xref: /titanic_44/usr/src/common/acl/acl_common.c (revision fa9e4066f08beec538e775443c5be79dd423fcab) 
1*fa9e4066Sahrens /*
2*fa9e4066Sahrens  * CDDL HEADER START
3*fa9e4066Sahrens  *
4*fa9e4066Sahrens  * The contents of this file are subject to the terms of the
5*fa9e4066Sahrens  * Common Development and Distribution License, Version 1.0 only
6*fa9e4066Sahrens  * (the "License").  You may not use this file except in compliance
7*fa9e4066Sahrens  * with the License.
8*fa9e4066Sahrens  *
9*fa9e4066Sahrens  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
10*fa9e4066Sahrens  * or http://www.opensolaris.org/os/licensing.
11*fa9e4066Sahrens  * See the License for the specific language governing permissions
12*fa9e4066Sahrens  * and limitations under the License.
13*fa9e4066Sahrens  *
14*fa9e4066Sahrens  * When distributing Covered Code, include this CDDL HEADER in each
15*fa9e4066Sahrens  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
16*fa9e4066Sahrens  * If applicable, add the following below this CDDL HEADER, with the
17*fa9e4066Sahrens  * fields enclosed by brackets "[]" replaced with your own identifying
18*fa9e4066Sahrens  * information: Portions Copyright [yyyy] [name of copyright owner]
19*fa9e4066Sahrens  *
20*fa9e4066Sahrens  * CDDL HEADER END
21*fa9e4066Sahrens  */
22*fa9e4066Sahrens /*
23*fa9e4066Sahrens  * Copyright 2005 Sun Microsystems, Inc.  All rights reserved.
24*fa9e4066Sahrens  * Use is subject to license terms.
25*fa9e4066Sahrens  */
26*fa9e4066Sahrens 
27*fa9e4066Sahrens #pragma ident	"%Z%%M%	%I%	%E% SMI"
28*fa9e4066Sahrens 
29*fa9e4066Sahrens #include <sys/types.h>
30*fa9e4066Sahrens #include <sys/acl.h>
31*fa9e4066Sahrens #include <sys/stat.h>
32*fa9e4066Sahrens #if defined(_KERNEL)
33*fa9e4066Sahrens #include <sys/systm.h>
34*fa9e4066Sahrens #else
35*fa9e4066Sahrens #include <errno.h>
36*fa9e4066Sahrens #include <stdlib.h>
37*fa9e4066Sahrens #include <strings.h>
38*fa9e4066Sahrens #include <assert.h>
39*fa9e4066Sahrens #define	ASSERT	assert
40*fa9e4066Sahrens #endif
41*fa9e4066Sahrens 
42*fa9e4066Sahrens 
43*fa9e4066Sahrens ace_t trivial_acl[] = {
44*fa9e4066Sahrens 	{-1, 0, ACE_OWNER, ACE_ACCESS_DENIED_ACE_TYPE},
45*fa9e4066Sahrens 	{-1, ACE_WRITE_ACL|ACE_WRITE_OWNER|ACE_WRITE_ATTRIBUTES|
46*fa9e4066Sahrens 	    ACE_WRITE_NAMED_ATTRS, ACE_OWNER, ACE_ACCESS_ALLOWED_ACE_TYPE},
47*fa9e4066Sahrens 	{-1, 0, ACE_GROUP|ACE_IDENTIFIER_GROUP, ACE_ACCESS_DENIED_ACE_TYPE},
48*fa9e4066Sahrens 	{-1, 0, ACE_GROUP|ACE_IDENTIFIER_GROUP, ACE_ACCESS_ALLOWED_ACE_TYPE},
49*fa9e4066Sahrens 	{-1, ACE_WRITE_ACL|ACE_WRITE_OWNER| ACE_WRITE_ATTRIBUTES|
50*fa9e4066Sahrens 	    ACE_WRITE_NAMED_ATTRS, ACE_EVERYONE, ACE_ACCESS_DENIED_ACE_TYPE},
51*fa9e4066Sahrens 	{-1, ACE_READ_ACL|ACE_READ_ATTRIBUTES|ACE_READ_NAMED_ATTRS|
52*fa9e4066Sahrens 	    ACE_SYNCHRONIZE, ACE_EVERYONE, ACE_ACCESS_ALLOWED_ACE_TYPE}
53*fa9e4066Sahrens };
54*fa9e4066Sahrens 
55*fa9e4066Sahrens 
56*fa9e4066Sahrens void
57*fa9e4066Sahrens adjust_ace_pair(ace_t *pair, mode_t mode)
58*fa9e4066Sahrens {
59*fa9e4066Sahrens 	if (mode & S_IROTH)
60*fa9e4066Sahrens 		pair[1].a_access_mask |= ACE_READ_DATA;
61*fa9e4066Sahrens 	else
62*fa9e4066Sahrens 		pair[0].a_access_mask |= ACE_READ_DATA;
63*fa9e4066Sahrens 	if (mode & S_IWOTH)
64*fa9e4066Sahrens 		pair[1].a_access_mask |=
65*fa9e4066Sahrens 		    ACE_WRITE_DATA|ACE_APPEND_DATA;
66*fa9e4066Sahrens 	else
67*fa9e4066Sahrens 		pair[0].a_access_mask |=
68*fa9e4066Sahrens 		    ACE_WRITE_DATA|ACE_APPEND_DATA;
69*fa9e4066Sahrens 	if (mode & S_IXOTH)
70*fa9e4066Sahrens 		pair[1].a_access_mask |= ACE_EXECUTE;
71*fa9e4066Sahrens 	else
72*fa9e4066Sahrens 		pair[0].a_access_mask |= ACE_EXECUTE;
73*fa9e4066Sahrens }
74*fa9e4066Sahrens 
75*fa9e4066Sahrens /*
76*fa9e4066Sahrens  * ace_trivial:
77*fa9e4066Sahrens  * determine whether an ace_t acl is trivial
78*fa9e4066Sahrens  *
79*fa9e4066Sahrens  * Trivialness implys that the acl is composed of only
80*fa9e4066Sahrens  * owner, group, everyone entries.  ACL can't
81*fa9e4066Sahrens  * have read_acl denied, and write_owner/write_acl/write_attributes
82*fa9e4066Sahrens  * can only be owner@ entry.
83*fa9e4066Sahrens  */
84*fa9e4066Sahrens int
85*fa9e4066Sahrens ace_trivial(ace_t *acep, int aclcnt)
86*fa9e4066Sahrens {
87*fa9e4066Sahrens 	int i;
88*fa9e4066Sahrens 	int owner_seen = 0;
89*fa9e4066Sahrens 	int group_seen = 0;
90*fa9e4066Sahrens 	int everyone_seen = 0;
91*fa9e4066Sahrens 
92*fa9e4066Sahrens 	for (i = 0; i != aclcnt; i++) {
93*fa9e4066Sahrens 		switch (acep[i].a_flags & 0xf040) {
94*fa9e4066Sahrens 		case ACE_OWNER:
95*fa9e4066Sahrens 			if (group_seen || everyone_seen)
96*fa9e4066Sahrens 				return (1);
97*fa9e4066Sahrens 			owner_seen++;
98*fa9e4066Sahrens 			break;
99*fa9e4066Sahrens 		case ACE_GROUP|ACE_IDENTIFIER_GROUP:
100*fa9e4066Sahrens 			if (everyone_seen || owner_seen == 0)
101*fa9e4066Sahrens 				return (1);
102*fa9e4066Sahrens 			group_seen++;
103*fa9e4066Sahrens 			break;
104*fa9e4066Sahrens 
105*fa9e4066Sahrens 		case ACE_EVERYONE:
106*fa9e4066Sahrens 			if (owner_seen == 0 || group_seen == 0)
107*fa9e4066Sahrens 				return (1);
108*fa9e4066Sahrens 			everyone_seen++;
109*fa9e4066Sahrens 			break;
110*fa9e4066Sahrens 		default:
111*fa9e4066Sahrens 			return (1);
112*fa9e4066Sahrens 
113*fa9e4066Sahrens 		}
114*fa9e4066Sahrens 
115*fa9e4066Sahrens 		if (acep[i].a_flags & (ACE_FILE_INHERIT_ACE|
116*fa9e4066Sahrens 		    ACE_DIRECTORY_INHERIT_ACE|ACE_NO_PROPAGATE_INHERIT_ACE|
117*fa9e4066Sahrens 		    ACE_INHERIT_ONLY_ACE))
118*fa9e4066Sahrens 			return (1);
119*fa9e4066Sahrens 
120*fa9e4066Sahrens 		/*
121*fa9e4066Sahrens 		 * Special check for some special bits
122*fa9e4066Sahrens 		 *
123*fa9e4066Sahrens 		 * Don't allow anybody to deny reading an ACL
124*fa9e4066Sahrens 		 */
125*fa9e4066Sahrens 		if ((acep[i].a_access_mask & ACE_READ_ACL) &&
126*fa9e4066Sahrens 		    (acep[i].a_type == ACE_ACCESS_DENIED_ACE_TYPE))
127*fa9e4066Sahrens 			return (1);
128*fa9e4066Sahrens 
129*fa9e4066Sahrens 		/*
130*fa9e4066Sahrens 		 * Allow on owner@ to allow
131*fa9e4066Sahrens 		 * write_acl/write_owner/write_attributes
132*fa9e4066Sahrens 		 */
133*fa9e4066Sahrens 		if (acep[i].a_type == ACE_ACCESS_ALLOWED_ACE_TYPE &&
134*fa9e4066Sahrens 		    (!(acep[i].a_flags & ACE_OWNER) && (acep[i].a_access_mask &
135*fa9e4066Sahrens 		    (ACE_WRITE_OWNER|ACE_WRITE_ACL|ACE_WRITE_ATTRIBUTES))))
136*fa9e4066Sahrens 			return (1);
137*fa9e4066Sahrens 	}
138*fa9e4066Sahrens 
139*fa9e4066Sahrens 	if ((owner_seen == 0) || (group_seen == 0) || (everyone_seen == 0))
140*fa9e4066Sahrens 	    return (1);
141*fa9e4066Sahrens 
142*fa9e4066Sahrens 	return (0);
143*fa9e4066Sahrens }
144*fa9e4066Sahrens 
145*fa9e4066Sahrens 
146*fa9e4066Sahrens /*
147*fa9e4066Sahrens  * Generic shellsort, from K&R (1st ed, p 58.), somewhat modified.
148*fa9e4066Sahrens  * v = Ptr to array/vector of objs
149*fa9e4066Sahrens  * n = # objs in the array
150*fa9e4066Sahrens  * s = size of each obj (must be multiples of a word size)
151*fa9e4066Sahrens  * f = ptr to function to compare two objs
152*fa9e4066Sahrens  *	returns (-1 = less than, 0 = equal, 1 = greater than
153*fa9e4066Sahrens  */
154*fa9e4066Sahrens void
155*fa9e4066Sahrens ksort(caddr_t v, int n, int s, int (*f)())
156*fa9e4066Sahrens {
157*fa9e4066Sahrens 	int g, i, j, ii;
158*fa9e4066Sahrens 	unsigned int *p1, *p2;
159*fa9e4066Sahrens 	unsigned int tmp;
160*fa9e4066Sahrens 
161*fa9e4066Sahrens 	/* No work to do */
162*fa9e4066Sahrens 	if (v == NULL || n <= 1)
163*fa9e4066Sahrens 		return;
164*fa9e4066Sahrens 
165*fa9e4066Sahrens 	/* Sanity check on arguments */
166*fa9e4066Sahrens 	ASSERT(((uintptr_t)v & 0x3) == 0 && (s & 0x3) == 0);
167*fa9e4066Sahrens 	ASSERT(s > 0);
168*fa9e4066Sahrens 	for (g = n / 2; g > 0; g /= 2) {
169*fa9e4066Sahrens 		for (i = g; i < n; i++) {
170*fa9e4066Sahrens 			for (j = i - g; j >= 0 &&
171*fa9e4066Sahrens 				(*f)(v + j * s, v + (j + g) * s) == 1;
172*fa9e4066Sahrens 					j -= g) {
173*fa9e4066Sahrens 				p1 = (void *)(v + j * s);
174*fa9e4066Sahrens 				p2 = (void *)(v + (j + g) * s);
175*fa9e4066Sahrens 				for (ii = 0; ii < s / 4; ii++) {
176*fa9e4066Sahrens 					tmp = *p1;
177*fa9e4066Sahrens 					*p1++ = *p2;
178*fa9e4066Sahrens 					*p2++ = tmp;
179*fa9e4066Sahrens 				}
180*fa9e4066Sahrens 			}
181*fa9e4066Sahrens 		}
182*fa9e4066Sahrens 	}
183*fa9e4066Sahrens }
184*fa9e4066Sahrens 
185*fa9e4066Sahrens /*
186*fa9e4066Sahrens  * Compare two acls, all fields.  Returns:
187*fa9e4066Sahrens  * -1 (less than)
188*fa9e4066Sahrens  *  0 (equal)
189*fa9e4066Sahrens  * +1 (greater than)
190*fa9e4066Sahrens  */
191*fa9e4066Sahrens int
192*fa9e4066Sahrens cmp2acls(void *a, void *b)
193*fa9e4066Sahrens {
194*fa9e4066Sahrens 	aclent_t *x = (aclent_t *)a;
195*fa9e4066Sahrens 	aclent_t *y = (aclent_t *)b;
196*fa9e4066Sahrens 
197*fa9e4066Sahrens 	/* Compare types */
198*fa9e4066Sahrens 	if (x->a_type < y->a_type)
199*fa9e4066Sahrens 		return (-1);
200*fa9e4066Sahrens 	if (x->a_type > y->a_type)
201*fa9e4066Sahrens 		return (1);
202*fa9e4066Sahrens 	/* Equal types; compare id's */
203*fa9e4066Sahrens 	if (x->a_id < y->a_id)
204*fa9e4066Sahrens 		return (-1);
205*fa9e4066Sahrens 	if (x->a_id > y->a_id)
206*fa9e4066Sahrens 		return (1);
207*fa9e4066Sahrens 	/* Equal ids; compare perms */
208*fa9e4066Sahrens 	if (x->a_perm < y->a_perm)
209*fa9e4066Sahrens 		return (-1);
210*fa9e4066Sahrens 	if (x->a_perm > y->a_perm)
211*fa9e4066Sahrens 		return (1);
212*fa9e4066Sahrens 	/* Totally equal */
213*fa9e4066Sahrens 	return (0);
214*fa9e4066Sahrens }
215