summaryrefslogtreecommitdiffstats
path: root/tests
diff options
context:
space:
mode:
authorngie <ngie@FreeBSD.org>2015-10-13 17:28:11 +0000
committerngie <ngie@FreeBSD.org>2015-10-13 17:28:11 +0000
commita628dafc861c1a90cc8c102efb32fddb53905dca (patch)
tree61d234ccad2c765160a41f699543b292d0d8ba1c /tests
parent5d430003c819997e598b5958c8c0838f897a015d (diff)
parent7f1b3a0b6809a66c4a0742fbdd1c8fe2db90852f (diff)
downloadFreeBSD-src-a628dafc861c1a90cc8c102efb32fddb53905dca.zip
FreeBSD-src-a628dafc861c1a90cc8c102efb32fddb53905dca.tar.gz
Integrate tools/regression/acltools into tests/sys/acl
Apply patches I've been running for months on my GitHub project
Diffstat (limited to 'tests')
-rw-r--r--tests/sys/Makefile1
-rw-r--r--tests/sys/acl/00.sh88
-rw-r--r--tests/sys/acl/01.sh87
-rw-r--r--tests/sys/acl/02.sh93
-rw-r--r--tests/sys/acl/03.sh117
-rw-r--r--tests/sys/acl/04.sh73
-rwxr-xr-xtests/sys/acl/aclfuzzer.sh225
-rwxr-xr-xtests/sys/acl/mktrivial.sh53
-rw-r--r--tests/sys/acl/run329
-rw-r--r--tests/sys/acl/tools-crossfs.test323
-rw-r--r--tests/sys/acl/tools-nfs4-psarc.test562
-rw-r--r--tests/sys/acl/tools-nfs4-trivial.test82
-rw-r--r--tests/sys/acl/tools-nfs4.test828
-rw-r--r--tests/sys/acl/tools-posix.test453
14 files changed, 3314 insertions, 0 deletions
diff --git a/tests/sys/Makefile b/tests/sys/Makefile
index a22214a..f559e20 100644
--- a/tests/sys/Makefile
+++ b/tests/sys/Makefile
@@ -4,6 +4,7 @@
TESTSDIR= ${TESTSBASE}/sys
+TESTS_SUBDIRS+= acl
TESTS_SUBDIRS+= aio
TESTS_SUBDIRS+= fifo
TESTS_SUBDIRS+= file
diff --git a/tests/sys/acl/00.sh b/tests/sys/acl/00.sh
new file mode 100644
index 0000000..61e8115
--- /dev/null
+++ b/tests/sys/acl/00.sh
@@ -0,0 +1,88 @@
+#!/bin/sh
+#
+# Copyright (c) 2008, 2009 Edward Tomasz Napierała <trasz@FreeBSD.org>
+# All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+# 1. Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+# 2. Redistributions in binary form must reproduce the above copyright
+# notice, this list of conditions and the following disclaimer in the
+# documentation and/or other materials provided with the distribution.
+#
+# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+# SUCH DAMAGE.
+#
+# $FreeBSD$
+#
+
+# This is a wrapper script to run tools-posix.test on UFS filesystem.
+#
+# If any of the tests fails, here is how to debug it: go to
+# the directory with problematic filesystem mounted on it,
+# and do /path/to/test run /path/to/test tools-posix.test, e.g.
+#
+# /usr/src/tools/regression/acltools/run /usr/src/tools/regression/acltools/tools-posix.test
+#
+# Output should be obvious.
+
+if [ $(sysctl -n kern.features.ufs_acl 2>/dev/null || echo 0) -eq 0 ]; then
+ echo "1..0 # SKIP system does not have UFS ACL support"
+ exit 0
+fi
+if [ $(id -u) -ne 0 ]; then
+ echo "1..0 # SKIP you must be root"
+ exit 0
+fi
+
+echo "1..4"
+
+TESTDIR=$(dirname $(realpath $0))
+
+# Set up the test filesystem.
+MD=`mdconfig -at swap -s 10m`
+MNT=`mktemp -dt acltools`
+newfs /dev/$MD > /dev/null
+trap "cd /; umount -f $MNT; rmdir $MNT; mdconfig -d -u $MD" EXIT
+mount -o acls /dev/$MD $MNT
+if [ $? -ne 0 ]; then
+ echo "not ok 1 - mount failed."
+ echo 'Bail out!'
+ exit 1
+fi
+
+echo "ok 1"
+
+cd $MNT
+
+# First, check whether we can crash the kernel by creating too many
+# entries. For some reason this won't work in the test file.
+touch xxx
+i=0;
+while :; do i=$(($i+1)); setfacl -m u:$i:rwx xxx 2> /dev/null; if [ $? -ne 0 ]; then break; fi; done
+chmod 600 xxx
+rm xxx
+echo "ok 2"
+
+perl $TESTDIR/run $TESTDIR/tools-posix.test > /dev/null
+
+if [ $? -eq 0 ]; then
+ echo "ok 3"
+else
+ echo "not ok 3"
+fi
+
+cd /
+
+echo "ok 4"
diff --git a/tests/sys/acl/01.sh b/tests/sys/acl/01.sh
new file mode 100644
index 0000000..93487a7
--- /dev/null
+++ b/tests/sys/acl/01.sh
@@ -0,0 +1,87 @@
+#!/bin/sh
+#
+# Copyright (c) 2008, 2009 Edward Tomasz Napierała <trasz@FreeBSD.org>
+# All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+# 1. Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+# 2. Redistributions in binary form must reproduce the above copyright
+# notice, this list of conditions and the following disclaimer in the
+# documentation and/or other materials provided with the distribution.
+#
+# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+# SUCH DAMAGE.
+#
+# $FreeBSD$
+#
+
+# This is a wrapper script to run tools-nfs4.test on ZFS filesystem.
+#
+# WARNING: It uses hardcoded ZFS pool name "acltools"
+#
+# If any of the tests fails, here is how to debug it: go to
+# the directory with problematic filesystem mounted on it,
+# and do /path/to/test run /path/to/test tools-nfs4.test, e.g.
+#
+# /usr/src/tools/regression/acltools/run /usr/src/tools/regression/acltools/tools-nfs4.test
+#
+# Output should be obvious.
+
+if ! sysctl vfs.zfs.version.spa >/dev/null 2>&1; then
+ echo "1..0 # SKIP system doesn't have ZFS loaded"
+ exit 0
+fi
+if [ $(id -u) -ne 0 ]; then
+ echo "1..0 # SKIP you must be root"
+ exit 0
+fi
+
+echo "1..4"
+
+TESTDIR=$(dirname $(realpath $0))
+
+# Set up the test filesystem.
+MD=`mdconfig -at swap -s 64m`
+MNT=`mktemp -dt acltools`
+trap "cd /; zpool destroy -f acltools; rmdir $MNT; mdconfig -d -u $MD" EXIT
+zpool create -m $MNT acltools /dev/$MD
+if [ $? -ne 0 ]; then
+ echo "not ok 1 - 'zpool create' failed."
+ echo 'Bail out!'
+ exit 1
+fi
+
+echo "ok 1"
+
+cd $MNT
+
+# First, check whether we can crash the kernel by creating too many
+# entries. For some reason this won't work in the test file.
+touch xxx
+setfacl -x2 xxx
+while :; do setfacl -a0 u:42:rwx:allow xxx 2> /dev/null; if [ $? -ne 0 ]; then break; fi; done
+chmod 600 xxx
+rm xxx
+echo "ok 2"
+
+perl $TESTDIR/run $TESTDIR/tools-nfs4-psarc.test > /dev/null
+
+if [ $? -eq 0 ]; then
+ echo "ok 3"
+else
+ echo "not ok 3"
+fi
+
+echo "ok 4"
diff --git a/tests/sys/acl/02.sh b/tests/sys/acl/02.sh
new file mode 100644
index 0000000..8fbb39d
--- /dev/null
+++ b/tests/sys/acl/02.sh
@@ -0,0 +1,93 @@
+#!/bin/sh
+#
+# Copyright (c) 2008, 2009 Edward Tomasz Napierała <trasz@FreeBSD.org>
+# All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+# 1. Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+# 2. Redistributions in binary form must reproduce the above copyright
+# notice, this list of conditions and the following disclaimer in the
+# documentation and/or other materials provided with the distribution.
+#
+# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+# SUCH DAMAGE.
+#
+# $FreeBSD$
+#
+
+# This is a wrapper script to run tools-nfs4.test on UFS filesystem.
+#
+# If any of the tests fails, here is how to debug it: go to
+# the directory with problematic filesystem mounted on it,
+# and do /path/to/test run /path/to/test tools-nfs4.test, e.g.
+#
+# /usr/src/tools/regression/acltools/run /usr/src/tools/regression/acltools/tools-nfs4.test
+#
+# Output should be obvious.
+
+if [ $(sysctl -n kern.features.ufs_acl 2>/dev/null || echo 0) -eq 0 ]; then
+ echo "1..0 # SKIP system does not have UFS ACL support"
+ exit 0
+fi
+if [ $(id -u) -ne 0 ]; then
+ echo "1..0 # SKIP you must be root"
+ exit 0
+fi
+
+echo "1..4"
+
+TESTDIR=$(dirname $(realpath $0))
+
+# Set up the test filesystem.
+MD=`mdconfig -at swap -s 10m`
+MNT=`mktemp -dt acltools`
+newfs /dev/$MD > /dev/null
+trap "cd /; umount -f $MNT; rmdir $MNT; mdconfig -d -u $MD" EXIT
+mount -o nfsv4acls /dev/$MD $MNT
+if [ $? -ne 0 ]; then
+ echo "not ok 1 - mount failed."
+ echo 'Bail out!'
+ exit 1
+fi
+
+echo "ok 1"
+
+cd $MNT
+
+# First, check whether we can crash the kernel by creating too many
+# entries. For some reason this won't work in the test file.
+touch xxx
+setfacl -x2 xxx
+while :; do setfacl -a0 u:42:rwx:allow xxx 2> /dev/null; if [ $? -ne 0 ]; then break; fi; done
+chmod 600 xxx
+rm xxx
+echo "ok 2"
+
+if [ `sysctl -n vfs.acl_nfs4_old_semantics` = 0 ]; then
+ perl $TESTDIR/run $TESTDIR/tools-nfs4-psarc.test > /dev/null
+else
+ perl $TESTDIR/run $TESTDIR/tools-nfs4.test > /dev/null
+fi
+
+if [ $? -eq 0 ]; then
+ echo "ok 3"
+else
+ echo "not ok 3"
+fi
+
+cd /
+
+echo "ok 4"
+
diff --git a/tests/sys/acl/03.sh b/tests/sys/acl/03.sh
new file mode 100644
index 0000000..2b81b26
--- /dev/null
+++ b/tests/sys/acl/03.sh
@@ -0,0 +1,117 @@
+#!/bin/sh
+#
+# Copyright (c) 2008, 2009 Edward Tomasz Napierała <trasz@FreeBSD.org>
+# All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+# 1. Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+# 2. Redistributions in binary form must reproduce the above copyright
+# notice, this list of conditions and the following disclaimer in the
+# documentation and/or other materials provided with the distribution.
+#
+# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+# SUCH DAMAGE.
+#
+# $FreeBSD$
+#
+
+# This is a wrapper script to run tools-crossfs.test between UFS without
+# ACLs, UFS with POSIX.1e ACLs, and ZFS with NFSv4 ACLs.
+#
+# WARNING: It uses hardcoded ZFS pool name "acltools"
+#
+# Output should be obvious.
+
+if ! sysctl vfs.zfs.version.spa >/dev/null 2>&1; then
+ echo "1..0 # SKIP system doesn't have ZFS loaded"
+ exit 0
+fi
+if [ $(id -u) -ne 0 ]; then
+ echo "1..0 # SKIP you must be root"
+ exit 0
+fi
+
+echo "1..5"
+
+TESTDIR=$(dirname $(realpath $0))
+MNTROOT=`mktemp -dt acltools`
+
+# Set up the test filesystems.
+MD1=`mdconfig -at swap -s 64m`
+MNT1=$MNTROOT/nfs4
+mkdir $MNT1
+zpool create -m $MNT1 acltools /dev/$MD1
+if [ $? -ne 0 ]; then
+ echo "not ok 1 - 'zpool create' failed."
+ echo 'Bail out!'
+ exit 1
+fi
+
+echo "ok 1"
+
+MD2=`mdconfig -at swap -s 10m`
+MNT2=$MNTROOT/posix
+mkdir $MNT2
+newfs /dev/$MD2 > /dev/null
+mount -o acls /dev/$MD2 $MNT2
+if [ $? -ne 0 ]; then
+ echo "not ok 2 - mount failed."
+ echo 'Bail out!'
+ exit 1
+fi
+
+echo "ok 2"
+
+MD3=`mdconfig -at swap -s 10m`
+MNT3=$MNTROOT/none
+mkdir $MNT3
+newfs /dev/$MD3 > /dev/null
+mount /dev/$MD3 $MNT3
+if [ $? -ne 0 ]; then
+ echo "not ok 3 - mount failed."
+ echo 'Bail out!'
+ exit 1
+fi
+
+echo "ok 3"
+
+cd $MNTROOT
+
+perl $TESTDIR/run $TESTDIR/tools-crossfs.test > /dev/null
+
+if [ $? -eq 0 ]; then
+ echo "ok 4"
+else
+ echo "not ok 4"
+fi
+
+cd /
+
+umount -f $MNT3
+rmdir $MNT3
+mdconfig -du $MD3
+
+umount -f $MNT2
+rmdir $MNT2
+mdconfig -du $MD2
+
+zpool destroy -f acltools
+rmdir $MNT1
+mdconfig -du $MD1
+
+rmdir $MNTROOT
+
+echo "ok 5"
+
diff --git a/tests/sys/acl/04.sh b/tests/sys/acl/04.sh
new file mode 100644
index 0000000..5669c5a
--- /dev/null
+++ b/tests/sys/acl/04.sh
@@ -0,0 +1,73 @@
+#!/bin/sh
+#
+# Copyright (c) 2011 Edward Tomasz Napierała <trasz@FreeBSD.org>
+# All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+# 1. Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+# 2. Redistributions in binary form must reproduce the above copyright
+# notice, this list of conditions and the following disclaimer in the
+# documentation and/or other materials provided with the distribution.
+#
+# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+# SUCH DAMAGE.
+#
+# $FreeBSD$
+#
+
+# This is a wrapper script to run tools-nfs4-trivial.test on ZFS filesystem.
+#
+# WARNING: It uses hardcoded ZFS pool name "acltools"
+
+if ! sysctl vfs.zfs.version.spa >/dev/null 2>&1; then
+ echo "1..0 # SKIP system doesn't have ZFS loaded"
+ exit 0
+fi
+if [ $(id -u) -ne 0 ]; then
+ echo "1..0 # SKIP you must be root"
+ exit 0
+fi
+
+echo "1..3"
+
+TESTDIR=$(dirname $(realpath $0))
+
+# Set up the test filesystem.
