[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20150902195408.GC3319@fieldses.org>
Date: Wed, 2 Sep 2015 15:54:08 -0400
From: bfields@...ldses.org (J. Bruce Fields)
To: Andreas Gruenbacher <andreas.gruenbacher@...il.com>
Cc: linux-kernel@...r.kernel.org, linux-fsdevel@...r.kernel.org,
linux-nfs@...r.kernel.org, linux-api@...r.kernel.org,
linux-cifs@...r.kernel.org, linux-security-module@...r.kernel.org,
Andreas Gruenbacher <agruenba@...hat.com>
Subject: Re: [RFC v6 08/40] richacl: Compute maximum file masks from an acl
On Tue, Aug 04, 2015 at 01:53:06PM +0200, Andreas Gruenbacher wrote:
> Compute upper bound owner, group, and other file masks with as few
> permissions as possible without denying any permissions that the NFSv4
> acl in a richacl grants.
>
> This algorithm is used when a file inherits an acl at create time and
> when an acl is set via a mechanism that does not provide file masks
> (such as setting an acl via nfsd). When user-space sets an acl via
> setxattr, the extended attribute already includes the file masks.
>
> Setting an acl also sets the file mode permission bits: they are
> determined by the file masks; see richacl_masks_to_mode().
>
> Signed-off-by: Andreas Gruenbacher <agruenba@...hat.com>
> Reviewed-by: J. Bruce Fields <bfields@...hat.com>
> ---
> fs/richacl_base.c | 156 ++++++++++++++++++++++++++++++++++++++++++++++++
> include/linux/richacl.h | 1 +
> 2 files changed, 157 insertions(+)
>
> diff --git a/fs/richacl_base.c b/fs/richacl_base.c
> index 063dbe4..8426600 100644
> --- a/fs/richacl_base.c
> +++ b/fs/richacl_base.c
> @@ -182,3 +182,159 @@ richacl_want_to_mask(unsigned int want)
> return mask;
> }
> EXPORT_SYMBOL_GPL(richacl_want_to_mask);
> +
> +/*
> + * Note: functions like richacl_allowed_to_who(), richacl_group_class_allowed(),
> + * and richacl_compute_max_masks() iterate through the entire acl in reverse
> + * order as an optimization.
> + *
> + * In the standard algorithm, aces are considered in forward order. When a
> + * process matches an ace, the permissions in the ace are either allowed or
> + * denied depending on the ace type. Once a permission has been allowed or
> + * denied, it is no longer considered in further aces.
> + *
> + * By iterating through the acl in reverse order, we can compute the same
> + * result without having to keep track of which permissions have been allowed
> + * and denied already.
> + */
> +
> +/**
> + * richacl_allowed_to_who - permissions allowed to a specific who value
> + *
> + * Compute the maximum mask values allowed to a specific who value, taking
> + * everyone@ aces into account.
> + */
> +static unsigned int richacl_allowed_to_who(struct richacl *acl,
> + struct richace *who)
> +{
> + struct richace *ace;
> + unsigned int allowed = 0;
> +
> + richacl_for_each_entry_reverse(ace, acl) {
> + if (richace_is_inherit_only(ace))
> + continue;
> + if (richace_is_same_identifier(ace, who) ||
> + richace_is_everyone(ace)) {
> + if (richace_is_allow(ace))
> + allowed |= ace->e_mask;
> + else if (richace_is_deny(ace))
> + allowed &= ~ace->e_mask;
> + }
> + }
> + return allowed;
> +}
> +
> +/**
> + * richacl_group_class_allowed - maximum permissions of the group class
> + *
> + * Compute the maximum mask values allowed to a process in the group class
> + * (i.e., a process which is not the owner but is in the owning group or
> + * matches a user or group acl entry). This includes permissions granted or
> + * denied by everyone@ aces.
> + *
> + * See richacl_compute_max_masks().
> + */
> +static unsigned int richacl_group_class_allowed(struct richacl *acl)
> +{
> + struct richace *ace;
> + unsigned int everyone_allowed = 0, group_class_allowed = 0;
> + int had_group_ace = 0;
> +
> + richacl_for_each_entry_reverse(ace, acl) {
> + if (richace_is_inherit_only(ace) ||
> + richace_is_owner(ace))
> + continue;
> +
> + if (richace_is_everyone(ace)) {
> + if (richace_is_allow(ace))
> + everyone_allowed |= ace->e_mask;
> + else if (richace_is_deny(ace))
> + everyone_allowed &= ~ace->e_mask;
> + } else {
> + group_class_allowed |=
> + richacl_allowed_to_who(acl, ace);
> +
> + if (richace_is_group(ace))
> + had_group_ace = 1;
> + }
> + }
> + /*
> + * If the acl doesn't contain any group@ aces, richacl_allowed_to_who()
> + * wasn't called for the owning group. We could make that call now, but
> + * we already know the result (everyone_allowed).
