3254 add support in zfs for aclmode=restricted

Reviewed by: Albert Lee <trisk@nexenta.com> Reviewed by: Gordon Ross <gwr@nexenta.com> Approved by: Richard Lowe <richlowe@richlowe.net>
illumos · Nov 19, 2012 · 71dbfc2 · 71dbfc2
1 parent 7540df3
commit 71dbfc2
Show file tree

Hide file tree

Showing 3 changed files with 22 additions and 6 deletions.
diff --git a/usr/src/common/zfs/zfs_prop.c b/usr/src/common/zfs/zfs_prop.c
@@ -109,6 +109,7 @@ zfs_prop_init(void)
 		{ "discard",	ZFS_ACL_DISCARD },
 		{ "groupmask",	ZFS_ACL_GROUPMASK },
 		{ "passthrough", ZFS_ACL_PASSTHROUGH },
+		{ "restricted", ZFS_ACL_RESTRICTED },
 		{ NULL }
 	};
 
@@ -217,7 +218,8 @@ zfs_prop_init(void)
 	    "hidden | visible", "SNAPDIR", snapdir_table);
 	zprop_register_index(ZFS_PROP_ACLMODE, "aclmode", ZFS_ACL_DISCARD,
 	    PROP_INHERIT, ZFS_TYPE_FILESYSTEM,
-	    "discard | groupmask | passthrough", "ACLMODE", acl_mode_table);
+	    "discard | groupmask | passthrough | restricted", "ACLMODE",
+	    acl_mode_table);
 	zprop_register_index(ZFS_PROP_ACLINHERIT, "aclinherit",
 	    ZFS_ACL_RESTRICTED, PROP_INHERIT, ZFS_TYPE_FILESYSTEM,
 	    "discard | noallow | restricted | passthrough | passthrough-x",

diff --git a/usr/src/man/man1m/zfs.1m b/usr/src/man/man1m/zfs.1m
@@ -830,7 +830,7 @@ mode from the application.
 .sp
 .ne 2
 .na
-\fB\fBaclmode\fR=\fBdiscard\fR | \fBgroupmask\fR | \fBpassthrough\fR\fR
+\fB\fBaclmode\fR=\fBdiscard\fR | \fBgroupmask\fR | \fBpassthrough\fR\fR | \fBrestricted\fR\fR
 .ad
 .sp .6
 .RS 4n
@@ -839,10 +839,18 @@ an \fBaclmode\fR property of \fBdiscard\fR (the default) deletes all \fBACL\fR
 entries that do not represent the mode of the file. An \fBaclmode\fR property
 of \fBgroupmask\fR reduces permissions granted in all \fBALLOW\fR entries found
 in the \fBACL\fR such that they are no greater than the group permissions
-specified by \fBchmod\fR.  A file system with an \fBaclmode\fR property of
+specified by \fBchmod\fR(2).  A file system with an \fBaclmode\fR property of
 \fBpassthrough\fR indicates that no changes are made to the \fBACL\fR other
-than creating or updating the necessary \fBACL\fR entries to
-represent the new mode of the file or directory.
+than creating or updating the necessary \fBACL\fR entries to represent the new
+mode of the file or directory. An \fBaclmode\fR property of \fBrestricted\fR
+will cause the \fBchmod\fR(2) operation to return an error when used on any
+file or directory which has a non-trivial \fBACL\fR whose entries can not be
+represented by a mode. \fBchmod\fR(2) is required to change the set user ID,
+set group ID, or sticky bits on a file or directory, as they do not have
+equivalent \fBACL\fR entries. In order to use \fBchmod\fR(2) on a file or
+directory with a non-trivial \fBACL\fR when \fBaclmode\fR is set to
+\fBrestricted\fR, you must first remove all \fBACL\fR entries which do not
+represent the current mode.
 .RE
 
 .sp
@@ -3939,7 +3947,7 @@ Interface Stability	Committed
 \fBssh\fR(1), \fBiscsitadm\fR(1M), \fBmount\fR(1M), \fBshare\fR(1M),
 \fBsharemgr\fR(1M), \fBunshare\fR(1M), \fBzonecfg\fR(1M), \fBzpool\fR(1M),
 \fBchmod\fR(2), \fBstat\fR(2), \fBwrite\fR(2), \fBfsync\fR(3C),
-\fBdfstab\fR(4), \fBattributes\fR(5)
+\fBdfstab\fR(4), \fBacl\fR(5), \fBattributes\fR(5)
 .sp
 .LP
 See the \fBgzip\fR(1) man page, which is not part of the SunOS man page

diff --git a/usr/src/uts/common/fs/zfs/zfs_vnops.c b/usr/src/uts/common/fs/zfs/zfs_vnops.c
@@ -2982,6 +2982,12 @@ zfs_setattr(vnode_t *vp, vattr_t *vap, int flags, cred_t *cr,
 		uint64_t acl_obj;
 		new_mode = (pmode & S_IFMT) | (vap->va_mode & ~S_IFMT);
 
+		if (zp->z_zfsvfs->z_acl_mode == ZFS_ACL_RESTRICTED &&
+		    !(zp->z_pflags & ZFS_ACL_TRIVIAL)) {
+			err = EPERM;
+			goto out;
+		}
+
 		if (err = zfs_acl_chmod_setattr(zp, &aclp, new_mode))
 			goto out;