+MD=`mdconfig -at swap -s 64m`
+MNT=`mktemp -dt acltools`
+zpool create -m $MNT acltools /dev/$MD
+if [ $? -ne 0 ]; then
+ echo "not ok 1 - 'zpool create' failed."
+ exit 1
+fi
+
+echo "ok 1"
+
+cd $MNT
+
+perl $TESTDIR/run $TESTDIR/tools-nfs4-trivial.test > /dev/null
+
+if [ $? -eq 0 ]; then
+ echo "ok 2"
+else
+ echo "not ok 2"
+fi
+
+cd /
+zpool destroy -f acltools
+rmdir $MNT
+mdconfig -du $MD
+
+echo "ok 3"
diff --git a/tests/sys/acl/aclfuzzer.sh b/tests/sys/acl/aclfuzzer.sh
new file mode 100755
index 0000000..dff07d8
--- /dev/null
+++ b/tests/sys/acl/aclfuzzer.sh
@@ -0,0 +1,225 @@
+#!/bin/sh
+#
+# Copyright (c) 2008, 2009 Edward Tomasz Napierała <trasz@FreeBSD.org>
+# All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+# 1. Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+# 2. Redistributions in binary form must reproduce the above copyright
+# notice, this list of conditions and the following disclaimer in the
+# documentation and/or other materials provided with the distribution.
+#
+# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+# SUCH DAMAGE.
+#
+# $FreeBSD$
+#
+
+# This is an NFSv4 ACL fuzzer. It expects to be run by non-root in a scratch
+# directory on a filesystem with NFSv4 ACLs support. Output it generates
+# is expected to be fed to /usr/src/tools/regression/acltools/run script.
+
+NUMBER_OF_COMMANDS=300
+
+run_command()
+{
+ echo "\$ $1"
+ eval $1 2>&1 | sed 's/^/> /'
+}
+
+rnd_from_0_to()
+{
+ max=`expr $1 + 1`
+ rnd=`jot -r 1`
+ rnd=`expr $rnd % $max`
+
+ echo $rnd
+}
+
+rnd_path()
+{
+ rnd=`rnd_from_0_to 3`
+ case $rnd in
+ 0) echo "$TMP/aaa" ;;
+ 1) echo "$TMP/bbb" ;;
+ 2) echo "$TMP/aaa/ccc" ;;
+ 3) echo "$TMP/bbb/ddd" ;;
+ esac
+}
+
+f_prepend_random_acl_on()
+{
+ rnd=`rnd_from_0_to 4`
+ case $rnd in
+ 0) u="owner@" ;;
+ 1) u="group@" ;;
+ 2) u="everyone@" ;;
+ 3) u="u:1138" ;;
+ 4) u="g:1138" ;;
+ esac
+
+ p=""
+ while :; do
+ rnd=`rnd_from_0_to 30`
+ if [ -n "$p" -a $rnd -ge 14 ]; then
+ break;
+ fi
+
+ case $rnd in
+ 0) p="${p}r" ;;
+ 1) p="${p}w" ;;
+ 2) p="${p}x" ;;
+ 3) p="${p}p" ;;
+ 4) p="${p}d" ;;
+ 5) p="${p}D" ;;
+ 6) p="${p}a" ;;
+ 7) p="${p}A" ;;
+ 8) p="${p}R" ;;
+ 9) p="${p}W" ;;
+ 10) p="${p}R" ;;
+ 11) p="${p}c" ;;
+ 12) p="${p}C" ;;
+ 13) p="${p}o" ;;
+ 14) p="${p}s" ;;
+ esac
+ done
+
+ f=""
+ while :; do
+ rnd=`rnd_from_0_to 10`
+ if [ $rnd -ge 6 ]; then
+ break;
+ fi
+
+ case $rnd in
+ 0) f="${f}f" ;;
+ 1) f="${f}d" ;;
+ 2) f="${f}n" ;;
+ 3) f="${f}i" ;;
+ esac
+ done
+
+ rnd=`rnd_from_0_to 1`
+ case $rnd in
+ 0) x="allow" ;;
+ 1) x="deny" ;;
+ esac
+
+ acl="$u:$p:$f:$x"
+
+ file=`rnd_path`
+ run_command "setfacl -a0 $acl $file"
+}
+
+f_getfacl()
+{
+ file=`rnd_path`
+ run_command "getfacl -qn $file"
+}
+
+f_ls_mode()
+{
+ file=`rnd_path`
+ run_command "ls -al $file | sed -n '2p' | cut -d' ' -f1"
+}
+
+f_chmod()
+{
+ b1=`rnd_from_0_to 7`
+ b2=`rnd_from_0_to 7`
+ b3=`rnd_from_0_to 7`
+ b4=`rnd_from_0_to 7`
+ file=`rnd_path`
+
+ run_command "chmod $b1$b2$b3$b4 $file $2"
+}
+
+f_touch()
+{
+ file=`rnd_path`
+ run_command "touch $file"
+}
+
+f_rm()
+{
+ file=`rnd_path`
+ run_command "rm -f $file"
+}
+
+f_mkdir()
+{
+ file=`rnd_path`
+ run_command "mkdir $file"
+}
+
+f_rmdir()
+{
+ file=`rnd_path`
+ run_command "rmdir $file"
+}
+
+f_mv()
+{
+ from=`rnd_path`
+ to=`rnd_path`
+ run_command "mv -f $from $to"
+}
+
+# XXX: To be implemented: chown(8), setting times with touch(1).
+
+switch_to_random_user()
+{
+ # XXX: To be implemented.
+}
+
+execute_random_command()
+{
+ rnd=`rnd_from_0_to 20`
+
+ case $rnd in
+ 0|10|11|12|13|15) cmd=f_prepend_random_acl_on ;;
+ 1) cmd=f_getfacl ;;
+ 2) cmd=f_ls_mode ;;
+ 3) cmd=f_chmod ;;
+ 4|18|19) cmd=f_touch ;;
+ 5) cmd=f_rm ;;
+ 6|16|17) cmd=f_mkdir ;;
+ 7) cmd=f_rmdir ;;
+ 8) cmd=f_mv ;;
+ esac
+
+ $cmd "XXX"
+}
+
+echo "# Fuzzing; will stop after $NUMBER_OF_COMMANDS commands."
+TMP="aclfuzzer_`dd if=/dev/random bs=1k count=1 2>/dev/null | openssl md5`"
+
+run_command "whoami"
+umask 022
+run_command "umask 022"
+run_command "mkdir $TMP"
+
+i=0;
+while [ "$i" -lt "$NUMBER_OF_COMMANDS" ]; do
+ switch_to_random_user
+ execute_random_command
+ i=`expr $i + 1`
+done
+
+run_command "find $TMP -exec setfacl -a0 everyone@:rxd:allow {} \;"
+run_command "rm -rfv $TMP"
+
+echo "# Fuzzed, thank you."
+
diff --git a/tests/sys/acl/mktrivial.sh b/tests/sys/acl/mktrivial.sh
new file mode 100755
index 0000000..99e3614
--- /dev/null
+++ b/tests/sys/acl/mktrivial.sh
@@ -0,0 +1,53 @@
+#!/bin/sh
+#
+# Copyright (c) 2010 Edward Tomasz Napierała <trasz@FreeBSD.org>
+# All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+# 1. Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+# 2. Redistributions in binary form must reproduce the above copyright
+# notice, this list of conditions and the following disclaimer in the
+# documentation and/or other materials provided with the distribution.
+#
+# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+# SUCH DAMAGE.
+#
+# $FreeBSD$
+#
+
+# This shell script generates an input file for the "run" script, used
+# to verify generation of trivial ACLs.
+
+echo "$ touch f"
+touch f
+
+for s in `jot 7 0 7`; do
+ for u in `jot 7 0 7`; do
+ for g in `jot 7 0 7`; do
+ for o in `jot 7 0 7`; do
+ echo "$ chmod 0$s$u$g$o f"
+ chmod "0$s$u$g$o" f
+ echo "$ ls -l f | cut -d' ' -f1"
+ ls -l f | cut -d' ' -f1 | sed 's/^/> /'
+ echo "$ getfacl -q f"
+ getfacl -q f | sed 's/^/> /'
+ done
+ done
+ done
+done
+
+echo "$ rm f"
+rm f
+
diff --git a/tests/sys/acl/run b/tests/sys/acl/run
new file mode 100644
index 0000000..383f47e
--- /dev/null
+++ b/tests/sys/acl/run
@@ -0,0 +1,329 @@
+#!/usr/bin/perl -w -U
+
+# Copyright (c) 2007, 2008 Andreas Gruenbacher.
+# All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+# 1. Redistributions of source code must retain the above copyright
+# notice, this list of conditions, and the following disclaimer,
+# without modification, immediately at the beginning of the file.
+# 2. The name of the author may not be used to endorse or promote products
+# derived from this software without specific prior written permission.
+#
+# Alternatively, this software may be distributed under the terms of the
+# GNU Public License ("GPL").
+#
+# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE FOR
+# ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+# SUCH DAMAGE.
+#
+# $FreeBSD$
+#
+
+#
+# Possible improvements:
+#
+# - distinguish stdout and stderr output
+# - add environment variable like assignments
+# - run up to a specific line
+# - resume at a specific line
+#
+
+use strict;
+use FileHandle;
+use Getopt::Std;
+use POSIX qw(isatty setuid getcwd);
+use vars qw($opt_l $opt_v);
+
+no warnings qw(taint);
+
+$opt_l = ~0; # a really huge number
+getopts('l:v');
+
+my ($OK, $FAILED) = ("ok", "failed");
+if (isatty(fileno(STDOUT))) {
+ $OK = "\033[32m" . $OK . "\033[m";
+ $FAILED = "\033[31m\033[1m" . $FAILED . "\033[m";
+}
+
+sub exec_test($$);
+sub process_test($$$$);
+
+my ($prog, $in, $out) = ([], [], []);
+my $prog_line = 0;
+my ($tests, $failed) = (0,0);
+my $lineno;
+my $width = ($ENV{COLUMNS} || 80) >> 1;
+
+for (;;) {
+ my $line = <>; $lineno++;
+ if (defined $line) {
+ # Substitute %VAR and %{VAR} with environment variables.
