Date: Tue, 27 Apr 2021 13:58:37 -0400
From: Ryan Moeller <ryan@ixsystems.com>
To: Gleb Popov <arrowd@freebsd.org>
Cc: freebsd-hackers <freebsd-hackers@freebsd.org>
Subject: Re: ACLs are not reflected in FS extended attributes
Message-ID: <CAGuotKB3-oLP05syFpQ%2B7%2B6ixeuSqBO5MC1ZpiAb%2BMNKyarh2g@mail.gmail.com>
In-Reply-To: <CALH631m8bC5SoRhC1Q1X1%2BmN7tgT3Ti%2BTwhronSNZeX3Qn%2Bg-g@mail.gmail.com>
References: <CALH631m8bC5SoRhC1Q1X1%2BmN7tgT3Ti%2BTwhronSNZeX3Qn%2Bg-g@mail.gmail.com>

ACLs on FreeBSD are not exposed through extended attributes but rather
acl(9) interfaces in VFS implemented by each filesystem. There is a good
selection of library interfaces already in acl(3). acl_extended_file(3)
looks like it could be pretty much a convenience wrapper around
acl_is_trivial_np(3).

Hope that helps point you in the right direction!

-Ryan

On Tue, Apr 27, 2021 at 4:41 AM Gleb Popov <arrowd@freebsd.org> wrote:
>
> Hello hackers.
>
> I'm trying to implement Linux acl_extended_file() function [1] within our
> libc. On Linux this function is implemented via getxattr, a function that
> reads extended attributes from the file [2][3]
>
> My implementation follows the Linux one:
>
>
> int
> acl_extended_file_np(const char *path_p)
> {
>     return _acl_extended_file(extattr_get_file, path_p);
> }
>
> int _acl_extended_file(getattr_func f, const char* path_p)
> {
>     int base_size = 9999; // figure out this later
>     int retval;
>
>     retval = f(path_p, POSIX1E_ACL_ACCESS_EXTATTR_NAMESPACE,
>         POSIX1E_ACL_ACCESS_EXTATTR_NAME, NULL, 0);
>     printf("Retval1: %d\n", retval);
>     if (retval < 0 && errno != ENOATTR)
>         return -1;
>     if (retval > base_size)
>         return 1;
>     retval = f(path_p, POSIX1E_ACL_DEFAULT_EXTATTR_NAMESPACE,
>         POSIX1E_ACL_DEFAULT_EXTATTR_NAME, NULL, 0);
>     printf("Retval2: %d\n", retval);
>     if (retval < 0 && errno != ENOATTR)
>         return -1;
>     if (retval > base_size)
>         return 1;
>     return 0;
> }
>
>
> However, when I tried to use it, I stumbled upon following differences:
>
> - It requires root permissions to operate. I guess this is because it tries
> to look at "system" extattr namespace.
> - It doesn't work anyways due to "Attribute not found" error.
>
> And indeed, the same behavior can be seen when using command line tools.
> On Linux:
> $ setfacl -m u:someuser:rwx somefile
> $ getfattr -d -m - somefile
> system.posix_acl_access=<mangled ACL data>
>
>
> On FreeBSD:
> $ setfacl -m u:someuser:rwx:allow somefile
> $ sudo getextattr system posix1e.acl_access somefile
> failed: Attribute not found
>
> I guess that FreeBSD behaviour is actually not a bug and libacl just uses
> some internal knowledge about how ACL/xattr is implemented on Linux. If
> this is correct, how should I approach implementing this function on
> FreeBSD?
>
> Thanks in advance.
>
> [1] https://linux.die.net/man/3/acl_extended_file
> [2] http://git.savannah.nongnu.org/cgit/acl.git/tree/libacl/acl_extended_file.c
> [3] http://git.savannah.nongnu.org/cgit/acl.git/tree/libacl/__acl_extended_file.c

-- 
Ryan Moeller
iXsystems, Inc.
OS Developer
Email: ryan@iXsystems.com
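
The wrapper the reply describes, as an added example (not code from the thread or from FreeBSD's libc): it fetches the file's ACL through acl(3) and reports whether acl_is_trivial_np(3) finds more in it than the mode bits. The name acl_extended_file_sketch and the pathconf(2) probe that chooses between POSIX.1e and NFSv4 ACLs are assumptions of this example; default ACLs on directories are not examined, and builds on other systems fail with ENOSYS.

```c
#include <errno.h>
#include <stdio.h>
#include <unistd.h>
#ifdef __FreeBSD__
#include <sys/types.h>
#include <sys/acl.h>
#endif

/* Hypothetical helper (added example): 1 = ACL says more than the mode bits,
 * 0 = trivial ACL or no ACL support, -1 = error with errno set. */
int
acl_extended_file_sketch(const char *path)
{
#ifdef __FreeBSD__
	acl_type_t type;
	acl_t acl;
	int trivial;
	long ret;

	/* Ask the filesystem which ACL flavour it stores for this path. */
	errno = 0;
	if ((ret = pathconf(path, _PC_ACL_NFS4)) > 0)
		type = ACL_TYPE_NFS4;		/* e.g. ZFS */
	else if (ret < 0 && errno != 0 && errno != EINVAL)
		return (-1);
	else if ((ret = pathconf(path, _PC_ACL_EXTENDED)) > 0)
		type = ACL_TYPE_ACCESS;		/* POSIX.1e */
	else if (ret < 0 && errno != 0 && errno != EINVAL)
		return (-1);
	else
		return (0);			/* ACLs not supported here */

	/* No extattr access and no root needed: the VFS hands back the ACL. */
	if ((acl = acl_get_file(path, type)) == NULL)
		return (-1);
	ret = acl_is_trivial_np(acl, &trivial);
	acl_free(acl);
	return (ret != 0 ? -1 : !trivial);
#else
	(void)path;
	errno = ENOSYS;		/* acl_is_trivial_np(3) is FreeBSD-only */
	return (-1);
#endif
}

int
main(int argc, char **argv)
{
	for (int i = 1; i < argc; i++)
		printf("%s: %d\n", argv[i], acl_extended_file_sketch(argv[i]));
	return (0);
}
```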