1 /*- 2 * Copyright (c) 2017 Martin Matuska 3 * All rights reserved. 4 * 5 * Redistribution and use in source and binary forms, with or without 6 * modification, are permitted provided that the following conditions 7 * are met: 8 * 1. Redistributions of source code must retain the above copyright 9 * notice, this list of conditions and the following disclaimer. 10 * 2. Redistributions in binary form must reproduce the above copyright 11 * notice, this list of conditions and the following disclaimer in the 12 * documentation and/or other materials provided with the distribution. 13 * 14 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR(S) ``AS IS'' AND ANY EXPRESS OR 15 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 16 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 17 * IN NO EVENT SHALL THE AUTHOR(S) BE LIABLE FOR ANY DIRECT, INDIRECT, 18 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 19 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 20 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 21 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 22 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 23 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 24 */ 25 #include "test.h" 26 __FBSDID("$FreeBSD$"); 27 28 #if ARCHIVE_ACL_FREEBSD || ARCHIVE_ACL_DARWIN || ARCHIVE_ACL_LIBACL 29 static const acl_perm_t acl_perms[] = { 30 #if ARCHIVE_ACL_DARWIN 31 ACL_READ_DATA, 32 ACL_LIST_DIRECTORY, 33 ACL_WRITE_DATA, 34 ACL_ADD_FILE, 35 ACL_EXECUTE, 36 ACL_SEARCH, 37 ACL_DELETE, 38 ACL_APPEND_DATA, 39 ACL_ADD_SUBDIRECTORY, 40 ACL_DELETE_CHILD, 41 ACL_READ_ATTRIBUTES, 42 ACL_WRITE_ATTRIBUTES, 43 ACL_READ_EXTATTRIBUTES, 44 ACL_WRITE_EXTATTRIBUTES, 45 ACL_READ_SECURITY, 46 ACL_WRITE_SECURITY, 47 ACL_CHANGE_OWNER, 48 ACL_SYNCHRONIZE 49 #else /* !ARCHIVE_ACL_DARWIN */ 50 ACL_EXECUTE, 51 ACL_WRITE, 52 ACL_READ, 53 #if ARCHIVE_ACL_FREEBSD_NFS4 54 ACL_READ_DATA, 55 ACL_LIST_DIRECTORY, 56 ACL_WRITE_DATA, 57 ACL_ADD_FILE, 58 ACL_APPEND_DATA, 59 ACL_ADD_SUBDIRECTORY, 60 ACL_READ_NAMED_ATTRS, 61 ACL_WRITE_NAMED_ATTRS, 62 ACL_DELETE_CHILD, 63 ACL_READ_ATTRIBUTES, 64 ACL_WRITE_ATTRIBUTES, 65 ACL_DELETE, 66 ACL_READ_ACL, 67 ACL_WRITE_ACL, 68 ACL_WRITE_OWNER, 69 ACL_SYNCHRONIZE 70 #endif /* ARCHIVE_ACL_FREEBSD_NFS4 */ 71 #endif /* !ARCHIVE_ACL_DARWIN */ 72 }; 73 #if ARCHIVE_ACL_DARWIN || ARCHIVE_ACL_FREEBSD_NFS4 74 static const acl_flag_t acl_flags[] = { 75 #if ARCHIVE_ACL_DARWIN 76 ACL_ENTRY_INHERITED, 77 ACL_ENTRY_FILE_INHERIT, 78 ACL_ENTRY_DIRECTORY_INHERIT, 79 ACL_ENTRY_LIMIT_INHERIT, 80 ACL_ENTRY_ONLY_INHERIT 81 #else /* ARCHIVE_ACL_FREEBSD_NFS4 */ 82 ACL_ENTRY_FILE_INHERIT, 83 ACL_ENTRY_DIRECTORY_INHERIT, 84 ACL_ENTRY_NO_PROPAGATE_INHERIT, 85 ACL_ENTRY_INHERIT_ONLY, 86 ACL_ENTRY_SUCCESSFUL_ACCESS, 87 ACL_ENTRY_FAILED_ACCESS, 88 #ifdef ACL_ENTRY_INHERITED 89 ACL_ENTRY_INHERITED 90 #endif 91 #endif /* ARCHIVE_ACL_FREEBSD_NFS4 */ 92 }; 93 #endif /* ARCHIVE_ACL_DARWIN || ARCHIVE_ACL_FREEBSD_NFS4 */ 94 95 /* 96 * Compare two ACL entries on FreeBSD or on Mac OS X 97 */ 98 