[thirdparty/systemd.git] / src / shared / acl-util.c

/*-*- Mode: C; c-basic-offset: 8; indent-tabs-mode: nil -*-*/

/***
  This file is part of systemd.

  Copyright 2011,2013 Lennart Poettering

  systemd is free software; you can redistribute it and/or modify it
  under the terms of the GNU Lesser General Public License as published by
  the Free Software Foundation; either version 2.1 of the License, or
  (at your option) any later version.

  systemd is distributed in the hope that it will be useful, but
  WITHOUT ANY WARRANTY; without even the implied warranty of
  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
  Lesser General Public License for more details.

  You should have received a copy of the GNU Lesser General Public License
  along with systemd; If not, see <http://www.gnu.org/licenses/>.
***/

#include <errno.h>
#include <stdbool.h>

#include "acl-util.h"
#include "string-util.h"
#include "strv.h"
#include "user-util.h"
#include "util.h"

int acl_find_uid(acl_t acl, uid_t uid, acl_entry_t *entry) {
        acl_entry_t i;
        int r;

        assert(acl);
        assert(entry);

        for (r = acl_get_entry(acl, ACL_FIRST_ENTRY, &i);
             r > 0;
             r = acl_get_entry(acl, ACL_NEXT_ENTRY, &i)) {

                acl_tag_t tag;
                uid_t *u;
                bool b;

                if (acl_get_tag_type(i, &tag) < 0)
                        return -errno;

                if (tag != ACL_USER)
                        continue;

                u = acl_get_qualifier(i);
                if (!u)
                        return -errno;

                b = *u == uid;
                acl_free(u);

                if (b) {
                        *entry = i;
                        return 1;
                }
        }
        if (r < 0)
                return -errno;

        return 0;
}

int calc_acl_mask_if_needed(acl_t *acl_p) {
        acl_entry_t i;
        int r;

        assert(acl_p);

        for (r = acl_get_entry(*acl_p, ACL_FIRST_ENTRY, &i);
             r > 0;
             r = acl_get_entry(*acl_p, ACL_NEXT_ENTRY, &i)) {
                acl_tag_t tag;

                if (acl_get_tag_type(i, &tag) < 0)
                        return -errno;

                if (tag == ACL_MASK)
                        return 0;

                if (IN_SET(tag, ACL_USER, ACL_GROUP)) {
                        if (acl_calc_mask(acl_p) < 0)
                                return -errno;

                        return 1;
                }
        }
        if (r < 0)
                return -errno;

        return 0;
}

int add_base_acls_if_needed(acl_t *acl_p, const char *path) {
        acl_entry_t i;
        int r;
        bool have_user_obj = false, have_group_obj = false, have_other = false;
        struct stat st;
        _cleanup_(acl_freep) acl_t basic = NULL;

        assert(acl_p);

        for (r = acl_get_entry(*acl_p, ACL_FIRST_ENTRY, &i);
             r > 0;
             r = acl_get_entry(*acl_p, ACL_NEXT_ENTRY, &i)) {
                acl_tag_t tag;

                if (acl_get_tag_type(i, &tag) < 0)
                        return -errno;

                if (tag == ACL_USER_OBJ)
                        have_user_obj = true;
                else if (tag == ACL_GROUP_OBJ)
                        have_group_obj = true;
                else if (tag == ACL_OTHER)
                        have_other = true;
                if (have_user_obj && have_group_obj && have_other)
                        return 0;
        }
        if (r < 0)
                return -errno;

        r = stat(path, &st);
        if (r < 0)
                return -errno;

        basic = acl_from_mode(st.st_mode);
        if (!basic)
                return -errno;

        for (r = acl_get_entry(basic, ACL_FIRST_ENTRY, &i);
             r > 0;
             r = acl_get_entry(basic, ACL_NEXT_ENTRY, &i)) {
                acl_tag_t tag;
                acl_entry_t dst;

                if (acl_get_tag_type(i, &tag) < 0)
                        return -errno;

                if ((tag == ACL_USER_OBJ && have_user_obj) ||
                    (tag == ACL_GROUP_OBJ && have_group_obj) ||
                    (tag == ACL_OTHER && have_other))
                        continue;

