2 * Copyright (C) 2006, 2010 Novell, Inc.
3 * Written by Andreas Gruenbacher <agruen@suse.de>
5 * This program is free software; you can redistribute it and/or modify it
6 * under the terms of the GNU General Public License as published by the
7 * Free Software Foundation; either version 2, or (at your option) any
10 * This program is distributed in the hope that it will be useful, but
11 * WITHOUT ANY WARRANTY; without even the implied warranty of
12 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
13 * General Public License for more details.
16 #include <linux/sched.h>
17 #include <linux/module.h>
19 #include <linux/richacl.h>
21 MODULE_LICENSE("GPL");
24 * Special e_who identifiers: ACEs which have ACE4_SPECIAL_WHO set in
25 * ace->e_flags use these constants in ace->u.e_who.
27 * For efficiency, we compare pointers instead of comparing strings.
29 const char richace_owner_who[] = "OWNER@";
30 EXPORT_SYMBOL_GPL(richace_owner_who);
31 const char richace_group_who[] = "GROUP@";
32 EXPORT_SYMBOL_GPL(richace_group_who);
33 const char richace_everyone_who[] = "EVERYONE@";
34 EXPORT_SYMBOL_GPL(richace_everyone_who);
37 * richacl_alloc - allocate a richacl
38 * @count: number of entries
41 richacl_alloc(int count)
43 size_t size = sizeof(struct richacl) + count * sizeof(struct richace);
44 struct richacl *acl = kzalloc(size, GFP_KERNEL);
47 atomic_set(&acl->a_refcount, 1);
52 EXPORT_SYMBOL_GPL(richacl_alloc);
55 * richacl_clone - create a copy of a richacl
57 static struct richacl *
58 richacl_clone(const struct richacl *acl)
60 int count = acl->a_count;
61 size_t size = sizeof(struct richacl) + count * sizeof(struct richace);
62 struct richacl *dup = kmalloc(size, GFP_KERNEL);
65 memcpy(dup, acl, size);
66 atomic_set(&dup->a_refcount, 1);
72 * richacl_mask_to_mode - compute the file permission bits which correspond to @mask
73 * @mask: %ACE4_* permission mask
75 * See richacl_masks_to_mode().
78 richacl_mask_to_mode(unsigned int mask)
82 if (mask & ACE4_POSIX_MODE_READ)
84 if (mask & ACE4_POSIX_MODE_WRITE)
86 if (mask & ACE4_POSIX_MODE_EXEC)
93 * richacl_masks_to_mode - compute the file permission bits from the file masks
95 * When setting a richacl, we set the file permission bits to indicate maximum
96 * permissions: for example, we set the Write permission when a mask contains
97 * ACE4_APPEND_DATA even if it does not also contain ACE4_WRITE_DATA.
99 * Permissions which are not in ACE4_POSIX_MODE_READ, ACE4_POSIX_MODE_WRITE, or
100 * ACE4_POSIX_MODE_EXEC cannot be represented in the file permission bits.
101 * Such permissions can still be effective, but not for new files or after a
102 * chmod(), and only if they were set explicitly, for example, by setting a
106 richacl_masks_to_mode(const struct richacl *acl)
108 return richacl_mask_to_mode(acl->a_owner_mask) << 6 |
109 richacl_mask_to_mode(acl->a_group_mask) << 3 |
110 richacl_mask_to_mode(acl->a_other_mask);
112 EXPORT_SYMBOL_GPL(richacl_masks_to_mode);
115 * richacl_mode_to_mask - compute a file mask from the lowest three mode bits
117 * When the file permission bits of a file are set with chmod(), this specifies
118 * the maximum permissions that processes will get. All permissions beyond
119 * that will be removed from the file masks, and become ineffective.
121 * We also add in the permissions which are always allowed no matter what the
125 richacl_mode_to_mask(mode_t mode)
127 unsigned int mask = ACE4_POSIX_ALWAYS_ALLOWED;
130 mask |= ACE4_POSIX_MODE_READ;
131 if (mode & MAY_WRITE)
132 mask |= ACE4_POSIX_MODE_WRITE;
134 mask |= ACE4_POSIX_MODE_EXEC;
140 * richacl_want_to_mask - convert the iop->permission want argument to a mask
141 * @want: @want argument of the permission inode operation
143 * When checking for append, @want is (MAY_WRITE | MAY_APPEND).
145 * Richacls use the iop->may_create and iop->may_delete hooks which are
146 * used for checking if creating and deleting files is allowed. These hooks do
147 * not use richacl_want_to_mask(), so we do not have to deal with mapping
148 * MAY_WRITE to ACE4_ADD_FILE, ACE4_ADD_SUBDIRECTORY, and ACE4_DELETE_CHILD
152 richacl_want_to_mask(int want)
154 unsigned int mask = 0;
157 mask |= ACE4_READ_DATA;
158 if (want & MAY_APPEND)
159 mask |= ACE4_APPEND_DATA;
160 else if (want & MAY_WRITE)
161 mask |= ACE4_WRITE_DATA;
163 mask |= ACE4_EXECUTE;
167 EXPORT_SYMBOL_GPL(richacl_want_to_mask);
170 * richace_is_same_identifier - are both identifiers the same?
173 richace_is_same_identifier(const struct richace *a, const struct richace *b)
175 #define WHO_FLAGS (ACE4_SPECIAL_WHO | ACE4_IDENTIFIER_GROUP)
176 if ((a->e_flags & WHO_FLAGS) != (b->e_flags & WHO_FLAGS))
178 if (a->e_flags & ACE4_SPECIAL_WHO)
179 return a->u.e_who == b->u.e_who;
181 return a->u.e_id == b->u.e_id;
186 * richacl_set_who - set a special who value
188 * @who: who value to use
191 richace_set_who(struct richace *ace, const char *who)
193 if (!strcmp(who, richace_owner_who))
194 who = richace_owner_who;
195 else if (!strcmp(who, richace_group_who))
196 who = richace_group_who;
197 else if (!strcmp(who, richace_everyone_who))
198 who = richace_everyone_who;
203 ace->e_flags |= ACE4_SPECIAL_WHO;
204 ace->e_flags &= ~ACE4_IDENTIFIER_GROUP;
207 EXPORT_SYMBOL_GPL(richace_set_who);
210 * richacl_allowed_to_who - mask flags allowed to a specific who value
212 * Computes the mask values allowed to a specific who value, taking
213 * EVERYONE@ entries into account.
215 static unsigned int richacl_allowed_to_who(struct richacl *acl,
219 unsigned int allowed = 0;
221 richacl_for_each_entry_reverse(ace, acl) {
222 if (richace_is_inherit_only(ace))
224 if (richace_is_same_identifier(ace, who) ||
225 richace_is_everyone(ace)) {
226 if (richace_is_allow(ace))
227 allowed |= ace->e_mask;
228 else if (richace_is_deny(ace))
229 allowed &= ~ace->e_mask;
236 * richacl_group_class_allowed - maximum permissions the group class is allowed
238 * See richacl_compute_max_masks().
240 static unsigned int richacl_group_class_allowed(struct richacl *acl)
243 unsigned int everyone_allowed = 0, group_class_allowed = 0;
244 int had_group_ace = 0;
246 richacl_for_each_entry_reverse(ace, acl) {
247 if (richace_is_inherit_only(ace) ||
248 richace_is_owner(ace))
251 if (richace_is_everyone(ace)) {
252 if (richace_is_allow(ace))
253 everyone_allowed |= ace->e_mask;
254 else if (richace_is_deny(ace))
255 everyone_allowed &= ~ace->e_mask;
257 group_class_allowed |=
258 richacl_allowed_to_who(acl, ace);
260 if (richace_is_group(ace))
265 group_class_allowed |= everyone_allowed;
266 return group_class_allowed;
270 * richacl_compute_max_masks - compute upper bound masks
272 * Computes upper bound owner, group, and other masks so that none of
273 * the mask flags allowed by the acl are disabled (for any choice of the
274 * file owner or group membership).
276 void richacl_compute_max_masks(struct richacl *acl)
278 unsigned int gmask = ~0;
282 * @gmask contains all permissions which the group class is ever
283 * allowed. We use it to avoid adding permissions to the group mask
284 * from everyone@ allow aces which the group class is always denied
285 * through other aces. For example, the following acl would otherwise
286 * result in a group mask or rw:
289 * everyone@:rw::allow
291 * Avoid computing @gmask for acls which do not include any group class
292 * deny aces: in such acls, the group class is never denied any
293 * permissions from everyone@ allow aces.
297 acl->a_owner_mask = 0;
298 acl->a_group_mask = 0;
299 acl->a_other_mask = 0;
301 richacl_for_each_entry_reverse(ace, acl) {
302 if (richace_is_inherit_only(ace))
305 if (richace_is_owner(ace)) {
306 if (richace_is_allow(ace))
307 acl->a_owner_mask |= ace->e_mask;
308 else if (richace_is_deny(ace))
309 acl->a_owner_mask &= ~ace->e_mask;
310 } else if (richace_is_everyone(ace)) {
311 if (richace_is_allow(ace)) {
312 acl->a_owner_mask |= ace->e_mask;
313 acl->a_group_mask |= ace->e_mask & gmask;
314 acl->a_other_mask |= ace->e_mask;
315 } else if (richace_is_deny(ace)) {
316 acl->a_owner_mask &= ~ace->e_mask;
317 acl->a_group_mask &= ~ace->e_mask;
318 acl->a_other_mask &= ~ace->e_mask;
321 if (richace_is_allow(ace)) {
322 acl->a_owner_mask |= ace->e_mask & gmask;
323 acl->a_group_mask |= ace->e_mask & gmask;
324 } else if (richace_is_deny(ace) && gmask == ~0) {
325 gmask = richacl_group_class_allowed(acl);
326 if (likely(gmask != ~0)) /* should always be true */
332 EXPORT_SYMBOL_GPL(richacl_compute_max_masks);
335 * richacl_chmod - update the file masks to reflect the new mode
336 * @mode: new file permission bits
338 * Return a copy of @acl where the file masks have been replaced by the file
339 * masks corresponding to the file permission bits in @mode, or returns @acl
340 * itself if the file masks are already up to date. Takes over a reference
344 richacl_chmod(struct richacl *acl, mode_t mode)
346 unsigned int owner_mask, group_mask, other_mask;
347 struct richacl *clone;
349 owner_mask = richacl_mode_to_mask(mode >> 6);
350 group_mask = richacl_mode_to_mask(mode >> 3);
351 other_mask = richacl_mode_to_mask(mode);
353 if (acl->a_owner_mask == owner_mask &&
354 acl->a_group_mask == group_mask &&
355 acl->a_other_mask == other_mask &&
356 (!richacl_is_auto_inherit(acl) || richacl_is_protected(acl)))
359 clone = richacl_clone(acl);
362 return ERR_PTR(-ENOMEM);
364 clone->a_owner_mask = owner_mask;
365 clone->a_group_mask = group_mask;
366 clone->a_other_mask = other_mask;
367 if (richacl_is_auto_inherit(clone))
368 clone->a_flags |= ACL4_PROTECTED;
372 EXPORT_SYMBOL_GPL(richacl_chmod);
375 * richacl_permission - richacl permission check algorithm
376 * @inode: inode to check
377 * @acl: rich acl of the inode
378 * @mask: requested access (ACE4_* bitmask)
380 * Checks if the current process is granted @mask flags in @acl.
383 richacl_permission(struct inode *inode, const struct richacl *acl,
386 const struct richace *ace;
387 unsigned int file_mask, requested = mask, denied = 0;
388 int in_owning_group = in_group_p(inode->i_gid);
389 int in_owner_or_group_class = in_owning_group;
393 * - in the owner file class if it owns the file,
394 * - in the group file class if it is in the file's owning group or
395 * it matches any of the user or group entries, and
396 * - in the other file class otherwise.
400 * Check if the acl grants the requested access and determine which
401 * file class the process is in.
403 richacl_for_each_entry(ace, acl) {
404 unsigned int ace_mask = ace->e_mask;
406 if (richace_is_inherit_only(ace))
408 if (richace_is_owner(ace)) {
409 if (current_fsuid() != inode->i_uid)
412 } else if (richace_is_group(ace)) {
413 if (!in_owning_group)
415 } else if (richace_is_unix_id(ace)) {
416 if (ace->e_flags & ACE4_IDENTIFIER_GROUP) {
417 if (!in_group_p(ace->u.e_id))
420 if (current_fsuid() != ace->u.e_id)
427 * Apply the group file mask to entries other than OWNER@ and
428 * EVERYONE@. This is not required for correct access checking
429 * but ensures that we grant the same permissions as the acl
430 * computed by richacl_apply_masks() would grant. See
431 * richacl_apply_masks() for a more detailed explanation.
433 if (richace_is_allow(ace))
434 ace_mask &= acl->a_group_mask;
437 /* The process is in the owner or group file class. */
438 in_owner_or_group_class = 1;
441 /* Check which mask flags the ACE allows or denies. */
442 if (richace_is_deny(ace))
443 denied |= ace_mask & mask;
447 * Keep going until we know which file class
450 if (!mask && in_owner_or_group_class)
456 * The file class a process is in determines which file mask applies.
457 * Check if that file mask also grants the requested access.
459 if (current_fsuid() == inode->i_uid)
460 file_mask = acl->a_owner_mask;
461 else if (in_owner_or_group_class)
462 file_mask = acl->a_group_mask;
464 file_mask = acl->a_other_mask;
465 denied |= requested & ~file_mask;
467 return denied ? -EACCES : 0;
469 EXPORT_SYMBOL_GPL(richacl_permission);
472 * richacl_inherit - compute the inherited acl of a new file
473 * @dir_acl: acl of the containing direcory
474 * @inode: inode of the new file (create mode in i_mode)
476 * A directory can have acl entries which files and/or directories created
477 * inside the directory will inherit. This function computes the acl for such
478 * a new file. If there is no inheritable acl, it will return %NULL.
