2 * Copyright (c) 1999-2001, 2008 Robert N. M. Watson
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions
8 * 1. Redistributions of source code must retain the above copyright
9 * notice, this list of conditions and the following disclaimer.
10 * 2. Redistributions in binary form must reproduce the above copyright
11 * notice, this list of conditions and the following disclaimer in the
12 * documentation and/or other materials provided with the distribution.
14 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
15 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
16 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
17 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
18 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
19 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
20 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
21 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
22 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
23 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
27 * Support functionality for the POSIX.1e ACL interface
28 * These calls are intended only to be called within the library.
31 #include <sys/cdefs.h>
32 __FBSDID("$FreeBSD$");
34 #include <sys/types.h>
35 #include "namespace.h"
37 #include "un-namespace.h"
44 #include "acl_support.h"
46 #define ACL_STRING_PERM_WRITE 'w'
47 #define ACL_STRING_PERM_READ 'r'
48 #define ACL_STRING_PERM_EXEC 'x'
49 #define ACL_STRING_PERM_NONE '-'
52 * _posix1e_acl_entry_compare -- compare two acl_entry structures to
53 * determine the order they should appear in. Used by _posix1e_acl_sort to
54 * sort ACL entries into the kernel-desired order -- i.e., the order useful
55 * for evaluation and O(n) validity checking. Beter to have an O(nlogn) sort
56 * in userland and an O(n) in kernel than to have both in kernel.
58 typedef int (*compare)(const void *, const void *);
60 _posix1e_acl_entry_compare(struct acl_entry *a, struct acl_entry *b)
63 * First, sort between tags -- conveniently defined in the correct
64 * order for verification.
66 if (a->ae_tag < b->ae_tag)
68 if (a->ae_tag > b->ae_tag)
72 * Next compare uids/gids on appropriate types.
75 if (a->ae_tag == ACL_USER || a->ae_tag == ACL_GROUP) {
76 if (a->ae_id < b->ae_id)
78 if (a->ae_id > b->ae_id)
81 /* shouldn't be equal, fall through to the invalid case */
85 * Don't know how to sort multiple entries of the rest--either it's
86 * a bad entry, or there shouldn't be more than one. Ignore and the
87 * validity checker can get it later.
93 * _posix1e_acl_sort -- sort ACL entries in POSIX.1e-formatted ACLs
94 * Give the opportunity to fail, although we don't currently have a way
98 _posix1e_acl_sort(acl_t acl)
102 acl_int = &acl->ats_acl;
104 qsort(&acl_int->acl_entry[0], acl_int->acl_cnt,
105 sizeof(struct acl_entry), (compare) _posix1e_acl_entry_compare);
111 * acl_posix1e -- in what situations should we acl_sort before submission?
112 * We apply posix1e ACL semantics for any ACL of type ACL_TYPE_ACCESS or
116 _posix1e_acl(acl_t acl, acl_type_t type)
119 return ((type == ACL_TYPE_ACCESS) || (type == ACL_TYPE_DEFAULT));
123 * _posix1e_acl_check -- given an ACL, check its validity. This is mirrored
124 * from code in sys/kern/kern_acl.c, and if changes are made in one, they
125 * should be made in the other also. This copy of acl_check is made
126 * available * in userland for the benefit of processes wanting to check ACLs
127 * for validity before submitting them to the kernel, or for performing
128 * in userland file system checking. Needless to say, the kernel makes
129 * the real checks on calls to get/setacl.
131 * See the comments in kernel for explanation -- just briefly, it assumes
132 * an already sorted ACL, and checks based on that assumption. The
133 * POSIX.1e interface, acl_valid(), will perform the sort before calling
134 * this. Returns 0 on success, EINVAL on failure.
