Re: [RFC 00/21] Richacls

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



[CC += linux-api]

Hi Andreas,

Since this patch series implements kernel-user-space API changes,
could you please CC linux-api@ on future iterations. (The kernel
source file Documentation/SubmitChecklist notes that all Linux kernel
patches that change userspace interfaces should be CCed to
linux-api@xxxxxxxxxxxxxxx, so that the various parties who are
interested in API changes are informed. See
https://www.kernel.org/doc/man-pages/linux-api-ml.html )

Cheers,

Michael

On Thu, Feb 26, 2015 at 12:31 AM, Andreas Gruenbacher
<andreas.gruenbacher@xxxxxxxxx> wrote:
> Hello,
>
> here is an updated richacl patch queue, also available in git [1].  For those
> who might not know, richacls are an implementation of NFSv4 ACLs that cleanly
> integrates into the POSIX file permission model.  The goal is to improve
> interoperability between Linux and other systems, mainly across the NFSv4 and
> CIFS/SMB protocols.  A file system can either contain posix acls or richacls,
> but not both.
>
> This patch queue includes the vfs and ext4 changes needed for local richacl
> support.  A previous version of this patch queue was last posted about a year
> ago [2]; I have updated the patches to v4.0-rc1 and tried to incorporate the
> feedback from the previous discussion.  The changes include:
>
>  * Introduction of a base_acl object type so that an inode can either cache
>    a posix acl or a richacl largely without caring which of the two kinds
>    it is dealing with.
>
>  * RCU support as for posix acls.
>
>  * Various cleanups and more documentation.
>
> Things I'm not entirely happy with:
>
>  * A new get_richacl inode operation is introduced.  This is needed because
>    we need to perform permission checks in contexts where the dentry of the
>    inode to check is not available and we cannot use the getxattr inode
>    operation.  It would be nice if we could either convert the getxattr inode
>    operation to take an inode instead, or pass the dentries down to where
>    the get_richacl inode operation is currently used.
>
>  * The base_acl code is rather ugly; maybe the previous version which was
>    criticized wasn't so bad after all.
>
>  * It would be nice if the MAY_DELETE_SELF flag could override the sticky
>    directory check as it did in the previous version of this patch queue.  I
>    couldn't come up with a clean way of achieving that, though.
>
> Because the code has changed quite a bit since the last posting, I have removed
> the previous sign-offs.
>
> At this point, I would like to ask for your feedback as to what should be
> changed before these patches can be merged, even if merging these patches alone
> doesn't make a while lot of sense.  I will follow up with additional pieces to
> the puzzle like the nfsv4 support as I get them into shape again.
>
> --
>
> Which kind of acls an ext4 file system supports is determined by the "richacl"
> ext4 feature (mkfs.ext4 -O richacl or tune2fs -O richacl).  The file system
> also needs to be mounted with the "acl" mount option, which is the default
> nowadays.
>
> A version of e2fsprogs with support for the "richacl" feature can be found on
> github [3], but the feature can also be enabled "hard" in debugfs.  Note that
> unpatched versions of e2fsck will not check file systems with the feature
> enabled though.
>
> The acls themselves can be manipulated with the richacl command-line utility
> [4].  Some details on the permission model and examples of its use can be found
> at the richacl page, http://acl.bestbits.at/richacl/.
>
>  [1] git://git.kernel.org/pub/scm/linux/kernel/git/agruen/linux-richacl.git richacl
>  [2] http://lwn.net/Articles/596517/
>  [3] https://github.com/andreas-gruenbacher/e2fsprogs
>  [4] https://github.com/andreas-gruenbacher/richacl
>
> Thanks,
> Andreas
>
> --
>
> Andreas Gruenbacher (19):
>   vfs: Minor documentation fix
>   vfs: Shrink struct posix_acl
>   vfs: Add IS_ACL() and IS_RICHACL() tests
>   vfs: Add MAY_CREATE_FILE and MAY_CREATE_DIR permission flags
>   vfs: Add MAY_DELETE_SELF and MAY_DELETE_CHILD permission flags
>   vfs: Make the inode passed to inode_change_ok non-const
>   vfs: Add permission flags for setting file attributes
>   richacl: In-memory representation and helper functions
>   richacl: Permission mapping functions
>   richacl: Compute maximum file masks from an acl
>   richacl: Update the file masks in chmod()
>   richacl: Permission check algorithm
>   richacl: Create-time inheritance
>   richacl: Check if an acl is equivalent to a file mode
>   richacl: Automatic Inheritance
>   richacl: xattr mapping functions
>   vfs: Cache base_acl objects in inodes
>   vfs: Cache richacl in struct inode
>   vfs: Add richacl permission checking
>
> Aneesh Kumar K.V (2):
>   ext4: Implement rich acl for ext4
>   ext4: Add richacl feature flag
>
>  Documentation/filesystems/porting               |   8 +-
>  Documentation/filesystems/vfs.txt               |   3 +
>  drivers/staging/lustre/lustre/llite/llite_lib.c |   2 +-
>  fs/Kconfig                                      |   3 +
>  fs/Makefile                                     |   2 +
>  fs/attr.c                                       |  81 ++-
>  fs/ext4/Kconfig                                 |  15 +
>  fs/ext4/Makefile                                |   1 +
>  fs/ext4/acl.c                                   |   7 +-
>  fs/ext4/acl.h                                   |  12 +-
>  fs/ext4/ext4.h                                  |   6 +-
>  fs/ext4/file.c                                  |   6 +-
>  fs/ext4/ialloc.c                                |   7 +-
>  fs/ext4/inode.c                                 |  10 +-
>  fs/ext4/namei.c                                 |  11 +-
>  fs/ext4/richacl.c                               | 229 ++++++++
>  fs/ext4/richacl.h                               |  47 ++
>  fs/ext4/super.c                                 |  41 +-
>  fs/ext4/xattr.c                                 |   6 +
>  fs/ext4/xattr.h                                 |   1 +
>  fs/f2fs/acl.c                                   |   4 +-
>  fs/inode.c                                      |  15 +-
>  fs/namei.c                                      | 108 +++-
>  fs/posix_acl.c                                  |  31 +-
>  fs/richacl_base.c                               | 660 ++++++++++++++++++++++++
>  fs/richacl_inode.c                              |  67 +++
>  fs/richacl_xattr.c                              | 131 +++++
>  include/linux/fs.h                              |  47 +-
>  include/linux/posix_acl.h                       |  12 +-
>  include/linux/richacl.h                         | 329 ++++++++++++
>  include/linux/richacl_xattr.h                   |  47 ++
>  include/uapi/linux/fs.h                         |   3 +-
>  32 files changed, 1844 insertions(+), 108 deletions(-)
>  create mode 100644 fs/ext4/richacl.c
>  create mode 100644 fs/ext4/richacl.h
>  create mode 100644 fs/richacl_base.c
>  create mode 100644 fs/richacl_inode.c
>  create mode 100644 fs/richacl_xattr.c
>  create mode 100644 include/linux/richacl.h
>  create mode 100644 include/linux/richacl_xattr.h
>
> --
> 2.1.0
>
> From a7ae9dc44b9772622cb5d17b142a43cea2d18d10 Mon Sep 17 00:00:00 2001
> Message-Id: <a7ae9dc44b9772622cb5d17b142a43cea2d18d10.1424900921.git.agruenba@xxxxxxxxxx>
> In-Reply-To: <cover.1424900921.git.agruenba@xxxxxxxxxx>
> References: <cover.1424900921.git.agruenba@xxxxxxxxxx>
> From: Andreas Gruenbacher <agruenba@xxxxxxxxxx>
> Date: Wed, 4 Feb 2015 15:47:36 +0100
> Subject: [RFC 01/21] vfs: Minor documentation fix
> To: linux-kernel@xxxxxxxxxxxxxxx,
>     linux-fsdevel@xxxxxxxxxxxxxxx,
>     linux-nfs@xxxxxxxxxxxxxxx
>
> The check_acl inode operation and the IPERM_FLAG_RCU are long gone.
> Document what get_acl does instead.
>
> Signed-off-by: Andreas Gruenbacher <agruenba@xxxxxxxxxx>
> ---
>  Documentation/filesystems/porting | 8 ++++----
>  Documentation/filesystems/vfs.txt | 3 +++
>  2 files changed, 7 insertions(+), 4 deletions(-)
>
> diff --git a/Documentation/filesystems/porting b/Documentation/filesystems/porting
> index fa2db08..d6f9ab4 100644
> --- a/Documentation/filesystems/porting
> +++ b/Documentation/filesystems/porting
> @@ -379,10 +379,10 @@ may now be called in rcu-walk mode (nd->flags & LOOKUP_RCU). -ECHILD should be
>  returned if the filesystem cannot handle rcu-walk. See
>  Documentation/filesystems/vfs.txt for more details.
>
> -       permission and check_acl are inode permission checks that are called
> -on many or all directory inodes on the way down a path walk (to check for
> -exec permission). These must now be rcu-walk aware (flags & IPERM_FLAG_RCU).
> -See Documentation/filesystems/vfs.txt for more details.
> +       permission is an inode permission check that is called on many or all
> +directory inodes on the way down a path walk (to check for exec permission). It
> +must now be rcu-walk aware (mask & MAY_NOT_BLOCK).  See
> +Documentation/filesystems/vfs.txt for more details.
>
>  --
>  [mandatory]
> diff --git a/Documentation/filesystems/vfs.txt b/Documentation/filesystems/vfs.txt
> index 966b228..700cdf6 100644
> --- a/Documentation/filesystems/vfs.txt
> +++ b/Documentation/filesystems/vfs.txt
> @@ -457,6 +457,9 @@ otherwise noted.
>         If a situation is encountered that rcu-walk cannot handle, return
>         -ECHILD and it will be called again in ref-walk mode.
>
> +  get_acl: called by the VFS to get the posix acl of an inode. Called during
> +       permission checks. The returned acl is cached in the inode.
> +
>    setattr: called by the VFS to set attributes for a file. This method
>         is called by chmod(2) and related system calls.
>
> --
> 2.1.0
>
>
> From d89155579f576fbe07756462212365f678afdb75 Mon Sep 17 00:00:00 2001
> Message-Id: <d89155579f576fbe07756462212365f678afdb75.1424900921.git.agruenba@xxxxxxxxxx>
> In-Reply-To: <cover.1424900921.git.agruenba@xxxxxxxxxx>
> References: <cover.1424900921.git.agruenba@xxxxxxxxxx>
> From: Andreas Gruenbacher <agruenba@xxxxxxxxxx>
> Date: Wed, 4 Feb 2015 14:46:15 +0100
> Subject: [RFC 02/21] vfs: Shrink struct posix_acl
> To: linux-kernel@xxxxxxxxxxxxxxx,
>     linux-fsdevel@xxxxxxxxxxxxxxx,
>     linux-nfs@xxxxxxxxxxxxxxx
>
> There is a hole in struct posix_acl because its struct rcu_head member is too
> large; at least on on 64-bit architectures, the hole cannot be closed by
> changing the definition of struct posix_acl. So instead, remove the struct
> rcu_head member from struct posix_acl, make sure that acls are always big
> enough to fit a struct rcu_head, and cast to struct rcu_head * when disposing
> of an acl.
>
> Signed-off-by: Andreas Gruenbacher <agruenba@xxxxxxxxxx>
> ---
>  fs/posix_acl.c            | 5 +++--
>  include/linux/posix_acl.h | 7 ++-----
>  2 files changed, 5 insertions(+), 7 deletions(-)
>
> diff --git a/fs/posix_acl.c b/fs/posix_acl.c
> index 3a48bb7..efe983e 100644
> --- a/fs/posix_acl.c
> +++ b/fs/posix_acl.c
> @@ -140,8 +140,9 @@ EXPORT_SYMBOL(posix_acl_init);
>  struct posix_acl *
>  posix_acl_alloc(int count, gfp_t flags)
>  {
> -       const size_t size = sizeof(struct posix_acl) +
> -                           count * sizeof(struct posix_acl_entry);
> +       const size_t size = max(sizeof(struct rcu_head),
> +               sizeof(struct posix_acl) +
> +               count * sizeof(struct posix_acl_entry));
>         struct posix_acl *acl = kmalloc(size, flags);
>         if (acl)
>                 posix_acl_init(acl, count);
> diff --git a/include/linux/posix_acl.h b/include/linux/posix_acl.h
> index 3e96a6a..66cf477 100644
> --- a/include/linux/posix_acl.h
> +++ b/include/linux/posix_acl.h
> @@ -43,10 +43,7 @@ struct posix_acl_entry {
>  };
>
>  struct posix_acl {
> -       union {
> -               atomic_t                a_refcount;
> -               struct rcu_head         a_rcu;
> -       };
> +       atomic_t                a_refcount;
>         unsigned int            a_count;
>         struct posix_acl_entry  a_entries[0];
>  };
> @@ -73,7 +70,7 @@ static inline void
>  posix_acl_release(struct posix_acl *acl)
>  {
>         if (acl && atomic_dec_and_test(&acl->a_refcount))
> -               kfree_rcu(acl, a_rcu);
> +               __kfree_rcu((struct rcu_head *)acl, 0);
>  }
>
>
> --
> 2.1.0
>
>
> From 611a0b6fe640f6d4ff7bb98931edf8c2fe81471c Mon Sep 17 00:00:00 2001
> Message-Id: <611a0b6fe640f6d4ff7bb98931edf8c2fe81471c.1424900921.git.agruenba@xxxxxxxxxx>
> In-Reply-To: <cover.1424900921.git.agruenba@xxxxxxxxxx>
> References: <cover.1424900921.git.agruenba@xxxxxxxxxx>
> From: Andreas Gruenbacher <agruenba@xxxxxxxxxx>
> Date: Tue, 1 Apr 2014 00:19:53 +0530
> Subject: [RFC 03/21] vfs: Add IS_ACL() and IS_RICHACL() tests
> To: linux-kernel@xxxxxxxxxxxxxxx,
>     linux-fsdevel@xxxxxxxxxxxxxxx,
>     linux-nfs@xxxxxxxxxxxxxxx
>
> The vfs does not apply the umask for file systems that support acls. The test
> used for this used to be called IS_POSIXACL(). Switch to a new IS_ACL() test to
> check for either posix acls or richacls instead. Add a new MS_RICHACL flag and
> IS_RICHACL() test for richacls alone. The IS_POSIXACL() test is still needed
> by file systems that specifically support POSIX ACLs, like nfsd.
>
> Signed-off-by: Andreas Gruenbacher <agruenba@xxxxxxxxxx>
> ---
>  fs/Kconfig              |  3 +++
>  fs/namei.c              |  8 ++++----
>  include/linux/fs.h      | 12 ++++++++++++
>  include/uapi/linux/fs.h |  3 ++-
>  4 files changed, 21 insertions(+), 5 deletions(-)
>
> diff --git a/fs/Kconfig b/fs/Kconfig
> index ec35851..8b84f99 100644
> --- a/fs/Kconfig
> +++ b/fs/Kconfig
> @@ -58,6 +58,9 @@ endif # BLOCK
>  config FS_POSIX_ACL
>         def_bool n
>
> +config FS_RICHACL
> +       def_bool n
> +
>  config EXPORTFS
>         tristate
>
> diff --git a/fs/namei.c b/fs/namei.c
> index c83145a..0ba4bbc 100644
> --- a/fs/namei.c
> +++ b/fs/namei.c
> @@ -2696,7 +2696,7 @@ static int atomic_open(struct nameidata *nd, struct dentry *dentry,
>         }
>
>         mode = op->mode;
> -       if ((open_flag & O_CREAT) && !IS_POSIXACL(dir))
> +       if ((open_flag & O_CREAT) && !IS_ACL(dir))
>                 mode &= ~current_umask();
>
>         excl = (open_flag & (O_EXCL | O_CREAT)) == (O_EXCL | O_CREAT);
> @@ -2880,7 +2880,7 @@ static int lookup_open(struct nameidata *nd, struct path *path,
>         /* Negative dentry, just create the file */
>         if (!dentry->d_inode && (op->open_flag & O_CREAT)) {
>                 umode_t mode = op->mode;
> -               if (!IS_POSIXACL(dir->d_inode))
> +               if (!IS_ACL(dir->d_inode))
>                         mode &= ~current_umask();
>                 /*
>                  * This write is needed to ensure that a
> @@ -3481,7 +3481,7 @@ retry:
>         if (IS_ERR(dentry))
>                 return PTR_ERR(dentry);
>
> -       if (!IS_POSIXACL(path.dentry->d_inode))
> +       if (!IS_ACL(path.dentry->d_inode))
>                 mode &= ~current_umask();
>         error = security_path_mknod(&path, dentry, mode, dev);
>         if (error)
> @@ -3550,7 +3550,7 @@ retry:
>         if (IS_ERR(dentry))
>                 return PTR_ERR(dentry);
>
> -       if (!IS_POSIXACL(path.dentry->d_inode))
> +       if (!IS_ACL(path.dentry->d_inode))
>                 mode &= ~current_umask();
>         error = security_path_mkdir(&path, dentry, mode);
>         if (!error)
> diff --git a/include/linux/fs.h b/include/linux/fs.h
> index b4d71b5..f64eb45 100644
> --- a/include/linux/fs.h
> +++ b/include/linux/fs.h
> @@ -1708,6 +1708,12 @@ struct super_operations {
>  #define IS_IMMUTABLE(inode)    ((inode)->i_flags & S_IMMUTABLE)
>  #define IS_POSIXACL(inode)     __IS_FLG(inode, MS_POSIXACL)
>
> +#ifdef CONFIG_FS_RICHACL
> +#define IS_RICHACL(inode)      __IS_FLG(inode, MS_RICHACL)
> +#else
> +#define IS_RICHACL(inode)      0
> +#endif
> +
>  #define IS_DEADDIR(inode)      ((inode)->i_flags & S_DEAD)
>  #define IS_NOCMTIME(inode)     ((inode)->i_flags & S_NOCMTIME)
>  #define IS_SWAPFILE(inode)     ((inode)->i_flags & S_SWAPFILE)
> @@ -1721,6 +1727,12 @@ struct super_operations {
>                                  (inode)->i_rdev == WHITEOUT_DEV)
>
>  /*
> + * IS_ACL() tells the VFS to not apply the umask
> + * and use check_acl for acl permission checks when defined.
> + */
> +#define IS_ACL(inode)          __IS_FLG(inode, MS_POSIXACL | MS_RICHACL)
> +
> +/*
>   * Inode state bits.  Protected by inode->i_lock
>   *
>   * Three bits determine the dirty state of the inode, I_DIRTY_SYNC,
> diff --git a/include/uapi/linux/fs.h b/include/uapi/linux/fs.h
> index 9b964a5..6ac6bc9 100644
> --- a/include/uapi/linux/fs.h
> +++ b/include/uapi/linux/fs.h
> @@ -81,7 +81,7 @@ struct inodes_stat_t {
>  #define MS_VERBOSE     32768   /* War is peace. Verbosity is silence.
>                                    MS_VERBOSE is deprecated. */
>  #define MS_SILENT      32768
> -#define MS_POSIXACL    (1<<16) /* VFS does not apply the umask */
> +#define MS_POSIXACL    (1<<16) /* Supports POSIX ACLs */
>  #define MS_UNBINDABLE  (1<<17) /* change to unbindable */
>  #define MS_PRIVATE     (1<<18) /* change to private */
>  #define MS_SLAVE       (1<<19) /* change to slave */
> @@ -91,6 +91,7 @@ struct inodes_stat_t {
>  #define MS_I_VERSION   (1<<23) /* Update inode I_version field */
>  #define MS_STRICTATIME (1<<24) /* Always perform atime updates */
>  #define MS_LAZYTIME    (1<<25) /* Update the on-disk [acm]times lazily */
> +#define MS_RICHACL     (1<<26) /* Supports richacls */
>
>  /* These sb flags are internal to the kernel */
>  #define MS_NOSEC       (1<<28)
> --
> 2.1.0
>
>
> From f8b04df08a0dd950d47e17c901773258f0653eed Mon Sep 17 00:00:00 2001
> Message-Id: <f8b04df08a0dd950d47e17c901773258f0653eed.1424900921.git.agruenba@xxxxxxxxxx>
> In-Reply-To: <cover.1424900921.git.agruenba@xxxxxxxxxx>
> References: <cover.1424900921.git.agruenba@xxxxxxxxxx>
> From: Andreas Gruenbacher <agruenba@xxxxxxxxxx>
> Date: Wed, 28 Jan 2015 20:23:15 +0100
> Subject: [RFC 04/21] vfs: Add MAY_CREATE_FILE and MAY_CREATE_DIR
>  permission flags
> To: linux-kernel@xxxxxxxxxxxxxxx,
>     linux-fsdevel@xxxxxxxxxxxxxxx,
>     linux-nfs@xxxxxxxxxxxxxxx
>
> Richacls distinguish between creating non-directories and directories. To
> support that, add an isdir parameter to may_create(). When checking
> inode_permission() for create permission, pass in an additional MAY_CREATE_FILE
> or MAY_CREATE_DIR mask flag.
>
> To allow checking for delete *and* create access when replacing an existing
> file via vfs_rename(), add a replace parameter to may_delete().
>
> Signed-off-by: Andreas Gruenbacher <agruenba@xxxxxxxxxx>
> ---
>  fs/namei.c         | 42 ++++++++++++++++++++++++------------------
>  include/linux/fs.h |  2 ++
>  2 files changed, 26 insertions(+), 18 deletions(-)
>
> diff --git a/fs/namei.c b/fs/namei.c
> index 0ba4bbc..a8bc030 100644
> --- a/fs/namei.c
> +++ b/fs/namei.c
> @@ -454,7 +454,8 @@ static int sb_permission(struct super_block *sb, struct inode *inode, int mask)
>   * this, letting us set arbitrary permissions for filesystem access without
>   * changing the "normal" UIDs which are used for other things.
>   *
> - * When checking for MAY_APPEND, MAY_WRITE must also be set in @mask.
