/*
 * Copyright (C) 2002 by Andreas Gruenbacher <a.gruenbacher@computer.org>
 *
 * Fixes from William Schumacher incorporated on 15 March 2001.
 * (Reported by Charles Bertsch, <CBertsch@microtest.com>).
 *
 * This file contains generic functions for manipulating
 * POSIX 1003.1e draft standard 17 ACLs.
 */
15 #include <linux/kernel.h>
16 #include <linux/slab.h>
17 #include <linux/atomic.h>
19 #include <linux/sched.h>
20 #include <linux/posix_acl.h>
21 #include <linux/export.h>
23 #include <linux/errno.h>
/*
 * acl_by_type - select the inode's ACL cache slot for an ACL type.
 *
 * Returns the address of a pointer field inside the inode, so callers read
 * or replace the cached ACL through it. Only the ACL_TYPE_DEFAULT arm is
 * visible in this listing (it yields &inode->i_default_acl); listing lines
 * 26-29 and 32-35 are not shown.
 *
 * NOTE(review): the callers visible in this file dereference the result
 * without checking it. Confirm on the lines not shown that an unrecognised
 * 'type' cannot fall through and hand back an unrelated or NULL pointer.
 */
25 struct posix_acl **acl_by_type(struct inode *inode, int type)
30 	case ACL_TYPE_DEFAULT:
31 		return &inode->i_default_acl;
36 EXPORT_SYMBOL(acl_by_type);
/*
 * get_cached_acl - fetch the cached ACL of the given type from an inode.
 *
 * The slot is first sampled without the lock via ACCESS_ONCE(). The
 * comparison against the ACL_NOT_CACHED sentinel and the posix_acl_dup()
 * call then run between spin_lock() and spin_unlock() on inode->i_lock,
 * the same lock the writers in this file hold while replacing the slot.
 *
 * Listing lines 42, 44 and 48-50 are not shown, so the condition guarding
 * the locked section and the return statement cannot be seen here.
 *
 * NOTE(review): the pointer handed to posix_acl_dup() should be one that
 * was read while i_lock is held. Duplicating the unlocked sample from
 * line 41 could race with a writer that releases the old ACL. Confirm that
 * line 44 re-reads *p under the lock.
 */
38 struct posix_acl *get_cached_acl(struct inode *inode, int type)
40 	struct posix_acl **p = acl_by_type(inode, type);
41 	struct posix_acl *acl = ACCESS_ONCE(*p);
43 	spin_lock(&inode->i_lock);
45 	if (acl != ACL_NOT_CACHED)
46 		acl = posix_acl_dup(acl);
47 	spin_unlock(&inode->i_lock);
51 EXPORT_SYMBOL(get_cached_acl);
/*
 * get_cached_acl_rcu - lockless lookup of an inode's cached ACL.
 *
 * Reads the slot chosen by acl_by_type() through rcu_dereference() and
 * hands the pointer back as-is: i_lock is not taken and posix_acl_dup() is
 * not called, so no reference is held on the caller's behalf. The result
 * may therefore only be used inside the caller's RCU read-side critical
 * section, and it can be the ACL_NOT_CACHED sentinel rather than an ACL.
 */
struct posix_acl *get_cached_acl_rcu(struct inode *inode, int type)
{
	struct posix_acl **slot = acl_by_type(inode, type);

	return rcu_dereference(*slot);
}
EXPORT_SYMBOL(get_cached_acl_rcu);
/*
 * set_cached_acl - install 'acl' as the cached ACL of the given type.
 *
 * The new slot value is the result of posix_acl_dup(acl) and is published
 * with rcu_assign_pointer() while inode->i_lock is held. The previous value
 * is passed to posix_acl_release() only after the lock is dropped, and only
 * when it is not the ACL_NOT_CACHED sentinel.
 *
 * Listing line 64 is not shown. 'old' is declared without an initialiser
 * and tested after the unlock, so it has to be loaded from *p there.
