From: "Aneesh Kumar K.V" <aneesh.kumar@linux.vnet.ibm.com>
To: "J. Bruce Fields" <bfields@fieldses.org>
Cc: agruen@kernel.org, akpm@linux-foundation.org,
viro@zeniv.linux.org.uk, dhowells@redhat.com,
linux-fsdevel@vger.kernel.org, linux-nfs@vger.kernel.org,
linux-kernel@vger.kernel.org
Subject: Re: [PATCH -V7 09/26] vfs: Add delete child and delete self permission flags
Date: Thu, 20 Oct 2011 13:05:26 +0530 [thread overview]
Message-ID: <87mxcw5d4x.fsf@linux.vnet.ibm.com> (raw)
In-Reply-To: <20111019220915.GA1874@fieldses.org>
On Wed, 19 Oct 2011 18:09:15 -0400, "J. Bruce Fields" <bfields@fieldses.org> wrote:
> Maybe I'm dense, but that big if-else-if is still giving me a headache.
>
> The point is just to delay the ns_capable() check to avoid setting
> PF_SUPERPRIV in cases where we weren't before?
>
> How about putting using a helper function for the richacl check, and
> calling it from check_sticky instead? That makes the above:
>
> error = inode_permission(dir, mask | replace_mask);
> if (error && !richacl_may_delete(dir, inode, replace_mask))
> return error;
> if (check_sticky(dir, inode, replace_mask))
> return -EPERM;
>
> (As in the following--totally untested and possibly wrong.)
>
> Also: the comment before may_delete() needs updating.
>
Thanks for the suggestion. That made the code simpler. Updated patch
below.
commit 3c92363ce2dee22aa174327c21726f8f02cbcd6e
Author: Andreas Gruenbacher <agruen@kernel.org>
Date: Tue Oct 18 15:17:50 2011 +0530
vfs: Add delete child and delete self permission flags
Normally, deleting a file requires write access to the parent directory.
Some permission models use a different permission on the parent
directory to indicate delete access. In addition, a process can have
per-file delete access even without delete access on the parent
directory.
Introduce two new inode_permission() mask flags and use them in
may_delete()
Acked-by: David Howells <dhowells@redhat.com>
Signed-off-by: Andreas Gruenbacher <agruen@kernel.org>
Signed-off-by: Aneesh Kumar K.V <aneesh.kumar@linux.vnet.ibm.com>
diff --git a/fs/namei.c b/fs/namei.c
index f6184b8..044b6d1 100644
--- a/fs/namei.c
+++ b/fs/namei.c
@@ -337,7 +337,7 @@ static inline int do_inode_permission(struct inode *inode, int mask)
* are used for other things.
*
* When checking for MAY_APPEND, MAY_CREATE_FILE, MAY_CREATE_DIR,
- * MAY_WRITE must also be set in @mask.
+ * MAY_DELETE_CHILD, MAY_DELETE_SELF, MAY_WRITE must also be set in @mask.
*/
int inode_permission(struct inode *inode, int mask)
{
@@ -1835,11 +1835,25 @@ static int user_path_parent(int dfd, const char __user *path,
return error;
}
+
+/*
+ * We should have exec permission on directory and MAY_DELETE_SELF
+ * on the object being deleted.
+ */
+static int richacl_may_selfdelete(struct inode *dir,
+ struct inode *inode, int replace_mask)
+{
+ return (IS_RICHACL(inode) &&
+ (inode_permission(dir, MAY_EXEC | replace_mask) == 0) &&
+ (inode_permission(inode, MAY_DELETE_SELF) == 0));
+}
+
/*
* It's inline, so penalty for filesystems that don't use sticky bit is
* minimal.
*/
-static inline int check_sticky(struct inode *dir, struct inode *inode)
+static inline int check_sticky(struct inode *dir,
+ struct inode *inode, int replace_mask)
{
uid_t fsuid = current_fsuid();
@@ -1851,7 +1865,8 @@ static inline int check_sticky(struct inode *dir, struct inode *inode)
return 0;
if (dir->i_uid == fsuid)
return 0;
-
+ if (richacl_may_selfdelete(dir, inode, replace_mask))
+ return 0;
other_userns:
return !ns_capable(inode_userns(inode), CAP_FOWNER);
}
@@ -1875,30 +1890,38 @@ other_userns:
* 10. We don't allow removal of NFS sillyrenamed files; it's handled by
* nfs_async_unlink().
