include cleanup: Update gfp.h and slab.h includes to prepare for breaking implicit...
[linux-2.6.git] / fs / nfsd / nfs4acl.c
index 2797051..e480526 100644 (file)
@@ -1,6 +1,4 @@
 /*
- *  fs/nfs4acl/acl.c
- *
  *  Common NFSv4 ACL handling code.
  *
  *  Copyright (c) 2002, 2003 The Regents of the University of Michigan.
  *  SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
  */
 
-#include <linux/string.h>
 #include <linux/slab.h>
-#include <linux/list.h>
-#include <linux/types.h>
-#include <linux/fs.h>
-#include <linux/module.h>
 #include <linux/nfs_fs.h>
-#include <linux/posix_acl.h>
-#include <linux/nfs4.h>
 #include <linux/nfs4_acl.h>
 
 
@@ -89,12 +80,19 @@ mask_from_posix(unsigned short perm, unsigned int flags)
 }
 
 static u32
-deny_mask(u32 allow_mask, unsigned int flags)
+deny_mask_from_posix(unsigned short perm, u32 flags)
 {
-       u32 ret = ~allow_mask & ~NFS4_MASK_UNSUPP;
-       if (!(flags & NFS4_ACL_DIR))
-               ret &= ~NFS4_ACE_DELETE_CHILD;
-       return ret;
+       u32 mask = 0;
+
+       if (perm & ACL_READ)
+               mask |= NFS4_READ_MODE;
+       if (perm & ACL_WRITE)
+               mask |= NFS4_WRITE_MODE;
+       if ((perm & ACL_WRITE) && (flags & NFS4_ACL_DIR))
+               mask |= NFS4_ACE_DELETE_CHILD;
+       if (perm & ACL_EXECUTE)
+               mask |= NFS4_EXECUTE_MODE;
+       return mask;
 }
 
 /* XXX: modify functions to return NFS errors; they're only ever
@@ -130,7 +128,6 @@ struct ace_container {
 static short ace2type(struct nfs4_ace *);
 static void _posix_to_nfsv4_one(struct posix_acl *, struct nfs4_acl *,
                                unsigned int);
-void nfs4_acl_add_ace(struct nfs4_acl *, u32, u32, u32, int, uid_t);
 
 struct nfs4_acl *
 nfs4_acl_posix_to_nfsv4(struct posix_acl *pacl, struct posix_acl *dpacl,
@@ -164,14 +161,56 @@ nfs4_acl_posix_to_nfsv4(struct posix_acl *pacl, struct posix_acl *dpacl,
        return acl;
 }
 
+struct posix_acl_summary {
+       unsigned short owner;
+       unsigned short users;
+       unsigned short group;
+       unsigned short groups;
+       unsigned short other;
+       unsigned short mask;
+};
+
 static void
-nfs4_acl_add_pair(struct nfs4_acl *acl, int eflag, u32 mask, int whotype,
-               uid_t owner, unsigned int flags)
+summarize_posix_acl(struct posix_acl *acl, struct posix_acl_summary *pas)
 {
-       nfs4_acl_add_ace(acl, NFS4_ACE_ACCESS_ALLOWED_ACE_TYPE,
-                                eflag, mask, whotype, owner);
-       nfs4_acl_add_ace(acl, NFS4_ACE_ACCESS_DENIED_ACE_TYPE,
-                               eflag, deny_mask(mask, flags), whotype, owner);
+       struct posix_acl_entry *pa, *pe;
+
+       /*
+        * Only pas.users and pas.groups need initialization; previous
+        * posix_acl_valid() calls ensure that the other fields will be
+        * initialized in the following loop.  But, just to placate gcc:
+        */
+       memset(pas, 0, sizeof(*pas));
+       pas->mask = 07;
+
+       pe = acl->a_entries + acl->a_count;
+
+       FOREACH_ACL_ENTRY(pa, acl, pe) {
+               switch (pa->e_tag) {
+                       case ACL_USER_OBJ:
+                               pas->owner = pa->e_perm;
+                               break;
+                       case ACL_GROUP_OBJ:
+                               pas->group = pa->e_perm;
+                               break;
+                       case ACL_USER:
+                               pas->users |= pa->e_perm;
+                               break;
+                       case ACL_GROUP:
+                               pas->groups |= pa->e_perm;
+                               break;
+                       case ACL_OTHER:
+                               pas->other = pa->e_perm;
+                               break;
+                       case ACL_MASK:
+                               pas->mask = pa->e_perm;
+                               break;
+               }
+       }
+       /* We'll only care about effective permissions: */
+       pas->users &= pas->mask;
+       pas->group &= pas->mask;
+       pas->groups &= pas->mask;
 }
 
 /* We assume the acl has been verified with posix_acl_valid. */
@@ -179,32 +218,63 @@ static void
 _posix_to_nfsv4_one(struct posix_acl *pacl, struct nfs4_acl *acl,
                                                unsigned int flags)
 {
-       struct posix_acl_entry *pa, *pe, *group_owner_entry;
-       u32 mask, mask_mask;
+       struct posix_acl_entry *pa, *group_owner_entry;
+       struct nfs4_ace *ace;
+       struct posix_acl_summary pas;
+       unsigned short deny;
        int eflag = ((flags & NFS4_ACL_TYPE_DEFAULT) ?
-                                       NFS4_INHERITANCE_FLAGS : 0);
+               NFS4_INHERITANCE_FLAGS | NFS4_ACE_INHERIT_ONLY_ACE : 0);
 
        BUG_ON(pacl->a_count < 3);
-       pe = pacl->a_entries + pacl->a_count;
-       pa = pe - 2; /* if mask entry exists, it's second from the last. */
-       if (pa->e_tag == ACL_MASK)
-               mask_mask = deny_mask(mask_from_posix(pa->e_perm, flags), flags);
-       else
-               mask_mask = 0;
+       summarize_posix_acl(pacl, &pas);
 
        pa = pacl->a_entries;
-       BUG_ON(pa->e_tag != ACL_USER_OBJ);
-       mask = mask_from_posix(pa->e_perm, flags | NFS4_ACL_OWNER);
-       nfs4_acl_add_pair(acl, eflag, mask, NFS4_ACL_WHO_OWNER, 0, flags);
+       ace = acl->aces + acl->naces;
+
+       /* We could deny everything not granted by the owner: */
+       deny = ~pas.owner;
+       /*
+        * but it is equivalent (and simpler) to deny only what is not
+        * granted by later entries:
+        */
+       deny &= pas.users | pas.group | pas.groups | pas.other;
+       if (deny) {
+               ace->type = NFS4_ACE_ACCESS_DENIED_ACE_TYPE;
+               ace->flag = eflag;
+               ace->access_mask = deny_mask_from_posix(deny, flags);
+               ace->whotype = NFS4_ACL_WHO_OWNER;
+               ace++;
+               acl->naces++;
+       }
+
+       ace->type = NFS4_ACE_ACCESS_ALLOWED_ACE_TYPE;
+       ace->flag = eflag;
+       ace->access_mask = mask_from_posix(pa->e_perm, flags | NFS4_ACL_OWNER);
+       ace->whotype = NFS4_ACL_WHO_OWNER;
+       ace++;
+       acl->naces++;
        pa++;
 
        while (pa->e_tag == ACL_USER) {
-               mask = mask_from_posix(pa->e_perm, flags);
-               nfs4_acl_add_ace(acl, NFS4_ACE_ACCESS_DENIED_ACE_TYPE,
-                               eflag,  mask_mask, NFS4_ACL_WHO_NAMED, pa->e_id);
-
-               nfs4_acl_add_pair(acl, eflag, mask,
-                               NFS4_ACL_WHO_NAMED, pa->e_id, flags);
+               deny = ~(pa->e_perm & pas.mask);
+               deny &= pas.groups | pas.group | pas.other;
+               if (deny) {
+                       ace->type = NFS4_ACE_ACCESS_DENIED_ACE_TYPE;
+                       ace->flag = eflag;
+                       ace->access_mask = deny_mask_from_posix(deny, flags);
+                       ace->whotype = NFS4_ACL_WHO_NAMED;
+                       ace->who = pa->e_id;
+                       ace++;
+                       acl->naces++;
+               }
+               ace->type = NFS4_ACE_ACCESS_ALLOWED_ACE_TYPE;
+               ace->flag = eflag;
+               ace->access_mask = mask_from_posix(pa->e_perm & pas.mask,
+                                                  flags);
+               ace->whotype = NFS4_ACL_WHO_NAMED;
+               ace->who = pa->e_id;
+               ace++;
+               acl->naces++;
                pa++;
        }
 
@@ -213,51 +283,65 @@ _posix_to_nfsv4_one(struct posix_acl *pacl, struct nfs4_acl *acl,
 