+ $line =~ s[%(\w+)][$ENV{$1}]eg;
+ $line =~ s[%{(\w+)}][$ENV{$1}]eg;
+ }
+ if (defined $line) {
+ if ($line =~ s/^\s*< ?//) {
+ push @$in, $line;
+ } elsif ($line =~ s/^\s*> ?//) {
+ push @$out, $line;
+ } else {
+ process_test($prog, $prog_line, $in, $out);
+ last if $prog_line >= $opt_l;
+
+ $prog = [];
+ $prog_line = 0;
+ }
+ if ($line =~ s/^\s*\$ ?//) {
+ $prog = [ map { s/\\(.)/$1/g; $_ } split /(?<!\\)\s+/, $line ];
+ $prog_line = $lineno;
+ $in = [];
+ $out = [];
+ }
+ } else {
+ process_test($prog, $prog_line, $in, $out);
+ last;
+ }
+}
+
+my $status = sprintf("%d commands (%d passed, %d failed)",
+ $tests, $tests-$failed, $failed);
+if (isatty(fileno(STDOUT))) {
+ if ($failed) {
+ $status = "\033[31m\033[1m" . $status . "\033[m";
+ } else {
+ $status = "\033[32m" . $status . "\033[m";
+ }
+}
+print $status, "\n";
+exit $failed ? 1 : 0;
+
+
+sub process_test($$$$) {
+ my ($prog, $prog_line, $in, $out) = @_;
+
+ return unless @$prog;
+
+ my $p = [ @$prog ];
+ print "[$prog_line] \$ ", join(' ',
+ map { s/\s/\\$&/g; $_ } @$p), " -- ";
+ my $result = exec_test($prog, $in);
+ my @good = ();
+ my $nmax = (@$out > @$result) ? @$out : @$result;
+ for (my $n=0; $n < $nmax; $n++) {
+ my $use_re;
+ if (defined $out->[$n] && $out->[$n] =~ /^~ /) {
+ $use_re = 1;
+ $out->[$n] =~ s/^~ //g;
+ }
+
+ if (!defined($out->[$n]) || !defined($result->[$n]) ||
+ (!$use_re && $result->[$n] ne $out->[$n]) ||
+ ( $use_re && $result->[$n] !~ /^$out->[$n]/)) {
+ push @good, ($use_re ? '!~' : '!=');
+ }
+ else {
+ push @good, ($use_re ? '=~' : '==');
+ }
+ }
+ my $good = !(grep /!/, @good);
+ $tests++;
+ $failed++ unless $good;
+ print $good ? $OK : $FAILED, "\n";
+ if (!$good || $opt_v) {
+ for (my $n=0; $n < $nmax; $n++) {
+ my $l = defined($out->[$n]) ? $out->[$n] : "~";
+ chomp $l;
+ my $r = defined($result->[$n]) ? $result->[$n] : "~";
+ chomp $r;
+ print sprintf("%-" . ($width-3) . "s %s %s\n",
+ $r, $good[$n], $l);
+ }
+ }
+}
+
+
+sub su($) {
+ my ($user) = @_;
+
+ $user ||= "root";
+
+ my ($login, $pass, $uid, $gid) = getpwnam($user)
+ or return [ "su: user $user does not exist\n" ];
+ my @groups = ();
+ my $fh = new FileHandle("/etc/group")
+ or return [ "opening /etc/group: $!\n" ];
+ while (<$fh>) {
+ chomp;
+ my ($group, $passwd, $gid, $users) = split /:/;
+ foreach my $u (split /,/, $users) {
+ push @groups, $gid
+ if ($user eq $u);
+ }
+ }
+ $fh->close;
+
+ my $groups = join(" ", ($gid, $gid, @groups));
+ #print STDERR "[[$groups]]\n";
+ $! = 0; # reset errno
+ $> = 0;
+ $( = $gid;
+ $) = $groups;
+ if ($!) {
+ return [ "su: $!\n" ];
+ }
+ if ($uid != 0) {
+ $> = $uid;
+ #$< = $uid;
+ if ($!) {
+ return [ "su: $prog->[1]: $!\n" ];
+ }
+ }
+ #print STDERR "[($>,$<)($(,$))]";
+ return [];
+}
+
+
+sub sg($) {
+ my ($group) = @_;
+
+ my $gid = getgrnam($group)
+ or return [ "sg: group $group does not exist\n" ];
+ my %groups = map { $_ eq $gid ? () : ($_ => 1) } (split /\s/, $));
+
+ #print STDERR "<<", join("/", keys %groups), ">>\n";
+ my $groups = join(" ", ($gid, $gid, keys %groups));
+ #print STDERR "[[$groups]]\n";
+ $! = 0; # reset errno
+ if ($> != 0) {
+ my $uid = $>;
+ $> = 0;
+ $( = $gid;
+ $) = $groups;
+ $> = $uid;
+ } else {
+ $( = $gid;
+ $) = $groups;
+ }
+ if ($!) {
+ return [ "sg: $!\n" ];
+ }
+ print STDERR "[($>,$<)($(,$))]";
+ return [];
+}
+
+
+sub exec_test($$) {
+ my ($prog, $in) = @_;
+ local (*IN, *IN_DUP, *IN2, *OUT_DUP, *OUT, *OUT2);
+ my $needs_shell = (join('', @$prog) =~ /[][|<>"'`\$\*\?]/);
+
+ if ($prog->[0] eq "umask") {
+ umask oct $prog->[1];
+ return [];
+ } elsif ($prog->[0] eq "cd") {
+ if (!chdir $prog->[1]) {
+ return [ "chdir: $prog->[1]: $!\n" ];
+ }
+ $ENV{PWD} = getcwd;
+ return [];
+ } elsif ($prog->[0] eq "su") {
+ return su($prog->[1]);
+ } elsif ($prog->[0] eq "sg") {
+ return sg($prog->[1]);
+ } elsif ($prog->[0] eq "export") {
+ my ($name, $value) = split /=/, $prog->[1];
+ # FIXME: need to evaluate $value, so that things like this will work:
+ # export dir=$PWD/dir
+ $ENV{$name} = $value;
+ return [];
+ } elsif ($prog->[0] eq "unset") {
+ delete $ENV{$prog->[1]};
+ return [];
+ }
+
+ pipe *IN2, *OUT
+ or die "Can't create pipe for reading: $!";
+ open *IN_DUP, "<&STDIN"
+ or *IN_DUP = undef;
+ open *STDIN, "<&IN2"
+ or die "Can't duplicate pipe for reading: $!";
+ close *IN2;
+
+ open *OUT_DUP, ">&STDOUT"
+ or die "Can't duplicate STDOUT: $!";
+ pipe *IN, *OUT2
+ or die "Can't create pipe for writing: $!";
+ open *STDOUT, ">&OUT2"
+ or die "Can't duplicate pipe for writing: $!";
+ close *OUT2;
+
+ *STDOUT->autoflush();
+ *OUT->autoflush();
+
+ $SIG{CHLD} = 'IGNORE';
+
+ if (fork()) {
+ # Server
+ if (*IN_DUP) {
+ open *STDIN, "<&IN_DUP"
+ or die "Can't duplicate STDIN: $!";
+ close *IN_DUP
+ or die "Can't close STDIN duplicate: $!";
+ }
+ open *STDOUT, ">&OUT_DUP"
+ or die "Can't duplicate STDOUT: $!";
+ close *OUT_DUP
+ or die "Can't close STDOUT duplicate: $!";
+
+ foreach my $line (@$in) {
+ #print "> $line";
+ print OUT $line;
+ }
+ close *OUT
+ or die "Can't close pipe for writing: $!";
+
+ my $result = [];
+ while (<IN>) {
+ #print "< $_";
+ if ($needs_shell) {
+ s#^/bin/sh: line \d+: ##;
+ }
+ push @$result, $_;
+ }
+ return $result;
+ } else {
+ # Client
+ $< = $>;
+ close IN
+ or die "Can't close read end for input pipe: $!";
+ close OUT
+ or die "Can't close write end for output pipe: $!";
+ close OUT_DUP
+ or die "Can't close STDOUT duplicate: $!";
+ local *ERR_DUP;
+ open ERR_DUP, ">&STDERR"
+ or die "Can't duplicate STDERR: $!";
+ open STDERR, ">&STDOUT"
+ or die "Can't join STDOUT and STDERR: $!";
+
+ if ($needs_shell) {
+ exec ('/bin/sh', '-c', join(" ", @$prog));
+ } else {
+ exec @$prog;
+ }
+ print STDERR $prog->[0], ": $!\n";
+ exit;
+ }
+}
+
diff --git a/tests/sys/acl/tools-crossfs.test b/tests/sys/acl/tools-crossfs.test
new file mode 100644
index 0000000..1f59637
--- /dev/null
+++ b/tests/sys/acl/tools-crossfs.test
@@ -0,0 +1,323 @@
+# Copyright (c) 2008, 2009 Edward Tomasz Napierała <trasz@FreeBSD.org>
+# All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+# 1. Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+# 2. Redistributions in binary form must reproduce the above copyright
+# notice, this list of conditions and the following disclaimer in the
+# documentation and/or other materials provided with the distribution.
+#
+# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+# SUCH DAMAGE.
+#
+# $FreeBSD$
+#
+
+# This is a tools-level test intended to verify that cp(1) and mv(1)
+# do the right thing with respect to ACLs. Run it as root using
+# ACL-enabled kernel:
+#
+# /usr/src/tools/regression/acltools/run /usr/src/tools/regression/acltools/tools-nfs4.test
+#
+# You need to have three subdirectories, named nfs4, posix and none,
+# with filesystems with NFSv4 ACLs, POSIX.1e ACLs and no ACLs enabled,
+# respectively, mounted on them, in your current directory.
+#
+# WARNING: Creates files in unsafe way.
+
+$ whoami
+> root
+$ umask 022
+
+$ touch nfs4/xxx
+$ getfacl -nq nfs4/xxx
+> owner@:rw-p--aARWcCos:-------:allow
+> group@:r-----a-R-c--s:-------:allow
+> everyone@:r-----a-R-c--s:-------:allow
+
+$ touch posix/xxx
+$ getfacl -nq posix/xxx
+> user::rw-
+> group::r--
+> other::r--
+
+# mv with POSIX.1e ACLs.
+$ rm -f posix/xxx
+$ rm -f posix/yyy
+$ touch posix/xxx
+$ chmod 456 posix/xxx
+$ ls -l posix/xxx | cut -d' ' -f1
+> -r--r-xrw-
+$ setfacl -m u:42:x,g:43:w posix/xxx
+$ mv posix/xxx posix/yyy
+$ getfacl -nq posix/yyy
+> user::r--
+> user:42:--x
+> group::r-x
+> group:43:-w-
+> mask::rwx
+> other::rw-
+$ ls -l posix/yyy | cut -d' ' -f1
+> -r--rwxrw-+
+
+# mv from POSIX.1e to none.
+$ rm -f posix/xxx
+$ rm -f none/xxx
+$ touch posix/xxx
+$ chmod 345 posix/xxx
+$ setfacl -m u:42:x,g:43:w posix/xxx
+$ ls -l posix/xxx | cut -d' ' -f1
+> --wxrwxr-x+
+$ mv posix/xxx none/xxx
+> mv: failed to set acl entries for none/xxx: Operation not supported
+$ ls -l none/xxx | cut -d' ' -f1
+> --wxrwxr-x
+
+# mv from POSIX.1e to NFSv4.
+$ rm -f posix/xxx
+$ rm -f nfs4/xxx
+$ touch posix/xxx
+$ chmod 456 posix/xxx
+$ setfacl -m u:42:x,g:43:w posix/xxx
+$ ls -l posix/xxx | cut -d' ' -f1
+> -r--rwxrw-+
+$ mv posix/yyy nfs4/xxx
+> mv: failed to set acl entries for nfs4/xxx: Invalid argument
+$ getfacl -nq nfs4/xxx
+> owner@:-wxp----------:-------:deny
+> owner@:r-----aARWcCos:-------:allow
+> group@:rwxp--a-R-c--s:-------:allow
+> everyone@:rw-p--a-R-c--s:-------:allow
+$ ls -l nfs4/xxx | cut -d' ' -f1
+> -r--rwxrw-
+
+# mv with NFSv4 ACLs.
+$ rm -f nfs4/xxx
+$ rm -f nfs4/yyy
+$ touch nfs4/xxx
+$ setfacl -a0 u:42:x:allow,g:43:w:allow nfs4/xxx
+$ mv nfs4/xxx nfs4/yyy
+$ getfacl -nq nfs4/yyy
+> user:42:--x-----------:-------:allow
+> group:43:-w------------:-------:allow
+> owner@:rw-p--aARWcCos:-------:allow
+> group@:r-----a-R-c--s:-------:allow
+> everyone@:r-----a-R-c--s:-------:allow
+$ ls -l nfs4/yyy | cut -d' ' -f1
+> -rw-r--r--+
+
+# mv from NFSv4 to POSIX.1e without any ACLs.
+$ rm -f nfs4/xxx
+$ rm -f posix/xxx
+$ touch nfs4/xxx
+$ chmod 456 nfs4/xxx
+$ ls -l nfs4/xxx | cut -d' ' -f1
+> -r--r-xrw-
+$ mv nfs4/xxx posix/xxx
+$ ls -l posix/xxx | cut -d' ' -f1
+> -r--r-xrw-
+
+# mv from NFSv4 to none.
+$ rm -f nfs4/xxx
+$ rm -f none/xxx
+$ touch nfs4/xxx
+$ chmod 345 nfs4/xxx
+$ ls -l nfs4/xxx | cut -d' ' -f1
+> --wxr--r-x
+$ setfacl -a0 u:42:x:allow,g:43:w:allow nfs4/xxx
+$ ls -l nfs4/xxx | cut -d' ' -f1
+> --wxr--r-x+
+$ mv nfs4/xxx none/xxx
+> mv: failed to set acl entries for none/xxx: Operation not supported
+$ ls -l none/xxx | cut -d' ' -f1
+> --wxr--r-x
+
+# mv from NFSv4 to POSIX.1e.
+$ rm -f nfs4/xxx
+$ rm -f posix/xxx
+$ touch nfs4/xxx
+$ chmod 345 nfs4/xxx
+$ ls -l nfs4/xxx | cut -d' ' -f1
+> --wxr--r-x
+$ setfacl -a0 u:42:x:allow,g:43:w:allow nfs4/xxx
+$ ls -l nfs4/xxx | cut -d' ' -f1
+> --wxr--r-x+
+$ mv nfs4/xxx posix/xxx
+> mv: failed to set acl entries for posix/xxx: Invalid argument
+$ ls -l posix/xxx | cut -d' ' -f1
+> --wxr--r-x
+
+# cp with POSIX.1e ACLs.
+$ rm -f posix/xxx
+$ rm -f posix/yyy
+$ touch posix/xxx
+$ setfacl -m u:42:x,g:43:w posix/xxx
+$ ls -l posix/xxx | cut -d' ' -f1
+> -rw-rwxr--+
+$ cp posix/xxx posix/yyy
+$ ls -l posix/yyy | cut -d' ' -f1
+> -rw-r-xr--
+
+# cp -p with POSIX.1e ACLs.
+$ rm -f posix/xxx
+$ rm -f posix/yyy
+$ touch posix/xxx
+$ setfacl -m u:42:x,g:43:w posix/xxx
+$ getfacl -nq posix/xxx
+> user::rw-
+> user:42:--x
+> group::r--
+> group:43:-w-
+> mask::rwx
+> other::r--
+$ ls -l posix/xxx | cut -d' ' -f1
+> -rw-rwxr--+
+$ cp -p posix/xxx posix/yyy
+$ getfacl -nq posix/yyy
+> user::rw-
+> user:42:--x
+> group::r--
+> group:43:-w-
+> mask::rwx
+> other::r--
+$ ls -l posix/yyy | cut -d' ' -f1
+> -rw-rwxr--+
+
+# cp from POSIX.1e to none.
+$ rm -f posix/xxx
+$ rm -f none/xxx
+$ touch posix/xxx
+$ setfacl -m u:42:x,g:43:w posix/xxx
+$ ls -l posix/xxx | cut -d' ' -f1
+> -rw-rwxr--+
+$ cp posix/xxx none/xxx
+$ ls -l none/xxx | cut -d' ' -f1
+> -rw-r-xr--
+
+# cp -p from POSIX.1e to none.
+$ rm -f posix/xxx
+$ rm -f none/xxx
+$ touch posix/xxx
+$ setfacl -m u:42:x,g:43:w posix/xxx
+$ ls -l posix/xxx | cut -d' ' -f1
+> -rw-rwxr--+
+$ cp -p posix/xxx none/xxx
+> cp: failed to set acl entries for none/xxx: Operation not supported
+$ ls -l none/xxx | cut -d' ' -f1
+> -rw-rwxr--
+
+# cp from POSIX.1e to NFSv4.
+$ rm -f posix/xxx
+$ rm -f nfs4/xxx
+$ touch posix/xxx
+$ setfacl -m u:42:x,g:43:w posix/xxx
+$ ls -l posix/xxx | cut -d' ' -f1
+> -rw-rwxr--+
+$ cp posix/xxx nfs4/xxx
+$ ls -l nfs4/xxx | cut -d' ' -f1
+> -rw-r-xr--
+
+# cp -p from POSIX.1e to NFSv4.
+$ rm -f posix/xxx
+$ rm -f nfs4/xxx
+$ touch posix/xxx
+$ setfacl -m u:42:x,g:43:w posix/xxx
+$ ls -l posix/xxx | cut -d' ' -f1
+> -rw-rwxr--+
+$ cp -p posix/xxx nfs4/xxx
+> cp: failed to set acl entries for nfs4/xxx: Invalid argument
+$ ls -l nfs4/xxx | cut -d' ' -f1
+> -rw-rwxr--
+
+# cp with NFSv4 ACLs.
+$ rm -f nfs4/xxx
+$ rm -f nfs4/yyy
+$ touch nfs4/xxx
+$ chmod 543 nfs4/xxx
+$ setfacl -a0 u:42:x:allow,g:43:w:allow nfs4/xxx
+$ ls -l nfs4/xxx | cut -d' ' -f1
+> -r-xr---wx+
+$ cp nfs4/xxx nfs4/yyy
+$ ls -l nfs4/yyy | cut -d' ' -f1
+> -r-xr----x
+
+# cp -p with NFSv4 ACLs.
+$ rm -f nfs4/xxx
+$ rm -f nfs4/yyy
+$ touch nfs4/xxx
+$ chmod 543 nfs4/xxx
+$ setfacl -a0 u:42:x:allow,g:43:w:allow nfs4/xxx
+$ cp -p nfs4/xxx nfs4/yyy
+$ getfacl -nq nfs4/yyy
+> user:42:--x-----------:-------:allow
+> group:43:-w------------:-------:allow
+> owner@:--x-----------:-------:allow
+> owner@:-w-p----------:-------:deny
+> group@:-wxp----------:-------:deny
+> owner@:r-x---aARWcCos:-------:allow
+> group@:r-----a-R-c--s:-------:allow
+> everyone@:-wxp--a-R-c--s:-------:allow
+$ ls -l nfs4/yyy | cut -d' ' -f1
+> -r-xr---wx+
+
+# cp from NFSv4 to none.
