| author | marks |
| Tue, 09 May 2006 09:51:11 -0700 | |
| changeset 1953 | 7d218c488035 |
| parent 1666 | 07697c578888 |
| child 4321 | a8930ec16e52 |
| permissions | -rw-r--r-- |
| 789 | 1 |
/* |
2 |
* CDDL HEADER START |
|
3 |
* |
|
4 |
* The contents of this file are subject to the terms of the |
|
| 1462 | 5 |
* Common Development and Distribution License (the "License"). |
6 |
* You may not use this file except in compliance with the License. |
|
| 789 | 7 |
* |
8 |
* You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE |
|
9 |
* or http://www.opensolaris.org/os/licensing. |
|
10 |
* See the License for the specific language governing permissions |
|
11 |
* and limitations under the License. |
|
12 |
* |
|
13 |
* When distributing Covered Code, include this CDDL HEADER in each |
|
14 |
* file and include the License file at usr/src/OPENSOLARIS.LICENSE. |
|
15 |
* If applicable, add the following below this CDDL HEADER, with the |
|
16 |
* fields enclosed by brackets "[]" replaced with your own identifying |
|
17 |
* information: Portions Copyright [yyyy] [name of copyright owner] |
|
18 |
* |
|
19 |
* CDDL HEADER END |
|
20 |
*/ |
|
21 |
/* |
|
|
1231
64215f768e86
6354804 The file's ACL was changed when cp it from one ZFS file system to another one.
marks
parents:
789
diff
changeset
|
22 |
* Copyright 2006 Sun Microsystems, Inc. All rights reserved. |
| 789 | 23 |
* Use is subject to license terms. |
24 |
*/ |
|
25 |
||
26 |
#pragma ident "%Z%%M% %I% %E% SMI" |
|
27 |
||
28 |
#include <stdlib.h> |
|
29 |
#include <string.h> |
|
30 |
#include <unistd.h> |
|
31 |
#include <limits.h> |
|
32 |
#include <grp.h> |
|
33 |
#include <pwd.h> |
|
| 1462 | 34 |
#include <strings.h> |
| 789 | 35 |
#include <sys/types.h> |
36 |
#include <sys/acl.h> |
|
37 |
#include <errno.h> |
|
38 |
#include <sys/stat.h> |
|
| 1420 | 39 |
#include <sys/varargs.h> |
| 789 | 40 |
#include <locale.h> |
41 |
#include <aclutils.h> |
|
42 |
#include <acl_common.h> |
|
| 1462 | 43 |
#include <sys/avl.h> |
44 |
||
45 |
#define offsetof(s, m) ((size_t)(&(((s *)0)->m))) |
|
| 789 | 46 |
|
47 |
#define ACL_PATH 0 |
|
48 |
#define ACL_FD 1 |
|
49 |
||
50 |
#define ACE_POSIX_SUPPORTED_BITS (ACE_READ_DATA | \ |
|
51 |
ACE_WRITE_DATA | ACE_APPEND_DATA | ACE_EXECUTE | \ |
|
52 |
ACE_READ_ATTRIBUTES | ACE_READ_ACL | ACE_WRITE_ACL) |
|
53 |
||
54 |
||
| 1462 | 55 |
#define ACL_SYNCHRONIZE_SET_DENY 0x0000001 |
| 789 | 56 |
#define ACL_SYNCHRONIZE_SET_ALLOW 0x0000002 |
| 1462 | 57 |
#define ACL_SYNCHRONIZE_ERR_DENY 0x0000004 |
58 |
#define ACL_SYNCHRONIZE_ERR_ALLOW 0x0000008 |
|
| 789 | 59 |
|
| 1462 | 60 |
#define ACL_WRITE_OWNER_SET_DENY 0x0000010 |
| 789 | 61 |
#define ACL_WRITE_OWNER_SET_ALLOW 0x0000020 |
| 1462 | 62 |
#define ACL_WRITE_OWNER_ERR_DENY 0x0000040 |
63 |
#define ACL_WRITE_OWNER_ERR_ALLOW 0x0000080 |
|
| 789 | 64 |
|
| 1462 | 65 |
#define ACL_DELETE_SET_DENY 0x0000100 |
66 |
#define ACL_DELETE_SET_ALLOW 0x0000200 |
|
67 |
#define ACL_DELETE_ERR_DENY 0x0000400 |
|
68 |
#define ACL_DELETE_ERR_ALLOW 0x0000800 |
|
69 |
||
70 |
#define ACL_WRITE_ATTRS_OWNER_SET_DENY 0x0001000 |
|
| 789 | 71 |
#define ACL_WRITE_ATTRS_OWNER_SET_ALLOW 0x0002000 |
| 1462 | 72 |
#define ACL_WRITE_ATTRS_OWNER_ERR_DENY 0x0004000 |
73 |
#define ACL_WRITE_ATTRS_OWNER_ERR_ALLOW 0x0008000 |
|
| 789 | 74 |
|
75 |
#define ACL_WRITE_ATTRS_WRITER_SET_DENY 0x0010000 |
|
| 1462 | 76 |
#define ACL_WRITE_ATTRS_WRITER_SET_ALLOW 0x0020000 |
77 |
#define ACL_WRITE_ATTRS_WRITER_ERR_DENY 0x0040000 |
|
78 |
#define ACL_WRITE_ATTRS_WRITER_ERR_ALLOW 0x0080000 |
|
| 789 | 79 |
|
| 1462 | 80 |
#define ACL_WRITE_NAMED_WRITER_SET_DENY 0x0100000 |
| 789 | 81 |
#define ACL_WRITE_NAMED_WRITER_SET_ALLOW 0x0200000 |
| 1462 | 82 |
#define ACL_WRITE_NAMED_WRITER_ERR_DENY 0x0400000 |
83 |
#define ACL_WRITE_NAMED_WRITER_ERR_ALLOW 0x0800000 |
|
84 |
||
85 |
#define ACL_READ_NAMED_READER_SET_DENY 0x1000000 |
|
86 |
#define ACL_READ_NAMED_READER_SET_ALLOW 0x2000000 |
|
87 |
#define ACL_READ_NAMED_READER_ERR_DENY 0x4000000 |
|
88 |
#define ACL_READ_NAMED_READER_ERR_ALLOW 0x8000000 |
|
89 |
||
90 |
||
91 |
#define ACE_VALID_MASK_BITS (\ |
|
92 |
ACE_READ_DATA | \ |
|
93 |
ACE_LIST_DIRECTORY | \ |
|
94 |
ACE_WRITE_DATA | \ |
|
95 |
ACE_ADD_FILE | \ |
|
96 |
ACE_APPEND_DATA | \ |
|
97 |
ACE_ADD_SUBDIRECTORY | \ |
|
98 |
ACE_READ_NAMED_ATTRS | \ |
|
99 |
ACE_WRITE_NAMED_ATTRS | \ |
|
100 |
ACE_EXECUTE | \ |
|
101 |
ACE_DELETE_CHILD | \ |
|
102 |
ACE_READ_ATTRIBUTES | \ |
|
103 |
ACE_WRITE_ATTRIBUTES | \ |
|
104 |
ACE_DELETE | \ |
|
105 |
ACE_READ_ACL | \ |
|
106 |
ACE_WRITE_ACL | \ |
|
107 |
ACE_WRITE_OWNER | \ |
|
108 |
ACE_SYNCHRONIZE) |
|
109 |
||
110 |
#define ACE_MASK_UNDEFINED 0x80000000 |
|
111 |
||
112 |
#define ACE_VALID_FLAG_BITS (ACE_FILE_INHERIT_ACE | \ |
|
113 |
ACE_DIRECTORY_INHERIT_ACE | \ |
|
114 |
ACE_NO_PROPAGATE_INHERIT_ACE | ACE_INHERIT_ONLY_ACE | \ |
|
115 |
ACE_SUCCESSFUL_ACCESS_ACE_FLAG | ACE_FAILED_ACCESS_ACE_FLAG | \ |
|
116 |
ACE_IDENTIFIER_GROUP | ACE_OWNER | ACE_GROUP | ACE_EVERYONE) |
|
| 789 | 117 |
|
| 1462 | 118 |
/* |
119 |
* ACL conversion helpers |
|
120 |
*/ |
|
121 |
||
122 |
typedef enum {
|
|
123 |
ace_unused, |
|
124 |
ace_user_obj, |
|
125 |
ace_user, |
|
126 |
ace_group, /* includes GROUP and GROUP_OBJ */ |
|
127 |
ace_other_obj |
|
128 |
} ace_to_aent_state_t; |
|
| 789 | 129 |
|
| 1462 | 130 |
typedef struct acevals {
|
131 |
uid_t key; |
|
132 |
avl_node_t avl; |
|
133 |
uint32_t mask; |
|
134 |
uint32_t allowed; |
|
135 |
uint32_t denied; |
|
136 |
int aent_type; |
|
137 |
} acevals_t; |
|
138 |
||
139 |
typedef struct ace_list {
|
|
140 |
acevals_t user_obj; |
|
141 |
avl_tree_t user; |
|
142 |
int numusers; |
|
143 |
acevals_t group_obj; |
|
144 |
avl_tree_t group; |
|
145 |
int numgroups; |
|
146 |
acevals_t other_obj; |
|
147 |
uint32_t acl_mask; |
|
148 |
int hasmask; |
|
149 |
int dfacl_flag; |
|
150 |
ace_to_aent_state_t state; |
|
151 |
int seen; /* bitmask of all aclent_t a_type values seen */ |
|
152 |
} ace_list_t; |
|
|
1231
64215f768e86
6354804 The file's ACL was changed when cp it from one ZFS file system to another one.
marks
parents:
789
diff
changeset
|
153 |
|
| 789 | 154 |
typedef union {
|
155 |
const char *file; |
|
156 |
int fd; |
|
157 |
} acl_inp; |
|
158 |
||
159 |
acl_t * |
|
160 |
acl_alloc(enum acl_type type) |
|
161 |
{
|
|
162 |
acl_t *aclp; |
|
163 |
||
164 |
aclp = malloc(sizeof (acl_t)); |
|
165 |
||
166 |
if (aclp == NULL) |
|
167 |
return (NULL); |
|
168 |
||
169 |
aclp->acl_aclp = NULL; |
|
170 |
aclp->acl_cnt = 0; |
|
171 |
||
172 |
switch (type) {
|
|
173 |
case ACE_T: |
|
174 |
aclp->acl_type = ACE_T; |
|
175 |
aclp->acl_entry_size = sizeof (ace_t); |
|
176 |
break; |
|
177 |
case ACLENT_T: |
|
178 |
aclp->acl_type = ACLENT_T; |
|
179 |
aclp->acl_entry_size = sizeof (aclent_t); |
|
180 |
break; |
|
181 |
default: |
|
182 |
acl_free(aclp); |
|
183 |
aclp = NULL; |
|
184 |
} |
|
185 |
return (aclp); |
|
186 |
} |
|
187 |
||
188 |
/* |
|
189 |
* Free acl_t structure |
|
190 |
*/ |
|
191 |
void |
|
192 |
acl_free(acl_t *aclp) |
|
193 |
{
|
|
194 |
if (aclp == NULL) |
|
195 |
return; |
|
196 |
||
197 |
if (aclp->acl_aclp) |
|
198 |
free(aclp->acl_aclp); |
|
199 |
free(aclp); |
|
200 |
} |
|
201 |
||
202 |
/* |
|
203 |
* Determine whether a file has a trivial ACL |
|
204 |
* returns: 0 = trivial |
|
205 |
* 1 = nontrivial |
|
206 |
* <0 some other system failure, such as ENOENT or EPERM |
|
207 |
*/ |
|
208 |
int |
|
209 |
acl_trivial(const char *filename) |
|
210 |
{
|
|
211 |
int acl_flavor; |
|
212 |
int aclcnt; |
|
213 |
int cntcmd; |
|
214 |
int val = 0; |
|
215 |
ace_t *acep; |
|
216 |
||
217 |
acl_flavor = pathconf(filename, _PC_ACL_ENABLED); |
|
218 |
||
219 |
if (acl_flavor == _ACL_ACE_ENABLED) |
|
220 |
cntcmd = ACE_GETACLCNT; |
|
221 |
else |
|
222 |
cntcmd = GETACLCNT; |
|
223 |
||
224 |
aclcnt = acl(filename, cntcmd, 0, NULL); |
|
225 |
if (aclcnt > 0) {
|
|
226 |
if (acl_flavor == _ACL_ACE_ENABLED) {
|
|
|
1231
64215f768e86
6354804 The file's ACL was changed when cp it from one ZFS file system to another one.
marks
parents:
789
diff
changeset
|
227 |
acep = malloc(sizeof (ace_t) * aclcnt); |
|
64215f768e86
6354804 The file's ACL was changed when cp it from one ZFS file system to another one.
marks
parents:
789
diff
changeset
|
228 |
if (acep == NULL) |
|
64215f768e86
6354804 The file's ACL was changed when cp it from one ZFS file system to another one.
marks
parents:
789
diff
changeset
|
229 |
return (-1); |
|
64215f768e86
6354804 The file's ACL was changed when cp it from one ZFS file system to another one.
marks
parents:
789
diff
changeset
|
230 |
if (acl(filename, ACE_GETACL, |
|
64215f768e86
6354804 The file's ACL was changed when cp it from one ZFS file system to another one.
marks
parents:
789
diff
changeset
|
231 |
aclcnt, acep) < 0) {
|
|
64215f768e86
6354804 The file's ACL was changed when cp it from one ZFS file system to another one.
marks
parents:
