[thirdparty/systemd.git] / src / shared / acl-util.c

/* SPDX-License-Identifier: LGPL-2.1+ */
/***
  This file is part of systemd.

  Copyright 2011,2013 Lennart Poettering

  systemd is free software; you can redistribute it and/or modify it
  under the terms of the GNU Lesser General Public License as published by
  the Free Software Foundation; either version 2.1 of the License, or
  (at your option) any later version.

  systemd is distributed in the hope that it will be useful, but
  WITHOUT ANY WARRANTY; without even the implied warranty of
  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
  Lesser General Public License for more details.

  You should have received a copy of the GNU Lesser General Public License
  along with systemd; If not, see <http://www.gnu.org/licenses/>.
***/

#include <errno.h>
#include <stdbool.h>

#include "acl-util.h"
#include "alloc-util.h"
#include "string-util.h"
#include "strv.h"
#include "user-util.h"
#include "util.h"

int acl_find_uid(acl_t acl, uid_t uid, acl_entry_t *entry) {
        acl_entry_t i;
        int r;

        assert(acl);
        assert(entry);

        for (r = acl_get_entry(acl, ACL_FIRST_ENTRY, &i);
             r > 0;
             r = acl_get_entry(acl, ACL_NEXT_ENTRY, &i)) {

                acl_tag_t tag;
                uid_t *u;
                bool b;

                if (acl_get_tag_type(i, &tag) < 0)
                        return -errno;

                if (tag != ACL_USER)
                        continue;

                u = acl_get_qualifier(i);
                if (!u)
                        return -errno;

                b = *u == uid;
                acl_free(u);

                if (b) {
                        *entry = i;
                        return 1;
                }
        }
        if (r < 0)
                return -errno;

        return 0;
}

int calc_acl_mask_if_needed(acl_t *acl_p) {
        acl_entry_t i;
        int r;
        bool need = false;

        assert(acl_p);

        for (r = acl_get_entry(*acl_p, ACL_FIRST_ENTRY, &i);
             r > 0;
             r = acl_get_entry(*acl_p, ACL_NEXT_ENTRY, &i)) {
                acl_tag_t tag;

                if (acl_get_tag_type(i, &tag) < 0)
                        return -errno;

                if (tag == ACL_MASK)
                        return 0;

                if (IN_SET(tag, ACL_USER, ACL_GROUP))
                        need = true;
        }
        if (r < 0)
                return -errno;

        if (need && acl_calc_mask(acl_p) < 0)
                return -errno;

        return need;
}

int add_base_acls_if_needed(acl_t *acl_p, const char *path) {
        acl_entry_t i;
        int r;
        bool have_user_obj = false, have_group_obj = false, have_other = false;
        struct stat st;
        _cleanup_(acl_freep) acl_t basic = NULL;

        assert(acl_p);

        for (r = acl_get_entry(*acl_p, ACL_FIRST_ENTRY, &i);
             r > 0;
             r = acl_get_entry(*acl_p, ACL_NEXT_ENTRY, &i)) {
                acl_tag_t tag;

                if (acl_get_tag_type(i, &tag) < 0)
                        return -errno;

                if (tag == ACL_USER_OBJ)
                        have_user_obj = true;
                else if (tag == ACL_GROUP_OBJ)
                        have_group_obj = true;
                else if (tag == ACL_OTHER)
                        have_other = true;
                if (have_user_obj && have_group_obj && have_other)
                        return 0;
        }
        if (r < 0)
                return -errno;

        r = stat(path, &st);
        if (r < 0)
                return -errno;

        basic = acl_from_mode(st.st_mode);
        if (!basic)
                return -errno;

        for (r = acl_get_entry(basic, ACL_FIRST_ENTRY, &i);
             r > 0;
             r = acl_get_entry(basic, ACL_NEXT_ENTRY, &i)) {
                acl_tag_t tag;
                acl_entry_t dst;

