1b3b94faaSDavid Teigland /* 2b3b94faaSDavid Teigland * Copyright (C) Sistina Software, Inc. 1997-2003 All rights reserved. 3b3b94faaSDavid Teigland * Copyright (C) 2004-2005 Red Hat, Inc. All rights reserved. 4b3b94faaSDavid Teigland * 5b3b94faaSDavid Teigland * This copyrighted material is made available to anyone wishing to use, 6b3b94faaSDavid Teigland * modify, copy, or redistribute it subject to the terms and conditions 7b3b94faaSDavid Teigland * of the GNU General Public License v.2. 8b3b94faaSDavid Teigland */ 9b3b94faaSDavid Teigland 10b3b94faaSDavid Teigland #include <linux/sched.h> 11b3b94faaSDavid Teigland #include <linux/slab.h> 12b3b94faaSDavid Teigland #include <linux/spinlock.h> 13b3b94faaSDavid Teigland #include <linux/completion.h> 14b3b94faaSDavid Teigland #include <linux/buffer_head.h> 15b3b94faaSDavid Teigland #include <linux/posix_acl.h> 16b3b94faaSDavid Teigland #include <linux/posix_acl_xattr.h> 17b3b94faaSDavid Teigland #include <asm/semaphore.h> 185c676f6dSSteven Whitehouse #include <linux/gfs2_ondisk.h> 19b3b94faaSDavid Teigland 20b3b94faaSDavid Teigland #include "gfs2.h" 215c676f6dSSteven Whitehouse #include "lm_interface.h" 225c676f6dSSteven Whitehouse #include "incore.h" 23b3b94faaSDavid Teigland #include "acl.h" 24b3b94faaSDavid Teigland #include "eaops.h" 25b3b94faaSDavid Teigland #include "eattr.h" 26b3b94faaSDavid Teigland #include "glock.h" 27b3b94faaSDavid Teigland #include "inode.h" 28b3b94faaSDavid Teigland #include "meta_io.h" 29b3b94faaSDavid Teigland #include "trans.h" 305c676f6dSSteven Whitehouse #include "util.h" 31b3b94faaSDavid Teigland 32b3b94faaSDavid Teigland #define ACL_ACCESS 1 33b3b94faaSDavid Teigland #define ACL_DEFAULT 0 34b3b94faaSDavid Teigland 35b3b94faaSDavid Teigland int gfs2_acl_validate_set(struct gfs2_inode *ip, int access, 36b3b94faaSDavid Teigland struct gfs2_ea_request *er, 37b3b94faaSDavid Teigland int *remove, mode_t *mode) 38b3b94faaSDavid Teigland { 39b3b94faaSDavid Teigland struct posix_acl *acl; 40b3b94faaSDavid Teigland int error; 41b3b94faaSDavid Teigland 42b3b94faaSDavid Teigland error = gfs2_acl_validate_remove(ip, access); 43b3b94faaSDavid Teigland if (error) 44b3b94faaSDavid Teigland return error; 45b3b94faaSDavid Teigland 46b3b94faaSDavid Teigland if (!er->er_data) 47b3b94faaSDavid Teigland return -EINVAL; 48b3b94faaSDavid Teigland 49b3b94faaSDavid Teigland acl = posix_acl_from_xattr(er->er_data, er->er_data_len); 50b3b94faaSDavid Teigland if (IS_ERR(acl)) 51b3b94faaSDavid Teigland return PTR_ERR(acl); 52b3b94faaSDavid Teigland if (!acl) { 53b3b94faaSDavid Teigland *remove = 1; 54b3b94faaSDavid Teigland return 0; 55b3b94faaSDavid Teigland } 56b3b94faaSDavid Teigland 57b3b94faaSDavid Teigland error = posix_acl_valid(acl); 58b3b94faaSDavid Teigland if (error) 59b3b94faaSDavid Teigland goto out; 60b3b94faaSDavid Teigland 61b3b94faaSDavid Teigland if (access) { 62b3b94faaSDavid Teigland error = posix_acl_equiv_mode(acl, mode); 63b3b94faaSDavid Teigland if (!error) 64b3b94faaSDavid Teigland *remove = 1; 65b3b94faaSDavid Teigland else if (error > 0) 66b3b94faaSDavid Teigland error = 0; 67b3b94faaSDavid Teigland } 68b3b94faaSDavid Teigland 69b3b94faaSDavid Teigland out: 70b3b94faaSDavid Teigland posix_acl_release(acl); 71b3b94faaSDavid Teigland 72b3b94faaSDavid Teigland return error; 73b3b94faaSDavid Teigland } 74b3b94faaSDavid Teigland 75b3b94faaSDavid Teigland int gfs2_acl_validate_remove(struct gfs2_inode *ip, int access) 76b3b94faaSDavid Teigland { 77b3b94faaSDavid Teigland if (!ip->i_sbd->sd_args.ar_posix_acl) 78b3b94faaSDavid Teigland return -EOPNOTSUPP; 79b3b94faaSDavid Teigland if (current->fsuid != ip->i_di.di_uid && !capable(CAP_FOWNER)) 80b3b94faaSDavid Teigland return -EPERM; 81b3b94faaSDavid Teigland if (S_ISLNK(ip->i_di.di_mode)) 82b3b94faaSDavid Teigland return -EOPNOTSUPP; 83b3b94faaSDavid Teigland if (!access && !S_ISDIR(ip->i_di.di_mode)) 84b3b94faaSDavid Teigland return -EACCES; 85b3b94faaSDavid Teigland 86b3b94faaSDavid Teigland return 0; 87b3b94faaSDavid Teigland } 88b3b94faaSDavid Teigland 89b3b94faaSDavid Teigland static int acl_get(struct gfs2_inode *ip, int access, struct posix_acl **acl, 90b3b94faaSDavid Teigland struct gfs2_ea_location *el, char **data, unsigned int *len) 91b3b94faaSDavid Teigland { 92b3b94faaSDavid Teigland struct gfs2_ea_request er; 93b3b94faaSDavid Teigland struct gfs2_ea_location el_this; 94b3b94faaSDavid Teigland int error; 95b3b94faaSDavid Teigland 96b3b94faaSDavid Teigland if (!ip->i_di.di_eattr) 97b3b94faaSDavid Teigland return 0; 98b3b94faaSDavid Teigland 99b3b94faaSDavid Teigland memset(&er, 0, sizeof(struct gfs2_ea_request)); 100b3b94faaSDavid Teigland if (access) { 101b3b94faaSDavid Teigland er.er_name = GFS2_POSIX_ACL_ACCESS; 102b3b94faaSDavid Teigland er.er_name_len = GFS2_POSIX_ACL_ACCESS_LEN; 103b3b94faaSDavid Teigland } else { 104b3b94faaSDavid Teigland er.er_name = GFS2_POSIX_ACL_DEFAULT; 105b3b94faaSDavid Teigland er.er_name_len = GFS2_POSIX_ACL_DEFAULT_LEN; 106b3b94faaSDavid Teigland } 107b3b94faaSDavid Teigland er.er_type = GFS2_EATYPE_SYS; 108b3b94faaSDavid Teigland 109b3b94faaSDavid Teigland if (!el) 110b3b94faaSDavid Teigland el = &el_this; 111b3b94faaSDavid Teigland 112b3b94faaSDavid Teigland error = gfs2_ea_find(ip, &er, el); 113b3b94faaSDavid Teigland if (error) 114b3b94faaSDavid Teigland return error; 115b3b94faaSDavid Teigland if (!el->el_ea) 116b3b94faaSDavid Teigland return 0; 117b3b94faaSDavid Teigland if (!GFS2_EA_DATA_LEN(el->el_ea)) 118b3b94faaSDavid Teigland goto out; 119b3b94faaSDavid Teigland 120b3b94faaSDavid Teigland er.er_data_len = GFS2_EA_DATA_LEN(el->el_ea); 121b3b94faaSDavid Teigland er.er_data = kmalloc(er.er_data_len, GFP_KERNEL); 122b3b94faaSDavid Teigland error = -ENOMEM; 123b3b94faaSDavid Teigland if (!er.er_data) 124b3b94faaSDavid Teigland goto out; 125b3b94faaSDavid Teigland 