linux-kernel.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
From: Andreas Gruenbacher <agruenba@redhat.com>
To: Alexander Viro <viro@zeniv.linux.org.uk>
Cc: Andreas Gruenbacher <agruenba@redhat.com>,
	Christoph Hellwig <hch@infradead.org>,
	"Theodore Ts'o" <tytso@mit.edu>,
	Andreas Dilger <adilger.kernel@dilger.ca>,
	"J. Bruce Fields" <bfields@fieldses.org>,
	Jeff Layton <jlayton@poochiereds.net>,
	Trond Myklebust <trond.myklebust@primarydata.com>,
	Anna Schumaker <anna.schumaker@netapp.com>,
	Dave Chinner <david@fromorbit.com>,
	linux-ext4@vger.kernel.org, xfs@oss.sgi.com,
	linux-kernel@vger.kernel.org, linux-fsdevel@vger.kernel.org,
	linux-nfs@vger.kernel.org, linux-cifs@vger.kernel.org,
	linux-api@vger.kernel.org
Subject: [PATCH v27 07/21] richacl: Permission check algorithm
Date: Tue, 11 Oct 2016 14:50:42 +0200	[thread overview]
Message-ID: <1476190256-1677-8-git-send-email-agruenba@redhat.com> (raw)
In-Reply-To: <1476190256-1677-1-git-send-email-agruenba@redhat.com>

A richacl roughly grants a requested access if the NFSv4 acl in the
richacl grants the requested permissions according to the NFSv4
permission check algorithm and the file mask that applies to the process
includes the requested permissions.

Signed-off-by: Andreas Gruenbacher <agruenba@redhat.com>
Reviewed-by: J. Bruce Fields <bfields@fieldses.org>
Reviewed-by: Jeff Layton <jlayton@redhat.com>
---
 fs/richacl.c            | 128 ++++++++++++++++++++++++++++++++++++++++++++++++
 include/linux/richacl.h |   1 +
 2 files changed, 129 insertions(+)