+$ rm -f nfs4/xxx
+$ rm -f none/xxx
+$ touch nfs4/xxx
+$ chmod 543 nfs4/xxx
+$ setfacl -a0 u:42:x:allow,g:43:w:allow nfs4/xxx
+$ ls -l nfs4/xxx | cut -d' ' -f1
+> -r-xr---wx+
+$ cp nfs4/xxx none/xxx
+$ ls -l none/xxx | cut -d' ' -f1
+> -r-xr----x
+
+# cp -p from NFSv4 to none.
+$ rm -f nfs4/xxx
+$ rm -f none/xxx
+$ touch nfs4/xxx
+$ chmod 543 nfs4/xxx
+$ setfacl -a0 u:42:x:allow,g:43:w:allow nfs4/xxx
+$ ls -l nfs4/xxx | cut -d' ' -f1
+> -r-xr---wx+
+$ cp -p nfs4/xxx none/xxx
+> cp: failed to set acl entries for none/xxx: Operation not supported
+$ ls -l none/xxx | cut -d' ' -f1
+> -r-xr---wx
+
+# cp from NFSv4 to POSIX.1e.
+$ rm -f nfs4/xxx
+$ rm -f posix/xxx
+$ touch nfs4/xxx
+$ chmod 543 nfs4/xxx
+$ setfacl -a0 u:42:x:allow,g:43:w:allow nfs4/xxx
+$ ls -l nfs4/xxx | cut -d' ' -f1
+> -r-xr---wx+
+$ cp nfs4/xxx posix/xxx
+$ ls -l posix/xxx | cut -d' ' -f1
+> -r-xr----x
+
+# cp -p from NFSv4 to POSIX.1e.
+$ rm -f nfs4/xxx
+$ rm -f posix/xxx
+$ touch nfs4/xxx
+$ chmod 543 nfs4/xxx
+$ setfacl -a0 u:42:x:allow,g:43:w:allow nfs4/xxx
+$ ls -l nfs4/xxx | cut -d' ' -f1
+> -r-xr---wx+
+$ cp -p nfs4/xxx posix/xxx
+> cp: failed to set acl entries for posix/xxx: Invalid argument
+$ ls -l posix/xxx | cut -d' ' -f1
+> -r-xr---wx
diff --git a/tests/sys/acl/tools-nfs4-psarc.test b/tests/sys/acl/tools-nfs4-psarc.test
new file mode 100644
index 0000000..9ab0b51
--- /dev/null
+++ b/tests/sys/acl/tools-nfs4-psarc.test
@@ -0,0 +1,562 @@
+# Copyright (c) 2008, 2009 Edward Tomasz Napierała <trasz@FreeBSD.org>
+# All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+# 1. Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+# 2. Redistributions in binary form must reproduce the above copyright
+# notice, this list of conditions and the following disclaimer in the
+# documentation and/or other materials provided with the distribution.
+#
+# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+# SUCH DAMAGE.
+#
+# $FreeBSD$
+#
+
+# This is a tools-level test for NFSv4 ACL functionality with PSARC/2010/029
+# semantics. Run it as root using ACL-enabled kernel:
+#
+# /usr/src/tools/regression/acltools/run /usr/src/tools/regression/acltools/tools-nfs4-psarc.test
+#
+# WARNING: Creates files in unsafe way.
+
+$ whoami
+> root
+$ umask 022
+
+# Smoke test for getfacl(1).
+$ touch xxx
+$ getfacl xxx
+> # file: xxx
+> # owner: root
+> # group: wheel
+> owner@:rw-p--aARWcCos:-------:allow
+> group@:r-----a-R-c--s:-------:allow
+> everyone@:r-----a-R-c--s:-------:allow
+
+$ getfacl -q xxx
+> owner@:rw-p--aARWcCos:-------:allow
+> group@:r-----a-R-c--s:-------:allow
+> everyone@:r-----a-R-c--s:-------:allow
+
+# Check verbose mode formatting.
+$ getfacl -v xxx
+> # file: xxx
+> # owner: root
+> # group: wheel
+> owner@:read_data/write_data/append_data/read_attributes/write_attributes/read_xattr/write_xattr/read_acl/write_acl/write_owner/synchronize::allow
+> group@:read_data/read_attributes/read_xattr/read_acl/synchronize::allow
+> everyone@:read_data/read_attributes/read_xattr/read_acl/synchronize::allow
+
+# Test setfacl -a.
+$ setfacl -a2 u:0:write_acl:allow,g:1:read_acl:deny xxx
+$ getfacl -n xxx
+> # file: xxx
+> # owner: root
+> # group: wheel
+> owner@:rw-p--aARWcCos:-------:allow
+> group@:r-----a-R-c--s:-------:allow
+> user:0:-----------C--:-------:allow
+> group:1:----------c---:-------:deny
+> everyone@:r-----a-R-c--s:-------:allow
+
+# Test user and group name resolving.
+$ rm xxx
+$ touch xxx
+$ setfacl -a2 u:root:write_acl:allow,g:daemon:read_acl:deny xxx
+$ getfacl xxx
+> # file: xxx
+> # owner: root
+> # group: wheel
+> owner@:rw-p--aARWcCos:-------:allow
+> group@:r-----a-R-c--s:-------:allow
+> user:root:-----------C--:-------:allow
+> group:daemon:----------c---:-------:deny
+> everyone@:r-----a-R-c--s:-------:allow
+
+# Check whether ls correctly marks files with "+".
+$ ls -l xxx | cut -d' ' -f1
+> -rw-r--r--+
+
+# Test removing entries by number.
+$ setfacl -x 1 xxx
+$ getfacl -n xxx
+> # file: xxx
+> # owner: root
+> # group: wheel
+> owner@:rw-p--aARWcCos:-------:allow
+> user:0:-----------C--:-------:allow
+> group:1:----------c---:-------:deny
+> everyone@:r-----a-R-c--s:-------:allow
+
+# Test setfacl -m.
+$ setfacl -a0 everyone@:rwx:deny xxx
+$ setfacl -a0 everyone@:rwx:deny xxx
+$ setfacl -a0 everyone@:rwx:deny xxx
+$ setfacl -m everyone@::deny xxx
+$ getfacl -n xxx
+> # file: xxx
+> # owner: root
+> # group: wheel
+> everyone@:--------------:-------:deny
+> everyone@:--------------:-------:deny
+> everyone@:--------------:-------:deny
+> owner@:rw-p--aARWcCos:-------:allow
+> user:0:-----------C--:-------:allow
+> group:1:----------c---:-------:deny
+> everyone@:r-----a-R-c--s:-------:allow
+
+# Test getfacl -i.
+$ getfacl -i xxx
+> # file: xxx
+> # owner: root
+> # group: wheel
+> everyone@:--------------:-------:deny
+> everyone@:--------------:-------:deny
+> everyone@:--------------:-------:deny
+> owner@:rw-p--aARWcCos:-------:allow
+> user:root:-----------C--:-------:allow:0
+> group:daemon:----------c---:-------:deny:1
+> everyone@:r-----a-R-c--s:-------:allow
+
+# Make sure cp without any flags does not copy copy the ACL.
+$ cp xxx yyy
+$ ls -l yyy | cut -d' ' -f1
+> -rw-r--r--
+
+# Make sure it does with the "-p" flag.
+$ rm yyy
+$ cp -p xxx yyy
+$ getfacl -n yyy
+> # file: yyy
+> # owner: root
+> # group: wheel
+> everyone@:--------------:-------:deny
+> everyone@:--------------:-------:deny
+> everyone@:--------------:-------:deny
+> owner@:rw-p--aARWcCos:-------:allow
+> user:0:-----------C--:-------:allow
+> group:1:----------c---:-------:deny
+> everyone@:r-----a-R-c--s:-------:allow
+
+$ rm yyy
+
+# Test removing entries by... by example?
+$ setfacl -x everyone@::deny xxx
+$ getfacl -n xxx
+> # file: xxx
+> # owner: root
+> # group: wheel
+> owner@:rw-p--aARWcCos:-------:allow
+> user:0:-----------C--:-------:allow
+> group:1:----------c---:-------:deny
+> everyone@:r-----a-R-c--s:-------:allow
+
+# Test setfacl -b.
+$ setfacl -b xxx
+$ getfacl -n xxx
+> # file: xxx
+> # owner: root
+> # group: wheel
+> owner@:rw-p--aARWcCos:-------:allow
+> group@:r-----a-R-c--s:-------:allow
+> everyone@:r-----a-R-c--s:-------:allow
+
+$ ls -l xxx | cut -d' ' -f1
+> -rw-r--r--
+
+# Check setfacl(1) and getfacl(1) with multiple files.
+$ touch xxx yyy zzz
+
+$ ls -l xxx yyy zzz | cut -d' ' -f1
+> -rw-r--r--
+> -rw-r--r--
+> -rw-r--r--
+
+$ setfacl -m u:42:x:allow,g:43:w:allow nnn xxx yyy zzz
+> setfacl: nnn: stat() failed: No such file or directory
+
+$ ls -l nnn xxx yyy zzz | cut -d' ' -f1
+> ls: nnn: No such file or directory
+> -rw-r--r--+
+> -rw-r--r--+
+> -rw-r--r--+
+
+$ getfacl -nq nnn xxx yyy zzz
+> getfacl: nnn: stat() failed: No such file or directory
+> user:42:--x-----------:-------:allow
+> group:43:-w------------:-------:allow
+> owner@:rw-p--aARWcCos:-------:allow
+> group@:r-----a-R-c--s:-------:allow
+> everyone@:r-----a-R-c--s:-------:allow
+>
+> user:42:--x-----------:-------:allow
+> group:43:-w------------:-------:allow
+> owner@:rw-p--aARWcCos:-------:allow
+> group@:r-----a-R-c--s:-------:allow
+> everyone@:r-----a-R-c--s:-------:allow
+>
+> user:42:--x-----------:-------:allow
+> group:43:-w------------:-------:allow
+> owner@:rw-p--aARWcCos:-------:allow
+> group@:r-----a-R-c--s:-------:allow
+> everyone@:r-----a-R-c--s:-------:allow
+
+$ setfacl -b nnn xxx yyy zzz
+> setfacl: nnn: stat() failed: No such file or directory
+
+$ ls -l nnn xxx yyy zzz | cut -d' ' -f1
+> ls: nnn: No such file or directory
+> -rw-r--r--
+> -rw-r--r--
+> -rw-r--r--
+
+$ rm xxx yyy zzz
+
+# Test applying mode to an ACL.
+$ touch xxx
+$ setfacl -a0 user:42:r:allow,user:43:w:deny,user:43:w:allow,user:44:x:allow -x everyone@::allow xxx
+$ chmod 600 xxx
+$ getfacl -n xxx
+> # file: xxx
+> # owner: root
+> # group: wheel
+> owner@:rw-p--aARWcCos:-------:allow
+> group@:------a-R-c--s:-------:allow
+> everyone@:------a-R-c--s:-------:allow
+
+$ ls -l xxx | cut -d' ' -f1
+> -rw-------
+
+$ rm xxx
+$ touch xxx
+$ chown 42 xxx
+$ setfacl -a0 user:42:r:allow,user:43:w:deny,user:43:w:allow,user:44:x:allow xxx
+$ chmod 600 xxx
+$ getfacl -n xxx
+> # file: xxx
+> # owner: 42
+> # group: wheel
+> owner@:rw-p--aARWcCos:-------:allow
+> group@:------a-R-c--s:-------:allow
+> everyone@:------a-R-c--s:-------:allow
+$ ls -l xxx | cut -d' ' -f1
+> -rw-------
+
+$ rm xxx
+$ touch xxx
+$ chown 43 xxx
+$ setfacl -a0 user:42:r:allow,user:43:w:deny,user:43:w:allow,user:44:x:allow xxx
+$ chmod 124 xxx
+$ getfacl -n xxx
+> # file: xxx
+> # owner: 43
+> # group: wheel
+> owner@:rw-p----------:-------:deny
+> group@:r-------------:-------:deny
+> owner@:--x---aARWcCos:-------:allow
+> group@:-w-p--a-R-c--s:-------:allow
+> everyone@:r-----a-R-c--s:-------:allow
+$ ls -l xxx | cut -d' ' -f1
+> ---x-w-r--
+
+$ rm xxx
+$ touch xxx
+$ chown 43 xxx
+$ setfacl -a0 user:42:r:allow,user:43:w:deny,user:43:w:allow,user:44:x:allow xxx
+$ chmod 412 xxx
+$ getfacl -n xxx
+> # file: xxx
+> # owner: 43
+> # group: wheel
+> owner@:-wxp----------:-------:deny
+> group@:-w-p----------:-------:deny
+> owner@:r-----aARWcCos:-------:allow
+> group@:--x---a-R-c--s:-------:allow
+> everyone@:-w-p--a-R-c--s:-------:allow
+$ ls -l xxx | cut -d' ' -f1
+> -r----x-w-
+
+$ mkdir ddd
+$ setfacl -a0 group:44:rwapd:allow ddd
+$ setfacl -a0 group:43:write_data/delete_child:d:deny,group@:ad:allow ddd
+$ setfacl -a0 user:42:rx:fi:allow,group:42:write_data/delete_child:d:allow ddd
+$ setfacl -m everyone@:-w-p--a-R-c--s:fi:allow ddd
+$ getfacl -n ddd
+> # file: ddd
+> # owner: root
+> # group: wheel
+> user:42:r-x-----------:f-i----:allow
+> group:42:-w--D---------:-d-----:allow
+> group:43:-w--D---------:-d-----:deny
+> group@:-----da-------:-------:allow
+> group:44:rw-p-da-------:-------:allow
+> owner@:rwxp--aARWcCos:-------:allow
+> group@:r-x---a-R-c--s:-------:allow
+> everyone@:-w-p--a-R-c--s:f-i----:allow
+
+$ chmod 777 ddd
+$ getfacl -n ddd
+> # file: ddd
+> # owner: root
+> # group: wheel
+> owner@:rwxp--aARWcCos:-------:allow
+> group@:rwxp--a-R-c--s:-------:allow
+> everyone@:rwxp--a-R-c--s:-------:allow
+
+# Test applying ACL to mode.
