diff options
author | mm <mm@FreeBSD.org> | 2012-11-26 12:24:39 +0000 |
---|---|---|
committer | mm <mm@FreeBSD.org> | 2012-11-26 12:24:39 +0000 |
commit | f906bfd159c71ea043e936996ec3293b31526451 (patch) | |
tree | 389030d4b2e59bfc70c9aeaefa1e9714ce00c789 | |
parent | 6c15e1ad42a2d21abd42d20103bdc940ca0f971a (diff) | |
download | FreeBSD-src-f906bfd159c71ea043e936996ec3293b31526451.zip FreeBSD-src-f906bfd159c71ea043e936996ec3293b31526451.tar.gz |
MFV r243395:
Introduce a new dataset aclmode setting "restricted" to protect ACL's
being destroyed or corrupted by a drive-by chmod.
illumos-gate 13889:a67716f16746
3254 add support in zfs for aclmode=restricted
References:
https://www.illumos.org/issues/3254
MFC after: 2 weeks
-rw-r--r-- | cddl/contrib/opensolaris/cmd/zfs/zfs.8 | 28 | ||||
-rw-r--r-- | sys/cddl/contrib/opensolaris/common/zfs/zfs_prop.c | 4 | ||||
-rw-r--r-- | sys/cddl/contrib/opensolaris/uts/common/fs/zfs/zfs_vnops.c | 6 |
3 files changed, 36 insertions, 2 deletions
diff --git a/cddl/contrib/opensolaris/cmd/zfs/zfs.8 b/cddl/contrib/opensolaris/cmd/zfs/zfs.8 index 10e6ae3..a09aa77 100644 --- a/cddl/contrib/opensolaris/cmd/zfs/zfs.8 +++ b/cddl/contrib/opensolaris/cmd/zfs/zfs.8 @@ -760,7 +760,7 @@ If no inheritable .Tn ACE Ns s exist that affect the mode, then the mode is set in accordance to the requested mode from the application. -.It Sy aclmode Ns = Ns Cm discard | groupmask | passthrough +.It Sy aclmode Ns = Ns Cm discard | groupmask | passthrough | restricted Controls how an .Tn ACL is modified during @@ -790,6 +790,32 @@ indicates that no changes are made to the other than creating or updating the necessary .Tn ACL entries to represent the new mode of the file or directory. +An +.Sy aclmode +property of +.Cm restricted +will cause the +.Xr chmod 2 +operation to return an error when used on any file or directory which has +a non-trivial +.Tn ACL +whose entries can not be represented by a mode. +.Xr chmod 2 +is required to change the set user ID, set group ID, or sticky bits on a file +or directory, as they do not have equivalent +.Tn ACL +entries. +In order to use +.Xr chmod 2 +on a file or directory with a non-trivial +.Tn ACL +when +.Sy aclmode +is set to +.Cm restricted , +you must first remove all +.Tn ACL +entries which do not represent the current mode. .It Sy atime Ns = Ns Cm on | off Controls whether the access time for files is updated when they are read. Turning this property off avoids producing write traffic when reading files and diff --git a/sys/cddl/contrib/opensolaris/common/zfs/zfs_prop.c b/sys/cddl/contrib/opensolaris/common/zfs/zfs_prop.c index 398963a..5f5b8da 100644 --- a/sys/cddl/contrib/opensolaris/common/zfs/zfs_prop.c +++ b/sys/cddl/contrib/opensolaris/common/zfs/zfs_prop.c @@ -109,6 +109,7 @@ zfs_prop_init(void) { "discard", ZFS_ACL_DISCARD }, { "groupmask", ZFS_ACL_GROUPMASK }, { "passthrough", ZFS_ACL_PASSTHROUGH }, + { "restricted", ZFS_ACL_RESTRICTED }, { NULL } }; @@ -217,7 +218,8 @@ zfs_prop_init(void) "hidden | visible", "SNAPDIR", snapdir_table); zprop_register_index(ZFS_PROP_ACLMODE, "aclmode", ZFS_ACL_DISCARD, PROP_INHERIT, ZFS_TYPE_FILESYSTEM, - "discard | groupmask | passthrough", "ACLMODE", acl_mode_table); + "discard | groupmask | passthrough | restricted", "ACLMODE", + acl_mode_table); zprop_register_index(ZFS_PROP_ACLINHERIT, "aclinherit", ZFS_ACL_RESTRICTED, PROP_INHERIT, ZFS_TYPE_FILESYSTEM, "discard | noallow | restricted | passthrough | passthrough-x", diff --git a/sys/cddl/contrib/opensolaris/uts/common/fs/zfs/zfs_vnops.c b/sys/cddl/contrib/opensolaris/uts/common/fs/zfs/zfs_vnops.c index b998e38..c07400d 100644 --- a/sys/cddl/contrib/opensolaris/uts/common/fs/zfs/zfs_vnops.c +++ b/sys/cddl/contrib/opensolaris/uts/common/fs/zfs/zfs_vnops.c @@ -3257,6 +3257,12 @@ top: uint64_t acl_obj; new_mode = (pmode & S_IFMT) | (vap->va_mode & ~S_IFMT); + if (zp->z_zfsvfs->z_acl_mode == ZFS_ACL_RESTRICTED && + !(zp->z_pflags & ZFS_ACL_TRIVIAL)) { + err = EPERM; + goto out; + } + if (err = zfs_acl_chmod_setattr(zp, &aclp, new_mode)) goto out; |