126b3b94faaSDavid Teigland error = gfs2_ea_get_copy(ip, el, er.er_data); 127b3b94faaSDavid Teigland if (error) 128b3b94faaSDavid Teigland goto out_kfree; 129b3b94faaSDavid Teigland 130b3b94faaSDavid Teigland if (acl) { 131b3b94faaSDavid Teigland *acl = posix_acl_from_xattr(er.er_data, er.er_data_len); 132b3b94faaSDavid Teigland if (IS_ERR(*acl)) 133b3b94faaSDavid Teigland error = PTR_ERR(*acl); 134b3b94faaSDavid Teigland } 135b3b94faaSDavid Teigland 136b3b94faaSDavid Teigland out_kfree: 137b3b94faaSDavid Teigland if (error || !data) 138b3b94faaSDavid Teigland kfree(er.er_data); 139b3b94faaSDavid Teigland else { 140b3b94faaSDavid Teigland *data = er.er_data; 141b3b94faaSDavid Teigland *len = er.er_data_len; 142b3b94faaSDavid Teigland } 143b3b94faaSDavid Teigland 144b3b94faaSDavid Teigland out: 145b3b94faaSDavid Teigland if (error || el == &el_this) 146b3b94faaSDavid Teigland brelse(el->el_bh); 147b3b94faaSDavid Teigland 148b3b94faaSDavid Teigland return error; 149b3b94faaSDavid Teigland } 150b3b94faaSDavid Teigland 151b3b94faaSDavid Teigland /** 152b3b94faaSDavid Teigland * gfs2_check_acl_locked - Check an ACL to see if we're allowed to do something 153b3b94faaSDavid Teigland * @inode: the file we want to do something to 154b3b94faaSDavid Teigland * @mask: what we want to do 155b3b94faaSDavid Teigland * 156b3b94faaSDavid Teigland * Returns: errno 157b3b94faaSDavid Teigland */ 158b3b94faaSDavid Teigland 159b3b94faaSDavid Teigland int gfs2_check_acl_locked(struct inode *inode, int mask) 160b3b94faaSDavid Teigland { 161b3b94faaSDavid Teigland struct posix_acl *acl = NULL; 162b3b94faaSDavid Teigland int error; 163b3b94faaSDavid Teigland 1645c676f6dSSteven Whitehouse error = acl_get(inode->u.generic_ip, ACL_ACCESS, &acl, NULL, NULL, NULL); 165b3b94faaSDavid Teigland if (error) 166b3b94faaSDavid Teigland return error; 167b3b94faaSDavid Teigland 168b3b94faaSDavid Teigland if (acl) { 169b3b94faaSDavid Teigland error = posix_acl_permission(inode, acl, mask); 170b3b94faaSDavid Teigland posix_acl_release(acl); 171b3b94faaSDavid Teigland return error; 172b3b94faaSDavid Teigland } 173b3b94faaSDavid Teigland 174b3b94faaSDavid Teigland return -EAGAIN; 175b3b94faaSDavid Teigland } 176b3b94faaSDavid Teigland 177b3b94faaSDavid Teigland int gfs2_check_acl(struct inode *inode, int mask) 178b3b94faaSDavid Teigland { 1795c676f6dSSteven Whitehouse struct gfs2_inode *ip = inode->u.generic_ip; 180b3b94faaSDavid Teigland struct gfs2_holder i_gh; 181b3b94faaSDavid Teigland int error; 182b3b94faaSDavid Teigland 183b3b94faaSDavid Teigland error = gfs2_glock_nq_init(ip->i_gl, 184b3b94faaSDavid Teigland LM_ST_SHARED, LM_FLAG_ANY, 185b3b94faaSDavid Teigland &i_gh); 186b3b94faaSDavid Teigland if (!error) { 187b3b94faaSDavid Teigland error = gfs2_check_acl_locked(inode, mask); 188b3b94faaSDavid Teigland gfs2_glock_dq_uninit(&i_gh); 189b3b94faaSDavid Teigland } 190b3b94faaSDavid Teigland 191b3b94faaSDavid