789
diff
changeset
|
232 |
free(acep); |
|
64215f768e86
6354804 The file's ACL was changed when cp it from one ZFS file system to another one.
marks
parents:
789
diff
changeset
|
233 |
return (-1); |
|
64215f768e86
6354804 The file's ACL was changed when cp it from one ZFS file system to another one.
marks
parents:
789
diff
changeset
|
234 |
} |
| 789 | 235 |
|
|
1231
64215f768e86
6354804 The file's ACL was changed when cp it from one ZFS file system to another one.
marks
parents:
789
diff
changeset
|
236 |
val = ace_trivial(acep, aclcnt); |
|
64215f768e86
6354804 The file's ACL was changed when cp it from one ZFS file system to another one.
marks
parents:
789
diff
changeset
|
237 |
free(acep); |
|
64215f768e86
6354804 The file's ACL was changed when cp it from one ZFS file system to another one.
marks
parents:
789
diff
changeset
|
238 |
|
| 789 | 239 |
} else if (aclcnt > MIN_ACL_ENTRIES) |
240 |
val = 1; |
|
241 |
} |
|
242 |
return (val); |
|
243 |
} |
|
244 |
||
245 |
static uint32_t |
|
246 |
access_mask_set(int haswriteperm, int hasreadperm, int isowner, int isallow) |
|
247 |
{
|
|
248 |
uint32_t access_mask = 0; |
|
249 |
int acl_produce; |
|
250 |
int synchronize_set = 0, write_owner_set = 0; |
|
251 |
int delete_set = 0, write_attrs_set = 0; |
|
252 |
int read_named_set = 0, write_named_set = 0; |
|
253 |
||
254 |
acl_produce = (ACL_SYNCHRONIZE_SET_ALLOW | |
|
255 |
ACL_WRITE_ATTRS_OWNER_SET_ALLOW | |
|
256 |
ACL_WRITE_ATTRS_WRITER_SET_DENY); |
|
257 |
||
258 |
if (isallow) {
|
|
259 |
synchronize_set = ACL_SYNCHRONIZE_SET_ALLOW; |
|
260 |
write_owner_set = ACL_WRITE_OWNER_SET_ALLOW; |
|
261 |
delete_set = ACL_DELETE_SET_ALLOW; |
|
262 |
if (hasreadperm) |
|
263 |
read_named_set = ACL_READ_NAMED_READER_SET_ALLOW; |
|
264 |
if (haswriteperm) |
|
265 |
write_named_set = ACL_WRITE_NAMED_WRITER_SET_ALLOW; |
|
266 |
if (isowner) |
|
267 |
write_attrs_set = ACL_WRITE_ATTRS_OWNER_SET_ALLOW; |
|
268 |
else if (haswriteperm) |
|
269 |
write_attrs_set = ACL_WRITE_ATTRS_WRITER_SET_ALLOW; |
|
270 |
} else {
|
|
271 |
||
272 |
synchronize_set = ACL_SYNCHRONIZE_SET_DENY; |
|
273 |
write_owner_set = ACL_WRITE_OWNER_SET_DENY; |
|
274 |
delete_set = ACL_DELETE_SET_DENY; |
|
275 |
if (hasreadperm) |
|
276 |
read_named_set = ACL_READ_NAMED_READER_SET_DENY; |
|
277 |
if (haswriteperm) |
|
278 |
write_named_set = ACL_WRITE_NAMED_WRITER_SET_DENY; |
|
279 |
if (isowner) |
|
280 |
write_attrs_set = ACL_WRITE_ATTRS_OWNER_SET_DENY; |
|
281 |
else if (haswriteperm) |
|
282 |
write_attrs_set = ACL_WRITE_ATTRS_WRITER_SET_DENY; |
|
283 |
else |
|
284 |
/* |
|
285 |
* If the entity is not the owner and does not |
|
286 |
* have write permissions ACE_WRITE_ATTRIBUTES will |
|
287 |
* always go in the DENY ACE. |
|
288 |
*/ |
|
289 |
access_mask |= ACE_WRITE_ATTRIBUTES; |
|
290 |
} |
|
291 |
||
292 |
if (acl_produce & synchronize_set) |
|
293 |
access_mask |= ACE_SYNCHRONIZE; |
|
294 |
if (acl_produce & write_owner_set) |
|
295 |
access_mask |= ACE_WRITE_OWNER; |
|
296 |
if (acl_produce & delete_set) |
|
297 |
access_mask |= ACE_DELETE; |
|
298 |
if (acl_produce & write_attrs_set) |
|
299 |
access_mask |= ACE_WRITE_ATTRIBUTES; |
|
300 |
if (acl_produce & read_named_set) |
|
301 |
access_mask |= ACE_READ_NAMED_ATTRS; |
|
302 |
if (acl_produce & write_named_set) |
|
303 |
access_mask |= ACE_WRITE_NAMED_ATTRS; |
|
304 |
||
305 |
return (access_mask); |
|
306 |
} |
|
307 |
||
308 |
/* |
|
309 |
* Given an mode_t, convert it into an access_mask as used |
|
310 |
* by nfsace, assuming aclent_t -> nfsace semantics. |
|
311 |
*/ |
|
312 |
static uint32_t |
|
313 |
mode_to_ace_access(mode_t mode, int isdir, int isowner, int isallow) |
|
314 |
{
|
|
315 |
uint32_t access = 0; |
|
316 |
int haswriteperm = 0; |
|
317 |
int hasreadperm = 0; |
|
318 |
||
319 |
if (isallow) {
|
|
320 |
haswriteperm = (mode & 02); |
|
321 |
hasreadperm = (mode & 04); |
|
322 |
} else {
|
|
323 |
haswriteperm = !(mode & 02); |
|
324 |
hasreadperm = !(mode & 04); |
|
325 |
} |
|
326 |
||
327 |
/* |
|
328 |
* The following call takes care of correctly setting the following |
|
329 |
* mask bits in the access_mask: |
|
330 |
* ACE_SYNCHRONIZE, ACE_WRITE_OWNER, ACE_DELETE, |
|
331 |
* ACE_WRITE_ATTRIBUTES, ACE_WRITE_NAMED_ATTRS, ACE_READ_NAMED_ATTRS |
|
332 |
*/ |
|
333 |
access = access_mask_set(haswriteperm, hasreadperm, isowner, isallow); |
|
334 |
||
335 |
if (isallow) {
|
|
336 |
access |= ACE_READ_ACL | ACE_READ_ATTRIBUTES; |
|
337 |
if (isowner) |
|
338 |
access |= ACE_WRITE_ACL; |
|
339 |
} else {
|
|
340 |
if (! isowner) |
|
341 |
access |= ACE_WRITE_ACL; |
|
342 |
} |
|
343 |
||
344 |
/* read */ |
|
345 |
if (mode & 04) {
|
|
346 |
access |= ACE_READ_DATA; |
|
347 |
} |
|
348 |
/* write */ |
|
349 |
if (mode & 02) {
|
|
350 |
access |= ACE_WRITE_DATA | |
|
351 |
ACE_APPEND_DATA; |
|
352 |
if (isdir) |
|
353 |
access |= ACE_DELETE_CHILD; |
|
354 |
} |
|
355 |
/* exec */ |
|
356 |
if (mode & 01) {
|
|
357 |
access |= ACE_EXECUTE; |
|
358 |
} |
|
359 |
||
360 |
return (access); |
|
361 |
} |
|
362 |
||
363 |
/* |
|
364 |
* Given an nfsace (presumably an ALLOW entry), make a |
|
365 |
* corresponding DENY entry at the address given. |
|
366 |
*/ |
|
367 |
static void |
|
368 |
ace_make_deny(ace_t *allow, ace_t *deny, int isdir, int isowner) |
|
369 |
{
|
|
370 |
(void) memcpy(deny, allow, sizeof (ace_t)); |
|
371 |
||
372 |
deny->a_who = allow->a_who; |
|
373 |
||
374 |
deny->a_type = ACE_ACCESS_DENIED_ACE_TYPE; |
|
375 |
deny->a_access_mask ^= ACE_POSIX_SUPPORTED_BITS; |
|
376 |
if (isdir) |
|
377 |
deny->a_access_mask ^= ACE_DELETE_CHILD; |
|
378 |
||
379 |
deny->a_access_mask &= ~(ACE_SYNCHRONIZE | ACE_WRITE_OWNER | |
|
380 |
ACE_DELETE | ACE_WRITE_ATTRIBUTES | ACE_READ_NAMED_ATTRS | |
|
381 |
ACE_WRITE_NAMED_ATTRS); |
|
382 |
deny->a_access_mask |= access_mask_set((allow->a_access_mask & |
|
383 |
ACE_WRITE_DATA), (allow->a_access_mask & ACE_READ_DATA), isowner, |
|
384 |
B_FALSE); |
|
385 |
} |
|
386 |
/* |
|
387 |
* Make an initial pass over an array of aclent_t's. Gather |
|
388 |
* information such as an ACL_MASK (if any), number of users, |
|
389 |
* number of groups, and whether the array needs to be sorted. |
|
390 |
*/ |
|
391 |
static int |
|
392 |
ln_aent_preprocess(aclent_t *aclent, int n, |
|
393 |
int *hasmask, mode_t *mask, |
|
394 |
int *numuser, int *numgroup, int *needsort) |
|
395 |
{
|
|
396 |
int error = 0; |
|
397 |
int i; |
|
398 |
int curtype = 0; |
|
399 |
||
400 |
*hasmask = 0; |
|
401 |
*mask = 07; |
|
402 |
*needsort = 0; |
|
403 |
*numuser = 0; |
|
404 |
*numgroup = 0; |
|
405 |
||
406 |
for (i = 0; i < n; i++) {
|
|
407 |
if (aclent[i].a_type < curtype) |
|
408 |
*needsort = 1; |
|
409 |
else if (aclent[i].a_type > curtype) |
|
410 |
curtype = aclent[i].a_type; |
|
411 |
if (aclent[i].a_type & USER) |
|
412 |
(*numuser)++; |
|
413 |
if (aclent[i].a_type & (GROUP | GROUP_OBJ)) |
|
414 |
(*numgroup)++; |
|
415 |
if (aclent[i].a_type & CLASS_OBJ) {
|
|
416 |
if (*hasmask) {
|
|
417 |
error = EINVAL; |
|
418 |
goto out; |
|
419 |
} else {
|
|
420 |
*hasmask = 1; |
|
421 |
*mask = aclent[i].a_perm; |
|
422 |
} |
|
423 |
} |
|
424 |
} |
|
425 |
||
426 |
if ((! *hasmask) && (*numuser + *numgroup > 1)) {
|
|
427 |
error = EINVAL; |
|
428 |
goto out; |
|
429 |
} |
|
430 |
||
431 |
out: |
|
432 |
return (error); |
|
433 |
} |
|
434 |
||
435 |
/* |
|
436 |
* Convert an array of aclent_t into an array of nfsace entries, |
|
437 |
* following POSIX draft -> nfsv4 conversion semantics as outlined in |
|
438 |
* the IETF draft. |
|
439 |
*/ |
|
440 |
static int |
|
441 |
ln_aent_to_ace(aclent_t *aclent, int n, ace_t **acepp, int *rescount, int isdir) |
|
442 |
{
|
|
443 |
int error = 0; |
|
444 |
mode_t mask; |
|
445 |
int numuser, numgroup, needsort; |
|
446 |
int resultsize = 0; |
|
447 |
int i, groupi = 0, skip; |
|
448 |
ace_t *acep, *result = NULL; |
|
449 |
int hasmask; |
|
450 |
||
451 |
error = ln_aent_preprocess(aclent, n, &hasmask, &mask, |
|
452 |
&numuser, &numgroup, &needsort); |
|
453 |
if (error != 0) |
|
454 |
goto out; |
|
455 |
||
456 |
/* allow + deny for each aclent */ |
|
457 |
resultsize = n * 2; |
|
458 |
if (hasmask) {
|
|
459 |
/* |
|
460 |
* stick extra deny on the group_obj and on each |
|
461 |
* user|group for the mask (the group_obj was added |
|
462 |
* into the count for numgroup) |
|
463 |
*/ |
|
464 |
resultsize += numuser + numgroup; |
|
465 |
/* ... and don't count the mask itself */ |
|
466 |
resultsize -= 2; |
|
467 |
} |
|
468 |
||
469 |
/* sort the source if necessary */ |
|
470 |
if (needsort) |
|
471 |
ksort((caddr_t)aclent, n, sizeof (aclent_t), cmp2acls); |
|
472 |
||
473 |
result = acep = calloc(1, resultsize * sizeof (ace_t)); |
|
474 |
if (result == NULL) |
|
475 |
goto out; |
|
476 |
||
477 |
for (i = 0; i < n; i++) {
|
|
478 |
/* |
|
479 |
* don't process CLASS_OBJ (mask); mask was grabbed in |
|
480 |
* ln_aent_preprocess() |
|
481 |
*/ |
|
482 |
if (aclent[i].a_type & CLASS_OBJ) |
|
483 |
continue; |
|
484 |
||
485 |
/* If we need an ACL_MASK emulator, prepend it now */ |
|
486 |
if ((hasmask) && |
|
487 |
(aclent[i].a_type & (USER | GROUP | GROUP_OBJ))) {
|
|
488 |
acep->a_type = ACE_ACCESS_DENIED_ACE_TYPE; |