 *
 * NOTE(review): confirm that load sits inside the locked section, before
 * the slot is overwritten. Otherwise the release below would act on a stale
 * or indeterminate pointer.
 */
59 void set_cached_acl(struct inode *inode, int type, struct posix_acl *acl)
61 	struct posix_acl **p = acl_by_type(inode, type);
62 	struct posix_acl *old;
63 	spin_lock(&inode->i_lock);
65 	rcu_assign_pointer(*p, posix_acl_dup(acl));
66 	spin_unlock(&inode->i_lock);
/* The sentinel is not a real object and must never be released. */
67 	if (old != ACL_NOT_CACHED)
68 		posix_acl_release(old);
70 EXPORT_SYMBOL(set_cached_acl);
/*
 * forget_cached_acl - drop the cached ACL of the given type.
 *
 * Visible here: the slot is looked up with acl_by_type(), inode->i_lock is
 * taken and dropped, and the old value is passed to posix_acl_release()
 * unless it is ACL_NOT_CACHED.
 *
 * Listing lines 77-78, between the lock and the unlock, are not shown.
 * Presumably they save *p into 'old' and reset the slot, as
 * forget_all_cached_acls() does for both slots - confirm, since 'old' has
 * no initialiser on line 75.
 */
72 void forget_cached_acl(struct inode *inode, int type)
74 	struct posix_acl **p = acl_by_type(inode, type);
75 	struct posix_acl *old;
76 	spin_lock(&inode->i_lock);
79 	spin_unlock(&inode->i_lock);
/* Release happens outside the lock; the sentinel is skipped. */
80 	if (old != ACL_NOT_CACHED)
81 		posix_acl_release(old);
83 EXPORT_SYMBOL(forget_cached_acl);
/*
 * forget_all_cached_acls - invalidate both cached ACLs of an inode.
 *
 * Under inode->i_lock the access and default slots are saved and reset to
 * ACL_NOT_CACHED. The saved values are released only after the lock has
 * been dropped, and the sentinel itself is never passed to
 * posix_acl_release().
 */
void forget_all_cached_acls(struct inode *inode)
{
	struct posix_acl *stale_access;
	struct posix_acl *stale_default;

	spin_lock(&inode->i_lock);
	stale_access = inode->i_acl;
	stale_default = inode->i_default_acl;
	/* Same store order as a chained assignment: default slot first. */
	inode->i_default_acl = ACL_NOT_CACHED;
	inode->i_acl = ACL_NOT_CACHED;
	spin_unlock(&inode->i_lock);

	if (stale_access != ACL_NOT_CACHED)
		posix_acl_release(stale_access);
	if (stale_default != ACL_NOT_CACHED)
		posix_acl_release(stale_default);
}
EXPORT_SYMBOL(forget_all_cached_acls);
/*
 * Init a fresh posix_acl: record the entry count and start the reference
 * count at 1.
 *
 * 'count' is stored unchecked. It later sizes the copy made in
 * posix_acl_clone(), so it has to match the number of entries the caller
 * actually allocated room for.
 *
 * The return-type line of this function is not shown in the listing; void
 * matches the statement-only call in posix_acl_alloc().
 */
void
posix_acl_init(struct posix_acl *acl, int count)
{
	acl->a_count = count;
	atomic_set(&acl->a_refcount, 1);
}
EXPORT_SYMBOL(posix_acl_init);
/*
 * Allocate a new ACL with the specified number of entries.
 *
 * The allocation size is sizeof(struct posix_acl) plus 'count' entries and
 * is passed to kmalloc() with the caller's gfp flags; posix_acl_init() then
 * records 'count' in the new object. Listing lines 113-114, 120 and 122-123
 * are not shown, so the return type, the allocation-failure handling and
 * the return statement are not visible here.
 *
 * NOTE(review): 'count' is a signed int multiplied by a size_t. Nothing in
 * the visible lines rejects a negative or very large value, in which case
 * the size would wrap and the buffer would be smaller than a_count claims.
