vserver 2.0 rc7

[linux-2.6.git] / fs / xfs / xfs_acl.c

diff --git a/fs/xfs/xfs_acl.c b/fs/xfs/xfs_acl.c
index ad9f5de..8d01dce 100644 (file)
--- a/fs/xfs/xfs_acl.c
+++ b/fs/xfs/xfs_acl.c
@@ -231,8 +231,6 @@ xfs_acl_vget(
        int                     flags = 0;
 
        VN_HOLD(vp);
-       if ((error = _MAC_VACCESS(vp, NULL, VREAD)))
-               goto out;
        if(size) {
                if (!(_ACL_ALLOC(xfs_acl))) {
                        error = ENOMEM;
@@ -395,8 +393,6 @@ xfs_acl_allow_set(
                return ENOTDIR;
        if (vp->v_vfsp->vfs_flag & VFS_RDONLY)
                return EROFS;
-       if ((error = _MAC_VACCESS(vp, NULL, VWRITE)))
-               return error;
        va.va_mask = XFS_AT_UID;
        VOP_GETATTR(vp, &va, 0, NULL, error);
        if (error)
@@ -406,38 +402,6 @@ xfs_acl_allow_set(
        return error;
 }
 
-/*
- * Look for any effective exec access, to allow CAP_DAC_OVERRIDE for exec.
- * Ignore checking for exec in USER_OBJ when there is no mask, because
- * in this "minimal acl" case we don't have any actual acls, and we
- * won't even be here.
- */
-STATIC int
-xfs_acl_find_any_exec(
-       xfs_acl_t       *fap)
-{
-       int             i;
-       int             masked_aces = 0;
-       int             mask = 0;
-
-       for (i = 0; i < fap->acl_cnt; i++) {
-               if (fap->acl_entry[i].ae_perm & ACL_EXECUTE) {
-                       if (fap->acl_entry[i].ae_tag & (ACL_USER_OBJ|ACL_OTHER))
-                               return 1;
-
-                       if (fap->acl_entry[i].ae_tag == ACL_MASK)
-                               mask = fap->acl_entry[i].ae_perm;
-                       else
-                               masked_aces |= fap->acl_entry[i].ae_perm;
-
-                       if ((mask & masked_aces) & ACL_EXECUTE)
-                               return 1;
-               }
-       }
-
-       return 0;
-}
-
 /*
  * The access control process to determine the access permission:
  *     if uid == file owner id, use the file owner bits.
@@ -447,24 +411,19 @@ xfs_acl_find_any_exec(
  *     until all acl entries are exhausted. The final permission produced
  *     by matching acl entry or entries needs to be & with group permission.
  *     if not owner, owning group, or matching entry in ACL, use file
- *     other bits.  Don't allow CAP_DAC_OVERRIDE on exec access unless
- *     there is some effective exec access somewhere.
+ *     other bits.  
  */
 STATIC int
 xfs_acl_capability_check(
        mode_t          mode,
-       cred_t          *cr,
-       xfs_acl_t       *fap)
+       cred_t          *cr)
 {
        if ((mode & ACL_READ) && !capable_cred(cr, CAP_DAC_READ_SEARCH))
                return EACCES;
        if ((mode & ACL_WRITE) && !capable_cred(cr, CAP_DAC_OVERRIDE))
                return EACCES;
-       if ((mode & ACL_EXECUTE) &&
-           (!capable_cred(cr, CAP_DAC_OVERRIDE) ||
-            !xfs_acl_find_any_exec(fap))) {
+       if ((mode & ACL_EXECUTE) && !capable_cred(cr, CAP_DAC_OVERRIDE))
                return EACCES;
-       }
 
        return 0;
 }
@@ -571,7 +530,7 @@ xfs_acl_access(
                break;
        }
 
-       return xfs_acl_capability_check(md, cr, fap);
+       return xfs_acl_capability_check(md, cr);
 }
 
 /*