The accessrules library interface

The following functions and structures are declared in the s6/accessrules.h header, and implemented in the libs6.a or libs6.so library.

General information

accessrules is an access control library. It looks up a key in a user-specified database, then returns a code depending on whether the database allows access (in which case additional information can also be returned), denies access, or does not contain the key.

accessrules has been designed to be easily extensible to any database format and any key format.

Check the s6/accessrules.h header for the exact definitions.

Data structures

A s6_accessrules_result_t is the integer type returned by every lookup. It takes one of four values: S6_ACCESSRULES_ALLOW (the key is in the database and access is granted), S6_ACCESSRULES_DENY (the key is in the database and access is refused), S6_ACCESSRULES_NOTFOUND (the database does not contain the key) and S6_ACCESSRULES_ERROR (the lookup itself failed; errno is set). A caller enforcing access control should grant only on S6_ACCESSRULES_ALLOW and treat the other three values as a refusal, so that a missing rule or an unreadable database fails closed.

A s6_accessrules_params_t is a structure holding the additional information a database can return when a key is allowed: an env field (a stralloc containing a sequence of null-terminated environment variable definitions) and an exec field (a stralloc containing the text of a script to run).

Function types

Backend lookups

A s6_accessrules_backend_func_t is the type of a function that takes a single key, looks it up in a database, and returns the result. Namely:

s6_accessrules_result_t f (char const *key, size_t keylen, void *handle, s6_accessrules_params_t *params)

f looks up key key of length keylen in the database represented by handle in an implementation-defined way. It returns a s6_accessrules_result_t saying whether the key has been allowed, denied or not found, or whether an error occurred. If the key has been allowed, f stores additional information from the database into *params.

Two s6_accessrules_backend_func_t functions are natively implemented:

s6_accessrules_backend_cdb, which looks keys up in a CDB database; handle is a struct cdb * pointing to an opened cdb.

s6_accessrules_backend_fs, which looks keys up in a filesystem hierarchy; handle is a char const * naming the base directory, and every key is resolved as a path under that directory.

Frontend key checking

A s6_accessrules_keycheck_func_t is the type of a function that takes a user-level key, makes a list of corresponding backend-level keys and calls a s6_accessrules_backend_func_t function until it finds a match. Namely:

s6_accessrules_result_t f (void const *key, void *handle, s6_accessrules_params_t *params, s6_accessrules_backend_func_t *backend)

f derives a list of low-level keys to check from key. Then, for each key k of length klen in this list, it calls (*backend)(k, klen, handle, params), returning *backend's result if it is not S6_ACCESSRULES_NOTFOUND. If no match can be found in the whole list, f finally returns S6_ACCESSRULES_NOTFOUND.

Five s6_accessrules_keycheck_func_t functions are natively implemented:

s6_accessrules_keycheck_uidgid, where key points to a uid/gid pair: it checks a key for the uid, then a key for the gid, then a default key.

s6_accessrules_keycheck_reversedns, where key is a FQDN: it checks the full name, then each of its parent domains, then a catch-all.

s6_accessrules_keycheck_ip4, where key points to an IPv4 address (4 bytes in network byte order): it checks the address under every prefix length from 32 down to 0, so the most specific rule present in the database wins.

s6_accessrules_keycheck_ip6, where key points to an IPv6 address (16 bytes in network byte order): same as above, with prefix lengths from 128 down to 0.

s6_accessrules_keycheck_ip46, where key points to an ip46_t: it dispatches to the IPv4 or IPv6 check according to the address family.

Ready-to-use functions

Those functions are mostly macros; they're built by associating a frontend function with a backend function.

s6_accessrules_result_t s6_accessrules_uidgid_cdb (uid_t u, gid_t g, struct cdb *c, s6_accessrules_params_t *params)
Checks the *c CDB database for an authorization for uid u and gid g. If the result is S6_ACCESSRULES_ALLOW, additional information may be stored into params.

s6_accessrules_result_t s6_accessrules_uidgid_fs (uid_t u, gid_t g, char const *dir, s6_accessrules_params_t *params)
Checks the dir base directory for an authorization for uid u and gid g. If the result is S6_ACCESSRULES_ALLOW, additional information may be stored into params.

s6_accessrules_result_t s6_accessrules_reversedns_cdb (char const *name, struct cdb *c, s6_accessrules_params_t *params)
Checks the *c CDB database for an authorization for the name FQDN. If the result is S6_ACCESSRULES_ALLOW, additional information may be stored into params.

s6_accessrules_result_t s6_accessrules_reversedns_fs (char const *name, char const *dir, s6_accessrules_params_t *params)
Checks the dir base directory for an authorization for the name FQDN. If the result is S6_ACCESSRULES_ALLOW, additional information may be stored into params.

s6_accessrules_result_t s6_accessrules_ip4_cdb (char const *ip4, struct cdb *c, s6_accessrules_params_t *params)
Checks the *c CDB database for an authorization for the ip4 IPv4 address (4 network byte order characters). If the result is S6_ACCESSRULES_ALLOW, additional information may be stored into params.

s6_accessrules_result_t s6_accessrules_ip4_fs (char const *ip4, char const *dir, s6_accessrules_params_t *params)
Checks the dir base directory for an authorization for the ip4 IPv4 address (4 network byte order characters). If the result is S6_ACCESSRULES_ALLOW, additional information may be stored into params.

s6_accessrules_result_t s6_accessrules_ip6_cdb (char const *ip6, struct cdb *c, s6_accessrules_params_t *params)
Checks the *c CDB database for an authorization for the ip6 IPv6 address (16 network byte order characters). If the result is S6_ACCESSRULES_ALLOW, additional information may be stored into params.

s6_accessrules_result_t s6_accessrules_ip6_fs (char const *ip6, char const *dir, s6_accessrules_params_t *params)
Checks the dir base directory for an authorization for the ip6 IPv6 address (16 network byte order characters). If the result is S6_ACCESSRULES_ALLOW, additional information may be stored into params.

s6_accessrules_result_t s6_accessrules_ip46_cdb (ip46_t const *ip, struct cdb *c, s6_accessrules_params_t *params)
Checks the *c CDB database for an authorization for the ip IP address. If the result is S6_ACCESSRULES_ALLOW, additional information may be stored into params.

s6_accessrules_result_t s6_accessrules_ip46_fs (ip46_t const *ip, char const *dir, s6_accessrules_params_t *params)
Checks the dir base directory for an authorization for the ip IP address. If the result is S6_ACCESSRULES_ALLOW, additional information may be stored into params.
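The following self-contained C program is an added illustration, not code from libs6 or any s6 tool. It models the frontend/backend split described above: a backend that resolves one low-level key, two frontends that derive a key list from a user-level key and stop at the first answer that is not "not found", and macros that pair a frontend with a backend the way the ready-to-use functions are built. The demo_* type and function names, the in-memory rule table, the key-string formats ("uid/0", "ip4/10.0.0.0_8") and the sample inputs are all this example's own assumptions; the library's actual key encoding is not documented on this page.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

/* The four outcomes the page describes. Names and values are this example's own. */
typedef enum { DEMO_ERROR = -1, DEMO_DENY = 0, DEMO_ALLOW = 1, DEMO_NOTFOUND = 2 } demo_result_t;

/* Stand-in for s6_accessrules_params_t: what an ALLOW rule hands back. */
typedef struct { char const *exec; } demo_params_t;

/* Same shapes as s6_accessrules_backend_func_t and s6_accessrules_keycheck_func_t. */
typedef demo_result_t demo_backend_func_t(char const *, size_t, void *, demo_params_t *);
typedef demo_result_t demo_keycheck_func_t(void const *, void *, demo_params_t *, demo_backend_func_t *);

/* Backend: exact lookup of one low-level key in an in-memory rule table (this example's database). */
typedef struct { char const *key; demo_result_t result; char const *exec; } demo_rule_t;
typedef struct { demo_rule_t const *rules; size_t n; } demo_db_t;

static demo_result_t demo_backend_mem(char const *key, size_t keylen, void *handle, demo_params_t *params)
{
  demo_db_t const *db = handle;
  for (size_t i = 0; i < db->n; i++) {
    if (strlen(db->rules[i].key) != keylen || memcmp(db->rules[i].key, key, keylen)) continue;
    if (db->rules[i].result == DEMO_ALLOW && params) params->exec = db->rules[i].exec;
    return db->rules[i].result;
  }
  return DEMO_NOTFOUND;
}

/* Frontend for a uid/gid pair: tries the uid, then the gid, then a default key.
   The key strings are this example's convention, not necessarily the library's. */
typedef struct { uid_t uid; gid_t gid; } demo_uidgid_t;

static demo_result_t demo_keycheck_uidgid(void const *key, void *handle, demo_params_t *params, demo_backend_func_t *backend)
{
  demo_uidgid_t const *ug = key;
  char ku[32], kg[32];
  snprintf(ku, sizeof ku, "uid/%lu", (unsigned long)ug->uid);
  snprintf(kg, sizeof kg, "gid/%lu", (unsigned long)ug->gid);
  char const *keys[] = { ku, kg, "uid/default" };
  for (size_t i = 0; i < sizeof keys / sizeof keys[0]; i++) {
    demo_result_t r = (*backend)(keys[i], strlen(keys[i]), handle, params);
    if (r != DEMO_NOTFOUND) return r;   /* ALLOW, DENY and ERROR all stop the walk */
  }
  return DEMO_NOTFOUND;
}

/* Frontend for IPv4: key is 4 bytes in network byte order. Tries "ip4/A.B.C.D_P" for
   P = 32 down to 0, so the longest matching prefix decides. Format is this example's. */
static demo_result_t demo_keycheck_ip4(void const *key, void *handle, demo_params_t *params, demo_backend_func_t *backend)
{
  unsigned char const *b = key;
  uint32_t addr = ((uint32_t)b[0] << 24) | ((uint32_t)b[1] << 16) | ((uint32_t)b[2] << 8) | b[3];
  for (int p = 32; p >= 0; p--) {
    uint32_t net = p ? addr & (0xffffffffu << (32 - p)) : 0;
    char k[40];
    int len = snprintf(k, sizeof k, "ip4/%u.%u.%u.%u_%d", net >> 24, (net >> 16) & 255u, (net >> 8) & 255u, net & 255u, p);
    demo_result_t r = (*backend)(k, (size_t)len, handle, params);
    if (r != DEMO_NOTFOUND) return r;
  }
  return DEMO_NOTFOUND;
}

/* Ready-to-use pairings, built the way the page says the s6_accessrules_*_cdb / _fs names are. */
#define demo_uidgid_mem(ug, db, params) demo_keycheck_uidgid((ug), (db), (params), &demo_backend_mem)
#define demo_ip4_mem(ip, db, params)    demo_keycheck_ip4((ip), (db), (params), &demo_backend_mem)

/* Constructed rule table: root and group 100 may connect, everyone else is refused;
   10.0.0.0/8 is allowed except the 10.0.5.0/24 subnet. No IPv4 catch-all on purpose. */
static demo_rule_t const demo_rules[] = {
  { "uid/0",           DEMO_ALLOW, "/bin/sh" },
  { "gid/100",         DEMO_ALLOW, "/usr/bin/restricted-shell" },
  { "uid/default",     DEMO_DENY,  0 },
  { "ip4/10.0.0.0_8",  DEMO_ALLOW, 0 },
  { "ip4/10.0.5.0_24", DEMO_DENY,  0 },
};
static demo_db_t const demo_db = { demo_rules, sizeof demo_rules / sizeof demo_rules[0] };

static demo_result_t demo_check_uidgid(uid_t u, gid_t g, demo_params_t *params)
{
  demo_uidgid_t ug = { u, g };
  return demo_uidgid_mem(&ug, (void *)&demo_db, params);
}
static demo_result_t demo_check_ip4(unsigned char const ip[4], demo_params_t *params)
{
  return demo_ip4_mem(ip, (void *)&demo_db, params);
}

/* Caller-side policy: only ALLOW grants. NOTFOUND and ERROR both fail closed. */
static int demo_granted(demo_result_t r) { return r == DEMO_ALLOW; }

int main(void)
{
  demo_params_t p = { 0 };
  unsigned char lan[4] = { 10, 1, 2, 3 }, bad[4] = { 10, 0, 5, 7 }, other[4] = { 192, 168, 1, 1 };
  printf("uid 1000 gid 100: %d, exec=%s\n", demo_check_uidgid(1000, 100, &p), p.exec);
  printf("10.1.2.3 -> %d  10.0.5.7 -> %d  192.168.1.1 -> %d (not found, refused)\n",
         demo_granted(demo_check_ip4(lan, 0)), demo_granted(demo_check_ip4(bad, 0)), demo_granted(demo_check_ip4(other, 0)));
  return 0;
}
```

Two points the code makes explicit that the prose leaves to the reader: the frontend returns the backend's answer on DENY and ERROR as well as ALLOW, so a specific deny rule is never overridden by a broader allow further down the key list; and the decision to refuse on S6_ACCESSRULES_NOTFOUND (and on error) is taken by the caller, not by the library, so a program that forgets it will grant access to anything the database does not mention.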