1 /* 2 * Copyright (C) 2002,2003 by Andreas Gruenbacher <a.gruenbacher@computer.org> 3 * 4 * Fixes from William Schumacher incorporated on 15 March 2001. 5 * (Reported by Charles Bertsch, <CBertsch@microtest.com>). 6 */ 7 8 /* 9 * This file contains generic functions for manipulating 10 * POSIX 1003.1e draft standard 17 ACLs. 11 */ 12 13 #include <linux/kernel.h> 14 #include <linux/slab.h> 15 #include <linux/atomic.h> 16 #include <linux/fs.h> 17 #include <linux/sched.h> 18 #include <linux/posix_acl.h> 19 #include <linux/posix_acl_xattr.h> 20 #include <linux/xattr.h> 21 #include <linux/export.h> 22 #include <linux/user_namespace.h> 23 24 struct posix_acl **acl_by_type(struct inode *inode, int type) 25 { 26 switch (type) { 27 case ACL_TYPE_ACCESS: 28 return &inode->i_acl; 29 case ACL_TYPE_DEFAULT: 30 return &inode->i_default_acl; 31 default: 32 BUG(); 33 } 34 } 35 EXPORT_SYMBOL(acl_by_type); 36 37 struct posix_acl *get_cached_acl(struct inode *inode, int type) 38 { 39 struct posix_acl **p = acl_by_type(inode, type); 40 struct posix_acl *acl = ACCESS_ONCE(*p); 41 if (acl) { 42 spin_lock(&inode->i_lock); 43 acl = *p; 44 if (acl != ACL_NOT_CACHED) 45 acl = posix_acl_dup(acl); 46 spin_unlock(&inode->i_lock); 47 } 48 return acl; 49 } 50 EXPORT_SYMBOL(get_cached_acl); 51 52 struct posix_acl *get_cached_acl_rcu(struct inode *inode, int type) 53 { 54 return rcu_dereference(*acl_by_type(inode, type)); 55 } 56 EXPORT_SYMBOL(get_cached_acl_rcu); 57 58 void set_cached_acl(struct inode *inode, int type, struct posix_acl *acl) 59 { 60 struct posix_acl **p = acl_by_type(inode, type); 61 struct posix_acl *old; 62 spin_lock(&inode->i_lock); 63 old = *p; 64 rcu_assign_pointer(*p, posix_acl_dup(acl)); 65 spin_unlock(&inode->i_lock); 66 if (old != ACL_NOT_CACHED) 67 posix_acl_release(old); 68 } 69 EXPORT_SYMBOL(set_cached_acl); 70 71 void forget_cached_acl(struct inode *inode, int type) 72 { 73 struct posix_acl **p = acl_by_type(inode, type); 74 struct posix_acl *old; 75 spin_lock(&inode->i_lock); 76 old = *p; 77 *p = ACL_NOT_CACHED; 78 spin_unlock(&inode->i_lock); 79 if (old != ACL_NOT_CACHED) 80 posix_acl_release(old); 81 } 82 EXPORT_SYMBOL(forget_cached_acl); 83 84 void forget_all_cached_acls(struct inode *inode) 85 { 86 struct posix_acl *old_access, *old_default; 87 spin_lock(&inode->i_lock); 88 old_access = inode->i_acl; 89 old_default = inode->i_default_acl; 90 inode->i_acl = inode->i_default_acl = ACL_NOT_CACHED; 91 spin_unlock(&inode->i_lock); 92 if (old_access != ACL_NOT_CACHED) 93 posix_acl_release(old_access); 94 if (old_default != ACL_NOT_CACHED) 95 posix_acl_release(old_default); 96 } 97 EXPORT_SYMBOL(forget_all_cached_acls); 98 99 struct posix_acl *get_acl(struct inode *inode, int type) 100 { 101 struct posix_acl *acl; 102 103 acl = get_cached_acl(inode, type); 104 if (acl != ACL_NOT_CACHED) 105 return acl; 106 107 if (!IS_POSIXACL(inode)) 108 return NULL; 109 110 /* 111 * A filesystem can force a ACL callback by just never filling the 112 * ACL cache. But normally you'd fill the cache either at inode 113 * instantiation time, or on the first ->get_acl call. 114 * 115 * If the filesystem doesn't have a get_acl() function at all, we'll 116 * just create the negative cache entry. 