Teigland return error; 192b3b94faaSDavid Teigland } 193b3b94faaSDavid Teigland 194b3b94faaSDavid Teigland static int munge_mode(struct gfs2_inode *ip, mode_t mode) 195b3b94faaSDavid Teigland { 196b3b94faaSDavid Teigland struct gfs2_sbd *sdp = ip->i_sbd; 197b3b94faaSDavid Teigland struct buffer_head *dibh; 198b3b94faaSDavid Teigland int error; 199b3b94faaSDavid Teigland 200b3b94faaSDavid Teigland error = gfs2_trans_begin(sdp, RES_DINODE, 0); 201b3b94faaSDavid Teigland if (error) 202b3b94faaSDavid Teigland return error; 203b3b94faaSDavid Teigland 204b3b94faaSDavid Teigland error = gfs2_meta_inode_buffer(ip, &dibh); 205b3b94faaSDavid Teigland if (!error) { 206b3b94faaSDavid Teigland gfs2_assert_withdraw(sdp, 207b3b94faaSDavid Teigland (ip->i_di.di_mode & S_IFMT) == (mode & S_IFMT)); 208b3b94faaSDavid Teigland ip->i_di.di_mode = mode; 209d4e9c4c3SSteven Whitehouse gfs2_trans_add_bh(ip->i_gl, dibh, 1); 210b3b94faaSDavid Teigland gfs2_dinode_out(&ip->i_di, dibh->b_data); 211b3b94faaSDavid Teigland brelse(dibh); 212b3b94faaSDavid Teigland } 213b3b94faaSDavid Teigland 214b3b94faaSDavid Teigland gfs2_trans_end(sdp); 215b3b94faaSDavid Teigland 216b3b94faaSDavid Teigland return 0; 217b3b94faaSDavid Teigland } 218b3b94faaSDavid Teigland 219b3b94faaSDavid Teigland int gfs2_acl_create(struct gfs2_inode *dip, struct gfs2_inode *ip) 220b3b94faaSDavid Teigland { 221b3b94faaSDavid Teigland struct gfs2_sbd *sdp = dip->i_sbd; 222b3b94faaSDavid Teigland struct posix_acl *acl = NULL, *clone; 223b3b94faaSDavid Teigland struct gfs2_ea_request er; 224b3b94faaSDavid Teigland mode_t mode = ip->i_di.di_mode; 225b3b94faaSDavid Teigland int error; 226b3b94faaSDavid Teigland 227b3b94faaSDavid Teigland if (!sdp->sd_args.ar_posix_acl) 228b3b94faaSDavid Teigland return 0; 229b3b94faaSDavid Teigland if (S_ISLNK(ip->i_di.di_mode)) 230b3b94faaSDavid Teigland return 0; 231b3b94faaSDavid Teigland 232b3b94faaSDavid Teigland memset(&er, 0, sizeof(struct gfs2_ea_request)); 233b3b94faaSDavid Teigland er.er_type = GFS2_EATYPE_SYS; 234b3b94faaSDavid Teigland 235b3b94faaSDavid Teigland error = acl_get(dip, ACL_DEFAULT, &acl, NULL, 236b3b94faaSDavid Teigland &er.er_data, &er.er_data_len); 237b3b94faaSDavid Teigland if (error) 238b3b94faaSDavid Teigland return error; 239b3b94faaSDavid Teigland if (!acl) { 240b3b94faaSDavid Teigland mode &= ~current->fs->umask; 241b3b94faaSDavid Teigland if (mode != ip->i_di.di_mode) 242b3b94faaSDavid Teigland error = munge_mode(ip, mode); 243b3b94faaSDavid Teigland return error; 244b3b94faaSDavid Teigland } 245b3b94faaSDavid Teigland 246b3b94faaSDavid Teigland clone = posix_acl_clone(acl, GFP_KERNEL); 247b3b94faaSDavid Teigland error = -ENOMEM; 248b3b94faaSDavid Teigland if (!clone) 249b3b94faaSDavid Teigland goto out; 250b3b94faaSDavid Teigland posix_acl_release(acl); 251b3b94faaSDavid Teigland acl = clone; 252b3b94faaSDavid Teigland 253b3b94faaSDavid Teigland if (S_ISDIR(ip->i_di.di_mode)) { 