 * Callers that derive the count from untrusted data (for example an ACL
 * supplied from outside the kernel) need to bound it first - confirm at the
 * call sites.
 * NOTE(review): confirm line 120 guards posix_acl_init() against a NULL
 * return from kmalloc().
 */
115 posix_acl_alloc(int count, gfp_t flags)
117 	const size_t size = sizeof(struct posix_acl) +
118 	                    count * sizeof(struct posix_acl_entry);
119 	struct posix_acl *acl = kmalloc(size, flags);
121 		posix_acl_init(acl, count);
124 EXPORT_SYMBOL(posix_acl_alloc);
/*
 * posix_acl_clone - duplicate an ACL into a freshly allocated object.
 *
 * The copy is made with kmemdup() over the header plus a_count entries, and
 * its reference count is then set to 1, so the clone starts with a single
 * owner regardless of the source's refcount. Listing lines 133-134, 138 and
 * 140-143 are not shown (presumably the NULL checks and the return).
 *
 * NOTE(review): 'size' is an int holding a size_t expression. That is only
 * safe while a_count was bounded when the source ACL was created.
 */
129 static struct posix_acl *
130 posix_acl_clone(const struct posix_acl *acl, gfp_t flags)
132 	struct posix_acl *clone = NULL;
135 		int size = sizeof(struct posix_acl) + acl->a_count *
136 		           sizeof(struct posix_acl_entry);
137 		clone = kmemdup(acl, size, flags);
/* kmemdup() copied the source's refcount along with the data; reset it. */
139 			atomic_set(&clone->a_refcount, 1);
/*
 * Check if an acl is valid. Returns 0 if it is, or -E... otherwise.
 *
 * What the visible lines establish:
 *  - each entry's e_perm is tested for bits outside ACL_READ, ACL_WRITE
 *    and ACL_EXECUTE;
 *  - 'state' starts at ACL_USER_OBJ and is compared against ACL_USER,
 *    ACL_GROUP and ACL_OTHER while the entries are walked, i.e. entries
 *    are expected in a fixed tag order;
 *  - e_uid / e_gid are tested with uid_valid() / gid_valid() and compared
 *    with the previous qualifier through uid_lte() / gid_lte().
 * The dispatch on the entry tag, the outcome of each test (presumably an
 * error return), the declaration of needs_mask and the final return are on
 * listing lines that are not shown.
 *
 * This check is what the other helpers in this file lean on: for example
 * posix_acl_permission() looks for ACL_MASK only after the matched entry,
 * which is only correct for an ACL whose ordering was validated here.
 */
148 posix_acl_valid(const struct posix_acl *acl)
150 	const struct posix_acl_entry *pa, *pe;
151 	int state = ACL_USER_OBJ;
152 	kuid_t prev_uid = INVALID_UID;
153 	kgid_t prev_gid = INVALID_GID;
156 	FOREACH_ACL_ENTRY(pa, acl, pe) {
/* Permission bits outside read/write/execute are tested first. */
157 		if (pa->e_perm & ~(ACL_READ|ACL_WRITE|ACL_EXECUTE))
161 				if (state == ACL_USER_OBJ) {
/* Case label not shown; the uid tests suggest the ACL_USER arm. */
168 				if (state != ACL_USER)
170 				if (!uid_valid(pa->e_uid))
/* Compared with the previous uid: presumably rejects unsorted or duplicate
 * qualifiers - the branch body is not shown. */
172 				if (uid_valid(prev_uid) &&
173 				    uid_lte(pa->e_uid, prev_uid))
175 				prev_uid = pa->e_uid;
180 				if (state == ACL_USER) {
/* Case label not shown; the gid tests suggest the ACL_GROUP arm. */
187 				if (state != ACL_GROUP)
189 				if (!gid_valid(pa->e_gid))
191 				if (gid_valid(prev_gid) &&
192 				    gid_lte(pa->e_gid, prev_gid))
194 				prev_gid = pa->e_gid;
199 				if (state != ACL_GROUP)
/* Reaching this test in state ACL_GROUP is accepted only when needs_mask
 * is clear; where needs_mask is set is not shown. */
205 				if (state == ACL_OTHER ||
206 				    (state == ACL_GROUP && !needs_mask)) {
220 EXPORT_SYMBOL(posix_acl_valid);
/*
 * Returns 0 if the acl can be exactly represented in the traditional
 * file mode permission bits, or else 1. Returns -E... on error.
