xref: /illumos-gate/usr/src/common/acl/acl_common.c (revision de122929)
1 /*
2  * CDDL HEADER START
3  *
4  * The contents of this file are subject to the terms of the
5  * Common Development and Distribution License, Version 1.0 only
6  * (the "License").  You may not use this file except in compliance
7  * with the License.
8  *
9  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
10  * or http://www.opensolaris.org/os/licensing.
11  * See the License for the specific language governing permissions
12  * and limitations under the License.
13  *
14  * When distributing Covered Code, include this CDDL HEADER in each
15  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
16  * If applicable, add the following below this CDDL HEADER, with the
17  * fields enclosed by brackets "[]" replaced with your own identifying
18  * information: Portions Copyright [yyyy] [name of copyright owner]
19  *
20  * CDDL HEADER END
21  */
22 /*
23  * Copyright 2005 Sun Microsystems, Inc.  All rights reserved.
24  * Use is subject to license terms.
25  */
26 
27 #pragma ident	"%Z%%M%	%I%	%E% SMI"
28 
29 #include <sys/types.h>
30 #include <sys/acl.h>
31 #include <sys/stat.h>
32 #if defined(_KERNEL)
33 #include <sys/systm.h>
34 #else
35 #include <errno.h>
36 #include <stdlib.h>
37 #include <strings.h>
38 #include <assert.h>
39 #define	ASSERT	assert
40 #endif
41 
42 
43 ace_t trivial_acl[] = {
44 	{-1, 0, ACE_OWNER, ACE_ACCESS_DENIED_ACE_TYPE},
45 	{-1, ACE_WRITE_ACL|ACE_WRITE_OWNER|ACE_WRITE_ATTRIBUTES|
46 	    ACE_WRITE_NAMED_ATTRS, ACE_OWNER, ACE_ACCESS_ALLOWED_ACE_TYPE},
47 	{-1, 0, ACE_GROUP|ACE_IDENTIFIER_GROUP, ACE_ACCESS_DENIED_ACE_TYPE},
48 	{-1, 0, ACE_GROUP|ACE_IDENTIFIER_GROUP, ACE_ACCESS_ALLOWED_ACE_TYPE},
49 	{-1, ACE_WRITE_ACL|ACE_WRITE_OWNER| ACE_WRITE_ATTRIBUTES|
50 	    ACE_WRITE_NAMED_ATTRS, ACE_EVERYONE, ACE_ACCESS_DENIED_ACE_TYPE},
51 	{-1, ACE_READ_ACL|ACE_READ_ATTRIBUTES|ACE_READ_NAMED_ATTRS|
52 	    ACE_SYNCHRONIZE, ACE_EVERYONE, ACE_ACCESS_ALLOWED_ACE_TYPE}
53 };
54 
55 
56 void
57 adjust_ace_pair(ace_t *pair, mode_t mode)
58 {
59 	if (mode & S_IROTH)
60 		pair[1].a_access_mask |= ACE_READ_DATA;
61 	else
62 		pair[0].a_access_mask |= ACE_READ_DATA;
63 	if (mode & S_IWOTH)
64 		pair[1].a_access_mask |=
65 		    ACE_WRITE_DATA|ACE_APPEND_DATA;
66 	else
67 		pair[0].a_access_mask |=
68 		    ACE_WRITE_DATA|ACE_APPEND_DATA;
69 	if (mode & S_IXOTH)
70 		pair[1].a_access_mask |= ACE_EXECUTE;
71 	else
72 		pair[0].a_access_mask |= ACE_EXECUTE;
73 }
74 
75 /*
76  * ace_trivial:
77  * determine whether an ace_t acl is trivial
78  *
79  * Trivialness implys that the acl is composed of only
80  * owner, group, everyone entries.  ACL can't
81  * have read_acl denied, and write_owner/write_acl/write_attributes
82  * can only be owner@ entry.
