1
/*-
2
 * Copyright (c) 2003-2009 Tim Kientzle
3
 * Copyright (c) 2010-2012 Michihiro NAKAJIMA
4
 * Copyright (c) 2017 Martin Matuska
5
 * All rights reserved.
6
 *
7
 * Redistribution and use in source and binary forms, with or without
8
 * modification, are permitted provided that the following conditions
9
 * are met:
10
 * 1. Redistributions of source code must retain the above copyright
11
 *    notice, this list of conditions and the following disclaimer.
12
 * 2. Redistributions in binary form must reproduce the above copyright
13
 *    notice, this list of conditions and the following disclaimer in the
14
 *    documentation and/or other materials provided with the distribution.
15
 *
16
 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR(S) ``AS IS'' AND ANY EXPRESS OR
17
 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
18
 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
19
 * IN NO EVENT SHALL THE AUTHOR(S) BE LIABLE FOR ANY DIRECT, INDIRECT,
20
 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
21
 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
22
 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
23
 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
24
 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
25
 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
26
 */
27

28
#include "archive_platform.h"
29

30
#if ARCHIVE_ACL_LIBACL || ARCHIVE_ACL_LIBRICHACL
31

32
#ifdef HAVE_ERRNO_H
33
#include <errno.h>
34
#endif
35
#ifdef HAVE_FCNTL_H
36
#include <fcntl.h>
37
#endif
38
#if HAVE_ACL_LIBACL_H
39
#include <acl/libacl.h>
40
#endif
41
#ifdef HAVE_SYS_ACL_H
42
#include <sys/acl.h>
43
#endif
44
#ifdef HAVE_SYS_RICHACL_H
45
#include <sys/richacl.h>
46
#endif
47

48
#include "archive_entry.h"
49
#include "archive_private.h"
50
#include "archive_read_disk_private.h"
51
#include "archive_write_disk_private.h"
52

53
typedef struct {
54
	const int a_perm;	/* Libarchive permission or flag */
55
	const int p_perm;	/* Platform permission or flag */
56
} acl_perm_map_t;
57

58
#if ARCHIVE_ACL_LIBACL
59
static const acl_perm_map_t acl_posix_perm_map[] = {
60
	{ARCHIVE_ENTRY_ACL_EXECUTE, ACL_EXECUTE},
61
	{ARCHIVE_ENTRY_ACL_WRITE, ACL_WRITE},
62
	{ARCHIVE_ENTRY_ACL_READ, ACL_READ},
63
};
64

65
static const int acl_posix_perm_map_size =
66
    (int)(sizeof(acl_posix_perm_map)/sizeof(acl_posix_perm_map[0]));
67
#endif /* ARCHIVE_ACL_LIBACL */
68

69
#if ARCHIVE_ACL_LIBRICHACL
70
static const acl_perm_map_t acl_nfs4_perm_map[] = {
71
	{ARCHIVE_ENTRY_ACL_EXECUTE, RICHACE_EXECUTE},
72
	{ARCHIVE_ENTRY_ACL_READ_DATA, RICHACE_READ_DATA},
73
	{ARCHIVE_ENTRY_ACL_LIST_DIRECTORY, RICHACE_LIST_DIRECTORY},
74
	{ARCHIVE_ENTRY_ACL_WRITE_DATA, RICHACE_WRITE_DATA},
75
	{ARCHIVE_ENTRY_ACL_ADD_FILE, RICHACE_ADD_FILE},
76
	{ARCHIVE_ENTRY_ACL_APPEND_DATA, RICHACE_APPEND_DATA},
77
	{ARCHIVE_ENTRY_ACL_ADD_SUBDIRECTORY, RICHACE_ADD_SUBDIRECTORY},
78
	{ARCHIVE_ENTRY_ACL_READ_NAMED_ATTRS, RICHACE_READ_NAMED_ATTRS},
79
	{ARCHIVE_ENTRY_ACL_WRITE_NAMED_ATTRS, RICHACE_WRITE_NAMED_ATTRS},
80
	{ARCHIVE_ENTRY_ACL_DELETE_CHILD, RICHACE_DELETE_CHILD},
81
	{ARCHIVE_ENTRY_ACL_READ_ATTRIBUTES, RICHACE_READ_ATTRIBUTES},
82
	{ARCHIVE_ENTRY_ACL_WRITE_ATTRIBUTES, RICHACE_WRITE_ATTRIBUTES},
83
	{ARCHIVE_ENTRY_ACL_DELETE, RICHACE_DELETE},
84
	{ARCHIVE_ENTRY_ACL_READ_ACL, RICHACE_READ_ACL},
85
	{ARCHIVE_ENTRY_ACL_WRITE_ACL, RICHACE_WRITE_ACL},
86
	{ARCHIVE_ENTRY_ACL_WRITE_OWNER, RICHACE_WRITE_OWNER},
87
	{ARCHIVE_ENTRY_ACL_SYNCHRONIZE, RICHACE_SYNCHRONIZE}
88
};
89

