]>
Commit | Line | Data |
---|---|---|
53e1b683 | 1 | /* SPDX-License-Identifier: LGPL-2.1+ */ |
f4b47811 | 2 | |
f4b47811 LP |
3 | #include <errno.h> |
4 | #include <stdbool.h> | |
5 | ||
b1d4f8e1 | 6 | #include "acl-util.h" |
cf0fbc49 | 7 | #include "alloc-util.h" |
07630cea | 8 | #include "string-util.h" |
478c8269 | 9 | #include "strv.h" |
b1d4f8e1 | 10 | #include "user-util.h" |
07630cea | 11 | #include "util.h" |
f4b47811 LP |
12 | |
13 | int acl_find_uid(acl_t acl, uid_t uid, acl_entry_t *entry) { | |
14 | acl_entry_t i; | |
dd4105b0 | 15 | int r; |
f4b47811 LP |
16 | |
17 | assert(acl); | |
18 | assert(entry); | |
19 | ||
dd4105b0 ZJS |
20 | for (r = acl_get_entry(acl, ACL_FIRST_ENTRY, &i); |
21 | r > 0; | |
22 | r = acl_get_entry(acl, ACL_NEXT_ENTRY, &i)) { | |
f4b47811 LP |
23 | |
24 | acl_tag_t tag; | |
25 | uid_t *u; | |
26 | bool b; | |
27 | ||
28 | if (acl_get_tag_type(i, &tag) < 0) | |
29 | return -errno; | |
30 | ||
31 | if (tag != ACL_USER) | |
32 | continue; | |
33 | ||
34 | u = acl_get_qualifier(i); | |
35 | if (!u) | |
36 | return -errno; | |
37 | ||
38 | b = *u == uid; | |
39 | acl_free(u); | |
40 | ||
41 | if (b) { | |
42 | *entry = i; | |
43 | return 1; | |
44 | } | |
45 | } | |
dd4105b0 | 46 | if (r < 0) |
f4b47811 LP |
47 | return -errno; |
48 | ||
49 | return 0; | |
50 | } | |
478c8269 | 51 | |
23ad4dd8 JAS |
52 | int calc_acl_mask_if_needed(acl_t *acl_p) { |
53 | acl_entry_t i; | |
dd4105b0 | 54 | int r; |
6debb398 | 55 | bool need = false; |
23ad4dd8 JAS |
56 | |
57 | assert(acl_p); | |
58 | ||
dd4105b0 ZJS |
59 | for (r = acl_get_entry(*acl_p, ACL_FIRST_ENTRY, &i); |
60 | r > 0; | |
61 | r = acl_get_entry(*acl_p, ACL_NEXT_ENTRY, &i)) { | |
23ad4dd8 JAS |
62 | acl_tag_t tag; |
63 | ||
64 | if (acl_get_tag_type(i, &tag) < 0) | |
65 | return -errno; | |
66 | ||
67 | if (tag == ACL_MASK) | |
68 | return 0; | |
e346512c | 69 | |
6debb398 ZJS |
70 | if (IN_SET(tag, ACL_USER, ACL_GROUP)) |
71 | need = true; | |
23ad4dd8 | 72 | } |
dd4105b0 | 73 | if (r < 0) |
23ad4dd8 JAS |
74 | return -errno; |
75 | ||
6debb398 ZJS |
76 | if (need && acl_calc_mask(acl_p) < 0) |
77 | return -errno; | |
78 | ||
79 | return need; | |
dd4105b0 ZJS |
80 | } |
81 | ||
82 | int add_base_acls_if_needed(acl_t *acl_p, const char *path) { | |
83 | acl_entry_t i; | |
84 | int r; | |
85 | bool have_user_obj = false, have_group_obj = false, have_other = false; | |
86 | struct stat st; | |
87 | _cleanup_(acl_freep) acl_t basic = NULL; | |
88 | ||
89 | assert(acl_p); | |
90 | ||
91 | for (r = acl_get_entry(*acl_p, ACL_FIRST_ENTRY, &i); | |
92 | r > 0; | |
93 | r = acl_get_entry(*acl_p, ACL_NEXT_ENTRY, &i)) { | |
94 | acl_tag_t tag; | |
95 | ||
96 | if (acl_get_tag_type(i, &tag) < 0) | |
97 | return -errno; | |
98 | ||
99 | if (tag == ACL_USER_OBJ) | |
100 | have_user_obj = true; | |
101 | else if (tag == ACL_GROUP_OBJ) | |
102 | have_group_obj = true; | |
103 | else if (tag == ACL_OTHER) | |
