[systemd.git] / src / shared / acl-util.c

/*-*- Mode: C; c-basic-offset: 8; indent-tabs-mode: nil -*-*/

/***
  This file is part of systemd.

  Copyright 2011,2013 Lennart Poettering

  systemd is free software; you can redistribute it and/or modify it
  under the terms of the GNU Lesser General Public License as published by
  the Free Software Foundation; either version 2.1 of the License, or
  (at your option) any later version.

  systemd is distributed in the hope that it will be useful, but
  WITHOUT ANY WARRANTY; without even the implied warranty of
  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
  Lesser General Public License for more details.

  You should have received a copy of the GNU Lesser General Public License
  along with systemd; If not, see <http://www.gnu.org/licenses/>.
***/

#include <errno.h>
#include <stdbool.h>

#include "acl-util.h"
#include "util.h"
#include "strv.h"

int acl_find_uid(acl_t acl, uid_t uid, acl_entry_t *entry) {
        acl_entry_t i;
        int r;

        assert(acl);
        assert(entry);

        for (r = acl_get_entry(acl, ACL_FIRST_ENTRY, &i);
             r > 0;
             r = acl_get_entry(acl, ACL_NEXT_ENTRY, &i)) {

                acl_tag_t tag;
                uid_t *u;
                bool b;

                if (acl_get_tag_type(i, &tag) < 0)
                        return -errno;

                if (tag != ACL_USER)
                        continue;

                u = acl_get_qualifier(i);
                if (!u)
                        return -errno;

                b = *u == uid;
                acl_free(u);

                if (b) {
                        *entry = i;
                        return 1;
                }
        }
        if (r < 0)
                return -errno;

        return 0;
}

int calc_acl_mask_if_needed(acl_t *acl_p) {
        acl_entry_t i;
        int r;

        assert(acl_p);

        for (r = acl_get_entry(*acl_p, ACL_FIRST_ENTRY, &i);
             r > 0;
             r = acl_get_entry(*acl_p, ACL_NEXT_ENTRY, &i)) {
                acl_tag_t tag;

                if (acl_get_tag_type(i, &tag) < 0)
                        return -errno;

                if (tag == ACL_MASK)
                        return 0;

                if (IN_SET(tag, ACL_USER, ACL_GROUP)) {
                        if (acl_calc_mask(acl_p) < 0)
                                return -errno;

                        return 1;
                }
        }
        if (r < 0)
                return -errno;

        return 0;
}

int add_base_acls_if_needed(acl_t *acl_p, const char *path) {
        acl_entry_t i;
        int r;
        bool have_user_obj = false, have_group_obj = false, have_other = false;
        struct stat st;
        _cleanup_(acl_freep) acl_t basic = NULL;

        assert(acl_p);

        for (r = acl_get_entry(*acl_p, ACL_FIRST_ENTRY, &i);
             r > 0;
             r = acl_get_entry(*acl_p, ACL_NEXT_ENTRY, &i)) {
                acl_tag_t tag;

                if (acl_get_tag_type(i, &tag) < 0)
                        return -errno;

                if (tag == ACL_USER_OBJ)
                        have_user_obj = true;
                else if (tag == ACL_GROUP_OBJ)
                        have_group_obj = true;
                else if (tag == ACL_OTHER)
                        have_other = true;
                if (have_user_obj && have_group_obj && have_other)
                        return 0;
        }
        if (r < 0)
                return -errno;

        r = stat(path, &st);
        if (r < 0)
                return -errno;

        basic = acl_from_mode(st.st_mode);
        if (!basic)
                return -errno;

        for (r = acl_get_entry(basic, ACL_FIRST_ENTRY, &i);
             r > 0;
             r = acl_get_entry(basic, ACL_NEXT_ENTRY, &i)) {
                acl_tag_t tag;
                acl_entry_t dst;

                if (acl_get_tag_type(i, &tag) < 0)
                        return -errno;

                if ((tag == ACL_USER_OBJ && have_user_obj) ||
                    (tag == ACL_GROUP_OBJ && have_group_obj) ||
                    (tag == ACL_OTHER && have_other))
                        continue;

                r = acl_create_entry(acl_p, &dst);
                if (r < 0)
                        return -errno;

                r = acl_copy_entry(dst, i);
                if (r < 0)
                        return -errno;
        }
        if (r < 0)
                return -errno;
        return 0;
}

int acl_search_groups(const char *path, char ***ret_groups) {
        _cleanup_strv_free_ char **g = NULL;
        _cleanup_(acl_free) acl_t acl = NULL;
        bool ret = false;
        acl_entry_t entry;
        int r;

        assert(path);

        acl = acl_get_file(path, ACL_TYPE_DEFAULT);
        if (!acl)
                return -errno;

        r = acl_get_entry(acl, ACL_FIRST_ENTRY, &entry);
        for (;;) {
                _cleanup_(acl_free_gid_tpp) gid_t *gid = NULL;
                acl_tag_t tag;

                if (r < 0)
                        return -errno;
                if (r == 0)
                        break;

                if (acl_get_tag_type(entry, &tag) < 0)
                        return -errno;

                if (tag != ACL_GROUP)
                        goto next;

                gid = acl_get_qualifier(entry);
                if (!gid)
                        return -errno;

                if (in_gid(*gid) > 0) {
                        if (!ret_groups)
                                return true;

                        ret = true;
                }

                if (ret_groups) {
                        char *name;

                        name = gid_to_name(*gid);
                        if (!name)
                                return -ENOMEM;

                        r = strv_consume(&g, name);
                        if (r < 0)
                                return r;
                }

        next:
                r = acl_get_entry(acl, ACL_NEXT_ENTRY, &entry);
        }

        if (ret_groups) {
                *ret_groups = g;
                g = NULL;
        }

        return ret;
}

int parse_acl(const char *text, acl_t *acl_access, acl_t *acl_default, bool want_mask) {
        _cleanup_free_ char **a = NULL, **d = NULL; /* strings are not be freed */
        _cleanup_strv_free_ char **split;
        char **entry;
        int r = -EINVAL;
        _cleanup_(acl_freep) acl_t a_acl = NULL, d_acl = NULL;

        split = strv_split(text, ",");
        if (!split)
                return -ENOMEM;

        STRV_FOREACH(entry, split) {
                char *p;

                p = startswith(*entry, "default:");
                if (!p)
                        p = startswith(*entry, "d:");

                if (p)
                        r = strv_push(&d, p);
                else
                        r = strv_push(&a, *entry);
                if (r < 0)
                        return r;
        }

        if (!strv_isempty(a)) {
                _cleanup_free_ char *join;

                join = strv_join(a, ",");
                if (!join)
                        return -ENOMEM;

                a_acl = acl_from_text(join);
                if (!a_acl)
                        return -errno;

                if (want_mask) {
                        r = calc_acl_mask_if_needed(&a_acl);
                        if (r < 0)
                                return r;
                }
        }

        if (!strv_isempty(d)) {
                _cleanup_free_ char *join;

                join = strv_join(d, ",");
                if (!join)
                        return -ENOMEM;

                d_acl = acl_from_text(join);
                if (!d_acl)
                        return -errno;

                if (want_mask) {
                        r = calc_acl_mask_if_needed(&d_acl);
                        if (r < 0)
                                return r;
                }
        }

