acl_common.c revision 168404 
1/*
2 * CDDL HEADER START
3 *
4 * The contents of this file are subject to the terms of the
5 * Common Development and Distribution License, Version 1.0 only
6 * (the "License").  You may not use this file except in compliance
7 * with the License.
8 *
9 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
10 * or http://www.opensolaris.org/os/licensing.
11 * See the License for the specific language governing permissions
12 * and limitations under the License.
13 *
14 * When distributing Covered Code, include this CDDL HEADER in each
15 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
16 * If applicable, add the following below this CDDL HEADER, with the
17 * fields enclosed by brackets "[]" replaced with your own identifying
18 * information: Portions Copyright [yyyy] [name of copyright owner]
19 *
20 * CDDL HEADER END
21 */
22/*
23 * Copyright 2005 Sun Microsystems, Inc.  All rights reserved.
24 * Use is subject to license terms.
25 */
26
27#pragma ident	"%Z%%M%	%I%	%E% SMI"
28
29#include <sys/types.h>
30#include <sys/acl.h>
31#include <sys/stat.h>
32#if defined(_KERNEL)
33#include <sys/systm.h>
34#include <sys/debug.h>
35#else
36#include <errno.h>
37#include <stdlib.h>
38#include <strings.h>
39#include <assert.h>
40#define	ASSERT	assert
41#endif
42
43
44ace_t trivial_acl[] = {
45	{-1, 0, ACE_OWNER, ACE_ACCESS_DENIED_ACE_TYPE},
46	{-1, ACE_WRITE_ACL|ACE_WRITE_OWNER|ACE_WRITE_ATTRIBUTES|
47	    ACE_WRITE_NAMED_ATTRS, ACE_OWNER, ACE_ACCESS_ALLOWED_ACE_TYPE},
48	{-1, 0, ACE_GROUP|ACE_IDENTIFIER_GROUP, ACE_ACCESS_DENIED_ACE_TYPE},
49	{-1, 0, ACE_GROUP|ACE_IDENTIFIER_GROUP, ACE_ACCESS_ALLOWED_ACE_TYPE},
50	{-1, ACE_WRITE_ACL|ACE_WRITE_OWNER| ACE_WRITE_ATTRIBUTES|
51	    ACE_WRITE_NAMED_ATTRS, ACE_EVERYONE, ACE_ACCESS_DENIED_ACE_TYPE},
52	{-1, ACE_READ_ACL|ACE_READ_ATTRIBUTES|ACE_READ_NAMED_ATTRS|
53	    ACE_SYNCHRONIZE, ACE_EVERYONE, ACE_ACCESS_ALLOWED_ACE_TYPE}
54};
55
56
57void
58adjust_ace_pair(ace_t *pair, mode_t mode)
59{
60	if (mode & S_IROTH)
61		pair[1].a_access_mask |= ACE_READ_DATA;
62	else
63		pair[0].a_access_mask |= ACE_READ_DATA;
64	if (mode & S_IWOTH)
65		pair[1].a_access_mask |=
66		    ACE_WRITE_DATA|ACE_APPEND_DATA;
67	else
68		pair[0].a_access_mask |=
69		    ACE_WRITE_DATA|ACE_APPEND_DATA;
70	if (mode & S_IXOTH)
71		pair[1].a_access_mask |= ACE_EXECUTE;
72	else
73		pair[0].a_access_mask |= ACE_EXECUTE;
74}
75
76/*
77 * ace_trivial:
78 * determine whether an ace_t acl is trivial
79 *
80 * Trivialness implys that the acl is composed of only
81 * owner, group, everyone entries.  ACL can't
82 * have read_acl denied, and write_owner/write_acl/write_attributes
83 * can only be owner@ entry.
84 */
85int
86ace_trivial(ace_t *acep, int aclcnt)
87{
88	int i;
89	int owner_seen = 0;
90	int group_seen = 0;
91	int everyone_seen = 0;
92
93	for (i = 0; i != aclcnt; i++) {
94		switch (acep[i].a_flags & 0xf040) {
95		case ACE_OWNER:
96			if (group_seen || everyone_seen)
97				return (1);
98			owner_seen++;
99			break;
100		case ACE_GROUP|ACE_IDENTIFIER_GROUP:
101			if (everyone_seen || owner_seen == 0)
102				return (1);
103			group_seen++;
104			break;
105
106		case ACE_EVERYONE:
107			if (owner_seen == 0 || group_seen == 0)
108				return (1);
109			everyone_seen++;
110			break;
111		default:
112			return (1);
113
114		}
115
116		if (acep[i].a_flags & (ACE_FILE_INHERIT_ACE|
117		    ACE_DIRECTORY_INHERIT_ACE|ACE_NO_PROPAGATE_INHERIT_ACE|
118		    ACE_INHERIT_ONLY_ACE))
119			return (1);
120
121		/*
122		 * Special check for some special bits
123		 *
124		 * Don't allow anybody to deny reading basic
125		 * attributes or a files ACL.
126		 */
127		if ((acep[i].a_access_mask &
128		    (ACE_READ_ACL|ACE_READ_ATTRIBUTES)) &&
129		    (acep[i].a_type == ACE_ACCESS_DENIED_ACE_TYPE))
130			return (1);
131
132		/*
133		 * Allow on owner@ to allow
134		 * write_acl/write_owner/write_attributes
135		 */
136		if (acep[i].a_type == ACE_ACCESS_ALLOWED_ACE_TYPE &&
137		    (!(acep[i].a_flags & ACE_OWNER) && (acep[i].a_access_mask &
138		    (ACE_WRITE_OWNER|ACE_WRITE_ACL|ACE_WRITE_ATTRIBUTES))))
139			return (1);
140	}
141
142	if ((owner_seen == 0) || (group_seen == 0) || (everyone_seen == 0))
143	    return (1);
144
145	return (0);
146}
147
148
149/*
150 * Generic shellsort, from K&R (1st ed, p 58.), somewhat modified.
151 * v = Ptr to array/vector of objs
152 * n = # objs in the array
153 * s = size of each obj (must be multiples of a word size)
154 * f = ptr to function to compare two objs
155 *	returns (-1 = less than, 0 = equal, 1 = greater than
156 */
157void
158ksort(caddr_t v, int n, int s, int (*f)())
159{
160	int g, i, j, ii;
161	unsigned int *p1, *p2;
162	unsigned int tmp;
163
164	/* No work to do */
165	if (v == NULL || n <= 1)
166		return;
167
168	/* Sanity check on arguments */
169	ASSERT(((uintptr_t)v & 0x3) == 0 && (s & 0x3) == 0);
170	ASSERT(s > 0);
171	for (g = n / 2; g > 0; g /= 2) {
172		for (i = g; i < n; i++) {
173			for (j = i - g; j >= 0 &&
174				(*f)(v + j * s, v + (j + g) * s) == 1;
175					j -= g) {
176				p1 = (void *)(v + j * s);
177				p2 = (void *)(v + (j + g) * s);
178				for (ii = 0; ii < s / 4; ii++) {
179					tmp = *p1;
180					*p1++ = *p2;
181					*p2++ = tmp;
182				}
183			}
184		}
185	}
186}
187
188/*
189 * Compare two acls, all fields.  Returns:
190 * -1 (less than)
191 *  0 (equal)
192 * +1 (greater than)
193 */
194int
195cmp2acls(void *a, void *b)
196{
197	aclent_t *x = (aclent_t *)a;
198	aclent_t *y = (aclent_t *)b;
199
200	/* Compare types */
201	if (x->a_type < y->a_type)
202		return (-1);
203	if (x->a_type > y->a_type)
204		return (1);
205	/* Equal types; compare id's */
206	if (x->a_id < y->a_id)
207		return (-1);
208	if (x->a_id > y->a_id)
209		return (1);
210	/* Equal ids; compare perms */
211	if (x->a_perm < y->a_perm)
212		return (-1);
213	if (x->a_perm > y->a_perm)
214		return (1);
215	/* Totally equal */
216	return (0);
217}
218