1 | /* |
2 | * Common NFSv4 ACL handling code. |
3 | * |
4 | * Copyright (c) 2002, 2003 The Regents of the University of Michigan. |
5 | * All rights reserved. |
6 | * |
7 | * Marius Aamodt Eriksen <marius@umich.edu> |
8 | * Jeff Sedlak <jsedlak@umich.edu> |
9 | * J. Bruce Fields <bfields@umich.edu> |
10 | * |
11 | * Redistribution and use in source and binary forms, with or without |
12 | * modification, are permitted provided that the following conditions |
13 | * are met: |
14 | * |
15 | * 1. Redistributions of source code must retain the above copyright |
16 | * notice, this list of conditions and the following disclaimer. |
17 | * 2. Redistributions in binary form must reproduce the above copyright |
18 | * notice, this list of conditions and the following disclaimer in the |
19 | * documentation and/or other materials provided with the distribution. |
20 | * 3. Neither the name of the University nor the names of its |
21 | * contributors may be used to endorse or promote products derived |
22 | * from this software without specific prior written permission. |
23 | * |
24 | * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED |
25 | * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF |
26 | * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE |
27 | * DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE |
28 | * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR |
29 | * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF |
30 | * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR |
31 | * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF |
32 | * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING |
33 | * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS |
34 | * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. |
35 | */ |
36 | |
37 | #include <linux/fs.h> |
38 | #include <linux/slab.h> |
39 | #include <linux/posix_acl.h> |
40 | |
41 | #include "nfsfh.h" |
42 | #include "nfsd.h" |
43 | #include "acl.h" |
44 | #include "vfs.h" |
45 | |
46 | #define NFS4_ACL_TYPE_DEFAULT 0x01 |
47 | #define NFS4_ACL_DIR 0x02 |
48 | #define NFS4_ACL_OWNER 0x04 |
49 | |
50 | /* mode bit translations: */ |
51 | #define NFS4_READ_MODE (NFS4_ACE_READ_DATA) |
52 | #define NFS4_WRITE_MODE (NFS4_ACE_WRITE_DATA | NFS4_ACE_APPEND_DATA) |
53 | #define NFS4_EXECUTE_MODE NFS4_ACE_EXECUTE |
54 | #define NFS4_ANYONE_MODE (NFS4_ACE_READ_ATTRIBUTES | NFS4_ACE_READ_ACL | NFS4_ACE_SYNCHRONIZE) |
55 | #define NFS4_OWNER_MODE (NFS4_ACE_WRITE_ATTRIBUTES | NFS4_ACE_WRITE_ACL) |
56 | |
57 | /* flags used to simulate posix default ACLs */ |
58 | #define NFS4_INHERITANCE_FLAGS (NFS4_ACE_FILE_INHERIT_ACE \ |
59 | | NFS4_ACE_DIRECTORY_INHERIT_ACE) |
60 | |
61 | #define NFS4_SUPPORTED_FLAGS (NFS4_INHERITANCE_FLAGS \ |
62 | | NFS4_ACE_INHERIT_ONLY_ACE \ |
63 | | NFS4_ACE_IDENTIFIER_GROUP) |
64 | |
65 | static u32 |
66 | mask_from_posix(unsigned short perm, unsigned int flags) |
67 | { |
68 | int mask = NFS4_ANYONE_MODE; |
69 | |
70 | if (flags & NFS4_ACL_OWNER) |
71 | mask |= NFS4_OWNER_MODE; |
72 | if (perm & ACL_READ) |
73 | mask |= NFS4_READ_MODE; |
74 | if (perm & ACL_WRITE) |
75 | mask |= NFS4_WRITE_MODE; |
76 | if ((perm & ACL_WRITE) && (flags & NFS4_ACL_DIR)) |
77 | mask |= NFS4_ACE_DELETE_CHILD; |
78 | if (perm & ACL_EXECUTE) |
79 | mask |= NFS4_EXECUTE_MODE; |
80 | return mask; |
81 | } |
82 | |
83 | static u32 |
84 | deny_mask_from_posix(unsigned short perm, u32 flags) |
85 | { |
86 | u32 mask = 0; |
87 | |
88 | if (perm & ACL_READ) |
89 | mask |= NFS4_READ_MODE; |
90 | if (perm & ACL_WRITE) |
91 | mask |= NFS4_WRITE_MODE; |