diff --git a/fs/richacl.c b/fs/richacl.c
index 2072cf4..b7e96d0 100644
--- a/fs/richacl.c
+++ b/fs/richacl.c
@@ -175,3 +175,131 @@ richacl_want_to_mask(unsigned int want)
 		mask |= RICHACE_WRITE_DATA;
 	return mask;
 }
+
+/**
+ * richacl_permission  -  richacl permission check algorithm
+ * @inode:	inode to check
+ * @acl:	rich acl of the inode
+ * @want:	requested access (MAY_* flags)
+ *
+ * Checks if the current process is granted @want flags in @acl.
+ */
+int
+richacl_permission(struct inode *inode, const struct richacl *acl,
+		   int want)
+{
+	const struct richace *ace;
+	unsigned int mask = richacl_want_to_mask(want);
+	unsigned int requested = mask, denied = 0;
+	int in_owning_group = in_group_p(inode->i_gid);
+	int in_owner_or_group_class = in_owning_group;
+
+	/*
+	 * A process is
+	 *   - in the owner file class if it owns the file,
+	 *   - in the group file class if it is in the file's owning group or
+	 *     it matches any of the user or group entries, and
+	 *   - in the other file class otherwise.
+	 * The file class is only relevant for determining which file mask to
+	 * apply, which only happens for masked acls.
+	 */
+	if (acl->a_flags & RICHACL_MASKED) {
+		if ((acl->a_flags & RICHACL_WRITE_THROUGH) &&
+		    uid_eq(current_fsuid(), inode->i_uid)) {
+			denied = requested & ~acl->a_owner_mask;
+			goto out;
+		}
+	} else {
+		/*
+		 * When the acl is not masked, there is no need to determine if
+		 * the process is in the group class and we can break out
+		 * earlier of the loop below.
+		 */
+		in_owner_or_group_class = 1;
+	}
+
+	/*
+	 * Check if the acl grants the requested access and determine which
+	 * file class the process is in.
+	 */
+	richacl_for_each_entry(ace, acl) {
+		unsigned int ace_mask = ace->e_mask;
+
+		if (richace_is_inherit_only(ace))
+			continue;
+		if (richace_is_owner(ace)) {
+			if (!uid_eq(current_fsuid(), inode->i_uid))
+				continue;
+			goto entry_matches_owner;
+		} else if (richace_is_group(ace)) {
+			if (!in_owning_group)
+				continue;
+		} else if (richace_is_unix_user(ace)) {
+			if (!uid_eq(current_fsuid(), ace->e_id.uid))
+				continue;
+			if (uid_eq(current_fsuid(), inode->i_uid))
+				goto entry_matches_owner;
+		} else if (richace_is_unix_group(ace)) {
+			if (!in_group_p(ace->e_id.gid))
+				continue;
+		} else
+			goto entry_matches_everyone;
+
+		/*
+		 * Apply the group file mask to entries other than owner@ and
+		 * everyone@ or user entries matching the owner.  This ensures
+		 * that we grant the same permissions as the acl computed by
+		 * richacl_apply_masks().
+		 *
+		 * Without this restriction, the following richacl would grant
+		 * rw access to processes which are both the owner and in the
+		 * owning group, but not to other users in the owning group,
+		 * which could not be represented without masks:
+		 *
+		 *  owner:rw::mask
+		 *  group@:rw::allow
+		 */
+		if ((acl->a_flags & RICHACL_MASKED) && richace_is_allow(ace))
+			ace_mask &= acl->a_group_mask;
+
+entry_matches_owner:
+		/* The process is in the owner or group file class. */
+		in_owner_or_group_class = 1;
+
+entry_matches_everyone:
+		/* Check which mask flags the ACE allows or denies. */
+		if (richace_is_deny(ace))
+			denied |= ace_mask & mask;
+		mask &= ~ace_mask;
+
+		/*
+		 * Keep going until we know which file class
+		 * the process is in.
+		 */
+		if (!mask && in_owner_or_group_class)
+			break;
+	}
+	denied |= mask;
+
+	if (acl->a_flags & RICHACL_MASKED) {
+		/*
+		 * The file class a process is in determines which file mask
+		 * applies.  Check if that file mask also grants the requested
+		 * access.
+		 */
+		if (uid_eq(current_fsuid(), inode->i_uid))
+			denied |= requested & ~acl->a_owner_mask;
+		else if (in_owner_or_group_class)
+			denied |= requested & ~acl->a_group_mask;
+		else {
+			if (acl->a_flags & RICHACL_WRITE_THROUGH)
+				denied = requested & ~acl->a_other_mask;
+			else
+				denied |= requested & ~acl->a_other_mask;
+		}
+	}
+
+out:
+	return denied ? -EACCES : 0;
+}
+EXPORT_SYMBOL_GPL(richacl_permission);
diff --git a/include/linux/richacl.h b/include/linux/richacl.h
index 70923f8..beeec35 100644
--- a/include/linux/richacl.h
+++ b/include/linux/richacl.h
@@ -177,5 +177,6 @@ extern struct richacl *richacl_clone(const struct richacl *, gfp_t);
 extern void richace_copy(struct richace *, const struct richace *);
 extern int richacl_masks_to_mode(const struct richacl *);
 extern unsigned int richacl_mode_to_mask(umode_t);
+extern int richacl_permission(struct inode *, const struct richacl *, int);
 
 #endif /* __RICHACL_H */
-- 
2.7.4

  parent reply	other threads:[~2016-10-11 12:51 UTC|newest]