                if (acl_get_tag_type(i, &tag) < 0)
                        return -errno;

                if ((tag == ACL_USER_OBJ && have_user_obj) ||
                    (tag == ACL_GROUP_OBJ && have_group_obj) ||
                    (tag == ACL_OTHER && have_other))
                        continue;

                r = acl_create_entry(acl_p, &dst);
                if (r < 0)
                        return -errno;

                r = acl_copy_entry(dst, i);
                if (r < 0)
                        return -errno;
        }
        if (r < 0)
                return -errno;
        return 0;
}

int acl_search_groups(const char *path, char ***ret_groups) {
        _cleanup_strv_free_ char **g = NULL;
        _cleanup_(acl_freep) acl_t acl = NULL;
        bool ret = false;
        acl_entry_t entry;
        int r;

        assert(path);

        acl = acl_get_file(path, ACL_TYPE_DEFAULT);
        if (!acl)
                return -errno;

        r = acl_get_entry(acl, ACL_FIRST_ENTRY, &entry);
        for (;;) {
                _cleanup_(acl_free_gid_tpp) gid_t *gid = NULL;
                acl_tag_t tag;

                if (r < 0)
                        return -errno;
                if (r == 0)
                        break;

                if (acl_get_tag_type(entry, &tag) < 0)
                        return -errno;

                if (tag != ACL_GROUP)
                        goto next;

                gid = acl_get_qualifier(entry);
                if (!gid)
                        return -errno;

                if (in_gid(*gid) > 0) {
                        if (!ret_groups)
                                return true;

                        ret = true;
                }

                if (ret_groups) {
                        char *name;

                        name = gid_to_name(*gid);
                        if (!name)
                                return -ENOMEM;

                        r = strv_consume(&g, name);
                        if (r < 0)
                                return r;
                }

        next:
                r = acl_get_entry(acl, ACL_NEXT_ENTRY, &entry);
        }

        if (ret_groups)
                *ret_groups = TAKE_PTR(g);

        return ret;
}

int parse_acl(const char *text, acl_t *acl_access, acl_t *acl_default, bool want_mask) {
        _cleanup_free_ char **a = NULL, **d = NULL; /* strings are not freed */
        _cleanup_strv_free_ char **split;
        char **entry;
        int r = -EINVAL;
        _cleanup_(acl_freep) acl_t a_acl = NULL, d_acl = NULL;

        split = strv_split(text, ",");
        if (!split)
                return -ENOMEM;

        STRV_FOREACH(entry, split) {
                char *p;

                p = startswith(*entry, "default:");
                if (!p)
                        p = startswith(*entry, "d:");

                if (p)
                        r = strv_push(&d, p);
                else
                        r = strv_push(&a, *entry);
                if (r < 0)
                        return r;
        }

        if (!strv_isempty(a)) {
                _cleanup_free_ char *join;

                join = strv_join(a, ",");
                if (!join)
                        return -ENOMEM;

                a_acl = acl_from_text(join);
                if (!a_acl)
                        return -errno;

                if (want_mask) {
                        r = calc_acl_mask_if_needed(&a_acl);
                        if (r < 0)
                                return r;
                }
        }

        if (!strv_isempty(d)) {
                _cleanup_free_ char *join;

                join = strv_join(d, ",");
                if (!join)
                        return -ENOMEM;

                d_acl = acl_from_text(join);
                if (!d_acl)
                        return -errno;

                if (want_mask) {
                        r = calc_acl_mask_if_needed(&d_acl);
                        if (r < 0)
                                return r;
                }
        }

