4 * Copyright (C) 2002 by Andreas Gruenbacher <a.gruenbacher@computer.org>
6 * Fixes from William Schumacher incorporated on 15 March 2001.
7 * (Reported by Charles Bertsch, <CBertsch@microtest.com>).
11 * This file contains generic functions for manipulating
12 * POSIX 1003.1e draft standard 17 ACLs.
15 #include <linux/kernel.h>
16 #include <linux/slab.h>
17 #include <linux/atomic.h>
19 #include <linux/sched.h>
20 #include <linux/posix_acl.h>
21 #include <linux/export.h>
23 #include <linux/errno.h>
25 struct posix_acl
**acl_by_type(struct inode
*inode
, int type
)
30 case ACL_TYPE_DEFAULT
:
31 return &inode
->i_default_acl
;
36 EXPORT_SYMBOL(acl_by_type
);
38 struct posix_acl
*get_cached_acl(struct inode
*inode
, int type
)
40 struct posix_acl
**p
= acl_by_type(inode
, type
);
41 struct posix_acl
*acl
= ACCESS_ONCE(*p
);
43 spin_lock(&inode
->i_lock
);
45 if (acl
!= ACL_NOT_CACHED
)
46 acl
= posix_acl_dup(acl
);
47 spin_unlock(&inode
->i_lock
);
51 EXPORT_SYMBOL(get_cached_acl
);
53 struct posix_acl
*get_cached_acl_rcu(struct inode
*inode
, int type
)
55 return rcu_dereference(*acl_by_type(inode
, type
));
57 EXPORT_SYMBOL(get_cached_acl_rcu
);
59 void set_cached_acl(struct inode
*inode
, int type
, struct posix_acl
*acl
)
61 struct posix_acl
**p
= acl_by_type(inode
, type
);
62 struct posix_acl
*old
;
63 spin_lock(&inode
->i_lock
);
65 rcu_assign_pointer(*p
, posix_acl_dup(acl
));
66 spin_unlock(&inode
->i_lock
);
67 if (old
!= ACL_NOT_CACHED
)
68 posix_acl_release(old
);
70 EXPORT_SYMBOL(set_cached_acl
);
72 void forget_cached_acl(struct inode
*inode
, int type
)
74 struct posix_acl
**p
= acl_by_type(inode
, type
);
75 struct posix_acl
*old
;
76 spin_lock(&inode
->i_lock
);
79 spin_unlock(&inode
->i_lock
);
80 if (old
!= ACL_NOT_CACHED
)
81 posix_acl_release(old
);
83 EXPORT_SYMBOL(forget_cached_acl
);
85 void forget_all_cached_acls(struct inode
*inode
)
87 struct posix_acl
*old_access
, *old_default
;
88 spin_lock(&inode
->i_lock
);
89 old_access
= inode
->i_acl
;
90 old_default
= inode
->i_default_acl
;
91 inode
->i_acl
= inode
->i_default_acl
= ACL_NOT_CACHED
;
92 spin_unlock(&inode
->i_lock
);
93 if (old_access
!= ACL_NOT_CACHED
)
94 posix_acl_release(old_access
);
95 if (old_default
!= ACL_NOT_CACHED
)
96 posix_acl_release(old_default
);
98 EXPORT_SYMBOL(forget_all_cached_acls
);
101 * Init a fresh posix_acl
104 posix_acl_init(struct posix_acl
*acl
, int count
)
106 atomic_set(&acl
->a_refcount
, 1);
107 acl
->a_count
= count
;
109 EXPORT_SYMBOL(posix_acl_init
);
112 * Allocate a new ACL with the specified number of entries.
