[thirdparty/systemd.git] / src / shared / acl-util.c

/* SPDX-License-Identifier: LGPL-2.1+ */
/***
  This file is part of systemd.

  Copyright 2011,2013 Lennart Poettering
***/

#include <errno.h>
#include <stdbool.h>

#include "acl-util.h"
#include "alloc-util.h"
#include "string-util.h"
#include "strv.h"
#include "user-util.h"
#include "util.h"

int acl_find_uid(acl_t acl, uid_t uid, acl_entry_t *entry) {
        acl_entry_t i;
        int r;

        assert(acl);
        assert(entry);

        for (r = acl_get_entry(acl, ACL_FIRST_ENTRY, &i);
             r > 0;
             r = acl_get_entry(acl, ACL_NEXT_ENTRY, &i)) {

                acl_tag_t tag;
                uid_t *u;
                bool b;

                if (acl_get_tag_type(i, &tag) < 0)
                        return -errno;

                if (tag != ACL_USER)
                        continue;

                u = acl_get_qualifier(i);
                if (!u)
                        return -errno;

                b = *u == uid;
                acl_free(u);

                if (b) {
                        *entry = i;
                        return 1;
                }
        }
        if (r < 0)
                return -errno;

        return 0;
}

int calc_acl_mask_if_needed(acl_t *acl_p) {
        acl_entry_t i;
        int r;
        bool need = false;

        assert(acl_p);

        for (r = acl_get_entry(*acl_p, ACL_FIRST_ENTRY, &i);
             r > 0;
             r = acl_get_entry(*acl_p, ACL_NEXT_ENTRY, &i)) {
                acl_tag_t tag;

                if (acl_get_tag_type(i, &tag) < 0)
                        return -errno;

                if (tag == ACL_MASK)
                        return 0;

                if (IN_SET(tag, ACL_USER, ACL_GROUP))
                        need = true;
        }
        if (r < 0)
                return -errno;

        if (need && acl_calc_mask(acl_p) < 0)
                return -errno;

        return need;
}

int add_base_acls_if_needed(acl_t *acl_p, const char *path) {
        acl_entry_t i;
        int r;
        bool have_user_obj = false, have_group_obj = false, have_other = false;
        struct stat st;
        _cleanup_(acl_freep) acl_t basic = NULL;

        assert(acl_p);

        for (r = acl_get_entry(*acl_p, ACL_FIRST_ENTRY, &i);
             r > 0;
             r = acl_get_entry(*acl_p, ACL_NEXT_ENTRY, &i)) {
                acl_tag_t tag;

                if (acl_get_tag_type(i, &tag) < 0)
                        return -errno;

                if (tag == ACL_USER_OBJ)
                        have_user_obj = true;
                else if (tag == ACL_GROUP_OBJ)
                        have_group_obj = true;
                else if (tag == ACL_OTHER)
                        have_other = true;
                if (have_user_obj && have_group_obj && have_other)
                        return 0;
        }
        if (r < 0)
                return -errno;

        r = stat(path, &st);
        if (r < 0)
                return -errno;

        basic = acl_from_mode(st.st_mode);
        if (!basic)
                return -errno;

        for (r = acl_get_entry(basic, ACL_FIRST_ENTRY, &i);
             r > 0;
             r = acl_get_entry(basic, ACL_NEXT_ENTRY, &i)) {
                acl_tag_t tag;
                acl_entry_t dst;

                if (acl_get_tag_type(i, &tag) < 0)
                        return -errno;

                if ((tag == ACL_USER_OBJ && have_user_obj) ||
                    (tag == ACL_GROUP_OBJ && have_group_obj) ||
                    (tag == ACL_OTHER && have_other))
                        continue;

                r = acl_create_entry(acl_p, &dst);
                if (r < 0)
                        return -errno;

                r = acl_copy_entry(dst, i);
                if (r < 0)
                        return -errno;
        }
        if (r < 0)
                return -errno;
        return 0;
}

int acl_search_groups(const char *path, char ***ret_groups) {
        _cleanup_strv_free_ char **g = NULL;
        _cleanup_(acl_freep) acl_t acl = NULL;
        bool ret = false;
        acl_entry_t entry;
        int r;

        assert(path);

        acl = acl_get_file(path, ACL_TYPE_DEFAULT);
        if (!acl)
                return -errno;

        r = acl_get_entry(acl, ACL_FIRST_ENTRY, &entry);
        for (;;) {
                _cleanup_(acl_free_gid_tpp) gid_t *gid = NULL;
                acl_tag_t tag;

                if (r < 0)
                        return -errno;
                if (r == 0)
                        break;

                if (acl_get_tag_type(entry, &tag) < 0)
                        return -errno;

                if (tag != ACL_GROUP)
                        goto next;

                gid = acl_get_qualifier(entry);
                if (!gid)
                        return -errno;

                if (in_gid(*gid) > 0) {
                        if (!ret_groups)
                                return true;

                        ret = true;
                }

                if (ret_groups) {
                        char *name;

                        name = gid_to_name(*gid);
                        if (!name)
                                return -ENOMEM;

                        r = strv_consume(&g, name);
                        if (r < 0)
                                return r;
                }

        next:
                r = acl_get_entry(acl, ACL_NEXT_ENTRY, &entry);
        }

        if (ret_groups)
                *ret_groups = TAKE_PTR(g);

        return ret;
}

int parse_acl(const char *text, acl_t *acl_access, acl_t *acl_default, bool want_mask) {
        _cleanup_free_ char **a = NULL, **d = NULL; /* strings are not freed */
        _cleanup_strv_free_ char **split;
        char **entry;
        int r = -EINVAL;
        _cleanup_(acl_freep) acl_t a_acl = NULL, d_acl = NULL;

        split = strv_split(text, ",");
        if (!split)
                return -ENOMEM;

        STRV_FOREACH(entry, split) {
                char *p;

                p = startswith(*entry, "default:");
                if (!p)
                        p = startswith(*entry, "d:");

                if (p)
                        r = strv_push(&d, p);
                else
                        r = strv_push(&a, *entry);
                if (r < 0)
                        return r;
        }

        if (!strv_isempty(a)) {
                _cleanup_free_ char *join;

                join = strv_join(a, ",");
                if (!join)
                        return -ENOMEM;

                a_acl = acl_from_text(join);
                if (!a_acl)
                        return -errno;

                if (want_mask) {
                        r = calc_acl_mask_if_needed(&a_acl);
                        if (r < 0)
                                return r;
                }
        }

        if (!strv_isempty(d)) {
                _cleanup_free_ char *join;

                join = strv_join(d, ",");
                if (!join)
                        return -ENOMEM;

                d_acl = acl_from_text(join);
                if (!d_acl)
                        return -errno;

                if (want_mask) {
                        r = calc_acl_mask_if_needed(&d_acl);
                        if (r < 0)
                                return r;
                }
        }

        *acl_access = TAKE_PTR(a_acl);
        *acl_default = TAKE_PTR(d_acl);

        return 0;
}

static int acl_entry_equal(acl_entry_t a, acl_entry_t b) {
        acl_tag_t tag_a, tag_b;

        if (acl_get_tag_type(a, &tag_a) < 0)
                return -errno;

        if (acl_get_tag_type(b, &tag_b) < 0)
                return -errno;

        if (tag_a != tag_b)
                return false;

        switch (tag_a) {
        case ACL_USER_OBJ:
        case ACL_GROUP_OBJ:
        case ACL_MASK:
        case ACL_OTHER:
                /* can have only one of those */
                return true;
        case ACL_USER: {
                _cleanup_(acl_free_uid_tpp) uid_t *uid_a = NULL, *uid_b = NULL;

                uid_a = acl_get_qualifier(a);
                if (!uid_a)
                        return -errno;

                uid_b = acl_get_qualifier(b);
                if (!uid_b)
                        return -errno;

                return *uid_a == *uid_b;
        }
        case ACL_GROUP: {
                _cleanup_(acl_free_gid_tpp) gid_t *gid_a = NULL, *gid_b = NULL;

                gid_a = acl_get_qualifier(a);
                if (!gid_a)
                        return -errno;

                gid_b = acl_get_qualifier(b);
                if (!gid_b)
                        return -errno;

                return *gid_a == *gid_b;
        }
        default:
                assert_not_reached("Unknown acl tag type");
        }
}

static int find_acl_entry(acl_t acl, acl_entry_t entry, acl_entry_t *out) {
        acl_entry_t i;
        int r;

        for (r = acl_get_entry(acl, ACL_FIRST_ENTRY, &i);
             r > 0;
             r = acl_get_entry(acl, ACL_NEXT_ENTRY, &i)) {

                r = acl_entry_equal(i, entry);
                if (r < 0)
                        return r;
                if (r > 0) {
                        *out = i;
                        return 1;
                }
        }
        if (r < 0)
                return -errno;
        return 0;
}

int acls_for_file(const char *path, acl_type_t type, acl_t new, acl_t *acl) {
        _cleanup_(acl_freep) acl_t old;
        acl_entry_t i;
        int r;

        old = acl_get_file(path, type);
        if (!old)
                return -errno;

        for (r = acl_get_entry(new, ACL_FIRST_ENTRY, &i);
             r > 0;
             r = acl_get_entry(new, ACL_NEXT_ENTRY, &i)) {

                acl_entry_t j;

                r = find_acl_entry(old, i, &j);
                if (r < 0)
                        return r;
                if (r == 0)
                        if (acl_create_entry(&old, &j) < 0)
                                return -errno;

                if (acl_copy_entry(j, i) < 0)
                        return -errno;
        }
        if (r < 0)
                return -errno;

        *acl = TAKE_PTR(old);

        return 0;
}

int add_acls_for_user(int fd, uid_t uid) {
        _cleanup_(acl_freep) acl_t acl = NULL;
        acl_entry_t entry;
        acl_permset_t permset;
        int r;

        acl = acl_get_fd(fd);
        if (!acl)
                return -errno;

        r = acl_find_uid(acl, uid, &entry);
        if (r <= 0) {
                if (acl_create_entry(&acl, &entry) < 0 ||
                    acl_set_tag_type(entry, ACL_USER) < 0 ||
                    acl_set_qualifier(entry, &uid) < 0)
                        return -errno;
        }

        /* We do not recalculate the mask unconditionally here,
         * so that the fchmod() mask above stays intact. */
        if (acl_get_permset(entry, &permset) < 0 ||
            acl_add_perm(permset, ACL_READ) < 0)
                return -errno;

        r = calc_acl_mask_if_needed(&acl);
        if (r < 0)
                return r;

        return acl_set_fd(fd, acl);
}
Commit	Line	Data
53e1b683	1	/* SPDX-License-Identifier: LGPL-2.1+ */
f4b47811 LP	2	/***
	3	This file is part of systemd.
	4
478c8269	5	Copyright 2011,2013 Lennart Poettering
f4b47811 LP	6	***/
f4b47811 LP	7
f4b47811 LP	8	#include <errno.h>
	9	#include <stdbool.h>
	10
b1d4f8e1	11	#include "acl-util.h"
cf0fbc49	12	#include "alloc-util.h"
07630cea	13	#include "string-util.h"
478c8269	14	#include "strv.h"
b1d4f8e1	15	#include "user-util.h"
07630cea	16	#include "util.h"
f4b47811 LP	17
	18	int acl_find_uid(acl_t acl, uid_t uid, acl_entry_t *entry) {
	19	acl_entry_t i;
dd4105b0	20	int r;
f4b47811 LP	21
	22	assert(acl);
	23	assert(entry);
	24
dd4105b0 ZJS	25	for (r = acl_get_entry(acl, ACL_FIRST_ENTRY, &i);
	26	r > 0;
	27	r = acl_get_entry(acl, ACL_NEXT_ENTRY, &i)) {
f4b47811 LP	28
	29	acl_tag_t tag;
	30	uid_t *u;
	31	bool b;
	32
	33	if (acl_get_tag_type(i, &tag) < 0)
	34	return -errno;
	35
	36	if (tag != ACL_USER)
	37	continue;
	38
	39	u = acl_get_qualifier(i);
	40	if (!u)
	41	return -errno;
	42
	43	b = *u == uid;
	44	acl_free(u);
	45
	46	if (b) {
	47	*entry = i;
	48	return 1;
	49	}
	50	}
dd4105b0	51	if (r < 0)
f4b47811 LP	52	return -errno;
	53
	54	return 0;
	55	}
478c8269	56
23ad4dd8 JAS	57	int calc_acl_mask_if_needed(acl_t *acl_p) {
23ad4dd8 JAS	58	acl_entry_t i;
dd4105b0	59	int r;
6debb398	60	bool need = false;
23ad4dd8 JAS	61
	62	assert(acl_p);
	63
dd4105b0 ZJS	64	for (r = acl_get_entry(*acl_p, ACL_FIRST_ENTRY, &i);
	65	r > 0;
	66	r = acl_get_entry(*acl_p, ACL_NEXT_ENTRY, &i)) {
23ad4dd8 JAS	67	acl_tag_t tag;
	68
	69	if (acl_get_tag_type(i, &tag) < 0)
	70	return -errno;
	71
	72	if (tag == ACL_MASK)
	73	return 0;
e346512c	74
6debb398 ZJS	75	if (IN_SET(tag, ACL_USER, ACL_GROUP))
6debb398 ZJS	76	need = true;
23ad4dd8	77	}
dd4105b0	78	if (r < 0)
23ad4dd8 JAS	79	return -errno;
23ad4dd8 JAS	80
6debb398 ZJS	81	if (need && acl_calc_mask(acl_p) < 0)
	82	return -errno;
	83
	84	return need;
dd4105b0 ZJS	85	}
	86
	87	int add_base_acls_if_needed(acl_t acl_p, const char path) {
	88	acl_entry_t i;
	89	int r;
	90	bool have_user_obj = false, have_group_obj = false, have_other = false;
	91	struct stat st;
	92	_cleanup_(acl_freep) acl_t basic = NULL;
	93
	94	assert(acl_p);
	95
	96	for (r = acl_get_entry(*acl_p, ACL_FIRST_ENTRY, &i);
	97	r > 0;
	98	r = acl_get_entry(*acl_p, ACL_NEXT_ENTRY, &i)) {
	99	acl_tag_t tag;
	100
	101	if (acl_get_tag_type(i, &tag) < 0)
	102	return -errno;
	103
	104	if (tag == ACL_USER_OBJ)
	105	have_user_obj = true;
	106	else if (tag == ACL_GROUP_OBJ)
	107	have_group_obj = true;
	108	else if (tag == ACL_OTHER)
	109	have_other = true;
	110	if (have_user_obj && have_group_obj && have_other)
	111	return 0;
	112	}
	113	if (r < 0)
	114	return -errno;
23ad4dd8	115
dd4105b0 ZJS	116	r = stat(path, &st);
	117	if (r < 0)
	118	return -errno;
	119
	120	basic = acl_from_mode(st.st_mode);
	121	if (!basic)
	122	return -errno;
	123
	124	for (r = acl_get_entry(basic, ACL_FIRST_ENTRY, &i);
	125	r > 0;
	126	r = acl_get_entry(basic, ACL_NEXT_ENTRY, &i)) {
	127	acl_tag_t tag;
	128	acl_entry_t dst;
	129
	130	if (acl_get_tag_type(i, &tag) < 0)
	131	return -errno;
	132
	133	if ((tag == ACL_USER_OBJ && have_user_obj) \|\|
	134	(tag == ACL_GROUP_OBJ && have_group_obj) \|\|
	135	(tag == ACL_OTHER && have_other))
	136	continue;
	137
	138	r = acl_create_entry(acl_p, &dst);