117 */ 118 if (!inode->i_op->get_acl) { 119 set_cached_acl(inode, type, NULL); 120 return NULL; 121 } 122 return inode->i_op->get_acl(inode, type); 123 } 124 EXPORT_SYMBOL(get_acl); 125 126 /* 127 * Init a fresh posix_acl 128 */ 129 void 130 posix_acl_init(struct posix_acl *acl, int count) 131 { 132 atomic_set(&acl->a_refcount, 1); 133 acl->a_count = count; 134 } 135 EXPORT_SYMBOL(posix_acl_init); 136 137 /* 138 * Allocate a new ACL with the specified number of entries. 139 */ 140 struct posix_acl * 141 posix_acl_alloc(int count, gfp_t flags) 142 { 143 const size_t size = sizeof(struct posix_acl) + 144 count * sizeof(struct posix_acl_entry); 145 struct posix_acl *acl = kmalloc(size, flags); 146 if (acl) 147 posix_acl_init(acl, count); 148 return acl; 149 } 150 EXPORT_SYMBOL(posix_acl_alloc); 151 152 /* 153 * Clone an ACL. 154 */ 155 static struct posix_acl * 156 posix_acl_clone(const struct posix_acl *acl, gfp_t flags) 157 { 158 struct posix_acl *clone = NULL; 159 160 if (acl) { 161 int size = sizeof(struct posix_acl) + acl->a_count * 162 sizeof(struct posix_acl_entry); 163 clone = kmemdup(acl, size, flags); 164 if (clone) 165 atomic_set(&clone->a_refcount, 1); 166 } 167 return clone; 168 } 169 170 /* 171 * Check if an acl is valid. Returns 0 if it is, or -E... otherwise. 172 */ 173 int 174 posix_acl_valid(const struct posix_acl *acl) 175 { 176 const struct posix_acl_entry *pa, *pe; 177 int state = ACL_USER_OBJ; 178 int needs_mask = 0; 179 180 FOREACH_ACL_ENTRY(pa, acl, pe) { 181 if (pa->e_perm & ~(ACL_READ|ACL_WRITE|ACL_EXECUTE)) 182 return -EINVAL; 183 switch (pa->e_tag) { 184 case ACL_USER_OBJ: 185 if (state == ACL_USER_OBJ) { 186 state = ACL_USER; 187 break; 188 } 189 return -EINVAL; 190 191 case ACL_USER: 192 if (state != ACL_USER) 193 return -EINVAL; 194 if (!uid_valid(pa->e_uid)) 195 return -EINVAL; 196 needs_mask = 1; 197 break; 198 199 case ACL_GROUP_OBJ: 200 if (state == ACL_USER) { 201 state = ACL_GROUP; 202 break; 203 } 204 return -EINVAL; 205 206 case ACL_GROUP: 207 if (state != ACL_GROUP) 208 return -EINVAL; 209 if (!gid_valid(pa->e_gid)) 210 return -EINVAL; 211 needs_mask = 1; 212 break; 213 214 case ACL_MASK: 215 if (state != ACL_GROUP) 216 return -EINVAL; 217 state = ACL_OTHER; 218 break; 219 220 case ACL_OTHER: 221 if (state == ACL_OTHER || 222 (state == ACL_GROUP && !needs_mask)) { 223 state = 0; 224 break; 225 } 226 return -EINVAL; 227 228 default: 229 return -EINVAL; 230 } 231 } 232 if (state == 0) 233 return 0; 234 return -EINVAL; 235 } 236 EXPORT_SYMBOL(posix_acl_valid); 237 238 /* 239 * Returns 0 if the acl can be exactly represented in the traditional 240 * file mode permission bits, or else 1. Returns -E... on error. 