Enable ACL support for libfuse3

Author: vimist

configure.ac

@@ -36,7 +36,7 @@ AM_CONDITIONAL(BUILD_OS_IS_DARWIN, [test x"$build_os" = darwin])
 my_CPPFLAGS="-D_REENTRANT -D_FILE_OFFSET_BITS=64 -D_XOPEN_SOURCE=700 -D__BSD_VISIBLE=1 -D_BSD_SOURCE -D_DEFAULT_SOURCE -D_DARWIN_BETTER_REALPATH"
 
 my_CFLAGS="-std=c99 -Wall -Wpedantic -fno-common"
-my_LDFLAGS="-pthread"
+my_LDFLAGS="-pthread -lacl"
 AC_SUBST([my_CPPFLAGS])
 AC_SUBST([my_CFLAGS])
 AC_SUBST([my_LDFLAGS])

src/bindfs.c

@@ -63,6 +63,8 @@
 #ifdef HAVE_SETXATTR
 #include <sys/xattr.h>
 #endif
+#include <sys/acl.h>
+#include <acl/libacl.h>
 
 #ifdef HAVE_FUSE_3
 #ifndef __NR_renameat2
@@ -769,6 +771,234 @@ static int bindfs_fgetattr(const char *path, struct stat *stbuf,
 }
 #endif
 