                r = acl_create_entry(acl_p, &dst);
                if (r < 0)
                        return -errno;

                r = acl_copy_entry(dst, i);
                if (r < 0)
                        return -errno;
        }
        if (r < 0)
                return -errno;
        return 0;
}

int acl_search_groups(const char *path, char ***ret_groups) {
        _cleanup_strv_free_ char **g = NULL;
        _cleanup_(acl_free) acl_t acl = NULL;
        bool ret = false;
        acl_entry_t entry;
        int r;

        assert(path);

        acl = acl_get_file(path, ACL_TYPE_DEFAULT);
        if (!acl)
                return -errno;

        r = acl_get_entry(acl, ACL_FIRST_ENTRY, &entry);
        for (;;) {
                _cleanup_(acl_free_gid_tpp) gid_t *gid = NULL;
                acl_tag_t tag;

                if (r < 0)
                        return -errno;
                if (r == 0)
                        break;

                if (acl_get_tag_type(entry, &tag) < 0)
                        return -errno;

                if (tag != ACL_GROUP)
                        goto next;

                gid = acl_get_qualifier(entry);
                if (!gid)
                        return -errno;

                if (in_gid(*gid) > 0) {
                        if (!ret_groups)
                                return true;

                        ret = true;
                }

                if (ret_groups) {
                        char *name;

                        name = gid_to_name(*gid);
                        if (!name)
                                return -ENOMEM;

                        r = strv_consume(&g, name);
                        if (r < 0)
                                return r;
                }

        next:
                r = acl_get_entry(acl, ACL_NEXT_ENTRY, &entry);
        }

        if (ret_groups) {
                *ret_groups = g;
                g = NULL;
        }

        return ret;
}

int parse_acl(const char *text, acl_t *acl_access, acl_t *acl_default, bool want_mask) {
        _cleanup_free_ char **a = NULL, **d = NULL; /* strings are not be freed */
        _cleanup_strv_free_ char **split;
        char **entry;
        int r = -EINVAL;
        _cleanup_(acl_freep) acl_t a_acl = NULL, d_acl = NULL;

        split = strv_split(text, ",");
        if (!split)
                return -ENOMEM;

        STRV_FOREACH(entry, split) {
                char *p;

                p = startswith(*entry, "default:");
                if (!p)
                        p = startswith(*entry, "d:");

                if (p)
                        r = strv_push(&d, p);
                else
                        r = strv_push(&a, *entry);
                if (r < 0)
                        return r;
        }

        if (!strv_isempty(a)) {
                _cleanup_free_ char *join;

                join = strv_join(a, ",");
                if (!join)
                        return -ENOMEM;

                a_acl = acl_from_text(join);
                if (!a_acl)
                        return -errno;

                if (want_mask) {
                        r = calc_acl_mask_if_needed(&a_acl);
                        if (r < 0)
                                return r;
                }
        }

        if (!strv_isempty(d)) {
                _cleanup_free_ char *join;

                join = strv_join(d, ",");
                if (!join)
                        return -ENOMEM;

                d_acl = acl_from_text(join);
                if (!d_acl)
                        return -errno;

                if (want_mask) {
                        r = calc_acl_mask_if_needed(&d_acl);
                        if (r < 0)
                                return r;
                }
        }

        *acl_access = a_acl;
        *acl_default = d_acl;
        a_acl = d_acl = NULL;

        return 0;
}

static int acl_entry_equal(acl_entry_t a, acl_entry_t b) {
        acl_tag_t tag_a, tag_b;

        if (acl_get_tag_type(a, &tag_a) < 0)
                return -errno;

        if (acl_get_tag_type(b, &tag_b) < 0)
                return -errno;

        if (tag_a != tag_b)
                return false;

        switch (tag_a) {
        case ACL_USER_OBJ:
        case ACL_GROUP_OBJ:
        case ACL_MASK:
        case ACL_OTHER:
                /* can have only one of those */
                return true;
        case ACL_USER: {
                _cleanup_(acl_free_uid_tpp) uid_t *uid_a = NULL, *uid_b = NULL;