254b3b94faaSDavid Teigland er.er_name = GFS2_POSIX_ACL_DEFAULT; 255b3b94faaSDavid Teigland er.er_name_len = GFS2_POSIX_ACL_DEFAULT_LEN; 256b3b94faaSDavid Teigland error = gfs2_system_eaops.eo_set(ip, &er); 257b3b94faaSDavid Teigland if (error) 258b3b94faaSDavid Teigland goto out; 259b3b94faaSDavid Teigland } 260b3b94faaSDavid Teigland 261b3b94faaSDavid Teigland error = posix_acl_create_masq(acl, &mode); 262b3b94faaSDavid Teigland if (error < 0) 263b3b94faaSDavid Teigland goto out; 264b3b94faaSDavid Teigland if (error > 0) { 265b3b94faaSDavid Teigland er.er_name = GFS2_POSIX_ACL_ACCESS; 266b3b94faaSDavid Teigland er.er_name_len = GFS2_POSIX_ACL_ACCESS_LEN; 267b3b94faaSDavid Teigland posix_acl_to_xattr(acl, er.er_data, er.er_data_len); 268b3b94faaSDavid Teigland er.er_mode = mode; 269b3b94faaSDavid Teigland er.er_flags = GFS2_ERF_MODE; 270b3b94faaSDavid Teigland error = gfs2_system_eaops.eo_set(ip, &er); 271b3b94faaSDavid Teigland if (error) 272b3b94faaSDavid Teigland goto out; 273b3b94faaSDavid Teigland } else 274b3b94faaSDavid Teigland munge_mode(ip, mode); 275b3b94faaSDavid Teigland 276b3b94faaSDavid Teigland out: 277b3b94faaSDavid Teigland posix_acl_release(acl); 278b3b94faaSDavid Teigland kfree(er.er_data); 279b3b94faaSDavid Teigland return error; 280b3b94faaSDavid Teigland } 281b3b94faaSDavid Teigland 282b3b94faaSDavid Teigland int gfs2_acl_chmod(struct gfs2_inode *ip, struct iattr *attr) 283b3b94faaSDavid Teigland { 284b3b94faaSDavid Teigland struct posix_acl *acl = NULL, *clone; 285b3b94faaSDavid Teigland struct gfs2_ea_location el; 286b3b94faaSDavid Teigland char *data; 287b3b94faaSDavid Teigland unsigned int len; 288b3b94faaSDavid Teigland int error; 289b3b94faaSDavid Teigland 290b3b94faaSDavid Teigland error = acl_get(ip, ACL_ACCESS, &acl, &el, &data, &len); 291b3b94faaSDavid Teigland if (error) 292b3b94faaSDavid Teigland return error; 293b3b94faaSDavid Teigland if (!acl) 294b3b94faaSDavid Teigland return gfs2_setattr_simple(ip, attr); 295b3b94faaSDavid Teigland 296b3b94faaSDavid Teigland clone = posix_acl_clone(acl, GFP_KERNEL); 297b3b94faaSDavid Teigland error = -ENOMEM; 298b3b94faaSDavid Teigland if (!clone) 299b3b94faaSDavid Teigland goto out; 300b3b94faaSDavid Teigland posix_acl_release(acl); 301b3b94faaSDavid Teigland acl = clone; 302b3b94faaSDavid Teigland 303b3b94faaSDavid Teigland error = posix_acl_chmod_masq(acl, attr->ia_mode); 304b3b94faaSDavid Teigland if (!error) { 305b3b94faaSDavid Teigland posix_acl_to_xattr(acl, data, len); 306b3b94faaSDavid Teigland error = gfs2_ea_acl_chmod(ip, &el, attr, data); 307b3b94faaSDavid Teigland } 308b3b94faaSDavid Teigland 309b3b94faaSDavid Teigland out: 310b3b94faaSDavid Teigland posix_acl_release(acl); 311b3b94faaSDavid Teigland brelse(el.el_bh); 312b3b94faaSDavid Teigland kfree(data); 313b3b94faaSDavid Teigland 314b3b94faaSDavid Teigland return error; 315b3b94faaSDavid Teigland } 316b3b94faaSDavid Teigland 317