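/**
 * Validate the syntax of an ACL promise before it is applied.
 *
 * @param file  Path handed to SetACLDefaults() and CheckDirectoryInherit().
 * @param acl   ACL to check. Passed by value, so the defaults are filled into
 *              this function's copy of the struct only.
 * @param pp    Promise forwarded to the checkers and to PromiseRef() for
 *              error reporting.
 * @return true when acl_directory_inherit and every entry of acl_entries and
 *         acl_inherit_entries pass their checks; false at the first failure.
 */
static int CheckACLSyntax(char *file, Acl acl, Promise *pp)
{
    int deny_support = false;
    int mask_support = false;
    char *valid_ops = NULL;
    char *valid_nperms = NULL;
    Rlist *rp;

    // set unset fields to defaults
    SetACLDefaults(file, &acl);

    // find the operators that are valid for the chosen method
    switch (acl.acl_method)
    {
    case cfacl_overwrite:
        valid_ops = CF_VALID_OPS_METHOD_OVERWRITE;
        break;

    case cfacl_append:
        valid_ops = CF_VALID_OPS_METHOD_APPEND;
        break;

    default:
        // never executed: should be set to a default value by now
        // NOTE(review): if this branch is ever reached, valid_ops stays NULL
        // and is passed to CheckACESyntax() below - confirm the callee
        // tolerates NULL, or fail closed here.
        break;
    }

    // find the native permissions and ACE kinds the ACL type allows
    switch (acl.acl_type)
    {
    case cfacl_generic:
        // generic ACL type: cannot include native or deny-type permissions
        valid_nperms = "";
        deny_support = false;
        mask_support = false;
        break;

    case cfacl_posix:
        valid_nperms = CF_VALID_NPERMS_POSIX;
        deny_support = false;   // posix does not support deny-type permissions
        mask_support = true;    // mask-ACE is allowed in POSIX
        break;

    case cfacl_ntfs:
        valid_nperms = CF_VALID_NPERMS_NTFS;
        deny_support = true;
        mask_support = false;
        break;

    default:
        // never executed: should be set to a default value by now
        // NOTE(review): same NULL concern as above, for valid_nperms.
        break;
    }

    // check that acl_directory_inherit is set to a valid value
    if (!CheckDirectoryInherit(file, &acl, pp))
    {
        return false;
    }

    for (rp = acl.acl_entries; rp != NULL; rp = rp->next)
    {
        if (!CheckACESyntax(ScalarValue(rp), valid_ops, valid_nperms, deny_support, mask_support, pp))
        {
            CfOut(cf_error, "", "The ACE \"%s\" contains errors", ScalarValue(rp));
            PromiseRef(cf_error, pp);
            // Return immediately: falling through to the inherit-entries loop
            // would let its result overwrite this failure, so an ACL with a
            // malformed access ACE could be reported as valid.
            return false;
        }
    }

    for (rp = acl.acl_inherit_entries; rp != NULL; rp = rp->next)
    {
        // Read the entry through ScalarValue(), as the loop above and the
        // error message below do, rather than through rp->item directly.
        if (!CheckACESyntax(ScalarValue(rp), valid_ops, valid_nperms, deny_support, mask_support, pp))
        {
            CfOut(cf_error, "", "The ACE \"%s\" contains errors", ScalarValue(rp));
            PromiseRef(cf_error, pp);
            return false;
        }
    }

    return true;
}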
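/**
 * Validate the syntax of an ACL promise before it is applied.
 *
 * @param file  Path handed to SetACLDefaults() and CheckAclDefault().
 * @param acl   ACL to check. Passed by value, so the defaults are filled into
 *              this function's copy of the struct only.
 * @param pp    Promise forwarded to the checkers and to PromiseRef() for
 *              error reporting.
 * @return true when acl_default and every entry of acl_entries and
 *         acl_default_entries pass their checks; false at the first failure.
 */
static int CheckACLSyntax(char *file, Acl acl, Promise *pp)
{
    int deny_support = false;
    int mask_support = false;
    char *valid_ops = NULL;
    char *valid_nperms = NULL;
    Rlist *rp;

    // set unset fields to defaults
    SetACLDefaults(file, &acl);

    // find the operators that are valid for the chosen method
    switch (acl.acl_method)
    {
    case ACL_METHOD_OVERWRITE:
        valid_ops = CF_VALID_OPS_METHOD_OVERWRITE;
        break;

    case ACL_METHOD_APPEND:
        valid_ops = CF_VALID_OPS_METHOD_APPEND;
        break;

    default:
        // never executed: should be set to a default value by now
        // NOTE(review): if this branch is ever reached, valid_ops stays NULL
        // and is passed to CheckACESyntax() below - confirm the callee
        // tolerates NULL, or fail closed here.
        break;
    }

    // find the native permissions and ACE kinds the ACL type allows
    switch (acl.acl_type)
    {
    case ACL_TYPE_GENERIC:
        // generic ACL type: cannot include native or deny-type permissions
        valid_nperms = "";
        deny_support = false;
        mask_support = false;
        break;

    case ACL_TYPE_POSIX:
        valid_nperms = CF_VALID_NPERMS_POSIX;
        deny_support = false;   // posix does not support deny-type permissions
        mask_support = true;    // mask-ACE is allowed in POSIX
        break;

    case ACL_TYPE_NTFS_:
        valid_nperms = CF_VALID_NPERMS_NTFS;
        deny_support = true;
        mask_support = false;
        break;

    default:
        // never executed: should be set to a default value by now
        // NOTE(review): same NULL concern as above, for valid_nperms.
        break;
    }

    // check that acl_default is set to a valid value
    if (!CheckAclDefault(file, &acl, pp))
    {
        return false;
    }

    for (rp = acl.acl_entries; rp != NULL; rp = rp->next)
    {
        if (!CheckACESyntax(RlistScalarValue(rp), valid_ops, valid_nperms, deny_support, mask_support, pp))
        {
            Log(LOG_LEVEL_ERR, "The ACE '%s' contains errors", RlistScalarValue(rp));
            PromiseRef(LOG_LEVEL_ERR, pp);
            // Return immediately: falling through to the default-entries loop
            // would let its result overwrite this failure, so an ACL with a
            // malformed access ACE could be reported as valid.
            return false;
        }
    }

    for (rp = acl.acl_default_entries; rp != NULL; rp = rp->next)
    {
        // Read the entry through RlistScalarValue(), as the loop above and
        // the error message below do, rather than through rp->item directly.
        if (!CheckACESyntax(RlistScalarValue(rp), valid_ops, valid_nperms, deny_support, mask_support, pp))
        {
            Log(LOG_LEVEL_ERR, "The ACE '%s' contains errors", RlistScalarValue(rp));
            PromiseRef(LOG_LEVEL_ERR, pp);
            return false;
        }
    }

    return true;
}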