241 */ 242 int 243 posix_acl_equiv_mode(const struct posix_acl *acl, umode_t *mode_p) 244 { 245 const struct posix_acl_entry *pa, *pe; 246 umode_t mode = 0; 247 int not_equiv = 0; 248 249 FOREACH_ACL_ENTRY(pa, acl, pe) { 250 switch (pa->e_tag) { 251 case ACL_USER_OBJ: 252 mode |= (pa->e_perm & S_IRWXO) << 6; 253 break; 254 case ACL_GROUP_OBJ: 255 mode |= (pa->e_perm & S_IRWXO) << 3; 256 break; 257 case ACL_OTHER: 258 mode |= pa->e_perm & S_IRWXO; 259 break; 260 case ACL_MASK: 261 mode = (mode & ~S_IRWXG) | 262 ((pa->e_perm & S_IRWXO) << 3); 263 not_equiv = 1; 264 break; 265 case ACL_USER: 266 case ACL_GROUP: 267 not_equiv = 1; 268 break; 269 default: 270 return -EINVAL; 271 } 272 } 273 if (mode_p) 274 *mode_p = (*mode_p & ~S_IRWXUGO) | mode; 275 return not_equiv; 276 } 277 EXPORT_SYMBOL(posix_acl_equiv_mode); 278 279 /* 280 * Create an ACL representing the file mode permission bits of an inode. 281 */ 282 struct posix_acl * 283 posix_acl_from_mode(umode_t mode, gfp_t flags) 284 { 285 struct posix_acl *acl = posix_acl_alloc(3, flags); 286 if (!acl) 287 return ERR_PTR(-ENOMEM); 288 289 acl->a_entries[0].e_tag = ACL_USER_OBJ; 290 acl->a_entries[0].e_perm = (mode & S_IRWXU) >> 6; 291 292 acl->a_entries[1].e_tag = ACL_GROUP_OBJ; 293 acl->a_entries[1].e_perm = (mode & S_IRWXG) >> 3; 294 295 acl->a_entries[2].e_tag = ACL_OTHER; 296 acl->a_entries[2].e_perm = (mode & S_IRWXO); 297 return acl; 298 } 299 EXPORT_SYMBOL(posix_acl_from_mode); 300 301 /* 302 * Return 0 if current is granted want access to the inode 303 * by the acl. Returns -E... otherwise. 304 */ 305 int 306 posix_acl_permission(struct inode *inode, const struct posix_acl *acl, int want) 307 { 308 const struct posix_acl_entry *pa, *pe, *mask_obj; 309 int found = 0; 310 311 want &= MAY_READ | MAY_WRITE | MAY_EXEC | MAY_NOT_BLOCK; 312 313 FOREACH_ACL_ENTRY(pa, acl, pe) { 314 switch(pa->e_tag) { 315 case ACL_USER_OBJ: 316 /* (May have been checked already) */ 317 if (uid_eq(inode->i_uid, current_fsuid())) 318 goto check_perm; 319 break; 320 case ACL_USER: 321 if (uid_eq(pa->e_uid, current_fsuid())) 322 goto mask; 323 break; 324 case ACL_GROUP_OBJ: 325 if (in_group_p(inode->i_gid)) { 326 found = 1; 327 if ((pa->e_perm & want) == want) 328 goto mask; 329 } 330 break; 331 case ACL_GROUP: 332 if (in_group_p(pa->e_gid)) { 333 found = 1; 334 if ((pa->e_perm & want) == want) 335 goto mask; 336 } 337 break; 338 case ACL_MASK: 339 break; 340 case ACL_OTHER: 341 if (found) 342 return -EACCES; 343 else 344 goto check_perm; 345 default: 346 return -EIO; 347 } 348 } 349 return -EIO; 350 351 mask: 352 for (mask_obj = pa+1; mask_obj != pe; mask_obj++) { 353 if (mask_obj->e_tag == ACL_MASK) { 354 if ((pa->e_perm & mask_obj->e_perm & want) == want) 355 return 0; 356 return -EACCES; 357 } 358 } 359 360 check_perm: 361 if ((pa->e_perm & want) == want) 362 return 0; 363 return -EACCES; 364 } 365 366 /* 367 * Modify acl when creating a new inode. The caller must ensure the acl is 368 * only referenced once. 369 * 370 * mode_p initially must contain the mode parameter to the open() / creat() 371 * system calls. All permissions that are not granted by the acl are removed. 372 * The permissions in the acl are changed to reflect the mode_p parameter. 