Skip to content

Commit

Permalink
Cross-platform acltype
Browse files Browse the repository at this point in the history
The acltype property is currently hidden on FreeBSD and does not
reflect the NFSv4 style ZFS ACLs used on the platform.  This makes it
difficult to observe that a pool imported from FreeBSD on Linux has a
different type of ACL that is being ignored, and vice versa.

Add an nfsv4 acltype and expose the property on FreeBSD.

Make the default acltype nfsv4 on FreeBSD.

Setting acltype to an unhandled style is treated the same as setting
it to off.  The ACLs will not be removed, but they will be ignored.

Rename posixacl to posix and prefer off to noacl throughout.  The
Linux mount options remain named posixacl and noacl to avoid ambiguity
and breaking existing configurations.  To the latter end, also retain
posixacl and noacl values for acltype as aliases.

Signed-off-by: Ryan Moeller <[email protected]>
  • Loading branch information
Ryan Moeller authored and Ryan Moeller committed Sep 1, 2020
1 parent 88d19d7 commit 1447e85
Show file tree
Hide file tree
Showing 20 changed files with 148 additions and 76 deletions.
1 change: 1 addition & 0 deletions include/os/freebsd/zfs/sys/zfs_vfsops.h
Original file line number Diff line number Diff line change
Expand Up @@ -59,6 +59,7 @@ struct zfsvfs {
boolean_t z_fuid_dirty; /* need to sync fuid table ? */
struct zfs_fuid_info *z_fuid_replay; /* fuid info for replay */
zilog_t *z_log; /* intent log pointer */
uint_t z_acl_type; /* type of acl usable on this fs */
uint_t z_acl_mode; /* acl chmod/mode behavior */
uint_t z_acl_inherit; /* acl inheritance behavior */
zfs_case_t z_case; /* case-sense */
Expand Down
3 changes: 2 additions & 1 deletion include/sys/zfs_ioctl.h
Original file line number Diff line number Diff line change
Expand Up @@ -67,7 +67,8 @@ extern "C" {
* Property values for acltype
*/
#define ZFS_ACLTYPE_OFF 0
#define ZFS_ACLTYPE_POSIXACL 1
#define ZFS_ACLTYPE_POSIX 1
#define ZFS_ACLTYPE_NFSV4 2

/*
* Field manipulation macros for the drr_versioninfo field of the
Expand Down
66 changes: 41 additions & 25 deletions lib/libspl/include/sys/acl.h
Original file line number Diff line number Diff line change
Expand Up @@ -19,8 +19,12 @@
* CDDL HEADER END
*/
/*
* Copyright 2007 Sun Microsystems, Inc. All rights reserved.
* Copyright 2009 Sun Microsystems, Inc. All rights reserved.
* Use is subject to license terms.
*
* Copyright 2014 Garrett D'Amore <[email protected]>
* Copyright 2014 Nexenta Systems, Inc. All rights reserved.
* Copyright 2017 RackTop Systems.
*/

#ifndef _SYS_ACL_H
Expand Down Expand Up @@ -75,23 +79,24 @@ typedef struct acl_info acl_t;
/*
* The following are defined for ace_t.
*/
#define ACE_READ_DATA 0x00000001
#define ACE_LIST_DIRECTORY 0x00000001
#define ACE_WRITE_DATA 0x00000002
#define ACE_ADD_FILE 0x00000002
#define ACE_APPEND_DATA 0x00000004
#define ACE_ADD_SUBDIRECTORY 0x00000004
#define ACE_READ_NAMED_ATTRS 0x00000008
#define ACE_WRITE_NAMED_ATTRS 0x00000010
#define ACE_EXECUTE 0x00000020
#define ACE_DELETE_CHILD 0x00000040
#define ACE_READ_ATTRIBUTES 0x00000080
#define ACE_WRITE_ATTRIBUTES 0x00000100
#define ACE_DELETE 0x00010000
#define ACE_READ_ACL 0x00020000
#define ACE_WRITE_ACL 0x00040000
#define ACE_WRITE_OWNER 0x00080000
#define ACE_SYNCHRONIZE 0x00100000
#define ACE_READ_DATA 0x00000001 /* file: read data */
#define ACE_LIST_DIRECTORY 0x00000001 /* dir: list files */
#define ACE_WRITE_DATA 0x00000002 /* file: write data */
#define ACE_ADD_FILE 0x00000002 /* dir: create file */
#define ACE_APPEND_DATA 0x00000004 /* file: append data */
#define ACE_ADD_SUBDIRECTORY 0x00000004 /* dir: create subdir */
#define ACE_READ_NAMED_ATTRS 0x00000008 /* FILE_READ_EA */
#define ACE_WRITE_NAMED_ATTRS 0x00000010 /* FILE_WRITE_EA */
#define ACE_EXECUTE 0x00000020 /* file: execute */
#define ACE_TRAVERSE 0x00000020 /* dir: lookup name */
#define ACE_DELETE_CHILD 0x00000040 /* dir: unlink child */
#define ACE_READ_ATTRIBUTES 0x00000080 /* (all) stat, etc. */
#define ACE_WRITE_ATTRIBUTES 0x00000100 /* (all) utimes, etc. */
#define ACE_DELETE 0x00010000 /* (all) unlink self */
#define ACE_READ_ACL 0x00020000 /* (all) getsecattr */
#define ACE_WRITE_ACL 0x00040000 /* (all) setsecattr */
#define ACE_WRITE_OWNER 0x00080000 /* (all) chown */
#define ACE_SYNCHRONIZE 0x00100000 /* (all) */

