Chapter 11: Extended Attributes and Access Control Lists
	/* Body of posix_acl_chmod_masq(): group_obj and mask_obj are the
	 * ACL_GROUP_OBJ and ACL_MASK entries, both NULL at function entry. */
	struct posix_acl_entry *pa, *pe;

	/* assert(atomic_read(acl->a_refcount) == 1); */

	FOREACH_ACL_ENTRY(pa, acl, pe) {
		switch(pa->e_tag) {
		case ACL_USER_OBJ:
			/* owner bits of the new mode go straight into the owner entry */
			pa->e_perm = (mode & S_IRWXU) >> 6;
			break;

		case ACL_USER:
		case ACL_GROUP:
			/* named user and group entries are not touched by chmod */
			break;

		case ACL_GROUP_OBJ:
			group_obj = pa;
			break;

		case ACL_MASK:
			mask_obj = pa;
			break;

		case ACL_OTHER:
			/* other bits of the new mode go straight into the other entry */
			pa->e_perm = (mode & S_IRWXO);
			break;

		default:
			/* unknown tag: the ACL is malformed */
			return -EIO;
		}
	}

	/* The group bits of the mode land in the mask entry if one exists,
	 * otherwise in the owning-group entry. An ACL without either is malformed. */
	if (mask_obj) {
		mask_obj->e_perm = (mode & S_IRWXG) >> 3;
	} else {
		if (!group_obj)
			return -EIO;
		group_obj->e_perm = (mode & S_IRWXG) >> 3;
	}

	return 0;
}
Permission Checks
Recall that the kernel provides the generic permission checking function generic_permission, which
allows for integration of a filesystem-specific handler for ACL checks. Indeed, Ext3 makes use of this
option: The function ext3_permission (which is, in turn, called by the VFS layer when a permission
check is requested) instructs generic_permission to use ext3_check_acl for the ACL-related work:
fs/ext3/acl.c
int
ext3_permission(struct inode *inode, int mask, struct nameidata *nd)
{
	return generic_permission(inode, mask, ext3_check_acl);
}