static int 99 compare_acl_entry(acl_entry_t ae_a, acl_entry_t ae_b, int is_nfs4) 100 { 101 acl_tag_t tag_a, tag_b; 102 acl_permset_t permset_a, permset_b; 103 int perm_a, perm_b, perm_start, perm_end; 104 void *qual_a, *qual_b; 105 #if ARCHIVE_ACL_FREEBSD_NFS4 106 acl_entry_type_t type_a, type_b; 107 #endif 108 #if ARCHIVE_ACL_FREEBSD_NFS4 || ARCHIVE_ACL_DARWIN 109 acl_flagset_t flagset_a, flagset_b; 110 int flag_a, flag_b; 111 #endif 112 int i, r; 113 114 115 /* Compare ACL tag */ 116 r = acl_get_tag_type(ae_a, &tag_a); 117 failure("acl_get_tag_type() error: %s", strerror(errno)); 118 if (assertEqualInt(r, 0) == 0) 119 return (-1); 120 r = acl_get_tag_type(ae_b, &tag_b); 121 failure("acl_get_tag_type() error: %s", strerror(errno)); 122 if (assertEqualInt(r, 0) == 0) 123 return (-1); 124 if (tag_a != tag_b) 125 return (0); 126 127 /* Compare ACL qualifier */ 128 #if ARCHIVE_ACL_DARWIN 129 if (tag_a == ACL_EXTENDED_ALLOW || tag_b == ACL_EXTENDED_DENY) 130 #else 131 if (tag_a == ACL_USER || tag_a == ACL_GROUP) 132 #endif 133 { 134 qual_a = acl_get_qualifier(ae_a); 135 failure("acl_get_qualifier() error: %s", strerror(errno)); 136 if (assert(qual_a != NULL) == 0) 137 return (-1); 138 qual_b = acl_get_qualifier(ae_b); 139 failure("acl_get_qualifier() error: %s", strerror(errno)); 140 if (assert(qual_b != NULL) == 0) { 141 acl_free(qual_a); 142 return (-1); 143 } 144 #if ARCHIVE_ACL_DARWIN 145 if (memcmp(((guid_t *)qual_a)->g_guid, 146 ((guid_t *)qual_b)->g_guid, KAUTH_GUID_SIZE) != 0) 147 #else 148 if ((tag_a == ACL_USER && 149 (*(uid_t *)qual_a != *(uid_t *)qual_b)) || 150 (tag_a == ACL_GROUP && 151 (*(gid_t *)qual_a != *(gid_t *)qual_b))) 152 #endif 153 { 154 acl_free(qual_a); 155 acl_free(qual_b); 156 return (0); 157 } 158 acl_free(qual_a); 159 acl_free(qual_b); 160 } 161 162 #if ARCHIVE_ACL_FREEBSD_NFS4 163 if (is_nfs4) { 164 /* Compare NFS4 ACL type */ 165 r = acl_get_entry_type_np(ae_a, &type_a); 166 failure("acl_get_entry_type_np() error: %s", strerror(errno)); 167 if (assertEqualInt(r, 0) == 0) 168 return (-1); 169 r = acl_get_entry_type_np(ae_b, &type_b); 170 failure("acl_get_entry_type_np() error: %s", strerror(errno)); 171 if (assertEqualInt(r, 0) == 0) 172 return (-1); 173 if (type_a != type_b) 174 return (0); 175 } 176 #endif 177 178 /* Compare ACL perms */ 179 r = acl_get_permset(ae_a, &permset_a); 180 failure("acl_get_permset() error: %s", strerror(errno)); 181 if (assertEqualInt(r, 0) == 0) 182 return (-1); 183 r = acl_get_permset(ae_b, &permset_b); 184 failure("acl_get_permset() error: %s", strerror(errno)); 185 if (assertEqualInt(r, 0) == 0) 186 return (-1); 187 188 perm_start = 0; 189 perm_end = (int)(sizeof(acl_perms) / sizeof(acl_perms[0])); 190 #if ARCHIVE_ACL_FREEBSD_NFS4 191 if (is_nfs4) 192 perm_start = 3; 193 else 194 perm_end = 3; 195 #endif 196 /* Cycle through all perms and compare their value */ 197 for (i = perm_start; i < perm_end; i++) { 198 #if ARCHIVE_ACL_LIBACL 199 perm_a = acl_get_perm(permset_a, acl_perms[i]); 200 perm_b = acl_get_perm(permset_b, acl_perms[i]); 201 #else 202 perm_a = acl_get_perm_np(permset_a, acl_perms[i]); 203 perm_b = acl_get_perm_np(permset_b, acl_perms[i]); 204 #endif 205 if (perm_a == -1 || perm_b == -1) 206 return (-1); 207 if (perm_a != perm_b) 208 return (0); 209 } 210 211 #if ARCHIVE_ACL_FREEBSD_NFS4 || ARCHIVE_ACL_DARWIN 212 if (is_nfs4) { 213 r = acl_get_flagset_np(ae_a, &flagset_a); 214 failure("acl_get_flagset_np() error: %s", strerror(errno)); 215 if (assertEqualInt(r, 0) == 0) 216 return (-1); 217 r = acl_get_flagset_np(ae_b, &flagset_b); 218 failure("acl_get_flagset_np() error: %s", strerror(errno)); 219 if (assertEqualInt(r, 0) == 0) 220 return (-1); 221 /* Cycle through all flags and compare their status */ 222 for (i = 0; i < (int)(sizeof(acl_flags) / sizeof(acl_flags[0])); 223 i++) { 224 flag_a = acl_get_flag_np(flagset_a, acl_flags[i]); 225 flag_b = acl_get_flag_np(flagset_b, acl_flags[i]); 226 if (flag_a == -1 || flag_b == -1) 227 return (-1); 228 if (flag_a != flag_b) 229 return (0); 230 } 231 } 232 #else /* ARCHIVE_ACL_FREEBSD_NFS4 || ARCHIVE_ACL_DARWIN */ 233 (void)is_nfs4; /* UNUSED */ 234 #endif 235 return (1); 236 } 237 #endif /* ARCHIVE_ACL_FREEBSD || ARCHIVE_ACL_DARWIN || ARCHIVE_ACL_LIBACL */ 238 239 #if ARCHIVE_ACL_SUPPORT 240 /* 241 * Clear default ACLs or inheritance flags 242 */ 243 static void 244 clear_inheritance_flags(const char *path, int type) 245 { 246 switch (type) { 247 case ARCHIVE_TEST_ACL_TYPE_POSIX1E: 248 #if ARCHIVE_ACL_POSIX1E 249 #if !ARCHIVE_ACL_SUNOS 250 acl_delete_def_file(path); 251 #else 252 /* Solaris */ 253 setTestAcl(path); 254 #endif 255 #endif /* ARCHIVE_ACL_POSIX1E */ 256 break; 257 case ARCHIVE_TEST_ACL_TYPE_NFS4: 258 #if ARCHIVE_ACL_NFS4 259 setTestAcl(path); 260 #endif 261 break; 262 default: 263 (void)path; /* UNUSED */ 264 break; 265 } 266 } 267 268 static int 269 compare_acls(const char *path_a, const char *path_b) 270 { 271 int ret = 1; 272 int is_nfs4 = 0; 273 #if ARCHIVE_ACL_SUNOS 274 void *acl_a, *acl_b; 275 int aclcnt_a, aclcnt_b; 276 aclent_t *aclent_a, *aclent_b; 277 ace_t *ace_a, *ace_b; 278 int e; 279 #elif ARCHIVE_ACL_DARWIN || ARCHIVE_ACL_FREEBSD || ARCHIVE_ACL_LIBACL 280 acl_t acl_a, acl_b; 281 acl_entry_t aclent_a, aclent_b; 282 int a, b, r; 283 #endif 284 #if ARCHIVE_ACL_LIBRICHACL 285 struct richacl *richacl_a, *richacl_b; 286 287 richacl_a = NULL; 288 richacl_b = NULL; 289 #endif 290 291 #if ARCHIVE_ACL_DARWIN || ARCHIVE_ACL_FREEBSD || ARCHIVE_ACL_LIBACL || \ 292 ARCHIVE_ACL_SUNOS 293 acl_a = NULL; 294 acl_b = NULL; 295 #endif 296 #if ARCHIVE_ACL_SUNOS 297 acl_a = sunacl_get(GETACL, &aclcnt_a, 0, path_a); 298 if (acl_a == NULL) { 299 #if ARCHIVE_ACL_SUNOS_NFS4 300 is_nfs4 = 1; 301 acl_a = sunacl_get(ACE_GETACL, &aclcnt_a, 0, path_a); 302 #endif 303 failure("acl_get() error: %s", strerror(errno)); 304 if (assert(acl_a != NULL) == 0) 305 return (-1); 306 #if ARCHIVE_ACL_SUNOS_NFS4 307 acl_b = sunacl_get(ACE_GETACL, &aclcnt_b, 0, path_b); 308 #endif 309 } else 310 acl_b = sunacl_get(GETACL, &aclcnt_b, 0, path_b); 311 if (acl_b == NULL && (errno == ENOSYS || errno == ENOTSUP)) { 312 free(acl_a); 313 return (0); 314 } 315 failure("acl_get() error: %s", strerror(errno)); 316 if (assert(acl_b != NULL) == 0) { 317 free(acl_a); 318 return (-1); 319 } 320 321 if (aclcnt_a != aclcnt_b) { 322 ret = 0; 323 goto exit_free; 324 } 325 326 for (e = 0; e < aclcnt_a; e++) { 327 if (!is_nfs4) { 328 aclent_a = &((aclent_t *)acl_a)[e]; 329 aclent_b = &((aclent_t *)acl_b)[e]; 330 if (aclent_a->a_type != aclent_b->a_type || 331 aclent_a->a_id != aclent_b->a_id || 332 aclent_a->a_perm != aclent_b->a_perm) { 333 ret = 0; 334 goto exit_free; 335 } 336 } 337 #if ARCHIVE_ACL_SUNOS_NFS4 338 else { 339 ace_a = &((ace_t *)acl_a)[e]; 340 ace_b = &((ace_t *)acl_b)[e]; 341 if (ace_a->a_who != ace_b->a_who || 342 ace_a->a_access_mask != ace_b->a_access_mask || 343 ace_a->a_flags != ace_b->a_flags || 344 ace_a->a_type != ace_b->a_type) { 345 ret = 0; 346 goto exit_free; 347 } 348 } 349 #endif 350 } 351 #else /* !ARCHIVE_ACL_SUNOS */ 352 #if ARCHIVE_ACL_LIBRICHACL 353 richacl_a = richacl_get_file(path_a); 354 #if !ARCHIVE_ACL_LIBACL 355 if (richacl_a == NULL && 356 (errno == ENODATA || errno == ENOTSUP || errno == ENOSYS)) 357 return (0); 358 failure("richacl_get_file() error: %s (%s)", path_a, strerror(errno)); 359 if (assert(richacl_a != NULL) == 0) 360 return (-1); 361 #endif 362 if (richacl_a != NULL) { 363 richacl_b = richacl_get_file(path_b); 364 if (richacl_b == NULL && 365 (errno == ENODATA || errno == ENOTSUP || errno == ENOSYS)) { 366 richacl_free(richacl_a); 367 return (0); 368 } 369 failure("richacl_get_file() error: %s (%s)", path_b, 370 strerror(errno)); 371 if (assert(richacl_b != NULL) == 0) { 372 richacl_free(richacl_a); 373 return (-1); 374 } 375 if (richacl_compare(richacl_a, richacl_b) == 0) 376 ret = 0; 377 richacl_free(richacl_a); 378 richacl_free(richacl_b); 379 return (ret); 380 } 381 #endif /* ARCHIVE_ACL_LIBRICHACL */ 382 #if ARCHIVE_ACL_DARWIN || ARCHIVE_ACL_FREEBSD || ARCHIVE_ACL_LIBACL 383 #if ARCHIVE_ACL_DARWIN 384 is_nfs4 = 1; 385 acl_a = acl_get_file(path_a, ACL_TYPE_EXTENDED); 386 #elif ARCHIVE_ACL_FREEBSD_NFS4 387 acl_a = acl_get_file(path_a, ACL_TYPE_NFS4); 388 if (acl_a != NULL) 389 is_nfs4 = 1; 390 #endif 391 if (acl_a == NULL) 392 acl_a = acl_get_file(path_a, ACL_TYPE_ACCESS); 393 failure("acl_get_file() error: %s (%s)", path_a, strerror(errno)); 394 if (assert(acl_a != NULL) == 0) 395 return (-1); 396 #if ARCHIVE_ACL_DARWIN 397 acl_b = acl_get_file(path_b, ACL_TYPE_EXTENDED); 398 #elif ARCHIVE_ACL_FREEBSD_NFS4 399 acl_b = acl_get_file(path_b, ACL_TYPE_NFS4); 400 #endif 401 #if !ARCHIVE_ACL_DARWIN 402 if (acl_b == NULL) { 403 #if ARCHIVE_ACL_FREEBSD_NFS4 404 if (is_nfs4) { 405 acl_free(acl_a); 406 return (0); 407 } 408 #endif 409 acl_b = acl_get_file(path_b, ACL_TYPE_ACCESS); 410 } 411 failure("acl_get_file() error: %s (%s)", path_b, strerror(errno)); 412 if (assert(acl_b != NULL) == 0) { 413 acl_free(acl_a); 414 return (-1); 415 } 416 #endif 417 a = acl_get_entry(acl_a, ACL_FIRST_ENTRY, &aclent_a); 418 