#define ACE_FILE_INHERIT_ACE 0x0001
#define ACE_DIRECTORY_INHERIT_ACE 0x0002
Expand All @@ -116,8 +121,6 @@ typedef struct acl_info acl_t;
#define ACL_FLAGS_ALL (ACL_AUTO_INHERIT|ACL_PROTECTED| \
ACL_DEFAULTED)

#ifdef _KERNEL

/*
* These are only applicable in a CIFS context.
*/
Expand All @@ -137,6 +140,8 @@ typedef struct acl_info acl_t;

#define ACE_ALL_TYPES 0x001F

#if defined(_KERNEL)

typedef struct ace_object {
uid_t a_who; /* uid or gid */
uint32_t a_access_mask; /* read,write,... */
Expand All @@ -154,6 +159,21 @@ typedef struct ace_object {
ACE_WRITE_ATTRIBUTES|ACE_DELETE|ACE_READ_ACL|ACE_WRITE_ACL| \
ACE_WRITE_OWNER|ACE_SYNCHRONIZE)

#define ACE_ALL_WRITE_PERMS (ACE_WRITE_DATA|ACE_APPEND_DATA| \
ACE_WRITE_ATTRIBUTES|ACE_WRITE_NAMED_ATTRS|ACE_WRITE_ACL| \
ACE_WRITE_OWNER|ACE_DELETE|ACE_DELETE_CHILD)

#define ACE_READ_PERMS (ACE_READ_DATA|ACE_READ_ACL|ACE_READ_ATTRIBUTES| \
ACE_READ_NAMED_ATTRS)

#define ACE_WRITE_PERMS (ACE_WRITE_DATA|ACE_APPEND_DATA|ACE_WRITE_ATTRIBUTES| \
ACE_WRITE_NAMED_ATTRS)

#define ACE_MODIFY_PERMS (ACE_READ_DATA|ACE_LIST_DIRECTORY|ACE_WRITE_DATA| \
ACE_ADD_FILE|ACE_APPEND_DATA|ACE_ADD_SUBDIRECTORY|ACE_READ_NAMED_ATTRS| \
ACE_WRITE_NAMED_ATTRS|ACE_EXECUTE|ACE_DELETE_CHILD|ACE_READ_ATTRIBUTES| \
ACE_WRITE_ATTRIBUTES|ACE_DELETE|ACE_READ_ACL|ACE_SYNCHRONIZE)

/*
* The following flags are supported by both NFSv4 ACLs and ace_t.
*/
Expand Down Expand Up @@ -217,6 +237,7 @@ typedef struct ace_object {
#define ACL_APPEND_ID 0x1 /* append uid/gid to user/group entries */
#define ACL_COMPACT_FMT 0x2 /* build ACL in ls -V format */
#define ACL_NORESOLVE 0x4 /* don't do name service lookups */
#define ACL_SID_FMT 0x8 /* use usersid/groupsid when appropriate */

/*
* Legacy aclcheck errors for aclent_t ACLs
Expand Down Expand Up @@ -272,13 +293,8 @@ extern int cmp2acls(void *, void *);

#endif /* !defined(_KERNEL) */

#if defined(__STDC__)
extern int acl(const char *path, int cmd, int cnt, void *buf);
extern int facl(int fd, int cmd, int cnt, void *buf);
#else /* !__STDC__ */
extern int acl();
extern int facl();
#endif /* defined(__STDC__) */

