Re: [PATCH -V6 09/26] vfs: Add delete child and delete self permission flags

From: Aneesh Kumar K.V
Date: Fri Sep 09 2011 - 01:16:00 EST

Next message: Aneesh Kumar K.V: "Re: [PATCH -V6 09/26] vfs: Add delete child and delete self permission flags"
Previous message: Donggeun Kim: "Re: [PATCH] misc: Add driver for GP2AP002 proximity/ambient lightsensor"
In reply to: J. Bruce Fields: "Re: [PATCH -V6 09/26] vfs: Add delete child and delete selfpermission flags"
Next in thread: David Howells: "Re: [PATCH -V6 09/26] vfs: Add delete child and delete self permission flags"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Thu, 8 Sep 2011 16:07:54 -0400, "J. Bruce Fields" <bfields@xxxxxxxxxxxx> wrote:
> On Thu, Sep 08, 2011 at 03:00:58PM +0530, Aneesh Kumar K.V wrote:
> > On Wed, 7 Sep 2011 16:39:16 -0400, "J. Bruce Fields" <bfields@xxxxxxxxxxxx> wrote:
> > > On Mon, Sep 05, 2011 at 10:55:31PM +0530, Aneesh Kumar K.V wrote:
> > > > From: Andreas Gruenbacher <agruen@xxxxxxxxxx>
> > > >
> > > > Normally, deleting a file requires write access to the parent directory.
> > > > Some permission models use a different permission on the parent
> > > > directory to indicate delete access. In addition, a process can have
> > > > per-file delete access even without delete access on the parent
> > > > directory.
> > > >
> > > > Introduce two new inode_permission() mask flags and use them in
> > > > may_delete()
> > > >
> > > > Signed-off-by: Andreas Gruenbacher <agruen@xxxxxxxxxx>
> > > > Signed-off-by: Aneesh Kumar K.V <aneesh.kumar@xxxxxxxxxxxxxxxxxx>
> > > > ---
> > > > fs/namei.c | 41 +++++++++++++++++++++++++++--------------
> > > > include/linux/fs.h | 2 ++
> > > > 2 files changed, 29 insertions(+), 14 deletions(-)
> > > >
> > > > diff --git a/fs/namei.c b/fs/namei.c
> > > > index d52a4cd..eacb530 100644
> > > > --- a/fs/namei.c
> > > > +++ b/fs/namei.c
> > > > @@ -337,7 +337,7 @@ static inline int do_inode_permission(struct inode *inode, int mask)
> > > > * are used for other things.
> > > > *
> > > > * When checking for MAY_APPEND, MAY_CREATE_FILE, MAY_CREATE_DIR,
> > > > - * MAY_WRITE must also be set in @mask.
> > > > + * MAY_DELETE_CHILD, MAY_DELETE_SELF, MAY_WRITE must also be set in @mask.
> > > > */
> > > > int inode_permission(struct inode *inode, int mask)
> > > > {
> > > > @@ -1862,7 +1862,7 @@ static inline int check_sticky(struct inode *dir, struct inode *inode)
> > > > return 0;
> > > >
> > > > other_userns:
> > > > - return !ns_capable(inode_userns(inode), CAP_FOWNER);
> > > > + return 1;
> > > > }
> > > >
> > > > /*
> > > > @@ -1884,30 +1884,43 @@ other_userns:
> > > > * 10. We don't allow removal of NFS sillyrenamed files; it's handled by
> > > > * nfs_async_unlink().
> > > > */
> > > > -static int may_delete(struct inode *dir,struct dentry *victim,int isdir)
> > > > +static int may_delete(struct inode *dir, struct dentry *victim,
> > > > + int isdir, int replace)
> > > > {
> > > > - int error;
> > > > + int mask, error, is_sticky;
> > > > + struct inode *inode = victim->d_inode;
> > > >
> > > > - if (!victim->d_inode)
> > > > + if (!inode)
> > > > return -ENOENT;
> > > >
> > > > BUG_ON(victim->d_parent->d_inode != dir);
> > > > audit_inode_child(victim, dir);
> > > >
> > > > - error = inode_permission(dir, MAY_WRITE | MAY_EXEC);
> > > > + mask = MAY_WRITE | MAY_EXEC | MAY_DELETE_CHILD;
> > > > + if (replace)
> > > > + mask |= S_ISDIR(inode->i_mode) ?
> > > > + MAY_CREATE_DIR : MAY_CREATE_FILE;
> > >
> > > I'm having trouble understanding this next bit:
> > >
> > > > + is_sticky = check_sticky(dir, inode);
> > > > + error = inode_permission(dir, mask);
> > > > + if ((error || is_sticky) && IS_RICHACL(inode) &&
> > > > + !inode_permission(dir, mask & ~(MAY_WRITE | MAY_DELETE_CHILD)) &&
> > > > + !inode_permission(inode, MAY_DELETE_SELF))
> > > > + error = 0;
> > >
> > > OK, so we can ignore the lack of write or delete permissions on the
> > > parent if we have delete_self permissions on the child. I guess that's
> > > right.
> > >
> > > Why the "|| is_sticky" above?
> > >
> > > Is there some less complicated why to write this?
> >
> > we removed the ns_capable check out of check_sticky, because we don't
> > want to do capability check when richacl allows access. We also want to
> > make sure that even if mode bits allow access (inode_permission(dir, mask))
> > if sticky bit is set we do additional check.
>
> Why are the two inode_permissions ANDed? The windows semantics are that
> you can delete if you have MAY_DELETE_CHILD *or* MAY_DELETE_SELF.
>

error = inode_permission(dir, mask) check for whether we have MAY_EXEC and
MAY_DELETE_CHILD permission on the directory. If we don't have one then
we check whether directory have MAY_EXEC permission and (hence && ) the inode being
deleted have MAY_DELETE_SELF permission.

NOTE: if it is a replace, we need to add MAY_CREATE_DIR or
MAY_CREATE_FILE to the first two permission check.

-aneesh

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Aneesh Kumar K.V: "Re: [PATCH -V6 09/26] vfs: Add delete child and delete self permission flags"
Previous message: Donggeun Kim: "Re: [PATCH] misc: Add driver for GP2AP002 proximity/ambient lightsensor"
In reply to: J. Bruce Fields: "Re: [PATCH -V6 09/26] vfs: Add delete child and delete selfpermission flags"
Next in thread: David Howells: "Re: [PATCH -V6 09/26] vfs: Add delete child and delete self permission flags"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]