        *acl_access = a_acl;
        *acl_default = d_acl;
        a_acl = d_acl = NULL;

        return 0;
}

static int acl_entry_equal(acl_entry_t a, acl_entry_t b) {
        acl_tag_t tag_a, tag_b;

        if (acl_get_tag_type(a, &tag_a) < 0)
                return -errno;

        if (acl_get_tag_type(b, &tag_b) < 0)
                return -errno;

        if (tag_a != tag_b)
                return false;

        switch (tag_a) {
        case ACL_USER_OBJ:
        case ACL_GROUP_OBJ:
        case ACL_MASK:
        case ACL_OTHER:
                /* can have only one of those */
                return true;
        case ACL_USER: {
                _cleanup_(acl_free_uid_tpp) uid_t *uid_a = NULL, *uid_b = NULL;

                uid_a = acl_get_qualifier(a);
                if (!uid_a)
                        return -errno;

                uid_b = acl_get_qualifier(b);
                if (!uid_b)
                        return -errno;

                return *uid_a == *uid_b;
        }
        case ACL_GROUP: {
                _cleanup_(acl_free_gid_tpp) gid_t *gid_a = NULL, *gid_b = NULL;

                gid_a = acl_get_qualifier(a);
                if (!gid_a)
                        return -errno;

                gid_b = acl_get_qualifier(b);
                if (!gid_b)
                        return -errno;

                return *gid_a == *gid_b;
        }
        default:
                assert_not_reached("Unknown acl tag type");
        }
}

static int find_acl_entry(acl_t acl, acl_entry_t entry, acl_entry_t *out) {
        acl_entry_t i;
        int r;

        for (r = acl_get_entry(acl, ACL_FIRST_ENTRY, &i);
             r > 0;
             r = acl_get_entry(acl, ACL_NEXT_ENTRY, &i)) {

                r = acl_entry_equal(i, entry);
                if (r < 0)
                        return r;
                if (r > 0) {
                        *out = i;
                        return 1;
                }
        }
        if (r < 0)
                return -errno;
        return 0;
}

int acls_for_file(const char *path, acl_type_t type, acl_t new, acl_t *acl) {
        _cleanup_(acl_freep) acl_t old;
        acl_entry_t i;
        int r;

        old = acl_get_file(path, type);
        if (!old)
                return -errno;

        for (r = acl_get_entry(new, ACL_FIRST_ENTRY, &i);
             r > 0;
             r = acl_get_entry(new, ACL_NEXT_ENTRY, &i)) {

                acl_entry_t j;

                r = find_acl_entry(old, i, &j);
                if (r < 0)
                        return r;
                if (r == 0)
                        if (acl_create_entry(&old, &j) < 0)
                                return -errno;

                if (acl_copy_entry(j, i) < 0)
                        return -errno;
        }
        if (r < 0)
                return -errno;