90
static const int acl_nfs4_perm_map_size =
91
    (int)(sizeof(acl_nfs4_perm_map)/sizeof(acl_nfs4_perm_map[0]));
92

93
static const acl_perm_map_t acl_nfs4_flag_map[] = {
94
	{ARCHIVE_ENTRY_ACL_ENTRY_FILE_INHERIT, RICHACE_FILE_INHERIT_ACE},
95
	{ARCHIVE_ENTRY_ACL_ENTRY_DIRECTORY_INHERIT, RICHACE_DIRECTORY_INHERIT_ACE},
96
	{ARCHIVE_ENTRY_ACL_ENTRY_NO_PROPAGATE_INHERIT, RICHACE_NO_PROPAGATE_INHERIT_ACE},
97
	{ARCHIVE_ENTRY_ACL_ENTRY_INHERIT_ONLY, RICHACE_INHERIT_ONLY_ACE},
98
	{ARCHIVE_ENTRY_ACL_ENTRY_INHERITED, RICHACE_INHERITED_ACE}
99
};
100

101
static const int acl_nfs4_flag_map_size =
102
    (int)(sizeof(acl_nfs4_flag_map)/sizeof(acl_nfs4_flag_map[0]));
103
#endif /* ARCHIVE_ACL_LIBRICHACL */
104

105
#if ARCHIVE_ACL_LIBACL
106
/*
107
 * Translate POSIX.1e ACLs into libarchive internal structure
108
 */
109
static int
110
translate_acl(struct archive_read_disk *a,
111
    struct archive_entry *entry, acl_t acl, int default_entry_acl_type)
112
{
113
	acl_tag_t	 acl_tag;
114
	acl_entry_t	 acl_entry;
115
	acl_permset_t	 acl_permset;
116
	int		 i, entry_acl_type;
117
	int		 r, s, ae_id, ae_tag, ae_perm;
118
	void		*q;
119
	const char	*ae_name;
120

121
	s = acl_get_entry(acl, ACL_FIRST_ENTRY, &acl_entry);
122
	if (s == -1) {
123
		archive_set_error(&a->archive, errno,
124
		    "Failed to get first ACL entry");
125
		return (ARCHIVE_WARN);
126
	}
127

128
	while (s == 1) {
129
		ae_id = -1;
130
		ae_name = NULL;
131
		ae_perm = 0;
132

133
		if (acl_get_tag_type(acl_entry, &acl_tag) != 0) {
134
			archive_set_error(&a->archive, errno,
135
			    "Failed to get ACL tag type");
136
			return (ARCHIVE_WARN);
137
		}
138
		switch (acl_tag) {
139
		case ACL_USER:
140
			q = acl_get_qualifier(acl_entry);
141
			if (q != NULL) {
142
				ae_id = (int)*(uid_t *)q;
143
				acl_free(q);
144
				ae_name = archive_read_disk_uname(&a->archive,
145
				    ae_id);
146
			}
147
			ae_tag = ARCHIVE_ENTRY_ACL_USER;
148
			break;
149
		case ACL_GROUP:
150
			q = acl_get_qualifier(acl_entry);
151
			if (q != NULL) {
152
				ae_id = (int)*(gid_t *)q;
153
				acl_free(q);
154
				ae_name = archive_read_disk_gname(&a->archive,
155
				    ae_id);
156
			}
157
			ae_tag = ARCHIVE_ENTRY_ACL_GROUP;
158
			break;
159
		case ACL_MASK:
160
			ae_tag = ARCHIVE_ENTRY_ACL_MASK;
161
			break;
162
		case ACL_USER_OBJ:
163
			ae_tag = ARCHIVE_ENTRY_ACL_USER_OBJ;
164
			break;
165
		case ACL_GROUP_OBJ:
166
			ae_tag = ARCHIVE_ENTRY_ACL_GROUP_OBJ;
167
			break;
168
		case ACL_OTHER:
169
			ae_tag = ARCHIVE_ENTRY_ACL_OTHER;
170
			break;
171
		default:
172
			/* Skip types that libarchive can't support. */
173
			s = acl_get_entry(acl, ACL_NEXT_ENTRY, &acl_entry);
174
			continue;
175
		}
176

