Added policy function to get ACLs

larsewi · larsewi · commit a11697c59e5d · 2025-06-03T10:40:25.000+02:00
Ticket: CFE-4529 Changelog: Title Signed-off-by: Lars Erik Wik <lars.erik.wik@northern.tech>
diff --git a/libpromises/acl_tools.h b/libpromises/acl_tools.h
@@ -25,6 +25,19 @@
 #ifndef CFENGINE_ACL_TOOLS_H
 #define CFENGINE_ACL_TOOLS_H
 
+#include <stdbool.h>
+#include <rlist.h>
+
+
+/**
+ * @brief Get ACLs from a file or directory
+ * @param Path to file or directory
+ * @param access Get access ACLs if true, otherwise default ACLs
+ * @return List of ACLs. On error, NULL is returned and errno is set to
+ * indicate the error.
+ */
+Rlist *GetACLs(const char *path, bool access);
+
 bool CopyACLs(const char *src, const char *dst, bool *change);
 
 /**
diff --git a/libpromises/acl_tools_posix.c b/libpromises/acl_tools_posix.c
@@ -259,8 +259,39 @@ bool AllowAccessForUsers(const char *path, StringSet *users, bool allow_writes,
     return true;
 }
 
+Rlist *GetACLs(const char *path, bool access)
+{
+    assert(path != NULL);
+
+    acl_t acl = acl_get_file(path, access ? ACL_TYPE_ACCESS : ACL_TYPE_DEFAULT);
+    if (acl == NULL)
+    {
+        return NULL;
+    }
+
+    char *text = acl_to_any_text(acl, NULL, ',', 0);
+    if (text == NULL)
+    {
+        acl_free(acl);
+        return NULL;
+    }
+
+    Rlist *lst = RlistFromSplitString(text, ',');
+
+    acl_free(text);
+    acl_free(acl);
+    return lst;
+}
+
 #elif !defined(__MINGW32__) /* !HAVE_LIBACL */
 
+Rlist *GetACLs(ARG_UNUSED const char *path, ARG_UNUSED bool access)
+{
+    /* TODO: Handle Windows ACLs (see ENT-13019) */
+    errno = ENOTSUP;
+    return NULL;
+}
+
 bool CopyACLs(ARG_UNUSED const char *src, ARG_UNUSED const char *dst, bool *change)
 {
     if (change != NULL)
diff --git a/libpromises/evalfunction.c b/libpromises/evalfunction.c
@@ -82,6 +82,10 @@
 #include <libgen.h>
 
 #include <ctype.h>
+#include <cf3.defs.h>
+#include <compiler.h>
+#include <rlist.h>
+#include <acl_tools.h>
 
 #ifdef HAVE_LIBCURL
 #include <curl/curl.h>
@@ -654,6 +658,37 @@ static Rlist *GetHostsFromLastseenDB(Seq *host_data, time_t horizon, HostsSeenFi
 
 /*********************************************************************/
 
+static FnCallResult FnCallGetACLs(ARG_UNUSED EvalContext *ctx,
+    ARG_UNUSED const Policy *policy,
+    const FnCall *fp,
+    const Rlist *final_args)
+{
+    assert(fp != NULL);
+    assert(final_args != NULL);
+    assert(final_args->next != NULL);
+
+    const char *path = RlistScalarValue(final_args);
+    const char *type = RlistScalarValue(final_args->next);
+    assert(StringEqual(type, "default") || StringEqual(type, "access"));
+
+    Rlist *acls = GetACLs(path, StringEqual(type, "access"));
+    if (acls == NULL)
+    {
+        Log((errno != ENOTSUPP) ? LOG_LEVEL_ERR : LOG_LEVEL_VERBOSE,
+            "Function %s failed to get ACLs for '%s': %s",
+            fp->name, path, GetErrorStr());
+
+        if (errno != ENOTSUPP)
+        {
+            return FnFailure();
+        } /* else we'll just return an empty list instead */
+    }
+
+    return (FnCallResult) { FNCALL_SUCCESS, { acls, RVAL_TYPE_LIST } };
+}
+
+/*********************************************************************/
+
 static FnCallResult FnCallAnd(EvalContext *ctx,
                               ARG_UNUSED const Policy *policy,
                               ARG_UNUSED const FnCall *fp,
@@ -9754,6 +9789,13 @@ static const FnCallArg AND_ARGS[] =
     {NULL, CF_DATA_TYPE_NONE, NULL}
 };
 
+static const FnCallArg GET_ACLS_ARGS[] =
+{
+    {CF_ABSPATHRANGE, CF_DATA_TYPE_STRING, "Path to file or directory"},
+    {"default,access", CF_DATA_TYPE_OPTION, "Whether to get default- or access ACL"},
+    {NULL, CF_DATA_TYPE_NONE, NULL},
+};
+
 static const FnCallArg AGO_ARGS[] =
 {
     {"0,1000", CF_DATA_TYPE_INT, "Years"},
@@ -10791,6 +10833,8 @@ const FnCallType CF_FNCALL_TYPES[] =
                   FNCALL_OPTION_NONE, FNCALL_CATEGORY_FILES, SYNTAX_STATUS_NORMAL),
     FnCallTypeNew("accumulated", CF_DATA_TYPE_INT, ACCUM_ARGS, &FnCallAccumulatedDate, "Convert an accumulated amount of time into a system representation",
                   FNCALL_OPTION_NONE, FNCALL_CATEGORY_DATA, SYNTAX_STATUS_NORMAL),
+    FnCallTypeNew("getacls", CF_DATA_TYPE_STRING_LIST, GET_ACLS_ARGS, &FnCallGetACLs, "Get ACLs of a given file",
+                  FNCALL_OPTION_NONE, FNCALL_CATEGORY_FILES, SYNTAX_STATUS_NORMAL),
     FnCallTypeNew("ago", CF_DATA_TYPE_INT, AGO_ARGS, &FnCallAgoDate, "Convert a time relative to now to an integer system representation",
                   FNCALL_OPTION_NONE, FNCALL_CATEGORY_DATA, SYNTAX_STATUS_NORMAL),
     FnCallTypeNew("and", CF_DATA_TYPE_CONTEXT, AND_ARGS, &FnCallAnd, "Calculate whether all arguments evaluate to true",