#ifdef __cplusplus
}
Expand Down
24 changes: 19 additions & 5 deletions man/man8/zfsprops.8
Original file line number Diff line number Diff line change
Expand Up @@ -651,26 +651,40 @@ you must first remove all
.Tn ACL
entries which do not represent the current mode.
.El
.It Sy acltype Ns = Ns Sy off Ns | Ns Sy noacl Ns | Ns Sy posixacl
.It Sy acltype Ns = Ns Sy off Ns | Ns Sy nfsv4 Ns | Ns Sy posix
Controls whether ACLs are enabled and if so what type of ACL to use.
This property is not visible on FreeBSD yet.
When this property is set to a type of ACL not supported by the current
platform, the behavior is the same as if it were set to
.Sy off .
.Bl -tag -width "posixacl"
.It Sy off
default, when a file system has the
default on Linux, when a file system has the
.Sy acltype
property set to off then ACLs are disabled.
.It Sy noacl
an alias for
.Sy off
.It Sy posixacl
.It Sy nfsv4
default on FreeBSD, indicates that NFSv4-style ZFS ACLs should be used.
These ACLs can be managed with the
.Xr getfacl 1
and
.Xr setfacl 1
commands on FreeBSD. The
.Sy nfsv4
ZFS ACL type is not yet supported on Linux.
.It Sy posix
indicates POSIX ACLs should be used. POSIX ACLs are specific to Linux and are
not functional on other platforms. POSIX ACLs are stored as an extended
attribute and therefore will not overwrite any existing NFSv4 ACLs which
may be set.
.It Sy posixacl
an alias for
.Sy posix
.El
.Pp
To obtain the best performance when setting
.Sy posixacl
.Sy posix
users are strongly encouraged to set the
.Sy xattr=sa
property. This will result in the POSIX ACL being stored more efficiently on
Expand Down
2 changes: 1 addition & 1 deletion module/os/freebsd/zfs/zfs_acl.c
Original file line number Diff line number Diff line change
Expand Up @@ -2494,7 +2494,7 @@ zfs_zaccess(znode_t *zp, int mode, int flags, boolean_t skipaclchk, cred_t *cr)

/*
* Translate traditional unix VREAD/VWRITE/VEXEC mode into
* native ACL format and call zfs_zaccess()
* NFSv4-style ZFS ACL format and call zfs_zaccess()
*/
int
zfs_zaccess_rwx(znode_t *zp, mode_t mode, int flags, cred_t *cr)
Expand Down
22 changes: 22 additions & 0 deletions module/os/freebsd/zfs/zfs_vfsops.c
Original file line number Diff line number Diff line change
Expand Up @@ -592,6 +592,14 @@ acl_inherit_changed_cb(void *arg, uint64_t newval)
zfsvfs->z_acl_inherit = newval;
}

static void
acl_type_changed_cb(void *arg, uint64_t newval)
{
zfsvfs_t *zfsvfs = arg;

zfsvfs->z_acl_type = newval;
}

static int
zfs_register_callbacks(vfs_t *vfsp)
{
Expand Down Expand Up @@ -722,6 +730,8 @@ zfs_register_callbacks(vfs_t *vfsp)
zfs_prop_to_name(ZFS_PROP_EXEC), exec_changed_cb, zfsvfs);
error = error ? error : dsl_prop_register(ds,
zfs_prop_to_name(ZFS_PROP_SNAPDIR), snapdir_changed_cb, zfsvfs);
error = error ? error : dsl_prop_register(ds,
zfs_prop_to_name(ZFS_PROP_ACLTYPE), acl_type_changed_cb, zfsvfs);
error = error ? error : dsl_prop_register(ds,
zfs_prop_to_name(ZFS_PROP_ACLMODE), acl_mode_changed_cb, zfsvfs);
error = error ? error : dsl_prop_register(ds,
Expand Down Expand Up @@ -797,6 +807,11 @@ zfsvfs_init(zfsvfs_t *zfsvfs, objset_t *os)
return (error);
zfsvfs->z_case = (uint_t)val;

error = zfs_get_zplprop(os, ZFS_PROP_ACLTYPE, &val);
if (error != 0)
return (error);
zfsvfs->z_acl_type = (uint_t)val;

/*
* Fold case on file systems that are always or sometimes case
* insensitive.
Expand Down Expand Up @@ -1232,6 +1247,10 @@ zfs_domount(vfs_t *vfsp, char *osname)
"xattr", &pval, NULL)))
goto out;
xattr_changed_cb(zfsvfs, pval);
if ((error = dsl_prop_get_integer(osname,
"acltype", &pval, NULL)))
goto out;
acl_type_changed_cb(zfsvfs, pval);
zfsvfs->z_issnap = B_TRUE;
zfsvfs->z_os->os_sync = ZFS_SYNC_DISABLED;

