# HG changeset patch # User Paul B. Henson # Date 1351283632 25200 # Node ID a67716f16746f73017b375562e917b20a1ea82ea # Parent 7204b3392a58eef8123d960d344d26f0e386f389 3254 add support in zfs for aclmode=restricted Reviewed by: Albert Lee Reviewed by: Gordon Ross Approved by: Richard Lowe diff -r 7204b3392a58 -r a67716f16746 usr/src/common/zfs/zfs_prop.c --- a/usr/src/common/zfs/zfs_prop.c Tue Nov 13 23:04:01 2012 -0800 +++ b/usr/src/common/zfs/zfs_prop.c Fri Oct 26 13:33:52 2012 -0700 @@ -109,6 +109,7 @@ { "discard", ZFS_ACL_DISCARD }, { "groupmask", ZFS_ACL_GROUPMASK }, { "passthrough", ZFS_ACL_PASSTHROUGH }, + { "restricted", ZFS_ACL_RESTRICTED }, { NULL } }; @@ -217,7 +218,8 @@ "hidden | visible", "SNAPDIR", snapdir_table); zprop_register_index(ZFS_PROP_ACLMODE, "aclmode", ZFS_ACL_DISCARD, PROP_INHERIT, ZFS_TYPE_FILESYSTEM, - "discard | groupmask | passthrough", "ACLMODE", acl_mode_table); + "discard | groupmask | passthrough | restricted", "ACLMODE", + acl_mode_table); zprop_register_index(ZFS_PROP_ACLINHERIT, "aclinherit", ZFS_ACL_RESTRICTED, PROP_INHERIT, ZFS_TYPE_FILESYSTEM, "discard | noallow | restricted | passthrough | passthrough-x", diff -r 7204b3392a58 -r a67716f16746 usr/src/man/man1m/zfs.1m --- a/usr/src/man/man1m/zfs.1m Tue Nov 13 23:04:01 2012 -0800 +++ b/usr/src/man/man1m/zfs.1m Fri Oct 26 13:33:52 2012 -0700 @@ -830,7 +830,7 @@ .sp .ne 2 .na -\fB\fBaclmode\fR=\fBdiscard\fR | \fBgroupmask\fR | \fBpassthrough\fR\fR +\fB\fBaclmode\fR=\fBdiscard\fR | \fBgroupmask\fR | \fBpassthrough\fR\fR | \fBrestricted\fR\fR .ad .sp .6 .RS 4n @@ -839,10 +839,18 @@ entries that do not represent the mode of the file. An \fBaclmode\fR property of \fBgroupmask\fR reduces permissions granted in all \fBALLOW\fR entries found in the \fBACL\fR such that they are no greater than the group permissions -specified by \fBchmod\fR. A file system with an \fBaclmode\fR property of +specified by \fBchmod\fR(2). A file system with an \fBaclmode\fR property of \fBpassthrough\fR indicates that no changes are made to the \fBACL\fR other -than creating or updating the necessary \fBACL\fR entries to -represent the new mode of the file or directory. +than creating or updating the necessary \fBACL\fR entries to represent the new +mode of the file or directory. An \fBaclmode\fR property of \fBrestricted\fR +will cause the \fBchmod\fR(2) operation to return an error when used on any +file or directory which has a non-trivial \fBACL\fR whose entries can not be +represented by a mode. \fBchmod\fR(2) is required to change the set user ID, +set group ID, or sticky bits on a file or directory, as they do not have +equivalent \fBACL\fR entries. In order to use \fBchmod\fR(2) on a file or +directory with a non-trivial \fBACL\fR when \fBaclmode\fR is set to +\fBrestricted\fR, you must first remove all \fBACL\fR entries which do not +represent the current mode. .RE .sp @@ -3939,7 +3947,7 @@ \fBssh\fR(1), \fBiscsitadm\fR(1M), \fBmount\fR(1M), \fBshare\fR(1M), \fBsharemgr\fR(1M), \fBunshare\fR(1M), \fBzonecfg\fR(1M), \fBzpool\fR(1M), \fBchmod\fR(2), \fBstat\fR(2), \fBwrite\fR(2), \fBfsync\fR(3C), -\fBdfstab\fR(4), \fBattributes\fR(5) +\fBdfstab\fR(4), \fBacl\fR(5), \fBattributes\fR(5) .sp .LP See the \fBgzip\fR(1) man page, which is not part of the SunOS man page diff -r 7204b3392a58 -r a67716f16746 usr/src/uts/common/fs/zfs/zfs_vnops.c --- a/usr/src/uts/common/fs/zfs/zfs_vnops.c Tue Nov 13 23:04:01 2012 -0800 +++ b/usr/src/uts/common/fs/zfs/zfs_vnops.c Fri Oct 26 13:33:52 2012 -0700 @@ -2982,6 +2982,12 @@ uint64_t acl_obj; new_mode = (pmode & S_IFMT) | (vap->va_mode & ~S_IFMT); + if (zp->z_zfsvfs->z_acl_mode == ZFS_ACL_RESTRICTED && + !(zp->z_pflags & ZFS_ACL_TRIVIAL)) { + err = EPERM; + goto out; + } + if (err = zfs_acl_chmod_setattr(zp, &aclp, new_mode)) goto out;