177
		// XXX acl_type maps to allow/deny/audit/YYYY bits
178
		entry_acl_type = default_entry_acl_type;
179

180
		if (acl_get_permset(acl_entry, &acl_permset) != 0) {
181
			archive_set_error(&a->archive, errno,
182
			    "Failed to get ACL permission set");
183
			return (ARCHIVE_WARN);
184
		}
185

186
		for (i = 0; i < acl_posix_perm_map_size; ++i) {
187
			r = acl_get_perm(acl_permset,
188
			    acl_posix_perm_map[i].p_perm);
189
			if (r == -1) {
190
				archive_set_error(&a->archive, errno,
191
				    "Failed to check permission in an ACL "
192
				    "permission set");
193
				return (ARCHIVE_WARN);
194
			} else if (r)
195
				ae_perm |= acl_posix_perm_map[i].a_perm;
196
		}
197

198
		archive_entry_acl_add_entry(entry, entry_acl_type,
199
					    ae_perm, ae_tag,
200
					    ae_id, ae_name);
201

202
		s = acl_get_entry(acl, ACL_NEXT_ENTRY, &acl_entry);
203
		if (s == -1) {
204
			archive_set_error(&a->archive, errno,
205
			    "Failed to get next ACL entry");
206
			return (ARCHIVE_WARN);
207
		}
208
	}
209
	return (ARCHIVE_OK);
210
}
211
#endif /* ARCHIVE_ACL_LIBACL */
212

213
#if ARCHIVE_ACL_LIBRICHACL
214
/*
215
 * Translate RichACL into libarchive internal ACL
216
 */
217
static int
218
translate_richacl(struct archive_read_disk *a, struct archive_entry *entry,
219
    struct richacl *richacl)
220
{
221
	int ae_id, ae_tag, ae_perm;
222
	int entry_acl_type, i;
223
	const char *ae_name;
224

225
	struct richace *richace;
226

227
	richacl_for_each_entry(richace, richacl) {
228
		ae_name = NULL;
229
		ae_tag = 0;
230
		ae_perm = 0;
231
		ae_id = -1;
232

233
		switch (richace->e_type) {
234
		case RICHACE_ACCESS_ALLOWED_ACE_TYPE:
235
			entry_acl_type = ARCHIVE_ENTRY_ACL_TYPE_ALLOW;
236
			break;
237
		case RICHACE_ACCESS_DENIED_ACE_TYPE:
238
			entry_acl_type = ARCHIVE_ENTRY_ACL_TYPE_DENY;
239
			break;
240
		default: /* Unknown entry type, skip */
241
			continue;
242
		}
243

244
		/* Unsupported */
245
		if (richace->e_flags & RICHACE_UNMAPPED_WHO)
246
			continue;
247

