| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 5 Jul 2016 10:08:37 -0700
From: "Frank Filz" <ffilzlnx@...dspring.com>
To: "'Jeff Layton'" <jlayton@...hat.com>,
"'Andreas Gruenbacher'" <agruenba@...hat.com>,
"'Alexander Viro'" <viro@...iv.linux.org.uk>
Cc: "'Christoph Hellwig'" <hch@...radead.org>,
"'Theodore Ts'o'" <tytso@....edu>,
"'Andreas Dilger'" <adilger.kernel@...ger.ca>,
"'J. Bruce Fields'" <bfields@...ldses.org>,
"'Trond Myklebust'" <trond.myklebust@...marydata.com>,
"'Anna Schumaker'" <anna.schumaker@...app.com>,
"'Dave Chinner'" <david@...morbit.com>,
<linux-ext4@...r.kernel.org>, <xfs@....sgi.com>,
<linux-kernel@...r.kernel.org>, <linux-fsdevel@...r.kernel.org>,
<linux-nfs@...r.kernel.org>, <linux-cifs@...r.kernel.org>,
<linux-api@...r.kernel.org>
Subject: RE: [PATCH v23 08/22] richacl: Compute maximum file masks from an acl
> > + * Note: functions like richacl_allowed_to_who(),
> > +richacl_group_class_allowed(),
> > + * and richacl_compute_max_masks() iterate through the entire acl in
> > +reverse
> > + * order as an optimization.
> > + *
> > + * In the standard algorithm, aces are considered in forward order.
> > +When a
> > + * process matches an ace, the permissions in the ace are either
> > +allowed or
> > + * denied depending on the ace type. Once a permission has been
> > +allowed or
> > + * denied, it is no longer considered in further aces.
> > + *
> > + * By iterating through the acl in reverse order, we can compute the
> > +same
> > + * result without having to keep track of which permissions have been
> > +allowed
> > + * and denied already.
> > + */
> >
>
> Clever!
Hmm, but does that result in examining the whole ACL for most access checks, at least for files where most of the accesses are by the owner, or a member of a specific group (with perhaps a ton of special case users added on the end)?
Frank
> > +
> > +/**
> > + * richacl_allowed_to_who - permissions allowed to a specific who
> > +value
> > + *
> > + * Compute the maximum mask values allowed to a specific who value,
> > +taking
> > + * everyone@ aces into account.
> > + */
> > +static unsigned int richacl_allowed_to_who(struct richacl *acl,
> > + struct richace *who)
> > +{
> > + struct richace *ace;
> > + unsigned int allowed = 0;
> > +
> > + richacl_for_each_entry_reverse(ace, acl) {
> > + if (richace_is_inherit_only(ace))
> > + continue;
> > + if (richace_is_same_identifier(ace, who) ||
> > + richace_is_everyone(ace)) {
> > + if (richace_is_allow(ace))
> > + allowed |= ace->e_mask;
> > + else if (richace_is_deny(ace))
> > + allowed &= ~ace->e_mask;
> > + }
> > + }
> > + return allowed;
> > +}
> > +
> > +/**
> > + * richacl_group_class_allowed - maximum permissions of the group
> > +class
> > + *
> > + * Compute the maximum mask values allowed to a process in the group
> > +class
> > + * (i.e., a process which is not the owner but is in the owning group
> > +or
> > + * matches a user or group acl entry). This includes permissions
> > +granted or
> > + * denied by everyone@ aces.
> > + *
> > + * See richacl_compute_max_masks().
> > + */
> > +static unsigned int richacl_group_class_allowed(struct richacl *acl)
> > +{
> > + struct richace *ace;
> > + unsigned int everyone_allowed = 0, group_class_allowed = 0;
> > + int had_group_ace = 0;
> > +
> > + richacl_for_each_entry_reverse(ace, acl) {
> > + if (richace_is_inherit_only(ace) ||
> > + richace_is_owner(ace))
> > + continue;
> > +
> > + if (richace_is_everyone(ace)) {
> > + if (richace_is_allow(ace))
> > + everyone_allowed |= ace->e_mask;
> > + else if (richace_is_deny(ace))
> > + everyone_allowed &= ~ace->e_mask;
> > + } else {
> > + group_class_allowed |=
> > + richacl_allowed_to_who(acl, ace);
> > +
> > + if (richace_is_group(ace))
> > + had_group_ace = 1;
> > + }
> > + }
> > + /*
> > + * If the acl doesn't contain any group@ aces,
> richacl_allowed_to_who()
> > + * wasn't called for the owning group. We could make that call now,
> but
> > + * we already know the result (everyone_allowed).