92 | if ((perm & ACL_WRITE) && (flags & NFS4_ACL_DIR)) |
93 | mask |= NFS4_ACE_DELETE_CHILD; |
94 | if (perm & ACL_EXECUTE) |
95 | mask |= NFS4_EXECUTE_MODE; |
96 | return mask; |
97 | } |
98 | |
99 | /* XXX: modify functions to return NFS errors; they're only ever |
100 | * used by nfs code, after all.... */ |
101 | |
102 | /* We only map from NFSv4 to POSIX ACLs when setting ACLs, when we err on the |
103 | * side of being more restrictive, so the mode bit mapping below is |
104 | * pessimistic. An optimistic version would be needed to handle DENY's, |
105 | * but we expect to coalesce all ALLOWs and DENYs before mapping to mode |
106 | * bits. */ |
107 | |
108 | static void |
109 | low_mode_from_nfs4(u32 perm, unsigned short *mode, unsigned int flags) |
110 | { |
111 | u32 write_mode = NFS4_WRITE_MODE; |
112 | |
113 | if (flags & NFS4_ACL_DIR) |
114 | write_mode |= NFS4_ACE_DELETE_CHILD; |
115 | *mode = 0; |
116 | if ((perm & NFS4_READ_MODE) == NFS4_READ_MODE) |
117 | *mode |= ACL_READ; |
118 | if ((perm & write_mode) == write_mode) |
119 | *mode |= ACL_WRITE; |
120 | if ((perm & NFS4_EXECUTE_MODE) == NFS4_EXECUTE_MODE) |
121 | *mode |= ACL_EXECUTE; |
122 | } |
123 | |
124 | static short ace2type(struct nfs4_ace *); |
125 | static void _posix_to_nfsv4_one(struct posix_acl *, struct nfs4_acl *, |
126 | unsigned int); |
127 | |
128 | int |
129 | nfsd4_get_nfs4_acl(struct svc_rqst *rqstp, struct dentry *dentry, |
130 | struct nfs4_acl **acl) |
131 | { |
132 | struct inode *inode = d_inode(dentry); |
133 | int error = 0; |
134 | struct posix_acl *pacl = NULL, *dpacl = NULL; |
135 | unsigned int flags = 0; |
136 | int size = 0; |
137 | |
138 | pacl = get_inode_acl(inode, ACL_TYPE_ACCESS); |
139 | if (!pacl) |
140 | pacl = posix_acl_from_mode(inode->i_mode, GFP_KERNEL); |
141 | |
142 | if (IS_ERR(ptr: pacl)) |
143 | return PTR_ERR(ptr: pacl); |
144 | |
145 | /* allocate for worst case: one (deny, allow) pair each: */ |
146 | size += 2 * pacl->a_count; |
147 | |
148 | if (S_ISDIR(inode->i_mode)) { |
149 | flags = NFS4_ACL_DIR; |
150 | dpacl = get_inode_acl(inode, ACL_TYPE_DEFAULT); |
151 | if (IS_ERR(ptr: dpacl)) { |
152 | error = PTR_ERR(ptr: dpacl); |
153 | goto rel_pacl; |
154 | } |
155 | |
156 | if (dpacl) |
157 | size += 2 * dpacl->a_count; |
158 | } |
159 | |
160 | *acl = kmalloc(size: nfs4_acl_bytes(entries: size), GFP_KERNEL); |
161 | if (*acl == NULL) { |
162 | error = -ENOMEM; |
163 | goto out; |
164 | } |
165 | (*acl)->naces = 0; |
166 | |
167 | _posix_to_nfsv4_one(pacl, *acl, flags & ~NFS4_ACL_TYPE_DEFAULT); |
168 | |
169 | if (dpacl) |
170 | _posix_to_nfsv4_one(dpacl, *acl, flags | NFS4_ACL_TYPE_DEFAULT); |
171 | |
172 | out: |
173 | posix_acl_release(acl: dpacl); |
174 | rel_pacl: |
175 | posix_acl_release(acl: pacl); |
176 | return error; |
177 | } |
178 | |
179 | struct posix_acl_summary { |
180 | unsigned short owner; |
181 | unsigned short users; |
182 | unsigned short group; |
183 | unsigned short groups; |
184 | unsigned short other; |
185 | unsigned short mask; |
186 | }; |
187 | |
188 | static void |
189 | summarize_posix_acl(struct posix_acl *acl, struct posix_acl_summary *pas) |
190 | { |
191 | struct posix_acl_entry *pa, *pe; |
192 | |
193 | /* |
194 | * Only pas.users and pas.groups need initialization; previous |
195 | * posix_acl_valid() calls ensure that the other fields will be |
196 | * initialized in the following loop. But, just to placate gcc: |
197 | */ |
198 | memset(pas, 0, sizeof(*pas)); |
199 | pas->mask = 07; |
200 | |
201 | pe = acl->a_entries + acl->a_count; |
202 | |
203 | FOREACH_ACL_ENTRY(pa, acl, pe) { |
