Frank, On Tue, Jul 5, 2016 at 7:08 PM, Frank Filz <ffilzlnx@xxxxxxxxxxxxxx> wrote: >> > + * Note: functions like richacl_allowed_to_who(), >> > +richacl_group_class_allowed(), >> > + * and richacl_compute_max_masks() iterate through the entire acl in >> > +reverse >> > + * order as an optimization. >> > + * >> > + * In the standard algorithm, aces are considered in forward order. >> > +When a >> > + * process matches an ace, the permissions in the ace are either >> > +allowed or >> > + * denied depending on the ace type. Once a permission has been >> > +allowed or >> > + * denied, it is no longer considered in further aces. >> > + * >> > + * By iterating through the acl in reverse order, we can compute the >> > +same >> > + * result without having to keep track of which permissions have been >> > +allowed >> > + * and denied already. >> > + */ >> > >> >> Clever! > > Hmm, but does that result in examining the whole ACL for most access checks, at least for files where most of the accesses are by the owner, or a member of a specific group (with perhaps a ton of special case users added on the end)? I don't understand -- what does this algorithm have to do with access checks? Thanks, Andreas -- To unsubscribe from this list: send the line "unsubscribe linux-api" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html