[proxmox-backup.git] / pbs-tools / src / xattr.rs

//! Wrapper functions for the libc xattr calls

use std::ffi::CStr;
use std::os::unix::io::RawFd;

use nix::errno::Errno;

use proxmox_io::vec;
use proxmox_lang::c_str;

/// `"security.capability"` as a CStr to avoid typos.
///
/// This cannot be `const` until `const_cstr_unchecked` is stable.
#[inline]
pub fn xattr_name_fcaps() -> &'static CStr {
    c_str!("security.capability")
}

/// `"system.posix_acl_access"` as a CStr to avoid typos.
///
/// This cannot be `const` until `const_cstr_unchecked` is stable.
#[inline]
pub fn xattr_acl_access() -> &'static CStr {
    c_str!("system.posix_acl_access")
}

/// `"system.posix_acl_default"` as a CStr to avoid typos.
///
/// This cannot be `const` until `const_cstr_unchecked` is stable.
#[inline]
pub fn xattr_acl_default() -> &'static CStr {
    c_str!("system.posix_acl_default")
}

/// Result of `flistxattr`, allows iterating over the attributes as a list of `&CStr`s.
///
/// Listing xattrs produces a list separated by zeroes, inherently making them available as `&CStr`
/// already, so we make use of this fact and reflect this in the interface.
pub struct ListXAttr {
    data: Vec<u8>,
}

impl ListXAttr {
    fn new(data: Vec<u8>) -> Self {
        Self { data }
    }
}

impl<'a> IntoIterator for &'a ListXAttr {
    type Item = &'a CStr;
    type IntoIter = ListXAttrIter<'a>;

    fn into_iter(self) -> Self::IntoIter {
        ListXAttrIter {
            data: &self.data,
            at: 0,
        }
    }
}

/// Iterator over the extended attribute entries in a `ListXAttr`.
pub struct ListXAttrIter<'a> {
    data: &'a [u8],
    at: usize,
}

impl<'a> Iterator for ListXAttrIter<'a> {
    type Item = &'a CStr;

    fn next(&mut self) -> Option<&'a CStr> {
        let data = &self.data[self.at..];
        let next = data.iter().position(|b| *b == 0)? + 1;
        self.at += next;
        Some(unsafe { CStr::from_bytes_with_nul_unchecked(&data[..next]) })
    }
}

/// Return a list of extended attributes accessible as an iterator over items of type `&CStr`.
pub fn flistxattr(fd: RawFd) -> Result<ListXAttr, nix::errno::Errno> {
    // Initial buffer size for the attribute list, if content does not fit
    // it gets dynamically increased until big enough.
    let mut size = 256;
    let mut buffer = vec::undefined(size);
    let mut bytes = unsafe {
        libc::flistxattr(fd, buffer.as_mut_ptr() as *mut libc::c_char, buffer.len())
    };
    while bytes < 0 {
        let err = Errno::last();
        match err {
            Errno::ERANGE => {
                // Buffer was not big enough to fit the list, retry with double the size
                size = size.checked_mul(2).ok_or(Errno::ENOMEM)?;
            },
            _ => return Err(err),
        }
        // Retry to read the list with new buffer
        buffer.resize(size, 0);
        bytes = unsafe {
            libc::flistxattr(fd, buffer.as_mut_ptr() as *mut libc::c_char, buffer.len())
        };
    }
    buffer.truncate(bytes as usize);

    Ok(ListXAttr::new(buffer))
}

/// Get an extended attribute by name.
///
/// Extended attributes may not contain zeroes, which we enforce in the API by using a `&CStr`
/// type.
pub fn fgetxattr(fd: RawFd, name: &CStr) -> Result<Vec<u8>, nix::errno::Errno> {
    let mut size = 256;
    let mut buffer = vec::undefined(size);
    let mut bytes = unsafe {
        libc::fgetxattr(fd, name.as_ptr(), buffer.as_mut_ptr() as *mut core::ffi::c_void, buffer.len())
    };
    while bytes < 0 {
        let err = Errno::last();
        match err {
            Errno::ERANGE => {
                // Buffer was not big enough to fit the value, retry with double the size
                size = size.checked_mul(2).ok_or(Errno::ENOMEM)?;
            },
            _ => return Err(err),
        }
        buffer.resize(size, 0);
        bytes = unsafe {
            libc::fgetxattr(fd, name.as_ptr() as *const libc::c_char, buffer.as_mut_ptr() as *mut core::ffi::c_void, buffer.len())
        };
    }
    buffer.resize(bytes as usize, 0);

    Ok(buffer)
}

/// Set an extended attribute on a file descriptor.
pub fn fsetxattr(fd: RawFd, name: &CStr, data: &[u8]) -> Result<(), nix::errno::Errno> {
    let flags = 0 as libc::c_int;
    let result = unsafe {
        libc::fsetxattr(fd, name.as_ptr(), data.as_ptr() as *const libc::c_void, data.len(), flags)
    };
    if result < 0 {
        return Err(Errno::last());
    }

