1 files changed, 145 insertions, 45 deletions
diff --git a/fs/nfsd/nfs4acl.c b/fs/nfsd/nfs4acl.c
index 8daa3f8bb303..0a69cce33efe 100644
--- a/fs/nfsd/nfs4acl.c
+++ b/fs/nfsd/nfs4acl.c
@@ -89,12 +89,19 @@ mask_from_posix(unsigned short perm, unsigned int flags)
 }
 static u32
-deny_mask(u32 allow_mask, unsigned int flags)
+deny_mask_from_posix(unsigned short perm, u32 flags)
 {
-        u32 ret = ~allow_mask & ~NFS4_MASK_UNSUPP;
+        u32 mask = 0;
-        if (!(flags & NFS4_ACL_DIR))
-                ret &= ~NFS4_ACE_DELETE_CHILD;
+        if (perm & ACL_READ)
-        return ret;
+                mask |= NFS4_READ_MODE;
+        if (perm & ACL_WRITE)
+                mask |= NFS4_WRITE_MODE;
+        if ((perm & ACL_WRITE) && (flags & NFS4_ACL_DIR))
+                mask |= NFS4_ACE_DELETE_CHILD;
+        if (perm & ACL_EXECUTE)
+                mask |= NFS4_EXECUTE_MODE;
+        return mask;
 }
 /* XXX: modify functions to return NFS errors; they're only ever
@@ -164,14 +171,51 @@ nfs4_acl_posix_to_nfsv4(struct posix_acl *pacl, struct posix_acl *dpacl,
        return acl;
 }
+struct posix_acl_summary {
+        unsigned short owner;
+        unsigned short users;
+        unsigned short group;
+        unsigned short groups;
+        unsigned short other;
+        unsigned short mask;
+};
 static void
-nfs4_acl_add_pair(struct nfs4_acl *acl, int eflag, u32 mask, int whotype,
+summarize_posix_acl(struct posix_acl *acl, struct posix_acl_summary *pas)
-                uid_t owner, unsigned int flags)
 {
-        nfs4_acl_add_ace(acl, NFS4_ACE_ACCESS_ALLOWED_ACE_TYPE,
+        struct posix_acl_entry *pa, *pe;
-                                 eflag, mask, whotype, owner);
+        pas->users = 0;
-        nfs4_acl_add_ace(acl, NFS4_ACE_ACCESS_DENIED_ACE_TYPE,
+        pas->groups = 0;
-                                eflag, deny_mask(mask, flags), whotype, owner);
+        pas->mask = 07;
+        pe = acl->a_entries + acl->a_count;
+        FOREACH_ACL_ENTRY(pa, acl, pe) {
+                switch (pa->e_tag) {
+                        case ACL_USER_OBJ:
+                                pas->owner = pa->e_perm;
+                                break;
+                        case ACL_GROUP_OBJ:
+                                pas->group = pa->e_perm;
+                                break;
+                        case ACL_USER:
+                                pas->users |= pa->e_perm;
+                                break;
+                        case ACL_GROUP:
+                                pas->groups |= pa->e_perm;
+                                break;
+                        case ACL_OTHER:
+                                pas->other = pa->e_perm;
+                                break;
+                        case ACL_MASK:
+                                pas->mask = pa->e_perm;
+                                break;
+                }
+        }
+        /* We'll only care about effective permissions: */
+        pas->users &= pas->mask;
+        pas->group &= pas->mask;
+        pas->groups &= pas->mask;
 }
 /* We assume the acl has been verified with posix_acl_valid. */
@@ -179,30 +223,63 @@ static void
 _posix_to_nfsv4_one(struct posix_acl *pacl, struct nfs4_acl *acl,
                                                unsigned int flags)
 {
-        struct posix_acl_entry *pa, *pe, *group_owner_entry;
+        struct posix_acl_entry *pa, *group_owner_entry;
-        u32 mask;
+        struct nfs4_ace *ace;
-        unsigned short mask_mask;
+        struct posix_acl_summary pas;
+        unsigned short deny;
        int eflag = ((flags & NFS4_ACL_TYPE_DEFAULT) ?
                                        NFS4_INHERITANCE_FLAGS : 0);
        BUG_ON(pacl->a_count < 3);
-        pe = pacl->a_entries + pacl->a_count;
+        summarize_posix_acl(pacl, &pas);
-        pa = pe - 2; /* if mask entry exists, it's second from the last. */
-        if (pa->e_tag == ACL_MASK)
-                mask_mask = pa->e_perm;
-        else
-                mask_mask = S_IRWXO;
        pa = pacl->a_entries;
-        BUG_ON(pa->e_tag != ACL_USER_OBJ);
+        ace = acl->aces + acl->naces;
-        mask = mask_from_posix(pa->e_perm, flags | NFS4_ACL_OWNER);
-        nfs4_acl_add_pair(acl, eflag, mask, NFS4_ACL_WHO_OWNER, 0, flags);
+        /* We could deny everything not granted by the owner: */
+        deny = ~pas.owner;
+        /*
+         * but it is equivalent (and simpler) to deny only what is not
+         * granted by later entries:
+         */
+        deny &= pas.users | pas.group | pas.groups | pas.other;
+        if (deny) {
+                ace->type = NFS4_ACE_ACCESS_DENIED_ACE_TYPE;
+                ace->flag = eflag;
+                ace->access_mask = deny_mask_from_posix(deny, flags);
+                ace->whotype = NFS4_ACL_WHO_OWNER;
+                ace++;
+                acl->naces++;
+        }
+        ace->type = NFS4_ACE_ACCESS_ALLOWED_ACE_TYPE;
+        ace->flag = eflag;
+        ace->access_mask = mask_from_posix(pa->e_perm, flags | NFS4_ACL_OWNER);
+        ace->whotype = NFS4_ACL_WHO_OWNER;
+        ace++;
+        acl->naces++;
        pa++;
        while (pa->e_tag == ACL_USER) {
-                mask = mask_from_posix(pa->e_perm & mask_mask, flags);
+                deny = ~(pa->e_perm & pas.mask);
-                nfs4_acl_add_pair(acl, eflag, mask,
+                deny &= pas.groups | pas.group | pas.other;
-                                NFS4_ACL_WHO_NAMED, pa->e_id, flags);
+                if (deny) {
+                        ace->type = NFS4_ACE_ACCESS_DENIED_ACE_TYPE;
+                        ace->flag = eflag;
+                        ace->access_mask = deny_mask_from_posix(deny, flags);
+                        ace->whotype = NFS4_ACL_WHO_NAMED;
+                        ace->who = pa->e_id;
+                        ace++;
+                        acl->naces++;
+                }
+                ace->type = NFS4_ACE_ACCESS_ALLOWED_ACE_TYPE;
+                ace->flag = eflag;
+                ace->access_mask = mask_from_posix(pa->e_perm & pas.mask,
+                                                   flags);
+                ace->whotype = NFS4_ACL_WHO_NAMED;
+                ace->who = pa->e_id;
+                ace++;
+                acl->naces++;
                pa++;
        }
@@ -212,41 +289,64 @@ _posix_to_nfsv4_one(struct posix_acl *pacl, struct nfs4_acl *acl,
        /* allow ACEs */
        group_owner_entry = pa;
-        mask = mask_from_posix(pa->e_perm & mask_mask, flags);
-        nfs4_acl_add_ace(acl, NFS4_ACE_ACCESS_ALLOWED_ACE_TYPE,
+        ace->type = NFS4_ACE_ACCESS_ALLOWED_ACE_TYPE;
-                        NFS4_ACE_IDENTIFIER_GROUP | eflag, mask,
+        ace->flag = eflag;
-                        NFS4_ACL_WHO_GROUP, 0);
+        ace->access_mask = mask_from_posix(pas.group, flags);
+        ace->whotype = NFS4_ACL_WHO_GROUP;
+        ace++;
+        acl->naces++;
        pa++;
        while (pa->e_tag == ACL_GROUP) {
-                mask = mask_from_posix(pa->e_perm & mask_mask, flags);
+                ace->type = NFS4_ACE_ACCESS_ALLOWED_ACE_TYPE;
-                nfs4_acl_add_ace(acl, NFS4_ACE_ACCESS_ALLOWED_ACE_TYPE,
+                ace->flag = eflag | NFS4_ACE_IDENTIFIER_GROUP;
-                                NFS4_ACE_IDENTIFIER_GROUP | eflag, mask,
+                ace->access_mask = mask_from_posix(pa->e_perm & pas.mask,
-                                NFS4_ACL_WHO_NAMED, pa->e_id);
+                                                   flags);
+                ace->whotype = NFS4_ACL_WHO_NAMED;
+                ace->who = pa->e_id;
+                ace++;
+                acl->naces++;
                pa++;
        }
        /* deny ACEs */
        pa = group_owner_entry;
-        mask = mask_from_posix(pa->e_perm, flags);
-        nfs4_acl_add_ace(acl, NFS4_ACE_ACCESS_DENIED_ACE_TYPE,
+        deny = ~pas.group & pas.other;
-                        NFS4_ACE_IDENTIFIER_GROUP | eflag,
+        if (deny) {
-                        deny_mask(mask, flags), NFS4_ACL_WHO_GROUP, 0);
+                ace->type = NFS4_ACE_ACCESS_DENIED_ACE_TYPE;
+                ace->flag = eflag | NFS4_ACE_IDENTIFIER_GROUP;
+                ace->access_mask = deny_mask_from_posix(deny, flags);
+                ace->whotype = NFS4_ACL_WHO_GROUP;
+                ace++;
+                acl->naces++;
+        }
        pa++;
        while (pa->e_tag == ACL_GROUP) {
-                mask = mask_from_posix(pa->e_perm, flags);
+                deny = ~(pa->e_perm & pas.mask);
-                nfs4_acl_add_ace(acl, NFS4_ACE_ACCESS_DENIED_ACE_TYPE,
+                deny &= pas.other;
-                                NFS4_ACE_IDENTIFIER_GROUP | eflag,
+                if (deny) {
-                                deny_mask(mask, flags), NFS4_ACL_WHO_NAMED, pa->e_id);
+                        ace->type = NFS4_ACE_ACCESS_DENIED_ACE_TYPE;
+                        ace->flag = eflag | NFS4_ACE_IDENTIFIER_GROUP;
+                        ace->access_mask = mask_from_posix(deny, flags);
+                        ace->whotype = NFS4_ACL_WHO_NAMED;
+                        ace->who = pa->e_id;
+                        ace++;
+                        acl->naces++;
+                }
                pa++;
        }
        if (pa->e_tag == ACL_MASK)
                pa++;
-        BUG_ON(pa->e_tag != ACL_OTHER);
+        ace->type = NFS4_ACE_ACCESS_ALLOWED_ACE_TYPE;
-        mask = mask_from_posix(pa->e_perm, flags);
+        ace->flag = eflag;
-        nfs4_acl_add_pair(acl, eflag, mask, NFS4_ACL_WHO_EVERYONE, 0, flags);
+        ace->access_mask = mask_from_posix(pa->e_perm, flags);
+        ace->whotype = NFS4_ACL_WHO_EVERYONE;
+        acl->naces++;
 }
 static void

diff --git a/fs/nfsd/nfs4acl.c b/fs/nfsd/nfs4acl.c index 8daa3f8bb303..0a69cce33efe 100644 --- a/fs/nfsd/nfs4acl.c +++ b/fs/nfsd/nfs4acl.c
@@ -89,12 +89,19 @@ mask_from_posix(unsigned short perm, unsigned int flags)
89	}	89	}
90		90
91	static u32	91	static u32
92	deny_mask(u32 allow_mask, unsigned int flags)	92	deny_mask_from_posix(unsigned short perm, u32 flags)
93	{	93	{
94	u32 ret = ~allow_mask & ~NFS4_MASK_UNSUPP;	94	u32 mask = 0;
95	if (!(flags & NFS4_ACL_DIR))	95
96	ret &= ~NFS4_ACE_DELETE_CHILD;	96	if (perm & ACL_READ)
97	return ret;	97	mask \|= NFS4_READ_MODE;
		98	if (perm & ACL_WRITE)
		99	mask \|= NFS4_WRITE_MODE;
		100	if ((perm & ACL_WRITE) && (flags & NFS4_ACL_DIR))
		101	mask \|= NFS4_ACE_DELETE_CHILD;
		102	if (perm & ACL_EXECUTE)
		103	mask \|= NFS4_EXECUTE_MODE;
		104	return mask;
98	}	105	}
99		106
100	/* XXX: modify functions to return NFS errors; they're only ever	107	/* XXX: modify functions to return NFS errors; they're only ever
@@ -164,14 +171,51 @@ nfs4_acl_posix_to_nfsv4(struct posix_acl pacl, struct posix_acl dpacl,
164	return acl;	171	return acl;
165	}	172	}
166		173
		174	struct posix_acl_summary {
		175	unsigned short owner;
		176	unsigned short users;
		177	unsigned short group;
		178	unsigned short groups;
		179	unsigned short other;
		180	unsigned short mask;
		181	};
		182
167	static void	183	static void
168	nfs4_acl_add_pair(struct nfs4_acl *acl, int eflag, u32 mask, int whotype,	184	summarize_posix_acl(struct posix_acl acl, struct posix_acl_summary pas)
169	uid_t owner, unsigned int flags)
170	{	185	{
171	nfs4_acl_add_ace(acl, NFS4_ACE_ACCESS_ALLOWED_ACE_TYPE,	186	struct posix_acl_entry pa, pe;
172	eflag, mask, whotype, owner);	187	pas->users = 0;
173	nfs4_acl_add_ace(acl, NFS4_ACE_ACCESS_DENIED_ACE_TYPE,	188	pas->groups = 0;
174	eflag, deny_mask(mask, flags), whotype, owner);	189	pas->mask = 07;
		190
		191	pe = acl->a_entries + acl->a_count;
		192
		193	FOREACH_ACL_ENTRY(pa, acl, pe) {
		194	switch (pa->e_tag) {
		195	case ACL_USER_OBJ:
		196	pas->owner = pa->e_perm;
		197	break;
		198	case ACL_GROUP_OBJ:
		199	pas->group = pa->e_perm;
		200	break;
		201	case ACL_USER:
		202	pas->users \|= pa->e_perm;
		203	break;
		204	case ACL_GROUP:
		205	pas->groups \|= pa->e_perm;
		206	break;
		207	case ACL_OTHER:
		208	pas->other = pa->e_perm;
		209	break;
		210	case ACL_MASK:
		211	pas->mask = pa->e_perm;
		212	break;
		213	}
		214	}
		215	/* We'll only care about effective permissions: */
		216	pas->users &= pas->mask;
		217	pas->group &= pas->mask;
		218	pas->groups &= pas->mask;
175	}	219	}
176		220
177	/* We assume the acl has been verified with posix_acl_valid. */	221	/* We assume the acl has been verified with posix_acl_valid. */
@@ -179,30 +223,63 @@ static void
179	_posix_to_nfsv4_one(struct posix_acl pacl, struct nfs4_acl acl,	223	_posix_to_nfsv4_one(struct posix_acl pacl, struct nfs4_acl acl,
180	unsigned int flags)	224	unsigned int flags)
181	{	225	{
182	struct posix_acl_entry pa, pe, *group_owner_entry;	226	struct posix_acl_entry pa, group_owner_entry;
183	u32 mask;	227	struct nfs4_ace *ace;
184	unsigned short mask_mask;	228	struct posix_acl_summary pas;
		229	unsigned short deny;
185	int eflag = ((flags & NFS4_ACL_TYPE_DEFAULT) ?	230	int eflag = ((flags & NFS4_ACL_TYPE_DEFAULT) ?