        *acl_access = TAKE_PTR(a_acl);
        *acl_default = TAKE_PTR(d_acl);

        return 0;
}

static int acl_entry_equal(acl_entry_t a, acl_entry_t b) {
        acl_tag_t tag_a, tag_b;

        if (acl_get_tag_type(a, &tag_a) < 0)
                return -errno;

        if (acl_get_tag_type(b, &tag_b) < 0)
                return -errno;

        if (tag_a != tag_b)
                return false;

        switch (tag_a) {
        case ACL_USER_OBJ:
        case ACL_GROUP_OBJ:
        case ACL_MASK:
        case ACL_OTHER:
                /* can have only one of those */
                return true;
        case ACL_USER: {
                _cleanup_(acl_free_uid_tpp) uid_t *uid_a = NULL, *uid_b = NULL;

                uid_a = acl_get_qualifier(a);
                if (!uid_a)
                        return -errno;

                uid_b = acl_get_qualifier(b);
                if (!uid_b)
                        return -errno;

                return *uid_a == *uid_b;
        }
        case ACL_GROUP: {
                _cleanup_(acl_free_gid_tpp) gid_t *gid_a = NULL, *gid_b = NULL;

                gid_a = acl_get_qualifier(a);
                if (!gid_a)
                        return -errno;

                gid_b = acl_get_qualifier(b);
                if (!gid_b)
                        return -errno;

                return *gid_a == *gid_b;
        }
        default:
                assert_not_reached("Unknown acl tag type");
        }
}

static int find_acl_entry(acl_t acl, acl_entry_t entry, acl_entry_t *out) {
        acl_entry_t i;
        int r;

        for (r = acl_get_entry(acl, ACL_FIRST_ENTRY, &i);
             r > 0;
             r = acl_get_entry(acl, ACL_NEXT_ENTRY, &i)) {

                r = acl_entry_equal(i, entry);
                if (r < 0)
                        return r;
                if (r > 0) {
                        *out = i;
                        return 1;
                }
        }
        if (r < 0)
                return -errno;
        return 0;
}

int acls_for_file(const char *path, acl_type_t type, acl_t new, acl_t *acl) {
        _cleanup_(acl_freep) acl_t old;
        acl_entry_t i;
        int r;

        old = acl_get_file(path, type);
        if (!old)
                return -errno;

        for (r = acl_get_entry(new, ACL_FIRST_ENTRY, &i);
             r > 0;
             r = acl_get_entry(new, ACL_NEXT_ENTRY, &i)) {

                acl_entry_t j;

                r = find_acl_entry(old, i, &j);
                if (r < 0)
                        return r;
                if (r == 0)
                        if (acl_create_entry(&old, &j) < 0)
                                return -errno;

                if (acl_copy_entry(j, i) < 0)
                        return -errno;
        }
        if (r < 0)
                return -errno;

        *acl = TAKE_PTR(old);

        return 0;
}

int add_acls_for_user(int fd, uid_t uid) {
        _cleanup_(acl_freep) acl_t acl = NULL;
        acl_entry_t entry;
        acl_permset_t permset;
        int r;

        acl = acl_get_fd(fd);
        if (!acl)
                return -errno;

        r = acl_find_uid(acl, uid, &entry);
        if (r <= 0) {
                if (acl_create_entry(&acl, &entry) < 0 ||
                    acl_set_tag_type(entry, ACL_USER) < 0 ||
                    acl_set_qualifier(entry, &uid) < 0)
                        return -errno;
        }

        /* We do not recalculate the mask unconditionally here,
         * so that the fchmod() mask above stays intact. */
        if (acl_get_permset(entry, &permset) < 0 ||
            acl_add_perm(permset, ACL_READ) < 0)
                return -errno;

        r = calc_acl_mask_if_needed(&acl);
        if (r < 0)
                return r;

