changeset 13889:a67716f16746

3254 add support in zfs for aclmode=restricted Reviewed by: Albert Lee <trisk@nexenta.com> Reviewed by: Gordon Ross <gwr@nexenta.com> Approved by: Richard Lowe <richlowe@richlowe.net>
author Paul B. Henson <henson@acm.org>
date Fri, 26 Oct 2012 13:33:52 -0700
parents 7204b3392a58
children dbad2fa7c9bb
files usr/src/common/zfs/zfs_prop.c usr/src/man/man1m/zfs.1m usr/src/uts/common/fs/zfs/zfs_vnops.c
diffstat 3 files changed, 22 insertions(+), 6 deletions(-) [+]
--- a/usr/src/common/zfs/zfs_prop.c	Tue Nov 13 23:04:01 2012 -0800
+++ b/usr/src/common/zfs/zfs_prop.c	Fri Oct 26 13:33:52 2012 -0700
@@ -109,6 +109,7 @@
 		{ "discard",	ZFS_ACL_DISCARD },
 		{ "groupmask",	ZFS_ACL_GROUPMASK },
 		{ "passthrough", ZFS_ACL_PASSTHROUGH },
+		{ "restricted", ZFS_ACL_RESTRICTED },
 		{ NULL }
 	};
 
@@ -217,7 +218,8 @@
 	    "hidden | visible", "SNAPDIR", snapdir_table);
 	zprop_register_index(ZFS_PROP_ACLMODE, "aclmode", ZFS_ACL_DISCARD,
 	    PROP_INHERIT, ZFS_TYPE_FILESYSTEM,
-	    "discard | groupmask | passthrough", "ACLMODE", acl_mode_table);
+	    "discard | groupmask | passthrough | restricted", "ACLMODE",
+	    acl_mode_table);
 	zprop_register_index(ZFS_PROP_ACLINHERIT, "aclinherit",
 	    ZFS_ACL_RESTRICTED, PROP_INHERIT, ZFS_TYPE_FILESYSTEM,
 	    "discard | noallow | restricted | passthrough | passthrough-x",
--- a/usr/src/man/man1m/zfs.1m	Tue Nov 13 23:04:01 2012 -0800
+++ b/usr/src/man/man1m/zfs.1m	Fri Oct 26 13:33:52 2012 -0700
@@ -830,7 +830,7 @@
 .sp
 .ne 2
 .na
-\fB\fBaclmode\fR=\fBdiscard\fR | \fBgroupmask\fR | \fBpassthrough\fR\fR
+\fB\fBaclmode\fR=\fBdiscard\fR | \fBgroupmask\fR | \fBpassthrough\fR\fR | \fBrestricted\fR\fR
 .ad
 .sp .6
 .RS 4n
@@ -839,10 +839,18 @@
 entries that do not represent the mode of the file. An \fBaclmode\fR property
 of \fBgroupmask\fR reduces permissions granted in all \fBALLOW\fR entries found
 in the \fBACL\fR such that they are no greater than the group permissions
-specified by \fBchmod\fR.  A file system with an \fBaclmode\fR property of
+specified by \fBchmod\fR(2).  A file system with an \fBaclmode\fR property of
 \fBpassthrough\fR indicates that no changes are made to the \fBACL\fR other
-than creating or updating the necessary \fBACL\fR entries to
-represent the new mode of the file or directory.
+than creating or updating the necessary \fBACL\fR entries to represent the new
+mode of the file or directory. An \fBaclmode\fR property of \fBrestricted\fR
+will cause the \fBchmod\fR(2) operation to return an error when used on any
+file or directory which has a non-trivial \fBACL\fR whose entries can not be
+represented by a mode. \fBchmod\fR(2) is required to change the set user ID,
+set group ID, or sticky bits on a file or directory, as they do not have
+equivalent \fBACL\fR entries. In order to use \fBchmod\fR(2) on a file or
+directory with a non-trivial \fBACL\fR when \fBaclmode\fR is set to
+\fBrestricted\fR, you must first remove all \fBACL\fR entries which do not
+represent the current mode.
 .RE
 
 .sp
@@ -3939,7 +3947,7 @@
 \fBssh\fR(1), \fBiscsitadm\fR(1M), \fBmount\fR(1M), \fBshare\fR(1M),
 \fBsharemgr\fR(1M), \fBunshare\fR(1M), \fBzonecfg\fR(1M), \fBzpool\fR(1M),
 \fBchmod\fR(2), \fBstat\fR(2), \fBwrite\fR(2), \fBfsync\fR(3C),
-\fBdfstab\fR(4), \fBattributes\fR(5)
+\fBdfstab\fR(4), \fBacl\fR(5), \fBattributes\fR(5)
 .sp
 .LP
 See the \fBgzip\fR(1) man page, which is not part of the SunOS man page
--- a/usr/src/uts/common/fs/zfs/zfs_vnops.c	Tue Nov 13 23:04:01 2012 -0800
+++ b/usr/src/uts/common/fs/zfs/zfs_vnops.c	Fri Oct 26 13:33:52 2012 -0700
@@ -2982,6 +2982,12 @@
 		uint64_t acl_obj;
 		new_mode = (pmode & S_IFMT) | (vap->va_mode & ~S_IFMT);
 
+		if (zp->z_zfsvfs->z_acl_mode == ZFS_ACL_RESTRICTED &&
+		    !(zp->z_pflags & ZFS_ACL_TRIVIAL)) {
+			err = EPERM;
+			goto out;
+		}
+
 		if (err = zfs_acl_chmod_setattr(zp, &aclp, new_mode))
 			goto out;
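Review bot: The new guard ahead of zfs_acl_chmod_setattr() has no comment, and the policy it enforces is not obvious from the two flags alone: under aclmode=restricted, every mode change on a file whose ZFS_ACL_TRIVIAL flag is clear is refused before the ACL can be rewritten. I would add a comment above the `if`, for example `/* aclmode=restricted: fail chmod on a non-trivial ACL rather than let it alter the entries */`. The check trusts `zp->z_pflags` to be current; the enclosing function starts and ends outside this hunk, so it is worth confirming that the flag is read under the same locking as the ACL update that follows. EPERM is presumably also what a caller without ownership gets from this path, so the two refusals cannot be told apart by errno, and the zfs.1m text in this commit says only "return an error" without naming the value.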