From: "Aneesh Kumar K.V" <aneesh.kumar@linux.vnet.ibm.com> To: agruen@kernel.org, bfields@fieldses.org, akpm@linux-foundation.org, dhowells@redhat.com Cc: aneesh.kumar@linux.vnet.ibm.com, linux-fsdevel@vger.kernel.org, linux-nfs@vger.kernel.org, linux-kernel@vger.kernel.org Subject: [PATCH -V6 11/26] vfs: Add permission flags for setting file attributes Date: Mon, 5 Sep 2011 22:55:33 +0530 [thread overview] Message-ID: <1315243548-18664-12-git-send-email-aneesh.kumar@linux.vnet.ibm.com> (raw) In-Reply-To: <1315243548-18664-1-git-send-email-aneesh.kumar@linux.vnet.ibm.com> From: Andreas Gruenbacher <agruen@kernel.org> Some permission models can allow processes to take ownership of a file, change the file permissions, and set the file timestamps. Introduce new permission mask flags and check for those permissions in inode_change_ok(). Signed-off-by: Andreas Gruenbacher <agruen@kernel.org> Signed-off-by: Aneesh Kumar K.V <aneesh.kumar@linux.vnet.ibm.com> --- fs/attr.c | 70 +++++++++++++++++++++++++++++++++++++++++++-------- fs/namei.c | 2 +- include/linux/fs.h | 4 +++ 3 files changed, 64 insertions(+), 12 deletions(-) diff --git a/fs/attr.c b/fs/attr.c index f15e9e3..00578b9 100644 --- a/fs/attr.c +++ b/fs/attr.c @@ -14,6 +14,55 @@ #include <linux/fcntl.h> #include <linux/security.h> +static int richacl_change_ok(struct inode *inode, int mask) +{ + if (!IS_RICHACL(inode)) + return -EPERM; + + if (inode->i_op->permission) + return inode->i_op->permission(inode, mask); + + return check_acl(inode, mask); +} + +static bool inode_uid_change_ok(struct inode *inode, uid_t ia_uid) +{ + if (current_fsuid() == inode->i_uid && ia_uid == inode->i_uid) + return true; + if (current_fsuid() == ia_uid && + richacl_change_ok(inode, MAY_TAKE_OWNERSHIP) == 0) + return true; + if (capable(CAP_CHOWN)) + return true; + return false; +} + +static bool inode_gid_change_ok(struct inode *inode, gid_t ia_gid) +{ + int in_group = in_group_p(ia_gid); + if (current_fsuid() == inode->i_uid && + (in_group || ia_gid == inode->i_gid)) + return true; + if (in_group && richacl_change_ok(inode, MAY_TAKE_OWNERSHIP) == 0) + return true; + if (capable(CAP_CHOWN)) + return true; + return false; +} + +static bool inode_owner_permitted_or_capable(struct inode *inode, int mask) +{ + struct user_namespace *ns = inode_userns(inode); + + if (current_user_ns() == ns && current_fsuid() == inode->i_uid) + return true; + if (richacl_change_ok(inode, mask) == 0) + return true; + if (ns_capable(ns, CAP_FOWNER)) + return true; + return false; +} + /** * inode_change_ok - check if attribute changes to an inode are allowed * @inode: inode to check @@ -45,21 +94,20 @@ int inode_change_ok(struct inode *inode, struct iattr *attr) return 0; /* Make sure a caller can chown. */ - if ((ia_valid & ATTR_UID) && - (current_fsuid() != inode->i_uid || - attr->ia_uid != inode->i_uid) && !capable(CAP_CHOWN)) - return -EPERM; + if (ia_valid & ATTR_UID) { + if (!inode_uid_change_ok(inode, attr->ia_uid)) + return -EPERM; + } /* Make sure caller can chgrp. */ - if ((ia_valid & ATTR_GID) && - (current_fsuid() != inode->i_uid || - (!in_group_p(attr->ia_gid) && attr->ia_gid != inode->i_gid)) && - !capable(CAP_CHOWN)) - return -EPERM; + if (ia_valid & ATTR_GID) { + if (!inode_gid_change_ok(inode, attr->ia_gid)) + return -EPERM; + } /* Make sure a caller can chmod. */ if (ia_valid & ATTR_MODE) { - if (!inode_owner_or_capable(inode)) + if (!inode_owner_permitted_or_capable(inode, MAY_CHMOD)) return -EPERM; /* Also check the setgid bit! */ if (!in_group_p((ia_valid & ATTR_GID) ? attr->ia_gid : @@ -69,7 +117,7 @@ int inode_change_ok(struct inode *inode, struct iattr *attr) /* Check for setting the inode time. */ if (ia_valid & (ATTR_MTIME_SET | ATTR_ATIME_SET | ATTR_TIMES_SET)) { - if (!inode_owner_or_capable(inode)) + if (!inode_owner_permitted_or_capable(inode, MAY_SET_TIMES)) return -EPERM; } diff --git a/fs/namei.c b/fs/namei.c index eacb530..a4d61d1 100644 --- a/fs/namei.c +++ b/fs/namei.c @@ -174,7 +174,7 @@ void putname(const char *name) EXPORT_SYMBOL(putname); #endif -static int check_acl(struct inode *inode, int mask) +int check_acl(struct inode *inode, int mask) { #ifdef CONFIG_FS_POSIX_ACL struct posix_acl *acl; diff --git a/include/linux/fs.h b/include/linux/fs.h index 8afb054..8d5d6e4 100644 --- a/include/linux/fs.h +++ b/include/linux/fs.h @@ -71,6 +71,9 @@ struct inodes_stat_t { #define MAY_CREATE_DIR 0x00000200 #define MAY_DELETE_CHILD 0x00000400 #define MAY_DELETE_SELF 0x00000800 +#define MAY_TAKE_OWNERSHIP 0x00001000 +#define MAY_CHMOD 0x00002000 +#define MAY_SET_TIMES 0x00004000 /* * flags in file.f_mode. Note that FMODE_READ and FMODE_WRITE must correspond @@ -2234,6 +2237,7 @@ extern sector_t bmap(struct inode *, sector_t); extern int notify_change(struct dentry *, struct iattr *); extern int inode_permission(struct inode *, int); extern int generic_permission(struct inode *, int); +extern int check_acl(struct inode *, int); static inline bool execute_ok(struct inode *inode) { -- 1.7.4.1
WARNING: multiple messages have this Message-ID (diff)
From: "Aneesh Kumar K.V" <aneesh.kumar-23VcF4HTsmIX0ybBhKVfKdBPR1lH4CV8@public.gmane.org> To: agruen-DgEjT+Ai2ygdnm+yROfE0A@public.gmane.org, bfields-uC3wQj2KruNg9hUCZPvPmw@public.gmane.org, akpm-de/tnXTf+JLsfHDXvbKv3WD2FQJk+8+b@public.gmane.org, dhowells-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org Cc: aneesh.kumar-23VcF4HTsmIX0ybBhKVfKdBPR1lH4CV8@public.gmane.org, linux-fsdevel-u79uwXL29TY76Z2rM5mHXA@public.gmane.org, linux-nfs-u79uwXL29TY76Z2rM5mHXA@public.gmane.org, linux-kernel-u79uwXL29TY76Z2rM5mHXA@public.gmane.org Subject: [PATCH -V6 11/26] vfs: Add permission flags for setting file attributes Date: Mon, 5 Sep 2011 22:55:33 +0530 [thread overview] Message-ID: <1315243548-18664-12-git-send-email-aneesh.kumar@linux.vnet.ibm.com> (raw) In-Reply-To: <1315243548-18664-1-git-send-email-aneesh.kumar-23VcF4HTsmIX0ybBhKVfKdBPR1lH4CV8@public.gmane.org> From: Andreas Gruenbacher <agruen-DgEjT+Ai2ygdnm+yROfE0A@public.gmane.org> Some permission models can allow processes to take ownership of a file, change the file permissions, and set the file timestamps. Introduce new permission mask flags and check for those permissions in inode_change_ok(). Signed-off-by: Andreas Gruenbacher <agruen-DgEjT+Ai2ygdnm+yROfE0A@public.gmane.org> Signed-off-by: Aneesh Kumar K.V <aneesh.kumar-23VcF4HTsmIX0ybBhKVfKdBPR1lH4CV8@public.gmane.org> --- fs/attr.c | 70 +++++++++++++++++++++++++++++++++++++++++++-------- fs/namei.c | 2 +- include/linux/fs.h | 4 +++ 3 files changed, 64 insertions(+), 12 deletions(-) diff --git a/fs/attr.c b/fs/attr.c index f15e9e3..00578b9 100644 --- a/fs/attr.c +++ b/fs/attr.c @@ -14,6 +14,55 @@ #include <linux/fcntl.h> #include <linux/security.h> +static int richacl_change_ok(struct inode *inode, int mask) +{ + if (!IS_RICHACL(inode)) + return -EPERM; + + if (inode->i_op->permission) + return inode->i_op->permission(inode, mask); + + return check_acl(inode, mask); +} + +static bool inode_uid_change_ok(struct inode *inode, uid_t ia_uid) +{ + if (current_fsuid() == inode->i_uid && ia_uid == inode->i_uid) + return true; + if (current_fsuid() == ia_uid && + richacl_change_ok(inode, MAY_TAKE_OWNERSHIP) == 0) + return true; + if (capable(CAP_CHOWN)) + return true; + return false; +} + +static bool inode_gid_change_ok(struct inode *inode, gid_t ia_gid) +{ + int in_group = in_group_p(ia_gid); + if (current_fsuid() == inode->i_uid && + (in_group || ia_gid == inode->i_gid)) + return true; + if (in_group && richacl_change_ok(inode, MAY_TAKE_OWNERSHIP) == 0) + return true; + if (capable(CAP_CHOWN)) + return true; + return false; +} + +static bool inode_owner_permitted_or_capable(struct inode *inode, int mask) +{ + struct user_namespace *ns = inode_userns(inode); + + if (current_user_ns() == ns && current_fsuid() == inode->i_uid) + return true; + if (richacl_change_ok(inode, mask) == 0) + return true; + if (ns_capable(ns, CAP_FOWNER)) + return true; + return false; +} + /** * inode_change_ok - check if attribute changes to an inode are allowed * @inode: inode to check @@ -45,21 +94,20 @@ int inode_change_ok(struct inode *inode, struct iattr *attr) return 0; /* Make sure a caller can chown. */ - if ((ia_valid & ATTR_UID) && - (current_fsuid() != inode->i_uid || - attr->ia_uid != inode->i_uid) && !capable(CAP_CHOWN)) - return -EPERM; + if (ia_valid & ATTR_UID) { + if (!inode_uid_change_ok(inode, attr->ia_uid)) + return -EPERM; + } /* Make sure caller can chgrp. */ - if ((ia_valid & ATTR_GID) && - (current_fsuid() != inode->i_uid || - (!in_group_p(attr->ia_gid) && attr->ia_gid != inode->i_gid)) && - !capable(CAP_CHOWN)) - return -EPERM; + if (ia_valid & ATTR_GID) { + if (!inode_gid_change_ok(inode, attr->ia_gid)) + return -EPERM; + } /* Make sure a caller can chmod. */ if (ia_valid & ATTR_MODE) { - if (!inode_owner_or_capable(inode)) + if (!inode_owner_permitted_or_capable(inode, MAY_CHMOD)) return -EPERM; /* Also check the setgid bit! */ if (!in_group_p((ia_valid & ATTR_GID) ? attr->ia_gid : @@ -69,7 +117,7 @@ int inode_change_ok(struct inode *inode, struct iattr *attr) /* Check for setting the inode time. */ if (ia_valid & (ATTR_MTIME_SET | ATTR_ATIME_SET | ATTR_TIMES_SET)) { - if (!inode_owner_or_capable(inode)) + if (!inode_owner_permitted_or_capable(inode, MAY_SET_TIMES)) return -EPERM; } diff --git a/fs/namei.c b/fs/namei.c index eacb530..a4d61d1 100644 --- a/fs/namei.c +++ b/fs/namei.c @@ -174,7 +174,7 @@ void putname(const char *name) EXPORT_SYMBOL(putname); #endif -static int check_acl(struct inode *inode, int mask) +int check_acl(struct inode *inode, int mask) { #ifdef CONFIG_FS_POSIX_ACL struct posix_acl *acl; diff --git a/include/linux/fs.h b/include/linux/fs.h index 8afb054..8d5d6e4 100644 --- a/include/linux/fs.h +++ b/include/linux/fs.h @@ -71,6 +71,9 @@ struct inodes_stat_t { #define MAY_CREATE_DIR 0x00000200 #define MAY_DELETE_CHILD 0x00000400 #define MAY_DELETE_SELF 0x00000800 +#define MAY_TAKE_OWNERSHIP 0x00001000 +#define MAY_CHMOD 0x00002000 +#define MAY_SET_TIMES 0x00004000 /* * flags in file.f_mode. Note that FMODE_READ and FMODE_WRITE must correspond @@ -2234,6 +2237,7 @@ extern sector_t bmap(struct inode *, sector_t); extern int notify_change(struct dentry *, struct iattr *); extern int inode_permission(struct inode *, int); extern int generic_permission(struct inode *, int); +extern int check_acl(struct inode *, int); static inline bool execute_ok(struct inode *inode) { -- 1.7.4.1 -- To unsubscribe from this list: send the line "unsubscribe linux-nfs" in the body of a message to majordomo-u79uwXL29TY76Z2rM5mHXA@public.gmane.org More majordomo info at http://vger.kernel.org/majordomo-info.html
next prev parent reply other threads:[~2011-09-05 17:30 UTC|newest] Thread overview: 116+ messages / expand[flat|nested] mbox.gz Atom feed top 2011-09-05 17:25 [PATCH -V6 00/26] New ACL format for better NFSv4 acl interoperability Aneesh Kumar K.V 2011-09-05 17:25 ` [PATCH -V6 01/26] vfs: Indicate that the permission functions take all the MAY_* flags Aneesh Kumar K.V 2011-09-05 17:25 ` [PATCH -V6 02/26] vfs: Add hex format for MAY_* flag values Aneesh Kumar K.V 2011-09-05 17:25 ` [PATCH -V6 03/26] vfs: Pass all mask flags down to iop->check_acl Aneesh Kumar K.V 2011-09-05 17:25 ` [PATCH -V6 04/26] vfs: Add a comment to inode_permission() Aneesh Kumar K.V 2011-09-05 17:25 ` Aneesh Kumar K.V 2011-09-05 17:25 ` [PATCH -V6 05/26] vfs: Add generic IS_ACL() test for acl support Aneesh Kumar K.V 2011-09-05 17:25 ` Aneesh Kumar K.V 2011-09-05 17:25 ` [PATCH -V6 06/26] vfs: Add IS_RICHACL() test for richacl support Aneesh Kumar K.V 2011-09-05 17:25 ` Aneesh Kumar K.V 2011-09-05 17:25 ` [PATCH -V6 07/26] vfs: Optimize out IS_RICHACL() if CONFIG_FS_RICHACL is not defined Aneesh Kumar K.V 2011-09-05 17:25 ` [PATCH -V6 08/26] vfs: Add new file and directory create permission flags Aneesh Kumar K.V 2011-09-05 17:25 ` Aneesh Kumar K.V 2011-09-05 17:25 ` [PATCH -V6 09/26] vfs: Add delete child and delete self " Aneesh Kumar K.V 2011-09-07 20:39 ` J. Bruce Fields 2011-09-07 20:39 ` J. Bruce Fields 2011-09-08 9:30 ` Aneesh Kumar K.V 2011-09-08 20:07 ` J. Bruce Fields 2011-09-08 22:02 ` J. Bruce Fields 2011-09-09 5:19 ` Aneesh Kumar K.V 