248
		if (richace->e_flags & RICHACE_SPECIAL_WHO) {
249
			switch (richace->e_id) {
250
			case RICHACE_OWNER_SPECIAL_ID:
251
				ae_tag = ARCHIVE_ENTRY_ACL_USER_OBJ;
252
				break;
253
			case RICHACE_GROUP_SPECIAL_ID:
254
				ae_tag = ARCHIVE_ENTRY_ACL_GROUP_OBJ;
255
				break;
256
			case RICHACE_EVERYONE_SPECIAL_ID:
257
				ae_tag = ARCHIVE_ENTRY_ACL_EVERYONE;
258
				break;
259
			default: /* Unknown special ID type */
260
				continue;
261
			}
262
		} else {
263
			ae_id = richace->e_id;
264
			if (richace->e_flags & RICHACE_IDENTIFIER_GROUP) {
265
				ae_tag = ARCHIVE_ENTRY_ACL_GROUP;
266
				ae_name = archive_read_disk_gname(&a->archive,
267
				    (gid_t)(richace->e_id));
268
			} else {
269
				ae_tag = ARCHIVE_ENTRY_ACL_USER;
270
				ae_name = archive_read_disk_uname(&a->archive,
271
				    (uid_t)(richace->e_id));
272
			}
273
		}
274
		for (i = 0; i < acl_nfs4_flag_map_size; ++i) {
275
			if ((richace->e_flags &
276
			    acl_nfs4_flag_map[i].p_perm) != 0)
277
				ae_perm |= acl_nfs4_flag_map[i].a_perm;
278
		}
279
		for (i = 0; i < acl_nfs4_perm_map_size; ++i) {
280
			if ((richace->e_mask &
281
			    acl_nfs4_perm_map[i].p_perm) != 0)
282
				ae_perm |=
283
				    acl_nfs4_perm_map[i].a_perm;
284
		}
285

286
		archive_entry_acl_add_entry(entry, entry_acl_type,
287
		    ae_perm, ae_tag, ae_id, ae_name);
288
	}
289
	return (ARCHIVE_OK);
290
}
291
#endif	/* ARCHIVE_ACL_LIBRICHACL */
292

293
#if ARCHIVE_ACL_LIBRICHACL
294
static int
295
_richacl_mode_to_mask(short mode)
296
{
297
	int mask = 0;
298

299
	if (mode & S_IROTH)
300
		mask |= RICHACE_POSIX_MODE_READ;
301
	if (mode & S_IWOTH)
302
		mask |= RICHACE_POSIX_MODE_WRITE;
303
	if (mode & S_IXOTH)
304
		mask |= RICHACE_POSIX_MODE_EXEC;
305

306
	return (mask);
307
}
308

309
static void
310
_richacl_mode_to_masks(struct richacl *richacl, __LA_MODE_T mode)
311
{
312
	richacl->a_owner_mask = _richacl_mode_to_mask((mode & 0700) >> 6);
313
	richacl->a_group_mask = _richacl_mode_to_mask((mode & 0070) >> 3);
314
	richacl->a_other_mask = _richacl_mode_to_mask(mode & 0007);
315
}
316
#endif /* ARCHIVE_ACL_LIBRICHACL */
317

318
#if ARCHIVE_ACL_LIBRICHACL
319
static int
320
set_richacl(struct archive *a, int fd, const char *name,
321
    struct archive_acl *abstract_acl, __LA_MODE_T mode,
322
    int ae_requested_type, const char *tname)
323
{
324
	int		 ae_type, ae_permset, ae_tag, ae_id;
325
	uid_t		 ae_uid;
326
	gid_t		 ae_gid;
327
	const char	*ae_name;
328
	int		 entries;
329
	int		 i;
330
	int		 ret;
331
	int		 e = 0;
332
	struct richacl  *richacl = NULL;
333
	struct richace  *richace;
334

335
	ret = ARCHIVE_OK;
336
	entries = archive_acl_reset(abstract_acl, ae_requested_type);
337
	if (entries == 0)
338
		return (ARCHIVE_OK);
339

340
	if (ae_requested_type != ARCHIVE_ENTRY_ACL_TYPE_NFS4) {
341
		errno = ENOENT;
342
		archive_set_error(a, errno, "Unsupported ACL type");
343
		return (ARCHIVE_FAILED);
344
	}
345

346
	if (S_ISLNK(mode)) {
347
		/* Linux does not support RichACLs on symbolic links */
348
		return (ARCHIVE_OK);
349
	}
350

351
	richacl = richacl_alloc(entries);
352
	if (richacl == NULL) {
353
		archive_set_error(a, errno,
354
			"Failed to initialize RichACL working storage");
355
		return (ARCHIVE_FAILED);
356
	}
357

358
	e = 0;
359

360
	while (archive_acl_next(a, abstract_acl, ae_requested_type, &ae_type,
361
		   &ae_permset, &ae_tag, &ae_id, &ae_name) == ARCHIVE_OK) {
362
		richace = &(richacl->a_entries[e]);
363