> > + */
> > + if (!had_group_ace)
> > + group_class_allowed |= everyone_allowed;
> > + return group_class_allowed;
> > +}
> > +
> > +/**
> > + * richacl_compute_max_masks - compute upper bound masks
> > + *
> > + * Computes upper bound owner, group, and other masks so that none of
> > +the
> > + * permissions allowed by the acl are disabled.
> > + *
> > + * We don't make assumptions about who the owner is so that the owner
> > +can
> > + * change with no effect on the file masks or file mode permission
> > +bits; this
> > + * means that we must assume that all entries can match the owner.
> > + */
> > +void richacl_compute_max_masks(struct richacl *acl) {
> > + unsigned int gmask = ~0;
> > + struct richace *ace;
> > +
> > + /*
> > + * @gmask contains all permissions which the group class is ever
> > + * allowed. We use it to avoid adding permissions to the group mask
> > + * from everyone@ allow aces which the group class is always denied
> > + * through other aces. For example, the following acl would
> otherwise
> > + * result in a group mask of rw:
> > + *
> > + * group@:w::deny
> > + * everyone@:rw::allow
> > + *
> > + * Avoid computing @gmask for acls which do not include any group
> class
> > + * deny aces: in such acls, the group class is never denied any
> > + * permissions from everyone@ allow aces, and the group class
> cannot
> > + * have fewer permissions than the other class.
> > + */
> > +
> > +restart:
> > + acl->a_owner_mask = 0;
> > + acl->a_group_mask = 0;
> > + acl->a_other_mask = 0;
> > +
> > + richacl_for_each_entry_reverse(ace, acl) {
> > + if (richace_is_inherit_only(ace))
> > + continue;
> > +
> > + if (richace_is_owner(ace)) {
> > + if (richace_is_allow(ace))
> > + acl->a_owner_mask |= ace->e_mask;
> > + else if (richace_is_deny(ace))
> > + acl->a_owner_mask &= ~ace->e_mask;
> > + } else if (richace_is_everyone(ace)) {
> > + if (richace_is_allow(ace)) {
> > + acl->a_owner_mask |= ace->e_mask;
> > + acl->a_group_mask |= ace->e_mask &
> gmask;
> > + acl->a_other_mask |= ace->e_mask;
> > + } else if (richace_is_deny(ace)) {
> > + acl->a_owner_mask &= ~ace->e_mask;
> > + acl->a_group_mask &= ~ace->e_mask;
> > + acl->a_other_mask &= ~ace->e_mask;
> > + }
> > + } else {
> > + if (richace_is_allow(ace)) {
> > + acl->a_owner_mask |= ace->e_mask &
> gmask;
> > + acl->a_group_mask |= ace->e_mask &
> gmask;
> > + } else if (richace_is_deny(ace) && gmask == ~0) {
> > + gmask = richacl_group_class_allowed(acl);
> > + if (likely(gmask != ~0))
> > + /* should always be true */
> > + goto restart;
> > + }
> > + }
> > + }
> > +
> > + acl->a_flags &= ~(RICHACL_WRITE_THROUGH | RICHACL_MASKED); }
> > +EXPORT_SYMBOL_GPL(richacl_compute_max_masks);
> > diff --git a/include/linux/richacl.h b/include/linux/richacl.h index
> > 9102ef0..3559b2c 100644
> > --- a/include/linux/richacl.h
> > +++ b/include/linux/richacl.h
> > @@ -178,5 +178,6 @@ extern void richace_copy(struct richace *, const
> > struct richace *);
> > extern int richacl_masks_to_mode(const struct richacl *);
> > extern unsigned int richacl_mode_to_mask(umode_t);
> > extern unsigned int richacl_want_to_mask(unsigned int);
> > +extern void richacl_compute_max_masks(struct richacl *);
> >
> > #endif /* __RICHACL_H */
>
> Reviewed-by: Jeff Layton <jlayton@...hat.com>
> --
> To unsubscribe from this list: send the line "unsubscribe linux-fsdevel" in the
> body of a message to majordomo@...r.kernel.org More majordomo info at
> http://vger.kernel.org/majordomo-info.html
---
This email has been checked for viruses by Avast antivirus software.
https://www.avast.com/antivirus
--
To unsubscribe from this list: send the line "unsubscribe linux-ext4" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists