Move Unix domain utilities and access control utilites,

as well as the accessrules library, from s6-networking to here

9 files changed, 219 insertions, 0 deletions

diff --git a/src/libs6/deps-lib/s6 b/src/libs6/deps-lib/s6
index 502694e..579d844 100644
--- a/src/libs6/deps-lib/s6
+++ b/src/libs6/deps-lib/s6
@@ -13,6 +13,14 @@ ftrigw_clean.o
 ftrigw_fifodir_make.o
 ftrigw_notify.o
 ftrigw_notifyb.o
+s6_accessrules_backend_cdb.o
+s6_accessrules_backend_fs.o
+s6_accessrules_keycheck_ip4.o
+s6_accessrules_keycheck_ip6.o
+s6_accessrules_keycheck_reversedns.o
+s6_accessrules_keycheck_uidgid.o
+s6_accessrules_uidgid_cdb.o
+s6_accessrules_uidgid_fs.o
 s6_supervise_lock.o
 s6_supervise_lock_mode.o
 s6_svc_main.o
diff --git a/src/libs6/s6_accessrules_backend_cdb.c b/src/libs6/s6_accessrules_backend_cdb.c
new file mode 100644
index 0000000..fc564bb
--- /dev/null
+++ b/src/libs6/s6_accessrules_backend_cdb.c
@@ -0,0 +1,38 @@
+/* ISC license. */
+
+#include <unistd.h>
+#include <errno.h>
+#include <skalibs/bytestr.h>
+#include <skalibs/uint16.h>
+#include <skalibs/cdb.h>
+#include <skalibs/stralloc.h>
+#include <s6/accessrules.h>
+
+s6_accessrules_result_t s6_accessrules_backend_cdb (char const *key, unsigned int keylen, void *data, s6_accessrules_params_t *params)
+{
+  struct cdb *c = data ;
+  unsigned int execbase, n ;
+  uint16 envlen, execlen ;
+  register int r = cdb_find(c, key, keylen) ;
+  if (r < 0) return S6_ACCESSRULES_ERROR ;
+  else if (!r) return S6_ACCESSRULES_NOTFOUND ;
+  n = cdb_datalen(c) ;
+  if ((n < 5U) || (n > 8197U)) return (errno = EINVAL, S6_ACCESSRULES_ERROR) ;
+  if (!stralloc_readyplus(&params->exec, n)) return S6_ACCESSRULES_ERROR ;
+  execbase = params->exec.len ;
+  if (cdb_read(c, params->exec.s + execbase, n, cdb_datapos(c)) < 0) return S6_ACCESSRULES_ERROR ;
+  if (params->exec.s[execbase] == 'D') return S6_ACCESSRULES_DENY ;
+  else if (params->exec.s[execbase] != 'A') return S6_ACCESSRULES_NOTFOUND ;
+  uint16_unpack_big(params->exec.s + execbase + 1U, &envlen) ;
+  if ((envlen > 4096U) || (envlen+5U > n)) return (errno = EINVAL, S6_ACCESSRULES_ERROR) ;
+  uint16_unpack_big(params->exec.s + execbase + 3 + envlen, &execlen) ;
+  if ((execlen > 4096U) || (5U + envlen + execlen != n)) return (errno = EINVAL, S6_ACCESSRULES_ERROR) ;
+  if (!stralloc_catb(&params->env, params->exec.s + execbase + 3U, envlen)) return S6_ACCESSRULES_ERROR ;
+  byte_copy(params->exec.s + execbase, execlen, params->exec.s + execbase + 5U + envlen) ;
+  if (execlen)
+  {
+    params->exec.len += execlen ;
+    params->exec.s[params->exec.len++] = 0 ;
+  }
+  return S6_ACCESSRULES_ALLOW ;
+}
diff --git a/src/libs6/s6_accessrules_backend_fs.c b/src/libs6/s6_accessrules_backend_fs.c
new file mode 100644
index 0000000..5723db6
--- /dev/null
+++ b/src/libs6/s6_accessrules_backend_fs.c
@@ -0,0 +1,58 @@
+/* ISC license. */
+
+#include <unistd.h>
+#include <errno.h>
+#include <skalibs/bytestr.h>
+#include <skalibs/fmtscan.h>
+#include <skalibs/stralloc.h>
+#include <skalibs/djbunix.h>
+#include <s6/accessrules.h>
+
+s6_accessrules_result_t s6_accessrules_backend_fs (char const *key, unsigned int keylen, void *data, s6_accessrules_params_t *params)
+{
+  char *dir = data ;
+  unsigned int dirlen = str_len(dir) ;
+  unsigned int envbase = params->env.len ;
+  int wasnull = !params->env.s ;
+  {
+    char tmp[dirlen + keylen + 10] ;
+    byte_copy(tmp, dirlen, dir) ;
+    tmp[dirlen] = '/' ;
+    byte_copy(tmp + dirlen + 1, keylen, key) ;
+    byte_copy(tmp + dirlen + keylen + 1, 7, "/allow") ;
+    if (access(tmp, R_OK) < 0)
+    {
+      if ((errno != EACCES) && (errno != ENOENT))
+        return S6_ACCESSRULES_ERROR ;
+      byte_copy(tmp + dirlen + keylen + 2, 5, "deny") ;
+      return (access(tmp, R_OK) == 0) ? S6_ACCESSRULES_DENY :
+       (errno != EACCES) && (errno != ENOENT) ? S6_ACCESSRULES_ERROR :
+       S6_ACCESSRULES_NOTFOUND ;
+    }
+    byte_copy(tmp + dirlen + keylen + 2, 4, "env") ;
+    if ((envdir(tmp, &params->env) < 0) && (errno != ENOENT))
+      return S6_ACCESSRULES_ERROR ;
+    if (!stralloc_readyplus(&params->exec, 4097))
+    {
+      if (wasnull) stralloc_free(&params->env) ;
+      else params->env.len = envbase ;
+      return S6_ACCESSRULES_ERROR ;
+    }
+    byte_copy(tmp + dirlen + keylen + 2, 5, "exec") ;
+    {
+      register int r = openreadnclose(tmp, params->exec.s + params->exec.len, 4096) ;
+      if ((r < 0) && (errno != EACCES) && (errno != ENOENT))
+      {
+        if (wasnull) stralloc_free(&params->env) ;
+        else params->env.len = envbase ;
+        return S6_ACCESSRULES_ERROR ;
+      }
+      if (r > 0)
+      {
+        params->exec.len += r ;
+        params->exec.s[params->exec.len++] = 0 ;
+      }
+    }
+  }
+  return S6_ACCESSRULES_ALLOW ;
+}
diff --git a/src/libs6/s6_accessrules_keycheck_ip4.c b/src/libs6/s6_accessrules_keycheck_ip4.c
new file mode 100644
index 0000000..66ace93
--- /dev/null
+++ b/src/libs6/s6_accessrules_keycheck_ip4.c
@@ -0,0 +1,24 @@
+/* ISC license. */
+
+#include <skalibs/uint32.h>
+#include <skalibs/uint.h>
+#include <skalibs/fmtscan.h>
+#include <s6/accessrules.h>
+
+s6_accessrules_result_t s6_accessrules_keycheck_ip4 (void const *key, void *data, s6_accessrules_params_t *params, s6_accessrules_backend_func_t_ref check1)
+{
+  char fmt[IP4_FMT + UINT_FMT + 6] = "ip4/" ;
+  uint32 ip ;
+  unsigned int i = 0 ;
+  uint32_unpack_big((char const *)key, &ip) ;
+  for (; i <= 32 ; i++)
+  {
+    register s6_accessrules_result_t r ;
+    register unsigned int len = 4 + ip4_fmtu32(fmt+4, (i == 32) ? 0 : ip & ~((1U << i) - 1)) ;
+    fmt[len++] = '_' ;
+    len += uint_fmt(fmt + len, 32 - i) ;
+    r = (*check1)(fmt, len, data, params) ;
+    if (r != S6_ACCESSRULES_NOTFOUND) return r ;
+  }
+  return S6_ACCESSRULES_NOTFOUND ;
+}
diff --git a/src/libs6/s6_accessrules_keycheck_ip6.c b/src/libs6/s6_accessrules_keycheck_ip6.c
new file mode 100644
index 0000000..a476f3d
--- /dev/null
+++ b/src/libs6/s6_accessrules_keycheck_ip6.c
@@ -0,0 +1,27 @@
+/* ISC license. */
+
+#include <skalibs/uint.h>
+#include <skalibs/bytestr.h>
+#include <skalibs/bitarray.h>
+#include <skalibs/fmtscan.h>
+#include <s6/accessrules.h>
+
+s6_accessrules_result_t s6_accessrules_keycheck_ip6 (void const *key, void *data, s6_accessrules_params_t *params, s6_accessrules_backend_func_t_ref check1)
+{
+  char fmt[IP6_FMT + UINT_FMT + 6] = "ip6/" ;
+  char ip6[16] ;
+  unsigned int i = 0 ;
+  byte_copy(ip6, 16, (char const *)key) ;
+  for (; i <= 128 ; i++)
+  {
+    unsigned int len ;
+    register s6_accessrules_result_t r ;
+    if (i) bitarray_clear(ip6, 128 - i) ;
+    len = 4 + ip6_fmt(fmt+4, ip6) ;
+    fmt[len++] = '_' ;
+    len += uint_fmt(fmt + len, 128 - i) ;
+    r = (*check1)(fmt, len, data, params) ;
+    if (r != S6_ACCESSRULES_NOTFOUND) return r ;
+  }
+  return S6_ACCESSRULES_NOTFOUND ;
+}
diff --git a/src/libs6/s6_accessrules_keycheck_reversedns.c b/src/libs6/s6_accessrules_keycheck_reversedns.c
new file mode 100644
index 0000000..00d7e21
--- /dev/null
+++ b/src/libs6/s6_accessrules_keycheck_reversedns.c
@@ -0,0 +1,27 @@
+/* ISC license. */
+
+#include <errno.h>
+#include <skalibs/bytestr.h>
+#include <s6/accessrules.h>
+
+s6_accessrules_result_t s6_accessrules_keycheck_reversedns (void const *key, void *data, s6_accessrules_params_t *params, s6_accessrules_backend_func_t_ref check1)
+{
+  char const *name = key ;
+  unsigned int len = str_len(name) ;
+  if (!len) return (errno = EINVAL, S6_ACCESSRULES_ERROR) ;
+  if (name[len-1] == '.') len-- ;
+  {
+    unsigned int i = 0 ;
+    char tmp[len + 11] ;
+    byte_copy(tmp, 11, "reversedns/") ;
+    while (i < len)
+    {
+      register s6_accessrules_result_t r ;
+      byte_copy(tmp+11, len-i, name+i) ;
+      r = (*check1)(tmp, 11+len-i, data, params) ;
+      if (r != S6_ACCESSRULES_NOTFOUND) return r ;
+      i += byte_chr(name+i, len-i, '.') + 1 ;
+    }
+  }
+  return (*check1)("reversedns/@", 12, data, params) ;
+}
diff --git a/src/libs6/s6_accessrules_keycheck_uidgid.c b/src/libs6/s6_accessrules_keycheck_uidgid.c
new file mode 100644
index 0000000..08f0f9c
--- /dev/null
+++ b/src/libs6/s6_accessrules_keycheck_uidgid.c
@@ -0,0 +1,16 @@
+/* ISC license. */
+
+#include <skalibs/uint.h>
+#include <skalibs/diuint.h>
+#include <s6/accessrules.h>
+
+s6_accessrules_result_t s6_accessrules_keycheck_uidgid (void const *key, void *data, s6_accessrules_params_t *params, s6_accessrules_backend_func_t_ref check1)
+{
+  char fmt[4 + UINT_FMT] = "uid/" ;
+  register s6_accessrules_result_t r = (*check1)(fmt, 4 + uint_fmt(fmt+4, ((diuint const *)key)->left), data, params) ;
+  if (r != S6_ACCESSRULES_NOTFOUND) return r ;
+  fmt[0] = 'g' ;
+  r = (*check1)(fmt, 4 + uint_fmt(fmt+4, ((diuint const *)key)->right), data, params) ;
+  return (r != S6_ACCESSRULES_NOTFOUND) ? r :
+   (*check1)("uid/default", 11, data, params) ;
+}
diff --git a/src/libs6/s6_accessrules_uidgid_cdb.c b/src/libs6/s6_accessrules_uidgid_cdb.c
new file mode 100644
index 0000000..a1a83d6
--- /dev/null
+++ b/src/libs6/s6_accessrules_uidgid_cdb.c
@@ -0,0 +1,11 @@
+/* ISC license. */
+
+#include <skalibs/diuint.h>
+#include <skalibs/cdb.h>
+#include <s6/accessrules.h>
+
+s6_accessrules_result_t s6_accessrules_uidgid_cdb (unsigned int uid, unsigned int gid, struct cdb *c, s6_accessrules_params_t *params)
+{
+  diuint uidgid = { .left = uid, .right = gid } ;
+  return s6_accessrules_keycheck_uidgid(&uidgid, c, params, &s6_accessrules_backend_cdb) ;
+}
diff --git a/src/libs6/s6_accessrules_uidgid_fs.c b/src/libs6/s6_accessrules_uidgid_fs.c
new file mode 100644
index 0000000..848fa89
--- /dev/null
+++ b/src/libs6/s6_accessrules_uidgid_fs.c
@@ -0,0 +1,10 @@
+/* ISC license. */
+
+#include <skalibs/diuint.h>
+#include <s6/accessrules.h>
+
+s6_accessrules_result_t s6_accessrules_uidgid_fs (unsigned int uid, unsigned int gid, char const *rulesdir, s6_accessrules_params_t *params)
+{
+  diuint uidgid = { .left = uid, .right = gid } ;
+  return s6_accessrules_keycheck_uidgid(&uidgid, (void *)rulesdir, params, &s6_accessrules_backend_fs) ;
+}