fs/gfs2/acl.c

   1 /*
   2  * Copyright (C) Sistina Software, Inc.  1997-2003 All rights reserved.
   3  * Copyright (C) 2004-2006 Red Hat, Inc.  All rights reserved.
   4  *
   5  * This copyrighted material is made available to anyone wishing to use,
   6  * modify, copy, or redistribute it subject to the terms and conditions
   7  * of the GNU General Public License version 2.
   8  */
   9
  10 #include <linux/sched.h>
  11 #include <linux/slab.h>
  12 #include <linux/spinlock.h>
  13 #include <linux/completion.h>
  14 #include <linux/buffer_head.h>
  15 #include <linux/posix_acl.h>
  16 #include <linux/posix_acl_xattr.h>
  17 #include <linux/gfs2_ondisk.h>
  18
  19 #include "gfs2.h"
  20 #include "incore.h"
  21 #include "acl.h"
  22 #include "xattr.h"
  23 #include "glock.h"
  24 #include "inode.h"
  25 #include "meta_io.h"
  26 #include "trans.h"
  27 #include "util.h"
  28
  29 #define ACL_ACCESS 1
  30 #define ACL_DEFAULT 0
  31
  32 int gfs2_acl_validate_set(struct gfs2_inode *ip, int access,
  33                           struct gfs2_ea_request *er, int *remove, mode_t *mode)
  34 {
  35         struct posix_acl *acl;
  36         int error;
  37
  38         error = gfs2_acl_validate_remove(ip, access);
  39         if (error)
  40                 return error;
  41
  42         if (!er->er_data)
  43                 return -EINVAL;
  44
  45         acl = posix_acl_from_xattr(er->er_data, er->er_data_len);
  46         if (IS_ERR(acl))
  47                 return PTR_ERR(acl);
  48         if (!acl) {
  49                 *remove = 1;
  50                 return 0;
  51         }
  52
  53         error = posix_acl_valid(acl);
  54         if (error)
  55                 goto out;
  56
  57         if (access) {
  58                 error = posix_acl_equiv_mode(acl, mode);
  59                 if (!error)
  60                         *remove = 1;
  61                 else if (error > 0)
  62                         error = 0;
  63         }
  64
  65 out:
  66         posix_acl_release(acl);
  67         return error;
  68 }
  69
  70 int gfs2_acl_validate_remove(struct gfs2_inode *ip, int access)
  71 {
  72         if (!GFS2_SB(&ip->i_inode)->sd_args.ar_posix_acl)
  73                 return -EOPNOTSUPP;
  74         if (!is_owner_or_cap(&ip->i_inode))
  75                 return -EPERM;
  76         if (S_ISLNK(ip->i_inode.i_mode))
  77                 return -EOPNOTSUPP;
  78         if (!access && !S_ISDIR(ip->i_inode.i_mode))
  79                 return -EACCES;
  80
  81         return 0;
  82 }
  83
  84 static int acl_get(struct gfs2_inode *ip, const char *name,
  85                    struct posix_acl **acl, struct gfs2_ea_location *el,
  86                    char **datap, unsigned int *lenp)
  87 {
  88         char *data;
  89         unsigned int len;
  90         int error;
  91
  92         el->el_bh = NULL;
  93
  94         if (!ip->i_eattr)
  95                 return 0;
  96
  97         error = gfs2_ea_find(ip, GFS2_EATYPE_SYS, name, el);
  98         if (error)
  99                 return error;
 100         if (!el->el_ea)
 101                 return 0;
 102         if (!GFS2_EA_DATA_LEN(el->el_ea))
 103                 goto out;
 104
 105         len = GFS2_EA_DATA_LEN(el->el_ea);
 106         data = kmalloc(len, GFP_NOFS);
 107         error = -ENOMEM;
 108         if (!data)
 109                 goto out;
 110
 111         error = gfs2_ea_get_copy(ip, el, data, len);
 112         if (error < 0)
 113                 goto out_kfree;
 114         error = 0;
 115
 116         if (acl) {
 117                 *acl = posix_acl_from_xattr(data, len);
 118                 if (IS_ERR(*acl))
 119                         error = PTR_ERR(*acl);
 120         }
 121
 122 out_kfree:
 123         if (error || !datap) {
 124                 kfree(data);
 125         } else {
 126                 *datap = data;
 127                 *lenp = len;
 128         }
 129 out:
 130         return error;
 131 }
 132
 133 /**
 134  * gfs2_check_acl - Check an ACL to see if we're allowed to do something
 135  * @inode: the file we want to do something to
 136  * @mask: what we want to do
 137  *
 138  * Returns: errno
 139  */
 140
 141 int gfs2_check_acl(struct inode *inode, int mask)
 142 {
 143         struct gfs2_ea_location el;
 144         struct posix_acl *acl = NULL;
 145         int error;