204 | switch (pa->e_tag) { |
205 | case ACL_USER_OBJ: |
206 | pas->owner = pa->e_perm; |
207 | break; |
208 | case ACL_GROUP_OBJ: |
209 | pas->group = pa->e_perm; |
210 | break; |
211 | case ACL_USER: |
212 | pas->users |= pa->e_perm; |
213 | break; |
214 | case ACL_GROUP: |
215 | pas->groups |= pa->e_perm; |
216 | break; |
217 | case ACL_OTHER: |
218 | pas->other = pa->e_perm; |
219 | break; |
220 | case ACL_MASK: |
221 | pas->mask = pa->e_perm; |
222 | break; |
223 | } |
224 | } |
225 | /* We'll only care about effective permissions: */ |
226 | pas->users &= pas->mask; |
227 | pas->group &= pas->mask; |
228 | pas->groups &= pas->mask; |
229 | } |
230 | |
231 | /* We assume the acl has been verified with posix_acl_valid. */ |
232 | static void |
233 | _posix_to_nfsv4_one(struct posix_acl *pacl, struct nfs4_acl *acl, |
234 | unsigned int flags) |
235 | { |
236 | struct posix_acl_entry *pa, *group_owner_entry; |
237 | struct nfs4_ace *ace; |
238 | struct posix_acl_summary pas; |
239 | unsigned short deny; |
240 | int eflag = ((flags & NFS4_ACL_TYPE_DEFAULT) ? |
241 | NFS4_INHERITANCE_FLAGS | NFS4_ACE_INHERIT_ONLY_ACE : 0); |
242 | |
243 | BUG_ON(pacl->a_count < 3); |
244 | summarize_posix_acl(acl: pacl, pas: &pas); |
245 | |
246 | pa = pacl->a_entries; |
247 | ace = acl->aces + acl->naces; |
248 | |
249 | /* We could deny everything not granted by the owner: */ |
250 | deny = ~pas.owner; |
251 | /* |
252 | * but it is equivalent (and simpler) to deny only what is not |
253 | * granted by later entries: |
254 | */ |
255 | deny &= pas.users | pas.group | pas.groups | pas.other; |
256 | if (deny) { |
257 | ace->type = NFS4_ACE_ACCESS_DENIED_ACE_TYPE; |
258 | ace->flag = eflag; |
259 | ace->access_mask = deny_mask_from_posix(perm: deny, flags); |
260 | ace->whotype = NFS4_ACL_WHO_OWNER; |
261 | ace++; |
262 | acl->naces++; |
263 | } |
264 | |
265 | ace->type = NFS4_ACE_ACCESS_ALLOWED_ACE_TYPE; |
266 | ace->flag = eflag; |
267 | ace->access_mask = mask_from_posix(perm: pa->e_perm, flags: flags | NFS4_ACL_OWNER); |
268 | ace->whotype = NFS4_ACL_WHO_OWNER; |
269 | ace++; |
270 | acl->naces++; |
271 | pa++; |
272 | |
273 | while (pa->e_tag == ACL_USER) { |
274 | deny = ~(pa->e_perm & pas.mask); |
275 | deny &= pas.groups | pas.group | pas.other; |
276 | if (deny) { |
277 | ace->type = NFS4_ACE_ACCESS_DENIED_ACE_TYPE; |
278 | ace->flag = eflag; |
279 | ace->access_mask = deny_mask_from_posix(perm: deny, flags); |
280 | ace->whotype = NFS4_ACL_WHO_NAMED; |
281 | ace->who_uid = pa->e_uid; |
282 | ace++; |
283 | acl->naces++; |
284 | } |
285 | ace->type = NFS4_ACE_ACCESS_ALLOWED_ACE_TYPE; |
286 | ace->flag = eflag; |
287 | ace->access_mask = mask_from_posix(perm: pa->e_perm & pas.mask, |
288 | flags); |
289 | ace->whotype = NFS4_ACL_WHO_NAMED; |
290 | ace->who_uid = pa->e_uid; |
291 | ace++; |
292 | acl->naces++; |
293 | pa++; |
294 | } |
295 | |
296 | /* In the case of groups, we apply allow ACEs first, then deny ACEs, |
297 | * since a user can be in more than one group. */ |
298 | |
299 | /* allow ACEs */ |
300 | |
301 | group_owner_entry = pa; |
302 | |
303 | ace->type = NFS4_ACE_ACCESS_ALLOWED_ACE_TYPE; |
304 | ace->flag = eflag; |
305 | ace->access_mask = mask_from_posix(perm: pas.group, flags); |
306 | ace->whotype = NFS4_ACL_WHO_GROUP; |
307 | ace++; |
308 | acl->naces++; |
309 | pa++; |
310 | |
311 | while (pa->e_tag == ACL_GROUP) { |
312 | ace->type = NFS4_ACE_ACCESS_ALLOWED_ACE_TYPE; |
313 | ace->flag = eflag | NFS4_ACE_IDENTIFIER_GROUP; |
314 | ace->access_mask = mask_from_posix(perm: pa->e_perm & pas.mask, |
315 | flags); |
316 | ace->whotype = NFS4_ACL_WHO_NAMED; |
