Re: [PATCH v23 20/22] vfs: Add richacl permission checking

From: Jeff Layton
Date: Tue Jul 12 2016 - 08:14:13 EST


On Thu, 2016-06-30 at 15:47 +0200, Andreas Gruenbacher wrote:
> Hook the richacl permission checking function into the vfs.
>
> Signed-off-by: Andreas Gruenbacher <agruenba@xxxxxxxxxx>
> ---
> Âfs/namei.c | 54 ++++++++++++++++++++++++++++++++++++++++++++++++++++--
> Â1 file changed, 52 insertions(+), 2 deletions(-)
>
> diff --git a/fs/namei.c b/fs/namei.c
> index 7a822d0..48c9958 100644
> --- a/fs/namei.c
> +++ b/fs/namei.c
> @@ -34,6 +34,7 @@
> Â#include
> Â#include
> Â#include
> +#include
> Â#include
> Â#include
> Â#include
> @@ -256,7 +257,43 @@ void putname(struct filename *name)
> Â __putname(name);
> Â}
> Â
> -static int check_acl(struct inode *inode, int mask)
> +static int check_richacl(struct inode *inode, int mask)
> +{
> +#ifdef CONFIG_FS_RICHACL
> + if (mask & MAY_NOT_BLOCK) {
> + struct base_acl *base_acl;
> +
> + base_acl = rcu_dereference(inode->i_acl);
> + if (!base_acl)
> + goto no_acl;
> + /* no ->get_richacl() calls in RCU mode... */
> + if (is_uncached_acl(base_acl))
> + return -ECHILD;
> + return richacl_permission(inode, richacl(base_acl),
> + ÂÂmask & ~MAY_NOT_BLOCK);
> + } else {
> + struct richacl *acl;
> +
> + acl = get_richacl(inode);
> + if (IS_ERR(acl))
> + return PTR_ERR(acl);
> + if (acl) {
> + int error = richacl_permission(inode, acl, mask);
> + richacl_put(acl);
> + return error;
> + }
> + }
> +no_acl:
> +#endif

nit: Can you move the above to a static inline or something that becomes a noop when the config var is turned off?

> + if (mask & (MAY_DELETE_SELF | MAY_TAKE_OWNERSHIP |
> + ÂÂÂÂMAY_CHMOD | MAY_SET_TIMES)) {
> + /* File permission bits cannot grant this. */
> + return -EACCES;
> + }
> + return -EAGAIN;
> +}
> +
> +static int check_posix_acl(struct inode *inode, int mask)
> Â{
> Â#ifdef CONFIG_FS_POSIX_ACL
> Â if (mask & MAY_NOT_BLOCK) {
> @@ -294,11 +331,24 @@ static int acl_permission_check(struct inode *inode, int mask)
> Â{
> Â unsigned int mode = inode->i_mode;
> Â
> + /*
> + Â* With POSIX ACLs, the (mode & S_IRWXU) bits exactly match the owner
> + Â* permissions, and we can skip checking posix acls for the owner.
> + Â* With richacls, the owner may be granted fewer permissions than the
> + Â* mode bits seem to suggest (for example, append but not write), and
> + Â* we always need to check the richacl.
> + Â*/
> +
> + if (IS_RICHACL(inode)) {
> + int error = check_richacl(inode, mask);
> + if (error != -EAGAIN)
> + return error;
> + }
> Â if (likely(uid_eq(current_fsuid(), inode->i_uid)))
> Â mode >>= 6;
> Â else {
> Â if (IS_POSIXACL(inode) && (mode & S_IRWXG)) {
> - int error = check_acl(inode, mask);
> + int error = check_posix_acl(inode, mask);
> Â if (error != -EAGAIN)
> Â return error;
> Â }

Looks fine other than the nit above:

Reviewed-by: Jeff Layton <jlayton@xxxxxxxxxx>