186	NFS4_INHERITANCE_FLAGS : 0);	231	NFS4_INHERITANCE_FLAGS : 0);
187		232
188	BUG_ON(pacl->a_count < 3);	233	BUG_ON(pacl->a_count < 3);
189	pe = pacl->a_entries + pacl->a_count;	234	summarize_posix_acl(pacl, &pas);
190	pa = pe - 2; /* if mask entry exists, it's second from the last. */
191	if (pa->e_tag == ACL_MASK)
192	mask_mask = pa->e_perm;
193	else
194	mask_mask = S_IRWXO;
195		235
196	pa = pacl->a_entries;	236	pa = pacl->a_entries;
197	BUG_ON(pa->e_tag != ACL_USER_OBJ);	237	ace = acl->aces + acl->naces;
198	mask = mask_from_posix(pa->e_perm, flags \| NFS4_ACL_OWNER);	238
199	nfs4_acl_add_pair(acl, eflag, mask, NFS4_ACL_WHO_OWNER, 0, flags);	239	/* We could deny everything not granted by the owner: */
		240	deny = ~pas.owner;
		241	/*
		242	* but it is equivalent (and simpler) to deny only what is not
		243	* granted by later entries:
		244	*/
		245	deny &= pas.users \| pas.group \| pas.groups \| pas.other;
		246	if (deny) {
		247	ace->type = NFS4_ACE_ACCESS_DENIED_ACE_TYPE;
		248	ace->flag = eflag;
		249	ace->access_mask = deny_mask_from_posix(deny, flags);
		250	ace->whotype = NFS4_ACL_WHO_OWNER;
		251	ace++;
		252	acl->naces++;
		253	}
		254
		255	ace->type = NFS4_ACE_ACCESS_ALLOWED_ACE_TYPE;
		256	ace->flag = eflag;
		257	ace->access_mask = mask_from_posix(pa->e_perm, flags \| NFS4_ACL_OWNER);
		258	ace->whotype = NFS4_ACL_WHO_OWNER;
		259	ace++;
		260	acl->naces++;
200	pa++;	261	pa++;
201		262
202	while (pa->e_tag == ACL_USER) {	263	while (pa->e_tag == ACL_USER) {
203	mask = mask_from_posix(pa->e_perm & mask_mask, flags);	264	deny = ~(pa->e_perm & pas.mask);
204	nfs4_acl_add_pair(acl, eflag, mask,	265	deny &= pas.groups \| pas.group \| pas.other;
205	NFS4_ACL_WHO_NAMED, pa->e_id, flags);	266	if (deny) {
		267	ace->type = NFS4_ACE_ACCESS_DENIED_ACE_TYPE;
		268	ace->flag = eflag;
		269	ace->access_mask = deny_mask_from_posix(deny, flags);
		270	ace->whotype = NFS4_ACL_WHO_NAMED;
		271	ace->who = pa->e_id;
		272	ace++;
		273	acl->naces++;
		274	}
		275	ace->type = NFS4_ACE_ACCESS_ALLOWED_ACE_TYPE;
		276	ace->flag = eflag;
		277	ace->access_mask = mask_from_posix(pa->e_perm & pas.mask,
		278	flags);
		279	ace->whotype = NFS4_ACL_WHO_NAMED;
		280	ace->who = pa->e_id;
		281	ace++;
		282	acl->naces++;
206	pa++;	283	pa++;
207	}	284	}
208		285
@@ -212,41 +289,64 @@ _posix_to_nfsv4_one(struct posix_acl pacl, struct nfs4_acl acl,
212	/* allow ACEs */	289	/* allow ACEs */
213		290
214	group_owner_entry = pa;	291	group_owner_entry = pa;
215	mask = mask_from_posix(pa->e_perm & mask_mask, flags);	292
216	nfs4_acl_add_ace(acl, NFS4_ACE_ACCESS_ALLOWED_ACE_TYPE,	293	ace->type = NFS4_ACE_ACCESS_ALLOWED_ACE_TYPE;
