[ceph.git] / ceph / src / client / posix_acl.cc

#include "include/types.h"
#include <sys/stat.h>
#include "posix_acl.h"
#include "UserPerm.h"

#ifndef ACCESSPERMS
#define ACCESSPERMS (S_IRWXU|S_IRWXG|S_IRWXO)
#endif

int posix_acl_check(const void *xattr, size_t size)
{
  const acl_ea_header *header;
  if (size < sizeof(*header))
    return -1;
  header = reinterpret_cast<const acl_ea_header*>(xattr);
  ceph_le32 expected_version;
  expected_version = ACL_EA_VERSION;
  if (header->a_version != expected_version)
    return -1;

  const acl_ea_entry *entry = header->a_entries;
  size -= sizeof(*header);
  if (size % sizeof(*entry))
    return -1;

  int count = size / sizeof(*entry);
  if (count == 0)
    return 0;

  int state = ACL_USER_OBJ;
  int needs_mask = 0;
  for (int i = 0; i < count; ++i) {
    __u16 tag = entry->e_tag;
    switch(tag) {
    case ACL_USER_OBJ:
      if (state == ACL_USER_OBJ) {
        state = ACL_USER;
        break;
      }
      return -1;
    case ACL_USER:
      if (state != ACL_USER)
        return -1;
      needs_mask = 1;
      break;
    case ACL_GROUP_OBJ:
      if (state == ACL_USER) {
        state = ACL_GROUP;
        break;
      }
      return -1;
    case ACL_GROUP:
      if (state != ACL_GROUP)
        return -1;
      needs_mask = 1;
      break;
    case ACL_MASK:
      if (state != ACL_GROUP)
        return -1;
      state = ACL_OTHER;
      break;
    case ACL_OTHER:
      if (state == ACL_OTHER ||
          (state == ACL_GROUP && !needs_mask)) {
        state = 0;
        break;
      }
      // fall-thru
    default:
      return -1;
    }
    ++entry;
  }

  return state == 0 ? count : -1;
}

int posix_acl_equiv_mode(const void *xattr, size_t size, mode_t *mode_p)
{
  if (posix_acl_check(xattr, size) < 0)
    return -EINVAL;

  int not_equiv = 0;
  mode_t mode = 0;

  const acl_ea_header *header = reinterpret_cast<const acl_ea_header*>(xattr);
  const acl_ea_entry *entry = header->a_entries;
  int count = (size - sizeof(*header)) / sizeof(*entry);
  for (int i = 0; i < count; ++i) {
    __u16 tag = entry->e_tag;
    __u16 perm = entry->e_perm;
    switch(tag) {
      case ACL_USER_OBJ:
	mode |= (perm & S_IRWXO) << 6;
	break;
      case ACL_GROUP_OBJ:
	mode |= (perm & S_IRWXO) << 3;
	break;
      case ACL_OTHER:
	mode |= perm & S_IRWXO;
	break;
      case ACL_MASK:
	mode = (mode & ~S_IRWXG) | ((perm & S_IRWXO) << 3);
	/* fall through */
      case ACL_USER:
      case ACL_GROUP:
	not_equiv = 1;
	break;
      default:
	return -EINVAL;
    }
    ++entry;
  }
  if (mode_p)
    *mode_p = (*mode_p & ~ACCESSPERMS) | mode;
  return not_equiv;
}

int posix_acl_inherit_mode(bufferptr& acl, mode_t *mode_p)
{
  if (posix_acl_check(acl.c_str(), acl.length()) <= 0)
    return -EIO;

  acl_ea_entry *group_entry = NULL, *mask_entry = NULL;
  mode_t mode = *mode_p;
  int not_equiv = 0;

  acl_ea_header *header = reinterpret_cast<acl_ea_header*>(acl.c_str());
  acl_ea_entry *entry = header->a_entries;
  int count = (acl.length() - sizeof(*header)) / sizeof(*entry);
  for (int i = 0; i < count; ++i) {
    __u16 tag = entry->e_tag;
    __u16 perm = entry->e_perm;
    switch(tag) {
      case ACL_USER_OBJ:
	perm &= (mode >> 6) | ~S_IRWXO;
	mode &= (perm << 6) | ~S_IRWXU;
	entry->e_perm = perm;
	break;
      case ACL_USER:
      case ACL_GROUP:
	not_equiv = 1;
	break;
      case ACL_GROUP_OBJ:
	group_entry = entry;
	break;
      case ACL_OTHER:
	perm &= mode | ~S_IRWXO;
	mode &= perm | ~S_IRWXO;
	entry->e_perm = perm;
	break;
      case ACL_MASK:
	mask_entry = entry;
	not_equiv = 1;
	break;
      default:
	return -EIO;