*/
-static int may_delete(struct inode *dir,struct dentry *victim,int isdir)
+static int may_delete(struct inode *dir, struct dentry *victim,
+ int isdir, int replace)
{
- int error;
+ int mask, replace_mask = 0, error;
+ struct inode *inode = victim->d_inode;
- if (!victim->d_inode)
+ if (!inode)
return -ENOENT;
BUG_ON(victim->d_parent->d_inode != dir);
audit_inode_child(victim, dir);
- error = inode_permission(dir, MAY_WRITE | MAY_EXEC);
+ mask = MAY_WRITE | MAY_EXEC | MAY_DELETE_CHILD;
+ if (replace)
+ replace_mask = S_ISDIR(inode->i_mode) ?
+ MAY_CREATE_DIR : MAY_CREATE_FILE;
+ error = inode_permission(dir, mask | replace_mask);
+ if (error && richacl_may_selfdelete(dir, inode, replace_mask))
+ error = 0;
if (error)
return error;
if (IS_APPEND(dir))
return -EPERM;
- if (check_sticky(dir, victim->d_inode)||IS_APPEND(victim->d_inode)||
- IS_IMMUTABLE(victim->d_inode) || IS_SWAPFILE(victim->d_inode))
+ if (check_sticky(dir, inode, replace_mask) || IS_APPEND(inode) ||
+ IS_IMMUTABLE(inode) || IS_SWAPFILE(inode))
return -EPERM;
if (isdir) {
- if (!S_ISDIR(victim->d_inode->i_mode))
+ if (!S_ISDIR(inode->i_mode))
return -ENOTDIR;
if (IS_ROOT(victim))
return -EBUSY;
- } else if (S_ISDIR(victim->d_inode->i_mode))
+ } else if (S_ISDIR(inode->i_mode))
return -EISDIR;
if (IS_DEADDIR(dir))
return -ENOENT;
@@ -2605,7 +2628,7 @@ void dentry_unhash(struct dentry *dentry)
int vfs_rmdir(struct inode *dir, struct dentry *dentry)
{
- int error = may_delete(dir, dentry, 1);
+ int error = may_delete(dir, dentry, 1, 0);
if (error)
return error;
@@ -2700,7 +2723,7 @@ SYSCALL_DEFINE1(rmdir, const char __user *, pathname)
int vfs_unlink(struct inode *dir, struct dentry *dentry)
{
- int error = may_delete(dir, dentry, 0);
+ int error = may_delete(dir, dentry, 0, 0);
if (error)
return error;
@@ -3096,14 +3119,14 @@ int vfs_rename(struct inode *old_dir, struct dentry *old_dentry,
if (old_dentry->d_inode == new_dentry->d_inode)
return 0;
- error = may_delete(old_dir, old_dentry, is_dir);
+ error = may_delete(old_dir, old_dentry, is_dir, 0);
if (error)
return error;
if (!new_dentry->d_inode)
error = may_create(new_dir, new_dentry, is_dir);
else
- error = may_delete(new_dir, new_dentry, is_dir);
+ error = may_delete(new_dir, new_dentry, is_dir, 1);
if (error)
return error;
diff --git a/include/linux/fs.h b/include/linux/fs.h
index 60361c6..ccece40 100644
--- a/include/linux/fs.h
+++ b/include/linux/fs.h
@@ -69,6 +69,8 @@ struct inodes_stat_t {
#define MAY_NOT_BLOCK 0x00000080
#define MAY_CREATE_FILE 0x00000100
#define MAY_CREATE_DIR 0x00000200
+#define MAY_DELETE_CHILD 0x00000400
+#define MAY_DELETE_SELF 0x00000800
/*
* flags in file.f_mode. Note that FMODE_READ and FMODE_WRITE must correspond
WARNING: multiple messages have this Message-ID (diff)
From: "Aneesh Kumar K.V" <aneesh.kumar-23VcF4HTsmIX0ybBhKVfKdBPR1lH4CV8@public.gmane.org>
To: "J. Bruce Fields" <bfields-uC3wQj2KruNg9hUCZPvPmw@public.gmane.org>
Cc: agruen-DgEjT+Ai2ygdnm+yROfE0A@public.gmane.org,
