Re: [PATCH v23 07/22] richacl: Permission mapping functions
From: Jeff Layton
Date: Tue Jul 05 2016 - 09:39:58 EST
On Thu, 2016-06-30 at 15:46 +0200, Andreas Gruenbacher wrote:
> We need to map from POSIX permissions to NFSv4 permissions when a
> chmod() is done, from NFSv4 permissions to POSIX permissions when an acl
> is set (which implicitly sets the file permission bits), and from the
> MAY_READ/MAY_WRITE/MAY_EXEC/MAY_APPEND flags to NFSv4 permissions when
> doing an access check in a richacl.
>
> Signed-off-by: Andreas Gruenbacher <agruenba@xxxxxxxxxx>
> Reviewed-by: J. Bruce Fields <bfields@xxxxxxxxxx>
> ---
> Âfs/richacl.cÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂ| 118 +++++++++++++++++++++++++++++++++++++++++++
> Âinclude/linux/richacl.hÂÂÂÂÂÂ|ÂÂÂ3 ++
> Âinclude/uapi/linux/richacl.h |ÂÂ44 ++++++++++++++++
> Â3 files changed, 165 insertions(+)
>
> diff --git a/fs/richacl.c b/fs/richacl.c
> index bcc6591..d0a4135 100644
> --- a/fs/richacl.c
> +++ b/fs/richacl.c
> @@ -63,3 +63,121 @@ richace_copy(struct richace *to, const struct richace *from)
> Â{
> Â memcpy(to, from, sizeof(struct richace));
> Â}
> +
> +/*
> + * richacl_mask_to_modeÂÂ-ÂÂcompute the file permission bits from mask
> + * @mask: %RICHACE_* permission mask
> + *
> + * Compute the file permission bits corresponding to a particular set of
> + * richacl permissions.
> + *
> + * See richacl_masks_to_mode().
> + */
> +static int
> +richacl_mask_to_mode(unsigned int mask)
> +{
> + int mode = 0;
> +
> + if (mask & RICHACE_POSIX_MODE_READ)
> + mode |= S_IROTH;
> + if (mask & RICHACE_POSIX_MODE_WRITE)
> + mode |= S_IWOTH;
> + if (mask & RICHACE_POSIX_MODE_EXEC)
> + mode |= S_IXOTH;
> +
> + return mode;
> +}
> +
> +/**
> + * richacl_masks_to_modeÂÂ-ÂÂcompute file permission bits from file masks
> + *
> + * When setting a richacl, we set the file permission bits to indicate maximum
> + * permissions: for example, we set the Write permission when a mask contains
> + * RICHACE_APPEND_DATA even if it does not also contain RICHACE_WRITE_DATA.
> + *
> + * Permissions which are not in RICHACE_POSIX_MODE_READ,
> + * RICHACE_POSIX_MODE_WRITE, or RICHACE_POSIX_MODE_EXEC cannot be represented
> + * in the file permission bits.ÂÂSuch permissions can still be effective, but
> + * not for new files or after a chmod(); they must be explicitly enabled in the
> + * richacl.
> + */
> +int
> +richacl_masks_to_mode(const struct richacl *acl)
> +{
> + return richacl_mask_to_mode(acl->a_owner_mask) << 6 |
> + ÂÂÂÂÂÂÂrichacl_mask_to_mode(acl->a_group_mask) << 3 |
> + ÂÂÂÂÂÂÂrichacl_mask_to_mode(acl->a_other_mask);
> +}
> +EXPORT_SYMBOL_GPL(richacl_masks_to_mode);
> +
> +/**
> + * richacl_mode_to_maskÂÂ- compute a file mask from the lowest three mode bits
> + * @mode: mode to convert to richacl permissions
> + *
> + * When the file permission bits of a file are set with chmod(), this specifies
> + * the maximum permissions that processes will get.ÂÂAll permissions beyond
> + * that will be removed from the file masks, and become ineffective.
> + */
> +unsigned int
> +richacl_mode_to_mask(umode_t mode)
> +{
> + unsigned int mask = 0;
> +
> + if (mode & S_IROTH)
> + mask |= RICHACE_POSIX_MODE_READ;
> + if (mode & S_IWOTH)
> + mask |= RICHACE_POSIX_MODE_WRITE;
> + if (mode & S_IXOTH)
> + mask |= RICHACE_POSIX_MODE_EXEC;
> +
> + return mask;
> +}
> +
> +/**
> + * richacl_want_to_maskÂÂ- convert the iop->permission want argument to a mask
> + * @want: @want argument of the permission inode operation
> + *
> + * When checking for append, @want is (MAY_WRITE | MAY_APPEND).
> + *
> + * Richacls use the iop->may_create and iop->may_delete hooks which are used
> + * for checking if creating and deleting files is allowed.ÂÂThese hooks do not
> + * use richacl_want_to_mask(), so we do not have to deal with mapping MAY_WRITE
> + * to RICHACE_ADD_FILE, RICHACE_ADD_SUBDIRECTORY, and RICHACE_DELETE_CHILD
> + * here.
> + */
This comment is confusing as I don't see any may_create or may_delete
iops in the final patchset. Do you mean may_create() and may_delete()
here?
> +unsigned int
> +richacl_want_to_mask(unsigned int want)
> +{
> + unsigned int mask = 0;
> +
> + if (want & MAY_READ)
> + mask |= RICHACE_READ_DATA;
> + if (want & MAY_DELETE_SELF)
> + mask |= RICHACE_DELETE;
> + if (want & MAY_TAKE_OWNERSHIP)
> + mask |= RICHACE_WRITE_OWNER;
> + if (want & MAY_CHMOD)
> + mask |= RICHACE_WRITE_ACL;
> + if (want & MAY_SET_TIMES)
> + mask |= RICHACE_WRITE_ATTRIBUTES;
> + if (want & MAY_EXEC)
> + mask |= RICHACE_EXECUTE;
> + /*
> + Â* differentiate MAY_WRITE from these request
> + Â*/
> + if (want & (MAY_APPEND |
> + ÂÂÂÂMAY_CREATE_FILE | MAY_CREATE_DIR |
> + ÂÂÂÂMAY_DELETE_CHILD)) {
> + if (want & MAY_APPEND)
> + mask |= RICHACE_APPEND_DATA;
> + if (want & MAY_CREATE_FILE)
> + mask |= RICHACE_ADD_FILE;
> + if (want & MAY_CREATE_DIR)
> + mask |= RICHACE_ADD_SUBDIRECTORY;
> + if (want & MAY_DELETE_CHILD)
> + mask |= RICHACE_DELETE_CHILD;
> + } else if (want & MAY_WRITE)
> + mask |= RICHACE_WRITE_DATA;
> + return mask;
> +}
> +EXPORT_SYMBOL_GPL(richacl_want_to_mask);
> diff --git a/include/linux/richacl.h b/include/linux/richacl.h
> index edb8480..9102ef0 100644
> --- a/include/linux/richacl.h
> +++ b/include/linux/richacl.h
> @@ -175,5 +175,8 @@ richace_is_same_identifier(const struct richace *a, const struct richace *b)
> Âextern struct richacl *richacl_alloc(int, gfp_t);
> Âextern struct richacl *richacl_clone(const struct richacl *, gfp_t);
> Âextern void richace_copy(struct richace *, const struct richace *);
> +extern int richacl_masks_to_mode(const struct richacl *);
> +extern unsigned int richacl_mode_to_mask(umode_t);
> +extern unsigned int richacl_want_to_mask(unsigned int);
> Â
> Â#endif /* __RICHACL_H */
> diff --git a/include/uapi/linux/richacl.h b/include/uapi/linux/richacl.h
> index 08856f8..1ed48ac 100644
> --- a/include/uapi/linux/richacl.h
> +++ b/include/uapi/linux/richacl.h
> @@ -96,4 +96,48 @@
> Â RICHACE_WRITE_OWNER | \
> Â RICHACE_SYNCHRONIZE )
> Â
> +/*
> + * The POSIX permissions are supersets of the following richacl permissions:
> + *
> + *ÂÂ- MAY_READ maps to READ_DATA or LIST_DIRECTORY, depending on the type
> + *ÂÂÂÂof the file system object.
> + *
> + *ÂÂ- MAY_WRITE maps to WRITE_DATA or RICHACE_APPEND_DATA for files, and to
> + *ÂÂÂÂADD_FILE, RICHACE_ADD_SUBDIRECTORY, or RICHACE_DELETE_CHILD for directories.
> + *
> + *ÂÂ- MAY_EXECUTE maps to RICHACE_EXECUTE.
> + *
> + *ÂÂ(Some of these richacl permissions have the same bit values.)
> + */
> +#define RICHACE_POSIX_MODE_READ ( \
> + RICHACE_READ_DATA | \
> + RICHACE_LIST_DIRECTORY)
> +#define RICHACE_POSIX_MODE_WRITE ( \
> + RICHACE_WRITE_DATA | \
> + RICHACE_ADD_FILE | \
> + RICHACE_APPEND_DATA | \
> + RICHACE_ADD_SUBDIRECTORY | \
> + RICHACE_DELETE_CHILD)
> +#define RICHACE_POSIX_MODE_EXEC RICHACE_EXECUTE
> +#define RICHACE_POSIX_MODE_ALL ( \
> + RICHACE_POSIX_MODE_READ | \
> + RICHACE_POSIX_MODE_WRITE | \
> + RICHACE_POSIX_MODE_EXEC)
> +
> +/*
> + * These permissions are always allowed no matter what the acl says.
> + */
> +#define RICHACE_POSIX_ALWAYS_ALLOWED ( \
> + RICHACE_SYNCHRONIZE | \
> + RICHACE_READ_ATTRIBUTES | \
> + RICHACE_READ_ACL)
> +
> +/*
> + * The owner is implicitly granted these permissions under POSIX.
> + */
> +#define RICHACE_POSIX_OWNER_ALLOWED ( \
> + RICHACE_WRITE_ATTRIBUTES | \
> + RICHACE_WRITE_OWNER | \
> + RICHACE_WRITE_ACL)
> +
> Â#endif /* __UAPI_RICHACL_H */
Other than the confusing comment, this looks ok.
Reviewed-by: Jeff Layton <jlayton@xxxxxxxxxx>