From patchwork Tue Aug 1 14:12:52 2017
X-Patchwork-Submitter: Jan Kara
X-Patchwork-Id: 9874703
From: Jan Kara
To: Andrew Morton
Date: Tue, 1 Aug 2017 16:12:52 +0200
Message-Id: <20170801141252.19675-3-jack@suse.cz>
In-Reply-To: <20170801141252.19675-1-jack@suse.cz>
References: <20170801141252.19675-1-jack@suse.cz>
Cc: stable@vger.kernel.org, Jan Kara, ocfs2-devel@oss.oracle.com
Subject: [Ocfs2-devel] [PATCH 2/2] ocfs2: Don't clear SGID when inheriting ACLs

When a new directory 'DIR1' is created in a directory 'DIR0' with the SGID bit set, DIR1 is expected to have the SGID bit set (and owning group equal to the owning group of 'DIR0'). However, when 'DIR0' also has some default ACLs that 'DIR1' inherits, setting these ACLs will result in the SGID bit on 'DIR1' getting cleared if the user is not a member of the owning group.

Fix the problem by moving posix_acl_update_mode() out of ocfs2_set_acl() into ocfs2_iop_set_acl(). That way the function will not be called when inheriting ACLs, which is what we want as it prevents SGID bit clearing and the mode has been properly set by posix_acl_create() anyway. Also posix_acl_chmod() that is calling ocfs2_set_acl() takes care of updating mode itself.

Fixes: 073931017b49d9458aa351605b43a7e34598caef
CC: stable@vger.kernel.org
CC: Joel Becker
CC: ocfs2-devel@oss.oracle.com
Signed-off-by: Jan Kara
--- fs/ocfs2/acl.c | 24 ++++++++++++------------ 1 file changed, 12 insertions(+), 12 deletions(-) diff --git a/fs/ocfs2/acl.c b/fs/ocfs2/acl.c index 3b9c3638a381..40b5cc97f7b0 100644 --- a/fs/ocfs2/acl.c +++ b/fs/ocfs2/acl.c @@ -240,18 +240,6 @@ static int ocfs2_set_acl(handle_t *handle, switch (type) { case ACL_TYPE_ACCESS: name_index = OCFS2_XATTR_INDEX_POSIX_ACL_ACCESS; - if (acl) { - umode_t mode; - - ret = posix_acl_update_mode(inode, &mode, &acl); - if (ret) - return ret; - - ret = ocfs2_acl_set_mode(inode, di_bh, - handle, mode); - if (ret) - return ret; - } break; case ACL_TYPE_DEFAULT: name_index = OCFS2_XATTR_INDEX_POSIX_ACL_DEFAULT; 
@@ -289,7 +277,19 @@ int ocfs2_iop_set_acl(struct inode *inode, struct posix_acl *acl, int type) had_lock = ocfs2_inode_lock_tracker(inode, &bh, 1, &oh); if (had_lock < 0) return had_lock; + if (type == ACL_TYPE_ACCESS && acl) { + umode_t mode; + + status = posix_acl_update_mode(inode, &mode, &acl); + if (status) + goto unlock; + + status = ocfs2_acl_set_mode(inode, bh, NULL, mode); + if (status) + goto unlock; + } status = ocfs2_set_acl(NULL, inode, bh, type, acl, NULL, NULL); +unlock: ocfs2_inode_unlock_tracker(inode, 1, &oh, had_lock); brelse(bh); return status;
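
Review bot: after the removal in the first hunk, the ACL_TYPE_ACCESS case in ocfs2_set_acl() only sets name_index, so the function now depends on every caller having brought the inode mode in line with the ACL beforehand, and nothing in the code says so. A short comment at that case (or above the function) stating that the mode update is the caller's job, done by ocfs2_iop_set_acl(), posix_acl_create() or posix_acl_chmod() as the commit message describes, would keep a future caller from storing an access ACL without the matching mode update.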
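
Review bot: in the second hunk, the mode update and the ACL write in ocfs2_iop_set_acl() both pass a NULL handle (ocfs2_acl_set_mode(inode, bh, NULL, mode) followed by ocfs2_set_acl(NULL, inode, bh, ...)), whereas the removed code passed the caller's handle to ocfs2_acl_set_mode(). If, as the NULL argument suggests, each call then runs in its own transaction, a failure in ocfs2_set_acl() leaves the inode with the new mode but the old ACL. Consider starting one transaction here and passing it to both calls, or say in the commit message why the split is acceptable.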