*
* You should have received a copy of the GNU General Public License
* version 2 along with this program; If not, see
- * http://www.sun.com/software/products/lustre/docs/GPLv2.pdf
- *
- * Please contact Sun Microsystems, Inc., 4150 Network Circle, Santa Clara,
- * CA 95054 USA or visit www.sun.com if you need additional information or
- * have any questions.
+ * http://www.gnu.org/licenses/gpl-2.0.html
*
* GPL HEADER END
*/
#include <lustre_acl.h>
#include <lustre_eacl.h>
#include <obd_support.h>
-#ifdef HAVE_SERVER_SUPPORT
-# include <lustre_idmap.h>
-# include <md_object.h>
-#endif /* HAVE_SERVER_SUPPORT */
+#include <lustre_idmap.h>
+#include <md_object.h>
-#ifdef CONFIG_FS_POSIX_ACL
+#ifdef CONFIG_LUSTRE_FS_POSIX_ACL
static inline void lustre_posix_acl_le_to_cpu(posix_acl_xattr_entry *d,
- posix_acl_xattr_entry *s)
+ posix_acl_xattr_entry *s)
{
- d->e_tag = le16_to_cpu(s->e_tag);
- d->e_perm = le16_to_cpu(s->e_perm);
- d->e_id = le32_to_cpu(s->e_id);
+ d->e_tag = le16_to_cpu(s->e_tag);
+ d->e_perm = le16_to_cpu(s->e_perm);
+ d->e_id = le32_to_cpu(s->e_id);
}
-/*static inline void lustre_posix_acl_cpu_to_le(posix_acl_xattr_entry *d,
- posix_acl_xattr_entry *s)
+#if 0
+static inline void lustre_posix_acl_cpu_to_le(posix_acl_xattr_entry *d,
+ posix_acl_xattr_entry *s)
{
- d->e_tag = cpu_to_le16(s->e_tag);
- d->e_perm = cpu_to_le16(s->e_perm);
- d->e_id = cpu_to_le32(s->e_id);
-}*/
+ d->e_tag = cpu_to_le16(s->e_tag);
+ d->e_perm = cpu_to_le16(s->e_perm);
+ d->e_id = cpu_to_le32(s->e_id);
+}
+#endif
/*
* Check permission based on POSIX ACL.
*/
int lustre_posix_acl_permission(struct lu_ucred *mu, const struct lu_attr *la,
- int want, posix_acl_xattr_entry *entry,
- int count)
+ unsigned int may_mask,
+ posix_acl_xattr_entry *entry, int count)
{
- posix_acl_xattr_entry *pa, *pe, *mask_obj;
- posix_acl_xattr_entry ae, me;
- int found = 0;
+ posix_acl_xattr_entry *pa, *pe, *mask_obj;
+ posix_acl_xattr_entry ae, me;
+ __u16 acl_want;
+ int found = 0;
+
+ if (count <= 0)
+ return -EACCES;
- if (count <= 0)
- return -EACCES;
+ /* There is implicit conversion between MAY_* modes and ACL_* modes.
+ * Don't bother explicitly converting them unless they actually change.
+ */
+ if (0) {
+ acl_want = (may_mask & MAY_READ ? ACL_READ : 0) |
+ (may_mask & MAY_WRITE ? ACL_WRITE : 0) |
+ (may_mask & MAY_EXEC ? ACL_EXECUTE : 0);
+ } else {
+ BUILD_BUG_ON(MAY_READ != ACL_READ);
+ BUILD_BUG_ON(MAY_WRITE != ACL_WRITE);
+ BUILD_BUG_ON(MAY_EXEC != ACL_EXECUTE);
- for (pa = &entry[0], pe = &entry[count - 1]; pa <= pe; pa++) {
- lustre_posix_acl_le_to_cpu(&ae, pa);
- switch (ae.e_tag) {
- case ACL_USER_OBJ:
- /* (May have been checked already) */
+ acl_want = may_mask;
+ }
+
+ for (pa = &entry[0], pe = &entry[count - 1]; pa <= pe; pa++) {
+ lustre_posix_acl_le_to_cpu(&ae, pa);
+ switch (ae.e_tag) {
+ case ACL_USER_OBJ:
+ /* (May have been checked already) */
if (la->la_uid == mu->uc_fsuid)
goto check_perm;
- break;
- case ACL_USER:
+ break;
+ case ACL_USER:
if (ae.e_id == mu->uc_fsuid)
goto mask;
- break;
- case ACL_GROUP_OBJ:
- if (lustre_in_group_p(mu, la->la_gid)) {
- found = 1;
- if ((ae.e_perm & want) == want)
- goto mask;
- }
- break;
- case ACL_GROUP:
- if (lustre_in_group_p(mu, ae.e_id)) {
- found = 1;
- if ((ae.e_perm & want) == want)
- goto mask;
- }
- break;
- case ACL_MASK:
- break;
- case ACL_OTHER:
- if (found)
- return -EACCES;
- else
- goto check_perm;
- default:
- return -EIO;
- }
- }
- return -EIO;
+ break;
+ case ACL_GROUP_OBJ:
+ if (lustre_in_group_p(mu, la->la_gid)) {
+ found = 1;
+ if ((ae.e_perm & acl_want) == acl_want)
+ goto mask;
+ }
+ break;
+ case ACL_GROUP:
+ if (lustre_in_group_p(mu, ae.e_id)) {
+ found = 1;
+ if ((ae.e_perm & acl_want) == acl_want)
+ goto mask;
+ }
+ break;
+ case ACL_MASK:
+ break;
+ case ACL_OTHER:
+ if (found)
+ return -EACCES;
+ goto check_perm;
+ default:
+ return -EIO;
+}
+ }
+ return -EIO;
mask:
- for (mask_obj = pa + 1; mask_obj <= pe; mask_obj++) {
- lustre_posix_acl_le_to_cpu(&me, mask_obj);
- if (me.e_tag == ACL_MASK) {
- if ((ae.e_perm & me.e_perm & want) == want)
- return 0;
+ for (mask_obj = pa + 1; mask_obj <= pe; mask_obj++) {
+ lustre_posix_acl_le_to_cpu(&me, mask_obj);
+ if (me.e_tag == ACL_MASK) {
+ if ((ae.e_perm & me.e_perm & acl_want) == acl_want)
+ return 0;
- return -EACCES;
- }
- }
+ return -EACCES;
+ }
+ }
check_perm:
- if ((ae.e_perm & want) == want)
- return 0;
+ if ((ae.e_perm & acl_want) == acl_want)
+ return 0;
- return -EACCES;
+ return -EACCES;
}
EXPORT_SYMBOL(lustre_posix_acl_permission);
/*
* Modify the ACL for the chmod.
*/
-int lustre_posix_acl_chmod_masq(posix_acl_xattr_entry *entry, __u32 mode,
- int count)
+int lustre_posix_acl_chmod_masq(posix_acl_xattr_entry *entry, u32 mode,
+ int count)
{
posix_acl_xattr_entry *group_obj = NULL, *mask_obj = NULL, *pa, *pe;
- for (pa = &entry[0], pe = &entry[count - 1]; pa <= pe; pa++) {
+ /* There is implicit conversion between S_IRWX modes and ACL_* modes.
+ * Don't bother explicitly converting them unless they actually change.
+ */
+ BUILD_BUG_ON(S_IROTH != ACL_READ);
+ BUILD_BUG_ON(S_IWOTH != ACL_WRITE);
+ BUILD_BUG_ON(S_IXOTH != ACL_EXECUTE);
+
+ for (pa = &entry[0], pe = &entry[count - 1]; pa <= pe; pa++) {
switch (le16_to_cpu(pa->e_tag)) {
case ACL_USER_OBJ:
pa->e_perm = cpu_to_le16((mode & S_IRWXU) >> 6);
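Review bot: In lustre_posix_acl_permission the live `else` branch assigns `acl_want = may_mask;` without restricting it to the rwx bits, while the dead `if (0)` branch builds `acl_want` from MAY_READ, MAY_WRITE and MAY_EXEC only, so the two branches stop being equivalent as soon as `may_mask` carries any other bit. With a well-formed ACL entry, an extra low bit makes every `(ae.e_perm & acl_want) == acl_want` test fail with -EACCES. Because `acl_want` is `__u16`, a mask with only bits above bit 15 set truncates to 0 and passes every test. The callers are not visible here, so whether such masks reach this function is unconfirmed, but an explicit mask removes the dependency on them: `acl_want = may_mask & (MAY_READ | MAY_WRITE | MAY_EXEC);`.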
int count)
{
posix_acl_xattr_entry *pa, *pe;
- mode_t mode = 0;
- int not_equiv = 0;
+ mode_t mode = 0;
+ int not_equiv = 0;
for (pa = &entry[0], pe = &entry[count - 1]; pa <= pe; pa++) {
__u16 perm = le16_to_cpu(pa->e_perm);
/*
* Modify acl when creating a new object.
*/
-int lustre_posix_acl_create_masq(posix_acl_xattr_entry *entry, __u32 *pmode,
- int count)
+int lustre_posix_acl_create_masq(posix_acl_xattr_entry *entry, u32 *pmode,
+ int count)
{
- posix_acl_xattr_entry *group_obj = NULL, *mask_obj = NULL, *pa, *pe;
- posix_acl_xattr_entry ae;
- __u32 mode = *pmode;
+ posix_acl_xattr_entry *group_obj = NULL, *mask_obj = NULL, *pa, *pe;
+ posix_acl_xattr_entry ae;
+ u32 mode = *pmode;
int not_equiv = 0;
- for (pa = &entry[0], pe = &entry[count - 1]; pa <= pe; pa++) {
- lustre_posix_acl_le_to_cpu(&ae, pa);
- switch (ae.e_tag) {
- case ACL_USER_OBJ:
- ae.e_perm &= (mode >> 6) | ~S_IRWXO;
+ for (pa = &entry[0], pe = &entry[count - 1]; pa <= pe; pa++) {
+ lustre_posix_acl_le_to_cpu(&ae, pa);
+ switch (ae.e_tag) {
+ case ACL_USER_OBJ:
+ ae.e_perm &= (mode >> 6) | ~(0007);
pa->e_perm = cpu_to_le16(ae.e_perm);
mode &= (ae.e_perm << 6) | ~S_IRWXU;
break;
case ACL_GROUP:
not_equiv = 1;
break;
- case ACL_GROUP_OBJ:
+ case ACL_GROUP_OBJ:
group_obj = pa;
- break;
- case ACL_OTHER:
- ae.e_perm &= mode | ~S_IRWXO;
+ break;
+ case ACL_OTHER:
+ ae.e_perm &= mode | ~(0007);
pa->e_perm = cpu_to_le16(ae.e_perm);
- mode &= ae.e_perm | ~S_IRWXO;
- break;
- case ACL_MASK:
+ mode &= ae.e_perm | ~(0007);
+ break;
+ case ACL_MASK:
mask_obj = pa;
not_equiv = 1;
- break;
+ break;
default:
return -EIO;
- }
- }
+ }
+ }
if (mask_obj) {
ae.e_perm = le16_to_cpu(mask_obj->e_perm) &
- ((mode >> 3) | ~S_IRWXO);
+ ((mode >> 3) | ~(0007));
mode &= (ae.e_perm << 3) | ~S_IRWXG;
- mask_obj->e_perm = cpu_to_le16(ae.e_perm);
+ mask_obj->e_perm = cpu_to_le16(ae.e_perm);
} else {
if (!group_obj)
return -EIO;
ae.e_perm = le16_to_cpu(group_obj->e_perm) &
- ((mode >> 3) | ~S_IRWXO);
+ ((mode >> 3) | ~(0007));
mode &= (ae.e_perm << 3) | ~S_IRWXG;
- group_obj->e_perm = cpu_to_le16(ae.e_perm);
+ group_obj->e_perm = cpu_to_le16(ae.e_perm);
}
*pmode = (*pmode & ~S_IRWXUGO) | mode;
- return not_equiv;
+ return not_equiv;
}
EXPORT_SYMBOL(lustre_posix_acl_create_masq);
#endif
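Review bot: lustre_posix_acl_create_masq still forms `pe = &entry[count - 1]` without the `count <= 0` guard that lustre_posix_acl_permission has, so a zero or negative count computes a pointer before the start of `entry` and only then exits through the `!group_obj` path. Adding `if (count <= 0) return -EIO;` ahead of the loop keeps the same return value without forming the out-of-range pointer. Separately, the five `~(0007)` literals that replace `~S_IRWXO` carry no explanation. A short comment such as `/* 0007: ACL_READ | ACL_WRITE | ACL_EXECUTE permission bits */`, or writing the mask with those constants, would make the intent checkable.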