        *acl = old;
        old = NULL;
        return 0;
}
Commit	Line	Data
663996b3 MS	1	/-- Mode: C; c-basic-offset: 8; indent-tabs-mode: nil --/
	2
	3	/***
	4	This file is part of systemd.
	5
	6	Copyright 2011,2013 Lennart Poettering
	7
	8	systemd is free software; you can redistribute it and/or modify it
	9	under the terms of the GNU Lesser General Public License as published by
	10	the Free Software Foundation; either version 2.1 of the License, or
	11	(at your option) any later version.
	12
	13	systemd is distributed in the hope that it will be useful, but
	14	WITHOUT ANY WARRANTY; without even the implied warranty of
	15	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
	16	Lesser General Public License for more details.
	17
	18	You should have received a copy of the GNU Lesser General Public License
	19	along with systemd; If not, see <http://www.gnu.org/licenses/>.
	20	***/
	21
663996b3 MS	22	#include <errno.h>
	23	#include <stdbool.h>
	24
	25	#include "acl-util.h"
	26	#include "util.h"
	27	#include "strv.h"
	28
	29	int acl_find_uid(acl_t acl, uid_t uid, acl_entry_t *entry) {
	30	acl_entry_t i;
e735f4d4	31	int r;
663996b3 MS	32
	33	assert(acl);
	34	assert(entry);
	35
e735f4d4 MP	36	for (r = acl_get_entry(acl, ACL_FIRST_ENTRY, &i);
	37	r > 0;
	38	r = acl_get_entry(acl, ACL_NEXT_ENTRY, &i)) {
663996b3 MS	39
	40	acl_tag_t tag;
	41	uid_t *u;
	42	bool b;
	43
	44	if (acl_get_tag_type(i, &tag) < 0)
	45	return -errno;
	46
	47	if (tag != ACL_USER)
	48	continue;
	49
	50	u = acl_get_qualifier(i);
	51	if (!u)
	52	return -errno;
	53
	54	b = *u == uid;
	55	acl_free(u);
	56
	57	if (b) {
	58	*entry = i;
	59	return 1;
	60	}
	61	}
e735f4d4	62	if (r < 0)
663996b3 MS	63	return -errno;
	64
	65	return 0;
	66	}
	67
14228c0d MB	68	int calc_acl_mask_if_needed(acl_t *acl_p) {
14228c0d MB	69	acl_entry_t i;
e735f4d4	70	int r;
14228c0d MB	71
	72	assert(acl_p);
	73
e735f4d4 MP	74	for (r = acl_get_entry(*acl_p, ACL_FIRST_ENTRY, &i);
	75	r > 0;
	76	r = acl_get_entry(*acl_p, ACL_NEXT_ENTRY, &i)) {
14228c0d MB	77	acl_tag_t tag;
	78
	79	if (acl_get_tag_type(i, &tag) < 0)
	80	return -errno;
	81
	82	if (tag == ACL_MASK)
	83	return 0;
e3bff60a MP	84
	85	if (IN_SET(tag, ACL_USER, ACL_GROUP)) {
	86	if (acl_calc_mask(acl_p) < 0)
	87	return -errno;
	88
	89	return 1;
	90	}
14228c0d	91	}
e735f4d4	92	if (r < 0)
14228c0d MB	93	return -errno;
14228c0d MB	94
e3bff60a	95	return 0;
e735f4d4 MP	96	}
	97
	98	int add_base_acls_if_needed(acl_t acl_p, const char path) {
	99	acl_entry_t i;
	100	int r;
	101	bool have_user_obj = false, have_group_obj = false, have_other = false;
	102	struct stat st;
	103	_cleanup_(acl_freep) acl_t basic = NULL;
	104
	105	assert(acl_p);
	106
	107	for (r = acl_get_entry(*acl_p, ACL_FIRST_ENTRY, &i);
	108	r > 0;
	109	r = acl_get_entry(*acl_p, ACL_NEXT_ENTRY, &i)) {
	110	acl_tag_t tag;
	111
	112	if (acl_get_tag_type(i, &tag) < 0)
	113	return -errno;
	114
	115	if (tag == ACL_USER_OBJ)
	116	have_user_obj = true;
	117	else if (tag == ACL_GROUP_OBJ)
	118	have_group_obj = true;
	119	else if (tag == ACL_OTHER)
	120	have_other = true;
	121	if (have_user_obj && have_group_obj && have_other)