	139	if (r < 0)
	140	return -errno;
	141
	142	r = acl_copy_entry(dst, i);
	143	if (r < 0)
	144	return -errno;
	145	}
	146	if (r < 0)
	147	return -errno;
23ad4dd8 JAS	148	return 0;
	149	}
	150
e346512c LP	151	int acl_search_groups(const char path, char **ret_groups) {
e346512c LP	152	_cleanup_strv_free_ char **g = NULL;
29d87223	153	_cleanup_(acl_freep) acl_t acl = NULL;
e346512c LP	154	bool ret = false;
	155	acl_entry_t entry;
	156	int r;
478c8269 ZJS	157
478c8269 ZJS	158	assert(path);
478c8269 ZJS	159
478c8269 ZJS	160	acl = acl_get_file(path, ACL_TYPE_DEFAULT);
e346512c LP	161	if (!acl)
e346512c LP	162	return -errno;
478c8269	163
e346512c LP	164	r = acl_get_entry(acl, ACL_FIRST_ENTRY, &entry);
	165	for (;;) {
	166	_cleanup_(acl_free_gid_tpp) gid_t *gid = NULL;
	167	acl_tag_t tag;
478c8269	168
e346512c LP	169	if (r < 0)
	170	return -errno;
	171	if (r == 0)
	172	break;
478c8269	173
e346512c LP	174	if (acl_get_tag_type(entry, &tag) < 0)
	175	return -errno;
	176
	177	if (tag != ACL_GROUP)
	178	goto next;
	179
	180	gid = acl_get_qualifier(entry);
	181	if (!gid)
	182	return -errno;
478c8269	183
e346512c LP	184	if (in_gid(*gid) > 0) {
	185	if (!ret_groups)
	186	return true;
	187
	188	ret = true;
	189	}
	190
	191	if (ret_groups) {
	192	char *name;
478c8269 ZJS	193
478c8269 ZJS	194	name = gid_to_name(*gid);
e346512c LP	195	if (!name)
	196	return -ENOMEM;
	197
	198	r = strv_consume(&g, name);
	199	if (r < 0)
	200	return r;
478c8269 ZJS	201	}
478c8269 ZJS	202
e346512c LP	203	next:
e346512c LP	204	r = acl_get_entry(acl, ACL_NEXT_ENTRY, &entry);
478c8269 ZJS	205	}
478c8269 ZJS	206
1cc6c93a YW	207	if (ret_groups)
1cc6c93a YW	208	*ret_groups = TAKE_PTR(g);
e346512c LP	209
e346512c LP	210	return ret;
478c8269	211	}
f8eeeaf9	212
e738c945	213	int parse_acl(const char text, acl_t acl_access, acl_t *acl_default, bool want_mask) {
848f0178	214	_cleanup_free_ char a = NULL, d = NULL; /* strings are not freed */
f8eeeaf9 ZJS	215	_cleanup_strv_free_ char **split;
	216	char **entry;
	217	int r = -EINVAL;
	218	_cleanup_(acl_freep) acl_t a_acl = NULL, d_acl = NULL;
	219
	220	split = strv_split(text, ",");
	221	if (!split)
e738c945	222	return -ENOMEM;
f8eeeaf9 ZJS	223
	224	STRV_FOREACH(entry, split) {
	225	char *p;
	226
	227	p = startswith(*entry, "default:");
	228	if (!p)
	229	p = startswith(*entry, "d:");
	230
	231	if (p)
	232	r = strv_push(&d, p);
	233	else
	234	r = strv_push(&a, *entry);
e738c945 LP	235	if (r < 0)
e738c945 LP	236	return r;
f8eeeaf9	237	}
f8eeeaf9 ZJS	238
	239	if (!strv_isempty(a)) {
	240	_cleanup_free_ char *join;
	241
	242	join = strv_join(a, ",");
	243	if (!join)
	244	return -ENOMEM;
	245
	246	a_acl = acl_from_text(join);
	247	if (!a_acl)
e738c945	248	return -errno;
f8eeeaf9	249
50d9e46d ZJS	250	if (want_mask) {
	251	r = calc_acl_mask_if_needed(&a_acl);
	252	if (r < 0)
	253	return r;
	254	}
f8eeeaf9 ZJS	255	}
	256
	257	if (!strv_isempty(d)) {
	258	_cleanup_free_ char *join;
	259
	260	join = strv_join(d, ",");
	261	if (!join)
	262	return -ENOMEM;
	263
	264	d_acl = acl_from_text(join);
	265	if (!d_acl)
e738c945	266	return -errno;
f8eeeaf9	267
50d9e46d ZJS	268	if (want_mask) {
	269	r = calc_acl_mask_if_needed(&d_acl);
	270	if (r < 0)
	271	return r;
	272	}
f8eeeaf9 ZJS	273	}
f8eeeaf9 ZJS	274
1cc6c93a YW	275	*acl_access = TAKE_PTR(a_acl);
1cc6c93a YW	276	*acl_default = TAKE_PTR(d_acl);
e738c945	277
f8eeeaf9 ZJS	278	return 0;
f8eeeaf9 ZJS	279	}
50d9e46d	280
1c73f3bc ZJS	281	static int acl_entry_equal(acl_entry_t a, acl_entry_t b) {
	282	acl_tag_t tag_a, tag_b;
	283
	284	if (acl_get_tag_type(a, &tag_a) < 0)
	285	return -errno;
	286
	287	if (acl_get_tag_type(b, &tag_b) < 0)
	288	return -errno;
	289
	290	if (tag_a != tag_b)
	291	return false;
	292
	293	switch (tag_a) {
	294	case ACL_USER_OBJ:
	295	case ACL_GROUP_OBJ:
	296	case ACL_MASK:
	297	case ACL_OTHER:
	298	/* can have only one of those */
	299	return true;
	300	case ACL_USER: {
76dcbc49	301	_cleanup_(acl_free_uid_tpp) uid_t uid_a = NULL, uid_b = NULL;
1c73f3bc ZJS	302
	303	uid_a = acl_get_qualifier(a);
	304	if (!uid_a)
	305	return -errno;
	306
	307	uid_b = acl_get_qualifier(b);
	308	if (!uid_b)
	309	return -errno;
	310
	311	return uid_a == uid_b;
	312	}
	313	case ACL_GROUP: {
76dcbc49	314	_cleanup_(acl_free_gid_tpp) gid_t gid_a = NULL, gid_b = NULL;
1c73f3bc ZJS	315
	316	gid_a = acl_get_qualifier(a);
	317	if (!gid_a)
	318	return -errno;
	319
	320	gid_b = acl_get_qualifier(b);
	321	if (!gid_b)
	322	return -errno;
	323
	324	return gid_a == gid_b;
	325	}
	326	default:
	327	assert_not_reached("Unknown acl tag type");
	328	}
	329	}
	330
	331	static int find_acl_entry(acl_t acl, acl_entry_t entry, acl_entry_t *out) {
	332	acl_entry_t i;
	333	int r;
	334
	335	for (r = acl_get_entry(acl, ACL_FIRST_ENTRY, &i);
	336	r > 0;
	337	r = acl_get_entry(acl, ACL_NEXT_ENTRY, &i)) {
	338
	339	r = acl_entry_equal(i, entry);
	340	if (r < 0)
	341	return r;
	342	if (r > 0) {
	343	*out = i;
	344	return 1;
	345	}
	346	}
	347	if (r < 0)
	348	return -errno;
	349	return 0;
	350	}
	351
50d9e46d ZJS	352	int acls_for_file(const char path, acl_type_t type, acl_t new, acl_t acl) {
	353	_cleanup_(acl_freep) acl_t old;
	354	acl_entry_t i;
dd4105b0	355	int r;
50d9e46d ZJS	356
	357	old = acl_get_file(path, type);
	358	if (!old)
	359	return -errno;
	360
dd4105b0 ZJS	361	for (r = acl_get_entry(new, ACL_FIRST_ENTRY, &i);
	362	r > 0;
	363	r = acl_get_entry(new, ACL_NEXT_ENTRY, &i)) {
50d9e46d ZJS	364
	365	acl_entry_t j;
	366
1c73f3bc ZJS	367	r = find_acl_entry(old, i, &j);
	368	if (r < 0)
	369	return r;
	370	if (r == 0)
	371	if (acl_create_entry(&old, &j) < 0)
	372	return -errno;
50d9e46d ZJS	373
	374	if (acl_copy_entry(j, i) < 0)
	375	return -errno;
	376	}
50d9e46d	377	if (r < 0)
dd4105b0	378	return -errno;
50d9e46d	379
1cc6c93a YW	380	*acl = TAKE_PTR(old);
1cc6c93a YW	381
50d9e46d ZJS	382	return 0;
50d9e46d ZJS	383	}
5c3bde3f ZJS	384
	385	int add_acls_for_user(int fd, uid_t uid) {
	386	_cleanup_(acl_freep) acl_t acl = NULL;
	387	acl_entry_t entry;
	388	acl_permset_t permset;
	389	int r;
	390
	391	acl = acl_get_fd(fd);
	392	if (!acl)
	393	return -errno;
	394
	395	r = acl_find_uid(acl, uid, &entry);
	396	if (r <= 0) {
	397	if (acl_create_entry(&acl, &entry) < 0 \|\|
	398	acl_set_tag_type(entry, ACL_USER) < 0 \|\|
	399	acl_set_qualifier(entry, &uid) < 0)
	400	return -errno;
	401	}
	402
	403	/* We do not recalculate the mask unconditionally here,
	404	* so that the fchmod() mask above stays intact. */
	405	if (acl_get_permset(entry, &permset) < 0 \|\|
	406	acl_add_perm(permset, ACL_READ) < 0)
	407	return -errno;
	408
	409	r = calc_acl_mask_if_needed(&acl);
	410	if (r < 0)
	411	return r;
	412
	413	return acl_set_fd(fd, acl);
	414	}