From patchwork Tue Aug 4 11:53:23 2015 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: =?utf-8?q?Andreas_Gr=C3=BCnbacher?= X-Patchwork-Id: 6937381 Return-Path: X-Original-To: patchwork-linux-nfs@patchwork.kernel.org Delivered-To: patchwork-parsemail@patchwork2.web.kernel.org Received: from mail.kernel.org (mail.kernel.org [198.145.29.136]) by patchwork2.web.kernel.org (Postfix) with ESMTP id 659B1C05AC for ; Tue, 4 Aug 2015 12:02:34 +0000 (UTC) Received: from mail.kernel.org (localhost [127.0.0.1]) by mail.kernel.org (Postfix) with ESMTP id 462852045E for ; Tue, 4 Aug 2015 12:02:33 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.kernel.org (Postfix) with ESMTP id 03D9820452 for ; Tue, 4 Aug 2015 12:02:29 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S933735AbbHDLz2 (ORCPT ); Tue, 4 Aug 2015 07:55:28 -0400 Received: from mail-wi0-f179.google.com ([209.85.212.179]:37248 "EHLO mail-wi0-f179.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S933712AbbHDLzZ (ORCPT ); Tue, 4 Aug 2015 07:55:25 -0400 Received: by wibud3 with SMTP id ud3so20344887wib.0; Tue, 04 Aug 2015 04:55:23 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=from:to:cc:subject:date:message-id:in-reply-to:references; bh=wJTX20wNaXQ4FrXmiem5/hOROt3gPC1Sv29BNsg/+F0=; b=FDsCehFa+zivuZlvxYm20F1EM2y+uWke+V4PghqOc12BQ8vT9tP2dF5wEr6qvBHTDd 9vprVSGeIGqAt4aQ9J55I/ybVLfA0xkgZdUyxPbAIdrZ9dhpx8v0vC0UN/uEBXgAkTsz qyk/5zTlsUxas+y65kADPgoeLabQQJEFukQUTMGChKwTsYWHZrouk3C8nFhyw5FnLbqm e+Qy/dvC4J3BUmN09qgH4ohp24xnfTion0wCYjpZT3TtyYtvCwc/lGA1Q42y7DYN73Mk ZeEObdkx6UN3iBKR4vs0lmHU8sNGsvqQJT6wr37mrb11pIuen1tlhexrRYQ4xF01HR0e DrHQ== X-Received: by 10.180.184.168 with SMTP id ev8mr7494710wic.28.1438689323261; Tue, 04 Aug 2015 04:55:23 -0700 (PDT) Received: from schleppi.home.com (p54980F84.dip0.t-ipconnect.de. [84.152.15.132]) by smtp.gmail.com with ESMTPSA id u7sm2018458wif.3.2015.08.04.04.55.21 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Tue, 04 Aug 2015 04:55:22 -0700 (PDT) From: Andreas Gruenbacher X-Google-Original-From: Andreas Gruenbacher To: linux-kernel@vger.kernel.org Cc: linux-fsdevel@vger.kernel.org, linux-nfs@vger.kernel.org, linux-api@vger.kernel.org, linux-cifs@vger.kernel.org, linux-security-module@vger.kernel.org, Andreas Gruenbacher , Andreas Gruenbacher Subject: [RFC v6 25/40] richacl: Isolate the owner and group classes Date: Tue, 4 Aug 2015 13:53:23 +0200 Message-Id: <1438689218-6921-26-git-send-email-agruenba@redhat.com> X-Mailer: git-send-email 2.5.0 In-Reply-To: <1438689218-6921-1-git-send-email-agruenba@redhat.com> References: <1438689218-6921-1-git-send-email-agruenba@redhat.com> Sender: linux-nfs-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-nfs@vger.kernel.org X-Spam-Status: No, score=-6.9 required=5.0 tests=BAYES_00, DKIM_ADSP_CUSTOM_MED, DKIM_SIGNED, FREEMAIL_FROM, RCVD_IN_DNSWL_HI, RP_MATCHES_RCVD, T_DKIM_INVALID, UNPARSEABLE_RELAY autolearn=unavailable version=3.3.1 X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on mail.kernel.org X-Virus-Scanned: ClamAV using ClamSMTP When applying the file masks to an acl, we need to ensure that no process gets more permissions than allowed by its file mask. This may require inserting an owner@ deny ace to ensure this if the owner mask contains fewer permissions than the group or other mask. For example, when applying mode 0466 to the following acl: everyone@:rw::allow A deny ace needs to be inserted so that the owner won't get elevated write access: owner@:w::deny everyone@:rw::allow Likewise, we may need to insert group class deny aces if the group mask contains fewer permissions than the other