1 /*- 2 * Copyright (c) 2017 Martin Matuska 3 * All rights reserved. 4 * 5 * Redistribution and use in source and binary forms, with or without 6 * modification, are permitted provided that the following conditions 7 * are met: 8 * 1. Redistributions of source code must retain the above copyright 9 * notice, this list of conditions and the following disclaimer. 10 * 2. Redistributions in binary form must reproduce the above copyright 11 * notice, this list of conditions and the following disclaimer in the 12 * documentation and/or other materials provided with the distribution. 13 * 14 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR(S) ``AS IS'' AND ANY EXPRESS OR 15 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 16 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 17 * IN NO EVENT SHALL THE AUTHOR(S) BE LIABLE FOR ANY DIRECT, INDIRECT, 18 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 19 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 20 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 21 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 22 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 23 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 24 */ 25 #include "test.h" 26 __FBSDID("$FreeBSD$"); 27 28 #if HAVE_POSIX_ACL || HAVE_DARWIN_ACL 29 static const acl_perm_t acl_perms[] = { 30 #if HAVE_DARWIN_ACL 31 ACL_READ_DATA, 32 ACL_LIST_DIRECTORY, 33 ACL_WRITE_DATA, 34 ACL_ADD_FILE, 35 ACL_EXECUTE, 36 ACL_SEARCH, 37 ACL_DELETE, 38 ACL_APPEND_DATA, 39 ACL_ADD_SUBDIRECTORY, 40 ACL_DELETE_CHILD, 41 ACL_READ_ATTRIBUTES, 42 ACL_WRITE_ATTRIBUTES, 43 ACL_READ_EXTATTRIBUTES, 44 ACL_WRITE_EXTATTRIBUTES, 45 ACL_READ_SECURITY, 46 ACL_WRITE_SECURITY, 47 ACL_CHANGE_OWNER, 48 ACL_SYNCHRONIZE 49 #else /* !HAVE_DARWIN_ACL */ 50 ACL_EXECUTE, 51 ACL_WRITE, 52 ACL_READ, 53 #if HAVE_FREEBSD_NFS4_ACL 54 ACL_READ_DATA, 55 ACL_LIST_DIRECTORY, 56 ACL_WRITE_DATA, 57 ACL_ADD_FILE, 58 ACL_APPEND_DATA, 59 ACL_ADD_SUBDIRECTORY, 60 ACL_READ_NAMED_ATTRS, 61 ACL_WRITE_NAMED_ATTRS, 62 ACL_DELETE_CHILD, 63 ACL_READ_ATTRIBUTES, 64 ACL_WRITE_ATTRIBUTES, 65 ACL_DELETE, 66 ACL_READ_ACL, 67 ACL_WRITE_ACL, 68 ACL_WRITE_OWNER, 69 ACL_SYNCHRONIZE 70 #endif /* HAVE_FREEBSD_NFS4_ACL */ 71 #endif /* !HAVE_DARWIN_ACL */ 72 }; 73 #if HAVE_DARWIN_ACL || HAVE_FREEBSD_NFS4_ACL 74 static const acl_flag_t acl_flags[] = { 75 #if HAVE_DARWIN_ACL 76 ACL_ENTRY_INHERITED, 77 ACL_ENTRY_FILE_INHERIT, 78 ACL_ENTRY_DIRECTORY_INHERIT, 79 ACL_ENTRY_LIMIT_INHERIT, 80 ACL_ENTRY_ONLY_INHERIT 81 #else /* HAVE_FREEBSD_NFS4_ACL */ 82 ACL_ENTRY_FILE_INHERIT, 83 ACL_ENTRY_DIRECTORY_INHERIT, 84 ACL_ENTRY_NO_PROPAGATE_INHERIT, 85 ACL_ENTRY_INHERIT_ONLY, 86 ACL_ENTRY_SUCCESSFUL_ACCESS, 87 ACL_ENTRY_FAILED_ACCESS, 88 ACL_ENTRY_INHERITED 89 #endif /* HAVE_FREEBSD_NFS4_ACL */ 90 }; 91 #endif /* HAVE_DARWIN_ACL || HAVE_FREEBSD_NFS4_ACL */ 92 93 /* 94 * Compare two ACL entries on FreeBSD or on Mac OS X 95 */ 96 static int 97 compare_acl_entry(acl_entry_t ae_a, acl_entry_t ae_b, int is_nfs4) 98 { 99 acl_tag_t tag_a, tag_b; 100 acl_permset_t permset_a, permset_b; 101 int perm_a, perm_b, perm_start, perm_end; 102 void *qual_a, *qual_b; 103 #if HAVE_FREEBSD_NFS4_ACL 104 acl_entry_type_t type_a, type_b; 105 #endif 106 #if HAVE_FREEBSD_NFS4_ACL || HAVE_DARWIN_ACL 107 acl_flagset_t flagset_a, flagset_b; 108 int flag_a, flag_b; 109 #endif 110 int i, r; 111 112 113 /* Compare ACL tag */ 114 r = acl_get_tag_type(ae_a, &tag_a); 115 failure("acl_get_tag_type() error: %s", strerror(errno)); 116 if (assertEqualInt(r, 0) == 0) 117 return (-1); 118 r = acl_get_tag_type(ae_b, &tag_b); 119 failure("acl_get_tag_type() error: %s", strerror(errno)); 120 if (assertEqualInt(r, 0) == 0) 121 return (-1); 122 if (tag_a != tag_b) 123 return (0); 124 125 /* Compare ACL qualifier */ 126 #if HAVE_DARWIN_ACL 127 if (tag_a == ACL_EXTENDED_ALLOW || tag_b == ACL_EXTENDED_DENY) 128 #else 129 if (tag_a == ACL_USER || tag_a == ACL_GROUP) 130 #endif 131 { 132 qual_a = acl_get_qualifier(ae_a); 133 failure("acl_get_qualifier() error: %s", strerror(errno)); 134 if (assert(qual_a != NULL) == 0) 135 return (-1); 136 qual_b = acl_get_qualifier(ae_b); 137 failure("acl_get_qualifier() error: %s", strerror(errno)); 138 if (assert(qual_b != NULL) == 0) { 139 acl_free(qual_a); 140 return (-1); 141 } 142 #if HAVE_DARWIN_ACL 143 if (memcmp(((guid_t *)qual_a)->g_guid, 144 ((guid_t *)qual_b)->g_guid, KAUTH_GUID_SIZE) != 0) 145 #else 146 if ((tag_a == ACL_USER && 147 (*(uid_t *)qual_a != *(uid_t *)qual_b)) || 148 (tag_a == ACL_GROUP && 149 (*(gid_t *)qual_a != *(gid_t *)qual_b))) 150 #endif 151 { 152 acl_free(qual_a); 153 acl_free(qual_b); 154 return (0); 155 } 156 acl_free(qual_a); 157 acl_free(qual_b); 158 } 159 160 #if HAVE_FREEBSD_NFS4_ACL 161 if (is_nfs4) { 162 /* Compare NFS4 ACL type */ 163 r = acl_get_entry_type_np(ae_a, &type_a); 164 failure("acl_get_entry_type_np() error: %s", strerror(errno)); 165 if (assertEqualInt(r, 0) == 0) 166 return (-1); 167 r = acl_get_entry_type_np(ae_b, &type_b); 168 failure("acl_get_entry_type_np() error: %s", strerror(errno)); 169 if (assertEqualInt(r, 0) == 0) 170 return (-1); 171 if (type_a != type_b) 172 return (0); 173 } 174 #endif 175 176 /* Compare ACL perms */ 177 r = acl_get_permset(ae_a, &permset_a); 178 failure("acl_get_permset() error: %s", strerror(errno)); 179 if (assertEqualInt(r, 0) == 0) 180 return (-1); 181 r = acl_get_permset(ae_b, &permset_b); 182 failure("acl_get_permset() error: %s", strerror(errno)); 