|
489 |
acep->a_flags = 0; |
|
490 |
if (aclent[i].a_type & GROUP_OBJ) {
|
|
491 |
acep->a_who = -1; |
|
492 |
acep->a_flags |= |
|
493 |
(ACE_IDENTIFIER_GROUP|ACE_GROUP); |
|
494 |
} else if (aclent[i].a_type & USER) {
|
|
495 |
acep->a_who = aclent[i].a_id; |
|
496 |
} else {
|
|
497 |
acep->a_who = aclent[i].a_id; |
|
498 |
acep->a_flags |= ACE_IDENTIFIER_GROUP; |
|
499 |
} |
|
500 |
if (aclent[i].a_type & ACL_DEFAULT) {
|
|
501 |
acep->a_flags |= ACE_INHERIT_ONLY_ACE | |
|
502 |
ACE_FILE_INHERIT_ACE | |
|
503 |
ACE_DIRECTORY_INHERIT_ACE; |
|
504 |
} |
|
505 |
/* |
|
506 |
* Set the access mask for the prepended deny |
|
507 |
* ace. To do this, we invert the mask (found |
|
508 |
* in ln_aent_preprocess()) then convert it to an |
|
509 |
* DENY ace access_mask. |
|
510 |
*/ |
|
511 |
acep->a_access_mask = mode_to_ace_access((mask ^ 07), |
|
512 |
isdir, 0, 0); |
|
513 |
acep += 1; |
|
514 |
} |
|
515 |
||
516 |
/* handle a_perm -> access_mask */ |
|
517 |
acep->a_access_mask = mode_to_ace_access(aclent[i].a_perm, |
|
518 |
isdir, aclent[i].a_type & USER_OBJ, 1); |
|
519 |
||
520 |
/* emulate a default aclent */ |
|
521 |
if (aclent[i].a_type & ACL_DEFAULT) {
|
|
522 |
acep->a_flags |= ACE_INHERIT_ONLY_ACE | |
|
523 |
ACE_FILE_INHERIT_ACE | |
|
524 |
ACE_DIRECTORY_INHERIT_ACE; |
|
525 |
} |
|
526 |
||
527 |
/* |
|
528 |
* handle a_perm and a_id |
|
529 |
* |
|
530 |
* this must be done last, since it involves the |
|
531 |
* corresponding deny aces, which are handled |
|
532 |
* differently for each different a_type. |
|
533 |
*/ |
|
534 |
if (aclent[i].a_type & USER_OBJ) {
|
|
535 |
acep->a_who = -1; |
|
536 |
acep->a_flags |= ACE_OWNER; |
|
537 |
ace_make_deny(acep, acep + 1, isdir, B_TRUE); |
|
538 |
acep += 2; |
|
539 |
} else if (aclent[i].a_type & USER) {
|
|
540 |
acep->a_who = aclent[i].a_id; |
|
541 |
ace_make_deny(acep, acep + 1, isdir, B_FALSE); |
|
542 |
acep += 2; |
|
543 |
} else if (aclent[i].a_type & (GROUP_OBJ | GROUP)) {
|
|
544 |
if (aclent[i].a_type & GROUP_OBJ) {
|
|
545 |
acep->a_who = -1; |
|
546 |
acep->a_flags |= ACE_GROUP; |
|
547 |
} else {
|
|
548 |
acep->a_who = aclent[i].a_id; |
|
549 |
} |
|
550 |
acep->a_flags |= ACE_IDENTIFIER_GROUP; |
|
551 |
/* |
|
552 |
* Set the corresponding deny for the group ace. |
|
553 |
* |
|
554 |
* The deny aces go after all of the groups, unlike |
|
555 |
* everything else, where they immediately follow |
|
556 |
* the allow ace. |
|
557 |
* |
|
558 |
* We calculate "skip", the number of slots to |
|
559 |
* skip ahead for the deny ace, here. |
|
560 |
* |
|
561 |
* The pattern is: |
|
562 |
* MD1 A1 MD2 A2 MD3 A3 D1 D2 D3 |
|
563 |
* thus, skip is |
|
564 |
* (2 * numgroup) - 1 - groupi |
|
565 |
* (2 * numgroup) to account for MD + A |
|
566 |
* - 1 to account for the fact that we're on the |
|
567 |
* access (A), not the mask (MD) |
|
568 |
* - groupi to account for the fact that we have |
|
569 |
* passed up groupi number of MD's. |
|
570 |
*/ |
|
571 |
skip = (2 * numgroup) - 1 - groupi; |
|
572 |
ace_make_deny(acep, acep + skip, isdir, B_FALSE); |
|
573 |
/* |
|
574 |
* If we just did the last group, skip acep past |
|
575 |
* all of the denies; else, just move ahead one. |
|
576 |
*/ |
|
577 |
if (++groupi >= numgroup) |
|
578 |
acep += numgroup + 1; |
|
579 |
else |
|
580 |
acep += 1; |
|
581 |
} else if (aclent[i].a_type & OTHER_OBJ) {
|
|
582 |
acep->a_who = -1; |
|
583 |
acep->a_flags |= ACE_EVERYONE; |
|
584 |
ace_make_deny(acep, acep + 1, isdir, B_FALSE); |
|
585 |
acep += 2; |
|
586 |
} else {
|
|
587 |
error = EINVAL; |
|
588 |
goto out; |
|
589 |
} |
|
590 |
} |
|
591 |
||
592 |
*acepp = result; |
|
593 |
*rescount = resultsize; |
|
594 |
||
595 |
out: |
|
596 |
if (error != 0) {
|
|
597 |
if ((result != NULL) && (resultsize > 0)) {
|
|
598 |
free(result); |
|
599 |
} |
|
600 |
} |
|
601 |
||
602 |
return (error); |
|
603 |
} |
|
604 |
||
605 |
static int |
|
606 |
convert_aent_to_ace(aclent_t *aclentp, int aclcnt, int isdir, |
|
607 |
ace_t **retacep, int *retacecnt) |
|
608 |
{
|
|
609 |
ace_t *acep; |
|
610 |
ace_t *dfacep; |
|
611 |
int acecnt = 0; |
|
612 |
int dfacecnt = 0; |
|
613 |
int dfaclstart = 0; |
|
614 |
int dfaclcnt = 0; |
|
615 |
aclent_t *aclp; |
|
616 |
int i; |
|
617 |
int error; |
|
618 |
||
619 |
ksort((caddr_t)aclentp, aclcnt, sizeof (aclent_t), cmp2acls); |
|
620 |
||
621 |
for (i = 0, aclp = aclentp; i < aclcnt; aclp++, i++) {
|
|
622 |
if (aclp->a_type & ACL_DEFAULT) |
|
623 |
break; |
|
624 |
} |
|
625 |
||
626 |
if (i < aclcnt) {
|
|
| 1462 | 627 |
dfaclstart = i; |
628 |
dfaclcnt = aclcnt - i; |
|
| 789 | 629 |
} |
630 |
||
631 |
if (dfaclcnt && isdir == 0) {
|
|
632 |
return (-1); |
|
633 |
} |
|
634 |
||
635 |
error = ln_aent_to_ace(aclentp, i, &acep, &acecnt, isdir); |
|
636 |
if (error) |
|
637 |
return (-1); |
|
638 |
||
639 |
if (dfaclcnt) {
|
|
640 |
error = ln_aent_to_ace(&aclentp[dfaclstart], dfaclcnt, |
|
641 |
&dfacep, &dfacecnt, isdir); |
|
642 |
if (error) {
|
|
643 |
if (acep) {
|
|
644 |
free(acep); |
|
645 |
} |
|
646 |
return (-1); |
|
647 |
} |
|
648 |
} |
|
649 |
||
| 1462 | 650 |
if (dfacecnt != 0) {
|
651 |
acep = realloc(acep, sizeof (ace_t) * (acecnt + dfacecnt)); |
|
652 |
if (acep == NULL) |
|
653 |
return (-1); |
|
654 |
if (dfaclcnt) {
|
|
655 |
(void) memcpy(acep + acecnt, dfacep, |
|
656 |
sizeof (ace_t) * dfacecnt); |
|
657 |
} |
|
| 789 | 658 |
} |
659 |
if (dfaclcnt) |
|
660 |
free(dfacep); |
|
661 |
||
662 |
*retacecnt = acecnt + dfacecnt; |
|
| 1462 | 663 |
*retacep = acep; |
664 |
return (0); |
|
665 |
} |
|
666 |
||
667 |
static void |
|
668 |
acevals_init(acevals_t *vals, uid_t key) |
|
669 |
{
|
|
670 |
bzero(vals, sizeof (*vals)); |
|
671 |
vals->allowed = ACE_MASK_UNDEFINED; |
|
672 |
vals->denied = ACE_MASK_UNDEFINED; |
|
673 |
vals->mask = ACE_MASK_UNDEFINED; |
|
674 |
vals->key = key; |
|
675 |
} |
|
676 |
||
677 |
static void |
|
678 |
ace_list_init(ace_list_t *al, int dfacl_flag) |
|
679 |
{
|
|
680 |
acevals_init(&al->user_obj, NULL); |
|
681 |
acevals_init(&al->group_obj, NULL); |
|
682 |
acevals_init(&al->other_obj, NULL); |
|
683 |
al->numusers = 0; |
|
684 |
al->numgroups = 0; |
|
685 |
al->acl_mask = 0; |
|
686 |
al->hasmask = 0; |
|
687 |
al->state = ace_unused; |
|
688 |
al->seen = 0; |
|
689 |
al->dfacl_flag = dfacl_flag; |
|
690 |
} |
|
691 |
||
692 |
/* |
|
693 |
* Find or create an acevals holder for a given id and avl tree. |
|
694 |
* |
|
695 |
* Note that only one thread will ever touch these avl trees, so |
|
696 |
* there is no need for locking. |
|
697 |
*/ |
|
698 |
static acevals_t * |
|
699 |
acevals_find(ace_t *ace, avl_tree_t *avl, int *num) |
|
700 |
{
|
|
701 |
acevals_t key, *rc; |
|
702 |
avl_index_t where; |
|
703 |
||
704 |
key.key = ace->a_who; |
|
705 |
rc = avl_find(avl, &key, &where); |
|
706 |
if (rc != NULL) |
|
707 |
return (rc); |
|
708 |
||
709 |
/* this memory is freed by ln_ace_to_aent()->ace_list_free() */ |
|
710 |
rc = calloc(1, sizeof (acevals_t)); |
|
711 |
if (rc == NULL) |
|
712 |
return (rc); |
|
713 |
acevals_init(rc, ace->a_who); |
|
714 |
avl_insert(avl, rc, where); |
|
715 |
(*num)++; |
|
716 |
||
717 |
return (rc); |
|
718 |
} |
|
719 |
||
720 |
static int |
|
721 |
access_mask_check(ace_t *acep, int mask_bit, int isowner) |
|
722 |
{
|
|
723 |
int set_deny, err_deny; |
|
724 |
int set_allow, err_allow; |
|
725 |
int acl_consume; |
|
726 |
int haswriteperm, hasreadperm; |
|
727 |
||
728 |
if (acep->a_type == ACE_ACCESS_DENIED_ACE_TYPE) {
|
|
729 |
haswriteperm = (acep->a_access_mask & ACE_WRITE_DATA) ? 0 : 1; |
|
730 |
hasreadperm = (acep->a_access_mask & ACE_READ_DATA) ? 0 : 1; |
|
731 |
} else {
|
|
732 |
haswriteperm = (acep->a_access_mask & ACE_WRITE_DATA) ? 1 : 0; |
|
733 |
hasreadperm = (acep->a_access_mask & ACE_READ_DATA) ? 1 : 0; |
|
734 |
} |
|
735 |
||
736 |
acl_consume = (ACL_SYNCHRONIZE_ERR_DENY | |
|
737 |
ACL_DELETE_ERR_DENY | |
|
738 |
ACL_WRITE_OWNER_ERR_DENY | |
|
739 |
ACL_WRITE_OWNER_ERR_ALLOW | |
|
740 |
ACL_WRITE_ATTRS_OWNER_SET_ALLOW | |
|
741 |
ACL_WRITE_ATTRS_OWNER_ERR_DENY | |
|
742 |
ACL_WRITE_ATTRS_WRITER_SET_DENY | |
|
743 |
ACL_WRITE_ATTRS_WRITER_ERR_ALLOW | |
|
744 |
ACL_WRITE_NAMED_WRITER_ERR_DENY | |
|
745 |
ACL_READ_NAMED_READER_ERR_DENY); |
|
746 |
||
747 |
if (mask_bit == ACE_SYNCHRONIZE) {
|
|
748 |
set_deny = ACL_SYNCHRONIZE_SET_DENY; |
|
749 |
err_deny = ACL_SYNCHRONIZE_ERR_DENY; |
|
750 |
set_allow = ACL_SYNCHRONIZE_SET_ALLOW; |
|
751 |
err_allow = ACL_SYNCHRONIZE_ERR_ALLOW; |
|
752 |
} else if (mask_bit == ACE_WRITE_OWNER) {
|
|
753 |
set_deny = ACL_WRITE_OWNER_SET_DENY; |
|
754 |
err_deny = ACL_WRITE_OWNER_ERR_DENY; |
|
755 |
set_allow = ACL_WRITE_OWNER_SET_ALLOW; |
|
756 |
err_allow = ACL_WRITE_OWNER_ERR_ALLOW; |
|
757 |
} else if (mask_bit == ACE_DELETE) {
|
|
758 |
set_deny = ACL_DELETE_SET_DENY; |
|
759 |
err_deny = ACL_DELETE_ERR_DENY; |
|
760 |
set_allow = ACL_DELETE_SET_ALLOW; |
|
761 |
err_allow = ACL_DELETE_ERR_ALLOW; |
|
762 |
} else if (mask_bit == ACE_WRITE_ATTRIBUTES) {
|
|
763 |
if (isowner) {
|
|
764 |
set_deny = ACL_WRITE_ATTRS_OWNER_SET_DENY; |
|
765 |
err_deny = ACL_WRITE_ATTRS_OWNER_ERR_DENY; |
|
766 |
