VN_HOLD(vp);
error = xfs_acl_allow_set(vp, kind);
- if (error)
- goto out;
/* Incoming ACL exists, set file mode based on its value */
- if (kind == _ACL_TYPE_ACCESS)
- xfs_acl_setmode(vp, xfs_acl, &basicperms);
+ if (!error && kind == _ACL_TYPE_ACCESS)
+ error = xfs_acl_setmode(vp, xfs_acl, &basicperms);
+
+ if (error)
+ goto out;
/*
* If we have more than std unix permissions, set up the actual attr.
if (!basicperms) {
xfs_acl_set_attr(vp, xfs_acl, kind, &error);
} else {
- xfs_acl_vremove(vp, _ACL_TYPE_ACCESS);
+ error = -xfs_acl_vremove(vp, _ACL_TYPE_ACCESS);
}
out:
return error;
}
-/*
- * The access control process to determine the access permission:
- * if uid == file owner id, use the file owner bits.
- * if gid == file owner group id, use the file group bits.
- * scan ACL for a matching user or group, and use matched entry
- * permission. Use total permissions of all matching group entries,
- * until all acl entries are exhausted. The final permission produced
- * by matching acl entry or entries needs to be & with group permission.
- * if not owner, owning group, or matching entry in ACL, use file
- * other bits.
- */
-STATIC int
-xfs_acl_capability_check(
- mode_t mode,
- cred_t *cr)
-{
- if ((mode & ACL_READ) && !capable_cred(cr, CAP_DAC_READ_SEARCH))
- return EACCES;
- if ((mode & ACL_WRITE) && !capable_cred(cr, CAP_DAC_OVERRIDE))
- return EACCES;
- if ((mode & ACL_EXECUTE) && !capable_cred(cr, CAP_DAC_OVERRIDE))
- return EACCES;
-
- return 0;
-}
-
/*
* Note: cr is only used here for the capability check if the ACL test fails.
* It is not used to find out the credentials uid or groups etc, as was
matched.ae_tag = 0; /* Invalid type */
matched.ae_perm = 0;
- md >>= 6; /* Normalize the bits for comparison */
for (i = 0; i < fap->acl_cnt; i++) {
/*
break;
}
- return xfs_acl_capability_check(md, cr);
+ /* EACCES tells generic_permission to check for capability overrides */
+ return EACCES;
}
/*
int
xfs_acl_inherit(
bhv_vnode_t *vp,
- bhv_vattr_t *vap,
+ mode_t mode,
xfs_acl_t *pdaclp)
{
xfs_acl_t *cacl;
return ENOMEM;
memcpy(cacl, pdaclp, sizeof(xfs_acl_t));
- xfs_acl_filter_mode(vap->va_mode, cacl);
- xfs_acl_setmode(vp, cacl, &basicperms);
+ xfs_acl_filter_mode(mode, cacl);
+ error = xfs_acl_setmode(vp, cacl, &basicperms);
+ if (error)
+ goto out_error;
/*
* Set the Default and Access ACL on the file. The mode is already
xfs_acl_set_attr(vp, pdaclp, _ACL_TYPE_DEFAULT, &error);
if (!error && !basicperms)
xfs_acl_set_attr(vp, cacl, _ACL_TYPE_ACCESS, &error);
+out_error:
_ACL_FREE(cacl);
return error;
}