From ee6378dc7a78301aec786204f12d0d009e16fcf7 Mon Sep 17 00:00:00 2001 From: "Paul B. Henson" Date: Thu, 5 Dec 2019 00:45:14 +0000 Subject: [PATCH] OpenZFS 3254 - add support in zfs for aclmode=restricted Authored-by: Paul B. Henson Reviewed by: Albert Lee Reviewed by: Gordon Ross Reviewed by: Brian Behlendorf Approved by: Richard Lowe Ported-by: Paul B. Henson OpenZFS-issue: https://www.illumos.org/issues/3254 OpenZFS-commit: https://github.com/openzfs/openzfs/commit/71dbfc287c Closes #10266 (cherry picked from commit 7bf3e1fa0f2f49f0e55bbe4eb5334addd5395570) --- man/man8/zfsprops.8 | 2 +- module/os/linux/zfs/zfs_vnops.c | 6 ++++++ module/zcommon/zfs_prop.c | 9 ++------- 3 files changed, 9 insertions(+), 8 deletions(-) diff --git a/man/man8/zfsprops.8 b/man/man8/zfsprops.8 index 269e9e7d939c..139198db0c48 100644 --- a/man/man8/zfsprops.8 +++ b/man/man8/zfsprops.8 @@ -601,7 +601,7 @@ The property does not apply to POSIX ACLs. .It Xo .Sy aclmode Ns = Ns Sy discard Ns | Ns Sy groupmask Ns | Ns -.Sy passthrough Ns +.Sy passthrough Ns | Ns Sy restricted Ns .Xc Controls how an ACL is modified during chmod(2) and how inherited ACEs are modified by the file creation mode. diff --git a/module/os/linux/zfs/zfs_vnops.c b/module/os/linux/zfs/zfs_vnops.c index aba125f3b7a5..cf5d406a20e4 100644 --- a/module/os/linux/zfs/zfs_vnops.c +++ b/module/os/linux/zfs/zfs_vnops.c @@ -3077,6 +3077,12 @@ zfs_setattr(znode_t *zp, vattr_t *vap, int flags, cred_t *cr) uint64_t acl_obj; new_mode = (pmode & S_IFMT) | (vap->va_mode & ~S_IFMT); + if (ZTOZSB(zp)->z_acl_mode == ZFS_ACL_RESTRICTED && + !(zp->z_pflags & ZFS_ACL_TRIVIAL)) { + err = EPERM; + goto out; + } + if ((err = zfs_acl_chmod_setattr(zp, &aclp, new_mode))) goto out; diff --git a/module/zcommon/zfs_prop.c b/module/zcommon/zfs_prop.c index 0d0b2fc72ee3..d62eec3f0236 100644 --- a/module/zcommon/zfs_prop.c +++ b/module/zcommon/zfs_prop.c @@ -176,13 +176,6 @@ zfs_prop_init(void) { NULL } }; - static zprop_index_t acl_mode_table[] = { - { "discard", ZFS_ACL_DISCARD }, - { "groupmask", ZFS_ACL_GROUPMASK }, - { "passthrough", ZFS_ACL_PASSTHROUGH }, - { NULL } - }; - static zprop_index_t acl_inherit_table[] = { { "discard", ZFS_ACL_DISCARD }, { "noallow", ZFS_ACL_NOALLOW }, @@ -349,9 +342,11 @@ zfs_prop_init(void) PROP_INHERIT, ZFS_TYPE_FILESYSTEM, "discard | groupmask | passthrough | restricted", "ACLMODE", acl_mode_table); +#ifndef __FreeBSD__ zprop_register_index(ZFS_PROP_ACLTYPE, "acltype", ZFS_ACLTYPE_OFF, PROP_INHERIT, ZFS_TYPE_FILESYSTEM | ZFS_TYPE_SNAPSHOT, "noacl | posixacl", "ACLTYPE", acltype_table); +#endif zprop_register_index(ZFS_PROP_ACLINHERIT, "aclinherit", ZFS_ACL_RESTRICTED, PROP_INHERIT, ZFS_TYPE_FILESYSTEM, "discard | noallow | restricted | passthrough | passthrough-x",