Add native NFSv4 style ZFS ACL support for Linux #206

Open: wants to merge 6 commits into base: tn_master

Commits on Jan 31, 2024

  1. Implement NFSv41 ACLs through xattr

    This implements NFSv41 (RFC 5661) ACLs in a manner compatible with
    vfs_nfs4acl_xattr in Samba.
    
    There are three key areas of change in this commit:
    
    1) NFSv4 ACL management through system.nfs4_acl_xdr xattr. Install
      an xattr handler for "system.nfs4_acl_xdr" that presents an xattr
      containing full NFSv41 ACL structures generated through rpcgen
      using specification from the Samba project. This xattr is used by
      userspace programs to read and set permissions.
    
    2) add an i_op->permissions endpoint: zpl_permissions(). This is used
      by the VFS in Linux to determine whether to allow / deny an
      operation. Wherever possible, we try to avoid having to call
      zfs_access(). If kernel has NFSv4 patch for VFS, then perform more
      complete check of available access mask.
    
    3) add capability-based overrides to secpolicy_vnode_access2(). There
      are various situations in which ACL may need to be overridden based
      on capabilities. This logic is almost directly copied from Linux
      VFS. Switch to using ns-aware checks rather than capable(). Expand
      optimization to allow bypass of zfs_zaccess() in case of trivial ACL if
      MAY_OPEN is included in requested mask.
    
    This commit was initially inspired by work from Paul B. Henson to
    implement NFSv4.0 (RFC3530) ACLs in ZFS on Linux. Key areas of
    divergence are as follows:
    
    - ACL specification, xattr format, xattr name
    - Addition of handling for NFSv4 masks from Linux VFS
    - Addition of ACL overrides based on capabilities
    
    Authored-by: Andrew Walker <awalker@ixsystems.com>
    Signed-off-by: Umer Saleem <usaleem@ixsystems.com>
    anodos325 authored and usaleem-ix committed Jan 31, 2024
    Commit 7a590f0
  2. Simplify and enhance NFSv4.1 ACLs

    Adds ability for xattr handler to "strip" NFSv4.1 ACLs. Since there
    is no libc equivalent of strip operation in Linux for NFSv4 ACLs, as
    there are in POSIX ACLs and on FreeBSD, this commit handles the
    operation entirely in ZFS.
    
    Expose ACL_IS_TRIVIAL and ACL_IS_DIR flags as ACL-wide flags in the
    system.nfs4_acl_xdr generated on getxattr requests. These are non-RFC
    flags that are useful for userspace applications. ACL_IS_TRIVIAL helps
    to avoid relatively expensive ACL-related operations.
    
    Advertise support for large xattrs. SB_LARGEXATTR is used to indicate
    to the kernel that the filesystem supports large-size xattrs greater
    than 64KiB. This flag is used to evaluate whether to allow large xattr
    read or write requests (up to 2 MiB).
    
    Force BSD semantics for group ownership if NFSV4ACL. Since there is no
    hard-and-fast rule about creation semantics for NFSv4 ACLs on Linux,
    opt for what is least likely to break users' permissions on change from
    FreeBSD to Linux.
    
    Improves zpl_permission performance. This function can be frequently
    called with MAY_EXEC|MAY_NOT_BLOCK during RCU path walk.
    
    Authored-by: Andrew Walker <awalker@ixsystems.com>
    Signed-off-by: Umer Saleem <usaleem@ixsystems.com>
    anodos325 authored and usaleem-ix committed Jan 31, 2024
    Commit 9ceeca7
  3. Fix ZFS_READONLY and remove inode_owner_or_capable override for Linux

    MS-FSCC 2.6 specifies that for a file, applications can read the file
    but cannot write to it or delete it. For a directory, applications
    cannot delete it, but applications can create and delete files from
    the directory.
    
    This commit also fixes a bug whereby owner@ ACL that limits WRITE_DATA
    access for the owner of a file was not being properly enforced. The
    owner of a file should be prevented from write access in this case,
    but being owner of file should still allow the file owner to chmod,
    chown, and setacl.
    
    Authored-by: Andrew Walker <awalker@ixsystems.com>
    Signed-off-by: Umer Saleem <usaleem@ixsystems.com>
    anodos325 authored and usaleem-ix committed Jan 31, 2024
    Commit bff01ff
  4. Add ACL wrapper libraries

    This commit adds common ACL libraries, libzfsacl for Linux and FreeBSD
    to provide helper functions to access ACLs. On Linux, libsunacl
    provides acl() and facl() to be consumed by vfs_zfsacl.c in Samba.
    
    libpyzfsacl.c provides python bindings for libzfsacl. Python bindings
    are packaged in python3-libzfsacl. A new package is added for libzfsacl
    and libsunacl.
    
    Authored-by: Andrew Walker <awalker@ixsystems.com>
    Signed-off-by: Umer Saleem <usaleem@ixsystems.com>
    usaleem-ix committed Jan 31, 2024
    Commit e048f51
  5. Add NFSv4 ACL get/set scripts

    This commit adds zfs_getnfs4facl and zfs_setnfs4facl.
    
    zfs_getnfs4facl will display the NFSv4 ACLs for a file or directory
    on a ZFS filesystem with acltype set to nfsv4 that exposes NFSv4 ACLs
    as a system.nfs4_acl_xdr xattr.
    
    zfs_setnfs4facl manipulates the NFSv4 ACLs of one or more files or
    directories, on a ZFS filesystem with acltype set to nfsv4.
    
    Both scripts provide output compatible with getfacl and setfacl on
    FreeBSD, and provide support for viewing and managing ACL features
    present in NFSv4.1.
    
    Signed-off-by: Umer Saleem <usaleem@ixsystems.com>
    usaleem-ix committed Jan 31, 2024
    Commit 7bcaf75
  6. Add test suite for validating NFSv4.1 ACLs

    This commit adds a test suite for NFSv4.1 ACLs. The test suite uses
    libzfsacl python bindings to validate functionality of NFS ACLs.
    
    The test suite validates the basic behavior of ACLs by verifying
    default ACEs and then moves to testing all the flags and
    permissions for deny and allow permissions.
    
    Test suite also verifies that allow ACEs don't work without
    setting the specific permission flag, i.e. to perform an operation,
    its permission is required. Similarly, test suite also verifies
    that allow ACE for a specific permission only allows that
    particular permission and user does not have access to other
    permissions.
    
    Signed-off-by: Umer Saleem <usaleem@ixsystems.com>
    usaleem-ix committed Jan 31, 2024
    Commit 34fc461
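
An added example (not code from this pull request): a simplified Python model of ordered NFSv4 ACE evaluation, showing the behaviour the messages of commits 3 and 6 describe (an owner@ deny of WRITE_DATA is enforced, ownership still permits chmod/chown/setacl, and an allow ACE grants only the bits it names). `Ace`, `Cred`, `access_allowed` and the sample ACL are constructed names and data; the owner's implicit rights are an assumption taken from commit 3's message, and ACE flags such as inheritance are ignored.

```python
# Simplified model of ordered NFSv4 ACE evaluation; constructed example, not OpenZFS code.
from dataclasses import dataclass

# RFC 5661 ACE4_* access mask bits and ACE types
READ_DATA, WRITE_DATA, APPEND_DATA, EXECUTE = 0x1, 0x2, 0x4, 0x20
WRITE_ATTRIBUTES, WRITE_ACL, WRITE_OWNER = 0x100, 0x40000, 0x80000
ALLOW, DENY = 0, 1
# Assumption (from commit 3's message): ownership alone permits chmod, chown, setacl
OWNER_IMPLICIT = WRITE_ACL | WRITE_OWNER | WRITE_ATTRIBUTES

@dataclass(frozen=True)
class Ace:
    who: str       # "owner@", "group@", "everyone@", "user:<uid>" or "group:<gid>"
    ace_type: int  # ALLOW or DENY
    mask: int

@dataclass(frozen=True)
class Cred:
    uid: int
    gids: frozenset

def ace_matches(ace, cred, owner_uid, owner_gid):
    if ace.who == "everyone@":
        return True
    if ace.who == "owner@":
        return cred.uid == owner_uid
    if ace.who == "group@":
        return owner_gid in cred.gids
    kind, _, ident = ace.who.partition(":")
    return cred.uid == int(ident) if kind == "user" else int(ident) in cred.gids

def access_allowed(acl, cred, owner_uid, owner_gid, wanted):
    """Walk ACEs in order; the first matching ACE that names a bit decides it."""
    remaining = wanted
    if cred.uid == owner_uid:
        remaining &= ~OWNER_IMPLICIT
    for ace in acl:
        if not ace_matches(ace, cred, owner_uid, owner_gid):
            continue
        if ace.ace_type == DENY and ace.mask & remaining:
            return False          # an undecided bit is explicitly denied
        if ace.ace_type == ALLOW:
            remaining &= ~ace.mask
    return remaining == 0         # bits that no ACE allowed are denied

# Constructed sample: the owner is explicitly denied WRITE_DATA ahead of the allow ACE
SAMPLE_ACL = [Ace("owner@", DENY, WRITE_DATA),
              Ace("owner@", ALLOW, READ_DATA | WRITE_DATA | EXECUTE),
              Ace("everyone@", ALLOW, READ_DATA)]
OWNER, OTHER = Cred(1000, frozenset({1000})), Cred(2000, frozenset({2000}))
```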