	122	return 0;
	123	}
	124	if (r < 0)
	125	return -errno;
14228c0d	126
e735f4d4 MP	127	r = stat(path, &st);
	128	if (r < 0)
	129	return -errno;
	130
	131	basic = acl_from_mode(st.st_mode);
	132	if (!basic)
	133	return -errno;
	134
	135	for (r = acl_get_entry(basic, ACL_FIRST_ENTRY, &i);
	136	r > 0;
	137	r = acl_get_entry(basic, ACL_NEXT_ENTRY, &i)) {
	138	acl_tag_t tag;
	139	acl_entry_t dst;
	140
	141	if (acl_get_tag_type(i, &tag) < 0)
	142	return -errno;
	143
	144	if ((tag == ACL_USER_OBJ && have_user_obj) \|\|
	145	(tag == ACL_GROUP_OBJ && have_group_obj) \|\|
	146	(tag == ACL_OTHER && have_other))
	147	continue;
	148
	149	r = acl_create_entry(acl_p, &dst);
	150	if (r < 0)
	151	return -errno;
	152
	153	r = acl_copy_entry(dst, i);
	154	if (r < 0)
	155	return -errno;
	156	}
	157	if (r < 0)
	158	return -errno;
14228c0d MB	159	return 0;
	160	}
	161
e3bff60a MP	162	int acl_search_groups(const char path, char **ret_groups) {
	163	_cleanup_strv_free_ char **g = NULL;
	164	_cleanup_(acl_free) acl_t acl = NULL;
	165	bool ret = false;
	166	acl_entry_t entry;
	167	int r;
663996b3 MS	168
663996b3 MS	169	assert(path);
663996b3 MS	170
663996b3 MS	171	acl = acl_get_file(path, ACL_TYPE_DEFAULT);
e3bff60a MP	172	if (!acl)
e3bff60a MP	173	return -errno;
663996b3	174
e3bff60a MP	175	r = acl_get_entry(acl, ACL_FIRST_ENTRY, &entry);
	176	for (;;) {
	177	_cleanup_(acl_free_gid_tpp) gid_t *gid = NULL;
	178	acl_tag_t tag;
	179
	180	if (r < 0)
	181	return -errno;
	182	if (r == 0)
	183	break;
663996b3	184
e3bff60a MP	185	if (acl_get_tag_type(entry, &tag) < 0)
e3bff60a MP	186	return -errno;
663996b3	187
e3bff60a MP	188	if (tag != ACL_GROUP)
e3bff60a MP	189	goto next;
663996b3	190
e3bff60a MP	191	gid = acl_get_qualifier(entry);
	192	if (!gid)
	193	return -errno;
	194
	195	if (in_gid(*gid) > 0) {
	196	if (!ret_groups)
	197	return true;
	198
	199	ret = true;
	200	}
	201
	202	if (ret_groups) {
	203	char *name;
663996b3 MS	204
663996b3 MS	205	name = gid_to_name(*gid);
e3bff60a MP	206	if (!name)
	207	return -ENOMEM;
	208
	209	r = strv_consume(&g, name);
	210	if (r < 0)
	211	return r;
663996b3 MS	212	}
663996b3 MS	213
e3bff60a MP	214	next:
e3bff60a MP	215	r = acl_get_entry(acl, ACL_NEXT_ENTRY, &entry);
663996b3 MS	216	}
663996b3 MS	217
e3bff60a MP	218	if (ret_groups) {
	219	*ret_groups = g;
	220	g = NULL;
	221	}
	222
	223	return ret;
663996b3	224	}
e735f4d4	225
86f210e9	226	int parse_acl(const char text, acl_t acl_access, acl_t *acl_default, bool want_mask) {
e735f4d4 MP	227	_cleanup_free_ char a = NULL, d = NULL; /* strings are not be freed */
	228	_cleanup_strv_free_ char **split;
	229	char **entry;
	230	int r = -EINVAL;
	231	_cleanup_(acl_freep) acl_t a_acl = NULL, d_acl = NULL;
	232
	233	split = strv_split(text, ",");
	234	if (!split)
86f210e9	235	return -ENOMEM;
e735f4d4 MP	236
	237	STRV_FOREACH(entry, split) {
	238	char *p;
	239
	240	p = startswith(*entry, "default:");
	241	if (!p)
	242	p = startswith(*entry, "d:");
	243
	244	if (p)
	245	r = strv_push(&d, p);
	246	else
	247	r = strv_push(&a, *entry);
86f210e9 MP	248	if (r < 0)
86f210e9 MP	249	return r;
