]> git.ipfire.org Git - thirdparty/systemd.git/blob - src/shared/acl-util.c
projects / thirdparty / systemd.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Merge pull request #4536 from poettering/seccomp-namespaces
[thirdparty/systemd.git] / src / shared / acl-util.c
1 /***
2 This file is part of systemd.
3
4 Copyright 2011,2013 Lennart Poettering
5
6 systemd is free software; you can redistribute it and/or modify it
7 under the terms of the GNU Lesser General Public License as published by
8 the Free Software Foundation; either version 2.1 of the License, or
9 (at your option) any later version.
10
11 systemd is distributed in the hope that it will be useful, but
12 WITHOUT ANY WARRANTY; without even the implied warranty of
13 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
14 Lesser General Public License for more details.
15
16 You should have received a copy of the GNU Lesser General Public License
17 along with systemd; If not, see <http://www.gnu.org/licenses/>.
18 ***/
19
20 #include <errno.h>
21 #include <stdbool.h>
22
23 #include "acl-util.h"
24 #include "alloc-util.h"
25 #include "string-util.h"
26 #include "strv.h"
27 #include "user-util.h"
28 #include "util.h"
29
30 int acl_find_uid(acl_t acl, uid_t uid, acl_entry_t *entry) {
31 acl_entry_t i;
32 int r;
33
34 assert(acl);
35 assert(entry);
36
37 for (r = acl_get_entry(acl, ACL_FIRST_ENTRY, &i);
38 r > 0;
39 r = acl_get_entry(acl, ACL_NEXT_ENTRY, &i)) {
40
41 acl_tag_t tag;
42 uid_t *u;
43 bool b;
44
45 if (acl_get_tag_type(i, &tag) < 0)
46 return -errno;
47
48 if (tag != ACL_USER)
49 continue;
50
51 u = acl_get_qualifier(i);
52 if (!u)
53 return -errno;
54
55 b = *u == uid;
56 acl_free(u);
57
58 if (b) {
59 *entry = i;
60 return 1;
61 }
62 }
63 if (r < 0)
64 return -errno;
65
66 return 0;
67 }
68
69 int calc_acl_mask_if_needed(acl_t *acl_p) {
70 acl_entry_t i;
71 int r;
72 bool need = false;
73
74 assert(acl_p);
75
76 for (r = acl_get_entry(*acl_p, ACL_FIRST_ENTRY, &i);
77 r > 0;
78 r = acl_get_entry(*acl_p, ACL_NEXT_ENTRY, &i)) {
79 acl_tag_t tag;
80
81 if (acl_get_tag_type(i, &tag) < 0)
82 return -errno;
83
84 if (tag == ACL_MASK)
85 return 0;
86
87 if (IN_SET(tag, ACL_USER, ACL_GROUP))
88 need = true;
89 }
90 if (r < 0)
91 return -errno;
92
93 if (need && acl_calc_mask(acl_p) < 0)
94 return -errno;
95
96 return need;
97 }
98
99 int add_base_acls_if_needed(acl_t *acl_p, const char *path) {
100 acl_entry_t i;
101 int r;
102 bool have_user_obj = false, have_group_obj = false, have_other = false;
103 struct stat st;
104 _cleanup_(acl_freep) acl_t basic = NULL;
105
106 assert(acl_p);
107
108 for (r = acl_get_entry(*acl_p, ACL_FIRST_ENTRY, &i);
109 r > 0;
110 r = acl_get_entry(*acl_p, ACL_NEXT_ENTRY, &i)) {
111 acl_tag_t tag;
112
113 if (acl_get_tag_type(i, &tag) < 0)
114 return -errno;
115
116 if (tag == ACL_USER_OBJ)
117 have_user_obj = true;
118 else if (tag == ACL_GROUP_OBJ)
119 have_group_obj = true;
120 else if (tag == ACL_OTHER)
121 have_other = true;
122 if (have_user_obj && have_group_obj && have_other)
123 return 0;
124 }
125 if (r < 0)
126 return -errno;
127
