From mboxrd@z Thu Jan 1 00:00:00 1970 
From: Jeff Layton
Subject: Re: [PATCH v23 05/22] vfs: Add permission flags for setting file attributes
Date: Tue, 05 Jul 2016 07:18:41 -0400
Message-ID: <1467717521.3800.11.camel@redhat.com>
References: <1467294433-3222-1-git-send-email-agruenba@redhat.com> <1467294433-3222-6-git-send-email-agruenba@redhat.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
Return-path:
In-Reply-To: <1467294433-3222-6-git-send-email-agruenba@redhat.com>
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
Errors-To: xfs-bounces@oss.sgi.com
Sender: xfs-bounces@oss.sgi.com
To: Andreas Gruenbacher, Alexander Viro
Cc: "J. Bruce Fields", linux-nfs@vger.kernel.org, Theodore Ts'o, linux-cifs@vger.kernel.org, linux-api@vger.kernel.org, Trond Myklebust, linux-kernel@vger.kernel.org, xfs@oss.sgi.com, Christoph Hellwig, Andreas Dilger, linux-fsdevel@vger.kernel.org, linux-ext4@vger.kernel.org, Anna Schumaker
List-Id: linux-api@vger.kernel.org

From mboxrd@z Thu Jan 1 00:00:00 1970
Return-Path:
Received: from mail-qk0-f178.google.com ([209.85.220.178]:36385 "EHLO mail-qk0-f178.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1755033AbcGELSp (ORCPT ); Tue, 5 Jul 2016 07:18:45 -0400
Received: by mail-qk0-f178.google.com with SMTP id u68so8690420qkc.3 for ; Tue, 05 Jul 2016 04:18:44 -0700 (PDT)
Message-ID: <1467717521.3800.11.camel@redhat.com>
Subject: Re: [PATCH v23 05/22] vfs: Add permission flags for setting file attributes
From: Jeff Layton
To: Andreas Gruenbacher, Alexander Viro
Cc: Christoph Hellwig, "Theodore Ts'o", Andreas Dilger, "J. Bruce Fields", Trond Myklebust, Anna Schumaker, Dave Chinner, linux-ext4@vger.kernel.org, xfs@oss.sgi.com, linux-kernel@vger.kernel.org, linux-fsdevel@vger.kernel.org, linux-nfs@vger.kernel.org, linux-cifs@vger.kernel.org, linux-api@vger.kernel.org
Date: Tue, 05 Jul 2016 07:18:41 -0400
In-Reply-To: <1467294433-3222-6-git-send-email-agruenba@redhat.com>
References: <1467294433-3222-1-git-send-email-agruenba@redhat.com> <1467294433-3222-6-git-send-email-agruenba@redhat.com>
Content-Type: text/plain; charset="UTF-8"
Mime-Version: 1.0
Sender: linux-nfs-owner@vger.kernel.org
List-ID:

On Thu, 2016-06-30 at 15:46 +0200, Andreas Gruenbacher wrote:
> Richacls support permissions that allow to take ownership of a file,
> change the file permissions, and set the file timestamps.  Support that
> by introducing new permission mask flags and by checking for those mask
> flags in inode_change_ok().
>
> Signed-off-by: Andreas Gruenbacher
> Reviewed-by: J. Bruce Fields
> Reviewed-by: Steve French
> ---
>  fs/attr.c          | 79 +++++++++++++++++++++++++++++++++++++++++++++---------
>  include/linux/fs.h |  3 +++
>  2 files changed, 70 insertions(+), 12 deletions(-)
> > diff --git a/fs/attr.c b/fs/attr.c > index 7ca7fa0..2a8c49c 100644 > --- a/fs/attr.c > +++ b/fs/attr.c 
> @@ -17,6 +17,65 @@ >  #include >   >  /** > + * inode_extended_permission  -  permissions beyond read/write/execute > + * > + * Check for permissions that only richacls can currently grant. > + */ > +static int inode_extended_permission(struct inode *inode, int mask) > +{ > + if (!IS_RICHACL(inode)) > + return -EPERM; > + return inode_permission(inode, mask); > +} > + > +static bool inode_uid_change_ok(struct inode *inode, kuid_t ia_uid) > +{ > + if (uid_eq(current_fsuid(), inode->i_uid) && > +     uid_eq(ia_uid, inode->i_uid)) > + return true; > + if (uid_eq(current_fsuid(), ia_uid) && > +     inode_extended_permission(inode, MAY_TAKE_OWNERSHIP) == 0) > + return true; > + if (capable_wrt_inode_uidgid(inode, CAP_CHOWN)) > + return true; > + return false; > +} > + > +static bool inode_gid_change_ok(struct inode *inode, kgid_t ia_gid) > +{ > + int in_group = in_group_p(ia_gid); > + if (uid_eq(current_fsuid(), inode->i_uid) && > +     (in_group || gid_eq(ia_gid, inode->i_gid))) > + return true; > + if (in_group && inode_extended_permission(inode, MAY_TAKE_OWNERSHIP) == 0) > + return true; > + if (capable_wrt_inode_uidgid(inode, CAP_CHOWN)) > + return true; > + return false; > +} > + > +/** > + * inode_owner_permitted_or_capable > + * > + * Check for permissions implicitly granted to the owner, like MAY_CHMOD or > + * MAY_SET_TIMES.  Equivalent to inode_owner_or_capable for file systems > + * without support for those permissions. 
> + */ > +static bool inode_owner_permitted_or_capable(struct inode *inode, int mask) > +{ > + struct user_namespace *ns; > + > + if (uid_eq(current_fsuid(), inode->i_uid)) > + return true; > + if (inode_extended_permission(inode, mask) == 0) > + return true; > + ns = current_user_ns(); > + if (ns_capable(ns, CAP_FOWNER) && kuid_has_mapping(ns, inode->i_uid)) > + return true; > + return false; > +} > + > +/** >   * inode_change_ok - check if attribute changes to an inode are allowed >   * @inode: inode to check >   * @attr: attributes to change > @@ -47,22 +106,18 @@ int inode_change_ok(struct inode *inode, struct iattr *attr) >   return 0; >   >   /* Make sure a caller can chown. */ > - if ((ia_valid & ATTR_UID) && > -     (!uid_eq(current_fsuid(), inode->i_uid) || > -      !uid_eq(attr->ia_uid, inode->i_uid)) && > -     !capable_wrt_inode_uidgid(inode, CAP_CHOWN)) > - return -EPERM; > + if (ia_valid & ATTR_UID) > + if (!inode_uid_change_ok(inode, attr->ia_uid)) > + return -EPERM; >   >   /* Make sure caller can chgrp. */ > - if ((ia_valid & ATTR_GID) && > -     (!uid_eq(current_fsuid(), inode->i_uid) || > -     (!in_group_p(attr->ia_gid) && !gid_eq(attr->ia_gid, inode->i_gid))) && > -     !capable_wrt_inode_uidgid(inode, CAP_CHOWN)) > - return -EPERM; > + if (ia_valid & ATTR_GID) > + if (!inode_gid_change_ok(inode, attr->ia_gid)) > + return -EPERM; >   >   /* Make sure a caller can chmod. */ >   if (ia_valid & ATTR_MODE) { > - if (!inode_owner_or_capable(inode)) > + if (!inode_owner_permitted_or_capable(inode, MAY_CHMOD)) >   return -EPERM; >   /* Also check the setgid bit! */ >   if (!in_group_p((ia_valid & ATTR_GID) ? attr->ia_gid : 
> @@ -73,7 +128,7 @@ int inode_change_ok(struct inode *inode, struct iattr *attr) >   >   /* Check for setting the inode time. */ >   if (ia_valid & (ATTR_MTIME_SET | ATTR_ATIME_SET | ATTR_TIMES_SET)) { > - if (!inode_owner_or_capable(inode)) > + if (!inode_owner_permitted_or_capable(inode, MAY_SET_TIMES)) >   return -EPERM; >   } >   > diff --git a/include/linux/fs.h b/include/linux/fs.h > index 208f73b..bb36561 100644 > --- a/include/linux/fs.h > +++ b/include/linux/fs.h > @@ -88,6 +88,9 @@ typedef int (dio_iodone_t)(struct kiocb *iocb, loff_t offset, >  #define MAY_CREATE_DIR 0x00000200 >  #define MAY_DELETE_CHILD 0x00000400 >  #define MAY_DELETE_SELF 0x00000800 > +#define MAY_TAKE_OWNERSHIP 0x00001000 > +#define MAY_CHMOD 0x00002000 > +#define MAY_SET_TIMES 0x00004000 >   >  /* >   * flags in file.f_mode.  Note that FMODE_READ and FMODE_WRITE must correspond Reviewed-by: Jeff Layton
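
Review bot: In the first fs/attr.c hunk, inode_owner_permitted_or_capable() open-codes the owner and CAP_FOWNER tests even though its comment calls it equivalent to inode_owner_or_capable() where the extended permissions are unsupported. If the two are meant to stay in step, either call inode_owner_or_capable(inode) and fall back to inode_extended_permission(inode, mask), or say in the comment why the richacl check has to sit between the owner test and ns_capable(). In the same hunk, inode_uid_change_ok() and inode_gid_change_ok() carry the whole chown and chgrp policy without any comment, and the two kernel-doc blocks have no @inode or @mask descriptions and no statement of the return value.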
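
Review bot: In the second fs/attr.c hunk (inode_change_ok), the ATTR_UID and ATTR_GID checks become nested ifs with no braces on the outer statement. A single condition such as `if ((ia_valid & ATTR_UID) && !inode_uid_change_ok(inode, attr->ia_uid))` stays closer to the shape of the code being replaced and removes the dangling-else hazard if another branch is added to either check later; the same applies to the ATTR_GID test with inode_gid_change_ok().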
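
Review bot: In the include/linux/fs.h hunk, MAY_TAKE_OWNERSHIP, MAY_CHMOD and MAY_SET_TIMES are added without a comment, while the only IS_RICHACL() guard in front of them is the static inode_extended_permission() in fs/attr.c. A short comment above the three defines, saying that they are meaningful only on richacl inodes and are expected to be checked through that helper rather than passed to inode_permission() directly, would keep later callers from using them where nothing can grant them.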