akpm-de/tnXTf+JLsfHDXvbKv3WD2FQJk+8+b@public.gmane.org,
viro-RmSDqhL/yNMiFSDQTTA3OLVCufUGDwFn@public.gmane.org,
dhowells-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org,
linux-fsdevel-u79uwXL29TY76Z2rM5mHXA@public.gmane.org,
linux-nfs-u79uwXL29TY76Z2rM5mHXA@public.gmane.org,
linux-kernel-u79uwXL29TY76Z2rM5mHXA@public.gmane.org
Subject: Re: [PATCH -V7 09/26] vfs: Add delete child and delete self permission flags
Date: Thu, 20 Oct 2011 13:05:26 +0530 [thread overview]
Message-ID: <87mxcw5d4x.fsf@linux.vnet.ibm.com> (raw)
In-Reply-To: <20111019220915.GA1874-uC3wQj2KruNg9hUCZPvPmw@public.gmane.org>
On Wed, 19 Oct 2011 18:09:15 -0400, "J. Bruce Fields" <bfields-uC3wQj2KruNg9hUCZPvPmw@public.gmane.org> wrote:
> Maybe I'm dense, but that big if-else-if is still giving me a headache.
>
> The point is just to delay the ns_capable() check to avoid setting
> PF_SUPERPRIV in cases where we weren't before?
>
> How about putting using a helper function for the richacl check, and
> calling it from check_sticky instead? That makes the above:
>
> error = inode_permission(dir, mask | replace_mask);
> if (error && !richacl_may_delete(dir, inode, replace_mask))
> return error;
> if (check_sticky(dir, inode, replace_mask))
> return -EPERM;
>
> (As in the following--totally untested and possibly wrong.)
>
> Also: the comment before may_delete() needs updating.
>
Thanks for the suggestion. That made the code simpler. Updated patch
below.
commit 3c92363ce2dee22aa174327c21726f8f02cbcd6e
Author: Andreas Gruenbacher <agruen-DgEjT+Ai2ygdnm+yROfE0A@public.gmane.org>
Date: Tue Oct 18 15:17:50 2011 +0530
vfs: Add delete child and delete self permission flags
Normally, deleting a file requires write access to the parent directory.
Some permission models use a different permission on the parent
directory to indicate delete access. In addition, a process can have
per-file delete access even without delete access on the parent
directory.
Introduce two new inode_permission() mask flags and use them in
may_delete()
Acked-by: David Howells <dhowells-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
Signed-off-by: Andreas Gruenbacher <agruen-DgEjT+Ai2ygdnm+yROfE0A@public.gmane.org>
Signed-off-by: Aneesh Kumar K.V <aneesh.kumar-23VcF4HTsmIX0ybBhKVfKdBPR1lH4CV8@public.gmane.org>
diff --git a/fs/namei.c b/fs/namei.c
index f6184b8..044b6d1 100644
--- a/fs/namei.c
+++ b/fs/namei.c
@@ -337,7 +337,7 @@ static inline int do_inode_permission(struct inode *inode, int mask)
* are used for other things.
*
* When checking for MAY_APPEND, MAY_CREATE_FILE, MAY_CREATE_DIR,
- * MAY_WRITE must also be set in @mask.
+ * MAY_DELETE_CHILD, MAY_DELETE_SELF, MAY_WRITE must also be set in @mask.
*/
int inode_permission(struct inode *inode, int mask)
{
@@ -1835,11 +1835,25 @@ static int user_path_parent(int dfd, const char __user *path,
return error;
}
+
+/*
+ * We should have exec permission on directory and MAY_DELETE_SELF
+ * on the object being deleted.