        /* allow ACEs */
 
-       if (pacl->a_count > 3) {
-               BUG_ON(pa->e_tag != ACL_GROUP_OBJ);
-               nfs4_acl_add_ace(acl, NFS4_ACE_ACCESS_DENIED_ACE_TYPE,
-                               NFS4_ACE_IDENTIFIER_GROUP | eflag, mask_mask,
-                               NFS4_ACL_WHO_GROUP, 0);
-       }
        group_owner_entry = pa;
-       mask = mask_from_posix(pa->e_perm, flags);
-       nfs4_acl_add_ace(acl, NFS4_ACE_ACCESS_ALLOWED_ACE_TYPE,
-                       NFS4_ACE_IDENTIFIER_GROUP | eflag, mask,
-                       NFS4_ACL_WHO_GROUP, 0);
+
+       ace->type = NFS4_ACE_ACCESS_ALLOWED_ACE_TYPE;
+       ace->flag = eflag;
+       ace->access_mask = mask_from_posix(pas.group, flags);
+       ace->whotype = NFS4_ACL_WHO_GROUP;
+       ace++;
+       acl->naces++;
        pa++;
 
        while (pa->e_tag == ACL_GROUP) {
-               mask = mask_from_posix(pa->e_perm, flags);
-               nfs4_acl_add_ace(acl, NFS4_ACE_ACCESS_DENIED_ACE_TYPE,
-                               NFS4_ACE_IDENTIFIER_GROUP | eflag, mask_mask,
-                               NFS4_ACL_WHO_NAMED, pa->e_id);
-               nfs4_acl_add_ace(acl, NFS4_ACE_ACCESS_ALLOWED_ACE_TYPE,
-                               NFS4_ACE_IDENTIFIER_GROUP | eflag, mask,
-                               NFS4_ACL_WHO_NAMED, pa->e_id);
+               ace->type = NFS4_ACE_ACCESS_ALLOWED_ACE_TYPE;
+               ace->flag = eflag | NFS4_ACE_IDENTIFIER_GROUP;
+               ace->access_mask = mask_from_posix(pa->e_perm & pas.mask,
+                                                  flags);
+               ace->whotype = NFS4_ACL_WHO_NAMED;
+               ace->who = pa->e_id;
+               ace++;
+               acl->naces++;
                pa++;
        }
 
        /* deny ACEs */
 
        pa = group_owner_entry;
-       mask = mask_from_posix(pa->e_perm, flags);
-       nfs4_acl_add_ace(acl, NFS4_ACE_ACCESS_DENIED_ACE_TYPE,
-                       NFS4_ACE_IDENTIFIER_GROUP | eflag,
-                       deny_mask(mask, flags), NFS4_ACL_WHO_GROUP, 0);
+
+       deny = ~pas.group & pas.other;
+       if (deny) {
+               ace->type = NFS4_ACE_ACCESS_DENIED_ACE_TYPE;
+               ace->flag = eflag;
+               ace->access_mask = deny_mask_from_posix(deny, flags);
+               ace->whotype = NFS4_ACL_WHO_GROUP;
+               ace++;
+               acl->naces++;
+       }
        pa++;
+
        while (pa->e_tag == ACL_GROUP) {
-               mask = mask_from_posix(pa->e_perm, flags);
-               nfs4_acl_add_ace(acl, NFS4_ACE_ACCESS_DENIED_ACE_TYPE,
-                               NFS4_ACE_IDENTIFIER_GROUP | eflag,
-                               deny_mask(mask, flags), NFS4_ACL_WHO_NAMED, pa->e_id);
+               deny = ~(pa->e_perm & pas.mask);
+               deny &= pas.other;
+               if (deny) {
+                       ace->type = NFS4_ACE_ACCESS_DENIED_ACE_TYPE;
+                       ace->flag = eflag | NFS4_ACE_IDENTIFIER_GROUP;
+                       ace->access_mask = deny_mask_from_posix(deny, flags);
+                       ace->whotype = NFS4_ACL_WHO_NAMED;
+                       ace->who = pa->e_id;
+                       ace++;
+                       acl->naces++;
+               }
                pa++;
        }
 
        if (pa->e_tag == ACL_MASK)
                pa++;
-       BUG_ON(pa->e_tag != ACL_OTHER);
-       mask = mask_from_posix(pa->e_perm, flags);
-       nfs4_acl_add_pair(acl, eflag, mask, NFS4_ACL_WHO_EVERYONE, 0, flags);
+       ace->type = NFS4_ACE_ACCESS_ALLOWED_ACE_TYPE;
+       ace->flag = eflag;
+       ace->access_mask = mask_from_posix(pa->e_perm, flags);
+       ace->whotype = NFS4_ACL_WHO_EVERYONE;
+       acl->naces++;
 }
 
 static void
@@ -296,7 +380,7 @@ sort_pacl(struct posix_acl *pacl)
        sort_pacl_range(pacl, 1, i-1);
 