 146
 147         error = acl_get(GFS2_I(inode), GFS2_POSIX_ACL_ACCESS, &acl, &el, NULL, NULL);
 148         brelse(el.el_bh);
 149         if (error)
 150                 return error;
 151
 152         if (acl) {
 153                 error = posix_acl_permission(inode, acl, mask);
 154                 posix_acl_release(acl);
 155                 return error;
 156         }
 157
 158         return -EAGAIN;
 159 }
 160
 161 static int munge_mode(struct gfs2_inode *ip, mode_t mode)
 162 {
 163         struct gfs2_sbd *sdp = GFS2_SB(&ip->i_inode);
 164         struct buffer_head *dibh;
 165         int error;
 166
 167         error = gfs2_trans_begin(sdp, RES_DINODE, 0);
 168         if (error)
 169                 return error;
 170
 171         error = gfs2_meta_inode_buffer(ip, &dibh);
 172         if (!error) {
 173                 gfs2_assert_withdraw(sdp,
 174                                 (ip->i_inode.i_mode & S_IFMT) == (mode & S_IFMT));
 175                 ip->i_inode.i_mode = mode;
 176                 gfs2_trans_add_bh(ip->i_gl, dibh, 1);
 177                 gfs2_dinode_out(ip, dibh->b_data);
 178                 brelse(dibh);
 179         }
 180
 181         gfs2_trans_end(sdp);
 182
 183         return 0;
 184 }
 185
 186 int gfs2_acl_create(struct gfs2_inode *dip, struct gfs2_inode *ip)
 187 {
 188         struct gfs2_ea_location el;
 189         struct gfs2_sbd *sdp = GFS2_SB(&dip->i_inode);
 190         struct posix_acl *acl = NULL, *clone;
 191         mode_t mode = ip->i_inode.i_mode;
 192         char *data = NULL;
 193         unsigned int len;
 194         int error;
 195
 196         if (!sdp->sd_args.ar_posix_acl)
 197                 return 0;
 198         if (S_ISLNK(ip->i_inode.i_mode))
 199                 return 0;
 200
 201         error = acl_get(dip, GFS2_POSIX_ACL_DEFAULT, &acl, &el, &data, &len);
 202         brelse(el.el_bh);
 203         if (error)
 204                 return error;
 205         if (!acl) {
 206                 mode &= ~current_umask();
 207                 if (mode != ip->i_inode.i_mode)
 208                         error = munge_mode(ip, mode);
 209                 return error;
 210         }
 211
 212         clone = posix_acl_clone(acl, GFP_NOFS);
 213         error = -ENOMEM;
 214         if (!clone)
 215                 goto out;
 216         posix_acl_release(acl);
 217         acl = clone;
 218
 219         if (S_ISDIR(ip->i_inode.i_mode)) {
 220                 error = gfs2_xattr_set(&ip->i_inode, GFS2_EATYPE_SYS,
 221                                        GFS2_POSIX_ACL_DEFAULT, data, len, 0);
 222                 if (error)
 223                         goto out;
 224         }
 225
 226         error = posix_acl_create_masq(acl, &mode);
 227         if (error < 0)
 228                 goto out;
 229         if (error == 0)
 230                 goto munge;
 231
 232         posix_acl_to_xattr(acl, data, len);
 233         error = gfs2_xattr_set(&ip->i_inode, GFS2_EATYPE_SYS,
 234                                GFS2_POSIX_ACL_ACCESS, data, len, 0);
 235         if (error)
 236                 goto out;
 237 munge:
 238         error = munge_mode(ip, mode);
 239 out:
 240         posix_acl_release(acl);
 241         kfree(data);
 242         return error;
 243 }
 244
 245 int gfs2_acl_chmod(struct gfs2_inode *ip, struct iattr *attr)
 246 {
 247         struct posix_acl *acl = NULL, *clone;
 248         struct gfs2_ea_location el;
 249         char *data;
 250         unsigned int len;
 251         int error;
 252
 253         error = acl_get(ip, GFS2_POSIX_ACL_ACCESS, &acl, &el, &data, &len);
 254         if (error)
 255                 goto out_brelse;
 256         if (!acl)
 257                 return gfs2_setattr_simple(ip, attr);
 258
 259         clone = posix_acl_clone(acl, GFP_NOFS);
 260         error = -ENOMEM;
 261         if (!clone)
 262                 goto out;
 263         posix_acl_release(acl);
 264         acl = clone;
 265
 266         error = posix_acl_chmod_masq(acl, attr->ia_mode);
 267         if (!error) {
 268                 posix_acl_to_xattr(acl, data, len);
 269                 error = gfs2_ea_acl_chmod(ip, &el, attr, data);
 270         }
 271
 272 out:
 273         posix_acl_release(acl);
 274         kfree(data);
 275 out_brelse:
 276         brelse(el.el_bh);
 277         return error;
 278 }
 279