115 posix_acl_alloc(int count
, gfp_t flags
)
117 const size_t size
= sizeof(struct posix_acl
) +
118 count
* sizeof(struct posix_acl_entry
);
119 struct posix_acl
*acl
= kmalloc(size
, flags
);
121 posix_acl_init(acl
, count
);
124 EXPORT_SYMBOL(posix_acl_alloc
);
129 static struct posix_acl
*
130 posix_acl_clone(const struct posix_acl
*acl
, gfp_t flags
)
132 struct posix_acl
*clone
= NULL
;
135 int size
= sizeof(struct posix_acl
) + acl
->a_count
*
136 sizeof(struct posix_acl_entry
);
137 clone
= kmemdup(acl
, size
, flags
);
139 atomic_set(&clone
->a_refcount
, 1);
145 * Check if an acl is valid. Returns 0 if it is, or -E... otherwise.
148 posix_acl_valid(const struct posix_acl
*acl
)
150 const struct posix_acl_entry
*pa
, *pe
;
151 int state
= ACL_USER_OBJ
;
154 FOREACH_ACL_ENTRY(pa
, acl
, pe
) {
155 if (pa
->e_perm
& ~(ACL_READ
|ACL_WRITE
|ACL_EXECUTE
))
159 if (state
== ACL_USER_OBJ
) {
166 if (state
!= ACL_USER
)
168 if (!uid_valid(pa
->e_uid
))
174 if (state
== ACL_USER
) {
181 if (state
!= ACL_GROUP
)
183 if (!gid_valid(pa
->e_gid
))
189 if (state
!= ACL_GROUP
)
195 if (state
== ACL_OTHER
||
196 (state
== ACL_GROUP
&& !needs_mask
)) {
210 EXPORT_SYMBOL(posix_acl_valid
);
213 * Returns 0 if the acl can be exactly represented in the traditional
214 * file mode permission bits, or else 1. Returns -E... on error.
217 posix_acl_equiv_mode(const struct posix_acl
*acl
, umode_t
*mode_p
)
219 const struct posix_acl_entry
*pa
, *pe
;
223 FOREACH_ACL_ENTRY(pa
, acl
, pe
) {
226 mode
|= (pa
->e_perm
& S_IRWXO
) << 6;
229 mode
|= (pa
->e_perm
& S_IRWXO
) << 3;
232 mode
|= pa
->e_perm
& S_IRWXO
;
235 mode
= (mode
& ~S_IRWXG
) |
236 ((pa
->e_perm
& S_IRWXO
) << 3);
248 *mode_p
= (*mode_p
& ~S_IRWXUGO
) | mode
;
251 EXPORT_SYMBOL(posix_acl_equiv_mode
);
254 * Create an ACL representing the file mode permission bits of an inode.
257 posix_acl_from_mode(umode_t mode
, gfp_t flags
)
259 struct posix_acl
*acl
= posix_acl_alloc(3, flags
);
261 return ERR_PTR(-ENOMEM
);
263 acl
->a_entries
[0].e_tag
= ACL_USER_OBJ
;
264 acl
->a_entries
[0].e_perm
= (mode
& S_IRWXU
) >> 6;
266 acl
->a_entries
[1].e_tag
= ACL_GROUP_OBJ
;
267 acl
->a_entries
[1].e_perm
= (mode
& S_IRWXG
) >> 3;
269 acl
->a_entries
[2].e_tag
= ACL_OTHER
;
270 acl
->a_entries
[2].e_perm
= (mode
& S_IRWXO
);
273 EXPORT_SYMBOL(posix_acl_from_mode
);
276 * Return 0 if current is granted want access to the inode
277 * by the acl. Returns -E... otherwise.
