| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 05 Jul 2016 10:22:17 -0400
From: Jeff Layton <jlayton@...hat.com>
To: Andreas Gruenbacher <agruenba@...hat.com>,
Alexander Viro <viro@...iv.linux.org.uk>
Cc: Christoph Hellwig <hch@...radead.org>,
Theodore Ts'o <tytso@....edu>,
Andreas Dilger <adilger.kernel@...ger.ca>,
"J. Bruce Fields" <bfields@...ldses.org>,
Trond Myklebust <trond.myklebust@...marydata.com>,
Anna Schumaker <anna.schumaker@...app.com>,
Dave Chinner <david@...morbit.com>, linux-ext4@...r.kernel.org,
xfs@....sgi.com, linux-kernel@...r.kernel.org,
linux-fsdevel@...r.kernel.org, linux-nfs@...r.kernel.org,
linux-cifs@...r.kernel.org, linux-api@...r.kernel.org
Subject: Re: [PATCH v23 08/22] richacl: Compute maximum file masks from an
acl
On Thu, 2016-06-30 at 15:46 +0200, Andreas Gruenbacher wrote:
> Compute upper bound owner, group, and other file masks with as few
> permissions as possible without denying any permissions that the NFSv4
> acl in a richacl grants.
>
> This algorithm is used when a file inherits an acl at create time and
> when an acl is set via a mechanism that does not provide file masks
> (such as setting an acl via nfsd). When user-space sets an acl via
> setxattr, the extended attribute already includes the file masks.
>
> Setting an acl also sets the file mode permission bits: they are
> determined by the file masks; see richacl_masks_to_mode().
>
> Signed-off-by: Andreas Gruenbacher <agruenba@...hat.com>
> Reviewed-by: J. Bruce Fields <bfields@...hat.com>
> ---
> fs/richacl.c | 157 ++++++++++++++++++++++++++++++++++++++++++++++++
> include/linux/richacl.h | 1 +
> 2 files changed, 158 insertions(+)
>
> diff --git a/fs/richacl.c b/fs/richacl.c
> index d0a4135..056228f 100644
> --- a/fs/richacl.c
> +++ b/fs/richacl.c
> @@ -181,3 +181,160 @@ richacl_want_to_mask(unsigned int want)
> return mask;
> }
> EXPORT_SYMBOL_GPL(richacl_want_to_mask);
> +
> +/*
> + * Note: functions like richacl_allowed_to_who(), richacl_group_class_allowed(),
> + * and richacl_compute_max_masks() iterate through the entire acl in reverse
> + * order as an optimization.
> + *
> + * In the standard algorithm, aces are considered in forward order. When a
> + * process matches an ace, the permissions in the ace are either allowed or
> + * denied depending on the ace type. Once a permission has been allowed or
> + * denied, it is no longer considered in further aces.
> + *
> + * By iterating through the acl in reverse order, we can compute the same
> + * result without having to keep track of which permissions have been allowed
> + * and denied already.
> + */
>
Clever!
> +
> +/**
> + * richacl_allowed_to_who - permissions allowed to a specific who value
> + *
> + * Compute the maximum mask values allowed to a specific who value, taking
> + * everyone@ aces into account.
> + */
> +static unsigned int richacl_allowed_to_who(struct richacl *acl,
> + struct richace *who)
> +{
> + struct richace *ace;
> + unsigned int allowed = 0;
> +
> + richacl_for_each_entry_reverse(ace, acl) {
> + if (richace_is_inherit_only(ace))
> + continue;
> + if (richace_is_same_identifier(ace, who) ||
> + richace_is_everyone(ace)) {
> + if (richace_is_allow(ace))
> + allowed |= ace->e_mask;
> + else if (richace_is_deny(ace))
> + allowed &= ~ace->e_mask;
> + }
> + }
> + return allowed;
> +}
> +
> +/**
> + * richacl_group_class_allowed - maximum permissions of the group class
> + *
> + * Compute the maximum mask values allowed to a process in the group class
> + * (i.e., a process which is not the owner but is in the owning group or
> + * matches a user or group acl entry). This includes permissions granted or
> + * denied by everyone@ aces.
> + *
> + * See richacl_compute_max_masks().