+ */
+static int richacl_may_selfdelete(struct inode *dir,
+ struct inode *inode, int replace_mask)
+{
+ return (IS_RICHACL(inode) &&
+ (inode_permission(dir, MAY_EXEC | replace_mask) == 0) &&
+ (inode_permission(inode, MAY_DELETE_SELF) == 0));
+}
+
/*
* It's inline, so penalty for filesystems that don't use sticky bit is
* minimal.
*/
-static inline int check_sticky(struct inode *dir, struct inode *inode)
+static inline int check_sticky(struct inode *dir,
+ struct inode *inode, int replace_mask)
{
uid_t fsuid = current_fsuid();
@@ -1851,7 +1865,8 @@ static inline int check_sticky(struct inode *dir, struct inode *inode)
return 0;
if (dir->i_uid == fsuid)
return 0;
-
+ if (richacl_may_selfdelete(dir, inode, replace_mask))
+ return 0;
other_userns:
return !ns_capable(inode_userns(inode), CAP_FOWNER);
}
@@ -1875,30 +1890,38 @@ other_userns:
* 10. We don't allow removal of NFS sillyrenamed files; it's handled by
* nfs_async_unlink().
*/
-static int may_delete(struct inode *dir,struct dentry *victim,int isdir)
+static int may_delete(struct inode *dir, struct dentry *victim,
+ int isdir, int replace)
{
- int error;
+ int mask, replace_mask = 0, error;
+ struct inode *inode = victim->d_inode;
- if (!victim->d_inode)
+ if (!inode)
return -ENOENT;
BUG_ON(victim->d_parent->d_inode != dir);
audit_inode_child(victim, dir);
- error = inode_permission(dir, MAY_WRITE | MAY_EXEC);
+ mask = MAY_WRITE | MAY_EXEC | MAY_DELETE_CHILD;
+ if (replace)
+ replace_mask = S_ISDIR(inode->i_mode) ?
+ MAY_CREATE_DIR : MAY_CREATE_FILE;
+ error = inode_permission(dir, mask | replace_mask);
+ if (error && richacl_may_selfdelete(dir, inode, replace_mask))
+ error = 0;
if (error)
return error;
if (IS_APPEND(dir))
return -EPERM;
- if (check_sticky(dir, victim->d_inode)||IS_APPEND(victim->d_inode)||
- IS_IMMUTABLE(victim->d_inode) || IS_SWAPFILE(victim->d_inode))
+ if (check_sticky(dir, inode, replace_mask) || IS_APPEND(inode) ||
+ IS_IMMUTABLE(inode) || IS_SWAPFILE(inode))
return -EPERM;
if (isdir) {
- if (!S_ISDIR(victim->d_inode->i_mode))
+ if (!S_ISDIR(inode->i_mode))
return -ENOTDIR;
if (IS_ROOT(victim))
return -EBUSY;
- } else if (S_ISDIR(victim->d_inode->i_mode))
+ } else if (S_ISDIR(inode->i_mode))
return -EISDIR;
if (IS_DEADDIR(dir))
return -ENOENT;
@@ -2605,7 +2628,7 @@ void dentry_unhash(struct dentry *dentry)
int vfs_rmdir(struct inode *dir, struct dentry *dentry)
{
- int error = may_delete(dir, dentry, 1);
+ int error = may_delete(dir, dentry, 1, 0);
if (error)
return error;
@@ -2700,7 +2723,7 @@ SYSCALL_DEFINE1(rmdir, const char __user *, pathname)
int vfs_unlink(struct inode *dir, struct dentry *dentry)
{
- int error = may_delete(dir, dentry, 0);
+ int error = may_delete(dir, dentry, 0, 0);
if (error)
return error;
@@ -3096,14 +3119,14 @@ int vfs_rename(struct inode *old_dir, struct dentry *old_dentry,