e735f4d4	250	}
e735f4d4 MP	251
	252	if (!strv_isempty(a)) {
	253	_cleanup_free_ char *join;
	254
	255	join = strv_join(a, ",");
	256	if (!join)
	257	return -ENOMEM;
	258
	259	a_acl = acl_from_text(join);
	260	if (!a_acl)
86f210e9	261	return -errno;
e735f4d4 MP	262
	263	if (want_mask) {
	264	r = calc_acl_mask_if_needed(&a_acl);
	265	if (r < 0)
	266	return r;
	267	}
	268	}
	269
	270	if (!strv_isempty(d)) {
	271	_cleanup_free_ char *join;
	272
	273	join = strv_join(d, ",");
	274	if (!join)
	275	return -ENOMEM;
	276
	277	d_acl = acl_from_text(join);
	278	if (!d_acl)
86f210e9	279	return -errno;
e735f4d4 MP	280
	281	if (want_mask) {
	282	r = calc_acl_mask_if_needed(&d_acl);
	283	if (r < 0)
	284	return r;
	285	}
	286	}
	287
	288	*acl_access = a_acl;
	289	*acl_default = d_acl;
	290	a_acl = d_acl = NULL;
86f210e9	291
e735f4d4 MP	292	return 0;
	293	}
	294
e3bff60a MP	295	static int acl_entry_equal(acl_entry_t a, acl_entry_t b) {
	296	acl_tag_t tag_a, tag_b;
	297
	298	if (acl_get_tag_type(a, &tag_a) < 0)
	299	return -errno;
	300
	301	if (acl_get_tag_type(b, &tag_b) < 0)
	302	return -errno;
	303
	304	if (tag_a != tag_b)
	305	return false;
	306
	307	switch (tag_a) {
	308	case ACL_USER_OBJ:
	309	case ACL_GROUP_OBJ:
	310	case ACL_MASK:
	311	case ACL_OTHER:
	312	/* can have only one of those */
	313	return true;
	314	case ACL_USER: {
	315	_cleanup_(acl_free_uid_tpp) uid_t uid_a = NULL, uid_b = NULL;
	316
	317	uid_a = acl_get_qualifier(a);
	318	if (!uid_a)
	319	return -errno;
	320
	321	uid_b = acl_get_qualifier(b);
	322	if (!uid_b)
	323	return -errno;
	324
	325	return uid_a == uid_b;
	326	}
	327	case ACL_GROUP: {
	328	_cleanup_(acl_free_gid_tpp) gid_t gid_a = NULL, gid_b = NULL;
	329
	330	gid_a = acl_get_qualifier(a);
	331	if (!gid_a)
	332	return -errno;
	333
	334	gid_b = acl_get_qualifier(b);
	335	if (!gid_b)
	336	return -errno;
	337
	338	return gid_a == gid_b;
	339	}
	340	default:
	341	assert_not_reached("Unknown acl tag type");
	342	}
	343	}
	344
	345	static int find_acl_entry(acl_t acl, acl_entry_t entry, acl_entry_t *out) {
	346	acl_entry_t i;
	347	int r;
	348
	349	for (r = acl_get_entry(acl, ACL_FIRST_ENTRY, &i);
	350	r > 0;
	351	r = acl_get_entry(acl, ACL_NEXT_ENTRY, &i)) {
	352
	353	r = acl_entry_equal(i, entry);
	354	if (r < 0)
	355	return r;
	356	if (r > 0) {
	357	*out = i;
	358	return 1;
359	}
360	}
361	if (r < 0)
362	return -errno;
363	return 0;
364	}
365
e735f4d4 MP	366	int acls_for_file(const char path, acl_type_t type, acl_t new, acl_t acl) {
	367	_cleanup_(acl_freep) acl_t old;
	368	acl_entry_t i;
	369	int r;
	370
	371	old = acl_get_file(path, type);
	372	if (!old)
	373	return -errno;
	374
	375	for (r = acl_get_entry(new, ACL_FIRST_ENTRY, &i);
	376	r > 0;
	377	r = acl_get_entry(new, ACL_NEXT_ENTRY, &i)) {
	378
	379	acl_entry_t j;
	380
e3bff60a MP	381	r = find_acl_entry(old, i, &j);
	382	if (r < 0)
	383	return r;
	384	if (r == 0)
	385	if (acl_create_entry(&old, &j) < 0)
	386	return -errno;
e735f4d4 MP	387
	388	if (acl_copy_entry(j, i) < 0)
	389	return -errno;
	390	}
	391	if (r < 0)
	392	return -errno;
	393
	394	*acl = old;
	395	old = NULL;
	396	return 0;
	397	}