280 posix_acl_permission(struct inode
*inode
, const struct posix_acl
*acl
, int want
)
282 const struct posix_acl_entry
*pa
, *pe
, *mask_obj
;
285 want
&= MAY_READ
| MAY_WRITE
| MAY_EXEC
| MAY_NOT_BLOCK
;
287 FOREACH_ACL_ENTRY(pa
, acl
, pe
) {
290 /* (May have been checked already) */
291 if (uid_eq(inode
->i_uid
, current_fsuid()))
295 if (uid_eq(pa
->e_uid
, current_fsuid()))
299 if (in_group_p(inode
->i_gid
)) {
301 if ((pa
->e_perm
& want
) == want
)
306 if (in_group_p(pa
->e_gid
)) {
308 if ((pa
->e_perm
& want
) == want
)
326 for (mask_obj
= pa
+1; mask_obj
!= pe
; mask_obj
++) {
327 if (mask_obj
->e_tag
== ACL_MASK
) {
328 if ((pa
->e_perm
& mask_obj
->e_perm
& want
) == want
)
335 if ((pa
->e_perm
& want
) == want
)
341 * Modify acl when creating a new inode. The caller must ensure the acl is
342 * only referenced once.
344 * mode_p initially must contain the mode parameter to the open() / creat()
345 * system calls. All permissions that are not granted by the acl are removed.
346 * The permissions in the acl are changed to reflect the mode_p parameter.
348 static int posix_acl_create_masq(struct posix_acl
*acl
, umode_t
*mode_p
)
350 struct posix_acl_entry
*pa
, *pe
;
351 struct posix_acl_entry
*group_obj
= NULL
, *mask_obj
= NULL
;
352 umode_t mode
= *mode_p
;
355 /* assert(atomic_read(acl->a_refcount) == 1); */
357 FOREACH_ACL_ENTRY(pa
, acl
, pe
) {
360 pa
->e_perm
&= (mode
>> 6) | ~S_IRWXO
;
361 mode
&= (pa
->e_perm
<< 6) | ~S_IRWXU
;
374 pa
->e_perm
&= mode
| ~S_IRWXO
;
375 mode
&= pa
->e_perm
| ~S_IRWXO
;
389 mask_obj
->e_perm
&= (mode
>> 3) | ~S_IRWXO
;
390 mode
&= (mask_obj
->e_perm
<< 3) | ~S_IRWXG
;
394 group_obj
->e_perm
&= (mode
>> 3) | ~S_IRWXO
;
395 mode
&= (group_obj
->e_perm
<< 3) | ~S_IRWXG
;
398 *mode_p
= (*mode_p
& ~S_IRWXUGO
) | mode
;
403 * Modify the ACL for the chmod syscall.
405 static int posix_acl_chmod_masq(struct posix_acl
*acl
, umode_t mode
)
407 struct posix_acl_entry
*group_obj
= NULL
, *mask_obj
= NULL
;
408 struct posix_acl_entry
*pa
, *pe
;
410 /* assert(atomic_read(acl->a_refcount) == 1); */
412 FOREACH_ACL_ENTRY(pa
, acl
, pe
) {
415 pa
->e_perm
= (mode
& S_IRWXU
) >> 6;
431 pa
->e_perm
= (mode
& S_IRWXO
);
440 mask_obj
->e_perm
= (mode
& S_IRWXG
) >> 3;
444 group_obj
->e_perm
= (mode
& S_IRWXG
) >> 3;
451 posix_acl_create(struct posix_acl
**acl
, gfp_t gfp
, umode_t
*mode_p
)
453 struct posix_acl
*clone
= posix_acl_clone(*acl
, gfp
);
456 err
= posix_acl_create_masq(clone
, mode_p
);
458 posix_acl_release(clone
);
462 posix_acl_release(*acl
);
466 EXPORT_SYMBOL(posix_acl_create
);
469 posix_acl_chmod(struct posix_acl
**acl
, gfp_t gfp
, umode_t mode
)
471 struct posix_acl
*clone
= posix_acl_clone(*acl
, gfp
);
474 err
= posix_acl_chmod_masq(clone
, mode
);
476 posix_acl_release(clone
);
480 posix_acl_release(*acl
);
484 EXPORT_SYMBOL(posix_acl_chmod
);
This page took 0.046291 seconds and 6 git commands to generate.