+/**
+ * Convert an ACL permset to a bitmask.
+ *
+ * @param permset The permset to convert.
+ *
+ * @return The permset represented as an `access(2)` compatible bitmask.
+ */
+unsigned int permset_to_bits(acl_permset_t permset) {
+    unsigned int bits = 0;
+
+    if (acl_get_perm(permset, ACL_READ) == 1)
+        bits |= R_OK;
+
+    if (acl_get_perm(permset, ACL_WRITE) == 1)
+        bits |= W_OK;
+
+    if (acl_get_perm(permset, ACL_EXECUTE) == 1)
+        bits |= X_OK;
+
+    return bits;
+}
+
+/**
+ * Determine whether the effective user has access to a given file system
+ * object.
+ *
+ * Access check algorithm documented here: https://www.usenix.org/legacy/publications/library/proceedings/usenix03/tech/freenix03/full_papers/gruenbacher/gruenbacher_html/main.html
+ *
+ * This function performs POSIX ACL access checking, which is a superset of the
+ * standard Unix permissions.
+ *
+ * @param path The path to the file system object.
+ * @param wants The bitwise-inclusive OR of the access permissions to be
+ *     checked (R_OK, W_OK, X_OK).
+ *
+ * @return 0 if the effective user has access, -EACCES otherwise.
+ *
+ * */
+static int bindfs_access(const char *path, int wants)
+{
+    DPRINTF("Performing access check for '%s'", path);
+
+    char *real_path = process_path(path, true);
+
+    struct stat st;
+    if (lstat(real_path, &st) == -1) {
+        DPRINTF("Could not lstat '%s': %s", real_path, strerror(errno));
+        free(real_path);
+        return -errno;
+    }
+
+    uid_t euid = geteuid();
+    gid_t egid = getegid();
+
+    // TODO: There are `root` cases still needing to be accounted for.
+    //       This is not the correct implementation!
+    //if (euid == 0)
+    //    return 0;
+
+    struct passwd *pwd = getpwuid(euid);
+
+    // We can perform this check early, Unsubstantiated, but I would imagine
+    // it's one of the more likely cases, so it makes sense to optimise for it.
+    //
+    // If the user ID of the process is the owner, the owner entry determines
+    // access.
+    if (euid == st.st_uid) {
+        return (((st.st_mode & 0700) >> 6) & wants) == wants
+            ? 0
+            : -EACCES;
+    }
+
+    // Get the groups the effective user is a part of
+    int ngroups = 8;
+    gid_t *groups = malloc(sizeof(*groups) * ngroups);
+
+    while (getgrouplist(pwd->pw_name, egid, groups, &ngroups) == -1) {
+        DPRINTF("Reallocating space for groups to %d entries", ngroups);
+        groups = realloc(groups, sizeof(*groups) * ngroups);
+    }
+
+    // Notes on the below variables:
+    // We do not need to store the owner permissions as we can exit immediately
+    // if we find them and do not need to do further processing.
+
+    // We do not need to store group ACL permissions separately from the
+    // standard group permissions. We can merge all the group permissions
+    // together and treat them as one. TODO: I think, need to thoroughly test.
+    // NOTE: This only holds if an object that has ACLs where `group_a = r--`,
+    // `group_b = --x` and the request is for `r-x` (`wants` = 5) we should
+    // grant access, if we should disallow access, we can't aggregate
+    // permissions in this way.
+
+    unsigned int group_perms = 0;
+    unsigned int other_perms = 0;
+
+    unsigned int user_acl_perms = 0;
+    unsigned int acl_mask = 0;
+
+    unsigned int has_user_acl = 0;
+    unsigned int has_group = 0;
+    unsigned int has_mask = 0;
+
+    acl_t acl = acl_get_file(real_path, ACL_TYPE_ACCESS);
+    acl_entry_t acl_entry;
+    for (
+        int result = acl_get_entry(acl, ACL_FIRST_ENTRY, &acl_entry);
+        result > 0;
+        result = acl_get_entry(acl, ACL_NEXT_ENTRY, &acl_entry)
+    ) {
+        acl_tag_t acl_tag;
+        if (acl_get_tag_type(acl_entry, &acl_tag) != 0) {
+            DPRINTF("Could not get ACL tag type: %s", strerror(errno));
+            continue;
+        }
+
+        acl_permset_t acl_permset;
+        if (acl_get_permset(acl_entry, &acl_permset) != 0) {
+            DPRINTF("Could not get ACL permset: %s", strerror(errno));
+            continue;
+        }
+
+        unsigned int permset_as_bits = permset_to_bits(acl_permset);
+
+        void *acl_qualifier = acl_get_qualifier(acl_entry);
+        switch(acl_tag) {
+            case ACL_USER_OBJ:
+                if (euid == st.st_uid) {
+                    acl_free(acl_qualifier);
+                    acl_free(acl);
+                    free(real_path);
+
+                    return (permset_as_bits & wants) == wants
+                        ? 0
+                        : -EACCES;
+                }
+                break;
+
+            case ACL_USER:
+                if (euid == *(uid_t*)acl_qualifier) {
+                    has_user_acl = 1;
+                    user_acl_perms = permset_as_bits;
+                }
+                break;
+
+            case ACL_GROUP_OBJ:
+                for (int i = 0; i < ngroups; i++) {
+                    // Aggregate all group permissions, we only care if we have
+                    // the permissions, not where they come from
+                    if (st.st_gid == groups[i]) {
+                        DPRINTF("Has ACL_GROUP_OBJ of %d", groups[i]);
+                        has_group = 1;
+                        group_perms |= permset_as_bits;
+                    }
+                }
+                break;
+
+            case ACL_GROUP:
+                for (int i = 0; i < ngroups; i++) {
+                    // Aggregate all group permissions, we only care if we have
+                    // the permissions, not where they come from
+                    if (*(gid_t*)acl_qualifier == groups[i]) {
+                        DPRINTF("Has ACL_GROUP of %d", groups[i]);
+                        has_group = 1;
+                        group_perms |= permset_as_bits;
+                    }
+                }
+                break;
+
+            case ACL_MASK:
+                has_mask = 1;
+                acl_mask = permset_as_bits;
+                break;
+
+            case ACL_OTHER:
+                other_perms = permset_as_bits;
+                break;
+        }
+        acl_free(acl_qualifier);
+    }
+
+    acl_free(acl);
+    free(real_path);
+
+    // If there is no mask entry, it doesn't restrict anything.
+    if (has_mask == 0) {
+        DPRINTF("ACL has no ACL_MASK entry, setting mask to rwx");
+        acl_mask = R_OK | W_OK | X_OK;
+    }
+
+    //If the user ID of the process is the owner, the owner entry determines
+    //access - This check is performed above, very early in the function.
+
+    // If the user ID of the process matches the qualifier in one
+    // of the named user entries, this entry determines access
+    if (has_user_acl == 1) {
+        DPRINTF("Using ACL_USER entry to determine access");
+        return (user_acl_perms & acl_mask & wants) == wants
+            ? 0
+            : -EACCES;
+    }
+
+    // If one of the group IDs of the process matches the owning group and the
+    // owning group entry contains the requested permissions, this entry
+    // determines access
+
+    // If one of the group IDs of the process matches the qualifier of one of
+    // the named group entries and this entry contains the requested
+    // permissions, this entry determines access
+
+    // If one of the group IDs of the process matches the owning group or any
+    // of the named group entries, but neither the owning group entry nor any
+    // of the matching named group entries contains the requested permissions,
+    // this determines that access is denied
+    if (has_group == 1) {
+        DPRINTF("Using ACL_GROUP_OBJ or ACL_GROUP entry to determine access");
+        return (group_perms & acl_mask & wants) == wants
+            ? 0
+            : -EACCES;
+    }
+
+    // Else the other entry determines access.
+    DPRINTF("Using ACL_OTHER entry to determine access");
+    return (other_perms & wants) == wants
+        ? 0
+        : -EACCES;
+}
+
 static int bindfs_readlink(const char *path, char *buf, size_t size)
 {
     int res;
@@ -1643,7 +1873,7 @@ static struct fuse_operations bindfs_oper = {
     #ifndef HAVE_FUSE_3
     .fgetattr   = bindfs_fgetattr,
     #endif
-    /* no access() since we always use -o default_permissions */
+    .access     = bindfs_access,
     .readlink   = bindfs_readlink,
     .readdir    = bindfs_readdir,
     .mknod      = bindfs_mknod,
@@ -2750,9 +2980,6 @@ int main(int argc, char *argv[])
         fuse_opt_add_arg(&args, "-oallow_other");
     }
 
-    /* We want the kernel to do our access checks for us based on what getattr gives it. */
-    fuse_opt_add_arg(&args, "-odefault_permissions");
-
     // With FUSE 3 we set this in bindfs_init
 #ifndef HAVE_FUSE_3
     /* We want to mirror inodes. */