83  */
84 int
85 ace_trivial(ace_t *acep, int aclcnt)
86 {
87 	int i;
88 	int owner_seen = 0;
89 	int group_seen = 0;
90 	int everyone_seen = 0;
91 
92 	for (i = 0; i != aclcnt; i++) {
93 		switch (acep[i].a_flags & 0xf040) {
94 		case ACE_OWNER:
95 			if (group_seen || everyone_seen)
96 				return (1);
97 			owner_seen++;
98 			break;
99 		case ACE_GROUP|ACE_IDENTIFIER_GROUP:
100 			if (everyone_seen || owner_seen == 0)
101 				return (1);
102 			group_seen++;
103 			break;
104 
105 		case ACE_EVERYONE:
106 			if (owner_seen == 0 || group_seen == 0)
107 				return (1);
108 			everyone_seen++;
109 			break;
110 		default:
111 			return (1);
112 
113 		}
114 
115 		if (acep[i].a_flags & (ACE_FILE_INHERIT_ACE|
116 		    ACE_DIRECTORY_INHERIT_ACE|ACE_NO_PROPAGATE_INHERIT_ACE|
117 		    ACE_INHERIT_ONLY_ACE))
118 			return (1);
119 
120 		/*
121 		 * Special check for some special bits
122 		 *
123 		 * Don't allow anybody to deny reading basic
124 		 * attributes or a files ACL.
125 		 */
126 		if ((acep[i].a_access_mask &
127 		    (ACE_READ_ACL|ACE_READ_ATTRIBUTES)) &&
128 		    (acep[i].a_type == ACE_ACCESS_DENIED_ACE_TYPE))
129 			return (1);
130 
131 		/*
132 		 * Allow on owner@ to allow
133 		 * write_acl/write_owner/write_attributes
134 		 */
135 		if (acep[i].a_type == ACE_ACCESS_ALLOWED_ACE_TYPE &&
136 		    (!(acep[i].a_flags & ACE_OWNER) && (acep[i].a_access_mask &
137 		    (ACE_WRITE_OWNER|ACE_WRITE_ACL|ACE_WRITE_ATTRIBUTES))))
138 			return (1);
139 	}
140 
141 	if ((owner_seen == 0) || (group_seen == 0) || (everyone_seen == 0))
142 	    return (1);
143 
144 	return (0);
145 }
146 
147 
148 /*
149  * Generic shellsort, from K&R (1st ed, p 58.), somewhat modified.
150  * v = Ptr to array/vector of objs
151  * n = # objs in the array
152  * s = size of each obj (must be multiples of a word size)
153  * f = ptr to function to compare two objs
154  *	returns (-1 = less than, 0 = equal, 1 = greater than
155  */
156 void
157 ksort(caddr_t v, int n, int s, int (*f)())
158 {
159 	int g, i, j, ii;
160 	unsigned int *p1, *p2;
161 	unsigned int tmp;
162 
163 	/* No work to do */
164 	if (v == NULL || n <= 1)
165 		return;
166 
167 	/* Sanity check on arguments */
168 	ASSERT(((uintptr_t)v & 0x3) == 0 && (s & 0x3) == 0);
169 	ASSERT(s > 0);
170 	for (g = n / 2; g > 0; g /= 2) {
171 		for (i = g; i < n; i++) {
172 			for (j = i - g; j >= 0 &&
173 				(*f)(v + j * s, v + (j + g) * s) == 1;
174 					j -= g) {
175 				p1 = (void *)(v + j * s);
176 				p2 = (void *)(v + (j + g) * s);
177 				for (ii = 0; ii < s / 4; ii++) {
178 					tmp = *p1;
179 					*p1++ = *p2;
180 					*p2++ = tmp;
181 				}
182 			}
183 		}
184 	}
185 }
186 
187 /*
188  * Compare two acls, all fields.  Returns:
189  * -1 (less than)
190  *  0 (equal)
191  * +1 (greater than)
192  */
193 int
194 cmp2acls(void *a, void *b)
195 {
196 	aclent_t *x = (aclent_t *)a;
197 	aclent_t *y = (aclent_t *)b;
198 
199 	/* Compare types */
200 	if (x->a_type < y->a_type)
201 		return (-1);
202 	if (x->a_type > y->a_type)
203 		return (1);
204 	/* Equal types; compare id's */
205 	if (x->a_id < y->a_id)
206 		return (-1);
207 	if (x->a_id > y->a_id)
208 		return (1);
209 	/* Equal ids; compare perms */
210 	if (x->a_perm < y->a_perm)
211 		return (-1);
212 	if (x->a_perm > y->a_perm)
213 		return (1);
214 	/* Totally equal */
215 	return (0);
216 }
217