317 | ace->who_gid = pa->e_gid; |
318 | ace++; |
319 | acl->naces++; |
320 | pa++; |
321 | } |
322 | |
323 | /* deny ACEs */ |
324 | |
325 | pa = group_owner_entry; |
326 | |
327 | deny = ~pas.group & pas.other; |
328 | if (deny) { |
329 | ace->type = NFS4_ACE_ACCESS_DENIED_ACE_TYPE; |
330 | ace->flag = eflag; |
331 | ace->access_mask = deny_mask_from_posix(perm: deny, flags); |
332 | ace->whotype = NFS4_ACL_WHO_GROUP; |
333 | ace++; |
334 | acl->naces++; |
335 | } |
336 | pa++; |
337 | |
338 | while (pa->e_tag == ACL_GROUP) { |
339 | deny = ~(pa->e_perm & pas.mask); |
340 | deny &= pas.other; |
341 | if (deny) { |
342 | ace->type = NFS4_ACE_ACCESS_DENIED_ACE_TYPE; |
343 | ace->flag = eflag | NFS4_ACE_IDENTIFIER_GROUP; |
344 | ace->access_mask = deny_mask_from_posix(perm: deny, flags); |
345 | ace->whotype = NFS4_ACL_WHO_NAMED; |
346 | ace->who_gid = pa->e_gid; |
347 | ace++; |
348 | acl->naces++; |
349 | } |
350 | pa++; |
351 | } |
352 | |
353 | if (pa->e_tag == ACL_MASK) |
354 | pa++; |
355 | ace->type = NFS4_ACE_ACCESS_ALLOWED_ACE_TYPE; |
356 | ace->flag = eflag; |
357 | ace->access_mask = mask_from_posix(perm: pa->e_perm, flags); |
358 | ace->whotype = NFS4_ACL_WHO_EVERYONE; |
359 | acl->naces++; |
360 | } |
361 | |
362 | static bool |
363 | pace_gt(struct posix_acl_entry *pace1, struct posix_acl_entry *pace2) |
364 | { |
365 | if (pace1->e_tag != pace2->e_tag) |
366 | return pace1->e_tag > pace2->e_tag; |
367 | if (pace1->e_tag == ACL_USER) |
368 | return uid_gt(left: pace1->e_uid, right: pace2->e_uid); |
369 | if (pace1->e_tag == ACL_GROUP) |
370 | return gid_gt(left: pace1->e_gid, right: pace2->e_gid); |
371 | return false; |
372 | } |
373 | |
374 | static void |
375 | sort_pacl_range(struct posix_acl *pacl, int start, int end) { |
376 | int sorted = 0, i; |
377 | |
378 | /* We just do a bubble sort; easy to do in place, and we're not |
379 | * expecting acl's to be long enough to justify anything more. */ |
380 | while (!sorted) { |
381 | sorted = 1; |
382 | for (i = start; i < end; i++) { |
383 | if (pace_gt(pace1: &pacl->a_entries[i], |
384 | pace2: &pacl->a_entries[i+1])) { |
385 | sorted = 0; |
386 | swap(pacl->a_entries[i], |
387 | pacl->a_entries[i + 1]); |
388 | } |
389 | } |
390 | } |
391 | } |
392 | |
393 | static void |
394 | sort_pacl(struct posix_acl *pacl) |
395 | { |
396 | /* posix_acl_valid requires that users and groups be in order |
397 | * by uid/gid. */ |
398 | int i, j; |
399 | |
400 | /* no users or groups */ |
401 | if (!pacl || pacl->a_count <= 4) |
402 | return; |
403 | |
404 | i = 1; |
405 | while (pacl->a_entries[i].e_tag == ACL_USER) |
406 | i++; |
407 | sort_pacl_range(pacl, start: 1, end: i-1); |
408 | |
409 | BUG_ON(pacl->a_entries[i].e_tag != ACL_GROUP_OBJ); |
410 | j = ++i; |
411 | while (pacl->a_entries[j].e_tag == ACL_GROUP) |
412 | j++; |
413 | sort_pacl_range(pacl, start: i, end: j-1); |
414 | return; |
415 | } |
416 | |
417 | /* |
418 | * While processing the NFSv4 ACE, this maintains bitmasks representing |
419 | * which permission bits have been allowed and which denied to a given |
420 | * entity: */ |
421 | struct posix_ace_state { |
422 | u32 allow; |
423 | u32 deny; |
424 | }; |
425 | |
426 | struct posix_user_ace_state { |
427 | union { |
428 | kuid_t uid; |
429 | kgid_t gid; |
430 | }; |
431 | struct posix_ace_state perms; |
432 | }; |
433 | |
434 | struct posix_ace_state_array { |
435 | int n; |
436 | struct posix_user_ace_state aces[]; |
437 | }; |
438 | |
439 | /* |
440 | * While processing the NFSv4 ACE, this maintains the partial permissions |
441 | * calculated so far: */ |