    Ok(())
}

pub fn fsetxattr_fcaps(fd: RawFd, fcaps: &[u8]) -> Result<(), nix::errno::Errno> {
    // TODO casync checks and removes capabilities if they are set
    fsetxattr(fd, xattr_name_fcaps(), fcaps)
}

pub fn is_security_capability(name: &CStr) -> bool {
    name.to_bytes() == xattr_name_fcaps().to_bytes()
}

pub fn is_acl(name: &CStr) -> bool {
    name.to_bytes() == xattr_acl_access().to_bytes()
    || name.to_bytes() == xattr_acl_default().to_bytes()
}

/// Check if the passed name buffer starts with a valid xattr namespace prefix
/// and is within the length limit of 255 bytes
pub fn is_valid_xattr_name(c_name: &CStr) -> bool {
    let name = c_name.to_bytes();
    if name.is_empty() || name.len() > 255 {
        return false;
    }
    if name.starts_with(b"user.") || name.starts_with(b"trusted.") {
        return true;
    }
    // samba saves windows ACLs there
    if name == b"security.NTACL" {
        return true;
    }
    is_security_capability(c_name)
}

#[cfg(test)]
mod tests {
    use super::*;

    use std::ffi::CString;
    use std::fs::OpenOptions;
    use std::os::unix::io::AsRawFd;

    use nix::errno::Errno;

    use proxmox_lang::c_str;

    #[test]
    fn test_fsetxattr_fgetxattr() {
        let path = "./test-xattrs.txt";
        let file = OpenOptions::new()
            .write(true)
            .create(true)
            .open(&path)
            .unwrap();

        let fd = file.as_raw_fd();

        assert!(fsetxattr(fd, c_str!("user.attribute0"), b"value0").is_ok());
        assert!(fsetxattr(fd, c_str!("user.empty"), b"").is_ok());

        if nix::unistd::Uid::current() != nix::unistd::ROOT {
            assert_eq!(fsetxattr(fd, c_str!("trusted.attribute0"), b"value0"), Err(Errno::EPERM));
        }

        let v0 = fgetxattr(fd, c_str!("user.attribute0")).unwrap();
        let v1 = fgetxattr(fd, c_str!("user.empty")).unwrap();

        assert_eq!(v0, b"value0".as_ref());
        assert_eq!(v1, b"".as_ref());
        assert_eq!(fgetxattr(fd, c_str!("user.attribute1")), Err(Errno::ENODATA));

        std::fs::remove_file(&path).unwrap();
    }

    #[test]
    fn test_is_valid_xattr_name() {
        let too_long = CString::new(vec![b'a'; 265]).unwrap();