set_allow = ACL_WRITE_ATTRS_OWNER_SET_ALLOW; |
|
767 |
err_allow = ACL_WRITE_ATTRS_OWNER_ERR_ALLOW; |
|
768 |
} else if (haswriteperm) {
|
|
769 |
set_deny = ACL_WRITE_ATTRS_WRITER_SET_DENY; |
|
770 |
err_deny = ACL_WRITE_ATTRS_WRITER_ERR_DENY; |
|
771 |
set_allow = ACL_WRITE_ATTRS_WRITER_SET_ALLOW; |
|
772 |
err_allow = ACL_WRITE_ATTRS_WRITER_ERR_ALLOW; |
|
773 |
} else {
|
|
774 |
if ((acep->a_access_mask & mask_bit) && |
|
775 |
(acep->a_type & ACE_ACCESS_ALLOWED_ACE_TYPE)) {
|
|
776 |
return (ENOTSUP); |
|
777 |
} |
|
778 |
return (0); |
|
779 |
} |
|
780 |
} else if (mask_bit == ACE_READ_NAMED_ATTRS) {
|
|
781 |
if (!hasreadperm) |
|
782 |
return (0); |
|
783 |
||
784 |
set_deny = ACL_READ_NAMED_READER_SET_DENY; |
|
785 |
err_deny = ACL_READ_NAMED_READER_ERR_DENY; |
|
786 |
set_allow = ACL_READ_NAMED_READER_SET_ALLOW; |
|
787 |
err_allow = ACL_READ_NAMED_READER_ERR_ALLOW; |
|
788 |
} else if (mask_bit == ACE_WRITE_NAMED_ATTRS) {
|
|
789 |
if (!haswriteperm) |
|
790 |
return (0); |
|
791 |
||
792 |
set_deny = ACL_WRITE_NAMED_WRITER_SET_DENY; |
|
793 |
err_deny = ACL_WRITE_NAMED_WRITER_ERR_DENY; |
|
794 |
set_allow = ACL_WRITE_NAMED_WRITER_SET_ALLOW; |
|
795 |
err_allow = ACL_WRITE_NAMED_WRITER_ERR_ALLOW; |
|
796 |
} else {
|
|
797 |
return (EINVAL); |
|
798 |
} |
|
799 |
||
800 |
if (acep->a_type == ACE_ACCESS_DENIED_ACE_TYPE) {
|
|
801 |
if (acl_consume & set_deny) {
|
|
802 |
if (!(acep->a_access_mask & mask_bit)) {
|
|
803 |
return (ENOTSUP); |
|
804 |
} |
|
805 |
} else if (acl_consume & err_deny) {
|
|
806 |
if (acep->a_access_mask & mask_bit) {
|
|
807 |
return (ENOTSUP); |
|
808 |
} |
|
809 |
} |
|
810 |
} else {
|
|
811 |
/* ACE_ACCESS_ALLOWED_ACE_TYPE */ |
|
812 |
if (acl_consume & set_allow) {
|
|
813 |
if (!(acep->a_access_mask & mask_bit)) {
|
|
814 |
return (ENOTSUP); |
|
815 |
} |
|
816 |
} else if (acl_consume & err_allow) {
|
|
817 |
if (acep->a_access_mask & mask_bit) {
|
|
818 |
return (ENOTSUP); |
|
819 |
} |
|
820 |
} |
|
821 |
} |
|
| 789 | 822 |
return (0); |
823 |
} |
|
824 |
||
| 1462 | 825 |
static int |
826 |
ace_to_aent_legal(ace_t *acep) |
|
827 |
{
|
|
828 |
int error = 0; |
|
829 |
int isowner; |
|
830 |
||
831 |
/* only ALLOW or DENY */ |
|
832 |
if ((acep->a_type != ACE_ACCESS_ALLOWED_ACE_TYPE) && |
|
833 |
(acep->a_type != ACE_ACCESS_DENIED_ACE_TYPE)) {
|
|
834 |
error = ENOTSUP; |
|
835 |
goto out; |
|
836 |
} |
|
837 |
||
838 |
/* check for invalid flags */ |
|
839 |
if (acep->a_flags & ~(ACE_VALID_FLAG_BITS)) {
|
|
840 |
error = EINVAL; |
|
841 |
goto out; |
|
842 |
} |
|
843 |
||
844 |
/* some flags are illegal */ |
|
845 |
if (acep->a_flags & (ACE_SUCCESSFUL_ACCESS_ACE_FLAG | |
|
846 |
ACE_FAILED_ACCESS_ACE_FLAG | |
|
847 |
ACE_NO_PROPAGATE_INHERIT_ACE)) {
|
|
848 |
error = ENOTSUP; |
|
849 |
goto out; |
|
850 |
} |
|
851 |
||
852 |
/* check for invalid masks */ |
|
853 |
if (acep->a_access_mask & ~(ACE_VALID_MASK_BITS)) {
|
|
854 |
error = EINVAL; |
|
855 |
goto out; |
|
856 |
} |
|
857 |
||
858 |
if ((acep->a_flags & ACE_OWNER)) {
|
|
859 |
isowner = 1; |
|
860 |
} else {
|
|
861 |
isowner = 0; |
|
862 |
} |
|
863 |
||
864 |
error = access_mask_check(acep, ACE_SYNCHRONIZE, isowner); |
|
865 |
if (error) |
|
866 |
goto out; |
|
867 |
||
868 |
error = access_mask_check(acep, ACE_WRITE_OWNER, isowner); |
|
869 |
if (error) |
|
870 |
goto out; |
|
871 |
||
872 |
error = access_mask_check(acep, ACE_DELETE, isowner); |
|
873 |
if (error) |
|
874 |
goto out; |
|
875 |
||
876 |
error = access_mask_check(acep, ACE_WRITE_ATTRIBUTES, isowner); |
|
877 |
if (error) |
|
878 |
goto out; |
|
879 |
||
880 |
error = access_mask_check(acep, ACE_READ_NAMED_ATTRS, isowner); |
|
881 |
if (error) |
|
882 |
goto out; |
|
883 |
||
884 |
error = access_mask_check(acep, ACE_WRITE_NAMED_ATTRS, isowner); |
|
885 |
if (error) |
|
886 |
goto out; |
|
887 |
||
888 |
/* more detailed checking of masks */ |
|
889 |
if (acep->a_type == ACE_ACCESS_ALLOWED_ACE_TYPE) {
|
|
890 |
if (! (acep->a_access_mask & ACE_READ_ATTRIBUTES)) {
|
|
891 |
error = ENOTSUP; |
|
892 |
goto out; |
|
893 |
} |
|
894 |
if ((acep->a_access_mask & ACE_WRITE_DATA) && |
|
895 |
(! (acep->a_access_mask & ACE_APPEND_DATA))) {
|
|
896 |
error = ENOTSUP; |
|
897 |
goto out; |
|
898 |
} |
|
899 |
if ((! (acep->a_access_mask & ACE_WRITE_DATA)) && |
|
900 |
(acep->a_access_mask & ACE_APPEND_DATA)) {
|
|
901 |
error = ENOTSUP; |
|
902 |
goto out; |
|
903 |
} |
|
904 |
} |
|
905 |
||
906 |
/* ACL enforcement */ |
|
907 |
if ((acep->a_access_mask & ACE_READ_ACL) && |
|
908 |
(acep->a_type != ACE_ACCESS_ALLOWED_ACE_TYPE)) {
|
|
909 |
error = ENOTSUP; |
|
910 |
goto out; |
|
911 |
} |
|
912 |
if (acep->a_access_mask & ACE_WRITE_ACL) {
|
|
913 |
if ((acep->a_type == ACE_ACCESS_DENIED_ACE_TYPE) && |
|
914 |
(isowner)) {
|
|
915 |
error = ENOTSUP; |
|
916 |
goto out; |
|
917 |
} |
|
918 |
if ((acep->a_type == ACE_ACCESS_ALLOWED_ACE_TYPE) && |
|
919 |
(! isowner)) {
|
|
920 |
error = ENOTSUP; |
|
921 |
goto out; |
|
922 |
} |
|
923 |
} |
|
924 |
||
925 |
out: |
|
926 |
return (error); |
|
927 |
} |
|
928 |
||
929 |
static int |
|
930 |
ace_mask_to_mode(uint32_t mask, o_mode_t *modep, int isdir) |
|
931 |
{
|
|
932 |
int error = 0; |
|
933 |
o_mode_t mode = 0; |
|
934 |
uint32_t bits, wantbits; |
|
935 |
||
936 |
/* read */ |
|
937 |
if (mask & ACE_READ_DATA) |
|
938 |
mode |= 04; |
|
939 |
||
940 |
/* write */ |
|
941 |
wantbits = (ACE_WRITE_DATA | ACE_APPEND_DATA); |
|
942 |
if (isdir) |
|
943 |
wantbits |= ACE_DELETE_CHILD; |
|
944 |
bits = mask & wantbits; |
|
945 |
if (bits != 0) {
|
|
946 |
if (bits != wantbits) {
|
|
947 |
error = ENOTSUP; |
|
948 |
goto out; |
|
949 |
} |
|
950 |
mode |= 02; |
|
951 |
} |
|
952 |
||
953 |
/* exec */ |
|
954 |
if (mask & ACE_EXECUTE) {
|
|
955 |
mode |= 01; |
|
956 |
} |
|
957 |
||
958 |
*modep = mode; |
|
959 |
||
960 |
out: |
|
961 |
return (error); |
|
962 |
} |
|
963 |
||
964 |
static int |
|
965 |
ace_allow_to_mode(uint32_t mask, o_mode_t *modep, int isdir) |
|
966 |
{
|
|
967 |
/* ACE_READ_ACL and ACE_READ_ATTRIBUTES must both be set */ |
|
968 |
if ((mask & (ACE_READ_ACL | ACE_READ_ATTRIBUTES)) != |
|
969 |
(ACE_READ_ACL | ACE_READ_ATTRIBUTES)) {
|
|
970 |
return (ENOTSUP); |
|
971 |
} |
|
972 |
||
973 |
return (ace_mask_to_mode(mask, modep, isdir)); |
|
974 |
} |
|
975 |
||
976 |
static int |
|
977 |
acevals_to_aent(acevals_t *vals, aclent_t *dest, ace_list_t *list, |
|
978 |
uid_t owner, gid_t group, int isdir) |
|
979 |
{
|
|
980 |
int error; |
|
981 |
uint32_t flips = ACE_POSIX_SUPPORTED_BITS; |
|
982 |
||
983 |
if (isdir) |
|
984 |
flips |= ACE_DELETE_CHILD; |
|
985 |
if (vals->allowed != (vals->denied ^ flips)) {
|
|
986 |
error = ENOTSUP; |
|
987 |
goto out; |
|
988 |
} |
|
989 |
if ((list->hasmask) && (list->acl_mask != vals->mask) && |
|
990 |
(vals->aent_type & (USER | GROUP | GROUP_OBJ))) {
|
|
991 |
error = ENOTSUP; |
|
992 |
goto out; |
|
993 |
} |
|
994 |
error = ace_allow_to_mode(vals->allowed, &dest->a_perm, isdir); |
|
995 |
if (error != 0) |
|
996 |
goto out; |
|
997 |
dest->a_type = vals->aent_type; |
|
998 |
if (dest->a_type & (USER | GROUP)) {
|
|
999 |
dest->a_id = vals->key; |
|
1000 |
} else if (dest->a_type & USER_OBJ) {
|
|
1001 |
dest->a_id = owner; |
|
1002 |
} else if (dest->a_type & GROUP_OBJ) {
|
|
1003 |
dest->a_id = group; |
|
1004 |
} else if (dest->a_type & OTHER_OBJ) {
|
|
1005 |
dest->a_id = 0; |
|
1006 |
} else {
|
|
1007 |
error = EINVAL; |
|
1008 |
goto out; |
|
1009 |
} |
|
1010 |
||
1011 |
out: |
|
1012 |
return (error); |
|
1013 |
} |
|
| 789 | 1014 |
|
1015 |
static int |
|
| 1462 | 1016 |
ace_list_to_aent(ace_list_t *list, aclent_t **aclentp, int *aclcnt, |
1017 |
uid_t owner, gid_t group, int isdir) |
|
1018 |
{
|
|
1019 |
int error = 0; |
|
1020 |
aclent_t *aent, *result = NULL; |
|
1021 |
acevals_t *vals; |
|
1022 |
int resultcount; |
|
1023 |
||
1024 |
if ((list->seen & (USER_OBJ | GROUP_OBJ | OTHER_OBJ)) != |
|
1025 |
(USER_OBJ | GROUP_OBJ | OTHER_OBJ)) {
|
|
1026 |
error = ENOTSUP; |
|
1027 |
goto out; |
|
1028 |
} |
|
1029 |
if ((! list->hasmask) && (list->numusers + list->numgroups > 0)) {
|
|
1030 |
error = ENOTSUP; |
|
1031 |
goto out; |
|
1032 |
} |
|
1033 |
||
1034 |
resultcount = 3 + list->numusers + list->numgroups; |
|
1035 |
/* |
|
1036 |
* This must be the same condition as below, when we add the CLASS_OBJ |
|
1037 |
* (aka ACL mask) |
|
1038 |
*/ |
|
1039 |
if ((list->hasmask) || (! list->dfacl_flag)) |
|
1040 |
resultcount += 1; |
|
1041 |
||
1042 |
result = aent = calloc(1, resultcount * sizeof (aclent_t)); |
|
1043 |
||
1044 |
if (result == NULL) {
|
|
1045 |
error = ENOMEM; |
|
1046 |
goto out; |
|
1047 |
} |
|
1048 |
||
1049 |
/* USER_OBJ */ |
|
1050 |
if (!(list->user_obj.aent_type & USER_OBJ)) {
|
|
1051 |
error = EINVAL; |
|
1052 |
goto out; |
|
1053 |
} |
|
1054 |
||
1055 |
error = acevals_to_aent(&list->user_obj, aent, list, owner, group, |
|
1056 |
isdir); |
|
1057 |
||
1058 |
if (error != 0) |
|
1059 |
goto out; |
|
1060 |
++aent; |
|
1061 |
/* USER */ |
|
1062 |
vals = NULL; |
|
1063 |
for (vals = avl_first(&list->user); vals != NULL; |
|
1064 |
vals = AVL_NEXT(&list->user, vals)) {
|
|
1065 |
if (!(vals->aent_type & USER)) {
|
|
1066 |
error = EINVAL; |
|
1067 |
goto out; |
|
1068 |
} |
|
1069 |
error = acevals_to_aent(vals, aent, list, owner, group, |
|
1070 |
isdir); |
|
1071 |
if (error != 0) |
|
1072 |
goto out; |
|
1073 |
++aent; |
|
1074 |
} |
|
1075 |
/* GROUP_OBJ */ |
|
1076 |
if (!(list->group_obj.aent_type & GROUP_OBJ)) {
|
|
1077 |
error = EINVAL; |
|
1078 |
goto out; |
|
1079 |
} |
|
1080 |
error = acevals_to_aent(&list->group_obj, aent, list, owner, group, |
|
1081 |
isdir); |
|
1082 |
if (error != 0) |
|
1083 |
goto out; |
|
1084 |
++aent; |
|
1085 |
/* GROUP */ |
|
1086 |
vals = NULL; |
|
1087 |
for (vals = avl_first(&list->group); vals != NULL; |
|
1088 |
vals = AVL_NEXT(&list->group, vals)) {
|
|
1089 |
if (!(vals->aent_type & GROUP)) {
|
|
1090 |
error = EINVAL; |
|
1091 |
goto out; |
|
1092 |
} |
|
1093 |
error = acevals_to_aent(vals, aent, list, owner, group, |
|
1094 |
isdir); |
|
1095 |
if (error != 0) |
|
1096 |
goto out; |
|
1097 |
++aent; |
|
1098 |
} |
|
1099 |
/* |
|
1100 |
* CLASS_OBJ (aka ACL_MASK) |
|
1101 |
* |
|
1102 |
* An ACL_MASK is not fabricated if the ACL is a default ACL. |
|
1103 |
* This is to follow UFS's behavior. |
|
1104 |
*/ |
|
1105 |
if ((list->hasmask) || (! list->dfacl_flag)) {
|
|
1106 |
if (list->hasmask) {
|
|
1107 |
uint32_t flips = ACE_POSIX_SUPPORTED_BITS; |
|
1108 |
if (isdir) |
|
1109 |
flips |= ACE_DELETE_CHILD; |
|
1110 |
error = ace_mask_to_mode(list->acl_mask ^ flips, |
|
1111 |
&aent->a_perm, isdir); |
|
1112 |
if (error != 0) |
|
1113 |
goto out; |
|
1114 |
} else {
|
|
1115 |
/* fabricate the ACL_MASK from the group permissions */ |
|
1116 |
error = ace_mask_to_mode(list->group_obj.allowed, |
|
1117 |
&aent->a_perm, isdir); |
|
1118 |
if (error != 0) |
|
1119 |
goto out; |
|
1120 |
} |
|
1121 |
aent->a_id = 0; |
|
1122 |
aent->a_type = CLASS_OBJ | list->dfacl_flag; |
|
1123 |
++aent; |
|
1124 |
} |
|
1125 |
/* OTHER_OBJ */ |
|
1126 |
if (!(list->other_obj.aent_type & OTHER_OBJ)) {
|
|
1127 |
error = EINVAL; |
|
1128 |
goto out; |
|
1129 |
} |
|
1130 |
error = acevals_to_aent(&list->other_obj, aent, list, owner, group, |
|
1131 |
isdir); |
|
1132 |
if (error != 0) |
|
1133 |
goto out; |
|
1134 |
++aent; |
|
1135 |
||
1136 |
*aclentp = result; |
|
1137 |
*aclcnt = resultcount; |
|
1138 |
||
1139 |
out: |
|
1140 |
if (error != 0) {
|
|
1141 |
if (result != NULL) |
|
1142 |
free(result); |
|
1143 |
} |
|
1144 |
||
1145 |
return (error); |
|
1146 |
} |
|
1147 |
||
1148 |
/* |
|
1149 |
* free all data associated with an ace_list |
|
1150 |
*/ |
|
1151 |
static void |
|
1152 |
ace_list_free(ace_list_t *al) |
|
1153 |
{
|
|
1154 |
acevals_t *node; |
|
1155 |
void *cookie; |
|
1156 |
||
1157 |
if (al == NULL) |
|
1158 |
return; |
|
1159 |
||
1160 |
cookie = NULL; |
|
1161 |
while ((node = avl_destroy_nodes(&al->user, &cookie)) != NULL) |
|
1162 |
free(node); |
|
1163 |
cookie = NULL; |
|
1164 |
while ((node = avl_destroy_nodes(&al->group, &cookie)) != NULL) |
|
1165 |
free(node); |
|
1166 |
||
1167 |
avl_destroy(&al->user); |
|
1168 |
avl_destroy(&al->group); |
|
1169 |
||
1170 |
/* free the container itself */ |
|
1171 |
free(al); |
|
1172 |
} |
|
1173 |
||
1174 |
static int |
|
1175 |
acevals_compare(const void *va, const void *vb) |
|
1176 |
{
|
|
1177 |
const acevals_t *a = va, *b = vb; |
|
1178 |
||
1179 |
if (a->key == b->key) |
|
1180 |
return (0); |
|
1181 |
||
1182 |
if (a->key > b->key) |
|
1183 |
return (1); |
|
1184 |
||
1185 |
else |
|
1186 |
return (-1); |
|
1187 |
} |
|
1188 |
||
1189 |
/* |
|
1190 |
* Convert a list of ace_t entries to equivalent regular and default |
|
1191 |
* aclent_t lists. Return error (ENOTSUP) when conversion is not possible. |
|
1192 |
*/ |
|
1193 |
static int |
|
1194 |
ln_ace_to_aent(ace_t *ace, int n, uid_t owner, gid_t group, |
|
1195 |
aclent_t **aclentp, int *aclcnt, aclent_t **dfaclentp, int *dfaclcnt, |
|
1196 |
int isdir) |
|
1197 |
{
|
|
1198 |
int error = 0; |
|
1199 |
ace_t *acep; |
|
1200 |
uint32_t bits; |
|
1201 |
int i; |
|
1202 |
ace_list_t *normacl = NULL, *dfacl = NULL, *acl; |
|
1203 |
acevals_t *vals; |
|
1204 |
||
1205 |
*aclentp = NULL; |
|
1206 |
*aclcnt = 0; |
|
1207 |
*dfaclentp = NULL; |
|
1208 |
*dfaclcnt = 0; |
|
1209 |
||
1210 |
/* we need at least user_obj, group_obj, and other_obj */ |
|
1211 |
if (n < 6) {
|
|
1212 |
error = ENOTSUP; |
|
1213 |
goto out; |
|
1214 |
} |
|
1215 |
if (ace == NULL) {
|
|
1216 |
error = EINVAL; |
|
1217 |
goto out; |
|
1218 |
} |
|
1219 |
||
1220 |
normacl = calloc(1, sizeof (ace_list_t)); |
|
1221 |
||
1222 |
if (normacl == NULL) {
|
|
1223 |
error = errno; |
|
1224 |
goto out; |
|
1225 |
} |
|
1226 |
||
1227 |
avl_create(&normacl->user, acevals_compare, sizeof (acevals_t), |
|
1228 |
offsetof(acevals_t, avl)); |
|
1229 |
avl_create(&normacl->group, acevals_compare, sizeof (acevals_t), |
|
1230 |
offsetof(acevals_t, avl)); |
|
1231 |
||
1232 |
ace_list_init(normacl, 0); |
|
1233 |
||
1234 |
dfacl = calloc(1, sizeof (ace_list_t)); |
|
1235 |
if (dfacl == NULL) {
|
|
1236 |
error = errno; |
|
1237 |
goto out; |
|
1238 |
} |
|
1239 |
avl_create(&dfacl->user, acevals_compare, sizeof (acevals_t), |
|
1240 |
offsetof(acevals_t, avl)); |
|
1241 |
avl_create(&dfacl->group, acevals_compare, sizeof (acevals_t), |
|
1242 |
offsetof(acevals_t, avl)); |
|
1243 |
ace_list_init(dfacl, ACL_DEFAULT); |
|
1244 |
||
1245 |
/* process every ace_t... */ |
|
1246 |
for (i = 0; i < n; i++) {
|
|
1247 |
acep = &ace[i]; |
|
1248 |
||
1249 |
/* rule out certain cases quickly */ |
|
1250 |
error = ace_to_aent_legal(acep); |
|
1251 |
if (error != 0) |
|
1252 |
goto out; |
|
1253 |
||
1254 |
/* |
|
1255 |
* Turn off these bits in order to not have to worry about |
|
1256 |
* them when doing the checks for compliments. |
|
1257 |
*/ |
|
1258 |
acep->a_access_mask &= ~(ACE_WRITE_OWNER | ACE_DELETE | |
|
1259 |
ACE_SYNCHRONIZE | ACE_WRITE_ATTRIBUTES | |
|
1260 |
ACE_READ_NAMED_ATTRS | ACE_WRITE_NAMED_ATTRS); |
|
1261 |
||
1262 |
/* see if this should be a regular or default acl */ |
|
1263 |
bits = acep->a_flags & |
|
1264 |
(ACE_INHERIT_ONLY_ACE | |
|
1265 |
ACE_FILE_INHERIT_ACE | |
|
1266 |
ACE_DIRECTORY_INHERIT_ACE); |
|
1267 |
if (bits != 0) {
|
|
1268 |
/* all or nothing on these inherit bits */ |
|
1269 |
if (bits != (ACE_INHERIT_ONLY_ACE | |
|
1270 |
ACE_FILE_INHERIT_ACE | |
|
1271 |
ACE_DIRECTORY_INHERIT_ACE)) {
|
|
1272 |
error = ENOTSUP; |
|
1273 |
goto out; |
|
1274 |
} |
|
1275 |
acl = dfacl; |
|
1276 |
} else {
|
|
1277 |
acl = normacl; |
|
1278 |
} |
|
1279 |
||
1280 |
if ((acep->a_flags & ACE_OWNER)) {
|
|
1281 |
if (acl->state > ace_user_obj) {
|
|
1282 |
error = ENOTSUP; |
|
1283 |
goto out; |
|
1284 |
} |
|
1285 |
acl->state = ace_user_obj; |
|
1286 |
acl->seen |= USER_OBJ; |
|
1287 |
vals = &acl->user_obj; |
|
1288 |
vals->aent_type = USER_OBJ | acl->dfacl_flag; |
|
1289 |
} else if ((acep->a_flags & ACE_EVERYONE)) {
|
|
1290 |
acl->state = ace_other_obj; |
|
1291 |
acl->seen |= OTHER_OBJ; |
|
1292 |
vals = &acl->other_obj; |
|
1293 |
vals->aent_type = OTHER_OBJ | acl->dfacl_flag; |
|
1294 |
} else if (acep->a_flags & ACE_IDENTIFIER_GROUP) {
|
|
1295 |
if (acl->state > ace_group) {
|
|
1296 |
error = ENOTSUP; |
|
1297 |
goto out; |
|
1298 |
} |
|
1299 |
if ((acep->a_flags & ACE_GROUP)) {
|
|
1300 |
acl->seen |= GROUP_OBJ; |
|
1301 |
vals = &acl->group_obj; |
|
1302 |
vals->aent_type = GROUP_OBJ | acl->dfacl_flag; |
|
1303 |
} else {
|
|
1304 |
acl->seen |= GROUP; |
|
1305 |
vals = acevals_find(acep, &acl->group, |
|
1306 |
&acl->numgroups); |
|
1307 |
if (vals == NULL) {
|
|
1308 |
error = ENOMEM; |
|
1309 |
goto out; |
|
1310 |
} |
|
1311 |
vals->aent_type = GROUP | acl->dfacl_flag; |
|
1312 |
} |
|
1313 |
acl->state = ace_group; |
|
1314 |
} else {
|
|
1315 |
if (acl->state > ace_user) {
|
|
1316 |
error = ENOTSUP; |
|
1317 |
goto out; |
|
1318 |
} |
|
1319 |
acl->state = ace_user; |
|
1320 |
acl->seen |= USER; |
|
1321 |
vals = acevals_find(acep, &acl->user, |
|
1322 |
&acl->numusers); |
|
1323 |
if (vals == NULL) {
|
|
1324 |
error = ENOMEM; |
|
1325 |
goto out; |
|
1326 |
} |
|
1327 |
vals->aent_type = USER | acl->dfacl_flag; |
|
1328 |
} |
|
1329 |
||
1330 |
if (!(acl->state > ace_unused)) {
|
|
1331 |
error = EINVAL; |
|
1332 |
goto out; |
|
1333 |
} |
|
1334 |
||
1335 |
if (acep->a_type == ACE_ACCESS_ALLOWED_ACE_TYPE) {
|
|
1336 |
/* no more than one allowed per aclent_t */ |
|
1337 |
if (vals->allowed != ACE_MASK_UNDEFINED) {
|
|
1338 |
error = ENOTSUP; |
|
1339 |
goto out; |
|
1340 |
} |
|
1341 |
vals->allowed = acep->a_access_mask; |
|
1342 |
} else {
|
|
1343 |
/* |
|
1344 |
* it's a DENY; if there was a previous DENY, it |
|
1345 |
* must have been an ACL_MASK. |
|
1346 |
*/ |
|
1347 |
if (vals->denied != ACE_MASK_UNDEFINED) {
|
|
1348 |
/* ACL_MASK is for USER and GROUP only */ |
|
1349 |
if ((acl->state != ace_user) && |
|
1350 |
(acl->state != ace_group)) {
|
|
1351 |
error = ENOTSUP; |
|
1352 |
goto out; |
|
1353 |
} |
|
1354 |
||
1355 |
if (! acl->hasmask) {
|
|
1356 |
acl->hasmask = 1; |
|
1357 |
acl->acl_mask = vals->denied; |
|
1358 |
/* check for mismatched ACL_MASK emulations */ |
|
1359 |
} else if (acl->acl_mask != vals->denied) {
|
|
1360 |
error = ENOTSUP; |
|
1361 |
goto out; |
|
1362 |
} |
|
1363 |
vals->mask = vals->denied; |
|
1364 |
} |
|
1365 |
vals->denied = acep->a_access_mask; |
|
1366 |
} |
|
1367 |
} |
|
1368 |
||
1369 |
/* done collating; produce the aclent_t lists */ |
|
1370 |
if (normacl->state != ace_unused) {
|
|
1371 |
error = ace_list_to_aent(normacl, aclentp, aclcnt, |
|
1372 |
owner, group, isdir); |
|
1373 |
if (error != 0) {
|
|
1374 |
goto out; |
|
1375 |
} |
|
1376 |
} |
|
1377 |
if (dfacl->state != ace_unused) {
|
|
1378 |
error = ace_list_to_aent(dfacl, dfaclentp, dfaclcnt, |
|
1379 |
owner, group, isdir); |
|
1380 |
if (error != 0) {
|
|
1381 |
goto out; |
|
1382 |
} |
|
1383 |
} |
|
1384 |
||
1385 |
out: |
|
1386 |
if (normacl != NULL) |
|
1387 |
ace_list_free(normacl); |
|
1388 |
if (dfacl != NULL) |
|
1389 |
ace_list_free(dfacl); |
|
1390 |
||
1391 |
return (error); |
|
1392 |
} |
|
1393 |
||
1394 |
static int |
|
1395 |
convert_ace_to_aent(ace_t *acebufp, int acecnt, int isdir, |
|
1396 |
uid_t owner, gid_t group, aclent_t **retaclentp, int *retaclcnt) |
|
1397 |
{
|
|
1398 |
int error; |
|
1399 |
aclent_t *aclentp, *dfaclentp; |
|
1400 |
int aclcnt, dfaclcnt; |
|
1401 |
||
1402 |
error = ln_ace_to_aent(acebufp, acecnt, owner, group, |
|
1403 |
&aclentp, &aclcnt, &dfaclentp, &dfaclcnt, isdir); |
|
1404 |
||
1405 |
if (error) |
|
1406 |
return (error); |
|
1407 |
||
1408 |
||
1409 |
if (dfaclcnt != 0) {
|
|
1410 |
/* |
|
1411 |
* Slap aclentp and dfaclentp into a single array. |
|
1412 |
*/ |
|
1413 |
aclentp = realloc(aclentp, (sizeof (aclent_t) * aclcnt) + |
|
1414 |
(sizeof (aclent_t) * dfaclcnt)); |
|
1415 |
if (aclentp != NULL) {
|
|
1416 |
(void) memcpy(aclentp + aclcnt, |
|
1417 |
dfaclentp, sizeof (aclent_t) * dfaclcnt); |
|
1418 |
} else {
|
|
1419 |
error = -1; |
|
1420 |
} |
|
1421 |
} |
|
1422 |
||
1423 |
if (aclentp) {
|
|
1424 |
*retaclentp = aclentp; |
|
1425 |
*retaclcnt = aclcnt + dfaclcnt; |
|
1426 |
} |
|
1427 |
||
1428 |
if (dfaclentp) |
|
1429 |
free(dfaclentp); |
|
1430 |
||
1431 |
return (error); |
|
1432 |
} |
|
1433 |
||
| 1477 | 1434 |
static int |
| 789 | 1435 |
cacl_get(acl_inp inp, int get_flag, int type, acl_t **aclp) |
1436 |
{
|
|
1437 |
const char *fname; |
|
1438 |
int fd; |
|
1439 |
int ace_acl = 0; |
|
1440 |
int error; |
|
1441 |
int getcmd, cntcmd; |
|
1442 |
acl_t *acl_info; |
|
1443 |
int save_errno; |
|
1444 |
int stat_error; |
|
1445 |
struct stat64 statbuf; |
|
1446 |
||
1447 |
*aclp = NULL; |
|
1448 |
if (type == ACL_PATH) {
|
|
1449 |
fname = inp.file; |
|
1450 |
ace_acl = pathconf(fname, _PC_ACL_ENABLED); |
|
1451 |
} else {
|
|
1452 |
fd = inp.fd; |
|
1453 |
ace_acl = fpathconf(fd, _PC_ACL_ENABLED); |
|
1454 |
} |
|
1455 |
||
1456 |
/* |
|
1457 |
* if acl's aren't supported then |
|
1458 |
* send it through the old GETACL interface |
|
1459 |
*/ |
|
|
1666
07697c578888
6401243 ZFS ACLs should not break third party filesystems
marks
parents:
1477
diff
changeset
|
1460 |
if (ace_acl == 0 || ace_acl == -1) {
|
| 789 | 1461 |
ace_acl = _ACL_ACLENT_ENABLED; |
1462 |
} |
|
1463 |
||
1464 |
if (ace_acl & _ACL_ACE_ENABLED) {
|
|
1465 |
cntcmd = ACE_GETACLCNT; |
|
1466 |
getcmd = ACE_GETACL; |
|
1467 |
acl_info = acl_alloc(ACE_T); |
|
1468 |
} else {
|
|
1469 |
cntcmd = GETACLCNT; |
|
1470 |
getcmd = GETACL; |
|
1471 |
acl_info = acl_alloc(ACLENT_T); |
|
1472 |
} |
|
1473 |
||
1474 |
if (acl_info == NULL) |
|
1475 |
return (-1); |
|
1476 |
||
1477 |
if (type == ACL_PATH) {
|
|
1478 |
acl_info->acl_cnt = acl(fname, cntcmd, 0, NULL); |
|
1479 |
} else {
|
|
1480 |
acl_info->acl_cnt = facl(fd, cntcmd, 0, NULL); |
|
1481 |
} |
|
1482 |
||
1483 |
save_errno = errno; |
|
1484 |
if (acl_info->acl_cnt < 0) {
|
|
1485 |
acl_free(acl_info); |
|
1486 |
errno = save_errno; |
|
1487 |
return (-1); |
|
1488 |
} |
|
1489 |
||
1490 |
if (acl_info->acl_cnt == 0) {
|
|
1491 |
acl_free(acl_info); |
|
1492 |
errno = save_errno; |
|
1493 |
return (0); |
|
1494 |
} |
|
1495 |
||
1496 |
acl_info->acl_aclp = |
|
1497 |
malloc(acl_info->acl_cnt * acl_info->acl_entry_size); |
|
1498 |
save_errno = errno; |
|
1499 |
||
1500 |
if (acl_info->acl_aclp == NULL) {
|
|
1501 |
acl_free(acl_info); |
|
1502 |
errno = save_errno; |
|
1503 |
return (-1); |
|
1504 |
} |
|
1505 |
||
1506 |
if (type == ACL_PATH) {
|
|
1507 |
stat_error = stat64(fname, &statbuf); |
|
1508 |
error = acl(fname, getcmd, acl_info->acl_cnt, |
|
1509 |
acl_info->acl_aclp); |
|
1510 |
} else {
|
|
1511 |
stat_error = fstat64(fd, &statbuf); |
|
1512 |
error = facl(fd, getcmd, acl_info->acl_cnt, |
|
1513 |
acl_info->acl_aclp); |
|
1514 |
} |
|
1515 |
||
1516 |
save_errno = errno; |
|
1517 |
if (error == -1) {
|
|
1518 |
acl_free(acl_info); |
|
1519 |
errno = save_errno; |
|
1520 |
return (-1); |
|
1521 |
} |
|
1522 |
||
1523 |
||
1524 |
if (stat_error == 0) {
|
|
1525 |
acl_info->acl_flags = |
|
1526 |
(S_ISDIR(statbuf.st_mode) ? ACL_IS_DIR : 0); |
|
1527 |
} else |
|
1528 |
acl_info->acl_flags = 0; |
|
1529 |
||
1530 |
switch (acl_info->acl_type) {
|
|
1531 |
case ACLENT_T: |
|
1532 |
if (acl_info->acl_cnt <= MIN_ACL_ENTRIES) |
|
1533 |
acl_info->acl_flags |= ACL_IS_TRIVIAL; |
|
1534 |
break; |
|
1535 |
case ACE_T: |
|
1536 |
if (ace_trivial(acl_info->acl_aclp, acl_info->acl_cnt) == 0) |
|
1537 |
acl_info->acl_flags |= ACL_IS_TRIVIAL; |
|
1538 |
break; |
|
1539 |
default: |
|
1540 |
errno = EINVAL; |
|
1541 |
acl_free(acl_info); |
|
1542 |
return (-1); |
|
1543 |
} |
|
1544 |
||
1545 |
if ((acl_info->acl_flags & ACL_IS_TRIVIAL) && |
|
1546 |
(get_flag & ACL_NO_TRIVIAL)) {
|
|
1547 |
acl_free(acl_info); |
|
1548 |
errno = 0; |
|
1549 |
return (0); |
|
1550 |
} |
|
1551 |
||
1552 |
*aclp = acl_info; |
|
1553 |
return (0); |
|
1554 |
} |
|
1555 |
||
1556 |
/* |
|
1557 |
* return -1 on failure, otherwise the number of acl |
|
1558 |
* entries is returned |
|
1559 |
*/ |
|
1560 |
int |
|
1561 |
acl_get(const char *path, int get_flag, acl_t **aclp) |
|
1562 |
{
|
|
1563 |
acl_inp acl_inp; |
|
1564 |
acl_inp.file = path; |
|
1565 |
||
1566 |
return (cacl_get(acl_inp, get_flag, ACL_PATH, aclp)); |
|
1567 |
} |
|
1568 |
||
1569 |
int |
|
1570 |
facl_get(int fd, int get_flag, acl_t **aclp) |
|
1571 |
{
|
|
1572 |
||
1573 |
acl_inp acl_inp; |
|
1574 |
acl_inp.fd = fd; |
|
1575 |
||
1576 |
return (cacl_get(acl_inp, get_flag, ACL_FD, aclp)); |
|
1577 |
} |
|
1578 |
||
| 1462 | 1579 |
static int |
1580 |
acl_translate(acl_t *aclp, int target_flavor, int isdir, uid_t owner, |
|
1581 |
gid_t group) |
|
1582 |
{
|
|
1583 |
int aclcnt; |
|
1584 |
void *acldata; |
|
1585 |
int error; |
|
1586 |
||
1587 |
/* |
|
1588 |
* See if we need to translate |
|
1589 |
*/ |
|
1590 |
if ((target_flavor == _ACL_ACE_ENABLED && aclp->acl_type == ACE_T) || |
|
1591 |
(target_flavor == _ACL_ACLENT_ENABLED && |
|
1592 |
aclp->acl_type == ACLENT_T)) |
|
1593 |
return (0); |
|
1594 |
||
1595 |
if (target_flavor == -1) |
|
1596 |
return (-1); |
|
1597 |
||
1598 |
if (target_flavor == _ACL_ACE_ENABLED && |
|
1599 |
aclp->acl_type == ACLENT_T) {
|
|
1600 |
error = convert_aent_to_ace(aclp->acl_aclp, |
|
1601 |
aclp->acl_cnt, isdir, (ace_t **)&acldata, &aclcnt); |
|
1602 |
if (error) {
|
|
1603 |
errno = error; |
|
1604 |
return (-1); |
|
1605 |
} |
|
1606 |
} else if (target_flavor == _ACL_ACLENT_ENABLED && |
|
1607 |
aclp->acl_type == ACE_T) {
|
|
1608 |
error = convert_ace_to_aent(aclp->acl_aclp, aclp->acl_cnt, |
|
1609 |
isdir, owner, group, (aclent_t **)&acldata, &aclcnt); |
|
1610 |
if (error) {
|
|
1611 |
errno = error; |
|
1612 |
return (-1); |
|
1613 |
} |
|
1614 |
} else {
|
|
1615 |
errno = ENOTSUP; |
|
1616 |
return (-1); |
|
1617 |
} |
|
1618 |
||
1619 |
/* |
|
1620 |
* replace old acl with newly translated acl |
|
1621 |
*/ |
|
1622 |
free(aclp->acl_aclp); |
|
1623 |
aclp->acl_aclp = acldata; |
|
1624 |
aclp->acl_cnt = aclcnt; |
|
1625 |
aclp->acl_type = (target_flavor == _ACL_ACE_ENABLED) ? ACE_T : ACLENT_T; |
|
1626 |
return (0); |
|
1627 |
} |
|
1628 |
||
| 789 | 1629 |
/* |
1630 |
* Set an ACL, translates acl to ace_t when appropriate. |
|
1631 |
*/ |
|
1632 |
static int |
|
1633 |
cacl_set(acl_inp *acl_inp, acl_t *aclp, int type) |
|
1634 |
{
|
|
1635 |
int error = 0; |
|
1636 |
int acl_flavor_target; |
|
1637 |
struct stat64 statbuf; |
|
1638 |
int stat_error; |
|
1639 |
int isdir; |
|
1640 |
||
1641 |
||
1642 |
if (type == ACL_PATH) {
|
|
1643 |
stat_error = stat64(acl_inp->file, &statbuf); |
|
1644 |
if (stat_error) |
|
1645 |
return (-1); |
|
1646 |
acl_flavor_target = pathconf(acl_inp->file, _PC_ACL_ENABLED); |
|
1647 |
} else {
|
|
1648 |
stat_error = fstat64(acl_inp->fd, &statbuf); |
|
1649 |
if (stat_error) |
|
1650 |
return (-1); |
|
1651 |
acl_flavor_target = fpathconf(acl_inp->fd, _PC_ACL_ENABLED); |
|
1652 |
} |
|
1653 |
||
|
1666
07697c578888
6401243 ZFS ACLs should not break third party filesystems
marks
parents:
1477
diff
changeset
|
1654 |
/* |
|
07697c578888
6401243 ZFS ACLs should not break third party filesystems
marks
parents:
1477
diff
changeset
|
1655 |
* If target returns an error or 0 from pathconf call then |
|
07697c578888
6401243 ZFS ACLs should not break third party filesystems
marks
parents:
1477
diff
changeset
|
1656 |
* fall back to UFS/POSIX Draft interface. |
