Date: Fri, 22 Aug 2008 19:58:14 GMT From: Edward Tomasz Napierala <trasz@FreeBSD.org> To: Perforce Change Reviews <perforce@freebsd.org> Subject: PERFORCE change 148127 for review Message-ID: <200808221958.m7MJwEA3015469@repoman.freebsd.org>
http://perforce.freebsd.org/chv.cgi?CH=148127
Change 148127 by trasz@trasz_traszkan on 2008/08/22 19:57:41
Fix a bug where explicit DELETE_CHILD would still apply to root. (No regression test for this, sorry.) Also, clean up stuff in sys/vnode.h. It won't get any better than this. ;-)
Affected files ...
.. //depot/projects/soc2008/trasz_nfs4acl/sys/kern/subr_acl_nfs4.c#27 edit
.. //depot/projects/soc2008/trasz_nfs4acl/sys/kern/vfs_subr.c#10 edit
.. //depot/projects/soc2008/trasz_nfs4acl/sys/sys/vnode.h#8 edit
Differences ...
==== //depot/projects/soc2008/trasz_nfs4acl/sys/kern/subr_acl_nfs4.c#27 (text+ko) ====
@@ -233,9 +233,9 @@
 if ((acc_mode & VREAD) && !priv_check_cred(cred, PRIV_VFS_READ, 0))
 priv_granted |= VREAD;
- if (((acc_mode & VWRITE) || (acc_mode & VAPPEND)) &&
+ if ((acc_mode & (VWRITE | VAPPEND | VDELETE_CHILD)) &&
 !priv_check_cred(cred, PRIV_VFS_WRITE, 0))
- priv_granted |= (VWRITE | VAPPEND);
+ priv_granted |= (VWRITE | VAPPEND | VDELETE_CHILD);
 if ((acc_mode & VADMIN_PERMS) && !priv_check_cred(cred, PRIV_VFS_ADMIN, 0))
 priv_granted |= VADMIN_PERMS;
==== //depot/projects/soc2008/trasz_nfs4acl/sys/kern/vfs_subr.c#10 (text+ko) ====
@@ -4214,12 +4214,12 @@
 return (1);
 }
- if (*mode & (VWRITE_NAMED_ATTRS | VWRITE_ATTRIBUTES | VWRITE_ACL | VWRITE_OWNER)) {
- *mode &= ~(VWRITE_NAMED_ATTRS | VWRITE_ATTRIBUTES | VWRITE_ACL | VWRITE_OWNER);
+ if (*mode & VADMIN_PERMS) {
+ *mode &= ~VADMIN_PERMS;
 *mode |= VADMIN;
 }
- *mode &= ~(VREAD_NAMED_ATTRS | VREAD_ATTRIBUTES | VREAD_ACL | VSYNCHRONIZE);
+ *mode &= ~VSTAT_PERMS;
 if (*mode == 0) {
 *error = 0;
==== //depot/projects/soc2008/trasz_nfs4acl/sys/sys/vnode.h#8 (text+ko) ====
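Review bot: In the subr_acl_nfs4.c hunk, `VDELETE` is not part of the mask that `PRIV_VFS_WRITE` now covers, although the vnode.h part of this change groups it with `VDELETE_CHILD` in `VMODIFY_PERMS`. If the rest of the function, which lies outside the hunk, does not handle `VDELETE` separately, an explicit deny of it may still apply to a privileged caller, which is the case this change fixes for `VDELETE_CHILD`. Either add it to the mask or state where it is covered, e.g. `/* VDELETE is deliberately not covered by PRIV_VFS_WRITE; see <where it is handled>. */`. The description says there is no regression test; one with a deny entry for delete_child and a privileged caller would pin the fix.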
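Review bot: In the vfs_subr.c hunk the two mask replacements are not equivalent to the lines they replace. With the vnode.h definitions from this same change, `VADMIN_PERMS` no longer contains `VWRITE_NAMED_ATTRS`, and `VSTAT_PERMS` no longer contains `VREAD_NAMED_ATTRS` but does contain `VSTAT`, so the named-attribute bits are no longer folded away and a `VSTAT` request is now cleared here. Whether that matters depends on the code after `if (*mode == 0)`, which is outside the hunk. If the named-attribute bits are never meant to reach this function, say so above the block, e.g. `/* VREAD_NAMED_ATTRS and VWRITE_NAMED_ATTRS are unused and must not be passed in. */`, or keep them in the cleared mask.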
@@ -310,20 +310,26 @@
 #define vaccess_t int
 /*
- * Modes. Some values same as Ixxx entries from inode.h for now.
+ * Flags for vaccess_t.
 */
 #define VEXEC 000000000100 /* execute/search permission */
 #define VWRITE 000000000200 /* write permission */
 #define VREAD 000000000400 /* read permission */
-#define VSVTX 000000001000 /* save swapped text even after use */
+#define VSVTX 000000001000 /* sticky bit */
 #define VSGID 000000002000 /* set group id on execution */
 #define VSUID 000000004000 /* set user id on execution */
-#define VADMIN 000000010000 /* permission to administer */
+#define VADMIN 000000010000 /* being the file owner */
 #define VSTAT 000000020000 /* permission to retrieve attrs */
 #define VAPPEND 000000040000 /* permission to write/append */
-#define VEXPLICIT_DENY 000000100000 /* return EPERM only if permission was denied explicitly */
-#define VREAD_NAMED_ATTRS 000000200000
-#define VWRITE_NAMED_ATTRS 000000400000
+/*
+ * Return EPERM or EACCES only if permission was denied explicitly,
+ * by a "deny" rule in NFS4 ACL. This never happens with ordinary
+ * unix access rights or POSIX.1e ACLs. Obviously, VEXPLICIT_DENY
+ * must be OR-ed with some other Vflag.
+ */
+#define VEXPLICIT_DENY 000000100000
+#define VREAD_NAMED_ATTRS 000000200000 /* not used */
+#define VWRITE_NAMED_ATTRS 000000400000 /* not used */
 #define VDELETE_CHILD 000001000000
 #define VREAD_ATTRIBUTES 000002000000
 #define VWRITE_ATTRIBUTES 000004000000
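Review bot: `VDELETE_CHILD`, `VREAD_ATTRIBUTES` and `VWRITE_ATTRIBUTES` still carry no comment at the end of this hunk, while the flags around them are now documented. `VDELETE_CHILD` is the bit the rest of this change is about, so a short comment would help, e.g. `/* permission to delete entries in a directory */`. The `/* not used */` markers could also say whether callers may pass those bits at all, since the new `VALLPERM` in the next hunk still includes them.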
@@ -331,10 +337,28 @@
 #define VREAD_ACL 000020000000
 #define VWRITE_ACL 000040000000
 #define VWRITE_OWNER 000100000000
-#define VSYNCHRONIZE 000200000000
-#define VALLPERM (VEXEC | VWRITE | VREAD | VADMIN | VSTAT | VAPPEND)
-#define VADMIN_PERMS (VADMIN | VWRITE_NAMED_ATTRS | VWRITE_ATTRIBUTES | VWRITE_ACL | VWRITE_OWNER)
-#define VSTAT_PERMS (VSTAT | VREAD_NAMED_ATTRS | VREAD_ATTRIBUTES | VREAD_ACL | VSYNCHRONIZE)
+#define VSYNCHRONIZE 000200000000 /* not used */
+#define VALLPERM (VEXEC | VWRITE | VREAD | VADMIN | VSTAT | VAPPEND \
+ VEXPLICIT_DENY | VREAD_NAMED_ATTRS | VWRITE_NAMED_ATTRS | VDELETE_CHILD \
+ VREAD_ATTRIBUTES | VWRITE_ATTRIBUTES | VDELETE | VREAD_ACL | VWRITE_ACL \
+ VWRITE_OWNER | VSYNCHRONIZE)
+
+/*
+ * Permissions that were traditionally granted only to the file owner.
+ */
+#define VADMIN_PERMS (VADMIN | VWRITE_ATTRIBUTES | VWRITE_ACL | \
+ VWRITE_OWNER)
+
+/*
+ * Permissions that were traditionally granted to everyone.
+ */
+#define VSTAT_PERMS (VSTAT | VREAD_ATTRIBUTES | VREAD_ACL | VSYNCHRONIZE)
+
+/*
+ * Permissions that allow to change the state of the file in any way.
+ */
+#define VMODIFY_PERMS (VWRITE | VAPPEND | VADMIN_PERMS | VDELETE_CHILD | \
+ VDELETE)
 /*
 * Token indicating no attribute value yet assigned.
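Review bot: The new `VALLPERM` definition is missing a `|` at the end of three of its continued lines, after `VAPPEND`, after `VDELETE_CHILD` and after `VWRITE_ACL`. After line splicing the macro expands to adjacent constants with no operator between them, so any use of it fails to compile. If nothing expands `VALLPERM` today the error stays hidden until someone uses it as a validity mask for access flags. Each of those three lines should end in `| \`, for example `VSTAT | VAPPEND | \`. `VDELETE` is referenced here but defined outside the hunk.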