From: Andreas Gruenbacher <agruenba@redhat.com>
To: linux-kernel@vger.kernel.org, linux-fsdevel@vger.kernel.org,
linux-nfs@vger.kernel.org, linux-api@vger.kernel.org,
linux-cifs@vger.kernel.org,
linux-security-module@vger.kernel.org
Subject: [RFC v7 08/41] richacl: Compute maximum file masks from an acl
Date: Sat, 5 Sep 2015 12:27:03 +0200 [thread overview]
Message-ID: <1441448856-13478-9-git-send-email-agruenba@redhat.com> (raw)
In-Reply-To: <1441448856-13478-1-git-send-email-agruenba@redhat.com>
Compute upper bound owner, group, and other file masks with as few
permissions as possible without denying any permissions that the NFSv4
acl in a richacl grants.
This algorithm is used when a file inherits an acl at create time and
when an acl is set via a mechanism that does not provide file masks
(such as setting an acl via nfsd). When user-space sets an acl via
setxattr, the extended attribute already includes the file masks.
Setting an acl also sets the file mode permission bits: they are
determined by the file masks; see richacl_masks_to_mode().
Signed-off-by: Andreas Gruenbacher <agruenba@redhat.com>
Reviewed-by: J. Bruce Fields <bfields@redhat.com>
---
fs/richacl_base.c | 157 ++++++++++++++++++++++++++++++++++++++++++++++++
include/linux/richacl.h | 1 +
2 files changed, 158 insertions(+)
diff --git a/fs/richacl_base.c b/fs/richacl_base.c
index 063dbe4..fc544f7 100644
--- a/fs/richacl_base.c
+++ b/fs/richacl_base.c
@@ -182,3 +182,160 @@ richacl_want_to_mask(unsigned int want)
return mask;
}
EXPORT_SYMBOL_GPL(richacl_want_to_mask);
+
+/*
+ * Note: functions like richacl_allowed_to_who(), richacl_group_class_allowed(),
+ * and richacl_compute_max_masks() iterate through the entire acl in reverse
+ * order as an optimization.
+ *
+ * In the standard algorithm, aces are considered in forward order. When a
+ * process matches an ace, the permissions in the ace are either allowed or
+ * denied depending on the ace type. Once a permission has been allowed or
+ * denied, it is no longer considered in further aces.
+ *
+ * By iterating through the acl in reverse order, we can compute the same
+ * result without having to keep track of which permissions have been allowed
+ * and denied already.
+ */
+
+/**
+ * richacl_allowed_to_who - permissions allowed to a specific who value
+ *
+ * Compute the maximum mask values allowed to a specific who value, taking
+ * everyone@ aces into account.
+ */
+static unsigned int richacl_allowed_to_who(struct richacl *acl,
+ struct richace *who)
+{
+ struct richace *ace;
+ unsigned int allowed = 0;
+
+ richacl_for_each_entry_reverse(ace, acl) {
+ if (richace_is_inherit_only(ace))
+ continue;
+ if (richace_is_same_identifier(ace, who) ||
+ richace_is_everyone(ace)) {
+ if (richace_is_allow(ace))
+ allowed |= ace->e_mask;
+ else if (richace_is_deny(ace))
+ allowed &= ~ace->e_mask;
+ }
+ }
+ return allowed;
+}
+
+/**
+ * richacl_group_class_allowed - maximum permissions of the group class
+ *
+ * Compute the maximum mask values allowed to a process in the group class
+ * (i.e., a process which is not the owner but is in the owning group or
+ * matches a user or group acl entry). This includes permissions granted or
+ * denied by everyone@ aces.
+ *
+ * See richacl_compute_max_masks().
+ */
+static unsigned int richacl_group_class_allowed(struct richacl *acl)
+{
+ struct richace *ace;
+ unsigned int everyone_allowed = 0, group_class_allowed = 0;
+ int had_group_ace = 0;
+
+ richacl_for_each_entry_reverse(ace, acl) {
+ if (richace_is_inherit_only(ace) ||
+ richace_is_owner(ace))
+ continue;
+
+ if (richace_is_everyone(ace)) {
+ if (richace_is_allow(ace))
+ everyone_allowed |= ace->e_mask;
+ else if (richace_is_deny(ace))
+ everyone_allowed &= ~ace->e_mask;
+ } else {
+ group_class_allowed |=
+ richacl_allowed_to_who(acl, ace);
+
+ if (richace_is_group(ace))
+ had_group_ace = 1;
+ }
+ }
+ /*
+ * If the acl doesn't contain any group@ aces, richacl_allowed_to_who()
+ * wasn't called for the owning group. We could make that call now, but
+ * we already know the result (everyone_allowed).
