tmpfiles: do 'X' bit check in an ACL-aware manner

Follow-up for 26d98cdd78 I.e. stat() cannot be used here. Also, before this commit, the 'X' is only applied if the owner has execute bit set. Now it takes group and other into consideration too. setfacl(1) also has the same behavior.
2024-07-03 08:29:25 +00:00 · 2024-03-05 22:25:44 +08:00 · 2024-03-05 22:25:44 +08:00 · 29a438e764
commit 29a438e764
parent 83a5db202d
1 changed files with 28 additions and 18 deletions
--- a/src/tmpfiles/tmpfiles.c
+++ b/src/tmpfiles/tmpfiles.c
@ -1275,33 +1275,43 @@ static int parse_acl_cond_exec(
        assert(ret);

        if (!S_ISDIR(st->st_mode)) {
-                has_exec = st->st_mode & S_IXUSR;
+                _cleanup_(acl_freep) acl_t old = NULL;

-                if (!has_exec && append) {
-                        _cleanup_(acl_freep) acl_t old = NULL;
+                old = acl_get_file(path, ACL_TYPE_ACCESS);
+                if (!old)
+                        return -errno;

-                        old = acl_get_file(path, ACL_TYPE_ACCESS);
-                        if (!old)
+                has_exec = false;
+
+                for (r = acl_get_entry(old, ACL_FIRST_ENTRY, &entry);
+                     r > 0;
+                     r = acl_get_entry(old, ACL_NEXT_ENTRY, &entry)) {
+
+                        acl_tag_t tag;
+
+                        if (acl_get_tag_type(entry, &tag) < 0)
                                return -errno;

-                        for (r = acl_get_entry(old, ACL_FIRST_ENTRY, &entry);
-                             r > 0;
-                             r = acl_get_entry(old, ACL_NEXT_ENTRY, &entry)) {
+                        if (tag == ACL_MASK)
+                                continue;

-                                if (acl_get_permset(entry, &permset) < 0)
-                                        return -errno;
+                        /* If not appending, skip ACL definitions */
+                        if (!append && IN_SET(tag, ACL_USER, ACL_GROUP))
+                                continue;

-                                r = acl_get_perm(permset, ACL_EXECUTE);
-                                if (r < 0)
-                                        return -errno;
-                                if (r > 0) {
-                                        has_exec = true;
-                                        break;
-                                }
-                        }
+                        if (acl_get_permset(entry, &permset) < 0)
+                                return -errno;
+
+                        r = acl_get_perm(permset, ACL_EXECUTE);
                        if (r < 0)
                                return -errno;
+                        if (r > 0) {
+                                has_exec = true;
+                                break;
+                        }
                }
+                if (r < 0)
+                        return -errno;

                /* Check if we're about to set the execute bit in acl_access */
                if (!has_exec && access) {