aboutsummaryrefslogtreecommitdiffstats
path: root/fs/xfs/xfs_acl.c
diff options
context:
space:
mode:
Diffstat (limited to 'fs/xfs/xfs_acl.c')
-rw-r--r--fs/xfs/xfs_acl.c30
1 files changed, 2 insertions, 28 deletions
diff --git a/fs/xfs/xfs_acl.c b/fs/xfs/xfs_acl.c
index 5bfb66f33caf..7272fe39a92d 100644
--- a/fs/xfs/xfs_acl.c
+++ b/fs/xfs/xfs_acl.c
@@ -392,32 +392,6 @@ xfs_acl_allow_set(
392} 392}
393 393
394/* 394/*
395 * The access control process to determine the access permission:
396 * if uid == file owner id, use the file owner bits.
397 * if gid == file owner group id, use the file group bits.
398 * scan ACL for a matching user or group, and use matched entry
399 * permission. Use total permissions of all matching group entries,
400 * until all acl entries are exhausted. The final permission produced
401 * by matching acl entry or entries needs to be & with group permission.
402 * if not owner, owning group, or matching entry in ACL, use file
403 * other bits.
404 */
405STATIC int
406xfs_acl_capability_check(
407 mode_t mode,
408 cred_t *cr)
409{
410 if ((mode & ACL_READ) && !capable_cred(cr, CAP_DAC_READ_SEARCH))
411 return EACCES;
412 if ((mode & ACL_WRITE) && !capable_cred(cr, CAP_DAC_OVERRIDE))
413 return EACCES;
414 if ((mode & ACL_EXECUTE) && !capable_cred(cr, CAP_DAC_OVERRIDE))
415 return EACCES;
416
417 return 0;
418}
419
420/*
421 * Note: cr is only used here for the capability check if the ACL test fails. 395 * Note: cr is only used here for the capability check if the ACL test fails.
422 * It is not used to find out the credentials uid or groups etc, as was 396 * It is not used to find out the credentials uid or groups etc, as was
423 * done in IRIX. It is assumed that the uid and groups for the current 397 * done in IRIX. It is assumed that the uid and groups for the current
@@ -438,7 +412,6 @@ xfs_acl_access(
438 412
439 matched.ae_tag = 0; /* Invalid type */ 413 matched.ae_tag = 0; /* Invalid type */
440 matched.ae_perm = 0; 414 matched.ae_perm = 0;
441 md >>= 6; /* Normalize the bits for comparison */
442 415
443 for (i = 0; i < fap->acl_cnt; i++) { 416 for (i = 0; i < fap->acl_cnt; i++) {
444 /* 417 /*
@@ -520,7 +493,8 @@ xfs_acl_access(
520 break; 493 break;
521 } 494 }
522 495
523 return xfs_acl_capability_check(md, cr); 496 /* EACCES tells generic_permission to check for capability overrides */
497 return EACCES;
524} 498}
525 499
526/* 500/*