364
		richace->e_flags = 0;
365
		richace->e_mask = 0;
366

367
		switch (ae_tag) {
368
		case ARCHIVE_ENTRY_ACL_USER:
369
			ae_uid = archive_write_disk_uid(a, ae_name, ae_id);
370
			richace->e_id = ae_uid;
371
			break;
372
		case ARCHIVE_ENTRY_ACL_GROUP:
373
			ae_gid = archive_write_disk_gid(a, ae_name, ae_id);
374
			richace->e_id = ae_gid;
375
			richace->e_flags |= RICHACE_IDENTIFIER_GROUP;
376
			break;
377
		case ARCHIVE_ENTRY_ACL_USER_OBJ:
378
			richace->e_flags |= RICHACE_SPECIAL_WHO;
379
			richace->e_id = RICHACE_OWNER_SPECIAL_ID;
380
			break;
381
		case ARCHIVE_ENTRY_ACL_GROUP_OBJ:
382
			richace->e_flags |= RICHACE_SPECIAL_WHO;
383
			richace->e_id = RICHACE_GROUP_SPECIAL_ID;
384
			break;
385
		case ARCHIVE_ENTRY_ACL_EVERYONE:
386
			richace->e_flags |= RICHACE_SPECIAL_WHO;
387
			richace->e_id = RICHACE_EVERYONE_SPECIAL_ID;
388
			break;
389
		default:
390
			archive_set_error(a, ARCHIVE_ERRNO_MISC,
391
			    "Unsupported ACL tag");
392
			ret = ARCHIVE_FAILED;
393
			goto exit_free;
394
		}
395

396
		switch (ae_type) {
397
			case ARCHIVE_ENTRY_ACL_TYPE_ALLOW:
398
				richace->e_type =
399
				    RICHACE_ACCESS_ALLOWED_ACE_TYPE;
400
				break;
401
			case ARCHIVE_ENTRY_ACL_TYPE_DENY:
402
				richace->e_type =
403
				    RICHACE_ACCESS_DENIED_ACE_TYPE;
404
				break;
405
			case ARCHIVE_ENTRY_ACL_TYPE_AUDIT:
406
			case ARCHIVE_ENTRY_ACL_TYPE_ALARM:
407
				break;
408
		default:
409
			archive_set_error(a, ARCHIVE_ERRNO_MISC,
410
			    "Unsupported ACL entry type");
411
			ret = ARCHIVE_FAILED;
412
			goto exit_free;
413
		}
414

415
		for (i = 0; i < acl_nfs4_perm_map_size; ++i) {
416
			if (ae_permset & acl_nfs4_perm_map[i].a_perm)
417
				richace->e_mask |= acl_nfs4_perm_map[i].p_perm;
418
		}
419

420
		for (i = 0; i < acl_nfs4_flag_map_size; ++i) {
421
			if (ae_permset &
422
			    acl_nfs4_flag_map[i].a_perm)
423
				richace->e_flags |= acl_nfs4_flag_map[i].p_perm;
424
		}
425
	e++;
426
	}
427

428
	/* Fill RichACL masks */
429
	_richacl_mode_to_masks(richacl, mode);
430

431
	if (fd >= 0) {
432
		if (richacl_set_fd(fd, richacl) == 0)
433
			ret = ARCHIVE_OK;
434
		else {
435
			if (errno == EOPNOTSUPP) {
436
				/* Filesystem doesn't support ACLs */
437
				ret = ARCHIVE_OK;
438
			} else {
439
				archive_set_error(a, errno,
440
				    "Failed to set richacl on fd: %s", tname);
441
				ret = ARCHIVE_WARN;
442
			}
443
		}
444
	} else if (richacl_set_file(name, richacl) != 0) {
445
		if (errno == EOPNOTSUPP) {
446
			/* Filesystem doesn't support ACLs */
447
			ret = ARCHIVE_OK;
448
		} else {
449
			archive_set_error(a, errno, "Failed to set richacl: %s",
450
			    tname);
451
			ret = ARCHIVE_WARN;
452
		}
453
	}
454
exit_free:
455
	richacl_free(richacl);
456
	return (ret);
457
}
458
#endif /* ARCHIVE_ACL_RICHACL */
459

460
#if ARCHIVE_ACL_LIBACL
461
static int
462
set_acl(struct archive *a, int fd, const char *name,
463
    struct archive_acl *abstract_acl, __LA_MODE_T mode,
464
    int ae_requested_type, const char *tname)
465
{
466
	int		 acl_type = 0;
467
	int		 ae_type, ae_permset, ae_tag, ae_id;
468
	uid_t		 ae_uid;
469
	gid_t		 ae_gid;
470
	const char	*ae_name;
471
	int		 entries;
472
	int		 i;
473
	int		 ret;
474
	acl_t		 acl = NULL;
475
	acl_entry_t	 acl_entry;
476
	acl_permset_t	 acl_permset;
477

478
	ret = ARCHIVE_OK;
479
	entries = archive_acl_reset(abstract_acl, ae_requested_type);
480
	if (entries == 0)
481
		return (ARCHIVE_OK);
482

483
	switch (ae_requested_type) {
484
	case ARCHIVE_ENTRY_ACL_TYPE_ACCESS:
485
		acl_type = ACL_TYPE_ACCESS;
486
		break;
487
	case ARCHIVE_ENTRY_ACL_TYPE_DEFAULT:
488
		acl_type = ACL_TYPE_DEFAULT;
489
		break;
490
	default:
491
		errno = ENOENT;
492
		archive_set_error(a, errno, "Unsupported ACL type");
493
		return (ARCHIVE_FAILED);
494
	}
495

496
	if (S_ISLNK(mode)) {
497
		/* Linux does not support ACLs on symbolic links */
498
		return (ARCHIVE_OK);
499
	}
500

501
	if (acl_type == ACL_TYPE_DEFAULT && !S_ISDIR(mode)) {
502
		errno = EINVAL;
503
		archive_set_error(a, errno,
504
		    "Cannot set default ACL on non-directory");
505
		return (ARCHIVE_WARN);
506
	}
507

508
	acl = acl_init(entries);
509
	if (acl == (acl_t)NULL) {
510
		archive_set_error(a, errno,
511
		    "Failed to initialize ACL working storage");
512
		return (ARCHIVE_FAILED);
513
	}
514

515
	while (archive_acl_next(a, abstract_acl, ae_requested_type, &ae_type,
516
		   &ae_permset, &ae_tag, &ae_id, &ae_name) == ARCHIVE_OK) {
517

518
		if (acl_create_entry(&acl, &acl_entry) != 0) {
519
			archive_set_error(a, errno,
520
			    "Failed to create a new ACL entry");
521
			ret = ARCHIVE_FAILED;
522
			goto exit_free;
523
		}
524

525
		switch (ae_tag) {
526
		case ARCHIVE_ENTRY_ACL_USER:
527
			ae_uid = archive_write_disk_uid(a, ae_name, ae_id);
528
			acl_set_tag_type(acl_entry, ACL_USER);
529
			acl_set_qualifier(acl_entry, &ae_uid);
530
			break;
531
		case ARCHIVE_ENTRY_ACL_GROUP:
532
			ae_gid = archive_write_disk_gid(a, ae_name, ae_id);
533
			acl_set_tag_type(acl_entry, ACL_GROUP);
534
			acl_set_qualifier(acl_entry, &ae_gid);
535
			break;
536
		case ARCHIVE_ENTRY_ACL_USER_OBJ:
537
			acl_set_tag_type(acl_entry, ACL_USER_OBJ);
538
			break;
539
		case ARCHIVE_ENTRY_ACL_GROUP_OBJ:
540
			acl_set_tag_type(acl_entry, ACL_GROUP_OBJ);
541
			break;
542
		case ARCHIVE_ENTRY_ACL_MASK:
543
			acl_set_tag_type(acl_entry, ACL_MASK);
544
			break;
545
		case ARCHIVE_ENTRY_ACL_OTHER:
546
			acl_set_tag_type(acl_entry, ACL_OTHER);
547
			break;
548
		default:
549
			archive_set_error(a, ARCHIVE_ERRNO_MISC,
550
			    "Unsupported ACL tag");
551
			ret = ARCHIVE_FAILED;
552
			goto exit_free;
553
		}
554