> + */
> + if (!had_group_ace)
> + group_class_allowed |= everyone_allowed;
> + return group_class_allowed;
> +}
> +
> +/**
> + * richacl_compute_max_masks - compute upper bound masks
> + *
> + * Computes upper bound owner, group, and other masks so that none of
> + * the mask flags allowed by the acl are disabled (for any user with any
> + * group membership).
> + */
> +void richacl_compute_max_masks(struct richacl *acl, kuid_t owner)
> +{
> + unsigned int gmask = ~0;
> + struct richace *ace;
> +
> + /*
> + * @gmask contains all permissions which the group class is ever
> + * allowed. We use it to avoid adding permissions to the group mask
> + * from everyone@ allow aces which the group class is always denied
> + * through other aces. For example, the following acl would otherwise
> + * result in a group mask of rw:
> + *
> + * group@:w::deny
> + * everyone@:rw::allow
> + *
> + * Avoid computing @gmask for acls which do not include any group class
> + * deny aces: in such acls, the group class is never denied any
> + * permissions from everyone@ allow aces, and the group class cannot
> + * have fewer permissions than the other class.
> + */
> +
> +restart:
> + acl->a_owner_mask = 0;
> + acl->a_group_mask = 0;
> + acl->a_other_mask = 0;
> +
> + richacl_for_each_entry_reverse(ace, acl) {
> + if (richace_is_inherit_only(ace))
> + continue;
> +
> + if (richace_is_owner(ace) ||
> + (richace_is_unix_user(ace) &&
> + uid_eq(ace->e_id.uid, owner))) {
> + if (richace_is_allow(ace))
> + acl->a_owner_mask |= ace->e_mask;
> + else if (richace_is_deny(ace))
> + acl->a_owner_mask &= ~ace->e_mask;
> + } else if (richace_is_everyone(ace)) {
> + if (richace_is_allow(ace)) {
> + acl->a_owner_mask |= ace->e_mask;
> + acl->a_group_mask |= ace->e_mask & gmask;
> + acl->a_other_mask |= ace->e_mask;
> + } else if (richace_is_deny(ace)) {
> + acl->a_owner_mask &= ~ace->e_mask;
> + acl->a_group_mask &= ~ace->e_mask;
> + acl->a_other_mask &= ~ace->e_mask;
> + }
> + } else {
> + if (richace_is_allow(ace)) {
> + acl->a_owner_mask |= ace->e_mask & gmask;
> + acl->a_group_mask |= ace->e_mask & gmask;
I think we do that because we don't (we can't) know whether the owner
might match this ace, so we assume that it will match, as that's what
gives us the maximum.
But on first glance this is a little counterintuitive and maybe worth a
comment.
--b.
> + } else if (richace_is_deny(ace) && gmask == ~0) {
> + gmask = richacl_group_class_allowed(acl);
> + if (likely(gmask != ~0))
> + /* should always be true */
> + goto restart;
> + }
> + }
> + }
> +
> + acl->a_flags &= ~(RICHACL_WRITE_THROUGH | RICHACL_MASKED);
> +}
> +EXPORT_SYMBOL_GPL(richacl_compute_max_masks);
> diff --git a/include/linux/richacl.h b/include/linux/richacl.h
> index f4ba113..3d719db 100644
> --- a/include/linux/richacl.h
> +++ b/include/linux/richacl.h
> @@ -303,5 +303,6 @@ extern void richace_copy(struct richace *, const struct richace *);
> extern int richacl_masks_to_mode(const struct richacl *);
> extern unsigned int richacl_mode_to_mask(mode_t);
> extern unsigned int richacl_want_to_mask(unsigned int);
> +extern void richacl_compute_max_masks(struct richacl *, kuid_t);
>
> #endif /* __RICHACL_H */
> --
> 2.5.0
>
> --
> To unsubscribe from this list: send the line "unsubscribe linux-nfs" in
> the body of a message to majordomo@...r.kernel.org
> More majordomo info at http://vger.kernel.org/majordomo-info.html
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists