diff options
author | Linus Torvalds <torvalds@ppc970.osdl.org> | 2005-04-16 18:20:36 -0400 |
---|---|---|
committer | Linus Torvalds <torvalds@ppc970.osdl.org> | 2005-04-16 18:20:36 -0400 |
commit | 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 (patch) | |
tree | 0bba044c4ce775e45a88a51686b5d9f90697ea9d /fs/xfs/xfs_acl.c |
Linux-2.6.12-rc2v2.6.12-rc2
Initial git repository build. I'm not bothering with the full history,
even though we have it. We can create a separate "historical" git
archive of that later if we want to, and in the meantime it's about
3.2GB when imported into git - space that would just make the early
git days unnecessarily complicated, when we don't have a lot of good
infrastructure for it.
Let it rip!
Diffstat (limited to 'fs/xfs/xfs_acl.c')
-rw-r--r-- | fs/xfs/xfs_acl.c | 937 |
1 files changed, 937 insertions, 0 deletions
diff --git a/fs/xfs/xfs_acl.c b/fs/xfs/xfs_acl.c new file mode 100644 index 000000000000..8d01dce8c532 --- /dev/null +++ b/fs/xfs/xfs_acl.c | |||
@@ -0,0 +1,937 @@ | |||
1 | /* | ||
2 | * Copyright (c) 2001-2002 Silicon Graphics, Inc. All Rights Reserved. | ||
3 | * | ||
4 | * This program is free software; you can redistribute it and/or modify it | ||
5 | * under the terms of version 2 of the GNU General Public License as | ||
6 | * published by the Free Software Foundation. | ||
7 | * | ||
8 | * This program is distributed in the hope that it would be useful, but | ||
9 | * WITHOUT ANY WARRANTY; without even the implied warranty of | ||
10 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. | ||
11 | * | ||
12 | * Further, this software is distributed without any warranty that it is | ||
13 | * free of the rightful claim of any third person regarding infringement | ||
14 | * or the like. Any license provided herein, whether implied or | ||
15 | * otherwise, applies only to this software file. Patent licenses, if | ||
16 | * any, provided herein do not apply to combinations of this program with | ||
17 | * other software, or any other product whatsoever. | ||
18 | * | ||
19 | * You should have received a copy of the GNU General Public License along | ||
20 | * with this program; if not, write the Free Software Foundation, Inc., 59 | ||
21 | * Temple Place - Suite 330, Boston MA 02111-1307, USA. | ||
22 | * | ||
23 | * Contact information: Silicon Graphics, Inc., 1600 Amphitheatre Pkwy, | ||
24 | * Mountain View, CA 94043, or: | ||
25 | * | ||
26 | * http://www.sgi.com | ||
27 | * | ||
28 | * For further information regarding this notice, see: | ||
29 | * | ||
30 | * http://oss.sgi.com/projects/GenInfo/SGIGPLNoticeExplan/ | ||
31 | */ | ||
32 | |||
33 | #include "xfs.h" | ||
34 | |||
35 | #include "xfs_inum.h" | ||
36 | #include "xfs_dir.h" | ||
37 | #include "xfs_dir2.h" | ||
38 | #include "xfs_alloc_btree.h" | ||
39 | #include "xfs_bmap_btree.h" | ||
40 | #include "xfs_ialloc_btree.h" | ||
41 | #include "xfs_btree.h" | ||
42 | #include "xfs_attr_sf.h" | ||
43 | #include "xfs_dir_sf.h" | ||
44 | #include "xfs_dir2_sf.h" | ||
45 | #include "xfs_dinode.h" | ||
46 | #include "xfs_inode.h" | ||
47 | #include "xfs_acl.h" | ||
48 | #include "xfs_mac.h" | ||
49 | #include "xfs_attr.h" | ||
50 | |||
51 | #include <linux/posix_acl_xattr.h> | ||
52 | |||
53 | STATIC int xfs_acl_setmode(vnode_t *, xfs_acl_t *, int *); | ||
54 | STATIC void xfs_acl_filter_mode(mode_t, xfs_acl_t *); | ||
55 | STATIC void xfs_acl_get_endian(xfs_acl_t *); | ||
56 | STATIC int xfs_acl_access(uid_t, gid_t, xfs_acl_t *, mode_t, cred_t *); | ||
57 | STATIC int xfs_acl_invalid(xfs_acl_t *); | ||
58 | STATIC void xfs_acl_sync_mode(mode_t, xfs_acl_t *); | ||
59 | STATIC void xfs_acl_get_attr(vnode_t *, xfs_acl_t *, int, int, int *); | ||
60 | STATIC void xfs_acl_set_attr(vnode_t *, xfs_acl_t *, int, int *); | ||
61 | STATIC int xfs_acl_allow_set(vnode_t *, int); | ||
62 | |||
63 | kmem_zone_t *xfs_acl_zone; | ||
64 | |||
65 | |||
66 | /* | ||
67 | * Test for existence of access ACL attribute as efficiently as possible. | ||
68 | */ | ||
69 | int | ||
70 | xfs_acl_vhasacl_access( | ||
71 | vnode_t *vp) | ||
72 | { | ||
73 | int error; | ||
74 | |||
75 | xfs_acl_get_attr(vp, NULL, _ACL_TYPE_ACCESS, ATTR_KERNOVAL, &error); | ||
76 | return (error == 0); | ||
77 | } | ||
78 | |||
79 | /* | ||
80 | * Test for existence of default ACL attribute as efficiently as possible. | ||
81 | */ | ||
82 | int | ||
83 | xfs_acl_vhasacl_default( | ||
84 | vnode_t *vp) | ||
85 | { | ||
86 | int error; | ||
87 | |||
88 | if (vp->v_type != VDIR) | ||
89 | return 0; | ||
90 | xfs_acl_get_attr(vp, NULL, _ACL_TYPE_DEFAULT, ATTR_KERNOVAL, &error); | ||
91 | return (error == 0); | ||
92 | } | ||
93 | |||
94 | /* | ||
95 | * Convert from extended attribute representation to in-memory for XFS. | ||
96 | */ | ||
97 | STATIC int | ||
98 | posix_acl_xattr_to_xfs( | ||
99 | posix_acl_xattr_header *src, | ||
100 | size_t size, | ||
101 | xfs_acl_t *dest) | ||
102 | { | ||
103 | posix_acl_xattr_entry *src_entry; | ||
104 | xfs_acl_entry_t *dest_entry; | ||
105 | int n; | ||
106 | |||
107 | if (!src || !dest) | ||
108 | return EINVAL; | ||
109 | |||
110 | if (size < sizeof(posix_acl_xattr_header)) | ||
111 | return EINVAL; | ||
112 | |||
113 | if (src->a_version != cpu_to_le32(POSIX_ACL_XATTR_VERSION)) | ||
114 | return EOPNOTSUPP; | ||
115 | |||
116 | memset(dest, 0, sizeof(xfs_acl_t)); | ||
117 | dest->acl_cnt = posix_acl_xattr_count(size); | ||
118 | if (dest->acl_cnt < 0 || dest->acl_cnt > XFS_ACL_MAX_ENTRIES) | ||
119 | return EINVAL; | ||
120 | |||
121 | /* | ||
122 | * acl_set_file(3) may request that we set default ACLs with | ||
123 | * zero length -- defend (gracefully) against that here. | ||
124 | */ | ||
125 | if (!dest->acl_cnt) | ||
126 | return 0; | ||
127 | |||
128 | src_entry = (posix_acl_xattr_entry *)((char *)src + sizeof(*src)); | ||
129 | dest_entry = &dest->acl_entry[0]; | ||
130 | |||
131 | for (n = 0; n < dest->acl_cnt; n++, src_entry++, dest_entry++) { | ||
132 | dest_entry->ae_perm = le16_to_cpu(src_entry->e_perm); | ||
133 | if (_ACL_PERM_INVALID(dest_entry->ae_perm)) | ||
134 | return EINVAL; | ||
135 | dest_entry->ae_tag = le16_to_cpu(src_entry->e_tag); | ||
136 | switch(dest_entry->ae_tag) { | ||
137 | case ACL_USER: | ||
138 | case ACL_GROUP: | ||
139 | dest_entry->ae_id = le32_to_cpu(src_entry->e_id); | ||
140 | break; | ||
141 | case ACL_USER_OBJ: | ||
142 | case ACL_GROUP_OBJ: | ||
143 | case ACL_MASK: | ||
144 | case ACL_OTHER: | ||
145 | dest_entry->ae_id = ACL_UNDEFINED_ID; | ||
146 | break; | ||
147 | default: | ||
148 | return EINVAL; | ||
149 | } | ||
150 | } | ||
151 | if (xfs_acl_invalid(dest)) | ||
152 | return EINVAL; | ||
153 | |||
154 | return 0; | ||
155 | } | ||
156 | |||
157 | /* | ||
158 | * Comparison function called from qsort(). | ||
159 | * Primary key is ae_tag, secondary key is ae_id. | ||
160 | */ | ||
161 | STATIC int | ||
162 | xfs_acl_entry_compare( | ||
163 | const void *va, | ||
164 | const void *vb) | ||
165 | { | ||
166 | xfs_acl_entry_t *a = (xfs_acl_entry_t *)va, | ||
167 | *b = (xfs_acl_entry_t *)vb; | ||
168 | |||
169 | if (a->ae_tag == b->ae_tag) | ||
170 | return (a->ae_id - b->ae_id); | ||
171 | return (a->ae_tag - b->ae_tag); | ||
172 | } | ||
173 | |||
174 | /* | ||
175 | * Convert from in-memory XFS to extended attribute representation. | ||
176 | */ | ||
177 | STATIC int | ||
178 | posix_acl_xfs_to_xattr( | ||
179 | xfs_acl_t *src, | ||
180 | posix_acl_xattr_header *dest, | ||
181 | size_t size) | ||
182 | { | ||
183 | int n; | ||
184 | size_t new_size = posix_acl_xattr_size(src->acl_cnt); | ||
185 | posix_acl_xattr_entry *dest_entry; | ||
186 | xfs_acl_entry_t *src_entry; | ||
187 | |||
188 | if (size < new_size) | ||
189 | return -ERANGE; | ||
190 | |||
191 | /* Need to sort src XFS ACL by <ae_tag,ae_id> */ | ||
192 | qsort(src->acl_entry, src->acl_cnt, sizeof(src->acl_entry[0]), | ||
193 | xfs_acl_entry_compare); | ||
194 | |||
195 | dest->a_version = cpu_to_le32(POSIX_ACL_XATTR_VERSION); | ||
196 | dest_entry = &dest->a_entries[0]; | ||
197 | src_entry = &src->acl_entry[0]; | ||
198 | for (n = 0; n < src->acl_cnt; n++, dest_entry++, src_entry++) { | ||
199 | dest_entry->e_perm = cpu_to_le16(src_entry->ae_perm); | ||
200 | if (_ACL_PERM_INVALID(src_entry->ae_perm)) | ||
201 | return -EINVAL; | ||
202 | dest_entry->e_tag = cpu_to_le16(src_entry->ae_tag); | ||
203 | switch (src_entry->ae_tag) { | ||
204 | case ACL_USER: | ||
205 | case ACL_GROUP: | ||
206 | dest_entry->e_id = cpu_to_le32(src_entry->ae_id); | ||
207 | break; | ||
208 | case ACL_USER_OBJ: | ||
209 | case ACL_GROUP_OBJ: | ||
210 | case ACL_MASK: | ||
211 | case ACL_OTHER: | ||
212 | dest_entry->e_id = cpu_to_le32(ACL_UNDEFINED_ID); | ||
213 | break; | ||
214 | default: | ||
215 | return -EINVAL; | ||
216 | } | ||
217 | } | ||
218 | return new_size; | ||
219 | } | ||
220 | |||
221 | int | ||
222 | xfs_acl_vget( | ||
223 | vnode_t *vp, | ||
224 | void *acl, | ||
225 | size_t size, | ||
226 | int kind) | ||
227 | { | ||
228 | int error; | ||
229 | xfs_acl_t *xfs_acl = NULL; | ||
230 | posix_acl_xattr_header *ext_acl = acl; | ||
231 | int flags = 0; | ||
232 | |||
233 | VN_HOLD(vp); | ||
234 | if(size) { | ||
235 | if (!(_ACL_ALLOC(xfs_acl))) { | ||
236 | error = ENOMEM; | ||
237 | goto out; | ||
238 | } | ||
239 | memset(xfs_acl, 0, sizeof(xfs_acl_t)); | ||
240 | } else | ||
241 | flags = ATTR_KERNOVAL; | ||
242 | |||
243 | xfs_acl_get_attr(vp, xfs_acl, kind, flags, &error); | ||
244 | if (error) | ||
245 | goto out; | ||
246 | |||
247 | if (!size) { | ||
248 | error = -posix_acl_xattr_size(XFS_ACL_MAX_ENTRIES); | ||
249 | } else { | ||
250 | if (xfs_acl_invalid(xfs_acl)) { | ||
251 | error = EINVAL; | ||
252 | goto out; | ||
253 | } | ||
254 | if (kind == _ACL_TYPE_ACCESS) { | ||
255 | vattr_t va; | ||
256 | |||
257 | va.va_mask = XFS_AT_MODE; | ||
258 | VOP_GETATTR(vp, &va, 0, sys_cred, error); | ||
259 | if (error) | ||
260 | goto out; | ||
261 | xfs_acl_sync_mode(va.va_mode, xfs_acl); | ||
262 | } | ||
263 | error = -posix_acl_xfs_to_xattr(xfs_acl, ext_acl, size); | ||
264 | } | ||
265 | out: | ||
266 | VN_RELE(vp); | ||
267 | if(xfs_acl) | ||
268 | _ACL_FREE(xfs_acl); | ||
269 | return -error; | ||
270 | } | ||
271 | |||
272 | int | ||
273 | xfs_acl_vremove( | ||
274 | vnode_t *vp, | ||
275 | int kind) | ||
276 | { | ||
277 | int error; | ||
278 | |||
279 | VN_HOLD(vp); | ||
280 | error = xfs_acl_allow_set(vp, kind); | ||
281 | if (!error) { | ||
282 | VOP_ATTR_REMOVE(vp, kind == _ACL_TYPE_DEFAULT? | ||
283 | SGI_ACL_DEFAULT: SGI_ACL_FILE, | ||
284 | ATTR_ROOT, sys_cred, error); | ||
285 | if (error == ENOATTR) | ||
286 | error = 0; /* 'scool */ | ||
287 | } | ||
288 | VN_RELE(vp); | ||
289 | return -error; | ||
290 | } | ||
291 | |||
292 | int | ||
293 | xfs_acl_vset( | ||
294 | vnode_t *vp, | ||
295 | void *acl, | ||
296 | size_t size, | ||
297 | int kind) | ||
298 | { | ||
299 | posix_acl_xattr_header *ext_acl = acl; | ||
300 | xfs_acl_t *xfs_acl; | ||
301 | int error; | ||
302 | int basicperms = 0; /* more than std unix perms? */ | ||
303 | |||
304 | if (!acl) | ||
305 | return -EINVAL; | ||
306 | |||
307 | if (!(_ACL_ALLOC(xfs_acl))) | ||
308 | return -ENOMEM; | ||
309 | |||
310 | error = posix_acl_xattr_to_xfs(ext_acl, size, xfs_acl); | ||
311 | if (error) { | ||
312 | _ACL_FREE(xfs_acl); | ||
313 | return -error; | ||
314 | } | ||
315 | if (!xfs_acl->acl_cnt) { | ||
316 | _ACL_FREE(xfs_acl); | ||
317 | return 0; | ||
318 | } | ||
319 | |||
320 | VN_HOLD(vp); | ||
321 | error = xfs_acl_allow_set(vp, kind); | ||
322 | if (error) | ||
323 | goto out; | ||
324 | |||
325 | /* Incoming ACL exists, set file mode based on its value */ | ||
326 | if (kind == _ACL_TYPE_ACCESS) | ||
327 | xfs_acl_setmode(vp, xfs_acl, &basicperms); | ||
328 | |||
329 | /* | ||
330 | * If we have more than std unix permissions, set up the actual attr. | ||
331 | * Otherwise, delete any existing attr. This prevents us from | ||
332 | * having actual attrs for permissions that can be stored in the | ||
333 | * standard permission bits. | ||
334 | */ | ||
335 | if (!basicperms) { | ||
336 | xfs_acl_set_attr(vp, xfs_acl, kind, &error); | ||
337 | } else { | ||
338 | xfs_acl_vremove(vp, _ACL_TYPE_ACCESS); | ||
339 | } | ||
340 | |||
341 | out: | ||
342 | VN_RELE(vp); | ||
343 | _ACL_FREE(xfs_acl); | ||
344 | return -error; | ||
345 | } | ||
346 | |||
347 | int | ||
348 | xfs_acl_iaccess( | ||
349 | xfs_inode_t *ip, | ||
350 | mode_t mode, | ||
351 | cred_t *cr) | ||
352 | { | ||
353 | xfs_acl_t *acl; | ||
354 | int rval; | ||
355 | |||
356 | if (!(_ACL_ALLOC(acl))) | ||
357 | return -1; | ||
358 | |||
359 | /* If the file has no ACL return -1. */ | ||
360 | rval = sizeof(xfs_acl_t); | ||
361 | if (xfs_attr_fetch(ip, SGI_ACL_FILE, SGI_ACL_FILE_SIZE, | ||
362 | (char *)acl, &rval, ATTR_ROOT | ATTR_KERNACCESS, cr)) { | ||
363 | _ACL_FREE(acl); | ||
364 | return -1; | ||
365 | } | ||
366 | xfs_acl_get_endian(acl); | ||
367 | |||
368 | /* If the file has an empty ACL return -1. */ | ||
369 | if (acl->acl_cnt == XFS_ACL_NOT_PRESENT) { | ||
370 | _ACL_FREE(acl); | ||
371 | return -1; | ||
372 | } | ||
373 | |||
374 | /* Synchronize ACL with mode bits */ | ||
375 | xfs_acl_sync_mode(ip->i_d.di_mode, acl); | ||
376 | |||
377 | rval = xfs_acl_access(ip->i_d.di_uid, ip->i_d.di_gid, acl, mode, cr); | ||
378 | _ACL_FREE(acl); | ||
379 | return rval; | ||
380 | } | ||
381 | |||
382 | STATIC int | ||
383 | xfs_acl_allow_set( | ||
384 | vnode_t *vp, | ||
385 | int kind) | ||
386 | { | ||
387 | vattr_t va; | ||
388 | int error; | ||
389 | |||
390 | if (vp->v_inode.i_flags & (S_IMMUTABLE|S_APPEND)) | ||
391 | return EPERM; | ||
392 | if (kind == _ACL_TYPE_DEFAULT && vp->v_type != VDIR) | ||
393 | return ENOTDIR; | ||
394 | if (vp->v_vfsp->vfs_flag & VFS_RDONLY) | ||
395 | return EROFS; | ||
396 | va.va_mask = XFS_AT_UID; | ||
397 | VOP_GETATTR(vp, &va, 0, NULL, error); | ||
398 | if (error) | ||
399 | return error; | ||
400 | if (va.va_uid != current->fsuid && !capable(CAP_FOWNER)) | ||
401 | return EPERM; | ||
402 | return error; | ||
403 | } | ||
404 | |||
405 | /* | ||
406 | * The access control process to determine the access permission: | ||
407 | * if uid == file owner id, use the file owner bits. | ||
408 | * if gid == file owner group id, use the file group bits. | ||
409 | * scan ACL for a maching user or group, and use matched entry | ||
410 | * permission. Use total permissions of all matching group entries, | ||
411 | * until all acl entries are exhausted. The final permission produced | ||
412 | * by matching acl entry or entries needs to be & with group permission. | ||
413 | * if not owner, owning group, or matching entry in ACL, use file | ||
414 | * other bits. | ||
415 | */ | ||
416 | STATIC int | ||
417 | xfs_acl_capability_check( | ||
418 | mode_t mode, | ||
419 | cred_t *cr) | ||
420 | { | ||
421 | if ((mode & ACL_READ) && !capable_cred(cr, CAP_DAC_READ_SEARCH)) | ||
422 | return EACCES; | ||
423 | if ((mode & ACL_WRITE) && !capable_cred(cr, CAP_DAC_OVERRIDE)) | ||
424 | return EACCES; | ||
425 | if ((mode & ACL_EXECUTE) && !capable_cred(cr, CAP_DAC_OVERRIDE)) | ||
426 | return EACCES; | ||
427 | |||
428 | return 0; | ||
429 | } | ||
430 | |||
431 | /* | ||
432 | * Note: cr is only used here for the capability check if the ACL test fails. | ||
433 | * It is not used to find out the credentials uid or groups etc, as was | ||
434 | * done in IRIX. It is assumed that the uid and groups for the current | ||
435 | * thread are taken from "current" instead of the cr parameter. | ||
436 | */ | ||
437 | STATIC int | ||
438 | xfs_acl_access( | ||
439 | uid_t fuid, | ||
440 | gid_t fgid, | ||
441 | xfs_acl_t *fap, | ||
442 | mode_t md, | ||
443 | cred_t *cr) | ||
444 | { | ||
445 | xfs_acl_entry_t matched; | ||
446 | int i, allows; | ||
447 | int maskallows = -1; /* true, but not 1, either */ | ||
448 | int seen_userobj = 0; | ||
449 | |||
450 | matched.ae_tag = 0; /* Invalid type */ | ||
451 | md >>= 6; /* Normalize the bits for comparison */ | ||
452 | |||
453 | for (i = 0; i < fap->acl_cnt; i++) { | ||
454 | /* | ||
455 | * Break out if we've got a user_obj entry or | ||
456 | * a user entry and the mask (and have processed USER_OBJ) | ||
457 | */ | ||
458 | if (matched.ae_tag == ACL_USER_OBJ) | ||
459 | break; | ||
460 | if (matched.ae_tag == ACL_USER) { | ||
461 | if (maskallows != -1 && seen_userobj) | ||
462 | break; | ||
463 | if (fap->acl_entry[i].ae_tag != ACL_MASK && | ||
464 | fap->acl_entry[i].ae_tag != ACL_USER_OBJ) | ||
465 | continue; | ||
466 | } | ||
467 | /* True if this entry allows the requested access */ | ||
468 | allows = ((fap->acl_entry[i].ae_perm & md) == md); | ||
469 | |||
470 | switch (fap->acl_entry[i].ae_tag) { | ||
471 | case ACL_USER_OBJ: | ||
472 | seen_userobj = 1; | ||
473 | if (fuid != current->fsuid) | ||
474 | continue; | ||
475 | matched.ae_tag = ACL_USER_OBJ; | ||
476 | matched.ae_perm = allows; | ||
477 | break; | ||
478 | case ACL_USER: | ||
479 | if (fap->acl_entry[i].ae_id != current->fsuid) | ||
480 | continue; | ||
481 | matched.ae_tag = ACL_USER; | ||
482 | matched.ae_perm = allows; | ||
483 | break; | ||
484 | case ACL_GROUP_OBJ: | ||
485 | if ((matched.ae_tag == ACL_GROUP_OBJ || | ||
486 | matched.ae_tag == ACL_GROUP) && !allows) | ||
487 | continue; | ||
488 | if (!in_group_p(fgid)) | ||
489 | continue; | ||
490 | matched.ae_tag = ACL_GROUP_OBJ; | ||
491 | matched.ae_perm = allows; | ||
492 | break; | ||
493 | case ACL_GROUP: | ||
494 | if ((matched.ae_tag == ACL_GROUP_OBJ || | ||
495 | matched.ae_tag == ACL_GROUP) && !allows) | ||
496 | continue; | ||
497 | if (!in_group_p(fap->acl_entry[i].ae_id)) | ||
498 | continue; | ||
499 | matched.ae_tag = ACL_GROUP; | ||
500 | matched.ae_perm = allows; | ||
501 | break; | ||
502 | case ACL_MASK: | ||
503 | maskallows = allows; | ||
504 | break; | ||
505 | case ACL_OTHER: | ||
506 | if (matched.ae_tag != 0) | ||
507 | continue; | ||
508 | matched.ae_tag = ACL_OTHER; | ||
509 | matched.ae_perm = allows; | ||
510 | break; | ||
511 | } | ||
512 | } | ||
513 | /* | ||
514 | * First possibility is that no matched entry allows access. | ||
515 | * The capability to override DAC may exist, so check for it. | ||
516 | */ | ||
517 | switch (matched.ae_tag) { | ||
518 | case ACL_OTHER: | ||
519 | case ACL_USER_OBJ: | ||
520 | if (matched.ae_perm) | ||
521 | return 0; | ||
522 | break; | ||
523 | case ACL_USER: | ||
524 | case ACL_GROUP_OBJ: | ||
525 | case ACL_GROUP: | ||
526 | if (maskallows && matched.ae_perm) | ||
527 | return 0; | ||
528 | break; | ||
529 | case 0: | ||
530 | break; | ||
531 | } | ||
532 | |||
533 | return xfs_acl_capability_check(md, cr); | ||
534 | } | ||
535 | |||
536 | /* | ||
537 | * ACL validity checker. | ||
538 | * This acl validation routine checks each ACL entry read in makes sense. | ||
539 | */ | ||
540 | STATIC int | ||
541 | xfs_acl_invalid( | ||
542 | xfs_acl_t *aclp) | ||
543 | { | ||
544 | xfs_acl_entry_t *entry, *e; | ||
545 | int user = 0, group = 0, other = 0, mask = 0; | ||
546 | int mask_required = 0; | ||
547 | int i, j; | ||
548 | |||
549 | if (!aclp) | ||
550 | goto acl_invalid; | ||
551 | |||
552 | if (aclp->acl_cnt > XFS_ACL_MAX_ENTRIES) | ||
553 | goto acl_invalid; | ||
554 | |||
555 | for (i = 0; i < aclp->acl_cnt; i++) { | ||
556 | entry = &aclp->acl_entry[i]; | ||
557 | switch (entry->ae_tag) { | ||
558 | case ACL_USER_OBJ: | ||
559 | if (user++) | ||
560 | goto acl_invalid; | ||
561 | break; | ||
562 | case ACL_GROUP_OBJ: | ||
563 | if (group++) | ||
564 | goto acl_invalid; | ||
565 | break; | ||
566 | case ACL_OTHER: | ||
567 | if (other++) | ||
568 | goto acl_invalid; | ||
569 | break; | ||
570 | case ACL_USER: | ||
571 | case ACL_GROUP: | ||
572 | for (j = i + 1; j < aclp->acl_cnt; j++) { | ||
573 | e = &aclp->acl_entry[j]; | ||
574 | if (e->ae_id == entry->ae_id && | ||
575 | e->ae_tag == entry->ae_tag) | ||
576 | goto acl_invalid; | ||
577 | } | ||
578 | mask_required++; | ||
579 | break; | ||
580 | case ACL_MASK: | ||
581 | if (mask++) | ||
582 | goto acl_invalid; | ||
583 | break; | ||
584 | default: | ||
585 | goto acl_invalid; | ||
586 | } | ||
587 | } | ||
588 | if (!user || !group || !other || (mask_required && !mask)) | ||
589 | goto acl_invalid; | ||
590 | else | ||
591 | return 0; | ||
592 | acl_invalid: | ||
593 | return EINVAL; | ||
594 | } | ||
595 | |||
596 | /* | ||
597 | * Do ACL endian conversion. | ||
