diff options
Diffstat (limited to 'fs/xfs/xfs_acl.c')
-rw-r--r-- | fs/xfs/xfs_acl.c | 30 |
1 files changed, 2 insertions, 28 deletions
diff --git a/fs/xfs/xfs_acl.c b/fs/xfs/xfs_acl.c index 5bfb66f33caf..7272fe39a92d 100644 --- a/fs/xfs/xfs_acl.c +++ b/fs/xfs/xfs_acl.c | |||
@@ -392,32 +392,6 @@ xfs_acl_allow_set( | |||
392 | } | 392 | } |
393 | 393 | ||
394 | /* | 394 | /* |
395 | * The access control process to determine the access permission: | ||
396 | * if uid == file owner id, use the file owner bits. | ||
397 | * if gid == file owner group id, use the file group bits. | ||
398 | * scan ACL for a matching user or group, and use matched entry | ||
399 | * permission. Use total permissions of all matching group entries, | ||
400 | * until all acl entries are exhausted. The final permission produced | ||
401 | * by matching acl entry or entries needs to be & with group permission. | ||
402 | * if not owner, owning group, or matching entry in ACL, use file | ||
403 | * other bits. | ||
404 | */ | ||
405 | STATIC int | ||
406 | xfs_acl_capability_check( | ||
407 | mode_t mode, | ||
408 | cred_t *cr) | ||
409 | { | ||
410 | if ((mode & ACL_READ) && !capable_cred(cr, CAP_DAC_READ_SEARCH)) | ||
411 | return EACCES; | ||
412 | if ((mode & ACL_WRITE) && !capable_cred(cr, CAP_DAC_OVERRIDE)) | ||
413 | return EACCES; | ||
414 | if ((mode & ACL_EXECUTE) && !capable_cred(cr, CAP_DAC_OVERRIDE)) | ||
415 | return EACCES; | ||
416 | |||
417 | return 0; | ||
418 | } | ||
419 | |||
420 | /* | ||
421 | * Note: cr is only used here for the capability check if the ACL test fails. | 395 | * Note: cr is only used here for the capability check if the ACL test fails. |
422 | * It is not used to find out the credentials uid or groups etc, as was | 396 | * It is not used to find out the credentials uid or groups etc, as was |
423 | * done in IRIX. It is assumed that the uid and groups for the current | 397 | * done in IRIX. It is assumed that the uid and groups for the current |
@@ -438,7 +412,6 @@ xfs_acl_access( | |||
438 | 412 | ||
439 | matched.ae_tag = 0; /* Invalid type */ | 413 | matched.ae_tag = 0; /* Invalid type */ |
440 | matched.ae_perm = 0; | 414 | matched.ae_perm = 0; |
441 | md >>= 6; /* Normalize the bits for comparison */ | ||
442 | 415 | ||
443 | for (i = 0; i < fap->acl_cnt; i++) { | 416 | for (i = 0; i < fap->acl_cnt; i++) { |
444 | /* | 417 | /* |
@@ -520,7 +493,8 @@ xfs_acl_access( | |||
520 | break; | 493 | break; |
521 | } | 494 | } |
522 | 495 | ||
523 | return xfs_acl_capability_check(md, cr); | 496 | /* EACCES tells generic_permission to check for capability overrides */ |
497 | return EACCES; | ||
524 | } | 498 | } |
525 | 499 | ||
526 | /* | 500 | /* |