555
		if (acl_get_permset(acl_entry, &acl_permset) != 0) {
556
			archive_set_error(a, errno,
557
			    "Failed to get ACL permission set");
558
			ret = ARCHIVE_FAILED;
559
			goto exit_free;
560
		}
561
		if (acl_clear_perms(acl_permset) != 0) {
562
			archive_set_error(a, errno,
563
			    "Failed to clear ACL permissions");
564
			ret = ARCHIVE_FAILED;
565
			goto exit_free;
566
		}
567

568
		for (i = 0; i < acl_posix_perm_map_size; ++i) {
569
			if (ae_permset & acl_posix_perm_map[i].a_perm) {
570
				if (acl_add_perm(acl_permset,
571
				    acl_posix_perm_map[i].p_perm) != 0) {
572
					archive_set_error(a, errno,
573
					    "Failed to add ACL permission");
574
					ret = ARCHIVE_FAILED;
575
					goto exit_free;
576
				}
577
			}
578
		}
579

580
	}
581

582
	if (fd >= 0 && ae_requested_type == ARCHIVE_ENTRY_ACL_TYPE_ACCESS) {
583
		if (acl_set_fd(fd, acl) == 0)
584
			ret = ARCHIVE_OK;
585
		else {
586
			if (errno == EOPNOTSUPP) {
587
				/* Filesystem doesn't support ACLs */
588
				ret = ARCHIVE_OK;
589
			} else {
590
				archive_set_error(a, errno,
591
				    "Failed to set acl on fd: %s", tname);
592
				ret = ARCHIVE_WARN;
593
			}
594
		}
595
	} else if (acl_set_file(name, acl_type, acl) != 0) {
596
		if (errno == EOPNOTSUPP) {
597
			/* Filesystem doesn't support ACLs */
598
			ret = ARCHIVE_OK;
599
		} else {
600
			archive_set_error(a, errno, "Failed to set acl: %s",
601
			    tname);
602
			ret = ARCHIVE_WARN;
603
		}
604
	}
605
exit_free:
606
	acl_free(acl);
607
	return (ret);
608
}
609
#endif /* ARCHIVE_ACL_LIBACL */
610

611
int
612
archive_read_disk_entry_setup_acls(struct archive_read_disk *a,
613
    struct archive_entry *entry, int *fd)
614
{
615
	const char	*accpath;
616
	int		r;
617
#if ARCHIVE_ACL_LIBACL
618
	acl_t		acl;
619
#endif
620
#if ARCHIVE_ACL_LIBRICHACL
621
	struct richacl *richacl;
622
	mode_t		mode;
623
#endif
624

625
	accpath = NULL;
626
	r = ARCHIVE_OK;
627

628
	/* For default ACLs we need reachable accpath */
629
	if (*fd < 0 || S_ISDIR(archive_entry_mode(entry))) {
630
		accpath = archive_read_disk_entry_setup_path(a, entry, fd);
631
		if (accpath == NULL)
632
			return (ARCHIVE_WARN);
633
	}
634

635
	archive_entry_acl_clear(entry);
636

637
#if ARCHIVE_ACL_LIBACL
638
	acl = NULL;
639
#endif
640
#if ARCHIVE_ACL_LIBRICHACL
641
	richacl = NULL;
642
#endif
643

644
#if ARCHIVE_ACL_LIBRICHACL
645
	/* Try NFSv4 ACL first. */
646
	if (*fd >= 0)
647
		richacl = richacl_get_fd(*fd);
648
	else if ((!a->follow_symlinks)
649
	    && (archive_entry_filetype(entry) == AE_IFLNK))
650
		/* We can't get the ACL of a symlink, so we assume it can't
651
		   have one */
652
		richacl = NULL;
653
	else
654
		richacl = richacl_get_file(accpath);
655

656
	/* Ignore "trivial" ACLs that just mirror the file mode. */
657
	if (richacl != NULL) {
658
		mode = archive_entry_mode(entry);
659
		if (richacl_equiv_mode(richacl, &mode) == 0) {
660
			richacl_free(richacl);
661
			richacl = NULL;
662
			return (ARCHIVE_OK);
663
		}
664
	}
665