> + */
> +static unsigned int richacl_group_class_allowed(struct richacl *acl)
> +{
> + struct richace *ace;
> + unsigned int everyone_allowed = 0, group_class_allowed = 0;
> + int had_group_ace = 0;
> +
> + richacl_for_each_entry_reverse(ace, acl) {
> + if (richace_is_inherit_only(ace) ||
> + richace_is_owner(ace))
> + continue;
> +
> + if (richace_is_everyone(ace)) {
> + if (richace_is_allow(ace))
> + everyone_allowed |= ace->e_mask;
> + else if (richace_is_deny(ace))
> + everyone_allowed &= ~ace->e_mask;
> + } else {
> + group_class_allowed |=
> + richacl_allowed_to_who(acl, ace);
> +
> + if (richace_is_group(ace))
> + had_group_ace = 1;
> + }
> + }
> + /*
> + * If the acl doesn't contain any group@ aces, richacl_allowed_to_who()
> + * wasn't called for the owning group. We could make that call now, but
> + * we already know the result (everyone_allowed).
> + */
> + if (!had_group_ace)
> + group_class_allowed |= everyone_allowed;
> + return group_class_allowed;
> +}
> +
> +/**
> + * richacl_compute_max_masks - compute upper bound masks
> + *
> + * Computes upper bound owner, group, and other masks so that none of the
> + * permissions allowed by the acl are disabled.
> + *
> + * We don't make assumptions about who the owner is so that the owner can
> + * change with no effect on the file masks or file mode permission bits; this
> + * means that we must assume that all entries can match the owner.
> + */
> +void richacl_compute_max_masks(struct richacl *acl)
> +{
> + unsigned int gmask = ~0;
> + struct richace *ace;
> +
> + /*
> + * @gmask contains all permissions which the group class is ever
> + * allowed. We use it to avoid adding permissions to the group mask
> + * from everyone@ allow aces which the group class is always denied
> + * through other aces. For example, the following acl would otherwise
> + * result in a group mask of rw:
> + *
> + * group@:w::deny
> + * everyone@:rw::allow
> + *
> + * Avoid computing @gmask for acls which do not include any group class
> + * deny aces: in such acls, the group class is never denied any
> + * permissions from everyone@ allow aces, and the group class cannot
> + * have fewer permissions than the other class.
> + */
> +
> +restart:
> + acl->a_owner_mask = 0;
> + acl->a_group_mask = 0;
> + acl->a_other_mask = 0;
> +
> + richacl_for_each_entry_reverse(ace, acl) {
> + if (richace_is_inherit_only(ace))
> + continue;
> +
> + if (richace_is_owner(ace)) {
> + if (richace_is_allow(ace))
> + acl->a_owner_mask |= ace->e_mask;
> + else if (richace_is_deny(ace))
> + acl->a_owner_mask &= ~ace->e_mask;
> + } else if (richace_is_everyone(ace)) {
> + if (richace_is_allow(ace)) {
> + acl->a_owner_mask |= ace->e_mask;
> + acl->a_group_mask |= ace->e_mask & gmask;
> + acl->a_other_mask |= ace->e_mask;
> + } else if (richace_is_deny(ace)) {
> + acl->a_owner_mask &= ~ace->e_mask;
> + acl->a_group_mask &= ~ace->e_mask;
> + acl->a_other_mask &= ~ace->e_mask;
> + }
> + } else {
> + if (richace_is_allow(ace)) {
> + acl->a_owner_mask |= ace->e_mask & gmask;
> + acl->a_group_mask |= ace->e_mask & gmask;
> + } else if (richace_is_deny(ace) && gmask == ~0) {
> + gmask = richacl_group_class_allowed(acl);
> + if (likely(gmask != ~0))
> + /* should always be true */
> + goto restart;
> + }
> + }
> + }
> +
> + acl->a_flags &= ~(RICHACL_WRITE_THROUGH | RICHACL_MASKED);
> +}
> +EXPORT_SYMBOL_GPL(richacl_compute_max_masks);
> diff --git a/include/linux/richacl.h b/include/linux/richacl.h
> index 9102ef0..3559b2c 100644
> --- a/include/linux/richacl.h
> +++ b/include/linux/richacl.h
> @@ -178,5 +178,6 @@ extern void richace_copy(struct richace *, const struct richace *);
> extern int richacl_masks_to_mode(const struct richacl *);
> extern unsigned int richacl_mode_to_mask(umode_t);
> extern unsigned int richacl_want_to_mask(unsigned int);
> +extern void richacl_compute_max_masks(struct richacl *);
>
> #endif /* __RICHACL_H */
Reviewed-by: Jeff Layton <jlayton@...hat.com>
--
To unsubscribe from this list: send the line "unsubscribe linux-ext4" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists