From: "J. Bruce Fields" <bfields@fieldses.org>
To: "Aneesh Kumar K.V" <aneesh.kumar@linux.vnet.ibm.com>
Cc: agruen@kernel.org, akpm@linux-foundation.org,
dhowells@redhat.com, linux-fsdevel@vger.kernel.org,
linux-nfs@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH -V6 17/26] richacl: Permission check algorithm
Date: Wed, 7 Sep 2011 17:50:22 -0400 [thread overview]
Message-ID: <20110907215022.GI8074@fieldses.org> (raw)
In-Reply-To: <1315243548-18664-18-git-send-email-aneesh.kumar@linux.vnet.ibm.com>
On Mon, Sep 05, 2011 at 10:55:39PM +0530, Aneesh Kumar K.V wrote:
> From: Andreas Gruenbacher <agruen@kernel.org>
>
> As in the standard POSIX file permission model, each process is the
> owner, group, or other file class. A process is
>
> - in the owner file class if it owns the file,
> - in the group file class if it is in the file's owning group or it
> matches any of the user or group entries, and
> - in the other file class otherwise.
>
> Each file class is associated with a file mask.
>
> A richacl grants a requested access if the NFSv4 acl in the richacl
> grants the requested permissions (according to the NFSv4 permission
> check algorithm) and the file mask that applies to the process includes
> the requested permissions.
I assume that by default any ui normally recalculates an upper-bound
mask automatically when you add an ace, as the posix setfacl does, so
the user doesn't have to think about masks too much?
Patch looks right.
--b.
>
> Signed-off-by: Andreas Gruenbacher <agruen@kernel.org>
> Signed-off-by: Aneesh Kumar K.V <aneesh.kumar@linux.vnet.ibm.com>
> ---
> fs/richacl_base.c | 99 +++++++++++++++++++++++++++++++++++++++++++++++
> include/linux/richacl.h | 2 +
> 2 files changed, 101 insertions(+), 0 deletions(-)
>
> diff --git a/fs/richacl_base.c b/fs/richacl_base.c
> index 60a65d7..1f885ad 100644
> --- a/fs/richacl_base.c
> +++ b/fs/richacl_base.c
> @@ -393,3 +393,102 @@ richacl_chmod(struct richacl *acl, mode_t mode)
> return clone;
> }
> EXPORT_SYMBOL_GPL(richacl_chmod);
> +
> +/**
> + * richacl_permission - richacl permission check algorithm
> + * @inode: inode to check
> + * @acl: rich acl of the inode
> + * @mask: requested access (ACE4_* bitmask)
> + *
> + * Checks if the current process is granted @mask flags in @acl.
> + */
> +int
> +richacl_permission(struct inode *inode, const struct richacl *acl,
> + unsigned int mask)
> +{
> + const struct richace *ace;
> + unsigned int requested = mask, denied = 0;
> + int in_owning_group = in_group_p(inode->i_gid);
> + int in_owner_or_group_class = in_owning_group;
> +
> + /*
> + * We don't need to know which class the process is in when the acl is
> + * not masked.
> + */
> + if (!(acl->a_flags & ACL4_MASKED))
> + in_owner_or_group_class = 1;
> +
> + /*
> + * A process is
> + * - in the owner file class if it owns the file,
> + * - in the group file class if it is in the file's owning group or
> + * it matches any of the user or group entries, and
> + * - in the other file class otherwise.
> + */
> +
> + /*
> + * Check if the acl grants the requested access and determine which
> + * file class the process is in.
> + */
> + richacl_for_each_entry(ace, acl) {
> + unsigned int ace_mask = ace->e_mask;
> +
> + if (richace_is_inherit_only(ace))
> + continue;
> + if (richace_is_owner(ace)) {
> + if (current_fsuid() != inode->i_uid)
> + continue;
> + goto is_owner;
> + } else if (richace_is_group(ace)) {
> + if (!in_owning_group)
> + continue;
> + } else if (richace_is_unix_id(ace)) {
> + if (ace->e_flags & ACE4_IDENTIFIER_GROUP) {
> + if (!in_group_p(ace->u.e_id))
> + continue;
> + } else {
> + if (current_fsuid() != ace->u.e_id)
> + continue;
> + }
> + } else
> + goto is_everyone;
> +
> +is_owner:
> + /* The process is in the owner or group file class. */
> + in_owner_or_group_class = 1;
> +
> +is_everyone:
> + /* Check which mask flags the ACE allows or denies. */
> + if (richace_is_deny(ace))
> + denied |= ace_mask & mask;
> + mask &= ~ace_mask;
> +
> + /*
> + * Keep going until we know which file class
> + * the process is in.