104 | have_other = true; | |
105 | if (have_user_obj && have_group_obj && have_other) | |
106 | return 0; | |
107 | } | |
108 | if (r < 0) | |
109 | return -errno; | |
23ad4dd8 | 110 | |
dd4105b0 ZJS |
111 | r = stat(path, &st); |
112 | if (r < 0) | |
113 | return -errno; | |
114 | ||
115 | basic = acl_from_mode(st.st_mode); | |
116 | if (!basic) | |
117 | return -errno; | |
118 | ||
119 | for (r = acl_get_entry(basic, ACL_FIRST_ENTRY, &i); | |
120 | r > 0; | |
121 | r = acl_get_entry(basic, ACL_NEXT_ENTRY, &i)) { | |
122 | acl_tag_t tag; | |
123 | acl_entry_t dst; | |
124 | ||
125 | if (acl_get_tag_type(i, &tag) < 0) | |
126 | return -errno; | |
127 | ||
128 | if ((tag == ACL_USER_OBJ && have_user_obj) || | |
129 | (tag == ACL_GROUP_OBJ && have_group_obj) || | |
130 | (tag == ACL_OTHER && have_other)) | |
131 | continue; | |
132 | ||
133 | r = acl_create_entry(acl_p, &dst); | |
134 | if (r < 0) | |
135 | return -errno; | |
136 | ||
137 | r = acl_copy_entry(dst, i); | |
138 | if (r < 0) | |
139 | return -errno; | |
140 | } | |
141 | if (r < 0) | |
142 | return -errno; | |
23ad4dd8 JAS |
143 | return 0; |
144 | } | |
145 | ||
e346512c LP |
146 | int acl_search_groups(const char *path, char ***ret_groups) { |
147 | _cleanup_strv_free_ char **g = NULL; | |
29d87223 | 148 | _cleanup_(acl_freep) acl_t acl = NULL; |
e346512c LP |
149 | bool ret = false; |
150 | acl_entry_t entry; | |
151 | int r; | |
478c8269 ZJS |
152 | |
153 | assert(path); | |
478c8269 ZJS |
154 | |
155 | acl = acl_get_file(path, ACL_TYPE_DEFAULT); | |
e346512c LP |
156 | if (!acl) |
157 | return -errno; | |
478c8269 | 158 | |
e346512c LP |
159 | r = acl_get_entry(acl, ACL_FIRST_ENTRY, &entry); |
160 | for (;;) { | |
161 | _cleanup_(acl_free_gid_tpp) gid_t *gid = NULL; | |
162 | acl_tag_t tag; | |
478c8269 | 163 | |
e346512c LP |
164 | if (r < 0) |
165 | return -errno; | |
166 | if (r == 0) | |
167 | break; | |
478c8269 | 168 | |
e346512c LP |
169 | if (acl_get_tag_type(entry, &tag) < 0) |
170 | return -errno; | |
171 | ||
172 | if (tag != ACL_GROUP) | |
173 | goto next; | |
174 | ||
175 | gid = acl_get_qualifier(entry); | |
176 | if (!gid) | |
177 | return -errno; | |
478c8269 | 178 | |
e346512c LP |
179 | if (in_gid(*gid) > 0) { |
180 | if (!ret_groups) | |
181 | return true; | |
182 | ||
183 | ret = true; | |
184 | } | |
185 | ||
186 | if (ret_groups) { | |
187 | char *name; | |
478c8269 ZJS |
188 | |
189 | name = gid_to_name(*gid); | |
e346512c LP |
190 | if (!name) |
191 | return -ENOMEM; | |
192 | ||
193 | r = strv_consume(&g, name); | |
194 | if (r < 0) | |
195 | return r; | |
478c8269 ZJS |
196 | } |
197 | ||
e346512c LP |
198 | next: |
199 | r = acl_get_entry(acl, ACL_NEXT_ENTRY, &entry); | |
478c8269 ZJS |
200 | } |
201 | ||
1cc6c93a YW |
202 | if (ret_groups) |
203 | *ret_groups = TAKE_PTR(g); | |
e346512c LP |
204 | |
205 | return ret; | |
478c8269 | 206 | } |
f8eeeaf9 | 207 | |
e738c945 | 208 | int parse_acl(const char *text, acl_t *acl_access, acl_t *acl_default, bool want_mask) { |
848f0178 | 209 | _cleanup_free_ char **a = NULL, **d = NULL; /* strings are not freed */ |
f8eeeaf9 ZJS |
210 | _cleanup_strv_free_ char **split; |
211 | char **entry; | |
212 | int r = -EINVAL; | |
213 | _cleanup_(acl_freep) acl_t a_acl = NULL, d_acl = NULL; | |
214 | ||
215 | split = strv_split(text, ","); | |
216 | if (!split) | |
e738c945 | 217 | return -ENOMEM; |
f8eeeaf9 ZJS |
218 | |
219 | STRV_FOREACH(entry, split) { | |
220 | char *p; | |
221 | ||
49fe5c09 | 222 | p = STARTSWITH_SET(*entry, "default:", "d:"); |
f2ea9cc7 Y |
223 | if (p) |
224 | r = strv_push(&d, p); | |
225 | else | |
226 | r = strv_push(&a, *entry); | |
e738c945 LP |
227 | if (r < 0) |
228 | return r; | |
f8eeeaf9 | 229 | } |
f8eeeaf9 ZJS |
230 | |
231 | if (!strv_isempty(a)) { | |
232 | _cleanup_free_ char *join; | |
233 | ||
234 | join = strv_join(a, ","); | |
235 | if (!join) | |
236 | return -ENOMEM; | |
237 | ||
238 | a_acl = acl_from_text(join); | |
239 | if (!a_acl) | |
e738c945 | 240 | return -errno; |
f8eeeaf9 | 241 | |
50d9e46d ZJS |
242 | if (want_mask) { |
243 | r = calc_acl_mask_if_needed(&a_acl); | |
244 | if (r < 0) | |
245 | return r; | |
246 | } | |
f8eeeaf9 ZJS |
247 | } |
248 | ||
249 | if (!strv_isempty(d)) { | |
250 | _cleanup_free_ char *join; | |
251 | ||
252 | join = strv_join(d, ","); | |
253 | if (!join) | |
254 | return -ENOMEM; | |
255 | ||
256 | d_acl = acl_from_text(join); | |
257 | if (!d_acl) | |
e738c945 | 258 | return -errno; |
f8eeeaf9 | 259 | |
50d9e46d ZJS |
260 | if (want_mask) { |
261 | r = calc_acl_mask_if_needed(&d_acl); | |
262 | if (r < 0) | |
263 | return r; | |
264 | } | |
f8eeeaf9 ZJS |
265 | } |
266 | ||
1cc6c93a YW |
267 | *acl_access = TAKE_PTR(a_acl); |
268 | *acl_default = TAKE_PTR(d_acl); | |
e738c945 | 269 | |
f8eeeaf9 ZJS |
270 | return 0; |
271 | } | |
50d9e46d | 272 | |
1c73f3bc ZJS |
273 | static int acl_entry_equal(acl_entry_t a, acl_entry_t b) { |
274 | acl_tag_t tag_a, tag_b; | |
275 | ||
276 | if (acl_get_tag_type(a, &tag_a) < 0) | |
277 | return -errno; | |
278 | ||
279 | if (acl_get_tag_type(b, &tag_b) < 0) | |
280 | return -errno; | |
281 | ||
282 | if (tag_a != tag_b) | |
283 | return false; | |
284 | ||
285 | switch (tag_a) { | |
286 | case ACL_USER_OBJ: | |
287 | case ACL_GROUP_OBJ: | |
288 | case ACL_MASK: | |
289 | case ACL_OTHER: | |
290 | /* can have only one of those */ | |
291 | return true; | |
292 | case ACL_USER: { | |
76dcbc49 | 293 | _cleanup_(acl_free_uid_tpp) uid_t *uid_a = NULL, *uid_b = NULL; |
1c73f3bc ZJS |
294 | |
295 | uid_a = acl_get_qualifier(a); | |
296 | if (!uid_a) | |
297 | return -errno; | |
298 | ||
299 | uid_b = acl_get_qualifier(b); | |
300 | if (!uid_b) | |
301 | return -errno; | |
302 | ||
303 | return *uid_a == *uid_b; | |
304 | } | |
305 | case ACL_GROUP: { | |
76dcbc49 | 306 | _cleanup_(acl_free_gid_tpp) gid_t *gid_a = NULL, *gid_b = NULL; |
1c73f3bc ZJS |
307 | |
308 | gid_a = acl_get_qualifier(a); | |
309 | if (!gid_a) | |
310 | return -errno; | |
311 | ||
312 | gid_b = acl_get_qualifier(b); | |
313 | if (!gid_b) | |
314 | return -errno; | |
315 | ||
316 | return *gid_a == *gid_b; | |
317 | } | |
318 | default: | |
319 | assert_not_reached("Unknown acl tag type"); | |
320 | } | |
321 | } | |
322 | ||
323 | static int find_acl_entry(acl_t acl, acl_entry_t entry, acl_entry_t *out) { | |
324 | acl_entry_t i; | |
325 | int r; | |
326 | ||
327 | for (r = acl_get_entry(acl, ACL_FIRST_ENTRY, &i); | |
328 | r > 0; | |
329 | r = acl_get_entry(acl, ACL_NEXT_ENTRY, &i)) { | |
330 | ||
331 | r = acl_entry_equal(i, entry); | |
332 | if (r < 0) | |
333 | return r; | |
334 | if (r > 0) { | |
335 | *out = i; | |
336 | return 1; | |
337 | } | |
338 | } | |
339 | if (r < 0) | |
340 | return -errno; | |
341 | return 0; | |
342 | } | |
343 | ||
50d9e46d ZJS |
344 | int acls_for_file(const char *path, acl_type_t type, acl_t new, acl_t *acl) { |
345 | _cleanup_(acl_freep) acl_t old; | |
346 | acl_entry_t i; | |
dd4105b0 | 347 | int r; |
50d9e46d ZJS |
348 | |
349 | old = acl_get_file(path, type); | |
350 | if (!old) | |
351 | return -errno; | |
352 | ||
dd4105b0 ZJS |
353 | for (r = acl_get_entry(new, ACL_FIRST_ENTRY, &i); |
354 | r > 0; | |
355 | r = acl_get_entry(new, ACL_NEXT_ENTRY, &i)) { | |
50d9e46d ZJS |
356 | |
357 | acl_entry_t j; | |
358 | ||
1c73f3bc ZJS |
359 | r = find_acl_entry(old, i, &j); |
360 | if (r < 0) | |
361 | return r; | |
362 | if (r == 0) | |
363 | if (acl_create_entry(&old, &j) < 0) | |
364 | return -errno; | |
50d9e46d ZJS |
365 | |
366 | if (acl_copy_entry(j, i) < 0) | |
367 | return -errno; | |
368 | } | |
50d9e46d | 369 | if (r < 0) |
dd4105b0 | 370 | return -errno; |
50d9e46d | 371 | |
1cc6c93a YW |
372 | *acl = TAKE_PTR(old); |
373 | ||
50d9e46d ZJS |
374 | return 0; |
375 | } | |
5c3bde3f ZJS |
376 | |
377 | int add_acls_for_user(int fd, uid_t uid) { | |
378 | _cleanup_(acl_freep) acl_t acl = NULL; | |
379 | acl_entry_t entry; | |
380 | acl_permset_t permset; | |
381 | int r; | |
382 | ||
383 | acl = acl_get_fd(fd); | |
384 | if (!acl) | |
385 | return -errno; | |
386 | ||
387 | r = acl_find_uid(acl, uid, &entry); | |
388 | if (r <= 0) { | |
389 | if (acl_create_entry(&acl, &entry) < 0 || | |
390 | acl_set_tag_type(entry, ACL_USER) < 0 || | |
391 | acl_set_qualifier(entry, &uid) < 0) | |
392 | return -errno; | |
393 | } | |
394 | ||
395 | /* We do not recalculate the mask unconditionally here, | |
396 | * so that the fchmod() mask above stays intact. */ | |
397 | if (acl_get_permset(entry, &permset) < 0 || | |
398 | acl_add_perm(permset, ACL_READ) < 0) | |
399 | return -errno; | |
400 | ||
401 | r = calc_acl_mask_if_needed(&acl); | |
402 | if (r < 0) | |
403 | return r; | |
404 | ||
405 | return acl_set_fd(fd, acl); | |
406 | } |