373 */ 374 static int posix_acl_create_masq(struct posix_acl *acl, umode_t *mode_p) 375 { 376 struct posix_acl_entry *pa, *pe; 377 struct posix_acl_entry *group_obj = NULL, *mask_obj = NULL; 378 umode_t mode = *mode_p; 379 int not_equiv = 0; 380 381 /* assert(atomic_read(acl->a_refcount) == 1); */ 382 383 FOREACH_ACL_ENTRY(pa, acl, pe) { 384 switch(pa->e_tag) { 385 case ACL_USER_OBJ: 386 pa->e_perm &= (mode >> 6) | ~S_IRWXO; 387 mode &= (pa->e_perm << 6) | ~S_IRWXU; 388 break; 389 390 case ACL_USER: 391 case ACL_GROUP: 392 not_equiv = 1; 393 break; 394 395 case ACL_GROUP_OBJ: 396 group_obj = pa; 397 break; 398 399 case ACL_OTHER: 400 pa->e_perm &= mode | ~S_IRWXO; 401 mode &= pa->e_perm | ~S_IRWXO; 402 break; 403 404 case ACL_MASK: 405 mask_obj = pa; 406 not_equiv = 1; 407 break; 408 409 default: 410 return -EIO; 411 } 412 } 413 414 if (mask_obj) { 415 mask_obj->e_perm &= (mode >> 3) | ~S_IRWXO; 416 mode &= (mask_obj->e_perm << 3) | ~S_IRWXG; 417 } else { 418 if (!group_obj) 419 return -EIO; 420 group_obj->e_perm &= (mode >> 3) | ~S_IRWXO; 421 mode &= (group_obj->e_perm << 3) | ~S_IRWXG; 422 } 423 424 *mode_p = (*mode_p & ~S_IRWXUGO) | mode; 425 return not_equiv; 426 } 427 428 /* 429 * Modify the ACL for the chmod syscall. 430 */ 431 static int __posix_acl_chmod_masq(struct posix_acl *acl, umode_t mode) 432 { 433 struct posix_acl_entry *group_obj = NULL, *mask_obj = NULL; 434 struct posix_acl_entry *pa, *pe; 435 436 /* assert(atomic_read(acl->a_refcount) == 1); */ 437 438 FOREACH_ACL_ENTRY(pa, acl, pe) { 439 switch(pa->e_tag) { 440 case ACL_USER_OBJ: 441 pa->e_perm = (mode & S_IRWXU) >> 6; 442 break; 443 444 case ACL_USER: 445 case ACL_GROUP: 446 break; 447 448 case ACL_GROUP_OBJ: 449 group_obj = pa; 450 break; 451 452 case ACL_MASK: 453 mask_obj = pa; 454 break; 455 456 case ACL_OTHER: 457 pa->e_perm = (mode & S_IRWXO); 458 break; 459 460 default: 461 return -EIO; 462 } 463 } 464 465 if (mask_obj) { 466 mask_obj->e_perm = (mode & S_IRWXG) >> 3; 467 } else { 468 if (!group_obj) 469 return -EIO; 470 group_obj->e_perm = (mode & S_IRWXG) >> 3; 471 } 472 473 return 0; 474 } 475 476 int 477 __posix_acl_create(struct posix_acl **acl, gfp_t gfp, umode_t *mode_p) 478 { 479 struct posix_acl *clone = posix_acl_clone(*acl, gfp); 480 int err = -ENOMEM; 481 if (clone) { 482 err = posix_acl_create_masq(clone, mode_p); 483 if (err < 0) { 484 posix_acl_release(clone); 485 clone = NULL; 486 } 487 } 488 posix_acl_release(*acl); 489 *acl = clone; 490 return err; 491 } 492 EXPORT_SYMBOL(__posix_acl_create); 493 494 int 495 __posix_acl_chmod(struct posix_acl **acl, gfp_t gfp, umode_t mode) 496 { 497 struct posix_acl *clone = posix_acl_clone(*acl, gfp); 498 int err = -ENOMEM; 499 if (clone) { 500 err = __posix_acl_chmod_masq(clone, mode); 501 if (err) { 502 posix_acl_release(clone); 503 clone = NULL; 504 } 505 } 506 posix_acl_release(*acl); 507 *acl = clone; 508 return err; 509 } 510 EXPORT_SYMBOL(__posix_acl_chmod); 511 512 int 513 posix_acl_chmod(struct inode *inode, umode_t mode) 514 { 515 struct posix_acl *acl; 516 int ret = 0; 517 518 if (!IS_POSIXACL(inode)) 519 return 0; 520 