> + * When checking for MAY_APPEND, MAY_CREATE_FILE, MAY_CREATE_DIR,
> + * MAY_WRITE must also be set in @mask.
>   */
>  int inode_permission(struct inode *inode, int mask)
>  {
> @@ -2447,10 +2448,11 @@ EXPORT_SYMBOL(__check_sticky);
>   * 10. We don't allow removal of NFS sillyrenamed files; it's handled by
>   *     nfs_async_unlink().
>   */
> -static int may_delete(struct inode *dir, struct dentry *victim, bool isdir)
> +static int may_delete(struct inode *dir, struct dentry *victim,
> +                     bool isdir, bool replace)
>  {
>         struct inode *inode = victim->d_inode;
> -       int error;
> +       int error, mask = MAY_WRITE | MAY_EXEC;
>
>         if (d_is_negative(victim))
>                 return -ENOENT;
> @@ -2459,7 +2461,9 @@ static int may_delete(struct inode *dir, struct dentry *victim, bool isdir)
>         BUG_ON(victim->d_parent->d_inode != dir);
>         audit_inode_child(dir, victim, AUDIT_TYPE_CHILD_DELETE);
>
> -       error = inode_permission(dir, MAY_WRITE | MAY_EXEC);
> +       if (replace)
> +               mask |= isdir ? MAY_CREATE_DIR : MAY_CREATE_FILE;
> +       error = inode_permission(dir, mask);
>         if (error)
>                 return error;
>         if (IS_APPEND(dir))
> @@ -2490,14 +2494,16 @@ static int may_delete(struct inode *dir, struct dentry *victim, bool isdir)
>   *  3. We should have write and exec permissions on dir
>   *  4. We can't do it if dir is immutable (done in permission())
>   */
> -static inline int may_create(struct inode *dir, struct dentry *child)
> +static inline int may_create(struct inode *dir, struct dentry *child, bool isdir)
>  {
> +       int mask = isdir ? MAY_CREATE_DIR : MAY_CREATE_FILE;
> +
>         audit_inode_child(dir, child, AUDIT_TYPE_CHILD_CREATE);
>         if (child->d_inode)
>                 return -EEXIST;
>         if (IS_DEADDIR(dir))
>                 return -ENOENT;
> -       return inode_permission(dir, MAY_WRITE | MAY_EXEC);
> +       return inode_permission(dir, MAY_WRITE | MAY_EXEC | mask);
>  }
>
>  /*
> @@ -2547,7 +2553,7 @@ EXPORT_SYMBOL(unlock_rename);
>  int vfs_create(struct inode *dir, struct dentry *dentry, umode_t mode,
>                 bool want_excl)
>  {
> -       int error = may_create(dir, dentry);
> +       int error = may_create(dir, dentry, false);
>         if (error)
>                 return error;
>
> @@ -3422,7 +3428,7 @@ EXPORT_SYMBOL(user_path_create);
>
>  int vfs_mknod(struct inode *dir, struct dentry *dentry, umode_t mode, dev_t dev)
>  {
> -       int error = may_create(dir, dentry);
> +       int error = may_create(dir, dentry, false);
>
>         if (error)
>                 return error;
> @@ -3514,7 +3520,7 @@ SYSCALL_DEFINE3(mknod, const char __user *, filename, umode_t, mode, unsigned, d
>
>  int vfs_mkdir(struct inode *dir, struct dentry *dentry, umode_t mode)
>  {
> -       int error = may_create(dir, dentry);
> +       int error = may_create(dir, dentry, true);
>         unsigned max_links = dir->i_sb->s_max_links;
>
>         if (error)
> @@ -3595,7 +3601,7 @@ EXPORT_SYMBOL(dentry_unhash);
>
>  int vfs_rmdir(struct inode *dir, struct dentry *dentry)
>  {
> -       int error = may_delete(dir, dentry, 1);
> +       int error = may_delete(dir, dentry, true, false);
>
>         if (error)
>                 return error;
> @@ -3715,7 +3721,7 @@ SYSCALL_DEFINE1(rmdir, const char __user *, pathname)
>  int vfs_unlink(struct inode *dir, struct dentry *dentry, struct inode **delegated_inode)
>  {
>         struct inode *target = dentry->d_inode;
> -       int error = may_delete(dir, dentry, 0);
> +       int error = may_delete(dir, dentry, false, false);
>
>         if (error)
>                 return error;
> @@ -3847,7 +3853,7 @@ SYSCALL_DEFINE1(unlink, const char __user *, pathname)
>
>  int vfs_symlink(struct inode *dir, struct dentry *dentry, const char *oldname)
>  {
> -       int error = may_create(dir, dentry);
> +       int error = may_create(dir, dentry, false);
>
>         if (error)
>                 return error;
> @@ -3930,7 +3936,7 @@ int vfs_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_de
>         if (!inode)
>                 return -ENOENT;
>
> -       error = may_create(dir, new_dentry);
> +       error = may_create(dir, new_dentry, false);
>         if (error)
>                 return error;
>
> @@ -4118,19 +4124,19 @@ int vfs_rename(struct inode *old_dir, struct dentry *old_dentry,
>         if (source == target)
>                 return 0;
>
> -       error = may_delete(old_dir, old_dentry, is_dir);
> +       error = may_delete(old_dir, old_dentry, is_dir, false);
>         if (error)
>                 return error;
>
>         if (!target) {
> -               error = may_create(new_dir, new_dentry);
> +               error = may_create(new_dir, new_dentry, is_dir);
>         } else {
>                 new_is_dir = d_is_dir(new_dentry);
>
>                 if (!(flags & RENAME_EXCHANGE))
> -                       error = may_delete(new_dir, new_dentry, is_dir);
> +                       error = may_delete(new_dir, new_dentry, is_dir, true);
>                 else
> -                       error = may_delete(new_dir, new_dentry, new_is_dir);
> +                       error = may_delete(new_dir, new_dentry, new_is_dir, true);
>         }
>         if (error)
>                 return error;
> @@ -4394,7 +4400,7 @@ SYSCALL_DEFINE2(rename, const char __user *, oldname, const char __user *, newna
>
>  int vfs_whiteout(struct inode *dir, struct dentry *dentry)
>  {
> -       int error = may_create(dir, dentry);
> +       int error = may_create(dir, dentry, false);
>         if (error)
>                 return error;
>
> diff --git a/include/linux/fs.h b/include/linux/fs.h
> index f64eb45..bbe1d26 100644
> --- a/include/linux/fs.h
> +++ b/include/linux/fs.h
> @@ -80,6 +80,8 @@ typedef void (dio_iodone_t)(struct kiocb *iocb, loff_t offset,
>  #define MAY_CHDIR              0x00000040
>  /* called from RCU mode, don't block */
>  #define MAY_NOT_BLOCK          0x00000080
> +#define MAY_CREATE_FILE                0x00000100
> +#define MAY_CREATE_DIR         0x00000200
>
>  /*
>   * flags in file.f_mode.  Note that FMODE_READ and FMODE_WRITE must correspond
> --
> 2.1.0
>
>
> From a858d4a82fe74516f5036cb0b8ff8f177830025f Mon Sep 17 00:00:00 2001
> Message-Id: <a858d4a82fe74516f5036cb0b8ff8f177830025f.1424900921.git.agruenba@xxxxxxxxxx>
> In-Reply-To: <cover.1424900921.git.agruenba@xxxxxxxxxx>
> References: <cover.1424900921.git.agruenba@xxxxxxxxxx>
> From: Andreas Gruenbacher <agruenba@xxxxxxxxxx>
> Date: Tue, 1 Apr 2014 05:06:26 +0530
> Subject: [RFC 05/21] vfs: Add MAY_DELETE_SELF and MAY_DELETE_CHILD
>  permission flags
> To: linux-kernel@xxxxxxxxxxxxxxx,
>     linux-fsdevel@xxxxxxxxxxxxxxx,
>     linux-nfs@xxxxxxxxxxxxxxx
>
> Normally, deleting a file requires write and execute access to the parent
> directory.  With Richacls, a process with MAY_DELETE_SELF access to a file may
> delete the file even without write access to the parent directory.
>
> To support that, pass the MAY_DELETE_CHILD mask flag to inode_permission() when
> checking for delete access inside a directory, and MAY_DELETE_SELF when
> checking for delete access to a file itelf.
>
> The MAY_DELETE_SELF permission does not override the sticky directory check.
>
> Signed-off-by: Andreas Gruenbacher <agruenba@xxxxxxxxxx>
> ---
>  fs/namei.c         | 15 +++++++++++----
>  include/linux/fs.h |  2 ++
>  2 files changed, 13 insertions(+), 4 deletions(-)
>
> diff --git a/fs/namei.c b/fs/namei.c
> index a8bc030..a8d1674 100644
> --- a/fs/namei.c
> +++ b/fs/namei.c
> @@ -455,7 +455,7 @@ static int sb_permission(struct super_block *sb, struct inode *inode, int mask)
>   * changing the "normal" UIDs which are used for other things.
>   *
>   * When checking for MAY_APPEND, MAY_CREATE_FILE, MAY_CREATE_DIR,
> - * MAY_WRITE must also be set in @mask.
> + * MAY_DELETE_CHILD, MAY_DELETE_SELF, MAY_WRITE must also be set in @mask.
>   */
>  int inode_permission(struct inode *inode, int mask)
>  {
> @@ -2452,7 +2452,7 @@ static int may_delete(struct inode *dir, struct dentry *victim,
>                       bool isdir, bool replace)
>  {
>         struct inode *inode = victim->d_inode;
> -       int error, mask = MAY_WRITE | MAY_EXEC;
> +       int error, mask = MAY_EXEC;
>
>         if (d_is_negative(victim))
>                 return -ENOENT;
> @@ -2462,8 +2462,15 @@ static int may_delete(struct inode *dir, struct dentry *victim,
>         audit_inode_child(dir, victim, AUDIT_TYPE_CHILD_DELETE);
>
>         if (replace)
> -               mask |= isdir ? MAY_CREATE_DIR : MAY_CREATE_FILE;
> -       error = inode_permission(dir, mask);
> +               mask |= MAY_WRITE | (isdir ? MAY_CREATE_DIR : MAY_CREATE_FILE);
> +       error = inode_permission(dir, mask | MAY_WRITE | MAY_DELETE_CHILD);
> +       if (error && IS_RICHACL(inode)) {
> +               /* Deleting is also permitted with MAY_EXEC on the directory
> +                * and MAY_DELETE_SELF on the inode.  */
> +               if (!inode_permission(inode, MAY_DELETE_SELF) &&
> +                   !inode_permission(dir, mask))
> +                       error = 0;
> +       }
>         if (error)
>                 return error;
>         if (IS_APPEND(dir))
> diff --git a/include/linux/fs.h b/include/linux/fs.h
> index bbe1d26..101abcf 100644
> --- a/include/linux/fs.h
> +++ b/include/linux/fs.h
> @@ -82,6 +82,8 @@ typedef void (dio_iodone_t)(struct kiocb *iocb, loff_t offset,
>  #define MAY_NOT_BLOCK          0x00000080
>  #define MAY_CREATE_FILE                0x00000100
>  #define MAY_CREATE_DIR         0x00000200
> +#define MAY_DELETE_CHILD       0x00000400
> +#define MAY_DELETE_SELF                0x00000800
>
>  /*
>   * flags in file.f_mode.  Note that FMODE_READ and FMODE_WRITE must correspond
> --
> 2.1.0
>
>
> From 19510de7d710a34c47eadb9b8f71881b5621574a Mon Sep 17 00:00:00 2001
> Message-Id: <19510de7d710a34c47eadb9b8f71881b5621574a.1424900921.git.agruenba@xxxxxxxxxx>
> In-Reply-To: <cover.1424900921.git.agruenba@xxxxxxxxxx>
> References: <cover.1424900921.git.agruenba@xxxxxxxxxx>
> From: Andreas Gruenbacher <agruenba@xxxxxxxxxx>
> Date: Tue, 1 Apr 2014 05:13:56 +0530
> Subject: [RFC 06/21] vfs: Make the inode passed to inode_change_ok
>  non-const
> To: linux-kernel@xxxxxxxxxxxxxxx,
>     linux-fsdevel@xxxxxxxxxxxxxxx,
>     linux-nfs@xxxxxxxxxxxxxxx
>
> We will need to call iop->permission and iop->get_acl from
> inode_change_ok() for additional permission checks, and both take a
> non-const inode.
>
> Signed-off-by: Andreas Gruenbacher <agruenba@xxxxxxxxxx>
> ---
>  fs/attr.c          | 2 +-
>  include/linux/fs.h | 2 +-
>  2 files changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/fs/attr.c b/fs/attr.c
> index 6530ced..328be71 100644
> --- a/fs/attr.c
> +++ b/fs/attr.c
> @@ -28,7 +28,7 @@
>   * Should be called as the first thing in ->setattr implementations,
>   * possibly after taking additional locks.
>   */
> -int inode_change_ok(const struct inode *inode, struct iattr *attr)
> +int inode_change_ok(struct inode *inode, struct iattr *attr)
>  {
>         unsigned int ia_valid = attr->ia_valid;
>
> diff --git a/include/linux/fs.h b/include/linux/fs.h
> index 101abcf..f688ea6 100644
> --- a/include/linux/fs.h
> +++ b/include/linux/fs.h
> @@ -2760,7 +2760,7 @@ extern int buffer_migrate_page(struct address_space *,
>  #define buffer_migrate_page NULL
>  #endif
>
> -extern int inode_change_ok(const struct inode *, struct iattr *);
> +extern int inode_change_ok(struct inode *, struct iattr *);
>  extern int inode_newsize_ok(const struct inode *, loff_t offset);
>  extern void setattr_copy(struct inode *inode, const struct iattr *attr);
>
> --
> 2.1.0
>
>
> From e710237138b0ee9012bc616012d1f8511cf6af4a Mon Sep 17 00:00:00 2001
> Message-Id: <e710237138b0ee9012bc616012d1f8511cf6af4a.1424900921.git.agruenba@xxxxxxxxxx>
> In-Reply-To: <cover.1424900921.git.agruenba@xxxxxxxxxx>
> References: <cover.1424900921.git.agruenba@xxxxxxxxxx>
> From: Andreas Gruenbacher <agruenba@xxxxxxxxxx>
> Date: Tue, 1 Apr 2014 05:29:34 +0530
> Subject: [RFC 07/21] vfs: Add permission flags for setting file
>  attributes
> To: linux-kernel@xxxxxxxxxxxxxxx,
>     linux-fsdevel@xxxxxxxxxxxxxxx,
>     linux-nfs@xxxxxxxxxxxxxxx
>
> Richacls support permissions that allow to take ownership of a file, change the
> file permissions, and set the file timestamps.  Support that by introducing new
> permission mask flags and by checking for those mask flags in
> inode_change_ok().
>
> Signed-off-by: Andreas Gruenbacher <agruenba@xxxxxxxxxx>
> ---
>  fs/attr.c          | 79 +++++++++++++++++++++++++++++++++++++++++++++---------
>  include/linux/fs.h |  3 +++
>  2 files changed, 70 insertions(+), 12 deletions(-)
>
> diff --git a/fs/attr.c b/fs/attr.c
> index 328be71..85483e0 100644
> --- a/fs/attr.c
> +++ b/fs/attr.c
> @@ -17,6 +17,65 @@
>  #include <linux/ima.h>
>
>  /**
> + * inode_extended_permission  -  permissions beyond read/write/execute
> + *
> + * Check for permissions that only richacls can currently grant.
> + */
> +static int inode_extended_permission(struct inode *inode, int mask)
> +{
> +       if (!IS_RICHACL(inode))
> +               return -EPERM;
> +       return inode_permission(inode, mask);
> +}
> +
> +static bool inode_uid_change_ok(struct inode *inode, kuid_t ia_uid)
> +{
> +       if (uid_eq(current_fsuid(), inode->i_uid) &&
> +           uid_eq(ia_uid, inode->i_uid))
> +               return true;
> +       if (uid_eq(current_fsuid(), ia_uid) &&
> +           inode_extended_permission(inode, MAY_TAKE_OWNERSHIP) == 0)
> +               return true;
> +       if (capable_wrt_inode_uidgid(inode, CAP_CHOWN))
> +               return true;
> +       return false;
> +}
> +
> +static bool inode_gid_change_ok(struct inode *inode, kgid_t ia_gid)
> +{
> +       int in_group = in_group_p(ia_gid);
> +       if (uid_eq(current_fsuid(), inode->i_uid) &&
> +           (in_group || gid_eq(ia_gid, inode->i_gid)))
> +               return true;
> +       if (in_group && inode_extended_permission(inode, MAY_TAKE_OWNERSHIP) == 0)
> +               return true;
> +       if (capable_wrt_inode_uidgid(inode, CAP_CHOWN))
> +               return true;
> +       return false;
> +}
> +
> +/**
> + * inode_owner_permitted_or_capable
> + *
> + * Check for permissions implicitly granted to the owner, like MAY_CHMOD or
> + * MAY_SET_TIMES.  Equivalent to inode_owner_or_capable for file systems
> + * without support for those permissions.
> + */
> +static bool inode_owner_permitted_or_capable(struct inode *inode, int mask)
> +{
> +       struct user_namespace *ns;
> +
> +       if (uid_eq(current_fsuid(), inode->i_uid))
> +               return true;
> +       if (inode_extended_permission(inode, mask) == 0)
> +               return true;
> +       ns = current_user_ns();
> +       if (ns_capable(ns, CAP_FOWNER) && kuid_has_mapping(ns, inode->i_uid))
> +               return true;
> +       return false;
> +}
> +
> +/**
>   * inode_change_ok - check if attribute changes to an inode are allowed
>   * @inode:     inode to check
>   * @attr:      attributes to change
> @@ -47,22 +106,18 @@ int inode_change_ok(struct inode *inode, struct iattr *attr)
>                 return 0;
>
>         /* Make sure a caller can chown. */
> -       if ((ia_valid & ATTR_UID) &&
> -           (!uid_eq(current_fsuid(), inode->i_uid) ||
> -            !uid_eq(attr->ia_uid, inode->i_uid)) &&
> -           !capable_wrt_inode_uidgid(inode, CAP_CHOWN))
> -               return -EPERM;
> +       if (ia_valid & ATTR_UID)
> +               if (!inode_uid_change_ok(inode, attr->ia_uid))
> +                       return -EPERM;
>
>         /* Make sure caller can chgrp. */
> -       if ((ia_valid & ATTR_GID) &&
> -           (!uid_eq(current_fsuid(), inode->i_uid) ||
> -           (!in_group_p(attr->ia_gid) && !gid_eq(attr->ia_gid, inode->i_gid))) &&
> -           !capable_wrt_inode_uidgid(inode, CAP_CHOWN))
> -               return -EPERM;
> +       if (ia_valid & ATTR_GID)
> +               if (!inode_gid_change_ok(inode, attr->ia_gid))
> +                       return -EPERM;
>
>         /* Make sure a caller can chmod. */
>         if (ia_valid & ATTR_MODE) {
> -               if (!inode_owner_or_capable(inode))
> +               if (!inode_owner_permitted_or_capable(inode, MAY_CHMOD))
>                         return -EPERM;
>                 /* Also check the setgid bit! */
>                 if (!in_group_p((ia_valid & ATTR_GID) ? attr->ia_gid :
> @@ -73,7 +128,7 @@ int inode_change_ok(struct inode *inode, struct iattr *attr)
>
>         /* Check for setting the inode time. */
>         if (ia_valid & (ATTR_MTIME_SET | ATTR_ATIME_SET | ATTR_TIMES_SET)) {
> -               if (!inode_owner_or_capable(inode))
> +               if (!inode_owner_permitted_or_capable(inode, MAY_SET_TIMES))
>                         return -EPERM;
>         }
>
> diff --git a/include/linux/fs.h b/include/linux/fs.h
> index f688ea6..e3e1e42 100644
> --- a/include/linux/fs.h
> +++ b/include/linux/fs.h
> @@ -84,6 +84,9 @@ typedef void (dio_iodone_t)(struct kiocb *iocb, loff_t offset,
>  #define MAY_CREATE_DIR         0x00000200
>  #define MAY_DELETE_CHILD       0x00000400
>  #define MAY_DELETE_SELF                0x00000800
> +#define MAY_TAKE_OWNERSHIP     0x00001000
> +#define MAY_CHMOD              0x00002000
> +#define MAY_SET_TIMES          0x00004000
>
>  /*
>   * flags in file.f_mode.  Note that FMODE_READ and FMODE_WRITE must correspond
> --
> 2.1.0
>
>
> From a47d85681cea868d4e34794982297950533c2930 Mon Sep 17 00:00:00 2001
> Message-Id: <a47d85681cea868d4e34794982297950533c2930.1424900921.git.agruenba@xxxxxxxxxx>
> In-Reply-To: <cover.1424900921.git.agruenba@xxxxxxxxxx>
> References: <cover.1424900921.git.agruenba@xxxxxxxxxx>
> From: Andreas Gruenbacher <agruenba@xxxxxxxxxx>
> Date: Tue, 1 Apr 2014 18:10:17 +0530
> Subject: [RFC 08/21] richacl: In-memory representation and helper
>  functions
> To: linux-kernel@xxxxxxxxxxxxxxx,
>     linux-fsdevel@xxxxxxxxxxxxxxx,
>     linux-nfs@xxxxxxxxxxxxxxx
>
> A richacl consists of an NFSv4 acl and an owner, group, and other mask.
> These three masks correspond to the owner, group, and other file
> permission bits, but they contain NFSv4 permissions instead of POSIX
> permissions.
>
> Each entry in the NFSv4 acl applies to the file owner (OWNER@), the owning
> group (GROUP@), everyone (EVERYONE@), or to a specific uid or gid.
>
> As in the standard POSIX file permission model, each process is the
> owner, group, or other file class.  A richacl grants a requested access
> only if the NFSv4 acl in the richacl grants the access (according to the
> NFSv4 permission check algorithm), and the file mask that applies to the
> process includes the requested permissions.
