Return-Path: Received: from fieldses.org ([173.255.197.46]:36408 "EHLO fieldses.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S933897AbbI1Q3H (ORCPT ); Mon, 28 Sep 2015 12:29:07 -0400 Date: Mon, 28 Sep 2015 12:29:05 -0400 From: "J. Bruce Fields" To: Andreas =?utf-8?Q?Gr=C3=BCnbacher?= Cc: Andreas Gruenbacher , Alexander Viro , "Theodore Ts'o" , Andreas Dilger , Jeff Layton , Trond Myklebust , Anna Schumaker , linux-ext4@vger.kernel.org, Linux Kernel Mailing List , Linux FS-devel Mailing List , Linux NFS Mailing List , Linux API Mailing List Subject: Re: [PATCH v8 10/41] richacl: Permission check algorithm Message-ID: <20150928162905.GE1358@fieldses.org> References: <1443391772-10171-1-git-send-email-agruenba@redhat.com> <1443391772-10171-11-git-send-email-agruenba@redhat.com> <20150928160855.GD1358@fieldses.org> MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 In-Reply-To: Sender: linux-nfs-owner@vger.kernel.org List-ID: On Mon, Sep 28, 2015 at 06:25:23PM +0200, Andreas Grünbacher wrote: > 2015-09-28 18:08 GMT+02:00 J. Bruce Fields : > > On Mon, Sep 28, 2015 at 12:09:01AM +0200, Andreas Gruenbacher wrote: > >> + /* > >> + * Check if the acl grants the requested access and determine which > >> + * file class the process is in. > >> + */ > >> + richacl_for_each_entry(ace, acl) { > >> + unsigned int ace_mask = ace->e_mask; > >> + > >> + if (richace_is_inherit_only(ace)) > >> + continue; > >> + if (richace_is_owner(ace)) { > >> + if (!uid_eq(current_fsuid(), inode->i_uid)) > >> + continue; > >> + goto entry_matches_owner; > >> + } else if (richace_is_group(ace)) { > >> + if (!in_owning_group) > >> + continue; > >> + } else if (richace_is_unix_user(ace)) { > >> + if (!uid_eq(current_fsuid(), ace->e_id.uid)) > >> + continue; > >> + goto entry_matches_owner; > >> + } else if (richace_is_unix_group(ace)) { > >> + if (!in_group_p(ace->e_id.gid)) > >> + continue; > >> + } else > >> + goto entry_matches_everyone; > >> + > >> + /* > >> + * Apply the group file mask to entries other than owner@ and > >> + * everyone@ or user entries matching the owner. > > > > The above also skips the following group_mask application on any unix > > group. > > Really? How does it do that? Sorry, I meant "unix user", not "unix group"! --b.