480 * The file permission bits in inode->i_mode must be set to the create mode.
481 * If there is an inheritable acl, the maximum permissions that the acl grants
482 * will be computed and permissions not granted by the acl will be removed from
483 * inode->i_mode. If there is no inheritable acl, the umask will be applied
487 richacl_inherit(const struct richacl *dir_acl, struct inode *inode)
489 const struct richace *dir_ace;
490 struct richacl *acl = NULL;
493 mode_t mask = ~current_umask();
495 if (S_ISDIR(inode->i_mode)) {
496 richacl_for_each_entry(dir_ace, dir_acl) {
497 if (!richace_is_inheritable(dir_ace))
503 acl = richacl_alloc(count);
505 return ERR_PTR(-ENOMEM);
506 ace = acl->a_entries;
507 richacl_for_each_entry(dir_ace, dir_acl) {
508 if (!richace_is_inheritable(dir_ace))
510 memcpy(ace, dir_ace, sizeof(struct richace));
511 if (dir_ace->e_flags & ACE4_NO_PROPAGATE_INHERIT_ACE)
512 richace_clear_inheritance_flags(ace);
513 if ((dir_ace->e_flags & ACE4_FILE_INHERIT_ACE) &&
514 !(dir_ace->e_flags & ACE4_DIRECTORY_INHERIT_ACE))
515 ace->e_flags |= ACE4_INHERIT_ONLY_ACE;
519 richacl_for_each_entry(dir_ace, dir_acl) {
520 if (!(dir_ace->e_flags & ACE4_FILE_INHERIT_ACE))
526 acl = richacl_alloc(count);
528 return ERR_PTR(-ENOMEM);
529 ace = acl->a_entries;
530 richacl_for_each_entry(dir_ace, dir_acl) {
531 if (!(dir_ace->e_flags & ACE4_FILE_INHERIT_ACE))
533 memcpy(ace, dir_ace, sizeof(struct richace));
534 richace_clear_inheritance_flags(ace);
536 * ACE4_DELETE_CHILD is meaningless for
537 * non-directories, so clear it.
539 ace->e_mask &= ~ACE4_DELETE_CHILD;
544 richacl_compute_max_masks(acl);
547 * Ensure that the acl will not grant any permissions beyond the create
550 acl->a_owner_mask &= richacl_mode_to_mask(inode->i_mode >> 6);
551 acl->a_group_mask &= richacl_mode_to_mask(inode->i_mode >> 3);
552 acl->a_other_mask &= richacl_mode_to_mask(inode->i_mode);
553 mask = ~S_IRWXUGO | richacl_masks_to_mode(acl);
555 if (richacl_is_auto_inherit(dir_acl)) {
557 * We need to set ACL4_PROTECTED because we are
558 * doing an implicit chmod
560 acl->a_flags = ACL4_AUTO_INHERIT | ACL4_PROTECTED;
561 richacl_for_each_entry(ace, acl)
562 ace->e_flags |= ACE4_INHERITED_ACE;
566 inode->i_mode &= mask;
569 EXPORT_SYMBOL_GPL(richacl_inherit);
572 * richacl_equiv_mode - check if @acl is equivalent to file permission bits
573 * @mode_p: the file mode (including the file type)
575 * If @acl can be fully represented by file permission bits, this function
576 * returns 0, and the file permission bits in @mode_p are set to the equivalent
579 * This function is used to avoid storing richacls on disk if the acl can be
580 * computed from the file permission bits. It allows user-space to make sure
581 * that a file has no explicit richacl set.
584 richacl_equiv_mode(const struct richacl *acl, mode_t *mode_p)
586 const struct richace *ace = acl->a_entries;
590 if (acl->a_count != 1 ||
592 !richace_is_everyone(ace) ||
593 !richace_is_allow(ace) ||
594 ace->e_flags & ~ACE4_SPECIAL_WHO)
598 * Figure out the permissions we care about: ACE4_DELETE_CHILD is
599 * meaningless for non-directories, so we ignore it.
601 x = ~ACE4_POSIX_ALWAYS_ALLOWED;
602 if (!S_ISDIR(*mode_p))
603 x &= ~ACE4_DELETE_CHILD;
605 if ((ace->e_mask & x) != (ACE4_POSIX_MODE_ALL & x))
608 mode = richacl_masks_to_mode(acl);
609 if ((acl->a_owner_mask & x) != (richacl_mode_to_mask(mode >> 6) & x) ||
610 (acl->a_group_mask & x) != (richacl_mode_to_mask(mode >> 3) & x) ||
611 (acl->a_other_mask & x) != (richacl_mode_to_mask(mode) & x))
614 *mode_p = (*mode_p & ~S_IRWXUGO) | mode;
617 EXPORT_SYMBOL_GPL(richacl_equiv_mode);