    }
    ++entry;
  }

  if (mask_entry) {
    __u16 perm = mask_entry->e_perm;
    perm &= (mode >> 3) | ~S_IRWXO;
    mode &= (perm << 3) | ~S_IRWXG;
    mask_entry->e_perm = perm;
  } else {
    if (!group_entry)
      return -EIO;
    __u16 perm = group_entry->e_perm;
    perm &= (mode >> 3) | ~S_IRWXO;
    mode &= (perm << 3) | ~S_IRWXG;
    group_entry->e_perm = perm;
  }

  *mode_p = (*mode_p & ~ACCESSPERMS) | mode;
  return not_equiv;
}

int posix_acl_access_chmod(bufferptr& acl, mode_t mode)
{
  if (posix_acl_check(acl.c_str(), acl.length()) <= 0)
    return -EIO;

  acl_ea_entry *group_entry = NULL, *mask_entry = NULL;

  acl_ea_header *header = reinterpret_cast<acl_ea_header*>(acl.c_str());
  acl_ea_entry *entry = header->a_entries;
  int count = (acl.length() - sizeof(*header)) / sizeof(*entry);
  for (int i = 0; i < count; ++i) {
    __u16 tag = entry->e_tag;
    switch(tag) {
      case ACL_USER_OBJ:
	entry->e_perm = (mode & S_IRWXU) >> 6;
	break;
      case ACL_GROUP_OBJ:
	group_entry = entry;
	break;
      case ACL_MASK:
	mask_entry = entry;
	break;
      case ACL_OTHER:
	entry->e_perm = mode & S_IRWXO;
	break;
      default:
	break;
    }
    ++entry;
  }

  if (mask_entry) {
    mask_entry->e_perm = (mode & S_IRWXG) >> 3;
  } else {
    if (!group_entry)
      return -EIO;
    group_entry->e_perm = (mode & S_IRWXG) >> 3;
  }
  return 0;
}

int posix_acl_permits(const bufferptr& acl, uid_t i_uid, gid_t i_gid,
			 const UserPerm& perms, unsigned want)
{
  if (posix_acl_check(acl.c_str(), acl.length()) < 0)
    return -EIO;

  const acl_ea_header *header = reinterpret_cast<const acl_ea_header*>(acl.c_str());
  const acl_ea_entry *entry = header->a_entries;
  const acl_ea_entry *next_entry;
  __u16 perm, tag;
  __u32 id;
  int group_found = 0;
  int idx;
  int count = (acl.length() - sizeof(*header)) / sizeof(*entry);
  for (idx = 0; idx < count; ++idx) {
    tag = entry->e_tag;
    perm = entry->e_perm;
    switch(tag) {
      case ACL_USER_OBJ:
	if (i_uid == perms.uid())
	  goto check_perm;
	break;
      case ACL_USER:
	id = entry->e_id;
	if (id == perms.uid())
	  goto check_mask;
	break;
      case ACL_GROUP_OBJ:
	/* fall through */
      case ACL_GROUP:
	id = (tag == ACL_GROUP_OBJ) ? i_gid : entry->e_id;
	if (perms.gid_in_groups(id)) {
	  group_found = 1;
	  if ((perm & want) == want)
	    goto check_mask;
	}
	break;
      case ACL_MASK:
	break;
      case ACL_OTHER:
	if (group_found)
	  return -EACCES;
	else
	  goto check_perm;
	break;
      default:
	return -EIO;
    }
    ++entry;
  }
  return -EIO;