        assert!(!is_valid_xattr_name(&too_long));
        assert!(!is_valid_xattr_name(c_str!("system.attr")));
        assert!(is_valid_xattr_name(c_str!("user.attr")));
        assert!(is_valid_xattr_name(c_str!("trusted.attr")));
        assert!(is_valid_xattr_name(super::xattr_name_fcaps()));
    }
}
Commit	Line	Data
2dcdd3b4 CE	1	//! Wrapper functions for the libc xattr calls
2dcdd3b4 CE	2
27a3decb	3	use std::ffi::CStr;
2dcdd3b4	4	use std::os::unix::io::RawFd;
27a3decb	5
2dcdd3b4	6	use nix::errno::Errno;
f35197f4	7
6ef1b649 WB	8	use proxmox_io::vec;
6ef1b649 WB	9	use proxmox_lang::c_str;
f35197f4	10
1e3d9b10	11	/// `"security.capability"` as a CStr to avoid typos.
9094186a WB	12	///
	13	/// This cannot be `const` until `const_cstr_unchecked` is stable.
	14	#[inline]
1e3d9b10	15	pub fn xattr_name_fcaps() -> &'static CStr {
9094186a WB	16	c_str!("security.capability")
9094186a WB	17	}
2dcdd3b4	18
c443f58b WB	19	/// `"system.posix_acl_access"` as a CStr to avoid typos.
	20	///
	21	/// This cannot be `const` until `const_cstr_unchecked` is stable.
	22	#[inline]
	23	pub fn xattr_acl_access() -> &'static CStr {
	24	c_str!("system.posix_acl_access")
	25	}
	26
	27	/// `"system.posix_acl_default"` as a CStr to avoid typos.
	28	///
	29	/// This cannot be `const` until `const_cstr_unchecked` is stable.
	30	#[inline]
	31	pub fn xattr_acl_default() -> &'static CStr {
	32	c_str!("system.posix_acl_default")
	33	}
	34
27a3decb WB	35	/// Result of `flistxattr`, allows iterating over the attributes as a list of `&CStr`s.
	36	///
	37	/// Listing xattrs produces a list separated by zeroes, inherently making them available as `&CStr`
	38	/// already, so we make use of this fact and reflect this in the interface.
	39	pub struct ListXAttr {
	40	data: Vec<u8>,
	41	}
	42
	43	impl ListXAttr {
	44	fn new(data: Vec<u8>) -> Self {
	45	Self { data }
	46	}
	47	}
	48
	49	impl<'a> IntoIterator for &'a ListXAttr {
	50	type Item = &'a CStr;
	51	type IntoIter = ListXAttrIter<'a>;
	52
	53	fn into_iter(self) -> Self::IntoIter {
	54	ListXAttrIter {
	55	data: &self.data,
	56	at: 0,
	57	}
	58	}
	59	}
	60
	61	/// Iterator over the extended attribute entries in a `ListXAttr`.
	62	pub struct ListXAttrIter<'a> {
	63	data: &'a [u8],
	64	at: usize,
	65	}
	66
	67	impl<'a> Iterator for ListXAttrIter<'a> {
	68	type Item = &'a CStr;
	69
	70	fn next(&mut self) -> Option<&'a CStr> {
	71	let data = &self.data[self.at..];
	72	let next = data.iter().position(\|b\| *b == 0)? + 1;
	73	self.at += next;
	74	Some(unsafe { CStr::from_bytes_with_nul_unchecked(&data[..next]) })
	75	}
	76	}
	77
	78	/// Return a list of extended attributes accessible as an iterator over items of type `&CStr`.
	79	pub fn flistxattr(fd: RawFd) -> Result<ListXAttr, nix::errno::Errno> {
2dcdd3b4 CE	80	// Initial buffer size for the attribute list, if content does not fit
	81	// it gets dynamically increased until big enough.
	82	let mut size = 256;
8ea3b1d1	83	let mut buffer = vec::undefined(size);
2dcdd3b4	84	let mut bytes = unsafe {
449e4a66	85	libc::flistxattr(fd, buffer.as_mut_ptr() as *mut libc::c_char, buffer.len())
2dcdd3b4 CE	86	};
	87	while bytes < 0 {
	88	let err = Errno::last();
	89	match err {
	90	Errno::ERANGE => {
	91	// Buffer was not big enough to fit the list, retry with double the size
9af76ef0	92	size = size.checked_mul(2).ok_or(Errno::ENOMEM)?;
2dcdd3b4 CE	93	},
	94	_ => return Err(err),
	95	}
	96	// Retry to read the list with new buffer
	97	buffer.resize(size, 0);
	98	bytes = unsafe {
449e4a66	99	libc::flistxattr(fd, buffer.as_mut_ptr() as *mut libc::c_char, buffer.len())
2dcdd3b4 CE	100	};
2dcdd3b4 CE	101	}
27a3decb	102	buffer.truncate(bytes as usize);
2dcdd3b4	103
27a3decb	104	Ok(ListXAttr::new(buffer))
2dcdd3b4 CE	105	}
2dcdd3b4 CE	106
27a3decb WB	107	/// Get an extended attribute by name.
	108	///
	109	/// Extended attributes may not contain zeroes, which we enforce in the API by using a `&CStr`
	110	/// type.
	111	pub fn fgetxattr(fd: RawFd, name: &CStr) -> Result<Vec<u8>, nix::errno::Errno> {
2dcdd3b4	112	let mut size = 256;
8ea3b1d1	113	let mut buffer = vec::undefined(size);
2dcdd3b4	114	let mut bytes = unsafe {
27a3decb	115	libc::fgetxattr(fd, name.as_ptr(), buffer.as_mut_ptr() as *mut core::ffi::c_void, buffer.len())