666
	if (richacl != NULL) {
667
		r = translate_richacl(a, entry, richacl);
668
		richacl_free(richacl);
669
		richacl = NULL;
670

671
		if (r != ARCHIVE_OK) {
672
			archive_set_error(&a->archive, errno,
673
			"Couldn't translate NFSv4 ACLs");
674
		}
675

676
		return (r);
677
	}
678
#endif	/* ARCHIVE_ACL_LIBRICHACL */
679

680
#if ARCHIVE_ACL_LIBACL
681
	/* Retrieve access ACL from file. */
682
	if (*fd >= 0)
683
		acl = acl_get_fd(*fd);
684
	else if ((!a->follow_symlinks)
685
	    && (archive_entry_filetype(entry) == AE_IFLNK))
686
		/* We can't get the ACL of a symlink, so we assume it can't
687
		   have one. */
688
		acl = NULL;
689
	else
690
		acl = acl_get_file(accpath, ACL_TYPE_ACCESS);
691

692
	if (acl != NULL) {
693
		r = translate_acl(a, entry, acl, ARCHIVE_ENTRY_ACL_TYPE_ACCESS);
694
		acl_free(acl);
695
		acl = NULL;
696

697
		if (r != ARCHIVE_OK) {
698
			archive_set_error(&a->archive, errno,
699
			    "Couldn't translate access ACLs");
700
			return (r);
701
		}
702
	}
703

704
	/* Only directories can have default ACLs. */
705
	if (S_ISDIR(archive_entry_mode(entry))) {
706
		acl = acl_get_file(accpath, ACL_TYPE_DEFAULT);
707
		if (acl != NULL) {
708
			r = translate_acl(a, entry, acl,
709
			    ARCHIVE_ENTRY_ACL_TYPE_DEFAULT);
710
			acl_free(acl);
711
			if (r != ARCHIVE_OK) {
712
				archive_set_error(&a->archive, errno,
713
				    "Couldn't translate default ACLs");
714
				return (r);
715
			}
716
		}
717
	}
718
#endif	/* ARCHIVE_ACL_LIBACL */
719
	return (r);
720
}
721

722
int
723
archive_write_disk_set_acls(struct archive *a, int fd, const char *name,
724
    struct archive_acl *abstract_acl, __LA_MODE_T mode)
725
{
726
	int		ret = ARCHIVE_OK;
727

728
#if !ARCHIVE_ACL_LIBRICHACL
729
	(void)mode;	/* UNUSED */
730
#endif
731

732
#if ARCHIVE_ACL_LIBRICHACL
733
	if ((archive_acl_types(abstract_acl)
734
	    & ARCHIVE_ENTRY_ACL_TYPE_NFS4) != 0) {
735
		ret = set_richacl(a, fd, name, abstract_acl, mode,
736
		    ARCHIVE_ENTRY_ACL_TYPE_NFS4, "nfs4");
737
	}
738
#if ARCHIVE_ACL_LIBACL
739
	else
740
#endif
741
#endif	/* ARCHIVE_ACL_LIBRICHACL */
742
#if ARCHIVE_ACL_LIBACL
743
	if ((archive_acl_types(abstract_acl)
744
	    & ARCHIVE_ENTRY_ACL_TYPE_POSIX1E) != 0) {
745
		if ((archive_acl_types(abstract_acl)
746
		    & ARCHIVE_ENTRY_ACL_TYPE_ACCESS) != 0) {
747
			ret = set_acl(a, fd, name, abstract_acl, mode,
748
			    ARCHIVE_ENTRY_ACL_TYPE_ACCESS, "access");
749
			if (ret != ARCHIVE_OK)
750
				return (ret);
751
		}
752
		if ((archive_acl_types(abstract_acl)
753
		    & ARCHIVE_ENTRY_ACL_TYPE_DEFAULT) != 0)
754
			ret = set_acl(a, fd, name, abstract_acl, mode,
755
			    ARCHIVE_ENTRY_ACL_TYPE_DEFAULT, "default");
756
	}
757
#endif	/* ARCHIVE_ACL_LIBACL */
758
	return (ret);
759
}
760
#endif /* ARCHIVE_ACL_LIBACL || ARCHIVE_ACL_LIBRICHACL */
761

762