 *
 * Visible lines: entry permissions are masked with S_IRWXO (the low three
 * bits) and folded into 'mode' shifted left by 6, by 3, or not at all -
 * the user, group and other positions of a file mode. One arm replaces the
 * S_IRWXG bits outright instead of OR-ing into them. The case labels that
 * select these arms, the declaration of 'mode' and the return statements
 * are on listing lines that are not shown.
 *
 * On the way out only the S_IRWXUGO bits of *mode_p are replaced; all other
 * bits of the caller's mode are preserved.
 */
227 posix_acl_equiv_mode(const struct posix_acl *acl, umode_t *mode_p)
229 	const struct posix_acl_entry *pa, *pe;
233 	FOREACH_ACL_ENTRY(pa, acl, pe) {
236 				mode |= (pa->e_perm & S_IRWXO) << 6;
239 				mode |= (pa->e_perm & S_IRWXO) << 3;
242 				mode |= pa->e_perm & S_IRWXO;
/* Overwrites, rather than adds to, the group bits computed so far. */
245 				mode = (mode & ~S_IRWXG) |
246 				       ((pa->e_perm & S_IRWXO) << 3);
258 		*mode_p = (*mode_p & ~S_IRWXUGO) | mode;
261 EXPORT_SYMBOL(posix_acl_equiv_mode);
/*
 * Create an ACL representing the file mode permission bits of an inode.
 *
 * Allocates a three-entry ACL with posix_acl_alloc() and fills it as
 * ACL_USER_OBJ, ACL_GROUP_OBJ and ACL_OTHER from the S_IRWXU, S_IRWXG and
 * S_IRWXO bits of 'mode', each shifted down into the low three bits.
 * ERR_PTR(-ENOMEM) is the failure value; the condition guarding it (listing
 * line 270), the return type and the final return are not shown.
 */
267 posix_acl_from_mode(umode_t mode, gfp_t flags)
269 	struct posix_acl *acl = posix_acl_alloc(3, flags);
271 		return ERR_PTR(-ENOMEM);
273 	acl->a_entries[0].e_tag = ACL_USER_OBJ;
274 	acl->a_entries[0].e_perm = (mode & S_IRWXU) >> 6;
276 	acl->a_entries[1].e_tag = ACL_GROUP_OBJ;
277 	acl->a_entries[1].e_perm = (mode & S_IRWXG) >> 3;
279 	acl->a_entries[2].e_tag = ACL_OTHER;
280 	acl->a_entries[2].e_perm = (mode & S_IRWXO);
283 EXPORT_SYMBOL(posix_acl_from_mode);
/*
 * Return 0 if current is granted want access to the inode
 * by the acl. Returns -E... otherwise.
 *
 * Visible lines: 'want' is reduced to MAY_READ | MAY_WRITE | MAY_EXEC |
 * MAY_NOT_BLOCK. Entries are matched against the caller's filesystem uid
 * (current_fsuid()) and group membership (in_group_p()), using either the
 * inode's owner/group or the entry's own e_uid/e_gid. An entry satisfies
 * the request only when (e_perm & want) == want, i.e. every requested bit
 * is present. When an ACL_MASK entry is found between pa+1 and pe, its
 * e_perm is ANDed in as well. The tag dispatch, the jumps between these
 * sections and all return statements are on listing lines not shown.