183 if (assertEqualInt(r, 0) == 0) 184 return (-1); 185 186 perm_start = 0; 187 perm_end = (int)(sizeof(acl_perms) / sizeof(acl_perms[0])); 188 #if HAVE_FREEBSD_NFS4_ACL 189 if (is_nfs4) 190 perm_start = 3; 191 else 192 perm_end = 3; 193 #endif 194 /* Cycle through all perms and compare their value */ 195 for (i = perm_start; i < perm_end; i++) { 196 #if HAVE_LIBACL 197 perm_a = acl_get_perm(permset_a, acl_perms[i]); 198 perm_b = acl_get_perm(permset_b, acl_perms[i]); 199 #else 200 perm_a = acl_get_perm_np(permset_a, acl_perms[i]); 201 perm_b = acl_get_perm_np(permset_b, acl_perms[i]); 202 #endif 203 if (perm_a == -1 || perm_b == -1) 204 return (-1); 205 if (perm_a != perm_b) 206 return (0); 207 } 208 209 #if HAVE_FREEBSD_NFS4_ACL || HAVE_DARWIN_ACL 210 if (is_nfs4) { 211 r = acl_get_flagset_np(ae_a, &flagset_a); 212 failure("acl_get_flagset_np() error: %s", strerror(errno)); 213 if (assertEqualInt(r, 0) == 0) 214 return (-1); 215 r = acl_get_flagset_np(ae_b, &flagset_b); 216 failure("acl_get_flagset_np() error: %s", strerror(errno)); 217 if (assertEqualInt(r, 0) == 0) 218 return (-1); 219 /* Cycle through all flags and compare their status */ 220 for (i = 0; i < (int)(sizeof(acl_flags) / sizeof(acl_flags[0])); 221 i++) { 222 flag_a = acl_get_flag_np(flagset_a, acl_flags[i]); 223 flag_b = acl_get_flag_np(flagset_b, acl_flags[i]); 224 if (flag_a == -1 || flag_b == -1) 225 return (-1); 226 if (flag_a != flag_b) 227 return (0); 228 } 229 } 230 #else /* HAVE_FREEBSD_NFS4_ACL || HAVE_DARWIN_ACL*/ 231 (void)is_nfs4; /* UNUSED */ 232 #endif 233 return (1); 234 } 235 #endif /* HAVE_POSIX_ACL || HAVE_DARWIN_ACL */ 236 237 #if HAVE_SUN_ACL || HAVE_DARWIN_ACL || HAVE_POSIX_ACL 238 /* 239 * Clear default ACLs or inheritance flags 240 */ 241 static void 242 clear_inheritance_flags(const char *path, int type) 243 { 244 switch (type) { 245 case ARCHIVE_TEST_ACL_TYPE_POSIX1E: 246 #if HAVE_POSIX_ACL 247 acl_delete_def_file(path); 248 #else 249 /* Solaris */ 250 setTestAcl(path); 251 #endif 252 break; 253 case ARCHIVE_TEST_ACL_TYPE_NFS4: 254 #if HAVE_NFS4_ACL 255 setTestAcl(path); 256 #endif 257 break; 258 default: 259 (void)path; /* UNUSED */ 260 break; 261 } 262 } 263 264 static int 265 compare_acls(const char *path_a, const char *path_b) 266 { 267 int ret = 1; 268 int is_nfs4 = 0; 269 #if HAVE_SUN_ACL 270 void *acl_a, *acl_b; 271 int aclcnt_a, aclcnt_b; 272 aclent_t *aclent_a, *aclent_b; 273 ace_t *ace_a, *ace_b; 274 int e; 275 #else 276 acl_t acl_a, acl_b; 277 acl_entry_t aclent_a, aclent_b; 278 int a, b, r; 279 #endif 280 281 acl_a = NULL; 282 acl_b = NULL; 283 #if HAVE_SUN_ACL 284 acl_a = sunacl_get(GETACL, &aclcnt_a, 0, path_a); 285 if (acl_a == NULL) { 286 #if HAVE_SUN_NFS4_ACL 287 is_nfs4 = 1; 288 acl_a = sunacl_get(ACE_GETACL, &aclcnt_a, 0, path_a); 289 #endif 290 failure("acl_get() error: %s", strerror(errno)); 291 if (assert(acl_a != NULL) == 0) 292 return (-1); 293 #if HAVE_SUN_NFS4_ACL 294 acl_b = sunacl_get(ACE_GETACL, &aclcnt_b, 0, path_b); 295 #endif 296 } else 297 acl_b = sunacl_get(GETACL, &aclcnt_b, 0, path_b); 298 if (acl_b == NULL && (errno == ENOSYS || errno == ENOTSUP)) { 299 free(acl_a); 300 return (0); 301 } 302 failure("acl_get() error: %s", strerror(errno)); 303 if (assert(acl_b != NULL) == 0) { 304 free(acl_a); 305 return (-1); 306 } 307 308 if (aclcnt_a != aclcnt_b) { 309 ret = 0; 310 goto exit_free; 311 } 312 313 for (e = 0; e < aclcnt_a; e++) { 314 if (!is_nfs4) { 315 aclent_a = &((aclent_t *)acl_a)[e]; 316 aclent_b = &((aclent_t *)acl_b)[e]; 317 if (aclent_a->a_type != aclent_b->a_type || 318 aclent_a->a_id != aclent_b->a_id || 319 aclent_a->a_perm != aclent_b->a_perm) { 320 ret = 0; 321 goto exit_free; 322 } 323 } 324 #if HAVE_SUN_NFS4_ACL 325 else { 326 ace_a = &((ace_t *)acl_a)[e]; 327 ace_b = &((ace_t *)acl_b)[e]; 328 if (ace_a->a_who != ace_b->a_who || 329 ace_a->a_access_mask != ace_b->a_access_mask || 330 ace_a->a_flags != ace_b->a_flags || 331 ace_a->a_type != ace_b->a_type) { 332 ret = 0; 333 goto exit_free; 334 } 335 } 336 #endif 337 } 338 #else /* !HAVE_SUN_ACL */ 339 #if HAVE_DARWIN_ACL 340 is_nfs4 = 1; 341 acl_a = acl_get_file(path_a, ACL_TYPE_EXTENDED); 342 #elif HAVE_FREEBSD_NFS4_ACL 343 acl_a = acl_get_file(path_a, ACL_TYPE_NFS4); 344 if (acl_a != NULL) 345 is_nfs4 = 1; 346 #endif 347 #if !HAVE_DARWIN_ACL 348 if (acl_a == NULL) 349 acl_a = acl_get_file(path_a, ACL_TYPE_ACCESS); 350 #endif 351 failure("acl_get_file() error: %s (%s)", path_a, strerror(errno)); 352 if (assert(acl_a != NULL) == 0) 353 return (-1); 354 #if HAVE_DARWIN_ACL 355 acl_b = acl_get_file(path_b, ACL_TYPE_EXTENDED); 356 #elif HAVE_FREEBSD_NFS4_ACL 357 acl_b = acl_get_file(path_b, ACL_TYPE_NFS4); 358 #endif 359 #if !HAVE_DARWIN_ACL 360 if (acl_b == NULL) { 361 #if HAVE_FREEBSD_NFS4_ACL 362 if (is_nfs4) { 363 acl_free(acl_a); 364 return (0); 365 } 366 #endif 367 acl_b = acl_get_file(path_b, ACL_TYPE_ACCESS); 368 } 369 failure("acl_get_file() error: %s (%s)", path_b, strerror(errno)); 370 if (assert(acl_b != NULL) == 0) { 371 acl_free(acl_a); 372 return (-1); 373 } 374 #endif 375 a = acl_get_entry(acl_a, ACL_FIRST_ENTRY, &aclent_a); 376 if (a == -1) { 377 ret = 0; 378 goto exit_free; 379 } 380 b = acl_get_entry(acl_b, ACL_FIRST_ENTRY, &aclent_b); 381 if (b == -1) { 382 ret = 0; 383 goto exit_free; 384 } 385 #if HAVE_DARWIN_ACL 386 while (a == 0 && b == 0) 387 #else /* FreeBSD, Linux */ 388 while (a == 1 && b == 1) 389 #endif 390 { 391 r = compare_acl_entry(aclent_a, aclent_b, is_nfs4); 392 if (r != 1) { 393 ret = r; 394 goto exit_free; 395 } 396 a = acl_get_entry(acl_a, ACL_NEXT_ENTRY, &aclent_a); 397 b = acl_get_entry(acl_b, ACL_NEXT_ENTRY, &aclent_b); 398 } 399 /* Entry count must match */ 400 if (a != b) 401 ret = 0; 402 #endif /* !HAVE_SUN_ACL */ 403 exit_free: 404 #if HAVE_SUN_ACL 405 free(acl_a); 406 free(acl_b); 407 #else 408 acl_free(acl_a); 409 acl_free(acl_b); 410 #endif 411 return (ret); 412 } 413 #endif /* HAVE_SUN_ACL || HAVE_DARWIN_ACL || HAVE_POSIX_ACL */ 414 415 DEFINE_TEST(test_option_acls) 416 { 417 #if !HAVE_SUN_ACL && !HAVE_DARWIN_ACL && !HAVE_POSIX_ACL 418 skipping("ACLs are not supported on this platform"); 419 #else /* HAVE_SUN_ACL || HAVE_DARWIN_ACL || HAVE_POSIX_ACL */ 420 int acltype, r; 421 422 assertMakeFile("f", 0644, "a"); 423 acltype = setTestAcl("f"); 424 if (acltype == 0) { 425 skipping("Can't write ACLs on the filesystem"); 426 return; 427 } 428 429 /* Archive it with acls */ 430 r = systemf("%s -c --no-mac-metadata --acls -f acls.tar f >acls.out 2>acls.err", testprog); 431 assertEqualInt(r, 0); 432 433 /* Archive it without acls */ 434 r = systemf("%s -c --no-mac-metadata --no-acls -f noacls.tar f >noacls.out 2>noacls.err", testprog); 435 assertEqualInt(r, 0); 436 437 /* Extract acls with acls */ 438 assertMakeDir("acls_acls", 0755); 439 clear_inheritance_flags("acls_acls", acltype); 440 r = systemf("%s -x -C acls_acls --no-same-permissions --acls -f acls.tar >acls_acls.out 2>acls_acls.err", testprog); 441 assertEqualInt(r, 0); 442 r = compare_acls("f", "acls_acls/f"); 443 assertEqualInt(r, 1); 444 445 /* Extractl acls without acls */ 446 assertMakeDir("acls_noacls", 0755); 447 clear_inheritance_flags("acls_noacls", acltype); 448 r = systemf("%s -x -C acls_noacls -p --no-acls -f acls.tar >acls_noacls.out 2>acls_noacls.err", testprog); 449 assertEqualInt(r, 0); 450 r = compare_acls("f", "acls_noacls/f"); 451 assertEqualInt(r, 0); 452 453 /* Extract noacls with acls flag */ 454 assertMakeDir("noacls_acls", 0755); 455 clear_inheritance_flags("noacls_acls", acltype); 456 r = systemf("%s -x -C noacls_acls --no-same-permissions --acls -f noacls.tar >noacls_acls.out 2>noacls_acls.err", testprog); 457 assertEqualInt(r, 0); 458 r = compare_acls("f", "noacls_acls/f"); 459 assertEqualInt(r, 0); 460 461 /* Extract noacls with noacls */ 462 assertMakeDir("noacls_noacls", 0755); 463 clear_inheritance_flags("noacls_noacls", acltype); 464 r = systemf("%s -x -C noacls_noacls -p --no-acls -f noacls.tar >noacls_noacls.out 2>noacls_noacls.err", testprog); 465 assertEqualInt(r, 0); 466 r = compare_acls("f", "noacls_noacls/f"); 467 assertEqualInt(r, 0); 468 #endif /* HAVE_SUN_ACL || HAVE_DARWIN_ACL || HAVE_POSIX_ACL */ 469 } 470