if (!inode->i_op->set_acl) 521 return -EOPNOTSUPP; 522 523 acl = get_acl(inode, ACL_TYPE_ACCESS); 524 if (IS_ERR_OR_NULL(acl)) 525 return PTR_ERR(acl); 526 527 ret = __posix_acl_chmod(&acl, GFP_KERNEL, mode); 528 if (ret) 529 return ret; 530 ret = inode->i_op->set_acl(inode, acl, ACL_TYPE_ACCESS); 531 posix_acl_release(acl); 532 return ret; 533 } 534 EXPORT_SYMBOL(posix_acl_chmod); 535 536 int 537 posix_acl_create(struct inode *dir, umode_t *mode, 538 struct posix_acl **default_acl, struct posix_acl **acl) 539 { 540 struct posix_acl *p; 541 int ret; 542 543 if (S_ISLNK(*mode) || !IS_POSIXACL(dir)) 544 goto no_acl; 545 546 p = get_acl(dir, ACL_TYPE_DEFAULT); 547 if (IS_ERR(p)) 548 return PTR_ERR(p); 549 550 if (!p) { 551 *mode &= ~current_umask(); 552 goto no_acl; 553 } 554 555 *acl = posix_acl_clone(p, GFP_NOFS); 556 if (!*acl) 557 return -ENOMEM; 558 559 ret = posix_acl_create_masq(*acl, mode); 560 if (ret < 0) { 561 posix_acl_release(*acl); 562 return -ENOMEM; 563 } 564 565 if (ret == 0) { 566 posix_acl_release(*acl); 567 *acl = NULL; 568 } 569 570 if (!S_ISDIR(*mode)) { 571 posix_acl_release(p); 572 *default_acl = NULL; 573 } else { 574 *default_acl = p; 575 } 576 return 0; 577 578 no_acl: 579 *default_acl = NULL; 580 *acl = NULL; 581 return 0; 582 } 583 EXPORT_SYMBOL_GPL(posix_acl_create); 584 585 /* 586 * Fix up the uids and gids in posix acl extended attributes in place. 587 */ 588 static void posix_acl_fix_xattr_userns( 589 struct user_namespace *to, struct user_namespace *from, 590 void *value, size_t size) 591 { 592 posix_acl_xattr_header *header = (posix_acl_xattr_header *)value; 593 posix_acl_xattr_entry *entry = (posix_acl_xattr_entry *)(header+1), *end; 594 int count; 595 kuid_t uid; 596 kgid_t gid; 597 598 if (!value) 599 return; 600 if (size < sizeof(posix_acl_xattr_header)) 601 return; 602 if (header->a_version != cpu_to_le32(POSIX_ACL_XATTR_VERSION)) 603 return; 604 605 count = posix_acl_xattr_count(size); 606 if (count < 0) 607 return; 608 if (count == 0) 609 return; 610 611 for (end = entry + count; entry != end; entry++) { 612 switch(le16_to_cpu(entry->e_tag)) { 613 case ACL_USER: 614 uid = make_kuid(from, le32_to_cpu(entry->e_id)); 615 entry->e_id = cpu_to_le32(from_kuid(to, uid)); 616 break; 617 case ACL_GROUP: 618 gid = make_kgid(from, le32_to_cpu(entry->e_id)); 619 entry->e_id = cpu_to_le32(from_kgid(to, gid)); 620 break; 621 default: 622 break; 623 } 624 } 625 } 626 627 void posix_acl_fix_xattr_from_user(void *value, size_t size) 628 { 629 struct user_namespace *user_ns = current_user_ns(); 630 if (user_ns == &init_user_ns) 631 return; 632 posix_acl_fix_xattr_userns(&init_user_ns, user_ns, value, size); 633 } 634 635 void posix_acl_fix_xattr_to_user(void *value, size_t size) 636 { 637 struct user_namespace *user_ns = current_user_ns(); 638 if (user_ns == &init_user_ns) 639 return; 640 posix_acl_fix_xattr_userns(user_ns, &init_user_ns, value, size); 641 } 642 643 /* 644 * Convert from extended attribute to in-memory representation. 