128 r = stat(path, &st);
129 if (r < 0)
130 return -errno;
131
132 basic = acl_from_mode(st.st_mode);
133 if (!basic)
134 return -errno;
135
136 for (r = acl_get_entry(basic, ACL_FIRST_ENTRY, &i);
137 r > 0;
138 r = acl_get_entry(basic, ACL_NEXT_ENTRY, &i)) {
139 acl_tag_t tag;
140 acl_entry_t dst;
141
142 if (acl_get_tag_type(i, &tag) < 0)
143 return -errno;
144
145 if ((tag == ACL_USER_OBJ && have_user_obj) ||
146 (tag == ACL_GROUP_OBJ && have_group_obj) ||
147 (tag == ACL_OTHER && have_other))
148 continue;
149
150 r = acl_create_entry(acl_p, &dst);
151 if (r < 0)
152 return -errno;
153
154 r = acl_copy_entry(dst, i);
155 if (r < 0)
156 return -errno;
157 }
158 if (r < 0)
159 return -errno;
160 return 0;
161 }
162
163 int acl_search_groups(const char *path, char ***ret_groups) {
164 _cleanup_strv_free_ char **g = NULL;
165 _cleanup_(acl_freep) acl_t acl = NULL;
166 bool ret = false;
167 acl_entry_t entry;
168 int r;
169
170 assert(path);
171
172 acl = acl_get_file(path, ACL_TYPE_DEFAULT);
173 if (!acl)
174 return -errno;
175
176 r = acl_get_entry(acl, ACL_FIRST_ENTRY, &entry);
177 for (;;) {
178 _cleanup_(acl_free_gid_tpp) gid_t *gid = NULL;
179 acl_tag_t tag;
180
181 if (r < 0)
182 return -errno;
183 if (r == 0)
184 break;
185
186 if (acl_get_tag_type(entry, &tag) < 0)
187 return -errno;
188
189 if (tag != ACL_GROUP)
190 goto next;
191
192 gid = acl_get_qualifier(entry);
193 if (!gid)
194 return -errno;
195
196 if (in_gid(*gid) > 0) {
197 if (!ret_groups)
198 return true;
199
200 ret = true;
201 }
202
203 if (ret_groups) {
204 char *name;
205
206 name = gid_to_name(*gid);
207 if (!name)
208 return -ENOMEM;
209
210 r = strv_consume(&g, name);
211 if (r < 0)
212 return r;
213 }
214
215 next:
216 r = acl_get_entry(acl, ACL_NEXT_ENTRY, &entry);
217 }
218
219 if (ret_groups) {
220 *ret_groups = g;
221 g = NULL;
222 }
223
224 return ret;
225 }
226
227 int parse_acl(const char *text, acl_t *acl_access, acl_t *acl_default, bool want_mask) {
228 _cleanup_free_ char **a = NULL, **d = NULL; /* strings are not be freed */
229 _cleanup_strv_free_ char **split;
230 char **entry;
231 int r = -EINVAL;
232 _cleanup_(acl_freep) acl_t a_acl = NULL, d_acl = NULL;
233
234 split = strv_split(text, ",");
235 if (!split)
236 return -ENOMEM;
237
238 STRV_FOREACH(entry, split) {
239 char *p;
240
241 p = startswith(*entry, "default:");
242 if (!p)
243 p = startswith(*entry, "d:");
244
245 if (p)
246 r = strv_push(&d, p);
247 else
248 r = strv_push(&a, *entry);
249 if (r < 0)
250 return r;
251 }
252
253 if (!strv_isempty(a)) {
254 _cleanup_free_ char *join;
255
256 join = strv_join(a, ",");
257 if (!join)
258 return -ENOMEM;
259
260 a_acl = acl_from_text(join);
261 if (!a_acl)
262 return -errno;
263
264 if (want_mask) {
265 r = calc_acl_mask_if_needed(&a_acl);
266 if (r < 0)
267 return r;
268 }
269 }
270
271 if (!strv_isempty(d)) {
272 _cleanup_free_ char *join;
273
274 join = strv_join(d, ",");
275 if (!join)
276 return -ENOMEM;
277
278 d_acl = acl_from_text(join);
279 if (!d_acl)
280 return -errno;
281
282 if (want_mask) {
283 r = calc_acl_mask_if_needed(&d_acl);
284 if (r < 0)