        return acl_set_fd(fd, acl);
}
Commit	Line	Data
53e1b683	1	/* SPDX-License-Identifier: LGPL-2.1+ */
f4b47811 LP	2	/***
	3	This file is part of systemd.
	4
478c8269	5	Copyright 2011,2013 Lennart Poettering
f4b47811 LP	6
f4b47811 LP	7	systemd is free software; you can redistribute it and/or modify it
5430f7f2 LP	8	under the terms of the GNU Lesser General Public License as published by
5430f7f2 LP	9	the Free Software Foundation; either version 2.1 of the License, or
f4b47811 LP	10	(at your option) any later version.
	11
	12	systemd is distributed in the hope that it will be useful, but
	13	WITHOUT ANY WARRANTY; without even the implied warranty of
	14	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
5430f7f2	15	Lesser General Public License for more details.
f4b47811	16
5430f7f2	17	You should have received a copy of the GNU Lesser General Public License
f4b47811 LP	18	along with systemd; If not, see <http://www.gnu.org/licenses/>.
	19	***/
	20
f4b47811 LP	21	#include <errno.h>
	22	#include <stdbool.h>
	23
b1d4f8e1	24	#include "acl-util.h"
cf0fbc49	25	#include "alloc-util.h"
07630cea	26	#include "string-util.h"
478c8269	27	#include "strv.h"
b1d4f8e1	28	#include "user-util.h"
07630cea	29	#include "util.h"
f4b47811 LP	30
	31	int acl_find_uid(acl_t acl, uid_t uid, acl_entry_t *entry) {
	32	acl_entry_t i;
dd4105b0	33	int r;
f4b47811 LP	34
	35	assert(acl);
	36	assert(entry);
	37
dd4105b0 ZJS	38	for (r = acl_get_entry(acl, ACL_FIRST_ENTRY, &i);
	39	r > 0;
	40	r = acl_get_entry(acl, ACL_NEXT_ENTRY, &i)) {
f4b47811 LP	41
	42	acl_tag_t tag;
	43	uid_t *u;
	44	bool b;
	45
	46	if (acl_get_tag_type(i, &tag) < 0)
	47	return -errno;
	48
	49	if (tag != ACL_USER)
	50	continue;
	51
	52	u = acl_get_qualifier(i);
	53	if (!u)
	54	return -errno;
	55
	56	b = *u == uid;
	57	acl_free(u);
	58
	59	if (b) {
	60	*entry = i;
	61	return 1;
	62	}
	63	}
dd4105b0	64	if (r < 0)
f4b47811 LP	65	return -errno;
	66
	67	return 0;
	68	}
478c8269	69
23ad4dd8 JAS	70	int calc_acl_mask_if_needed(acl_t *acl_p) {
23ad4dd8 JAS	71	acl_entry_t i;
dd4105b0	72	int r;
6debb398	73	bool need = false;
23ad4dd8 JAS	74
	75	assert(acl_p);
	76
dd4105b0 ZJS	77	for (r = acl_get_entry(*acl_p, ACL_FIRST_ENTRY, &i);
	78	r > 0;
	79	r = acl_get_entry(*acl_p, ACL_NEXT_ENTRY, &i)) {
23ad4dd8 JAS	80	acl_tag_t tag;
	81
	82	if (acl_get_tag_type(i, &tag) < 0)
	83	return -errno;
	84
	85	if (tag == ACL_MASK)
	86	return 0;
e346512c	87
6debb398 ZJS	88	if (IN_SET(tag, ACL_USER, ACL_GROUP))
6debb398 ZJS	89	need = true;
23ad4dd8	90	}
dd4105b0	91	if (r < 0)
23ad4dd8 JAS	92	return -errno;
23ad4dd8 JAS	93
6debb398 ZJS	94	if (need && acl_calc_mask(acl_p) < 0)
	95	return -errno;
	96
	97	return need;
dd4105b0 ZJS	98	}
