/*
* acl_copy_entry() (23.4.4): copy the contents of ACL entry src_d to
* ACL entry dest_d
*/
int
acl_copy_entry(acl_entry_t dest_d, acl_entry_t src_d)
{
if (src_d == NULL || dest_d == NULL || src_d == dest_d) {
errno = EINVAL;
return (-1);
}
/*
* Can we brand the new entry the same as the source entry?
*/
if (!_entry_brand_may_be(dest_d, _entry_brand(src_d))) {
errno = EINVAL;
return (-1);
}
_entry_brand_as(dest_d, _entry_brand(src_d));
dest_d->ae_tag = src_d->ae_tag;
dest_d->ae_id = src_d->ae_id;
dest_d->ae_perm = src_d->ae_perm;
dest_d->ae_entry_type = src_d->ae_entry_type;
dest_d->ae_flags = src_d->ae_flags;
return (0);
}
static int
_entry_matches(const acl_entry_t a, const acl_entry_t b)
{
/*
* There is a semantical difference here between NFSv4 and POSIX
* draft ACLs. In POSIX, there may be only one entry for the particular
* user or group. In NFSv4 ACL, there may be any number of them. We're
* trying to be more specific here in that case.
*/
switch (_entry_brand(a)) {
case ACL_BRAND_NFS4:
if (a->ae_tag != b->ae_tag || a->ae_entry_type != b->ae_entry_type)
return (0);
/* If ae_ids matter, compare them as well. */
if (a->ae_tag == ACL_USER || a->ae_tag == ACL_GROUP) {
if (a->ae_id != b->ae_id)
return (0);
}
return (1);
default:
if ((a->ae_tag == b->ae_tag) && (a->ae_id == b->ae_id))
return (1);
}
return (0);
}
/*
* acl_delete_entry() (23.4.9): remove the ACL entry indicated by entry_d
* from acl.
*/
int
acl_delete_entry(acl_t acl, acl_entry_t entry_d)
{
struct acl *acl_int;
struct acl_entry entry_int;
int i, j, found = 0;
if (acl == NULL || entry_d == NULL) {
errno = EINVAL;
return (-1);
}
acl_int = &acl->ats_acl;
if (_entry_brand(entry_d) != _acl_brand(acl)) {
errno = EINVAL;
return (-1);
}
if ((acl->ats_acl.acl_cnt < 1) ||
(acl->ats_acl.acl_cnt > ACL_MAX_ENTRIES)) {
errno = EINVAL;
return (-1);
}
/* Use a local copy to prevent deletion of more than this entry */
entry_int = *entry_d;
for (i = 0; i < acl->ats_acl.acl_cnt;) {
if (_entry_matches(&(acl->ats_acl.acl_entry[i]), &entry_int)) {
/* ...shift the remaining entries... */
for (j = i; j < acl->ats_acl.acl_cnt - 1; ++j)
acl->ats_acl.acl_entry[j] =
acl->ats_acl.acl_entry[j+1];
/* ...drop the count and zero the unused entry... */
acl->ats_acl.acl_cnt--;
bzero(&acl->ats_acl.acl_entry[j],
sizeof(struct acl_entry));
acl->ats_cur_entry = 0;
/* Continue with the loop to remove all maching entries. */
found = 1;
} else
i++;
}
if (found)
return (0);
errno = EINVAL;
return (-1);
}
static int
_posix1e_acl_entry_compare(struct acl_entry *a, struct acl_entry *b)
{
assert(_entry_brand(a) == ACL_BRAND_POSIX);
assert(_entry_brand(b) == ACL_BRAND_POSIX);
/*
* First, sort between tags -- conveniently defined in the correct
* order for verification.
*/
if (a->ae_tag < b->ae_tag)
return (-1);
if (a->ae_tag > b->ae_tag)
return (1);
/*
* Next compare uids/gids on appropriate types.
*/
if (a->ae_tag == ACL_USER || a->ae_tag == ACL_GROUP) {
if (a->ae_id < b->ae_id)
return (-1);
if (a->ae_id > b->ae_id)
return (1);
/* shouldn't be equal, fall through to the invalid case */
}
/*
* Don't know how to sort multiple entries of the rest--either it's
* a bad entry, or there shouldn't be more than one. Ignore and the
* validity checker can get it later.
*/
return (0);
}
static acl_t
_posix1e_acl_strip_np(const acl_t aclp, int recalculate_mask)
{
acl_t acl_new, acl_old;
acl_entry_t entry, entry_new;
acl_permset_t perm;
acl_tag_t tag;
int entry_id, have_mask_entry;
assert(_acl_brand(aclp) == ACL_BRAND_POSIX);
acl_old = acl_dup(aclp);
if (acl_old == NULL)
return (NULL);
assert(_acl_brand(acl_old) == ACL_BRAND_POSIX);
have_mask_entry = 0;
acl_new = acl_init(ACL_MAX_ENTRIES);
if (acl_new == NULL)
return (NULL);
tag = ACL_UNDEFINED_TAG;
/* only save the default user/group/other entries */
entry_id = ACL_FIRST_ENTRY;
while (acl_get_entry(acl_old, entry_id, &entry) == 1) {
entry_id = ACL_NEXT_ENTRY;
assert(_entry_brand(entry) == ACL_BRAND_POSIX);
if (acl_get_tag_type(entry, &tag) == -1)
return (NULL);
switch(tag) {
case ACL_USER_OBJ:
case ACL_GROUP_OBJ:
case ACL_OTHER:
if (acl_get_tag_type(entry, &tag) == -1)
return (NULL);
if (acl_get_permset(entry, &perm) == -1)
return (NULL);
if (acl_create_entry(&acl_new, &entry_new) == -1)
return (NULL);
if (acl_set_tag_type(entry_new, tag) == -1)
return (NULL);
if (acl_set_permset(entry_new, perm) == -1)
return (NULL);
if (acl_copy_entry(entry_new, entry) == -1)
return (NULL);
assert(_entry_brand(entry_new) == ACL_BRAND_POSIX);
break;
case ACL_MASK:
have_mask_entry = 1;
break;
default:
break;
}
}
assert(_acl_brand(acl_new) == ACL_BRAND_POSIX);
if (have_mask_entry && recalculate_mask) {
if (acl_calc_mask(&acl_new) == -1)
return (NULL);
}
return (acl_new);
}
