PERFORCE change 148127 for review

Edward Tomasz Napierala trasz at FreeBSD.org
Fri Aug 22 19:58:15 UTC 2008 

http://perforce.freebsd.org/chv.cgi?CH=148127

Change 148127 by trasz at trasz_traszkan on 2008/08/22 19:57:41

	Fix a bug where explicit DELETE_CHILD would still apply to root.
	(No regression test for this, sorry.)  Also, clean up stuff in
	sys/vnode.h.  It won't get any better than this.  ;-)

Affected files ...

.. //depot/projects/soc2008/trasz_nfs4acl/sys/kern/subr_acl_nfs4.c#27 edit
.. //depot/projects/soc2008/trasz_nfs4acl/sys/kern/vfs_subr.c#10 edit
.. //depot/projects/soc2008/trasz_nfs4acl/sys/sys/vnode.h#8 edit

Differences ...

==== //depot/projects/soc2008/trasz_nfs4acl/sys/kern/subr_acl_nfs4.c#27 (text+ko) ====

@@ -233,9 +233,9 @@
 	if ((acc_mode & VREAD) && !priv_check_cred(cred, PRIV_VFS_READ, 0))
 		priv_granted |= VREAD;
 
-	if (((acc_mode & VWRITE) || (acc_mode & VAPPEND)) &&
+	if ((acc_mode & (VWRITE | VAPPEND | VDELETE_CHILD)) &&
 	    !priv_check_cred(cred, PRIV_VFS_WRITE, 0))
-		priv_granted |= (VWRITE | VAPPEND);
+		priv_granted |= (VWRITE | VAPPEND | VDELETE_CHILD);
 
 	if ((acc_mode & VADMIN_PERMS) && !priv_check_cred(cred, PRIV_VFS_ADMIN, 0))
 		priv_granted |= VADMIN_PERMS;

==== //depot/projects/soc2008/trasz_nfs4acl/sys/kern/vfs_subr.c#10 (text+ko) ====

@@ -4214,12 +4214,12 @@
 		return (1);
 	}
 
-	if (*mode & (VWRITE_NAMED_ATTRS | VWRITE_ATTRIBUTES | VWRITE_ACL | VWRITE_OWNER)) {
-		*mode &= ~(VWRITE_NAMED_ATTRS | VWRITE_ATTRIBUTES | VWRITE_ACL | VWRITE_OWNER);
+	if (*mode & VADMIN_PERMS) {
+		*mode &= ~VADMIN_PERMS;
 		*mode |= VADMIN;
 	}
 
-	*mode &= ~(VREAD_NAMED_ATTRS | VREAD_ATTRIBUTES | VREAD_ACL | VSYNCHRONIZE);
+	*mode &= ~VSTAT_PERMS;
 
 	if (*mode == 0) {
 		*error = 0;

==== //depot/projects/soc2008/trasz_nfs4acl/sys/sys/vnode.h#8 (text+ko) ====

@@ -310,20 +310,26 @@
 #define vaccess_t	int
 
 /*
- *  Modes.  Some values same as Ixxx entries from inode.h for now.
+ * Flags for vaccess_t.
  */
 #define	VEXEC			000000000100	/* execute/search permission */
 #define	VWRITE			000000000200	/* write permission */
 #define	VREAD			000000000400	/* read permission */
-#define	VSVTX			000000001000	/* save swapped text even after use */
+#define	VSVTX			000000001000	/* sticky bit */
 #define	VSGID			000000002000	/* set group id on execution */
 #define	VSUID			000000004000	/* set user id on execution */
-#define	VADMIN			000000010000	/* permission to administer */
+#define	VADMIN			000000010000	/* being the file owner */
 #define	VSTAT			000000020000	/* permission to retrieve attrs */
 #define	VAPPEND			000000040000	/* permission to write/append */
-#define	VEXPLICIT_DENY		000000100000	/* return EPERM only if permission was denied explicitly */
-#define	VREAD_NAMED_ATTRS 	000000200000
-#define	VWRITE_NAMED_ATTRS 	000000400000
+/*
+ * Return EPERM or EACCES only if permission was denied explicitly,
+ * by a "deny" rule in NFS4 ACL.  This never happens with ordinary
+ * unix access rights or POSIX.1e ACLs.  Obviously, VEXPLICIT_DENY
+ * must be OR-ed with some other Vflag.
+ */
+#define	VEXPLICIT_DENY		000000100000
+#define	VREAD_NAMED_ATTRS 	000000200000	/* not used */
+#define	VWRITE_NAMED_ATTRS 	000000400000	/* not used */
 #define	VDELETE_CHILD	 	000001000000
 #define	VREAD_ATTRIBUTES 	000002000000
 #define	VWRITE_ATTRIBUTES 	000004000000
@@ -331,10 +337,28 @@
 #define	VREAD_ACL	 	000020000000
 #define	VWRITE_ACL	 	000040000000 
 #define	VWRITE_OWNER	 	000100000000
-#define	VSYNCHRONIZE	 	000200000000
-#define	VALLPERM	(VEXEC | VWRITE | VREAD | VADMIN | VSTAT | VAPPEND)
-#define VADMIN_PERMS	(VADMIN | VWRITE_NAMED_ATTRS | VWRITE_ATTRIBUTES | VWRITE_ACL | VWRITE_OWNER)
-#define VSTAT_PERMS	(VSTAT | VREAD_NAMED_ATTRS | VREAD_ATTRIBUTES | VREAD_ACL | VSYNCHRONIZE)
+#define	VSYNCHRONIZE	 	000200000000	/* not used */
+#define	VALLPERM	(VEXEC | VWRITE | VREAD | VADMIN | VSTAT | VAPPEND \
+    VEXPLICIT_DENY | VREAD_NAMED_ATTRS | VWRITE_NAMED_ATTRS | VDELETE_CHILD \
+    VREAD_ATTRIBUTES | VWRITE_ATTRIBUTES | VDELETE | VREAD_ACL | VWRITE_ACL \
+    VWRITE_OWNER | VSYNCHRONIZE)
+
+/*
+ * Permissions that were traditionally granted only to the file owner.
+ */
+#define VADMIN_PERMS	(VADMIN | VWRITE_ATTRIBUTES | VWRITE_ACL | \
+    VWRITE_OWNER)
+
+/*
+ * Permissions that were traditionally granted to everyone.
+ */
+#define VSTAT_PERMS	(VSTAT | VREAD_ATTRIBUTES | VREAD_ACL | VSYNCHRONIZE)
+
+/*
+ * Permissions that allow to change the state of the file in any way.
+ */
+#define VMODIFY_PERMS	(VWRITE | VAPPEND | VADMIN_PERMS | VDELETE_CHILD | \
+    VDELETE)
 
 /*
  * Token indicating no attribute value yet assigned.

More information about the p4-projects mailing list