check_mask:
  next_entry = entry + 1;
  for (++idx; idx < count; ++idx) {
    tag = next_entry->e_tag;
    if (tag == ACL_MASK) {
      __u16 mask = next_entry->e_perm;
      if ((perm & mask & want) == want)
	return 0;
      return -EACCES;
    }
    ++next_entry;
  }
check_perm:
  if ((perm & want) == want)
    return 0;
  return -EACCES;
}
Commit	Line	Data
7c673cae FG	1	#include "include/types.h"
	2	#include <sys/stat.h>
	3	#include "posix_acl.h"
	4	#include "UserPerm.h"
	5
	6	#ifndef ACCESSPERMS
	7	#define ACCESSPERMS (S_IRWXU\|S_IRWXG\|S_IRWXO)
	8	#endif
	9
	10	int posix_acl_check(const void *xattr, size_t size)
	11	{
	12	const acl_ea_header *header;
	13	if (size < sizeof(*header))
	14	return -1;
	15	header = reinterpret_cast<const acl_ea_header*>(xattr);
	16	ceph_le32 expected_version;
	17	expected_version = ACL_EA_VERSION;
	18	if (header->a_version != expected_version)
	19	return -1;
	20
	21	const acl_ea_entry *entry = header->a_entries;
	22	size -= sizeof(*header);
	23	if (size % sizeof(*entry))
	24	return -1;
	25
	26	int count = size / sizeof(*entry);
	27	if (count == 0)
	28	return 0;
	29
	30	int state = ACL_USER_OBJ;
	31	int needs_mask = 0;
	32	for (int i = 0; i < count; ++i) {
	33	__u16 tag = entry->e_tag;
	34	switch(tag) {
	35	case ACL_USER_OBJ:
	36	if (state == ACL_USER_OBJ) {
	37	state = ACL_USER;
	38	break;
	39	}
	40	return -1;
	41	case ACL_USER:
	42	if (state != ACL_USER)
	43	return -1;
	44	needs_mask = 1;
	45	break;
	46	case ACL_GROUP_OBJ:
	47	if (state == ACL_USER) {
	48	state = ACL_GROUP;
	49	break;
	50	}
	51	return -1;
	52	case ACL_GROUP:
	53	if (state != ACL_GROUP)
	54	return -1;
	55	needs_mask = 1;
	56	break;
	57	case ACL_MASK:
	58	if (state != ACL_GROUP)
	59	return -1;
	60	state = ACL_OTHER;
	61	break;
	62	case ACL_OTHER:
	63	if (state == ACL_OTHER \|\|
	64	(state == ACL_GROUP && !needs_mask)) {
65	state = 0;
66	break;
67	}
68	// fall-thru
69	default:
70	return -1;
71	}
72	++entry;
73	}
74
75	return state == 0 ? count : -1;
76	}
77
78	int posix_acl_equiv_mode(const void xattr, size_t size, mode_t mode_p)
79	{
80	if (posix_acl_check(xattr, size) < 0)
81	return -EINVAL;
82
83	int not_equiv = 0;
84	mode_t mode = 0;
85
86	const acl_ea_header header = reinterpret_cast<const acl_ea_header>(xattr);
87	const acl_ea_entry *entry = header->a_entries;
88	int count = (size - sizeof(header)) / sizeof(entry);
89	for (int i = 0; i < count; ++i) {
90	__u16 tag = entry->e_tag;
91	__u16 perm = entry->e_perm;
92	switch(tag) {
93	case ACL_USER_OBJ:
94	mode \|= (perm & S_IRWXO) << 6;
95	break;
96	case ACL_GROUP_OBJ:
97	mode \|= (perm & S_IRWXO) << 3;
98	break;
99	case ACL_OTHER:
100	mode \|= perm & S_IRWXO;
101	break;
102	case ACL_MASK:
103	mode = (mode & ~S_IRWXG) \| ((perm & S_IRWXO) << 3);
104	/* fall through */
105	case ACL_USER:
106	case ACL_GROUP:
107	not_equiv = 1;
108	break;
109	default:
110	return -EINVAL;
111	}
112	++entry;
113	}
114	if (mode_p)
115	mode_p = (mode_p & ~ACCESSPERMS) \| mode;
116	return not_equiv;
117	}
118
119	int posix_acl_inherit_mode(bufferptr& acl, mode_t *mode_p)
120	{
121	if (posix_acl_check(acl.c_str(), acl.length()) <= 0)
122	return -EIO;
123
124	acl_ea_entry group_entry = NULL, mask_entry = NULL;
125	mode_t mode = *mode_p;
126	int not_equiv = 0;
127
128	acl_ea_header header = reinterpret_cast<acl_ea_header>(acl.c_str());
129	acl_ea_entry *entry = header->a_entries;
130	int count = (acl.length() - sizeof(header)) / sizeof(entry);
131	for (int i = 0; i < count; ++i) {
132	__u16 tag = entry->e_tag;
133	__u16 perm = entry->e_perm;
134	switch(tag) {
