From: Martin Matuska
Date: Mon, 26 Nov 2012 12:24:39 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject: svn commit: r243560 - in head: cddl/contrib/opensolaris/cmd/zfs sys/cddl/contrib/opensolaris/common/zfs sys/cddl/contrib/opensolaris/uts/common/fs/zfs

Author: mm
Date: Mon Nov 26 12:24:39 2012
New Revision: 243560
URL: http://svnweb.freebsd.org/changeset/base/243560

Log:
  MFV r243395:
  Introduce a new dataset aclmode setting "restricted" to protect ACL's
  being destroyed or corrupted by a drive-by chmod.

  illumos-gate 13889:a67716f16746

  3254 add support in zfs for aclmode=restricted

  References:
    https://www.illumos.org/issues/3254

  MFC after: 2 weeks

Modified:
  head/cddl/contrib/opensolaris/cmd/zfs/zfs.8
  head/sys/cddl/contrib/opensolaris/common/zfs/zfs_prop.c
  head/sys/cddl/contrib/opensolaris/uts/common/fs/zfs/zfs_vnops.c
Directory Properties:
  head/cddl/contrib/opensolaris/ (props changed)
  head/sys/cddl/contrib/opensolaris/ (props changed)

Modified: head/cddl/contrib/opensolaris/cmd/zfs/zfs.8 ============================================================================== --- head/cddl/contrib/opensolaris/cmd/zfs/zfs.8 Mon Nov 26 09:03:21 2012 (r243559) +++ head/cddl/contrib/opensolaris/cmd/zfs/zfs.8 Mon Nov 26 12:24:39 2012 (r243560) 
@@ -760,7 +760,7 @@ If no inheritable .Tn ACE Ns s exist that affect the mode, then the mode is set in accordance to the requested mode from the application. -.It Sy aclmode Ns = Ns Cm discard | groupmask | passthrough +.It Sy aclmode Ns = Ns Cm discard | groupmask | passthrough | restricted Controls how an .Tn ACL is modified during @@ -790,6 +790,32 @@ indicates that no changes are made to th other than creating or updating the necessary .Tn ACL entries to represent the new mode of the file or directory. +An +.Sy aclmode +property of +.Cm restricted +will cause the +.Xr chmod 2 +operation to return an error when used on any file or directory which has +a non-trivial +.Tn ACL +whose entries can not be represented by a mode. +.Xr chmod 2 +is required to change the set user ID, set group ID, or sticky bits on a file +or directory, as they do not have equivalent +.Tn ACL +entries. +In order to use +.Xr chmod 2 +on a file or directory with a non-trivial +.Tn ACL +when +.Sy aclmode +is set to +.Cm restricted , +you must first remove all +.Tn ACL +entries which do not represent the current mode. .It Sy atime Ns = Ns Cm on | off Controls whether the access time for files is updated when they are read. Turning this property off avoids producing write traffic when reading files and Modified: head/sys/cddl/contrib/opensolaris/common/zfs/zfs_prop.c ============================================================================== --- head/sys/cddl/contrib/opensolaris/common/zfs/zfs_prop.c Mon Nov 26 09:03:21 2012 (r243559) +++ head/sys/cddl/contrib/opensolaris/common/zfs/zfs_prop.c Mon Nov 26 12:24:39 2012 (r243560) @@ -109,6 +109,7 @@ zfs_prop_init(void) { "discard", ZFS_ACL_DISCARD }, { "groupmask", ZFS_ACL_GROUPMASK }, { "passthrough", ZFS_ACL_PASSTHROUGH }, + { "restricted", ZFS_ACL_RESTRICTED }, { NULL } }; 
@@ -217,7 +218,8 @@ zfs_prop_init(void) "hidden | visible", "SNAPDIR", snapdir_table); zprop_register_index(ZFS_PROP_ACLMODE, "aclmode", ZFS_ACL_DISCARD, PROP_INHERIT, ZFS_TYPE_FILESYSTEM, - "discard | groupmask | passthrough", "ACLMODE", acl_mode_table); + "discard | groupmask | passthrough | restricted", "ACLMODE", + acl_mode_table); zprop_register_index(ZFS_PROP_ACLINHERIT, "aclinherit", ZFS_ACL_RESTRICTED, PROP_INHERIT, ZFS_TYPE_FILESYSTEM, "discard | noallow | restricted | passthrough | passthrough-x", Modified: head/sys/cddl/contrib/opensolaris/uts/common/fs/zfs/zfs_vnops.c ============================================================================== --- head/sys/cddl/contrib/opensolaris/uts/common/fs/zfs/zfs_vnops.c Mon Nov 26 09:03:21 2012 (r243559) +++ head/sys/cddl/contrib/opensolaris/uts/common/fs/zfs/zfs_vnops.c Mon Nov 26 12:24:39 2012 (r243560) @@ -3257,6 +3257,12 @@ top: uint64_t acl_obj; new_mode = (pmode & S_IFMT) | (vap->va_mode & ~S_IFMT); + if (zp->z_zfsvfs->z_acl_mode == ZFS_ACL_RESTRICTED && + !(zp->z_pflags & ZFS_ACL_TRIVIAL)) { + err = EPERM; + goto out; + } + if (err = zfs_acl_chmod_setattr(zp, &aclp, new_mode)) goto out;
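Review bot: In the zfs.8 hunk at -790,6, the new paragraph says chmod(2) will "return an error" under aclmode=restricted but never names the errno. The zfs_vnops.c hunk sets err = EPERM, so the manual should name EPERM; then an administrator or script that hits the refusal can match it to this property. The sentence about the set user ID, set group ID and sticky bits also leaves open whether such a chmod is refused: the kernel condition tests only z_acl_mode and ZFS_ACL_TRIVIAL and never looks at new_mode, so it is refused, and the text should say so directly instead of leaving it to the closing sentence about removing ACL entries.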
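Review bot: The check added in the zfs_vnops.c hunk at -3257,6, right after the new_mode assignment, has no comment and does not compare new_mode with the current mode, so a chmod that requests the mode the file already has is refused with EPERM like any other. Please add a comment stating that this is the aclmode=restricted policy and that the blanket refusal is deliberate, or let a request through when new_mode equals pmode. EPERM is also what chmod(2) returns to a caller who does not own the file, so the two cases look identical to userland; the comment and the manual page are the places to spell out that EPERM on a file with a non-trivial ACL can mean this property.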