|
07697c578888
6401243 ZFS ACLs should not break third party filesystems
marks
parents:
1477
diff
changeset
|
1657 |
* In the case of 0 we will then fail in either acl(2) or |
|
07697c578888
6401243 ZFS ACLs should not break third party filesystems
marks
parents:
1477
diff
changeset
|
1658 |
* acl_translate(). We could erroneously get 0 back from |
|
07697c578888
6401243 ZFS ACLs should not break third party filesystems
marks
parents:
1477
diff
changeset
|
1659 |
* a file system that is using fs_pathconf() and not answering |
|
07697c578888
6401243 ZFS ACLs should not break third party filesystems
marks
parents:
1477
diff
changeset
|
1660 |
* the _PC_ACL_ENABLED question itself. |
|
07697c578888
6401243 ZFS ACLs should not break third party filesystems
marks
parents:
1477
diff
changeset
|
1661 |
*/ |
|
07697c578888
6401243 ZFS ACLs should not break third party filesystems
marks
parents:
1477
diff
changeset
|
1662 |
if (acl_flavor_target == 0 || acl_flavor_target == -1) |
|
07697c578888
6401243 ZFS ACLs should not break third party filesystems
marks
parents:
1477
diff
changeset
|
1663 |
acl_flavor_target = _ACL_ACLENT_ENABLED; |
|
07697c578888
6401243 ZFS ACLs should not break third party filesystems
marks
parents:
1477
diff
changeset
|
1664 |
|
| 789 | 1665 |
isdir = S_ISDIR(statbuf.st_mode); |
1666 |
||
| 1462 | 1667 |
if ((error = acl_translate(aclp, acl_flavor_target, isdir, |
1668 |
statbuf.st_uid, statbuf.st_gid)) != 0) {
|
|
1669 |
return (error); |
|
| 789 | 1670 |
} |
1671 |
||
1672 |
if (type == ACL_PATH) {
|
|
1673 |
error = acl(acl_inp->file, |
|
1674 |
(aclp->acl_type == ACE_T) ? ACE_SETACL : SETACL, |
|
1675 |
aclp->acl_cnt, aclp->acl_aclp); |
|
1676 |
} else {
|
|
1677 |
error = facl(acl_inp->fd, |
|
1678 |
(aclp->acl_type == ACE_T) ? ACE_SETACL : SETACL, |
|
1679 |
aclp->acl_cnt, aclp->acl_aclp); |
|
1680 |
} |
|
1681 |
||
1682 |
return (error); |
|
1683 |
} |
|
1684 |
||
1685 |
int |
|
1686 |
acl_set(const char *path, acl_t *aclp) |
|
1687 |
{
|
|
1688 |
acl_inp acl_inp; |
|
1689 |
||
1690 |
acl_inp.file = path; |
|
1691 |
||
1692 |
return (cacl_set(&acl_inp, aclp, ACL_PATH)); |
|
1693 |
} |
|
1694 |
||
1695 |
int |
|
1696 |
facl_set(int fd, acl_t *aclp) |
|
1697 |
{
|
|
1698 |
acl_inp acl_inp; |
|
1699 |
||
1700 |
acl_inp.fd = fd; |
|
1701 |
||
1702 |
return (cacl_set(&acl_inp, aclp, ACL_FD)); |
|
1703 |
} |
|
1704 |
||
1705 |
int |
|
1706 |
acl_cnt(acl_t *aclp) |
|
1707 |
{
|
|
1708 |
return (aclp->acl_cnt); |
|
1709 |
} |
|
1710 |
||
1711 |
int |
|
1712 |
acl_type(acl_t *aclp) |
|
1713 |
{
|
|
1714 |
return (aclp->acl_type); |
|
1715 |
} |
|
1716 |
||
1717 |
acl_t * |
|
1718 |
acl_dup(acl_t *aclp) |
|
1719 |
{
|
|
1720 |
acl_t *newaclp; |
|
1721 |
||
1722 |
newaclp = acl_alloc(aclp->acl_type); |
|
1723 |
if (newaclp == NULL) |
|
1724 |
return (NULL); |
|
1725 |
||
1726 |
newaclp->acl_aclp = malloc(aclp->acl_entry_size * aclp->acl_cnt); |
|
1727 |
if (newaclp->acl_aclp == NULL) {
|
|
1728 |
acl_free(newaclp); |
|
1729 |
return (NULL); |
|
1730 |
} |
|
1731 |
||
1732 |
(void) memcpy(newaclp->acl_aclp, |
|
1733 |
aclp->acl_aclp, aclp->acl_entry_size * aclp->acl_cnt); |
|
1734 |
newaclp->acl_cnt = aclp->acl_cnt; |
|
1735 |
||
1736 |
return (newaclp); |
|
1737 |
} |
|
1738 |
||
1739 |
int |
|
1740 |
acl_flags(acl_t *aclp) |
|
1741 |
{
|
|
1742 |
return (aclp->acl_flags); |
|
1743 |
} |
|
1744 |
||
1745 |
void * |
|
1746 |
acl_data(acl_t *aclp) |
|
1747 |
{
|
|
1748 |
return (aclp->acl_aclp); |
|
1749 |
} |
|
1750 |
||
1751 |
/* |
|
|
1953
7d218c488035
6421216 ufsrestore should use acl_set() for setting ACLs
marks
parents:
1666
diff
changeset
|
1752 |
* Take an acl array and build an acl_t. |
|
7d218c488035
6421216 ufsrestore should use acl_set() for setting ACLs
marks
parents:
1666
diff
changeset
|
1753 |
*/ |
|
7d218c488035
6421216 ufsrestore should use acl_set() for setting ACLs
marks
parents:
1666
diff
changeset
|
1754 |
acl_t * |
|
7d218c488035
6421216 ufsrestore should use acl_set() for setting ACLs
marks
parents:
1666
diff
changeset
|
1755 |
acl_to_aclp(enum acl_type type, void *acl, int count) |
|
7d218c488035
6421216 ufsrestore should use acl_set() for setting ACLs
marks
parents:
1666
diff
changeset
|
1756 |
{
|
|
7d218c488035
6421216 ufsrestore should use acl_set() for setting ACLs
marks
parents:
1666
diff
changeset
|
1757 |
acl_t *aclp; |
|
7d218c488035
6421216 ufsrestore should use acl_set() for setting ACLs
marks
parents:
1666
diff
changeset
|
1758 |
|
|
7d218c488035
6421216 ufsrestore should use acl_set() for setting ACLs
marks
parents:
1666
diff
changeset
|
1759 |
|
|
7d218c488035
6421216 ufsrestore should use acl_set() for setting ACLs
marks
parents:
1666
diff
changeset
|
1760 |
aclp = acl_alloc(type); |
|
7d218c488035
6421216 ufsrestore should use acl_set() for setting ACLs
marks
parents:
1666
diff
changeset
|
1761 |
if (aclp == NULL) |
|
7d218c488035
6421216 ufsrestore should use acl_set() for setting ACLs
marks
parents:
1666
diff
changeset
|
1762 |
return (aclp); |
|
7d218c488035
6421216 ufsrestore should use acl_set() for setting ACLs
marks
parents:
1666
diff
changeset
|
1763 |
|
|
7d218c488035
6421216 ufsrestore should use acl_set() for setting ACLs
marks
parents:
1666
diff
changeset
|
1764 |
aclp->acl_aclp = acl; |
|
7d218c488035
6421216 ufsrestore should use acl_set() for setting ACLs
marks
parents:
1666
diff
changeset
|
1765 |
aclp->acl_cnt = count; |
|
7d218c488035
6421216 ufsrestore should use acl_set() for setting ACLs
marks
parents:
1666
diff
changeset
|
1766 |
|
|
7d218c488035
6421216 ufsrestore should use acl_set() for setting ACLs
marks
parents:
1666
diff
changeset
|
1767 |
return (aclp); |
|
7d218c488035
6421216 ufsrestore should use acl_set() for setting ACLs
marks
parents:
1666
diff
changeset
|
1768 |
} |
|
7d218c488035
6421216 ufsrestore should use acl_set() for setting ACLs
marks
parents:
1666
diff
changeset
|
1769 |
|
|
7d218c488035
6421216 ufsrestore should use acl_set() for setting ACLs
marks
parents:
1666
diff
changeset
|
1770 |
/* |
| 789 | 1771 |
* Remove an ACL from a file and create a trivial ACL based |
1772 |
* off of the mode argument. After acl has been set owner/group |
|
1773 |
* are updated to match owner,group arguments |
|
1774 |
*/ |
|
1775 |
int |
|
1776 |
acl_strip(const char *file, uid_t owner, gid_t group, mode_t mode) |
|
1777 |
{
|
|
1778 |
int error = 0; |
|
1779 |
aclent_t min_acl[MIN_ACL_ENTRIES]; |
|
1780 |
ace_t min_ace_acl[6]; /* owner, group, everyone + complement denies */ |
|
1781 |
int acl_flavor; |
|
1782 |
int aclcnt; |
|
1783 |
||
1784 |
acl_flavor = pathconf(file, _PC_ACL_ENABLED); |
|
1785 |
||
1786 |
/* |
|
1787 |
* force it through aclent flavor when file system doesn't |
|
1788 |
* understand question |
|
1789 |
*/ |
|
|
1666
07697c578888
6401243 ZFS ACLs should not break third party filesystems
marks
parents:
1477
diff
changeset
|
1790 |
if (acl_flavor == 0 || acl_flavor == -1) |
| 789 | 1791 |
acl_flavor = _ACL_ACLENT_ENABLED; |
1792 |
||
1793 |
if (acl_flavor & _ACL_ACLENT_ENABLED) {
|
|
1794 |
min_acl[0].a_type = USER_OBJ; |
|
1795 |
min_acl[0].a_id = owner; |
|
1796 |
min_acl[0].a_perm = ((mode & 0700) >> 6); |
|
1797 |
min_acl[1].a_type = GROUP_OBJ; |
|
1798 |
min_acl[1].a_id = group; |
|
1799 |
min_acl[1].a_perm = ((mode & 0070) >> 3); |
|
1800 |
min_acl[2].a_type = CLASS_OBJ; |
|
1801 |
min_acl[2].a_id = (uid_t)-1; |
|
1802 |
min_acl[2].a_perm = ((mode & 0070) >> 3); |
|
1803 |
min_acl[3].a_type = OTHER_OBJ; |
|
1804 |
min_acl[3].a_id = (uid_t)-1; |
|
1805 |
min_acl[3].a_perm = (mode & 0007); |
|
1806 |
aclcnt = 4; |
|
1807 |
error = acl(file, SETACL, aclcnt, min_acl); |
|
1808 |
} else if (acl_flavor & _ACL_ACE_ENABLED) {
|
|
1809 |
(void) memcpy(min_ace_acl, trivial_acl, sizeof (ace_t) * 6); |
|
1810 |
||
1811 |
/* |
|
1812 |
* Make aces match request mode |
|
1813 |
*/ |
|
1814 |
adjust_ace_pair(&min_ace_acl[0], (mode & 0700) >> 6); |
|
1815 |
adjust_ace_pair(&min_ace_acl[2], (mode & 0070) >> 3); |
|
1816 |
adjust_ace_pair(&min_ace_acl[4], mode & 0007); |
|
1817 |
||
1818 |
error = acl(file, ACE_SETACL, 6, min_ace_acl); |
|
1819 |
} else {
|
|
1820 |
errno = EINVAL; |
|
1821 |
error = 1; |
|
1822 |
} |
|
1823 |
||
1824 |
if (error == 0) |
|
1825 |
error = chown(file, owner, group); |
|
1826 |
return (error); |
|
1827 |
} |
|
1828 |
||
1829 |
static int |
|
1830 |
ace_match(void *entry1, void *entry2) |
|
1831 |
{
|
|
1832 |
ace_t *p1 = (ace_t *)entry1; |
|
1833 |
ace_t *p2 = (ace_t *)entry2; |
|
1834 |
ace_t ace1, ace2; |
|
1835 |
||
1836 |
ace1 = *p1; |
|
1837 |
ace2 = *p2; |
|
1838 |
||
1839 |
/* |
|
1840 |
* Need to fixup who field for abstrations for |
|
1841 |
* accurate comparison, since field is undefined. |
|
1842 |
*/ |
|
1843 |
if (ace1.a_flags & (ACE_OWNER|ACE_GROUP|ACE_EVERYONE)) |
|
1844 |
ace1.a_who = -1; |
|
1845 |
if (ace2.a_flags & (ACE_OWNER|ACE_GROUP|ACE_EVERYONE)) |
|
1846 |
ace2.a_who = -1; |
|
1847 |
return (memcmp(&ace1, &ace2, sizeof (ace_t))); |
|
1848 |
} |
|
1849 |
||
1850 |
static int |
|
1851 |
aclent_match(void *entry1, void *entry2) |
|
1852 |
{
|
|
1853 |
aclent_t *aclent1 = (aclent_t *)entry1; |
|
1854 |
aclent_t *aclent2 = (aclent_t *)entry2; |
|
1855 |
||
1856 |