+$ rmdir ddd
+$ mkdir ddd
+$ setfacl -a0 u:42:rwx:fi:allow ddd
+$ ls -ld ddd | cut -d' ' -f1
+> drwxr-xr-x+
+
+$ rmdir ddd
+$ mkdir ddd
+$ chmod 0 ddd
+$ setfacl -a0 owner@:r:allow,group@:w:deny,group@:wx:allow ddd
+$ ls -ld ddd | cut -d' ' -f1
+> dr----x---+
+
+$ rmdir ddd
+$ mkdir ddd
+$ chmod 0 ddd
+$ setfacl -a0 owner@:r:allow,group@:w:fi:deny,group@:wx:allow ddd
+$ ls -ld ddd | cut -d' ' -f1
+> dr---wx---+
+
+$ rmdir ddd
+$ mkdir ddd
+$ chmod 0 ddd
+$ setfacl -a0 owner@:r:allow,group:43:w:deny,group:43:wx:allow ddd
+$ ls -ld ddd | cut -d' ' -f1
+> dr--------+
+
+$ rmdir ddd
+$ mkdir ddd
+$ chmod 0 ddd
+$ setfacl -a0 owner@:r:allow,user:43:w:deny,user:43:wx:allow ddd
+$ ls -ld ddd | cut -d' ' -f1
+> dr--------+
+
+# Test inheritance.
+$ rmdir ddd
+$ mkdir ddd
+$ setfacl -a0 group:43:write_data/write_acl:fin:deny,u:43:rwxp:allow ddd
+$ setfacl -a0 user:42:rx:fi:allow,group:42:write_data/delete_child:dn:deny ddd
+$ setfacl -a0 user:42:write_acl/write_owner:fi:allow ddd
+$ setfacl -a0 group:41:read_data/read_attributes:dni:allow ddd
+$ setfacl -a0 user:41:write_data/write_attributes:fn:allow ddd
+$ getfacl -qn ddd
+> user:41:-w-----A------:f--n---:allow
+> group:41:r-----a-------:-din---:allow
+> user:42:-----------Co-:f-i----:allow
+> user:42:r-x-----------:f-i----:allow
+> group:42:-w--D---------:-d-n---:deny
+> group:43:-w---------C--:f-in---:deny
+> user:43:rwxp----------:-------:allow
+> owner@:rwxp--aARWcCos:-------:allow
+> group@:r-x---a-R-c--s:-------:allow
+> everyone@:r-x---a-R-c--s:-------:allow
+
+$ cd ddd
+$ touch xxx
+$ getfacl -qn xxx
+> user:41:--------------:------I:allow
+> user:42:--------------:------I:allow
+> user:42:r-------------:------I:allow
+> group:43:-w---------C--:------I:deny
+> owner@:rw-p--aARWcCos:-------:allow
+> group@:r-----a-R-c--s:-------:allow
+> everyone@:r-----a-R-c--s:-------:allow
+
+$ rm xxx
+$ umask 077
+$ touch xxx
+$ getfacl -qn xxx
+> user:41:--------------:------I:allow
+> user:42:--------------:------I:allow
+> user:42:--------------:------I:allow
+> group:43:-w---------C--:------I:deny
+> owner@:rw-p--aARWcCos:-------:allow
+> group@:------a-R-c--s:-------:allow
+> everyone@:------a-R-c--s:-------:allow
+
+$ rm xxx
+$ umask 770
+$ touch xxx
+$ getfacl -qn xxx
+> owner@:rw-p----------:-------:deny
+> group@:rw-p----------:-------:deny
+> user:41:--------------:------I:allow
+> user:42:--------------:------I:allow
+> user:42:--------------:------I:allow
+> group:43:-w---------C--:------I:deny
+> owner@:------aARWcCos:-------:allow
+> group@:------a-R-c--s:-------:allow
+> everyone@:rw-p--a-R-c--s:-------:allow
+
+$ rm xxx
+$ umask 707
+$ touch xxx
+$ getfacl -qn xxx
+> owner@:rw-p----------:-------:deny
+> user:41:-w------------:------I:allow
+> user:42:--------------:------I:allow
+> user:42:r-------------:------I:allow
+> group:43:-w---------C--:------I:deny
+> owner@:------aARWcCos:-------:allow
+> group@:rw-p--a-R-c--s:-------:allow
+> everyone@:------a-R-c--s:-------:allow
+
+$ umask 077
+$ mkdir yyy
+$ getfacl -qn yyy
+> group:41:------a-------:------I:allow
+> user:42:-----------Co-:f-i---I:allow
+> user:42:r-x-----------:f-i---I:allow
+> group:42:-w--D---------:------I:deny
+> owner@:rwxp--aARWcCos:-------:allow
+> group@:------a-R-c--s:-------:allow
+> everyone@:------a-R-c--s:-------:allow
+
+$ rmdir yyy
+$ umask 770
+$ mkdir yyy
+$ getfacl -qn yyy
+> owner@:rwxp----------:-------:deny
+> group@:rwxp----------:-------:deny
+> group:41:------a-------:------I:allow
+> user:42:-----------Co-:f-i---I:allow
+> user:42:r-x-----------:f-i---I:allow
+> group:42:-w--D---------:------I:deny
+> owner@:------aARWcCos:-------:allow
+> group@:------a-R-c--s:-------:allow
+> everyone@:rwxp--a-R-c--s:-------:allow
+
+$ rmdir yyy
+$ umask 707
+$ mkdir yyy
+$ getfacl -qn yyy
+> owner@:rwxp----------:-------:deny
+> group:41:r-----a-------:------I:allow
+> user:42:-----------Co-:f-i---I:allow
+> user:42:r-x-----------:f-i---I:allow
+> group:42:-w--D---------:------I:deny
+> owner@:------aARWcCos:-------:allow
+> group@:rwxp--a-R-c--s:-------:allow
+> everyone@:------a-R-c--s:-------:allow
+
+# There is some complication regarding how write_acl and write_owner flags
+# get inherited. Make sure we got it right.
+$ setfacl -b .
+$ setfacl -a0 u:42:Co:f:allow .
+$ setfacl -a0 u:43:Co:d:allow .
+$ setfacl -a0 u:44:Co:fd:allow .
+$ setfacl -a0 u:45:Co:fi:allow .
+$ setfacl -a0 u:46:Co:di:allow .
+$ setfacl -a0 u:47:Co:fdi:allow .
+$ setfacl -a0 u:48:Co:fn:allow .
+$ setfacl -a0 u:49:Co:dn:allow .
+$ setfacl -a0 u:50:Co:fdn:allow .
+$ setfacl -a0 u:51:Co:fni:allow .
+$ setfacl -a0 u:52:Co:dni:allow .
+$ setfacl -a0 u:53:Co:fdni:allow .
+$ umask 022
+$ rm xxx
+$ touch xxx
+$ getfacl -nq xxx
+> user:53:--------------:------I:allow
+> user:51:--------------:------I:allow
+> user:50:--------------:------I:allow
+> user:48:--------------:------I:allow
+> user:47:--------------:------I:allow
+> user:45:--------------:------I:allow
+> user:44:--------------:------I:allow
+> user:42:--------------:------I:allow
+> owner@:rw-p--aARWcCos:-------:allow
+> group@:r-----a-R-c--s:-------:allow
+> everyone@:r-----a-R-c--s:-------:allow
+
+$ rmdir yyy
+$ mkdir yyy
+$ getfacl -nq yyy
+> user:53:--------------:------I:allow
+> user:52:--------------:------I:allow
+> user:50:--------------:------I:allow
+> user:49:--------------:------I:allow
+> user:47:--------------:fd----I:allow
+> user:46:--------------:-d----I:allow
+> user:45:-----------Co-:f-i---I:allow
+> user:44:--------------:fd----I:allow
+> user:43:--------------:-d----I:allow
+> user:42:-----------Co-:f-i---I:allow
+> owner@:rwxp--aARWcCos:-------:allow
+> group@:r-x---a-R-c--s:-------:allow
+> everyone@:r-x---a-R-c--s:-------:allow
+
+$ setfacl -b .
+$ setfacl -a0 u:42:Co:f:deny .
+$ setfacl -a0 u:43:Co:d:deny .
+$ setfacl -a0 u:44:Co:fd:deny .
+$ setfacl -a0 u:45:Co:fi:deny .
+$ setfacl -a0 u:46:Co:di:deny .
+$ setfacl -a0 u:47:Co:fdi:deny .
+$ setfacl -a0 u:48:Co:fn:deny .
+$ setfacl -a0 u:49:Co:dn:deny .
+$ setfacl -a0 u:50:Co:fdn:deny .
+$ setfacl -a0 u:51:Co:fni:deny .
+$ setfacl -a0 u:52:Co:dni:deny .
+$ setfacl -a0 u:53:Co:fdni:deny .
+$ umask 022
+$ rm xxx
+$ touch xxx
+$ getfacl -nq xxx
+> user:53:-----------Co-:------I:deny
+> user:51:-----------Co-:------I:deny
+> user:50:-----------Co-:------I:deny
+> user:48:-----------Co-:------I:deny
+> user:47:-----------Co-:------I:deny
+> user:45:-----------Co-:------I:deny
+> user:44:-----------Co-:------I:deny
+> user:42:-----------Co-:------I:deny
+> owner@:rw-p--aARWcCos:-------:allow
+> group@:r-----a-R-c--s:-------:allow
+> everyone@:r-----a-R-c--s:-------:allow
+
+$ rmdir yyy
+$ mkdir yyy
+$ getfacl -nq yyy
+> user:53:-----------Co-:------I:deny
+> user:52:-----------Co-:------I:deny
+> user:50:-----------Co-:------I:deny
+> user:49:-----------Co-:------I:deny
+> user:47:-----------Co-:fd----I:deny
+> user:46:-----------Co-:-d----I:deny
+> user:45:-----------Co-:f-i---I:deny
+> user:44:-----------Co-:fd----I:deny
+> user:43:-----------Co-:-d----I:deny
+> user:42:-----------Co-:f-i---I:deny
+> owner@:rwxp--aARWcCos:-------:allow
+> group@:r-x---a-R-c--s:-------:allow
+> everyone@:r-x---a-R-c--s:-------:allow
+
+$ rmdir yyy
+$ rm xxx
+$ cd ..
+$ rmdir ddd
+
+$ rm xxx
+
diff --git a/tests/sys/acl/tools-nfs4-trivial.test b/tests/sys/acl/tools-nfs4-trivial.test
new file mode 100644
index 0000000..366b099
--- /dev/null
+++ b/tests/sys/acl/tools-nfs4-trivial.test
@@ -0,0 +1,82 @@
+# Copyright (c) 2011 Edward Tomasz Napierała <trasz@FreeBSD.org>
+# All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+# 1. Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+# 2. Redistributions in binary form must reproduce the above copyright
+# notice, this list of conditions and the following disclaimer in the
+# documentation and/or other materials provided with the distribution.
+#
+# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+# SUCH DAMAGE.
+#
+# $FreeBSD$
+#
+
+# This is a tools-level test for acl_is_trivial_np(3). Run it as root on ZFS.
+# Note that this does not work on UFS with NFSv4 ACLs enabled - UFS recognizes
+# both kind of trivial ACLs and replaces it by the default one.
+#
+# WARNING: Creates files in unsafe way.
+
+$ whoami
+> root
+$ umask 022
+
+# Check whether ls(1) correctly recognizes PSARC/2010/029-style trivial ACLs.
+$ touch xxx
+
+$ ls -l xxx | cut -d' ' -f1
+> -rw-r--r--
+
+$ getfacl -q xxx
+> owner@:rw-p--aARWcCos:-------:allow
+> group@:r-----a-R-c--s:-------:allow
+> everyone@:r-----a-R-c--s:-------:allow
+
+# Check whether ls(1) correctly recognizes draft-style trivial ACLs.
+$ rm xxx
+$ touch xxx
+$ setfacl -a0 owner@:x:deny,owner@:rwpAWCo:allow,group@:wxp:deny,group@:r:allow,everyone@:wxpAWCo:deny,everyone@:raRcs:allow xxx
+$ setfacl -x5 xxx
+$ setfacl -x5 xxx
+$ setfacl -x5 xxx
+
+$ ls -l xxx | cut -d' ' -f1
+> -rw-r--r--
+
+$ getfacl -q xxx
+> owner@:--x-----------:-------:deny
+> owner@:rw-p---A-W-Co-:-------:allow
+> group@:-wxp----------:-------:deny
+> group@:r-------------:-------:allow
+> everyone@:-wxp---A-W-Co-:-------:deny
+> everyone@:r-----a-R-c--s:-------:allow
+
+# Make sure ls(1) actually can recognize something as non-trivial.
+$ setfacl -x0 xxx
+
+$ ls -l xxx | cut -d' ' -f1
+> -rw-r--r--+
+
+$ getfacl -q xxx
+> owner@:rw-p---A-W-Co-:-------:allow
+> group@:-wxp----------:-------:deny
+> group@:r-------------:-------:allow
+> everyone@:-wxp---A-W-Co-:-------:deny
+> everyone@:r-----a-R-c--s:-------:allow
+
+$ rm xxx
+
diff --git a/tests/sys/acl/tools-nfs4.test b/tests/sys/acl/tools-nfs4.test
new file mode 100644
index 0000000..e2ddc2b
--- /dev/null
+++ b/tests/sys/acl/tools-nfs4.test
@@ -0,0 +1,828 @@
+# Copyright (c) 2008, 2009 Edward Tomasz Napierała <trasz@FreeBSD.org>
+# All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+# 1. Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+# 2. Redistributions in binary form must reproduce the above copyright
+# notice, this list of conditions and the following disclaimer in the
+# documentation and/or other materials provided with the distribution.
+#
+# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+# SUCH DAMAGE.
+#
+# $FreeBSD$
+#
+
+# This is a tools-level test for NFSv4 ACL functionality. Run it as root
+# using ACL-enabled kernel:
+#
+# /usr/src/tools/regression/acltools/run /usr/src/tools/regression/acltools/tools-nfs4.test
+#
+# WARNING: Creates files in unsafe way.
+
+$ whoami
+> root
+$ umask 022
+
+# Smoke test for getfacl(1).
+$ touch xxx
+$ getfacl xxx
+> # file: xxx
+> # owner: root
+> # group: wheel
+> owner@:--x-----------:-------:deny
+> owner@:rw-p---A-W-Co-:-------:allow
+> group@:-wxp----------:-------:deny
+> group@:r-------------:-------:allow
+> everyone@:-wxp---A-W-Co-:-------:deny
+> everyone@:r-----a-R-c--s:-------:allow
+
+$ getfacl -q xxx
+> owner@:--x-----------:-------:deny
+> owner@:rw-p---A-W-Co-:-------:allow
+> group@:-wxp----------:-------:deny
+> group@:r-------------:-------:allow
+> everyone@:-wxp---A-W-Co-:-------:deny
+> everyone@:r-----a-R-c--s:-------:allow
+
+# Check verbose mode formatting.