598 | */ | ||
599 | STATIC void | ||
600 | xfs_acl_get_endian( | ||
601 | xfs_acl_t *aclp) | ||
602 | { | ||
603 | xfs_acl_entry_t *ace, *end; | ||
604 | |||
605 | INT_SET(aclp->acl_cnt, ARCH_CONVERT, aclp->acl_cnt); | ||
606 | end = &aclp->acl_entry[0]+aclp->acl_cnt; | ||
607 | for (ace = &aclp->acl_entry[0]; ace < end; ace++) { | ||
608 | INT_SET(ace->ae_tag, ARCH_CONVERT, ace->ae_tag); | ||
609 | INT_SET(ace->ae_id, ARCH_CONVERT, ace->ae_id); | ||
610 | INT_SET(ace->ae_perm, ARCH_CONVERT, ace->ae_perm); | ||
611 | } | ||
612 | } | ||
613 | |||
614 | /* | ||
615 | * Get the ACL from the EA and do endian conversion. | ||
616 | */ | ||
617 | STATIC void | ||
618 | xfs_acl_get_attr( | ||
619 | vnode_t *vp, | ||
620 | xfs_acl_t *aclp, | ||
621 | int kind, | ||
622 | int flags, | ||
623 | int *error) | ||
624 | { | ||
625 | int len = sizeof(xfs_acl_t); | ||
626 | |||
627 | ASSERT((flags & ATTR_KERNOVAL) ? (aclp == NULL) : 1); | ||
628 | flags |= ATTR_ROOT; | ||
629 | VOP_ATTR_GET(vp, | ||
630 | kind == _ACL_TYPE_ACCESS ? SGI_ACL_FILE : SGI_ACL_DEFAULT, | ||
631 | (char *)aclp, &len, flags, sys_cred, *error); | ||
632 | if (*error || (flags & ATTR_KERNOVAL)) | ||
633 | return; | ||
634 | xfs_acl_get_endian(aclp); | ||
635 | } | ||
636 | |||
637 | /* | ||
638 | * Set the EA with the ACL and do endian conversion. | ||
639 | */ | ||
640 | STATIC void | ||
641 | xfs_acl_set_attr( | ||
642 | vnode_t *vp, | ||
643 | xfs_acl_t *aclp, | ||
644 | int kind, | ||
645 | int *error) | ||
646 | { | ||
647 | xfs_acl_entry_t *ace, *newace, *end; | ||
648 | xfs_acl_t *newacl; | ||
649 | int len; | ||
650 | |||
651 | if (!(_ACL_ALLOC(newacl))) { | ||
652 | *error = ENOMEM; | ||
653 | return; | ||
654 | } | ||
655 | |||
656 | len = sizeof(xfs_acl_t) - | ||
657 | (sizeof(xfs_acl_entry_t) * (XFS_ACL_MAX_ENTRIES - aclp->acl_cnt)); | ||
658 | end = &aclp->acl_entry[0]+aclp->acl_cnt; | ||
659 | for (ace = &aclp->acl_entry[0], newace = &newacl->acl_entry[0]; | ||
660 | ace < end; | ||
661 | ace++, newace++) { | ||
662 | INT_SET(newace->ae_tag, ARCH_CONVERT, ace->ae_tag); | ||
663 | INT_SET(newace->ae_id, ARCH_CONVERT, ace->ae_id); | ||
664 | INT_SET(newace->ae_perm, ARCH_CONVERT, ace->ae_perm); | ||
665 | } | ||
666 | INT_SET(newacl->acl_cnt, ARCH_CONVERT, aclp->acl_cnt); | ||
667 | VOP_ATTR_SET(vp, | ||
668 | kind == _ACL_TYPE_ACCESS ? SGI_ACL_FILE: SGI_ACL_DEFAULT, | ||
669 | (char *)newacl, len, ATTR_ROOT, sys_cred, *error); | ||
670 | _ACL_FREE(newacl); | ||
671 | } | ||
672 | |||
673 | int | ||
674 | xfs_acl_vtoacl( | ||
675 | vnode_t *vp, | ||
676 | xfs_acl_t *access_acl, | ||
677 | xfs_acl_t *default_acl) | ||
678 | { | ||
679 | vattr_t va; | ||
680 | int error = 0; | ||
681 | |||
682 | if (access_acl) { | ||
683 | /* | ||
684 | * Get the Access ACL and the mode. If either cannot | ||
685 | * be obtained for some reason, invalidate the access ACL. | ||
686 | */ | ||
687 | xfs_acl_get_attr(vp, access_acl, _ACL_TYPE_ACCESS, 0, &error); | ||
688 | if (!error) { | ||
689 | /* Got the ACL, need the mode... */ | ||
690 | va.va_mask = XFS_AT_MODE; | ||
691 | VOP_GETATTR(vp, &va, 0, sys_cred, error); | ||
692 | } | ||
693 | |||
694 | if (error) | ||
695 | access_acl->acl_cnt = XFS_ACL_NOT_PRESENT; | ||
696 | else /* We have a good ACL and the file mode, synchronize. */ | ||
697 | xfs_acl_sync_mode(va.va_mode, access_acl); | ||
698 | } | ||
699 | |||
700 | if (default_acl) { | ||
701 | xfs_acl_get_attr(vp, default_acl, _ACL_TYPE_DEFAULT, 0, &error); | ||
702 | if (error) | ||
703 | default_acl->acl_cnt = XFS_ACL_NOT_PRESENT; | ||
704 | } | ||
705 | return error; | ||
706 | } | ||
707 | |||
708 | /* | ||
709 | * This function retrieves the parent directory's acl, processes it | ||
710 | * and lets the child inherit the acl(s) that it should. | ||
711 | */ | ||
712 | int | ||
713 | xfs_acl_inherit( | ||
714 | vnode_t *vp, | ||
715 | vattr_t *vap, | ||
716 | xfs_acl_t *pdaclp) | ||
717 | { | ||
718 | xfs_acl_t *cacl; | ||
719 | int error = 0; | ||
720 | int basicperms = 0; | ||
721 | |||
722 | /* | ||