        BUG_ON(pacl->a_entries[i].e_tag != ACL_GROUP_OBJ);
-       j = i++;
+       j = ++i;
        while (pacl->a_entries[j].e_tag == ACL_GROUP)
                j++;
        sort_pacl_range(pacl, i, j-1);
@@ -327,6 +411,7 @@ struct posix_ace_state_array {
  * calculated so far: */
 
 struct posix_acl_state {
+       int empty;
        struct posix_ace_state owner;
        struct posix_ace_state group;
        struct posix_ace_state other;
@@ -342,13 +427,14 @@ init_state(struct posix_acl_state *state, int cnt)
        int alloc;
 
        memset(state, 0, sizeof(struct posix_acl_state));
+       state->empty = 1;
        /*
         * In the worst case, each individual acl could be for a distinct
         * named user or group, but we don't no which, so we allocate
         * enough space for either:
         */
        alloc = sizeof(struct posix_ace_state_array)
-               + cnt*sizeof(struct posix_ace_state);
+               + cnt*sizeof(struct posix_user_ace_state);
        state->users = kzalloc(alloc, GFP_KERNEL);
        if (!state->users)
                return -ENOMEM;
@@ -409,6 +495,20 @@ posix_state_to_acl(struct posix_acl_state *state, unsigned int flags)
        int nace;
        int i, error = 0;
 
+       /*
+        * ACLs with no ACEs are treated differently in the inheritable
+        * and effective cases: when there are no inheritable ACEs, we
+        * set a zero-length default posix acl:
+        */
+       if (state->empty && (flags & NFS4_ACL_TYPE_DEFAULT)) {
+               pacl = posix_acl_alloc(0, GFP_KERNEL);
+               return pacl ? pacl : ERR_PTR(-ENOMEM);
+       }
+       /*
+        * When there are no effective ACEs, the following will end
+        * up setting a 3-element effective posix ACL with all
+        * permissions zero.
+        */
        nace = 4 + state->users->n + state->groups->n;
        pacl = posix_acl_alloc(nace, GFP_KERNEL);
        if (!pacl)
@@ -524,6 +624,8 @@ static void process_one_v4_ace(struct posix_acl_state *state,
        u32 mask = ace->access_mask;
        int i;
 
+       state->empty = 0;
+
        switch (ace2type(ace)) {
        case ACL_USER_OBJ:
                if (ace->type == NFS4_ACE_ACCESS_ALLOWED_ACE_TYPE) {
@@ -626,12 +728,16 @@ int nfs4_acl_nfsv4_to_posix(struct nfs4_acl *acl, struct posix_acl **pacl,
        *pacl = posix_state_to_acl(&effective_acl_state, flags);
        if (IS_ERR(*pacl)) {
                ret = PTR_ERR(*pacl);
+               *pacl = NULL;
                goto out_dstate;
        }
-       *dpacl = posix_state_to_acl(&default_acl_state, flags);
+       *dpacl = posix_state_to_acl(&default_acl_state,
+                                               flags | NFS4_ACL_TYPE_DEFAULT);
        if (IS_ERR(*dpacl)) {
                ret = PTR_ERR(*dpacl);
+               *dpacl = NULL;
                posix_acl_release(*pacl);
+               *pacl = NULL;
                goto out_dstate;
        }
        sort_pacl(*pacl);
@@ -677,21 +783,6 @@ nfs4_acl_new(int n)
        return acl;
 }
 
-void
-nfs4_acl_add_ace(struct nfs4_acl *acl, u32 type, u32 flag, u32 access_mask,
-               int whotype, uid_t who)
-{
-       struct nfs4_ace *ace = acl->aces + acl->naces;
-
-       ace->type = type;
-       ace->flag = flag;
-       ace->access_mask = access_mask;
-       ace->whotype = whotype;
-       ace->who = who;
-
-       acl->naces++;
-}
-
 static struct {
        char *string;
        int   stringlen;
@@ -743,6 +834,5 @@ nfs4_acl_write_who(int who, char *p)
 }
 
 EXPORT_SYMBOL(nfs4_acl_new);
-EXPORT_SYMBOL(nfs4_acl_add_ace);
 EXPORT_SYMBOL(nfs4_acl_get_whotype);
 EXPORT_SYMBOL(nfs4_acl_write_who);