From 181b4eebb9c61b015b050e9c07982dbac25f7937 Mon Sep 17 00:00:00 2001
From: Edward Tomasz Napierala 
Date: Sat, 9 Apr 2011 07:42:25 +0000
Subject: [PATCH] Make it possible to use permission sets (full_set, modify_set, read_set and write_set) with setfacl(1).

PR: kern/154113
Submitted by: Shawn Webb (earlier version)
MFC after: 1 month
---
 bin/setfacl/setfacl.1 | 19 +++++++++++++++++--
 lib/libc/posix1e/acl_support_nfs4.c | 6 +++++-
 sys/sys/acl.h | 13 ++++++++++++-
 3 files changed, 34 insertions(+), 4 deletions(-)

diff --git a/bin/setfacl/setfacl.1 b/bin/setfacl/setfacl.1
index 49ccf9f36b9..bf505ca2afd 100644
--- a/bin/setfacl/setfacl.1
+++ b/bin/setfacl/setfacl.1
@@ -1,5 +1,6 @@
 .\"-
 .\" Copyright (c) 2001 Chris D. Faulhaber
+.\" Copyright (c) 2011 Edward Tomasz NapieraƂa
 .\" All rights reserved.
 .\"
 .\" Redistribution and use in source and binary forms, with or without
@@ -25,7 +26,7 @@
 .\"
 .\" $FreeBSD$
 .\"
-.Dd July 27, 2010
+.Dd April 9, 2011
 .Dt SETFACL 1
 .Os
 .Sh NAME
@@ -307,7 +308,7 @@ Permissions in long form are separated by the
 .Ql /
 character; in short form, they are concatenated together.
 Valid permissions are:
-.Bl -tag -width ".Dv short"
+.Bl -tag -width ".Dv modify_set"
 .It Short
 Long
 .It r
@@ -339,6 +340,20 @@ write_owner
 .It S
 synchronize
 .El
+.Pp
+In addition, the following permission sets may be used:
+.Bl -tag -width ".Dv modify_set"
+.It Set
+Permissions
+.It full_set
+all permissions, as shown above
+.It modify_set
+all permissions except write_acl and write_owner
+.It read_set
+read_data, read_attributes, read_xattr and read_acl
+.It write_set
+write_data, append_data, write_attributes and write_xattr
+.El
 .It Ar "ACL inheritance flags"
 Inheritance flags may be specified in either short or long form.
 Short and long forms may not be mixed.
diff --git a/lib/libc/posix1e/acl_support_nfs4.c b/lib/libc/posix1e/acl_support_nfs4.c
index c5be3d15ae2..4878b4387a8 100644
--- a/lib/libc/posix1e/acl_support_nfs4.c
+++ b/lib/libc/posix1e/acl_support_nfs4.c
@@ -70,6 +70,10 @@ struct flagnames_struct a_access_masks[] =
 	{ ACL_WRITE_ACL, "write_acl", 'C'},
 	{ ACL_WRITE_OWNER, "write_owner", 'o'},
 	{ ACL_SYNCHRONIZE, "synchronize", 's'},
+	{ ACL_FULL_SET, "full_set", '\0'},
+	{ ACL_MODIFY_SET, "modify_set", '\0'},
+	{ ACL_READ_SET, "read_set", '\0'},
+	{ ACL_WRITE_SET, "write_set", '\0'},
 	{ 0, 0, 0}};
 
 static const char *
@@ -117,7 +121,7 @@ format_flags_compact(char *str, size_t size, uint32_t var,
 {
 	size_t i;
 
-	for (i = 0; flags[i].name != NULL; i++) {
+	for (i = 0; flags[i].letter != '\0'; i++) {
 		assert(i < size);
 		if ((flags[i].flag & var) == 0)
 			str[i] = '-';
diff --git a/sys/sys/acl.h b/sys/sys/acl.h
index 80a3fe61637..2f8715d380f 100644
--- a/sys/sys/acl.h
+++ b/sys/sys/acl.h
@@ -217,12 +217,23 @@ typedef void *acl_t;
 #define ACL_WRITE_OWNER 0x00004000
 #define ACL_SYNCHRONIZE 0x00008000
 
-#define ACL_NFS4_PERM_BITS (ACL_READ_DATA | ACL_WRITE_DATA | \
+#define ACL_FULL_SET (ACL_READ_DATA | ACL_WRITE_DATA | \
 	ACL_APPEND_DATA | ACL_READ_NAMED_ATTRS | ACL_WRITE_NAMED_ATTRS | \
 	ACL_EXECUTE | ACL_DELETE_CHILD | ACL_READ_ATTRIBUTES | \
 	ACL_WRITE_ATTRIBUTES | ACL_DELETE | ACL_READ_ACL | ACL_WRITE_ACL | \
 	ACL_WRITE_OWNER | ACL_SYNCHRONIZE)
 
+#define ACL_MODIFY_SET (ACL_FULL_SET & \
+	~(ACL_WRITE_ACL | ACL_WRITE_OWNER))
+
+#define ACL_READ_SET (ACL_READ_DATA | ACL_READ_NAMED_ATTRS | \
+	ACL_READ_ATTRIBUTES | ACL_READ_ACL)
+
+#define ACL_WRITE_SET (ACL_WRITE_DATA | ACL_APPEND_DATA | \
+	ACL_WRITE_NAMED_ATTRS | ACL_WRITE_ATTRIBUTES)
+
+#define ACL_NFS4_PERM_BITS ACL_FULL_SET
+
 /*
  * Possible entry_id values for acl_get_entry(3).
  */
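Review bot: The new loop condition in format_flags_compact(), `flags[i].letter != '\0'`, makes the short-form output depend on table order: the four set entries added to a_access_masks in the first hunk have letter '\0', so they act as a second terminator, and any lettered entry later placed after them would silently disappear from getfacl's compact output with no diagnostic. The table should state that invariant, e.g. `/* Permission sets have no short letter and must stay after every lettered entry: format_flags_compact() stops at the first '\0' letter. */` above the ACL_FULL_SET row. The set entries are also multi-bit masks, so any other walker of this table that tests `(flags[i].flag & var) != 0` rather than `(flags[i].flag & var) == flags[i].flag` (the long-form formatter is outside the hunk, so I cannot tell) would report read_set for an entry holding only read_data; worth checking. The body of format_flags_compact() continues outside the hunk.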
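Review bot: The four set macros in the acl.h hunk are added without a comment, although their composition is now a user-visible contract that setfacl(1) documents by name, and the one access-control property that matters — ACL_MODIFY_SET deliberately withholds ACL_WRITE_ACL and ACL_WRITE_OWNER, so a grantee holding modify_set cannot widen its own access — is only visible by reading the mask expression. A block comment above ACL_FULL_SET such as `/* Named permission sets accepted by setfacl(1); keep in sync with setfacl.1. ACL_MODIFY_SET intentionally omits ACL_WRITE_ACL and ACL_WRITE_OWNER. */` would pin that down for the next editor. Redefining ACL_NFS4_PERM_BITS as ACL_FULL_SET leaves its value unchanged, which looks intended.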