723 | * If the parent does not have a default ACL, or it's an | ||
724 | * invalid ACL, we're done. | ||
725 | */ | ||
726 | if (!vp) | ||
727 | return 0; | ||
728 | if (!pdaclp || xfs_acl_invalid(pdaclp)) | ||
729 | return 0; | ||
730 | |||
731 | /* | ||
732 | * Copy the default ACL of the containing directory to | ||
733 | * the access ACL of the new file and use the mode that | ||
734 | * was passed in to set up the correct initial values for | ||
735 | * the u::,g::[m::], and o:: entries. This is what makes | ||
736 | * umask() "work" with ACL's. | ||
737 | */ | ||
738 | |||
739 | if (!(_ACL_ALLOC(cacl))) | ||
740 | return ENOMEM; | ||
741 | |||
742 | memcpy(cacl, pdaclp, sizeof(xfs_acl_t)); | ||
743 | xfs_acl_filter_mode(vap->va_mode, cacl); | ||
744 | xfs_acl_setmode(vp, cacl, &basicperms); | ||
745 | |||
746 | /* | ||
747 | * Set the Default and Access ACL on the file. The mode is already | ||
748 | * set on the file, so we don't need to worry about that. | ||
749 | * | ||
750 | * If the new file is a directory, its default ACL is a copy of | ||
751 | * the containing directory's default ACL. | ||
752 | */ | ||
753 | if (vp->v_type == VDIR) | ||
754 | xfs_acl_set_attr(vp, pdaclp, _ACL_TYPE_DEFAULT, &error); | ||
755 | if (!error && !basicperms) | ||
756 | xfs_acl_set_attr(vp, cacl, _ACL_TYPE_ACCESS, &error); | ||
757 | _ACL_FREE(cacl); | ||
758 | return error; | ||
759 | } | ||
760 | |||
761 | /* | ||
762 | * Set up the correct mode on the file based on the supplied ACL. This | ||
763 | * makes sure that the mode on the file reflects the state of the | ||
764 | * u::,g::[m::], and o:: entries in the ACL. Since the mode is where | ||
765 | * the ACL is going to get the permissions for these entries, we must | ||
766 | * synchronize the mode whenever we set the ACL on a file. | ||
767 | */ | ||
768 | STATIC int | ||
769 | xfs_acl_setmode( | ||
770 | vnode_t *vp, | ||
771 | xfs_acl_t *acl, | ||
772 | int *basicperms) | ||
773 | { | ||
774 | vattr_t va; | ||
775 | xfs_acl_entry_t *ap; | ||
776 | xfs_acl_entry_t *gap = NULL; | ||
777 | int i, error, nomask = 1; | ||
778 | |||
779 | *basicperms = 1; | ||
780 | |||
781 | if (acl->acl_cnt == XFS_ACL_NOT_PRESENT) | ||
782 | return 0; | ||
783 | |||
784 | /* | ||
785 | * Copy the u::, g::, o::, and m:: bits from the ACL into the | ||
786 | * mode. The m:: bits take precedence over the g:: bits. | ||
787 | */ | ||
788 | va.va_mask = XFS_AT_MODE; | ||
789 | VOP_GETATTR(vp, &va, 0, sys_cred, error); | ||
790 | if (error) | ||
791 | return error; | ||
792 | |||
793 | va.va_mask = XFS_AT_MODE; | ||
794 | va.va_mode &= ~(S_IRWXU|S_IRWXG|S_IRWXO); | ||
795 | ap = acl->acl_entry; | ||
796 | for (i = 0; i < acl->acl_cnt; ++i) { | ||
797 | switch (ap->ae_tag) { | ||
798 | case ACL_USER_OBJ: | ||
799 | va.va_mode |= ap->ae_perm << 6; | ||
800 | break; | ||
801 | case ACL_GROUP_OBJ: | ||
802 | gap = ap; | ||
803 | break; | ||
804 | case ACL_MASK: /* more than just standard modes */ | ||
805 | nomask = 0; | ||
806 | va.va_mode |= ap->ae_perm << 3; | ||
807 | *basicperms = 0; | ||
808 | break; | ||
809 | case ACL_OTHER: | ||
810 | va.va_mode |= ap->ae_perm; | ||
811 | break; | ||
812 | default: /* more than just standard modes */ | ||
813 | *basicperms = 0; | ||
814 | break; | ||
815 | } | ||
816 | ap++; | ||
817 | } | ||
818 | |||
819 | /* Set the group bits from ACL_GROUP_OBJ if there's no ACL_MASK */ | ||
820 | if (gap && nomask) | ||
821 | va.va_mode |= gap->ae_perm << 3; | ||
822 | |||
823 | VOP_SETATTR(vp, &va, 0, sys_cred, error); | ||
824 | return error; | ||
825 | } | ||
826 | |||
827 | /* | ||
828 | * The permissions for the special ACL entries (u::, g::[m::], o::) are | ||
829 | * actually stored in the file mode (if there is both a group and a mask, | ||
830 | * the group is stored in the ACL entry and the mask is stored on the file). | ||
831 | * This allows the mode to remain automatically in sync with the ACL without | ||
832 | * the need for a call-back to the ACL system at every point where the mode | ||
833 | * could change. This function takes the permissions from the specified mode | ||