+$ getfacl -v xxx
+> # file: xxx
+> # owner: root
+> # group: wheel
+> owner@:execute::deny
+> owner@:read_data/write_data/append_data/write_attributes/write_xattr/write_acl/write_owner::allow
+> group@:write_data/execute/append_data::deny
+> group@:read_data::allow
+> everyone@:write_data/execute/append_data/write_attributes/write_xattr/write_acl/write_owner::deny
+> everyone@:read_data/read_attributes/read_xattr/read_acl/synchronize::allow
+
+# Test setfacl -a.
+$ setfacl -a2 u:0:write_acl:allow,g:1:read_acl:deny xxx
+$ getfacl -n xxx
+> # file: xxx
+> # owner: root
+> # group: wheel
+> owner@:--x-----------:-------:deny
+> owner@:rw-p---A-W-Co-:-------:allow
+> user:0:-----------C--:-------:allow
+> group:1:----------c---:-------:deny
+> group@:-wxp----------:-------:deny
+> group@:r-------------:-------:allow
+> everyone@:-wxp---A-W-Co-:-------:deny
+> everyone@:r-----a-R-c--s:-------:allow
+
+# Test user and group name resolving.
+$ rm xxx
+$ touch xxx
+$ setfacl -a2 u:root:write_acl:allow,g:daemon:read_acl:deny xxx
+$ getfacl xxx
+> # file: xxx
+> # owner: root
+> # group: wheel
+> owner@:--x-----------:-------:deny
+> owner@:rw-p---A-W-Co-:-------:allow
+> user:root:-----------C--:-------:allow
+> group:daemon:----------c---:-------:deny
+> group@:-wxp----------:-------:deny
+> group@:r-------------:-------:allow
+> everyone@:-wxp---A-W-Co-:-------:deny
+> everyone@:r-----a-R-c--s:-------:allow
+
+# Check whether ls correctly marks files with "+".
+$ ls -l xxx | cut -d' ' -f1
+> -rw-r--r--+
+
+# Test removing entries by number.
+$ setfacl -x 4 xxx
+$ setfacl -x 4 xxx
+$ getfacl -n xxx
+> # file: xxx
+> # owner: root
+> # group: wheel
+> owner@:--x-----------:-------:deny
+> owner@:rw-p---A-W-Co-:-------:allow
+> user:0:-----------C--:-------:allow
+> group:1:----------c---:-------:deny
+> everyone@:-wxp---A-W-Co-:-------:deny
+> everyone@:r-----a-R-c--s:-------:allow
+
+# Test setfacl -m.
+$ setfacl -a0 everyone@:rwx:deny xxx
+$ setfacl -a0 everyone@:rwx:deny xxx
+$ setfacl -a0 everyone@:rwx:deny xxx
+$ setfacl -m everyone@::deny xxx
+$ getfacl -n xxx
+> # file: xxx
+> # owner: root
+> # group: wheel
+> everyone@:--------------:-------:deny
+> everyone@:--------------:-------:deny
+> everyone@:--------------:-------:deny
+> owner@:--x-----------:-------:deny
+> owner@:rw-p---A-W-Co-:-------:allow
+> user:0:-----------C--:-------:allow
+> group:1:----------c---:-------:deny
+> everyone@:--------------:-------:deny
+> everyone@:r-----a-R-c--s:-------:allow
+
+# Test getfacl -i.
+$ getfacl -i xxx
+> # file: xxx
+> # owner: root
+> # group: wheel
+> everyone@:--------------:-------:deny
+> everyone@:--------------:-------:deny
+> everyone@:--------------:-------:deny
+> owner@:--x-----------:-------:deny
+> owner@:rw-p---A-W-Co-:-------:allow
+> user:root:-----------C--:-------:allow:0
+> group:daemon:----------c---:-------:deny:1
+> everyone@:--------------:-------:deny
+> everyone@:r-----a-R-c--s:-------:allow
+
+# Make sure cp without any flags does not copy copy the ACL.
+$ cp xxx yyy
+$ ls -l yyy | cut -d' ' -f1
+> -rw-r--r--
+
+# Make sure it does with the "-p" flag.
+$ rm yyy
+$ cp -p xxx yyy
+$ getfacl -n yyy
+> # file: yyy
+> # owner: root
+> # group: wheel
+> everyone@:--------------:-------:deny
+> everyone@:--------------:-------:deny
+> everyone@:--------------:-------:deny
+> owner@:--x-----------:-------:deny
+> owner@:rw-p---A-W-Co-:-------:allow
+> user:0:-----------C--:-------:allow
+> group:1:----------c---:-------:deny
+> everyone@:--------------:-------:deny
+> everyone@:r-----a-R-c--s:-------:allow
+
+$ rm yyy
+
+# Test removing entries by... by example?
+$ setfacl -x everyone@::deny xxx
+$ getfacl -n xxx
+> # file: xxx
+> # owner: root
+> # group: wheel
+> owner@:--x-----------:-------:deny
+> owner@:rw-p---A-W-Co-:-------:allow
+> user:0:-----------C--:-------:allow
+> group:1:----------c---:-------:deny
+> everyone@:r-----a-R-c--s:-------:allow
+
+# Test setfacl -b.
+$ setfacl -b xxx
+$ getfacl -n xxx
+> # file: xxx
+> # owner: root
+> # group: wheel
+> owner@:--x-----------:-------:deny
+> owner@:rw-p---A-W-Co-:-------:allow
+> group@:-wxp----------:-------:deny
+> group@:r-------------:-------:allow
+> everyone@:-wxp---A-W-Co-:-------:deny
+> everyone@:r-----a-R-c--s:-------:allow
+
+$ ls -l xxx | cut -d' ' -f1
+> -rw-r--r--
+
+# Check setfacl(1) and getfacl(1) with multiple files.
+$ touch xxx yyy zzz
+
+$ ls -l xxx yyy zzz | cut -d' ' -f1
+> -rw-r--r--
+> -rw-r--r--
+> -rw-r--r--
+
+$ setfacl -m u:42:x:allow,g:43:w:allow nnn xxx yyy zzz
+> setfacl: nnn: stat() failed: No such file or directory
+
+$ ls -l nnn xxx yyy zzz | cut -d' ' -f1
+> ls: nnn: No such file or directory
+> -rw-r--r--+
+> -rw-r--r--+
+> -rw-r--r--+
+
+$ getfacl -nq nnn xxx yyy zzz
+> getfacl: nnn: stat() failed: No such file or directory
+> user:42:--x-----------:-------:allow
+> group:43:-w------------:-------:allow
+> owner@:--x-----------:-------:deny
+> owner@:rw-p---A-W-Co-:-------:allow
+> group@:-wxp----------:-------:deny
+> group@:r-------------:-------:allow
+> everyone@:-wxp---A-W-Co-:-------:deny
+> everyone@:r-----a-R-c--s:-------:allow
+>
+> user:42:--x-----------:-------:allow
+> group:43:-w------------:-------:allow
+> owner@:--x-----------:-------:deny
+> owner@:rw-p---A-W-Co-:-------:allow
+> group@:-wxp----------:-------:deny
+> group@:r-------------:-------:allow
+> everyone@:-wxp---A-W-Co-:-------:deny
+> everyone@:r-----a-R-c--s:-------:allow
+>
+> user:42:--x-----------:-------:allow
+> group:43:-w------------:-------:allow
+> owner@:--x-----------:-------:deny
+> owner@:rw-p---A-W-Co-:-------:allow
+> group@:-wxp----------:-------:deny
+> group@:r-------------:-------:allow
+> everyone@:-wxp---A-W-Co-:-------:deny
+> everyone@:r-----a-R-c--s:-------:allow
+
+$ setfacl -b nnn xxx yyy zzz
+> setfacl: nnn: stat() failed: No such file or directory
+
+$ ls -l nnn xxx yyy zzz | cut -d' ' -f1
+> ls: nnn: No such file or directory
+> -rw-r--r--
+> -rw-r--r--
+> -rw-r--r--
+
+$ rm xxx yyy zzz
+
+# Test applying mode to an ACL.
+$ touch xxx
+$ setfacl -a0 user:42:r:allow,user:43:w:deny,user:43:w:allow,user:44:x:allow -x everyone@::allow xxx
+$ chmod 600 xxx
+$ getfacl -n xxx
+> # file: xxx
+> # owner: root
+> # group: wheel
+> user:42:r-------------:-------:deny
+> user:42:r-------------:-------:allow
+> user:43:-w------------:-------:deny
+> user:43:-w------------:-------:allow
+> user:44:--x-----------:-------:deny
+> user:44:--x-----------:-------:allow
+> owner@:--------------:-------:deny
+> owner@:-------A-W-Co-:-------:allow
+> group@:--------------:-------:deny
+> group@:--------------:-------:allow
+> everyone@:-------A-W-Co-:-------:deny
+> owner@:--x-----------:-------:deny
+> owner@:rw-p---A-W-Co-:-------:allow
+> group@:rwxp----------:-------:deny
+> group@:--------------:-------:allow
+> everyone@:rwxp---A-W-Co-:-------:deny
+> everyone@:------a-R-c--s:-------:allow
+$ ls -l xxx | cut -d' ' -f1
+> -rw-------+
+
+$ rm xxx
+$ touch xxx
+$ chown 42 xxx
+$ setfacl -a0 user:42:r:allow,user:43:w:deny,user:43:w:allow,user:44:x:allow xxx
+$ chmod 600 xxx
+$ getfacl -n xxx
+> # file: xxx
+> # owner: 42
+> # group: wheel
+> user:42:--------------:-------:deny
+> user:42:r-------------:-------:allow
+> user:43:-w------------:-------:deny
+> user:43:-w------------:-------:allow
+> user:44:--x-----------:-------:deny
+> user:44:--x-----------:-------:allow
+> owner@:--x-----------:-------:deny
+> owner@:rw-p---A-W-Co-:-------:allow
+> group@:rwxp----------:-------:deny
+> group@:--------------:-------:allow
+> everyone@:rwxp---A-W-Co-:-------:deny
+> everyone@:------a-R-c--s:-------:allow
+$ ls -l xxx | cut -d' ' -f1
+> -rw-------+
+
+$ rm xxx
+$ touch xxx
+$ chown 43 xxx
+$ setfacl -a0 user:42:r:allow,user:43:w:deny,user:43:w:allow,user:44:x:allow xxx
+$ chmod 124 xxx
+$ getfacl -n xxx
+> # file: xxx
+> # owner: 43
+> # group: wheel
+> user:42:r-------------:-------:deny
+> user:42:r-------------:-------:allow
+> user:43:-w------------:-------:deny
+> user:43:-w------------:-------:allow
+> user:44:--x-----------:-------:deny
+> user:44:--x-----------:-------:allow
+> owner@:rw-p----------:-------:deny
+> owner@:--x----A-W-Co-:-------:allow
+> group@:r-x-----------:-------:deny
+> group@:-w-p----------:-------:allow
+> everyone@:-wxp---A-W-Co-:-------:deny
+> everyone@:r-----a-R-c--s:-------:allow
+$ ls -l xxx | cut -d' ' -f1
+> ---x-w-r--+
+
+$ rm xxx
+$ touch xxx
+$ chown 43 xxx
+$ setfacl -a0 user:42:r:allow,user:43:w:deny,user:43:w:allow,user:44:x:allow xxx
+$ chmod 412 xxx
+$ getfacl -n xxx
+> # file: xxx
+> # owner: 43
+> # group: wheel
+> user:42:r-------------:-------:deny
+> user:42:r-------------:-------:allow
+> user:43:-w------------:-------:deny
+> user:43:-w------------:-------:allow
+> user:44:--------------:-------:deny
+> user:44:--x-----------:-------:allow
+> owner@:-wxp----------:-------:deny
+> owner@:r------A-W-Co-:-------:allow
+> group@:rw-p----------:-------:deny
+> group@:--x-----------:-------:allow
+> everyone@:r-x----A-W-Co-:-------:deny
+> everyone@:-w-p--a-R-c--s:-------:allow
+$ ls -l xxx | cut -d' ' -f1
+> -r----x-w-+
+
+$ mkdir ddd
+$ setfacl -a0 group:44:rwapd:allow ddd
+$ setfacl -a0 group:43:write_data/delete_child:d:deny,group@:ad:allow ddd
+$ setfacl -a0 user:42:rx:fi:allow,group:42:write_data/delete_child:d:allow ddd
+$ setfacl -m everyone@:-w-p--a-R-c--s:fi:allow ddd
+$ getfacl -n ddd
+> # file: ddd
+> # owner: root
+> # group: wheel
+> user:42:r-x-----------:f-i----:allow
+> group:42:-w--D---------:-d-----:allow
+> group:43:-w--D---------:-d-----:deny
+> group@:-----da-------:-------:allow
+> group:44:rw-p-da-------:-------:allow
+> owner@:--------------:-------:deny
+> owner@:rwxp---A-W-Co-:-------:allow
+> group@:-w-p----------:-------:deny
+> group@:r-x-----------:-------:allow
+> everyone@:-w-p---A-W-Co-:-------:deny
+> everyone@:-w-p--a-R-c--s:f-i----:allow
+$ chmod 777 ddd
+$ getfacl -n ddd
+> # file: ddd
+> # owner: root
+> # group: wheel
+> user:42:r-x-----------:f-i----:allow
+> group:42:-w--D---------:-di----:allow
+> group:42:--------------:-------:deny
+> group:42:-w--D---------:-------:allow
+> group:43:-w--D---------:-di----:deny
+> group:43:-w--D---------:-------:deny
+> group@:-----da-------:-------:allow
+> group:44:--------------:-------:deny
+> group:44:rw-p-da-------:-------:allow
+> owner@:--------------:-------:deny
+> owner@:-------A-W-Co-:-------:allow
+> group@:--------------:-------:deny
+> group@:--------------:-------:allow
+> everyone@:-------A-W-Co-:-------:deny
+> everyone@:-w-p--a-R-c--s:f-i----:allow
+> owner@:--------------:-------:deny
+> owner@:rwxp---A-W-Co-:-------:allow
+> group@:--------------:-------:deny
+> group@:rwxp----------:-------:allow
+> everyone@:-------A-W-Co-:-------:deny
+> everyone@:rwxp--a-R-c--s:-------:allow
+
+$ rmdir ddd
+$ mkdir ddd
+$ setfacl -a0 group:44:rwapd:allow ddd
+$ setfacl -a0 group:43:write_data/delete_child:d:deny,group@:ad:allow ddd
+$ setfacl -a0 user:42:rx:fi:allow,group:42:write_data/delete_child:d:allow ddd
+$ setfacl -m everyone@:-w-p--a-R-c--s:fi:allow ddd
+$ chmod 124 ddd
+$ getfacl -n ddd
+> # file: ddd
+> # owner: root
+> # group: wheel
+> user:42:r-x-----------:f-i----:allow
+> group:42:-w--D---------:-di----:allow
+> group:42:--------------:-------:deny
+> group:42:----D---------:-------:allow