Thread overview: 31+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2016-10-11 12:50 [PATCH v27 00/21] Richacls (Core and Ext4) Andreas Gruenbacher
2016-10-11 12:50 ` [PATCH v27 01/21] vfs: Add IS_ACL() and IS_RICHACL() tests Andreas Gruenbacher
2016-10-11 12:50 ` [PATCH v27 02/21] vfs: Add MAY_CREATE_FILE and MAY_CREATE_DIR permission flags Andreas Gruenbacher
2016-12-02  9:22   ` Miklos Szeredi
2017-02-13 15:34     ` Andreas Gruenbacher
2016-10-11 12:50 ` [PATCH v27 03/21] vfs: Add MAY_DELETE_SELF and MAY_DELETE_CHILD " Andreas Gruenbacher
2016-12-02  9:57   ` Miklos Szeredi
2016-12-06 20:15     ` J. Bruce Fields
2016-12-06 21:13       ` Jeremy Allison
2016-12-06 21:25         ` Miklos Szeredi
2016-12-06 21:36           ` Jeremy Allison
2017-02-13 15:40           ` Andreas Gruenbacher
2017-02-13 15:42     ` Andreas Gruenbacher
2016-10-11 12:50 ` [PATCH v27 04/21] vfs: Add permission flags for setting file attributes Andreas Gruenbacher
2016-10-11 12:50 ` [PATCH v27 05/21] richacl: In-memory representation and helper functions Andreas Gruenbacher
2016-10-11 12:50 ` [PATCH v27 06/21] richacl: Permission mapping functions Andreas Gruenbacher
2016-10-11 12:50 ` Andreas Gruenbacher [this message]
2016-10-11 12:50 ` [PATCH v27 08/21] richacl: Compute maximum file masks from an acl Andreas Gruenbacher
2016-10-11 12:50 ` [PATCH v27 09/21] vfs: Cache base_acl objects in inodes Andreas Gruenbacher
2016-10-11 12:50 ` [PATCH v27 10/21] vfs: Add get_richacl and set_richacl inode operations Andreas Gruenbacher
2016-10-11 12:50 ` [PATCH v27 11/21] vfs: Cache richacl in struct inode Andreas Gruenbacher
2016-10-11 12:50 ` [PATCH v27 12/21] richacl: Update the file masks in chmod() Andreas Gruenbacher
2016-10-11 12:50 ` [PATCH v27 13/21] richacl: Check if an acl is equivalent to a file mode Andreas Gruenbacher
2016-10-11 12:50 ` [PATCH v27 14/21] richacl: Create-time inheritance Andreas Gruenbacher
2016-10-11 12:50 ` [PATCH v27 15/21] richacl: Automatic Inheritance Andreas Gruenbacher
2016-10-11 12:50 ` [PATCH v27 16/21] richacl: xattr mapping functions Andreas Gruenbacher
2016-10-11 12:50 ` [PATCH v27 17/21] richacl: Add richacl xattr handler Andreas Gruenbacher
2016-10-11 12:50 ` [PATCH v27 18/21] vfs: Add richacl permission checking Andreas Gruenbacher
2016-10-11 12:50 ` [PATCH v27 19/21] vfs: Move check_posix_acl and check_richacl out of fs/namei.c Andreas Gruenbacher
2016-10-11 12:50 ` [PATCH v27 20/21] ext4: Add richacl support Andreas Gruenbacher
2016-10-11 12:50 ` [PATCH v27 21/21] ext4: Add richacl feature flag Andreas Gruenbacher

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=1476190256-1677-8-git-send-email-agruenba@redhat.com \
    --to=agruenba@redhat.com \
    --cc=adilger.kernel@dilger.ca \
    --cc=anna.schumaker@netapp.com \
    --cc=bfields@fieldses.org \
    --cc=david@fromorbit.com \
    --cc=hch@infradead.org \
    --cc=jlayton@poochiereds.net \
    --cc=linux-api@vger.kernel.org \
    --cc=linux-cifs@vger.kernel.org \
    --cc=linux-ext4@vger.kernel.org \
    --cc=linux-fsdevel@vger.kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-nfs@vger.kernel.org \
    --cc=trond.myklebust@primarydata.com \
    --cc=tytso@mit.edu \
    --cc=viro@zeniv.linux.org.uk \
    --cc=xfs@oss.sgi.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).