]>
Commit | Line | Data |
---|---|---|
53e1b683 | 1 | /* SPDX-License-Identifier: LGPL-2.1+ */ |
f4b47811 | 2 | |
f4b47811 LP |
3 | #include <errno.h> |
4 | #include <stdbool.h> | |
ca78ad1d ZJS |
5 | #include <sys/stat.h> |
6 | #include <sys/types.h> | |
f4b47811 | 7 | |
b1d4f8e1 | 8 | #include "acl-util.h" |
cf0fbc49 | 9 | #include "alloc-util.h" |
07630cea | 10 | #include "string-util.h" |
478c8269 | 11 | #include "strv.h" |
b1d4f8e1 | 12 | #include "user-util.h" |
07630cea | 13 | #include "util.h" |
f4b47811 LP |
14 | |
15 | int acl_find_uid(acl_t acl, uid_t uid, acl_entry_t *entry) { | |
16 | acl_entry_t i; | |
dd4105b0 | 17 | int r; |
f4b47811 LP |
18 | |
19 | assert(acl); | |
20 | assert(entry); | |
21 | ||
dd4105b0 ZJS |
22 | for (r = acl_get_entry(acl, ACL_FIRST_ENTRY, &i); |
23 | r > 0; | |
24 | r = acl_get_entry(acl, ACL_NEXT_ENTRY, &i)) { | |
f4b47811 LP |
25 | |
26 | acl_tag_t tag; | |
27 | uid_t *u; | |
28 | bool b; | |
29 | ||
30 | if (acl_get_tag_type(i, &tag) < 0) | |
31 | return -errno; | |
32 | ||
33 | if (tag != ACL_USER) | |
34 | continue; | |
35 | ||
36 | u = acl_get_qualifier(i); | |
37 | if (!u) | |
38 | return -errno; | |
39 | ||
40 | b = *u == uid; | |
41 | acl_free(u); | |
42 | ||
43 | if (b) { | |
44 | *entry = i; | |
45 | return 1; | |
46 | } | |
47 | } | |
dd4105b0 | 48 | if (r < 0) |
f4b47811 LP |
49 | return -errno; |
50 | ||
51 | return 0; | |
52 | } | |
478c8269 | 53 | |
23ad4dd8 JAS |
54 | int calc_acl_mask_if_needed(acl_t *acl_p) { |
55 | acl_entry_t i; | |
dd4105b0 | 56 | int r; |
6debb398 | 57 | bool need = false; |
23ad4dd8 JAS |
58 | |
59 | assert(acl_p); | |
60 | ||
dd4105b0 ZJS |
61 | for (r = acl_get_entry(*acl_p, ACL_FIRST_ENTRY, &i); |
62 | r > 0; | |
63 | r = acl_get_entry(*acl_p, ACL_NEXT_ENTRY, &i)) { | |
23ad4dd8 JAS |
64 | acl_tag_t tag; |
65 | ||
66 | if (acl_get_tag_type(i, &tag) < 0) | |
67 | return -errno; | |
68 | ||
69 | if (tag == ACL_MASK) | |
70 | return 0; | |
e346512c | 71 | |
6debb398 ZJS |
72 | if (IN_SET(tag, ACL_USER, ACL_GROUP)) |
73 | need = true; | |
23ad4dd8 | 74 | } |
dd4105b0 | 75 | if (r < 0) |
23ad4dd8 JAS |
76 | return -errno; |
77 | ||
6debb398 ZJS |
78 | if (need && acl_calc_mask(acl_p) < 0) |
79 | return -errno; | |
80 | ||
81 | return need; | |
dd4105b0 ZJS |
82 | } |
83 | ||
84 | int add_base_acls_if_needed(acl_t *acl_p, const char *path) { | |
85 | acl_entry_t i; | |
86 | int r; | |
87 | bool have_user_obj = false, have_group_obj = false, have_other = false; | |
88 | struct stat st; | |
89 | _cleanup_(acl_freep) acl_t basic = NULL; | |
90 | ||
91 | assert(acl_p); | |
92 | ||
93 | for (r = acl_get_entry(*acl_p, ACL_FIRST_ENTRY, &i); | |
94 | r > 0; | |
95 | r = acl_get_entry(*acl_p, ACL_NEXT_ENTRY, &i)) { | |
96 | acl_tag_t tag; | |
97 | ||
98 | if (acl_get_tag_type(i, &tag) < 0) | |
99 | return -errno; | |
100 | ||
101 | if (tag == ACL_USER_OBJ) | |
102 | have_user_obj = true; | |
103 | else if (tag == ACL_GROUP_OBJ) | |
104 | have_group_obj = true; | |
105 | else if (tag == ACL_OTHER) | |
106 | have_other = true; | |
107 | if (have_user_obj && have_group_obj && have_other) | |
108 | return 0; | |
109 | } | |
110 | if (r < 0) | |
111 | return -errno; | |
23ad4dd8 | 112 | |
dd4105b0 ZJS |
113 | r = stat(path, &st); |
114 | if (r < 0) | |
115 | return -errno; | |
116 | ||
117 | basic = acl_from_mode(st.st_mode); | |
118 | if (!basic) | |
119 | return -errno; | |
120 | ||
121 | for (r = acl_get_entry(basic, ACL_FIRST_ENTRY, &i); | |
122 | r > 0; | |
123 | r = acl_get_entry(basic, ACL_NEXT_ENTRY, &i)) { | |
124 | acl_tag_t tag; | |
125 | acl_entry_t dst; | |
126 | ||
127 | if (acl_get_tag_type(i, &tag) < 0) | |
128 | return -errno; | |
129 | ||
130 | if ((tag == ACL_USER_OBJ && have_user_obj) || | |
131 | (tag == ACL_GROUP_OBJ && have_group_obj) || | |
132 | (tag == ACL_OTHER && have_other)) | |
133 | continue; | |
134 | ||
135 | r = acl_create_entry(acl_p, &dst); | |
136 | if (r < 0) | |
137 | return -errno; | |
138 | ||
139 | r = acl_copy_entry(dst, i); | |
140 | if (r < 0) | |
141 | return -errno; | |
142 | } | |
143 | if (r < 0) | |
144 | return -errno; | |
23ad4dd8 JAS |
145 | return 0; |
146 | } | |
147 | ||
e346512c LP |
148 | int acl_search_groups(const char *path, char ***ret_groups) { |
149 | _cleanup_strv_free_ char **g = NULL; | |
29d87223 | 150 | _cleanup_(acl_freep) acl_t acl = NULL; |
e346512c LP |
151 | bool ret = false; |
152 | acl_entry_t entry; | |
153 | int r; | |
478c8269 ZJS |
154 | |
155 | assert(path); | |
478c8269 ZJS |
156 | |
157 | acl = acl_get_file(path, ACL_TYPE_DEFAULT); | |
e346512c LP |
158 | if (!acl) |
159 | return -errno; | |
478c8269 | 160 | |
e346512c LP |
161 | r = acl_get_entry(acl, ACL_FIRST_ENTRY, &entry); |
162 | for (;;) { | |
163 | _cleanup_(acl_free_gid_tpp) gid_t *gid = NULL; | |
164 | acl_tag_t tag; | |
478c8269 | 165 | |
e346512c LP |
166 | if (r < 0) |
167 | return -errno; | |
168 | if (r == 0) | |
169 | break; | |
478c8269 | 170 | |
e346512c LP |
171 | if (acl_get_tag_type(entry, &tag) < 0) |
172 | return -errno; | |
173 | ||
174 | if (tag != ACL_GROUP) | |
175 | goto next; | |
176 | ||
177 | gid = acl_get_qualifier(entry); | |
178 | if (!gid) | |
179 | return -errno; | |
478c8269 | 180 | |
e346512c LP |
181 | if (in_gid(*gid) > 0) { |
182 | if (!ret_groups) | |
183 | return true; | |
184 | ||
185 | ret = true; | |
186 | } | |
187 | ||
188 | if (ret_groups) { | |
189 | char *name; | |
478c8269 ZJS |
190 | |
191 | name = gid_to_name(*gid); | |
e346512c LP |
192 | if (!name) |
193 | return -ENOMEM; | |
194 | ||
195 | r = strv_consume(&g, name); | |
196 | if (r < 0) | |
197 | return r; | |
478c8269 ZJS |
198 | } |
199 | ||
e346512c LP |
200 | next: |
201 | r = acl_get_entry(acl, ACL_NEXT_ENTRY, &entry); | |
478c8269 ZJS |
202 | } |
203 | ||
1cc6c93a YW |
204 | if (ret_groups) |
205 | *ret_groups = TAKE_PTR(g); | |
e346512c LP |
206 | |
207 | return ret; | |
478c8269 | 208 | } |
f8eeeaf9 | 209 | |
e738c945 | 210 | int parse_acl(const char *text, acl_t *acl_access, acl_t *acl_default, bool want_mask) { |
848f0178 | 211 | _cleanup_free_ char **a = NULL, **d = NULL; /* strings are not freed */ |
f8eeeaf9 ZJS |
212 | _cleanup_strv_free_ char **split; |
213 | char **entry; | |
214 | int r = -EINVAL; | |
215 | _cleanup_(acl_freep) acl_t a_acl = NULL, d_acl = NULL; | |
216 | ||
217 | split = strv_split(text, ","); | |
218 | if (!split) | |
e738c945 | 219 | return -ENOMEM; |
f8eeeaf9 ZJS |
220 | |
221 | STRV_FOREACH(entry, split) { | |
222 | char *p; | |
223 | ||
49fe5c09 | 224 | p = STARTSWITH_SET(*entry, "default:", "d:"); |
f2ea9cc7 Y |
225 | if (p) |
226 | r = strv_push(&d, p); | |
227 | else | |
228 | r = strv_push(&a, *entry); | |
e738c945 LP |
229 | if (r < 0) |
230 | return r; | |
f8eeeaf9 | 231 | } |
f8eeeaf9 ZJS |
232 | |
233 | if (!strv_isempty(a)) { | |
234 | _cleanup_free_ char *join; | |
235 | ||
236 | join = strv_join(a, ","); | |
237 | if (!join) | |
238 | return -ENOMEM; | |
239 | ||
240 | a_acl = acl_from_text(join); | |
241 | if (!a_acl) | |
e738c945 | 242 | return -errno; |
f8eeeaf9 | 243 | |
50d9e46d ZJS |
244 | if (want_mask) { |
245 | r = calc_acl_mask_if_needed(&a_acl); | |
246 | if (r < 0) | |
247 | return r; | |
248 | } | |
f8eeeaf9 ZJS |
249 | } |
250 | ||
251 | if (!strv_isempty(d)) { | |
252 | _cleanup_free_ char *join; | |
253 | ||
254 | join = strv_join(d, ","); | |
255 | if (!join) | |
256 | return -ENOMEM; | |
257 | ||
258 | d_acl = acl_from_text(join); | |
259 | if (!d_acl) | |
e738c945 | 260 | return -errno; |
f8eeeaf9 | 261 | |
50d9e46d ZJS |
262 | if (want_mask) { |
263 | r = calc_acl_mask_if_needed(&d_acl); | |
264 | if (r < 0) | |
265 | return r; | |
266 | } | |
f8eeeaf9 ZJS |
267 | } |
268 | ||
1cc6c93a YW |
269 | *acl_access = TAKE_PTR(a_acl); |
270 | *acl_default = TAKE_PTR(d_acl); | |
e738c945 | 271 | |
f8eeeaf9 ZJS |
272 | return 0; |
273 | } | |
50d9e46d | 274 | |
1c73f3bc ZJS |
275 | static int acl_entry_equal(acl_entry_t a, acl_entry_t b) { |
276 | acl_tag_t tag_a, tag_b; | |
277 | ||
278 | if (acl_get_tag_type(a, &tag_a) < 0) | |
279 | return -errno; | |
280 | ||
281 | if (acl_get_tag_type(b, &tag_b) < 0) | |
282 | return -errno; | |
283 | ||
284 | if (tag_a != tag_b) | |
285 | return false; | |
286 | ||
287 | switch (tag_a) { | |
288 | case ACL_USER_OBJ: | |
289 | case ACL_GROUP_OBJ: | |
290 | case ACL_MASK: | |
291 | case ACL_OTHER: | |
292 | /* can have only one of those */ | |
293 | return true; | |
294 | case ACL_USER: { | |
76dcbc49 | 295 | _cleanup_(acl_free_uid_tpp) uid_t *uid_a = NULL, *uid_b = NULL; |
1c73f3bc ZJS |
296 | |
297 | uid_a = acl_get_qualifier(a); | |
298 | if (!uid_a) | |
299 | return -errno; | |
300 | ||
301 | uid_b = acl_get_qualifier(b); | |
302 | if (!uid_b) | |
303 | return -errno; | |
304 | ||
305 | return *uid_a == *uid_b; | |
306 | } | |
307 | case ACL_GROUP: { | |
76dcbc49 | 308 | _cleanup_(acl_free_gid_tpp) gid_t *gid_a = NULL, *gid_b = NULL; |
1c73f3bc ZJS |
309 | |
310 | gid_a = acl_get_qualifier(a); | |
311 | if (!gid_a) | |
312 | return -errno; | |
313 | ||
314 | gid_b = acl_get_qualifier(b); | |
315 | if (!gid_b) | |
316 | return -errno; | |
317 | ||
318 | return *gid_a == *gid_b; | |
319 | } | |
320 | default: | |
321 | assert_not_reached("Unknown acl tag type"); | |
322 | } | |
323 | } | |
324 | ||
325 | static int find_acl_entry(acl_t acl, acl_entry_t entry, acl_entry_t *out) { | |
326 | acl_entry_t i; | |
327 | int r; | |
328 | ||
329 | for (r = acl_get_entry(acl, ACL_FIRST_ENTRY, &i); | |
330 | r > 0; | |
331 | r = acl_get_entry(acl, ACL_NEXT_ENTRY, &i)) { | |
332 | ||
333 | r = acl_entry_equal(i, entry); | |
334 | if (r < 0) | |
335 | return r; | |
336 | if (r > 0) { | |
337 | *out = i; | |
338 | return 1; | |
339 | } | |
340 | } | |
341 | if (r < 0) | |
342 | return -errno; | |
343 | return 0; | |
344 | } | |
345 | ||
50d9e46d ZJS |
346 | int acls_for_file(const char *path, acl_type_t type, acl_t new, acl_t *acl) { |
347 | _cleanup_(acl_freep) acl_t old; | |
348 | acl_entry_t i; | |
dd4105b0 | 349 | int r; |
50d9e46d ZJS |
350 | |
351 | old = acl_get_file(path, type); | |
352 | if (!old) | |
353 | return -errno; | |
354 | ||
dd4105b0 ZJS |
355 | for (r = acl_get_entry(new, ACL_FIRST_ENTRY, &i); |
356 | r > 0; | |
357 | r = acl_get_entry(new, ACL_NEXT_ENTRY, &i)) { | |
50d9e46d ZJS |
358 | |
359 | acl_entry_t j; | |
360 | ||
1c73f3bc ZJS |
361 | r = find_acl_entry(old, i, &j); |
362 | if (r < 0) | |
363 | return r; | |
364 | if (r == 0) | |
365 | if (acl_create_entry(&old, &j) < 0) | |
366 | return -errno; | |
50d9e46d ZJS |
367 | |
368 | if (acl_copy_entry(j, i) < 0) | |
369 | return -errno; | |
370 | } | |
50d9e46d | 371 | if (r < 0) |
dd4105b0 | 372 | return -errno; |
50d9e46d | 373 | |
1cc6c93a YW |
374 | *acl = TAKE_PTR(old); |
375 | ||
50d9e46d ZJS |
376 | return 0; |
377 | } | |
5c3bde3f ZJS |
378 | |
379 | int add_acls_for_user(int fd, uid_t uid) { | |
380 | _cleanup_(acl_freep) acl_t acl = NULL; | |
5c3bde3f | 381 | acl_permset_t permset; |
2ea6247e | 382 | acl_entry_t entry; |
5c3bde3f ZJS |
383 | int r; |
384 | ||
2ea6247e LP |
385 | assert(fd >= 0); |
386 | assert(uid_is_valid(uid)); | |
387 | ||
5c3bde3f ZJS |
388 | acl = acl_get_fd(fd); |
389 | if (!acl) | |
390 | return -errno; | |
391 | ||
392 | r = acl_find_uid(acl, uid, &entry); | |
393 | if (r <= 0) { | |
394 | if (acl_create_entry(&acl, &entry) < 0 || | |
395 | acl_set_tag_type(entry, ACL_USER) < 0 || | |
396 | acl_set_qualifier(entry, &uid) < 0) | |
397 | return -errno; | |
398 | } | |
399 | ||
2ea6247e LP |
400 | /* We do not recalculate the mask unconditionally here, so that the fchmod() mask above stays |
401 | * intact. */ | |
5c3bde3f ZJS |
402 | if (acl_get_permset(entry, &permset) < 0 || |
403 | acl_add_perm(permset, ACL_READ) < 0) | |
404 | return -errno; | |
405 | ||
406 | r = calc_acl_mask_if_needed(&acl); | |
407 | if (r < 0) | |
408 | return r; | |
409 | ||
2ea6247e LP |
410 | if (acl_set_fd(fd, acl) < 0) |
411 | return -errno; | |
412 | ||
413 | return 0; | |
5c3bde3f | 414 | } |