285 return r;
286 }
287 }
288
289 *acl_access = a_acl;
290 *acl_default = d_acl;
291 a_acl = d_acl = NULL;
292
293 return 0;
294 }
295
296 static int acl_entry_equal(acl_entry_t a, acl_entry_t b) {
297 acl_tag_t tag_a, tag_b;
298
299 if (acl_get_tag_type(a, &tag_a) < 0)
300 return -errno;
301
302 if (acl_get_tag_type(b, &tag_b) < 0)
303 return -errno;
304
305 if (tag_a != tag_b)
306 return false;
307
308 switch (tag_a) {
309 case ACL_USER_OBJ:
310 case ACL_GROUP_OBJ:
311 case ACL_MASK:
312 case ACL_OTHER:
313 /* can have only one of those */
314 return true;
315 case ACL_USER: {
316 _cleanup_(acl_free_uid_tpp) uid_t *uid_a = NULL, *uid_b = NULL;
317
318 uid_a = acl_get_qualifier(a);
319 if (!uid_a)
320 return -errno;
321
322 uid_b = acl_get_qualifier(b);
323 if (!uid_b)
324 return -errno;
325
326 return *uid_a == *uid_b;
327 }
328 case ACL_GROUP: {
329 _cleanup_(acl_free_gid_tpp) gid_t *gid_a = NULL, *gid_b = NULL;
330
331 gid_a = acl_get_qualifier(a);
332 if (!gid_a)
333 return -errno;
334
335 gid_b = acl_get_qualifier(b);
336 if (!gid_b)
337 return -errno;
338
339 return *gid_a == *gid_b;
340 }
341 default:
342 assert_not_reached("Unknown acl tag type");
343 }
344 }
345
346 static int find_acl_entry(acl_t acl, acl_entry_t entry, acl_entry_t *out) {
347 acl_entry_t i;
348 int r;
349
350 for (r = acl_get_entry(acl, ACL_FIRST_ENTRY, &i);
351 r > 0;
352 r = acl_get_entry(acl, ACL_NEXT_ENTRY, &i)) {
353
354 r = acl_entry_equal(i, entry);
355 if (r < 0)
356 return r;
357 if (r > 0) {
358 *out = i;
359 return 1;
360 }
361 }
362 if (r < 0)
363 return -errno;
364 return 0;
365 }
366
367 int acls_for_file(const char *path, acl_type_t type, acl_t new, acl_t *acl) {
368 _cleanup_(acl_freep) acl_t old;
369 acl_entry_t i;
370 int r;
371
372 old = acl_get_file(path, type);
373 if (!old)
374 return -errno;
375
376 for (r = acl_get_entry(new, ACL_FIRST_ENTRY, &i);
377 r > 0;
378 r = acl_get_entry(new, ACL_NEXT_ENTRY, &i)) {
379
380 acl_entry_t j;
381
382 r = find_acl_entry(old, i, &j);
383 if (r < 0)
384 return r;
385 if (r == 0)
386 if (acl_create_entry(&old, &j) < 0)
387 return -errno;
388
389 if (acl_copy_entry(j, i) < 0)
390 return -errno;
391 }
392 if (r < 0)
393 return -errno;
394
395 *acl = old;
396 old = NULL;
397 return 0;
398 }
399
400 int add_acls_for_user(int fd, uid_t uid) {
401 _cleanup_(acl_freep) acl_t acl = NULL;
402 acl_entry_t entry;
403 acl_permset_t permset;
404 int r;
405
406 acl = acl_get_fd(fd);
407 if (!acl)
408 return -errno;
409
410 r = acl_find_uid(acl, uid, &entry);
411 if (r <= 0) {
412 if (acl_create_entry(&acl, &entry) < 0 ||
413 acl_set_tag_type(entry, ACL_USER) < 0 ||
414 acl_set_qualifier(entry, &uid) < 0)
415 return -errno;
416 }
417
418 /* We do not recalculate the mask unconditionally here,
419 * so that the fchmod() mask above stays intact. */
420 if (acl_get_permset(entry, &permset) < 0 ||
421 acl_add_perm(permset, ACL_READ) < 0)
422 return -errno;
423
424 r = calc_acl_mask_if_needed(&acl);
425 if (r < 0)
426 return r;
427
428 return acl_set_fd(fd, acl);
429 }
Unnamed repository; edit this file 'description' to name the repository.