if (old_dentry->d_inode == new_dentry->d_inode)
return 0;
- error = may_delete(old_dir, old_dentry, is_dir);
+ error = may_delete(old_dir, old_dentry, is_dir, 0);
if (error)
return error;
if (!new_dentry->d_inode)
error = may_create(new_dir, new_dentry, is_dir);
else
- error = may_delete(new_dir, new_dentry, is_dir);
+ error = may_delete(new_dir, new_dentry, is_dir, 1);
if (error)
return error;
diff --git a/include/linux/fs.h b/include/linux/fs.h
index 60361c6..ccece40 100644
--- a/include/linux/fs.h
+++ b/include/linux/fs.h
@@ -69,6 +69,8 @@ struct inodes_stat_t {
#define MAY_NOT_BLOCK 0x00000080
#define MAY_CREATE_FILE 0x00000100
#define MAY_CREATE_DIR 0x00000200
+#define MAY_DELETE_CHILD 0x00000400
+#define MAY_DELETE_SELF 0x00000800
/*
* flags in file.f_mode. Note that FMODE_READ and FMODE_WRITE must correspond
--
To unsubscribe from this list: send the line "unsubscribe linux-nfs" in
the body of a message to majordomo-u79uwXL29TY76Z2rM5mHXA@public.gmane.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
next prev parent reply other threads:[~2011-10-20 7:35 UTC|newest]
Thread overview: 66+ messages / expand[flat|nested] mbox.gz Atom feed top
2011-10-18 15:32 [PATCH -V7 00/26] New ACL format for better NFSv4 acl interoperability Aneesh Kumar K.V
2011-10-18 15:32 ` [PATCH -V7 01/26] vfs: Indicate that the permission functions take all the MAY_* flags Aneesh Kumar K.V
2011-10-18 15:32 ` Aneesh Kumar K.V
2011-10-18 15:32 ` [PATCH -V7 02/26] vfs: Add hex format for MAY_* flag values Aneesh Kumar K.V
2011-10-18 15:32 ` [PATCH -V7 03/26] vfs: Pass all mask flags down to iop->check_acl Aneesh Kumar K.V
2011-10-18 15:32 ` [PATCH -V7 04/26] vfs: Add a comment to inode_permission() Aneesh Kumar K.V
2011-10-18 15:32 ` [PATCH -V7 05/26] vfs: Add generic IS_ACL() test for acl support Aneesh Kumar K.V
2011-10-18 15:32 ` [PATCH -V7 06/26] vfs: Add IS_RICHACL() test for richacl support Aneesh Kumar K.V
2011-10-18 15:32 ` [PATCH -V7 07/26] vfs: Optimize out IS_RICHACL() if CONFIG_FS_RICHACL is not defined Aneesh Kumar K.V
2011-10-18 15:32 ` [PATCH -V7 08/26] vfs: Add new file and directory create permission flags Aneesh Kumar K.V
2011-10-19 16:42 ` J. Bruce Fields
2011-10-20 5:20 ` Aneesh Kumar K.V
2011-10-20 5:20 ` Aneesh Kumar K.V
2011-10-18 15:32 ` [PATCH -V7 09/26] vfs: Add delete child and delete self " Aneesh Kumar K.V
2011-10-19 22:09 ` J. Bruce Fields
2011-10-20 7:35 ` Aneesh Kumar K.V [this message]
2011-10-20 7:35 ` Aneesh Kumar K.V
2011-10-20 8:11 ` J. Bruce Fields
2011-10-18 15:32 ` [PATCH -V7 10/26] vfs: Make the inode passed to inode_change_ok non-const Aneesh Kumar K.V
2011-10-18 15:32 ` Aneesh Kumar K.V
2011-10-18 15:32 ` [PATCH -V7 11/26] vfs: Add permission flags for setting file attributes Aneesh Kumar K.V
2011-10-18 15:32 ` Aneesh Kumar K.V
2011-10-18 15:32 ` [PATCH -V7 12/26] vfs: Make acl_permission_check() work for richacls Aneesh Kumar K.V
