Make it possible to use permission sets (full_set, modify_set, read_set

and write_set) with setfacl(1).

PR:		kern/154113
Submitted by:	Shawn Webb <lattera at gmail dot com> (earlier version)
MFC after:	1 month

bin/setfacl/setfacl.1

@@ -1,5 +1,6 @@
 .\"-
 .\" Copyright (c) 2001 Chris D. Faulhaber
+.\" Copyright (c) 2011 Edward Tomasz Napierała
 .\" All rights reserved.
 .\"
 .\" Redistribution and use in source and binary forms, with or without
@@ -25,7 +26,7 @@
 .\"
 .\" $FreeBSD$
 .\"
-.Dd July 27, 2010
+.Dd April 9, 2011
 .Dt SETFACL 1
 .Os
 .Sh NAME
@@ -307,7 +308,7 @@ Permissions in long form are separated by the
 .Ql /
 character; in short form, they are concatenated together.
 Valid permissions are:
-.Bl -tag -width ".Dv short"
+.Bl -tag -width ".Dv modify_set"
 .It Short
 Long
 .It r
@@ -339,6 +340,20 @@ write_owner
 .It S
 synchronize
 .El
+.Pp
+In addition, the following permission sets may be used:
+.Bl -tag -width ".Dv modify_set"
+.It Set
+Permissions
+.It full_set
+all permissions, as shown above
+.It modify_set
+all permissions except write_acl and write_owner
+.It read_set
+read_data, read_attributes, read_xattr and read_acl
+.It write_set
+write_data, append_data, write_attributes and write_xattr
+.El
 .It Ar "ACL inheritance flags"
 Inheritance flags may be specified in either short or long form.
 Short and long forms may not be mixed.

lib/libc/posix1e/acl_support_nfs4.c

@@ -70,6 +70,10 @@ struct flagnames_struct a_access_masks[] =
      { ACL_WRITE_ACL, "write_acl", 'C'},
      { ACL_WRITE_OWNER, "write_owner", 'o'},
      { ACL_SYNCHRONIZE, "synchronize", 's'},
+     { ACL_FULL_SET, "full_set", '\0'},
+     { ACL_MODIFY_SET, "modify_set", '\0'},
+     { ACL_READ_SET, "read_set", '\0'},
+     { ACL_WRITE_SET, "write_set", '\0'},
      { 0, 0, 0}};
 
 static const char *
@@ -117,7 +121,7 @@ format_flags_compact(char *str, size_t size, uint32_t var,
 {
 	size_t i;
 
-	for (i = 0; flags[i].name != NULL; i++) {
+	for (i = 0; flags[i].letter != '\0'; i++) {
 		assert(i < size);
 		if ((flags[i].flag & var) == 0)
 			str[i] = '-';

sys/sys/acl.h

@@ -217,12 +217,23 @@ typedef void *acl_t;
 #define	ACL_WRITE_OWNER		0x00004000
 #define	ACL_SYNCHRONIZE		0x00008000
 
-#define	ACL_NFS4_PERM_BITS	(ACL_READ_DATA | ACL_WRITE_DATA | \
+#define	ACL_FULL_SET		(ACL_READ_DATA | ACL_WRITE_DATA | \
     ACL_APPEND_DATA | ACL_READ_NAMED_ATTRS | ACL_WRITE_NAMED_ATTRS | \
     ACL_EXECUTE | ACL_DELETE_CHILD | ACL_READ_ATTRIBUTES | \
     ACL_WRITE_ATTRIBUTES | ACL_DELETE | ACL_READ_ACL | ACL_WRITE_ACL | \
     ACL_WRITE_OWNER | ACL_SYNCHRONIZE)
 
+#define	ACL_MODIFY_SET		(ACL_FULL_SET & \
+    ~(ACL_WRITE_ACL | ACL_WRITE_OWNER))
+
+#define	ACL_READ_SET		(ACL_READ_DATA | ACL_READ_NAMED_ATTRS | \
+    ACL_READ_ATTRIBUTES | ACL_READ_ACL)
+
+#define	ACL_WRITE_SET		(ACL_WRITE_DATA | ACL_APPEND_DATA | \
+    ACL_WRITE_NAMED_ATTRS | ACL_WRITE_ATTRIBUTES)
+
+#define	ACL_NFS4_PERM_BITS	ACL_FULL_SET
+
 /*
  * Possible entry_id values for acl_get_entry(3).
  */