Linux Kernel Architecture

(Jacob Rumans) #1

Chapter 11: Extended Attributes and Access Control Lists


            break;
        case ACL_USER:
            if (pa->e_id == current->fsuid)
                goto mask;
            break;
        case ACL_GROUP_OBJ:
            if (in_group_p(inode->i_gid)) {
                found = 1;
                if ((pa->e_perm & want) == want)
                    goto mask;
            }
            break;
        case ACL_GROUP:
            if (in_group_p(pa->e_id)) {
                found = 1;
                if ((pa->e_perm & want) == want)
                    goto mask;
            }
            break;
        case ACL_MASK:
            break;
        case ACL_OTHER:
            if (found)
                return -EACCES;
            else
                goto check_perm;
        default:
            return -EIO;
        }
    }
    return -EIO;
...
}

The code uses the macro FOREACH_ACL_ENTRY to iterate over all ACL entries. For each entry, a suitable
comparison is performed between the file system UID (FSUID) or the group membership of the current
process and the appropriate ID: the UID/GID of the inode for _OBJ type entries, and the ID specified in
the ACL entry for other types. Obviously, the logic needs to be exactly as defined in the manual page acl(5).


The code involves two jump labels that are located after the loop. The code flow ends up at mask once
access has basically been granted. It still needs to be ensured, however, that no declaration of ACL_MASK
follows the granting entry and denies the access right:


fs/posix_acl.c
...
mask:
    for (mask_obj = pa+1; mask_obj != pe; mask_obj++) {
        if (mask_obj->e_tag == ACL_MASK) {
            if ((pa->e_perm & mask_obj->e_perm & want) == want)
                return 0;
            return -EACCES;
        }
    }
...
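
An added example (not from the book or the kernel source): a userspace C model of the entry walk and the mask step shown above, run against a constructed ACL. The type names, acl_check, the single-group cred structure, and the body of check_perm (which this page does not show) are assumptions.

```c
#include <errno.h>
#include <stddef.h>
/* Added userspace model; all names here are hypothetical stand-ins for the kernel's. */
enum tag { USER_OBJ, USER, GROUP_OBJ, GROUP, MASK, OTHER };
enum { X = 1, W = 2, R = 4 };
struct entry { enum tag tag; unsigned perm, id; };
struct cred { unsigned fsuid, gid; };   /* assumption: one group, no supplementary list */
struct file { unsigned uid, gid; };     /* plays the role of inode->i_uid / i_gid */
/* Constructed sample: user::rw-, user:1001:rw-, group::r--, mask::r--, other::--- */
const struct entry sample_acl[] = { { USER_OBJ, R | W, 0 }, { USER, R | W, 1001 },
    { GROUP_OBJ, R, 0 }, { MASK, R, 0 }, { OTHER, 0, 0 } };
const struct file sample_file = { 1000, 100 };

/* Returns 0 on grant, -EACCES on denial, -EIO for an ACL without a usable entry. */
int acl_check(const struct file *f, const struct cred *c,
              const struct entry *acl, size_t n, unsigned want)
{
    const struct entry *pa, *pe = acl + n, *m;
    int found = 0;
    for (pa = acl; pa != pe; pa++) {
        switch (pa->tag) {
        case USER_OBJ:
            if (f->uid == c->fsuid) goto check_perm;
            break;
        case USER:
            if (pa->id == c->fsuid) goto mask;
            break;
        case GROUP_OBJ:
        case GROUP:
            if ((pa->tag == GROUP_OBJ ? f->gid : pa->id) == c->gid) {
                found = 1;
                if ((pa->perm & want) == want) goto mask;
            }
            break;
        case MASK: break;
        case OTHER:
            if (found) return -EACCES;
            goto check_perm;
        default: return -EIO;
        }
    }
    return -EIO;
mask:       /* a MASK entry after the matching one caps what it may grant */
    for (m = pa + 1; m != pe; m++)
        if (m->tag == MASK)
            return (pa->perm & m->perm & want) == want ? 0 : -EACCES;
check_perm: /* assumed body: the page shows only the jump to this label */
    return (pa->perm & want) == want ? 0 : -EACCES;
}
```

With the sample ACL, the named user 1001 holds rw- in its own entry but is limited to read access by mask::r--, while the owner's rw- is unaffected because the owner entry jumps to check_perm and never reaches the mask loop.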