442 | |
443 | struct posix_acl_state { |
444 | unsigned char valid; |
445 | struct posix_ace_state owner; |
446 | struct posix_ace_state group; |
447 | struct posix_ace_state other; |
448 | struct posix_ace_state everyone; |
449 | struct posix_ace_state mask; /* Deny unused in this case */ |
450 | struct posix_ace_state_array *users; |
451 | struct posix_ace_state_array *groups; |
452 | }; |
453 | |
454 | static int |
455 | init_state(struct posix_acl_state *state, int cnt) |
456 | { |
457 | int alloc; |
458 | |
459 | memset(state, 0, sizeof(struct posix_acl_state)); |
460 | /* |
461 | * In the worst case, each individual acl could be for a distinct |
462 | * named user or group, but we don't know which, so we allocate |
463 | * enough space for either: |
464 | */ |
465 | alloc = sizeof(struct posix_ace_state_array) |
466 | + cnt*sizeof(struct posix_user_ace_state); |
467 | state->users = kzalloc(size: alloc, GFP_KERNEL); |
468 | if (!state->users) |
469 | return -ENOMEM; |
470 | state->groups = kzalloc(size: alloc, GFP_KERNEL); |
471 | if (!state->groups) { |
472 | kfree(objp: state->users); |
473 | return -ENOMEM; |
474 | } |
475 | return 0; |
476 | } |
477 | |
478 | static void |
479 | free_state(struct posix_acl_state *state) { |
480 | kfree(objp: state->users); |
481 | kfree(objp: state->groups); |
482 | } |
483 | |
484 | static inline void add_to_mask(struct posix_acl_state *state, struct posix_ace_state *astate) |
485 | { |
486 | state->mask.allow |= astate->allow; |
487 | } |
488 | |
489 | static struct posix_acl * |
490 | posix_state_to_acl(struct posix_acl_state *state, unsigned int flags) |
491 | { |
492 | struct posix_acl_entry *pace; |
493 | struct posix_acl *pacl; |
494 | int nace; |
495 | int i; |
496 | |
497 | /* |
498 | * ACLs with no ACEs are treated differently in the inheritable |
499 | * and effective cases: when there are no inheritable ACEs, |
500 | * calls ->set_acl with a NULL ACL structure. |
501 | */ |
502 | if (!state->valid && (flags & NFS4_ACL_TYPE_DEFAULT)) |
503 | return NULL; |
504 | |
505 | /* |
506 | * When there are no effective ACEs, the following will end |
507 | * up setting a 3-element effective posix ACL with all |
508 | * permissions zero. |
509 | */ |
510 | if (!state->users->n && !state->groups->n) |
511 | nace = 3; |
512 | else /* Note we also include a MASK ACE in this case: */ |
513 | nace = 4 + state->users->n + state->groups->n; |
514 | pacl = posix_acl_alloc(nace, GFP_KERNEL); |
515 | if (!pacl) |
516 | return ERR_PTR(error: -ENOMEM); |
517 | |
518 | pace = pacl->a_entries; |
519 | pace->e_tag = ACL_USER_OBJ; |
520 | low_mode_from_nfs4(perm: state->owner.allow, mode: &pace->e_perm, flags); |
521 | |
522 | for (i=0; i < state->users->n; i++) { |
523 | pace++; |
524 | pace->e_tag = ACL_USER; |
525 | low_mode_from_nfs4(perm: state->users->aces[i].perms.allow, |
526 | mode: &pace->e_perm, flags); |
527 | pace->e_uid = state->users->aces[i].uid; |
528 | add_to_mask(state, astate: &state->users->aces[i].perms); |
529 | } |
530 | |
531 | pace++; |
532 | pace->e_tag = ACL_GROUP_OBJ; |
533 | low_mode_from_nfs4(perm: state->group.allow, mode: &pace->e_perm, flags); |
534 | add_to_mask(state, astate: &state->group); |
535 | |
536 | for (i=0; i < state->groups->n; i++) { |
537 | pace++; |
538 | pace->e_tag = ACL_GROUP; |
539 | low_mode_from_nfs4(perm: state->groups->aces[i].perms.allow, |
540 | mode: &pace->e_perm, flags); |
541 | pace->e_gid = state->groups->aces[i].gid; |
542 | add_to_mask(state, astate: &state->groups->aces[i].perms); |
543 | } |
544 | |
545 | if (state->users->n || state->groups->n) { |