+ */
+ if (!had_group_ace)
+ group_class_allowed |= everyone_allowed;
+ return group_class_allowed;
+}
+
+/**
+ * richacl_compute_max_masks - compute upper bound masks
+ *
+ * Computes upper bound owner, group, and other masks so that none of the
+ * permissions allowed by the acl are disabled.
+ *
+ * We don't make assumptions about who the owner is so that the owner can
+ * change with no effect on the file masks or file mode permission bits; this
+ * means that we must assume that all entries can match the owner.
+ */
+void richacl_compute_max_masks(struct richacl *acl)
+{
+ unsigned int gmask = ~0;
+ struct richace *ace;
+
+ /*
+ * @gmask contains all permissions which the group class is ever
+ * allowed. We use it to avoid adding permissions to the group mask
+ * from everyone@ allow aces which the group class is always denied
+ * through other aces. For example, the following acl would otherwise
+ * result in a group mask of rw:
+ *
+ * group@:w::deny
+ * everyone@:rw::allow
+ *
+ * Avoid computing @gmask for acls which do not include any group class
+ * deny aces: in such acls, the group class is never denied any
+ * permissions from everyone@ allow aces, and the group class cannot
+ * have fewer permissions than the other class.
+ */
+
+restart:
+ acl->a_owner_mask = 0;
+ acl->a_group_mask = 0;
+ acl->a_other_mask = 0;
+
+ richacl_for_each_entry_reverse(ace, acl) {
+ if (richace_is_inherit_only(ace))
+ continue;
+
+ if (richace_is_owner(ace)) {
+ if (richace_is_allow(ace))
+ acl->a_owner_mask |= ace->e_mask;
+ else if (richace_is_deny(ace))
+ acl->a_owner_mask &= ~ace->e_mask;
+ } else if (richace_is_everyone(ace)) {
+ if (richace_is_allow(ace)) {
+ acl->a_owner_mask |= ace->e_mask;
+ acl->a_group_mask |= ace->e_mask & gmask;
+ acl->a_other_mask |= ace->e_mask;
+ } else if (richace_is_deny(ace)) {
+ acl->a_owner_mask &= ~ace->e_mask;
+ acl->a_group_mask &= ~ace->e_mask;
+ acl->a_other_mask &= ~ace->e_mask;
+ }
+ } else {
+ if (richace_is_allow(ace)) {
+ acl->a_owner_mask |= ace->e_mask & gmask;
+ acl->a_group_mask |= ace->e_mask & gmask;
+ } else if (richace_is_deny(ace) && gmask == ~0) {
+ gmask = richacl_group_class_allowed(acl);
+ if (likely(gmask != ~0))
+ /* should always be true */
+ goto restart;
+ }
+ }
+ }
+
+ acl->a_flags &= ~(RICHACL_WRITE_THROUGH | RICHACL_MASKED);
+}
+EXPORT_SYMBOL_GPL(richacl_compute_max_masks);
diff --git a/include/linux/richacl.h b/include/linux/richacl.h
index 9c8f298..e81144a 100644
--- a/include/linux/richacl.h
+++ b/include/linux/richacl.h
@@ -297,5 +297,6 @@ extern void richace_copy(struct richace *, const struct richace *);
extern int richacl_masks_to_mode(const struct richacl *);
extern unsigned int richacl_mode_to_mask(mode_t);
extern unsigned int richacl_want_to_mask(unsigned int);
+extern void richacl_compute_max_masks(struct richacl *);
#endif /* __RICHACL_H */
--
2.4.3
next prev parent reply other threads:[~2015-09-05 10:30 UTC|newest]
Thread overview: 109+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-09-05 10:26 [RFC v7 00/41] Richacls Andreas Gruenbacher
2015-09-05 10:26 ` [RFC v7 01/41] vfs: Add IS_ACL() and IS_RICHACL() tests Andreas Gruenbacher
2015-09-05 10:26 ` [RFC v7 02/41] vfs: Add MAY_CREATE_FILE and MAY_CREATE_DIR permission flags Andreas Gruenbacher
2015-09-05 10:26 ` [RFC v7 03/41] vfs: Add MAY_DELETE_SELF and MAY_DELETE_CHILD " Andreas Gruenbacher
2015-09-06 8:14 ` [PATCH] " Andreas Gruenbacher
2015-09-11 20:30 ` J. Bruce Fields
2015-09-05 10:26 ` [RFC v7 04/41] vfs: Make the inode passed to inode_change_ok non-const Andreas Gruenbacher
2015-09-05 10:27 ` [RFC v7 05/41] vfs: Add permission flags for setting file attributes Andreas Gruenbacher
2015-09-05 10:27 ` [RFC v7 06/41] richacl: In-memory representation and helper functions Andreas Gruenbacher
2015-09-05 10:27 ` [RFC v7 07/41] richacl: Permission mapping functions Andreas Gruenbacher
2015-09-05 10:27 ` Andreas Gruenbacher [this message]
2015-09-05 10:27 ` [RFC v7 09/41] richacl: Update the file masks in chmod() Andreas Gruenbacher
2015-09-11 20:35 ` J. Bruce Fields
2015-09-05 10:27 ` [RFC v7 10/41] richacl: Permission check algorithm Andreas Gruenbacher
2015-09-11 21:16 ` J. Bruce Fields
2015-09-11 22:12 ` Andreas Grünbacher
2015-09-17 17:30 ` J. Bruce Fields
2015-09-05 10:27 ` [RFC v7 11/41] vfs: Cache base_acl objects in inodes Andreas Gruenbacher
2015-09-05 10:27 ` [RFC v7 12/41] vfs: Cache richacl in struct inode Andreas Gruenbacher
2015-09-05 10:27 ` [RFC v7 13/41] richacl: Check if an acl is equivalent to a file mode Andreas Gruenbacher
2015-09-17 18:22 ` J. Bruce Fields
2015-09-18 0:56 ` J. Bruce Fields
2015-09-21 13:59 ` Austin S Hemmelgarn
2015-09-21 14:38 ` J. Bruce Fields
2015-09-21 17:00 ` Austin S Hemmelgarn
2015-09-21 17:48 ` J. Bruce Fields
2015-09-21 15:31 ` J. Bruce Fields
2015-09-21 23:26 ` Andreas Gruenbacher
2015-09-21 23:20 ` Andreas Gruenbacher
2015-09-17 18:37 ` J. Bruce Fields
2015-09-05 10:27 ` [RFC v7 14/41] richacl: Create-time inheritance Andreas Gruenbacher
2015-09-18 17:58 ` J. Bruce Fields
2015-09-21 20:37 ` Andreas Gruenbacher
2015-09-05 10:27 ` [RFC v7 15/41] richacl: Automatic Inheritance Andreas Gruenbacher
2015-09-18 18:40 ` J. Bruce Fields
2015-09-21 21:19 ` Andreas Gruenbacher
2015-09-22 1:51 ` J. Bruce Fields
2015-09-23 13:55 ` J. Bruce Fields
2015-09-05 10:27 ` [RFC v7 16/41] richacl: xattr mapping functions Andreas Gruenbacher
2015-09-05 10:27 ` [RFC v7 17/41] vfs: Add richacl permission checking Andreas Gruenbacher
2015-09-05 10:27 ` [RFC v7 18/41] ext4: Add richacl support Andreas Gruenbacher
2015-09-23 2:30 ` Aneesh Kumar K.V
2015-09-05 10:27 ` [RFC v7 19/41] ext4: Add richacl feature flag Andreas Gruenbacher
2015-09-23 2:31 ` Aneesh Kumar K.V
2015-09-05 10:27 ` [RFC v7 20/41] richacl: acl editing helper functions Andreas Gruenbacher
2015-09-18 18:54 ` J. Bruce Fields
2015-09-05 10:27 ` [RFC v7 21/41] richacl: Move everyone@ aces down the acl Andreas Gruenbacher
2015-09-18 19:35 ` J. Bruce Fields
2015-09-21 21:43 ` Andreas Gruenbacher
2015-09-22 1:52 ` J. Bruce Fields
2015-09-05 10:27 ` [RFC v7 22/41] richacl: Propagate everyone@ permissions to other aces Andreas Gruenbacher
2015-09-18 21:36 ` J. Bruce Fields
2015-09-21 23:44 ` Andreas Gruenbacher
2015-09-18 21:56 ` J. Bruce Fields
2015-09-21 19:24 ` J. Bruce Fields
2015-09-23 1:24 ` Andreas Gruenbacher
2015-09-23 1:39 ` Andreas Gruenbacher
2015-09-23 1:46 ` J. Bruce Fields
2015-09-05 10:27 ` [RFC v7 23/41] richacl: Set the owner permissions to the owner mask Andreas Gruenbacher
2015-09-21 21:00 ` J. Bruce Fields
2015-09-05 10:27 ` [RFC v7 24/41] richacl: Set the other permissions to the other mask Andreas Gruenbacher
2015-09-23 14:03 ` J. Bruce Fields
2015-09-23 14:12 ` Andreas Grünbacher
2015-09-05 10:27 ` [RFC v7 25/41] richacl: Isolate the owner and group classes Andreas Gruenbacher
2015-09-22 16:06 ` J. Bruce Fields
2015-09-23 13:11 ` Andreas Gruenbacher
2015-09-23 13:15 ` J. Bruce Fields
2015-09-22 19:02 ` J. Bruce Fields
2015-09-23 13:33 ` Andreas Gruenbacher
2015-09-25 11:25 ` Andreas Gruenbacher
2015-09-25 20:17 ` J. Bruce Fields
2015-09-22 19:02 ` J. Bruce Fields
2015-09-05 10:27 ` [RFC v7 26/41] richacl: Apply the file masks to a richacl Andreas Gruenbacher
2015-09-22 19:11 ` J. Bruce Fields
2015-09-23 19:18 ` J. Bruce Fields
2015-09-23 20:29 ` Andreas Gruenbacher
2015-09-23 20:33 ` J. Bruce Fields
2015-09-23 20:40 ` Andreas Gruenbacher
2015-09-23 21:05 ` J. Bruce Fields
2015-09-23 22:14 ` Andreas Gruenbacher
2015-09-24 15:28 ` J. Bruce Fields
2015-09-24 15:48 ` Andreas Gruenbacher
2015-09-22 20:50 ` J. Bruce Fields
2015-09-24 18:33 ` J. Bruce Fields
2015-09-25 16:21 ` [PATCH] richacl: Possible other write-through fix Andreas Gruenbacher
2015-09-25 16:45 ` Andreas Gruenbacher
2015-09-25 18:36 ` J. Bruce Fields
2015-09-05 10:27 ` [RFC v7 27/41] richacl: Create richacl from mode values Andreas Gruenbacher
2015-09-23 20:11 ` J. Bruce Fields
2015-09-05 10:27 ` [RFC v7 28/41] nfsd: Keep list of acls to dispose of in compoundargs Andreas Gruenbacher
2015-09-23 20:28 ` J. Bruce Fields
2015-09-05 10:27 ` [RFC v7 29/41] nfsd: Use richacls as internal acl representation Andreas Gruenbacher
2015-09-24 19:29 ` J. Bruce Fields
2015-09-05 10:27 ` [RFC v7 30/41] nfsd: Add richacl support Andreas Gruenbacher
2015-09-24 19:38 ` J. Bruce Fields
2015-09-05 10:27 ` [RFC v7 31/41] nfsd: Add support for the v4.1 dacl attribute Andreas Gruenbacher
2015-09-24 19:59 ` J. Bruce Fields
2015-09-25 16:37 ` Andreas Gruenbacher
2015-09-05 10:27 ` [RFC v7 32/41] nfsd: Add support for the MAY_CREATE_{FILE,DIR} permissions Andreas Gruenbacher
2015-09-24 20:01 ` J. Bruce Fields
2015-09-05 10:27 ` [RFC v7 33/41] richacl: Add support for unmapped identifiers Andreas Gruenbacher
2015-09-05 10:27 ` [RFC v7 34/41] ext4: Don't allow unmapped identifiers in richacls Andreas Gruenbacher
2015-09-05 10:27 ` [RFC v7 35/41] sunrpc: Allow to demand-allocate pages to encode into Andreas Gruenbacher
2015-09-05 10:27 ` [RFC v7 36/41] sunrpc: Add xdr_init_encode_pages Andreas Gruenbacher
2015-09-05 10:27 ` [RFC v7 37/41] nfs: Fix GETATTR bitmap verification Andreas Gruenbacher
2015-09-05 10:27 ` [RFC v7 38/41] nfs: Remove unused xdr page offsets in getacl/setacl arguments Andreas Gruenbacher
2015-09-05 10:27 ` [RFC v7 39/41] nfs: Add richacl support Andreas Gruenbacher
2015-09-05 10:27 ` [RFC v7 40/41] nfs: Add support for the v4.1 dacl attribute Andreas Gruenbacher
2015-09-05 10:27 ` [RFC v7 41/41] richacl: uapi header split Andreas Gruenbacher
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1441448856-13478-9-git-send-email-agruenba@redhat.com \
--to=agruenba@redhat.com \
--cc=linux-api@vger.kernel.org \
--cc=linux-cifs@vger.kernel.org \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-nfs@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).