                uid_a = acl_get_qualifier(a);
                if (!uid_a)
                        return -errno;

                uid_b = acl_get_qualifier(b);
                if (!uid_b)
                        return -errno;

                return *uid_a == *uid_b;
        }
        case ACL_GROUP: {
                _cleanup_(acl_free_gid_tpp) gid_t *gid_a = NULL, *gid_b = NULL;

                gid_a = acl_get_qualifier(a);
                if (!gid_a)
                        return -errno;

                gid_b = acl_get_qualifier(b);
                if (!gid_b)
                        return -errno;

                return *gid_a == *gid_b;
        }
        default:
                assert_not_reached("Unknown acl tag type");
        }
}

static int find_acl_entry(acl_t acl, acl_entry_t entry, acl_entry_t *out) {
        acl_entry_t i;
        int r;

        for (r = acl_get_entry(acl, ACL_FIRST_ENTRY, &i);
             r > 0;
             r = acl_get_entry(acl, ACL_NEXT_ENTRY, &i)) {

                r = acl_entry_equal(i, entry);
                if (r < 0)
                        return r;
                if (r > 0) {
                        *out = i;
                        return 1;
                }
        }
        if (r < 0)
                return -errno;
        return 0;
}

int acls_for_file(const char *path, acl_type_t type, acl_t new, acl_t *acl) {
        _cleanup_(acl_freep) acl_t old;
        acl_entry_t i;
        int r;

        old = acl_get_file(path, type);
        if (!old)
                return -errno;

        for (r = acl_get_entry(new, ACL_FIRST_ENTRY, &i);
             r > 0;
             r = acl_get_entry(new, ACL_NEXT_ENTRY, &i)) {

                acl_entry_t j;

                r = find_acl_entry(old, i, &j);
                if (r < 0)
                        return r;
                if (r == 0)
                        if (acl_create_entry(&old, &j) < 0)
                                return -errno;

                if (acl_copy_entry(j, i) < 0)
                        return -errno;
        }
        if (r < 0)
                return -errno;

