search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
MOXA linux-2.6.x / linux-2.6.9-uc0 from sdlinux-moxaart.tgz
[linux-2.6.9-moxart.git] / fs / posix_acl.c
blobc802d5a2f16abcdcdcf04cbe6272e59bc604cb5a
1 /*
2 * linux/fs/posix_acl.c
3 *
4 * Copyright (C) 2002 by Andreas Gruenbacher <a.gruenbacher@computer.org>
5 *
6 * Fixes from William Schumacher incorporated on 15 March 2001.
7 * (Reported by Charles Bertsch, <CBertsch@microtest.com>).
8 */
9
10 /*
11 * This file contains generic functions for manipulating
12 * POSIX 1003.1e draft standard 17 ACLs.
13 */
14
15 #include <linux/kernel.h>
16 #include <linux/slab.h>
17 #include <asm/atomic.h>
18 #include <linux/fs.h>
19 #include <linux/sched.h>
20 #include <linux/posix_acl.h>
21 #include <linux/module.h>
22
23 #include <linux/errno.h>
24
25 EXPORT_SYMBOL(posix_acl_alloc);
26 EXPORT_SYMBOL(posix_acl_clone);
27 EXPORT_SYMBOL(posix_acl_valid);
28 EXPORT_SYMBOL(posix_acl_equiv_mode);
29 EXPORT_SYMBOL(posix_acl_from_mode);
30 EXPORT_SYMBOL(posix_acl_create_masq);
31 EXPORT_SYMBOL(posix_acl_chmod_masq);
32 EXPORT_SYMBOL(posix_acl_masq_nfs_mode);
33 EXPORT_SYMBOL(posix_acl_permission);
34
35 /*
36 * Allocate a new ACL with the specified number of entries.
37 */
38 struct posix_acl *
39 posix_acl_alloc(int count, int flags)
40 {
41 const size_t size = sizeof(struct posix_acl) +
42 count * sizeof(struct posix_acl_entry);
43 struct posix_acl *acl = kmalloc(size, flags);
44 if (acl) {
45 atomic_set(&acl->a_refcount, 1);
46 acl->a_count = count;
47 }
48 return acl;
49 }
50
51 /*
52 * Clone an ACL.
53 */
54 struct posix_acl *
55 posix_acl_clone(const struct posix_acl *acl, int flags)
56 {
57 struct posix_acl *clone = NULL;
58
59 if (acl) {
60 int size = sizeof(struct posix_acl) + acl->a_count *
61 sizeof(struct posix_acl_entry);
62 clone = kmalloc(size, flags);
63 if (clone) {
64 memcpy(clone, acl, size);
65 atomic_set(&clone->a_refcount, 1);
66 }
67 }
68 return clone;
69 }
70
71 /*
72 * Check if an acl is valid. Returns 0 if it is, or -E... otherwise.
73 */
74 int
75 posix_acl_valid(const struct posix_acl *acl)
76 {
77 const struct posix_acl_entry *pa, *pe;
78 int state = ACL_USER_OBJ;
79 unsigned int id = 0; /* keep gcc happy */
80 int needs_mask = 0;
81
82 FOREACH_ACL_ENTRY(pa, acl, pe) {
83 if (pa->e_perm & ~(ACL_READ|ACL_WRITE|ACL_EXECUTE))
84 return -EINVAL;
85 switch (pa->e_tag) {
86 case ACL_USER_OBJ:
87 if (state == ACL_USER_OBJ) {
88 id = 0;
89 state = ACL_USER;
90 break;
91 }
92 return -EINVAL;
93
94 case ACL_USER:
95 if (state != ACL_USER)
96 return -EINVAL;
97 if (pa->e_id == ACL_UNDEFINED_ID ||
98 pa->e_id < id)
99 return -EINVAL;
100 id = pa->e_id + 1;
101 needs_mask = 1;
102 break;
103
104 case ACL_GROUP_OBJ:
105 if (state == ACL_USER) {
106 id = 0;
107 state = ACL_GROUP;
108 break;
109 }
110 return -EINVAL;
111
112 case ACL_GROUP:
113 if (state != ACL_GROUP)
114 return -EINVAL;
115 if (pa->e_id == ACL_UNDEFINED_ID ||
116 pa->e_id < id)
117 return -EINVAL;
118 id = pa->e_id + 1;
119 needs_mask = 1;
120 break;
121
122 case ACL_MASK:
123 if (state != ACL_GROUP)
124 return -EINVAL;
125 state = ACL_OTHER;
126 break;
127
128 case ACL_OTHER:
129 if (state == ACL_OTHER ||
130 (state == ACL_GROUP && !needs_mask)) {
131 state = 0;
132 break;
133 }
134 return -EINVAL;
135
136 default:
137 return -EINVAL;
138 }
139 }
140 if (state == 0)
141 return 0;
142 return -EINVAL;
143 }
144
145 /*
146 * Returns 0 if the acl can be exactly represented in the traditional
147 * file mode permission bits, or else 1. Returns -E... on error.