if (a == -1) { 419 ret = 0; 420 goto exit_free; 421 } 422 b = acl_get_entry(acl_b, ACL_FIRST_ENTRY, &aclent_b); 423 if (b == -1) { 424 ret = 0; 425 goto exit_free; 426 } 427 #if ARCHIVE_ACL_DARWIN 428 while (a == 0 && b == 0) 429 #else /* FreeBSD, Linux */ 430 while (a == 1 && b == 1) 431 #endif 432 { 433 r = compare_acl_entry(aclent_a, aclent_b, is_nfs4); 434 if (r != 1) { 435 ret = r; 436 goto exit_free; 437 } 438 a = acl_get_entry(acl_a, ACL_NEXT_ENTRY, &aclent_a); 439 b = acl_get_entry(acl_b, ACL_NEXT_ENTRY, &aclent_b); 440 } 441 /* Entry count must match */ 442 if (a != b) 443 ret = 0; 444 #endif /* ARCHIVE_ACL_DARWIN || ARCHIVE_ACL_FREEBSD || ARCHIVE_ACL_LIBACL */ 445 #endif /* !ARCHIVE_ACL_SUNOS */ 446 exit_free: 447 #if ARCHIVE_ACL_SUNOS 448 free(acl_a); 449 free(acl_b); 450 #else 451 acl_free(acl_a); 452 acl_free(acl_b); 453 #endif 454 return (ret); 455 } 456 #endif /* ARCHIVE_ACL_SUPPORT */ 457 458 DEFINE_TEST(test_option_acls) 459 { 460 #if !ARCHIVE_ACL_SUPPORT 461 skipping("ACLs are not supported on this platform"); 462 #else /* ARCHIVE_ACL_SUPPORT */ 463 int acltype, r; 464 465 assertMakeFile("f", 0644, "a"); 466 acltype = setTestAcl("f"); 467 if (acltype == 0) { 468 skipping("Can't write ACLs on the filesystem"); 469 return; 470 } 471 472 /* Archive it with acls */ 473 r = systemf("%s -c --no-mac-metadata --acls -f acls.tar f >acls.out 2>acls.err", testprog); 474 assertEqualInt(r, 0); 475 476 /* Archive it without acls */ 477 r = systemf("%s -c --no-mac-metadata --no-acls -f noacls.tar f >noacls.out 2>noacls.err", testprog); 478 assertEqualInt(r, 0); 479 480 /* Extract acls with acls */ 481 assertMakeDir("acls_acls", 0755); 482 clear_inheritance_flags("acls_acls", acltype); 483 r = systemf("%s -x -C acls_acls --no-same-permissions --acls -f acls.tar >acls_acls.out 2>acls_acls.err", testprog); 484 assertEqualInt(r, 0); 485 r = compare_acls("f", "acls_acls/f"); 486 assertEqualInt(r, 1); 487 488 /* Extract acls without acls */ 489 assertMakeDir("acls_noacls", 0755); 490 clear_inheritance_flags("acls_noacls", acltype); 491 r = systemf("%s -x -C acls_noacls -p --no-acls -f acls.tar >acls_noacls.out 2>acls_noacls.err", testprog); 492 assertEqualInt(r, 0); 493 r = compare_acls("f", "acls_noacls/f"); 494 assertEqualInt(r, 0); 495 496 /* Extract noacls with acls flag */ 497 assertMakeDir("noacls_acls", 0755); 498 clear_inheritance_flags("noacls_acls", acltype); 499 r = systemf("%s -x -C noacls_acls --no-same-permissions --acls -f noacls.tar >noacls_acls.out 2>noacls_acls.err", testprog); 500 assertEqualInt(r, 0); 501 r = compare_acls("f", "noacls_acls/f"); 502 assertEqualInt(r, 0); 503 504 /* Extract noacls with noacls */ 505 assertMakeDir("noacls_noacls", 0755); 506 clear_inheritance_flags("noacls_noacls", acltype); 507 r = systemf("%s -x -C noacls_noacls -p --no-acls -f noacls.tar >noacls_noacls.out 2>noacls_noacls.err", testprog); 508 assertEqualInt(r, 0); 509 r = compare_acls("f", "noacls_noacls/f"); 510 assertEqualInt(r, 0); 511 #endif /* ARCHIVE_ACL_SUPPORT */ 512 } 513