546 | pace++; |
547 | pace->e_tag = ACL_MASK; |
548 | low_mode_from_nfs4(perm: state->mask.allow, mode: &pace->e_perm, flags); |
549 | } |
550 | |
551 | pace++; |
552 | pace->e_tag = ACL_OTHER; |
553 | low_mode_from_nfs4(perm: state->other.allow, mode: &pace->e_perm, flags); |
554 | |
555 | return pacl; |
556 | } |
557 | |
558 | static inline void allow_bits(struct posix_ace_state *astate, u32 mask) |
559 | { |
560 | /* Allow all bits in the mask not already denied: */ |
561 | astate->allow |= mask & ~astate->deny; |
562 | } |
563 | |
564 | static inline void deny_bits(struct posix_ace_state *astate, u32 mask) |
565 | { |
566 | /* Deny all bits in the mask not already allowed: */ |
567 | astate->deny |= mask & ~astate->allow; |
568 | } |
569 | |
570 | static int find_uid(struct posix_acl_state *state, kuid_t uid) |
571 | { |
572 | struct posix_ace_state_array *a = state->users; |
573 | int i; |
574 | |
575 | for (i = 0; i < a->n; i++) |
576 | if (uid_eq(left: a->aces[i].uid, right: uid)) |
577 | return i; |
578 | /* Not found: */ |
579 | a->n++; |
580 | a->aces[i].uid = uid; |
581 | a->aces[i].perms.allow = state->everyone.allow; |
582 | a->aces[i].perms.deny = state->everyone.deny; |
583 | |
584 | return i; |
585 | } |
586 | |
587 | static int find_gid(struct posix_acl_state *state, kgid_t gid) |
588 | { |
589 | struct posix_ace_state_array *a = state->groups; |
590 | int i; |
591 | |
592 | for (i = 0; i < a->n; i++) |
593 | if (gid_eq(left: a->aces[i].gid, right: gid)) |
594 | return i; |
595 | /* Not found: */ |
596 | a->n++; |
597 | a->aces[i].gid = gid; |
598 | a->aces[i].perms.allow = state->everyone.allow; |
599 | a->aces[i].perms.deny = state->everyone.deny; |
600 | |
601 | return i; |
602 | } |
603 | |
604 | static void deny_bits_array(struct posix_ace_state_array *a, u32 mask) |
605 | { |
606 | int i; |
607 | |
608 | for (i=0; i < a->n; i++) |
609 | deny_bits(astate: &a->aces[i].perms, mask); |
610 | } |
611 | |
612 | static void allow_bits_array(struct posix_ace_state_array *a, u32 mask) |
613 | { |
614 | int i; |
615 | |
616 | for (i=0; i < a->n; i++) |
617 | allow_bits(astate: &a->aces[i].perms, mask); |
618 | } |
619 | |
620 | static void process_one_v4_ace(struct posix_acl_state *state, |
621 | struct nfs4_ace *ace) |
622 | { |
623 | u32 mask = ace->access_mask; |
624 | short type = ace2type(ace); |
625 | int i; |
626 | |
627 | state->valid |= type; |
628 | |
629 | switch (type) { |
630 | case ACL_USER_OBJ: |
631 | if (ace->type == NFS4_ACE_ACCESS_ALLOWED_ACE_TYPE) { |
632 | allow_bits(astate: &state->owner, mask); |
633 | } else { |
634 | deny_bits(astate: &state->owner, mask); |
635 | } |
636 | break; |
637 | case ACL_USER: |
638 | i = find_uid(state, uid: ace->who_uid); |
639 | if (ace->type == NFS4_ACE_ACCESS_ALLOWED_ACE_TYPE) { |
640 | allow_bits(astate: &state->users->aces[i].perms, mask); |
641 | } else { |
642 | deny_bits(astate: &state->users->aces[i].perms, mask); |
643 | mask = state->users->aces[i].perms.deny; |
644 | deny_bits(astate: &state->owner, mask); |
645 | } |
646 | break; |
647 | case ACL_GROUP_OBJ: |
648 | if (ace->type == NFS4_ACE_ACCESS_ALLOWED_ACE_TYPE) { |
649 | allow_bits(astate: &state->group, mask); |
650 | } else { |
651 | deny_bits(astate: &state->group, mask); |
652 | mask = state->group.deny; |
653 | deny_bits(astate: &state->owner, mask); |
654 | deny_bits(astate: &state->everyone, mask); |
655 | deny_bits_array(a: state->users, mask); |
656 | deny_bits_array(a: state->groups, mask); |
657 | } |
658 | break; |
659 | case ACL_GROUP: |
660 | i = find_gid(state, gid: ace->who_gid); |