148 */
149 int
150 posix_acl_equiv_mode(const struct posix_acl *acl, mode_t *mode_p)
151 {
152 const struct posix_acl_entry *pa, *pe;
153 mode_t mode = 0;
154 int not_equiv = 0;
155
156 FOREACH_ACL_ENTRY(pa, acl, pe) {
157 switch (pa->e_tag) {
158 case ACL_USER_OBJ:
159 mode |= (pa->e_perm & S_IRWXO) << 6;
160 break;
161 case ACL_GROUP_OBJ:
162 mode |= (pa->e_perm & S_IRWXO) << 3;
163 break;
164 case ACL_OTHER:
165 mode |= pa->e_perm & S_IRWXO;
166 break;
167 case ACL_MASK:
168 mode = (mode & ~S_IRWXG) |
169 ((pa->e_perm & S_IRWXO) << 3);
170 not_equiv = 1;
171 break;
172 case ACL_USER:
173 case ACL_GROUP:
174 not_equiv = 1;
175 break;
176 default:
177 return -EINVAL;
178 }
179 }
180 if (mode_p)
181 *mode_p = (*mode_p & ~S_IRWXUGO) | mode;
182 return not_equiv;
183 }
184
185 /*
186 * Create an ACL representing the file mode permission bits of an inode.
187 */
188 struct posix_acl *
189 posix_acl_from_mode(mode_t mode, int flags)
190 {
191 struct posix_acl *acl = posix_acl_alloc(3, flags);
192 if (!acl)
193 return ERR_PTR(-ENOMEM);
194
195 acl->a_entries[0].e_tag = ACL_USER_OBJ;
196 acl->a_entries[0].e_id = ACL_UNDEFINED_ID;
197 acl->a_entries[0].e_perm = (mode & S_IRWXU) >> 6;
198
199 acl->a_entries[1].e_tag = ACL_GROUP_OBJ;
200 acl->a_entries[1].e_id = ACL_UNDEFINED_ID;
201 acl->a_entries[1].e_perm = (mode & S_IRWXG) >> 3;
202
203 acl->a_entries[2].e_tag = ACL_OTHER;
204 acl->a_entries[2].e_id = ACL_UNDEFINED_ID;
205 acl->a_entries[2].e_perm = (mode & S_IRWXO);
206 return acl;
207 }
208
209 /*
210 * Return 0 if current is granted want access to the inode
211 * by the acl. Returns -E... otherwise.
212 */
213 int
214 posix_acl_permission(struct inode *inode, const struct posix_acl *acl, int want)
215 {
216 const struct posix_acl_entry *pa, *pe, *mask_obj;
217 int found = 0;
218
219 FOREACH_ACL_ENTRY(pa, acl, pe) {
220 switch(pa->e_tag) {
221 case ACL_USER_OBJ:
222 /* (May have been checked already) */
223 if (inode->i_uid == current->fsuid)
224 goto check_perm;
225 break;
226 case ACL_USER:
227 if (pa->e_id == current->fsuid)
228 goto mask;
229 break;
230 case ACL_GROUP_OBJ:
231 if (in_group_p(inode->i_gid)) {
232 found = 1;
233 if ((pa->e_perm & want) == want)
234 goto mask;
235 }
236 break;
237 case ACL_GROUP:
238 if (in_group_p(pa->e_id)) {
239 found = 1;
240 if ((pa->e_perm & want) == want)
241 goto mask;
242 }
243 break;
244 case ACL_MASK:
245 break;
246 case ACL_OTHER:
247 if (found)
248 return -EACCES;
249 else
250 goto check_perm;
251 default:
252 return -EIO;
253 }
254 }
255 return -EIO;
256
257 mask:
258 for (mask_obj = pa+1; mask_obj != pe; mask_obj++) {
259 if (mask_obj->e_tag == ACL_MASK) {
260 if ((pa->e_perm & mask_obj->e_perm & want) == want)
261 return 0;
262 return -EACCES;
263 }
264 }
265
266 check_perm:
267 if ((pa->e_perm & want) == want)
268 return 0;
269 return -EACCES;
270 }
271
272 /*
273 * Modify acl when creating a new inode. The caller must ensure the acl is
274 * only referenced once.
275 *
276 * mode_p initially must contain the mode parameter to the open() / creat()
277 * system calls. All permissions that are not granted by the acl are removed.
278 * The permissions in the acl are changed to reflect the mode_p parameter.
279 */
280 int
281 posix_acl_create_masq(struct posix_acl *acl, mode_t *mode_p)
282 {
283 struct posix_acl_entry *pa, *pe;
284 struct posix_acl_entry *group_obj = NULL, *mask_obj = NULL;
285 mode_t mode = *mode_p;
286 int not_equiv = 0;
287
288 /* assert(atomic_read(acl->a_refcount) == 1); */
289
290 FOREACH_ACL_ENTRY(pa, acl, pe) {
291 switch(pa->e_tag) {
292 case ACL_USER_OBJ:
293 pa->e_perm &= (mode >> 6) | ~S_IRWXO;
294 mode &= (pa->e_perm << 6) | ~S_IRWXU;
295 break;
296
297 case ACL_USER:
298 case ACL_GROUP:
299 not_equiv = 1;
300 break;
301
302 case ACL_GROUP_OBJ:
303 group_obj = pa;
304 break;
305
306 case ACL_OTHER:
307 pa->e_perm &= mode | ~S_IRWXO;
308 mode &= pa->e_perm | ~S_IRWXO;
309 break;
310
311 case ACL_MASK:
312 mask_obj = pa;
313 not_equiv = 1;
314 break;
315
316 default:
317 return -EIO;
318 }
319 }
320
321 if (mask_obj) {
322 mask_obj->e_perm &= (mode >> 3) | ~S_IRWXO;
323 mode &= (mask_obj->e_perm << 3) | ~S_IRWXG;
324 } else {
325 if (!group_obj)
326 return -EIO;
327 group_obj->e_perm &= (mode >> 3) | ~S_IRWXO;
328 mode &= (group_obj->e_perm << 3) | ~S_IRWXG;
329 }
330
331 *mode_p = (*mode_p & ~S_IRWXUGO) | mode;
332 return not_equiv;
333 }
334
335 /*
336 * Modify the ACL for the chmod syscall.
337 */
338 int
339 posix_acl_chmod_masq(struct posix_acl *acl, mode_t mode)
340 {
341 struct posix_acl_entry *group_obj = NULL, *mask_obj = NULL;
342 struct posix_acl_entry *pa, *pe;
343
344 /* assert(atomic_read(acl->a_refcount) == 1); */
345
346 FOREACH_ACL_ENTRY(pa, acl, pe) {
347 switch(pa->e_tag) {
348 case ACL_USER_OBJ:
349 pa->e_perm = (mode & S_IRWXU) >> 6;
350 break;
351
352 case ACL_USER:
353 case ACL_GROUP:
354 break;
355
356 case ACL_GROUP_OBJ:
357 group_obj = pa;
358 break;
359
360 case ACL_MASK:
361 mask_obj = pa;
362 break;
363
364 case ACL_OTHER:
365 pa->e_perm = (mode & S_IRWXO);
366 break;
367
368 default:
369 return -EIO;
370 }
371 }
372
373 if (mask_obj) {
374 mask_obj->e_perm = (mode & S_IRWXG) >> 3;
375 } else {
376 if (!group_obj)
377 return -EIO;
378 group_obj->e_perm = (mode & S_IRWXG) >> 3;
379 }
380
381 return 0;
382 }
383
384 /*
385 * Adjust the mode parameter so that NFSv2 grants nobody permissions
386 * that may not be granted by the ACL. This is necessary because NFSv2
387 * may compute access permissions on the client side, and may serve cached
388 * data whenever it assumes access would be granted. Since ACLs may also
389 * be used to deny access to specific users, the minimal permissions
390 * for secure operation over NFSv2 are very restrictive. Permissions
391 * granted to users via Access Control Lists will not be effective over
392 * NFSv2.
393 *
394 * Privilege escalation can only happen for read operations, as writes are
395 * always carried out on the NFS server, where the proper access checks are
396 * implemented.
397 */
398 int
399 posix_acl_masq_nfs_mode(struct posix_acl *acl, mode_t *mode_p)
400 {
401 struct posix_acl_entry *pa, *pe; int min_perm = S_IRWXO;
402
403 FOREACH_ACL_ENTRY(pa, acl, pe) {
404 switch(pa->e_tag) {
405 case ACL_USER_OBJ:
406 break;
407
408 case ACL_USER:
409 case ACL_GROUP_OBJ:
410 case ACL_GROUP:
411 case ACL_MASK:
412 case ACL_OTHER:
413 min_perm &= pa->e_perm;
414 break;
415
416 default:
417 return -EIO;
418 }
419 }
420 *mode_p = (*mode_p & ~(S_IRWXG|S_IRWXO)) | (min_perm << 3) | min_perm;
421
422 return 0;
423 }
MOXA 2.6.9 from sdlinux-moxaart.tgz