From: "Aneesh Kumar K.V" <aneesh.kumar@linux.vnet.ibm.com>
To: agruen@kernel.org, bfields@fieldses.org,
akpm@linux-foundation.org, viro@zeniv.linux.org.uk,
dhowells@redhat.com
Cc: aneesh.kumar@linux.vnet.ibm.com, linux-fsdevel@vger.kernel.org,
linux-nfs@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: [PATCH -V7 23/26] vfs: Add richacl permission check
Date: Tue, 18 Oct 2011 21:02:58 +0530 [thread overview]
Message-ID: <1318951981-5508-24-git-send-email-aneesh.kumar@linux.vnet.ibm.com> (raw)
In-Reply-To: <1318951981-5508-1-git-send-email-aneesh.kumar@linux.vnet.ibm.com>
From: "Aneesh Kumar K.V" <aneesh.kumar@linux.vnet.ibm.com>
Acked-by: David Howells <dhowells@redhat.com>
Signed-off-by: Aneesh Kumar K.V <aneesh.kumar@linux.vnet.ibm.com>
---
fs/attr.c | 6 +++-
fs/namei.c | 13 ++++++++++-
fs/richacl_base.c | 54 +++++++++++++++++++++++++++++++++++++++++++++++
include/linux/fs.h | 2 +-
include/linux/richacl.h | 2 +
5 files changed, 73 insertions(+), 4 deletions(-)
diff --git a/fs/attr.c b/fs/attr.c
index 00578b9..2b445ba 100644
--- a/fs/attr.c
+++ b/fs/attr.c
@@ -13,6 +13,7 @@
#include <linux/fsnotify.h>
#include <linux/fcntl.h>
#include <linux/security.h>
+#include <linux/richacl.h>
static int richacl_change_ok(struct inode *inode, int mask)
{
@@ -21,8 +22,9 @@ static int richacl_change_ok(struct inode *inode, int mask)
if (inode->i_op->permission)
return inode->i_op->permission(inode, mask);
-
- return check_acl(inode, mask);
+ if (inode->i_op->get_richacl)
+ return check_richacl(inode, mask);
+ return -EPERM;
}
static bool inode_uid_change_ok(struct inode *inode, uid_t ia_uid)
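Review bot: The new tail of richacl_change_ok() returns whatever check_richacl() yields, and in this patch that includes -EAGAIN when the inode has no richacl cached or CONFIG_FS_RICHACL is off. The callers are outside this hunk, so it is worth confirming that they treat every non-zero value as a denial and that -EAGAIN cannot reach user space as the result of a setattr call. If "no ACL decision" is meant to be a denial here, make it explicit, for example `error = check_richacl(inode, mask);` followed by `return error == -EAGAIN ? -EPERM : error;`. This path also keys on `inode->i_op->get_richacl` while the dispatcher added in fs/namei.c keys on `IS_RICHACL(inode)`; using one test in both places would keep the two permission paths from disagreeing. The function body starts outside the hunk.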
diff --git a/fs/namei.c b/fs/namei.c
index 0c28f95..5d8f21e 100644
--- a/fs/namei.c
+++ b/fs/namei.c
@@ -33,6 +33,7 @@
#include <linux/device_cgroup.h>
#include <linux/fs_struct.h>
#include <linux/posix_acl.h>
+#include <linux/richacl.h>
#include <asm/uaccess.h>
#include "internal.h"
@@ -174,7 +175,7 @@ void putname(const char *name)
EXPORT_SYMBOL(putname);
#endif
-int check_acl(struct inode *inode, int mask)
+static int check_posix_acl(struct inode *inode, int mask)
{
#ifdef CONFIG_FS_POSIX_ACL
struct posix_acl *acl;
@@ -220,6 +221,16 @@ int check_acl(struct inode *inode, int mask)
return -EAGAIN;
}
+static int check_acl(struct inode *inode, int mask)
+{
+ if (IS_POSIXACL(inode))
+ return check_posix_acl(inode, mask);
+ else if (IS_RICHACL(inode))
+ return check_richacl(inode, mask);
+ else
+ return -EAGAIN;
+}
+
/*
* This does the basic permission checking
*/
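Review bot: The new check_acl() dispatcher has no comment saying what its -EAGAIN return means or why IS_POSIXACL() is tested before IS_RICHACL(). Since this is the point where the ACL model for a permission decision is chosen, I would put a short comment above it, such as `/* Pick the ACL model enabled on this inode; -EAGAIN means no ACL verdict, caller falls back to the mode bits. */`. The caller is outside the hunk, so confirm the fallback wording against it. As a style point, the `else` after each `return` is redundant and kernel style usually drops it.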
diff --git a/fs/richacl_base.c b/fs/richacl_base.c
index bde2eea..9a57039 100644
--- a/fs/richacl_base.c
+++ b/fs/richacl_base.c
@@ -622,3 +622,57 @@ richacl_equiv_mode(const struct richacl *acl, mode_t *mode_p)
return 0;
}
EXPORT_SYMBOL_GPL(richacl_equiv_mode);
+
+int check_richacl(struct inode *inode, int want)
+{
+#ifdef CONFIG_FS_RICHACL
+ struct richacl *acl;
+ int richacl_mask = richacl_want_to_mask(want);
+
+ if (want & MAY_NOT_BLOCK) {
+ acl = rcu_dereference(inode->i_richacl);
+ if (!acl)
+ return -EAGAIN;
+ /* no ->get_acl() calls in RCU mode... */
+ if (acl == ACL_NOT_CACHED)
+ return -ECHILD;
+ return richacl_permission(inode, acl, richacl_mask);
+ }
+ return richacl_check_acl(inode, richacl_mask);
+#endif
+ return -EAGAIN;
+}
+
+int richacl_check_acl(struct inode *inode, int richacl_mask)
+{
+
+#ifdef CONFIG_FS_RICHACL
+ struct richacl *acl;
+ acl = get_cached_richacl(inode);
+ /*
+ * A filesystem can force a ACL callback by just never filling the
+ * ACL cache. But normally you'd fill the cache either at inode
+ * instantiation time, or on the first ->get_acl call.
+ *
+ * If the filesystem doesn't have a get_acl() function at all, we'll
+ * just create the negative cache entry.
+ */
+ if (acl == ACL_NOT_CACHED) {
+ if (inode->i_op->get_acl) {
+ acl = inode->i_op->get_richacl(inode);
+ if (IS_ERR(acl))
+ return PTR_ERR(acl);
+ } else {
+ set_cached_richacl(inode, NULL);
+ return -EAGAIN;
+ }
+ }
+ if (acl) {
+ int error = richacl_permission(inode, acl, richacl_mask);
+ richacl_put(acl);
+ return error;
+ }
+#endif
+ return -EAGAIN;
+}
+EXPORT_SYMBOL_GPL(richacl_check_acl);
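Review bot: In richacl_check_acl() the cache-miss branch tests `inode->i_op->get_acl` but then calls `inode->i_op->get_richacl(inode)`, so the guard does not cover the pointer that is actually called. A filesystem that sets get_acl without get_richacl would call through a NULL pointer here. One that sets only get_richacl would get a negative cache entry and -EAGAIN, so its richacl would not be consulted on this path. The test should be `if (inode->i_op->get_richacl) {`, and the comment above it should name get_richacl() instead of get_acl().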
diff --git a/include/linux/fs.h b/include/linux/fs.h
index 771955c..e01bad7 100644
--- a/include/linux/fs.h
+++ b/include/linux/fs.h
@@ -1624,6 +1624,7 @@ struct inode_operations {
void * (*follow_link) (struct dentry *, struct nameidata *);
int (*permission) (struct inode *, int);
struct posix_acl * (*get_acl)(struct inode *, int);
+ struct richacl * (*get_richacl)(struct inode *);
int (*readlink) (struct dentry *, char __user *,int);
void (*put_link) (struct dentry *, struct nameidata *, void *);
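Review bot: The new `get_richacl` member is added with no statement of its contract, and unlike `get_acl` on the line above it takes no type argument. From richacl_check_acl() in this same patch, callers appear to expect a referenced acl that they release with richacl_put(), an ERR_PTR() on failure and NULL when the inode has none, and check_richacl() avoids calling it when MAY_NOT_BLOCK is set. I would record that next to the member, for example `/* may block; returns a referenced richacl, NULL if none, or ERR_PTR(); caller does richacl_put() */`, after confirming it against the filesystem implementation later in the series. The struct definition starts and ends outside the hunk.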
@@ -2243,7 +2244,6 @@ extern sector_t bmap(struct inode *, sector_t);
extern int notify_change(struct dentry *, struct iattr *);
extern int inode_permission(struct inode *, int);
extern int generic_permission(struct inode *, int);
-extern int check_acl(struct inode *, int);
static inline bool execute_ok(struct inode *inode)
{
diff --git a/include/linux/richacl.h b/include/linux/richacl.h
index 694b7dc..4af6d22 100644
--- a/include/linux/richacl.h
+++ b/include/linux/richacl.h
@@ -367,6 +367,8 @@ extern int richacl_permission(struct inode *, const struct richacl *,
unsigned int);
extern struct richacl *richacl_inherit(const struct richacl *, int);
extern int richacl_equiv_mode(const struct richacl *, mode_t *);
+extern int check_richacl(struct inode *, int);
+extern int richacl_check_acl(struct inode *, int);
/* richacl_inode.c */
extern struct richacl *richacl_inherit_inode(const struct richacl *,
--
1.7.5.4