Expand Down Expand Up @@ -2216,6 +2235,9 @@ zfs_get_zplprop(objset_t *os, zfs_prop_t prop, uint64_t *value)
case ZFS_PROP_CASE:
*value = ZFS_CASE_SENSITIVE;
break;
case ZFS_PROP_ACLTYPE:
*value = ZFS_ACLTYPE_NFSV4;
break;
default:
return (error);
}
Expand Down
18 changes: 17 additions & 1 deletion module/os/freebsd/zfs/zfs_vnops.c
Original file line number Diff line number Diff line change
Expand Up @@ -4741,6 +4741,8 @@ static int
zfs_pathconf(vnode_t *vp, int cmd, ulong_t *valp, cred_t *cr,
caller_context_t *ct)
{
znode_t *zp;
zfsvfs_t *zfsvfs;

switch (cmd) {
case _PC_LINK_MAX:
Expand All @@ -4754,11 +4756,25 @@ zfs_pathconf(vnode_t *vp, int cmd, ulong_t *valp, cred_t *cr,
*valp = (int)SPA_MINBLOCKSIZE;
return (0);
case _PC_ACL_EXTENDED:
#ifdef notyet
zp = VTOZ(vp);
zfsvfs = zp->z_zfsvfs;
ZFS_ENTER(zfsvfs);
ZFS_VERIFY_ZP(zp);
*valp = zfsvfs->z_acl_type == ZFSACLTYPE_POSIX ? 1 : 0;
ZFS_EXIT(zfsvfs);
#else
*valp = 0;
#endif
return (0);

case _PC_ACL_NFS4:
*valp = 1;
zp = VTOZ(vp);
zfsvfs = zp->z_zfsvfs;
ZFS_ENTER(zfsvfs);
ZFS_VERIFY_ZP(zp);
*valp = zfsvfs->z_acl_type == ZFS_ACLTYPE_NFSV4 ? 1 : 0;
ZFS_EXIT(zfsvfs);
return (0);

case _PC_ACL_PATH_MAX:
Expand Down
4 changes: 2 additions & 2 deletions module/os/linux/zfs/zfs_acl.c
Original file line number Diff line number Diff line change
Expand Up @@ -1153,7 +1153,7 @@ zfs_acl_chown_setattr(znode_t *zp)
int error;
zfs_acl_t *aclp;

if (ZTOZSB(zp)->z_acl_type == ZFS_ACLTYPE_POSIXACL)
if (ZTOZSB(zp)->z_acl_type == ZFS_ACLTYPE_POSIX)
return (0);

ASSERT(MUTEX_HELD(&zp->z_lock));
Expand Down Expand Up @@ -2666,7 +2666,7 @@ zfs_zaccess(znode_t *zp, int mode, int flags, boolean_t skipaclchk, cred_t *cr)

/*
* Translate traditional unix S_IRUSR/S_IWUSR/S_IXUSR mode into
* native ACL format and call zfs_zaccess()
* NFSv4-style ZFS ACL format and call zfs_zaccess()
*/
int
zfs_zaccess_rwx(znode_t *zp, mode_t mode, int flags, cred_t *cr)
Expand Down
5 changes: 3 additions & 2 deletions module/os/linux/zfs/zfs_vfsops.c
Original file line number Diff line number Diff line change
Expand Up @@ -352,13 +352,14 @@ acltype_changed_cb(void *arg, uint64_t newval)
zfsvfs_t *zfsvfs = arg;

switch (newval) {
case ZFS_ACLTYPE_NFSV4:
case ZFS_ACLTYPE_OFF:
zfsvfs->z_acl_type = ZFS_ACLTYPE_OFF;
zfsvfs->z_sb->s_flags &= ~SB_POSIXACL;
break;
case ZFS_ACLTYPE_POSIXACL:
case ZFS_ACLTYPE_POSIX:
#ifdef CONFIG_FS_POSIX_ACL
zfsvfs->z_acl_type = ZFS_ACLTYPE_POSIXACL;
zfsvfs->z_acl_type = ZFS_ACLTYPE_POSIX;
zfsvfs->z_sb->s_flags |= SB_POSIXACL;
#else
zfsvfs->z_acl_type = ZFS_ACLTYPE_OFF;
Expand Down
2 changes: 1 addition & 1 deletion module/os/linux/zfs/zpl_super.c
Original file line number Diff line number Diff line change
Expand Up @@ -190,7 +190,7 @@ __zpl_show_options(struct seq_file *seq, zfsvfs_t *zfsvfs)

