From 2ea6247e0188c3fb9194c5319e707f6a591d62fd Mon Sep 17 00:00:00 2001 From: Lennart Poettering Date: Tue, 21 Jul 2020 22:19:17 +0200 Subject: [PATCH 1/2] acl-util: fix error handling in add_acls_for_user() --- src/shared/acl-util.c | 14 ++++++++++---- 1 file changed, 10 insertions(+), 4 deletions(-) diff --git a/src/shared/acl-util.c b/src/shared/acl-util.c index 1ccb4f8295..dd2b1efb11 100644 --- a/src/shared/acl-util.c +++ b/src/shared/acl-util.c @@ -378,10 +378,13 @@ int acls_for_file(const char *path, acl_type_t type, acl_t new, acl_t *acl) { int add_acls_for_user(int fd, uid_t uid) { _cleanup_(acl_freep) acl_t acl = NULL; - acl_entry_t entry; acl_permset_t permset; + acl_entry_t entry; int r; + assert(fd >= 0); + assert(uid_is_valid(uid)); + acl = acl_get_fd(fd); if (!acl) return -errno; @@ -394,8 +397,8 @@ int add_acls_for_user(int fd, uid_t uid) { return -errno; } - /* We do not recalculate the mask unconditionally here, - * so that the fchmod() mask above stays intact. */ + /* We do not recalculate the mask unconditionally here, so that the fchmod() mask above stays + * intact. */ if (acl_get_permset(entry, &permset) < 0 || acl_add_perm(permset, ACL_READ) < 0) return -errno; @@ -404,5 +407,8 @@ int add_acls_for_user(int fd, uid_t uid) { if (r < 0) return r; - return acl_set_fd(fd, acl); + if (acl_set_fd(fd, acl) < 0) + return -errno; + + return 0; } From d81be4e752f15ef2c894ae0b05eaa709af09b28a Mon Sep 17 00:00:00 2001 From: Lennart Poettering Date: Tue, 21 Jul 2020 22:21:28 +0200 Subject: [PATCH 2/2] coredump: port to use common add_acls_for_user() It's line-by-line the same logic, hence use the common implementation. --- src/coredump/coredump.c | 28 ++++------------------------ 1 file changed, 4 insertions(+), 24 deletions(-) diff --git a/src/coredump/coredump.c b/src/coredump/coredump.c index 1a41f26049..8b052dac26 100644 --- a/src/coredump/coredump.c +++ b/src/coredump/coredump.c @@ -177,38 +177,18 @@ static uint64_t storage_size_max(void) { static int fix_acl(int fd, uid_t uid) { #if HAVE_ACL - _cleanup_(acl_freep) acl_t acl = NULL; - acl_entry_t entry; - acl_permset_t permset; int r; assert(fd >= 0); + assert(uid_is_valid(uid)); if (uid_is_system(uid) || uid_is_dynamic(uid) || uid == UID_NOBODY) return 0; - /* Make sure normal users can read (but not write or delete) - * their own coredumps */ - - acl = acl_get_fd(fd); - if (!acl) - return log_error_errno(errno, "Failed to get ACL: %m"); - - if (acl_create_entry(&acl, &entry) < 0 || - acl_set_tag_type(entry, ACL_USER) < 0 || - acl_set_qualifier(entry, &uid) < 0) - return log_error_errno(errno, "Failed to patch ACL: %m"); - - if (acl_get_permset(entry, &permset) < 0 || - acl_add_perm(permset, ACL_READ) < 0) - return log_warning_errno(errno, "Failed to patch ACL: %m"); - - r = calc_acl_mask_if_needed(&acl); + /* Make sure normal users can read (but not write or delete) their own coredumps */ + r = add_acls_for_user(fd, uid); if (r < 0) - return log_warning_errno(r, "Failed to patch ACL: %m"); - - if (acl_set_fd(fd, acl) < 0) - return log_error_errno(errno, "Failed to apply ACL: %m"); + return log_error_errno(r, "Failed to adjust ACL of coredump: %m"); #endif return 0;