+> group:43:-w--D---------:-di----:deny
+> group:43:-w--D---------:-------:deny
+> group@:-----da-------:-------:allow
+> group:44:r-------------:-------:deny
+> group:44:r----da-------:-------:allow
+> owner@:--------------:-------:deny
+> owner@:-------A-W-Co-:-------:allow
+> group@:--------------:-------:deny
+> group@:--------------:-------:allow
+> everyone@:-------A-W-Co-:-------:deny
+> everyone@:-w-p--a-R-c--s:f-i----:allow
+> owner@:rw-p----------:-------:deny
+> owner@:--x----A-W-Co-:-------:allow
+> group@:r-x-----------:-------:deny
+> group@:-w-p----------:-------:allow
+> everyone@:-wxp---A-W-Co-:-------:deny
+> everyone@:r-----a-R-c--s:-------:allow
+
+$ rmdir ddd
+$ mkdir ddd
+$ setfacl -a0 group:44:rwapd:allow ddd
+$ setfacl -a0 group:43:write_data/delete_child:d:deny,group@:ad:allow ddd
+$ setfacl -a0 user:42:rx:allow,user:42:rx:fi:allow,group:42:write_data/delete_child:d:allow ddd
+$ setfacl -m everyone@:-w-p--a-R-c--s:fi:allow ddd
+$ chmod 412 ddd
+$ getfacl -n ddd
+> # file: ddd
+> # owner: root
+> # group: wheel
+> user:42:r-------------:-------:deny
+> user:42:r-x-----------:-------:allow
+> user:42:r-x-----------:f-i----:allow
+> group:42:-w--D---------:-di----:allow
+> group:42:-w------------:-------:deny
+> group:42:-w--D---------:-------:allow
+> group:43:-w--D---------:-di----:deny
+> group:43:-w--D---------:-------:deny
+> group@:-----da-------:-------:allow
+> group:44:rw-p----------:-------:deny
+> group:44:rw-p-da-------:-------:allow
+> owner@:--------------:-------:deny
+> owner@:-------A-W-Co-:-------:allow
+> group@:--------------:-------:deny
+> group@:--------------:-------:allow
+> everyone@:-------A-W-Co-:-------:deny
+> everyone@:-w-p--a-R-c--s:f-i----:allow
+> owner@:-wxp----------:-------:deny
+> owner@:r------A-W-Co-:-------:allow
+> group@:rw-p----------:-------:deny
+> group@:--x-----------:-------:allow
+> everyone@:r-x----A-W-Co-:-------:deny
+> everyone@:-w-p--a-R-c--s:-------:allow
+
+$ rmdir ddd
+$ mkdir ddd
+$ setfacl -a0 group:44:rwapd:allow ddd
+$ setfacl -a0 group:43:write_data/delete_child:d:deny,group@:ad:allow ddd
+$ setfacl -a0 user:42:rx:allow,user:42:rx:fi:allow,group:42:write_data/delete_child:d:allow ddd
+$ setfacl -m everyone@:-w-p--a-R-c--s:fi:allow ddd
+$ chown 42 ddd
+$ chmod 412 ddd
+$ getfacl -n ddd
+> # file: ddd
+> # owner: 42
+> # group: wheel
+> user:42:--x-----------:-------:deny
+> user:42:r-x-----------:-------:allow
+> user:42:r-x-----------:f-i----:allow
+> group:42:-w--D---------:-di----:allow
+> group:42:-w------------:-------:deny
+> group:42:-w--D---------:-------:allow
+> group:43:-w--D---------:-di----:deny
+> group:43:-w--D---------:-------:deny
+> group@:-----da-------:-------:allow
+> group:44:rw-p----------:-------:deny
+> group:44:rw-p-da-------:-------:allow
+> owner@:--------------:-------:deny
+> owner@:-------A-W-Co-:-------:allow
+> group@:--------------:-------:deny
+> group@:--------------:-------:allow
+> everyone@:-------A-W-Co-:-------:deny
+> everyone@:-w-p--a-R-c--s:f-i----:allow
+> owner@:-wxp----------:-------:deny
+> owner@:r------A-W-Co-:-------:allow
+> group@:rw-p----------:-------:deny
+> group@:--x-----------:-------:allow
+> everyone@:r-x----A-W-Co-:-------:deny
+> everyone@:-w-p--a-R-c--s:-------:allow
+
+# Test applying ACL to mode.
+$ rmdir ddd
+$ mkdir ddd
+$ setfacl -a0 u:42:rwx:fi:allow ddd
+$ ls -ld ddd | cut -d' ' -f1
+> drwxr-xr-x+
+
+$ rmdir ddd
+$ mkdir ddd
+$ chmod 0 ddd
+$ setfacl -a0 owner@:r:allow,group@:w:deny,group@:wx:allow ddd
+$ ls -ld ddd | cut -d' ' -f1
+> dr----x---+
+
+$ rmdir ddd
+$ mkdir ddd
+$ chmod 0 ddd
+$ setfacl -a0 owner@:r:allow,group@:w:fi:deny,group@:wx:allow ddd
+$ ls -ld ddd | cut -d' ' -f1
+> dr---wx---+
+
+$ rmdir ddd
+$ mkdir ddd
+$ chmod 0 ddd
+$ setfacl -a0 owner@:r:allow,group:43:w:deny,group:43:wx:allow ddd
+$ ls -ld ddd | cut -d' ' -f1
+> dr--------+
+
+$ rmdir ddd
+$ mkdir ddd
+$ chmod 0 ddd
+$ setfacl -a0 owner@:r:allow,user:43:w:deny,user:43:wx:allow ddd
+$ ls -ld ddd | cut -d' ' -f1
+> dr--------+
+
+# Test inheritance.
+$ rmdir ddd
+$ mkdir ddd
+$ setfacl -a0 group:43:write_data/write_acl:fin:deny,u:43:rwxp:allow ddd
+$ setfacl -a0 user:42:rx:fi:allow,group:42:write_data/delete_child:dn:deny ddd
+$ setfacl -a0 user:42:write_acl/write_owner:fi:allow ddd
+$ setfacl -a0 group:41:read_data/read_attributes:dni:allow ddd
+$ setfacl -a0 user:41:write_data/write_attributes:fn:allow ddd
+$ getfacl -qn ddd
+> user:41:-w-----A------:f--n---:allow
+> group:41:r-----a-------:-din---:allow
+> user:42:-----------Co-:f-i----:allow
+> user:42:r-x-----------:f-i----:allow
+> group:42:-w--D---------:-d-n---:deny
+> group:43:-w---------C--:f-in---:deny
+> user:43:rwxp----------:-------:allow
+> owner@:--------------:-------:deny
+> owner@:rwxp---A-W-Co-:-------:allow
+> group@:-w-p----------:-------:deny
+> group@:r-x-----------:-------:allow
+> everyone@:-w-p---A-W-Co-:-------:deny
+> everyone@:r-x---a-R-c--s:-------:allow
+
+$ cd ddd
+$ touch xxx
+$ getfacl -qn xxx
+> user:41:-w------------:-------:deny
+> user:41:-w-----A------:-------:allow
+> user:42:--------------:-------:deny
+> user:42:--------------:-------:allow
+> user:42:--x-----------:-------:deny
+> user:42:r-x-----------:-------:allow
+> group:43:-w---------C--:-------:deny
+> owner@:--x-----------:-------:deny
+> owner@:rw-p---A-W-Co-:-------:allow
+> group@:-wxp----------:-------:deny
+> group@:r-------------:-------:allow
+> everyone@:-wxp---A-W-Co-:-------:deny
+> everyone@:r-----a-R-c--s:-------:allow
+
+$ rm xxx
+$ umask 077
+$ touch xxx
+$ getfacl -qn xxx
+> user:41:-w------------:-------:deny
+> user:41:-w-----A------:-------:allow
+> user:42:--------------:-------:deny
+> user:42:--------------:-------:allow
+> user:42:r-x-----------:-------:deny
+> user:42:r-x-----------:-------:allow
+> group:43:-w---------C--:-------:deny
+> owner@:--x-----------:-------:deny
+> owner@:rw-p---A-W-Co-:-------:allow
+> group@:rwxp----------:-------:deny
+> group@:--------------:-------:allow
+> everyone@:rwxp---A-W-Co-:-------:deny
+> everyone@:------a-R-c--s:-------:allow
+
+$ rm xxx
+$ umask 770
+$ touch xxx
+$ getfacl -qn xxx
+> user:41:-w------------:-------:deny
+> user:41:-w-----A------:-------:allow
+> user:42:--------------:-------:deny
+> user:42:--------------:-------:allow
+> user:42:r-x-----------:-------:deny
+> user:42:r-x-----------:-------:allow
+> group:43:-w---------C--:-------:deny
+> owner@:rwxp----------:-------:deny
+> owner@:-------A-W-Co-:-------:allow
+> group@:rwxp----------:-------:deny
+> group@:--------------:-------:allow
+> everyone@:--x----A-W-Co-:-------:deny
+> everyone@:rw-p--a-R-c--s:-------:allow
+
+$ rm xxx
+$ umask 707
+$ touch xxx
+$ getfacl -qn xxx
+> user:41:--------------:-------:deny
+> user:41:-w-----A------:-------:allow
+> user:42:--------------:-------:deny
+> user:42:--------------:-------:allow
+> user:42:--x-----------:-------:deny
+> user:42:r-x-----------:-------:allow
+> group:43:-w---------C--:-------:deny
+> owner@:rwxp----------:-------:deny
+> owner@:-------A-W-Co-:-------:allow
+> group@:--x-----------:-------:deny
+> group@:rw-p----------:-------:allow
+> everyone@:rwxp---A-W-Co-:-------:deny
+> everyone@:------a-R-c--s:-------:allow
+
+$ umask 077
+$ mkdir yyy
+$ getfacl -qn yyy
+> group:41:r-------------:-------:deny
+> group:41:r-----a-------:-------:allow
+> user:42:-----------Co-:f-i----:allow
+> user:42:r-x-----------:f-i----:allow
+> group:42:-w--D---------:-------:deny
+> owner@:--------------:-------:deny
+> owner@:rwxp---A-W-Co-:-------:allow
+> group@:rwxp----------:-------:deny
+> group@:--------------:-------:allow
+> everyone@:rwxp---A-W-Co-:-------:deny
+> everyone@:------a-R-c--s:-------:allow
+
+$ rmdir yyy
+$ umask 770
+$ mkdir yyy
+$ getfacl -qn yyy
+> group:41:r-------------:-------:deny
+> group:41:r-----a-------:-------:allow
+> user:42:-----------Co-:f-i----:allow
+> user:42:r-x-----------:f-i----:allow
+> group:42:-w--D---------:-------:deny
+> owner@:rwxp----------:-------:deny
+> owner@:-------A-W-Co-:-------:allow
+> group@:rwxp----------:-------:deny
+> group@:--------------:-------:allow
+> everyone@:-------A-W-Co-:-------:deny
+> everyone@:rwxp--a-R-c--s:-------:allow
+
+$ rmdir yyy
+$ umask 707
+$ mkdir yyy
+$ getfacl -qn yyy
+> group:41:--------------:-------:deny
+> group:41:------a-------:-------:allow
+> user:42:-----------Co-:f-i----:allow
+> user:42:r-x-----------:f-i----:allow
+> group:42:-w--D---------:-------:deny
+> owner@:rwxp----------:-------:deny
+> owner@:-------A-W-Co-:-------:allow
+> group@:--------------:-------:deny
+> group@:rwxp----------:-------:allow
+> everyone@:rwxp---A-W-Co-:-------:deny
+> everyone@:------a-R-c--s:-------:allow
+
+# There is some complication regarding how write_acl and write_owner flags
+# get inherited. Make sure we got it right.
+$ setfacl -b .
+$ setfacl -a0 u:42:Co:f:allow .
+$ setfacl -a0 u:43:Co:d:allow .
+$ setfacl -a0 u:44:Co:fd:allow .
+$ setfacl -a0 u:45:Co:fi:allow .
+$ setfacl -a0 u:46:Co:di:allow .
+$ setfacl -a0 u:47:Co:fdi:allow .
+$ setfacl -a0 u:48:Co:fn:allow .
+$ setfacl -a0 u:49:Co:dn:allow .
+$ setfacl -a0 u:50:Co:fdn:allow .
+$ setfacl -a0 u:51:Co:fni:allow .
+$ setfacl -a0 u:52:Co:dni:allow .
+$ setfacl -a0 u:53:Co:fdni:allow .
+$ umask 022
+$ rm xxx
+$ touch xxx
+$ getfacl -nq xxx
+> user:53:--------------:-------:deny
+> user:53:--------------:-------:allow
+> user:51:--------------:-------:deny
+> user:51:--------------:-------:allow
+> user:50:--------------:-------:deny
+> user:50:--------------:-------:allow
+> user:48:--------------:-------:deny
+> user:48:--------------:-------:allow
+> user:47:--------------:-------:deny
+> user:47:--------------:-------:allow
+> user:45:--------------:-------:deny
+> user:45:--------------:-------:allow
+> user:44:--------------:-------:deny
+> user:44:--------------:-------:allow
+> user:42:--------------:-------:deny
+> user:42:--------------:-------:allow
+> owner@:--x-----------:-------:deny
+> owner@:rw-p---A-W-Co-:-------:allow
+> group@:-wxp----------:-------:deny
+> group@:r-------------:-------:allow
+> everyone@:-wxp---A-W-Co-:-------:deny
+> everyone@:r-----a-R-c--s:-------:allow
+
+$ rmdir yyy
+$ mkdir yyy
+$ getfacl -nq yyy
+> user:53:--------------:-------:deny
+> user:53:--------------:-------:allow
+> user:52:--------------:-------:deny
+> user:52:--------------:-------:allow
+> user:50:--------------:-------:deny
+> user:50:--------------:-------:allow
+> user:49:--------------:-------:deny
+> user:49:--------------:-------:allow
+> user:47:-----------Co-:fdi----:allow
+> user:47:--------------:-------:deny
+> user:47:--------------:-------:allow
+> user:46:-----------Co-:-di----:allow
+> user:46:--------------:-------:deny
+> user:46:--------------:-------:allow
+> user:45:-----------Co-:f-i----:allow
+> user:44:-----------Co-:fdi----:allow
+> user:44:--------------:-------:deny
+> user:44:--------------:-------:allow
+> user:43:-----------Co-:-di----:allow
+> user:43:--------------:-------:deny
+> user:43:--------------:-------:allow
+> user:42:-----------Co-:f-i----:allow
+> owner@:--------------:-------:deny
+> owner@:rwxp---A-W-Co-:-------:allow
+> group@:-w-p----------:-------:deny
+> group@:r-x-----------:-------:allow
+> everyone@:-w-p---A-W-Co-:-------:deny
+> everyone@:r-x---a-R-c--s:-------:allow
+
+$ setfacl -b .