>
> Signed-off-by: Andreas Gruenbacher <agruenba@xxxxxxxxxx>
> ---
>  fs/Makefile             |   2 +
>  fs/richacl_base.c       |  57 +++++++++++
>  include/linux/richacl.h | 248 ++++++++++++++++++++++++++++++++++++++++++++++++
>  3 files changed, 307 insertions(+)
>  create mode 100644 fs/richacl_base.c
>  create mode 100644 include/linux/richacl.h
>
> diff --git a/fs/Makefile b/fs/Makefile
> index a88ac48..8f0a59c 100644
> --- a/fs/Makefile
> +++ b/fs/Makefile
> @@ -47,6 +47,8 @@ obj-$(CONFIG_COREDUMP)                += coredump.o
>  obj-$(CONFIG_SYSCTL)           += drop_caches.o
>
>  obj-$(CONFIG_FHANDLE)          += fhandle.o
> +obj-$(CONFIG_FS_RICHACL)       += richacl.o
> +richacl-y                      := richacl_base.o
>
>  obj-y                          += quota/
>
> diff --git a/fs/richacl_base.c b/fs/richacl_base.c
> new file mode 100644
> index 0000000..abf8bce
> --- /dev/null
> +++ b/fs/richacl_base.c
> @@ -0,0 +1,57 @@
> +/*
> + * Copyright (C) 2006, 2010  Novell, Inc.
> + * Copyright (C) 2015  Red Hat, Inc.
> + * Written by Andreas Gruenbacher <agruen@xxxxxxxxxx>
> + *
> + * This program is free software; you can redistribute it and/or modify it
> + * under the terms of the GNU General Public License as published by the
> + * Free Software Foundation; either version 2, or (at your option) any
> + * later version.
> + *
> + * This program is distributed in the hope that it will be useful, but
> + * WITHOUT ANY WARRANTY; without even the implied warranty of
> + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
> + * General Public License for more details.
> + */
> +
> +#include <linux/sched.h>
> +#include <linux/module.h>
> +#include <linux/fs.h>
> +#include <linux/richacl.h>
> +
> +MODULE_LICENSE("GPL");
> +
> +/**
> + * richacl_alloc  -  allocate a richacl
> + * @count:     number of entries
> + */
> +struct richacl *
> +richacl_alloc(int count)
> +{
> +       size_t size = sizeof(struct richacl) + count * sizeof(struct richace);
> +       struct richacl *acl = kzalloc(size, GFP_KERNEL);
> +
> +       if (acl) {
> +               atomic_set(&acl->a_refcount, 1);
> +               acl->a_count = count;
> +       }
> +       return acl;
> +}
> +EXPORT_SYMBOL_GPL(richacl_alloc);
> +
> +/**
> + * richacl_clone  -  create a copy of a richacl
> + */
> +static struct richacl *
> +richacl_clone(const struct richacl *acl)
> +{
> +       int count = acl->a_count;
> +       size_t size = sizeof(struct richacl) + count * sizeof(struct richace);
> +       struct richacl *dup = kmalloc(size, GFP_KERNEL);
> +
> +       if (dup) {
> +               memcpy(dup, acl, size);
> +               atomic_set(&dup->a_refcount, 1);
> +       }
> +       return dup;
> +}
> diff --git a/include/linux/richacl.h b/include/linux/richacl.h
> new file mode 100644
> index 0000000..b16d865
> --- /dev/null
> +++ b/include/linux/richacl.h
> @@ -0,0 +1,248 @@
> +/*
> + * Copyright (C) 2006, 2010  Novell, Inc.
> + * Copyright (C) 2015  Red Hat, Inc.
> + * Written by Andreas Gruenbacher <agruen@xxxxxxxxxx>
> + *
> + * This program is free software; you can redistribute it and/or modify it
> + * under the terms of the GNU General Public License as published by the
> + * Free Software Foundation; either version 2, or (at your option) any
> + * later version.
> + *
> + * This program is distributed in the hope that it will be useful, but
> + * WITHOUT ANY WARRANTY; without even the implied warranty of
> + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
> + * General Public License for more details.
> + */
> +
> +#ifndef __RICHACL_H
> +#define __RICHACL_H
> +#include <linux/slab.h>
> +
> +#define ACE_OWNER_ID           130
> +#define ACE_GROUP_ID           131
> +#define ACE_EVERYONE_ID                110
> +
> +struct richace {
> +       unsigned short  e_type;
> +       unsigned short  e_flags;
> +       unsigned int    e_mask;
> +       unsigned int    e_id;
> +};
> +
> +struct richacl {
> +       atomic_t        a_refcount;
> +       unsigned int    a_owner_mask;
> +       unsigned int    a_group_mask;
> +       unsigned int    a_other_mask;
> +       unsigned short  a_count;
> +       unsigned short  a_flags;
> +       struct richace  a_entries[0];
> +};
> +
> +#define richacl_for_each_entry(_ace, _acl) \
> +       for (_ace = (_acl)->a_entries; \
> +            _ace != (_acl)->a_entries + (_acl)->a_count; \
> +            _ace++)
> +
> +#define richacl_for_each_entry_reverse(_ace, _acl) \
> +       for (_ace = (_acl)->a_entries + (_acl)->a_count - 1; \
> +            _ace != (_acl)->a_entries - 1; \
> +            _ace--)
> +
> +/* Flag values defined by richacls */
> +#define ACL4_MASKED                    0x80
> +
> +#define ACL4_VALID_FLAGS (                     \
> +               ACL4_MASKED)
> +
> +/* e_type values */
> +#define ACE4_ACCESS_ALLOWED_ACE_TYPE   0x0000
> +#define ACE4_ACCESS_DENIED_ACE_TYPE    0x0001
> +/*#define ACE4_SYSTEM_AUDIT_ACE_TYPE   0x0002*/
> +/*#define ACE4_SYSTEM_ALARM_ACE_TYPE   0x0003*/
> +
> +/* e_flags bitflags */
> +#define ACE4_FILE_INHERIT_ACE          0x0001
> +#define ACE4_DIRECTORY_INHERIT_ACE     0x0002
> +#define ACE4_NO_PROPAGATE_INHERIT_ACE  0x0004
> +#define ACE4_INHERIT_ONLY_ACE          0x0008
> +/*#define ACE4_SUCCESSFUL_ACCESS_ACE_FLAG      0x0010*/
> +/*#define ACE4_FAILED_ACCESS_ACE_FLAG  0x0020*/
> +#define ACE4_IDENTIFIER_GROUP          0x0040
> +/* richacl specific flag values */
> +#define ACE4_SPECIAL_WHO               0x4000
> +
> +#define ACE4_VALID_FLAGS (                     \
> +       ACE4_FILE_INHERIT_ACE |                 \
> +       ACE4_DIRECTORY_INHERIT_ACE |            \
> +       ACE4_NO_PROPAGATE_INHERIT_ACE |         \
> +       ACE4_INHERIT_ONLY_ACE |                 \
> +       ACE4_IDENTIFIER_GROUP |                 \
> +       ACE4_SPECIAL_WHO)
> +
> +/* e_mask bitflags */
> +#define ACE4_READ_DATA                 0x00000001
> +#define ACE4_LIST_DIRECTORY            0x00000001
> +#define ACE4_WRITE_DATA                        0x00000002
> +#define ACE4_ADD_FILE                  0x00000002
> +#define ACE4_APPEND_DATA               0x00000004
> +#define ACE4_ADD_SUBDIRECTORY          0x00000004
> +#define ACE4_READ_NAMED_ATTRS          0x00000008
> +#define ACE4_WRITE_NAMED_ATTRS         0x00000010
> +#define ACE4_EXECUTE                   0x00000020
> +#define ACE4_DELETE_CHILD              0x00000040
> +#define ACE4_READ_ATTRIBUTES           0x00000080
> +#define ACE4_WRITE_ATTRIBUTES          0x00000100
> +#define ACE4_WRITE_RETENTION           0x00000200
> +#define ACE4_WRITE_RETENTION_HOLD      0x00000400
> +#define ACE4_DELETE                    0x00010000
> +#define ACE4_READ_ACL                  0x00020000
> +#define ACE4_WRITE_ACL                 0x00040000
> +#define ACE4_WRITE_OWNER               0x00080000
> +#define ACE4_SYNCHRONIZE               0x00100000
> +
> +/* Valid ACE4_* flags for directories and non-directories */
> +#define ACE4_VALID_MASK (                              \
> +       ACE4_READ_DATA | ACE4_LIST_DIRECTORY |          \
> +       ACE4_WRITE_DATA | ACE4_ADD_FILE |               \
> +       ACE4_APPEND_DATA | ACE4_ADD_SUBDIRECTORY |      \
> +       ACE4_READ_NAMED_ATTRS |                         \
> +       ACE4_WRITE_NAMED_ATTRS |                        \
> +       ACE4_EXECUTE |                                  \
> +       ACE4_DELETE_CHILD |                             \
> +       ACE4_READ_ATTRIBUTES |                          \
> +       ACE4_WRITE_ATTRIBUTES |                         \
> +       ACE4_WRITE_RETENTION |                          \
> +       ACE4_WRITE_RETENTION_HOLD |                     \
> +       ACE4_DELETE |                                   \
> +       ACE4_READ_ACL |                                 \
> +       ACE4_WRITE_ACL |                                \
> +       ACE4_WRITE_OWNER |                              \
> +       ACE4_SYNCHRONIZE)
> +
> +/**
> + * richacl_get  -  grab another reference to a richacl handle
> + */
> +static inline struct richacl *
> +richacl_get(struct richacl *acl)
> +{
> +       if (acl)
> +               atomic_inc(&acl->a_refcount);
> +       return acl;
> +}
> +
> +/**
> + * richacl_put  -  free a richacl handle
> + */
> +static inline void
> +richacl_put(struct richacl *acl)
> +{
> +       if (acl && atomic_dec_and_test(&acl->a_refcount))
> +               kfree(acl);
> +}
> +
> +/**
> + * richace_is_owner  -  check if @ace is an OWNER@ entry
> + */
> +static inline bool
> +richace_is_owner(const struct richace *ace)
> +{
> +       return (ace->e_flags & ACE4_SPECIAL_WHO) &&
> +              ace->e_id == ACE_OWNER_ID;
> +}
> +
> +/**
> + * richace_is_group  -  check if @ace is a GROUP@ entry
> + */
> +static inline bool
> +richace_is_group(const struct richace *ace)
> +{
> +       return (ace->e_flags & ACE4_SPECIAL_WHO) &&
> +              ace->e_id == ACE_GROUP_ID;
> +}
> +
> +/**
> + * richace_is_everyone  -  check if @ace is an EVERYONE@ entry
> + */
> +static inline bool
> +richace_is_everyone(const struct richace *ace)
> +{
> +       return (ace->e_flags & ACE4_SPECIAL_WHO) &&
> +              ace->e_id == ACE_EVERYONE_ID;
> +}
> +
> +/**
> + * richace_is_unix_id  -  check if @ace applies to a specific uid or gid
> + */
> +static inline bool
> +richace_is_unix_id(const struct richace *ace)
> +{
> +       return !(ace->e_flags & ACE4_SPECIAL_WHO);
> +}
> +
> +/**
> + * richace_is_inherit_only  -  check if @ace is for inheritance only
> + *
> + * ACEs with the %ACE4_INHERIT_ONLY_ACE flag set have no effect during
> + * permission checking.
> + */
> +static inline bool
> +richace_is_inherit_only(const struct richace *ace)
> +{
> +       return ace->e_flags & ACE4_INHERIT_ONLY_ACE;
> +}
> +
> +/**
> + * richace_is_inheritable  -  check if @ace is inheritable
> + */
> +static inline bool
> +richace_is_inheritable(const struct richace *ace)
> +{
> +       return ace->e_flags & (ACE4_FILE_INHERIT_ACE |
> +                              ACE4_DIRECTORY_INHERIT_ACE);
> +}
> +
> +/**
> + * richace_clear_inheritance_flags  - clear all inheritance flags in @ace
> + */
> +static inline void
> +richace_clear_inheritance_flags(struct richace *ace)
> +{
> +       ace->e_flags &= ~(ACE4_FILE_INHERIT_ACE |
> +                         ACE4_DIRECTORY_INHERIT_ACE |
> +                         ACE4_NO_PROPAGATE_INHERIT_ACE |
> +                         ACE4_INHERIT_ONLY_ACE);
> +}
> +
> +/**
> + * richace_is_allow  -  check if @ace is an %ALLOW type entry
> + */
> +static inline bool
> +richace_is_allow(const struct richace *ace)
> +{
> +       return ace->e_type == ACE4_ACCESS_ALLOWED_ACE_TYPE;
> +}
> +
> +/**
> + * richace_is_deny  -  check if @ace is a %DENY type entry
> + */
> +static inline bool
> +richace_is_deny(const struct richace *ace)
> +{
> +       return ace->e_type == ACE4_ACCESS_DENIED_ACE_TYPE;
> +}
> +
> +/**
> + * richace_is_same_identifier  -  are both identifiers the same?
> + */
> +static inline bool
> +richace_is_same_identifier(const struct richace *a, const struct richace *b)
> +{
> +       return !((a->e_flags ^ b->e_flags) &
> +                (ACE4_SPECIAL_WHO | ACE4_IDENTIFIER_GROUP)) &&
> +              a->e_id == b->e_id;
> +}
> +
> +extern struct richacl *richacl_alloc(int);
> +
> +#endif /* __RICHACL_H */
> --
> 2.1.0
>
>
> From fe15273975043bc6064de8395e41ba3066f8d5d4 Mon Sep 17 00:00:00 2001
> Message-Id: <fe15273975043bc6064de8395e41ba3066f8d5d4.1424900921.git.agruenba@xxxxxxxxxx>
> In-Reply-To: <cover.1424900921.git.agruenba@xxxxxxxxxx>
> References: <cover.1424900921.git.agruenba@xxxxxxxxxx>
> From: Andreas Gruenbacher <agruenba@xxxxxxxxxx>
> Date: Tue, 1 Apr 2014 18:11:56 +0530
> Subject: [RFC 09/21] richacl: Permission mapping functions
> To: linux-kernel@xxxxxxxxxxxxxxx,
>     linux-fsdevel@xxxxxxxxxxxxxxx,
>     linux-nfs@xxxxxxxxxxxxxxx
>
> We need to map from POSIX permissions to NFSv4 permissions when a
> chmod() is done, from NFSv4 permissions to POSIX permissions when an acl
> is set (which implicitly sets the file permission bits), and from the
> MAY_READ/MAY_WRITE/MAY_EXEC/MAY_APPEND flags to NFSv4 permissions when
> doing an access check in a richacl.
>
> Signed-off-by: Andreas Gruenbacher <agruenba@xxxxxxxxxx>
> ---
>  fs/richacl_base.c       | 117 ++++++++++++++++++++++++++++++++++++++++++++++++
>  include/linux/richacl.h |  46 +++++++++++++++++++
>  2 files changed, 163 insertions(+)
>
> diff --git a/fs/richacl_base.c b/fs/richacl_base.c
> index abf8bce..83731c7 100644
> --- a/fs/richacl_base.c
> +++ b/fs/richacl_base.c
> @@ -55,3 +55,120 @@ richacl_clone(const struct richacl *acl)
>         }
>         return dup;
>  }
> +
> +/**
> + * richacl_mask_to_mode  -  compute the file permission bits which correspond to @mask
> + * @mask:      %ACE4_* permission mask
> + *
> + * See richacl_masks_to_mode().
> + */
> +static int
> +richacl_mask_to_mode(unsigned int mask)
> +{
> +       int mode = 0;
> +
> +       if (mask & ACE4_POSIX_MODE_READ)
> +               mode |= S_IROTH;
> +       if (mask & ACE4_POSIX_MODE_WRITE)
> +               mode |= S_IWOTH;
> +       if (mask & ACE4_POSIX_MODE_EXEC)
> +               mode |= S_IXOTH;
> +
> +       return mode;
> +}
> +
> +/**
> + * richacl_masks_to_mode  -  compute the file permission bits from the file masks
> + *
> + * When setting a richacl, we set the file permission bits to indicate maximum
> + * permissions: for example, we set the Write permission when a mask contains
> + * ACE4_APPEND_DATA even if it does not also contain ACE4_WRITE_DATA.
> + *
> + * Permissions which are not in ACE4_POSIX_MODE_READ, ACE4_POSIX_MODE_WRITE, or
> + * ACE4_POSIX_MODE_EXEC cannot be represented in the file permission bits.
> + * Such permissions can still be effective, but not for new files or after a
> + * chmod(), and only if they were set explicitly, for example, by setting a
> + * richacl.
> + */
> +int
> +richacl_masks_to_mode(const struct richacl *acl)
> +{
> +       return richacl_mask_to_mode(acl->a_owner_mask) << 6 |
> +              richacl_mask_to_mode(acl->a_group_mask) << 3 |
> +              richacl_mask_to_mode(acl->a_other_mask);
> +}
> +EXPORT_SYMBOL_GPL(richacl_masks_to_mode);
> +
> +/**
> + * richacl_mode_to_mask  - compute a file mask from the lowest three mode bits
> + *
> + * When the file permission bits of a file are set with chmod(), this specifies
> + * the maximum permissions that processes will get.  All permissions beyond
> + * that will be removed from the file masks, and become ineffective.
> + *
> + * We also add in the permissions which are always allowed no matter what the
> + * acl says.
> + */
> +unsigned int
> +richacl_mode_to_mask(mode_t mode)
> +{
> +       unsigned int mask = ACE4_POSIX_ALWAYS_ALLOWED;
> +
> +       if (mode & S_IROTH)
> +               mask |= ACE4_POSIX_MODE_READ;
> +       if (mode & S_IWOTH)
> +               mask |= ACE4_POSIX_MODE_WRITE;
> +       if (mode & S_IXOTH)
> +               mask |= ACE4_POSIX_MODE_EXEC;
> +
> +       return mask;
> +}
> +
> +/**
> + * richacl_want_to_mask  - convert the iop->permission want argument to a mask
> + * @want:      @want argument of the permission inode operation
> + *
> + * When checking for append, @want is (MAY_WRITE | MAY_APPEND).
> + *
> + * Richacls use the iop->may_create and iop->may_delete hooks which are
> + * used for checking if creating and deleting files is allowed.  These hooks do
> + * not use richacl_want_to_mask(), so we do not have to deal with mapping
> + * MAY_WRITE to ACE4_ADD_FILE, ACE4_ADD_SUBDIRECTORY, and ACE4_DELETE_CHILD
> + * here.
> + */
> +unsigned int
> +richacl_want_to_mask(unsigned int want)
> +{
> +       unsigned int mask = 0;
> +
> +       if (want & MAY_READ)
> +               mask |= ACE4_READ_DATA;
> +       if (want & MAY_DELETE_SELF)
> +               mask |= ACE4_DELETE;
> +       if (want & MAY_TAKE_OWNERSHIP)
> +               mask |= ACE4_WRITE_OWNER;
> +       if (want & MAY_CHMOD)
> +               mask |= ACE4_WRITE_ACL;
> +       if (want & MAY_SET_TIMES)
> +               mask |= ACE4_WRITE_ATTRIBUTES;
> +       if (want & MAY_EXEC)
> +               mask |= ACE4_EXECUTE;
> +       /*
> +        * differentiate MAY_WRITE from these request
> +        */
> +       if (want & (MAY_APPEND |
> +                   MAY_CREATE_FILE | MAY_CREATE_DIR |
> +                   MAY_DELETE_CHILD)) {
> +               if (want & MAY_APPEND)
> +                       mask |= ACE4_APPEND_DATA;
> +               if (want & MAY_CREATE_FILE)
> +                       mask |= ACE4_ADD_FILE;
> +               if (want & MAY_CREATE_DIR)
> +                       mask |= ACE4_ADD_SUBDIRECTORY;
> +               if (want & MAY_DELETE_CHILD)
> +                       mask |= ACE4_DELETE_CHILD;
> +       } else if (want & MAY_WRITE)
> +               mask |= ACE4_WRITE_DATA;
> +       return mask;
> +}
> +EXPORT_SYMBOL_GPL(richacl_want_to_mask);
> diff --git a/include/linux/richacl.h b/include/linux/richacl.h
> index b16d865..41819f4 100644
> --- a/include/linux/richacl.h
> +++ b/include/linux/richacl.h
> @@ -120,6 +120,49 @@ struct richacl {
>         ACE4_WRITE_OWNER |                              \
>         ACE4_SYNCHRONIZE)
>
> +/*
> + * The POSIX permissions are supersets of the following NFSv4 permissions:
> + *
> + *  - MAY_READ maps to READ_DATA or LIST_DIRECTORY, depending on the type
> + *    of the file system object.
> + *
> + *  - MAY_WRITE maps to WRITE_DATA or ACE4_APPEND_DATA for files, and to
> + *    ADD_FILE, ACE4_ADD_SUBDIRECTORY, or ACE4_DELETE_CHILD for directories.
> + *
> + *  - MAY_EXECUTE maps to ACE4_EXECUTE.
> + *
> + *  (Some of these NFSv4 permissions have the same bit values.)
> + */
> +#define ACE4_POSIX_MODE_READ (                 \
> +               ACE4_READ_DATA |                \
> +               ACE4_LIST_DIRECTORY)
> +#define ACE4_POSIX_MODE_WRITE (                        \
> +               ACE4_WRITE_DATA |               \
> +               ACE4_ADD_FILE |                 \
> +               ACE4_APPEND_DATA |              \
> +               ACE4_ADD_SUBDIRECTORY |         \
> +               ACE4_DELETE_CHILD)
> +#define ACE4_POSIX_MODE_EXEC ACE4_EXECUTE
> +#define ACE4_POSIX_MODE_ALL (                  \
> +               ACE4_POSIX_MODE_READ |          \
> +               ACE4_POSIX_MODE_WRITE |         \
> +               ACE4_POSIX_MODE_EXEC)
> +/*
> + * These permissions are always allowed
> + * no matter what the acl says.
> + */
> +#define ACE4_POSIX_ALWAYS_ALLOWED (    \
> +               ACE4_SYNCHRONIZE |      \
> +               ACE4_READ_ATTRIBUTES |  \
> +               ACE4_READ_ACL)
> +/*
> + * The owner is implicitly granted
> + * these permissions under POSIX.
> + */
> +#define ACE4_POSIX_OWNER_ALLOWED (             \
> +               ACE4_WRITE_ATTRIBUTES |         \
> +               ACE4_WRITE_OWNER |              \
> +               ACE4_WRITE_ACL)
>  /**
>   * richacl_get  -  grab another reference to a richacl handle
>   */
> @@ -244,5 +287,8 @@ richace_is_same_identifier(const struct richace *a, const struct richace *b)
>  }
>
>  extern struct richacl *richacl_alloc(int);
> +extern int richacl_masks_to_mode(const struct richacl *);
> +extern unsigned int richacl_mode_to_mask(mode_t);
> +extern unsigned int richacl_want_to_mask(unsigned int);
>
>  #endif /* __RICHACL_H */
> --
> 2.1.0
>
>
> From ae4e31aeac1c56249ae7092c84fe554ccb34df41 Mon Sep 17 00:00:00 2001
> Message-Id: <ae4e31aeac1c56249ae7092c84fe554ccb34df41.1424900921.git.agruenba@xxxxxxxxxx>
> In-Reply-To: <cover.1424900921.git.agruenba@xxxxxxxxxx>
> References: <cover.1424900921.git.agruenba@xxxxxxxxxx>
> From: Andreas Gruenbacher <agruenba@xxxxxxxxxx>
> Date: Tue, 1 Apr 2014 18:13:16 +0530
> Subject: [RFC 10/21] richacl: Compute maximum file masks from an acl
> To: linux-kernel@xxxxxxxxxxxxxxx,
>     linux-fsdevel@xxxxxxxxxxxxxxx,
>     linux-nfs@xxxxxxxxxxxxxxx
>
> Compute upper bound owner, group, and other file masks with as few
> permissions as possible without denying any permissions that the NFSv4
> acl in a richacl grants.
>
> This algorithm is used when a file inherits an acl at create time and
> when an acl is set via a mechanism that does not specify file modes
> (such as via nfsd).  When user-space sets an acl, the file masks are
> passed in as part of the xattr.
>
> When setting a richacl, the file masks determine what the file
> permission bits will be set to; see richacl_masks_to_mode().
>
> Signed-off-by: Andreas Gruenbacher <agruenba@xxxxxxxxxx>
> ---
>  fs/richacl_base.c       | 128 ++++++++++++++++++++++++++++++++++++++++++++++++
>  include/linux/richacl.h |   1 +
>  2 files changed, 129 insertions(+)
>
> diff --git a/fs/richacl_base.c b/fs/richacl_base.c
> index 83731c7..683bde2 100644
> --- a/fs/richacl_base.c
> +++ b/fs/richacl_base.c
> @@ -172,3 +172,131 @@ richacl_want_to_mask(unsigned int want)
>         return mask;
>  }
>  EXPORT_SYMBOL_GPL(richacl_want_to_mask);
> +
> +/**
> + * richacl_allowed_to_who  -  mask flags allowed to a specific who value
> + *
> + * Computes the mask values allowed to a specific who value, taking
> + * EVERYONE@ entries into account.
> + */
> +static unsigned int richacl_allowed_to_who(struct richacl *acl,
> +                                          struct richace *who)
> +{
> +       struct richace *ace;
> +       unsigned int allowed = 0;
> +
> +       richacl_for_each_entry_reverse(ace, acl) {
> +               if (richace_is_inherit_only(ace))
> +                       continue;
> +               if (richace_is_same_identifier(ace, who) ||
> +                   richace_is_everyone(ace)) {
> +                       if (richace_is_allow(ace))
> +                               allowed |= ace->e_mask;
> +                       else if (richace_is_deny(ace))
> +                               allowed &= ~ace->e_mask;
> +               }
> +       }
> +       return allowed;
> +}
> +
> +/**
> + * richacl_group_class_allowed  -  maximum permissions the group class is allowed
> + *
> + * See richacl_compute_max_masks().
> + */
> +static unsigned int richacl_group_class_allowed(struct richacl *acl)
> +{
> +       struct richace *ace;
> +       unsigned int everyone_allowed = 0, group_class_allowed = 0;
> +       int had_group_ace = 0;
> +
> +       richacl_for_each_entry_reverse(ace, acl) {
> +               if (richace_is_inherit_only(ace) ||
> +                   richace_is_owner(ace))
> +                       continue;
> +
> +               if (richace_is_everyone(ace)) {
> +                       if (richace_is_allow(ace))
> +                               everyone_allowed |= ace->e_mask;
> +                       else if (richace_is_deny(ace))
> +                               everyone_allowed &= ~ace->e_mask;
> +               } else {
> +                       group_class_allowed |=
> +                               richacl_allowed_to_who(acl, ace);
> +
> +                       if (richace_is_group(ace))
> +                               had_group_ace = 1;
> +               }
> +       }
> +       if (!had_group_ace)
> +               group_class_allowed |= everyone_allowed;
> +       return group_class_allowed;
> +}
> +
> +/**
> + * richacl_compute_max_masks  -  compute upper bound masks
> + *
> + * Computes upper bound owner, group, and other masks so that none of
> + * the mask flags allowed by the acl are disabled (for any choice of the
> + * file owner or group membership).
> + */
> +void richacl_compute_max_masks(struct richacl *acl)
> +{
> +       unsigned int gmask = ~0;
> +       struct richace *ace;
> +
> +       /*
> +        * @gmask contains all permissions which the group class is ever
> +        * allowed.  We use it to avoid adding permissions to the group mask
> +        * from everyone@ allow aces which the group class is always denied
> +        * through other aces.  For example, the following acl would otherwise
> +        * result in a group mask or rw:
> +        *
> +        *      group@:w::deny
> +        *      everyone@:rw::allow
> +        *
> +        * Avoid computing @gmask for acls which do not include any group class
> +        * deny aces: in such acls, the group class is never denied any
> +        * permissions from everyone@ allow aces.
> +        */
> +
> +restart:
> +       acl->a_owner_mask = 0;
> +       acl->a_group_mask = 0;
> +       acl->a_other_mask = 0;
> +
> +       richacl_for_each_entry_reverse(ace, acl) {
> +               if (richace_is_inherit_only(ace))
> +                       continue;
> +
> +               if (richace_is_owner(ace)) {
> +                       if (richace_is_allow(ace))
> +                               acl->a_owner_mask |= ace->e_mask;
> +                       else if (richace_is_deny(ace))
> +                               acl->a_owner_mask &= ~ace->e_mask;
> +               } else if (richace_is_everyone(ace)) {
> +                       if (richace_is_allow(ace)) {
> +                               acl->a_owner_mask |= ace->e_mask;
> +                               acl->a_group_mask |= ace->e_mask & gmask;
> +                               acl->a_other_mask |= ace->e_mask;
> +                       } else if (richace_is_deny(ace)) {
> +                               acl->a_owner_mask &= ~ace->e_mask;
> +                               acl->a_group_mask &= ~ace->e_mask;
> +                               acl->a_other_mask &= ~ace->e_mask;
> +                       }
> +               } else {
> +                       if (richace_is_allow(ace)) {
> +                               acl->a_owner_mask |= ace->e_mask & gmask;
> +                               acl->a_group_mask |= ace->e_mask & gmask;
> +                       } else if (richace_is_deny(ace) && gmask == ~0) {
> +                               gmask = richacl_group_class_allowed(acl);
> +                               if (likely(gmask != ~0))
> +                                       /* should always be true */
> +                                       goto restart;
> +                       }
> +               }
> +       }
> +
> +       acl->a_flags &= ~ACL4_MASKED;
> +}
> +EXPORT_SYMBOL_GPL(richacl_compute_max_masks);
> diff --git a/include/linux/richacl.h b/include/linux/richacl.h
> index 41819f4..05d79ac 100644
> --- a/include/linux/richacl.h
> +++ b/include/linux/richacl.h
> @@ -290,5 +290,6 @@ extern struct richacl *richacl_alloc(int);
>  extern int richacl_masks_to_mode(const struct richacl *);
>  extern unsigned int richacl_mode_to_mask(mode_t);
>  extern unsigned int richacl_want_to_mask(unsigned int);
> +extern void richacl_compute_max_masks(struct richacl *);
>
>  #endif /* __RICHACL_H */
> --
> 2.1.0
>
>
> From ae450198a6c8cb199f43005757598a41cc50937d Mon Sep 17 00:00:00 2001
> Message-Id: <ae450198a6c8cb199f43005757598a41cc50937d.1424900921.git.agruenba@xxxxxxxxxx>
> In-Reply-To: <cover.1424900921.git.agruenba@xxxxxxxxxx>
> References: <cover.1424900921.git.agruenba@xxxxxxxxxx>
> From: Andreas Gruenbacher <agruenba@xxxxxxxxxx>
> Date: Tue, 1 Apr 2014 18:14:18 +0530
> Subject: [RFC 11/21] richacl: Update the file masks in chmod()
> To: linux-kernel@xxxxxxxxxxxxxxx,
>     linux-fsdevel@xxxxxxxxxxxxxxx,
>     linux-nfs@xxxxxxxxxxxxxxx
>
> Doing a chmod() sets the file mode, which includes the file permission
> bits.  When a file has a richacl, the permissions that the richacl
> grants need to be limited to what the new file permission bits allow.
>
> This is done by setting the file masks in the richacl to what the file
> permission bits map to.  The richacl access check algorithm takes the
> file masks into account, which ensures that the richacl cannot grant too
> many permissions.
>
> It is possible to explicitly add permissions to the file masks which go
> beyond what the file permission bits can grant (like the ACE4_WRITE_ACL
> permission).  The POSIX.1 standard calls this an alternate file access
> control mechanism.  A subsequent chmod() would ensure that those
> permissions are disabled again.
>
> Signed-off-by: Andreas Gruenbacher <agruenba@xxxxxxxxxx>
> ---
>  fs/richacl_base.c       | 40 ++++++++++++++++++++++++++++++++++++++++
>  include/linux/richacl.h |  1 +
>  2 files changed, 41 insertions(+)
>
> diff --git a/fs/richacl_base.c b/fs/richacl_base.c
> index 683bde2..7de2e9e 100644
> --- a/fs/richacl_base.c
> +++ b/fs/richacl_base.c
> @@ -300,3 +300,43 @@ restart:
>         acl->a_flags &= ~ACL4_MASKED;
>  }
>  EXPORT_SYMBOL_GPL(richacl_compute_max_masks);
> +
> +/**
> + * richacl_chmod  -  update the file masks to reflect the new mode
> + * @mode:      new file permission bits
> + *
> + * Return a copy of @acl where the file masks have been replaced by the file
> + * masks corresponding to the file permission bits in @mode, or returns @acl
> + * itself if the file masks are already up to date.  Takes over a reference
> + * to @acl.
> + */
> +struct richacl *
> +richacl_chmod(struct richacl *acl, mode_t mode)
> +{
> +       unsigned int owner_mask, group_mask, other_mask;
> +       struct richacl *clone;
> +
> +       owner_mask = richacl_mode_to_mask(mode >> 6) |
> +                    ACE4_POSIX_OWNER_ALLOWED;
> +       group_mask = richacl_mode_to_mask(mode >> 3);
> +       other_mask = richacl_mode_to_mask(mode);
> +
> +       if (acl->a_owner_mask == owner_mask &&
> +           acl->a_group_mask == group_mask &&
> +           acl->a_other_mask == other_mask &&
> +           (acl->a_flags & ACL4_MASKED))
> +               return acl;
> +
> +       clone = richacl_clone(acl);
> +       richacl_put(acl);
> +       if (!clone)
> +               return ERR_PTR(-ENOMEM);
> +
> +       clone->a_flags |= ACL4_MASKED;
> +       clone->a_owner_mask = owner_mask;
> +       clone->a_group_mask = group_mask;
> +       clone->a_other_mask = other_mask;
> +
> +       return clone;
> +}
> +EXPORT_SYMBOL_GPL(richacl_chmod);
> diff --git a/include/linux/richacl.h b/include/linux/richacl.h
> index 05d79ac..f347125 100644
> --- a/include/linux/richacl.h
> +++ b/include/linux/richacl.h
> @@ -291,5 +291,6 @@ extern int richacl_masks_to_mode(const struct richacl *);
>  extern unsigned int richacl_mode_to_mask(mode_t);
>  extern unsigned int richacl_want_to_mask(unsigned int);
>  extern void richacl_compute_max_masks(struct richacl *);
> +extern struct richacl *richacl_chmod(struct richacl *, mode_t);
>
>  #endif /* __RICHACL_H */
> --
> 2.1.0
>
>
> From 516c44e08972125aee20a90e0399aaefe8e6d553 Mon Sep 17 00:00:00 2001
> Message-Id: <516c44e08972125aee20a90e0399aaefe8e6d553.1424900921.git.agruenba@xxxxxxxxxx>
> In-Reply-To: <cover.1424900921.git.agruenba@xxxxxxxxxx>
> References: <cover.1424900921.git.agruenba@xxxxxxxxxx>
> From: Andreas Gruenbacher <agruenba@xxxxxxxxxx>
> Date: Tue, 1 Apr 2014 18:15:22 +0530
> Subject: [RFC 12/21] richacl: Permission check algorithm
> To: linux-kernel@xxxxxxxxxxxxxxx,
>     linux-fsdevel@xxxxxxxxxxxxxxx,
>     linux-nfs@xxxxxxxxxxxxxxx
>
> A richacl grants a requested access if the NFSv4 acl in the richacl grants the
> requested permissions (according to the NFSv4 permission check algorithm) and
> the file mask that applies to the process includes the requested permissions.
>
> Signed-off-by: Andreas Gruenbacher <agruenba@xxxxxxxxxx>
> ---
>  fs/richacl_base.c       | 112 ++++++++++++++++++++++++++++++++++++++++++++++++
>  include/linux/richacl.h |   1 +
>  2 files changed, 113 insertions(+)
>
> diff --git a/fs/richacl_base.c b/fs/richacl_base.c
> index 7de2e9e..7723bc8 100644
> --- a/fs/richacl_base.c
> +++ b/fs/richacl_base.c
> @@ -340,3 +340,115 @@ richacl_chmod(struct richacl *acl, mode_t mode)
>         return clone;
>  }
>  EXPORT_SYMBOL_GPL(richacl_chmod);
> +
> +/**
> + * richacl_permission  -  richacl permission check algorithm
> + * @inode:     inode to check
> + * @acl:       rich acl of the inode
> + * @want:      requested access (MAY_* flags)
> + *
> + * Checks if the current process is granted @mask flags in @acl.
> + */
> +int
> +richacl_permission(struct inode *inode, const struct richacl *acl,
> +                  int want)
> +{
> +       const struct richace *ace;
> +       unsigned int mask = richacl_want_to_mask(want);
> +       unsigned int requested = mask, denied = 0;
> +       int in_owning_group = in_group_p(inode->i_gid);
> +       int in_owner_or_group_class = in_owning_group;
> +
> +       /*
> +        * We don't need to know which class the process is in when the acl is
> +        * not masked.
> +        */
> +       if (!(acl->a_flags & ACL4_MASKED))
> +               in_owner_or_group_class = 1;
> +
> +       /*
> +        * A process is
> +        *   - in the owner file class if it owns the file,
> +        *   - in the group file class if it is in the file's owning group or
> +        *     it matches any of the user or group entries, and
> +        *   - in the other file class otherwise.
> +        */
> +
> +       /*
> +        * Check if the acl grants the requested access and determine which
> +        * file class the process is in.
> +        */
> +       richacl_for_each_entry(ace, acl) {
> +               unsigned int ace_mask = ace->e_mask;
> +
> +               if (richace_is_inherit_only(ace))
> +                       continue;
> +               if (richace_is_owner(ace)) {
> +                       if (!uid_eq(current_fsuid(), inode->i_uid))
> +                               continue;
> +                       goto is_owner;
> +               } else if (richace_is_group(ace)) {
> +                       if (!in_owning_group)
> +                               continue;
> +               } else if (richace_is_unix_id(ace)) {
> +                       if (ace->e_flags & ACE4_IDENTIFIER_GROUP) {
> +                               if (!in_group_p(make_kgid(current_user_ns(),
> +                                                         ace->e_id)))
> +                                       continue;
> +                       } else {
> +                               if (!uid_eq(current_fsuid(),
> +                                           make_kuid(current_user_ns(),
> +                                                    ace->e_id)))
> +                                       continue;
> +                       }
> +               } else
> +                       goto is_everyone;
> +
> +               /*
> +                * Apply the group file mask to entries other than OWNER@ and
> +                * EVERYONE@. This is not required for correct access checking
> +                * but ensures that we grant the same permissions as the acl
> +                * computed by richacl_apply_masks() would grant.
> +                */
> +               if ((acl->a_flags & ACL4_MASKED) && richace_is_allow(ace))
> +                       ace_mask &= acl->a_group_mask;
> +
> +is_owner:
> +               /* The process is in the owner or group file class. */
> +               in_owner_or_group_class = 1;
> +
> +is_everyone:
> +               /* Check which mask flags the ACE allows or denies. */
> +               if (richace_is_deny(ace))
> +                       denied |= ace_mask & mask;
> +               mask &= ~ace_mask;
> +
> +               /*
> +                * Keep going until we know which file class
> +                * the process is in.
> +                */
> +               if (!mask && in_owner_or_group_class)
> +                       break;
> +       }
> +       denied |= mask;
> +
> +       if (acl->a_flags & ACL4_MASKED) {
> +               unsigned int file_mask;
> +
> +               /*
> +                * The file class a process is in determines which file mask
> +                * applies.  Check if that file mask also grants the requested
> +                * access.
> +                */
> +               if (uid_eq(current_fsuid(), inode->i_uid))
> +                       file_mask = acl->a_owner_mask;
> +               else if (in_owner_or_group_class)
> +                       file_mask = acl->a_group_mask;
> +               else
> +                       file_mask = acl->a_other_mask;
> +               denied |= requested & ~file_mask;
> +       }
> +
> +       return denied ? -EACCES : 0;
> +}
> +EXPORT_SYMBOL_GPL(richacl_permission);
> diff --git a/include/linux/richacl.h b/include/linux/richacl.h
> index f347125..d92e1c2 100644
> --- a/include/linux/richacl.h
> +++ b/include/linux/richacl.h
> @@ -292,5 +292,6 @@ extern unsigned int richacl_mode_to_mask(mode_t);
>  extern unsigned int richacl_want_to_mask(unsigned int);
>  extern void richacl_compute_max_masks(struct richacl *);
>  extern struct richacl *richacl_chmod(struct richacl *, mode_t);
> +extern int richacl_permission(struct inode *, const struct richacl *, int);
>
>  #endif /* __RICHACL_H */
> --
> 2.1.0
>
>
> From 213ba5b03fffbcf6a7ff78a3585568eff7b43527 Mon Sep 17 00:00:00 2001
> Message-Id: <213ba5b03fffbcf6a7ff78a3585568eff7b43527.1424900921.git.agruenba@xxxxxxxxxx>
> In-Reply-To: <cover.1424900921.git.agruenba@xxxxxxxxxx>
> References: <cover.1424900921.git.agruenba@xxxxxxxxxx>
> From: Andreas Gruenbacher <agruenba@xxxxxxxxxx>
> Date: Tue, 1 Apr 2014 18:17:22 +0530
> Subject: [RFC 13/21] richacl: Create-time inheritance
> To: linux-kernel@xxxxxxxxxxxxxxx,
>     linux-fsdevel@xxxxxxxxxxxxxxx,
>     linux-nfs@xxxxxxxxxxxxxxx
>
> When a new file is created, it can inherit an acl from its parent
> directory; this is similar to how default acls work in POSIX (draft)
> ACLs.
>
> As with POSIX ACLs, if a file inherits an acl from its parent directory,
> the intersection between the create mode and the permissions granted by
> the inherited acl determines the file masks and file permission bits,
> and the umask is ignored.
>
> Signed-off-by: Andreas Gruenbacher <agruenba@xxxxxxxxxx>
> ---
>  fs/Makefile             |  2 +-
>  fs/richacl_base.c       | 69 +++++++++++++++++++++++++++++++++++++++++++++++++
>  fs/richacl_inode.c      | 62 ++++++++++++++++++++++++++++++++++++++++++++
>  include/linux/richacl.h |  4 +++
>  4 files changed, 136 insertions(+), 1 deletion(-)
>  create mode 100644 fs/richacl_inode.c
>
> diff --git a/fs/Makefile b/fs/Makefile
> index 8f0a59c..bb96ad7 100644
> --- a/fs/Makefile
> +++ b/fs/Makefile
> @@ -48,7 +48,7 @@ obj-$(CONFIG_SYSCTL)          += drop_caches.o
>
>  obj-$(CONFIG_FHANDLE)          += fhandle.o
>  obj-$(CONFIG_FS_RICHACL)       += richacl.o
> -richacl-y                      := richacl_base.o
> +richacl-y                      := richacl_base.o richacl_inode.o
>
>  obj-y                          += quota/
>
> diff --git a/fs/richacl_base.c b/fs/richacl_base.c
> index 7723bc8..8d9dc2c 100644
> --- a/fs/richacl_base.c
> +++ b/fs/richacl_base.c
> @@ -452,3 +452,72 @@ is_everyone:
>         return denied ? -EACCES : 0;
>  }
>  EXPORT_SYMBOL_GPL(richacl_permission);
> +
> +/**
> + * richacl_inherit  -  compute the inherited acl of a new file
> + * @dir_acl:   acl of the containing directory
> + * @isdir:     inherit by a directory or non-directory?
> + *
> + * A directory can have acl entries which files and/or directories created
> + * inside the directory will inherit.  This function computes the acl for such
> + * a new file.  If there is no inheritable acl, it will return %NULL.
> + */
> +struct richacl *
> +richacl_inherit(const struct richacl *dir_acl, int isdir)
> +{
> +       const struct richace *dir_ace;
> +       struct richacl *acl = NULL;
> +       struct richace *ace;
> +       int count = 0;
> +
> +       if (isdir) {
> +               richacl_for_each_entry(dir_ace, dir_acl) {
> +                       if (!richace_is_inheritable(dir_ace))
> +                               continue;
> +                       count++;
> +               }
> +               if (!count)
> +                       return NULL;
> +               acl = richacl_alloc(count);
> +               if (!acl)
> +                       return ERR_PTR(-ENOMEM);
> +               ace = acl->a_entries;
> +               richacl_for_each_entry(dir_ace, dir_acl) {
> +                       if (!richace_is_inheritable(dir_ace))
> +                               continue;
> +                       memcpy(ace, dir_ace, sizeof(struct richace));
> +                       if (dir_ace->e_flags & ACE4_NO_PROPAGATE_INHERIT_ACE)
> +                               richace_clear_inheritance_flags(ace);
> +                       if ((dir_ace->e_flags & ACE4_FILE_INHERIT_ACE) &&
> +                           !(dir_ace->e_flags & ACE4_DIRECTORY_INHERIT_ACE))
> +                               ace->e_flags |= ACE4_INHERIT_ONLY_ACE;
> +                       ace++;
> +               }
> +       } else {
> +               richacl_for_each_entry(dir_ace, dir_acl) {
> +                       if (!(dir_ace->e_flags & ACE4_FILE_INHERIT_ACE))
> +                               continue;
> +                       count++;
> +               }
> +               if (!count)
> +                       return NULL;
> +               acl = richacl_alloc(count);
> +               if (!acl)
> +                       return ERR_PTR(-ENOMEM);
> +               ace = acl->a_entries;
> +               richacl_for_each_entry(dir_ace, dir_acl) {
> +                       if (!(dir_ace->e_flags & ACE4_FILE_INHERIT_ACE))
> +                               continue;
> +                       memcpy(ace, dir_ace, sizeof(struct richace));
> +                       richace_clear_inheritance_flags(ace);
> +                       /*
> +                        * ACE4_DELETE_CHILD is meaningless for
> +                        * non-directories, so clear it.
> +                        */
> +                       ace->e_mask &= ~ACE4_DELETE_CHILD;
> +                       ace++;
> +               }
> +       }
> +
> +       return acl;
> +}
> diff --git a/fs/richacl_inode.c b/fs/richacl_inode.c
> new file mode 100644
> index 0000000..b95a584
> --- /dev/null
> +++ b/fs/richacl_inode.c
> @@ -0,0 +1,62 @@
> +/*
> + * Copyright (C) 2010  Novell, Inc.
> + * Copyright (C) 2015  Red Hat, Inc.
> + * Written by Andreas Gruenbacher <agruen@xxxxxxxxxx>
> + *
> + * This program is free software; you can redistribute it and/or modify it
> + * under the terms of the GNU General Public License as published by the
> + * Free Software Foundation; either version 2, or (at your option) any
> + * later version.
> + *
> + * This program is distributed in the hope that it will be useful, but
> + * WITHOUT ANY WARRANTY; without even the implied warranty of
> + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
> + * General Public License for more details.
> + */
> +
> +#include <linux/sched.h>
> +#include <linux/module.h>
> +#include <linux/fs.h>
> +#include <linux/richacl.h>
> +
> +/**
> + * richacl_inherit_inode  -  compute inherited acl and file mode
> + * @dir_acl:   acl of the containing directory
> + * @inode:     inode of the new file (create mode in i_mode)
> + *
> + * The file permission bits in inode->i_mode must be set to the create mode by
> + * the caller.
> + *
> + * If there is an inheritable acl, the maximum permissions that the acl grants
> + * will be computed and permissions not granted by the acl will be removed from
> + * inode->i_mode.  If there is no inheritable acl, the umask will be applied
> + * instead.
> + */
> +struct richacl *
> +richacl_inherit_inode(const struct richacl *dir_acl, struct inode *inode)
> +{
> +       struct richacl *acl;
> +       mode_t mask;
> +
> +       acl = richacl_inherit(dir_acl, S_ISDIR(inode->i_mode));
> +       if (acl) {
> +
> +               richacl_compute_max_masks(acl);
> +
> +               /*
> +                * Ensure that the acl will not grant any permissions beyond
> +                * the create mode.
> +                */
> +               acl->a_flags |= ACL4_MASKED;
> +               acl->a_owner_mask &= richacl_mode_to_mask(inode->i_mode >> 6) |
> +                                    ACE4_POSIX_OWNER_ALLOWED;
> +               acl->a_group_mask &= richacl_mode_to_mask(inode->i_mode >> 3);
> +               acl->a_other_mask &= richacl_mode_to_mask(inode->i_mode);
> +               mask = ~S_IRWXUGO | richacl_masks_to_mode(acl);
> +       } else
> +               mask = ~current_umask();
> +
> +       inode->i_mode &= mask;
> +       return acl;
> +}
> +EXPORT_SYMBOL_GPL(richacl_inherit_inode);
> diff --git a/include/linux/richacl.h b/include/linux/richacl.h
> index d92e1c2..fd3eeb4 100644
> --- a/include/linux/richacl.h
> +++ b/include/linux/richacl.h
> @@ -293,5 +293,9 @@ extern unsigned int richacl_want_to_mask(unsigned int);
>  extern void richacl_compute_max_masks(struct richacl *);
>  extern struct richacl *richacl_chmod(struct richacl *, mode_t);
>  extern int richacl_permission(struct inode *, const struct richacl *, int);
> +extern struct richacl *richacl_inherit(const struct richacl *, int);
>
> +/* richacl_inode.c */
> +extern struct richacl *richacl_inherit_inode(const struct richacl *,
> +                                            struct inode *);
>  #endif /* __RICHACL_H */
> --
> 2.1.0
>
>
> From 410d49744f16fb757be06a4c2a9e97b9eb760d70 Mon Sep 17 00:00:00 2001
> Message-Id: <410d49744f16fb757be06a4c2a9e97b9eb760d70.1424900921.git.agruenba@xxxxxxxxxx>
> In-Reply-To: <cover.1424900921.git.agruenba@xxxxxxxxxx>
> References: <cover.1424900921.git.agruenba@xxxxxxxxxx>
> From: Andreas Gruenbacher <agruenba@xxxxxxxxxx>
> Date: Tue, 1 Apr 2014 18:18:38 +0530
> Subject: [RFC 14/21] richacl: Check if an acl is equivalent to a file
>  mode
> To: linux-kernel@xxxxxxxxxxxxxxx,
>     linux-fsdevel@xxxxxxxxxxxxxxx,
>     linux-nfs@xxxxxxxxxxxxxxx
>
> This function is used to avoid storing richacls if the acl can be computed from
> the file permission bits.
>
> Signed-off-by: Andreas Gruenbacher <agruenba@xxxxxxxxxx>
> ---
>  fs/richacl_base.c       | 54 +++++++++++++++++++++++++++++++++++++++++++++++++
>  include/linux/richacl.h |  1 +
>  2 files changed, 55 insertions(+)
>
> diff --git a/fs/richacl_base.c b/fs/richacl_base.c
> index 8d9dc2c..c853f7e 100644
> --- a/fs/richacl_base.c
> +++ b/fs/richacl_base.c
> @@ -521,3 +521,57 @@ richacl_inherit(const struct richacl *dir_acl, int isdir)
>
>         return acl;
>  }
> +
> +/**
> + * richacl_equiv_mode  -  check if @acl is equivalent to file permission bits
> + * @mode_p:    the file mode (including the file type)
> + *
> + * If @acl can be fully represented by file permission bits, this function
> + * returns 0, and the file permission bits in @mode_p are set to the equivalent
> + * of @acl.
> + *
> + * This function is used to avoid storing richacls on disk if the acl can be
> + * computed from the file permission bits.  It allows user-space to make sure
> + * that a file has no explicit richacl set.
> + */
> +int
> +richacl_equiv_mode(const struct richacl *acl, mode_t *mode_p)
> +{
> +       const struct richace *ace = acl->a_entries;
> +       unsigned int x;
> +       mode_t mode;
> +
> +       if (acl->a_count != 1 ||
> +           acl->a_flags != ACL4_MASKED ||
> +           !richace_is_everyone(ace) ||
> +           !richace_is_allow(ace) ||
> +           ace->e_flags & ~ACE4_SPECIAL_WHO)
> +               return -1;
> +
> +       /*
> +        * Figure out the permissions we care about: ACE4_DELETE_CHILD is
> +        * meaningless for non-directories, so we ignore it.
> +        */
> +       x = ~ACE4_POSIX_ALWAYS_ALLOWED;
> +       if (!S_ISDIR(*mode_p))
> +               x &= ~ACE4_DELETE_CHILD;
> +
> +       mode = richacl_masks_to_mode(acl);
> +       if ((acl->a_group_mask & x) != (richacl_mode_to_mask(mode >> 3) & x) ||
> +           (acl->a_other_mask & x) != (richacl_mode_to_mask(mode) & x))
> +               return -1;
> +
> +       /*
> +        * Ignore permissions which the owner is always allowed.
> +        */
> +       x &= ~ACE4_POSIX_OWNER_ALLOWED;
> +       if ((acl->a_owner_mask & x) != (richacl_mode_to_mask(mode >> 6) & x))
> +               return -1;
> +
> +       if ((ace->e_mask & x) != (ACE4_POSIX_MODE_ALL & x))
> +               return -1;
> +
> +       *mode_p = (*mode_p & ~S_IRWXUGO) | mode;
> +       return 0;
> +}
> +EXPORT_SYMBOL_GPL(richacl_equiv_mode);
> diff --git a/include/linux/richacl.h b/include/linux/richacl.h
> index fd3eeb4..39072a0 100644
> --- a/include/linux/richacl.h
> +++ b/include/linux/richacl.h
> @@ -294,6 +294,7 @@ extern void richacl_compute_max_masks(struct richacl *);
>  extern struct richacl *richacl_chmod(struct richacl *, mode_t);
>  extern int richacl_permission(struct inode *, const struct richacl *, int);
>  extern struct richacl *richacl_inherit(const struct richacl *, int);
> +extern int richacl_equiv_mode(const struct richacl *, mode_t *);
>
>  /* richacl_inode.c */
>  extern struct richacl *richacl_inherit_inode(const struct richacl *,
> --
> 2.1.0
>
>
> From 39c338514faf1b135b8515db11c58720f6897e9d Mon Sep 17 00:00:00 2001
> Message-Id: <39c338514faf1b135b8515db11c58720f6897e9d.1424900921.git.agruenba@xxxxxxxxxx>
> In-Reply-To: <cover.1424900921.git.agruenba@xxxxxxxxxx>
> References: <cover.1424900921.git.agruenba@xxxxxxxxxx>
> From: Andreas Gruenbacher <agruenba@xxxxxxxxxx>
> Date: Tue, 1 Apr 2014 18:19:48 +0530
> Subject: [RFC 15/21] richacl: Automatic Inheritance
> To: linux-kernel@xxxxxxxxxxxxxxx,
>     linux-fsdevel@xxxxxxxxxxxxxxx,
>     linux-nfs@xxxxxxxxxxxxxxx
>
> Automatic Inheritance (AI) allows changes to the acl of a directory to
> recursively propagate down to files and directories in the directory.
>
> To implement this, the kernel keeps track of which permissions have been
> inherited, and makes sure that permission propagation is turned off when the
> file permission bits of a file are changed (upon create or chmod).
>
> The actual permission propagation is implemented in user space.
>
> Automatic Inheritance works as follows:
>
>  - When the ACL4_AUTO_INHERIT flag in the acl of a file is not set, the
>    file is not affected by AI.
>
>  - When the ACL4_AUTO_INHERIT flag in the acl of a directory is set and
>    a file or subdirectory is created in that directory, files created in
>    the directory will have the ACL4_AUTO_INHERIT flag set, and all
>    inherited aces will have the ACE4_INHERITED_ACE flag set.  This
>    allows user space to distinguish between aces which have been
>    inherited and aces which have been explicitly added.
>
>  - When the ACL4_PROTECTED acl flag in the acl of a file is set, AI will
>    not modify the acl of the file.  This does not affect propagation of
>    permissions from the file to its children (if the file is a
>    directory).
>
> Linux does not have a way of creating files without setting the file permission
> bits, so all files created inside a directory with ACL4_AUTO_INHERIT set will
> also have the ACL4_PROTECTED flag set.  This effectively disables Automatic
> Inheritance.
>
> Protocols which support creating files without specifying permissions can
> explicitly clear the ACL4_PROTECTED flag after creating a file and reset the
> file masks to "undo" applying the create mode; see richacl_compute_max_masks().
> This is a workaround; a mechanism that would allow a process to indicate to the
> kernel to ignore the create mode when there are inherited permissions would fix
> this problem.
>
> Signed-off-by: Andreas Gruenbacher <agruenba@xxxxxxxxxx>
> ---
>  fs/richacl_base.c       | 10 +++++++++-
>  fs/richacl_inode.c      |  7 ++++++-
>  include/linux/richacl.h | 24 +++++++++++++++++++++++-
>  3 files changed, 38 insertions(+), 3 deletions(-)
>
> diff --git a/fs/richacl_base.c b/fs/richacl_base.c
> index c853f7e..ec570ef 100644
> --- a/fs/richacl_base.c
> +++ b/fs/richacl_base.c
> @@ -324,7 +324,8 @@ richacl_chmod(struct richacl *acl, mode_t mode)
>         if (acl->a_owner_mask == owner_mask &&
>             acl->a_group_mask == group_mask &&
>             acl->a_other_mask == other_mask &&
> -           (acl->a_flags & ACL4_MASKED))
> +           (acl->a_flags & ACL4_MASKED) &&
> +           (!richacl_is_auto_inherit(acl) || richacl_is_protected(acl)))
>                 return acl;
>
>         clone = richacl_clone(acl);
> @@ -336,6 +337,8 @@ richacl_chmod(struct richacl *acl, mode_t mode)
>         clone->a_owner_mask = owner_mask;
>         clone->a_group_mask = group_mask;
>         clone->a_other_mask = other_mask;
> +       if (richacl_is_auto_inherit(clone))
> +               clone->a_flags |= ACL4_PROTECTED;
>
>         return clone;
>  }
> @@ -518,6 +521,11 @@ richacl_inherit(const struct richacl *dir_acl, int isdir)
>                         ace++;
>                 }
>         }
> +       if (richacl_is_auto_inherit(dir_acl)) {
> +               acl->a_flags = ACL4_AUTO_INHERIT;
> +               richacl_for_each_entry(ace, acl)
> +                       ace->e_flags |= ACE4_INHERITED_ACE;
> +       }
>
>         return acl;
>  }
> diff --git a/fs/richacl_inode.c b/fs/richacl_inode.c
> index b95a584..9f96564 100644
> --- a/fs/richacl_inode.c
> +++ b/fs/richacl_inode.c
> @@ -40,9 +40,14 @@ richacl_inherit_inode(const struct richacl *dir_acl, struct inode *inode)
>
>         acl = richacl_inherit(dir_acl, S_ISDIR(inode->i_mode));
>         if (acl) {
> +               /*
> +                * We need to set ACL4_PROTECTED because we are
> +                * doing an implicit chmod
> +                */
> +               if (richacl_is_auto_inherit(acl))
> +                       acl->a_flags |= ACL4_PROTECTED;
>
>                 richacl_compute_max_masks(acl);
> -
>                 /*
>                  * Ensure that the acl will not grant any permissions beyond
>                  * the create mode.
> diff --git a/include/linux/richacl.h b/include/linux/richacl.h
> index 39072a0..a607d6f 100644
> --- a/include/linux/richacl.h
> +++ b/include/linux/richacl.h
> @@ -49,10 +49,17 @@ struct richacl {
>              _ace != (_acl)->a_entries - 1; \
>              _ace--)
>
> +/* a_flags values */
> +#define ACL4_AUTO_INHERIT              0x01
> +#define ACL4_PROTECTED                 0x02
> +#define ACL4_DEFAULTED                 0x04
>  /* Flag values defined by richacls */
>  #define ACL4_MASKED                    0x80
>
>  #define ACL4_VALID_FLAGS (                     \
> +               ACL4_AUTO_INHERIT |             \
> +               ACL4_PROTECTED |                \
> +               ACL4_DEFAULTED |                \
>                 ACL4_MASKED)
>
>  /* e_type values */
> @@ -69,6 +76,7 @@ struct richacl {
>  /*#define ACE4_SUCCESSFUL_ACCESS_ACE_FLAG      0x0010*/
>  /*#define ACE4_FAILED_ACCESS_ACE_FLAG  0x0020*/
>  #define ACE4_IDENTIFIER_GROUP          0x0040
> +#define ACE4_INHERITED_ACE             0x0080
>  /* richacl specific flag values */
>  #define ACE4_SPECIAL_WHO               0x4000
>
> @@ -78,6 +86,7 @@ struct richacl {
>         ACE4_NO_PROPAGATE_INHERIT_ACE |         \
>         ACE4_INHERIT_ONLY_ACE |                 \
>         ACE4_IDENTIFIER_GROUP |                 \
> +       ACE4_INHERITED_ACE |                    \
>         ACE4_SPECIAL_WHO)
>
>  /* e_mask bitflags */
> @@ -184,6 +193,18 @@ richacl_put(struct richacl *acl)
>                 kfree(acl);
>  }
>
> +static inline int
> +richacl_is_auto_inherit(const struct richacl *acl)
> +{
> +       return acl->a_flags & ACL4_AUTO_INHERIT;
> +}
> +
> +static inline int
> +richacl_is_protected(const struct richacl *acl)
> +{
> +       return acl->a_flags & ACL4_PROTECTED;
> +}
> +
>  /**
>   * richace_is_owner  -  check if @ace is an OWNER@ entry
>   */
> @@ -254,7 +275,8 @@ richace_clear_inheritance_flags(struct richace *ace)
>         ace->e_flags &= ~(ACE4_FILE_INHERIT_ACE |
>                           ACE4_DIRECTORY_INHERIT_ACE |
>                           ACE4_NO_PROPAGATE_INHERIT_ACE |
> -                         ACE4_INHERIT_ONLY_ACE);
> +                         ACE4_INHERIT_ONLY_ACE |
> +                         ACE4_INHERITED_ACE);
>  }
>
>  /**
> --
> 2.1.0
>
>
> From 38f525822b15ec67c337cc90659fecb3737a0767 Mon Sep 17 00:00:00 2001
> Message-Id: <38f525822b15ec67c337cc90659fecb3737a0767.1424900921.git.agruenba@xxxxxxxxxx>
> In-Reply-To: <cover.1424900921.git.agruenba@xxxxxxxxxx>
> References: <cover.1424900921.git.agruenba@xxxxxxxxxx>
> From: Andreas Gruenbacher <agruenba@xxxxxxxxxx>
> Date: Tue, 1 Apr 2014 18:20:43 +0530
> Subject: [RFC 16/21] richacl: xattr mapping functions
> To: linux-kernel@xxxxxxxxxxxxxxx,
>     linux-fsdevel@xxxxxxxxxxxxxxx,
>     linux-nfs@xxxxxxxxxxxxxxx
>
> Map between "system.richacl" xattrs and the in-kernel representation.
>
> Signed-off-by: Andreas Gruenbacher <agruenba@xxxxxxxxxx>
> ---
>  fs/Makefile                   |   2 +-
>  fs/richacl_xattr.c            | 131 ++++++++++++++++++++++++++++++++++++++++++
>  include/linux/richacl_xattr.h |  47 +++++++++++++++
>  3 files changed, 179 insertions(+), 1 deletion(-)
>  create mode 100644 fs/richacl_xattr.c
>  create mode 100644 include/linux/richacl_xattr.h
>
> diff --git a/fs/Makefile b/fs/Makefile
> index bb96ad7..6155cc4 100644
> --- a/fs/Makefile
> +++ b/fs/Makefile
> @@ -48,7 +48,7 @@ obj-$(CONFIG_SYSCTL)          += drop_caches.o
>
>  obj-$(CONFIG_FHANDLE)          += fhandle.o
>  obj-$(CONFIG_FS_RICHACL)       += richacl.o
> -richacl-y                      := richacl_base.o richacl_inode.o
> +richacl-y                      := richacl_base.o richacl_inode.o richacl_xattr.o
>
>  obj-y                          += quota/
>
> diff --git a/fs/richacl_xattr.c b/fs/richacl_xattr.c
> new file mode 100644
> index 0000000..05e5e97
> --- /dev/null
> +++ b/fs/richacl_xattr.c
> @@ -0,0 +1,131 @@
> +/*
> + * Copyright (C) 2006, 2010  Novell, Inc.
> + * Copyright (C) 2015  Red Hat, Inc.
> + * Written by Andreas Gruenbacher <agruen@xxxxxxxxxx>
> + *
> + * This program is free software; you can redistribute it and/or modify it
> + * under the terms of the GNU General Public License as published by the
> + * Free Software Foundation; either version 2, or (at your option) any
> + * later version.
> + *
> + * This program is distributed in the hope that it will be useful, but
> + * WITHOUT ANY WARRANTY; without even the implied warranty of
> + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
> + * General Public License for more details.
> + */
> +
> +#include <linux/kernel.h>
> +#include <linux/fs.h>
> +#include <linux/slab.h>
> +#include <linux/module.h>
> +#include <linux/richacl_xattr.h>
> +
> +MODULE_LICENSE("GPL");
> +
> +/**
> + * richacl_from_xattr  -  convert a richacl xattr into the in-memory representation
> + */
> +struct richacl *
> +richacl_from_xattr(const void *value, size_t size)
> +{
> +       const struct richacl_xattr *xattr_acl = value;
> +       const struct richace_xattr *xattr_ace = (void *)(xattr_acl + 1);
> +       struct richacl *acl;
> +       struct richace *ace;
> +       int count;
> +
> +       if (size < sizeof(struct richacl_xattr) ||
> +           xattr_acl->a_version != ACL4_XATTR_VERSION ||
> +           (xattr_acl->a_flags & ~ACL4_VALID_FLAGS))
> +               return ERR_PTR(-EINVAL);
> +
> +       count = le16_to_cpu(xattr_acl->a_count);
> +       if (count > ACL4_XATTR_MAX_COUNT)
> +               return ERR_PTR(-EINVAL);
> +
> +       acl = richacl_alloc(count);
> +       if (!acl)
> +               return ERR_PTR(-ENOMEM);
> +
> +       acl->a_flags = xattr_acl->a_flags;
> +       acl->a_owner_mask = le32_to_cpu(xattr_acl->a_owner_mask);
> +       if (acl->a_owner_mask & ~ACE4_VALID_MASK)
> +               goto fail_einval;
> +       acl->a_group_mask = le32_to_cpu(xattr_acl->a_group_mask);
> +       if (acl->a_group_mask & ~ACE4_VALID_MASK)
> +               goto fail_einval;
> +       acl->a_other_mask = le32_to_cpu(xattr_acl->a_other_mask);
> +       if (acl->a_other_mask & ~ACE4_VALID_MASK)
> +               goto fail_einval;
> +
> +       if (((void *)xattr_ace + count * sizeof(*xattr_ace)) > (value + size))
> +               goto fail_einval;
> +
> +       richacl_for_each_entry(ace, acl) {
> +
> +               ace->e_type  = le16_to_cpu(xattr_ace->e_type);
> +               ace->e_flags = le16_to_cpu(xattr_ace->e_flags);
> +               ace->e_mask  = le32_to_cpu(xattr_ace->e_mask);
> +               ace->e_id    = le32_to_cpu(xattr_ace->e_id);
> +
> +               if (ace->e_flags & ~ACE4_VALID_FLAGS)
> +                       goto fail_einval;
> +               if (ace->e_type > ACE4_ACCESS_DENIED_ACE_TYPE ||
> +                   (ace->e_mask & ~ACE4_VALID_MASK))
> +                       goto fail_einval;
> +
> +               xattr_ace++;
> +       }
> +
> +       return acl;
> +
> +fail_einval:
> +       richacl_put(acl);
> +       return ERR_PTR(-EINVAL);
> +}
> +EXPORT_SYMBOL_GPL(richacl_from_xattr);
> +
> +/**
> + * richacl_xattr_size  -  compute the size of the xattr representation of @acl
> + */
> +size_t
> +richacl_xattr_size(const struct richacl *acl)
> +{
> +       size_t size = sizeof(struct richacl_xattr);
> +
> +       size += sizeof(struct richace_xattr) * acl->a_count;
> +       return size;
> +}
> +EXPORT_SYMBOL_GPL(richacl_xattr_size);
> +
> +/**
> + * richacl_to_xattr  -  convert @acl into its xattr representation
> + * @acl:       the richacl to convert
> + * @buffer:    buffer of size richacl_xattr_size(@acl) for the result
> + */
> +void
> +richacl_to_xattr(const struct richacl *acl, void *buffer)
> +{
> +       struct richacl_xattr *xattr_acl = buffer;
> +       struct richace_xattr *xattr_ace;
> +       const struct richace *ace;
> +
> +       xattr_acl->a_version = ACL4_XATTR_VERSION;
> +       xattr_acl->a_flags = acl->a_flags;
> +       xattr_acl->a_count = cpu_to_le16(acl->a_count);
> +
> +       xattr_acl->a_owner_mask = cpu_to_le32(acl->a_owner_mask);
> +       xattr_acl->a_group_mask = cpu_to_le32(acl->a_group_mask);
> +       xattr_acl->a_other_mask = cpu_to_le32(acl->a_other_mask);
> +
> +       xattr_ace = (void *)(xattr_acl + 1);
> +       richacl_for_each_entry(ace, acl) {
> +               xattr_ace->e_type = cpu_to_le16(ace->e_type);
> +               xattr_ace->e_flags = cpu_to_le16(ace->e_flags &
> +                                                ACE4_VALID_FLAGS);
> +               xattr_ace->e_mask = cpu_to_le32(ace->e_mask);
> +               xattr_ace->e_id = cpu_to_le32(ace->e_id);
> +               xattr_ace++;
> +       }
> +}
> +EXPORT_SYMBOL_GPL(richacl_to_xattr);
> diff --git a/include/linux/richacl_xattr.h b/include/linux/richacl_xattr.h
> new file mode 100644
> index 0000000..32ae512
> --- /dev/null
> +++ b/include/linux/richacl_xattr.h
> @@ -0,0 +1,47 @@
> +/*
> + * Copyright (C) 2006, 2010  Novell, Inc.
> + * Copyright (C) 2015  Red Hat, Inc.
> + * Written by Andreas Gruenbacher <agruen@xxxxxxxxxx>
> + *
> + * This program is free software; you can redistribute it and/or modify it
> + * under the terms of the GNU General Public License as published by the
> + * Free Software Foundation; either version 2, or (at your option) any
> + * later version.
> + *
> + * This program is distributed in the hope that it will be useful, but
> + * WITHOUT ANY WARRANTY; without even the implied warranty of
> + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
> + * General Public License for more details.
> + */
> +
> +#ifndef __RICHACL_XATTR_H
> +#define __RICHACL_XATTR_H
> +
> +#include <linux/richacl.h>
> +
> +#define RICHACL_XATTR "system.richacl"
> +
> +struct richace_xattr {
> +       __le16          e_type;
> +       __le16          e_flags;
> +       __le32          e_mask;
> +       __le32          e_id;
> +};
> +
> +struct richacl_xattr {
> +       unsigned char   a_version;
> +       unsigned char   a_flags;
> +       __le16          a_count;
> +       __le32          a_owner_mask;
> +       __le32          a_group_mask;
> +       __le32          a_other_mask;
> +};
> +
> +#define ACL4_XATTR_VERSION     0
> +#define ACL4_XATTR_MAX_COUNT   1024
> +
> +extern struct richacl *richacl_from_xattr(const void *, size_t);
> +extern size_t richacl_xattr_size(const struct richacl *acl);
> +extern void richacl_to_xattr(const struct richacl *, void *);
> +
> +#endif /* __RICHACL_XATTR_H */
> --
> 2.1.0
>
>
> From ae174bdfb12f44f592301bec7c0e69688bb4d3b7 Mon Sep 17 00:00:00 2001
> Message-Id: <ae174bdfb12f44f592301bec7c0e69688bb4d3b7.1424900921.git.agruenba@xxxxxxxxxx>
> In-Reply-To: <cover.1424900921.git.agruenba@xxxxxxxxxx>
> References: <cover.1424900921.git.agruenba@xxxxxxxxxx>
> From: Andreas Gruenbacher <agruenba@xxxxxxxxxx>
> Date: Sat, 14 Feb 2015 19:31:38 +0100
> Subject: [RFC 17/21] vfs: Cache base_acl objects in inodes
> To: linux-kernel@xxxxxxxxxxxxxxx,
>     linux-fsdevel@xxxxxxxxxxxxxxx,
>     linux-nfs@xxxxxxxxxxxxxxx
>
> POSIX ACLs and richacls are both objects allocated by kmalloc() with a
> reference count which are freed by kfree_rcu().  An inode can either cache an
> access and a default POSIX ACL, or a richacl.  (Richacls do not have default
> acls).  To allow an inode to cache either of the two kinds of acls, introduce a
> new base_acl type and convert i_acl and i_default_acl to that type. In most
> cases, the vfs then doesn't have to care which kind of acl an inode caches (if
> any).
>
> Signed-off-by: Andreas Gruenbacher <agruenba@xxxxxxxxxx>
> ---
>  drivers/staging/lustre/lustre/llite/llite_lib.c |  2 +-
>  fs/f2fs/acl.c                                   |  4 ++--
>  fs/inode.c                                      |  4 ++--
>  fs/posix_acl.c                                  | 18 +++++++++---------
>  include/linux/fs.h                              | 22 +++++++++++++++++++---
>  include/linux/posix_acl.h                       |  9 ++++-----
>  include/linux/richacl.h                         |  2 +-
>  7 files changed, 38 insertions(+), 23 deletions(-)
>
> diff --git a/drivers/staging/lustre/lustre/llite/llite_lib.c b/drivers/staging/lustre/lustre/llite/llite_lib.c
> index 0c1b583..c8cae33 100644
> --- a/drivers/staging/lustre/lustre/llite/llite_lib.c
> +++ b/drivers/staging/lustre/lustre/llite/llite_lib.c
> @@ -1145,7 +1145,7 @@ void ll_clear_inode(struct inode *inode)
>         }
>  #ifdef CONFIG_FS_POSIX_ACL
>         else if (lli->lli_posix_acl) {
> -               LASSERT(atomic_read(&lli->lli_posix_acl->a_refcount) == 1);
> +               LASSERT(atomic_read(&lli->lli_posix_acl->a_base.ba_refcount) == 1);
>                 LASSERT(lli->lli_remote_perms == NULL);
>                 posix_acl_release(lli->lli_posix_acl);
>                 lli->lli_posix_acl = NULL;
> diff --git a/fs/f2fs/acl.c b/fs/f2fs/acl.c
> index 7422027..ccb2c7c 100644
> --- a/fs/f2fs/acl.c
> +++ b/fs/f2fs/acl.c
> @@ -270,7 +270,7 @@ static struct posix_acl *f2fs_acl_clone(const struct posix_acl *acl,
>                                 sizeof(struct posix_acl_entry);
>                 clone = kmemdup(acl, size, flags);
>                 if (clone)
> -                       atomic_set(&clone->a_refcount, 1);
> +                       atomic_set(&clone->a_base.ba_refcount, 1);
>         }
>         return clone;
>  }
> @@ -282,7 +282,7 @@ static int f2fs_acl_create_masq(struct posix_acl *acl, umode_t *mode_p)
>         umode_t mode = *mode_p;
>         int not_equiv = 0;
>
> -       /* assert(atomic_read(acl->a_refcount) == 1); */
> +       /* assert(atomic_read(acl->a_base.ba_refcount) == 1); */
>
>         FOREACH_ACL_ENTRY(pa, acl, pe) {
>                 switch(pa->e_tag) {
> diff --git a/fs/inode.c b/fs/inode.c
> index f00b16f..555fe9c 100644
> --- a/fs/inode.c
> +++ b/fs/inode.c
> @@ -233,9 +233,9 @@ void __destroy_inode(struct inode *inode)
>
>  #ifdef CONFIG_FS_POSIX_ACL
>         if (inode->i_acl && inode->i_acl != ACL_NOT_CACHED)
> -               posix_acl_release(inode->i_acl);
> +               put_base_acl(inode->i_acl);
>         if (inode->i_default_acl && inode->i_default_acl != ACL_NOT_CACHED)
> -               posix_acl_release(inode->i_default_acl);
> +               put_base_acl(inode->i_default_acl);
>  #endif
>         this_cpu_dec(nr_inodes);
>  }
> diff --git a/fs/posix_acl.c b/fs/posix_acl.c
> index efe983e..2fbfec8 100644
> --- a/fs/posix_acl.c
> +++ b/fs/posix_acl.c
> @@ -25,9 +25,9 @@ struct posix_acl **acl_by_type(struct inode *inode, int type)
>  {
>         switch (type) {
>         case ACL_TYPE_ACCESS:
> -               return &inode->i_acl;
> +               return (struct posix_acl **)&inode->i_acl;
>         case ACL_TYPE_DEFAULT:
> -               return &inode->i_default_acl;
> +               return (struct posix_acl **)&inode->i_default_acl;
>         default:
>                 BUG();
>         }
> @@ -83,16 +83,16 @@ EXPORT_SYMBOL(forget_cached_acl);
>
>  void forget_all_cached_acls(struct inode *inode)
>  {
> -       struct posix_acl *old_access, *old_default;
> +       struct base_acl *old_access, *old_default;
>         spin_lock(&inode->i_lock);
>         old_access = inode->i_acl;
>         old_default = inode->i_default_acl;
>         inode->i_acl = inode->i_default_acl = ACL_NOT_CACHED;
>         spin_unlock(&inode->i_lock);
>         if (old_access != ACL_NOT_CACHED)
> -               posix_acl_release(old_access);
> +               put_base_acl(old_access);
>         if (old_default != ACL_NOT_CACHED)
> -               posix_acl_release(old_default);
> +               put_base_acl(old_default);
>  }
>  EXPORT_SYMBOL(forget_all_cached_acls);
>
> @@ -129,7 +129,7 @@ EXPORT_SYMBOL(get_acl);
>  void
>  posix_acl_init(struct posix_acl *acl, int count)
>  {
> -       atomic_set(&acl->a_refcount, 1);
> +       atomic_set(&acl->a_base.ba_refcount, 1);
>         acl->a_count = count;
>  }
>  EXPORT_SYMBOL(posix_acl_init);
> @@ -163,7 +163,7 @@ posix_acl_clone(const struct posix_acl *acl, gfp_t flags)
>                            sizeof(struct posix_acl_entry);
>                 clone = kmemdup(acl, size, flags);
>                 if (clone)
> -                       atomic_set(&clone->a_refcount, 1);
> +                       atomic_set(&clone->a_base.ba_refcount, 1);
>         }
>         return clone;
>  }
> @@ -385,7 +385,7 @@ static int posix_acl_create_masq(struct posix_acl *acl, umode_t *mode_p)
>         umode_t mode = *mode_p;
>         int not_equiv = 0;
>
> -       /* assert(atomic_read(acl->a_refcount) == 1); */
> +       /* assert(atomic_read(acl->a_base.ba_refcount) == 1); */
>
>         FOREACH_ACL_ENTRY(pa, acl, pe) {
>                  switch(pa->e_tag) {
> @@ -440,7 +440,7 @@ static int __posix_acl_chmod_masq(struct posix_acl *acl, umode_t mode)
>         struct posix_acl_entry *group_obj = NULL, *mask_obj = NULL;
>         struct posix_acl_entry *pa, *pe;
>
> -       /* assert(atomic_read(acl->a_refcount) == 1); */
> +       /* assert(atomic_read(acl->a_base.ba_refcount) == 1); */
>
>         FOREACH_ACL_ENTRY(pa, acl, pe) {
>                 switch(pa->e_tag) {
> diff --git a/include/linux/fs.h b/include/linux/fs.h
> index e3e1e42..518b990 100644
> --- a/include/linux/fs.h
> +++ b/include/linux/fs.h
> @@ -547,6 +547,9 @@ static inline void mapping_allow_writable(struct address_space *mapping)
>  #define i_size_ordered_init(inode) do { } while (0)
>  #endif
>
> +struct base_acl {
> +       atomic_t ba_refcount;
> +};
>  struct posix_acl;
>  #define ACL_NOT_CACHED ((void *)(-1))
>
> @@ -566,9 +569,9 @@ struct inode {
>         kgid_t                  i_gid;
>         unsigned int            i_flags;
>
> -#ifdef CONFIG_FS_POSIX_ACL
> -       struct posix_acl        *i_acl;
> -       struct posix_acl        *i_default_acl;
> +#if defined(CONFIG_FS_POSIX_ACL)
> +       struct base_acl *i_acl;
> +       struct base_acl *i_default_acl;
>  #endif
>
>         const struct inode_operations   *i_op;
> @@ -2936,4 +2939,17 @@ static inline bool dir_relax(struct inode *inode)
>         return !IS_DEADDIR(inode);
>  }
>
> +static inline struct base_acl *get_base_acl(struct base_acl *acl)
> +{
> +       if (acl)
> +               atomic_inc(&acl->ba_refcount);
> +       return acl;
> +}
> +
> +static inline void put_base_acl(struct base_acl *acl)
> +{
> +       if (acl && atomic_dec_and_test(&acl->ba_refcount))
> +               __kfree_rcu((struct rcu_head *)acl, 0);
> +}
> +
>  #endif /* _LINUX_FS_H */
> diff --git a/include/linux/posix_acl.h b/include/linux/posix_acl.h
> index 66cf477..2c46441 100644
> --- a/include/linux/posix_acl.h
> +++ b/include/linux/posix_acl.h
> @@ -43,7 +43,7 @@ struct posix_acl_entry {
>  };
>
>  struct posix_acl {
> -       atomic_t                a_refcount;
> +       struct base_acl         a_base;
>         unsigned int            a_count;
>         struct posix_acl_entry  a_entries[0];
>  };
> @@ -58,8 +58,7 @@ struct posix_acl {
>  static inline struct posix_acl *
>  posix_acl_dup(struct posix_acl *acl)
>  {
> -       if (acl)
> -               atomic_inc(&acl->a_refcount);
> +       get_base_acl(&acl->a_base);
>         return acl;
>  }
>
> @@ -69,8 +68,8 @@ posix_acl_dup(struct posix_acl *acl)
>  static inline void
>  posix_acl_release(struct posix_acl *acl)
>  {
> -       if (acl && atomic_dec_and_test(&acl->a_refcount))
> -               __kfree_rcu((struct rcu_head *)acl, 0);
> +       BUILD_BUG_ON(offsetof(struct posix_acl, a_base) != 0);
> +       put_base_acl(&acl->a_base);
>  }
>
>
> diff --git a/include/linux/richacl.h b/include/linux/richacl.h
> index a607d6f..60568c5 100644
> --- a/include/linux/richacl.h
> +++ b/include/linux/richacl.h
> @@ -179,7 +179,7 @@ static inline struct richacl *
>  richacl_get(struct richacl *acl)
>  {
>         if (acl)
> -               atomic_inc(&acl->a_refcount);
> +               atomic_inc(&acl->a_base.ba_refcount);
>         return acl;
>  }
>
> --
> 2.1.0
>
>
> From 3f5c803548a9fc24f1b7f0be25524fb6bd41ccdd Mon Sep 17 00:00:00 2001
> Message-Id: <3f5c803548a9fc24f1b7f0be25524fb6bd41ccdd.1424900921.git.agruenba@xxxxxxxxxx>
> In-Reply-To: <cover.1424900921.git.agruenba@xxxxxxxxxx>
> References: <cover.1424900921.git.agruenba@xxxxxxxxxx>
> From: Andreas Gruenbacher <agruenba@xxxxxxxxxx>
> Date: Tue, 1 Apr 2014 19:28:44 +0530
> Subject: [RFC 18/21] vfs: Cache richacl in struct inode
> To: linux-kernel@xxxxxxxxxxxxxxx,
>     linux-fsdevel@xxxxxxxxxxxxxxx,
>     linux-nfs@xxxxxxxxxxxxxxx
>
> Cache richacls in struct inode so that this doesn't have to be done
> individually in each filesystem.  This is similar to POSIX ACLs.
>
> Signed-off-by: Andreas Gruenbacher <agruenba@xxxxxxxxxx>
> ---
>  fs/inode.c              | 11 +++++--
>  fs/posix_acl.c          |  2 +-
>  fs/richacl_base.c       | 81 +++++++++++++++++++++++++++++++++++++++++++++++--
>  include/linux/fs.h      |  6 +++-
>  include/linux/richacl.h | 15 ++++++---
>  5 files changed, 102 insertions(+), 13 deletions(-)
>
> diff --git a/fs/inode.c b/fs/inode.c
> index 555fe9c..5272412 100644
> --- a/fs/inode.c
> +++ b/fs/inode.c
> @@ -175,8 +175,11 @@ int inode_init_always(struct super_block *sb, struct inode *inode)
>         inode->i_private = NULL;
>         inode->i_mapping = mapping;
>         INIT_HLIST_HEAD(&inode->i_dentry);      /* buggered by rcu freeing */
> -#ifdef CONFIG_FS_POSIX_ACL
> -       inode->i_acl = inode->i_default_acl = ACL_NOT_CACHED;
> +#if defined(CONFIG_FS_POSIX_ACL) || defined(CONFIG_FS_RICHACL)
> +       inode->i_acl = ACL_NOT_CACHED;
> +# if defined(CONFIG_FS_POSIX_ACL)
> +       inode->i_default_acl = ACL_NOT_CACHED;
> +# endif
>  #endif
>
>  #ifdef CONFIG_FSNOTIFY
> @@ -231,11 +234,13 @@ void __destroy_inode(struct inode *inode)
>                 atomic_long_dec(&inode->i_sb->s_remove_count);
>         }
>
> -#ifdef CONFIG_FS_POSIX_ACL
> +#if defined(CONFIG_FS_POSIX_ACL) || defined(CONFIG_FS_RICHACL)
>         if (inode->i_acl && inode->i_acl != ACL_NOT_CACHED)
>                 put_base_acl(inode->i_acl);
> +# if defined(CONFIG_FS_POSIX_ACL)
>         if (inode->i_default_acl && inode->i_default_acl != ACL_NOT_CACHED)
>                 put_base_acl(inode->i_default_acl);
> +# endif
>  #endif
>         this_cpu_dec(nr_inodes);
>  }
> diff --git a/fs/posix_acl.c b/fs/posix_acl.c
> index 2fbfec8..ebf96b2 100644
> --- a/fs/posix_acl.c
> +++ b/fs/posix_acl.c
> @@ -38,7 +38,7 @@ struct posix_acl *get_cached_acl(struct inode *inode, int type)
>  {
>         struct posix_acl **p = acl_by_type(inode, type);
>         struct posix_acl *acl = ACCESS_ONCE(*p);
> -       if (acl) {
> +       if (acl && IS_POSIXACL(inode)) {
>                 spin_lock(&inode->i_lock);
>                 acl = *p;
>                 if (acl != ACL_NOT_CACHED)
> diff --git a/fs/richacl_base.c b/fs/richacl_base.c
> index ec570ef..ea53ad5 100644
> --- a/fs/richacl_base.c
> +++ b/fs/richacl_base.c
> @@ -21,6 +21,79 @@
>
>  MODULE_LICENSE("GPL");
>
> +struct richacl *get_cached_richacl(struct inode *inode)
> +{
> +       struct richacl *acl;
> +
> +       acl = (struct richacl *)ACCESS_ONCE(inode->i_acl);
> +       if (acl && IS_RICHACL(inode)) {
> +               spin_lock(&inode->i_lock);
> +               acl = (struct richacl *)inode->i_acl;
> +               if (acl != ACL_NOT_CACHED)
> +                       acl = richacl_get(acl);
> +               spin_unlock(&inode->i_lock);
> +       }
> +       return acl;
> +}
> +EXPORT_SYMBOL(get_cached_richacl);
> +
> +struct richacl *get_cached_richacl_rcu(struct inode *inode)
> +{
> +       return (struct richacl *)rcu_dereference(inode->i_acl);
> +}
> +EXPORT_SYMBOL(get_cached_richacl_rcu);
> +
> +void set_cached_richacl(struct inode *inode, struct richacl *acl)
> +{
> +       struct base_acl *old = NULL;
> +       spin_lock(&inode->i_lock);
> +       old = inode->i_acl;
> +       inode->i_acl = &(richacl_get(acl)->a_base);
> +       spin_unlock(&inode->i_lock);
> +       if (old != ACL_NOT_CACHED)
> +               put_base_acl(old);
> +}
> +EXPORT_SYMBOL(set_cached_richacl);
> +
> +void forget_cached_richacl(struct inode *inode)
> +{
> +       struct base_acl *old = NULL;
> +       spin_lock(&inode->i_lock);
> +       old = inode->i_acl;
> +       inode->i_acl = ACL_NOT_CACHED;
> +       spin_unlock(&inode->i_lock);
> +       if (old != ACL_NOT_CACHED)
> +               put_base_acl(old);
> +}
> +EXPORT_SYMBOL(forget_cached_richacl);
> +
> +struct richacl *get_richacl(struct inode *inode)
> +{
> +       struct richacl *acl;
> +
> +       acl = get_cached_richacl(inode);
> +       if (acl != ACL_NOT_CACHED)
> +               return acl;
> +
> +       if (!IS_RICHACL(inode))
> +               return NULL;
> +
> +       /*
> +        * A filesystem can force a ACL callback by just never filling the
> +        * ACL cache. But normally you'd fill the cache either at inode
> +        * instantiation time, or on the first ->get_richacl call.
> +        *
> +        * If the filesystem doesn't have a get_richacl() function at all,
> +        * we'll just create the negative cache entry.
> +        */
> +       if (!inode->i_op->get_richacl) {
> +               set_cached_richacl(inode, NULL);
> +               return NULL;
> +       }
> +       return inode->i_op->get_richacl(inode);
> +}
> +EXPORT_SYMBOL_GPL(get_richacl);
> +
>  /**
>   * richacl_alloc  -  allocate a richacl
>   * @count:     number of entries
> @@ -28,11 +101,13 @@ MODULE_LICENSE("GPL");
>  struct richacl *
>  richacl_alloc(int count)
>  {
> -       size_t size = sizeof(struct richacl) + count * sizeof(struct richace);
> +       size_t size = max(sizeof(struct rcu_head),
> +               sizeof(struct richacl) +
> +               count * sizeof(struct richace));
>         struct richacl *acl = kzalloc(size, GFP_KERNEL);
>
>         if (acl) {
> -               atomic_set(&acl->a_refcount, 1);
> +               atomic_set(&acl->a_base.ba_refcount, 1);
>                 acl->a_count = count;
>         }
>         return acl;
> @@ -51,7 +126,7 @@ richacl_clone(const struct richacl *acl)
>
>         if (dup) {
>                 memcpy(dup, acl, size);
> -               atomic_set(&dup->a_refcount, 1);
> +               atomic_set(&dup->a_base.ba_refcount, 1);
>         }
>         return dup;
>  }
> diff --git a/include/linux/fs.h b/include/linux/fs.h
> index 518b990..e3f27b5 100644
> --- a/include/linux/fs.h
> +++ b/include/linux/fs.h
> @@ -551,6 +551,7 @@ struct base_acl {
>         atomic_t ba_refcount;
>  };
>  struct posix_acl;
> +struct richacl;
>  #define ACL_NOT_CACHED ((void *)(-1))
>
>  #define IOP_FASTPERM   0x0001
> @@ -569,9 +570,11 @@ struct inode {
>         kgid_t                  i_gid;
>         unsigned int            i_flags;
>
> -#if defined(CONFIG_FS_POSIX_ACL)
> +#if defined(CONFIG_FS_POSIX_ACL) || defined(CONFIG_FS_RICHACL)
>         struct base_acl *i_acl;
> +# if defined(CONFIG_FS_POSIX_ACL)
>         struct base_acl *i_default_acl;
> +# endif
>  #endif
>
>         const struct inode_operations   *i_op;
> @@ -1586,6 +1589,7 @@ struct inode_operations {
>         void * (*follow_link) (struct dentry *, struct nameidata *);
>         int (*permission) (struct inode *, int);
>         struct posix_acl * (*get_acl)(struct inode *, int);
> +       struct richacl * (*get_richacl)(struct inode *);
>
>         int (*readlink) (struct dentry *, char __user *,int);
>         void (*put_link) (struct dentry *, struct nameidata *, void *);
> diff --git a/include/linux/richacl.h b/include/linux/richacl.h
> index 60568c5..b314643 100644
> --- a/include/linux/richacl.h
> +++ b/include/linux/richacl.h
> @@ -30,7 +30,7 @@ struct richace {
>  };
>
>  struct richacl {
> -       atomic_t        a_refcount;
> +       struct base_acl a_base;
>         unsigned int    a_owner_mask;
>         unsigned int    a_group_mask;
>         unsigned int    a_other_mask;
> @@ -178,8 +178,7 @@ struct richacl {
>  static inline struct richacl *
>  richacl_get(struct richacl *acl)
>  {
> -       if (acl)
> -               atomic_inc(&acl->a_base.ba_refcount);
> +       get_base_acl(&acl->a_base);
>         return acl;
>  }
>
> @@ -189,10 +188,16 @@ richacl_get(struct richacl *acl)
>  static inline void
>  richacl_put(struct richacl *acl)
>  {
> -       if (acl && atomic_dec_and_test(&acl->a_refcount))
> -               kfree(acl);
> +       BUILD_BUG_ON(offsetof(struct richacl, a_base) != 0);
> +       put_base_acl(&acl->a_base);
>  }
>
> +extern struct richacl *get_cached_richacl(struct inode *);
> +extern struct richacl *get_cached_richacl_rcu(struct inode *);
> +extern void set_cached_richacl(struct inode *, struct richacl *);
> +extern void forget_cached_richacl(struct inode *);
> +extern struct richacl *get_richacl(struct inode *);
> +
>  static inline int
>  richacl_is_auto_inherit(const struct richacl *acl)
>  {
> --
> 2.1.0
>
>
> From b467e4dcfbff041accd57839765468c4042a20c5 Mon Sep 17 00:00:00 2001
> Message-Id: <b467e4dcfbff041accd57839765468c4042a20c5.1424900921.git.agruenba@xxxxxxxxxx>
> In-Reply-To: <cover.1424900921.git.agruenba@xxxxxxxxxx>
> References: <cover.1424900921.git.agruenba@xxxxxxxxxx>
> From: Andreas Gruenbacher <agruenba@xxxxxxxxxx>
> Date: Tue, 1 Apr 2014 18:08:42 +0530
> Subject: [RFC 19/21] vfs: Add richacl permission checking
> To: linux-kernel@xxxxxxxxxxxxxxx,
>     linux-fsdevel@xxxxxxxxxxxxxxx,
>     linux-nfs@xxxxxxxxxxxxxxx
>
> Hook the richacl permission checking function into the vfs.
>
> Signed-off-by: Andreas Gruenbacher <agruenba@xxxxxxxxxx>
> ---
>  fs/namei.c     | 51 +++++++++++++++++++++++++++++++++++++++++++++++++--
>  fs/posix_acl.c |  6 +++---
>  2 files changed, 52 insertions(+), 5 deletions(-)
>
> diff --git a/fs/namei.c b/fs/namei.c
> index a8d1674..d5b4fcd 100644
> --- a/fs/namei.c
> +++ b/fs/namei.c
> @@ -35,6 +35,7 @@
>  #include <linux/fs_struct.h>
>  #include <linux/posix_acl.h>
>  #include <linux/hash.h>
> +#include <linux/richacl.h>
>  #include <asm/uaccess.h>
>
>  #include "internal.h"
> @@ -256,7 +257,40 @@ void putname(struct filename *name)
>                 __putname(name);
>  }
>
> -static int check_acl(struct inode *inode, int mask)
> +static int check_richacl(struct inode *inode, int mask)
> +{
> +#ifdef CONFIG_FS_RICHACL
> +       struct richacl *acl;
> +
> +       if (mask & MAY_NOT_BLOCK) {
> +               acl = get_cached_richacl_rcu(inode);
> +               if (!acl)
> +                       goto no_acl;
> +               /* no ->get_richacl() calls in RCU mode... */
> +               if (acl == ACL_NOT_CACHED)
> +                       return -ECHILD;
> +               return richacl_permission(inode, acl, mask & ~MAY_NOT_BLOCK);
> +       }
> +
> +       acl = get_richacl(inode);
> +       if (IS_ERR(acl))
> +               return PTR_ERR(acl);
> +       if (acl) {
> +               int error = richacl_permission(inode, acl, mask);
> +               richacl_put(acl);
> +               return error;
> +       }
> +no_acl:
> +#endif
> +       if (mask & (MAY_DELETE_SELF | MAY_TAKE_OWNERSHIP |
> +                   MAY_CHMOD | MAY_SET_TIMES)) {
> +               /* File permission bits cannot grant this. */
> +               return -EACCES;
> +       }
> +       return -EAGAIN;
> +}
> +
> +static int check_posix_acl(struct inode *inode, int mask)
>  {
>  #ifdef CONFIG_FS_POSIX_ACL
>         struct posix_acl *acl;
> @@ -291,11 +325,24 @@ static int acl_permission_check(struct inode *inode, int mask)
>  {
>         unsigned int mode = inode->i_mode;
>
> +       /*
> +        * With POSIX ACLs, the (mode & S_IRWXU) bits exactly match the owner
> +        * permissions, and we can skip checking posix acls for the owner.
> +        * With richacls, the owner may be granted fewer permissions than the
> +        * mode bits seem to suggest (for example, append but not write), and
> +        * we always need to check the richacl.
> +        */
> +
> +       if (IS_RICHACL(inode)) {
> +               int error = check_richacl(inode, mask);
> +               if (error != -EAGAIN)
> +                       return error;
> +       }
>         if (likely(uid_eq(current_fsuid(), inode->i_uid)))
>                 mode >>= 6;
>         else {
>                 if (IS_POSIXACL(inode) && (mode & S_IRWXG)) {
> -                       int error = check_acl(inode, mask);
> +                       int error = check_posix_acl(inode, mask);
>                         if (error != -EAGAIN)
>                                 return error;
>                 }
> diff --git a/fs/posix_acl.c b/fs/posix_acl.c
> index ebf96b2..16464f0 100644
> --- a/fs/posix_acl.c
> +++ b/fs/posix_acl.c
> @@ -100,13 +100,13 @@ struct posix_acl *get_acl(struct inode *inode, int type)
>  {
>         struct posix_acl *acl;
>
> +       if (!IS_POSIXACL(inode))
> +               return NULL;
> +
>         acl = get_cached_acl(inode, type);
>         if (acl != ACL_NOT_CACHED)
>                 return acl;
>
> -       if (!IS_POSIXACL(inode))
> -               return NULL;
> -
>         /*
>          * A filesystem can force a ACL callback by just never filling the
>          * ACL cache. But normally you'd fill the cache either at inode
> --
> 2.1.0
>
>
> From c6043a752cec38940291b0caca452826afb1fa04 Mon Sep 17 00:00:00 2001
> Message-Id: <c6043a752cec38940291b0caca452826afb1fa04.1424900921.git.agruenba@xxxxxxxxxx>
> In-Reply-To: <cover.1424900921.git.agruenba@xxxxxxxxxx>
> References: <cover.1424900921.git.agruenba@xxxxxxxxxx>
> From: "Aneesh Kumar K.V" <aneesh.kumar@xxxxxxxxxxxxxxxxxx>
> Date: Wed, 23 Apr 2014 20:54:41 +0530
> Subject: [RFC 20/21] ext4: Implement rich acl for ext4
> To: linux-kernel@xxxxxxxxxxxxxxx,
>     linux-fsdevel@xxxxxxxxxxxxxxx,
>     linux-nfs@xxxxxxxxxxxxxxx
>
> Support the richacl permission model in ext4.  The richacls are stored in
> "system.richacl" xattrs.  Richacls need to be enabled by tune2fs or at file
> system create time.
>
> Signed-off-by: Andreas Gruenbacher <agruenba@xxxxxxxxxx>
> ---
>  fs/ext4/Kconfig   |  15 ++++
>  fs/ext4/Makefile  |   1 +
>  fs/ext4/acl.c     |   7 +-
>  fs/ext4/acl.h     |  12 +--
>  fs/ext4/file.c    |   6 +-
>  fs/ext4/ialloc.c  |   7 +-
>  fs/ext4/inode.c   |  10 ++-
>  fs/ext4/namei.c   |  11 ++-
>  fs/ext4/richacl.c | 229 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
>  fs/ext4/richacl.h |  47 +++++++++++
>  fs/ext4/xattr.c   |   6 ++
>  fs/ext4/xattr.h   |   1 +
>  12 files changed, 332 insertions(+), 20 deletions(-)
>  create mode 100644 fs/ext4/richacl.c
>  create mode 100644 fs/ext4/richacl.h
>
> diff --git a/fs/ext4/Kconfig b/fs/ext4/Kconfig
> index efea5d5..8c821d2 100644
> --- a/fs/ext4/Kconfig
> +++ b/fs/ext4/Kconfig
> @@ -73,3 +73,18 @@ config EXT4_DEBUG
>           If you select Y here, then you will be able to turn on debugging
>           with a command such as:
>                 echo 1 > /sys/module/ext4/parameters/mballoc_debug
> +
> +config EXT4_FS_RICHACL
> +       bool "Ext4 Rich Access Control Lists (EXPERIMENTAL)"
> +       depends on EXT4_FS
> +       select FS_RICHACL
> +       help
> +         Rich ACLs are an implementation of NFSv4 ACLs, extended by file masks
> +         to fit into the standard POSIX file permission model.  They are
> +         designed to work seamlessly locally as well as across the NFSv4 and
> +         CIFS/SMB2 network file system protocols.
> +
> +         To learn more about Rich ACL, visit
> +         http://acl.bestbits.at/richacl/
> +
> +         If you don't know what Rich ACLs are, say N
> diff --git a/fs/ext4/Makefile b/fs/ext4/Makefile
> index 0310fec..b9a3e2e 100644
> --- a/fs/ext4/Makefile
> +++ b/fs/ext4/Makefile
> @@ -12,3 +12,4 @@ ext4-y        := balloc.o bitmap.o dir.o file.o fsync.o ialloc.o inode.o page-io.o \
>
>  ext4-$(CONFIG_EXT4_FS_POSIX_ACL)       += acl.o
>  ext4-$(CONFIG_EXT4_FS_SECURITY)                += xattr_security.o
> +ext4-$(CONFIG_EXT4_FS_RICHACL)                 += richacl.o
> diff --git a/fs/ext4/acl.c b/fs/ext4/acl.c
> index d40c8db..7c508f7 100644
> --- a/fs/ext4/acl.c
> +++ b/fs/ext4/acl.c
> @@ -144,8 +144,7 @@ fail:
>   *
>   * inode->i_mutex: don't care
>   */
> -struct posix_acl *
> -ext4_get_acl(struct inode *inode, int type)
> +struct posix_acl *ext4_get_posix_acl(struct inode *inode, int type)
>  {
>         int name_index;
>         char *value = NULL;
> @@ -239,7 +238,7 @@ __ext4_set_acl(handle_t *handle, struct inode *inode, int type,
>  }
>
>  int
> -ext4_set_acl(struct inode *inode, struct posix_acl *acl, int type)
> +ext4_set_posix_acl(struct inode *inode, struct posix_acl *acl, int type)
>  {
>         handle_t *handle;
>         int error, retries = 0;
> @@ -264,7 +263,7 @@ retry:
>   * inode->i_mutex: up (access to inode is still exclusive)
>   */
>  int
> -ext4_init_acl(handle_t *handle, struct inode *inode, struct inode *dir)
> +ext4_init_posix_acl(handle_t *handle, struct inode *inode, struct inode *dir)
>  {
>         struct posix_acl *default_acl, *acl;
>         int error;
> diff --git a/fs/ext4/acl.h b/fs/ext4/acl.h
> index da2c795..450b4d1 100644
> --- a/fs/ext4/acl.h
> +++ b/fs/ext4/acl.h
> @@ -54,17 +54,17 @@ static inline int ext4_acl_count(size_t size)
>  #ifdef CONFIG_EXT4_FS_POSIX_ACL
>
>  /* acl.c */
> -struct posix_acl *ext4_get_acl(struct inode *inode, int type);
> -int ext4_set_acl(struct inode *inode, struct posix_acl *acl, int type);
> -extern int ext4_init_acl(handle_t *, struct inode *, struct inode *);
> +struct posix_acl *ext4_get_posix_acl(struct inode *inode, int type);
> +int ext4_set_posix_acl(struct inode *inode, struct posix_acl *acl, int type);
> +extern int ext4_init_posix_acl(handle_t *, struct inode *, struct inode *);
>
>  #else  /* CONFIG_EXT4_FS_POSIX_ACL */
>  #include <linux/sched.h>
> -#define ext4_get_acl NULL
> -#define ext4_set_acl NULL
> +#define ext4_get_posix_acl NULL
> +#define ext4_set_posix_acl NULL
>
>  static inline int
> -ext4_init_acl(handle_t *handle, struct inode *inode, struct inode *dir)
> +ext4_init_posix_acl(handle_t *handle, struct inode *inode, struct inode *dir)
>  {
>         return 0;
>  }
> diff --git a/fs/ext4/file.c b/fs/ext4/file.c
> index 33a09da..be466f7 100644
> --- a/fs/ext4/file.c
> +++ b/fs/ext4/file.c
> @@ -30,6 +30,7 @@
>  #include "ext4_jbd2.h"
>  #include "xattr.h"
>  #include "acl.h"
> +#include "richacl.h"
>
>  /*
>   * Called when an inode is released. Note that this is different
> @@ -651,8 +652,9 @@ const struct inode_operations ext4_file_inode_operations = {
>         .getxattr       = generic_getxattr,
>         .listxattr      = ext4_listxattr,
>         .removexattr    = generic_removexattr,
> -       .get_acl        = ext4_get_acl,
> -       .set_acl        = ext4_set_acl,
> +       .get_acl        = ext4_get_posix_acl,
> +       .set_acl        = ext4_set_posix_acl,
> +       .get_richacl    = ext4_get_richacl,
>         .fiemap         = ext4_fiemap,
>  };
>
> diff --git a/fs/ext4/ialloc.c b/fs/ext4/ialloc.c
> index ac644c3..97d1c4b 100644
> --- a/fs/ext4/ialloc.c
> +++ b/fs/ext4/ialloc.c
> @@ -28,6 +28,7 @@
>  #include "ext4_jbd2.h"
>  #include "xattr.h"
>  #include "acl.h"
> +#include "richacl.h"
>
>  #include <trace/events/ext4.h>
>
> @@ -1039,7 +1040,11 @@ got:
>         if (err)
>                 goto fail_drop;
>
> -       err = ext4_init_acl(handle, inode, dir);
> +       if (EXT4_IS_RICHACL(dir))
> +               err = ext4_init_richacl(handle, inode, dir);
> +       else
> +               err = ext4_init_posix_acl(handle, inode, dir);
> +
>         if (err)
>                 goto fail_free_drop;
>
> diff --git a/fs/ext4/inode.c b/fs/ext4/inode.c
> index 5cb9a21..c379742 100644
> --- a/fs/ext4/inode.c
> +++ b/fs/ext4/inode.c
> @@ -44,6 +44,7 @@
>  #include "xattr.h"
>  #include "acl.h"
>  #include "truncate.h"
> +#include "richacl.h"
>
>  #include <trace/events/ext4.h>
>
> @@ -4657,9 +4658,12 @@ int ext4_setattr(struct dentry *dentry, struct iattr *attr)
>         if (orphan && inode->i_nlink)
>                 ext4_orphan_del(NULL, inode);
>
> -       if (!rc && (ia_valid & ATTR_MODE))
> -               rc = posix_acl_chmod(inode, inode->i_mode);
> -
> +       if (!rc && (ia_valid & ATTR_MODE)) {
> +               if (EXT4_IS_RICHACL(inode))
> +                       rc = ext4_richacl_chmod(inode);
> +               else
> +                       rc = posix_acl_chmod(inode, inode->i_mode);
> +       }
>  err_out:
>         ext4_std_error(inode->i_sb, error);
>         if (!error)
> diff --git a/fs/ext4/namei.c b/fs/ext4/namei.c
> index 28fe71a..da8f498 100644
> --- a/fs/ext4/namei.c
> +++ b/fs/ext4/namei.c
> @@ -39,6 +39,7 @@
>
>  #include "xattr.h"
>  #include "acl.h"
> +#include "richacl.h"
>
>  #include <trace/events/ext4.h>
>  /*
> @@ -3541,8 +3542,9 @@ const struct inode_operations ext4_dir_inode_operations = {
>         .getxattr       = generic_getxattr,
>         .listxattr      = ext4_listxattr,
>         .removexattr    = generic_removexattr,
> -       .get_acl        = ext4_get_acl,
> -       .set_acl        = ext4_set_acl,
> +       .get_acl        = ext4_get_posix_acl,
> +       .set_acl        = ext4_set_posix_acl,
> +       .get_richacl    = ext4_get_richacl,
>         .fiemap         = ext4_fiemap,
>  };
>
> @@ -3552,6 +3554,7 @@ const struct inode_operations ext4_special_inode_operations = {
>         .getxattr       = generic_getxattr,
>         .listxattr      = ext4_listxattr,
>         .removexattr    = generic_removexattr,
> -       .get_acl        = ext4_get_acl,
> -       .set_acl        = ext4_set_acl,
> +       .get_acl        = ext4_get_posix_acl,
> +       .set_acl        = ext4_set_posix_acl,
> +       .get_richacl    = ext4_get_richacl,
>  };
> diff --git a/fs/ext4/richacl.c b/fs/ext4/richacl.c
> new file mode 100644
> index 0000000..89c10ab
> --- /dev/null
> +++ b/fs/ext4/richacl.c
> @@ -0,0 +1,229 @@
> +/*
> + * Copyright IBM Corporation, 2010
> + * Copyright (C) 2015  Red Hat, Inc.
> + * Author Aneesh Kumar K.V <aneesh.kumar@xxxxxxxxxxxxxxxxxx>
> + *
> + * This program is free software; you can redistribute it and/or modify it
> + * under the terms of version 2.1 of the GNU Lesser General Public License
> + * as published by the Free Software Foundation.
> + *
> + * This program is distributed in the hope that it would be useful, but
> + * WITHOUT ANY WARRANTY; without even the implied warranty of
> + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
> + *
> + */
> +
> +#include <linux/kernel.h>
> +#include <linux/fs.h>
> +#include <linux/richacl_xattr.h>
> +
> +#include "ext4.h"
> +#include "ext4_jbd2.h"
> +#include "xattr.h"
> +#include "acl.h"
> +#include "richacl.h"
> +
> +struct richacl *
> +ext4_get_richacl(struct inode *inode)
> +{
> +       const int name_index = EXT4_XATTR_INDEX_RICHACL;
> +       void *value = NULL;
> +       struct richacl *acl;
> +       int retval;
> +
> +       if (!IS_RICHACL(inode))
> +               return ERR_PTR(-EOPNOTSUPP);
> +       acl = get_cached_richacl(inode);
> +       if (acl != ACL_NOT_CACHED)
> +               return acl;
> +       retval = ext4_xattr_get(inode, name_index, "", NULL, 0);
> +       if (retval > 0) {
> +               value = kmalloc(retval, GFP_KERNEL);
> +               if (!value)
> +                       return ERR_PTR(-ENOMEM);
> +               retval = ext4_xattr_get(inode, name_index, "", value, retval);
> +       }
> +       if (retval > 0) {
> +               acl = richacl_from_xattr(value, retval);
> +               if (acl == ERR_PTR(-EINVAL))
> +                       acl = ERR_PTR(-EIO);
> +       } else if (retval == -ENODATA || retval == -ENOSYS)
> +               acl = NULL;
> +       else
> +               acl = ERR_PTR(retval);
> +       kfree(value);
> +
> +       if (!IS_ERR_OR_NULL(acl))
> +               set_cached_richacl(inode, acl);
> +
> +       return acl;
> +}
> +
> +static int
> +ext4_set_richacl(handle_t *handle, struct inode *inode, struct richacl *acl)
> +{
> +       const int name_index = EXT4_XATTR_INDEX_RICHACL;
> +       size_t size = 0;
> +       void *value = NULL;
> +       int retval;
> +
> +       if (acl) {
> +               mode_t mode = inode->i_mode;
> +               if (richacl_equiv_mode(acl, &mode) == 0) {
> +                       inode->i_mode = mode;
> +                       ext4_mark_inode_dirty(handle, inode);
> +                       acl = NULL;
> +               }
> +       }
> +       if (acl) {
> +               size = richacl_xattr_size(acl);
> +               value = kmalloc(size, GFP_KERNEL);
> +               if (!value)
> +                       return -ENOMEM;
> +               richacl_to_xattr(acl, value);
> +       }
> +       if (handle)
> +               retval = ext4_xattr_set_handle(handle, inode, name_index, "",
> +                                              value, size, 0);
> +       else
> +               retval = ext4_xattr_set(inode, name_index, "", value, size, 0);
> +       kfree(value);
> +       if (!retval)
> +               set_cached_richacl(inode, acl);
> +
> +       return retval;
> +}
> +
> +int
> +ext4_init_richacl(handle_t *handle, struct inode *inode, struct inode *dir)
> +{
> +       struct richacl *dir_acl = NULL;
> +
> +       if (!S_ISLNK(inode->i_mode)) {
> +               dir_acl = ext4_get_richacl(dir);
> +               if (IS_ERR(dir_acl))
> +                       return PTR_ERR(dir_acl);
> +       }
> +       if (dir_acl) {
> +               struct richacl *acl;
> +               int retval;
> +
> +               acl = richacl_inherit_inode(dir_acl, inode);
> +               richacl_put(dir_acl);
> +
> +               retval = PTR_ERR(acl);
> +               if (acl && !IS_ERR(acl)) {
> +                       retval = ext4_set_richacl(handle, inode, acl);
> +                       richacl_put(acl);
> +               }
> +               return retval;
> +       } else {
> +               inode->i_mode &= ~current_umask();
> +               return 0;
> +       }
> +}
> +
> +int
> +ext4_richacl_chmod(struct inode *inode)
> +{
> +       struct richacl *acl;
> +       int retval;
> +
> +       if (S_ISLNK(inode->i_mode))
> +               return -EOPNOTSUPP;
> +       acl = ext4_get_richacl(inode);
> +       if (IS_ERR_OR_NULL(acl))
> +               return PTR_ERR(acl);
> +       acl = richacl_chmod(acl, inode->i_mode);
> +       if (IS_ERR(acl))
> +               return PTR_ERR(acl);
> +       retval = ext4_set_richacl(NULL, inode, acl);
> +       richacl_put(acl);
> +
> +       return retval;
> +}
> +
> +static size_t
> +ext4_xattr_list_richacl(struct dentry *dentry, char *list, size_t list_len,
> +                       const char *name, size_t name_len, int type)
> +{
> +       const size_t size = sizeof(RICHACL_XATTR);
> +       if (!IS_RICHACL(dentry->d_inode))
> +               return 0;
> +       if (list && size <= list_len)
> +               memcpy(list, RICHACL_XATTR, size);
> +       return size;
> +}
> +
> +static int
> +ext4_xattr_get_richacl(struct dentry *dentry, const char *name, void *buffer,
> +               size_t buffer_size, int type)
> +{
> +       struct richacl *acl;
> +       size_t size;
> +
> +       if (strcmp(name, "") != 0)
> +               return -EINVAL;
> +       acl = ext4_get_richacl(dentry->d_inode);
> +       if (IS_ERR(acl))
> +               return PTR_ERR(acl);
> +       if (acl == NULL)
> +               return -ENODATA;
> +       size = richacl_xattr_size(acl);
> +       if (buffer) {
> +               if (size > buffer_size)
> +                       return -ERANGE;
> +               richacl_to_xattr(acl, buffer);
> +       }
> +       richacl_put(acl);
> +
> +       return size;
> +}
> +
> +static int
> +ext4_xattr_set_richacl(struct dentry *dentry, const char *name,
> +               const void *value, size_t size, int flags, int type)
> +{
> +       handle_t *handle;
> +       struct richacl *acl = NULL;
> +       int retval, retries = 0;
> +       struct inode *inode = dentry->d_inode;
> +
> +       if (!IS_RICHACL(dentry->d_inode))
> +               return -EOPNOTSUPP;
> +       if (S_ISLNK(inode->i_mode))
> +               return -EOPNOTSUPP;
> +       if (strcmp(name, "") != 0)
> +               return -EINVAL;
> +       if (!uid_eq(current_fsuid(), inode->i_uid) &&
> +           inode_permission(inode, MAY_CHMOD) &&
> +           !capable(CAP_FOWNER))
> +               return -EPERM;
> +       if (value) {
> +               acl = richacl_from_xattr(value, size);
> +               if (IS_ERR(acl))
> +                       return PTR_ERR(acl);
> +
> +               inode->i_mode &= ~S_IRWXUGO;
> +               inode->i_mode |= richacl_masks_to_mode(acl);
> +       }
> +
> +retry:
> +       handle = ext4_journal_start(inode, EXT4_HT_XATTR,
> +                                   EXT4_DATA_TRANS_BLOCKS(inode->i_sb));
> +       if (IS_ERR(handle))
> +               return PTR_ERR(handle);
> +       retval = ext4_set_richacl(handle, inode, acl);
> +       ext4_journal_stop(handle);
> +       if (retval == -ENOSPC && ext4_should_retry_alloc(inode->i_sb, &retries))
> +               goto retry;
> +       richacl_put(acl);
> +       return retval;
> +}
> +
> +const struct xattr_handler ext4_richacl_xattr_handler = {
> +       .prefix = RICHACL_XATTR,
> +       .list   = ext4_xattr_list_richacl,
> +       .get    = ext4_xattr_get_richacl,
> +       .set    = ext4_xattr_set_richacl,
> +};
> diff --git a/fs/ext4/richacl.h b/fs/ext4/richacl.h
> new file mode 100644
> index 0000000..09a5cad
> --- /dev/null
> +++ b/fs/ext4/richacl.h
> @@ -0,0 +1,47 @@
> +/*
> + * Copyright IBM Corporation, 2010
> + * Copyright (C)  2015 Red Hat, Inc.
> + * Author Aneesh Kumar K.V <aneesh.kumar@xxxxxxxxxxxxxxxxxx>
> + *
> + * This program is free software; you can redistribute it and/or modify it
> + * under the terms of version 2.1 of the GNU Lesser General Public License
> + * as published by the Free Software Foundation.
> + *
> + * This program is distributed in the hope that it would be useful, but
> + * WITHOUT ANY WARRANTY; without even the implied warranty of
> + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
> + *
> + */
> +
> +#ifndef __FS_EXT4_RICHACL_H
> +#define __FS_EXT4_RICHACL_H
> +
> +#include <linux/richacl.h>
> +
> +#ifdef CONFIG_EXT4_FS_RICHACL
> +
> +#define EXT4_IS_RICHACL(inode) IS_RICHACL(inode)
> +
> +extern struct richacl *ext4_get_richacl(struct inode *);
> +extern int ext4_init_richacl(handle_t *, struct inode *, struct inode *);
> +extern int ext4_richacl_chmod(struct inode *);
> +
> +#else  /* CONFIG_FS_EXT4_RICHACL */
> +
> +#define EXT4_IS_RICHACL(inode) (0)
> +#define ext4_get_richacl   NULL
> +
> +static inline int
> +ext4_init_richacl(handle_t *handle, struct inode *inode, struct inode *dir)
> +{
> +       return 0;
> +}
> +
> +static inline int
> +ext4_richacl_chmod(struct inode *inode)
> +{
> +       return 0;
> +}
> +
> +#endif  /* CONFIG_FS_EXT4_RICHACL */
> +#endif  /* __FS_EXT4_RICHACL_H */
> diff --git a/fs/ext4/xattr.c b/fs/ext4/xattr.c
> index 1e09fc7..815a306 100644
> --- a/fs/ext4/xattr.c
> +++ b/fs/ext4/xattr.c
> @@ -100,6 +100,9 @@ static const struct xattr_handler *ext4_xattr_handler_map[] = {
>  #ifdef CONFIG_EXT4_FS_SECURITY
>         [EXT4_XATTR_INDEX_SECURITY]          = &ext4_xattr_security_handler,
>  #endif
> +#ifdef CONFIG_EXT4_FS_RICHACL
> +       [EXT4_XATTR_INDEX_RICHACL]           = &ext4_richacl_xattr_handler,
> +#endif
>  };
>
>  const struct xattr_handler *ext4_xattr_handlers[] = {
> @@ -112,6 +115,9 @@ const struct xattr_handler *ext4_xattr_handlers[] = {
>  #ifdef CONFIG_EXT4_FS_SECURITY
>         &ext4_xattr_security_handler,
>  #endif
> +#ifdef CONFIG_EXT4_FS_RICHACL
> +       &ext4_richacl_xattr_handler,
> +#endif
>         NULL
>  };
>
> diff --git a/fs/ext4/xattr.h b/fs/ext4/xattr.h
> index 29bedf5..065821e 100644
> --- a/fs/ext4/xattr.h
> +++ b/fs/ext4/xattr.h
> @@ -97,6 +97,7 @@ struct ext4_xattr_ibody_find {
>  extern const struct xattr_handler ext4_xattr_user_handler;
>  extern const struct xattr_handler ext4_xattr_trusted_handler;
>  extern const struct xattr_handler ext4_xattr_security_handler;
> +extern const struct xattr_handler ext4_richacl_xattr_handler;
>
>  extern ssize_t ext4_listxattr(struct dentry *, char *, size_t);
>
> --
> 2.1.0
>
>
> From 2743598850b5ac481b91b7fea5f6f00a04e8beae Mon Sep 17 00:00:00 2001
> Message-Id: <2743598850b5ac481b91b7fea5f6f00a04e8beae.1424900921.git.agruenba@xxxxxxxxxx>
> In-Reply-To: <cover.1424900921.git.agruenba@xxxxxxxxxx>
> References: <cover.1424900921.git.agruenba@xxxxxxxxxx>
> From: "Aneesh Kumar K.V" <aneesh.kumar@xxxxxxxxxxxxxxxxxx>
> Date: Wed, 23 Apr 2014 20:54:54 +0530
> Subject: [RFC 21/21] ext4: Add richacl feature flag
> To: linux-kernel@xxxxxxxxxxxxxxx,
>     linux-fsdevel@xxxxxxxxxxxxxxx,
>     linux-nfs@xxxxxxxxxxxxxxx
>
> This feature flag selects richacl instead of posix acl support on the file
> system. In addition, the "acl" mount option is needed for enabling either of
> the two kinds of acls.
>
> Signed-off-by: Andreas Gruenbacher <agruenba@xxxxxxxxxx>
> ---
>  fs/ext4/ext4.h  |  6 ++++--
>  fs/ext4/super.c | 41 ++++++++++++++++++++++++++++++++---------
>  2 files changed, 36 insertions(+), 11 deletions(-)
>
> diff --git a/fs/ext4/ext4.h b/fs/ext4/ext4.h
> index f63c3d5..64187cd 100644
> --- a/fs/ext4/ext4.h
> +++ b/fs/ext4/ext4.h
> @@ -978,7 +978,7 @@ struct ext4_inode_info {
>  #define EXT4_MOUNT_UPDATE_JOURNAL      0x01000 /* Update the journal format */
>  #define EXT4_MOUNT_NO_UID32            0x02000  /* Disable 32-bit UIDs */
>  #define EXT4_MOUNT_XATTR_USER          0x04000 /* Extended user attributes */
> -#define EXT4_MOUNT_POSIX_ACL           0x08000 /* POSIX Access Control Lists */
> +#define EXT4_MOUNT_ACL                 0x08000 /* Access Control Lists */
>  #define EXT4_MOUNT_NO_AUTO_DA_ALLOC    0x10000 /* No auto delalloc mapping */
>  #define EXT4_MOUNT_BARRIER             0x20000 /* Use block barriers */
>  #define EXT4_MOUNT_QUOTA               0x80000 /* Some quota option set */
> @@ -1552,6 +1552,7 @@ static inline void ext4_clear_state_flags(struct ext4_inode_info *ei)
>  #define EXT4_FEATURE_INCOMPAT_LARGEDIR         0x4000 /* >2GB or 3-lvl htree */
>  #define EXT4_FEATURE_INCOMPAT_INLINE_DATA      0x8000 /* data in inode */
>  #define EXT4_FEATURE_INCOMPAT_ENCRYPT          0x10000
> +#define EXT4_FEATURE_INCOMPAT_RICHACL          0x20000
>
>  #define EXT2_FEATURE_COMPAT_SUPP       EXT4_FEATURE_COMPAT_EXT_ATTR
>  #define EXT2_FEATURE_INCOMPAT_SUPP     (EXT4_FEATURE_INCOMPAT_FILETYPE| \
> @@ -1576,7 +1577,8 @@ static inline void ext4_clear_state_flags(struct ext4_inode_info *ei)
>                                          EXT4_FEATURE_INCOMPAT_64BIT| \
>                                          EXT4_FEATURE_INCOMPAT_FLEX_BG| \
>                                          EXT4_FEATURE_INCOMPAT_MMP |    \
> -                                        EXT4_FEATURE_INCOMPAT_INLINE_DATA)
> +                                        EXT4_FEATURE_INCOMPAT_INLINE_DATA | \
> +                                        EXT4_FEATURE_INCOMPAT_RICHACL)
>  #define EXT4_FEATURE_RO_COMPAT_SUPP    (EXT4_FEATURE_RO_COMPAT_SPARSE_SUPER| \
>                                          EXT4_FEATURE_RO_COMPAT_LARGE_FILE| \
>                                          EXT4_FEATURE_RO_COMPAT_GDT_CSUM| \
> diff --git a/fs/ext4/super.c b/fs/ext4/super.c
> index e061e66..4226898 100644
> --- a/fs/ext4/super.c
> +++ b/fs/ext4/super.c
> @@ -1242,6 +1242,27 @@ static ext4_fsblk_t get_sb_block(void **data)
>         return sb_block;
>  }
>
> +static int enable_acl(struct super_block *sb)
> +{
> +       sb->s_flags &= ~(MS_POSIXACL | MS_RICHACL);
> +       if (test_opt(sb, ACL)) {
> +               if (EXT4_HAS_INCOMPAT_FEATURE(sb, EXT4_FEATURE_INCOMPAT_RICHACL)) {
> +#ifdef CONFIG_EXT4_FS_RICHACL
> +                       sb->s_flags |= MS_RICHACL;
> +#else
> +                       return -EOPNOTSUPP;
> +#endif
> +               } else {
> +#ifdef CONFIG_EXT4_FS_POSIX_ACL
> +                       sb->s_flags |= MS_POSIXACL;
> +#else
> +                       return -EOPNOTSUPP;
> +#endif
> +               }
> +       }
> +       return 0;
> +}
> +
>  #define DEFAULT_JOURNAL_IOPRIO (IOPRIO_PRIO_VALUE(IOPRIO_CLASS_BE, 3))
>  static char deprecated_msg[] = "Mount option \"%s\" will be removed by %s\n"
>         "Contact linux-ext4@xxxxxxxxxxxxxxx if you think we should keep it.\n";
> @@ -1388,9 +1409,9 @@ static const struct mount_opts {
>          MOPT_NO_EXT2 | MOPT_DATAJ},
>         {Opt_user_xattr, EXT4_MOUNT_XATTR_USER, MOPT_SET},
>         {Opt_nouser_xattr, EXT4_MOUNT_XATTR_USER, MOPT_CLEAR},
> -#ifdef CONFIG_EXT4_FS_POSIX_ACL
> -       {Opt_acl, EXT4_MOUNT_POSIX_ACL, MOPT_SET},
> -       {Opt_noacl, EXT4_MOUNT_POSIX_ACL, MOPT_CLEAR},
> +#if defined(CONFIG_EXT4_FS_POSIX_ACL) || defined(CONFIG_EXT4_FS_RICHACL)
> +       {Opt_acl, EXT4_MOUNT_ACL, MOPT_SET},
> +       {Opt_noacl, EXT4_MOUNT_ACL, MOPT_CLEAR},
>  #else
>         {Opt_acl, 0, MOPT_NOSUPPORT},
>         {Opt_noacl, 0, MOPT_NOSUPPORT},
> @@ -3538,8 +3559,8 @@ static int ext4_fill_super(struct super_block *sb, void *data, int silent)
>                 set_opt(sb, NO_UID32);
>         /* xattr user namespace & acls are now defaulted on */
>         set_opt(sb, XATTR_USER);
> -#ifdef CONFIG_EXT4_FS_POSIX_ACL
> -       set_opt(sb, POSIX_ACL);
> +#if defined(CONFIG_EXT4_FS_POSIX_ACL) || defined(CONFIG_EXT4_FS_RICHACL)
> +       set_opt(sb, ACL);
>  #endif
>         /* don't forget to enable journal_csum when metadata_csum is enabled. */
>         if (ext4_has_metadata_csum(sb))
> @@ -3620,8 +3641,9 @@ static int ext4_fill_super(struct super_block *sb, void *data, int silent)
>                         clear_opt(sb, DELALLOC);
>         }
>
> -       sb->s_flags = (sb->s_flags & ~MS_POSIXACL) |
> -               (test_opt(sb, POSIX_ACL) ? MS_POSIXACL : 0);
> +       err = enable_acl(sb);
> +       if (err)
> +               goto failed_mount;
>
>         if (le32_to_cpu(es->s_rev_level) == EXT4_GOOD_OLD_REV &&
>             (EXT4_HAS_COMPAT_FEATURE(sb, ~0U) ||
> @@ -4913,8 +4935,9 @@ static int ext4_remount(struct super_block *sb, int *flags, char *data)
>         if (sbi->s_mount_flags & EXT4_MF_FS_ABORTED)
>                 ext4_abort(sb, "Abort forced by user");
>
> -       sb->s_flags = (sb->s_flags & ~MS_POSIXACL) |
> -               (test_opt(sb, POSIX_ACL) ? MS_POSIXACL : 0);
> +       err = enable_acl(sb);
> +       if (err)
> +               goto restore_opts;
>
>         es = sbi->s_es;
>
> --
> 2.1.0
>
> --
> To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
> the body of a message to majordomo@xxxxxxxxxxxxxxx
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
> Please read the FAQ at  http://www.tux.org/lkml/



-- 
Michael Kerrisk Linux man-pages maintainer;
http://www.kernel.org/doc/man-pages/
Author of "The Linux Programming Interface", http://blog.man7.org/
--
To unsubscribe from this list: send the line "unsubscribe linux-api" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html




[Index of Archives]     [Linux USB Devel]     [Video for Linux]     [Linux Audio Users]     [Yosemite News]     [Linux Kernel]     [Linux SCSI]

  Powered by Linux