 *
 * NOTE(review): MAY_NOT_BLOCK survives the masking of 'want' on line 295.
 * posix_acl_valid() tests e_perm for anything beyond the read/write/execute
 * bits, so a 'want' that still carries MAY_NOT_BLOCK could presumably never
 * satisfy (e_perm & want) == want. That errs towards denial, but confirm
 * that callers strip the flag before calling.
 * NOTE(review): the mask search starts at pa+1, so it relies on ACL_MASK
 * being ordered after the matched entry. An ACL that reaches this function
 * without passing posix_acl_valid() could have its mask skipped.
 */
290 posix_acl_permission(struct inode *inode, const struct posix_acl *acl, int want)
292 	const struct posix_acl_entry *pa, *pe, *mask_obj;
295 	want &= MAY_READ | MAY_WRITE | MAY_EXEC | MAY_NOT_BLOCK;
297 	FOREACH_ACL_ENTRY(pa, acl, pe) {
300 				/* (May have been checked already) */
301 				if (uid_eq(inode->i_uid, current_fsuid()))
305 				if (uid_eq(pa->e_uid, current_fsuid()))
309 				if (in_group_p(inode->i_gid)) {
311 					if ((pa->e_perm & want) == want)
316 				if (in_group_p(pa->e_gid)) {
318 					if ((pa->e_perm & want) == want)
/* Scan the entries after the matched one for the mask. */
336 	for (mask_obj = pa+1; mask_obj != pe; mask_obj++) {
337 		if (mask_obj->e_tag == ACL_MASK) {
338 			if ((pa->e_perm & mask_obj->e_perm & want) == want)
/* Unmasked check of the matched entry alone. */
345 	if ((pa->e_perm & want) == want)
/*
 * Modify acl when creating a new inode. The caller must ensure the acl is
 * only referenced once.
 *
 * mode_p initially must contain the mode parameter to the open() / creat()
 * system calls. All permissions that are not granted by the acl are removed.
 * The permissions in the acl are changed to reflect the mode_p parameter.
 *
 * Visible lines: every step is a pair of AND operations - the entry's
 * e_perm is first limited to the matching three bits of 'mode', then 'mode'
 * is limited to what the entry still grants. Neither side can gain a bit.
 * The "| ~S_IRWXO" / "| ~S_IRWXU" / "| ~S_IRWXG" terms keep all bits outside
 * the field being processed untouched. At the end only the S_IRWXUGO bits
 * of *mode_p are replaced. The tag dispatch, the choice between mask_obj
 * and group_obj and the return statements are on listing lines not shown.
 *
 * NOTE(review): the single-reference requirement is not enforced - the
 * assertion on line 365 is commented out. The ACL is edited in place, so a
 * shared ACL passed here would change permissions for every other holder.
 * NOTE(review): mask_obj and group_obj start as NULL and are dereferenced on
 * lines 399-405; confirm both are checked on the lines not shown.
 */
358 static int posix_acl_create_masq(struct posix_acl *acl, umode_t *mode_p)
360 	struct posix_acl_entry *pa, *pe;
361 	struct posix_acl_entry *group_obj = NULL, *mask_obj = NULL;
362 	umode_t mode = *mode_p;
365 	/* assert(atomic_read(acl->a_refcount) == 1); */
367 	FOREACH_ACL_ENTRY(pa, acl, pe) {
/* User field: bits 8..6 of the mode against the entry's low three bits. */
370 				pa->e_perm &= (mode >> 6) | ~S_IRWXO;
371 				mode &= (pa->e_perm << 6) | ~S_IRWXU;
/* Other field: no shift needed. */
384 				pa->e_perm &= mode | ~S_IRWXO;
385 				mode &= pa->e_perm | ~S_IRWXO;
/* Group field, applied to the mask entry ... */
399 		mask_obj->e_perm &= (mode >> 3) | ~S_IRWXO;
400 		mode &= (mask_obj->e_perm << 3) | ~S_IRWXG;
/* ... or to the owning-group entry. */
404 		group_obj->e_perm &= (mode >> 3) | ~S_IRWXO;
405 		mode &= (group_obj->e_perm << 3) | ~S_IRWXG;
408 	*mode_p = (*mode_p & ~S_IRWXUGO) | mode;
/*
 * Modify the ACL for the chmod syscall.