217	NFS4_ACE_IDENTIFIER_GROUP \| eflag, mask,	294	ace->flag = eflag;
218	NFS4_ACL_WHO_GROUP, 0);	295	ace->access_mask = mask_from_posix(pas.group, flags);
		296	ace->whotype = NFS4_ACL_WHO_GROUP;
		297	ace++;
		298	acl->naces++;
219	pa++;	299	pa++;
220		300
221	while (pa->e_tag == ACL_GROUP) {	301	while (pa->e_tag == ACL_GROUP) {
222	mask = mask_from_posix(pa->e_perm & mask_mask, flags);	302	ace->type = NFS4_ACE_ACCESS_ALLOWED_ACE_TYPE;
223	nfs4_acl_add_ace(acl, NFS4_ACE_ACCESS_ALLOWED_ACE_TYPE,	303	ace->flag = eflag \| NFS4_ACE_IDENTIFIER_GROUP;
224	NFS4_ACE_IDENTIFIER_GROUP \| eflag, mask,	304	ace->access_mask = mask_from_posix(pa->e_perm & pas.mask,
225	NFS4_ACL_WHO_NAMED, pa->e_id);	305	flags);
		306	ace->whotype = NFS4_ACL_WHO_NAMED;
		307	ace->who = pa->e_id;
		308	ace++;
		309	acl->naces++;
226	pa++;	310	pa++;
227	}	311	}
228		312
229	/* deny ACEs */	313	/* deny ACEs */
230		314
231	pa = group_owner_entry;	315	pa = group_owner_entry;
232	mask = mask_from_posix(pa->e_perm, flags);	316
233	nfs4_acl_add_ace(acl, NFS4_ACE_ACCESS_DENIED_ACE_TYPE,	317	deny = ~pas.group & pas.other;
234	NFS4_ACE_IDENTIFIER_GROUP \| eflag,	318	if (deny) {
235	deny_mask(mask, flags), NFS4_ACL_WHO_GROUP, 0);	319	ace->type = NFS4_ACE_ACCESS_DENIED_ACE_TYPE;
		320	ace->flag = eflag \| NFS4_ACE_IDENTIFIER_GROUP;
		321	ace->access_mask = deny_mask_from_posix(deny, flags);
		322	ace->whotype = NFS4_ACL_WHO_GROUP;
		323	ace++;
		324	acl->naces++;
		325	}
236	pa++;	326	pa++;
		327
237	while (pa->e_tag == ACL_GROUP) {	328	while (pa->e_tag == ACL_GROUP) {
238	mask = mask_from_posix(pa->e_perm, flags);	329	deny = ~(pa->e_perm & pas.mask);
239	nfs4_acl_add_ace(acl, NFS4_ACE_ACCESS_DENIED_ACE_TYPE,	330	deny &= pas.other;
240	NFS4_ACE_IDENTIFIER_GROUP \| eflag,	331	if (deny) {
241	deny_mask(mask, flags), NFS4_ACL_WHO_NAMED, pa->e_id);	332	ace->type = NFS4_ACE_ACCESS_DENIED_ACE_TYPE;
		333	ace->flag = eflag \| NFS4_ACE_IDENTIFIER_GROUP;
		334	ace->access_mask = mask_from_posix(deny, flags);
		335	ace->whotype = NFS4_ACL_WHO_NAMED;
		336	ace->who = pa->e_id;
		337	ace++;
		338	acl->naces++;
		339	}
242	pa++;	340	pa++;
243	}	341	}
244		342
245	if (pa->e_tag == ACL_MASK)	343	if (pa->e_tag == ACL_MASK)
246	pa++;	344	pa++;
247	BUG_ON(pa->e_tag != ACL_OTHER);	345	ace->type = NFS4_ACE_ACCESS_ALLOWED_ACE_TYPE;
248	mask = mask_from_posix(pa->e_perm, flags);	346	ace->flag = eflag;
249	nfs4_acl_add_pair(acl, eflag, mask, NFS4_ACL_WHO_EVERYONE, 0, flags);	347	ace->access_mask = mask_from_posix(pa->e_perm, flags);
		348	ace->whotype = NFS4_ACL_WHO_EVERYONE;
		349	acl->naces++;
250	}	350	}
251		351
252	static void	352	static void