+$ setfacl -a0 u:42:Co:f:deny .
+$ setfacl -a0 u:43:Co:d:deny .
+$ setfacl -a0 u:44:Co:fd:deny .
+$ setfacl -a0 u:45:Co:fi:deny .
+$ setfacl -a0 u:46:Co:di:deny .
+$ setfacl -a0 u:47:Co:fdi:deny .
+$ setfacl -a0 u:48:Co:fn:deny .
+$ setfacl -a0 u:49:Co:dn:deny .
+$ setfacl -a0 u:50:Co:fdn:deny .
+$ setfacl -a0 u:51:Co:fni:deny .
+$ setfacl -a0 u:52:Co:dni:deny .
+$ setfacl -a0 u:53:Co:fdni:deny .
+$ umask 022
+$ rm xxx
+$ touch xxx
+$ getfacl -nq xxx
+> user:53:-----------Co-:-------:deny
+> user:51:-----------Co-:-------:deny
+> user:50:-----------Co-:-------:deny
+> user:48:-----------Co-:-------:deny
+> user:47:-----------Co-:-------:deny
+> user:45:-----------Co-:-------:deny
+> user:44:-----------Co-:-------:deny
+> user:42:-----------Co-:-------:deny
+> owner@:--x-----------:-------:deny
+> owner@:rw-p---A-W-Co-:-------:allow
+> group@:-wxp----------:-------:deny
+> group@:r-------------:-------:allow
+> everyone@:-wxp---A-W-Co-:-------:deny
+> everyone@:r-----a-R-c--s:-------:allow
+
+$ rmdir yyy
+$ mkdir yyy
+$ getfacl -nq yyy
+> user:53:-----------Co-:-------:deny
+> user:52:-----------Co-:-------:deny
+> user:50:-----------Co-:-------:deny
+> user:49:-----------Co-:-------:deny
+> user:47:-----------Co-:fdi----:deny
+> user:47:-----------Co-:-------:deny
+> user:46:-----------Co-:-di----:deny
+> user:46:-----------Co-:-------:deny
+> user:45:-----------Co-:f-i----:deny
+> user:44:-----------Co-:fdi----:deny
+> user:44:-----------Co-:-------:deny
+> user:43:-----------Co-:-di----:deny
+> user:43:-----------Co-:-------:deny
+> user:42:-----------Co-:f-i----:deny
+> owner@:--------------:-------:deny
+> owner@:rwxp---A-W-Co-:-------:allow
+> group@:-w-p----------:-------:deny
+> group@:r-x-----------:-------:allow
+> everyone@:-w-p---A-W-Co-:-------:deny
+> everyone@:r-x---a-R-c--s:-------:allow
+
+$ rmdir yyy
+$ rm xxx
+$ cd ..
+$ rmdir ddd
+
+$ rm xxx
+
diff --git a/tests/sys/acl/tools-posix.test b/tests/sys/acl/tools-posix.test
new file mode 100644
index 0000000..4741db3
--- /dev/null
+++ b/tests/sys/acl/tools-posix.test
@@ -0,0 +1,453 @@
+# Copyright (c) 2008, 2009 Edward Tomasz Napierała <trasz@FreeBSD.org>
+# All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+# 1. Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+# 2. Redistributions in binary form must reproduce the above copyright
+# notice, this list of conditions and the following disclaimer in the
+# documentation and/or other materials provided with the distribution.
+#
+# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+# SUCH DAMAGE.
+#
+# $FreeBSD$
+#
+
+# This is a tools-level test for POSIX.1e ACL functionality. Run it as root
+# using ACL-enabled kernel:
+#
+# /usr/src/tools/regression/acltools/run /usr/src/tools/regression/acltools/tools-posix.test
+#
+# WARNING: Creates files in unsafe way.
+
+$ whoami
+> root
+$ umask 022
+
+# Smoke test for getfacl(1).
+$ touch xxx
+$ getfacl -n xxx
+> # file: xxx
+> # owner: root
+> # group: wheel
+> user::rw-
+> group::r--
+> other::r--
+
+$ getfacl -q xxx
+> user::rw-
+> group::r--
+> other::r--
+
+$ setfacl -m u:42:r,g:43:w xxx
+$ getfacl -n xxx
+> # file: xxx
+> # owner: root
+> # group: wheel
+> user::rw-
+> user:42:r--
+> group::r--
+> group:43:-w-
+> mask::rw-
+> other::r--
+
+# Check whether ls correctly marks files with "+".
+$ ls -l xxx | cut -d' ' -f1
+> -rw-rw-r--+
+
+# Same as above, but for symlinks.
+$ ln -s xxx lll
+$ getfacl -h lll
+> # file: lll
+> # owner: root
+> # group: wheel
+> user::rwx
+> group::r-x
+> other::r-x
+
+$ getfacl -qh lll
+> user::rwx
+> group::r-x
+> other::r-x
+
+$ getfacl -q lll
+> user::rw-
+> user:42:r--
+> group::r--
+> group:43:-w-
+> mask::rw-
+> other::r--
+
+$ setfacl -hm u:44:x,g:45:w lll
+$ getfacl -h lll
+> # file: lll
+> # owner: root
+> # group: wheel
+> user::rwx
+> user:44:--x
+> group::r-x
+> group:45:-w-
+> mask::rwx
+> other::r-x
+
+$ ls -l lll | cut -d' ' -f1
+> lrwxrwxr-x+
+
+# Check whether the original file is left untouched.
+$ ls -l xxx | cut -d' ' -f1
+> -rw-rw-r--+
+
+$ rm lll
+
+# Test removing entries.
+$ setfacl -x user:42: xxx
+$ getfacl xxx
+> # file: xxx
+> # owner: root
+> # group: wheel
+> user::rw-
+> group::r--
+> group:43:-w-
+> mask::rw-
+> other::r--
+
+$ setfacl -m u:42:r xxx
+$ getfacl -n xxx
+> # file: xxx
+> # owner: root
+> # group: wheel
+> user::rw-
+> user:42:r--
+> group::r--
+> group:43:-w-
+> mask::rw-
+> other::r--
+
+# Test removing entries by number.
+$ setfacl -x 1 xxx
+$ getfacl -n xxx
+> # file: xxx
+> # owner: root
+> # group: wheel
+> user::rw-
+> group::r--
+> group:43:-w-
+> mask::rw-
+> other::r--
+
+$ setfacl -m g:43:r xxx
+$ getfacl -n xxx
+> # file: xxx
+> # owner: root
+> # group: wheel
+> user::rw-
+> group::r--
+> group:43:r--
+> mask::r--
+> other::r--
+
+# Make sure cp without any flags does not copy the ACL.
+$ cp xxx yyy
+$ ls -l yyy | cut -d' ' -f1
+> -rw-r--r--
+
+# Make sure it does with the "-p" flag.
+$ rm yyy
+$ cp -p xxx yyy
+$ getfacl -n yyy
+> # file: yyy
+> # owner: root
+> # group: wheel
+> user::rw-
+> group::r--
+> group:43:r--
+> mask::r--
+> other::r--
+
+$ rm yyy
+
+# Test removing entries by... by example?
+$ setfacl -m u:42:r,g:43:w xxx
+$ setfacl -x u:42: xxx
+$ getfacl -n xxx
+> # file: xxx
+> # owner: root
+> # group: wheel
+> user::rw-
+> group::r--
+> group:43:-w-
+> mask::rw-
+> other::r--
+
+# Test setfacl -b.
+$ setfacl -b xxx
+$ getfacl -n xxx
+> # file: xxx
+> # owner: root
+> # group: wheel
+> user::rw-
+> group::r--
+> mask::r--
+> other::r--
+
+$ ls -l xxx | cut -d' ' -f1
+> -rw-r--r--+
+
+$ setfacl -nb xxx
+$ getfacl -n xxx
+> # file: xxx
+> # owner: root
+> # group: wheel
+> user::rw-
+> group::r--
+> other::r--
+
+$ ls -l xxx | cut -d' ' -f1
+> -rw-r--r--
+
+# Check setfacl(1) and getfacl(1) with multiple files.
+$ touch xxx yyy zzz
+
+$ ls -l xxx yyy zzz | cut -d' ' -f1
+> -rw-r--r--
+> -rw-r--r--
+> -rw-r--r--
+
+$ setfacl -m u:42:x,g:43:w nnn xxx yyy zzz
+> setfacl: nnn: stat() failed: No such file or directory
+
+$ ls -l nnn xxx yyy zzz | cut -d' ' -f1
+> ls: nnn: No such file or directory
+> -rw-rwxr--+
+> -rw-rwxr--+
+> -rw-rwxr--+
+
+$ getfacl -nq nnn xxx yyy zzz
+> getfacl: nnn: stat() failed: No such file or directory
+> user::rw-
+> user:42:--x
+> group::r--
+> group:43:-w-
+> mask::rwx
+> other::r--
+>
+> user::rw-
+> user:42:--x
+> group::r--
+> group:43:-w-
+> mask::rwx
+> other::r--
+>
+> user::rw-
+> user:42:--x
+> group::r--
+> group:43:-w-
+> mask::rwx
+> other::r--
+
+$ setfacl -b nnn xxx yyy zzz
+> setfacl: nnn: stat() failed: No such file or directory
+
+$ ls -l nnn xxx yyy zzz | cut -d' ' -f1
+> ls: nnn: No such file or directory
+> -rw-r--r--+
+> -rw-r--r--+
+> -rw-r--r--+
+
+$ setfacl -bn nnn xxx yyy zzz
+> setfacl: nnn: stat() failed: No such file or directory
+
+$ ls -l nnn xxx yyy zzz | cut -d' ' -f1
+> ls: nnn: No such file or directory
+> -rw-r--r--
+> -rw-r--r--
+> -rw-r--r--
+
+$ rm xxx yyy zzz
+
+# Check whether chmod actually does what it should do.
+$ touch xxx
+$ setfacl -m u:42:rwx,g:43:rwx xxx
+$ chmod 600 xxx
+$ getfacl -n xxx
+> # file: xxx
+> # owner: root
+> # group: wheel
+> user::rw-
+> user:42:rwx # effective: ---
+> group::r-- # effective: ---
+> group:43:rwx # effective: ---
+> mask::---
+> other::---
+
+$ chmod 060 xxx
+$ getfacl -n xxx
+> # file: xxx
+> # owner: root
+> # group: wheel
+> user::---
+> user:42:rwx # effective: rw-
+> group::r--
+> group:43:rwx # effective: rw-
+> mask::rw-
+> other::---
+
+# Test default ACLs.
+$ umask 022
+$ mkdir ddd
+$ getfacl -qn ddd
+> user::rwx
+> group::r-x
+> other::r-x
+
+$ ls -l | grep ddd | cut -d' ' -f1
+> drwxr-xr-x
+
+$ getfacl -dq ddd
+$ setfacl -dm u::rwx,g::rx,o::rx,mask::rwx ddd
+$ getfacl -dqn ddd
+> user::rwx
+> group::r-x
+> mask::rwx
+> other::r-x
+
+# No change - ls(1) output doesn't take into account default ACLs.
+$ ls -l | grep ddd | cut -d' ' -f1
+> drwxr-xr-x
+
+$ setfacl -dm g:42:rwx,u:42:r ddd
+$ setfacl -dm g::w ddd
+$ getfacl -dqn ddd
+> user::rwx
+> user:42:r--
+> group::-w-
+> group:42:rwx
+> mask::rwx
+> other::r-x
+
+$ setfacl -dx group:42: ddd
+$ getfacl -dqn ddd
+> user::rwx
+> user:42:r--
+> group::-w-
+> mask::rw-
+> other::r-x
+
+$ ls -l | grep ddd | cut -d' ' -f1
+> drwxr-xr-x
+
+$ rmdir ddd
+$ rm xxx
+
+# Test inheritance.
+$ mkdir ddd
+
+$ touch ddd/xxx
+$ getfacl -q ddd/xxx
+> user::rw-
+> group::r--
+> other::r--
+
+$ mkdir ddd/ddd
+$ getfacl -q ddd/ddd
+> user::rwx
+> group::r-x
+> other::r-x
+
+$ rmdir ddd/ddd
+$ rm ddd/xxx
+
+$ setfacl -dm u::rwx,g::rx,o::rx,mask::rwx ddd
+$ setfacl -dm g:42:rwx,u:43:r ddd
+$ getfacl -dq ddd
+> user::rwx
+> user:43:r--
+> group::r-x
+> group:42:rwx
+> mask::rwx
+> other::r-x
+
+$ touch ddd/xxx
+$ getfacl -q ddd/xxx
+> user::rw-
+> user:43:r--
+> group::r-x # effective: r--
+> group:42:rwx # effective: r--
+> mask::r--
+> other::r--
+
+$ mkdir ddd/ddd
+$ getfacl -q ddd/ddd
+> user::rwx
+> user:43:r--
+> group::r-x
+> group:42:rwx # effective: r-x
+> mask::r-x
+> other::r-x
+
+$ rmdir ddd/ddd
+$ rm ddd/xxx
+$ rmdir ddd
+
+# Test if we deal properly with fifos.
+$ mkfifo fff
+$ ls -l fff | cut -d' ' -f1
+> prw-r--r--
+
+$ setfacl -m u:42:r,g:43:w fff
+$ getfacl fff
+> # file: fff
+> # owner: root
+> # group: wheel
+> user::rw-
+> user:42:r--
+> group::r--
+> group:43:-w-
+> mask::rw-
+> other::r--
+
+$ ls -l fff | cut -d' ' -f1
+> prw-rw-r--+
+
+$ setfacl -bn fff
+$ getfacl fff
+> # file: fff
+> # owner: root
+> # group: wheel
+> user::rw-
+> group::r--
+> other::r--
+
+$ ls -l fff | cut -d' ' -f1
+> prw-r--r--
+
+$ rm fff
+
+# Test if we deal properly with device files.
+$ mknod bbb b 1 1
+$ setfacl -m u:42:r,g:43:w bbb
+> setfacl: bbb: acl_get_file() failed: Operation not supported
+$ ls -l bbb | cut -d' ' -f1
+> brw-r--r--
+
+$ rm bbb
+
+$ mknod ccc c 1 1
+$ setfacl -m u:42:r,g:43:w ccc
+> setfacl: ccc: acl_get_file() failed: Operation not supported
+$ ls -l ccc | cut -d' ' -f1
+> crw-r--r--
+
+$ rm ccc
OpenPOWER on IntegriCloud