 *
 * Visible lines: unlike posix_acl_create_masq(), the entry permissions are
 * assigned, not ANDed - the user, other and group fields of 'mode' overwrite
 * e_perm, so chmod can add permissions as well as remove them. The group
 * bits are written to mask_obj or to group_obj; which one is chosen, the
 * tag dispatch and the return statements are on listing lines not shown.
 *
 * NOTE(review): the ACL is edited in place and the single-reference
 * assertion on line 420 is commented out, so the caller has to pass a
 * private copy.
 * NOTE(review): mask_obj and group_obj start as NULL and are dereferenced on
 * lines 450 and 454; confirm both are checked on the lines not shown, since
 * an ACL without those entries would otherwise be written through NULL.
 */
415 static int posix_acl_chmod_masq(struct posix_acl *acl, umode_t mode)
417 	struct posix_acl_entry *group_obj = NULL, *mask_obj = NULL;
418 	struct posix_acl_entry *pa, *pe;
420 	/* assert(atomic_read(acl->a_refcount) == 1); */
422 	FOREACH_ACL_ENTRY(pa, acl, pe) {
425 				pa->e_perm = (mode & S_IRWXU) >> 6;
441 				pa->e_perm = (mode & S_IRWXO);
450 		mask_obj->e_perm = (mode & S_IRWXG) >> 3;
454 		group_obj->e_perm = (mode & S_IRWXG) >> 3;
/*
 * posix_acl_create - apply the creation mode to an ACL for a new inode.
 *
 * The masquerading is done on a private copy from posix_acl_clone(), which
 * satisfies posix_acl_create_masq()'s requirement that the ACL it edits in
 * place is referenced only once. Both the clone and the caller's original
 * (*acl) are passed to posix_acl_release() on visible lines; the conditions
 * around those calls, the value stored back into *acl, the return type and
 * the return statements are on listing lines not shown.
 *
 * NOTE(review): confirm that *acl is always overwritten after line 472, so
 * the caller is never left holding a pointer to the released original.
 */
461 posix_acl_create(struct posix_acl **acl, gfp_t gfp, umode_t *mode_p)
463 	struct posix_acl *clone = posix_acl_clone(*acl, gfp);
466 		err = posix_acl_create_masq(clone, mode_p);
/* Presumably the failure path: the unused clone is dropped. */
468 			posix_acl_release(clone);
/* The caller's reference to the original is consumed here. */
472 	posix_acl_release(*acl);
476 EXPORT_SYMBOL(posix_acl_create);
/*
 * posix_acl_chmod - rewrite an ACL to match a new file mode.
 *
 * Same shape as posix_acl_create(): the change is made on a private copy
 * from posix_acl_clone(), because posix_acl_chmod_masq() edits the ACL in
 * place. Both the clone and the caller's original (*acl) are passed to
 * posix_acl_release() on visible lines; the conditions around those calls,
 * the value stored back into *acl, the return type and the return
 * statements are on listing lines not shown.
 *
 * NOTE(review): confirm that *acl is always overwritten after line 490, so
 * the caller is never left holding a pointer to the released original.
 */
479 posix_acl_chmod(struct posix_acl **acl, gfp_t gfp, umode_t mode)
481 	struct posix_acl *clone = posix_acl_clone(*acl, gfp);
484 		err = posix_acl_chmod_masq(clone, mode);
/* Presumably the failure path: the unused clone is dropped. */
486 			posix_acl_release(clone);
/* The caller's reference to the original is consumed here. */
490 	posix_acl_release(*acl);
494 EXPORT_SYMBOL(posix_acl_chmod);