        *acl = old;
        old = NULL;
        return 0;
}
Commit	Line	Data
f4b47811 LP	1	/-- Mode: C; c-basic-offset: 8; indent-tabs-mode: nil --/
	2
	3	/***
	4	This file is part of systemd.
	5
478c8269	6	Copyright 2011,2013 Lennart Poettering
f4b47811 LP	7
f4b47811 LP	8	systemd is free software; you can redistribute it and/or modify it
5430f7f2 LP	9	under the terms of the GNU Lesser General Public License as published by
5430f7f2 LP	10	the Free Software Foundation; either version 2.1 of the License, or
f4b47811 LP	11	(at your option) any later version.
	12
	13	systemd is distributed in the hope that it will be useful, but
	14	WITHOUT ANY WARRANTY; without even the implied warranty of
	15	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
5430f7f2	16	Lesser General Public License for more details.
f4b47811	17
5430f7f2	18	You should have received a copy of the GNU Lesser General Public License
f4b47811 LP	19	along with systemd; If not, see <http://www.gnu.org/licenses/>.
	20	***/
	21
f4b47811 LP	22	#include <errno.h>
	23	#include <stdbool.h>
	24
b1d4f8e1	25	#include "acl-util.h"
07630cea	26	#include "string-util.h"
478c8269	27	#include "strv.h"
b1d4f8e1	28	#include "user-util.h"
07630cea	29	#include "util.h"
f4b47811 LP	30
	31	int acl_find_uid(acl_t acl, uid_t uid, acl_entry_t *entry) {
	32	acl_entry_t i;
dd4105b0	33	int r;
f4b47811 LP	34
	35	assert(acl);
	36	assert(entry);
	37
dd4105b0 ZJS	38	for (r = acl_get_entry(acl, ACL_FIRST_ENTRY, &i);
	39	r > 0;
	40	r = acl_get_entry(acl, ACL_NEXT_ENTRY, &i)) {
f4b47811 LP	41
	42	acl_tag_t tag;
	43	uid_t *u;
	44	bool b;
	45
	46	if (acl_get_tag_type(i, &tag) < 0)
	47	return -errno;
	48
	49	if (tag != ACL_USER)
	50	continue;
	51
	52	u = acl_get_qualifier(i);
	53	if (!u)
	54	return -errno;
	55
	56	b = *u == uid;
	57	acl_free(u);
	58
	59	if (b) {
	60	*entry = i;
	61	return 1;
	62	}
	63	}
dd4105b0	64	if (r < 0)
f4b47811 LP	65	return -errno;
	66
	67	return 0;
	68	}
478c8269	69
23ad4dd8 JAS	70	int calc_acl_mask_if_needed(acl_t *acl_p) {
23ad4dd8 JAS	71	acl_entry_t i;
dd4105b0	72	int r;
23ad4dd8 JAS	73
	74	assert(acl_p);
	75
dd4105b0 ZJS	76	for (r = acl_get_entry(*acl_p, ACL_FIRST_ENTRY, &i);
	77	r > 0;
	78	r = acl_get_entry(*acl_p, ACL_NEXT_ENTRY, &i)) {
23ad4dd8 JAS	79	acl_tag_t tag;
	80
	81	if (acl_get_tag_type(i, &tag) < 0)
	82	return -errno;
	83
	84	if (tag == ACL_MASK)
	85	return 0;
e346512c LP	86
	87	if (IN_SET(tag, ACL_USER, ACL_GROUP)) {
	88	if (acl_calc_mask(acl_p) < 0)
	89	return -errno;
	90
	91	return 1;
	92	}
23ad4dd8	93	}
dd4105b0	94	if (r < 0)
23ad4dd8 JAS	95	return -errno;
23ad4dd8 JAS	96
e346512c	97	return 0;
dd4105b0 ZJS	98	}
	99
	100	int add_base_acls_if_needed(acl_t acl_p, const char path) {
	101	acl_entry_t i;
	102	int r;
	103	bool have_user_obj = false, have_group_obj = false, have_other = false;
	104	struct stat st;
	105	_cleanup_(acl_freep) acl_t basic = NULL;
	106
	107	assert(acl_p);
	108
	109	for (r = acl_get_entry(*acl_p, ACL_FIRST_ENTRY, &i);
	110	r > 0;
	111	r = acl_get_entry(*acl_p, ACL_NEXT_ENTRY, &i)) {
	112	acl_tag_t tag;
	113
	114	if (acl_get_tag_type(i, &tag) < 0)
	115	return -errno;
	116
	117	if (tag == ACL_USER_OBJ)
	118	have_user_obj = true;
	119	else if (tag == ACL_GROUP_OBJ)
	120	have_group_obj = true;
	121	else if (tag == ACL_OTHER)
	122	have_other = true;
	123	if (have_user_obj && have_group_obj && have_other)
	124	return 0;
	125	}
	126	if (r < 0)
	127	return -errno;
23ad4dd8	128
dd4105b0 ZJS	129	r = stat(path, &st);
	130	if (r < 0)
	131	return -errno;
	132
	133	basic = acl_from_mode(st.st_mode);
	134	if (!basic)
	135	return -errno;
	136
	137	for (r = acl_get_entry(basic, ACL_FIRST_ENTRY, &i);
	138	r > 0;
	139	r = acl_get_entry(basic, ACL_NEXT_ENTRY, &i)) {
	140	acl_tag_t tag;
	141	acl_entry_t dst;
	142
	143	if (acl_get_tag_type(i, &tag) < 0)
	144	return -errno;
	145
	146	if ((tag == ACL_USER_OBJ && have_user_obj) \|\|
	147	(tag == ACL_GROUP_OBJ && have_group_obj) \|\|
	148	(tag == ACL_OTHER && have_other))
	149	continue;
	150
	151	r = acl_create_entry(acl_p, &dst);
	152	if (r < 0)
	153	return -errno;
	154
	155	r = acl_copy_entry(dst, i);
	156	if (r < 0)
	157	return -errno;
	158	}
	159	if (r < 0)
	160	return -errno;
23ad4dd8 JAS	161	return 0;
	162	}
	163
e346512c LP	164	int acl_search_groups(const char path, char **ret_groups) {
	165	_cleanup_strv_free_ char **g = NULL;
	166	_cleanup_(acl_free) acl_t acl = NULL;
	167	bool ret = false;
	168	acl_entry_t entry;
	169	int r;
478c8269 ZJS	170
478c8269 ZJS	171	assert(path);
478c8269 ZJS	172
478c8269 ZJS	173	acl = acl_get_file(path, ACL_TYPE_DEFAULT);
e346512c LP	174	if (!acl)
e346512c LP	175	return -errno;
478c8269	176
e346512c LP	177	r = acl_get_entry(acl, ACL_FIRST_ENTRY, &entry);
	178	for (;;) {
	179	_cleanup_(acl_free_gid_tpp) gid_t *gid = NULL;
	180	acl_tag_t tag;
478c8269	181
e346512c LP	182	if (r < 0)
	183	return -errno;
	184	if (r == 0)
	185	break;
478c8269	186
e346512c LP	187	if (acl_get_tag_type(entry, &tag) < 0)
	188	return -errno;
	189
	190	if (tag != ACL_GROUP)
	191	goto next;
	192
	193	gid = acl_get_qualifier(entry);
	194	if (!gid)
	195	return -errno;
478c8269	196
e346512c LP	197	if (in_gid(*gid) > 0) {
	198	if (!ret_groups)
	199	return true;
	200
	201	ret = true;
	202	}
	203
	204	if (ret_groups) {
	205	char *name;
478c8269 ZJS	206
478c8269 ZJS	207	name = gid_to_name(*gid);
e346512c LP	208	if (!name)
	209	return -ENOMEM;
	210
	211	r = strv_consume(&g, name);
	212	if (r < 0)
	213	return r;
478c8269 ZJS	214	}
478c8269 ZJS	215
e346512c LP	216	next:
e346512c LP	217	r = acl_get_entry(acl, ACL_NEXT_ENTRY, &entry);
478c8269 ZJS	218	}
478c8269 ZJS	219
e346512c LP	220	if (ret_groups) {
	221	*ret_groups = g;
	222	g = NULL;
	223	}
	224
	225	return ret;
478c8269	226	}
f8eeeaf9	227
e738c945	228	int parse_acl(const char text, acl_t acl_access, acl_t *acl_default, bool want_mask) {
f8eeeaf9 ZJS	229	_cleanup_free_ char a = NULL, d = NULL; /* strings are not be freed */
	230	_cleanup_strv_free_ char **split;
	231	char **entry;
	232	int r = -EINVAL;
	233	_cleanup_(acl_freep) acl_t a_acl = NULL, d_acl = NULL;
	234
	235	split = strv_split(text, ",");
	236	if (!split)
e738c945	237	return -ENOMEM;
f8eeeaf9 ZJS	238
	239	STRV_FOREACH(entry, split) {
	240	char *p;
	241
	242	p = startswith(*entry, "default:");
	243	if (!p)
	244	p = startswith(*entry, "d:");
	245
	246	if (p)
	247	r = strv_push(&d, p);
	248	else
	249	r = strv_push(&a, *entry);
e738c945 LP	250	if (r < 0)
e738c945 LP	251	return r;
f8eeeaf9	252	}
f8eeeaf9 ZJS	253
	254	if (!strv_isempty(a)) {
	255	_cleanup_free_ char *join;
	256
	257	join = strv_join(a, ",");
	258	if (!join)
	259	return -ENOMEM;
	260
	261	a_acl = acl_from_text(join);
	262	if (!a_acl)
e738c945	263	return -errno;
f8eeeaf9	264
50d9e46d ZJS	265	if (want_mask) {
	266	r = calc_acl_mask_if_needed(&a_acl);
	267	if (r < 0)
	268	return r;
	269	}
f8eeeaf9 ZJS	270	}
	271
	272	if (!strv_isempty(d)) {
	273	_cleanup_free_ char *join;
	274
	275	join = strv_join(d, ",");
	276	if (!join)
	277	return -ENOMEM;
	278
	279	d_acl = acl_from_text(join);
	280	if (!d_acl)
e738c945	281	return -errno;
f8eeeaf9	282
50d9e46d ZJS	283	if (want_mask) {
	284	r = calc_acl_mask_if_needed(&d_acl);
	285	if (r < 0)
	286	return r;
	287	}
f8eeeaf9 ZJS	288	}
	289
	290	*acl_access = a_acl;
	291	*acl_default = d_acl;
	292	a_acl = d_acl = NULL;
e738c945	293
f8eeeaf9 ZJS	294	return 0;
f8eeeaf9 ZJS	295	}
50d9e46d	296
1c73f3bc ZJS	297	static int acl_entry_equal(acl_entry_t a, acl_entry_t b) {
	298	acl_tag_t tag_a, tag_b;
	299
	300	if (acl_get_tag_type(a, &tag_a) < 0)
	301	return -errno;
	302
	303	if (acl_get_tag_type(b, &tag_b) < 0)
	304	return -errno;
	305
	306	if (tag_a != tag_b)
	307	return false;
	308
	309	switch (tag_a) {
	310	case ACL_USER_OBJ:
	311	case ACL_GROUP_OBJ:
	312	case ACL_MASK:
	313	case ACL_OTHER:
	314	/* can have only one of those */
	315	return true;
	316	case ACL_USER: {
76dcbc49	317	_cleanup_(acl_free_uid_tpp) uid_t uid_a = NULL, uid_b = NULL;
1c73f3bc ZJS	318
	319	uid_a = acl_get_qualifier(a);
	320	if (!uid_a)
	321	return -errno;
	322
	323	uid_b = acl_get_qualifier(b);
	324	if (!uid_b)
	325	return -errno;
	326
	327	return uid_a == uid_b;
	328	}
	329	case ACL_GROUP: {
76dcbc49	330	_cleanup_(acl_free_gid_tpp) gid_t gid_a = NULL, gid_b = NULL;
1c73f3bc ZJS	331
	332	gid_a = acl_get_qualifier(a);
	333	if (!gid_a)
	334	return -errno;
	335
	336	gid_b = acl_get_qualifier(b);
	337	if (!gid_b)
	338	return -errno;
	339
	340	return gid_a == gid_b;
	341	}
	342	default:
	343	assert_not_reached("Unknown acl tag type");
	344	}
	345	}
	346
	347	static int find_acl_entry(acl_t acl, acl_entry_t entry, acl_entry_t *out) {
	348	acl_entry_t i;
	349	int r;
	350
	351	for (r = acl_get_entry(acl, ACL_FIRST_ENTRY, &i);
	352	r > 0;
	353	r = acl_get_entry(acl, ACL_NEXT_ENTRY, &i)) {
	354
	355	r = acl_entry_equal(i, entry);
	356	if (r < 0)
	357	return r;
	358	if (r > 0) {
	359	*out = i;
	360	return 1;
	361	}
	362	}
	363	if (r < 0)
	364	return -errno;
	365	return 0;
	366	}
	367
50d9e46d ZJS	368	int acls_for_file(const char path, acl_type_t type, acl_t new, acl_t acl) {
	369	_cleanup_(acl_freep) acl_t old;
	370	acl_entry_t i;
dd4105b0	371	int r;
50d9e46d ZJS	372
	373	old = acl_get_file(path, type);
	374	if (!old)
	375	return -errno;
	376
dd4105b0 ZJS	377	for (r = acl_get_entry(new, ACL_FIRST_ENTRY, &i);
	378	r > 0;
	379	r = acl_get_entry(new, ACL_NEXT_ENTRY, &i)) {
50d9e46d ZJS	380
	381	acl_entry_t j;
	382
1c73f3bc ZJS	383	r = find_acl_entry(old, i, &j);
	384	if (r < 0)
	385	return r;
	386	if (r == 0)
	387	if (acl_create_entry(&old, &j) < 0)
	388	return -errno;
50d9e46d ZJS	389
	390	if (acl_copy_entry(j, i) < 0)
	391	return -errno;
	392	}
50d9e46d	393	if (r < 0)
dd4105b0	394	return -errno;
50d9e46d ZJS	395
	396	*acl = old;
	397	old = NULL;
	398	return 0;
	399	}