137 _posix1e_acl_check(acl_t acl)
140 struct acl_entry *entry; /* current entry */
141 uid_t highest_uid=0, highest_gid=0;
142 int stage = ACL_USER_OBJ;
144 int count_user_obj=0, count_user=0, count_group_obj=0,
145 count_group=0, count_mask=0, count_other=0;
147 acl_int = &acl->ats_acl;
149 /* printf("_posix1e_acl_check: checking acl with %d entries\n",
151 while (i < acl_int->acl_cnt) {
152 entry = &acl_int->acl_entry[i];
154 if ((entry->ae_perm | ACL_PERM_BITS) != ACL_PERM_BITS)
157 switch(entry->ae_tag) {
159 /* printf("_posix1e_acl_check: %d: ACL_USER_OBJ\n",
161 if (stage > ACL_USER_OBJ)
168 /* printf("_posix1e_acl_check: %d: ACL_USER\n", i); */
169 if (stage > ACL_USER)
172 if (count_user && (entry->ae_id <= highest_uid))
174 highest_uid = entry->ae_id;
179 /* printf("_posix1e_acl_check: %d: ACL_GROUP_OBJ\n",
181 if (stage > ACL_GROUP_OBJ)
188 /* printf("_posix1e_acl_check: %d: ACL_GROUP\n", i); */
189 if (stage > ACL_GROUP)
192 if (count_group && (entry->ae_id <= highest_gid))
194 highest_gid = entry->ae_id;
199 /* printf("_posix1e_acl_check: %d: ACL_MASK\n", i); */
200 if (stage > ACL_MASK)
207 /* printf("_posix1e_acl_check: %d: ACL_OTHER\n", i); */
208 if (stage > ACL_OTHER)
215 /* printf("_posix1e_acl_check: %d: INVALID\n", i); */
221 if (count_user_obj != 1)
224 if (count_group_obj != 1)
227 if (count_mask != 0 && count_mask != 1)
230 if (count_other != 1)
238 * Given a uid/gid, return a username/groupname for the text form of an ACL.
239 * Note that we truncate user and group names, rather than error out, as
240 * this is consistent with other tools manipulating user and group names.
241 * XXX NOT THREAD SAFE, RELIES ON GETPWUID, GETGRGID
242 * XXX USES *PW* AND *GR* WHICH ARE STATEFUL AND THEREFORE THIS ROUTINE
243 * MAY HAVE SIDE-EFFECTS
246 _posix1e_acl_id_to_name(acl_tag_t tag, uid_t id, ssize_t buf_len, char *buf)
256 i = snprintf(buf, buf_len, "%d", id);
258 i = snprintf(buf, buf_len, "%s", p->pw_name);
269 i = snprintf(buf, buf_len, "%d", id);
271 i = snprintf(buf, buf_len, "%s", g->gr_name);
285 * Given a right-shifted permission (i.e., direct ACL_PERM_* mask), fill
286 * in a string describing the permissions.
289 _posix1e_acl_perm_to_string(acl_perm_t perm, ssize_t buf_len, char *buf)
292 if (buf_len < _POSIX1E_ACL_STRING_PERM_MAXSIZE + 1) {
297 if ((perm | ACL_PERM_BITS) != ACL_PERM_BITS) {
302 buf[3] = 0; /* null terminate */
305 buf[0] = ACL_STRING_PERM_READ;
307 buf[0] = ACL_STRING_PERM_NONE;
309 if (perm & ACL_WRITE)
310 buf[1] = ACL_STRING_PERM_WRITE;
312 buf[1] = ACL_STRING_PERM_NONE;
314 if (perm & ACL_EXECUTE)
315 buf[2] = ACL_STRING_PERM_EXEC;
317 buf[2] = ACL_STRING_PERM_NONE;
323 * given a string, return a permission describing it
326 _posix1e_acl_string_to_perm(char *string, acl_perm_t *perm)
328 acl_perm_t myperm = ACL_PERM_NONE;
334 case ACL_STRING_PERM_READ:
337 case ACL_STRING_PERM_WRITE:
340 case ACL_STRING_PERM_EXEC:
341 myperm |= ACL_EXECUTE;
343 case ACL_STRING_PERM_NONE:
356 * Add an ACL entry without doing much checking, et al
359 _posix1e_acl_add_entry(acl_t acl, acl_tag_t tag, uid_t id, acl_perm_t perm)
364 acl_int = &acl->ats_acl;
366 if (acl_int->acl_cnt >= ACL_MAX_ENTRIES) {
371 e = &(acl_int->acl_entry[acl_int->acl_cnt]);