X-Git-Url: http://git.onelab.eu/?a=blobdiff_plain;f=fs%2Fxfs%2Fxfs_acl.c;h=8d01dce8c532fd2d1fd3093128ff9e4607d08e52;hb=f7f1b0f1e2fbadeab12d24236000e778aa9b1ead;hp=ad9f5de3ae5756ce2e0790119fe3a00c72e0401b;hpb=9213980e6a70d8473e0ffd4b39ab5b6caaba9ff5;p=linux-2.6.git diff --git a/fs/xfs/xfs_acl.c b/fs/xfs/xfs_acl.c index ad9f5de3a..8d01dce8c 100644 --- a/fs/xfs/xfs_acl.c +++ b/fs/xfs/xfs_acl.c @@ -231,8 +231,6 @@ xfs_acl_vget( int flags = 0; VN_HOLD(vp); - if ((error = _MAC_VACCESS(vp, NULL, VREAD))) - goto out; if(size) { if (!(_ACL_ALLOC(xfs_acl))) { error = ENOMEM; @@ -395,8 +393,6 @@ xfs_acl_allow_set( return ENOTDIR; if (vp->v_vfsp->vfs_flag & VFS_RDONLY) return EROFS; - if ((error = _MAC_VACCESS(vp, NULL, VWRITE))) - return error; va.va_mask = XFS_AT_UID; VOP_GETATTR(vp, &va, 0, NULL, error); if (error) @@ -406,38 +402,6 @@ xfs_acl_allow_set( return error; } -/* - * Look for any effective exec access, to allow CAP_DAC_OVERRIDE for exec. - * Ignore checking for exec in USER_OBJ when there is no mask, because - * in this "minimal acl" case we don't have any actual acls, and we - * won't even be here. - */ -STATIC int -xfs_acl_find_any_exec( - xfs_acl_t *fap) -{ - int i; - int masked_aces = 0; - int mask = 0; - - for (i = 0; i < fap->acl_cnt; i++) { - if (fap->acl_entry[i].ae_perm & ACL_EXECUTE) { - if (fap->acl_entry[i].ae_tag & (ACL_USER_OBJ|ACL_OTHER)) - return 1; - - if (fap->acl_entry[i].ae_tag == ACL_MASK) - mask = fap->acl_entry[i].ae_perm; - else - masked_aces |= fap->acl_entry[i].ae_perm; - - if ((mask & masked_aces) & ACL_EXECUTE) - return 1; - } - } - - return 0; -} - /* * The access control process to determine the access permission: * if uid == file owner id, use the file owner bits. @@ -447,24 +411,19 @@ xfs_acl_find_any_exec( * until all acl entries are exhausted. The final permission produced * by matching acl entry or entries needs to be & with group permission. * if not owner, owning group, or matching entry in ACL, use file - * other bits. Don't allow CAP_DAC_OVERRIDE on exec access unless - * there is some effective exec access somewhere. + * other bits. */ STATIC int xfs_acl_capability_check( mode_t mode, - cred_t *cr, - xfs_acl_t *fap) + cred_t *cr) { if ((mode & ACL_READ) && !capable_cred(cr, CAP_DAC_READ_SEARCH)) return EACCES; if ((mode & ACL_WRITE) && !capable_cred(cr, CAP_DAC_OVERRIDE)) return EACCES; - if ((mode & ACL_EXECUTE) && - (!capable_cred(cr, CAP_DAC_OVERRIDE) || - !xfs_acl_find_any_exec(fap))) { + if ((mode & ACL_EXECUTE) && !capable_cred(cr, CAP_DAC_OVERRIDE)) return EACCES; - } return 0; } @@ -571,7 +530,7 @@ xfs_acl_access( break; } - return xfs_acl_capability_check(md, cr, fap); + return xfs_acl_capability_check(md, cr); } /*