path: root/fs/cifs/cifsacl.c
Age | Commit message | Author | Files | Lines
2011-05-27 | [CIFS] Rename three structures to avoid camel case | Steve French | 1 | -2/+2
secMode to sec_mode and cifsTconInfo to cifs_tcon and cifsSesInfo to cifs_ses Signed-off-by: Steve French <sfrench@us.ibm.com>
2011-05-19 | cifs: Change key name to cifs.idmap, misc. clean-up | Shirish Pargaonkar | 1 | -58/+1
Change idmap key name from cifs.cifs_idmap to cifs.idmap. Removed unused structure wksidarr and function match_sid(). Handle errors correctly in function init_cifs(). Signed-off-by: Shirish Pargaonkar <shirishpargaonkar@gmail.com> Reviewed-by: Jeff Layton <jlayton@redhat.com> Signed-off-by: Steve French <sfrench@us.ibm.com>
2011-05-19 | cifs: fix some unused variable warnings in id_rb_search | Jeff Layton | 1 | -5/+0
fs/cifs/cifsacl.c: In function ‘id_rb_search’: fs/cifs/cifsacl.c:215:19: warning: variable ‘linkto’ set but not used [-Wunused-but-set-variable] fs/cifs/cifsacl.c:214:18: warning: variable ‘parent’ set but not used [-Wunused-but-set-variable] Reviewed-by: Shirish Pargaonkar <shirishpargaonkar@gmail.com> Signed-off-by: Jeff Layton <jlayton@redhat.com> Signed-off-by: Steve French <sfrench@us.ibm.com>
2011-05-19 | cifs: Invoke id mapping functions (try #17 repost) | Shirish Pargaonkar | 1 | -24/+301
rb tree search and insertion routines. A SID which needs to be mapped, is looked up in one of the rb trees depending on whether SID is either owner or group SID. If found in the tree, a (mapped) id from that node is assigned to uid or gid as appropriate. If unmapped, an upcall is attempted to map the SID to an id. If upcall is successful, node is marked as mapped. If upcall fails, node stays marked as unmapped and a mapping is attempted again only after an arbitrary time period has passed. To map a SID, which can be either an Owner SID or a Group SID, key description starts with the string "os" or "gs" followed by SID converted to a string. Without "os" or "gs", cifs.upcall does not know whether SID needs to be mapped to either a uid or a gid. Nodes in rb tree have fields to prevent multiple upcalls for a SID. Searching, adding, and removing nodes is done within global locks. Whenever a node is either found or inserted in a tree, a reference is taken on that node. Shrinker routine prunes a node if it has expired but does not prune an expired node if its refcount is not zero (i.e. sid/id of that node is_being/will_be accessed). Thus a node, if its SID needs to be mapped by making an upcall, can safely stay and its fields accessed without shrinker pruning it. A reference (refcount) is put on the node without holding the spinlock but a reference is get on the node by holding the spinlock. Every time an existing mapped node is accessed or mapping is attempted, its timestamp is updated to prevent it from getting erased or to prevent multiple unnecessary repeat mapping retries respectively. For now, cifs.upcall is only used to map a SID to an id (uid or gid) but it would be used to obtain an SID for an id. Signed-off-by: Shirish Pargaonkar <shirishpargaonkar@gmail.com> Reviewed-by: Jeff Layton <jlayton@redhat.com> Signed-off-by: Steve French <sfrench@us.ibm.com>
2011-05-19 | cifs: Add idmap key and related data structures and functions (try #17 repost) | Shirish Pargaonkar | 1 | -0/+138
Define (global) data structures to store ids, uids and gids, to which a SID maps. There are two separate trees, one for SID/uid and another one for SID/gid. A new type of key, cifs_idmap_key_type, is used. Keys are instantiated and searched using credential of the root by overriding and restoring the credentials of the caller requesting the key. Id mapping functions are invoked under config option of cifs acl. Signed-off-by: Shirish Pargaonkar <shirishpargaonkar@gmail.com> Signed-off-by: Steve French <sfrench@us.ibm.com>
2011-05-19 | [CIFS] Allow to set extended attribute cifs_acl (try #2) | Steve French | 1 | -1/+1
Allow setting cifs_acl on the server. Pass on to the server the ACL blob generated by an application. cifs is just a pass-through, it does not monitor or inspect the contents of the blob, server decides whether to enforce/apply the ACL blob composed by an application. If setting of ACL is successful, mark the inode for revalidation. Signed-off-by: Shirish Pargaonkar <shirishpargaonkar@gmail.com> Acked-by: Jeff Layton <jlayton@redhat.com> Signed-off-by: Steve French <sfrench@us.ibm.com>
2011-02-06 | cifs: add check for kmalloc in parse_dacl | Stanislav Fomichev | 1 | -0/+4
Exit from parse_dacl if no memory returned from the call to kmalloc. Signed-off-by: Stanislav Fomichev <kernel@fomichev.me> Signed-off-by: Steve French <sfrench@us.ibm.com>
2011-01-20 | cifs: Use mask of ACEs for SID Everyone to calculate all three permissions user, group, and other | Shirish Pargaonkar | 1 | -2/+11
If a DACL has entries for ACEs for SID Everyone and Authenticated Users, factor in mask in respective entries during calculation of permissions for all three, user, group, and other. http://technet.microsoft.com/en-us/library/bb463216.aspx Signed-off-by: Shirish Pargaonkar <shirishpargaonkar@gmail.com> Reviewed-by: Jeff Layton <jlayton@redhat.com> Signed-off-by: Steve French <sfrench@us.ibm.com>
2010-12-06 | cifs: fix use of CONFIG_CIFS_ACL | Jeff Layton | 1 | -3/+0
Some of the code under CONFIG_CIFS_ACL is dependent upon code under CONFIG_CIFS_EXPERIMENTAL, but the Kconfig options don't reflect that dependency. Move more of the ACL code out from under CONFIG_CIFS_EXPERIMENTAL and under CONFIG_CIFS_ACL. Also move find_readable_file out from other any sort of Kconfig option and make it a function normally compiled in. Reported-and-Acked-by: Randy Dunlap <randy.dunlap@oracle.com> Signed-off-by: Jeff Layton <jlayton@redhat.com> Signed-off-by: Steve French <sfrench@us.ibm.com>
2010-11-30 | cifs: Handle extended attribute name cifs_acl to generate cifs acl blob (try #4) | Shirish Pargaonkar | 1 | -1/+1
Add extended attribute name system.cifs_acl Get/generate cifs/ntfs acl blob and hand over to the invoker however it wants to parse/process it under experimental configurable option CIFS_ACL. Do not get CIFS/NTFS ACL for xattr for attribute system.posix_acl_access Signed-off-by: Shirish Pargaonkar <shirishpargaonkar@gmail.com> Signed-off-by: Steve French <sfrench@us.ibm.com>
2010-11-30 | cifs: Misc. cleanup in cifsacl handling [try #4] | Shirish Pargaonkar | 1 | -1/+1
Change the name of function mode_to_acl to mode_to_cifs_acl. Handle return code in functions mode_to_cifs_acl and cifs_acl_to_fattr. Signed-off-by: Shirish Pargaonkar <shirishpargaonkar@gmail.com> Signed-off-by: Steve French <sfrench@us.ibm.com>
2010-11-11 | cifs: Percolate error up to the caller during get/set acls [try #4] | Shirish Pargaonkar | 1 | -18/+26
Modify get/set_cifs_acl* calls to return error code and percolate the error code up to the caller. Signed-off-by: Shirish Pargaonkar <shirishpargaonkar@gmail.com> Reviewed-by: Jeff Layton <jlayton@redhat.com> Signed-off-by: Steve French <sfrench@us.ibm.com>
2010-10-06 | cifs: have find_readable/writable_file filter by fsuid | Jeff Layton | 1 | -2/+2
When we implement multiuser mounts, we'll need to filter filehandles by fsuid. Add a flag for multiuser mounts and code to filter by fsuid when it's set. Signed-off-by: Jeff Layton <jlayton@redhat.com> Signed-off-by: Steve French <sfrench@us.ibm.com>
2010-10-06 | cifs: add refcounted and timestamped container for holding tcons | Jeff Layton | 1 | -9/+33
Eventually, we'll need to track the use of tcons on a per-sb basis, so that we know when it's ok to tear them down. Begin this conversion by adding a new "tcon_link" struct and accessors that get it. For now, the core data structures are untouched -- cifs_sb still just points to a single tcon and the pointers are just cast to deal with the accessor functions. A later patch will flesh this out. Signed-off-by: Jeff Layton <jlayton@redhat.com> Signed-off-by: Steve French <sfrench@us.ibm.com>
2010-09-29 | cifs: add function to get a tcon from cifs_sb | Jeff Layton | 1 | -8/+8
When we convert cifs to do multiple sessions per mount, we'll need more than one tcon per superblock. At that point "cifs_sb->tcon" will make no sense. Add a new accessor function that gets a tcon given a cifs_sb. For now, it just returns cifs_sb->tcon. Later it'll do more. Signed-off-by: Jeff Layton <jlayton@redhat.com> Signed-off-by: Steve French <sfrench@us.ibm.com>
2010-04-21 | [CIFS] Neaten cERROR and cFYI macros, reduce text space | Joe Perches | 1 | -38/+38
Neaten cERROR and cFYI macros, reduce text space ~2.5K