834 | * and places it in the supplied ACL. | ||
835 | * | ||
836 | * This implementation draws its validity from the fact that, when the ACL | ||
837 | * was assigned, the mode was copied from the ACL. | ||
838 | * If the mode did not change, therefore, the mode remains exactly what was | ||
839 | * taken from the special ACL entries at assignment. | ||
840 | * If a subsequent chmod() was done, the POSIX spec says that the change in | ||
841 | * mode must cause an update to the ACL seen at user level and used for | ||
842 | * access checks. Before and after a mode change, therefore, the file mode | ||
843 | * most accurately reflects what the special ACL entries should permit/deny. | ||
844 | * | ||
845 | * CAVEAT: If someone sets the SGI_ACL_FILE attribute directly, | ||
846 | * the existing mode bits will override whatever is in the | ||
847 | * ACL. Similarly, if there is a pre-existing ACL that was | ||
848 | * never in sync with its mode (owing to a bug in 6.5 and | ||
849 | * before), it will now magically (or mystically) be | ||
850 | * synchronized. This could cause slight astonishment, but | ||
851 | * it is better than inconsistent permissions. | ||
852 | * | ||
853 | * The supplied ACL is a template that may contain any combination | ||
854 | * of special entries. These are treated as place holders when we fill | ||
855 | * out the ACL. This routine does not add or remove special entries, it | ||
856 | * simply unites each special entry with its associated set of permissions. | ||
857 | */ | ||
858 | STATIC void | ||
859 | xfs_acl_sync_mode( | ||
860 | mode_t mode, | ||
861 | xfs_acl_t *acl) | ||
862 | { | ||
863 | int i, nomask = 1; | ||
864 | xfs_acl_entry_t *ap; | ||
865 | xfs_acl_entry_t *gap = NULL; | ||
866 | |||
867 | /* | ||
868 | * Set ACL entries. POSIX1003.1eD16 requires that the MASK | ||
869 | * be set instead of the GROUP entry, if there is a MASK. | ||
870 | */ | ||
871 | for (ap = acl->acl_entry, i = 0; i < acl->acl_cnt; ap++, i++) { | ||
872 | switch (ap->ae_tag) { | ||
873 | case ACL_USER_OBJ: | ||
874 | ap->ae_perm = (mode >> 6) & 0x7; | ||
875 | break; | ||
876 | case ACL_GROUP_OBJ: | ||
877 | gap = ap; | ||
878 | break; | ||
879 | case ACL_MASK: | ||
880 | nomask = 0; | ||
881 | ap->ae_perm = (mode >> 3) & 0x7; | ||
882 | break; | ||
883 | case ACL_OTHER: | ||
884 | ap->ae_perm = mode & 0x7; | ||
885 | break; | ||
886 | default: | ||
887 | break; | ||
888 | } | ||
889 | } | ||
890 | /* Set the ACL_GROUP_OBJ if there's no ACL_MASK */ | ||
891 | if (gap && nomask) | ||
892 | gap->ae_perm = (mode >> 3) & 0x7; | ||
893 | } | ||
894 | |||
895 | /* | ||
896 | * When inheriting an Access ACL from a directory Default ACL, | ||
897 | * the ACL bits are set to the intersection of the ACL default | ||
898 | * permission bits and the file permission bits in mode. If there | ||
899 | * are no permission bits on the file then we must not give them | ||
900 | * the ACL. This is what what makes umask() work with ACLs. | ||
901 | */ | ||
902 | STATIC void | ||
903 | xfs_acl_filter_mode( | ||
904 | mode_t mode, | ||
905 | xfs_acl_t *acl) | ||
906 | { | ||
907 | int i, nomask = 1; | ||
908 | xfs_acl_entry_t *ap; | ||
909 | xfs_acl_entry_t *gap = NULL; | ||
910 | |||
911 | /* | ||
912 | * Set ACL entries. POSIX1003.1eD16 requires that the MASK | ||
913 | * be merged with GROUP entry, if there is a MASK. | ||
914 | */ | ||
915 | for (ap = acl->acl_entry, i = 0; i < acl->acl_cnt; ap++, i++) { | ||
916 | switch (ap->ae_tag) { | ||
917 | case ACL_USER_OBJ: | ||
918 | ap->ae_perm &= (mode >> 6) & 0x7; | ||
919 | break; | ||
920 | case ACL_GROUP_OBJ: | ||
921 | gap = ap; | ||
922 | break; | ||
923 | case ACL_MASK: | ||
924 | nomask = 0; | ||
925 | ap->ae_perm &= (mode >> 3) & 0x7; | ||
926 | break; | ||
927 | case ACL_OTHER: | ||
928 | ap->ae_perm &= mode & 0x7; | ||
929 | break; | ||
930 | default: | ||
931 | break; | ||
932 | } | ||
933 | } | ||
934 | /* Set the ACL_GROUP_OBJ if there's no ACL_MASK */ | ||
935 | if (gap && nomask) | ||
936 | gap->ae_perm &= (mode >> 3) & 0x7; | ||
937 | } | ||