2011-09-09 5:19 ` Aneesh Kumar K.V 2011-09-09 5:25 ` Aneesh Kumar K.V 2011-09-09 12:02 ` J. Bruce Fields 2011-09-09 5:14 ` Aneesh Kumar K.V 2011-09-09 5:14 ` Aneesh Kumar K.V 2011-09-05 17:25 ` [PATCH -V6 10/26] vfs: Make the inode passed to inode_change_ok non-const Aneesh Kumar K.V 2011-09-07 20:43 ` J. Bruce Fields 2011-09-08 9:32 ` Aneesh Kumar K.V 2011-09-08 9:32 ` Aneesh Kumar K.V 2011-09-05 17:25 ` Aneesh Kumar K.V [this message] 2011-09-05 17:25 ` [PATCH -V6 11/26] vfs: Add permission flags for setting file attributes Aneesh Kumar K.V 2011-09-07 20:55 ` J. Bruce Fields 2011-09-08 9:36 ` Aneesh Kumar K.V 2011-09-08 20:08 ` J. Bruce Fields 2011-09-05 17:25 ` [PATCH -V6 12/26] vfs: Make acl_permission_check() work for richacls Aneesh Kumar K.V 2011-09-05 17:25 ` [PATCH -V6 13/26] richacl: In-memory representation and helper functions Aneesh Kumar K.V 2011-09-05 17:25 ` [PATCH -V6 14/26] richacl: Permission mapping functions Aneesh Kumar K.V 2011-09-05 17:25 ` Aneesh Kumar K.V 2011-09-07 21:24 ` J. Bruce Fields 2011-09-08 10:27 ` Aneesh Kumar K.V 2011-09-05 17:25 ` [PATCH -V6 15/26] richacl: Compute maximum file masks from an acl Aneesh Kumar K.V 2011-09-05 17:25 ` Aneesh Kumar K.V 2011-09-05 17:25 ` [PATCH -V6 16/26] richacl: Update the file masks in chmod() Aneesh Kumar K.V 2011-09-05 17:25 ` [PATCH -V6 17/26] richacl: Permission check algorithm Aneesh Kumar K.V 2011-09-07 21:50 ` J. Bruce Fields 2011-09-07 21:50 ` J. Bruce Fields 2011-09-08 10:34 ` Aneesh Kumar K.V 2011-09-08 10:34 ` Aneesh Kumar K.V 2011-09-05 17:25 ` [PATCH -V6 18/26] richacl: Create-time inheritance Aneesh Kumar K.V 2011-09-05 17:25 ` [PATCH -V6 19/26] richacl: Check if an acl is equivalent to a file mode Aneesh Kumar K.V 2011-09-05 17:25 ` Aneesh Kumar K.V 2011-09-05 17:25 ` [PATCH -V6 20/26] richacl: Automatic Inheritance Aneesh Kumar K.V 2011-09-07 21:56 ` J. Bruce Fields 2011-09-07 21:56 ` J. Bruce Fields 2011-09-05 17:25 ` [PATCH -V6 21/26] richacl: xattr mapping functions Aneesh Kumar K.V 2011-09-05 17:25 ` [PATCH -V6 22/26] vfs: Cache richacl in struct inode Aneesh Kumar K.V 2011-09-05 17:25 ` [PATCH -V6 23/26] vfs: Add richacl permission check Aneesh Kumar K.V 2011-09-05 17:25 ` Aneesh Kumar K.V 2011-09-05 17:25 ` [PATCH -V6 24/26] ext4: Use IS_POSIXACL() to check for POSIX ACL support Aneesh Kumar K.V 2011-09-05 17:25 ` [PATCH -V6 25/26] ext4: Implement rich acl for ext4 Aneesh Kumar K.V 2011-09-05 17:25 ` [PATCH -V6 26/26] ext4: Add temporary richacl mount option " Aneesh Kumar K.V 2011-09-05 17:25 ` Aneesh Kumar K.V 2011-09-05 22:42 ` [PATCH -V6 00/26] New ACL format for better NFSv4 acl interoperability Casey Schaufler 2011-09-05 22:42 ` Casey Schaufler 2011-09-08 0:46 ` Valdis.Kletnieks 2011-09-08 0:46 ` Valdis.Kletnieks-PjAqaU27lzQ 2011-09-12 21:34 ` Casey Schaufler 2011-09-12 22:20 ` J. Bruce Fields 2011-09-12 22:38 ` Casey Schaufler 2011-09-12 22:38 ` Casey Schaufler 2011-09-12 22:43 ` J. Bruce Fields 2011-09-12 23:23 ` Casey Schaufler 2011-09-12 23:53 ` J. Bruce Fields 2011-09-12 23:53 ` J. Bruce Fields 2011-09-13 4:41 ` Aneesh Kumar K.V 2011-09-13 4:41 ` Aneesh Kumar K.V 2011-09-13 18:12 ` Valdis.Kletnieks 2011-09-06 9:41 ` Steven Whitehouse 2011-09-06 13:58 ` Aneesh Kumar K.V 2011-09-06 13:58 ` Aneesh Kumar K.V 2011-09-07 20:18 ` J. Bruce Fields 2011-09-07 23:44 ` J. Bruce Fields 2011-09-08 10:40 ` Aneesh Kumar K.V 2011-09-08 10:40 ` Aneesh Kumar K.V 2011-09-09 10:02 ` [PATCH -V6 08/26] vfs: Add new file and directory create permission flags David Howells 2011-09-09 11:59 ` Aneesh Kumar K.V 2011-09-09 10:12 ` [PATCH -V6 09/26] vfs: Add delete child and delete self " David Howells 2011-09-09 10:12 ` David Howells 2011-09-09 11:55 ` Aneesh Kumar K.V 2011-09-09 11:55 ` Aneesh Kumar K.V 2011-09-09 10:36 ` [PATCH -V6 14/26] richacl: Permission mapping functions David Howells 2011-09-09 11:54 ` Aneesh Kumar K.V 2011-09-09 11:54 ` Aneesh Kumar K.V 2011-09-09 12:14 ` [PATCH -V6 18/26] richacl: Create-time inheritance David Howells 2011-09-09 12:14 ` David Howells 2011-09-09 12:37 ` [PATCH -V6 22/26] vfs: Cache richacl in struct inode David Howells 2011-09-09 12:37 ` David Howells 2011-09-09 12:45 ` [PATCH -V6 25/26] ext4: Implement rich acl for ext4 David Howells 2011-09-13 4:25 ` Aneesh Kumar K.V 2011-09-13 4:25 ` Aneesh Kumar K.V 2011-09-09 12:48 ` [PATCH -V6 00/26] New ACL format for better NFSv4 acl interoperability David Howells 2011-09-09 12:48 ` David Howells 2011-09-09 14:03 ` David Howells 2011-09-09 14:03 ` David Howells 2011-09-12 22:23 ` J. Bruce Fields 2011-09-12 22:23 ` J. Bruce Fields 2011-09-12 22:27 ` David Howells 2011-09-12 22:27 ` David Howells 2011-09-13 5:07 ` Aneesh Kumar K.V 2011-09-21 7:30 ` Aneesh Kumar K.V 2011-09-21 19:45 ` J. Bruce Fields 2011-09-21 19:45 ` J. Bruce Fields 2011-09-22 5:31 ` Aneesh Kumar K.V 2011-09-22 5:31 ` Aneesh Kumar K.V 2011-09-22 12:01 ` J. Bruce Fields 2011-09-22 12:01 ` J. Bruce Fields
Reply instructions: You may reply publicly to this message via plain-text email using any one of the following methods: * Save the following mbox file, import it into your mail client, and reply-to-all from there: mbox Avoid top-posting and favor interleaved quoting: https://en.wikipedia.org/wiki/Posting_style#Interleaved_style * Reply using the --to, --cc, and --in-reply-to switches of git-send-email(1): git send-email \ --in-reply-to=1315243548-18664-12-git-send-email-aneesh.kumar@linux.vnet.ibm.com \ --to=aneesh.kumar@linux.vnet.ibm.com \ --cc=agruen@kernel.org \ --cc=akpm@linux-foundation.org \ --cc=bfields@fieldses.org \ --cc=dhowells@redhat.com \ --cc=linux-fsdevel@vger.kernel.org \ --cc=linux-kernel@vger.kernel.org \ --cc=linux-nfs@vger.kernel.org \ /path/to/YOUR_REPLY https://kernel.org/pub/software/scm/git/docs/git-send-email.html * If your mail client supports setting the In-Reply-To header via mailto: links, try the mailto: linkBe sure your reply has a Subject: header at the top and a blank line before the message body.
This is an external index of several public inboxes, see mirroring instructions on how to clone and mirror all data and code used by this external index.