2011-10-18 15:32 ` [PATCH -V7 13/26] richacl: In-memory representation and helper functions Aneesh Kumar K.V
2011-10-18 15:32 ` [PATCH -V7 14/26] richacl: Permission mapping functions Aneesh Kumar K.V
2011-10-18 15:32 ` [PATCH -V7 15/26] richacl: Compute maximum file masks from an acl Aneesh Kumar K.V
2011-10-18 15:32 ` [PATCH -V7 16/26] richacl: Update the file masks in chmod() Aneesh Kumar K.V
2011-10-18 15:32 ` Aneesh Kumar K.V
2011-10-18 15:32 ` [PATCH -V7 17/26] richacl: Permission check algorithm Aneesh Kumar K.V
2011-10-18 15:32 ` [PATCH -V7 18/26] richacl: Create-time inheritance Aneesh Kumar K.V
2011-10-18 15:32 ` [PATCH -V7 19/26] richacl: Check if an acl is equivalent to a file mode Aneesh Kumar K.V
2011-10-18 15:32 ` [PATCH -V7 20/26] richacl: Automatic Inheritance Aneesh Kumar K.V
2011-10-18 15:32 ` [PATCH -V7 21/26] richacl: xattr mapping functions Aneesh Kumar K.V
2011-10-18 15:32 ` Aneesh Kumar K.V
2011-10-19 22:20 ` J. Bruce Fields
2011-10-20 8:30 ` Aneesh Kumar K.V
2011-10-20 9:14 ` J. Bruce Fields
2011-10-20 9:19 ` Christoph Hellwig
2011-10-20 10:25 ` J. Bruce Fields
2011-10-20 10:25 ` J. Bruce Fields
2011-10-20 23:46 ` Andreas Gruenbacher
2011-10-20 23:46 ` Andreas Gruenbacher
2011-10-21 0:45 ` J. Bruce Fields
2011-10-21 9:40 ` Aneesh Kumar K.V
2011-10-21 9:40 ` Aneesh Kumar K.V
2011-10-21 10:52 ` Andreas Gruenbacher
2011-10-21 13:12 ` Aneesh Kumar K.V
2011-10-21 23:58 ` Andreas Gruenbacher
2011-10-20 11:02 ` Aneesh Kumar K.V
2011-10-20 11:02 ` Aneesh Kumar K.V
2011-10-20 17:49 ` J. Bruce Fields
2011-10-20 17:49 ` J. Bruce Fields
2011-10-20 19:49 ` Andreas Dilger
2011-11-19 9:35 ` Eric W. Biederman
2011-11-19 9:28 ` Eric W. Biederman
2011-11-21 13:35 ` J. Bruce Fields
2011-10-18 15:32 ` [PATCH -V7 22/26] vfs: Cache richacl in struct inode Aneesh Kumar K.V
2011-10-18 15:32 ` [PATCH -V7 23/26] vfs: Add richacl permission check Aneesh Kumar K.V
2011-10-18 15:32 ` [PATCH -V7 24/26] ext4: Use IS_POSIXACL() to check for POSIX ACL support Aneesh Kumar K.V
2011-10-18 15:33 ` [PATCH -V7 25/26] ext4: Implement rich acl for ext4 Aneesh Kumar K.V
2011-10-18 18:41 ` Andreas Dilger
2011-10-19 5:43 ` Aneesh Kumar K.V
2011-10-18 15:33 ` [PATCH -V7 26/26] ext4: Add Ext4 compat richacl feature flag Aneesh Kumar K.V
2011-10-18 16:17 ` [PATCH -V7 00/26] New ACL format for better NFSv4 acl interoperability Shea Levy
2011-10-19 5:54 ` Aneesh Kumar K.V
2011-10-19 22:21 ` J. Bruce Fields
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=87mxcw5d4x.fsf@linux.vnet.ibm.com \
--to=aneesh.kumar@linux.vnet.ibm.com \
--cc=agruen@kernel.org \
--cc=akpm@linux-foundation.org \
--cc=bfields@fieldses.org \
--cc=dhowells@redhat.com \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-nfs@vger.kernel.org \
--cc=viro@zeniv.linux.org.uk \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.