> + */
> + if (!mask && in_owner_or_group_class)
> + break;
> + }
> + denied |= mask;
> +
> + if (acl->a_flags & ACL4_MASKED) {
> + unsigned int file_mask;
> +
> + /*
> + * The file class a process is in determines which file mask
> + * applies. Check if that file mask also grants the requested
> + * access.
> + */
> + if (current_fsuid() == inode->i_uid)
> + file_mask = acl->a_owner_mask;
> + else if (in_owner_or_group_class)
> + file_mask = acl->a_group_mask;
> + else
> + file_mask = acl->a_other_mask;
> + denied |= requested & ~file_mask;
> + }
> +
> + return denied ? -EACCES : 0;
> +}
> +EXPORT_SYMBOL_GPL(richacl_permission);
> diff --git a/include/linux/richacl.h b/include/linux/richacl.h
> index 6dd8eb2..f46e797 100644
> --- a/include/linux/richacl.h
> +++ b/include/linux/richacl.h
> @@ -289,5 +289,7 @@ extern unsigned int richacl_mode_to_mask(mode_t);
> extern unsigned int richacl_want_to_mask(int);
> extern void richacl_compute_max_masks(struct richacl *);
> extern struct richacl *richacl_chmod(struct richacl *, mode_t);
> +extern int richacl_permission(struct inode *, const struct richacl *,
> + unsigned int);
>
> #endif /* __RICHACL_H */
> --
> 1.7.4.1
>
WARNING: multiple messages have this Message-ID (diff)
From: "J. Bruce Fields" <bfields-uC3wQj2KruNg9hUCZPvPmw@public.gmane.org>
To: "Aneesh Kumar K.V"
<aneesh.kumar-23VcF4HTsmIX0ybBhKVfKdBPR1lH4CV8@public.gmane.org>
Cc: agruen-DgEjT+Ai2ygdnm+yROfE0A@public.gmane.org,
akpm-de/tnXTf+JLsfHDXvbKv3WD2FQJk+8+b@public.gmane.org,
dhowells-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org,
linux-fsdevel-u79uwXL29TY76Z2rM5mHXA@public.gmane.org,
linux-nfs-u79uwXL29TY76Z2rM5mHXA@public.gmane.org,
linux-kernel-u79uwXL29TY76Z2rM5mHXA@public.gmane.org
Subject: Re: [PATCH -V6 17/26] richacl: Permission check algorithm
Date: Wed, 7 Sep 2011 17:50:22 -0400 [thread overview]
Message-ID: <20110907215022.GI8074@fieldses.org> (raw)
In-Reply-To: <1315243548-18664-18-git-send-email-aneesh.kumar-23VcF4HTsmIX0ybBhKVfKdBPR1lH4CV8@public.gmane.org>
On Mon, Sep 05, 2011 at 10:55:39PM +0530, Aneesh Kumar K.V wrote:
> From: Andreas Gruenbacher <agruen-DgEjT+Ai2ygdnm+yROfE0A@public.gmane.org>
>
> As in the standard POSIX file permission model, each process is the
> owner, group, or other file class. A process is
>
> - in the owner file class if it owns the file,
> - in the group file class if it is in the file's owning group or it
> matches any of the user or group entries, and
> - in the other file class otherwise.
>
> Each file class is associated with a file mask.
>
> A richacl grants a requested access if the NFSv4 acl in the richacl
> grants the requested permissions (according to the NFSv4 permission
> check algorithm) and the file mask that applies to the process includes
> the requested permissions.
I assume that by default any ui normally recalculates an upper-bound
mask automatically when you add an ace, as the posix setfacl does, so
the user doesn't have to think about masks too much?
Patch looks right.
--b.
>
> Signed-off-by: Andreas Gruenbacher <agruen-DgEjT+Ai2ygdnm+yROfE0A@public.gmane.org>
> Signed-off-by: Aneesh Kumar K.V <aneesh.kumar-23VcF4HTsmIX0ybBhKVfKdBPR1lH4CV8@public.gmane.org>
> ---
> fs/richacl_base.c | 99 +++++++++++++++++++++++++++++++++++++++++++++++
> include/linux/richacl.h | 2 +
> 2 files changed, 101 insertions(+), 0 deletions(-)
>
> diff --git a/fs/richacl_base.c b/fs/richacl_base.c
> index 60a65d7..1f885ad 100644
> --- a/fs/richacl_base.c
> +++ b/fs/richacl_base.c
> @@ -393,3 +393,102 @@ richacl_chmod(struct richacl *acl, mode_t mode)
> return clone;
> }
> EXPORT_SYMBOL_GPL(richacl_chmod);
> +
> +/**
> + * richacl_permission - richacl permission check algorithm
> + * @inode: inode to check
> + * @acl: rich acl of the inode
> + * @mask: requested access (ACE4_* bitmask)
> + *
> + * Checks if the current process is granted @mask flags in @acl.
