summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorJ. Bruce Fields <bfields@citi.umich.edu>2007-02-16 01:28:28 -0800
committerLinus Torvalds <torvalds@woody.linux-foundation.org>2007-02-16 08:14:01 -0800
commit7bdfa68c5e70b815e85dab0bdd9f48ec103c4002 (patch)
tree0cb4068ea5f0281a624a4d259407243407bdaa24
parentf534a257acfd9dae0a689be64397919907b283ba (diff)
downloadkernel-crypto-7bdfa68c5e70b815e85dab0bdd9f48ec103c4002.tar.gz
kernel-crypto-7bdfa68c5e70b815e85dab0bdd9f48ec103c4002.tar.xz
kernel-crypto-7bdfa68c5e70b815e85dab0bdd9f48ec103c4002.zip
[PATCH] knfsd: nfsd4: relax checking of ACL inheritance bits
The rfc allows us to be more permissive about the ACL inheritance bits we accept: "If the server supports a single "inherit ACE" flag that applies to both files and directories, the server may reject the request (i.e., requiring the client to set both the file and directory inheritance flags). The server may also accept the request and silently turn on the ACE4_DIRECTORY_INHERIT_ACE flag." Let's take the latter option--the ACL is a complex attribute that could be rejected for a wide variety of reasons, and the protocol gives us little ability to explain the reason for the rejection, so erroring out is a user-unfriendly last resort. Signed-off-by: J. Bruce Fields <bfields@citi.umich.edu> Signed-off-by: Neil Brown <neilb@suse.de> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
-rw-r--r--fs/nfsd/nfs4acl.c23
1 files changed, 13 insertions, 10 deletions
diff --git a/fs/nfsd/nfs4acl.c b/fs/nfsd/nfs4acl.c
index 5d94555cdc8..785418b0b79 100644
--- a/fs/nfsd/nfs4acl.c
+++ b/fs/nfsd/nfs4acl.c
@@ -61,9 +61,11 @@
/* flags used to simulate posix default ACLs */
#define NFS4_INHERITANCE_FLAGS (NFS4_ACE_FILE_INHERIT_ACE \
- | NFS4_ACE_DIRECTORY_INHERIT_ACE | NFS4_ACE_INHERIT_ONLY_ACE)
+ | NFS4_ACE_DIRECTORY_INHERIT_ACE)
-#define NFS4_SUPPORTED_FLAGS (NFS4_INHERITANCE_FLAGS | NFS4_ACE_IDENTIFIER_GROUP)
+#define NFS4_SUPPORTED_FLAGS (NFS4_INHERITANCE_FLAGS \
+ | NFS4_ACE_INHERIT_ONLY_ACE \
+ | NFS4_ACE_IDENTIFIER_GROUP)
#define MASK_EQUAL(mask1, mask2) \
( ((mask1) & NFS4_ACE_MASK_ALL) == ((mask2) & NFS4_ACE_MASK_ALL) )
@@ -707,11 +709,16 @@ nfs4_acl_split(struct nfs4_acl *acl, struct nfs4_acl *dacl)
if (ace->flag & ~NFS4_SUPPORTED_FLAGS)
return -EINVAL;
- switch (ace->flag & NFS4_INHERITANCE_FLAGS) {
- case 0:
+ if ((ace->flag & NFS4_INHERITANCE_FLAGS) == 0) {
/* Leave this ace in the effective acl: */
continue;
- case NFS4_INHERITANCE_FLAGS:
+ }
+ /*
+ * Note that when only one of FILE_INHERIT or DIRECTORY_INHERIT
+ * is set, we're effectively turning on the other. That's OK,
+ * according to rfc 3530.
+ */
+ if (ace->flag & NFS4_ACE_INHERIT_ONLY_ACE) {
/* Add this ace to the default acl and remove it
* from the effective acl: */
error = nfs4_acl_add_ace(dacl, ace->type, ace->flag,
@@ -721,17 +728,13 @@ nfs4_acl_split(struct nfs4_acl *acl, struct nfs4_acl *dacl)
list_del(h);
kfree(ace);
acl->naces--;
- break;
- case NFS4_INHERITANCE_FLAGS & ~NFS4_ACE_INHERIT_ONLY_ACE:
+ } else {
/* Add this ace to the default, but leave it in
* the effective acl as well: */
error = nfs4_acl_add_ace(dacl, ace->type, ace->flag,
ace->access_mask, ace->whotype, ace->who);
if (error)
return error;
- break;
- default:
- return -EINVAL;
}
}
return 0;