Convert '__FILE__ ": " fmt' to '"%s: " fmt', __FILE__' to save text space
Surround macros with do {} while
Add parentheses to macros
Make statement expression macro from macro with assign
Remove now unnecessary parentheses from cFYI and cERROR uses

defconfig with CIFS support old
$ size fs/cifs/built-in.o
text data bss dec hex filename
156012 1760 148 157920 268e0 fs/cifs/built-in.o

defconfig with CIFS support old
$ size fs/cifs/built-in.o
text data bss dec hex filename
153508 1760 148 155416 25f18 fs/cifs/built-in.o

allyesconfig old:
$ size fs/cifs/built-in.o
text data bss dec hex filename
309138 3864 74824 387826 5eaf2 fs/cifs/built-in.o

allyesconfig new
$ size fs/cifs/built-in.o
text data bss dec hex filename
305655 3864 74824 384343 5dd57 fs/cifs/built-in.o

Signed-off-by: Joe Perches <joe@perches.com> Signed-off-by: Steve French <sfrench@us.ibm.com>
2010-03-30 | include cleanup: Update gfp.h and slab.h includes to prepare for breaking implicit slab.h inclusion from percpu.h | Tejun Heo | 1 | -0/+1
percpu.h is included by sched.h and module.h and thus ends up being included when building most .c files. percpu.h includes slab.h which in turn includes gfp.h making everything defined by the two files universally available and complicating inclusion dependencies.

percpu.h -> slab.h dependency is about to be removed. Prepare for this change by updating users of gfp and slab facilities include those headers directly instead of assuming availability. As this conversion needs to touch large number of source files, the following script is used as the basis of conversion.

http://userweb.kernel.org/~tj/misc/slabh-sweep.py

The script does the followings.

* Scan files for gfp and slab usages and update includes such that only the necessary includes are there. ie. if only gfp is used, gfp.h, if slab is used, slab.h.
* When the script inserts a new include, it looks at the include blocks and try to put the new include such that its order conforms to its surrounding. It's put in the include block which contains core kernel includes, in the same order that the rest are ordered - alphabetical, Christmas tree, rev-Xmas-tree or at the end if there doesn't seem to be any matching order.
* If the script can't find a place to put a new include (mostly because the file doesn't have fitting include block), it prints out an error message indicating which .h file needs to be added to the file.

The conversion was done in the following steps.

1. The initial automatic conversion of all .c files updated slightly over 4000 files, deleting around 700 includes and adding ~480 gfp.h and ~3000 slab.h inclusions. The script emitted errors for ~400 files.
2. Each error was manually checked. Some didn't need the inclusion, some needed manual addition while adding it to implementation .h or embedding .c file was more appropriate for others. This step added inclusions to around 150 files.
3. The script was run again and the output was compared to the edits from #2 to make sure no file was left behind.
4. Several build tests were done and a couple of problems were fixed. e.g. lib/decompress_*.c used malloc/free() wrappers around slab APIs requiring slab.h to be added manually.
5. The script was run on all .h files but without automatically editing them as sprinkling gfp.h and slab.h inclusions around .h files could easily lead to inclusion dependency hell. Most gfp.h inclusion directives were ignored as stuff from gfp.h was usually wildly available and often used in preprocessor macros. Each slab.h inclusion directive was examined and added manually as necessary.
6. percpu.h was updated not to include slab.h.
7. Build test were done on the following configurations and failures were fixed. CONFIG_GCOV_KERNEL was turned off for all tests (as my distributed build env didn't work with gcov compiles) and a few more options had to be turned off depending on archs to make things build (like ipr on powerpc/64 which failed due to missing writeq).
   * x86 and x86_64 UP and SMP allmodconfig and a custom test config.
   * powerpc and powerpc64 SMP allmodconfig
   * sparc and sparc64 SMP allmodconfig
   * ia64 SMP allmodconfig
   * s390 SMP allmodconfig
   * alpha SMP allmodconfig
   * um on x86_64 SMP allmodconfig
8. percpu.h modifications were reverted so that it could be applied as a separate patch and serve as bisection point.

Given the fact that I had only a couple of failures from tests on step 6, I'm fairly confident about the coverage of this conversion patch. If there is a breakage, it's likely to be something in one of the arch headers which should be easily discoverable easily on most builds of the specific arch.

Signed-off-by: Tejun Heo <tj@kernel.org> Guess-its-ok-by: Christoph Lameter <cl@linux-foundation.org> Cc: Ingo Molnar <mingo@redhat.com> Cc: Lee Schermerhorn <Lee.Schermerhorn@hp.com>
2009-09-02 | cifs: Replace wrtPending with a real reference count | Dave Kleikamp | 1 | -2/+2
Currently, cifs_close() tries to wait until all I/O is complete and then frees the file private data. If I/O does not complete in a reasonable amount of time it frees the structure anyway, leaving a potential use-after-free situation. This patch changes the wrtPending counter to a complete reference count and lets the last user free the structure. Signed-off-by: Dave Kleikamp <shaggy@linux.vnet.ibm.com> Reviewed-by: Jeff Layton <jlayton@redhat.com> Tested-by: Shirish Pargaonkar <shirishp@us.ibm.com> Signed-off-by: Steve French <sfrench@us.ibm.com>
2009-07-10 | cifs: convert cifs_get_inode_info and non-posix readdir to use cifs_iget | Jeff Layton | 1 | -13/+13
cifs: convert cifs_get_inode_info and non-posix readdir to use cifs_iget Rather than allocating an inode and filling it out, have cifs_get_inode_info fill out a cifs_fattr and call cifs_iget. This means a pretty hefty reorganization of cifs_get_inode_info. For the readdir codepath, add a couple of new functions for filling out cifs_fattr's from different FindFile response infolevels. Finally, remove cifs_new_inode since there are no more callers. Signed-off-by: Jeff Layton <jlayton@redhat.com> Reviewed-by: Christoph Hellwig <hch@lst.de> Signed-off-by: Steve French <sfrench@us.ibm.com>
2009-05-28 | cifs: clean up set_cifs_acl interfaces | Christoph Hellwig | 1 | -37/+41
Signed-off-by: Christoph Hellwig <hch@lst.de> Reviewed-by: Shirish Pargaonkar <shirishp@us.ibm.com> Signed-off-by: Jeff Layton <jlayton@redhat.com> Signed-off-by: Steve French <sfrench@us.ibm.com>
2009-05-28 | cifs: reorganize get_cifs_acl | Christoph Hellwig | 1 | -48/+52
Thus spake Christoph: "But this whole set_cifs_acl function is a real mess anyway and needs some splitting up." With this change too, it's possible to call acl_to_uid_mode() with a NULL inode pointer. That (or something close to it) will eventually be necessary when cifs_get_inode_info is reorganized. Signed-off-by: Christoph Hellwig <hch@lst.de> Reviewed-by: Shirish Pargaonkar <shirishp@us.ibm.com> Signed-off-by: Jeff Layton <jlayton@redhat.com> Signed-off-by: Steve French <sfrench@us.ibm.com>
2008-07-24 | [CIFS] Fix warnings from checkpatch | Shirish Pargaonkar | 1 | -19/+19
Signed-off-by: Steve French <sfrench@us.ibm.com>
2008-07-24 | [CIFS] Fix improper endian conversion of ACL subauth field | Shirish Pargaonkar | 1 | -2/+1
In mode_to_acl when converting a Unix mode to a Windows ACL the subauth fields of the SID in the ACL were translated incorrectly on bigendian architectures Signed-off-by: Steve French <sfrench@us.ibm.com>
2008-07-13 | cifs: fix wksidarr declaration to be big-endian friendly | Jeff Layton | 1 | -5/+5
The current definition of wksidarr works fine on little endian arches (since cpu_to_le32 is a no-op there), but on big-endian arches, it fails to compile with this error: error: braced-group within expression allowed only inside a function The problem is that this static declaration has cpu_to_le32 embedded within it, and that expands into a function macro. We need to use __constant_cpu_to_le32() instead. Signed-off-by: Jeff Layton <jlayton@redhat.com> Cc: Steven French <sfrench@us.ibm.com> Cc: <stable@kernel.org> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2008-05-09 | [CIFS] fix build warning | Steve French | 1 | -1/+1
Signed-off-by: Steve French <sfrench@us.ibm.com>
2008-04-29 | [CIFS] convert usage of implicit booleans to bool | Steve French | 1 | -8/+8
Signed-off-by: Joe Perches <joe@perches.com> Signed-off-by: Steve French <sfrench@us.ibm.com>
2008-04-10 | [CIFS] Fix acl length when very short ACL being modified by chmod | Steve French | 1 | -6/+8
Signed-off-by: Shirish Pargaonkar <shirishp@us.ibm.com> Signed-off-by: Steve French <sfrench@us.ibm.com>
2008-03-31 | cifs: fix misannotations | Al Viro | 1 | -2/+2
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2008-03-15 | [CIFS] file create with acl support enabled is slow | Steve French | 1 | -10/+15
Shirish Pargaonkar noted: With cifsacl mount option, when a file is created on the Windows server, exclusive oplock is broken right away because the get cifs acl code again opens the file to obtain security descriptor. The client does not have the newly created file handle or inode in any of its lists yet so it does not respond to oplock break and server waits for its duration and then responds to the second open. This slows down file creation significantly. The fix is to pass the file descriptor to the get cifsacl code wherever available so that get cifs acl code does not send second open (NT Create ANDX) and oplock is not broken. CC: Shirish Pargaonkar <shirishp@us.ibm.com> Signed-off-by: Steve French <sfrench@us.ibm.com>
2008-02-12 | [CIFS] patch to fix incorrect encoding of number of aces on set mode | Shirish Pargaonkar | 1 | -5/+1
This patch fixes an error in the experimental cifs acl code. During chmod, set security descriptor data (num aces) is not sent with little-endian encoding. Signed-off-by: Shirish Pargaonkar <shirishp@us.ibm.com> Signed-off-by: Steve French <sfrench@us.ibm.com>
2008-02-12 | [CIFS] clean up some hard to read ifdefs | Steve French | 1 | -33/+11
Christoph had noticed too many ifdefs in the CIFS code making it hard to read. This patch removes about a quarter of them from the C files in cifs by improving a few key ifdefs in the .h files. Signed-off-by: Steve French <sfrench@us.ibm.com>
2008-02-08 | [CIFS] reduce checkpatch warnings | Steve French | 1 | -4/+3
Signed-off-by: Steve French <sfrench@us.ibm.com>
2007-12-31 | [CIFS] Allow setting mode via cifs acl | Steve French | 1 | -8/+232
Requires cifsacl mount flag to be on and CIFS_EXPERIMENTAL enabled CC: Shirish Pargaonkar <shirishp@us.ibm.com> Signed-off-by: Steve French <sfrench@us.ibm.com>
2007-12-05 | regression: cifs endianness bug | Al Viro | 1 | -16/+17
access_flags_to_mode() gets on-the-wire data (little-endian) and treats it as host-endian. Introduced in commit e01b64001359034d04c695388870936ed3d1b56b ("[CIFS] enable get mode from ACL when cifsacl mount option specified") Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2007-11-25 | [CIFS] Fix check after use error in ACL code | Steve French | 1 | -6/+7
Spotted by the coverity scanner. CC: Adrian Bunk <bunk@kernel.org> Signed-off-by: Steve French <sfrench@us.ibm.com>
2007-11-09 | [CIFS] add mode to acl conversion helper function | Steve French | 1 | -2/+33
Acked-by: Shirish Pargaonkar <shirishp@us.ibm.com> Signed-off-by: Steve French <sfrench@us.ibm.com>
2007-11-08 | [CIFS] Fix incorrect mode when ACL had deny access control entries | Steve French | 1 | -9/+46
When mounted with the cifsacl mount option, we were treating any deny ACEs found like allow ACEs and it turns out for SFU and SUA Windows set these type of access control entries often. The order of ACEs is important too. The canonical order that most ACL tools and Windows explorer construct ACLs with is to begin with DENY entries then follow with ALLOW, otherwise an allow entry could be encountered first, making the subsequent deny entry like "dead code which would be superfluous since Windows stops when a match is made for the operation you are trying to perform for your user We start with no permissions in the mode and build up as we find permissions (ie allow ACEs). This fixes deny ACEs so they affect the mask used to set the subsequent allow ACEs. Acked-by: Shirish Pargaonkar <shirishp@us.ibm.com> CC: Alexander Bokovoy <ab@samba.org> Signed-off-by: Steve French <sfrench@us.ibm.com>
2007-11-06 | [CIFS] Fix walking out end of cifs dacl | Steve French | 1 | -2/+2
Acked-by: Shirish Pargaonkar <shirishp@us.ibm.com> Signed-off-by: Steve French <sfrench@us.ibm.com>
2007-11-01 | [CIFS] If no Access Control Entries, set mode perm bits to zero | Steve French | 1 | -22/+55
Also clean up ACL code Acked-by: Shirish Pargaonkar <shirishp@us.ibm.com> Signed-off-by: Steve French <sfrench@us.ibm.com>
2007-10-31 | [CIFS] Don't request too much permission when reading an ACL | Steve French | 1 | -7/+25
We were requesting GENERIC_READ but that fails when we do not have read permission on the file (even if we could read the ACL). Also move the dump access control entry code into debug ifdef. Signed-off-by: Steve French <sfrench@us.ibm.com>
2007-10-30 | [CIFS] enable get mode from ACL when cifsacl mount option specified | Shirish Pargaonkar | 1 | -7/+21
Part 9 of ACL patch series. getting mode from ACL now works in some cases (and requires CIFS_EXPERIMENTAL config option). Signed-off-by: Shirish Pargaonkar <shirishp@us.ibm.com> Signed-off-by: Steve French <sfrench@us.ibm.com>
2007-10-27 | [CIFS] ACL support part 8 | Steve French | 1 | -63/+70
Now GetACL in getinodeinfo path when cifsacl mount option used, and ACL is parsed for SIDs. Missing only one piece now to be able to retrieve the mode Signed-off-by: Steve French <sfrench@us.ibm.com>
2007-10-26 | [CIFS] acl support part 7 | Steve French | 1 | -3/+18
Also fixes typo, build break Signed-off-by: Steve French <sfrench@us.ibm.com>
2007-10-26 | [CIFS] acl support part 6 | Steve French | 1 | -20/+71
Acked-by: Shirish Pargaonkar <shirishp@us.ibm.com> CC: Cyrill Gorcunov <gorcunov@gmail.com> Signed-off-by: Steve French <sfrench@us.ibm.com>
2007-10-24 | [CIFS] acl support part 6 | Steve French | 1 | -55/+24
CC: Shirish Pargaonkar <shirishp@us.ibm.com> Signed-off-by: Steve French <sfrench@us.ibm.com>
2007-10-20 | [CIFS] ACL support part 5 | Steve French | 1 | -0/+23
Acked-by: Shirish Pargaonkar <shirishp@us.ibm.com> Signed-off-by: Steve French <sfrench@us.ibm.com>
2007-10-18 | [CIFS] fix typo | Steve French | 1 | -1/+1
Signed-off-by: Steve French <sfrench@us.ibm.com>
2007-10-18 | [CIFS] acl support part 4 | Steve French | 1 | -9/+10
Signed-off-by: Steve French <sfrench@us.ibm.com>
2007-10-17 | [CIFS] build break | Steve French | 1 | -1/+1
Signed-off-by: Steve French <sfrench@us.ibm.com>
2007-10-17 | [CIFS] endian fixes | Steve French | 1 | -3/+3
Signed-off-by: Steve French <sfrench@us.ibm.com>