> + */
> +int
> +richacl_permission(struct inode *inode, const struct richacl *acl,
> + unsigned int mask)
> +{
> + const struct richace *ace;
> + unsigned int requested = mask, denied = 0;
> + int in_owning_group = in_group_p(inode->i_gid);
> + int in_owner_or_group_class = in_owning_group;
> +
> + /*
> + * We don't need to know which class the process is in when the acl is
> + * not masked.
> + */
> + if (!(acl->a_flags & ACL4_MASKED))
> + in_owner_or_group_class = 1;
> +
> + /*
> + * A process is
> + * - in the owner file class if it owns the file,
> + * - in the group file class if it is in the file's owning group or
> + * it matches any of the user or group entries, and
> + * - in the other file class otherwise.
> + */
> +
> + /*
> + * Check if the acl grants the requested access and determine which
> + * file class the process is in.
> + */
> + richacl_for_each_entry(ace, acl) {
> + unsigned int ace_mask = ace->e_mask;
> +
> + if (richace_is_inherit_only(ace))
> + continue;
> + if (richace_is_owner(ace)) {
> + if (current_fsuid() != inode->i_uid)
> + continue;
> + goto is_owner;
> + } else if (richace_is_group(ace)) {
> + if (!in_owning_group)
> + continue;
> + } else if (richace_is_unix_id(ace)) {
> + if (ace->e_flags & ACE4_IDENTIFIER_GROUP) {
> + if (!in_group_p(ace->u.e_id))
> + continue;
> + } else {
> + if (current_fsuid() != ace->u.e_id)
> + continue;
> + }
> + } else
> + goto is_everyone;
> +
> +is_owner:
> + /* The process is in the owner or group file class. */
> + in_owner_or_group_class = 1;
> +
> +is_everyone:
> + /* Check which mask flags the ACE allows or denies. */
> + if (richace_is_deny(ace))
> + denied |= ace_mask & mask;
> + mask &= ~ace_mask;
> +
> + /*
> + * Keep going until we know which file class
> + * the process is in.
> + */
> + if (!mask && in_owner_or_group_class)
> + break;
> + }
> + denied |= mask;
> +
> + if (acl->a_flags & ACL4_MASKED) {
> + unsigned int file_mask;
> +
> + /*
> + * The file class a process is in determines which file mask
> + * applies. Check if that file mask also grants the requested
> + * access.
> + */
> + if (current_fsuid() == inode->i_uid)
> + file_mask = acl->a_owner_mask;
> + else if (in_owner_or_group_class)
> + file_mask = acl->a_group_mask;
> + else
> + file_mask = acl->a_other_mask;
> + denied |= requested & ~file_mask;
> + }
> +
> + return denied ? -EACCES : 0;
> +}
> +EXPORT_SYMBOL_GPL(richacl_permission);
> diff --git a/include/linux/richacl.h b/include/linux/richacl.h
> index 6dd8eb2..f46e797 100644
> --- a/include/linux/richacl.h
> +++ b/include/linux/richacl.h
> @@ -289,5 +289,7 @@ extern unsigned int richacl_mode_to_mask(mode_t);
> extern unsigned int richacl_want_to_mask(int);
> extern void richacl_compute_max_masks(struct richacl *);
> extern struct richacl *richacl_chmod(struct richacl *, mode_t);
> +extern int richacl_permission(struct inode *, const struct richacl *,
> + unsigned int);
>
> #endif /* __RICHACL_H */
> --
> 1.7.4.1
>
--
To unsubscribe from this list: send the line "unsubscribe linux-nfs" in
the body of a message to majordomo-u79uwXL29TY76Z2rM5mHXA@public.gmane.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