mask. For example, when applying mode 0646 to the following acl: owner@:rw::allow everyone@:rw::allow A deny ace needs to be inserted so that the owning group won't get elevated write access: owner@:rw::allow group@:w::deny everyone@:rw::allow Signed-off-by: Andreas Gruenbacher --- fs/richacl_compat.c | 236 ++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 236 insertions(+) diff --git a/fs/richacl_compat.c b/fs/richacl_compat.c index 76d5ab9..d708603 100644 --- a/fs/richacl_compat.c +++ b/fs/richacl_compat.c @@ -493,3 +493,239 @@ richacl_set_other_permissions(struct richacl_alloc *alloc) richace_change_mask(alloc, &ace, other_mask); return 0; } + +/** + * richacl_max_allowed - maximum permissions that anybody is allowed + */ +static unsigned int +richacl_max_allowed(struct richacl *acl) +{ + struct richace *ace; + unsigned int allowed = 0; + + richacl_for_each_entry_reverse(ace, acl) { + if (richace_is_inherit_only(ace)) + continue; + if (richace_is_allow(ace)) + allowed |= ace->e_mask; + else if (richace_is_deny(ace)) { + if (richace_is_everyone(ace)) + allowed &= ~ace->e_mask; + } + } + return allowed; +} + +/** + * richacl_isolate_owner_class - limit the owner class to the owner file mask + * @alloc: acl and number of allocated entries + * + * POSIX requires that after a chmod, the owner class is granted no more + * permissions than the owner file permission bits. For richacls, this + * means that the owner class must not be granted any permissions that the + * owner mask does not include. + * + * When we apply file masks to an acl which grant more permissions to the group + * or other class than to the owner class, we may end up in a situation where + * the owner is granted additional permissions from other aces. For example, + * given this acl: + * + * everyone:rwx::allow + * + * when file masks corresponding to mode 0466 are applied, after + * richacl_propagate_everyone() and __richacl_apply_masks(), we end up with: + * + * owner@:r::allow + * everyone@:rw::allow + * + * This acl still grants the owner rw access through the everyone@ allow ace. + * To fix this, we must deny the owner w access: + * + * owner@:w::deny + * owner@:r::allow + * everyone@:rw::allow + */ +static int +richacl_isolate_owner_class(struct richacl_alloc *alloc) +{ + struct richace *ace; + unsigned int allowed = 0; + + allowed = richacl_max_allowed(alloc->acl); + if (allowed & ~alloc->acl->a_owner_mask) { + /* + * Figure out if we can update an existig OWNER@ DENY entry. + */ + richacl_for_each_entry(ace, alloc->acl) { + if (richace_is_inherit_only(ace)) + continue; + if (richace_is_deny(ace)) { + if (richace_is_owner(ace)) + break; + } else if (richace_is_allow(ace)) { + ace = alloc->acl->a_entries + + alloc->acl->a_count; + break; + } + } + if (ace != alloc->acl->a_entries + alloc->acl->a_count) { + if (richace_change_mask(alloc, &ace, ace->e_mask | + (allowed & ~alloc->acl->a_owner_mask))) + return -1; + } else { + /* Insert an owner@ deny entry at the front. */ + ace = alloc->acl->a_entries; + if (richacl_insert_entry(alloc, &ace)) + return -1; + ace->e_type = RICHACE_ACCESS_DENIED_ACE_TYPE; + ace->e_flags = RICHACE_SPECIAL_WHO; + ace->e_mask = allowed & ~alloc->acl->a_owner_mask; + ace->e_id.special = RICHACE_OWNER_SPECIAL_ID; + } + } + return 0; +} + +/** + * __richacl_isolate_who - isolate entry from everyone@ allow entry + * @alloc: acl and number of allocated entries + * @who: identifier to isolate + * @deny: permissions this identifier should not be allowed + * + * See richacl_isolate_group_class(). + */ +static int +__richacl_isolate_who(struct richacl_alloc *alloc, struct richace *who, + unsigned int deny) +{ + struct richacl *acl = alloc->acl; + struct richace *ace; + int n; + /* + * Compute the permissions already denied to @who. + */ + richacl_for_each_entry(ace, acl) { + if (richace_is_inherit_only(ace)) + continue; + if (richace_is_same_identifier(ace, who) && + richace_is_deny(ace)) + deny &= ~ace->e_mask; + } + if (!deny) + return 0; + + /* + * Figure out if we can update an existig deny entry. Start from the + * entry before the trailing everyone@ allow entry. We will not hit + * everyone@ entries in the loop. + */ + for (n = acl->a_count - 2; n != -1; n--) { + ace = acl->a_entries + n; + if (richace_is_inherit_only(ace)) + continue; + if (richace_is_deny(ace)) { + if (richace_is_same_identifier(ace, who)) + break; + } else if (richace_is_allow(ace) && + (ace->e_mask & deny)) { + n = -1; + break; + } + } + if (n != -1) { + if (richace_change_mask(alloc, &ace, ace->e_mask | deny)) + return -1; + } else { + /* + * Insert a new entry before the trailing everyone@ deny entry. + */ + struct richace who_copy; + + richace_copy(&who_copy, who); + ace = acl->a_entries + acl->a_count - 1; + if (richacl_insert_entry(alloc, &ace)) + return -1; + richace_copy(ace, &who_copy); + ace->e_type = RICHACE_ACCESS_DENIED_ACE_TYPE; + richace_clear_inheritance_flags(ace); + ace->e_mask = deny; + } + return 0; +} + +/** + * richacl_isolate_group_class - limit the group class to the group file mask + * @alloc: acl and number of allocated entries + * + * POSIX requires that after a chmod, the group class is granted no more + * permissions than the group file permission bits. For richacls, this + * means that the group class must not be granted any permissions that the + * group mask does not include. + * + * When we apply file masks to an acl which grant more permissions to the other + * class than to the group class, we may end up in a situation where processes + * in the group class are granted additional permission from other aces. For + * example, given this acl: + * + * joe:rwx::allow + * everyone:rwx::allow + * + * when file masks corresponding to mode 0646 are applied, after + * richacl_propagate_everyone() and __richacl_apply_masks(), we end up with: + * + * joe:r::allow + * owner@:rw::allow + * group@:r::allow + * everyone@:rw::allow + * + * This acl still grants joe and group@ rw access through the everyone@ allow + * ace. To fix this, we must deny w access to group class aces before the + * everyone@ allow ace at the end of the acl: + * + * joe:r::allow + * owner@:rw::allow + * group@:r::allow + * joe:w::deny + * group@:w::deny + * everyone@:rw::allow + */ +static int +richacl_isolate_group_class(struct richacl_alloc *alloc) +{ + struct richace who = { + .e_flags = RICHACE_SPECIAL_WHO, + .e_id.special = RICHACE_GROUP_SPECIAL_ID, + }; + struct richace *ace; + unsigned int deny; + + if (!alloc->acl->a_count) + return 0; + ace = alloc->acl->a_entries + alloc->acl->a_count - 1; + if (richace_is_inherit_only(ace) || !richace_is_everyone(ace)) + return 0; + deny = ace->e_mask & ~alloc->acl->a_group_mask; + + if (deny) { + unsigned int n; + + if (__richacl_isolate_who(alloc, &who, deny)) + return -1; + /* + * Start from the entry before the trailing everyone@ allow + * entry. We will not hit everyone@ entries in the loop. + */ + for (n = alloc->acl->a_count - 2; n != -1; n--) { + ace = alloc->acl->a_entries + n; + + if (richace_is_inherit_only(ace) || + richace_is_owner(ace) || + richace_is_group(ace) || + richace_is_everyone(ace)) + continue; + if (__richacl_isolate_who(alloc, ace, deny)) + return -1; + } + } + return 0; +}