Index: tools/regression/acltools/02.t =================================================================== --- tools/regression/acltools/02.t (revision 214369) +++ tools/regression/acltools/02.t (working copy) @@ -69,7 +69,11 @@ chmod 600 xxx rm xxx echo "ok 2" -perl $TESTDIR/run $TESTDIR/tools-nfs4.test > /dev/null +if [ `sysctl -n vfs.acl_nfs4_old_semantics` = 0 ]; then + perl $TESTDIR/run $TESTDIR/tools-nfs4-psarc.test > /dev/null +else + perl $TESTDIR/run $TESTDIR/tools-nfs4.test > /dev/null +fi if [ $? -eq 0 ]; then echo "ok 3" Index: tools/regression/acltools/tools-nfs4-psarc.test =================================================================== --- tools/regression/acltools/tools-nfs4-psarc.test (revision 214369) +++ tools/regression/acltools/tools-nfs4-psarc.test (working copy) @@ -28,7 +28,7 @@ # This is a tools-level test for NFSv4 ACL functionality. Run it as root # using ACL-enabled kernel: # -# /usr/src/tools/regression/acltools/run /usr/src/tools/regression/acltools/tools-nfs4.test +# /usr/src/tools/regression/acltools/run /usr/src/tools/regression/acltools/tools-nfs4-psarc.test # # WARNING: Creates files in unsafe way. @@ -42,19 +42,13 @@ $ getfacl xxx > # file: xxx > # owner: root > # group: wheel -> owner@:--x-----------:------:deny -> owner@:rw-p---A-W-Co-:------:allow -> group@:-wxp----------:------:deny -> group@:r-------------:------:allow -> everyone@:-wxp---A-W-Co-:------:deny +> owner@:rw-p--aARWcCos:------:allow +> group@:r-----a-R-c--s:------:allow > everyone@:r-----a-R-c--s:------:allow $ getfacl -q xxx -> owner@:--x-----------:------:deny -> owner@:rw-p---A-W-Co-:------:allow -> group@:-wxp----------:------:deny -> group@:r-------------:------:allow -> everyone@:-wxp---A-W-Co-:------:deny +> owner@:rw-p--aARWcCos:------:allow +> group@:r-----a-R-c--s:------:allow > everyone@:r-----a-R-c--s:------:allow # Check verbose mode formatting. @@ -62,11 +56,8 @@ $ getfacl -v xxx > # file: xxx > # owner: root > # group: wheel -> owner@:execute::deny -> owner@:read_data/write_data/append_data/write_attributes/write_xattr/write_acl/write_owner::allow -> group@:write_data/execute/append_data::deny -> group@:read_data::allow -> everyone@:write_data/execute/append_data/write_attributes/write_xattr/write_acl/write_owner::deny +> owner@:read_data/write_data/append_data/read_attributes/write_attributes/read_xattr/write_xattr/read_acl/write_acl/write_owner/synchronize::allow +> group@:read_data/read_attributes/read_xattr/read_acl/synchronize::allow > everyone@:read_data/read_attributes/read_xattr/read_acl/synchronize::allow # Test setfacl -a. @@ -75,13 +66,10 @@ $ getfacl -n xxx > # file: xxx > # owner: root > # group: wheel -> owner@:--x-----------:------:deny -> owner@:rw-p---A-W-Co-:------:allow +> owner@:rw-p--aARWcCos:------:allow +> group@:r-----a-R-c--s:------:allow > user:0:-----------C--:------:allow > group:1:----------c---:------:deny -> group@:-wxp----------:------:deny -> group@:r-------------:------:allow -> everyone@:-wxp---A-W-Co-:------:deny > everyone@:r-----a-R-c--s:------:allow # Test user and group name resolving. @@ -92,13 +80,10 @@ $ getfacl xxx > # file: xxx > # owner: root > # group: wheel -> owner@:--x-----------:------:deny -> owner@:rw-p---A-W-Co-:------:allow +> owner@:rw-p--aARWcCos:------:allow +> group@:r-----a-R-c--s:------:allow > user:root:-----------C--:------:allow > group:daemon:----------c---:------:deny -> group@:-wxp----------:------:deny -> group@:r-------------:------:allow -> everyone@:-wxp---A-W-Co-:------:deny > everyone@:r-----a-R-c--s:------:allow # Check whether ls correctly marks files with "+". @@ -106,17 +91,14 @@ $ ls -l xxx | cut -d' ' -f1 > -rw-r--r--+ # Test removing entries by number. -$ setfacl -x 4 xxx -$ setfacl -x 4 xxx +$ setfacl -x 1 xxx $ getfacl -n xxx > # file: xxx > # owner: root > # group: wheel -> owner@:--x-----------:------:deny -> owner@:rw-p---A-W-Co-:------:allow +> owner@:rw-p--aARWcCos:------:allow > user:0:-----------C--:------:allow > group:1:----------c---:------:deny -> everyone@:-wxp---A-W-Co-:------:deny > everyone@:r-----a-R-c--s:------:allow # Test setfacl -m. @@ -131,11 +113,9 @@ $ getfacl -n xxx > everyone@:--------------:------:deny > everyone@:--------------:------:deny > everyone@:--------------:------:deny -> owner@:--x-----------:------:deny -> owner@:rw-p---A-W-Co-:------:allow +> owner@:rw-p--aARWcCos:------:allow > user:0:-----------C--:------:allow > group:1:----------c---:------:deny -> everyone@:--------------:------:deny > everyone@:r-----a-R-c--s:------:allow # Test getfacl -i. @@ -146,11 +126,9 @@ $ getfacl -i xxx > everyone@:--------------:------:deny > everyone@:--------------:------:deny > everyone@:--------------:------:deny -> owner@:--x-----------:------:deny -> owner@:rw-p---A-W-Co-:------:allow +> owner@:rw-p--aARWcCos:------:allow > user:root:-----------C--:------:allow:0 > group:daemon:----------c---:------:deny:1 -> everyone@:--------------:------:deny > everyone@:r-----a-R-c--s:------:allow # Make sure cp without any flags does not copy copy the ACL. @@ -168,11 +146,9 @@ $ getfacl -n yyy > everyone@:--------------:------:deny > everyone@:--------------:------:deny > everyone@:--------------:------:deny -> owner@:--x-----------:------:deny -> owner@:rw-p---A-W-Co-:------:allow +> owner@:rw-p--aARWcCos:------:allow > user:0:-----------C--:------:allow > group:1:----------c---:------:deny -> everyone@:--------------:------:deny > everyone@:r-----a-R-c--s:------:allow $ rm yyy @@ -183,8 +159,7 @@ $ getfacl -n xxx > # file: xxx > # owner: root > # group: wheel -> owner@:--x-----------:------:deny -> owner@:rw-p---A-W-Co-:------:allow +> owner@:rw-p--aARWcCos:------:allow > user:0:-----------C--:------:allow > group:1:----------c---:------:deny > everyone@:r-----a-R-c--s:------:allow @@ -195,11 +170,8 @@ $ getfacl -n xxx > # file: xxx > # owner: root > # group: wheel -> owner@:--x-----------:------:deny -> owner@:rw-p---A-W-Co-:------:allow -> group@:-wxp----------:------:deny -> group@:r-------------:------:allow -> everyone@:-wxp---A-W-Co-:------:deny +> owner@:rw-p--aARWcCos:------:allow +> group@:r-----a-R-c--s:------:allow > everyone@:r-----a-R-c--s:------:allow $ ls -l xxx | cut -d' ' -f1 @@ -226,29 +198,20 @@ $ getfacl -nq nnn xxx yyy zzz > getfacl: nnn: stat() failed: No such file or directory > user:42:--x-----------:------:allow > group:43:-w------------:------:allow -> owner@:--x-----------:------:deny -> owner@:rw-p---A-W-Co-:------:allow -> group@:-wxp----------:------:deny -> group@:r-------------:------:allow -> everyone@:-wxp---A-W-Co-:------:deny +> owner@:rw-p--aARWcCos:------:allow +> group@:r-----a-R-c--s:------:allow > everyone@:r-----a-R-c--s:------:allow > > user:42:--x-----------:------:allow > group:43:-w------------:------:allow -> owner@:--x-----------:------:deny -> owner@:rw-p---A-W-Co-:------:allow -> group@:-wxp----------:------:deny -> group@:r-------------:------:allow -> everyone@:-wxp---A-W-Co-:------:deny +> owner@:rw-p--aARWcCos:------:allow +> group@:r-----a-R-c--s:------:allow > everyone@:r-----a-R-c--s:------:allow > > user:42:--x-----------:------:allow > group:43:-w------------:------:allow -> owner@:--x-----------:------:deny -> owner@:rw-p---A-W-Co-:------:allow -> group@:-wxp----------:------:deny -> group@:r-------------:------:allow -> everyone@:-wxp---A-W-Co-:------:deny +> owner@:rw-p--aARWcCos:------:allow +> group@:r-----a-R-c--s:------:allow > everyone@:r-----a-R-c--s:------:allow $ setfacl -b nnn xxx yyy zzz @@ -270,25 +233,12 @@ $ getfacl -n xxx > # file: xxx > # owner: root > # group: wheel -> user:42:r-------------:------:deny -> user:42:r-------------:------:allow -> user:43:-w------------:------:deny -> user:43:-w------------:------:allow -> user:44:--x-----------:------:deny -> user:44:--x-----------:------:allow -> owner@:--------------:------:deny -> owner@:-------A-W-Co-:------:allow -> group@:--------------:------:deny -> group@:--------------:------:allow -> everyone@:-------A-W-Co-:------:deny -> owner@:--x-----------:------:deny -> owner@:rw-p---A-W-Co-:------:allow -> group@:rwxp----------:------:deny -> group@:--------------:------:allow -> everyone@:rwxp---A-W-Co-:------:deny +> owner@:rw-p--aARWcCos:------:allow +> group@:------a-R-c--s:------:allow > everyone@:------a-R-c--s:------:allow + $ ls -l xxx | cut -d' ' -f1 -> -rw-------+ +> -rw------- $ rm xxx $ touch xxx @@ -299,20 +249,11 @@ $ getfacl -n xxx > # file: xxx > # owner: 42 > # group: wheel -> user:42:--------------:------:deny -> user:42:r-------------:------:allow -> user:43:-w------------:------:deny -> user:43:-w------------:------:allow -> user:44:--x-----------:------:deny -> user:44:--x-----------:------:allow -> owner@:--x-----------:------:deny -> owner@:rw-p---A-W-Co-:------:allow -> group@:rwxp----------:------:deny -> group@:--------------:------:allow -> everyone@:rwxp---A-W-Co-:------:deny +> owner@:rw-p--aARWcCos:------:allow +> group@:------a-R-c--s:------:allow > everyone@:------a-R-c--s:------:allow $ ls -l xxx | cut -d' ' -f1 -> -rw-------+ +> -rw------- $ rm xxx $ touch xxx @@ -323,20 +264,13 @@ $ getfacl -n xxx > # file: xxx > # owner: 43 > # group: wheel -> user:42:r-------------:------:deny -> user:42:r-------------:------:allow -> user:43:-w------------:------:deny -> user:43:-w------------:------:allow -> user:44:--x-----------:------:deny -> user:44:--x-----------:------:allow > owner@:rw-p----------:------:deny -> owner@:--x----A-W-Co-:------:allow -> group@:r-x-----------:------:deny -> group@:-w-p----------:------:allow -> everyone@:-wxp---A-W-Co-:------:deny +> group@:r-------------:------:deny +> owner@:--x---aARWcCos:------:allow +> group@:-w-p--a-R-c--s:------:allow > everyone@:r-----a-R-c--s:------:allow $ ls -l xxx | cut -d' ' -f1 -> ---x-w-r--+ +> ---x-w-r-- $ rm xxx $ touch xxx @@ -347,20 +281,13 @@ $ getfacl -n xxx > # file: xxx > # owner: 43 > # group: wheel -> user:42:r-------------:------:deny -> user:42:r-------------:------:allow -> user:43:-w------------:------:deny -> user:43:-w------------:------:allow -> user:44:--------------:------:deny -> user:44:--x-----------:------:allow > owner@:-wxp----------:------:deny -> owner@:r------A-W-Co-:------:allow -> group@:rw-p----------:------:deny -> group@:--x-----------:------:allow -> everyone@:r-x----A-W-Co-:------:deny +> group@:-w-p----------:------:deny +> owner@:r-----aARWcCos:------:allow +> group@:--x---a-R-c--s:------:allow > everyone@:-w-p--a-R-c--s:------:allow $ ls -l xxx | cut -d' ' -f1 -> -r----x-w-+ +> -r----x-w- $ mkdir ddd $ setfacl -a0 group:44:rwapd:allow ddd @@ -376,143 +303,19 @@ $ getfacl -n ddd > group:43:-w--D---------:-d----:deny > group@:-----da-------:------:allow > group:44:rw-p-da-------:------:allow -> owner@:--------------:------:deny -> owner@:rwxp---A-W-Co-:------:allow -> group@:-w-p----------:------:deny -> group@:r-x-----------:------:allow -> everyone@:-w-p---A-W-Co-:------:deny +> owner@:rwxp--aARWcCos:------:allow +> group@:r-x---a-R-c--s:------:allow > everyone@:-w-p--a-R-c--s:f-i---:allow + $ chmod 777 ddd $ getfacl -n ddd > # file: ddd > # owner: root > # group: wheel -> user:42:r-x-----------:f-i---:allow -> group:42:-w--D---------:-di---:allow -> group:42:--------------:------:deny -> group:42:-w--D---------:------:allow -> group:43:-w--D---------:-di---:deny -> group:43:-w--D---------:------:deny -> group@:-----da-------:------:allow -> group:44:--------------:------:deny -> group:44:rw-p-da-------:------:allow -> owner@:--------------:------:deny -> owner@:-------A-W-Co-:------:allow -> group@:--------------:------:deny -> group@:--------------:------:allow -> everyone@:-------A-W-Co-:------:deny -> everyone@:-w-p--a-R-c--s:f-i---:allow -> owner@:--------------:------:deny -> owner@:rwxp---A-W-Co-:------:allow -> group@:--------------:------:deny -> group@:rwxp----------:------:allow -> everyone@:-------A-W-Co-:------:deny +> owner@:rwxp--aARWcCos:------:allow +> group@:rwxp--a-R-c--s:------:allow > everyone@:rwxp--a-R-c--s:------:allow -$ rmdir ddd -$ mkdir ddd -$ setfacl -a0 group:44:rwapd:allow ddd -$ setfacl -a0 group:43:write_data/delete_child:d:deny,group@:ad:allow ddd -$ setfacl -a0 user:42:rx:fi:allow,group:42:write_data/delete_child:d:allow ddd -$ setfacl -m everyone@:-w-p--a-R-c--s:fi:allow ddd -$ chmod 124 ddd -$ getfacl -n ddd -> # file: ddd -> # owner: root -> # group: wheel -> user:42:r-x-----------:f-i---:allow -> group:42:-w--D---------:-di---:allow -> group:42:--------------:------:deny -> group:42:----D---------:------:allow -> group:43:-w--D---------:-di---:deny -> group:43:-w--D---------:------:deny -> group@:-----da-------:------:allow -> group:44:r-------------:------:deny -> group:44:r----da-------:------:allow -> owner@:--------------:------:deny -> owner@:-------A-W-Co-:------:allow -> group@:--------------:------:deny -> group@:--------------:------:allow -> everyone@:-------A-W-Co-:------:deny -> everyone@:-w-p--a-R-c--s:f-i---:allow -> owner@:rw-p----------:------:deny -> owner@:--x----A-W-Co-:------:allow -> group@:r-x-----------:------:deny -> group@:-w-p----------:------:allow -> everyone@:-wxp---A-W-Co-:------:deny -> everyone@:r-----a-R-c--s:------:allow - -$ rmdir ddd -$ mkdir ddd -$ setfacl -a0 group:44:rwapd:allow ddd -$ setfacl -a0 group:43:write_data/delete_child:d:deny,group@:ad:allow ddd -$ setfacl -a0 user:42:rx:allow,user:42:rx:fi:allow,group:42:write_data/delete_child:d:allow ddd -$ setfacl -m everyone@:-w-p--a-R-c--s:fi:allow ddd -$ chmod 412 ddd -$ getfacl -n ddd -> # file: ddd -> # owner: root -> # group: wheel -> user:42:r-------------:------:deny -> user:42:r-x-----------:------:allow -> user:42:r-x-----------:f-i---:allow -> group:42:-w--D---------:-di---:allow -> group:42:-w------------:------:deny -> group:42:-w--D---------:------:allow -> group:43:-w--D---------:-di---:deny -> group:43:-w--D---------:------:deny -> group@:-----da-------:------:allow -> group:44:rw-p----------:------:deny -> group:44:rw-p-da-------:------:allow -> owner@:--------------:------:deny -> owner@:-------A-W-Co-:------:allow -> group@:--------------:------:deny -> group@:--------------:------:allow -> everyone@:-------A-W-Co-:------:deny -> everyone@:-w-p--a-R-c--s:f-i---:allow -> owner@:-wxp----------:------:deny -> owner@:r------A-W-Co-:------:allow -> group@:rw-p----------:------:deny -> group@:--x-----------:------:allow -> everyone@:r-x----A-W-Co-:------:deny -> everyone@:-w-p--a-R-c--s:------:allow - -$ rmdir ddd -$ mkdir ddd -$ setfacl -a0 group:44:rwapd:allow ddd -$ setfacl -a0 group:43:write_data/delete_child:d:deny,group@:ad:allow ddd -$ setfacl -a0 user:42:rx:allow,user:42:rx:fi:allow,group:42:write_data/delete_child:d:allow ddd -$ setfacl -m everyone@:-w-p--a-R-c--s:fi:allow ddd -$ chown 42 ddd -$ chmod 412 ddd -$ getfacl -n ddd -> # file: ddd -> # owner: 42 -> # group: wheel -> user:42:--x-----------:------:deny -> user:42:r-x-----------:------:allow -> user:42:r-x-----------:f-i---:allow -> group:42:-w--D---------:-di---:allow -> group:42:-w------------:------:deny -> group:42:-w--D---------:------:allow -> group:43:-w--D---------:-di---:deny -> group:43:-w--D---------:------:deny -> group@:-----da-------:------:allow -> group:44:rw-p----------:------:deny -> group:44:rw-p-da-------:------:allow -> owner@:--------------:------:deny -> owner@:-------A-W-Co-:------:allow -> group@:--------------:------:deny -> group@:--------------:------:allow -> everyone@:-------A-W-Co-:------:deny -> everyone@:-w-p--a-R-c--s:f-i---:allow -> owner@:-wxp----------:------:deny -> owner@:r------A-W-Co-:------:allow -> group@:rw-p----------:------:deny -> group@:--x-----------:------:allow -> everyone@:r-x----A-W-Co-:------:deny -> everyone@:-w-p--a-R-c--s:------:allow - # Test applying ACL to mode. $ rmdir ddd $ mkdir ddd @@ -527,7 +330,6 @@ $ setfacl -a0 owner@:r:allow,group@:w:deny,group@: $ ls -ld ddd | cut -d' ' -f1 > dr----x---+ -# XXX: This one is fishy. Shouldn't it be "dr---wx---+"? $ rmdir ddd $ mkdir ddd $ chmod 0 ddd @@ -565,129 +367,96 @@ $ getfacl -qn ddd > group:42:-w--D---------:-d-n--:deny > group:43:-w---------C--:f-in--:deny > user:43:rwxp----------:------:allow -> owner@:--------------:------:deny -> owner@:rwxp---A-W-Co-:------:allow -> group@:-w-p----------:------:deny -> group@:r-x-----------:------:allow -> everyone@:-w-p---A-W-Co-:------:deny +> owner@:rwxp--aARWcCos:------:allow +> group@:r-x---a-R-c--s:------:allow > everyone@:r-x---a-R-c--s:------:allow $ cd ddd $ touch xxx $ getfacl -qn xxx -> user:41:-w------------:------:deny -> user:41:-w-----A------:------:allow -> user:42:--------------:------:deny +> user:41:--------------:------:allow > user:42:--------------:------:allow -> user:42:--x-----------:------:deny -> user:42:r-x-----------:------:allow +> user:42:r-------------:------:allow > group:43:-w---------C--:------:deny -> owner@:--x-----------:------:deny -> owner@:rw-p---A-W-Co-:------:allow -> group@:-wxp----------:------:deny -> group@:r-------------:------:allow -> everyone@:-wxp---A-W-Co-:------:deny +> owner@:rw-p--aARWcCos:------:allow +> group@:r-----a-R-c--s:------:allow > everyone@:r-----a-R-c--s:------:allow $ rm xxx $ umask 077 $ touch xxx $ getfacl -qn xxx -> user:41:-w------------:------:deny -> user:41:-w-----A------:------:allow -> user:42:--------------:------:deny +> user:41:--------------:------:allow > user:42:--------------:------:allow -> user:42:r-x-----------:------:deny -> user:42:r-x-----------:------:allow +> user:42:--------------:------:allow > group:43:-w---------C--:------:deny -> owner@:--x-----------:------:deny -> owner@:rw-p---A-W-Co-:------:allow -> group@:rwxp----------:------:deny -> group@:--------------:------:allow -> everyone@:rwxp---A-W-Co-:------:deny +> owner@:rw-p--aARWcCos:------:allow +> group@:------a-R-c--s:------:allow > everyone@:------a-R-c--s:------:allow $ rm xxx $ umask 770 $ touch xxx $ getfacl -qn xxx -> user:41:-w------------:------:deny -> user:41:-w-----A------:------:allow -> user:42:--------------:------:deny +> owner@:rw-p----------:------:deny +> group@:rw-p----------:------:deny +> user:41:--------------:------:allow > user:42:--------------:------:allow -> user:42:r-x-----------:------:deny -> user:42:r-x-----------:------:allow +> user:42:--------------:------:allow > group:43:-w---------C--:------:deny -> owner@:rwxp----------:------:deny -> owner@:-------A-W-Co-:------:allow -> group@:rwxp----------:------:deny -> group@:--------------:------:allow -> everyone@:--x----A-W-Co-:------:deny +> owner@:------aARWcCos:------:allow +> group@:------a-R-c--s:------:allow > everyone@:rw-p--a-R-c--s:------:allow $ rm xxx $ umask 707 $ touch xxx $ getfacl -qn xxx -> user:41:--------------:------:deny -> user:41:-w-----A------:------:allow -> user:42:--------------:------:deny +> owner@:rw-p----------:------:deny +> user:41:-w------------:------:allow > user:42:--------------:------:allow -> user:42:--x-----------:------:deny -> user:42:r-x-----------:------:allow +> user:42:r-------------:------:allow > group:43:-w---------C--:------:deny -> owner@:rwxp----------:------:deny -> owner@:-------A-W-Co-:------:allow -> group@:--x-----------:------:deny -> group@:rw-p----------:------:allow -> everyone@:rwxp---A-W-Co-:------:deny +> owner@:------aARWcCos:------:allow +> group@:rw-p--a-R-c--s:------:allow > everyone@:------a-R-c--s:------:allow $ umask 077 $ mkdir yyy $ getfacl -qn yyy -> group:41:r-------------:------:deny -> group:41:r-----a-------:------:allow -> user:42:-----------Co-:f-i---:allow -> user:42:r-x-----------:f-i---:allow +> group:41:------a-------:------:allow +> user:42:--------------:f-i---:allow +> user:42:--------------:f-i---:allow > group:42:-w--D---------:------:deny -> owner@:--------------:------:deny -> owner@:rwxp---A-W-Co-:------:allow -> group@:rwxp----------:------:deny -> group@:--------------:------:allow -> everyone@:rwxp---A-W-Co-:------:deny +> owner@:rwxp--aARWcCos:------:allow +> group@:------a-R-c--s:------:allow > everyone@:------a-R-c--s:------:allow $ rmdir yyy $ umask 770 $ mkdir yyy $ getfacl -qn yyy -> group:41:r-------------:------:deny -> group:41:r-----a-------:------:allow -> user:42:-----------Co-:f-i---:allow -> user:42:r-x-----------:f-i---:allow -> group:42:-w--D---------:------:deny > owner@:rwxp----------:------:deny -> owner@:-------A-W-Co-:------:allow > group@:rwxp----------:------:deny -> group@:--------------:------:allow -> everyone@:-------A-W-Co-:------:deny +> group:41:------a-------:------:allow +> user:42:--------------:f-i---:allow +> user:42:--------------:f-i---:allow +> group:42:-w--D---------:------:deny +> owner@:------aARWcCos:------:allow +> group@:------a-R-c--s:------:allow > everyone@:rwxp--a-R-c--s:------:allow $ rmdir yyy $ umask 707 $ mkdir yyy $ getfacl -qn yyy -> group:41:--------------:------:deny -> group:41:------a-------:------:allow -> user:42:-----------Co-:f-i---:allow +> owner@:rwxp----------:------:deny +> group:41:r-----a-------:------:allow +> user:42:--------------:f-i---:allow > user:42:r-x-----------:f-i---:allow > group:42:-w--D---------:------:deny -> owner@:rwxp----------:------:deny -> owner@:-------A-W-Co-:------:allow -> group@:--------------:------:deny -> group@:rwxp----------:------:allow -> everyone@:rwxp---A-W-Co-:------:deny +> owner@:------aARWcCos:------:allow +> group@:rwxp--a-R-c--s:------:allow > everyone@:------a-R-c--s:------:allow # There is some complication regarding how write_acl and write_owner flags @@ -709,59 +478,33 @@ $ umask 022 $ rm xxx $ touch xxx $ getfacl -nq xxx -> user:53:--------------:------:deny > user:53:--------------:------:allow -> user:51:--------------:------:deny > user:51:--------------:------:allow -> user:50:--------------:------:deny > user:50:--------------:------:allow -> user:48:--------------:------:deny > user:48:--------------:------:allow -> user:47:--------------:------:deny > user:47:--------------:------:allow -> user:45:--------------:------:deny > user:45:--------------:------:allow -> user:44:--------------:------:deny > user:44:--------------:------:allow -> user:42:--------------:------:deny > user:42:--------------:------:allow -> owner@:--x-----------:------:deny -> owner@:rw-p---A-W-Co-:------:allow -> group@:-wxp----------:------:deny -> group@:r-------------:------:allow -> everyone@:-wxp---A-W-Co-:------:deny +> owner@:rw-p--aARWcCos:------:allow +> group@:r-----a-R-c--s:------:allow > everyone@:r-----a-R-c--s:------:allow $ rmdir yyy $ mkdir yyy $ getfacl -nq yyy -> user:53:--------------:------:deny > user:53:--------------:------:allow -> user:52:--------------:------:deny > user:52:--------------:------:allow -> user:50:--------------:------:deny > user:50:--------------:------:allow -> user:49:--------------:------:deny > user:49:--------------:------:allow -> user:47:-----------Co-:fdi---:allow -> user:47:--------------:------:deny -> user:47:--------------:------:allow -> user:46:-----------Co-:-di---:allow -> user:46:--------------:------:deny -> user:46:--------------:------:allow -> user:45:-----------Co-:f-i---:allow -> user:44:-----------Co-:fdi---:allow -> user:44:--------------:------:deny -> user:44:--------------:------:allow -> user:43:-----------Co-:-di---:allow -> user:43:--------------:------:deny -> user:43:--------------:------:allow -> user:42:-----------Co-:f-i---:allow -> owner@:--------------:------:deny -> owner@:rwxp---A-W-Co-:------:allow -> group@:-w-p----------:------:deny -> group@:r-x-----------:------:allow -> everyone@:-w-p---A-W-Co-:------:deny +> user:47:--------------:fdi---:allow +> user:46:--------------:-di---:allow +> user:45:--------------:f-i---:allow +> user:44:--------------:fd----:allow +> user:43:--------------:-d----:allow +> user:42:--------------:f-i---:allow +> owner@:rwxp--aARWcCos:------:allow +> group@:r-x---a-R-c--s:------:allow > everyone@:r-x---a-R-c--s:------:allow $ setfacl -b . @@ -789,11 +532,8 @@ $ getfacl -nq xxx > user:45:-----------Co-:------:deny > user:44:-----------Co-:------:deny > user:42:-----------Co-:------:deny -> owner@:--x-----------:------:deny -> owner@:rw-p---A-W-Co-:------:allow -> group@:-wxp----------:------:deny -> group@:r-------------:------:allow -> everyone@:-wxp---A-W-Co-:------:deny +> owner@:rw-p--aARWcCos:------:allow +> group@:r-----a-R-c--s:------:allow > everyone@:r-----a-R-c--s:------:allow $ rmdir yyy @@ -804,20 +544,13 @@ $ getfacl -nq yyy > user:50:-----------Co-:------:deny > user:49:-----------Co-:------:deny > user:47:-----------Co-:fdi---:deny -> user:47:-----------Co-:------:deny > user:46:-----------Co-:-di---:deny -> user:46:-----------Co-:------:deny > user:45:-----------Co-:f-i---:deny -> user:44:-----------Co-:fdi---:deny -> user:44:-----------Co-:------:deny -> user:43:-----------Co-:-di---:deny -> user:43:-----------Co-:------:deny +> user:44:-----------Co-:fd----:deny +> user:43:-----------Co-:-d----:deny > user:42:-----------Co-:f-i---:deny -> owner@:--------------:------:deny -> owner@:rwxp---A-W-Co-:------:allow -> group@:-w-p----------:------:deny -> group@:r-x-----------:------:allow -> everyone@:-w-p---A-W-Co-:------:deny +> owner@:rwxp--aARWcCos:------:allow +> group@:r-x---a-R-c--s:------:allow > everyone@:r-x---a-R-c--s:------:allow $ rmdir yyy Index: lib/libc/posix1e/acl_is_trivial_np.3 =================================================================== --- lib/libc/posix1e/acl_is_trivial_np.3 (revision 214369) +++ lib/libc/posix1e/acl_is_trivial_np.3 (working copy) @@ -56,7 +56,9 @@ ACL is trivial if it can be fully expressed as a f any access rules. For POSIX.1e ACLs, ACL is trivial if it has the three required entries, one for owner, one for owning group, and one for other. -For NFSv4 ACLs, ACL is trivial if it has the "canonical six" entries. +For NFSv4 ACLs, ACL is trivial if is identical to the ACL generated by +.Fn acl_strip_np 3 +from the file mode. Files that have non-trivial ACL have a plus sign appended after mode bits in "ls -l" output. .Sh RETURN VALUES Index: lib/libc/posix1e/acl_strip.c =================================================================== --- lib/libc/posix1e/acl_strip.c (revision 214369) +++ lib/libc/posix1e/acl_strip.c (working copy) @@ -141,7 +141,7 @@ acl_strip_np(const acl_t aclp, int recalculate_mas { switch (_acl_brand(aclp)) { case ACL_BRAND_NFS4: - return (_nfs4_acl_strip_np(aclp, 1)); + return (_nfs4_acl_strip_np(aclp, 0)); case ACL_BRAND_POSIX: return (_posix1e_acl_strip_np(aclp, recalculate_mask)); Index: sys/kern/subr_acl_nfs4.c =================================================================== --- sys/kern/subr_acl_nfs4.c (revision 214369) +++ sys/kern/subr_acl_nfs4.c (working copy) @@ -1,5 +1,5 @@ /*- - * Copyright (c) 2008-2009 Edward Tomasz Napierała + * Copyright (c) 2008-2010 Edward Tomasz Napierała * All rights reserved. * * Redistribution and use in source and binary forms, with or without @@ -41,6 +41,7 @@ __FBSDID("$FreeBSD$"); #include #include #include +#include #include #else #include @@ -49,10 +50,18 @@ __FBSDID("$FreeBSD$"); #include #define KASSERT(a, b) assert(a) #define CTASSERT(a) -#endif /* _KERNEL */ +void acl_nfs4_trivial_from_mode(struct acl *aclp, mode_t mode); + +#endif /* !_KERNEL */ + +static int acl_nfs4_old_semantics = 1; + #ifdef _KERNEL +SYSCTL_INT(_vfs, OID_AUTO, acl_nfs4_old_semantics, CTLFLAG_RW, + &acl_nfs4_old_semantics, 1, "Use pre-PSARC/2010/029 NFSv4 ACL semantics"); + static struct { accmode_t accmode; int mask; @@ -349,64 +358,10 @@ _acl_duplicate_entry(struct acl *aclp, int entry_i return (&(aclp->acl_entry[entry_index + 1])); } -/* - * Calculate trivial ACL in a manner compatible with PSARC/2010/029. - * Note that this results in an ACL different from (but semantically - * equal to) the "canonical six" trivial ACL computed using algorithm - * described in draft-ietf-nfsv4-minorversion1-03.txt, 3.16.6.2. - */ -void -acl_nfs4_trivial_from_mode(struct acl *aclp, mode_t mode) +static void +acl_nfs4_sync_acl_from_mode_draft(struct acl *aclp, mode_t mode, + int file_owner_id) { - acl_perm_t user_allow_first = 0, user_deny = 0, group_deny = 0; - acl_perm_t user_allow, group_allow, everyone_allow; - - KASSERT(aclp->acl_cnt == 0, ("aclp->acl_cnt == 0")); - - user_allow = group_allow = everyone_allow = ACL_READ_ACL | - ACL_READ_ATTRIBUTES | ACL_READ_NAMED_ATTRS | ACL_SYNCHRONIZE; - user_allow |= ACL_WRITE_ACL | ACL_WRITE_OWNER | ACL_WRITE_ATTRIBUTES | - ACL_WRITE_NAMED_ATTRS; - - if (mode & S_IRUSR) - user_allow |= ACL_READ_DATA; - if (mode & S_IWUSR) - user_allow |= (ACL_WRITE_DATA | ACL_APPEND_DATA); - if (mode & S_IXUSR) - user_allow |= ACL_EXECUTE; - - if (mode & S_IRGRP) - group_allow |= ACL_READ_DATA; - if (mode & S_IWGRP) - group_allow |= (ACL_WRITE_DATA | ACL_APPEND_DATA); - if (mode & S_IXGRP) - group_allow |= ACL_EXECUTE; - - if (mode & S_IROTH) - everyone_allow |= ACL_READ_DATA; - if (mode & S_IWOTH) - everyone_allow |= (ACL_WRITE_DATA | ACL_APPEND_DATA); - if (mode & S_IXOTH) - everyone_allow |= ACL_EXECUTE; - - user_deny = ((group_allow | everyone_allow) & ~user_allow); - group_deny = everyone_allow & ~group_allow; - user_allow_first = group_deny & ~user_deny; - - if (user_allow_first != 0) - _acl_append(aclp, ACL_USER_OBJ, user_allow_first, ACL_ENTRY_TYPE_ALLOW); - if (user_deny != 0) - _acl_append(aclp, ACL_USER_OBJ, user_deny, ACL_ENTRY_TYPE_DENY); - if (group_deny != 0) - _acl_append(aclp, ACL_GROUP_OBJ, group_deny, ACL_ENTRY_TYPE_DENY); - _acl_append(aclp, ACL_USER_OBJ, user_allow, ACL_ENTRY_TYPE_ALLOW); - _acl_append(aclp, ACL_GROUP_OBJ, group_allow, ACL_ENTRY_TYPE_ALLOW); - _acl_append(aclp, ACL_EVERYONE, everyone_allow, ACL_ENTRY_TYPE_ALLOW); -} - -void -acl_nfs4_sync_acl_from_mode(struct acl *aclp, mode_t mode, int file_owner_id) -{ int i, meets, must_append; struct acl_entry *entry, *copy, *previous, *a1, *a2, *a3, *a4, *a5, *a6; @@ -749,6 +704,17 @@ _acl_duplicate_entry(struct acl *aclp, int entry_i } void +acl_nfs4_sync_acl_from_mode(struct acl *aclp, mode_t mode, + int file_owner_id) +{ + + if (acl_nfs4_old_semantics) + acl_nfs4_sync_acl_from_mode_draft(aclp, mode, file_owner_id); + else + acl_nfs4_trivial_from_mode(aclp, mode); +} + +void acl_nfs4_sync_mode_from_acl(mode_t *_mode, const struct acl *aclp) { int i; @@ -871,8 +837,12 @@ acl_nfs4_sync_mode_from_acl(mode_t *_mode, const s *_mode = mode | (old_mode & ACL_PRESERVE_MASK); } -void -acl_nfs4_compute_inherited_acl(const struct acl *parent_aclp, +/* + * Calculate inherited ACL in a manner compatible with NFSv4 Minor Version 1, + * draft-ietf-nfsv4-minorversion1-03.txt. + */ +static void +acl_nfs4_compute_inherited_acl_draft(const struct acl *parent_aclp, struct acl *child_aclp, mode_t mode, int file_owner_id, int is_directory) { @@ -1031,6 +1001,213 @@ acl_nfs4_sync_mode_from_acl(mode_t *_mode, const s acl_nfs4_sync_acl_from_mode(child_aclp, mode, file_owner_id); } +/* + * Populate the ACL with entries inherited from parent_aclp. + */ +static void +acl_nfs4_inherit_entries(const struct acl *parent_aclp, + struct acl *child_aclp, mode_t mode, int file_owner_id, + int is_directory) +{ + int i, flags, tag; + const struct acl_entry *parent_entry; + struct acl_entry *entry; + + KASSERT(parent_aclp->acl_cnt > 0, ("parent_aclp->acl_cnt > 0")); + KASSERT(parent_aclp->acl_cnt <= ACL_MAX_ENTRIES, + ("parent_aclp->acl_cnt <= ACL_MAX_ENTRIES")); + + for (i = 0; i < parent_aclp->acl_cnt; i++) { + parent_entry = &(parent_aclp->acl_entry[i]); + flags = parent_entry->ae_flags; + tag = parent_entry->ae_tag; + + /* + * Don't inherit owner@, group@, or everyone@ entries. + */ + if (tag == ACL_USER_OBJ || tag == ACL_GROUP_OBJ || + tag == ACL_EVERYONE) + continue; + + /* + * Entry is not inheritable at all. + */ + if ((flags & (ACL_ENTRY_DIRECTORY_INHERIT | + ACL_ENTRY_FILE_INHERIT)) == 0) + continue; + + /* + * We're creating a file, but entry is not inheritable + * by files. + */ + if (!is_directory && (flags & ACL_ENTRY_FILE_INHERIT) == 0) + continue; + + /* + * Entry is inheritable only by files, but has NO_PROPAGATE + * flag set, and we're creating a directory, so it wouldn't + * propagate to any file in that directory anyway. + */ + if (is_directory && + (flags & ACL_ENTRY_DIRECTORY_INHERIT) == 0 && + (flags & ACL_ENTRY_NO_PROPAGATE_INHERIT)) + continue; + + /* + * Entry qualifies for being inherited. + */ + KASSERT(child_aclp->acl_cnt + 1 <= ACL_MAX_ENTRIES, + ("child_aclp->acl_cnt + 1 <= ACL_MAX_ENTRIES")); + entry = &(child_aclp->acl_entry[child_aclp->acl_cnt]); + *entry = *parent_entry; + child_aclp->acl_cnt++; + + /* + * If the type of the ACE is neither ALLOW nor DENY, + * then leave it as it is and proceed to the next one. + */ + if (entry->ae_entry_type != ACL_ENTRY_TYPE_ALLOW && + entry->ae_entry_type != ACL_ENTRY_TYPE_DENY) + continue; + + if (entry->ae_entry_type == ACL_ENTRY_TYPE_ALLOW) { + /* + * Some permissions must never be inherited. + */ + entry->ae_perm &= ~(ACL_WRITE_ACL | ACL_WRITE_OWNER | + ACL_WRITE_NAMED_ATTRS | ACL_WRITE_ATTRIBUTES); + + /* + * Others must be masked according to the file mode. + */ + if ((mode & S_IRGRP) == 0) + entry->ae_perm &= ~ACL_READ_DATA; + if ((mode & S_IWGRP) == 0) + entry->ae_perm &= + ~(ACL_WRITE_DATA | ACL_APPEND_DATA); + if ((mode & S_IXGRP) == 0) + entry->ae_perm &= ~ACL_EXECUTE; + } + + /* + * If the ACL_ENTRY_NO_PROPAGATE_INHERIT is set, or if + * the object being created is not a directory, then clear + * the following flags: ACL_ENTRY_NO_PROPAGATE_INHERIT, + * ACL_ENTRY_FILE_INHERIT, ACL_ENTRY_DIRECTORY_INHERIT, + * ACL_ENTRY_INHERIT_ONLY. + */ + if (entry->ae_flags & ACL_ENTRY_NO_PROPAGATE_INHERIT || + !is_directory) { + entry->ae_flags &= ~(ACL_ENTRY_NO_PROPAGATE_INHERIT | + ACL_ENTRY_FILE_INHERIT | ACL_ENTRY_DIRECTORY_INHERIT | + ACL_ENTRY_INHERIT_ONLY); + } + + /* + * If the object is a directory and ACL_ENTRY_FILE_INHERIT + * is set, but ACL_ENTRY_DIRECTORY_INHERIT is not set, ensure + * that ACL_ENTRY_INHERIT_ONLY is set. + */ + if (is_directory && + (entry->ae_flags & ACL_ENTRY_FILE_INHERIT) && + ((entry->ae_flags & ACL_ENTRY_DIRECTORY_INHERIT) == 0)) { + entry->ae_flags |= ACL_ENTRY_INHERIT_ONLY; + } + } +} + +/* + * Calculate inherited ACL in a manner compatible with PSARC/2010/029. + * It's also being used to calculate a trivial ACL, by inheriting from + * a NULL ACL. + */ +static void +acl_nfs4_compute_inherited_acl_psarc(const struct acl *parent_aclp, + struct acl *aclp, mode_t mode, int file_owner_id, int is_directory) +{ + acl_perm_t user_allow_first = 0, user_deny = 0, group_deny = 0; + acl_perm_t user_allow, group_allow, everyone_allow; + + KASSERT(aclp->acl_cnt == 0, ("aclp->acl_cnt == 0")); + + user_allow = group_allow = everyone_allow = ACL_READ_ACL | + ACL_READ_ATTRIBUTES | ACL_READ_NAMED_ATTRS | ACL_SYNCHRONIZE; + user_allow |= ACL_WRITE_ACL | ACL_WRITE_OWNER | ACL_WRITE_ATTRIBUTES | + ACL_WRITE_NAMED_ATTRS; + + if (mode & S_IRUSR) + user_allow |= ACL_READ_DATA; + if (mode & S_IWUSR) + user_allow |= (ACL_WRITE_DATA | ACL_APPEND_DATA); + if (mode & S_IXUSR) + user_allow |= ACL_EXECUTE; + + if (mode & S_IRGRP) + group_allow |= ACL_READ_DATA; + if (mode & S_IWGRP) + group_allow |= (ACL_WRITE_DATA | ACL_APPEND_DATA); + if (mode & S_IXGRP) + group_allow |= ACL_EXECUTE; + + if (mode & S_IROTH) + everyone_allow |= ACL_READ_DATA; + if (mode & S_IWOTH) + everyone_allow |= (ACL_WRITE_DATA | ACL_APPEND_DATA); + if (mode & S_IXOTH) + everyone_allow |= ACL_EXECUTE; + + user_deny = ((group_allow | everyone_allow) & ~user_allow); + group_deny = everyone_allow & ~group_allow; + user_allow_first = group_deny & ~user_deny; + + if (user_allow_first != 0) + _acl_append(aclp, ACL_USER_OBJ, user_allow_first, + ACL_ENTRY_TYPE_ALLOW); + if (user_deny != 0) + _acl_append(aclp, ACL_USER_OBJ, user_deny, + ACL_ENTRY_TYPE_DENY); + if (group_deny != 0) + _acl_append(aclp, ACL_GROUP_OBJ, group_deny, + ACL_ENTRY_TYPE_DENY); + if (parent_aclp != NULL) + acl_nfs4_inherit_entries(parent_aclp, aclp, mode, + file_owner_id, is_directory); + _acl_append(aclp, ACL_USER_OBJ, user_allow, ACL_ENTRY_TYPE_ALLOW); + _acl_append(aclp, ACL_GROUP_OBJ, group_allow, ACL_ENTRY_TYPE_ALLOW); + _acl_append(aclp, ACL_EVERYONE, everyone_allow, ACL_ENTRY_TYPE_ALLOW); +} + +void +acl_nfs4_compute_inherited_acl(const struct acl *parent_aclp, + struct acl *child_aclp, mode_t mode, int file_owner_id, + int is_directory) +{ + + if (acl_nfs4_old_semantics) + acl_nfs4_compute_inherited_acl_draft(parent_aclp, child_aclp, + mode, file_owner_id, is_directory); + else + acl_nfs4_compute_inherited_acl_psarc(parent_aclp, child_aclp, + mode, file_owner_id, is_directory); +} + +/* + * Calculate trivial ACL in a manner compatible with PSARC/2010/029. + * Note that this results in an ACL different from (but semantically + * equal to) the "canonical six" trivial ACL computed using algorithm + * described in draft-ietf-nfsv4-minorversion1-03.txt, 3.16.6.2. + * + * This routine is not static only because the code is being used in libc. + * Kernel code should call acl_nfs4_sync_acl_from_mode() instead. + */ +void +acl_nfs4_trivial_from_mode(struct acl *aclp, mode_t mode) +{ + + aclp->acl_cnt = 0; + acl_nfs4_compute_inherited_acl_psarc(NULL, aclp, mode, -1, -1); +} + #ifdef _KERNEL static int _acls_are_equal(const struct acl *a, const struct acl *b) @@ -1067,7 +1244,7 @@ acl_nfs4_is_trivial(const struct acl *aclp, int fi mode_t tmpmode = 0; struct acl *tmpaclp; - if (aclp->acl_cnt != 6) + if (aclp->acl_cnt > 6) return (0); /* @@ -1078,11 +1255,24 @@ acl_nfs4_is_trivial(const struct acl *aclp, int fi * this slow implementation significantly speeds things up * for files that don't have non-trivial ACLs - it's critical * for performance to not use EA when they are not needed. + * + * First try the PSARC/2010/029 semantics. */ tmpaclp = acl_alloc(M_WAITOK | M_ZERO); acl_nfs4_sync_mode_from_acl(&tmpmode, aclp); - acl_nfs4_sync_acl_from_mode(tmpaclp, tmpmode, file_owner_id); + acl_nfs4_trivial_from_mode(tmpaclp, tmpmode); trivial = _acls_are_equal(aclp, tmpaclp); + if (trivial) { + acl_free(tmpaclp); + return (trivial); + } + + /* + * Check if it's a draft-ietf-nfsv4-minorversion1-03.txt trivial ACL. + */ + tmpaclp->acl_cnt = 0; + acl_nfs4_sync_acl_from_mode_draft(tmpaclp, tmpmode, file_owner_id); + trivial = _acls_are_equal(aclp, tmpaclp); acl_free(tmpaclp); return (trivial);