661 | if (ace->type == NFS4_ACE_ACCESS_ALLOWED_ACE_TYPE) { |
662 | allow_bits(astate: &state->groups->aces[i].perms, mask); |
663 | } else { |
664 | deny_bits(astate: &state->groups->aces[i].perms, mask); |
665 | mask = state->groups->aces[i].perms.deny; |
666 | deny_bits(astate: &state->owner, mask); |
667 | deny_bits(astate: &state->group, mask); |
668 | deny_bits(astate: &state->everyone, mask); |
669 | deny_bits_array(a: state->users, mask); |
670 | deny_bits_array(a: state->groups, mask); |
671 | } |
672 | break; |
673 | case ACL_OTHER: |
674 | if (ace->type == NFS4_ACE_ACCESS_ALLOWED_ACE_TYPE) { |
675 | allow_bits(astate: &state->owner, mask); |
676 | allow_bits(astate: &state->group, mask); |
677 | allow_bits(astate: &state->other, mask); |
678 | allow_bits(astate: &state->everyone, mask); |
679 | allow_bits_array(a: state->users, mask); |
680 | allow_bits_array(a: state->groups, mask); |
681 | } else { |
682 | deny_bits(astate: &state->owner, mask); |
683 | deny_bits(astate: &state->group, mask); |
684 | deny_bits(astate: &state->other, mask); |
685 | deny_bits(astate: &state->everyone, mask); |
686 | deny_bits_array(a: state->users, mask); |
687 | deny_bits_array(a: state->groups, mask); |
688 | } |
689 | } |
690 | } |
691 | |
692 | static int nfs4_acl_nfsv4_to_posix(struct nfs4_acl *acl, |
693 | struct posix_acl **pacl, struct posix_acl **dpacl, |
694 | unsigned int flags) |
695 | { |
696 | struct posix_acl_state effective_acl_state, default_acl_state; |
697 | struct nfs4_ace *ace; |
698 | int ret; |
699 | |
700 | ret = init_state(state: &effective_acl_state, cnt: acl->naces); |
701 | if (ret) |
702 | return ret; |
703 | ret = init_state(state: &default_acl_state, cnt: acl->naces); |
704 | if (ret) |
705 | goto out_estate; |
706 | ret = -EINVAL; |
707 | for (ace = acl->aces; ace < acl->aces + acl->naces; ace++) { |
708 | if (ace->type != NFS4_ACE_ACCESS_ALLOWED_ACE_TYPE && |
709 | ace->type != NFS4_ACE_ACCESS_DENIED_ACE_TYPE) |
710 | goto out_dstate; |
711 | if (ace->flag & ~NFS4_SUPPORTED_FLAGS) |
712 | goto out_dstate; |
713 | if ((ace->flag & NFS4_INHERITANCE_FLAGS) == 0) { |
714 | process_one_v4_ace(state: &effective_acl_state, ace); |
715 | continue; |
716 | } |
717 | if (!(flags & NFS4_ACL_DIR)) |
718 | goto out_dstate; |
719 | /* |
720 | * Note that when only one of FILE_INHERIT or DIRECTORY_INHERIT |
721 | * is set, we're effectively turning on the other. That's OK, |
722 | * according to rfc 3530. |
723 | */ |
724 | process_one_v4_ace(state: &default_acl_state, ace); |
725 | |
726 | if (!(ace->flag & NFS4_ACE_INHERIT_ONLY_ACE)) |
727 | process_one_v4_ace(state: &effective_acl_state, ace); |
728 | } |
729 | |
730 | /* |
731 | * At this point, the default ACL may have zeroed-out entries for owner, |
732 | * group and other. That usually results in a non-sensical resulting ACL |
733 | * that denies all access except to any ACE that was explicitly added. |
734 | * |
735 | * The setfacl command solves a similar problem with this logic: |
736 | * |
737 | * "If a Default ACL entry is created, and the Default ACL contains |
738 | * no owner, owning group, or others entry, a copy of the ACL |
739 | * owner, owning group, or others entry is added to the Default ACL." |
740 | * |
741 | * Copy any missing ACEs from the effective set, if any ACEs were |
742 | * explicitly set. |
743 | */ |
744 | if (default_acl_state.valid) { |
745 | if (!(default_acl_state.valid & ACL_USER_OBJ)) |
746 | default_acl_state.owner = effective_acl_state.owner; |
747 | if (!(default_acl_state.valid & ACL_GROUP_OBJ)) |
748 | default_acl_state.group = effective_acl_state.group; |