	99
	100	int add_base_acls_if_needed(acl_t acl_p, const char path) {
	101	acl_entry_t i;
	102	int r;
	103	bool have_user_obj = false, have_group_obj = false, have_other = false;
	104	struct stat st;
	105	_cleanup_(acl_freep) acl_t basic = NULL;
	106
	107	assert(acl_p);
	108
	109	for (r = acl_get_entry(*acl_p, ACL_FIRST_ENTRY, &i);
	110	r > 0;
	111	r = acl_get_entry(*acl_p, ACL_NEXT_ENTRY, &i)) {
	112	acl_tag_t tag;
	113
	114	if (acl_get_tag_type(i, &tag) < 0)
	115	return -errno;
	116
	117	if (tag == ACL_USER_OBJ)
	118	have_user_obj = true;
	119	else if (tag == ACL_GROUP_OBJ)
	120	have_group_obj = true;
	121	else if (tag == ACL_OTHER)
	122	have_other = true;
	123	if (have_user_obj && have_group_obj && have_other)
	124	return 0;
	125	}
	126	if (r < 0)
	127	return -errno;
23ad4dd8	128
dd4105b0 ZJS	129	r = stat(path, &st);
	130	if (r < 0)
	131	return -errno;
	132
	133	basic = acl_from_mode(st.st_mode);
	134	if (!basic)
	135	return -errno;
	136
	137	for (r = acl_get_entry(basic, ACL_FIRST_ENTRY, &i);
	138	r > 0;
	139	r = acl_get_entry(basic, ACL_NEXT_ENTRY, &i)) {
	140	acl_tag_t tag;
	141	acl_entry_t dst;
	142
	143	if (acl_get_tag_type(i, &tag) < 0)
	144	return -errno;
	145
	146	if ((tag == ACL_USER_OBJ && have_user_obj) \|\|
	147	(tag == ACL_GROUP_OBJ && have_group_obj) \|\|
	148	(tag == ACL_OTHER && have_other))
	149	continue;
	150
	151	r = acl_create_entry(acl_p, &dst);
	152	if (r < 0)
	153	return -errno;
	154
	155	r = acl_copy_entry(dst, i);
	156	if (r < 0)
	157	return -errno;
	158	}
	159	if (r < 0)
	160	return -errno;
23ad4dd8 JAS	161	return 0;
	162	}
	163
e346512c LP	164	int acl_search_groups(const char path, char **ret_groups) {
e346512c LP	165	_cleanup_strv_free_ char **g = NULL;
29d87223	166	_cleanup_(acl_freep) acl_t acl = NULL;
e346512c LP	167	bool ret = false;
	168	acl_entry_t entry;
	169	int r;
478c8269 ZJS	170
478c8269 ZJS	171	assert(path);
478c8269 ZJS	172
478c8269 ZJS	173	acl = acl_get_file(path, ACL_TYPE_DEFAULT);
e346512c LP	174	if (!acl)
e346512c LP	175	return -errno;
478c8269	176
e346512c LP	177	r = acl_get_entry(acl, ACL_FIRST_ENTRY, &entry);
	178	for (;;) {
	179	_cleanup_(acl_free_gid_tpp) gid_t *gid = NULL;
	180	acl_tag_t tag;
478c8269	181
e346512c LP	182	if (r < 0)
	183	return -errno;
	184	if (r == 0)
	185	break;
478c8269	186
e346512c LP	187	if (acl_get_tag_type(entry, &tag) < 0)
	188	return -errno;
	189
	190	if (tag != ACL_GROUP)
	191	goto next;
	192
	193	gid = acl_get_qualifier(entry);
	194	if (!gid)
	195	return -errno;
478c8269	196
e346512c LP	197	if (in_gid(*gid) > 0) {
	198	if (!ret_groups)
	199	return true;
	200
	201	ret = true;
	202	}
	203
	204	if (ret_groups) {
	205	char *name;
478c8269 ZJS	206
478c8269 ZJS	207	name = gid_to_name(*gid);
e346512c LP	208	if (!name)
	209	return -ENOMEM;
	210
	211	r = strv_consume(&g, name);
	212	if (r < 0)
	213	return r;
478c8269 ZJS	214	}
478c8269 ZJS	215
e346512c LP	216	next:
e346512c LP	217	r = acl_get_entry(acl, ACL_NEXT_ENTRY, &entry);
478c8269 ZJS	218	}
478c8269 ZJS	219
1cc6c93a YW	220	if (ret_groups)
1cc6c93a YW	221	*ret_groups = TAKE_PTR(g);
e346512c LP	222
e346512c LP	223	return ret;
478c8269	224	}
f8eeeaf9	225
e738c945	226	int parse_acl(const char text, acl_t acl_access, acl_t *acl_default, bool want_mask) {
848f0178	227	_cleanup_free_ char a = NULL, d = NULL; /* strings are not freed */
f8eeeaf9 ZJS	228	_cleanup_strv_free_ char **split;
	229	char **entry;
	230	int r = -EINVAL;
	231	_cleanup_(acl_freep) acl_t a_acl = NULL, d_acl = NULL;
	232
	233	split = strv_split(text, ",");
	234	if (!split)
e738c945	235	return -ENOMEM;
f8eeeaf9 ZJS	236
	237	STRV_FOREACH(entry, split) {
	238	char *p;
	239
	240	p = startswith(*entry, "default:");
	241	if (!p)
	242	p = startswith(*entry, "d:");
	243
	244	if (p)
	245	r = strv_push(&d, p);
	246	else
	247	r = strv_push(&a, *entry);
e738c945 LP	248	if (r < 0)
e738c945 LP	249	return r;
f8eeeaf9	250	}
f8eeeaf9 ZJS	251
	252	if (!strv_isempty(a)) {
	253	_cleanup_free_ char *join;
	254
	255	join = strv_join(a, ",");
	256	if (!join)
	257	return -ENOMEM;
	258
	259	a_acl = acl_from_text(join);
	260	if (!a_acl)
e738c945	261	return -errno;
f8eeeaf9	262
50d9e46d ZJS	263	if (want_mask) {
	264	r = calc_acl_mask_if_needed(&a_acl);
	265	if (r < 0)
	266	return r;
	267	}
f8eeeaf9 ZJS	268	}
	269
	270	if (!strv_isempty(d)) {
	271	_cleanup_free_ char *join;
	272
	273	join = strv_join(d, ",");
	274	if (!join)
	275	return -ENOMEM;
	276
	277	d_acl = acl_from_text(join);
	278	if (!d_acl)
e738c945	279	return -errno;
f8eeeaf9	280
50d9e46d ZJS	281	if (want_mask) {
	282	r = calc_acl_mask_if_needed(&d_acl);
	283	if (r < 0)
	284	return r;
	285	}
f8eeeaf9 ZJS	286	}
f8eeeaf9 ZJS	287
1cc6c93a YW	288	*acl_access = TAKE_PTR(a_acl);
1cc6c93a YW	289	*acl_default = TAKE_PTR(d_acl);
e738c945	290
f8eeeaf9 ZJS	291	return 0;
f8eeeaf9 ZJS	292	}
50d9e46d	293
1c73f3bc ZJS	294	static int acl_entry_equal(acl_entry_t a, acl_entry_t b) {
	295	acl_tag_t tag_a, tag_b;
	296
	297	if (acl_get_tag_type(a, &tag_a) < 0)
	298	return -errno;
	299
	300	if (acl_get_tag_type(b, &tag_b) < 0)
	301	return -errno;
	302
	303	if (tag_a != tag_b)
	304	return false;
	305
	306	switch (tag_a) {
	307	case ACL_USER_OBJ:
	308	case ACL_GROUP_OBJ:
	309	case ACL_MASK:
	310	case ACL_OTHER:
	311	/* can have only one of those */
	312	return true;
	313	case ACL_USER: {
76dcbc49	314	_cleanup_(acl_free_uid_tpp) uid_t uid_a = NULL, uid_b = NULL;
1c73f3bc ZJS	315
	316	uid_a = acl_get_qualifier(a);
	317	if (!uid_a)
	318	return -errno;
	319
	320	uid_b = acl_get_qualifier(b);
	321	if (!uid_b)
	322	return -errno;
	323
	324	return uid_a == uid_b;
	325	}
	326	case ACL_GROUP: {
76dcbc49	327	_cleanup_(acl_free_gid_tpp) gid_t gid_a = NULL, gid_b = NULL;
1c73f3bc ZJS	328
	329	gid_a = acl_get_qualifier(a);
	330	if (!gid_a)
	331	return -errno;
	332
	333	gid_b = acl_get_qualifier(b);
	334	if (!gid_b)
	335	return -errno;
	336
	337	return gid_a == gid_b;
	338	}
	339	default:
	340	assert_not_reached("Unknown acl tag type");
	341	}
	342	}
	343
	344	static int find_acl_entry(acl_t acl, acl_entry_t entry, acl_entry_t *out) {
	345	acl_entry_t i;
	346	int r;
	347
	348	for (r = acl_get_entry(acl, ACL_FIRST_ENTRY, &i);
	349	r > 0;
	350	r = acl_get_entry(acl, ACL_NEXT_ENTRY, &i)) {
	351
	352	r = acl_entry_equal(i, entry);
	353	if (r < 0)
	354	return r;
	355	if (r > 0) {
	356	*out = i;
	357	return 1;
	358	}
	359	}
	360	if (r < 0)
	361	return -errno;
	362	return 0;
	363	}
	364
50d9e46d ZJS	365	int acls_for_file(const char path, acl_type_t type, acl_t new, acl_t acl) {
	366	_cleanup_(acl_freep) acl_t old;
	367	acl_entry_t i;
dd4105b0	368	int r;
50d9e46d ZJS	369
	370	old = acl_get_file(path, type);
	371	if (!old)
	372	return -errno;
	373
dd4105b0 ZJS	374	for (r = acl_get_entry(new, ACL_FIRST_ENTRY, &i);
	375	r > 0;
	376	r = acl_get_entry(new, ACL_NEXT_ENTRY, &i)) {
50d9e46d ZJS	377
	378	acl_entry_t j;
	379
1c73f3bc ZJS	380	r = find_acl_entry(old, i, &j);
	381	if (r < 0)
	382	return r;
	383	if (r == 0)
	384	if (acl_create_entry(&old, &j) < 0)
	385	return -errno;
50d9e46d ZJS	386
	387	if (acl_copy_entry(j, i) < 0)
	388	return -errno;
	389	}
50d9e46d	390	if (r < 0)
dd4105b0	391	return -errno;
50d9e46d	392
1cc6c93a YW	393	*acl = TAKE_PTR(old);
1cc6c93a YW	394
50d9e46d ZJS	395	return 0;
50d9e46d ZJS	396	}
5c3bde3f ZJS	397
	398	int add_acls_for_user(int fd, uid_t uid) {
	399	_cleanup_(acl_freep) acl_t acl = NULL;
	400	acl_entry_t entry;
	401	acl_permset_t permset;
	402	int r;
	403
	404	acl = acl_get_fd(fd);
	405	if (!acl)
	406	return -errno;
	407
	408	r = acl_find_uid(acl, uid, &entry);
	409	if (r <= 0) {
	410	if (acl_create_entry(&acl, &entry) < 0 \|\|
	411	acl_set_tag_type(entry, ACL_USER) < 0 \|\|
	412	acl_set_qualifier(entry, &uid) < 0)
	413	return -errno;
	414	}
	415
	416	/* We do not recalculate the mask unconditionally here,
	417	* so that the fchmod() mask above stays intact. */
	418	if (acl_get_permset(entry, &permset) < 0 \|\|
	419	acl_add_perm(permset, ACL_READ) < 0)
	420	return -errno;
	421
	422	r = calc_acl_mask_if_needed(&acl);
	423	if (r < 0)
	424	return r;
	425
	426	return acl_set_fd(fd, acl);
	427	}