645 */ 646 struct posix_acl * 647 posix_acl_from_xattr(struct user_namespace *user_ns, 648 const void *value, size_t size) 649 { 650 posix_acl_xattr_header *header = (posix_acl_xattr_header *)value; 651 posix_acl_xattr_entry *entry = (posix_acl_xattr_entry *)(header+1), *end; 652 int count; 653 struct posix_acl *acl; 654 struct posix_acl_entry *acl_e; 655 656 if (!value) 657 return NULL; 658 if (size < sizeof(posix_acl_xattr_header)) 659 return ERR_PTR(-EINVAL); 660 if (header->a_version != cpu_to_le32(POSIX_ACL_XATTR_VERSION)) 661 return ERR_PTR(-EOPNOTSUPP); 662 663 count = posix_acl_xattr_count(size); 664 if (count < 0) 665 return ERR_PTR(-EINVAL); 666 if (count == 0) 667 return NULL; 668 669 acl = posix_acl_alloc(count, GFP_NOFS); 670 if (!acl) 671 return ERR_PTR(-ENOMEM); 672 acl_e = acl->a_entries; 673 674 for (end = entry + count; entry != end; acl_e++, entry++) { 675 acl_e->e_tag = le16_to_cpu(entry->e_tag); 676 acl_e->e_perm = le16_to_cpu(entry->e_perm); 677 678 switch(acl_e->e_tag) { 679 case ACL_USER_OBJ: 680 case ACL_GROUP_OBJ: 681 case ACL_MASK: 682 case ACL_OTHER: 683 break; 684 685 case ACL_USER: 686 acl_e->e_uid = 687 make_kuid(user_ns, 688 le32_to_cpu(entry->e_id)); 689 if (!uid_valid(acl_e->e_uid)) 690 goto fail; 691 break; 692 case ACL_GROUP: 693 acl_e->e_gid = 694 make_kgid(user_ns, 695 le32_to_cpu(entry->e_id)); 696 if (!gid_valid(acl_e->e_gid)) 697 goto fail; 698 break; 699 700 default: 701 goto fail; 702 } 703 } 704 return acl; 705 706 fail: 707 posix_acl_release(acl); 708 return ERR_PTR(-EINVAL); 709 } 710 EXPORT_SYMBOL (posix_acl_from_xattr); 711 712 /* 713 * Convert from in-memory to extended attribute representation. 714 */ 715 int 716 posix_acl_to_xattr(struct user_namespace *user_ns, const struct posix_acl *acl, 717 void *buffer, size_t size) 718 { 719 posix_acl_xattr_header *ext_acl = (posix_acl_xattr_header *)buffer; 720 posix_acl_xattr_entry *ext_entry = ext_acl->a_entries; 721 int real_size, n; 722 723 real_size = posix_acl_xattr_size(acl->a_count); 724 if (!buffer) 725 return real_size; 726 if (real_size > size) 727 return -ERANGE; 728 729 ext_acl->a_version = cpu_to_le32(POSIX_ACL_XATTR_VERSION); 730 731 for (n=0; n < acl->a_count; n++, ext_entry++) { 732 const struct posix_acl_entry *acl_e = &acl->a_entries[n]; 733 ext_entry->e_tag = cpu_to_le16(acl_e->e_tag); 734 ext_entry->e_perm = cpu_to_le16(acl_e->e_perm); 735 switch(acl_e->e_tag) { 736 case ACL_USER: 737 ext_entry->e_id = 738 cpu_to_le32(from_kuid(user_ns, acl_e->e_uid)); 739 break; 740 case ACL_GROUP: 741 ext_entry->e_id = 742 cpu_to_le32(from_kgid(user_ns, acl_e->e_gid)); 743 break; 744 default: 745 ext_entry->e_id = cpu_to_le32(ACL_UNDEFINED_ID); 746 break; 747 } 748 } 749 return real_size; 750 } 751 EXPORT_SYMBOL (posix_acl_to_xattr); 752 753 static int 754 posix_acl_xattr_get(struct dentry *dentry, const char *name, 755 void *value, size_t size, int type) 756 { 757 struct posix_acl *acl; 758 int error; 759 760 if (!IS_POSIXACL(dentry->d_inode)) 761 return -EOPNOTSUPP; 762 if (S_ISLNK(dentry->d_inode->i_mode)) 763 return -EOPNOTSUPP; 764 765 acl = get_acl(dentry->d_inode, type); 