749 | if (!(default_acl_state.valid & ACL_OTHER)) |
750 | default_acl_state.other = effective_acl_state.other; |
751 | } |
752 | |
753 | *pacl = posix_state_to_acl(state: &effective_acl_state, flags); |
754 | if (IS_ERR(ptr: *pacl)) { |
755 | ret = PTR_ERR(ptr: *pacl); |
756 | *pacl = NULL; |
757 | goto out_dstate; |
758 | } |
759 | *dpacl = posix_state_to_acl(state: &default_acl_state, |
760 | flags: flags | NFS4_ACL_TYPE_DEFAULT); |
761 | if (IS_ERR(ptr: *dpacl)) { |
762 | ret = PTR_ERR(ptr: *dpacl); |
763 | *dpacl = NULL; |
764 | posix_acl_release(acl: *pacl); |
765 | *pacl = NULL; |
766 | goto out_dstate; |
767 | } |
768 | sort_pacl(pacl: *pacl); |
769 | sort_pacl(pacl: *dpacl); |
770 | ret = 0; |
771 | out_dstate: |
772 | free_state(state: &default_acl_state); |
773 | out_estate: |
774 | free_state(state: &effective_acl_state); |
775 | return ret; |
776 | } |
777 | |
778 | __be32 nfsd4_acl_to_attr(enum nfs_ftype4 type, struct nfs4_acl *acl, |
779 | struct nfsd_attrs *attr) |
780 | { |
781 | int host_error; |
782 | unsigned int flags = 0; |
783 | |
784 | if (!acl) |
785 | return nfs_ok; |
786 | |
787 | if (type == NF4DIR) |
788 | flags = NFS4_ACL_DIR; |
789 | |
790 | host_error = nfs4_acl_nfsv4_to_posix(acl, pacl: &attr->na_pacl, |
791 | dpacl: &attr->na_dpacl, flags); |
792 | if (host_error == -EINVAL) |
793 | return nfserr_attrnotsupp; |
794 | else |
795 | return nfserrno(errno: host_error); |
796 | } |
797 | |
798 | static short |
799 | ace2type(struct nfs4_ace *ace) |
800 | { |
801 | switch (ace->whotype) { |
802 | case NFS4_ACL_WHO_NAMED: |
803 | return (ace->flag & NFS4_ACE_IDENTIFIER_GROUP ? |
804 | ACL_GROUP : ACL_USER); |
805 | case NFS4_ACL_WHO_OWNER: |
806 | return ACL_USER_OBJ; |
807 | case NFS4_ACL_WHO_GROUP: |
808 | return ACL_GROUP_OBJ; |
809 | case NFS4_ACL_WHO_EVERYONE: |
810 | return ACL_OTHER; |
811 | } |
812 | BUG(); |
813 | return -1; |
814 | } |
815 | |
816 | /* |
817 | * return the size of the struct nfs4_acl required to represent an acl |
818 | * with @entries entries. |
819 | */ |
820 | int nfs4_acl_bytes(int entries) |
821 | { |
822 | return sizeof(struct nfs4_acl) + entries * sizeof(struct nfs4_ace); |
823 | } |
824 | |
825 | static struct { |
826 | char *string; |
827 | int stringlen; |
828 | int type; |
829 | } s2t_map[] = { |
830 | { |
831 | .string = "OWNER@" , |
832 | .stringlen = sizeof("OWNER@" ) - 1, |
833 | .type = NFS4_ACL_WHO_OWNER, |
834 | }, |
835 | { |
836 | .string = "GROUP@" , |
837 | .stringlen = sizeof("GROUP@" ) - 1, |
838 | .type = NFS4_ACL_WHO_GROUP, |
839 | }, |
840 | { |
841 | .string = "EVERYONE@" , |
842 | .stringlen = sizeof("EVERYONE@" ) - 1, |
843 | .type = NFS4_ACL_WHO_EVERYONE, |
844 | }, |
845 | }; |
846 | |
847 | int |
848 | nfs4_acl_get_whotype(char *p, u32 len) |
849 | { |
850 | int i; |
851 | |
852 | for (i = 0; i < ARRAY_SIZE(s2t_map); i++) { |
853 | if (s2t_map[i].stringlen == len && |
854 | 0 == memcmp(p: s2t_map[i].string, q: p, size: len)) |
855 | return s2t_map[i].type; |
856 | } |
857 | return NFS4_ACL_WHO_NAMED; |
858 | } |
859 | |
860 | __be32 nfs4_acl_write_who(struct xdr_stream *xdr, int who) |
861 | { |
862 | __be32 *p; |
863 | int i; |
864 | |
865 | for (i = 0; i < ARRAY_SIZE(s2t_map); i++) { |
866 | if (s2t_map[i].type != who) |
867 | continue; |
868 | p = xdr_reserve_space(xdr, nbytes: s2t_map[i].stringlen + 4); |
869 | if (!p) |
870 | return nfserr_resource; |
871 | p = xdr_encode_opaque(p, ptr: s2t_map[i].string, |
872 | len: s2t_map[i].stringlen); |
873 | return 0; |
874 | } |
875 | WARN_ON_ONCE(1); |
876 | return nfserr_serverfault; |
877 | } |
878 | |