135	case ACL_USER_OBJ:
136	perm &= (mode >> 6) \| ~S_IRWXO;
137	mode &= (perm << 6) \| ~S_IRWXU;
138	entry->e_perm = perm;
139	break;
140	case ACL_USER:
141	case ACL_GROUP:
142	not_equiv = 1;
143	break;
144	case ACL_GROUP_OBJ:
145	group_entry = entry;
146	break;
147	case ACL_OTHER:
148	perm &= mode \| ~S_IRWXO;
149	mode &= perm \| ~S_IRWXO;
150	entry->e_perm = perm;
151	break;
152	case ACL_MASK:
153	mask_entry = entry;
154	not_equiv = 1;
155	break;
156	default:
157	return -EIO;
158
159	}
160	++entry;
161	}
162
163	if (mask_entry) {
164	__u16 perm = mask_entry->e_perm;
165	perm &= (mode >> 3) \| ~S_IRWXO;
166	mode &= (perm << 3) \| ~S_IRWXG;
167	mask_entry->e_perm = perm;
168	} else {
169	if (!group_entry)
170	return -EIO;
171	__u16 perm = group_entry->e_perm;
172	perm &= (mode >> 3) \| ~S_IRWXO;
173	mode &= (perm << 3) \| ~S_IRWXG;
174	group_entry->e_perm = perm;
175	}
176
177	mode_p = (mode_p & ~ACCESSPERMS) \| mode;
178	return not_equiv;
179	}
180
181	int posix_acl_access_chmod(bufferptr& acl, mode_t mode)
182	{
183	if (posix_acl_check(acl.c_str(), acl.length()) <= 0)
184	return -EIO;
185
186	acl_ea_entry group_entry = NULL, mask_entry = NULL;
187
188	acl_ea_header header = reinterpret_cast<acl_ea_header>(acl.c_str());
189	acl_ea_entry *entry = header->a_entries;
190	int count = (acl.length() - sizeof(header)) / sizeof(entry);
191	for (int i = 0; i < count; ++i) {
192	__u16 tag = entry->e_tag;
193	switch(tag) {
194	case ACL_USER_OBJ:
195	entry->e_perm = (mode & S_IRWXU) >> 6;
196	break;
197	case ACL_GROUP_OBJ:
198	group_entry = entry;
199	break;
200	case ACL_MASK:
201	mask_entry = entry;
202	break;
203	case ACL_OTHER:
204	entry->e_perm = mode & S_IRWXO;
205	break;
206	default:
207	break;
208	}
209	++entry;
210	}
211
212	if (mask_entry) {
213	mask_entry->e_perm = (mode & S_IRWXG) >> 3;
214	} else {
215	if (!group_entry)
216	return -EIO;
217	group_entry->e_perm = (mode & S_IRWXG) >> 3;
218	}
219	return 0;
220	}
221
222	int posix_acl_permits(const bufferptr& acl, uid_t i_uid, gid_t i_gid,
223	const UserPerm& perms, unsigned want)
224	{
225	if (posix_acl_check(acl.c_str(), acl.length()) < 0)
226	return -EIO;
227
228	const acl_ea_header header = reinterpret_cast<const acl_ea_header>(acl.c_str());
229	const acl_ea_entry *entry = header->a_entries;
230	const acl_ea_entry *next_entry;
231	__u16 perm, tag;
232	__u32 id;
233	int group_found = 0;
234	int idx;
235	int count = (acl.length() - sizeof(header)) / sizeof(entry);
236	for (idx = 0; idx < count; ++idx) {
237	tag = entry->e_tag;
238	perm = entry->e_perm;
239	switch(tag) {
240	case ACL_USER_OBJ:
241	if (i_uid == perms.uid())
242	goto check_perm;
243	break;
244	case ACL_USER:
245	id = entry->e_id;
246	if (id == perms.uid())
247	goto check_mask;
248	break;
249	case ACL_GROUP_OBJ:
250	/* fall through */
251	case ACL_GROUP:
252	id = (tag == ACL_GROUP_OBJ) ? i_gid : entry->e_id;
253	if (perms.gid_in_groups(id)) {
254	group_found = 1;
255	if ((perm & want) == want)
256	goto check_mask;
257	}
258	break;
259	case ACL_MASK:
260	break;
261	case ACL_OTHER:
262	if (group_found)
263	return -EACCES;
264	else
265	goto check_perm;
266	break;
267	default:
268	return -EIO;
269	}
270	++entry;
271	}
272	return -EIO;
273
274	check_mask:
275	next_entry = entry + 1;
276	for (++idx; idx < count; ++idx) {
277	tag = next_entry->e_tag;
278	if (tag == ACL_MASK) {
279	__u16 mask = next_entry->e_perm;
280	if ((perm & mask & want) == want)
281	return 0;
282	return -EACCES;
283	}
284	++next_entry;
285	}
286	check_perm:
287	if ((perm & want) == want)
288	return 0;
289	return -EACCES;
290	}