return (memcmp(aclent1, aclent2, sizeof (aclent_t))); |
|
1857 |
} |
|
1858 |
||
1859 |
/* |
|
1860 |
* Find acl entries in acl that correspond to removeacl. Search |
|
1861 |
* is started from slot. The flag argument indicates whether to |
|
1862 |
* remove all matches or just the first match. |
|
1863 |
*/ |
|
1864 |
int |
|
1865 |
acl_removeentries(acl_t *acl, acl_t *removeacl, int start_slot, int flag) |
|
1866 |
{
|
|
1867 |
int i, j; |
|
1868 |
int match; |
|
1869 |
int (*acl_match)(void *acl1, void *acl2); |
|
1870 |
void *acl_entry, *remove_entry; |
|
1871 |
void *start; |
|
1872 |
int found = 0; |
|
1873 |
||
1874 |
if (flag != ACL_REMOVE_ALL && flag != ACL_REMOVE_FIRST) |
|
1875 |
flag = ACL_REMOVE_FIRST; |
|
1876 |
||
1877 |
if (acl == NULL || removeacl == NULL) |
|
1878 |
return (EACL_NO_ACL_ENTRY); |
|
1879 |
||
1880 |
if (acl->acl_type != removeacl->acl_type) |
|
1881 |
return (EACL_DIFF_TYPE); |
|
1882 |
||
1883 |
if (acl->acl_type == ACLENT_T) |
|
1884 |
acl_match = aclent_match; |
|
1885 |
else |
|
1886 |
acl_match = ace_match; |
|
1887 |
||
1888 |
for (i = 0, remove_entry = removeacl->acl_aclp; |
|
1889 |
i != removeacl->acl_cnt; i++) {
|
|
1890 |
||
1891 |
j = 0; |
|
1892 |
acl_entry = (char *)acl->acl_aclp + |
|
1893 |
(acl->acl_entry_size * start_slot); |
|
1894 |
for (;;) {
|
|
1895 |
match = acl_match(acl_entry, remove_entry); |
|
1896 |
if (match == 0) {
|
|
1897 |
found++; |
|
1898 |
start = (char *)acl_entry + |
|
1899 |
acl->acl_entry_size; |
|
1900 |
(void) memmove(acl_entry, start, |
|
1901 |
acl->acl_entry_size * |
|
1902 |
acl->acl_cnt-- - (j + 1)); |
|
1903 |
||
1904 |
if (flag == ACL_REMOVE_FIRST) |
|
1905 |
break; |
|
1906 |
/* |
|
1907 |
* List has changed, restart search from |
|
1908 |
* beginning. |
|
1909 |
*/ |
|
1910 |
acl_entry = acl->acl_aclp; |
|
1911 |
j = 0; |
|
1912 |
continue; |
|
1913 |
} |
|
1914 |
acl_entry = ((char *)acl_entry + acl->acl_entry_size); |
|
1915 |
if (++j >= acl->acl_cnt) {
|
|
1916 |
break; |
|
1917 |
} |
|
1918 |
} |
|
1919 |
} |
|
1920 |
||
1921 |
return ((found == 0) ? EACL_NO_ACL_ENTRY : 0); |
|
1922 |
} |
|
1923 |
||
1924 |
/* |
|
1925 |
* Replace entires entries in acl1 with the corresponding entries |
|
1926 |
* in newentries. The where argument specifies where to begin |
|
1927 |
* the replacement. If the where argument is 1 greater than the |
|
1928 |
* number of acl entries in acl1 then they are appended. If the |
|
1929 |
* where argument is 2+ greater than the number of acl entries then |
|
1930 |
* EACL_INVALID_SLOT is returned. |
|
1931 |
*/ |
|
1932 |
int |
|
1933 |
acl_modifyentries(acl_t *acl1, acl_t *newentries, int where) |
|
1934 |
{
|
|
1935 |
||
1936 |
int slot; |
|
1937 |
int slots_needed; |
|
1938 |
int slots_left; |
|
1939 |
int newsize; |
|
1940 |
||
1941 |
if (acl1 == NULL || newentries == NULL) |
|
1942 |
return (EACL_NO_ACL_ENTRY); |
|
1943 |
||
1944 |
if (where < 0 || where >= acl1->acl_cnt) |
|
1945 |
return (EACL_INVALID_SLOT); |
|
1946 |
||
1947 |
if (acl1->acl_type != newentries->acl_type) |
|
1948 |
return (EACL_DIFF_TYPE); |
|
1949 |
||
1950 |
slot = where; |
|
1951 |
||
1952 |
slots_left = acl1->acl_cnt - slot + 1; |
|
1953 |
if (slots_left < newentries->acl_cnt) {
|
|
1954 |
slots_needed = newentries->acl_cnt - slots_left; |
|
1955 |
newsize = (acl1->acl_entry_size * acl1->acl_cnt) + |
|
1956 |
(acl1->acl_entry_size * slots_needed); |
|
1957 |
acl1->acl_aclp = realloc(acl1->acl_aclp, newsize); |
|
1958 |
if (acl1->acl_aclp == NULL) |
|
1959 |
return (-1); |
|
1960 |
} |
|
1961 |
(void) memcpy((char *)acl1->acl_aclp + (acl1->acl_entry_size * slot), |
|
1962 |
newentries->acl_aclp, |
|
1963 |
newentries->acl_entry_size * newentries->acl_cnt); |
|
1964 |
||
1965 |
/* |
|
1966 |
* Did ACL grow? |
|
1967 |
*/ |
|
1968 |
||
1969 |
if ((slot + newentries->acl_cnt) > acl1->acl_cnt) {
|
|
1970 |
acl1->acl_cnt = slot + newentries->acl_cnt; |
|
1971 |
} |
|
1972 |
||
1973 |
return (0); |
|
1974 |
} |
|
1975 |
||
1976 |
/* |
|
1977 |
* Add acl2 entries into acl1. The where argument specifies where |
|
1978 |
* to add the entries. |
|
1979 |
*/ |
|
1980 |
int |
|
1981 |
acl_addentries(acl_t *acl1, acl_t *acl2, int where) |
|
1982 |
{
|
|
1983 |
||
1984 |
int newsize; |
|
1985 |
int len; |
|
1986 |
void *start; |
|
1987 |
void *to; |
|
1988 |
||
1989 |
if (acl1 == NULL || acl2 == NULL) |
|
1990 |
return (EACL_NO_ACL_ENTRY); |
|
1991 |
||
1992 |
if (acl1->acl_type != acl2->acl_type) |
|
1993 |
return (EACL_DIFF_TYPE); |
|
1994 |
||
1995 |
/* |
|
1996 |
* allow where to specify 1 past last slot for an append operation |
|
1997 |
* but anything greater is an error. |
|
1998 |
*/ |
|
1999 |
if (where < 0 || where > acl1->acl_cnt) |
|
2000 |
return (EACL_INVALID_SLOT); |
|
2001 |
||
2002 |
newsize = (acl2->acl_entry_size * acl2->acl_cnt) + |
|
2003 |
(acl1->acl_entry_size * acl1->acl_cnt); |
|
2004 |
acl1->acl_aclp = realloc(acl1->acl_aclp, newsize); |
|
2005 |
if (acl1->acl_aclp == NULL) |
|
2006 |
return (-1); |
|
2007 |
||
2008 |
/* |
|
2009 |
* first push down entries where new ones will be inserted |
|
2010 |
*/ |
|
2011 |
||
2012 |
to = (void *)((char *)acl1->acl_aclp + |
|
2013 |
((where + acl2->acl_cnt) * acl1->acl_entry_size)); |
|
2014 |
||
2015 |
start = (void *)((char *)acl1->acl_aclp + |
|
2016 |
where * acl1->acl_entry_size); |
|
2017 |
||
2018 |
if (where < acl1->acl_cnt) {
|
|
2019 |
len = (acl1->acl_cnt - where) * acl1->acl_entry_size; |
|
2020 |
(void) memmove(to, start, len); |
|
2021 |
} |
|
2022 |
||
2023 |
/* |
|
2024 |
* now stick in new entries. |
|
2025 |
*/ |
|
2026 |
||
2027 |
(void) memmove(start, acl2->acl_aclp, |
|
2028 |
acl2->acl_cnt * acl2->acl_entry_size); |
|
2029 |
||
2030 |
acl1->acl_cnt += acl2->acl_cnt; |
|
2031 |
return (0); |
|
2032 |
} |
|
2033 |
||
2034 |
/* |
|
2035 |
* return text for an ACL error. |
|
2036 |
*/ |
|
2037 |
char * |
|
2038 |
acl_strerror(int errnum) |
|
2039 |
{
|
|
2040 |
switch (errnum) {
|
|
2041 |
case EACL_GRP_ERROR: |
|
2042 |
return (dgettext(TEXT_DOMAIN, |
|
| 1420 | 2043 |
"There is more than one group or default group entry")); |
| 789 | 2044 |
case EACL_USER_ERROR: |
2045 |
return (dgettext(TEXT_DOMAIN, |
|
| 1420 | 2046 |
"There is more than one user or default user entry")); |
| 789 | 2047 |
case EACL_OTHER_ERROR: |
2048 |
return (dgettext(TEXT_DOMAIN, |
|
2049 |
"There is more than one other entry")); |
|
2050 |
case EACL_CLASS_ERROR: |
|
2051 |
return (dgettext(TEXT_DOMAIN, |
|
2052 |
"There is more than one mask entry")); |
|
2053 |
case EACL_DUPLICATE_ERROR: |
|
2054 |
return (dgettext(TEXT_DOMAIN, |
|
2055 |
"Duplicate user or group entries")); |
|
2056 |
case EACL_MISS_ERROR: |
|
2057 |
return (dgettext(TEXT_DOMAIN, |
|
2058 |
"Missing user/group owner, other, mask entry")); |
|
2059 |
case EACL_MEM_ERROR: |
|
2060 |
return (dgettext(TEXT_DOMAIN, |
|
2061 |
"Memory error")); |
|
2062 |
case EACL_ENTRY_ERROR: |
|
2063 |
return (dgettext(TEXT_DOMAIN, |
|
2064 |
"Unrecognized entry type")); |
|
2065 |
case EACL_INHERIT_ERROR: |
|
2066 |
return (dgettext(TEXT_DOMAIN, |
|
2067 |
"Invalid inheritance flags")); |
|
2068 |
case EACL_FLAGS_ERROR: |
|
2069 |
return (dgettext(TEXT_DOMAIN, |
|
2070 |
"Unrecognized entry flags")); |
|
2071 |
case EACL_PERM_MASK_ERROR: |
|
2072 |
return (dgettext(TEXT_DOMAIN, |
|
2073 |
"Invalid ACL permissions")); |
|
2074 |
case EACL_COUNT_ERROR: |
|
2075 |
return (dgettext(TEXT_DOMAIN, |
|
2076 |
"Invalid ACL count")); |
|
2077 |
case EACL_INVALID_SLOT: |
|
2078 |
return (dgettext(TEXT_DOMAIN, |
|
2079 |
"Invalid ACL entry number specified")); |
|
2080 |
case EACL_NO_ACL_ENTRY: |
|
2081 |
return (dgettext(TEXT_DOMAIN, |
|
2082 |
"ACL entry doesn't exist")); |
|
2083 |
case EACL_DIFF_TYPE: |
|
2084 |
return (dgettext(TEXT_DOMAIN, |
|
2085 |
"ACL type's are different")); |
|
2086 |
case EACL_INVALID_USER_GROUP: |
|
2087 |
return (dgettext(TEXT_DOMAIN, "Invalid user or group")); |
|
2088 |
case EACL_INVALID_STR: |
|
2089 |
return (dgettext(TEXT_DOMAIN, "ACL string is invalid")); |
|
2090 |
case EACL_FIELD_NOT_BLANK: |
|
2091 |
return (dgettext(TEXT_DOMAIN, "Field expected to be blank")); |
|
2092 |
case EACL_INVALID_ACCESS_TYPE: |
|
2093 |
return (dgettext(TEXT_DOMAIN, "Invalid access type")); |
|
2094 |
case EACL_UNKNOWN_DATA: |
|
2095 |
return (dgettext(TEXT_DOMAIN, "Unrecognized entry")); |
|
2096 |
case EACL_MISSING_FIELDS: |
|
2097 |
return (dgettext(TEXT_DOMAIN, |
|
2098 |
"ACL specification missing required fields")); |
|
2099 |
case EACL_INHERIT_NOTDIR: |
|
2100 |
return (dgettext(TEXT_DOMAIN, |
|
2101 |
"Inheritance flags are only allowed on directories")); |
|
2102 |
case -1: |
|
2103 |
return (strerror(errno)); |
|
2104 |
default: |
|
2105 |
errno = EINVAL; |
|
2106 |
return (dgettext(TEXT_DOMAIN, "Unknown error")); |
|
2107 |
} |
|
2108 |
} |
|
| 1420 | 2109 |
|
2110 |
extern int yyinteractive; |
|
2111 |
||
2112 |
/* PRINTFLIKE1 */ |
|
2113 |
void |
|
2114 |
acl_error(const char *fmt, ...) |
|
2115 |
{
|
|
2116 |
va_list va; |
|
2117 |
||
2118 |
if (yyinteractive == 0) |
|
2119 |
return; |
|
2120 |
||
2121 |
va_start(va, fmt); |
|
2122 |
(void) vfprintf(stderr, fmt, va); |
|
2123 |
va_end(va); |
|
2124 |
} |