#ifdef CONFIG_FS_POSIX_ACL
switch (zfsvfs->z_acl_type) {
case ZFS_ACLTYPE_POSIXACL:
case ZFS_ACLTYPE_POSIX:
seq_puts(seq, ",posixacl");
break;
default:
Expand Down
16 changes: 8 additions & 8 deletions module/os/linux/zfs/zpl_xattr.c
Original file line number Diff line number Diff line change
Expand Up @@ -1058,7 +1058,7 @@ zpl_init_acl(struct inode *ip, struct inode *dir)
struct posix_acl *acl = NULL;
int error = 0;

if (ITOZSB(ip)->z_acl_type != ZFS_ACLTYPE_POSIXACL)
if (ITOZSB(ip)->z_acl_type != ZFS_ACLTYPE_POSIX)
return (0);

if (!S_ISLNK(ip->i_mode)) {
Expand Down Expand Up @@ -1103,7 +1103,7 @@ zpl_chmod_acl(struct inode *ip)
struct posix_acl *acl;
int error;

if (ITOZSB(ip)->z_acl_type != ZFS_ACLTYPE_POSIXACL)
if (ITOZSB(ip)->z_acl_type != ZFS_ACLTYPE_POSIX)
return (0);

if (S_ISLNK(ip->i_mode))
Expand All @@ -1129,7 +1129,7 @@ __zpl_xattr_acl_list_access(struct inode *ip, char *list, size_t list_size,
char *xattr_name = XATTR_NAME_POSIX_ACL_ACCESS;
size_t xattr_size = sizeof (XATTR_NAME_POSIX_ACL_ACCESS);

if (ITOZSB(ip)->z_acl_type != ZFS_ACLTYPE_POSIXACL)
if (ITOZSB(ip)->z_acl_type != ZFS_ACLTYPE_POSIX)
return (0);

if (list && xattr_size <= list_size)
Expand All @@ -1146,7 +1146,7 @@ __zpl_xattr_acl_list_default(struct inode *ip, char *list, size_t list_size,
char *xattr_name = XATTR_NAME_POSIX_ACL_DEFAULT;
size_t xattr_size = sizeof (XATTR_NAME_POSIX_ACL_DEFAULT);

if (ITOZSB(ip)->z_acl_type != ZFS_ACLTYPE_POSIXACL)
if (ITOZSB(ip)->z_acl_type != ZFS_ACLTYPE_POSIX)
return (0);

if (list && xattr_size <= list_size)
Expand All @@ -1168,7 +1168,7 @@ __zpl_xattr_acl_get_access(struct inode *ip, const char *name,
if (strcmp(name, "") != 0)
return (-EINVAL);
#endif
if (ITOZSB(ip)->z_acl_type != ZFS_ACLTYPE_POSIXACL)
if (ITOZSB(ip)->z_acl_type != ZFS_ACLTYPE_POSIX)
return (-EOPNOTSUPP);

acl = zpl_get_acl(ip, type);
Expand Down Expand Up @@ -1196,7 +1196,7 @@ __zpl_xattr_acl_get_default(struct inode *ip, const char *name,
if (strcmp(name, "") != 0)
return (-EINVAL);
#endif
if (ITOZSB(ip)->z_acl_type != ZFS_ACLTYPE_POSIXACL)
if (ITOZSB(ip)->z_acl_type != ZFS_ACLTYPE_POSIX)
return (-EOPNOTSUPP);

acl = zpl_get_acl(ip, type);
Expand Down Expand Up @@ -1224,7 +1224,7 @@ __zpl_xattr_acl_set_access(struct inode *ip, const char *name,
if (strcmp(name, "") != 0)
return (-EINVAL);
#endif
if (ITOZSB(ip)->z_acl_type != ZFS_ACLTYPE_POSIXACL)
if (ITOZSB(ip)->z_acl_type != ZFS_ACLTYPE_POSIX)
return (-EOPNOTSUPP);

if (!inode_owner_or_capable(ip))
Expand Down Expand Up @@ -1264,7 +1264,7 @@ __zpl_xattr_acl_set_default(struct inode *ip, const char *name,
if (strcmp(name, "") != 0)
return (-EINVAL);
#endif
if (ITOZSB(ip)->z_acl_type != ZFS_ACLTYPE_POSIXACL)
if (ITOZSB(ip)->z_acl_type != ZFS_ACLTYPE_POSIX)
return (-EOPNOTSUPP);

if (!inode_owner_or_capable(ip))
Expand Down
Loading

0 comments on commit 1447e85

Please sign in to comment.