> + if (acl->a_flags & RICHACL_MASKED) {
>> + /*
>> + * The file class a process is in determines which file mask
>> + * applies. Check if that file mask also grants the requested
>> + * access.
>> + */
>> + if (uid_eq(current_fsuid(), inode->i_uid))
>> + denied |= requested & ~acl->a_owner_mask;
>> + else if (in_owner_or_group_class)
>> + denied |= requested & ~acl->a_group_mask;
>> + else {
>> + if (acl->a_flags & RICHACL_WRITE_THROUGH)
>> + denied = requested & ~acl->a_other_mask;
>> + else
>> + denied |= requested & ~acl->a_other_mask;
>> + }
>> + }
>> +
>> +out:
>> + return denied ? -EACCES : 0;
>> +}
>> +EXPORT_SYMBOL_GPL(richacl_permission);
>> diff --git a/include/linux/richacl.h b/include/linux/richacl.h
>> index 3559b2c..be9fb65 100644
>> --- a/include/linux/richacl.h
>> +++ b/include/linux/richacl.h
>> @@ -179,5 +179,6 @@ extern int richacl_masks_to_mode(const struct richacl *);
>> extern unsigned int richacl_mode_to_mask(umode_t);
>> extern unsigned int richacl_want_to_mask(unsigned int);
>> extern void richacl_compute_max_masks(struct richacl *);
>> +extern int richacl_permission(struct inode *, const struct richacl *, int);
>>
>> #endif /* __RICHACL_H */
>
> Reviewed-by: Jeff Layton <jlayton@redhat.com>
Thanks,
Andreas
next prev parent reply other threads:[~2016-07-11 13:28 UTC|newest]
Thread overview: 56+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-06-30 13:46 [PATCH v23 00/22] Richacls (Core and Ext4) Andreas Gruenbacher
2016-06-30 13:46 ` [PATCH v23 01/22] vfs: Add IS_ACL() and IS_RICHACL() tests Andreas Gruenbacher
2016-07-05 11:00 ` Jeff Layton
2016-06-30 13:46 ` [PATCH v23 02/22] vfs: Add MAY_CREATE_FILE and MAY_CREATE_DIR permission flags Andreas Gruenbacher
2016-07-05 11:02 ` Jeff Layton
2016-06-30 13:46 ` [PATCH v23 03/22] vfs: Add MAY_DELETE_SELF and MAY_DELETE_CHILD " Andreas Gruenbacher
2016-07-05 11:07 ` Jeff Layton
2016-06-30 13:46 ` [PATCH v23 04/22] vfs: Make the inode passed to inode_change_ok non-const Andreas Gruenbacher
2016-07-05 11:12 ` Jeff Layton
2016-06-30 13:46 ` [PATCH v23 05/22] vfs: Add permission flags for setting file attributes Andreas Gruenbacher
2016-07-05 11:18 ` Jeff Layton
2016-06-30 13:46 ` [PATCH v23 06/22] richacl: In-memory representation and helper functions Andreas Gruenbacher
2016-07-05 11:34 ` Jeff Layton
2016-07-11 10:11 ` Andreas Gruenbacher
2016-06-30 13:46 ` [PATCH v23 07/22] richacl: Permission mapping functions Andreas Gruenbacher
2016-07-05 13:39 ` Jeff Layton
2016-07-11 13:26 ` Andreas Gruenbacher
2016-06-30 13:46 ` [PATCH v23 08/22] richacl: Compute maximum file masks from an acl Andreas Gruenbacher
2016-07-05 14:22 ` Jeff Layton
2016-07-05 17:08 ` Frank Filz
2016-07-13 12:34 ` Andreas Gruenbacher
2016-07-13 19:38 ` Frank Filz
2016-06-30 13:47 ` [PATCH v23 09/22] richacl: Permission check algorithm Andreas Gruenbacher
2016-07-05 14:59 ` Jeff Layton
2016-07-11 13:28 ` Andreas Gruenbacher [this message]
2016-06-30 13:47 ` [PATCH v23 10/22] posix_acl: Improve xattr fixup code Andreas Gruenbacher
2016-07-05 15:38 ` Jeff Layton
2016-06-30 13:47 ` [PATCH v23 11/22] vfs: Cache base_acl objects in inodes Andreas Gruenbacher
2016-07-05 15:56 ` Jeff Layton
2016-06-30 13:47 ` [PATCH v23 12/22] vfs: Add get_richacl and set_richacl inode operations Andreas Gruenbacher
2016-07-06 18:31 ` Jeff Layton
2016-06-30 13:47 ` [PATCH v23 13/22] vfs: Cache richacl in struct inode Andreas Gruenbacher
2016-07-06 18:57 ` Jeff Layton
2016-07-14 20:02 ` Andreas Gruenbacher
2016-07-07 14:14 ` David Howells
2016-06-30 13:47 ` [PATCH v23 14/22] richacl: Update the file masks in chmod() Andreas Gruenbacher
2016-07-12 11:36 ` Jeff Layton
2016-06-30 13:47 ` [PATCH v23 15/22] richacl: Check if an acl is equivalent to a file mode Andreas Gruenbacher
2016-07-12 11:39 ` Jeff Layton
2016-06-30 13:47 ` [PATCH v23 16/22] richacl: Create-time inheritance Andreas Gruenbacher
2016-07-12 11:41 ` Jeff Layton
2016-06-30 13:47 ` [PATCH v23 17/22] richacl: Automatic Inheritance Andreas Gruenbacher
2016-07-12 11:56 ` Jeff Layton
2016-07-12 19:11 ` J. Bruce Fields
2016-07-12 20:28 ` Andreas Gruenbacher
2016-06-30 13:47 ` [PATCH v23 18/22] richacl: xattr mapping functions Andreas Gruenbacher
2016-07-12 12:02 ` Jeff Layton
2016-07-14 20:33 ` Andreas Gruenbacher
2016-06-30 13:47 ` [PATCH v23 19/22] richacl: Add richacl xattr handler Andreas Gruenbacher
2016-07-12 12:13 ` Jeff Layton
2016-06-30 13:47 ` [PATCH v23 20/22] vfs: Add richacl permission checking Andreas Gruenbacher
2016-07-12 12:13 ` Jeff Layton
2016-07-14 20:59 ` Andreas Gruenbacher
2016-06-30 13:47 ` [PATCH v23 21/22] ext4: Add richacl support Andreas Gruenbacher
2016-06-30 13:47 ` [PATCH v23 22/22] ext4: Add richacl feature flag Andreas Gruenbacher
2016-06-30 14:11 ` [PATCH v23 00/22] Richacls (Core and Ext4) Volker Lendecke
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to='CAHc6FU4QnNub8wxLtMKNjEZJjg1sr-+=OqsrB+T9AVnOSWDEnA@mail.gmail.com' \
--to=agruenba@redhat.com \
--cc=adilger.kernel@dilger.ca \
--cc=anna.schumaker@netapp.com \
--cc=bfields@fieldses.org \
--cc=david@fromorbit.com \
--cc=hch@infradead.org \
--cc=jlayton@redhat.com \
--cc=linux-api@vger.kernel.org \
--cc=linux-cifs@vger.kernel.org \
--cc=linux-ext4@vger.kernel.org \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-nfs@vger.kernel.org \
--cc=trond.myklebust@primarydata.com \
--cc=tytso@mit.edu \
--cc=viro@zeniv.linux.org.uk \
--cc=xfs@oss.sgi.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).