next prev parent reply other threads:[~2011-09-07 21:51 UTC|newest]
Thread overview: 116+ messages / expand[flat|nested] mbox.gz Atom feed top
2011-09-05 17:25 [PATCH -V6 00/26] New ACL format for better NFSv4 acl interoperability Aneesh Kumar K.V
2011-09-05 17:25 ` [PATCH -V6 01/26] vfs: Indicate that the permission functions take all the MAY_* flags Aneesh Kumar K.V
2011-09-05 17:25 ` [PATCH -V6 02/26] vfs: Add hex format for MAY_* flag values Aneesh Kumar K.V
2011-09-05 17:25 ` [PATCH -V6 03/26] vfs: Pass all mask flags down to iop->check_acl Aneesh Kumar K.V
2011-09-05 17:25 ` [PATCH -V6 04/26] vfs: Add a comment to inode_permission() Aneesh Kumar K.V
2011-09-05 17:25 ` Aneesh Kumar K.V
2011-09-05 17:25 ` [PATCH -V6 05/26] vfs: Add generic IS_ACL() test for acl support Aneesh Kumar K.V
2011-09-05 17:25 ` Aneesh Kumar K.V
2011-09-05 17:25 ` [PATCH -V6 06/26] vfs: Add IS_RICHACL() test for richacl support Aneesh Kumar K.V
2011-09-05 17:25 ` Aneesh Kumar K.V
2011-09-05 17:25 ` [PATCH -V6 07/26] vfs: Optimize out IS_RICHACL() if CONFIG_FS_RICHACL is not defined Aneesh Kumar K.V
2011-09-05 17:25 ` [PATCH -V6 08/26] vfs: Add new file and directory create permission flags Aneesh Kumar K.V
2011-09-05 17:25 ` Aneesh Kumar K.V
2011-09-09 10:02 ` David Howells
2011-09-09 11:59 ` Aneesh Kumar K.V
2011-09-05 17:25 ` [PATCH -V6 09/26] vfs: Add delete child and delete self " Aneesh Kumar K.V
2011-09-07 20:39 ` J. Bruce Fields
2011-09-07 20:39 ` J. Bruce Fields
2011-09-08 9:30 ` Aneesh Kumar K.V
2011-09-08 20:07 ` J. Bruce Fields
2011-09-08 22:02 ` J. Bruce Fields
2011-09-09 5:19 ` Aneesh Kumar K.V
2011-09-09 5:19 ` Aneesh Kumar K.V
2011-09-09 5:25 ` Aneesh Kumar K.V
2011-09-09 12:02 ` J. Bruce Fields
2011-09-09 5:14 ` Aneesh Kumar K.V
2011-09-09 5:14 ` Aneesh Kumar K.V
2011-09-09 10:12 ` David Howells
2011-09-09 10:12 ` David Howells
2011-09-09 11:55 ` Aneesh Kumar K.V
2011-09-09 11:55 ` Aneesh Kumar K.V
2011-09-05 17:25 ` [PATCH -V6 10/26] vfs: Make the inode passed to inode_change_ok non-const Aneesh Kumar K.V
2011-09-07 20:43 ` J. Bruce Fields
2011-09-08 9:32 ` Aneesh Kumar K.V
2011-09-08 9:32 ` Aneesh Kumar K.V
2011-09-05 17:25 ` [PATCH -V6 11/26] vfs: Add permission flags for setting file attributes Aneesh Kumar K.V
2011-09-05 17:25 ` Aneesh Kumar K.V
2011-09-07 20:55 ` J. Bruce Fields
2011-09-08 9:36 ` Aneesh Kumar K.V
2011-09-08 20:08 ` J. Bruce Fields
2011-09-05 17:25 ` [PATCH -V6 12/26] vfs: Make acl_permission_check() work for richacls Aneesh Kumar K.V
2011-09-05 17:25 ` [PATCH -V6 13/26] richacl: In-memory representation and helper functions Aneesh Kumar K.V
2011-09-05 17:25 ` [PATCH -V6 14/26] richacl: Permission mapping functions Aneesh Kumar K.V
2011-09-05 17:25 ` Aneesh Kumar K.V
2011-09-07 21:24 ` J. Bruce Fields
2011-09-08 10:27 ` Aneesh Kumar K.V
2011-09-09 10:36 ` David Howells
2011-09-09 11:54 ` Aneesh Kumar K.V
2011-09-09 11:54 ` Aneesh Kumar K.V
2011-09-05 17:25 ` [PATCH -V6 15/26] richacl: Compute maximum file masks from an acl Aneesh Kumar K.V
2011-09-05 17:25 ` Aneesh Kumar K.V
2011-09-05 17:25 ` [PATCH -V6 16/26] richacl: Update the file masks in chmod() Aneesh Kumar K.V
2011-09-05 17:25 ` [PATCH -V6 17/26] richacl: Permission check algorithm Aneesh Kumar K.V