2dcdd3b4 CE	116	};
	117	while bytes < 0 {
	118	let err = Errno::last();
	119	match err {
	120	Errno::ERANGE => {
	121	// Buffer was not big enough to fit the value, retry with double the size
9af76ef0	122	size = size.checked_mul(2).ok_or(Errno::ENOMEM)?;
2dcdd3b4 CE	123	},
	124	_ => return Err(err),
	125	}
	126	buffer.resize(size, 0);
	127	bytes = unsafe {
449e4a66	128	libc::fgetxattr(fd, name.as_ptr() as const libc::c_char, buffer.as_mut_ptr() as mut core::ffi::c_void, buffer.len())
2dcdd3b4 CE	129	};
	130	}
	131	buffer.resize(bytes as usize, 0);
	132
	133	Ok(buffer)
	134	}
	135
9094186a WB	136	/// Set an extended attribute on a file descriptor.
9094186a WB	137	pub fn fsetxattr(fd: RawFd, name: &CStr, data: &[u8]) -> Result<(), nix::errno::Errno> {
2dcdd3b4 CE	138	let flags = 0 as libc::c_int;
2dcdd3b4 CE	139	let result = unsafe {
9094186a	140	libc::fsetxattr(fd, name.as_ptr(), data.as_ptr() as *const libc::c_void, data.len(), flags)
2dcdd3b4 CE	141	};
2dcdd3b4 CE	142	if result < 0 {
9094186a	143	return Err(Errno::last());
2dcdd3b4 CE	144	}
	145
	146	Ok(())
	147	}
	148
9094186a	149	pub fn fsetxattr_fcaps(fd: RawFd, fcaps: &[u8]) -> Result<(), nix::errno::Errno> {
2dcdd3b4	150	// TODO casync checks and removes capabilities if they are set
9094186a	151	fsetxattr(fd, xattr_name_fcaps(), fcaps)
2dcdd3b4 CE	152	}
2dcdd3b4 CE	153
27a3decb	154	pub fn is_security_capability(name: &CStr) -> bool {
9094186a	155	name.to_bytes() == xattr_name_fcaps().to_bytes()
bee8d8ea CE	156	}
bee8d8ea CE	157
c443f58b WB	158	pub fn is_acl(name: &CStr) -> bool {
	159	name.to_bytes() == xattr_acl_access().to_bytes()
	160	\|\| name.to_bytes() == xattr_acl_default().to_bytes()
	161	}
	162
357e4614 CE	163	/// Check if the passed name buffer starts with a valid xattr namespace prefix
357e4614 CE	164	/// and is within the length limit of 255 bytes
27a3decb WB	165	pub fn is_valid_xattr_name(c_name: &CStr) -> bool {
27a3decb WB	166	let name = c_name.to_bytes();
357e4614 CE	167	if name.is_empty() \|\| name.len() > 255 {
	168	return false;
	169	}
	170	if name.starts_with(b"user.") \|\| name.starts_with(b"trusted.") {
	171	return true;
	172	}
fea23d03 DC	173	// samba saves windows ACLs there
	174	if name == b"security.NTACL" {
	175	return true;
	176	}
27a3decb	177	is_security_capability(c_name)
bee8d8ea	178	}
de61bc92 CE	179
	180	#[cfg(test)]
	181	mod tests {
	182	use super::*;
	183
9094186a	184	use std::ffi::CString;
de61bc92 CE	185	use std::fs::OpenOptions;
de61bc92 CE	186	use std::os::unix::io::AsRawFd;
9094186a	187
de61bc92 CE	188	use nix::errno::Errno;
de61bc92 CE	189
6ef1b649	190	use proxmox_lang::c_str;
9094186a	191
de61bc92 CE	192	#[test]
de61bc92 CE	193	fn test_fsetxattr_fgetxattr() {
a3399f43	194	let path = "./test-xattrs.txt";
de61bc92 CE	195	let file = OpenOptions::new()
	196	.write(true)
	197	.create(true)
	198	.open(&path)
	199	.unwrap();
	200
	201	let fd = file.as_raw_fd();
	202
9094186a WB	203	assert!(fsetxattr(fd, c_str!("user.attribute0"), b"value0").is_ok());
9094186a WB	204	assert!(fsetxattr(fd, c_str!("user.empty"), b"").is_ok());
44c54845 DM	205
44c54845 DM	206	if nix::unistd::Uid::current() != nix::unistd::ROOT {
9094186a	207	assert_eq!(fsetxattr(fd, c_str!("trusted.attribute0"), b"value0"), Err(Errno::EPERM));
44c54845 DM	208	}
44c54845 DM	209
27a3decb WB	210	let v0 = fgetxattr(fd, c_str!("user.attribute0")).unwrap();
27a3decb WB	211	let v1 = fgetxattr(fd, c_str!("user.empty")).unwrap();
de61bc92 CE	212
	213	assert_eq!(v0, b"value0".as_ref());
	214	assert_eq!(v1, b"".as_ref());
27a3decb	215	assert_eq!(fgetxattr(fd, c_str!("user.attribute1")), Err(Errno::ENODATA));
de61bc92 CE	216
	217	std::fs::remove_file(&path).unwrap();
	218	}
68740774 CE	219
	220	#[test]
	221	fn test_is_valid_xattr_name() {
27a3decb WB	222	let too_long = CString::new(vec![b'a'; 265]).unwrap();
	223
	224	assert!(!is_valid_xattr_name(&too_long));
	225	assert!(!is_valid_xattr_name(c_str!("system.attr")));
	226	assert!(is_valid_xattr_name(c_str!("user.attr")));
	227	assert!(is_valid_xattr_name(c_str!("trusted.attr")));
9094186a	228	assert!(is_valid_xattr_name(super::xattr_name_fcaps()));
68740774	229	}
de61bc92	230	}