766 if (IS_ERR(acl)) 767 return PTR_ERR(acl); 768 if (acl == NULL) 769 return -ENODATA; 770 771 error = posix_acl_to_xattr(&init_user_ns, acl, value, size); 772 posix_acl_release(acl); 773 774 return error; 775 } 776 777 static int 778 posix_acl_xattr_set(struct dentry *dentry, const char *name, 779 const void *value, size_t size, int flags, int type) 780 { 781 struct inode *inode = dentry->d_inode; 782 struct posix_acl *acl = NULL; 783 int ret; 784 785 if (!IS_POSIXACL(inode)) 786 return -EOPNOTSUPP; 787 if (!inode->i_op->set_acl) 788 return -EOPNOTSUPP; 789 790 if (type == ACL_TYPE_DEFAULT && !S_ISDIR(inode->i_mode)) 791 return value ? -EACCES : 0; 792 if (!inode_owner_or_capable(inode)) 793 return -EPERM; 794 795 if (value) { 796 acl = posix_acl_from_xattr(&init_user_ns, value, size); 797 if (IS_ERR(acl)) 798 return PTR_ERR(acl); 799 800 if (acl) { 801 ret = posix_acl_valid(acl); 802 if (ret) 803 goto out; 804 } 805 } 806 807 ret = inode->i_op->set_acl(inode, acl, type); 808 out: 809 posix_acl_release(acl); 810 return ret; 811 } 812 813 static size_t 814 posix_acl_xattr_list(struct dentry *dentry, char *list, size_t list_size, 815 const char *name, size_t name_len, int type) 816 { 817 const char *xname; 818 size_t size; 819 820 if (!IS_POSIXACL(dentry->d_inode)) 821 return -EOPNOTSUPP; 822 if (S_ISLNK(dentry->d_inode->i_mode)) 823 return -EOPNOTSUPP; 824 825 if (type == ACL_TYPE_ACCESS) 826 xname = POSIX_ACL_XATTR_ACCESS; 827 else 828 xname = POSIX_ACL_XATTR_DEFAULT; 829 830 size = strlen(xname) + 1; 831 if (list && size <= list_size) 832 memcpy(list, xname, size); 833 return size; 834 } 835 836 const struct xattr_handler posix_acl_access_xattr_handler = { 837 .prefix = POSIX_ACL_XATTR_ACCESS, 838 .flags = ACL_TYPE_ACCESS, 839 .list = posix_acl_xattr_list, 840 .get = posix_acl_xattr_get, 841 .set = posix_acl_xattr_set, 842 }; 843 EXPORT_SYMBOL_GPL(posix_acl_access_xattr_handler); 844 845 const struct xattr_handler posix_acl_default_xattr_handler = { 846 .prefix = POSIX_ACL_XATTR_DEFAULT, 847 .flags = ACL_TYPE_DEFAULT, 848 .list = posix_acl_xattr_list, 849 .get = posix_acl_xattr_get, 850 .set = posix_acl_xattr_set, 851 }; 852 EXPORT_SYMBOL_GPL(posix_acl_default_xattr_handler); 853 854 int simple_set_acl(struct inode *inode, struct posix_acl *acl, int type) 855 { 856 int error; 857 858 if (type == ACL_TYPE_ACCESS) { 859 error = posix_acl_equiv_mode(acl, &inode->i_mode); 860 if (error < 0) 861 return 0; 862 if (error == 0) 863 acl = NULL; 864 } 865 866 inode->i_ctime = CURRENT_TIME; 867 set_cached_acl(inode, type, acl); 868 return 0; 869 } 870 871 int simple_acl_create(struct inode *dir, struct inode *inode) 872 { 873 struct posix_acl *default_acl, *acl; 874 int error; 875 876 error = posix_acl_create(dir, &inode->i_mode, &default_acl, &acl); 877 if (error) 878 return error; 879 880 set_cached_acl(inode, ACL_TYPE_DEFAULT, default_acl); 881 set_cached_acl(inode, ACL_TYPE_ACCESS, acl); 882 883 if (default_acl) 884 posix_acl_release(default_acl); 885 if (acl) 886 posix_acl_release(acl); 887 return 0; 888 } 889