2011-09-07 21:50 ` J. Bruce Fields [this message]
2011-09-07 21:50 ` J. Bruce Fields
2011-09-08 10:34 ` Aneesh Kumar K.V
2011-09-08 10:34 ` Aneesh Kumar K.V
2011-09-05 17:25 ` [PATCH -V6 18/26] richacl: Create-time inheritance Aneesh Kumar K.V
2011-09-09 12:14 ` David Howells
2011-09-09 12:14 ` David Howells
2011-09-05 17:25 ` [PATCH -V6 19/26] richacl: Check if an acl is equivalent to a file mode Aneesh Kumar K.V
2011-09-05 17:25 ` Aneesh Kumar K.V
2011-09-05 17:25 ` [PATCH -V6 20/26] richacl: Automatic Inheritance Aneesh Kumar K.V
2011-09-07 21:56 ` J. Bruce Fields
2011-09-07 21:56 ` J. Bruce Fields
2011-09-05 17:25 ` [PATCH -V6 21/26] richacl: xattr mapping functions Aneesh Kumar K.V
2011-09-05 17:25 ` [PATCH -V6 22/26] vfs: Cache richacl in struct inode Aneesh Kumar K.V
2011-09-09 12:37 ` David Howells
2011-09-09 12:37 ` David Howells
2011-09-05 17:25 ` [PATCH -V6 23/26] vfs: Add richacl permission check Aneesh Kumar K.V
2011-09-05 17:25 ` Aneesh Kumar K.V
2011-09-05 17:25 ` [PATCH -V6 24/26] ext4: Use IS_POSIXACL() to check for POSIX ACL support Aneesh Kumar K.V
2011-09-05 17:25 ` [PATCH -V6 25/26] ext4: Implement rich acl for ext4 Aneesh Kumar K.V
2011-09-09 12:45 ` David Howells
2011-09-13 4:25 ` Aneesh Kumar K.V
2011-09-13 4:25 ` Aneesh Kumar K.V
2011-09-05 17:25 ` [PATCH -V6 26/26] ext4: Add temporary richacl mount option " Aneesh Kumar K.V
2011-09-05 17:25 ` Aneesh Kumar K.V
2011-09-05 22:42 ` [PATCH -V6 00/26] New ACL format for better NFSv4 acl interoperability Casey Schaufler
2011-09-05 22:42 ` Casey Schaufler
2011-09-08 0:46 ` Valdis.Kletnieks
2011-09-08 0:46 ` Valdis.Kletnieks-PjAqaU27lzQ
2011-09-12 21:34 ` Casey Schaufler
2011-09-12 22:20 ` J. Bruce Fields
2011-09-12 22:38 ` Casey Schaufler
2011-09-12 22:38 ` Casey Schaufler
2011-09-12 22:43 ` J. Bruce Fields
2011-09-12 23:23 ` Casey Schaufler
2011-09-12 23:53 ` J. Bruce Fields
2011-09-12 23:53 ` J. Bruce Fields
2011-09-13 4:41 ` Aneesh Kumar K.V
2011-09-13 4:41 ` Aneesh Kumar K.V
2011-09-13 18:12 ` Valdis.Kletnieks
2011-09-06 9:41 ` Steven Whitehouse
2011-09-06 13:58 ` Aneesh Kumar K.V
2011-09-06 13:58 ` Aneesh Kumar K.V
2011-09-07 20:18 ` J. Bruce Fields
2011-09-07 23:44 ` J. Bruce Fields
2011-09-08 10:40 ` Aneesh Kumar K.V
2011-09-08 10:40 ` Aneesh Kumar K.V
2011-09-09 12:48 ` David Howells
2011-09-09 12:48 ` David Howells
2011-09-09 14:03 ` David Howells
2011-09-09 14:03 ` David Howells
2011-09-12 22:23 ` J. Bruce Fields
2011-09-12 22:23 ` J. Bruce Fields
2011-09-12 22:27 ` David Howells
2011-09-12 22:27 ` David Howells
2011-09-13 5:07 ` Aneesh Kumar K.V
2011-09-21 7:30 ` Aneesh Kumar K.V
2011-09-21 19:45 ` J. Bruce Fields
2011-09-21 19:45 ` J. Bruce Fields
2011-09-22 5:31 ` Aneesh Kumar K.V
2011-09-22 5:31 ` Aneesh Kumar K.V
2011-09-22 12:01 ` J. Bruce Fields
2011-09-22 12:01 ` J. Bruce Fields
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20110907215022.GI8074@fieldses.org \
--to=bfields@fieldses.org \
--cc=agruen@kernel.org \
--cc=akpm@linux-foundation.org \
--cc=aneesh.kumar@linux.vnet.ibm.com \
--cc=dhowells@redhat.com \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-nfs@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.